From 54300637c4edec9b7bf97c5dc548f9d11579a8ef Mon Sep 17 00:00:00 2001 
From: Lynsey Rydberg
Date: Tue, 31 Mar 2026 13:20:16 -0700
Subject: [PATCH 1/3] refactor(openssl-fips-provider): use upstream fipsinstall instead of embedded HMAC

Remove all Fedora-derived patches and build unmodified OpenSSL 3.1.2 FIPS provider. Use upstream `openssl fipsinstall` to generate config with the module integrity HMAC, replacing the embedded HMAC approach (patch 0033).
---
 ...cated-functions-with-NULL-or-highest.patch | 84 -
 ...eneral-default-values-in-openssl.cnf.patch | 68 -
 ...3-Do-not-install-html-docs-3.1.2-AZL.patch | 25 -
 ...ault-paths-for-the-CA-directory-tree.patch | 77 -
 ...0005-apps-ca-fix-md-option-help-text.patch | 28 -
 ...e-verification-with-totally-unsafe-h.patch | 29 -
 ...PROFILE-SYSTEM-system-default-cipher.patch | 329 ----
 ...ode-compatibility-macro-3.1.4-fedora.patch | 83 -
 ...-FIPS-mode-flag-support-3.1.4-fedora.patch | 86 -
 ...s-to-ectest-and-eccurve-3.1.4-fedora.patch | 1148 --------------
 .../0011-Remove-EC-curves-3.1.4-fedora.patch | 279 ----
 .../0012-Disable-explicit-ec.patch | 235 ---
 ...skipped-tests-EC-curves-3.1.4-fedora.patch | 58 -
 .../0024-load-legacy-prov.patch | 70 -
 ...-Force-fips-3.1.2-AZL3-TEMP-SYMCRYPT.patch | 77 -
 .../0033-FIPS-embed-hmac-3.1.2-AZL.patch | 250 ---
 ...034.fipsinstall_disable-3.1.4-fedora.patch | 473 ------
 .../0035-speed-skip-unavailable-dgst.patch | 31 -
 ...sabling-of-SHA1-signatures-3.1.2-AZL.patch | 525 -------
 ...h-allow-sha1-signatures-3.1.4-fedora.patch | 221 ---
 .../0079-RSA-PKCS15-implicit-rejection.patch | 1388 -----------------
 .../configuration-prefix.h | 7 -
 .../configuration-switch.h | 47 -
 .../openssl-fips-provider/fips_prov.cnf | 5 -
 SPECS-EXTENDED/openssl-fips-provider/fixpatch | 15 -
 .../openssl-fips-provider/genpatches | 26 -
 .../openssl-fips-provider.spec | 133 +-
 ...pported-calls-into-symcrypt-in-speed.patch | 163 --
 28 files changed, 33 insertions(+), 5927 deletions(-)
 delete mode 100644 SPECS-EXTENDED/openssl-fips-provider/0001-Replacing-deprecated-functions-with-NULL-or-highest.patch
 delete mode 100644 SPECS-EXTENDED/openssl-fips-provider/0002-Use-more-general-default-values-in-openssl.cnf.patch
 delete mode 100644 SPECS-EXTENDED/openssl-fips-provider/0003-Do-not-install-html-docs-3.1.2-AZL.patch
 delete mode 100644 SPECS-EXTENDED/openssl-fips-provider/0004-Override-default-paths-for-the-CA-directory-tree.patch
 delete mode 100644 SPECS-EXTENDED/openssl-fips-provider/0005-apps-ca-fix-md-option-help-text.patch
 delete mode 100644 SPECS-EXTENDED/openssl-fips-provider/0006-Disable-signature-verification-with-totally-unsafe-h.patch
 delete mode 100644 SPECS-EXTENDED/openssl-fips-provider/0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
 delete mode 100644 SPECS-EXTENDED/openssl-fips-provider/0008-Add-FIPS_mode-compatibility-macro-3.1.4-fedora.patch
 delete mode 100644 SPECS-EXTENDED/openssl-fips-provider/0009-Add-Kernel-FIPS-mode-flag-support-3.1.4-fedora.patch
 delete mode 100644 SPECS-EXTENDED/openssl-fips-provider/0010-Add-changes-to-ectest-and-eccurve-3.1.4-fedora.patch
 delete mode 100644 SPECS-EXTENDED/openssl-fips-provider/0011-Remove-EC-curves-3.1.4-fedora.patch
 delete mode 100644 SPECS-EXTENDED/openssl-fips-provider/0012-Disable-explicit-ec.patch
 delete mode 100644 SPECS-EXTENDED/openssl-fips-provider/0013-skipped-tests-EC-curves-3.1.4-fedora.patch
 delete mode 100644 SPECS-EXTENDED/openssl-fips-provider/0024-load-legacy-prov.patch
 delete mode 100644 SPECS-EXTENDED/openssl-fips-provider/0032-Force-fips-3.1.2-AZL3-TEMP-SYMCRYPT.patch
 delete mode 100644 SPECS-EXTENDED/openssl-fips-provider/0033-FIPS-embed-hmac-3.1.2-AZL.patch
 delete mode 100644 SPECS-EXTENDED/openssl-fips-provider/0034.fipsinstall_disable-3.1.4-fedora.patch
 delete mode 100644 SPECS-EXTENDED/openssl-fips-provider/0035-speed-skip-unavailable-dgst.patch
 delete mode 100644 SPECS-EXTENDED/openssl-fips-provider/0049-Allow-disabling-of-SHA1-signatures-3.1.2-AZL.patch
 delete mode 100644 SPECS-EXTENDED/openssl-fips-provider/0052-Allow-SHA1-in-seclevel-1-if-rh-allow-sha1-signatures-3.1.4-fedora.patch
 delete mode 100644 SPECS-EXTENDED/openssl-fips-provider/0079-RSA-PKCS15-implicit-rejection.patch
 delete mode 100644 SPECS-EXTENDED/openssl-fips-provider/configuration-prefix.h
 delete mode 100644 SPECS-EXTENDED/openssl-fips-provider/configuration-switch.h
 delete mode 100644 SPECS-EXTENDED/openssl-fips-provider/fips_prov.cnf
 delete mode 100755 SPECS-EXTENDED/openssl-fips-provider/fixpatch
 delete mode 100755 SPECS-EXTENDED/openssl-fips-provider/genpatches
 delete mode 100644 SPECS-EXTENDED/openssl-fips-provider/prevent-unsupported-calls-into-symcrypt-in-speed.patch

diff --git a/SPECS-EXTENDED/openssl-fips-provider/0001-Replacing-deprecated-functions-with-NULL-or-highest.patch b/SPECS-EXTENDED/openssl-fips-provider/0001-Replacing-deprecated-functions-with-NULL-or-highest.patch
deleted file mode 100644
index 6a92b56fbfb..00000000000
--- a/SPECS-EXTENDED/openssl-fips-provider/0001-Replacing-deprecated-functions-with-NULL-or-highest.patch
+++ /dev/null
@@ -1,84 +0,0 @@
-From c8978b7be6dbe388596fb899ab41a29e414ea5dc Mon Sep 17 00:00:00 2001
-From: Daniel Mihai
-Date: Wed, 28 Jul 2021 14:55:12 -0700
-Subject: [PATCH] Replacing deprecated functions with NULL or highest
- supported.
-
-This is a workaround until OpenSSL issue #7048 is officially resolved.
-Issue link: https://github.com/openssl/openssl/issues/7048.
-
-The main purpose of the change is to prevent breaking applications
-as they dynamically link to 'libssl.so' where APIs for some
-deprecated protocols are no longer present. With this change
-OpenSSL's build time configuration may skip the 'no--method'
-switch, while still not supporting the deprecated protocols disabled
-through the 'no-' switch.
-
-For deprecated DTLS protocol versions behind the scenes we're calling
-into 'DTLS_(client_|server_)?method()' set of methods, which
-automatically negotiate the highest supported protocol.
-
-For SSLv3 methods we're returning a NULL pointer as there are no
-more supported methods for the SSL protocol.
----
- ssl/methods.c | 18 +++++++++++++++---
- 1 file changed, 15 insertions(+), 3 deletions(-)
-
-diff --git a/ssl/methods.c b/ssl/methods.c
-index c846143277..a7ae074bfd 100644
---- a/ssl/methods.c
-+++ b/ssl/methods.c
-@@ -215,17 +215,29 @@ const SSL_METHOD *TLSv1_client_method(void)
- # ifndef OPENSSL_NO_SSL3_METHOD
- const SSL_METHOD *SSLv3_method(void)
- {
-+# ifdef OPENSSL_NO_SSL3
-+ return NULL;
-+# else
- return sslv3_method();
-+# endif
- }
-
- const SSL_METHOD *SSLv3_server_method(void)
- {
-+# ifdef OPENSSL_NO_SSL3
-+ return NULL;
-+# else
- return sslv3_server_method();
-+# endif
- }
-
- const SSL_METHOD *SSLv3_client_method(void)
- {
-+# ifdef OPENSSL_NO_SSL3
-+ return NULL;
-+# else
- return sslv3_client_method();
-+# endif
- }
- # endif
-
-@@ -249,17 +261,17 @@ const SSL_METHOD *DTLSv1_2_client_method(void)
- # ifndef OPENSSL_NO_DTLS1_METHOD
- const SSL_METHOD *DTLSv1_method(void)
- {
-- return dtlsv1_method();
-+ return DTLS_method();
- }
-
- const SSL_METHOD *DTLSv1_server_method(void)
- {
-- return dtlsv1_server_method();
-+ return DTLS_server_method();
- }
-
- const SSL_METHOD *DTLSv1_client_method(void)
- {
-- return dtlsv1_client_method();
-+ return DTLS_client_method();
- }
- # endif
-
---
-2.25.1
-
diff --git a/SPECS-EXTENDED/openssl-fips-provider/0002-Use-more-general-default-values-in-openssl.cnf.patch b/SPECS-EXTENDED/openssl-fips-provider/0002-Use-more-general-default-values-in-openssl.cnf.patch
deleted file mode 100644
index 83ed599a64e..00000000000
--- a/SPECS-EXTENDED/openssl-fips-provider/0002-Use-more-general-default-values-in-openssl.cnf.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-From 41df9ae215cee9574e17e6f887c96a7c97d588f5 Mon Sep 17 00:00:00 2001
-From: Tomas Mraz
-Date: Thu, 24 Sep 2020 09:03:40 +0200
-Subject: Use more general default values in openssl.cnf
-
-Also set sha256 as default hash, although that should not be
-necessary anymore.
-
-(was openssl-1.1.1-defaults.patch)
----
- apps/openssl.cnf | 12 +++++++-----
- 1 file changed, 7 insertions(+), 5 deletions(-)
-
-diff --git a/apps/openssl.cnf b/apps/openssl.cnf
-index 97567a67be..eb25a0ac48 100644
---- a/apps/openssl.cnf
-+++ b/apps/openssl.cnf
-@@ -104,7 +104,7 @@ cert_opt = ca_default # Certificate field options
-
- default_days = 365 # how long to certify for
- default_crl_days= 30 # how long before next CRL
--default_md = default # use public key default MD
-+default_md = sha256 # use SHA-256 by default
- preserve = no # keep passed DN ordering
-
- # A few difference way of specifying how similar the request should look
-@@ -136,6 +136,7 @@ emailAddress = optional
- ####################################################################
- [ req ]
- default_bits = 2048
-+default_md = sha256
- default_keyfile = privkey.pem
- distinguished_name = req_distinguished_name
- attributes = req_attributes
-@@ -158,17 +159,18 @@ string_mask = utf8only
-
- [ req_distinguished_name ]
- countryName = Country Name (2 letter code)
--countryName_default = AU
-+countryName_default = XX
- countryName_min = 2
- countryName_max = 2
-
- stateOrProvinceName = State or Province Name (full name)
--stateOrProvinceName_default = Some-State
-+#stateOrProvinceName_default = Default Province
-
- localityName = Locality Name (eg, city)
-+localityName_default = Default City
-
- 0.organizationName = Organization Name (eg, company)
--0.organizationName_default = Internet Widgits Pty Ltd
-+0.organizationName_default = Default Company Ltd
-
- # we can do this but it is not needed normally :-)
- #1.organizationName = Second Organization Name (eg, company)
-@@ -177,7 +179,7 @@ localityName = Locality Name (eg, city)
- organizationalUnitName = Organizational Unit Name (eg, section)
- #organizationalUnitName_default =
-
--commonName = Common Name (e.g. server FQDN or YOUR name)
-+commonName = Common Name (eg, your name or your server\'s hostname)
- commonName_max = 64
-
- emailAddress = Email Address
---
-2.26.2
-
diff --git a/SPECS-EXTENDED/openssl-fips-provider/0003-Do-not-install-html-docs-3.1.2-AZL.patch b/SPECS-EXTENDED/openssl-fips-provider/0003-Do-not-install-html-docs-3.1.2-AZL.patch
deleted file mode 100644
index a8951828817..00000000000
--- a/SPECS-EXTENDED/openssl-fips-provider/0003-Do-not-install-html-docs-3.1.2-AZL.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From 3a175899a03d7d74ab5b6af0a0c056924afea04c Mon Sep 17 00:00:00 2001
-From: Tobias Brick
-Date: Wed, 17 Apr 2024 20:41:39 +0000
-Subject: [PATCH] Do not install html docs
-
----
- Configurations/unix-Makefile.tmpl | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
-index 17e194f..77e8b53 100644
---- a/Configurations/unix-Makefile.tmpl
-+++ b/Configurations/unix-Makefile.tmpl
-@@ -611,7 +611,7 @@ install_sw: install_dev install_engines install_modules install_runtime
-
- uninstall_sw: uninstall_runtime uninstall_modules uninstall_engines uninstall_dev
-
--install_docs: install_man_docs install_html_docs
-+install_docs: install_man_docs ## Install manpages but not HTML documentation
-
- uninstall_docs: uninstall_man_docs uninstall_html_docs
- $(RM) -r $(DESTDIR)$(DOCDIR)
---
-2.45.4
-
diff --git a/SPECS-EXTENDED/openssl-fips-provider/0004-Override-default-paths-for-the-CA-directory-tree.patch b/SPECS-EXTENDED/openssl-fips-provider/0004-Override-default-paths-for-the-CA-directory-tree.patch
deleted file mode 100644
index 7f2077446a4..00000000000
--- a/SPECS-EXTENDED/openssl-fips-provider/0004-Override-default-paths-for-the-CA-directory-tree.patch
+++ /dev/null
@@ -1,77 +0,0 @@
-From 7a65ee33793fa8a28c0dfc94e6872ce92f408b15 Mon Sep 17 00:00:00 2001
-From: rpm-build
-Date: Mon, 31 Jul 2023 09:41:27 +0200
-Subject: [PATCH 04/35]
- 0004-Override-default-paths-for-the-CA-directory-tree.patch
-
-Patch-name: 0004-Override-default-paths-for-the-CA-directory-tree.patch
-Patch-id: 4
-Patch-status: |
- # Override default paths for the CA directory tree
-From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
----
- apps/CA.pl.in | 2 +-
- apps/openssl.cnf | 13 +++++++++++--
- 2 files changed, 12 insertions(+), 3 deletions(-)
-
-diff --git a/apps/CA.pl.in b/apps/CA.pl.in
-index f029470005..729f104a7e 100644
---- a/apps/CA.pl.in
-+++ b/apps/CA.pl.in
-@@ -29,7 +29,7 @@ my $X509 = "$openssl x509";
- my $PKCS12 = "$openssl pkcs12";
-
- # Default values for various configuration settings.
--my $CATOP = "./demoCA";
-+my $CATOP = "/etc/pki/CA";
- my $CAKEY = "cakey.pem";
- my $CAREQ = "careq.pem";
- my $CACERT = "cacert.pem";
-diff --git a/apps/openssl.cnf b/apps/openssl.cnf
-index 8141ab20cd..3956235fda 100644
---- a/apps/openssl.cnf
-+++ b/apps/openssl.cnf
-@@ -52,6 +52,8 @@ tsa_policy3 = 1.2.3.4.5.7
-
- [openssl_init]
- providers = provider_sect
-+# Load default TLS policy configuration
-+ssl_conf = ssl_module
-
- # List of providers to load
- [provider_sect]
-@@ -71,6 +73,13 @@ default = default_sect
- [default_sect]
- # activate = 1
-
-+[ ssl_module ]
-+
-+system_default = crypto_policy
-+
-+[ crypto_policy ]
-+
-+.include = /etc/crypto-policies/back-ends/opensslcnf.config
-
- ####################################################################
- [ ca ]
-@@ -79,7 +88,7 @@ default_ca = CA_default # The default ca section
- ####################################################################
- [ CA_default ]
-
--dir = ./demoCA # Where everything is kept
-+dir = /etc/pki/CA # Where everything is kept
- certs = $dir/certs # Where the issued certs are kept
- crl_dir = $dir/crl # Where the issued crl are kept
- database = $dir/index.txt # database index file.
-@@ -311,7 +320,7 @@ default_tsa = tsa_config1 # the default TSA section
- [ tsa_config1 ]
-
- # These are used by the TSA reply generation only.
--dir = ./demoCA # TSA root directory
-+dir = /etc/pki/CA # TSA root directory
- serial = $dir/tsaserial # The current serial number (mandatory)
- crypto_device = builtin # OpenSSL engine to use for signing
- signer_cert = $dir/tsacert.pem # The TSA signing certificate
---
-2.41.0
-
diff --git a/SPECS-EXTENDED/openssl-fips-provider/0005-apps-ca-fix-md-option-help-text.patch b/SPECS-EXTENDED/openssl-fips-provider/0005-apps-ca-fix-md-option-help-text.patch
deleted file mode 100644
index 1fed4c4619c..00000000000
--- a/SPECS-EXTENDED/openssl-fips-provider/0005-apps-ca-fix-md-option-help-text.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From 3d8fa9859501b07e02b76b5577e2915d5851e927 Mon Sep 17 00:00:00 2001
-From: Tomas Mraz
-Date: Thu, 24 Sep 2020 09:27:18 +0200
-Subject: apps/ca: fix md option help text
-
-upstreamable
-
-(was openssl-1.1.1-apps-dgst.patch)
----
- apps/ca.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/apps/ca.c b/apps/ca.c
-index 0f21b4fa1c..3d4b2c1673 100755
---- a/apps/ca.c
-+++ b/apps/ca.c
-@@ -209,7 +209,7 @@ const OPTIONS ca_options[] = {
- {"noemailDN", OPT_NOEMAILDN, '-', "Don't add the EMAIL field to the DN"},
-
- OPT_SECTION("Signing"),
-- {"md", OPT_MD, 's', "Digest to use, such as sha256"},
-+ {"md", OPT_MD, 's', "Digest to use, such as sha256; see openssl help for list"},
- {"keyfile", OPT_KEYFILE, 's', "The CA private key"},
- {"keyform", OPT_KEYFORM, 'f',
- "Private key file format (ENGINE, other values ignored)"},
---
-2.26.2
-
diff --git a/SPECS-EXTENDED/openssl-fips-provider/0006-Disable-signature-verification-with-totally-unsafe-h.patch b/SPECS-EXTENDED/openssl-fips-provider/0006-Disable-signature-verification-with-totally-unsafe-h.patch
deleted file mode 100644
index f9dd2ddb114..00000000000
--- a/SPECS-EXTENDED/openssl-fips-provider/0006-Disable-signature-verification-with-totally-unsafe-h.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 3f9deff30ae6efbfe979043b00cdf649b39793c0 Mon Sep 17 00:00:00 2001
-From: Tomas Mraz
-Date: Thu, 24 Sep 2020 09:51:34 +0200
-Subject: Disable signature verification with totally unsafe hash algorithms
-
-(was openssl-1.1.1-no-weak-verify.patch)
----
- crypto/asn1/a_verify.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/crypto/asn1/a_verify.c b/crypto/asn1/a_verify.c
-index b7eed914b0..af62f0ef08 100644
---- a/crypto/asn1/a_verify.c
-+++ b/crypto/asn1/a_verify.c
-@@ -152,6 +152,11 @@ int ASN1_item_verify_ctx(const ASN1_ITEM *it, const X509_ALGOR *alg,
- ERR_raise(ERR_LIB_ASN1, ERR_R_EVP_LIB);
- if (ret <= 1)
- goto err;
-+ } else if ((mdnid == NID_md5
-+ && ossl_safe_getenv("OPENSSL_ENABLE_MD5_VERIFY") == NULL) ||
-+ mdnid == NID_md4 || mdnid == NID_md2 || mdnid == NID_sha) {
-+ ERR_raise(ERR_LIB_ASN1, ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM);
-+ goto err;
- } else {
- const EVP_MD *type = NULL;
-
---
-2.26.2
-
diff --git a/SPECS-EXTENDED/openssl-fips-provider/0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch b/SPECS-EXTENDED/openssl-fips-provider/0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
deleted file mode 100644
index 2ac82fab048..00000000000
--- a/SPECS-EXTENDED/openssl-fips-provider/0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
+++ /dev/null
@@ -1,329 +0,0 @@
-From 66b728801f141c9db8e647ab02421c83694ade79 Mon Sep 17 00:00:00 2001
-From: rpm-build
-Date: Mon, 31 Jul 2023 09:41:27 +0200
-Subject: [PATCH 07/35]
- 0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
-
-Patch-name: 0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
-Patch-id: 7
-Patch-status: |
- # Add support for PROFILE=SYSTEM system default cipherlist
-From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
----
- Configurations/unix-Makefile.tmpl | 5 ++
- Configure | 11 +++-
- doc/man1/openssl-ciphers.pod.in | 9 ++++
- include/openssl/ssl.h.in | 5 ++
- ssl/ssl_ciph.c | 87 +++++++++++++++++++++++++++----
- ssl/ssl_lib.c | 4 +-
- test/cipherlist_test.c | 2 +
- util/libcrypto.num | 1 +
- 8 files changed, 110 insertions(+), 14 deletions(-)
-
-diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
-index f29cdc7f38..c0df026de3 100644
---- a/Configurations/unix-Makefile.tmpl
-+++ b/Configurations/unix-Makefile.tmpl
-@@ -315,6 +315,10 @@ MANDIR=$(INSTALLTOP)/share/man
- DOCDIR=$(INSTALLTOP)/share/doc/$(BASENAME)
- HTMLDIR=$(DOCDIR)/html
-
-+{- output_off() if $config{system_ciphers_file} eq ""; "" -}
-+SYSTEM_CIPHERS_FILE_DEFINE=-DSYSTEM_CIPHERS_FILE="\"{- $config{system_ciphers_file} -}\""
-+{- output_on() if $config{system_ciphers_file} eq ""; "" -}
-+
- # MANSUFFIX is for the benefit of anyone who may want to have a suffix
- # appended after the manpage file section number. "ssl" is popular,
- # resulting in files such as config.5ssl rather than config.5.
-@@ -338,6 +342,7 @@ CC=$(CROSS_COMPILE){- $config{CC} -}
- CXX={- $config{CXX} ? "\$(CROSS_COMPILE)$config{CXX}" : '' -}
- CPPFLAGS={- our $cppflags1 = join(" ",
- (map { "-D".$_} @{$config{CPPDEFINES}}),
-+ "\$(SYSTEM_CIPHERS_FILE_DEFINE)",
- (map { "-I".$_} @{$config{CPPINCLUDES}}),
- @{$config{CPPFLAGS}}) -}
- CFLAGS={- join(' ', @{$config{CFLAGS}}) -}
-diff --git a/Configure b/Configure
-index 456995240b..93be83be94 100755
---- a/Configure
-+++ b/Configure
-@@ -27,7 +27,7 @@ use OpenSSL::config;
- my $orig_death_handler = $SIG{__DIE__};
- $SIG{__DIE__} = \&death_handler;
-
--my $usage="Usage: Configure [no- ...] [enable- ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n";
-+my $usage="Usage: Configure [no- ...] [enable- ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--system-ciphers-file=SYSTEMCIPHERFILE] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n";
-
- my $banner = <<"EOF";
-
-@@ -61,6 +61,10 @@ EOF
- # given with --prefix.
- # This becomes the value of OPENSSLDIR in Makefile and in C.
- # (Default: PREFIX/ssl)
-+#
-+# --system-ciphers-file A file to read cipher string from when the PROFILE=SYSTEM
-+# cipher is specified (default).
-+#
- # --banner=".." Output specified text instead of default completion banner
- #
- # -w Don't wait after showing a Configure warning
-@@ -387,6 +391,7 @@ $config{prefix}="";
- $config{openssldir}="";
- $config{processor}="";
- $config{libdir}="";
-+$config{system_ciphers_file}="";
- my $auto_threads=1; # enable threads automatically? true by default
- my $default_ranlib;
-
-@@ -989,6 +994,10 @@ while (@argvcopy)
- die "FIPS key too long (64 bytes max)\n"
- if length $1 > 64;
- }
-+ elsif (/^--system-ciphers-file=(.*)$/)
-+ {
-+ $config{system_ciphers_file}=$1;
-+ }
- elsif (/^--banner=(.*)$/)
- {
- $banner = $1 . "\n";
-diff --git a/doc/man1/openssl-ciphers.pod.in b/doc/man1/openssl-ciphers.pod.in
-index 658730ec53..04e66bcebe 100644
---- a/doc/man1/openssl-ciphers.pod.in
-+++ b/doc/man1/openssl-ciphers.pod.in
-@@ -186,6 +186,15 @@ As of OpenSSL 1.0.0, the B cipher suites are sensibly ordered by default.
-
- The cipher suites not enabled by B, currently B.
-
-+=item B
-+
-+The list of enabled cipher suites will be loaded from the system crypto policy
-+configuration file B.
-+See also L.
-+This is the default behavior unless an application explicitly sets a cipher
-+list. If used in a cipher list configuration value this string must be at the
-+beginning of the cipher list, otherwise it will not be recognized.
-+
- =item B
-
- "High" encryption cipher suites. This currently means those with key lengths
-diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in
-index f03f52fbd8..0b6de603e2 100644
---- a/include/openssl/ssl.h.in
-+++ b/include/openssl/ssl.h.in
-@@ -208,6 +208,11 @@ extern "C" {
- * throwing out anonymous and unencrypted ciphersuites! (The latter are not
- * actually enabled by ALL, but "ALL:RSA" would enable some of them.)
- */
-+# ifdef SYSTEM_CIPHERS_FILE
-+# define SSL_SYSTEM_DEFAULT_CIPHER_LIST "PROFILE=SYSTEM"
-+# else
-+# define SSL_SYSTEM_DEFAULT_CIPHER_LIST OSSL_default_cipher_list()
-+# endif
-
- /* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
- # define SSL_SENT_SHUTDOWN 1
-diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
-index 93de9cf8fd..a5e60e8839 100644
---- a/ssl/ssl_ciph.c
-+++ b/ssl/ssl_ciph.c
-@@ -1443,6 +1443,53 @@ int SSL_set_ciphersuites(SSL *s, const char *str)
- return ret;
- }
-
-+#ifdef SYSTEM_CIPHERS_FILE
-+static char *load_system_str(const char *suffix)
-+{
-+ FILE *fp;
-+ char buf[1024];
-+ char *new_rules;
-+ const char *ciphers_path;
-+ unsigned len, slen;
-+
-+ if ((ciphers_path = ossl_safe_getenv("OPENSSL_SYSTEM_CIPHERS_OVERRIDE")) == NULL)
-+ ciphers_path = SYSTEM_CIPHERS_FILE;
-+ fp = fopen(ciphers_path, "r");
-+ if (fp == NULL || fgets(buf, sizeof(buf), fp) == NULL) {
-+ /* cannot open or file is empty */
-+ snprintf(buf, sizeof(buf), "%s", SSL_DEFAULT_CIPHER_LIST);
-+ }
-+
-+ if (fp)
-+ fclose(fp);
-+
-+ slen = strlen(suffix);
-+ len = strlen(buf);
-+
-+ if (buf[len - 1] == '\n') {
-+ len--;
-+ buf[len] = 0;
-+ }
-+ if (buf[len - 1] == '\r') {
-+ len--;
-+ buf[len] = 0;
-+ }
-+
-+ new_rules = OPENSSL_malloc(len + slen + 1);
-+ if (new_rules == 0)
-+ return NULL;
-+
-+ memcpy(new_rules, buf, len);
-+ if (slen > 0) {
-+ memcpy(&new_rules[len], suffix, slen);
-+ len += slen;
-+ }
-+ new_rules[len] = 0;
-+
-+ return new_rules;
-+}
-+#endif
-+
- STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
- STACK_OF(SSL_CIPHER) *tls13_ciphersuites,
- STACK_OF(SSL_CIPHER) **cipher_list,
-@@ -1457,15 +1504,25 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
- CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
- const SSL_CIPHER **ca_list = NULL;
- const SSL_METHOD *ssl_method = ctx->method;
-+#ifdef SYSTEM_CIPHERS_FILE
-+ char *new_rules = NULL;
-+
-+ if (rule_str != NULL && strncmp(rule_str, "PROFILE=SYSTEM", 14) == 0) {
-+ char *p = rule_str + 14;
-+
-+ new_rules = load_system_str(p);
-+ rule_str = new_rules;
-+ }
-+#endif
-
- /*
- * Return with error if nothing to do.
- */
- if (rule_str == NULL || cipher_list == NULL || cipher_list_by_id == NULL)
-- return NULL;
-+ goto err;
-
- if (!check_suiteb_cipher_list(ssl_method, c, &rule_str))
-- return NULL;
-+ goto err;
-
- /*
- * To reduce the work to do we only want to process the compiled
-@@ -1487,7 +1544,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
- co_list = OPENSSL_malloc(sizeof(*co_list) * num_of_ciphers);
- if (co_list == NULL) {
- ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
-- return NULL; /* Failure */
-+ goto err;
- }
-
- ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers,
-@@ -1553,8 +1610,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
- * in force within each class
- */
- if (!ssl_cipher_strength_sort(&head, &tail)) {
-- OPENSSL_free(co_list);
-- return NULL;
-+ goto err;
- }
-
- /*
-@@ -1598,9 +1654,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
- num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1;
- ca_list = OPENSSL_malloc(sizeof(*ca_list) * num_of_alias_max);
- if (ca_list == NULL) {
-- OPENSSL_free(co_list);
- ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
-- return NULL; /* Failure */
-+ goto err;
- }
- ssl_cipher_collect_aliases(ca_list, num_of_group_aliases,
- disabled_mkey, disabled_auth, disabled_enc,
-@@ -1626,8 +1681,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
- OPENSSL_free(ca_list); /* Not needed anymore */
-
- if (!ok) { /* Rule processing failure */
-- OPENSSL_free(co_list);
-- return NULL;
-+ goto err;
- }
-
- /*
-@@ -1635,10 +1689,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
- * if we cannot get one.
- */
- if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) {
-- OPENSSL_free(co_list);
-- return NULL;
-+ goto err;
- }
-
-+#ifdef SYSTEM_CIPHERS_FILE
-+ OPENSSL_free(new_rules); /* Not needed anymore */
-+#endif
-+
- /* Add TLSv1.3 ciphers first - we always prefer those if possible */
- for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) {
- const SSL_CIPHER *sslc = sk_SSL_CIPHER_value(tls13_ciphersuites, i);
-@@ -1690,6 +1747,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
- *cipher_list = cipherstack;
-
- return cipherstack;
-+
-+err:
-+ OPENSSL_free(co_list);
-+#ifdef SYSTEM_CIPHERS_FILE
-+ OPENSSL_free(new_rules);
-+#endif
-+ return NULL;
-+
- }
-
- char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
-diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
-index f12ad6d034..a059bcd83b 100644
---- a/ssl/ssl_lib.c
-+++ b/ssl/ssl_lib.c
-@@ -661,7 +661,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth)
- ctx->tls13_ciphersuites,
- &(ctx->cipher_list),
- &(ctx->cipher_list_by_id),
-- OSSL_default_cipher_list(), ctx->cert);
-+ SSL_SYSTEM_DEFAULT_CIPHER_LIST, ctx->cert);
- if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) {
- ERR_raise(ERR_LIB_SSL, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
- return 0;
-@@ -3286,7 +3286,7 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq,
- if (!ssl_create_cipher_list(ret,
- ret->tls13_ciphersuites,
- &ret->cipher_list, &ret->cipher_list_by_id,
-- OSSL_default_cipher_list(), ret->cert)
-+ SSL_SYSTEM_DEFAULT_CIPHER_LIST, ret->cert)
- || sk_SSL_CIPHER_num(ret->cipher_list) <= 0) {
- ERR_raise(ERR_LIB_SSL, SSL_R_LIBRARY_HAS_NO_CIPHERS);
- goto err2;
-diff --git a/test/cipherlist_test.c b/test/cipherlist_test.c
-index 2d166e2b46..4ff2aa12d6 100644
---- a/test/cipherlist_test.c
-+++ b/test/cipherlist_test.c
-@@ -246,7 +246,9 @@ end:
-
- int setup_tests(void)
- {
-+#ifndef SYSTEM_CIPHERS_FILE
- ADD_TEST(test_default_cipherlist_implicit);
-+#endif
- ADD_TEST(test_default_cipherlist_explicit);
- ADD_TEST(test_default_cipherlist_clear);
- return 1;
-diff --git a/util/libcrypto.num b/util/libcrypto.num
-index 406392a7d9..9cb8a4dda2 100644
---- a/util/libcrypto.num
-+++ b/util/libcrypto.num
-@@ -5435,3 +5435,4 @@ EVP_MD_CTX_dup 5562 3_1_0 EXIST::FUNCTION:
- EVP_CIPHER_CTX_dup 5563 3_1_0 EXIST::FUNCTION:
- BN_are_coprime 5564 3_1_0 EXIST::FUNCTION:
- OSSL_CMP_MSG_update_recipNonce 5565 3_0_9 EXIST::FUNCTION:CMP
-+ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION:
---
-2.41.0
-
diff --git a/SPECS-EXTENDED/openssl-fips-provider/0008-Add-FIPS_mode-compatibility-macro-3.1.4-fedora.patch b/SPECS-EXTENDED/openssl-fips-provider/0008-Add-FIPS_mode-compatibility-macro-3.1.4-fedora.patch
deleted file mode 100644
index c05aa798755..00000000000
--- a/SPECS-EXTENDED/openssl-fips-provider/0008-Add-FIPS_mode-compatibility-macro-3.1.4-fedora.patch
+++ /dev/null
@@ -1,83 +0,0 @@
-From 8e29a10b39a649d751870eb1fd1b8c388e66acc3 Mon Sep 17 00:00:00 2001
-From: rpm-build
-Date: Mon, 31 Jul 2023 09:41:27 +0200
-Subject: [PATCH 08/35] 0008-Add-FIPS_mode-compatibility-macro.patch
-
-Patch-name: 0008-Add-FIPS_mode-compatibility-macro.patch
-Patch-id: 8
-Patch-status: |
- # Add FIPS_mode() compatibility macro
-From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
----
- include/openssl/fips.h | 26 ++++++++++++++++++++++++++
- test/property_test.c | 14 ++++++++++++++
- 2 files changed, 40 insertions(+)
- create mode 100644 include/openssl/fips.h
-
-diff --git a/include/openssl/fips.h b/include/openssl/fips.h
-new file mode 100644
-index 0000000000..4162cbf88e
---- /dev/null
-+++ b/include/openssl/fips.h
-@@ -0,0 +1,26 @@
-+/*
-+ * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
-+ *
-+ * Licensed under the Apache License 2.0 (the "License"). You may not use
-+ * this file except in compliance with the License. You can obtain a copy
-+ * in the file LICENSE in the source distribution or at
-+ * https://www.openssl.org/source/license.html
-+ */
-+
-+#ifndef OPENSSL_FIPS_H
-+# define OPENSSL_FIPS_H
-+# pragma once
-+
-+# include
-+# include
-+
-+# ifdef __cplusplus
-+extern "C" {
-+# endif
-+
-+# define FIPS_mode() EVP_default_properties_is_fips_enabled(NULL)
-+
-+# ifdef __cplusplus
-+}
-+# endif
-+#endif
-diff --git a/test/property_test.c b/test/property_test.c
-index 45b1db3e85..8894c1c1cb 100644
---- a/test/property_test.c
-+++ b/test/property_test.c
-@@ -677,6 +677,19 @@ static int test_property_list_to_string(int i)
- return ret;
- }
-
-+#include
-+static int test_downstream_FIPS_mode(void)
-+{
-+ int ret = 0;
-+
-+ ret = TEST_true(EVP_set_default_properties(NULL, "fips=yes"))
-+ && TEST_true(FIPS_mode())
-+ && TEST_true(EVP_set_default_properties(NULL, "fips=no"))
-+ && TEST_false(FIPS_mode());
-+
-+ return ret;
-+}
-+
- int setup_tests(void)
- {
- ADD_TEST(test_property_string);
-@@ -690,6 +703,7 @@ int setup_tests(void)
- ADD_TEST(test_property);
- ADD_TEST(test_query_cache_stochastic);
- ADD_TEST(test_fips_mode);
-+ ADD_TEST(test_downstream_FIPS_mode);
- ADD_ALL_TESTS(test_property_list_to_string, OSSL_NELEM(to_string_tests));
- return 1;
- }
---
-2.41.0
-
diff --git a/SPECS-EXTENDED/openssl-fips-provider/0009-Add-Kernel-FIPS-mode-flag-support-3.1.4-fedora.patch b/SPECS-EXTENDED/openssl-fips-provider/0009-Add-Kernel-FIPS-mode-flag-support-3.1.4-fedora.patch
deleted file mode 100644
index 7b7a223aff3..00000000000
--- a/SPECS-EXTENDED/openssl-fips-provider/0009-Add-Kernel-FIPS-mode-flag-support-3.1.4-fedora.patch
+++ /dev/null
@@ -1,86 +0,0 @@
-From aa3aebf132959e7e44876042efaf9ff24ffe0f2b Mon Sep 17 00:00:00 2001
-From: rpm-build
-Date: Mon, 31 Jul 2023 09:41:27 +0200
-Subject: [PATCH 09/35] 0009-Add-Kernel-FIPS-mode-flag-support.patch
-
-Patch-name: 0009-Add-Kernel-FIPS-mode-flag-support.patch
-Patch-id: 9
-Patch-status: |
- # Add check to see if fips flag is enabled in kernel
-From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
----
- crypto/context.c | 36 ++++++++++++++++++++++++++++++++++++
- include/internal/provider.h | 3 +++
- 2 files changed, 39 insertions(+)
-
-diff --git a/crypto/context.c b/crypto/context.c
-index e294ea1512..51002ba79a 100644
---- a/crypto/context.c
-+++ b/crypto/context.c
-@@ -16,6 +16,41 @@
- #include "internal/provider.h"
- #include "crypto/context.h"
-
-+# include
-+# include
-+# include
-+# include
-+# include
-+
-+# define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled"
-+
-+static int kernel_fips_flag;
-+
-+static void read_kernel_fips_flag(void)
-+{
-+ char buf[2] = "0";
-+ int fd;
-+
-+ if (ossl_safe_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) {
-+ buf[0] = '1';
-+ } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) {
-+ while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ;
-+ close(fd);
-+ }
-+
-+ if (buf[0] == '1') {
-+ kernel_fips_flag = 1;
-+ }
-+
-+ return;
-+}
-+
-+int ossl_get_kernel_fips_flag()
-+{
-+ return kernel_fips_flag;
-+}
-+
-+
- struct ossl_lib_ctx_st {
- CRYPTO_RWLOCK *lock, *rand_crngt_lock;
- OSSL_EX_DATA_GLOBAL global;
-@@ -336,6 +371,7 @@ static int default_context_inited = 0;
-
- DEFINE_RUN_ONCE_STATIC(default_context_do_init)
- {
-+ read_kernel_fips_flag();
- if (!CRYPTO_THREAD_init_local(&default_context_thread_local, NULL))
- goto err;
-
-diff --git a/include/internal/provider.h b/include/internal/provider.h
-index 18937f84c7..1446bf7afb 100644
---- a/include/internal/provider.h
-+++ b/include/internal/provider.h
-@@ -112,6 +112,9 @@ int ossl_provider_init_as_child(OSSL_LIB_CTX *ctx,
- const
OSSL_DISPATCH *in);
- void ossl_provider_deinit_child(OSSL_LIB_CTX *ctx);
-
-+/* FIPS flag access */
-+int ossl_get_kernel_fips_flag(void);
-+
- # ifdef __cplusplus
- }
- # endif
---
-2.41.0
-
diff --git a/SPECS-EXTENDED/openssl-fips-provider/0010-Add-changes-to-ectest-and-eccurve-3.1.4-fedora.patch b/SPECS-EXTENDED/openssl-fips-provider/0010-Add-changes-to-ectest-and-eccurve-3.1.4-fedora.patch
deleted file mode 100644
index 876ddb353c4..00000000000
--- a/SPECS-EXTENDED/openssl-fips-provider/0010-Add-changes-to-ectest-and-eccurve-3.1.4-fedora.patch
+++ /dev/null
@@ -1,1148 +0,0 @@ -From 37fae351c6fef272baf383469181aecfcac87592 Mon Sep 17 00:00:00 2001 -From: rpm-build -Date: Mon, 31 Jul 2023 09:41:27 +0200 -Subject: [PATCH 10/35] 0010-Add-changes-to-ectest-and-eccurve.patch - -Patch-name: 0010-Add-changes-to-ectest-and-eccurve.patch -Patch-id: 10 -Patch-status: | - # Instead of replacing ectest.c and ec_curve.c, add the changes as a patch so - # that new modifications made to these files by upstream are not lost. -From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd ---- - crypto/ec/ec_curve.c | 844 ------------------------------------------- - test/ectest.c | 174 +-------- - 2 files changed, 8 insertions(+), 1010 deletions(-) - -diff --git a/crypto/ec/ec_curve.c b/crypto/ec/ec_curve.c -index b5b2f3342d..d32a768fe6 100644 ---- a/crypto/ec/ec_curve.c -+++ b/crypto/ec/ec_curve.c -@@ -30,38 +30,6 @@ typedef struct { - } EC_CURVE_DATA; - - /* the nist prime curves */ --static const struct { -- EC_CURVE_DATA h; -- unsigned char data[20 + 24 * 6]; --} _EC_NIST_PRIME_192 = { -- { -- NID_X9_62_prime_field, 20, 24, 1 -- }, -- { -- /* seed */ -- 0x30, 0x45, 0xAE, 0x6F, 0xC8, 0x42, 0x2F, 0x64, 0xED, 0x57, 0x95, 0x28, -- 0xD3, 0x81, 0x20, 0xEA, 0xE1, 0x21, 0x96, 0xD5, -- /* p */ -- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, -- 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, -- /* a */ -- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, -- 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC, -- /* b */ -- 0x64, 0x21, 0x05, 0x19, 0xE5, 0x9C, 0x80, 0xE7, 0x0F, 0xA7, 0xE9, 0xAB, -- 0x72, 0x24, 0x30, 0x49, 0xFE, 0xB8, 0xDE, 0xEC, 0xC1, 0x46, 0xB9, 0xB1, -- /* x */ -- 0x18, 0x8D, 0xA8, 0x0E, 0xB0, 0x30, 0x90, 0xF6, 0x7C, 0xBF, 0x20, 0xEB, -- 0x43, 0xA1, 0x88, 0x00, 0xF4, 0xFF, 0x0A, 0xFD, 0x82, 0xFF, 0x10, 0x12, -- /* y */ -- 0x07, 0x19, 0x2b, 0x95, 0xff, 0xc8, 0xda, 0x78, 0x63, 0x10, 0x11, 0xed, -- 0x6b, 0x24, 0xcd, 0xd5, 0x73, 0xf9, 
0x77, 0xa1, 0x1e, 0x79, 0x48, 0x11, -- /* order */ -- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, -- 0x99, 0xDE, 0xF8, 0x36, 0x14, 0x6B, 0xC9, 0xB1, 0xB4, 0xD2, 0x28, 0x31 -- } --}; -- - static const struct { - EC_CURVE_DATA h; - unsigned char data[20 + 28 * 6]; -@@ -200,187 +168,6 @@ static const struct { - } - }; - --# ifndef FIPS_MODULE --/* the x9.62 prime curves (minus the nist prime curves) */ --static const struct { -- EC_CURVE_DATA h; -- unsigned char data[20 + 24 * 6]; --} _EC_X9_62_PRIME_192V2 = { -- { -- NID_X9_62_prime_field, 20, 24, 1 -- }, -- { -- /* seed */ -- 0x31, 0xA9, 0x2E, 0xE2, 0x02, 0x9F, 0xD1, 0x0D, 0x90, 0x1B, 0x11, 0x3E, -- 0x99, 0x07, 0x10, 0xF0, 0xD2, 0x1A, 0xC6, 0xB6, -- /* p */ -- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, -- 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, -- /* a */ -- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, -- 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC, -- /* b */ -- 0xCC, 0x22, 0xD6, 0xDF, 0xB9, 0x5C, 0x6B, 0x25, 0xE4, 0x9C, 0x0D, 0x63, -- 0x64, 0xA4, 0xE5, 0x98, 0x0C, 0x39, 0x3A, 0xA2, 0x16, 0x68, 0xD9, 0x53, -- /* x */ -- 0xEE, 0xA2, 0xBA, 0xE7, 0xE1, 0x49, 0x78, 0x42, 0xF2, 0xDE, 0x77, 0x69, -- 0xCF, 0xE9, 0xC9, 0x89, 0xC0, 0x72, 0xAD, 0x69, 0x6F, 0x48, 0x03, 0x4A, -- /* y */ -- 0x65, 0x74, 0xd1, 0x1d, 0x69, 0xb6, 0xec, 0x7a, 0x67, 0x2b, 0xb8, 0x2a, -- 0x08, 0x3d, 0xf2, 0xf2, 0xb0, 0x84, 0x7d, 0xe9, 0x70, 0xb2, 0xde, 0x15, -- /* order */ -- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, -- 0x5F, 0xB1, 0xA7, 0x24, 0xDC, 0x80, 0x41, 0x86, 0x48, 0xD8, 0xDD, 0x31 -- } --}; -- --static const struct { -- EC_CURVE_DATA h; -- unsigned char data[20 + 24 * 6]; --} _EC_X9_62_PRIME_192V3 = { -- { -- NID_X9_62_prime_field, 20, 24, 1 -- }, -- { -- /* seed */ -- 0xC4, 0x69, 0x68, 0x44, 0x35, 0xDE, 0xB3, 0x78, 0xC4, 0xB6, 0x5C, 0xA9, -- 0x59, 0x1E, 0x2A, 0x57, 0x63, 
0x05, 0x9A, 0x2E, -- /* p */ -- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, -- 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, -- /* a */ -- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, -- 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC, -- /* b */ -- 0x22, 0x12, 0x3D, 0xC2, 0x39, 0x5A, 0x05, 0xCA, 0xA7, 0x42, 0x3D, 0xAE, -- 0xCC, 0xC9, 0x47, 0x60, 0xA7, 0xD4, 0x62, 0x25, 0x6B, 0xD5, 0x69, 0x16, -- /* x */ -- 0x7D, 0x29, 0x77, 0x81, 0x00, 0xC6, 0x5A, 0x1D, 0xA1, 0x78, 0x37, 0x16, -- 0x58, 0x8D, 0xCE, 0x2B, 0x8B, 0x4A, 0xEE, 0x8E, 0x22, 0x8F, 0x18, 0x96, -- /* y */ -- 0x38, 0xa9, 0x0f, 0x22, 0x63, 0x73, 0x37, 0x33, 0x4b, 0x49, 0xdc, 0xb6, -- 0x6a, 0x6d, 0xc8, 0xf9, 0x97, 0x8a, 0xca, 0x76, 0x48, 0xa9, 0x43, 0xb0, -- /* order */ -- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, -- 0x7A, 0x62, 0xD0, 0x31, 0xC8, 0x3F, 0x42, 0x94, 0xF6, 0x40, 0xEC, 0x13 -- } --}; -- --static const struct { -- EC_CURVE_DATA h; -- unsigned char data[20 + 30 * 6]; --} _EC_X9_62_PRIME_239V1 = { -- { -- NID_X9_62_prime_field, 20, 30, 1 -- }, -- { -- /* seed */ -- 0xE4, 0x3B, 0xB4, 0x60, 0xF0, 0xB8, 0x0C, 0xC0, 0xC0, 0xB0, 0x75, 0x79, -- 0x8E, 0x94, 0x80, 0x60, 0xF8, 0x32, 0x1B, 0x7D, -- /* p */ -- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, -- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, -- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, -- /* a */ -- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, -- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, -- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC, -- /* b */ -- 0x6B, 0x01, 0x6C, 0x3B, 0xDC, 0xF1, 0x89, 0x41, 0xD0, 0xD6, 0x54, 0x92, -- 0x14, 0x75, 0xCA, 0x71, 0xA9, 0xDB, 0x2F, 0xB2, 0x7D, 0x1D, 0x37, 0x79, -- 0x61, 0x85, 0xC2, 0x94, 0x2C, 0x0A, -- /* x */ -- 0x0F, 0xFA, 0x96, 0x3C, 0xDC, 0xA8, 0x81, 0x6C, 0xCC, 0x33, 0xB8, 0x64, -- 0x2B, 
0xED, 0xF9, 0x05, 0xC3, 0xD3, 0x58, 0x57, 0x3D, 0x3F, 0x27, 0xFB, -- 0xBD, 0x3B, 0x3C, 0xB9, 0xAA, 0xAF, -- /* y */ -- 0x7d, 0xeb, 0xe8, 0xe4, 0xe9, 0x0a, 0x5d, 0xae, 0x6e, 0x40, 0x54, 0xca, -- 0x53, 0x0b, 0xa0, 0x46, 0x54, 0xb3, 0x68, 0x18, 0xce, 0x22, 0x6b, 0x39, -- 0xfc, 0xcb, 0x7b, 0x02, 0xf1, 0xae, -- /* order */ -- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, -- 0x7F, 0xFF, 0xFF, 0x9E, 0x5E, 0x9A, 0x9F, 0x5D, 0x90, 0x71, 0xFB, 0xD1, -- 0x52, 0x26, 0x88, 0x90, 0x9D, 0x0B -- } --}; -- --static const struct { -- EC_CURVE_DATA h; -- unsigned char data[20 + 30 * 6]; --} _EC_X9_62_PRIME_239V2 = { -- { -- NID_X9_62_prime_field, 20, 30, 1 -- }, -- { -- /* seed */ -- 0xE8, 0xB4, 0x01, 0x16, 0x04, 0x09, 0x53, 0x03, 0xCA, 0x3B, 0x80, 0x99, -- 0x98, 0x2B, 0xE0, 0x9F, 0xCB, 0x9A, 0xE6, 0x16, -- /* p */ -- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, -- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, -- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, -- /* a */ -- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, -- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, -- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC, -- /* b */ -- 0x61, 0x7F, 0xAB, 0x68, 0x32, 0x57, 0x6C, 0xBB, 0xFE, 0xD5, 0x0D, 0x99, -- 0xF0, 0x24, 0x9C, 0x3F, 0xEE, 0x58, 0xB9, 0x4B, 0xA0, 0x03, 0x8C, 0x7A, -- 0xE8, 0x4C, 0x8C, 0x83, 0x2F, 0x2C, -- /* x */ -- 0x38, 0xAF, 0x09, 0xD9, 0x87, 0x27, 0x70, 0x51, 0x20, 0xC9, 0x21, 0xBB, -- 0x5E, 0x9E, 0x26, 0x29, 0x6A, 0x3C, 0xDC, 0xF2, 0xF3, 0x57, 0x57, 0xA0, -- 0xEA, 0xFD, 0x87, 0xB8, 0x30, 0xE7, -- /* y */ -- 0x5b, 0x01, 0x25, 0xe4, 0xdb, 0xea, 0x0e, 0xc7, 0x20, 0x6d, 0xa0, 0xfc, -- 0x01, 0xd9, 0xb0, 0x81, 0x32, 0x9f, 0xb5, 0x55, 0xde, 0x6e, 0xf4, 0x60, -- 0x23, 0x7d, 0xff, 0x8b, 0xe4, 0xba, -- /* order */ -- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, -- 0x80, 0x00, 0x00, 0xCF, 0xA7, 0xE8, 0x59, 0x43, 0x77, 0xD4, 0x14, 0xC0, -- 0x38, 
0x21, 0xBC, 0x58, 0x20, 0x63 -- } --}; -- --static const struct { -- EC_CURVE_DATA h; -- unsigned char data[20 + 30 * 6]; --} _EC_X9_62_PRIME_239V3 = { -- { -- NID_X9_62_prime_field, 20, 30, 1 -- }, -- { -- /* seed */ -- 0x7D, 0x73, 0x74, 0x16, 0x8F, 0xFE, 0x34, 0x71, 0xB6, 0x0A, 0x85, 0x76, -- 0x86, 0xA1, 0x94, 0x75, 0xD3, 0xBF, 0xA2, 0xFF, -- /* p */ -- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, -- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, -- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, -- /* a */ -- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, -- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, -- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC, -- /* b */ -- 0x25, 0x57, 0x05, 0xFA, 0x2A, 0x30, 0x66, 0x54, 0xB1, 0xF4, 0xCB, 0x03, -- 0xD6, 0xA7, 0x50, 0xA3, 0x0C, 0x25, 0x01, 0x02, 0xD4, 0x98, 0x87, 0x17, -- 0xD9, 0xBA, 0x15, 0xAB, 0x6D, 0x3E, -- /* x */ -- 0x67, 0x68, 0xAE, 0x8E, 0x18, 0xBB, 0x92, 0xCF, 0xCF, 0x00, 0x5C, 0x94, -- 0x9A, 0xA2, 0xC6, 0xD9, 0x48, 0x53, 0xD0, 0xE6, 0x60, 0xBB, 0xF8, 0x54, -- 0xB1, 0xC9, 0x50, 0x5F, 0xE9, 0x5A, -- /* y */ -- 0x16, 0x07, 0xe6, 0x89, 0x8f, 0x39, 0x0c, 0x06, 0xbc, 0x1d, 0x55, 0x2b, -- 0xad, 0x22, 0x6f, 0x3b, 0x6f, 0xcf, 0xe4, 0x8b, 0x6e, 0x81, 0x84, 0x99, -- 0xaf, 0x18, 0xe3, 0xed, 0x6c, 0xf3, -- /* order */ -- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, -- 0x7F, 0xFF, 0xFF, 0x97, 0x5D, 0xEB, 0x41, 0xB3, 0xA6, 0x05, 0x7C, 0x3C, -- 0x43, 0x21, 0x46, 0x52, 0x65, 0x51 -- } --}; --#endif /* FIPS_MODULE */ -- - static const struct { - EC_CURVE_DATA h; - unsigned char data[20 + 32 * 6]; -@@ -421,294 +208,6 @@ static const struct { - - #ifndef FIPS_MODULE - /* the secg prime curves (minus the nist and x9.62 prime curves) */ --static const struct { -- EC_CURVE_DATA h; -- unsigned char data[20 + 14 * 6]; --} _EC_SECG_PRIME_112R1 = { -- { -- NID_X9_62_prime_field, 20, 14, 1 -- }, -- { -- /* seed */ -- 0x00, 0xF5, 0x0B, 
0x02, 0x8E, 0x4D, 0x69, 0x6E, 0x67, 0x68, 0x75, 0x61, -- 0x51, 0x75, 0x29, 0x04, 0x72, 0x78, 0x3F, 0xB1, -- /* p */ -- 0xDB, 0x7C, 0x2A, 0xBF, 0x62, 0xE3, 0x5E, 0x66, 0x80, 0x76, 0xBE, 0xAD, -- 0x20, 0x8B, -- /* a */ -- 0xDB, 0x7C, 0x2A, 0xBF, 0x62, 0xE3, 0x5E, 0x66, 0x80, 0x76, 0xBE, 0xAD, -- 0x20, 0x88, -- /* b */ -- 0x65, 0x9E, 0xF8, 0xBA, 0x04, 0x39, 0x16, 0xEE, 0xDE, 0x89, 0x11, 0x70, -- 0x2B, 0x22, -- /* x */ -- 0x09, 0x48, 0x72, 0x39, 0x99, 0x5A, 0x5E, 0xE7, 0x6B, 0x55, 0xF9, 0xC2, -- 0xF0, 0x98, -- /* y */ -- 0xa8, 0x9c, 0xe5, 0xaf, 0x87, 0x24, 0xc0, 0xa2, 0x3e, 0x0e, 0x0f, 0xf7, -- 0x75, 0x00, -- /* order */ -- 0xDB, 0x7C, 0x2A, 0xBF, 0x62, 0xE3, 0x5E, 0x76, 0x28, 0xDF, 0xAC, 0x65, -- 0x61, 0xC5 -- } --}; -- --static const struct { -- EC_CURVE_DATA h; -- unsigned char data[20 + 14 * 6]; --} _EC_SECG_PRIME_112R2 = { -- { -- NID_X9_62_prime_field, 20, 14, 4 -- }, -- { -- /* seed */ -- 0x00, 0x27, 0x57, 0xA1, 0x11, 0x4D, 0x69, 0x6E, 0x67, 0x68, 0x75, 0x61, -- 0x51, 0x75, 0x53, 0x16, 0xC0, 0x5E, 0x0B, 0xD4, -- /* p */ -- 0xDB, 0x7C, 0x2A, 0xBF, 0x62, 0xE3, 0x5E, 0x66, 0x80, 0x76, 0xBE, 0xAD, -- 0x20, 0x8B, -- /* a */ -- 0x61, 0x27, 0xC2, 0x4C, 0x05, 0xF3, 0x8A, 0x0A, 0xAA, 0xF6, 0x5C, 0x0E, -- 0xF0, 0x2C, -- /* b */ -- 0x51, 0xDE, 0xF1, 0x81, 0x5D, 0xB5, 0xED, 0x74, 0xFC, 0xC3, 0x4C, 0x85, -- 0xD7, 0x09, -- /* x */ -- 0x4B, 0xA3, 0x0A, 0xB5, 0xE8, 0x92, 0xB4, 0xE1, 0x64, 0x9D, 0xD0, 0x92, -- 0x86, 0x43, -- /* y */ -- 0xad, 0xcd, 0x46, 0xf5, 0x88, 0x2e, 0x37, 0x47, 0xde, 0xf3, 0x6e, 0x95, -- 0x6e, 0x97, -- /* order */ -- 0x36, 0xDF, 0x0A, 0xAF, 0xD8, 0xB8, 0xD7, 0x59, 0x7C, 0xA1, 0x05, 0x20, -- 0xD0, 0x4B -- } --}; -- --static const struct { -- EC_CURVE_DATA h; -- unsigned char data[20 + 16 * 6]; --} _EC_SECG_PRIME_128R1 = { -- { -- NID_X9_62_prime_field, 20, 16, 1 -- }, -- { -- /* seed */ -- 0x00, 0x0E, 0x0D, 0x4D, 0x69, 0x6E, 0x67, 0x68, 0x75, 0x61, 0x51, 0x75, -- 0x0C, 0xC0, 0x3A, 0x44, 0x73, 0xD0, 0x36, 0x79, -- /* p */ -- 0xFF, 0xFF, 0xFF, 0xFD, 0xFF, 
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, -- 0xFF, 0xFF, 0xFF, 0xFF, -- /* a */ -- 0xFF, 0xFF, 0xFF, 0xFD, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, -- 0xFF, 0xFF, 0xFF, 0xFC, -- /* b */ -- 0xE8, 0x75, 0x79, 0xC1, 0x10, 0x79, 0xF4, 0x3D, 0xD8, 0x24, 0x99, 0x3C, -- 0x2C, 0xEE, 0x5E, 0xD3, -- /* x */ -- 0x16, 0x1F, 0xF7, 0x52, 0x8B, 0x89, 0x9B, 0x2D, 0x0C, 0x28, 0x60, 0x7C, -- 0xA5, 0x2C, 0x5B, 0x86, -- /* y */ -- 0xcf, 0x5a, 0xc8, 0x39, 0x5b, 0xaf, 0xeb, 0x13, 0xc0, 0x2d, 0xa2, 0x92, -- 0xdd, 0xed, 0x7a, 0x83, -- /* order */ -- 0xFF, 0xFF, 0xFF, 0xFE, 0x00, 0x00, 0x00, 0x00, 0x75, 0xA3, 0x0D, 0x1B, -- 0x90, 0x38, 0xA1, 0x15 -- } --}; -- --static const struct { -- EC_CURVE_DATA h; -- unsigned char data[20 + 16 * 6]; --} _EC_SECG_PRIME_128R2 = { -- { -- NID_X9_62_prime_field, 20, 16, 4 -- }, -- { -- /* seed */ -- 0x00, 0x4D, 0x69, 0x6E, 0x67, 0x68, 0x75, 0x61, 0x51, 0x75, 0x12, 0xD8, -- 0xF0, 0x34, 0x31, 0xFC, 0xE6, 0x3B, 0x88, 0xF4, -- /* p */ -- 0xFF, 0xFF, 0xFF, 0xFD, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, -- 0xFF, 0xFF, 0xFF, 0xFF, -- /* a */ -- 0xD6, 0x03, 0x19, 0x98, 0xD1, 0xB3, 0xBB, 0xFE, 0xBF, 0x59, 0xCC, 0x9B, -- 0xBF, 0xF9, 0xAE, 0xE1, -- /* b */ -- 0x5E, 0xEE, 0xFC, 0xA3, 0x80, 0xD0, 0x29, 0x19, 0xDC, 0x2C, 0x65, 0x58, -- 0xBB, 0x6D, 0x8A, 0x5D, -- /* x */ -- 0x7B, 0x6A, 0xA5, 0xD8, 0x5E, 0x57, 0x29, 0x83, 0xE6, 0xFB, 0x32, 0xA7, -- 0xCD, 0xEB, 0xC1, 0x40, -- /* y */ -- 0x27, 0xb6, 0x91, 0x6a, 0x89, 0x4d, 0x3a, 0xee, 0x71, 0x06, 0xfe, 0x80, -- 0x5f, 0xc3, 0x4b, 0x44, -- /* order */ -- 0x3F, 0xFF, 0xFF, 0xFF, 0x7F, 0xFF, 0xFF, 0xFF, 0xBE, 0x00, 0x24, 0x72, -- 0x06, 0x13, 0xB5, 0xA3 -- } --}; -- --static const struct { -- EC_CURVE_DATA h; -- unsigned char data[0 + 21 * 6]; --} _EC_SECG_PRIME_160K1 = { -- { -- NID_X9_62_prime_field, 0, 21, 1 -- }, -- { -- /* no seed */ -- /* p */ -- 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, -- 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xAC, 0x73, -- /* a */ -- 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, -- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, -- /* b */ -- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, -- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07, -- /* x */ -- 0x00, 0x3B, 0x4C, 0x38, 0x2C, 0xE3, 0x7A, 0xA1, 0x92, 0xA4, 0x01, 0x9E, -- 0x76, 0x30, 0x36, 0xF4, 0xF5, 0xDD, 0x4D, 0x7E, 0xBB, -- /* y */ -- 0x00, 0x93, 0x8c, 0xf9, 0x35, 0x31, 0x8f, 0xdc, 0xed, 0x6b, 0xc2, 0x82, -- 0x86, 0x53, 0x17, 0x33, 0xc3, 0xf0, 0x3c, 0x4f, 0xee, -- /* order */ -- 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0xB8, -- 0xFA, 0x16, 0xDF, 0xAB, 0x9A, 0xCA, 0x16, 0xB6, 0xB3 -- } --}; -- --static const struct { -- EC_CURVE_DATA h; -- unsigned char data[20 + 21 * 6]; --} _EC_SECG_PRIME_160R1 = { -- { -- NID_X9_62_prime_field, 20, 21, 1 -- }, -- { -- /* seed */ -- 0x10, 0x53, 0xCD, 0xE4, 0x2C, 0x14, 0xD6, 0x96, 0xE6, 0x76, 0x87, 0x56, -- 0x15, 0x17, 0x53, 0x3B, 0xF3, 0xF8, 0x33, 0x45, -- /* p */ -- 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, -- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x7F, 0xFF, 0xFF, 0xFF, -- /* a */ -- 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, -- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x7F, 0xFF, 0xFF, 0xFC, -- /* b */ -- 0x00, 0x1C, 0x97, 0xBE, 0xFC, 0x54, 0xBD, 0x7A, 0x8B, 0x65, 0xAC, 0xF8, -- 0x9F, 0x81, 0xD4, 0xD4, 0xAD, 0xC5, 0x65, 0xFA, 0x45, -- /* x */ -- 0x00, 0x4A, 0x96, 0xB5, 0x68, 0x8E, 0xF5, 0x73, 0x28, 0x46, 0x64, 0x69, -- 0x89, 0x68, 0xC3, 0x8B, 0xB9, 0x13, 0xCB, 0xFC, 0x82, -- /* y */ -- 0x00, 0x23, 0xa6, 0x28, 0x55, 0x31, 0x68, 0x94, 0x7d, 0x59, 0xdc, 0xc9, -- 0x12, 0x04, 0x23, 0x51, 0x37, 0x7a, 0xc5, 0xfb, 0x32, -- /* order */ -- 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0xF4, -- 0xC8, 0xF9, 0x27, 0xAE, 0xD3, 0xCA, 0x75, 0x22, 0x57 -- } --}; -- --static const struct { -- EC_CURVE_DATA h; -- unsigned char data[20 + 21 * 6]; --} _EC_SECG_PRIME_160R2 = { -- { -- 
NID_X9_62_prime_field, 20, 21, 1 -- }, -- { -- /* seed */ -- 0xB9, 0x9B, 0x99, 0xB0, 0x99, 0xB3, 0x23, 0xE0, 0x27, 0x09, 0xA4, 0xD6, -- 0x96, 0xE6, 0x76, 0x87, 0x56, 0x15, 0x17, 0x51, -- /* p */ -- 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, -- 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xAC, 0x73, -- /* a */ -- 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, -- 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xAC, 0x70, -- /* b */ -- 0x00, 0xB4, 0xE1, 0x34, 0xD3, 0xFB, 0x59, 0xEB, 0x8B, 0xAB, 0x57, 0x27, -- 0x49, 0x04, 0x66, 0x4D, 0x5A, 0xF5, 0x03, 0x88, 0xBA, -- /* x */ -- 0x00, 0x52, 0xDC, 0xB0, 0x34, 0x29, 0x3A, 0x11, 0x7E, 0x1F, 0x4F, 0xF1, -- 0x1B, 0x30, 0xF7, 0x19, 0x9D, 0x31, 0x44, 0xCE, 0x6D, -- /* y */ -- 0x00, 0xfe, 0xaf, 0xfe, 0xf2, 0xe3, 0x31, 0xf2, 0x96, 0xe0, 0x71, 0xfa, -- 0x0d, 0xf9, 0x98, 0x2c, 0xfe, 0xa7, 0xd4, 0x3f, 0x2e, -- /* order */ -- 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x35, -- 0x1E, 0xE7, 0x86, 0xA8, 0x18, 0xF3, 0xA1, 0xA1, 0x6B -- } --}; -- --static const struct { -- EC_CURVE_DATA h; -- unsigned char data[0 + 24 * 6]; --} _EC_SECG_PRIME_192K1 = { -- { -- NID_X9_62_prime_field, 0, 24, 1 -- }, -- { -- /* no seed */ -- /* p */ -- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, -- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xEE, 0x37, -- /* a */ -- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, -- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, -- /* b */ -- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, -- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, -- /* x */ -- 0xDB, 0x4F, 0xF1, 0x0E, 0xC0, 0x57, 0xE9, 0xAE, 0x26, 0xB0, 0x7D, 0x02, -- 0x80, 0xB7, 0xF4, 0x34, 0x1D, 0xA5, 0xD1, 0xB1, 0xEA, 0xE0, 0x6C, 0x7D, -- /* y */ -- 0x9b, 0x2f, 0x2f, 0x6d, 0x9c, 0x56, 0x28, 0xa7, 0x84, 0x41, 0x63, 0xd0, -- 0x15, 0xbe, 0x86, 0x34, 0x40, 
0x82, 0xaa, 0x88, 0xd9, 0x5e, 0x2f, 0x9d, -- /* order */ -- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, -- 0x26, 0xF2, 0xFC, 0x17, 0x0F, 0x69, 0x46, 0x6A, 0x74, 0xDE, 0xFD, 0x8D -- } --}; -- --static const struct { -- EC_CURVE_DATA h; -- unsigned char data[0 + 29 * 6]; --} _EC_SECG_PRIME_224K1 = { -- { -- NID_X9_62_prime_field, 0, 29, 1 -- }, -- { -- /* no seed */ -- /* p */ -- 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, -- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, -- 0xFE, 0xFF, 0xFF, 0xE5, 0x6D, -- /* a */ -- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, -- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, -- 0x00, 0x00, 0x00, 0x00, 0x00, -- /* b */ -- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, -- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, -- 0x00, 0x00, 0x00, 0x00, 0x05, -- /* x */ -- 0x00, 0xA1, 0x45, 0x5B, 0x33, 0x4D, 0xF0, 0x99, 0xDF, 0x30, 0xFC, 0x28, -- 0xA1, 0x69, 0xA4, 0x67, 0xE9, 0xE4, 0x70, 0x75, 0xA9, 0x0F, 0x7E, 0x65, -- 0x0E, 0xB6, 0xB7, 0xA4, 0x5C, -- /* y */ -- 0x00, 0x7e, 0x08, 0x9f, 0xed, 0x7f, 0xba, 0x34, 0x42, 0x82, 0xca, 0xfb, -- 0xd6, 0xf7, 0xe3, 0x19, 0xf7, 0xc0, 0xb0, 0xbd, 0x59, 0xe2, 0xca, 0x4b, -- 0xdb, 0x55, 0x6d, 0x61, 0xa5, -- /* order */ -- 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, -- 0x00, 0x00, 0x01, 0xDC, 0xE8, 0xD2, 0xEC, 0x61, 0x84, 0xCA, 0xF0, 0xA9, -- 0x71, 0x76, 0x9F, 0xB1, 0xF7 -- } --}; -- - static const struct { - EC_CURVE_DATA h; - unsigned char data[0 + 32 * 6]; -@@ -745,102 +244,6 @@ static const struct { - } - }; - --/* some wap/wtls curves */ --static const struct { -- EC_CURVE_DATA h; -- unsigned char data[0 + 15 * 6]; --} _EC_WTLS_8 = { -- { -- NID_X9_62_prime_field, 0, 15, 1 -- }, -- { -- /* no seed */ -- /* p */ -- 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, -- 0xFF, 
0xFD, 0xE7, -- /* a */ -- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, -- 0x00, 0x00, 0x00, -- /* b */ -- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, -- 0x00, 0x00, 0x03, -- /* x */ -- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, -- 0x00, 0x00, 0x01, -- /* y */ -- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, -- 0x00, 0x00, 0x02, -- /* order */ -- 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0xEC, 0xEA, 0x55, 0x1A, -- 0xD8, 0x37, 0xE9 -- } --}; -- --static const struct { -- EC_CURVE_DATA h; -- unsigned char data[0 + 21 * 6]; --} _EC_WTLS_9 = { -- { -- NID_X9_62_prime_field, 0, 21, 1 -- }, -- { -- /* no seed */ -- /* p */ -- 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, -- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC, 0x80, 0x8F, -- /* a */ -- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, -- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, -- /* b */ -- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, -- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, -- /* x */ -- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, -- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, -- /* y */ -- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, -- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, -- /* order */ -- 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0xCD, -- 0xC9, 0x8A, 0xE0, 0xE2, 0xDE, 0x57, 0x4A, 0xBF, 0x33 -- } --}; -- --static const struct { -- EC_CURVE_DATA h; -- unsigned char data[0 + 28 * 6]; --} _EC_WTLS_12 = { -- { -- NID_X9_62_prime_field, 0, 28, 1 -- }, -- { -- /* no seed */ -- /* p */ -- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, -- 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, -- 0x00, 0x00, 0x00, 0x01, -- /* a */ -- 0xFF, 0xFF, 0xFF, 0xFF, 
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, -- 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, -- 0xFF, 0xFF, 0xFF, 0xFE, -- /* b */ -- 0xB4, 0x05, 0x0A, 0x85, 0x0C, 0x04, 0xB3, 0xAB, 0xF5, 0x41, 0x32, 0x56, -- 0x50, 0x44, 0xB0, 0xB7, 0xD7, 0xBF, 0xD8, 0xBA, 0x27, 0x0B, 0x39, 0x43, -- 0x23, 0x55, 0xFF, 0xB4, -- /* x */ -- 0xB7, 0x0E, 0x0C, 0xBD, 0x6B, 0xB4, 0xBF, 0x7F, 0x32, 0x13, 0x90, 0xB9, -- 0x4A, 0x03, 0xC1, 0xD3, 0x56, 0xC2, 0x11, 0x22, 0x34, 0x32, 0x80, 0xD6, -- 0x11, 0x5C, 0x1D, 0x21, -- /* y */ -- 0xbd, 0x37, 0x63, 0x88, 0xb5, 0xf7, 0x23, 0xfb, 0x4c, 0x22, 0xdf, 0xe6, -- 0xcd, 0x43, 0x75, 0xa0, 0x5a, 0x07, 0x47, 0x64, 0x44, 0xd5, 0x81, 0x99, -- 0x85, 0x00, 0x7e, 0x34, -- /* order */ -- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, -- 0xFF, 0xFF, 0x16, 0xA2, 0xE0, 0xB8, 0xF0, 0x3E, 0x13, 0xDD, 0x29, 0x45, -- 0x5C, 0x5C, 0x2A, 0x3D -- } --}; - #endif /* FIPS_MODULE */ - - #ifndef OPENSSL_NO_EC2M -@@ -2236,198 +1639,6 @@ static const struct { - */ - - #ifndef FIPS_MODULE --static const struct { -- EC_CURVE_DATA h; -- unsigned char data[0 + 20 * 6]; --} _EC_brainpoolP160r1 = { -- { -- NID_X9_62_prime_field, 0, 20, 1 -- }, -- { -- /* no seed */ -- /* p */ -- 0xE9, 0x5E, 0x4A, 0x5F, 0x73, 0x70, 0x59, 0xDC, 0x60, 0xDF, 0xC7, 0xAD, -- 0x95, 0xB3, 0xD8, 0x13, 0x95, 0x15, 0x62, 0x0F, -- /* a */ -- 0x34, 0x0E, 0x7B, 0xE2, 0xA2, 0x80, 0xEB, 0x74, 0xE2, 0xBE, 0x61, 0xBA, -- 0xDA, 0x74, 0x5D, 0x97, 0xE8, 0xF7, 0xC3, 0x00, -- /* b */ -- 0x1E, 0x58, 0x9A, 0x85, 0x95, 0x42, 0x34, 0x12, 0x13, 0x4F, 0xAA, 0x2D, -- 0xBD, 0xEC, 0x95, 0xC8, 0xD8, 0x67, 0x5E, 0x58, -- /* x */ -- 0xBE, 0xD5, 0xAF, 0x16, 0xEA, 0x3F, 0x6A, 0x4F, 0x62, 0x93, 0x8C, 0x46, -- 0x31, 0xEB, 0x5A, 0xF7, 0xBD, 0xBC, 0xDB, 0xC3, -- /* y */ -- 0x16, 0x67, 0xCB, 0x47, 0x7A, 0x1A, 0x8E, 0xC3, 0x38, 0xF9, 0x47, 0x41, -- 0x66, 0x9C, 0x97, 0x63, 0x16, 0xDA, 0x63, 0x21, -- /* order */ -- 0xE9, 0x5E, 0x4A, 0x5F, 0x73, 0x70, 0x59, 0xDC, 0x60, 0xDF, 0x59, 0x91, -- 
0xD4, 0x50, 0x29, 0x40, 0x9E, 0x60, 0xFC, 0x09 -- } --}; -- --static const struct { -- EC_CURVE_DATA h; -- unsigned char data[0 + 20 * 6]; --} _EC_brainpoolP160t1 = { -- { -- NID_X9_62_prime_field, 0, 20, 1 -- }, -- { -- /* no seed */ -- /* p */ -- 0xE9, 0x5E, 0x4A, 0x5F, 0x73, 0x70, 0x59, 0xDC, 0x60, 0xDF, 0xC7, 0xAD, -- 0x95, 0xB3, 0xD8, 0x13, 0x95, 0x15, 0x62, 0x0F, -- /* a */ -- 0xE9, 0x5E, 0x4A, 0x5F, 0x73, 0x70, 0x59, 0xDC, 0x60, 0xDF, 0xC7, 0xAD, -- 0x95, 0xB3, 0xD8, 0x13, 0x95, 0x15, 0x62, 0x0C, -- /* b */ -- 0x7A, 0x55, 0x6B, 0x6D, 0xAE, 0x53, 0x5B, 0x7B, 0x51, 0xED, 0x2C, 0x4D, -- 0x7D, 0xAA, 0x7A, 0x0B, 0x5C, 0x55, 0xF3, 0x80, -- /* x */ -- 0xB1, 0x99, 0xB1, 0x3B, 0x9B, 0x34, 0xEF, 0xC1, 0x39, 0x7E, 0x64, 0xBA, -- 0xEB, 0x05, 0xAC, 0xC2, 0x65, 0xFF, 0x23, 0x78, -- /* y */ -- 0xAD, 0xD6, 0x71, 0x8B, 0x7C, 0x7C, 0x19, 0x61, 0xF0, 0x99, 0x1B, 0x84, -- 0x24, 0x43, 0x77, 0x21, 0x52, 0xC9, 0xE0, 0xAD, -- /* order */ -- 0xE9, 0x5E, 0x4A, 0x5F, 0x73, 0x70, 0x59, 0xDC, 0x60, 0xDF, 0x59, 0x91, -- 0xD4, 0x50, 0x29, 0x40, 0x9E, 0x60, 0xFC, 0x09 -- } --}; -- --static const struct { -- EC_CURVE_DATA h; -- unsigned char data[0 + 24 * 6]; --} _EC_brainpoolP192r1 = { -- { -- NID_X9_62_prime_field, 0, 24, 1 -- }, -- { -- /* no seed */ -- /* p */ -- 0xC3, 0x02, 0xF4, 0x1D, 0x93, 0x2A, 0x36, 0xCD, 0xA7, 0xA3, 0x46, 0x30, -- 0x93, 0xD1, 0x8D, 0xB7, 0x8F, 0xCE, 0x47, 0x6D, 0xE1, 0xA8, 0x62, 0x97, -- /* a */ -- 0x6A, 0x91, 0x17, 0x40, 0x76, 0xB1, 0xE0, 0xE1, 0x9C, 0x39, 0xC0, 0x31, -- 0xFE, 0x86, 0x85, 0xC1, 0xCA, 0xE0, 0x40, 0xE5, 0xC6, 0x9A, 0x28, 0xEF, -- /* b */ -- 0x46, 0x9A, 0x28, 0xEF, 0x7C, 0x28, 0xCC, 0xA3, 0xDC, 0x72, 0x1D, 0x04, -- 0x4F, 0x44, 0x96, 0xBC, 0xCA, 0x7E, 0xF4, 0x14, 0x6F, 0xBF, 0x25, 0xC9, -- /* x */ -- 0xC0, 0xA0, 0x64, 0x7E, 0xAA, 0xB6, 0xA4, 0x87, 0x53, 0xB0, 0x33, 0xC5, -- 0x6C, 0xB0, 0xF0, 0x90, 0x0A, 0x2F, 0x5C, 0x48, 0x53, 0x37, 0x5F, 0xD6, -- /* y */ -- 0x14, 0xB6, 0x90, 0x86, 0x6A, 0xBD, 0x5B, 0xB8, 0x8B, 0x5F, 0x48, 0x28, -- 0xC1, 0x49, 0x00, 
0x02, 0xE6, 0x77, 0x3F, 0xA2, 0xFA, 0x29, 0x9B, 0x8F, -- /* order */ -- 0xC3, 0x02, 0xF4, 0x1D, 0x93, 0x2A, 0x36, 0xCD, 0xA7, 0xA3, 0x46, 0x2F, -- 0x9E, 0x9E, 0x91, 0x6B, 0x5B, 0xE8, 0xF1, 0x02, 0x9A, 0xC4, 0xAC, 0xC1 -- } --}; -- --static const struct { -- EC_CURVE_DATA h; -- unsigned char data[0 + 24 * 6]; --} _EC_brainpoolP192t1 = { -- { -- NID_X9_62_prime_field, 0, 24, 1 -- }, -- { -- /* no seed */ -- /* p */ -- 0xC3, 0x02, 0xF4, 0x1D, 0x93, 0x2A, 0x36, 0xCD, 0xA7, 0xA3, 0x46, 0x30, -- 0x93, 0xD1, 0x8D, 0xB7, 0x8F, 0xCE, 0x47, 0x6D, 0xE1, 0xA8, 0x62, 0x97, -- /* a */ -- 0xC3, 0x02, 0xF4, 0x1D, 0x93, 0x2A, 0x36, 0xCD, 0xA7, 0xA3, 0x46, 0x30, -- 0x93, 0xD1, 0x8D, 0xB7, 0x8F, 0xCE, 0x47, 0x6D, 0xE1, 0xA8, 0x62, 0x94, -- /* b */ -- 0x13, 0xD5, 0x6F, 0xFA, 0xEC, 0x78, 0x68, 0x1E, 0x68, 0xF9, 0xDE, 0xB4, -- 0x3B, 0x35, 0xBE, 0xC2, 0xFB, 0x68, 0x54, 0x2E, 0x27, 0x89, 0x7B, 0x79, -- /* x */ -- 0x3A, 0xE9, 0xE5, 0x8C, 0x82, 0xF6, 0x3C, 0x30, 0x28, 0x2E, 0x1F, 0xE7, -- 0xBB, 0xF4, 0x3F, 0xA7, 0x2C, 0x44, 0x6A, 0xF6, 0xF4, 0x61, 0x81, 0x29, -- /* y */ -- 0x09, 0x7E, 0x2C, 0x56, 0x67, 0xC2, 0x22, 0x3A, 0x90, 0x2A, 0xB5, 0xCA, -- 0x44, 0x9D, 0x00, 0x84, 0xB7, 0xE5, 0xB3, 0xDE, 0x7C, 0xCC, 0x01, 0xC9, -- /* order */ -- 0xC3, 0x02, 0xF4, 0x1D, 0x93, 0x2A, 0x36, 0xCD, 0xA7, 0xA3, 0x46, 0x2F, -- 0x9E, 0x9E, 0x91, 0x6B, 0x5B, 0xE8, 0xF1, 0x02, 0x9A, 0xC4, 0xAC, 0xC1 -- } --}; -- --static const struct { -- EC_CURVE_DATA h; -- unsigned char data[0 + 28 * 6]; --} _EC_brainpoolP224r1 = { -- { -- NID_X9_62_prime_field, 0, 28, 1 -- }, -- { -- /* no seed */ -- /* p */ -- 0xD7, 0xC1, 0x34, 0xAA, 0x26, 0x43, 0x66, 0x86, 0x2A, 0x18, 0x30, 0x25, -- 0x75, 0xD1, 0xD7, 0x87, 0xB0, 0x9F, 0x07, 0x57, 0x97, 0xDA, 0x89, 0xF5, -- 0x7E, 0xC8, 0xC0, 0xFF, -- /* a */ -- 0x68, 0xA5, 0xE6, 0x2C, 0xA9, 0xCE, 0x6C, 0x1C, 0x29, 0x98, 0x03, 0xA6, -- 0xC1, 0x53, 0x0B, 0x51, 0x4E, 0x18, 0x2A, 0xD8, 0xB0, 0x04, 0x2A, 0x59, -- 0xCA, 0xD2, 0x9F, 0x43, -- /* b */ -- 0x25, 0x80, 0xF6, 0x3C, 0xCF, 0xE4, 0x41, 
0x38, 0x87, 0x07, 0x13, 0xB1, -- 0xA9, 0x23, 0x69, 0xE3, 0x3E, 0x21, 0x35, 0xD2, 0x66, 0xDB, 0xB3, 0x72, -- 0x38, 0x6C, 0x40, 0x0B, -- /* x */ -- 0x0D, 0x90, 0x29, 0xAD, 0x2C, 0x7E, 0x5C, 0xF4, 0x34, 0x08, 0x23, 0xB2, -- 0xA8, 0x7D, 0xC6, 0x8C, 0x9E, 0x4C, 0xE3, 0x17, 0x4C, 0x1E, 0x6E, 0xFD, -- 0xEE, 0x12, 0xC0, 0x7D, -- /* y */ -- 0x58, 0xAA, 0x56, 0xF7, 0x72, 0xC0, 0x72, 0x6F, 0x24, 0xC6, 0xB8, 0x9E, -- 0x4E, 0xCD, 0xAC, 0x24, 0x35, 0x4B, 0x9E, 0x99, 0xCA, 0xA3, 0xF6, 0xD3, -- 0x76, 0x14, 0x02, 0xCD, -- /* order */ -- 0xD7, 0xC1, 0x34, 0xAA, 0x26, 0x43, 0x66, 0x86, 0x2A, 0x18, 0x30, 0x25, -- 0x75, 0xD0, 0xFB, 0x98, 0xD1, 0x16, 0xBC, 0x4B, 0x6D, 0xDE, 0xBC, 0xA3, -- 0xA5, 0xA7, 0x93, 0x9F -- } --}; -- --static const struct { -- EC_CURVE_DATA h; -- unsigned char data[0 + 28 * 6]; --} _EC_brainpoolP224t1 = { -- { -- NID_X9_62_prime_field, 0, 28, 1 -- }, -- { -- /* no seed */ -- /* p */ -- 0xD7, 0xC1, 0x34, 0xAA, 0x26, 0x43, 0x66, 0x86, 0x2A, 0x18, 0x30, 0x25, -- 0x75, 0xD1, 0xD7, 0x87, 0xB0, 0x9F, 0x07, 0x57, 0x97, 0xDA, 0x89, 0xF5, -- 0x7E, 0xC8, 0xC0, 0xFF, -- /* a */ -- 0xD7, 0xC1, 0x34, 0xAA, 0x26, 0x43, 0x66, 0x86, 0x2A, 0x18, 0x30, 0x25, -- 0x75, 0xD1, 0xD7, 0x87, 0xB0, 0x9F, 0x07, 0x57, 0x97, 0xDA, 0x89, 0xF5, -- 0x7E, 0xC8, 0xC0, 0xFC, -- /* b */ -- 0x4B, 0x33, 0x7D, 0x93, 0x41, 0x04, 0xCD, 0x7B, 0xEF, 0x27, 0x1B, 0xF6, -- 0x0C, 0xED, 0x1E, 0xD2, 0x0D, 0xA1, 0x4C, 0x08, 0xB3, 0xBB, 0x64, 0xF1, -- 0x8A, 0x60, 0x88, 0x8D, -- /* x */ -- 0x6A, 0xB1, 0xE3, 0x44, 0xCE, 0x25, 0xFF, 0x38, 0x96, 0x42, 0x4E, 0x7F, -- 0xFE, 0x14, 0x76, 0x2E, 0xCB, 0x49, 0xF8, 0x92, 0x8A, 0xC0, 0xC7, 0x60, -- 0x29, 0xB4, 0xD5, 0x80, -- /* y */ -- 0x03, 0x74, 0xE9, 0xF5, 0x14, 0x3E, 0x56, 0x8C, 0xD2, 0x3F, 0x3F, 0x4D, -- 0x7C, 0x0D, 0x4B, 0x1E, 0x41, 0xC8, 0xCC, 0x0D, 0x1C, 0x6A, 0xBD, 0x5F, -- 0x1A, 0x46, 0xDB, 0x4C, -- /* order */ -- 0xD7, 0xC1, 0x34, 0xAA, 0x26, 0x43, 0x66, 0x86, 0x2A, 0x18, 0x30, 0x25, -- 0x75, 0xD0, 0xFB, 0x98, 0xD1, 0x16, 0xBC, 0x4B, 0x6D, 0xDE, 0xBC, 0xA3, -- 
0xA5, 0xA7, 0x93, 0x9F -- } --}; -- - static const struct { - EC_CURVE_DATA h; - unsigned char data[0 + 32 * 6]; -@@ -2854,8 +2065,6 @@ static const ec_list_element curve_list[] = { - "NIST/SECG curve over a 521 bit prime field"}, - - /* X9.62 curves */ -- {NID_X9_62_prime192v1, &_EC_NIST_PRIME_192.h, 0, -- "NIST/X9.62/SECG curve over a 192 bit prime field"}, - {NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h, - # if defined(ECP_NISTZ256_ASM) - EC_GFp_nistz256_method, -@@ -2899,25 +2108,6 @@ static const ec_list_element curve_list[] = { - static const ec_list_element curve_list[] = { - /* prime field curves */ - /* secg curves */ -- {NID_secp112r1, &_EC_SECG_PRIME_112R1.h, 0, -- "SECG/WTLS curve over a 112 bit prime field"}, -- {NID_secp112r2, &_EC_SECG_PRIME_112R2.h, 0, -- "SECG curve over a 112 bit prime field"}, -- {NID_secp128r1, &_EC_SECG_PRIME_128R1.h, 0, -- "SECG curve over a 128 bit prime field"}, -- {NID_secp128r2, &_EC_SECG_PRIME_128R2.h, 0, -- "SECG curve over a 128 bit prime field"}, -- {NID_secp160k1, &_EC_SECG_PRIME_160K1.h, 0, -- "SECG curve over a 160 bit prime field"}, -- {NID_secp160r1, &_EC_SECG_PRIME_160R1.h, 0, -- "SECG curve over a 160 bit prime field"}, -- {NID_secp160r2, &_EC_SECG_PRIME_160R2.h, 0, -- "SECG/WTLS curve over a 160 bit prime field"}, -- /* SECG secp192r1 is the same as X9.62 prime192v1 and hence omitted */ -- {NID_secp192k1, &_EC_SECG_PRIME_192K1.h, 0, -- "SECG curve over a 192 bit prime field"}, -- {NID_secp224k1, &_EC_SECG_PRIME_224K1.h, 0, -- "SECG curve over a 224 bit prime field"}, - # ifndef OPENSSL_NO_EC_NISTP_64_GCC_128 - {NID_secp224r1, &_EC_NIST_PRIME_224.h, EC_GFp_nistp224_method, - "NIST/SECG curve over a 224 bit prime field"}, -@@ -2945,18 +2135,6 @@ static const ec_list_element curve_list[] = { - # endif - "NIST/SECG curve over a 521 bit prime field"}, - /* X9.62 curves */ -- {NID_X9_62_prime192v1, &_EC_NIST_PRIME_192.h, 0, -- "NIST/X9.62/SECG curve over a 192 bit prime field"}, -- {NID_X9_62_prime192v2, 
&_EC_X9_62_PRIME_192V2.h, 0, -- "X9.62 curve over a 192 bit prime field"}, -- {NID_X9_62_prime192v3, &_EC_X9_62_PRIME_192V3.h, 0, -- "X9.62 curve over a 192 bit prime field"}, -- {NID_X9_62_prime239v1, &_EC_X9_62_PRIME_239V1.h, 0, -- "X9.62 curve over a 239 bit prime field"}, -- {NID_X9_62_prime239v2, &_EC_X9_62_PRIME_239V2.h, 0, -- "X9.62 curve over a 239 bit prime field"}, -- {NID_X9_62_prime239v3, &_EC_X9_62_PRIME_239V3.h, 0, -- "X9.62 curve over a 239 bit prime field"}, - {NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h, - # if defined(ECP_NISTZ256_ASM) - EC_GFp_nistz256_method, -@@ -3053,22 +2231,12 @@ static const ec_list_element curve_list[] = { - {NID_wap_wsg_idm_ecid_wtls5, &_EC_X9_62_CHAR2_163V1.h, 0, - "X9.62 curve over a 163 bit binary field"}, - # endif -- {NID_wap_wsg_idm_ecid_wtls6, &_EC_SECG_PRIME_112R1.h, 0, -- "SECG/WTLS curve over a 112 bit prime field"}, -- {NID_wap_wsg_idm_ecid_wtls7, &_EC_SECG_PRIME_160R2.h, 0, -- "SECG/WTLS curve over a 160 bit prime field"}, -- {NID_wap_wsg_idm_ecid_wtls8, &_EC_WTLS_8.h, 0, -- "WTLS curve over a 112 bit prime field"}, -- {NID_wap_wsg_idm_ecid_wtls9, &_EC_WTLS_9.h, 0, -- "WTLS curve over a 160 bit prime field"}, - # ifndef OPENSSL_NO_EC2M - {NID_wap_wsg_idm_ecid_wtls10, &_EC_NIST_CHAR2_233K.h, 0, - "NIST/SECG/WTLS curve over a 233 bit binary field"}, - {NID_wap_wsg_idm_ecid_wtls11, &_EC_NIST_CHAR2_233B.h, 0, - "NIST/SECG/WTLS curve over a 233 bit binary field"}, - # endif -- {NID_wap_wsg_idm_ecid_wtls12, &_EC_WTLS_12.h, 0, -- "WTLS curve over a 224 bit prime field"}, - # ifndef OPENSSL_NO_EC2M - /* IPSec curves */ - {NID_ipsec3, &_EC_IPSEC_155_ID3.h, 0, -@@ -3079,18 +2247,6 @@ static const ec_list_element curve_list[] = { - "\tNot suitable for ECDSA.\n\tQuestionable extension field!"}, - # endif - /* brainpool curves */ -- {NID_brainpoolP160r1, &_EC_brainpoolP160r1.h, 0, -- "RFC 5639 curve over a 160 bit prime field"}, -- {NID_brainpoolP160t1, &_EC_brainpoolP160t1.h, 0, -- "RFC 5639 curve over a 160 bit prime 
field"}, -- {NID_brainpoolP192r1, &_EC_brainpoolP192r1.h, 0, -- "RFC 5639 curve over a 192 bit prime field"}, -- {NID_brainpoolP192t1, &_EC_brainpoolP192t1.h, 0, -- "RFC 5639 curve over a 192 bit prime field"}, -- {NID_brainpoolP224r1, &_EC_brainpoolP224r1.h, 0, -- "RFC 5639 curve over a 224 bit prime field"}, -- {NID_brainpoolP224t1, &_EC_brainpoolP224t1.h, 0, -- "RFC 5639 curve over a 224 bit prime field"}, - {NID_brainpoolP256r1, &_EC_brainpoolP256r1.h, 0, - "RFC 5639 curve over a 256 bit prime field"}, - {NID_brainpoolP256t1, &_EC_brainpoolP256t1.h, 0, -diff --git a/test/ectest.c b/test/ectest.c -index afef85b0e6..4890b0555e 100644 ---- a/test/ectest.c -+++ b/test/ectest.c -@@ -175,184 +175,26 @@ static int prime_field_tests(void) - || !TEST_ptr(p = BN_new()) - || !TEST_ptr(a = BN_new()) - || !TEST_ptr(b = BN_new()) -- || !TEST_true(BN_hex2bn(&p, "17")) -- || !TEST_true(BN_hex2bn(&a, "1")) -- || !TEST_true(BN_hex2bn(&b, "1")) -- || !TEST_ptr(group = EC_GROUP_new_curve_GFp(p, a, b, ctx)) -- || !TEST_true(EC_GROUP_get_curve(group, p, a, b, ctx))) -+ /* -+ * applications should use EC_GROUP_new_curve_GFp so -+ * that the library gets to choose the EC_METHOD -+ */ -+ || !TEST_ptr(group = EC_GROUP_new(EC_GFp_mont_method()))) - goto err; - -- TEST_info("Curve defined by Weierstrass equation"); -- TEST_note(" y^2 = x^3 + a*x + b (mod p)"); -- test_output_bignum("a", a); -- test_output_bignum("b", b); -- test_output_bignum("p", p); -- - buf[0] = 0; - if (!TEST_ptr(P = EC_POINT_new(group)) - || !TEST_ptr(Q = EC_POINT_new(group)) - || !TEST_ptr(R = EC_POINT_new(group)) -- || !TEST_true(EC_POINT_set_to_infinity(group, P)) -- || !TEST_true(EC_POINT_is_at_infinity(group, P)) -- || !TEST_true(EC_POINT_oct2point(group, Q, buf, 1, ctx)) -- || !TEST_true(EC_POINT_add(group, P, P, Q, ctx)) -- || !TEST_true(EC_POINT_is_at_infinity(group, P)) - || !TEST_ptr(x = BN_new()) - || !TEST_ptr(y = BN_new()) - || !TEST_ptr(z = BN_new()) -- || !TEST_ptr(yplusone = BN_new()) -- || 
!TEST_true(BN_hex2bn(&x, "D")) -- || !TEST_true(EC_POINT_set_compressed_coordinates(group, Q, x, 1, ctx))) -- goto err; -- -- if (!TEST_int_gt(EC_POINT_is_on_curve(group, Q, ctx), 0)) { -- if (!TEST_true(EC_POINT_get_affine_coordinates(group, Q, x, y, ctx))) -- goto err; -- TEST_info("Point is not on curve"); -- test_output_bignum("x", x); -- test_output_bignum("y", y); -- goto err; -- } -- -- TEST_note("A cyclic subgroup:"); -- k = 100; -- do { -- if (!TEST_int_ne(k--, 0)) -- goto err; -- -- if (EC_POINT_is_at_infinity(group, P)) { -- TEST_note(" point at infinity"); -- } else { -- if (!TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, -- ctx))) -- goto err; -- -- test_output_bignum("x", x); -- test_output_bignum("y", y); -- } -- -- if (!TEST_true(EC_POINT_copy(R, P)) -- || !TEST_true(EC_POINT_add(group, P, P, Q, ctx))) -- goto err; -- -- } while (!EC_POINT_is_at_infinity(group, P)); -- -- if (!TEST_true(EC_POINT_add(group, P, Q, R, ctx)) -- || !TEST_true(EC_POINT_is_at_infinity(group, P))) -- goto err; -- -- len = -- EC_POINT_point2oct(group, Q, POINT_CONVERSION_COMPRESSED, buf, -- sizeof(buf), ctx); -- if (!TEST_size_t_ne(len, 0) -- || !TEST_true(EC_POINT_oct2point(group, P, buf, len, ctx)) -- || !TEST_int_eq(0, EC_POINT_cmp(group, P, Q, ctx))) -- goto err; -- test_output_memory("Generator as octet string, compressed form:", -- buf, len); -- -- len = EC_POINT_point2oct(group, Q, POINT_CONVERSION_UNCOMPRESSED, -- buf, sizeof(buf), ctx); -- if (!TEST_size_t_ne(len, 0) -- || !TEST_true(EC_POINT_oct2point(group, P, buf, len, ctx)) -- || !TEST_int_eq(0, EC_POINT_cmp(group, P, Q, ctx))) -- goto err; -- test_output_memory("Generator as octet string, uncompressed form:", -- buf, len); -- -- len = EC_POINT_point2oct(group, Q, POINT_CONVERSION_HYBRID, -- buf, sizeof(buf), ctx); -- if (!TEST_size_t_ne(len, 0) -- || !TEST_true(EC_POINT_oct2point(group, P, buf, len, ctx)) -- || !TEST_int_eq(0, EC_POINT_cmp(group, P, Q, ctx))) -- goto err; -- 
test_output_memory("Generator as octet string, hybrid form:", -- buf, len); -- -- if (!TEST_true(EC_POINT_invert(group, P, ctx)) -- || !TEST_int_eq(0, EC_POINT_cmp(group, P, R, ctx)) -- -- /* -- * Curve secp160r1 (Certicom Research SEC 2 Version 1.0, section 2.4.2, -- * 2000) -- not a NIST curve, but commonly used -- */ -- -- || !TEST_true(BN_hex2bn(&p, "FFFFFFFF" -- "FFFFFFFFFFFFFFFFFFFFFFFF7FFFFFFF")) -- || !TEST_int_eq(1, BN_check_prime(p, ctx, NULL)) -- || !TEST_true(BN_hex2bn(&a, "FFFFFFFF" -- "FFFFFFFFFFFFFFFFFFFFFFFF7FFFFFFC")) -- || !TEST_true(BN_hex2bn(&b, "1C97BEFC" -- "54BD7A8B65ACF89F81D4D4ADC565FA45")) -- || !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx)) -- || !TEST_true(BN_hex2bn(&x, "4A96B568" -- "8EF573284664698968C38BB913CBFC82")) -- || !TEST_true(BN_hex2bn(&y, "23a62855" -- "3168947d59dcc912042351377ac5fb32")) -- || !TEST_true(BN_add(yplusone, y, BN_value_one())) -- /* -- * When (x, y) is on the curve, (x, y + 1) is, as it happens, not, -- * and therefore setting the coordinates should fail. -- */ -- || !TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone, -- ctx)) -- || !TEST_true(EC_POINT_set_affine_coordinates(group, P, x, y, ctx)) -- || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0) -- || !TEST_true(BN_hex2bn(&z, "0100000000" -- "000000000001F4C8F927AED3CA752257")) -- || !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one())) -- || !TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, ctx))) -- goto err; -- TEST_info("SEC2 curve secp160r1 -- Generator"); -- test_output_bignum("x", x); -- test_output_bignum("y", y); -- /* G_y value taken from the standard: */ -- if (!TEST_true(BN_hex2bn(&z, "23a62855" -- "3168947d59dcc912042351377ac5fb32")) -- || !TEST_BN_eq(y, z) -- || !TEST_int_eq(EC_GROUP_get_degree(group), 160) -- || !group_order_tests(group) -- -- /* Curve P-192 (FIPS PUB 186-2, App. 
6) */ -- -- || !TEST_true(BN_hex2bn(&p, "FFFFFFFFFFFFFFFF" -- "FFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF")) -- || !TEST_int_eq(1, BN_check_prime(p, ctx, NULL)) -- || !TEST_true(BN_hex2bn(&a, "FFFFFFFFFFFFFFFF" -- "FFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFC")) -- || !TEST_true(BN_hex2bn(&b, "64210519E59C80E7" -- "0FA7E9AB72243049FEB8DEECC146B9B1")) -- || !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx)) -- || !TEST_true(BN_hex2bn(&x, "188DA80EB03090F6" -- "7CBF20EB43A18800F4FF0AFD82FF1012")) -- || !TEST_true(EC_POINT_set_compressed_coordinates(group, P, x, 1, ctx)) -- || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0) -- || !TEST_true(BN_hex2bn(&z, "FFFFFFFFFFFFFFFF" -- "FFFFFFFF99DEF836146BC9B1B4D22831")) -- || !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one())) -- || !TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, ctx))) -+ || !TEST_ptr(yplusone = BN_new())) - goto err; - -- TEST_info("NIST curve P-192 -- Generator"); -- test_output_bignum("x", x); -- test_output_bignum("y", y); -- /* G_y value taken from the standard: */ -- if (!TEST_true(BN_hex2bn(&z, "07192B95FFC8DA78" -- "631011ED6B24CDD573F977A11E794811")) -- || !TEST_BN_eq(y, z) -- || !TEST_true(BN_add(yplusone, y, BN_value_one())) -- /* -- * When (x, y) is on the curve, (x, y + 1) is, as it happens, not, -- * and therefore setting the coordinates should fail. -- */ -- || !TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone, -- ctx)) -- || !TEST_int_eq(EC_GROUP_get_degree(group), 192) -- || !group_order_tests(group) -- - /* Curve P-224 (FIPS PUB 186-2, App. 
6) */ - -- || !TEST_true(BN_hex2bn(&p, "FFFFFFFFFFFFFFFFFFFFFFFF" -+ if (!TEST_true(BN_hex2bn(&p, "FFFFFFFFFFFFFFFFFFFFFFFF" - "FFFFFFFF000000000000000000000001")) - || !TEST_int_eq(1, BN_check_prime(p, ctx, NULL)) - || !TEST_true(BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFF" -@@ -3015,7 +2857,7 @@ int setup_tests(void) - return 0; - - ADD_TEST(parameter_test); -- ADD_TEST(cofactor_range_test); -+ /* ADD_TEST(cofactor_range_test); */ - ADD_ALL_TESTS(cardinality_test, crv_len); - ADD_TEST(prime_field_tests); - #ifndef OPENSSL_NO_EC2M --- -2.41.0 - diff --git a/SPECS-EXTENDED/openssl-fips-provider/0011-Remove-EC-curves-3.1.4-fedora.patch b/SPECS-EXTENDED/openssl-fips-provider/0011-Remove-EC-curves-3.1.4-fedora.patch deleted file mode 100644 index cbc0a7f6c8d..00000000000 --- a/SPECS-EXTENDED/openssl-fips-provider/0011-Remove-EC-curves-3.1.4-fedora.patch +++ /dev/null 
@@ -1,279 +0,0 @@ -From 4a275f852b61238161c053774736dc07b3ade200 Mon Sep 17 00:00:00 2001 -From: Dmitry Belyavskiy -Date: Mon, 21 Aug 2023 11:46:40 +0200 -Subject: [PATCH 11/48] 0011-Remove-EC-curves.patch - -Patch-name: 0011-Remove-EC-curves.patch -Patch-id: 11 -Patch-status: | - # remove unsupported EC curves ---- - apps/speed.c | 8 +--- - crypto/evp/ec_support.c | 87 ------------------------------------ - test/acvp_test.inc | 9 ---- - test/ecdsatest.h | 17 ------- - test/recipes/15-test_genec.t | 27 ----------- - 5 files changed, 1 insertion(+), 147 deletions(-) - -diff --git a/apps/speed.c b/apps/speed.c -index cace25eda1..d527f12f18 100644 ---- a/apps/speed.c -+++ b/apps/speed.c -@@ -385,7 +385,7 @@ static double ffdh_results[FFDH_NUM][1]; /* 1 op: derivation */ - #endif /* OPENSSL_NO_DH */ - - enum ec_curves_t { -- R_EC_P160, R_EC_P192, R_EC_P224, R_EC_P256, R_EC_P384, R_EC_P521, -+ R_EC_P224, R_EC_P256, R_EC_P384, R_EC_P521, - #ifndef OPENSSL_NO_EC2M - R_EC_K163, R_EC_K233, R_EC_K283, R_EC_K409, R_EC_K571, - R_EC_B163, R_EC_B233, R_EC_B283, R_EC_B409, R_EC_B571, -@@ -395,8 +395,6 @@ enum ec_curves_t { - }; - /* list of ecdsa curves */ - static const OPT_PAIR ecdsa_choices[ECDSA_NUM] = { -- {"ecdsap160", R_EC_P160}, -- {"ecdsap192", R_EC_P192}, - {"ecdsap224", R_EC_P224}, - {"ecdsap256", R_EC_P256}, - {"ecdsap384", R_EC_P384}, -@@ -423,8 +421,6 @@ static const OPT_PAIR ecdsa_choices[ECDSA_NUM] = { - enum { R_EC_X25519 = ECDSA_NUM, R_EC_X448, EC_NUM }; - /* list of ecdh curves, extension of |ecdsa_choices| list above */ - static const OPT_PAIR ecdh_choices[EC_NUM] = { -- {"ecdhp160", R_EC_P160}, -- {"ecdhp192", R_EC_P192}, - {"ecdhp224", R_EC_P224}, - {"ecdhp256", R_EC_P256}, - {"ecdhp384", R_EC_P384}, -@@ -1442,8 +1438,6 @@ int speed_main(int argc, char **argv) - */ - static const EC_CURVE ec_curves[EC_NUM] = { - /* Prime Curves */ -- {"secp160r1", NID_secp160r1, 160}, -- {"nistp192", NID_X9_62_prime192v1, 192}, - {"nistp224", NID_secp224r1, 224}, - 
{"nistp256", NID_X9_62_prime256v1, 256}, - {"nistp384", NID_secp384r1, 384}, -diff --git a/crypto/evp/ec_support.c b/crypto/evp/ec_support.c -index 1ec10143d2..82b95294b4 100644 ---- a/crypto/evp/ec_support.c -+++ b/crypto/evp/ec_support.c -@@ -20,89 +20,15 @@ typedef struct ec_name2nid_st { - static const EC_NAME2NID curve_list[] = { - /* prime field curves */ - /* secg curves */ -- {"secp112r1", NID_secp112r1 }, -- {"secp112r2", NID_secp112r2 }, -- {"secp128r1", NID_secp128r1 }, -- {"secp128r2", NID_secp128r2 }, -- {"secp160k1", NID_secp160k1 }, -- {"secp160r1", NID_secp160r1 }, -- {"secp160r2", NID_secp160r2 }, -- {"secp192k1", NID_secp192k1 }, -- {"secp224k1", NID_secp224k1 }, - {"secp224r1", NID_secp224r1 }, - {"secp256k1", NID_secp256k1 }, - {"secp384r1", NID_secp384r1 }, - {"secp521r1", NID_secp521r1 }, - /* X9.62 curves */ -- {"prime192v1", NID_X9_62_prime192v1 }, -- {"prime192v2", NID_X9_62_prime192v2 }, -- {"prime192v3", NID_X9_62_prime192v3 }, -- {"prime239v1", NID_X9_62_prime239v1 }, -- {"prime239v2", NID_X9_62_prime239v2 }, -- {"prime239v3", NID_X9_62_prime239v3 }, - {"prime256v1", NID_X9_62_prime256v1 }, - /* characteristic two field curves */ - /* NIST/SECG curves */ -- {"sect113r1", NID_sect113r1 }, -- {"sect113r2", NID_sect113r2 }, -- {"sect131r1", NID_sect131r1 }, -- {"sect131r2", NID_sect131r2 }, -- {"sect163k1", NID_sect163k1 }, -- {"sect163r1", NID_sect163r1 }, -- {"sect163r2", NID_sect163r2 }, -- {"sect193r1", NID_sect193r1 }, -- {"sect193r2", NID_sect193r2 }, -- {"sect233k1", NID_sect233k1 }, -- {"sect233r1", NID_sect233r1 }, -- {"sect239k1", NID_sect239k1 }, -- {"sect283k1", NID_sect283k1 }, -- {"sect283r1", NID_sect283r1 }, -- {"sect409k1", NID_sect409k1 }, -- {"sect409r1", NID_sect409r1 }, -- {"sect571k1", NID_sect571k1 }, -- {"sect571r1", NID_sect571r1 }, -- /* X9.62 curves */ -- {"c2pnb163v1", NID_X9_62_c2pnb163v1 }, -- {"c2pnb163v2", NID_X9_62_c2pnb163v2 }, -- {"c2pnb163v3", NID_X9_62_c2pnb163v3 }, -- {"c2pnb176v1", NID_X9_62_c2pnb176v1 
}, -- {"c2tnb191v1", NID_X9_62_c2tnb191v1 }, -- {"c2tnb191v2", NID_X9_62_c2tnb191v2 }, -- {"c2tnb191v3", NID_X9_62_c2tnb191v3 }, -- {"c2pnb208w1", NID_X9_62_c2pnb208w1 }, -- {"c2tnb239v1", NID_X9_62_c2tnb239v1 }, -- {"c2tnb239v2", NID_X9_62_c2tnb239v2 }, -- {"c2tnb239v3", NID_X9_62_c2tnb239v3 }, -- {"c2pnb272w1", NID_X9_62_c2pnb272w1 }, -- {"c2pnb304w1", NID_X9_62_c2pnb304w1 }, -- {"c2tnb359v1", NID_X9_62_c2tnb359v1 }, -- {"c2pnb368w1", NID_X9_62_c2pnb368w1 }, -- {"c2tnb431r1", NID_X9_62_c2tnb431r1 }, -- /* -- * the WAP/WTLS curves [unlike SECG, spec has its own OIDs for curves -- * from X9.62] -- */ -- {"wap-wsg-idm-ecid-wtls1", NID_wap_wsg_idm_ecid_wtls1 }, -- {"wap-wsg-idm-ecid-wtls3", NID_wap_wsg_idm_ecid_wtls3 }, -- {"wap-wsg-idm-ecid-wtls4", NID_wap_wsg_idm_ecid_wtls4 }, -- {"wap-wsg-idm-ecid-wtls5", NID_wap_wsg_idm_ecid_wtls5 }, -- {"wap-wsg-idm-ecid-wtls6", NID_wap_wsg_idm_ecid_wtls6 }, -- {"wap-wsg-idm-ecid-wtls7", NID_wap_wsg_idm_ecid_wtls7 }, -- {"wap-wsg-idm-ecid-wtls8", NID_wap_wsg_idm_ecid_wtls8 }, -- {"wap-wsg-idm-ecid-wtls9", NID_wap_wsg_idm_ecid_wtls9 }, -- {"wap-wsg-idm-ecid-wtls10", NID_wap_wsg_idm_ecid_wtls10 }, -- {"wap-wsg-idm-ecid-wtls11", NID_wap_wsg_idm_ecid_wtls11 }, -- {"wap-wsg-idm-ecid-wtls12", NID_wap_wsg_idm_ecid_wtls12 }, -- /* IPSec curves */ -- {"Oakley-EC2N-3", NID_ipsec3 }, -- {"Oakley-EC2N-4", NID_ipsec4 }, - /* brainpool curves */ -- {"brainpoolP160r1", NID_brainpoolP160r1 }, -- {"brainpoolP160t1", NID_brainpoolP160t1 }, -- {"brainpoolP192r1", NID_brainpoolP192r1 }, -- {"brainpoolP192t1", NID_brainpoolP192t1 }, -- {"brainpoolP224r1", NID_brainpoolP224r1 }, -- {"brainpoolP224t1", NID_brainpoolP224t1 }, - {"brainpoolP256r1", NID_brainpoolP256r1 }, - {"brainpoolP256t1", NID_brainpoolP256t1 }, - {"brainpoolP320r1", NID_brainpoolP320r1 }, -@@ -111,8 +37,6 @@ static const EC_NAME2NID curve_list[] = { - {"brainpoolP384t1", NID_brainpoolP384t1 }, - {"brainpoolP512r1", NID_brainpoolP512r1 }, - {"brainpoolP512t1", NID_brainpoolP512t1 }, 
-- /* SM2 curve */ -- {"SM2", NID_sm2 }, - }; - - const char *OSSL_EC_curve_nid2name(int nid) -@@ -150,17 +74,6 @@ int ossl_ec_curve_name2nid(const char *name) - /* Functions to translate between common NIST curve names and NIDs */ - - static const EC_NAME2NID nist_curves[] = { -- {"B-163", NID_sect163r2}, -- {"B-233", NID_sect233r1}, -- {"B-283", NID_sect283r1}, -- {"B-409", NID_sect409r1}, -- {"B-571", NID_sect571r1}, -- {"K-163", NID_sect163k1}, -- {"K-233", NID_sect233k1}, -- {"K-283", NID_sect283k1}, -- {"K-409", NID_sect409k1}, -- {"K-571", NID_sect571k1}, -- {"P-192", NID_X9_62_prime192v1}, - {"P-224", NID_secp224r1}, - {"P-256", NID_X9_62_prime256v1}, - {"P-384", NID_secp384r1}, -diff --git a/test/acvp_test.inc b/test/acvp_test.inc -index ad11d3ae1e..894a0bff9d 100644 ---- a/test/acvp_test.inc -+++ b/test/acvp_test.inc -@@ -211,15 +211,6 @@ static const unsigned char ecdsa_sigver_s1[] = { - 0xB1, 0xAC, - }; - static const struct ecdsa_sigver_st ecdsa_sigver_data[] = { -- { -- "SHA-1", -- "P-192", -- ITM(ecdsa_sigver_msg0), -- ITM(ecdsa_sigver_pub0), -- ITM(ecdsa_sigver_r0), -- ITM(ecdsa_sigver_s0), -- PASS, -- }, - { - "SHA2-512", - "P-521", -diff --git a/test/ecdsatest.h b/test/ecdsatest.h -index 63fe319025..06b5c0aac5 100644 ---- a/test/ecdsatest.h -+++ b/test/ecdsatest.h -@@ -32,23 +32,6 @@ typedef struct { - } ecdsa_cavs_kat_t; - - static const ecdsa_cavs_kat_t ecdsa_cavs_kats[] = { -- /* prime KATs from X9.62 */ -- {NID_X9_62_prime192v1, NID_sha1, -- "616263", /* "abc" */ -- "1a8d598fc15bf0fd89030b5cb1111aeb92ae8baf5ea475fb", -- "0462b12d60690cdcf330babab6e69763b471f994dd702d16a563bf5ec08069705ffff65e" -- "5ca5c0d69716dfcb3474373902", -- "fa6de29746bbeb7f8bb1e761f85f7dfb2983169d82fa2f4e", -- "885052380ff147b734c330c43d39b2c4a89f29b0f749fead", -- "e9ecc78106def82bf1070cf1d4d804c3cb390046951df686"}, -- {NID_X9_62_prime239v1, NID_sha1, -- "616263", /* "abc" */ -- "7ef7c6fabefffdea864206e80b0b08a9331ed93e698561b64ca0f7777f3d", -- 
"045b6dc53bc61a2548ffb0f671472de6c9521a9d2d2534e65abfcbd5fe0c707fd9f1ed2e" -- "65f09f6ce0893baf5e8e31e6ae82ea8c3592335be906d38dee", -- "656c7196bf87dcc5d1f1020906df2782360d36b2de7a17ece37d503784af", -- "2cb7f36803ebb9c427c58d8265f11fc5084747133078fc279de874fbecb0", -- "2eeae988104e9c2234a3c2beb1f53bfa5dc11ff36a875d1e3ccb1f7e45cf"}, - /* prime KATs from NIST CAVP */ - {NID_secp224r1, NID_sha224, - "699325d6fc8fbbb4981a6ded3c3a54ad2e4e3db8a5669201912064c64e700c139248cdc1" -diff --git a/test/recipes/15-test_genec.t b/test/recipes/15-test_genec.t -index 2dfed387ca..c733b68f83 100644 ---- a/test/recipes/15-test_genec.t -+++ b/test/recipes/15-test_genec.t -@@ -41,37 +41,11 @@ plan skip_all => "This test is unsupported in a no-ec build" - if disabled("ec"); - - my @prime_curves = qw( -- secp112r1 -- secp112r2 -- secp128r1 -- secp128r2 -- secp160k1 -- secp160r1 -- secp160r2 -- secp192k1 -- secp224k1 - secp224r1 - secp256k1 - secp384r1 - secp521r1 -- prime192v1 -- prime192v2 -- prime192v3 -- prime239v1 -- prime239v2 -- prime239v3 - prime256v1 -- wap-wsg-idm-ecid-wtls6 -- wap-wsg-idm-ecid-wtls7 -- wap-wsg-idm-ecid-wtls8 -- wap-wsg-idm-ecid-wtls9 -- wap-wsg-idm-ecid-wtls12 -- brainpoolP160r1 -- brainpoolP160t1 -- brainpoolP192r1 -- brainpoolP192t1 -- brainpoolP224r1 -- brainpoolP224t1 - brainpoolP256r1 - brainpoolP256t1 - brainpoolP320r1 -@@ -136,7 +110,6 @@ push(@other_curves, 'SM2') - if !disabled("sm2"); - - my @curve_aliases = qw( -- P-192 - P-224 - P-256 - P-384 --- -2.41.0 - diff --git a/SPECS-EXTENDED/openssl-fips-provider/0012-Disable-explicit-ec.patch b/SPECS-EXTENDED/openssl-fips-provider/0012-Disable-explicit-ec.patch deleted file mode 100644 index 9b86309a6f2..00000000000 --- a/SPECS-EXTENDED/openssl-fips-provider/0012-Disable-explicit-ec.patch +++ /dev/null 
@@ -1,235 +0,0 @@ -From 91bdd9b816b22bc1464ec323f3272b866b24114d Mon Sep 17 00:00:00 2001 -From: rpm-build -Date: Mon, 31 Jul 2023 09:41:28 +0200 -Subject: [PATCH 12/35] 0012-Disable-explicit-ec.patch - -Patch-name: 0012-Disable-explicit-ec.patch -Patch-id: 12 -Patch-status: | - # Disable explicit EC curves - # https://bugzilla.redhat.com/show_bug.cgi?id=2066412 -From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd ---- - crypto/ec/ec_asn1.c | 11 ++++++++++ - crypto/ec/ec_lib.c | 6 +++++ - test/ectest.c | 22 ++++++++++--------- - test/endecode_test.c | 20 ++++++++--------- - .../30-test_evp_data/evppkey_ecdsa.txt | 12 ---------- - 5 files changed, 39 insertions(+), 32 deletions(-) - -diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c -index 7a0b35a594..d19d57344e 100644 ---- a/crypto/ec/ec_asn1.c -+++ b/crypto/ec/ec_asn1.c -@@ -905,6 +905,12 @@ EC_GROUP *d2i_ECPKParameters(EC_GROUP **a, const unsigned char **in, long len) - if (params->type == ECPKPARAMETERS_TYPE_EXPLICIT) - group->decoded_from_explicit_params = 1; - -+ if (EC_GROUP_check_named_curve(group, 0, NULL) == NID_undef) { -+ EC_GROUP_free(group); -+ ECPKPARAMETERS_free(params); -+ return NULL; -+ } -+ - if (a) { - EC_GROUP_free(*a); - *a = group; -@@ -964,6 +970,11 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, const unsigned char **in, long len) - goto err; - } - -+ if (EC_GROUP_check_named_curve(ret->group, 0, NULL) == NID_undef) { -+ ERR_raise(ERR_LIB_EC, EC_R_UNKNOWN_GROUP); -+ goto err; -+ } -+ - ret->version = priv_key->version; - - if (priv_key->privateKey) { -diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c -index a84e088c19..6c37bf78ae 100644 ---- a/crypto/ec/ec_lib.c -+++ b/crypto/ec/ec_lib.c -@@ -1724,6 +1724,11 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[], - goto err; - } - if (named_group == group) { -+ if (EC_GROUP_check_named_curve(group, 0, NULL) == NID_undef) { -+ ERR_raise(ERR_LIB_EC, EC_R_UNKNOWN_GROUP); -+ goto err; -+ } -+#if 0 - /* - * If we did not find 
a named group then the encoding should be explicit - * if it was specified -@@ -1739,6 +1744,7 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[], - goto err; - } - EC_GROUP_set_asn1_flag(group, OPENSSL_EC_EXPLICIT_CURVE); -+#endif - } else { - EC_GROUP_free(group); - group = named_group; -diff --git a/test/ectest.c b/test/ectest.c -index 4890b0555e..e11aec5b3b 100644 ---- a/test/ectest.c -+++ b/test/ectest.c -@@ -2301,10 +2301,11 @@ static int do_test_custom_explicit_fromdata(EC_GROUP *group, BN_CTX *ctx, - if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld)) - || !TEST_ptr(pctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL)) - || !TEST_int_gt(EVP_PKEY_fromdata_init(pctx), 0) -- || !TEST_int_gt(EVP_PKEY_fromdata(pctx, &pkeyparam, -+ || !TEST_int_le(EVP_PKEY_fromdata(pctx, &pkeyparam, - EVP_PKEY_KEY_PARAMETERS, params), 0)) - goto err; -- -+/* As creating the key should fail, the rest of the test is pointless */ -+# if 0 - /*- Check that all the set values are retrievable -*/ - - /* There should be no match to a group name since the generator changed */ -@@ -2433,6 +2434,7 @@ static int do_test_custom_explicit_fromdata(EC_GROUP *group, BN_CTX *ctx, - #endif - ) - goto err; -+#endif - ret = 1; - err: - BN_free(order_out); -@@ -2714,21 +2716,21 @@ static int custom_params_test(int id) - - /* Compute keyexchange in both directions */ - if (!TEST_ptr(pctx1 = EVP_PKEY_CTX_new(pkey1, NULL)) -- || !TEST_int_eq(EVP_PKEY_derive_init(pctx1), 1) -- || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx1, pkey2), 1) -+ || !TEST_int_le(EVP_PKEY_derive_init(pctx1), 0) -+/* || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx1, pkey2), 1) - || !TEST_int_eq(EVP_PKEY_derive(pctx1, NULL, &sslen), 1) - || !TEST_int_gt(bsize, sslen) -- || !TEST_int_eq(EVP_PKEY_derive(pctx1, buf1, &sslen), 1)) -+ || !TEST_int_eq(EVP_PKEY_derive(pctx1, buf1, &sslen), 1)*/) - goto err; - if (!TEST_ptr(pctx2 = EVP_PKEY_CTX_new(pkey2, NULL)) -- || !TEST_int_eq(EVP_PKEY_derive_init(pctx2), 1) -- || 
!TEST_int_eq(EVP_PKEY_derive_set_peer(pctx2, pkey1), 1) -+ || !TEST_int_le(EVP_PKEY_derive_init(pctx2), 1) -+/* || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx2, pkey1), 1) - || !TEST_int_eq(EVP_PKEY_derive(pctx2, NULL, &t), 1) - || !TEST_int_gt(bsize, t) - || !TEST_int_le(sslen, t) -- || !TEST_int_eq(EVP_PKEY_derive(pctx2, buf2, &t), 1)) -+ || !TEST_int_eq(EVP_PKEY_derive(pctx2, buf2, &t), 1) */) - goto err; -- -+#if 0 - /* Both sides should expect the same shared secret */ - if (!TEST_mem_eq(buf1, sslen, buf2, t)) - goto err; -@@ -2780,7 +2782,7 @@ static int custom_params_test(int id) - /* compare with previous result */ - || !TEST_mem_eq(buf1, t, buf2, sslen)) - goto err; -- -+#endif - ret = 1; - - err: -diff --git a/test/endecode_test.c b/test/endecode_test.c -index 14648287eb..9a437d8c64 100644 ---- a/test/endecode_test.c -+++ b/test/endecode_test.c -@@ -62,7 +62,7 @@ static BN_CTX *bnctx = NULL; - static OSSL_PARAM_BLD *bld_prime_nc = NULL; - static OSSL_PARAM_BLD *bld_prime = NULL; - static OSSL_PARAM *ec_explicit_prime_params_nc = NULL; --static OSSL_PARAM *ec_explicit_prime_params_explicit = NULL; -+/*static OSSL_PARAM *ec_explicit_prime_params_explicit = NULL;*/ - - # ifndef OPENSSL_NO_EC2M - static OSSL_PARAM_BLD *bld_tri_nc = NULL; -@@ -1009,9 +1009,9 @@ IMPLEMENT_TEST_SUITE_LEGACY(EC, "EC") - DOMAIN_KEYS(ECExplicitPrimeNamedCurve); - IMPLEMENT_TEST_SUITE(ECExplicitPrimeNamedCurve, "EC", 1) - IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitPrimeNamedCurve, "EC") --DOMAIN_KEYS(ECExplicitPrime2G); --IMPLEMENT_TEST_SUITE(ECExplicitPrime2G, "EC", 0) --IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitPrime2G, "EC") -+/*DOMAIN_KEYS(ECExplicitPrime2G);*/ -+/*IMPLEMENT_TEST_SUITE(ECExplicitPrime2G, "EC", 0)*/ -+/*IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitPrime2G, "EC")*/ - # ifndef OPENSSL_NO_EC2M - DOMAIN_KEYS(ECExplicitTriNamedCurve); - IMPLEMENT_TEST_SUITE(ECExplicitTriNamedCurve, "EC", 1) -@@ -1352,7 +1352,7 @@ int setup_tests(void) - || 
!create_ec_explicit_prime_params_namedcurve(bld_prime_nc) - || !create_ec_explicit_prime_params(bld_prime) - || !TEST_ptr(ec_explicit_prime_params_nc = OSSL_PARAM_BLD_to_param(bld_prime_nc)) -- || !TEST_ptr(ec_explicit_prime_params_explicit = OSSL_PARAM_BLD_to_param(bld_prime)) -+/* || !TEST_ptr(ec_explicit_prime_params_explicit = OSSL_PARAM_BLD_to_param(bld_prime))*/ - # ifndef OPENSSL_NO_EC2M - || !TEST_ptr(bld_tri_nc = OSSL_PARAM_BLD_new()) - || !TEST_ptr(bld_tri = OSSL_PARAM_BLD_new()) -@@ -1380,7 +1380,7 @@ int setup_tests(void) - TEST_info("Generating EC keys..."); - MAKE_DOMAIN_KEYS(EC, "EC", EC_params); - MAKE_DOMAIN_KEYS(ECExplicitPrimeNamedCurve, "EC", ec_explicit_prime_params_nc); -- MAKE_DOMAIN_KEYS(ECExplicitPrime2G, "EC", ec_explicit_prime_params_explicit); -+/* MAKE_DOMAIN_KEYS(ECExplicitPrime2G, "EC", ec_explicit_prime_params_explicit);*/ - # ifndef OPENSSL_NO_EC2M - MAKE_DOMAIN_KEYS(ECExplicitTriNamedCurve, "EC", ec_explicit_tri_params_nc); - MAKE_DOMAIN_KEYS(ECExplicitTri2G, "EC", ec_explicit_tri_params_explicit); -@@ -1423,8 +1423,8 @@ int setup_tests(void) - ADD_TEST_SUITE_LEGACY(EC); - ADD_TEST_SUITE(ECExplicitPrimeNamedCurve); - ADD_TEST_SUITE_LEGACY(ECExplicitPrimeNamedCurve); -- ADD_TEST_SUITE(ECExplicitPrime2G); -- ADD_TEST_SUITE_LEGACY(ECExplicitPrime2G); -+/* ADD_TEST_SUITE(ECExplicitPrime2G);*/ -+/* ADD_TEST_SUITE_LEGACY(ECExplicitPrime2G);*/ - # ifndef OPENSSL_NO_EC2M - ADD_TEST_SUITE(ECExplicitTriNamedCurve); - ADD_TEST_SUITE_LEGACY(ECExplicitTriNamedCurve); -@@ -1461,7 +1461,7 @@ void cleanup_tests(void) - { - #ifndef OPENSSL_NO_EC - OSSL_PARAM_free(ec_explicit_prime_params_nc); -- OSSL_PARAM_free(ec_explicit_prime_params_explicit); -+/* OSSL_PARAM_free(ec_explicit_prime_params_explicit);*/ - OSSL_PARAM_BLD_free(bld_prime_nc); - OSSL_PARAM_BLD_free(bld_prime); - # ifndef OPENSSL_NO_EC2M -@@ -1483,7 +1483,7 @@ void cleanup_tests(void) - #ifndef OPENSSL_NO_EC - FREE_DOMAIN_KEYS(EC); - FREE_DOMAIN_KEYS(ECExplicitPrimeNamedCurve); -- 
FREE_DOMAIN_KEYS(ECExplicitPrime2G); -+/* FREE_DOMAIN_KEYS(ECExplicitPrime2G);*/ - # ifndef OPENSSL_NO_EC2M - FREE_DOMAIN_KEYS(ECExplicitTriNamedCurve); - FREE_DOMAIN_KEYS(ECExplicitTri2G); -diff --git a/test/recipes/30-test_evp_data/evppkey_ecdsa.txt b/test/recipes/30-test_evp_data/evppkey_ecdsa.txt -index ec3c032aba..584ecee0eb 100644 ---- a/test/recipes/30-test_evp_data/evppkey_ecdsa.txt -+++ b/test/recipes/30-test_evp_data/evppkey_ecdsa.txt -@@ -133,18 +133,6 @@ AAAA//////////+85vqtpxeehPO5ysL8YyVRAgEBBG0wawIBAQQgiUTxtr5vLVjj - 3ev1gTwRBduzqqlwd54AUSgI+pjttW8zrWNitO8H1sf59MPWOESKxNtZ1+Nl - -----END PRIVATE KEY----- - --PrivateKey = EC_EXPLICIT -------BEGIN PRIVATE KEY----- --MIIBeQIBADCCAQMGByqGSM49AgEwgfcCAQEwLAYHKoZIzj0BAQIhAP////8AAAAB --AAAAAAAAAAAAAAAA////////////////MFsEIP////8AAAABAAAAAAAAAAAAAAAA --///////////////8BCBaxjXYqjqT57PrvVV2mIa8ZR0GsMxTsPY7zjw+J9JgSwMV --AMSdNgiG5wSTamZ44ROdJreBn36QBEEE5JcIvn36opqjEm/k59Al40rBAxWM2TPG --l0L13Je51zHpfXQ9Z2o7IQicMXP4wSfJ0qCgg2bgydqoxlYrlLGuVQIhAP////8A --AAAA//////////+85vqtpxeehPO5ysL8YyVRAgEBBG0wawIBAQQgec92jwduadCk --OjoNRI+YT5Be5TkzZXzYCyTLkMOikDmhRANCAATtECEhQbLEaiUj/Wu0qjcr81lL --46dx5zYgArz/iaSNJ3W80oO+F7v04jlQ7wxQzg96R0bwKiMeq5CcW9ZFt6xg -------END PRIVATE KEY----- -- - PrivateKey = B-163 - -----BEGIN PRIVATE KEY----- - MGMCAQAwEAYHKoZIzj0CAQYFK4EEAA8ETDBKAgEBBBUDnQW0mLiHVha/jqFznX/K --- -2.41.0 - diff --git a/SPECS-EXTENDED/openssl-fips-provider/0013-skipped-tests-EC-curves-3.1.4-fedora.patch b/SPECS-EXTENDED/openssl-fips-provider/0013-skipped-tests-EC-curves-3.1.4-fedora.patch deleted file mode 100644 index 3cf7a78901d..00000000000 --- a/SPECS-EXTENDED/openssl-fips-provider/0013-skipped-tests-EC-curves-3.1.4-fedora.patch +++ /dev/null 
@@ -1,58 +0,0 @@
-From 9ede2b1e13f72db37718853faff74b4429084d59 Mon Sep 17 00:00:00 2001
-From: rpm-build
-Date: Mon, 31 Jul 2023 09:41:28 +0200
-Subject: [PATCH 13/35] 0013-skipped-tests-EC-curves.patch
-
-Patch-name: 0013-skipped-tests-EC-curves.patch
-Patch-id: 13
-Patch-status: |
- # Skipped tests from former 0011-Remove-EC-curves.patch
-From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
----
- test/recipes/15-test_ec.t | 2 +-
- test/recipes/65-test_cmp_protect.t | 2 +-
- test/recipes/65-test_cmp_vfy.t | 2 +-
- 3 files changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/test/recipes/15-test_ec.t b/test/recipes/15-test_ec.t
-index 0638d626e7..c0efd77649 100644
---- a/test/recipes/15-test_ec.t
-+++ b/test/recipes/15-test_ec.t
-@@ -90,7 +90,7 @@ subtest 'Ed448 conversions -- public key' => sub {
-
- subtest 'Check loading of fips and non-fips keys' => sub {
- plan skip_all => "FIPS is disabled"
-- if $no_fips;
-+ if 1; #Red Hat specific, original value is $no_fips;
-
- plan tests => 2;
-
-diff --git a/test/recipes/65-test_cmp_protect.t b/test/recipes/65-test_cmp_protect.t
-index 631603df7c..4cb2ffebbc 100644
---- a/test/recipes/65-test_cmp_protect.t
-+++ b/test/recipes/65-test_cmp_protect.t
-@@ -27,7 +27,7 @@ plan skip_all => "This test is not supported in a no-cmp build"
- plan skip_all => "This test is not supported in a shared library build on Windows"
- if $^O eq 'MSWin32' && !disabled("shared");
-
--plan tests => 2 + ($no_fips ? 0 : 1); #fips test
-+plan skip_all => 2 + ($no_fips ?
0 : 1); #fips test
-
- my @basic_cmd = ("cmp_protect_test",
- data_file("server.pem"),
-diff --git a/test/recipes/65-test_cmp_vfy.t b/test/recipes/65-test_cmp_vfy.t
-index f722800e27..26a01786bb 100644
---- a/test/recipes/65-test_cmp_vfy.t
-+++ b/test/recipes/65-test_cmp_vfy.t
-@@ -27,7 +27,7 @@ plan skip_all => "This test is not supported in a no-cmp build"
- plan skip_all => "This test is not supported in a no-ec build"
- if disabled("ec");
-
--plan tests => 2 + ($no_fips ? 0 : 1); #fips test
-+plan skip_all => 2 + ($no_fips ? 0 : 1); #fips test
-
- my @basic_cmd = ("cmp_vfy_test",
- data_file("server.crt"), data_file("client.crt"),
---
-2.41.0
-
diff --git a/SPECS-EXTENDED/openssl-fips-provider/0024-load-legacy-prov.patch b/SPECS-EXTENDED/openssl-fips-provider/0024-load-legacy-prov.patch
deleted file mode 100644
index 733ddda32d7..00000000000
--- a/SPECS-EXTENDED/openssl-fips-provider/0024-load-legacy-prov.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-From ffc4f8f57d2e341afd5fd2e073390aaa0df4d003 Mon Sep 17 00:00:00 2001
-From: Maxwell Moyer-McKee
-Date: Thu, 11 Apr 2024 14:32:29 -0700
-Subject: [PATCH] Add default provider configuration
-
----
- apps/openssl.cnf | 39 ++++++++++++++++++---------------------
- 1 file changed, 18 insertions(+), 21 deletions(-)
-
-diff --git a/apps/openssl.cnf b/apps/openssl.cnf
-index bd25e0c622..9a92ea410c 100644
---- a/apps/openssl.cnf
-+++ b/apps/openssl.cnf
-@@ -42,35 +42,32 @@ tsa_policy1 = 1.2.3.4.1
- tsa_policy2 = 1.2.3.4.5.6
- tsa_policy3 = 1.2.3.4.5.7
-
--# For FIPS
--# Optionally include a file that is generated by the OpenSSL fipsinstall
--# application. This file contains configuration data required by the OpenSSL
--# fips provider. It contains a named section e.g. [fips_sect] which is
--# referenced from the [provider_sect] below.
--# Refer to the OpenSSL security policy for more information.
--# .include fipsmodule.cnf
--
- [openssl_init]
-+alg_section = evp_settings
- providers = provider_sect
-
--# List of providers to load
-+# Use the SymCrypt provider by default, if available
-+[evp_settings]
-+default_properties = "?provider=symcryptprovider"
-+
-+# Uncomment the sections that start with ## below to enable the legacy provider.
-+# Loading the legacy provider enables support for the following algorithms:
-+# Hashing Algorithms / Message Digests: MD2, MD4, MDC2, WHIRLPOOL, RIPEMD160
-+# Symmetric Ciphers: Blowfish, CAST, DES, IDEA, RC2, RC4,RC5, SEED
-+# Key Derivation Function (KDF): PBKDF1
-+# In general it is not recommended to use the above mentioned algorithms for
-+# security critical operations, as they are cryptographically weak or vulnerable
-+# to side-channel attacks and as such have been deprecated.
-+
- [provider_sect]
- default = default_sect
--# The fips section name should match the section name inside the
--# included fipsmodule.cnf.
--# fips = fips_sect
--
--# If no providers are activated explicitly, the default one is activated implicitly.
--# See man 7 OSSL_PROVIDER-default for more details.
-+##legacy = legacy_sect
- #
--# If you add a section explicitly activating any other provider(s), you most
--# probably need to explicitly activate the default provider, otherwise it
--# becomes unavailable in openssl. As a consequence applications depending on
--# OpenSSL may not work correctly which could lead to significant system
--# problems including inability to remotely access the system.
- [default_sect]
--# activate = 1
-+activate = 1
-
-+##[legacy_sect]
-+##activate = 1
-
- ####################################################################
- [ ca ]
---
-2.34.1
-
diff --git a/SPECS-EXTENDED/openssl-fips-provider/0032-Force-fips-3.1.2-AZL3-TEMP-SYMCRYPT.patch b/SPECS-EXTENDED/openssl-fips-provider/0032-Force-fips-3.1.2-AZL3-TEMP-SYMCRYPT.patch
deleted file mode 100644
index 07d59278bc1..00000000000
--- a/SPECS-EXTENDED/openssl-fips-provider/0032-Force-fips-3.1.2-AZL3-TEMP-SYMCRYPT.patch
+++ /dev/null
@@ -1,77 +0,0 @@
-From 125705108abc9ba5b57732fd8204a40e2ea64e54 Mon Sep 17 00:00:00 2001
-From: Tobias Brick
-Date: Wed, 17 Apr 2024 21:47:50 +0000
-Subject: [PATCH] Force fips
-
----
- crypto/provider_conf.c | 40 +++++++++++++++++++++++++++++++++++++++-
- 1 file changed, 39 insertions(+), 1 deletion(-)
-
-diff --git a/crypto/provider_conf.c b/crypto/provider_conf.c
-index 058fb58..208c695 100644
---- a/crypto/provider_conf.c
-+++ b/crypto/provider_conf.c
-@@ -10,6 +10,8 @@
- #include
- #include
- #include
-+#include
-+#include
- #include
- #include
- #include
-@@ -169,7 +171,7 @@ static int provider_conf_activate(OSSL_LIB_CTX *libctx, const char *name,
- if (path != NULL)
- ossl_provider_set_module_path(prov, path);
-
-- ok = provider_conf_params(prov, NULL, NULL, value, cnf);
-+ ok = cnf ? provider_conf_params(prov, NULL, NULL, value, cnf) : 1;
-
- if (ok) {
- if (!ossl_provider_activate(prov, 1, 0)) {
-@@ -309,6 +311,42 @@ static int provider_conf_init(CONF_IMODULE *md, const CONF *cnf)
- return 0;
- }
-
-+# define SYMCRYPT_PROV_CONF OPENSSLDIR "/symcrypt_prov.cnf"
-+ OSSL_LIB_CTX *libctx = NCONF_get0_libctx((CONF *)cnf);
-+ PROVIDER_CONF_GLOBAL *pcgbl
-+ = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_PROVIDER_CONF_INDEX);
-+ int symcrypt_prov_activated;
-+ int default_prov_activated;
-+
-+ if (pcgbl == NULL || !CRYPTO_THREAD_write_lock(pcgbl->lock)) {
-+ ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
-+ return 0;
-+ }
-+
-+ // Trying to activate either provider again will fail.
-+ symcrypt_prov_activated = prov_already_activated("symcryptprovider", pcgbl->activated_providers);
-+ default_prov_activated = prov_already_activated("default", pcgbl->activated_providers);
-+
-+ CRYPTO_THREAD_unlock(pcgbl->lock);
-+
-+ if (!symcrypt_prov_activated)
-+ {
-+ if (access(SYMCRYPT_PROV_CONF, R_OK) == 0) {
-+ CONF *symcrypt_prov_conf = NCONF_new_ex(libctx, NCONF_default());
-+ if (NCONF_load(symcrypt_prov_conf, SYMCRYPT_PROV_CONF, NULL) <= 0)
-+ return 0;
-+
-+ if (provider_conf_load(libctx, "symcryptprovider", "symcrypt_prov_sect", symcrypt_prov_conf) != 1) {
-+ NCONF_free(symcrypt_prov_conf);
-+ return 0;
-+ }
-+ NCONF_free(symcrypt_prov_conf);
-+ // Always load the symcrypt provider for fips mode
-+ } else if (ossl_get_kernel_fips_flag()
-+ && provider_conf_activate(libctx, "symcryptprovider", NULL, NULL, 0, NULL) != 1)
-+ return 0;
-+ }
-+
- return 1;
- }
-
---
-2.45.4
-
diff --git a/SPECS-EXTENDED/openssl-fips-provider/0033-FIPS-embed-hmac-3.1.2-AZL.patch b/SPECS-EXTENDED/openssl-fips-provider/0033-FIPS-embed-hmac-3.1.2-AZL.patch
deleted file mode 100644
index 53fccf2ac71..00000000000
--- a/SPECS-EXTENDED/openssl-fips-provider/0033-FIPS-embed-hmac-3.1.2-AZL.patch
+++ /dev/null
@@ -1,250 +0,0 @@
-From d489b42a88078a8809617f1b9c2f8e58e5c6d3b0 Mon Sep 17 00:00:00 2001
-From: rpm-build
-Date: Thu, 19 Oct 2023 13:12:40 +0200
-Subject: [PATCH] 0033-FIPS-embed-hmac.patch
-
-Patch-name: 0033-FIPS-embed-hmac.patch
-Patch-id: 33
-Patch-status: |
- # # Embed HMAC into the fips.so
-From-dist-git-commit: 5c67b5adc311af297f425c09e3e1ac7ca8483911
----
- providers/fips/self_test.c | 70 ++++++++++++++++++++++++---
- test/fipsmodule.cnf | 2 +
- test/recipes/00-prep_fipsmodule_cnf.t | 2 +-
- test/recipes/01-test_fipsmodule_cnf.t | 2 +-
- test/recipes/03-test_fipsinstall.t | 2 +-
- test/recipes/30-test_defltfips.t | 2 +-
- test/recipes/80-test_ssl_new.t | 2 +-
- test/recipes/90-test_sslapi.t | 2 +-
- 8 files changed, 71 insertions(+), 13 deletions(-)
- create mode 100644 test/fipsmodule.cnf
-
-diff --git a/providers/fips/self_test.c b/providers/fips/self_test.c
-index 0be3146..dea52e3 100644
---- a/providers/fips/self_test.c
-+++ b/providers/fips/self_test.c
-@@ -229,11 +229,27 @@ err:
- return ok;
- }
-
-+#define HMAC_LEN 32
-+/*
-+ * The __attribute__ ensures we've created the .rodata1 section
-+ * static ensures it's zero filled
-+*/
-+static const unsigned char __attribute__ ((section (".rodata1"))) fips_hmac_container[HMAC_LEN] = {0};
-+
- /*
- * Calculate the HMAC SHA256 of data read using a BIO and read_cb, and verify
- * the result matches the expected value.
- * Return 1 if verified, or 0 if it fails.
- */
-+#ifndef __USE_GNU
-+#define __USE_GNU
-+#include
-+#undef __USE_GNU
-+#else
-+#include
-+#endif
-+#include
-+
- static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex_cb,
- unsigned char *expected, size_t expected_len,
- OSSL_LIB_CTX *libctx, OSSL_SELF_TEST *ev,
-@@ -246,12 +262,23 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex
- EVP_MAC *mac = NULL;
- EVP_MAC_CTX *ctx = NULL;
- OSSL_PARAM params[2], *p = params;
-+ Dl_info info;
-+ void *extra_info = NULL;
-+ struct link_map *lm = NULL;
-+ unsigned long paddr;
-+ unsigned long off = 0;
-
- if (!integrity_self_test(ev, libctx))
- goto err;
-
- OSSL_SELF_TEST_onbegin(ev, event_type, OSSL_SELF_TEST_DESC_INTEGRITY_HMAC);
-
-+ if (!dladdr1 ((const void *)fips_hmac_container,
-+ &info, &extra_info, RTLD_DL_LINKMAP))
-+ goto err;
-+ lm = extra_info;
-+ paddr = (unsigned long)fips_hmac_container - lm->l_addr;
-+
- mac = EVP_MAC_fetch(libctx, MAC_NAME, NULL);
- if (mac == NULL)
- goto err;
-@@ -265,13 +292,42 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex
- if (!EVP_MAC_init(ctx, fixed_key, sizeof(fixed_key), params))
- goto err;
-
-- while (1) {
-- status = read_ex_cb(bio, buf, sizeof(buf), &bytes_read);
-+ while ((off + INTEGRITY_BUF_SIZE) <= paddr) {
-+ status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read);
-+ if (status != 1)
-+ break;
-+ if (!EVP_MAC_update(ctx, buf, bytes_read))
-+ goto err;
-+ off += bytes_read;
-+ }
-+
-+ if (off + INTEGRITY_BUF_SIZE > paddr) {
-+ int delta = paddr - off;
-+ status = read_ex_cb(bio, buf, delta, &bytes_read);
-+ if (status != 1)
-+ goto err;
-+ if (!EVP_MAC_update(ctx, buf, bytes_read))
-+ goto err;
-+ off += bytes_read;
-+
-+ status = read_ex_cb(bio, buf, HMAC_LEN, &bytes_read);
-+ memset(buf, 0, HMAC_LEN);
-+ if (status != 1)
-+ goto err;
-+ if (!EVP_MAC_update(ctx, buf, bytes_read))
-+ goto err;
-+ off += bytes_read;
-+ }
-+
-+ while (bytes_read > 0) {
-+ status =
read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read);
- if (status != 1)
- break;
- if (!EVP_MAC_update(ctx, buf, bytes_read))
- goto err;
-+ off += bytes_read;
- }
-+
- if (!EVP_MAC_final(ctx, out, &out_len, sizeof(out)))
- goto err;
-
-@@ -281,6 +337,7 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex
- goto err;
- ret = 1;
- err:
-+ OPENSSL_cleanse(out, sizeof(out));
- OSSL_SELF_TEST_onend(ev, ret);
- EVP_MAC_CTX_free(ctx);
- EVP_MAC_free(mac);
-@@ -334,8 +391,7 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
- return 0;
- }
-
-- if (st == NULL
-- || st->module_checksum_data == NULL) {
-+ if (st == NULL) {
- ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CONFIG_DATA);
- goto end;
- }
-@@ -344,8 +400,9 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
- if (ev == NULL)
- goto end;
-
-- module_checksum = OPENSSL_hexstr2buf(st->module_checksum_data,
-- &checksum_len);
-+ module_checksum = fips_hmac_container;
-+ checksum_len = sizeof(fips_hmac_container);
-+
- if (module_checksum == NULL) {
- ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CONFIG_DATA);
- goto end;
-@@ -419,7 +476,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
- end:
- EVP_RAND_free(testrand);
- OSSL_SELF_TEST_free(ev);
-- OPENSSL_free(module_checksum);
- OPENSSL_free(indicator_checksum);
-
- if (st != NULL) {
-diff --git a/test/fipsmodule.cnf b/test/fipsmodule.cnf
-new file mode 100644
-index 0000000..f05d0de
---- /dev/null
-+++ b/test/fipsmodule.cnf
-@@ -0,0 +1,2 @@
-+[fips_sect]
-+activate = 1
-diff --git a/test/recipes/00-prep_fipsmodule_cnf.t b/test/recipes/00-prep_fipsmodule_cnf.t
-index 4e3a6d8..e8255ba 100644
---- a/test/recipes/00-prep_fipsmodule_cnf.t
-+++ b/test/recipes/00-prep_fipsmodule_cnf.t
-@@ -20,7 +20,7 @@ use lib srctop_dir('Configurations');
- use lib bldtop_dir('.');
- use platform;
-
--my $no_check = disabled("fips");
-+my $no_check = 1;
- plan skip_all => "FIPS module config file only supported
in a fips build"
- if $no_check;
-
-diff --git a/test/recipes/01-test_fipsmodule_cnf.t b/test/recipes/01-test_fipsmodule_cnf.t
-index ce59481..00cebac 100644
---- a/test/recipes/01-test_fipsmodule_cnf.t
-+++ b/test/recipes/01-test_fipsmodule_cnf.t
-@@ -23,7 +23,7 @@ use lib srctop_dir('Configurations');
- use lib bldtop_dir('.');
- use platform;
-
--my $no_check = disabled("fips");
-+my $no_check = 1;
- plan skip_all => "Test only supported in a fips build"
- if $no_check;
- plan tests => 1;
-diff --git a/test/recipes/03-test_fipsinstall.t b/test/recipes/03-test_fipsinstall.t
-index b8b136d..8242f4e 100644
---- a/test/recipes/03-test_fipsinstall.t
-+++ b/test/recipes/03-test_fipsinstall.t
-@@ -22,7 +22,7 @@ use lib srctop_dir('Configurations');
- use lib bldtop_dir('.');
- use platform;
-
--plan skip_all => "Test only supported in a fips build" if disabled("fips");
-+plan skip_all => "Test only supported in a fips build" if 1;
-
- # Compatible options for pedantic FIPS compliance
- my @pedantic_okay =
-diff --git a/test/recipes/30-test_defltfips.t b/test/recipes/30-test_defltfips.t
-index 426bd66..6dc5149 100644
---- a/test/recipes/30-test_defltfips.t
-+++ b/test/recipes/30-test_defltfips.t
-@@ -21,7 +21,7 @@ BEGIN {
- use lib srctop_dir('Configurations');
- use lib bldtop_dir('.');
-
--my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
-+my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0);
-
- plan tests =>
- ($no_fips ?
1 : 5);
-diff --git a/test/recipes/80-test_ssl_new.t b/test/recipes/80-test_ssl_new.t
-index 0c6d640..e45f9cb 100644
---- a/test/recipes/80-test_ssl_new.t
-+++ b/test/recipes/80-test_ssl_new.t
-@@ -27,7 +27,7 @@ setup("test_ssl_new");
- use lib srctop_dir('Configurations');
- use lib bldtop_dir('.');
-
--my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
-+my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0);
-
- $ENV{TEST_CERTS_DIR} = srctop_dir("test", "certs");
-
-diff --git a/test/recipes/90-test_sslapi.t b/test/recipes/90-test_sslapi.t
-index 9e9e32b..1a1a715 100644
---- a/test/recipes/90-test_sslapi.t
-+++ b/test/recipes/90-test_sslapi.t
-@@ -17,7 +17,7 @@ setup("test_sslapi");
- use lib srctop_dir('Configurations');
- use lib bldtop_dir('.');
-
--my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
-+my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0);
- my $fipsmodcfg_filename = "fipsmodule.cnf";
- my $fipsmodcfg = bldtop_file("test", $fipsmodcfg_filename);
-
---
-2.45.4
-
diff --git a/SPECS-EXTENDED/openssl-fips-provider/0034.fipsinstall_disable-3.1.4-fedora.patch b/SPECS-EXTENDED/openssl-fips-provider/0034.fipsinstall_disable-3.1.4-fedora.patch
deleted file mode 100644
index f1d7b275de5..00000000000
--- a/SPECS-EXTENDED/openssl-fips-provider/0034.fipsinstall_disable-3.1.4-fedora.patch
+++ /dev/null
@@ -1,473 +0,0 @@ -From a9825123e7ab3474d2794a5706d9bed047959c9c Mon Sep 17 00:00:00 2001 -From: rpm-build -Date: Mon, 31 Jul 2023 09:41:28 +0200 -Subject: [PATCH 18/35] 0034.fipsinstall_disable.patch - -Patch-name: 0034.fipsinstall_disable.patch -Patch-id: 34 -Patch-status: | - # Comment out fipsinstall command-line utility -From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd ---- - apps/fipsinstall.c | 3 + - doc/man1/openssl-fipsinstall.pod.in | 272 +--------------------------- - doc/man1/openssl.pod | 4 - - doc/man5/config.pod | 1 - - doc/man5/fips_config.pod | 104 +---------- - doc/man7/OSSL_PROVIDER-FIPS.pod | 1 - - 6 files changed, 10 insertions(+), 375 deletions(-) - -diff --git a/apps/fipsinstall.c b/apps/fipsinstall.c -index e1ef645b60..db92cb5fb2 100644 ---- a/apps/fipsinstall.c -+++ b/apps/fipsinstall.c -@@ -375,6 +375,9 @@ int fipsinstall_main(int argc, char **argv) - EVP_MAC *mac = NULL; - CONF *conf = NULL; - -+ BIO_printf(bio_err, "This command is not enabled in the Red Hat Enterprise Linux OpenSSL build, please consult Red Hat documentation to learn how to enable FIPS mode\n"); -+ return 1; -+ - if ((opts = sk_OPENSSL_STRING_new_null()) == NULL) - goto end; - -diff --git a/doc/man1/openssl-fipsinstall.pod.in b/doc/man1/openssl-fipsinstall.pod.in -index b1768b7f91..b6b00e27d8 100644 ---- a/doc/man1/openssl-fipsinstall.pod.in -+++ b/doc/man1/openssl-fipsinstall.pod.in -@@ -8,275 +8,9 @@ openssl-fipsinstall - perform FIPS configuration installation - =head1 SYNOPSIS - - B --[B<-help>] --[B<-in> I] --[B<-out> I] --[B<-module> I] --[B<-provider_name> I] --[B<-section_name> I] --[B<-verify>] --[B<-mac_name> I] --[B<-macopt> I:I] --[B<-noout>] --[B<-quiet>] --[B<-pedantic>] --[B<-no_conditional_errors>] --[B<-no_security_checks>] --[B<-ems_check>] --[B<-no_drbg_truncated_digests>] --[B<-self_test_onload>] --[B<-self_test_oninstall>] --[B<-corrupt_desc> I] --[B<-corrupt_type> I] --[B<-config> I] -- --=head1 DESCRIPTION -- --This command is used 
to generate a FIPS module configuration file. --This configuration file can be used each time a FIPS module is loaded --in order to pass data to the FIPS module self tests. The FIPS module always --verifies its MAC, but optionally only needs to run the KAT's once, --at installation. -- --The generated configuration file consists of: -- --=over 4 -- --=item - A MAC of the FIPS module file. -- --=item - A test status indicator. -- --This indicates if the Known Answer Self Tests (KAT's) have successfully run. -- --=item - A MAC of the status indicator. -- --=item - A control for conditional self tests errors. -- --By default if a continuous test (e.g a key pair test) fails then the FIPS module --will enter an error state, and no services or cryptographic algorithms will be --able to be accessed after this point. --The default value of '1' will cause the fips module error state to be entered. --If the value is '0' then the module error state will not be entered. --Regardless of whether the error state is entered or not, the current operation --(e.g. key generation) will return an error. The user is responsible for retrying --the operation if the module error state is not entered. -- --=item - A control to indicate whether run-time security checks are done. -- --This indicates if run-time checks related to enforcement of security parameters --such as minimum security strength of keys and approved curve names are used. --The default value of '1' will perform the checks. --If the value is '0' the checks are not performed and FIPS compliance must --be done by procedures documented in the relevant Security Policy. -- --=back -- --This file is described in L. -- --=head1 OPTIONS -- --=over 4 -- --=item B<-help> -- --Print a usage message. -- --=item B<-module> I -- --Filename of the FIPS module to perform an integrity check on. --The path provided in the filename is used to load the module when it is --activated, and this overrides the environment variable B. 
-- --=item B<-out> I -- --Filename to output the configuration data to; the default is standard output. -- --=item B<-in> I -- --Input filename to load configuration data from. --Must be used if the B<-verify> option is specified. -- --=item B<-verify> -- --Verify that the input configuration file contains the correct information. -- --=item B<-provider_name> I -- --Name of the provider inside the configuration file. --The default value is C. -- --=item B<-section_name> I -- --Name of the section inside the configuration file. --The default value is C. -- --=item B<-mac_name> I -- --Specifies the name of a supported MAC algorithm which will be used. --The MAC mechanisms that are available will depend on the options --used when building OpenSSL. --To see the list of supported MAC's use the command --C. The default is B. -- --=item B<-macopt> I:I -- --Passes options to the MAC algorithm. --A comprehensive list of controls can be found in the EVP_MAC implementation --documentation. --Common control strings used for this command are: -- --=over 4 -- --=item B:I -- --Specifies the MAC key as an alphanumeric string (use if the key contains --printable characters only). --The string length must conform to any restrictions of the MAC algorithm. --A key must be specified for every MAC algorithm. --If no key is provided, the default that was specified when OpenSSL was --configured is used. -- --=item B:I -- --Specifies the MAC key in hexadecimal form (two hex digits per byte). --The key length must conform to any restrictions of the MAC algorithm. --A key must be specified for every MAC algorithm. --If no key is provided, the default that was specified when OpenSSL was --configured is used. -- --=item B:I -- --Used by HMAC as an alphanumeric string (use if the key contains printable --characters only). --The string length must conform to any restrictions of the MAC algorithm. --To see the list of supported digests, use the command --C. --The default digest is SHA-256. 
-- --=back -- --=item B<-noout> -- --Disable logging of the self tests. -- --=item B<-pedantic> -- --Configure the module so that it is strictly FIPS compliant rather --than being backwards compatible. This enables conditional errors, --security checks etc. Note that any previous configuration options will --be overwritten and any subsequent configuration options that violate --FIPS compliance will result in an error. -- --=item B<-no_conditional_errors> -- --Configure the module to not enter an error state if a conditional self test --fails as described above. -- --=item B<-no_security_checks> -- --Configure the module to not perform run-time security checks as described above. -- --Enabling the configuration option "no-fips-securitychecks" provides another way to --turn off the check at compile time. -- --=item B<-ems_check> -- --Configure the module to enable a run-time Extended Master Secret (EMS) check --when using the TLS1_PRF KDF algorithm. This check is disabled by default. --See RFC 7627 for information related to EMS. -- --=item B<-no_drbg_truncated_digests> -- --Configure the module to not allow truncated digests to be used with Hash and --HMAC DRBGs. See FIPS 140-3 IG D.R for details. -- --=item B<-self_test_onload> -- --Do not write the two fields related to the "test status indicator" and --"MAC status indicator" to the output configuration file. Without these fields --the self tests KATS will run each time the module is loaded. This option could be --used for cross compiling, since the self tests need to run at least once on each --target machine. Once the self tests have run on the target machine the user --could possibly then add the 2 fields into the configuration using some other --mechanism. -- --This is the default. -- --=item B<-self_test_oninstall> -- --The converse of B<-self_test_oninstall>. The two fields related to the --"test status indicator" and "MAC status indicator" are written to the --output configuration file. 
-- --=item B<-quiet> -- --Do not output pass/fail messages. Implies B<-noout>. -- --=item B<-corrupt_desc> I, --B<-corrupt_type> I -- --The corrupt options can be used to test failure of one or more self tests by --name. --Either option or both may be used to select the tests to corrupt. --Refer to the entries for B and B in L for --values that can be used. -- --=item B<-config> I -- --Test that a FIPS provider can be loaded from the specified configuration file. --A previous call to this application needs to generate the extra configuration --data that is included by the base C configuration file. --See L for further information on how to set up a provider section. --All other options are ignored if '-config' is used. -- --=back -- --=head1 NOTES -- --Self tests results are logged by default if the options B<-quiet> and B<-noout> --are not specified, or if either of the options B<-corrupt_desc> or --B<-corrupt_type> are used. --If the base configuration file is set up to autoload the fips module, then the --fips module will be loaded and self tested BEFORE the fipsinstall application --has a chance to set up its own self test callback. As a result of this the self --test output and the options B<-corrupt_desc> and B<-corrupt_type> will be ignored. --For normal usage the base configuration file should use the default provider --when generating the fips configuration file. -- --The B<-self_test_oninstall> option was added and the --B<-self_test_onload> option was made the default in OpenSSL 3.1. -- --The command and all remaining options were added in OpenSSL 3.0. 
-- --=head1 EXAMPLES -- --Calculate the mac of a FIPS module F and run a FIPS self test --for the module, and save the F configuration file: -- -- openssl fipsinstall -module ./fips.so -out fips.cnf -provider_name fips -- --Verify that the configuration file F contains the correct info: -- -- openssl fipsinstall -module ./fips.so -in fips.cnf -provider_name fips -verify -- --Corrupt any self tests which have the description C: -- -- openssl fipsinstall -module ./fips.so -out fips.cnf -provider_name fips \ -- -corrupt_desc 'SHA1' -- --Validate that the fips module can be loaded from a base configuration file: -- -- export OPENSSL_CONF_INCLUDE= -- export OPENSSL_MODULES= -- openssl fipsinstall -config' 'default.cnf' -- -- --=head1 SEE ALSO -- --L, --L, --L, --L -+This command is disabled. -+Please consult Red Hat Enterprise Linux documentation to learn how to correctly -+enable FIPS mode on Red Hat Enterprise - - =head1 COPYRIGHT - -diff --git a/doc/man1/openssl.pod b/doc/man1/openssl.pod -index d9c22a580f..d5ec3b9a6a 100644 ---- a/doc/man1/openssl.pod -+++ b/doc/man1/openssl.pod -@@ -135,10 +135,6 @@ Engine (loadable module) information and manipulation. - - Error Number to Error String Conversion. - --=item B -- --FIPS configuration installation. -- - =item B - - Generation of DSA Private Key from Parameters. Superseded by -diff --git a/doc/man5/config.pod b/doc/man5/config.pod -index 714a10437b..bd05736220 100644 ---- a/doc/man5/config.pod -+++ b/doc/man5/config.pod -@@ -573,7 +573,6 @@ configuration files using that syntax will have to be modified. - =head1 SEE ALSO - - L, L, L, --L, - L, - L, - L, -diff --git a/doc/man5/fips_config.pod b/doc/man5/fips_config.pod -index 2255464304..1c15e32a5c 100644 ---- a/doc/man5/fips_config.pod -+++ b/doc/man5/fips_config.pod -@@ -6,106 +6,10 @@ fips_config - OpenSSL FIPS configuration - - =head1 DESCRIPTION - --A separate configuration file, using the OpenSSL L syntax, --is used to hold information about the FIPS module. 
This includes a digest --of the shared library file, and status about the self-testing. --This data is used automatically by the module itself for two --purposes: -- --=over 4 -- --=item - Run the startup FIPS self-test known answer tests (KATS). -- --This is normally done once, at installation time, but may also be set up to --run each time the module is used. -- --=item - Verify the module's checksum. -- --This is done each time the module is used. -- --=back -- --This file is generated by the L program, and --used internally by the FIPS module during its initialization. -- --The following options are supported. They should all appear in a section --whose name is identified by the B option in the B --section, as described in L. -- --=over 4 -- --=item B -- --If present, the module is activated. The value assigned to this name is not --significant. -- --=item B -- --A version number for the fips install process. Should be 1. -- --=item B -- --The FIPS module normally enters an internal error mode if any self test fails. --Once this error mode is active, no services or cryptographic algorithms are --accessible from this point on. --Continuous tests are a subset of the self tests (e.g., a key pair test during key --generation, or the CRNG output test). --Setting this value to C<0> allows the error mode to not be triggered if any --continuous test fails. The default value of C<1> will trigger the error mode. --Regardless of the value, the operation (e.g., key generation) that called the --continuous test will return an error code if its continuous test fails. The --operation may then be retried if the error mode has not been triggered. -- --=item B -- --This indicates if run-time checks related to enforcement of security parameters --such as minimum security strength of keys and approved curve names are used. 
--A value of '1' will perform the checks, otherwise if the value is '0' the checks --are not performed and FIPS compliance must be done by procedures documented in --the relevant Security Policy. -- --=item B -- --The calculated MAC of the FIPS provider file. -- --=item B -- --An indicator that the self-tests were successfully run. --This should only be written after the module has --successfully passed its self tests during installation. --If this field is not present, then the self tests will run when the module --loads. -- --=item B -- --A MAC of the value of the B option, to prevent accidental --changes to that value. --It is written-to at the same time as B is updated. -- --=back -- --For example: -- -- [fips_sect] -- activate = 1 -- install-version = 1 -- conditional-errors = 1 -- security-checks = 1 -- module-mac = 41:D0:FA:C2:5D:41:75:CD:7D:C3:90:55:6F:A4:DC -- install-mac = FE:10:13:5A:D3:B4:C7:82:1B:1E:17:4C:AC:84:0C -- install-status = INSTALL_SELF_TEST_KATS_RUN -- --=head1 NOTES -- --When using the FIPS provider, it is recommended that the --B option is enabled to prevent accidental use of --non-FIPS validated algorithms via broken or mistaken configuration. --See L. -- --=head1 SEE ALSO -- --L --L -+This command is disabled in Red Hat Enterprise Linux. The FIPS provider is -+automatically loaded when the system is booted in FIPS mode, or when the -+environment variable B is set. See the documentation -+for more information. - - =head1 HISTORY - -diff --git a/doc/man7/OSSL_PROVIDER-FIPS.pod b/doc/man7/OSSL_PROVIDER-FIPS.pod -index 4f908888ba..ef00247770 100644 ---- a/doc/man7/OSSL_PROVIDER-FIPS.pod -+++ b/doc/man7/OSSL_PROVIDER-FIPS.pod -@@ -444,7 +444,6 @@ want to operate in a FIPS approved manner. The algorithms are: - - =head1 SEE ALSO - --L, - L, - L, - L, --- -2.41.0 - 
diff --git a/SPECS-EXTENDED/openssl-fips-provider/0035-speed-skip-unavailable-dgst.patch b/SPECS-EXTENDED/openssl-fips-provider/0035-speed-skip-unavailable-dgst.patch
deleted file mode 100644
index d52d5e14fbd..00000000000
--- a/SPECS-EXTENDED/openssl-fips-provider/0035-speed-skip-unavailable-dgst.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 213f38dc580d39f2cb46592b5e6db585fc6a650f Mon Sep 17 00:00:00 2001
-From: rpm-build
-Date: Mon, 31 Jul 2023 09:41:28 +0200
-Subject: [PATCH 19/35] 0035-speed-skip-unavailable-dgst.patch
-
-Patch-name: 0035-speed-skip-unavailable-dgst.patch
-Patch-id: 35
-Patch-status: |
- # Skip unavailable algorithms running `openssl speed`
-From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
----
- apps/speed.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/apps/speed.c b/apps/speed.c
-index d527f12f18..2ff3eb53bd 100644
---- a/apps/speed.c
-+++ b/apps/speed.c
-@@ -610,6 +610,9 @@ static int EVP_MAC_loop(int algindex, void *args)
- for (count = 0; COND(c[algindex][testnum]); count++) {
- size_t outl;
-
-+ if (mctx == NULL)
-+ return -1;
-+
- if (!EVP_MAC_init(mctx, NULL, 0, NULL)
- || !EVP_MAC_update(mctx, buf, lengths[testnum])
- || !EVP_MAC_final(mctx, mac, &outl, sizeof(mac)))
---
-2.41.0
-
diff --git a/SPECS-EXTENDED/openssl-fips-provider/0049-Allow-disabling-of-SHA1-signatures-3.1.2-AZL.patch b/SPECS-EXTENDED/openssl-fips-provider/0049-Allow-disabling-of-SHA1-signatures-3.1.2-AZL.patch
deleted file mode 100644
index f579d68797c..00000000000
--- a/SPECS-EXTENDED/openssl-fips-provider/0049-Allow-disabling-of-SHA1-signatures-3.1.2-AZL.patch
+++ /dev/null
@@ -1,525 +0,0 @@ -From d8f69942883c72dcf772a7a717116d4716adf81c Mon Sep 17 00:00:00 2001 -From: Dmitry Belyavskiy -Date: Mon, 21 Aug 2023 13:07:07 +0200 -Subject: [PATCH] 0049-Allow-disabling-of-SHA1-signatures.patch - -Patch-name: 0049-Allow-disabling-of-SHA1-signatures.patch -Patch-id: 49 -Patch-status: | - # Selectively disallow SHA1 signatures rhbz#2070977 -From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd ---- - crypto/context.c | 14 ++++ - crypto/evp/evp_cnf.c | 13 +++ - crypto/evp/m_sigver.c | 79 +++++++++++++++++++ - crypto/evp/pmeth_lib.c | 15 ++++ - doc/man5/config.pod | 13 +++ - include/crypto/context.h | 3 + - include/internal/cryptlib.h | 3 +- - include/internal/sslconf.h | 4 + - providers/common/securitycheck.c | 20 +++++ - providers/common/securitycheck_default.c | 9 ++- - providers/implementations/signature/dsa_sig.c | 11 ++- - .../implementations/signature/ecdsa_sig.c | 4 + - providers/implementations/signature/rsa_sig.c | 20 ++++- - ssl/t1_lib.c | 8 ++ - util/libcrypto.num | 2 + - 15 files changed, 209 insertions(+), 9 deletions(-) - -diff --git a/crypto/context.c b/crypto/context.c -index 51002ba..e697974 100644 ---- a/crypto/context.c -+++ b/crypto/context.c -@@ -78,6 +78,8 @@ struct ossl_lib_ctx_st { - void *fips_prov; - #endif - -+ void *legacy_digest_signatures; -+ - unsigned int ischild:1; - }; - -@@ -206,6 +208,10 @@ static int context_init(OSSL_LIB_CTX *ctx) - goto err; - #endif - -+ ctx->legacy_digest_signatures = ossl_ctx_legacy_digest_signatures_new(ctx); -+ if (ctx->legacy_digest_signatures == NULL) -+ goto err; -+ - /* Low priority. */ - #ifndef FIPS_MODULE - ctx->child_provider = ossl_child_prov_ctx_new(ctx); -@@ -334,6 +340,11 @@ static void context_deinit_objs(OSSL_LIB_CTX *ctx) - } - #endif - -+ if (ctx->legacy_digest_signatures != NULL) { -+ ossl_ctx_legacy_digest_signatures_free(ctx->legacy_digest_signatures); -+ ctx->legacy_digest_signatures = NULL; -+ } -+ - /* Low priority. 
*/ - #ifndef FIPS_MODULE - if (ctx->child_provider != NULL) { -@@ -625,6 +636,9 @@ void *ossl_lib_ctx_get_data(OSSL_LIB_CTX *ctx, int index) - return ctx->fips_prov; - #endif - -+ case OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES_INDEX: -+ return ctx->legacy_digest_signatures; -+ - default: - return NULL; - } -diff --git a/crypto/evp/evp_cnf.c b/crypto/evp/evp_cnf.c -index 0e7fe64..b9d3b6d 100644 ---- a/crypto/evp/evp_cnf.c -+++ b/crypto/evp/evp_cnf.c -@@ -10,6 +10,7 @@ - #include - #include - #include "internal/cryptlib.h" -+#include "internal/sslconf.h" - #include - #include - #include -@@ -57,6 +58,18 @@ static int alg_module_init(CONF_IMODULE *md, const CONF *cnf) - ERR_raise(ERR_LIB_EVP, EVP_R_SET_DEFAULT_PROPERTY_FAILURE); - return 0; - } -+ } else if (strcmp(oval->name, "rh-allow-sha1-signatures") == 0) { -+ int m; -+ -+ /* Detailed error already reported. */ -+ if (!X509V3_get_value_bool(oval, &m)) -+ return 0; -+ -+ if (!ossl_ctx_legacy_digest_signatures_allowed_set( -+ NCONF_get0_libctx((CONF *)cnf), m > 0, 0)) { -+ ERR_raise(ERR_LIB_EVP, EVP_R_SET_DEFAULT_PROPERTY_FAILURE); -+ return 0; -+ } - } else { - ERR_raise_data(ERR_LIB_EVP, EVP_R_UNKNOWN_OPTION, - "name=%s, value=%s", oval->name, oval->value); -diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c -index 630d339..6e4e9f5 100644 ---- a/crypto/evp/m_sigver.c -+++ b/crypto/evp/m_sigver.c -@@ -15,6 +15,73 @@ - #include "internal/provider.h" - #include "internal/numbers.h" /* includes SIZE_MAX */ - #include "evp_local.h" -+#include "crypto/context.h" -+ -+typedef struct ossl_legacy_digest_signatures_st { -+ int allowed; -+} OSSL_LEGACY_DIGEST_SIGNATURES; -+ -+void ossl_ctx_legacy_digest_signatures_free(void *vldsigs) -+{ -+ OSSL_LEGACY_DIGEST_SIGNATURES *ldsigs = vldsigs; -+ -+ if (ldsigs != NULL) { -+ OPENSSL_free(ldsigs); -+ } -+} -+ -+void *ossl_ctx_legacy_digest_signatures_new(OSSL_LIB_CTX *ctx) -+{ -+ OSSL_LEGACY_DIGEST_SIGNATURES* ldsigs = OPENSSL_zalloc(sizeof(OSSL_LEGACY_DIGEST_SIGNATURES)); -+ 
/* Warning: This patch differs from the same patch in CentOS and RHEL here, -+ * because the default on Fedora is to allow SHA-1 and support disabling -+ * it, while CentOS/RHEL disable it by default and allow enabling it. */ -+ ldsigs->allowed = 1; -+ return ldsigs; -+} -+ -+static OSSL_LEGACY_DIGEST_SIGNATURES *ossl_ctx_legacy_digest_signatures( -+ OSSL_LIB_CTX *libctx, int loadconfig) -+{ -+#ifndef FIPS_MODULE -+ if (loadconfig && !OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL)) -+ return NULL; -+#endif -+ -+ return ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES_INDEX); -+} -+ -+int ossl_ctx_legacy_digest_signatures_allowed(OSSL_LIB_CTX *libctx, int loadconfig) -+{ -+ OSSL_LEGACY_DIGEST_SIGNATURES *ldsigs -+ = ossl_ctx_legacy_digest_signatures(libctx, loadconfig); -+ -+#ifndef FIPS_MODULE -+ if (ossl_safe_getenv("OPENSSL_ENABLE_SHA1_SIGNATURES") != NULL) -+ /* used in tests */ -+ return 1; -+#endif -+ -+ /* Warning: This patch differs from the same patch in CentOS and RHEL here, -+ * because the default on Fedora is to allow SHA-1 and support disabling -+ * it, while CentOS/RHEL disable it by default and allow enabling it. */ -+ return ldsigs != NULL ? 
ldsigs->allowed : 1; -+} -+ -+int ossl_ctx_legacy_digest_signatures_allowed_set(OSSL_LIB_CTX *libctx, int allow, -+ int loadconfig) -+{ -+ OSSL_LEGACY_DIGEST_SIGNATURES *ldsigs -+ = ossl_ctx_legacy_digest_signatures(libctx, loadconfig); -+ -+ if (ldsigs == NULL) { -+ ERR_raise(ERR_LIB_EVP, ERR_R_INTERNAL_ERROR); -+ return 0; -+ } -+ -+ ldsigs->allowed = allow; -+ return 1; -+} - - #ifndef FIPS_MODULE - -@@ -251,6 +318,18 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, - } - } - -+ if (ctx->reqdigest != NULL -+ && !EVP_PKEY_is_a(locpctx->pkey, SN_hmac) -+ && !EVP_PKEY_is_a(locpctx->pkey, SN_tls1_prf) -+ && !EVP_PKEY_is_a(locpctx->pkey, SN_hkdf)) { -+ int mdnid = EVP_MD_nid(ctx->reqdigest); -+ if (!ossl_ctx_legacy_digest_signatures_allowed(locpctx->libctx, 0) -+ && (mdnid == NID_sha1 || mdnid == NID_md5_sha1)) { -+ ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_DIGEST); -+ goto err; -+ } -+ } -+ - if (ver) { - if (signature->digest_verify_init == NULL) { - ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR); -diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c -index ce6e1a1..0039262 100644 ---- a/crypto/evp/pmeth_lib.c -+++ b/crypto/evp/pmeth_lib.c -@@ -33,6 +33,7 @@ - #include "internal/ffc.h" - #include "internal/numbers.h" - #include "internal/provider.h" -+#include "internal/sslconf.h" - #include "evp_local.h" - - #ifndef FIPS_MODULE -@@ -958,6 +959,20 @@ static int evp_pkey_ctx_set_md(EVP_PKEY_CTX *ctx, const EVP_MD *md, - return -2; - } - -+ if (EVP_PKEY_CTX_IS_SIGNATURE_OP(ctx) -+ && md != NULL -+ && ctx->pkey != NULL -+ && !EVP_PKEY_is_a(ctx->pkey, SN_hmac) -+ && !EVP_PKEY_is_a(ctx->pkey, SN_tls1_prf) -+ && !EVP_PKEY_is_a(ctx->pkey, SN_hkdf)) { -+ int mdnid = EVP_MD_nid(md); -+ if ((mdnid == NID_sha1 || mdnid == NID_md5_sha1) -+ && !ossl_ctx_legacy_digest_signatures_allowed(ctx->libctx, 0)) { -+ ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_DIGEST); -+ return -1; -+ } -+ } -+ - if (fallback) - return EVP_PKEY_CTX_ctrl(ctx, -1, op, ctrl, 0, (void 
*)(md)); - -diff --git a/doc/man5/config.pod b/doc/man5/config.pod -index 8d312c6..979683e 100644 ---- a/doc/man5/config.pod -+++ b/doc/man5/config.pod -@@ -296,6 +296,19 @@ Within the algorithm properties section, the following names have meaning: - The value may be anything that is acceptable as a property query - string for EVP_set_default_properties(). - -+=item B -+ -+The value is a boolean that can be B or B. If the value is not set, -+it behaves as if it was set to B. -+ -+When set to B, any attempt to create or verify a signature with a SHA1 -+digest will fail. To test whether your software will work with future versions -+of OpenSSL, set this option to B. This setting also affects TLS, where -+signature algorithms that use SHA1 as digest will no longer be supported if -+this option is set to B. Because TLS 1.1 or lower use MD5-SHA1 as -+pseudorandom function (PRF) to derive key material, disabling -+B requires the use of TLS 1.2 or newer. -+ - =item B (deprecated) - - The value is a boolean that can be B or B. 
If the value is -diff --git a/include/crypto/context.h b/include/crypto/context.h -index cc06c71..e9f74a4 100644 ---- a/include/crypto/context.h -+++ b/include/crypto/context.h -@@ -39,3 +39,6 @@ void ossl_rand_crng_ctx_free(void *); - void ossl_thread_event_ctx_free(void *); - void ossl_fips_prov_ossl_ctx_free(void *); - void ossl_release_default_drbg_ctx(void); -+ -+void *ossl_ctx_legacy_digest_signatures_new(OSSL_LIB_CTX *); -+void ossl_ctx_legacy_digest_signatures_free(void *); -diff --git a/include/internal/cryptlib.h b/include/internal/cryptlib.h -index ac50eb3..3b115cc 100644 ---- a/include/internal/cryptlib.h -+++ b/include/internal/cryptlib.h -@@ -168,7 +168,8 @@ typedef struct ossl_ex_data_global_st { - # define OSSL_LIB_CTX_PROVIDER_CONF_INDEX 16 - # define OSSL_LIB_CTX_BIO_CORE_INDEX 17 - # define OSSL_LIB_CTX_CHILD_PROVIDER_INDEX 18 --# define OSSL_LIB_CTX_MAX_INDEXES 19 -+# define OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES_INDEX 19 -+# define OSSL_LIB_CTX_MAX_INDEXES 20 - - OSSL_LIB_CTX *ossl_lib_ctx_get_concrete(OSSL_LIB_CTX *ctx); - int ossl_lib_ctx_is_default(OSSL_LIB_CTX *ctx); -diff --git a/include/internal/sslconf.h b/include/internal/sslconf.h -index fd7f7e3..05464b0 100644 ---- a/include/internal/sslconf.h -+++ b/include/internal/sslconf.h -@@ -18,4 +18,8 @@ int conf_ssl_name_find(const char *name, size_t *idx); - void conf_ssl_get_cmd(const SSL_CONF_CMD *cmd, size_t idx, char **cmdstr, - char **arg); - -+/* Methods to support disabling all signatures with legacy digests */ -+int ossl_ctx_legacy_digest_signatures_allowed(OSSL_LIB_CTX *libctx, int loadconfig); -+int ossl_ctx_legacy_digest_signatures_allowed_set(OSSL_LIB_CTX *libctx, int allow, -+ int loadconfig); - #endif -diff --git a/providers/common/securitycheck.c b/providers/common/securitycheck.c -index 0d3acdb..fe694c4 100644 ---- a/providers/common/securitycheck.c -+++ b/providers/common/securitycheck.c -@@ -19,6 +19,7 @@ - #include - #include - #include "prov/securitycheck.h" -+#include 
"internal/sslconf.h" - - /* - * FIPS requires a minimum security strength of 112 bits (for encryption or -@@ -243,6 +244,15 @@ int ossl_digest_get_approved_nid_with_sha1(OSSL_LIB_CTX *ctx, const EVP_MD *md, - mdnid = -1; /* disallowed by security checks */ - } - # endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */ -+ -+#ifndef FIPS_MODULE -+ if (!ossl_ctx_legacy_digest_signatures_allowed(ctx, 0)) -+ /* SHA1 is globally disabled, check whether we want to locally allow -+ * it. */ -+ if (mdnid == NID_sha1 && !sha1_allowed) -+ mdnid = -1; -+#endif -+ - return mdnid; - } - -@@ -252,5 +262,15 @@ int ossl_digest_is_allowed(OSSL_LIB_CTX *ctx, const EVP_MD *md) - if (ossl_securitycheck_enabled(ctx)) - return ossl_digest_get_approved_nid(md) != NID_undef; - # endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */ -+ -+#ifndef FIPS_MODULE -+ { -+ int mdnid = EVP_MD_nid(md); -+ if ((mdnid == NID_sha1 || mdnid == NID_md5_sha1) -+ && !ossl_ctx_legacy_digest_signatures_allowed(ctx, 0)) -+ return 0; -+ } -+#endif -+ - return 1; - } -diff --git a/providers/common/securitycheck_default.c b/providers/common/securitycheck_default.c -index 2463234..2ca7a59 100644 ---- a/providers/common/securitycheck_default.c -+++ b/providers/common/securitycheck_default.c -@@ -15,6 +15,7 @@ - #include - #include "prov/securitycheck.h" - #include "internal/nelem.h" -+#include "internal/sslconf.h" - - /* Disable the security checks in the default provider */ - int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx) -@@ -29,9 +30,10 @@ int ossl_tls1_prf_ems_check_enabled(OSSL_LIB_CTX *libctx) - } - - int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX *ctx, const EVP_MD *md, -- ossl_unused int sha1_allowed) -+ int sha1_allowed) - { - int mdnid; -+ int ldsigs_allowed; - - static const OSSL_ITEM name_to_nid[] = { - { NID_md5, OSSL_DIGEST_NAME_MD5 }, -@@ -42,8 +44,11 @@ int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX *ctx, const EVP_MD *md, - { NID_ripemd160, OSSL_DIGEST_NAME_RIPEMD160 }, - }; - -- mdnid = 
ossl_digest_get_approved_nid_with_sha1(ctx, md, 1); -+ ldsigs_allowed = ossl_ctx_legacy_digest_signatures_allowed(ctx, 0); -+ mdnid = ossl_digest_get_approved_nid_with_sha1(ctx, md, sha1_allowed || ldsigs_allowed); - if (mdnid == NID_undef) - mdnid = ossl_digest_md_to_nid(md, name_to_nid, OSSL_NELEM(name_to_nid)); -+ if (mdnid == NID_md5_sha1 && !ldsigs_allowed) -+ mdnid = -1; - return mdnid; - } -diff --git a/providers/implementations/signature/dsa_sig.c b/providers/implementations/signature/dsa_sig.c -index 70d0ea5..3c482e0 100644 ---- a/providers/implementations/signature/dsa_sig.c -+++ b/providers/implementations/signature/dsa_sig.c -@@ -123,12 +123,17 @@ static int dsa_setup_md(PROV_DSA_CTX *ctx, - mdprops = ctx->propq; - - if (mdname != NULL) { -- int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN); - WPACKET pkt; - EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops); -- int md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md, -- sha1_allowed); -+ int md_nid; - size_t mdname_len = strlen(mdname); -+#ifdef FIPS_MODULE -+ int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN); -+#else -+ int sha1_allowed = 0; -+#endif -+ md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md, -+ sha1_allowed); - - if (md == NULL || md_nid < 0) { - if (md == NULL) -diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c -index 865d49d..99b228e 100644 ---- a/providers/implementations/signature/ecdsa_sig.c -+++ b/providers/implementations/signature/ecdsa_sig.c -@@ -237,7 +237,11 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx, const char *mdname, - "%s could not be fetched", mdname); - return 0; - } -+#ifdef FIPS_MODULE - sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN); -+#else -+ sha1_allowed = 0; -+#endif - md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md, - sha1_allowed); - if (md_nid < 0) { -diff --git a/providers/implementations/signature/rsa_sig.c 
b/providers/implementations/signature/rsa_sig.c -index cd5de6b..25a51df 100644 ---- a/providers/implementations/signature/rsa_sig.c -+++ b/providers/implementations/signature/rsa_sig.c -@@ -25,6 +25,7 @@ - #include "internal/cryptlib.h" - #include "internal/nelem.h" - #include "internal/sizes.h" -+#include "internal/sslconf.h" - #include "crypto/rsa.h" - #include "prov/providercommon.h" - #include "prov/implementations.h" -@@ -33,6 +34,7 @@ - #include "prov/securitycheck.h" - - #define RSA_DEFAULT_DIGEST_NAME OSSL_DIGEST_NAME_SHA1 -+#define RSA_DEFAULT_DIGEST_NAME_NONLEGACY OSSL_DIGEST_NAME_SHA2_256 - - static OSSL_FUNC_signature_newctx_fn rsa_newctx; - static OSSL_FUNC_signature_sign_init_fn rsa_sign_init; -@@ -302,10 +304,15 @@ static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname, - - if (mdname != NULL) { - EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops); -+ int md_nid; -+ size_t mdname_len = strlen(mdname); -+#ifdef FIPS_MODULE - int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN); -- int md_nid = ossl_digest_rsa_sign_get_md_nid(ctx->libctx, md, -+#else -+ int sha1_allowed = 0; -+#endif -+ md_nid = ossl_digest_rsa_sign_get_md_nid(ctx->libctx, md, - sha1_allowed); -- size_t mdname_len = strlen(mdname); - - if (md == NULL - || md_nid <= 0 -@@ -1370,8 +1377,15 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[]) - prsactx->pad_mode = pad_mode; - - if (prsactx->md == NULL && pmdname == NULL -- && pad_mode == RSA_PKCS1_PSS_PADDING) -+ && pad_mode == RSA_PKCS1_PSS_PADDING) { - pmdname = RSA_DEFAULT_DIGEST_NAME; -+#ifndef FIPS_MODULE -+ if (!ossl_ctx_legacy_digest_signatures_allowed(prsactx->libctx, 0)) { -+ pmdname = RSA_DEFAULT_DIGEST_NAME_NONLEGACY; -+ } -+#endif -+ } -+ - - if (pmgf1mdname != NULL - && !rsa_setup_mgf1_md(prsactx, pmgf1mdname, pmgf1mdprops)) -diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c -index 8be00a4..5811606 100644 ---- a/ssl/t1_lib.c -+++ b/ssl/t1_lib.c -@@ -20,6 +20,7 @@ - #include - #include - #include 
-+#include "internal/sslconf.h" - #include "internal/nelem.h" - #include "internal/sizes.h" - #include "internal/tlsgroups.h" -@@ -1172,11 +1173,13 @@ int ssl_setup_sig_algs(SSL_CTX *ctx) - = OPENSSL_malloc(sizeof(*lu) * OSSL_NELEM(sigalg_lookup_tbl)); - EVP_PKEY *tmpkey = EVP_PKEY_new(); - int ret = 0; -+ int ldsigs_allowed; - - if (cache == NULL || tmpkey == NULL) - goto err; - - ERR_set_mark(); -+ ldsigs_allowed = ossl_ctx_legacy_digest_signatures_allowed(ctx->libctx, 0); - for (i = 0, lu = sigalg_lookup_tbl; - i < OSSL_NELEM(sigalg_lookup_tbl); lu++, i++) { - EVP_PKEY_CTX *pctx; -@@ -1196,6 +1199,11 @@ int ssl_setup_sig_algs(SSL_CTX *ctx) - cache[i].enabled = 0; - continue; - } -+ if ((lu->hash == NID_sha1 || lu->hash == NID_md5_sha1) -+ && !ldsigs_allowed) { -+ cache[i].enabled = 0; -+ continue; -+ } - - if (!EVP_PKEY_set_type(tmpkey, lu->sig)) { - cache[i].enabled = 0; -diff --git a/util/libcrypto.num b/util/libcrypto.num -index 406392a..430aeb7 100644 ---- a/util/libcrypto.num -+++ b/util/libcrypto.num -@@ -5435,3 +5435,5 @@ EVP_MD_CTX_dup 5562 3_1_0 EXIST::FUNCTION: - EVP_CIPHER_CTX_dup 5563 3_1_0 EXIST::FUNCTION: - BN_are_coprime 5564 3_1_0 EXIST::FUNCTION: - OSSL_CMP_MSG_update_recipNonce 5565 3_0_9 EXIST::FUNCTION:CMP -+ossl_ctx_legacy_digest_signatures_allowed ? 3_0_1 EXIST::FUNCTION: -+ossl_ctx_legacy_digest_signatures_allowed_set ? 3_0_1 EXIST::FUNCTION: --- -2.45.4 - diff --git a/SPECS-EXTENDED/openssl-fips-provider/0052-Allow-SHA1-in-seclevel-1-if-rh-allow-sha1-signatures-3.1.4-fedora.patch b/SPECS-EXTENDED/openssl-fips-provider/0052-Allow-SHA1-in-seclevel-1-if-rh-allow-sha1-signatures-3.1.4-fedora.patch deleted file mode 100644 index 256cdc88b2f..00000000000 --- a/SPECS-EXTENDED/openssl-fips-provider/0052-Allow-SHA1-in-seclevel-1-if-rh-allow-sha1-signatures-3.1.4-fedora.patch +++ /dev/null 
@@ -1,221 +0,0 @@ -From f470b130139919f32926b3f5a75ba4d161cbcf88 Mon Sep 17 00:00:00 2001 -From: Clemens Lang -Date: Tue, 1 Mar 2022 15:44:18 +0100 -Subject: [PATCH 2/2] Allow SHA1 in seclevel 1 if rh-allow-sha1-signatures = - yes - -NOTE: This patch is ported from CentOS 9 / RHEL 9, where it allows SHA1 -in seclevel 2 if rh-allow-sha1-signatures = yes. This was chosen because -on CentOS 9 and RHEL 9, the LEGACY crypto policy sets the security level -to 2. - -On Fedora 35 (with OpenSSL 1.1) the legacy crypto policy uses security -level 1. Because Fedora 36 supports both OpenSSL 1.1 and OpenSSL 3, and -we want the legacy crypto policy to allow SHA-1 in TLS, the only option -to make this happen consistently in both OpenSSL 1.1 and OpenSSL 3 is -SECLEVEL=1 (which will allow SHA-1 in OpenSSL 1.1) and this change to -allow SHA-1 in SECLEVEL=1 with rh-allow-sha1-signatures = yes (which -will allow SHA-1 in OpenSSL 3). - -The change from CentOS 9 / RHEL 9 cannot be applied unmodified, because -rh-allow-sha1-signatures will default to yes in Fedora (according to our -current plans including until F38), and the security level in the -DEFAULT crypto policy is 2, i.e., the unmodified change would weaken the -default configuration. 
- -Related: rhbz#2055796 -Related: rhbz#2070977 ---- - crypto/x509/x509_vfy.c | 20 ++++++++++- - doc/man5/config.pod | 7 ++++ - ssl/t1_lib.c | 67 ++++++++++++++++++++++++++++------- - test/recipes/25-test_verify.t | 4 +-- - 4 files changed, 82 insertions(+), 16 deletions(-) - -diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c -index 2f175ca517..bf0c608839 100644 ---- a/crypto/x509/x509_vfy.c -+++ b/crypto/x509/x509_vfy.c -@@ -25,6 +25,7 @@ - #include - #include - #include "internal/dane.h" -+#include "internal/sslconf.h" - #include "crypto/x509.h" - #include "x509_local.h" - -@@ -3441,14 +3442,31 @@ static int check_sig_level(X509_STORE_CTX *ctx, X509 *cert) - { - int secbits = -1; - int level = ctx->param->auth_level; -+ int nid; -+ OSSL_LIB_CTX *libctx = NULL; - - if (level <= 0) - return 1; - if (level > NUM_AUTH_LEVELS) - level = NUM_AUTH_LEVELS; - -- if (!X509_get_signature_info(cert, NULL, NULL, &secbits, NULL)) -+ if (ctx->libctx) -+ libctx = ctx->libctx; -+ else if (cert->libctx) -+ libctx = cert->libctx; -+ else -+ libctx = OSSL_LIB_CTX_get0_global_default(); -+ -+ if (!X509_get_signature_info(cert, &nid, NULL, &secbits, NULL)) - return 0; - -+ if ((nid == NID_sha1 || nid == NID_md5_sha1) -+ && ossl_ctx_legacy_digest_signatures_allowed(libctx, 0) -+ && ctx->param->auth_level < 2) -+ /* When rh-allow-sha1-signatures = yes and security level <= 1, -+ * explicitly allow SHA1 for backwards compatibility. Also allow -+ * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */ -+ return 1; -+ - return secbits >= minbits_table[level - 1]; - } -diff --git a/doc/man5/config.pod b/doc/man5/config.pod -index 0c9110d28a..e0516d20b8 100644 ---- a/doc/man5/config.pod -+++ b/doc/man5/config.pod -@@ -309,6 +309,13 @@ this option is set to B. Because TLS 1.1 or lower use MD5-SHA1 as - pseudorandom function (PRF) to derive key material, disabling - B requires the use of TLS 1.2 or newer. 
- -+Note that enabling B will allow TLS signature -+algorithms that use SHA1 in security level 1, despite the definition of -+security level 1 of 80 bits of security, which SHA1 and MD5-SHA1 do not meet. -+This allows using SHA1 and MD5-SHA1 in TLS in the LEGACY crypto-policy on -+Fedora without requiring to set the security level to 0, which would include -+further insecure algorithms, and thus restores support for TLS 1.0 and 1.1. -+ - =item B (deprecated) - - The value is a boolean that can be B or B. If the value is -diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c -index dcd487ec2e..0b50266b69 100644 ---- a/ssl/t1_lib.c -+++ b/ssl/t1_lib.c -@@ -20,6 +20,7 @@ - #include - #include - #include -+#include "crypto/x509.h" - #include "internal/sslconf.h" - #include "internal/nelem.h" - #include "internal/sizes.h" -@@ -1561,19 +1562,28 @@ int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey) - SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_UNKNOWN_DIGEST); - return 0; - } -- /* -- * Make sure security callback allows algorithm. For historical -- * reasons we have to pass the sigalg as a two byte char array. -- */ -- sigalgstr[0] = (sig >> 8) & 0xff; -- sigalgstr[1] = sig & 0xff; -- secbits = sigalg_security_bits(s->ctx, lu); -- if (secbits == 0 || -- !ssl_security(s, SSL_SECOP_SIGALG_CHECK, secbits, -- md != NULL ? EVP_MD_get_type(md) : NID_undef, -- (void *)sigalgstr)) { -- SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE); -- return 0; -+ -+ if ((lu->hash == NID_sha1 || lu->hash == NID_md5_sha1) -+ && ossl_ctx_legacy_digest_signatures_allowed(s->ctx->libctx, 0) -+ && SSL_get_security_level(s) < 2) { -+ /* When rh-allow-sha1-signatures = yes and security level <= 1, -+ * explicitly allow SHA1 for backwards compatibility. Also allow -+ * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */ -+ } else { -+ /* -+ * Make sure security callback allows algorithm. For historical -+ * reasons we have to pass the sigalg as a two byte char array. 
-+ */ -+ sigalgstr[0] = (sig >> 8) & 0xff; -+ sigalgstr[1] = sig & 0xff; -+ secbits = sigalg_security_bits(s->ctx, lu); -+ if (secbits == 0 || -+ !ssl_security(s, SSL_SECOP_SIGALG_CHECK, secbits, -+ md != NULL ? EVP_MD_get_type(md) : NID_undef, -+ (void *)sigalgstr)) { -+ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE); -+ return 0; -+ } - } - /* Store the sigalg the peer uses */ - s->s3.tmp.peer_sigalg = lu; -@@ -2106,6 +2116,15 @@ static int tls12_sigalg_allowed(const SSL *s, int op, const SIGALG_LOOKUP *lu) - } - } - -+ if ((lu->hash == NID_sha1 || lu->hash == NID_md5_sha1) -+ && ossl_ctx_legacy_digest_signatures_allowed(s->ctx->libctx, 0) -+ && SSL_get_security_level(s) < 2) { -+ /* When rh-allow-sha1-signatures = yes and security level <= 1, -+ * explicitly allow SHA1 for backwards compatibility. Also allow -+ * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */ -+ return 1; -+ } -+ - /* Finally see if security callback allows it */ - secbits = sigalg_security_bits(s->ctx, lu); - sigalgstr[0] = (lu->sigalg >> 8) & 0xff; -@@ -2977,6 +2996,8 @@ static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op) - { - /* Lookup signature algorithm digest */ - int secbits, nid, pknid; -+ OSSL_LIB_CTX *libctx = NULL; -+ - /* Don't check signature if self signed */ - if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0) - return 1; -@@ -2985,6 +3006,26 @@ static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op) - /* If digest NID not defined use signature NID */ - if (nid == NID_undef) - nid = pknid; -+ -+ if (x && x->libctx) -+ libctx = x->libctx; -+ else if (ctx && ctx->libctx) -+ libctx = ctx->libctx; -+ else if (s && s->ctx && s->ctx->libctx) -+ libctx = s->ctx->libctx; -+ else -+ libctx = OSSL_LIB_CTX_get0_global_default(); -+ -+ if ((nid == NID_sha1 || nid == NID_md5_sha1) -+ && ossl_ctx_legacy_digest_signatures_allowed(libctx, 0) -+ && ((s != NULL && SSL_get_security_level(s) < 2) -+ || (ctx != NULL && 
SSL_CTX_get_security_level(ctx) < 2) -+ )) -+ /* When rh-allow-sha1-signatures = yes and security level <= 1, -+ * explicitly allow SHA1 for backwards compatibility. Also allow -+ * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */ -+ return 1; -+ - if (s) - return ssl_security(s, op, secbits, nid, x); - else -diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t -index 700bbd849c..280477bc9d 100644 ---- a/test/recipes/25-test_verify.t -+++ b/test/recipes/25-test_verify.t -@@ -387,8 +387,8 @@ ok(verify("ee-pss-sha1-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "0" - ok(verify("ee-pss-sha256-cert", "", ["root-cert"], ["ca-cert"], ), - "CA with PSS signature using SHA256"); - --ok(!verify("ee-pss-sha1-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "1"), -- "Reject PSS signature using SHA1 and auth level 1"); -+ok(!verify("ee-pss-sha1-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "2"), -+ "Reject PSS signature using SHA1 and auth level 2"); - - ok(verify("ee-pss-sha256-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "2"), - "PSS signature using SHA256 and auth level 2"); --- -2.35.1 - diff --git a/SPECS-EXTENDED/openssl-fips-provider/0079-RSA-PKCS15-implicit-rejection.patch b/SPECS-EXTENDED/openssl-fips-provider/0079-RSA-PKCS15-implicit-rejection.patch deleted file mode 100644 index fcdf7c196ec..00000000000 --- a/SPECS-EXTENDED/openssl-fips-provider/0079-RSA-PKCS15-implicit-rejection.patch +++ /dev/null 
@@ -1,1388 +0,0 @@ -From a4ca1cac6b38efe0de1d8afb506cea29f8c60aec Mon Sep 17 00:00:00 2001 -From: rpm-build -Date: Thu, 19 Oct 2023 13:12:41 +0200 -Subject: [PATCH 34/46] 0079-RSA-PKCS15-implicit-rejection.patch - -Patch-name: 0079-RSA-PKCS15-implicit-rejection.patch -Patch-id: 79 -Patch-status: | - # # https://github.com/openssl/openssl/pull/13817 -From-dist-git-commit: 5c67b5adc311af297f425c09e3e1ac7ca8483911 ---- - crypto/cms/cms_env.c | 7 + - crypto/evp/ctrl_params_translate.c | 6 + - crypto/pkcs7/pk7_doit.c | 7 + - crypto/rsa/rsa_ossl.c | 101 +++- - crypto/rsa/rsa_pk1.c | 252 ++++++++++ - crypto/rsa/rsa_pmeth.c | 20 +- - doc/man1/openssl-pkeyutl.pod.in | 15 + - doc/man1/openssl-rsautl.pod.in | 5 + - doc/man3/EVP_PKEY_CTX_ctrl.pod | 9 + - doc/man3/EVP_PKEY_decrypt.pod | 12 + - doc/man3/RSA_padding_add_PKCS1_type_1.pod | 7 +- - doc/man3/RSA_public_encrypt.pod | 11 +- - doc/man7/provider-asym_cipher.pod | 9 + - include/crypto/rsa.h | 4 + - include/openssl/core_names.h | 2 + - include/openssl/rsa.h | 5 + - .../implementations/asymciphers/rsa_enc.c | 26 +- - .../30-test_evp_data/evppkey_rsa_common.txt | 472 ++++++++++++++++++ - 18 files changed, 962 insertions(+), 8 deletions(-) - -diff --git a/crypto/cms/cms_env.c b/crypto/cms/cms_env.c -index 99cf1dcb39..730f638969 100644 ---- a/crypto/cms/cms_env.c -+++ b/crypto/cms/cms_env.c -@@ -590,6 +590,13 @@ static int cms_RecipientInfo_ktri_decrypt(CMS_ContentInfo *cms, - if (!ossl_cms_env_asn1_ctrl(ri, 1)) - goto err; - -+ if (EVP_PKEY_is_a(pkey, "RSA")) -+ /* upper layer CMS code incorrectly assumes that a successful RSA -+ * decryption means that the key matches ciphertext (which never -+ * was the case, implicit rejection or not), so to make it work -+ * disable implicit rejection for RSA keys */ -+ EVP_PKEY_CTX_ctrl_str(ktri->pctx, "rsa_pkcs1_implicit_rejection", "0"); -+ - if (EVP_PKEY_decrypt(ktri->pctx, NULL, &eklen, - ktri->encryptedKey->data, - ktri->encryptedKey->length) <= 0) -diff --git 
a/crypto/evp/ctrl_params_translate.c b/crypto/evp/ctrl_params_translate.c -index 80947b0932..b10ba41e85 100644 ---- a/crypto/evp/ctrl_params_translate.c -+++ b/crypto/evp/ctrl_params_translate.c -@@ -2265,6 +2265,12 @@ static const struct translation_st evp_pkey_ctx_translations[] = { - EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL, NULL, NULL, - OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL, OSSL_PARAM_OCTET_PTR, NULL }, - -+ { SET, EVP_PKEY_RSA, 0, EVP_PKEY_OP_TYPE_CRYPT, -+ EVP_PKEY_CTRL_RSA_IMPLICIT_REJECTION, NULL, -+ "rsa_pkcs1_implicit_rejection", -+ OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION, OSSL_PARAM_UNSIGNED_INTEGER, -+ NULL }, -+ - { SET, EVP_PKEY_RSA_PSS, 0, EVP_PKEY_OP_TYPE_GEN, - EVP_PKEY_CTRL_MD, "rsa_pss_keygen_md", NULL, - OSSL_ALG_PARAM_DIGEST, OSSL_PARAM_UTF8_STRING, fix_md }, -diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c -index 1cef67b211..e0094486dd 100644 ---- a/crypto/pkcs7/pk7_doit.c -+++ b/crypto/pkcs7/pk7_doit.c -@@ -170,6 +170,13 @@ static int pkcs7_decrypt_rinfo(unsigned char **pek, int *peklen, - if (EVP_PKEY_decrypt_init(pctx) <= 0) - goto err; - -+ if (EVP_PKEY_is_a(pkey, "RSA")) -+ /* upper layer pkcs7 code incorrectly assumes that a successful RSA -+ * decryption means that the key matches ciphertext (which never -+ * was the case, implicit rejection or not), so to make it work -+ * disable implicit rejection for RSA keys */ -+ EVP_PKEY_CTX_ctrl_str(pctx, "rsa_pkcs1_implicit_rejection", "0"); -+ - if (EVP_PKEY_decrypt(pctx, NULL, &eklen, - ri->enc_key->data, ri->enc_key->length) <= 0) - goto err; -diff --git a/crypto/rsa/rsa_ossl.c b/crypto/rsa/rsa_ossl.c -index 0fc642e777..e5591cb14a 100644 ---- a/crypto/rsa/rsa_ossl.c -+++ b/crypto/rsa/rsa_ossl.c -@@ -17,6 +17,9 @@ - #include "crypto/bn.h" - #include "rsa_local.h" - #include "internal/constant_time.h" -+#include -+#include -+#include - - static int rsa_ossl_public_encrypt(int flen, const unsigned char *from, - unsigned char *to, RSA *rsa, int padding); -@@ -377,8 +380,13 @@ static int 
rsa_ossl_private_decrypt(int flen, const unsigned char *from, - BIGNUM *f, *ret; - int j, num = 0, r = -1; - unsigned char *buf = NULL; -+ unsigned char d_hash[SHA256_DIGEST_LENGTH] = {0}; -+ HMAC_CTX *hmac = NULL; -+ unsigned int md_len = SHA256_DIGEST_LENGTH; -+ unsigned char kdk[SHA256_DIGEST_LENGTH] = {0}; - BN_CTX *ctx = NULL; - int local_blinding = 0; -+ EVP_MD *md = NULL; - /* - * Used only if the blinding structure is shared. A non-NULL unblind - * instructs rsa_blinding_convert() and rsa_blinding_invert() to store -@@ -387,6 +395,12 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from, - BIGNUM *unblind = NULL; - BN_BLINDING *blinding = NULL; - -+ /* -+ * we need the value of the private exponent to perform implicit rejection -+ */ -+ if ((rsa->flags & RSA_FLAG_EXT_PKEY) && (padding == RSA_PKCS1_PADDING)) -+ padding = RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING; -+ - if ((ctx = BN_CTX_new_ex(rsa->libctx)) == NULL) - goto err; - BN_CTX_start(ctx); -@@ -408,6 +422,11 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from, - goto err; - } - -+ if (flen < 1) { -+ ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_SMALL); -+ goto err; -+ } -+ - /* make data into a big number */ - if (BN_bin2bn(from, (int)flen, f) == NULL) - goto err; -@@ -468,6 +487,81 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from, - BN_free(d); - } - -+ /* -+ * derive the Key Derivation Key from private exponent and public -+ * ciphertext -+ */ -+ if (padding == RSA_PKCS1_PADDING) { -+ /* -+ * because we use d as a handle to rsa->d we need to keep it local and -+ * free before any further use of rsa->d -+ */ -+ BIGNUM *d = BN_new(); -+ if (d == NULL) { -+ ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE); -+ goto err; -+ } -+ if (rsa->d == NULL) { -+ ERR_raise(ERR_LIB_RSA, RSA_R_MISSING_PRIVATE_KEY); -+ BN_free(d); -+ goto err; -+ } -+ BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); -+ if (BN_bn2binpad(d, buf, num) < 0) { -+ ERR_raise(ERR_LIB_RSA, 
ERR_R_INTERNAL_ERROR); -+ BN_free(d); -+ goto err; -+ } -+ BN_free(d); -+ -+ /* -+ * we use hardcoded hash so that migrating between versions that use -+ * different hash doesn't provide a Bleichenbacher oracle: -+ * if the attacker can see that different versions return different -+ * messages for the same ciphertext, they'll know that the message is -+ * syntethically generated, which means that the padding check failed -+ */ -+ md = EVP_MD_fetch(rsa->libctx, "sha256", NULL); -+ if (md == NULL) { -+ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); -+ goto err; -+ } -+ -+ if (EVP_Digest(buf, num, d_hash, NULL, md, NULL) <= 0) { -+ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); -+ goto err; -+ } -+ -+ hmac = HMAC_CTX_new(); -+ if (hmac == NULL) { -+ ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE); -+ goto err; -+ } -+ -+ if (HMAC_Init_ex(hmac, d_hash, sizeof(d_hash), md, NULL) <= 0) { -+ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); -+ goto err; -+ } -+ -+ if (flen < num) { -+ memset(buf, 0, num - flen); -+ if (HMAC_Update(hmac, buf, num - flen) <= 0) { -+ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); -+ goto err; -+ } -+ } -+ if (HMAC_Update(hmac, from, flen) <= 0) { -+ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); -+ goto err; -+ } -+ -+ md_len = SHA256_DIGEST_LENGTH; -+ if (HMAC_Final(hmac, kdk, &md_len) <= 0) { -+ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); -+ goto err; -+ } -+ } -+ - if (blinding) - if (!rsa_blinding_invert(blinding, ret, unblind, ctx)) - goto err; -@@ -477,9 +571,12 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from, - goto err; - - switch (padding) { -- case RSA_PKCS1_PADDING: -+ case RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING: - r = RSA_padding_check_PKCS1_type_2(to, num, buf, j, num); - break; -+ case RSA_PKCS1_PADDING: -+ r = ossl_rsa_padding_check_PKCS1_type_2(rsa->libctx, to, num, buf, j, num, kdk); -+ break; - case RSA_PKCS1_OAEP_PADDING: - r = RSA_padding_check_PKCS1_OAEP(to, num, buf, j, num, NULL, 0); - break; -@@ 
-501,6 +598,8 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from, - #endif - - err: -+ HMAC_CTX_free(hmac); -+ EVP_MD_free(md); - BN_CTX_end(ctx); - BN_CTX_free(ctx); - OPENSSL_clear_free(buf, num); -diff --git a/crypto/rsa/rsa_pk1.c b/crypto/rsa/rsa_pk1.c -index 51507fc030..5cd2b26879 100644 ---- a/crypto/rsa/rsa_pk1.c -+++ b/crypto/rsa/rsa_pk1.c -@@ -21,10 +21,14 @@ - #include - /* Just for the SSL_MAX_MASTER_KEY_LENGTH value */ - #include -+#include -+#include -+#include - #include "internal/cryptlib.h" - #include "crypto/rsa.h" - #include "rsa_local.h" - -+ - int RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen, - const unsigned char *from, int flen) - { -@@ -273,6 +277,254 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen, - return constant_time_select_int(good, mlen, -1); - } - -+ -+static int ossl_rsa_prf(OSSL_LIB_CTX *ctx, -+ unsigned char *to, int tlen, -+ const char *label, int llen, -+ const unsigned char *kdk, -+ uint16_t bitlen) -+{ -+ int pos; -+ int ret = -1; -+ uint16_t iter = 0; -+ unsigned char be_iter[sizeof(iter)]; -+ unsigned char be_bitlen[sizeof(bitlen)]; -+ HMAC_CTX *hmac = NULL; -+ EVP_MD *md = NULL; -+ unsigned char hmac_out[SHA256_DIGEST_LENGTH]; -+ unsigned int md_len; -+ -+ if (tlen * 8 != bitlen) { -+ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); -+ return ret; -+ } -+ -+ be_bitlen[0] = (bitlen >> 8) & 0xff; -+ be_bitlen[1] = bitlen & 0xff; -+ -+ hmac = HMAC_CTX_new(); -+ if (hmac == NULL) { -+ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); -+ goto err; -+ } -+ -+ /* -+ * we use hardcoded hash so that migrating between versions that use -+ * different hash doesn't provide a Bleichenbacher oracle: -+ * if the attacker can see that different versions return different -+ * messages for the same ciphertext, they'll know that the message is -+ * syntethically generated, which means that the padding check failed -+ */ -+ md = EVP_MD_fetch(ctx, "sha256", NULL); -+ if (md == NULL) { -+ 
ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); -+ goto err; -+ } -+ -+ if (HMAC_Init_ex(hmac, kdk, SHA256_DIGEST_LENGTH, md, NULL) <= 0) { -+ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); -+ goto err; -+ } -+ -+ for (pos = 0; pos < tlen; pos += SHA256_DIGEST_LENGTH, iter++) { -+ if (HMAC_Init_ex(hmac, NULL, 0, NULL, NULL) <= 0) { -+ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); -+ goto err; -+ } -+ -+ be_iter[0] = (iter >> 8) & 0xff; -+ be_iter[1] = iter & 0xff; -+ -+ if (HMAC_Update(hmac, be_iter, sizeof(be_iter)) <= 0) { -+ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); -+ goto err; -+ } -+ if (HMAC_Update(hmac, (unsigned char *)label, llen) <= 0) { -+ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); -+ goto err; -+ } -+ if (HMAC_Update(hmac, be_bitlen, sizeof(be_bitlen)) <= 0) { -+ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); -+ goto err; -+ } -+ -+ /* -+ * HMAC_Final requires the output buffer to fit the whole MAC -+ * value, so we need to use the intermediate buffer for the last -+ * unaligned block -+ */ -+ md_len = SHA256_DIGEST_LENGTH; -+ if (pos + SHA256_DIGEST_LENGTH > tlen) { -+ if (HMAC_Final(hmac, hmac_out, &md_len) <= 0) { -+ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); -+ goto err; -+ } -+ memcpy(to + pos, hmac_out, tlen - pos); -+ } else { -+ if (HMAC_Final(hmac, to + pos, &md_len) <= 0) { -+ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); -+ goto err; -+ } -+ } -+ } -+ -+ ret = 0; -+ -+err: -+ HMAC_CTX_free(hmac); -+ EVP_MD_free(md); -+ return ret; -+} -+ -+/* -+ * ossl_rsa_padding_check_PKCS1_type_2() checks and removes the PKCS#1 type 2 -+ * padding from a decrypted RSA message. Unlike the -+ * RSA_padding_check_PKCS1_type_2() it will not return an error in case it -+ * detects a padding error, rather it will return a deterministically generated -+ * random message. In other words it will perform an implicit rejection -+ * of an invalid padding. 
This means that the returned value does not indicate -+ * if the padding of the encrypted message was correct or not, making -+ * side channel attacks like the ones described by Bleichenbacher impossible -+ * without access to the full decrypted value and a brute-force search of -+ * remaining padding bytes -+ */ -+int ossl_rsa_padding_check_PKCS1_type_2(OSSL_LIB_CTX *ctx, -+ unsigned char *to, int tlen, -+ const unsigned char *from, int flen, -+ int num, unsigned char *kdk) -+{ -+/* -+ * We need to generate a random length for the synthethic message, to avoid -+ * bias towards zero and avoid non-constant timeness of DIV, we prepare -+ * 128 values to check if they are not too large for the used key size, -+ * and use 0 in case none of them are small enough, as 2^-128 is a good enough -+ * safety margin -+ */ -+#define MAX_LEN_GEN_TRIES 128 -+ unsigned char *synthetic = NULL; -+ int synthethic_length; -+ uint16_t len_candidate; -+ unsigned char candidate_lengths[MAX_LEN_GEN_TRIES * sizeof(len_candidate)]; -+ uint16_t len_mask; -+ uint16_t max_sep_offset; -+ int synth_msg_index = 0; -+ int ret = -1; -+ int i, j; -+ unsigned int good, found_zero_byte; -+ int zero_index = 0, msg_index; -+ -+ /* -+ * If these checks fail then either the message in publicly invalid, or -+ * we've been called incorrectly. We can fail immediately. 
-+ * Since this code is called only internally by openssl, those are just -+ * sanity checks -+ */ -+ if (num != flen || tlen <= 0 || flen <= 0) { -+ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); -+ return -1; -+ } -+ -+ /* Generate a random message to return in case the padding checks fail */ -+ synthetic = OPENSSL_malloc(flen); -+ if (synthetic == NULL) { -+ ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE); -+ return -1; -+ } -+ -+ if (ossl_rsa_prf(ctx, synthetic, flen, "message", 7, kdk, flen * 8) < 0) -+ goto err; -+ -+ /* decide how long the random message should be */ -+ if (ossl_rsa_prf(ctx, candidate_lengths, sizeof(candidate_lengths), -+ "length", 6, kdk, -+ MAX_LEN_GEN_TRIES * sizeof(len_candidate) * 8) < 0) -+ goto err; -+ -+ /* -+ * max message size is the size of the modulus size less 2 bytes for -+ * version and padding type and a minimum of 8 bytes padding -+ */ -+ len_mask = max_sep_offset = flen - 2 - 8; -+ /* -+ * we want a mask so lets propagate the high bit to all positions less -+ * significant than it -+ */ -+ len_mask |= len_mask >> 1; -+ len_mask |= len_mask >> 2; -+ len_mask |= len_mask >> 4; -+ len_mask |= len_mask >> 8; -+ -+ synthethic_length = 0; -+ for (i = 0; i < MAX_LEN_GEN_TRIES * (int)sizeof(len_candidate); -+ i += sizeof(len_candidate)) { -+ len_candidate = (candidate_lengths[i] << 8) | candidate_lengths[i + 1]; -+ len_candidate &= len_mask; -+ -+ synthethic_length = constant_time_select_int( -+ constant_time_lt(len_candidate, max_sep_offset), -+ len_candidate, synthethic_length); -+ } -+ -+ synth_msg_index = flen - synthethic_length; -+ -+ /* we have alternative message ready, check the real one */ -+ good = constant_time_is_zero(from[0]); -+ good &= constant_time_eq(from[1], 2); -+ -+ /* then look for the padding|message separator (the first zero byte) */ -+ found_zero_byte = 0; -+ for (i = 2; i < flen; i++) { -+ unsigned int equals0 = constant_time_is_zero(from[i]); -+ zero_index = constant_time_select_int(~found_zero_byte & 
equals0, -+ i, zero_index); -+ found_zero_byte |= equals0; -+ } -+ -+ /* -+ * padding must be at least 8 bytes long, and it starts two bytes into -+ * |from|. If we never found a 0-byte, then |zero_index| is 0 and the check -+ * also fails. -+ */ -+ good &= constant_time_ge(zero_index, 2 + 8); -+ -+ /* -+ * Skip the zero byte. This is incorrect if we never found a zero-byte -+ * but in this case we also do not copy the message out. -+ */ -+ msg_index = zero_index + 1; -+ -+ /* -+ * old code returned an error in case the decrypted message wouldn't fit -+ * into the |to|, since that would leak information, return the synthethic -+ * message instead -+ */ -+ good &= constant_time_ge(tlen, num - msg_index); -+ -+ msg_index = constant_time_select_int(good, msg_index, synth_msg_index); -+ -+ /* -+ * since at this point the |msg_index| does not provide the signal -+ * indicating if the padding check failed or not, we don't have to worry -+ * about leaking the length of returned message, we still need to ensure -+ * that we read contents of both buffers so that cache accesses don't leak -+ * the value of |good| -+ */ -+ for (i = msg_index, j = 0; i < flen && j < tlen; i++, j++) -+ to[j] = constant_time_select_8(good, from[i], synthetic[i]); -+ ret = j; -+ -+err: -+ /* -+ * the only time ret < 0 is when the ciphertext is publicly invalid -+ * or we were called with invalid parameters, so we don't have to perform -+ * a side-channel secure raising of the error -+ */ -+ if (ret < 0) -+ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); -+ OPENSSL_free(synthetic); -+ return ret; -+} -+ - /* - * ossl_rsa_padding_check_PKCS1_type_2_TLS() checks and removes the PKCS1 type 2 - * padding from a decrypted RSA message in a TLS signature. 
The result is stored -diff --git a/crypto/rsa/rsa_pmeth.c b/crypto/rsa/rsa_pmeth.c -index 0bf5ac098a..81b031f81b 100644 ---- a/crypto/rsa/rsa_pmeth.c -+++ b/crypto/rsa/rsa_pmeth.c -@@ -52,6 +52,8 @@ typedef struct { - /* OAEP label */ - unsigned char *oaep_label; - size_t oaep_labellen; -+ /* if to use implicit rejection in PKCS#1 v1.5 decryption */ -+ int implicit_rejection; - } RSA_PKEY_CTX; - - /* True if PSS parameters are restricted */ -@@ -72,6 +74,7 @@ static int pkey_rsa_init(EVP_PKEY_CTX *ctx) - /* Maximum for sign, auto for verify */ - rctx->saltlen = RSA_PSS_SALTLEN_AUTO; - rctx->min_saltlen = -1; -+ rctx->implicit_rejection = 1; - ctx->data = rctx; - ctx->keygen_info = rctx->gentmp; - ctx->keygen_info_count = 2; -@@ -97,6 +100,7 @@ static int pkey_rsa_copy(EVP_PKEY_CTX *dst, const EVP_PKEY_CTX *src) - dctx->md = sctx->md; - dctx->mgf1md = sctx->mgf1md; - dctx->saltlen = sctx->saltlen; -+ dctx->implicit_rejection = sctx->implicit_rejection; - if (sctx->oaep_label) { - OPENSSL_free(dctx->oaep_label); - dctx->oaep_label = OPENSSL_memdup(sctx->oaep_label, sctx->oaep_labellen); -@@ -347,6 +351,7 @@ static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx, - const unsigned char *in, size_t inlen) - { - int ret; -+ int pad_mode; - RSA_PKEY_CTX *rctx = ctx->data; - /* - * Discard const. 
Its marked as const because this may be a cached copy of -@@ -367,7 +372,12 @@ static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx, - rctx->oaep_labellen, - rctx->md, rctx->mgf1md); - } else { -- ret = RSA_private_decrypt(inlen, in, out, rsa, rctx->pad_mode); -+ if (rctx->pad_mode == RSA_PKCS1_PADDING && -+ rctx->implicit_rejection == 0) -+ pad_mode = RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING; -+ else -+ pad_mode = rctx->pad_mode; -+ ret = RSA_private_decrypt(inlen, in, out, rsa, pad_mode); - } - *outlen = constant_time_select_s(constant_time_msb_s(ret), *outlen, ret); - ret = constant_time_select_int(constant_time_msb(ret), ret, 1); -@@ -591,6 +601,14 @@ static int pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) - *(unsigned char **)p2 = rctx->oaep_label; - return rctx->oaep_labellen; - -+ case EVP_PKEY_CTRL_RSA_IMPLICIT_REJECTION: -+ if (rctx->pad_mode != RSA_PKCS1_PADDING) { -+ ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_PADDING_MODE); -+ return -2; -+ } -+ rctx->implicit_rejection = p1; -+ return 1; -+ - case EVP_PKEY_CTRL_DIGESTINIT: - case EVP_PKEY_CTRL_PKCS7_SIGN: - #ifndef OPENSSL_NO_CMS -diff --git a/doc/man1/openssl-pkeyutl.pod.in b/doc/man1/openssl-pkeyutl.pod.in -index b0054ead66..dd87829798 100644 ---- a/doc/man1/openssl-pkeyutl.pod.in -+++ b/doc/man1/openssl-pkeyutl.pod.in -@@ -240,6 +240,11 @@ signed or verified directly instead of using a B structure. If a - digest is set then the a B structure is used and its the length - must correspond to the digest type. - -+Note, for B padding, as a protection against Bleichenbacher attack, -+the decryption will not fail in case of padding check failures. Use B -+and manual inspection of the decrypted message to verify if the decrypted -+value has correct PKCS#1 v1.5 padding. -+ - For B mode only encryption and decryption is supported. - - For B if the digest type is set it is used to format the block data -@@ -267,6 +272,16 @@ explicitly set in PSS mode then the signing digest is used. 
- Sets the digest used for the OAEP hash function. If not explicitly set then - SHA1 is used. - -+=item BI -+ -+Disables (when set to 0) or enables (when set to 1) the use of implicit -+rejection with PKCS#1 v1.5 decryption. When enabled (the default), as a -+protection against Bleichenbacher attack, the library will generate a -+deterministic random plaintext that it will return to the caller in case -+of padding check failure. -+When disabled, it's the callers' responsibility to handle the returned -+errors in a side-channel free manner. -+ - =back - - =head1 RSA-PSS ALGORITHM -diff --git a/doc/man1/openssl-rsautl.pod.in b/doc/man1/openssl-rsautl.pod.in -index 0a32fd965b..4c462abc8c 100644 ---- a/doc/man1/openssl-rsautl.pod.in -+++ b/doc/man1/openssl-rsautl.pod.in -@@ -105,6 +105,11 @@ The padding to use: PKCS#1 v1.5 (the default), PKCS#1 OAEP, - ANSI X9.31, or no padding, respectively. - For signatures, only B<-pkcs> and B<-raw> can be used. - -+Note: because of protection against Bleichenbacher attacks, decryption -+using PKCS#1 v1.5 mode will not return errors in case padding check failed. -+Use B<-raw> and inspect the returned value manually to check if the -+padding is correct. -+ - =item B<-hexdump> - - Hex dump the output data. -diff --git a/doc/man3/EVP_PKEY_CTX_ctrl.pod b/doc/man3/EVP_PKEY_CTX_ctrl.pod -index 5596b8ccdd..a8cc4ecd9f 100644 ---- a/doc/man3/EVP_PKEY_CTX_ctrl.pod -+++ b/doc/man3/EVP_PKEY_CTX_ctrl.pod -@@ -393,6 +393,15 @@ this behaviour should be tolerated then - OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION should be set to the actual - negotiated protocol version. Otherwise it should be left unset. - -+Similarly to the B above, since OpenSSL version -+3.1.0, the use of B will return a randomly generated message -+instead of padding errors in case padding checks fail. 
Applications that -+want to remain secure while using earlier versions of OpenSSL, still need to -+handle both the error code from the RSA decryption operation and the -+returned message in a side channel secure manner. -+This protection against Bleichenbacher attacks can be disabled by setting -+the OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION (an unsigned integer) to 0. -+ - =head2 DSA parameters - - EVP_PKEY_CTX_set_dsa_paramgen_bits() sets the number of bits used for DSA -diff --git a/doc/man3/EVP_PKEY_decrypt.pod b/doc/man3/EVP_PKEY_decrypt.pod -index b6f9bad5f1..898535a7a2 100644 ---- a/doc/man3/EVP_PKEY_decrypt.pod -+++ b/doc/man3/EVP_PKEY_decrypt.pod -@@ -51,6 +51,18 @@ return 1 for success and 0 or a negative value for failure. In particular a - return value of -2 indicates the operation is not supported by the public key - algorithm. - -+=head1 WARNINGS -+ -+In OpenSSL versions before 3.1.0, when used in PKCS#1 v1.5 padding, -+both the return value from the EVP_PKEY_decrypt() and the B provided -+information useful in mounting a Bleichenbacher attack against the -+used private key. They had to processed in a side-channel free way. -+ -+Since version 3.1.0, the EVP_PKEY_decrypt() method when used with PKCS#1 -+v1.5 padding doesn't return an error in case it detects an error in padding, -+instead it returns a pseudo-randomly generated message, removing the need -+of side-channel secure code from applications using OpenSSL. -+ - =head1 EXAMPLES - - Decrypt data using OAEP (for RSA keys): -diff --git a/doc/man3/RSA_padding_add_PKCS1_type_1.pod b/doc/man3/RSA_padding_add_PKCS1_type_1.pod -index 9f7025c497..36ae18563f 100644 ---- a/doc/man3/RSA_padding_add_PKCS1_type_1.pod -+++ b/doc/man3/RSA_padding_add_PKCS1_type_1.pod -@@ -121,8 +121,8 @@ L. 
- - =head1 WARNINGS - --The result of RSA_padding_check_PKCS1_type_2() is a very sensitive --information which can potentially be used to mount a Bleichenbacher -+The result of RSA_padding_check_PKCS1_type_2() is exactly the -+information which is used to mount a classical Bleichenbacher - padding oracle attack. This is an inherent weakness in the PKCS #1 - v1.5 padding design. Prefer PKCS1_OAEP padding. If that is not - possible, the result of RSA_padding_check_PKCS1_type_2() should be -@@ -137,6 +137,9 @@ as this would create a small timing side channel which could be - used to mount a Bleichenbacher attack against any padding mode - including PKCS1_OAEP. - -+You should prefer the use of EVP PKEY APIs for PKCS#1 v1.5 decryption -+as they implement the necessary workarounds internally. -+ - =head1 SEE ALSO - - L, -diff --git a/doc/man3/RSA_public_encrypt.pod b/doc/man3/RSA_public_encrypt.pod -index 1d38073aea..bd3f835ac6 100644 ---- a/doc/man3/RSA_public_encrypt.pod -+++ b/doc/man3/RSA_public_encrypt.pod -@@ -52,8 +52,8 @@ Encrypting user data directly with RSA is insecure. - - =back - --B must not be more than RSA_size(B) - 11 for the PKCS #1 v1.5 --based padding modes, not more than RSA_size(B) - 42 for -+When encrypting B must not be more than RSA_size(B) - 11 for the -+PKCS #1 v1.5 based padding modes, not more than RSA_size(B) - 42 for - RSA_PKCS1_OAEP_PADDING and exactly RSA_size(B) for RSA_NO_PADDING. - When a padding mode other than RSA_NO_PADDING is in use, then - RSA_public_encrypt() will include some random bytes into the ciphertext -@@ -92,6 +92,13 @@ which can potentially be used to mount a Bleichenbacher padding oracle - attack. This is an inherent weakness in the PKCS #1 v1.5 padding - design. Prefer RSA_PKCS1_OAEP_PADDING. - -+In OpenSSL before version 3.1.0, both the return value and the length of -+returned value could be used to mount the Bleichenbacher attack. 
-+Since version 3.1.0, OpenSSL does not return an error in case of padding -+checks failed. Instead it generates a random message based on used private -+key and provided ciphertext so that application code doesn't have to implement -+a side-channel secure error handling. -+ - =head1 CONFORMING TO - - SSL, PKCS #1 v2.0 -diff --git a/doc/man7/provider-asym_cipher.pod b/doc/man7/provider-asym_cipher.pod -index 0976a263a8..2a8426a6ed 100644 ---- a/doc/man7/provider-asym_cipher.pod -+++ b/doc/man7/provider-asym_cipher.pod -@@ -234,6 +234,15 @@ The TLS protocol version first requested by the client. - - The negotiated TLS protocol version. - -+=item "implicit-rejection" (B) -+ -+Gets of sets the use of the implicit rejection mechanism for RSA PKCS#1 v1.5 -+decryption. When set (non zero value), the decryption API will return -+a deterministically random value if the PKCS#1 v1.5 padding check fails. -+This makes explotation of the Bleichenbacher significantly harder, even -+if the code using the RSA decryption API is not implemented in side-channel -+free manner. Set by default. 
-+ - =back - - OSSL_FUNC_asym_cipher_gettable_ctx_params() and OSSL_FUNC_asym_cipher_settable_ctx_params() -diff --git a/include/crypto/rsa.h b/include/crypto/rsa.h -index 949873d0ee..f267e5d9d1 100644 ---- a/include/crypto/rsa.h -+++ b/include/crypto/rsa.h -@@ -83,6 +83,10 @@ int ossl_rsa_param_decode(RSA *rsa, const X509_ALGOR *alg); - RSA *ossl_rsa_key_from_pkcs8(const PKCS8_PRIV_KEY_INFO *p8inf, - OSSL_LIB_CTX *libctx, const char *propq); - -+int ossl_rsa_padding_check_PKCS1_type_2(OSSL_LIB_CTX *ctx, -+ unsigned char *to, int tlen, -+ const unsigned char *from, int flen, -+ int num, unsigned char *kdk); - int ossl_rsa_padding_check_PKCS1_type_2_TLS(OSSL_LIB_CTX *ctx, unsigned char *to, - size_t tlen, - const unsigned char *from, -diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h -index 6248dda659..300d1129a4 100644 ---- a/include/openssl/core_names.h -+++ b/include/openssl/core_names.h -@@ -297,6 +297,7 @@ extern "C" { - #define OSSL_PKEY_PARAM_DIST_ID "distid" - #define OSSL_PKEY_PARAM_PUB_KEY "pub" - #define OSSL_PKEY_PARAM_PRIV_KEY "priv" -+#define OSSL_PKEY_PARAM_IMPLICIT_REJECTION "implicit-rejection" - - /* Diffie-Hellman/DSA Parameters */ - #define OSSL_PKEY_PARAM_FFC_P "p" -@@ -473,6 +474,7 @@ extern "C" { - #define OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL "oaep-label" - #define OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION "tls-client-version" - #define OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION "tls-negotiated-version" -+#define OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION "implicit-rejection" - - /* - * Encoder / decoder parameters -diff --git a/include/openssl/rsa.h b/include/openssl/rsa.h -index d0c9599274..e3e1476cda 100644 ---- a/include/openssl/rsa.h -+++ b/include/openssl/rsa.h -@@ -189,6 +189,8 @@ int EVP_PKEY_CTX_get0_rsa_oaep_label(EVP_PKEY_CTX *ctx, unsigned char **label); - - # define EVP_PKEY_CTRL_RSA_KEYGEN_PRIMES (EVP_PKEY_ALG_CTRL + 13) - -+# define EVP_PKEY_CTRL_RSA_IMPLICIT_REJECTION (EVP_PKEY_ALG_CTRL + 14) -+ - # define 
RSA_PKCS1_PADDING 1 - # define RSA_NO_PADDING 3 - # define RSA_PKCS1_OAEP_PADDING 4 -@@ -198,6 +200,9 @@ int EVP_PKEY_CTX_get0_rsa_oaep_label(EVP_PKEY_CTX *ctx, unsigned char **label); - # define RSA_PKCS1_PSS_PADDING 6 - # define RSA_PKCS1_WITH_TLS_PADDING 7 - -+/* internal RSA_ only */ -+# define RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING 8 -+ - # define RSA_PKCS1_PADDING_SIZE 11 - - # define RSA_set_app_data(s,arg) RSA_set_ex_data(s,0,arg) -diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c -index 666a699d84..d169bfd396 100644 ---- a/providers/implementations/asymciphers/rsa_enc.c -+++ b/providers/implementations/asymciphers/rsa_enc.c -@@ -78,6 +78,8 @@ typedef struct { - /* TLS padding */ - unsigned int client_version; - unsigned int alt_version; -+ /* PKCS#1 v1.5 decryption mode */ -+ unsigned int implicit_rejection; - } PROV_RSA_CTX; - - static void *rsa_newctx(void *provctx) -@@ -113,6 +115,7 @@ static int rsa_init(void *vprsactx, void *vrsa, const OSSL_PARAM params[], - RSA_free(prsactx->rsa); - prsactx->rsa = vrsa; - prsactx->operation = operation; -+ prsactx->implicit_rejection = 1; - - switch (RSA_test_flags(prsactx->rsa, RSA_FLAG_TYPE_MASK)) { - case RSA_FLAG_TYPE_RSA: -@@ -237,6 +240,7 @@ static int rsa_decrypt(void *vprsactx, unsigned char *out, size_t *outlen, - { - PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; - int ret; -+ int pad_mode; - size_t len = RSA_size(prsactx->rsa); - - if (!ossl_prov_is_running()) -@@ -326,8 +330,12 @@ static int rsa_decrypt(void *vprsactx, unsigned char *out, size_t *outlen, - } - OPENSSL_free(tbuf); - } else { -- ret = RSA_private_decrypt(inlen, in, out, prsactx->rsa, -- prsactx->pad_mode); -+ if ((prsactx->implicit_rejection == 0) && -+ (prsactx->pad_mode == RSA_PKCS1_PADDING)) -+ pad_mode = RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING; -+ else -+ pad_mode = prsactx->pad_mode; -+ ret = RSA_private_decrypt(inlen, in, out, prsactx->rsa, pad_mode); - } - *outlen = 
constant_time_select_s(constant_time_msb_s(ret), *outlen, ret); - ret = constant_time_select_int(constant_time_msb(ret), 0, 1); -@@ -454,6 +462,10 @@ static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params) - if (p != NULL && !OSSL_PARAM_set_uint(p, prsactx->alt_version)) - return 0; - -+ p = OSSL_PARAM_locate(params, OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION); -+ if (p != NULL && !OSSL_PARAM_set_uint(p, prsactx->implicit_rejection)) -+ return 0; -+ - return 1; - } - -@@ -465,6 +477,7 @@ static const OSSL_PARAM known_gettable_ctx_params[] = { - NULL, 0), - OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION, NULL), - OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION, NULL), -+ OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION, NULL), - OSSL_PARAM_END - }; - -@@ -621,6 +634,14 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[]) - return 0; - prsactx->alt_version = alt_version; - } -+ p = OSSL_PARAM_locate_const(params, OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION); -+ if (p != NULL) { -+ unsigned int implicit_rejection; -+ -+ if (!OSSL_PARAM_get_uint(p, &implicit_rejection)) -+ return 0; -+ prsactx->implicit_rejection = implicit_rejection; -+ } - - return 1; - } -@@ -633,6 +654,7 @@ static const OSSL_PARAM known_settable_ctx_params[] = { - OSSL_PARAM_octet_string(OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL, NULL, 0), - OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION, NULL), - OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION, NULL), -+ OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION, NULL), - OSSL_PARAM_END - }; - -diff --git a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt -index 7487684e19..e807c0a2e1 100644 ---- a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt -+++ b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt -@@ -268,9 +268,25 @@ Decrypt = RSA-2048 - 
Input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utput = "Hello World" - -+Availablein = default -+# Note: disable the Bleichenbacher workaround to see if it passes -+Decrypt = RSA-2048 -+Ctrl = rsa_pkcs1_implicit_rejection:0 -+Input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utput = "Hello World" -+ -+Availablein = default -+# Corrupted ciphertext -+# Note: output is generated synthethically by the Bleichenbacher workaround -+Decrypt = RSA-2048 -+Input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utput = 4cbb988d6a46228379132b0b5f8c249b3860043848c93632fb982c807c7c82fffc7a9ef83f4908f890373ac181ffea6381e103bcaa27e65638b6ecebef38b59ed4226a9d12af675cfcb634d8c40e7a7aff -+ - # Corrupted ciphertext - FIPSversion = <3.2.0 -+# Note: disable the Bleichenbacher workaround to see if it fails - Decrypt = RSA-2048 -+Ctrl = rsa_pkcs1_implicit_rejection:0 - Input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utput = "Hello World" - Result = KEYOP_ERROR -@@ -293,6 +309,462 @@ Derive = RSA-2048 - Result = KEYOP_INIT_ERROR - Reason = operation not supported for this keytype - -+# Test vectors for the Bleichenbacher workaround -+ -+PrivateKey = RSA-2048-2 -+-----BEGIN RSA PRIVATE KEY----- -+MIIEowIBAAKCAQEAyMyDlxQJjaVsqiNkD5PciZfBY3KWj8Gwxt9RE8HJTosh5IrS -+KX5lQZARtObY9ec7G3iyV0ADIdHva2AtTsjOjRQclJBetK0wZjmkkgZTS25/JgdC -+Ppff/RM8iNchOZ3vvH6WzNy9fzquH+iScSv7SSmBfVEWZkQKH6y3ogj16hZZEK3Y -+o/LUlyAjYMy2MgJPDQcWnBkY8xb3lLFDrvVOyHUipMApePlomYC/+/ZJwwfoGBm/ -++IQJY41IvZS+FStZ/2SfoL1inQ/6GBPDq/S1a9PC6lRl3/oUWJKSqdiiStJr5+4F -+EHQbY4LUPIPVv6QKRmE9BivkRVF9vK8MtOGnaQIDAQABAoIBABRVAQ4PLVh2Y6Zm -+pv8czbvw7dgQBkbQKgI5IpCJksStOeVWWSlybvZQjDpxFY7wtv91HTnQdYC7LS8G -+MhBELQYD/1DbvXs1/iybsZpHoa+FpMJJAeAsqLWLeRmyDt8yqs+/Ua20vEthubfp -+aMqk1XD3DvGNgGMiiJPkfUOe/KeTJZvPLNEIo9hojN8HjnrHmZafIznSwfUiuWlo -+RimpM7quwmgWJeq4T05W9ER+nYj7mhmc9xAj4OJXsURBszyE07xnyoAx0mEmGBA6 -+egpAhEJi912IkM1hblH5A1SI/W4Jnej/bWWk/xGCVIB8n1jS+7qLoVHcjGi+NJyX 
-+eiBOBMECgYEA+PWta6gokxvqRZuKP23AQdI0gkCcJXHpY/MfdIYColY3GziD7UWe -+z5cFJkWe3RbgVSL1pF2UdRsuwtrycsf4gWpSwA0YCAFxY02omdeXMiL1G5N2MFSG -+lqn32MJKWUl8HvzUVc+5fuhtK200lyszL9owPwSZm062tcwLsz53Yd0CgYEAznou -+O0mpC5YzChLcaCvfvfuujdbcA7YUeu+9V1dD8PbaTYYjUGG3Gv2crS00Al5WrIaw -+93Q+s14ay8ojeJVCRGW3Bu0iF15XGMjHC2cD6o9rUQ+UW+SOWja7PDyRcytYnfwF -+1y2AkDGURSvaITSGR+xylD8RqEbmL66+jrU2sP0CgYB2/hXxiuI5zfHfa0RcpLxr -+uWjXiMIZM6T13NKAAz1nEgYswIpt8gTB+9C+RjB0Q+bdSmRWN1Qp1OA4yiVvrxyb -+3pHGsXt2+BmV+RxIy768e/DjSUwINZ5OjNalh9e5bWIh/X4PtcVXXwgu5XdpeYBx -+sru0oyI4FRtHMUu2VHkDEQKBgQCZiEiwVUmaEAnLx9KUs2sf/fICDm5zZAU+lN4a -+AA3JNAWH9+JydvaM32CNdTtjN3sDtvQITSwCfEs4lgpiM7qe2XOLdvEOp1vkVgeL -+9wH2fMaz8/3BhuZDNsdrNy6AkQ7ICwrcwj0C+5rhBIaigkgHW06n5W3fzziC5FFW -+FHGikQKBgGQ790ZCn32DZnoGUwITR++/wF5jUfghqd67YODszeUAWtnp7DHlWPfp -+LCkyjnRWnXzvfHTKvCs1XtQBoaCRS048uwZITlgZYFEWntFMqi76bqBE4FTSYUTM -+FinFUBBVigThM/RLfCRNrCW/kTxXuJDuSfVIJZzWNAT+9oWdz5da -+-----END RSA PRIVATE KEY----- -+ -+# corresponding public key -+PublicKey = RSA-2048-2-PUBLIC -+-----BEGIN PUBLIC KEY----- -+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyMyDlxQJjaVsqiNkD5Pc -+iZfBY3KWj8Gwxt9RE8HJTosh5IrSKX5lQZARtObY9ec7G3iyV0ADIdHva2AtTsjO -+jRQclJBetK0wZjmkkgZTS25/JgdCPpff/RM8iNchOZ3vvH6WzNy9fzquH+iScSv7 -+SSmBfVEWZkQKH6y3ogj16hZZEK3Yo/LUlyAjYMy2MgJPDQcWnBkY8xb3lLFDrvVO -+yHUipMApePlomYC/+/ZJwwfoGBm/+IQJY41IvZS+FStZ/2SfoL1inQ/6GBPDq/S1 -+a9PC6lRl3/oUWJKSqdiiStJr5+4FEHQbY4LUPIPVv6QKRmE9BivkRVF9vK8MtOGn -+aQIDAQAB -+-----END PUBLIC KEY----- -+ -+PrivPubKeyPair = RSA-2048-2:RSA-2048-2-PUBLIC -+ -+# RSA decrypt -+ -+# a random positive test case -+Availablein = default -+Decrypt = RSA-2048-2 -+Input = 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 -+Output = "lorem ipsum dolor sit amet" -+ -+Availablein = default -+# a random negative test case decrypting to empty -+Decrypt = RSA-2048-2 -+Input = 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 -+Output = -+ -+Availablein = default -+# invalid decrypting to max length message 
-+Decrypt = RSA-2048-2 -+Input = 48cceab10f39a4db32f60074feea473cbcdb7accf92e150417f76b44756b190e843e79ec12aa85083a21f5437e7bad0a60482e601198f9d86923239c8786ee728285afd0937f7dde12717f28389843d7375912b07b991f4fdb0190fced8ba665314367e8c5f9d2981d0f5128feeb46cb50fc237e64438a86df198dd0209364ae3a842d77532b66b7ef263b83b1541ed671b120dfd660462e2107a4ee7b964e734a7bd68d90dda61770658a3c242948532da32648687e0318286473f675b412d6468f013f14d760a358dfcad3cda2afeec5e268a37d250c37f722f468a70dfd92d7294c3c1ee1e7f8843b7d16f9f37ef35748c3ae93aa155cdcdfeb4e78567303 -+Output = 22d850137b9eebe092b24f602dc5bb7918c16bd89ddbf20467b119d205f9c2e4bd7d2592cf1e532106e0f33557565923c73a02d4f09c0c22bea89148183e60317f7028b3aa1f261f91c979393101d7e15f4067e63979b32751658ef769610fe97cf9cef3278b3117d384051c3b1d82c251c2305418c8f6840530e631aad63e70e20e025bcd8efb54c92ec6d3b106a2f8e64eeff7d38495b0fc50c97138af4b1c0a67a1c4e27b077b8439332edfa8608dfeae653cd6a628ac550395f7e74390e42c11682234870925eeaa1fa71b76cf1f2ee3bda69f6717033ff8b7c95c9799e7a3bea5e7e4a1c359772fb6b1c6e6c516661dfe30c3 -+ -+Availablein = default -+# invalid decrypting to message with length specified by second to last value from PRF -+Decrypt = RSA-2048-2 -+Input = 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 -+Output = 0f9b -+ -+Availablein = default -+# invalid decrypting to message with length specified by third to last value from PRF -+Decrypt = RSA-2048-2 -+Input = 1690ebcceece2ce024f382e467cf8510e74514120937978576caf684d4a02ad569e8d76cbe365a060e00779de2f0865ccf0d923de3b4783a4e2c74f422e2f326086c390b658ba47f31ab013aa80f468c71256e5fa5679b24e83cd82c3d1e05e398208155de2212993cd2b8bab6987cf4cc1293f19909219439d74127545e9ed8a706961b8ee2119f6bfacafbef91b75a789ba65b8b833bc6149cf49b5c4d2c6359f62808659ba6541e1cd24bf7f7410486b5103f6c0ea29334ea6f4975b17387474fe920710ea61568d7b7c0a7916acf21665ad5a31c4eabcde44f8fb6120d8457afa1f3c85d517cda364af620113ae5a3c52a048821731922737307f77a1081 -+Output = 4f02 -+ -+# positive test with 11 byte long value 
-+Availablein = default -+Decrypt = RSA-2048-2 -+Input = 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 -+Output = "lorem ipsum" -+ -+# positive test with 11 byte long value and zero padded ciphertext -+Availablein = default -+Decrypt = RSA-2048-2 -+Input = 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 -+Output = "lorem ipsum" -+ -+# positive test with 11 byte long value and zero truncated ciphertext -+Availablein = default -+Decrypt = RSA-2048-2 -+Input = 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 -+Output = "lorem ipsum" -+ -+# positive test with 11 byte long value and double zero padded ciphertext -+Availablein = default -+Decrypt = RSA-2048-2 -+Input = 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 -+Output = "lorem ipsum" -+ -+# positive test with 11 byte long value and double zero truncated ciphertext -+Availablein = default -+Decrypt = RSA-2048-2 -+Input = 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 -+Output = "lorem ipsum" -+ -+# positive that generates a 0 byte long synthethic message internally -+Availablein = default -+Decrypt = RSA-2048-2 -+Input = 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 -+Output = "lorem ipsum" -+ -+# positive that generates a 245 byte long synthethic message internally -+Availablein = default -+Decrypt = RSA-2048-2 -+Input = 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 -+Output = "lorem ipsum" -+ -+Availablein = default -+# a random negative test that generates an 11 byte long message -+Decrypt = RSA-2048-2 -+Input = 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 -+Output = af9ac70191c92413cb9f2d -+ -+Availablein = default -+# an otherwise correct plaintext, but with wrong first byte -+# (0x01 instead of 0x00), generates a random 11 byte long plaintext -+Decrypt = RSA-2048-2 -+Input = 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 -+Output = a1f8c9255c35cfba403ccc -+ -+Availablein = default -+# an otherwise correct plaintext, but with wrong second byte -+# 
(0x01 instead of 0x02), generates a random 11 byte long plaintext -+Decrypt = RSA-2048-2 -+Input = 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 -+Output = e6d700309ca0ed62452254 -+ -+Availablein = default -+# an invalid ciphertext, with a zero byte in first byte of -+# ciphertext, decrypts to a random 11 byte long synthethic -+# plaintext -+Decrypt = RSA-2048-2 -+Input = 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 -+Output = ba27b1842e7c21c0e7ef6a -+ -+Availablein = default -+# an invalid ciphertext, with a zero byte removed from first byte of -+# ciphertext, decrypts to a random 11 byte long synthethic -+# plaintext -+Decrypt = RSA-2048-2 -+Input = 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 -+Output = ba27b1842e7c21c0e7ef6a -+ -+Availablein = default -+# an invalid ciphertext, with two zero bytes in first bytes of -+# ciphertext, decrypts to a random 11 byte long synthethic -+# plaintext -+Decrypt = RSA-2048-2 -+Input = 0000587cccc6b264bdfe0dc2149a988047fa921801f3502ea64624c510c6033d2f427e3f136c26e88ea9f6519e86a542cec96aad1e5e9013c3cc203b6de15a69183050813af5c9ad79703136d4b92f50ce171eefc6aa7988ecf02f319ffc5eafd6ee7a137f8fce64b255bb1b8dd19cfe767d64fdb468b9b2e9e7a0c24dae03239c8c714d3f40b7ee9c4e59ac15b17e4d328f1100756bce17133e8e7493b54e5006c3cbcdacd134130c5132a1edebdbd01a0c41452d16ed7a0788003c34730d0808e7e14c797a21f2b45a8aa1644357fd5e988f99b017d9df37563a354c788dc0e2f9466045622fa3f3e17db63414d27761f57392623a2bef6467501c63e8d645 -+Output = d5cf555b1d6151029a429a -+ -+Availablein = default -+# an invalid ciphertext, with two zero bytes removed from first bytes of -+# ciphertext, decrypts to a random 11 byte long synthethic -+# plaintext -+Decrypt = RSA-2048-2 -+Input = 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 -+Output = d5cf555b1d6151029a429a -+ -+Availablein = default -+# and invalid ciphertext, otherwise valid but starting with 000002, decrypts -+# to random 11 byte long synthethic plaintext -+Decrypt = RSA-2048-2 -+Input = 
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 -+Output = 3d4a054d9358209e9cbbb9 -+ -+Availablein = default -+# negative test with otherwise valid padding but a zero byte in first byte -+# of padding -+Decrypt = RSA-2048-2 -+Input = 179598823812d2c58a7eb50521150a48bcca8b4eb53414018b6bca19f4801456c5e36a940037ac516b0d6412ba44ec6b4f268a55ef1c5ffbf18a2f4e3522bb7b6ed89774b79bffa22f7d3102165565642de0d43a955e96a1f2e80e5430671d7266eb4f905dc8ff5e106dc5588e5b0289e49a4913940e392a97062616d2bda38155471b7d360cfb94681c702f60ed2d4de614ea72bf1c53160e63179f6c5b897b59492bee219108309f0b7b8cb2b136c346a5e98b8b4b8415fb1d713bae067911e3057f1c335b4b7e39101eafd5d28f0189037e4334f4fdb9038427b1d119a6702aa8233319cc97d496cc289ae8c956ddc84042659a2d43d6aa22f12b81ab884e -+Output = 1f037dd717b07d3e7f7359 -+ -+Availablein = default -+# negative test with otherwise valid padding but a zero byte at the eigth -+# byte of padding -+Decrypt = RSA-2048-2 -+Input = 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 -+Output = 63cb0bf65fc8255dd29e17 -+ -+Availablein = default -+# negative test with an otherwise valid plaintext but with missing separator -+# byte -+Decrypt = RSA-2048-2 -+Input = 3d1b97e7aa34eaf1f4fc171ceb11dcfffd9a46a5b6961205b10b302818c1fcc9f4ec78bf18ea0cee7e9fa5b16fb4c611463b368b3312ac11cf9c06b7cf72b54e284848a508d3f02328c62c2999d0fb60929f81783c7a256891bc2ff4d91df2af96a24fc5701a1823af939ce6dbdc510608e3d41eec172ad2d51b9fc61b4217c923cadcf5bac321355ef8be5e5f090cdc2bd0c697d9058247db3ad613fdce87d2955a6d1c948a5160f93da21f731d74137f5d1f53a1923adb513d2e6e1589d44cc079f4c6ddd471d38ac82d20d8b1d21f8d65f3b6907086809f4123e08d86fb38729585de026a485d8f0e703fd4772f6668febf67df947b82195fa3867e3a3065 -+Output = 6f09a0b62699337c497b0b -+ -+# Test vectors for the Bleichenbacher workaround (2049 bit key size) -+ -+PrivateKey = RSA-2049 -+-----BEGIN RSA PRIVATE KEY----- -+MIIEpQIBAAKCAQEBVfiJVWoXdfHHp3hqULGLwoyemG7eVmfKs5uEEk6Q66dcHbCD -+rD5EO7qU3CNWD3XjqBaToqQ73HQm2MTq/mjIXeD+dX9uSbue1EfmAkMIANuwTOsi 
-+5/pXoY0zj7ZgJs20Z+cMwEDn02fvQDx78ePfYkZQCUYx8h6v0vtbyRX/BDeazRES -+9zLAtGYHwXjTiiD1LtpQny+cBAXVEGnoDM+UFVTQRwRnUFw89UHqCJffyfQAzssp -+j/x1M3LZ9pM68XTMQO2W1GcDFzO5f4zd0/krw6A+qFdsQX8kAHteT3UBEFtUTen6 -+3N/635jftLsFuBmfP4Ws/ZH3qaCUuaOD9QSQlwIDAQABAoIBAQEZwrP1CnrWFSZ5 -+1/9RCVisLYym8AKFkvMy1VoWc2F4qOZ/F+cFzjAOPodUclEAYBP5dNCj20nvNEyl -+omo0wEUHBNDkIuDOI6aUJcFf77bybhBu7/ZMyLnXRC5NpOjIUAjq6zZYWaIpT6OT -+e8Jr5WMy59geLBYO9jXMUoqnvlXmM6cj28Hha6KeUrKa7y+eVlT9wGZrsPwlSsvo -+DmOHTw9fAgeC48nc/CUg0MnEp7Y05FA/u0k+Gq/us/iL16EzmHJdrm/jmed1zV1M -+8J/IODR8TJjasaSIPM5iBRNhWvqhCmM2jm17ed9BZqsWJznvUVpEAu4eBgHFpVvH -+HfDjDt+BAoGBAYj2k2DwHhjZot4pUlPSUsMeRHbOpf97+EE99/3jVlI83JdoBfhP -+wN3sdw3wbO0GXIETSHVLNGrxaXVod/07PVaGgsh4fQsxTvasZ9ZegTM5i2Kgg8D4 -+dlxa1A1agfm73OJSftfpUAjLECnLTKvR+em+38KGyWVSJV2n6rGSF473AoGBAN7H -+zxHa3oOkxD0vgBl/If1dRv1XtDH0T+gaHeN/agkf/ARk7ZcdyFCINa3mzF9Wbzll -+YTqLNnmMkubiP1LvkH6VZ+NBvrxTNxiWJfu+qx87ez+S/7JoHm71p4SowtePfC2J -+qqok0s7b0GaBz+ZcNse/o8W6E1FiIi71wukUyYNhAoGAEgk/OnPK7dkPYKME5FQC -++HGrMsjJVbCa9GOjvkNw8tVYSpq7q2n9sDHqRPmEBl0EYehAqyGIhmAONxVUbIsL -+ha0m04y0MI9S0H+ZRH2R8IfzndNAONsuk46XrQU6cfvtZ3Xh3IcY5U5sr35lRn2c -+ut3H52XIWJ4smN/cJcpOyoECgYEAjM5hNHnPlgj392wkXPkbtJXWHp3mSISQVLTd -+G0MW8/mBQg3AlXi/eRb+RpHPrppk5jQLhgMjRSPyXXe2amb8PuWTqfGN6l32PtX3 -+3+udILpppb71Wf+w7JTbcl9v9uq7o9SVR8DKdPA+AeweSQ0TmqCnlHuNZizOSjwP -+G16GF0ECgYEA+ZWbNMS8qM5IiHgbMbHptdit9dDT4+1UXoNn0/hUW6ZEMriHMDXv -+iBwrzeANGAn5LEDYeDe1xPms9Is2uNxTpZVhpFZSNALR6Po68wDlTJG2PmzuBv5t -+5mbzkpWCoD4fRU53ifsHgaTW+7Um74gWIf0erNIUZuTN2YrtEPTnb3k= -+-----END RSA PRIVATE KEY----- -+ -+# corresponding public key -+PublicKey = RSA-2049-PUBLIC -+-----BEGIN PUBLIC KEY----- -+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEBVfiJVWoXdfHHp3hqULGL -+woyemG7eVmfKs5uEEk6Q66dcHbCDrD5EO7qU3CNWD3XjqBaToqQ73HQm2MTq/mjI -+XeD+dX9uSbue1EfmAkMIANuwTOsi5/pXoY0zj7ZgJs20Z+cMwEDn02fvQDx78ePf -+YkZQCUYx8h6v0vtbyRX/BDeazRES9zLAtGYHwXjTiiD1LtpQny+cBAXVEGnoDM+U -+FVTQRwRnUFw89UHqCJffyfQAzsspj/x1M3LZ9pM68XTMQO2W1GcDFzO5f4zd0/kr 
-+w6A+qFdsQX8kAHteT3UBEFtUTen63N/635jftLsFuBmfP4Ws/ZH3qaCUuaOD9QSQ -+lwIDAQAB -+-----END PUBLIC KEY----- -+ -+PrivPubKeyPair = RSA-2049:RSA-2049-PUBLIC -+ -+# RSA decrypt -+ -+Availablein = default -+# malformed that generates length specified by 3rd last value from PRF -+Decrypt = RSA-2049 -+Input = 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 -+Output = 42 -+ -+# simple positive test case -+Availablein = default -+Decrypt = RSA-2049 -+Input = 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 -+Output = "lorem ipsum" -+ -+# positive test case with null padded ciphertext -+Availablein = default -+Decrypt = RSA-2049 -+Input = 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 -+Output = "lorem ipsum" -+ -+# positive test case with null truncated ciphertext -+Availablein = default -+Decrypt = RSA-2049 -+Input = 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 -+Output = "lorem ipsum" -+ -+# positive test case with double null padded ciphertext -+Availablein = default -+Decrypt = RSA-2049 -+Input = 0000f36da3b72d8ff6ded74e7efd08c01908f3f5f0de7b55eab92b5f875190809c39d4162e1e6649618f854fd84aeab03970d16bb814e999852c06de38d82b95c0f32e2a7b5714021fe303389be9c0eac24c90a6b7210f929d390fabf903d44e04110bb7a7fd6c383c275804721efa6d7c93aa64c0bb2b18d97c5220a846c66a4895ae52adddbe2a9996825e013585adcec4b32ba61d782737bd343e5fabd68e8a95b8b1340318559860792dd70dffbe05a1052b54cbfb48cfa7bb3c19cea52076bddac5c25ee276f153a610f6d06ed696d192d8ae4507ffae4e5bdda10a625d6b67f32f7cffcd48dee2431fe66f6105f9d17e611cdcc674868e81692a360f4052 -+Output = "lorem ipsum" -+ -+# positive test case with double null truncated ciphertext -+Availablein = default -+Decrypt = RSA-2049 -+Input = 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 -+Output = "lorem ipsum" -+ -+Availablein = default -+# a random negative test case that generates an 11 byte long message -+Decrypt = RSA-2049 -+Input = 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 -+Output = 1189b6f5498fd6df532b00 -+ 
-+Availablein = default -+# otherwise correct plaintext, but with wrong first byte (0x01 instead of 0x00) -+Decrypt = RSA-2049 -+Input = 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 -+Output = f6d0f5b78082fe61c04674 -+ -+Availablein = default -+# otherwise correct plaintext, but with wrong second byte (0x01 instead of 0x02) -+Decrypt = RSA-2049 -+Input = 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 -+Output = 1ab287fcef3ff17067914d -+ -+# RSA decrypt with 3072 bit keys -+PrivateKey = RSA-3072 -+-----BEGIN RSA PRIVATE KEY----- -+MIIG5AIBAAKCAYEAr9ccqtXp9bjGw2cHCkfxnX5mrt4YpbJ0H7PE0zQ0VgaSotkJ -+72iI7GAv9rk68ljudDA8MBr81O2+xDMR3cjdvwDdu+OG0zuNDiKxtEk23EiYcbhS -+N7NM50etj9sMTk0dqnqt8HOFxchzLMt9Wkni5QyIPH16wQ7Wp02ayQ35EpkFoX1K -+CHIQ/Hi20EseuWlILBGm7recUOWxbz8lT3VxUosvFxargW1uygcnveqYBZMpcw64 -+wzznHWHdSsOTtiVuB6wdEk8CANHD4FpMG8fx7S/IPlcZnP5ZCLEAh+J/vZfSwkIU -+YZxxR8j778o5vCVnYqaCNTH34jTWjq56DZ+vEN0V6VI3gMfVrlgJStUlqQY7TDP5 -+XhAG2i6xLTdDaJSVwfICPkBzU8XrPkyhxIz/gaEJANFIIOuAGvTxpZbEuc6aUx/P -+ilTZ/9ckJYtu7CAQjfb9/XbUrgO6fqWY3LDkooCElYcob01/JWzoXl61Z5sdrMH5 -+CVZJty5foHKusAN5AgMBAAECggGAJRfqyzr+9L/65gOY35lXpdKhVKgzaNjhWEKy -+9Z7gn3kZe9LvHprdr4eG9rQSdEdAXjBCsh8vULeqc3cWgMO7y2wiWl1f9rVsRxwY -+gqCjOwrxZaPtbCSdx3g+a8dYrDfmVy0z/jJQeO2VJlDy65YEkC75mlEaERnRPE/J -+pDoXXc37+xoUAP4XCTtpzTzbiV9lQy6iGV+QURxzNrWKaF2s/y2vTF6S5WWxZlrm -+DlErqplluAjV/xGc63zWksv5IAZ6+s2An2a+cG2iaBCseQ2xVslI5v5YG8mEkVf0 -+2kk/OmSwxuEZ4DGxB/hDbOKRYLRYuPnxCV/esZJjOE/1OHVXvE8QtANN6EFwO60s -+HnacI4U+tjCjbRBh3UbipruvdDqX8LMsNvUMGjci3vOjlNkcLgeL8J15Xs3l5WuC -+Avl0Am91/FbpoN1qiPLny3jvEpjMbGUgfKRb03GIgHtPzbHmDdjluFZI+376i2/d -+RI85dBqNmAn+Fjrz3kW6wkpahByBAoHBAOSj2DDXPosxxoLidP/J/RKsMT0t0FE9 -+UFcNt+tHYv6hk+e7VAuUqUpd3XQqz3P13rnK4xvSOsVguyeU/WgmH4ID9XGSgpBP -+Rh6s7izn4KAJeqfI26vTPxvyaZEqB4JxT6k7SerENus95zSn1v/f2MLBQ16EP8cJ -++QSOVCoZfEhUK+srherQ9eZKpj0OwBUrP4VhLdymv96r8xddWX1AVj4OBi2RywKI -+gAgv6fjwkb292jFu6x6FjKRNKwKK6c3jqQKBwQDE4c0Oz0KYYV4feJun3iL9UJSv 
-+StGsKVDuljA4WiBAmigMZTii/u0DFEjibiLWcJOnH53HTr0avA6c6D1nCwJ2qxyF -+rHNN2L+cdMx/7L1zLR11+InvRgpIGbpeGwHeIzJVUYG3b6llRJMZimBvAMr9ipM1 -+bkVvIjt1G9W1ypeuKzm6d/t8F0yC7AIYZWDV4nvxiiY8whLZzGawHR2iZz8pfUwb -+7URbTvxdsGE27Kq9gstU0PzEJpnU1goCJ7/gA1ECgcBA8w5B6ZM5xV0H5z6nPwDm -+IgYmw/HucgV1hU8exfuoK8wxQvTACW4B0yJKkrK11T1899aGG7VYRn9D4j4OLO48 -+Z9V8esseJXbc1fEezovvymGOci984xiFXtqAQzk44+lmQJJh33VeZApe2eLocvVH -+ddEmc1kOuJWFpszf3LeCcG69cnKrXsrLrZ8Frz//g3aa9B0sFi5hGeWHWJxISVN2 -+c1Nr9IN/57i/GqVTcztjdCAcdM7Tr8phDg7OvRlnxGkCgcEAuYhMFBuulyiSaTff -+/3ZvJKYOJ45rPkEFGoD/2ercn+RlvyCYGcoAEjnIYVEGlWwrSH+b0NlbjVkQsD6O -+to8CeE/RpgqX8hFCqC7NE/RFp8cpDyXy3j/zqnRMUyhCP1KNuScBBZs9V8gikxv6 -+ukBWCk3PYbeTySHKRBbB8vmCrMfhM96jaBIQsQO1CcZnVceDo1/bnsAIwaREVMxr -+Q8LmG7QOx/Z0x1MMsUFoqzilwccC09/JgxMZPh+h+Nv6jiCxAoHBAOEqQgFAfSdR -+ya60LLH55q803NRFMamuKiPbVJLzwiKfbjOiiopmQOS/LxxqIzeMXlYV4OsSvxTo -+G7mcTOFRtU5hKCK+t8qeQQpa/dsMpiHllwArnRyBjIVgL5lFKRpHUGLsavU/T1IH -+mtgaxZo32dXvcAh1+ndCHVBwbHTOF4conA+g+Usp4bZSSWn5nU4oIizvSVpG7SGe -+0GngdxH9Usdqbvzcip1EKeHRTZrHIEYmB+x0LaRIB3dwZNidK3TkKw== -+-----END RSA PRIVATE KEY----- -+ -+PublicKey = RSA-3072-PUBLIC -+-----BEGIN PUBLIC KEY----- -+MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAr9ccqtXp9bjGw2cHCkfx -+nX5mrt4YpbJ0H7PE0zQ0VgaSotkJ72iI7GAv9rk68ljudDA8MBr81O2+xDMR3cjd -+vwDdu+OG0zuNDiKxtEk23EiYcbhSN7NM50etj9sMTk0dqnqt8HOFxchzLMt9Wkni -+5QyIPH16wQ7Wp02ayQ35EpkFoX1KCHIQ/Hi20EseuWlILBGm7recUOWxbz8lT3Vx -+UosvFxargW1uygcnveqYBZMpcw64wzznHWHdSsOTtiVuB6wdEk8CANHD4FpMG8fx -+7S/IPlcZnP5ZCLEAh+J/vZfSwkIUYZxxR8j778o5vCVnYqaCNTH34jTWjq56DZ+v -+EN0V6VI3gMfVrlgJStUlqQY7TDP5XhAG2i6xLTdDaJSVwfICPkBzU8XrPkyhxIz/ -+gaEJANFIIOuAGvTxpZbEuc6aUx/PilTZ/9ckJYtu7CAQjfb9/XbUrgO6fqWY3LDk -+ooCElYcob01/JWzoXl61Z5sdrMH5CVZJty5foHKusAN5AgMBAAE= -+-----END PUBLIC KEY----- -+ -+PrivPubKeyPair = RSA-3072:RSA-3072-PUBLIC -+ -+Availablein = default -+# a random invalid ciphertext that generates an empty synthethic one -+Decrypt = RSA-3072 -+Input = 
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 -+Output = -+ -+Availablein = default -+# a random invalid that has PRF output with a length one byte too long -+# in the last value -+Decrypt = RSA-3072 -+Input = 7db0390d75fcf9d4c59cf27b264190d856da9abd11e92334d0e5f71005cfed865a711dfa28b791188374b61916dbc11339bf14b06f5f3f68c206c5607380e13da3129bfb744157e1527dd6fdf6651248b028a496ae1b97702d44706043cdaa7a59c0f41367303f21f268968bf3bd2904db3ae5239b55f8b438d93d7db9d1666c071c0857e2ec37757463769c54e51f052b2a71b04c2869e9e7049a1037b8429206c99726f07289bac18363e7eb2a5b417f47c37a55090cda676517b3549c873f2fe95da9681752ec9864b069089a2ed2f340c8b04ee00079055a817a3355b46ac7dc00d17f4504ccfbcfcadb0c04cb6b22069e179385ae1eafabad5521bac2b8a8ee1dfff59a22eb3fdacfc87175d10d7894cfd869d056057dd9944b869c1784fcc27f731bc46171d39570fbffbadf082d33f6352ecf44aca8d9478e53f5a5b7c852b401e8f5f74da49da91e65bdc97765a9523b7a0885a6f8afe5759d58009fbfa837472a968e6ae92026a5e0202a395483095302d6c3985b5f5831c521a271 -+Output = 56a3bea054e01338be9b7d7957539c -+ -+Availablein = default -+# a random invalid that generates a synthethic of maximum size -+Decrypt = RSA-3072 -+Input = 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 -+Output = 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 -+ -+# a positive test case that decrypts to 9 byte long value -+Availablein = default -+Decrypt = RSA-3072 -+Input = 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 -+Output = "forty two" -+ -+# a positive test case with null padded ciphertext -+Availablein = default -+Decrypt = RSA-3072 -+Input = 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 -+Output = "forty two" -+ -+# a positive test case with null truncated ciphertext -+Availablein = default -+Decrypt = RSA-3072 -+Input = 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 -+Output = "forty two" -+ -+# a positive test case with double null padded ciphertext -+Availablein = default -+Decrypt = RSA-3072 -+Input = 
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 -+Output = "forty two" -+ -+# a positive test case with double null truncated ciphertext -+Availablein = default -+Decrypt = RSA-3072 -+Input = 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 -+Output = "forty two" -+ -+Availablein = default -+# a random negative test case that generates a 9 byte long message -+Decrypt = RSA-3072 -+Input = 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 -+Output = 257906ca6de8307728 -+ -+Availablein = default -+# a random negative test case that generates a 9 byte long message based on -+# second to last value from PRF -+Decrypt = RSA-3072 -+Input = 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 -+Output = 043383c929060374ed -+ -+Availablein = default -+# a random negative test that generates message based on 3rd last value from -+# PRF -+Decrypt = RSA-3072 -+Input = 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 -+Output = 70263fa6050534b9e0 -+ -+Availablein = default -+# an otherwise valid plaintext, but with wrong first byte (0x01 instead of 0x00) -+Decrypt = RSA-3072 -+Input = 6db80adb5ff0a768caf1378ecc382a694e7d1bde2eff4ba12c48aaf794ded7a994a5b2b57acec20dbec4ae385c9dd531945c0f197a5496908725fc99d88601a17d3bb0b2d38d2c1c3100f39955a4cb3dbed5a38bf900f23d91e173640e4ec655c84fdfe71fcdb12a386108fcf718c9b7af37d39703e882436224c877a2235e8344fba6c951eb7e2a4d1d1de81fb463ac1b880f6cc0e59ade05c8ce35179ecd09546731fc07b141d3d6b342a97ae747e61a9130f72d37ac5a2c30215b6cbd66c7db893810df58b4c457b4b54f34428247d584e0fa71062446210db08254fb9ead1ba1a393c724bd291f0cf1a7143f32df849051dc896d7d176fef3b57ab6dffd626d0c3044e9edb2e3d012ace202d2581df01bec7e9aa0727a6650dd373d374f0bc0f4a611f8139dfe97d63e70c6188f4df5b672e47c51d8aa567097293fbff127c75ec690b43407578b73c85451710a0cece58fd497d7f7bd36a8a92783ef7dc6265dff52aac8b70340b996508d39217f2783ce6fc91a1cc94bb2ac487b84f62 -+Output = 6d8d3a094ff3afff4c -+ -+Availablein = default -+# an otherwise valid plaintext, but with wrong second byte 
(0x01 instead of 0x02) -+Decrypt = RSA-3072 -+Input = 417328c034458563079a4024817d0150340c34e25ae16dcad690623f702e5c748a6ebb3419ff48f486f83ba9df35c05efbd7f40613f0fc996c53706c30df6bba6dcd4a40825f96133f3c21638a342bd4663dffbd0073980dac47f8c1dd8e97ce1412e4f91f2a8adb1ac2b1071066efe8d718bbb88ca4a59bd61500e826f2365255a409bece0f972df97c3a55e09289ef5fa815a2353ef393fd1aecfc888d611c16aec532e5148be15ef1bf2834b8f75bb26db08b66d2baad6464f8439d1986b533813321dbb180080910f233bcc4dd784fb21871aef41be08b7bfad4ecc3b68f228cb5317ac6ec1227bc7d0e452037ba918ee1da9fdb8393ae93b1e937a8d4691a17871d5092d2384b6190a53df888f65b951b05ed4ad57fe4b0c6a47b5b22f32a7f23c1a234c9feb5d8713d949686760680da4db454f4acad972470033472b9864d63e8d23eefc87ebcf464ecf33f67fbcdd48eab38c5292586b36aef5981ed2fa07b2f9e23fc57d9eb71bfff4111c857e9fff23ceb31e72592e70c874b4936 -+Output = c6ae80ffa80bc184b0 -+ -+Availablein = default -+# an otherwise valid plaintext, but with zero byte in first byte of padding -+Decrypt = RSA-3072 -+Input = 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 -+Output = a8a9301daa01bb25c7 -+ -+Availablein = default -+# an otherwise valid plaintext, but with zero byte in eight byte of padding -+Decrypt = RSA-3072 -+Input = 449dfa237a70a99cb0351793ec8677882021c2aa743580bf6a0ea672055cffe8303ac42855b1d1f3373aae6af09cb9074180fc963e9d1478a4f98b3b4861d3e7f0aa8560cf603711f139db77667ca14ba3a1acdedfca9ef4603d6d7eb0645bfc805304f9ad9d77d34762ce5cd84bd3ec9d35c30e3be72a1e8d355d5674a141b5530659ad64ebb6082e6f73a80832ab6388912538914654d34602f4b3b1c78589b4a5d964b2efcca1dc7004c41f6cafcb5a7159a7fc7c0398604d0edbd4c8f4f04067da6a153a05e7cbeea13b5ee412400ef7d4f3106f4798da707ec37a11286df2b7a204856d5ff773613fd1e453a7114b78e347d3e8078e1cb3276b3562486ba630bf719697e0073a123c3e60ebb5c7a1ccff4279faffa2402bc1109f8d559d6766e73591943dfcf25ba10c3762f02af85187799b8b4b135c3990793a6fd32642f1557405ba55cc7cf7336a0e967073c5fa50743f9cc5e3017c172d9898d2af83345e71b3e0c22ab791eacb6484a32ec60ebc226ec9deaee91b1a0560c2b571 -+Output = 
6c716fe01d44398018
-+
-+Availablein = default
-+# an otherwise valid plaintext, but with null separator missing
-+Decrypt = RSA-3072
-+Input = 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
-+Output = aa2de6cde4e2442884
-+
- # RSA PSS key tests
- 
- # PSS only key, no parameter restrictions
--- 
-2.41.0
- 
diff --git a/SPECS-EXTENDED/openssl-fips-provider/configuration-prefix.h b/SPECS-EXTENDED/openssl-fips-provider/configuration-prefix.h
deleted file mode 100644
index 13b6e231d88..00000000000
--- a/SPECS-EXTENDED/openssl-fips-provider/configuration-prefix.h
+++ /dev/null
@@ -1,7 +0,0 @@
-/* Prepended at openssl package build-time. Don't include this file directly,
- * use instead. */
-
-#ifndef openssl_conf_multilib_redirection_h
-#error "Don't include this file directly, use instead!"
-#endif
-
diff --git a/SPECS-EXTENDED/openssl-fips-provider/configuration-switch.h b/SPECS-EXTENDED/openssl-fips-provider/configuration-switch.h
deleted file mode 100644
index 1c4d2380705..00000000000
--- a/SPECS-EXTENDED/openssl-fips-provider/configuration-switch.h
+++ /dev/null
@@ -1,47 +0,0 @@
-/* This file is here to prevent a file conflict on multiarch systems. A
- * conflict will frequently occur because arch-specific build-time
- * configuration options are stored (and used, so they can't just be stripped
- * out) in configuration.h. The original configuration.h has been renamed.
- * DO NOT INCLUDE THE NEW FILE DIRECTLY -- ALWAYS INCLUDE THIS ONE INSTEAD. */
-
-#ifdef openssl_conf_multilib_redirection_h
-#error "Do not define openssl_conf_multilib_redirection_h!"
-#endif
-#define openssl_conf_multilib_redirection_h
-
-#if defined(__i386__)
-#include "configuration-i386.h"
-#elif defined(__ia64__)
-#include "configuration-ia64.h"
-#elif defined(__mips64) && defined(__MIPSEL__)
-#include "configuration-mips64el.h"
-#elif defined(__mips64)
-#include "configuration-mips64.h"
-#elif defined(__mips) && defined(__MIPSEL__)
-#include "configuration-mipsel.h"
-#elif defined(__mips)
-#include "configuration-mips.h"
-#elif defined(__powerpc64__)
-#include
-#if __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__
-#include "configuration-ppc64.h"
-#else
-#include "configuration-ppc64le.h"
-#endif
-#elif defined(__powerpc__)
-#include "configuration-ppc.h"
-#elif defined(__s390x__)
-#include "configuration-s390x.h"
-#elif defined(__s390__)
-#include "configuration-s390.h"
-#elif defined(__sparc__) && defined(__arch64__)
-#include "configuration-sparc64.h"
-#elif defined(__sparc__)
-#include "configuration-sparc.h"
-#elif defined(__x86_64__)
-#include "configuration-x86_64.h"
-#else
-#error "The openssl-devel package does not work your architecture?"
-#endif
-
-#undef openssl_conf_multilib_redirection_h
diff --git a/SPECS-EXTENDED/openssl-fips-provider/fips_prov.cnf b/SPECS-EXTENDED/openssl-fips-provider/fips_prov.cnf
deleted file mode 100644
index 6e646cba48e..00000000000
--- a/SPECS-EXTENDED/openssl-fips-provider/fips_prov.cnf
+++ /dev/null
@@ -1,5 +0,0 @@
-# Matches Fedora's config.
-# Does not need to be included from openss.cnf because it's manually loaded.
-[fips_prov_sect]
-tls1-prf-ems-check = 1
-activate = 1
diff --git a/SPECS-EXTENDED/openssl-fips-provider/fixpatch b/SPECS-EXTENDED/openssl-fips-provider/fixpatch
deleted file mode 100755
index bf5eb67a2a8..00000000000
--- a/SPECS-EXTENDED/openssl-fips-provider/fixpatch
+++ /dev/null
@@ -1,15 +0,0 @@
-#!/bin/sh
-# Fixes patch from upstream tracker view
-gawk '
-BEGIN {
- dir=""
-}
-/^Index: openssl\// {
- dir = $2
-}
-/^(---|\+\+\+)/ {
- $2 = dir
-}
-{
- print
-}'
diff --git a/SPECS-EXTENDED/openssl-fips-provider/genpatches b/SPECS-EXTENDED/openssl-fips-provider/genpatches
deleted file mode 100755
index 60c36a477d2..00000000000
--- a/SPECS-EXTENDED/openssl-fips-provider/genpatches
+++ /dev/null
@@ -1,26 +0,0 @@
-#!/bin/bash
-
-if [ $# -ne 2 ] ; then
- echo "Usage:"
- echo " $0 "
- exit 1
-fi
-
-git_dir="$1"
-base_tag="$2"
-
-target_dir="$(pwd)"
-
-pushd "$git_dir" >/dev/null
-git format-patch -k -o "$target_dir" "$base_tag" >/dev/null
-popd >/dev/null
-
-echo "# Patches exported from source git"
-
-i=1
-for p in *.patch ; do
- printf "# "
- sed '/^Subject:/{s/^Subject: //;p};d' "$p"
- printf "Patch%s: %s\n" $i "$p"
- i=$(($i + 1))
-done
diff --git a/SPECS-EXTENDED/openssl-fips-provider/openssl-fips-provider.spec b/SPECS-EXTENDED/openssl-fips-provider/openssl-fips-provider.spec
index bff938b1779..34dd3c593a2 100644
--- a/SPECS-EXTENDED/openssl-fips-provider/openssl-fips-provider.spec
+++ b/SPECS-EXTENDED/openssl-fips-provider/openssl-fips-provider.spec
@@ -9,63 +9,63 @@ Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl-fips-provider Version: 3.1.2 -Release: 1%{?dist} +Release: 2%{?dist} Vendor: Microsoft Corporation Distribution: Azure Linux Source: https://github.com/openssl/openssl/releases/download/openssl-%{version}/openssl-%{version}.tar.gz Source2: Makefile.certificate -Source3: genpatches -Source9: configuration-switch.h -Source10: configuration-prefix.h +# Source3: genpatches +# Source9: configuration-switch.h +# Source10: configuration-prefix.h Source14: 0025-for-tests.patch -Source15: fips_prov.cnf +# Source15: fips_prov.cnf # Use more general default values in openssl.cnf -Patch2: 0002-Use-more-general-default-values-in-openssl.cnf.patch +# Patch2: 0002-Use-more-general-default-values-in-openssl.cnf.patch # # Do not install html docs -Patch3: 0003-Do-not-install-html-docs-3.1.2-AZL.patch +# Patch3: 0003-Do-not-install-html-docs-3.1.2-AZL.patch # # Override default paths for the CA directory tree # AZL: NOTE: We do not use crypto-policies, so this patch does not apply. 
# Patch4: 0004-Override-default-paths-for-the-CA-directory-tree.patch # # apps/ca: fix md option help text -Patch5: 0005-apps-ca-fix-md-option-help-text.patch +# Patch5: 0005-apps-ca-fix-md-option-help-text.patch # # Disable signature verification with totally unsafe hash algorithms -Patch6: 0006-Disable-signature-verification-with-totally-unsafe-h.patch +# Patch6: 0006-Disable-signature-verification-with-totally-unsafe-h.patch # Add FIPS_mode() compatibility macro -Patch8: 0008-Add-FIPS_mode-compatibility-macro-3.1.4-fedora.patch +# Patch8: 0008-Add-FIPS_mode-compatibility-macro-3.1.4-fedora.patch # # Add check to see if fips flag is enabled in kernel -Patch9: 0009-Add-Kernel-FIPS-mode-flag-support-3.1.4-fedora.patch +# Patch9: 0009-Add-Kernel-FIPS-mode-flag-support-3.1.4-fedora.patch # # Add support for PROFILE=SYSTEM system default cipherlist # AZL: NOTE: We do not use crypto-policies, so this patch does not apply. # Patch7: 0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch # # Instead of replacing ectest.c and ec_curve.c, add the changes as a patch so # # that new modifications made to these files by upstream are not lost. 
-Patch10: 0010-Add-changes-to-ectest-and-eccurve-3.1.4-fedora.patch +# Patch10: 0010-Add-changes-to-ectest-and-eccurve-3.1.4-fedora.patch # # remove unsupported EC curves -Patch11: 0011-Remove-EC-curves-3.1.4-fedora.patch +# Patch11: 0011-Remove-EC-curves-3.1.4-fedora.patch # # Disable explicit EC curves # # https://bugzilla.redhat.com/show_bug.cgi?id=2066412 -Patch12: 0012-Disable-explicit-ec.patch +# Patch12: 0012-Disable-explicit-ec.patch # # Skipped tests from former 0011-Remove-EC-curves.patch -Patch13: 0013-skipped-tests-EC-curves-3.1.4-fedora.patch +# Patch13: 0013-skipped-tests-EC-curves-3.1.4-fedora.patch # # Instructions to load legacy provider in openssl.cnf # AZL: NOTE: Had to change this patch because of cascading changes from previous AZL note(s) -Patch24: 0024-load-legacy-prov.patch +# Patch24: 0024-load-legacy-prov.patch # # Load the SymCrypt provider by default if present in non-FIPS mode, # # and always load it implicitly in FIPS mode -Patch32: 0032-Force-fips-3.1.2-AZL3-TEMP-SYMCRYPT.patch +# Patch32: 0032-Force-fips-3.1.2-AZL3-TEMP-SYMCRYPT.patch # # Embed HMAC into the fips.so -Patch33: 0033-FIPS-embed-hmac-3.1.2-AZL.patch +# Patch33: 0033-FIPS-embed-hmac-3.1.2-AZL.patch # # Comment out fipsinstall command-line utility -Patch34: 0034.fipsinstall_disable-3.1.4-fedora.patch +# Patch34: 0034.fipsinstall_disable-3.1.4-fedora.patch # # Skip unavailable algorithms running `openssl speed` -Patch35: 0035-speed-skip-unavailable-dgst.patch +# Patch35: 0035-speed-skip-unavailable-dgst.patch # # Selectively disallow SHA1 signatures rhbz#2070977 -Patch49: 0049-Allow-disabling-of-SHA1-signatures-3.1.2-AZL.patch +# Patch49: 0049-Allow-disabling-of-SHA1-signatures-3.1.2-AZL.patch # # Support SHA1 in TLS in LEGACY crypto-policy (which is SECLEVEL=1) -Patch52: 0052-Allow-SHA1-in-seclevel-1-if-rh-allow-sha1-signatures-3.1.4-fedora.patch +# Patch52: 0052-Allow-SHA1-in-seclevel-1-if-rh-allow-sha1-signatures-3.1.4-fedora.patch # # See notes in the patch for details, 
but this patch will not be needed if # # the openssl issue https://github.com/openssl/openssl/issues/7048 is ever implemented and released. -Patch80: 0001-Replacing-deprecated-functions-with-NULL-or-highest.patch +# Patch80: 0001-Replacing-deprecated-functions-with-NULL-or-highest.patch License: Apache-2.0 URL: http://www.openssl.org/ @@ -92,6 +92,7 @@ BuildRequires: perl(Test::Harness) BuildRequires: perl(Test::More) BuildRequires: perl(Time::Piece) +Requires: openssl >= 3.3.5-4 Conflicts: SymCrypt-OpenSSL %description @@ -119,53 +120,8 @@ export HASHBANGPERL=/usr/bin/perl --openssldir=%{_sysconfdir}/pki/tls \ --libdir=lib \ shared \ - no-aria \ - enable-bf \ - no-blake2 \ - enable-camellia \ - no-capieng \ - enable-cast \ - no-chacha \ - enable-cms \ - no-comp \ - enable-ct \ - enable-deprecated \ - enable-des \ - enable-dh \ - enable-dsa \ - no-dtls1 \ - no-ec2m \ - enable-ec_nistp_64_gcc_128 \ - enable-ecdh \ - enable-ecdsa \ enable-fips \ - no-gost \ - no-idea \ - no-mdc2 \ - no-md2 \ - enable-md4 \ - no-poly1305 \ - enable-rc2 \ - enable-rc4 \ - enable-rc5 \ - no-rfc3779 \ - enable-rmd160 \ - no-sctp \ - no-seed \ - no-siphash \ - no-sm2 \ - no-sm3 \ - no-sm4 \ - no-ssl \ - no-ssl3 \ - no-weak-ssl-ciphers \ - no-whirlpool \ - no-zlib \ - no-zlib-dynamic \ - enable-ktls \ enable-buildtest-c++ \ - $NEW_RPM_OPT_FLAGS \ - '-DDEVRANDOM="\"/dev/urandom\""'\ -Wl,--allow-multiple-definition make -s %{?_smp_mflags} all 
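Review bot: Dropping `$NEW_RPM_OPT_FLAGS` from the Configure invocation means fips.so is now compiled and linked with OpenSSL's own defaults rather than the distribution's hardening flags, and nothing in the hunk records whether that is intended. If the goal is to reproduce the build documented for the validated module, say so next to `enable-fips \`, e.g. `# No distro opt flags on purpose: fips.so must be built as validated upstream`; if not, the flags should stay, since this object is loaded into FIPS-mode processes system-wide. The `'-DDEVRANDOM=...'` override is gone as well, so the entropy device list presumably reverts to OpenSSL's compiled-in default, which deserves a changelog line. The Configure command itself starts before this hunk.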
@@ -189,26 +145,21 @@ export OPENSSL_ENABLE_SHA1_SIGNATURES %endif OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file export OPENSSL_SYSTEM_CIPHERS_OVERRIDE -#embed HMAC into fips provider for test run -OPENSSL_CONF=/dev/null LD_LIBRARY_PATH=. apps/openssl dgst -binary -sha256 -mac HMAC -macopt hexkey:f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 < providers/fips.so > providers/fips.so.hmac -objcopy --update-section .rodata1=providers/fips.so.hmac providers/fips.so providers/fips.so.mac -mv providers/fips.so.mac providers/fips.so -#run tests itself +# Generate fipsmodule.cnf for the unstripped test fips.so +OPENSSL_CONF=/dev/null LD_LIBRARY_PATH=. apps/openssl fipsinstall \ + -module providers/fips.so \ + -out test/fipsmodule.cnf +# Run tests make test HARNESS_JOBS=8 -# Add generation of HMAC checksum of the final stripped library -# We manually copy standard definition of __spec_install_post -# and add hmac calculation/embedding to fips.so +# Run fipsinstall against the stripped fips.so to generate fipsmodule.cnf %define __spec_install_post \ %{?__debug_package:%{__debug_install_post}} \ %{__arch_install_post} \ %{__os_install_post} \ - set -x \ - OPENSSL_CONF=/dev/null LD_LIBRARY_PATH=. apps/openssl dgst -binary -sha256 -mac HMAC -macopt hexkey:f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 < $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so > $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac \ - objcopy --update-section .rodata1=$RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.mac \ - mv $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.mac $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so \ - rm $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac \ - set +x \ + mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls \ + OPENSSL_CONF=/dev/null LD_LIBRARY_PATH=. 
apps/openssl fipsinstall -module $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so -out $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/fips_prov.cnf \ + sed -i 's/\\[fips_sect\\]/[fips_prov_sect]/' $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/fips_prov.cnf \ %{nil} %define __provides_exclude_from %{_libdir}/openssl @@ -253,9 +204,6 @@ touch -r %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/ct_log_list.cnf rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl.cnf.dist rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/ct_log_list.cnf.dist -# We don't use native fipsmodule.cnf because FIPS module is loaded automatically -rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/fipsmodule.cnf - # Determine which arch opensslconf.h is going to try to #include. basearch=%{_arch} %ifarch %{ix86} @@ -275,26 +223,11 @@ sed -i '/^\#ifndef OPENSSL_NO_SSL_TRACE/i\ # define OPENSSL_NO_SSL3\ #endif' $RPM_BUILD_ROOT/%{_prefix}/include/openssl/opensslconf.h -%ifarch %{multilib_arches} -# Do an configuration.h switcheroo to avoid file conflicts on systems where you -# can have both a 32- and 64-bit version of the library, and they each need -# their own correct-but-different versions of opensslconf.h to be usable. -install -m644 %{SOURCE10} \ - $RPM_BUILD_ROOT/%{_prefix}/include/openssl/configuration-${basearch}.h -cat $RPM_BUILD_ROOT/%{_prefix}/include/openssl/configuration.h >> \ - $RPM_BUILD_ROOT/%{_prefix}/include/openssl/configuration-${basearch}.h -install -m644 %{SOURCE9} \ - $RPM_BUILD_ROOT/%{_prefix}/include/openssl/configuration.h -%endif - # Delete everything but fips.so, since that's all we ship. # To do this, we delete all files and links that aren't fips.so. find $RPM_BUILD_ROOT -type f ! -name fips.so -delete find $RPM_BUILD_ROOT -type l ! -name fips.so -delete -# Now add our fips_prov.cnf file -install -m644 %{SOURCE15} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/fips_prov.cnf - # Clean up any empty directories left over from the deletions above. find $RPM_BUILD_ROOT -type d -empty -delete 
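Review bot: The generated config silently relaxes the TLS1-PRF EMS setting: the deleted fips_prov.cnf pinned `tls1-prf-ems-check = 1`, while `openssl fipsinstall` emits that key as 0 unless it is invoked with `-ems_check`, so both the test-time `test/fipsmodule.cnf` and the shipped `fips_prov.cnf` drop enforcement the previous release had. Add the flag to both invocations, e.g. `apps/openssl fipsinstall -ems_check -module providers/fips.so -out test/fipsmodule.cnf`, and likewise in the PATCH 2/3 hunk `@@ -158,8 +107,7 @@` that rewrites the install-time command; then diff the generated file against the old one before shipping. A comment above `%define __spec_install_post` should also state that the `module-mac` in the output is bound to the stripped bytes of fips.so, which is why this step must remain after `%{__os_install_post}`.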
diff --git a/SPECS-EXTENDED/openssl-fips-provider/prevent-unsupported-calls-into-symcrypt-in-speed.patch b/SPECS-EXTENDED/openssl-fips-provider/prevent-unsupported-calls-into-symcrypt-in-speed.patch
deleted file mode 100644
index 50e8b437fb2..00000000000
--- a/SPECS-EXTENDED/openssl-fips-provider/prevent-unsupported-calls-into-symcrypt-in-speed.patch
+++ /dev/null
@@ -1,163 +0,0 @@ -From 4576a24fbe145ea200b9f9eb7e1854c61932e8b6 Mon Sep 17 00:00:00 2001 -From: Tobias Brick -Date: Tue, 25 Feb 2025 21:52:41 +0000 -Subject: [PATCH] prevent unsupported calls into symcrypt in speed - ---- - apps/speed.c | 46 ++++++++++++++++++++++++++++++++++++++++++++-- - 1 file changed, 44 insertions(+), 2 deletions(-) - -diff --git a/apps/speed.c b/apps/speed.c -index 8c3342e..b4e966d 100644 ---- a/apps/speed.c -+++ b/apps/speed.c -@@ -27,6 +27,9 @@ - /* We need to use some deprecated APIs */ - #define OPENSSL_SUPPRESS_DEPRECATED - -+/* AZL3-Specific: Only run tests that work with the SymCrypt provider. */ -+#define AZL3_SYMCRYPT_PROVIDER -+ - #include - #include - #include -@@ -383,15 +386,24 @@ static double rsa_results[RSA_NUM][4]; /* 4 ops: sign, verify, encrypt, decrypt - - #ifndef OPENSSL_NO_DH - enum ff_params_t { -- R_FFDH_2048, R_FFDH_3072, R_FFDH_4096, R_FFDH_6144, R_FFDH_8192, FFDH_NUM -+ R_FFDH_2048, -+ R_FFDH_3072, -+ R_FFDH_4096, -+#ifndef AZL3_SYMCRYPT_PROVIDER -+ R_FFDH_6144, -+ R_FFDH_8192, -+#endif /* AZL3_SYMCRYPT_PROVIDER */ -+ FFDH_NUM, - }; - - static const OPT_PAIR ffdh_choices[FFDH_NUM] = { - {"ffdh2048", R_FFDH_2048}, - {"ffdh3072", R_FFDH_3072}, - {"ffdh4096", R_FFDH_4096}, -+#ifndef AZL3_SYMCRYPT_PROVIDER - {"ffdh6144", R_FFDH_6144}, - {"ffdh8192", R_FFDH_8192}, -+#endif /* AZL3_SYMCRYPT_PROVIDER */ - }; - - static double ffdh_results[FFDH_NUM][1]; /* 1 op: derivation */ -@@ -403,8 +415,11 @@ enum ec_curves_t { - R_EC_K163, R_EC_K233, R_EC_K283, R_EC_K409, R_EC_K571, - R_EC_B163, R_EC_B233, R_EC_B283, R_EC_B409, R_EC_B571, - #endif -+#ifndef AZL3_SYMCRYPT_PROVIDER - R_EC_BRP256R1, R_EC_BRP256T1, R_EC_BRP384R1, R_EC_BRP384T1, -- R_EC_BRP512R1, R_EC_BRP512T1, ECDSA_NUM -+ R_EC_BRP512R1, R_EC_BRP512T1, -+#endif /* AZL3_SYMCRYPT_PROVIDER */ -+ ECDSA_NUM - }; - /* list of ecdsa curves */ - static const OPT_PAIR ecdsa_choices[ECDSA_NUM] = { -@@ -424,12 +439,14 @@ static const OPT_PAIR ecdsa_choices[ECDSA_NUM] = { - 
{"ecdsab409", R_EC_B409}, - {"ecdsab571", R_EC_B571}, - #endif -+#ifndef AZL3_SYMCRYPT_PROVIDER - {"ecdsabrp256r1", R_EC_BRP256R1}, - {"ecdsabrp256t1", R_EC_BRP256T1}, - {"ecdsabrp384r1", R_EC_BRP384R1}, - {"ecdsabrp384t1", R_EC_BRP384T1}, - {"ecdsabrp512r1", R_EC_BRP512R1}, - {"ecdsabrp512t1", R_EC_BRP512T1} -+#endif /* AZL3_SYMCRYPT_PROVIDER */ - }; - enum { - #ifndef OPENSSL_NO_ECX -@@ -456,12 +473,14 @@ static const OPT_PAIR ecdh_choices[EC_NUM] = { - {"ecdhb409", R_EC_B409}, - {"ecdhb571", R_EC_B571}, - #endif -+#ifndef AZL3_SYMCRYPT_PROVIDER - {"ecdhbrp256r1", R_EC_BRP256R1}, - {"ecdhbrp256t1", R_EC_BRP256T1}, - {"ecdhbrp384r1", R_EC_BRP384R1}, - {"ecdhbrp384t1", R_EC_BRP384T1}, - {"ecdhbrp512r1", R_EC_BRP512R1}, - {"ecdhbrp512t1", R_EC_BRP512T1}, -+#endif /* AZL3_SYMCRYPT_PROVIDER */ - #ifndef OPENSSL_NO_ECX - {"ecdhx25519", R_EC_X25519}, - {"ecdhx448", R_EC_X448} -@@ -1806,8 +1825,10 @@ int speed_main(int argc, char **argv) - {"ffdh2048", NID_ffdhe2048, 2048}, - {"ffdh3072", NID_ffdhe3072, 3072}, - {"ffdh4096", NID_ffdhe4096, 4096}, -+#ifndef AZL3_SYMCRYPT_PROVIDER - {"ffdh6144", NID_ffdhe6144, 6144}, - {"ffdh8192", NID_ffdhe8192, 8192} -+#endif /* AZL3_SYMCRYPT_PROVIDER */ - }; - uint8_t ffdh_doit[FFDH_NUM] = { 0 }; - -@@ -1839,12 +1860,14 @@ int speed_main(int argc, char **argv) - {"nistb409", NID_sect409r1, 409}, - {"nistb571", NID_sect571r1, 571}, - #endif -+#ifndef AZL3_SYMCRYPT_PROVIDER - {"brainpoolP256r1", NID_brainpoolP256r1, 256}, - {"brainpoolP256t1", NID_brainpoolP256t1, 256}, - {"brainpoolP384r1", NID_brainpoolP384r1, 384}, - {"brainpoolP384t1", NID_brainpoolP384t1, 384}, - {"brainpoolP512r1", NID_brainpoolP512r1, 512}, - {"brainpoolP512t1", NID_brainpoolP512t1, 512}, -+#endif /* AZL3_SYMCRYPT_PROVIDER */ - #ifndef OPENSSL_NO_ECX - /* Other and ECDH only ones */ - {"X25519", NID_X25519, 253}, -@@ -1885,8 +1908,13 @@ int speed_main(int argc, char **argv) - OPENSSL_assert(ec_curves[EC_NUM - 1].nid == NID_X448); - 
OPENSSL_assert(strcmp(ecdh_choices[EC_NUM - 1].name, "ecdhx448") == 0); - -+#ifdef AZL3_SYMCRYPT_PROVIDER -+ OPENSSL_assert(ec_curves[ECDSA_NUM - 1].nid == NID_secp521r1); -+ OPENSSL_assert(strcmp(ecdsa_choices[ECDSA_NUM - 1].name, "ecdsap521") == 0); -+#else - OPENSSL_assert(ec_curves[ECDSA_NUM - 1].nid == NID_brainpoolP512t1); - OPENSSL_assert(strcmp(ecdsa_choices[ECDSA_NUM - 1].name, "ecdsabrp512t1") == 0); -+#endif /* AZL3_SYMCRYPT_PROVIDER */ - #endif /* OPENSSL_NO_ECX */ - - #ifndef OPENSSL_NO_SM2 -@@ -2066,6 +2094,13 @@ int speed_main(int argc, char **argv) - goto end; - } - for (i = 0; i < OSSL_NELEM(rsa_choices); i++) { -+#ifdef AZL3_SYMCRYPT_PROVIDER -+ /* SymCrypt only supports 1024 and above */ -+ if (strcmp(rsa_choices[i].name, "rsa512") == 0) { -+ continue; -+ } -+#endif /* AZL3_SYMCRYPT_PROVIDER */ -+ - kems_doit[kems_algs_len] = 1; - kems_algname[kems_algs_len++] = OPENSSL_strdup(rsa_choices[i].name); - } -@@ -2111,6 +2146,13 @@ int speed_main(int argc, char **argv) - goto end; - } - for (i = 0; i < OSSL_NELEM(rsa_choices); i++) { -+#ifdef AZL3_SYMCRYPT_PROVIDER -+ /* SymCrypt only supports 1024 and above */ -+ if (strcmp(rsa_choices[i].name, "rsa512") == 0) { -+ continue; -+ } -+#endif /* AZL3_SYMCRYPT_PROVIDER */ -+ - sigs_doit[sigs_algs_len] = 1; - sigs_algname[sigs_algs_len++] = OPENSSL_strdup(rsa_choices[i].name); - } --- -2.45.3 - From 44c22e435119238c308b9b69a2bbe0570a96cc28 Mon Sep 17 00:00:00 2001 
From: Lynsey Rydberg Date: Fri, 3 Apr 2026 16:28:08 -0700 Subject: [PATCH 2/3] refactor(openssl): use upstream fipsmodule.cnf naming for FIPS provider Update openssl 3.3.7 patch 0032 to load fipsmodule.cnf with [fips_sect] instead of fips_prov.cnf with [fips_prov_sect], aligning with upstream OpenSSL naming. Update openssl-fips-provider to match. Bump openssl to 3.3.7-2 and update toolkit manifests. Add openssl-fips-provider Requires on openssl >= 3.3.7-2. --- .../openssl-fips-provider.spec | 64 +++---------------- ...rce-fips-symcrypt-or-fips-3.3.5-AZL3.patch | 7 +- SPECS/openssl/openssl.spec | 5 +- 3 files changed, 16 insertions(+), 60 deletions(-) diff --git a/SPECS-EXTENDED/openssl-fips-provider/openssl-fips-provider.spec b/SPECS-EXTENDED/openssl-fips-provider/openssl-fips-provider.spec index 34dd3c593a2..efdb07b742e 100644 --- a/SPECS-EXTENDED/openssl-fips-provider/openssl-fips-provider.spec +++ b/SPECS-EXTENDED/openssl-fips-provider/openssl-fips-provider.spec 
@@ -14,58 +14,7 @@ Vendor: Microsoft Corporation Distribution: Azure Linux Source: https://github.com/openssl/openssl/releases/download/openssl-%{version}/openssl-%{version}.tar.gz Source2: Makefile.certificate -# Source3: genpatches -# Source9: configuration-switch.h -# Source10: configuration-prefix.h Source14: 0025-for-tests.patch -# Source15: fips_prov.cnf -# Use more general default values in openssl.cnf -# Patch2: 0002-Use-more-general-default-values-in-openssl.cnf.patch -# # Do not install html docs -# Patch3: 0003-Do-not-install-html-docs-3.1.2-AZL.patch -# # Override default paths for the CA directory tree -# AZL: NOTE: We do not use crypto-policies, so this patch does not apply. -# Patch4: 0004-Override-default-paths-for-the-CA-directory-tree.patch -# # apps/ca: fix md option help text -# Patch5: 0005-apps-ca-fix-md-option-help-text.patch -# # Disable signature verification with totally unsafe hash algorithms -# Patch6: 0006-Disable-signature-verification-with-totally-unsafe-h.patch -# Add FIPS_mode() compatibility macro -# Patch8: 0008-Add-FIPS_mode-compatibility-macro-3.1.4-fedora.patch -# # Add check to see if fips flag is enabled in kernel -# Patch9: 0009-Add-Kernel-FIPS-mode-flag-support-3.1.4-fedora.patch -# # Add support for PROFILE=SYSTEM system default cipherlist -# AZL: NOTE: We do not use crypto-policies, so this patch does not apply. -# Patch7: 0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch -# # Instead of replacing ectest.c and ec_curve.c, add the changes as a patch so -# # that new modifications made to these files by upstream are not lost. 
-# Patch10: 0010-Add-changes-to-ectest-and-eccurve-3.1.4-fedora.patch -# # remove unsupported EC curves -# Patch11: 0011-Remove-EC-curves-3.1.4-fedora.patch -# # Disable explicit EC curves -# # https://bugzilla.redhat.com/show_bug.cgi?id=2066412 -# Patch12: 0012-Disable-explicit-ec.patch -# # Skipped tests from former 0011-Remove-EC-curves.patch -# Patch13: 0013-skipped-tests-EC-curves-3.1.4-fedora.patch -# # Instructions to load legacy provider in openssl.cnf -# AZL: NOTE: Had to change this patch because of cascading changes from previous AZL note(s) -# Patch24: 0024-load-legacy-prov.patch -# # Load the SymCrypt provider by default if present in non-FIPS mode, -# # and always load it implicitly in FIPS mode -# Patch32: 0032-Force-fips-3.1.2-AZL3-TEMP-SYMCRYPT.patch -# # Embed HMAC into the fips.so -# Patch33: 0033-FIPS-embed-hmac-3.1.2-AZL.patch -# # Comment out fipsinstall command-line utility -# Patch34: 0034.fipsinstall_disable-3.1.4-fedora.patch -# # Skip unavailable algorithms running `openssl speed` -# Patch35: 0035-speed-skip-unavailable-dgst.patch -# # Selectively disallow SHA1 signatures rhbz#2070977 -# Patch49: 0049-Allow-disabling-of-SHA1-signatures-3.1.2-AZL.patch -# # Support SHA1 in TLS in LEGACY crypto-policy (which is SECLEVEL=1) -# Patch52: 0052-Allow-SHA1-in-seclevel-1-if-rh-allow-sha1-signatures-3.1.4-fedora.patch -# # See notes in the patch for details, but this patch will not be needed if -# # the openssl issue https://github.com/openssl/openssl/issues/7048 is ever implemented and released. -# Patch80: 0001-Replacing-deprecated-functions-with-NULL-or-highest.patch License: Apache-2.0 URL: http://www.openssl.org/ @@ -92,7 +41,7 @@ BuildRequires: perl(Test::Harness) BuildRequires: perl(Test::More) BuildRequires: perl(Time::Piece) -Requires: openssl >= 3.3.5-4 +Requires: openssl >= 3.3.7-2 Conflicts: SymCrypt-OpenSSL %description 
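Review bot: `Requires: openssl >= 3.3.7-2` only guards one direction of the config rename: once openssl is upgraded to 3.3.7-2 its patched loader (the `load_fips_certified_provider(..., "fips_sect", 1)` change later in this series) looks for fipsmodule.cnf, but an installed openssl-fips-provider 3.1.2-1 still ships only fips_prov.cnf, so FIPS-mode processes would find no provider config until the provider package is also upgraded. Unless openssl.spec already carries a matching dependency, which is not visible here, add `Conflicts: openssl-fips-provider < 3.1.2-2` to openssl.spec so the two packages move together.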
@@ -158,8 +107,7 @@ make test HARNESS_JOBS=8 %{__arch_install_post} \ %{__os_install_post} \ mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls \ - OPENSSL_CONF=/dev/null LD_LIBRARY_PATH=. apps/openssl fipsinstall -module $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so -out $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/fips_prov.cnf \ - sed -i 's/\\[fips_sect\\]/[fips_prov_sect]/' $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/fips_prov.cnf \ + OPENSSL_CONF=/dev/null LD_LIBRARY_PATH=. apps/openssl fipsinstall -module $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so -out $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/fipsmodule.cnf \ %{nil} %define __provides_exclude_from %{_libdir}/openssl @@ -233,11 +181,17 @@ find $RPM_BUILD_ROOT -type d -empty -delete %files %attr(0755,root,root) %{_libdir}/ossl-modules -%config(noreplace) %{_sysconfdir}/pki/tls/fips_prov.cnf +%config(noreplace) %{_sysconfdir}/pki/tls/fipsmodule.cnf %ldconfig_scriptlets libs %changelog +* Thu Apr 23 2026 Lynsey Rydberg - 3.1.2-2 +- Remove all patches; build unmodified OpenSSL 3.1.2 FIPS provider. +- Use upstream fipsinstall to generate fipsmodule.cnf instead of embedded HMAC. +- Rename config to fipsmodule.cnf with [fips_sect] to align with upstream OpenSSL. +- Require openssl >= 3.3.7-2 for matching config path change. + * Thu Nov 13 2025 Tobias Brick - 3.1.2-1 - Initial implementation of OpenSSL FIPS provider package for AZL. - Copied from Azure Linux 3's openssl.spec diff --git a/SPECS/openssl/0032-Force-fips-symcrypt-or-fips-3.3.5-AZL3.patch b/SPECS/openssl/0032-Force-fips-symcrypt-or-fips-3.3.5-AZL3.patch index 6ada2bab79a..513ff9ff0b8 100644 --- a/SPECS/openssl/0032-Force-fips-symcrypt-or-fips-3.3.5-AZL3.patch +++ b/SPECS/openssl/0032-Force-fips-symcrypt-or-fips-3.3.5-AZL3.patch 
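Review bot: `%config(noreplace)` no longer fits `%{_sysconfdir}/pki/tls/fipsmodule.cnf`: the file is now produced by fipsinstall and carries the `module-mac` of the exact fips.so in this build, so if an administrator has edited it, an upgrade keeps the stale copy (writing the new one as .rpmnew) and the rebuilt provider presumably fails its integrity check at load. Use `%config %{_sysconfdir}/pki/tls/fipsmodule.cnf` so the matching file is always installed and the local edit is preserved as .rpmsave. It is also worth confirming that the openssl 3.3.7 package does not itself install a fipsmodule.cnf at that path (upstream `make install` creates one when built with `enable-fips`), since a file conflict would not be caught by the Requires bump.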
@@ -94,8 +94,8 @@ index 70c9729..5b39131 100644 + + // Config file paths +# define SYMCRYPT_PROV_CONF OPENSSLDIR "/symcrypt_prov.cnf" -+ // Upstream uses fips_local.cnf, we use fips_prov.cnf since we don't use crypto policies. -+# define FIPS_PROV_CONF OPENSSLDIR "/fips_prov.cnf" ++ // Upstream uses fipsmodule.cnf; Fedora uses fips_local.cnf for crypto-policies integration. ++# define FIPS_PROV_CONF OPENSSLDIR "/fipsmodule.cnf" + + // Context and configuration variables. + OSSL_LIB_CTX *libctx = NCONF_get0_libctx((CONF *)cnf); @@ -129,7 +129,7 @@ index 70c9729..5b39131 100644 + // If neither is available, fail. + symcrypt_prov_activated = load_fips_certified_provider(libctx, "symcryptprovider", SYMCRYPT_PROV_CONF, "symcrypt_prov_sect", 1); + if (symcrypt_prov_activated == 0) { -+ fips_prov_activated = load_fips_certified_provider(libctx, "fips", FIPS_PROV_CONF, "fips_prov_sect", 1); ++ fips_prov_activated = load_fips_certified_provider(libctx, "fips", FIPS_PROV_CONF, "fips_sect", 1); + } + + // If we still don't have a FIPS-certified provider, fail. @@ -161,4 +161,3 @@ index 70c9729..5b39131 100644 -- 2.45.4 - diff --git a/SPECS/openssl/openssl.spec b/SPECS/openssl/openssl.spec index c58deef5bc3..e3b0d0988ab 100644 --- a/SPECS/openssl/openssl.spec +++ b/SPECS/openssl/openssl.spec @@ -9,7 +9,7 @@ Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 3.3.7 -Release: 1%{?dist} +Release: 2%{?dist} Vendor: Microsoft Corporation Distribution: Azure Linux Source: https://github.com/openssl/openssl/releases/download/openssl-%{version}/openssl-%{version}.tar.gz @@ -360,6 +360,9 @@ install -m644 %{SOURCE9} \ %ldconfig_scriptlets libs %changelog +* Thu Apr 23 2026 Lynsey Rydberg - 3.3.7-2 +- Rename FIPS provider config from fips_prov.cnf to fipsmodule.cnf to align with upstream OpenSSL. + * Wed Apr 08 2026 Jyoti Kanase - 3.3.7-1 - Upgrade to 3.3.7 - remove unused patches 
From 2511e8fdd8a918f4a356260cff06353cd19a8cdc Mon Sep 17 00:00:00 2001
From: Lynsey Rydberg
Date: Thu, 23 Apr 2026 15:26:42 -0700
Subject: [PATCH 3/3] fix: Update manifest files
---
 .../manifests/package/pkggen_core_aarch64.txt | 10 +++++-----
 .../manifests/package/pkggen_core_x86_64.txt | 10 +++++-----
 .../manifests/package/toolchain_aarch64.txt | 12 ++++++------
 .../resources/manifests/package/toolchain_x86_64.txt | 12 ++++++------
 4 files changed, 22 insertions(+), 22 deletions(-)
diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
index 48358a4649f..4028f8aa42b 100644
--- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
@@ -170,11 +170,11 @@ gtk-doc-1.33.2-1.azl3.noarch.rpm
 autoconf-2.72-2.azl3.noarch.rpm
 automake-1.16.5-2.azl3.noarch.rpm
 ocaml-srpm-macros-9-4.azl3.noarch.rpm
-openssl-3.3.7-1.azl3.aarch64.rpm
-openssl-devel-3.3.7-1.azl3.aarch64.rpm
-openssl-libs-3.3.7-1.azl3.aarch64.rpm
-openssl-perl-3.3.7-1.azl3.aarch64.rpm
-openssl-static-3.3.7-1.azl3.aarch64.rpm
+openssl-3.3.7-2.azl3.aarch64.rpm
+openssl-devel-3.3.7-2.azl3.aarch64.rpm
+openssl-libs-3.3.7-2.azl3.aarch64.rpm
+openssl-perl-3.3.7-2.azl3.aarch64.rpm
+openssl-static-3.3.7-2.azl3.aarch64.rpm
 libcap-2.69-14.azl3.aarch64.rpm
 libcap-devel-2.69-14.azl3.aarch64.rpm
 debugedit-5.0-2.azl3.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
index 3200318718d..e9fb53fd1fe 100644
--- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
@@ -170,11 +170,11 @@ gtk-doc-1.33.2-1.azl3.noarch.rpm
 autoconf-2.72-2.azl3.noarch.rpm
 automake-1.16.5-2.azl3.noarch.rpm
 ocaml-srpm-macros-9-4.azl3.noarch.rpm
-openssl-3.3.7-1.azl3.x86_64.rpm
-openssl-devel-3.3.7-1.azl3.x86_64.rpm
-openssl-libs-3.3.7-1.azl3.x86_64.rpm
-openssl-perl-3.3.7-1.azl3.x86_64.rpm
-openssl-static-3.3.7-1.azl3.x86_64.rpm
+openssl-3.3.7-2.azl3.x86_64.rpm
+openssl-devel-3.3.7-2.azl3.x86_64.rpm
+openssl-libs-3.3.7-2.azl3.x86_64.rpm
+openssl-perl-3.3.7-2.azl3.x86_64.rpm
+openssl-static-3.3.7-2.azl3.x86_64.rpm
 libcap-2.69-14.azl3.x86_64.rpm
 libcap-devel-2.69-14.azl3.x86_64.rpm
 debugedit-5.0-2.azl3.x86_64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt
index 2a39647c90c..0589b69ddab 100644
--- a/toolkit/resources/manifests/package/toolchain_aarch64.txt
+++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@@ -287,12 +287,12 @@ npth-debuginfo-1.6-4.azl3.aarch64.rpm
 npth-devel-1.6-4.azl3.aarch64.rpm
 ntsysv-1.25-1.azl3.aarch64.rpm
 ocaml-srpm-macros-9-4.azl3.noarch.rpm
-openssl-3.3.7-1.azl3.aarch64.rpm
-openssl-debuginfo-3.3.7-1.azl3.aarch64.rpm
-openssl-devel-3.3.7-1.azl3.aarch64.rpm
-openssl-libs-3.3.7-1.azl3.aarch64.rpm
-openssl-perl-3.3.7-1.azl3.aarch64.rpm
-openssl-static-3.3.7-1.azl3.aarch64.rpm
+openssl-3.3.7-2.azl3.aarch64.rpm
+openssl-debuginfo-3.3.7-2.azl3.aarch64.rpm
+openssl-devel-3.3.7-2.azl3.aarch64.rpm
+openssl-libs-3.3.7-2.azl3.aarch64.rpm
+openssl-perl-3.3.7-2.azl3.aarch64.rpm
+openssl-static-3.3.7-2.azl3.aarch64.rpm
 p11-kit-0.25.0-1.azl3.aarch64.rpm
 p11-kit-debuginfo-0.25.0-1.azl3.aarch64.rpm
 p11-kit-devel-0.25.0-1.azl3.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt
index 21c037e56d2..6d93f682aca 100644
--- a/toolkit/resources/manifests/package/toolchain_x86_64.txt
+++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -295,12 +295,12 @@ npth-debuginfo-1.6-4.azl3.x86_64.rpm
 npth-devel-1.6-4.azl3.x86_64.rpm
 ntsysv-1.25-1.azl3.x86_64.rpm
 ocaml-srpm-macros-9-4.azl3.noarch.rpm
-openssl-3.3.7-1.azl3.x86_64.rpm
-openssl-debuginfo-3.3.7-1.azl3.x86_64.rpm
-openssl-devel-3.3.7-1.azl3.x86_64.rpm
-openssl-libs-3.3.7-1.azl3.x86_64.rpm
-openssl-perl-3.3.7-1.azl3.x86_64.rpm
-openssl-static-3.3.7-1.azl3.x86_64.rpm
+openssl-3.3.7-2.azl3.x86_64.rpm
+openssl-debuginfo-3.3.7-2.azl3.x86_64.rpm
+openssl-devel-3.3.7-2.azl3.x86_64.rpm
+openssl-libs-3.3.7-2.azl3.x86_64.rpm
+openssl-perl-3.3.7-2.azl3.x86_64.rpm
+openssl-static-3.3.7-2.azl3.x86_64.rpm
 p11-kit-0.25.0-1.azl3.x86_64.rpm
 p11-kit-debuginfo-0.25.0-1.azl3.x86_64.rpm
 p11-kit-devel-0.25.0-1.azl3.x86_64.rpm