From 8a39cb90e74a7a9d9dedb55fa111c717289c5062 Mon Sep 17 00:00:00 2001 From: Richard W.M. Jones Date: Jun 01 2021 08:03:00 +0000 Subject: Synch to Fedora openssl-1.1.1k-1.fc35 --- diff --git a/.gitignore b/.gitignore index 133cae4..bdea46d 100644 --- a/.gitignore +++ b/.gitignore @@ -10,3 +10,4 @@ openssl-1.0.0a-usa.tar.bz2 /openssl-1.0.2h-hobbled.tar.xz /openssl-1.1.0h-hobbled.tar.xz /openssl-1.1.1c-hobbled.tar.xz +/openssl-1.1.1k-hobbled.tar.xz diff --git a/ec_curve.c b/ec_curve.c index 58f8f3f..9171ed4 100644 --- a/ec_curve.c +++ b/ec_curve.c @@ -1,5 +1,5 @@ /* - * Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2002-2019 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * * Licensed under the OpenSSL license (the "License"). You may not use @@ -9,7 +9,7 @@ */ #include -#include "ec_lcl.h" +#include "ec_local.h" #include #include #include @@ -468,3 +468,115 @@ int EC_curve_nist2nid(const char *name) } return NID_undef; } + +#define NUM_BN_FIELDS 6 +/* + * Validates EC domain parameter data for known named curves. + * This can be used when a curve is loaded explicitly (without a curve + * name) or to validate that domain parameters have not been modified. + * + * Returns: The nid associated with the found named curve, or NID_undef + * if not found. If there was an error it returns -1. + */ +int ec_curve_nid_from_params(const EC_GROUP *group, BN_CTX *ctx) +{ + int ret = -1, nid, len, field_type, param_len; + size_t i, seed_len; + const unsigned char *seed, *params_seed, *params; + unsigned char *param_bytes = NULL; + const EC_CURVE_DATA *data; + const EC_POINT *generator = NULL; + const EC_METHOD *meth; + const BIGNUM *cofactor = NULL; + /* An array of BIGNUMs for (p, a, b, x, y, order) */ + BIGNUM *bn[NUM_BN_FIELDS] = {NULL, NULL, NULL, NULL, NULL, NULL}; + + meth = EC_GROUP_method_of(group); + if (meth == NULL) + return -1; + /* Use the optional named curve nid as a search field */ + nid = EC_GROUP_get_curve_name(group); + field_type = EC_METHOD_get_field_type(meth); + seed_len = EC_GROUP_get_seed_len(group); + seed = EC_GROUP_get0_seed(group); + cofactor = EC_GROUP_get0_cofactor(group); + + BN_CTX_start(ctx); + + /* + * The built-in curves contains data fields (p, a, b, x, y, order) that are + * all zero-padded to be the same size. The size of the padding is + * determined by either the number of bytes in the field modulus (p) or the + * EC group order, whichever is larger. + */ + param_len = BN_num_bytes(group->order); + len = BN_num_bytes(group->field); + if (len > param_len) + param_len = len; + + /* Allocate space to store the padded data for (p, a, b, x, y, order) */ + param_bytes = OPENSSL_malloc(param_len * NUM_BN_FIELDS); + if (param_bytes == NULL) + goto end; + + /* Create the bignums */ + for (i = 0; i < NUM_BN_FIELDS; ++i) { + if ((bn[i] = BN_CTX_get(ctx)) == NULL) + goto end; + } + /* + * Fill in the bn array with the same values as the internal curves + * i.e. the values are p, a, b, x, y, order. + */ + /* Get p, a & b */ + if (!(EC_GROUP_get_curve(group, bn[0], bn[1], bn[2], ctx) + && ((generator = EC_GROUP_get0_generator(group)) != NULL) + /* Get x & y */ + && EC_POINT_get_affine_coordinates(group, generator, bn[3], bn[4], ctx) + /* Get order */ + && EC_GROUP_get_order(group, bn[5], ctx))) + goto end; + + /* + * Convert the bignum array to bytes that are joined together to form + * a single buffer that contains data for all fields. + * (p, a, b, x, y, order) are all zero padded to be the same size. + */ + for (i = 0; i < NUM_BN_FIELDS; ++i) { + if (BN_bn2binpad(bn[i], ¶m_bytes[i*param_len], param_len) <= 0) + goto end; + } + + for (i = 0; i < curve_list_length; i++) { + const ec_list_element curve = curve_list[i]; + + data = curve.data; + /* Get the raw order byte data */ + params_seed = (const unsigned char *)(data + 1); /* skip header */ + params = params_seed + data->seed_len; + + /* Look for unique fields in the fixed curve data */ + if (data->field_type == field_type + && param_len == data->param_len + && (nid <= 0 || nid == curve.nid) + /* check the optional cofactor (ignore if its zero) */ + && (BN_is_zero(cofactor) + || BN_is_word(cofactor, (const BN_ULONG)curve.data->cofactor)) + /* Check the optional seed (ignore if its not set) */ + && (data->seed_len == 0 || seed_len == 0 + || ((size_t)data->seed_len == seed_len + && memcmp(params_seed, seed, seed_len) == 0)) + /* Check that the groups params match the built-in curve params */ + && memcmp(param_bytes, params, param_len * NUM_BN_FIELDS) + == 0) { + ret = curve.nid; + goto end; + } + } + /* Gets here if the group was not found */ + ret = NID_undef; +end: + OPENSSL_free(param_bytes); + BN_CTX_end(ctx); + return ret; +} diff --git a/ectest.c b/ectest.c index 53adf88..e4fd45b 100644 --- a/ectest.c +++ b/ectest.c @@ -1,5 +1,5 @@ /* - * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * * Licensed under the OpenSSL license (the "License"). You may not use @@ -844,6 +844,271 @@ static const unsigned char p521_explicit[] = { 0xbb, 0x6f, 0xb7, 0x1e, 0x91, 0x38, 0x64, 0x09, 0x02, 0x01, 0x01, }; +/* + * Sometime we cannot compare nids for equality, as the built-in curve table + * includes aliases with different names for the same curve. + * + * This function returns TRUE (1) if the checked nids are identical, or if they + * alias to the same curve. FALSE (0) otherwise. + */ +static ossl_inline +int are_ec_nids_compatible(int n1d, int n2d) +{ + int ret = 0; + switch (n1d) { +# ifndef OPENSSL_NO_EC2M + case NID_sect113r1: + case NID_wap_wsg_idm_ecid_wtls4: + ret = (n2d == NID_sect113r1 || n2d == NID_wap_wsg_idm_ecid_wtls4); + break; + case NID_sect163k1: + case NID_wap_wsg_idm_ecid_wtls3: + ret = (n2d == NID_sect163k1 || n2d == NID_wap_wsg_idm_ecid_wtls3); + break; + case NID_sect233k1: + case NID_wap_wsg_idm_ecid_wtls10: + ret = (n2d == NID_sect233k1 || n2d == NID_wap_wsg_idm_ecid_wtls10); + break; + case NID_sect233r1: + case NID_wap_wsg_idm_ecid_wtls11: + ret = (n2d == NID_sect233r1 || n2d == NID_wap_wsg_idm_ecid_wtls11); + break; + case NID_X9_62_c2pnb163v1: + case NID_wap_wsg_idm_ecid_wtls5: + ret = (n2d == NID_X9_62_c2pnb163v1 + || n2d == NID_wap_wsg_idm_ecid_wtls5); + break; +# endif /* OPENSSL_NO_EC2M */ + case NID_secp112r1: + case NID_wap_wsg_idm_ecid_wtls6: + ret = (n2d == NID_secp112r1 || n2d == NID_wap_wsg_idm_ecid_wtls6); + break; + case NID_secp160r2: + case NID_wap_wsg_idm_ecid_wtls7: + ret = (n2d == NID_secp160r2 || n2d == NID_wap_wsg_idm_ecid_wtls7); + break; +# ifdef OPENSSL_NO_EC_NISTP_64_GCC_128 + case NID_secp224r1: + case NID_wap_wsg_idm_ecid_wtls12: + ret = (n2d == NID_secp224r1 || n2d == NID_wap_wsg_idm_ecid_wtls12); + break; +# else + /* + * For SEC P-224 we want to ensure that the SECP nid is returned, as + * that is associated with a specialized method. + */ + case NID_wap_wsg_idm_ecid_wtls12: + ret = (n2d == NID_secp224r1); + break; +# endif /* def(OPENSSL_NO_EC_NISTP_64_GCC_128) */ + + default: + ret = (n1d == n2d); + } + return ret; +} + +/* + * This checks that EC_GROUP_bew_from_ecparameters() returns a "named" + * EC_GROUP for built-in curves. + * + * Note that it is possible to retrieve an alternative alias that does not match + * the original nid. + * + * Ensure that the OPENSSL_EC_EXPLICIT_CURVE ASN1 flag is set. + */ +static int check_named_curve_from_ecparameters(int id) +{ + int ret = 0, nid, tnid; + EC_GROUP *group = NULL, *tgroup = NULL, *tmpg = NULL; + const EC_POINT *group_gen = NULL; + EC_POINT *other_gen = NULL; + BIGNUM *group_cofactor = NULL, *other_cofactor = NULL; + BIGNUM *other_gen_x = NULL, *other_gen_y = NULL; + const BIGNUM *group_order = NULL; + BIGNUM *other_order = NULL; + BN_CTX *bn_ctx = NULL; + static const unsigned char invalid_seed[] = "THIS IS NOT A VALID SEED"; + static size_t invalid_seed_len = sizeof(invalid_seed); + ECPARAMETERS *params = NULL, *other_params = NULL; + EC_GROUP *g_ary[8] = {NULL}; + EC_GROUP **g_next = &g_ary[0]; + ECPARAMETERS *p_ary[8] = {NULL}; + ECPARAMETERS **p_next = &p_ary[0]; + + /* Do some setup */ + nid = curves[id].nid; + TEST_note("Curve %s", OBJ_nid2sn(nid)); + if (!TEST_ptr(bn_ctx = BN_CTX_new())) + return ret; + BN_CTX_start(bn_ctx); + + if (/* Allocations */ + !TEST_ptr(group_cofactor = BN_CTX_get(bn_ctx)) + || !TEST_ptr(other_gen_x = BN_CTX_get(bn_ctx)) + || !TEST_ptr(other_gen_y = BN_CTX_get(bn_ctx)) + || !TEST_ptr(other_order = BN_CTX_get(bn_ctx)) + || !TEST_ptr(other_cofactor = BN_CTX_get(bn_ctx)) + /* Generate reference group and params */ + || !TEST_ptr(group = EC_GROUP_new_by_curve_name(nid)) + || !TEST_ptr(params = EC_GROUP_get_ecparameters(group, NULL)) + || !TEST_ptr(group_gen = EC_GROUP_get0_generator(group)) + || !TEST_ptr(group_order = EC_GROUP_get0_order(group)) + || !TEST_true(EC_GROUP_get_cofactor(group, group_cofactor, NULL)) + /* compute `other_*` values */ + || !TEST_ptr(tmpg = EC_GROUP_dup(group)) + || !TEST_ptr(other_gen = EC_POINT_dup(group_gen, group)) + || !TEST_true(EC_POINT_add(group, other_gen, group_gen, group_gen, NULL)) + || !TEST_true(EC_POINT_get_affine_coordinates(group, other_gen, + other_gen_x, other_gen_y, bn_ctx)) + || !TEST_true(BN_copy(other_order, group_order)) + || !TEST_true(BN_add_word(other_order, 1)) + || !TEST_true(BN_copy(other_cofactor, group_cofactor)) + || !TEST_true(BN_add_word(other_cofactor, 1))) + goto err; + + EC_POINT_free(other_gen); + other_gen = NULL; + + if (!TEST_ptr(other_gen = EC_POINT_new(tmpg)) + || !TEST_true(EC_POINT_set_affine_coordinates(tmpg, other_gen, + other_gen_x, other_gen_y, + bn_ctx))) + goto err; + + /* + * ########################### + * # Actual tests start here # + * ########################### + */ + + /* + * Creating a group from built-in explicit parameters returns a + * "named" EC_GROUP + */ + if (!TEST_ptr(tgroup = *g_next++ = EC_GROUP_new_from_ecparameters(params)) + || !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)) + goto err; + /* + * We cannot always guarantee the names match, as the built-in table + * contains aliases for the same curve with different names. + */ + if (!TEST_true(are_ec_nids_compatible(nid, tnid))) { + TEST_info("nid = %s, tnid = %s", OBJ_nid2sn(nid), OBJ_nid2sn(tnid)); + goto err; + } + /* Ensure that the OPENSSL_EC_EXPLICIT_CURVE ASN1 flag is set. */ + if (!TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup), OPENSSL_EC_EXPLICIT_CURVE)) + goto err; + + /* + * An invalid seed in the parameters should be ignored: expect a "named" + * group. + */ + if (!TEST_int_eq(EC_GROUP_set_seed(tmpg, invalid_seed, invalid_seed_len), + invalid_seed_len) + || !TEST_ptr(other_params = *p_next++ = + EC_GROUP_get_ecparameters(tmpg, NULL)) + || !TEST_ptr(tgroup = *g_next++ = + EC_GROUP_new_from_ecparameters(other_params)) + || !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef) + || !TEST_true(are_ec_nids_compatible(nid, tnid)) + || !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup), + OPENSSL_EC_EXPLICIT_CURVE)) { + TEST_info("nid = %s, tnid = %s", OBJ_nid2sn(nid), OBJ_nid2sn(tnid)); + goto err; + } + + /* + * A null seed in the parameters should be ignored, as it is optional: + * expect a "named" group. + */ + if (!TEST_int_eq(EC_GROUP_set_seed(tmpg, NULL, 0), 1) + || !TEST_ptr(other_params = *p_next++ = + EC_GROUP_get_ecparameters(tmpg, NULL)) + || !TEST_ptr(tgroup = *g_next++ = + EC_GROUP_new_from_ecparameters(other_params)) + || !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef) + || !TEST_true(are_ec_nids_compatible(nid, tnid)) + || !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup), + OPENSSL_EC_EXPLICIT_CURVE)) { + TEST_info("nid = %s, tnid = %s", OBJ_nid2sn(nid), OBJ_nid2sn(tnid)); + goto err; + } + + /* + * Check that changing any of the generator parameters does not yield a + * match with the built-in curves + */ + if (/* Other gen, same group order & cofactor */ + !TEST_true(EC_GROUP_set_generator(tmpg, other_gen, group_order, + group_cofactor)) + || !TEST_ptr(other_params = *p_next++ = + EC_GROUP_get_ecparameters(tmpg, NULL)) + || !TEST_ptr(tgroup = *g_next++ = + EC_GROUP_new_from_ecparameters(other_params)) + || !TEST_int_eq((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef) + /* Same gen & cofactor, different order */ + || !TEST_true(EC_GROUP_set_generator(tmpg, group_gen, other_order, + group_cofactor)) + || !TEST_ptr(other_params = *p_next++ = + EC_GROUP_get_ecparameters(tmpg, NULL)) + || !TEST_ptr(tgroup = *g_next++ = + EC_GROUP_new_from_ecparameters(other_params)) + || !TEST_int_eq((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef) + /* The order is not an optional field, so this should fail */ + || !TEST_false(EC_GROUP_set_generator(tmpg, group_gen, NULL, + group_cofactor)) + /* Check that a wrong cofactor is ignored, and we still match */ + || !TEST_true(EC_GROUP_set_generator(tmpg, group_gen, group_order, + other_cofactor)) + || !TEST_ptr(other_params = *p_next++ = + EC_GROUP_get_ecparameters(tmpg, NULL)) + || !TEST_ptr(tgroup = *g_next++ = + EC_GROUP_new_from_ecparameters(other_params)) + || !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef) + || !TEST_true(are_ec_nids_compatible(nid, tnid)) + || !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup), + OPENSSL_EC_EXPLICIT_CURVE) + /* Check that if the cofactor is not set then it still matches */ + || !TEST_true(EC_GROUP_set_generator(tmpg, group_gen, group_order, + NULL)) + || !TEST_ptr(other_params = *p_next++ = + EC_GROUP_get_ecparameters(tmpg, NULL)) + || !TEST_ptr(tgroup = *g_next++ = + EC_GROUP_new_from_ecparameters(other_params)) + || !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef) + || !TEST_true(are_ec_nids_compatible(nid, tnid)) + || !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup), + OPENSSL_EC_EXPLICIT_CURVE) + /* check that restoring the generator passes */ + || !TEST_true(EC_GROUP_set_generator(tmpg, group_gen, group_order, + group_cofactor)) + || !TEST_ptr(other_params = *p_next++ = + EC_GROUP_get_ecparameters(tmpg, NULL)) + || !TEST_ptr(tgroup = *g_next++ = + EC_GROUP_new_from_ecparameters(other_params)) + || !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef) + || !TEST_true(are_ec_nids_compatible(nid, tnid)) + || !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup), + OPENSSL_EC_EXPLICIT_CURVE)) + goto err; + + ret = 1; +err: + for (g_next = &g_ary[0]; g_next < g_ary + OSSL_NELEM(g_ary); g_next++) + EC_GROUP_free(*g_next); + for (p_next = &p_ary[0]; p_next < p_ary + OSSL_NELEM(g_ary); p_next++) + ECPARAMETERS_free(*p_next); + ECPARAMETERS_free(params); + EC_POINT_free(other_gen); + EC_GROUP_free(tmpg); + EC_GROUP_free(group); + BN_CTX_end(bn_ctx); + BN_CTX_free(bn_ctx); + return ret; +} + static int parameter_test(void) { EC_GROUP *group = NULL, *group2 = NULL; @@ -851,7 +1116,8 @@ static int parameter_test(void) unsigned char *buf = NULL; int r = 0, len; - if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(NID_secp384r1)) + /* must use a curve without a special group method */ + if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(NID_secp256k1)) || !TEST_ptr(ecparameters = EC_GROUP_get_ecparameters(group, NULL)) || !TEST_ptr(group2 = EC_GROUP_new_from_ecparameters(ecparameters)) || !TEST_int_eq(EC_GROUP_cmp(group, group2, NULL), 0)) @@ -886,7 +1152,361 @@ err: OPENSSL_free(buf); return r; } -#endif + +/*- + * random 256-bit explicit parameters curve, cofactor absent + * order: 0x0c38d96a9f892b88772ec2e39614a82f4f (132 bit) + * cofactor: 0x12bc94785251297abfafddf1565100da (125 bit) + */ +static const unsigned char params_cf_pass[] = { + 0x30, 0x81, 0xcd, 0x02, 0x01, 0x01, 0x30, 0x2c, 0x06, 0x07, 0x2a, 0x86, + 0x48, 0xce, 0x3d, 0x01, 0x01, 0x02, 0x21, 0x00, 0xe5, 0x00, 0x1f, 0xc5, + 0xca, 0x71, 0x9d, 0x8e, 0xf7, 0x07, 0x4b, 0x48, 0x37, 0xf9, 0x33, 0x2d, + 0x71, 0xbf, 0x79, 0xe7, 0xdc, 0x91, 0xc2, 0xff, 0xb6, 0x7b, 0xc3, 0x93, + 0x44, 0x88, 0xe6, 0x91, 0x30, 0x44, 0x04, 0x20, 0xe5, 0x00, 0x1f, 0xc5, + 0xca, 0x71, 0x9d, 0x8e, 0xf7, 0x07, 0x4b, 0x48, 0x37, 0xf9, 0x33, 0x2d, + 0x71, 0xbf, 0x79, 0xe7, 0xdc, 0x91, 0xc2, 0xff, 0xb6, 0x7b, 0xc3, 0x93, + 0x44, 0x88, 0xe6, 0x8e, 0x04, 0x20, 0x18, 0x8c, 0x59, 0x57, 0xc4, 0xbc, + 0x85, 0x57, 0xc3, 0x66, 0x9f, 0x89, 0xd5, 0x92, 0x0d, 0x7e, 0x42, 0x27, + 0x07, 0x64, 0xaa, 0x26, 0xed, 0x89, 0xc4, 0x09, 0x05, 0x4d, 0xc7, 0x23, + 0x47, 0xda, 0x04, 0x41, 0x04, 0x1b, 0x6b, 0x41, 0x0b, 0xf9, 0xfb, 0x77, + 0xfd, 0x50, 0xb7, 0x3e, 0x23, 0xa3, 0xec, 0x9a, 0x3b, 0x09, 0x31, 0x6b, + 0xfa, 0xf6, 0xce, 0x1f, 0xff, 0xeb, 0x57, 0x93, 0x24, 0x70, 0xf3, 0xf4, + 0xba, 0x7e, 0xfa, 0x86, 0x6e, 0x19, 0x89, 0xe3, 0x55, 0x6d, 0x5a, 0xe9, + 0xc0, 0x3d, 0xbc, 0xfb, 0xaf, 0xad, 0xd4, 0x7e, 0xa6, 0xe5, 0xfa, 0x1a, + 0x58, 0x07, 0x9e, 0x8f, 0x0d, 0x3b, 0xf7, 0x38, 0xca, 0x02, 0x11, 0x0c, + 0x38, 0xd9, 0x6a, 0x9f, 0x89, 0x2b, 0x88, 0x77, 0x2e, 0xc2, 0xe3, 0x96, + 0x14, 0xa8, 0x2f, 0x4f +}; + +/*- + * random 256-bit explicit parameters curve, cofactor absent + * order: 0x045a75c0c17228ebd9b169a10e34a22101 (131 bit) + * cofactor: 0x2e134b4ede82649f67a2e559d361e5fe (126 bit) + */ +static const unsigned char params_cf_fail[] = { + 0x30, 0x81, 0xcd, 0x02, 0x01, 0x01, 0x30, 0x2c, 0x06, 0x07, 0x2a, 0x86, + 0x48, 0xce, 0x3d, 0x01, 0x01, 0x02, 0x21, 0x00, 0xc8, 0x95, 0x27, 0x37, + 0xe8, 0xe1, 0xfd, 0xcc, 0xf9, 0x6e, 0x0c, 0xa6, 0x21, 0xc1, 0x7d, 0x6b, + 0x9d, 0x44, 0x42, 0xea, 0x73, 0x4e, 0x04, 0xb6, 0xac, 0x62, 0x50, 0xd0, + 0x33, 0xc2, 0xea, 0x13, 0x30, 0x44, 0x04, 0x20, 0xc8, 0x95, 0x27, 0x37, + 0xe8, 0xe1, 0xfd, 0xcc, 0xf9, 0x6e, 0x0c, 0xa6, 0x21, 0xc1, 0x7d, 0x6b, + 0x9d, 0x44, 0x42, 0xea, 0x73, 0x4e, 0x04, 0xb6, 0xac, 0x62, 0x50, 0xd0, + 0x33, 0xc2, 0xea, 0x10, 0x04, 0x20, 0xbf, 0xa6, 0xa8, 0x05, 0x1d, 0x09, + 0xac, 0x70, 0x39, 0xbb, 0x4d, 0xb2, 0x90, 0x8a, 0x15, 0x41, 0x14, 0x1d, + 0x11, 0x86, 0x9f, 0x13, 0xa2, 0x63, 0x1a, 0xda, 0x95, 0x22, 0x4d, 0x02, + 0x15, 0x0a, 0x04, 0x41, 0x04, 0xaf, 0x16, 0x71, 0xf9, 0xc4, 0xc8, 0x59, + 0x1d, 0xa3, 0x6f, 0xe7, 0xc3, 0x57, 0xa1, 0xfa, 0x9f, 0x49, 0x7c, 0x11, + 0x27, 0x05, 0xa0, 0x7f, 0xff, 0xf9, 0xe0, 0xe7, 0x92, 0xdd, 0x9c, 0x24, + 0x8e, 0xc7, 0xb9, 0x52, 0x71, 0x3f, 0xbc, 0x7f, 0x6a, 0x9f, 0x35, 0x70, + 0xe1, 0x27, 0xd5, 0x35, 0x8a, 0x13, 0xfa, 0xa8, 0x33, 0x3e, 0xd4, 0x73, + 0x1c, 0x14, 0x58, 0x9e, 0xc7, 0x0a, 0x87, 0x65, 0x8d, 0x02, 0x11, 0x04, + 0x5a, 0x75, 0xc0, 0xc1, 0x72, 0x28, 0xeb, 0xd9, 0xb1, 0x69, 0xa1, 0x0e, + 0x34, 0xa2, 0x21, 0x01 +}; + +/*- + * Test two random 256-bit explicit parameters curves with absent cofactor. + * The two curves are chosen to roughly straddle the bounds at which the lib + * can compute the cofactor automatically, roughly 4*sqrt(p). So test that: + * + * - params_cf_pass: order is sufficiently close to p to compute cofactor + * - params_cf_fail: order is too far away from p to compute cofactor + * + * For standards-compliant curves, cofactor is chosen as small as possible. + * So you can see neither of these curves are fit for cryptographic use. + * + * Some standards even mandate an upper bound on the cofactor, e.g. SECG1 v2: + * h <= 2**(t/8) where t is the security level of the curve, for which the lib + * will always succeed in computing the cofactor. Neither of these curves + * conform to that -- this is just robustness testing. + */ +static int cofactor_range_test(void) +{ + EC_GROUP *group = NULL; + BIGNUM *cf = NULL; + int ret = 0; + const unsigned char *b1 = (const unsigned char *)params_cf_fail; + const unsigned char *b2 = (const unsigned char *)params_cf_pass; + + if (!TEST_ptr(group = d2i_ECPKParameters(NULL, &b1, sizeof(params_cf_fail))) + || !TEST_BN_eq_zero(EC_GROUP_get0_cofactor(group)) + || !TEST_ptr(group = d2i_ECPKParameters(&group, &b2, + sizeof(params_cf_pass))) + || !TEST_int_gt(BN_hex2bn(&cf, "12bc94785251297abfafddf1565100da"), 0) + || !TEST_BN_eq(cf, EC_GROUP_get0_cofactor(group))) + goto err; + ret = 1; + err: + BN_free(cf); + EC_GROUP_free(group); + return ret; +} + +/*- + * For named curves, test that: + * - the lib correctly computes the cofactor if passed a NULL or zero cofactor + * - a nonsensical cofactor throws an error (negative test) + * - nonsensical orders throw errors (negative tests) + */ +static int cardinality_test(int n) +{ + int ret = 0; + int nid = curves[n].nid; + BN_CTX *ctx = NULL; + EC_GROUP *g1 = NULL, *g2 = NULL; + EC_POINT *g2_gen = NULL; + BIGNUM *g1_p = NULL, *g1_a = NULL, *g1_b = NULL, *g1_x = NULL, *g1_y = NULL, + *g1_order = NULL, *g1_cf = NULL, *g2_cf = NULL; + + TEST_info("Curve %s cardinality test", OBJ_nid2sn(nid)); + + if (!TEST_ptr(ctx = BN_CTX_new()) + || !TEST_ptr(g1 = EC_GROUP_new_by_curve_name(nid)) + || !TEST_ptr(g2 = EC_GROUP_new(EC_GROUP_method_of(g1)))) { + EC_GROUP_free(g1); + EC_GROUP_free(g2); + BN_CTX_free(ctx); + return 0; + } + + BN_CTX_start(ctx); + g1_p = BN_CTX_get(ctx); + g1_a = BN_CTX_get(ctx); + g1_b = BN_CTX_get(ctx); + g1_x = BN_CTX_get(ctx); + g1_y = BN_CTX_get(ctx); + g1_order = BN_CTX_get(ctx); + g1_cf = BN_CTX_get(ctx); + + if (!TEST_ptr(g2_cf = BN_CTX_get(ctx)) + /* pull out the explicit curve parameters */ + || !TEST_true(EC_GROUP_get_curve(g1, g1_p, g1_a, g1_b, ctx)) + || !TEST_true(EC_POINT_get_affine_coordinates(g1, + EC_GROUP_get0_generator(g1), g1_x, g1_y, ctx)) + || !TEST_true(BN_copy(g1_order, EC_GROUP_get0_order(g1))) + || !TEST_true(EC_GROUP_get_cofactor(g1, g1_cf, ctx)) + /* construct g2 manually with g1 parameters */ + || !TEST_true(EC_GROUP_set_curve(g2, g1_p, g1_a, g1_b, ctx)) + || !TEST_ptr(g2_gen = EC_POINT_new(g2)) + || !TEST_true(EC_POINT_set_affine_coordinates(g2, g2_gen, g1_x, g1_y, ctx)) + /* pass NULL cofactor: lib should compute it */ + || !TEST_true(EC_GROUP_set_generator(g2, g2_gen, g1_order, NULL)) + || !TEST_true(EC_GROUP_get_cofactor(g2, g2_cf, ctx)) + || !TEST_BN_eq(g1_cf, g2_cf) + /* pass zero cofactor: lib should compute it */ + || !TEST_true(BN_set_word(g2_cf, 0)) + || !TEST_true(EC_GROUP_set_generator(g2, g2_gen, g1_order, g2_cf)) + || !TEST_true(EC_GROUP_get_cofactor(g2, g2_cf, ctx)) + || !TEST_BN_eq(g1_cf, g2_cf) + /* negative test for invalid cofactor */ + || !TEST_true(BN_set_word(g2_cf, 0)) + || !TEST_true(BN_sub(g2_cf, g2_cf, BN_value_one())) + || !TEST_false(EC_GROUP_set_generator(g2, g2_gen, g1_order, g2_cf)) + /* negative test for NULL order */ + || !TEST_false(EC_GROUP_set_generator(g2, g2_gen, NULL, NULL)) + /* negative test for zero order */ + || !TEST_true(BN_set_word(g1_order, 0)) + || !TEST_false(EC_GROUP_set_generator(g2, g2_gen, g1_order, NULL)) + /* negative test for negative order */ + || !TEST_true(BN_set_word(g2_cf, 0)) + || !TEST_true(BN_sub(g2_cf, g2_cf, BN_value_one())) + || !TEST_false(EC_GROUP_set_generator(g2, g2_gen, g1_order, NULL)) + /* negative test for too large order */ + || !TEST_true(BN_lshift(g1_order, g1_p, 2)) + || !TEST_false(EC_GROUP_set_generator(g2, g2_gen, g1_order, NULL))) + goto err; + ret = 1; + err: + EC_POINT_free(g2_gen); + EC_GROUP_free(g1); + EC_GROUP_free(g2); + BN_CTX_end(ctx); + BN_CTX_free(ctx); + return ret; +} + +/* + * Helper for ec_point_hex2point_test + * + * Self-tests EC_POINT_point2hex() against EC_POINT_hex2point() for the given + * (group,P) pair. + * + * If P is NULL use point at infinity. + */ +static ossl_inline +int ec_point_hex2point_test_helper(const EC_GROUP *group, const EC_POINT *P, + point_conversion_form_t form, + BN_CTX *bnctx) +{ + int ret = 0; + EC_POINT *Q = NULL, *Pinf = NULL; + char *hex = NULL; + + if (P == NULL) { + /* If P is NULL use point at infinity. */ + if (!TEST_ptr(Pinf = EC_POINT_new(group)) + || !TEST_true(EC_POINT_set_to_infinity(group, Pinf))) + goto err; + P = Pinf; + } + + if (!TEST_ptr(hex = EC_POINT_point2hex(group, P, form, bnctx)) + || !TEST_ptr(Q = EC_POINT_hex2point(group, hex, NULL, bnctx)) + || !TEST_int_eq(0, EC_POINT_cmp(group, Q, P, bnctx))) + goto err; + + /* + * The next check is most likely superfluous, as EC_POINT_cmp should already + * cover this. + * Nonetheless it increases the test coverage for EC_POINT_is_at_infinity, + * so we include it anyway! + */ + if (Pinf != NULL + && !TEST_true(EC_POINT_is_at_infinity(group, Q))) + goto err; + + ret = 1; + + err: + EC_POINT_free(Pinf); + OPENSSL_free(hex); + EC_POINT_free(Q); + + return ret; +} + +/* + * This test self-validates EC_POINT_hex2point() and EC_POINT_point2hex() + */ +static int ec_point_hex2point_test(int id) +{ + int ret = 0, nid; + EC_GROUP *group = NULL; + const EC_POINT *G = NULL; + EC_POINT *P = NULL; + BN_CTX * bnctx = NULL; + + /* Do some setup */ + nid = curves[id].nid; + if (!TEST_ptr(bnctx = BN_CTX_new()) + || !TEST_ptr(group = EC_GROUP_new_by_curve_name(nid)) + || !TEST_ptr(G = EC_GROUP_get0_generator(group)) + || !TEST_ptr(P = EC_POINT_dup(G, group))) + goto err; + + if (!TEST_true(ec_point_hex2point_test_helper(group, P, + POINT_CONVERSION_COMPRESSED, + bnctx)) + || !TEST_true(ec_point_hex2point_test_helper(group, NULL, + POINT_CONVERSION_COMPRESSED, + bnctx)) + || !TEST_true(ec_point_hex2point_test_helper(group, P, + POINT_CONVERSION_UNCOMPRESSED, + bnctx)) + || !TEST_true(ec_point_hex2point_test_helper(group, NULL, + POINT_CONVERSION_UNCOMPRESSED, + bnctx)) + || !TEST_true(ec_point_hex2point_test_helper(group, P, + POINT_CONVERSION_HYBRID, + bnctx)) + || !TEST_true(ec_point_hex2point_test_helper(group, NULL, + POINT_CONVERSION_HYBRID, + bnctx))) + goto err; + + ret = 1; + + err: + EC_POINT_free(P); + EC_GROUP_free(group); + BN_CTX_free(bnctx); + + return ret; +} + +/* + * check the EC_METHOD respects the supplied EC_GROUP_set_generator G + */ +static int custom_generator_test(int id) +{ + int ret = 0, nid, bsize; + EC_GROUP *group = NULL; + EC_POINT *G2 = NULL, *Q1 = NULL, *Q2 = NULL; + BN_CTX *ctx = NULL; + BIGNUM *k = NULL; + unsigned char *b1 = NULL, *b2 = NULL; + + /* Do some setup */ + nid = curves[id].nid; + TEST_note("Curve %s", OBJ_nid2sn(nid)); + if (!TEST_ptr(ctx = BN_CTX_new())) + return 0; + + BN_CTX_start(ctx); + + if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(nid))) + goto err; + + /* expected byte length of encoded points */ + bsize = (EC_GROUP_get_degree(group) + 7) / 8; + bsize = 2 * bsize + 1; + + if (!TEST_ptr(k = BN_CTX_get(ctx)) + /* fetch a testing scalar k != 0,1 */ + || !TEST_true(BN_rand(k, EC_GROUP_order_bits(group) - 1, + BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY)) + /* make k even */ + || !TEST_true(BN_clear_bit(k, 0)) + || !TEST_ptr(G2 = EC_POINT_new(group)) + || !TEST_ptr(Q1 = EC_POINT_new(group)) + /* Q1 := kG */ + || !TEST_true(EC_POINT_mul(group, Q1, k, NULL, NULL, ctx)) + /* pull out the bytes of that */ + || !TEST_int_eq(EC_POINT_point2oct(group, Q1, + POINT_CONVERSION_UNCOMPRESSED, NULL, + 0, ctx), bsize) + || !TEST_ptr(b1 = OPENSSL_malloc(bsize)) + || !TEST_int_eq(EC_POINT_point2oct(group, Q1, + POINT_CONVERSION_UNCOMPRESSED, b1, + bsize, ctx), bsize) + /* new generator is G2 := 2G */ + || !TEST_true(EC_POINT_dbl(group, G2, EC_GROUP_get0_generator(group), + ctx)) + || !TEST_true(EC_GROUP_set_generator(group, G2, + EC_GROUP_get0_order(group), + EC_GROUP_get0_cofactor(group))) + || !TEST_ptr(Q2 = EC_POINT_new(group)) + || !TEST_true(BN_rshift1(k, k)) + /* Q2 := k/2 G2 */ + || !TEST_true(EC_POINT_mul(group, Q2, k, NULL, NULL, ctx)) + || !TEST_int_eq(EC_POINT_point2oct(group, Q2, + POINT_CONVERSION_UNCOMPRESSED, NULL, + 0, ctx), bsize) + || !TEST_ptr(b2 = OPENSSL_malloc(bsize)) + || !TEST_int_eq(EC_POINT_point2oct(group, Q2, + POINT_CONVERSION_UNCOMPRESSED, b2, + bsize, ctx), bsize) + /* Q1 = kG = k/2 G2 = Q2 should hold */ + || !TEST_int_eq(CRYPTO_memcmp(b1, b2, bsize), 0)) + goto err; + + ret = 1; + + err: + BN_CTX_end(ctx); + EC_POINT_free(Q1); + EC_POINT_free(Q2); + EC_POINT_free(G2); + EC_GROUP_free(group); + BN_CTX_free(ctx); + OPENSSL_free(b1); + OPENSSL_free(b2); + + return ret; +} + +#endif /* OPENSSL_NO_EC */ int setup_tests(void) { @@ -897,6 +1517,8 @@ int setup_tests(void) return 0; ADD_TEST(parameter_test); + ADD_TEST(cofactor_range_test); + ADD_ALL_TESTS(cardinality_test, crv_len); ADD_TEST(prime_field_tests); # ifndef OPENSSL_NO_EC2M ADD_TEST(char2_field_tests); @@ -908,7 +1530,11 @@ int setup_tests(void) # endif ADD_ALL_TESTS(internal_curve_test, crv_len); ADD_ALL_TESTS(internal_curve_test_method, crv_len); -#endif + + ADD_ALL_TESTS(check_named_curve_from_ecparameters, crv_len); + ADD_ALL_TESTS(ec_point_hex2point_test, crv_len); + ADD_ALL_TESTS(custom_generator_test, crv_len); +#endif /* OPENSSL_NO_EC */ return 1; } diff --git a/mingw-openssl.spec b/mingw-openssl.spec index 03a9bc0..29770a1 100644 --- a/mingw-openssl.spec +++ b/mingw-openssl.spec @@ -22,8 +22,8 @@ %global run_tests 0 Name: mingw-openssl -Version: 1.1.1c -Release: 7%{?dist} +Version: 1.1.1k +Release: 1%{?dist} Summary: MinGW port of the OpenSSL toolkit License: OpenSSL @@ -33,7 +33,6 @@ URL: http://www.openssl.org/ # tarball with the hobble-openssl script which is included below. # The original openssl upstream tarball cannot be shipped in the .src.rpm. Source: openssl-%{version}-hobbled.tar.xz - Source1: hobble-openssl Source2: Makefile.certificate Source6: make-dummy-cert @@ -43,14 +42,12 @@ Source10: opensslconf-new-warning.h Source11: README.FIPS Source12: ec_curve.c Source13: ectest.c - # Build changes Patch1: openssl-1.1.1-build.patch Patch2: openssl-1.1.1-defaults.patch -Patch3: openssl-1.1.0-no-html.patch +Patch3: openssl-1.1.1-no-html.patch Patch4: openssl-1.1.1-man-rename.patch -# Bug fixes -Patch21: openssl-1.1.0-issuer-hash.patch + # Functionality changes Patch31: openssl-1.1.1-conf-paths.patch Patch32: openssl-1.1.1-version-add-engines.patch @@ -61,7 +58,6 @@ Patch38: openssl-1.1.1-no-weak-verify.patch Patch40: openssl-1.1.1-disable-ssl3.patch Patch41: openssl-1.1.1-system-cipherlist.patch Patch42: openssl-1.1.1-fips.patch -Patch43: openssl-1.1.1-ignore-bound.patch Patch44: openssl-1.1.1-version-override.patch Patch45: openssl-1.1.1-weak-ciphers.patch Patch46: openssl-1.1.1-seclevel.patch @@ -69,16 +65,23 @@ Patch47: openssl-1.1.1-ts-sha256-default.patch Patch48: openssl-1.1.1-fips-post-rand.patch Patch49: openssl-1.1.1-evp-kdf.patch Patch50: openssl-1.1.1-ssh-kdf.patch +Patch51: openssl-1.1.1-intel-cet.patch +Patch60: openssl-1.1.1-krb5-kdf.patch +Patch61: openssl-1.1.1-edk2-build.patch +Patch62: openssl-1.1.1-fips-curves.patch +Patch65: openssl-1.1.1-fips-drbg-selftest.patch +Patch66: openssl-1.1.1-fips-dh.patch +Patch67: openssl-1.1.1-kdf-selftest.patch +Patch69: openssl-1.1.1-alpn-cb.patch +Patch70: openssl-1.1.1-rewire-fips-drbg.patch # Backported fixes including security fixes -Patch51: openssl-1.1.1-upstream-sync.patch Patch52: openssl-1.1.1-s390x-update.patch Patch53: openssl-1.1.1-fips-crng-test.patch -Patch54: openssl-1.1.1-regression-fixes.patch +Patch55: openssl-1.1.1-arm-update.patch +Patch56: openssl-1.1.1-s390x-ecc.patch -# MinGW-specific patches. -# The function secure_getenv is a GNU extension which isn't available on Windows -# This reverts part of openssl-1.1.0-no-weak-verify.patch -Patch101: openssl-mingw64-dont-use-secure-getenv.patch +# Mingw-specific patch: dlfcn lacks Dl_info, dladdr etc. +Patch101: openssl-1.1.1-no-dladdr.patch BuildArch: noarch @@ -87,11 +90,13 @@ BuildRequires: mingw32-filesystem >= 95 BuildRequires: mingw32-gcc BuildRequires: mingw32-binutils BuildRequires: mingw32-zlib +BuildRequires: mingw32-dlfcn BuildRequires: mingw64-filesystem >= 95 BuildRequires: mingw64-gcc BuildRequires: mingw64-binutils BuildRequires: mingw64-zlib +BuildRequires: mingw64-dlfcn BuildRequires: perl-interpreter BuildRequires: perl-FindBin @@ -185,8 +190,6 @@ cp %{SOURCE13} test/ %patch3 -p1 -b .no-html %{?_rawbuild} %patch4 -p1 -b .man-rename -%patch21 -p1 -b .issuer-hash - %patch31 -p1 -b .conf-paths %patch32 -p1 -b .version-add-engines %patch33 -p1 -b .dgst @@ -195,22 +198,29 @@ cp %{SOURCE13} test/ %patch38 -p1 -b .no-weak-verify %patch40 -p1 -b .disable-ssl3 %patch41 -p1 -b .system-cipherlist -#%patch42 -p1 -b .fips -%patch43 -p1 -b .ignore-bound +%patch42 -p1 -b .fips %patch44 -p1 -b .version-override %patch45 -p1 -b .weak-ciphers %patch46 -p1 -b .seclevel %patch47 -p1 -b .ts-sha256-default -#%patch48 -p1 -b .fips-post-rand -#%patch49 -p1 -b .evp-kdf -#%patch50 -p1 -b .ssh-kdf -%patch51 -p1 -b .upstream-sync +%patch48 -p1 -b .fips-post-rand +%patch49 -p1 -b .evp-kdf +%patch50 -p1 -b .ssh-kdf +%patch51 -p1 -b .intel-cet %patch52 -p1 -b .s390x-update %patch53 -p1 -b .crng-test -%patch54 -p1 -b .regression - -# MinGW specific patches -%patch101 -p1 -b .secure_getenv_mingw +%patch55 -p1 -b .arm-update +%patch56 -p1 -b .s390x-ecc +%patch60 -p1 -b .krb5-kdf +%patch61 -p1 -b .edk2-build +%patch62 -p1 -b .fips-curves +%patch65 -p1 -b .drbg-selftest +%patch66 -p1 -b .fips-dh +%patch67 -p1 -b .kdf-selftest +%patch69 -p1 -b .alpn-cb +%patch70 -p1 -b .rewire-fips-drbg + +%patch101 -p1 -b .no-dladdr # Create two copies of the source folder as OpenSSL doesn't support out of source builds mkdir ../build_win32 @@ -237,7 +247,8 @@ LDFLAGS="%{mingw32_ldflags}" \ enable-weak-ssl-ciphers \ no-mdc2 no-ec2m \ --cross-compile-prefix=%{mingw32_target}- \ - shared mingw + shared mingw \ + -Dsecure_getenv=getenv # Do not run this in a production package the FIPS symbols must be patched-in #util/mkdef.pl crypto update @@ -265,7 +276,8 @@ LDFLAGS="%{mingw64_ldflags}" \ enable-weak-ssl-ciphers enable-ec_nistp_64_gcc_128 \ no-mdc2 no-ec2m no-hw \ --cross-compile-prefix=%{mingw64_target}- \ - shared mingw64 + shared mingw64 \ + -Dsecure_getenv=getenv # Do not run this in a production package the FIPS symbols must be patched-in #util/mkdef.pl crypto update @@ -426,6 +438,9 @@ find %{buildroot}%{mingw64_prefix} | grep -E '.(exe|dll|pyd)$' | sed 's|^%{build %changelog +* Tue Jun 01 2021 Richard W.M. Jones - 1.1.1k-1 +- Synch to Fedora openssl-1.1.1k-1.fc35 + * Tue Jan 26 2021 Fedora Release Engineering - 1.1.1c-7 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild diff --git a/openssl-1.1.0-issuer-hash.patch b/openssl-1.1.0-issuer-hash.patch deleted file mode 100644 index 1b824e0..0000000 --- a/openssl-1.1.0-issuer-hash.patch +++ /dev/null @@ -1,11 +0,0 @@ -diff -up openssl-1.1.0-pre5/crypto/x509/x509_cmp.c.issuer-hash openssl-1.1.0-pre5/crypto/x509/x509_cmp.c ---- openssl-1.1.0-pre5/crypto/x509/x509_cmp.c.issuer-hash 2016-07-18 15:16:32.788881100 +0200 -+++ openssl-1.1.0-pre5/crypto/x509/x509_cmp.c 2016-07-18 15:17:16.671871840 +0200 -@@ -87,6 +87,7 @@ unsigned long X509_issuer_and_serial_has - - if (ctx == NULL) - goto err; -+ EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); - f = X509_NAME_oneline(a->cert_info.issuer, NULL, 0); - if (!EVP_DigestInit_ex(ctx, EVP_md5(), NULL)) - goto err; diff --git a/openssl-1.1.0-no-html.patch b/openssl-1.1.0-no-html.patch deleted file mode 100644 index f6a941e..0000000 --- a/openssl-1.1.0-no-html.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -up openssl-1.1.0-pre5/Configurations/unix-Makefile.tmpl.nohtml openssl-1.1.0-pre5/Configurations/unix-Makefile.tmpl ---- openssl-1.1.0-pre5/Configurations/unix-Makefile.tmpl.no-html 2016-04-19 16:57:52.000000000 +0200 -+++ openssl-1.1.0-pre5/Configurations/unix-Makefile.tmpl 2016-07-18 13:58:55.060106243 +0200 -@@ -288,7 +288,7 @@ install_sw: all install_dev install_engi - - uninstall_sw: uninstall_runtime uninstall_engines uninstall_dev - --install_docs: install_man_docs install_html_docs -+install_docs: install_man_docs - - uninstall_docs: uninstall_man_docs uninstall_html_docs - $(RM) -r -v $(DESTDIR)$(DOCDIR) diff --git a/openssl-1.1.1-alpn-cb.patch b/openssl-1.1.1-alpn-cb.patch new file mode 100644 index 0000000..465f7b8 --- /dev/null +++ b/openssl-1.1.1-alpn-cb.patch @@ -0,0 +1,27 @@ +commit 9e885a707d604e9528b5491b78fb9c00f41193fc +Author: Tomas Mraz +Date: Thu Mar 26 15:59:00 2020 +0100 + + s_server: Properly indicate ALPN protocol mismatch + + Return SSL_TLSEXT_ERR_ALERT_FATAL from alpn_select_cb so that + an alert is sent to the client on ALPN protocol mismatch. + + Fixes: #2708 + + Reviewed-by: Matt Caswell + (Merged from https://github.com/openssl/openssl/pull/11415) + +diff --git a/apps/s_server.c b/apps/s_server.c +index bcc83e562c..591c6c19c5 100644 +--- a/apps/s_server.c ++++ b/apps/s_server.c +@@ -707,7 +707,7 @@ static int alpn_cb(SSL *s, const unsigned char **out, unsigned char *outlen, + if (SSL_select_next_proto + ((unsigned char **)out, outlen, alpn_ctx->data, alpn_ctx->len, in, + inlen) != OPENSSL_NPN_NEGOTIATED) { +- return SSL_TLSEXT_ERR_NOACK; ++ return SSL_TLSEXT_ERR_ALERT_FATAL; + } + + if (!s_quiet) { diff --git a/openssl-1.1.1-arm-update.patch b/openssl-1.1.1-arm-update.patch new file mode 100644 index 0000000..2b8c549 --- /dev/null +++ b/openssl-1.1.1-arm-update.patch @@ -0,0 +1,3706 @@ +diff -up openssl-1.1.1i/crypto/aes/asm/aesv8-armx.pl.arm-update openssl-1.1.1i/crypto/aes/asm/aesv8-armx.pl +--- openssl-1.1.1i/crypto/aes/asm/aesv8-armx.pl.arm-update 2020-12-08 14:20:59.000000000 +0100 ++++ openssl-1.1.1i/crypto/aes/asm/aesv8-armx.pl 2020-12-09 10:39:50.645705385 +0100 +@@ -27,44 +27,72 @@ + # CBC encrypt case. On Cortex-A57 parallelizable mode performance + # seems to be limited by sheer amount of NEON instructions... + # ++# April 2019 ++# ++# Key to performance of parallelize-able modes is round instruction ++# interleaving. But which factor to use? There is optimal one for ++# each combination of instruction latency and issue rate, beyond ++# which increasing interleave factor doesn't pay off. While on cons ++# side we have code size increase and resource waste on platforms for ++# which interleave factor is too high. In other words you want it to ++# be just right. So far interleave factor of 3x was serving well all ++# platforms. But for ThunderX2 optimal interleave factor was measured ++# to be 5x... ++# + # Performance in cycles per byte processed with 128-bit key: + # + # CBC enc CBC dec CTR + # Apple A7 2.39 1.20 1.20 +-# Cortex-A53 1.32 1.29 1.46 +-# Cortex-A57(*) 1.95 0.85 0.93 +-# Denver 1.96 0.86 0.80 +-# Mongoose 1.33 1.20 1.20 +-# Kryo 1.26 0.94 1.00 ++# Cortex-A53 1.32 1.17/1.29(**) 1.36/1.46 ++# Cortex-A57(*) 1.95 0.82/0.85 0.89/0.93 ++# Cortex-A72 1.33 0.85/0.88 0.92/0.96 ++# Denver 1.96 0.65/0.86 0.76/0.80 ++# Mongoose 1.33 1.23/1.20 1.30/1.20 ++# Kryo 1.26 0.87/0.94 1.00/1.00 ++# ThunderX2 5.95 1.25 1.30 + # + # (*) original 3.64/1.34/1.32 results were for r0p0 revision + # and are still same even for updated module; ++# (**) numbers after slash are for 32-bit code, which is 3x- ++# interleaved; + +-$flavour = shift; +-$output = shift; ++# $output is the last argument if it looks like a file (it has an extension) ++# $flavour is the first argument if it doesn't look like a file ++$output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef; ++$flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? shift : undef; + + $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; + ( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or + ( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate) or + die "can't locate arm-xlate.pl"; + +-open OUT,"| \"$^X\" $xlate $flavour $output"; ++open OUT,"| \"$^X\" $xlate $flavour \"$output\"" ++ or die "can't call $xlate: $!"; + *STDOUT=*OUT; + + $prefix="aes_v8"; + ++$_byte = ($flavour =~ /win/ ? "DCB" : ".byte"); ++ + $code=<<___; + #include "arm_arch.h" + + #if __ARM_MAX_ARCH__>=7 +-.text + ___ +-$code.=".arch armv8-a+crypto\n" if ($flavour =~ /64/); ++$code.=".arch armv8-a+crypto\n.text\n" if ($flavour =~ /64/); + $code.=<<___ if ($flavour !~ /64/); + .arch armv7-a // don't confuse not-so-latest binutils with argv8 :-) + .fpu neon ++#ifdef __thumb2__ ++.syntax unified ++.thumb ++# define INST(a,b,c,d) $_byte c,d|0xc,a,b ++#else + .code 32 +-#undef __thumb2__ ++# define INST(a,b,c,d) $_byte a,b,c,d ++#endif ++ ++.text + ___ + + # Assembler mnemonics are an eclectic mix of 32- and 64-bit syntax, +@@ -361,6 +389,836 @@ ___ + &gen_block("en"); + &gen_block("de"); + }}} ++ ++# Performance in cycles per byte. ++# Processed with AES-ECB different key size. ++# It shows the value before and after optimization as below: ++# (before/after): ++# ++# AES-128-ECB AES-192-ECB AES-256-ECB ++# Cortex-A57 1.85/0.82 2.16/0.96 2.47/1.10 ++# Cortex-A72 1.64/0.85 1.82/0.99 2.13/1.14 ++ ++# Optimization is implemented by loop unrolling and interleaving. ++# Commonly, we choose the unrolling factor as 5, if the input ++# data size smaller than 5 blocks, but not smaller than 3 blocks, ++# choose 3 as the unrolling factor. ++# If the input data size dsize >= 5*16 bytes, then take 5 blocks ++# as one iteration, every loop the left size lsize -= 5*16. ++# If 5*16 > lsize >= 3*16 bytes, take 3 blocks as one iteration, ++# every loop lsize -=3*16. ++# If lsize < 3*16 bytes, treat them as the tail, interleave the ++# two blocks AES instructions. ++# There is one special case, if the original input data size dsize ++# = 16 bytes, we will treat it seperately to improve the ++# performance: one independent code block without LR, FP load and ++# store, just looks like what the original ECB implementation does. ++ ++{{{ ++my ($inp,$out,$len,$key)=map("x$_",(0..3)); ++my ($enc,$rounds,$cnt,$key_,$step)=("w4","w5","w6","x7","x8"); ++my ($dat0,$dat1,$in0,$in1,$tmp0,$tmp1,$tmp2,$rndlast)=map("q$_",(0..7)); ++ ++my ($dat,$tmp,$rndzero_n_last)=($dat0,$tmp0,$tmp1); ++ ++### q7 last round key ++### q10-q15 q7 Last 7 round keys ++### q8-q9 preloaded round keys except last 7 keys for big size ++### q5, q6, q8-q9 preloaded round keys except last 7 keys for only 16 byte ++ ++{ ++my ($dat2,$in2,$tmp2)=map("q$_",(10,11,9)); ++ ++my ($dat3,$in3,$tmp3); # used only in 64-bit mode ++my ($dat4,$in4,$tmp4); ++if ($flavour =~ /64/) { ++ ($dat2,$dat3,$dat4,$in2,$in3,$in4,$tmp3,$tmp4)=map("q$_",(16..23)); ++} ++ ++$code.=<<___; ++.globl ${prefix}_ecb_encrypt ++.type ${prefix}_ecb_encrypt,%function ++.align 5 ++${prefix}_ecb_encrypt: ++___ ++$code.=<<___ if ($flavour =~ /64/); ++ subs $len,$len,#16 ++ // Original input data size bigger than 16, jump to big size processing. ++ b.ne .Lecb_big_size ++ vld1.8 {$dat0},[$inp] ++ cmp $enc,#0 // en- or decrypting? ++ ldr $rounds,[$key,#240] ++ vld1.32 {q5-q6},[$key],#32 // load key schedule... ++ ++ b.eq .Lecb_small_dec ++ aese $dat0,q5 ++ aesmc $dat0,$dat0 ++ vld1.32 {q8-q9},[$key],#32 // load key schedule... ++ aese $dat0,q6 ++ aesmc $dat0,$dat0 ++ subs $rounds,$rounds,#10 // if rounds==10, jump to aes-128-ecb processing ++ b.eq .Lecb_128_enc ++.Lecb_round_loop: ++ aese $dat0,q8 ++ aesmc $dat0,$dat0 ++ vld1.32 {q8},[$key],#16 // load key schedule... ++ aese $dat0,q9 ++ aesmc $dat0,$dat0 ++ vld1.32 {q9},[$key],#16 // load key schedule... ++ subs $rounds,$rounds,#2 // bias ++ b.gt .Lecb_round_loop ++.Lecb_128_enc: ++ vld1.32 {q10-q11},[$key],#32 // load key schedule... ++ aese $dat0,q8 ++ aesmc $dat0,$dat0 ++ aese $dat0,q9 ++ aesmc $dat0,$dat0 ++ vld1.32 {q12-q13},[$key],#32 // load key schedule... ++ aese $dat0,q10 ++ aesmc $dat0,$dat0 ++ aese $dat0,q11 ++ aesmc $dat0,$dat0 ++ vld1.32 {q14-q15},[$key],#32 // load key schedule... ++ aese $dat0,q12 ++ aesmc $dat0,$dat0 ++ aese $dat0,q13 ++ aesmc $dat0,$dat0 ++ vld1.32 {$rndlast},[$key] ++ aese $dat0,q14 ++ aesmc $dat0,$dat0 ++ aese $dat0,q15 ++ veor $dat0,$dat0,$rndlast ++ vst1.8 {$dat0},[$out] ++ b .Lecb_Final_abort ++.Lecb_small_dec: ++ aesd $dat0,q5 ++ aesimc $dat0,$dat0 ++ vld1.32 {q8-q9},[$key],#32 // load key schedule... ++ aesd $dat0,q6 ++ aesimc $dat0,$dat0 ++ subs $rounds,$rounds,#10 // bias ++ b.eq .Lecb_128_dec ++.Lecb_dec_round_loop: ++ aesd $dat0,q8 ++ aesimc $dat0,$dat0 ++ vld1.32 {q8},[$key],#16 // load key schedule... ++ aesd $dat0,q9 ++ aesimc $dat0,$dat0 ++ vld1.32 {q9},[$key],#16 // load key schedule... ++ subs $rounds,$rounds,#2 // bias ++ b.gt .Lecb_dec_round_loop ++.Lecb_128_dec: ++ vld1.32 {q10-q11},[$key],#32 // load key schedule... ++ aesd $dat0,q8 ++ aesimc $dat0,$dat0 ++ aesd $dat0,q9 ++ aesimc $dat0,$dat0 ++ vld1.32 {q12-q13},[$key],#32 // load key schedule... ++ aesd $dat0,q10 ++ aesimc $dat0,$dat0 ++ aesd $dat0,q11 ++ aesimc $dat0,$dat0 ++ vld1.32 {q14-q15},[$key],#32 // load key schedule... ++ aesd $dat0,q12 ++ aesimc $dat0,$dat0 ++ aesd $dat0,q13 ++ aesimc $dat0,$dat0 ++ vld1.32 {$rndlast},[$key] ++ aesd $dat0,q14 ++ aesimc $dat0,$dat0 ++ aesd $dat0,q15 ++ veor $dat0,$dat0,$rndlast ++ vst1.8 {$dat0},[$out] ++ b .Lecb_Final_abort ++.Lecb_big_size: ++___ ++$code.=<<___ if ($flavour =~ /64/); ++ stp x29,x30,[sp,#-16]! ++ add x29,sp,#0 ++___ ++$code.=<<___ if ($flavour !~ /64/); ++ mov ip,sp ++ stmdb sp!,{r4-r8,lr} ++ vstmdb sp!,{d8-d15} @ ABI specification says so ++ ldmia ip,{r4-r5} @ load remaining args ++ subs $len,$len,#16 ++___ ++$code.=<<___; ++ mov $step,#16 ++ b.lo .Lecb_done ++ cclr $step,eq ++ ++ cmp $enc,#0 // en- or decrypting? ++ ldr $rounds,[$key,#240] ++ and $len,$len,#-16 ++ vld1.8 {$dat},[$inp],$step ++ ++ vld1.32 {q8-q9},[$key] // load key schedule... ++ sub $rounds,$rounds,#6 ++ add $key_,$key,x5,lsl#4 // pointer to last 7 round keys ++ sub $rounds,$rounds,#2 ++ vld1.32 {q10-q11},[$key_],#32 ++ vld1.32 {q12-q13},[$key_],#32 ++ vld1.32 {q14-q15},[$key_],#32 ++ vld1.32 {$rndlast},[$key_] ++ ++ add $key_,$key,#32 ++ mov $cnt,$rounds ++ b.eq .Lecb_dec ++ ++ vld1.8 {$dat1},[$inp],#16 ++ subs $len,$len,#32 // bias ++ add $cnt,$rounds,#2 ++ vorr $in1,$dat1,$dat1 ++ vorr $dat2,$dat1,$dat1 ++ vorr $dat1,$dat,$dat ++ b.lo .Lecb_enc_tail ++ ++ vorr $dat1,$in1,$in1 ++ vld1.8 {$dat2},[$inp],#16 ++___ ++$code.=<<___ if ($flavour =~ /64/); ++ cmp $len,#32 ++ b.lo .Loop3x_ecb_enc ++ ++ vld1.8 {$dat3},[$inp],#16 ++ vld1.8 {$dat4},[$inp],#16 ++ sub $len,$len,#32 // bias ++ mov $cnt,$rounds ++ ++.Loop5x_ecb_enc: ++ aese $dat0,q8 ++ aesmc $dat0,$dat0 ++ aese $dat1,q8 ++ aesmc $dat1,$dat1 ++ aese $dat2,q8 ++ aesmc $dat2,$dat2 ++ aese $dat3,q8 ++ aesmc $dat3,$dat3 ++ aese $dat4,q8 ++ aesmc $dat4,$dat4 ++ vld1.32 {q8},[$key_],#16 ++ subs $cnt,$cnt,#2 ++ aese $dat0,q9 ++ aesmc $dat0,$dat0 ++ aese $dat1,q9 ++ aesmc $dat1,$dat1 ++ aese $dat2,q9 ++ aesmc $dat2,$dat2 ++ aese $dat3,q9 ++ aesmc $dat3,$dat3 ++ aese $dat4,q9 ++ aesmc $dat4,$dat4 ++ vld1.32 {q9},[$key_],#16 ++ b.gt .Loop5x_ecb_enc ++ ++ aese $dat0,q8 ++ aesmc $dat0,$dat0 ++ aese $dat1,q8 ++ aesmc $dat1,$dat1 ++ aese $dat2,q8 ++ aesmc $dat2,$dat2 ++ aese $dat3,q8 ++ aesmc $dat3,$dat3 ++ aese $dat4,q8 ++ aesmc $dat4,$dat4 ++ cmp $len,#0x40 // because .Lecb_enc_tail4x ++ sub $len,$len,#0x50 ++ ++ aese $dat0,q9 ++ aesmc $dat0,$dat0 ++ aese $dat1,q9 ++ aesmc $dat1,$dat1 ++ aese $dat2,q9 ++ aesmc $dat2,$dat2 ++ aese $dat3,q9 ++ aesmc $dat3,$dat3 ++ aese $dat4,q9 ++ aesmc $dat4,$dat4 ++ csel x6,xzr,$len,gt // borrow x6, $cnt, "gt" is not typo ++ mov $key_,$key ++ ++ aese $dat0,q10 ++ aesmc $dat0,$dat0 ++ aese $dat1,q10 ++ aesmc $dat1,$dat1 ++ aese $dat2,q10 ++ aesmc $dat2,$dat2 ++ aese $dat3,q10 ++ aesmc $dat3,$dat3 ++ aese $dat4,q10 ++ aesmc $dat4,$dat4 ++ add $inp,$inp,x6 // $inp is adjusted in such way that ++ // at exit from the loop $dat1-$dat4 ++ // are loaded with last "words" ++ add x6,$len,#0x60 // because .Lecb_enc_tail4x ++ ++ aese $dat0,q11 ++ aesmc $dat0,$dat0 ++ aese $dat1,q11 ++ aesmc $dat1,$dat1 ++ aese $dat2,q11 ++ aesmc $dat2,$dat2 ++ aese $dat3,q11 ++ aesmc $dat3,$dat3 ++ aese $dat4,q11 ++ aesmc $dat4,$dat4 ++ ++ aese $dat0,q12 ++ aesmc $dat0,$dat0 ++ aese $dat1,q12 ++ aesmc $dat1,$dat1 ++ aese $dat2,q12 ++ aesmc $dat2,$dat2 ++ aese $dat3,q12 ++ aesmc $dat3,$dat3 ++ aese $dat4,q12 ++ aesmc $dat4,$dat4 ++ ++ aese $dat0,q13 ++ aesmc $dat0,$dat0 ++ aese $dat1,q13 ++ aesmc $dat1,$dat1 ++ aese $dat2,q13 ++ aesmc $dat2,$dat2 ++ aese $dat3,q13 ++ aesmc $dat3,$dat3 ++ aese $dat4,q13 ++ aesmc $dat4,$dat4 ++ ++ aese $dat0,q14 ++ aesmc $dat0,$dat0 ++ aese $dat1,q14 ++ aesmc $dat1,$dat1 ++ aese $dat2,q14 ++ aesmc $dat2,$dat2 ++ aese $dat3,q14 ++ aesmc $dat3,$dat3 ++ aese $dat4,q14 ++ aesmc $dat4,$dat4 ++ ++ aese $dat0,q15 ++ vld1.8 {$in0},[$inp],#16 ++ aese $dat1,q15 ++ vld1.8 {$in1},[$inp],#16 ++ aese $dat2,q15 ++ vld1.8 {$in2},[$inp],#16 ++ aese $dat3,q15 ++ vld1.8 {$in3},[$inp],#16 ++ aese $dat4,q15 ++ vld1.8 {$in4},[$inp],#16 ++ cbz x6,.Lecb_enc_tail4x ++ vld1.32 {q8},[$key_],#16 // re-pre-load rndkey[0] ++ veor $tmp0,$rndlast,$dat0 ++ vorr $dat0,$in0,$in0 ++ veor $tmp1,$rndlast,$dat1 ++ vorr $dat1,$in1,$in1 ++ veor $tmp2,$rndlast,$dat2 ++ vorr $dat2,$in2,$in2 ++ veor $tmp3,$rndlast,$dat3 ++ vorr $dat3,$in3,$in3 ++ veor $tmp4,$rndlast,$dat4 ++ vst1.8 {$tmp0},[$out],#16 ++ vorr $dat4,$in4,$in4 ++ vst1.8 {$tmp1},[$out],#16 ++ mov $cnt,$rounds ++ vst1.8 {$tmp2},[$out],#16 ++ vld1.32 {q9},[$key_],#16 // re-pre-load rndkey[1] ++ vst1.8 {$tmp3},[$out],#16 ++ vst1.8 {$tmp4},[$out],#16 ++ b.hs .Loop5x_ecb_enc ++ ++ add $len,$len,#0x50 ++ cbz $len,.Lecb_done ++ ++ add $cnt,$rounds,#2 ++ subs $len,$len,#0x30 ++ vorr $dat0,$in2,$in2 ++ vorr $dat1,$in3,$in3 ++ vorr $dat2,$in4,$in4 ++ b.lo .Lecb_enc_tail ++ ++ b .Loop3x_ecb_enc ++ ++.align 4 ++.Lecb_enc_tail4x: ++ veor $tmp1,$rndlast,$dat1 ++ veor $tmp2,$rndlast,$dat2 ++ veor $tmp3,$rndlast,$dat3 ++ veor $tmp4,$rndlast,$dat4 ++ vst1.8 {$tmp1},[$out],#16 ++ vst1.8 {$tmp2},[$out],#16 ++ vst1.8 {$tmp3},[$out],#16 ++ vst1.8 {$tmp4},[$out],#16 ++ ++ b .Lecb_done ++.align 4 ++___ ++$code.=<<___; ++.Loop3x_ecb_enc: ++ aese $dat0,q8 ++ aesmc $dat0,$dat0 ++ aese $dat1,q8 ++ aesmc $dat1,$dat1 ++ aese $dat2,q8 ++ aesmc $dat2,$dat2 ++ vld1.32 {q8},[$key_],#16 ++ subs $cnt,$cnt,#2 ++ aese $dat0,q9 ++ aesmc $dat0,$dat0 ++ aese $dat1,q9 ++ aesmc $dat1,$dat1 ++ aese $dat2,q9 ++ aesmc $dat2,$dat2 ++ vld1.32 {q9},[$key_],#16 ++ b.gt .Loop3x_ecb_enc ++ ++ aese $dat0,q8 ++ aesmc $dat0,$dat0 ++ aese $dat1,q8 ++ aesmc $dat1,$dat1 ++ aese $dat2,q8 ++ aesmc $dat2,$dat2 ++ subs $len,$len,#0x30 ++ mov.lo x6,$len // x6, $cnt, is zero at this point ++ aese $dat0,q9 ++ aesmc $dat0,$dat0 ++ aese $dat1,q9 ++ aesmc $dat1,$dat1 ++ aese $dat2,q9 ++ aesmc $dat2,$dat2 ++ add $inp,$inp,x6 // $inp is adjusted in such way that ++ // at exit from the loop $dat1-$dat2 ++ // are loaded with last "words" ++ mov $key_,$key ++ aese $dat0,q12 ++ aesmc $dat0,$dat0 ++ aese $dat1,q12 ++ aesmc $dat1,$dat1 ++ aese $dat2,q12 ++ aesmc $dat2,$dat2 ++ vld1.8 {$in0},[$inp],#16 ++ aese $dat0,q13 ++ aesmc $dat0,$dat0 ++ aese $dat1,q13 ++ aesmc $dat1,$dat1 ++ aese $dat2,q13 ++ aesmc $dat2,$dat2 ++ vld1.8 {$in1},[$inp],#16 ++ aese $dat0,q14 ++ aesmc $dat0,$dat0 ++ aese $dat1,q14 ++ aesmc $dat1,$dat1 ++ aese $dat2,q14 ++ aesmc $dat2,$dat2 ++ vld1.8 {$in2},[$inp],#16 ++ aese $dat0,q15 ++ aese $dat1,q15 ++ aese $dat2,q15 ++ vld1.32 {q8},[$key_],#16 // re-pre-load rndkey[0] ++ add $cnt,$rounds,#2 ++ veor $tmp0,$rndlast,$dat0 ++ veor $tmp1,$rndlast,$dat1 ++ veor $dat2,$dat2,$rndlast ++ vld1.32 {q9},[$key_],#16 // re-pre-load rndkey[1] ++ vst1.8 {$tmp0},[$out],#16 ++ vorr $dat0,$in0,$in0 ++ vst1.8 {$tmp1},[$out],#16 ++ vorr $dat1,$in1,$in1 ++ vst1.8 {$dat2},[$out],#16 ++ vorr $dat2,$in2,$in2 ++ b.hs .Loop3x_ecb_enc ++ ++ cmn $len,#0x30 ++ b.eq .Lecb_done ++ nop ++ ++.Lecb_enc_tail: ++ aese $dat1,q8 ++ aesmc $dat1,$dat1 ++ aese $dat2,q8 ++ aesmc $dat2,$dat2 ++ vld1.32 {q8},[$key_],#16 ++ subs $cnt,$cnt,#2 ++ aese $dat1,q9 ++ aesmc $dat1,$dat1 ++ aese $dat2,q9 ++ aesmc $dat2,$dat2 ++ vld1.32 {q9},[$key_],#16 ++ b.gt .Lecb_enc_tail ++ ++ aese $dat1,q8 ++ aesmc $dat1,$dat1 ++ aese $dat2,q8 ++ aesmc $dat2,$dat2 ++ aese $dat1,q9 ++ aesmc $dat1,$dat1 ++ aese $dat2,q9 ++ aesmc $dat2,$dat2 ++ aese $dat1,q12 ++ aesmc $dat1,$dat1 ++ aese $dat2,q12 ++ aesmc $dat2,$dat2 ++ cmn $len,#0x20 ++ aese $dat1,q13 ++ aesmc $dat1,$dat1 ++ aese $dat2,q13 ++ aesmc $dat2,$dat2 ++ aese $dat1,q14 ++ aesmc $dat1,$dat1 ++ aese $dat2,q14 ++ aesmc $dat2,$dat2 ++ aese $dat1,q15 ++ aese $dat2,q15 ++ b.eq .Lecb_enc_one ++ veor $tmp1,$rndlast,$dat1 ++ veor $tmp2,$rndlast,$dat2 ++ vst1.8 {$tmp1},[$out],#16 ++ vst1.8 {$tmp2},[$out],#16 ++ b .Lecb_done ++ ++.Lecb_enc_one: ++ veor $tmp1,$rndlast,$dat2 ++ vst1.8 {$tmp1},[$out],#16 ++ b .Lecb_done ++___ ++ ++$code.=<<___; ++.align 5 ++.Lecb_dec: ++ vld1.8 {$dat1},[$inp],#16 ++ subs $len,$len,#32 // bias ++ add $cnt,$rounds,#2 ++ vorr $in1,$dat1,$dat1 ++ vorr $dat2,$dat1,$dat1 ++ vorr $dat1,$dat,$dat ++ b.lo .Lecb_dec_tail ++ ++ vorr $dat1,$in1,$in1 ++ vld1.8 {$dat2},[$inp],#16 ++___ ++$code.=<<___ if ($flavour =~ /64/); ++ cmp $len,#32 ++ b.lo .Loop3x_ecb_dec ++ ++ vld1.8 {$dat3},[$inp],#16 ++ vld1.8 {$dat4},[$inp],#16 ++ sub $len,$len,#32 // bias ++ mov $cnt,$rounds ++ ++.Loop5x_ecb_dec: ++ aesd $dat0,q8 ++ aesimc $dat0,$dat0 ++ aesd $dat1,q8 ++ aesimc $dat1,$dat1 ++ aesd $dat2,q8 ++ aesimc $dat2,$dat2 ++ aesd $dat3,q8 ++ aesimc $dat3,$dat3 ++ aesd $dat4,q8 ++ aesimc $dat4,$dat4 ++ vld1.32 {q8},[$key_],#16 ++ subs $cnt,$cnt,#2 ++ aesd $dat0,q9 ++ aesimc $dat0,$dat0 ++ aesd $dat1,q9 ++ aesimc $dat1,$dat1 ++ aesd $dat2,q9 ++ aesimc $dat2,$dat2 ++ aesd $dat3,q9 ++ aesimc $dat3,$dat3 ++ aesd $dat4,q9 ++ aesimc $dat4,$dat4 ++ vld1.32 {q9},[$key_],#16 ++ b.gt .Loop5x_ecb_dec ++ ++ aesd $dat0,q8 ++ aesimc $dat0,$dat0 ++ aesd $dat1,q8 ++ aesimc $dat1,$dat1 ++ aesd $dat2,q8 ++ aesimc $dat2,$dat2 ++ aesd $dat3,q8 ++ aesimc $dat3,$dat3 ++ aesd $dat4,q8 ++ aesimc $dat4,$dat4 ++ cmp $len,#0x40 // because .Lecb_tail4x ++ sub $len,$len,#0x50 ++ ++ aesd $dat0,q9 ++ aesimc $dat0,$dat0 ++ aesd $dat1,q9 ++ aesimc $dat1,$dat1 ++ aesd $dat2,q9 ++ aesimc $dat2,$dat2 ++ aesd $dat3,q9 ++ aesimc $dat3,$dat3 ++ aesd $dat4,q9 ++ aesimc $dat4,$dat4 ++ csel x6,xzr,$len,gt // borrow x6, $cnt, "gt" is not typo ++ mov $key_,$key ++ ++ aesd $dat0,q10 ++ aesimc $dat0,$dat0 ++ aesd $dat1,q10 ++ aesimc $dat1,$dat1 ++ aesd $dat2,q10 ++ aesimc $dat2,$dat2 ++ aesd $dat3,q10 ++ aesimc $dat3,$dat3 ++ aesd $dat4,q10 ++ aesimc $dat4,$dat4 ++ add $inp,$inp,x6 // $inp is adjusted in such way that ++ // at exit from the loop $dat1-$dat4 ++ // are loaded with last "words" ++ add x6,$len,#0x60 // because .Lecb_tail4x ++ ++ aesd $dat0,q11 ++ aesimc $dat0,$dat0 ++ aesd $dat1,q11 ++ aesimc $dat1,$dat1 ++ aesd $dat2,q11 ++ aesimc $dat2,$dat2 ++ aesd $dat3,q11 ++ aesimc $dat3,$dat3 ++ aesd $dat4,q11 ++ aesimc $dat4,$dat4 ++ ++ aesd $dat0,q12 ++ aesimc $dat0,$dat0 ++ aesd $dat1,q12 ++ aesimc $dat1,$dat1 ++ aesd $dat2,q12 ++ aesimc $dat2,$dat2 ++ aesd $dat3,q12 ++ aesimc $dat3,$dat3 ++ aesd $dat4,q12 ++ aesimc $dat4,$dat4 ++ ++ aesd $dat0,q13 ++ aesimc $dat0,$dat0 ++ aesd $dat1,q13 ++ aesimc $dat1,$dat1 ++ aesd $dat2,q13 ++ aesimc $dat2,$dat2 ++ aesd $dat3,q13 ++ aesimc $dat3,$dat3 ++ aesd $dat4,q13 ++ aesimc $dat4,$dat4 ++ ++ aesd $dat0,q14 ++ aesimc $dat0,$dat0 ++ aesd $dat1,q14 ++ aesimc $dat1,$dat1 ++ aesd $dat2,q14 ++ aesimc $dat2,$dat2 ++ aesd $dat3,q14 ++ aesimc $dat3,$dat3 ++ aesd $dat4,q14 ++ aesimc $dat4,$dat4 ++ ++ aesd $dat0,q15 ++ vld1.8 {$in0},[$inp],#16 ++ aesd $dat1,q15 ++ vld1.8 {$in1},[$inp],#16 ++ aesd $dat2,q15 ++ vld1.8 {$in2},[$inp],#16 ++ aesd $dat3,q15 ++ vld1.8 {$in3},[$inp],#16 ++ aesd $dat4,q15 ++ vld1.8 {$in4},[$inp],#16 ++ cbz x6,.Lecb_tail4x ++ vld1.32 {q8},[$key_],#16 // re-pre-load rndkey[0] ++ veor $tmp0,$rndlast,$dat0 ++ vorr $dat0,$in0,$in0 ++ veor $tmp1,$rndlast,$dat1 ++ vorr $dat1,$in1,$in1 ++ veor $tmp2,$rndlast,$dat2 ++ vorr $dat2,$in2,$in2 ++ veor $tmp3,$rndlast,$dat3 ++ vorr $dat3,$in3,$in3 ++ veor $tmp4,$rndlast,$dat4 ++ vst1.8 {$tmp0},[$out],#16 ++ vorr $dat4,$in4,$in4 ++ vst1.8 {$tmp1},[$out],#16 ++ mov $cnt,$rounds ++ vst1.8 {$tmp2},[$out],#16 ++ vld1.32 {q9},[$key_],#16 // re-pre-load rndkey[1] ++ vst1.8 {$tmp3},[$out],#16 ++ vst1.8 {$tmp4},[$out],#16 ++ b.hs .Loop5x_ecb_dec ++ ++ add $len,$len,#0x50 ++ cbz $len,.Lecb_done ++ ++ add $cnt,$rounds,#2 ++ subs $len,$len,#0x30 ++ vorr $dat0,$in2,$in2 ++ vorr $dat1,$in3,$in3 ++ vorr $dat2,$in4,$in4 ++ b.lo .Lecb_dec_tail ++ ++ b .Loop3x_ecb_dec ++ ++.align 4 ++.Lecb_tail4x: ++ veor $tmp1,$rndlast,$dat1 ++ veor $tmp2,$rndlast,$dat2 ++ veor $tmp3,$rndlast,$dat3 ++ veor $tmp4,$rndlast,$dat4 ++ vst1.8 {$tmp1},[$out],#16 ++ vst1.8 {$tmp2},[$out],#16 ++ vst1.8 {$tmp3},[$out],#16 ++ vst1.8 {$tmp4},[$out],#16 ++ ++ b .Lecb_done ++.align 4 ++___ ++$code.=<<___; ++.Loop3x_ecb_dec: ++ aesd $dat0,q8 ++ aesimc $dat0,$dat0 ++ aesd $dat1,q8 ++ aesimc $dat1,$dat1 ++ aesd $dat2,q8 ++ aesimc $dat2,$dat2 ++ vld1.32 {q8},[$key_],#16 ++ subs $cnt,$cnt,#2 ++ aesd $dat0,q9 ++ aesimc $dat0,$dat0 ++ aesd $dat1,q9 ++ aesimc $dat1,$dat1 ++ aesd $dat2,q9 ++ aesimc $dat2,$dat2 ++ vld1.32 {q9},[$key_],#16 ++ b.gt .Loop3x_ecb_dec ++ ++ aesd $dat0,q8 ++ aesimc $dat0,$dat0 ++ aesd $dat1,q8 ++ aesimc $dat1,$dat1 ++ aesd $dat2,q8 ++ aesimc $dat2,$dat2 ++ subs $len,$len,#0x30 ++ mov.lo x6,$len // x6, $cnt, is zero at this point ++ aesd $dat0,q9 ++ aesimc $dat0,$dat0 ++ aesd $dat1,q9 ++ aesimc $dat1,$dat1 ++ aesd $dat2,q9 ++ aesimc $dat2,$dat2 ++ add $inp,$inp,x6 // $inp is adjusted in such way that ++ // at exit from the loop $dat1-$dat2 ++ // are loaded with last "words" ++ mov $key_,$key ++ aesd $dat0,q12 ++ aesimc $dat0,$dat0 ++ aesd $dat1,q12 ++ aesimc $dat1,$dat1 ++ aesd $dat2,q12 ++ aesimc $dat2,$dat2 ++ vld1.8 {$in0},[$inp],#16 ++ aesd $dat0,q13 ++ aesimc $dat0,$dat0 ++ aesd $dat1,q13 ++ aesimc $dat1,$dat1 ++ aesd $dat2,q13 ++ aesimc $dat2,$dat2 ++ vld1.8 {$in1},[$inp],#16 ++ aesd $dat0,q14 ++ aesimc $dat0,$dat0 ++ aesd $dat1,q14 ++ aesimc $dat1,$dat1 ++ aesd $dat2,q14 ++ aesimc $dat2,$dat2 ++ vld1.8 {$in2},[$inp],#16 ++ aesd $dat0,q15 ++ aesd $dat1,q15 ++ aesd $dat2,q15 ++ vld1.32 {q8},[$key_],#16 // re-pre-load rndkey[0] ++ add $cnt,$rounds,#2 ++ veor $tmp0,$rndlast,$dat0 ++ veor $tmp1,$rndlast,$dat1 ++ veor $dat2,$dat2,$rndlast ++ vld1.32 {q9},[$key_],#16 // re-pre-load rndkey[1] ++ vst1.8 {$tmp0},[$out],#16 ++ vorr $dat0,$in0,$in0 ++ vst1.8 {$tmp1},[$out],#16 ++ vorr $dat1,$in1,$in1 ++ vst1.8 {$dat2},[$out],#16 ++ vorr $dat2,$in2,$in2 ++ b.hs .Loop3x_ecb_dec ++ ++ cmn $len,#0x30 ++ b.eq .Lecb_done ++ nop ++ ++.Lecb_dec_tail: ++ aesd $dat1,q8 ++ aesimc $dat1,$dat1 ++ aesd $dat2,q8 ++ aesimc $dat2,$dat2 ++ vld1.32 {q8},[$key_],#16 ++ subs $cnt,$cnt,#2 ++ aesd $dat1,q9 ++ aesimc $dat1,$dat1 ++ aesd $dat2,q9 ++ aesimc $dat2,$dat2 ++ vld1.32 {q9},[$key_],#16 ++ b.gt .Lecb_dec_tail ++ ++ aesd $dat1,q8 ++ aesimc $dat1,$dat1 ++ aesd $dat2,q8 ++ aesimc $dat2,$dat2 ++ aesd $dat1,q9 ++ aesimc $dat1,$dat1 ++ aesd $dat2,q9 ++ aesimc $dat2,$dat2 ++ aesd $dat1,q12 ++ aesimc $dat1,$dat1 ++ aesd $dat2,q12 ++ aesimc $dat2,$dat2 ++ cmn $len,#0x20 ++ aesd $dat1,q13 ++ aesimc $dat1,$dat1 ++ aesd $dat2,q13 ++ aesimc $dat2,$dat2 ++ aesd $dat1,q14 ++ aesimc $dat1,$dat1 ++ aesd $dat2,q14 ++ aesimc $dat2,$dat2 ++ aesd $dat1,q15 ++ aesd $dat2,q15 ++ b.eq .Lecb_dec_one ++ veor $tmp1,$rndlast,$dat1 ++ veor $tmp2,$rndlast,$dat2 ++ vst1.8 {$tmp1},[$out],#16 ++ vst1.8 {$tmp2},[$out],#16 ++ b .Lecb_done ++ ++.Lecb_dec_one: ++ veor $tmp1,$rndlast,$dat2 ++ vst1.8 {$tmp1},[$out],#16 ++ ++.Lecb_done: ++___ ++} ++$code.=<<___ if ($flavour !~ /64/); ++ vldmia sp!,{d8-d15} ++ ldmia sp!,{r4-r8,pc} ++___ ++$code.=<<___ if ($flavour =~ /64/); ++ ldr x29,[sp],#16 ++___ ++$code.=<<___ if ($flavour =~ /64/); ++.Lecb_Final_abort: ++ ret ++___ ++$code.=<<___; ++.size ${prefix}_ecb_encrypt,.-${prefix}_ecb_encrypt ++___ ++}}} + {{{ + my ($inp,$out,$len,$key,$ivp)=map("x$_",(0..4)); my $enc="w5"; + my ($rounds,$cnt,$key_,$step,$step1)=($enc,"w6","x7","x8","x12"); +@@ -519,6 +1377,13 @@ $code.=<<___; + ___ + { + my ($dat2,$in2,$tmp2)=map("q$_",(10,11,9)); ++ ++my ($dat3,$in3,$tmp3); # used only in 64-bit mode ++my ($dat4,$in4,$tmp4); ++if ($flavour =~ /64/) { ++ ($dat2,$dat3,$dat4,$in2,$in3,$in4,$tmp3,$tmp4)=map("q$_",(16..23)); ++} ++ + $code.=<<___; + .align 5 + .Lcbc_dec: +@@ -535,7 +1400,196 @@ $code.=<<___; + vorr $in0,$dat,$dat + vorr $in1,$dat1,$dat1 + vorr $in2,$dat2,$dat2 ++___ ++$code.=<<___ if ($flavour =~ /64/); ++ cmp $len,#32 ++ b.lo .Loop3x_cbc_dec ++ ++ vld1.8 {$dat3},[$inp],#16 ++ vld1.8 {$dat4},[$inp],#16 ++ sub $len,$len,#32 // bias ++ mov $cnt,$rounds ++ vorr $in3,$dat3,$dat3 ++ vorr $in4,$dat4,$dat4 ++ ++.Loop5x_cbc_dec: ++ aesd $dat0,q8 ++ aesimc $dat0,$dat0 ++ aesd $dat1,q8 ++ aesimc $dat1,$dat1 ++ aesd $dat2,q8 ++ aesimc $dat2,$dat2 ++ aesd $dat3,q8 ++ aesimc $dat3,$dat3 ++ aesd $dat4,q8 ++ aesimc $dat4,$dat4 ++ vld1.32 {q8},[$key_],#16 ++ subs $cnt,$cnt,#2 ++ aesd $dat0,q9 ++ aesimc $dat0,$dat0 ++ aesd $dat1,q9 ++ aesimc $dat1,$dat1 ++ aesd $dat2,q9 ++ aesimc $dat2,$dat2 ++ aesd $dat3,q9 ++ aesimc $dat3,$dat3 ++ aesd $dat4,q9 ++ aesimc $dat4,$dat4 ++ vld1.32 {q9},[$key_],#16 ++ b.gt .Loop5x_cbc_dec ++ ++ aesd $dat0,q8 ++ aesimc $dat0,$dat0 ++ aesd $dat1,q8 ++ aesimc $dat1,$dat1 ++ aesd $dat2,q8 ++ aesimc $dat2,$dat2 ++ aesd $dat3,q8 ++ aesimc $dat3,$dat3 ++ aesd $dat4,q8 ++ aesimc $dat4,$dat4 ++ cmp $len,#0x40 // because .Lcbc_tail4x ++ sub $len,$len,#0x50 ++ ++ aesd $dat0,q9 ++ aesimc $dat0,$dat0 ++ aesd $dat1,q9 ++ aesimc $dat1,$dat1 ++ aesd $dat2,q9 ++ aesimc $dat2,$dat2 ++ aesd $dat3,q9 ++ aesimc $dat3,$dat3 ++ aesd $dat4,q9 ++ aesimc $dat4,$dat4 ++ csel x6,xzr,$len,gt // borrow x6, $cnt, "gt" is not typo ++ mov $key_,$key ++ ++ aesd $dat0,q10 ++ aesimc $dat0,$dat0 ++ aesd $dat1,q10 ++ aesimc $dat1,$dat1 ++ aesd $dat2,q10 ++ aesimc $dat2,$dat2 ++ aesd $dat3,q10 ++ aesimc $dat3,$dat3 ++ aesd $dat4,q10 ++ aesimc $dat4,$dat4 ++ add $inp,$inp,x6 // $inp is adjusted in such way that ++ // at exit from the loop $dat1-$dat4 ++ // are loaded with last "words" ++ add x6,$len,#0x60 // because .Lcbc_tail4x ++ ++ aesd $dat0,q11 ++ aesimc $dat0,$dat0 ++ aesd $dat1,q11 ++ aesimc $dat1,$dat1 ++ aesd $dat2,q11 ++ aesimc $dat2,$dat2 ++ aesd $dat3,q11 ++ aesimc $dat3,$dat3 ++ aesd $dat4,q11 ++ aesimc $dat4,$dat4 ++ ++ aesd $dat0,q12 ++ aesimc $dat0,$dat0 ++ aesd $dat1,q12 ++ aesimc $dat1,$dat1 ++ aesd $dat2,q12 ++ aesimc $dat2,$dat2 ++ aesd $dat3,q12 ++ aesimc $dat3,$dat3 ++ aesd $dat4,q12 ++ aesimc $dat4,$dat4 ++ ++ aesd $dat0,q13 ++ aesimc $dat0,$dat0 ++ aesd $dat1,q13 ++ aesimc $dat1,$dat1 ++ aesd $dat2,q13 ++ aesimc $dat2,$dat2 ++ aesd $dat3,q13 ++ aesimc $dat3,$dat3 ++ aesd $dat4,q13 ++ aesimc $dat4,$dat4 ++ ++ aesd $dat0,q14 ++ aesimc $dat0,$dat0 ++ aesd $dat1,q14 ++ aesimc $dat1,$dat1 ++ aesd $dat2,q14 ++ aesimc $dat2,$dat2 ++ aesd $dat3,q14 ++ aesimc $dat3,$dat3 ++ aesd $dat4,q14 ++ aesimc $dat4,$dat4 + ++ veor $tmp0,$ivec,$rndlast ++ aesd $dat0,q15 ++ veor $tmp1,$in0,$rndlast ++ vld1.8 {$in0},[$inp],#16 ++ aesd $dat1,q15 ++ veor $tmp2,$in1,$rndlast ++ vld1.8 {$in1},[$inp],#16 ++ aesd $dat2,q15 ++ veor $tmp3,$in2,$rndlast ++ vld1.8 {$in2},[$inp],#16 ++ aesd $dat3,q15 ++ veor $tmp4,$in3,$rndlast ++ vld1.8 {$in3},[$inp],#16 ++ aesd $dat4,q15 ++ vorr $ivec,$in4,$in4 ++ vld1.8 {$in4},[$inp],#16 ++ cbz x6,.Lcbc_tail4x ++ vld1.32 {q8},[$key_],#16 // re-pre-load rndkey[0] ++ veor $tmp0,$tmp0,$dat0 ++ vorr $dat0,$in0,$in0 ++ veor $tmp1,$tmp1,$dat1 ++ vorr $dat1,$in1,$in1 ++ veor $tmp2,$tmp2,$dat2 ++ vorr $dat2,$in2,$in2 ++ veor $tmp3,$tmp3,$dat3 ++ vorr $dat3,$in3,$in3 ++ veor $tmp4,$tmp4,$dat4 ++ vst1.8 {$tmp0},[$out],#16 ++ vorr $dat4,$in4,$in4 ++ vst1.8 {$tmp1},[$out],#16 ++ mov $cnt,$rounds ++ vst1.8 {$tmp2},[$out],#16 ++ vld1.32 {q9},[$key_],#16 // re-pre-load rndkey[1] ++ vst1.8 {$tmp3},[$out],#16 ++ vst1.8 {$tmp4},[$out],#16 ++ b.hs .Loop5x_cbc_dec ++ ++ add $len,$len,#0x50 ++ cbz $len,.Lcbc_done ++ ++ add $cnt,$rounds,#2 ++ subs $len,$len,#0x30 ++ vorr $dat0,$in2,$in2 ++ vorr $in0,$in2,$in2 ++ vorr $dat1,$in3,$in3 ++ vorr $in1,$in3,$in3 ++ vorr $dat2,$in4,$in4 ++ vorr $in2,$in4,$in4 ++ b.lo .Lcbc_dec_tail ++ ++ b .Loop3x_cbc_dec ++ ++.align 4 ++.Lcbc_tail4x: ++ veor $tmp1,$tmp0,$dat1 ++ veor $tmp2,$tmp2,$dat2 ++ veor $tmp3,$tmp3,$dat3 ++ veor $tmp4,$tmp4,$dat4 ++ vst1.8 {$tmp1},[$out],#16 ++ vst1.8 {$tmp2},[$out],#16 ++ vst1.8 {$tmp3},[$out],#16 ++ vst1.8 {$tmp4},[$out],#16 ++ ++ b .Lcbc_done ++.align 4 ++___ ++$code.=<<___; + .Loop3x_cbc_dec: + aesd $dat0,q8 + aesimc $dat0,$dat0 +@@ -696,6 +1750,9 @@ my $step="x12"; # aliases with $tctr2 + my ($dat0,$dat1,$in0,$in1,$tmp0,$tmp1,$ivec,$rndlast)=map("q$_",(0..7)); + my ($dat2,$in2,$tmp2)=map("q$_",(10,11,9)); + ++# used only in 64-bit mode... ++my ($dat3,$dat4,$in3,$in4)=map("q$_",(16..23)); ++ + my ($dat,$tmp)=($dat0,$tmp0); + + ### q8-q15 preloaded key schedule +@@ -751,6 +1808,175 @@ $code.=<<___; + vmov.32 ${ivec}[3],$tctr2 + sub $len,$len,#3 // bias + vorr $dat2,$ivec,$ivec ++___ ++$code.=<<___ if ($flavour =~ /64/); ++ cmp $len,#2 ++ b.lo .Loop3x_ctr32 ++ ++ add w13,$ctr,#1 ++ add w14,$ctr,#2 ++ vorr $dat3,$dat0,$dat0 ++ rev w13,w13 ++ vorr $dat4,$dat0,$dat0 ++ rev w14,w14 ++ vmov.32 ${dat3}[3],w13 ++ sub $len,$len,#2 // bias ++ vmov.32 ${dat4}[3],w14 ++ add $ctr,$ctr,#2 ++ b .Loop5x_ctr32 ++ ++.align 4 ++.Loop5x_ctr32: ++ aese $dat0,q8 ++ aesmc $dat0,$dat0 ++ aese $dat1,q8 ++ aesmc $dat1,$dat1 ++ aese $dat2,q8 ++ aesmc $dat2,$dat2 ++ aese $dat3,q8 ++ aesmc $dat3,$dat3 ++ aese $dat4,q8 ++ aesmc $dat4,$dat4 ++ vld1.32 {q8},[$key_],#16 ++ subs $cnt,$cnt,#2 ++ aese $dat0,q9 ++ aesmc $dat0,$dat0 ++ aese $dat1,q9 ++ aesmc $dat1,$dat1 ++ aese $dat2,q9 ++ aesmc $dat2,$dat2 ++ aese $dat3,q9 ++ aesmc $dat3,$dat3 ++ aese $dat4,q9 ++ aesmc $dat4,$dat4 ++ vld1.32 {q9},[$key_],#16 ++ b.gt .Loop5x_ctr32 ++ ++ mov $key_,$key ++ aese $dat0,q8 ++ aesmc $dat0,$dat0 ++ aese $dat1,q8 ++ aesmc $dat1,$dat1 ++ aese $dat2,q8 ++ aesmc $dat2,$dat2 ++ aese $dat3,q8 ++ aesmc $dat3,$dat3 ++ aese $dat4,q8 ++ aesmc $dat4,$dat4 ++ vld1.32 {q8},[$key_],#16 // re-pre-load rndkey[0] ++ ++ aese $dat0,q9 ++ aesmc $dat0,$dat0 ++ aese $dat1,q9 ++ aesmc $dat1,$dat1 ++ aese $dat2,q9 ++ aesmc $dat2,$dat2 ++ aese $dat3,q9 ++ aesmc $dat3,$dat3 ++ aese $dat4,q9 ++ aesmc $dat4,$dat4 ++ vld1.32 {q9},[$key_],#16 // re-pre-load rndkey[1] ++ ++ aese $dat0,q12 ++ aesmc $dat0,$dat0 ++ add $tctr0,$ctr,#1 ++ add $tctr1,$ctr,#2 ++ aese $dat1,q12 ++ aesmc $dat1,$dat1 ++ add $tctr2,$ctr,#3 ++ add w13,$ctr,#4 ++ aese $dat2,q12 ++ aesmc $dat2,$dat2 ++ add w14,$ctr,#5 ++ rev $tctr0,$tctr0 ++ aese $dat3,q12 ++ aesmc $dat3,$dat3 ++ rev $tctr1,$tctr1 ++ rev $tctr2,$tctr2 ++ aese $dat4,q12 ++ aesmc $dat4,$dat4 ++ rev w13,w13 ++ rev w14,w14 ++ ++ aese $dat0,q13 ++ aesmc $dat0,$dat0 ++ aese $dat1,q13 ++ aesmc $dat1,$dat1 ++ aese $dat2,q13 ++ aesmc $dat2,$dat2 ++ aese $dat3,q13 ++ aesmc $dat3,$dat3 ++ aese $dat4,q13 ++ aesmc $dat4,$dat4 ++ ++ aese $dat0,q14 ++ aesmc $dat0,$dat0 ++ vld1.8 {$in0},[$inp],#16 ++ aese $dat1,q14 ++ aesmc $dat1,$dat1 ++ vld1.8 {$in1},[$inp],#16 ++ aese $dat2,q14 ++ aesmc $dat2,$dat2 ++ vld1.8 {$in2},[$inp],#16 ++ aese $dat3,q14 ++ aesmc $dat3,$dat3 ++ vld1.8 {$in3},[$inp],#16 ++ aese $dat4,q14 ++ aesmc $dat4,$dat4 ++ vld1.8 {$in4},[$inp],#16 ++ ++ aese $dat0,q15 ++ veor $in0,$in0,$rndlast ++ aese $dat1,q15 ++ veor $in1,$in1,$rndlast ++ aese $dat2,q15 ++ veor $in2,$in2,$rndlast ++ aese $dat3,q15 ++ veor $in3,$in3,$rndlast ++ aese $dat4,q15 ++ veor $in4,$in4,$rndlast ++ ++ veor $in0,$in0,$dat0 ++ vorr $dat0,$ivec,$ivec ++ veor $in1,$in1,$dat1 ++ vorr $dat1,$ivec,$ivec ++ veor $in2,$in2,$dat2 ++ vorr $dat2,$ivec,$ivec ++ veor $in3,$in3,$dat3 ++ vorr $dat3,$ivec,$ivec ++ veor $in4,$in4,$dat4 ++ vorr $dat4,$ivec,$ivec ++ ++ vst1.8 {$in0},[$out],#16 ++ vmov.32 ${dat0}[3],$tctr0 ++ vst1.8 {$in1},[$out],#16 ++ vmov.32 ${dat1}[3],$tctr1 ++ vst1.8 {$in2},[$out],#16 ++ vmov.32 ${dat2}[3],$tctr2 ++ vst1.8 {$in3},[$out],#16 ++ vmov.32 ${dat3}[3],w13 ++ vst1.8 {$in4},[$out],#16 ++ vmov.32 ${dat4}[3],w14 ++ ++ mov $cnt,$rounds ++ cbz $len,.Lctr32_done ++ ++ add $ctr,$ctr,#5 ++ subs $len,$len,#5 ++ b.hs .Loop5x_ctr32 ++ ++ add $len,$len,#5 ++ sub $ctr,$ctr,#5 ++ ++ cmp $len,#2 ++ mov $step,#16 ++ cclr $step,lo ++ b.ls .Lctr32_tail ++ ++ sub $len,$len,#3 // bias ++ add $ctr,$ctr,#3 ++___ ++$code.=<<___; + b .Loop3x_ctr32 + + .align 4 +@@ -905,6 +2131,1432 @@ $code.=<<___; + .size ${prefix}_ctr32_encrypt_blocks,.-${prefix}_ctr32_encrypt_blocks + ___ + }}} ++# Performance in cycles per byte. ++# Processed with AES-XTS different key size. ++# It shows the value before and after optimization as below: ++# (before/after): ++# ++# AES-128-XTS AES-256-XTS ++# Cortex-A57 3.36/1.09 4.02/1.37 ++# Cortex-A72 3.03/1.02 3.28/1.33 ++ ++# Optimization is implemented by loop unrolling and interleaving. ++# Commonly, we choose the unrolling factor as 5, if the input ++# data size smaller than 5 blocks, but not smaller than 3 blocks, ++# choose 3 as the unrolling factor. ++# If the input data size dsize >= 5*16 bytes, then take 5 blocks ++# as one iteration, every loop the left size lsize -= 5*16. ++# If lsize < 5*16 bytes, treat them as the tail. Note: left 4*16 bytes ++# will be processed specially, which be integrated into the 5*16 bytes ++# loop to improve the efficiency. ++# There is one special case, if the original input data size dsize ++# = 16 bytes, we will treat it seperately to improve the ++# performance: one independent code block without LR, FP load and ++# store. ++# Encryption will process the (length -tailcnt) bytes as mentioned ++# previously, then encrypt the composite block as last second ++# cipher block. ++# Decryption will process the (length -tailcnt -1) bytes as mentioned ++# previously, then decrypt the last second cipher block to get the ++# last plain block(tail), decrypt the composite block as last second ++# plain text block. ++ ++{{{ ++my ($inp,$out,$len,$key1,$key2,$ivp)=map("x$_",(0..5)); ++my ($rounds0,$rounds,$key_,$step,$ivl,$ivh)=("w5","w6","x7","x8","x9","x10"); ++my ($tmpoutp,$loutp,$l2outp,$tmpinp)=("x13","w14","w15","x20"); ++my ($tailcnt,$midnum,$midnumx,$constnum,$constnumx)=("x21","w22","x22","w19","x19"); ++my ($xoffset,$tmpmx,$tmpmw)=("x6","x11","w11"); ++my ($dat0,$dat1,$in0,$in1,$tmp0,$tmp1,$tmp2,$rndlast)=map("q$_",(0..7)); ++my ($iv0,$iv1,$iv2,$iv3,$iv4)=("v6.16b","v8.16b","v9.16b","v10.16b","v11.16b"); ++my ($ivd00,$ivd01,$ivd20,$ivd21)=("d6","v6.d[1]","d9","v9.d[1]"); ++my ($ivd10,$ivd11,$ivd30,$ivd31,$ivd40,$ivd41)=("d8","v8.d[1]","d10","v10.d[1]","d11","v11.d[1]"); ++ ++my ($tmpin)=("v26.16b"); ++my ($dat,$tmp,$rndzero_n_last)=($dat0,$tmp0,$tmp1); ++ ++# q7 last round key ++# q10-q15, q7 Last 7 round keys ++# q8-q9 preloaded round keys except last 7 keys for big size ++# q20, q21, q8-q9 preloaded round keys except last 7 keys for only 16 byte ++ ++ ++my ($dat2,$in2,$tmp2)=map("q$_",(10,11,9)); ++ ++my ($dat3,$in3,$tmp3); # used only in 64-bit mode ++my ($dat4,$in4,$tmp4); ++if ($flavour =~ /64/) { ++ ($dat2,$dat3,$dat4,$in2,$in3,$in4,$tmp3,$tmp4)=map("q$_",(16..23)); ++} ++ ++$code.=<<___ if ($flavour =~ /64/); ++.globl ${prefix}_xts_encrypt ++.type ${prefix}_xts_encrypt,%function ++.align 5 ++${prefix}_xts_encrypt: ++___ ++$code.=<<___ if ($flavour =~ /64/); ++ cmp $len,#16 ++ // Original input data size bigger than 16, jump to big size processing. ++ b.ne .Lxts_enc_big_size ++ // Encrypt the iv with key2, as the first XEX iv. ++ ldr $rounds,[$key2,#240] ++ vld1.8 {$dat},[$key2],#16 ++ vld1.8 {$iv0},[$ivp] ++ sub $rounds,$rounds,#2 ++ vld1.8 {$dat1},[$key2],#16 ++ ++.Loop_enc_iv_enc: ++ aese $iv0,$dat ++ aesmc $iv0,$iv0 ++ vld1.32 {$dat},[$key2],#16 ++ subs $rounds,$rounds,#2 ++ aese $iv0,$dat1 ++ aesmc $iv0,$iv0 ++ vld1.32 {$dat1},[$key2],#16 ++ b.gt .Loop_enc_iv_enc ++ ++ aese $iv0,$dat ++ aesmc $iv0,$iv0 ++ vld1.32 {$dat},[$key2] ++ aese $iv0,$dat1 ++ veor $iv0,$iv0,$dat ++ ++ vld1.8 {$dat0},[$inp] ++ veor $dat0,$iv0,$dat0 ++ ++ ldr $rounds,[$key1,#240] ++ vld1.32 {q20-q21},[$key1],#32 // load key schedule... ++ ++ aese $dat0,q20 ++ aesmc $dat0,$dat0 ++ vld1.32 {q8-q9},[$key1],#32 // load key schedule... ++ aese $dat0,q21 ++ aesmc $dat0,$dat0 ++ subs $rounds,$rounds,#10 // if rounds==10, jump to aes-128-xts processing ++ b.eq .Lxts_128_enc ++.Lxts_enc_round_loop: ++ aese $dat0,q8 ++ aesmc $dat0,$dat0 ++ vld1.32 {q8},[$key1],#16 // load key schedule... ++ aese $dat0,q9 ++ aesmc $dat0,$dat0 ++ vld1.32 {q9},[$key1],#16 // load key schedule... ++ subs $rounds,$rounds,#2 // bias ++ b.gt .Lxts_enc_round_loop ++.Lxts_128_enc: ++ vld1.32 {q10-q11},[$key1],#32 // load key schedule... ++ aese $dat0,q8 ++ aesmc $dat0,$dat0 ++ aese $dat0,q9 ++ aesmc $dat0,$dat0 ++ vld1.32 {q12-q13},[$key1],#32 // load key schedule... ++ aese $dat0,q10 ++ aesmc $dat0,$dat0 ++ aese $dat0,q11 ++ aesmc $dat0,$dat0 ++ vld1.32 {q14-q15},[$key1],#32 // load key schedule... ++ aese $dat0,q12 ++ aesmc $dat0,$dat0 ++ aese $dat0,q13 ++ aesmc $dat0,$dat0 ++ vld1.32 {$rndlast},[$key1] ++ aese $dat0,q14 ++ aesmc $dat0,$dat0 ++ aese $dat0,q15 ++ veor $dat0,$dat0,$rndlast ++ veor $dat0,$dat0,$iv0 ++ vst1.8 {$dat0},[$out] ++ b .Lxts_enc_final_abort ++ ++.align 4 ++.Lxts_enc_big_size: ++___ ++$code.=<<___ if ($flavour =~ /64/); ++ stp $constnumx,$tmpinp,[sp,#-64]! ++ stp $tailcnt,$midnumx,[sp,#48] ++ stp $ivd10,$ivd20,[sp,#32] ++ stp $ivd30,$ivd40,[sp,#16] ++ ++ // tailcnt store the tail value of length%16. ++ and $tailcnt,$len,#0xf ++ and $len,$len,#-16 ++ subs $len,$len,#16 ++ mov $step,#16 ++ b.lo .Lxts_abort ++ csel $step,xzr,$step,eq ++ ++ // Firstly, encrypt the iv with key2, as the first iv of XEX. ++ ldr $rounds,[$key2,#240] ++ vld1.32 {$dat},[$key2],#16 ++ vld1.8 {$iv0},[$ivp] ++ sub $rounds,$rounds,#2 ++ vld1.32 {$dat1},[$key2],#16 ++ ++.Loop_iv_enc: ++ aese $iv0,$dat ++ aesmc $iv0,$iv0 ++ vld1.32 {$dat},[$key2],#16 ++ subs $rounds,$rounds,#2 ++ aese $iv0,$dat1 ++ aesmc $iv0,$iv0 ++ vld1.32 {$dat1},[$key2],#16 ++ b.gt .Loop_iv_enc ++ ++ aese $iv0,$dat ++ aesmc $iv0,$iv0 ++ vld1.32 {$dat},[$key2] ++ aese $iv0,$dat1 ++ veor $iv0,$iv0,$dat ++ ++ // The iv for second block ++ // $ivl- iv(low), $ivh - iv(high) ++ // the five ivs stored into, $iv0,$iv1,$iv2,$iv3,$iv4 ++ fmov $ivl,$ivd00 ++ fmov $ivh,$ivd01 ++ mov $constnum,#0x87 ++ extr $midnumx,$ivh,$ivh,#32 ++ extr $ivh,$ivh,$ivl,#63 ++ and $tmpmw,$constnum,$midnum,asr#31 ++ eor $ivl,$tmpmx,$ivl,lsl#1 ++ fmov $ivd10,$ivl ++ fmov $ivd11,$ivh ++ ++ ldr $rounds0,[$key1,#240] // next starting point ++ vld1.8 {$dat},[$inp],$step ++ ++ vld1.32 {q8-q9},[$key1] // load key schedule... ++ sub $rounds0,$rounds0,#6 ++ add $key_,$key1,$ivp,lsl#4 // pointer to last 7 round keys ++ sub $rounds0,$rounds0,#2 ++ vld1.32 {q10-q11},[$key_],#32 ++ vld1.32 {q12-q13},[$key_],#32 ++ vld1.32 {q14-q15},[$key_],#32 ++ vld1.32 {$rndlast},[$key_] ++ ++ add $key_,$key1,#32 ++ mov $rounds,$rounds0 ++ ++ // Encryption ++.Lxts_enc: ++ vld1.8 {$dat2},[$inp],#16 ++ subs $len,$len,#32 // bias ++ add $rounds,$rounds0,#2 ++ vorr $in1,$dat,$dat ++ vorr $dat1,$dat,$dat ++ vorr $in3,$dat,$dat ++ vorr $in2,$dat2,$dat2 ++ vorr $in4,$dat2,$dat2 ++ b.lo .Lxts_inner_enc_tail ++ veor $dat,$dat,$iv0 // before encryption, xor with iv ++ veor $dat2,$dat2,$iv1 ++ ++ // The iv for third block ++ extr $midnumx,$ivh,$ivh,#32 ++ extr $ivh,$ivh,$ivl,#63 ++ and $tmpmw,$constnum,$midnum,asr#31 ++ eor $ivl,$tmpmx,$ivl,lsl#1 ++ fmov $ivd20,$ivl ++ fmov $ivd21,$ivh ++ ++ ++ vorr $dat1,$dat2,$dat2 ++ vld1.8 {$dat2},[$inp],#16 ++ vorr $in0,$dat,$dat ++ vorr $in1,$dat1,$dat1 ++ veor $in2,$dat2,$iv2 // the third block ++ veor $dat2,$dat2,$iv2 ++ cmp $len,#32 ++ b.lo .Lxts_outer_enc_tail ++ ++ // The iv for fourth block ++ extr $midnumx,$ivh,$ivh,#32 ++ extr $ivh,$ivh,$ivl,#63 ++ and $tmpmw,$constnum,$midnum,asr#31 ++ eor $ivl,$tmpmx,$ivl,lsl#1 ++ fmov $ivd30,$ivl ++ fmov $ivd31,$ivh ++ ++ vld1.8 {$dat3},[$inp],#16 ++ // The iv for fifth block ++ extr $midnumx,$ivh,$ivh,#32 ++ extr $ivh,$ivh,$ivl,#63 ++ and $tmpmw,$constnum,$midnum,asr#31 ++ eor $ivl,$tmpmx,$ivl,lsl#1 ++ fmov $ivd40,$ivl ++ fmov $ivd41,$ivh ++ ++ vld1.8 {$dat4},[$inp],#16 ++ veor $dat3,$dat3,$iv3 // the fourth block ++ veor $dat4,$dat4,$iv4 ++ sub $len,$len,#32 // bias ++ mov $rounds,$rounds0 ++ b .Loop5x_xts_enc ++ ++.align 4 ++.Loop5x_xts_enc: ++ aese $dat0,q8 ++ aesmc $dat0,$dat0 ++ aese $dat1,q8 ++ aesmc $dat1,$dat1 ++ aese $dat2,q8 ++ aesmc $dat2,$dat2 ++ aese $dat3,q8 ++ aesmc $dat3,$dat3 ++ aese $dat4,q8 ++ aesmc $dat4,$dat4 ++ vld1.32 {q8},[$key_],#16 ++ subs $rounds,$rounds,#2 ++ aese $dat0,q9 ++ aesmc $dat0,$dat0 ++ aese $dat1,q9 ++ aesmc $dat1,$dat1 ++ aese $dat2,q9 ++ aesmc $dat2,$dat2 ++ aese $dat3,q9 ++ aesmc $dat3,$dat3 ++ aese $dat4,q9 ++ aesmc $dat4,$dat4 ++ vld1.32 {q9},[$key_],#16 ++ b.gt .Loop5x_xts_enc ++ ++ aese $dat0,q8 ++ aesmc $dat0,$dat0 ++ aese $dat1,q8 ++ aesmc $dat1,$dat1 ++ aese $dat2,q8 ++ aesmc $dat2,$dat2 ++ aese $dat3,q8 ++ aesmc $dat3,$dat3 ++ aese $dat4,q8 ++ aesmc $dat4,$dat4 ++ subs $len,$len,#0x50 // because .Lxts_enc_tail4x ++ ++ aese $dat0,q9 ++ aesmc $dat0,$dat0 ++ aese $dat1,q9 ++ aesmc $dat1,$dat1 ++ aese $dat2,q9 ++ aesmc $dat2,$dat2 ++ aese $dat3,q9 ++ aesmc $dat3,$dat3 ++ aese $dat4,q9 ++ aesmc $dat4,$dat4 ++ csel $xoffset,xzr,$len,gt // borrow x6, w6, "gt" is not typo ++ mov $key_,$key1 ++ ++ aese $dat0,q10 ++ aesmc $dat0,$dat0 ++ aese $dat1,q10 ++ aesmc $dat1,$dat1 ++ aese $dat2,q10 ++ aesmc $dat2,$dat2 ++ aese $dat3,q10 ++ aesmc $dat3,$dat3 ++ aese $dat4,q10 ++ aesmc $dat4,$dat4 ++ add $inp,$inp,$xoffset // x0 is adjusted in such way that ++ // at exit from the loop v1.16b-v26.16b ++ // are loaded with last "words" ++ add $xoffset,$len,#0x60 // because .Lxts_enc_tail4x ++ ++ aese $dat0,q11 ++ aesmc $dat0,$dat0 ++ aese $dat1,q11 ++ aesmc $dat1,$dat1 ++ aese $dat2,q11 ++ aesmc $dat2,$dat2 ++ aese $dat3,q11 ++ aesmc $dat3,$dat3 ++ aese $dat4,q11 ++ aesmc $dat4,$dat4 ++ ++ aese $dat0,q12 ++ aesmc $dat0,$dat0 ++ aese $dat1,q12 ++ aesmc $dat1,$dat1 ++ aese $dat2,q12 ++ aesmc $dat2,$dat2 ++ aese $dat3,q12 ++ aesmc $dat3,$dat3 ++ aese $dat4,q12 ++ aesmc $dat4,$dat4 ++ ++ aese $dat0,q13 ++ aesmc $dat0,$dat0 ++ aese $dat1,q13 ++ aesmc $dat1,$dat1 ++ aese $dat2,q13 ++ aesmc $dat2,$dat2 ++ aese $dat3,q13 ++ aesmc $dat3,$dat3 ++ aese $dat4,q13 ++ aesmc $dat4,$dat4 ++ ++ aese $dat0,q14 ++ aesmc $dat0,$dat0 ++ aese $dat1,q14 ++ aesmc $dat1,$dat1 ++ aese $dat2,q14 ++ aesmc $dat2,$dat2 ++ aese $dat3,q14 ++ aesmc $dat3,$dat3 ++ aese $dat4,q14 ++ aesmc $dat4,$dat4 ++ ++ veor $tmp0,$rndlast,$iv0 ++ aese $dat0,q15 ++ // The iv for first block of one iteration ++ extr $midnumx,$ivh,$ivh,#32 ++ extr $ivh,$ivh,$ivl,#63 ++ and $tmpmw,$constnum,$midnum,asr#31 ++ eor $ivl,$tmpmx,$ivl,lsl#1 ++ fmov $ivd00,$ivl ++ fmov $ivd01,$ivh ++ veor $tmp1,$rndlast,$iv1 ++ vld1.8 {$in0},[$inp],#16 ++ aese $dat1,q15 ++ // The iv for second block ++ extr $midnumx,$ivh,$ivh,#32 ++ extr $ivh,$ivh,$ivl,#63 ++ and $tmpmw,$constnum,$midnum,asr#31 ++ eor $ivl,$tmpmx,$ivl,lsl#1 ++ fmov $ivd10,$ivl ++ fmov $ivd11,$ivh ++ veor $tmp2,$rndlast,$iv2 ++ vld1.8 {$in1},[$inp],#16 ++ aese $dat2,q15 ++ // The iv for third block ++ extr $midnumx,$ivh,$ivh,#32 ++ extr $ivh,$ivh,$ivl,#63 ++ and $tmpmw,$constnum,$midnum,asr#31 ++ eor $ivl,$tmpmx,$ivl,lsl#1 ++ fmov $ivd20,$ivl ++ fmov $ivd21,$ivh ++ veor $tmp3,$rndlast,$iv3 ++ vld1.8 {$in2},[$inp],#16 ++ aese $dat3,q15 ++ // The iv for fourth block ++ extr $midnumx,$ivh,$ivh,#32 ++ extr $ivh,$ivh,$ivl,#63 ++ and $tmpmw,$constnum,$midnum,asr#31 ++ eor $ivl,$tmpmx,$ivl,lsl#1 ++ fmov $ivd30,$ivl ++ fmov $ivd31,$ivh ++ veor $tmp4,$rndlast,$iv4 ++ vld1.8 {$in3},[$inp],#16 ++ aese $dat4,q15 ++ ++ // The iv for fifth block ++ extr $midnumx,$ivh,$ivh,#32 ++ extr $ivh,$ivh,$ivl,#63 ++ and $tmpmw,$constnum,$midnum,asr #31 ++ eor $ivl,$tmpmx,$ivl,lsl #1 ++ fmov $ivd40,$ivl ++ fmov $ivd41,$ivh ++ ++ vld1.8 {$in4},[$inp],#16 ++ cbz $xoffset,.Lxts_enc_tail4x ++ vld1.32 {q8},[$key_],#16 // re-pre-load rndkey[0] ++ veor $tmp0,$tmp0,$dat0 ++ veor $dat0,$in0,$iv0 ++ veor $tmp1,$tmp1,$dat1 ++ veor $dat1,$in1,$iv1 ++ veor $tmp2,$tmp2,$dat2 ++ veor $dat2,$in2,$iv2 ++ veor $tmp3,$tmp3,$dat3 ++ veor $dat3,$in3,$iv3 ++ veor $tmp4,$tmp4,$dat4 ++ vst1.8 {$tmp0},[$out],#16 ++ veor $dat4,$in4,$iv4 ++ vst1.8 {$tmp1},[$out],#16 ++ mov $rounds,$rounds0 ++ vst1.8 {$tmp2},[$out],#16 ++ vld1.32 {q9},[$key_],#16 // re-pre-load rndkey[1] ++ vst1.8 {$tmp3},[$out],#16 ++ vst1.8 {$tmp4},[$out],#16 ++ b.hs .Loop5x_xts_enc ++ ++ ++ // If left 4 blocks, borrow the five block's processing. ++ cmn $len,#0x10 ++ b.ne .Loop5x_enc_after ++ vorr $iv4,$iv3,$iv3 ++ vorr $iv3,$iv2,$iv2 ++ vorr $iv2,$iv1,$iv1 ++ vorr $iv1,$iv0,$iv0 ++ fmov $ivl,$ivd40 ++ fmov $ivh,$ivd41 ++ veor $dat0,$iv0,$in0 ++ veor $dat1,$iv1,$in1 ++ veor $dat2,$in2,$iv2 ++ veor $dat3,$in3,$iv3 ++ veor $dat4,$in4,$iv4 ++ b.eq .Loop5x_xts_enc ++ ++.Loop5x_enc_after: ++ add $len,$len,#0x50 ++ cbz $len,.Lxts_enc_done ++ ++ add $rounds,$rounds0,#2 ++ subs $len,$len,#0x30 ++ b.lo .Lxts_inner_enc_tail ++ ++ veor $dat0,$iv0,$in2 ++ veor $dat1,$iv1,$in3 ++ veor $dat2,$in4,$iv2 ++ b .Lxts_outer_enc_tail ++ ++.align 4 ++.Lxts_enc_tail4x: ++ add $inp,$inp,#16 ++ veor $tmp1,$dat1,$tmp1 ++ vst1.8 {$tmp1},[$out],#16 ++ veor $tmp2,$dat2,$tmp2 ++ vst1.8 {$tmp2},[$out],#16 ++ veor $tmp3,$dat3,$tmp3 ++ veor $tmp4,$dat4,$tmp4 ++ vst1.8 {$tmp3-$tmp4},[$out],#32 ++ ++ b .Lxts_enc_done ++.align 4 ++.Lxts_outer_enc_tail: ++ aese $dat0,q8 ++ aesmc $dat0,$dat0 ++ aese $dat1,q8 ++ aesmc $dat1,$dat1 ++ aese $dat2,q8 ++ aesmc $dat2,$dat2 ++ vld1.32 {q8},[$key_],#16 ++ subs $rounds,$rounds,#2 ++ aese $dat0,q9 ++ aesmc $dat0,$dat0 ++ aese $dat1,q9 ++ aesmc $dat1,$dat1 ++ aese $dat2,q9 ++ aesmc $dat2,$dat2 ++ vld1.32 {q9},[$key_],#16 ++ b.gt .Lxts_outer_enc_tail ++ ++ aese $dat0,q8 ++ aesmc $dat0,$dat0 ++ aese $dat1,q8 ++ aesmc $dat1,$dat1 ++ aese $dat2,q8 ++ aesmc $dat2,$dat2 ++ veor $tmp0,$iv0,$rndlast ++ subs $len,$len,#0x30 ++ // The iv for first block ++ fmov $ivl,$ivd20 ++ fmov $ivh,$ivd21 ++ //mov $constnum,#0x87 ++ extr $midnumx,$ivh,$ivh,#32 ++ extr $ivh,$ivh,$ivl,#63 ++ and $tmpmw,$constnum,$midnum,asr#31 ++ eor $ivl,$tmpmx,$ivl,lsl#1 ++ fmov $ivd00,$ivl ++ fmov $ivd01,$ivh ++ veor $tmp1,$iv1,$rndlast ++ csel $xoffset,$len,$xoffset,lo // x6, w6, is zero at this point ++ aese $dat0,q9 ++ aesmc $dat0,$dat0 ++ aese $dat1,q9 ++ aesmc $dat1,$dat1 ++ aese $dat2,q9 ++ aesmc $dat2,$dat2 ++ veor $tmp2,$iv2,$rndlast ++ ++ add $xoffset,$xoffset,#0x20 ++ add $inp,$inp,$xoffset ++ mov $key_,$key1 ++ ++ aese $dat0,q12 ++ aesmc $dat0,$dat0 ++ aese $dat1,q12 ++ aesmc $dat1,$dat1 ++ aese $dat2,q12 ++ aesmc $dat2,$dat2 ++ aese $dat0,q13 ++ aesmc $dat0,$dat0 ++ aese $dat1,q13 ++ aesmc $dat1,$dat1 ++ aese $dat2,q13 ++ aesmc $dat2,$dat2 ++ aese $dat0,q14 ++ aesmc $dat0,$dat0 ++ aese $dat1,q14 ++ aesmc $dat1,$dat1 ++ aese $dat2,q14 ++ aesmc $dat2,$dat2 ++ aese $dat0,q15 ++ aese $dat1,q15 ++ aese $dat2,q15 ++ vld1.8 {$in2},[$inp],#16 ++ add $rounds,$rounds0,#2 ++ vld1.32 {q8},[$key_],#16 // re-pre-load rndkey[0] ++ veor $tmp0,$tmp0,$dat0 ++ veor $tmp1,$tmp1,$dat1 ++ veor $dat2,$dat2,$tmp2 ++ vld1.32 {q9},[$key_],#16 // re-pre-load rndkey[1] ++ vst1.8 {$tmp0},[$out],#16 ++ vst1.8 {$tmp1},[$out],#16 ++ vst1.8 {$dat2},[$out],#16 ++ cmn $len,#0x30 ++ b.eq .Lxts_enc_done ++.Lxts_encxor_one: ++ vorr $in3,$in1,$in1 ++ vorr $in4,$in2,$in2 ++ nop ++ ++.Lxts_inner_enc_tail: ++ cmn $len,#0x10 ++ veor $dat1,$in3,$iv0 ++ veor $dat2,$in4,$iv1 ++ b.eq .Lxts_enc_tail_loop ++ veor $dat2,$in4,$iv0 ++.Lxts_enc_tail_loop: ++ aese $dat1,q8 ++ aesmc $dat1,$dat1 ++ aese $dat2,q8 ++ aesmc $dat2,$dat2 ++ vld1.32 {q8},[$key_],#16 ++ subs $rounds,$rounds,#2 ++ aese $dat1,q9 ++ aesmc $dat1,$dat1 ++ aese $dat2,q9 ++ aesmc $dat2,$dat2 ++ vld1.32 {q9},[$key_],#16 ++ b.gt .Lxts_enc_tail_loop ++ ++ aese $dat1,q8 ++ aesmc $dat1,$dat1 ++ aese $dat2,q8 ++ aesmc $dat2,$dat2 ++ aese $dat1,q9 ++ aesmc $dat1,$dat1 ++ aese $dat2,q9 ++ aesmc $dat2,$dat2 ++ aese $dat1,q12 ++ aesmc $dat1,$dat1 ++ aese $dat2,q12 ++ aesmc $dat2,$dat2 ++ cmn $len,#0x20 ++ aese $dat1,q13 ++ aesmc $dat1,$dat1 ++ aese $dat2,q13 ++ aesmc $dat2,$dat2 ++ veor $tmp1,$iv0,$rndlast ++ aese $dat1,q14 ++ aesmc $dat1,$dat1 ++ aese $dat2,q14 ++ aesmc $dat2,$dat2 ++ veor $tmp2,$iv1,$rndlast ++ aese $dat1,q15 ++ aese $dat2,q15 ++ b.eq .Lxts_enc_one ++ veor $tmp1,$tmp1,$dat1 ++ vst1.8 {$tmp1},[$out],#16 ++ veor $tmp2,$tmp2,$dat2 ++ vorr $iv0,$iv1,$iv1 ++ vst1.8 {$tmp2},[$out],#16 ++ fmov $ivl,$ivd10 ++ fmov $ivh,$ivd11 ++ mov $constnum,#0x87 ++ extr $midnumx,$ivh,$ivh,#32 ++ extr $ivh,$ivh,$ivl,#63 ++ and $tmpmw,$constnum,$midnum,asr #31 ++ eor $ivl,$tmpmx,$ivl,lsl #1 ++ fmov $ivd00,$ivl ++ fmov $ivd01,$ivh ++ b .Lxts_enc_done ++ ++.Lxts_enc_one: ++ veor $tmp1,$tmp1,$dat2 ++ vorr $iv0,$iv0,$iv0 ++ vst1.8 {$tmp1},[$out],#16 ++ fmov $ivl,$ivd00 ++ fmov $ivh,$ivd01 ++ mov $constnum,#0x87 ++ extr $midnumx,$ivh,$ivh,#32 ++ extr $ivh,$ivh,$ivl,#63 ++ and $tmpmw,$constnum,$midnum,asr #31 ++ eor $ivl,$tmpmx,$ivl,lsl #1 ++ fmov $ivd00,$ivl ++ fmov $ivd01,$ivh ++ b .Lxts_enc_done ++.align 5 ++.Lxts_enc_done: ++ // Process the tail block with cipher stealing. ++ tst $tailcnt,#0xf ++ b.eq .Lxts_abort ++ ++ mov $tmpinp,$inp ++ mov $tmpoutp,$out ++ sub $out,$out,#16 ++.composite_enc_loop: ++ subs $tailcnt,$tailcnt,#1 ++ ldrb $l2outp,[$out,$tailcnt] ++ ldrb $loutp,[$tmpinp,$tailcnt] ++ strb $l2outp,[$tmpoutp,$tailcnt] ++ strb $loutp,[$out,$tailcnt] ++ b.gt .composite_enc_loop ++.Lxts_enc_load_done: ++ vld1.8 {$tmpin},[$out] ++ veor $tmpin,$tmpin,$iv0 ++ ++ // Encrypt the composite block to get the last second encrypted text block ++ ldr $rounds,[$key1,#240] // load key schedule... ++ vld1.8 {$dat},[$key1],#16 ++ sub $rounds,$rounds,#2 ++ vld1.8 {$dat1},[$key1],#16 // load key schedule... ++.Loop_final_enc: ++ aese $tmpin,$dat0 ++ aesmc $tmpin,$tmpin ++ vld1.32 {$dat0},[$key1],#16 ++ subs $rounds,$rounds,#2 ++ aese $tmpin,$dat1 ++ aesmc $tmpin,$tmpin ++ vld1.32 {$dat1},[$key1],#16 ++ b.gt .Loop_final_enc ++ ++ aese $tmpin,$dat0 ++ aesmc $tmpin,$tmpin ++ vld1.32 {$dat0},[$key1] ++ aese $tmpin,$dat1 ++ veor $tmpin,$tmpin,$dat0 ++ veor $tmpin,$tmpin,$iv0 ++ vst1.8 {$tmpin},[$out] ++ ++.Lxts_abort: ++ ldp $tailcnt,$midnumx,[sp,#48] ++ ldp $ivd10,$ivd20,[sp,#32] ++ ldp $ivd30,$ivd40,[sp,#16] ++ ldp $constnumx,$tmpinp,[sp],#64 ++.Lxts_enc_final_abort: ++ ret ++.size ${prefix}_xts_encrypt,.-${prefix}_xts_encrypt ++___ ++ ++}}} ++{{{ ++my ($inp,$out,$len,$key1,$key2,$ivp)=map("x$_",(0..5)); ++my ($rounds0,$rounds,$key_,$step,$ivl,$ivh)=("w5","w6","x7","x8","x9","x10"); ++my ($tmpoutp,$loutp,$l2outp,$tmpinp)=("x13","w14","w15","x20"); ++my ($tailcnt,$midnum,$midnumx,$constnum,$constnumx)=("x21","w22","x22","w19","x19"); ++my ($xoffset,$tmpmx,$tmpmw)=("x6","x11","w11"); ++my ($dat0,$dat1,$in0,$in1,$tmp0,$tmp1,$tmp2,$rndlast)=map("q$_",(0..7)); ++my ($iv0,$iv1,$iv2,$iv3,$iv4,$tmpin)=("v6.16b","v8.16b","v9.16b","v10.16b","v11.16b","v26.16b"); ++my ($ivd00,$ivd01,$ivd20,$ivd21)=("d6","v6.d[1]","d9","v9.d[1]"); ++my ($ivd10,$ivd11,$ivd30,$ivd31,$ivd40,$ivd41)=("d8","v8.d[1]","d10","v10.d[1]","d11","v11.d[1]"); ++ ++my ($dat,$tmp,$rndzero_n_last)=($dat0,$tmp0,$tmp1); ++ ++# q7 last round key ++# q10-q15, q7 Last 7 round keys ++# q8-q9 preloaded round keys except last 7 keys for big size ++# q20, q21, q8-q9 preloaded round keys except last 7 keys for only 16 byte ++ ++{ ++my ($dat2,$in2,$tmp2)=map("q$_",(10,11,9)); ++ ++my ($dat3,$in3,$tmp3); # used only in 64-bit mode ++my ($dat4,$in4,$tmp4); ++if ($flavour =~ /64/) { ++ ($dat2,$dat3,$dat4,$in2,$in3,$in4,$tmp3,$tmp4)=map("q$_",(16..23)); ++} ++ ++$code.=<<___ if ($flavour =~ /64/); ++.globl ${prefix}_xts_decrypt ++.type ${prefix}_xts_decrypt,%function ++.align 5 ++${prefix}_xts_decrypt: ++___ ++$code.=<<___ if ($flavour =~ /64/); ++ cmp $len,#16 ++ // Original input data size bigger than 16, jump to big size processing. ++ b.ne .Lxts_dec_big_size ++ // Encrypt the iv with key2, as the first XEX iv. ++ ldr $rounds,[$key2,#240] ++ vld1.8 {$dat},[$key2],#16 ++ vld1.8 {$iv0},[$ivp] ++ sub $rounds,$rounds,#2 ++ vld1.8 {$dat1},[$key2],#16 ++ ++.Loop_dec_small_iv_enc: ++ aese $iv0,$dat ++ aesmc $iv0,$iv0 ++ vld1.32 {$dat},[$key2],#16 ++ subs $rounds,$rounds,#2 ++ aese $iv0,$dat1 ++ aesmc $iv0,$iv0 ++ vld1.32 {$dat1},[$key2],#16 ++ b.gt .Loop_dec_small_iv_enc ++ ++ aese $iv0,$dat ++ aesmc $iv0,$iv0 ++ vld1.32 {$dat},[$key2] ++ aese $iv0,$dat1 ++ veor $iv0,$iv0,$dat ++ ++ vld1.8 {$dat0},[$inp] ++ veor $dat0,$iv0,$dat0 ++ ++ ldr $rounds,[$key1,#240] ++ vld1.32 {q20-q21},[$key1],#32 // load key schedule... ++ ++ aesd $dat0,q20 ++ aesimc $dat0,$dat0 ++ vld1.32 {q8-q9},[$key1],#32 // load key schedule... ++ aesd $dat0,q21 ++ aesimc $dat0,$dat0 ++ subs $rounds,$rounds,#10 // bias ++ b.eq .Lxts_128_dec ++.Lxts_dec_round_loop: ++ aesd $dat0,q8 ++ aesimc $dat0,$dat0 ++ vld1.32 {q8},[$key1],#16 // load key schedule... ++ aesd $dat0,q9 ++ aesimc $dat0,$dat0 ++ vld1.32 {q9},[$key1],#16 // load key schedule... ++ subs $rounds,$rounds,#2 // bias ++ b.gt .Lxts_dec_round_loop ++.Lxts_128_dec: ++ vld1.32 {q10-q11},[$key1],#32 // load key schedule... ++ aesd $dat0,q8 ++ aesimc $dat0,$dat0 ++ aesd $dat0,q9 ++ aesimc $dat0,$dat0 ++ vld1.32 {q12-q13},[$key1],#32 // load key schedule... ++ aesd $dat0,q10 ++ aesimc $dat0,$dat0 ++ aesd $dat0,q11 ++ aesimc $dat0,$dat0 ++ vld1.32 {q14-q15},[$key1],#32 // load key schedule... ++ aesd $dat0,q12 ++ aesimc $dat0,$dat0 ++ aesd $dat0,q13 ++ aesimc $dat0,$dat0 ++ vld1.32 {$rndlast},[$key1] ++ aesd $dat0,q14 ++ aesimc $dat0,$dat0 ++ aesd $dat0,q15 ++ veor $dat0,$dat0,$rndlast ++ veor $dat0,$iv0,$dat0 ++ vst1.8 {$dat0},[$out] ++ b .Lxts_dec_final_abort ++.Lxts_dec_big_size: ++___ ++$code.=<<___ if ($flavour =~ /64/); ++ stp $constnumx,$tmpinp,[sp,#-64]! ++ stp $tailcnt,$midnumx,[sp,#48] ++ stp $ivd10,$ivd20,[sp,#32] ++ stp $ivd30,$ivd40,[sp,#16] ++ ++ and $tailcnt,$len,#0xf ++ and $len,$len,#-16 ++ subs $len,$len,#16 ++ mov $step,#16 ++ b.lo .Lxts_dec_abort ++ ++ // Encrypt the iv with key2, as the first XEX iv ++ ldr $rounds,[$key2,#240] ++ vld1.8 {$dat},[$key2],#16 ++ vld1.8 {$iv0},[$ivp] ++ sub $rounds,$rounds,#2 ++ vld1.8 {$dat1},[$key2],#16 ++ ++.Loop_dec_iv_enc: ++ aese $iv0,$dat ++ aesmc $iv0,$iv0 ++ vld1.32 {$dat},[$key2],#16 ++ subs $rounds,$rounds,#2 ++ aese $iv0,$dat1 ++ aesmc $iv0,$iv0 ++ vld1.32 {$dat1},[$key2],#16 ++ b.gt .Loop_dec_iv_enc ++ ++ aese $iv0,$dat ++ aesmc $iv0,$iv0 ++ vld1.32 {$dat},[$key2] ++ aese $iv0,$dat1 ++ veor $iv0,$iv0,$dat ++ ++ // The iv for second block ++ // $ivl- iv(low), $ivh - iv(high) ++ // the five ivs stored into, $iv0,$iv1,$iv2,$iv3,$iv4 ++ fmov $ivl,$ivd00 ++ fmov $ivh,$ivd01 ++ mov $constnum,#0x87 ++ extr $midnumx,$ivh,$ivh,#32 ++ extr $ivh,$ivh,$ivl,#63 ++ and $tmpmw,$constnum,$midnum,asr #31 ++ eor $ivl,$tmpmx,$ivl,lsl #1 ++ fmov $ivd10,$ivl ++ fmov $ivd11,$ivh ++ ++ ldr $rounds0,[$key1,#240] // load rounds number ++ ++ // The iv for third block ++ extr $midnumx,$ivh,$ivh,#32 ++ extr $ivh,$ivh,$ivl,#63 ++ and $tmpmw,$constnum,$midnum,asr #31 ++ eor $ivl,$tmpmx,$ivl,lsl #1 ++ fmov $ivd20,$ivl ++ fmov $ivd21,$ivh ++ ++ vld1.32 {q8-q9},[$key1] // load key schedule... ++ sub $rounds0,$rounds0,#6 ++ add $key_,$key1,$ivp,lsl#4 // pointer to last 7 round keys ++ sub $rounds0,$rounds0,#2 ++ vld1.32 {q10-q11},[$key_],#32 // load key schedule... ++ vld1.32 {q12-q13},[$key_],#32 ++ vld1.32 {q14-q15},[$key_],#32 ++ vld1.32 {$rndlast},[$key_] ++ ++ // The iv for fourth block ++ extr $midnumx,$ivh,$ivh,#32 ++ extr $ivh,$ivh,$ivl,#63 ++ and $tmpmw,$constnum,$midnum,asr #31 ++ eor $ivl,$tmpmx,$ivl,lsl #1 ++ fmov $ivd30,$ivl ++ fmov $ivd31,$ivh ++ ++ add $key_,$key1,#32 ++ mov $rounds,$rounds0 ++ b .Lxts_dec ++ ++ // Decryption ++.align 5 ++.Lxts_dec: ++ tst $tailcnt,#0xf ++ b.eq .Lxts_dec_begin ++ subs $len,$len,#16 ++ csel $step,xzr,$step,eq ++ vld1.8 {$dat},[$inp],#16 ++ b.lo .Lxts_done ++ sub $inp,$inp,#16 ++.Lxts_dec_begin: ++ vld1.8 {$dat},[$inp],$step ++ subs $len,$len,#32 // bias ++ add $rounds,$rounds0,#2 ++ vorr $in1,$dat,$dat ++ vorr $dat1,$dat,$dat ++ vorr $in3,$dat,$dat ++ vld1.8 {$dat2},[$inp],#16 ++ vorr $in2,$dat2,$dat2 ++ vorr $in4,$dat2,$dat2 ++ b.lo .Lxts_inner_dec_tail ++ veor $dat,$dat,$iv0 // before decryt, xor with iv ++ veor $dat2,$dat2,$iv1 ++ ++ vorr $dat1,$dat2,$dat2 ++ vld1.8 {$dat2},[$inp],#16 ++ vorr $in0,$dat,$dat ++ vorr $in1,$dat1,$dat1 ++ veor $in2,$dat2,$iv2 // third block xox with third iv ++ veor $dat2,$dat2,$iv2 ++ cmp $len,#32 ++ b.lo .Lxts_outer_dec_tail ++ ++ vld1.8 {$dat3},[$inp],#16 ++ ++ // The iv for fifth block ++ extr $midnumx,$ivh,$ivh,#32 ++ extr $ivh,$ivh,$ivl,#63 ++ and $tmpmw,$constnum,$midnum,asr #31 ++ eor $ivl,$tmpmx,$ivl,lsl #1 ++ fmov $ivd40,$ivl ++ fmov $ivd41,$ivh ++ ++ vld1.8 {$dat4},[$inp],#16 ++ veor $dat3,$dat3,$iv3 // the fourth block ++ veor $dat4,$dat4,$iv4 ++ sub $len,$len,#32 // bias ++ mov $rounds,$rounds0 ++ b .Loop5x_xts_dec ++ ++.align 4 ++.Loop5x_xts_dec: ++ aesd $dat0,q8 ++ aesimc $dat0,$dat0 ++ aesd $dat1,q8 ++ aesimc $dat1,$dat1 ++ aesd $dat2,q8 ++ aesimc $dat2,$dat2 ++ aesd $dat3,q8 ++ aesimc $dat3,$dat3 ++ aesd $dat4,q8 ++ aesimc $dat4,$dat4 ++ vld1.32 {q8},[$key_],#16 // load key schedule... ++ subs $rounds,$rounds,#2 ++ aesd $dat0,q9 ++ aesimc $dat0,$dat0 ++ aesd $dat1,q9 ++ aesimc $dat1,$dat1 ++ aesd $dat2,q9 ++ aesimc $dat2,$dat2 ++ aesd $dat3,q9 ++ aesimc $dat3,$dat3 ++ aesd $dat4,q9 ++ aesimc $dat4,$dat4 ++ vld1.32 {q9},[$key_],#16 // load key schedule... ++ b.gt .Loop5x_xts_dec ++ ++ aesd $dat0,q8 ++ aesimc $dat0,$dat0 ++ aesd $dat1,q8 ++ aesimc $dat1,$dat1 ++ aesd $dat2,q8 ++ aesimc $dat2,$dat2 ++ aesd $dat3,q8 ++ aesimc $dat3,$dat3 ++ aesd $dat4,q8 ++ aesimc $dat4,$dat4 ++ subs $len,$len,#0x50 // because .Lxts_dec_tail4x ++ ++ aesd $dat0,q9 ++ aesimc $dat0,$dat ++ aesd $dat1,q9 ++ aesimc $dat1,$dat1 ++ aesd $dat2,q9 ++ aesimc $dat2,$dat2 ++ aesd $dat3,q9 ++ aesimc $dat3,$dat3 ++ aesd $dat4,q9 ++ aesimc $dat4,$dat4 ++ csel $xoffset,xzr,$len,gt // borrow x6, w6, "gt" is not typo ++ mov $key_,$key1 ++ ++ aesd $dat0,q10 ++ aesimc $dat0,$dat0 ++ aesd $dat1,q10 ++ aesimc $dat1,$dat1 ++ aesd $dat2,q10 ++ aesimc $dat2,$dat2 ++ aesd $dat3,q10 ++ aesimc $dat3,$dat3 ++ aesd $dat4,q10 ++ aesimc $dat4,$dat4 ++ add $inp,$inp,$xoffset // x0 is adjusted in such way that ++ // at exit from the loop v1.16b-v26.16b ++ // are loaded with last "words" ++ add $xoffset,$len,#0x60 // because .Lxts_dec_tail4x ++ ++ aesd $dat0,q11 ++ aesimc $dat0,$dat0 ++ aesd $dat1,q11 ++ aesimc $dat1,$dat1 ++ aesd $dat2,q11 ++ aesimc $dat2,$dat2 ++ aesd $dat3,q11 ++ aesimc $dat3,$dat3 ++ aesd $dat4,q11 ++ aesimc $dat4,$dat4 ++ ++ aesd $dat0,q12 ++ aesimc $dat0,$dat0 ++ aesd $dat1,q12 ++ aesimc $dat1,$dat1 ++ aesd $dat2,q12 ++ aesimc $dat2,$dat2 ++ aesd $dat3,q12 ++ aesimc $dat3,$dat3 ++ aesd $dat4,q12 ++ aesimc $dat4,$dat4 ++ ++ aesd $dat0,q13 ++ aesimc $dat0,$dat0 ++ aesd $dat1,q13 ++ aesimc $dat1,$dat1 ++ aesd $dat2,q13 ++ aesimc $dat2,$dat2 ++ aesd $dat3,q13 ++ aesimc $dat3,$dat3 ++ aesd $dat4,q13 ++ aesimc $dat4,$dat4 ++ ++ aesd $dat0,q14 ++ aesimc $dat0,$dat0 ++ aesd $dat1,q14 ++ aesimc $dat1,$dat1 ++ aesd $dat2,q14 ++ aesimc $dat2,$dat2 ++ aesd $dat3,q14 ++ aesimc $dat3,$dat3 ++ aesd $dat4,q14 ++ aesimc $dat4,$dat4 ++ ++ veor $tmp0,$rndlast,$iv0 ++ aesd $dat0,q15 ++ // The iv for first block of next iteration. ++ extr $midnumx,$ivh,$ivh,#32 ++ extr $ivh,$ivh,$ivl,#63 ++ and $tmpmw,$constnum,$midnum,asr #31 ++ eor $ivl,$tmpmx,$ivl,lsl #1 ++ fmov $ivd00,$ivl ++ fmov $ivd01,$ivh ++ veor $tmp1,$rndlast,$iv1 ++ vld1.8 {$in0},[$inp],#16 ++ aesd $dat1,q15 ++ // The iv for second block ++ extr $midnumx,$ivh,$ivh,#32 ++ extr $ivh,$ivh,$ivl,#63 ++ and $tmpmw,$constnum,$midnum,asr #31 ++ eor $ivl,$tmpmx,$ivl,lsl #1 ++ fmov $ivd10,$ivl ++ fmov $ivd11,$ivh ++ veor $tmp2,$rndlast,$iv2 ++ vld1.8 {$in1},[$inp],#16 ++ aesd $dat2,q15 ++ // The iv for third block ++ extr $midnumx,$ivh,$ivh,#32 ++ extr $ivh,$ivh,$ivl,#63 ++ and $tmpmw,$constnum,$midnum,asr #31 ++ eor $ivl,$tmpmx,$ivl,lsl #1 ++ fmov $ivd20,$ivl ++ fmov $ivd21,$ivh ++ veor $tmp3,$rndlast,$iv3 ++ vld1.8 {$in2},[$inp],#16 ++ aesd $dat3,q15 ++ // The iv for fourth block ++ extr $midnumx,$ivh,$ivh,#32 ++ extr $ivh,$ivh,$ivl,#63 ++ and $tmpmw,$constnum,$midnum,asr #31 ++ eor $ivl,$tmpmx,$ivl,lsl #1 ++ fmov $ivd30,$ivl ++ fmov $ivd31,$ivh ++ veor $tmp4,$rndlast,$iv4 ++ vld1.8 {$in3},[$inp],#16 ++ aesd $dat4,q15 ++ ++ // The iv for fifth block ++ extr $midnumx,$ivh,$ivh,#32 ++ extr $ivh,$ivh,$ivl,#63 ++ and $tmpmw,$constnum,$midnum,asr #31 ++ eor $ivl,$tmpmx,$ivl,lsl #1 ++ fmov $ivd40,$ivl ++ fmov $ivd41,$ivh ++ ++ vld1.8 {$in4},[$inp],#16 ++ cbz $xoffset,.Lxts_dec_tail4x ++ vld1.32 {q8},[$key_],#16 // re-pre-load rndkey[0] ++ veor $tmp0,$tmp0,$dat0 ++ veor $dat0,$in0,$iv0 ++ veor $tmp1,$tmp1,$dat1 ++ veor $dat1,$in1,$iv1 ++ veor $tmp2,$tmp2,$dat2 ++ veor $dat2,$in2,$iv2 ++ veor $tmp3,$tmp3,$dat3 ++ veor $dat3,$in3,$iv3 ++ veor $tmp4,$tmp4,$dat4 ++ vst1.8 {$tmp0},[$out],#16 ++ veor $dat4,$in4,$iv4 ++ vst1.8 {$tmp1},[$out],#16 ++ mov $rounds,$rounds0 ++ vst1.8 {$tmp2},[$out],#16 ++ vld1.32 {q9},[$key_],#16 // re-pre-load rndkey[1] ++ vst1.8 {$tmp3},[$out],#16 ++ vst1.8 {$tmp4},[$out],#16 ++ b.hs .Loop5x_xts_dec ++ ++ cmn $len,#0x10 ++ b.ne .Loop5x_dec_after ++ // If x2($len) equal to -0x10, the left blocks is 4. ++ // After specially processing, utilize the five blocks processing again. ++ // It will use the following IVs: $iv0,$iv0,$iv1,$iv2,$iv3. ++ vorr $iv4,$iv3,$iv3 ++ vorr $iv3,$iv2,$iv2 ++ vorr $iv2,$iv1,$iv1 ++ vorr $iv1,$iv0,$iv0 ++ fmov $ivl,$ivd40 ++ fmov $ivh,$ivd41 ++ veor $dat0,$iv0,$in0 ++ veor $dat1,$iv1,$in1 ++ veor $dat2,$in2,$iv2 ++ veor $dat3,$in3,$iv3 ++ veor $dat4,$in4,$iv4 ++ b.eq .Loop5x_xts_dec ++ ++.Loop5x_dec_after: ++ add $len,$len,#0x50 ++ cbz $len,.Lxts_done ++ ++ add $rounds,$rounds0,#2 ++ subs $len,$len,#0x30 ++ b.lo .Lxts_inner_dec_tail ++ ++ veor $dat0,$iv0,$in2 ++ veor $dat1,$iv1,$in3 ++ veor $dat2,$in4,$iv2 ++ b .Lxts_outer_dec_tail ++ ++.align 4 ++.Lxts_dec_tail4x: ++ add $inp,$inp,#16 ++ vld1.32 {$dat0},[$inp],#16 ++ veor $tmp1,$dat1,$tmp0 ++ vst1.8 {$tmp1},[$out],#16 ++ veor $tmp2,$dat2,$tmp2 ++ vst1.8 {$tmp2},[$out],#16 ++ veor $tmp3,$dat3,$tmp3 ++ veor $tmp4,$dat4,$tmp4 ++ vst1.8 {$tmp3-$tmp4},[$out],#32 ++ ++ b .Lxts_done ++.align 4 ++.Lxts_outer_dec_tail: ++ aesd $dat0,q8 ++ aesimc $dat0,$dat0 ++ aesd $dat1,q8 ++ aesimc $dat1,$dat1 ++ aesd $dat2,q8 ++ aesimc $dat2,$dat2 ++ vld1.32 {q8},[$key_],#16 ++ subs $rounds,$rounds,#2 ++ aesd $dat0,q9 ++ aesimc $dat0,$dat0 ++ aesd $dat1,q9 ++ aesimc $dat1,$dat1 ++ aesd $dat2,q9 ++ aesimc $dat2,$dat2 ++ vld1.32 {q9},[$key_],#16 ++ b.gt .Lxts_outer_dec_tail ++ ++ aesd $dat0,q8 ++ aesimc $dat0,$dat0 ++ aesd $dat1,q8 ++ aesimc $dat1,$dat1 ++ aesd $dat2,q8 ++ aesimc $dat2,$dat2 ++ veor $tmp0,$iv0,$rndlast ++ subs $len,$len,#0x30 ++ // The iv for first block ++ fmov $ivl,$ivd20 ++ fmov $ivh,$ivd21 ++ mov $constnum,#0x87 ++ extr $midnumx,$ivh,$ivh,#32 ++ extr $ivh,$ivh,$ivl,#63 ++ and $tmpmw,$constnum,$midnum,asr #31 ++ eor $ivl,$tmpmx,$ivl,lsl #1 ++ fmov $ivd00,$ivl ++ fmov $ivd01,$ivh ++ veor $tmp1,$iv1,$rndlast ++ csel $xoffset,$len,$xoffset,lo // x6, w6, is zero at this point ++ aesd $dat0,q9 ++ aesimc $dat0,$dat0 ++ aesd $dat1,q9 ++ aesimc $dat1,$dat1 ++ aesd $dat2,q9 ++ aesimc $dat2,$dat2 ++ veor $tmp2,$iv2,$rndlast ++ // The iv for second block ++ extr $midnumx,$ivh,$ivh,#32 ++ extr $ivh,$ivh,$ivl,#63 ++ and $tmpmw,$constnum,$midnum,asr #31 ++ eor $ivl,$tmpmx,$ivl,lsl #1 ++ fmov $ivd10,$ivl ++ fmov $ivd11,$ivh ++ ++ add $xoffset,$xoffset,#0x20 ++ add $inp,$inp,$xoffset // $inp is adjusted to the last data ++ ++ mov $key_,$key1 ++ ++ // The iv for third block ++ extr $midnumx,$ivh,$ivh,#32 ++ extr $ivh,$ivh,$ivl,#63 ++ and $tmpmw,$constnum,$midnum,asr #31 ++ eor $ivl,$tmpmx,$ivl,lsl #1 ++ fmov $ivd20,$ivl ++ fmov $ivd21,$ivh ++ ++ aesd $dat0,q12 ++ aesimc $dat0,$dat0 ++ aesd $dat1,q12 ++ aesimc $dat1,$dat1 ++ aesd $dat2,q12 ++ aesimc $dat2,$dat2 ++ aesd $dat0,q13 ++ aesimc $dat0,$dat0 ++ aesd $dat1,q13 ++ aesimc $dat1,$dat1 ++ aesd $dat2,q13 ++ aesimc $dat2,$dat2 ++ aesd $dat0,q14 ++ aesimc $dat0,$dat0 ++ aesd $dat1,q14 ++ aesimc $dat1,$dat1 ++ aesd $dat2,q14 ++ aesimc $dat2,$dat2 ++ vld1.8 {$in2},[$inp],#16 ++ aesd $dat0,q15 ++ aesd $dat1,q15 ++ aesd $dat2,q15 ++ vld1.32 {q8},[$key_],#16 // re-pre-load rndkey[0] ++ add $rounds,$rounds0,#2 ++ veor $tmp0,$tmp0,$dat0 ++ veor $tmp1,$tmp1,$dat1 ++ veor $dat2,$dat2,$tmp2 ++ vld1.32 {q9},[$key_],#16 // re-pre-load rndkey[1] ++ vst1.8 {$tmp0},[$out],#16 ++ vst1.8 {$tmp1},[$out],#16 ++ vst1.8 {$dat2},[$out],#16 ++ ++ cmn $len,#0x30 ++ add $len,$len,#0x30 ++ b.eq .Lxts_done ++ sub $len,$len,#0x30 ++ vorr $in3,$in1,$in1 ++ vorr $in4,$in2,$in2 ++ nop ++ ++.Lxts_inner_dec_tail: ++ // $len == -0x10 means two blocks left. ++ cmn $len,#0x10 ++ veor $dat1,$in3,$iv0 ++ veor $dat2,$in4,$iv1 ++ b.eq .Lxts_dec_tail_loop ++ veor $dat2,$in4,$iv0 ++.Lxts_dec_tail_loop: ++ aesd $dat1,q8 ++ aesimc $dat1,$dat1 ++ aesd $dat2,q8 ++ aesimc $dat2,$dat2 ++ vld1.32 {q8},[$key_],#16 ++ subs $rounds,$rounds,#2 ++ aesd $dat1,q9 ++ aesimc $dat1,$dat1 ++ aesd $dat2,q9 ++ aesimc $dat2,$dat2 ++ vld1.32 {q9},[$key_],#16 ++ b.gt .Lxts_dec_tail_loop ++ ++ aesd $dat1,q8 ++ aesimc $dat1,$dat1 ++ aesd $dat2,q8 ++ aesimc $dat2,$dat2 ++ aesd $dat1,q9 ++ aesimc $dat1,$dat1 ++ aesd $dat2,q9 ++ aesimc $dat2,$dat2 ++ aesd $dat1,q12 ++ aesimc $dat1,$dat1 ++ aesd $dat2,q12 ++ aesimc $dat2,$dat2 ++ cmn $len,#0x20 ++ aesd $dat1,q13 ++ aesimc $dat1,$dat1 ++ aesd $dat2,q13 ++ aesimc $dat2,$dat2 ++ veor $tmp1,$iv0,$rndlast ++ aesd $dat1,q14 ++ aesimc $dat1,$dat1 ++ aesd $dat2,q14 ++ aesimc $dat2,$dat2 ++ veor $tmp2,$iv1,$rndlast ++ aesd $dat1,q15 ++ aesd $dat2,q15 ++ b.eq .Lxts_dec_one ++ veor $tmp1,$tmp1,$dat1 ++ veor $tmp2,$tmp2,$dat2 ++ vorr $iv0,$iv2,$iv2 ++ vorr $iv1,$iv3,$iv3 ++ vst1.8 {$tmp1},[$out],#16 ++ vst1.8 {$tmp2},[$out],#16 ++ add $len,$len,#16 ++ b .Lxts_done ++ ++.Lxts_dec_one: ++ veor $tmp1,$tmp1,$dat2 ++ vorr $iv0,$iv1,$iv1 ++ vorr $iv1,$iv2,$iv2 ++ vst1.8 {$tmp1},[$out],#16 ++ add $len,$len,#32 ++ ++.Lxts_done: ++ tst $tailcnt,#0xf ++ b.eq .Lxts_dec_abort ++ // Processing the last two blocks with cipher stealing. ++ mov x7,x3 ++ cbnz x2,.Lxts_dec_1st_done ++ vld1.32 {$dat0},[$inp],#16 ++ ++ // Decrypt the last secod block to get the last plain text block ++.Lxts_dec_1st_done: ++ eor $tmpin,$dat0,$iv1 ++ ldr $rounds,[$key1,#240] ++ vld1.32 {$dat0},[$key1],#16 ++ sub $rounds,$rounds,#2 ++ vld1.32 {$dat1},[$key1],#16 ++.Loop_final_2nd_dec: ++ aesd $tmpin,$dat0 ++ aesimc $tmpin,$tmpin ++ vld1.32 {$dat0},[$key1],#16 // load key schedule... ++ subs $rounds,$rounds,#2 ++ aesd $tmpin,$dat1 ++ aesimc $tmpin,$tmpin ++ vld1.32 {$dat1},[$key1],#16 // load key schedule... ++ b.gt .Loop_final_2nd_dec ++ ++ aesd $tmpin,$dat0 ++ aesimc $tmpin,$tmpin ++ vld1.32 {$dat0},[$key1] ++ aesd $tmpin,$dat1 ++ veor $tmpin,$tmpin,$dat0 ++ veor $tmpin,$tmpin,$iv1 ++ vst1.8 {$tmpin},[$out] ++ ++ mov $tmpinp,$inp ++ add $tmpoutp,$out,#16 ++ ++ // Composite the tailcnt "16 byte not aligned block" into the last second plain blocks ++ // to get the last encrypted block. ++.composite_dec_loop: ++ subs $tailcnt,$tailcnt,#1 ++ ldrb $l2outp,[$out,$tailcnt] ++ ldrb $loutp,[$tmpinp,$tailcnt] ++ strb $l2outp,[$tmpoutp,$tailcnt] ++ strb $loutp,[$out,$tailcnt] ++ b.gt .composite_dec_loop ++.Lxts_dec_load_done: ++ vld1.8 {$tmpin},[$out] ++ veor $tmpin,$tmpin,$iv0 ++ ++ // Decrypt the composite block to get the last second plain text block ++ ldr $rounds,[$key_,#240] ++ vld1.8 {$dat},[$key_],#16 ++ sub $rounds,$rounds,#2 ++ vld1.8 {$dat1},[$key_],#16 ++.Loop_final_dec: ++ aesd $tmpin,$dat0 ++ aesimc $tmpin,$tmpin ++ vld1.32 {$dat0},[$key_],#16 // load key schedule... ++ subs $rounds,$rounds,#2 ++ aesd $tmpin,$dat1 ++ aesimc $tmpin,$tmpin ++ vld1.32 {$dat1},[$key_],#16 // load key schedule... ++ b.gt .Loop_final_dec ++ ++ aesd $tmpin,$dat0 ++ aesimc $tmpin,$tmpin ++ vld1.32 {$dat0},[$key_] ++ aesd $tmpin,$dat1 ++ veor $tmpin,$tmpin,$dat0 ++ veor $tmpin,$tmpin,$iv0 ++ vst1.8 {$tmpin},[$out] ++ ++.Lxts_dec_abort: ++ ldp $tailcnt,$midnumx,[sp,#48] ++ ldp $ivd10,$ivd20,[sp,#32] ++ ldp $ivd30,$ivd40,[sp,#16] ++ ldp $constnumx,$tmpinp,[sp],#64 ++ ++.Lxts_dec_final_abort: ++ ret ++.size ${prefix}_xts_decrypt,.-${prefix}_xts_decrypt ++___ ++} ++}}} + $code.=<<___; + #endif + ___ +@@ -963,7 +3615,7 @@ if ($flavour =~ /64/) { ######## 64-bi + # since ARMv7 instructions are always encoded little-endian. + # correct solution is to use .inst directive, but older + # assemblers don't implement it:-( +- sprintf ".byte\t0x%02x,0x%02x,0x%02x,0x%02x\t@ %s %s", ++ sprintf "INST(0x%02x,0x%02x,0x%02x,0x%02x)\t@ %s %s", + $word&0xff,($word>>8)&0xff, + ($word>>16)&0xff,($word>>24)&0xff, + $mnemonic,$arg; +@@ -1004,14 +3656,17 @@ if ($flavour =~ /64/) { ######## 64-bi + s/\],#[0-9]+/]!/o; + + s/[v]?(aes\w+)\s+([qv].*)/unaes($1,$2)/geo or +- s/cclr\s+([^,]+),\s*([a-z]+)/mov$2 $1,#0/o or ++ s/cclr\s+([^,]+),\s*([a-z]+)/mov.$2 $1,#0/o or + s/vtbl\.8\s+(.*)/unvtbl($1)/geo or + s/vdup\.32\s+(.*)/unvdup32($1)/geo or + s/vmov\.32\s+(.*)/unvmov32($1)/geo or + s/^(\s+)b\./$1b/o or +- s/^(\s+)mov\./$1mov/o or + s/^(\s+)ret/$1bx\tlr/o; + ++ if (s/^(\s+)mov\.([a-z]+)/$1mov$2/) { ++ print " it $2\n"; ++ } ++ + print $_,"\n"; + } + } +diff -up openssl-1.1.1i/crypto/aes/asm/vpaes-armv8.pl.arm-update openssl-1.1.1i/crypto/aes/asm/vpaes-armv8.pl +--- openssl-1.1.1i/crypto/aes/asm/vpaes-armv8.pl.arm-update 2020-12-08 14:20:59.000000000 +0100 ++++ openssl-1.1.1i/crypto/aes/asm/vpaes-armv8.pl 2020-12-09 10:37:38.405558929 +0100 +@@ -30,6 +30,7 @@ + # Denver(***) 16.6(**) 15.1/17.8(**) [8.80/9.93 ] + # Apple A7(***) 22.7(**) 10.9/14.3 [8.45/10.0 ] + # Mongoose(***) 26.3(**) 21.0/25.0(**) [13.3/16.8 ] ++# ThunderX2(***) 39.4(**) 33.8/48.6(**) + # + # (*) ECB denotes approximate result for parallelizable modes + # such as CBC decrypt, CTR, etc.; +diff -up openssl-1.1.1i/crypto/chacha/asm/chacha-armv8.pl.arm-update openssl-1.1.1i/crypto/chacha/asm/chacha-armv8.pl +--- openssl-1.1.1i/crypto/chacha/asm/chacha-armv8.pl.arm-update 2020-12-08 14:20:59.000000000 +0100 ++++ openssl-1.1.1i/crypto/chacha/asm/chacha-armv8.pl 2020-12-09 10:40:57.922288627 +0100 +@@ -18,32 +18,44 @@ + # + # ChaCha20 for ARMv8. + # ++# April 2019 ++# ++# Replace 3xNEON+1xIALU code path with 4+1. 4+1 is actually fastest ++# option on most(*), but not all, processors, yet 6+2 is retained. ++# This is because penalties are considered tolerable in comparison to ++# improvement on processors where 6+2 helps. Most notably +37% on ++# ThunderX2. It's server-oriented processor which will have to serve ++# as many requests as possible. While others are mostly clients, when ++# performance doesn't have to be absolute top-notch, just fast enough, ++# as majority of time is spent "entertaining" relatively slow human. ++# + # Performance in cycles per byte out of large buffer. + # +-# IALU/gcc-4.9 3xNEON+1xIALU 6xNEON+2xIALU ++# IALU/gcc-4.9 4xNEON+1xIALU 6xNEON+2xIALU + # +-# Apple A7 5.50/+49% 3.33 1.70 +-# Cortex-A53 8.40/+80% 4.72 4.72(*) +-# Cortex-A57 8.06/+43% 4.90 4.43(**) +-# Denver 4.50/+82% 2.63 2.67(*) +-# X-Gene 9.50/+46% 8.82 8.89(*) +-# Mongoose 8.00/+44% 3.64 3.25 +-# Kryo 8.17/+50% 4.83 4.65 ++# Apple A7 5.50/+49% 2.72 1.60 ++# Cortex-A53 8.40/+80% 4.06 4.45(*) ++# Cortex-A57 8.06/+43% 4.15 4.40(*) ++# Denver 4.50/+82% 2.30 2.70(*) ++# X-Gene 9.50/+46% 8.20 8.90(*) ++# Mongoose 8.00/+44% 2.74 3.12(*) ++# Kryo 8.17/+50% 4.47 4.65(*) ++# ThunderX2 7.22/+48% 5.64 4.10 + # +-# (*) it's expected that doubling interleave factor doesn't help +-# all processors, only those with higher NEON latency and +-# higher instruction issue rate; +-# (**) expected improvement was actually higher; ++# (*) slower than 4+1:-( + +-$flavour=shift; +-$output=shift; ++# $output is the last argument if it looks like a file (it has an extension) ++# $flavour is the first argument if it doesn't look like a file ++$output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef; ++$flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? shift : undef; + + $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; + ( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or + ( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate) or + die "can't locate arm-xlate.pl"; + +-open OUT,"| \"$^X\" $xlate $flavour $output"; ++open OUT,"| \"$^X\" $xlate $flavour \"$output\"" ++ or die "can't call $xlate: $!"; + *STDOUT=*OUT; + + sub AUTOLOAD() # thunk [simplified] x86-style perlasm +@@ -120,42 +132,37 @@ my ($a3,$b3,$c3,$d3)=map(($_&~3)+(($_+1) + } + + $code.=<<___; +-#include "arm_arch.h" +- +-.text +- ++#ifndef __KERNEL__ ++# include "arm_arch.h" + .extern OPENSSL_armcap_P + .hidden OPENSSL_armcap_P ++#endif ++ ++.text + + .align 5 + .Lsigma: + .quad 0x3320646e61707865,0x6b20657479622d32 // endian-neutral + .Lone: +-.long 1,0,0,0 +-.LOPENSSL_armcap_P: +-#ifdef __ILP32__ +-.long OPENSSL_armcap_P-. +-#else +-.quad OPENSSL_armcap_P-. +-#endif +-.asciz "ChaCha20 for ARMv8, CRYPTOGAMS by " ++.long 1,2,3,4 ++.Lrot24: ++.long 0x02010003,0x06050407,0x0a09080b,0x0e0d0c0f ++.asciz "ChaCha20 for ARMv8, CRYPTOGAMS by \@dot-asm" + + .globl ChaCha20_ctr32 + .type ChaCha20_ctr32,%function + .align 5 + ChaCha20_ctr32: + cbz $len,.Labort +- adr @x[0],.LOPENSSL_armcap_P + cmp $len,#192 + b.lo .Lshort +-#ifdef __ILP32__ +- ldrsw @x[1],[@x[0]] +-#else +- ldr @x[1],[@x[0]] +-#endif +- ldr w17,[@x[1],@x[0]] ++ ++#ifndef __KERNEL__ ++ adrp x17,OPENSSL_armcap_P ++ ldr w17,[x17,#:lo12:OPENSSL_armcap_P] + tst w17,#ARMV7_NEON +- b.ne ChaCha20_neon ++ b.ne .LChaCha20_neon ++#endif + + .Lshort: + .inst 0xd503233f // paciasp +@@ -174,7 +181,7 @@ ChaCha20_ctr32: + ldp @d[2],@d[3],[$key] // load key + ldp @d[4],@d[5],[$key,#16] + ldp @d[6],@d[7],[$ctr] // load counter +-#ifdef __ARMEB__ ++#ifdef __AARCH64EB__ + ror @d[2],@d[2],#32 + ror @d[3],@d[3],#32 + ror @d[4],@d[4],#32 +@@ -243,7 +250,7 @@ $code.=<<___; + add @x[14],@x[14],@x[15],lsl#32 + ldp @x[13],@x[15],[$inp,#48] + add $inp,$inp,#64 +-#ifdef __ARMEB__ ++#ifdef __AARCH64EB__ + rev @x[0],@x[0] + rev @x[2],@x[2] + rev @x[4],@x[4] +@@ -300,7 +307,7 @@ $code.=<<___; + add @x[10],@x[10],@x[11],lsl#32 + add @x[12],@x[12],@x[13],lsl#32 + add @x[14],@x[14],@x[15],lsl#32 +-#ifdef __ARMEB__ ++#ifdef __AARCH64EB__ + rev @x[0],@x[0] + rev @x[2],@x[2] + rev @x[4],@x[4] +@@ -341,46 +348,91 @@ $code.=<<___; + ___ + + {{{ +-my ($A0,$B0,$C0,$D0,$A1,$B1,$C1,$D1,$A2,$B2,$C2,$D2,$T0,$T1,$T2,$T3) = +- map("v$_.4s",(0..7,16..23)); +-my (@K)=map("v$_.4s",(24..30)); +-my $ONE="v31.4s"; ++my @K = map("v$_.4s",(0..3)); ++my ($xt0,$xt1,$xt2,$xt3, $CTR,$ROT24) = map("v$_.4s",(4..9)); ++my @X = map("v$_.4s",(16,20,24,28, 17,21,25,29, 18,22,26,30, 19,23,27,31)); ++my ($xa0,$xa1,$xa2,$xa3, $xb0,$xb1,$xb2,$xb3, ++ $xc0,$xc1,$xc2,$xc3, $xd0,$xd1,$xd2,$xd3) = @X; + +-sub NEONROUND { +-my $odd = pop; +-my ($a,$b,$c,$d,$t)=@_; ++sub NEON_lane_ROUND { ++my ($a0,$b0,$c0,$d0)=@_; ++my ($a1,$b1,$c1,$d1)=map(($_&~3)+(($_+1)&3),($a0,$b0,$c0,$d0)); ++my ($a2,$b2,$c2,$d2)=map(($_&~3)+(($_+1)&3),($a1,$b1,$c1,$d1)); ++my ($a3,$b3,$c3,$d3)=map(($_&~3)+(($_+1)&3),($a2,$b2,$c2,$d2)); ++my @x=map("'$_'",@X); + + ( +- "&add ('$a','$a','$b')", +- "&eor ('$d','$d','$a')", +- "&rev32_16 ('$d','$d')", # vrot ($d,16) +- +- "&add ('$c','$c','$d')", +- "&eor ('$t','$b','$c')", +- "&ushr ('$b','$t',20)", +- "&sli ('$b','$t',12)", +- +- "&add ('$a','$a','$b')", +- "&eor ('$t','$d','$a')", +- "&ushr ('$d','$t',24)", +- "&sli ('$d','$t',8)", +- +- "&add ('$c','$c','$d')", +- "&eor ('$t','$b','$c')", +- "&ushr ('$b','$t',25)", +- "&sli ('$b','$t',7)", +- +- "&ext ('$c','$c','$c',8)", +- "&ext ('$d','$d','$d',$odd?4:12)", +- "&ext ('$b','$b','$b',$odd?12:4)" ++ "&add (@x[$a0],@x[$a0],@x[$b0])", # Q1 ++ "&add (@x[$a1],@x[$a1],@x[$b1])", # Q2 ++ "&add (@x[$a2],@x[$a2],@x[$b2])", # Q3 ++ "&add (@x[$a3],@x[$a3],@x[$b3])", # Q4 ++ "&eor (@x[$d0],@x[$d0],@x[$a0])", ++ "&eor (@x[$d1],@x[$d1],@x[$a1])", ++ "&eor (@x[$d2],@x[$d2],@x[$a2])", ++ "&eor (@x[$d3],@x[$d3],@x[$a3])", ++ "&rev32_16 (@x[$d0],@x[$d0])", ++ "&rev32_16 (@x[$d1],@x[$d1])", ++ "&rev32_16 (@x[$d2],@x[$d2])", ++ "&rev32_16 (@x[$d3],@x[$d3])", ++ ++ "&add (@x[$c0],@x[$c0],@x[$d0])", ++ "&add (@x[$c1],@x[$c1],@x[$d1])", ++ "&add (@x[$c2],@x[$c2],@x[$d2])", ++ "&add (@x[$c3],@x[$c3],@x[$d3])", ++ "&eor ('$xt0',@x[$b0],@x[$c0])", ++ "&eor ('$xt1',@x[$b1],@x[$c1])", ++ "&eor ('$xt2',@x[$b2],@x[$c2])", ++ "&eor ('$xt3',@x[$b3],@x[$c3])", ++ "&ushr (@x[$b0],'$xt0',20)", ++ "&ushr (@x[$b1],'$xt1',20)", ++ "&ushr (@x[$b2],'$xt2',20)", ++ "&ushr (@x[$b3],'$xt3',20)", ++ "&sli (@x[$b0],'$xt0',12)", ++ "&sli (@x[$b1],'$xt1',12)", ++ "&sli (@x[$b2],'$xt2',12)", ++ "&sli (@x[$b3],'$xt3',12)", ++ ++ "&add (@x[$a0],@x[$a0],@x[$b0])", ++ "&add (@x[$a1],@x[$a1],@x[$b1])", ++ "&add (@x[$a2],@x[$a2],@x[$b2])", ++ "&add (@x[$a3],@x[$a3],@x[$b3])", ++ "&eor ('$xt0',@x[$d0],@x[$a0])", ++ "&eor ('$xt1',@x[$d1],@x[$a1])", ++ "&eor ('$xt2',@x[$d2],@x[$a2])", ++ "&eor ('$xt3',@x[$d3],@x[$a3])", ++ "&tbl (@x[$d0],'{$xt0}','$ROT24')", ++ "&tbl (@x[$d1],'{$xt1}','$ROT24')", ++ "&tbl (@x[$d2],'{$xt2}','$ROT24')", ++ "&tbl (@x[$d3],'{$xt3}','$ROT24')", ++ ++ "&add (@x[$c0],@x[$c0],@x[$d0])", ++ "&add (@x[$c1],@x[$c1],@x[$d1])", ++ "&add (@x[$c2],@x[$c2],@x[$d2])", ++ "&add (@x[$c3],@x[$c3],@x[$d3])", ++ "&eor ('$xt0',@x[$b0],@x[$c0])", ++ "&eor ('$xt1',@x[$b1],@x[$c1])", ++ "&eor ('$xt2',@x[$b2],@x[$c2])", ++ "&eor ('$xt3',@x[$b3],@x[$c3])", ++ "&ushr (@x[$b0],'$xt0',25)", ++ "&ushr (@x[$b1],'$xt1',25)", ++ "&ushr (@x[$b2],'$xt2',25)", ++ "&ushr (@x[$b3],'$xt3',25)", ++ "&sli (@x[$b0],'$xt0',7)", ++ "&sli (@x[$b1],'$xt1',7)", ++ "&sli (@x[$b2],'$xt2',7)", ++ "&sli (@x[$b3],'$xt3',7)" + ); + } + + $code.=<<___; + ++#ifdef __KERNEL__ ++.globl ChaCha20_neon ++#endif + .type ChaCha20_neon,%function + .align 5 + ChaCha20_neon: ++.LChaCha20_neon: + .inst 0xd503233f // paciasp + stp x29,x30,[sp,#-96]! + add x29,sp,#0 +@@ -403,8 +455,9 @@ ChaCha20_neon: + ld1 {@K[1],@K[2]},[$key] + ldp @d[6],@d[7],[$ctr] // load counter + ld1 {@K[3]},[$ctr] +- ld1 {$ONE},[@x[0]] +-#ifdef __ARMEB__ ++ stp d8,d9,[sp] // meet ABI requirements ++ ld1 {$CTR,$ROT24},[@x[0]] ++#ifdef __AARCH64EB__ + rev64 @K[0],@K[0] + ror @d[2],@d[2],#32 + ror @d[3],@d[3],#32 +@@ -413,115 +466,129 @@ ChaCha20_neon: + ror @d[6],@d[6],#32 + ror @d[7],@d[7],#32 + #endif +- add @K[3],@K[3],$ONE // += 1 +- add @K[4],@K[3],$ONE +- add @K[5],@K[4],$ONE +- shl $ONE,$ONE,#2 // 1 -> 4 + + .Loop_outer_neon: +- mov.32 @x[0],@d[0] // unpack key block +- lsr @x[1],@d[0],#32 +- mov $A0,@K[0] +- mov.32 @x[2],@d[1] +- lsr @x[3],@d[1],#32 +- mov $A1,@K[0] +- mov.32 @x[4],@d[2] +- lsr @x[5],@d[2],#32 +- mov $A2,@K[0] +- mov.32 @x[6],@d[3] +- mov $B0,@K[1] +- lsr @x[7],@d[3],#32 +- mov $B1,@K[1] +- mov.32 @x[8],@d[4] +- mov $B2,@K[1] +- lsr @x[9],@d[4],#32 +- mov $D0,@K[3] +- mov.32 @x[10],@d[5] +- mov $D1,@K[4] +- lsr @x[11],@d[5],#32 +- mov $D2,@K[5] +- mov.32 @x[12],@d[6] +- mov $C0,@K[2] +- lsr @x[13],@d[6],#32 +- mov $C1,@K[2] +- mov.32 @x[14],@d[7] +- mov $C2,@K[2] +- lsr @x[15],@d[7],#32 ++ dup $xa0,@{K[0]}[0] // unpack key block ++ mov.32 @x[0],@d[0] ++ dup $xa1,@{K[0]}[1] ++ lsr @x[1],@d[0],#32 ++ dup $xa2,@{K[0]}[2] ++ mov.32 @x[2],@d[1] ++ dup $xa3,@{K[0]}[3] ++ lsr @x[3],@d[1],#32 ++ dup $xb0,@{K[1]}[0] ++ mov.32 @x[4],@d[2] ++ dup $xb1,@{K[1]}[1] ++ lsr @x[5],@d[2],#32 ++ dup $xb2,@{K[1]}[2] ++ mov.32 @x[6],@d[3] ++ dup $xb3,@{K[1]}[3] ++ lsr @x[7],@d[3],#32 ++ dup $xd0,@{K[3]}[0] ++ mov.32 @x[8],@d[4] ++ dup $xd1,@{K[3]}[1] ++ lsr @x[9],@d[4],#32 ++ dup $xd2,@{K[3]}[2] ++ mov.32 @x[10],@d[5] ++ dup $xd3,@{K[3]}[3] ++ lsr @x[11],@d[5],#32 ++ add $xd0,$xd0,$CTR ++ mov.32 @x[12],@d[6] ++ dup $xc0,@{K[2]}[0] ++ lsr @x[13],@d[6],#32 ++ dup $xc1,@{K[2]}[1] ++ mov.32 @x[14],@d[7] ++ dup $xc2,@{K[2]}[2] ++ lsr @x[15],@d[7],#32 ++ dup $xc3,@{K[2]}[3] + + mov $ctr,#10 +- subs $len,$len,#256 ++ subs $len,$len,#320 + .Loop_neon: + sub $ctr,$ctr,#1 + ___ +- my @thread0=&NEONROUND($A0,$B0,$C0,$D0,$T0,0); +- my @thread1=&NEONROUND($A1,$B1,$C1,$D1,$T1,0); +- my @thread2=&NEONROUND($A2,$B2,$C2,$D2,$T2,0); +- my @thread3=&ROUND(0,4,8,12); +- +- foreach (@thread0) { +- eval; eval(shift(@thread3)); +- eval(shift(@thread1)); eval(shift(@thread3)); +- eval(shift(@thread2)); eval(shift(@thread3)); +- } +- +- @thread0=&NEONROUND($A0,$B0,$C0,$D0,$T0,1); +- @thread1=&NEONROUND($A1,$B1,$C1,$D1,$T1,1); +- @thread2=&NEONROUND($A2,$B2,$C2,$D2,$T2,1); +- @thread3=&ROUND(0,5,10,15); ++ my @plus_one=&ROUND(0,4,8,12); ++ foreach (&NEON_lane_ROUND(0,4,8,12)) { eval; eval(shift(@plus_one)); } + +- foreach (@thread0) { +- eval; eval(shift(@thread3)); +- eval(shift(@thread1)); eval(shift(@thread3)); +- eval(shift(@thread2)); eval(shift(@thread3)); +- } ++ @plus_one=&ROUND(0,5,10,15); ++ foreach (&NEON_lane_ROUND(0,5,10,15)) { eval; eval(shift(@plus_one)); } + $code.=<<___; + cbnz $ctr,.Loop_neon + +- add.32 @x[0],@x[0],@d[0] // accumulate key block +- add $A0,$A0,@K[0] +- add @x[1],@x[1],@d[0],lsr#32 +- add $A1,$A1,@K[0] +- add.32 @x[2],@x[2],@d[1] +- add $A2,$A2,@K[0] +- add @x[3],@x[3],@d[1],lsr#32 +- add $C0,$C0,@K[2] +- add.32 @x[4],@x[4],@d[2] +- add $C1,$C1,@K[2] +- add @x[5],@x[5],@d[2],lsr#32 +- add $C2,$C2,@K[2] +- add.32 @x[6],@x[6],@d[3] +- add $D0,$D0,@K[3] +- add @x[7],@x[7],@d[3],lsr#32 +- add.32 @x[8],@x[8],@d[4] +- add $D1,$D1,@K[4] +- add @x[9],@x[9],@d[4],lsr#32 +- add.32 @x[10],@x[10],@d[5] +- add $D2,$D2,@K[5] +- add @x[11],@x[11],@d[5],lsr#32 +- add.32 @x[12],@x[12],@d[6] +- add $B0,$B0,@K[1] +- add @x[13],@x[13],@d[6],lsr#32 +- add.32 @x[14],@x[14],@d[7] +- add $B1,$B1,@K[1] +- add @x[15],@x[15],@d[7],lsr#32 +- add $B2,$B2,@K[1] ++ add $xd0,$xd0,$CTR ++ ++ zip1 $xt0,$xa0,$xa1 // transpose data ++ zip1 $xt1,$xa2,$xa3 ++ zip2 $xt2,$xa0,$xa1 ++ zip2 $xt3,$xa2,$xa3 ++ zip1.64 $xa0,$xt0,$xt1 ++ zip2.64 $xa1,$xt0,$xt1 ++ zip1.64 $xa2,$xt2,$xt3 ++ zip2.64 $xa3,$xt2,$xt3 ++ ++ zip1 $xt0,$xb0,$xb1 ++ zip1 $xt1,$xb2,$xb3 ++ zip2 $xt2,$xb0,$xb1 ++ zip2 $xt3,$xb2,$xb3 ++ zip1.64 $xb0,$xt0,$xt1 ++ zip2.64 $xb1,$xt0,$xt1 ++ zip1.64 $xb2,$xt2,$xt3 ++ zip2.64 $xb3,$xt2,$xt3 ++ ++ zip1 $xt0,$xc0,$xc1 ++ add.32 @x[0],@x[0],@d[0] // accumulate key block ++ zip1 $xt1,$xc2,$xc3 ++ add @x[1],@x[1],@d[0],lsr#32 ++ zip2 $xt2,$xc0,$xc1 ++ add.32 @x[2],@x[2],@d[1] ++ zip2 $xt3,$xc2,$xc3 ++ add @x[3],@x[3],@d[1],lsr#32 ++ zip1.64 $xc0,$xt0,$xt1 ++ add.32 @x[4],@x[4],@d[2] ++ zip2.64 $xc1,$xt0,$xt1 ++ add @x[5],@x[5],@d[2],lsr#32 ++ zip1.64 $xc2,$xt2,$xt3 ++ add.32 @x[6],@x[6],@d[3] ++ zip2.64 $xc3,$xt2,$xt3 ++ add @x[7],@x[7],@d[3],lsr#32 ++ ++ zip1 $xt0,$xd0,$xd1 ++ add.32 @x[8],@x[8],@d[4] ++ zip1 $xt1,$xd2,$xd3 ++ add @x[9],@x[9],@d[4],lsr#32 ++ zip2 $xt2,$xd0,$xd1 ++ add.32 @x[10],@x[10],@d[5] ++ zip2 $xt3,$xd2,$xd3 ++ add @x[11],@x[11],@d[5],lsr#32 ++ zip1.64 $xd0,$xt0,$xt1 ++ add.32 @x[12],@x[12],@d[6] ++ zip2.64 $xd1,$xt0,$xt1 ++ add @x[13],@x[13],@d[6],lsr#32 ++ zip1.64 $xd2,$xt2,$xt3 ++ add.32 @x[14],@x[14],@d[7] ++ zip2.64 $xd3,$xt2,$xt3 ++ add @x[15],@x[15],@d[7],lsr#32 + + b.lo .Ltail_neon + + add @x[0],@x[0],@x[1],lsl#32 // pack + add @x[2],@x[2],@x[3],lsl#32 + ldp @x[1],@x[3],[$inp,#0] // load input ++ add $xa0,$xa0,@K[0] // accumulate key block + add @x[4],@x[4],@x[5],lsl#32 + add @x[6],@x[6],@x[7],lsl#32 + ldp @x[5],@x[7],[$inp,#16] ++ add $xb0,$xb0,@K[1] + add @x[8],@x[8],@x[9],lsl#32 + add @x[10],@x[10],@x[11],lsl#32 + ldp @x[9],@x[11],[$inp,#32] ++ add $xc0,$xc0,@K[2] + add @x[12],@x[12],@x[13],lsl#32 + add @x[14],@x[14],@x[15],lsl#32 + ldp @x[13],@x[15],[$inp,#48] ++ add $xd0,$xd0,@K[3] + add $inp,$inp,#64 +-#ifdef __ARMEB__ ++#ifdef __AARCH64EB__ + rev @x[0],@x[0] + rev @x[2],@x[2] + rev @x[4],@x[4] +@@ -531,48 +598,68 @@ $code.=<<___; + rev @x[12],@x[12] + rev @x[14],@x[14] + #endif +- ld1.8 {$T0-$T3},[$inp],#64 ++ ld1.8 {$xt0-$xt3},[$inp],#64 + eor @x[0],@x[0],@x[1] ++ add $xa1,$xa1,@K[0] + eor @x[2],@x[2],@x[3] ++ add $xb1,$xb1,@K[1] + eor @x[4],@x[4],@x[5] ++ add $xc1,$xc1,@K[2] + eor @x[6],@x[6],@x[7] ++ add $xd1,$xd1,@K[3] + eor @x[8],@x[8],@x[9] +- eor $A0,$A0,$T0 ++ eor $xa0,$xa0,$xt0 ++ movi $xt0,#5 + eor @x[10],@x[10],@x[11] +- eor $B0,$B0,$T1 ++ eor $xb0,$xb0,$xt1 + eor @x[12],@x[12],@x[13] +- eor $C0,$C0,$T2 ++ eor $xc0,$xc0,$xt2 + eor @x[14],@x[14],@x[15] +- eor $D0,$D0,$T3 +- ld1.8 {$T0-$T3},[$inp],#64 ++ eor $xd0,$xd0,$xt3 ++ add $CTR,$CTR,$xt0 // += 5 ++ ld1.8 {$xt0-$xt3},[$inp],#64 + + stp @x[0],@x[2],[$out,#0] // store output +- add @d[6],@d[6],#4 // increment counter ++ add @d[6],@d[6],#5 // increment counter + stp @x[4],@x[6],[$out,#16] +- add @K[3],@K[3],$ONE // += 4 + stp @x[8],@x[10],[$out,#32] +- add @K[4],@K[4],$ONE + stp @x[12],@x[14],[$out,#48] +- add @K[5],@K[5],$ONE + add $out,$out,#64 + +- st1.8 {$A0-$D0},[$out],#64 +- ld1.8 {$A0-$D0},[$inp],#64 +- +- eor $A1,$A1,$T0 +- eor $B1,$B1,$T1 +- eor $C1,$C1,$T2 +- eor $D1,$D1,$T3 +- st1.8 {$A1-$D1},[$out],#64 +- +- eor $A2,$A2,$A0 +- eor $B2,$B2,$B0 +- eor $C2,$C2,$C0 +- eor $D2,$D2,$D0 +- st1.8 {$A2-$D2},[$out],#64 ++ st1.8 {$xa0-$xd0},[$out],#64 ++ add $xa2,$xa2,@K[0] ++ add $xb2,$xb2,@K[1] ++ add $xc2,$xc2,@K[2] ++ add $xd2,$xd2,@K[3] ++ ld1.8 {$xa0-$xd0},[$inp],#64 ++ ++ eor $xa1,$xa1,$xt0 ++ eor $xb1,$xb1,$xt1 ++ eor $xc1,$xc1,$xt2 ++ eor $xd1,$xd1,$xt3 ++ st1.8 {$xa1-$xd1},[$out],#64 ++ add $xa3,$xa3,@K[0] ++ add $xb3,$xb3,@K[1] ++ add $xc3,$xc3,@K[2] ++ add $xd3,$xd3,@K[3] ++ ld1.8 {$xa1-$xd1},[$inp],#64 ++ ++ eor $xa2,$xa2,$xa0 ++ eor $xb2,$xb2,$xb0 ++ eor $xc2,$xc2,$xc0 ++ eor $xd2,$xd2,$xd0 ++ st1.8 {$xa2-$xd2},[$out],#64 ++ ++ eor $xa3,$xa3,$xa1 ++ eor $xb3,$xb3,$xb1 ++ eor $xc3,$xc3,$xc1 ++ eor $xd3,$xd3,$xd1 ++ st1.8 {$xa3-$xd3},[$out],#64 + + b.hi .Loop_outer_neon + ++ ldp d8,d9,[sp] // meet ABI requirements ++ + ldp x19,x20,[x29,#16] + add sp,sp,#64 + ldp x21,x22,[x29,#32] +@@ -583,8 +670,10 @@ $code.=<<___; + .inst 0xd50323bf // autiasp + ret + ++.align 4 + .Ltail_neon: +- add $len,$len,#256 ++ add $len,$len,#320 ++ ldp d8,d9,[sp] // meet ABI requirements + cmp $len,#64 + b.lo .Less_than_64 + +@@ -601,7 +690,7 @@ $code.=<<___; + add @x[14],@x[14],@x[15],lsl#32 + ldp @x[13],@x[15],[$inp,#48] + add $inp,$inp,#64 +-#ifdef __ARMEB__ ++#ifdef __AARCH64EB__ + rev @x[0],@x[0] + rev @x[2],@x[2] + rev @x[4],@x[4] +@@ -621,48 +710,68 @@ $code.=<<___; + eor @x[14],@x[14],@x[15] + + stp @x[0],@x[2],[$out,#0] // store output +- add @d[6],@d[6],#4 // increment counter ++ add $xa0,$xa0,@K[0] // accumulate key block + stp @x[4],@x[6],[$out,#16] ++ add $xb0,$xb0,@K[1] + stp @x[8],@x[10],[$out,#32] ++ add $xc0,$xc0,@K[2] + stp @x[12],@x[14],[$out,#48] ++ add $xd0,$xd0,@K[3] + add $out,$out,#64 + b.eq .Ldone_neon + sub $len,$len,#64 + cmp $len,#64 +- b.lo .Less_than_128 ++ b.lo .Last_neon + +- ld1.8 {$T0-$T3},[$inp],#64 +- eor $A0,$A0,$T0 +- eor $B0,$B0,$T1 +- eor $C0,$C0,$T2 +- eor $D0,$D0,$T3 +- st1.8 {$A0-$D0},[$out],#64 ++ ld1.8 {$xt0-$xt3},[$inp],#64 ++ eor $xa0,$xa0,$xt0 ++ eor $xb0,$xb0,$xt1 ++ eor $xc0,$xc0,$xt2 ++ eor $xd0,$xd0,$xt3 ++ st1.8 {$xa0-$xd0},[$out],#64 + b.eq .Ldone_neon ++ ++ add $xa0,$xa1,@K[0] ++ add $xb0,$xb1,@K[1] + sub $len,$len,#64 ++ add $xc0,$xc1,@K[2] + cmp $len,#64 +- b.lo .Less_than_192 ++ add $xd0,$xd1,@K[3] ++ b.lo .Last_neon + +- ld1.8 {$T0-$T3},[$inp],#64 +- eor $A1,$A1,$T0 +- eor $B1,$B1,$T1 +- eor $C1,$C1,$T2 +- eor $D1,$D1,$T3 +- st1.8 {$A1-$D1},[$out],#64 ++ ld1.8 {$xt0-$xt3},[$inp],#64 ++ eor $xa1,$xa0,$xt0 ++ eor $xb1,$xb0,$xt1 ++ eor $xc1,$xc0,$xt2 ++ eor $xd1,$xd0,$xt3 ++ st1.8 {$xa1-$xd1},[$out],#64 + b.eq .Ldone_neon ++ ++ add $xa0,$xa2,@K[0] ++ add $xb0,$xb2,@K[1] + sub $len,$len,#64 ++ add $xc0,$xc2,@K[2] ++ cmp $len,#64 ++ add $xd0,$xd2,@K[3] ++ b.lo .Last_neon + +- st1.8 {$A2-$D2},[sp] +- b .Last_neon ++ ld1.8 {$xt0-$xt3},[$inp],#64 ++ eor $xa2,$xa0,$xt0 ++ eor $xb2,$xb0,$xt1 ++ eor $xc2,$xc0,$xt2 ++ eor $xd2,$xd0,$xt3 ++ st1.8 {$xa2-$xd2},[$out],#64 ++ b.eq .Ldone_neon + +-.Less_than_128: +- st1.8 {$A0-$D0},[sp] +- b .Last_neon +-.Less_than_192: +- st1.8 {$A1-$D1},[sp] +- b .Last_neon ++ add $xa0,$xa3,@K[0] ++ add $xb0,$xb3,@K[1] ++ add $xc0,$xc3,@K[2] ++ add $xd0,$xd3,@K[3] ++ sub $len,$len,#64 + +-.align 4 + .Last_neon: ++ st1.8 {$xa0-$xd0},[sp] ++ + sub $out,$out,#1 + add $inp,$inp,$len + add $out,$out,$len +@@ -695,9 +804,41 @@ $code.=<<___; + .size ChaCha20_neon,.-ChaCha20_neon + ___ + { ++my @K = map("v$_.4s",(0..6)); + my ($T0,$T1,$T2,$T3,$T4,$T5)=@K; + my ($A0,$B0,$C0,$D0,$A1,$B1,$C1,$D1,$A2,$B2,$C2,$D2, +- $A3,$B3,$C3,$D3,$A4,$B4,$C4,$D4,$A5,$B5,$C5,$D5) = map("v$_.4s",(0..23)); ++ $A3,$B3,$C3,$D3,$A4,$B4,$C4,$D4,$A5,$B5,$C5,$D5) = map("v$_.4s",(8..31)); ++my $rot24 = @K[6]; ++my $ONE = "v7.4s"; ++ ++sub NEONROUND { ++my $odd = pop; ++my ($a,$b,$c,$d,$t)=@_; ++ ++ ( ++ "&add ('$a','$a','$b')", ++ "&eor ('$d','$d','$a')", ++ "&rev32_16 ('$d','$d')", # vrot ($d,16) ++ ++ "&add ('$c','$c','$d')", ++ "&eor ('$t','$b','$c')", ++ "&ushr ('$b','$t',20)", ++ "&sli ('$b','$t',12)", ++ ++ "&add ('$a','$a','$b')", ++ "&eor ('$d','$d','$a')", ++ "&tbl ('$d','{$d}','$rot24')", ++ ++ "&add ('$c','$c','$d')", ++ "&eor ('$t','$b','$c')", ++ "&ushr ('$b','$t',25)", ++ "&sli ('$b','$t',7)", ++ ++ "&ext ('$c','$c','$c',8)", ++ "&ext ('$d','$d','$d',$odd?4:12)", ++ "&ext ('$b','$b','$b',$odd?12:4)" ++ ); ++} + + $code.=<<___; + .type ChaCha20_512_neon,%function +@@ -717,6 +858,7 @@ ChaCha20_512_neon: + .L512_or_more_neon: + sub sp,sp,#128+64 + ++ eor $ONE,$ONE,$ONE + ldp @d[0],@d[1],[@x[0]] // load sigma + ld1 {@K[0]},[@x[0]],#16 + ldp @d[2],@d[3],[$key] // load key +@@ -724,8 +866,9 @@ ChaCha20_512_neon: + ld1 {@K[1],@K[2]},[$key] + ldp @d[6],@d[7],[$ctr] // load counter + ld1 {@K[3]},[$ctr] +- ld1 {$ONE},[@x[0]] +-#ifdef __ARMEB__ ++ ld1 {$ONE}[0],[@x[0]] ++ add $key,@x[0],#16 // .Lrot24 ++#ifdef __AARCH64EB__ + rev64 @K[0],@K[0] + ror @d[2],@d[2],#32 + ror @d[3],@d[3],#32 +@@ -792,9 +935,10 @@ ChaCha20_512_neon: + mov $C4,@K[2] + stp @K[3],@K[4],[sp,#48] // off-load key block, variable part + mov $C5,@K[2] +- str @K[5],[sp,#80] ++ stp @K[5],@K[6],[sp,#80] + + mov $ctr,#5 ++ ld1 {$rot24},[$key] + subs $len,$len,#512 + .Loop_upper_neon: + sub $ctr,$ctr,#1 +@@ -867,7 +1011,7 @@ $code.=<<___; + add @x[14],@x[14],@x[15],lsl#32 + ldp @x[13],@x[15],[$inp,#48] + add $inp,$inp,#64 +-#ifdef __ARMEB__ ++#ifdef __AARCH64EB__ + rev @x[0],@x[0] + rev @x[2],@x[2] + rev @x[4],@x[4] +@@ -956,6 +1100,7 @@ $code.=<<___; + add.32 @x[2],@x[2],@d[1] + ldp @K[4],@K[5],[sp,#64] + add @x[3],@x[3],@d[1],lsr#32 ++ ldr @K[6],[sp,#96] + add $A0,$A0,@K[0] + add.32 @x[4],@x[4],@d[2] + add $A1,$A1,@K[0] +@@ -1008,7 +1153,7 @@ $code.=<<___; + add $inp,$inp,#64 + add $B5,$B5,@K[1] + +-#ifdef __ARMEB__ ++#ifdef __AARCH64EB__ + rev @x[0],@x[0] + rev @x[2],@x[2] + rev @x[4],@x[4] +@@ -1086,26 +1231,26 @@ $code.=<<___; + b.hs .Loop_outer_512_neon + + adds $len,$len,#512 +- ushr $A0,$ONE,#2 // 4 -> 1 ++ ushr $ONE,$ONE,#1 // 4 -> 2 + +- ldp d8,d9,[sp,#128+0] // meet ABI requirements + ldp d10,d11,[sp,#128+16] + ldp d12,d13,[sp,#128+32] + ldp d14,d15,[sp,#128+48] + +- stp @K[0],$ONE,[sp,#0] // wipe off-load area +- stp @K[0],$ONE,[sp,#32] +- stp @K[0],$ONE,[sp,#64] ++ stp @K[0],@K[0],[sp,#0] // wipe off-load area ++ stp @K[0],@K[0],[sp,#32] ++ stp @K[0],@K[0],[sp,#64] + + b.eq .Ldone_512_neon + ++ sub $key,$key,#16 // .Lone + cmp $len,#192 +- sub @K[3],@K[3],$A0 // -= 1 +- sub @K[4],@K[4],$A0 +- sub @K[5],@K[5],$A0 + add sp,sp,#128 ++ sub @K[3],@K[3],$ONE // -= 2 ++ ld1 {$CTR,$ROT24},[$key] + b.hs .Loop_outer_neon + ++ ldp d8,d9,[sp,#0] // meet ABI requirements + eor @K[1],@K[1],@K[1] + eor @K[2],@K[2],@K[2] + eor @K[3],@K[3],@K[3] +@@ -1115,6 +1260,7 @@ $code.=<<___; + b .Loop_outer + + .Ldone_512_neon: ++ ldp d8,d9,[sp,#128+0] // meet ABI requirements + ldp x19,x20,[x29,#16] + add sp,sp,#128+64 + ldp x21,x22,[x29,#32] +@@ -1133,9 +1279,11 @@ foreach (split("\n",$code)) { + s/\`([^\`]*)\`/eval $1/geo; + + (s/\b([a-z]+)\.32\b/$1/ and (s/x([0-9]+)/w$1/g or 1)) or +- (m/\b(eor|ext|mov)\b/ and (s/\.4s/\.16b/g or 1)) or ++ (m/\b(eor|ext|mov|tbl)\b/ and (s/\.4s/\.16b/g or 1)) or + (s/\b((?:ld|st)1)\.8\b/$1/ and (s/\.4s/\.16b/g or 1)) or + (m/\b(ld|st)[rp]\b/ and (s/v([0-9]+)\.4s/q$1/g or 1)) or ++ (m/\b(dup|ld1)\b/ and (s/\.4(s}?\[[0-3]\])/.$1/g or 1)) or ++ (s/\b(zip[12])\.64\b/$1/ and (s/\.4s/\.2d/g or 1)) or + (s/\brev32\.16\b/rev32/ and (s/\.4s/\.8h/g or 1)); + + #s/\bq([0-9]+)#(lo|hi)/sprintf "d%d",2*$1+($2 eq "hi")/geo; +diff -up openssl-1.1.1i/crypto/modes/asm/ghashv8-armx.pl.arm-update openssl-1.1.1i/crypto/modes/asm/ghashv8-armx.pl +--- openssl-1.1.1i/crypto/modes/asm/ghashv8-armx.pl.arm-update 2020-12-08 14:20:59.000000000 +0100 ++++ openssl-1.1.1i/crypto/modes/asm/ghashv8-armx.pl 2020-12-09 10:37:38.408558954 +0100 +@@ -42,6 +42,7 @@ + # Denver 0.51 0.65 6.02 + # Mongoose 0.65 1.10 8.06 + # Kryo 0.76 1.16 8.00 ++# ThunderX2 1.05 + # + # (*) presented for reference/comparison purposes; + +diff -up openssl-1.1.1i/crypto/poly1305/asm/poly1305-armv8.pl.arm-update openssl-1.1.1i/crypto/poly1305/asm/poly1305-armv8.pl +--- openssl-1.1.1i/crypto/poly1305/asm/poly1305-armv8.pl.arm-update 2020-12-08 14:20:59.000000000 +0100 ++++ openssl-1.1.1i/crypto/poly1305/asm/poly1305-armv8.pl 2020-12-09 10:37:38.408558954 +0100 +@@ -29,6 +29,7 @@ + # X-Gene 2.13/+68% 2.27 + # Mongoose 1.77/+75% 1.12 + # Kryo 2.70/+55% 1.13 ++# ThunderX2 1.17/+95% 1.36 + # + # (*) estimate based on resources availability is less than 1.0, + # i.e. measured result is worse than expected, presumably binary +diff -up openssl-1.1.1i/crypto/sha/asm/keccak1600-armv8.pl.arm-update openssl-1.1.1i/crypto/sha/asm/keccak1600-armv8.pl +--- openssl-1.1.1i/crypto/sha/asm/keccak1600-armv8.pl.arm-update 2020-12-08 14:20:59.000000000 +0100 ++++ openssl-1.1.1i/crypto/sha/asm/keccak1600-armv8.pl 2020-12-09 10:37:38.408558954 +0100 +@@ -51,6 +51,7 @@ + # Kryo 12 + # Denver 7.8 + # Apple A7 7.2 ++# ThunderX2 9.7 + # + # (*) Corresponds to SHA3-256. No improvement coefficients are listed + # because they vary too much from compiler to compiler. Newer +diff -up openssl-1.1.1i/crypto/sha/asm/sha1-armv8.pl.arm-update openssl-1.1.1i/crypto/sha/asm/sha1-armv8.pl +--- openssl-1.1.1i/crypto/sha/asm/sha1-armv8.pl.arm-update 2020-12-08 14:20:59.000000000 +0100 ++++ openssl-1.1.1i/crypto/sha/asm/sha1-armv8.pl 2020-12-09 10:37:38.408558954 +0100 +@@ -27,6 +27,7 @@ + # X-Gene 8.80 (+200%) + # Mongoose 2.05 6.50 (+160%) + # Kryo 1.88 8.00 (+90%) ++# ThunderX2 2.64 6.36 (+150%) + # + # (*) Software results are presented mostly for reference purposes. + # (**) Keep in mind that Denver relies on binary translation, which +diff -up openssl-1.1.1i/crypto/sha/asm/sha512-armv8.pl.arm-update openssl-1.1.1i/crypto/sha/asm/sha512-armv8.pl +--- openssl-1.1.1i/crypto/sha/asm/sha512-armv8.pl.arm-update 2020-12-08 14:20:59.000000000 +0100 ++++ openssl-1.1.1i/crypto/sha/asm/sha512-armv8.pl 2020-12-09 10:37:38.408558954 +0100 +@@ -28,6 +28,7 @@ + # X-Gene 20.0 (+100%) 12.8 (+300%(***)) + # Mongoose 2.36 13.0 (+50%) 8.36 (+33%) + # Kryo 1.92 17.4 (+30%) 11.2 (+8%) ++# ThunderX2 2.54 13.2 (+40%) 8.40 (+18%) + # + # (*) Software SHA256 results are of lesser relevance, presented + # mostly for informational purposes. diff --git a/openssl-1.1.1-build.patch b/openssl-1.1.1-build.patch index cfe20f6..c0ef62b 100644 --- a/openssl-1.1.1-build.patch +++ b/openssl-1.1.1-build.patch @@ -1,28 +1,7 @@ -diff -up openssl-1.1.1-pre8/Configurations/unix-Makefile.tmpl.build openssl-1.1.1-pre8/Configurations/unix-Makefile.tmpl ---- openssl-1.1.1-pre8/Configurations/unix-Makefile.tmpl.build 2018-06-20 16:48:09.000000000 +0200 -+++ openssl-1.1.1-pre8/Configurations/unix-Makefile.tmpl 2018-07-16 17:15:38.108831031 +0200 -@@ -680,7 +680,7 @@ uninstall_runtime: - install_man_docs: - @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1) - @$(ECHO) "*** Installing manpages" -- $(PERL) $(SRCDIR)/util/process_docs.pl \ -+ TZ=UTC $(PERL) $(SRCDIR)/util/process_docs.pl \ - --destdir=$(DESTDIR)$(MANDIR) --type=man --suffix=$(MANSUFFIX) - - uninstall_man_docs: -@@ -692,7 +692,7 @@ uninstall_man_docs: - install_html_docs: - @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1) - @$(ECHO) "*** Installing HTML manpages" -- $(PERL) $(SRCDIR)/util/process_docs.pl \ -+ TZ=UTC $(PERL) $(SRCDIR)/util/process_docs.pl \ - --destdir=$(DESTDIR)$(HTMLDIR) --type=html - - uninstall_html_docs: -diff -up openssl-1.1.1-pre8/Configurations/10-main.conf.build openssl-1.1.1-pre8/Configurations/10-main.conf ---- openssl-1.1.1-pre8/Configurations/10-main.conf.build 2018-06-20 16:48:09.000000000 +0200 -+++ openssl-1.1.1-pre8/Configurations/10-main.conf 2018-07-16 17:17:10.312045203 +0200 -@@ -693,6 +693,7 @@ my %targets = ( +diff -up openssl-1.1.1f/Configurations/10-main.conf.build openssl-1.1.1f/Configurations/10-main.conf +--- openssl-1.1.1f/Configurations/10-main.conf.build 2020-03-31 14:17:45.000000000 +0200 ++++ openssl-1.1.1f/Configurations/10-main.conf 2020-04-07 16:42:10.920546387 +0200 +@@ -678,6 +678,7 @@ my %targets = ( cxxflags => add("-m64"), lib_cppflags => add("-DL_ENDIAN"), perlasm_scheme => "linux64le", @@ -30,7 +9,7 @@ diff -up openssl-1.1.1-pre8/Configurations/10-main.conf.build openssl-1.1.1-pre8 }, "linux-armv4" => { -@@ -733,6 +734,7 @@ my %targets = ( +@@ -718,6 +719,7 @@ my %targets = ( "linux-aarch64" => { inherit_from => [ "linux-generic64", asm("aarch64_asm") ], perlasm_scheme => "linux64", @@ -38,3 +17,24 @@ diff -up openssl-1.1.1-pre8/Configurations/10-main.conf.build openssl-1.1.1-pre8 }, "linux-arm64ilp32" => { # https://wiki.linaro.org/Platform/arm64-ilp32 inherit_from => [ "linux-generic32", asm("aarch64_asm") ], +diff -up openssl-1.1.1f/Configurations/unix-Makefile.tmpl.build openssl-1.1.1f/Configurations/unix-Makefile.tmpl +--- openssl-1.1.1f/Configurations/unix-Makefile.tmpl.build 2020-04-07 16:42:10.920546387 +0200 ++++ openssl-1.1.1f/Configurations/unix-Makefile.tmpl 2020-04-07 16:44:23.539142108 +0200 +@@ -823,7 +823,7 @@ uninstall_runtime_libs: + install_man_docs: + @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1) + @$(ECHO) "*** Installing manpages" +- $(PERL) $(SRCDIR)/util/process_docs.pl \ ++ TZ=UTC $(PERL) $(SRCDIR)/util/process_docs.pl \ + "--destdir=$(DESTDIR)$(MANDIR)" --type=man --suffix=$(MANSUFFIX) + + uninstall_man_docs: +@@ -835,7 +835,7 @@ uninstall_man_docs: + install_html_docs: + @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1) + @$(ECHO) "*** Installing HTML manpages" +- $(PERL) $(SRCDIR)/util/process_docs.pl \ ++ TZ=UTC $(PERL) $(SRCDIR)/util/process_docs.pl \ + "--destdir=$(DESTDIR)$(HTMLDIR)" --type=html + + uninstall_html_docs: diff --git a/openssl-1.1.1-ec-curves.patch b/openssl-1.1.1-ec-curves.patch index a83a331..27f23ca 100644 --- a/openssl-1.1.1-ec-curves.patch +++ b/openssl-1.1.1-ec-curves.patch @@ -1,6 +1,6 @@ -diff -up openssl-1.1.1c/apps/speed.c.curves openssl-1.1.1c/apps/speed.c ---- openssl-1.1.1c/apps/speed.c.curves 2019-05-28 15:12:21.000000000 +0200 -+++ openssl-1.1.1c/apps/speed.c 2019-05-29 15:36:53.332224470 +0200 +diff -up openssl-1.1.1h/apps/speed.c.curves openssl-1.1.1h/apps/speed.c +--- openssl-1.1.1h/apps/speed.c.curves 2020-09-22 14:55:07.000000000 +0200 ++++ openssl-1.1.1h/apps/speed.c 2020-11-06 13:27:15.659288431 +0100 @@ -490,90 +490,30 @@ static double rsa_results[RSA_NUM][2]; #endif /* OPENSSL_NO_RSA */ @@ -92,7 +92,7 @@ diff -up openssl-1.1.1c/apps/speed.c.curves openssl-1.1.1c/apps/speed.c {"ecdhx25519", R_EC_X25519}, {"ecdhx448", R_EC_X448} }; -@@ -1504,31 +1444,10 @@ int speed_main(int argc, char **argv) +@@ -1502,31 +1442,10 @@ int speed_main(int argc, char **argv) unsigned int bits; } test_curves[] = { /* Prime Curves */ @@ -124,7 +124,7 @@ diff -up openssl-1.1.1c/apps/speed.c.curves openssl-1.1.1c/apps/speed.c /* Other and ECDH only ones */ {"X25519", NID_X25519, 253}, {"X448", NID_X448, 448} -@@ -2028,9 +1947,9 @@ int speed_main(int argc, char **argv) +@@ -2026,9 +1945,9 @@ int speed_main(int argc, char **argv) # endif # ifndef OPENSSL_NO_EC @@ -137,7 +137,7 @@ diff -up openssl-1.1.1c/apps/speed.c.curves openssl-1.1.1c/apps/speed.c ecdsa_c[i][0] = ecdsa_c[i - 1][0] / 2; ecdsa_c[i][1] = ecdsa_c[i - 1][1] / 2; if (ecdsa_doit[i] <= 1 && ecdsa_c[i][0] == 0) -@@ -2042,7 +1961,7 @@ int speed_main(int argc, char **argv) +@@ -2040,7 +1959,7 @@ int speed_main(int argc, char **argv) } } } @@ -146,7 +146,7 @@ diff -up openssl-1.1.1c/apps/speed.c.curves openssl-1.1.1c/apps/speed.c ecdsa_c[R_EC_K163][0] = count / 1000; ecdsa_c[R_EC_K163][1] = count / 1000 / 2; for (i = R_EC_K233; i <= R_EC_K571; i++) { -@@ -2073,8 +1992,8 @@ int speed_main(int argc, char **argv) +@@ -2071,8 +1990,8 @@ int speed_main(int argc, char **argv) } # endif @@ -157,7 +157,7 @@ diff -up openssl-1.1.1c/apps/speed.c.curves openssl-1.1.1c/apps/speed.c ecdh_c[i][0] = ecdh_c[i - 1][0] / 2; if (ecdh_doit[i] <= 1 && ecdh_c[i][0] == 0) ecdh_doit[i] = 0; -@@ -2084,7 +2003,7 @@ int speed_main(int argc, char **argv) +@@ -2082,7 +2001,7 @@ int speed_main(int argc, char **argv) } } } @@ -166,9 +166,9 @@ diff -up openssl-1.1.1c/apps/speed.c.curves openssl-1.1.1c/apps/speed.c ecdh_c[R_EC_K163][0] = count / 1000; for (i = R_EC_K233; i <= R_EC_K571; i++) { ecdh_c[i][0] = ecdh_c[i - 1][0] / 2; -diff -up openssl-1.1.1c/crypto/ec/ecp_smpl.c.curves openssl-1.1.1c/crypto/ec/ecp_smpl.c ---- openssl-1.1.1c/crypto/ec/ecp_smpl.c.curves 2019-05-28 15:12:21.000000000 +0200 -+++ openssl-1.1.1c/crypto/ec/ecp_smpl.c 2019-05-29 15:30:09.071349520 +0200 +diff -up openssl-1.1.1h/crypto/ec/ecp_smpl.c.curves openssl-1.1.1h/crypto/ec/ecp_smpl.c +--- openssl-1.1.1h/crypto/ec/ecp_smpl.c.curves 2020-09-22 14:55:07.000000000 +0200 ++++ openssl-1.1.1h/crypto/ec/ecp_smpl.c 2020-11-06 13:27:15.659288431 +0100 @@ -145,6 +145,11 @@ int ec_GFp_simple_group_set_curve(EC_GRO return 0; } @@ -181,9 +181,9 @@ diff -up openssl-1.1.1c/crypto/ec/ecp_smpl.c.curves openssl-1.1.1c/crypto/ec/ecp if (ctx == NULL) { ctx = new_ctx = BN_CTX_new(); if (ctx == NULL) -diff -up openssl-1.1.1c/test/ecdsatest.h.curves openssl-1.1.1c/test/ecdsatest.h ---- openssl-1.1.1c/test/ecdsatest.h.curves 2019-05-29 15:30:09.010350595 +0200 -+++ openssl-1.1.1c/test/ecdsatest.h 2019-05-29 15:41:24.586444294 +0200 +diff -up openssl-1.1.1h/test/ecdsatest.h.curves openssl-1.1.1h/test/ecdsatest.h +--- openssl-1.1.1h/test/ecdsatest.h.curves 2020-11-06 13:27:15.627288114 +0100 ++++ openssl-1.1.1h/test/ecdsatest.h 2020-11-06 13:27:15.660288441 +0100 @@ -32,23 +32,6 @@ typedef struct { } ecdsa_cavs_kat_t; @@ -208,3 +208,59 @@ diff -up openssl-1.1.1c/test/ecdsatest.h.curves openssl-1.1.1c/test/ecdsatest.h /* prime KATs from NIST CAVP */ {NID_secp224r1, NID_sha224, "699325d6fc8fbbb4981a6ded3c3a54ad2e4e3db8a5669201912064c64e700c139248cdc1" +--- openssl-1.1.1h/test/recipes/15-test_genec.t.ec-curves 2020-11-06 13:58:36.402895540 +0100 ++++ openssl-1.1.1h/test/recipes/15-test_genec.t 2020-11-06 13:59:38.508484498 +0100 +@@ -20,45 +20,11 @@ plan skip_all => "This test is unsupport + if disabled("ec"); + + my @prime_curves = qw( +- secp112r1 +- secp112r2 +- secp128r1 +- secp128r2 +- secp160k1 +- secp160r1 +- secp160r2 +- secp192k1 +- secp224k1 + secp224r1 + secp256k1 + secp384r1 + secp521r1 +- prime192v1 +- prime192v2 +- prime192v3 +- prime239v1 +- prime239v2 +- prime239v3 + prime256v1 +- wap-wsg-idm-ecid-wtls6 +- wap-wsg-idm-ecid-wtls7 +- wap-wsg-idm-ecid-wtls8 +- wap-wsg-idm-ecid-wtls9 +- wap-wsg-idm-ecid-wtls12 +- brainpoolP160r1 +- brainpoolP160t1 +- brainpoolP192r1 +- brainpoolP192t1 +- brainpoolP224r1 +- brainpoolP224t1 +- brainpoolP256r1 +- brainpoolP256t1 +- brainpoolP320r1 +- brainpoolP320t1 +- brainpoolP384r1 +- brainpoolP384t1 +- brainpoolP512r1 +- brainpoolP512t1 + ); + + my @binary_curves = qw( +@@ -115,7 +81,6 @@ push(@other_curves, 'SM2') + if !disabled("sm2"); + + my @curve_aliases = qw( +- P-192 + P-224 + P-256 + P-384 diff --git a/openssl-1.1.1-edk2-build.patch b/openssl-1.1.1-edk2-build.patch new file mode 100644 index 0000000..b13708e --- /dev/null +++ b/openssl-1.1.1-edk2-build.patch @@ -0,0 +1,57 @@ +diff -up openssl-1.1.1g/crypto/evp/pkey_kdf.c.edk2-build openssl-1.1.1g/crypto/evp/pkey_kdf.c +--- openssl-1.1.1g/crypto/evp/pkey_kdf.c.edk2-build 2020-05-18 12:55:53.299548432 +0200 ++++ openssl-1.1.1g/crypto/evp/pkey_kdf.c 2020-05-18 12:55:53.340548788 +0200 +@@ -12,6 +12,7 @@ + #include + #include + #include ++#include "internal/numbers.h" + #include "crypto/evp.h" + + static int pkey_kdf_init(EVP_PKEY_CTX *ctx) +diff -up openssl-1.1.1g/crypto/kdf/hkdf.c.edk2-build openssl-1.1.1g/crypto/kdf/hkdf.c +--- openssl-1.1.1g/crypto/kdf/hkdf.c.edk2-build 2020-05-18 12:55:53.340548788 +0200 ++++ openssl-1.1.1g/crypto/kdf/hkdf.c 2020-05-18 12:57:18.648288904 +0200 +@@ -13,6 +13,7 @@ + #include + #include + #include ++#include "internal/numbers.h" + #include "internal/cryptlib.h" + #include "crypto/evp.h" + #include "kdf_local.h" +diff -up openssl-1.1.1g/crypto/rand/rand_unix.c.edk2-build openssl-1.1.1g/crypto/rand/rand_unix.c +--- openssl-1.1.1g/crypto/rand/rand_unix.c.edk2-build 2020-05-18 12:56:05.646655554 +0200 ++++ openssl-1.1.1g/crypto/rand/rand_unix.c 2020-05-18 12:58:51.088090896 +0200 +@@ -20,7 +20,7 @@ + #include "crypto/fips.h" + #include + #include "internal/dso.h" +-#ifdef __linux ++#if defined(__linux) && !defined(OPENSSL_SYS_UEFI) + # include + # include + # ifdef DEVRANDOM_WAIT +diff -up openssl-1.1.1g/include/crypto/fips.h.edk2-build openssl-1.1.1g/include/crypto/fips.h +--- openssl-1.1.1g/include/crypto/fips.h.edk2-build 2020-05-18 12:55:53.296548406 +0200 ++++ openssl-1.1.1g/include/crypto/fips.h 2020-05-18 12:55:53.340548788 +0200 +@@ -50,10 +50,6 @@ + #include + #include + +-#ifndef OPENSSL_FIPS +-# error FIPS is disabled. +-#endif +- + #ifdef OPENSSL_FIPS + + int FIPS_module_mode_set(int onoff); +@@ -97,4 +93,8 @@ void fips_set_selftest_fail(void); + + void FIPS_get_timevec(unsigned char *buf, unsigned long *pctr); + ++#else ++ ++# define fips_in_post() 0 ++ + #endif diff --git a/openssl-1.1.1-evp-kdf.patch b/openssl-1.1.1-evp-kdf.patch index 6a73a61..6145753 100644 --- a/openssl-1.1.1-evp-kdf.patch +++ b/openssl-1.1.1-evp-kdf.patch @@ -1,7 +1,7 @@ -diff -up openssl-1.1.1b/crypto/err/openssl.txt.evp-kdf openssl-1.1.1b/crypto/err/openssl.txt ---- openssl-1.1.1b/crypto/err/openssl.txt.evp-kdf 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/err/openssl.txt 2019-02-28 13:05:05.651521474 +0100 -@@ -743,6 +743,9 @@ EVP_F_EVP_DIGESTINIT_EX:128:EVP_DigestIn +diff -up openssl-1.1.1j/crypto/err/openssl.txt.evp-kdf openssl-1.1.1j/crypto/err/openssl.txt +--- openssl-1.1.1j/crypto/err/openssl.txt.evp-kdf 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/crypto/err/openssl.txt 2021-03-03 14:10:13.729466935 +0100 +@@ -748,6 +748,9 @@ EVP_F_EVP_DIGESTINIT_EX:128:EVP_DigestIn EVP_F_EVP_ENCRYPTDECRYPTUPDATE:219:evp_EncryptDecryptUpdate EVP_F_EVP_ENCRYPTFINAL_EX:127:EVP_EncryptFinal_ex EVP_F_EVP_ENCRYPTUPDATE:167:EVP_EncryptUpdate @@ -11,7 +11,7 @@ diff -up openssl-1.1.1b/crypto/err/openssl.txt.evp-kdf openssl-1.1.1b/crypto/err EVP_F_EVP_MD_CTX_COPY_EX:110:EVP_MD_CTX_copy_ex EVP_F_EVP_MD_SIZE:162:EVP_MD_size EVP_F_EVP_OPENINIT:102:EVP_OpenInit -@@ -805,11 +808,30 @@ EVP_F_PKCS5_PBE_KEYIVGEN:117:PKCS5_PBE_k +@@ -810,12 +813,31 @@ EVP_F_PKCS5_PBE_KEYIVGEN:117:PKCS5_PBE_k EVP_F_PKCS5_V2_PBE_KEYIVGEN:118:PKCS5_v2_PBE_keyivgen EVP_F_PKCS5_V2_PBKDF2_KEYIVGEN:164:PKCS5_v2_PBKDF2_keyivgen EVP_F_PKCS5_V2_SCRYPT_KEYIVGEN:180:PKCS5_v2_scrypt_keyivgen @@ -19,6 +19,7 @@ diff -up openssl-1.1.1b/crypto/err/openssl.txt.evp-kdf openssl-1.1.1b/crypto/err EVP_F_PKEY_SET_TYPE:158:pkey_set_type EVP_F_RC2_MAGIC_TO_METH:109:rc2_magic_to_meth EVP_F_RC5_CTRL:125:rc5_ctrl + EVP_F_R_32_12_16_INIT_KEY:242:r_32_12_16_init_key EVP_F_S390X_AES_GCM_CTRL:201:s390x_aes_gcm_ctrl +EVP_F_SCRYPT_ALG:228:scrypt_alg EVP_F_UPDATE:173:update @@ -42,7 +43,7 @@ diff -up openssl-1.1.1b/crypto/err/openssl.txt.evp-kdf openssl-1.1.1b/crypto/err KDF_F_PKEY_HKDF_CTRL_STR:103:pkey_hkdf_ctrl_str KDF_F_PKEY_HKDF_DERIVE:102:pkey_hkdf_derive KDF_F_PKEY_HKDF_INIT:108:pkey_hkdf_init -@@ -821,6 +843,7 @@ KDF_F_PKEY_SCRYPT_SET_MEMBUF:107:pkey_sc +@@ -827,6 +849,7 @@ KDF_F_PKEY_SCRYPT_SET_MEMBUF:107:pkey_sc KDF_F_PKEY_TLS1_PRF_CTRL_STR:100:pkey_tls1_prf_ctrl_str KDF_F_PKEY_TLS1_PRF_DERIVE:101:pkey_tls1_prf_derive KDF_F_PKEY_TLS1_PRF_INIT:110:pkey_tls1_prf_init @@ -50,15 +51,15 @@ diff -up openssl-1.1.1b/crypto/err/openssl.txt.evp-kdf openssl-1.1.1b/crypto/err KDF_F_TLS1_PRF_ALG:111:tls1_prf_alg OBJ_F_OBJ_ADD_OBJECT:105:OBJ_add_object OBJ_F_OBJ_ADD_SIGID:107:OBJ_add_sigid -@@ -2264,6 +2287,7 @@ EVP_R_ONLY_ONESHOT_SUPPORTED:177:only on - EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE:150:\ +@@ -2284,6 +2307,7 @@ EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_K operation not supported for this keytype EVP_R_OPERATON_NOT_INITIALIZED:151:operaton not initialized + EVP_R_OUTPUT_WOULD_OVERFLOW:184:output would overflow +EVP_R_PARAMETER_TOO_LARGE:187:parameter too large EVP_R_PARTIALLY_OVERLAPPING:162:partially overlapping buffers EVP_R_PBKDF2_ERROR:181:pbkdf2 error EVP_R_PKEY_APPLICATION_ASN1_METHOD_ALREADY_REGISTERED:179:\ -@@ -2299,6 +2323,7 @@ KDF_R_MISSING_SEED:106:missing seed +@@ -2320,6 +2344,7 @@ KDF_R_MISSING_SEED:106:missing seed KDF_R_UNKNOWN_PARAMETER_TYPE:103:unknown parameter type KDF_R_VALUE_ERROR:108:value error KDF_R_VALUE_MISSING:102:value missing @@ -66,9 +67,9 @@ diff -up openssl-1.1.1b/crypto/err/openssl.txt.evp-kdf openssl-1.1.1b/crypto/err OBJ_R_OID_EXISTS:102:oid exists OBJ_R_UNKNOWN_NID:101:unknown nid OCSP_R_CERTIFICATE_VERIFY_ERROR:101:certificate verify error -diff -up openssl-1.1.1b/crypto/evp/build.info.evp-kdf openssl-1.1.1b/crypto/evp/build.info ---- openssl-1.1.1b/crypto/evp/build.info.evp-kdf 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/evp/build.info 2019-02-28 13:05:05.651521474 +0100 +diff -up openssl-1.1.1j/crypto/evp/build.info.evp-kdf openssl-1.1.1j/crypto/evp/build.info +--- openssl-1.1.1j/crypto/evp/build.info.evp-kdf 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/crypto/evp/build.info 2021-03-03 14:08:02.490294839 +0100 @@ -9,7 +9,8 @@ SOURCE[../../libcrypto]=\ p_open.c p_seal.c p_sign.c p_verify.c p_lib.c p_enc.c p_dec.c \ bio_md.c bio_b64.c bio_enc.c evp_err.c e_null.c \ @@ -79,44 +80,37 @@ diff -up openssl-1.1.1b/crypto/evp/build.info.evp-kdf openssl-1.1.1b/crypto/evp/ e_old.c pmeth_lib.c pmeth_fn.c pmeth_gn.c m_sigver.c \ e_aes_cbc_hmac_sha1.c e_aes_cbc_hmac_sha256.c e_rc4_hmac_md5.c \ e_chacha20_poly1305.c cmeth_lib.c -diff -up openssl-1.1.1b/crypto/evp/e_chacha20_poly1305.c.evp-kdf openssl-1.1.1b/crypto/evp/e_chacha20_poly1305.c ---- openssl-1.1.1b/crypto/evp/e_chacha20_poly1305.c.evp-kdf 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/evp/e_chacha20_poly1305.c 2019-02-28 13:05:05.651521474 +0100 -@@ -14,8 +14,8 @@ +diff -up openssl-1.1.1j/crypto/evp/e_chacha20_poly1305.c.evp-kdf openssl-1.1.1j/crypto/evp/e_chacha20_poly1305.c +--- openssl-1.1.1j/crypto/evp/e_chacha20_poly1305.c.evp-kdf 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/crypto/evp/e_chacha20_poly1305.c 2021-03-03 14:08:02.490294839 +0100 +@@ -14,9 +14,9 @@ # include # include --# include "evp_locl.h" - # include "internal/evp_int.h" -+# include "evp_locl.h" - # include "internal/chacha.h" +-# include "evp_local.h" + # include "crypto/evp.h" + # include "crypto/chacha.h" ++# include "evp_local.h" typedef struct { -diff -up openssl-1.1.1b/crypto/evp/encode.c.evp-kdf openssl-1.1.1b/crypto/evp/encode.c ---- openssl-1.1.1b/crypto/evp/encode.c.evp-kdf 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/evp/encode.c 2019-02-28 13:05:05.651521474 +0100 + union { +diff -up openssl-1.1.1j/crypto/evp/encode.c.evp-kdf openssl-1.1.1j/crypto/evp/encode.c +--- openssl-1.1.1j/crypto/evp/encode.c.evp-kdf 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/crypto/evp/encode.c 2021-03-03 14:08:02.491294847 +0100 @@ -11,8 +11,8 @@ #include #include "internal/cryptlib.h" #include --#include "evp_locl.h" - #include "internal/evp_int.h" -+#include "evp_locl.h" +-#include "evp_local.h" + #include "crypto/evp.h" ++#include "evp_local.h" static unsigned char conv_ascii2bin(unsigned char a, const unsigned char *table); -diff -up openssl-1.1.1b/crypto/evp/evp_err.c.evp-kdf openssl-1.1.1b/crypto/evp/evp_err.c ---- openssl-1.1.1b/crypto/evp/evp_err.c.evp-kdf 2019-02-28 13:05:05.617522103 +0100 -+++ openssl-1.1.1b/crypto/evp/evp_err.c 2019-02-28 13:05:05.651521474 +0100 -@@ -1,6 +1,6 @@ - /* - * Generated by util/mkerr.pl DO NOT EDIT -- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. -+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy -@@ -56,6 +56,9 @@ static const ERR_STRING_DATA EVP_str_fun +diff -up openssl-1.1.1j/crypto/evp/evp_err.c.evp-kdf openssl-1.1.1j/crypto/evp/evp_err.c +--- openssl-1.1.1j/crypto/evp/evp_err.c.evp-kdf 2021-03-03 14:08:02.469294651 +0100 ++++ openssl-1.1.1j/crypto/evp/evp_err.c 2021-03-03 14:12:08.272351600 +0100 +@@ -60,6 +60,9 @@ static const ERR_STRING_DATA EVP_str_fun {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_ENCRYPTFINAL_EX, 0), "EVP_EncryptFinal_ex"}, {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_ENCRYPTUPDATE, 0), "EVP_EncryptUpdate"}, @@ -126,7 +120,7 @@ diff -up openssl-1.1.1b/crypto/evp/evp_err.c.evp-kdf openssl-1.1.1b/crypto/evp/e {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_MD_CTX_COPY_EX, 0), "EVP_MD_CTX_copy_ex"}, {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_MD_SIZE, 0), "EVP_MD_size"}, {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_OPENINIT, 0), "EVP_OpenInit"}, -@@ -147,10 +150,12 @@ static const ERR_STRING_DATA EVP_str_fun +@@ -151,12 +154,14 @@ static const ERR_STRING_DATA EVP_str_fun "PKCS5_v2_PBKDF2_keyivgen"}, {ERR_PACK(ERR_LIB_EVP, EVP_F_PKCS5_V2_SCRYPT_KEYIVGEN, 0), "PKCS5_v2_scrypt_keyivgen"}, @@ -134,23 +128,25 @@ diff -up openssl-1.1.1b/crypto/evp/evp_err.c.evp-kdf openssl-1.1.1b/crypto/evp/e {ERR_PACK(ERR_LIB_EVP, EVP_F_PKEY_SET_TYPE, 0), "pkey_set_type"}, {ERR_PACK(ERR_LIB_EVP, EVP_F_RC2_MAGIC_TO_METH, 0), "rc2_magic_to_meth"}, {ERR_PACK(ERR_LIB_EVP, EVP_F_RC5_CTRL, 0), "rc5_ctrl"}, + {ERR_PACK(ERR_LIB_EVP, EVP_F_R_32_12_16_INIT_KEY, 0), + "r_32_12_16_init_key"}, {ERR_PACK(ERR_LIB_EVP, EVP_F_S390X_AES_GCM_CTRL, 0), "s390x_aes_gcm_ctrl"}, + {ERR_PACK(ERR_LIB_EVP, EVP_F_SCRYPT_ALG, 0), "scrypt_alg"}, {ERR_PACK(ERR_LIB_EVP, EVP_F_UPDATE, 0), "update"}, {0, NULL} }; -@@ -233,6 +238,8 @@ static const ERR_STRING_DATA EVP_str_rea - "operation not supported for this keytype"}, - {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_OPERATON_NOT_INITIALIZED), +@@ -243,6 +248,8 @@ static const ERR_STRING_DATA EVP_str_rea "operaton not initialized"}, + {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_OUTPUT_WOULD_OVERFLOW), + "output would overflow"}, + {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PARAMETER_TOO_LARGE), + "parameter too large"}, {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PARTIALLY_OVERLAPPING), "partially overlapping buffers"}, {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PBKDF2_ERROR), "pbkdf2 error"}, -diff -up openssl-1.1.1b/crypto/evp/evp_locl.h.evp-kdf openssl-1.1.1b/crypto/evp/evp_locl.h ---- openssl-1.1.1b/crypto/evp/evp_locl.h.evp-kdf 2019-02-28 13:05:05.253528831 +0100 -+++ openssl-1.1.1b/crypto/evp/evp_locl.h 2019-02-28 13:05:05.652521456 +0100 +diff -up openssl-1.1.1j/crypto/evp/evp_local.h.evp-kdf openssl-1.1.1j/crypto/evp/evp_local.h +--- openssl-1.1.1j/crypto/evp/evp_local.h.evp-kdf 2021-03-03 14:08:02.362293695 +0100 ++++ openssl-1.1.1j/crypto/evp/evp_local.h 2021-03-03 14:08:02.491294847 +0100 @@ -41,6 +41,11 @@ struct evp_cipher_ctx_st { unsigned char final[EVP_MAX_BLOCK_LENGTH]; /* possible final block */ } /* EVP_CIPHER_CTX */ ; @@ -163,20 +159,20 @@ diff -up openssl-1.1.1b/crypto/evp/evp_locl.h.evp-kdf openssl-1.1.1b/crypto/evp/ int PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen, ASN1_TYPE *param, const EVP_CIPHER *c, const EVP_MD *md, -diff -up openssl-1.1.1b/crypto/evp/evp_pbe.c.evp-kdf openssl-1.1.1b/crypto/evp/evp_pbe.c ---- openssl-1.1.1b/crypto/evp/evp_pbe.c.evp-kdf 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/evp/evp_pbe.c 2019-02-28 13:05:05.652521456 +0100 +diff -up openssl-1.1.1j/crypto/evp/evp_pbe.c.evp-kdf openssl-1.1.1j/crypto/evp/evp_pbe.c +--- openssl-1.1.1j/crypto/evp/evp_pbe.c.evp-kdf 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/crypto/evp/evp_pbe.c 2021-03-03 14:08:02.491294847 +0100 @@ -12,6 +12,7 @@ #include #include #include -+#include "internal/evp_int.h" - #include "evp_locl.h" ++#include "crypto/evp.h" + #include "evp_local.h" /* Password based encryption (PBE) functions */ -diff -up openssl-1.1.1b/crypto/evp/kdf_lib.c.evp-kdf openssl-1.1.1b/crypto/evp/kdf_lib.c ---- openssl-1.1.1b/crypto/evp/kdf_lib.c.evp-kdf 2019-02-28 13:05:05.652521456 +0100 -+++ openssl-1.1.1b/crypto/evp/kdf_lib.c 2019-02-28 13:05:05.652521456 +0100 +diff -up openssl-1.1.1j/crypto/evp/kdf_lib.c.evp-kdf openssl-1.1.1j/crypto/evp/kdf_lib.c +--- openssl-1.1.1j/crypto/evp/kdf_lib.c.evp-kdf 2021-03-03 14:08:02.491294847 +0100 ++++ openssl-1.1.1j/crypto/evp/kdf_lib.c 2021-03-03 14:08:02.491294847 +0100 @@ -0,0 +1,165 @@ +/* + * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. @@ -195,10 +191,10 @@ diff -up openssl-1.1.1b/crypto/evp/kdf_lib.c.evp-kdf openssl-1.1.1b/crypto/evp/k +#include +#include +#include -+#include "internal/asn1_int.h" -+#include "internal/evp_int.h" ++#include "crypto/asn1.h" ++#include "crypto/evp.h" +#include "internal/numbers.h" -+#include "evp_locl.h" ++#include "evp_local.h" + +typedef int sk_cmp_fn_type(const char *const *a, const char *const *b); + @@ -343,9 +339,9 @@ diff -up openssl-1.1.1b/crypto/evp/kdf_lib.c.evp-kdf openssl-1.1.1b/crypto/evp/k + return ctx->kmeth->derive(ctx->impl, key, keylen); +} + -diff -up openssl-1.1.1b/crypto/evp/p5_crpt2.c.evp-kdf openssl-1.1.1b/crypto/evp/p5_crpt2.c ---- openssl-1.1.1b/crypto/evp/p5_crpt2.c.evp-kdf 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/evp/p5_crpt2.c 2019-02-28 13:05:05.652521456 +0100 +diff -up openssl-1.1.1j/crypto/evp/p5_crpt2.c.evp-kdf openssl-1.1.1j/crypto/evp/p5_crpt2.c +--- openssl-1.1.1j/crypto/evp/p5_crpt2.c.evp-kdf 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/crypto/evp/p5_crpt2.c 2021-03-03 14:08:02.491294847 +0100 @@ -1,5 +1,5 @@ /* - * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved. @@ -360,13 +356,13 @@ diff -up openssl-1.1.1b/crypto/evp/p5_crpt2.c.evp-kdf openssl-1.1.1b/crypto/evp/ -# include -# include -# include --# include "evp_locl.h" +-# include "evp_local.h" +#include +#include +#include +#include -+#include "internal/evp_int.h" -+#include "evp_locl.h" ++#include "crypto/evp.h" ++#include "evp_local.h" /* set this to print out info about the keygen algorithm */ /* #define OPENSSL_DEBUG_PKCS5V2 */ @@ -494,9 +490,9 @@ diff -up openssl-1.1.1b/crypto/evp/p5_crpt2.c.evp-kdf openssl-1.1.1b/crypto/evp/ } int PKCS5_PBKDF2_HMAC_SHA1(const char *pass, int passlen, -diff -up openssl-1.1.1b/crypto/evp/pbe_scrypt.c.evp-kdf openssl-1.1.1b/crypto/evp/pbe_scrypt.c ---- openssl-1.1.1b/crypto/evp/pbe_scrypt.c.evp-kdf 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/evp/pbe_scrypt.c 2019-02-28 13:33:18.446264056 +0100 +diff -up openssl-1.1.1j/crypto/evp/pbe_scrypt.c.evp-kdf openssl-1.1.1j/crypto/evp/pbe_scrypt.c +--- openssl-1.1.1j/crypto/evp/pbe_scrypt.c.evp-kdf 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/crypto/evp/pbe_scrypt.c 2021-03-03 14:08:02.491294847 +0100 @@ -7,135 +7,12 @@ * https://www.openssl.org/source/license.html */ @@ -682,9 +678,11 @@ diff -up openssl-1.1.1b/crypto/evp/pbe_scrypt.c.evp-kdf openssl-1.1.1b/crypto/ev - */ - if (Blen > INT_MAX) { - EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED); -- return 0; -- } -- ++ if (r > UINT32_MAX || p > UINT32_MAX) { ++ EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_PARAMETER_TOO_LARGE); + return 0; + } + - /* - * Check 32 * r * (N + 2) * sizeof(uint32_t) fits in uint64_t - * This is combined size V, X and T (section 4) @@ -692,21 +690,18 @@ diff -up openssl-1.1.1b/crypto/evp/pbe_scrypt.c.evp-kdf openssl-1.1.1b/crypto/ev - i = UINT64_MAX / (32 * sizeof(uint32_t)); - if (N + 2 > i / r) { - EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED); -+ if (r > UINT32_MAX || p > UINT32_MAX) { -+ EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_PARAMETER_TOO_LARGE); - return 0; +- return 0; ++ /* Maintain existing behaviour. */ ++ if (pass == NULL) { ++ pass = empty; ++ passlen = 0; } - Vlen = 32 * r * (N + 2) * sizeof(uint32_t); - +- - /* check total allocated size fits in uint64_t */ - if (Blen > UINT64_MAX - Vlen) { - EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED); - return 0; -+ /* Maintain existing behaviour. */ -+ if (pass == NULL) { -+ pass = empty; -+ passlen = 0; -+ } + if (salt == NULL) { + salt = (const unsigned char *)empty; + saltlen = 0; @@ -768,9 +763,9 @@ diff -up openssl-1.1.1b/crypto/evp/pbe_scrypt.c.evp-kdf openssl-1.1.1b/crypto/ev } + #endif -diff -up openssl-1.1.1b/crypto/evp/pkey_kdf.c.evp-kdf openssl-1.1.1b/crypto/evp/pkey_kdf.c ---- openssl-1.1.1b/crypto/evp/pkey_kdf.c.evp-kdf 2019-02-28 13:05:05.653521437 +0100 -+++ openssl-1.1.1b/crypto/evp/pkey_kdf.c 2019-02-28 13:05:05.653521437 +0100 +diff -up openssl-1.1.1j/crypto/evp/pkey_kdf.c.evp-kdf openssl-1.1.1j/crypto/evp/pkey_kdf.c +--- openssl-1.1.1j/crypto/evp/pkey_kdf.c.evp-kdf 2021-03-03 14:08:02.491294847 +0100 ++++ openssl-1.1.1j/crypto/evp/pkey_kdf.c 2021-03-03 14:08:02.491294847 +0100 @@ -0,0 +1,255 @@ +/* + * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. @@ -786,7 +781,7 @@ diff -up openssl-1.1.1b/crypto/evp/pkey_kdf.c.evp-kdf openssl-1.1.1b/crypto/evp/ +#include +#include +#include -+#include "internal/evp_int.h" ++#include "crypto/evp.h" + +static int pkey_kdf_init(EVP_PKEY_CTX *ctx) +{ @@ -1027,45 +1022,17 @@ diff -up openssl-1.1.1b/crypto/evp/pkey_kdf.c.evp-kdf openssl-1.1.1b/crypto/evp/ + pkey_kdf_ctrl_str +}; + -diff -up openssl-1.1.1b/crypto/include/internal/evp_int.h.evp-kdf openssl-1.1.1b/crypto/include/internal/evp_int.h ---- openssl-1.1.1b/crypto/include/internal/evp_int.h.evp-kdf 2019-02-28 13:05:05.304527888 +0100 -+++ openssl-1.1.1b/crypto/include/internal/evp_int.h 2019-02-28 13:05:05.653521437 +0100 -@@ -112,6 +112,24 @@ extern const EVP_PKEY_METHOD hkdf_pkey_m - extern const EVP_PKEY_METHOD poly1305_pkey_meth; - extern const EVP_PKEY_METHOD siphash_pkey_meth; - -+/* struct evp_kdf_impl_st is defined by the implementation */ -+typedef struct evp_kdf_impl_st EVP_KDF_IMPL; -+typedef struct { -+ int type; -+ EVP_KDF_IMPL *(*new) (void); -+ void (*free) (EVP_KDF_IMPL *impl); -+ void (*reset) (EVP_KDF_IMPL *impl); -+ int (*ctrl) (EVP_KDF_IMPL *impl, int cmd, va_list args); -+ int (*ctrl_str) (EVP_KDF_IMPL *impl, const char *type, const char *value); -+ size_t (*size) (EVP_KDF_IMPL *impl); -+ int (*derive) (EVP_KDF_IMPL *impl, unsigned char *key, size_t keylen); -+} EVP_KDF_METHOD; -+ -+extern const EVP_KDF_METHOD pbkdf2_kdf_meth; -+extern const EVP_KDF_METHOD scrypt_kdf_meth; -+extern const EVP_KDF_METHOD tls1_prf_kdf_meth; -+extern const EVP_KDF_METHOD hkdf_kdf_meth; -+ - struct evp_md_st { - int type; - int pkey_type; -diff -up openssl-1.1.1b/crypto/kdf/build.info.evp-kdf openssl-1.1.1b/crypto/kdf/build.info ---- openssl-1.1.1b/crypto/kdf/build.info.evp-kdf 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/kdf/build.info 2019-02-28 13:05:05.653521437 +0100 +diff -up openssl-1.1.1j/crypto/kdf/build.info.evp-kdf openssl-1.1.1j/crypto/kdf/build.info +--- openssl-1.1.1j/crypto/kdf/build.info.evp-kdf 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/crypto/kdf/build.info 2021-03-03 14:08:02.491294847 +0100 @@ -1,3 +1,3 @@ LIBS=../../libcrypto SOURCE[../../libcrypto]=\ - tls1_prf.c kdf_err.c hkdf.c scrypt.c + tls1_prf.c kdf_err.c kdf_util.c hkdf.c scrypt.c pbkdf2.c -diff -up openssl-1.1.1b/crypto/kdf/hkdf.c.evp-kdf openssl-1.1.1b/crypto/kdf/hkdf.c ---- openssl-1.1.1b/crypto/kdf/hkdf.c.evp-kdf 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/kdf/hkdf.c 2019-02-28 13:05:05.653521437 +0100 +diff -up openssl-1.1.1j/crypto/kdf/hkdf.c.evp-kdf openssl-1.1.1j/crypto/kdf/hkdf.c +--- openssl-1.1.1j/crypto/kdf/hkdf.c.evp-kdf 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/crypto/kdf/hkdf.c 2021-03-03 14:08:02.492294856 +0100 @@ -8,32 +8,33 @@ */ @@ -1073,11 +1040,10 @@ diff -up openssl-1.1.1b/crypto/kdf/hkdf.c.evp-kdf openssl-1.1.1b/crypto/kdf/hkdf +#include #include #include --#include + #include #include -+#include #include "internal/cryptlib.h" - #include "internal/evp_int.h" + #include "crypto/evp.h" +#include "kdf_local.h" #define HKDF_MAXBUF 1024 @@ -1198,18 +1164,18 @@ diff -up openssl-1.1.1b/crypto/kdf/hkdf.c.evp-kdf openssl-1.1.1b/crypto/kdf/hkdf return 1; - if (p1 < 0) -- return 0; -- -- if (kctx->salt != NULL) -- OPENSSL_clear_free(kctx->salt, kctx->salt_len); -- -- kctx->salt = OPENSSL_memdup(p2, p1); -- if (kctx->salt == NULL) + OPENSSL_free(impl->salt); + impl->salt = OPENSSL_memdup(p, len); + if (impl->salt == NULL) return 0; +- if (kctx->salt != NULL) +- OPENSSL_clear_free(kctx->salt, kctx->salt_len); +- +- kctx->salt = OPENSSL_memdup(p2, p1); +- if (kctx->salt == NULL) +- return 0; +- - kctx->salt_len = p1; + impl->salt_len = len; return 1; @@ -1327,14 +1293,14 @@ diff -up openssl-1.1.1b/crypto/kdf/hkdf.c.evp-kdf openssl-1.1.1b/crypto/kdf/hkdf +static size_t kdf_hkdf_size(EVP_KDF_IMPL *impl) { - HKDF_PKEY_CTX *kctx = ctx->data; -- ++ if (impl->mode != EVP_KDF_HKDF_MODE_EXTRACT_ONLY) ++ return SIZE_MAX; + - OPENSSL_clear_free(kctx->key, kctx->key_len); - OPENSSL_clear_free(kctx->salt, kctx->salt_len); - OPENSSL_cleanse(kctx->info, kctx->info_len); - memset(kctx, 0, sizeof(*kctx)); -+ if (impl->mode != EVP_KDF_HKDF_MODE_EXTRACT_ONLY) -+ return SIZE_MAX; - +- - return 1; + if (impl->md == NULL) { + KDFerr(KDF_F_KDF_HKDF_SIZE, KDF_R_MISSING_MESSAGE_DIGEST); @@ -1532,9 +1498,9 @@ diff -up openssl-1.1.1b/crypto/kdf/hkdf.c.evp-kdf openssl-1.1.1b/crypto/kdf/hkdf err: OPENSSL_cleanse(prev, sizeof(prev)); -diff -up openssl-1.1.1b/crypto/kdf/kdf_err.c.evp-kdf openssl-1.1.1b/crypto/kdf/kdf_err.c ---- openssl-1.1.1b/crypto/kdf/kdf_err.c.evp-kdf 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/kdf/kdf_err.c 2019-02-28 13:05:05.654521419 +0100 +diff -up openssl-1.1.1j/crypto/kdf/kdf_err.c.evp-kdf openssl-1.1.1j/crypto/kdf/kdf_err.c +--- openssl-1.1.1j/crypto/kdf/kdf_err.c.evp-kdf 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/crypto/kdf/kdf_err.c 2021-03-03 14:08:02.492294856 +0100 @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT @@ -1590,9 +1556,9 @@ diff -up openssl-1.1.1b/crypto/kdf/kdf_err.c.evp-kdf openssl-1.1.1b/crypto/kdf/k {0, NULL} }; -diff -up openssl-1.1.1b/crypto/kdf/kdf_local.h.evp-kdf openssl-1.1.1b/crypto/kdf/kdf_local.h ---- openssl-1.1.1b/crypto/kdf/kdf_local.h.evp-kdf 2019-02-28 13:05:05.654521419 +0100 -+++ openssl-1.1.1b/crypto/kdf/kdf_local.h 2019-02-28 13:05:05.654521419 +0100 +diff -up openssl-1.1.1j/crypto/kdf/kdf_local.h.evp-kdf openssl-1.1.1j/crypto/kdf/kdf_local.h +--- openssl-1.1.1j/crypto/kdf/kdf_local.h.evp-kdf 2021-03-03 14:08:02.492294856 +0100 ++++ openssl-1.1.1j/crypto/kdf/kdf_local.h 2021-03-03 14:08:02.492294856 +0100 @@ -0,0 +1,22 @@ +/* + * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. @@ -1616,9 +1582,9 @@ diff -up openssl-1.1.1b/crypto/kdf/kdf_local.h.evp-kdf openssl-1.1.1b/crypto/kdf + int (*ctrl)(EVP_KDF_IMPL *impl, int cmd, va_list args), + int cmd, const char *md_name); + -diff -up openssl-1.1.1b/crypto/kdf/kdf_util.c.evp-kdf openssl-1.1.1b/crypto/kdf/kdf_util.c ---- openssl-1.1.1b/crypto/kdf/kdf_util.c.evp-kdf 2019-02-28 13:05:05.654521419 +0100 -+++ openssl-1.1.1b/crypto/kdf/kdf_util.c 2019-02-28 13:05:05.654521419 +0100 +diff -up openssl-1.1.1j/crypto/kdf/kdf_util.c.evp-kdf openssl-1.1.1j/crypto/kdf/kdf_util.c +--- openssl-1.1.1j/crypto/kdf/kdf_util.c.evp-kdf 2021-03-03 14:08:02.492294856 +0100 ++++ openssl-1.1.1j/crypto/kdf/kdf_util.c 2021-03-03 14:08:02.492294856 +0100 @@ -0,0 +1,73 @@ +/* + * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. @@ -1635,7 +1601,7 @@ diff -up openssl-1.1.1b/crypto/kdf/kdf_util.c.evp-kdf openssl-1.1.1b/crypto/kdf/ +#include +#include +#include "internal/cryptlib.h" -+#include "internal/evp_int.h" ++#include "crypto/evp.h" +#include "internal/numbers.h" +#include "kdf_local.h" + @@ -1693,9 +1659,9 @@ diff -up openssl-1.1.1b/crypto/kdf/kdf_util.c.evp-kdf openssl-1.1.1b/crypto/kdf/ + return call_ctrl(ctrl, impl, cmd, md); +} + -diff -up openssl-1.1.1b/crypto/kdf/pbkdf2.c.evp-kdf openssl-1.1.1b/crypto/kdf/pbkdf2.c ---- openssl-1.1.1b/crypto/kdf/pbkdf2.c.evp-kdf 2019-02-28 13:05:05.654521419 +0100 -+++ openssl-1.1.1b/crypto/kdf/pbkdf2.c 2019-02-28 13:05:05.654521419 +0100 +diff -up openssl-1.1.1j/crypto/kdf/pbkdf2.c.evp-kdf openssl-1.1.1j/crypto/kdf/pbkdf2.c +--- openssl-1.1.1j/crypto/kdf/pbkdf2.c.evp-kdf 2021-03-03 14:08:02.492294856 +0100 ++++ openssl-1.1.1j/crypto/kdf/pbkdf2.c 2021-03-03 14:08:02.492294856 +0100 @@ -0,0 +1,264 @@ +/* + * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. @@ -1713,7 +1679,7 @@ diff -up openssl-1.1.1b/crypto/kdf/pbkdf2.c.evp-kdf openssl-1.1.1b/crypto/kdf/pb +#include +#include +#include "internal/cryptlib.h" -+#include "internal/evp_int.h" ++#include "crypto/evp.h" +#include "kdf_local.h" + +static void kdf_pbkdf2_reset(EVP_KDF_IMPL *impl); @@ -1961,22 +1927,21 @@ diff -up openssl-1.1.1b/crypto/kdf/pbkdf2.c.evp-kdf openssl-1.1.1b/crypto/kdf/pb + HMAC_CTX_free(hctx_tpl); + return ret; +} -diff -up openssl-1.1.1b/crypto/kdf/scrypt.c.evp-kdf openssl-1.1.1b/crypto/kdf/scrypt.c ---- openssl-1.1.1b/crypto/kdf/scrypt.c.evp-kdf 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/kdf/scrypt.c 2019-02-28 13:05:05.655521400 +0100 -@@ -8,25 +8,34 @@ +diff -up openssl-1.1.1j/crypto/kdf/scrypt.c.evp-kdf openssl-1.1.1j/crypto/kdf/scrypt.c +--- openssl-1.1.1j/crypto/kdf/scrypt.c.evp-kdf 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/crypto/kdf/scrypt.c 2021-03-03 14:08:02.492294856 +0100 +@@ -8,25 +8,35 @@ */ #include +#include #include --#include --#include + #include + #include #include -#include "internal/cryptlib.h" -+#include +#include - #include "internal/evp_int.h" + #include "crypto/evp.h" +#include "internal/numbers.h" +#include "kdf_local.h" @@ -2005,7 +1970,7 @@ diff -up openssl-1.1.1b/crypto/kdf/scrypt.c.evp-kdf openssl-1.1.1b/crypto/kdf/sc /* Custom uint64_t parser since we do not have strtoull */ static int atou64(const char *nptr, uint64_t *result) -@@ -53,51 +62,53 @@ static int atou64(const char *nptr, uint +@@ -53,51 +63,53 @@ static int atou64(const char *nptr, uint return 1; } @@ -2090,7 +2055,7 @@ diff -up openssl-1.1.1b/crypto/kdf/scrypt.c.evp-kdf openssl-1.1.1b/crypto/kdf/sc if (new_buflen > 0) { *buffer = OPENSSL_memdup(new_buffer, new_buflen); -@@ -105,7 +116,7 @@ static int pkey_scrypt_set_membuf(unsign +@@ -105,7 +117,7 @@ static int pkey_scrypt_set_membuf(unsign *buffer = OPENSSL_malloc(1); } if (*buffer == NULL) { @@ -2099,7 +2064,7 @@ diff -up openssl-1.1.1b/crypto/kdf/scrypt.c.evp-kdf openssl-1.1.1b/crypto/kdf/sc return 0; } -@@ -118,149 +129,378 @@ static int is_power_of_two(uint64_t valu +@@ -118,149 +130,378 @@ static int is_power_of_two(uint64_t valu return (value != 0) && ((value & (value - 1)) == 0); } @@ -2552,9 +2517,9 @@ diff -up openssl-1.1.1b/crypto/kdf/scrypt.c.evp-kdf openssl-1.1.1b/crypto/kdf/sc +} #endif -diff -up openssl-1.1.1b/crypto/kdf/tls1_prf.c.evp-kdf openssl-1.1.1b/crypto/kdf/tls1_prf.c ---- openssl-1.1.1b/crypto/kdf/tls1_prf.c.evp-kdf 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/kdf/tls1_prf.c 2019-02-28 13:05:05.655521400 +0100 +diff -up openssl-1.1.1j/crypto/kdf/tls1_prf.c.evp-kdf openssl-1.1.1j/crypto/kdf/tls1_prf.c +--- openssl-1.1.1j/crypto/kdf/tls1_prf.c.evp-kdf 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/crypto/kdf/tls1_prf.c 2021-03-03 14:08:02.492294856 +0100 @@ -8,11 +8,15 @@ */ @@ -2562,10 +2527,9 @@ diff -up openssl-1.1.1b/crypto/kdf/tls1_prf.c.evp-kdf openssl-1.1.1b/crypto/kdf/ +#include +#include #include "internal/cryptlib.h" --#include + #include #include -+#include - #include "internal/evp_int.h" + #include "crypto/evp.h" +#include "kdf_local.h" +static void kdf_tls1_prf_reset(EVP_KDF_IMPL *impl); @@ -2665,15 +2629,15 @@ diff -up openssl-1.1.1b/crypto/kdf/tls1_prf.c.evp-kdf openssl-1.1.1b/crypto/kdf/ - kctx->seclen = p1; + + impl->seclen = len; ++ return 1; ++ ++ case EVP_KDF_CTRL_RESET_TLS_SEED: ++ OPENSSL_cleanse(impl->seed, impl->seedlen); ++ impl->seedlen = 0; return 1; - case EVP_PKEY_CTRL_TLS_SEED: - if (p1 == 0 || p2 == NULL) -+ case EVP_KDF_CTRL_RESET_TLS_SEED: -+ OPENSSL_cleanse(impl->seed, impl->seedlen); -+ impl->seedlen = 0; -+ return 1; -+ + case EVP_KDF_CTRL_ADD_TLS_SEED: + p = va_arg(args, const unsigned char *); + len = va_arg(args, size_t); @@ -2838,9 +2802,9 @@ diff -up openssl-1.1.1b/crypto/kdf/tls1_prf.c.evp-kdf openssl-1.1.1b/crypto/kdf/ OPENSSL_clear_free(tmp, olen); return 0; } -diff -up openssl-1.1.1b/doc/man3/EVP_KDF_CTX.pod.evp-kdf openssl-1.1.1b/doc/man3/EVP_KDF_CTX.pod ---- openssl-1.1.1b/doc/man3/EVP_KDF_CTX.pod.evp-kdf 2019-02-28 13:05:05.656521382 +0100 -+++ openssl-1.1.1b/doc/man3/EVP_KDF_CTX.pod 2019-02-28 13:05:05.655521400 +0100 +diff -up openssl-1.1.1j/doc/man3/EVP_KDF_CTX.pod.evp-kdf openssl-1.1.1j/doc/man3/EVP_KDF_CTX.pod +--- openssl-1.1.1j/doc/man3/EVP_KDF_CTX.pod.evp-kdf 2021-03-03 14:08:02.492294856 +0100 ++++ openssl-1.1.1j/doc/man3/EVP_KDF_CTX.pod 2021-03-03 14:08:02.492294856 +0100 @@ -0,0 +1,217 @@ +=pod + @@ -3059,9 +3023,9 @@ diff -up openssl-1.1.1b/doc/man3/EVP_KDF_CTX.pod.evp-kdf openssl-1.1.1b/doc/man3 +L. + +=cut -diff -up openssl-1.1.1b/doc/man7/EVP_KDF_HKDF.pod.evp-kdf openssl-1.1.1b/doc/man7/EVP_KDF_HKDF.pod ---- openssl-1.1.1b/doc/man7/EVP_KDF_HKDF.pod.evp-kdf 2019-02-28 13:05:05.656521382 +0100 -+++ openssl-1.1.1b/doc/man7/EVP_KDF_HKDF.pod 2019-02-28 13:05:05.656521382 +0100 +diff -up openssl-1.1.1j/doc/man7/EVP_KDF_HKDF.pod.evp-kdf openssl-1.1.1j/doc/man7/EVP_KDF_HKDF.pod +--- openssl-1.1.1j/doc/man7/EVP_KDF_HKDF.pod.evp-kdf 2021-03-03 14:08:02.493294865 +0100 ++++ openssl-1.1.1j/doc/man7/EVP_KDF_HKDF.pod 2021-03-03 14:08:02.493294865 +0100 @@ -0,0 +1,180 @@ +=pod + @@ -3243,9 +3207,9 @@ diff -up openssl-1.1.1b/doc/man7/EVP_KDF_HKDF.pod.evp-kdf openssl-1.1.1b/doc/man +L. + +=cut -diff -up openssl-1.1.1b/doc/man7/EVP_KDF_PBKDF2.pod.evp-kdf openssl-1.1.1b/doc/man7/EVP_KDF_PBKDF2.pod ---- openssl-1.1.1b/doc/man7/EVP_KDF_PBKDF2.pod.evp-kdf 2019-02-28 13:05:05.656521382 +0100 -+++ openssl-1.1.1b/doc/man7/EVP_KDF_PBKDF2.pod 2019-02-28 13:05:05.656521382 +0100 +diff -up openssl-1.1.1j/doc/man7/EVP_KDF_PBKDF2.pod.evp-kdf openssl-1.1.1j/doc/man7/EVP_KDF_PBKDF2.pod +--- openssl-1.1.1j/doc/man7/EVP_KDF_PBKDF2.pod.evp-kdf 2021-03-03 14:08:02.493294865 +0100 ++++ openssl-1.1.1j/doc/man7/EVP_KDF_PBKDF2.pod 2021-03-03 14:08:02.493294865 +0100 @@ -0,0 +1,78 @@ +=pod + @@ -3325,9 +3289,9 @@ diff -up openssl-1.1.1b/doc/man7/EVP_KDF_PBKDF2.pod.evp-kdf openssl-1.1.1b/doc/m +L. + +=cut -diff -up openssl-1.1.1b/doc/man7/EVP_KDF_SCRYPT.pod.evp-kdf openssl-1.1.1b/doc/man7/EVP_KDF_SCRYPT.pod ---- openssl-1.1.1b/doc/man7/EVP_KDF_SCRYPT.pod.evp-kdf 2019-02-28 13:05:05.656521382 +0100 -+++ openssl-1.1.1b/doc/man7/EVP_KDF_SCRYPT.pod 2019-02-28 13:05:05.656521382 +0100 +diff -up openssl-1.1.1j/doc/man7/EVP_KDF_SCRYPT.pod.evp-kdf openssl-1.1.1j/doc/man7/EVP_KDF_SCRYPT.pod +--- openssl-1.1.1j/doc/man7/EVP_KDF_SCRYPT.pod.evp-kdf 2021-03-03 14:08:02.493294865 +0100 ++++ openssl-1.1.1j/doc/man7/EVP_KDF_SCRYPT.pod 2021-03-03 14:08:02.493294865 +0100 @@ -0,0 +1,149 @@ +=pod + @@ -3478,9 +3442,9 @@ diff -up openssl-1.1.1b/doc/man7/EVP_KDF_SCRYPT.pod.evp-kdf openssl-1.1.1b/doc/m +L. + +=cut -diff -up openssl-1.1.1b/doc/man7/EVP_KDF_TLS1_PRF.pod.evp-kdf openssl-1.1.1b/doc/man7/EVP_KDF_TLS1_PRF.pod ---- openssl-1.1.1b/doc/man7/EVP_KDF_TLS1_PRF.pod.evp-kdf 2019-02-28 13:05:05.656521382 +0100 -+++ openssl-1.1.1b/doc/man7/EVP_KDF_TLS1_PRF.pod 2019-02-28 13:05:05.656521382 +0100 +diff -up openssl-1.1.1j/doc/man7/EVP_KDF_TLS1_PRF.pod.evp-kdf openssl-1.1.1j/doc/man7/EVP_KDF_TLS1_PRF.pod +--- openssl-1.1.1j/doc/man7/EVP_KDF_TLS1_PRF.pod.evp-kdf 2021-03-03 14:08:02.493294865 +0100 ++++ openssl-1.1.1j/doc/man7/EVP_KDF_TLS1_PRF.pod 2021-03-03 14:08:02.493294865 +0100 @@ -0,0 +1,142 @@ +=pod + @@ -3624,18 +3588,38 @@ diff -up openssl-1.1.1b/doc/man7/EVP_KDF_TLS1_PRF.pod.evp-kdf openssl-1.1.1b/doc +L. + +=cut -diff -up openssl-1.1.1b/include/openssl/evperr.h.evp-kdf openssl-1.1.1b/include/openssl/evperr.h ---- openssl-1.1.1b/include/openssl/evperr.h.evp-kdf 2019-02-28 13:05:05.633521807 +0100 -+++ openssl-1.1.1b/include/openssl/evperr.h 2019-02-28 13:05:05.657521363 +0100 -@@ -1,6 +1,6 @@ - /* - * Generated by util/mkerr.pl DO NOT EDIT -- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. -+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy -@@ -51,6 +51,9 @@ int ERR_load_EVP_strings(void); +diff -up openssl-1.1.1j/include/crypto/evp.h.evp-kdf openssl-1.1.1j/include/crypto/evp.h +--- openssl-1.1.1j/include/crypto/evp.h.evp-kdf 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/include/crypto/evp.h 2021-03-03 14:08:02.493294865 +0100 +@@ -112,6 +112,24 @@ extern const EVP_PKEY_METHOD hkdf_pkey_m + extern const EVP_PKEY_METHOD poly1305_pkey_meth; + extern const EVP_PKEY_METHOD siphash_pkey_meth; + ++/* struct evp_kdf_impl_st is defined by the implementation */ ++typedef struct evp_kdf_impl_st EVP_KDF_IMPL; ++typedef struct { ++ int type; ++ EVP_KDF_IMPL *(*new) (void); ++ void (*free) (EVP_KDF_IMPL *impl); ++ void (*reset) (EVP_KDF_IMPL *impl); ++ int (*ctrl) (EVP_KDF_IMPL *impl, int cmd, va_list args); ++ int (*ctrl_str) (EVP_KDF_IMPL *impl, const char *type, const char *value); ++ size_t (*size) (EVP_KDF_IMPL *impl); ++ int (*derive) (EVP_KDF_IMPL *impl, unsigned char *key, size_t keylen); ++} EVP_KDF_METHOD; ++ ++extern const EVP_KDF_METHOD pbkdf2_kdf_meth; ++extern const EVP_KDF_METHOD scrypt_kdf_meth; ++extern const EVP_KDF_METHOD tls1_prf_kdf_meth; ++extern const EVP_KDF_METHOD hkdf_kdf_meth; ++ + struct evp_md_st { + int type; + int pkey_type; +diff -up openssl-1.1.1j/include/openssl/evperr.h.evp-kdf openssl-1.1.1j/include/openssl/evperr.h +--- openssl-1.1.1j/include/openssl/evperr.h.evp-kdf 2021-03-03 14:08:02.477294722 +0100 ++++ openssl-1.1.1j/include/openssl/evperr.h 2021-03-03 14:13:37.587003722 +0100 +@@ -56,6 +56,9 @@ int ERR_load_EVP_strings(void); # define EVP_F_EVP_ENCRYPTDECRYPTUPDATE 219 # define EVP_F_EVP_ENCRYPTFINAL_EX 127 # define EVP_F_EVP_ENCRYPTUPDATE 167 @@ -3645,7 +3629,7 @@ diff -up openssl-1.1.1b/include/openssl/evperr.h.evp-kdf openssl-1.1.1b/include/ # define EVP_F_EVP_MD_CTX_COPY_EX 110 # define EVP_F_EVP_MD_SIZE 162 # define EVP_F_EVP_OPENINIT 102 -@@ -113,10 +116,12 @@ int ERR_load_EVP_strings(void); +@@ -118,11 +121,13 @@ int ERR_load_EVP_strings(void); # define EVP_F_PKCS5_V2_PBE_KEYIVGEN 118 # define EVP_F_PKCS5_V2_PBKDF2_KEYIVGEN 164 # define EVP_F_PKCS5_V2_SCRYPT_KEYIVGEN 180 @@ -3653,31 +3637,24 @@ diff -up openssl-1.1.1b/include/openssl/evperr.h.evp-kdf openssl-1.1.1b/include/ # define EVP_F_PKEY_SET_TYPE 158 # define EVP_F_RC2_MAGIC_TO_METH 109 # define EVP_F_RC5_CTRL 125 + # define EVP_F_R_32_12_16_INIT_KEY 242 # define EVP_F_S390X_AES_GCM_CTRL 201 +# define EVP_F_SCRYPT_ALG 228 # define EVP_F_UPDATE 173 /* -@@ -171,6 +176,7 @@ int ERR_load_EVP_strings(void); +@@ -179,6 +184,7 @@ int ERR_load_EVP_strings(void); # define EVP_R_ONLY_ONESHOT_SUPPORTED 177 # define EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 150 # define EVP_R_OPERATON_NOT_INITIALIZED 151 +# define EVP_R_PARAMETER_TOO_LARGE 187 + # define EVP_R_OUTPUT_WOULD_OVERFLOW 184 # define EVP_R_PARTIALLY_OVERLAPPING 162 # define EVP_R_PBKDF2_ERROR 181 - # define EVP_R_PKEY_APPLICATION_ASN1_METHOD_ALREADY_REGISTERED 179 -diff -up openssl-1.1.1b/include/openssl/kdferr.h.evp-kdf openssl-1.1.1b/include/openssl/kdferr.h ---- openssl-1.1.1b/include/openssl/kdferr.h.evp-kdf 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/include/openssl/kdferr.h 2019-02-28 13:05:05.657521363 +0100 -@@ -1,6 +1,6 @@ - /* - * Generated by util/mkerr.pl DO NOT EDIT -- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. -+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy -@@ -19,6 +19,23 @@ int ERR_load_KDF_strings(void); +diff -up openssl-1.1.1j/include/openssl/kdferr.h.evp-kdf openssl-1.1.1j/include/openssl/kdferr.h +--- openssl-1.1.1j/include/openssl/kdferr.h.evp-kdf 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/include/openssl/kdferr.h 2021-03-03 14:08:02.493294865 +0100 +@@ -23,6 +23,23 @@ int ERR_load_KDF_strings(void); /* * KDF function codes. */ @@ -3701,7 +3678,7 @@ diff -up openssl-1.1.1b/include/openssl/kdferr.h.evp-kdf openssl-1.1.1b/include/ # define KDF_F_PKEY_HKDF_CTRL_STR 103 # define KDF_F_PKEY_HKDF_DERIVE 102 # define KDF_F_PKEY_HKDF_INIT 108 -@@ -30,6 +47,7 @@ int ERR_load_KDF_strings(void); +@@ -34,6 +51,7 @@ int ERR_load_KDF_strings(void); # define KDF_F_PKEY_TLS1_PRF_CTRL_STR 100 # define KDF_F_PKEY_TLS1_PRF_DERIVE 101 # define KDF_F_PKEY_TLS1_PRF_INIT 110 @@ -3709,16 +3686,16 @@ diff -up openssl-1.1.1b/include/openssl/kdferr.h.evp-kdf openssl-1.1.1b/include/ # define KDF_F_TLS1_PRF_ALG 111 /* -@@ -47,5 +65,6 @@ int ERR_load_KDF_strings(void); +@@ -51,5 +69,6 @@ int ERR_load_KDF_strings(void); # define KDF_R_UNKNOWN_PARAMETER_TYPE 103 # define KDF_R_VALUE_ERROR 108 # define KDF_R_VALUE_MISSING 102 +# define KDF_R_WRONG_OUTPUT_BUFFER_SIZE 112 #endif -diff -up openssl-1.1.1b/include/openssl/kdf.h.evp-kdf openssl-1.1.1b/include/openssl/kdf.h ---- openssl-1.1.1b/include/openssl/kdf.h.evp-kdf 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/include/openssl/kdf.h 2019-02-28 13:05:05.657521363 +0100 +diff -up openssl-1.1.1j/include/openssl/kdf.h.evp-kdf openssl-1.1.1j/include/openssl/kdf.h +--- openssl-1.1.1j/include/openssl/kdf.h.evp-kdf 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/include/openssl/kdf.h 2021-03-03 14:08:02.493294865 +0100 @@ -10,10 +10,50 @@ #ifndef HEADER_KDF_H # define HEADER_KDF_H @@ -3797,9 +3774,9 @@ diff -up openssl-1.1.1b/include/openssl/kdf.h.evp-kdf openssl-1.1.1b/include/ope } # endif #endif -diff -up openssl-1.1.1b/include/openssl/ossl_typ.h.evp-kdf openssl-1.1.1b/include/openssl/ossl_typ.h ---- openssl-1.1.1b/include/openssl/ossl_typ.h.evp-kdf 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/include/openssl/ossl_typ.h 2019-02-28 13:05:05.657521363 +0100 +diff -up openssl-1.1.1j/include/openssl/ossl_typ.h.evp-kdf openssl-1.1.1j/include/openssl/ossl_typ.h +--- openssl-1.1.1j/include/openssl/ossl_typ.h.evp-kdf 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/include/openssl/ossl_typ.h 2021-03-03 14:08:02.493294865 +0100 @@ -97,6 +97,8 @@ typedef struct evp_pkey_asn1_method_st E typedef struct evp_pkey_method_st EVP_PKEY_METHOD; typedef struct evp_pkey_ctx_st EVP_PKEY_CTX; @@ -3809,10 +3786,10 @@ diff -up openssl-1.1.1b/include/openssl/ossl_typ.h.evp-kdf openssl-1.1.1b/includ typedef struct evp_Encode_Ctx_st EVP_ENCODE_CTX; typedef struct hmac_ctx_st HMAC_CTX; -diff -up openssl-1.1.1b/test/build.info.evp-kdf openssl-1.1.1b/test/build.info ---- openssl-1.1.1b/test/build.info.evp-kdf 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/test/build.info 2019-02-28 13:05:05.657521363 +0100 -@@ -43,7 +43,8 @@ INCLUDE_MAIN___test_libtestutil_OLB = /I +diff -up openssl-1.1.1j/test/build.info.evp-kdf openssl-1.1.1j/test/build.info +--- openssl-1.1.1j/test/build.info.evp-kdf 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/test/build.info 2021-03-03 14:08:02.493294865 +0100 +@@ -44,7 +44,8 @@ INCLUDE_MAIN___test_libtestutil_OLB = /I ssl_test_ctx_test ssl_test x509aux cipherlist_test asynciotest \ bio_callback_test bio_memleak_test \ bioprinttest sslapitest dtlstest sslcorrupttest bio_enc_test \ @@ -3822,7 +3799,7 @@ diff -up openssl-1.1.1b/test/build.info.evp-kdf openssl-1.1.1b/test/build.info asn1_encode_test asn1_decode_test asn1_string_table_test \ x509_time_test x509_dup_cert_test x509_check_cert_pkey_test \ recordlentest drbgtest sslbuffertest \ -@@ -335,6 +336,10 @@ INCLUDE_MAIN___test_libtestutil_OLB = /I +@@ -336,6 +337,10 @@ INCLUDE_MAIN___test_libtestutil_OLB = /I INCLUDE[pkey_meth_kdf_test]=../include DEPEND[pkey_meth_kdf_test]=../libcrypto libtestutil.a @@ -3833,9 +3810,9 @@ diff -up openssl-1.1.1b/test/build.info.evp-kdf openssl-1.1.1b/test/build.info SOURCE[x509_time_test]=x509_time_test.c INCLUDE[x509_time_test]=../include DEPEND[x509_time_test]=../libcrypto libtestutil.a -diff -up openssl-1.1.1b/test/evp_kdf_test.c.evp-kdf openssl-1.1.1b/test/evp_kdf_test.c ---- openssl-1.1.1b/test/evp_kdf_test.c.evp-kdf 2019-02-28 13:05:05.658521345 +0100 -+++ openssl-1.1.1b/test/evp_kdf_test.c 2019-02-28 13:05:05.658521345 +0100 +diff -up openssl-1.1.1j/test/evp_kdf_test.c.evp-kdf openssl-1.1.1j/test/evp_kdf_test.c +--- openssl-1.1.1j/test/evp_kdf_test.c.evp-kdf 2021-03-03 14:08:02.494294874 +0100 ++++ openssl-1.1.1j/test/evp_kdf_test.c 2021-03-03 14:08:02.494294874 +0100 @@ -0,0 +1,237 @@ +/* + * Copyright 2018-2019 The OpenSSL Project Authors. All Rights Reserved. @@ -4074,10 +4051,10 @@ diff -up openssl-1.1.1b/test/evp_kdf_test.c.evp-kdf openssl-1.1.1b/test/evp_kdf_ +#endif + return 1; +} -diff -up openssl-1.1.1b/test/evp_test.c.evp-kdf openssl-1.1.1b/test/evp_test.c ---- openssl-1.1.1b/test/evp_test.c.evp-kdf 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/test/evp_test.c 2019-02-28 13:05:05.658521345 +0100 -@@ -1672,13 +1672,14 @@ static const EVP_TEST_METHOD encode_test +diff -up openssl-1.1.1j/test/evp_test.c.evp-kdf openssl-1.1.1j/test/evp_test.c +--- openssl-1.1.1j/test/evp_test.c.evp-kdf 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/test/evp_test.c 2021-03-03 14:08:02.494294874 +0100 +@@ -1705,13 +1705,14 @@ static const EVP_TEST_METHOD encode_test encode_test_run, }; @@ -4093,7 +4070,7 @@ diff -up openssl-1.1.1b/test/evp_test.c.evp-kdf openssl-1.1.1b/test/evp_test.c /* Expected output */ unsigned char *output; size_t output_len; -@@ -1705,16 +1706,11 @@ static int kdf_test_init(EVP_TEST *t, co +@@ -1738,16 +1739,11 @@ static int kdf_test_init(EVP_TEST *t, co if (!TEST_ptr(kdata = OPENSSL_zalloc(sizeof(*kdata)))) return 0; @@ -4111,7 +4088,7 @@ diff -up openssl-1.1.1b/test/evp_test.c.evp-kdf openssl-1.1.1b/test/evp_test.c t->data = kdata; return 1; } -@@ -1723,7 +1719,42 @@ static void kdf_test_cleanup(EVP_TEST *t +@@ -1756,7 +1752,42 @@ static void kdf_test_cleanup(EVP_TEST *t { KDF_DATA *kdata = t->data; OPENSSL_free(kdata->output); @@ -4155,7 +4132,7 @@ diff -up openssl-1.1.1b/test/evp_test.c.evp-kdf openssl-1.1.1b/test/evp_test.c } static int kdf_test_parse(EVP_TEST *t, -@@ -1734,7 +1765,7 @@ static int kdf_test_parse(EVP_TEST *t, +@@ -1767,7 +1798,7 @@ static int kdf_test_parse(EVP_TEST *t, if (strcmp(keyword, "Output") == 0) return parse_bin(value, &kdata->output, &kdata->output_len); if (strncmp(keyword, "Ctrl", 4) == 0) @@ -4164,7 +4141,7 @@ diff -up openssl-1.1.1b/test/evp_test.c.evp-kdf openssl-1.1.1b/test/evp_test.c return 0; } -@@ -1748,7 +1779,7 @@ static int kdf_test_run(EVP_TEST *t) +@@ -1781,7 +1812,7 @@ static int kdf_test_run(EVP_TEST *t) t->err = "INTERNAL_ERROR"; goto err; } @@ -4173,7 +4150,7 @@ diff -up openssl-1.1.1b/test/evp_test.c.evp-kdf openssl-1.1.1b/test/evp_test.c t->err = "KDF_DERIVE_ERROR"; goto err; } -@@ -1774,6 +1805,106 @@ static const EVP_TEST_METHOD kdf_test_me +@@ -1807,6 +1838,106 @@ static const EVP_TEST_METHOD kdf_test_me /** @@ -4280,7 +4257,7 @@ diff -up openssl-1.1.1b/test/evp_test.c.evp-kdf openssl-1.1.1b/test/evp_test.c *** KEYPAIR TESTS **/ -@@ -2277,6 +2408,7 @@ static const EVP_TEST_METHOD *evp_test_l +@@ -2310,6 +2441,7 @@ static const EVP_TEST_METHOD *evp_test_l &digestverify_test_method, &encode_test_method, &kdf_test_method, @@ -4288,9 +4265,9 @@ diff -up openssl-1.1.1b/test/evp_test.c.evp-kdf openssl-1.1.1b/test/evp_test.c &keypair_test_method, &keygen_test_method, &mac_test_method, -diff -up openssl-1.1.1b/test/pkey_meth_kdf_test.c.evp-kdf openssl-1.1.1b/test/pkey_meth_kdf_test.c ---- openssl-1.1.1b/test/pkey_meth_kdf_test.c.evp-kdf 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/test/pkey_meth_kdf_test.c 2019-02-28 13:05:05.658521345 +0100 +diff -up openssl-1.1.1j/test/pkey_meth_kdf_test.c.evp-kdf openssl-1.1.1j/test/pkey_meth_kdf_test.c +--- openssl-1.1.1j/test/pkey_meth_kdf_test.c.evp-kdf 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/test/pkey_meth_kdf_test.c 2021-03-03 14:08:02.494294874 +0100 @@ -1,5 +1,5 @@ /* - * Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved. @@ -4494,9 +4471,9 @@ diff -up openssl-1.1.1b/test/pkey_meth_kdf_test.c.evp-kdf openssl-1.1.1b/test/pk } #endif -diff -up openssl-1.1.1b/test/recipes/30-test_evp_data/evpkdf.txt.evp-kdf openssl-1.1.1b/test/recipes/30-test_evp_data/evpkdf.txt ---- openssl-1.1.1b/test/recipes/30-test_evp_data/evpkdf.txt.evp-kdf 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/test/recipes/30-test_evp_data/evpkdf.txt 2019-02-28 13:05:05.659521326 +0100 +diff -up openssl-1.1.1j/test/recipes/30-test_evp_data/evpkdf.txt.evp-kdf openssl-1.1.1j/test/recipes/30-test_evp_data/evpkdf.txt +--- openssl-1.1.1j/test/recipes/30-test_evp_data/evpkdf.txt.evp-kdf 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/test/recipes/30-test_evp_data/evpkdf.txt 2021-03-03 14:08:02.494294874 +0100 @@ -1,5 +1,5 @@ # -# Copyright 2001-2017 The OpenSSL Project Authors. All Rights Reserved. @@ -4895,9 +4872,9 @@ diff -up openssl-1.1.1b/test/recipes/30-test_evp_data/evpkdf.txt.evp-kdf openssl +Ctrl.digest = digest:sha512 +Output = 00ef42cdbfc98d29db20976608e455567fdddf14 + -diff -up openssl-1.1.1b/test/recipes/30-test_evp_data/evppkey_kdf.txt.evp-kdf openssl-1.1.1b/test/recipes/30-test_evp_data/evppkey_kdf.txt ---- openssl-1.1.1b/test/recipes/30-test_evp_data/evppkey_kdf.txt.evp-kdf 2019-02-28 13:05:05.659521326 +0100 -+++ openssl-1.1.1b/test/recipes/30-test_evp_data/evppkey_kdf.txt 2019-02-28 13:05:05.659521326 +0100 +diff -up openssl-1.1.1j/test/recipes/30-test_evp_data/evppkey_kdf.txt.evp-kdf openssl-1.1.1j/test/recipes/30-test_evp_data/evppkey_kdf.txt +--- openssl-1.1.1j/test/recipes/30-test_evp_data/evppkey_kdf.txt.evp-kdf 2021-03-03 14:08:02.494294874 +0100 ++++ openssl-1.1.1j/test/recipes/30-test_evp_data/evppkey_kdf.txt 2021-03-03 14:08:02.494294874 +0100 @@ -0,0 +1,305 @@ +# +# Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved. @@ -5204,9 +5181,9 @@ diff -up openssl-1.1.1b/test/recipes/30-test_evp_data/evppkey_kdf.txt.evp-kdf op +Ctrl.p = p:1 +Result = INTERNAL_ERROR + -diff -up openssl-1.1.1b/test/recipes/30-test_evp_kdf.t.evp-kdf openssl-1.1.1b/test/recipes/30-test_evp_kdf.t ---- openssl-1.1.1b/test/recipes/30-test_evp_kdf.t.evp-kdf 2019-02-28 13:05:05.659521326 +0100 -+++ openssl-1.1.1b/test/recipes/30-test_evp_kdf.t 2019-02-28 13:05:05.659521326 +0100 +diff -up openssl-1.1.1j/test/recipes/30-test_evp_kdf.t.evp-kdf openssl-1.1.1j/test/recipes/30-test_evp_kdf.t +--- openssl-1.1.1j/test/recipes/30-test_evp_kdf.t.evp-kdf 2021-03-03 14:08:02.494294874 +0100 ++++ openssl-1.1.1j/test/recipes/30-test_evp_kdf.t 2021-03-03 14:08:02.494294874 +0100 @@ -0,0 +1,13 @@ +#! /usr/bin/env perl +# Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. @@ -5221,9 +5198,9 @@ diff -up openssl-1.1.1b/test/recipes/30-test_evp_kdf.t.evp-kdf openssl-1.1.1b/te +use OpenSSL::Test::Simple; + +simple_test("test_evp_kdf", "evp_kdf_test"); -diff -up openssl-1.1.1c/test/recipes/30-test_evp.t.evp-kdf openssl-1.1.1c/test/recipes/30-test_evp.t ---- openssl-1.1.1c/test/recipes/30-test_evp.t.evp-kdf 2019-05-29 16:55:38.236960543 +0200 -+++ openssl-1.1.1c/test/recipes/30-test_evp.t 2019-05-29 16:57:46.348718012 +0200 +diff -up openssl-1.1.1j/test/recipes/30-test_evp.t.evp-kdf openssl-1.1.1j/test/recipes/30-test_evp.t +--- openssl-1.1.1j/test/recipes/30-test_evp.t.evp-kdf 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/test/recipes/30-test_evp.t 2021-03-03 14:08:02.495294883 +0100 @@ -15,7 +15,7 @@ use OpenSSL::Test qw/:DEFAULT data_file/ setup("test_evp"); @@ -5233,11 +5210,10 @@ diff -up openssl-1.1.1c/test/recipes/30-test_evp.t.evp-kdf openssl-1.1.1c/test/r "evpcase.txt", "evpccmcavs.txt" ); plan tests => scalar(@files); - -diff -up openssl-1.1.1b/util/libcrypto.num.evp-kdf openssl-1.1.1b/util/libcrypto.num ---- openssl-1.1.1b/util/libcrypto.num.evp-kdf 2019-02-28 13:05:05.636521752 +0100 -+++ openssl-1.1.1b/util/libcrypto.num 2019-02-28 13:05:05.660521308 +0100 -@@ -4614,3 +4614,11 @@ FIPS_drbg_get_strength +diff -up openssl-1.1.1j/util/libcrypto.num.evp-kdf openssl-1.1.1j/util/libcrypto.num +--- openssl-1.1.1j/util/libcrypto.num.evp-kdf 2021-03-03 14:08:02.481294758 +0100 ++++ openssl-1.1.1j/util/libcrypto.num 2021-03-03 14:08:02.495294883 +0100 +@@ -4626,3 +4626,11 @@ FIPS_drbg_get_strength FIPS_rand_strength 6380 1_1_0g EXIST::FUNCTION: FIPS_drbg_get_blocklength 6381 1_1_0g EXIST::FUNCTION: FIPS_drbg_init 6382 1_1_0g EXIST::FUNCTION: @@ -5249,9 +5225,9 @@ diff -up openssl-1.1.1b/util/libcrypto.num.evp-kdf openssl-1.1.1b/util/libcrypto +EVP_KDF_ctrl_str 6595 1_1_1b EXIST::FUNCTION: +EVP_KDF_size 6596 1_1_1b EXIST::FUNCTION: +EVP_KDF_derive 6597 1_1_1b EXIST::FUNCTION: -diff -up openssl-1.1.1b/util/private.num.evp-kdf openssl-1.1.1b/util/private.num ---- openssl-1.1.1b/util/private.num.evp-kdf 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/util/private.num 2019-02-28 13:05:05.660521308 +0100 +diff -up openssl-1.1.1j/util/private.num.evp-kdf openssl-1.1.1j/util/private.num +--- openssl-1.1.1j/util/private.num.evp-kdf 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/util/private.num 2021-03-03 14:08:02.495294883 +0100 @@ -21,6 +21,7 @@ CRYPTO_EX_dup CRYPTO_EX_free datatype CRYPTO_EX_new datatype diff --git a/openssl-1.1.1-fips-crng-test.patch b/openssl-1.1.1-fips-crng-test.patch index 91841f1..267a3ea 100644 --- a/openssl-1.1.1-fips-crng-test.patch +++ b/openssl-1.1.1-fips-crng-test.patch @@ -1,33 +1,17 @@ -diff -up openssl-1.1.1b/crypto/include/internal/rand_int.h.crng-test openssl-1.1.1b/crypto/include/internal/rand_int.h ---- openssl-1.1.1b/crypto/include/internal/rand_int.h.crng-test 2019-05-07 08:56:33.242179136 +0200 -+++ openssl-1.1.1b/crypto/include/internal/rand_int.h 2019-05-07 09:54:14.920204875 +0200 -@@ -49,6 +49,14 @@ size_t rand_drbg_get_additional_data(RAN - - void rand_drbg_cleanup_additional_data(RAND_POOL *pool, unsigned char *out); - -+/* CRNG test entropy filter callbacks. */ -+size_t rand_crngt_get_entropy(RAND_DRBG *drbg, -+ unsigned char **pout, -+ int entropy, size_t min_len, size_t max_len, -+ int prediction_resistance); -+void rand_crngt_cleanup_entropy(RAND_DRBG *drbg, -+ unsigned char *out, size_t outlen); -+ - /* - * RAND_POOL functions - */ -diff -up openssl-1.1.1b/crypto/rand/build.info.crng-test openssl-1.1.1b/crypto/rand/build.info ---- openssl-1.1.1b/crypto/rand/build.info.crng-test 2019-05-07 09:54:14.921204857 +0200 -+++ openssl-1.1.1b/crypto/rand/build.info 2019-05-07 09:55:22.730014705 +0200 -@@ -1,4 +1,4 @@ +diff -up openssl-1.1.1g/crypto/rand/build.info.crng-test openssl-1.1.1g/crypto/rand/build.info +--- openssl-1.1.1g/crypto/rand/build.info.crng-test 2020-04-23 13:30:45.863389837 +0200 ++++ openssl-1.1.1g/crypto/rand/build.info 2020-04-23 13:31:55.847069892 +0200 +@@ -1,6 +1,6 @@ LIBS=../../libcrypto SOURCE[../../libcrypto]=\ - randfile.c rand_lib.c rand_err.c rand_egd.c \ + randfile.c rand_lib.c rand_err.c rand_crng_test.c rand_egd.c \ rand_win.c rand_unix.c rand_vms.c drbg_lib.c drbg_ctr.c -diff -up openssl-1.1.1b/crypto/rand/drbg_lib.c.crng-test openssl-1.1.1b/crypto/rand/drbg_lib.c ---- openssl-1.1.1b/crypto/rand/drbg_lib.c.crng-test 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/rand/drbg_lib.c 2019-05-07 10:04:51.753157224 +0200 + + INCLUDE[drbg_ctr.o]=../modes +diff -up openssl-1.1.1g/crypto/rand/drbg_lib.c.crng-test openssl-1.1.1g/crypto/rand/drbg_lib.c +--- openssl-1.1.1g/crypto/rand/drbg_lib.c.crng-test 2020-04-23 13:30:45.818390686 +0200 ++++ openssl-1.1.1g/crypto/rand/drbg_lib.c 2020-04-23 13:30:45.864389819 +0200 @@ -67,7 +67,7 @@ static CRYPTO_THREAD_LOCAL private_drbg; @@ -51,9 +35,9 @@ diff -up openssl-1.1.1b/crypto/rand/drbg_lib.c.crng-test openssl-1.1.1b/crypto/r #ifndef RAND_DRBG_GET_RANDOM_NONCE drbg->get_nonce = rand_drbg_get_nonce; drbg->cleanup_nonce = rand_drbg_cleanup_nonce; -diff -up openssl-1.1.1b/crypto/rand/rand_crng_test.c.crng-test openssl-1.1.1b/crypto/rand/rand_crng_test.c ---- openssl-1.1.1b/crypto/rand/rand_crng_test.c.crng-test 2019-05-07 09:54:14.925204787 +0200 -+++ openssl-1.1.1b/crypto/rand/rand_crng_test.c 2019-05-07 09:54:14.932204664 +0200 +diff -up openssl-1.1.1g/crypto/rand/rand_crng_test.c.crng-test openssl-1.1.1g/crypto/rand/rand_crng_test.c +--- openssl-1.1.1g/crypto/rand/rand_crng_test.c.crng-test 2020-04-23 13:30:45.864389819 +0200 ++++ openssl-1.1.1g/crypto/rand/rand_crng_test.c 2020-04-23 13:30:45.864389819 +0200 @@ -0,0 +1,118 @@ +/* + * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. @@ -71,9 +55,9 @@ diff -up openssl-1.1.1b/crypto/rand/rand_crng_test.c.crng-test openssl-1.1.1b/cr + +#include +#include -+#include "internal/rand_int.h" ++#include "crypto/rand.h" +#include "internal/thread_once.h" -+#include "rand_lcl.h" ++#include "rand_local.h" + +static RAND_POOL *crngt_pool; +static unsigned char crngt_prev[EVP_MAX_MD_SIZE]; @@ -110,7 +94,7 @@ diff -up openssl-1.1.1b/crypto/rand/rand_crng_test.c.crng-test openssl-1.1.1b/cr +{ + unsigned char buf[CRNGT_BUFSIZ]; + -+ if ((crngt_pool = rand_pool_new(0, CRNGT_BUFSIZ, CRNGT_BUFSIZ)) == NULL) ++ if ((crngt_pool = rand_pool_new(0, 1, CRNGT_BUFSIZ, CRNGT_BUFSIZ)) == NULL) + return 0; + if (crngt_get_entropy(buf, crngt_prev, NULL)) { + OPENSSL_cleanse(buf, sizeof(buf)); @@ -147,7 +131,7 @@ diff -up openssl-1.1.1b/crypto/rand/rand_crng_test.c.crng-test openssl-1.1.1b/cr + if (!RUN_ONCE(&rand_crngt_init_flag, do_rand_crngt_init)) + return 0; + -+ if ((pool = rand_pool_new(entropy, min_len, max_len)) == NULL) ++ if ((pool = rand_pool_new(entropy, 1, min_len, max_len)) == NULL) + return 0; + + while ((q = rand_pool_bytes_needed(pool, 1)) > 0 && attempts-- > 0) { @@ -173,9 +157,9 @@ diff -up openssl-1.1.1b/crypto/rand/rand_crng_test.c.crng-test openssl-1.1.1b/cr +{ + OPENSSL_secure_clear_free(out, outlen); +} -diff -up openssl-1.1.1b/crypto/rand/rand_lcl.h.crng-test openssl-1.1.1b/crypto/rand/rand_lcl.h ---- openssl-1.1.1b/crypto/rand/rand_lcl.h.crng-test 2019-05-07 08:56:33.330177674 +0200 -+++ openssl-1.1.1b/crypto/rand/rand_lcl.h 2019-05-07 09:54:14.933204647 +0200 +diff -up openssl-1.1.1g/crypto/rand/rand_local.h.crng-test openssl-1.1.1g/crypto/rand/rand_local.h +--- openssl-1.1.1g/crypto/rand/rand_local.h.crng-test 2020-04-23 13:30:45.470397250 +0200 ++++ openssl-1.1.1g/crypto/rand/rand_local.h 2020-04-23 13:30:45.864389819 +0200 @@ -33,7 +33,15 @@ # define MASTER_RESEED_TIME_INTERVAL (60*60) /* 1 hour */ # define SLAVE_RESEED_TIME_INTERVAL (7*60) /* 7 minutes */ @@ -193,17 +177,16 @@ diff -up openssl-1.1.1b/crypto/rand/rand_lcl.h.crng-test openssl-1.1.1b/crypto/r /* * Maximum input size for the DRBG (entropy, nonce, personalization string) -@@ -44,7 +52,8 @@ +@@ -44,6 +52,8 @@ */ # define DRBG_MAX_LENGTH INT32_MAX -- +/* The default nonce */ +# define DRBG_DEFAULT_PERS_STRING "OpenSSL NIST SP 800-90A DRBG" /* * Maximum allocation size for RANDOM_POOL buffers -@@ -290,4 +299,22 @@ int rand_drbg_enable_locking(RAND_DRBG * +@@ -296,4 +306,22 @@ int rand_drbg_enable_locking(RAND_DRBG * /* initializes the AES-CTR DRBG implementation */ int drbg_ctr_init(RAND_DRBG *drbg); @@ -226,10 +209,28 @@ diff -up openssl-1.1.1b/crypto/rand/rand_lcl.h.crng-test openssl-1.1.1b/crypto/r +int rand_crngt_single_init(void); + #endif -diff -up openssl-1.1.1b/test/drbgtest.c.crng-test openssl-1.1.1b/test/drbgtest.c ---- openssl-1.1.1b/test/drbgtest.c.crng-test 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/test/drbgtest.c 2019-05-07 10:06:24.706551561 +0200 -@@ -143,6 +143,31 @@ static size_t kat_nonce(RAND_DRBG *drbg, +diff -up openssl-1.1.1g/include/crypto/rand.h.crng-test openssl-1.1.1g/include/crypto/rand.h +--- openssl-1.1.1g/include/crypto/rand.h.crng-test 2020-04-23 13:30:45.824390573 +0200 ++++ openssl-1.1.1g/include/crypto/rand.h 2020-04-23 13:30:45.864389819 +0200 +@@ -49,6 +49,14 @@ size_t rand_drbg_get_additional_data(RAN + + void rand_drbg_cleanup_additional_data(RAND_POOL *pool, unsigned char *out); + ++/* CRNG test entropy filter callbacks. */ ++size_t rand_crngt_get_entropy(RAND_DRBG *drbg, ++ unsigned char **pout, ++ int entropy, size_t min_len, size_t max_len, ++ int prediction_resistance); ++void rand_crngt_cleanup_entropy(RAND_DRBG *drbg, ++ unsigned char *out, size_t outlen); ++ + /* + * RAND_POOL functions + */ +diff -up openssl-1.1.1g/test/drbgtest.c.crng-test openssl-1.1.1g/test/drbgtest.c +--- openssl-1.1.1g/test/drbgtest.c.crng-test 2020-04-21 14:22:39.000000000 +0200 ++++ openssl-1.1.1g/test/drbgtest.c 2020-04-23 13:30:45.865389800 +0200 +@@ -150,6 +150,31 @@ static size_t kat_nonce(RAND_DRBG *drbg, return t->noncelen; } @@ -261,7 +262,7 @@ diff -up openssl-1.1.1b/test/drbgtest.c.crng-test openssl-1.1.1b/test/drbgtest.c static int uninstantiate(RAND_DRBG *drbg) { int ret = drbg == NULL ? 1 : RAND_DRBG_uninstantiate(drbg); -@@ -168,7 +193,8 @@ static int single_kat(DRBG_SELFTEST_DATA +@@ -175,7 +200,8 @@ static int single_kat(DRBG_SELFTEST_DATA if (!TEST_ptr(drbg = RAND_DRBG_new(td->nid, td->flags, NULL))) return 0; if (!TEST_true(RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL, @@ -271,7 +272,7 @@ diff -up openssl-1.1.1b/test/drbgtest.c.crng-test openssl-1.1.1b/test/drbgtest.c failures++; goto err; } -@@ -286,7 +312,8 @@ static int error_check(DRBG_SELFTEST_DAT +@@ -293,7 +319,8 @@ static int error_check(DRBG_SELFTEST_DAT unsigned int reseed_counter_tmp; int ret = 0; @@ -281,7 +282,7 @@ diff -up openssl-1.1.1b/test/drbgtest.c.crng-test openssl-1.1.1b/test/drbgtest.c goto err; /* -@@ -699,6 +726,10 @@ static int test_rand_drbg_reseed(void) +@@ -740,6 +767,10 @@ static int test_rand_drbg_reseed(void) || !TEST_ptr_eq(private->parent, master)) return 0; @@ -292,7 +293,7 @@ diff -up openssl-1.1.1b/test/drbgtest.c.crng-test openssl-1.1.1b/test/drbgtest.c /* uninstantiate the three global DRBGs */ RAND_DRBG_uninstantiate(private); RAND_DRBG_uninstantiate(public); -@@ -919,7 +950,8 @@ static int test_rand_seed(void) +@@ -964,7 +995,8 @@ static int test_rand_seed(void) size_t rand_buflen; size_t required_seed_buflen = 0; @@ -302,7 +303,7 @@ diff -up openssl-1.1.1b/test/drbgtest.c.crng-test openssl-1.1.1b/test/drbgtest.c return 0; #ifdef OPENSSL_RAND_SEED_NONE -@@ -968,6 +1000,95 @@ static int test_rand_add(void) +@@ -1013,6 +1045,95 @@ static int test_rand_add(void) return 1; } @@ -398,7 +399,7 @@ diff -up openssl-1.1.1b/test/drbgtest.c.crng-test openssl-1.1.1b/test/drbgtest.c int setup_tests(void) { app_data_index = RAND_DRBG_get_ex_new_index(0L, NULL, NULL, NULL, NULL); -@@ -980,5 +1101,6 @@ int setup_tests(void) +@@ -1025,5 +1146,6 @@ int setup_tests(void) #if defined(OPENSSL_THREADS) ADD_TEST(test_multi_thread); #endif diff --git a/openssl-1.1.1-fips-curves.patch b/openssl-1.1.1-fips-curves.patch new file mode 100644 index 0000000..33e9fc5 --- /dev/null +++ b/openssl-1.1.1-fips-curves.patch @@ -0,0 +1,200 @@ +diff -up openssl-1.1.1g/crypto/ec/ec_curve.c.fips-curves openssl-1.1.1g/crypto/ec/ec_curve.c +--- openssl-1.1.1g/crypto/ec/ec_curve.c.fips-curves 2020-05-18 12:59:54.839643980 +0200 ++++ openssl-1.1.1g/crypto/ec/ec_curve.c 2020-05-18 12:59:54.852644093 +0200 +@@ -13,6 +13,7 @@ + #include + #include + #include ++#include + #include "internal/nelem.h" + + typedef struct { +@@ -237,6 +238,7 @@ static const struct { + + typedef struct _ec_list_element_st { + int nid; ++ int fips_allowed; + const EC_CURVE_DATA *data; + const EC_METHOD *(*meth) (void); + const char *comment; +@@ -246,23 +248,23 @@ static const ec_list_element curve_list[ + /* prime field curves */ + /* secg curves */ + #ifndef OPENSSL_NO_EC_NISTP_64_GCC_128 +- {NID_secp224r1, &_EC_NIST_PRIME_224.h, EC_GFp_nistp224_method, ++ {NID_secp224r1, 1, &_EC_NIST_PRIME_224.h, EC_GFp_nistp224_method, + "NIST/SECG curve over a 224 bit prime field"}, + #else +- {NID_secp224r1, &_EC_NIST_PRIME_224.h, 0, ++ {NID_secp224r1, 1, &_EC_NIST_PRIME_224.h, 0, + "NIST/SECG curve over a 224 bit prime field"}, + #endif +- {NID_secp256k1, &_EC_SECG_PRIME_256K1.h, 0, ++ {NID_secp256k1, 0, &_EC_SECG_PRIME_256K1.h, 0, + "SECG curve over a 256 bit prime field"}, + /* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */ +- {NID_secp384r1, &_EC_NIST_PRIME_384.h, ++ {NID_secp384r1, 1, &_EC_NIST_PRIME_384.h, + # if defined(S390X_EC_ASM) + EC_GFp_s390x_nistp384_method, + # else + 0, + # endif + "NIST/SECG curve over a 384 bit prime field"}, +- {NID_secp521r1, &_EC_NIST_PRIME_521.h, ++ {NID_secp521r1, 1, &_EC_NIST_PRIME_521.h, + # if defined(S390X_EC_ASM) + EC_GFp_s390x_nistp521_method, + # elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128) +@@ -272,7 +274,7 @@ static const ec_list_element curve_list[ + # endif + "NIST/SECG curve over a 521 bit prime field"}, + /* X9.62 curves */ +- {NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h, ++ {NID_X9_62_prime256v1, 1, &_EC_X9_62_PRIME_256V1.h, + #if defined(ECP_NISTZ256_ASM) + EC_GFp_nistz256_method, + # elif defined(S390X_EC_ASM) +@@ -404,6 +406,10 @@ EC_GROUP *EC_GROUP_new_by_curve_name(int + + for (i = 0; i < curve_list_length; i++) + if (curve_list[i].nid == nid) { ++ if (!curve_list[i].fips_allowed && FIPS_mode()) { ++ ECerr(EC_F_EC_GROUP_NEW_BY_CURVE_NAME, EC_R_NOT_A_NIST_PRIME); ++ return NULL; ++ } + ret = ec_group_new_from_data(curve_list[i]); + break; + } +@@ -418,19 +424,31 @@ EC_GROUP *EC_GROUP_new_by_curve_name(int + + size_t EC_get_builtin_curves(EC_builtin_curve *r, size_t nitems) + { +- size_t i, min; ++ size_t i, j, num; ++ int fips_mode = FIPS_mode(); + +- if (r == NULL || nitems == 0) +- return curve_list_length; ++ num = curve_list_length; ++ if (fips_mode) ++ for (i = 0; i < curve_list_length; i++) { ++ if (!curve_list[i].fips_allowed) ++ --num; ++ } + +- min = nitems < curve_list_length ? nitems : curve_list_length; ++ if (r == NULL || nitems == 0) { ++ return num; ++ } + +- for (i = 0; i < min; i++) { +- r[i].nid = curve_list[i].nid; +- r[i].comment = curve_list[i].comment; ++ for (i = 0, j = 0; i < curve_list_length; i++) { ++ if (j >= nitems) ++ break; ++ if (!fips_mode || curve_list[i].fips_allowed) { ++ r[j].nid = curve_list[i].nid; ++ r[j].comment = curve_list[i].comment; ++ ++j; ++ } + } + +- return curve_list_length; ++ return num; + } + + /* Functions to translate between common NIST curve names and NIDs */ +diff -up openssl-1.1.1g/ssl/t1_lib.c.fips-curves openssl-1.1.1g/ssl/t1_lib.c +--- openssl-1.1.1g/ssl/t1_lib.c.fips-curves 2020-05-18 12:59:54.797643616 +0200 ++++ openssl-1.1.1g/ssl/t1_lib.c 2020-05-18 13:03:54.748725463 +0200 +@@ -678,6 +678,36 @@ static const uint16_t tls12_sigalgs[] = + #endif + }; + ++static const uint16_t tls12_fips_sigalgs[] = { ++#ifndef OPENSSL_NO_EC ++ TLSEXT_SIGALG_ecdsa_secp256r1_sha256, ++ TLSEXT_SIGALG_ecdsa_secp384r1_sha384, ++ TLSEXT_SIGALG_ecdsa_secp521r1_sha512, ++#endif ++ ++ TLSEXT_SIGALG_rsa_pss_pss_sha256, ++ TLSEXT_SIGALG_rsa_pss_pss_sha384, ++ TLSEXT_SIGALG_rsa_pss_pss_sha512, ++ TLSEXT_SIGALG_rsa_pss_rsae_sha256, ++ TLSEXT_SIGALG_rsa_pss_rsae_sha384, ++ TLSEXT_SIGALG_rsa_pss_rsae_sha512, ++ ++ TLSEXT_SIGALG_rsa_pkcs1_sha256, ++ TLSEXT_SIGALG_rsa_pkcs1_sha384, ++ TLSEXT_SIGALG_rsa_pkcs1_sha512, ++ ++#ifndef OPENSSL_NO_EC ++ TLSEXT_SIGALG_ecdsa_sha224, ++#endif ++ TLSEXT_SIGALG_rsa_pkcs1_sha224, ++#ifndef OPENSSL_NO_DSA ++ TLSEXT_SIGALG_dsa_sha224, ++ TLSEXT_SIGALG_dsa_sha256, ++ TLSEXT_SIGALG_dsa_sha384, ++ TLSEXT_SIGALG_dsa_sha512, ++#endif ++}; ++ + #ifndef OPENSSL_NO_EC + static const uint16_t suiteb_sigalgs[] = { + TLSEXT_SIGALG_ecdsa_secp256r1_sha256, +@@ -894,6 +924,8 @@ static const SIGALG_LOOKUP *tls1_get_leg + } + if (idx < 0 || idx >= (int)OSSL_NELEM(tls_default_sigalg)) + return NULL; ++ if (FIPS_mode()) /* We do not allow legacy SHA1 signatures in FIPS mode */ ++ return NULL; + if (SSL_USE_SIGALGS(s) || idx != SSL_PKEY_RSA) { + const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(tls_default_sigalg[idx]); + +@@ -954,6 +986,9 @@ size_t tls12_get_psigalgs(SSL *s, int se + } else if (s->cert->conf_sigalgs) { + *psigs = s->cert->conf_sigalgs; + return s->cert->conf_sigalgslen; ++ } else if (FIPS_mode()) { ++ *psigs = tls12_fips_sigalgs; ++ return OSSL_NELEM(tls12_fips_sigalgs); + } else { + *psigs = tls12_sigalgs; + return OSSL_NELEM(tls12_sigalgs); +@@ -973,6 +1008,9 @@ int tls_check_sigalg_curve(const SSL *s, + if (s->cert->conf_sigalgs) { + sigs = s->cert->conf_sigalgs; + siglen = s->cert->conf_sigalgslen; ++ } else if (FIPS_mode()) { ++ sigs = tls12_fips_sigalgs; ++ siglen = OSSL_NELEM(tls12_fips_sigalgs); + } else { + sigs = tls12_sigalgs; + siglen = OSSL_NELEM(tls12_sigalgs); +@@ -1617,6 +1655,8 @@ static int tls12_sigalg_allowed(const SS + if (lu->sig == NID_id_GostR3410_2012_256 + || lu->sig == NID_id_GostR3410_2012_512 + || lu->sig == NID_id_GostR3410_2001) { ++ if (FIPS_mode()) ++ return 0; + /* We never allow GOST sig algs on the server with TLSv1.3 */ + if (s->server && SSL_IS_TLS13(s)) + return 0; +@@ -2842,6 +2882,13 @@ int tls_choose_sigalg(SSL *s, int fatale + const uint16_t *sent_sigs; + size_t sent_sigslen; + ++ if (fatalerrs && FIPS_mode()) { ++ /* There are no suitable legacy algorithms in FIPS mode */ ++ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ++ SSL_F_TLS_CHOOSE_SIGALG, ++ SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM); ++ return 0; ++ } + if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) { + if (!fatalerrs) + return 1; diff --git a/openssl-1.1.1-fips-dh.patch b/openssl-1.1.1-fips-dh.patch new file mode 100644 index 0000000..e1c739b --- /dev/null +++ b/openssl-1.1.1-fips-dh.patch @@ -0,0 +1,2730 @@ +diff -up openssl-1.1.1j/crypto/bn/bn_const.c.fips-dh openssl-1.1.1j/crypto/bn/bn_const.c +--- openssl-1.1.1j/crypto/bn/bn_const.c.fips-dh 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/crypto/bn/bn_const.c 2021-03-03 14:23:27.403092418 +0100 +@@ -1,13 +1,17 @@ + /* +- * Copyright 2005-2016 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 2005-2020 The OpenSSL Project Authors. All Rights Reserved. + * +- * Licensed under the OpenSSL license (the "License"). You may not use ++ * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + + #include ++#include "crypto/bn_dh.h" ++ ++#define COPY_BN(dst, src) (dst != NULL) ? BN_copy(dst, &src) : BN_dup(&src) ++ + + /*- + * "First Oakley Default Group" from RFC2409, section 6.1. +@@ -80,33 +84,7 @@ BIGNUM *BN_get_rfc2409_prime_1024(BIGNUM + + BIGNUM *BN_get_rfc3526_prime_1536(BIGNUM *bn) + { +- static const unsigned char RFC3526_PRIME_1536[] = { +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34, +- 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, +- 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, +- 0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x13, 0x9B, 0x22, +- 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD, +- 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, +- 0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, 0x37, +- 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45, +- 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, +- 0xF4, 0x4C, 0x42, 0xE9, 0xA6, 0x37, 0xED, 0x6B, +- 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED, +- 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, +- 0xAE, 0x9F, 0x24, 0x11, 0x7C, 0x4B, 0x1F, 0xE6, +- 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D, +- 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05, +- 0x98, 0xDA, 0x48, 0x36, 0x1C, 0x55, 0xD3, 0x9A, +- 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F, +- 0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, +- 0x1C, 0x62, 0xF3, 0x56, 0x20, 0x85, 0x52, 0xBB, +- 0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D, +- 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04, +- 0xF1, 0x74, 0x6C, 0x08, 0xCA, 0x23, 0x73, 0x27, +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- }; +- return BN_bin2bn(RFC3526_PRIME_1536, sizeof(RFC3526_PRIME_1536), bn); ++ return COPY_BN(bn, _bignum_modp_1536_p); + } + + /*- +@@ -119,41 +97,7 @@ BIGNUM *BN_get_rfc3526_prime_1536(BIGNUM + + BIGNUM *BN_get_rfc3526_prime_2048(BIGNUM *bn) + { +- static const unsigned char RFC3526_PRIME_2048[] = { +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34, +- 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, +- 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, +- 0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x13, 0x9B, 0x22, +- 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD, +- 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, +- 0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, 0x37, +- 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45, +- 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, +- 0xF4, 0x4C, 0x42, 0xE9, 0xA6, 0x37, 0xED, 0x6B, +- 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED, +- 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, +- 0xAE, 0x9F, 0x24, 0x11, 0x7C, 0x4B, 0x1F, 0xE6, +- 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D, +- 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05, +- 0x98, 0xDA, 0x48, 0x36, 0x1C, 0x55, 0xD3, 0x9A, +- 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F, +- 0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, +- 0x1C, 0x62, 0xF3, 0x56, 0x20, 0x85, 0x52, 0xBB, +- 0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D, +- 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04, +- 0xF1, 0x74, 0x6C, 0x08, 0xCA, 0x18, 0x21, 0x7C, +- 0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B, +- 0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03, +- 0x9B, 0x27, 0x83, 0xA2, 0xEC, 0x07, 0xA2, 0x8F, +- 0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9, +- 0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18, +- 0x39, 0x95, 0x49, 0x7C, 0xEA, 0x95, 0x6A, 0xE5, +- 0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10, +- 0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAC, 0xAA, 0x68, +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- }; +- return BN_bin2bn(RFC3526_PRIME_2048, sizeof(RFC3526_PRIME_2048), bn); ++ return COPY_BN(bn, _bignum_modp_2048_p); + } + + /*- +@@ -166,57 +110,7 @@ BIGNUM *BN_get_rfc3526_prime_2048(BIGNUM + + BIGNUM *BN_get_rfc3526_prime_3072(BIGNUM *bn) + { +- static const unsigned char RFC3526_PRIME_3072[] = { +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34, +- 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, +- 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, +- 0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x13, 0x9B, 0x22, +- 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD, +- 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, +- 0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, 0x37, +- 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45, +- 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, +- 0xF4, 0x4C, 0x42, 0xE9, 0xA6, 0x37, 0xED, 0x6B, +- 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED, +- 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, +- 0xAE, 0x9F, 0x24, 0x11, 0x7C, 0x4B, 0x1F, 0xE6, +- 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D, +- 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05, +- 0x98, 0xDA, 0x48, 0x36, 0x1C, 0x55, 0xD3, 0x9A, +- 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F, +- 0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, +- 0x1C, 0x62, 0xF3, 0x56, 0x20, 0x85, 0x52, 0xBB, +- 0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D, +- 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04, +- 0xF1, 0x74, 0x6C, 0x08, 0xCA, 0x18, 0x21, 0x7C, +- 0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B, +- 0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03, +- 0x9B, 0x27, 0x83, 0xA2, 0xEC, 0x07, 0xA2, 0x8F, +- 0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9, +- 0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18, +- 0x39, 0x95, 0x49, 0x7C, 0xEA, 0x95, 0x6A, 0xE5, +- 0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10, +- 0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAA, 0xC4, 0x2D, +- 0xAD, 0x33, 0x17, 0x0D, 0x04, 0x50, 0x7A, 0x33, +- 0xA8, 0x55, 0x21, 0xAB, 0xDF, 0x1C, 0xBA, 0x64, +- 0xEC, 0xFB, 0x85, 0x04, 0x58, 0xDB, 0xEF, 0x0A, +- 0x8A, 0xEA, 0x71, 0x57, 0x5D, 0x06, 0x0C, 0x7D, +- 0xB3, 0x97, 0x0F, 0x85, 0xA6, 0xE1, 0xE4, 0xC7, +- 0xAB, 0xF5, 0xAE, 0x8C, 0xDB, 0x09, 0x33, 0xD7, +- 0x1E, 0x8C, 0x94, 0xE0, 0x4A, 0x25, 0x61, 0x9D, +- 0xCE, 0xE3, 0xD2, 0x26, 0x1A, 0xD2, 0xEE, 0x6B, +- 0xF1, 0x2F, 0xFA, 0x06, 0xD9, 0x8A, 0x08, 0x64, +- 0xD8, 0x76, 0x02, 0x73, 0x3E, 0xC8, 0x6A, 0x64, +- 0x52, 0x1F, 0x2B, 0x18, 0x17, 0x7B, 0x20, 0x0C, +- 0xBB, 0xE1, 0x17, 0x57, 0x7A, 0x61, 0x5D, 0x6C, +- 0x77, 0x09, 0x88, 0xC0, 0xBA, 0xD9, 0x46, 0xE2, +- 0x08, 0xE2, 0x4F, 0xA0, 0x74, 0xE5, 0xAB, 0x31, +- 0x43, 0xDB, 0x5B, 0xFC, 0xE0, 0xFD, 0x10, 0x8E, +- 0x4B, 0x82, 0xD1, 0x20, 0xA9, 0x3A, 0xD2, 0xCA, +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- }; +- return BN_bin2bn(RFC3526_PRIME_3072, sizeof(RFC3526_PRIME_3072), bn); ++ return COPY_BN(bn, _bignum_modp_3072_p); + } + + /*- +@@ -229,73 +123,7 @@ BIGNUM *BN_get_rfc3526_prime_3072(BIGNUM + + BIGNUM *BN_get_rfc3526_prime_4096(BIGNUM *bn) + { +- static const unsigned char RFC3526_PRIME_4096[] = { +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34, +- 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, +- 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, +- 0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x13, 0x9B, 0x22, +- 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD, +- 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, +- 0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, 0x37, +- 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45, +- 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, +- 0xF4, 0x4C, 0x42, 0xE9, 0xA6, 0x37, 0xED, 0x6B, +- 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED, +- 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, +- 0xAE, 0x9F, 0x24, 0x11, 0x7C, 0x4B, 0x1F, 0xE6, +- 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D, +- 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05, +- 0x98, 0xDA, 0x48, 0x36, 0x1C, 0x55, 0xD3, 0x9A, +- 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F, +- 0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, +- 0x1C, 0x62, 0xF3, 0x56, 0x20, 0x85, 0x52, 0xBB, +- 0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D, +- 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04, +- 0xF1, 0x74, 0x6C, 0x08, 0xCA, 0x18, 0x21, 0x7C, +- 0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B, +- 0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03, +- 0x9B, 0x27, 0x83, 0xA2, 0xEC, 0x07, 0xA2, 0x8F, +- 0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9, +- 0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18, +- 0x39, 0x95, 0x49, 0x7C, 0xEA, 0x95, 0x6A, 0xE5, +- 0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10, +- 0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAA, 0xC4, 0x2D, +- 0xAD, 0x33, 0x17, 0x0D, 0x04, 0x50, 0x7A, 0x33, +- 0xA8, 0x55, 0x21, 0xAB, 0xDF, 0x1C, 0xBA, 0x64, +- 0xEC, 0xFB, 0x85, 0x04, 0x58, 0xDB, 0xEF, 0x0A, +- 0x8A, 0xEA, 0x71, 0x57, 0x5D, 0x06, 0x0C, 0x7D, +- 0xB3, 0x97, 0x0F, 0x85, 0xA6, 0xE1, 0xE4, 0xC7, +- 0xAB, 0xF5, 0xAE, 0x8C, 0xDB, 0x09, 0x33, 0xD7, +- 0x1E, 0x8C, 0x94, 0xE0, 0x4A, 0x25, 0x61, 0x9D, +- 0xCE, 0xE3, 0xD2, 0x26, 0x1A, 0xD2, 0xEE, 0x6B, +- 0xF1, 0x2F, 0xFA, 0x06, 0xD9, 0x8A, 0x08, 0x64, +- 0xD8, 0x76, 0x02, 0x73, 0x3E, 0xC8, 0x6A, 0x64, +- 0x52, 0x1F, 0x2B, 0x18, 0x17, 0x7B, 0x20, 0x0C, +- 0xBB, 0xE1, 0x17, 0x57, 0x7A, 0x61, 0x5D, 0x6C, +- 0x77, 0x09, 0x88, 0xC0, 0xBA, 0xD9, 0x46, 0xE2, +- 0x08, 0xE2, 0x4F, 0xA0, 0x74, 0xE5, 0xAB, 0x31, +- 0x43, 0xDB, 0x5B, 0xFC, 0xE0, 0xFD, 0x10, 0x8E, +- 0x4B, 0x82, 0xD1, 0x20, 0xA9, 0x21, 0x08, 0x01, +- 0x1A, 0x72, 0x3C, 0x12, 0xA7, 0x87, 0xE6, 0xD7, +- 0x88, 0x71, 0x9A, 0x10, 0xBD, 0xBA, 0x5B, 0x26, +- 0x99, 0xC3, 0x27, 0x18, 0x6A, 0xF4, 0xE2, 0x3C, +- 0x1A, 0x94, 0x68, 0x34, 0xB6, 0x15, 0x0B, 0xDA, +- 0x25, 0x83, 0xE9, 0xCA, 0x2A, 0xD4, 0x4C, 0xE8, +- 0xDB, 0xBB, 0xC2, 0xDB, 0x04, 0xDE, 0x8E, 0xF9, +- 0x2E, 0x8E, 0xFC, 0x14, 0x1F, 0xBE, 0xCA, 0xA6, +- 0x28, 0x7C, 0x59, 0x47, 0x4E, 0x6B, 0xC0, 0x5D, +- 0x99, 0xB2, 0x96, 0x4F, 0xA0, 0x90, 0xC3, 0xA2, +- 0x23, 0x3B, 0xA1, 0x86, 0x51, 0x5B, 0xE7, 0xED, +- 0x1F, 0x61, 0x29, 0x70, 0xCE, 0xE2, 0xD7, 0xAF, +- 0xB8, 0x1B, 0xDD, 0x76, 0x21, 0x70, 0x48, 0x1C, +- 0xD0, 0x06, 0x91, 0x27, 0xD5, 0xB0, 0x5A, 0xA9, +- 0x93, 0xB4, 0xEA, 0x98, 0x8D, 0x8F, 0xDD, 0xC1, +- 0x86, 0xFF, 0xB7, 0xDC, 0x90, 0xA6, 0xC0, 0x8F, +- 0x4D, 0xF4, 0x35, 0xC9, 0x34, 0x06, 0x31, 0x99, +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- }; +- return BN_bin2bn(RFC3526_PRIME_4096, sizeof(RFC3526_PRIME_4096), bn); ++ return COPY_BN(bn, _bignum_modp_4096_p); + } + + /*- +@@ -308,105 +136,7 @@ BIGNUM *BN_get_rfc3526_prime_4096(BIGNUM + + BIGNUM *BN_get_rfc3526_prime_6144(BIGNUM *bn) + { +- static const unsigned char RFC3526_PRIME_6144[] = { +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34, +- 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, +- 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, +- 0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x13, 0x9B, 0x22, +- 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD, +- 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, +- 0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, 0x37, +- 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45, +- 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, +- 0xF4, 0x4C, 0x42, 0xE9, 0xA6, 0x37, 0xED, 0x6B, +- 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED, +- 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, +- 0xAE, 0x9F, 0x24, 0x11, 0x7C, 0x4B, 0x1F, 0xE6, +- 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D, +- 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05, +- 0x98, 0xDA, 0x48, 0x36, 0x1C, 0x55, 0xD3, 0x9A, +- 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F, +- 0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, +- 0x1C, 0x62, 0xF3, 0x56, 0x20, 0x85, 0x52, 0xBB, +- 0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D, +- 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04, +- 0xF1, 0x74, 0x6C, 0x08, 0xCA, 0x18, 0x21, 0x7C, +- 0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B, +- 0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03, +- 0x9B, 0x27, 0x83, 0xA2, 0xEC, 0x07, 0xA2, 0x8F, +- 0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9, +- 0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18, +- 0x39, 0x95, 0x49, 0x7C, 0xEA, 0x95, 0x6A, 0xE5, +- 0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10, +- 0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAA, 0xC4, 0x2D, +- 0xAD, 0x33, 0x17, 0x0D, 0x04, 0x50, 0x7A, 0x33, +- 0xA8, 0x55, 0x21, 0xAB, 0xDF, 0x1C, 0xBA, 0x64, +- 0xEC, 0xFB, 0x85, 0x04, 0x58, 0xDB, 0xEF, 0x0A, +- 0x8A, 0xEA, 0x71, 0x57, 0x5D, 0x06, 0x0C, 0x7D, +- 0xB3, 0x97, 0x0F, 0x85, 0xA6, 0xE1, 0xE4, 0xC7, +- 0xAB, 0xF5, 0xAE, 0x8C, 0xDB, 0x09, 0x33, 0xD7, +- 0x1E, 0x8C, 0x94, 0xE0, 0x4A, 0x25, 0x61, 0x9D, +- 0xCE, 0xE3, 0xD2, 0x26, 0x1A, 0xD2, 0xEE, 0x6B, +- 0xF1, 0x2F, 0xFA, 0x06, 0xD9, 0x8A, 0x08, 0x64, +- 0xD8, 0x76, 0x02, 0x73, 0x3E, 0xC8, 0x6A, 0x64, +- 0x52, 0x1F, 0x2B, 0x18, 0x17, 0x7B, 0x20, 0x0C, +- 0xBB, 0xE1, 0x17, 0x57, 0x7A, 0x61, 0x5D, 0x6C, +- 0x77, 0x09, 0x88, 0xC0, 0xBA, 0xD9, 0x46, 0xE2, +- 0x08, 0xE2, 0x4F, 0xA0, 0x74, 0xE5, 0xAB, 0x31, +- 0x43, 0xDB, 0x5B, 0xFC, 0xE0, 0xFD, 0x10, 0x8E, +- 0x4B, 0x82, 0xD1, 0x20, 0xA9, 0x21, 0x08, 0x01, +- 0x1A, 0x72, 0x3C, 0x12, 0xA7, 0x87, 0xE6, 0xD7, +- 0x88, 0x71, 0x9A, 0x10, 0xBD, 0xBA, 0x5B, 0x26, +- 0x99, 0xC3, 0x27, 0x18, 0x6A, 0xF4, 0xE2, 0x3C, +- 0x1A, 0x94, 0x68, 0x34, 0xB6, 0x15, 0x0B, 0xDA, +- 0x25, 0x83, 0xE9, 0xCA, 0x2A, 0xD4, 0x4C, 0xE8, +- 0xDB, 0xBB, 0xC2, 0xDB, 0x04, 0xDE, 0x8E, 0xF9, +- 0x2E, 0x8E, 0xFC, 0x14, 0x1F, 0xBE, 0xCA, 0xA6, +- 0x28, 0x7C, 0x59, 0x47, 0x4E, 0x6B, 0xC0, 0x5D, +- 0x99, 0xB2, 0x96, 0x4F, 0xA0, 0x90, 0xC3, 0xA2, +- 0x23, 0x3B, 0xA1, 0x86, 0x51, 0x5B, 0xE7, 0xED, +- 0x1F, 0x61, 0x29, 0x70, 0xCE, 0xE2, 0xD7, 0xAF, +- 0xB8, 0x1B, 0xDD, 0x76, 0x21, 0x70, 0x48, 0x1C, +- 0xD0, 0x06, 0x91, 0x27, 0xD5, 0xB0, 0x5A, 0xA9, +- 0x93, 0xB4, 0xEA, 0x98, 0x8D, 0x8F, 0xDD, 0xC1, +- 0x86, 0xFF, 0xB7, 0xDC, 0x90, 0xA6, 0xC0, 0x8F, +- 0x4D, 0xF4, 0x35, 0xC9, 0x34, 0x02, 0x84, 0x92, +- 0x36, 0xC3, 0xFA, 0xB4, 0xD2, 0x7C, 0x70, 0x26, +- 0xC1, 0xD4, 0xDC, 0xB2, 0x60, 0x26, 0x46, 0xDE, +- 0xC9, 0x75, 0x1E, 0x76, 0x3D, 0xBA, 0x37, 0xBD, +- 0xF8, 0xFF, 0x94, 0x06, 0xAD, 0x9E, 0x53, 0x0E, +- 0xE5, 0xDB, 0x38, 0x2F, 0x41, 0x30, 0x01, 0xAE, +- 0xB0, 0x6A, 0x53, 0xED, 0x90, 0x27, 0xD8, 0x31, +- 0x17, 0x97, 0x27, 0xB0, 0x86, 0x5A, 0x89, 0x18, +- 0xDA, 0x3E, 0xDB, 0xEB, 0xCF, 0x9B, 0x14, 0xED, +- 0x44, 0xCE, 0x6C, 0xBA, 0xCE, 0xD4, 0xBB, 0x1B, +- 0xDB, 0x7F, 0x14, 0x47, 0xE6, 0xCC, 0x25, 0x4B, +- 0x33, 0x20, 0x51, 0x51, 0x2B, 0xD7, 0xAF, 0x42, +- 0x6F, 0xB8, 0xF4, 0x01, 0x37, 0x8C, 0xD2, 0xBF, +- 0x59, 0x83, 0xCA, 0x01, 0xC6, 0x4B, 0x92, 0xEC, +- 0xF0, 0x32, 0xEA, 0x15, 0xD1, 0x72, 0x1D, 0x03, +- 0xF4, 0x82, 0xD7, 0xCE, 0x6E, 0x74, 0xFE, 0xF6, +- 0xD5, 0x5E, 0x70, 0x2F, 0x46, 0x98, 0x0C, 0x82, +- 0xB5, 0xA8, 0x40, 0x31, 0x90, 0x0B, 0x1C, 0x9E, +- 0x59, 0xE7, 0xC9, 0x7F, 0xBE, 0xC7, 0xE8, 0xF3, +- 0x23, 0xA9, 0x7A, 0x7E, 0x36, 0xCC, 0x88, 0xBE, +- 0x0F, 0x1D, 0x45, 0xB7, 0xFF, 0x58, 0x5A, 0xC5, +- 0x4B, 0xD4, 0x07, 0xB2, 0x2B, 0x41, 0x54, 0xAA, +- 0xCC, 0x8F, 0x6D, 0x7E, 0xBF, 0x48, 0xE1, 0xD8, +- 0x14, 0xCC, 0x5E, 0xD2, 0x0F, 0x80, 0x37, 0xE0, +- 0xA7, 0x97, 0x15, 0xEE, 0xF2, 0x9B, 0xE3, 0x28, +- 0x06, 0xA1, 0xD5, 0x8B, 0xB7, 0xC5, 0xDA, 0x76, +- 0xF5, 0x50, 0xAA, 0x3D, 0x8A, 0x1F, 0xBF, 0xF0, +- 0xEB, 0x19, 0xCC, 0xB1, 0xA3, 0x13, 0xD5, 0x5C, +- 0xDA, 0x56, 0xC9, 0xEC, 0x2E, 0xF2, 0x96, 0x32, +- 0x38, 0x7F, 0xE8, 0xD7, 0x6E, 0x3C, 0x04, 0x68, +- 0x04, 0x3E, 0x8F, 0x66, 0x3F, 0x48, 0x60, 0xEE, +- 0x12, 0xBF, 0x2D, 0x5B, 0x0B, 0x74, 0x74, 0xD6, +- 0xE6, 0x94, 0xF9, 0x1E, 0x6D, 0xCC, 0x40, 0x24, +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- }; +- return BN_bin2bn(RFC3526_PRIME_6144, sizeof(RFC3526_PRIME_6144), bn); ++ return COPY_BN(bn, _bignum_modp_6144_p); + } + + /*- +@@ -419,135 +149,5 @@ BIGNUM *BN_get_rfc3526_prime_6144(BIGNUM + + BIGNUM *BN_get_rfc3526_prime_8192(BIGNUM *bn) + { +- static const unsigned char RFC3526_PRIME_8192[] = { +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34, +- 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, +- 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, +- 0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x13, 0x9B, 0x22, +- 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD, +- 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, +- 0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, 0x37, +- 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45, +- 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, +- 0xF4, 0x4C, 0x42, 0xE9, 0xA6, 0x37, 0xED, 0x6B, +- 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED, +- 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, +- 0xAE, 0x9F, 0x24, 0x11, 0x7C, 0x4B, 0x1F, 0xE6, +- 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D, +- 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05, +- 0x98, 0xDA, 0x48, 0x36, 0x1C, 0x55, 0xD3, 0x9A, +- 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F, +- 0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, +- 0x1C, 0x62, 0xF3, 0x56, 0x20, 0x85, 0x52, 0xBB, +- 0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D, +- 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04, +- 0xF1, 0x74, 0x6C, 0x08, 0xCA, 0x18, 0x21, 0x7C, +- 0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B, +- 0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03, +- 0x9B, 0x27, 0x83, 0xA2, 0xEC, 0x07, 0xA2, 0x8F, +- 0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9, +- 0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18, +- 0x39, 0x95, 0x49, 0x7C, 0xEA, 0x95, 0x6A, 0xE5, +- 0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10, +- 0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAA, 0xC4, 0x2D, +- 0xAD, 0x33, 0x17, 0x0D, 0x04, 0x50, 0x7A, 0x33, +- 0xA8, 0x55, 0x21, 0xAB, 0xDF, 0x1C, 0xBA, 0x64, +- 0xEC, 0xFB, 0x85, 0x04, 0x58, 0xDB, 0xEF, 0x0A, +- 0x8A, 0xEA, 0x71, 0x57, 0x5D, 0x06, 0x0C, 0x7D, +- 0xB3, 0x97, 0x0F, 0x85, 0xA6, 0xE1, 0xE4, 0xC7, +- 0xAB, 0xF5, 0xAE, 0x8C, 0xDB, 0x09, 0x33, 0xD7, +- 0x1E, 0x8C, 0x94, 0xE0, 0x4A, 0x25, 0x61, 0x9D, +- 0xCE, 0xE3, 0xD2, 0x26, 0x1A, 0xD2, 0xEE, 0x6B, +- 0xF1, 0x2F, 0xFA, 0x06, 0xD9, 0x8A, 0x08, 0x64, +- 0xD8, 0x76, 0x02, 0x73, 0x3E, 0xC8, 0x6A, 0x64, +- 0x52, 0x1F, 0x2B, 0x18, 0x17, 0x7B, 0x20, 0x0C, +- 0xBB, 0xE1, 0x17, 0x57, 0x7A, 0x61, 0x5D, 0x6C, +- 0x77, 0x09, 0x88, 0xC0, 0xBA, 0xD9, 0x46, 0xE2, +- 0x08, 0xE2, 0x4F, 0xA0, 0x74, 0xE5, 0xAB, 0x31, +- 0x43, 0xDB, 0x5B, 0xFC, 0xE0, 0xFD, 0x10, 0x8E, +- 0x4B, 0x82, 0xD1, 0x20, 0xA9, 0x21, 0x08, 0x01, +- 0x1A, 0x72, 0x3C, 0x12, 0xA7, 0x87, 0xE6, 0xD7, +- 0x88, 0x71, 0x9A, 0x10, 0xBD, 0xBA, 0x5B, 0x26, +- 0x99, 0xC3, 0x27, 0x18, 0x6A, 0xF4, 0xE2, 0x3C, +- 0x1A, 0x94, 0x68, 0x34, 0xB6, 0x15, 0x0B, 0xDA, +- 0x25, 0x83, 0xE9, 0xCA, 0x2A, 0xD4, 0x4C, 0xE8, +- 0xDB, 0xBB, 0xC2, 0xDB, 0x04, 0xDE, 0x8E, 0xF9, +- 0x2E, 0x8E, 0xFC, 0x14, 0x1F, 0xBE, 0xCA, 0xA6, +- 0x28, 0x7C, 0x59, 0x47, 0x4E, 0x6B, 0xC0, 0x5D, +- 0x99, 0xB2, 0x96, 0x4F, 0xA0, 0x90, 0xC3, 0xA2, +- 0x23, 0x3B, 0xA1, 0x86, 0x51, 0x5B, 0xE7, 0xED, +- 0x1F, 0x61, 0x29, 0x70, 0xCE, 0xE2, 0xD7, 0xAF, +- 0xB8, 0x1B, 0xDD, 0x76, 0x21, 0x70, 0x48, 0x1C, +- 0xD0, 0x06, 0x91, 0x27, 0xD5, 0xB0, 0x5A, 0xA9, +- 0x93, 0xB4, 0xEA, 0x98, 0x8D, 0x8F, 0xDD, 0xC1, +- 0x86, 0xFF, 0xB7, 0xDC, 0x90, 0xA6, 0xC0, 0x8F, +- 0x4D, 0xF4, 0x35, 0xC9, 0x34, 0x02, 0x84, 0x92, +- 0x36, 0xC3, 0xFA, 0xB4, 0xD2, 0x7C, 0x70, 0x26, +- 0xC1, 0xD4, 0xDC, 0xB2, 0x60, 0x26, 0x46, 0xDE, +- 0xC9, 0x75, 0x1E, 0x76, 0x3D, 0xBA, 0x37, 0xBD, +- 0xF8, 0xFF, 0x94, 0x06, 0xAD, 0x9E, 0x53, 0x0E, +- 0xE5, 0xDB, 0x38, 0x2F, 0x41, 0x30, 0x01, 0xAE, +- 0xB0, 0x6A, 0x53, 0xED, 0x90, 0x27, 0xD8, 0x31, +- 0x17, 0x97, 0x27, 0xB0, 0x86, 0x5A, 0x89, 0x18, +- 0xDA, 0x3E, 0xDB, 0xEB, 0xCF, 0x9B, 0x14, 0xED, +- 0x44, 0xCE, 0x6C, 0xBA, 0xCE, 0xD4, 0xBB, 0x1B, +- 0xDB, 0x7F, 0x14, 0x47, 0xE6, 0xCC, 0x25, 0x4B, +- 0x33, 0x20, 0x51, 0x51, 0x2B, 0xD7, 0xAF, 0x42, +- 0x6F, 0xB8, 0xF4, 0x01, 0x37, 0x8C, 0xD2, 0xBF, +- 0x59, 0x83, 0xCA, 0x01, 0xC6, 0x4B, 0x92, 0xEC, +- 0xF0, 0x32, 0xEA, 0x15, 0xD1, 0x72, 0x1D, 0x03, +- 0xF4, 0x82, 0xD7, 0xCE, 0x6E, 0x74, 0xFE, 0xF6, +- 0xD5, 0x5E, 0x70, 0x2F, 0x46, 0x98, 0x0C, 0x82, +- 0xB5, 0xA8, 0x40, 0x31, 0x90, 0x0B, 0x1C, 0x9E, +- 0x59, 0xE7, 0xC9, 0x7F, 0xBE, 0xC7, 0xE8, 0xF3, +- 0x23, 0xA9, 0x7A, 0x7E, 0x36, 0xCC, 0x88, 0xBE, +- 0x0F, 0x1D, 0x45, 0xB7, 0xFF, 0x58, 0x5A, 0xC5, +- 0x4B, 0xD4, 0x07, 0xB2, 0x2B, 0x41, 0x54, 0xAA, +- 0xCC, 0x8F, 0x6D, 0x7E, 0xBF, 0x48, 0xE1, 0xD8, +- 0x14, 0xCC, 0x5E, 0xD2, 0x0F, 0x80, 0x37, 0xE0, +- 0xA7, 0x97, 0x15, 0xEE, 0xF2, 0x9B, 0xE3, 0x28, +- 0x06, 0xA1, 0xD5, 0x8B, 0xB7, 0xC5, 0xDA, 0x76, +- 0xF5, 0x50, 0xAA, 0x3D, 0x8A, 0x1F, 0xBF, 0xF0, +- 0xEB, 0x19, 0xCC, 0xB1, 0xA3, 0x13, 0xD5, 0x5C, +- 0xDA, 0x56, 0xC9, 0xEC, 0x2E, 0xF2, 0x96, 0x32, +- 0x38, 0x7F, 0xE8, 0xD7, 0x6E, 0x3C, 0x04, 0x68, +- 0x04, 0x3E, 0x8F, 0x66, 0x3F, 0x48, 0x60, 0xEE, +- 0x12, 0xBF, 0x2D, 0x5B, 0x0B, 0x74, 0x74, 0xD6, +- 0xE6, 0x94, 0xF9, 0x1E, 0x6D, 0xBE, 0x11, 0x59, +- 0x74, 0xA3, 0x92, 0x6F, 0x12, 0xFE, 0xE5, 0xE4, +- 0x38, 0x77, 0x7C, 0xB6, 0xA9, 0x32, 0xDF, 0x8C, +- 0xD8, 0xBE, 0xC4, 0xD0, 0x73, 0xB9, 0x31, 0xBA, +- 0x3B, 0xC8, 0x32, 0xB6, 0x8D, 0x9D, 0xD3, 0x00, +- 0x74, 0x1F, 0xA7, 0xBF, 0x8A, 0xFC, 0x47, 0xED, +- 0x25, 0x76, 0xF6, 0x93, 0x6B, 0xA4, 0x24, 0x66, +- 0x3A, 0xAB, 0x63, 0x9C, 0x5A, 0xE4, 0xF5, 0x68, +- 0x34, 0x23, 0xB4, 0x74, 0x2B, 0xF1, 0xC9, 0x78, +- 0x23, 0x8F, 0x16, 0xCB, 0xE3, 0x9D, 0x65, 0x2D, +- 0xE3, 0xFD, 0xB8, 0xBE, 0xFC, 0x84, 0x8A, 0xD9, +- 0x22, 0x22, 0x2E, 0x04, 0xA4, 0x03, 0x7C, 0x07, +- 0x13, 0xEB, 0x57, 0xA8, 0x1A, 0x23, 0xF0, 0xC7, +- 0x34, 0x73, 0xFC, 0x64, 0x6C, 0xEA, 0x30, 0x6B, +- 0x4B, 0xCB, 0xC8, 0x86, 0x2F, 0x83, 0x85, 0xDD, +- 0xFA, 0x9D, 0x4B, 0x7F, 0xA2, 0xC0, 0x87, 0xE8, +- 0x79, 0x68, 0x33, 0x03, 0xED, 0x5B, 0xDD, 0x3A, +- 0x06, 0x2B, 0x3C, 0xF5, 0xB3, 0xA2, 0x78, 0xA6, +- 0x6D, 0x2A, 0x13, 0xF8, 0x3F, 0x44, 0xF8, 0x2D, +- 0xDF, 0x31, 0x0E, 0xE0, 0x74, 0xAB, 0x6A, 0x36, +- 0x45, 0x97, 0xE8, 0x99, 0xA0, 0x25, 0x5D, 0xC1, +- 0x64, 0xF3, 0x1C, 0xC5, 0x08, 0x46, 0x85, 0x1D, +- 0xF9, 0xAB, 0x48, 0x19, 0x5D, 0xED, 0x7E, 0xA1, +- 0xB1, 0xD5, 0x10, 0xBD, 0x7E, 0xE7, 0x4D, 0x73, +- 0xFA, 0xF3, 0x6B, 0xC3, 0x1E, 0xCF, 0xA2, 0x68, +- 0x35, 0x90, 0x46, 0xF4, 0xEB, 0x87, 0x9F, 0x92, +- 0x40, 0x09, 0x43, 0x8B, 0x48, 0x1C, 0x6C, 0xD7, +- 0x88, 0x9A, 0x00, 0x2E, 0xD5, 0xEE, 0x38, 0x2B, +- 0xC9, 0x19, 0x0D, 0xA6, 0xFC, 0x02, 0x6E, 0x47, +- 0x95, 0x58, 0xE4, 0x47, 0x56, 0x77, 0xE9, 0xAA, +- 0x9E, 0x30, 0x50, 0xE2, 0x76, 0x56, 0x94, 0xDF, +- 0xC8, 0x1F, 0x56, 0xE8, 0x80, 0xB9, 0x6E, 0x71, +- 0x60, 0xC9, 0x80, 0xDD, 0x98, 0xED, 0xD3, 0xDF, +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- }; +- return BN_bin2bn(RFC3526_PRIME_8192, sizeof(RFC3526_PRIME_8192), bn); ++ return COPY_BN(bn, _bignum_modp_8192_p); + } +diff -up openssl-1.1.1j/crypto/bn/bn_dh.c.fips-dh openssl-1.1.1j/crypto/bn/bn_dh.c +--- openssl-1.1.1j/crypto/bn/bn_dh.c.fips-dh 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/crypto/bn/bn_dh.c 2021-03-03 14:23:27.404092427 +0100 +@@ -1,7 +1,7 @@ + /* +- * Copyright 2014-2017 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 2014-2020 The OpenSSL Project Authors. All Rights Reserved. + * +- * Licensed under the OpenSSL license (the "License"). You may not use ++ * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html +@@ -11,474 +11,995 @@ + #include "internal/nelem.h" + + #ifndef OPENSSL_NO_DH +-#include +-#include "crypto/bn_dh.h" +-/* DH parameters from RFC5114 */ ++# include ++# include "crypto/bn_dh.h" + + # if BN_BITS2 == 64 +-static const BN_ULONG dh1024_160_p[] = { +- 0xDF1FB2BC2E4A4371ULL, 0xE68CFDA76D4DA708ULL, 0x45BF37DF365C1A65ULL, +- 0xA151AF5F0DC8B4BDULL, 0xFAA31A4FF55BCCC0ULL, 0x4EFFD6FAE5644738ULL, +- 0x98488E9C219A7372ULL, 0xACCBDD7D90C4BD70ULL, 0x24975C3CD49B83BFULL, +- 0x13ECB4AEA9061123ULL, 0x9838EF1E2EE652C0ULL, 0x6073E28675A23D18ULL, +- 0x9A6A9DCA52D23B61ULL, 0x52C99FBCFB06A3C6ULL, 0xDE92DE5EAE5D54ECULL, +- 0xB10B8F96A080E01DULL +-}; +- +-static const BN_ULONG dh1024_160_g[] = { +- 0x855E6EEB22B3B2E5ULL, 0x858F4DCEF97C2A24ULL, 0x2D779D5918D08BC8ULL, +- 0xD662A4D18E73AFA3ULL, 0x1DBF0A0169B6A28AULL, 0xA6A24C087A091F53ULL, +- 0x909D0D2263F80A76ULL, 0xD7FBD7D3B9A92EE1ULL, 0x5E91547F9E2749F4ULL, +- 0x160217B4B01B886AULL, 0x777E690F5504F213ULL, 0x266FEA1E5C41564BULL, +- 0xD6406CFF14266D31ULL, 0xF8104DD258AC507FULL, 0x6765A442EFB99905ULL, +- 0xA4D1CBD5C3FD3412ULL +-}; +- +-static const BN_ULONG dh1024_160_q[] = { +- 0x64B7CB9D49462353ULL, 0x81A8DF278ABA4E7DULL, 0x00000000F518AA87ULL +-}; +- +-static const BN_ULONG dh2048_224_p[] = { +- 0x0AC4DFFE0C10E64FULL, 0xCF9DE5384E71B81CULL, 0x7EF363E2FFA31F71ULL, +- 0xE3FB73C16B8E75B9ULL, 0xC9B53DCF4BA80A29ULL, 0x23F10B0E16E79763ULL, +- 0xC52172E413042E9BULL, 0xBE60E69CC928B2B9ULL, 0x80CD86A1B9E587E8ULL, +- 0x315D75E198C641A4ULL, 0xCDF93ACC44328387ULL, 0x15987D9ADC0A486DULL, +- 0x7310F7121FD5A074ULL, 0x278273C7DE31EFDCULL, 0x1602E714415D9330ULL, +- 0x81286130BC8985DBULL, 0xB3BF8A3170918836ULL, 0x6A00E0A0B9C49708ULL, +- 0xC6BA0B2C8BBC27BEULL, 0xC9F98D11ED34DBF6ULL, 0x7AD5B7D0B6C12207ULL, +- 0xD91E8FEF55B7394BULL, 0x9037C9EDEFDA4DF8ULL, 0x6D3F8152AD6AC212ULL, +- 0x1DE6B85A1274A0A6ULL, 0xEB3D688A309C180EULL, 0xAF9A3C407BA1DF15ULL, +- 0xE6FA141DF95A56DBULL, 0xB54B1597B61D0A75ULL, 0xA20D64E5683B9FD1ULL, +- 0xD660FAA79559C51FULL, 0xAD107E1E9123A9D0ULL +-}; +- +-static const BN_ULONG dh2048_224_g[] = { +- 0x84B890D3191F2BFAULL, 0x81BC087F2A7065B3ULL, 0x19C418E1F6EC0179ULL, +- 0x7B5A0F1C71CFFF4CULL, 0xEDFE72FE9B6AA4BDULL, 0x81E1BCFE94B30269ULL, +- 0x566AFBB48D6C0191ULL, 0xB539CCE3409D13CDULL, 0x6AA21E7F5F2FF381ULL, +- 0xD9E263E4770589EFULL, 0x10E183EDD19963DDULL, 0xB70A8137150B8EEBULL, +- 0x051AE3D428C8F8ACULL, 0xBB77A86F0C1AB15BULL, 0x6E3025E316A330EFULL, +- 0x19529A45D6F83456ULL, 0xF180EB34118E98D1ULL, 0xB5F6C6B250717CBEULL, +- 0x09939D54DA7460CDULL, 0xE247150422EA1ED4ULL, 0xB8A762D0521BC98AULL, +- 0xF4D027275AC1348BULL, 0xC17669101999024AULL, 0xBE5E9001A8D66AD7ULL, +- 0xC57DB17C620A8652ULL, 0xAB739D7700C29F52ULL, 0xDD921F01A70C4AFAULL, +- 0xA6824A4E10B9A6F0ULL, 0x74866A08CFE4FFE3ULL, 0x6CDEBE7B89998CAFULL, +- 0x9DF30B5C8FFDAC50ULL, 0xAC4032EF4F2D9AE3ULL +-}; +- +-static const BN_ULONG dh2048_224_q[] = { +- 0xBF389A99B36371EBULL, 0x1F80535A4738CEBCULL, 0xC58D93FE99717710ULL, +- 0x00000000801C0D34ULL +-}; +- +-static const BN_ULONG dh2048_256_p[] = { +- 0xDB094AE91E1A1597ULL, 0x693877FAD7EF09CAULL, 0x6116D2276E11715FULL, +- 0xA4B54330C198AF12ULL, 0x75F26375D7014103ULL, 0xC3A3960A54E710C3ULL, +- 0xDED4010ABD0BE621ULL, 0xC0B857F689962856ULL, 0xB3CA3F7971506026ULL, +- 0x1CCACB83E6B486F6ULL, 0x67E144E514056425ULL, 0xF6A167B5A41825D9ULL, +- 0x3AD8347796524D8EULL, 0xF13C6D9A51BFA4ABULL, 0x2D52526735488A0EULL, +- 0xB63ACAE1CAA6B790ULL, 0x4FDB70C581B23F76ULL, 0xBC39A0BF12307F5CULL, +- 0xB941F54EB1E59BB8ULL, 0x6C5BFC11D45F9088ULL, 0x22E0B1EF4275BF7BULL, +- 0x91F9E6725B4758C0ULL, 0x5A8A9D306BCF67EDULL, 0x209E0C6497517ABDULL, +- 0x3BF4296D830E9A7CULL, 0x16C3D91134096FAAULL, 0xFAF7DF4561B2AA30ULL, +- 0xE00DF8F1D61957D4ULL, 0x5D2CEED4435E3B00ULL, 0x8CEEF608660DD0F2ULL, +- 0xFFBBD19C65195999ULL, 0x87A8E61DB4B6663CULL +-}; ++# define BN_DEF(lo, hi) (BN_ULONG)hi << 32 | lo ++# else ++# define BN_DEF(lo, hi) lo, hi ++# endif + +-static const BN_ULONG dh2048_256_g[] = { +- 0x664B4C0F6CC41659ULL, 0x5E2327CFEF98C582ULL, 0xD647D148D4795451ULL, +- 0x2F63078490F00EF8ULL, 0x184B523D1DB246C3ULL, 0xC7891428CDC67EB6ULL, +- 0x7FD028370DF92B52ULL, 0xB3353BBB64E0EC37ULL, 0xECD06E1557CD0915ULL, +- 0xB7D2BBD2DF016199ULL, 0xC8484B1E052588B9ULL, 0xDB2A3B7313D3FE14ULL, +- 0xD052B985D182EA0AULL, 0xA4BD1BFFE83B9C80ULL, 0xDFC967C1FB3F2E55ULL, +- 0xB5045AF2767164E1ULL, 0x1D14348F6F2F9193ULL, 0x64E67982428EBC83ULL, +- 0x8AC376D282D6ED38ULL, 0x777DE62AAAB8A862ULL, 0xDDF463E5E9EC144BULL, +- 0x0196F931C77A57F2ULL, 0xA55AE31341000A65ULL, 0x901228F8C28CBB18ULL, +- 0xBC3773BF7E8C6F62ULL, 0xBE3A6C1B0C6B47B1ULL, 0xFF4FED4AAC0BB555ULL, +- 0x10DBC15077BE463FULL, 0x07F4793A1A0BA125ULL, 0x4CA7B18F21EF2054ULL, +- 0x2E77506660EDBD48ULL, 0x3FB32C9B73134D0BULL +-}; ++/* DH parameters from RFC3526 */ + +-static const BN_ULONG dh2048_256_q[] = { +- 0xA308B0FE64F5FBD3ULL, 0x99B1A47D1EB3750BULL, 0xB447997640129DA2ULL, +- 0x8CF83642A709A097ULL ++/* ++ * "1536-bit MODP Group" from RFC3526, Section 2. ++ * ++ * The prime is: 2^1536 - 2^1472 - 1 + 2^64 * { [2^1406 pi] + 741804 } ++ * ++ * RFC3526 specifies a generator of 2. ++ * RFC2312 specifies a generator of 22. ++ */ ++static const BN_ULONG modp_1536_p[] = { ++ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0xCA237327, 0xF1746C08), ++ BN_DEF(0x4ABC9804, 0x670C354E), BN_DEF(0x7096966D, 0x9ED52907), ++ BN_DEF(0x208552BB, 0x1C62F356), BN_DEF(0xDCA3AD96, 0x83655D23), ++ BN_DEF(0xFD24CF5F, 0x69163FA8), BN_DEF(0x1C55D39A, 0x98DA4836), ++ BN_DEF(0xA163BF05, 0xC2007CB8), BN_DEF(0xECE45B3D, 0x49286651), ++ BN_DEF(0x7C4B1FE6, 0xAE9F2411), BN_DEF(0x5A899FA5, 0xEE386BFB), ++ BN_DEF(0xF406B7ED, 0x0BFF5CB6), BN_DEF(0xA637ED6B, 0xF44C42E9), ++ BN_DEF(0x625E7EC6, 0xE485B576), BN_DEF(0x6D51C245, 0x4FE1356D), ++ BN_DEF(0xF25F1437, 0x302B0A6D), BN_DEF(0xCD3A431B, 0xEF9519B3), ++ BN_DEF(0x8E3404DD, 0x514A0879), BN_DEF(0x3B139B22, 0x020BBEA6), ++ BN_DEF(0x8A67CC74, 0x29024E08), BN_DEF(0x80DC1CD1, 0xC4C6628B), ++ BN_DEF(0x2168C234, 0xC90FDAA2), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF) ++}; ++/* q = (p - 1) / 2 */ ++static const BN_ULONG modp_1536_q[] = { ++ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x6511B993, 0x78BA3604), ++ BN_DEF(0x255E4C02, 0xB3861AA7), BN_DEF(0xB84B4B36, 0xCF6A9483), ++ BN_DEF(0x1042A95D, 0x0E3179AB), BN_DEF(0xEE51D6CB, 0xC1B2AE91), ++ BN_DEF(0x7E9267AF, 0x348B1FD4), BN_DEF(0x0E2AE9CD, 0xCC6D241B), ++ BN_DEF(0x50B1DF82, 0xE1003E5C), BN_DEF(0xF6722D9E, 0x24943328), ++ BN_DEF(0xBE258FF3, 0xD74F9208), BN_DEF(0xAD44CFD2, 0xF71C35FD), ++ BN_DEF(0x7A035BF6, 0x85FFAE5B), BN_DEF(0xD31BF6B5, 0x7A262174), ++ BN_DEF(0x312F3F63, 0xF242DABB), BN_DEF(0xB6A8E122, 0xA7F09AB6), ++ BN_DEF(0xF92F8A1B, 0x98158536), BN_DEF(0xE69D218D, 0xF7CA8CD9), ++ BN_DEF(0xC71A026E, 0x28A5043C), BN_DEF(0x1D89CD91, 0x0105DF53), ++ BN_DEF(0x4533E63A, 0x94812704), BN_DEF(0xC06E0E68, 0x62633145), ++ BN_DEF(0x10B4611A, 0xE487ED51), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF) + }; + +-/* Primes from RFC 7919 */ +-static const BN_ULONG ffdhe2048_p[] = { +- 0xFFFFFFFFFFFFFFFFULL, 0x886B423861285C97ULL, 0xC6F34A26C1B2EFFAULL, +- 0xC58EF1837D1683B2ULL, 0x3BB5FCBC2EC22005ULL, 0xC3FE3B1B4C6FAD73ULL, +- 0x8E4F1232EEF28183ULL, 0x9172FE9CE98583FFULL, 0xC03404CD28342F61ULL, +- 0x9E02FCE1CDF7E2ECULL, 0x0B07A7C8EE0A6D70ULL, 0xAE56EDE76372BB19ULL, +- 0x1D4F42A3DE394DF4ULL, 0xB96ADAB760D7F468ULL, 0xD108A94BB2C8E3FBULL, +- 0xBC0AB182B324FB61ULL, 0x30ACCA4F483A797AULL, 0x1DF158A136ADE735ULL, +- 0xE2A689DAF3EFE872ULL, 0x984F0C70E0E68B77ULL, 0xB557135E7F57C935ULL, +- 0x856365553DED1AF3ULL, 0x2433F51F5F066ED0ULL, 0xD3DF1ED5D5FD6561ULL, +- 0xF681B202AEC4617AULL, 0x7D2FE363630C75D8ULL, 0xCC939DCE249B3EF9ULL, +- 0xA9E13641146433FBULL, 0xD8B9C583CE2D3695ULL, 0xAFDC5620273D3CF1ULL, +- 0xADF85458A2BB4A9AULL, 0xFFFFFFFFFFFFFFFFULL ++/*- ++ * "2048-bit MODP Group" from RFC3526, Section 3. ++ * ++ * The prime is: 2^2048 - 2^1984 - 1 + 2^64 * { [2^1918 pi] + 124476 } ++ * ++ * RFC3526 specifies a generator of 2. ++ */ ++static const BN_ULONG modp_2048_p[] = { ++ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x8AACAA68, 0x15728E5A), ++ BN_DEF(0x98FA0510, 0x15D22618), BN_DEF(0xEA956AE5, 0x3995497C), ++ BN_DEF(0x95581718, 0xDE2BCBF6), BN_DEF(0x6F4C52C9, 0xB5C55DF0), ++ BN_DEF(0xEC07A28F, 0x9B2783A2), BN_DEF(0x180E8603, 0xE39E772C), ++ BN_DEF(0x2E36CE3B, 0x32905E46), BN_DEF(0xCA18217C, 0xF1746C08), ++ BN_DEF(0x4ABC9804, 0x670C354E), BN_DEF(0x7096966D, 0x9ED52907), ++ BN_DEF(0x208552BB, 0x1C62F356), BN_DEF(0xDCA3AD96, 0x83655D23), ++ BN_DEF(0xFD24CF5F, 0x69163FA8), BN_DEF(0x1C55D39A, 0x98DA4836), ++ BN_DEF(0xA163BF05, 0xC2007CB8), BN_DEF(0xECE45B3D, 0x49286651), ++ BN_DEF(0x7C4B1FE6, 0xAE9F2411), BN_DEF(0x5A899FA5, 0xEE386BFB), ++ BN_DEF(0xF406B7ED, 0x0BFF5CB6), BN_DEF(0xA637ED6B, 0xF44C42E9), ++ BN_DEF(0x625E7EC6, 0xE485B576), BN_DEF(0x6D51C245, 0x4FE1356D), ++ BN_DEF(0xF25F1437, 0x302B0A6D), BN_DEF(0xCD3A431B, 0xEF9519B3), ++ BN_DEF(0x8E3404DD, 0x514A0879), BN_DEF(0x3B139B22, 0x020BBEA6), ++ BN_DEF(0x8A67CC74, 0x29024E08), BN_DEF(0x80DC1CD1, 0xC4C6628B), ++ BN_DEF(0x2168C234, 0xC90FDAA2), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF) ++}; ++/* q = (p - 1) / 2 */ ++static const BN_ULONG modp_2048_q[] = { ++ BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), BN_DEF(0x45565534, 0x0AB9472D), ++ BN_DEF(0x4C7D0288, 0x8AE9130C), BN_DEF(0x754AB572, 0x1CCAA4BE), ++ BN_DEF(0x4AAC0B8C, 0xEF15E5FB), BN_DEF(0x37A62964, 0xDAE2AEF8), ++ BN_DEF(0x7603D147, 0xCD93C1D1), BN_DEF(0x0C074301, 0xF1CF3B96), ++ BN_DEF(0x171B671D, 0x19482F23), BN_DEF(0x650C10BE, 0x78BA3604), ++ BN_DEF(0x255E4C02, 0xB3861AA7), BN_DEF(0xB84B4B36, 0xCF6A9483), ++ BN_DEF(0x1042A95D, 0x0E3179AB), BN_DEF(0xEE51D6CB, 0xC1B2AE91), ++ BN_DEF(0x7E9267AF, 0x348B1FD4), BN_DEF(0x0E2AE9CD, 0xCC6D241B), ++ BN_DEF(0x50B1DF82, 0xE1003E5C), BN_DEF(0xF6722D9E, 0x24943328), ++ BN_DEF(0xBE258FF3, 0xD74F9208), BN_DEF(0xAD44CFD2, 0xF71C35FD), ++ BN_DEF(0x7A035BF6, 0x85FFAE5B), BN_DEF(0xD31BF6B5, 0x7A262174), ++ BN_DEF(0x312F3F63, 0xF242DABB), BN_DEF(0xB6A8E122, 0xA7F09AB6), ++ BN_DEF(0xF92F8A1B, 0x98158536), BN_DEF(0xE69D218D, 0xF7CA8CD9), ++ BN_DEF(0xC71A026E, 0x28A5043C), BN_DEF(0x1D89CD91, 0x0105DF53), ++ BN_DEF(0x4533E63A, 0x94812704), BN_DEF(0xC06E0E68, 0x62633145), ++ BN_DEF(0x10B4611A, 0xE487ED51), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), + }; + +-static const BN_ULONG ffdhe3072_p[] = { +- 0xFFFFFFFFFFFFFFFFULL, 0x25E41D2B66C62E37ULL, 0x3C1B20EE3FD59D7CULL, +- 0x0ABCD06BFA53DDEFULL, 0x1DBF9A42D5C4484EULL, 0xABC521979B0DEADAULL, +- 0xE86D2BC522363A0DULL, 0x5CAE82AB9C9DF69EULL, 0x64F2E21E71F54BFFULL, +- 0xF4FD4452E2D74DD3ULL, 0xB4130C93BC437944ULL, 0xAEFE130985139270ULL, +- 0x598CB0FAC186D91CULL, 0x7AD91D2691F7F7EEULL, 0x61B46FC9D6E6C907ULL, +- 0xBC34F4DEF99C0238ULL, 0xDE355B3B6519035BULL, 0x886B4238611FCFDCULL, +- 0xC6F34A26C1B2EFFAULL, 0xC58EF1837D1683B2ULL, 0x3BB5FCBC2EC22005ULL, +- 0xC3FE3B1B4C6FAD73ULL, 0x8E4F1232EEF28183ULL, 0x9172FE9CE98583FFULL, +- 0xC03404CD28342F61ULL, 0x9E02FCE1CDF7E2ECULL, 0x0B07A7C8EE0A6D70ULL, +- 0xAE56EDE76372BB19ULL, 0x1D4F42A3DE394DF4ULL, 0xB96ADAB760D7F468ULL, +- 0xD108A94BB2C8E3FBULL, 0xBC0AB182B324FB61ULL, 0x30ACCA4F483A797AULL, +- 0x1DF158A136ADE735ULL, 0xE2A689DAF3EFE872ULL, 0x984F0C70E0E68B77ULL, +- 0xB557135E7F57C935ULL, 0x856365553DED1AF3ULL, 0x2433F51F5F066ED0ULL, +- 0xD3DF1ED5D5FD6561ULL, 0xF681B202AEC4617AULL, 0x7D2FE363630C75D8ULL, +- 0xCC939DCE249B3EF9ULL, 0xA9E13641146433FBULL, 0xD8B9C583CE2D3695ULL, +- 0xAFDC5620273D3CF1ULL, 0xADF85458A2BB4A9AULL, 0xFFFFFFFFFFFFFFFFULL ++/*- ++ * "3072-bit MODP Group" from RFC3526, Section 4. ++ * ++ * The prime is: 2^3072 - 2^3008 - 1 + 2^64 * { [2^2942 pi] + 1690314 } ++ * ++ * RFC3526 specifies a generator of 2. ++ */ ++static const BN_ULONG modp_3072_p[] = { ++ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0xA93AD2CA, 0x4B82D120), ++ BN_DEF(0xE0FD108E, 0x43DB5BFC), BN_DEF(0x74E5AB31, 0x08E24FA0), ++ BN_DEF(0xBAD946E2, 0x770988C0), BN_DEF(0x7A615D6C, 0xBBE11757), ++ BN_DEF(0x177B200C, 0x521F2B18), BN_DEF(0x3EC86A64, 0xD8760273), ++ BN_DEF(0xD98A0864, 0xF12FFA06), BN_DEF(0x1AD2EE6B, 0xCEE3D226), ++ BN_DEF(0x4A25619D, 0x1E8C94E0), BN_DEF(0xDB0933D7, 0xABF5AE8C), ++ BN_DEF(0xA6E1E4C7, 0xB3970F85), BN_DEF(0x5D060C7D, 0x8AEA7157), ++ BN_DEF(0x58DBEF0A, 0xECFB8504), BN_DEF(0xDF1CBA64, 0xA85521AB), ++ BN_DEF(0x04507A33, 0xAD33170D), BN_DEF(0x8AAAC42D, 0x15728E5A), ++ BN_DEF(0x98FA0510, 0x15D22618), BN_DEF(0xEA956AE5, 0x3995497C), ++ BN_DEF(0x95581718, 0xDE2BCBF6), BN_DEF(0x6F4C52C9, 0xB5C55DF0), ++ BN_DEF(0xEC07A28F, 0x9B2783A2), BN_DEF(0x180E8603, 0xE39E772C), ++ BN_DEF(0x2E36CE3B, 0x32905E46), BN_DEF(0xCA18217C, 0xF1746C08), ++ BN_DEF(0x4ABC9804, 0x670C354E), BN_DEF(0x7096966D, 0x9ED52907), ++ BN_DEF(0x208552BB, 0x1C62F356), BN_DEF(0xDCA3AD96, 0x83655D23), ++ BN_DEF(0xFD24CF5F, 0x69163FA8), BN_DEF(0x1C55D39A, 0x98DA4836), ++ BN_DEF(0xA163BF05, 0xC2007CB8), BN_DEF(0xECE45B3D, 0x49286651), ++ BN_DEF(0x7C4B1FE6, 0xAE9F2411), BN_DEF(0x5A899FA5, 0xEE386BFB), ++ BN_DEF(0xF406B7ED, 0x0BFF5CB6), BN_DEF(0xA637ED6B, 0xF44C42E9), ++ BN_DEF(0x625E7EC6, 0xE485B576), BN_DEF(0x6D51C245, 0x4FE1356D), ++ BN_DEF(0xF25F1437, 0x302B0A6D), BN_DEF(0xCD3A431B, 0xEF9519B3), ++ BN_DEF(0x8E3404DD, 0x514A0879), BN_DEF(0x3B139B22, 0x020BBEA6), ++ BN_DEF(0x8A67CC74, 0x29024E08), BN_DEF(0x80DC1CD1, 0xC4C6628B), ++ BN_DEF(0x2168C234, 0xC90FDAA2), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF) ++}; ++/* q = (p - 1) / 2 */ ++static const BN_ULONG modp_3072_q[] = { ++ BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), BN_DEF(0x549D6965, 0x25C16890), ++ BN_DEF(0x707E8847, 0xA1EDADFE), BN_DEF(0x3A72D598, 0x047127D0), ++ BN_DEF(0x5D6CA371, 0x3B84C460), BN_DEF(0xBD30AEB6, 0x5DF08BAB), ++ BN_DEF(0x0BBD9006, 0x290F958C), BN_DEF(0x9F643532, 0x6C3B0139), ++ BN_DEF(0x6CC50432, 0xF897FD03), BN_DEF(0x0D697735, 0xE771E913), ++ BN_DEF(0x2512B0CE, 0x8F464A70), BN_DEF(0x6D8499EB, 0xD5FAD746), ++ BN_DEF(0xD370F263, 0xD9CB87C2), BN_DEF(0xAE83063E, 0x457538AB), ++ BN_DEF(0x2C6DF785, 0x767DC282), BN_DEF(0xEF8E5D32, 0xD42A90D5), ++ BN_DEF(0x82283D19, 0xD6998B86), BN_DEF(0x45556216, 0x0AB9472D), ++ BN_DEF(0x4C7D0288, 0x8AE9130C), BN_DEF(0x754AB572, 0x1CCAA4BE), ++ BN_DEF(0x4AAC0B8C, 0xEF15E5FB), BN_DEF(0x37A62964, 0xDAE2AEF8), ++ BN_DEF(0x7603D147, 0xCD93C1D1), BN_DEF(0x0C074301, 0xF1CF3B96), ++ BN_DEF(0x171B671D, 0x19482F23), BN_DEF(0x650C10BE, 0x78BA3604), ++ BN_DEF(0x255E4C02, 0xB3861AA7), BN_DEF(0xB84B4B36, 0xCF6A9483), ++ BN_DEF(0x1042A95D, 0x0E3179AB), BN_DEF(0xEE51D6CB, 0xC1B2AE91), ++ BN_DEF(0x7E9267AF, 0x348B1FD4), BN_DEF(0x0E2AE9CD, 0xCC6D241B), ++ BN_DEF(0x50B1DF82, 0xE1003E5C), BN_DEF(0xF6722D9E, 0x24943328), ++ BN_DEF(0xBE258FF3, 0xD74F9208), BN_DEF(0xAD44CFD2, 0xF71C35FD), ++ BN_DEF(0x7A035BF6, 0x85FFAE5B), BN_DEF(0xD31BF6B5, 0x7A262174), ++ BN_DEF(0x312F3F63, 0xF242DABB), BN_DEF(0xB6A8E122, 0xA7F09AB6), ++ BN_DEF(0xF92F8A1B, 0x98158536), BN_DEF(0xE69D218D, 0xF7CA8CD9), ++ BN_DEF(0xC71A026E, 0x28A5043C), BN_DEF(0x1D89CD91, 0x0105DF53), ++ BN_DEF(0x4533E63A, 0x94812704), BN_DEF(0xC06E0E68, 0x62633145), ++ BN_DEF(0x10B4611A, 0xE487ED51), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), + }; + +-static const BN_ULONG ffdhe4096_p[] = { +- 0xFFFFFFFFFFFFFFFFULL, 0xC68A007E5E655F6AULL, 0x4DB5A851F44182E1ULL, +- 0x8EC9B55A7F88A46BULL, 0x0A8291CDCEC97DCFULL, 0x2A4ECEA9F98D0ACCULL, +- 0x1A1DB93D7140003CULL, 0x092999A333CB8B7AULL, 0x6DC778F971AD0038ULL, +- 0xA907600A918130C4ULL, 0xED6A1E012D9E6832ULL, 0x7135C886EFB4318AULL, +- 0x87F55BA57E31CC7AULL, 0x7763CF1D55034004ULL, 0xAC7D5F42D69F6D18ULL, +- 0x7930E9E4E58857B6ULL, 0x6E6F52C3164DF4FBULL, 0x25E41D2B669E1EF1ULL, +- 0x3C1B20EE3FD59D7CULL, 0x0ABCD06BFA53DDEFULL, 0x1DBF9A42D5C4484EULL, +- 0xABC521979B0DEADAULL, 0xE86D2BC522363A0DULL, 0x5CAE82AB9C9DF69EULL, +- 0x64F2E21E71F54BFFULL, 0xF4FD4452E2D74DD3ULL, 0xB4130C93BC437944ULL, +- 0xAEFE130985139270ULL, 0x598CB0FAC186D91CULL, 0x7AD91D2691F7F7EEULL, +- 0x61B46FC9D6E6C907ULL, 0xBC34F4DEF99C0238ULL, 0xDE355B3B6519035BULL, +- 0x886B4238611FCFDCULL, 0xC6F34A26C1B2EFFAULL, 0xC58EF1837D1683B2ULL, +- 0x3BB5FCBC2EC22005ULL, 0xC3FE3B1B4C6FAD73ULL, 0x8E4F1232EEF28183ULL, +- 0x9172FE9CE98583FFULL, 0xC03404CD28342F61ULL, 0x9E02FCE1CDF7E2ECULL, +- 0x0B07A7C8EE0A6D70ULL, 0xAE56EDE76372BB19ULL, 0x1D4F42A3DE394DF4ULL, +- 0xB96ADAB760D7F468ULL, 0xD108A94BB2C8E3FBULL, 0xBC0AB182B324FB61ULL, +- 0x30ACCA4F483A797AULL, 0x1DF158A136ADE735ULL, 0xE2A689DAF3EFE872ULL, +- 0x984F0C70E0E68B77ULL, 0xB557135E7F57C935ULL, 0x856365553DED1AF3ULL, +- 0x2433F51F5F066ED0ULL, 0xD3DF1ED5D5FD6561ULL, 0xF681B202AEC4617AULL, +- 0x7D2FE363630C75D8ULL, 0xCC939DCE249B3EF9ULL, 0xA9E13641146433FBULL, +- 0xD8B9C583CE2D3695ULL, 0xAFDC5620273D3CF1ULL, 0xADF85458A2BB4A9AULL, +- 0xFFFFFFFFFFFFFFFFULL ++/*- ++ * "4096-bit MODP Group" from RFC3526, Section 5. ++ * ++ * The prime is: 2^4096 - 2^4032 - 1 + 2^64 * { [2^3966 pi] + 240904 } ++ * ++ * RFC3526 specifies a generator of 2. ++ */ ++static const BN_ULONG modp_4096_p[] = { ++ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x34063199, 0x4DF435C9), ++ BN_DEF(0x90A6C08F, 0x86FFB7DC), BN_DEF(0x8D8FDDC1, 0x93B4EA98), ++ BN_DEF(0xD5B05AA9, 0xD0069127), BN_DEF(0x2170481C, 0xB81BDD76), ++ BN_DEF(0xCEE2D7AF, 0x1F612970), BN_DEF(0x515BE7ED, 0x233BA186), ++ BN_DEF(0xA090C3A2, 0x99B2964F), BN_DEF(0x4E6BC05D, 0x287C5947), ++ BN_DEF(0x1FBECAA6, 0x2E8EFC14), BN_DEF(0x04DE8EF9, 0xDBBBC2DB), ++ BN_DEF(0x2AD44CE8, 0x2583E9CA), BN_DEF(0xB6150BDA, 0x1A946834), ++ BN_DEF(0x6AF4E23C, 0x99C32718), BN_DEF(0xBDBA5B26, 0x88719A10), ++ BN_DEF(0xA787E6D7, 0x1A723C12), BN_DEF(0xA9210801, 0x4B82D120), ++ BN_DEF(0xE0FD108E, 0x43DB5BFC), BN_DEF(0x74E5AB31, 0x08E24FA0), ++ BN_DEF(0xBAD946E2, 0x770988C0), BN_DEF(0x7A615D6C, 0xBBE11757), ++ BN_DEF(0x177B200C, 0x521F2B18), BN_DEF(0x3EC86A64, 0xD8760273), ++ BN_DEF(0xD98A0864, 0xF12FFA06), BN_DEF(0x1AD2EE6B, 0xCEE3D226), ++ BN_DEF(0x4A25619D, 0x1E8C94E0), BN_DEF(0xDB0933D7, 0xABF5AE8C), ++ BN_DEF(0xA6E1E4C7, 0xB3970F85), BN_DEF(0x5D060C7D, 0x8AEA7157), ++ BN_DEF(0x58DBEF0A, 0xECFB8504), BN_DEF(0xDF1CBA64, 0xA85521AB), ++ BN_DEF(0x04507A33, 0xAD33170D), BN_DEF(0x8AAAC42D, 0x15728E5A), ++ BN_DEF(0x98FA0510, 0x15D22618), BN_DEF(0xEA956AE5, 0x3995497C), ++ BN_DEF(0x95581718, 0xDE2BCBF6), BN_DEF(0x6F4C52C9, 0xB5C55DF0), ++ BN_DEF(0xEC07A28F, 0x9B2783A2), BN_DEF(0x180E8603, 0xE39E772C), ++ BN_DEF(0x2E36CE3B, 0x32905E46), BN_DEF(0xCA18217C, 0xF1746C08), ++ BN_DEF(0x4ABC9804, 0x670C354E), BN_DEF(0x7096966D, 0x9ED52907), ++ BN_DEF(0x208552BB, 0x1C62F356), BN_DEF(0xDCA3AD96, 0x83655D23), ++ BN_DEF(0xFD24CF5F, 0x69163FA8), BN_DEF(0x1C55D39A, 0x98DA4836), ++ BN_DEF(0xA163BF05, 0xC2007CB8), BN_DEF(0xECE45B3D, 0x49286651), ++ BN_DEF(0x7C4B1FE6, 0xAE9F2411), BN_DEF(0x5A899FA5, 0xEE386BFB), ++ BN_DEF(0xF406B7ED, 0x0BFF5CB6), BN_DEF(0xA637ED6B, 0xF44C42E9), ++ BN_DEF(0x625E7EC6, 0xE485B576), BN_DEF(0x6D51C245, 0x4FE1356D), ++ BN_DEF(0xF25F1437, 0x302B0A6D), BN_DEF(0xCD3A431B, 0xEF9519B3), ++ BN_DEF(0x8E3404DD, 0x514A0879), BN_DEF(0x3B139B22, 0x020BBEA6), ++ BN_DEF(0x8A67CC74, 0x29024E08), BN_DEF(0x80DC1CD1, 0xC4C6628B), ++ BN_DEF(0x2168C234, 0xC90FDAA2), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF) ++}; ++/* q = (p - 1) / 2 */ ++static const BN_ULONG modp_4096_q[] = { ++ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x9A0318CC, 0xA6FA1AE4), ++ BN_DEF(0x48536047, 0xC37FDBEE), BN_DEF(0x46C7EEE0, 0xC9DA754C), ++ BN_DEF(0xEAD82D54, 0x68034893), BN_DEF(0x10B8240E, 0xDC0DEEBB), ++ BN_DEF(0x67716BD7, 0x8FB094B8), BN_DEF(0x28ADF3F6, 0x119DD0C3), ++ BN_DEF(0xD04861D1, 0xCCD94B27), BN_DEF(0xA735E02E, 0x143E2CA3), ++ BN_DEF(0x0FDF6553, 0x97477E0A), BN_DEF(0x826F477C, 0x6DDDE16D), ++ BN_DEF(0x156A2674, 0x12C1F4E5), BN_DEF(0x5B0A85ED, 0x0D4A341A), ++ BN_DEF(0x357A711E, 0x4CE1938C), BN_DEF(0x5EDD2D93, 0xC438CD08), ++ BN_DEF(0x53C3F36B, 0x8D391E09), BN_DEF(0x54908400, 0x25C16890), ++ BN_DEF(0x707E8847, 0xA1EDADFE), BN_DEF(0x3A72D598, 0x047127D0), ++ BN_DEF(0x5D6CA371, 0x3B84C460), BN_DEF(0xBD30AEB6, 0x5DF08BAB), ++ BN_DEF(0x0BBD9006, 0x290F958C), BN_DEF(0x9F643532, 0x6C3B0139), ++ BN_DEF(0x6CC50432, 0xF897FD03), BN_DEF(0x0D697735, 0xE771E913), ++ BN_DEF(0x2512B0CE, 0x8F464A70), BN_DEF(0x6D8499EB, 0xD5FAD746), ++ BN_DEF(0xD370F263, 0xD9CB87C2), BN_DEF(0xAE83063E, 0x457538AB), ++ BN_DEF(0x2C6DF785, 0x767DC282), BN_DEF(0xEF8E5D32, 0xD42A90D5), ++ BN_DEF(0x82283D19, 0xD6998B86), BN_DEF(0x45556216, 0x0AB9472D), ++ BN_DEF(0x4C7D0288, 0x8AE9130C), BN_DEF(0x754AB572, 0x1CCAA4BE), ++ BN_DEF(0x4AAC0B8C, 0xEF15E5FB), BN_DEF(0x37A62964, 0xDAE2AEF8), ++ BN_DEF(0x7603D147, 0xCD93C1D1), BN_DEF(0x0C074301, 0xF1CF3B96), ++ BN_DEF(0x171B671D, 0x19482F23), BN_DEF(0x650C10BE, 0x78BA3604), ++ BN_DEF(0x255E4C02, 0xB3861AA7), BN_DEF(0xB84B4B36, 0xCF6A9483), ++ BN_DEF(0x1042A95D, 0x0E3179AB), BN_DEF(0xEE51D6CB, 0xC1B2AE91), ++ BN_DEF(0x7E9267AF, 0x348B1FD4), BN_DEF(0x0E2AE9CD, 0xCC6D241B), ++ BN_DEF(0x50B1DF82, 0xE1003E5C), BN_DEF(0xF6722D9E, 0x24943328), ++ BN_DEF(0xBE258FF3, 0xD74F9208), BN_DEF(0xAD44CFD2, 0xF71C35FD), ++ BN_DEF(0x7A035BF6, 0x85FFAE5B), BN_DEF(0xD31BF6B5, 0x7A262174), ++ BN_DEF(0x312F3F63, 0xF242DABB), BN_DEF(0xB6A8E122, 0xA7F09AB6), ++ BN_DEF(0xF92F8A1B, 0x98158536), BN_DEF(0xE69D218D, 0xF7CA8CD9), ++ BN_DEF(0xC71A026E, 0x28A5043C), BN_DEF(0x1D89CD91, 0x0105DF53), ++ BN_DEF(0x4533E63A, 0x94812704), BN_DEF(0xC06E0E68, 0x62633145), ++ BN_DEF(0x10B4611A, 0xE487ED51), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), + }; + +-static const BN_ULONG ffdhe6144_p[] = { +- 0xFFFFFFFFFFFFFFFFULL, 0xA40E329CD0E40E65ULL, 0xA41D570D7938DAD4ULL, +- 0x62A69526D43161C1ULL, 0x3FDD4A8E9ADB1E69ULL, 0x5B3B71F9DC6B80D6ULL, +- 0xEC9D1810C6272B04ULL, 0x8CCF2DD5CACEF403ULL, 0xE49F5235C95B9117ULL, +- 0x505DC82DB854338AULL, 0x62292C311562A846ULL, 0xD72B03746AE77F5EULL, +- 0xF9C9091B462D538CULL, 0x0AE8DB5847A67CBEULL, 0xB3A739C122611682ULL, +- 0xEEAAC0232A281BF6ULL, 0x94C6651E77CAF992ULL, 0x763E4E4B94B2BBC1ULL, +- 0x587E38DA0077D9B4ULL, 0x7FB29F8C183023C3ULL, 0x0ABEC1FFF9E3A26EULL, +- 0xA00EF092350511E3ULL, 0xB855322EDB6340D8ULL, 0xA52471F7A9A96910ULL, +- 0x388147FB4CFDB477ULL, 0x9B1F5C3E4E46041FULL, 0xCDAD0657FCCFEC71ULL, +- 0xB38E8C334C701C3AULL, 0x917BDD64B1C0FD4CULL, 0x3BB454329B7624C8ULL, +- 0x23BA4442CAF53EA6ULL, 0x4E677D2C38532A3AULL, 0x0BFD64B645036C7AULL, +- 0xC68A007E5E0DD902ULL, 0x4DB5A851F44182E1ULL, 0x8EC9B55A7F88A46BULL, +- 0x0A8291CDCEC97DCFULL, 0x2A4ECEA9F98D0ACCULL, 0x1A1DB93D7140003CULL, +- 0x092999A333CB8B7AULL, 0x6DC778F971AD0038ULL, 0xA907600A918130C4ULL, +- 0xED6A1E012D9E6832ULL, 0x7135C886EFB4318AULL, 0x87F55BA57E31CC7AULL, +- 0x7763CF1D55034004ULL, 0xAC7D5F42D69F6D18ULL, 0x7930E9E4E58857B6ULL, +- 0x6E6F52C3164DF4FBULL, 0x25E41D2B669E1EF1ULL, 0x3C1B20EE3FD59D7CULL, +- 0x0ABCD06BFA53DDEFULL, 0x1DBF9A42D5C4484EULL, 0xABC521979B0DEADAULL, +- 0xE86D2BC522363A0DULL, 0x5CAE82AB9C9DF69EULL, 0x64F2E21E71F54BFFULL, +- 0xF4FD4452E2D74DD3ULL, 0xB4130C93BC437944ULL, 0xAEFE130985139270ULL, +- 0x598CB0FAC186D91CULL, 0x7AD91D2691F7F7EEULL, 0x61B46FC9D6E6C907ULL, +- 0xBC34F4DEF99C0238ULL, 0xDE355B3B6519035BULL, 0x886B4238611FCFDCULL, +- 0xC6F34A26C1B2EFFAULL, 0xC58EF1837D1683B2ULL, 0x3BB5FCBC2EC22005ULL, +- 0xC3FE3B1B4C6FAD73ULL, 0x8E4F1232EEF28183ULL, 0x9172FE9CE98583FFULL, +- 0xC03404CD28342F61ULL, 0x9E02FCE1CDF7E2ECULL, 0x0B07A7C8EE0A6D70ULL, +- 0xAE56EDE76372BB19ULL, 0x1D4F42A3DE394DF4ULL, 0xB96ADAB760D7F468ULL, +- 0xD108A94BB2C8E3FBULL, 0xBC0AB182B324FB61ULL, 0x30ACCA4F483A797AULL, +- 0x1DF158A136ADE735ULL, 0xE2A689DAF3EFE872ULL, 0x984F0C70E0E68B77ULL, +- 0xB557135E7F57C935ULL, 0x856365553DED1AF3ULL, 0x2433F51F5F066ED0ULL, +- 0xD3DF1ED5D5FD6561ULL, 0xF681B202AEC4617AULL, 0x7D2FE363630C75D8ULL, +- 0xCC939DCE249B3EF9ULL, 0xA9E13641146433FBULL, 0xD8B9C583CE2D3695ULL, +- 0xAFDC5620273D3CF1ULL, 0xADF85458A2BB4A9AULL, 0xFFFFFFFFFFFFFFFFULL ++/*- ++ * "6144-bit MODP Group" from RFC3526, Section 6. ++ * ++ * The prime is: 2^6144 - 2^6080 - 1 + 2^64 * { [2^6014 pi] + 929484 } ++ * ++ * RFC3526 specifies a generator of 2. ++ */ ++static const BN_ULONG modp_6144_p[] = { ++ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x6DCC4024, 0xE694F91E), ++ BN_DEF(0x0B7474D6, 0x12BF2D5B), BN_DEF(0x3F4860EE, 0x043E8F66), ++ BN_DEF(0x6E3C0468, 0x387FE8D7), BN_DEF(0x2EF29632, 0xDA56C9EC), ++ BN_DEF(0xA313D55C, 0xEB19CCB1), BN_DEF(0x8A1FBFF0, 0xF550AA3D), ++ BN_DEF(0xB7C5DA76, 0x06A1D58B), BN_DEF(0xF29BE328, 0xA79715EE), ++ BN_DEF(0x0F8037E0, 0x14CC5ED2), BN_DEF(0xBF48E1D8, 0xCC8F6D7E), ++ BN_DEF(0x2B4154AA, 0x4BD407B2), BN_DEF(0xFF585AC5, 0x0F1D45B7), ++ BN_DEF(0x36CC88BE, 0x23A97A7E), BN_DEF(0xBEC7E8F3, 0x59E7C97F), ++ BN_DEF(0x900B1C9E, 0xB5A84031), BN_DEF(0x46980C82, 0xD55E702F), ++ BN_DEF(0x6E74FEF6, 0xF482D7CE), BN_DEF(0xD1721D03, 0xF032EA15), ++ BN_DEF(0xC64B92EC, 0x5983CA01), BN_DEF(0x378CD2BF, 0x6FB8F401), ++ BN_DEF(0x2BD7AF42, 0x33205151), BN_DEF(0xE6CC254B, 0xDB7F1447), ++ BN_DEF(0xCED4BB1B, 0x44CE6CBA), BN_DEF(0xCF9B14ED, 0xDA3EDBEB), ++ BN_DEF(0x865A8918, 0x179727B0), BN_DEF(0x9027D831, 0xB06A53ED), ++ BN_DEF(0x413001AE, 0xE5DB382F), BN_DEF(0xAD9E530E, 0xF8FF9406), ++ BN_DEF(0x3DBA37BD, 0xC9751E76), BN_DEF(0x602646DE, 0xC1D4DCB2), ++ BN_DEF(0xD27C7026, 0x36C3FAB4), BN_DEF(0x34028492, 0x4DF435C9), ++ BN_DEF(0x90A6C08F, 0x86FFB7DC), BN_DEF(0x8D8FDDC1, 0x93B4EA98), ++ BN_DEF(0xD5B05AA9, 0xD0069127), BN_DEF(0x2170481C, 0xB81BDD76), ++ BN_DEF(0xCEE2D7AF, 0x1F612970), BN_DEF(0x515BE7ED, 0x233BA186), ++ BN_DEF(0xA090C3A2, 0x99B2964F), BN_DEF(0x4E6BC05D, 0x287C5947), ++ BN_DEF(0x1FBECAA6, 0x2E8EFC14), BN_DEF(0x04DE8EF9, 0xDBBBC2DB), ++ BN_DEF(0x2AD44CE8, 0x2583E9CA), BN_DEF(0xB6150BDA, 0x1A946834), ++ BN_DEF(0x6AF4E23C, 0x99C32718), BN_DEF(0xBDBA5B26, 0x88719A10), ++ BN_DEF(0xA787E6D7, 0x1A723C12), BN_DEF(0xA9210801, 0x4B82D120), ++ BN_DEF(0xE0FD108E, 0x43DB5BFC), BN_DEF(0x74E5AB31, 0x08E24FA0), ++ BN_DEF(0xBAD946E2, 0x770988C0), BN_DEF(0x7A615D6C, 0xBBE11757), ++ BN_DEF(0x177B200C, 0x521F2B18), BN_DEF(0x3EC86A64, 0xD8760273), ++ BN_DEF(0xD98A0864, 0xF12FFA06), BN_DEF(0x1AD2EE6B, 0xCEE3D226), ++ BN_DEF(0x4A25619D, 0x1E8C94E0), BN_DEF(0xDB0933D7, 0xABF5AE8C), ++ BN_DEF(0xA6E1E4C7, 0xB3970F85), BN_DEF(0x5D060C7D, 0x8AEA7157), ++ BN_DEF(0x58DBEF0A, 0xECFB8504), BN_DEF(0xDF1CBA64, 0xA85521AB), ++ BN_DEF(0x04507A33, 0xAD33170D), BN_DEF(0x8AAAC42D, 0x15728E5A), ++ BN_DEF(0x98FA0510, 0x15D22618), BN_DEF(0xEA956AE5, 0x3995497C), ++ BN_DEF(0x95581718, 0xDE2BCBF6), BN_DEF(0x6F4C52C9, 0xB5C55DF0), ++ BN_DEF(0xEC07A28F, 0x9B2783A2), BN_DEF(0x180E8603, 0xE39E772C), ++ BN_DEF(0x2E36CE3B, 0x32905E46), BN_DEF(0xCA18217C, 0xF1746C08), ++ BN_DEF(0x4ABC9804, 0x670C354E), BN_DEF(0x7096966D, 0x9ED52907), ++ BN_DEF(0x208552BB, 0x1C62F356), BN_DEF(0xDCA3AD96, 0x83655D23), ++ BN_DEF(0xFD24CF5F, 0x69163FA8), BN_DEF(0x1C55D39A, 0x98DA4836), ++ BN_DEF(0xA163BF05, 0xC2007CB8), BN_DEF(0xECE45B3D, 0x49286651), ++ BN_DEF(0x7C4B1FE6, 0xAE9F2411), BN_DEF(0x5A899FA5, 0xEE386BFB), ++ BN_DEF(0xF406B7ED, 0x0BFF5CB6), BN_DEF(0xA637ED6B, 0xF44C42E9), ++ BN_DEF(0x625E7EC6, 0xE485B576), BN_DEF(0x6D51C245, 0x4FE1356D), ++ BN_DEF(0xF25F1437, 0x302B0A6D), BN_DEF(0xCD3A431B, 0xEF9519B3), ++ BN_DEF(0x8E3404DD, 0x514A0879), BN_DEF(0x3B139B22, 0x020BBEA6), ++ BN_DEF(0x8A67CC74, 0x29024E08), BN_DEF(0x80DC1CD1, 0xC4C6628B), ++ BN_DEF(0x2168C234, 0xC90FDAA2), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF) ++}; ++/* q = (p - 1) / 2 */ ++static const BN_ULONG modp_6144_q[] = { ++ BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), BN_DEF(0x36E62012, 0x734A7C8F), ++ BN_DEF(0x85BA3A6B, 0x095F96AD), BN_DEF(0x1FA43077, 0x021F47B3), ++ BN_DEF(0xB71E0234, 0x1C3FF46B), BN_DEF(0x17794B19, 0x6D2B64F6), ++ BN_DEF(0xD189EAAE, 0x758CE658), BN_DEF(0xC50FDFF8, 0x7AA8551E), ++ BN_DEF(0xDBE2ED3B, 0x0350EAC5), BN_DEF(0x794DF194, 0x53CB8AF7), ++ BN_DEF(0x07C01BF0, 0x0A662F69), BN_DEF(0x5FA470EC, 0x6647B6BF), ++ BN_DEF(0x15A0AA55, 0xA5EA03D9), BN_DEF(0xFFAC2D62, 0x078EA2DB), ++ BN_DEF(0x1B66445F, 0x91D4BD3F), BN_DEF(0xDF63F479, 0x2CF3E4BF), ++ BN_DEF(0xC8058E4F, 0x5AD42018), BN_DEF(0xA34C0641, 0x6AAF3817), ++ BN_DEF(0x373A7F7B, 0xFA416BE7), BN_DEF(0xE8B90E81, 0x7819750A), ++ BN_DEF(0xE325C976, 0xACC1E500), BN_DEF(0x9BC6695F, 0x37DC7A00), ++ BN_DEF(0x95EBD7A1, 0x999028A8), BN_DEF(0xF36612A5, 0xEDBF8A23), ++ BN_DEF(0x676A5D8D, 0xA267365D), BN_DEF(0xE7CD8A76, 0x6D1F6DF5), ++ BN_DEF(0x432D448C, 0x8BCB93D8), BN_DEF(0xC813EC18, 0x583529F6), ++ BN_DEF(0xA09800D7, 0x72ED9C17), BN_DEF(0x56CF2987, 0xFC7FCA03), ++ BN_DEF(0x1EDD1BDE, 0x64BA8F3B), BN_DEF(0x3013236F, 0x60EA6E59), ++ BN_DEF(0x693E3813, 0x1B61FD5A), BN_DEF(0x9A014249, 0xA6FA1AE4), ++ BN_DEF(0x48536047, 0xC37FDBEE), BN_DEF(0x46C7EEE0, 0xC9DA754C), ++ BN_DEF(0xEAD82D54, 0x68034893), BN_DEF(0x10B8240E, 0xDC0DEEBB), ++ BN_DEF(0x67716BD7, 0x8FB094B8), BN_DEF(0x28ADF3F6, 0x119DD0C3), ++ BN_DEF(0xD04861D1, 0xCCD94B27), BN_DEF(0xA735E02E, 0x143E2CA3), ++ BN_DEF(0x0FDF6553, 0x97477E0A), BN_DEF(0x826F477C, 0x6DDDE16D), ++ BN_DEF(0x156A2674, 0x12C1F4E5), BN_DEF(0x5B0A85ED, 0x0D4A341A), ++ BN_DEF(0x357A711E, 0x4CE1938C), BN_DEF(0x5EDD2D93, 0xC438CD08), ++ BN_DEF(0x53C3F36B, 0x8D391E09), BN_DEF(0x54908400, 0x25C16890), ++ BN_DEF(0x707E8847, 0xA1EDADFE), BN_DEF(0x3A72D598, 0x047127D0), ++ BN_DEF(0x5D6CA371, 0x3B84C460), BN_DEF(0xBD30AEB6, 0x5DF08BAB), ++ BN_DEF(0x0BBD9006, 0x290F958C), BN_DEF(0x9F643532, 0x6C3B0139), ++ BN_DEF(0x6CC50432, 0xF897FD03), BN_DEF(0x0D697735, 0xE771E913), ++ BN_DEF(0x2512B0CE, 0x8F464A70), BN_DEF(0x6D8499EB, 0xD5FAD746), ++ BN_DEF(0xD370F263, 0xD9CB87C2), BN_DEF(0xAE83063E, 0x457538AB), ++ BN_DEF(0x2C6DF785, 0x767DC282), BN_DEF(0xEF8E5D32, 0xD42A90D5), ++ BN_DEF(0x82283D19, 0xD6998B86), BN_DEF(0x45556216, 0x0AB9472D), ++ BN_DEF(0x4C7D0288, 0x8AE9130C), BN_DEF(0x754AB572, 0x1CCAA4BE), ++ BN_DEF(0x4AAC0B8C, 0xEF15E5FB), BN_DEF(0x37A62964, 0xDAE2AEF8), ++ BN_DEF(0x7603D147, 0xCD93C1D1), BN_DEF(0x0C074301, 0xF1CF3B96), ++ BN_DEF(0x171B671D, 0x19482F23), BN_DEF(0x650C10BE, 0x78BA3604), ++ BN_DEF(0x255E4C02, 0xB3861AA7), BN_DEF(0xB84B4B36, 0xCF6A9483), ++ BN_DEF(0x1042A95D, 0x0E3179AB), BN_DEF(0xEE51D6CB, 0xC1B2AE91), ++ BN_DEF(0x7E9267AF, 0x348B1FD4), BN_DEF(0x0E2AE9CD, 0xCC6D241B), ++ BN_DEF(0x50B1DF82, 0xE1003E5C), BN_DEF(0xF6722D9E, 0x24943328), ++ BN_DEF(0xBE258FF3, 0xD74F9208), BN_DEF(0xAD44CFD2, 0xF71C35FD), ++ BN_DEF(0x7A035BF6, 0x85FFAE5B), BN_DEF(0xD31BF6B5, 0x7A262174), ++ BN_DEF(0x312F3F63, 0xF242DABB), BN_DEF(0xB6A8E122, 0xA7F09AB6), ++ BN_DEF(0xF92F8A1B, 0x98158536), BN_DEF(0xE69D218D, 0xF7CA8CD9), ++ BN_DEF(0xC71A026E, 0x28A5043C), BN_DEF(0x1D89CD91, 0x0105DF53), ++ BN_DEF(0x4533E63A, 0x94812704), BN_DEF(0xC06E0E68, 0x62633145), ++ BN_DEF(0x10B4611A, 0xE487ED51), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), + }; + +-static const BN_ULONG ffdhe8192_p[] = { +- 0xFFFFFFFFFFFFFFFFULL, 0xD68C8BB7C5C6424CULL, 0x011E2A94838FF88CULL, +- 0x0822E506A9F4614EULL, 0x97D11D49F7A8443DULL, 0xA6BBFDE530677F0DULL, +- 0x2F741EF8C1FE86FEULL, 0xFAFABE1C5D71A87EULL, 0xDED2FBABFBE58A30ULL, +- 0xB6855DFE72B0A66EULL, 0x1EFC8CE0BA8A4FE8ULL, 0x83F81D4A3F2FA457ULL, +- 0xA1FE3075A577E231ULL, 0xD5B8019488D9C0A0ULL, 0x624816CDAD9A95F9ULL, +- 0x99E9E31650C1217BULL, 0x51AA691E0E423CFCULL, 0x1C217E6C3826E52CULL, +- 0x51A8A93109703FEEULL, 0xBB7099876A460E74ULL, 0x541FC68C9C86B022ULL, +- 0x59160CC046FD8251ULL, 0x2846C0BA35C35F5CULL, 0x54504AC78B758282ULL, +- 0x29388839D2AF05E4ULL, 0xCB2C0F1CC01BD702ULL, 0x555B2F747C932665ULL, +- 0x86B63142A3AB8829ULL, 0x0B8CC3BDF64B10EFULL, 0x687FEB69EDD1CC5EULL, +- 0xFDB23FCEC9509D43ULL, 0x1E425A31D951AE64ULL, 0x36AD004CF600C838ULL, +- 0xA40E329CCFF46AAAULL, 0xA41D570D7938DAD4ULL, 0x62A69526D43161C1ULL, +- 0x3FDD4A8E9ADB1E69ULL, 0x5B3B71F9DC6B80D6ULL, 0xEC9D1810C6272B04ULL, +- 0x8CCF2DD5CACEF403ULL, 0xE49F5235C95B9117ULL, 0x505DC82DB854338AULL, +- 0x62292C311562A846ULL, 0xD72B03746AE77F5EULL, 0xF9C9091B462D538CULL, +- 0x0AE8DB5847A67CBEULL, 0xB3A739C122611682ULL, 0xEEAAC0232A281BF6ULL, +- 0x94C6651E77CAF992ULL, 0x763E4E4B94B2BBC1ULL, 0x587E38DA0077D9B4ULL, +- 0x7FB29F8C183023C3ULL, 0x0ABEC1FFF9E3A26EULL, 0xA00EF092350511E3ULL, +- 0xB855322EDB6340D8ULL, 0xA52471F7A9A96910ULL, 0x388147FB4CFDB477ULL, +- 0x9B1F5C3E4E46041FULL, 0xCDAD0657FCCFEC71ULL, 0xB38E8C334C701C3AULL, +- 0x917BDD64B1C0FD4CULL, 0x3BB454329B7624C8ULL, 0x23BA4442CAF53EA6ULL, +- 0x4E677D2C38532A3AULL, 0x0BFD64B645036C7AULL, 0xC68A007E5E0DD902ULL, +- 0x4DB5A851F44182E1ULL, 0x8EC9B55A7F88A46BULL, 0x0A8291CDCEC97DCFULL, +- 0x2A4ECEA9F98D0ACCULL, 0x1A1DB93D7140003CULL, 0x092999A333CB8B7AULL, +- 0x6DC778F971AD0038ULL, 0xA907600A918130C4ULL, 0xED6A1E012D9E6832ULL, +- 0x7135C886EFB4318AULL, 0x87F55BA57E31CC7AULL, 0x7763CF1D55034004ULL, +- 0xAC7D5F42D69F6D18ULL, 0x7930E9E4E58857B6ULL, 0x6E6F52C3164DF4FBULL, +- 0x25E41D2B669E1EF1ULL, 0x3C1B20EE3FD59D7CULL, 0x0ABCD06BFA53DDEFULL, +- 0x1DBF9A42D5C4484EULL, 0xABC521979B0DEADAULL, 0xE86D2BC522363A0DULL, +- 0x5CAE82AB9C9DF69EULL, 0x64F2E21E71F54BFFULL, 0xF4FD4452E2D74DD3ULL, +- 0xB4130C93BC437944ULL, 0xAEFE130985139270ULL, 0x598CB0FAC186D91CULL, +- 0x7AD91D2691F7F7EEULL, 0x61B46FC9D6E6C907ULL, 0xBC34F4DEF99C0238ULL, +- 0xDE355B3B6519035BULL, 0x886B4238611FCFDCULL, 0xC6F34A26C1B2EFFAULL, +- 0xC58EF1837D1683B2ULL, 0x3BB5FCBC2EC22005ULL, 0xC3FE3B1B4C6FAD73ULL, +- 0x8E4F1232EEF28183ULL, 0x9172FE9CE98583FFULL, 0xC03404CD28342F61ULL, +- 0x9E02FCE1CDF7E2ECULL, 0x0B07A7C8EE0A6D70ULL, 0xAE56EDE76372BB19ULL, +- 0x1D4F42A3DE394DF4ULL, 0xB96ADAB760D7F468ULL, 0xD108A94BB2C8E3FBULL, +- 0xBC0AB182B324FB61ULL, 0x30ACCA4F483A797AULL, 0x1DF158A136ADE735ULL, +- 0xE2A689DAF3EFE872ULL, 0x984F0C70E0E68B77ULL, 0xB557135E7F57C935ULL, +- 0x856365553DED1AF3ULL, 0x2433F51F5F066ED0ULL, 0xD3DF1ED5D5FD6561ULL, +- 0xF681B202AEC4617AULL, 0x7D2FE363630C75D8ULL, 0xCC939DCE249B3EF9ULL, +- 0xA9E13641146433FBULL, 0xD8B9C583CE2D3695ULL, 0xAFDC5620273D3CF1ULL, +- 0xADF85458A2BB4A9AULL, 0xFFFFFFFFFFFFFFFFULL ++/* ++ * "8192-bit MODP Group" from RFC3526, Section 7. ++ * ++ * The prime is: 2^8192 - 2^8128 - 1 + 2^64 * { [2^8062 pi] + 4743158 } ++ * ++ * RFC3526 specifies a generator of 2. ++ */ ++static const BN_ULONG modp_8192_p[] = { ++ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x98EDD3DF, 0x60C980DD), ++ BN_DEF(0x80B96E71, 0xC81F56E8), BN_DEF(0x765694DF, 0x9E3050E2), ++ BN_DEF(0x5677E9AA, 0x9558E447), BN_DEF(0xFC026E47, 0xC9190DA6), ++ BN_DEF(0xD5EE382B, 0x889A002E), BN_DEF(0x481C6CD7, 0x4009438B), ++ BN_DEF(0xEB879F92, 0x359046F4), BN_DEF(0x1ECFA268, 0xFAF36BC3), ++ BN_DEF(0x7EE74D73, 0xB1D510BD), BN_DEF(0x5DED7EA1, 0xF9AB4819), ++ BN_DEF(0x0846851D, 0x64F31CC5), BN_DEF(0xA0255DC1, 0x4597E899), ++ BN_DEF(0x74AB6A36, 0xDF310EE0), BN_DEF(0x3F44F82D, 0x6D2A13F8), ++ BN_DEF(0xB3A278A6, 0x062B3CF5), BN_DEF(0xED5BDD3A, 0x79683303), ++ BN_DEF(0xA2C087E8, 0xFA9D4B7F), BN_DEF(0x2F8385DD, 0x4BCBC886), ++ BN_DEF(0x6CEA306B, 0x3473FC64), BN_DEF(0x1A23F0C7, 0x13EB57A8), ++ BN_DEF(0xA4037C07, 0x22222E04), BN_DEF(0xFC848AD9, 0xE3FDB8BE), ++ BN_DEF(0xE39D652D, 0x238F16CB), BN_DEF(0x2BF1C978, 0x3423B474), ++ BN_DEF(0x5AE4F568, 0x3AAB639C), BN_DEF(0x6BA42466, 0x2576F693), ++ BN_DEF(0x8AFC47ED, 0x741FA7BF), BN_DEF(0x8D9DD300, 0x3BC832B6), ++ BN_DEF(0x73B931BA, 0xD8BEC4D0), BN_DEF(0xA932DF8C, 0x38777CB6), ++ BN_DEF(0x12FEE5E4, 0x74A3926F), BN_DEF(0x6DBE1159, 0xE694F91E), ++ BN_DEF(0x0B7474D6, 0x12BF2D5B), BN_DEF(0x3F4860EE, 0x043E8F66), ++ BN_DEF(0x6E3C0468, 0x387FE8D7), BN_DEF(0x2EF29632, 0xDA56C9EC), ++ BN_DEF(0xA313D55C, 0xEB19CCB1), BN_DEF(0x8A1FBFF0, 0xF550AA3D), ++ BN_DEF(0xB7C5DA76, 0x06A1D58B), BN_DEF(0xF29BE328, 0xA79715EE), ++ BN_DEF(0x0F8037E0, 0x14CC5ED2), BN_DEF(0xBF48E1D8, 0xCC8F6D7E), ++ BN_DEF(0x2B4154AA, 0x4BD407B2), BN_DEF(0xFF585AC5, 0x0F1D45B7), ++ BN_DEF(0x36CC88BE, 0x23A97A7E), BN_DEF(0xBEC7E8F3, 0x59E7C97F), ++ BN_DEF(0x900B1C9E, 0xB5A84031), BN_DEF(0x46980C82, 0xD55E702F), ++ BN_DEF(0x6E74FEF6, 0xF482D7CE), BN_DEF(0xD1721D03, 0xF032EA15), ++ BN_DEF(0xC64B92EC, 0x5983CA01), BN_DEF(0x378CD2BF, 0x6FB8F401), ++ BN_DEF(0x2BD7AF42, 0x33205151), BN_DEF(0xE6CC254B, 0xDB7F1447), ++ BN_DEF(0xCED4BB1B, 0x44CE6CBA), BN_DEF(0xCF9B14ED, 0xDA3EDBEB), ++ BN_DEF(0x865A8918, 0x179727B0), BN_DEF(0x9027D831, 0xB06A53ED), ++ BN_DEF(0x413001AE, 0xE5DB382F), BN_DEF(0xAD9E530E, 0xF8FF9406), ++ BN_DEF(0x3DBA37BD, 0xC9751E76), BN_DEF(0x602646DE, 0xC1D4DCB2), ++ BN_DEF(0xD27C7026, 0x36C3FAB4), BN_DEF(0x34028492, 0x4DF435C9), ++ BN_DEF(0x90A6C08F, 0x86FFB7DC), BN_DEF(0x8D8FDDC1, 0x93B4EA98), ++ BN_DEF(0xD5B05AA9, 0xD0069127), BN_DEF(0x2170481C, 0xB81BDD76), ++ BN_DEF(0xCEE2D7AF, 0x1F612970), BN_DEF(0x515BE7ED, 0x233BA186), ++ BN_DEF(0xA090C3A2, 0x99B2964F), BN_DEF(0x4E6BC05D, 0x287C5947), ++ BN_DEF(0x1FBECAA6, 0x2E8EFC14), BN_DEF(0x04DE8EF9, 0xDBBBC2DB), ++ BN_DEF(0x2AD44CE8, 0x2583E9CA), BN_DEF(0xB6150BDA, 0x1A946834), ++ BN_DEF(0x6AF4E23C, 0x99C32718), BN_DEF(0xBDBA5B26, 0x88719A10), ++ BN_DEF(0xA787E6D7, 0x1A723C12), BN_DEF(0xA9210801, 0x4B82D120), ++ BN_DEF(0xE0FD108E, 0x43DB5BFC), BN_DEF(0x74E5AB31, 0x08E24FA0), ++ BN_DEF(0xBAD946E2, 0x770988C0), BN_DEF(0x7A615D6C, 0xBBE11757), ++ BN_DEF(0x177B200C, 0x521F2B18), BN_DEF(0x3EC86A64, 0xD8760273), ++ BN_DEF(0xD98A0864, 0xF12FFA06), BN_DEF(0x1AD2EE6B, 0xCEE3D226), ++ BN_DEF(0x4A25619D, 0x1E8C94E0), BN_DEF(0xDB0933D7, 0xABF5AE8C), ++ BN_DEF(0xA6E1E4C7, 0xB3970F85), BN_DEF(0x5D060C7D, 0x8AEA7157), ++ BN_DEF(0x58DBEF0A, 0xECFB8504), BN_DEF(0xDF1CBA64, 0xA85521AB), ++ BN_DEF(0x04507A33, 0xAD33170D), BN_DEF(0x8AAAC42D, 0x15728E5A), ++ BN_DEF(0x98FA0510, 0x15D22618), BN_DEF(0xEA956AE5, 0x3995497C), ++ BN_DEF(0x95581718, 0xDE2BCBF6), BN_DEF(0x6F4C52C9, 0xB5C55DF0), ++ BN_DEF(0xEC07A28F, 0x9B2783A2), BN_DEF(0x180E8603, 0xE39E772C), ++ BN_DEF(0x2E36CE3B, 0x32905E46), BN_DEF(0xCA18217C, 0xF1746C08), ++ BN_DEF(0x4ABC9804, 0x670C354E), BN_DEF(0x7096966D, 0x9ED52907), ++ BN_DEF(0x208552BB, 0x1C62F356), BN_DEF(0xDCA3AD96, 0x83655D23), ++ BN_DEF(0xFD24CF5F, 0x69163FA8), BN_DEF(0x1C55D39A, 0x98DA4836), ++ BN_DEF(0xA163BF05, 0xC2007CB8), BN_DEF(0xECE45B3D, 0x49286651), ++ BN_DEF(0x7C4B1FE6, 0xAE9F2411), BN_DEF(0x5A899FA5, 0xEE386BFB), ++ BN_DEF(0xF406B7ED, 0x0BFF5CB6), BN_DEF(0xA637ED6B, 0xF44C42E9), ++ BN_DEF(0x625E7EC6, 0xE485B576), BN_DEF(0x6D51C245, 0x4FE1356D), ++ BN_DEF(0xF25F1437, 0x302B0A6D), BN_DEF(0xCD3A431B, 0xEF9519B3), ++ BN_DEF(0x8E3404DD, 0x514A0879), BN_DEF(0x3B139B22, 0x020BBEA6), ++ BN_DEF(0x8A67CC74, 0x29024E08), BN_DEF(0x80DC1CD1, 0xC4C6628B), ++ BN_DEF(0x2168C234, 0xC90FDAA2), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF) ++}; ++/* q = (p - 1) / 2 */ ++static const BN_ULONG modp_8192_q[] = { ++ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0xCC76E9EF, 0xB064C06E), ++ BN_DEF(0x405CB738, 0xE40FAB74), BN_DEF(0x3B2B4A6F, 0x4F182871), ++ BN_DEF(0xAB3BF4D5, 0xCAAC7223), BN_DEF(0x7E013723, 0xE48C86D3), ++ BN_DEF(0x6AF71C15, 0xC44D0017), BN_DEF(0xA40E366B, 0x2004A1C5), ++ BN_DEF(0x75C3CFC9, 0x1AC8237A), BN_DEF(0x8F67D134, 0xFD79B5E1), ++ BN_DEF(0xBF73A6B9, 0xD8EA885E), BN_DEF(0xAEF6BF50, 0xFCD5A40C), ++ BN_DEF(0x8423428E, 0xB2798E62), BN_DEF(0xD012AEE0, 0x22CBF44C), ++ BN_DEF(0x3A55B51B, 0xEF988770), BN_DEF(0x1FA27C16, 0x369509FC), ++ BN_DEF(0xD9D13C53, 0x03159E7A), BN_DEF(0xF6ADEE9D, 0x3CB41981), ++ BN_DEF(0xD16043F4, 0xFD4EA5BF), BN_DEF(0x17C1C2EE, 0xA5E5E443), ++ BN_DEF(0x36751835, 0x9A39FE32), BN_DEF(0x0D11F863, 0x89F5ABD4), ++ BN_DEF(0x5201BE03, 0x91111702), BN_DEF(0x7E42456C, 0xF1FEDC5F), ++ BN_DEF(0xF1CEB296, 0x11C78B65), BN_DEF(0x15F8E4BC, 0x1A11DA3A), ++ BN_DEF(0x2D727AB4, 0x1D55B1CE), BN_DEF(0xB5D21233, 0x92BB7B49), ++ BN_DEF(0xC57E23F6, 0x3A0FD3DF), BN_DEF(0x46CEE980, 0x1DE4195B), ++ BN_DEF(0x39DC98DD, 0x6C5F6268), BN_DEF(0x54996FC6, 0x1C3BBE5B), ++ BN_DEF(0x897F72F2, 0xBA51C937), BN_DEF(0x36DF08AC, 0x734A7C8F), ++ BN_DEF(0x85BA3A6B, 0x095F96AD), BN_DEF(0x1FA43077, 0x021F47B3), ++ BN_DEF(0xB71E0234, 0x1C3FF46B), BN_DEF(0x17794B19, 0x6D2B64F6), ++ BN_DEF(0xD189EAAE, 0x758CE658), BN_DEF(0xC50FDFF8, 0x7AA8551E), ++ BN_DEF(0xDBE2ED3B, 0x0350EAC5), BN_DEF(0x794DF194, 0x53CB8AF7), ++ BN_DEF(0x07C01BF0, 0x0A662F69), BN_DEF(0x5FA470EC, 0x6647B6BF), ++ BN_DEF(0x15A0AA55, 0xA5EA03D9), BN_DEF(0xFFAC2D62, 0x078EA2DB), ++ BN_DEF(0x1B66445F, 0x91D4BD3F), BN_DEF(0xDF63F479, 0x2CF3E4BF), ++ BN_DEF(0xC8058E4F, 0x5AD42018), BN_DEF(0xA34C0641, 0x6AAF3817), ++ BN_DEF(0x373A7F7B, 0xFA416BE7), BN_DEF(0xE8B90E81, 0x7819750A), ++ BN_DEF(0xE325C976, 0xACC1E500), BN_DEF(0x9BC6695F, 0x37DC7A00), ++ BN_DEF(0x95EBD7A1, 0x999028A8), BN_DEF(0xF36612A5, 0xEDBF8A23), ++ BN_DEF(0x676A5D8D, 0xA267365D), BN_DEF(0xE7CD8A76, 0x6D1F6DF5), ++ BN_DEF(0x432D448C, 0x8BCB93D8), BN_DEF(0xC813EC18, 0x583529F6), ++ BN_DEF(0xA09800D7, 0x72ED9C17), BN_DEF(0x56CF2987, 0xFC7FCA03), ++ BN_DEF(0x1EDD1BDE, 0x64BA8F3B), BN_DEF(0x3013236F, 0x60EA6E59), ++ BN_DEF(0x693E3813, 0x1B61FD5A), BN_DEF(0x9A014249, 0xA6FA1AE4), ++ BN_DEF(0x48536047, 0xC37FDBEE), BN_DEF(0x46C7EEE0, 0xC9DA754C), ++ BN_DEF(0xEAD82D54, 0x68034893), BN_DEF(0x10B8240E, 0xDC0DEEBB), ++ BN_DEF(0x67716BD7, 0x8FB094B8), BN_DEF(0x28ADF3F6, 0x119DD0C3), ++ BN_DEF(0xD04861D1, 0xCCD94B27), BN_DEF(0xA735E02E, 0x143E2CA3), ++ BN_DEF(0x0FDF6553, 0x97477E0A), BN_DEF(0x826F477C, 0x6DDDE16D), ++ BN_DEF(0x156A2674, 0x12C1F4E5), BN_DEF(0x5B0A85ED, 0x0D4A341A), ++ BN_DEF(0x357A711E, 0x4CE1938C), BN_DEF(0x5EDD2D93, 0xC438CD08), ++ BN_DEF(0x53C3F36B, 0x8D391E09), BN_DEF(0x54908400, 0x25C16890), ++ BN_DEF(0x707E8847, 0xA1EDADFE), BN_DEF(0x3A72D598, 0x047127D0), ++ BN_DEF(0x5D6CA371, 0x3B84C460), BN_DEF(0xBD30AEB6, 0x5DF08BAB), ++ BN_DEF(0x0BBD9006, 0x290F958C), BN_DEF(0x9F643532, 0x6C3B0139), ++ BN_DEF(0x6CC50432, 0xF897FD03), BN_DEF(0x0D697735, 0xE771E913), ++ BN_DEF(0x2512B0CE, 0x8F464A70), BN_DEF(0x6D8499EB, 0xD5FAD746), ++ BN_DEF(0xD370F263, 0xD9CB87C2), BN_DEF(0xAE83063E, 0x457538AB), ++ BN_DEF(0x2C6DF785, 0x767DC282), BN_DEF(0xEF8E5D32, 0xD42A90D5), ++ BN_DEF(0x82283D19, 0xD6998B86), BN_DEF(0x45556216, 0x0AB9472D), ++ BN_DEF(0x4C7D0288, 0x8AE9130C), BN_DEF(0x754AB572, 0x1CCAA4BE), ++ BN_DEF(0x4AAC0B8C, 0xEF15E5FB), BN_DEF(0x37A62964, 0xDAE2AEF8), ++ BN_DEF(0x7603D147, 0xCD93C1D1), BN_DEF(0x0C074301, 0xF1CF3B96), ++ BN_DEF(0x171B671D, 0x19482F23), BN_DEF(0x650C10BE, 0x78BA3604), ++ BN_DEF(0x255E4C02, 0xB3861AA7), BN_DEF(0xB84B4B36, 0xCF6A9483), ++ BN_DEF(0x1042A95D, 0x0E3179AB), BN_DEF(0xEE51D6CB, 0xC1B2AE91), ++ BN_DEF(0x7E9267AF, 0x348B1FD4), BN_DEF(0x0E2AE9CD, 0xCC6D241B), ++ BN_DEF(0x50B1DF82, 0xE1003E5C), BN_DEF(0xF6722D9E, 0x24943328), ++ BN_DEF(0xBE258FF3, 0xD74F9208), BN_DEF(0xAD44CFD2, 0xF71C35FD), ++ BN_DEF(0x7A035BF6, 0x85FFAE5B), BN_DEF(0xD31BF6B5, 0x7A262174), ++ BN_DEF(0x312F3F63, 0xF242DABB), BN_DEF(0xB6A8E122, 0xA7F09AB6), ++ BN_DEF(0xF92F8A1B, 0x98158536), BN_DEF(0xE69D218D, 0xF7CA8CD9), ++ BN_DEF(0xC71A026E, 0x28A5043C), BN_DEF(0x1D89CD91, 0x0105DF53), ++ BN_DEF(0x4533E63A, 0x94812704), BN_DEF(0xC06E0E68, 0x62633145), ++ BN_DEF(0x10B4611A, 0xE487ED51), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), + }; + +-# elif BN_BITS2 == 32 +- ++/* DH parameters from RFC5114 */ + static const BN_ULONG dh1024_160_p[] = { +- 0x2E4A4371, 0xDF1FB2BC, 0x6D4DA708, 0xE68CFDA7, 0x365C1A65, 0x45BF37DF, +- 0x0DC8B4BD, 0xA151AF5F, 0xF55BCCC0, 0xFAA31A4F, 0xE5644738, 0x4EFFD6FA, +- 0x219A7372, 0x98488E9C, 0x90C4BD70, 0xACCBDD7D, 0xD49B83BF, 0x24975C3C, +- 0xA9061123, 0x13ECB4AE, 0x2EE652C0, 0x9838EF1E, 0x75A23D18, 0x6073E286, +- 0x52D23B61, 0x9A6A9DCA, 0xFB06A3C6, 0x52C99FBC, 0xAE5D54EC, 0xDE92DE5E, +- 0xA080E01D, 0xB10B8F96 ++ BN_DEF(0x2E4A4371, 0xDF1FB2BC), BN_DEF(0x6D4DA708, 0xE68CFDA7), ++ BN_DEF(0x365C1A65, 0x45BF37DF), BN_DEF(0x0DC8B4BD, 0xA151AF5F), ++ BN_DEF(0xF55BCCC0, 0xFAA31A4F), BN_DEF(0xE5644738, 0x4EFFD6FA), ++ BN_DEF(0x219A7372, 0x98488E9C), BN_DEF(0x90C4BD70, 0xACCBDD7D), ++ BN_DEF(0xD49B83BF, 0x24975C3C), BN_DEF(0xA9061123, 0x13ECB4AE), ++ BN_DEF(0x2EE652C0, 0x9838EF1E), BN_DEF(0x75A23D18, 0x6073E286), ++ BN_DEF(0x52D23B61, 0x9A6A9DCA), BN_DEF(0xFB06A3C6, 0x52C99FBC), ++ BN_DEF(0xAE5D54EC, 0xDE92DE5E), BN_DEF(0xA080E01D, 0xB10B8F96) + }; +- +-static const BN_ULONG dh1024_160_g[] = { +- 0x22B3B2E5, 0x855E6EEB, 0xF97C2A24, 0x858F4DCE, 0x18D08BC8, 0x2D779D59, +- 0x8E73AFA3, 0xD662A4D1, 0x69B6A28A, 0x1DBF0A01, 0x7A091F53, 0xA6A24C08, +- 0x63F80A76, 0x909D0D22, 0xB9A92EE1, 0xD7FBD7D3, 0x9E2749F4, 0x5E91547F, +- 0xB01B886A, 0x160217B4, 0x5504F213, 0x777E690F, 0x5C41564B, 0x266FEA1E, +- 0x14266D31, 0xD6406CFF, 0x58AC507F, 0xF8104DD2, 0xEFB99905, 0x6765A442, +- 0xC3FD3412, 0xA4D1CBD5 +-}; +- + static const BN_ULONG dh1024_160_q[] = { +- 0x49462353, 0x64B7CB9D, 0x8ABA4E7D, 0x81A8DF27, 0xF518AA87 ++ BN_DEF(0x49462353, 0x64B7CB9D), BN_DEF(0x8ABA4E7D, 0x81A8DF27), ++ (BN_ULONG)0xF518AA87 + }; +- +-static const BN_ULONG dh2048_224_p[] = { +- 0x0C10E64F, 0x0AC4DFFE, 0x4E71B81C, 0xCF9DE538, 0xFFA31F71, 0x7EF363E2, +- 0x6B8E75B9, 0xE3FB73C1, 0x4BA80A29, 0xC9B53DCF, 0x16E79763, 0x23F10B0E, +- 0x13042E9B, 0xC52172E4, 0xC928B2B9, 0xBE60E69C, 0xB9E587E8, 0x80CD86A1, +- 0x98C641A4, 0x315D75E1, 0x44328387, 0xCDF93ACC, 0xDC0A486D, 0x15987D9A, +- 0x1FD5A074, 0x7310F712, 0xDE31EFDC, 0x278273C7, 0x415D9330, 0x1602E714, +- 0xBC8985DB, 0x81286130, 0x70918836, 0xB3BF8A31, 0xB9C49708, 0x6A00E0A0, +- 0x8BBC27BE, 0xC6BA0B2C, 0xED34DBF6, 0xC9F98D11, 0xB6C12207, 0x7AD5B7D0, +- 0x55B7394B, 0xD91E8FEF, 0xEFDA4DF8, 0x9037C9ED, 0xAD6AC212, 0x6D3F8152, +- 0x1274A0A6, 0x1DE6B85A, 0x309C180E, 0xEB3D688A, 0x7BA1DF15, 0xAF9A3C40, +- 0xF95A56DB, 0xE6FA141D, 0xB61D0A75, 0xB54B1597, 0x683B9FD1, 0xA20D64E5, +- 0x9559C51F, 0xD660FAA7, 0x9123A9D0, 0xAD107E1E ++static const BN_ULONG dh1024_160_g[] = { ++ BN_DEF(0x22B3B2E5, 0x855E6EEB), BN_DEF(0xF97C2A24, 0x858F4DCE), ++ BN_DEF(0x18D08BC8, 0x2D779D59), BN_DEF(0x8E73AFA3, 0xD662A4D1), ++ BN_DEF(0x69B6A28A, 0x1DBF0A01), BN_DEF(0x7A091F53, 0xA6A24C08), ++ BN_DEF(0x63F80A76, 0x909D0D22), BN_DEF(0xB9A92EE1, 0xD7FBD7D3), ++ BN_DEF(0x9E2749F4, 0x5E91547F), BN_DEF(0xB01B886A, 0x160217B4), ++ BN_DEF(0x5504F213, 0x777E690F), BN_DEF(0x5C41564B, 0x266FEA1E), ++ BN_DEF(0x14266D31, 0xD6406CFF), BN_DEF(0x58AC507F, 0xF8104DD2), ++ BN_DEF(0xEFB99905, 0x6765A442), BN_DEF(0xC3FD3412, 0xA4D1CBD5) + }; + +-static const BN_ULONG dh2048_224_g[] = { +- 0x191F2BFA, 0x84B890D3, 0x2A7065B3, 0x81BC087F, 0xF6EC0179, 0x19C418E1, +- 0x71CFFF4C, 0x7B5A0F1C, 0x9B6AA4BD, 0xEDFE72FE, 0x94B30269, 0x81E1BCFE, +- 0x8D6C0191, 0x566AFBB4, 0x409D13CD, 0xB539CCE3, 0x5F2FF381, 0x6AA21E7F, +- 0x770589EF, 0xD9E263E4, 0xD19963DD, 0x10E183ED, 0x150B8EEB, 0xB70A8137, +- 0x28C8F8AC, 0x051AE3D4, 0x0C1AB15B, 0xBB77A86F, 0x16A330EF, 0x6E3025E3, +- 0xD6F83456, 0x19529A45, 0x118E98D1, 0xF180EB34, 0x50717CBE, 0xB5F6C6B2, +- 0xDA7460CD, 0x09939D54, 0x22EA1ED4, 0xE2471504, 0x521BC98A, 0xB8A762D0, +- 0x5AC1348B, 0xF4D02727, 0x1999024A, 0xC1766910, 0xA8D66AD7, 0xBE5E9001, +- 0x620A8652, 0xC57DB17C, 0x00C29F52, 0xAB739D77, 0xA70C4AFA, 0xDD921F01, +- 0x10B9A6F0, 0xA6824A4E, 0xCFE4FFE3, 0x74866A08, 0x89998CAF, 0x6CDEBE7B, +- 0x8FFDAC50, 0x9DF30B5C, 0x4F2D9AE3, 0xAC4032EF ++static const BN_ULONG dh2048_224_p[] = { ++ BN_DEF(0x0C10E64F, 0x0AC4DFFE), BN_DEF(0x4E71B81C, 0xCF9DE538), ++ BN_DEF(0xFFA31F71, 0x7EF363E2), BN_DEF(0x6B8E75B9, 0xE3FB73C1), ++ BN_DEF(0x4BA80A29, 0xC9B53DCF), BN_DEF(0x16E79763, 0x23F10B0E), ++ BN_DEF(0x13042E9B, 0xC52172E4), BN_DEF(0xC928B2B9, 0xBE60E69C), ++ BN_DEF(0xB9E587E8, 0x80CD86A1), BN_DEF(0x98C641A4, 0x315D75E1), ++ BN_DEF(0x44328387, 0xCDF93ACC), BN_DEF(0xDC0A486D, 0x15987D9A), ++ BN_DEF(0x1FD5A074, 0x7310F712), BN_DEF(0xDE31EFDC, 0x278273C7), ++ BN_DEF(0x415D9330, 0x1602E714), BN_DEF(0xBC8985DB, 0x81286130), ++ BN_DEF(0x70918836, 0xB3BF8A31), BN_DEF(0xB9C49708, 0x6A00E0A0), ++ BN_DEF(0x8BBC27BE, 0xC6BA0B2C), BN_DEF(0xED34DBF6, 0xC9F98D11), ++ BN_DEF(0xB6C12207, 0x7AD5B7D0), BN_DEF(0x55B7394B, 0xD91E8FEF), ++ BN_DEF(0xEFDA4DF8, 0x9037C9ED), BN_DEF(0xAD6AC212, 0x6D3F8152), ++ BN_DEF(0x1274A0A6, 0x1DE6B85A), BN_DEF(0x309C180E, 0xEB3D688A), ++ BN_DEF(0x7BA1DF15, 0xAF9A3C40), BN_DEF(0xF95A56DB, 0xE6FA141D), ++ BN_DEF(0xB61D0A75, 0xB54B1597), BN_DEF(0x683B9FD1, 0xA20D64E5), ++ BN_DEF(0x9559C51F, 0xD660FAA7), BN_DEF(0x9123A9D0, 0xAD107E1E) + }; +- + static const BN_ULONG dh2048_224_q[] = { +- 0xB36371EB, 0xBF389A99, 0x4738CEBC, 0x1F80535A, 0x99717710, 0xC58D93FE, +- 0x801C0D34 ++ BN_DEF(0xB36371EB, 0xBF389A99), BN_DEF(0x4738CEBC, 0x1F80535A), ++ BN_DEF(0x99717710, 0xC58D93FE), (BN_ULONG)0x801C0D34 + }; +- +-static const BN_ULONG dh2048_256_p[] = { +- 0x1E1A1597, 0xDB094AE9, 0xD7EF09CA, 0x693877FA, 0x6E11715F, 0x6116D227, +- 0xC198AF12, 0xA4B54330, 0xD7014103, 0x75F26375, 0x54E710C3, 0xC3A3960A, +- 0xBD0BE621, 0xDED4010A, 0x89962856, 0xC0B857F6, 0x71506026, 0xB3CA3F79, +- 0xE6B486F6, 0x1CCACB83, 0x14056425, 0x67E144E5, 0xA41825D9, 0xF6A167B5, +- 0x96524D8E, 0x3AD83477, 0x51BFA4AB, 0xF13C6D9A, 0x35488A0E, 0x2D525267, +- 0xCAA6B790, 0xB63ACAE1, 0x81B23F76, 0x4FDB70C5, 0x12307F5C, 0xBC39A0BF, +- 0xB1E59BB8, 0xB941F54E, 0xD45F9088, 0x6C5BFC11, 0x4275BF7B, 0x22E0B1EF, +- 0x5B4758C0, 0x91F9E672, 0x6BCF67ED, 0x5A8A9D30, 0x97517ABD, 0x209E0C64, +- 0x830E9A7C, 0x3BF4296D, 0x34096FAA, 0x16C3D911, 0x61B2AA30, 0xFAF7DF45, +- 0xD61957D4, 0xE00DF8F1, 0x435E3B00, 0x5D2CEED4, 0x660DD0F2, 0x8CEEF608, +- 0x65195999, 0xFFBBD19C, 0xB4B6663C, 0x87A8E61D ++static const BN_ULONG dh2048_224_g[] = { ++ BN_DEF(0x191F2BFA, 0x84B890D3), BN_DEF(0x2A7065B3, 0x81BC087F), ++ BN_DEF(0xF6EC0179, 0x19C418E1), BN_DEF(0x71CFFF4C, 0x7B5A0F1C), ++ BN_DEF(0x9B6AA4BD, 0xEDFE72FE), BN_DEF(0x94B30269, 0x81E1BCFE), ++ BN_DEF(0x8D6C0191, 0x566AFBB4), BN_DEF(0x409D13CD, 0xB539CCE3), ++ BN_DEF(0x5F2FF381, 0x6AA21E7F), BN_DEF(0x770589EF, 0xD9E263E4), ++ BN_DEF(0xD19963DD, 0x10E183ED), BN_DEF(0x150B8EEB, 0xB70A8137), ++ BN_DEF(0x28C8F8AC, 0x051AE3D4), BN_DEF(0x0C1AB15B, 0xBB77A86F), ++ BN_DEF(0x16A330EF, 0x6E3025E3), BN_DEF(0xD6F83456, 0x19529A45), ++ BN_DEF(0x118E98D1, 0xF180EB34), BN_DEF(0x50717CBE, 0xB5F6C6B2), ++ BN_DEF(0xDA7460CD, 0x09939D54), BN_DEF(0x22EA1ED4, 0xE2471504), ++ BN_DEF(0x521BC98A, 0xB8A762D0), BN_DEF(0x5AC1348B, 0xF4D02727), ++ BN_DEF(0x1999024A, 0xC1766910), BN_DEF(0xA8D66AD7, 0xBE5E9001), ++ BN_DEF(0x620A8652, 0xC57DB17C), BN_DEF(0x00C29F52, 0xAB739D77), ++ BN_DEF(0xA70C4AFA, 0xDD921F01), BN_DEF(0x10B9A6F0, 0xA6824A4E), ++ BN_DEF(0xCFE4FFE3, 0x74866A08), BN_DEF(0x89998CAF, 0x6CDEBE7B), ++ BN_DEF(0x8FFDAC50, 0x9DF30B5C), BN_DEF(0x4F2D9AE3, 0xAC4032EF) + }; + +-static const BN_ULONG dh2048_256_g[] = { +- 0x6CC41659, 0x664B4C0F, 0xEF98C582, 0x5E2327CF, 0xD4795451, 0xD647D148, +- 0x90F00EF8, 0x2F630784, 0x1DB246C3, 0x184B523D, 0xCDC67EB6, 0xC7891428, +- 0x0DF92B52, 0x7FD02837, 0x64E0EC37, 0xB3353BBB, 0x57CD0915, 0xECD06E15, +- 0xDF016199, 0xB7D2BBD2, 0x052588B9, 0xC8484B1E, 0x13D3FE14, 0xDB2A3B73, +- 0xD182EA0A, 0xD052B985, 0xE83B9C80, 0xA4BD1BFF, 0xFB3F2E55, 0xDFC967C1, +- 0x767164E1, 0xB5045AF2, 0x6F2F9193, 0x1D14348F, 0x428EBC83, 0x64E67982, +- 0x82D6ED38, 0x8AC376D2, 0xAAB8A862, 0x777DE62A, 0xE9EC144B, 0xDDF463E5, +- 0xC77A57F2, 0x0196F931, 0x41000A65, 0xA55AE313, 0xC28CBB18, 0x901228F8, +- 0x7E8C6F62, 0xBC3773BF, 0x0C6B47B1, 0xBE3A6C1B, 0xAC0BB555, 0xFF4FED4A, +- 0x77BE463F, 0x10DBC150, 0x1A0BA125, 0x07F4793A, 0x21EF2054, 0x4CA7B18F, +- 0x60EDBD48, 0x2E775066, 0x73134D0B, 0x3FB32C9B ++static const BN_ULONG dh2048_256_p[] = { ++ BN_DEF(0x1E1A1597, 0xDB094AE9), BN_DEF(0xD7EF09CA, 0x693877FA), ++ BN_DEF(0x6E11715F, 0x6116D227), BN_DEF(0xC198AF12, 0xA4B54330), ++ BN_DEF(0xD7014103, 0x75F26375), BN_DEF(0x54E710C3, 0xC3A3960A), ++ BN_DEF(0xBD0BE621, 0xDED4010A), BN_DEF(0x89962856, 0xC0B857F6), ++ BN_DEF(0x71506026, 0xB3CA3F79), BN_DEF(0xE6B486F6, 0x1CCACB83), ++ BN_DEF(0x14056425, 0x67E144E5), BN_DEF(0xA41825D9, 0xF6A167B5), ++ BN_DEF(0x96524D8E, 0x3AD83477), BN_DEF(0x51BFA4AB, 0xF13C6D9A), ++ BN_DEF(0x35488A0E, 0x2D525267), BN_DEF(0xCAA6B790, 0xB63ACAE1), ++ BN_DEF(0x81B23F76, 0x4FDB70C5), BN_DEF(0x12307F5C, 0xBC39A0BF), ++ BN_DEF(0xB1E59BB8, 0xB941F54E), BN_DEF(0xD45F9088, 0x6C5BFC11), ++ BN_DEF(0x4275BF7B, 0x22E0B1EF), BN_DEF(0x5B4758C0, 0x91F9E672), ++ BN_DEF(0x6BCF67ED, 0x5A8A9D30), BN_DEF(0x97517ABD, 0x209E0C64), ++ BN_DEF(0x830E9A7C, 0x3BF4296D), BN_DEF(0x34096FAA, 0x16C3D911), ++ BN_DEF(0x61B2AA30, 0xFAF7DF45), BN_DEF(0xD61957D4, 0xE00DF8F1), ++ BN_DEF(0x435E3B00, 0x5D2CEED4), BN_DEF(0x660DD0F2, 0x8CEEF608), ++ BN_DEF(0x65195999, 0xFFBBD19C), BN_DEF(0xB4B6663C, 0x87A8E61D) + }; +- + static const BN_ULONG dh2048_256_q[] = { +- 0x64F5FBD3, 0xA308B0FE, 0x1EB3750B, 0x99B1A47D, 0x40129DA2, 0xB4479976, +- 0xA709A097, 0x8CF83642 ++ BN_DEF(0x64F5FBD3, 0xA308B0FE), BN_DEF(0x1EB3750B, 0x99B1A47D), ++ BN_DEF(0x40129DA2, 0xB4479976), BN_DEF(0xA709A097, 0x8CF83642) ++}; ++static const BN_ULONG dh2048_256_g[] = { ++ BN_DEF(0x6CC41659, 0x664B4C0F), BN_DEF(0xEF98C582, 0x5E2327CF), ++ BN_DEF(0xD4795451, 0xD647D148), BN_DEF(0x90F00EF8, 0x2F630784), ++ BN_DEF(0x1DB246C3, 0x184B523D), BN_DEF(0xCDC67EB6, 0xC7891428), ++ BN_DEF(0x0DF92B52, 0x7FD02837), BN_DEF(0x64E0EC37, 0xB3353BBB), ++ BN_DEF(0x57CD0915, 0xECD06E15), BN_DEF(0xDF016199, 0xB7D2BBD2), ++ BN_DEF(0x052588B9, 0xC8484B1E), BN_DEF(0x13D3FE14, 0xDB2A3B73), ++ BN_DEF(0xD182EA0A, 0xD052B985), BN_DEF(0xE83B9C80, 0xA4BD1BFF), ++ BN_DEF(0xFB3F2E55, 0xDFC967C1), BN_DEF(0x767164E1, 0xB5045AF2), ++ BN_DEF(0x6F2F9193, 0x1D14348F), BN_DEF(0x428EBC83, 0x64E67982), ++ BN_DEF(0x82D6ED38, 0x8AC376D2), BN_DEF(0xAAB8A862, 0x777DE62A), ++ BN_DEF(0xE9EC144B, 0xDDF463E5), BN_DEF(0xC77A57F2, 0x0196F931), ++ BN_DEF(0x41000A65, 0xA55AE313), BN_DEF(0xC28CBB18, 0x901228F8), ++ BN_DEF(0x7E8C6F62, 0xBC3773BF), BN_DEF(0x0C6B47B1, 0xBE3A6C1B), ++ BN_DEF(0xAC0BB555, 0xFF4FED4A), BN_DEF(0x77BE463F, 0x10DBC150), ++ BN_DEF(0x1A0BA125, 0x07F4793A), BN_DEF(0x21EF2054, 0x4CA7B18F), ++ BN_DEF(0x60EDBD48, 0x2E775066), BN_DEF(0x73134D0B, 0x3FB32C9B) + }; + + /* Primes from RFC 7919 */ +- + static const BN_ULONG ffdhe2048_p[] = { +- 0xFFFFFFFF, 0xFFFFFFFF, 0x61285C97, 0x886B4238, 0xC1B2EFFA, 0xC6F34A26, +- 0x7D1683B2, 0xC58EF183, 0x2EC22005, 0x3BB5FCBC, 0x4C6FAD73, 0xC3FE3B1B, +- 0xEEF28183, 0x8E4F1232, 0xE98583FF, 0x9172FE9C, 0x28342F61, 0xC03404CD, +- 0xCDF7E2EC, 0x9E02FCE1, 0xEE0A6D70, 0x0B07A7C8, 0x6372BB19, 0xAE56EDE7, +- 0xDE394DF4, 0x1D4F42A3, 0x60D7F468, 0xB96ADAB7, 0xB2C8E3FB, 0xD108A94B, +- 0xB324FB61, 0xBC0AB182, 0x483A797A, 0x30ACCA4F, 0x36ADE735, 0x1DF158A1, +- 0xF3EFE872, 0xE2A689DA, 0xE0E68B77, 0x984F0C70, 0x7F57C935, 0xB557135E, +- 0x3DED1AF3, 0x85636555, 0x5F066ED0, 0x2433F51F, 0xD5FD6561, 0xD3DF1ED5, +- 0xAEC4617A, 0xF681B202, 0x630C75D8, 0x7D2FE363, 0x249B3EF9, 0xCC939DCE, +- 0x146433FB, 0xA9E13641, 0xCE2D3695, 0xD8B9C583, 0x273D3CF1, 0xAFDC5620, +- 0xA2BB4A9A, 0xADF85458, 0xFFFFFFFF, 0xFFFFFFFF ++ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x61285C97, 0x886B4238), ++ BN_DEF(0xC1B2EFFA, 0xC6F34A26), BN_DEF(0x7D1683B2, 0xC58EF183), ++ BN_DEF(0x2EC22005, 0x3BB5FCBC), BN_DEF(0x4C6FAD73, 0xC3FE3B1B), ++ BN_DEF(0xEEF28183, 0x8E4F1232), BN_DEF(0xE98583FF, 0x9172FE9C), ++ BN_DEF(0x28342F61, 0xC03404CD), BN_DEF(0xCDF7E2EC, 0x9E02FCE1), ++ BN_DEF(0xEE0A6D70, 0x0B07A7C8), BN_DEF(0x6372BB19, 0xAE56EDE7), ++ BN_DEF(0xDE394DF4, 0x1D4F42A3), BN_DEF(0x60D7F468, 0xB96ADAB7), ++ BN_DEF(0xB2C8E3FB, 0xD108A94B), BN_DEF(0xB324FB61, 0xBC0AB182), ++ BN_DEF(0x483A797A, 0x30ACCA4F), BN_DEF(0x36ADE735, 0x1DF158A1), ++ BN_DEF(0xF3EFE872, 0xE2A689DA), BN_DEF(0xE0E68B77, 0x984F0C70), ++ BN_DEF(0x7F57C935, 0xB557135E), BN_DEF(0x3DED1AF3, 0x85636555), ++ BN_DEF(0x5F066ED0, 0x2433F51F), BN_DEF(0xD5FD6561, 0xD3DF1ED5), ++ BN_DEF(0xAEC4617A, 0xF681B202), BN_DEF(0x630C75D8, 0x7D2FE363), ++ BN_DEF(0x249B3EF9, 0xCC939DCE), BN_DEF(0x146433FB, 0xA9E13641), ++ BN_DEF(0xCE2D3695, 0xD8B9C583), BN_DEF(0x273D3CF1, 0xAFDC5620), ++ BN_DEF(0xA2BB4A9A, 0xADF85458), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF) ++}; ++/* q = (p - 1) / 2 */ ++static const BN_ULONG ffdhe2048_q[] = { ++ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x30942E4B, 0x4435A11C), ++ BN_DEF(0x60D977FD, 0x6379A513), BN_DEF(0xBE8B41D9, 0xE2C778C1), ++ BN_DEF(0x17611002, 0x9DDAFE5E), BN_DEF(0xA637D6B9, 0xE1FF1D8D), ++ BN_DEF(0x777940C1, 0xC7278919), BN_DEF(0x74C2C1FF, 0xC8B97F4E), ++ BN_DEF(0x941A17B0, 0x601A0266), BN_DEF(0xE6FBF176, 0x4F017E70), ++ BN_DEF(0x770536B8, 0x8583D3E4), BN_DEF(0xB1B95D8C, 0x572B76F3), ++ BN_DEF(0xEF1CA6FA, 0x0EA7A151), BN_DEF(0xB06BFA34, 0xDCB56D5B), ++ BN_DEF(0xD96471FD, 0xE88454A5), BN_DEF(0x59927DB0, 0x5E0558C1), ++ BN_DEF(0xA41D3CBD, 0x98566527), BN_DEF(0x9B56F39A, 0x0EF8AC50), ++ BN_DEF(0x79F7F439, 0xF15344ED), BN_DEF(0x707345BB, 0xCC278638), ++ BN_DEF(0x3FABE49A, 0xDAAB89AF), BN_DEF(0x9EF68D79, 0x42B1B2AA), ++ BN_DEF(0xAF833768, 0x9219FA8F), BN_DEF(0xEAFEB2B0, 0x69EF8F6A), ++ BN_DEF(0x576230BD, 0x7B40D901), BN_DEF(0xB1863AEC, 0xBE97F1B1), ++ BN_DEF(0x124D9F7C, 0xE649CEE7), BN_DEF(0x8A3219FD, 0xD4F09B20), ++ BN_DEF(0xE7169B4A, 0xEC5CE2C1), BN_DEF(0x139E9E78, 0x57EE2B10), ++ BN_DEF(0x515DA54D, 0xD6FC2A2C), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), + }; + + static const BN_ULONG ffdhe3072_p[] = { +- 0xFFFFFFFF, 0xFFFFFFFF, 0x66C62E37, 0x25E41D2B, 0x3FD59D7C, 0x3C1B20EE, +- 0xFA53DDEF, 0x0ABCD06B, 0xD5C4484E, 0x1DBF9A42, 0x9B0DEADA, 0xABC52197, +- 0x22363A0D, 0xE86D2BC5, 0x9C9DF69E, 0x5CAE82AB, 0x71F54BFF, 0x64F2E21E, +- 0xE2D74DD3, 0xF4FD4452, 0xBC437944, 0xB4130C93, 0x85139270, 0xAEFE1309, +- 0xC186D91C, 0x598CB0FA, 0x91F7F7EE, 0x7AD91D26, 0xD6E6C907, 0x61B46FC9, +- 0xF99C0238, 0xBC34F4DE, 0x6519035B, 0xDE355B3B, 0x611FCFDC, 0x886B4238, +- 0xC1B2EFFA, 0xC6F34A26, 0x7D1683B2, 0xC58EF183, 0x2EC22005, 0x3BB5FCBC, +- 0x4C6FAD73, 0xC3FE3B1B, 0xEEF28183, 0x8E4F1232, 0xE98583FF, 0x9172FE9C, +- 0x28342F61, 0xC03404CD, 0xCDF7E2EC, 0x9E02FCE1, 0xEE0A6D70, 0x0B07A7C8, +- 0x6372BB19, 0xAE56EDE7, 0xDE394DF4, 0x1D4F42A3, 0x60D7F468, 0xB96ADAB7, +- 0xB2C8E3FB, 0xD108A94B, 0xB324FB61, 0xBC0AB182, 0x483A797A, 0x30ACCA4F, +- 0x36ADE735, 0x1DF158A1, 0xF3EFE872, 0xE2A689DA, 0xE0E68B77, 0x984F0C70, +- 0x7F57C935, 0xB557135E, 0x3DED1AF3, 0x85636555, 0x5F066ED0, 0x2433F51F, +- 0xD5FD6561, 0xD3DF1ED5, 0xAEC4617A, 0xF681B202, 0x630C75D8, 0x7D2FE363, +- 0x249B3EF9, 0xCC939DCE, 0x146433FB, 0xA9E13641, 0xCE2D3695, 0xD8B9C583, +- 0x273D3CF1, 0xAFDC5620, 0xA2BB4A9A, 0xADF85458, 0xFFFFFFFF, 0xFFFFFFFF ++ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x66C62E37, 0x25E41D2B), ++ BN_DEF(0x3FD59D7C, 0x3C1B20EE), BN_DEF(0xFA53DDEF, 0x0ABCD06B), ++ BN_DEF(0xD5C4484E, 0x1DBF9A42), BN_DEF(0x9B0DEADA, 0xABC52197), ++ BN_DEF(0x22363A0D, 0xE86D2BC5), BN_DEF(0x9C9DF69E, 0x5CAE82AB), ++ BN_DEF(0x71F54BFF, 0x64F2E21E), BN_DEF(0xE2D74DD3, 0xF4FD4452), ++ BN_DEF(0xBC437944, 0xB4130C93), BN_DEF(0x85139270, 0xAEFE1309), ++ BN_DEF(0xC186D91C, 0x598CB0FA), BN_DEF(0x91F7F7EE, 0x7AD91D26), ++ BN_DEF(0xD6E6C907, 0x61B46FC9), BN_DEF(0xF99C0238, 0xBC34F4DE), ++ BN_DEF(0x6519035B, 0xDE355B3B), BN_DEF(0x611FCFDC, 0x886B4238), ++ BN_DEF(0xC1B2EFFA, 0xC6F34A26), BN_DEF(0x7D1683B2, 0xC58EF183), ++ BN_DEF(0x2EC22005, 0x3BB5FCBC), BN_DEF(0x4C6FAD73, 0xC3FE3B1B), ++ BN_DEF(0xEEF28183, 0x8E4F1232), BN_DEF(0xE98583FF, 0x9172FE9C), ++ BN_DEF(0x28342F61, 0xC03404CD), BN_DEF(0xCDF7E2EC, 0x9E02FCE1), ++ BN_DEF(0xEE0A6D70, 0x0B07A7C8), BN_DEF(0x6372BB19, 0xAE56EDE7), ++ BN_DEF(0xDE394DF4, 0x1D4F42A3), BN_DEF(0x60D7F468, 0xB96ADAB7), ++ BN_DEF(0xB2C8E3FB, 0xD108A94B), BN_DEF(0xB324FB61, 0xBC0AB182), ++ BN_DEF(0x483A797A, 0x30ACCA4F), BN_DEF(0x36ADE735, 0x1DF158A1), ++ BN_DEF(0xF3EFE872, 0xE2A689DA), BN_DEF(0xE0E68B77, 0x984F0C70), ++ BN_DEF(0x7F57C935, 0xB557135E), BN_DEF(0x3DED1AF3, 0x85636555), ++ BN_DEF(0x5F066ED0, 0x2433F51F), BN_DEF(0xD5FD6561, 0xD3DF1ED5), ++ BN_DEF(0xAEC4617A, 0xF681B202), BN_DEF(0x630C75D8, 0x7D2FE363), ++ BN_DEF(0x249B3EF9, 0xCC939DCE), BN_DEF(0x146433FB, 0xA9E13641), ++ BN_DEF(0xCE2D3695, 0xD8B9C583), BN_DEF(0x273D3CF1, 0xAFDC5620), ++ BN_DEF(0xA2BB4A9A, 0xADF85458), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF) ++}; ++/* q = (p - 1) / 2 */ ++static const BN_ULONG ffdhe3072_q[] = { ++ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0xB363171B, 0x12F20E95), ++ BN_DEF(0x1FEACEBE, 0x9E0D9077), BN_DEF(0xFD29EEF7, 0x055E6835), ++ BN_DEF(0x6AE22427, 0x0EDFCD21), BN_DEF(0xCD86F56D, 0xD5E290CB), ++ BN_DEF(0x911B1D06, 0x743695E2), BN_DEF(0xCE4EFB4F, 0xAE574155), ++ BN_DEF(0x38FAA5FF, 0xB279710F), BN_DEF(0x716BA6E9, 0x7A7EA229), ++ BN_DEF(0xDE21BCA2, 0x5A098649), BN_DEF(0xC289C938, 0x577F0984), ++ BN_DEF(0x60C36C8E, 0x2CC6587D), BN_DEF(0x48FBFBF7, 0xBD6C8E93), ++ BN_DEF(0xEB736483, 0x30DA37E4), BN_DEF(0x7CCE011C, 0xDE1A7A6F), ++ BN_DEF(0xB28C81AD, 0x6F1AAD9D), BN_DEF(0x308FE7EE, 0x4435A11C), ++ BN_DEF(0x60D977FD, 0x6379A513), BN_DEF(0xBE8B41D9, 0xE2C778C1), ++ BN_DEF(0x17611002, 0x9DDAFE5E), BN_DEF(0xA637D6B9, 0xE1FF1D8D), ++ BN_DEF(0x777940C1, 0xC7278919), BN_DEF(0x74C2C1FF, 0xC8B97F4E), ++ BN_DEF(0x941A17B0, 0x601A0266), BN_DEF(0xE6FBF176, 0x4F017E70), ++ BN_DEF(0x770536B8, 0x8583D3E4), BN_DEF(0xB1B95D8C, 0x572B76F3), ++ BN_DEF(0xEF1CA6FA, 0x0EA7A151), BN_DEF(0xB06BFA34, 0xDCB56D5B), ++ BN_DEF(0xD96471FD, 0xE88454A5), BN_DEF(0x59927DB0, 0x5E0558C1), ++ BN_DEF(0xA41D3CBD, 0x98566527), BN_DEF(0x9B56F39A, 0x0EF8AC50), ++ BN_DEF(0x79F7F439, 0xF15344ED), BN_DEF(0x707345BB, 0xCC278638), ++ BN_DEF(0x3FABE49A, 0xDAAB89AF), BN_DEF(0x9EF68D79, 0x42B1B2AA), ++ BN_DEF(0xAF833768, 0x9219FA8F), BN_DEF(0xEAFEB2B0, 0x69EF8F6A), ++ BN_DEF(0x576230BD, 0x7B40D901), BN_DEF(0xB1863AEC, 0xBE97F1B1), ++ BN_DEF(0x124D9F7C, 0xE649CEE7), BN_DEF(0x8A3219FD, 0xD4F09B20), ++ BN_DEF(0xE7169B4A, 0xEC5CE2C1), BN_DEF(0x139E9E78, 0x57EE2B10), ++ BN_DEF(0x515DA54D, 0xD6FC2A2C), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), + }; + + static const BN_ULONG ffdhe4096_p[] = { +- 0xFFFFFFFF, 0xFFFFFFFF, 0x5E655F6A, 0xC68A007E, 0xF44182E1, 0x4DB5A851, +- 0x7F88A46B, 0x8EC9B55A, 0xCEC97DCF, 0x0A8291CD, 0xF98D0ACC, 0x2A4ECEA9, +- 0x7140003C, 0x1A1DB93D, 0x33CB8B7A, 0x092999A3, 0x71AD0038, 0x6DC778F9, +- 0x918130C4, 0xA907600A, 0x2D9E6832, 0xED6A1E01, 0xEFB4318A, 0x7135C886, +- 0x7E31CC7A, 0x87F55BA5, 0x55034004, 0x7763CF1D, 0xD69F6D18, 0xAC7D5F42, +- 0xE58857B6, 0x7930E9E4, 0x164DF4FB, 0x6E6F52C3, 0x669E1EF1, 0x25E41D2B, +- 0x3FD59D7C, 0x3C1B20EE, 0xFA53DDEF, 0x0ABCD06B, 0xD5C4484E, 0x1DBF9A42, +- 0x9B0DEADA, 0xABC52197, 0x22363A0D, 0xE86D2BC5, 0x9C9DF69E, 0x5CAE82AB, +- 0x71F54BFF, 0x64F2E21E, 0xE2D74DD3, 0xF4FD4452, 0xBC437944, 0xB4130C93, +- 0x85139270, 0xAEFE1309, 0xC186D91C, 0x598CB0FA, 0x91F7F7EE, 0x7AD91D26, +- 0xD6E6C907, 0x61B46FC9, 0xF99C0238, 0xBC34F4DE, 0x6519035B, 0xDE355B3B, +- 0x611FCFDC, 0x886B4238, 0xC1B2EFFA, 0xC6F34A26, 0x7D1683B2, 0xC58EF183, +- 0x2EC22005, 0x3BB5FCBC, 0x4C6FAD73, 0xC3FE3B1B, 0xEEF28183, 0x8E4F1232, +- 0xE98583FF, 0x9172FE9C, 0x28342F61, 0xC03404CD, 0xCDF7E2EC, 0x9E02FCE1, +- 0xEE0A6D70, 0x0B07A7C8, 0x6372BB19, 0xAE56EDE7, 0xDE394DF4, 0x1D4F42A3, +- 0x60D7F468, 0xB96ADAB7, 0xB2C8E3FB, 0xD108A94B, 0xB324FB61, 0xBC0AB182, +- 0x483A797A, 0x30ACCA4F, 0x36ADE735, 0x1DF158A1, 0xF3EFE872, 0xE2A689DA, +- 0xE0E68B77, 0x984F0C70, 0x7F57C935, 0xB557135E, 0x3DED1AF3, 0x85636555, +- 0x5F066ED0, 0x2433F51F, 0xD5FD6561, 0xD3DF1ED5, 0xAEC4617A, 0xF681B202, +- 0x630C75D8, 0x7D2FE363, 0x249B3EF9, 0xCC939DCE, 0x146433FB, 0xA9E13641, +- 0xCE2D3695, 0xD8B9C583, 0x273D3CF1, 0xAFDC5620, 0xA2BB4A9A, 0xADF85458, +- 0xFFFFFFFF, 0xFFFFFFFF ++ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x5E655F6A, 0xC68A007E), ++ BN_DEF(0xF44182E1, 0x4DB5A851), BN_DEF(0x7F88A46B, 0x8EC9B55A), ++ BN_DEF(0xCEC97DCF, 0x0A8291CD), BN_DEF(0xF98D0ACC, 0x2A4ECEA9), ++ BN_DEF(0x7140003C, 0x1A1DB93D), BN_DEF(0x33CB8B7A, 0x092999A3), ++ BN_DEF(0x71AD0038, 0x6DC778F9), BN_DEF(0x918130C4, 0xA907600A), ++ BN_DEF(0x2D9E6832, 0xED6A1E01), BN_DEF(0xEFB4318A, 0x7135C886), ++ BN_DEF(0x7E31CC7A, 0x87F55BA5), BN_DEF(0x55034004, 0x7763CF1D), ++ BN_DEF(0xD69F6D18, 0xAC7D5F42), BN_DEF(0xE58857B6, 0x7930E9E4), ++ BN_DEF(0x164DF4FB, 0x6E6F52C3), BN_DEF(0x669E1EF1, 0x25E41D2B), ++ BN_DEF(0x3FD59D7C, 0x3C1B20EE), BN_DEF(0xFA53DDEF, 0x0ABCD06B), ++ BN_DEF(0xD5C4484E, 0x1DBF9A42), BN_DEF(0x9B0DEADA, 0xABC52197), ++ BN_DEF(0x22363A0D, 0xE86D2BC5), BN_DEF(0x9C9DF69E, 0x5CAE82AB), ++ BN_DEF(0x71F54BFF, 0x64F2E21E), BN_DEF(0xE2D74DD3, 0xF4FD4452), ++ BN_DEF(0xBC437944, 0xB4130C93), BN_DEF(0x85139270, 0xAEFE1309), ++ BN_DEF(0xC186D91C, 0x598CB0FA), BN_DEF(0x91F7F7EE, 0x7AD91D26), ++ BN_DEF(0xD6E6C907, 0x61B46FC9), BN_DEF(0xF99C0238, 0xBC34F4DE), ++ BN_DEF(0x6519035B, 0xDE355B3B), BN_DEF(0x611FCFDC, 0x886B4238), ++ BN_DEF(0xC1B2EFFA, 0xC6F34A26), BN_DEF(0x7D1683B2, 0xC58EF183), ++ BN_DEF(0x2EC22005, 0x3BB5FCBC), BN_DEF(0x4C6FAD73, 0xC3FE3B1B), ++ BN_DEF(0xEEF28183, 0x8E4F1232), BN_DEF(0xE98583FF, 0x9172FE9C), ++ BN_DEF(0x28342F61, 0xC03404CD), BN_DEF(0xCDF7E2EC, 0x9E02FCE1), ++ BN_DEF(0xEE0A6D70, 0x0B07A7C8), BN_DEF(0x6372BB19, 0xAE56EDE7), ++ BN_DEF(0xDE394DF4, 0x1D4F42A3), BN_DEF(0x60D7F468, 0xB96ADAB7), ++ BN_DEF(0xB2C8E3FB, 0xD108A94B), BN_DEF(0xB324FB61, 0xBC0AB182), ++ BN_DEF(0x483A797A, 0x30ACCA4F), BN_DEF(0x36ADE735, 0x1DF158A1), ++ BN_DEF(0xF3EFE872, 0xE2A689DA), BN_DEF(0xE0E68B77, 0x984F0C70), ++ BN_DEF(0x7F57C935, 0xB557135E), BN_DEF(0x3DED1AF3, 0x85636555), ++ BN_DEF(0x5F066ED0, 0x2433F51F), BN_DEF(0xD5FD6561, 0xD3DF1ED5), ++ BN_DEF(0xAEC4617A, 0xF681B202), BN_DEF(0x630C75D8, 0x7D2FE363), ++ BN_DEF(0x249B3EF9, 0xCC939DCE), BN_DEF(0x146433FB, 0xA9E13641), ++ BN_DEF(0xCE2D3695, 0xD8B9C583), BN_DEF(0x273D3CF1, 0xAFDC5620), ++ BN_DEF(0xA2BB4A9A, 0xADF85458), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF) ++}; ++/* q = (p - 1) / 2 */ ++static const BN_ULONG ffdhe4096_q[] = { ++ BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), BN_DEF(0x2F32AFB5, 0xE345003F), ++ BN_DEF(0xFA20C170, 0xA6DAD428), BN_DEF(0x3FC45235, 0xC764DAAD), ++ BN_DEF(0xE764BEE7, 0x054148E6), BN_DEF(0xFCC68566, 0x15276754), ++ BN_DEF(0xB8A0001E, 0x0D0EDC9E), BN_DEF(0x99E5C5BD, 0x0494CCD1), ++ BN_DEF(0xB8D6801C, 0x36E3BC7C), BN_DEF(0x48C09862, 0x5483B005), ++ BN_DEF(0x96CF3419, 0x76B50F00), BN_DEF(0x77DA18C5, 0x389AE443), ++ BN_DEF(0xBF18E63D, 0x43FAADD2), BN_DEF(0xAA81A002, 0x3BB1E78E), ++ BN_DEF(0x6B4FB68C, 0x563EAFA1), BN_DEF(0x72C42BDB, 0xBC9874F2), ++ BN_DEF(0x8B26FA7D, 0xB737A961), BN_DEF(0xB34F0F78, 0x12F20E95), ++ BN_DEF(0x1FEACEBE, 0x9E0D9077), BN_DEF(0xFD29EEF7, 0x055E6835), ++ BN_DEF(0x6AE22427, 0x0EDFCD21), BN_DEF(0xCD86F56D, 0xD5E290CB), ++ BN_DEF(0x911B1D06, 0x743695E2), BN_DEF(0xCE4EFB4F, 0xAE574155), ++ BN_DEF(0x38FAA5FF, 0xB279710F), BN_DEF(0x716BA6E9, 0x7A7EA229), ++ BN_DEF(0xDE21BCA2, 0x5A098649), BN_DEF(0xC289C938, 0x577F0984), ++ BN_DEF(0x60C36C8E, 0x2CC6587D), BN_DEF(0x48FBFBF7, 0xBD6C8E93), ++ BN_DEF(0xEB736483, 0x30DA37E4), BN_DEF(0x7CCE011C, 0xDE1A7A6F), ++ BN_DEF(0xB28C81AD, 0x6F1AAD9D), BN_DEF(0x308FE7EE, 0x4435A11C), ++ BN_DEF(0x60D977FD, 0x6379A513), BN_DEF(0xBE8B41D9, 0xE2C778C1), ++ BN_DEF(0x17611002, 0x9DDAFE5E), BN_DEF(0xA637D6B9, 0xE1FF1D8D), ++ BN_DEF(0x777940C1, 0xC7278919), BN_DEF(0x74C2C1FF, 0xC8B97F4E), ++ BN_DEF(0x941A17B0, 0x601A0266), BN_DEF(0xE6FBF176, 0x4F017E70), ++ BN_DEF(0x770536B8, 0x8583D3E4), BN_DEF(0xB1B95D8C, 0x572B76F3), ++ BN_DEF(0xEF1CA6FA, 0x0EA7A151), BN_DEF(0xB06BFA34, 0xDCB56D5B), ++ BN_DEF(0xD96471FD, 0xE88454A5), BN_DEF(0x59927DB0, 0x5E0558C1), ++ BN_DEF(0xA41D3CBD, 0x98566527), BN_DEF(0x9B56F39A, 0x0EF8AC50), ++ BN_DEF(0x79F7F439, 0xF15344ED), BN_DEF(0x707345BB, 0xCC278638), ++ BN_DEF(0x3FABE49A, 0xDAAB89AF), BN_DEF(0x9EF68D79, 0x42B1B2AA), ++ BN_DEF(0xAF833768, 0x9219FA8F), BN_DEF(0xEAFEB2B0, 0x69EF8F6A), ++ BN_DEF(0x576230BD, 0x7B40D901), BN_DEF(0xB1863AEC, 0xBE97F1B1), ++ BN_DEF(0x124D9F7C, 0xE649CEE7), BN_DEF(0x8A3219FD, 0xD4F09B20), ++ BN_DEF(0xE7169B4A, 0xEC5CE2C1), BN_DEF(0x139E9E78, 0x57EE2B10), ++ BN_DEF(0x515DA54D, 0xD6FC2A2C), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), + }; + + static const BN_ULONG ffdhe6144_p[] = { +- 0xFFFFFFFF, 0xFFFFFFFF, 0xD0E40E65, 0xA40E329C, 0x7938DAD4, 0xA41D570D, +- 0xD43161C1, 0x62A69526, 0x9ADB1E69, 0x3FDD4A8E, 0xDC6B80D6, 0x5B3B71F9, +- 0xC6272B04, 0xEC9D1810, 0xCACEF403, 0x8CCF2DD5, 0xC95B9117, 0xE49F5235, +- 0xB854338A, 0x505DC82D, 0x1562A846, 0x62292C31, 0x6AE77F5E, 0xD72B0374, +- 0x462D538C, 0xF9C9091B, 0x47A67CBE, 0x0AE8DB58, 0x22611682, 0xB3A739C1, +- 0x2A281BF6, 0xEEAAC023, 0x77CAF992, 0x94C6651E, 0x94B2BBC1, 0x763E4E4B, +- 0x0077D9B4, 0x587E38DA, 0x183023C3, 0x7FB29F8C, 0xF9E3A26E, 0x0ABEC1FF, +- 0x350511E3, 0xA00EF092, 0xDB6340D8, 0xB855322E, 0xA9A96910, 0xA52471F7, +- 0x4CFDB477, 0x388147FB, 0x4E46041F, 0x9B1F5C3E, 0xFCCFEC71, 0xCDAD0657, +- 0x4C701C3A, 0xB38E8C33, 0xB1C0FD4C, 0x917BDD64, 0x9B7624C8, 0x3BB45432, +- 0xCAF53EA6, 0x23BA4442, 0x38532A3A, 0x4E677D2C, 0x45036C7A, 0x0BFD64B6, +- 0x5E0DD902, 0xC68A007E, 0xF44182E1, 0x4DB5A851, 0x7F88A46B, 0x8EC9B55A, +- 0xCEC97DCF, 0x0A8291CD, 0xF98D0ACC, 0x2A4ECEA9, 0x7140003C, 0x1A1DB93D, +- 0x33CB8B7A, 0x092999A3, 0x71AD0038, 0x6DC778F9, 0x918130C4, 0xA907600A, +- 0x2D9E6832, 0xED6A1E01, 0xEFB4318A, 0x7135C886, 0x7E31CC7A, 0x87F55BA5, +- 0x55034004, 0x7763CF1D, 0xD69F6D18, 0xAC7D5F42, 0xE58857B6, 0x7930E9E4, +- 0x164DF4FB, 0x6E6F52C3, 0x669E1EF1, 0x25E41D2B, 0x3FD59D7C, 0x3C1B20EE, +- 0xFA53DDEF, 0x0ABCD06B, 0xD5C4484E, 0x1DBF9A42, 0x9B0DEADA, 0xABC52197, +- 0x22363A0D, 0xE86D2BC5, 0x9C9DF69E, 0x5CAE82AB, 0x71F54BFF, 0x64F2E21E, +- 0xE2D74DD3, 0xF4FD4452, 0xBC437944, 0xB4130C93, 0x85139270, 0xAEFE1309, +- 0xC186D91C, 0x598CB0FA, 0x91F7F7EE, 0x7AD91D26, 0xD6E6C907, 0x61B46FC9, +- 0xF99C0238, 0xBC34F4DE, 0x6519035B, 0xDE355B3B, 0x611FCFDC, 0x886B4238, +- 0xC1B2EFFA, 0xC6F34A26, 0x7D1683B2, 0xC58EF183, 0x2EC22005, 0x3BB5FCBC, +- 0x4C6FAD73, 0xC3FE3B1B, 0xEEF28183, 0x8E4F1232, 0xE98583FF, 0x9172FE9C, +- 0x28342F61, 0xC03404CD, 0xCDF7E2EC, 0x9E02FCE1, 0xEE0A6D70, 0x0B07A7C8, +- 0x6372BB19, 0xAE56EDE7, 0xDE394DF4, 0x1D4F42A3, 0x60D7F468, 0xB96ADAB7, +- 0xB2C8E3FB, 0xD108A94B, 0xB324FB61, 0xBC0AB182, 0x483A797A, 0x30ACCA4F, +- 0x36ADE735, 0x1DF158A1, 0xF3EFE872, 0xE2A689DA, 0xE0E68B77, 0x984F0C70, +- 0x7F57C935, 0xB557135E, 0x3DED1AF3, 0x85636555, 0x5F066ED0, 0x2433F51F, +- 0xD5FD6561, 0xD3DF1ED5, 0xAEC4617A, 0xF681B202, 0x630C75D8, 0x7D2FE363, +- 0x249B3EF9, 0xCC939DCE, 0x146433FB, 0xA9E13641, 0xCE2D3695, 0xD8B9C583, +- 0x273D3CF1, 0xAFDC5620, 0xA2BB4A9A, 0xADF85458, 0xFFFFFFFF, 0xFFFFFFFF ++ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0xD0E40E65, 0xA40E329C), ++ BN_DEF(0x7938DAD4, 0xA41D570D), BN_DEF(0xD43161C1, 0x62A69526), ++ BN_DEF(0x9ADB1E69, 0x3FDD4A8E), BN_DEF(0xDC6B80D6, 0x5B3B71F9), ++ BN_DEF(0xC6272B04, 0xEC9D1810), BN_DEF(0xCACEF403, 0x8CCF2DD5), ++ BN_DEF(0xC95B9117, 0xE49F5235), BN_DEF(0xB854338A, 0x505DC82D), ++ BN_DEF(0x1562A846, 0x62292C31), BN_DEF(0x6AE77F5E, 0xD72B0374), ++ BN_DEF(0x462D538C, 0xF9C9091B), BN_DEF(0x47A67CBE, 0x0AE8DB58), ++ BN_DEF(0x22611682, 0xB3A739C1), BN_DEF(0x2A281BF6, 0xEEAAC023), ++ BN_DEF(0x77CAF992, 0x94C6651E), BN_DEF(0x94B2BBC1, 0x763E4E4B), ++ BN_DEF(0x0077D9B4, 0x587E38DA), BN_DEF(0x183023C3, 0x7FB29F8C), ++ BN_DEF(0xF9E3A26E, 0x0ABEC1FF), BN_DEF(0x350511E3, 0xA00EF092), ++ BN_DEF(0xDB6340D8, 0xB855322E), BN_DEF(0xA9A96910, 0xA52471F7), ++ BN_DEF(0x4CFDB477, 0x388147FB), BN_DEF(0x4E46041F, 0x9B1F5C3E), ++ BN_DEF(0xFCCFEC71, 0xCDAD0657), BN_DEF(0x4C701C3A, 0xB38E8C33), ++ BN_DEF(0xB1C0FD4C, 0x917BDD64), BN_DEF(0x9B7624C8, 0x3BB45432), ++ BN_DEF(0xCAF53EA6, 0x23BA4442), BN_DEF(0x38532A3A, 0x4E677D2C), ++ BN_DEF(0x45036C7A, 0x0BFD64B6), BN_DEF(0x5E0DD902, 0xC68A007E), ++ BN_DEF(0xF44182E1, 0x4DB5A851), BN_DEF(0x7F88A46B, 0x8EC9B55A), ++ BN_DEF(0xCEC97DCF, 0x0A8291CD), BN_DEF(0xF98D0ACC, 0x2A4ECEA9), ++ BN_DEF(0x7140003C, 0x1A1DB93D), BN_DEF(0x33CB8B7A, 0x092999A3), ++ BN_DEF(0x71AD0038, 0x6DC778F9), BN_DEF(0x918130C4, 0xA907600A), ++ BN_DEF(0x2D9E6832, 0xED6A1E01), BN_DEF(0xEFB4318A, 0x7135C886), ++ BN_DEF(0x7E31CC7A, 0x87F55BA5), BN_DEF(0x55034004, 0x7763CF1D), ++ BN_DEF(0xD69F6D18, 0xAC7D5F42), BN_DEF(0xE58857B6, 0x7930E9E4), ++ BN_DEF(0x164DF4FB, 0x6E6F52C3), BN_DEF(0x669E1EF1, 0x25E41D2B), ++ BN_DEF(0x3FD59D7C, 0x3C1B20EE), BN_DEF(0xFA53DDEF, 0x0ABCD06B), ++ BN_DEF(0xD5C4484E, 0x1DBF9A42), BN_DEF(0x9B0DEADA, 0xABC52197), ++ BN_DEF(0x22363A0D, 0xE86D2BC5), BN_DEF(0x9C9DF69E, 0x5CAE82AB), ++ BN_DEF(0x71F54BFF, 0x64F2E21E), BN_DEF(0xE2D74DD3, 0xF4FD4452), ++ BN_DEF(0xBC437944, 0xB4130C93), BN_DEF(0x85139270, 0xAEFE1309), ++ BN_DEF(0xC186D91C, 0x598CB0FA), BN_DEF(0x91F7F7EE, 0x7AD91D26), ++ BN_DEF(0xD6E6C907, 0x61B46FC9), BN_DEF(0xF99C0238, 0xBC34F4DE), ++ BN_DEF(0x6519035B, 0xDE355B3B), BN_DEF(0x611FCFDC, 0x886B4238), ++ BN_DEF(0xC1B2EFFA, 0xC6F34A26), BN_DEF(0x7D1683B2, 0xC58EF183), ++ BN_DEF(0x2EC22005, 0x3BB5FCBC), BN_DEF(0x4C6FAD73, 0xC3FE3B1B), ++ BN_DEF(0xEEF28183, 0x8E4F1232), BN_DEF(0xE98583FF, 0x9172FE9C), ++ BN_DEF(0x28342F61, 0xC03404CD), BN_DEF(0xCDF7E2EC, 0x9E02FCE1), ++ BN_DEF(0xEE0A6D70, 0x0B07A7C8), BN_DEF(0x6372BB19, 0xAE56EDE7), ++ BN_DEF(0xDE394DF4, 0x1D4F42A3), BN_DEF(0x60D7F468, 0xB96ADAB7), ++ BN_DEF(0xB2C8E3FB, 0xD108A94B), BN_DEF(0xB324FB61, 0xBC0AB182), ++ BN_DEF(0x483A797A, 0x30ACCA4F), BN_DEF(0x36ADE735, 0x1DF158A1), ++ BN_DEF(0xF3EFE872, 0xE2A689DA), BN_DEF(0xE0E68B77, 0x984F0C70), ++ BN_DEF(0x7F57C935, 0xB557135E), BN_DEF(0x3DED1AF3, 0x85636555), ++ BN_DEF(0x5F066ED0, 0x2433F51F), BN_DEF(0xD5FD6561, 0xD3DF1ED5), ++ BN_DEF(0xAEC4617A, 0xF681B202), BN_DEF(0x630C75D8, 0x7D2FE363), ++ BN_DEF(0x249B3EF9, 0xCC939DCE), BN_DEF(0x146433FB, 0xA9E13641), ++ BN_DEF(0xCE2D3695, 0xD8B9C583), BN_DEF(0x273D3CF1, 0xAFDC5620), ++ BN_DEF(0xA2BB4A9A, 0xADF85458), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF) ++}; ++/* q = (p - 1) / 2 */ ++static const BN_ULONG ffdhe6144_q[] = { ++ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x68720732, 0x5207194E), ++ BN_DEF(0xBC9C6D6A, 0xD20EAB86), BN_DEF(0x6A18B0E0, 0xB1534A93), ++ BN_DEF(0x4D6D8F34, 0x1FEEA547), BN_DEF(0xEE35C06B, 0x2D9DB8FC), ++ BN_DEF(0x63139582, 0xF64E8C08), BN_DEF(0xE5677A01, 0xC66796EA), ++ BN_DEF(0xE4ADC88B, 0x724FA91A), BN_DEF(0xDC2A19C5, 0x282EE416), ++ BN_DEF(0x8AB15423, 0x31149618), BN_DEF(0x3573BFAF, 0x6B9581BA), ++ BN_DEF(0xA316A9C6, 0x7CE4848D), BN_DEF(0x23D33E5F, 0x05746DAC), ++ BN_DEF(0x91308B41, 0x59D39CE0), BN_DEF(0x95140DFB, 0x77556011), ++ BN_DEF(0x3BE57CC9, 0xCA63328F), BN_DEF(0xCA595DE0, 0x3B1F2725), ++ BN_DEF(0x003BECDA, 0xAC3F1C6D), BN_DEF(0x0C1811E1, 0x3FD94FC6), ++ BN_DEF(0xFCF1D137, 0x855F60FF), BN_DEF(0x1A8288F1, 0x50077849), ++ BN_DEF(0x6DB1A06C, 0x5C2A9917), BN_DEF(0xD4D4B488, 0xD29238FB), ++ BN_DEF(0xA67EDA3B, 0x9C40A3FD), BN_DEF(0x2723020F, 0xCD8FAE1F), ++ BN_DEF(0xFE67F638, 0x66D6832B), BN_DEF(0xA6380E1D, 0x59C74619), ++ BN_DEF(0x58E07EA6, 0x48BDEEB2), BN_DEF(0x4DBB1264, 0x1DDA2A19), ++ BN_DEF(0x657A9F53, 0x11DD2221), BN_DEF(0x1C29951D, 0x2733BE96), ++ BN_DEF(0x2281B63D, 0x05FEB25B), BN_DEF(0x2F06EC81, 0xE345003F), ++ BN_DEF(0xFA20C170, 0xA6DAD428), BN_DEF(0x3FC45235, 0xC764DAAD), ++ BN_DEF(0xE764BEE7, 0x054148E6), BN_DEF(0xFCC68566, 0x15276754), ++ BN_DEF(0xB8A0001E, 0x0D0EDC9E), BN_DEF(0x99E5C5BD, 0x0494CCD1), ++ BN_DEF(0xB8D6801C, 0x36E3BC7C), BN_DEF(0x48C09862, 0x5483B005), ++ BN_DEF(0x96CF3419, 0x76B50F00), BN_DEF(0x77DA18C5, 0x389AE443), ++ BN_DEF(0xBF18E63D, 0x43FAADD2), BN_DEF(0xAA81A002, 0x3BB1E78E), ++ BN_DEF(0x6B4FB68C, 0x563EAFA1), BN_DEF(0x72C42BDB, 0xBC9874F2), ++ BN_DEF(0x8B26FA7D, 0xB737A961), BN_DEF(0xB34F0F78, 0x12F20E95), ++ BN_DEF(0x1FEACEBE, 0x9E0D9077), BN_DEF(0xFD29EEF7, 0x055E6835), ++ BN_DEF(0x6AE22427, 0x0EDFCD21), BN_DEF(0xCD86F56D, 0xD5E290CB), ++ BN_DEF(0x911B1D06, 0x743695E2), BN_DEF(0xCE4EFB4F, 0xAE574155), ++ BN_DEF(0x38FAA5FF, 0xB279710F), BN_DEF(0x716BA6E9, 0x7A7EA229), ++ BN_DEF(0xDE21BCA2, 0x5A098649), BN_DEF(0xC289C938, 0x577F0984), ++ BN_DEF(0x60C36C8E, 0x2CC6587D), BN_DEF(0x48FBFBF7, 0xBD6C8E93), ++ BN_DEF(0xEB736483, 0x30DA37E4), BN_DEF(0x7CCE011C, 0xDE1A7A6F), ++ BN_DEF(0xB28C81AD, 0x6F1AAD9D), BN_DEF(0x308FE7EE, 0x4435A11C), ++ BN_DEF(0x60D977FD, 0x6379A513), BN_DEF(0xBE8B41D9, 0xE2C778C1), ++ BN_DEF(0x17611002, 0x9DDAFE5E), BN_DEF(0xA637D6B9, 0xE1FF1D8D), ++ BN_DEF(0x777940C1, 0xC7278919), BN_DEF(0x74C2C1FF, 0xC8B97F4E), ++ BN_DEF(0x941A17B0, 0x601A0266), BN_DEF(0xE6FBF176, 0x4F017E70), ++ BN_DEF(0x770536B8, 0x8583D3E4), BN_DEF(0xB1B95D8C, 0x572B76F3), ++ BN_DEF(0xEF1CA6FA, 0x0EA7A151), BN_DEF(0xB06BFA34, 0xDCB56D5B), ++ BN_DEF(0xD96471FD, 0xE88454A5), BN_DEF(0x59927DB0, 0x5E0558C1), ++ BN_DEF(0xA41D3CBD, 0x98566527), BN_DEF(0x9B56F39A, 0x0EF8AC50), ++ BN_DEF(0x79F7F439, 0xF15344ED), BN_DEF(0x707345BB, 0xCC278638), ++ BN_DEF(0x3FABE49A, 0xDAAB89AF), BN_DEF(0x9EF68D79, 0x42B1B2AA), ++ BN_DEF(0xAF833768, 0x9219FA8F), BN_DEF(0xEAFEB2B0, 0x69EF8F6A), ++ BN_DEF(0x576230BD, 0x7B40D901), BN_DEF(0xB1863AEC, 0xBE97F1B1), ++ BN_DEF(0x124D9F7C, 0xE649CEE7), BN_DEF(0x8A3219FD, 0xD4F09B20), ++ BN_DEF(0xE7169B4A, 0xEC5CE2C1), BN_DEF(0x139E9E78, 0x57EE2B10), ++ BN_DEF(0x515DA54D, 0xD6FC2A2C), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), + }; + + static const BN_ULONG ffdhe8192_p[] = { +- 0xFFFFFFFF, 0xFFFFFFFF, 0xC5C6424C, 0xD68C8BB7, 0x838FF88C, 0x011E2A94, +- 0xA9F4614E, 0x0822E506, 0xF7A8443D, 0x97D11D49, 0x30677F0D, 0xA6BBFDE5, +- 0xC1FE86FE, 0x2F741EF8, 0x5D71A87E, 0xFAFABE1C, 0xFBE58A30, 0xDED2FBAB, +- 0x72B0A66E, 0xB6855DFE, 0xBA8A4FE8, 0x1EFC8CE0, 0x3F2FA457, 0x83F81D4A, +- 0xA577E231, 0xA1FE3075, 0x88D9C0A0, 0xD5B80194, 0xAD9A95F9, 0x624816CD, +- 0x50C1217B, 0x99E9E316, 0x0E423CFC, 0x51AA691E, 0x3826E52C, 0x1C217E6C, +- 0x09703FEE, 0x51A8A931, 0x6A460E74, 0xBB709987, 0x9C86B022, 0x541FC68C, +- 0x46FD8251, 0x59160CC0, 0x35C35F5C, 0x2846C0BA, 0x8B758282, 0x54504AC7, +- 0xD2AF05E4, 0x29388839, 0xC01BD702, 0xCB2C0F1C, 0x7C932665, 0x555B2F74, +- 0xA3AB8829, 0x86B63142, 0xF64B10EF, 0x0B8CC3BD, 0xEDD1CC5E, 0x687FEB69, +- 0xC9509D43, 0xFDB23FCE, 0xD951AE64, 0x1E425A31, 0xF600C838, 0x36AD004C, +- 0xCFF46AAA, 0xA40E329C, 0x7938DAD4, 0xA41D570D, 0xD43161C1, 0x62A69526, +- 0x9ADB1E69, 0x3FDD4A8E, 0xDC6B80D6, 0x5B3B71F9, 0xC6272B04, 0xEC9D1810, +- 0xCACEF403, 0x8CCF2DD5, 0xC95B9117, 0xE49F5235, 0xB854338A, 0x505DC82D, +- 0x1562A846, 0x62292C31, 0x6AE77F5E, 0xD72B0374, 0x462D538C, 0xF9C9091B, +- 0x47A67CBE, 0x0AE8DB58, 0x22611682, 0xB3A739C1, 0x2A281BF6, 0xEEAAC023, +- 0x77CAF992, 0x94C6651E, 0x94B2BBC1, 0x763E4E4B, 0x0077D9B4, 0x587E38DA, +- 0x183023C3, 0x7FB29F8C, 0xF9E3A26E, 0x0ABEC1FF, 0x350511E3, 0xA00EF092, +- 0xDB6340D8, 0xB855322E, 0xA9A96910, 0xA52471F7, 0x4CFDB477, 0x388147FB, +- 0x4E46041F, 0x9B1F5C3E, 0xFCCFEC71, 0xCDAD0657, 0x4C701C3A, 0xB38E8C33, +- 0xB1C0FD4C, 0x917BDD64, 0x9B7624C8, 0x3BB45432, 0xCAF53EA6, 0x23BA4442, +- 0x38532A3A, 0x4E677D2C, 0x45036C7A, 0x0BFD64B6, 0x5E0DD902, 0xC68A007E, +- 0xF44182E1, 0x4DB5A851, 0x7F88A46B, 0x8EC9B55A, 0xCEC97DCF, 0x0A8291CD, +- 0xF98D0ACC, 0x2A4ECEA9, 0x7140003C, 0x1A1DB93D, 0x33CB8B7A, 0x092999A3, +- 0x71AD0038, 0x6DC778F9, 0x918130C4, 0xA907600A, 0x2D9E6832, 0xED6A1E01, +- 0xEFB4318A, 0x7135C886, 0x7E31CC7A, 0x87F55BA5, 0x55034004, 0x7763CF1D, +- 0xD69F6D18, 0xAC7D5F42, 0xE58857B6, 0x7930E9E4, 0x164DF4FB, 0x6E6F52C3, +- 0x669E1EF1, 0x25E41D2B, 0x3FD59D7C, 0x3C1B20EE, 0xFA53DDEF, 0x0ABCD06B, +- 0xD5C4484E, 0x1DBF9A42, 0x9B0DEADA, 0xABC52197, 0x22363A0D, 0xE86D2BC5, +- 0x9C9DF69E, 0x5CAE82AB, 0x71F54BFF, 0x64F2E21E, 0xE2D74DD3, 0xF4FD4452, +- 0xBC437944, 0xB4130C93, 0x85139270, 0xAEFE1309, 0xC186D91C, 0x598CB0FA, +- 0x91F7F7EE, 0x7AD91D26, 0xD6E6C907, 0x61B46FC9, 0xF99C0238, 0xBC34F4DE, +- 0x6519035B, 0xDE355B3B, 0x611FCFDC, 0x886B4238, 0xC1B2EFFA, 0xC6F34A26, +- 0x7D1683B2, 0xC58EF183, 0x2EC22005, 0x3BB5FCBC, 0x4C6FAD73, 0xC3FE3B1B, +- 0xEEF28183, 0x8E4F1232, 0xE98583FF, 0x9172FE9C, 0x28342F61, 0xC03404CD, +- 0xCDF7E2EC, 0x9E02FCE1, 0xEE0A6D70, 0x0B07A7C8, 0x6372BB19, 0xAE56EDE7, +- 0xDE394DF4, 0x1D4F42A3, 0x60D7F468, 0xB96ADAB7, 0xB2C8E3FB, 0xD108A94B, +- 0xB324FB61, 0xBC0AB182, 0x483A797A, 0x30ACCA4F, 0x36ADE735, 0x1DF158A1, +- 0xF3EFE872, 0xE2A689DA, 0xE0E68B77, 0x984F0C70, 0x7F57C935, 0xB557135E, +- 0x3DED1AF3, 0x85636555, 0x5F066ED0, 0x2433F51F, 0xD5FD6561, 0xD3DF1ED5, +- 0xAEC4617A, 0xF681B202, 0x630C75D8, 0x7D2FE363, 0x249B3EF9, 0xCC939DCE, +- 0x146433FB, 0xA9E13641, 0xCE2D3695, 0xD8B9C583, 0x273D3CF1, 0xAFDC5620, +- 0xA2BB4A9A, 0xADF85458, 0xFFFFFFFF, 0xFFFFFFFF ++ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0xC5C6424C, 0xD68C8BB7), ++ BN_DEF(0x838FF88C, 0x011E2A94), BN_DEF(0xA9F4614E, 0x0822E506), ++ BN_DEF(0xF7A8443D, 0x97D11D49), BN_DEF(0x30677F0D, 0xA6BBFDE5), ++ BN_DEF(0xC1FE86FE, 0x2F741EF8), BN_DEF(0x5D71A87E, 0xFAFABE1C), ++ BN_DEF(0xFBE58A30, 0xDED2FBAB), BN_DEF(0x72B0A66E, 0xB6855DFE), ++ BN_DEF(0xBA8A4FE8, 0x1EFC8CE0), BN_DEF(0x3F2FA457, 0x83F81D4A), ++ BN_DEF(0xA577E231, 0xA1FE3075), BN_DEF(0x88D9C0A0, 0xD5B80194), ++ BN_DEF(0xAD9A95F9, 0x624816CD), BN_DEF(0x50C1217B, 0x99E9E316), ++ BN_DEF(0x0E423CFC, 0x51AA691E), BN_DEF(0x3826E52C, 0x1C217E6C), ++ BN_DEF(0x09703FEE, 0x51A8A931), BN_DEF(0x6A460E74, 0xBB709987), ++ BN_DEF(0x9C86B022, 0x541FC68C), BN_DEF(0x46FD8251, 0x59160CC0), ++ BN_DEF(0x35C35F5C, 0x2846C0BA), BN_DEF(0x8B758282, 0x54504AC7), ++ BN_DEF(0xD2AF05E4, 0x29388839), BN_DEF(0xC01BD702, 0xCB2C0F1C), ++ BN_DEF(0x7C932665, 0x555B2F74), BN_DEF(0xA3AB8829, 0x86B63142), ++ BN_DEF(0xF64B10EF, 0x0B8CC3BD), BN_DEF(0xEDD1CC5E, 0x687FEB69), ++ BN_DEF(0xC9509D43, 0xFDB23FCE), BN_DEF(0xD951AE64, 0x1E425A31), ++ BN_DEF(0xF600C838, 0x36AD004C), BN_DEF(0xCFF46AAA, 0xA40E329C), ++ BN_DEF(0x7938DAD4, 0xA41D570D), BN_DEF(0xD43161C1, 0x62A69526), ++ BN_DEF(0x9ADB1E69, 0x3FDD4A8E), BN_DEF(0xDC6B80D6, 0x5B3B71F9), ++ BN_DEF(0xC6272B04, 0xEC9D1810), BN_DEF(0xCACEF403, 0x8CCF2DD5), ++ BN_DEF(0xC95B9117, 0xE49F5235), BN_DEF(0xB854338A, 0x505DC82D), ++ BN_DEF(0x1562A846, 0x62292C31), BN_DEF(0x6AE77F5E, 0xD72B0374), ++ BN_DEF(0x462D538C, 0xF9C9091B), BN_DEF(0x47A67CBE, 0x0AE8DB58), ++ BN_DEF(0x22611682, 0xB3A739C1), BN_DEF(0x2A281BF6, 0xEEAAC023), ++ BN_DEF(0x77CAF992, 0x94C6651E), BN_DEF(0x94B2BBC1, 0x763E4E4B), ++ BN_DEF(0x0077D9B4, 0x587E38DA), BN_DEF(0x183023C3, 0x7FB29F8C), ++ BN_DEF(0xF9E3A26E, 0x0ABEC1FF), BN_DEF(0x350511E3, 0xA00EF092), ++ BN_DEF(0xDB6340D8, 0xB855322E), BN_DEF(0xA9A96910, 0xA52471F7), ++ BN_DEF(0x4CFDB477, 0x388147FB), BN_DEF(0x4E46041F, 0x9B1F5C3E), ++ BN_DEF(0xFCCFEC71, 0xCDAD0657), BN_DEF(0x4C701C3A, 0xB38E8C33), ++ BN_DEF(0xB1C0FD4C, 0x917BDD64), BN_DEF(0x9B7624C8, 0x3BB45432), ++ BN_DEF(0xCAF53EA6, 0x23BA4442), BN_DEF(0x38532A3A, 0x4E677D2C), ++ BN_DEF(0x45036C7A, 0x0BFD64B6), BN_DEF(0x5E0DD902, 0xC68A007E), ++ BN_DEF(0xF44182E1, 0x4DB5A851), BN_DEF(0x7F88A46B, 0x8EC9B55A), ++ BN_DEF(0xCEC97DCF, 0x0A8291CD), BN_DEF(0xF98D0ACC, 0x2A4ECEA9), ++ BN_DEF(0x7140003C, 0x1A1DB93D), BN_DEF(0x33CB8B7A, 0x092999A3), ++ BN_DEF(0x71AD0038, 0x6DC778F9), BN_DEF(0x918130C4, 0xA907600A), ++ BN_DEF(0x2D9E6832, 0xED6A1E01), BN_DEF(0xEFB4318A, 0x7135C886), ++ BN_DEF(0x7E31CC7A, 0x87F55BA5), BN_DEF(0x55034004, 0x7763CF1D), ++ BN_DEF(0xD69F6D18, 0xAC7D5F42), BN_DEF(0xE58857B6, 0x7930E9E4), ++ BN_DEF(0x164DF4FB, 0x6E6F52C3), BN_DEF(0x669E1EF1, 0x25E41D2B), ++ BN_DEF(0x3FD59D7C, 0x3C1B20EE), BN_DEF(0xFA53DDEF, 0x0ABCD06B), ++ BN_DEF(0xD5C4484E, 0x1DBF9A42), BN_DEF(0x9B0DEADA, 0xABC52197), ++ BN_DEF(0x22363A0D, 0xE86D2BC5), BN_DEF(0x9C9DF69E, 0x5CAE82AB), ++ BN_DEF(0x71F54BFF, 0x64F2E21E), BN_DEF(0xE2D74DD3, 0xF4FD4452), ++ BN_DEF(0xBC437944, 0xB4130C93), BN_DEF(0x85139270, 0xAEFE1309), ++ BN_DEF(0xC186D91C, 0x598CB0FA), BN_DEF(0x91F7F7EE, 0x7AD91D26), ++ BN_DEF(0xD6E6C907, 0x61B46FC9), BN_DEF(0xF99C0238, 0xBC34F4DE), ++ BN_DEF(0x6519035B, 0xDE355B3B), BN_DEF(0x611FCFDC, 0x886B4238), ++ BN_DEF(0xC1B2EFFA, 0xC6F34A26), BN_DEF(0x7D1683B2, 0xC58EF183), ++ BN_DEF(0x2EC22005, 0x3BB5FCBC), BN_DEF(0x4C6FAD73, 0xC3FE3B1B), ++ BN_DEF(0xEEF28183, 0x8E4F1232), BN_DEF(0xE98583FF, 0x9172FE9C), ++ BN_DEF(0x28342F61, 0xC03404CD), BN_DEF(0xCDF7E2EC, 0x9E02FCE1), ++ BN_DEF(0xEE0A6D70, 0x0B07A7C8), BN_DEF(0x6372BB19, 0xAE56EDE7), ++ BN_DEF(0xDE394DF4, 0x1D4F42A3), BN_DEF(0x60D7F468, 0xB96ADAB7), ++ BN_DEF(0xB2C8E3FB, 0xD108A94B), BN_DEF(0xB324FB61, 0xBC0AB182), ++ BN_DEF(0x483A797A, 0x30ACCA4F), BN_DEF(0x36ADE735, 0x1DF158A1), ++ BN_DEF(0xF3EFE872, 0xE2A689DA), BN_DEF(0xE0E68B77, 0x984F0C70), ++ BN_DEF(0x7F57C935, 0xB557135E), BN_DEF(0x3DED1AF3, 0x85636555), ++ BN_DEF(0x5F066ED0, 0x2433F51F), BN_DEF(0xD5FD6561, 0xD3DF1ED5), ++ BN_DEF(0xAEC4617A, 0xF681B202), BN_DEF(0x630C75D8, 0x7D2FE363), ++ BN_DEF(0x249B3EF9, 0xCC939DCE), BN_DEF(0x146433FB, 0xA9E13641), ++ BN_DEF(0xCE2D3695, 0xD8B9C583), BN_DEF(0x273D3CF1, 0xAFDC5620), ++ BN_DEF(0xA2BB4A9A, 0xADF85458), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF) ++}; ++/* q = (p - 1) / 2 */ ++static const BN_ULONG ffdhe8192_q[] = { ++ BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), BN_DEF(0xE2E32126, 0x6B4645DB), ++ BN_DEF(0x41C7FC46, 0x008F154A), BN_DEF(0x54FA30A7, 0x84117283), ++ BN_DEF(0xFBD4221E, 0xCBE88EA4), BN_DEF(0x9833BF86, 0x535DFEF2), ++ BN_DEF(0x60FF437F, 0x17BA0F7C), BN_DEF(0x2EB8D43F, 0x7D7D5F0E), ++ BN_DEF(0xFDF2C518, 0x6F697DD5), BN_DEF(0x39585337, 0x5B42AEFF), ++ BN_DEF(0x5D4527F4, 0x8F7E4670), BN_DEF(0x1F97D22B, 0xC1FC0EA5), ++ BN_DEF(0xD2BBF118, 0x50FF183A), BN_DEF(0x446CE050, 0xEADC00CA), ++ BN_DEF(0xD6CD4AFC, 0xB1240B66), BN_DEF(0x286090BD, 0x4CF4F18B), ++ BN_DEF(0x07211E7E, 0x28D5348F), BN_DEF(0x1C137296, 0x0E10BF36), ++ BN_DEF(0x84B81FF7, 0x28D45498), BN_DEF(0xB523073A, 0x5DB84CC3), ++ BN_DEF(0x4E435811, 0xAA0FE346), BN_DEF(0x237EC128, 0x2C8B0660), ++ BN_DEF(0x1AE1AFAE, 0x1423605D), BN_DEF(0xC5BAC141, 0x2A282563), ++ BN_DEF(0xE95782F2, 0x149C441C), BN_DEF(0x600DEB81, 0xE596078E), ++ BN_DEF(0x3E499332, 0xAAAD97BA), BN_DEF(0x51D5C414, 0xC35B18A1), ++ BN_DEF(0xFB258877, 0x05C661DE), BN_DEF(0xF6E8E62F, 0xB43FF5B4), ++ BN_DEF(0x64A84EA1, 0x7ED91FE7), BN_DEF(0xECA8D732, 0x0F212D18), ++ BN_DEF(0x7B00641C, 0x1B568026), BN_DEF(0x67FA3555, 0x5207194E), ++ BN_DEF(0xBC9C6D6A, 0xD20EAB86), BN_DEF(0x6A18B0E0, 0xB1534A93), ++ BN_DEF(0x4D6D8F34, 0x1FEEA547), BN_DEF(0xEE35C06B, 0x2D9DB8FC), ++ BN_DEF(0x63139582, 0xF64E8C08), BN_DEF(0xE5677A01, 0xC66796EA), ++ BN_DEF(0xE4ADC88B, 0x724FA91A), BN_DEF(0xDC2A19C5, 0x282EE416), ++ BN_DEF(0x8AB15423, 0x31149618), BN_DEF(0x3573BFAF, 0x6B9581BA), ++ BN_DEF(0xA316A9C6, 0x7CE4848D), BN_DEF(0x23D33E5F, 0x05746DAC), ++ BN_DEF(0x91308B41, 0x59D39CE0), BN_DEF(0x95140DFB, 0x77556011), ++ BN_DEF(0x3BE57CC9, 0xCA63328F), BN_DEF(0xCA595DE0, 0x3B1F2725), ++ BN_DEF(0x003BECDA, 0xAC3F1C6D), BN_DEF(0x0C1811E1, 0x3FD94FC6), ++ BN_DEF(0xFCF1D137, 0x855F60FF), BN_DEF(0x1A8288F1, 0x50077849), ++ BN_DEF(0x6DB1A06C, 0x5C2A9917), BN_DEF(0xD4D4B488, 0xD29238FB), ++ BN_DEF(0xA67EDA3B, 0x9C40A3FD), BN_DEF(0x2723020F, 0xCD8FAE1F), ++ BN_DEF(0xFE67F638, 0x66D6832B), BN_DEF(0xA6380E1D, 0x59C74619), ++ BN_DEF(0x58E07EA6, 0x48BDEEB2), BN_DEF(0x4DBB1264, 0x1DDA2A19), ++ BN_DEF(0x657A9F53, 0x11DD2221), BN_DEF(0x1C29951D, 0x2733BE96), ++ BN_DEF(0x2281B63D, 0x05FEB25B), BN_DEF(0x2F06EC81, 0xE345003F), ++ BN_DEF(0xFA20C170, 0xA6DAD428), BN_DEF(0x3FC45235, 0xC764DAAD), ++ BN_DEF(0xE764BEE7, 0x054148E6), BN_DEF(0xFCC68566, 0x15276754), ++ BN_DEF(0xB8A0001E, 0x0D0EDC9E), BN_DEF(0x99E5C5BD, 0x0494CCD1), ++ BN_DEF(0xB8D6801C, 0x36E3BC7C), BN_DEF(0x48C09862, 0x5483B005), ++ BN_DEF(0x96CF3419, 0x76B50F00), BN_DEF(0x77DA18C5, 0x389AE443), ++ BN_DEF(0xBF18E63D, 0x43FAADD2), BN_DEF(0xAA81A002, 0x3BB1E78E), ++ BN_DEF(0x6B4FB68C, 0x563EAFA1), BN_DEF(0x72C42BDB, 0xBC9874F2), ++ BN_DEF(0x8B26FA7D, 0xB737A961), BN_DEF(0xB34F0F78, 0x12F20E95), ++ BN_DEF(0x1FEACEBE, 0x9E0D9077), BN_DEF(0xFD29EEF7, 0x055E6835), ++ BN_DEF(0x6AE22427, 0x0EDFCD21), BN_DEF(0xCD86F56D, 0xD5E290CB), ++ BN_DEF(0x911B1D06, 0x743695E2), BN_DEF(0xCE4EFB4F, 0xAE574155), ++ BN_DEF(0x38FAA5FF, 0xB279710F), BN_DEF(0x716BA6E9, 0x7A7EA229), ++ BN_DEF(0xDE21BCA2, 0x5A098649), BN_DEF(0xC289C938, 0x577F0984), ++ BN_DEF(0x60C36C8E, 0x2CC6587D), BN_DEF(0x48FBFBF7, 0xBD6C8E93), ++ BN_DEF(0xEB736483, 0x30DA37E4), BN_DEF(0x7CCE011C, 0xDE1A7A6F), ++ BN_DEF(0xB28C81AD, 0x6F1AAD9D), BN_DEF(0x308FE7EE, 0x4435A11C), ++ BN_DEF(0x60D977FD, 0x6379A513), BN_DEF(0xBE8B41D9, 0xE2C778C1), ++ BN_DEF(0x17611002, 0x9DDAFE5E), BN_DEF(0xA637D6B9, 0xE1FF1D8D), ++ BN_DEF(0x777940C1, 0xC7278919), BN_DEF(0x74C2C1FF, 0xC8B97F4E), ++ BN_DEF(0x941A17B0, 0x601A0266), BN_DEF(0xE6FBF176, 0x4F017E70), ++ BN_DEF(0x770536B8, 0x8583D3E4), BN_DEF(0xB1B95D8C, 0x572B76F3), ++ BN_DEF(0xEF1CA6FA, 0x0EA7A151), BN_DEF(0xB06BFA34, 0xDCB56D5B), ++ BN_DEF(0xD96471FD, 0xE88454A5), BN_DEF(0x59927DB0, 0x5E0558C1), ++ BN_DEF(0xA41D3CBD, 0x98566527), BN_DEF(0x9B56F39A, 0x0EF8AC50), ++ BN_DEF(0x79F7F439, 0xF15344ED), BN_DEF(0x707345BB, 0xCC278638), ++ BN_DEF(0x3FABE49A, 0xDAAB89AF), BN_DEF(0x9EF68D79, 0x42B1B2AA), ++ BN_DEF(0xAF833768, 0x9219FA8F), BN_DEF(0xEAFEB2B0, 0x69EF8F6A), ++ BN_DEF(0x576230BD, 0x7B40D901), BN_DEF(0xB1863AEC, 0xBE97F1B1), ++ BN_DEF(0x124D9F7C, 0xE649CEE7), BN_DEF(0x8A3219FD, 0xD4F09B20), ++ BN_DEF(0xE7169B4A, 0xEC5CE2C1), BN_DEF(0x139E9E78, 0x57EE2B10), ++ BN_DEF(0x515DA54D, 0xD6FC2A2C), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), + }; + +-# else +-# error "unsupported BN_BITS2" +-# endif +- + /* Macro to make a BIGNUM from static data */ + + # define make_dh_bn(x) extern const BIGNUM _bignum_##x; \ +@@ -489,24 +1010,42 @@ static const BN_ULONG ffdhe8192_p[] = { + + static const BN_ULONG value_2 = 2; + +-const BIGNUM _bignum_const_2 = +- { (BN_ULONG *)&value_2, 1, 1, 0, BN_FLG_STATIC_DATA }; ++const BIGNUM _bignum_const_2 = { ++ (BN_ULONG *)&value_2, 1, 1, 0, BN_FLG_STATIC_DATA ++}; + + make_dh_bn(dh1024_160_p) +-make_dh_bn(dh1024_160_g) + make_dh_bn(dh1024_160_q) ++make_dh_bn(dh1024_160_g) + make_dh_bn(dh2048_224_p) +-make_dh_bn(dh2048_224_g) + make_dh_bn(dh2048_224_q) ++make_dh_bn(dh2048_224_g) + make_dh_bn(dh2048_256_p) +-make_dh_bn(dh2048_256_g) + make_dh_bn(dh2048_256_q) ++make_dh_bn(dh2048_256_g) + + make_dh_bn(ffdhe2048_p) ++make_dh_bn(ffdhe2048_q) + make_dh_bn(ffdhe3072_p) ++make_dh_bn(ffdhe3072_q) + make_dh_bn(ffdhe4096_p) ++make_dh_bn(ffdhe4096_q) + make_dh_bn(ffdhe6144_p) ++make_dh_bn(ffdhe6144_q) + make_dh_bn(ffdhe8192_p) ++make_dh_bn(ffdhe8192_q) + ++make_dh_bn(modp_1536_p) ++make_dh_bn(modp_1536_q) ++make_dh_bn(modp_2048_p) ++make_dh_bn(modp_2048_q) ++make_dh_bn(modp_3072_p) ++make_dh_bn(modp_3072_q) ++make_dh_bn(modp_4096_p) ++make_dh_bn(modp_4096_q) ++make_dh_bn(modp_6144_p) ++make_dh_bn(modp_6144_q) ++make_dh_bn(modp_8192_p) ++make_dh_bn(modp_8192_q) + +-#endif ++#endif /* OPENSSL_NO_DH */ +diff -up openssl-1.1.1j/crypto/dh/dh_check.c.fips-dh openssl-1.1.1j/crypto/dh/dh_check.c +--- openssl-1.1.1j/crypto/dh/dh_check.c.fips-dh 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/crypto/dh/dh_check.c 2021-03-03 14:23:27.404092427 +0100 +@@ -10,6 +10,7 @@ + #include + #include "internal/cryptlib.h" + #include ++#include + #include "dh_local.h" + + # define DH_NUMBER_ITERATIONS_FOR_PRIME 64 +@@ -41,6 +42,12 @@ int DH_check_params(const DH *dh, int *r + BIGNUM *tmp = NULL; + BN_CTX *ctx = NULL; + ++ if (FIPS_mode()) { ++ int nid = dh->nid == NID_undef ? DH_get_nid(dh) : dh->nid; ++ ++ return nid != NID_undef; ++ } ++ + *ret = 0; + ctx = BN_CTX_new(); + if (ctx == NULL) +@@ -95,6 +102,7 @@ int DH_check_ex(const DH *dh) + return errflags == 0; + } + ++/* Note: according to documentation - this only checks the params */ + int DH_check(const DH *dh, int *ret) + { + int ok = 0, r; +@@ -104,6 +112,9 @@ int DH_check(const DH *dh, int *ret) + if (!DH_check_params(dh, ret)) + return 0; + ++ if (FIPS_mode()) /* we allow only well-known params */ ++ return 1; ++ + ctx = BN_CTX_new(); + if (ctx == NULL) + goto err; +@@ -177,7 +188,7 @@ int DH_check_pub_key_ex(const DH *dh, co + return errflags == 0; + } + +-int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret) ++static int dh_check_pub_key_int(const DH *dh, const BIGNUM *q, const BIGNUM *pub_key, int *ret) + { + int ok = 0; + BIGNUM *tmp = NULL; +@@ -198,9 +209,9 @@ int DH_check_pub_key(const DH *dh, const + if (BN_cmp(pub_key, tmp) >= 0) + *ret |= DH_CHECK_PUBKEY_TOO_LARGE; + +- if (dh->q != NULL) { ++ if (q != NULL) { + /* Check pub_key^q == 1 mod p */ +- if (!BN_mod_exp(tmp, pub_key, dh->q, dh->p, ctx)) ++ if (!BN_mod_exp(tmp, pub_key, q, dh->p, ctx)) + goto err; + if (!BN_is_one(tmp)) + *ret |= DH_CHECK_PUBKEY_INVALID; +@@ -212,3 +223,23 @@ int DH_check_pub_key(const DH *dh, const + BN_CTX_free(ctx); + return ok; + } ++ ++int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret) ++{ ++ return dh_check_pub_key_int(dh, dh->q, pub_key, ret); ++} ++ ++int dh_check_pub_key_full(const DH *dh, const BIGNUM *pub_key, int *ret) ++{ ++ BIGNUM *q = dh->q; ++ ++ if (q == NULL) { ++ if (dh_get_known_q(dh, &q) == 0) { ++ *ret |= DH_CHECK_INVALID_Q_VALUE; ++ return 0; ++ } ++ } ++ ++ return dh_check_pub_key_int(dh, q, pub_key, ret); ++} ++ +diff -up openssl-1.1.1j/crypto/dh/dh_gen.c.fips-dh openssl-1.1.1j/crypto/dh/dh_gen.c +--- openssl-1.1.1j/crypto/dh/dh_gen.c.fips-dh 2021-03-03 14:23:27.338091859 +0100 ++++ openssl-1.1.1j/crypto/dh/dh_gen.c 2021-03-03 14:23:27.404092427 +0100 +@@ -27,8 +27,7 @@ int DH_generate_parameters_ex(DH *ret, i + BN_GENCB *cb) + { + #ifdef OPENSSL_FIPS +- if (FIPS_mode() && !(ret->meth->flags & DH_FLAG_FIPS_METHOD) +- && !(ret->flags & DH_FLAG_NON_FIPS_ALLOW)) { ++ if (FIPS_mode()) { + DHerr(DH_F_DH_GENERATE_PARAMETERS_EX, DH_R_NON_FIPS_METHOD); + return 0; + } +@@ -75,18 +74,6 @@ static int dh_builtin_genparams(DH *ret, + int g, ok = -1; + BN_CTX *ctx = NULL; + +-#ifdef OPENSSL_FIPS +- if (FIPS_selftest_failed()) { +- FIPSerr(FIPS_F_DH_BUILTIN_GENPARAMS, FIPS_R_FIPS_SELFTEST_FAILED); +- return 0; +- } +- +- if (FIPS_mode() && (prime_len < OPENSSL_DH_FIPS_MIN_MODULUS_BITS_GEN)) { +- DHerr(DH_F_DH_BUILTIN_GENPARAMS, DH_R_KEY_SIZE_TOO_SMALL); +- goto err; +- } +-#endif +- + ctx = BN_CTX_new(); + if (ctx == NULL) + goto err; +diff -up openssl-1.1.1j/crypto/dh/dh_key.c.fips-dh openssl-1.1.1j/crypto/dh/dh_key.c +--- openssl-1.1.1j/crypto/dh/dh_key.c.fips-dh 2021-03-03 14:23:27.338091859 +0100 ++++ openssl-1.1.1j/crypto/dh/dh_key.c 2021-03-03 14:51:36.235296236 +0100 +@@ -120,10 +120,18 @@ static int generate_key(DH *dh) + BIGNUM *pub_key = NULL, *priv_key = NULL; + + #ifdef OPENSSL_FIPS +- if (FIPS_mode() +- && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS)) { +- DHerr(DH_F_GENERATE_KEY, DH_R_KEY_SIZE_TOO_SMALL); +- return 0; ++ if (FIPS_mode()) { ++ if (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS) { ++ DHerr(DH_F_GENERATE_KEY, DH_R_KEY_SIZE_TOO_SMALL); ++ return 0; ++ } ++ if (dh->nid == NID_undef) ++ dh_cache_nid(dh); ++ if (dh->nid == NID_undef || dh->length > BN_num_bits(dh->p) - 2 ++ || dh->length < 224) { ++ DHerr(DH_F_GENERATE_KEY, DH_R_NON_FIPS_METHOD); ++ return 0; ++ } + } + #endif + +@@ -159,7 +167,15 @@ static int generate_key(DH *dh) + } + + if (generate_new_key) { +- if (dh->q) { ++ if (FIPS_mode()) { ++ do { ++ if (!BN_priv_rand(priv_key, dh->length, BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY)) ++ goto err; ++ if (!BN_add_word(priv_key, 1)) ++ goto err; ++ } ++ while (BN_num_bits(priv_key) > dh->length); ++ } else if (dh->q) { + do { + if (!BN_priv_rand_range(priv_key, dh->q)) + goto err; +@@ -195,6 +211,15 @@ static int generate_key(DH *dh) + } + /* We MUST free prk before any further use of priv_key */ + BN_clear_free(prk); ++ ++ if (FIPS_mode()) { ++ int check_result; ++ ++ if (!dh_check_pub_key_full(dh, pub_key, &check_result) || check_result) { ++ DHerr(DH_F_GENERATE_KEY, DH_R_INVALID_PUBKEY); ++ goto err; ++ } ++ } + } + + dh->pub_key = pub_key; +@@ -217,6 +242,7 @@ static int compute_key(unsigned char *ke + BN_CTX *ctx = NULL; + BN_MONT_CTX *mont = NULL; + BIGNUM *tmp; ++ BIGNUM *p1; + int ret = -1; + int check_result; + +@@ -263,6 +289,18 @@ static int compute_key(unsigned char *ke + DHerr(DH_F_COMPUTE_KEY, ERR_R_BN_LIB); + goto err; + } ++ ++ if (BN_is_zero(tmp) || BN_is_one(tmp) || BN_is_negative(tmp)) { ++ DHerr(DH_F_COMPUTE_KEY, ERR_R_BN_LIB); ++ goto err; ++ } ++ ++ if ((p1 = BN_CTX_get(ctx)) == NULL ++ || !BN_sub(p1, dh->p, BN_value_one()) ++ || BN_cmp(p1, tmp) <= 0) { ++ DHerr(DH_F_COMPUTE_KEY, ERR_R_BN_LIB); ++ goto err; ++ } + + ret = BN_bn2binpad(tmp, key, BN_num_bytes(dh->p)); + err: +diff -up openssl-1.1.1j/crypto/dh/dh_lib.c.fips-dh openssl-1.1.1j/crypto/dh/dh_lib.c +--- openssl-1.1.1j/crypto/dh/dh_lib.c.fips-dh 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/crypto/dh/dh_lib.c 2021-03-03 14:23:27.405092436 +0100 +@@ -8,6 +8,7 @@ + */ + + #include ++#include + #include "internal/cryptlib.h" + #include "internal/refcount.h" + #include +@@ -86,6 +87,8 @@ DH *DH_new_method(ENGINE *engine) + goto err; + } + ++ ret->nid = NID_undef; ++ + return ret; + + err: +@@ -205,7 +208,10 @@ int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNU + dh->g = g; + } + +- if (q != NULL) { ++ dh->nid = NID_undef; ++ dh_cache_nid(dh); ++ ++ if (q != NULL && dh->nid == NID_undef) { + dh->length = BN_num_bits(q); + } + +diff -up openssl-1.1.1j/crypto/dh/dh_local.h.fips-dh openssl-1.1.1j/crypto/dh/dh_local.h +--- openssl-1.1.1j/crypto/dh/dh_local.h.fips-dh 2021-03-03 14:23:27.202090689 +0100 ++++ openssl-1.1.1j/crypto/dh/dh_local.h 2021-03-03 14:23:27.405092436 +0100 +@@ -35,6 +35,7 @@ struct dh_st { + const DH_METHOD *meth; + ENGINE *engine; + CRYPTO_RWLOCK *lock; ++ int nid; + }; + + struct dh_method { +@@ -55,3 +56,10 @@ struct dh_method { + int (*generate_params) (DH *dh, int prime_len, int generator, + BN_GENCB *cb); + }; ++ ++void dh_cache_nid(DH *dh); ++/* Obtain known q value based on nid or p */ ++int dh_get_known_q(const DH *dh, BIGNUM **q); ++/* FIPS mode only check which requires nid set and looks up q based on it. */ ++int dh_check_pub_key_full(const DH *dh, const BIGNUM *pub_key, int *ret); ++ +diff -up openssl-1.1.1j/crypto/dh/dh_rfc7919.c.fips-dh openssl-1.1.1j/crypto/dh/dh_rfc7919.c +--- openssl-1.1.1j/crypto/dh/dh_rfc7919.c.fips-dh 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/crypto/dh/dh_rfc7919.c 2021-03-03 14:23:27.405092436 +0100 +@@ -7,6 +7,8 @@ + * https://www.openssl.org/source/license.html + */ + ++/* DH parameters from RFC7919 and RFC3526 */ ++ + #include + #include "internal/cryptlib.h" + #include "dh_local.h" +@@ -14,14 +16,19 @@ + #include + #include "crypto/bn_dh.h" + +-static DH *dh_param_init(const BIGNUM *p, int32_t nbits) ++static DH *dh_param_init(int nid, const BIGNUM *p, const BIGNUM *q, int32_t nbits) + { + DH *dh = DH_new(); + if (dh == NULL) + return NULL; + dh->p = (BIGNUM *)p; ++ /* ++ * We do not set q as it would enable the inefficient and ++ * unnecessary pubkey modular exponentiation check. ++ */ + dh->g = (BIGNUM *)&_bignum_const_2; + dh->length = nbits; ++ dh->nid = nid; + return dh; + } + +@@ -29,46 +36,121 @@ DH *DH_new_by_nid(int nid) + { + switch (nid) { + case NID_ffdhe2048: +- return dh_param_init(&_bignum_ffdhe2048_p, 225); ++ return dh_param_init(nid, &_bignum_ffdhe2048_p, &_bignum_ffdhe2048_q, 225); + case NID_ffdhe3072: +- return dh_param_init(&_bignum_ffdhe3072_p, 275); ++ return dh_param_init(nid, &_bignum_ffdhe3072_p, &_bignum_ffdhe3072_q, 275); + case NID_ffdhe4096: +- return dh_param_init(&_bignum_ffdhe4096_p, 325); ++ return dh_param_init(nid, &_bignum_ffdhe4096_p, &_bignum_ffdhe4096_q, 325); + case NID_ffdhe6144: +- return dh_param_init(&_bignum_ffdhe6144_p, 375); ++ return dh_param_init(nid, &_bignum_ffdhe6144_p, &_bignum_ffdhe6144_q, 375); + case NID_ffdhe8192: +- return dh_param_init(&_bignum_ffdhe8192_p, 400); ++ return dh_param_init(nid, &_bignum_ffdhe8192_p, &_bignum_ffdhe8192_q, 400); ++ case NID_modp_2048: ++ return dh_param_init(nid, &_bignum_modp_2048_p, &_bignum_modp_2048_q, 225); ++ case NID_modp_3072: ++ return dh_param_init(nid, &_bignum_modp_3072_p, &_bignum_modp_3072_q, 275); ++ case NID_modp_4096: ++ return dh_param_init(nid, &_bignum_modp_4096_p, &_bignum_modp_4096_q, 325); ++ case NID_modp_6144: ++ return dh_param_init(nid, &_bignum_modp_6144_p, &_bignum_modp_6144_q, 375); ++ case NID_modp_8192: ++ return dh_param_init(nid, &_bignum_modp_8192_p, &_bignum_modp_8192_q, 400); ++ case NID_modp_1536: ++ if (!FIPS_mode()) ++ return dh_param_init(nid, &_bignum_modp_1536_p, &_bignum_modp_1536_q, 175); ++ /* fallthrough */ + default: + DHerr(DH_F_DH_NEW_BY_NID, DH_R_INVALID_PARAMETER_NID); + return NULL; + } + } + +-int DH_get_nid(const DH *dh) ++static int dh_match_group(const DH *dh, BIGNUM **qout, int *lout) + { + int nid; ++ const BIGNUM *q; ++ int length; + + if (BN_get_word(dh->g) != 2) + return NID_undef; +- if (!BN_cmp(dh->p, &_bignum_ffdhe2048_p)) ++ ++ if (dh->nid == NID_ffdhe2048 || !BN_cmp(dh->p, &_bignum_ffdhe2048_p)) { + nid = NID_ffdhe2048; +- else if (!BN_cmp(dh->p, &_bignum_ffdhe3072_p)) ++ q = &_bignum_ffdhe2048_q; ++ length = 225; ++ } else if (dh->nid == NID_ffdhe3072 || !BN_cmp(dh->p, &_bignum_ffdhe3072_p)) { + nid = NID_ffdhe3072; +- else if (!BN_cmp(dh->p, &_bignum_ffdhe4096_p)) ++ q = &_bignum_ffdhe3072_q; ++ length = 275; ++ } else if (dh->nid == NID_ffdhe4096 || !BN_cmp(dh->p, &_bignum_ffdhe4096_p)) { + nid = NID_ffdhe4096; +- else if (!BN_cmp(dh->p, &_bignum_ffdhe6144_p)) ++ q = &_bignum_ffdhe4096_q; ++ length = 325; ++ } else if (dh->nid == NID_ffdhe6144 || !BN_cmp(dh->p, &_bignum_ffdhe6144_p)) { + nid = NID_ffdhe6144; +- else if (!BN_cmp(dh->p, &_bignum_ffdhe8192_p)) ++ q = &_bignum_ffdhe6144_q; ++ length = 375; ++ } else if (dh->nid == NID_ffdhe8192 || !BN_cmp(dh->p, &_bignum_ffdhe8192_p)) { + nid = NID_ffdhe8192; +- else ++ q = &_bignum_ffdhe8192_q; ++ length = 400; ++ } else if (dh->nid == NID_modp_2048 || !BN_cmp(dh->p, &_bignum_modp_2048_p)) { ++ nid = NID_modp_2048; ++ q = &_bignum_modp_2048_q; ++ length = 225; ++ } else if (dh->nid == NID_modp_3072 || !BN_cmp(dh->p, &_bignum_modp_3072_p)) { ++ nid = NID_modp_3072; ++ q = &_bignum_modp_3072_q; ++ length = 275; ++ } else if (dh->nid == NID_modp_4096 || !BN_cmp(dh->p, &_bignum_modp_4096_p)) { ++ nid = NID_modp_4096; ++ q = &_bignum_modp_4096_q; ++ length = 325; ++ } else if (dh->nid == NID_modp_6144 || !BN_cmp(dh->p, &_bignum_modp_6144_p)) { ++ nid = NID_modp_6144; ++ q = &_bignum_modp_6144_q; ++ length = 375; ++ } else if (dh->nid == NID_modp_8192 || !BN_cmp(dh->p, &_bignum_modp_8192_p)) { ++ nid = NID_modp_8192; ++ q = &_bignum_modp_8192_q; ++ length = 400; ++ } else if (!FIPS_mode() && (dh->nid == NID_modp_1536 || !BN_cmp(dh->p, &_bignum_modp_1536_p))) { ++ nid = NID_modp_1536; ++ q = &_bignum_modp_1536_q; ++ length = 175; ++ } else { + return NID_undef; ++ } ++ + if (dh->q != NULL) { +- BIGNUM *q = BN_dup(dh->p); ++ /* Check that q matches the known q. */ ++ if (BN_cmp(dh->q, q)) ++ return NID_undef; ++ } else if (qout != NULL) { ++ *qout = (BIGNUM *)q; ++ } + +- /* Check q = p * 2 + 1 we already know q is odd, so just shift right */ +- if (q == NULL || !BN_rshift1(q, q) || !BN_cmp(dh->q, q)) +- nid = NID_undef; +- BN_free(q); ++ if (lout != NULL) { ++ *lout = length; + } + return nid; + } ++ ++int DH_get_nid(const DH *dh) ++{ ++ if (dh->nid != NID_undef) { ++ return dh->nid; ++ } ++ return dh_match_group(dh, NULL, NULL); ++} ++ ++void dh_cache_nid(DH *dh) ++{ ++ dh->nid = dh_match_group(dh, NULL, &dh->length); ++} ++ ++int dh_get_known_q(const DH *dh, BIGNUM **q) ++{ ++ return dh_match_group(dh, q, NULL) != NID_undef; ++} ++ +diff -up openssl-1.1.1j/crypto/ec/ec_key.c.fips-dh openssl-1.1.1j/crypto/ec/ec_key.c +--- openssl-1.1.1j/crypto/ec/ec_key.c.fips-dh 2021-03-03 14:23:27.339091868 +0100 ++++ openssl-1.1.1j/crypto/ec/ec_key.c 2021-03-03 14:23:27.405092436 +0100 +@@ -281,9 +281,18 @@ int ec_key_simple_generate_key(EC_KEY *e + if (!EC_POINT_mul(eckey->group, pub_key, priv_key, NULL, NULL, ctx)) + goto err; + +- eckey->priv_key = priv_key; + eckey->pub_key = pub_key; + ++ if (FIPS_mode()) { ++ eckey->priv_key = NULL; ++ if (EC_KEY_check_key(eckey) <= 0) { ++ eckey->pub_key = NULL; ++ goto err; ++ } ++ } ++ ++ eckey->priv_key = priv_key; ++ + ok = 1; + + err: +@@ -297,8 +306,23 @@ int ec_key_simple_generate_key(EC_KEY *e + + int ec_key_simple_generate_public_key(EC_KEY *eckey) + { +- return EC_POINT_mul(eckey->group, eckey->pub_key, eckey->priv_key, NULL, ++ BIGNUM *priv_key; ++ int ret = EC_POINT_mul(eckey->group, eckey->pub_key, eckey->priv_key, NULL, + NULL, NULL); ++ ++ if (ret <= 0 || !FIPS_mode()) ++ return ret; ++ ++ /* no need to perform private key test, temporarily hide it */ ++ priv_key = eckey->priv_key; ++ eckey->priv_key = NULL; ++ ret = EC_KEY_check_key(eckey); ++ eckey->priv_key = priv_key; ++ ++ if (ret <= 0) ++ EC_POINT_set_to_infinity(eckey->group, eckey->pub_key); ++ ++ return ret; + } + + int EC_KEY_check_key(const EC_KEY *eckey) +diff -up openssl-1.1.1j/crypto/evp/p_lib.c.fips-dh openssl-1.1.1j/crypto/evp/p_lib.c +--- openssl-1.1.1j/crypto/evp/p_lib.c.fips-dh 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/crypto/evp/p_lib.c 2021-03-03 14:23:27.405092436 +0100 +@@ -540,7 +540,8 @@ EC_KEY *EVP_PKEY_get1_EC_KEY(EVP_PKEY *p + + int EVP_PKEY_set1_DH(EVP_PKEY *pkey, DH *key) + { +- int type = DH_get0_q(key) == NULL ? EVP_PKEY_DH : EVP_PKEY_DHX; ++ int type = DH_get0_q(key) == NULL || DH_get_nid(key) != NID_undef ? ++ EVP_PKEY_DH : EVP_PKEY_DHX; + int ret = EVP_PKEY_assign(pkey, type, key); + + if (ret) +diff -up openssl-1.1.1j/crypto/objects/obj_dat.h.fips-dh openssl-1.1.1j/crypto/objects/obj_dat.h +--- openssl-1.1.1j/crypto/objects/obj_dat.h.fips-dh 2021-03-03 14:23:27.394092341 +0100 ++++ openssl-1.1.1j/crypto/objects/obj_dat.h 2021-03-03 14:23:27.406092444 +0100 +@@ -1078,7 +1078,7 @@ static const unsigned char so[7762] = { + 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x0D, /* [ 7753] OBJ_hmacWithSHA512_256 */ + }; + +-#define NUM_NID 1199 ++#define NUM_NID 1205 + static const ASN1_OBJECT nid_objs[NUM_NID] = { + {"UNDEF", "undefined", NID_undef}, + {"rsadsi", "RSA Data Security, Inc.", NID_rsadsi, 6, &so[0]}, +@@ -2279,9 +2279,15 @@ static const ASN1_OBJECT nid_objs[NUM_NI + {"KBKDF", "kbkdf", NID_kbkdf}, + {"KRB5KDF", "krb5kdf", NID_krb5kdf}, + {"SSKDF", "sskdf", NID_sskdf}, ++ {"modp_1536", "modp_1536", NID_modp_1536}, ++ {"modp_2048", "modp_2048", NID_modp_2048}, ++ {"modp_3072", "modp_3072", NID_modp_3072}, ++ {"modp_4096", "modp_4096", NID_modp_4096}, ++ {"modp_6144", "modp_6144", NID_modp_6144}, ++ {"modp_8192", "modp_8192", NID_modp_8192}, + }; + +-#define NUM_SN 1190 ++#define NUM_SN 1196 + static const unsigned int sn_objs[NUM_SN] = { + 364, /* "AD_DVCS" */ + 419, /* "AES-128-CBC" */ +@@ -3127,6 +3133,12 @@ static const unsigned int sn_objs[NUM_SN + 506, /* "mime-mhs-bodies" */ + 505, /* "mime-mhs-headings" */ + 488, /* "mobileTelephoneNumber" */ ++ 1199, /* "modp_1536" */ ++ 1200, /* "modp_2048" */ ++ 1201, /* "modp_3072" */ ++ 1202, /* "modp_4096" */ ++ 1203, /* "modp_6144" */ ++ 1204, /* "modp_8192" */ + 136, /* "msCTLSign" */ + 135, /* "msCodeCom" */ + 134, /* "msCodeInd" */ +@@ -3475,7 +3487,7 @@ static const unsigned int sn_objs[NUM_SN + 1093, /* "x509ExtAdmission" */ + }; + +-#define NUM_LN 1190 ++#define NUM_LN 1196 + static const unsigned int ln_objs[NUM_LN] = { + 363, /* "AD Time Stamping" */ + 405, /* "ANSI X9.62" */ +@@ -4313,6 +4325,12 @@ static const unsigned int ln_objs[NUM_LN + 506, /* "mime-mhs-bodies" */ + 505, /* "mime-mhs-headings" */ + 488, /* "mobileTelephoneNumber" */ ++ 1199, /* "modp_1536" */ ++ 1200, /* "modp_2048" */ ++ 1201, /* "modp_3072" */ ++ 1202, /* "modp_4096" */ ++ 1203, /* "modp_6144" */ ++ 1204, /* "modp_8192" */ + 481, /* "nSRecord" */ + 173, /* "name" */ + 681, /* "onBasis" */ +diff -up openssl-1.1.1j/crypto/objects/objects.txt.fips-dh openssl-1.1.1j/crypto/objects/objects.txt +--- openssl-1.1.1j/crypto/objects/objects.txt.fips-dh 2021-03-03 14:23:27.395092350 +0100 ++++ openssl-1.1.1j/crypto/objects/objects.txt 2021-03-03 14:23:27.406092444 +0100 +@@ -1657,6 +1657,13 @@ id-pkinit 5 : pkInit + : ffdhe4096 + : ffdhe6144 + : ffdhe8192 ++# NIDs for RFC3526 DH parameters ++ : modp_1536 ++ : modp_2048 ++ : modp_3072 ++ : modp_4096 ++ : modp_6144 ++ : modp_8192 + + # OIDs for DSTU-4145/DSTU-7564 (http://zakon2.rada.gov.ua/laws/show/z0423-17) + +diff -up openssl-1.1.1j/crypto/objects/obj_mac.num.fips-dh openssl-1.1.1j/crypto/objects/obj_mac.num +--- openssl-1.1.1j/crypto/objects/obj_mac.num.fips-dh 2021-03-03 14:23:27.395092350 +0100 ++++ openssl-1.1.1j/crypto/objects/obj_mac.num 2021-03-03 14:23:27.406092444 +0100 +@@ -1196,3 +1196,9 @@ sshkdf 1195 + kbkdf 1196 + krb5kdf 1197 + sskdf 1198 ++modp_1536 1199 ++modp_2048 1200 ++modp_3072 1201 ++modp_4096 1202 ++modp_6144 1203 ++modp_8192 1204 +diff -up openssl-1.1.1j/doc/man3/DH_new_by_nid.pod.fips-dh openssl-1.1.1j/doc/man3/DH_new_by_nid.pod +--- openssl-1.1.1j/doc/man3/DH_new_by_nid.pod.fips-dh 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/doc/man3/DH_new_by_nid.pod 2021-03-03 14:23:27.406092444 +0100 +@@ -8,13 +8,15 @@ DH_new_by_nid, DH_get_nid - get or find + + #include + DH *DH_new_by_nid(int nid); +- int *DH_get_nid(const DH *dh); ++ int DH_get_nid(const DH *dh); + + =head1 DESCRIPTION + + DH_new_by_nid() creates and returns a DH structure containing named parameters + B. Currently B must be B, B, +-B, B or B. ++B, B, B, ++B, B, B, ++B, B or B. + + DH_get_nid() determines if the parameters contained in B match + any named set. It returns the NID corresponding to the matching parameters or +diff -up openssl-1.1.1j/doc/man3/EVP_PKEY_CTX_ctrl.pod.fips-dh openssl-1.1.1j/doc/man3/EVP_PKEY_CTX_ctrl.pod +--- openssl-1.1.1j/doc/man3/EVP_PKEY_CTX_ctrl.pod.fips-dh 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/doc/man3/EVP_PKEY_CTX_ctrl.pod 2021-03-03 14:23:27.406092444 +0100 +@@ -294,10 +294,11 @@ The EVP_PKEY_CTX_set_dh_pad() macro sets + If B is zero (the default) then no padding is performed. + + EVP_PKEY_CTX_set_dh_nid() sets the DH parameters to values corresponding to +-B as defined in RFC7919. The B parameter must be B, +-B, B, B, B +-or B to clear the stored value. This macro can be called during +-parameter or key generation. ++I as defined in RFC7919 or RFC3526. The I parameter must be ++B, B, B, B, ++B, B, B, B, ++B, B, B or B to clear ++the stored value. This macro can be called during parameter or key generation. + The nid parameter and the rfc5114 parameter are mutually exclusive. + + The EVP_PKEY_CTX_set_dh_rfc5114() and EVP_PKEY_CTX_set_dhx_rfc5114() macros are +diff -up openssl-1.1.1j/include/crypto/bn_dh.h.fips-dh openssl-1.1.1j/include/crypto/bn_dh.h +--- openssl-1.1.1j/include/crypto/bn_dh.h.fips-dh 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/include/crypto/bn_dh.h 2021-03-03 14:23:27.406092444 +0100 +@@ -1,7 +1,7 @@ + /* +- * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved. + * +- * Licensed under the OpenSSL license (the "License"). You may not use ++ * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html +@@ -9,16 +9,35 @@ + + #define declare_dh_bn(x) \ + extern const BIGNUM _bignum_dh##x##_p; \ ++ extern const BIGNUM _bignum_dh##x##_q; \ + extern const BIGNUM _bignum_dh##x##_g; \ +- extern const BIGNUM _bignum_dh##x##_q; + + declare_dh_bn(1024_160) + declare_dh_bn(2048_224) + declare_dh_bn(2048_256) + ++extern const BIGNUM _bignum_const_2; ++ + extern const BIGNUM _bignum_ffdhe2048_p; + extern const BIGNUM _bignum_ffdhe3072_p; + extern const BIGNUM _bignum_ffdhe4096_p; + extern const BIGNUM _bignum_ffdhe6144_p; + extern const BIGNUM _bignum_ffdhe8192_p; +-extern const BIGNUM _bignum_const_2; ++extern const BIGNUM _bignum_ffdhe2048_q; ++extern const BIGNUM _bignum_ffdhe3072_q; ++extern const BIGNUM _bignum_ffdhe4096_q; ++extern const BIGNUM _bignum_ffdhe6144_q; ++extern const BIGNUM _bignum_ffdhe8192_q; ++ ++extern const BIGNUM _bignum_modp_1536_p; ++extern const BIGNUM _bignum_modp_2048_p; ++extern const BIGNUM _bignum_modp_3072_p; ++extern const BIGNUM _bignum_modp_4096_p; ++extern const BIGNUM _bignum_modp_6144_p; ++extern const BIGNUM _bignum_modp_8192_p; ++extern const BIGNUM _bignum_modp_1536_q; ++extern const BIGNUM _bignum_modp_2048_q; ++extern const BIGNUM _bignum_modp_3072_q; ++extern const BIGNUM _bignum_modp_4096_q; ++extern const BIGNUM _bignum_modp_6144_q; ++extern const BIGNUM _bignum_modp_8192_q; +diff -up openssl-1.1.1j/include/openssl/obj_mac.h.fips-dh openssl-1.1.1j/include/openssl/obj_mac.h +--- openssl-1.1.1j/include/openssl/obj_mac.h.fips-dh 2021-03-03 14:23:27.396092358 +0100 ++++ openssl-1.1.1j/include/openssl/obj_mac.h 2021-03-03 14:23:27.407092453 +0100 +@@ -5115,6 +5115,24 @@ + #define SN_ffdhe8192 "ffdhe8192" + #define NID_ffdhe8192 1130 + ++#define SN_modp_1536 "modp_1536" ++#define NID_modp_1536 1199 ++ ++#define SN_modp_2048 "modp_2048" ++#define NID_modp_2048 1200 ++ ++#define SN_modp_3072 "modp_3072" ++#define NID_modp_3072 1201 ++ ++#define SN_modp_4096 "modp_4096" ++#define NID_modp_4096 1202 ++ ++#define SN_modp_6144 "modp_6144" ++#define NID_modp_6144 1203 ++ ++#define SN_modp_8192 "modp_8192" ++#define NID_modp_8192 1204 ++ + #define SN_ISO_UA "ISO-UA" + #define NID_ISO_UA 1150 + #define OBJ_ISO_UA OBJ_member_body,804L +diff -up openssl-1.1.1j/ssl/s3_lib.c.fips-dh openssl-1.1.1j/ssl/s3_lib.c +--- openssl-1.1.1j/ssl/s3_lib.c.fips-dh 2021-03-03 14:23:27.354091997 +0100 ++++ openssl-1.1.1j/ssl/s3_lib.c 2021-03-03 14:23:27.407092453 +0100 +@@ -4849,13 +4849,51 @@ int ssl_derive(SSL *s, EVP_PKEY *privkey + EVP_PKEY *ssl_dh_to_pkey(DH *dh) + { + EVP_PKEY *ret; ++ DH *dhp = NULL; ++ + if (dh == NULL) + return NULL; ++ ++ if (FIPS_mode() && DH_get_nid(dh) == NID_undef) { ++ int bits = DH_bits(dh); ++ BIGNUM *p, *g; ++ ++ dhp = DH_new(); ++ if (dhp == NULL) ++ return NULL; ++ g = BN_new(); ++ if (g == NULL || !BN_set_word(g, 2)) { ++ DH_free(dhp); ++ BN_free(g); ++ return NULL; ++ } ++ ++ if (bits >= 7000) ++ p = BN_get_rfc3526_prime_8192(NULL); ++ else if (bits >= 5000) ++ p = BN_get_rfc3526_prime_6144(NULL); ++ else if (bits >= 3800) ++ p = BN_get_rfc3526_prime_4096(NULL); ++ else if (bits >= 2500) ++ p = BN_get_rfc3526_prime_3072(NULL); ++ else ++ p = BN_get_rfc3526_prime_2048(NULL); ++ if (p == NULL || !DH_set0_pqg(dhp, p, NULL, g)) { ++ DH_free(dhp); ++ BN_free(p); ++ BN_free(g); ++ return NULL; ++ } ++ dh = dhp; ++ } ++ + ret = EVP_PKEY_new(); + if (EVP_PKEY_set1_DH(ret, dh) <= 0) { ++ DH_free(dhp); + EVP_PKEY_free(ret); + return NULL; + } ++ DH_free(dhp); + return ret; + } + #endif +diff -up openssl-1.1.1j/ssl/t1_lib.c.fips-dh openssl-1.1.1j/ssl/t1_lib.c +--- openssl-1.1.1j/ssl/t1_lib.c.fips-dh 2021-03-03 14:23:27.401092401 +0100 ++++ openssl-1.1.1j/ssl/t1_lib.c 2021-03-03 14:23:27.407092453 +0100 +@@ -2542,7 +2542,7 @@ DH *ssl_get_auto_dh(SSL *s) + p = BN_get_rfc3526_prime_4096(NULL); + else if (dh_secbits >= 128) + p = BN_get_rfc3526_prime_3072(NULL); +- else if (dh_secbits >= 112) ++ else if (dh_secbits >= 112 || FIPS_mode()) + p = BN_get_rfc3526_prime_2048(NULL); + else + p = BN_get_rfc2409_prime_1024(NULL); diff --git a/openssl-1.1.1-fips-drbg-selftest.patch b/openssl-1.1.1-fips-drbg-selftest.patch new file mode 100644 index 0000000..b800c06 --- /dev/null +++ b/openssl-1.1.1-fips-drbg-selftest.patch @@ -0,0 +1,587 @@ +diff -up openssl-1.1.1g/crypto/fips/fips_post.c.drbg-selftest openssl-1.1.1g/crypto/fips/fips_post.c +--- openssl-1.1.1g/crypto/fips/fips_post.c.drbg-selftest 2020-04-23 13:33:12.500624151 +0200 ++++ openssl-1.1.1g/crypto/fips/fips_post.c 2020-04-23 13:33:12.618621925 +0200 +@@ -67,12 +67,18 @@ + + # include + # include "crypto/fips.h" ++# include "crypto/rand.h" + # include "fips_locl.h" + + /* Run all selftests */ + int FIPS_selftest(void) + { + int rv = 1; ++ if (!rand_drbg_selftest()) { ++ FIPSerr(FIPS_F_FIPS_SELFTEST, FIPS_R_TEST_FAILURE); ++ ERR_add_error_data(2, "Type=", "rand_drbg_selftest"); ++ rv = 0; ++ } + if (!FIPS_selftest_drbg()) + rv = 0; + if (!FIPS_selftest_sha1()) +diff -up openssl-1.1.1g/crypto/rand/build.info.drbg-selftest openssl-1.1.1g/crypto/rand/build.info +--- openssl-1.1.1g/crypto/rand/build.info.drbg-selftest 2020-04-23 13:33:12.619621907 +0200 ++++ openssl-1.1.1g/crypto/rand/build.info 2020-04-23 13:34:10.857523497 +0200 +@@ -1,6 +1,6 @@ + LIBS=../../libcrypto + SOURCE[../../libcrypto]=\ + randfile.c rand_lib.c rand_err.c rand_crng_test.c rand_egd.c \ +- rand_win.c rand_unix.c rand_vms.c drbg_lib.c drbg_ctr.c ++ rand_win.c rand_unix.c rand_vms.c drbg_lib.c drbg_ctr.c drbg_selftest.c + + INCLUDE[drbg_ctr.o]=../modes +diff -up openssl-1.1.1g/crypto/rand/drbg_selftest.c.drbg-selftest openssl-1.1.1g/crypto/rand/drbg_selftest.c +--- openssl-1.1.1g/crypto/rand/drbg_selftest.c.drbg-selftest 2020-04-23 13:33:12.619621907 +0200 ++++ openssl-1.1.1g/crypto/rand/drbg_selftest.c 2020-04-23 13:33:12.619621907 +0200 +@@ -0,0 +1,537 @@ ++/* ++ * Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved. ++ * ++ * Licensed under the OpenSSL license (the "License"). You may not use ++ * this file except in compliance with the License. You can obtain a copy ++ * in the file LICENSE in the source distribution or at ++ * https://www.openssl.org/source/license.html ++ */ ++ ++#include ++#include ++#include "internal/nelem.h" ++#include ++#include ++#include ++#include ++#include "internal/thread_once.h" ++#include "crypto/rand.h" ++ ++typedef struct test_ctx_st { ++ const unsigned char *entropy; ++ size_t entropylen; ++ int entropycnt; ++ const unsigned char *nonce; ++ size_t noncelen; ++ int noncecnt; ++} TEST_CTX; ++ ++static int app_data_index = -1; ++static CRYPTO_ONCE get_index_once = CRYPTO_ONCE_STATIC_INIT; ++DEFINE_RUN_ONCE_STATIC(drbg_app_data_index_init) ++{ ++ app_data_index = RAND_DRBG_get_ex_new_index(0L, NULL, NULL, NULL, NULL); ++ ++ return 1; ++} ++ ++enum drbg_kat_type { ++ NO_RESEED, ++ PR_FALSE, ++ PR_TRUE ++}; ++ ++enum drbg_df { ++ USE_DF, ++ NO_DF, ++ NA ++}; ++ ++struct drbg_kat_no_reseed { ++ size_t count; ++ const unsigned char *entropyin; ++ const unsigned char *nonce; ++ const unsigned char *persstr; ++ const unsigned char *addin1; ++ const unsigned char *addin2; ++ const unsigned char *retbytes; ++}; ++ ++struct drbg_kat_pr_false { ++ size_t count; ++ const unsigned char *entropyin; ++ const unsigned char *nonce; ++ const unsigned char *persstr; ++ const unsigned char *entropyinreseed; ++ const unsigned char *addinreseed; ++ const unsigned char *addin1; ++ const unsigned char *addin2; ++ const unsigned char *retbytes; ++}; ++ ++struct drbg_kat_pr_true { ++ size_t count; ++ const unsigned char *entropyin; ++ const unsigned char *nonce; ++ const unsigned char *persstr; ++ const unsigned char *entropyinpr1; ++ const unsigned char *addin1; ++ const unsigned char *entropyinpr2; ++ const unsigned char *addin2; ++ const unsigned char *retbytes; ++}; ++ ++struct drbg_kat { ++ enum drbg_kat_type type; ++ enum drbg_df df; ++ int nid; ++ ++ size_t entropyinlen; ++ size_t noncelen; ++ size_t persstrlen; ++ size_t addinlen; ++ size_t retbyteslen; ++ ++ const void *t; ++}; ++ ++/* ++ * Excerpt from test/drbg_cavs_data.c ++ * DRBG test vectors from: ++ * https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/ ++ */ ++ ++static const unsigned char kat1308_entropyin[] = { ++ 0x7c, 0x5d, 0x90, 0x70, 0x3b, 0x8a, 0xc7, 0x0f, 0x23, 0x73, 0x24, 0x9c, ++ 0xa7, 0x15, 0x41, 0x71, 0x7a, 0x31, 0xea, 0x32, 0xfc, 0x28, 0x0d, 0xd7, ++ 0x5b, 0x09, 0x01, 0x98, 0x1b, 0xe2, 0xa5, 0x53, 0xd9, 0x05, 0x32, 0x97, ++ 0xec, 0xbe, 0x86, 0xfd, 0x1c, 0x1c, 0x71, 0x4c, 0x52, 0x29, 0x9e, 0x52, ++}; ++static const unsigned char kat1308_nonce[] = {0}; ++static const unsigned char kat1308_persstr[] = { ++ 0xdc, 0x07, 0x2f, 0x68, 0xfa, 0x77, 0x03, 0x23, 0x42, 0xb0, 0xf5, 0xa2, ++ 0xd9, 0xad, 0xa1, 0xd0, 0xad, 0xa2, 0x14, 0xb4, 0xd0, 0x8e, 0xfb, 0x39, ++ 0xdd, 0xc2, 0xac, 0xfb, 0x98, 0xdf, 0x7f, 0xce, 0x4c, 0x75, 0x56, 0x45, ++ 0xcd, 0x86, 0x93, 0x74, 0x90, 0x6e, 0xf6, 0x9e, 0x85, 0x7e, 0xfb, 0xc3, ++}; ++static const unsigned char kat1308_addin0[] = { ++ 0x52, 0x25, 0xc4, 0x2f, 0x03, 0xce, 0x29, 0x71, 0xc5, 0x0b, 0xc3, 0x4e, ++ 0xad, 0x8d, 0x6f, 0x17, 0x82, 0xe1, 0xf3, 0xfd, 0xfd, 0x9b, 0x94, 0x9a, ++ 0x1d, 0xac, 0xd0, 0xd4, 0x3f, 0x2b, 0xe3, 0xab, 0x7c, 0x3d, 0x3e, 0x5a, ++ 0x68, 0xbb, 0xa4, 0x74, 0x68, 0x1a, 0xc6, 0x27, 0xff, 0xe0, 0xc0, 0x6c, ++}; ++static const unsigned char kat1308_addin1[] = { ++ 0xdc, 0x91, 0xd7, 0xb7, 0xb9, 0x94, 0x79, 0x0f, 0x06, 0xc4, 0x70, 0x19, ++ 0x33, 0x25, 0x7c, 0x96, 0x01, 0xa0, 0x62, 0xb0, 0x50, 0xe6, 0xc0, 0x3a, ++ 0x56, 0x8f, 0xc5, 0x50, 0x48, 0xc6, 0xf4, 0x49, 0xe5, 0x70, 0x16, 0x2e, ++ 0xae, 0xf2, 0x99, 0xb4, 0x2d, 0x70, 0x18, 0x16, 0xcd, 0xe0, 0x24, 0xe4, ++}; ++static const unsigned char kat1308_retbits[] = { ++ 0xde, 0xf8, 0x91, 0x1b, 0xf1, 0xe1, 0xa9, 0x97, 0xd8, 0x61, 0x84, 0xe2, ++ 0xdb, 0x83, 0x3e, 0x60, 0x45, 0xcd, 0xc8, 0x66, 0x93, 0x28, 0xc8, 0x92, ++ 0xbc, 0x25, 0xae, 0xe8, 0xb0, 0xed, 0xed, 0x16, 0x3d, 0xa5, 0xf9, 0x0f, ++ 0xb3, 0x72, 0x08, 0x84, 0xac, 0x3c, 0x3b, 0xaa, 0x5f, 0xf9, 0x7d, 0x63, ++ 0x3e, 0xde, 0x59, 0x37, 0x0e, 0x40, 0x12, 0x2b, 0xbc, 0x6c, 0x96, 0x53, ++ 0x26, 0x32, 0xd0, 0xb8, ++}; ++static const struct drbg_kat_no_reseed kat1308_t = { ++ 2, kat1308_entropyin, kat1308_nonce, kat1308_persstr, ++ kat1308_addin0, kat1308_addin1, kat1308_retbits ++}; ++static const struct drbg_kat kat1308 = { ++ NO_RESEED, NO_DF, NID_aes_256_ctr, 48, 0, 48, 48, 64, &kat1308_t ++}; ++ ++static const unsigned char kat1465_entropyin[] = { ++ 0xc9, 0x96, 0x3a, 0x15, 0x51, 0x76, 0x4f, 0xe0, 0x45, 0x82, 0x8a, 0x64, ++ 0x87, 0xbe, 0xaa, 0xc0, ++}; ++static const unsigned char kat1465_nonce[] = { ++ 0x08, 0xcd, 0x69, 0x39, 0xf8, 0x58, 0x9a, 0x85, ++}; ++static const unsigned char kat1465_persstr[] = {0}; ++static const unsigned char kat1465_entropyinreseed[] = { ++ 0x16, 0xcc, 0x35, 0x15, 0xb1, 0x17, 0xf5, 0x33, 0x80, 0x9a, 0x80, 0xc5, ++ 0x1f, 0x4b, 0x7b, 0x51, ++}; ++static const unsigned char kat1465_addinreseed[] = { ++ 0xf5, 0x3d, 0xf1, 0x2e, 0xdb, 0x28, 0x1c, 0x00, 0x7b, 0xcb, 0xb6, 0x12, ++ 0x61, 0x9f, 0x26, 0x5f, ++}; ++static const unsigned char kat1465_addin0[] = { ++ 0xe2, 0x67, 0x06, 0x62, 0x09, 0xa7, 0xcf, 0xd6, 0x84, 0x8c, 0x20, 0xf6, ++ 0x10, 0x5a, 0x73, 0x9c, ++}; ++static const unsigned char kat1465_addin1[] = { ++ 0x26, 0xfa, 0x50, 0xe1, 0xb3, 0xcb, 0x65, 0xed, 0xbc, 0x6d, 0xda, 0x18, ++ 0x47, 0x99, 0x1f, 0xeb, ++}; ++static const unsigned char kat1465_retbits[] = { ++ 0xf9, 0x47, 0xc6, 0xb0, 0x58, 0xa8, 0x66, 0x8a, 0xf5, 0x2b, 0x2a, 0x6d, ++ 0x4e, 0x24, 0x6f, 0x65, 0xbf, 0x51, 0x22, 0xbf, 0xe8, 0x8d, 0x6c, 0xeb, ++ 0xf9, 0x68, 0x7f, 0xed, 0x3b, 0xdd, 0x6b, 0xd5, 0x28, 0x47, 0x56, 0x52, ++ 0xda, 0x50, 0xf0, 0x90, 0x73, 0x95, 0x06, 0x58, 0xaf, 0x08, 0x98, 0x6e, ++ 0x24, 0x18, 0xfd, 0x2f, 0x48, 0x72, 0x57, 0xd6, 0x59, 0xab, 0xe9, 0x41, ++ 0x58, 0xdb, 0x27, 0xba, ++}; ++static const struct drbg_kat_pr_false kat1465_t = { ++ 9, kat1465_entropyin, kat1465_nonce, kat1465_persstr, ++ kat1465_entropyinreseed, kat1465_addinreseed, kat1465_addin0, ++ kat1465_addin1, kat1465_retbits ++}; ++static const struct drbg_kat kat1465 = { ++ PR_FALSE, USE_DF, NID_aes_128_ctr, 16, 8, 0, 16, 64, &kat1465_t ++}; ++ ++static const unsigned char kat3146_entropyin[] = { ++ 0xd7, 0x08, 0x42, 0x82, 0xc2, 0xd2, 0xd1, 0xde, 0x01, 0xb4, 0x36, 0xb3, ++ 0x7f, 0xbd, 0xd3, 0xdd, 0xb3, 0xc4, 0x31, 0x4f, 0x8f, 0xa7, 0x10, 0xf4, ++}; ++static const unsigned char kat3146_nonce[] = { ++ 0x7b, 0x9e, 0xcd, 0x49, 0x4f, 0x46, 0xa0, 0x08, 0x32, 0xff, 0x2e, 0xc3, ++ 0x50, 0x86, 0xca, 0xca, ++}; ++static const unsigned char kat3146_persstr[] = {0}; ++static const unsigned char kat3146_entropyinpr1[] = { ++ 0x68, 0xd0, 0x7b, 0xa4, 0xe7, 0x22, 0x19, 0xe6, 0xb6, 0x46, 0x6a, 0xda, ++ 0x8e, 0x67, 0xea, 0x63, 0x3f, 0xaf, 0x2f, 0x6c, 0x9d, 0x5e, 0x48, 0x15, ++}; ++static const unsigned char kat3146_addinpr1[] = { ++ 0x70, 0x0f, 0x54, 0xf4, 0x53, 0xde, 0xca, 0x61, 0x5c, 0x49, 0x51, 0xd1, ++ 0x41, 0xc4, 0xf1, 0x2f, 0x65, 0xfb, 0x7e, 0xbc, 0x9b, 0x14, 0xba, 0x90, ++ 0x05, 0x33, 0x7e, 0x64, 0xb7, 0x2b, 0xaf, 0x99, ++}; ++static const unsigned char kat3146_entropyinpr2[] = { ++ 0xeb, 0x77, 0xb0, 0xe9, 0x2d, 0x31, 0xc8, 0x66, 0xc5, 0xc4, 0xa7, 0xf7, ++ 0x6c, 0xb2, 0x74, 0x36, 0x4b, 0x25, 0x78, 0x04, 0xd8, 0xd7, 0xd2, 0x34, ++}; ++static const unsigned char kat3146_addinpr2[] = { ++ 0x05, 0xcd, 0x2a, 0x97, 0x5a, 0x5d, 0xfb, 0x98, 0xc1, 0xf1, 0x00, 0x0c, ++ 0xed, 0xe6, 0x2a, 0xba, 0xf0, 0x89, 0x1f, 0x5a, 0x4f, 0xd7, 0x48, 0xb3, ++ 0x24, 0xc0, 0x8a, 0x3d, 0x60, 0x59, 0x5d, 0xb6, ++}; ++static const unsigned char kat3146_retbits[] = { ++ 0x29, 0x94, 0xa4, 0xa8, 0x17, 0x3e, 0x62, 0x2f, 0x94, 0xdd, 0x40, 0x1f, ++ 0xe3, 0x7e, 0x77, 0xd4, 0x38, 0xbc, 0x0e, 0x49, 0x46, 0xf6, 0x0e, 0x28, ++ 0x91, 0xc6, 0x9c, 0xc4, 0xa6, 0xa1, 0xf8, 0x9a, 0x64, 0x5e, 0x99, 0x76, ++ 0xd0, 0x2d, 0xee, 0xde, 0xe1, 0x2c, 0x93, 0x29, 0x4b, 0x12, 0xcf, 0x87, ++ 0x03, 0x98, 0xb9, 0x74, 0x41, 0xdb, 0x3a, 0x49, 0x9f, 0x92, 0xd0, 0x45, ++ 0xd4, 0x30, 0x73, 0xbb, ++}; ++static const struct drbg_kat_pr_true kat3146_t = { ++ 10, kat3146_entropyin, kat3146_nonce, kat3146_persstr, ++ kat3146_entropyinpr1, kat3146_addinpr1, kat3146_entropyinpr2, ++ kat3146_addinpr2, kat3146_retbits ++}; ++static const struct drbg_kat kat3146 = { ++ PR_TRUE, USE_DF, NID_aes_192_ctr, 24, 16, 0, 32, 64, &kat3146_t ++}; ++ ++static const struct drbg_kat *drbg_test[] = { &kat1308, &kat1465, &kat3146 }; ++ ++static const size_t drbg_test_nelem = OSSL_NELEM(drbg_test); ++ ++static size_t kat_entropy(RAND_DRBG *drbg, unsigned char **pout, ++ int entropy, size_t min_len, size_t max_len, ++ int prediction_resistance) ++{ ++ TEST_CTX *t = (TEST_CTX *)RAND_DRBG_get_ex_data(drbg, app_data_index); ++ ++ t->entropycnt++; ++ *pout = (unsigned char *)t->entropy; ++ return t->entropylen; ++} ++ ++static size_t kat_nonce(RAND_DRBG *drbg, unsigned char **pout, ++ int entropy, size_t min_len, size_t max_len) ++{ ++ TEST_CTX *t = (TEST_CTX *)RAND_DRBG_get_ex_data(drbg, app_data_index); ++ ++ t->noncecnt++; ++ *pout = (unsigned char *)t->nonce; ++ return t->noncelen; ++} ++ ++/* ++ * Do a single NO_RESEED KAT: ++ * ++ * Instantiate ++ * Generate Random Bits (pr=false) ++ * Generate Random Bits (pr=false) ++ * Uninstantiate ++ * ++ * Return 0 on failure. ++ */ ++static int single_kat_no_reseed(const struct drbg_kat *td) ++{ ++ struct drbg_kat_no_reseed *data = (struct drbg_kat_no_reseed *)td->t; ++ RAND_DRBG *drbg = NULL; ++ unsigned char *buff = NULL; ++ unsigned int flags = 0; ++ int failures = 0; ++ TEST_CTX t; ++ ++ if (td->df != USE_DF) ++ flags |= RAND_DRBG_FLAG_CTR_NO_DF; ++ ++ if ((drbg = RAND_DRBG_new(td->nid, flags, NULL)) == NULL) ++ return 0; ++ ++ if (!RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL, ++ kat_nonce, NULL)) { ++ failures++; ++ goto err; ++ } ++ memset(&t, 0, sizeof(t)); ++ t.entropy = data->entropyin; ++ t.entropylen = td->entropyinlen; ++ t.nonce = data->nonce; ++ t.noncelen = td->noncelen; ++ RAND_DRBG_set_ex_data(drbg, app_data_index, &t); ++ ++ buff = OPENSSL_malloc(td->retbyteslen); ++ if (buff == NULL) { ++ failures++; ++ goto err; ++ } ++ ++ if (!RAND_DRBG_instantiate(drbg, data->persstr, td->persstrlen) ++ || !RAND_DRBG_generate(drbg, buff, td->retbyteslen, 0, ++ data->addin1, td->addinlen) ++ || !RAND_DRBG_generate(drbg, buff, td->retbyteslen, 0, ++ data->addin2, td->addinlen) ++ || memcmp(data->retbytes, buff, ++ td->retbyteslen) != 0) ++ failures++; ++ ++err: ++ OPENSSL_free(buff); ++ RAND_DRBG_uninstantiate(drbg); ++ RAND_DRBG_free(drbg); ++ return failures == 0; ++} ++ ++/*- ++ * Do a single PR_FALSE KAT: ++ * ++ * Instantiate ++ * Reseed ++ * Generate Random Bits (pr=false) ++ * Generate Random Bits (pr=false) ++ * Uninstantiate ++ * ++ * Return 0 on failure. ++ */ ++static int single_kat_pr_false(const struct drbg_kat *td) ++{ ++ struct drbg_kat_pr_false *data = (struct drbg_kat_pr_false *)td->t; ++ RAND_DRBG *drbg = NULL; ++ unsigned char *buff = NULL; ++ unsigned int flags = 0; ++ int failures = 0; ++ TEST_CTX t; ++ ++ if (td->df != USE_DF) ++ flags |= RAND_DRBG_FLAG_CTR_NO_DF; ++ ++ if ((drbg = RAND_DRBG_new(td->nid, flags, NULL)) == NULL) ++ return 0; ++ ++ if (!RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL, ++ kat_nonce, NULL)) { ++ failures++; ++ goto err; ++ } ++ memset(&t, 0, sizeof(t)); ++ t.entropy = data->entropyin; ++ t.entropylen = td->entropyinlen; ++ t.nonce = data->nonce; ++ t.noncelen = td->noncelen; ++ RAND_DRBG_set_ex_data(drbg, app_data_index, &t); ++ ++ buff = OPENSSL_malloc(td->retbyteslen); ++ if (buff == NULL) { ++ failures++; ++ goto err; ++ } ++ ++ if (!RAND_DRBG_instantiate(drbg, data->persstr, td->persstrlen)) ++ failures++; ++ ++ t.entropy = data->entropyinreseed; ++ t.entropylen = td->entropyinlen; ++ ++ if (!RAND_DRBG_reseed(drbg, data->addinreseed, td->addinlen, 0) ++ || !RAND_DRBG_generate(drbg, buff, td->retbyteslen, 0, ++ data->addin1, td->addinlen) ++ || !RAND_DRBG_generate(drbg, buff, td->retbyteslen, 0, ++ data->addin2, td->addinlen) ++ || memcmp(data->retbytes, buff, ++ td->retbyteslen) != 0) ++ failures++; ++ ++err: ++ OPENSSL_free(buff); ++ RAND_DRBG_uninstantiate(drbg); ++ RAND_DRBG_free(drbg); ++ return failures == 0; ++} ++ ++/*- ++ * Do a single PR_TRUE KAT: ++ * ++ * Instantiate ++ * Generate Random Bits (pr=true) ++ * Generate Random Bits (pr=true) ++ * Uninstantiate ++ * ++ * Return 0 on failure. ++ */ ++static int single_kat_pr_true(const struct drbg_kat *td) ++{ ++ struct drbg_kat_pr_true *data = (struct drbg_kat_pr_true *)td->t; ++ RAND_DRBG *drbg = NULL; ++ unsigned char *buff = NULL; ++ unsigned int flags = 0; ++ int failures = 0; ++ TEST_CTX t; ++ ++ if (td->df != USE_DF) ++ flags |= RAND_DRBG_FLAG_CTR_NO_DF; ++ ++ if ((drbg = RAND_DRBG_new(td->nid, flags, NULL)) == NULL) ++ return 0; ++ ++ if (!RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL, ++ kat_nonce, NULL)) { ++ failures++; ++ goto err; ++ } ++ memset(&t, 0, sizeof(t)); ++ t.nonce = data->nonce; ++ t.noncelen = td->noncelen; ++ t.entropy = data->entropyin; ++ t.entropylen = td->entropyinlen; ++ RAND_DRBG_set_ex_data(drbg, app_data_index, &t); ++ ++ buff = OPENSSL_malloc(td->retbyteslen); ++ if (buff == NULL) { ++ failures++; ++ goto err; ++ } ++ ++ if (!RAND_DRBG_instantiate(drbg, data->persstr, td->persstrlen)) ++ failures++; ++ ++ t.entropy = data->entropyinpr1; ++ t.entropylen = td->entropyinlen; ++ ++ if (!RAND_DRBG_generate(drbg, buff, td->retbyteslen, 1, ++ data->addin1, td->addinlen)) ++ failures++; ++ ++ t.entropy = data->entropyinpr2; ++ t.entropylen = td->entropyinlen; ++ ++ if (!RAND_DRBG_generate(drbg, buff, td->retbyteslen, 1, ++ data->addin2, td->addinlen) ++ || memcmp(data->retbytes, buff, ++ td->retbyteslen) != 0) ++ failures++; ++ ++err: ++ OPENSSL_free(buff); ++ RAND_DRBG_uninstantiate(drbg); ++ RAND_DRBG_free(drbg); ++ return failures == 0; ++} ++ ++static int test_kats(int i) ++{ ++ const struct drbg_kat *td = drbg_test[i]; ++ int rv = 0; ++ ++ switch (td->type) { ++ case NO_RESEED: ++ if (!single_kat_no_reseed(td)) ++ goto err; ++ break; ++ case PR_FALSE: ++ if (!single_kat_pr_false(td)) ++ goto err; ++ break; ++ case PR_TRUE: ++ if (!single_kat_pr_true(td)) ++ goto err; ++ break; ++ default: /* cant happen */ ++ goto err; ++ } ++ rv = 1; ++err: ++ return rv; ++} ++ ++/*- ++ * Do one expected-error test: ++ * ++ * Instantiate with no entropy supplied ++ * ++ * Return 0 on failure. ++ */ ++static int test_drbg_sanity(const struct drbg_kat *td) ++{ ++ struct drbg_kat_pr_false *data = (struct drbg_kat_pr_false *)td->t; ++ RAND_DRBG *drbg = NULL; ++ unsigned int flags = 0; ++ int failures = 0; ++ TEST_CTX t; ++ ++ if (td->df != USE_DF) ++ flags |= RAND_DRBG_FLAG_CTR_NO_DF; ++ ++ if ((drbg = RAND_DRBG_new(td->nid, flags, NULL)) == NULL) ++ return 0; ++ ++ if (!RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL, ++ kat_nonce, NULL)) { ++ failures++; ++ goto err; ++ } ++ memset(&t, 0, sizeof(t)); ++ t.entropy = data->entropyin; ++ t.entropylen = 0; /* No entropy */ ++ t.nonce = data->nonce; ++ t.noncelen = td->noncelen; ++ RAND_DRBG_set_ex_data(drbg, app_data_index, &t); ++ ++ ERR_set_mark(); ++ /* This must fail. */ ++ if (RAND_DRBG_instantiate(drbg, data->persstr, td->persstrlen)) ++ failures++; ++ RAND_DRBG_uninstantiate(drbg); ++ ERR_pop_to_mark(); ++ ++err: ++ RAND_DRBG_free(drbg); ++ return failures == 0; ++} ++ ++ ++int rand_drbg_selftest(void) ++{ ++ int i; ++ ++ if (!RUN_ONCE(&get_index_once, drbg_app_data_index_init)) ++ return 0; ++ ++ for (i = 0; i < drbg_test_nelem; i++) { ++ if (test_kats(i) <= 0) ++ return 0; ++ } ++ ++ if (test_drbg_sanity(&kat1465) <= 0) ++ return 0; ++ ++ return 1; ++} +diff -up openssl-1.1.1g/include/crypto/rand.h.drbg-selftest openssl-1.1.1g/include/crypto/rand.h +--- openssl-1.1.1g/include/crypto/rand.h.drbg-selftest 2020-04-23 13:33:12.587622510 +0200 ++++ openssl-1.1.1g/include/crypto/rand.h 2020-04-23 13:33:12.619621907 +0200 +@@ -140,4 +140,9 @@ void rand_pool_cleanup(void); + */ + void rand_pool_keep_random_devices_open(int keep); + ++/* ++ * Perform the DRBG KAT selftests ++ */ ++int rand_drbg_selftest(void); ++ + #endif diff --git a/openssl-1.1.1-fips-post-rand.patch b/openssl-1.1.1-fips-post-rand.patch index fc60e33..027dc55 100644 --- a/openssl-1.1.1-fips-post-rand.patch +++ b/openssl-1.1.1-fips-post-rand.patch @@ -1,11 +1,11 @@ -diff -up openssl-1.1.1c/crypto/fips/fips.c.fips-post-rand openssl-1.1.1c/crypto/fips/fips.c ---- openssl-1.1.1c/crypto/fips/fips.c.fips-post-rand 2019-05-29 15:53:56.328216002 +0200 -+++ openssl-1.1.1c/crypto/fips/fips.c 2019-05-29 15:53:56.359215457 +0200 +diff -up openssl-1.1.1i/crypto/fips/fips.c.fips-post-rand openssl-1.1.1i/crypto/fips/fips.c +--- openssl-1.1.1i/crypto/fips/fips.c.fips-post-rand 2020-12-09 10:26:41.634106328 +0100 ++++ openssl-1.1.1i/crypto/fips/fips.c 2020-12-09 10:26:41.652106475 +0100 @@ -68,6 +68,7 @@ # include # include "internal/thread_once.h" -+# include "internal/rand_int.h" ++# include "crypto/rand.h" # ifndef PATH_MAX # define PATH_MAX 1024 @@ -46,41 +46,52 @@ diff -up openssl-1.1.1c/crypto/fips/fips.c.fips-post-rand openssl-1.1.1c/crypto/ + fips_set_mode(onoff); + /* force RNG reseed with entropy from getrandom() on next call */ -+ rand_fork(); ++ rand_force_reseed(); + ret = 1; goto end; } -diff -up openssl-1.1.1c/crypto/include/internal/fips_int.h.fips-post-rand openssl-1.1.1c/crypto/include/internal/fips_int.h ---- openssl-1.1.1c/crypto/include/internal/fips_int.h.fips-post-rand 2019-05-29 15:53:56.337215844 +0200 -+++ openssl-1.1.1c/crypto/include/internal/fips_int.h 2019-05-29 15:53:56.359215457 +0200 -@@ -77,6 +77,8 @@ int FIPS_selftest_hmac(void); - int FIPS_selftest_drbg(void); - int FIPS_selftest_cmac(void); +diff -up openssl-1.1.1i/crypto/rand/drbg_lib.c.fips-post-rand openssl-1.1.1i/crypto/rand/drbg_lib.c +--- openssl-1.1.1i/crypto/rand/drbg_lib.c.fips-post-rand 2020-12-08 14:20:59.000000000 +0100 ++++ openssl-1.1.1i/crypto/rand/drbg_lib.c 2020-12-09 10:26:41.652106475 +0100 +@@ -1005,6 +1005,20 @@ size_t rand_drbg_seedlen(RAND_DRBG *drbg + return min_entropy > min_entropylen ? min_entropy : min_entropylen; + } -+int fips_in_post(void); ++void rand_force_reseed(void) ++{ ++ RAND_DRBG *drbg; + - int fips_pkey_signature_test(EVP_PKEY *pkey, - const unsigned char *tbs, int tbslen, - const unsigned char *kat, -diff -up openssl-1.1.1c/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1c/crypto/rand/rand_unix.c ---- openssl-1.1.1c/crypto/rand/rand_unix.c.fips-post-rand 2019-05-28 15:12:21.000000000 +0200 -+++ openssl-1.1.1c/crypto/rand/rand_unix.c 2019-05-29 16:54:16.471391802 +0200 -@@ -16,10 +16,12 @@ - #include - #include "rand_lcl.h" - #include "internal/rand_int.h" -+#include "internal/fips_int.h" ++ drbg = RAND_DRBG_get0_master(); ++ drbg->fork_id = 0; ++ ++ drbg = RAND_DRBG_get0_private(); ++ drbg->fork_id = 0; ++ ++ drbg = RAND_DRBG_get0_public(); ++ drbg->fork_id = 0; ++} ++ + /* Implements the default OpenSSL RAND_add() method */ + static int drbg_add(const void *buf, int num, double randomness) + { +diff -up openssl-1.1.1i/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1i/crypto/rand/rand_unix.c +--- openssl-1.1.1i/crypto/rand/rand_unix.c.fips-post-rand 2020-12-08 14:20:59.000000000 +0100 ++++ openssl-1.1.1i/crypto/rand/rand_unix.c 2020-12-09 10:36:59.531221903 +0100 +@@ -17,10 +17,12 @@ + #include + #include "rand_local.h" + #include "crypto/rand.h" ++#include "crypto/fips.h" #include #include "internal/dso.h" - #if defined(__linux) --# include -+# include + #ifdef __linux + # include +# include - #endif - #if defined(__FreeBSD__) - # include -@@ -279,7 +281,7 @@ static ssize_t sysctl_random(char *buf, + # ifdef DEVRANDOM_WAIT + # include + # include +@@ -344,7 +346,7 @@ static ssize_t sysctl_random(char *buf, * syscall_random(): Try to get random data using a system call * returns the number of bytes returned in buf, or < 0 on error. */ @@ -89,15 +100,15 @@ diff -up openssl-1.1.1c/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1c/cr { /* * Note: 'buflen' equals the size of the buffer which is used by the -@@ -301,6 +303,7 @@ static ssize_t syscall_random(void *buf, - * - Linux since 3.17 with glibc 2.25 - * - FreeBSD since 12.0 (1200061) +@@ -369,6 +371,7 @@ static ssize_t syscall_random(void *buf, + * Note: Sometimes getentropy() can be provided but not implemented + * internally. So we need to check errno for ENOSYS */ +# if 0 # if defined(__GNUC__) && __GNUC__>=2 && defined(__ELF__) && !defined(__hpux) extern int getentropy(void *buffer, size_t length) __attribute__((weak)); -@@ -322,10 +325,10 @@ static ssize_t syscall_random(void *buf, +@@ -394,10 +397,10 @@ static ssize_t syscall_random(void *buf, if (p_getentropy.p != NULL) return p_getentropy.f(buf, buflen) == 0 ? (ssize_t)buflen : -1; # endif @@ -111,19 +122,17 @@ diff -up openssl-1.1.1c/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1c/cr # elif (defined(__FreeBSD__) || defined(__NetBSD__)) && defined(KERN_ARND) return sysctl_random(buf, buflen); # else -@@ -475,8 +478,10 @@ size_t rand_pool_acquire_entropy(RAND_PO - size_t bytes_needed; - size_t entropy_available = 0; - unsigned char *buffer; -- +@@ -633,6 +636,9 @@ size_t rand_pool_acquire_entropy(RAND_PO + size_t entropy_available; + # if defined(OPENSSL_RAND_SEED_GETRANDOM) + int in_post; + + for (in_post = fips_in_post(); in_post >= 0; --in_post) { { - ssize_t bytes; - /* Maximum allowed number of consecutive unsuccessful attempts */ -@@ -485,7 +490,7 @@ size_t rand_pool_acquire_entropy(RAND_PO + size_t bytes_needed; + unsigned char *buffer; +@@ -643,7 +649,7 @@ size_t rand_pool_acquire_entropy(RAND_PO bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/); while (bytes_needed != 0 && attempts-- > 0) { buffer = rand_pool_add_begin(pool, bytes_needed); @@ -132,7 +141,7 @@ diff -up openssl-1.1.1c/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1c/cr if (bytes > 0) { rand_pool_add_end(pool, bytes, 8 * bytes); bytes_needed -= bytes; -@@ -540,8 +545,10 @@ size_t rand_pool_acquire_entropy(RAND_PO +@@ -678,8 +684,10 @@ size_t rand_pool_acquire_entropy(RAND_PO int attempts = 3; const int fd = get_random_device(i); @@ -144,8 +153,8 @@ diff -up openssl-1.1.1c/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1c/cr while (bytes_needed != 0 && attempts-- > 0) { buffer = rand_pool_add_begin(pool, bytes_needed); -@@ -601,7 +608,9 @@ size_t rand_pool_acquire_entropy(RAND_PO - } +@@ -742,7 +750,9 @@ size_t rand_pool_acquire_entropy(RAND_PO + return entropy_available; } # endif - @@ -155,3 +164,26 @@ diff -up openssl-1.1.1c/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1c/cr return rand_pool_entropy_available(pool); # endif } +diff -up openssl-1.1.1i/include/crypto/fips.h.fips-post-rand openssl-1.1.1i/include/crypto/fips.h +--- openssl-1.1.1i/include/crypto/fips.h.fips-post-rand 2020-12-09 10:26:41.639106369 +0100 ++++ openssl-1.1.1i/include/crypto/fips.h 2020-12-09 10:26:41.657106516 +0100 +@@ -77,6 +77,8 @@ int FIPS_selftest_hmac(void); + int FIPS_selftest_drbg(void); + int FIPS_selftest_cmac(void); + ++int fips_in_post(void); ++ + int fips_pkey_signature_test(EVP_PKEY *pkey, + const unsigned char *tbs, int tbslen, + const unsigned char *kat, +diff -up openssl-1.1.1i/include/crypto/rand.h.fips-post-rand openssl-1.1.1i/include/crypto/rand.h +--- openssl-1.1.1i/include/crypto/rand.h.fips-post-rand 2020-12-08 14:20:59.000000000 +0100 ++++ openssl-1.1.1i/include/crypto/rand.h 2020-12-09 10:26:41.657106516 +0100 +@@ -24,6 +24,7 @@ + typedef struct rand_pool_st RAND_POOL; + + void rand_cleanup_int(void); ++void rand_force_reseed(void); + void rand_drbg_cleanup_int(void); + void drbg_delete_thread_state(void); + diff --git a/openssl-1.1.1-fips.patch b/openssl-1.1.1-fips.patch index 3ff5aa4..aa3d33d 100644 --- a/openssl-1.1.1-fips.patch +++ b/openssl-1.1.1-fips.patch @@ -1,19 +1,19 @@ -diff -up openssl-1.1.1b/apps/pkcs12.c.fips openssl-1.1.1b/apps/pkcs12.c ---- openssl-1.1.1b/apps/pkcs12.c.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/apps/pkcs12.c 2019-05-24 12:08:40.524523735 +0200 -@@ -126,7 +126,7 @@ int pkcs12_main(int argc, char **argv) +diff -up openssl-1.1.1j/apps/pkcs12.c.fips openssl-1.1.1j/apps/pkcs12.c +--- openssl-1.1.1j/apps/pkcs12.c.fips 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/apps/pkcs12.c 2021-03-03 12:57:42.194734484 +0100 +@@ -123,7 +123,7 @@ int pkcs12_main(int argc, char **argv) int export_cert = 0, options = 0, chain = 0, twopass = 0, keytype = 0; int iter = PKCS12_DEFAULT_ITER, maciter = PKCS12_DEFAULT_ITER; - # ifndef OPENSSL_NO_RC2 + #ifndef OPENSSL_NO_RC2 - int cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC; + int cert_pbe = FIPS_mode() ? NID_pbe_WithSHA1And3_Key_TripleDES_CBC : NID_pbe_WithSHA1And40BitRC2_CBC; - # else + #else int cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; - # endif -diff -up openssl-1.1.1b/apps/speed.c.fips openssl-1.1.1b/apps/speed.c ---- openssl-1.1.1b/apps/speed.c.fips 2019-05-07 11:52:35.887597899 +0200 -+++ openssl-1.1.1b/apps/speed.c 2019-05-07 16:51:36.946350159 +0200 -@@ -1592,7 +1592,8 @@ int speed_main(int argc, char **argv) + #endif +diff -up openssl-1.1.1j/apps/speed.c.fips openssl-1.1.1j/apps/speed.c +--- openssl-1.1.1j/apps/speed.c.fips 2021-03-03 12:57:42.185734409 +0100 ++++ openssl-1.1.1j/apps/speed.c 2021-03-03 12:57:42.195734492 +0100 +@@ -1593,7 +1593,8 @@ int speed_main(int argc, char **argv) continue; if (strcmp(*argv, "rsa") == 0) { for (loop = 0; loop < OSSL_NELEM(rsa_doit); loop++) @@ -23,7 +23,7 @@ diff -up openssl-1.1.1b/apps/speed.c.fips openssl-1.1.1b/apps/speed.c continue; } if (found(*argv, rsa_choices, &i)) { -@@ -1602,7 +1603,9 @@ int speed_main(int argc, char **argv) +@@ -1603,7 +1604,9 @@ int speed_main(int argc, char **argv) #endif #ifndef OPENSSL_NO_DSA if (strcmp(*argv, "dsa") == 0) { @@ -34,7 +34,7 @@ diff -up openssl-1.1.1b/apps/speed.c.fips openssl-1.1.1b/apps/speed.c dsa_doit[R_DSA_2048] = 1; continue; } -@@ -1633,19 +1636,21 @@ int speed_main(int argc, char **argv) +@@ -1634,19 +1637,21 @@ int speed_main(int argc, char **argv) } if (strcmp(*argv, "ecdh") == 0) { for (loop = 0; loop < OSSL_NELEM(ecdh_doit); loop++) @@ -60,7 +60,7 @@ diff -up openssl-1.1.1b/apps/speed.c.fips openssl-1.1.1b/apps/speed.c eddsa_doit[i] = 2; continue; } -@@ -1734,23 +1739,30 @@ int speed_main(int argc, char **argv) +@@ -1735,23 +1740,31 @@ int speed_main(int argc, char **argv) /* No parameters; turn on everything. */ if ((argc == 0) && !doit[D_EVP]) { for (i = 0; i < ALGOR_NUM; i++) @@ -87,16 +87,18 @@ diff -up openssl-1.1.1b/apps/speed.c.fips openssl-1.1.1b/apps/speed.c for (loop = 0; loop < OSSL_NELEM(ecdsa_doit); loop++) ecdsa_doit[loop] = 1; for (loop = 0; loop < OSSL_NELEM(ecdh_doit); loop++) - ecdh_doit[loop] = 1; +- ecdh_doit[loop] = 1; - for (loop = 0; loop < OSSL_NELEM(eddsa_doit); loop++) - eddsa_doit[loop] = 1; ++ if(!FIPS_mode() || (loop != R_EC_X25519 && loop != R_EC_X448)) ++ ecdh_doit[loop] = 1; + if (!FIPS_mode()) + for (loop = 0; loop < OSSL_NELEM(eddsa_doit); loop++) + eddsa_doit[loop] = 1; #endif } for (i = 0; i < ALGOR_NUM; i++) -@@ -1798,30 +1810,46 @@ int speed_main(int argc, char **argv) +@@ -1799,30 +1812,46 @@ int speed_main(int argc, char **argv) AES_set_encrypt_key(key24, 192, &aes_ks2); AES_set_encrypt_key(key32, 256, &aes_ks3); #ifndef OPENSSL_NO_CAMELLIA @@ -153,7 +155,7 @@ diff -up openssl-1.1.1b/apps/speed.c.fips openssl-1.1.1b/apps/speed.c #endif #ifndef SIGALRM # ifndef OPENSSL_NO_DES -@@ -2118,6 +2146,7 @@ int speed_main(int argc, char **argv) +@@ -2120,6 +2149,7 @@ int speed_main(int argc, char **argv) for (i = 0; i < loopargs_len; i++) { loopargs[i].hctx = HMAC_CTX_new(); @@ -161,10 +163,10 @@ diff -up openssl-1.1.1b/apps/speed.c.fips openssl-1.1.1b/apps/speed.c if (loopargs[i].hctx == NULL) { BIO_printf(bio_err, "HMAC malloc failure, exiting..."); exit(1); -diff -up openssl-1.1.1b/Configure.fips openssl-1.1.1b/Configure ---- openssl-1.1.1b/Configure.fips 2019-02-28 11:30:06.775746246 +0100 -+++ openssl-1.1.1b/Configure 2019-02-28 11:30:06.779746172 +0100 -@@ -313,7 +313,7 @@ $config{sdirs} = [ +diff -up openssl-1.1.1j/Configure.fips openssl-1.1.1j/Configure +--- openssl-1.1.1j/Configure.fips 2021-03-03 12:57:42.192734467 +0100 ++++ openssl-1.1.1j/Configure 2021-03-03 12:57:42.195734492 +0100 +@@ -329,7 +329,7 @@ $config{sdirs} = [ "md2", "md4", "md5", "sha", "mdc2", "hmac", "ripemd", "whrlpool", "poly1305", "blake2", "siphash", "sm3", "des", "aes", "rc2", "rc4", "rc5", "idea", "aria", "bf", "cast", "camellia", "seed", "sm4", "chacha", "modes", "bn", "ec", "rsa", "dsa", "dh", "sm2", "dso", "engine", @@ -173,9 +175,9 @@ diff -up openssl-1.1.1b/Configure.fips openssl-1.1.1b/Configure "evp", "asn1", "pem", "x509", "x509v3", "conf", "txt_db", "pkcs7", "pkcs12", "comp", "ocsp", "ui", "cms", "ts", "srp", "cmac", "ct", "async", "kdf", "store" ]; -diff -up openssl-1.1.1b/crypto/cmac/cm_pmeth.c.fips openssl-1.1.1b/crypto/cmac/cm_pmeth.c ---- openssl-1.1.1b/crypto/cmac/cm_pmeth.c.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/cmac/cm_pmeth.c 2019-05-06 14:55:32.866749109 +0200 +diff -up openssl-1.1.1j/crypto/cmac/cm_pmeth.c.fips openssl-1.1.1j/crypto/cmac/cm_pmeth.c +--- openssl-1.1.1j/crypto/cmac/cm_pmeth.c.fips 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/crypto/cmac/cm_pmeth.c 2021-03-03 12:57:42.195734492 +0100 @@ -129,7 +129,7 @@ static int pkey_cmac_ctrl_str(EVP_PKEY_C const EVP_PKEY_METHOD cmac_pkey_meth = { @@ -185,9 +187,9 @@ diff -up openssl-1.1.1b/crypto/cmac/cm_pmeth.c.fips openssl-1.1.1b/crypto/cmac/c pkey_cmac_init, pkey_cmac_copy, pkey_cmac_cleanup, -diff -up openssl-1.1.1b/crypto/dh/dh_err.c.fips openssl-1.1.1b/crypto/dh/dh_err.c ---- openssl-1.1.1b/crypto/dh/dh_err.c.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/dh/dh_err.c 2019-02-28 11:30:06.779746172 +0100 +diff -up openssl-1.1.1j/crypto/dh/dh_err.c.fips openssl-1.1.1j/crypto/dh/dh_err.c +--- openssl-1.1.1j/crypto/dh/dh_err.c.fips 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/crypto/dh/dh_err.c 2021-03-03 12:57:42.195734492 +0100 @@ -25,6 +25,9 @@ static const ERR_STRING_DATA DH_str_func {ERR_PACK(ERR_LIB_DH, DH_F_DH_CMS_SET_PEERKEY, 0), "dh_cms_set_peerkey"}, {ERR_PACK(ERR_LIB_DH, DH_F_DH_CMS_SET_SHARED_INFO, 0), @@ -213,13 +215,13 @@ diff -up openssl-1.1.1b/crypto/dh/dh_err.c.fips openssl-1.1.1b/crypto/dh/dh_err. {ERR_PACK(ERR_LIB_DH, 0, DH_R_PARAMETER_ENCODING_ERROR), "parameter encoding error"}, {ERR_PACK(ERR_LIB_DH, 0, DH_R_PEER_KEY_ERROR), "peer key error"}, -diff -up openssl-1.1.1b/crypto/dh/dh_gen.c.fips openssl-1.1.1b/crypto/dh/dh_gen.c ---- openssl-1.1.1b/crypto/dh/dh_gen.c.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/dh/dh_gen.c 2019-02-28 11:30:06.780746153 +0100 +diff -up openssl-1.1.1j/crypto/dh/dh_gen.c.fips openssl-1.1.1j/crypto/dh/dh_gen.c +--- openssl-1.1.1j/crypto/dh/dh_gen.c.fips 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/crypto/dh/dh_gen.c 2021-03-03 12:57:42.195734492 +0100 @@ -16,6 +16,9 @@ #include "internal/cryptlib.h" #include - #include "dh_locl.h" + #include "dh_local.h" +#ifdef OPENSSL_FIPS +# include +#endif @@ -240,7 +242,7 @@ diff -up openssl-1.1.1b/crypto/dh/dh_gen.c.fips openssl-1.1.1b/crypto/dh/dh_gen. if (ret->meth->generate_params) return ret->meth->generate_params(ret, prime_len, generator, cb); return dh_builtin_genparams(ret, prime_len, generator, cb); -@@ -62,6 +72,18 @@ static int dh_builtin_genparams(DH *ret, +@@ -65,6 +75,18 @@ static int dh_builtin_genparams(DH *ret, int g, ok = -1; BN_CTX *ctx = NULL; @@ -259,35 +261,23 @@ diff -up openssl-1.1.1b/crypto/dh/dh_gen.c.fips openssl-1.1.1b/crypto/dh/dh_gen. ctx = BN_CTX_new(); if (ctx == NULL) goto err; -diff -up openssl-1.1.1b/crypto/dh/dh_key.c.fips openssl-1.1.1b/crypto/dh/dh_key.c ---- openssl-1.1.1b/crypto/dh/dh_key.c.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/dh/dh_key.c 2019-02-28 11:30:06.780746153 +0100 +diff -up openssl-1.1.1j/crypto/dh/dh_key.c.fips openssl-1.1.1j/crypto/dh/dh_key.c +--- openssl-1.1.1j/crypto/dh/dh_key.c.fips 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/crypto/dh/dh_key.c 2021-03-03 13:02:45.963247596 +0100 @@ -11,6 +11,9 @@ #include "internal/cryptlib.h" - #include "dh_locl.h" - #include "internal/bn_int.h" + #include "dh_local.h" + #include "crypto/bn.h" +#ifdef OPENSSL_FIPS +# include +#endif static int generate_key(DH *dh); static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh); -@@ -22,18 +25,32 @@ static int dh_finish(DH *dh); +@@ -34,6 +37,13 @@ int DH_compute_key(unsigned char *key, c + int ret = 0, i; + volatile size_t npad = 0, mask = 1; - int DH_generate_key(DH *dh) - { -+#ifdef OPENSSL_FIPS -+ if (FIPS_mode() && !(dh->meth->flags & DH_FLAG_FIPS_METHOD) -+ && !(dh->flags & DH_FLAG_NON_FIPS_ALLOW)) { -+ DHerr(DH_F_DH_GENERATE_KEY, DH_R_NON_FIPS_METHOD); -+ return 0; -+ } -+#endif - return dh->meth->generate_key(dh); - } - - int DH_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) - { +#ifdef OPENSSL_FIPS + if (FIPS_mode() && !(dh->meth->flags & DH_FLAG_FIPS_METHOD) + && !(dh->flags & DH_FLAG_NON_FIPS_ALLOW)) { @@ -295,18 +285,10 @@ diff -up openssl-1.1.1b/crypto/dh/dh_key.c.fips openssl-1.1.1b/crypto/dh/dh_key. + return 0; + } +#endif - return dh->meth->compute_key(key, pub_key, dh); - } - - int DH_compute_key_padded(unsigned char *key, const BIGNUM *pub_key, DH *dh) - { - int rv, pad; -- rv = dh->meth->compute_key(key, pub_key, dh); -+ rv = DH_compute_key(key, pub_key, dh); - if (rv <= 0) - return rv; - pad = BN_num_bytes(dh->p) - rv; -@@ -82,6 +99,14 @@ static int generate_key(DH *dh) + /* compute the key; ret is constant unless compute_key is external */ + if ((ret = dh->meth->compute_key(key, pub_key, dh)) <= 0) + return ret; +@@ -109,6 +119,14 @@ static int generate_key(DH *dh) BN_MONT_CTX *mont = NULL; BIGNUM *pub_key = NULL, *priv_key = NULL; @@ -321,7 +303,7 @@ diff -up openssl-1.1.1b/crypto/dh/dh_key.c.fips openssl-1.1.1b/crypto/dh/dh_key. if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) { DHerr(DH_F_GENERATE_KEY, DH_R_MODULUS_TOO_LARGE); return 0; -@@ -170,6 +195,13 @@ static int compute_key(unsigned char *ke +@@ -206,6 +224,13 @@ static int compute_key(unsigned char *ke DHerr(DH_F_COMPUTE_KEY, DH_R_MODULUS_TOO_LARGE); goto err; } @@ -335,7 +317,7 @@ diff -up openssl-1.1.1b/crypto/dh/dh_key.c.fips openssl-1.1.1b/crypto/dh/dh_key. ctx = BN_CTX_new(); if (ctx == NULL) -@@ -221,6 +253,9 @@ static int dh_bn_mod_exp(const DH *dh, B +@@ -255,6 +280,9 @@ static int dh_bn_mod_exp(const DH *dh, B static int dh_init(DH *dh) { @@ -345,9 +327,9 @@ diff -up openssl-1.1.1b/crypto/dh/dh_key.c.fips openssl-1.1.1b/crypto/dh/dh_key. dh->flags |= DH_FLAG_CACHE_MONT_P; return 1; } -diff -up openssl-1.1.1b/crypto/dh/dh_pmeth.c.fips openssl-1.1.1b/crypto/dh/dh_pmeth.c ---- openssl-1.1.1b/crypto/dh/dh_pmeth.c.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/dh/dh_pmeth.c 2019-05-06 14:57:29.184723430 +0200 +diff -up openssl-1.1.1j/crypto/dh/dh_pmeth.c.fips openssl-1.1.1j/crypto/dh/dh_pmeth.c +--- openssl-1.1.1j/crypto/dh/dh_pmeth.c.fips 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/crypto/dh/dh_pmeth.c 2021-03-03 12:57:42.196734500 +0100 @@ -480,7 +480,7 @@ static int pkey_dh_derive(EVP_PKEY_CTX * const EVP_PKEY_METHOD dh_pkey_meth = { @@ -366,9 +348,9 @@ diff -up openssl-1.1.1b/crypto/dh/dh_pmeth.c.fips openssl-1.1.1b/crypto/dh/dh_pm pkey_dh_init, pkey_dh_copy, pkey_dh_cleanup, -diff -up openssl-1.1.1b/crypto/dsa/dsa_err.c.fips openssl-1.1.1b/crypto/dsa/dsa_err.c ---- openssl-1.1.1b/crypto/dsa/dsa_err.c.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/dsa/dsa_err.c 2019-02-28 11:30:06.798745819 +0100 +diff -up openssl-1.1.1j/crypto/dsa/dsa_err.c.fips openssl-1.1.1j/crypto/dsa/dsa_err.c +--- openssl-1.1.1j/crypto/dsa/dsa_err.c.fips 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/crypto/dsa/dsa_err.c 2021-03-03 12:57:42.196734500 +0100 @@ -16,12 +16,15 @@ static const ERR_STRING_DATA DSA_str_functs[] = { {ERR_PACK(ERR_LIB_DSA, DSA_F_DSAPARAMS_PRINT, 0), "DSAparams_print"}, @@ -385,26 +367,28 @@ diff -up openssl-1.1.1b/crypto/dsa/dsa_err.c.fips openssl-1.1.1b/crypto/dsa/dsa_ {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_METH_DUP, 0), "DSA_meth_dup"}, {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_METH_NEW, 0), "DSA_meth_new"}, {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_METH_SET1_NAME, 0), "DSA_meth_set1_name"}, -@@ -51,9 +54,12 @@ static const ERR_STRING_DATA DSA_str_rea +@@ -51,11 +54,14 @@ static const ERR_STRING_DATA DSA_str_rea {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_INVALID_DIGEST_TYPE), "invalid digest type"}, {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_INVALID_PARAMETERS), "invalid parameters"}, + {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_KEY_SIZE_INVALID), "key size invalid"}, + {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_KEY_SIZE_TOO_SMALL), "key size too small"}, {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_MISSING_PARAMETERS), "missing parameters"}, + {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_MISSING_PRIVATE_KEY), + "missing private key"}, {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_MODULUS_TOO_LARGE), "modulus too large"}, {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_NO_PARAMETERS_SET), "no parameters set"}, + {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_NON_FIPS_DSA_METHOD), "non FIPS DSA method"}, {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_PARAMETER_ENCODING_ERROR), "parameter encoding error"}, {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_Q_NOT_PRIME), "q not prime"}, -diff -up openssl-1.1.1b/crypto/dsa/dsa_gen.c.fips openssl-1.1.1b/crypto/dsa/dsa_gen.c ---- openssl-1.1.1b/crypto/dsa/dsa_gen.c.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/dsa/dsa_gen.c 2019-02-28 11:30:06.799745800 +0100 +diff -up openssl-1.1.1j/crypto/dsa/dsa_gen.c.fips openssl-1.1.1j/crypto/dsa/dsa_gen.c +--- openssl-1.1.1j/crypto/dsa/dsa_gen.c.fips 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/crypto/dsa/dsa_gen.c 2021-03-03 12:57:42.196734500 +0100 @@ -22,12 +22,22 @@ #include #include - #include "dsa_locl.h" + #include "dsa_local.h" +#ifdef OPENSSL_FIPS +# include +#endif @@ -440,7 +424,7 @@ diff -up openssl-1.1.1b/crypto/dsa/dsa_gen.c.fips openssl-1.1.1b/crypto/dsa/dsa_ } } -@@ -310,7 +326,7 @@ int dsa_builtin_paramgen2(DSA *ret, size +@@ -309,7 +325,7 @@ int dsa_builtin_paramgen2(DSA *ret, size int *counter_ret, unsigned long *h_ret, BN_GENCB *cb) { @@ -449,7 +433,7 @@ diff -up openssl-1.1.1b/crypto/dsa/dsa_gen.c.fips openssl-1.1.1b/crypto/dsa/dsa_ unsigned char *seed = NULL, *seed_tmp = NULL; unsigned char md[EVP_MAX_MD_SIZE]; int mdsize; -@@ -333,6 +349,20 @@ int dsa_builtin_paramgen2(DSA *ret, size +@@ -332,6 +348,20 @@ int dsa_builtin_paramgen2(DSA *ret, size goto err; } @@ -459,7 +443,7 @@ diff -up openssl-1.1.1b/crypto/dsa/dsa_gen.c.fips openssl-1.1.1b/crypto/dsa/dsa_ + goto err; + } + -+ if (FIPS_mode() && (L != 1024 || N != 160) && ++ if (FIPS_mode() && + (L != 2048 || N != 224) && (L != 2048 || N != 256) && + (L != 3072 || N != 256)) { + DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN2, DSA_R_KEY_SIZE_INVALID); @@ -470,7 +454,7 @@ diff -up openssl-1.1.1b/crypto/dsa/dsa_gen.c.fips openssl-1.1.1b/crypto/dsa/dsa_ if (evpmd == NULL) { if (N == 160) evpmd = EVP_sha1(); -@@ -433,9 +463,10 @@ int dsa_builtin_paramgen2(DSA *ret, size +@@ -432,9 +462,10 @@ int dsa_builtin_paramgen2(DSA *ret, size goto err; /* Provided seed didn't produce a prime: error */ if (seed_in) { @@ -484,7 +468,7 @@ diff -up openssl-1.1.1b/crypto/dsa/dsa_gen.c.fips openssl-1.1.1b/crypto/dsa/dsa_ } /* do a callback call */ -@@ -521,11 +552,14 @@ int dsa_builtin_paramgen2(DSA *ret, size +@@ -520,11 +551,14 @@ int dsa_builtin_paramgen2(DSA *ret, size if (counter >= (int)(4 * L)) break; } @@ -499,7 +483,7 @@ diff -up openssl-1.1.1b/crypto/dsa/dsa_gen.c.fips openssl-1.1.1b/crypto/dsa/dsa_ } end: if (!BN_GENCB_call(cb, 2, 1)) -@@ -596,7 +630,7 @@ int dsa_builtin_paramgen2(DSA *ret, size +@@ -595,7 +629,7 @@ int dsa_builtin_paramgen2(DSA *ret, size BN_free(ret->g); ret->g = BN_dup(g); if (ret->p == NULL || ret->q == NULL || ret->g == NULL) { @@ -508,7 +492,7 @@ diff -up openssl-1.1.1b/crypto/dsa/dsa_gen.c.fips openssl-1.1.1b/crypto/dsa/dsa_ goto err; } if (counter_ret != NULL) -@@ -614,3 +648,53 @@ int dsa_builtin_paramgen2(DSA *ret, size +@@ -612,3 +646,53 @@ int dsa_builtin_paramgen2(DSA *ret, size EVP_MD_CTX_free(mctx); return ok; } @@ -562,16 +546,16 @@ diff -up openssl-1.1.1b/crypto/dsa/dsa_gen.c.fips openssl-1.1.1b/crypto/dsa/dsa_ +} + +#endif -diff -up openssl-1.1.1b/crypto/dsa/dsa_key.c.fips openssl-1.1.1b/crypto/dsa/dsa_key.c ---- openssl-1.1.1b/crypto/dsa/dsa_key.c.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/dsa/dsa_key.c 2019-02-28 11:30:06.799745800 +0100 +diff -up openssl-1.1.1j/crypto/dsa/dsa_key.c.fips openssl-1.1.1j/crypto/dsa/dsa_key.c +--- openssl-1.1.1j/crypto/dsa/dsa_key.c.fips 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/crypto/dsa/dsa_key.c 2021-03-03 12:57:42.196734500 +0100 @@ -13,10 +13,49 @@ #include - #include "dsa_locl.h" + #include "dsa_local.h" +#ifdef OPENSSL_FIPS +# include -+# include "internal/fips_int.h" ++# include "crypto/fips.h" + +static int fips_check_dsa(DSA *dsa) +{ @@ -644,12 +628,12 @@ diff -up openssl-1.1.1b/crypto/dsa/dsa_key.c.fips openssl-1.1.1b/crypto/dsa/dsa_ ok = 1; err: -diff -up openssl-1.1.1b/crypto/dsa/dsa_ossl.c.fips openssl-1.1.1b/crypto/dsa/dsa_ossl.c ---- openssl-1.1.1b/crypto/dsa/dsa_ossl.c.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/dsa/dsa_ossl.c 2019-02-28 11:30:06.800745781 +0100 +diff -up openssl-1.1.1j/crypto/dsa/dsa_ossl.c.fips openssl-1.1.1j/crypto/dsa/dsa_ossl.c +--- openssl-1.1.1j/crypto/dsa/dsa_ossl.c.fips 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/crypto/dsa/dsa_ossl.c 2021-03-03 12:57:42.196734500 +0100 @@ -14,6 +14,9 @@ #include - #include "dsa_locl.h" + #include "dsa_local.h" #include +#ifdef OPENSSL_FIPS +# include @@ -657,7 +641,7 @@ diff -up openssl-1.1.1b/crypto/dsa/dsa_ossl.c.fips openssl-1.1.1b/crypto/dsa/dsa static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa); static int dsa_sign_setup_no_digest(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, -@@ -73,6 +76,19 @@ static DSA_SIG *dsa_do_sign(const unsign +@@ -77,6 +80,19 @@ static DSA_SIG *dsa_do_sign(const unsign goto err; } @@ -677,7 +661,7 @@ diff -up openssl-1.1.1b/crypto/dsa/dsa_ossl.c.fips openssl-1.1.1b/crypto/dsa/dsa ret = DSA_SIG_new(); if (ret == NULL) goto err; -@@ -301,6 +317,18 @@ static int dsa_do_verify(const unsigned +@@ -315,6 +331,18 @@ static int dsa_do_verify(const unsigned DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_BAD_Q_VALUE); return -1; } @@ -696,7 +680,7 @@ diff -up openssl-1.1.1b/crypto/dsa/dsa_ossl.c.fips openssl-1.1.1b/crypto/dsa/dsa if (BN_num_bits(dsa->p) > OPENSSL_DSA_MAX_MODULUS_BITS) { DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_MODULUS_TOO_LARGE); -@@ -389,6 +417,9 @@ static int dsa_do_verify(const unsigned +@@ -403,6 +431,9 @@ static int dsa_do_verify(const unsigned static int dsa_init(DSA *dsa) { @@ -706,9 +690,9 @@ diff -up openssl-1.1.1b/crypto/dsa/dsa_ossl.c.fips openssl-1.1.1b/crypto/dsa/dsa dsa->flags |= DSA_FLAG_CACHE_MONT_P; return 1; } -diff -up openssl-1.1.1b/crypto/dsa/dsa_pmeth.c.fips openssl-1.1.1b/crypto/dsa/dsa_pmeth.c ---- openssl-1.1.1b/crypto/dsa/dsa_pmeth.c.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/dsa/dsa_pmeth.c 2019-02-28 11:30:06.800745781 +0100 +diff -up openssl-1.1.1j/crypto/dsa/dsa_pmeth.c.fips openssl-1.1.1j/crypto/dsa/dsa_pmeth.c +--- openssl-1.1.1j/crypto/dsa/dsa_pmeth.c.fips 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/crypto/dsa/dsa_pmeth.c 2021-03-03 12:57:42.196734500 +0100 @@ -211,8 +211,8 @@ static int pkey_dsa_paramgen(EVP_PKEY_CT BN_GENCB_free(pcb); return 0; @@ -729,12 +713,12 @@ diff -up openssl-1.1.1b/crypto/dsa/dsa_pmeth.c.fips openssl-1.1.1b/crypto/dsa/ds pkey_dsa_init, pkey_dsa_copy, pkey_dsa_cleanup, -diff -up openssl-1.1.1b/crypto/ec/ecdh_ossl.c.fips openssl-1.1.1b/crypto/ec/ecdh_ossl.c ---- openssl-1.1.1b/crypto/ec/ecdh_ossl.c.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/ec/ecdh_ossl.c 2019-02-28 11:30:06.801745763 +0100 +diff -up openssl-1.1.1j/crypto/ec/ecdh_ossl.c.fips openssl-1.1.1j/crypto/ec/ecdh_ossl.c +--- openssl-1.1.1j/crypto/ec/ecdh_ossl.c.fips 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/crypto/ec/ecdh_ossl.c 2021-03-03 12:57:42.196734500 +0100 @@ -19,9 +19,20 @@ #include - #include "ec_lcl.h" + #include "ec_local.h" +#ifdef OPENSSL_FIPS +# include @@ -753,12 +737,12 @@ diff -up openssl-1.1.1b/crypto/ec/ecdh_ossl.c.fips openssl-1.1.1b/crypto/ec/ecdh if (ecdh->group->meth->ecdh_compute_key == NULL) { ECerr(EC_F_OSSL_ECDH_COMPUTE_KEY, EC_R_CURVE_DOES_NOT_SUPPORT_ECDH); return 0; -diff -up openssl-1.1.1b/crypto/ec/ecdsa_ossl.c.fips openssl-1.1.1b/crypto/ec/ecdsa_ossl.c ---- openssl-1.1.1b/crypto/ec/ecdsa_ossl.c.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/ec/ecdsa_ossl.c 2019-02-28 11:30:06.801745763 +0100 +diff -up openssl-1.1.1j/crypto/ec/ecdsa_ossl.c.fips openssl-1.1.1j/crypto/ec/ecdsa_ossl.c +--- openssl-1.1.1j/crypto/ec/ecdsa_ossl.c.fips 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/crypto/ec/ecdsa_ossl.c 2021-03-03 12:57:42.196734500 +0100 @@ -14,6 +14,10 @@ - #include "internal/bn_int.h" - #include "ec_lcl.h" + #include "crypto/bn.h" + #include "ec_local.h" +#ifdef OPENSSL_FIPS +# include @@ -767,7 +751,7 @@ diff -up openssl-1.1.1b/crypto/ec/ecdsa_ossl.c.fips openssl-1.1.1b/crypto/ec/ecd int ossl_ecdsa_sign(int type, const unsigned char *dgst, int dlen, unsigned char *sig, unsigned int *siglen, const BIGNUM *kinv, const BIGNUM *r, EC_KEY *eckey) -@@ -159,6 +163,13 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const uns +@@ -163,6 +167,13 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const uns ECDSA_SIG *ret; const BIGNUM *priv_key; @@ -781,7 +765,7 @@ diff -up openssl-1.1.1b/crypto/ec/ecdsa_ossl.c.fips openssl-1.1.1b/crypto/ec/ecd group = EC_KEY_get0_group(eckey); priv_key = EC_KEY_get0_private_key(eckey); -@@ -317,6 +328,13 @@ int ossl_ecdsa_verify_sig(const unsigned +@@ -325,6 +336,13 @@ int ossl_ecdsa_verify_sig(const unsigned const EC_GROUP *group; const EC_POINT *pub_key; @@ -795,17 +779,17 @@ diff -up openssl-1.1.1b/crypto/ec/ecdsa_ossl.c.fips openssl-1.1.1b/crypto/ec/ecd /* check input values */ if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL || (pub_key = EC_KEY_get0_public_key(eckey)) == NULL || sig == NULL) { -diff -up openssl-1.1.1b/crypto/ec/ec_key.c.fips openssl-1.1.1b/crypto/ec/ec_key.c ---- openssl-1.1.1b/crypto/ec/ec_key.c.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/ec/ec_key.c 2019-02-28 11:30:06.802745744 +0100 -@@ -178,14 +178,62 @@ ENGINE *EC_KEY_get0_engine(const EC_KEY +diff -up openssl-1.1.1j/crypto/ec/ec_key.c.fips openssl-1.1.1j/crypto/ec/ec_key.c +--- openssl-1.1.1j/crypto/ec/ec_key.c.fips 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/crypto/ec/ec_key.c 2021-03-03 12:57:42.196734500 +0100 +@@ -179,14 +179,62 @@ ENGINE *EC_KEY_get0_engine(const EC_KEY return eckey->engine; } +#ifdef OPENSSL_FIPS + +# include -+# include "internal/fips_int.h" ++# include "crypto/fips.h" + +static int fips_check_ec(EC_KEY *key) +{ @@ -863,10 +847,10 @@ diff -up openssl-1.1.1b/crypto/ec/ec_key.c.fips openssl-1.1.1b/crypto/ec/ec_key. ECerr(EC_F_EC_KEY_GENERATE_KEY, EC_R_OPERATION_NOT_SUPPORTED); return 0; } -diff -up openssl-1.1.1b/crypto/ec/ec_pmeth.c.fips openssl-1.1.1b/crypto/ec/ec_pmeth.c ---- openssl-1.1.1b/crypto/ec/ec_pmeth.c.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/ec/ec_pmeth.c 2019-05-06 14:47:34.651077251 +0200 -@@ -434,7 +434,7 @@ static int pkey_ec_keygen(EVP_PKEY_CTX * +diff -up openssl-1.1.1j/crypto/ec/ec_pmeth.c.fips openssl-1.1.1j/crypto/ec/ec_pmeth.c +--- openssl-1.1.1j/crypto/ec/ec_pmeth.c.fips 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/crypto/ec/ec_pmeth.c 2021-03-03 12:57:42.197734509 +0100 +@@ -438,7 +438,7 @@ static int pkey_ec_keygen(EVP_PKEY_CTX * const EVP_PKEY_METHOD ec_pkey_meth = { EVP_PKEY_EC, @@ -875,135 +859,13 @@ diff -up openssl-1.1.1b/crypto/ec/ec_pmeth.c.fips openssl-1.1.1b/crypto/ec/ec_pm pkey_ec_init, pkey_ec_copy, pkey_ec_cleanup, -diff -up openssl-1.1.1b/crypto/evp/c_allc.c.fips openssl-1.1.1b/crypto/evp/c_allc.c ---- openssl-1.1.1b/crypto/evp/c_allc.c.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/evp/c_allc.c 2019-02-28 11:30:06.802745744 +0100 -@@ -17,6 +17,9 @@ - void openssl_add_all_ciphers_int(void) - { - -+#ifdef OPENSSL_FIPS -+ if (!FIPS_mode()) { -+#endif - #ifndef OPENSSL_NO_DES - EVP_add_cipher(EVP_des_cfb()); - EVP_add_cipher(EVP_des_cfb1()); -@@ -263,4 +266,70 @@ void openssl_add_all_ciphers_int(void) - EVP_add_cipher(EVP_chacha20_poly1305()); - # endif - #endif -+#ifdef OPENSSL_FIPS -+ } else { -+# ifndef OPENSSL_NO_DES -+ EVP_add_cipher(EVP_des_ede3_cfb()); -+ -+ EVP_add_cipher(EVP_des_ede3_ofb()); -+ -+ EVP_add_cipher(EVP_des_ede3_cbc()); -+ EVP_add_cipher_alias(SN_des_ede3_cbc, "DES3"); -+ EVP_add_cipher_alias(SN_des_ede3_cbc, "des3"); -+ -+ EVP_add_cipher(EVP_des_ede3()); -+ EVP_add_cipher_alias(SN_des_ede3_ecb, "DES-EDE3-ECB"); -+ EVP_add_cipher_alias(SN_des_ede3_ecb, "des-ede3-ecb"); -+ EVP_add_cipher(EVP_des_ede3_wrap()); -+ EVP_add_cipher_alias(SN_id_smime_alg_CMS3DESwrap, "des3-wrap"); -+# endif -+ -+# ifndef OPENSSL_NO_AES -+ EVP_add_cipher(EVP_aes_128_ecb()); -+ EVP_add_cipher(EVP_aes_128_cbc()); -+ EVP_add_cipher(EVP_aes_128_cfb()); -+ EVP_add_cipher(EVP_aes_128_cfb1()); -+ EVP_add_cipher(EVP_aes_128_cfb8()); -+ EVP_add_cipher(EVP_aes_128_ofb()); -+ EVP_add_cipher(EVP_aes_128_ctr()); -+ EVP_add_cipher(EVP_aes_128_gcm()); -+ EVP_add_cipher(EVP_aes_128_xts()); -+ EVP_add_cipher(EVP_aes_128_ccm()); -+ EVP_add_cipher(EVP_aes_128_wrap()); -+ EVP_add_cipher_alias(SN_id_aes128_wrap, "aes128-wrap"); -+ EVP_add_cipher(EVP_aes_128_wrap_pad()); -+ EVP_add_cipher_alias(SN_aes_128_cbc, "AES128"); -+ EVP_add_cipher_alias(SN_aes_128_cbc, "aes128"); -+ EVP_add_cipher(EVP_aes_192_ecb()); -+ EVP_add_cipher(EVP_aes_192_cbc()); -+ EVP_add_cipher(EVP_aes_192_cfb()); -+ EVP_add_cipher(EVP_aes_192_cfb1()); -+ EVP_add_cipher(EVP_aes_192_cfb8()); -+ EVP_add_cipher(EVP_aes_192_ofb()); -+ EVP_add_cipher(EVP_aes_192_ctr()); -+ EVP_add_cipher(EVP_aes_192_gcm()); -+ EVP_add_cipher(EVP_aes_192_ccm()); -+ EVP_add_cipher(EVP_aes_192_wrap()); -+ EVP_add_cipher_alias(SN_id_aes192_wrap, "aes192-wrap"); -+ EVP_add_cipher(EVP_aes_192_wrap_pad()); -+ EVP_add_cipher_alias(SN_aes_192_cbc, "AES192"); -+ EVP_add_cipher_alias(SN_aes_192_cbc, "aes192"); -+ EVP_add_cipher(EVP_aes_256_ecb()); -+ EVP_add_cipher(EVP_aes_256_cbc()); -+ EVP_add_cipher(EVP_aes_256_cfb()); -+ EVP_add_cipher(EVP_aes_256_cfb1()); -+ EVP_add_cipher(EVP_aes_256_cfb8()); -+ EVP_add_cipher(EVP_aes_256_ofb()); -+ EVP_add_cipher(EVP_aes_256_ctr()); -+ EVP_add_cipher(EVP_aes_256_gcm()); -+ EVP_add_cipher(EVP_aes_256_xts()); -+ EVP_add_cipher(EVP_aes_256_ccm()); -+ EVP_add_cipher(EVP_aes_256_wrap()); -+ EVP_add_cipher_alias(SN_id_aes256_wrap, "aes256-wrap"); -+ EVP_add_cipher(EVP_aes_256_wrap_pad()); -+ EVP_add_cipher_alias(SN_aes_256_cbc, "AES256"); -+ EVP_add_cipher_alias(SN_aes_256_cbc, "aes256"); -+# endif -+ } -+#endif - } -diff -up openssl-1.1.1b/crypto/evp/c_alld.c.fips openssl-1.1.1b/crypto/evp/c_alld.c ---- openssl-1.1.1b/crypto/evp/c_alld.c.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/evp/c_alld.c 2019-02-28 11:30:06.803745726 +0100 -@@ -16,6 +16,9 @@ - - void openssl_add_all_digests_int(void) - { -+#ifdef OPENSSL_FIPS -+ if (!FIPS_mode()) { -+#endif - #ifndef OPENSSL_NO_MD4 - EVP_add_digest(EVP_md4()); - #endif -@@ -57,4 +60,24 @@ void openssl_add_all_digests_int(void) - EVP_add_digest(EVP_sha3_512()); - EVP_add_digest(EVP_shake128()); - EVP_add_digest(EVP_shake256()); -+#ifdef OPENSSL_FIPS -+ } else { -+ EVP_add_digest(EVP_md5_sha1()); -+ EVP_add_digest(EVP_sha1()); -+ EVP_add_digest_alias(SN_sha1, "ssl3-sha1"); -+ EVP_add_digest_alias(SN_sha1WithRSAEncryption, SN_sha1WithRSA); -+ EVP_add_digest(EVP_sha224()); -+ EVP_add_digest(EVP_sha256()); -+ EVP_add_digest(EVP_sha384()); -+ EVP_add_digest(EVP_sha512()); -+ EVP_add_digest(EVP_sha512_224()); -+ EVP_add_digest(EVP_sha512_256()); -+ EVP_add_digest(EVP_sha3_224()); -+ EVP_add_digest(EVP_sha3_256()); -+ EVP_add_digest(EVP_sha3_384()); -+ EVP_add_digest(EVP_sha3_512()); -+ EVP_add_digest(EVP_shake128()); -+ EVP_add_digest(EVP_shake256()); -+ } -+#endif - } -diff -up openssl-1.1.1c/crypto/evp/digest.c.fips openssl-1.1.1c/crypto/evp/digest.c ---- openssl-1.1.1c/crypto/evp/digest.c.fips 2019-05-28 15:12:21.000000000 +0200 -+++ openssl-1.1.1c/crypto/evp/digest.c 2019-05-29 15:47:59.220499971 +0200 +diff -up openssl-1.1.1j/crypto/evp/digest.c.fips openssl-1.1.1j/crypto/evp/digest.c +--- openssl-1.1.1j/crypto/evp/digest.c.fips 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/crypto/evp/digest.c 2021-03-03 12:57:42.197734509 +0100 @@ -14,6 +14,9 @@ #include - #include "internal/evp_int.h" - #include "evp_locl.h" + #include "crypto/evp.h" + #include "evp_local.h" +#ifdef OPENSSL_FIPS +# include +#endif @@ -1060,95 +922,28 @@ diff -up openssl-1.1.1c/crypto/evp/digest.c.fips openssl-1.1.1c/crypto/evp/diges OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE); ret = ctx->digest->final(ctx, md); if (size != NULL) -diff -up openssl-1.1.1b/crypto/evp/e_aes.c.fips openssl-1.1.1b/crypto/evp/e_aes.c ---- openssl-1.1.1b/crypto/evp/e_aes.c.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/evp/e_aes.c 2019-05-06 16:32:41.631668333 +0200 -@@ -387,22 +387,33 @@ static int aesni_xts_init_key(EVP_CIPHER - return 1; - - if (key) { -+ /* The key is two half length keys in reality */ -+ const int bytes = EVP_CIPHER_CTX_key_length(ctx) / 2; -+ const int bits = bytes * 8; -+ -+ /* -+ * Verify that the two keys are different. -+ * -+ * This addresses Rogaway's vulnerability. -+ * See comment in aes_xts_init_key() below. -+ */ -+ if (memcmp(key, key + bytes, bytes) == 0) { -+ EVPerr(EVP_F_AESNI_XTS_INIT_KEY, EVP_R_XTS_DUPLICATED_KEYS); -+ return 0; -+ } -+ - /* key_len is two AES keys */ - if (enc) { -- aesni_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 4, -- &xctx->ks1.ks); -+ aesni_set_encrypt_key(key, bits, &xctx->ks1.ks); - xctx->xts.block1 = (block128_f) aesni_encrypt; - xctx->stream = aesni_xts_encrypt; - } else { -- aesni_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 4, -- &xctx->ks1.ks); -+ aesni_set_decrypt_key(key, bits, &xctx->ks1.ks); - xctx->xts.block1 = (block128_f) aesni_decrypt; - xctx->stream = aesni_xts_decrypt; +diff -up openssl-1.1.1j/crypto/evp/e_aes.c.fips openssl-1.1.1j/crypto/evp/e_aes.c +--- openssl-1.1.1j/crypto/evp/e_aes.c.fips 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/crypto/evp/e_aes.c 2021-03-03 12:57:42.197734509 +0100 +@@ -397,7 +397,7 @@ static int aesni_xts_init_key(EVP_CIPHER + * This addresses Rogaway's vulnerability. + * See comment in aes_xts_init_key() below. + */ +- if (enc && CRYPTO_memcmp(key, key + bytes, bytes) == 0) { ++ if (CRYPTO_memcmp(key, key + bytes, bytes) == 0) { + EVPerr(EVP_F_AESNI_XTS_INIT_KEY, EVP_R_XTS_DUPLICATED_KEYS); + return 0; } - -- aesni_set_encrypt_key(key + EVP_CIPHER_CTX_key_length(ctx) / 2, -- EVP_CIPHER_CTX_key_length(ctx) * 4, -- &xctx->ks2.ks); -+ aesni_set_encrypt_key(key + bytes, bits, &xctx->ks2.ks); - xctx->xts.block2 = (block128_f) aesni_encrypt; - - xctx->xts.key1 = &xctx->ks1; -@@ -791,7 +802,21 @@ static int aes_t4_xts_init_key(EVP_CIPHE - return 1; - - if (key) { -- int bits = EVP_CIPHER_CTX_key_length(ctx) * 4; -+ /* The key is two half length keys in reality */ -+ const int bytes = EVP_CIPHER_CTX_key_length(ctx) / 2; -+ const int bits = bytes * 8; -+ -+ /* -+ * Verify that the two keys are different. -+ * -+ * This addresses Rogaway's vulnerability. -+ * See comment in aes_xts_init_key() below. -+ */ -+ if (memcmp(key, key + bytes, bytes) == 0) { -+ EVPerr(EVP_F_AES_T4_XTS_INIT_KEY, EVP_R_XTS_DUPLICATED_KEYS); -+ return 0; -+ } -+ - xctx->stream = NULL; - /* key_len is two AES keys */ - if (enc) { -@@ -808,8 +833,7 @@ static int aes_t4_xts_init_key(EVP_CIPHE - return 0; - } - } else { -- aes_t4_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 4, -- &xctx->ks1.ks); -+ aes_t4_set_decrypt_key(key, bits, &xctx->ks1.ks); - xctx->xts.block1 = (block128_f) aes_t4_decrypt; - switch (bits) { - case 128: -@@ -823,9 +847,7 @@ static int aes_t4_xts_init_key(EVP_CIPHE - } +@@ -817,7 +817,7 @@ static int aes_t4_xts_init_key(EVP_CIPHE + * This addresses Rogaway's vulnerability. + * See comment in aes_xts_init_key() below. + */ +- if (enc && CRYPTO_memcmp(key, key + bytes, bytes) == 0) { ++ if (CRYPTO_memcmp(key, key + bytes, bytes) == 0) { + EVPerr(EVP_F_AES_T4_XTS_INIT_KEY, EVP_R_XTS_DUPLICATED_KEYS); + return 0; } - -- aes_t4_set_encrypt_key(key + EVP_CIPHER_CTX_key_length(ctx) / 2, -- EVP_CIPHER_CTX_key_length(ctx) * 4, -- &xctx->ks2.ks); -+ aes_t4_set_encrypt_key(key + bytes, bits, &xctx->ks2.ks); - xctx->xts.block2 = (block128_f) aes_t4_encrypt; - - xctx->xts.key1 = &xctx->ks1; -@@ -2794,9 +2816,9 @@ static int aes_ctr_cipher(EVP_CIPHER_CTX +@@ -2833,9 +2833,9 @@ static int aes_ctr_cipher(EVP_CIPHER_CTX return 1; } @@ -1161,7 +956,7 @@ diff -up openssl-1.1.1b/crypto/evp/e_aes.c.fips openssl-1.1.1b/crypto/evp/e_aes. static int aes_gcm_cleanup(EVP_CIPHER_CTX *c) { -@@ -2826,6 +2848,11 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX * +@@ -2869,6 +2869,11 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX * case EVP_CTRL_AEAD_SET_IVLEN: if (arg <= 0) return 0; @@ -1173,8 +968,8 @@ diff -up openssl-1.1.1b/crypto/evp/e_aes.c.fips openssl-1.1.1b/crypto/evp/e_aes. /* Allocate memory for IV if needed */ if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen)) { if (gctx->iv != c->iv) -@@ -3275,11 +3302,14 @@ static int aes_gcm_cipher(EVP_CIPHER_CTX - | EVP_CIPH_CUSTOM_COPY) +@@ -3318,11 +3323,14 @@ static int aes_gcm_cipher(EVP_CIPHER_CTX + | EVP_CIPH_CUSTOM_COPY | EVP_CIPH_CUSTOM_IV_LENGTH) BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, gcm, GCM, - EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS) @@ -1191,123 +986,16 @@ diff -up openssl-1.1.1b/crypto/evp/e_aes.c.fips openssl-1.1.1b/crypto/evp/e_aes. static int aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) { -@@ -3313,8 +3343,33 @@ static int aes_xts_init_key(EVP_CIPHER_C - if (!iv && !key) - return 1; - -- if (key) -+ if (key) { - do { -+ /* The key is two half length keys in reality */ -+ const int bytes = EVP_CIPHER_CTX_key_length(ctx) / 2; -+ const int bits = bytes * 8; -+ -+ /* -+ * Verify that the two keys are different. -+ * -+ * This addresses the vulnerability described in Rogaway's -+ * September 2004 paper: -+ * -+ * "Efficient Instantiations of Tweakable Blockciphers and -+ * Refinements to Modes OCB and PMAC". -+ * (http://web.cs.ucdavis.edu/~rogaway/papers/offsets.pdf) -+ * -+ * FIPS 140-2 IG A.9 XTS-AES Key Generation Requirements states -+ * that: -+ * "The check for Key_1 != Key_2 shall be done at any place -+ * BEFORE using the keys in the XTS-AES algorithm to process -+ * data with them." -+ */ -+ if (memcmp(key, key + bytes, bytes) == 0) { -+ EVPerr(EVP_F_AES_XTS_INIT_KEY, EVP_R_XTS_DUPLICATED_KEYS); -+ return 0; -+ } -+ - #ifdef AES_XTS_ASM - xctx->stream = enc ? AES_xts_encrypt : AES_xts_decrypt; - #else -@@ -3324,26 +3379,20 @@ static int aes_xts_init_key(EVP_CIPHER_C - #ifdef HWAES_CAPABLE - if (HWAES_CAPABLE) { - if (enc) { -- HWAES_set_encrypt_key(key, -- EVP_CIPHER_CTX_key_length(ctx) * 4, -- &xctx->ks1.ks); -+ HWAES_set_encrypt_key(key, bits, &xctx->ks1.ks); - xctx->xts.block1 = (block128_f) HWAES_encrypt; - # ifdef HWAES_xts_encrypt - xctx->stream = HWAES_xts_encrypt; - # endif - } else { -- HWAES_set_decrypt_key(key, -- EVP_CIPHER_CTX_key_length(ctx) * 4, -- &xctx->ks1.ks); -+ HWAES_set_decrypt_key(key, bits, &xctx->ks1.ks); - xctx->xts.block1 = (block128_f) HWAES_decrypt; - # ifdef HWAES_xts_decrypt - xctx->stream = HWAES_xts_decrypt; - #endif - } - -- HWAES_set_encrypt_key(key + EVP_CIPHER_CTX_key_length(ctx) / 2, -- EVP_CIPHER_CTX_key_length(ctx) * 4, -- &xctx->ks2.ks); -+ HWAES_set_encrypt_key(key + bytes, bits, &xctx->ks2.ks); - xctx->xts.block2 = (block128_f) HWAES_encrypt; - - xctx->xts.key1 = &xctx->ks1; -@@ -3358,20 +3407,14 @@ static int aes_xts_init_key(EVP_CIPHER_C - #ifdef VPAES_CAPABLE - if (VPAES_CAPABLE) { - if (enc) { -- vpaes_set_encrypt_key(key, -- EVP_CIPHER_CTX_key_length(ctx) * 4, -- &xctx->ks1.ks); -+ vpaes_set_encrypt_key(key, bits, &xctx->ks1.ks); - xctx->xts.block1 = (block128_f) vpaes_encrypt; - } else { -- vpaes_set_decrypt_key(key, -- EVP_CIPHER_CTX_key_length(ctx) * 4, -- &xctx->ks1.ks); -+ vpaes_set_decrypt_key(key, bits, &xctx->ks1.ks); - xctx->xts.block1 = (block128_f) vpaes_decrypt; - } - -- vpaes_set_encrypt_key(key + EVP_CIPHER_CTX_key_length(ctx) / 2, -- EVP_CIPHER_CTX_key_length(ctx) * 4, -- &xctx->ks2.ks); -+ vpaes_set_encrypt_key(key + bytes, bits, &xctx->ks2.ks); - xctx->xts.block2 = (block128_f) vpaes_encrypt; - - xctx->xts.key1 = &xctx->ks1; -@@ -3381,22 +3424,19 @@ static int aes_xts_init_key(EVP_CIPHER_C - (void)0; /* terminate potentially open 'else' */ - - if (enc) { -- AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 4, -- &xctx->ks1.ks); -+ AES_set_encrypt_key(key, bits, &xctx->ks1.ks); - xctx->xts.block1 = (block128_f) AES_encrypt; - } else { -- AES_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 4, -- &xctx->ks1.ks); -+ AES_set_decrypt_key(key, bits, &xctx->ks1.ks); - xctx->xts.block1 = (block128_f) AES_decrypt; +@@ -3380,7 +3388,7 @@ static int aes_xts_init_key(EVP_CIPHER_C + * BEFORE using the keys in the XTS-AES algorithm to process + * data with them." + */ +- if (enc && CRYPTO_memcmp(key, key + bytes, bytes) == 0) { ++ if (CRYPTO_memcmp(key, key + bytes, bytes) == 0) { + EVPerr(EVP_F_AES_XTS_INIT_KEY, EVP_R_XTS_DUPLICATED_KEYS); + return 0; } - -- AES_set_encrypt_key(key + EVP_CIPHER_CTX_key_length(ctx) / 2, -- EVP_CIPHER_CTX_key_length(ctx) * 4, -- &xctx->ks2.ks); -+ AES_set_encrypt_key(key + bytes, bits, &xctx->ks2.ks); - xctx->xts.block2 = (block128_f) AES_encrypt; - - xctx->xts.key1 = &xctx->ks1; - } while (0); -+ } - - if (iv) { - xctx->xts.key2 = &xctx->ks2; -@@ -3414,6 +3454,14 @@ static int aes_xts_cipher(EVP_CIPHER_CTX +@@ -3484,6 +3492,14 @@ static int aes_xts_cipher(EVP_CIPHER_CTX return 0; if (!out || !in || len < AES_BLOCK_SIZE) return 0; @@ -1322,7 +1010,7 @@ diff -up openssl-1.1.1b/crypto/evp/e_aes.c.fips openssl-1.1.1b/crypto/evp/e_aes. if (xctx->stream) (*xctx->stream) (in, out, len, xctx->xts.key1, xctx->xts.key2, -@@ -3431,8 +3479,10 @@ static int aes_xts_cipher(EVP_CIPHER_CTX +@@ -3501,8 +3517,10 @@ static int aes_xts_cipher(EVP_CIPHER_CTX | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \ | EVP_CIPH_CUSTOM_COPY) @@ -1335,7 +1023,7 @@ diff -up openssl-1.1.1b/crypto/evp/e_aes.c.fips openssl-1.1.1b/crypto/evp/e_aes. static int aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) { -@@ -3697,11 +3747,11 @@ static int aes_ccm_cipher(EVP_CIPHER_CTX +@@ -3772,11 +3790,11 @@ static int aes_ccm_cipher(EVP_CIPHER_CTX #define aes_ccm_cleanup NULL BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, ccm, CCM, @@ -1350,7 +1038,7 @@ diff -up openssl-1.1.1b/crypto/evp/e_aes.c.fips openssl-1.1.1b/crypto/evp/e_aes. typedef struct { union { -@@ -3794,7 +3844,7 @@ static int aes_wrap_cipher(EVP_CIPHER_CT +@@ -3869,7 +3887,7 @@ static int aes_wrap_cipher(EVP_CIPHER_CT return rv ? (int)rv : -1; } @@ -1359,9 +1047,9 @@ diff -up openssl-1.1.1b/crypto/evp/e_aes.c.fips openssl-1.1.1b/crypto/evp/e_aes. | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \ | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_FLAG_DEFAULT_ASN1) -diff -up openssl-1.1.1b/crypto/evp/e_des3.c.fips openssl-1.1.1b/crypto/evp/e_des3.c ---- openssl-1.1.1b/crypto/evp/e_des3.c.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/evp/e_des3.c 2019-02-28 11:30:06.804745707 +0100 +diff -up openssl-1.1.1j/crypto/evp/e_des3.c.fips openssl-1.1.1j/crypto/evp/e_des3.c +--- openssl-1.1.1j/crypto/evp/e_des3.c.fips 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/crypto/evp/e_des3.c 2021-03-03 12:57:42.197734509 +0100 @@ -211,16 +211,19 @@ BLOCK_CIPHER_defs(des_ede, DES_EDE_KEY, # define des_ede3_cbc_cipher des_ede_cbc_cipher # define des_ede3_ecb_cipher des_ede_ecb_cipher @@ -1388,9 +1076,9 @@ diff -up openssl-1.1.1b/crypto/evp/e_des3.c.fips openssl-1.1.1b/crypto/evp/e_des static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc) -diff -up openssl-1.1.1b/crypto/evp/e_null.c.fips openssl-1.1.1b/crypto/evp/e_null.c ---- openssl-1.1.1b/crypto/evp/e_null.c.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/evp/e_null.c 2019-02-28 11:30:06.805745688 +0100 +diff -up openssl-1.1.1j/crypto/evp/e_null.c.fips openssl-1.1.1j/crypto/evp/e_null.c +--- openssl-1.1.1j/crypto/evp/e_null.c.fips 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/crypto/evp/e_null.c 2021-03-03 12:57:42.197734509 +0100 @@ -19,7 +19,8 @@ static int null_cipher(EVP_CIPHER_CTX *c const unsigned char *in, size_t inl); static const EVP_CIPHER n_cipher = { @@ -1401,31 +1089,29 @@ diff -up openssl-1.1.1b/crypto/evp/e_null.c.fips openssl-1.1.1b/crypto/evp/e_nul null_init_key, null_cipher, NULL, -diff -up openssl-1.1.1b/crypto/evp/evp_enc.c.fips openssl-1.1.1b/crypto/evp/evp_enc.c ---- openssl-1.1.1b/crypto/evp/evp_enc.c.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/evp/evp_enc.c 2019-02-28 11:30:06.805745688 +0100 -@@ -17,10 +17,19 @@ +diff -up openssl-1.1.1j/crypto/evp/evp_enc.c.fips openssl-1.1.1j/crypto/evp/evp_enc.c +--- openssl-1.1.1j/crypto/evp/evp_enc.c.fips 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/crypto/evp/evp_enc.c 2021-03-03 12:57:42.197734509 +0100 +@@ -18,9 +18,18 @@ #include - #include "internal/evp_int.h" - #include "evp_locl.h" + #include "crypto/evp.h" + #include "evp_local.h" +#ifdef OPENSSL_FIPS +# include +#endif int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX *c) { -- if (c == NULL) +#ifdef OPENSSL_FIPS + if (FIPS_selftest_failed()) { + FIPSerr(FIPS_F_EVP_CIPHER_CTX_RESET, FIPS_R_FIPS_SELFTEST_FAILED); + return 0; + } +#endif -+ if (c == NULL) + if (c == NULL) return 1; if (c->cipher != NULL) { - if (c->cipher->cleanup && !c->cipher->cleanup(c)) -@@ -39,6 +48,12 @@ int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX +@@ -40,6 +49,12 @@ int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX EVP_CIPHER_CTX *EVP_CIPHER_CTX_new(void) { @@ -1438,7 +1124,7 @@ diff -up openssl-1.1.1b/crypto/evp/evp_enc.c.fips openssl-1.1.1b/crypto/evp/evp_ return OPENSSL_zalloc(sizeof(EVP_CIPHER_CTX)); } -@@ -67,6 +82,12 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct +@@ -68,6 +83,12 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct enc = 1; ctx->encrypt = enc; } @@ -1451,7 +1137,7 @@ diff -up openssl-1.1.1b/crypto/evp/evp_enc.c.fips openssl-1.1.1b/crypto/evp/evp_ #ifndef OPENSSL_NO_ENGINE /* * Whether it's nice or not, "Inits" can be used on "Final"'d contexts so -@@ -136,7 +157,7 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct +@@ -137,7 +158,7 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct } ctx->key_len = cipher->key_len; /* Preserve wrap enable flag, zero everything else */ @@ -1460,7 +1146,7 @@ diff -up openssl-1.1.1b/crypto/evp/evp_enc.c.fips openssl-1.1.1b/crypto/evp/evp_ if (ctx->cipher->flags & EVP_CIPH_CTRL_INIT) { if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_INIT, 0, NULL)) { ctx->cipher = NULL; -@@ -195,6 +216,18 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct +@@ -196,6 +217,18 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct return 0; } } @@ -1479,27 +1165,18 @@ diff -up openssl-1.1.1b/crypto/evp/evp_enc.c.fips openssl-1.1.1b/crypto/evp/evp_ if (key || (ctx->cipher->flags & EVP_CIPH_ALWAYS_CALL_INIT)) { if (!ctx->cipher->init(ctx, key, iv, enc)) -diff -up openssl-1.1.1b/crypto/evp/evp_err.c.fips openssl-1.1.1b/crypto/evp/evp_err.c ---- openssl-1.1.1b/crypto/evp/evp_err.c.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/evp/evp_err.c 2019-05-06 16:41:08.565739361 +0200 -@@ -15,11 +15,16 @@ - - static const ERR_STRING_DATA EVP_str_functs[] = { - {ERR_PACK(ERR_LIB_EVP, EVP_F_AESNI_INIT_KEY, 0), "aesni_init_key"}, -+ {ERR_PACK(ERR_LIB_EVP, EVP_F_AESNI_XTS_INIT_KEY, 0), "aesni_xts_init_key"}, - {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_GCM_CTRL, 0), "aes_gcm_ctrl"}, - {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_INIT_KEY, 0), "aes_init_key"}, - {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_OCB_CIPHER, 0), "aes_ocb_cipher"}, - {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_T4_INIT_KEY, 0), "aes_t4_init_key"}, -+ {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_T4_XTS_INIT_KEY, 0), -+ "aes_t4_xts_init_key"}, +diff -up openssl-1.1.1j/crypto/evp/evp_err.c.fips openssl-1.1.1j/crypto/evp/evp_err.c +--- openssl-1.1.1j/crypto/evp/evp_err.c.fips 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/crypto/evp/evp_err.c 2021-03-03 12:57:42.198734517 +0100 +@@ -23,6 +23,7 @@ static const ERR_STRING_DATA EVP_str_fun + {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_T4_XTS_INIT_KEY, 0), + "aes_t4_xts_init_key"}, {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_WRAP_CIPHER, 0), "aes_wrap_cipher"}, + {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_XTS_CIPHER, 0), "aes_xts_cipher"}, -+ {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_XTS_INIT_KEY, 0), "aes_xts_init_key"}, + {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_XTS_INIT_KEY, 0), "aes_xts_init_key"}, {ERR_PACK(ERR_LIB_EVP, EVP_F_ALG_MODULE_INIT, 0), "alg_module_init"}, {ERR_PACK(ERR_LIB_EVP, EVP_F_ARIA_CCM_INIT_KEY, 0), "aria_ccm_init_key"}, - {ERR_PACK(ERR_LIB_EVP, EVP_F_ARIA_GCM_CTRL, 0), "aria_gcm_ctrl"}, -@@ -179,6 +180,7 @@ static const ERR_STRING_DATA EVP_str_rea +@@ -186,6 +187,7 @@ static const ERR_STRING_DATA EVP_str_rea "different key types"}, {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_DIFFERENT_PARAMETERS), "different parameters"}, @@ -1507,7 +1184,7 @@ diff -up openssl-1.1.1b/crypto/evp/evp_err.c.fips openssl-1.1.1b/crypto/evp/evp_ {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_ERROR_LOADING_SECTION), "error loading section"}, {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_ERROR_SETTING_FIPS_MODE), -@@ -241,6 +243,7 @@ static const ERR_STRING_DATA EVP_str_rea +@@ -251,6 +253,7 @@ static const ERR_STRING_DATA EVP_str_rea {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PRIVATE_KEY_ENCODE_ERROR), "private key encode error"}, {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PUBLIC_KEY_NOT_RSA), "public key not rsa"}, @@ -1515,20 +1192,18 @@ diff -up openssl-1.1.1b/crypto/evp/evp_err.c.fips openssl-1.1.1b/crypto/evp/evp_ {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_UNKNOWN_CIPHER), "unknown cipher"}, {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_UNKNOWN_DIGEST), "unknown digest"}, {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_UNKNOWN_OPTION), "unknown option"}, -@@ -266,6 +269,10 @@ static const ERR_STRING_DATA EVP_str_rea +@@ -276,6 +279,8 @@ static const ERR_STRING_DATA EVP_str_rea "wrap mode not allowed"}, {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_WRONG_FINAL_BLOCK_LENGTH), "wrong final block length"}, + {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_XTS_DATA_UNIT_IS_TOO_LARGE), + "xts data unit is too large"}, -+ {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_XTS_DUPLICATED_KEYS), -+ "xts duplicated keys"}, + {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_XTS_DUPLICATED_KEYS), + "xts duplicated keys"}, {0, NULL} - }; - -diff -up openssl-1.1.1b/crypto/evp/evp_lib.c.fips openssl-1.1.1b/crypto/evp/evp_lib.c ---- openssl-1.1.1b/crypto/evp/evp_lib.c.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/evp/evp_lib.c 2019-02-28 11:30:06.806745670 +0100 +diff -up openssl-1.1.1j/crypto/evp/evp_lib.c.fips openssl-1.1.1j/crypto/evp/evp_lib.c +--- openssl-1.1.1j/crypto/evp/evp_lib.c.fips 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/crypto/evp/evp_lib.c 2021-03-03 12:57:42.198734517 +0100 @@ -192,6 +192,9 @@ int EVP_CIPHER_impl_ctx_size(const EVP_C int EVP_Cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, unsigned int inl) @@ -1539,9 +1214,9 @@ diff -up openssl-1.1.1b/crypto/evp/evp_lib.c.fips openssl-1.1.1b/crypto/evp/evp_ return ctx->cipher->do_cipher(ctx, out, in, inl); } -diff -up openssl-1.1.1b/crypto/evp/m_sha1.c.fips openssl-1.1.1b/crypto/evp/m_sha1.c ---- openssl-1.1.1b/crypto/evp/m_sha1.c.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/evp/m_sha1.c 2019-02-28 11:30:06.806745670 +0100 +diff -up openssl-1.1.1j/crypto/evp/m_sha1.c.fips openssl-1.1.1j/crypto/evp/m_sha1.c +--- openssl-1.1.1j/crypto/evp/m_sha1.c.fips 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/crypto/evp/m_sha1.c 2021-03-03 12:57:42.198734517 +0100 @@ -95,7 +95,7 @@ static const EVP_MD sha1_md = { NID_sha1, NID_sha1WithRSAEncryption, @@ -1605,10 +1280,10 @@ diff -up openssl-1.1.1b/crypto/evp/m_sha1.c.fips openssl-1.1.1b/crypto/evp/m_sha init512, update512, final512, -diff -up openssl-1.1.1b/crypto/evp/m_sha3.c.fips openssl-1.1.1b/crypto/evp/m_sha3.c ---- openssl-1.1.1b/crypto/evp/m_sha3.c.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/evp/m_sha3.c 2019-05-06 16:12:23.012851747 +0200 -@@ -292,7 +292,7 @@ const EVP_MD *EVP_sha3_##bitlen(void) +diff -up openssl-1.1.1j/crypto/evp/m_sha3.c.fips openssl-1.1.1j/crypto/evp/m_sha3.c +--- openssl-1.1.1j/crypto/evp/m_sha3.c.fips 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/crypto/evp/m_sha3.c 2021-03-03 12:57:42.198734517 +0100 +@@ -295,7 +295,7 @@ const EVP_MD *EVP_sha3_##bitlen(void) NID_sha3_##bitlen, \ NID_RSA_SHA3_##bitlen, \ bitlen / 8, \ @@ -1617,7 +1292,7 @@ diff -up openssl-1.1.1b/crypto/evp/m_sha3.c.fips openssl-1.1.1b/crypto/evp/m_sha s390x_sha3_init, \ s390x_sha3_update, \ s390x_sha3_final, \ -@@ -305,7 +305,7 @@ const EVP_MD *EVP_sha3_##bitlen(void) +@@ -308,7 +308,7 @@ const EVP_MD *EVP_sha3_##bitlen(void) NID_sha3_##bitlen, \ NID_RSA_SHA3_##bitlen, \ bitlen / 8, \ @@ -1626,7 +1301,7 @@ diff -up openssl-1.1.1b/crypto/evp/m_sha3.c.fips openssl-1.1.1b/crypto/evp/m_sha sha3_init, \ sha3_update, \ sha3_final, \ -@@ -326,7 +326,7 @@ const EVP_MD *EVP_shake##bitlen(void) +@@ -329,7 +329,7 @@ const EVP_MD *EVP_shake##bitlen(void) NID_shake##bitlen, \ 0, \ bitlen / 8, \ @@ -1635,7 +1310,7 @@ diff -up openssl-1.1.1b/crypto/evp/m_sha3.c.fips openssl-1.1.1b/crypto/evp/m_sha s390x_shake_init, \ s390x_sha3_update, \ s390x_shake_final, \ -@@ -340,7 +340,7 @@ const EVP_MD *EVP_shake##bitlen(void) +@@ -343,7 +343,7 @@ const EVP_MD *EVP_shake##bitlen(void) NID_shake##bitlen, \ 0, \ bitlen / 8, \ @@ -1644,7 +1319,7 @@ diff -up openssl-1.1.1b/crypto/evp/m_sha3.c.fips openssl-1.1.1b/crypto/evp/m_sha shake_init, \ sha3_update, \ sha3_final, \ -@@ -364,7 +364,7 @@ const EVP_MD *EVP_sha3_##bitlen(void) +@@ -367,7 +367,7 @@ const EVP_MD *EVP_sha3_##bitlen(void) NID_sha3_##bitlen, \ NID_RSA_SHA3_##bitlen, \ bitlen / 8, \ @@ -1653,7 +1328,7 @@ diff -up openssl-1.1.1b/crypto/evp/m_sha3.c.fips openssl-1.1.1b/crypto/evp/m_sha sha3_init, \ sha3_update, \ sha3_final, \ -@@ -383,7 +383,7 @@ const EVP_MD *EVP_shake##bitlen(void) +@@ -386,7 +386,7 @@ const EVP_MD *EVP_shake##bitlen(void) NID_shake##bitlen, \ 0, \ bitlen / 8, \ @@ -1662,9 +1337,9 @@ diff -up openssl-1.1.1b/crypto/evp/m_sha3.c.fips openssl-1.1.1b/crypto/evp/m_sha shake_init, \ sha3_update, \ sha3_final, \ -diff -up openssl-1.1.1b/crypto/evp/pmeth_lib.c.fips openssl-1.1.1b/crypto/evp/pmeth_lib.c ---- openssl-1.1.1b/crypto/evp/pmeth_lib.c.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/evp/pmeth_lib.c 2019-05-06 15:11:33.207095983 +0200 +diff -up openssl-1.1.1j/crypto/evp/pmeth_lib.c.fips openssl-1.1.1j/crypto/evp/pmeth_lib.c +--- openssl-1.1.1j/crypto/evp/pmeth_lib.c.fips 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/crypto/evp/pmeth_lib.c 2021-03-03 12:57:42.198734517 +0100 @@ -131,7 +131,15 @@ static EVP_PKEY_CTX *int_ctx_new(EVP_PKE pmeth = ENGINE_get_pkey_meth(e, id); else @@ -1681,9 +1356,9 @@ diff -up openssl-1.1.1b/crypto/evp/pmeth_lib.c.fips openssl-1.1.1b/crypto/evp/pm if (pmeth == NULL) { #ifndef OPENSSL_NO_ENGINE -diff -up openssl-1.1.1b/crypto/fips/build.info.fips openssl-1.1.1b/crypto/fips/build.info ---- openssl-1.1.1b/crypto/fips/build.info.fips 2019-02-28 11:30:06.806745670 +0100 -+++ openssl-1.1.1b/crypto/fips/build.info 2019-02-28 11:30:06.806745670 +0100 +diff -up openssl-1.1.1j/crypto/fips/build.info.fips openssl-1.1.1j/crypto/fips/build.info +--- openssl-1.1.1j/crypto/fips/build.info.fips 2021-03-03 12:57:42.198734517 +0100 ++++ openssl-1.1.1j/crypto/fips/build.info 2021-03-03 12:57:42.198734517 +0100 @@ -0,0 +1,15 @@ +LIBS=../../libcrypto +SOURCE[../../libcrypto]=\ @@ -1700,9 +1375,9 @@ diff -up openssl-1.1.1b/crypto/fips/build.info.fips openssl-1.1.1b/crypto/fips/b +SOURCE[fips_standalone_hmac]=fips_standalone_hmac.c +INCLUDE[fips_standalone_hmac]=../../include +DEPEND[fips_standalone_hmac]=../../libcrypto -diff -up openssl-1.1.1b/crypto/fips/fips_aes_selftest.c.fips openssl-1.1.1b/crypto/fips/fips_aes_selftest.c ---- openssl-1.1.1b/crypto/fips/fips_aes_selftest.c.fips 2019-02-28 11:30:06.807745651 +0100 -+++ openssl-1.1.1b/crypto/fips/fips_aes_selftest.c 2019-02-28 11:30:06.807745651 +0100 +diff -up openssl-1.1.1j/crypto/fips/fips_aes_selftest.c.fips openssl-1.1.1j/crypto/fips/fips_aes_selftest.c +--- openssl-1.1.1j/crypto/fips/fips_aes_selftest.c.fips 2021-03-03 12:57:42.198734517 +0100 ++++ openssl-1.1.1j/crypto/fips/fips_aes_selftest.c 2021-03-03 12:57:42.198734517 +0100 @@ -0,0 +1,372 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -1757,7 +1432,7 @@ diff -up openssl-1.1.1b/crypto/fips/fips_aes_selftest.c.fips openssl-1.1.1b/cryp +#include +#ifdef OPENSSL_FIPS +# include -+# include "internal/fips_int.h" ++# include "crypto/fips.h" +#endif + +#ifdef OPENSSL_FIPS @@ -2076,9 +1751,9 @@ diff -up openssl-1.1.1b/crypto/fips/fips_aes_selftest.c.fips openssl-1.1.1b/cryp +} + +#endif -diff -up openssl-1.1.1b/crypto/fips/fips.c.fips openssl-1.1.1b/crypto/fips/fips.c ---- openssl-1.1.1b/crypto/fips/fips.c.fips 2019-02-28 11:30:06.807745651 +0100 -+++ openssl-1.1.1b/crypto/fips/fips.c 2019-02-28 11:30:06.807745651 +0100 +diff -up openssl-1.1.1j/crypto/fips/fips.c.fips openssl-1.1.1j/crypto/fips/fips.c +--- openssl-1.1.1j/crypto/fips/fips.c.fips 2021-03-03 12:57:42.198734517 +0100 ++++ openssl-1.1.1j/crypto/fips/fips.c 2021-03-03 12:57:42.198734517 +0100 @@ -0,0 +1,526 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -2486,7 +2161,7 @@ diff -up openssl-1.1.1b/crypto/fips/fips.c.fips openssl-1.1.1b/crypto/fips/fips. + rv = 0; + + /* Installed == true */ -+ return !rv; ++ return !rv || FIPS_module_mode(); +} + +int FIPS_module_mode_set(int onoff) @@ -2606,9 +2281,9 @@ diff -up openssl-1.1.1b/crypto/fips/fips.c.fips openssl-1.1.1b/crypto/fips/fips. +} + +#endif -diff -up openssl-1.1.1b/crypto/fips/fips_cmac_selftest.c.fips openssl-1.1.1b/crypto/fips/fips_cmac_selftest.c ---- openssl-1.1.1b/crypto/fips/fips_cmac_selftest.c.fips 2019-02-28 11:30:06.808745633 +0100 -+++ openssl-1.1.1b/crypto/fips/fips_cmac_selftest.c 2019-02-28 11:30:06.808745633 +0100 +diff -up openssl-1.1.1j/crypto/fips/fips_cmac_selftest.c.fips openssl-1.1.1j/crypto/fips/fips_cmac_selftest.c +--- openssl-1.1.1j/crypto/fips/fips_cmac_selftest.c.fips 2021-03-03 12:57:42.199734525 +0100 ++++ openssl-1.1.1j/crypto/fips/fips_cmac_selftest.c 2021-03-03 12:57:42.199734525 +0100 @@ -0,0 +1,156 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. @@ -2662,7 +2337,7 @@ diff -up openssl-1.1.1b/crypto/fips/fips_cmac_selftest.c.fips openssl-1.1.1b/cry +#include +#include +#include -+#include "internal/fips_int.h" ++#include "crypto/fips.h" +#include +#include "fips_locl.h" + @@ -2766,9 +2441,9 @@ diff -up openssl-1.1.1b/crypto/fips/fips_cmac_selftest.c.fips openssl-1.1.1b/cry + return rv; +} +#endif -diff -up openssl-1.1.1b/crypto/fips/fips_des_selftest.c.fips openssl-1.1.1b/crypto/fips/fips_des_selftest.c ---- openssl-1.1.1b/crypto/fips/fips_des_selftest.c.fips 2019-02-28 11:30:06.808745633 +0100 -+++ openssl-1.1.1b/crypto/fips/fips_des_selftest.c 2019-02-28 11:30:06.808745633 +0100 +diff -up openssl-1.1.1j/crypto/fips/fips_des_selftest.c.fips openssl-1.1.1j/crypto/fips/fips_des_selftest.c +--- openssl-1.1.1j/crypto/fips/fips_des_selftest.c.fips 2021-03-03 12:57:42.199734525 +0100 ++++ openssl-1.1.1j/crypto/fips/fips_des_selftest.c 2021-03-03 12:57:42.199734525 +0100 @@ -0,0 +1,133 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -2823,7 +2498,7 @@ diff -up openssl-1.1.1b/crypto/fips/fips_des_selftest.c.fips openssl-1.1.1b/cryp +#include +#ifdef OPENSSL_FIPS +# include -+# include "internal/fips_int.h" ++# include "crypto/fips.h" +#endif +#include + @@ -2903,9 +2578,9 @@ diff -up openssl-1.1.1b/crypto/fips/fips_des_selftest.c.fips openssl-1.1.1b/cryp + return ret; +} +#endif -diff -up openssl-1.1.1b/crypto/fips/fips_dh_selftest.c.fips openssl-1.1.1b/crypto/fips/fips_dh_selftest.c ---- openssl-1.1.1b/crypto/fips/fips_dh_selftest.c.fips 2019-02-28 11:30:06.810745596 +0100 -+++ openssl-1.1.1b/crypto/fips/fips_dh_selftest.c 2019-02-28 11:30:06.810745596 +0100 +diff -up openssl-1.1.1j/crypto/fips/fips_dh_selftest.c.fips openssl-1.1.1j/crypto/fips/fips_dh_selftest.c +--- openssl-1.1.1j/crypto/fips/fips_dh_selftest.c.fips 2021-03-03 12:57:42.199734525 +0100 ++++ openssl-1.1.1j/crypto/fips/fips_dh_selftest.c 2021-03-03 12:57:42.199734525 +0100 @@ -0,0 +1,180 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. @@ -3087,9 +2762,9 @@ diff -up openssl-1.1.1b/crypto/fips/fips_dh_selftest.c.fips openssl-1.1.1b/crypt + return ret; +} +#endif -diff -up openssl-1.1.1b/crypto/fips/fips_drbg_ctr.c.fips openssl-1.1.1b/crypto/fips/fips_drbg_ctr.c ---- openssl-1.1.1b/crypto/fips/fips_drbg_ctr.c.fips 2019-02-28 11:30:06.811745577 +0100 -+++ openssl-1.1.1b/crypto/fips/fips_drbg_ctr.c 2019-02-28 11:30:06.811745577 +0100 +diff -up openssl-1.1.1j/crypto/fips/fips_drbg_ctr.c.fips openssl-1.1.1j/crypto/fips/fips_drbg_ctr.c +--- openssl-1.1.1j/crypto/fips/fips_drbg_ctr.c.fips 2021-03-03 12:57:42.199734525 +0100 ++++ openssl-1.1.1j/crypto/fips/fips_drbg_ctr.c 2021-03-03 12:57:42.199734525 +0100 @@ -0,0 +1,406 @@ +/* fips/rand/fips_drbg_ctr.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -3497,9 +3172,9 @@ diff -up openssl-1.1.1b/crypto/fips/fips_drbg_ctr.c.fips openssl-1.1.1b/crypto/f + + return 1; +} -diff -up openssl-1.1.1b/crypto/fips/fips_drbg_hash.c.fips openssl-1.1.1b/crypto/fips/fips_drbg_hash.c ---- openssl-1.1.1b/crypto/fips/fips_drbg_hash.c.fips 2019-02-28 11:30:06.811745577 +0100 -+++ openssl-1.1.1b/crypto/fips/fips_drbg_hash.c 2019-02-28 11:30:06.811745577 +0100 +diff -up openssl-1.1.1j/crypto/fips/fips_drbg_hash.c.fips openssl-1.1.1j/crypto/fips/fips_drbg_hash.c +--- openssl-1.1.1j/crypto/fips/fips_drbg_hash.c.fips 2021-03-03 12:57:42.199734525 +0100 ++++ openssl-1.1.1j/crypto/fips/fips_drbg_hash.c 2021-03-03 12:57:42.199734525 +0100 @@ -0,0 +1,354 @@ +/* fips/rand/fips_drbg_hash.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -3560,7 +3235,7 @@ diff -up openssl-1.1.1b/crypto/fips/fips_drbg_hash.c.fips openssl-1.1.1b/crypto/ +#include +#include +#include -+#include "internal/fips_int.h" ++#include "crypto/fips.h" +#include +#include "fips_rand_lcl.h" + @@ -3855,9 +3530,9 @@ diff -up openssl-1.1.1b/crypto/fips/fips_drbg_hash.c.fips openssl-1.1.1b/crypto/ + + return 1; +} -diff -up openssl-1.1.1b/crypto/fips/fips_drbg_hmac.c.fips openssl-1.1.1b/crypto/fips/fips_drbg_hmac.c ---- openssl-1.1.1b/crypto/fips/fips_drbg_hmac.c.fips 2019-02-28 11:30:06.811745577 +0100 -+++ openssl-1.1.1b/crypto/fips/fips_drbg_hmac.c 2019-02-28 11:30:06.811745577 +0100 +diff -up openssl-1.1.1j/crypto/fips/fips_drbg_hmac.c.fips openssl-1.1.1j/crypto/fips/fips_drbg_hmac.c +--- openssl-1.1.1j/crypto/fips/fips_drbg_hmac.c.fips 2021-03-03 12:57:42.199734525 +0100 ++++ openssl-1.1.1j/crypto/fips/fips_drbg_hmac.c 2021-03-03 12:57:42.199734525 +0100 @@ -0,0 +1,262 @@ +/* fips/rand/fips_drbg_hmac.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -4121,9 +3796,9 @@ diff -up openssl-1.1.1b/crypto/fips/fips_drbg_hmac.c.fips openssl-1.1.1b/crypto/ + + return 1; +} -diff -up openssl-1.1.1b/crypto/fips/fips_drbg_lib.c.fips openssl-1.1.1b/crypto/fips/fips_drbg_lib.c ---- openssl-1.1.1b/crypto/fips/fips_drbg_lib.c.fips 2019-02-28 11:30:06.812745558 +0100 -+++ openssl-1.1.1b/crypto/fips/fips_drbg_lib.c 2019-02-28 11:30:06.812745558 +0100 +diff -up openssl-1.1.1j/crypto/fips/fips_drbg_lib.c.fips openssl-1.1.1j/crypto/fips/fips_drbg_lib.c +--- openssl-1.1.1j/crypto/fips/fips_drbg_lib.c.fips 2021-03-03 12:57:42.199734525 +0100 ++++ openssl-1.1.1j/crypto/fips/fips_drbg_lib.c 2021-03-03 12:57:42.199734525 +0100 @@ -0,0 +1,528 @@ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL + * project. @@ -4181,7 +3856,7 @@ diff -up openssl-1.1.1b/crypto/fips/fips_drbg_lib.c.fips openssl-1.1.1b/crypto/f +#include +#include +#include -+#include "internal/fips_int.h" ++#include "crypto/fips.h" +#include +#include "fips_locl.h" +#include "fips_rand_lcl.h" @@ -4653,9 +4328,9 @@ diff -up openssl-1.1.1b/crypto/fips/fips_drbg_lib.c.fips openssl-1.1.1b/crypto/f +{ + /* Just backwards compatibility API call with no effect. */ +} -diff -up openssl-1.1.1b/crypto/fips/fips_drbg_rand.c.fips openssl-1.1.1b/crypto/fips/fips_drbg_rand.c ---- openssl-1.1.1b/crypto/fips/fips_drbg_rand.c.fips 2019-02-28 11:30:06.812745558 +0100 -+++ openssl-1.1.1b/crypto/fips/fips_drbg_rand.c 2019-02-28 11:30:06.812745558 +0100 +diff -up openssl-1.1.1j/crypto/fips/fips_drbg_rand.c.fips openssl-1.1.1j/crypto/fips/fips_drbg_rand.c +--- openssl-1.1.1j/crypto/fips/fips_drbg_rand.c.fips 2021-03-03 12:57:42.199734525 +0100 ++++ openssl-1.1.1j/crypto/fips/fips_drbg_rand.c 2021-03-03 12:57:42.199734525 +0100 @@ -0,0 +1,185 @@ +/* fips/rand/fips_drbg_rand.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -4842,9 +4517,9 @@ diff -up openssl-1.1.1b/crypto/fips/fips_drbg_rand.c.fips openssl-1.1.1b/crypto/ +{ + return &rand_drbg_meth; +} -diff -up openssl-1.1.1b/crypto/fips/fips_drbg_selftest.c.fips openssl-1.1.1b/crypto/fips/fips_drbg_selftest.c ---- openssl-1.1.1b/crypto/fips/fips_drbg_selftest.c.fips 2019-02-28 11:30:06.812745558 +0100 -+++ openssl-1.1.1b/crypto/fips/fips_drbg_selftest.c 2019-02-28 11:30:06.812745558 +0100 +diff -up openssl-1.1.1j/crypto/fips/fips_drbg_selftest.c.fips openssl-1.1.1j/crypto/fips/fips_drbg_selftest.c +--- openssl-1.1.1j/crypto/fips/fips_drbg_selftest.c.fips 2021-03-03 12:57:42.200734534 +0100 ++++ openssl-1.1.1j/crypto/fips/fips_drbg_selftest.c 2021-03-03 12:57:42.200734534 +0100 @@ -0,0 +1,828 @@ +/* fips/rand/fips_drbg_selftest.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -5674,9 +5349,9 @@ diff -up openssl-1.1.1b/crypto/fips/fips_drbg_selftest.c.fips openssl-1.1.1b/cry + FIPS_drbg_free(dctx); + return rv; +} -diff -up openssl-1.1.1b/crypto/fips/fips_drbg_selftest.h.fips openssl-1.1.1b/crypto/fips/fips_drbg_selftest.h ---- openssl-1.1.1b/crypto/fips/fips_drbg_selftest.h.fips 2019-02-28 11:30:06.813745540 +0100 -+++ openssl-1.1.1b/crypto/fips/fips_drbg_selftest.h 2019-02-28 11:30:06.813745540 +0100 +diff -up openssl-1.1.1j/crypto/fips/fips_drbg_selftest.h.fips openssl-1.1.1j/crypto/fips/fips_drbg_selftest.h +--- openssl-1.1.1j/crypto/fips/fips_drbg_selftest.h.fips 2021-03-03 12:57:42.200734534 +0100 ++++ openssl-1.1.1j/crypto/fips/fips_drbg_selftest.h 2021-03-03 12:57:42.200734534 +0100 @@ -0,0 +1,1791 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. @@ -7469,9 +7144,9 @@ diff -up openssl-1.1.1b/crypto/fips/fips_drbg_selftest.h.fips openssl-1.1.1b/cry + 0xef, 0x05, 0x9e, 0xb8, 0xc7, 0x52, 0xe4, 0x0e, 0x42, 0xaa, 0x7c, 0x79, + 0xc2, 0xd6, 0xfd, 0xa5 +}; -diff -up openssl-1.1.1b/crypto/fips/fips_dsa_selftest.c.fips openssl-1.1.1b/crypto/fips/fips_dsa_selftest.c ---- openssl-1.1.1b/crypto/fips/fips_dsa_selftest.c.fips 2019-02-28 11:30:06.814745521 +0100 -+++ openssl-1.1.1b/crypto/fips/fips_dsa_selftest.c 2019-02-28 11:30:06.814745521 +0100 +diff -up openssl-1.1.1j/crypto/fips/fips_dsa_selftest.c.fips openssl-1.1.1j/crypto/fips/fips_dsa_selftest.c +--- openssl-1.1.1j/crypto/fips/fips_dsa_selftest.c.fips 2021-03-03 12:57:42.200734534 +0100 ++++ openssl-1.1.1j/crypto/fips/fips_dsa_selftest.c 2021-03-03 12:57:42.200734534 +0100 @@ -0,0 +1,195 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. @@ -7526,7 +7201,7 @@ diff -up openssl-1.1.1b/crypto/fips/fips_dsa_selftest.c.fips openssl-1.1.1b/cryp +#include +#include +#include -+#include "internal/fips_int.h" ++#include "crypto/fips.h" +#include +#include +#include @@ -7625,7 +7300,7 @@ diff -up openssl-1.1.1b/crypto/fips/fips_dsa_selftest.c.fips openssl-1.1.1b/cryp +{ + DSA *dsa = NULL; + EVP_PKEY *pk = NULL; -+ int ret = -1; ++ int ret = 0; + BIGNUM *p = NULL, *q = NULL, *g = NULL, *pub_key = NULL, *priv_key = NULL; + + fips_load_key_component(p, dsa_test_2048); @@ -7668,9 +7343,9 @@ diff -up openssl-1.1.1b/crypto/fips/fips_dsa_selftest.c.fips openssl-1.1.1b/cryp + return ret; +} +#endif -diff -up openssl-1.1.1b/crypto/fips/fips_ecdh_selftest.c.fips openssl-1.1.1b/crypto/fips/fips_ecdh_selftest.c ---- openssl-1.1.1b/crypto/fips/fips_ecdh_selftest.c.fips 2019-02-28 11:30:06.814745521 +0100 -+++ openssl-1.1.1b/crypto/fips/fips_ecdh_selftest.c 2019-02-28 11:30:06.814745521 +0100 +diff -up openssl-1.1.1j/crypto/fips/fips_ecdh_selftest.c.fips openssl-1.1.1j/crypto/fips/fips_ecdh_selftest.c +--- openssl-1.1.1j/crypto/fips/fips_ecdh_selftest.c.fips 2021-03-03 12:57:42.200734534 +0100 ++++ openssl-1.1.1j/crypto/fips/fips_ecdh_selftest.c 2021-03-03 12:57:42.200734534 +0100 @@ -0,0 +1,242 @@ +/* fips/ecdh/fips_ecdh_selftest.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -7825,24 +7500,24 @@ diff -up openssl-1.1.1b/crypto/fips/fips_ecdh_selftest.c.fips openssl-1.1.1b/cry + d = BN_bin2bn(ecd->d1, ecd->d1len, d); + + if (!x || !y || !d || !ztmp) { -+ rv = -1; ++ rv = 0; + goto err; + } + + ec1 = EC_KEY_new_by_curve_name(ecd->curve); + if (!ec1) { -+ rv = -1; ++ rv = 0; + goto err; + } + EC_KEY_set_flags(ec1, EC_FLAG_COFACTOR_ECDH); + + if (!EC_KEY_set_public_key_affine_coordinates(ec1, x, y)) { -+ rv = -1; ++ rv = 0; + goto err; + } + + if (!EC_KEY_set_private_key(ec1, d)) { -+ rv = -1; ++ rv = 0; + goto err; + } + @@ -7850,30 +7525,30 @@ diff -up openssl-1.1.1b/crypto/fips/fips_ecdh_selftest.c.fips openssl-1.1.1b/cry + y = BN_bin2bn(ecd->y2, ecd->y2len, y); + + if (!x || !y) { -+ rv = -1; ++ rv = 0; + goto err; + } + + ec2 = EC_KEY_new_by_curve_name(ecd->curve); + if (!ec2) { -+ rv = -1; ++ rv = 0; + goto err; + } + EC_KEY_set_flags(ec1, EC_FLAG_COFACTOR_ECDH); + + if (!EC_KEY_set_public_key_affine_coordinates(ec2, x, y)) { -+ rv = -1; ++ rv = 0; + goto err; + } + + ecp = EC_KEY_get0_public_key(ec2); + if (!ecp) { -+ rv = -1; ++ rv = 0; + goto err; + } + + if (!ECDH_compute_key(ztmp, ecd->zlen, ecp, ec1, 0)) { -+ rv = -1; ++ rv = 0; + goto err; + } + @@ -7914,9 +7589,9 @@ diff -up openssl-1.1.1b/crypto/fips/fips_ecdh_selftest.c.fips openssl-1.1.1b/cry +} + +#endif -diff -up openssl-1.1.1b/crypto/fips/fips_ecdsa_selftest.c.fips openssl-1.1.1b/crypto/fips/fips_ecdsa_selftest.c ---- openssl-1.1.1b/crypto/fips/fips_ecdsa_selftest.c.fips 2019-02-28 11:30:06.814745521 +0100 -+++ openssl-1.1.1b/crypto/fips/fips_ecdsa_selftest.c 2019-02-28 11:30:06.814745521 +0100 +diff -up openssl-1.1.1j/crypto/fips/fips_ecdsa_selftest.c.fips openssl-1.1.1j/crypto/fips/fips_ecdsa_selftest.c +--- openssl-1.1.1j/crypto/fips/fips_ecdsa_selftest.c.fips 2021-03-03 12:57:42.200734534 +0100 ++++ openssl-1.1.1j/crypto/fips/fips_ecdsa_selftest.c 2021-03-03 12:57:42.200734534 +0100 @@ -0,0 +1,166 @@ +/* fips/ecdsa/fips_ecdsa_selftest.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -7979,7 +7654,7 @@ diff -up openssl-1.1.1b/crypto/fips/fips_ecdsa_selftest.c.fips openssl-1.1.1b/cr +#include +#include +#include -+#include "internal/fips_int.h" ++#include "crypto/fips.h" +#include +#include +#include @@ -8084,9 +7759,9 @@ diff -up openssl-1.1.1b/crypto/fips/fips_ecdsa_selftest.c.fips openssl-1.1.1b/cr +} + +#endif -diff -up openssl-1.1.1b/crypto/fips/fips_err.h.fips openssl-1.1.1b/crypto/fips/fips_err.h ---- openssl-1.1.1b/crypto/fips/fips_err.h.fips 2019-05-06 16:08:46.792598211 +0200 -+++ openssl-1.1.1b/crypto/fips/fips_err.h 2019-05-06 16:19:56.403993551 +0200 +diff -up openssl-1.1.1j/crypto/fips/fips_err.h.fips openssl-1.1.1j/crypto/fips/fips_err.h +--- openssl-1.1.1j/crypto/fips/fips_err.h.fips 2021-03-03 12:57:42.201734542 +0100 ++++ openssl-1.1.1j/crypto/fips/fips_err.h 2021-03-03 12:57:42.201734542 +0100 @@ -0,0 +1,197 @@ +/* crypto/fips_err.h */ +/* ==================================================================== @@ -8285,9 +7960,9 @@ diff -up openssl-1.1.1b/crypto/fips/fips_err.h.fips openssl-1.1.1b/crypto/fips/f +#endif + return 1; +} -diff -up openssl-1.1.1b/crypto/fips/fips_ers.c.fips openssl-1.1.1b/crypto/fips/fips_ers.c ---- openssl-1.1.1b/crypto/fips/fips_ers.c.fips 2019-02-28 11:30:06.815745503 +0100 -+++ openssl-1.1.1b/crypto/fips/fips_ers.c 2019-02-28 11:30:06.815745503 +0100 +diff -up openssl-1.1.1j/crypto/fips/fips_ers.c.fips openssl-1.1.1j/crypto/fips/fips_ers.c +--- openssl-1.1.1j/crypto/fips/fips_ers.c.fips 2021-03-03 12:57:42.201734542 +0100 ++++ openssl-1.1.1j/crypto/fips/fips_ers.c 2021-03-03 12:57:42.201734542 +0100 @@ -0,0 +1,7 @@ +#include + @@ -8296,9 +7971,9 @@ diff -up openssl-1.1.1b/crypto/fips/fips_ers.c.fips openssl-1.1.1b/crypto/fips/f +#else +static void *dummy = &dummy; +#endif -diff -up openssl-1.1.1b/crypto/fips/fips_hmac_selftest.c.fips openssl-1.1.1b/crypto/fips/fips_hmac_selftest.c ---- openssl-1.1.1b/crypto/fips/fips_hmac_selftest.c.fips 2019-02-28 11:30:06.815745503 +0100 -+++ openssl-1.1.1b/crypto/fips/fips_hmac_selftest.c 2019-02-28 11:30:06.815745503 +0100 +diff -up openssl-1.1.1j/crypto/fips/fips_hmac_selftest.c.fips openssl-1.1.1j/crypto/fips/fips_hmac_selftest.c +--- openssl-1.1.1j/crypto/fips/fips_hmac_selftest.c.fips 2021-03-03 12:57:42.201734542 +0100 ++++ openssl-1.1.1j/crypto/fips/fips_hmac_selftest.c 2021-03-03 12:57:42.201734542 +0100 @@ -0,0 +1,134 @@ +/* ==================================================================== + * Copyright (c) 2005 The OpenSSL Project. All rights reserved. @@ -8434,9 +8109,9 @@ diff -up openssl-1.1.1b/crypto/fips/fips_hmac_selftest.c.fips openssl-1.1.1b/cry + return 1; +} +#endif -diff -up openssl-1.1.1b/crypto/fips/fips_locl.h.fips openssl-1.1.1b/crypto/fips/fips_locl.h ---- openssl-1.1.1b/crypto/fips/fips_locl.h.fips 2019-02-28 11:30:06.815745503 +0100 -+++ openssl-1.1.1b/crypto/fips/fips_locl.h 2019-02-28 11:30:06.815745503 +0100 +diff -up openssl-1.1.1j/crypto/fips/fips_locl.h.fips openssl-1.1.1j/crypto/fips/fips_locl.h +--- openssl-1.1.1j/crypto/fips/fips_locl.h.fips 2021-03-03 12:57:42.201734542 +0100 ++++ openssl-1.1.1j/crypto/fips/fips_locl.h 2021-03-03 12:57:42.201734542 +0100 @@ -0,0 +1,71 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. @@ -8509,9 +8184,9 @@ diff -up openssl-1.1.1b/crypto/fips/fips_locl.h.fips openssl-1.1.1b/crypto/fips/ +} +# endif +#endif -diff -up openssl-1.1.1b/crypto/fips/fips_post.c.fips openssl-1.1.1b/crypto/fips/fips_post.c ---- openssl-1.1.1b/crypto/fips/fips_post.c.fips 2019-05-06 16:08:46.794598177 +0200 -+++ openssl-1.1.1b/crypto/fips/fips_post.c 2019-05-06 16:08:46.794598177 +0200 +diff -up openssl-1.1.1j/crypto/fips/fips_post.c.fips openssl-1.1.1j/crypto/fips/fips_post.c +--- openssl-1.1.1j/crypto/fips/fips_post.c.fips 2021-03-03 12:57:42.201734542 +0100 ++++ openssl-1.1.1j/crypto/fips/fips_post.c 2021-03-03 12:57:42.201734542 +0100 @@ -0,0 +1,224 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. @@ -8581,7 +8256,7 @@ diff -up openssl-1.1.1b/crypto/fips/fips_post.c.fips openssl-1.1.1b/crypto/fips/ +/* Power on self test (POST) support functions */ + +# include -+# include "internal/fips_int.h" ++# include "crypto/fips.h" +# include "fips_locl.h" + +/* Run all selftests */ @@ -8737,9 +8412,9 @@ diff -up openssl-1.1.1b/crypto/fips/fips_post.c.fips openssl-1.1.1b/crypto/fips/ + return 1; +} +#endif -diff -up openssl-1.1.1b/crypto/fips/fips_rand_lcl.h.fips openssl-1.1.1b/crypto/fips/fips_rand_lcl.h ---- openssl-1.1.1b/crypto/fips/fips_rand_lcl.h.fips 2019-02-28 11:30:06.816745484 +0100 -+++ openssl-1.1.1b/crypto/fips/fips_rand_lcl.h 2019-02-28 11:30:06.816745484 +0100 +diff -up openssl-1.1.1j/crypto/fips/fips_rand_lcl.h.fips openssl-1.1.1j/crypto/fips/fips_rand_lcl.h +--- openssl-1.1.1j/crypto/fips/fips_rand_lcl.h.fips 2021-03-03 12:57:42.201734542 +0100 ++++ openssl-1.1.1j/crypto/fips/fips_rand_lcl.h 2021-03-03 12:57:42.201734542 +0100 @@ -0,0 +1,203 @@ +/* fips/rand/fips_rand_lcl.h */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -8944,9 +8619,9 @@ diff -up openssl-1.1.1b/crypto/fips/fips_rand_lcl.h.fips openssl-1.1.1b/crypto/f +#define FIPS_digestupdate EVP_DigestUpdate +#define FIPS_digestfinal EVP_DigestFinal +#define M_EVP_MD_size EVP_MD_size -diff -up openssl-1.1.1b/crypto/fips/fips_rand_lib.c.fips openssl-1.1.1b/crypto/fips/fips_rand_lib.c ---- openssl-1.1.1b/crypto/fips/fips_rand_lib.c.fips 2019-02-28 11:30:06.816745484 +0100 -+++ openssl-1.1.1b/crypto/fips/fips_rand_lib.c 2019-02-28 11:30:06.816745484 +0100 +diff -up openssl-1.1.1j/crypto/fips/fips_rand_lib.c.fips openssl-1.1.1j/crypto/fips/fips_rand_lib.c +--- openssl-1.1.1j/crypto/fips/fips_rand_lib.c.fips 2021-03-03 12:57:42.201734542 +0100 ++++ openssl-1.1.1j/crypto/fips/fips_rand_lib.c 2021-03-03 12:57:42.201734542 +0100 @@ -0,0 +1,234 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. @@ -9008,7 +8683,7 @@ diff -up openssl-1.1.1b/crypto/fips/fips_rand_lib.c.fips openssl-1.1.1b/crypto/f +#include +#include +#include -+#include "internal/fips_int.h" ++#include "crypto/fips.h" +#include +#include "e_os.h" + @@ -9182,9 +8857,9 @@ diff -up openssl-1.1.1b/crypto/fips/fips_rand_lib.c.fips openssl-1.1.1b/crypto/f +# endif +} + -diff -up openssl-1.1.1b/crypto/fips/fips_rsa_selftest.c.fips openssl-1.1.1b/crypto/fips/fips_rsa_selftest.c ---- openssl-1.1.1b/crypto/fips/fips_rsa_selftest.c.fips 2019-02-28 11:30:06.816745484 +0100 -+++ openssl-1.1.1b/crypto/fips/fips_rsa_selftest.c 2019-02-28 11:30:06.816745484 +0100 +diff -up openssl-1.1.1j/crypto/fips/fips_rsa_selftest.c.fips openssl-1.1.1j/crypto/fips/fips_rsa_selftest.c +--- openssl-1.1.1j/crypto/fips/fips_rsa_selftest.c.fips 2021-03-03 12:57:42.201734542 +0100 ++++ openssl-1.1.1j/crypto/fips/fips_rsa_selftest.c 2021-03-03 12:57:42.201734542 +0100 @@ -0,0 +1,338 @@ +/* ==================================================================== + * Copyright (c) 2003-2007 The OpenSSL Project. All rights reserved. @@ -9239,7 +8914,7 @@ diff -up openssl-1.1.1b/crypto/fips/fips_rsa_selftest.c.fips openssl-1.1.1b/cryp +#include +#ifdef OPENSSL_FIPS +# include -+# include "internal/fips_int.h" ++# include "crypto/fips.h" +#endif +#include +#include @@ -9524,9 +9199,9 @@ diff -up openssl-1.1.1b/crypto/fips/fips_rsa_selftest.c.fips openssl-1.1.1b/cryp +} + +#endif /* def OPENSSL_FIPS */ -diff -up openssl-1.1.1b/crypto/fips/fips_sha_selftest.c.fips openssl-1.1.1b/crypto/fips/fips_sha_selftest.c ---- openssl-1.1.1b/crypto/fips/fips_sha_selftest.c.fips 2019-05-06 16:08:46.795598159 +0200 -+++ openssl-1.1.1b/crypto/fips/fips_sha_selftest.c 2019-05-06 17:35:40.211316880 +0200 +diff -up openssl-1.1.1j/crypto/fips/fips_sha_selftest.c.fips openssl-1.1.1j/crypto/fips/fips_sha_selftest.c +--- openssl-1.1.1j/crypto/fips/fips_sha_selftest.c.fips 2021-03-03 12:57:42.201734542 +0100 ++++ openssl-1.1.1j/crypto/fips/fips_sha_selftest.c 2021-03-03 12:57:42.201734542 +0100 @@ -0,0 +1,223 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -9751,9 +9426,9 @@ diff -up openssl-1.1.1b/crypto/fips/fips_sha_selftest.c.fips openssl-1.1.1b/cryp +} + +#endif -diff -up openssl-1.1.1b/crypto/fips/fips_standalone_hmac.c.fips openssl-1.1.1b/crypto/fips/fips_standalone_hmac.c ---- openssl-1.1.1b/crypto/fips/fips_standalone_hmac.c.fips 2019-02-28 11:30:06.817745466 +0100 -+++ openssl-1.1.1b/crypto/fips/fips_standalone_hmac.c 2019-02-28 11:30:06.817745466 +0100 +diff -up openssl-1.1.1j/crypto/fips/fips_standalone_hmac.c.fips openssl-1.1.1j/crypto/fips/fips_standalone_hmac.c +--- openssl-1.1.1j/crypto/fips/fips_standalone_hmac.c.fips 2021-03-03 12:57:42.201734542 +0100 ++++ openssl-1.1.1j/crypto/fips/fips_standalone_hmac.c 2021-03-03 12:57:42.201734542 +0100 @@ -0,0 +1,127 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -9882,10 +9557,10 @@ diff -up openssl-1.1.1b/crypto/fips/fips_standalone_hmac.c.fips openssl-1.1.1b/c +#endif + return 0; +} -diff -up openssl-1.1.1c/crypto/hmac/hmac.c.fips openssl-1.1.1c/crypto/hmac/hmac.c ---- openssl-1.1.1c/crypto/hmac/hmac.c.fips 2019-05-29 15:46:19.138261106 +0200 -+++ openssl-1.1.1c/crypto/hmac/hmac.c 2019-05-29 15:49:09.508263133 +0200 -@@ -43,6 +43,13 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const vo +diff -up openssl-1.1.1j/crypto/hmac/hmac.c.fips openssl-1.1.1j/crypto/hmac/hmac.c +--- openssl-1.1.1j/crypto/hmac/hmac.c.fips 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/crypto/hmac/hmac.c 2021-03-03 12:57:42.202734550 +0100 +@@ -44,6 +44,13 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const vo return 0; if (key != NULL) { @@ -9897,11 +9572,11 @@ diff -up openssl-1.1.1c/crypto/hmac/hmac.c.fips openssl-1.1.1c/crypto/hmac/hmac. + goto err; +#endif reset = 1; + j = EVP_MD_block_size(md); - if (!ossl_assert(j <= (int)sizeof(ctx->key))) -diff -up openssl-1.1.1b/crypto/hmac/hm_pmeth.c.fips openssl-1.1.1b/crypto/hmac/hm_pmeth.c ---- openssl-1.1.1b/crypto/hmac/hm_pmeth.c.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/hmac/hm_pmeth.c 2019-05-06 14:56:01.123257022 +0200 +diff -up openssl-1.1.1j/crypto/hmac/hm_pmeth.c.fips openssl-1.1.1j/crypto/hmac/hm_pmeth.c +--- openssl-1.1.1j/crypto/hmac/hm_pmeth.c.fips 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/crypto/hmac/hm_pmeth.c 2021-03-03 12:57:42.202734550 +0100 @@ -180,7 +180,7 @@ static int pkey_hmac_ctrl_str(EVP_PKEY_C const EVP_PKEY_METHOD hmac_pkey_meth = { @@ -9911,116 +9586,14 @@ diff -up openssl-1.1.1b/crypto/hmac/hm_pmeth.c.fips openssl-1.1.1b/crypto/hmac/h pkey_hmac_init, pkey_hmac_copy, pkey_hmac_cleanup, -diff -up openssl-1.1.1b/crypto/include/internal/fips_int.h.fips openssl-1.1.1b/crypto/include/internal/fips_int.h ---- openssl-1.1.1b/crypto/include/internal/fips_int.h.fips 2019-02-28 11:30:06.817745466 +0100 -+++ openssl-1.1.1b/crypto/include/internal/fips_int.h 2019-02-28 11:30:06.817745466 +0100 -@@ -0,0 +1,98 @@ -+/* ==================================================================== -+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in -+ * the documentation and/or other materials provided with the -+ * distribution. -+ * -+ * 3. All advertising materials mentioning features or use of this -+ * software must display the following acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" -+ * -+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -+ * endorse or promote products derived from this software without -+ * prior written permission. For written permission, please contact -+ * openssl-core@openssl.org. -+ * -+ * 5. Products derived from this software may not be called "OpenSSL" -+ * nor may "OpenSSL" appear in their names without prior written -+ * permission of the OpenSSL Project. -+ * -+ * 6. Redistributions of any form whatsoever must retain the following -+ * acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. -+ * -+ */ -+ -+#include -+#include -+ -+#ifndef OPENSSL_FIPS -+# error FIPS is disabled. -+#endif -+ -+#ifdef OPENSSL_FIPS -+ -+int FIPS_module_mode_set(int onoff); -+int FIPS_module_mode(void); -+int FIPS_module_installed(void); -+int FIPS_selftest_sha1(void); -+int FIPS_selftest_sha2(void); -+int FIPS_selftest_sha3(void); -+int FIPS_selftest_aes_ccm(void); -+int FIPS_selftest_aes_gcm(void); -+int FIPS_selftest_aes_xts(void); -+int FIPS_selftest_aes(void); -+int FIPS_selftest_des(void); -+int FIPS_selftest_rsa(void); -+int FIPS_selftest_dsa(void); -+int FIPS_selftest_ecdsa(void); -+int FIPS_selftest_ecdh(void); -+int FIPS_selftest_dh(void); -+void FIPS_drbg_stick(int onoff); -+int FIPS_selftest_hmac(void); -+int FIPS_selftest_drbg(void); -+int FIPS_selftest_cmac(void); -+ -+int fips_pkey_signature_test(EVP_PKEY *pkey, -+ const unsigned char *tbs, int tbslen, -+ const unsigned char *kat, -+ unsigned int katlen, -+ const EVP_MD *digest, -+ unsigned int md_flags, const char *fail_str); -+ -+int fips_cipher_test(EVP_CIPHER_CTX *ctx, -+ const EVP_CIPHER *cipher, -+ const unsigned char *key, -+ const unsigned char *iv, -+ const unsigned char *plaintext, -+ const unsigned char *ciphertext, int len); -+ -+void fips_set_selftest_fail(void); -+ -+void FIPS_get_timevec(unsigned char *buf, unsigned long *pctr); -+ -+#endif -diff -up openssl-1.1.1b/crypto/o_fips.c.fips openssl-1.1.1b/crypto/o_fips.c ---- openssl-1.1.1b/crypto/o_fips.c.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/o_fips.c 2019-02-28 11:30:06.817745466 +0100 +diff -up openssl-1.1.1j/crypto/o_fips.c.fips openssl-1.1.1j/crypto/o_fips.c +--- openssl-1.1.1j/crypto/o_fips.c.fips 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/crypto/o_fips.c 2021-03-03 12:57:42.202734550 +0100 @@ -8,17 +8,28 @@ */ #include "internal/cryptlib.h" -+#include "internal/fips_int.h" ++#include "crypto/fips.h" int FIPS_mode(void) { @@ -10045,10 +9618,10 @@ diff -up openssl-1.1.1b/crypto/o_fips.c.fips openssl-1.1.1b/crypto/o_fips.c return 0; +#endif } -diff -up openssl-1.1.1b/crypto/o_init.c.fips openssl-1.1.1b/crypto/o_init.c ---- openssl-1.1.1b/crypto/o_init.c.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/o_init.c 2019-02-28 11:30:06.817745466 +0100 -@@ -7,8 +7,68 @@ +diff -up openssl-1.1.1j/crypto/o_init.c.fips openssl-1.1.1j/crypto/o_init.c +--- openssl-1.1.1j/crypto/o_init.c.fips 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/crypto/o_init.c 2021-03-03 12:57:42.202734550 +0100 +@@ -7,8 +7,69 @@ * https://www.openssl.org/source/license.html */ @@ -10065,7 +9638,7 @@ diff -up openssl-1.1.1b/crypto/o_init.c.fips openssl-1.1.1b/crypto/o_init.c +# include +# include +# include -+# include "internal/fips_int.h" ++# include "crypto/fips.h" + +# define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled" + @@ -10074,16 +9647,20 @@ diff -up openssl-1.1.1b/crypto/o_init.c.fips openssl-1.1.1b/crypto/o_init.c + char buf[2] = "0"; + int fd; + -+ /* Ensure the selftests always run */ -+ /* XXX: TO SOLVE - premature initialization due to selftests */ -+ FIPS_mode_set(1); -+ + if (secure_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) { + buf[0] = '1'; + } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) { + while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ; + close(fd); + } ++ ++ if (buf[0] != '1' && !FIPS_module_installed()) ++ return; ++ ++ /* Ensure the selftests always run */ ++ /* XXX: TO SOLVE - premature initialization due to selftests */ ++ FIPS_mode_set(1); ++ + /* Failure reading the fips mode switch file means just not + * switching into FIPS mode. We would break too many things + * otherwise.. @@ -10108,21 +9685,18 @@ diff -up openssl-1.1.1b/crypto/o_init.c.fips openssl-1.1.1b/crypto/o_init.c + if (done) + return; + done = 1; -+ if (!FIPS_module_installed()) { -+ return; -+ } + init_fips_mode(); +} +#endif /* * Perform any essential OpenSSL initialization operations. Currently does -diff -up openssl-1.1.1b/crypto/rand/rand_lib.c.fips openssl-1.1.1b/crypto/rand/rand_lib.c ---- openssl-1.1.1b/crypto/rand/rand_lib.c.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/rand/rand_lib.c 2019-02-28 11:30:06.818745447 +0100 +diff -up openssl-1.1.1j/crypto/rand/rand_lib.c.fips openssl-1.1.1j/crypto/rand/rand_lib.c +--- openssl-1.1.1j/crypto/rand/rand_lib.c.fips 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/crypto/rand/rand_lib.c 2021-03-03 12:57:42.202734550 +0100 @@ -16,6 +16,10 @@ #include "internal/thread_once.h" - #include "rand_lcl.h" + #include "rand_local.h" #include "e_os.h" +#ifdef OPENSSL_FIPS +# include @@ -10131,7 +9705,7 @@ diff -up openssl-1.1.1b/crypto/rand/rand_lib.c.fips openssl-1.1.1b/crypto/rand/r #ifndef OPENSSL_NO_ENGINE /* non-NULL if default_RAND_meth is ENGINE-provided */ -@@ -857,3 +861,15 @@ int RAND_status(void) +@@ -959,3 +963,15 @@ int RAND_status(void) return meth->status(); return 0; } @@ -10147,9 +9721,9 @@ diff -up openssl-1.1.1b/crypto/rand/rand_lib.c.fips openssl-1.1.1b/crypto/rand/r + return 1; +} +#endif -diff -up openssl-1.1.1b/crypto/rsa/rsa_crpt.c.fips openssl-1.1.1b/crypto/rsa/rsa_crpt.c ---- openssl-1.1.1b/crypto/rsa/rsa_crpt.c.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/rsa/rsa_crpt.c 2019-02-28 11:30:06.818745447 +0100 +diff -up openssl-1.1.1j/crypto/rsa/rsa_crpt.c.fips openssl-1.1.1j/crypto/rsa/rsa_crpt.c +--- openssl-1.1.1j/crypto/rsa/rsa_crpt.c.fips 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/crypto/rsa/rsa_crpt.c 2021-03-03 12:57:42.202734550 +0100 @@ -27,24 +27,52 @@ int RSA_size(const RSA *r) int RSA_public_encrypt(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding) @@ -10203,9 +9777,9 @@ diff -up openssl-1.1.1b/crypto/rsa/rsa_crpt.c.fips openssl-1.1.1b/crypto/rsa/rsa return rsa->meth->rsa_pub_dec(flen, from, to, rsa, padding); } -diff -up openssl-1.1.1b/crypto/rsa/rsa_err.c.fips openssl-1.1.1b/crypto/rsa/rsa_err.c ---- openssl-1.1.1b/crypto/rsa/rsa_err.c.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/rsa/rsa_err.c 2019-02-28 11:30:06.818745447 +0100 +diff -up openssl-1.1.1j/crypto/rsa/rsa_err.c.fips openssl-1.1.1j/crypto/rsa/rsa_err.c +--- openssl-1.1.1j/crypto/rsa/rsa_err.c.fips 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/crypto/rsa/rsa_err.c 2021-03-03 12:57:42.202734550 +0100 @@ -16,6 +16,8 @@ static const ERR_STRING_DATA RSA_str_functs[] = { {ERR_PACK(ERR_LIB_RSA, RSA_F_CHECK_PADDING_MD, 0), "check_padding_md"}, @@ -10248,7 +9822,7 @@ diff -up openssl-1.1.1b/crypto/rsa/rsa_err.c.fips openssl-1.1.1b/crypto/rsa/rsa_ {ERR_PACK(ERR_LIB_RSA, RSA_F_SETUP_TBUF, 0), "setup_tbuf"}, {0, NULL} }; -@@ -181,6 +192,7 @@ static const ERR_STRING_DATA RSA_str_rea +@@ -183,6 +194,7 @@ static const ERR_STRING_DATA RSA_str_rea "mp exponent not congruent to d"}, {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_MP_R_NOT_PRIME), "mp r not prime"}, {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_NO_PUBLIC_EXPONENT), "no public exponent"}, @@ -10256,7 +9830,7 @@ diff -up openssl-1.1.1b/crypto/rsa/rsa_err.c.fips openssl-1.1.1b/crypto/rsa/rsa_ {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_NULL_BEFORE_BLOCK_MISSING), "null before block missing"}, {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_N_DOES_NOT_EQUAL_PRODUCT_OF_PRIMES), -@@ -189,6 +201,8 @@ static const ERR_STRING_DATA RSA_str_rea +@@ -191,6 +203,8 @@ static const ERR_STRING_DATA RSA_str_rea "n does not equal p q"}, {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_OAEP_DECODING_ERROR), "oaep decoding error"}, @@ -10265,7 +9839,7 @@ diff -up openssl-1.1.1b/crypto/rsa/rsa_err.c.fips openssl-1.1.1b/crypto/rsa/rsa_ {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE), "operation not supported for this keytype"}, {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_PADDING_CHECK_FAILED), -@@ -224,6 +238,8 @@ static const ERR_STRING_DATA RSA_str_rea +@@ -226,6 +240,8 @@ static const ERR_STRING_DATA RSA_str_rea "unsupported mask algorithm"}, {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_UNSUPPORTED_MASK_PARAMETER), "unsupported mask parameter"}, @@ -10274,16 +9848,16 @@ diff -up openssl-1.1.1b/crypto/rsa/rsa_err.c.fips openssl-1.1.1b/crypto/rsa/rsa_ {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_UNSUPPORTED_SIGNATURE_TYPE), "unsupported signature type"}, {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_VALUE_MISSING), "value missing"}, -diff -up openssl-1.1.1b/crypto/rsa/rsa_gen.c.fips openssl-1.1.1b/crypto/rsa/rsa_gen.c ---- openssl-1.1.1b/crypto/rsa/rsa_gen.c.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/rsa/rsa_gen.c 2019-02-28 11:30:06.818745447 +0100 +diff -up openssl-1.1.1j/crypto/rsa/rsa_gen.c.fips openssl-1.1.1j/crypto/rsa/rsa_gen.c +--- openssl-1.1.1j/crypto/rsa/rsa_gen.c.fips 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/crypto/rsa/rsa_gen.c 2021-03-03 12:57:42.202734550 +0100 @@ -18,6 +18,76 @@ #include "internal/cryptlib.h" #include - #include "rsa_locl.h" + #include "rsa_local.h" +#ifdef OPENSSL_FIPS +# include -+# include "internal/fips_int.h" ++# include "crypto/fips.h" + +int fips_check_rsa(RSA *rsa) +{ @@ -10669,9 +10243,9 @@ diff -up openssl-1.1.1b/crypto/rsa/rsa_gen.c.fips openssl-1.1.1b/crypto/rsa/rsa_ static int rsa_builtin_keygen(RSA *rsa, int bits, int primes, BIGNUM *e_value, BN_GENCB *cb) { -diff -up openssl-1.1.1b/crypto/rsa/rsa_lib.c.fips openssl-1.1.1b/crypto/rsa/rsa_lib.c ---- openssl-1.1.1b/crypto/rsa/rsa_lib.c.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/rsa/rsa_lib.c 2019-02-28 11:30:06.819745428 +0100 +diff -up openssl-1.1.1j/crypto/rsa/rsa_lib.c.fips openssl-1.1.1j/crypto/rsa/rsa_lib.c +--- openssl-1.1.1j/crypto/rsa/rsa_lib.c.fips 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/crypto/rsa/rsa_lib.c 2021-03-03 12:57:42.203734558 +0100 @@ -34,6 +34,12 @@ int RSA_set_method(RSA *rsa, const RSA_M * to deal with which ENGINE it comes from. */ @@ -10714,12 +10288,12 @@ diff -up openssl-1.1.1b/crypto/rsa/rsa_lib.c.fips openssl-1.1.1b/crypto/rsa/rsa_ if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data)) { goto err; } -diff -up openssl-1.1.1b/crypto/rsa/rsa_ossl.c.fips openssl-1.1.1b/crypto/rsa/rsa_ossl.c ---- openssl-1.1.1b/crypto/rsa/rsa_ossl.c.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/rsa/rsa_ossl.c 2019-02-28 11:31:57.315691372 +0100 +diff -up openssl-1.1.1j/crypto/rsa/rsa_ossl.c.fips openssl-1.1.1j/crypto/rsa/rsa_ossl.c +--- openssl-1.1.1j/crypto/rsa/rsa_ossl.c.fips 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/crypto/rsa/rsa_ossl.c 2021-03-03 12:57:42.203734558 +0100 @@ -12,6 +12,10 @@ - #include "rsa_locl.h" - #include "internal/constant_time_locl.h" + #include "rsa_local.h" + #include "internal/constant_time.h" +#ifdef OPENSSL_FIPS +# include @@ -10764,7 +10338,7 @@ diff -up openssl-1.1.1b/crypto/rsa/rsa_ossl.c.fips openssl-1.1.1b/crypto/rsa/rsa if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) { RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE); return -1; -@@ -247,6 +273,22 @@ static int rsa_ossl_private_encrypt(int +@@ -246,6 +272,22 @@ static int rsa_ossl_private_encrypt(int BIGNUM *unblind = NULL; BN_BLINDING *blinding = NULL; @@ -10787,7 +10361,7 @@ diff -up openssl-1.1.1b/crypto/rsa/rsa_ossl.c.fips openssl-1.1.1b/crypto/rsa/rsa if ((ctx = BN_CTX_new()) == NULL) goto err; BN_CTX_start(ctx); -@@ -377,6 +419,22 @@ static int rsa_ossl_private_decrypt(int +@@ -380,6 +422,22 @@ static int rsa_ossl_private_decrypt(int BIGNUM *unblind = NULL; BN_BLINDING *blinding = NULL; @@ -10810,7 +10384,7 @@ diff -up openssl-1.1.1b/crypto/rsa/rsa_ossl.c.fips openssl-1.1.1b/crypto/rsa/rsa if ((ctx = BN_CTX_new()) == NULL) goto err; BN_CTX_start(ctx); -@@ -500,6 +558,22 @@ static int rsa_ossl_public_decrypt(int f +@@ -507,6 +565,22 @@ static int rsa_ossl_public_decrypt(int f unsigned char *buf = NULL; BN_CTX *ctx = NULL; @@ -10833,9 +10407,9 @@ diff -up openssl-1.1.1b/crypto/rsa/rsa_ossl.c.fips openssl-1.1.1b/crypto/rsa/rsa if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) { RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE); return -1; -diff -up openssl-1.1.1b/crypto/rsa/rsa_pmeth.c.fips openssl-1.1.1b/crypto/rsa/rsa_pmeth.c ---- openssl-1.1.1b/crypto/rsa/rsa_pmeth.c.fips 2019-05-06 14:48:26.514174053 +0200 -+++ openssl-1.1.1b/crypto/rsa/rsa_pmeth.c 2019-05-06 14:45:46.732956649 +0200 +diff -up openssl-1.1.1j/crypto/rsa/rsa_pmeth.c.fips openssl-1.1.1j/crypto/rsa/rsa_pmeth.c +--- openssl-1.1.1j/crypto/rsa/rsa_pmeth.c.fips 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/crypto/rsa/rsa_pmeth.c 2021-03-03 12:57:42.203734558 +0100 @@ -756,7 +756,7 @@ static int pkey_rsa_keygen(EVP_PKEY_CTX const EVP_PKEY_METHOD rsa_pkey_meth = { @@ -10854,9 +10428,9 @@ diff -up openssl-1.1.1b/crypto/rsa/rsa_pmeth.c.fips openssl-1.1.1b/crypto/rsa/rs pkey_rsa_init, pkey_rsa_copy, pkey_rsa_cleanup, -diff -up openssl-1.1.1b/crypto/rsa/rsa_sign.c.fips openssl-1.1.1b/crypto/rsa/rsa_sign.c ---- openssl-1.1.1b/crypto/rsa/rsa_sign.c.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/rsa/rsa_sign.c 2019-02-28 11:30:06.819745428 +0100 +diff -up openssl-1.1.1j/crypto/rsa/rsa_sign.c.fips openssl-1.1.1j/crypto/rsa/rsa_sign.c +--- openssl-1.1.1j/crypto/rsa/rsa_sign.c.fips 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/crypto/rsa/rsa_sign.c 2021-03-03 12:57:42.203734558 +0100 @@ -73,6 +73,13 @@ int RSA_sign(int type, const unsigned ch unsigned char *tmps = NULL; const unsigned char *encoded = NULL; @@ -10883,9 +10457,9 @@ diff -up openssl-1.1.1b/crypto/rsa/rsa_sign.c.fips openssl-1.1.1b/crypto/rsa/rsa if (encrypt_len <= 0) goto err; -diff -up openssl-1.1.1b/crypto/sha/sha256.c.fips openssl-1.1.1b/crypto/sha/sha256.c ---- openssl-1.1.1b/crypto/sha/sha256.c.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/sha/sha256.c 2019-02-28 11:30:06.819745428 +0100 +diff -up openssl-1.1.1j/crypto/sha/sha256.c.fips openssl-1.1.1j/crypto/sha/sha256.c +--- openssl-1.1.1j/crypto/sha/sha256.c.fips 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/crypto/sha/sha256.c 2021-03-03 12:57:42.203734558 +0100 @@ -18,6 +18,9 @@ int SHA224_Init(SHA256_CTX *c) @@ -10906,9 +10480,9 @@ diff -up openssl-1.1.1b/crypto/sha/sha256.c.fips openssl-1.1.1b/crypto/sha/sha25 memset(c, 0, sizeof(*c)); c->h[0] = 0x6a09e667UL; c->h[1] = 0xbb67ae85UL; -diff -up openssl-1.1.1b/crypto/sha/sha512.c.fips openssl-1.1.1b/crypto/sha/sha512.c ---- openssl-1.1.1b/crypto/sha/sha512.c.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/sha/sha512.c 2019-02-28 11:30:06.820745410 +0100 +diff -up openssl-1.1.1j/crypto/sha/sha512.c.fips openssl-1.1.1j/crypto/sha/sha512.c +--- openssl-1.1.1j/crypto/sha/sha512.c.fips 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/crypto/sha/sha512.c 2021-03-03 12:57:42.203734558 +0100 @@ -98,6 +98,9 @@ int sha512_256_init(SHA512_CTX *c) int SHA384_Init(SHA512_CTX *c) @@ -10929,9 +10503,9 @@ diff -up openssl-1.1.1b/crypto/sha/sha512.c.fips openssl-1.1.1b/crypto/sha/sha51 c->h[0] = U64(0x6a09e667f3bcc908); c->h[1] = U64(0xbb67ae8584caa73b); c->h[2] = U64(0x3c6ef372fe94f82b); -diff -up openssl-1.1.1b/crypto/sha/sha_locl.h.fips openssl-1.1.1b/crypto/sha/sha_locl.h ---- openssl-1.1.1b/crypto/sha/sha_locl.h.fips 2019-02-28 11:30:06.628748979 +0100 -+++ openssl-1.1.1b/crypto/sha/sha_locl.h 2019-02-28 11:30:06.820745410 +0100 +diff -up openssl-1.1.1j/crypto/sha/sha_local.h.fips openssl-1.1.1j/crypto/sha/sha_local.h +--- openssl-1.1.1j/crypto/sha/sha_local.h.fips 2021-03-03 12:57:41.941732391 +0100 ++++ openssl-1.1.1j/crypto/sha/sha_local.h 2021-03-03 12:57:42.203734558 +0100 @@ -52,6 +52,9 @@ void sha1_block_data_order(SHA_CTX *c, c int HASH_INIT(SHA_CTX *c) @@ -10942,9 +10516,9 @@ diff -up openssl-1.1.1b/crypto/sha/sha_locl.h.fips openssl-1.1.1b/crypto/sha/sha memset(c, 0, sizeof(*c)); c->h0 = INIT_DATA_h0; c->h1 = INIT_DATA_h1; -diff -up openssl-1.1.1b/doc/man3/DSA_generate_parameters.pod.fips openssl-1.1.1b/doc/man3/DSA_generate_parameters.pod ---- openssl-1.1.1b/doc/man3/DSA_generate_parameters.pod.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/doc/man3/DSA_generate_parameters.pod 2019-02-28 11:30:06.820745410 +0100 +diff -up openssl-1.1.1j/doc/man3/DSA_generate_parameters.pod.fips openssl-1.1.1j/doc/man3/DSA_generate_parameters.pod +--- openssl-1.1.1j/doc/man3/DSA_generate_parameters.pod.fips 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/doc/man3/DSA_generate_parameters.pod 2021-03-03 12:57:42.203734558 +0100 @@ -30,8 +30,10 @@ B is the length of the prime p to For lengths under 2048 bits, the length of q is 160 bits; for lengths greater than or equal to 2048 bits, the length of q is set to 256 bits. @@ -10958,9 +10532,111 @@ diff -up openssl-1.1.1b/doc/man3/DSA_generate_parameters.pod.fips openssl-1.1.1b DSA_generate_parameters_ex() places the iteration count in *B and a counter used for finding a generator in -diff -up openssl-1.1.1b/include/openssl/crypto.h.fips openssl-1.1.1b/include/openssl/crypto.h ---- openssl-1.1.1b/include/openssl/crypto.h.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/include/openssl/crypto.h 2019-02-28 11:30:06.820745410 +0100 +diff -up openssl-1.1.1j/include/crypto/fips.h.fips openssl-1.1.1j/include/crypto/fips.h +--- openssl-1.1.1j/include/crypto/fips.h.fips 2021-03-03 12:57:42.202734550 +0100 ++++ openssl-1.1.1j/include/crypto/fips.h 2021-03-03 12:57:42.202734550 +0100 +@@ -0,0 +1,98 @@ ++/* ==================================================================== ++ * Copyright (c) 2003 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * openssl-core@openssl.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ++ */ ++ ++#include ++#include ++ ++#ifndef OPENSSL_FIPS ++# error FIPS is disabled. ++#endif ++ ++#ifdef OPENSSL_FIPS ++ ++int FIPS_module_mode_set(int onoff); ++int FIPS_module_mode(void); ++int FIPS_module_installed(void); ++int FIPS_selftest_sha1(void); ++int FIPS_selftest_sha2(void); ++int FIPS_selftest_sha3(void); ++int FIPS_selftest_aes_ccm(void); ++int FIPS_selftest_aes_gcm(void); ++int FIPS_selftest_aes_xts(void); ++int FIPS_selftest_aes(void); ++int FIPS_selftest_des(void); ++int FIPS_selftest_rsa(void); ++int FIPS_selftest_dsa(void); ++int FIPS_selftest_ecdsa(void); ++int FIPS_selftest_ecdh(void); ++int FIPS_selftest_dh(void); ++void FIPS_drbg_stick(int onoff); ++int FIPS_selftest_hmac(void); ++int FIPS_selftest_drbg(void); ++int FIPS_selftest_cmac(void); ++ ++int fips_pkey_signature_test(EVP_PKEY *pkey, ++ const unsigned char *tbs, int tbslen, ++ const unsigned char *kat, ++ unsigned int katlen, ++ const EVP_MD *digest, ++ unsigned int md_flags, const char *fail_str); ++ ++int fips_cipher_test(EVP_CIPHER_CTX *ctx, ++ const EVP_CIPHER *cipher, ++ const unsigned char *key, ++ const unsigned char *iv, ++ const unsigned char *plaintext, ++ const unsigned char *ciphertext, int len); ++ ++void fips_set_selftest_fail(void); ++ ++void FIPS_get_timevec(unsigned char *buf, unsigned long *pctr); ++ ++#endif +diff -up openssl-1.1.1j/include/openssl/crypto.h.fips openssl-1.1.1j/include/openssl/crypto.h +--- openssl-1.1.1j/include/openssl/crypto.h.fips 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/include/openssl/crypto.h 2021-03-03 12:57:42.204734567 +0100 @@ -331,6 +331,11 @@ int OPENSSL_isservice(void); int FIPS_mode(void); int FIPS_mode_set(int r); @@ -10973,10 +10649,10 @@ diff -up openssl-1.1.1b/include/openssl/crypto.h.fips openssl-1.1.1b/include/ope void OPENSSL_init(void); # ifdef OPENSSL_SYS_UNIX void OPENSSL_fork_prepare(void); -diff -up openssl-1.1.1b/include/openssl/dherr.h.fips openssl-1.1.1b/include/openssl/dherr.h ---- openssl-1.1.1b/include/openssl/dherr.h.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/include/openssl/dherr.h 2019-02-28 11:30:06.820745410 +0100 -@@ -32,6 +32,9 @@ int ERR_load_DH_strings(void); +diff -up openssl-1.1.1j/include/openssl/dherr.h.fips openssl-1.1.1j/include/openssl/dherr.h +--- openssl-1.1.1j/include/openssl/dherr.h.fips 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/include/openssl/dherr.h 2021-03-03 12:57:42.204734567 +0100 +@@ -36,6 +36,9 @@ int ERR_load_DH_strings(void); # define DH_F_DH_CMS_DECRYPT 114 # define DH_F_DH_CMS_SET_PEERKEY 115 # define DH_F_DH_CMS_SET_SHARED_INFO 116 @@ -10986,7 +10662,7 @@ diff -up openssl-1.1.1b/include/openssl/dherr.h.fips openssl-1.1.1b/include/open # define DH_F_DH_METH_DUP 117 # define DH_F_DH_METH_NEW 118 # define DH_F_DH_METH_SET1_NAME 119 -@@ -69,12 +72,14 @@ int ERR_load_DH_strings(void); +@@ -73,12 +76,14 @@ int ERR_load_DH_strings(void); # define DH_R_INVALID_PARAMETER_NID 114 # define DH_R_INVALID_PUBKEY 102 # define DH_R_KDF_PARAMETER_ERROR 112 @@ -11001,9 +10677,9 @@ diff -up openssl-1.1.1b/include/openssl/dherr.h.fips openssl-1.1.1b/include/open # define DH_R_PARAMETER_ENCODING_ERROR 105 # define DH_R_PEER_KEY_ERROR 111 # define DH_R_SHARED_INFO_ERROR 113 -diff -up openssl-1.1.1b/include/openssl/dh.h.fips openssl-1.1.1b/include/openssl/dh.h ---- openssl-1.1.1b/include/openssl/dh.h.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/include/openssl/dh.h 2019-02-28 11:30:06.820745410 +0100 +diff -up openssl-1.1.1j/include/openssl/dh.h.fips openssl-1.1.1j/include/openssl/dh.h +--- openssl-1.1.1j/include/openssl/dh.h.fips 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/include/openssl/dh.h 2021-03-03 12:57:42.204734567 +0100 @@ -31,6 +31,7 @@ extern "C" { # endif @@ -11012,10 +10688,10 @@ diff -up openssl-1.1.1b/include/openssl/dh.h.fips openssl-1.1.1b/include/openssl # define DH_FLAG_CACHE_MONT_P 0x01 -diff -up openssl-1.1.1b/include/openssl/dsaerr.h.fips openssl-1.1.1b/include/openssl/dsaerr.h ---- openssl-1.1.1b/include/openssl/dsaerr.h.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/include/openssl/dsaerr.h 2019-02-28 11:30:06.821745391 +0100 -@@ -25,8 +25,11 @@ int ERR_load_DSA_strings(void); +diff -up openssl-1.1.1j/include/openssl/dsaerr.h.fips openssl-1.1.1j/include/openssl/dsaerr.h +--- openssl-1.1.1j/include/openssl/dsaerr.h.fips 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/include/openssl/dsaerr.h 2021-03-03 12:57:42.204734567 +0100 +@@ -29,8 +29,11 @@ int ERR_load_DSA_strings(void); */ # define DSA_F_DSAPARAMS_PRINT 100 # define DSA_F_DSAPARAMS_PRINT_FP 101 @@ -11027,22 +10703,23 @@ diff -up openssl-1.1.1b/include/openssl/dsaerr.h.fips openssl-1.1.1b/include/ope # define DSA_F_DSA_DO_SIGN 112 # define DSA_F_DSA_DO_VERIFY 113 # define DSA_F_DSA_METH_DUP 127 -@@ -56,9 +59,12 @@ int ERR_load_DSA_strings(void); +@@ -60,10 +63,13 @@ int ERR_load_DSA_strings(void); # define DSA_R_DECODE_ERROR 104 # define DSA_R_INVALID_DIGEST_TYPE 106 # define DSA_R_INVALID_PARAMETERS 112 +# define DSA_R_KEY_SIZE_INVALID 201 +# define DSA_R_KEY_SIZE_TOO_SMALL 202 # define DSA_R_MISSING_PARAMETERS 101 + # define DSA_R_MISSING_PRIVATE_KEY 111 # define DSA_R_MODULUS_TOO_LARGE 103 # define DSA_R_NO_PARAMETERS_SET 107 +# define DSA_R_NON_FIPS_DSA_METHOD 200 # define DSA_R_PARAMETER_ENCODING_ERROR 105 # define DSA_R_Q_NOT_PRIME 113 # define DSA_R_SEED_LEN_SMALL 110 -diff -up openssl-1.1.1b/include/openssl/dsa.h.fips openssl-1.1.1b/include/openssl/dsa.h ---- openssl-1.1.1b/include/openssl/dsa.h.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/include/openssl/dsa.h 2019-02-28 11:30:06.821745391 +0100 +diff -up openssl-1.1.1j/include/openssl/dsa.h.fips openssl-1.1.1j/include/openssl/dsa.h +--- openssl-1.1.1j/include/openssl/dsa.h.fips 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/include/openssl/dsa.h 2021-03-03 12:57:42.204734567 +0100 @@ -31,6 +31,7 @@ extern "C" { # endif @@ -11051,26 +10728,29 @@ diff -up openssl-1.1.1b/include/openssl/dsa.h.fips openssl-1.1.1b/include/openss # define DSA_FLAG_CACHE_MONT_P 0x01 # if OPENSSL_API_COMPAT < 0x10100000L -diff -up openssl-1.1.1b/include/openssl/evperr.h.fips openssl-1.1.1b/include/openssl/evperr.h ---- openssl-1.1.1b/include/openssl/evperr.h.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/include/openssl/evperr.h 2019-05-06 16:40:21.324571446 +0200 -@@ -20,11 +20,15 @@ int ERR_load_EVP_strings(void); +diff -up openssl-1.1.1j/include/openssl/evperr.h.fips openssl-1.1.1j/include/openssl/evperr.h +--- openssl-1.1.1j/include/openssl/evperr.h.fips 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/include/openssl/evperr.h 2021-03-03 12:57:42.204734567 +0100 +@@ -22,14 +22,15 @@ int ERR_load_EVP_strings(void); * EVP function codes. */ # define EVP_F_AESNI_INIT_KEY 165 +-# define EVP_F_AESNI_XTS_INIT_KEY 207 +# define EVP_F_AESNI_XTS_INIT_KEY 233 # define EVP_F_AES_GCM_CTRL 196 # define EVP_F_AES_INIT_KEY 133 # define EVP_F_AES_OCB_CIPHER 169 # define EVP_F_AES_T4_INIT_KEY 178 +-# define EVP_F_AES_T4_XTS_INIT_KEY 208 +# define EVP_F_AES_T4_XTS_INIT_KEY 234 # define EVP_F_AES_WRAP_CIPHER 170 +-# define EVP_F_AES_XTS_INIT_KEY 209 +# define EVP_F_AES_XTS_CIPHER 229 +# define EVP_F_AES_XTS_INIT_KEY 235 # define EVP_F_ALG_MODULE_INIT 177 # define EVP_F_ARIA_CCM_INIT_KEY 175 # define EVP_F_ARIA_GCM_CTRL 197 -@@ -133,6 +134,7 @@ int ERR_load_EVP_strings(void); +@@ -140,6 +141,7 @@ int ERR_load_EVP_strings(void); # define EVP_R_CTRL_OPERATION_NOT_IMPLEMENTED 133 # define EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH 138 # define EVP_R_DECODE_ERROR 114 @@ -11078,7 +10758,7 @@ diff -up openssl-1.1.1b/include/openssl/evperr.h.fips openssl-1.1.1b/include/ope # define EVP_R_DIFFERENT_KEY_TYPES 101 # define EVP_R_DIFFERENT_PARAMETERS 153 # define EVP_R_ERROR_LOADING_SECTION 165 -@@ -175,6 +177,7 @@ int ERR_load_EVP_strings(void); +@@ -184,6 +186,7 @@ int ERR_load_EVP_strings(void); # define EVP_R_PRIVATE_KEY_DECODE_ERROR 145 # define EVP_R_PRIVATE_KEY_ENCODE_ERROR 146 # define EVP_R_PUBLIC_KEY_NOT_RSA 106 @@ -11086,18 +10766,19 @@ diff -up openssl-1.1.1b/include/openssl/evperr.h.fips openssl-1.1.1b/include/ope # define EVP_R_UNKNOWN_CIPHER 160 # define EVP_R_UNKNOWN_DIGEST 161 # define EVP_R_UNKNOWN_OPTION 169 -@@ -190,5 +193,7 @@ int ERR_load_EVP_strings(void); +@@ -199,6 +202,7 @@ int ERR_load_EVP_strings(void); # define EVP_R_UNSUPPORTED_SALT_TYPE 126 # define EVP_R_WRAP_MODE_NOT_ALLOWED 170 # define EVP_R_WRONG_FINAL_BLOCK_LENGTH 109 +-# define EVP_R_XTS_DUPLICATED_KEYS 183 +# define EVP_R_XTS_DATA_UNIT_IS_TOO_LARGE 191 +# define EVP_R_XTS_DUPLICATED_KEYS 192 #endif -diff -up openssl-1.1.1b/include/openssl/evp.h.fips openssl-1.1.1b/include/openssl/evp.h ---- openssl-1.1.1b/include/openssl/evp.h.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/include/openssl/evp.h 2019-05-06 14:54:13.213136281 +0200 -@@ -1319,6 +1319,9 @@ void EVP_PKEY_asn1_set_security_bits(EVP +diff -up openssl-1.1.1j/include/openssl/evp.h.fips openssl-1.1.1j/include/openssl/evp.h +--- openssl-1.1.1j/include/openssl/evp.h.fips 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/include/openssl/evp.h 2021-03-03 12:57:42.204734567 +0100 +@@ -1324,6 +1324,9 @@ void EVP_PKEY_asn1_set_security_bits(EVP */ # define EVP_PKEY_FLAG_SIGCTX_CUSTOM 4 @@ -11107,9 +10788,9 @@ diff -up openssl-1.1.1b/include/openssl/evp.h.fips openssl-1.1.1b/include/openss const EVP_PKEY_METHOD *EVP_PKEY_meth_find(int type); EVP_PKEY_METHOD *EVP_PKEY_meth_new(int id, int flags); void EVP_PKEY_meth_get0_info(int *ppkey_id, int *pflags, -diff -up openssl-1.1.1b/include/openssl/fips.h.fips openssl-1.1.1b/include/openssl/fips.h ---- openssl-1.1.1b/include/openssl/fips.h.fips 2019-05-06 16:08:46.800598073 +0200 -+++ openssl-1.1.1b/include/openssl/fips.h 2019-05-06 16:43:12.874549821 +0200 +diff -up openssl-1.1.1j/include/openssl/fips.h.fips openssl-1.1.1j/include/openssl/fips.h +--- openssl-1.1.1j/include/openssl/fips.h.fips 2021-03-03 12:57:42.204734567 +0100 ++++ openssl-1.1.1j/include/openssl/fips.h 2021-03-03 12:57:42.204734567 +0100 @@ -0,0 +1,187 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -11298,9 +10979,9 @@ diff -up openssl-1.1.1b/include/openssl/fips.h.fips openssl-1.1.1b/include/opens +} +# endif +#endif -diff -up openssl-1.1.1b/include/openssl/fips_rand.h.fips openssl-1.1.1b/include/openssl/fips_rand.h ---- openssl-1.1.1b/include/openssl/fips_rand.h.fips 2019-02-28 11:30:06.821745391 +0100 -+++ openssl-1.1.1b/include/openssl/fips_rand.h 2019-02-28 11:30:06.821745391 +0100 +diff -up openssl-1.1.1j/include/openssl/fips_rand.h.fips openssl-1.1.1j/include/openssl/fips_rand.h +--- openssl-1.1.1j/include/openssl/fips_rand.h.fips 2021-03-03 12:57:42.204734567 +0100 ++++ openssl-1.1.1j/include/openssl/fips_rand.h 2021-03-03 12:57:42.204734567 +0100 @@ -0,0 +1,145 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -11447,10 +11128,10 @@ diff -up openssl-1.1.1b/include/openssl/fips_rand.h.fips openssl-1.1.1b/include/ +# endif +# endif +#endif -diff -up openssl-1.1.1b/include/openssl/opensslconf.h.in.fips openssl-1.1.1b/include/openssl/opensslconf.h.in ---- openssl-1.1.1b/include/openssl/opensslconf.h.in.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/include/openssl/opensslconf.h.in 2019-02-28 11:30:06.822745372 +0100 -@@ -150,6 +150,11 @@ extern "C" { +diff -up openssl-1.1.1j/include/openssl/opensslconf.h.in.fips openssl-1.1.1j/include/openssl/opensslconf.h.in +--- openssl-1.1.1j/include/openssl/opensslconf.h.in.fips 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/include/openssl/opensslconf.h.in 2021-03-03 12:57:42.205734575 +0100 +@@ -155,6 +155,11 @@ extern "C" { #define RC4_INT {- $config{rc4_int} -} @@ -11462,10 +11143,10 @@ diff -up openssl-1.1.1b/include/openssl/opensslconf.h.in.fips openssl-1.1.1b/inc #ifdef __cplusplus } #endif -diff -up openssl-1.1.1b/include/openssl/randerr.h.fips openssl-1.1.1b/include/openssl/randerr.h ---- openssl-1.1.1b/include/openssl/randerr.h.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/include/openssl/randerr.h 2019-02-28 11:30:06.822745372 +0100 -@@ -35,6 +35,7 @@ int ERR_load_RAND_strings(void); +diff -up openssl-1.1.1j/include/openssl/randerr.h.fips openssl-1.1.1j/include/openssl/randerr.h +--- openssl-1.1.1j/include/openssl/randerr.h.fips 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/include/openssl/randerr.h 2021-03-03 12:57:42.205734575 +0100 +@@ -38,6 +38,7 @@ int ERR_load_RAND_strings(void); # define RAND_F_RAND_DRBG_SET 104 # define RAND_F_RAND_DRBG_SET_DEFAULTS 121 # define RAND_F_RAND_DRBG_UNINSTANTIATE 118 @@ -11473,9 +11154,9 @@ diff -up openssl-1.1.1b/include/openssl/randerr.h.fips openssl-1.1.1b/include/op # define RAND_F_RAND_LOAD_FILE 111 # define RAND_F_RAND_POOL_ACQUIRE_ENTROPY 122 # define RAND_F_RAND_POOL_ADD 103 -diff -up openssl-1.1.1b/include/openssl/rand.h.fips openssl-1.1.1b/include/openssl/rand.h ---- openssl-1.1.1b/include/openssl/rand.h.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/include/openssl/rand.h 2019-02-28 11:30:06.822745372 +0100 +diff -up openssl-1.1.1j/include/openssl/rand.h.fips openssl-1.1.1j/include/openssl/rand.h +--- openssl-1.1.1j/include/openssl/rand.h.fips 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/include/openssl/rand.h 2021-03-03 12:57:42.205734575 +0100 @@ -69,6 +69,11 @@ DEPRECATEDIN_1_1_0(void RAND_screen(void DEPRECATEDIN_1_1_0(int RAND_event(UINT, WPARAM, LPARAM)) # endif @@ -11488,10 +11169,10 @@ diff -up openssl-1.1.1b/include/openssl/rand.h.fips openssl-1.1.1b/include/opens #ifdef __cplusplus } -diff -up openssl-1.1.1b/include/openssl/rsaerr.h.fips openssl-1.1.1b/include/openssl/rsaerr.h ---- openssl-1.1.1b/include/openssl/rsaerr.h.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/include/openssl/rsaerr.h 2019-02-28 11:30:06.822745372 +0100 -@@ -21,6 +21,7 @@ int ERR_load_RSA_strings(void); +diff -up openssl-1.1.1j/include/openssl/rsaerr.h.fips openssl-1.1.1j/include/openssl/rsaerr.h +--- openssl-1.1.1j/include/openssl/rsaerr.h.fips 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/include/openssl/rsaerr.h 2021-03-03 12:57:42.205734575 +0100 +@@ -25,6 +25,7 @@ int ERR_load_RSA_strings(void); */ # define RSA_F_CHECK_PADDING_MD 140 # define RSA_F_ENCODE_PKCS1 146 @@ -11499,7 +11180,7 @@ diff -up openssl-1.1.1b/include/openssl/rsaerr.h.fips openssl-1.1.1b/include/ope # define RSA_F_INT_RSA_VERIFY 145 # define RSA_F_OLD_RSA_PRIV_DECODE 147 # define RSA_F_PKEY_PSS_INIT 165 -@@ -35,6 +36,8 @@ int ERR_load_RSA_strings(void); +@@ -39,6 +40,8 @@ int ERR_load_RSA_strings(void); # define RSA_F_RSA_CHECK_KEY_EX 160 # define RSA_F_RSA_CMS_DECRYPT 159 # define RSA_F_RSA_CMS_VERIFY 158 @@ -11508,7 +11189,7 @@ diff -up openssl-1.1.1b/include/openssl/rsaerr.h.fips openssl-1.1.1b/include/ope # define RSA_F_RSA_ITEM_VERIFY 148 # define RSA_F_RSA_METH_DUP 161 # define RSA_F_RSA_METH_NEW 162 -@@ -72,10 +75,16 @@ int ERR_load_RSA_strings(void); +@@ -76,10 +79,16 @@ int ERR_load_RSA_strings(void); # define RSA_F_RSA_PRINT_FP 116 # define RSA_F_RSA_PRIV_DECODE 150 # define RSA_F_RSA_PRIV_ENCODE 138 @@ -11525,7 +11206,7 @@ diff -up openssl-1.1.1b/include/openssl/rsaerr.h.fips openssl-1.1.1b/include/ope # define RSA_F_RSA_SIGN 117 # define RSA_F_RSA_SIGN_ASN1_OCTET_STRING 118 # define RSA_F_RSA_VERIFY 119 -@@ -132,10 +141,12 @@ int ERR_load_RSA_strings(void); +@@ -137,10 +146,12 @@ int ERR_load_RSA_strings(void); # define RSA_R_MP_EXPONENT_NOT_CONGRUENT_TO_D 169 # define RSA_R_MP_R_NOT_PRIME 170 # define RSA_R_NO_PUBLIC_EXPONENT 140 @@ -11538,7 +11219,7 @@ diff -up openssl-1.1.1b/include/openssl/rsaerr.h.fips openssl-1.1.1b/include/ope # define RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 148 # define RSA_R_PADDING_CHECK_FAILED 114 # define RSA_R_PKCS_DECODING_ERROR 159 -@@ -155,6 +166,7 @@ int ERR_load_RSA_strings(void); +@@ -160,6 +171,7 @@ int ERR_load_RSA_strings(void); # define RSA_R_UNSUPPORTED_LABEL_SOURCE 163 # define RSA_R_UNSUPPORTED_MASK_ALGORITHM 153 # define RSA_R_UNSUPPORTED_MASK_PARAMETER 154 @@ -11546,9 +11227,111 @@ diff -up openssl-1.1.1b/include/openssl/rsaerr.h.fips openssl-1.1.1b/include/ope # define RSA_R_UNSUPPORTED_SIGNATURE_TYPE 155 # define RSA_R_VALUE_MISSING 147 # define RSA_R_WRONG_SIGNATURE_LENGTH 119 -diff -up openssl-1.1.1b/ssl/ssl_ciph.c.fips openssl-1.1.1b/ssl/ssl_ciph.c ---- openssl-1.1.1b/ssl/ssl_ciph.c.fips 2019-02-28 11:30:06.776746228 +0100 -+++ openssl-1.1.1b/ssl/ssl_ciph.c 2019-02-28 11:30:06.822745372 +0100 +diff -up openssl-1.1.1j/ssl/s3_lib.c.fips openssl-1.1.1j/ssl/s3_lib.c +--- openssl-1.1.1j/ssl/s3_lib.c.fips 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/ssl/s3_lib.c 2021-03-03 12:57:42.205734575 +0100 +@@ -43,7 +43,7 @@ static SSL_CIPHER tls13_ciphers[] = { + SSL_AEAD, + TLS1_3_VERSION, TLS1_3_VERSION, + 0, 0, +- SSL_HIGH, ++ SSL_HIGH | SSL_FIPS, + SSL_HANDSHAKE_MAC_SHA256, + 128, + 128, +@@ -58,7 +58,7 @@ static SSL_CIPHER tls13_ciphers[] = { + SSL_AEAD, + TLS1_3_VERSION, TLS1_3_VERSION, + 0, 0, +- SSL_HIGH, ++ SSL_HIGH | SSL_FIPS, + SSL_HANDSHAKE_MAC_SHA384, + 256, + 256, +@@ -92,7 +92,7 @@ static SSL_CIPHER tls13_ciphers[] = { + SSL_AEAD, + TLS1_3_VERSION, TLS1_3_VERSION, + 0, 0, +- SSL_NOT_DEFAULT | SSL_HIGH, ++ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS, + SSL_HANDSHAKE_MAC_SHA256, + 128, + 128, +@@ -634,7 +634,7 @@ static SSL_CIPHER ssl3_ciphers[] = { + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, +- SSL_NOT_DEFAULT | SSL_HIGH, ++ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS, + SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, + 128, + 128, +@@ -650,7 +650,7 @@ static SSL_CIPHER ssl3_ciphers[] = { + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, +- SSL_NOT_DEFAULT | SSL_HIGH, ++ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS, + SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, + 256, + 256, +@@ -666,7 +666,7 @@ static SSL_CIPHER ssl3_ciphers[] = { + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, +- SSL_NOT_DEFAULT | SSL_HIGH, ++ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS, + SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, + 128, + 128, +@@ -682,7 +682,7 @@ static SSL_CIPHER ssl3_ciphers[] = { + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, +- SSL_NOT_DEFAULT | SSL_HIGH, ++ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS, + SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, + 256, + 256, +@@ -794,7 +794,7 @@ static SSL_CIPHER ssl3_ciphers[] = { + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, +- SSL_NOT_DEFAULT | SSL_HIGH, ++ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS, + SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, + 128, + 128, +@@ -810,7 +810,7 @@ static SSL_CIPHER ssl3_ciphers[] = { + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, +- SSL_NOT_DEFAULT | SSL_HIGH, ++ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS, + SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, + 256, + 256, +@@ -890,7 +890,7 @@ static SSL_CIPHER ssl3_ciphers[] = { + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, +- SSL_NOT_DEFAULT | SSL_HIGH, ++ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS, + SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, + 128, + 128, +@@ -906,7 +906,7 @@ static SSL_CIPHER ssl3_ciphers[] = { + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, +- SSL_NOT_DEFAULT | SSL_HIGH, ++ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS, + SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, + 256, + 256, +diff -up openssl-1.1.1j/ssl/ssl_ciph.c.fips openssl-1.1.1j/ssl/ssl_ciph.c +--- openssl-1.1.1j/ssl/ssl_ciph.c.fips 2021-03-03 12:57:42.193734476 +0100 ++++ openssl-1.1.1j/ssl/ssl_ciph.c 2021-03-03 12:57:42.206734583 +0100 @@ -387,7 +387,7 @@ int ssl_load_ciphers(void) } } @@ -11577,7 +11360,7 @@ diff -up openssl-1.1.1b/ssl/ssl_ciph.c.fips openssl-1.1.1b/ssl/ssl_ciph.c if ((c->algorithm_mkey & disabled_mkey) || (c->algorithm_auth & disabled_auth) || (c->algorithm_enc & disabled_enc) || -@@ -1670,7 +1675,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ +@@ -1671,7 +1676,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ * to the resulting precedence to the STACK_OF(SSL_CIPHER). */ for (curr = head; curr != NULL; curr = curr->next) { @@ -11587,9 +11370,9 @@ diff -up openssl-1.1.1b/ssl/ssl_ciph.c.fips openssl-1.1.1b/ssl/ssl_ciph.c if (!sk_SSL_CIPHER_push(cipherstack, curr->cipher)) { OPENSSL_free(co_list); sk_SSL_CIPHER_free(cipherstack); -diff -up openssl-1.1.1b/ssl/ssl_init.c.fips openssl-1.1.1b/ssl/ssl_init.c ---- openssl-1.1.1b/ssl/ssl_init.c.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/ssl/ssl_init.c 2019-02-28 11:30:06.823745354 +0100 +diff -up openssl-1.1.1j/ssl/ssl_init.c.fips openssl-1.1.1j/ssl/ssl_init.c +--- openssl-1.1.1j/ssl/ssl_init.c.fips 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/ssl/ssl_init.c 2021-03-03 12:57:42.206734583 +0100 @@ -27,6 +27,10 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_ssl_bas fprintf(stderr, "OPENSSL_INIT: ossl_init_ssl_base: " "Adding SSL ciphers and digests\n"); @@ -11633,10 +11416,10 @@ diff -up openssl-1.1.1b/ssl/ssl_init.c.fips openssl-1.1.1b/ssl/ssl_init.c #ifndef OPENSSL_NO_COMP # ifdef OPENSSL_INIT_DEBUG fprintf(stderr, "OPENSSL_INIT: ossl_init_ssl_base: " -diff -up openssl-1.1.1b/ssl/ssl_lib.c.fips openssl-1.1.1b/ssl/ssl_lib.c ---- openssl-1.1.1b/ssl/ssl_lib.c.fips 2019-02-28 11:30:06.776746228 +0100 -+++ openssl-1.1.1b/ssl/ssl_lib.c 2019-02-28 11:30:06.823745354 +0100 -@@ -2908,6 +2908,11 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m +diff -up openssl-1.1.1j/ssl/ssl_lib.c.fips openssl-1.1.1j/ssl/ssl_lib.c +--- openssl-1.1.1j/ssl/ssl_lib.c.fips 2021-03-03 12:57:42.193734476 +0100 ++++ openssl-1.1.1j/ssl/ssl_lib.c 2021-03-03 12:57:42.206734583 +0100 +@@ -2973,6 +2973,11 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m if (!OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL)) return NULL; @@ -11648,7 +11431,7 @@ diff -up openssl-1.1.1b/ssl/ssl_lib.c.fips openssl-1.1.1b/ssl/ssl_lib.c if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0) { SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_X509_VERIFICATION_SETUP_PROBLEMS); goto err; -@@ -2964,13 +2969,17 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m +@@ -3029,13 +3034,17 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m if (ret->param == NULL) goto err; @@ -11673,10 +11456,10 @@ diff -up openssl-1.1.1b/ssl/ssl_lib.c.fips openssl-1.1.1b/ssl/ssl_lib.c } if ((ret->ca_names = sk_X509_NAME_new_null()) == NULL) -diff -up openssl-1.1.1c/ssl/ssl_locl.h.fips openssl-1.1.1c/ssl/ssl_locl.h ---- openssl-1.1.1c/ssl/ssl_locl.h.fips 2019-06-03 16:44:58.963560101 +0200 -+++ openssl-1.1.1c/ssl/ssl_locl.h 2019-06-24 14:43:19.547353076 +0200 -@@ -1507,6 +1507,7 @@ typedef struct tls_group_info_st { +diff -up openssl-1.1.1j/ssl/ssl_local.h.fips openssl-1.1.1j/ssl/ssl_local.h +--- openssl-1.1.1j/ssl/ssl_local.h.fips 2021-03-03 12:57:42.100733706 +0100 ++++ openssl-1.1.1j/ssl/ssl_local.h 2021-03-03 12:57:42.206734583 +0100 +@@ -1515,6 +1515,7 @@ typedef struct tls_group_info_st { # define TLS_CURVE_PRIME 0x0 # define TLS_CURVE_CHAR2 0x1 # define TLS_CURVE_CUSTOM 0x2 @@ -11684,10 +11467,10 @@ diff -up openssl-1.1.1c/ssl/ssl_locl.h.fips openssl-1.1.1c/ssl/ssl_locl.h typedef struct cert_pkey_st CERT_PKEY; -diff -up openssl-1.1.1c/ssl/t1_lib.c.fips openssl-1.1.1c/ssl/t1_lib.c ---- openssl-1.1.1c/ssl/t1_lib.c.fips 2019-05-28 15:12:21.000000000 +0200 -+++ openssl-1.1.1c/ssl/t1_lib.c 2019-06-24 14:49:00.638576235 +0200 -@@ -156,11 +156,11 @@ static const TLS_GROUP_INFO nid_list[] = +diff -up openssl-1.1.1j/ssl/t1_lib.c.fips openssl-1.1.1j/ssl/t1_lib.c +--- openssl-1.1.1j/ssl/t1_lib.c.fips 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/ssl/t1_lib.c 2021-03-03 12:57:42.207734591 +0100 +@@ -159,11 +159,11 @@ static const TLS_GROUP_INFO nid_list[] = {NID_secp192k1, 80, TLS_CURVE_PRIME}, /* secp192k1 (18) */ {NID_X9_62_prime192v1, 80, TLS_CURVE_PRIME}, /* secp192r1 (19) */ {NID_secp224k1, 112, TLS_CURVE_PRIME}, /* secp224k1 (20) */ @@ -11703,7 +11486,7 @@ diff -up openssl-1.1.1c/ssl/t1_lib.c.fips openssl-1.1.1c/ssl/t1_lib.c {NID_brainpoolP256r1, 128, TLS_CURVE_PRIME}, /* brainpoolP256r1 (26) */ {NID_brainpoolP384r1, 192, TLS_CURVE_PRIME}, /* brainpoolP384r1 (27) */ {NID_brainpoolP512r1, 256, TLS_CURVE_PRIME}, /* brainpool512r1 (28) */ -@@ -255,6 +255,8 @@ int tls_curve_allowed(SSL *s, uint16_t c +@@ -258,6 +258,8 @@ int tls_curve_allowed(SSL *s, uint16_t c if (cinfo->flags & TLS_CURVE_CHAR2) return 0; # endif @@ -11712,9 +11495,9 @@ diff -up openssl-1.1.1c/ssl/t1_lib.c.fips openssl-1.1.1c/ssl/t1_lib.c ctmp[0] = curve >> 8; ctmp[1] = curve & 0xff; return ssl_security(s, op, cinfo->secbits, cinfo->nid, (void *)ctmp); -diff -up openssl-1.1.1b/test/dsatest.c.fips openssl-1.1.1b/test/dsatest.c ---- openssl-1.1.1b/test/dsatest.c.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/test/dsatest.c 2019-02-28 11:30:06.824745335 +0100 +diff -up openssl-1.1.1j/test/dsatest.c.fips openssl-1.1.1j/test/dsatest.c +--- openssl-1.1.1j/test/dsatest.c.fips 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/test/dsatest.c 2021-03-03 12:57:42.207734591 +0100 @@ -24,41 +24,42 @@ #ifndef OPENSSL_NO_DSA static int dsa_cb(int p, int n, BN_GENCB *arg); @@ -11797,10 +11580,10 @@ diff -up openssl-1.1.1b/test/dsatest.c.fips openssl-1.1.1b/test/dsatest.c goto end; if (!TEST_int_eq(h, 2)) goto end; -diff -up openssl-1.1.1b/test/recipes/30-test_evp_data/evpciph.txt.fips openssl-1.1.1b/test/recipes/30-test_evp_data/evpciph.txt ---- openssl-1.1.1b/test/recipes/30-test_evp_data/evpciph.txt.fips 2019-05-06 16:08:46.857597085 +0200 -+++ openssl-1.1.1b/test/recipes/30-test_evp_data/evpciph.txt 2019-05-06 16:35:37.917563292 +0200 -@@ -1184,6 +1184,7 @@ Key = 0000000000000000000000000000000000 +diff -up openssl-1.1.1j/test/recipes/30-test_evp_data/evpciph.txt.fips openssl-1.1.1j/test/recipes/30-test_evp_data/evpciph.txt +--- openssl-1.1.1j/test/recipes/30-test_evp_data/evpciph.txt.fips 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/test/recipes/30-test_evp_data/evpciph.txt 2021-03-03 12:57:42.207734591 +0100 +@@ -1206,6 +1206,7 @@ Key = 0000000000000000000000000000000000 IV = 00000000000000000000000000000000 Plaintext = 0000000000000000000000000000000000000000000000000000000000000000 Ciphertext = 917cf69ebd68b2ec9b9fe9a3eadda692cd43d2f59598ed858c02c2652fbf922e @@ -11808,13 +11591,13 @@ diff -up openssl-1.1.1b/test/recipes/30-test_evp_data/evpciph.txt.fips openssl-1 Cipher = aes-128-xts Key = 1111111111111111111111111111111122222222222222222222222222222222 -diff -up openssl-1.1.1c/util/libcrypto.num.fips openssl-1.1.1c/util/libcrypto.num ---- openssl-1.1.1c/util/libcrypto.num.fips 2019-05-29 15:46:19.154260824 +0200 -+++ openssl-1.1.1c/util/libcrypto.num 2019-05-29 15:50:10.390191805 +0200 -@@ -4580,3 +4580,38 @@ EVP_PKEY_meth_get_digest_custom - OPENSSL_INIT_set_config_filename 4534 1_1_1b EXIST::FUNCTION:STDIO - OPENSSL_INIT_set_config_file_flags 4535 1_1_1b EXIST::FUNCTION:STDIO - EVP_PKEY_get0_engine 4536 1_1_1c EXIST::FUNCTION:ENGINE +diff -up openssl-1.1.1j/util/libcrypto.num.fips openssl-1.1.1j/util/libcrypto.num +--- openssl-1.1.1j/util/libcrypto.num.fips 2021-02-16 16:24:01.000000000 +0100 ++++ openssl-1.1.1j/util/libcrypto.num 2021-03-03 12:57:42.208734600 +0100 +@@ -4591,3 +4591,38 @@ X509_ALGOR_copy + X509_REQ_set0_signature 4545 1_1_1h EXIST::FUNCTION: + X509_REQ_set1_signature_algo 4546 1_1_1h EXIST::FUNCTION: + EC_KEY_decoded_from_explicit_params 4547 1_1_1h EXIST::FUNCTION:EC +FIPS_drbg_reseed 6348 1_1_0g EXIST::FUNCTION: +FIPS_selftest_check 6349 1_1_0g EXIST::FUNCTION: +FIPS_rand_set_method 6350 1_1_0g EXIST::FUNCTION: diff --git a/openssl-1.1.1-ignore-bound.patch b/openssl-1.1.1-ignore-bound.patch deleted file mode 100644 index 4838f3d..0000000 --- a/openssl-1.1.1-ignore-bound.patch +++ /dev/null @@ -1,14 +0,0 @@ -Do not return failure when setting version bound on fixed protocol -version method. -diff -up openssl-1.1.1-pre8/ssl/statem/statem_lib.c.ignore-bound openssl-1.1.1-pre8/ssl/statem/statem_lib.c ---- openssl-1.1.1-pre8/ssl/statem/statem_lib.c.ignore-bound 2018-06-20 16:48:13.000000000 +0200 -+++ openssl-1.1.1-pre8/ssl/statem/statem_lib.c 2018-08-13 11:07:52.826304045 +0200 -@@ -1595,7 +1595,7 @@ int ssl_set_version_bound(int method_ver - * methods are not subject to controls that disable individual protocol - * versions. - */ -- return 0; -+ return 1; - - case TLS_ANY_VERSION: - if (version < SSL3_VERSION || version > TLS_MAX_VERSION) diff --git a/openssl-1.1.1-intel-cet.patch b/openssl-1.1.1-intel-cet.patch new file mode 100644 index 0000000..a95bf9c --- /dev/null +++ b/openssl-1.1.1-intel-cet.patch @@ -0,0 +1,500 @@ +diff -up openssl-1.1.1e/crypto/aes/asm/aesni-x86_64.pl.intel-cet openssl-1.1.1e/crypto/aes/asm/aesni-x86_64.pl +--- openssl-1.1.1e/crypto/aes/asm/aesni-x86_64.pl.intel-cet 2020-03-17 15:31:17.000000000 +0100 ++++ openssl-1.1.1e/crypto/aes/asm/aesni-x86_64.pl 2020-03-19 17:07:02.626522694 +0100 +@@ -275,6 +275,7 @@ $code.=<<___; + .align 16 + ${PREFIX}_encrypt: + .cfi_startproc ++ endbranch + movups ($inp),$inout0 # load input + mov 240($key),$rounds # key->rounds + ___ +@@ -293,6 +294,7 @@ $code.=<<___; + .align 16 + ${PREFIX}_decrypt: + .cfi_startproc ++ endbranch + movups ($inp),$inout0 # load input + mov 240($key),$rounds # key->rounds + ___ +@@ -613,6 +615,7 @@ $code.=<<___; + .align 16 + aesni_ecb_encrypt: + .cfi_startproc ++ endbranch + ___ + $code.=<<___ if ($win64); + lea -0x58(%rsp),%rsp +@@ -985,6 +988,7 @@ $code.=<<___; + .align 16 + aesni_ccm64_encrypt_blocks: + .cfi_startproc ++ endbranch + ___ + $code.=<<___ if ($win64); + lea -0x58(%rsp),%rsp +@@ -1077,6 +1081,7 @@ $code.=<<___; + .align 16 + aesni_ccm64_decrypt_blocks: + .cfi_startproc ++ endbranch + ___ + $code.=<<___ if ($win64); + lea -0x58(%rsp),%rsp +@@ -1203,6 +1208,7 @@ $code.=<<___; + .align 16 + aesni_ctr32_encrypt_blocks: + .cfi_startproc ++ endbranch + cmp \$1,$len + jne .Lctr32_bulk + +@@ -1775,6 +1781,7 @@ $code.=<<___; + .align 16 + aesni_xts_encrypt: + .cfi_startproc ++ endbranch + lea (%rsp),%r11 # frame pointer + .cfi_def_cfa_register %r11 + push %rbp +@@ -2258,6 +2265,7 @@ $code.=<<___; + .align 16 + aesni_xts_decrypt: + .cfi_startproc ++ endbranch + lea (%rsp),%r11 # frame pointer + .cfi_def_cfa_register %r11 + push %rbp +@@ -2783,6 +2791,7 @@ $code.=<<___; + .align 32 + aesni_ocb_encrypt: + .cfi_startproc ++ endbranch + lea (%rsp),%rax + push %rbx + .cfi_push %rbx +@@ -3249,6 +3258,7 @@ __ocb_encrypt1: + .align 32 + aesni_ocb_decrypt: + .cfi_startproc ++ endbranch + lea (%rsp),%rax + push %rbx + .cfi_push %rbx +@@ -3737,6 +3747,7 @@ $code.=<<___; + .align 16 + ${PREFIX}_cbc_encrypt: + .cfi_startproc ++ endbranch + test $len,$len # check length + jz .Lcbc_ret + +diff -up openssl-1.1.1e/crypto/aes/asm/vpaes-x86_64.pl.intel-cet openssl-1.1.1e/crypto/aes/asm/vpaes-x86_64.pl +--- openssl-1.1.1e/crypto/aes/asm/vpaes-x86_64.pl.intel-cet 2020-03-17 15:31:17.000000000 +0100 ++++ openssl-1.1.1e/crypto/aes/asm/vpaes-x86_64.pl 2020-03-19 17:00:15.974621757 +0100 +@@ -696,6 +696,7 @@ _vpaes_schedule_mangle: + .align 16 + ${PREFIX}_set_encrypt_key: + .cfi_startproc ++ endbranch + ___ + $code.=<<___ if ($win64); + lea -0xb8(%rsp),%rsp +@@ -746,6 +747,7 @@ $code.=<<___; + .align 16 + ${PREFIX}_set_decrypt_key: + .cfi_startproc ++ endbranch + ___ + $code.=<<___ if ($win64); + lea -0xb8(%rsp),%rsp +@@ -801,6 +803,7 @@ $code.=<<___; + .align 16 + ${PREFIX}_encrypt: + .cfi_startproc ++ endbranch + ___ + $code.=<<___ if ($win64); + lea -0xb8(%rsp),%rsp +@@ -846,6 +849,7 @@ $code.=<<___; + .align 16 + ${PREFIX}_decrypt: + .cfi_startproc ++ endbranch + ___ + $code.=<<___ if ($win64); + lea -0xb8(%rsp),%rsp +@@ -897,6 +901,7 @@ $code.=<<___; + .align 16 + ${PREFIX}_cbc_encrypt: + .cfi_startproc ++ endbranch + xchg $key,$len + ___ + ($len,$key)=($key,$len); +diff -up openssl-1.1.1e/crypto/async/arch/async_posix.c.intel-cet openssl-1.1.1e/crypto/async/arch/async_posix.c +--- openssl-1.1.1e/crypto/async/arch/async_posix.c.intel-cet 2020-03-17 15:31:17.000000000 +0100 ++++ openssl-1.1.1e/crypto/async/arch/async_posix.c 2020-03-19 17:00:15.974621757 +0100 +@@ -34,7 +34,9 @@ void async_local_cleanup(void) + + int async_fibre_makecontext(async_fibre *fibre) + { ++#ifndef USE_SWAPCONTEXT + fibre->env_init = 0; ++#endif + if (getcontext(&fibre->fibre) == 0) { + fibre->fibre.uc_stack.ss_sp = OPENSSL_malloc(STACKSIZE); + if (fibre->fibre.uc_stack.ss_sp != NULL) { +diff -up openssl-1.1.1e/crypto/async/arch/async_posix.h.intel-cet openssl-1.1.1e/crypto/async/arch/async_posix.h +--- openssl-1.1.1e/crypto/async/arch/async_posix.h.intel-cet 2020-03-19 17:00:15.435631166 +0100 ++++ openssl-1.1.1e/crypto/async/arch/async_posix.h 2020-03-19 17:00:15.975621739 +0100 +@@ -25,17 +25,33 @@ + # define ASYNC_POSIX + # define ASYNC_ARCH + ++# ifdef __CET__ ++/* ++ * When Intel CET is enabled, makecontext will create a different ++ * shadow stack for each context. async_fibre_swapcontext cannot ++ * use _longjmp. It must call swapcontext to swap shadow stack as ++ * well as normal stack. ++ */ ++# define USE_SWAPCONTEXT ++# endif + # include +-# include ++# ifndef USE_SWAPCONTEXT ++# include ++# endif + + typedef struct async_fibre_st { + ucontext_t fibre; ++# ifndef USE_SWAPCONTEXT + jmp_buf env; + int env_init; ++# endif + } async_fibre; + + static ossl_inline int async_fibre_swapcontext(async_fibre *o, async_fibre *n, int r) + { ++# ifdef USE_SWAPCONTEXT ++ swapcontext(&o->fibre, &n->fibre); ++# else + o->env_init = 1; + + if (!r || !_setjmp(o->env)) { +@@ -44,6 +60,7 @@ static ossl_inline int async_fibre_swapc + else + setcontext(&n->fibre); + } ++# endif + + return 1; + } +diff -up openssl-1.1.1e/crypto/camellia/asm/cmll-x86_64.pl.intel-cet openssl-1.1.1e/crypto/camellia/asm/cmll-x86_64.pl +--- openssl-1.1.1e/crypto/camellia/asm/cmll-x86_64.pl.intel-cet 2020-03-17 15:31:17.000000000 +0100 ++++ openssl-1.1.1e/crypto/camellia/asm/cmll-x86_64.pl 2020-03-19 17:00:15.975621739 +0100 +@@ -685,6 +685,7 @@ $code.=<<___; + .align 16 + Camellia_cbc_encrypt: + .cfi_startproc ++ endbranch + cmp \$0,%rdx + je .Lcbc_abort + push %rbx +diff -up openssl-1.1.1e/crypto/modes/asm/ghash-x86_64.pl.intel-cet openssl-1.1.1e/crypto/modes/asm/ghash-x86_64.pl +--- openssl-1.1.1e/crypto/modes/asm/ghash-x86_64.pl.intel-cet 2020-03-17 15:31:17.000000000 +0100 ++++ openssl-1.1.1e/crypto/modes/asm/ghash-x86_64.pl 2020-03-19 17:00:15.975621739 +0100 +@@ -239,6 +239,7 @@ $code=<<___; + .align 16 + gcm_gmult_4bit: + .cfi_startproc ++ endbranch + push %rbx + .cfi_push %rbx + push %rbp # %rbp and others are pushed exclusively in +@@ -286,6 +287,7 @@ $code.=<<___; + .align 16 + gcm_ghash_4bit: + .cfi_startproc ++ endbranch + push %rbx + .cfi_push %rbx + push %rbp +@@ -612,6 +614,7 @@ $code.=<<___; + .align 16 + gcm_gmult_clmul: + .cfi_startproc ++ endbranch + .L_gmult_clmul: + movdqu ($Xip),$Xi + movdqa .Lbswap_mask(%rip),$T3 +@@ -663,6 +666,7 @@ $code.=<<___; + .align 32 + gcm_ghash_clmul: + .cfi_startproc ++ endbranch + .L_ghash_clmul: + ___ + $code.=<<___ if ($win64); +@@ -1166,6 +1170,7 @@ $code.=<<___; + .align 32 + gcm_gmult_avx: + .cfi_startproc ++ endbranch + jmp .L_gmult_clmul + .cfi_endproc + .size gcm_gmult_avx,.-gcm_gmult_avx +@@ -1177,6 +1182,7 @@ $code.=<<___; + .align 32 + gcm_ghash_avx: + .cfi_startproc ++ endbranch + ___ + if ($avx) { + my ($Xip,$Htbl,$inp,$len)=@_4args; +diff -up openssl-1.1.1e/crypto/perlasm/cbc.pl.intel-cet openssl-1.1.1e/crypto/perlasm/cbc.pl +--- openssl-1.1.1e/crypto/perlasm/cbc.pl.intel-cet 2020-03-17 15:31:17.000000000 +0100 ++++ openssl-1.1.1e/crypto/perlasm/cbc.pl 2020-03-19 17:00:15.976621722 +0100 +@@ -165,21 +165,28 @@ sub cbc + &jmp_ptr($count); + + &set_label("ej7"); ++ &endbranch() + &movb(&HB("edx"), &BP(6,$in,"",0)); + &shl("edx",8); + &set_label("ej6"); ++ &endbranch() + &movb(&HB("edx"), &BP(5,$in,"",0)); + &set_label("ej5"); ++ &endbranch() + &movb(&LB("edx"), &BP(4,$in,"",0)); + &set_label("ej4"); ++ &endbranch() + &mov("ecx", &DWP(0,$in,"",0)); + &jmp(&label("ejend")); + &set_label("ej3"); ++ &endbranch() + &movb(&HB("ecx"), &BP(2,$in,"",0)); + &shl("ecx",8); + &set_label("ej2"); ++ &endbranch() + &movb(&HB("ecx"), &BP(1,$in,"",0)); + &set_label("ej1"); ++ &endbranch() + &movb(&LB("ecx"), &BP(0,$in,"",0)); + &set_label("ejend"); + +diff -up openssl-1.1.1e/crypto/perlasm/x86_64-xlate.pl.intel-cet openssl-1.1.1e/crypto/perlasm/x86_64-xlate.pl +--- openssl-1.1.1e/crypto/perlasm/x86_64-xlate.pl.intel-cet 2020-03-17 15:31:17.000000000 +0100 ++++ openssl-1.1.1e/crypto/perlasm/x86_64-xlate.pl 2020-03-19 17:00:15.984621582 +0100 +@@ -101,6 +101,33 @@ elsif (!$gas) + $decor="\$L\$"; + } + ++my $cet_property; ++if ($flavour =~ /elf/) { ++ # Always generate .note.gnu.property section for ELF outputs to ++ # mark Intel CET support since all input files must be marked ++ # with Intel CET support in order for linker to mark output with ++ # Intel CET support. ++ my $p2align=3; $p2align=2 if ($flavour eq "elf32"); ++ $cet_property = <<_____; ++ .section ".note.gnu.property", "a" ++ .p2align $p2align ++ .long 1f - 0f ++ .long 4f - 1f ++ .long 5 ++0: ++ .asciz "GNU" ++1: ++ .p2align $p2align ++ .long 0xc0000002 ++ .long 3f - 2f ++2: ++ .long 3 ++3: ++ .p2align $p2align ++4: ++_____ ++} ++ + my $current_segment; + my $current_function; + my %globals; +@@ -1213,6 +1240,7 @@ while(defined(my $line=<>)) { + print $line,"\n"; + } + ++print "$cet_property" if ($cet_property); + print "\n$current_segment\tENDS\n" if ($current_segment && $masm); + print "END\n" if ($masm); + +diff -up openssl-1.1.1e/crypto/perlasm/x86gas.pl.intel-cet openssl-1.1.1e/crypto/perlasm/x86gas.pl +--- openssl-1.1.1e/crypto/perlasm/x86gas.pl.intel-cet 2020-03-17 15:31:17.000000000 +0100 ++++ openssl-1.1.1e/crypto/perlasm/x86gas.pl 2020-03-19 17:00:15.985621565 +0100 +@@ -124,6 +124,7 @@ sub ::function_begin_B + push(@out,".align\t$align\n"); + push(@out,"$func:\n"); + push(@out,"$begin:\n") if ($global); ++ &::endbranch(); + $::stack=4; + } + +@@ -172,6 +173,26 @@ sub ::file_end + else { push (@out,"$tmp\n"); } + } + push(@out,$initseg) if ($initseg); ++ if ($::elf) { ++ push(@out," ++ .section \".note.gnu.property\", \"a\" ++ .p2align 2 ++ .long 1f - 0f ++ .long 4f - 1f ++ .long 5 ++0: ++ .asciz \"GNU\" ++1: ++ .p2align 2 ++ .long 0xc0000002 ++ .long 3f - 2f ++2: ++ .long 3 ++3: ++ .p2align 2 ++4: ++"); ++ } + } + + sub ::data_byte { push(@out,".byte\t".join(',',@_)."\n"); } +diff -up openssl-1.1.1e/crypto/poly1305/asm/poly1305-x86_64.pl.intel-cet openssl-1.1.1e/crypto/poly1305/asm/poly1305-x86_64.pl +--- openssl-1.1.1e/crypto/poly1305/asm/poly1305-x86_64.pl.intel-cet 2020-03-19 17:00:38.185234015 +0100 ++++ openssl-1.1.1e/crypto/poly1305/asm/poly1305-x86_64.pl 2020-03-19 17:05:46.575850341 +0100 +@@ -2806,6 +2806,7 @@ $code.=<<___; + .align 32 + poly1305_blocks_vpmadd52: + .cfi_startproc ++ endbranch + shr \$4,$len + jz .Lno_data_vpmadd52 # too short + +@@ -3739,6 +3740,7 @@ $code.=<<___; + .align 32 + poly1305_emit_base2_44: + .cfi_startproc ++ endbranch + mov 0($ctx),%r8 # load hash value + mov 8($ctx),%r9 + mov 16($ctx),%r10 +diff -up openssl-1.1.1e/crypto/rc4/asm/rc4-x86_64.pl.intel-cet openssl-1.1.1e/crypto/rc4/asm/rc4-x86_64.pl +--- openssl-1.1.1e/crypto/rc4/asm/rc4-x86_64.pl.intel-cet 2020-03-19 17:00:38.190233928 +0100 ++++ openssl-1.1.1e/crypto/rc4/asm/rc4-x86_64.pl 2020-03-19 17:05:02.598618064 +0100 +@@ -140,6 +140,7 @@ $code=<<___; + .align 16 + RC4: + .cfi_startproc ++ endbranch + or $len,$len + jne .Lentry + ret +@@ -455,6 +456,7 @@ $code.=<<___; + .align 16 + RC4_set_key: + .cfi_startproc ++ endbranch + lea 8($dat),$dat + lea ($inp,$len),$inp + neg $len +@@ -529,6 +531,7 @@ RC4_set_key: + .align 16 + RC4_options: + .cfi_startproc ++ endbranch + lea .Lopts(%rip),%rax + mov OPENSSL_ia32cap_P(%rip),%edx + bt \$20,%edx +diff -up openssl-1.1.1e/crypto/x86_64cpuid.pl.intel-cet openssl-1.1.1e/crypto/x86_64cpuid.pl +--- openssl-1.1.1e/crypto/x86_64cpuid.pl.intel-cet 2020-03-17 15:31:17.000000000 +0100 ++++ openssl-1.1.1e/crypto/x86_64cpuid.pl 2020-03-19 17:03:58.172742775 +0100 +@@ -40,6 +40,7 @@ print<<___; + .align 16 + OPENSSL_atomic_add: + .cfi_startproc ++ endbranch + movl ($arg1),%eax + .Lspin: leaq ($arg2,%rax),%r8 + .byte 0xf0 # lock +@@ -56,6 +57,7 @@ OPENSSL_atomic_add: + .align 16 + OPENSSL_rdtsc: + .cfi_startproc ++ endbranch + rdtsc + shl \$32,%rdx + or %rdx,%rax +@@ -68,6 +70,7 @@ OPENSSL_rdtsc: + .align 16 + OPENSSL_ia32_cpuid: + .cfi_startproc ++ endbranch + mov %rbx,%r8 # save %rbx + .cfi_register %rbx,%r8 + +@@ -237,6 +240,7 @@ OPENSSL_ia32_cpuid: + .align 16 + OPENSSL_cleanse: + .cfi_startproc ++ endbranch + xor %rax,%rax + cmp \$15,$arg2 + jae .Lot +@@ -274,6 +278,7 @@ OPENSSL_cleanse: + .align 16 + CRYPTO_memcmp: + .cfi_startproc ++ endbranch + xor %rax,%rax + xor %r10,%r10 + cmp \$0,$arg3 +@@ -312,6 +317,7 @@ print<<___ if (!$win64); + .align 16 + OPENSSL_wipe_cpu: + .cfi_startproc ++ endbranch + pxor %xmm0,%xmm0 + pxor %xmm1,%xmm1 + pxor %xmm2,%xmm2 +@@ -346,6 +352,8 @@ print<<___ if ($win64); + .type OPENSSL_wipe_cpu,\@abi-omnipotent + .align 16 + OPENSSL_wipe_cpu: ++.cfi_startproc ++ endbranch + pxor %xmm0,%xmm0 + pxor %xmm1,%xmm1 + pxor %xmm2,%xmm2 +@@ -376,6 +384,7 @@ print<<___; + .align 16 + OPENSSL_instrument_bus: + .cfi_startproc ++ endbranch + mov $arg1,$out # tribute to Win64 + mov $arg2,$cnt + mov $arg2,$max +@@ -410,6 +419,7 @@ OPENSSL_instrument_bus: + .align 16 + OPENSSL_instrument_bus2: + .cfi_startproc ++ endbranch + mov $arg1,$out # tribute to Win64 + mov $arg2,$cnt + mov $arg3,$max +@@ -465,6 +475,7 @@ print<<___; + .align 16 + OPENSSL_ia32_${rdop}_bytes: + .cfi_startproc ++ endbranch + xor %rax, %rax # return value + cmp \$0,$arg2 + je .Ldone_${rdop}_bytes diff --git a/openssl-1.1.1-kdf-selftest.patch b/openssl-1.1.1-kdf-selftest.patch new file mode 100644 index 0000000..3cb3718 --- /dev/null +++ b/openssl-1.1.1-kdf-selftest.patch @@ -0,0 +1,170 @@ +diff -up openssl-1.1.1g/crypto/fips/build.info.kdf-selftest openssl-1.1.1g/crypto/fips/build.info +--- openssl-1.1.1g/crypto/fips/build.info.kdf-selftest 2020-06-03 16:08:36.274849058 +0200 ++++ openssl-1.1.1g/crypto/fips/build.info 2020-06-03 16:11:05.609079372 +0200 +@@ -5,7 +5,7 @@ SOURCE[../../libcrypto]=\ + fips_post.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \ + fips_drbg_lib.c fips_drbg_rand.c fips_drbg_selftest.c fips_rand_lib.c \ + fips_cmac_selftest.c fips_ecdh_selftest.c fips_ecdsa_selftest.c \ +- fips_dh_selftest.c fips_ers.c ++ fips_dh_selftest.c fips_kdf_selftest.c fips_ers.c + + PROGRAMS_NO_INST=\ + fips_standalone_hmac +diff -up openssl-1.1.1g/crypto/fips/fips_kdf_selftest.c.kdf-selftest openssl-1.1.1g/crypto/fips/fips_kdf_selftest.c +--- openssl-1.1.1g/crypto/fips/fips_kdf_selftest.c.kdf-selftest 2020-06-03 16:08:36.337849577 +0200 ++++ openssl-1.1.1g/crypto/fips/fips_kdf_selftest.c 2020-06-03 16:08:36.337849577 +0200 +@@ -0,0 +1,117 @@ ++/* ++ * Copyright 2018-2019 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright (c) 2018-2019, Oracle and/or its affiliates. All rights reserved. ++ * ++ * Licensed under the Apache License 2.0 (the "License"). You may not use ++ * this file except in compliance with the License. You can obtain a copy ++ * in the file LICENSE in the source distribution or at ++ * https://www.openssl.org/source/license.html ++ */ ++ ++#include ++#include ++#include ++#include "crypto/fips.h" ++ ++#include ++#include ++ ++#ifdef OPENSSL_FIPS ++int FIPS_selftest_pbkdf2(void) ++{ ++ int ret = 0; ++ EVP_KDF_CTX *kctx; ++ unsigned char out[32]; ++ ++ if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_PBKDF2)) == NULL) { ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_PASS, "password", (size_t)8) <= 0) { ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, "salt", (size_t)4) <= 0) { ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_ITER, 2) <= 0) { ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) { ++ goto err; ++ } ++ if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) { ++ goto err; ++ } ++ ++ { ++ const unsigned char expected[sizeof(out)] = { ++ 0xae, 0x4d, 0x0c, 0x95, 0xaf, 0x6b, 0x46, 0xd3, ++ 0x2d, 0x0a, 0xdf, 0xf9, 0x28, 0xf0, 0x6d, 0xd0, ++ 0x2a, 0x30, 0x3f, 0x8e, 0xf3, 0xc2, 0x51, 0xdf, ++ 0xd6, 0xe2, 0xd8, 0x5a, 0x95, 0x47, 0x4c, 0x43 ++ }; ++ if (memcmp(out, expected, sizeof(expected))) { ++ goto err; ++ } ++ } ++ ret = 1; ++ ++err: ++ if (!ret) ++ FIPSerr(FIPS_F_FIPS_SELFTEST_PBKDF2, FIPS_R_SELFTEST_FAILED); ++ EVP_KDF_CTX_free(kctx); ++ return ret; ++} ++ ++/* Test vector from RFC 8009 (AES Encryption with HMAC-SHA2 for Kerberos ++ * 5) appendix A. */ ++int FIPS_selftest_kbkdf(void) ++{ ++ int ret = 0; ++ EVP_KDF_CTX *kctx; ++ char *label = "prf", *prf_input = "test"; ++ static unsigned char input_key[] = { ++ 0x37, 0x05, 0xD9, 0x60, 0x80, 0xC1, 0x77, 0x28, ++ 0xA0, 0xE8, 0x00, 0xEA, 0xB6, 0xE0, 0xD2, 0x3C, ++ }; ++ static unsigned char output[] = { ++ 0x9D, 0x18, 0x86, 0x16, 0xF6, 0x38, 0x52, 0xFE, ++ 0x86, 0x91, 0x5B, 0xB8, 0x40, 0xB4, 0xA8, 0x86, ++ 0xFF, 0x3E, 0x6B, 0xB0, 0xF8, 0x19, 0xB4, 0x9B, ++ 0x89, 0x33, 0x93, 0xD3, 0x93, 0x85, 0x42, 0x95, ++ }; ++ unsigned char result[sizeof(output)] = { 0 }; ++ ++ if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_KB)) == NULL) { ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_MAC_TYPE, EVP_KDF_KB_MAC_TYPE_HMAC) <= 0) { ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) { ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, input_key, sizeof(input_key)) <= 0) { ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, label, strlen(label)) <= 0) { ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_INFO, prf_input, strlen(prf_input)) <= 0) { ++ goto err; ++ } ++ ret = EVP_KDF_derive(kctx, result, sizeof(result)) > 0 ++ && memcmp(result, output, sizeof(output)) == 0; ++err: ++ ++ if (!ret) ++ FIPSerr(FIPS_F_FIPS_SELFTEST_KBKDF, FIPS_R_SELFTEST_FAILED); ++ EVP_KDF_CTX_free(kctx); ++ return ret; ++} ++ ++int FIPS_selftest_kdf(void) ++{ ++ return FIPS_selftest_pbkdf2() && FIPS_selftest_kbkdf(); ++} ++ ++#endif +diff -up openssl-1.1.1g/crypto/fips/fips_post.c.kdf-selftest openssl-1.1.1g/crypto/fips/fips_post.c +--- openssl-1.1.1g/crypto/fips/fips_post.c.kdf-selftest 2020-06-03 16:08:36.332849536 +0200 ++++ openssl-1.1.1g/crypto/fips/fips_post.c 2020-06-03 16:08:36.338849585 +0200 +@@ -111,6 +111,8 @@ int FIPS_selftest(void) + rv = 0; + if (!FIPS_selftest_ecdh()) + rv = 0; ++ if (!FIPS_selftest_kdf()) ++ rv = 0; + return rv; + } + +diff -up openssl-1.1.1g/include/crypto/fips.h.kdf-selftest openssl-1.1.1g/include/crypto/fips.h +--- openssl-1.1.1g/include/crypto/fips.h.kdf-selftest 2020-06-03 16:08:36.330849519 +0200 ++++ openssl-1.1.1g/include/crypto/fips.h 2020-06-03 16:08:36.338849585 +0200 +@@ -72,6 +72,9 @@ void FIPS_drbg_stick(int onoff); + int FIPS_selftest_hmac(void); + int FIPS_selftest_drbg(void); + int FIPS_selftest_cmac(void); ++int FIPS_selftest_kbkdf(void); ++int FIPS_selftest_pbkdf2(void); ++int FIPS_selftest_kdf(void); + + int fips_in_post(void); + +diff -up openssl-1.1.1g/include/openssl/fips.h.kdf-selftest openssl-1.1.1g/include/openssl/fips.h +--- openssl-1.1.1g/include/openssl/fips.h.kdf-selftest 2020-06-03 16:08:36.282849124 +0200 ++++ openssl-1.1.1g/include/openssl/fips.h 2020-06-03 16:08:36.338849585 +0200 +@@ -123,6 +123,8 @@ extern "C" { + # define FIPS_F_FIPS_SELFTEST_DSA 112 + # define FIPS_F_FIPS_SELFTEST_ECDSA 133 + # define FIPS_F_FIPS_SELFTEST_HMAC 113 ++# define FIPS_F_FIPS_SELFTEST_KBKDF 151 ++# define FIPS_F_FIPS_SELFTEST_PBKDF2 152 + # define FIPS_F_FIPS_SELFTEST_SHA1 115 + # define FIPS_F_FIPS_SELFTEST_SHA2 105 + # define FIPS_F_OSSL_ECDSA_SIGN_SIG 143 diff --git a/openssl-1.1.1-krb5-kdf.patch b/openssl-1.1.1-krb5-kdf.patch new file mode 100644 index 0000000..249a5c5 --- /dev/null +++ b/openssl-1.1.1-krb5-kdf.patch @@ -0,0 +1,3030 @@ +diff -up openssl-1.1.1d/crypto/err/openssl.txt.krb5-kdf openssl-1.1.1d/crypto/err/openssl.txt +--- openssl-1.1.1d/crypto/err/openssl.txt.krb5-kdf 2019-11-14 15:07:05.320094521 +0100 ++++ openssl-1.1.1d/crypto/err/openssl.txt 2019-11-14 15:07:05.342094129 +0100 +@@ -821,6 +821,11 @@ EVP_F_S390X_AES_GCM_CTRL:201:s390x_aes_g + EVP_F_SCRYPT_ALG:228:scrypt_alg + EVP_F_UPDATE:173:update + KDF_F_HKDF_EXTRACT:112:HKDF_Extract ++KDF_F_KBKDF_CTRL:134:kbkdf_ctrl ++KDF_F_KBKDF_CTRL_STR:135:kbkdf_ctrl_str ++KDF_F_KBKDF_DERIVE:136:kbkdf_derive ++KDF_F_KBKDF_NEW:137:kbkdf_new ++KDF_F_KDF_CIPHER2CTRL:138:kdf_cipher2ctrl + KDF_F_KDF_HKDF_DERIVE:113:kdf_hkdf_derive + KDF_F_KDF_HKDF_NEW:114:kdf_hkdf_new + KDF_F_KDF_HKDF_SIZE:115:kdf_hkdf_size +@@ -840,6 +845,8 @@ KDF_F_KDF_SSHKDF_NEW:133:kdf_sshkdf_new + KDF_F_KDF_TLS1_PRF_CTRL_STR:125:kdf_tls1_prf_ctrl_str + KDF_F_KDF_TLS1_PRF_DERIVE:126:kdf_tls1_prf_derive + KDF_F_KDF_TLS1_PRF_NEW:127:kdf_tls1_prf_new ++KDF_F_KRB5KDF:139:KRB5KDF ++KDF_F_KRB5KDF_DERIVE:140:krb5kdf_derive + KDF_F_PBKDF2_SET_MEMBUF:128:pbkdf2_set_membuf + KDF_F_PKEY_HKDF_CTRL_STR:103:pkey_hkdf_ctrl_str + KDF_F_PKEY_HKDF_DERIVE:102:pkey_hkdf_derive +@@ -853,6 +860,9 @@ KDF_F_PKEY_TLS1_PRF_CTRL_STR:100:pkey_tl + KDF_F_PKEY_TLS1_PRF_DERIVE:101:pkey_tls1_prf_derive + KDF_F_PKEY_TLS1_PRF_INIT:110:pkey_tls1_prf_init + KDF_F_SCRYPT_SET_MEMBUF:129:scrypt_set_membuf ++KDF_F_SSKDF_DERIVE:141:sskdf_derive ++KDF_F_SSKDF_NEW:142:sskdf_new ++KDF_F_SSKDF_SIZE:143:sskdf_size + KDF_F_TLS1_PRF_ALG:111:tls1_prf_alg + OBJ_F_OBJ_ADD_OBJECT:105:OBJ_add_object + OBJ_F_OBJ_ADD_SIGID:107:OBJ_add_sigid +@@ -2325,7 +2335,13 @@ EVP_R_UNSUPPORTED_SALT_TYPE:126:unsuppor + EVP_R_WRAP_MODE_NOT_ALLOWED:170:wrap mode not allowed + EVP_R_WRONG_FINAL_BLOCK_LENGTH:109:wrong final block length + EVP_R_XTS_DUPLICATED_KEYS:183:xts duplicated keys ++KDF_R_FAILED_TO_GENERATE_KEY:118:failed to generate key ++KDF_R_INVALID_CIPHER:116:invalid cipher ++KDF_R_INVALID_CONSTANT_LENGTH:119:invalid constant length + KDF_R_INVALID_DIGEST:100:invalid digest ++KDF_R_INVALID_SEED_LENGTH:117:invalid seed length ++KDF_R_MISSING_CIPHER:120:missing cipher ++KDF_R_MISSING_CONSTANT:121:missing constant + KDF_R_MISSING_ITERATION_COUNT:109:missing iteration count + KDF_R_MISSING_KEY:104:missing key + KDF_R_MISSING_MESSAGE_DIGEST:105:missing message digest +@@ -2340,6 +2356,7 @@ KDF_R_MISSING_XCGHASH:115:missing xcghas + KDF_R_UNKNOWN_PARAMETER_TYPE:103:unknown parameter type + KDF_R_VALUE_ERROR:108:value error + KDF_R_VALUE_MISSING:102:value missing ++KDF_R_WRONG_FINAL_BLOCK_LENGTH:120:wrong final block length + KDF_R_WRONG_OUTPUT_BUFFER_SIZE:112:wrong output buffer size + OBJ_R_OID_EXISTS:102:oid exists + OBJ_R_UNKNOWN_NID:101:unknown nid +diff -up openssl-1.1.1d/crypto/evp/kdf_lib.c.krb5-kdf openssl-1.1.1d/crypto/evp/kdf_lib.c +--- openssl-1.1.1d/crypto/evp/kdf_lib.c.krb5-kdf 2019-11-14 15:07:05.320094521 +0100 ++++ openssl-1.1.1d/crypto/evp/kdf_lib.c 2019-11-14 15:07:05.342094129 +0100 +@@ -31,6 +31,9 @@ static const EVP_KDF_METHOD *standard_me + &tls1_prf_kdf_meth, + &hkdf_kdf_meth, + &sshkdf_kdf_meth, ++ &kb_kdf_meth, ++ &krb5kdf_kdf_meth, ++ &ss_kdf_meth + }; + + DECLARE_OBJ_BSEARCH_CMP_FN(const EVP_KDF_METHOD *, const EVP_KDF_METHOD *, +diff -up openssl-1.1.1d/include/crypto/evp.h.krb5-kdf openssl-1.1.1d/include/crypto/evp.h +--- openssl-1.1.1d/include/crypto/evp.h.krb5-kdf 2019-11-14 15:07:05.320094521 +0100 ++++ openssl-1.1.1d/include/crypto/evp.h 2019-11-14 15:07:05.342094129 +0100 +@@ -130,6 +130,9 @@ extern const EVP_KDF_METHOD scrypt_kdf_m + extern const EVP_KDF_METHOD tls1_prf_kdf_meth; + extern const EVP_KDF_METHOD hkdf_kdf_meth; + extern const EVP_KDF_METHOD sshkdf_kdf_meth; ++extern const EVP_KDF_METHOD kb_kdf_meth; ++extern const EVP_KDF_METHOD krb5kdf_kdf_meth; ++extern const EVP_KDF_METHOD ss_kdf_meth; + + struct evp_md_st { + int type; +diff -up openssl-1.1.1d/crypto/kdf/build.info.krb5-kdf openssl-1.1.1d/crypto/kdf/build.info +--- openssl-1.1.1d/crypto/kdf/build.info.krb5-kdf 2019-11-14 15:07:05.320094521 +0100 ++++ openssl-1.1.1d/crypto/kdf/build.info 2019-11-14 15:07:05.342094129 +0100 +@@ -1,3 +1,3 @@ + LIBS=../../libcrypto + SOURCE[../../libcrypto]=\ +- tls1_prf.c kdf_err.c kdf_util.c hkdf.c scrypt.c pbkdf2.c sshkdf.c ++ tls1_prf.c kdf_err.c kdf_util.c hkdf.c scrypt.c pbkdf2.c sshkdf.c kbkdf.c krb5kdf.c sskdf.c +diff -up openssl-1.1.1d/crypto/kdf/kbkdf.c.krb5-kdf openssl-1.1.1d/crypto/kdf/kbkdf.c +--- openssl-1.1.1d/crypto/kdf/kbkdf.c.krb5-kdf 2019-11-14 15:07:05.343094112 +0100 ++++ openssl-1.1.1d/crypto/kdf/kbkdf.c 2019-11-18 17:21:58.326635901 +0100 +@@ -0,0 +1,540 @@ ++/* ++ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 2019 Red Hat, Inc. ++ * ++ * Licensed under the Apache License 2.0 (the "License"). You may not use ++ * this file except in compliance with the License. You can obtain a copy ++ * in the file LICENSE in the source distribution or at ++ * https://www.openssl.org/source/license.html ++ */ ++ ++/* ++ * This implements https://csrc.nist.gov/publications/detail/sp/800-108/final ++ * section 5.1 ("counter mode") and section 5.2 ("feedback mode") in both HMAC ++ * and CMAC. That document does not name the KDFs it defines; the name is ++ * derived from ++ * https://csrc.nist.gov/Projects/Cryptographic-Algorithm-Validation-Program/Key-Derivation ++ * ++ * Note that section 5.3 ("double-pipeline mode") is not implemented, though ++ * it would be possible to do so in the future. ++ * ++ * These versions all assume the counter is used. It would be relatively ++ * straightforward to expose a configuration handle should the need arise. ++ * ++ * Variable names attempt to match those of SP800-108. ++ */ ++ ++#include ++#include ++#include ++ ++#include ++#include ++#include ++#include ++ ++#include "internal/numbers.h" ++#include "internal/cryptlib.h" ++#include "crypto/evp.h" ++#include "kdf_local.h" ++ ++#include "e_os.h" ++ ++#ifdef MIN ++# undef MIN ++#endif ++#define MIN(a, b) ((a) < (b)) ? (a) : (b) ++ ++typedef struct { ++ int mac_type; ++ union { ++ HMAC_CTX *hmac; ++ CMAC_CTX *cmac; ++ } m; ++} MAC_CTX; ++ ++/* Our context structure. */ ++struct evp_kdf_impl_st { ++ int mode; ++ ++ MAC_CTX *ctx_init; ++ ++ const EVP_CIPHER *cipher; ++ const EVP_MD *md; ++ ++ /* Names are lowercased versions of those found in SP800-108. */ ++ unsigned char *ki; ++ size_t ki_len; ++ unsigned char *label; ++ size_t label_len; ++ unsigned char *context; ++ size_t context_len; ++ unsigned char *iv; ++ size_t iv_len; ++}; ++ ++static MAC_CTX *EVP_MAC_CTX_new(int mac_type) ++{ ++ MAC_CTX *ctx; ++ ++ ctx = OPENSSL_zalloc(sizeof(*ctx)); ++ if (ctx == NULL) ++ return NULL; ++ ++ ctx->mac_type = mac_type; ++ if (mac_type == EVP_KDF_KB_MAC_TYPE_HMAC) { ++ if ((ctx->m.hmac = HMAC_CTX_new()) == NULL) ++ goto err; ++ } else { ++ if ((ctx->m.cmac = CMAC_CTX_new()) == NULL) ++ goto err; ++ } ++ return ctx; ++ ++err: ++ OPENSSL_free(ctx); ++ return NULL; ++} ++ ++static void EVP_MAC_CTX_free(MAC_CTX *ctx) ++{ ++ if (ctx == NULL) ++ return; ++ ++ if (ctx->mac_type == EVP_KDF_KB_MAC_TYPE_HMAC) ++ HMAC_CTX_free(ctx->m.hmac); ++ else ++ CMAC_CTX_free(ctx->m.cmac); ++ OPENSSL_free(ctx); ++} ++ ++static MAC_CTX *EVP_MAC_CTX_dup(MAC_CTX *sctx) ++{ ++ MAC_CTX *ctx; ++ ++ ctx = OPENSSL_zalloc(sizeof(*sctx)); ++ if (ctx == NULL) ++ return NULL; ++ ++ ctx->mac_type = sctx->mac_type; ++ if (sctx->mac_type == EVP_KDF_KB_MAC_TYPE_HMAC) { ++ if ((ctx->m.hmac = HMAC_CTX_new()) == NULL ++ || HMAC_CTX_copy(ctx->m.hmac, sctx->m.hmac) <= 0) ++ goto err; ++ } else { ++ if ((ctx->m.cmac = CMAC_CTX_new()) == NULL ++ || CMAC_CTX_copy(ctx->m.cmac, sctx->m.cmac) <= 0) ++ goto err; ++ } ++ return ctx; ++ ++err: ++ EVP_MAC_CTX_free(ctx); ++ return NULL; ++} ++ ++static size_t EVP_MAC_size(MAC_CTX *ctx) ++{ ++ if (ctx->mac_type == EVP_KDF_KB_MAC_TYPE_HMAC) { ++ const EVP_MD *md; ++ ++ if (ctx->m.hmac == NULL) ++ return 0; ++ if ((md = HMAC_CTX_get_md(ctx->m.hmac)) == NULL) ++ return 0; ++ return (size_t)EVP_MD_size(md); ++ } else { ++ const EVP_CIPHER_CTX *cctx; ++ ++ if (ctx->m.cmac == NULL) ++ return 0; ++ if ((cctx = CMAC_CTX_get0_cipher_ctx(ctx->m.cmac)) == NULL) ++ return 0; ++ return EVP_CIPHER_CTX_block_size(cctx); ++ } ++} ++ ++static int EVP_MAC_update(MAC_CTX *ctx, const unsigned char *data, ++ size_t datalen) ++{ ++ if (ctx->mac_type == EVP_KDF_KB_MAC_TYPE_HMAC) ++ return HMAC_Update(ctx->m.hmac, data, datalen); ++ else ++ return CMAC_Update(ctx->m.cmac, data, datalen); ++} ++ ++static int EVP_MAC_final(MAC_CTX *ctx, unsigned char *out, ++ size_t *outl, size_t outsize) ++{ ++ if (outsize != EVP_MAC_size(ctx)) ++ /* we do not cope with anything else */ ++ return 0; ++ ++ if (ctx->mac_type == EVP_KDF_KB_MAC_TYPE_HMAC) { ++ unsigned int intsize = (unsigned int)outsize; ++ int ret; ++ ++ ret = HMAC_Final(ctx->m.hmac, out, &intsize); ++ if (outl != NULL) ++ *outl = intsize; ++ return ret; ++ } else { ++ size_t size = outsize; ++ int ret; ++ ++ ret = CMAC_Final(ctx->m.cmac, out, &size); ++ if (outl != NULL) ++ *outl = size; ++ return ret; ++ } ++} ++ ++static int evp_mac_init(MAC_CTX *ctx, const EVP_MD *md, ++ const EVP_CIPHER *cipher, unsigned char *key, size_t keylen) ++{ ++ if (ctx->mac_type == EVP_KDF_KB_MAC_TYPE_HMAC) { ++ if (md == NULL) ++ return 0; ++ return HMAC_Init_ex(ctx->m.hmac, key, (int)keylen, md, NULL); ++ } else { ++ if (cipher == NULL) ++ return 0; ++ return CMAC_Init(ctx->m.cmac, key, keylen, cipher, NULL); ++ } ++} ++ ++static void kbkdf_reset(EVP_KDF_IMPL *ctx); ++ ++/* Not all platforms have htobe32(). */ ++static uint32_t be32(uint32_t host) ++{ ++ uint32_t big = 0; ++ const union { ++ long one; ++ char little; ++ } is_endian = { 1 }; ++ ++ if (!is_endian.little) ++ return host; ++ ++ big |= (host & 0xff000000) >> 24; ++ big |= (host & 0x00ff0000) >> 8; ++ big |= (host & 0x0000ff00) << 8; ++ big |= (host & 0x000000ff) << 24; ++ return big; ++} ++ ++static EVP_KDF_IMPL *kbkdf_new(void) ++{ ++ EVP_KDF_IMPL *ctx; ++ ++ ctx = OPENSSL_zalloc(sizeof(*ctx)); ++ if (ctx == NULL) { ++ KDFerr(KDF_F_KBKDF_NEW, ERR_R_MALLOC_FAILURE); ++ return NULL; ++ } ++ ++ return ctx; ++} ++ ++static void kbkdf_free(EVP_KDF_IMPL *ctx) ++{ ++ kbkdf_reset(ctx); ++ OPENSSL_free(ctx); ++} ++ ++static void kbkdf_reset(EVP_KDF_IMPL *ctx) ++{ ++ EVP_MAC_CTX_free(ctx->ctx_init); ++ OPENSSL_clear_free(ctx->context, ctx->context_len); ++ OPENSSL_clear_free(ctx->label, ctx->label_len); ++ OPENSSL_clear_free(ctx->ki, ctx->ki_len); ++ OPENSSL_clear_free(ctx->iv, ctx->iv_len); ++ memset(ctx, 0, sizeof(*ctx)); ++} ++ ++/* SP800-108 section 5.1 or section 5.2 depending on mode. */ ++static int derive(MAC_CTX *ctx_init, int mode, unsigned char *iv, ++ size_t iv_len, unsigned char *label, size_t label_len, ++ unsigned char *context, size_t context_len, ++ unsigned char *k_i, size_t h, uint32_t l, unsigned char *ko, ++ size_t ko_len) ++{ ++ int ret = 0; ++ MAC_CTX *ctx = NULL; ++ size_t written = 0, to_write, k_i_len = iv_len; ++ const unsigned char zero = 0; ++ uint32_t counter, i; ++ ++ /* Setup K(0) for feedback mode. */ ++ if (iv_len > 0) ++ memcpy(k_i, iv, iv_len); ++ ++ for (counter = 1; written < ko_len; counter++) { ++ i = be32(counter); ++ ++ ctx = EVP_MAC_CTX_dup(ctx_init); ++ if (ctx == NULL) ++ goto done; ++ ++ /* Perform feedback, if appropriate. */ ++ if (mode == EVP_KDF_KB_MODE_FEEDBACK && !EVP_MAC_update(ctx, k_i, k_i_len)) ++ goto done; ++ ++ if (!EVP_MAC_update(ctx, (unsigned char *)&i, 4) ++ || !EVP_MAC_update(ctx, label, label_len) ++ || !EVP_MAC_update(ctx, &zero, 1) ++ || !EVP_MAC_update(ctx, context, context_len) ++ || !EVP_MAC_update(ctx, (unsigned char *)&l, 4) ++ || !EVP_MAC_final(ctx, k_i, NULL, h)) ++ goto done; ++ ++ to_write = ko_len - written; ++ memcpy(ko + written, k_i, MIN(to_write, h)); ++ written += h; ++ ++ k_i_len = h; ++ EVP_MAC_CTX_free(ctx); ++ ctx = NULL; ++ } ++ ++ ret = 1; ++done: ++ EVP_MAC_CTX_free(ctx); ++ return ret; ++} ++ ++static int kbkdf_derive(EVP_KDF_IMPL *ctx, unsigned char *key, size_t keylen) ++{ ++ int ret = 0; ++ unsigned char *k_i = NULL; ++ uint32_t l = be32(keylen * 8); ++ size_t h = 0; ++ ++ /* label, context, and iv are permitted to be empty. Check everything ++ * else. */ ++ if (ctx->ctx_init == NULL ++ || evp_mac_init(ctx->ctx_init, ctx->md, ctx->cipher, ctx->ki, ctx->ki_len) <= 0) { ++ if (ctx->ki_len == 0 || ctx->ki == NULL) { ++ KDFerr(KDF_F_KBKDF_DERIVE, KDF_R_MISSING_KEY); ++ return 0; ++ } ++ /* Could either be missing MAC or missing message digest or missing ++ * cipher - arbitrarily, I pick this one. */ ++ KDFerr(KDF_F_KBKDF_DERIVE, KDF_R_MISSING_PARAMETER); ++ return 0; ++ } ++ ++ h = EVP_MAC_size(ctx->ctx_init); ++ if (h == 0) ++ goto done; ++ if (ctx->iv_len != 0 && ctx->iv_len != h) { ++ KDFerr(KDF_F_KBKDF_DERIVE, KDF_R_INVALID_SEED_LENGTH); ++ goto done; ++ } ++ ++ k_i = OPENSSL_zalloc(h); ++ if (k_i == NULL) ++ goto done; ++ ++ ret = derive(ctx->ctx_init, ctx->mode, ctx->iv, ctx->iv_len, ctx->label, ++ ctx->label_len, ctx->context, ctx->context_len, k_i, h, l, ++ key, keylen); ++done: ++ if (ret != 1) ++ OPENSSL_cleanse(key, keylen); ++ OPENSSL_clear_free(k_i, h); ++ return ret; ++} ++ ++static size_t kbkdf_size(EVP_KDF_IMPL *ctx) ++{ ++ return UINT32_MAX/8; ++} ++ ++static int kbkdf_parse_buffer_arg(unsigned char **dst, size_t *dst_len, ++ va_list args) ++{ ++ const unsigned char *p; ++ size_t len; ++ ++ p = va_arg(args, const unsigned char *); ++ len = va_arg(args, size_t); ++ OPENSSL_clear_free(*dst, *dst_len); ++ if (len == 0) { ++ *dst = NULL; ++ *dst_len = 0; ++ return 1; ++ } ++ ++ *dst = OPENSSL_memdup(p, len); ++ if (*dst == NULL) ++ return 0; ++ ++ *dst_len = len; ++ return 1; ++} ++ ++static int kbkdf_ctrl(EVP_KDF_IMPL *ctx, int cmd, va_list args) ++{ ++ int t; ++ ++ switch (cmd) { ++ case EVP_KDF_CTRL_SET_MD: ++ ctx->md = va_arg(args, const EVP_MD *); ++ if (ctx->md == NULL) ++ return 0; ++ ++ return 1; ++ ++ case EVP_KDF_CTRL_SET_CIPHER: ++ ctx->cipher = va_arg(args, const EVP_CIPHER *); ++ if (ctx->cipher == NULL) ++ return 0; ++ ++ return 1; ++ ++ case EVP_KDF_CTRL_SET_KEY: ++ return kbkdf_parse_buffer_arg(&ctx->ki, ++ &ctx->ki_len, args); ++ ++ case EVP_KDF_CTRL_SET_SALT: ++ return kbkdf_parse_buffer_arg(&ctx->label, ++ &ctx->label_len, args); ++ ++ case EVP_KDF_CTRL_SET_KB_INFO: ++ return kbkdf_parse_buffer_arg(&ctx->context, ++ &ctx->context_len, args); ++ ++ case EVP_KDF_CTRL_SET_KB_SEED: ++ return kbkdf_parse_buffer_arg(&ctx->iv, ++ &ctx->iv_len, args); ++ ++ case EVP_KDF_CTRL_SET_KB_MODE: ++ t = va_arg(args, int); ++ if (t != EVP_KDF_KB_MODE_COUNTER && t != EVP_KDF_KB_MODE_FEEDBACK ) { ++ KDFerr(KDF_F_KBKDF_CTRL, KDF_R_VALUE_ERROR); ++ return 0; ++ } ++ ctx->mode = t; ++ return 1; ++ ++ case EVP_KDF_CTRL_SET_KB_MAC_TYPE: ++ t = va_arg(args, int); ++ if (t != EVP_KDF_KB_MAC_TYPE_HMAC && t != EVP_KDF_KB_MAC_TYPE_CMAC ) { ++ KDFerr(KDF_F_KBKDF_CTRL, KDF_R_VALUE_ERROR); ++ return 0; ++ } ++ ++ if (ctx->ctx_init != NULL) { ++ EVP_MAC_CTX_free(ctx->ctx_init); ++ } ++ ctx->ctx_init = EVP_MAC_CTX_new(t); ++ if (ctx->ctx_init == NULL) { ++ KDFerr(KDF_F_KBKDF_CTRL, ERR_R_MALLOC_FAILURE); ++ return 0; ++ } ++ return 1; ++ ++ default: ++ return -2; ++ ++ } ++} ++ ++static int kbkdf_ctrl_str(EVP_KDF_IMPL *ctx, const char *type, ++ const char *value) ++{ ++ if (value == NULL) { ++ KDFerr(KDF_F_KDF_SSHKDF_CTRL_STR, KDF_R_VALUE_MISSING); ++ return 0; ++ } ++ ++ if (strcmp(type, "digest") == 0) ++ return kdf_md2ctrl(ctx, kbkdf_ctrl, EVP_KDF_CTRL_SET_MD, value); ++ /* alias, for historical reasons */ ++ if (strcmp(type, "md") == 0) ++ return kdf_md2ctrl(ctx, kbkdf_ctrl, EVP_KDF_CTRL_SET_MD, value); ++ ++ if (strcmp(type, "cipher") == 0) ++ return kdf_cipher2ctrl(ctx, kbkdf_ctrl, EVP_KDF_CTRL_SET_CIPHER, value); ++ ++ if (strcmp(type, "key") == 0) ++ return kdf_str2ctrl(ctx, kbkdf_ctrl, ++ EVP_KDF_CTRL_SET_KEY, value); ++ ++ if (strcmp(type, "hexkey") == 0) ++ return kdf_hex2ctrl(ctx, kbkdf_ctrl, ++ EVP_KDF_CTRL_SET_KEY, value); ++ ++ if (strcmp(type, "salt") == 0) ++ return kdf_str2ctrl(ctx, kbkdf_ctrl, ++ EVP_KDF_CTRL_SET_SALT, value); ++ ++ if (strcmp(type, "hexsalt") == 0) ++ return kdf_hex2ctrl(ctx, kbkdf_ctrl, ++ EVP_KDF_CTRL_SET_SALT, value); ++ ++ if (strcmp(type, "info") == 0) ++ return kdf_str2ctrl(ctx, kbkdf_ctrl, ++ EVP_KDF_CTRL_SET_KB_INFO, value); ++ ++ if (strcmp(type, "hexinfo") == 0) ++ return kdf_hex2ctrl(ctx, kbkdf_ctrl, ++ EVP_KDF_CTRL_SET_KB_INFO, value); ++ ++ if (strcmp(type, "seed") == 0) ++ return kdf_str2ctrl(ctx, kbkdf_ctrl, ++ EVP_KDF_CTRL_SET_KB_SEED, value); ++ ++ if (strcmp(type, "hexseed") == 0) ++ return kdf_hex2ctrl(ctx, kbkdf_ctrl, ++ EVP_KDF_CTRL_SET_KB_SEED, value); ++ ++ if (strcmp(type, "mode") == 0) { ++ int mode; ++ ++ if (strcasecmp(value, "counter") == 0) { ++ mode = EVP_KDF_KB_MODE_COUNTER; ++ } else if (strcasecmp(value, "feedback") == 0) { ++ mode = EVP_KDF_KB_MODE_FEEDBACK; ++ } else { ++ KDFerr(KDF_F_KBKDF_CTRL_STR, KDF_R_VALUE_ERROR); ++ return 0; ++ } ++ ++ return call_ctrl(kbkdf_ctrl, ctx, EVP_KDF_CTRL_SET_KB_MODE, ++ mode); ++ } ++ ++ if (strcmp(type, "mac_type") == 0) { ++ int mac_type; ++ ++ if (strcasecmp(value, "hmac") == 0) { ++ mac_type = EVP_KDF_KB_MAC_TYPE_HMAC; ++ } else if (strcasecmp(value, "cmac") == 0) { ++ mac_type = EVP_KDF_KB_MAC_TYPE_CMAC; ++ } else { ++ KDFerr(KDF_F_KBKDF_CTRL_STR, KDF_R_VALUE_ERROR); ++ return 0; ++ } ++ ++ return call_ctrl(kbkdf_ctrl, ctx, EVP_KDF_CTRL_SET_KB_MAC_TYPE, ++ mac_type); ++ } ++ ++ KDFerr(KDF_F_KBKDF_CTRL_STR, KDF_R_UNKNOWN_PARAMETER_TYPE); ++ return -2; ++} ++ ++const EVP_KDF_METHOD kb_kdf_meth = { ++ EVP_KDF_KB, ++ kbkdf_new, ++ kbkdf_free, ++ kbkdf_reset, ++ kbkdf_ctrl, ++ kbkdf_ctrl_str, ++ kbkdf_size, ++ kbkdf_derive, ++}; ++ +diff -up openssl-1.1.1d/crypto/kdf/kdf_err.c.krb5-kdf openssl-1.1.1d/crypto/kdf/kdf_err.c +--- openssl-1.1.1d/crypto/kdf/kdf_err.c.krb5-kdf 2019-11-14 15:07:05.320094521 +0100 ++++ openssl-1.1.1d/crypto/kdf/kdf_err.c 2019-11-14 15:07:05.343094112 +0100 +@@ -15,6 +15,11 @@ + + static const ERR_STRING_DATA KDF_str_functs[] = { + {ERR_PACK(ERR_LIB_KDF, KDF_F_HKDF_EXTRACT, 0), "HKDF_Extract"}, ++ {ERR_PACK(ERR_LIB_KDF, KDF_F_KBKDF_CTRL, 0), "kbkdf_ctrl"}, ++ {ERR_PACK(ERR_LIB_KDF, KDF_F_KBKDF_CTRL_STR, 0), "kbkdf_ctrl_str"}, ++ {ERR_PACK(ERR_LIB_KDF, KDF_F_KBKDF_DERIVE, 0), "kbkdf_derive"}, ++ {ERR_PACK(ERR_LIB_KDF, KDF_F_KBKDF_NEW, 0), "kbkdf_new"}, ++ {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_CIPHER2CTRL, 0), "kdf_cipher2ctrl"}, + {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_HKDF_DERIVE, 0), "kdf_hkdf_derive"}, + {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_HKDF_NEW, 0), "kdf_hkdf_new"}, + {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_HKDF_SIZE, 0), "kdf_hkdf_size"}, +@@ -41,6 +46,8 @@ static const ERR_STRING_DATA KDF_str_fun + {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_TLS1_PRF_DERIVE, 0), + "kdf_tls1_prf_derive"}, + {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_TLS1_PRF_NEW, 0), "kdf_tls1_prf_new"}, ++ {ERR_PACK(ERR_LIB_KDF, KDF_F_KRB5KDF, 0), "KRB5KDF"}, ++ {ERR_PACK(ERR_LIB_KDF, KDF_F_KRB5KDF_DERIVE, 0), "krb5kdf_derive"}, + {ERR_PACK(ERR_LIB_KDF, KDF_F_PBKDF2_SET_MEMBUF, 0), "pbkdf2_set_membuf"}, + {ERR_PACK(ERR_LIB_KDF, KDF_F_PKEY_HKDF_CTRL_STR, 0), "pkey_hkdf_ctrl_str"}, + {ERR_PACK(ERR_LIB_KDF, KDF_F_PKEY_HKDF_DERIVE, 0), "pkey_hkdf_derive"}, +@@ -59,12 +66,22 @@ static const ERR_STRING_DATA KDF_str_fun + "pkey_tls1_prf_derive"}, + {ERR_PACK(ERR_LIB_KDF, KDF_F_PKEY_TLS1_PRF_INIT, 0), "pkey_tls1_prf_init"}, + {ERR_PACK(ERR_LIB_KDF, KDF_F_SCRYPT_SET_MEMBUF, 0), "scrypt_set_membuf"}, ++ {ERR_PACK(ERR_LIB_KDF, KDF_F_SSKDF_DERIVE, 0), "sskdf_derive"}, ++ {ERR_PACK(ERR_LIB_KDF, KDF_F_SSKDF_NEW, 0), "sskdf_new"}, ++ {ERR_PACK(ERR_LIB_KDF, KDF_F_SSKDF_SIZE, 0), "sskdf_size"}, + {ERR_PACK(ERR_LIB_KDF, KDF_F_TLS1_PRF_ALG, 0), "tls1_prf_alg"}, + {0, NULL} + }; + + static const ERR_STRING_DATA KDF_str_reasons[] = { ++ {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_FAILED_TO_GENERATE_KEY), ++ "failed to generate key"}, ++ {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_INVALID_CIPHER), "invalid cipher"}, ++ {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_INVALID_CONSTANT_LENGTH), "invalid constant length"}, + {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_INVALID_DIGEST), "invalid digest"}, ++ {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_INVALID_SEED_LENGTH), "invalid seed length"}, ++ {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_MISSING_CIPHER), "missing cipher"}, ++ {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_MISSING_CONSTANT), "missing constant"}, + {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_MISSING_ITERATION_COUNT), + "missing iteration count"}, + {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_MISSING_KEY), "missing key"}, +@@ -82,6 +99,8 @@ static const ERR_STRING_DATA KDF_str_rea + "unknown parameter type"}, + {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_VALUE_ERROR), "value error"}, + {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_VALUE_MISSING), "value missing"}, ++ {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_WRONG_FINAL_BLOCK_LENGTH), ++ "wrong final block length"}, + {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_WRONG_OUTPUT_BUFFER_SIZE), + "wrong output buffer size"}, + {0, NULL} +diff -up openssl-1.1.1d/crypto/kdf/kdf_local.h.krb5-kdf openssl-1.1.1d/crypto/kdf/kdf_local.h +--- openssl-1.1.1d/crypto/kdf/kdf_local.h.krb5-kdf 2019-11-14 15:07:05.313094646 +0100 ++++ openssl-1.1.1d/crypto/kdf/kdf_local.h 2019-11-14 15:07:05.344094093 +0100 +@@ -19,4 +19,6 @@ int kdf_hex2ctrl(EVP_KDF_IMPL *impl, + int kdf_md2ctrl(EVP_KDF_IMPL *impl, + int (*ctrl)(EVP_KDF_IMPL *impl, int cmd, va_list args), + int cmd, const char *md_name); +- ++int kdf_cipher2ctrl(EVP_KDF_IMPL *impl, ++ int (*ctrl)(EVP_KDF_IMPL *impl, int cmd, va_list args), ++ int cmd, const char *cipher_name); +diff -up openssl-1.1.1d/crypto/kdf/kdf_util.c.krb5-kdf openssl-1.1.1d/crypto/kdf/kdf_util.c +--- openssl-1.1.1d/crypto/kdf/kdf_util.c.krb5-kdf 2019-11-14 15:07:05.313094646 +0100 ++++ openssl-1.1.1d/crypto/kdf/kdf_util.c 2019-11-14 15:07:05.344094093 +0100 +@@ -71,3 +71,16 @@ int kdf_md2ctrl(EVP_KDF_IMPL *impl, + return call_ctrl(ctrl, impl, cmd, md); + } + ++/* Pass a cipher to a ctrl */ ++int kdf_cipher2ctrl(EVP_KDF_IMPL *impl, ++ int (*ctrl)(EVP_KDF_IMPL *impl, int cmd, va_list args), ++ int cmd, const char *cipher_name) ++{ ++ const EVP_CIPHER *cipher; ++ ++ if (cipher_name == NULL || (cipher = EVP_get_cipherbyname(cipher_name)) == NULL) { ++ KDFerr(KDF_F_KDF_CIPHER2CTRL, KDF_R_INVALID_CIPHER); ++ return 0; ++ } ++ return call_ctrl(ctrl, impl, cmd, cipher); ++} +diff -up openssl-1.1.1d/crypto/kdf/krb5kdf.c.krb5-kdf openssl-1.1.1d/crypto/kdf/krb5kdf.c +--- openssl-1.1.1d/crypto/kdf/krb5kdf.c.krb5-kdf 2019-11-14 15:07:05.344094093 +0100 ++++ openssl-1.1.1d/crypto/kdf/krb5kdf.c 2019-11-18 17:18:13.056604404 +0100 +@@ -0,0 +1,423 @@ ++/* ++ * Copyright 2018-2019 The OpenSSL Project Authors. All Rights Reserved. ++ * ++ * Licensed under the OpenSSL license (the "License"). You may not use ++ * this file except in compliance with the License. You can obtain a copy ++ * in the file LICENSE in the source distribution or at ++ * https://www.openssl.org/source/license.html ++ */ ++ ++#include ++#include ++#include ++ ++#include ++#include ++#include ++ ++#include "internal/cryptlib.h" ++#include "crypto/evp.h" ++#include "kdf_local.h" ++ ++/* KRB5 KDF defined in RFC 3961, Section 5.1 */ ++ ++static int KRB5KDF(const EVP_CIPHER *cipher, ++ const unsigned char *key, size_t key_len, ++ const unsigned char *constant, size_t constant_len, ++ unsigned char *okey, size_t okey_len); ++ ++struct evp_kdf_impl_st { ++ const EVP_CIPHER *cipher; ++ unsigned char *key; ++ size_t key_len; ++ unsigned char *constant; ++ size_t constant_len; ++}; ++ ++static void krb5kdf_reset(EVP_KDF_IMPL *ctx); ++ ++static EVP_KDF_IMPL *krb5kdf_new(void) ++{ ++ EVP_KDF_IMPL *ctx; ++ ++ if ((ctx = OPENSSL_zalloc(sizeof(*ctx))) == NULL) ++ KDFerr(KDF_F_KBKDF_NEW, ERR_R_MALLOC_FAILURE); ++ return ctx; ++} ++ ++static void krb5kdf_free(EVP_KDF_IMPL *ctx) ++{ ++ krb5kdf_reset(ctx); ++ OPENSSL_free(ctx); ++} ++ ++static void krb5kdf_reset(EVP_KDF_IMPL *ctx) ++{ ++ OPENSSL_clear_free(ctx->key, ctx->key_len); ++ OPENSSL_clear_free(ctx->constant, ctx->constant_len); ++ memset(ctx, 0, sizeof(*ctx)); ++} ++ ++static int krb5kdf_derive(EVP_KDF_IMPL *ctx, unsigned char *key, ++ size_t keylen) ++{ ++ if (ctx->cipher == NULL) { ++ KDFerr(KDF_F_KRB5KDF_DERIVE, KDF_R_MISSING_CIPHER); ++ return 0; ++ } ++ if (ctx->key == NULL) { ++ KDFerr(KDF_F_KRB5KDF_DERIVE, KDF_R_MISSING_KEY); ++ return 0; ++ } ++ if (ctx->constant == NULL) { ++ KDFerr(KDF_F_KRB5KDF_DERIVE, KDF_R_MISSING_CONSTANT); ++ return 0; ++ } ++ return KRB5KDF(ctx->cipher, ctx->key, ctx->key_len, ++ ctx->constant, ctx->constant_len, ++ key, keylen); ++} ++ ++static size_t krb5kdf_size(EVP_KDF_IMPL *ctx) ++{ ++ if (ctx->cipher != NULL) ++ return EVP_CIPHER_key_length(ctx->cipher); ++ else ++ return EVP_MAX_KEY_LENGTH; ++} ++ ++ ++static int krb5kdf_parse_buffer_arg(unsigned char **dst, size_t *dst_len, ++ va_list args) ++{ ++ const unsigned char *p; ++ size_t len; ++ ++ p = va_arg(args, const unsigned char *); ++ len = va_arg(args, size_t); ++ OPENSSL_clear_free(*dst, *dst_len); ++ if (len == 0) { ++ *dst = NULL; ++ *dst_len = 0; ++ return 1; ++ } ++ ++ *dst = OPENSSL_memdup(p, len); ++ if (*dst == NULL) ++ return 0; ++ ++ *dst_len = len; ++ return 1; ++} ++ ++static int krb5kdf_ctrl(EVP_KDF_IMPL *ctx, int cmd, va_list args) ++{ ++ switch (cmd) { ++ case EVP_KDF_CTRL_SET_CIPHER: ++ ctx->cipher = va_arg(args, const EVP_CIPHER *); ++ if (ctx->cipher == NULL) ++ return 0; ++ ++ return 1; ++ ++ case EVP_KDF_CTRL_SET_KEY: ++ return krb5kdf_parse_buffer_arg(&ctx->key, ++ &ctx->key_len, args); ++ ++ case EVP_KDF_CTRL_SET_KRB5KDF_CONSTANT: ++ return krb5kdf_parse_buffer_arg(&ctx->constant, ++ &ctx->constant_len, args); ++ default: ++ return -2; ++ ++ } ++} ++ ++static int krb5kdf_ctrl_str(EVP_KDF_IMPL *ctx, const char *type, ++ const char *value) ++{ ++ if (value == NULL) { ++ KDFerr(KDF_F_KDF_SSHKDF_CTRL_STR, KDF_R_VALUE_MISSING); ++ return 0; ++ } ++ ++ if (strcmp(type, "cipher") == 0) ++ return kdf_cipher2ctrl(ctx, krb5kdf_ctrl, EVP_KDF_CTRL_SET_CIPHER, value); ++ ++ if (strcmp(type, "key") == 0) ++ return kdf_str2ctrl(ctx, krb5kdf_ctrl, ++ EVP_KDF_CTRL_SET_KEY, value); ++ ++ if (strcmp(type, "hexkey") == 0) ++ return kdf_hex2ctrl(ctx, krb5kdf_ctrl, ++ EVP_KDF_CTRL_SET_KEY, value); ++ ++ if (strcmp(type, "constant") == 0) ++ return kdf_str2ctrl(ctx, krb5kdf_ctrl, ++ EVP_KDF_CTRL_SET_KRB5KDF_CONSTANT, value); ++ ++ if (strcmp(type, "hexconstant") == 0) ++ return kdf_hex2ctrl(ctx, krb5kdf_ctrl, ++ EVP_KDF_CTRL_SET_KRB5KDF_CONSTANT, value); ++ ++ KDFerr(KDF_F_KBKDF_CTRL_STR, KDF_R_UNKNOWN_PARAMETER_TYPE); ++ return -2; ++} ++ ++ ++#ifndef OPENSSL_NO_DES ++/* ++ * DES3 is a special case, it requires a random-to-key function and its ++ * input truncated to 21 bytes of the 24 produced by the cipher. ++ * See RFC3961 6.3.1 ++ */ ++static int fixup_des3_key(unsigned char *key) ++{ ++ unsigned char *cblock; ++ int i, j; ++ ++ for (i = 2; i >= 0; i--) { ++ cblock = &key[i * 8]; ++ memmove(cblock, &key[i * 7], 7); ++ cblock[7] = 0; ++ for (j = 0; j < 7; j++) ++ cblock[7] |= (cblock[j] & 1) << (j + 1); ++ DES_set_odd_parity((DES_cblock *)cblock); ++ } ++ ++ /* fail if keys are such that triple des degrades to single des */ ++ if (CRYPTO_memcmp(&key[0], &key[8], 8) == 0 || ++ CRYPTO_memcmp(&key[8], &key[16], 8) == 0) { ++ return 0; ++ } ++ ++ return 1; ++} ++#endif ++ ++/* ++ * N-fold(K) where blocksize is N, and constant_len is K ++ * Note: Here |= denotes concatenation ++ * ++ * L = lcm(N,K) ++ * R = L/K ++ * ++ * for r: 1 -> R ++ * s |= constant rot 13*(r-1)) ++ * ++ * block = 0 ++ * for k: 1 -> K ++ * block += s[N(k-1)..(N-1)k] (one's complement addition) ++ * ++ * Optimizing for space we compute: ++ * for each l in L-1 -> 0: ++ * s[l] = (constant rot 13*(l/K))[l%k] ++ * block[l % N] += s[l] (with carry) ++ * finally add carry if any ++ */ ++static void n_fold(unsigned char *block, unsigned int blocksize, ++ const unsigned char *constant, size_t constant_len) ++{ ++ unsigned int tmp, gcd, remainder, lcm, carry; ++ int b, l; ++ ++ if (constant_len == blocksize) { ++ memcpy(block, constant, constant_len); ++ return; ++ } ++ ++ /* Least Common Multiple of lengths: LCM(a,b)*/ ++ gcd = blocksize; ++ remainder = constant_len; ++ /* Calculate Great Common Divisor first GCD(a,b) */ ++ while (remainder != 0) { ++ tmp = gcd % remainder; ++ gcd = remainder; ++ remainder = tmp; ++ } ++ /* resulting a is the GCD, LCM(a,b) = |a*b|/GCD(a,b) */ ++ lcm = blocksize * constant_len / gcd; ++ ++ /* now spread out the bits */ ++ memset(block, 0, blocksize); ++ ++ /* last to first to be able to bring carry forward */ ++ carry = 0; ++ for (l = lcm - 1; l >= 0; l--) { ++ unsigned int rotbits, rshift, rbyte; ++ ++ /* destination byte in block is l % N */ ++ b = l % blocksize; ++ /* Our virtual s buffer is R = L/K long (K = constant_len) */ ++ /* So we rotate backwards from R-1 to 0 (none) rotations */ ++ rotbits = 13 * (l / constant_len); ++ /* find the byte on s where rotbits falls onto */ ++ rbyte = l - (rotbits / 8); ++ /* calculate how much shift on that byte */ ++ rshift = rotbits & 0x07; ++ /* rbyte % constant_len gives us the unrotated byte in the ++ * constant buffer, get also the previous byte then ++ * appropriately shift them to get the rotated byte we need */ ++ tmp = (constant[(rbyte-1) % constant_len] << (8 - rshift) ++ | constant[rbyte % constant_len] >> rshift) ++ & 0xff; ++ /* add with carry to any value placed by previous passes */ ++ tmp += carry + block[b]; ++ block[b] = tmp & 0xff; ++ /* save any carry that may be left */ ++ carry = tmp >> 8; ++ } ++ ++ /* if any carry is left at the end, add it through the number */ ++ for (b = blocksize - 1; b >= 0 && carry != 0; b--) { ++ carry += block[b]; ++ block[b] = carry & 0xff; ++ carry >>= 8; ++ } ++} ++ ++static int cipher_init(EVP_CIPHER_CTX *ctx, ++ const EVP_CIPHER *cipher, ++ const unsigned char *key, size_t key_len) ++{ ++ int klen, ret; ++ ++ ret = EVP_EncryptInit_ex(ctx, cipher, NULL, key, NULL); ++ if (!ret) ++ goto out; ++ /* set the key len for the odd variable key len cipher */ ++ klen = EVP_CIPHER_CTX_key_length(ctx); ++ if (key_len != (size_t)klen) { ++ ret = EVP_CIPHER_CTX_set_key_length(ctx, key_len); ++ if (!ret) ++ goto out; ++ } ++ /* we never want padding, either the length requested is a multiple of ++ * the cipher block size or we are passed a cipher that can cope with ++ * partial blocks via techniques like cipher text stealing */ ++ ret = EVP_CIPHER_CTX_set_padding(ctx, 0); ++ if (!ret) ++ goto out; ++ ++out: ++ return ret; ++} ++ ++static int KRB5KDF(const EVP_CIPHER *cipher, ++ const unsigned char *key, size_t key_len, ++ const unsigned char *constant, size_t constant_len, ++ unsigned char *okey, size_t okey_len) ++{ ++ EVP_CIPHER_CTX *ctx = NULL; ++ unsigned char block[EVP_MAX_BLOCK_LENGTH * 2]; ++ unsigned char *plainblock, *cipherblock; ++ size_t blocksize; ++ size_t cipherlen; ++ size_t osize; ++ int des3_no_fixup = 0; ++ int ret; ++ ++ if (key_len != okey_len) { ++ /* special case for 3des, where the caller may be requesting ++ * the random raw key, instead of the fixed up key */ ++ if (EVP_CIPHER_nid(cipher) == NID_des_ede3_cbc && ++ key_len == 24 && okey_len == 21) { ++ des3_no_fixup = 1; ++ } else { ++ KDFerr(KDF_F_KRB5KDF, KDF_R_WRONG_OUTPUT_BUFFER_SIZE); ++ return 0; ++ } ++ } ++ ++ ctx = EVP_CIPHER_CTX_new(); ++ if (ctx == NULL) ++ return 0; ++ ++ ret = cipher_init(ctx, cipher, key, key_len); ++ if (!ret) ++ goto out; ++ ++ /* Initialize input block */ ++ blocksize = EVP_CIPHER_CTX_block_size(ctx); ++ ++ if (constant_len == 0 || constant_len > blocksize) { ++ KDFerr(KDF_F_KRB5KDF, KDF_R_INVALID_CONSTANT_LENGTH); ++ ret = 0; ++ goto out; ++ } ++ ++ n_fold(block, blocksize, constant, constant_len); ++ plainblock = block; ++ cipherblock = block + EVP_MAX_BLOCK_LENGTH; ++ ++ for (osize = 0; osize < okey_len; osize += cipherlen) { ++ int olen; ++ ++ ret = EVP_EncryptUpdate(ctx, cipherblock, &olen, ++ plainblock, blocksize); ++ if (!ret) ++ goto out; ++ cipherlen = olen; ++ ret = EVP_EncryptFinal_ex(ctx, cipherblock, &olen); ++ if (!ret) ++ goto out; ++ if (olen != 0) { ++ KDFerr(KDF_F_KRB5KDF, KDF_R_WRONG_FINAL_BLOCK_LENGTH); ++ ret = 0; ++ goto out; ++ } ++ ++ /* write cipherblock out */ ++ if (cipherlen > okey_len - osize) ++ cipherlen = okey_len - osize; ++ memcpy(okey + osize, cipherblock, cipherlen); ++ ++ if (okey_len > osize + cipherlen) { ++ /* we need to reinitialize cipher context per spec */ ++ ret = EVP_CIPHER_CTX_reset(ctx); ++ if (!ret) ++ goto out; ++ ret = cipher_init(ctx, cipher, key, key_len); ++ if (!ret) ++ goto out; ++ ++ /* also swap block offsets so last ciphertext becomes new ++ * plaintext */ ++ plainblock = cipherblock; ++ if (cipherblock == block) { ++ cipherblock += EVP_MAX_BLOCK_LENGTH; ++ } else { ++ cipherblock = block; ++ } ++ } ++ } ++ ++#ifndef OPENSSL_NO_DES ++ if (EVP_CIPHER_nid(cipher) == NID_des_ede3_cbc && !des3_no_fixup) { ++ ret = fixup_des3_key(okey); ++ if (!ret) { ++ KDFerr(KDF_F_KRB5KDF, KDF_R_FAILED_TO_GENERATE_KEY); ++ goto out; ++ } ++ } ++#endif ++ ++ ret = 1; ++ ++out: ++ EVP_CIPHER_CTX_free(ctx); ++ OPENSSL_cleanse(block, EVP_MAX_BLOCK_LENGTH * 2); ++ return ret; ++} ++ ++const EVP_KDF_METHOD krb5kdf_kdf_meth = { ++ EVP_KDF_KRB5KDF, ++ krb5kdf_new, ++ krb5kdf_free, ++ krb5kdf_reset, ++ krb5kdf_ctrl, ++ krb5kdf_ctrl_str, ++ krb5kdf_size, ++ krb5kdf_derive, ++}; ++ +diff -up openssl-1.1.1d/crypto/kdf/sshkdf.c.krb5-kdf openssl-1.1.1d/crypto/kdf/sshkdf.c +--- openssl-1.1.1d/crypto/kdf/sshkdf.c.krb5-kdf 2019-11-14 15:07:05.327094396 +0100 ++++ openssl-1.1.1d/crypto/kdf/sshkdf.c 2019-11-18 17:18:25.343388314 +0100 +@@ -12,6 +12,7 @@ + #include + #include + #include ++#include "internal/numbers.h" + #include "internal/cryptlib.h" + #include "crypto/evp.h" + #include "kdf_local.h" +@@ -68,6 +69,12 @@ static int kdf_sshkdf_parse_buffer_arg(u + p = va_arg(args, const unsigned char *); + len = va_arg(args, size_t); + OPENSSL_clear_free(*dst, *dst_len); ++ if (len == 0) { ++ *dst = NULL; ++ *dst_len = 0; ++ return 1; ++ } ++ + *dst = OPENSSL_memdup(p, len); + if (*dst == NULL) + return 0; +diff -up openssl-1.1.1d/crypto/kdf/sskdf.c.krb5-kdf openssl-1.1.1d/crypto/kdf/sskdf.c +--- openssl-1.1.1d/crypto/kdf/sskdf.c.krb5-kdf 2019-11-14 15:07:05.344094093 +0100 ++++ openssl-1.1.1d/crypto/kdf/sskdf.c 2019-11-18 17:21:40.349952802 +0100 +@@ -0,0 +1,255 @@ ++/* ++ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved. ++ * ++ * Licensed under the Apache License 2.0 (the "License"). You may not use ++ * this file except in compliance with the License. You can obtain a copy ++ * in the file LICENSE in the source distribution or at ++ * https://www.openssl.org/source/license.html ++ */ ++ ++/* ++ * Refer to https://csrc.nist.gov/publications/detail/sp/800-56c/rev-1/final ++ * Section 4.1. ++ * ++ * The Single Step KDF algorithm is given by: ++ * ++ * Result(0) = empty bit string (i.e., the null string). ++ * For i = 1 to reps, do the following: ++ * Increment counter by 1. ++ * Result(i) = Result(i – 1) || H(counter || Z || FixedInfo). ++ * DKM = LeftmostBits(Result(reps), L)) ++ * ++ * NOTES: ++ * Z is a shared secret required to produce the derived key material. ++ * counter is a 4 byte buffer. ++ * FixedInfo is a bit string containing context specific data. ++ * DKM is the output derived key material. ++ * L is the required size of the DKM. ++ * reps = [L / H_outputBits] ++ * H(x) is the auxiliary function that can be either a hash, HMAC or KMAC. ++ * This backported version supports only a hash. ++ * H_outputBits is the length of the output of the auxiliary function H(x). ++ * ++ * Currently there is not a comprehensive list of test vectors for this ++ * algorithm, especially for H(x) = HMAC and H(x) = KMAC. ++ * Test vectors for H(x) = Hash are indirectly used by CAVS KAS tests. ++ */ ++#include ++#include ++#include ++#include ++#include ++#include ++#include "internal/cryptlib.h" ++#include "crypto/evp.h" ++#include "kdf_local.h" ++ ++struct evp_kdf_impl_st { ++ const EVP_MD *md; /* H(x) = hash */ ++ unsigned char *secret; ++ size_t secret_len; ++ unsigned char *info; ++ size_t info_len; ++}; ++ ++#define SSKDF_MAX_INLEN (1<<30) ++ ++/* ++ * Refer to https://csrc.nist.gov/publications/detail/sp/800-56c/rev-1/final ++ * Section 4. One-Step Key Derivation using H(x) = hash(x) ++ */ ++static int SSKDF_hash_kdm(const EVP_MD *kdf_md, ++ const unsigned char *z, size_t z_len, ++ const unsigned char *info, size_t info_len, ++ unsigned char *derived_key, size_t derived_key_len) ++{ ++ int ret = 0, hlen; ++ size_t counter, out_len, len = derived_key_len; ++ unsigned char c[4]; ++ unsigned char mac[EVP_MAX_MD_SIZE]; ++ unsigned char *out = derived_key; ++ EVP_MD_CTX *ctx = NULL, *ctx_init = NULL; ++ ++ if (z_len > SSKDF_MAX_INLEN || info_len > SSKDF_MAX_INLEN ++ || derived_key_len > SSKDF_MAX_INLEN ++ || derived_key_len == 0) ++ return 0; ++ ++ hlen = EVP_MD_size(kdf_md); ++ if (hlen <= 0) ++ return 0; ++ out_len = (size_t)hlen; ++ ++ ctx = EVP_MD_CTX_create(); ++ ctx_init = EVP_MD_CTX_create(); ++ if (ctx == NULL || ctx_init == NULL) ++ goto end; ++ ++ if (!EVP_DigestInit(ctx_init, kdf_md)) ++ goto end; ++ ++ for (counter = 1;; counter++) { ++ c[0] = (unsigned char)((counter >> 24) & 0xff); ++ c[1] = (unsigned char)((counter >> 16) & 0xff); ++ c[2] = (unsigned char)((counter >> 8) & 0xff); ++ c[3] = (unsigned char)(counter & 0xff); ++ ++ if (!(EVP_MD_CTX_copy_ex(ctx, ctx_init) ++ && EVP_DigestUpdate(ctx, c, sizeof(c)) ++ && EVP_DigestUpdate(ctx, z, z_len) ++ && EVP_DigestUpdate(ctx, info, info_len))) ++ goto end; ++ if (len >= out_len) { ++ if (!EVP_DigestFinal_ex(ctx, out, NULL)) ++ goto end; ++ out += out_len; ++ len -= out_len; ++ if (len == 0) ++ break; ++ } else { ++ if (!EVP_DigestFinal_ex(ctx, mac, NULL)) ++ goto end; ++ memcpy(out, mac, len); ++ break; ++ } ++ } ++ ret = 1; ++end: ++ EVP_MD_CTX_destroy(ctx); ++ EVP_MD_CTX_destroy(ctx_init); ++ OPENSSL_cleanse(mac, sizeof(mac)); ++ return ret; ++} ++ ++static EVP_KDF_IMPL *sskdf_new(void) ++{ ++ EVP_KDF_IMPL *impl; ++ ++ if ((impl = OPENSSL_zalloc(sizeof(*impl))) == NULL) ++ KDFerr(KDF_F_SSKDF_NEW, ERR_R_MALLOC_FAILURE); ++ return impl; ++} ++ ++static void sskdf_reset(EVP_KDF_IMPL *impl) ++{ ++ OPENSSL_clear_free(impl->secret, impl->secret_len); ++ OPENSSL_clear_free(impl->info, impl->info_len); ++ memset(impl, 0, sizeof(*impl)); ++} ++ ++static void sskdf_free(EVP_KDF_IMPL *impl) ++{ ++ sskdf_reset(impl); ++ OPENSSL_free(impl); ++} ++ ++static int sskdf_set_buffer(va_list args, unsigned char **out, size_t *out_len) ++{ ++ const unsigned char *p; ++ size_t len; ++ ++ p = va_arg(args, const unsigned char *); ++ len = va_arg(args, size_t); ++ OPENSSL_clear_free(*out, *out_len); ++ if (len == 0) { ++ *out = NULL; ++ *out_len = 0; ++ return 1; ++ } ++ ++ *out = OPENSSL_memdup(p, len); ++ if (*out == NULL) ++ return 0; ++ ++ *out_len = len; ++ return 1; ++} ++ ++static int sskdf_ctrl(EVP_KDF_IMPL *impl, int cmd, va_list args) ++{ ++ const EVP_MD *md; ++ ++ switch (cmd) { ++ case EVP_KDF_CTRL_SET_KEY: ++ return sskdf_set_buffer(args, &impl->secret, &impl->secret_len); ++ ++ case EVP_KDF_CTRL_SET_SSKDF_INFO: ++ return sskdf_set_buffer(args, &impl->info, &impl->info_len); ++ ++ case EVP_KDF_CTRL_SET_MD: ++ md = va_arg(args, const EVP_MD *); ++ if (md == NULL) ++ return 0; ++ ++ impl->md = md; ++ return 1; ++ ++ default: ++ return -2; ++ } ++} ++ ++static int sskdf_ctrl_str(EVP_KDF_IMPL *impl, const char *type, ++ const char *value) ++{ ++ if (strcmp(type, "secret") == 0 || strcmp(type, "key") == 0) ++ return kdf_str2ctrl(impl, sskdf_ctrl, EVP_KDF_CTRL_SET_KEY, ++ value); ++ ++ if (strcmp(type, "hexsecret") == 0 || strcmp(type, "hexkey") == 0) ++ return kdf_hex2ctrl(impl, sskdf_ctrl, EVP_KDF_CTRL_SET_KEY, ++ value); ++ ++ if (strcmp(type, "info") == 0) ++ return kdf_str2ctrl(impl, sskdf_ctrl, EVP_KDF_CTRL_SET_SSKDF_INFO, ++ value); ++ ++ if (strcmp(type, "hexinfo") == 0) ++ return kdf_hex2ctrl(impl, sskdf_ctrl, EVP_KDF_CTRL_SET_SSKDF_INFO, ++ value); ++ ++ if (strcmp(type, "digest") == 0) ++ return kdf_md2ctrl(impl, sskdf_ctrl, EVP_KDF_CTRL_SET_MD, value); ++ ++ return -2; ++} ++ ++static size_t sskdf_size(EVP_KDF_IMPL *impl) ++{ ++ int len; ++ ++ if (impl->md == NULL) { ++ KDFerr(KDF_F_SSKDF_SIZE, KDF_R_MISSING_MESSAGE_DIGEST); ++ return 0; ++ } ++ len = EVP_MD_size(impl->md); ++ return (len <= 0) ? 0 : (size_t)len; ++} ++ ++static int sskdf_derive(EVP_KDF_IMPL *impl, unsigned char *key, size_t keylen) ++{ ++ if (impl->secret == NULL) { ++ KDFerr(KDF_F_SSKDF_DERIVE, KDF_R_MISSING_SECRET); ++ return 0; ++ } ++ ++ /* H(x) = hash */ ++ if (impl->md == NULL) { ++ KDFerr(KDF_F_SSKDF_DERIVE, KDF_R_MISSING_MESSAGE_DIGEST); ++ return 0; ++ } ++ return SSKDF_hash_kdm(impl->md, impl->secret, impl->secret_len, ++ impl->info, impl->info_len, key, keylen); ++} ++ ++const EVP_KDF_METHOD ss_kdf_meth = { ++ EVP_KDF_SS, ++ sskdf_new, ++ sskdf_free, ++ sskdf_reset, ++ sskdf_ctrl, ++ sskdf_ctrl_str, ++ sskdf_size, ++ sskdf_derive ++}; +diff -up openssl-1.1.1d/crypto/objects/obj_dat.h.krb5-kdf openssl-1.1.1d/crypto/objects/obj_dat.h +--- openssl-1.1.1d/crypto/objects/obj_dat.h.krb5-kdf 2019-11-14 15:07:05.322094485 +0100 ++++ openssl-1.1.1d/crypto/objects/obj_dat.h 2019-11-14 15:07:05.345094076 +0100 +@@ -1078,7 +1078,7 @@ static const unsigned char so[7762] = { + 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x0D, /* [ 7753] OBJ_hmacWithSHA512_256 */ + }; + +-#define NUM_NID 1196 ++#define NUM_NID 1199 + static const ASN1_OBJECT nid_objs[NUM_NID] = { + {"UNDEF", "undefined", NID_undef}, + {"rsadsi", "RSA Data Security, Inc.", NID_rsadsi, 6, &so[0]}, +@@ -2276,9 +2276,12 @@ static const ASN1_OBJECT nid_objs[NUM_NI + {"hmacWithSHA512-224", "hmacWithSHA512-224", NID_hmacWithSHA512_224, 8, &so[7745]}, + {"hmacWithSHA512-256", "hmacWithSHA512-256", NID_hmacWithSHA512_256, 8, &so[7753]}, + {"SSHKDF", "sshkdf", NID_sshkdf}, ++ {"KBKDF", "kbkdf", NID_kbkdf}, ++ {"KRB5KDF", "krb5kdf", NID_krb5kdf}, ++ {"SSKDF", "sskdf", NID_sskdf}, + }; + +-#define NUM_SN 1187 ++#define NUM_SN 1190 + static const unsigned int sn_objs[NUM_SN] = { + 364, /* "AD_DVCS" */ + 419, /* "AES-128-CBC" */ +@@ -2442,7 +2445,9 @@ static const unsigned int sn_objs[NUM_SN + 183, /* "ISO-US" */ + 645, /* "ITU-T" */ + 646, /* "JOINT-ISO-ITU-T" */ ++ 1196, /* "KBKDF" */ + 773, /* "KISA" */ ++ 1197, /* "KRB5KDF" */ + 1063, /* "KxANY" */ + 1039, /* "KxDHE" */ + 1041, /* "KxDHE-PSK" */ +@@ -2557,6 +2562,7 @@ static const unsigned int sn_objs[NUM_SN + 100, /* "SN" */ + 1006, /* "SNILS" */ + 1195, /* "SSHKDF" */ ++ 1198, /* "SSKDF" */ + 16, /* "ST" */ + 143, /* "SXNetID" */ + 1062, /* "SipHash" */ +@@ -3469,7 +3475,7 @@ static const unsigned int sn_objs[NUM_SN + 1093, /* "x509ExtAdmission" */ + }; + +-#define NUM_LN 1187 ++#define NUM_LN 1190 + static const unsigned int ln_objs[NUM_LN] = { + 363, /* "AD Time Stamping" */ + 405, /* "ANSI X9.62" */ +@@ -4262,8 +4268,10 @@ static const unsigned int ln_objs[NUM_LN + 957, /* "jurisdictionCountryName" */ + 955, /* "jurisdictionLocalityName" */ + 956, /* "jurisdictionStateOrProvinceName" */ ++ 1196, /* "kbkdf" */ + 150, /* "keyBag" */ + 773, /* "kisa" */ ++ 1197, /* "krb5kdf" */ + 1063, /* "kx-any" */ + 1039, /* "kx-dhe" */ + 1041, /* "kx-dhe-psk" */ +@@ -4612,6 +4620,7 @@ static const unsigned int ln_objs[NUM_LN + 1133, /* "sm4-ecb" */ + 1135, /* "sm4-ofb" */ + 1195, /* "sshkdf" */ ++ 1198, /* "sskdf" */ + 16, /* "stateOrProvinceName" */ + 660, /* "streetAddress" */ + 498, /* "subtreeMaximumQuality" */ +diff -up openssl-1.1.1d/crypto/objects/objects.txt.krb5-kdf openssl-1.1.1d/crypto/objects/objects.txt +--- openssl-1.1.1d/crypto/objects/objects.txt.krb5-kdf 2019-11-14 15:07:05.322094485 +0100 ++++ openssl-1.1.1d/crypto/objects/objects.txt 2019-11-14 15:07:05.345094076 +0100 +@@ -1603,6 +1603,15 @@ secg-scheme 14 3 : dhSinglePass-cofactor + # NID for SSHKDF + : SSHKDF : sshkdf + ++# NID for KBKDF ++ : KBKDF : kbkdf ++ ++# NID for KRB5KDF ++ : KRB5KDF : krb5kdf ++ ++# NID for SSKDF ++ : SSKDF : sskdf ++ + # RFC 4556 + 1 3 6 1 5 2 3 : id-pkinit + id-pkinit 4 : pkInitClientAuth : PKINIT Client Auth +diff -up openssl-1.1.1d/crypto/objects/obj_mac.num.krb5-kdf openssl-1.1.1d/crypto/objects/obj_mac.num +--- openssl-1.1.1d/crypto/objects/obj_mac.num.krb5-kdf 2019-11-14 15:07:05.322094485 +0100 ++++ openssl-1.1.1d/crypto/objects/obj_mac.num 2019-11-14 15:07:05.346094058 +0100 +@@ -1193,3 +1193,6 @@ magma_mac 1192 + hmacWithSHA512_224 1193 + hmacWithSHA512_256 1194 + sshkdf 1195 ++kbkdf 1196 ++krb5kdf 1197 ++sskdf 1198 +diff -up openssl-1.1.1d/doc/man3/EVP_KDF_CTX.pod.krb5-kdf openssl-1.1.1d/doc/man3/EVP_KDF_CTX.pod +--- openssl-1.1.1d/doc/man3/EVP_KDF_CTX.pod.krb5-kdf 2019-11-14 15:07:05.314094628 +0100 ++++ openssl-1.1.1d/doc/man3/EVP_KDF_CTX.pod 2019-11-14 15:07:05.346094058 +0100 +@@ -140,7 +140,14 @@ The value string is expected to be a dec + This control expects one argument: C + + For MAC implementations that use a message digest as an underlying computation +-algorithm, this control set what the digest algorithm should be. ++algorithm, this control sets what the digest algorithm should be. ++ ++=item B ++ ++This control expects one argument: C ++ ++For MAC implementations that use a cipher as an underlying computation ++algorithm, this control sets what the cipher algorithm should be. + + EVP_KDF_ctrl_str() type string: "md" + +diff -up openssl-1.1.1d/doc/man7/EVP_KDF_KB.pod.krb5-kdf openssl-1.1.1d/doc/man7/EVP_KDF_KB.pod +--- openssl-1.1.1d/doc/man7/EVP_KDF_KB.pod.krb5-kdf 2019-11-14 15:07:05.346094058 +0100 ++++ openssl-1.1.1d/doc/man7/EVP_KDF_KB.pod 2019-11-14 15:07:05.346094058 +0100 +@@ -0,0 +1,173 @@ ++=pod ++ ++=head1 NAME ++ ++EVP_KDF_KB - The Key-Based EVP_KDF implementation ++ ++=head1 DESCRIPTION ++ ++The EVP_KDF_KB algorithm implements the Key-Based key derivation function ++(KBKDF). KBKDF derives a key from repeated application of a keyed MAC to an ++input secret (and other optional values). ++ ++=head2 Numeric identity ++ ++B is the numeric identity for this implementation; it can be used with the ++EVP_KDF_CTX_new_id() function. ++ ++=head2 Supported controls ++ ++The supported controls are: ++ ++=over 4 ++ ++=item B ++ ++This control expects one argument: C ++ ++Sets the mode for the KBKDF operation. There are two supported modes: ++ ++=over 4 ++ ++=item B ++ ++The counter mode of KBKDF should be used. This is the default. ++ ++=item B ++ ++The feedback mode of KBKDF should be used. ++ ++=back ++ ++=item B ++ ++This control expects one argument: C ++ ++Sets the mac type for the KBKDF operation. There are two supported mac types: ++ ++=over 4 ++ ++=item B ++ ++The HMAC with the digest set by B should be used as the mac. ++ ++=item B ++ ++The CMAC with the cipher set by B should be used as the mac. ++ ++=back ++ ++=item B ++ ++=item B ++ ++=item B ++ ++=item B ++ ++These controls work as described in L. ++ ++=item B ++ ++This control expects two arguments: C, C ++ ++=item B ++ ++This control expects two arguments: C, C ++ ++It is used only in the feedback mode and the length must be the same ++as the block length of the cipher in CMAC or the size of the digest in HMAC. ++ ++=back ++ ++The controls B, B, ++B, and B ++correspond to KI, Label, Context, and IV (respectively) in SP800-108. ++As in that document, salt, info, and seed are optional and may be ++omitted. ++ ++Depending on whether mac is CMAC or HMAC, either digest or cipher is ++required (respectively) and the other is unused. ++ ++=head1 NOTES ++ ++A context for KBKDF can be obtained by calling: ++ ++ EVP_KDF_CTX *kctx = EVP_KDF_CTX_new_id(EVP_KDF_KB); ++ ++The output length of an KBKDF is specified via the C ++parameter to the L function. ++ ++Note that currently OpenSSL only implements counter and feedback modes. Other ++variants may be supported in the future. ++ ++=head1 EXAMPLES ++ ++This example derives 10 bytes using COUNTER-HMAC-SHA256, with KI "secret", ++Label "label", and Context "context". ++ ++ EVP_KDF_CTX *kctx; ++ unsigned char out[10]; ++ ++ kctx = EVP_KDF_CTX_new_id(EVP_KDF_KB); ++ ++ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()); ++ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_MAC_TYPE, EVP_KDF_KB_MAC_TYPE_HMAC); ++ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, "secret", strlen("secret")); ++ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, "label", strlen("label")); ++ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_INFO, "context", strlen("context")); ++ if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) ++ error("EVP_KDF_derive"); ++ ++ EVP_KDF_CTX_free(kctx); ++ ++This example derives 10 bytes using FEEDBACK-CMAC-AES256, with KI "secret", ++Label "label", Context "context", and IV "sixteen bytes iv". ++ ++ EVP_KDF_CTX *kctx; ++ unsigned char out[10]; ++ unsigned char *iv = "sixteen bytes iv"; ++ ++ kctx = EVP_KDF_CTX_new_id(EVP_KDF_KB); ++ ++ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_CIPHER, EVP_aes_256_cbc()); ++ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_MAC_TYPE, EVP_KDF_KB_MAC_TYPE_CMAC); ++ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_MODE, EVP_KDF_KB_MODE_FEEDBACK); ++ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, "secret", strlen("secret")); ++ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, "label", strlen("label")); ++ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_INFO, "context", strlen("context")); ++ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_SEED, iv, strlen(iv)); ++ if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) ++ error("EVP_KDF_derive"); ++ ++ EVP_KDF_CTX_free(kctx); ++ ++=head1 CONFORMING TO ++ ++NIST SP800-108, IETF RFC 6803, IETF RFC 8009. ++ ++=head1 SEE ALSO ++ ++L, ++L, ++L, ++L, ++L, ++L, ++L ++ ++=head1 HISTORY ++ ++This functionality was added to OpenSSL 3.0. ++ ++=head1 COPYRIGHT ++ ++Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. ++Copyright 2019 Red Hat, Inc. ++ ++Licensed under the Apache License 2.0 (the "License"). You may not use ++this file except in compliance with the License. You can obtain a copy ++in the file LICENSE in the source distribution or at ++L. ++ ++=cut +diff -up openssl-1.1.1d/doc/man7/EVP_KDF_KRB5KDF.pod.krb5-kdf openssl-1.1.1d/doc/man7/EVP_KDF_KRB5KDF.pod +--- openssl-1.1.1d/doc/man7/EVP_KDF_KRB5KDF.pod.krb5-kdf 2019-11-14 15:07:05.346094058 +0100 ++++ openssl-1.1.1d/doc/man7/EVP_KDF_KRB5KDF.pod 2019-11-14 15:07:05.346094058 +0100 +@@ -0,0 +1,107 @@ ++=pod ++ ++=head1 NAME ++ ++EVP_KDF_KRB5KDF - The RFC3961 Krb5 KDF EVP_KDF implementation ++ ++=head1 DESCRIPTION ++ ++Support for computing the B KDF through the B API. ++ ++The B algorithm implements the key derivation function defined ++in RFC 3961, section 5.1 and is used by Krb5 to derive session keys. ++Three inputs are required to perform key derivation: a cipher, (for example ++AES-128-CBC), the initial key, and a constant. ++ ++=head2 Numeric identity ++ ++B is the numeric identity for this implementation; it can be used with the ++EVP_KDF_CTX_new_id() function. ++ ++=head2 Supported controls ++ ++The supported controls are: ++ ++=over 4 ++ ++=item B ++ ++=item B ++ ++These controls work as described in L. ++ ++=item B ++ ++This control expects two arguments: C, C ++ ++This control sets the I value for the KDF. ++If a value is already set, the contents are replaced. ++ ++=back ++ ++ ++=head1 NOTES ++ ++A context for KRB5KDF can be obtained by calling: ++ ++ EVP_KDF_CTX *kctx = EVP_KDF_CTX_new_id(EVP_KDF_KRB5KDF); ++ ++The output length of the KRB5KDF derivation is specified via the I ++parameter to the L function, and MUST match the key ++length for the chosen cipher or an error is returned. Moreover the ++I's length must not exceed the block size of the cipher. ++Since the KRB5KDF output length depends on the chosen cipher, calling ++L to obtain the requisite length returns the correct length ++only after the cipher is set. Prior to that B is returned. ++The caller must allocate a buffer of the correct length for the chosen ++cipher, and pass that buffer to the L function along ++with that length. ++ ++=head1 EXAMPLES ++ ++This example derives a key using the AES-128-CBC cipher: ++ ++ EVP_KDF_CTX *kctx; ++ unsigned char key[16] = "01234..."; ++ unsigned char constant[] = "I'm a constant"; ++ unsigned char out[16]; ++ size_t outlen = sizeof(out); ++ ++ kctx = EVP_KDF_CTX_new_id(EVP_KDF_KRB5KDF); ++ ++ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_CIPHER, EVP_aes_128_cbc()); ++ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, key, (size_t)16); ++ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KRB5KDF_CONSTANT, constant, strlen(constant)); ++ if (EVP_KDF_derive(kctx, out, outlen) <= 0) ++ /* Error */ ++ EVP_KDF_CTX_free(kctx); ++ ++=head1 CONFORMING TO ++ ++RFC 3961 ++ ++=head1 SEE ALSO ++ ++L, ++L, ++L, ++L, ++L, ++L, ++L ++ ++=head1 HISTORY ++ ++This functionality was added to OpenSSL 3.0. ++ ++=head1 COPYRIGHT ++ ++Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved. ++ ++Licensed under the OpenSSL license (the "License"). You may not use ++this file except in compliance with the License. You can obtain a copy ++in the file LICENSE in the source distribution or at ++L. ++ ++=cut ++ +diff -up openssl-1.1.1d/doc/man7/EVP_KDF_SS.pod.krb5-kdf openssl-1.1.1d/doc/man7/EVP_KDF_SS.pod +--- openssl-1.1.1d/doc/man7/EVP_KDF_SS.pod.krb5-kdf 2019-11-14 15:07:05.346094058 +0100 ++++ openssl-1.1.1d/doc/man7/EVP_KDF_SS.pod 2019-11-14 15:07:05.346094058 +0100 +@@ -0,0 +1,146 @@ ++=pod ++ ++=head1 NAME ++ ++EVP_KDF_SS - The Single Step / One Step EVP_KDF implementation ++ ++=head1 DESCRIPTION ++ ++The EVP_KDF_SS algorithm implements the Single Step key derivation function (SSKDF). ++SSKDF derives a key using input such as a shared secret key (that was generated ++during the execution of a key establishment scheme) and fixedinfo. ++SSKDF is also informally referred to as 'Concat KDF'. ++ ++=head2 Auxilary function ++ ++The implementation uses a selectable auxiliary function H, which can be in the ++backported version only a: ++ ++=over 4 ++ ++=item B ++ ++=back ++ ++=head2 Numeric identity ++ ++B is the numeric identity for this implementation; it ++can be used with the EVP_KDF_CTX_new_id() function. ++ ++=head2 Supported controls ++ ++The supported controls are: ++ ++=over 4 ++ ++=item B ++ ++This control works as described in L. ++ ++=item B ++ ++This control expects two arguments: C, C ++ ++The shared secret used for key derivation. This control sets the secret. ++ ++EVP_KDF_ctrl_str() takes two type strings for this control: ++ ++=over 4 ++ ++=item "secret" ++ ++The value string is used as is. ++ ++=item "hexsecret" ++ ++The value string is expected to be a hexadecimal number, which will be ++decoded before being passed on as the control value. ++ ++=back ++ ++=item B ++ ++This control expects two arguments: C, C ++ ++An optional value for fixedinfo, also known as otherinfo. This control sets the fixedinfo. ++ ++EVP_KDF_ctrl_str() takes two type strings for this control: ++ ++=over 4 ++ ++=item "info" ++ ++The value string is used as is. ++ ++=item "hexinfo" ++ ++The value string is expected to be a hexadecimal number, which will be ++decoded before being passed on as the control value. ++ ++=back ++ ++=back ++ ++=head1 NOTES ++ ++A context for SSKDF can be obtained by calling: ++ ++EVP_KDF_CTX *kctx = EVP_KDF_CTX_new_id(EVP_KDF_SS); ++ ++The output length of an SSKDF is specified via the C ++parameter to the L function. ++ ++=head1 EXAMPLE ++ ++This example derives 10 bytes using H(x) = SHA-256, with the secret key "secret" ++and fixedinfo value "label": ++ ++ EVP_KDF_CTX *kctx; ++ unsigned char out[10]; ++ ++ kctx = EVP_KDF_CTX_new_id(EVP_KDF_SS); ++ ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) { ++ error("EVP_KDF_CTRL_SET_MD"); ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, "secret", (size_t)6) <= 0) { ++ error("EVP_KDF_CTRL_SET_KEY"); ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SSKDF_INFO, "label", (size_t)5) <= 0) { ++ error("EVP_KDF_CTRL_SET_SSKDF_INFO"); ++ } ++ if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) { ++ error("EVP_KDF_derive"); ++ } ++ ++ EVP_KDF_CTX_free(kctx); ++ ++=head1 CONFORMING TO ++ ++NIST SP800-56Cr1. ++ ++=head1 SEE ALSO ++ ++L, ++L, ++L, ++L, ++L, ++L, ++L ++ ++=head1 HISTORY ++ ++This functionality was added to OpenSSL 3.0.0. ++ ++=head1 COPYRIGHT ++ ++Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. Copyright ++(c) 2019, Oracle and/or its affiliates. All rights reserved. ++ ++Licensed under the Apache License 2.0 (the "License"). You may not use ++this file except in compliance with the License. You can obtain a copy ++in the file LICENSE in the source distribution or at ++L. ++ ++=cut +diff -up openssl-1.1.1d/include/openssl/kdferr.h.krb5-kdf openssl-1.1.1d/include/openssl/kdferr.h +--- openssl-1.1.1d/include/openssl/kdferr.h.krb5-kdf 2019-11-14 15:07:05.323094468 +0100 ++++ openssl-1.1.1d/include/openssl/kdferr.h 2019-11-14 15:07:05.347094040 +0100 +@@ -24,6 +24,11 @@ int ERR_load_KDF_strings(void); + * KDF function codes. + */ + # define KDF_F_HKDF_EXTRACT 112 ++# define KDF_F_KBKDF_CTRL 134 ++# define KDF_F_KBKDF_CTRL_STR 135 ++# define KDF_F_KBKDF_DERIVE 136 ++# define KDF_F_KBKDF_NEW 137 ++# define KDF_F_KDF_CIPHER2CTRL 138 + # define KDF_F_KDF_HKDF_DERIVE 113 + # define KDF_F_KDF_HKDF_NEW 114 + # define KDF_F_KDF_HKDF_SIZE 115 +@@ -43,6 +48,8 @@ int ERR_load_KDF_strings(void); + # define KDF_F_KDF_TLS1_PRF_CTRL_STR 125 + # define KDF_F_KDF_TLS1_PRF_DERIVE 126 + # define KDF_F_KDF_TLS1_PRF_NEW 127 ++# define KDF_F_KRB5KDF 139 ++# define KDF_F_KRB5KDF_DERIVE 140 + # define KDF_F_PBKDF2_SET_MEMBUF 128 + # define KDF_F_PKEY_HKDF_CTRL_STR 103 + # define KDF_F_PKEY_HKDF_DERIVE 102 +@@ -56,12 +63,21 @@ int ERR_load_KDF_strings(void); + # define KDF_F_PKEY_TLS1_PRF_DERIVE 101 + # define KDF_F_PKEY_TLS1_PRF_INIT 110 + # define KDF_F_SCRYPT_SET_MEMBUF 129 ++# define KDF_F_SSKDF_DERIVE 141 ++# define KDF_F_SSKDF_NEW 142 ++# define KDF_F_SSKDF_SIZE 143 + # define KDF_F_TLS1_PRF_ALG 111 + + /* + * KDF reason codes. + */ ++# define KDF_R_FAILED_TO_GENERATE_KEY 118 ++# define KDF_R_INVALID_CIPHER 116 ++# define KDF_R_INVALID_CONSTANT_LENGTH 119 + # define KDF_R_INVALID_DIGEST 100 ++# define KDF_R_INVALID_SEED_LENGTH 117 ++# define KDF_R_MISSING_CIPHER 120 ++# define KDF_R_MISSING_CONSTANT 121 + # define KDF_R_MISSING_ITERATION_COUNT 109 + # define KDF_R_MISSING_KEY 104 + # define KDF_R_MISSING_MESSAGE_DIGEST 105 +@@ -76,6 +92,7 @@ int ERR_load_KDF_strings(void); + # define KDF_R_UNKNOWN_PARAMETER_TYPE 103 + # define KDF_R_VALUE_ERROR 108 + # define KDF_R_VALUE_MISSING 102 ++# define KDF_R_WRONG_FINAL_BLOCK_LENGTH 122 + # define KDF_R_WRONG_OUTPUT_BUFFER_SIZE 112 + + #endif +diff -up openssl-1.1.1d/include/openssl/kdf.h.krb5-kdf openssl-1.1.1d/include/openssl/kdf.h +--- openssl-1.1.1d/include/openssl/kdf.h.krb5-kdf 2019-11-14 15:07:05.323094468 +0100 ++++ openssl-1.1.1d/include/openssl/kdf.h 2019-11-14 15:07:05.347094040 +0100 +@@ -21,6 +21,9 @@ extern "C" { + # define EVP_KDF_TLS1_PRF NID_tls1_prf + # define EVP_KDF_HKDF NID_hkdf + # define EVP_KDF_SSHKDF NID_sshkdf ++# define EVP_KDF_KB NID_kbkdf ++# define EVP_KDF_KRB5KDF NID_krb5kdf ++# define EVP_KDF_SS NID_sskdf + + EVP_KDF_CTX *EVP_KDF_CTX_new_id(int id); + void EVP_KDF_CTX_free(EVP_KDF_CTX *ctx); +@@ -51,6 +54,13 @@ int EVP_KDF_derive(EVP_KDF_CTX *ctx, uns + # define EVP_KDF_CTRL_SET_SSHKDF_XCGHASH 0x10 /* unsigned char *, size_t */ + # define EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID 0x11 /* unsigned char *, size_t */ + # define EVP_KDF_CTRL_SET_SSHKDF_TYPE 0x12 /* int */ ++# define EVP_KDF_CTRL_SET_KB_MODE 0x13 /* int */ ++# define EVP_KDF_CTRL_SET_KB_MAC_TYPE 0x14 /* int */ ++# define EVP_KDF_CTRL_SET_CIPHER 0x15 /* EVP_CIPHER * */ ++# define EVP_KDF_CTRL_SET_KB_INFO 0x16 /* unsigned char *, size_t */ ++# define EVP_KDF_CTRL_SET_KB_SEED 0x17 /* unsigned char *, size_t */ ++# define EVP_KDF_CTRL_SET_KRB5KDF_CONSTANT 0x18 /* unsigned char *, size_t */ ++# define EVP_KDF_CTRL_SET_SSKDF_INFO 0x19 /* unsigned char *, size_t */ + + # define EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND 0 + # define EVP_KDF_HKDF_MODE_EXTRACT_ONLY 1 +@@ -63,6 +73,12 @@ int EVP_KDF_derive(EVP_KDF_CTX *ctx, uns + #define EVP_KDF_SSHKDF_TYPE_INTEGRITY_KEY_CLI_TO_SRV 69 + #define EVP_KDF_SSHKDF_TYPE_INTEGRITY_KEY_SRV_TO_CLI 70 + ++#define EVP_KDF_KB_MODE_COUNTER 0 ++#define EVP_KDF_KB_MODE_FEEDBACK 1 ++ ++#define EVP_KDF_KB_MAC_TYPE_HMAC 0 ++#define EVP_KDF_KB_MAC_TYPE_CMAC 1 ++ + /**** The legacy PKEY-based KDF API follows. ****/ + + # define EVP_PKEY_CTRL_TLS_MD (EVP_PKEY_ALG_CTRL) +diff -up openssl-1.1.1d/include/openssl/obj_mac.h.krb5-kdf openssl-1.1.1d/include/openssl/obj_mac.h +--- openssl-1.1.1d/include/openssl/obj_mac.h.krb5-kdf 2019-11-14 15:07:05.323094468 +0100 ++++ openssl-1.1.1d/include/openssl/obj_mac.h 2019-11-14 15:07:05.347094040 +0100 +@@ -4974,6 +4974,18 @@ + #define LN_sshkdf "sshkdf" + #define NID_sshkdf 1203 + ++#define SN_kbkdf "KBKDF" ++#define LN_kbkdf "kbkdf" ++#define NID_kbkdf 1204 ++ ++#define SN_krb5kdf "KRB5KDF" ++#define LN_krb5kdf "krb5kdf" ++#define NID_krb5kdf 1205 ++ ++#define SN_sskdf "SSKDF" ++#define LN_sskdf "sskdf" ++#define NID_sskdf 1206 ++ + #define SN_id_pkinit "id-pkinit" + #define NID_id_pkinit 1031 + #define OBJ_id_pkinit 1L,3L,6L,1L,5L,2L,3L +diff -up openssl-1.1.1d/test/evp_kdf_test.c.krb5-kdf openssl-1.1.1d/test/evp_kdf_test.c +--- openssl-1.1.1d/test/evp_kdf_test.c.krb5-kdf 2019-11-14 15:07:05.315094610 +0100 ++++ openssl-1.1.1d/test/evp_kdf_test.c 2019-11-14 15:07:05.348094022 +0100 +@@ -225,13 +225,358 @@ err: + } + #endif + ++/* ++ * KBKDF test vectors from RFC 6803 (Camellia Encryption for Kerberos 5) ++ * section 10. ++ */ ++static int test_kdf_kbkdf_6803_128(void) ++{ ++ int ret = 0, i; ++ EVP_KDF_CTX *kctx; ++ static unsigned char input_key[] = { ++ 0x57, 0xD0, 0x29, 0x72, 0x98, 0xFF, 0xD9, 0xD3, ++ 0x5D, 0xE5, 0xA4, 0x7F, 0xB4, 0xBD, 0xE2, 0x4B, ++ }; ++ static unsigned char constants[][5] = { ++ { 0x00, 0x00, 0x00, 0x02, 0x99 }, ++ { 0x00, 0x00, 0x00, 0x02, 0xaa }, ++ { 0x00, 0x00, 0x00, 0x02, 0x55 }, ++ }; ++ static unsigned char outputs[][16] = { ++ {0xD1, 0x55, 0x77, 0x5A, 0x20, 0x9D, 0x05, 0xF0, ++ 0x2B, 0x38, 0xD4, 0x2A, 0x38, 0x9E, 0x5A, 0x56}, ++ {0x64, 0xDF, 0x83, 0xF8, 0x5A, 0x53, 0x2F, 0x17, ++ 0x57, 0x7D, 0x8C, 0x37, 0x03, 0x57, 0x96, 0xAB}, ++ {0x3E, 0x4F, 0xBD, 0xF3, 0x0F, 0xB8, 0x25, 0x9C, ++ 0x42, 0x5C, 0xB6, 0xC9, 0x6F, 0x1F, 0x46, 0x35} ++ }; ++ static unsigned char iv[16] = { 0 }; ++ unsigned char result[16] = { 0 }; ++ ++ for (i = 0; i < 3; i++) { ++ ret = 0; ++ if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_KB)) == NULL) { ++ TEST_error("EVP_KDF_KB"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_MAC_TYPE, EVP_KDF_KB_MAC_TYPE_CMAC) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_KB_MAC_TYPE"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_MODE, EVP_KDF_KB_MODE_FEEDBACK) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_KB_MODE"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_CIPHER, EVP_camellia_128_cbc()) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_CIPHER"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, input_key, sizeof(input_key)) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_KEY"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, constants[i], sizeof(constants[i])) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_SALT"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_SEED, iv, sizeof(iv)) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_KB_SEED"); ++ goto err; ++ } ++ ret = TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result)), 0) ++ && TEST_mem_eq(result, sizeof(result), outputs[i], ++ sizeof(outputs[i])); ++err: ++ EVP_KDF_CTX_free(kctx); ++ if (ret != 1) ++ return ret; ++ } ++ return ret; ++} ++ ++static int test_kdf_kbkdf_6803_256(void) ++{ ++ int ret = 0, i; ++ EVP_KDF_CTX *kctx; ++ static unsigned char input_key[] = { ++ 0xB9, 0xD6, 0x82, 0x8B, 0x20, 0x56, 0xB7, 0xBE, ++ 0x65, 0x6D, 0x88, 0xA1, 0x23, 0xB1, 0xFA, 0xC6, ++ 0x82, 0x14, 0xAC, 0x2B, 0x72, 0x7E, 0xCF, 0x5F, ++ 0x69, 0xAF, 0xE0, 0xC4, 0xDF, 0x2A, 0x6D, 0x2C, ++ }; ++ static unsigned char constants[][5] = { ++ { 0x00, 0x00, 0x00, 0x02, 0x99 }, ++ { 0x00, 0x00, 0x00, 0x02, 0xaa }, ++ { 0x00, 0x00, 0x00, 0x02, 0x55 }, ++ }; ++ static unsigned char outputs[][32] = { ++ {0xE4, 0x67, 0xF9, 0xA9, 0x55, 0x2B, 0xC7, 0xD3, ++ 0x15, 0x5A, 0x62, 0x20, 0xAF, 0x9C, 0x19, 0x22, ++ 0x0E, 0xEE, 0xD4, 0xFF, 0x78, 0xB0, 0xD1, 0xE6, ++ 0xA1, 0x54, 0x49, 0x91, 0x46, 0x1A, 0x9E, 0x50, ++ }, ++ {0x41, 0x2A, 0xEF, 0xC3, 0x62, 0xA7, 0x28, 0x5F, ++ 0xC3, 0x96, 0x6C, 0x6A, 0x51, 0x81, 0xE7, 0x60, ++ 0x5A, 0xE6, 0x75, 0x23, 0x5B, 0x6D, 0x54, 0x9F, ++ 0xBF, 0xC9, 0xAB, 0x66, 0x30, 0xA4, 0xC6, 0x04, ++ }, ++ {0xFA, 0x62, 0x4F, 0xA0, 0xE5, 0x23, 0x99, 0x3F, ++ 0xA3, 0x88, 0xAE, 0xFD, 0xC6, 0x7E, 0x67, 0xEB, ++ 0xCD, 0x8C, 0x08, 0xE8, 0xA0, 0x24, 0x6B, 0x1D, ++ 0x73, 0xB0, 0xD1, 0xDD, 0x9F, 0xC5, 0x82, 0xB0, ++ }, ++ }; ++ static unsigned char iv[16] = { 0 }; ++ unsigned char result[32] = { 0 }; ++ ++ for (i = 0; i < 3; i++) { ++ ret = 0; ++ if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_KB)) == NULL) { ++ TEST_error("EVP_KDF_KB"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_MAC_TYPE, EVP_KDF_KB_MAC_TYPE_CMAC) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_KB_MAC_TYPE"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_MODE, EVP_KDF_KB_MODE_FEEDBACK) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_KB_MODE"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_CIPHER, EVP_camellia_256_cbc()) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_CIPHER"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, input_key, sizeof(input_key)) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_KEY"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, constants[i], sizeof(constants[i])) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_SALT"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_SEED, iv, sizeof(iv)) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_KB_SEED"); ++ goto err; ++ } ++ ret = TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result)), 0) ++ && TEST_mem_eq(result, sizeof(result), outputs[i], ++ sizeof(outputs[i])); ++err: ++ EVP_KDF_CTX_free(kctx); ++ if (ret != 1) ++ return ret; ++ } ++ return ret; ++} ++ ++/* Two test vectors from RFC 8009 (AES Encryption with HMAC-SHA2 for Kerberos ++ * 5) appendix A. */ ++static int test_kdf_kbkdf_8009_prf1(void) ++{ ++ int ret = 0; ++ EVP_KDF_CTX *kctx; ++ char *label = "prf", *prf_input = "test"; ++ static unsigned char input_key[] = { ++ 0x37, 0x05, 0xD9, 0x60, 0x80, 0xC1, 0x77, 0x28, ++ 0xA0, 0xE8, 0x00, 0xEA, 0xB6, 0xE0, 0xD2, 0x3C, ++ }; ++ static unsigned char output[] = { ++ 0x9D, 0x18, 0x86, 0x16, 0xF6, 0x38, 0x52, 0xFE, ++ 0x86, 0x91, 0x5B, 0xB8, 0x40, 0xB4, 0xA8, 0x86, ++ 0xFF, 0x3E, 0x6B, 0xB0, 0xF8, 0x19, 0xB4, 0x9B, ++ 0x89, 0x33, 0x93, 0xD3, 0x93, 0x85, 0x42, 0x95, ++ }; ++ unsigned char result[sizeof(output)] = { 0 }; ++ ++ if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_KB)) == NULL) { ++ TEST_error("EVP_KDF_KB"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_MAC_TYPE, EVP_KDF_KB_MAC_TYPE_HMAC) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_KB_MAC_TYPE"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_MD"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, input_key, sizeof(input_key)) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_KEY"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, label, strlen(label)) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_SALT"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_INFO, prf_input, strlen(prf_input)) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_KB_INFO"); ++ goto err; ++ } ++ ret = TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result)), 0) ++ && TEST_mem_eq(result, sizeof(result), output, ++ sizeof(output)); ++err: ++ EVP_KDF_CTX_free(kctx); ++ return ret; ++} ++ ++static int test_kdf_kbkdf_8009_prf2(void) ++{ ++ int ret = 0; ++ EVP_KDF_CTX *kctx; ++ char *label = "prf", *prf_input = "test"; ++ static unsigned char input_key[] = { ++ 0x6D, 0x40, 0x4D, 0x37, 0xFA, 0xF7, 0x9F, 0x9D, ++ 0xF0, 0xD3, 0x35, 0x68, 0xD3, 0x20, 0x66, 0x98, ++ 0x00, 0xEB, 0x48, 0x36, 0x47, 0x2E, 0xA8, 0xA0, ++ 0x26, 0xD1, 0x6B, 0x71, 0x82, 0x46, 0x0C, 0x52, ++ }; ++ static unsigned char output[] = { ++ 0x98, 0x01, 0xF6, 0x9A, 0x36, 0x8C, 0x2B, 0xF6, ++ 0x75, 0xE5, 0x95, 0x21, 0xE1, 0x77, 0xD9, 0xA0, ++ 0x7F, 0x67, 0xEF, 0xE1, 0xCF, 0xDE, 0x8D, 0x3C, ++ 0x8D, 0x6F, 0x6A, 0x02, 0x56, 0xE3, 0xB1, 0x7D, ++ 0xB3, 0xC1, 0xB6, 0x2A, 0xD1, 0xB8, 0x55, 0x33, ++ 0x60, 0xD1, 0x73, 0x67, 0xEB, 0x15, 0x14, 0xD2, ++ }; ++ unsigned char result[sizeof(output)] = { 0 }; ++ ++ if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_KB)) == NULL) { ++ TEST_error("EVP_KDF_KB"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_MAC_TYPE, EVP_KDF_KB_MAC_TYPE_HMAC) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_KB_MAC_TYPE"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha384()) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_MD"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, input_key, sizeof(input_key)) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_KEY"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, label, strlen(label)) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_SALT"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_INFO, prf_input, strlen(prf_input)) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_KB_INFO"); ++ goto err; ++ } ++ ret = TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result)), 0) ++ && TEST_mem_eq(result, sizeof(result), output, ++ sizeof(output)); ++err: ++ EVP_KDF_CTX_free(kctx); ++ return ret; ++} ++ ++static int test_kdf_krb5kdf(void) ++{ ++ int ret = 0; ++ EVP_KDF_CTX *kctx; ++ unsigned char out[16]; ++ static unsigned char key[] = { ++ 0x42, 0x26, 0x3C, 0x6E, 0x89, 0xF4, 0xFC, 0x28, ++ 0xB8, 0xDF, 0x68, 0xEE, 0x09, 0x79, 0x9F, 0x15 ++ }; ++ static unsigned char constant[] = { ++ 0x00, 0x00, 0x00, 0x02, 0x99 ++ }; ++ static const unsigned char expected[sizeof(out)] = { ++ 0x34, 0x28, 0x0A, 0x38, 0x2B, 0xC9, 0x27, 0x69, ++ 0xB2, 0xDA, 0x2F, 0x9E, 0xF0, 0x66, 0x85, 0x4B ++ }; ++ ++ if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_KRB5KDF)) == NULL) { ++ TEST_error("EVP_KDF_KRB5KDF"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_CIPHER, EVP_aes_128_cbc()) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_CIPHER"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, key, sizeof(key)) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_KEY"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KRB5KDF_CONSTANT, constant, sizeof(constant)) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_KRB5KDF_CONSTANT"); ++ goto err; ++ } ++ ++ ret = ++ TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0) ++ && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected)); ++ ++err: ++ EVP_KDF_CTX_free(kctx); ++ return ret; ++} ++ ++static int test_kdf_ss_hash(void) ++{ ++ EVP_KDF_CTX *kctx; ++ const unsigned char z[] = { ++ 0x6d,0xbd,0xc2,0x3f,0x04,0x54,0x88,0xe4,0x06,0x27,0x57,0xb0,0x6b,0x9e, ++ 0xba,0xe1,0x83,0xfc,0x5a,0x59,0x46,0xd8,0x0d,0xb9,0x3f,0xec,0x6f,0x62, ++ 0xec,0x07,0xe3,0x72,0x7f,0x01,0x26,0xae,0xd1,0x2c,0xe4,0xb2,0x62,0xf4, ++ 0x7d,0x48,0xd5,0x42,0x87,0xf8,0x1d,0x47,0x4c,0x7c,0x3b,0x18,0x50,0xe9 ++ }; ++ const unsigned char other[] = { ++ 0xa1,0xb2,0xc3,0xd4,0xe5,0x43,0x41,0x56,0x53,0x69,0x64,0x3c,0x83,0x2e, ++ 0x98,0x49,0xdc,0xdb,0xa7,0x1e,0x9a,0x31,0x39,0xe6,0x06,0xe0,0x95,0xde, ++ 0x3c,0x26,0x4a,0x66,0xe9,0x8a,0x16,0x58,0x54,0xcd,0x07,0x98,0x9b,0x1e, ++ 0xe0,0xec,0x3f,0x8d,0xbe ++ }; ++ const unsigned char expected[] = { ++ 0xa4,0x62,0xde,0x16,0xa8,0x9d,0xe8,0x46,0x6e,0xf5,0x46,0x0b,0x47,0xb8 ++ }; ++ unsigned char out[14]; ++ ++ kctx = EVP_KDF_CTX_new_id(EVP_KDF_SS); ++ ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha224()) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_MD"); ++ return 0; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, z, sizeof(z)) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_KEY"); ++ return 0; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SSKDF_INFO, other, ++ sizeof(other)) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_SSKDF_INFO"); ++ return 0; ++ } ++ if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) { ++ TEST_error("EVP_KDF_derive"); ++ return 0; ++ } ++ ++ if (!TEST_mem_eq(out, sizeof(out), expected, sizeof(expected))) ++ return 0; ++ ++ EVP_KDF_CTX_free(kctx); ++ return 1; ++} ++ + int setup_tests(void) + { ++ ADD_TEST(test_kdf_kbkdf_6803_128); ++ ADD_TEST(test_kdf_kbkdf_6803_256); ++ ADD_TEST(test_kdf_kbkdf_8009_prf1); ++ ADD_TEST(test_kdf_kbkdf_8009_prf2); + ADD_TEST(test_kdf_tls1_prf); + ADD_TEST(test_kdf_hkdf); + ADD_TEST(test_kdf_pbkdf2); + #ifndef OPENSSL_NO_SCRYPT + ADD_TEST(test_kdf_scrypt); + #endif ++ ADD_TEST(test_kdf_krb5kdf); ++ ADD_TEST(test_kdf_ss_hash); + return 1; + } +diff -up openssl-1.1.1d/test/recipes/30-test_evp_data/evpkdf.txt.krb5-kdf openssl-1.1.1d/test/recipes/30-test_evp_data/evpkdf.txt +--- openssl-1.1.1d/test/recipes/30-test_evp_data/evpkdf.txt.krb5-kdf 2019-11-14 15:07:05.327094396 +0100 ++++ openssl-1.1.1d/test/recipes/30-test_evp_data/evpkdf.txt 2019-11-14 15:07:05.349094005 +0100 +@@ -5286,3 +5286,559 @@ Ctrl.hexsession_id = hexsession_id:a4ebd + Ctrl.type = type:A + Output = FF + Result = KDF_MISMATCH ++ ++Title = KRB5KDF tests (from RFC 3961 test vectors and krb5 sources) ++ ++#RFC3961 ++KDF = KRB5KDF ++Ctrl.cipher = cipher:DES-EDE3-CBC ++Ctrl.hexkey = hexkey:dce06b1f64c857a11c3db57c51899b2cc1791008ce973b92 ++Ctrl.hexconstant = hexconstant:0000000155 ++Output = 925179d04591a79b5d3192c4a7e9c289b049c71f6ee604cd ++ ++KDF = KRB5KDF ++Ctrl.cipher = cipher:DES-EDE3-CBC ++Ctrl.hexkey = hexkey:5e13d31c70ef765746578531cb51c15bf11ca82c97cee9f2 ++Ctrl.hexconstant = hexconstant:00000001aa ++Output = 9e58e5a146d9942a101c469845d67a20e3c4259ed913f207 ++ ++KDF = KRB5KDF ++Ctrl.cipher = cipher:DES-EDE3-CBC ++Ctrl.hexkey = hexkey:98e6fd8a04a4b6859b75a176540b9752bad3ecd610a252bc ++Ctrl.hexconstant = hexconstant:0000000155 ++Output = 13fef80d763e94ec6d13fd2ca1d085070249dad39808eabf ++ ++KDF = KRB5KDF ++Ctrl.cipher = cipher:DES-EDE3-CBC ++Ctrl.hexkey = hexkey:622aec25a2fe2cad7094680b7c64940280084c1a7cec92b5 ++Ctrl.hexconstant = hexconstant:00000001aa ++Output = f8dfbf04b097e6d9dc0702686bcb3489d91fd9a4516b703e ++ ++KDF = KRB5KDF ++Ctrl.cipher = cipher:DES-EDE3-CBC ++Ctrl.hexkey = hexkey:d3f8298ccb166438dcb9b93ee5a7629286a491f838f802fb ++Ctrl.hexconstant = hexconstant:6b65726265726f73 ++Output = 2370da575d2a3da864cebfdc5204d56df779a7df43d9da43 ++ ++KDF = KRB5KDF ++Ctrl.cipher = cipher:DES-EDE3-CBC ++Ctrl.hexkey = hexkey:c1081649ada74362e6a1459d01dfd30d67c2234c940704da ++Ctrl.hexconstant = hexconstant:0000000155 ++Output = 348057ec98fdc48016161c2a4c7a943e92ae492c989175f7 ++ ++KDF = KRB5KDF ++Ctrl.cipher = cipher:DES-EDE3-CBC ++Ctrl.hexkey = hexkey:5d154af238f46713155719d55e2f1f790dd661f279a7917c ++Ctrl.hexconstant = hexconstant:00000001aa ++Output = a8808ac267dada3dcbe9a7c84626fbc761c294b01315e5c1 ++ ++KDF = KRB5KDF ++Ctrl.cipher = cipher:DES-EDE3-CBC ++Ctrl.hexkey = hexkey:798562e049852f57dc8c343ba17f2ca1d97394efc8adc443 ++Ctrl.hexconstant = hexconstant:0000000155 ++Output = c813f88a3be3b334f75425ce9175fbe3c8493b89c8703b49 ++ ++KDF = KRB5KDF ++Ctrl.cipher = cipher:DES-EDE3-CBC ++Ctrl.hexkey = hexkey:26dce334b545292f2feab9a8701a89a4b99eb9942cecd016 ++Ctrl.hexconstant = hexconstant:00000001aa ++Output = f48ffd6e83f83e7354e694fd252cf83bfe58f7d5ba37ec5d ++ ++#Krb5 sources ++KDF = KRB5KDF ++Ctrl.cipher = cipher:DES-EDE3-CBC ++Ctrl.hexkey = hexkey:850BB51358548CD05E86768C313E3BFEF7511937DCF72C3E ++Ctrl.hexconstant = hexconstant:0000000299 ++Output = F78C496D16E6C2DAE0E0B6C24057A84C0426AEEF26FD6DCE ++ ++KDF = KRB5KDF ++Ctrl.cipher = cipher:DES-EDE3-CBC ++Ctrl.hexkey = hexkey:850BB51358548CD05E86768C313E3BFEF7511937DCF72C3E ++Ctrl.hexconstant = hexconstant:00000002AA ++Output = 5B5723D0B634CB684C3EBA5264E9A70D52E683231AD3C4CE ++ ++KDF = KRB5KDF ++Ctrl.cipher = cipher:DES-EDE3-CBC ++Ctrl.hexkey = hexkey:850BB51358548CD05E86768C313E3BFEF7511937DCF72C3E ++Ctrl.hexconstant = hexconstant:0000000255 ++Output = A77C94980E9B7345A81525C423A737CE67F4CD91B6B3DA45 ++ ++KDF = KRB5KDF ++Ctrl.cipher = cipher:AES-128-CBC ++Ctrl.hexkey = hexkey:42263C6E89F4FC28B8DF68EE09799F15 ++Ctrl.hexconstant = hexconstant:0000000299 ++Output = 34280A382BC92769B2DA2F9EF066854B ++ ++KDF = KRB5KDF ++Ctrl.cipher = cipher:AES-128-CBC ++Ctrl.hexkey = hexkey:42263C6E89F4FC28B8DF68EE09799F15 ++Ctrl.hexconstant = hexconstant:00000002AA ++Output = 5B14FC4E250E14DDF9DCCF1AF6674F53 ++ ++KDF = KRB5KDF ++Ctrl.cipher = cipher:AES-128-CBC ++Ctrl.hexkey = hexkey:42263C6E89F4FC28B8DF68EE09799F15 ++Ctrl.hexconstant = hexconstant:0000000255 ++Output = 4ED31063621684F09AE8D89991AF3E8F ++ ++KDF = KRB5KDF ++Ctrl.cipher = cipher:AES-256-CBC ++Ctrl.hexkey = hexkey:FE697B52BC0D3CE14432BA036A92E65BBB52280990A2FA27883998D72AF30161 ++Ctrl.hexconstant = hexconstant:0000000299 ++Output = BFAB388BDCB238E9F9C98D6A878304F04D30C82556375AC507A7A852790F4674 ++ ++KDF = KRB5KDF ++Ctrl.cipher = cipher:AES-256-CBC ++Ctrl.hexkey = hexkey:FE697B52BC0D3CE14432BA036A92E65BBB52280990A2FA27883998D72AF30161 ++Ctrl.hexconstant = hexconstant:00000002AA ++Output = C7CFD9CD75FE793A586A542D87E0D1396F1134A104BB1A9190B8C90ADA3DDF37 ++ ++KDF = KRB5KDF ++Ctrl.cipher = cipher:AES-256-CBC ++Ctrl.hexkey = hexkey:FE697B52BC0D3CE14432BA036A92E65BBB52280990A2FA27883998D72AF30161 ++Ctrl.hexconstant = hexconstant:0000000255 ++Output = 97151B4C76945063E2EB0529DC067D97D7BBA90776D8126D91F34F3101AEA8BA ++ ++#Same as the first but with no "fixup" ++KDF = KRB5KDF ++Ctrl.cipher = cipher:DES-EDE3-CBC ++Ctrl.hexkey = hexkey:dce06b1f64c857a11c3db57c51899b2cc1791008ce973b92 ++Ctrl.hexconstant = hexconstant:0000000155 ++Output = 935079d14490a75c3093c4a6e8c3b049c71e6ee705 ++ ++#There are currently no official test vectors for Single Step KDF ++#https://github.com/patrickfav/singlestep-kdf/wiki/NIST-SP-800-56C-Rev1:-Non-Official-Test-Vectors ++Title = Single Step KDF tests ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:d09a6b1a472f930db4f5e6b967900744 ++Ctrl.hexinfo = hexinfo:b117255ab5f1b6b96fc434b0 ++Output = b5a3c52e97ae6e8c5069954354eab3c7 ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:343666c0dd34b756e70f759f14c304f5 ++Ctrl.hexinfo = hexinfo:722b28448d7eab85491bce09 ++Output = 1003b650ddd3f0891a15166db5ec881d ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:b84acf03ab08652dd7f82fa956933261 ++Ctrl.hexinfo = hexinfo:3d8773ec068c86053a918565 ++Output = 1635dcd1ce698f736831b4badb68ab2b ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:8cc24ca3f1d1a8b34783780b79890430 ++Ctrl.hexinfo = hexinfo:f08d4f2d9a8e6d7105c0bc16 ++Output = b8e716fb84a420aed4812cd76d9700ee ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:b616905a6f7562cd2689142ce21e42a3 ++Ctrl.hexinfo = hexinfo:ead310159a909da87e7b4b40 ++Output = 1b9201358c50fe5d5d42907c4a9fce78 ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:3f57fd3fd56199b3eb33890f7ee28180 ++Ctrl.hexinfo = hexinfo:7a5056ba4fdb034c7cb6c4fe ++Output = e51ebd30a8c4b8449b0fb29d9adc11af ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:fb9fb108d104e9f662d6593fc84cde69 ++Ctrl.hexinfo = hexinfo:5faf29211c1bdbf1b2696a7c ++Output = 7a3a7e670656e48c390cdd7c51e167e0 ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:237a39981794f4516dccffc3dda28396 ++Ctrl.hexinfo = hexinfo:62ed9528d104c241e0f66275 ++Output = 0c26fc9e90e1c5c5f943428301682045 ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:b9b6c45f7279218fa09894e06366a3a1 ++Ctrl.hexinfo = hexinfo:0f384339670aaed4b89ecb7e ++Output = ee5fad414e32fad5d52a2bf61a7f6c72 ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:08b7140e2cd0a4abd79171e4d5a71cad ++Ctrl.hexinfo = hexinfo:099211f0d8a2e02dbb5958c0 ++Output = 6162f5142e057efafd2c4f2bad5985a1 ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690 ++Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b ++Output = b4a2 ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690 ++Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b ++Output = b4a23963 ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690 ++Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b ++Output = b4a23963e07f ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690 ++Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b ++Output = b4a23963e07f4853 ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690 ++Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b ++Output = b4a23963e07f485382cb ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690 ++Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b ++Output = b4a23963e07f485382cb358a ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690 ++Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b ++Output = b4a23963e07f485382cb358a493d ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690 ++Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b ++Output = b4a23963e07f485382cb358a493daec1 ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690 ++Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b ++Output = b4a23963e07f485382cb358a493daec1759a ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690 ++Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b ++Output = b4a23963e07f485382cb358a493daec1759ac704 ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690 ++Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b ++Output = b4a23963e07f485382cb358a493daec1759ac7043dbe ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690 ++Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b ++Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37 ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690 ++Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b ++Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690 ++Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b ++Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c6ddf ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690 ++Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b ++Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c6ddf1050 ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690 ++Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b ++Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c6ddf105031f0 ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690 ++Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b ++Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c6ddf105031f0f239 ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690 ++Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b ++Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c6ddf105031f0f239f270 ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690 ++Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b ++Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c6ddf105031f0f239f270b7f3 ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690 ++Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b ++Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c6ddf105031f0f239f270b7f30616 ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690 ++Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b ++Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c6ddf105031f0f239f270b7f30616166f ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690 ++Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b ++Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c6ddf105031f0f239f270b7f30616166f10e5 ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690 ++Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b ++Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c6ddf105031f0f239f270b7f30616166f10e5d2b4 ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690 ++Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b ++Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c6ddf105031f0f239f270b7f30616166f10e5d2b4cb11 ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690 ++Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b ++Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c6ddf105031f0f239f270b7f30616166f10e5d2b4cb11ba8b ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690 ++Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b ++Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c6ddf105031f0f239f270b7f30616166f10e5d2b4cb11ba8bf4ba ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690 ++Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b ++Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c6ddf105031f0f239f270b7f30616166f10e5d2b4cb11ba8bf4ba3f22 ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690 ++Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b ++Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c6ddf105031f0f239f270b7f30616166f10e5d2b4cb11ba8bf4ba3f227688 ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690 ++Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b ++Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c6ddf105031f0f239f270b7f30616166f10e5d2b4cb11ba8bf4ba3f2276885abf ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690 ++Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b ++Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c6ddf105031f0f239f270b7f30616166f10e5d2b4cb11ba8bf4ba3f2276885abfbc3e ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690 ++Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b ++Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c6ddf105031f0f239f270b7f30616166f10e5d2b4cb11ba8bf4ba3f2276885abfbc3e811a ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690 ++Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b ++Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c6ddf105031f0f239f270b7f30616166f10e5d2b4cb11ba8bf4ba3f2276885abfbc3e811a568d ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690 ++Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b ++Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c6ddf105031f0f239f270b7f30616166f10e5d2b4cb11ba8bf4ba3f2276885abfbc3e811a568d480d ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690 ++Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b ++Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c6ddf105031f0f239f270b7f30616166f10e5d2b4cb11ba8bf4ba3f2276885abfbc3e811a568d480d9192 ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:d7e6 ++Ctrl.hexinfo = hexinfo:0bbe1fa8722023d7c3da4fff ++Output = 31e798e9931b612a3ad1b9b1008faa8c ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:4646779d ++Ctrl.hexinfo = hexinfo:0bbe1fa8722023d7c3da4fff ++Output = 139f68bcca879b490e268e569087d04d ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:d9811c81d4c6 ++Ctrl.hexinfo = hexinfo:0bbe1fa8722023d7c3da4fff ++Output = 914dc4f09cb633a76e6c389e04c64485 ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:8838f9d99ec46f09 ++Ctrl.hexinfo = hexinfo:0bbe1fa8722023d7c3da4fff ++Output = 4f07dfb6f7a5bf348689e08b2e29c948 ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:3e0939b33f34e779f30e ++Ctrl.hexinfo = hexinfo:0bbe1fa8722023d7c3da4fff ++Output = b42c7a98c23be19d1187ff960e87557f ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:f36230cacca4d245d303058c ++Ctrl.hexinfo = hexinfo:0bbe1fa8722023d7c3da4fff ++Output = 50f2068d8010d355d56c5e34aaffbc67 ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:7005d32c3d4284c73c3aefc70438 ++Ctrl.hexinfo = hexinfo:0bbe1fa8722023d7c3da4fff ++Output = 66fd712ccf5462bbd41e89041ea7ea26 ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:c01c83150b7734f8dbd6efd6f54d7365 ++Ctrl.hexinfo = hexinfo:0bbe1fa8722023d7c3da4fff ++Output = 5c5edb0ceda9cd0c7f1f3d9e239c67d5 ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:da69f1dbbebc837480af692e7e9ee6b9 ++Ctrl.hexinfo = hexinfo:9949 ++Output = 33c83f54ed00fb1bccd2113e88550941 ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:da69f1dbbebc837480af692e7e9ee6b9 ++Ctrl.hexinfo = hexinfo:17144da6 ++Output = a999c28961424cab35ec06015e8c376a ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:da69f1dbbebc837480af692e7e9ee6b9 ++Ctrl.hexinfo = hexinfo:dffdee1062eb ++Output = 4101ad50e626ed6f957bff926dfbb7db ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:da69f1dbbebc837480af692e7e9ee6b9 ++Ctrl.hexinfo = hexinfo:9f365043e23b4648 ++Output = 4d3e4b971b88771f229df9f564984832 ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:da69f1dbbebc837480af692e7e9ee6b9 ++Ctrl.hexinfo = hexinfo:a885a0c4567ddc4f96da ++Output = bebbc30f5a83df5e9c9b57db33c0c879 ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:da69f1dbbebc837480af692e7e9ee6b9 ++Ctrl.hexinfo = hexinfo:c9d86183295bfe4c3d85f0fd ++Output = 87c947e45407db63eb94cbaa02d14e94 ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:da69f1dbbebc837480af692e7e9ee6b9 ++Ctrl.hexinfo = hexinfo:825fadce46964236a486732c5dad ++Output = 192370a85ff78e3c0245129d9b398558 ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:da69f1dbbebc837480af692e7e9ee6b9 ++Ctrl.hexinfo = hexinfo:5c0b5eb3ac9f342347d73d7a521723aa ++Output = c7b7634fd809383e87c4b1b3e728be56 ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:8d7a4e7d5cf34b3f74873b862aeb33b7 ++Output = 6a5594f402f74f69 ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:9b208e7ee1e641fac1dff48fc1beb2d2 ++Output = 556ed67e24ac0c7c46cc432da8bdb23c ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:4d2572539fed433211da28c8a0eebac3 ++Output = 5a4054c59c5b92814025578f43c1b79fe84968fc284e240b ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:4e1e70c9886819a31bc29a537911add9 ++Output = ddbfc440449aab4131c6d8aec08ce1496f2702241d0e27cc155c5c7c3cda75b5 ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:68f144c952528e540c686dc353b766f2 ++Output = 59ed66bb6f54a9688a0b891d0b2ea6743621d9e1b5cc098cf3a55e6f864f9af8a95e4d945d2f987f ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:b66c9d507c9f837fbe60b6675fdbf38b ++Output = c282787ddf421a72fc88811be81b08d0d6ab66c92d1011974aa58335a6bbbd62e9e982bfae5929865ea1d517247089d2 ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:34e730b49e46c7ed2fb25975a4cccd2d ++Output = 39e76e6571cb00740260b9070accbdcc4a492c295cbef33d9e37dac21e5e9d07e0f12dc7063d2172641475d4e08b8e3712fb26a10c8376b8 ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:e340d87e2d7adbc1b95ec2dbdc3b82be ++Output = a660c0037a53f76f1e7667043f5869348ad07ac0e272e615ce31f16d4ab90d4b35fe5c370c0010ce79aff45682c6fb8b97f9a05b7d40b5af3c62999a10df9c6d ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA256 ++Ctrl.hexsecret = hexsecret:afc4e154498d4770aa8365f6903dc83b ++Ctrl.hexinfo = hexinfo:662af20379b29d5ef813e655 ++Output = f0b80d6ae4c1e19e2105a37024e35dc6 ++ ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA512 ++Ctrl.hexsecret = hexsecret:108cf63318555c787fa578731dd4f037 ++Ctrl.hexinfo = hexinfo:53191b1dd3f94d83084d61d6 ++Output = 0ad475c1826da3007637970c8b92b993 ++ ++Title = SSKDF Test vectors from RFC 8636 Section 8 (With precoumputed ASN.1 info) ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 ++Ctrl.hexinfo = hexinfo:307e300a06082b06010502030601a01f041d301ba0071b0553552e5345a110300ea003020101a10730051b036c6861a12904273025a0071b0553552e5345a11a3018a003020101a111300f1b066b72627467741b0553552e5345a22404223020a003020112a10c040aaaaaaaaaaaaaaaaaaaaaa20b0409bbbbbbbbbbbbbbbbbb ++Output = e6ab38c9413e035bb079201ed0b6b73d8d49a814a737c04ee6649614206f73ad ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA256 ++Ctrl.hexsecret = hexsecret:00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 ++Ctrl.hexinfo = hexinfo:307e300a06082b06010502030602a01f041d301ba0071b0553552e5345a110300ea003020101a10730051b036c6861a12904273025a0071b0553552e5345a11a3018a003020101a111300f1b066b72627467741b0553552e5345a22404223020a003020112a10c040aaaaaaaaaaaaaaaaaaaaaa20b0409bbbbbbbbbbbbbbbbbb ++Output = 77ef4e48c420ae3fec75109d7981697eed5d295c90c62564f7bfd101fa9bc1d5 ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA512 ++Ctrl.hexsecret = hexsecret:00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 ++Ctrl.hexinfo = hexinfo:307e300a06082b06010502030603a01f041d301ba0071b0553552e5345a110300ea003020101a10730051b036c6861a12904273025a0071b0553552e5345a11a3018a003020101a111300f1b066b72627467741b0553552e5345a22404223020a003020110a10c040aaaaaaaaaaaaaaaaaaaaaa20b0409bbbbbbbbbbbbbbbbbb ++Output = d3c78b78d75313e9a926f75dfb012363fa17fa01db diff --git a/openssl-1.1.1-no-brainpool.patch b/openssl-1.1.1-no-brainpool.patch index 2ab6fc9..90c87a8 100644 --- a/openssl-1.1.1-no-brainpool.patch +++ b/openssl-1.1.1-no-brainpool.patch @@ -1,17 +1,16 @@ -diff -up openssl-1.1.1b/test/ssl-tests/20-cert-select.conf.in.no-brainpool openssl-1.1.1b/test/ssl-tests/20-cert-select.conf.in ---- openssl-1.1.1b/test/ssl-tests/20-cert-select.conf.in.no-brainpool 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/test/ssl-tests/20-cert-select.conf.in 2019-05-07 11:52:35.885597934 +0200 -@@ -141,22 +141,23 @@ our @tests = ( +diff -up openssl-1.1.1d/test/ssl-tests/20-cert-select.conf.in.no-brainpool openssl-1.1.1d/test/ssl-tests/20-cert-select.conf.in +--- openssl-1.1.1d/test/ssl-tests/20-cert-select.conf.in.no-brainpool 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/test/ssl-tests/20-cert-select.conf.in 2019-09-13 15:11:07.358687169 +0200 +@@ -147,22 +147,22 @@ our @tests = ( { name => "ECDSA with brainpool", server => { - "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"), - "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"), - "Groups" => "brainpoolP256r1", -+# "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"), -+# "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"), ++ "Certificate" => test_pem("server-ecdsa-cert.pem"), ++ "PrivateKey" => test_pem("server-ecdsa-key.pem"), +# "Groups" => "brainpoolP256r1", -+ "CipherString" => "aNULL", }, client => { #We don't restrict this to TLSv1.2, although use of brainpool @@ -32,17 +31,16 @@ diff -up openssl-1.1.1b/test/ssl-tests/20-cert-select.conf.in.no-brainpool opens "ExpectedResult" => "Success" }, }, -@@ -787,18 +788,19 @@ my @tests_tls_1_3 = ( +@@ -853,18 +853,18 @@ my @tests_tls_1_3 = ( { name => "TLS 1.3 ECDSA with brainpool", server => { - "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"), - "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"), - "Groups" => "brainpoolP256r1", -+# "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"), -+# "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"), ++ "Certificate" => test_pem("server-ecdsa-cert.pem"), ++ "PrivateKey" => test_pem("server-ecdsa-key.pem"), +# "Groups" => "brainpoolP256r1", -+ "CipherString" => "aNULL", }, client => { "RequestCAFile" => test_pem("root-cert.pem"), @@ -57,20 +55,19 @@ diff -up openssl-1.1.1b/test/ssl-tests/20-cert-select.conf.in.no-brainpool opens }, }, ); -diff -up openssl-1.1.1b/test/ssl-tests/20-cert-select.conf.no-brainpool openssl-1.1.1b/test/ssl-tests/20-cert-select.conf ---- openssl-1.1.1b/test/ssl-tests/20-cert-select.conf.no-brainpool 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/test/ssl-tests/20-cert-select.conf 2019-05-07 12:15:12.762907496 +0200 -@@ -233,23 +233,18 @@ server = 5-ECDSA with brainpool-server +diff -up openssl-1.1.1d/test/ssl-tests/20-cert-select.conf.no-brainpool openssl-1.1.1d/test/ssl-tests/20-cert-select.conf +--- openssl-1.1.1d/test/ssl-tests/20-cert-select.conf.no-brainpool 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/test/ssl-tests/20-cert-select.conf 2019-09-13 15:12:27.380288469 +0200 +@@ -238,23 +238,18 @@ server = 5-ECDSA with brainpool-server client = 5-ECDSA with brainpool-client [5-ECDSA with brainpool-server] -Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-cert.pem --CipherString = DEFAULT ++Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem + CipherString = DEFAULT -Groups = brainpoolP256r1 -PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-key.pem -+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -+CipherString = aNULL -+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem ++PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem [5-ECDSA with brainpool-client] CipherString = aECDSA @@ -87,28 +84,27 @@ diff -up openssl-1.1.1b/test/ssl-tests/20-cert-select.conf.no-brainpool openssl- # =========================================================== -@@ -1577,14 +1572,12 @@ server = 47-TLS 1.3 ECDSA with brainpool - client = 47-TLS 1.3 ECDSA with brainpool-client +@@ -1713,14 +1708,12 @@ server = 52-TLS 1.3 ECDSA with brainpool + client = 52-TLS 1.3 ECDSA with brainpool-client - [47-TLS 1.3 ECDSA with brainpool-server] + [52-TLS 1.3 ECDSA with brainpool-server] -Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-cert.pem --CipherString = DEFAULT ++Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem + CipherString = DEFAULT -Groups = brainpoolP256r1 -PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-key.pem -+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -+CipherString = aNULL -+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem ++PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem - [47-TLS 1.3 ECDSA with brainpool-client] + [52-TLS 1.3 ECDSA with brainpool-client] CipherString = DEFAULT -Groups = brainpoolP256r1 MaxProtocol = TLSv1.3 MinProtocol = TLSv1.3 RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem -@@ -1592,7 +1585,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/ro +@@ -1728,7 +1721,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/ro VerifyMode = Peer - [test-47] + [test-52] -ExpectedResult = ServerFail +ExpectedResult = Success diff --git a/openssl-1.1.1-no-dladdr.patch b/openssl-1.1.1-no-dladdr.patch new file mode 100644 index 0000000..b526b07 --- /dev/null +++ b/openssl-1.1.1-no-dladdr.patch @@ -0,0 +1,29 @@ +--- openssl-1.1.1k.old/crypto/fips/fips.c 2021-06-01 08:55:05.727572580 +0100 ++++ openssl-1.1.1k/crypto/fips/fips.c 2021-06-01 08:57:13.303122104 +0100 +@@ -165,6 +165,8 @@ + return fips_post; + } + ++#ifndef __MINGW32__ ++ + /* we implement what libfipscheck does ourselves */ + + static int +@@ -193,6 +195,17 @@ + return rv; + } + ++#else /* __MINGW32__ */ ++ ++static int ++get_library_path(const char *libname, const char *symbolname, char *path, ++ size_t pathlen) ++{ ++ return -1; ++} ++ ++#endif /* __MINGW32__ */ ++ + static const char conv[] = "0123456789abcdef"; + + static char *bin2hex(void *buf, size_t len) diff --git a/openssl-1.1.1-no-html.patch b/openssl-1.1.1-no-html.patch new file mode 100644 index 0000000..d0e335e --- /dev/null +++ b/openssl-1.1.1-no-html.patch @@ -0,0 +1,12 @@ +diff -up openssl-1.1.1f/Configurations/unix-Makefile.tmpl.no-html openssl-1.1.1f/Configurations/unix-Makefile.tmpl +--- openssl-1.1.1f/Configurations/unix-Makefile.tmpl.no-html 2020-04-07 16:45:21.904083989 +0200 ++++ openssl-1.1.1f/Configurations/unix-Makefile.tmpl 2020-04-07 16:45:56.218461895 +0200 +@@ -544,7 +544,7 @@ install_sw: install_dev install_engines + + uninstall_sw: uninstall_runtime uninstall_engines uninstall_dev + +-install_docs: install_man_docs install_html_docs ++install_docs: install_man_docs + + uninstall_docs: uninstall_man_docs uninstall_html_docs + $(RM) -r "$(DESTDIR)$(DOCDIR)" diff --git a/openssl-1.1.1-regression-fixes.patch b/openssl-1.1.1-regression-fixes.patch deleted file mode 100644 index 11099a1..0000000 --- a/openssl-1.1.1-regression-fixes.patch +++ /dev/null @@ -1,16 +0,0 @@ -diff -up openssl-1.1.1b/crypto/conf/conf_lib.c.regression openssl-1.1.1b/crypto/conf/conf_lib.c ---- openssl-1.1.1b/crypto/conf/conf_lib.c.regression 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/conf/conf_lib.c 2019-05-10 14:28:57.718049429 +0200 -@@ -356,8 +356,10 @@ OPENSSL_INIT_SETTINGS *OPENSSL_INIT_new( - { - OPENSSL_INIT_SETTINGS *ret = malloc(sizeof(*ret)); - -- if (ret != NULL) -- memset(ret, 0, sizeof(*ret)); -+ if (ret == NULL) -+ return NULL; -+ -+ memset(ret, 0, sizeof(*ret)); - ret->flags = DEFAULT_CONF_MFLAGS; - - return ret; diff --git a/openssl-1.1.1-rewire-fips-drbg.patch b/openssl-1.1.1-rewire-fips-drbg.patch new file mode 100644 index 0000000..4d04d37 --- /dev/null +++ b/openssl-1.1.1-rewire-fips-drbg.patch @@ -0,0 +1,170 @@ +diff -up openssl-1.1.1g/crypto/fips/fips_drbg_lib.c.rewire-fips-drbg openssl-1.1.1g/crypto/fips/fips_drbg_lib.c +--- openssl-1.1.1g/crypto/fips/fips_drbg_lib.c.rewire-fips-drbg 2020-06-22 13:32:47.611852927 +0200 ++++ openssl-1.1.1g/crypto/fips/fips_drbg_lib.c 2020-06-22 13:32:47.675852917 +0200 +@@ -337,6 +337,19 @@ static int drbg_reseed(DRBG_CTX *dctx, + int FIPS_drbg_reseed(DRBG_CTX *dctx, + const unsigned char *adin, size_t adinlen) + { ++ int len = (int)adinlen; ++ ++ if (len < 0 || (size_t)len != adinlen) { ++ FIPSerr(FIPS_F_DRBG_RESEED, FIPS_R_ADDITIONAL_INPUT_TOO_LONG); ++ return 0; ++ } ++ RAND_seed(adin, len); ++ return 1; ++} ++ ++int FIPS_drbg_reseed_internal(DRBG_CTX *dctx, ++ const unsigned char *adin, size_t adinlen) ++{ + return drbg_reseed(dctx, adin, adinlen, 1); + } + +@@ -358,6 +371,19 @@ int FIPS_drbg_generate(DRBG_CTX *dctx, u + int prediction_resistance, + const unsigned char *adin, size_t adinlen) + { ++ int len = (int)outlen; ++ ++ if (len < 0 || (size_t)len != outlen) { ++ FIPSerr(FIPS_F_FIPS_DRBG_GENERATE, FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG); ++ return 0; ++ } ++ return RAND_bytes(out, len); ++} ++ ++int FIPS_drbg_generate_internal(DRBG_CTX *dctx, unsigned char *out, size_t outlen, ++ int prediction_resistance, ++ const unsigned char *adin, size_t adinlen) ++{ + int r = 0; + + if (FIPS_selftest_failed()) { +diff -up openssl-1.1.1g/crypto/fips/fips_drbg_rand.c.rewire-fips-drbg openssl-1.1.1g/crypto/fips/fips_drbg_rand.c +--- openssl-1.1.1g/crypto/fips/fips_drbg_rand.c.rewire-fips-drbg 2020-06-22 13:32:47.611852927 +0200 ++++ openssl-1.1.1g/crypto/fips/fips_drbg_rand.c 2020-06-22 13:32:47.675852917 +0200 +@@ -57,6 +57,8 @@ + #include + #include + #include ++#define FIPS_DRBG_generate FIPS_DRBG_generate_internal ++#define FIPS_DRBG_reseed FIPS_DRBG_reseed_internal + #include + #include "fips_rand_lcl.h" + +diff -up openssl-1.1.1g/crypto/fips/fips_drbg_selftest.c.rewire-fips-drbg openssl-1.1.1g/crypto/fips/fips_drbg_selftest.c +--- openssl-1.1.1g/crypto/fips/fips_drbg_selftest.c.rewire-fips-drbg 2020-06-22 13:32:47.612852927 +0200 ++++ openssl-1.1.1g/crypto/fips/fips_drbg_selftest.c 2020-06-22 13:32:47.675852917 +0200 +@@ -55,6 +55,8 @@ + #include + #include + #include ++#define FIPS_DRBG_generate FIPS_DRBG_generate_internal ++#define FIPS_DRBG_reseed FIPS_DRBG_reseed_internal + #include + #include "fips_rand_lcl.h" + #include "fips_locl.h" +diff -up openssl-1.1.1g/crypto/fips/fips_post.c.rewire-fips-drbg openssl-1.1.1g/crypto/fips/fips_post.c +--- openssl-1.1.1g/crypto/fips/fips_post.c.rewire-fips-drbg 2020-06-22 13:32:47.672852918 +0200 ++++ openssl-1.1.1g/crypto/fips/fips_post.c 2020-06-22 13:32:47.675852917 +0200 +@@ -79,8 +79,6 @@ int FIPS_selftest(void) + ERR_add_error_data(2, "Type=", "rand_drbg_selftest"); + rv = 0; + } +- if (!FIPS_selftest_drbg()) +- rv = 0; + if (!FIPS_selftest_sha1()) + rv = 0; + if (!FIPS_selftest_sha2()) +diff -up openssl-1.1.1g/crypto/fips/fips_rand_lib.c.rewire-fips-drbg openssl-1.1.1g/crypto/fips/fips_rand_lib.c +--- openssl-1.1.1g/crypto/fips/fips_rand_lib.c.rewire-fips-drbg 2020-06-22 13:32:47.613852927 +0200 ++++ openssl-1.1.1g/crypto/fips/fips_rand_lib.c 2020-06-22 13:36:28.722817967 +0200 +@@ -120,6 +120,7 @@ void FIPS_rand_reset(void) + + int FIPS_rand_seed(const void *buf, int num) + { ++#if 0 + if (!fips_approved_rand_meth && FIPS_module_mode()) { + FIPSerr(FIPS_F_FIPS_RAND_SEED, FIPS_R_NON_FIPS_METHOD); + return 0; +@@ -127,10 +128,15 @@ int FIPS_rand_seed(const void *buf, int + if (fips_rand_meth && fips_rand_meth->seed) + fips_rand_meth->seed(buf, num); + return 1; ++#else ++ RAND_seed(buf, num); ++ return 1; ++#endif + } + + int FIPS_rand_bytes(unsigned char *buf, int num) + { ++#if 0 + if (!fips_approved_rand_meth && FIPS_module_mode()) { + FIPSerr(FIPS_F_FIPS_RAND_BYTES, FIPS_R_NON_FIPS_METHOD); + return 0; +@@ -138,10 +144,14 @@ int FIPS_rand_bytes(unsigned char *buf, + if (fips_rand_meth && fips_rand_meth->bytes) + return fips_rand_meth->bytes(buf, num); + return 0; ++#else ++ return RAND_bytes(buf, num); ++#endif + } + + int FIPS_rand_status(void) + { ++#if 0 + if (!fips_approved_rand_meth && FIPS_module_mode()) { + FIPSerr(FIPS_F_FIPS_RAND_STATUS, FIPS_R_NON_FIPS_METHOD); + return 0; +@@ -149,6 +159,9 @@ int FIPS_rand_status(void) + if (fips_rand_meth && fips_rand_meth->status) + return fips_rand_meth->status(); + return 0; ++#else ++ return RAND_status(); ++#endif + } + + /* Return instantiated strength of PRNG. For DRBG this is an internal +diff -up openssl-1.1.1g/include/openssl/fips.h.rewire-fips-drbg openssl-1.1.1g/include/openssl/fips.h +--- openssl-1.1.1g/include/openssl/fips.h.rewire-fips-drbg 2020-06-22 13:32:47.672852918 +0200 ++++ openssl-1.1.1g/include/openssl/fips.h 2020-06-22 13:32:47.675852917 +0200 +@@ -64,6 +64,11 @@ extern "C" { + + int FIPS_selftest(void); + int FIPS_selftest_failed(void); ++ ++ /* ++ * This function is deprecated as it performs selftest of the old FIPS drbg ++ * implementation that is not validated. ++ */ + int FIPS_selftest_drbg_all(void); + + int FIPS_dsa_builtin_paramgen2(DSA *ret, size_t L, size_t N, +diff -up openssl-1.1.1g/include/openssl/fips_rand.h.rewire-fips-drbg openssl-1.1.1g/include/openssl/fips_rand.h +--- openssl-1.1.1g/include/openssl/fips_rand.h.rewire-fips-drbg 2020-06-22 13:32:47.617852926 +0200 ++++ openssl-1.1.1g/include/openssl/fips_rand.h 2020-06-22 13:32:47.675852917 +0200 +@@ -60,6 +60,20 @@ + # ifdef __cplusplus + extern "C" { + # endif ++ ++/* ++ * IMPORTANT NOTE: ++ * All functions in this header file are deprecated and should not be used ++ * as they use the old FIPS_drbg implementation that is not FIPS validated ++ * anymore. ++ * To provide backwards compatibility for applications that need FIPS compliant ++ * RNG number generation and use FIPS_drbg_generate, this function was ++ * re-wired to call the FIPS validated DRBG instance instead through ++ * the RAND_bytes() call. ++ * ++ * All these functions will be removed in future. ++ */ ++ + typedef struct drbg_ctx_st DRBG_CTX; + /* DRBG external flags */ + /* Flag for CTR mode only: use derivation function ctr_df */ diff --git a/openssl-1.1.1-s390x-ecc.patch b/openssl-1.1.1-s390x-ecc.patch new file mode 100644 index 0000000..6b5963f --- /dev/null +++ b/openssl-1.1.1-s390x-ecc.patch @@ -0,0 +1,2306 @@ +diff -up openssl-1.1.1g/Configurations/00-base-templates.conf.s390x-ecc openssl-1.1.1g/Configurations/00-base-templates.conf +--- openssl-1.1.1g/Configurations/00-base-templates.conf.s390x-ecc 2020-04-21 14:22:39.000000000 +0200 ++++ openssl-1.1.1g/Configurations/00-base-templates.conf 2020-05-18 12:45:40.855234262 +0200 +@@ -289,6 +289,7 @@ my %targets=( + template => 1, + cpuid_asm_src => "s390xcap.c s390xcpuid.S", + bn_asm_src => "asm/s390x.S s390x-mont.S s390x-gf2m.s", ++ ec_asm_src => "ecp_s390x_nistp.c", + aes_asm_src => "aes-s390x.S aes-ctr.fake aes-xts.fake", + sha1_asm_src => "sha1-s390x.S sha256-s390x.S sha512-s390x.S", + rc4_asm_src => "rc4-s390x.s", +diff -up openssl-1.1.1g/Configure.s390x-ecc openssl-1.1.1g/Configure +--- openssl-1.1.1g/Configure.s390x-ecc 2020-05-18 12:45:40.781233618 +0200 ++++ openssl-1.1.1g/Configure 2020-05-18 12:45:40.856234270 +0200 +@@ -1398,6 +1398,9 @@ unless ($disabled{asm}) { + if ($target{ec_asm_src} =~ /ecp_nistz256/) { + push @{$config{lib_defines}}, "ECP_NISTZ256_ASM"; + } ++ if ($target{ec_asm_src} =~ /ecp_s390x_nistp/) { ++ push @{$config{lib_defines}}, "S390X_EC_ASM"; ++ } + if ($target{ec_asm_src} =~ /x25519/) { + push @{$config{lib_defines}}, "X25519_ASM"; + } +diff -up openssl-1.1.1g/crypto/cmac/cm_pmeth.c.s390x-ecc openssl-1.1.1g/crypto/cmac/cm_pmeth.c +--- openssl-1.1.1g/crypto/cmac/cm_pmeth.c.s390x-ecc 2020-05-18 12:45:40.782233627 +0200 ++++ openssl-1.1.1g/crypto/cmac/cm_pmeth.c 2020-05-18 12:45:42.661249957 +0200 +@@ -159,3 +159,8 @@ const EVP_PKEY_METHOD cmac_pkey_meth = { + pkey_cmac_ctrl, + pkey_cmac_ctrl_str + }; ++ ++const EVP_PKEY_METHOD *cmac_pkey_method(void) ++{ ++ return &cmac_pkey_meth; ++} +diff -up openssl-1.1.1g/crypto/dh/dh_pmeth.c.s390x-ecc openssl-1.1.1g/crypto/dh/dh_pmeth.c +--- openssl-1.1.1g/crypto/dh/dh_pmeth.c.s390x-ecc 2020-05-18 12:45:40.782233627 +0200 ++++ openssl-1.1.1g/crypto/dh/dh_pmeth.c 2020-05-18 12:45:42.661249957 +0200 +@@ -512,6 +512,11 @@ const EVP_PKEY_METHOD dh_pkey_meth = { + pkey_dh_ctrl_str + }; + ++const EVP_PKEY_METHOD *dh_pkey_method(void) ++{ ++ return &dh_pkey_meth; ++} ++ + const EVP_PKEY_METHOD dhx_pkey_meth = { + EVP_PKEY_DHX, + EVP_PKEY_FLAG_FIPS, +@@ -545,3 +550,8 @@ const EVP_PKEY_METHOD dhx_pkey_meth = { + pkey_dh_ctrl, + pkey_dh_ctrl_str + }; ++ ++const EVP_PKEY_METHOD *dhx_pkey_method(void) ++{ ++ return &dhx_pkey_meth; ++} +diff -up openssl-1.1.1g/crypto/dsa/dsa_pmeth.c.s390x-ecc openssl-1.1.1g/crypto/dsa/dsa_pmeth.c +--- openssl-1.1.1g/crypto/dsa/dsa_pmeth.c.s390x-ecc 2020-05-18 12:45:40.783233636 +0200 ++++ openssl-1.1.1g/crypto/dsa/dsa_pmeth.c 2020-05-18 12:45:42.662249966 +0200 +@@ -271,3 +271,8 @@ const EVP_PKEY_METHOD dsa_pkey_meth = { + pkey_dsa_ctrl, + pkey_dsa_ctrl_str + }; ++ ++const EVP_PKEY_METHOD *dsa_pkey_method(void) ++{ ++ return &dsa_pkey_meth; ++} +diff -up openssl-1.1.1g/crypto/ec/build.info.s390x-ecc openssl-1.1.1g/crypto/ec/build.info +--- openssl-1.1.1g/crypto/ec/build.info.s390x-ecc 2020-04-21 14:22:39.000000000 +0200 ++++ openssl-1.1.1g/crypto/ec/build.info 2020-05-18 12:45:42.662249966 +0200 +@@ -26,6 +26,9 @@ GENERATE[ecp_nistz256-armv8.S]=asm/ecp_n + INCLUDE[ecp_nistz256-armv8.o]=.. + GENERATE[ecp_nistz256-ppc64.s]=asm/ecp_nistz256-ppc64.pl $(PERLASM_SCHEME) + ++INCLUDE[ecp_s390x_nistp.o]=.. ++INCLUDE[ecx_meth.o]=.. ++ + GENERATE[x25519-x86_64.s]=asm/x25519-x86_64.pl $(PERLASM_SCHEME) + GENERATE[x25519-ppc64.s]=asm/x25519-ppc64.pl $(PERLASM_SCHEME) + +diff -up openssl-1.1.1g/crypto/ec/ec_curve.c.s390x-ecc openssl-1.1.1g/crypto/ec/ec_curve.c +--- openssl-1.1.1g/crypto/ec/ec_curve.c.s390x-ecc 2020-05-18 12:45:40.753233375 +0200 ++++ openssl-1.1.1g/crypto/ec/ec_curve.c 2020-05-18 12:45:42.663249975 +0200 +@@ -255,20 +255,29 @@ static const ec_list_element curve_list[ + {NID_secp256k1, &_EC_SECG_PRIME_256K1.h, 0, + "SECG curve over a 256 bit prime field"}, + /* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */ +- {NID_secp384r1, &_EC_NIST_PRIME_384.h, 0, ++ {NID_secp384r1, &_EC_NIST_PRIME_384.h, ++# if defined(S390X_EC_ASM) ++ EC_GFp_s390x_nistp384_method, ++# else ++ 0, ++# endif + "NIST/SECG curve over a 384 bit prime field"}, +-#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128 +- {NID_secp521r1, &_EC_NIST_PRIME_521.h, EC_GFp_nistp521_method, +- "NIST/SECG curve over a 521 bit prime field"}, +-#else +- {NID_secp521r1, &_EC_NIST_PRIME_521.h, 0, ++ {NID_secp521r1, &_EC_NIST_PRIME_521.h, ++# if defined(S390X_EC_ASM) ++ EC_GFp_s390x_nistp521_method, ++# elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128) ++ EC_GFp_nistp521_method, ++# else ++ 0, ++# endif + "NIST/SECG curve over a 521 bit prime field"}, +-#endif + /* X9.62 curves */ + {NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h, + #if defined(ECP_NISTZ256_ASM) + EC_GFp_nistz256_method, +-#elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128) ++# elif defined(S390X_EC_ASM) ++ EC_GFp_s390x_nistp256_method, ++# elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128) + EC_GFp_nistp256_method, + #else + 0, +diff -up openssl-1.1.1g/crypto/ec/ecdsa_ossl.c.s390x-ecc openssl-1.1.1g/crypto/ec/ecdsa_ossl.c +--- openssl-1.1.1g/crypto/ec/ecdsa_ossl.c.s390x-ecc 2020-05-18 12:45:40.784233644 +0200 ++++ openssl-1.1.1g/crypto/ec/ecdsa_ossl.c 2020-05-18 12:45:42.664249983 +0200 +@@ -18,6 +18,41 @@ + # include + #endif + ++int ossl_ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, ++ BIGNUM **rp) ++{ ++ if (eckey->group->meth->ecdsa_sign_setup == NULL) { ++ ECerr(EC_F_OSSL_ECDSA_SIGN_SETUP, EC_R_CURVE_DOES_NOT_SUPPORT_ECDSA); ++ return 0; ++ } ++ ++ return eckey->group->meth->ecdsa_sign_setup(eckey, ctx_in, kinvp, rp); ++} ++ ++ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len, ++ const BIGNUM *in_kinv, const BIGNUM *in_r, ++ EC_KEY *eckey) ++{ ++ if (eckey->group->meth->ecdsa_sign_sig == NULL) { ++ ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, EC_R_CURVE_DOES_NOT_SUPPORT_ECDSA); ++ return NULL; ++ } ++ ++ return eckey->group->meth->ecdsa_sign_sig(dgst, dgst_len, ++ in_kinv, in_r, eckey); ++} ++ ++int ossl_ecdsa_verify_sig(const unsigned char *dgst, int dgst_len, ++ const ECDSA_SIG *sig, EC_KEY *eckey) ++{ ++ if (eckey->group->meth->ecdsa_verify_sig == NULL) { ++ ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, EC_R_CURVE_DOES_NOT_SUPPORT_ECDSA); ++ return 0; ++ } ++ ++ return eckey->group->meth->ecdsa_verify_sig(dgst, dgst_len, sig, eckey); ++} ++ + int ossl_ecdsa_sign(int type, const unsigned char *dgst, int dlen, + unsigned char *sig, unsigned int *siglen, + const BIGNUM *kinv, const BIGNUM *r, EC_KEY *eckey) +@@ -149,15 +184,15 @@ static int ecdsa_sign_setup(EC_KEY *ecke + return ret; + } + +-int ossl_ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, +- BIGNUM **rp) ++int ecdsa_simple_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, ++ BIGNUM **rp) + { + return ecdsa_sign_setup(eckey, ctx_in, kinvp, rp, NULL, 0); + } + +-ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len, +- const BIGNUM *in_kinv, const BIGNUM *in_r, +- EC_KEY *eckey) ++ECDSA_SIG *ecdsa_simple_sign_sig(const unsigned char *dgst, int dgst_len, ++ const BIGNUM *in_kinv, const BIGNUM *in_r, ++ EC_KEY *eckey) + { + int ok = 0, i; + BIGNUM *kinv = NULL, *s, *m = NULL; +@@ -218,25 +253,25 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const uns + if (8 * dgst_len > i) + dgst_len = (i + 7) / 8; + if (!BN_bin2bn(dgst, dgst_len, m)) { +- ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB); ++ ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, ERR_R_BN_LIB); + goto err; + } + /* If still too long, truncate remaining bits with a shift */ + if ((8 * dgst_len > i) && !BN_rshift(m, m, 8 - (i & 0x7))) { +- ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB); ++ ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, ERR_R_BN_LIB); + goto err; + } + do { + if (in_kinv == NULL || in_r == NULL) { + if (!ecdsa_sign_setup(eckey, ctx, &kinv, &ret->r, dgst, dgst_len)) { +- ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_ECDSA_LIB); ++ ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, ERR_R_ECDSA_LIB); + goto err; + } + ckinv = kinv; + } else { + ckinv = in_kinv; + if (BN_copy(ret->r, in_r) == NULL) { +- ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_MALLOC_FAILURE); ++ ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, ERR_R_MALLOC_FAILURE); + goto err; + } + } +@@ -250,11 +285,11 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const uns + */ + if (!bn_to_mont_fixed_top(s, ret->r, group->mont_data, ctx) + || !bn_mul_mont_fixed_top(s, s, priv_key, group->mont_data, ctx)) { +- ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB); ++ ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, ERR_R_BN_LIB); + goto err; + } + if (!bn_mod_add_fixed_top(s, s, m, order)) { +- ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB); ++ ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, ERR_R_BN_LIB); + goto err; + } + /* +@@ -263,7 +298,7 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const uns + */ + if (!bn_to_mont_fixed_top(s, s, group->mont_data, ctx) + || !BN_mod_mul_montgomery(s, s, ckinv, group->mont_data, ctx)) { +- ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB); ++ ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, ERR_R_BN_LIB); + goto err; + } + +@@ -273,7 +308,7 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const uns + * generate new kinv and r values + */ + if (in_kinv != NULL && in_r != NULL) { +- ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, EC_R_NEED_NEW_SETUP_VALUES); ++ ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, EC_R_NEED_NEW_SETUP_VALUES); + goto err; + } + } else { +@@ -325,8 +360,8 @@ int ossl_ecdsa_verify(int type, const un + return ret; + } + +-int ossl_ecdsa_verify_sig(const unsigned char *dgst, int dgst_len, +- const ECDSA_SIG *sig, EC_KEY *eckey) ++int ecdsa_simple_verify_sig(const unsigned char *dgst, int dgst_len, ++ const ECDSA_SIG *sig, EC_KEY *eckey) + { + int ret = -1, i; + BN_CTX *ctx; +@@ -346,18 +381,18 @@ int ossl_ecdsa_verify_sig(const unsigned + /* check input values */ + if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL || + (pub_key = EC_KEY_get0_public_key(eckey)) == NULL || sig == NULL) { +- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, EC_R_MISSING_PARAMETERS); ++ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, EC_R_MISSING_PARAMETERS); + return -1; + } + + if (!EC_KEY_can_sign(eckey)) { +- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING); ++ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING); + return -1; + } + + ctx = BN_CTX_new(); + if (ctx == NULL) { +- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_MALLOC_FAILURE); ++ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_MALLOC_FAILURE); + return -1; + } + BN_CTX_start(ctx); +@@ -366,26 +401,26 @@ int ossl_ecdsa_verify_sig(const unsigned + m = BN_CTX_get(ctx); + X = BN_CTX_get(ctx); + if (X == NULL) { +- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_BN_LIB); ++ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_BN_LIB); + goto err; + } + + order = EC_GROUP_get0_order(group); + if (order == NULL) { +- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_EC_LIB); ++ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_EC_LIB); + goto err; + } + + if (BN_is_zero(sig->r) || BN_is_negative(sig->r) || + BN_ucmp(sig->r, order) >= 0 || BN_is_zero(sig->s) || + BN_is_negative(sig->s) || BN_ucmp(sig->s, order) >= 0) { +- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, EC_R_BAD_SIGNATURE); ++ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, EC_R_BAD_SIGNATURE); + ret = 0; /* signature is invalid */ + goto err; + } + /* calculate tmp1 = inv(S) mod order */ + if (!ec_group_do_inverse_ord(group, u2, sig->s, ctx)) { +- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_BN_LIB); ++ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_BN_LIB); + goto err; + } + /* digest -> m */ +@@ -396,41 +431,41 @@ int ossl_ecdsa_verify_sig(const unsigned + if (8 * dgst_len > i) + dgst_len = (i + 7) / 8; + if (!BN_bin2bn(dgst, dgst_len, m)) { +- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_BN_LIB); ++ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_BN_LIB); + goto err; + } + /* If still too long truncate remaining bits with a shift */ + if ((8 * dgst_len > i) && !BN_rshift(m, m, 8 - (i & 0x7))) { +- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_BN_LIB); ++ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_BN_LIB); + goto err; + } + /* u1 = m * tmp mod order */ + if (!BN_mod_mul(u1, m, u2, order, ctx)) { +- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_BN_LIB); ++ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_BN_LIB); + goto err; + } + /* u2 = r * w mod q */ + if (!BN_mod_mul(u2, sig->r, u2, order, ctx)) { +- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_BN_LIB); ++ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_BN_LIB); + goto err; + } + + if ((point = EC_POINT_new(group)) == NULL) { +- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_MALLOC_FAILURE); ++ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_MALLOC_FAILURE); + goto err; + } + if (!EC_POINT_mul(group, point, u1, pub_key, u2, ctx)) { +- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_EC_LIB); ++ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_EC_LIB); + goto err; + } + + if (!EC_POINT_get_affine_coordinates(group, point, X, NULL, ctx)) { +- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_EC_LIB); ++ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_EC_LIB); + goto err; + } + + if (!BN_nnmod(u1, X, order, ctx)) { +- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_BN_LIB); ++ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_BN_LIB); + goto err; + } + /* if the signature is correct u1 is equal to sig->r */ +diff -up openssl-1.1.1g/crypto/ec/ec_err.c.s390x-ecc openssl-1.1.1g/crypto/ec/ec_err.c +--- openssl-1.1.1g/crypto/ec/ec_err.c.s390x-ecc 2020-04-21 14:22:39.000000000 +0200 ++++ openssl-1.1.1g/crypto/ec/ec_err.c 2020-05-18 12:45:42.664249983 +0200 +@@ -31,6 +31,11 @@ static const ERR_STRING_DATA EC_str_func + {ERR_PACK(ERR_LIB_EC, EC_F_ECDSA_SIGN_SETUP, 0), "ECDSA_sign_setup"}, + {ERR_PACK(ERR_LIB_EC, EC_F_ECDSA_SIG_NEW, 0), "ECDSA_SIG_new"}, + {ERR_PACK(ERR_LIB_EC, EC_F_ECDSA_VERIFY, 0), "ECDSA_verify"}, ++ {ERR_PACK(ERR_LIB_EC, EC_F_ECDSA_SIMPLE_SIGN_SETUP, 0), "ecdsa_simple_sign_setup"}, ++ {ERR_PACK(ERR_LIB_EC, EC_F_ECDSA_SIMPLE_SIGN_SIG, 0), "ecdsa_simple_sign_sig"}, ++ {ERR_PACK(ERR_LIB_EC, EC_F_ECDSA_SIMPLE_VERIFY_SIG, 0), "ecdsa_simple_verify_sig"}, ++ {ERR_PACK(ERR_LIB_EC, EC_F_ECDSA_S390X_NISTP_SIGN_SIG, 0), "ecdsa_s390x_nistp_sign_sig"}, ++ {ERR_PACK(ERR_LIB_EC, EC_F_ECDSA_S390X_NISTP_VERIFY_SIG, 0), "ecdsa_s390x_nistp_verify_sig"}, + {ERR_PACK(ERR_LIB_EC, EC_F_ECD_ITEM_VERIFY, 0), "ecd_item_verify"}, + {ERR_PACK(ERR_LIB_EC, EC_F_ECKEY_PARAM2TYPE, 0), "eckey_param2type"}, + {ERR_PACK(ERR_LIB_EC, EC_F_ECKEY_PARAM_DECODE, 0), "eckey_param_decode"}, +@@ -266,6 +271,7 @@ static const ERR_STRING_DATA EC_str_func + {ERR_PACK(ERR_LIB_EC, EC_F_OLD_EC_PRIV_DECODE, 0), "old_ec_priv_decode"}, + {ERR_PACK(ERR_LIB_EC, EC_F_OSSL_ECDH_COMPUTE_KEY, 0), + "ossl_ecdh_compute_key"}, ++ {ERR_PACK(ERR_LIB_EC, EC_F_OSSL_ECDSA_SIGN_SETUP, 0), "ossl_ecdsa_sign_setup"}, + {ERR_PACK(ERR_LIB_EC, EC_F_OSSL_ECDSA_SIGN_SIG, 0), "ossl_ecdsa_sign_sig"}, + {ERR_PACK(ERR_LIB_EC, EC_F_OSSL_ECDSA_VERIFY_SIG, 0), + "ossl_ecdsa_verify_sig"}, +@@ -284,6 +290,12 @@ static const ERR_STRING_DATA EC_str_func + {ERR_PACK(ERR_LIB_EC, EC_F_PKEY_EC_KEYGEN, 0), "pkey_ec_keygen"}, + {ERR_PACK(ERR_LIB_EC, EC_F_PKEY_EC_PARAMGEN, 0), "pkey_ec_paramgen"}, + {ERR_PACK(ERR_LIB_EC, EC_F_PKEY_EC_SIGN, 0), "pkey_ec_sign"}, ++ {ERR_PACK(ERR_LIB_EC, EC_F_S390X_PKEY_ECD_DIGESTSIGN25519, 0), "s390x_pkey_ecd_digestsign25519"}, ++ {ERR_PACK(ERR_LIB_EC, EC_F_S390X_PKEY_ECD_DIGESTSIGN448, 0), "s390x_pkey_ecd_digestsign448"}, ++ {ERR_PACK(ERR_LIB_EC, EC_F_S390X_PKEY_ECD_KEYGEN25519, 0), "s390x_pkey_ecd_keygen25519"}, ++ {ERR_PACK(ERR_LIB_EC, EC_F_S390X_PKEY_ECD_KEYGEN448, 0), "s390x_pkey_ecd_keygen448"}, ++ {ERR_PACK(ERR_LIB_EC, EC_F_S390X_PKEY_ECX_KEYGEN25519, 0), "s390x_pkey_ecx_keygen25519"}, ++ {ERR_PACK(ERR_LIB_EC, EC_F_S390X_PKEY_ECX_KEYGEN448, 0), "s390x_pkey_ecx_keygen448"}, + {ERR_PACK(ERR_LIB_EC, EC_F_VALIDATE_ECX_DERIVE, 0), "validate_ecx_derive"}, + {0, NULL} + }; +@@ -298,6 +310,8 @@ static const ERR_STRING_DATA EC_str_reas + "coordinates out of range"}, + {ERR_PACK(ERR_LIB_EC, 0, EC_R_CURVE_DOES_NOT_SUPPORT_ECDH), + "curve does not support ecdh"}, ++ {ERR_PACK(ERR_LIB_EC, 0, EC_R_CURVE_DOES_NOT_SUPPORT_ECDSA), ++ "curve does not support ecdsa"}, + {ERR_PACK(ERR_LIB_EC, 0, EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING), + "curve does not support signing"}, + {ERR_PACK(ERR_LIB_EC, 0, EC_R_D2I_ECPKPARAMETERS_FAILURE), +diff -up openssl-1.1.1g/crypto/ec/ec_local.h.s390x-ecc openssl-1.1.1g/crypto/ec/ec_local.h +--- openssl-1.1.1g/crypto/ec/ec_local.h.s390x-ecc 2020-05-18 12:45:40.554231646 +0200 ++++ openssl-1.1.1g/crypto/ec/ec_local.h 2020-05-18 12:45:44.564266496 +0200 +@@ -179,6 +179,14 @@ struct ec_method_st { + /* custom ECDH operation */ + int (*ecdh_compute_key)(unsigned char **pout, size_t *poutlen, + const EC_POINT *pub_key, const EC_KEY *ecdh); ++ /* custom ECDSA */ ++ int (*ecdsa_sign_setup)(EC_KEY *eckey, BN_CTX *ctx, BIGNUM **kinvp, ++ BIGNUM **rp); ++ ECDSA_SIG *(*ecdsa_sign_sig)(const unsigned char *dgst, int dgstlen, ++ const BIGNUM *kinv, const BIGNUM *r, ++ EC_KEY *eckey); ++ int (*ecdsa_verify_sig)(const unsigned char *dgst, int dgstlen, ++ const ECDSA_SIG *sig, EC_KEY *eckey); + /* Inverse modulo order */ + int (*field_inverse_mod_ord)(const EC_GROUP *, BIGNUM *r, + const BIGNUM *x, BN_CTX *); +@@ -587,6 +595,11 @@ int ec_group_simple_order_bits(const EC_ + */ + const EC_METHOD *EC_GFp_nistz256_method(void); + #endif ++#ifdef S390X_EC_ASM ++const EC_METHOD *EC_GFp_s390x_nistp256_method(void); ++const EC_METHOD *EC_GFp_s390x_nistp384_method(void); ++const EC_METHOD *EC_GFp_s390x_nistp521_method(void); ++#endif + + size_t ec_key_simple_priv2oct(const EC_KEY *eckey, + unsigned char *buf, size_t len); +@@ -651,6 +664,13 @@ int ossl_ecdsa_verify(int type, const un + const unsigned char *sigbuf, int sig_len, EC_KEY *eckey); + int ossl_ecdsa_verify_sig(const unsigned char *dgst, int dgst_len, + const ECDSA_SIG *sig, EC_KEY *eckey); ++int ecdsa_simple_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, ++ BIGNUM **rp); ++ECDSA_SIG *ecdsa_simple_sign_sig(const unsigned char *dgst, int dgst_len, ++ const BIGNUM *in_kinv, const BIGNUM *in_r, ++ EC_KEY *eckey); ++int ecdsa_simple_verify_sig(const unsigned char *dgst, int dgst_len, ++ const ECDSA_SIG *sig, EC_KEY *eckey); + + int ED25519_sign(uint8_t *out_sig, const uint8_t *message, size_t message_len, + const uint8_t public_key[32], const uint8_t private_key[32]); +diff -up openssl-1.1.1g/crypto/ec/ec_pmeth.c.s390x-ecc openssl-1.1.1g/crypto/ec/ec_pmeth.c +--- openssl-1.1.1g/crypto/ec/ec_pmeth.c.s390x-ecc 2020-05-18 12:45:40.784233644 +0200 ++++ openssl-1.1.1g/crypto/ec/ec_pmeth.c 2020-05-18 12:45:44.565266505 +0200 +@@ -474,3 +474,8 @@ const EVP_PKEY_METHOD ec_pkey_meth = { + pkey_ec_ctrl, + pkey_ec_ctrl_str + }; ++ ++const EVP_PKEY_METHOD *ec_pkey_method(void) ++{ ++ return &ec_pkey_meth; ++} +diff -up openssl-1.1.1g/crypto/ec/ecp_mont.c.s390x-ecc openssl-1.1.1g/crypto/ec/ecp_mont.c +--- openssl-1.1.1g/crypto/ec/ecp_mont.c.s390x-ecc 2020-04-21 14:22:39.000000000 +0200 ++++ openssl-1.1.1g/crypto/ec/ecp_mont.c 2020-05-18 12:45:44.567266523 +0200 +@@ -63,6 +63,9 @@ const EC_METHOD *EC_GFp_mont_method(void + 0, /* keycopy */ + 0, /* keyfinish */ + ecdh_simple_compute_key, ++ ecdsa_simple_sign_setup, ++ ecdsa_simple_sign_sig, ++ ecdsa_simple_verify_sig, + 0, /* field_inverse_mod_ord */ + ec_GFp_simple_blind_coordinates, + ec_GFp_simple_ladder_pre, +diff -up openssl-1.1.1g/crypto/ec/ecp_nist.c.s390x-ecc openssl-1.1.1g/crypto/ec/ecp_nist.c +--- openssl-1.1.1g/crypto/ec/ecp_nist.c.s390x-ecc 2020-04-21 14:22:39.000000000 +0200 ++++ openssl-1.1.1g/crypto/ec/ecp_nist.c 2020-05-18 12:45:44.567266523 +0200 +@@ -65,6 +65,9 @@ const EC_METHOD *EC_GFp_nist_method(void + 0, /* keycopy */ + 0, /* keyfinish */ + ecdh_simple_compute_key, ++ ecdsa_simple_sign_setup, ++ ecdsa_simple_sign_sig, ++ ecdsa_simple_verify_sig, + 0, /* field_inverse_mod_ord */ + ec_GFp_simple_blind_coordinates, + ec_GFp_simple_ladder_pre, +diff -up openssl-1.1.1g/crypto/ec/ecp_nistp224.c.s390x-ecc openssl-1.1.1g/crypto/ec/ecp_nistp224.c +--- openssl-1.1.1g/crypto/ec/ecp_nistp224.c.s390x-ecc 2020-04-21 14:22:39.000000000 +0200 ++++ openssl-1.1.1g/crypto/ec/ecp_nistp224.c 2020-05-18 12:45:44.568266531 +0200 +@@ -292,6 +292,9 @@ const EC_METHOD *EC_GFp_nistp224_method( + 0, /* keycopy */ + 0, /* keyfinish */ + ecdh_simple_compute_key, ++ ecdsa_simple_sign_setup, ++ ecdsa_simple_sign_sig, ++ ecdsa_simple_verify_sig, + 0, /* field_inverse_mod_ord */ + 0, /* blind_coordinates */ + 0, /* ladder_pre */ +diff -up openssl-1.1.1g/crypto/ec/ecp_nistp256.c.s390x-ecc openssl-1.1.1g/crypto/ec/ecp_nistp256.c +--- openssl-1.1.1g/crypto/ec/ecp_nistp256.c.s390x-ecc 2020-04-21 14:22:39.000000000 +0200 ++++ openssl-1.1.1g/crypto/ec/ecp_nistp256.c 2020-05-18 12:45:44.568266531 +0200 +@@ -1829,6 +1829,9 @@ const EC_METHOD *EC_GFp_nistp256_method( + 0, /* keycopy */ + 0, /* keyfinish */ + ecdh_simple_compute_key, ++ ecdsa_simple_sign_setup, ++ ecdsa_simple_sign_sig, ++ ecdsa_simple_verify_sig, + 0, /* field_inverse_mod_ord */ + 0, /* blind_coordinates */ + 0, /* ladder_pre */ +diff -up openssl-1.1.1g/crypto/ec/ecp_nistp521.c.s390x-ecc openssl-1.1.1g/crypto/ec/ecp_nistp521.c +--- openssl-1.1.1g/crypto/ec/ecp_nistp521.c.s390x-ecc 2020-04-21 14:22:39.000000000 +0200 ++++ openssl-1.1.1g/crypto/ec/ecp_nistp521.c 2020-05-18 12:45:44.569266540 +0200 +@@ -1669,6 +1669,9 @@ const EC_METHOD *EC_GFp_nistp521_method( + 0, /* keycopy */ + 0, /* keyfinish */ + ecdh_simple_compute_key, ++ ecdsa_simple_sign_setup, ++ ecdsa_simple_sign_sig, ++ ecdsa_simple_verify_sig, + 0, /* field_inverse_mod_ord */ + 0, /* blind_coordinates */ + 0, /* ladder_pre */ +diff -up openssl-1.1.1g/crypto/ec/ecp_nistz256.c.s390x-ecc openssl-1.1.1g/crypto/ec/ecp_nistz256.c +--- openssl-1.1.1g/crypto/ec/ecp_nistz256.c.s390x-ecc 2020-04-21 14:22:39.000000000 +0200 ++++ openssl-1.1.1g/crypto/ec/ecp_nistz256.c 2020-05-18 12:45:44.570266549 +0200 +@@ -1720,6 +1720,9 @@ const EC_METHOD *EC_GFp_nistz256_method( + 0, /* keycopy */ + 0, /* keyfinish */ + ecdh_simple_compute_key, ++ ecdsa_simple_sign_setup, ++ ecdsa_simple_sign_sig, ++ ecdsa_simple_verify_sig, + ecp_nistz256_inv_mod_ord, /* can be #define-d NULL */ + 0, /* blind_coordinates */ + 0, /* ladder_pre */ +diff -up openssl-1.1.1g/crypto/ec/ecp_s390x_nistp.c.s390x-ecc openssl-1.1.1g/crypto/ec/ecp_s390x_nistp.c +--- openssl-1.1.1g/crypto/ec/ecp_s390x_nistp.c.s390x-ecc 2020-05-18 12:45:44.571266557 +0200 ++++ openssl-1.1.1g/crypto/ec/ecp_s390x_nistp.c 2020-05-18 12:45:44.571266557 +0200 +@@ -0,0 +1,394 @@ ++/* ++ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. ++ * ++ * Licensed under the Apache License 2.0 (the "License"). You may not use ++ * this file except in compliance with the License. You can obtain a copy ++ * in the file LICENSE in the source distribution or at ++ * https://www.openssl.org/source/license.html ++ */ ++ ++#include ++#include ++#include ++#include ++#include "ec_local.h" ++#include "s390x_arch.h" ++ ++/* Size of parameter blocks */ ++#define S390X_SIZE_PARAM 4096 ++ ++/* Size of fields in parameter blocks */ ++#define S390X_SIZE_P256 32 ++#define S390X_SIZE_P384 48 ++#define S390X_SIZE_P521 80 ++ ++/* Offsets of fields in PCC parameter blocks */ ++#define S390X_OFF_RES_X(n) (0 * n) ++#define S390X_OFF_RES_Y(n) (1 * n) ++#define S390X_OFF_SRC_X(n) (2 * n) ++#define S390X_OFF_SRC_Y(n) (3 * n) ++#define S390X_OFF_SCALAR(n) (4 * n) ++ ++/* Offsets of fields in KDSA parameter blocks */ ++#define S390X_OFF_R(n) (0 * n) ++#define S390X_OFF_S(n) (1 * n) ++#define S390X_OFF_H(n) (2 * n) ++#define S390X_OFF_K(n) (3 * n) ++#define S390X_OFF_X(n) (3 * n) ++#define S390X_OFF_RN(n) (4 * n) ++#define S390X_OFF_Y(n) (4 * n) ++ ++static int ec_GFp_s390x_nistp_mul(const EC_GROUP *group, EC_POINT *r, ++ const BIGNUM *scalar, ++ size_t num, const EC_POINT *points[], ++ const BIGNUM *scalars[], ++ BN_CTX *ctx, unsigned int fc, int len) ++{ ++ unsigned char param[S390X_SIZE_PARAM]; ++ BIGNUM *x, *y; ++ const EC_POINT *point_ptr = NULL; ++ const BIGNUM *scalar_ptr = NULL; ++ BN_CTX *new_ctx = NULL; ++ int rc = -1; ++ ++ if (ctx == NULL) { ++ ctx = new_ctx = BN_CTX_new(); ++ if (ctx == NULL) ++ return 0; ++ } ++ ++ BN_CTX_start(ctx); ++ ++ x = BN_CTX_get(ctx); ++ y = BN_CTX_get(ctx); ++ if (x == NULL || y == NULL) { ++ rc = 0; ++ goto ret; ++ } ++ ++ /* ++ * Use PCC for EC keygen and ECDH key derivation: ++ * scalar * generator and scalar * peer public key, ++ * scalar in [0,order). ++ */ ++ if ((scalar != NULL && num == 0 && BN_is_negative(scalar) == 0) ++ || (scalar == NULL && num == 1 && BN_is_negative(scalars[0]) == 0)) { ++ ++ if (num == 0) { ++ point_ptr = EC_GROUP_get0_generator(group); ++ scalar_ptr = scalar; ++ } else { ++ point_ptr = points[0]; ++ scalar_ptr = scalars[0]; ++ } ++ ++ if (EC_POINT_is_at_infinity(group, point_ptr) == 1 ++ || BN_is_zero(scalar_ptr)) { ++ rc = EC_POINT_set_to_infinity(group, r); ++ goto ret; ++ } ++ ++ memset(¶m, 0, sizeof(param)); ++ ++ if (group->meth->point_get_affine_coordinates(group, point_ptr, ++ x, y, ctx) != 1 ++ || BN_bn2binpad(x, param + S390X_OFF_SRC_X(len), len) == -1 ++ || BN_bn2binpad(y, param + S390X_OFF_SRC_Y(len), len) == -1 ++ || BN_bn2binpad(scalar_ptr, ++ param + S390X_OFF_SCALAR(len), len) == -1 ++ || s390x_pcc(fc, param) != 0 ++ || BN_bin2bn(param + S390X_OFF_RES_X(len), len, x) == NULL ++ || BN_bin2bn(param + S390X_OFF_RES_Y(len), len, y) == NULL ++ || group->meth->point_set_affine_coordinates(group, r, ++ x, y, ctx) != 1) ++ goto ret; ++ ++ rc = 1; ++ } ++ ++ret: ++ /* Otherwise use default. */ ++ if (rc == -1) ++ rc = ec_wNAF_mul(group, r, scalar, num, points, scalars, ctx); ++ OPENSSL_cleanse(param + S390X_OFF_SCALAR(len), len); ++ BN_CTX_end(ctx); ++ BN_CTX_free(new_ctx); ++ return rc; ++} ++ ++static ECDSA_SIG *ecdsa_s390x_nistp_sign_sig(const unsigned char *dgst, ++ int dgstlen, ++ const BIGNUM *kinv, ++ const BIGNUM *r, ++ EC_KEY *eckey, ++ unsigned int fc, int len) ++{ ++ unsigned char param[S390X_SIZE_PARAM]; ++ int ok = 0; ++ BIGNUM *k; ++ ECDSA_SIG *sig; ++ const EC_GROUP *group; ++ const BIGNUM *privkey; ++ int off; ++ ++ group = EC_KEY_get0_group(eckey); ++ privkey = EC_KEY_get0_private_key(eckey); ++ if (group == NULL || privkey == NULL) { ++ ECerr(EC_F_ECDSA_S390X_NISTP_SIGN_SIG, EC_R_MISSING_PARAMETERS); ++ return NULL; ++ } ++ ++ if (!EC_KEY_can_sign(eckey)) { ++ ECerr(EC_F_ECDSA_S390X_NISTP_SIGN_SIG, ++ EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING); ++ return NULL; ++ } ++ ++ k = BN_secure_new(); ++ sig = ECDSA_SIG_new(); ++ if (k == NULL || sig == NULL) { ++ ECerr(EC_F_ECDSA_S390X_NISTP_SIGN_SIG, ERR_R_MALLOC_FAILURE); ++ goto ret; ++ } ++ ++ sig->r = BN_new(); ++ sig->s = BN_new(); ++ if (sig->r == NULL || sig->s == NULL) { ++ ECerr(EC_F_ECDSA_S390X_NISTP_SIGN_SIG, ERR_R_MALLOC_FAILURE); ++ goto ret; ++ } ++ ++ memset(param, 0, sizeof(param)); ++ off = len - (dgstlen > len ? len : dgstlen); ++ memcpy(param + S390X_OFF_H(len) + off, dgst, len - off); ++ ++ if (BN_bn2binpad(privkey, param + S390X_OFF_K(len), len) == -1) { ++ ECerr(EC_F_ECDSA_S390X_NISTP_SIGN_SIG, ERR_R_BN_LIB); ++ goto ret; ++ } ++ ++ if (r == NULL || kinv == NULL) { ++ /* ++ * Generate random k and copy to param param block. RAND_priv_bytes ++ * is used instead of BN_priv_rand_range or BN_generate_dsa_nonce ++ * because kdsa instruction constructs an in-range, invertible nonce ++ * internally implementing counter-measures for RNG weakness. ++ */ ++ if (RAND_priv_bytes(param + S390X_OFF_RN(len), len) != 1) { ++ ECerr(EC_F_ECDSA_S390X_NISTP_SIGN_SIG, ++ EC_R_RANDOM_NUMBER_GENERATION_FAILED); ++ goto ret; ++ } ++ } else { ++ /* Reconstruct k = (k^-1)^-1. */ ++ if (ec_group_do_inverse_ord(group, k, kinv, NULL) == 0 ++ || BN_bn2binpad(k, param + S390X_OFF_RN(len), len) == -1) { ++ ECerr(EC_F_ECDSA_S390X_NISTP_SIGN_SIG, ERR_R_BN_LIB); ++ goto ret; ++ } ++ /* Turns KDSA internal nonce-generation off. */ ++ fc |= S390X_KDSA_D; ++ } ++ ++ if (s390x_kdsa(fc, param, NULL, 0) != 0) { ++ ECerr(EC_F_ECDSA_S390X_NISTP_SIGN_SIG, ERR_R_ECDSA_LIB); ++ goto ret; ++ } ++ ++ if (BN_bin2bn(param + S390X_OFF_R(len), len, sig->r) == NULL ++ || BN_bin2bn(param + S390X_OFF_S(len), len, sig->s) == NULL) { ++ ECerr(EC_F_ECDSA_S390X_NISTP_SIGN_SIG, ERR_R_BN_LIB); ++ goto ret; ++ } ++ ++ ok = 1; ++ret: ++ OPENSSL_cleanse(param + S390X_OFF_K(len), 2 * len); ++ if (ok != 1) { ++ ECDSA_SIG_free(sig); ++ sig = NULL; ++ } ++ BN_clear_free(k); ++ return sig; ++} ++ ++static int ecdsa_s390x_nistp_verify_sig(const unsigned char *dgst, int dgstlen, ++ const ECDSA_SIG *sig, EC_KEY *eckey, ++ unsigned int fc, int len) ++{ ++ unsigned char param[S390X_SIZE_PARAM]; ++ int rc = -1; ++ BN_CTX *ctx; ++ BIGNUM *x, *y; ++ const EC_GROUP *group; ++ const EC_POINT *pubkey; ++ int off; ++ ++ group = EC_KEY_get0_group(eckey); ++ pubkey = EC_KEY_get0_public_key(eckey); ++ if (eckey == NULL || group == NULL || pubkey == NULL || sig == NULL) { ++ ECerr(EC_F_ECDSA_S390X_NISTP_VERIFY_SIG, EC_R_MISSING_PARAMETERS); ++ return -1; ++ } ++ ++ if (!EC_KEY_can_sign(eckey)) { ++ ECerr(EC_F_ECDSA_S390X_NISTP_VERIFY_SIG, ++ EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING); ++ return -1; ++ } ++ ++ ctx = BN_CTX_new(); ++ if (ctx == NULL) { ++ ECerr(EC_F_ECDSA_S390X_NISTP_VERIFY_SIG, ERR_R_MALLOC_FAILURE); ++ return -1; ++ } ++ ++ BN_CTX_start(ctx); ++ ++ x = BN_CTX_get(ctx); ++ y = BN_CTX_get(ctx); ++ if (x == NULL || y == NULL) { ++ ECerr(EC_F_ECDSA_S390X_NISTP_VERIFY_SIG, ERR_R_MALLOC_FAILURE); ++ goto ret; ++ } ++ ++ memset(param, 0, sizeof(param)); ++ off = len - (dgstlen > len ? len : dgstlen); ++ memcpy(param + S390X_OFF_H(len) + off, dgst, len - off); ++ ++ if (group->meth->point_get_affine_coordinates(group, pubkey, ++ x, y, ctx) != 1 ++ || BN_bn2binpad(sig->r, param + S390X_OFF_R(len), len) == -1 ++ || BN_bn2binpad(sig->s, param + S390X_OFF_S(len), len) == -1 ++ || BN_bn2binpad(x, param + S390X_OFF_X(len), len) == -1 ++ || BN_bn2binpad(y, param + S390X_OFF_Y(len), len) == -1) { ++ ECerr(EC_F_ECDSA_S390X_NISTP_VERIFY_SIG, ERR_R_BN_LIB); ++ goto ret; ++ } ++ ++ rc = s390x_kdsa(fc, param, NULL, 0) == 0 ? 1 : 0; ++ret: ++ BN_CTX_end(ctx); ++ BN_CTX_free(ctx); ++ return rc; ++} ++ ++#define EC_GFP_S390X_NISTP_METHOD(bits) \ ++ \ ++static int ec_GFp_s390x_nistp##bits##_mul(const EC_GROUP *group, \ ++ EC_POINT *r, \ ++ const BIGNUM *scalar, \ ++ size_t num, \ ++ const EC_POINT *points[], \ ++ const BIGNUM *scalars[], \ ++ BN_CTX *ctx) \ ++{ \ ++ return ec_GFp_s390x_nistp_mul(group, r, scalar, num, points, \ ++ scalars, ctx, \ ++ S390X_SCALAR_MULTIPLY_P##bits, \ ++ S390X_SIZE_P##bits); \ ++} \ ++ \ ++static ECDSA_SIG *ecdsa_s390x_nistp##bits##_sign_sig(const unsigned \ ++ char *dgst, \ ++ int dgstlen, \ ++ const BIGNUM *kinv,\ ++ const BIGNUM *r, \ ++ EC_KEY *eckey) \ ++{ \ ++ return ecdsa_s390x_nistp_sign_sig(dgst, dgstlen, kinv, r, eckey, \ ++ S390X_ECDSA_SIGN_P##bits, \ ++ S390X_SIZE_P##bits); \ ++} \ ++ \ ++static int ecdsa_s390x_nistp##bits##_verify_sig(const \ ++ unsigned char *dgst, \ ++ int dgstlen, \ ++ const ECDSA_SIG *sig, \ ++ EC_KEY *eckey) \ ++{ \ ++ return ecdsa_s390x_nistp_verify_sig(dgst, dgstlen, sig, eckey, \ ++ S390X_ECDSA_VERIFY_P##bits, \ ++ S390X_SIZE_P##bits); \ ++} \ ++ \ ++const EC_METHOD *EC_GFp_s390x_nistp##bits##_method(void) \ ++{ \ ++ static const EC_METHOD EC_GFp_s390x_nistp##bits##_meth = { \ ++ EC_FLAGS_DEFAULT_OCT, \ ++ NID_X9_62_prime_field, \ ++ ec_GFp_simple_group_init, \ ++ ec_GFp_simple_group_finish, \ ++ ec_GFp_simple_group_clear_finish, \ ++ ec_GFp_simple_group_copy, \ ++ ec_GFp_simple_group_set_curve, \ ++ ec_GFp_simple_group_get_curve, \ ++ ec_GFp_simple_group_get_degree, \ ++ ec_group_simple_order_bits, \ ++ ec_GFp_simple_group_check_discriminant, \ ++ ec_GFp_simple_point_init, \ ++ ec_GFp_simple_point_finish, \ ++ ec_GFp_simple_point_clear_finish, \ ++ ec_GFp_simple_point_copy, \ ++ ec_GFp_simple_point_set_to_infinity, \ ++ ec_GFp_simple_set_Jprojective_coordinates_GFp, \ ++ ec_GFp_simple_get_Jprojective_coordinates_GFp, \ ++ ec_GFp_simple_point_set_affine_coordinates, \ ++ ec_GFp_simple_point_get_affine_coordinates, \ ++ NULL, /* point_set_compressed_coordinates */ \ ++ NULL, /* point2oct */ \ ++ NULL, /* oct2point */ \ ++ ec_GFp_simple_add, \ ++ ec_GFp_simple_dbl, \ ++ ec_GFp_simple_invert, \ ++ ec_GFp_simple_is_at_infinity, \ ++ ec_GFp_simple_is_on_curve, \ ++ ec_GFp_simple_cmp, \ ++ ec_GFp_simple_make_affine, \ ++ ec_GFp_simple_points_make_affine, \ ++ ec_GFp_s390x_nistp##bits##_mul, \ ++ NULL, /* precompute_mult */ \ ++ NULL, /* have_precompute_mult */ \ ++ ec_GFp_simple_field_mul, \ ++ ec_GFp_simple_field_sqr, \ ++ NULL, /* field_div */ \ ++ ec_GFp_simple_field_inv, \ ++ NULL, /* field_encode */ \ ++ NULL, /* field_decode */ \ ++ NULL, /* field_set_to_one */ \ ++ ec_key_simple_priv2oct, \ ++ ec_key_simple_oct2priv, \ ++ NULL, /* set_private */ \ ++ ec_key_simple_generate_key, \ ++ ec_key_simple_check_key, \ ++ ec_key_simple_generate_public_key, \ ++ NULL, /* keycopy */ \ ++ NULL, /* keyfinish */ \ ++ ecdh_simple_compute_key, \ ++ ecdsa_simple_sign_setup, \ ++ ecdsa_s390x_nistp##bits##_sign_sig, \ ++ ecdsa_s390x_nistp##bits##_verify_sig, \ ++ NULL, /* field_inverse_mod_ord */ \ ++ ec_GFp_simple_blind_coordinates, \ ++ ec_GFp_simple_ladder_pre, \ ++ ec_GFp_simple_ladder_step, \ ++ ec_GFp_simple_ladder_post \ ++ }; \ ++ static const EC_METHOD *ret; \ ++ \ ++ if ((OPENSSL_s390xcap_P.pcc[1] \ ++ & S390X_CAPBIT(S390X_SCALAR_MULTIPLY_P##bits)) \ ++ && (OPENSSL_s390xcap_P.kdsa[0] \ ++ & S390X_CAPBIT(S390X_ECDSA_VERIFY_P##bits)) \ ++ && (OPENSSL_s390xcap_P.kdsa[0] \ ++ & S390X_CAPBIT(S390X_ECDSA_SIGN_P##bits))) \ ++ ret = &EC_GFp_s390x_nistp##bits##_meth; \ ++ else \ ++ ret = EC_GFp_mont_method(); \ ++ \ ++ return ret; \ ++} ++ ++EC_GFP_S390X_NISTP_METHOD(256) ++EC_GFP_S390X_NISTP_METHOD(384) ++EC_GFP_S390X_NISTP_METHOD(521) +diff -up openssl-1.1.1g/crypto/ec/ecp_smpl.c.s390x-ecc openssl-1.1.1g/crypto/ec/ecp_smpl.c +--- openssl-1.1.1g/crypto/ec/ecp_smpl.c.s390x-ecc 2020-05-18 12:45:40.769233514 +0200 ++++ openssl-1.1.1g/crypto/ec/ecp_smpl.c 2020-05-18 12:45:44.572266566 +0200 +@@ -64,6 +64,9 @@ const EC_METHOD *EC_GFp_simple_method(vo + 0, /* keycopy */ + 0, /* keyfinish */ + ecdh_simple_compute_key, ++ ecdsa_simple_sign_setup, ++ ecdsa_simple_sign_sig, ++ ecdsa_simple_verify_sig, + 0, /* field_inverse_mod_ord */ + ec_GFp_simple_blind_coordinates, + ec_GFp_simple_ladder_pre, +diff -up openssl-1.1.1g/crypto/ec/ecx_meth.c.s390x-ecc openssl-1.1.1g/crypto/ec/ecx_meth.c +--- openssl-1.1.1g/crypto/ec/ecx_meth.c.s390x-ecc 2020-04-21 14:22:39.000000000 +0200 ++++ openssl-1.1.1g/crypto/ec/ecx_meth.c 2020-05-18 12:45:44.573266575 +0200 +@@ -20,6 +20,7 @@ + #define X25519_BITS 253 + #define X25519_SECURITY_BITS 128 + ++#define ED25519_KEYLEN 32 + #define ED25519_SIGSIZE 64 + + #define X448_BITS 448 +@@ -839,3 +840,666 @@ const EVP_PKEY_METHOD ed448_pkey_meth = + pkey_ecd_digestsign448, + pkey_ecd_digestverify448 + }; ++ ++#ifdef S390X_EC_ASM ++# include "s390x_arch.h" ++# include "internal/constant_time.h" ++ ++static void s390x_x25519_mod_p(unsigned char u[32]) ++{ ++ unsigned char u_red[32]; ++ unsigned int c = 0; ++ int i; ++ ++ memcpy(u_red, u, sizeof(u_red)); ++ ++ c += (unsigned int)u_red[31] + 19; ++ u_red[31] = (unsigned char)c; ++ c >>= 8; ++ ++ for (i = 30; i >= 0; i--) { ++ c += (unsigned int)u_red[i]; ++ u_red[i] = (unsigned char)c; ++ c >>= 8; ++ } ++ ++ c = (u_red[0] & 0x80) >> 7; ++ u_red[0] &= 0x7f; ++ constant_time_cond_swap_buff(0 - (unsigned char)c, ++ u, u_red, sizeof(u_red)); ++} ++ ++static void s390x_x448_mod_p(unsigned char u[56]) ++{ ++ unsigned char u_red[56]; ++ unsigned int c = 0; ++ int i; ++ ++ memcpy(u_red, u, sizeof(u_red)); ++ ++ c += (unsigned int)u_red[55] + 1; ++ u_red[55] = (unsigned char)c; ++ c >>= 8; ++ ++ for (i = 54; i >= 28; i--) { ++ c += (unsigned int)u_red[i]; ++ u_red[i] = (unsigned char)c; ++ c >>= 8; ++ } ++ ++ c += (unsigned int)u_red[27] + 1; ++ u_red[27] = (unsigned char)c; ++ c >>= 8; ++ ++ for (i = 26; i >= 0; i--) { ++ c += (unsigned int)u_red[i]; ++ u_red[i] = (unsigned char)c; ++ c >>= 8; ++ } ++ ++ constant_time_cond_swap_buff(0 - (unsigned char)c, ++ u, u_red, sizeof(u_red)); ++} ++ ++static int s390x_x25519_mul(unsigned char u_dst[32], ++ const unsigned char u_src[32], ++ const unsigned char d_src[32]) ++{ ++ union { ++ struct { ++ unsigned char u_dst[32]; ++ unsigned char u_src[32]; ++ unsigned char d_src[32]; ++ } x25519; ++ unsigned long long buff[512]; ++ } param; ++ int rc; ++ ++ memset(¶m, 0, sizeof(param)); ++ ++ s390x_flip_endian32(param.x25519.u_src, u_src); ++ param.x25519.u_src[0] &= 0x7f; ++ s390x_x25519_mod_p(param.x25519.u_src); ++ ++ s390x_flip_endian32(param.x25519.d_src, d_src); ++ param.x25519.d_src[31] &= 248; ++ param.x25519.d_src[0] &= 127; ++ param.x25519.d_src[0] |= 64; ++ ++ rc = s390x_pcc(S390X_SCALAR_MULTIPLY_X25519, ¶m.x25519) ? 0 : 1; ++ if (rc == 1) ++ s390x_flip_endian32(u_dst, param.x25519.u_dst); ++ ++ OPENSSL_cleanse(param.x25519.d_src, sizeof(param.x25519.d_src)); ++ return rc; ++} ++ ++static int s390x_x448_mul(unsigned char u_dst[56], ++ const unsigned char u_src[56], ++ const unsigned char d_src[56]) ++{ ++ union { ++ struct { ++ unsigned char u_dst[64]; ++ unsigned char u_src[64]; ++ unsigned char d_src[64]; ++ } x448; ++ unsigned long long buff[512]; ++ } param; ++ int rc; ++ ++ memset(¶m, 0, sizeof(param)); ++ ++ memcpy(param.x448.u_src, u_src, 56); ++ memcpy(param.x448.d_src, d_src, 56); ++ ++ s390x_flip_endian64(param.x448.u_src, param.x448.u_src); ++ s390x_x448_mod_p(param.x448.u_src + 8); ++ ++ s390x_flip_endian64(param.x448.d_src, param.x448.d_src); ++ param.x448.d_src[63] &= 252; ++ param.x448.d_src[8] |= 128; ++ ++ rc = s390x_pcc(S390X_SCALAR_MULTIPLY_X448, ¶m.x448) ? 0 : 1; ++ if (rc == 1) { ++ s390x_flip_endian64(param.x448.u_dst, param.x448.u_dst); ++ memcpy(u_dst, param.x448.u_dst, 56); ++ } ++ ++ OPENSSL_cleanse(param.x448.d_src, sizeof(param.x448.d_src)); ++ return rc; ++} ++ ++static int s390x_ed25519_mul(unsigned char x_dst[32], ++ unsigned char y_dst[32], ++ const unsigned char x_src[32], ++ const unsigned char y_src[32], ++ const unsigned char d_src[32]) ++{ ++ union { ++ struct { ++ unsigned char x_dst[32]; ++ unsigned char y_dst[32]; ++ unsigned char x_src[32]; ++ unsigned char y_src[32]; ++ unsigned char d_src[32]; ++ } ed25519; ++ unsigned long long buff[512]; ++ } param; ++ int rc; ++ ++ memset(¶m, 0, sizeof(param)); ++ ++ s390x_flip_endian32(param.ed25519.x_src, x_src); ++ s390x_flip_endian32(param.ed25519.y_src, y_src); ++ s390x_flip_endian32(param.ed25519.d_src, d_src); ++ ++ rc = s390x_pcc(S390X_SCALAR_MULTIPLY_ED25519, ¶m.ed25519) ? 0 : 1; ++ if (rc == 1) { ++ s390x_flip_endian32(x_dst, param.ed25519.x_dst); ++ s390x_flip_endian32(y_dst, param.ed25519.y_dst); ++ } ++ ++ OPENSSL_cleanse(param.ed25519.d_src, sizeof(param.ed25519.d_src)); ++ return rc; ++} ++ ++static int s390x_ed448_mul(unsigned char x_dst[57], ++ unsigned char y_dst[57], ++ const unsigned char x_src[57], ++ const unsigned char y_src[57], ++ const unsigned char d_src[57]) ++{ ++ union { ++ struct { ++ unsigned char x_dst[64]; ++ unsigned char y_dst[64]; ++ unsigned char x_src[64]; ++ unsigned char y_src[64]; ++ unsigned char d_src[64]; ++ } ed448; ++ unsigned long long buff[512]; ++ } param; ++ int rc; ++ ++ memset(¶m, 0, sizeof(param)); ++ ++ memcpy(param.ed448.x_src, x_src, 57); ++ memcpy(param.ed448.y_src, y_src, 57); ++ memcpy(param.ed448.d_src, d_src, 57); ++ s390x_flip_endian64(param.ed448.x_src, param.ed448.x_src); ++ s390x_flip_endian64(param.ed448.y_src, param.ed448.y_src); ++ s390x_flip_endian64(param.ed448.d_src, param.ed448.d_src); ++ ++ rc = s390x_pcc(S390X_SCALAR_MULTIPLY_ED448, ¶m.ed448) ? 0 : 1; ++ if (rc == 1) { ++ s390x_flip_endian64(param.ed448.x_dst, param.ed448.x_dst); ++ s390x_flip_endian64(param.ed448.y_dst, param.ed448.y_dst); ++ memcpy(x_dst, param.ed448.x_dst, 57); ++ memcpy(y_dst, param.ed448.y_dst, 57); ++ } ++ ++ OPENSSL_cleanse(param.ed448.d_src, sizeof(param.ed448.d_src)); ++ return rc; ++} ++ ++static int s390x_pkey_ecx_keygen25519(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) ++{ ++ static const unsigned char generator[] = { ++ 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ++ }; ++ ECX_KEY *key; ++ unsigned char *privkey = NULL, *pubkey; ++ ++ key = OPENSSL_zalloc(sizeof(*key)); ++ if (key == NULL) { ++ ECerr(EC_F_S390X_PKEY_ECX_KEYGEN25519, ERR_R_MALLOC_FAILURE); ++ goto err; ++ } ++ ++ pubkey = key->pubkey; ++ ++ privkey = key->privkey = OPENSSL_secure_malloc(X25519_KEYLEN); ++ if (privkey == NULL) { ++ ECerr(EC_F_S390X_PKEY_ECX_KEYGEN25519, ERR_R_MALLOC_FAILURE); ++ goto err; ++ } ++ ++ if (RAND_priv_bytes(privkey, X25519_KEYLEN) <= 0) ++ goto err; ++ ++ privkey[0] &= 248; ++ privkey[31] &= 127; ++ privkey[31] |= 64; ++ ++ if (s390x_x25519_mul(pubkey, generator, privkey) != 1) ++ goto err; ++ ++ EVP_PKEY_assign(pkey, ctx->pmeth->pkey_id, key); ++ return 1; ++ err: ++ OPENSSL_secure_clear_free(privkey, X25519_KEYLEN); ++ key->privkey = NULL; ++ OPENSSL_free(key); ++ return 0; ++} ++ ++static int s390x_pkey_ecx_keygen448(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) ++{ ++ static const unsigned char generator[] = { ++ 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ++ }; ++ ECX_KEY *key; ++ unsigned char *privkey = NULL, *pubkey; ++ ++ key = OPENSSL_zalloc(sizeof(*key)); ++ if (key == NULL) { ++ ECerr(EC_F_S390X_PKEY_ECX_KEYGEN448, ERR_R_MALLOC_FAILURE); ++ goto err; ++ } ++ ++ pubkey = key->pubkey; ++ ++ privkey = key->privkey = OPENSSL_secure_malloc(X448_KEYLEN); ++ if (privkey == NULL) { ++ ECerr(EC_F_S390X_PKEY_ECX_KEYGEN448, ERR_R_MALLOC_FAILURE); ++ goto err; ++ } ++ ++ if (RAND_priv_bytes(privkey, X448_KEYLEN) <= 0) ++ goto err; ++ ++ privkey[0] &= 252; ++ privkey[55] |= 128; ++ ++ if (s390x_x448_mul(pubkey, generator, privkey) != 1) ++ goto err; ++ ++ EVP_PKEY_assign(pkey, ctx->pmeth->pkey_id, key); ++ return 1; ++ err: ++ OPENSSL_secure_clear_free(privkey, X448_KEYLEN); ++ key->privkey = NULL; ++ OPENSSL_free(key); ++ return 0; ++} ++ ++static int s390x_pkey_ecd_keygen25519(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) ++{ ++ static const unsigned char generator_x[] = { ++ 0x1a, 0xd5, 0x25, 0x8f, 0x60, 0x2d, 0x56, 0xc9, 0xb2, 0xa7, 0x25, 0x95, ++ 0x60, 0xc7, 0x2c, 0x69, 0x5c, 0xdc, 0xd6, 0xfd, 0x31, 0xe2, 0xa4, 0xc0, ++ 0xfe, 0x53, 0x6e, 0xcd, 0xd3, 0x36, 0x69, 0x21 ++ }; ++ static const unsigned char generator_y[] = { ++ 0x58, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, ++ 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, ++ 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, ++ }; ++ unsigned char x_dst[32], buff[SHA512_DIGEST_LENGTH]; ++ ECX_KEY *key; ++ unsigned char *privkey = NULL, *pubkey; ++ ++ key = OPENSSL_zalloc(sizeof(*key)); ++ if (key == NULL) { ++ ECerr(EC_F_S390X_PKEY_ECD_KEYGEN25519, ERR_R_MALLOC_FAILURE); ++ goto err; ++ } ++ ++ pubkey = key->pubkey; ++ ++ privkey = key->privkey = OPENSSL_secure_malloc(ED25519_KEYLEN); ++ if (privkey == NULL) { ++ ECerr(EC_F_S390X_PKEY_ECD_KEYGEN25519, ERR_R_MALLOC_FAILURE); ++ goto err; ++ } ++ ++ if (RAND_priv_bytes(privkey, ED25519_KEYLEN) <= 0) ++ goto err; ++ ++ SHA512(privkey, 32, buff); ++ buff[0] &= 248; ++ buff[31] &= 63; ++ buff[31] |= 64; ++ ++ if (s390x_ed25519_mul(x_dst, pubkey, ++ generator_x, generator_y, buff) != 1) ++ goto err; ++ ++ pubkey[31] |= ((x_dst[0] & 0x01) << 7); ++ ++ EVP_PKEY_assign(pkey, ctx->pmeth->pkey_id, key); ++ return 1; ++ err: ++ OPENSSL_secure_clear_free(privkey, ED25519_KEYLEN); ++ key->privkey = NULL; ++ OPENSSL_free(key); ++ return 0; ++} ++ ++static int s390x_pkey_ecd_keygen448(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) ++{ ++ static const unsigned char generator_x[] = { ++ 0x5e, 0xc0, 0x0c, 0xc7, 0x2b, 0xa8, 0x26, 0x26, 0x8e, 0x93, 0x00, 0x8b, ++ 0xe1, 0x80, 0x3b, 0x43, 0x11, 0x65, 0xb6, 0x2a, 0xf7, 0x1a, 0xae, 0x12, ++ 0x64, 0xa4, 0xd3, 0xa3, 0x24, 0xe3, 0x6d, 0xea, 0x67, 0x17, 0x0f, 0x47, ++ 0x70, 0x65, 0x14, 0x9e, 0xda, 0x36, 0xbf, 0x22, 0xa6, 0x15, 0x1d, 0x22, ++ 0xed, 0x0d, 0xed, 0x6b, 0xc6, 0x70, 0x19, 0x4f, 0x00 ++ }; ++ static const unsigned char generator_y[] = { ++ 0x14, 0xfa, 0x30, 0xf2, 0x5b, 0x79, 0x08, 0x98, 0xad, 0xc8, 0xd7, 0x4e, ++ 0x2c, 0x13, 0xbd, 0xfd, 0xc4, 0x39, 0x7c, 0xe6, 0x1c, 0xff, 0xd3, 0x3a, ++ 0xd7, 0xc2, 0xa0, 0x05, 0x1e, 0x9c, 0x78, 0x87, 0x40, 0x98, 0xa3, 0x6c, ++ 0x73, 0x73, 0xea, 0x4b, 0x62, 0xc7, 0xc9, 0x56, 0x37, 0x20, 0x76, 0x88, ++ 0x24, 0xbc, 0xb6, 0x6e, 0x71, 0x46, 0x3f, 0x69, 0x00 ++ }; ++ unsigned char x_dst[57], buff[114]; ++ ECX_KEY *key; ++ unsigned char *privkey = NULL, *pubkey; ++ EVP_MD_CTX *hashctx = NULL; ++ ++ key = OPENSSL_zalloc(sizeof(*key)); ++ if (key == NULL) { ++ ECerr(EC_F_S390X_PKEY_ECD_KEYGEN448, ERR_R_MALLOC_FAILURE); ++ goto err; ++ } ++ ++ pubkey = key->pubkey; ++ ++ privkey = key->privkey = OPENSSL_secure_malloc(ED448_KEYLEN); ++ if (privkey == NULL) { ++ ECerr(EC_F_S390X_PKEY_ECD_KEYGEN448, ERR_R_MALLOC_FAILURE); ++ goto err; ++ } ++ ++ if (RAND_priv_bytes(privkey, ED448_KEYLEN) <= 0) ++ goto err; ++ ++ hashctx = EVP_MD_CTX_new(); ++ if (hashctx == NULL) ++ goto err; ++ if (EVP_DigestInit_ex(hashctx, EVP_shake256(), NULL) != 1) ++ goto err; ++ if (EVP_DigestUpdate(hashctx, privkey, 57) != 1) ++ goto err; ++ if (EVP_DigestFinalXOF(hashctx, buff, sizeof(buff)) != 1) ++ goto err; ++ ++ buff[0] &= -4; ++ buff[55] |= 0x80; ++ buff[56] = 0; ++ ++ if (s390x_ed448_mul(x_dst, pubkey, ++ generator_x, generator_y, buff) != 1) ++ goto err; ++ ++ pubkey[56] |= ((x_dst[0] & 0x01) << 7); ++ ++ EVP_PKEY_assign(pkey, ctx->pmeth->pkey_id, key); ++ EVP_MD_CTX_free(hashctx); ++ return 1; ++ err: ++ OPENSSL_secure_clear_free(privkey, ED448_KEYLEN); ++ key->privkey = NULL; ++ OPENSSL_free(key); ++ EVP_MD_CTX_free(hashctx); ++ return 0; ++} ++ ++static int s390x_pkey_ecx_derive25519(EVP_PKEY_CTX *ctx, unsigned char *key, ++ size_t *keylen) ++{ ++ const unsigned char *privkey, *pubkey; ++ ++ if (!validate_ecx_derive(ctx, key, keylen, &privkey, &pubkey)) ++ return 0; ++ ++ if (key != NULL) ++ return s390x_x25519_mul(key, pubkey, privkey); ++ ++ *keylen = X25519_KEYLEN; ++ return 1; ++} ++ ++static int s390x_pkey_ecx_derive448(EVP_PKEY_CTX *ctx, unsigned char *key, ++ size_t *keylen) ++{ ++ const unsigned char *privkey, *pubkey; ++ ++ if (!validate_ecx_derive(ctx, key, keylen, &privkey, &pubkey)) ++ return 0; ++ ++ if (key != NULL) ++ return s390x_x448_mul(key, pubkey, privkey); ++ ++ *keylen = X448_KEYLEN; ++ return 1; ++} ++ ++static int s390x_pkey_ecd_digestsign25519(EVP_MD_CTX *ctx, ++ unsigned char *sig, size_t *siglen, ++ const unsigned char *tbs, ++ size_t tbslen) ++{ ++ union { ++ struct { ++ unsigned char sig[64]; ++ unsigned char priv[32]; ++ } ed25519; ++ unsigned long long buff[512]; ++ } param; ++ const ECX_KEY *edkey = EVP_MD_CTX_pkey_ctx(ctx)->pkey->pkey.ecx; ++ int rc; ++ ++ if (sig == NULL) { ++ *siglen = ED25519_SIGSIZE; ++ return 1; ++ } ++ ++ if (*siglen < ED25519_SIGSIZE) { ++ ECerr(EC_F_S390X_PKEY_ECD_DIGESTSIGN25519, EC_R_BUFFER_TOO_SMALL); ++ return 0; ++ } ++ ++ memset(¶m, 0, sizeof(param)); ++ memcpy(param.ed25519.priv, edkey->privkey, sizeof(param.ed25519.priv)); ++ ++ rc = s390x_kdsa(S390X_EDDSA_SIGN_ED25519, ¶m.ed25519, tbs, tbslen); ++ OPENSSL_cleanse(param.ed25519.priv, sizeof(param.ed25519.priv)); ++ if (rc != 0) ++ return 0; ++ ++ s390x_flip_endian32(sig, param.ed25519.sig); ++ s390x_flip_endian32(sig + 32, param.ed25519.sig + 32); ++ ++ *siglen = ED25519_SIGSIZE; ++ return 1; ++} ++ ++static int s390x_pkey_ecd_digestsign448(EVP_MD_CTX *ctx, ++ unsigned char *sig, size_t *siglen, ++ const unsigned char *tbs, ++ size_t tbslen) ++{ ++ union { ++ struct { ++ unsigned char sig[128]; ++ unsigned char priv[64]; ++ } ed448; ++ unsigned long long buff[512]; ++ } param; ++ const ECX_KEY *edkey = EVP_MD_CTX_pkey_ctx(ctx)->pkey->pkey.ecx; ++ int rc; ++ ++ if (sig == NULL) { ++ *siglen = ED448_SIGSIZE; ++ return 1; ++ } ++ ++ if (*siglen < ED448_SIGSIZE) { ++ ECerr(EC_F_S390X_PKEY_ECD_DIGESTSIGN448, EC_R_BUFFER_TOO_SMALL); ++ return 0; ++ } ++ ++ memset(¶m, 0, sizeof(param)); ++ memcpy(param.ed448.priv + 64 - 57, edkey->privkey, 57); ++ ++ rc = s390x_kdsa(S390X_EDDSA_SIGN_ED448, ¶m.ed448, tbs, tbslen); ++ OPENSSL_cleanse(param.ed448.priv, sizeof(param.ed448.priv)); ++ if (rc != 0) ++ return 0; ++ ++ s390x_flip_endian64(param.ed448.sig, param.ed448.sig); ++ s390x_flip_endian64(param.ed448.sig + 64, param.ed448.sig + 64); ++ memcpy(sig, param.ed448.sig, 57); ++ memcpy(sig + 57, param.ed448.sig + 64, 57); ++ ++ *siglen = ED448_SIGSIZE; ++ return 1; ++} ++ ++static int s390x_pkey_ecd_digestverify25519(EVP_MD_CTX *ctx, ++ const unsigned char *sig, ++ size_t siglen, ++ const unsigned char *tbs, ++ size_t tbslen) ++{ ++ union { ++ struct { ++ unsigned char sig[64]; ++ unsigned char pub[32]; ++ } ed25519; ++ unsigned long long buff[512]; ++ } param; ++ const ECX_KEY *edkey = EVP_MD_CTX_pkey_ctx(ctx)->pkey->pkey.ecx; ++ ++ if (siglen != ED25519_SIGSIZE) ++ return 0; ++ ++ memset(¶m, 0, sizeof(param)); ++ s390x_flip_endian32(param.ed25519.sig, sig); ++ s390x_flip_endian32(param.ed25519.sig + 32, sig + 32); ++ s390x_flip_endian32(param.ed25519.pub, edkey->pubkey); ++ ++ return s390x_kdsa(S390X_EDDSA_VERIFY_ED25519, ++ ¶m.ed25519, tbs, tbslen) == 0 ? 1 : 0; ++} ++ ++static int s390x_pkey_ecd_digestverify448(EVP_MD_CTX *ctx, ++ const unsigned char *sig, ++ size_t siglen, ++ const unsigned char *tbs, ++ size_t tbslen) ++{ ++ union { ++ struct { ++ unsigned char sig[128]; ++ unsigned char pub[64]; ++ } ed448; ++ unsigned long long buff[512]; ++ } param; ++ const ECX_KEY *edkey = EVP_MD_CTX_pkey_ctx(ctx)->pkey->pkey.ecx; ++ ++ if (siglen != ED448_SIGSIZE) ++ return 0; ++ ++ memset(¶m, 0, sizeof(param)); ++ memcpy(param.ed448.sig, sig, 57); ++ s390x_flip_endian64(param.ed448.sig, param.ed448.sig); ++ memcpy(param.ed448.sig + 64, sig + 57, 57); ++ s390x_flip_endian64(param.ed448.sig + 64, param.ed448.sig + 64); ++ memcpy(param.ed448.pub, edkey->pubkey, 57); ++ s390x_flip_endian64(param.ed448.pub, param.ed448.pub); ++ ++ return s390x_kdsa(S390X_EDDSA_VERIFY_ED448, ++ ¶m.ed448, tbs, tbslen) == 0 ? 1 : 0; ++} ++ ++static const EVP_PKEY_METHOD ecx25519_s390x_pkey_meth = { ++ EVP_PKEY_X25519, ++ 0, 0, 0, 0, 0, 0, 0, ++ s390x_pkey_ecx_keygen25519, ++ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, ++ s390x_pkey_ecx_derive25519, ++ pkey_ecx_ctrl, ++ 0 ++}; ++ ++static const EVP_PKEY_METHOD ecx448_s390x_pkey_meth = { ++ EVP_PKEY_X448, ++ 0, 0, 0, 0, 0, 0, 0, ++ s390x_pkey_ecx_keygen448, ++ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, ++ s390x_pkey_ecx_derive448, ++ pkey_ecx_ctrl, ++ 0 ++}; ++static const EVP_PKEY_METHOD ed25519_s390x_pkey_meth = { ++ EVP_PKEY_ED25519, EVP_PKEY_FLAG_SIGCTX_CUSTOM, ++ 0, 0, 0, 0, 0, 0, ++ s390x_pkey_ecd_keygen25519, ++ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, ++ pkey_ecd_ctrl, ++ 0, ++ s390x_pkey_ecd_digestsign25519, ++ s390x_pkey_ecd_digestverify25519 ++}; ++ ++static const EVP_PKEY_METHOD ed448_s390x_pkey_meth = { ++ EVP_PKEY_ED448, EVP_PKEY_FLAG_SIGCTX_CUSTOM, ++ 0, 0, 0, 0, 0, 0, ++ s390x_pkey_ecd_keygen448, ++ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, ++ pkey_ecd_ctrl, ++ 0, ++ s390x_pkey_ecd_digestsign448, ++ s390x_pkey_ecd_digestverify448 ++}; ++#endif ++ ++const EVP_PKEY_METHOD *ecx25519_pkey_method(void) ++{ ++#ifdef S390X_EC_ASM ++ if (OPENSSL_s390xcap_P.pcc[1] & S390X_CAPBIT(S390X_SCALAR_MULTIPLY_X25519)) ++ return &ecx25519_s390x_pkey_meth; ++#endif ++ return &ecx25519_pkey_meth; ++} ++ ++const EVP_PKEY_METHOD *ecx448_pkey_method(void) ++{ ++#ifdef S390X_EC_ASM ++ if (OPENSSL_s390xcap_P.pcc[1] & S390X_CAPBIT(S390X_SCALAR_MULTIPLY_X448)) ++ return &ecx448_s390x_pkey_meth; ++#endif ++ return &ecx448_pkey_meth; ++} ++ ++const EVP_PKEY_METHOD *ed25519_pkey_method(void) ++{ ++#ifdef S390X_EC_ASM ++ if (OPENSSL_s390xcap_P.pcc[1] & S390X_CAPBIT(S390X_SCALAR_MULTIPLY_ED25519) ++ && OPENSSL_s390xcap_P.kdsa[0] & S390X_CAPBIT(S390X_EDDSA_SIGN_ED25519) ++ && OPENSSL_s390xcap_P.kdsa[0] ++ & S390X_CAPBIT(S390X_EDDSA_VERIFY_ED25519)) ++ return &ed25519_s390x_pkey_meth; ++#endif ++ return &ed25519_pkey_meth; ++} ++ ++const EVP_PKEY_METHOD *ed448_pkey_method(void) ++{ ++#ifdef S390X_EC_ASM ++ if (OPENSSL_s390xcap_P.pcc[1] & S390X_CAPBIT(S390X_SCALAR_MULTIPLY_ED448) ++ && OPENSSL_s390xcap_P.kdsa[0] & S390X_CAPBIT(S390X_EDDSA_SIGN_ED448) ++ && OPENSSL_s390xcap_P.kdsa[0] & S390X_CAPBIT(S390X_EDDSA_VERIFY_ED448)) ++ return &ed448_s390x_pkey_meth; ++#endif ++ return &ed448_pkey_meth; ++} +diff -up openssl-1.1.1g/crypto/err/openssl.txt.s390x-ecc openssl-1.1.1g/crypto/err/openssl.txt +--- openssl-1.1.1g/crypto/err/openssl.txt.s390x-ecc 2020-05-18 12:45:40.834234079 +0200 ++++ openssl-1.1.1g/crypto/err/openssl.txt 2020-05-18 12:45:44.575266592 +0200 +@@ -496,6 +496,11 @@ EC_F_ECDSA_SIGN_EX:254:ECDSA_sign_ex + EC_F_ECDSA_SIGN_SETUP:248:ECDSA_sign_setup + EC_F_ECDSA_SIG_NEW:265:ECDSA_SIG_new + EC_F_ECDSA_VERIFY:253:ECDSA_verify ++EC_F_ECDSA_SIMPLE_SIGN_SETUP:310:ecdsa_simple_sign_setup ++EC_F_ECDSA_SIMPLE_SIGN_SIG:311:ecdsa_simple_sign_sig ++EC_F_ECDSA_SIMPLE_VERIFY_SIG:312:ecdsa_simple_verify_sig ++EC_F_ECDSA_S390X_NISTP_SIGN_SIG:313:ecdsa_s390x_nistp_sign_sig ++EC_F_ECDSA_S390X_NISTP_VERIFY_SIG:314:ecdsa_s390x_nistp_verify_sig + EC_F_ECD_ITEM_VERIFY:270:ecd_item_verify + EC_F_ECKEY_PARAM2TYPE:223:eckey_param2type + EC_F_ECKEY_PARAM_DECODE:212:eckey_param_decode +@@ -657,6 +662,7 @@ EC_F_NISTP521_PRE_COMP_NEW:237:nistp521_ + EC_F_O2I_ECPUBLICKEY:152:o2i_ECPublicKey + EC_F_OLD_EC_PRIV_DECODE:222:old_ec_priv_decode + EC_F_OSSL_ECDH_COMPUTE_KEY:247:ossl_ecdh_compute_key ++EC_F_OSSL_ECDSA_SIGN_SETUP:300:ossl_ecdsa_sign_setup + EC_F_OSSL_ECDSA_SIGN_SIG:249:ossl_ecdsa_sign_sig + EC_F_OSSL_ECDSA_VERIFY_SIG:250:ossl_ecdsa_verify_sig + EC_F_PKEY_ECD_CTRL:271:pkey_ecd_ctrl +@@ -672,6 +678,12 @@ EC_F_PKEY_EC_KDF_DERIVE:283:pkey_ec_kdf_ + EC_F_PKEY_EC_KEYGEN:199:pkey_ec_keygen + EC_F_PKEY_EC_PARAMGEN:219:pkey_ec_paramgen + EC_F_PKEY_EC_SIGN:218:pkey_ec_sign ++EC_F_S390X_PKEY_ECD_DIGESTSIGN25519:303:s390x_pkey_ecd_digestsign25519 ++EC_F_S390X_PKEY_ECD_DIGESTSIGN448:304:s390x_pkey_ecd_digestsign448 ++EC_F_S390X_PKEY_ECD_KEYGEN25519:305:s390x_pkey_ecd_keygen25519 ++EC_F_S390X_PKEY_ECD_KEYGEN448:306:s390x_pkey_ecd_keygen448 ++EC_F_S390X_PKEY_ECX_KEYGEN25519:307:s390x_pkey_ecx_keygen25519 ++EC_F_S390X_PKEY_ECX_KEYGEN448:308:s390x_pkey_ecx_keygen448 + EC_F_VALIDATE_ECX_DERIVE:278:validate_ecx_derive + ENGINE_F_DIGEST_UPDATE:198:digest_update + ENGINE_F_DYNAMIC_CTRL:180:dynamic_ctrl +@@ -2160,6 +2172,7 @@ EC_R_BUFFER_TOO_SMALL:100:buffer too sma + EC_R_CANNOT_INVERT:165:cannot invert + EC_R_COORDINATES_OUT_OF_RANGE:146:coordinates out of range + EC_R_CURVE_DOES_NOT_SUPPORT_ECDH:160:curve does not support ecdh ++EC_R_CURVE_DOES_NOT_SUPPORT_ECDSA:170:curve does not support ecdsa + EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING:159:curve does not support signing + EC_R_D2I_ECPKPARAMETERS_FAILURE:117:d2i ecpkparameters failure + EC_R_DECODE_ERROR:142:decode error +diff -up openssl-1.1.1g/crypto/evp/pmeth_lib.c.s390x-ecc openssl-1.1.1g/crypto/evp/pmeth_lib.c +--- openssl-1.1.1g/crypto/evp/pmeth_lib.c.s390x-ecc 2020-05-18 12:45:40.787233671 +0200 ++++ openssl-1.1.1g/crypto/evp/pmeth_lib.c 2020-05-18 12:45:44.576266601 +0200 +@@ -17,60 +17,67 @@ + #include "crypto/evp.h" + #include "internal/numbers.h" + ++typedef const EVP_PKEY_METHOD *(*pmeth_fn)(void); + typedef int sk_cmp_fn_type(const char *const *a, const char *const *b); + + static STACK_OF(EVP_PKEY_METHOD) *app_pkey_methods = NULL; + + /* This array needs to be in order of NIDs */ +-static const EVP_PKEY_METHOD *standard_methods[] = { ++static pmeth_fn standard_methods[] = { + #ifndef OPENSSL_NO_RSA +- &rsa_pkey_meth, ++ rsa_pkey_method, + #endif + #ifndef OPENSSL_NO_DH +- &dh_pkey_meth, ++ dh_pkey_method, + #endif + #ifndef OPENSSL_NO_DSA +- &dsa_pkey_meth, ++ dsa_pkey_method, + #endif + #ifndef OPENSSL_NO_EC +- &ec_pkey_meth, ++ ec_pkey_method, + #endif +- &hmac_pkey_meth, ++ hmac_pkey_method, + #ifndef OPENSSL_NO_CMAC +- &cmac_pkey_meth, ++ cmac_pkey_method, + #endif + #ifndef OPENSSL_NO_RSA +- &rsa_pss_pkey_meth, ++ rsa_pss_pkey_method, + #endif + #ifndef OPENSSL_NO_DH +- &dhx_pkey_meth, ++ dhx_pkey_method, + #endif + #ifndef OPENSSL_NO_SCRYPT +- &scrypt_pkey_meth, ++ scrypt_pkey_method, + #endif +- &tls1_prf_pkey_meth, ++ tls1_prf_pkey_method, + #ifndef OPENSSL_NO_EC +- &ecx25519_pkey_meth, +- &ecx448_pkey_meth, ++ ecx25519_pkey_method, ++ ecx448_pkey_method, + #endif +- &hkdf_pkey_meth, ++ hkdf_pkey_method, + #ifndef OPENSSL_NO_POLY1305 +- &poly1305_pkey_meth, ++ poly1305_pkey_method, + #endif + #ifndef OPENSSL_NO_SIPHASH +- &siphash_pkey_meth, ++ siphash_pkey_method, + #endif + #ifndef OPENSSL_NO_EC +- &ed25519_pkey_meth, +- &ed448_pkey_meth, ++ ed25519_pkey_method, ++ ed448_pkey_method, + #endif + #ifndef OPENSSL_NO_SM2 +- &sm2_pkey_meth, ++ sm2_pkey_method, + #endif + }; + +-DECLARE_OBJ_BSEARCH_CMP_FN(const EVP_PKEY_METHOD *, const EVP_PKEY_METHOD *, +- pmeth); ++DECLARE_OBJ_BSEARCH_CMP_FN(const EVP_PKEY_METHOD *, pmeth_fn, pmeth_func); ++ ++static int pmeth_func_cmp(const EVP_PKEY_METHOD *const *a, pmeth_fn const *b) ++{ ++ return ((*a)->pkey_id - ((**b)())->pkey_id); ++} ++ ++IMPLEMENT_OBJ_BSEARCH_CMP_FN(const EVP_PKEY_METHOD *, pmeth_fn, pmeth_func); + + static int pmeth_cmp(const EVP_PKEY_METHOD *const *a, + const EVP_PKEY_METHOD *const *b) +@@ -78,13 +85,11 @@ static int pmeth_cmp(const EVP_PKEY_METH + return ((*a)->pkey_id - (*b)->pkey_id); + } + +-IMPLEMENT_OBJ_BSEARCH_CMP_FN(const EVP_PKEY_METHOD *, const EVP_PKEY_METHOD *, +- pmeth); +- + const EVP_PKEY_METHOD *EVP_PKEY_meth_find(int type) + { ++ pmeth_fn *ret; + EVP_PKEY_METHOD tmp; +- const EVP_PKEY_METHOD *t = &tmp, **ret; ++ const EVP_PKEY_METHOD *t = &tmp; + tmp.pkey_id = type; + if (app_pkey_methods) { + int idx; +@@ -92,12 +97,12 @@ const EVP_PKEY_METHOD *EVP_PKEY_meth_fin + if (idx >= 0) + return sk_EVP_PKEY_METHOD_value(app_pkey_methods, idx); + } +- ret = OBJ_bsearch_pmeth(&t, standard_methods, +- sizeof(standard_methods) / +- sizeof(EVP_PKEY_METHOD *)); ++ ret = OBJ_bsearch_pmeth_func(&t, standard_methods, ++ sizeof(standard_methods) / ++ sizeof(pmeth_fn)); + if (!ret || !*ret) + return NULL; +- return *ret; ++ return (**ret)(); + } + + static EVP_PKEY_CTX *int_ctx_new(EVP_PKEY *pkey, ENGINE *e, int id) +@@ -348,7 +353,7 @@ size_t EVP_PKEY_meth_get_count(void) + const EVP_PKEY_METHOD *EVP_PKEY_meth_get0(size_t idx) + { + if (idx < OSSL_NELEM(standard_methods)) +- return standard_methods[idx]; ++ return (standard_methods[idx])(); + if (app_pkey_methods == NULL) + return NULL; + idx -= OSSL_NELEM(standard_methods); +diff -up openssl-1.1.1g/crypto/hmac/hm_pmeth.c.s390x-ecc openssl-1.1.1g/crypto/hmac/hm_pmeth.c +--- openssl-1.1.1g/crypto/hmac/hm_pmeth.c.s390x-ecc 2020-05-18 12:45:40.796233749 +0200 ++++ openssl-1.1.1g/crypto/hmac/hm_pmeth.c 2020-05-18 12:45:44.576266601 +0200 +@@ -210,3 +210,8 @@ const EVP_PKEY_METHOD hmac_pkey_meth = { + pkey_hmac_ctrl, + pkey_hmac_ctrl_str + }; ++ ++const EVP_PKEY_METHOD *hmac_pkey_method(void) ++{ ++ return &hmac_pkey_meth; ++} +diff -up openssl-1.1.1g/crypto/kdf/hkdf.c.s390x-ecc openssl-1.1.1g/crypto/kdf/hkdf.c +--- openssl-1.1.1g/crypto/kdf/hkdf.c.s390x-ecc 2020-05-18 12:45:40.826234009 +0200 ++++ openssl-1.1.1g/crypto/kdf/hkdf.c 2020-05-18 12:45:44.577266609 +0200 +@@ -233,6 +233,11 @@ const EVP_KDF_METHOD hkdf_kdf_meth = { + kdf_hkdf_derive + }; + ++const EVP_PKEY_METHOD *hkdf_pkey_method(void) ++{ ++ return &hkdf_pkey_meth; ++} ++ + static int HKDF(const EVP_MD *evp_md, + const unsigned char *salt, size_t salt_len, + const unsigned char *key, size_t key_len, +diff -up openssl-1.1.1g/crypto/kdf/scrypt.c.s390x-ecc openssl-1.1.1g/crypto/kdf/scrypt.c +--- openssl-1.1.1g/crypto/kdf/scrypt.c.s390x-ecc 2020-05-18 12:45:40.827234018 +0200 ++++ openssl-1.1.1g/crypto/kdf/scrypt.c 2020-05-18 12:45:44.578266618 +0200 +@@ -504,4 +504,9 @@ static int scrypt_alg(const char *pass, + return rv; + } + ++const EVP_PKEY_METHOD *scrypt_pkey_method(void) ++{ ++ return &scrypt_pkey_meth; ++} ++ + #endif +diff -up openssl-1.1.1g/crypto/kdf/tls1_prf.c.s390x-ecc openssl-1.1.1g/crypto/kdf/tls1_prf.c +--- openssl-1.1.1g/crypto/kdf/tls1_prf.c.s390x-ecc 2020-05-18 12:45:40.828234027 +0200 ++++ openssl-1.1.1g/crypto/kdf/tls1_prf.c 2020-05-18 12:45:44.578266618 +0200 +@@ -168,6 +168,11 @@ const EVP_KDF_METHOD tls1_prf_kdf_meth = + kdf_tls1_prf_derive + }; + ++const EVP_PKEY_METHOD *tls1_prf_pkey_method(void) ++{ ++ return &tls1_prf_pkey_meth; ++} ++ + static int tls1_prf_P_hash(const EVP_MD *md, + const unsigned char *sec, size_t sec_len, + const unsigned char *seed, size_t seed_len, +diff -up openssl-1.1.1g/crypto/poly1305/poly1305_pmeth.c.s390x-ecc openssl-1.1.1g/crypto/poly1305/poly1305_pmeth.c +--- openssl-1.1.1g/crypto/poly1305/poly1305_pmeth.c.s390x-ecc 2020-04-21 14:22:39.000000000 +0200 ++++ openssl-1.1.1g/crypto/poly1305/poly1305_pmeth.c 2020-05-18 12:45:44.579266627 +0200 +@@ -192,3 +192,8 @@ const EVP_PKEY_METHOD poly1305_pkey_meth + pkey_poly1305_ctrl, + pkey_poly1305_ctrl_str + }; ++ ++const EVP_PKEY_METHOD *poly1305_pkey_method(void) ++{ ++ return &poly1305_pkey_meth; ++} +diff -up openssl-1.1.1g/crypto/rsa/rsa_pmeth.c.s390x-ecc openssl-1.1.1g/crypto/rsa/rsa_pmeth.c +--- openssl-1.1.1g/crypto/rsa/rsa_pmeth.c.s390x-ecc 2020-05-18 12:45:40.798233766 +0200 ++++ openssl-1.1.1g/crypto/rsa/rsa_pmeth.c 2020-05-18 12:45:44.580266635 +0200 +@@ -789,6 +789,11 @@ const EVP_PKEY_METHOD rsa_pkey_meth = { + pkey_rsa_ctrl_str + }; + ++const EVP_PKEY_METHOD *rsa_pkey_method(void) ++{ ++ return &rsa_pkey_meth; ++} ++ + /* + * Called for PSS sign or verify initialisation: checks PSS parameter + * sanity and sets any restrictions on key usage. +@@ -859,3 +864,8 @@ const EVP_PKEY_METHOD rsa_pss_pkey_meth + pkey_rsa_ctrl, + pkey_rsa_ctrl_str + }; ++ ++const EVP_PKEY_METHOD *rsa_pss_pkey_method(void) ++{ ++ return &rsa_pss_pkey_meth; ++} +diff -up openssl-1.1.1g/crypto/s390x_arch.h.s390x-ecc openssl-1.1.1g/crypto/s390x_arch.h +--- openssl-1.1.1g/crypto/s390x_arch.h.s390x-ecc 2020-05-18 12:45:40.603232072 +0200 ++++ openssl-1.1.1g/crypto/s390x_arch.h 2020-05-18 12:45:44.580266635 +0200 +@@ -26,6 +26,12 @@ void s390x_kmf(const unsigned char *in, + unsigned int fc, void *param); + void s390x_kma(const unsigned char *aad, size_t alen, const unsigned char *in, + size_t len, unsigned char *out, unsigned int fc, void *param); ++int s390x_pcc(unsigned int fc, void *param); ++int s390x_kdsa(unsigned int fc, void *param, const unsigned char *in, ++ size_t len); ++ ++void s390x_flip_endian32(unsigned char dst[32], const unsigned char src[32]); ++void s390x_flip_endian64(unsigned char dst[64], const unsigned char src[64]); + + /* + * The field elements of OPENSSL_s390xcap_P are the 64-bit words returned by +@@ -45,6 +51,8 @@ struct OPENSSL_s390xcap_st { + unsigned long long kmf[2]; + unsigned long long prno[2]; + unsigned long long kma[2]; ++ unsigned long long pcc[2]; ++ unsigned long long kdsa[2]; + }; + + extern struct OPENSSL_s390xcap_st OPENSSL_s390xcap_P; +@@ -66,11 +74,14 @@ extern struct OPENSSL_s390xcap_st OPENSS + # define S390X_KMF 0x90 + # define S390X_PRNO 0xa0 + # define S390X_KMA 0xb0 ++# define S390X_PCC 0xc0 ++# define S390X_KDSA 0xd0 + + /* Facility Bit Numbers */ + # define S390X_VX 129 + # define S390X_VXD 134 + # define S390X_VXE 135 ++# define S390X_MSA9 155 /* message-security-assist-ext. 9 */ + + /* Function Codes */ + +@@ -94,10 +105,32 @@ extern struct OPENSSL_s390xcap_st OPENSS + /* prno */ + # define S390X_TRNG 114 + ++/* pcc */ ++# define S390X_SCALAR_MULTIPLY_P256 64 ++# define S390X_SCALAR_MULTIPLY_P384 65 ++# define S390X_SCALAR_MULTIPLY_P521 66 ++# define S390X_SCALAR_MULTIPLY_ED25519 72 ++# define S390X_SCALAR_MULTIPLY_ED448 73 ++# define S390X_SCALAR_MULTIPLY_X25519 80 ++# define S390X_SCALAR_MULTIPLY_X448 81 ++ ++/* kdsa */ ++# define S390X_ECDSA_VERIFY_P256 1 ++# define S390X_ECDSA_VERIFY_P384 2 ++# define S390X_ECDSA_VERIFY_P521 3 ++# define S390X_ECDSA_SIGN_P256 9 ++# define S390X_ECDSA_SIGN_P384 10 ++# define S390X_ECDSA_SIGN_P521 11 ++# define S390X_EDDSA_VERIFY_ED25519 32 ++# define S390X_EDDSA_VERIFY_ED448 36 ++# define S390X_EDDSA_SIGN_ED25519 40 ++# define S390X_EDDSA_SIGN_ED448 44 ++ + /* Register 0 Flags */ + # define S390X_DECRYPT 0x80 + # define S390X_KMA_LPC 0x100 + # define S390X_KMA_LAAD 0x200 + # define S390X_KMA_HS 0x400 ++# define S390X_KDSA_D 0x80 + + #endif +diff -up openssl-1.1.1g/crypto/s390xcpuid.pl.s390x-ecc openssl-1.1.1g/crypto/s390xcpuid.pl +--- openssl-1.1.1g/crypto/s390xcpuid.pl.s390x-ecc 2020-04-21 14:22:39.000000000 +0200 ++++ openssl-1.1.1g/crypto/s390xcpuid.pl 2020-05-18 12:45:44.581266644 +0200 +@@ -58,6 +58,10 @@ OPENSSL_s390x_facilities: + stg %r0,S390X_PRNO+8(%r4) + stg %r0,S390X_KMA(%r4) + stg %r0,S390X_KMA+8(%r4) ++ stg %r0,S390X_PCC(%r4) ++ stg %r0,S390X_PCC+8(%r4) ++ stg %r0,S390X_KDSA(%r4) ++ stg %r0,S390X_KDSA+8(%r4) + + .long 0xb2b04000 # stfle 0(%r4) + brc 8,.Ldone +@@ -68,6 +72,7 @@ OPENSSL_s390x_facilities: + .long 0xb2b04000 # stfle 0(%r4) + .Ldone: + lmg %r2,%r3,S390X_STFLE(%r4) ++ + tmhl %r2,0x4000 # check for message-security-assist + jz .Lret + +@@ -91,6 +96,13 @@ OPENSSL_s390x_facilities: + la %r1,S390X_KMAC(%r4) + .long 0xb91e0042 # kmac %r4,%r2 + ++ tmhh %r3,0x0008 # check for message-security-assist-3 ++ jz .Lret ++ ++ lghi %r0,S390X_QUERY # query pcc capability vector ++ la %r1,S390X_PCC(%r4) ++ .long 0xb92c0000 # pcc ++ + tmhh %r3,0x0004 # check for message-security-assist-4 + jz .Lret + +@@ -114,6 +126,7 @@ OPENSSL_s390x_facilities: + .long 0xb93c0042 # prno %r4,%r2 + + lg %r2,S390X_STFLE+16(%r4) ++ + tmhl %r2,0x2000 # check for message-security-assist-8 + jz .Lret + +@@ -121,6 +134,13 @@ OPENSSL_s390x_facilities: + la %r1,S390X_KMA(%r4) + .long 0xb9294022 # kma %r2,%r4,%r2 + ++ tmhl %r2,0x0010 # check for message-security-assist-9 ++ jz .Lret ++ ++ lghi %r0,S390X_QUERY # query kdsa capability vector ++ la %r1,S390X_KDSA(%r4) ++ .long 0xb93a0002 # kdsa %r0,%r2 ++ + .Lret: + br $ra + .size OPENSSL_s390x_facilities,.-OPENSSL_s390x_facilities +@@ -411,6 +431,113 @@ s390x_kma: + ___ + } + ++################ ++# int s390x_pcc(unsigned int fc, void *param) ++{ ++my ($fc,$param) = map("%r$_",(2..3)); ++$code.=<<___; ++.globl s390x_pcc ++.type s390x_pcc,\@function ++.align 16 ++s390x_pcc: ++ lr %r0,$fc ++ l${g}r %r1,$param ++ lhi %r2,0 ++ ++ .long 0xb92c0000 # pcc ++ brc 1,.-4 # pay attention to "partial completion" ++ brc 7,.Lpcc_err # if CC==0 return 0, else return 1 ++.Lpcc_out: ++ br $ra ++.Lpcc_err: ++ lhi %r2,1 ++ j .Lpcc_out ++.size s390x_pcc,.-s390x_pcc ++___ ++} ++ ++################ ++# int s390x_kdsa(unsigned int fc, void *param, ++# const unsigned char *in, size_t len) ++{ ++my ($fc,$param,$in,$len) = map("%r$_",(2..5)); ++$code.=<<___; ++.globl s390x_kdsa ++.type s390x_kdsa,\@function ++.align 16 ++s390x_kdsa: ++ lr %r0,$fc ++ l${g}r %r1,$param ++ lhi %r2,0 ++ ++ .long 0xb93a0004 # kdsa %r0,$in ++ brc 1,.-4 # pay attention to "partial completion" ++ brc 7,.Lkdsa_err # if CC==0 return 0, else return 1 ++.Lkdsa_out: ++ br $ra ++.Lkdsa_err: ++ lhi %r2,1 ++ j .Lkdsa_out ++.size s390x_kdsa,.-s390x_kdsa ++___ ++} ++ ++################ ++# void s390x_flip_endian32(unsigned char dst[32], const unsigned char src[32]) ++{ ++my ($dst,$src) = map("%r$_",(2..3)); ++$code.=<<___; ++.globl s390x_flip_endian32 ++.type s390x_flip_endian32,\@function ++.align 16 ++s390x_flip_endian32: ++ lrvg %r0,0(%r0,$src) ++ lrvg %r1,8(%r0,$src) ++ lrvg %r4,16(%r0,$src) ++ lrvg %r5,24(%r0,$src) ++ stg %r0,24(%r0,$dst) ++ stg %r1,16(%r0,$dst) ++ stg %r4,8(%r0,$dst) ++ stg %r5,0(%r0,$dst) ++ br $ra ++.size s390x_flip_endian32,.-s390x_flip_endian32 ++___ ++} ++ ++################ ++# void s390x_flip_endian64(unsigned char dst[64], const unsigned char src[64]) ++{ ++my ($dst,$src) = map("%r$_",(2..3)); ++$code.=<<___; ++.globl s390x_flip_endian64 ++.type s390x_flip_endian64,\@function ++.align 16 ++s390x_flip_endian64: ++ stmg %r6,%r9,6*$SIZE_T($sp) ++ ++ lrvg %r0,0(%r0,$src) ++ lrvg %r1,8(%r0,$src) ++ lrvg %r4,16(%r0,$src) ++ lrvg %r5,24(%r0,$src) ++ lrvg %r6,32(%r0,$src) ++ lrvg %r7,40(%r0,$src) ++ lrvg %r8,48(%r0,$src) ++ lrvg %r9,56(%r0,$src) ++ stg %r0,56(%r0,$dst) ++ stg %r1,48(%r0,$dst) ++ stg %r4,40(%r0,$dst) ++ stg %r5,32(%r0,$dst) ++ stg %r6,24(%r0,$dst) ++ stg %r7,16(%r0,$dst) ++ stg %r8,8(%r0,$dst) ++ stg %r9,0(%r0,$dst) ++ ++ lmg %r6,%r9,6*$SIZE_T($sp) ++ br $ra ++.size s390x_flip_endian64,.-s390x_flip_endian64 ++___ ++} ++ + $code.=<<___; + .section .init + brasl $ra,OPENSSL_cpuid_setup +diff -up openssl-1.1.1g/crypto/siphash/siphash_pmeth.c.s390x-ecc openssl-1.1.1g/crypto/siphash/siphash_pmeth.c +--- openssl-1.1.1g/crypto/siphash/siphash_pmeth.c.s390x-ecc 2020-04-21 14:22:39.000000000 +0200 ++++ openssl-1.1.1g/crypto/siphash/siphash_pmeth.c 2020-05-18 12:45:44.581266644 +0200 +@@ -203,3 +203,8 @@ const EVP_PKEY_METHOD siphash_pkey_meth + pkey_siphash_ctrl, + pkey_siphash_ctrl_str + }; ++ ++const EVP_PKEY_METHOD *siphash_pkey_method(void) ++{ ++ return &siphash_pkey_meth; ++} +diff -up openssl-1.1.1g/crypto/sm2/sm2_pmeth.c.s390x-ecc openssl-1.1.1g/crypto/sm2/sm2_pmeth.c +--- openssl-1.1.1g/crypto/sm2/sm2_pmeth.c.s390x-ecc 2020-04-21 14:22:39.000000000 +0200 ++++ openssl-1.1.1g/crypto/sm2/sm2_pmeth.c 2020-05-18 12:45:44.582266653 +0200 +@@ -327,3 +327,8 @@ const EVP_PKEY_METHOD sm2_pkey_meth = { + + pkey_sm2_digest_custom + }; ++ ++const EVP_PKEY_METHOD *sm2_pkey_method(void) ++{ ++ return &sm2_pkey_meth; ++} +diff -up openssl-1.1.1g/include/crypto/evp.h.s390x-ecc openssl-1.1.1g/include/crypto/evp.h +--- openssl-1.1.1g/include/crypto/evp.h.s390x-ecc 2020-05-18 12:45:40.834234079 +0200 ++++ openssl-1.1.1g/include/crypto/evp.h 2020-05-18 12:45:44.577266609 +0200 +@@ -459,3 +459,22 @@ void evp_encode_ctx_set_flags(EVP_ENCODE + #define EVP_ENCODE_CTX_NO_NEWLINES 1 + /* Use the SRP base64 alphabet instead of the standard one */ + #define EVP_ENCODE_CTX_USE_SRP_ALPHABET 2 ++ ++const EVP_PKEY_METHOD *cmac_pkey_method(void); ++const EVP_PKEY_METHOD *dh_pkey_method(void); ++const EVP_PKEY_METHOD *dhx_pkey_method(void); ++const EVP_PKEY_METHOD *dsa_pkey_method(void); ++const EVP_PKEY_METHOD *ec_pkey_method(void); ++const EVP_PKEY_METHOD *sm2_pkey_method(void); ++const EVP_PKEY_METHOD *ecx25519_pkey_method(void); ++const EVP_PKEY_METHOD *ecx448_pkey_method(void); ++const EVP_PKEY_METHOD *ed25519_pkey_method(void); ++const EVP_PKEY_METHOD *ed448_pkey_method(void); ++const EVP_PKEY_METHOD *hmac_pkey_method(void); ++const EVP_PKEY_METHOD *rsa_pkey_method(void); ++const EVP_PKEY_METHOD *rsa_pss_pkey_method(void); ++const EVP_PKEY_METHOD *scrypt_pkey_method(void); ++const EVP_PKEY_METHOD *tls1_prf_pkey_method(void); ++const EVP_PKEY_METHOD *hkdf_pkey_method(void); ++const EVP_PKEY_METHOD *poly1305_pkey_method(void); ++const EVP_PKEY_METHOD *siphash_pkey_method(void); +diff -up openssl-1.1.1g/include/internal/constant_time.h.s390x-ecc openssl-1.1.1g/include/internal/constant_time.h +--- openssl-1.1.1g/include/internal/constant_time.h.s390x-ecc 2020-04-21 14:22:39.000000000 +0200 ++++ openssl-1.1.1g/include/internal/constant_time.h 2020-05-18 12:45:44.582266653 +0200 +@@ -353,6 +353,34 @@ static ossl_inline void constant_time_co + } + + /* ++ * mask must be 0xFF or 0x00. ++ * "constant time" is per len. ++ * ++ * if (mask) { ++ * unsigned char tmp[len]; ++ * ++ * memcpy(tmp, a, len); ++ * memcpy(a, b); ++ * memcpy(b, tmp); ++ * } ++ */ ++static ossl_inline void constant_time_cond_swap_buff(unsigned char mask, ++ unsigned char *a, ++ unsigned char *b, ++ size_t len) ++{ ++ size_t i; ++ unsigned char tmp; ++ ++ for (i = 0; i < len; i++) { ++ tmp = a[i] ^ b[i]; ++ tmp &= mask; ++ a[i] ^= tmp; ++ b[i] ^= tmp; ++ } ++} ++ ++/* + * table is a two dimensional array of bytes. Each row has rowsize elements. + * Copies row number idx into out. rowsize and numrows are not considered + * private. +diff -up openssl-1.1.1g/include/openssl/ecerr.h.s390x-ecc openssl-1.1.1g/include/openssl/ecerr.h +--- openssl-1.1.1g/include/openssl/ecerr.h.s390x-ecc 2020-04-21 14:22:39.000000000 +0200 ++++ openssl-1.1.1g/include/openssl/ecerr.h 2020-05-18 12:45:44.583266662 +0200 +@@ -42,6 +42,11 @@ int ERR_load_EC_strings(void); + # define EC_F_ECDSA_SIGN_SETUP 248 + # define EC_F_ECDSA_SIG_NEW 265 + # define EC_F_ECDSA_VERIFY 253 ++# define EC_F_ECDSA_SIMPLE_SIGN_SETUP 310 ++# define EC_F_ECDSA_SIMPLE_SIGN_SIG 311 ++# define EC_F_ECDSA_SIMPLE_VERIFY_SIG 312 ++# define EC_F_ECDSA_S390X_NISTP_SIGN_SIG 313 ++# define EC_F_ECDSA_S390X_NISTP_VERIFY_SIG 314 + # define EC_F_ECD_ITEM_VERIFY 270 + # define EC_F_ECKEY_PARAM2TYPE 223 + # define EC_F_ECKEY_PARAM_DECODE 212 +@@ -185,6 +190,7 @@ int ERR_load_EC_strings(void); + # define EC_F_O2I_ECPUBLICKEY 152 + # define EC_F_OLD_EC_PRIV_DECODE 222 + # define EC_F_OSSL_ECDH_COMPUTE_KEY 247 ++# define EC_F_OSSL_ECDSA_SIGN_SETUP 300 + # define EC_F_OSSL_ECDSA_SIGN_SIG 249 + # define EC_F_OSSL_ECDSA_VERIFY_SIG 250 + # define EC_F_PKEY_ECD_CTRL 271 +@@ -200,6 +206,12 @@ int ERR_load_EC_strings(void); + # define EC_F_PKEY_EC_KEYGEN 199 + # define EC_F_PKEY_EC_PARAMGEN 219 + # define EC_F_PKEY_EC_SIGN 218 ++# define EC_F_S390X_PKEY_ECD_DIGESTSIGN25519 320 ++# define EC_F_S390X_PKEY_ECD_DIGESTSIGN448 321 ++# define EC_F_S390X_PKEY_ECD_KEYGEN25519 322 ++# define EC_F_S390X_PKEY_ECD_KEYGEN448 323 ++# define EC_F_S390X_PKEY_ECX_KEYGEN25519 324 ++# define EC_F_S390X_PKEY_ECX_KEYGEN448 325 + # define EC_F_VALIDATE_ECX_DERIVE 278 + + /* +@@ -212,6 +224,7 @@ int ERR_load_EC_strings(void); + # define EC_R_CANNOT_INVERT 165 + # define EC_R_COORDINATES_OUT_OF_RANGE 146 + # define EC_R_CURVE_DOES_NOT_SUPPORT_ECDH 160 ++# define EC_R_CURVE_DOES_NOT_SUPPORT_ECDSA 170 + # define EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING 159 + # define EC_R_D2I_ECPKPARAMETERS_FAILURE 117 + # define EC_R_DECODE_ERROR 142 +diff -up openssl-1.1.1g/test/recipes/30-test_evp_data/evppkey.txt.s390x-ecc openssl-1.1.1g/test/recipes/30-test_evp_data/evppkey.txt +--- openssl-1.1.1g/test/recipes/30-test_evp_data/evppkey.txt.s390x-ecc 2020-04-21 14:22:39.000000000 +0200 ++++ openssl-1.1.1g/test/recipes/30-test_evp_data/evppkey.txt 2020-05-18 12:45:44.590266722 +0200 +@@ -814,6 +814,8 @@ PublicKeyRaw=Bob-448-PUBLIC-Raw:X448:3eb + + PrivPubKeyPair = Bob-448-Raw:Bob-448-PUBLIC-Raw + ++PublicKeyRaw=Bob-448-PUBLIC-Raw-NonCanonical:X448:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff ++ + Derive=Alice-448 + PeerKey=Bob-448-PUBLIC + SharedSecret=07fff4181ac6cc95ec1c16a94a0f74d12da232ce40a77552281d282bb60c0b56fd2464c335543936521c24403085d59a449a5037514a879d +@@ -830,6 +832,11 @@ Derive=Bob-448-Raw + PeerKey=Alice-448-PUBLIC-Raw + SharedSecret=07fff4181ac6cc95ec1c16a94a0f74d12da232ce40a77552281d282bb60c0b56fd2464c335543936521c24403085d59a449a5037514a879d + ++# Self-generated non-canonical ++Derive=Alice-448-Raw ++PeerKey=Bob-448-PUBLIC-Raw-NonCanonical ++SharedSecret=66e2e682b1f8e68c809f1bb3e406bd826921d9c1a5bfbfcbab7ae72feecee63660eabd54934f3382061d17607f581a90bdac917a064959fb ++ + # Illegal sign/verify operations with X448 key + + Sign=Alice-448 diff --git a/openssl-1.1.1-s390x-update.patch b/openssl-1.1.1-s390x-update.patch index f46c1a5..83061af 100644 --- a/openssl-1.1.1-s390x-update.patch +++ b/openssl-1.1.1-s390x-update.patch @@ -1,13 +1,6 @@ -diff -up openssl-1.1.1b/crypto/chacha/asm/chacha-s390x.pl.s390x-update openssl-1.1.1b/crypto/chacha/asm/chacha-s390x.pl ---- openssl-1.1.1b/crypto/chacha/asm/chacha-s390x.pl.s390x-update 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/chacha/asm/chacha-s390x.pl 2019-05-06 10:54:00.035367605 +0200 -@@ -1,5 +1,5 @@ - #! /usr/bin/env perl --# Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. -+# Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved. - # - # Licensed under the OpenSSL license (the "License"). You may not use - # this file except in compliance with the License. You can obtain a copy +diff -up openssl-1.1.1e/crypto/chacha/asm/chacha-s390x.pl.s390x-update openssl-1.1.1e/crypto/chacha/asm/chacha-s390x.pl +--- openssl-1.1.1e/crypto/chacha/asm/chacha-s390x.pl.s390x-update 2020-03-17 15:31:17.000000000 +0100 ++++ openssl-1.1.1e/crypto/chacha/asm/chacha-s390x.pl 2020-03-19 16:45:05.483440129 +0100 @@ -20,41 +20,53 @@ # # 3 times faster than compiler-generated code. @@ -472,7 +465,7 @@ diff -up openssl-1.1.1b/crypto/chacha/asm/chacha-s390x.pl.s390x-update openssl-1 + vsldb (@b[$_],@b[$_],@b[$_],$odd?12:4) for (0..5); + vsldb (@d[$_],@d[$_],@d[$_],$odd?4:12) for (0..5); } --close STDOUT; +-close STDOUT or die "error closing STDOUT: $!"; + +PERLASM_BEGIN($output); + @@ -1290,9 +1283,9 @@ diff -up openssl-1.1.1b/crypto/chacha/asm/chacha-s390x.pl.s390x-update openssl-1 +ALIGN (4); + +PERLASM_END(); -diff -up openssl-1.1.1b/crypto/perlasm/s390x.pm.s390x-update openssl-1.1.1b/crypto/perlasm/s390x.pm ---- openssl-1.1.1b/crypto/perlasm/s390x.pm.s390x-update 2019-05-06 10:54:00.037367571 +0200 -+++ openssl-1.1.1b/crypto/perlasm/s390x.pm 2019-05-06 10:54:00.038367554 +0200 +diff -up openssl-1.1.1e/crypto/perlasm/s390x.pm.s390x-update openssl-1.1.1e/crypto/perlasm/s390x.pm +--- openssl-1.1.1e/crypto/perlasm/s390x.pm.s390x-update 2020-03-19 16:20:22.039227394 +0100 ++++ openssl-1.1.1e/crypto/perlasm/s390x.pm 2020-03-19 16:20:22.039227394 +0100 @@ -0,0 +1,3060 @@ +#!/usr/bin/env perl +# Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. @@ -4354,9 +4347,9 @@ diff -up openssl-1.1.1b/crypto/perlasm/s390x.pm.s390x-update openssl-1.1.1b/cryp +} + +1; -diff -up openssl-1.1.1b/crypto/poly1305/asm/poly1305-s390x.pl.s390x-update openssl-1.1.1b/crypto/poly1305/asm/poly1305-s390x.pl ---- openssl-1.1.1b/crypto/poly1305/asm/poly1305-s390x.pl.s390x-update 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/poly1305/asm/poly1305-s390x.pl 2019-05-06 10:54:00.036367588 +0200 +diff -up openssl-1.1.1e/crypto/poly1305/asm/poly1305-s390x.pl.s390x-update openssl-1.1.1e/crypto/poly1305/asm/poly1305-s390x.pl +--- openssl-1.1.1e/crypto/poly1305/asm/poly1305-s390x.pl.s390x-update 2020-03-19 16:20:22.041227359 +0100 ++++ openssl-1.1.1e/crypto/poly1305/asm/poly1305-s390x.pl 2020-03-19 16:23:22.364098257 +0100 @@ -24,204 +24,961 @@ # # On side note, z13 enables vector base 2^26 implementation... @@ -5494,11 +5487,11 @@ diff -up openssl-1.1.1b/crypto/poly1305/asm/poly1305-s390x.pl.s390x-update opens +STRING ("\"Poly1305 for s390x, CRYPTOGAMS by \""); -print $code; --close STDOUT; +-close STDOUT or die "error closing STDOUT: $!"; +PERLASM_END(); -diff -up openssl-1.1.1b/crypto/poly1305/build.info.s390x-update openssl-1.1.1b/crypto/poly1305/build.info ---- openssl-1.1.1b/crypto/poly1305/build.info.s390x-update 2019-05-06 10:54:00.036367588 +0200 -+++ openssl-1.1.1b/crypto/poly1305/build.info 2019-05-06 10:56:14.964105164 +0200 +diff -up openssl-1.1.1e/crypto/poly1305/build.info.s390x-update openssl-1.1.1e/crypto/poly1305/build.info +--- openssl-1.1.1e/crypto/poly1305/build.info.s390x-update 2020-03-17 15:31:17.000000000 +0100 ++++ openssl-1.1.1e/crypto/poly1305/build.info 2020-03-19 16:20:22.042227342 +0100 @@ -18,6 +18,7 @@ INCLUDE[poly1305-armv8.o]=.. GENERATE[poly1305-mips.S]=asm/poly1305-mips.pl $(PERLASM_SCHEME) INCLUDE[poly1305-mips.o]=.. diff --git a/openssl-1.1.1-seclevel.patch b/openssl-1.1.1-seclevel.patch index fe6c6bb..c6751a5 100644 --- a/openssl-1.1.1-seclevel.patch +++ b/openssl-1.1.1-seclevel.patch @@ -1,7 +1,7 @@ -diff -up openssl-1.1.1/crypto/x509/x509_vfy.c.seclevel openssl-1.1.1/crypto/x509/x509_vfy.c ---- openssl-1.1.1/crypto/x509/x509_vfy.c.seclevel 2018-09-11 14:48:22.000000000 +0200 -+++ openssl-1.1.1/crypto/x509/x509_vfy.c 2018-10-01 09:52:23.535298908 +0200 -@@ -3220,6 +3220,7 @@ static int build_chain(X509_STORE_CTX *c +diff -up openssl-1.1.1g/crypto/x509/x509_vfy.c.seclevel openssl-1.1.1g/crypto/x509/x509_vfy.c +--- openssl-1.1.1g/crypto/x509/x509_vfy.c.seclevel 2020-04-21 14:22:39.000000000 +0200 ++++ openssl-1.1.1g/crypto/x509/x509_vfy.c 2020-06-05 17:16:54.835536823 +0200 +@@ -3225,6 +3225,7 @@ static int build_chain(X509_STORE_CTX *c } static const int minbits_table[] = { 80, 112, 128, 192, 256 }; @@ -9,20 +9,23 @@ diff -up openssl-1.1.1/crypto/x509/x509_vfy.c.seclevel openssl-1.1.1/crypto/x509 static const int NUM_AUTH_LEVELS = OSSL_NELEM(minbits_table); /* -@@ -3264,6 +3265,8 @@ static int check_sig_level(X509_STORE_CT +@@ -3276,6 +3277,11 @@ static int check_sig_level(X509_STORE_CT if (!X509_get_signature_info(cert, NULL, NULL, &secbits, NULL)) return 0; - - return secbits >= minbits_table[level - 1]; -+ /* Allow SHA1 in SECLEVEL 2 in non-FIPS mode */ -+ if (FIPS_mode()) ++ /* ++ * Allow SHA1 in SECLEVEL 2 in non-FIPS mode or when the magic ++ * disable SHA1 flag is not set. ++ */ ++ if ((ctx->param->flags & 0x40000000) || FIPS_mode()) + return secbits >= minbits_table[level - 1]; + return secbits >= minbits_digest_table[level - 1]; } -diff -up openssl-1.1.1/doc/man3/SSL_CTX_set_security_level.pod.seclevel openssl-1.1.1/doc/man3/SSL_CTX_set_security_level.pod ---- openssl-1.1.1/doc/man3/SSL_CTX_set_security_level.pod.seclevel 2018-09-11 14:48:22.000000000 +0200 -+++ openssl-1.1.1/doc/man3/SSL_CTX_set_security_level.pod 2018-10-01 09:52:23.535298908 +0200 +diff -up openssl-1.1.1g/doc/man3/SSL_CTX_set_security_level.pod.seclevel openssl-1.1.1g/doc/man3/SSL_CTX_set_security_level.pod +--- openssl-1.1.1g/doc/man3/SSL_CTX_set_security_level.pod.seclevel 2020-04-21 14:22:39.000000000 +0200 ++++ openssl-1.1.1g/doc/man3/SSL_CTX_set_security_level.pod 2020-06-04 15:48:01.608178833 +0200 @@ -81,8 +81,10 @@ using MD5 for the MAC is also prohibited =item B @@ -36,23 +39,115 @@ diff -up openssl-1.1.1/doc/man3/SSL_CTX_set_security_level.pod.seclevel openssl- In addition to the level 1 exclusions any cipher suite using RC4 is also prohibited. SSL version 3 is also not allowed. Compression is disabled. -diff -up openssl-1.1.1/ssl/ssl_cert.c.seclevel openssl-1.1.1/ssl/ssl_cert.c ---- openssl-1.1.1/ssl/ssl_cert.c.seclevel 2018-09-11 14:48:23.000000000 +0200 -+++ openssl-1.1.1/ssl/ssl_cert.c 2018-10-12 15:29:12.673799305 +0200 -@@ -983,6 +983,9 @@ static int ssl_security_default_callback +diff -up openssl-1.1.1g/ssl/ssl_cert.c.seclevel openssl-1.1.1g/ssl/ssl_cert.c +--- openssl-1.1.1g/ssl/ssl_cert.c.seclevel 2020-04-21 14:22:39.000000000 +0200 ++++ openssl-1.1.1g/ssl/ssl_cert.c 2020-06-05 17:10:11.842198401 +0200 +@@ -27,6 +27,7 @@ + static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx, + int op, int bits, int nid, void *other, + void *ex); ++static unsigned long sha1_disable(const SSL *s, const SSL_CTX *ctx); + + static CRYPTO_ONCE ssl_x509_store_ctx_once = CRYPTO_ONCE_STATIC_INIT; + static volatile int ssl_x509_store_ctx_idx = -1; +@@ -396,7 +397,7 @@ int ssl_verify_cert_chain(SSL *s, STACK_ + X509_VERIFY_PARAM_set_auth_level(param, SSL_get_security_level(s)); + + /* Set suite B flags if needed */ +- X509_STORE_CTX_set_flags(ctx, tls1_suiteb(s)); ++ X509_STORE_CTX_set_flags(ctx, tls1_suiteb(s) | sha1_disable(s, NULL)); + if (!X509_STORE_CTX_set_ex_data + (ctx, SSL_get_ex_data_X509_STORE_CTX_idx(), s)) { + goto end; +@@ -953,12 +954,33 @@ static int ssl_security_default_callback return 0; break; default: + /* allow SHA1 in SECLEVEL 2 in non FIPS mode */ -+ if (nid == NID_sha1 && minbits == 112 && !FIPS_mode()) ++ if (nid == NID_sha1 && minbits == 112 && !sha1_disable(s, ctx)) + break; if (bits < minbits) return 0; } -diff -up openssl-1.1.1/test/recipes/25-test_verify.t.seclevel openssl-1.1.1/test/recipes/25-test_verify.t ---- openssl-1.1.1/test/recipes/25-test_verify.t.seclevel 2018-09-11 14:48:24.000000000 +0200 -+++ openssl-1.1.1/test/recipes/25-test_verify.t 2018-10-01 09:52:23.535298908 +0200 -@@ -342,8 +342,8 @@ ok(verify("ee-pss-sha1-cert", "sslserver + return 1; + } + ++static unsigned long sha1_disable(const SSL *s, const SSL_CTX *ctx) ++{ ++ unsigned long ret = 0x40000000; /* a magical internal value used by X509_VERIFY_PARAM */ ++ const CERT *c; ++ ++ if (FIPS_mode()) ++ return ret; ++ ++ if (ctx != NULL) { ++ c = ctx->cert; ++ } else { ++ c = s->cert; ++ } ++ if (tls1_cert_sigalgs_have_sha1(c)) ++ return 0; ++ return ret; ++} ++ + int ssl_security(const SSL *s, int op, int bits, int nid, void *other) + { + return s->cert->sec_cb(s, NULL, op, bits, nid, other, s->cert->sec_ex); +diff -up openssl-1.1.1g/ssl/ssl_local.h.seclevel openssl-1.1.1g/ssl/ssl_local.h +--- openssl-1.1.1g/ssl/ssl_local.h.seclevel 2020-06-04 15:48:01.602178783 +0200 ++++ openssl-1.1.1g/ssl/ssl_local.h 2020-06-05 17:02:22.666313410 +0200 +@@ -2576,6 +2576,7 @@ __owur int tls1_save_sigalgs(SSL *s, PAC + __owur int tls1_process_sigalgs(SSL *s); + __owur int tls1_set_peer_legacy_sigalg(SSL *s, const EVP_PKEY *pkey); + __owur int tls1_lookup_md(const SIGALG_LOOKUP *lu, const EVP_MD **pmd); ++int tls1_cert_sigalgs_have_sha1(const CERT *c); + __owur size_t tls12_get_psigalgs(SSL *s, int sent, const uint16_t **psigs); + # ifndef OPENSSL_NO_EC + __owur int tls_check_sigalg_curve(const SSL *s, int curve); +diff -up openssl-1.1.1g/ssl/t1_lib.c.seclevel openssl-1.1.1g/ssl/t1_lib.c +--- openssl-1.1.1g/ssl/t1_lib.c.seclevel 2020-06-04 15:48:01.654179221 +0200 ++++ openssl-1.1.1g/ssl/t1_lib.c 2020-06-05 17:02:40.268459157 +0200 +@@ -2145,6 +2145,36 @@ int tls1_set_sigalgs(CERT *c, const int + return 0; + } + ++static int tls1_sigalgs_have_sha1(const uint16_t *sigalgs, size_t sigalgslen) ++{ ++ size_t i; ++ ++ for (i = 0; i < sigalgslen; i++, sigalgs++) { ++ const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(*sigalgs); ++ ++ if (lu == NULL) ++ continue; ++ if (lu->hash == NID_sha1) ++ return 1; ++ } ++ return 0; ++} ++ ++ ++int tls1_cert_sigalgs_have_sha1(const CERT *c) ++{ ++ if (c->client_sigalgs != NULL) { ++ if (tls1_sigalgs_have_sha1(c->client_sigalgs, c->client_sigalgslen)) ++ return 1; ++ } ++ if (c->conf_sigalgs != NULL) { ++ if (tls1_sigalgs_have_sha1(c->conf_sigalgs, c->conf_sigalgslen)) ++ return 1; ++ return 0; ++ } ++ return 1; ++} ++ + static int tls1_check_sig_alg(SSL *s, X509 *x, int default_nid) + { + int sig_nid, use_pc_sigalgs = 0; +diff -up openssl-1.1.1g/test/recipes/25-test_verify.t.seclevel openssl-1.1.1g/test/recipes/25-test_verify.t +--- openssl-1.1.1g/test/recipes/25-test_verify.t.seclevel 2020-04-21 14:22:39.000000000 +0200 ++++ openssl-1.1.1g/test/recipes/25-test_verify.t 2020-06-04 15:48:01.608178833 +0200 +@@ -346,8 +346,8 @@ ok(verify("ee-pss-sha1-cert", "sslserver ok(verify("ee-pss-sha256-cert", "sslserver", ["root-cert"], ["ca-cert"], ), "CA with PSS signature using SHA256"); diff --git a/openssl-1.1.1-ssh-kdf.patch b/openssl-1.1.1-ssh-kdf.patch index 08f02ac..1bf71c4 100644 --- a/openssl-1.1.1-ssh-kdf.patch +++ b/openssl-1.1.1-ssh-kdf.patch @@ -51,10 +51,10 @@ index 05f5cec3a9..811fe727f6 100644 }; DECLARE_OBJ_BSEARCH_CMP_FN(const EVP_KDF_METHOD *, const EVP_KDF_METHOD *, -diff --git a/crypto/include/internal/evp_int.h b/crypto/include/internal/evp_int.h +diff --git a/include/crypto/evp.h b/include/crypto/evp.h index a109e561b3..8c313c65ac 100644 ---- a/crypto/include/internal/evp_int.h -+++ b/crypto/include/internal/evp_int.h +--- a/include/crypto/evp.h ++++ b/include/crypto/evp.h @@ -129,6 +129,7 @@ extern const EVP_KDF_METHOD pbkdf2_kdf_meth; extern const EVP_KDF_METHOD scrypt_kdf_meth; extern const EVP_KDF_METHOD tls1_prf_kdf_meth; @@ -119,7 +119,7 @@ index 0000000000..24f37cbed4 +#include +#include +#include "internal/cryptlib.h" -+#include "internal/evp_int.h" ++#include "crypto/evp.h" +#include "kdf_local.h" + +/* See RFC 4253, Section 7.2 */ diff --git a/openssl-1.1.1-ts-sha256-default.patch b/openssl-1.1.1-ts-sha256-default.patch index d99dc47..2a1dd6c 100644 --- a/openssl-1.1.1-ts-sha256-default.patch +++ b/openssl-1.1.1-ts-sha256-default.patch @@ -1,8 +1,17 @@ -diff --git a/apps/ts.c b/apps/ts.c -index 63c5210183..4ef8a72eef 100644 ---- a/apps/ts.c -+++ b/apps/ts.c -@@ -425,7 +425,7 @@ static TS_REQ *create_query(BIO *data_bio, const char *digest, const EVP_MD *md, +diff -up openssl-1.1.1h/apps/openssl.cnf.ts-sha256-default openssl-1.1.1h/apps/openssl.cnf +--- openssl-1.1.1h/apps/openssl.cnf.ts-sha256-default 2020-11-06 11:07:28.850100899 +0100 ++++ openssl-1.1.1h/apps/openssl.cnf 2020-11-06 11:11:28.042913791 +0100 +@@ -364,5 +348,5 @@ tsa_name = yes # Must the TSA name be i + # (optional, default: no) + ess_cert_id_chain = no # Must the ESS cert id chain be included? + # (optional, default: no) +-ess_cert_id_alg = sha1 # algorithm to compute certificate ++ess_cert_id_alg = sha256 # algorithm to compute certificate + # identifier (optional, default: sha1) +diff -up openssl-1.1.1h/apps/ts.c.ts-sha256-default openssl-1.1.1h/apps/ts.c +--- openssl-1.1.1h/apps/ts.c.ts-sha256-default 2020-09-22 14:55:07.000000000 +0200 ++++ openssl-1.1.1h/apps/ts.c 2020-11-06 11:07:28.883101220 +0100 +@@ -423,7 +423,7 @@ static TS_REQ *create_query(BIO *data_bi ASN1_OBJECT *policy_obj = NULL; ASN1_INTEGER *nonce_asn1 = NULL; @@ -11,11 +20,22 @@ index 63c5210183..4ef8a72eef 100644 goto err; if ((ts_req = TS_REQ_new()) == NULL) goto err; -diff --git a/doc/man1/ts.pod b/doc/man1/ts.pod -index 078905a845..83b8fe4350 100644 ---- a/doc/man1/ts.pod -+++ b/doc/man1/ts.pod -@@ -517,7 +517,7 @@ included. Default is no. (Optional) +diff -up openssl-1.1.1h/crypto/ts/ts_conf.c.ts-sha256-default openssl-1.1.1h/crypto/ts/ts_conf.c +--- openssl-1.1.1h/crypto/ts/ts_conf.c.ts-sha256-default 2020-11-06 12:03:51.226372867 +0100 ++++ openssl-1.1.1h/crypto/ts/ts_conf.c 2020-11-06 12:04:01.713488990 +0100 +@@ -476,7 +476,7 @@ int TS_CONF_set_ess_cert_id_digest(CONF + const char *md = NCONF_get_string(conf, section, ENV_ESS_CERT_ID_ALG); + + if (md == NULL) +- md = "sha1"; ++ md = "sha256"; + + cert_md = EVP_get_digestbyname(md); + if (cert_md == NULL) { +diff -up openssl-1.1.1h/doc/man1/ts.pod.ts-sha256-default openssl-1.1.1h/doc/man1/ts.pod +--- openssl-1.1.1h/doc/man1/ts.pod.ts-sha256-default 2020-09-22 14:55:07.000000000 +0200 ++++ openssl-1.1.1h/doc/man1/ts.pod 2020-11-06 11:07:28.883101220 +0100 +@@ -518,7 +518,7 @@ included. Default is no. (Optional) =item B This option specifies the hash function to be used to calculate the TSA's @@ -24,21 +44,21 @@ index 078905a845..83b8fe4350 100644 =back -@@ -529,7 +529,7 @@ openssl/apps/openssl.cnf will do. +@@ -530,7 +530,7 @@ openssl/apps/openssl.cnf will do. =head2 Time Stamp Request --To create a time stamp request for design1.txt with SHA-1 -+To create a time stamp request for design1.txt with SHA-256 +-To create a timestamp request for design1.txt with SHA-1 ++To create a timestamp request for design1.txt with SHA-256 without nonce and policy and no certificate is required in the response: openssl ts -query -data design1.txt -no_nonce \ -@@ -545,12 +545,12 @@ To print the content of the previous request in human readable format: +@@ -546,12 +546,12 @@ To print the content of the previous req openssl ts -query -in design1.tsq -text --To create a time stamp request which includes the MD-5 digest -+To create a time stamp request which includes the SHA-512 digest +-To create a timestamp request which includes the MD-5 digest ++To create a timestamp request which includes the SHA-512 digest of design2.txt, requests the signer certificate and nonce, specifies a policy id (assuming the tsa_policy1 name is defined in the OID section of the config file): diff --git a/openssl-1.1.1-upstream-sync.patch b/openssl-1.1.1-upstream-sync.patch deleted file mode 100644 index 7e03b8d..0000000 --- a/openssl-1.1.1-upstream-sync.patch +++ /dev/null @@ -1,534 +0,0 @@ -diff -up openssl-1.1.1c/crypto/dsa/dsa_ameth.c.sync openssl-1.1.1c/crypto/dsa/dsa_ameth.c ---- openssl-1.1.1c/crypto/dsa/dsa_ameth.c.sync 2019-05-28 15:12:21.000000000 +0200 -+++ openssl-1.1.1c/crypto/dsa/dsa_ameth.c 2019-05-29 17:10:39.768187283 +0200 -@@ -503,7 +503,7 @@ static int dsa_pkey_ctrl(EVP_PKEY *pkey, - - case ASN1_PKEY_CTRL_DEFAULT_MD_NID: - *(int *)arg2 = NID_sha256; -- return 2; -+ return 1; - - default: - return -2; -diff -up openssl-1.1.1c/crypto/err/err.c.sync openssl-1.1.1c/crypto/err/err.c ---- openssl-1.1.1c/crypto/err/err.c.sync 2019-05-28 15:12:21.000000000 +0200 -+++ openssl-1.1.1c/crypto/err/err.c 2019-05-29 17:07:13.345793792 +0200 -@@ -184,8 +184,8 @@ static ERR_STRING_DATA *int_err_get_item - } - - #ifndef OPENSSL_NO_ERR --/* A measurement on Linux 2018-11-21 showed about 3.5kib */ --# define SPACE_SYS_STR_REASONS 4 * 1024 -+/* 2019-05-21: Russian and Ukrainian locales on Linux require more than 6,5 kB */ -+# define SPACE_SYS_STR_REASONS 8 * 1024 - # define NUM_SYS_STR_REASONS 127 - - static ERR_STRING_DATA SYS_str_reasons[NUM_SYS_STR_REASONS + 1]; -@@ -219,21 +219,23 @@ static void build_SYS_str_reasons(void) - ERR_STRING_DATA *str = &SYS_str_reasons[i - 1]; - - str->error = ERR_PACK(ERR_LIB_SYS, 0, i); -- if (str->string == NULL) { -+ /* -+ * If we have used up all the space in strerror_pool, -+ * there's no point in calling openssl_strerror_r() -+ */ -+ if (str->string == NULL && cnt < sizeof(strerror_pool)) { - if (openssl_strerror_r(i, cur, sizeof(strerror_pool) - cnt)) { - size_t l = strlen(cur); - - str->string = cur; - cnt += l; -- if (cnt > sizeof(strerror_pool)) -- cnt = sizeof(strerror_pool); - cur += l; - - /* - * VMS has an unusual quirk of adding spaces at the end of -- * some (most? all?) messages. Lets trim them off. -+ * some (most? all?) messages. Lets trim them off. - */ -- while (ossl_isspace(cur[-1])) { -+ while (cur > strerror_pool && ossl_isspace(cur[-1])) { - cur--; - cnt--; - } -diff -up openssl-1.1.1c/crypto/rand/rand_lib.c.sync openssl-1.1.1c/crypto/rand/rand_lib.c ---- openssl-1.1.1c/crypto/rand/rand_lib.c.sync 2019-05-29 17:20:17.175099183 +0200 -+++ openssl-1.1.1c/crypto/rand/rand_lib.c 2019-05-30 11:51:20.784850208 +0200 -@@ -239,8 +239,9 @@ size_t rand_drbg_get_nonce(RAND_DRBG *dr - struct { - void * instance; - int count; -- } data = { NULL, 0 }; -+ } data; - -+ memset(&data, 0, sizeof(data)); - pool = rand_pool_new(0, min_len, max_len); - if (pool == NULL) - return 0; -From 6c2f347c78a530407b5310497080810094427920 Mon Sep 17 00:00:00 2001 -From: Matt Caswell -Date: Wed, 17 Apr 2019 11:09:05 +0100 -Subject: [PATCH 1/2] Defer sending a KeyUpdate until after pending writes are - complete - -If we receive a KeyUpdate message (update requested) from the peer while -we are in the middle of a write, we should defer sending the responding -KeyUpdate message until after the current write is complete. We do this -by waiting to send the KeyUpdate until the next time we write and there is -no pending write data. - -This does imply a subtle change in behaviour. Firstly the responding -KeyUpdate message won't be sent straight away as it is now. Secondly if -the peer sends multiple KeyUpdates without us doing any writing then we -will only send one response, as opposed to previously where we sent a -response for each KeyUpdate received. - -Fixes #8677 - -Reviewed-by: Ben Kaduk -(Merged from https://github.com/openssl/openssl/pull/8773) - -(cherry picked from commit feb9e31c40c49de6384dd0413685e9b5a15adc99) ---- - ssl/record/rec_layer_s3.c | 7 +++++++ - ssl/statem/statem_clnt.c | 6 ------ - ssl/statem/statem_lib.c | 7 ++----- - ssl/statem/statem_srvr.c | 6 ------ - 4 files changed, 9 insertions(+), 17 deletions(-) - -diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c -index b2f97ef905..b65137c332 100644 ---- a/ssl/record/rec_layer_s3.c -+++ b/ssl/record/rec_layer_s3.c -@@ -373,6 +373,13 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, size_t len, - - s->rlayer.wnum = 0; - -+ /* -+ * If we are supposed to be sending a KeyUpdate then go into init unless we -+ * have writes pending - in which case we should finish doing that first. -+ */ -+ if (wb->left == 0 && s->key_update != SSL_KEY_UPDATE_NONE) -+ ossl_statem_set_in_init(s, 1); -+ - /* - * When writing early data on the server side we could be "in_init" in - * between receiving the EoED and the CF - but we don't want to handle those -diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c -index 87800cd835..6410414fb6 100644 ---- a/ssl/statem/statem_clnt.c -+++ b/ssl/statem/statem_clnt.c -@@ -473,12 +473,6 @@ static WRITE_TRAN ossl_statem_client13_write_transition(SSL *s) - return WRITE_TRAN_CONTINUE; - - case TLS_ST_CR_KEY_UPDATE: -- if (s->key_update != SSL_KEY_UPDATE_NONE) { -- st->hand_state = TLS_ST_CW_KEY_UPDATE; -- return WRITE_TRAN_CONTINUE; -- } -- /* Fall through */ -- - case TLS_ST_CW_KEY_UPDATE: - case TLS_ST_CR_SESSION_TICKET: - case TLS_ST_CW_FINISHED: -diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c -index c0482b0a90..2960dafa52 100644 ---- a/ssl/statem/statem_lib.c -+++ b/ssl/statem/statem_lib.c -@@ -645,12 +645,9 @@ MSG_PROCESS_RETURN tls_process_key_update(SSL *s, PACKET *pkt) - /* - * If we get a request for us to update our sending keys too then, we need - * to additionally send a KeyUpdate message. However that message should -- * not also request an update (otherwise we get into an infinite loop). We -- * ignore a request for us to update our sending keys too if we already -- * sent close_notify. -+ * not also request an update (otherwise we get into an infinite loop). - */ -- if (updatetype == SSL_KEY_UPDATE_REQUESTED -- && (s->shutdown & SSL_SENT_SHUTDOWN) == 0) -+ if (updatetype == SSL_KEY_UPDATE_REQUESTED) - s->key_update = SSL_KEY_UPDATE_NOT_REQUESTED; - - if (!tls13_update_key(s, 0)) { -diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c -index d454326a99..04a23320fc 100644 ---- a/ssl/statem/statem_srvr.c -+++ b/ssl/statem/statem_srvr.c -@@ -502,12 +502,6 @@ static WRITE_TRAN ossl_statem_server13_write_transition(SSL *s) - return WRITE_TRAN_CONTINUE; - - case TLS_ST_SR_KEY_UPDATE: -- if (s->key_update != SSL_KEY_UPDATE_NONE) { -- st->hand_state = TLS_ST_SW_KEY_UPDATE; -- return WRITE_TRAN_CONTINUE; -- } -- /* Fall through */ -- - case TLS_ST_SW_KEY_UPDATE: - st->hand_state = TLS_ST_OK; - return WRITE_TRAN_CONTINUE; --- -2.20.1 - -From c8feb1039ccc4cd11e6db084df1446bf863bee1e Mon Sep 17 00:00:00 2001 -From: Matt Caswell -Date: Wed, 17 Apr 2019 10:30:53 +0100 -Subject: [PATCH 2/2] Write a test for receiving a KeyUpdate (update requested) - while writing - -Reviewed-by: Ben Kaduk -(Merged from https://github.com/openssl/openssl/pull/8773) - -(cherry picked from commit a77b4dba237d001073d2d1c5d55c674a196c949f) ---- - test/sslapitest.c | 92 +++++++++++++++++++++++++++++++++++++++++++++ - test/ssltestlib.c | 96 +++++++++++++++++++++++++++++++++++++++++++++++ - test/ssltestlib.h | 3 ++ - 3 files changed, 191 insertions(+) - -diff --git a/test/sslapitest.c b/test/sslapitest.c -index 2261fe4a7a..577342644d 100644 ---- a/test/sslapitest.c -+++ b/test/sslapitest.c -@@ -4290,6 +4290,11 @@ static int test_key_update(void) - || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)), - strlen(mess))) - goto end; -+ -+ if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess)) -+ || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)), -+ strlen(mess))) -+ goto end; - } - - testresult = 1; -@@ -4302,6 +4307,91 @@ static int test_key_update(void) - - return testresult; - } -+ -+/* -+ * Test we can handle a KeyUpdate (update requested) message while write data -+ * is pending. -+ * Test 0: Client sends KeyUpdate while Server is writing -+ * Test 1: Server sends KeyUpdate while Client is writing -+ */ -+static int test_key_update_in_write(int tst) -+{ -+ SSL_CTX *cctx = NULL, *sctx = NULL; -+ SSL *clientssl = NULL, *serverssl = NULL; -+ int testresult = 0; -+ char buf[20]; -+ static char *mess = "A test message"; -+ BIO *bretry = BIO_new(bio_s_always_retry()); -+ BIO *tmp = NULL; -+ SSL *peerupdate = NULL, *peerwrite = NULL; -+ -+ if (!TEST_ptr(bretry) -+ || !TEST_true(create_ssl_ctx_pair(TLS_server_method(), -+ TLS_client_method(), -+ TLS1_3_VERSION, -+ 0, -+ &sctx, &cctx, cert, privkey)) -+ || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, -+ NULL, NULL)) -+ || !TEST_true(create_ssl_connection(serverssl, clientssl, -+ SSL_ERROR_NONE))) -+ goto end; -+ -+ peerupdate = tst == 0 ? clientssl : serverssl; -+ peerwrite = tst == 0 ? serverssl : clientssl; -+ -+ if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED)) -+ || !TEST_true(SSL_do_handshake(peerupdate))) -+ goto end; -+ -+ /* Swap the writing endpoint's write BIO to force a retry */ -+ tmp = SSL_get_wbio(peerwrite); -+ if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) { -+ tmp = NULL; -+ goto end; -+ } -+ SSL_set0_wbio(peerwrite, bretry); -+ bretry = NULL; -+ -+ /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */ -+ if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1) -+ || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE)) -+ goto end; -+ -+ /* Reinstate the original writing endpoint's write BIO */ -+ SSL_set0_wbio(peerwrite, tmp); -+ tmp = NULL; -+ -+ /* Now read some data - we will read the key update */ -+ if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1) -+ || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ)) -+ goto end; -+ -+ /* -+ * Complete the write we started previously and read it from the other -+ * endpoint -+ */ -+ if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess)) -+ || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess))) -+ goto end; -+ -+ /* Write more data to ensure we send the KeyUpdate message back */ -+ if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess)) -+ || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess))) -+ goto end; -+ -+ testresult = 1; -+ -+ end: -+ SSL_free(serverssl); -+ SSL_free(clientssl); -+ SSL_CTX_free(sctx); -+ SSL_CTX_free(cctx); -+ BIO_free(bretry); -+ BIO_free(tmp); -+ -+ return testresult; -+} - #endif /* OPENSSL_NO_TLS1_3 */ - - static int test_ssl_clear(int idx) -@@ -5982,6 +6072,7 @@ int setup_tests(void) - #ifndef OPENSSL_NO_TLS1_3 - ADD_ALL_TESTS(test_export_key_mat_early, 3); - ADD_TEST(test_key_update); -+ ADD_ALL_TESTS(test_key_update_in_write, 2); - #endif - ADD_ALL_TESTS(test_ssl_clear, 2); - ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test)); -@@ -6002,4 +6093,5 @@ int setup_tests(void) - void cleanup_tests(void) - { - bio_s_mempacket_test_free(); -+ bio_s_always_retry_free(); - } -diff --git a/test/ssltestlib.c b/test/ssltestlib.c -index 05139be750..e1038620ac 100644 ---- a/test/ssltestlib.c -+++ b/test/ssltestlib.c -@@ -62,9 +62,11 @@ static int tls_dump_puts(BIO *bp, const char *str); - /* Choose a sufficiently large type likely to be unused for this custom BIO */ - #define BIO_TYPE_TLS_DUMP_FILTER (0x80 | BIO_TYPE_FILTER) - #define BIO_TYPE_MEMPACKET_TEST 0x81 -+#define BIO_TYPE_ALWAYS_RETRY 0x82 - - static BIO_METHOD *method_tls_dump = NULL; - static BIO_METHOD *meth_mem = NULL; -+static BIO_METHOD *meth_always_retry = NULL; - - /* Note: Not thread safe! */ - const BIO_METHOD *bio_f_tls_dump_filter(void) -@@ -612,6 +614,100 @@ static int mempacket_test_puts(BIO *bio, const char *str) - return mempacket_test_write(bio, str, strlen(str)); - } - -+static int always_retry_new(BIO *bi); -+static int always_retry_free(BIO *a); -+static int always_retry_read(BIO *b, char *out, int outl); -+static int always_retry_write(BIO *b, const char *in, int inl); -+static long always_retry_ctrl(BIO *b, int cmd, long num, void *ptr); -+static int always_retry_gets(BIO *bp, char *buf, int size); -+static int always_retry_puts(BIO *bp, const char *str); -+ -+const BIO_METHOD *bio_s_always_retry(void) -+{ -+ if (meth_always_retry == NULL) { -+ if (!TEST_ptr(meth_always_retry = BIO_meth_new(BIO_TYPE_ALWAYS_RETRY, -+ "Always Retry")) -+ || !TEST_true(BIO_meth_set_write(meth_always_retry, -+ always_retry_write)) -+ || !TEST_true(BIO_meth_set_read(meth_always_retry, -+ always_retry_read)) -+ || !TEST_true(BIO_meth_set_puts(meth_always_retry, -+ always_retry_puts)) -+ || !TEST_true(BIO_meth_set_gets(meth_always_retry, -+ always_retry_gets)) -+ || !TEST_true(BIO_meth_set_ctrl(meth_always_retry, -+ always_retry_ctrl)) -+ || !TEST_true(BIO_meth_set_create(meth_always_retry, -+ always_retry_new)) -+ || !TEST_true(BIO_meth_set_destroy(meth_always_retry, -+ always_retry_free))) -+ return NULL; -+ } -+ return meth_always_retry; -+} -+ -+void bio_s_always_retry_free(void) -+{ -+ BIO_meth_free(meth_always_retry); -+} -+ -+static int always_retry_new(BIO *bio) -+{ -+ BIO_set_init(bio, 1); -+ return 1; -+} -+ -+static int always_retry_free(BIO *bio) -+{ -+ BIO_set_data(bio, NULL); -+ BIO_set_init(bio, 0); -+ return 1; -+} -+ -+static int always_retry_read(BIO *bio, char *out, int outl) -+{ -+ BIO_set_retry_read(bio); -+ return -1; -+} -+ -+static int always_retry_write(BIO *bio, const char *in, int inl) -+{ -+ BIO_set_retry_write(bio); -+ return -1; -+} -+ -+static long always_retry_ctrl(BIO *bio, int cmd, long num, void *ptr) -+{ -+ long ret = 1; -+ -+ switch (cmd) { -+ case BIO_CTRL_FLUSH: -+ BIO_set_retry_write(bio); -+ /* fall through */ -+ case BIO_CTRL_EOF: -+ case BIO_CTRL_RESET: -+ case BIO_CTRL_DUP: -+ case BIO_CTRL_PUSH: -+ case BIO_CTRL_POP: -+ default: -+ ret = 0; -+ break; -+ } -+ return ret; -+} -+ -+static int always_retry_gets(BIO *bio, char *buf, int size) -+{ -+ BIO_set_retry_read(bio); -+ return -1; -+} -+ -+static int always_retry_puts(BIO *bio, const char *str) -+{ -+ BIO_set_retry_write(bio); -+ return -1; -+} -+ - int create_ssl_ctx_pair(const SSL_METHOD *sm, const SSL_METHOD *cm, - int min_proto_version, int max_proto_version, - SSL_CTX **sctx, SSL_CTX **cctx, char *certfile, -diff --git a/test/ssltestlib.h b/test/ssltestlib.h -index fa19e7d80d..56e323f5bc 100644 ---- a/test/ssltestlib.h -+++ b/test/ssltestlib.h -@@ -30,6 +30,9 @@ void bio_f_tls_dump_filter_free(void); - const BIO_METHOD *bio_s_mempacket_test(void); - void bio_s_mempacket_test_free(void); - -+const BIO_METHOD *bio_s_always_retry(void); -+void bio_s_always_retry_free(void); -+ - /* Packet types - value 0 is reserved */ - #define INJECT_PACKET 1 - #define INJECT_PACKET_IGNORE_REC_SEQ 2 --- -2.20.1 - -diff -up openssl-1.1.1c/include/internal/constant_time_locl.h.valgrind openssl-1.1.1c/include/internal/constant_time_locl.h ---- openssl-1.1.1c/include/internal/constant_time_locl.h.valgrind 2019-05-28 15:12:21.000000000 +0200 -+++ openssl-1.1.1c/include/internal/constant_time_locl.h 2019-06-24 15:02:12.796053536 +0200 -@@ -213,18 +213,66 @@ static ossl_inline unsigned char constan - return constant_time_eq_8((unsigned)(a), (unsigned)(b)); - } - -+/* Returns the value unmodified, but avoids optimizations. */ -+static ossl_inline unsigned int value_barrier(unsigned int a) -+{ -+#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__) -+ unsigned int r; -+ __asm__("" : "=r"(r) : "0"(a)); -+#else -+ volatile unsigned int r = a; -+#endif -+ return r; -+} -+ -+/* Convenience method for uint32_t. */ -+static ossl_inline uint32_t value_barrier_32(uint32_t a) -+{ -+#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__) -+ uint32_t r; -+ __asm__("" : "=r"(r) : "0"(a)); -+#else -+ volatile uint32_t r = a; -+#endif -+ return r; -+} -+ -+/* Convenience method for uint64_t. */ -+static ossl_inline uint64_t value_barrier_64(uint64_t a) -+{ -+#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__) -+ uint64_t r; -+ __asm__("" : "=r"(r) : "0"(a)); -+#else -+ volatile uint64_t r = a; -+#endif -+ return r; -+} -+ -+/* Convenience method for size_t. */ -+static ossl_inline size_t value_barrier_s(size_t a) -+{ -+#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__) -+ size_t r; -+ __asm__("" : "=r"(r) : "0"(a)); -+#else -+ volatile size_t r = a; -+#endif -+ return r; -+} -+ - static ossl_inline unsigned int constant_time_select(unsigned int mask, - unsigned int a, - unsigned int b) - { -- return (mask & a) | (~mask & b); -+ return (value_barrier(mask) & a) | (value_barrier(~mask) & b); - } - - static ossl_inline size_t constant_time_select_s(size_t mask, - size_t a, - size_t b) - { -- return (mask & a) | (~mask & b); -+ return (value_barrier_s(mask) & a) | (value_barrier_s(~mask) & b); - } - - static ossl_inline unsigned char constant_time_select_8(unsigned char mask, -@@ -249,13 +297,13 @@ static ossl_inline int constant_time_sel - static ossl_inline uint32_t constant_time_select_32(uint32_t mask, uint32_t a, - uint32_t b) - { -- return (mask & a) | (~mask & b); -+ return (value_barrier_32(mask) & a) | (value_barrier_32(~mask) & b); - } - - static ossl_inline uint64_t constant_time_select_64(uint64_t mask, uint64_t a, - uint64_t b) - { -- return (mask & a) | (~mask & b); -+ return (value_barrier_64(mask) & a) | (value_barrier_64(~mask) & b); - } - - /* diff --git a/openssl-1.1.1-version-override.patch b/openssl-1.1.1-version-override.patch index 7970b84..b89ebc6 100644 --- a/openssl-1.1.1-version-override.patch +++ b/openssl-1.1.1-version-override.patch @@ -1,12 +1,12 @@ -diff -up openssl-1.1.1c/include/openssl/opensslv.h.version-override openssl-1.1.1c/include/openssl/opensslv.h ---- openssl-1.1.1c/include/openssl/opensslv.h.version-override 2019-05-29 15:52:30.014734859 +0200 -+++ openssl-1.1.1c/include/openssl/opensslv.h 2019-05-29 15:53:23.093800831 +0200 +diff -up openssl-1.1.1i/include/openssl/opensslv.h.version-override openssl-1.1.1i/include/openssl/opensslv.h +--- openssl-1.1.1i/include/openssl/opensslv.h.version-override 2020-12-09 10:25:12.042374409 +0100 ++++ openssl-1.1.1i/include/openssl/opensslv.h 2020-12-09 10:26:00.362769170 +0100 @@ -40,7 +40,7 @@ extern "C" { * major minor fix final patch/beta) */ - # define OPENSSL_VERSION_NUMBER 0x1010103fL --# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1c 28 May 2019" -+# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1c FIPS 28 May 2019" + # define OPENSSL_VERSION_NUMBER 0x101010bfL +-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1k 25 Mar 2021" ++# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1k FIPS 25 Mar 2021" /*- * The macros below are to be used for shared library (.so, .dll, ...) diff --git a/openssl-mingw64-dont-use-secure-getenv.patch b/openssl-mingw64-dont-use-secure-getenv.patch deleted file mode 100644 index ff0007c..0000000 --- a/openssl-mingw64-dont-use-secure-getenv.patch +++ /dev/null @@ -1,23 +0,0 @@ -diff --git a/crypto/asn1/a_verify.c b/crypto/asn1/a_verify.c -index 376b359..1d42c2c 100644 ---- a/crypto/asn1/a_verify.c -+++ b/crypto/asn1/a_verify.c -@@ -7,9 +7,6 @@ - * https://www.openssl.org/source/license.html - */ - --/* for secure_getenv */ --#define _GNU_SOURCE -- - #include - #include - #include -@@ -130,7 +127,7 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a, - goto err; - ret = -1; - } else if ((mdnid == NID_md5 -- && secure_getenv("OPENSSL_ENABLE_MD5_VERIFY") == NULL) || -+ && getenv("OPENSSL_ENABLE_MD5_VERIFY") == NULL) || - mdnid == NID_md4 || mdnid == NID_md2 || mdnid == NID_sha) { - ASN1err(ASN1_F_ASN1_ITEM_VERIFY, - ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM); diff --git a/sources b/sources index 1c013a4..cc9f962 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (openssl-1.1.1c-hobbled.tar.xz) = e6476209366d284bd02dca7e59a7ba2562aa7c58c91f0063b1e2b0f1a7f96fcff000e26d9c6f59b944e047b3305d237ed442f702ddd2e8c6c7a4d5b12e23c8db +SHA512 (openssl-1.1.1k-hobbled.tar.xz) = b5282e40af8f28f7a859dfddeb269f3a4b0f4fb535de330dfd3ad14a123b57fe66e3880c6c9aacf49865175b1f7f6c88cae31451a99d4ac2b2cb1c5135d4ada9