diff --git a/.gitignore b/.gitignore
index 983be65..5559f5c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/openssl-1.1.1c-hobbled.tar.xz
+SOURCES/openssl-1.1.1g-hobbled.tar.xz
diff --git a/.openssl.metadata b/.openssl.metadata
index 0207a7b..5a5d250 100644
--- a/.openssl.metadata
+++ b/.openssl.metadata
@@ -1 +1 @@
-a85056adf2c2402e808bbe3201f6e473cfa8c214 SOURCES/openssl-1.1.1c-hobbled.tar.xz
+b55517bdc9aa61627a9896c1a3a156d5f6a4348f SOURCES/openssl-1.1.1g-hobbled.tar.xz
diff --git a/SOURCES/ec_curve.c b/SOURCES/ec_curve.c
index 58f8f3f..9171ed4 100644
--- a/SOURCES/ec_curve.c
+++ b/SOURCES/ec_curve.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2002-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
*
* Licensed under the OpenSSL license (the "License"). You may not use
@@ -9,7 +9,7 @@
*/
#include <string.h>
-#include "ec_lcl.h"
+#include "ec_local.h"
#include <openssl/err.h>
#include <openssl/obj_mac.h>
#include <openssl/opensslconf.h>
@@ -468,3 +468,115 @@ int EC_curve_nist2nid(const char *name)
}
return NID_undef;
}
+
+#define NUM_BN_FIELDS 6
+/*
+ * Validates EC domain parameter data for known named curves.
+ * This can be used when a curve is loaded explicitly (without a curve
+ * name) or to validate that domain parameters have not been modified.
+ *
+ * Returns: The nid associated with the found named curve, or NID_undef
+ * if not found. If there was an error it returns -1.
+ */
+int ec_curve_nid_from_params(const EC_GROUP *group, BN_CTX *ctx)
+{
+ int ret = -1, nid, len, field_type, param_len;
+ size_t i, seed_len;
+ const unsigned char *seed, *params_seed, *params;
+ unsigned char *param_bytes = NULL;
+ const EC_CURVE_DATA *data;
+ const EC_POINT *generator = NULL;
+ const EC_METHOD *meth;
+ const BIGNUM *cofactor = NULL;
+ /* An array of BIGNUMs for (p, a, b, x, y, order) */
+ BIGNUM *bn[NUM_BN_FIELDS] = {NULL, NULL, NULL, NULL, NULL, NULL};
+
+ meth = EC_GROUP_method_of(group);
+ if (meth == NULL)
+ return -1;
+ /* Use the optional named curve nid as a search field */
+ nid = EC_GROUP_get_curve_name(group);
+ field_type = EC_METHOD_get_field_type(meth);
+ seed_len = EC_GROUP_get_seed_len(group);
+ seed = EC_GROUP_get0_seed(group);
+ cofactor = EC_GROUP_get0_cofactor(group);
+
+ BN_CTX_start(ctx);
+
+ /*
+ * The built-in curves contains data fields (p, a, b, x, y, order) that are
+ * all zero-padded to be the same size. The size of the padding is
+ * determined by either the number of bytes in the field modulus (p) or the
+ * EC group order, whichever is larger.
+ */
+ param_len = BN_num_bytes(group->order);
+ len = BN_num_bytes(group->field);
+ if (len > param_len)
+ param_len = len;
+
+ /* Allocate space to store the padded data for (p, a, b, x, y, order) */
+ param_bytes = OPENSSL_malloc(param_len * NUM_BN_FIELDS);
+ if (param_bytes == NULL)
+ goto end;
+
+ /* Create the bignums */
+ for (i = 0; i < NUM_BN_FIELDS; ++i) {
+ if ((bn[i] = BN_CTX_get(ctx)) == NULL)
+ goto end;
+ }
+ /*
+ * Fill in the bn array with the same values as the internal curves
+ * i.e. the values are p, a, b, x, y, order.
+ */
+ /* Get p, a & b */
+ if (!(EC_GROUP_get_curve(group, bn[0], bn[1], bn[2], ctx)
+ && ((generator = EC_GROUP_get0_generator(group)) != NULL)
+ /* Get x & y */
+ && EC_POINT_get_affine_coordinates(group, generator, bn[3], bn[4], ctx)
+ /* Get order */
+ && EC_GROUP_get_order(group, bn[5], ctx)))
+ goto end;
+
+ /*
+ * Convert the bignum array to bytes that are joined together to form
+ * a single buffer that contains data for all fields.
+ * (p, a, b, x, y, order) are all zero padded to be the same size.
+ */
+ for (i = 0; i < NUM_BN_FIELDS; ++i) {
+ if (BN_bn2binpad(bn[i], ¶m_bytes[i*param_len], param_len) <= 0)
+ goto end;
+ }
+
+ for (i = 0; i < curve_list_length; i++) {
+ const ec_list_element curve = curve_list[i];
+
+ data = curve.data;
+ /* Get the raw order byte data */
+ params_seed = (const unsigned char *)(data + 1); /* skip header */
+ params = params_seed + data->seed_len;
+
+ /* Look for unique fields in the fixed curve data */
+ if (data->field_type == field_type
+ && param_len == data->param_len
+ && (nid <= 0 || nid == curve.nid)
+ /* check the optional cofactor (ignore if its zero) */
+ && (BN_is_zero(cofactor)
+ || BN_is_word(cofactor, (const BN_ULONG)curve.data->cofactor))
+ /* Check the optional seed (ignore if its not set) */
+ && (data->seed_len == 0 || seed_len == 0
+ || ((size_t)data->seed_len == seed_len
+ && memcmp(params_seed, seed, seed_len) == 0))
+ /* Check that the groups params match the built-in curve params */
+ && memcmp(param_bytes, params, param_len * NUM_BN_FIELDS)
+ == 0) {
+ ret = curve.nid;
+ goto end;
+ }
+ }
+ /* Gets here if the group was not found */
+ ret = NID_undef;
+end:
+ OPENSSL_free(param_bytes);
+ BN_CTX_end(ctx);
+ return ret;
+}
diff --git a/SOURCES/ectest.c b/SOURCES/ectest.c
index 53adf88..c16642e 100644
--- a/SOURCES/ectest.c
+++ b/SOURCES/ectest.c
@@ -844,6 +844,271 @@ static const unsigned char p521_explicit[] = {
0xbb, 0x6f, 0xb7, 0x1e, 0x91, 0x38, 0x64, 0x09, 0x02, 0x01, 0x01,
};
+/*
+ * Sometime we cannot compare nids for equality, as the built-in curve table
+ * includes aliases with different names for the same curve.
+ *
+ * This function returns TRUE (1) if the checked nids are identical, or if they
+ * alias to the same curve. FALSE (0) otherwise.
+ */
+static ossl_inline
+int are_ec_nids_compatible(int n1d, int n2d)
+{
+ int ret = 0;
+ switch (n1d) {
+# ifndef OPENSSL_NO_EC2M
+ case NID_sect113r1:
+ case NID_wap_wsg_idm_ecid_wtls4:
+ ret = (n2d == NID_sect113r1 || n2d == NID_wap_wsg_idm_ecid_wtls4);
+ break;
+ case NID_sect163k1:
+ case NID_wap_wsg_idm_ecid_wtls3:
+ ret = (n2d == NID_sect163k1 || n2d == NID_wap_wsg_idm_ecid_wtls3);
+ break;
+ case NID_sect233k1:
+ case NID_wap_wsg_idm_ecid_wtls10:
+ ret = (n2d == NID_sect233k1 || n2d == NID_wap_wsg_idm_ecid_wtls10);
+ break;
+ case NID_sect233r1:
+ case NID_wap_wsg_idm_ecid_wtls11:
+ ret = (n2d == NID_sect233r1 || n2d == NID_wap_wsg_idm_ecid_wtls11);
+ break;
+ case NID_X9_62_c2pnb163v1:
+ case NID_wap_wsg_idm_ecid_wtls5:
+ ret = (n2d == NID_X9_62_c2pnb163v1
+ || n2d == NID_wap_wsg_idm_ecid_wtls5);
+ break;
+# endif /* OPENSSL_NO_EC2M */
+ case NID_secp112r1:
+ case NID_wap_wsg_idm_ecid_wtls6:
+ ret = (n2d == NID_secp112r1 || n2d == NID_wap_wsg_idm_ecid_wtls6);
+ break;
+ case NID_secp160r2:
+ case NID_wap_wsg_idm_ecid_wtls7:
+ ret = (n2d == NID_secp160r2 || n2d == NID_wap_wsg_idm_ecid_wtls7);
+ break;
+# ifdef OPENSSL_NO_EC_NISTP_64_GCC_128
+ case NID_secp224r1:
+ case NID_wap_wsg_idm_ecid_wtls12:
+ ret = (n2d == NID_secp224r1 || n2d == NID_wap_wsg_idm_ecid_wtls12);
+ break;
+# else
+ /*
+ * For SEC P-224 we want to ensure that the SECP nid is returned, as
+ * that is associated with a specialized method.
+ */
+ case NID_wap_wsg_idm_ecid_wtls12:
+ ret = (n2d == NID_secp224r1);
+ break;
+# endif /* def(OPENSSL_NO_EC_NISTP_64_GCC_128) */
+
+ default:
+ ret = (n1d == n2d);
+ }
+ return ret;
+}
+
+/*
+ * This checks that EC_GROUP_bew_from_ecparameters() returns a "named"
+ * EC_GROUP for built-in curves.
+ *
+ * Note that it is possible to retrieve an alternative alias that does not match
+ * the original nid.
+ *
+ * Ensure that the OPENSSL_EC_EXPLICIT_CURVE ASN1 flag is set.
+ */
+static int check_named_curve_from_ecparameters(int id)
+{
+ int ret = 0, nid, tnid;
+ EC_GROUP *group = NULL, *tgroup = NULL, *tmpg = NULL;
+ const EC_POINT *group_gen = NULL;
+ EC_POINT *other_gen = NULL;
+ BIGNUM *group_cofactor = NULL, *other_cofactor = NULL;
+ BIGNUM *other_gen_x = NULL, *other_gen_y = NULL;
+ const BIGNUM *group_order = NULL;
+ BIGNUM *other_order = NULL;
+ BN_CTX *bn_ctx = NULL;
+ static const unsigned char invalid_seed[] = "THIS IS NOT A VALID SEED";
+ static size_t invalid_seed_len = sizeof(invalid_seed);
+ ECPARAMETERS *params = NULL, *other_params = NULL;
+ EC_GROUP *g_ary[8] = {NULL};
+ EC_GROUP **g_next = &g_ary[0];
+ ECPARAMETERS *p_ary[8] = {NULL};
+ ECPARAMETERS **p_next = &p_ary[0];
+
+ /* Do some setup */
+ nid = curves[id].nid;
+ TEST_note("Curve %s", OBJ_nid2sn(nid));
+ if (!TEST_ptr(bn_ctx = BN_CTX_new()))
+ return ret;
+ BN_CTX_start(bn_ctx);
+
+ if (/* Allocations */
+ !TEST_ptr(group_cofactor = BN_CTX_get(bn_ctx))
+ || !TEST_ptr(other_gen_x = BN_CTX_get(bn_ctx))
+ || !TEST_ptr(other_gen_y = BN_CTX_get(bn_ctx))
+ || !TEST_ptr(other_order = BN_CTX_get(bn_ctx))
+ || !TEST_ptr(other_cofactor = BN_CTX_get(bn_ctx))
+ /* Generate reference group and params */
+ || !TEST_ptr(group = EC_GROUP_new_by_curve_name(nid))
+ || !TEST_ptr(params = EC_GROUP_get_ecparameters(group, NULL))
+ || !TEST_ptr(group_gen = EC_GROUP_get0_generator(group))
+ || !TEST_ptr(group_order = EC_GROUP_get0_order(group))
+ || !TEST_true(EC_GROUP_get_cofactor(group, group_cofactor, NULL))
+ /* compute `other_*` values */
+ || !TEST_ptr(tmpg = EC_GROUP_dup(group))
+ || !TEST_ptr(other_gen = EC_POINT_dup(group_gen, group))
+ || !TEST_true(EC_POINT_add(group, other_gen, group_gen, group_gen, NULL))
+ || !TEST_true(EC_POINT_get_affine_coordinates(group, other_gen,
+ other_gen_x, other_gen_y, bn_ctx))
+ || !TEST_true(BN_copy(other_order, group_order))
+ || !TEST_true(BN_add_word(other_order, 1))
+ || !TEST_true(BN_copy(other_cofactor, group_cofactor))
+ || !TEST_true(BN_add_word(other_cofactor, 1)))
+ goto err;
+
+ EC_POINT_free(other_gen);
+ other_gen = NULL;
+
+ if (!TEST_ptr(other_gen = EC_POINT_new(tmpg))
+ || !TEST_true(EC_POINT_set_affine_coordinates(tmpg, other_gen,
+ other_gen_x, other_gen_y,
+ bn_ctx)))
+ goto err;
+
+ /*
+ * ###########################
+ * # Actual tests start here #
+ * ###########################
+ */
+
+ /*
+ * Creating a group from built-in explicit parameters returns a
+ * "named" EC_GROUP
+ */
+ if (!TEST_ptr(tgroup = *g_next++ = EC_GROUP_new_from_ecparameters(params))
+ || !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef))
+ goto err;
+ /*
+ * We cannot always guarantee the names match, as the built-in table
+ * contains aliases for the same curve with different names.
+ */
+ if (!TEST_true(are_ec_nids_compatible(nid, tnid))) {
+ TEST_info("nid = %s, tnid = %s", OBJ_nid2sn(nid), OBJ_nid2sn(tnid));
+ goto err;
+ }
+ /* Ensure that the OPENSSL_EC_EXPLICIT_CURVE ASN1 flag is set. */
+ if (!TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup), OPENSSL_EC_EXPLICIT_CURVE))
+ goto err;
+
+ /*
+ * An invalid seed in the parameters should be ignored: expect a "named"
+ * group.
+ */
+ if (!TEST_int_eq(EC_GROUP_set_seed(tmpg, invalid_seed, invalid_seed_len),
+ invalid_seed_len)
+ || !TEST_ptr(other_params = *p_next++ =
+ EC_GROUP_get_ecparameters(tmpg, NULL))
+ || !TEST_ptr(tgroup = *g_next++ =
+ EC_GROUP_new_from_ecparameters(other_params))
+ || !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)
+ || !TEST_true(are_ec_nids_compatible(nid, tnid))
+ || !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup),
+ OPENSSL_EC_EXPLICIT_CURVE)) {
+ TEST_info("nid = %s, tnid = %s", OBJ_nid2sn(nid), OBJ_nid2sn(tnid));
+ goto err;
+ }
+
+ /*
+ * A null seed in the parameters should be ignored, as it is optional:
+ * expect a "named" group.
+ */
+ if (!TEST_int_eq(EC_GROUP_set_seed(tmpg, NULL, 0), 1)
+ || !TEST_ptr(other_params = *p_next++ =
+ EC_GROUP_get_ecparameters(tmpg, NULL))
+ || !TEST_ptr(tgroup = *g_next++ =
+ EC_GROUP_new_from_ecparameters(other_params))
+ || !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)
+ || !TEST_true(are_ec_nids_compatible(nid, tnid))
+ || !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup),
+ OPENSSL_EC_EXPLICIT_CURVE)) {
+ TEST_info("nid = %s, tnid = %s", OBJ_nid2sn(nid), OBJ_nid2sn(tnid));
+ goto err;
+ }
+
+ /*
+ * Check that changing any of the generator parameters does not yield a
+ * match with the built-in curves
+ */
+ if (/* Other gen, same group order & cofactor */
+ !TEST_true(EC_GROUP_set_generator(tmpg, other_gen, group_order,
+ group_cofactor))
+ || !TEST_ptr(other_params = *p_next++ =
+ EC_GROUP_get_ecparameters(tmpg, NULL))
+ || !TEST_ptr(tgroup = *g_next++ =
+ EC_GROUP_new_from_ecparameters(other_params))
+ || !TEST_int_eq((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)
+ /* Same gen & cofactor, different order */
+ || !TEST_true(EC_GROUP_set_generator(tmpg, group_gen, other_order,
+ group_cofactor))
+ || !TEST_ptr(other_params = *p_next++ =
+ EC_GROUP_get_ecparameters(tmpg, NULL))
+ || !TEST_ptr(tgroup = *g_next++ =
+ EC_GROUP_new_from_ecparameters(other_params))
+ || !TEST_int_eq((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)
+ /* The order is not an optional field, so this should fail */
+ || !TEST_false(EC_GROUP_set_generator(tmpg, group_gen, NULL,
+ group_cofactor))
+ /* Check that a wrong cofactor is ignored, and we still match */
+ || !TEST_true(EC_GROUP_set_generator(tmpg, group_gen, group_order,
+ other_cofactor))
+ || !TEST_ptr(other_params = *p_next++ =
+ EC_GROUP_get_ecparameters(tmpg, NULL))
+ || !TEST_ptr(tgroup = *g_next++ =
+ EC_GROUP_new_from_ecparameters(other_params))
+ || !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)
+ || !TEST_true(are_ec_nids_compatible(nid, tnid))
+ || !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup),
+ OPENSSL_EC_EXPLICIT_CURVE)
+ /* Check that if the cofactor is not set then it still matches */
+ || !TEST_true(EC_GROUP_set_generator(tmpg, group_gen, group_order,
+ NULL))
+ || !TEST_ptr(other_params = *p_next++ =
+ EC_GROUP_get_ecparameters(tmpg, NULL))
+ || !TEST_ptr(tgroup = *g_next++ =
+ EC_GROUP_new_from_ecparameters(other_params))
+ || !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)
+ || !TEST_true(are_ec_nids_compatible(nid, tnid))
+ || !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup),
+ OPENSSL_EC_EXPLICIT_CURVE)
+ /* check that restoring the generator passes */
+ || !TEST_true(EC_GROUP_set_generator(tmpg, group_gen, group_order,
+ group_cofactor))
+ || !TEST_ptr(other_params = *p_next++ =
+ EC_GROUP_get_ecparameters(tmpg, NULL))
+ || !TEST_ptr(tgroup = *g_next++ =
+ EC_GROUP_new_from_ecparameters(other_params))
+ || !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)
+ || !TEST_true(are_ec_nids_compatible(nid, tnid))
+ || !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup),
+ OPENSSL_EC_EXPLICIT_CURVE))
+ goto err;
+
+ ret = 1;
+err:
+ for (g_next = &g_ary[0]; g_next < g_ary + OSSL_NELEM(g_ary); g_next++)
+ EC_GROUP_free(*g_next);
+ for (p_next = &p_ary[0]; p_next < p_ary + OSSL_NELEM(g_ary); p_next++)
+ ECPARAMETERS_free(*p_next);
+ ECPARAMETERS_free(params);
+ EC_POINT_free(other_gen);
+ EC_GROUP_free(tmpg);
+ EC_GROUP_free(group);
+ BN_CTX_end(bn_ctx);
+ BN_CTX_free(bn_ctx);
+ return ret;
+}
+
static int parameter_test(void)
{
EC_GROUP *group = NULL, *group2 = NULL;
@@ -851,7 +1116,8 @@ static int parameter_test(void)
unsigned char *buf = NULL;
int r = 0, len;
- if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(NID_secp384r1))
+ /* must use a curve without a special group method */
+ if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(NID_secp256k1))
|| !TEST_ptr(ecparameters = EC_GROUP_get_ecparameters(group, NULL))
|| !TEST_ptr(group2 = EC_GROUP_new_from_ecparameters(ecparameters))
|| !TEST_int_eq(EC_GROUP_cmp(group, group2, NULL), 0))
@@ -886,7 +1152,280 @@ err:
OPENSSL_free(buf);
return r;
}
-#endif
+
+/*-
+ * random 256-bit explicit parameters curve, cofactor absent
+ * order: 0x0c38d96a9f892b88772ec2e39614a82f4f (132 bit)
+ * cofactor: 0x12bc94785251297abfafddf1565100da (125 bit)
+ */
+static const unsigned char params_cf_pass[] = {
+ 0x30, 0x81, 0xcd, 0x02, 0x01, 0x01, 0x30, 0x2c, 0x06, 0x07, 0x2a, 0x86,
+ 0x48, 0xce, 0x3d, 0x01, 0x01, 0x02, 0x21, 0x00, 0xe5, 0x00, 0x1f, 0xc5,
+ 0xca, 0x71, 0x9d, 0x8e, 0xf7, 0x07, 0x4b, 0x48, 0x37, 0xf9, 0x33, 0x2d,
+ 0x71, 0xbf, 0x79, 0xe7, 0xdc, 0x91, 0xc2, 0xff, 0xb6, 0x7b, 0xc3, 0x93,
+ 0x44, 0x88, 0xe6, 0x91, 0x30, 0x44, 0x04, 0x20, 0xe5, 0x00, 0x1f, 0xc5,
+ 0xca, 0x71, 0x9d, 0x8e, 0xf7, 0x07, 0x4b, 0x48, 0x37, 0xf9, 0x33, 0x2d,
+ 0x71, 0xbf, 0x79, 0xe7, 0xdc, 0x91, 0xc2, 0xff, 0xb6, 0x7b, 0xc3, 0x93,
+ 0x44, 0x88, 0xe6, 0x8e, 0x04, 0x20, 0x18, 0x8c, 0x59, 0x57, 0xc4, 0xbc,
+ 0x85, 0x57, 0xc3, 0x66, 0x9f, 0x89, 0xd5, 0x92, 0x0d, 0x7e, 0x42, 0x27,
+ 0x07, 0x64, 0xaa, 0x26, 0xed, 0x89, 0xc4, 0x09, 0x05, 0x4d, 0xc7, 0x23,
+ 0x47, 0xda, 0x04, 0x41, 0x04, 0x1b, 0x6b, 0x41, 0x0b, 0xf9, 0xfb, 0x77,
+ 0xfd, 0x50, 0xb7, 0x3e, 0x23, 0xa3, 0xec, 0x9a, 0x3b, 0x09, 0x31, 0x6b,
+ 0xfa, 0xf6, 0xce, 0x1f, 0xff, 0xeb, 0x57, 0x93, 0x24, 0x70, 0xf3, 0xf4,
+ 0xba, 0x7e, 0xfa, 0x86, 0x6e, 0x19, 0x89, 0xe3, 0x55, 0x6d, 0x5a, 0xe9,
+ 0xc0, 0x3d, 0xbc, 0xfb, 0xaf, 0xad, 0xd4, 0x7e, 0xa6, 0xe5, 0xfa, 0x1a,
+ 0x58, 0x07, 0x9e, 0x8f, 0x0d, 0x3b, 0xf7, 0x38, 0xca, 0x02, 0x11, 0x0c,
+ 0x38, 0xd9, 0x6a, 0x9f, 0x89, 0x2b, 0x88, 0x77, 0x2e, 0xc2, 0xe3, 0x96,
+ 0x14, 0xa8, 0x2f, 0x4f
+};
+
+/*-
+ * random 256-bit explicit parameters curve, cofactor absent
+ * order: 0x045a75c0c17228ebd9b169a10e34a22101 (131 bit)
+ * cofactor: 0x2e134b4ede82649f67a2e559d361e5fe (126 bit)
+ */
+static const unsigned char params_cf_fail[] = {
+ 0x30, 0x81, 0xcd, 0x02, 0x01, 0x01, 0x30, 0x2c, 0x06, 0x07, 0x2a, 0x86,
+ 0x48, 0xce, 0x3d, 0x01, 0x01, 0x02, 0x21, 0x00, 0xc8, 0x95, 0x27, 0x37,
+ 0xe8, 0xe1, 0xfd, 0xcc, 0xf9, 0x6e, 0x0c, 0xa6, 0x21, 0xc1, 0x7d, 0x6b,
+ 0x9d, 0x44, 0x42, 0xea, 0x73, 0x4e, 0x04, 0xb6, 0xac, 0x62, 0x50, 0xd0,
+ 0x33, 0xc2, 0xea, 0x13, 0x30, 0x44, 0x04, 0x20, 0xc8, 0x95, 0x27, 0x37,
+ 0xe8, 0xe1, 0xfd, 0xcc, 0xf9, 0x6e, 0x0c, 0xa6, 0x21, 0xc1, 0x7d, 0x6b,
+ 0x9d, 0x44, 0x42, 0xea, 0x73, 0x4e, 0x04, 0xb6, 0xac, 0x62, 0x50, 0xd0,
+ 0x33, 0xc2, 0xea, 0x10, 0x04, 0x20, 0xbf, 0xa6, 0xa8, 0x05, 0x1d, 0x09,
+ 0xac, 0x70, 0x39, 0xbb, 0x4d, 0xb2, 0x90, 0x8a, 0x15, 0x41, 0x14, 0x1d,
+ 0x11, 0x86, 0x9f, 0x13, 0xa2, 0x63, 0x1a, 0xda, 0x95, 0x22, 0x4d, 0x02,
+ 0x15, 0x0a, 0x04, 0x41, 0x04, 0xaf, 0x16, 0x71, 0xf9, 0xc4, 0xc8, 0x59,
+ 0x1d, 0xa3, 0x6f, 0xe7, 0xc3, 0x57, 0xa1, 0xfa, 0x9f, 0x49, 0x7c, 0x11,
+ 0x27, 0x05, 0xa0, 0x7f, 0xff, 0xf9, 0xe0, 0xe7, 0x92, 0xdd, 0x9c, 0x24,
+ 0x8e, 0xc7, 0xb9, 0x52, 0x71, 0x3f, 0xbc, 0x7f, 0x6a, 0x9f, 0x35, 0x70,
+ 0xe1, 0x27, 0xd5, 0x35, 0x8a, 0x13, 0xfa, 0xa8, 0x33, 0x3e, 0xd4, 0x73,
+ 0x1c, 0x14, 0x58, 0x9e, 0xc7, 0x0a, 0x87, 0x65, 0x8d, 0x02, 0x11, 0x04,
+ 0x5a, 0x75, 0xc0, 0xc1, 0x72, 0x28, 0xeb, 0xd9, 0xb1, 0x69, 0xa1, 0x0e,
+ 0x34, 0xa2, 0x21, 0x01
+};
+
+/*-
+ * Test two random 256-bit explicit parameters curves with absent cofactor.
+ * The two curves are chosen to roughly straddle the bounds at which the lib
+ * can compute the cofactor automatically, roughly 4*sqrt(p). So test that:
+ *
+ * - params_cf_pass: order is sufficiently close to p to compute cofactor
+ * - params_cf_fail: order is too far away from p to compute cofactor
+ *
+ * For standards-compliant curves, cofactor is chosen as small as possible.
+ * So you can see neither of these curves are fit for cryptographic use.
+ *
+ * Some standards even mandate an upper bound on the cofactor, e.g. SECG1 v2:
+ * h <= 2**(t/8) where t is the security level of the curve, for which the lib
+ * will always succeed in computing the cofactor. Neither of these curves
+ * conform to that -- this is just robustness testing.
+ */
+static int cofactor_range_test(void)
+{
+ EC_GROUP *group = NULL;
+ BIGNUM *cf = NULL;
+ int ret = 0;
+ const unsigned char *b1 = (const unsigned char *)params_cf_fail;
+ const unsigned char *b2 = (const unsigned char *)params_cf_pass;
+
+ if (!TEST_ptr(group = d2i_ECPKParameters(NULL, &b1, sizeof(params_cf_fail)))
+ || !TEST_BN_eq_zero(EC_GROUP_get0_cofactor(group))
+ || !TEST_ptr(group = d2i_ECPKParameters(&group, &b2,
+ sizeof(params_cf_pass)))
+ || !TEST_int_gt(BN_hex2bn(&cf, "12bc94785251297abfafddf1565100da"), 0)
+ || !TEST_BN_eq(cf, EC_GROUP_get0_cofactor(group)))
+ goto err;
+ ret = 1;
+ err:
+ BN_free(cf);
+ EC_GROUP_free(group);
+ return ret;
+}
+
+/*-
+ * For named curves, test that:
+ * - the lib correctly computes the cofactor if passed a NULL or zero cofactor
+ * - a nonsensical cofactor throws an error (negative test)
+ * - nonsensical orders throw errors (negative tests)
+ */
+static int cardinality_test(int n)
+{
+ int ret = 0;
+ int nid = curves[n].nid;
+ BN_CTX *ctx = NULL;
+ EC_GROUP *g1 = NULL, *g2 = NULL;
+ EC_POINT *g2_gen = NULL;
+ BIGNUM *g1_p = NULL, *g1_a = NULL, *g1_b = NULL, *g1_x = NULL, *g1_y = NULL,
+ *g1_order = NULL, *g1_cf = NULL, *g2_cf = NULL;
+
+ TEST_info("Curve %s cardinality test", OBJ_nid2sn(nid));
+
+ if (!TEST_ptr(ctx = BN_CTX_new())
+ || !TEST_ptr(g1 = EC_GROUP_new_by_curve_name(nid))
+ || !TEST_ptr(g2 = EC_GROUP_new(EC_GROUP_method_of(g1)))) {
+ EC_GROUP_free(g1);
+ EC_GROUP_free(g2);
+ BN_CTX_free(ctx);
+ return 0;
+ }
+
+ BN_CTX_start(ctx);
+ g1_p = BN_CTX_get(ctx);
+ g1_a = BN_CTX_get(ctx);
+ g1_b = BN_CTX_get(ctx);
+ g1_x = BN_CTX_get(ctx);
+ g1_y = BN_CTX_get(ctx);
+ g1_order = BN_CTX_get(ctx);
+ g1_cf = BN_CTX_get(ctx);
+
+ if (!TEST_ptr(g2_cf = BN_CTX_get(ctx))
+ /* pull out the explicit curve parameters */
+ || !TEST_true(EC_GROUP_get_curve(g1, g1_p, g1_a, g1_b, ctx))
+ || !TEST_true(EC_POINT_get_affine_coordinates(g1,
+ EC_GROUP_get0_generator(g1), g1_x, g1_y, ctx))
+ || !TEST_true(BN_copy(g1_order, EC_GROUP_get0_order(g1)))
+ || !TEST_true(EC_GROUP_get_cofactor(g1, g1_cf, ctx))
+ /* construct g2 manually with g1 parameters */
+ || !TEST_true(EC_GROUP_set_curve(g2, g1_p, g1_a, g1_b, ctx))
+ || !TEST_ptr(g2_gen = EC_POINT_new(g2))
+ || !TEST_true(EC_POINT_set_affine_coordinates(g2, g2_gen, g1_x, g1_y, ctx))
+ /* pass NULL cofactor: lib should compute it */
+ || !TEST_true(EC_GROUP_set_generator(g2, g2_gen, g1_order, NULL))
+ || !TEST_true(EC_GROUP_get_cofactor(g2, g2_cf, ctx))
+ || !TEST_BN_eq(g1_cf, g2_cf)
+ /* pass zero cofactor: lib should compute it */
+ || !TEST_true(BN_set_word(g2_cf, 0))
+ || !TEST_true(EC_GROUP_set_generator(g2, g2_gen, g1_order, g2_cf))
+ || !TEST_true(EC_GROUP_get_cofactor(g2, g2_cf, ctx))
+ || !TEST_BN_eq(g1_cf, g2_cf)
+ /* negative test for invalid cofactor */
+ || !TEST_true(BN_set_word(g2_cf, 0))
+ || !TEST_true(BN_sub(g2_cf, g2_cf, BN_value_one()))
+ || !TEST_false(EC_GROUP_set_generator(g2, g2_gen, g1_order, g2_cf))
+ /* negative test for NULL order */
+ || !TEST_false(EC_GROUP_set_generator(g2, g2_gen, NULL, NULL))
+ /* negative test for zero order */
+ || !TEST_true(BN_set_word(g1_order, 0))
+ || !TEST_false(EC_GROUP_set_generator(g2, g2_gen, g1_order, NULL))
+ /* negative test for negative order */
+ || !TEST_true(BN_set_word(g2_cf, 0))
+ || !TEST_true(BN_sub(g2_cf, g2_cf, BN_value_one()))
+ || !TEST_false(EC_GROUP_set_generator(g2, g2_gen, g1_order, NULL))
+ /* negative test for too large order */
+ || !TEST_true(BN_lshift(g1_order, g1_p, 2))
+ || !TEST_false(EC_GROUP_set_generator(g2, g2_gen, g1_order, NULL)))
+ goto err;
+ ret = 1;
+ err:
+ EC_POINT_free(g2_gen);
+ EC_GROUP_free(g1);
+ EC_GROUP_free(g2);
+ BN_CTX_end(ctx);
+ BN_CTX_free(ctx);
+ return ret;
+}
+
+/*
+ * Helper for ec_point_hex2point_test
+ *
+ * Self-tests EC_POINT_point2hex() against EC_POINT_hex2point() for the given
+ * (group,P) pair.
+ *
+ * If P is NULL use point at infinity.
+ */
+static ossl_inline
+int ec_point_hex2point_test_helper(const EC_GROUP *group, const EC_POINT *P,
+ point_conversion_form_t form,
+ BN_CTX *bnctx)
+{
+ int ret = 0;
+ EC_POINT *Q = NULL, *Pinf = NULL;
+ char *hex = NULL;
+
+ if (P == NULL) {
+ /* If P is NULL use point at infinity. */
+ if (!TEST_ptr(Pinf = EC_POINT_new(group))
+ || !TEST_true(EC_POINT_set_to_infinity(group, Pinf)))
+ goto err;
+ P = Pinf;
+ }
+
+ if (!TEST_ptr(hex = EC_POINT_point2hex(group, P, form, bnctx))
+ || !TEST_ptr(Q = EC_POINT_hex2point(group, hex, NULL, bnctx))
+ || !TEST_int_eq(0, EC_POINT_cmp(group, Q, P, bnctx)))
+ goto err;
+
+ /*
+ * The next check is most likely superfluous, as EC_POINT_cmp should already
+ * cover this.
+ * Nonetheless it increases the test coverage for EC_POINT_is_at_infinity,
+ * so we include it anyway!
+ */
+ if (Pinf != NULL
+ && !TEST_true(EC_POINT_is_at_infinity(group, Q)))
+ goto err;
+
+ ret = 1;
+
+ err:
+ EC_POINT_free(Pinf);
+ OPENSSL_free(hex);
+ EC_POINT_free(Q);
+
+ return ret;
+}
+
+/*
+ * This test self-validates EC_POINT_hex2point() and EC_POINT_point2hex()
+ */
+static int ec_point_hex2point_test(int id)
+{
+ int ret = 0, nid;
+ EC_GROUP *group = NULL;
+ const EC_POINT *G = NULL;
+ EC_POINT *P = NULL;
+ BN_CTX * bnctx = NULL;
+
+ /* Do some setup */
+ nid = curves[id].nid;
+ if (!TEST_ptr(bnctx = BN_CTX_new())
+ || !TEST_ptr(group = EC_GROUP_new_by_curve_name(nid))
+ || !TEST_ptr(G = EC_GROUP_get0_generator(group))
+ || !TEST_ptr(P = EC_POINT_dup(G, group)))
+ goto err;
+
+ if (!TEST_true(ec_point_hex2point_test_helper(group, P,
+ POINT_CONVERSION_COMPRESSED,
+ bnctx))
+ || !TEST_true(ec_point_hex2point_test_helper(group, NULL,
+ POINT_CONVERSION_COMPRESSED,
+ bnctx))
+ || !TEST_true(ec_point_hex2point_test_helper(group, P,
+ POINT_CONVERSION_UNCOMPRESSED,
+ bnctx))
+ || !TEST_true(ec_point_hex2point_test_helper(group, NULL,
+ POINT_CONVERSION_UNCOMPRESSED,
+ bnctx))
+ || !TEST_true(ec_point_hex2point_test_helper(group, P,
+ POINT_CONVERSION_HYBRID,
+ bnctx))
+ || !TEST_true(ec_point_hex2point_test_helper(group, NULL,
+ POINT_CONVERSION_HYBRID,
+ bnctx)))
+ goto err;
+
+ ret = 1;
+
+ err:
+ EC_POINT_free(P);
+ EC_GROUP_free(group);
+ BN_CTX_free(bnctx);
+
+ return ret;
+}
+
+#endif /* OPENSSL_NO_EC */
int setup_tests(void)
{
@@ -897,6 +1436,8 @@ int setup_tests(void)
return 0;
ADD_TEST(parameter_test);
+ ADD_TEST(cofactor_range_test);
+ ADD_ALL_TESTS(cardinality_test, crv_len);
ADD_TEST(prime_field_tests);
# ifndef OPENSSL_NO_EC2M
ADD_TEST(char2_field_tests);
@@ -908,7 +1449,10 @@ int setup_tests(void)
# endif
ADD_ALL_TESTS(internal_curve_test, crv_len);
ADD_ALL_TESTS(internal_curve_test_method, crv_len);
-#endif
+
+ ADD_ALL_TESTS(check_named_curve_from_ecparameters, crv_len);
+ ADD_ALL_TESTS(ec_point_hex2point_test, crv_len);
+#endif /* OPENSSL_NO_EC */
return 1;
}
diff --git a/SOURCES/openssl-1.1.0-no-html.patch b/SOURCES/openssl-1.1.0-no-html.patch
deleted file mode 100644
index f6a941e..0000000
--- a/SOURCES/openssl-1.1.0-no-html.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -up openssl-1.1.0-pre5/Configurations/unix-Makefile.tmpl.nohtml openssl-1.1.0-pre5/Configurations/unix-Makefile.tmpl
---- openssl-1.1.0-pre5/Configurations/unix-Makefile.tmpl.no-html 2016-04-19 16:57:52.000000000 +0200
-+++ openssl-1.1.0-pre5/Configurations/unix-Makefile.tmpl 2016-07-18 13:58:55.060106243 +0200
-@@ -288,7 +288,7 @@ install_sw: all install_dev install_engi
-
- uninstall_sw: uninstall_runtime uninstall_engines uninstall_dev
-
--install_docs: install_man_docs install_html_docs
-+install_docs: install_man_docs
-
- uninstall_docs: uninstall_man_docs uninstall_html_docs
- $(RM) -r -v $(DESTDIR)$(DOCDIR)
diff --git a/SOURCES/openssl-1.1.1-alpn-cb.patch b/SOURCES/openssl-1.1.1-alpn-cb.patch
new file mode 100644
index 0000000..465f7b8
--- /dev/null
+++ b/SOURCES/openssl-1.1.1-alpn-cb.patch
@@ -0,0 +1,27 @@
+commit 9e885a707d604e9528b5491b78fb9c00f41193fc
+Author: Tomas Mraz <tmraz@fedoraproject.org>
+Date: Thu Mar 26 15:59:00 2020 +0100
+
+ s_server: Properly indicate ALPN protocol mismatch
+
+ Return SSL_TLSEXT_ERR_ALERT_FATAL from alpn_select_cb so that
+ an alert is sent to the client on ALPN protocol mismatch.
+
+ Fixes: #2708
+
+ Reviewed-by: Matt Caswell <matt@openssl.org>
+ (Merged from https://github.com/openssl/openssl/pull/11415)
+
+diff --git a/apps/s_server.c b/apps/s_server.c
+index bcc83e562c..591c6c19c5 100644
+--- a/apps/s_server.c
++++ b/apps/s_server.c
+@@ -707,7 +707,7 @@ static int alpn_cb(SSL *s, const unsigned char **out, unsigned char *outlen,
+ if (SSL_select_next_proto
+ ((unsigned char **)out, outlen, alpn_ctx->data, alpn_ctx->len, in,
+ inlen) != OPENSSL_NPN_NEGOTIATED) {
+- return SSL_TLSEXT_ERR_NOACK;
++ return SSL_TLSEXT_ERR_ALERT_FATAL;
+ }
+
+ if (!s_quiet) {
diff --git a/SOURCES/openssl-1.1.1-build.patch b/SOURCES/openssl-1.1.1-build.patch
index cfe20f6..c0ef62b 100644
--- a/SOURCES/openssl-1.1.1-build.patch
+++ b/SOURCES/openssl-1.1.1-build.patch
@@ -1,28 +1,7 @@
-diff -up openssl-1.1.1-pre8/Configurations/unix-Makefile.tmpl.build openssl-1.1.1-pre8/Configurations/unix-Makefile.tmpl
---- openssl-1.1.1-pre8/Configurations/unix-Makefile.tmpl.build 2018-06-20 16:48:09.000000000 +0200
-+++ openssl-1.1.1-pre8/Configurations/unix-Makefile.tmpl 2018-07-16 17:15:38.108831031 +0200
-@@ -680,7 +680,7 @@ uninstall_runtime:
- install_man_docs:
- @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
- @$(ECHO) "*** Installing manpages"
-- $(PERL) $(SRCDIR)/util/process_docs.pl \
-+ TZ=UTC $(PERL) $(SRCDIR)/util/process_docs.pl \
- --destdir=$(DESTDIR)$(MANDIR) --type=man --suffix=$(MANSUFFIX)
-
- uninstall_man_docs:
-@@ -692,7 +692,7 @@ uninstall_man_docs:
- install_html_docs:
- @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
- @$(ECHO) "*** Installing HTML manpages"
-- $(PERL) $(SRCDIR)/util/process_docs.pl \
-+ TZ=UTC $(PERL) $(SRCDIR)/util/process_docs.pl \
- --destdir=$(DESTDIR)$(HTMLDIR) --type=html
-
- uninstall_html_docs:
-diff -up openssl-1.1.1-pre8/Configurations/10-main.conf.build openssl-1.1.1-pre8/Configurations/10-main.conf
---- openssl-1.1.1-pre8/Configurations/10-main.conf.build 2018-06-20 16:48:09.000000000 +0200
-+++ openssl-1.1.1-pre8/Configurations/10-main.conf 2018-07-16 17:17:10.312045203 +0200
-@@ -693,6 +693,7 @@ my %targets = (
+diff -up openssl-1.1.1f/Configurations/10-main.conf.build openssl-1.1.1f/Configurations/10-main.conf
+--- openssl-1.1.1f/Configurations/10-main.conf.build 2020-03-31 14:17:45.000000000 +0200
++++ openssl-1.1.1f/Configurations/10-main.conf 2020-04-07 16:42:10.920546387 +0200
+@@ -678,6 +678,7 @@ my %targets = (
cxxflags => add("-m64"),
lib_cppflags => add("-DL_ENDIAN"),
perlasm_scheme => "linux64le",
@@ -30,7 +9,7 @@ diff -up openssl-1.1.1-pre8/Configurations/10-main.conf.build openssl-1.1.1-pre8
},
"linux-armv4" => {
-@@ -733,6 +734,7 @@ my %targets = (
+@@ -718,6 +719,7 @@ my %targets = (
"linux-aarch64" => {
inherit_from => [ "linux-generic64", asm("aarch64_asm") ],
perlasm_scheme => "linux64",
@@ -38,3 +17,24 @@ diff -up openssl-1.1.1-pre8/Configurations/10-main.conf.build openssl-1.1.1-pre8
},
"linux-arm64ilp32" => { # https://wiki.linaro.org/Platform/arm64-ilp32
inherit_from => [ "linux-generic32", asm("aarch64_asm") ],
+diff -up openssl-1.1.1f/Configurations/unix-Makefile.tmpl.build openssl-1.1.1f/Configurations/unix-Makefile.tmpl
+--- openssl-1.1.1f/Configurations/unix-Makefile.tmpl.build 2020-04-07 16:42:10.920546387 +0200
++++ openssl-1.1.1f/Configurations/unix-Makefile.tmpl 2020-04-07 16:44:23.539142108 +0200
+@@ -823,7 +823,7 @@ uninstall_runtime_libs:
+ install_man_docs:
+ @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
+ @$(ECHO) "*** Installing manpages"
+- $(PERL) $(SRCDIR)/util/process_docs.pl \
++ TZ=UTC $(PERL) $(SRCDIR)/util/process_docs.pl \
+ "--destdir=$(DESTDIR)$(MANDIR)" --type=man --suffix=$(MANSUFFIX)
+
+ uninstall_man_docs:
+@@ -835,7 +835,7 @@ uninstall_man_docs:
+ install_html_docs:
+ @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
+ @$(ECHO) "*** Installing HTML manpages"
+- $(PERL) $(SRCDIR)/util/process_docs.pl \
++ TZ=UTC $(PERL) $(SRCDIR)/util/process_docs.pl \
+ "--destdir=$(DESTDIR)$(HTMLDIR)" --type=html
+
+ uninstall_html_docs:
diff --git a/SOURCES/openssl-1.1.1-cve-2019-1547.patch b/SOURCES/openssl-1.1.1-cve-2019-1547.patch
deleted file mode 100644
index b4e2a05..0000000
--- a/SOURCES/openssl-1.1.1-cve-2019-1547.patch
+++ /dev/null
@@ -1,171 +0,0 @@
-From 30c22fa8b1d840036b8e203585738df62a03cec8 Mon Sep 17 00:00:00 2001
-From: Billy Brumley <bbrumley@gmail.com>
-Date: Thu, 5 Sep 2019 21:25:37 +0300
-Subject: [PATCH] [crypto/ec] for ECC parameters with NULL or zero cofactor,
- compute it
-
-The cofactor argument to EC_GROUP_set_generator is optional, and SCA
-mitigations for ECC currently use it. So the library currently falls
-back to very old SCA-vulnerable code if the cofactor is not present.
-
-This PR allows EC_GROUP_set_generator to compute the cofactor for all
-curves of cryptographic interest. Steering scalar multiplication to more
-SCA-robust code.
-
-This issue affects persisted private keys in explicit parameter form,
-where the (optional) cofactor field is zero or absent.
-
-It also affects curves not built-in to the library, but constructed
-programatically with explicit parameters, then calling
-EC_GROUP_set_generator with a nonsensical value (NULL, zero).
-
-The very old scalar multiplication code is known to be vulnerable to
-local uarch attacks, outside of the OpenSSL threat model. New results
-suggest the code path is also vulnerable to traditional wall clock
-timing attacks.
-
-CVE-2019-1547
-
-Reviewed-by: Matt Caswell <matt@openssl.org>
-Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
-Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
-(Merged from https://github.com/openssl/openssl/pull/9781)
----
- crypto/ec/ec_lib.c | 103 ++++++++++++++++++++++++++++++++++++++++++---
- 1 file changed, 96 insertions(+), 7 deletions(-)
-
-diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c
-index 8cab5a5061..1289c8608e 100644
---- a/crypto/ec/ec_lib.c
-+++ b/crypto/ec/ec_lib.c
-@@ -265,6 +265,67 @@ int EC_METHOD_get_field_type(const EC_METHOD *meth)
-
- static int ec_precompute_mont_data(EC_GROUP *);
-
-+/*-
-+ * Try computing cofactor from the generator order (n) and field cardinality (q).
-+ * This works for all curves of cryptographic interest.
-+ *
-+ * Hasse thm: q + 1 - 2*sqrt(q) <= n*h <= q + 1 + 2*sqrt(q)
-+ * h_min = (q + 1 - 2*sqrt(q))/n
-+ * h_max = (q + 1 + 2*sqrt(q))/n
-+ * h_max - h_min = 4*sqrt(q)/n
-+ * So if n > 4*sqrt(q) holds, there is only one possible value for h:
-+ * h = \lfloor (h_min + h_max)/2 \rceil = \lfloor (q + 1)/n \rceil
-+ *
-+ * Otherwise, zero cofactor and return success.
-+ */
-+static int ec_guess_cofactor(EC_GROUP *group) {
-+ int ret = 0;
-+ BN_CTX *ctx = NULL;
-+ BIGNUM *q = NULL;
-+
-+ /*-
-+ * If the cofactor is too large, we cannot guess it.
-+ * The RHS of below is a strict overestimate of lg(4 * sqrt(q))
-+ */
-+ if (BN_num_bits(group->order) <= (BN_num_bits(group->field) + 1) / 2 + 3) {
-+ /* default to 0 */
-+ BN_zero(group->cofactor);
-+ /* return success */
-+ return 1;
-+ }
-+
-+ if ((ctx = BN_CTX_new()) == NULL)
-+ return 0;
-+
-+ BN_CTX_start(ctx);
-+ if ((q = BN_CTX_get(ctx)) == NULL)
-+ goto err;
-+
-+ /* set q = 2**m for binary fields; q = p otherwise */
-+ if (group->meth->field_type == NID_X9_62_characteristic_two_field) {
-+ BN_zero(q);
-+ if (!BN_set_bit(q, BN_num_bits(group->field) - 1))
-+ goto err;
-+ } else {
-+ if (!BN_copy(q, group->field))
-+ goto err;
-+ }
-+
-+ /* compute h = \lfloor (q + 1)/n \rceil = \lfloor (q + 1 + n/2)/n \rfloor */
-+ if (!BN_rshift1(group->cofactor, group->order) /* n/2 */
-+ || !BN_add(group->cofactor, group->cofactor, q) /* q + n/2 */
-+ /* q + 1 + n/2 */
-+ || !BN_add(group->cofactor, group->cofactor, BN_value_one())
-+ /* (q + 1 + n/2)/n */
-+ || !BN_div(group->cofactor, NULL, group->cofactor, group->order, ctx))
-+ goto err;
-+ ret = 1;
-+ err:
-+ BN_CTX_end(ctx);
-+ BN_CTX_free(ctx);
-+ return ret;
-+}
-+
- int EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator,
- const BIGNUM *order, const BIGNUM *cofactor)
- {
-@@ -273,6 +334,34 @@ int EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator,
- return 0;
- }
-
-+ /* require group->field >= 1 */
-+ if (group->field == NULL || BN_is_zero(group->field)
-+ || BN_is_negative(group->field)) {
-+ ECerr(EC_F_EC_GROUP_SET_GENERATOR, EC_R_INVALID_FIELD);
-+ return 0;
-+ }
-+
-+ /*-
-+ * - require order >= 1
-+ * - enforce upper bound due to Hasse thm: order can be no more than one bit
-+ * longer than field cardinality
-+ */
-+ if (order == NULL || BN_is_zero(order) || BN_is_negative(order)
-+ || BN_num_bits(order) > BN_num_bits(group->field) + 1) {
-+ ECerr(EC_F_EC_GROUP_SET_GENERATOR, EC_R_INVALID_GROUP_ORDER);
-+ return 0;
-+ }
-+
-+ /*-
-+ * Unfortunately the cofactor is an optional field in many standards.
-+ * Internally, the lib uses 0 cofactor as a marker for "unknown cofactor".
-+ * So accept cofactor == NULL or cofactor >= 0.
-+ */
-+ if (cofactor != NULL && BN_is_negative(cofactor)) {
-+ ECerr(EC_F_EC_GROUP_SET_GENERATOR, EC_R_UNKNOWN_COFACTOR);
-+ return 0;
-+ }
-+
- if (group->generator == NULL) {
- group->generator = EC_POINT_new(group);
- if (group->generator == NULL)
-@@ -281,17 +370,17 @@ int EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator,
- if (!EC_POINT_copy(group->generator, generator))
- return 0;
-
-- if (order != NULL) {
-- if (!BN_copy(group->order, order))
-- return 0;
-- } else
-- BN_zero(group->order);
-+ if (!BN_copy(group->order, order))
-+ return 0;
-
-- if (cofactor != NULL) {
-+ /* Either take the provided positive cofactor, or try to compute it */
-+ if (cofactor != NULL && !BN_is_zero(cofactor)) {
- if (!BN_copy(group->cofactor, cofactor))
- return 0;
-- } else
-+ } else if (!ec_guess_cofactor(group)) {
- BN_zero(group->cofactor);
-+ return 0;
-+ }
-
- /*
- * Some groups have an order with
---
-2.20.1
-
diff --git a/SOURCES/openssl-1.1.1-cve-2019-1549.patch b/SOURCES/openssl-1.1.1-cve-2019-1549.patch
deleted file mode 100644
index 787a2a3..0000000
--- a/SOURCES/openssl-1.1.1-cve-2019-1549.patch
+++ /dev/null
@@ -1,300 +0,0 @@
-diff -up openssl-1.1.1c/crypto/fips/fips.c.fork-safety openssl-1.1.1c/crypto/fips/fips.c
---- openssl-1.1.1c/crypto/fips/fips.c.fork-safety 2019-11-20 11:36:22.343506961 +0100
-+++ openssl-1.1.1c/crypto/fips/fips.c 2019-11-21 17:44:32.920776849 +0100
-@@ -472,7 +472,7 @@ int FIPS_module_mode_set(int onoff)
-
- fips_set_mode(onoff);
- /* force RNG reseed with entropy from getrandom() on next call */
-- rand_fork();
-+ rand_force_reseed();
-
- ret = 1;
- goto end;
-diff -up openssl-1.1.1c/crypto/include/internal/rand_int.h.fork-safety openssl-1.1.1c/crypto/include/internal/rand_int.h
---- openssl-1.1.1c/crypto/include/internal/rand_int.h.fork-safety 2019-11-20 11:36:22.382506277 +0100
-+++ openssl-1.1.1c/crypto/include/internal/rand_int.h 2019-11-21 17:45:42.102456672 +0100
-@@ -24,9 +24,9 @@
- typedef struct rand_pool_st RAND_POOL;
-
- void rand_cleanup_int(void);
-+void rand_force_reseed(void);
- void rand_drbg_cleanup_int(void);
- void drbg_delete_thread_state(void);
--void rand_fork(void);
-
- /* Hardware-based seeding functions. */
- size_t rand_acquire_entropy_from_tsc(RAND_POOL *pool);
-diff -up openssl-1.1.1c/crypto/init.c.fork-safety openssl-1.1.1c/crypto/init.c
---- openssl-1.1.1c/crypto/init.c.fork-safety 2019-05-28 15:12:21.000000000 +0200
-+++ openssl-1.1.1c/crypto/init.c 2019-11-21 17:34:13.478597398 +0100
-@@ -847,6 +847,5 @@ void OPENSSL_fork_parent(void)
-
- void OPENSSL_fork_child(void)
- {
-- rand_fork();
- }
- #endif
-diff -up openssl-1.1.1c/crypto/rand/drbg_lib.c.fork-safety openssl-1.1.1c/crypto/rand/drbg_lib.c
---- openssl-1.1.1c/crypto/rand/drbg_lib.c.fork-safety 2019-11-20 11:36:22.383506260 +0100
-+++ openssl-1.1.1c/crypto/rand/drbg_lib.c 2019-11-21 17:46:37.583397431 +0100
-@@ -197,7 +197,7 @@ static RAND_DRBG *rand_drbg_new(int secu
- }
-
- drbg->secure = secure && CRYPTO_secure_allocated(drbg);
-- drbg->fork_count = rand_fork_count;
-+ drbg->fork_id = openssl_get_fork_id();
- drbg->parent = parent;
-
- if (parent == NULL) {
-@@ -583,6 +583,7 @@ int RAND_DRBG_generate(RAND_DRBG *drbg,
- int prediction_resistance,
- const unsigned char *adin, size_t adinlen)
- {
-+ int fork_id;
- int reseed_required = 0;
-
- if (drbg->state != DRBG_READY) {
-@@ -608,8 +609,10 @@ int RAND_DRBG_generate(RAND_DRBG *drbg,
- return 0;
- }
-
-- if (drbg->fork_count != rand_fork_count) {
-- drbg->fork_count = rand_fork_count;
-+ fork_id = openssl_get_fork_id();
-+
-+ if (drbg->fork_id != fork_id) {
-+ drbg->fork_id = fork_id;
- reseed_required = 1;
- }
-
-@@ -1011,6 +1014,20 @@ size_t rand_drbg_seedlen(RAND_DRBG *drbg
- return min_entropy > min_entropylen ? min_entropy : min_entropylen;
- }
-
-+void rand_force_reseed(void)
-+{
-+ RAND_DRBG *drbg;
-+
-+ drbg = RAND_DRBG_get0_master();
-+ drbg->fork_id = 0;
-+
-+ drbg = RAND_DRBG_get0_private();
-+ drbg->fork_id = 0;
-+
-+ drbg = RAND_DRBG_get0_public();
-+ drbg->fork_id = 0;
-+}
-+
- /* Implements the default OpenSSL RAND_add() method */
- static int drbg_add(const void *buf, int num, double randomness)
- {
-diff -up openssl-1.1.1c/crypto/rand/rand_lcl.h.fork-safety openssl-1.1.1c/crypto/rand/rand_lcl.h
---- openssl-1.1.1c/crypto/rand/rand_lcl.h.fork-safety 2019-11-20 11:36:22.383506260 +0100
-+++ openssl-1.1.1c/crypto/rand/rand_lcl.h 2019-11-21 17:34:13.485597265 +0100
-@@ -176,12 +176,12 @@ struct rand_drbg_st {
- int secure; /* 1: allocated on the secure heap, 0: otherwise */
- int type; /* the nid of the underlying algorithm */
- /*
-- * Stores the value of the rand_fork_count global as of when we last
-- * reseeded. The DRBG reseeds automatically whenever drbg->fork_count !=
-- * rand_fork_count. Used to provide fork-safety and reseed this DRBG in
-- * the child process.
-+ * Stores the return value of openssl_get_fork_id() as of when we last
-+ * reseeded. The DRBG reseeds automatically whenever drbg->fork_id !=
-+ * openssl_get_fork_id(). Used to provide fork-safety and reseed this
-+ * DRBG in the child process.
- */
-- int fork_count;
-+ int fork_id;
- unsigned short flags; /* various external flags */
-
- /*
-@@ -273,19 +273,6 @@ struct rand_drbg_st {
- /* The global RAND method, and the global buffer and DRBG instance. */
- extern RAND_METHOD rand_meth;
-
--/*
-- * A "generation count" of forks. Incremented in the child process after a
-- * fork. Since rand_fork_count is increment-only, and only ever written to in
-- * the child process of the fork, which is guaranteed to be single-threaded, no
-- * locking is needed for normal (read) accesses; the rest of pthread fork
-- * processing is assumed to introduce the necessary memory barriers. Sibling
-- * children of a given parent will produce duplicate values, but this is not
-- * problematic because the reseeding process pulls input from the system CSPRNG
-- * and/or other global sources, so the siblings will end up generating
-- * different output streams.
-- */
--extern int rand_fork_count;
--
- /* DRBG helpers */
- int rand_drbg_restart(RAND_DRBG *drbg,
- const unsigned char *buffer, size_t len, size_t entropy);
-diff -up openssl-1.1.1c/crypto/rand/rand_lib.c.fork-safety openssl-1.1.1c/crypto/rand/rand_lib.c
---- openssl-1.1.1c/crypto/rand/rand_lib.c.fork-safety 2019-11-20 11:36:22.374506418 +0100
-+++ openssl-1.1.1c/crypto/rand/rand_lib.c 2019-11-21 17:34:13.487597227 +0100
-@@ -30,8 +30,6 @@ static CRYPTO_RWLOCK *rand_meth_lock;
- static const RAND_METHOD *default_RAND_meth;
- static CRYPTO_ONCE rand_init = CRYPTO_ONCE_STATIC_INIT;
-
--int rand_fork_count;
--
- static CRYPTO_RWLOCK *rand_nonce_lock;
- static int rand_nonce_count;
-
-@@ -303,11 +301,6 @@ void rand_drbg_cleanup_additional_data(R
- rand_pool_reattach(pool, out);
- }
-
--void rand_fork(void)
--{
-- rand_fork_count++;
--}
--
- DEFINE_RUN_ONCE_STATIC(do_rand_init)
- {
- #ifndef OPENSSL_NO_ENGINE
-diff -up openssl-1.1.1c/crypto/threads_none.c.fork-safety openssl-1.1.1c/crypto/threads_none.c
---- openssl-1.1.1c/crypto/threads_none.c.fork-safety 2019-05-28 15:12:21.000000000 +0200
-+++ openssl-1.1.1c/crypto/threads_none.c 2019-11-21 17:34:13.489597189 +0100
-@@ -12,6 +12,11 @@
-
- #if !defined(OPENSSL_THREADS) || defined(CRYPTO_TDEBUG)
-
-+# if defined(OPENSSL_SYS_UNIX)
-+# include <sys/types.h>
-+# include <unistd.h>
-+# endif
-+
- CRYPTO_RWLOCK *CRYPTO_THREAD_lock_new(void)
- {
- CRYPTO_RWLOCK *lock;
-@@ -133,4 +138,12 @@ int openssl_init_fork_handlers(void)
- return 0;
- }
-
-+int openssl_get_fork_id(void)
-+{
-+# if defined(OPENSSL_SYS_UNIX)
-+ return getpid();
-+# else
-+ return 0;
-+# endif
-+}
- #endif
-diff -up openssl-1.1.1c/crypto/threads_pthread.c.fork-safety openssl-1.1.1c/crypto/threads_pthread.c
---- openssl-1.1.1c/crypto/threads_pthread.c.fork-safety 2019-05-28 15:12:21.000000000 +0200
-+++ openssl-1.1.1c/crypto/threads_pthread.c 2019-11-21 17:34:13.492597131 +0100
-@@ -12,6 +12,11 @@
-
- #if defined(OPENSSL_THREADS) && !defined(CRYPTO_TDEBUG) && !defined(OPENSSL_SYS_WINDOWS)
-
-+# if defined(OPENSSL_SYS_UNIX)
-+# include <sys/types.h>
-+# include <unistd.h>
-+#endif
-+
- # ifdef PTHREAD_RWLOCK_INITIALIZER
- # define USE_RWLOCK
- # endif
-@@ -193,4 +198,9 @@ int openssl_init_fork_handlers(void)
- # endif
- return 0;
- }
-+
-+int openssl_get_fork_id(void)
-+{
-+ return getpid();
-+}
- #endif
-diff -up openssl-1.1.1c/crypto/threads_win.c.fork-safety openssl-1.1.1c/crypto/threads_win.c
---- openssl-1.1.1c/crypto/threads_win.c.fork-safety 2019-05-28 15:12:21.000000000 +0200
-+++ openssl-1.1.1c/crypto/threads_win.c 2019-11-21 17:34:13.495597074 +0100
-@@ -164,4 +164,8 @@ int openssl_init_fork_handlers(void)
- return 0;
- }
-
-+int openssl_get_fork_id(void)
-+{
-+ return 0;
-+}
- #endif
-diff -up openssl-1.1.1c/include/internal/cryptlib.h.fork-safety openssl-1.1.1c/include/internal/cryptlib.h
---- openssl-1.1.1c/include/internal/cryptlib.h.fork-safety 2019-05-28 15:12:21.000000000 +0200
-+++ openssl-1.1.1c/include/internal/cryptlib.h 2019-11-21 17:34:13.497597036 +0100
-@@ -80,6 +80,7 @@ extern unsigned int OPENSSL_ia32cap_P[];
- void OPENSSL_showfatal(const char *fmta, ...);
- void crypto_cleanup_all_ex_data_int(void);
- int openssl_init_fork_handlers(void);
-+int openssl_get_fork_id(void);
-
- char *ossl_safe_getenv(const char *name);
-
-diff -up openssl-1.1.1c/test/drbgtest.c.fork-safety openssl-1.1.1c/test/drbgtest.c
---- openssl-1.1.1c/test/drbgtest.c.fork-safety 2019-11-20 11:36:22.384506242 +0100
-+++ openssl-1.1.1c/test/drbgtest.c 2019-11-21 17:34:13.499596998 +0100
-@@ -22,6 +22,13 @@
- # include <windows.h>
- #endif
-
-+
-+#if defined(OPENSSL_SYS_UNIX)
-+# include <sys/types.h>
-+# include <sys/wait.h>
-+# include <unistd.h>
-+#endif
-+
- #include "testutil.h"
- #include "drbgtest.h"
-
-@@ -696,6 +703,40 @@ static int test_drbg_reseed(int expect_s
- return 1;
- }
-
-+
-+#if defined(OPENSSL_SYS_UNIX)
-+/*
-+ * Test whether master, public and private DRBG are reseeded after
-+ * forking the process.
-+ */
-+static int test_drbg_reseed_after_fork(RAND_DRBG *master,
-+ RAND_DRBG *public,
-+ RAND_DRBG *private)
-+{
-+ pid_t pid;
-+ int status=0;
-+
-+ pid = fork();
-+ if (!TEST_int_ge(pid, 0))
-+ return 0;
-+
-+ if (pid > 0) {
-+ /* I'm the parent; wait for the child and check its exit code */
-+ return TEST_int_eq(waitpid(pid, &status, 0), pid) && TEST_int_eq(status, 0);
-+ }
-+
-+ /* I'm the child; check whether all three DRBGs reseed. */
-+ if (!TEST_true(test_drbg_reseed(1, master, public, private, 1, 1, 1, 0)))
-+ status = 1;
-+
-+ /* Remove hooks */
-+ unhook_drbg(master);
-+ unhook_drbg(public);
-+ unhook_drbg(private);
-+ exit(status);
-+}
-+#endif
-+
- /*
- * Test whether the default rand_method (RAND_OpenSSL()) is
- * setup correctly, in particular whether reseeding works
-@@ -786,6 +827,10 @@ static int test_rand_drbg_reseed(void)
- goto error;
- reset_drbg_hook_ctx();
-
-+#if defined(OPENSSL_SYS_UNIX)
-+ if (!TEST_true(test_drbg_reseed_after_fork(master, public, private)))
-+ goto error;
-+#endif
-
- /* fill 'randomness' buffer with some arbitrary data */
- memset(rand_add_buf, 'r', sizeof(rand_add_buf));
diff --git a/SOURCES/openssl-1.1.1-cve-2019-1563.patch b/SOURCES/openssl-1.1.1-cve-2019-1563.patch
deleted file mode 100644
index 4c0f533..0000000
--- a/SOURCES/openssl-1.1.1-cve-2019-1563.patch
+++ /dev/null
@@ -1,147 +0,0 @@
-From 08229ad838c50f644d7e928e2eef147b4308ad64 Mon Sep 17 00:00:00 2001
-From: Bernd Edlinger <bernd.edlinger@hotmail.de>
-Date: Sun, 1 Sep 2019 00:16:28 +0200
-Subject: [PATCH] Fix a padding oracle in PKCS7_dataDecode and
- CMS_decrypt_set1_pkey
-
-An attack is simple, if the first CMS_recipientInfo is valid but the
-second CMS_recipientInfo is chosen ciphertext. If the second
-recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct
-encryption key will be replaced by garbage, and the message cannot be
-decoded, but if the RSA decryption fails, the correct encryption key is
-used and the recipient will not notice the attack.
-
-As a work around for this potential attack the length of the decrypted
-key must be equal to the cipher default key length, in case the
-certifiate is not given and all recipientInfo are tried out.
-
-The old behaviour can be re-enabled in the CMS code by setting the
-CMS_DEBUG_DECRYPT flag.
-
-Reviewed-by: Matt Caswell <matt@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/9777)
-
-(cherry picked from commit 5840ed0cd1e6487d247efbc1a04136a41d7b3a37)
----
- crypto/cms/cms_env.c | 18 +++++++++++++++++-
- crypto/cms/cms_lcl.h | 2 ++
- crypto/cms/cms_smime.c | 4 ++++
- crypto/pkcs7/pk7_doit.c | 12 ++++++++----
- 5 files changed, 45 insertions(+), 5 deletions(-)
-
-diff --git a/crypto/cms/cms_env.c b/crypto/cms/cms_env.c
-index bb95af75e3..25df1c40b1 100644
---- a/crypto/cms/cms_env.c
-+++ b/crypto/cms/cms_env.c
-@@ -363,6 +363,7 @@ static int cms_RecipientInfo_ktri_decrypt(CMS_ContentInfo *cms,
- unsigned char *ek = NULL;
- size_t eklen;
- int ret = 0;
-+ size_t fixlen = 0;
- CMS_EncryptedContentInfo *ec;
- ec = cms->d.envelopedData->encryptedContentInfo;
-
-@@ -371,6 +372,19 @@ static int cms_RecipientInfo_ktri_decrypt(CMS_ContentInfo *cms,
- return 0;
- }
-
-+ if (cms->d.envelopedData->encryptedContentInfo->havenocert
-+ && !cms->d.envelopedData->encryptedContentInfo->debug) {
-+ X509_ALGOR *calg = ec->contentEncryptionAlgorithm;
-+ const EVP_CIPHER *ciph = EVP_get_cipherbyobj(calg->algorithm);
-+
-+ if (ciph == NULL) {
-+ CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_DECRYPT, CMS_R_UNKNOWN_CIPHER);
-+ return 0;
-+ }
-+
-+ fixlen = EVP_CIPHER_key_length(ciph);
-+ }
-+
- ktri->pctx = EVP_PKEY_CTX_new(pkey, NULL);
- if (ktri->pctx == NULL)
- return 0;
-@@ -401,7 +415,9 @@ static int cms_RecipientInfo_ktri_decrypt(CMS_ContentInfo *cms,
-
- if (EVP_PKEY_decrypt(ktri->pctx, ek, &eklen,
- ktri->encryptedKey->data,
-- ktri->encryptedKey->length) <= 0) {
-+ ktri->encryptedKey->length) <= 0
-+ || eklen == 0
-+ || (fixlen != 0 && eklen != fixlen)) {
- CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_DECRYPT, CMS_R_CMS_LIB);
- goto err;
- }
-diff --git a/crypto/cms/cms_lcl.h b/crypto/cms/cms_lcl.h
-index b5c06b7f6c..8eddb02493 100644
---- a/crypto/cms/cms_lcl.h
-+++ b/crypto/cms/cms_lcl.h
-@@ -125,6 +125,8 @@ struct CMS_EncryptedContentInfo_st {
- size_t keylen;
- /* Set to 1 if we are debugging decrypt and don't fake keys for MMA */
- int debug;
-+ /* Set to 1 if we have no cert and need extra safety measures for MMA */
-+ int havenocert;
- };
-
- struct CMS_RecipientInfo_st {
-diff --git a/crypto/cms/cms_smime.c b/crypto/cms/cms_smime.c
-index 5dcf803f4b..3a26108b8c 100644
---- a/crypto/cms/cms_smime.c
-+++ b/crypto/cms/cms_smime.c
-@@ -743,6 +743,10 @@ int CMS_decrypt(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert,
- cms->d.envelopedData->encryptedContentInfo->debug = 1;
- else
- cms->d.envelopedData->encryptedContentInfo->debug = 0;
-+ if (!cert)
-+ cms->d.envelopedData->encryptedContentInfo->havenocert = 1;
-+ else
-+ cms->d.envelopedData->encryptedContentInfo->havenocert = 0;
- if (!pk && !cert && !dcont && !out)
- return 1;
- if (pk && !CMS_decrypt_set1_pkey(cms, pk, cert))
-diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c
-index ee08e602a1..15a6160cfe 100644
---- a/crypto/pkcs7/pk7_doit.c
-+++ b/crypto/pkcs7/pk7_doit.c
-@@ -137,7 +137,8 @@ static int pkcs7_encode_rinfo(PKCS7_RECIP_INFO *ri,
- }
-
- static int pkcs7_decrypt_rinfo(unsigned char **pek, int *peklen,
-- PKCS7_RECIP_INFO *ri, EVP_PKEY *pkey)
-+ PKCS7_RECIP_INFO *ri, EVP_PKEY *pkey,
-+ size_t fixlen)
- {
- EVP_PKEY_CTX *pctx = NULL;
- unsigned char *ek = NULL;
-@@ -170,7 +171,9 @@ static int pkcs7_decrypt_rinfo(unsigned char **pek, int *peklen,
- }
-
- if (EVP_PKEY_decrypt(pctx, ek, &eklen,
-- ri->enc_key->data, ri->enc_key->length) <= 0) {
-+ ri->enc_key->data, ri->enc_key->length) <= 0
-+ || eklen == 0
-+ || (fixlen != 0 && eklen != fixlen)) {
- ret = 0;
- PKCS7err(PKCS7_F_PKCS7_DECRYPT_RINFO, ERR_R_EVP_LIB);
- goto err;
-@@ -499,13 +502,14 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
- for (i = 0; i < sk_PKCS7_RECIP_INFO_num(rsk); i++) {
- ri = sk_PKCS7_RECIP_INFO_value(rsk, i);
-
-- if (pkcs7_decrypt_rinfo(&ek, &eklen, ri, pkey) < 0)
-+ if (pkcs7_decrypt_rinfo(&ek, &eklen, ri, pkey,
-+ EVP_CIPHER_key_length(evp_cipher)) < 0)
- goto err;
- ERR_clear_error();
- }
- } else {
- /* Only exit on fatal errors, not decrypt failure */
-- if (pkcs7_decrypt_rinfo(&ek, &eklen, ri, pkey) < 0)
-+ if (pkcs7_decrypt_rinfo(&ek, &eklen, ri, pkey, 0) < 0)
- goto err;
- ERR_clear_error();
- }
---
-2.20.1
-
diff --git a/SOURCES/openssl-1.1.1-edk2-build.patch b/SOURCES/openssl-1.1.1-edk2-build.patch
index 01045a3..b13708e 100644
--- a/SOURCES/openssl-1.1.1-edk2-build.patch
+++ b/SOURCES/openssl-1.1.1-edk2-build.patch
@@ -1,17 +1,40 @@
-diff -up openssl-1.1.1c/crypto/evp/pkey_kdf.c.edk2-build openssl-1.1.1c/crypto/evp/pkey_kdf.c
---- openssl-1.1.1c/crypto/evp/pkey_kdf.c.edk2-build 2019-11-14 16:25:09.437914854 +0100
-+++ openssl-1.1.1c/crypto/evp/pkey_kdf.c 2019-11-15 14:52:40.216905772 +0100
+diff -up openssl-1.1.1g/crypto/evp/pkey_kdf.c.edk2-build openssl-1.1.1g/crypto/evp/pkey_kdf.c
+--- openssl-1.1.1g/crypto/evp/pkey_kdf.c.edk2-build 2020-05-18 12:55:53.299548432 +0200
++++ openssl-1.1.1g/crypto/evp/pkey_kdf.c 2020-05-18 12:55:53.340548788 +0200
@@ -12,6 +12,7 @@
#include <openssl/evp.h>
#include <openssl/err.h>
#include <openssl/kdf.h>
+#include "internal/numbers.h"
- #include "internal/evp_int.h"
+ #include "crypto/evp.h"
static int pkey_kdf_init(EVP_PKEY_CTX *ctx)
-diff -up openssl-1.1.1c/crypto/include/internal/fips_int.h.edk2-build openssl-1.1.1c/crypto/include/internal/fips_int.h
---- openssl-1.1.1c/crypto/include/internal/fips_int.h.edk2-build 2019-11-14 16:25:09.430914981 +0100
-+++ openssl-1.1.1c/crypto/include/internal/fips_int.h 2019-11-15 14:48:02.489936610 +0100
+diff -up openssl-1.1.1g/crypto/kdf/hkdf.c.edk2-build openssl-1.1.1g/crypto/kdf/hkdf.c
+--- openssl-1.1.1g/crypto/kdf/hkdf.c.edk2-build 2020-05-18 12:55:53.340548788 +0200
++++ openssl-1.1.1g/crypto/kdf/hkdf.c 2020-05-18 12:57:18.648288904 +0200
+@@ -13,6 +13,7 @@
+ #include <openssl/hmac.h>
+ #include <openssl/kdf.h>
+ #include <openssl/evp.h>
++#include "internal/numbers.h"
+ #include "internal/cryptlib.h"
+ #include "crypto/evp.h"
+ #include "kdf_local.h"
+diff -up openssl-1.1.1g/crypto/rand/rand_unix.c.edk2-build openssl-1.1.1g/crypto/rand/rand_unix.c
+--- openssl-1.1.1g/crypto/rand/rand_unix.c.edk2-build 2020-05-18 12:56:05.646655554 +0200
++++ openssl-1.1.1g/crypto/rand/rand_unix.c 2020-05-18 12:58:51.088090896 +0200
+@@ -20,7 +20,7 @@
+ #include "crypto/fips.h"
+ #include <stdio.h>
+ #include "internal/dso.h"
+-#ifdef __linux
++#if defined(__linux) && !defined(OPENSSL_SYS_UEFI)
+ # include <sys/syscall.h>
+ # include <sys/random.h>
+ # ifdef DEVRANDOM_WAIT
+diff -up openssl-1.1.1g/include/crypto/fips.h.edk2-build openssl-1.1.1g/include/crypto/fips.h
+--- openssl-1.1.1g/include/crypto/fips.h.edk2-build 2020-05-18 12:55:53.296548406 +0200
++++ openssl-1.1.1g/include/crypto/fips.h 2020-05-18 12:55:53.340548788 +0200
@@ -50,10 +50,6 @@
#include <openssl/opensslconf.h>
#include <openssl/evp.h>
@@ -32,37 +55,3 @@ diff -up openssl-1.1.1c/crypto/include/internal/fips_int.h.edk2-build openssl-1.
+# define fips_in_post() 0
+
#endif
-diff -up openssl-1.1.1c/crypto/kdf/hkdf.c.edk2-build openssl-1.1.1c/crypto/kdf/hkdf.c
---- openssl-1.1.1c/crypto/kdf/hkdf.c.edk2-build 2019-11-14 16:25:09.438914836 +0100
-+++ openssl-1.1.1c/crypto/kdf/hkdf.c 2019-11-15 14:48:53.360015134 +0100
-@@ -13,6 +13,7 @@
- #include <openssl/hmac.h>
- #include <openssl/evp.h>
- #include <openssl/kdf.h>
-+#include "internal/numbers.h"
- #include "internal/cryptlib.h"
- #include "internal/evp_int.h"
- #include "kdf_local.h"
-diff -up openssl-1.1.1c/crypto/kdf/sshkdf.c.edk2-build openssl-1.1.1c/crypto/kdf/sshkdf.c
---- openssl-1.1.1c/crypto/kdf/sshkdf.c.edk2-build 2019-11-14 16:25:09.452914583 +0100
-+++ openssl-1.1.1c/crypto/kdf/sshkdf.c 2019-11-15 14:53:14.769279878 +0100
-@@ -12,6 +12,7 @@
- #include <string.h>
- #include <openssl/evp.h>
- #include <openssl/kdf.h>
-+#include "internal/numbers.h"
- #include "internal/cryptlib.h"
- #include "internal/evp_int.h"
- #include "kdf_local.h"
-diff -up openssl-1.1.1c/crypto/rand/rand_unix.c.edk2-build openssl-1.1.1c/crypto/rand/rand_unix.c
---- openssl-1.1.1c/crypto/rand/rand_unix.c.edk2-build 2019-11-14 16:25:09.430914981 +0100
-+++ openssl-1.1.1c/crypto/rand/rand_unix.c 2019-11-15 14:51:41.634966941 +0100
-@@ -19,7 +19,7 @@
- #include "internal/fips_int.h"
- #include <stdio.h>
- #include "internal/dso.h"
--#if defined(__linux)
-+#if defined(__linux) && !defined(OPENSSL_SYS_UEFI)
- # include <sys/syscall.h>
- # include <sys/random.h>
- #endif
diff --git a/SOURCES/openssl-1.1.1-evp-kdf.patch b/SOURCES/openssl-1.1.1-evp-kdf.patch
index 6a73a61..f1d7618 100644
--- a/SOURCES/openssl-1.1.1-evp-kdf.patch
+++ b/SOURCES/openssl-1.1.1-evp-kdf.patch
@@ -1,7 +1,7 @@
-diff -up openssl-1.1.1b/crypto/err/openssl.txt.evp-kdf openssl-1.1.1b/crypto/err/openssl.txt
---- openssl-1.1.1b/crypto/err/openssl.txt.evp-kdf 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/err/openssl.txt 2019-02-28 13:05:05.651521474 +0100
-@@ -743,6 +743,9 @@ EVP_F_EVP_DIGESTINIT_EX:128:EVP_DigestIn
+diff -up openssl-1.1.1e/crypto/err/openssl.txt.evp-kdf openssl-1.1.1e/crypto/err/openssl.txt
+--- openssl-1.1.1e/crypto/err/openssl.txt.evp-kdf 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/crypto/err/openssl.txt 2020-03-19 16:04:11.299063517 +0100
+@@ -747,6 +747,9 @@ EVP_F_EVP_DIGESTINIT_EX:128:EVP_DigestIn
EVP_F_EVP_ENCRYPTDECRYPTUPDATE:219:evp_EncryptDecryptUpdate
EVP_F_EVP_ENCRYPTFINAL_EX:127:EVP_EncryptFinal_ex
EVP_F_EVP_ENCRYPTUPDATE:167:EVP_EncryptUpdate
@@ -11,7 +11,7 @@ diff -up openssl-1.1.1b/crypto/err/openssl.txt.evp-kdf openssl-1.1.1b/crypto/err
EVP_F_EVP_MD_CTX_COPY_EX:110:EVP_MD_CTX_copy_ex
EVP_F_EVP_MD_SIZE:162:EVP_MD_size
EVP_F_EVP_OPENINIT:102:EVP_OpenInit
-@@ -805,11 +808,30 @@ EVP_F_PKCS5_PBE_KEYIVGEN:117:PKCS5_PBE_k
+@@ -809,12 +812,31 @@ EVP_F_PKCS5_PBE_KEYIVGEN:117:PKCS5_PBE_k
EVP_F_PKCS5_V2_PBE_KEYIVGEN:118:PKCS5_v2_PBE_keyivgen
EVP_F_PKCS5_V2_PBKDF2_KEYIVGEN:164:PKCS5_v2_PBKDF2_keyivgen
EVP_F_PKCS5_V2_SCRYPT_KEYIVGEN:180:PKCS5_v2_scrypt_keyivgen
@@ -19,6 +19,7 @@ diff -up openssl-1.1.1b/crypto/err/openssl.txt.evp-kdf openssl-1.1.1b/crypto/err
EVP_F_PKEY_SET_TYPE:158:pkey_set_type
EVP_F_RC2_MAGIC_TO_METH:109:rc2_magic_to_meth
EVP_F_RC5_CTRL:125:rc5_ctrl
+ EVP_F_R_32_12_16_INIT_KEY:242:r_32_12_16_init_key
EVP_F_S390X_AES_GCM_CTRL:201:s390x_aes_gcm_ctrl
+EVP_F_SCRYPT_ALG:228:scrypt_alg
EVP_F_UPDATE:173:update
@@ -42,7 +43,7 @@ diff -up openssl-1.1.1b/crypto/err/openssl.txt.evp-kdf openssl-1.1.1b/crypto/err
KDF_F_PKEY_HKDF_CTRL_STR:103:pkey_hkdf_ctrl_str
KDF_F_PKEY_HKDF_DERIVE:102:pkey_hkdf_derive
KDF_F_PKEY_HKDF_INIT:108:pkey_hkdf_init
-@@ -821,6 +843,7 @@ KDF_F_PKEY_SCRYPT_SET_MEMBUF:107:pkey_sc
+@@ -826,6 +848,7 @@ KDF_F_PKEY_SCRYPT_SET_MEMBUF:107:pkey_sc
KDF_F_PKEY_TLS1_PRF_CTRL_STR:100:pkey_tls1_prf_ctrl_str
KDF_F_PKEY_TLS1_PRF_DERIVE:101:pkey_tls1_prf_derive
KDF_F_PKEY_TLS1_PRF_INIT:110:pkey_tls1_prf_init
@@ -50,7 +51,7 @@ diff -up openssl-1.1.1b/crypto/err/openssl.txt.evp-kdf openssl-1.1.1b/crypto/err
KDF_F_TLS1_PRF_ALG:111:tls1_prf_alg
OBJ_F_OBJ_ADD_OBJECT:105:OBJ_add_object
OBJ_F_OBJ_ADD_SIGID:107:OBJ_add_sigid
-@@ -2264,6 +2287,7 @@ EVP_R_ONLY_ONESHOT_SUPPORTED:177:only on
+@@ -2277,6 +2300,7 @@ EVP_R_ONLY_ONESHOT_SUPPORTED:177:only on
EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE:150:\
operation not supported for this keytype
EVP_R_OPERATON_NOT_INITIALIZED:151:operaton not initialized
@@ -58,7 +59,7 @@ diff -up openssl-1.1.1b/crypto/err/openssl.txt.evp-kdf openssl-1.1.1b/crypto/err
EVP_R_PARTIALLY_OVERLAPPING:162:partially overlapping buffers
EVP_R_PBKDF2_ERROR:181:pbkdf2 error
EVP_R_PKEY_APPLICATION_ASN1_METHOD_ALREADY_REGISTERED:179:\
-@@ -2299,6 +2323,7 @@ KDF_R_MISSING_SEED:106:missing seed
+@@ -2313,6 +2337,7 @@ KDF_R_MISSING_SEED:106:missing seed
KDF_R_UNKNOWN_PARAMETER_TYPE:103:unknown parameter type
KDF_R_VALUE_ERROR:108:value error
KDF_R_VALUE_MISSING:102:value missing
@@ -66,9 +67,9 @@ diff -up openssl-1.1.1b/crypto/err/openssl.txt.evp-kdf openssl-1.1.1b/crypto/err
OBJ_R_OID_EXISTS:102:oid exists
OBJ_R_UNKNOWN_NID:101:unknown nid
OCSP_R_CERTIFICATE_VERIFY_ERROR:101:certificate verify error
-diff -up openssl-1.1.1b/crypto/evp/build.info.evp-kdf openssl-1.1.1b/crypto/evp/build.info
---- openssl-1.1.1b/crypto/evp/build.info.evp-kdf 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/evp/build.info 2019-02-28 13:05:05.651521474 +0100
+diff -up openssl-1.1.1e/crypto/evp/build.info.evp-kdf openssl-1.1.1e/crypto/evp/build.info
+--- openssl-1.1.1e/crypto/evp/build.info.evp-kdf 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/crypto/evp/build.info 2020-03-19 16:04:11.300063500 +0100
@@ -9,7 +9,8 @@ SOURCE[../../libcrypto]=\
p_open.c p_seal.c p_sign.c p_verify.c p_lib.c p_enc.c p_dec.c \
bio_md.c bio_b64.c bio_enc.c evp_err.c e_null.c \
@@ -79,44 +80,37 @@ diff -up openssl-1.1.1b/crypto/evp/build.info.evp-kdf openssl-1.1.1b/crypto/evp/
e_old.c pmeth_lib.c pmeth_fn.c pmeth_gn.c m_sigver.c \
e_aes_cbc_hmac_sha1.c e_aes_cbc_hmac_sha256.c e_rc4_hmac_md5.c \
e_chacha20_poly1305.c cmeth_lib.c
-diff -up openssl-1.1.1b/crypto/evp/e_chacha20_poly1305.c.evp-kdf openssl-1.1.1b/crypto/evp/e_chacha20_poly1305.c
---- openssl-1.1.1b/crypto/evp/e_chacha20_poly1305.c.evp-kdf 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/evp/e_chacha20_poly1305.c 2019-02-28 13:05:05.651521474 +0100
-@@ -14,8 +14,8 @@
+diff -up openssl-1.1.1e/crypto/evp/e_chacha20_poly1305.c.evp-kdf openssl-1.1.1e/crypto/evp/e_chacha20_poly1305.c
+--- openssl-1.1.1e/crypto/evp/e_chacha20_poly1305.c.evp-kdf 2020-03-19 16:04:11.300063500 +0100
++++ openssl-1.1.1e/crypto/evp/e_chacha20_poly1305.c 2020-03-19 16:16:46.497967633 +0100
+@@ -14,9 +14,9 @@
# include <openssl/evp.h>
# include <openssl/objects.h>
--# include "evp_locl.h"
- # include "internal/evp_int.h"
-+# include "evp_locl.h"
- # include "internal/chacha.h"
+-# include "evp_local.h"
+ # include "crypto/evp.h"
+ # include "crypto/chacha.h"
++# include "evp_local.h"
typedef struct {
-diff -up openssl-1.1.1b/crypto/evp/encode.c.evp-kdf openssl-1.1.1b/crypto/evp/encode.c
---- openssl-1.1.1b/crypto/evp/encode.c.evp-kdf 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/evp/encode.c 2019-02-28 13:05:05.651521474 +0100
+ union {
+diff -up openssl-1.1.1e/crypto/evp/encode.c.evp-kdf openssl-1.1.1e/crypto/evp/encode.c
+--- openssl-1.1.1e/crypto/evp/encode.c.evp-kdf 2020-03-19 16:04:11.301063483 +0100
++++ openssl-1.1.1e/crypto/evp/encode.c 2020-03-19 16:14:13.147628683 +0100
@@ -11,8 +11,8 @@
#include <limits.h>
#include "internal/cryptlib.h"
#include <openssl/evp.h>
--#include "evp_locl.h"
- #include "internal/evp_int.h"
-+#include "evp_locl.h"
+-#include "evp_local.h"
+ #include "crypto/evp.h"
++#include "evp_local.h"
static unsigned char conv_ascii2bin(unsigned char a,
const unsigned char *table);
-diff -up openssl-1.1.1b/crypto/evp/evp_err.c.evp-kdf openssl-1.1.1b/crypto/evp/evp_err.c
---- openssl-1.1.1b/crypto/evp/evp_err.c.evp-kdf 2019-02-28 13:05:05.617522103 +0100
-+++ openssl-1.1.1b/crypto/evp/evp_err.c 2019-02-28 13:05:05.651521474 +0100
-@@ -1,6 +1,6 @@
- /*
- * Generated by util/mkerr.pl DO NOT EDIT
-- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
-+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License"). You may not use
- * this file except in compliance with the License. You can obtain a copy
-@@ -56,6 +56,9 @@ static const ERR_STRING_DATA EVP_str_fun
+diff -up openssl-1.1.1e/crypto/evp/evp_err.c.evp-kdf openssl-1.1.1e/crypto/evp/evp_err.c
+--- openssl-1.1.1e/crypto/evp/evp_err.c.evp-kdf 2020-03-19 16:04:11.218064919 +0100
++++ openssl-1.1.1e/crypto/evp/evp_err.c 2020-03-19 16:04:11.302063465 +0100
+@@ -60,6 +60,9 @@ static const ERR_STRING_DATA EVP_str_fun
{ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_ENCRYPTFINAL_EX, 0),
"EVP_EncryptFinal_ex"},
{ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_ENCRYPTUPDATE, 0), "EVP_EncryptUpdate"},
@@ -126,7 +120,7 @@ diff -up openssl-1.1.1b/crypto/evp/evp_err.c.evp-kdf openssl-1.1.1b/crypto/evp/e
{ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_MD_CTX_COPY_EX, 0), "EVP_MD_CTX_copy_ex"},
{ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_MD_SIZE, 0), "EVP_MD_size"},
{ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_OPENINIT, 0), "EVP_OpenInit"},
-@@ -147,10 +150,12 @@ static const ERR_STRING_DATA EVP_str_fun
+@@ -151,12 +154,14 @@ static const ERR_STRING_DATA EVP_str_fun
"PKCS5_v2_PBKDF2_keyivgen"},
{ERR_PACK(ERR_LIB_EVP, EVP_F_PKCS5_V2_SCRYPT_KEYIVGEN, 0),
"PKCS5_v2_scrypt_keyivgen"},
@@ -134,12 +128,14 @@ diff -up openssl-1.1.1b/crypto/evp/evp_err.c.evp-kdf openssl-1.1.1b/crypto/evp/e
{ERR_PACK(ERR_LIB_EVP, EVP_F_PKEY_SET_TYPE, 0), "pkey_set_type"},
{ERR_PACK(ERR_LIB_EVP, EVP_F_RC2_MAGIC_TO_METH, 0), "rc2_magic_to_meth"},
{ERR_PACK(ERR_LIB_EVP, EVP_F_RC5_CTRL, 0), "rc5_ctrl"},
+ {ERR_PACK(ERR_LIB_EVP, EVP_F_R_32_12_16_INIT_KEY, 0),
+ "r_32_12_16_init_key"},
{ERR_PACK(ERR_LIB_EVP, EVP_F_S390X_AES_GCM_CTRL, 0), "s390x_aes_gcm_ctrl"},
+ {ERR_PACK(ERR_LIB_EVP, EVP_F_SCRYPT_ALG, 0), "scrypt_alg"},
{ERR_PACK(ERR_LIB_EVP, EVP_F_UPDATE, 0), "update"},
{0, NULL}
};
-@@ -233,6 +238,8 @@ static const ERR_STRING_DATA EVP_str_rea
+@@ -241,6 +246,8 @@ static const ERR_STRING_DATA EVP_str_rea
"operation not supported for this keytype"},
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_OPERATON_NOT_INITIALIZED),
"operaton not initialized"},
@@ -148,9 +144,9 @@ diff -up openssl-1.1.1b/crypto/evp/evp_err.c.evp-kdf openssl-1.1.1b/crypto/evp/e
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PARTIALLY_OVERLAPPING),
"partially overlapping buffers"},
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PBKDF2_ERROR), "pbkdf2 error"},
-diff -up openssl-1.1.1b/crypto/evp/evp_locl.h.evp-kdf openssl-1.1.1b/crypto/evp/evp_locl.h
---- openssl-1.1.1b/crypto/evp/evp_locl.h.evp-kdf 2019-02-28 13:05:05.253528831 +0100
-+++ openssl-1.1.1b/crypto/evp/evp_locl.h 2019-02-28 13:05:05.652521456 +0100
+diff -up openssl-1.1.1e/crypto/evp/evp_local.h.evp-kdf openssl-1.1.1e/crypto/evp/evp_local.h
+--- openssl-1.1.1e/crypto/evp/evp_local.h.evp-kdf 2020-03-19 16:04:10.657074629 +0100
++++ openssl-1.1.1e/crypto/evp/evp_local.h 2020-03-19 16:04:20.722900404 +0100
@@ -41,6 +41,11 @@ struct evp_cipher_ctx_st {
unsigned char final[EVP_MAX_BLOCK_LENGTH]; /* possible final block */
} /* EVP_CIPHER_CTX */ ;
@@ -163,20 +159,20 @@ diff -up openssl-1.1.1b/crypto/evp/evp_locl.h.evp-kdf openssl-1.1.1b/crypto/evp/
int PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass,
int passlen, ASN1_TYPE *param,
const EVP_CIPHER *c, const EVP_MD *md,
-diff -up openssl-1.1.1b/crypto/evp/evp_pbe.c.evp-kdf openssl-1.1.1b/crypto/evp/evp_pbe.c
---- openssl-1.1.1b/crypto/evp/evp_pbe.c.evp-kdf 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/evp/evp_pbe.c 2019-02-28 13:05:05.652521456 +0100
+diff -up openssl-1.1.1e/crypto/evp/evp_pbe.c.evp-kdf openssl-1.1.1e/crypto/evp/evp_pbe.c
+--- openssl-1.1.1e/crypto/evp/evp_pbe.c.evp-kdf 2020-03-19 16:04:20.723900386 +0100
++++ openssl-1.1.1e/crypto/evp/evp_pbe.c 2020-03-19 16:11:56.425001210 +0100
@@ -12,6 +12,7 @@
#include <openssl/evp.h>
#include <openssl/pkcs12.h>
#include <openssl/x509.h>
-+#include "internal/evp_int.h"
- #include "evp_locl.h"
++#include "crypto/evp.h"
+ #include "evp_local.h"
/* Password based encryption (PBE) functions */
-diff -up openssl-1.1.1b/crypto/evp/kdf_lib.c.evp-kdf openssl-1.1.1b/crypto/evp/kdf_lib.c
---- openssl-1.1.1b/crypto/evp/kdf_lib.c.evp-kdf 2019-02-28 13:05:05.652521456 +0100
-+++ openssl-1.1.1b/crypto/evp/kdf_lib.c 2019-02-28 13:05:05.652521456 +0100
+diff -up openssl-1.1.1e/crypto/evp/kdf_lib.c.evp-kdf openssl-1.1.1e/crypto/evp/kdf_lib.c
+--- openssl-1.1.1e/crypto/evp/kdf_lib.c.evp-kdf 2020-03-19 16:04:20.723900386 +0100
++++ openssl-1.1.1e/crypto/evp/kdf_lib.c 2020-03-19 16:04:20.723900386 +0100
@@ -0,0 +1,165 @@
+/*
+ * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
@@ -195,10 +191,10 @@ diff -up openssl-1.1.1b/crypto/evp/kdf_lib.c.evp-kdf openssl-1.1.1b/crypto/evp/k
+#include <openssl/evp.h>
+#include <openssl/x509v3.h>
+#include <openssl/kdf.h>
-+#include "internal/asn1_int.h"
-+#include "internal/evp_int.h"
++#include "crypto/asn1.h"
++#include "crypto/evp.h"
+#include "internal/numbers.h"
-+#include "evp_locl.h"
++#include "evp_local.h"
+
+typedef int sk_cmp_fn_type(const char *const *a, const char *const *b);
+
@@ -343,9 +339,9 @@ diff -up openssl-1.1.1b/crypto/evp/kdf_lib.c.evp-kdf openssl-1.1.1b/crypto/evp/k
+ return ctx->kmeth->derive(ctx->impl, key, keylen);
+}
+
-diff -up openssl-1.1.1b/crypto/evp/p5_crpt2.c.evp-kdf openssl-1.1.1b/crypto/evp/p5_crpt2.c
---- openssl-1.1.1b/crypto/evp/p5_crpt2.c.evp-kdf 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/evp/p5_crpt2.c 2019-02-28 13:05:05.652521456 +0100
+diff -up openssl-1.1.1e/crypto/evp/p5_crpt2.c.evp-kdf openssl-1.1.1e/crypto/evp/p5_crpt2.c
+--- openssl-1.1.1e/crypto/evp/p5_crpt2.c.evp-kdf 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/crypto/evp/p5_crpt2.c 2020-03-19 16:17:48.822886126 +0100
@@ -1,5 +1,5 @@
/*
- * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
@@ -360,13 +356,13 @@ diff -up openssl-1.1.1b/crypto/evp/p5_crpt2.c.evp-kdf openssl-1.1.1b/crypto/evp/
-# include <openssl/x509.h>
-# include <openssl/evp.h>
-# include <openssl/hmac.h>
--# include "evp_locl.h"
+-# include "evp_local.h"
+#include <openssl/x509.h>
+#include <openssl/evp.h>
+#include <openssl/kdf.h>
+#include <openssl/hmac.h>
-+#include "internal/evp_int.h"
-+#include "evp_locl.h"
++#include "crypto/evp.h"
++#include "evp_local.h"
/* set this to print out info about the keygen algorithm */
/* #define OPENSSL_DEBUG_PKCS5V2 */
@@ -494,9 +490,9 @@ diff -up openssl-1.1.1b/crypto/evp/p5_crpt2.c.evp-kdf openssl-1.1.1b/crypto/evp/
}
int PKCS5_PBKDF2_HMAC_SHA1(const char *pass, int passlen,
-diff -up openssl-1.1.1b/crypto/evp/pbe_scrypt.c.evp-kdf openssl-1.1.1b/crypto/evp/pbe_scrypt.c
---- openssl-1.1.1b/crypto/evp/pbe_scrypt.c.evp-kdf 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/evp/pbe_scrypt.c 2019-02-28 13:33:18.446264056 +0100
+diff -up openssl-1.1.1e/crypto/evp/pbe_scrypt.c.evp-kdf openssl-1.1.1e/crypto/evp/pbe_scrypt.c
+--- openssl-1.1.1e/crypto/evp/pbe_scrypt.c.evp-kdf 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/crypto/evp/pbe_scrypt.c 2020-03-19 16:04:20.725900352 +0100
@@ -7,135 +7,12 @@
* https://www.openssl.org/source/license.html
*/
@@ -682,9 +678,11 @@ diff -up openssl-1.1.1b/crypto/evp/pbe_scrypt.c.evp-kdf openssl-1.1.1b/crypto/ev
- */
- if (Blen > INT_MAX) {
- EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED);
-- return 0;
-- }
--
++ if (r > UINT32_MAX || p > UINT32_MAX) {
++ EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_PARAMETER_TOO_LARGE);
+ return 0;
+ }
+
- /*
- * Check 32 * r * (N + 2) * sizeof(uint32_t) fits in uint64_t
- * This is combined size V, X and T (section 4)
@@ -692,21 +690,18 @@ diff -up openssl-1.1.1b/crypto/evp/pbe_scrypt.c.evp-kdf openssl-1.1.1b/crypto/ev
- i = UINT64_MAX / (32 * sizeof(uint32_t));
- if (N + 2 > i / r) {
- EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED);
-+ if (r > UINT32_MAX || p > UINT32_MAX) {
-+ EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_PARAMETER_TOO_LARGE);
- return 0;
+- return 0;
++ /* Maintain existing behaviour. */
++ if (pass == NULL) {
++ pass = empty;
++ passlen = 0;
}
- Vlen = 32 * r * (N + 2) * sizeof(uint32_t);
-
+-
- /* check total allocated size fits in uint64_t */
- if (Blen > UINT64_MAX - Vlen) {
- EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED);
- return 0;
-+ /* Maintain existing behaviour. */
-+ if (pass == NULL) {
-+ pass = empty;
-+ passlen = 0;
-+ }
+ if (salt == NULL) {
+ salt = (const unsigned char *)empty;
+ saltlen = 0;
@@ -768,9 +763,9 @@ diff -up openssl-1.1.1b/crypto/evp/pbe_scrypt.c.evp-kdf openssl-1.1.1b/crypto/ev
}
+
#endif
-diff -up openssl-1.1.1b/crypto/evp/pkey_kdf.c.evp-kdf openssl-1.1.1b/crypto/evp/pkey_kdf.c
---- openssl-1.1.1b/crypto/evp/pkey_kdf.c.evp-kdf 2019-02-28 13:05:05.653521437 +0100
-+++ openssl-1.1.1b/crypto/evp/pkey_kdf.c 2019-02-28 13:05:05.653521437 +0100
+diff -up openssl-1.1.1e/crypto/evp/pkey_kdf.c.evp-kdf openssl-1.1.1e/crypto/evp/pkey_kdf.c
+--- openssl-1.1.1e/crypto/evp/pkey_kdf.c.evp-kdf 2020-03-19 16:04:20.726900334 +0100
++++ openssl-1.1.1e/crypto/evp/pkey_kdf.c 2020-03-19 16:04:20.725900352 +0100
@@ -0,0 +1,255 @@
+/*
+ * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
@@ -786,7 +781,7 @@ diff -up openssl-1.1.1b/crypto/evp/pkey_kdf.c.evp-kdf openssl-1.1.1b/crypto/evp/
+#include <openssl/evp.h>
+#include <openssl/err.h>
+#include <openssl/kdf.h>
-+#include "internal/evp_int.h"
++#include "crypto/evp.h"
+
+static int pkey_kdf_init(EVP_PKEY_CTX *ctx)
+{
@@ -1027,45 +1022,17 @@ diff -up openssl-1.1.1b/crypto/evp/pkey_kdf.c.evp-kdf openssl-1.1.1b/crypto/evp/
+ pkey_kdf_ctrl_str
+};
+
-diff -up openssl-1.1.1b/crypto/include/internal/evp_int.h.evp-kdf openssl-1.1.1b/crypto/include/internal/evp_int.h
---- openssl-1.1.1b/crypto/include/internal/evp_int.h.evp-kdf 2019-02-28 13:05:05.304527888 +0100
-+++ openssl-1.1.1b/crypto/include/internal/evp_int.h 2019-02-28 13:05:05.653521437 +0100
-@@ -112,6 +112,24 @@ extern const EVP_PKEY_METHOD hkdf_pkey_m
- extern const EVP_PKEY_METHOD poly1305_pkey_meth;
- extern const EVP_PKEY_METHOD siphash_pkey_meth;
-
-+/* struct evp_kdf_impl_st is defined by the implementation */
-+typedef struct evp_kdf_impl_st EVP_KDF_IMPL;
-+typedef struct {
-+ int type;
-+ EVP_KDF_IMPL *(*new) (void);
-+ void (*free) (EVP_KDF_IMPL *impl);
-+ void (*reset) (EVP_KDF_IMPL *impl);
-+ int (*ctrl) (EVP_KDF_IMPL *impl, int cmd, va_list args);
-+ int (*ctrl_str) (EVP_KDF_IMPL *impl, const char *type, const char *value);
-+ size_t (*size) (EVP_KDF_IMPL *impl);
-+ int (*derive) (EVP_KDF_IMPL *impl, unsigned char *key, size_t keylen);
-+} EVP_KDF_METHOD;
-+
-+extern const EVP_KDF_METHOD pbkdf2_kdf_meth;
-+extern const EVP_KDF_METHOD scrypt_kdf_meth;
-+extern const EVP_KDF_METHOD tls1_prf_kdf_meth;
-+extern const EVP_KDF_METHOD hkdf_kdf_meth;
-+
- struct evp_md_st {
- int type;
- int pkey_type;
-diff -up openssl-1.1.1b/crypto/kdf/build.info.evp-kdf openssl-1.1.1b/crypto/kdf/build.info
---- openssl-1.1.1b/crypto/kdf/build.info.evp-kdf 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/kdf/build.info 2019-02-28 13:05:05.653521437 +0100
+diff -up openssl-1.1.1e/crypto/kdf/build.info.evp-kdf openssl-1.1.1e/crypto/kdf/build.info
+--- openssl-1.1.1e/crypto/kdf/build.info.evp-kdf 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/crypto/kdf/build.info 2020-03-19 16:04:32.347699194 +0100
@@ -1,3 +1,3 @@
LIBS=../../libcrypto
SOURCE[../../libcrypto]=\
- tls1_prf.c kdf_err.c hkdf.c scrypt.c
+ tls1_prf.c kdf_err.c kdf_util.c hkdf.c scrypt.c pbkdf2.c
-diff -up openssl-1.1.1b/crypto/kdf/hkdf.c.evp-kdf openssl-1.1.1b/crypto/kdf/hkdf.c
---- openssl-1.1.1b/crypto/kdf/hkdf.c.evp-kdf 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/kdf/hkdf.c 2019-02-28 13:05:05.653521437 +0100
+diff -up openssl-1.1.1e/crypto/kdf/hkdf.c.evp-kdf openssl-1.1.1e/crypto/kdf/hkdf.c
+--- openssl-1.1.1e/crypto/kdf/hkdf.c.evp-kdf 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/crypto/kdf/hkdf.c 2020-03-19 16:06:59.757147720 +0100
@@ -8,32 +8,33 @@
*/
@@ -1073,11 +1040,10 @@ diff -up openssl-1.1.1b/crypto/kdf/hkdf.c.evp-kdf openssl-1.1.1b/crypto/kdf/hkdf
+#include <stdarg.h>
#include <string.h>
#include <openssl/hmac.h>
--#include <openssl/kdf.h>
+ #include <openssl/kdf.h>
#include <openssl/evp.h>
-+#include <openssl/kdf.h>
#include "internal/cryptlib.h"
- #include "internal/evp_int.h"
+ #include "crypto/evp.h"
+#include "kdf_local.h"
#define HKDF_MAXBUF 1024
@@ -1198,18 +1164,18 @@ diff -up openssl-1.1.1b/crypto/kdf/hkdf.c.evp-kdf openssl-1.1.1b/crypto/kdf/hkdf
return 1;
- if (p1 < 0)
-- return 0;
--
-- if (kctx->salt != NULL)
-- OPENSSL_clear_free(kctx->salt, kctx->salt_len);
--
-- kctx->salt = OPENSSL_memdup(p2, p1);
-- if (kctx->salt == NULL)
+ OPENSSL_free(impl->salt);
+ impl->salt = OPENSSL_memdup(p, len);
+ if (impl->salt == NULL)
return 0;
+- if (kctx->salt != NULL)
+- OPENSSL_clear_free(kctx->salt, kctx->salt_len);
+-
+- kctx->salt = OPENSSL_memdup(p2, p1);
+- if (kctx->salt == NULL)
+- return 0;
+-
- kctx->salt_len = p1;
+ impl->salt_len = len;
return 1;
@@ -1327,14 +1293,14 @@ diff -up openssl-1.1.1b/crypto/kdf/hkdf.c.evp-kdf openssl-1.1.1b/crypto/kdf/hkdf
+static size_t kdf_hkdf_size(EVP_KDF_IMPL *impl)
{
- HKDF_PKEY_CTX *kctx = ctx->data;
--
++ if (impl->mode != EVP_KDF_HKDF_MODE_EXTRACT_ONLY)
++ return SIZE_MAX;
+
- OPENSSL_clear_free(kctx->key, kctx->key_len);
- OPENSSL_clear_free(kctx->salt, kctx->salt_len);
- OPENSSL_cleanse(kctx->info, kctx->info_len);
- memset(kctx, 0, sizeof(*kctx));
-+ if (impl->mode != EVP_KDF_HKDF_MODE_EXTRACT_ONLY)
-+ return SIZE_MAX;
-
+-
- return 1;
+ if (impl->md == NULL) {
+ KDFerr(KDF_F_KDF_HKDF_SIZE, KDF_R_MISSING_MESSAGE_DIGEST);
@@ -1532,9 +1498,9 @@ diff -up openssl-1.1.1b/crypto/kdf/hkdf.c.evp-kdf openssl-1.1.1b/crypto/kdf/hkdf
err:
OPENSSL_cleanse(prev, sizeof(prev));
-diff -up openssl-1.1.1b/crypto/kdf/kdf_err.c.evp-kdf openssl-1.1.1b/crypto/kdf/kdf_err.c
---- openssl-1.1.1b/crypto/kdf/kdf_err.c.evp-kdf 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/kdf/kdf_err.c 2019-02-28 13:05:05.654521419 +0100
+diff -up openssl-1.1.1e/crypto/kdf/kdf_err.c.evp-kdf openssl-1.1.1e/crypto/kdf/kdf_err.c
+--- openssl-1.1.1e/crypto/kdf/kdf_err.c.evp-kdf 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/crypto/kdf/kdf_err.c 2020-03-19 16:04:32.349699159 +0100
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
@@ -1590,9 +1556,9 @@ diff -up openssl-1.1.1b/crypto/kdf/kdf_err.c.evp-kdf openssl-1.1.1b/crypto/kdf/k
{0, NULL}
};
-diff -up openssl-1.1.1b/crypto/kdf/kdf_local.h.evp-kdf openssl-1.1.1b/crypto/kdf/kdf_local.h
---- openssl-1.1.1b/crypto/kdf/kdf_local.h.evp-kdf 2019-02-28 13:05:05.654521419 +0100
-+++ openssl-1.1.1b/crypto/kdf/kdf_local.h 2019-02-28 13:05:05.654521419 +0100
+diff -up openssl-1.1.1e/crypto/kdf/kdf_local.h.evp-kdf openssl-1.1.1e/crypto/kdf/kdf_local.h
+--- openssl-1.1.1e/crypto/kdf/kdf_local.h.evp-kdf 2020-03-19 16:04:32.349699159 +0100
++++ openssl-1.1.1e/crypto/kdf/kdf_local.h 2020-03-19 16:04:32.349699159 +0100
@@ -0,0 +1,22 @@
+/*
+ * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
@@ -1616,9 +1582,9 @@ diff -up openssl-1.1.1b/crypto/kdf/kdf_local.h.evp-kdf openssl-1.1.1b/crypto/kdf
+ int (*ctrl)(EVP_KDF_IMPL *impl, int cmd, va_list args),
+ int cmd, const char *md_name);
+
-diff -up openssl-1.1.1b/crypto/kdf/kdf_util.c.evp-kdf openssl-1.1.1b/crypto/kdf/kdf_util.c
---- openssl-1.1.1b/crypto/kdf/kdf_util.c.evp-kdf 2019-02-28 13:05:05.654521419 +0100
-+++ openssl-1.1.1b/crypto/kdf/kdf_util.c 2019-02-28 13:05:05.654521419 +0100
+diff -up openssl-1.1.1e/crypto/kdf/kdf_util.c.evp-kdf openssl-1.1.1e/crypto/kdf/kdf_util.c
+--- openssl-1.1.1e/crypto/kdf/kdf_util.c.evp-kdf 2020-03-19 16:04:32.350699142 +0100
++++ openssl-1.1.1e/crypto/kdf/kdf_util.c 2020-03-19 16:04:32.350699142 +0100
@@ -0,0 +1,73 @@
+/*
+ * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
@@ -1635,7 +1601,7 @@ diff -up openssl-1.1.1b/crypto/kdf/kdf_util.c.evp-kdf openssl-1.1.1b/crypto/kdf/
+#include <openssl/kdf.h>
+#include <openssl/evp.h>
+#include "internal/cryptlib.h"
-+#include "internal/evp_int.h"
++#include "crypto/evp.h"
+#include "internal/numbers.h"
+#include "kdf_local.h"
+
@@ -1693,9 +1659,9 @@ diff -up openssl-1.1.1b/crypto/kdf/kdf_util.c.evp-kdf openssl-1.1.1b/crypto/kdf/
+ return call_ctrl(ctrl, impl, cmd, md);
+}
+
-diff -up openssl-1.1.1b/crypto/kdf/pbkdf2.c.evp-kdf openssl-1.1.1b/crypto/kdf/pbkdf2.c
---- openssl-1.1.1b/crypto/kdf/pbkdf2.c.evp-kdf 2019-02-28 13:05:05.654521419 +0100
-+++ openssl-1.1.1b/crypto/kdf/pbkdf2.c 2019-02-28 13:05:05.654521419 +0100
+diff -up openssl-1.1.1e/crypto/kdf/pbkdf2.c.evp-kdf openssl-1.1.1e/crypto/kdf/pbkdf2.c
+--- openssl-1.1.1e/crypto/kdf/pbkdf2.c.evp-kdf 2020-03-19 16:04:32.374698727 +0100
++++ openssl-1.1.1e/crypto/kdf/pbkdf2.c 2020-03-19 16:04:32.374698727 +0100
@@ -0,0 +1,264 @@
+/*
+ * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
@@ -1713,7 +1679,7 @@ diff -up openssl-1.1.1b/crypto/kdf/pbkdf2.c.evp-kdf openssl-1.1.1b/crypto/kdf/pb
+#include <openssl/evp.h>
+#include <openssl/kdf.h>
+#include "internal/cryptlib.h"
-+#include "internal/evp_int.h"
++#include "crypto/evp.h"
+#include "kdf_local.h"
+
+static void kdf_pbkdf2_reset(EVP_KDF_IMPL *impl);
@@ -1961,22 +1927,21 @@ diff -up openssl-1.1.1b/crypto/kdf/pbkdf2.c.evp-kdf openssl-1.1.1b/crypto/kdf/pb
+ HMAC_CTX_free(hctx_tpl);
+ return ret;
+}
-diff -up openssl-1.1.1b/crypto/kdf/scrypt.c.evp-kdf openssl-1.1.1b/crypto/kdf/scrypt.c
---- openssl-1.1.1b/crypto/kdf/scrypt.c.evp-kdf 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/kdf/scrypt.c 2019-02-28 13:05:05.655521400 +0100
-@@ -8,25 +8,34 @@
+diff -up openssl-1.1.1e/crypto/kdf/scrypt.c.evp-kdf openssl-1.1.1e/crypto/kdf/scrypt.c
+--- openssl-1.1.1e/crypto/kdf/scrypt.c.evp-kdf 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/crypto/kdf/scrypt.c 2020-03-19 16:11:06.215872475 +0100
+@@ -8,25 +8,35 @@
*/
#include <stdlib.h>
+#include <stdarg.h>
#include <string.h>
--#include <openssl/hmac.h>
--#include <openssl/kdf.h>
+ #include <openssl/hmac.h>
+ #include <openssl/kdf.h>
#include <openssl/evp.h>
-#include "internal/cryptlib.h"
-+#include <openssl/kdf.h>
+#include <openssl/err.h>
- #include "internal/evp_int.h"
+ #include "crypto/evp.h"
+#include "internal/numbers.h"
+#include "kdf_local.h"
@@ -2005,7 +1970,7 @@ diff -up openssl-1.1.1b/crypto/kdf/scrypt.c.evp-kdf openssl-1.1.1b/crypto/kdf/sc
/* Custom uint64_t parser since we do not have strtoull */
static int atou64(const char *nptr, uint64_t *result)
-@@ -53,51 +62,53 @@ static int atou64(const char *nptr, uint
+@@ -53,51 +63,53 @@ static int atou64(const char *nptr, uint
return 1;
}
@@ -2090,7 +2055,7 @@ diff -up openssl-1.1.1b/crypto/kdf/scrypt.c.evp-kdf openssl-1.1.1b/crypto/kdf/sc
if (new_buflen > 0) {
*buffer = OPENSSL_memdup(new_buffer, new_buflen);
-@@ -105,7 +116,7 @@ static int pkey_scrypt_set_membuf(unsign
+@@ -105,7 +117,7 @@ static int pkey_scrypt_set_membuf(unsign
*buffer = OPENSSL_malloc(1);
}
if (*buffer == NULL) {
@@ -2099,7 +2064,7 @@ diff -up openssl-1.1.1b/crypto/kdf/scrypt.c.evp-kdf openssl-1.1.1b/crypto/kdf/sc
return 0;
}
-@@ -118,149 +129,378 @@ static int is_power_of_two(uint64_t valu
+@@ -118,149 +130,378 @@ static int is_power_of_two(uint64_t valu
return (value != 0) && ((value & (value - 1)) == 0);
}
@@ -2552,9 +2517,9 @@ diff -up openssl-1.1.1b/crypto/kdf/scrypt.c.evp-kdf openssl-1.1.1b/crypto/kdf/sc
+}
#endif
-diff -up openssl-1.1.1b/crypto/kdf/tls1_prf.c.evp-kdf openssl-1.1.1b/crypto/kdf/tls1_prf.c
---- openssl-1.1.1b/crypto/kdf/tls1_prf.c.evp-kdf 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/kdf/tls1_prf.c 2019-02-28 13:05:05.655521400 +0100
+diff -up openssl-1.1.1e/crypto/kdf/tls1_prf.c.evp-kdf openssl-1.1.1e/crypto/kdf/tls1_prf.c
+--- openssl-1.1.1e/crypto/kdf/tls1_prf.c.evp-kdf 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/crypto/kdf/tls1_prf.c 2020-03-19 16:10:32.317460707 +0100
@@ -8,11 +8,15 @@
*/
@@ -2562,10 +2527,9 @@ diff -up openssl-1.1.1b/crypto/kdf/tls1_prf.c.evp-kdf openssl-1.1.1b/crypto/kdf/
+#include <stdarg.h>
+#include <string.h>
#include "internal/cryptlib.h"
--#include <openssl/kdf.h>
+ #include <openssl/kdf.h>
#include <openssl/evp.h>
-+#include <openssl/kdf.h>
- #include "internal/evp_int.h"
+ #include "crypto/evp.h"
+#include "kdf_local.h"
+static void kdf_tls1_prf_reset(EVP_KDF_IMPL *impl);
@@ -2665,15 +2629,15 @@ diff -up openssl-1.1.1b/crypto/kdf/tls1_prf.c.evp-kdf openssl-1.1.1b/crypto/kdf/
- kctx->seclen = p1;
+
+ impl->seclen = len;
++ return 1;
++
++ case EVP_KDF_CTRL_RESET_TLS_SEED:
++ OPENSSL_cleanse(impl->seed, impl->seedlen);
++ impl->seedlen = 0;
return 1;
- case EVP_PKEY_CTRL_TLS_SEED:
- if (p1 == 0 || p2 == NULL)
-+ case EVP_KDF_CTRL_RESET_TLS_SEED:
-+ OPENSSL_cleanse(impl->seed, impl->seedlen);
-+ impl->seedlen = 0;
-+ return 1;
-+
+ case EVP_KDF_CTRL_ADD_TLS_SEED:
+ p = va_arg(args, const unsigned char *);
+ len = va_arg(args, size_t);
@@ -2838,9 +2802,9 @@ diff -up openssl-1.1.1b/crypto/kdf/tls1_prf.c.evp-kdf openssl-1.1.1b/crypto/kdf/
OPENSSL_clear_free(tmp, olen);
return 0;
}
-diff -up openssl-1.1.1b/doc/man3/EVP_KDF_CTX.pod.evp-kdf openssl-1.1.1b/doc/man3/EVP_KDF_CTX.pod
---- openssl-1.1.1b/doc/man3/EVP_KDF_CTX.pod.evp-kdf 2019-02-28 13:05:05.656521382 +0100
-+++ openssl-1.1.1b/doc/man3/EVP_KDF_CTX.pod 2019-02-28 13:05:05.655521400 +0100
+diff -up openssl-1.1.1e/doc/man3/EVP_KDF_CTX.pod.evp-kdf openssl-1.1.1e/doc/man3/EVP_KDF_CTX.pod
+--- openssl-1.1.1e/doc/man3/EVP_KDF_CTX.pod.evp-kdf 2020-03-19 16:04:32.377698675 +0100
++++ openssl-1.1.1e/doc/man3/EVP_KDF_CTX.pod 2020-03-19 16:04:32.377698675 +0100
@@ -0,0 +1,217 @@
+=pod
+
@@ -3059,9 +3023,9 @@ diff -up openssl-1.1.1b/doc/man3/EVP_KDF_CTX.pod.evp-kdf openssl-1.1.1b/doc/man3
+L<https://www.openssl.org/source/license.html>.
+
+=cut
-diff -up openssl-1.1.1b/doc/man7/EVP_KDF_HKDF.pod.evp-kdf openssl-1.1.1b/doc/man7/EVP_KDF_HKDF.pod
---- openssl-1.1.1b/doc/man7/EVP_KDF_HKDF.pod.evp-kdf 2019-02-28 13:05:05.656521382 +0100
-+++ openssl-1.1.1b/doc/man7/EVP_KDF_HKDF.pod 2019-02-28 13:05:05.656521382 +0100
+diff -up openssl-1.1.1e/doc/man7/EVP_KDF_HKDF.pod.evp-kdf openssl-1.1.1e/doc/man7/EVP_KDF_HKDF.pod
+--- openssl-1.1.1e/doc/man7/EVP_KDF_HKDF.pod.evp-kdf 2020-03-19 16:04:32.377698675 +0100
++++ openssl-1.1.1e/doc/man7/EVP_KDF_HKDF.pod 2020-03-19 16:04:32.377698675 +0100
@@ -0,0 +1,180 @@
+=pod
+
@@ -3243,9 +3207,9 @@ diff -up openssl-1.1.1b/doc/man7/EVP_KDF_HKDF.pod.evp-kdf openssl-1.1.1b/doc/man
+L<https://www.openssl.org/source/license.html>.
+
+=cut
-diff -up openssl-1.1.1b/doc/man7/EVP_KDF_PBKDF2.pod.evp-kdf openssl-1.1.1b/doc/man7/EVP_KDF_PBKDF2.pod
---- openssl-1.1.1b/doc/man7/EVP_KDF_PBKDF2.pod.evp-kdf 2019-02-28 13:05:05.656521382 +0100
-+++ openssl-1.1.1b/doc/man7/EVP_KDF_PBKDF2.pod 2019-02-28 13:05:05.656521382 +0100
+diff -up openssl-1.1.1e/doc/man7/EVP_KDF_PBKDF2.pod.evp-kdf openssl-1.1.1e/doc/man7/EVP_KDF_PBKDF2.pod
+--- openssl-1.1.1e/doc/man7/EVP_KDF_PBKDF2.pod.evp-kdf 2020-03-19 16:04:32.378698658 +0100
++++ openssl-1.1.1e/doc/man7/EVP_KDF_PBKDF2.pod 2020-03-19 16:04:32.378698658 +0100
@@ -0,0 +1,78 @@
+=pod
+
@@ -3325,9 +3289,9 @@ diff -up openssl-1.1.1b/doc/man7/EVP_KDF_PBKDF2.pod.evp-kdf openssl-1.1.1b/doc/m
+L<https://www.openssl.org/source/license.html>.
+
+=cut
-diff -up openssl-1.1.1b/doc/man7/EVP_KDF_SCRYPT.pod.evp-kdf openssl-1.1.1b/doc/man7/EVP_KDF_SCRYPT.pod
---- openssl-1.1.1b/doc/man7/EVP_KDF_SCRYPT.pod.evp-kdf 2019-02-28 13:05:05.656521382 +0100
-+++ openssl-1.1.1b/doc/man7/EVP_KDF_SCRYPT.pod 2019-02-28 13:05:05.656521382 +0100
+diff -up openssl-1.1.1e/doc/man7/EVP_KDF_SCRYPT.pod.evp-kdf openssl-1.1.1e/doc/man7/EVP_KDF_SCRYPT.pod
+--- openssl-1.1.1e/doc/man7/EVP_KDF_SCRYPT.pod.evp-kdf 2020-03-19 16:04:32.378698658 +0100
++++ openssl-1.1.1e/doc/man7/EVP_KDF_SCRYPT.pod 2020-03-19 16:04:32.378698658 +0100
@@ -0,0 +1,149 @@
+=pod
+
@@ -3478,9 +3442,9 @@ diff -up openssl-1.1.1b/doc/man7/EVP_KDF_SCRYPT.pod.evp-kdf openssl-1.1.1b/doc/m
+L<https://www.openssl.org/source/license.html>.
+
+=cut
-diff -up openssl-1.1.1b/doc/man7/EVP_KDF_TLS1_PRF.pod.evp-kdf openssl-1.1.1b/doc/man7/EVP_KDF_TLS1_PRF.pod
---- openssl-1.1.1b/doc/man7/EVP_KDF_TLS1_PRF.pod.evp-kdf 2019-02-28 13:05:05.656521382 +0100
-+++ openssl-1.1.1b/doc/man7/EVP_KDF_TLS1_PRF.pod 2019-02-28 13:05:05.656521382 +0100
+diff -up openssl-1.1.1e/doc/man7/EVP_KDF_TLS1_PRF.pod.evp-kdf openssl-1.1.1e/doc/man7/EVP_KDF_TLS1_PRF.pod
+--- openssl-1.1.1e/doc/man7/EVP_KDF_TLS1_PRF.pod.evp-kdf 2020-03-19 16:04:32.378698658 +0100
++++ openssl-1.1.1e/doc/man7/EVP_KDF_TLS1_PRF.pod 2020-03-19 16:04:32.378698658 +0100
@@ -0,0 +1,142 @@
+=pod
+
@@ -3624,18 +3588,38 @@ diff -up openssl-1.1.1b/doc/man7/EVP_KDF_TLS1_PRF.pod.evp-kdf openssl-1.1.1b/doc
+L<https://www.openssl.org/source/license.html>.
+
+=cut
-diff -up openssl-1.1.1b/include/openssl/evperr.h.evp-kdf openssl-1.1.1b/include/openssl/evperr.h
---- openssl-1.1.1b/include/openssl/evperr.h.evp-kdf 2019-02-28 13:05:05.633521807 +0100
-+++ openssl-1.1.1b/include/openssl/evperr.h 2019-02-28 13:05:05.657521363 +0100
-@@ -1,6 +1,6 @@
- /*
- * Generated by util/mkerr.pl DO NOT EDIT
-- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
-+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License"). You may not use
- * this file except in compliance with the License. You can obtain a copy
-@@ -51,6 +51,9 @@ int ERR_load_EVP_strings(void);
+diff -up openssl-1.1.1e/include/crypto/evp.h.evp-kdf openssl-1.1.1e/include/crypto/evp.h
+--- openssl-1.1.1e/include/crypto/evp.h.evp-kdf 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/include/crypto/evp.h 2020-03-19 16:04:32.347699194 +0100
+@@ -112,6 +112,24 @@ extern const EVP_PKEY_METHOD hkdf_pkey_m
+ extern const EVP_PKEY_METHOD poly1305_pkey_meth;
+ extern const EVP_PKEY_METHOD siphash_pkey_meth;
+
++/* struct evp_kdf_impl_st is defined by the implementation */
++typedef struct evp_kdf_impl_st EVP_KDF_IMPL;
++typedef struct {
++ int type;
++ EVP_KDF_IMPL *(*new) (void);
++ void (*free) (EVP_KDF_IMPL *impl);
++ void (*reset) (EVP_KDF_IMPL *impl);
++ int (*ctrl) (EVP_KDF_IMPL *impl, int cmd, va_list args);
++ int (*ctrl_str) (EVP_KDF_IMPL *impl, const char *type, const char *value);
++ size_t (*size) (EVP_KDF_IMPL *impl);
++ int (*derive) (EVP_KDF_IMPL *impl, unsigned char *key, size_t keylen);
++} EVP_KDF_METHOD;
++
++extern const EVP_KDF_METHOD pbkdf2_kdf_meth;
++extern const EVP_KDF_METHOD scrypt_kdf_meth;
++extern const EVP_KDF_METHOD tls1_prf_kdf_meth;
++extern const EVP_KDF_METHOD hkdf_kdf_meth;
++
+ struct evp_md_st {
+ int type;
+ int pkey_type;
+diff -up openssl-1.1.1e/include/openssl/evperr.h.evp-kdf openssl-1.1.1e/include/openssl/evperr.h
+--- openssl-1.1.1e/include/openssl/evperr.h.evp-kdf 2020-03-19 16:04:11.250064365 +0100
++++ openssl-1.1.1e/include/openssl/evperr.h 2020-03-19 16:04:32.379698640 +0100
+@@ -58,6 +58,9 @@ int ERR_load_EVP_strings(void);
# define EVP_F_EVP_ENCRYPTDECRYPTUPDATE 219
# define EVP_F_EVP_ENCRYPTFINAL_EX 127
# define EVP_F_EVP_ENCRYPTUPDATE 167
@@ -3645,7 +3629,7 @@ diff -up openssl-1.1.1b/include/openssl/evperr.h.evp-kdf openssl-1.1.1b/include/
# define EVP_F_EVP_MD_CTX_COPY_EX 110
# define EVP_F_EVP_MD_SIZE 162
# define EVP_F_EVP_OPENINIT 102
-@@ -113,10 +116,12 @@ int ERR_load_EVP_strings(void);
+@@ -120,11 +123,13 @@ int ERR_load_EVP_strings(void);
# define EVP_F_PKCS5_V2_PBE_KEYIVGEN 118
# define EVP_F_PKCS5_V2_PBKDF2_KEYIVGEN 164
# define EVP_F_PKCS5_V2_SCRYPT_KEYIVGEN 180
@@ -3653,12 +3637,13 @@ diff -up openssl-1.1.1b/include/openssl/evperr.h.evp-kdf openssl-1.1.1b/include/
# define EVP_F_PKEY_SET_TYPE 158
# define EVP_F_RC2_MAGIC_TO_METH 109
# define EVP_F_RC5_CTRL 125
+ # define EVP_F_R_32_12_16_INIT_KEY 242
# define EVP_F_S390X_AES_GCM_CTRL 201
+# define EVP_F_SCRYPT_ALG 228
# define EVP_F_UPDATE 173
/*
-@@ -171,6 +176,7 @@ int ERR_load_EVP_strings(void);
+@@ -181,6 +186,7 @@ int ERR_load_EVP_strings(void);
# define EVP_R_ONLY_ONESHOT_SUPPORTED 177
# define EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 150
# define EVP_R_OPERATON_NOT_INITIALIZED 151
@@ -3666,18 +3651,10 @@ diff -up openssl-1.1.1b/include/openssl/evperr.h.evp-kdf openssl-1.1.1b/include/
# define EVP_R_PARTIALLY_OVERLAPPING 162
# define EVP_R_PBKDF2_ERROR 181
# define EVP_R_PKEY_APPLICATION_ASN1_METHOD_ALREADY_REGISTERED 179
-diff -up openssl-1.1.1b/include/openssl/kdferr.h.evp-kdf openssl-1.1.1b/include/openssl/kdferr.h
---- openssl-1.1.1b/include/openssl/kdferr.h.evp-kdf 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/include/openssl/kdferr.h 2019-02-28 13:05:05.657521363 +0100
-@@ -1,6 +1,6 @@
- /*
- * Generated by util/mkerr.pl DO NOT EDIT
-- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
-+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License"). You may not use
- * this file except in compliance with the License. You can obtain a copy
-@@ -19,6 +19,23 @@ int ERR_load_KDF_strings(void);
+diff -up openssl-1.1.1e/include/openssl/kdferr.h.evp-kdf openssl-1.1.1e/include/openssl/kdferr.h
+--- openssl-1.1.1e/include/openssl/kdferr.h.evp-kdf 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/include/openssl/kdferr.h 2020-03-19 16:04:32.379698640 +0100
+@@ -23,6 +23,23 @@ int ERR_load_KDF_strings(void);
/*
* KDF function codes.
*/
@@ -3701,7 +3678,7 @@ diff -up openssl-1.1.1b/include/openssl/kdferr.h.evp-kdf openssl-1.1.1b/include/
# define KDF_F_PKEY_HKDF_CTRL_STR 103
# define KDF_F_PKEY_HKDF_DERIVE 102
# define KDF_F_PKEY_HKDF_INIT 108
-@@ -30,6 +47,7 @@ int ERR_load_KDF_strings(void);
+@@ -34,6 +51,7 @@ int ERR_load_KDF_strings(void);
# define KDF_F_PKEY_TLS1_PRF_CTRL_STR 100
# define KDF_F_PKEY_TLS1_PRF_DERIVE 101
# define KDF_F_PKEY_TLS1_PRF_INIT 110
@@ -3709,16 +3686,16 @@ diff -up openssl-1.1.1b/include/openssl/kdferr.h.evp-kdf openssl-1.1.1b/include/
# define KDF_F_TLS1_PRF_ALG 111
/*
-@@ -47,5 +65,6 @@ int ERR_load_KDF_strings(void);
+@@ -51,5 +69,6 @@ int ERR_load_KDF_strings(void);
# define KDF_R_UNKNOWN_PARAMETER_TYPE 103
# define KDF_R_VALUE_ERROR 108
# define KDF_R_VALUE_MISSING 102
+# define KDF_R_WRONG_OUTPUT_BUFFER_SIZE 112
#endif
-diff -up openssl-1.1.1b/include/openssl/kdf.h.evp-kdf openssl-1.1.1b/include/openssl/kdf.h
---- openssl-1.1.1b/include/openssl/kdf.h.evp-kdf 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/include/openssl/kdf.h 2019-02-28 13:05:05.657521363 +0100
+diff -up openssl-1.1.1e/include/openssl/kdf.h.evp-kdf openssl-1.1.1e/include/openssl/kdf.h
+--- openssl-1.1.1e/include/openssl/kdf.h.evp-kdf 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/include/openssl/kdf.h 2020-03-19 16:04:32.380698623 +0100
@@ -10,10 +10,50 @@
#ifndef HEADER_KDF_H
# define HEADER_KDF_H
@@ -3797,9 +3774,9 @@ diff -up openssl-1.1.1b/include/openssl/kdf.h.evp-kdf openssl-1.1.1b/include/ope
}
# endif
#endif
-diff -up openssl-1.1.1b/include/openssl/ossl_typ.h.evp-kdf openssl-1.1.1b/include/openssl/ossl_typ.h
---- openssl-1.1.1b/include/openssl/ossl_typ.h.evp-kdf 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/include/openssl/ossl_typ.h 2019-02-28 13:05:05.657521363 +0100
+diff -up openssl-1.1.1e/include/openssl/ossl_typ.h.evp-kdf openssl-1.1.1e/include/openssl/ossl_typ.h
+--- openssl-1.1.1e/include/openssl/ossl_typ.h.evp-kdf 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/include/openssl/ossl_typ.h 2020-03-19 16:04:32.381698606 +0100
@@ -97,6 +97,8 @@ typedef struct evp_pkey_asn1_method_st E
typedef struct evp_pkey_method_st EVP_PKEY_METHOD;
typedef struct evp_pkey_ctx_st EVP_PKEY_CTX;
@@ -3809,10 +3786,10 @@ diff -up openssl-1.1.1b/include/openssl/ossl_typ.h.evp-kdf openssl-1.1.1b/includ
typedef struct evp_Encode_Ctx_st EVP_ENCODE_CTX;
typedef struct hmac_ctx_st HMAC_CTX;
-diff -up openssl-1.1.1b/test/build.info.evp-kdf openssl-1.1.1b/test/build.info
---- openssl-1.1.1b/test/build.info.evp-kdf 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/test/build.info 2019-02-28 13:05:05.657521363 +0100
-@@ -43,7 +43,8 @@ INCLUDE_MAIN___test_libtestutil_OLB = /I
+diff -up openssl-1.1.1e/test/build.info.evp-kdf openssl-1.1.1e/test/build.info
+--- openssl-1.1.1e/test/build.info.evp-kdf 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/test/build.info 2020-03-19 16:04:32.381698606 +0100
+@@ -44,7 +44,8 @@ INCLUDE_MAIN___test_libtestutil_OLB = /I
ssl_test_ctx_test ssl_test x509aux cipherlist_test asynciotest \
bio_callback_test bio_memleak_test \
bioprinttest sslapitest dtlstest sslcorrupttest bio_enc_test \
@@ -3822,7 +3799,7 @@ diff -up openssl-1.1.1b/test/build.info.evp-kdf openssl-1.1.1b/test/build.info
asn1_encode_test asn1_decode_test asn1_string_table_test \
x509_time_test x509_dup_cert_test x509_check_cert_pkey_test \
recordlentest drbgtest sslbuffertest \
-@@ -335,6 +336,10 @@ INCLUDE_MAIN___test_libtestutil_OLB = /I
+@@ -336,6 +337,10 @@ INCLUDE_MAIN___test_libtestutil_OLB = /I
INCLUDE[pkey_meth_kdf_test]=../include
DEPEND[pkey_meth_kdf_test]=../libcrypto libtestutil.a
@@ -3833,9 +3810,9 @@ diff -up openssl-1.1.1b/test/build.info.evp-kdf openssl-1.1.1b/test/build.info
SOURCE[x509_time_test]=x509_time_test.c
INCLUDE[x509_time_test]=../include
DEPEND[x509_time_test]=../libcrypto libtestutil.a
-diff -up openssl-1.1.1b/test/evp_kdf_test.c.evp-kdf openssl-1.1.1b/test/evp_kdf_test.c
---- openssl-1.1.1b/test/evp_kdf_test.c.evp-kdf 2019-02-28 13:05:05.658521345 +0100
-+++ openssl-1.1.1b/test/evp_kdf_test.c 2019-02-28 13:05:05.658521345 +0100
+diff -up openssl-1.1.1e/test/evp_kdf_test.c.evp-kdf openssl-1.1.1e/test/evp_kdf_test.c
+--- openssl-1.1.1e/test/evp_kdf_test.c.evp-kdf 2020-03-19 16:04:32.382698588 +0100
++++ openssl-1.1.1e/test/evp_kdf_test.c 2020-03-19 16:04:32.382698588 +0100
@@ -0,0 +1,237 @@
+/*
+ * Copyright 2018-2019 The OpenSSL Project Authors. All Rights Reserved.
@@ -4074,10 +4051,10 @@ diff -up openssl-1.1.1b/test/evp_kdf_test.c.evp-kdf openssl-1.1.1b/test/evp_kdf_
+#endif
+ return 1;
+}
-diff -up openssl-1.1.1b/test/evp_test.c.evp-kdf openssl-1.1.1b/test/evp_test.c
---- openssl-1.1.1b/test/evp_test.c.evp-kdf 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/test/evp_test.c 2019-02-28 13:05:05.658521345 +0100
-@@ -1672,13 +1672,14 @@ static const EVP_TEST_METHOD encode_test
+diff -up openssl-1.1.1e/test/evp_test.c.evp-kdf openssl-1.1.1e/test/evp_test.c
+--- openssl-1.1.1e/test/evp_test.c.evp-kdf 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/test/evp_test.c 2020-03-19 16:04:32.383698571 +0100
+@@ -1705,13 +1705,14 @@ static const EVP_TEST_METHOD encode_test
encode_test_run,
};
@@ -4093,7 +4070,7 @@ diff -up openssl-1.1.1b/test/evp_test.c.evp-kdf openssl-1.1.1b/test/evp_test.c
/* Expected output */
unsigned char *output;
size_t output_len;
-@@ -1705,16 +1706,11 @@ static int kdf_test_init(EVP_TEST *t, co
+@@ -1738,16 +1739,11 @@ static int kdf_test_init(EVP_TEST *t, co
if (!TEST_ptr(kdata = OPENSSL_zalloc(sizeof(*kdata))))
return 0;
@@ -4111,7 +4088,7 @@ diff -up openssl-1.1.1b/test/evp_test.c.evp-kdf openssl-1.1.1b/test/evp_test.c
t->data = kdata;
return 1;
}
-@@ -1723,7 +1719,42 @@ static void kdf_test_cleanup(EVP_TEST *t
+@@ -1756,7 +1752,42 @@ static void kdf_test_cleanup(EVP_TEST *t
{
KDF_DATA *kdata = t->data;
OPENSSL_free(kdata->output);
@@ -4155,7 +4132,7 @@ diff -up openssl-1.1.1b/test/evp_test.c.evp-kdf openssl-1.1.1b/test/evp_test.c
}
static int kdf_test_parse(EVP_TEST *t,
-@@ -1734,7 +1765,7 @@ static int kdf_test_parse(EVP_TEST *t,
+@@ -1767,7 +1798,7 @@ static int kdf_test_parse(EVP_TEST *t,
if (strcmp(keyword, "Output") == 0)
return parse_bin(value, &kdata->output, &kdata->output_len);
if (strncmp(keyword, "Ctrl", 4) == 0)
@@ -4164,7 +4141,7 @@ diff -up openssl-1.1.1b/test/evp_test.c.evp-kdf openssl-1.1.1b/test/evp_test.c
return 0;
}
-@@ -1748,7 +1779,7 @@ static int kdf_test_run(EVP_TEST *t)
+@@ -1781,7 +1812,7 @@ static int kdf_test_run(EVP_TEST *t)
t->err = "INTERNAL_ERROR";
goto err;
}
@@ -4173,7 +4150,7 @@ diff -up openssl-1.1.1b/test/evp_test.c.evp-kdf openssl-1.1.1b/test/evp_test.c
t->err = "KDF_DERIVE_ERROR";
goto err;
}
-@@ -1774,6 +1805,106 @@ static const EVP_TEST_METHOD kdf_test_me
+@@ -1807,6 +1838,106 @@ static const EVP_TEST_METHOD kdf_test_me
/**
@@ -4280,7 +4257,7 @@ diff -up openssl-1.1.1b/test/evp_test.c.evp-kdf openssl-1.1.1b/test/evp_test.c
*** KEYPAIR TESTS
**/
-@@ -2277,6 +2408,7 @@ static const EVP_TEST_METHOD *evp_test_l
+@@ -2310,6 +2441,7 @@ static const EVP_TEST_METHOD *evp_test_l
&digestverify_test_method,
&encode_test_method,
&kdf_test_method,
@@ -4288,9 +4265,9 @@ diff -up openssl-1.1.1b/test/evp_test.c.evp-kdf openssl-1.1.1b/test/evp_test.c
&keypair_test_method,
&keygen_test_method,
&mac_test_method,
-diff -up openssl-1.1.1b/test/pkey_meth_kdf_test.c.evp-kdf openssl-1.1.1b/test/pkey_meth_kdf_test.c
---- openssl-1.1.1b/test/pkey_meth_kdf_test.c.evp-kdf 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/test/pkey_meth_kdf_test.c 2019-02-28 13:05:05.658521345 +0100
+diff -up openssl-1.1.1e/test/pkey_meth_kdf_test.c.evp-kdf openssl-1.1.1e/test/pkey_meth_kdf_test.c
+--- openssl-1.1.1e/test/pkey_meth_kdf_test.c.evp-kdf 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/test/pkey_meth_kdf_test.c 2020-03-19 16:04:32.386698519 +0100
@@ -1,5 +1,5 @@
/*
- * Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
@@ -4494,9 +4471,9 @@ diff -up openssl-1.1.1b/test/pkey_meth_kdf_test.c.evp-kdf openssl-1.1.1b/test/pk
}
#endif
-diff -up openssl-1.1.1b/test/recipes/30-test_evp_data/evpkdf.txt.evp-kdf openssl-1.1.1b/test/recipes/30-test_evp_data/evpkdf.txt
---- openssl-1.1.1b/test/recipes/30-test_evp_data/evpkdf.txt.evp-kdf 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/test/recipes/30-test_evp_data/evpkdf.txt 2019-02-28 13:05:05.659521326 +0100
+diff -up openssl-1.1.1e/test/recipes/30-test_evp_data/evpkdf.txt.evp-kdf openssl-1.1.1e/test/recipes/30-test_evp_data/evpkdf.txt
+--- openssl-1.1.1e/test/recipes/30-test_evp_data/evpkdf.txt.evp-kdf 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/test/recipes/30-test_evp_data/evpkdf.txt 2020-03-19 16:04:32.388698484 +0100
@@ -1,5 +1,5 @@
#
-# Copyright 2001-2017 The OpenSSL Project Authors. All Rights Reserved.
@@ -4895,9 +4872,9 @@ diff -up openssl-1.1.1b/test/recipes/30-test_evp_data/evpkdf.txt.evp-kdf openssl
+Ctrl.digest = digest:sha512
+Output = 00ef42cdbfc98d29db20976608e455567fdddf14
+
-diff -up openssl-1.1.1b/test/recipes/30-test_evp_data/evppkey_kdf.txt.evp-kdf openssl-1.1.1b/test/recipes/30-test_evp_data/evppkey_kdf.txt
---- openssl-1.1.1b/test/recipes/30-test_evp_data/evppkey_kdf.txt.evp-kdf 2019-02-28 13:05:05.659521326 +0100
-+++ openssl-1.1.1b/test/recipes/30-test_evp_data/evppkey_kdf.txt 2019-02-28 13:05:05.659521326 +0100
+diff -up openssl-1.1.1e/test/recipes/30-test_evp_data/evppkey_kdf.txt.evp-kdf openssl-1.1.1e/test/recipes/30-test_evp_data/evppkey_kdf.txt
+--- openssl-1.1.1e/test/recipes/30-test_evp_data/evppkey_kdf.txt.evp-kdf 2020-03-19 16:04:32.389698467 +0100
++++ openssl-1.1.1e/test/recipes/30-test_evp_data/evppkey_kdf.txt 2020-03-19 16:04:32.389698467 +0100
@@ -0,0 +1,305 @@
+#
+# Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
@@ -5204,9 +5181,9 @@ diff -up openssl-1.1.1b/test/recipes/30-test_evp_data/evppkey_kdf.txt.evp-kdf op
+Ctrl.p = p:1
+Result = INTERNAL_ERROR
+
-diff -up openssl-1.1.1b/test/recipes/30-test_evp_kdf.t.evp-kdf openssl-1.1.1b/test/recipes/30-test_evp_kdf.t
---- openssl-1.1.1b/test/recipes/30-test_evp_kdf.t.evp-kdf 2019-02-28 13:05:05.659521326 +0100
-+++ openssl-1.1.1b/test/recipes/30-test_evp_kdf.t 2019-02-28 13:05:05.659521326 +0100
+diff -up openssl-1.1.1e/test/recipes/30-test_evp_kdf.t.evp-kdf openssl-1.1.1e/test/recipes/30-test_evp_kdf.t
+--- openssl-1.1.1e/test/recipes/30-test_evp_kdf.t.evp-kdf 2020-03-19 16:04:32.390698450 +0100
++++ openssl-1.1.1e/test/recipes/30-test_evp_kdf.t 2020-03-19 16:04:32.390698450 +0100
@@ -0,0 +1,13 @@
+#! /usr/bin/env perl
+# Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
@@ -5221,9 +5198,9 @@ diff -up openssl-1.1.1b/test/recipes/30-test_evp_kdf.t.evp-kdf openssl-1.1.1b/te
+use OpenSSL::Test::Simple;
+
+simple_test("test_evp_kdf", "evp_kdf_test");
-diff -up openssl-1.1.1c/test/recipes/30-test_evp.t.evp-kdf openssl-1.1.1c/test/recipes/30-test_evp.t
---- openssl-1.1.1c/test/recipes/30-test_evp.t.evp-kdf 2019-05-29 16:55:38.236960543 +0200
-+++ openssl-1.1.1c/test/recipes/30-test_evp.t 2019-05-29 16:57:46.348718012 +0200
+diff -up openssl-1.1.1e/test/recipes/30-test_evp.t.evp-kdf openssl-1.1.1e/test/recipes/30-test_evp.t
+--- openssl-1.1.1e/test/recipes/30-test_evp.t.evp-kdf 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/test/recipes/30-test_evp.t 2020-03-19 16:04:32.390698450 +0100
@@ -15,7 +15,7 @@ use OpenSSL::Test qw/:DEFAULT data_file/
setup("test_evp");
@@ -5233,11 +5210,10 @@ diff -up openssl-1.1.1c/test/recipes/30-test_evp.t.evp-kdf openssl-1.1.1c/test/r
"evpcase.txt", "evpccmcavs.txt" );
plan tests => scalar(@files);
-
-diff -up openssl-1.1.1b/util/libcrypto.num.evp-kdf openssl-1.1.1b/util/libcrypto.num
---- openssl-1.1.1b/util/libcrypto.num.evp-kdf 2019-02-28 13:05:05.636521752 +0100
-+++ openssl-1.1.1b/util/libcrypto.num 2019-02-28 13:05:05.660521308 +0100
-@@ -4614,3 +4614,11 @@ FIPS_drbg_get_strength
+diff -up openssl-1.1.1e/util/libcrypto.num.evp-kdf openssl-1.1.1e/util/libcrypto.num
+--- openssl-1.1.1e/util/libcrypto.num.evp-kdf 2020-03-19 16:04:11.263064140 +0100
++++ openssl-1.1.1e/util/libcrypto.num 2020-03-19 16:04:32.392698415 +0100
+@@ -4622,3 +4622,11 @@ FIPS_drbg_get_strength
FIPS_rand_strength 6380 1_1_0g EXIST::FUNCTION:
FIPS_drbg_get_blocklength 6381 1_1_0g EXIST::FUNCTION:
FIPS_drbg_init 6382 1_1_0g EXIST::FUNCTION:
@@ -5249,9 +5225,9 @@ diff -up openssl-1.1.1b/util/libcrypto.num.evp-kdf openssl-1.1.1b/util/libcrypto
+EVP_KDF_ctrl_str 6595 1_1_1b EXIST::FUNCTION:
+EVP_KDF_size 6596 1_1_1b EXIST::FUNCTION:
+EVP_KDF_derive 6597 1_1_1b EXIST::FUNCTION:
-diff -up openssl-1.1.1b/util/private.num.evp-kdf openssl-1.1.1b/util/private.num
---- openssl-1.1.1b/util/private.num.evp-kdf 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/util/private.num 2019-02-28 13:05:05.660521308 +0100
+diff -up openssl-1.1.1e/util/private.num.evp-kdf openssl-1.1.1e/util/private.num
+--- openssl-1.1.1e/util/private.num.evp-kdf 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/util/private.num 2020-03-19 16:04:32.393698398 +0100
@@ -21,6 +21,7 @@ CRYPTO_EX_dup
CRYPTO_EX_free datatype
CRYPTO_EX_new datatype
diff --git a/SOURCES/openssl-1.1.1-fips-crng-test.patch b/SOURCES/openssl-1.1.1-fips-crng-test.patch
index 91841f1..267a3ea 100644
--- a/SOURCES/openssl-1.1.1-fips-crng-test.patch
+++ b/SOURCES/openssl-1.1.1-fips-crng-test.patch
@@ -1,33 +1,17 @@
-diff -up openssl-1.1.1b/crypto/include/internal/rand_int.h.crng-test openssl-1.1.1b/crypto/include/internal/rand_int.h
---- openssl-1.1.1b/crypto/include/internal/rand_int.h.crng-test 2019-05-07 08:56:33.242179136 +0200
-+++ openssl-1.1.1b/crypto/include/internal/rand_int.h 2019-05-07 09:54:14.920204875 +0200
-@@ -49,6 +49,14 @@ size_t rand_drbg_get_additional_data(RAN
-
- void rand_drbg_cleanup_additional_data(RAND_POOL *pool, unsigned char *out);
-
-+/* CRNG test entropy filter callbacks. */
-+size_t rand_crngt_get_entropy(RAND_DRBG *drbg,
-+ unsigned char **pout,
-+ int entropy, size_t min_len, size_t max_len,
-+ int prediction_resistance);
-+void rand_crngt_cleanup_entropy(RAND_DRBG *drbg,
-+ unsigned char *out, size_t outlen);
-+
- /*
- * RAND_POOL functions
- */
-diff -up openssl-1.1.1b/crypto/rand/build.info.crng-test openssl-1.1.1b/crypto/rand/build.info
---- openssl-1.1.1b/crypto/rand/build.info.crng-test 2019-05-07 09:54:14.921204857 +0200
-+++ openssl-1.1.1b/crypto/rand/build.info 2019-05-07 09:55:22.730014705 +0200
-@@ -1,4 +1,4 @@
+diff -up openssl-1.1.1g/crypto/rand/build.info.crng-test openssl-1.1.1g/crypto/rand/build.info
+--- openssl-1.1.1g/crypto/rand/build.info.crng-test 2020-04-23 13:30:45.863389837 +0200
++++ openssl-1.1.1g/crypto/rand/build.info 2020-04-23 13:31:55.847069892 +0200
+@@ -1,6 +1,6 @@
LIBS=../../libcrypto
SOURCE[../../libcrypto]=\
- randfile.c rand_lib.c rand_err.c rand_egd.c \
+ randfile.c rand_lib.c rand_err.c rand_crng_test.c rand_egd.c \
rand_win.c rand_unix.c rand_vms.c drbg_lib.c drbg_ctr.c
-diff -up openssl-1.1.1b/crypto/rand/drbg_lib.c.crng-test openssl-1.1.1b/crypto/rand/drbg_lib.c
---- openssl-1.1.1b/crypto/rand/drbg_lib.c.crng-test 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/rand/drbg_lib.c 2019-05-07 10:04:51.753157224 +0200
+
+ INCLUDE[drbg_ctr.o]=../modes
+diff -up openssl-1.1.1g/crypto/rand/drbg_lib.c.crng-test openssl-1.1.1g/crypto/rand/drbg_lib.c
+--- openssl-1.1.1g/crypto/rand/drbg_lib.c.crng-test 2020-04-23 13:30:45.818390686 +0200
++++ openssl-1.1.1g/crypto/rand/drbg_lib.c 2020-04-23 13:30:45.864389819 +0200
@@ -67,7 +67,7 @@ static CRYPTO_THREAD_LOCAL private_drbg;
@@ -51,9 +35,9 @@ diff -up openssl-1.1.1b/crypto/rand/drbg_lib.c.crng-test openssl-1.1.1b/crypto/r
#ifndef RAND_DRBG_GET_RANDOM_NONCE
drbg->get_nonce = rand_drbg_get_nonce;
drbg->cleanup_nonce = rand_drbg_cleanup_nonce;
-diff -up openssl-1.1.1b/crypto/rand/rand_crng_test.c.crng-test openssl-1.1.1b/crypto/rand/rand_crng_test.c
---- openssl-1.1.1b/crypto/rand/rand_crng_test.c.crng-test 2019-05-07 09:54:14.925204787 +0200
-+++ openssl-1.1.1b/crypto/rand/rand_crng_test.c 2019-05-07 09:54:14.932204664 +0200
+diff -up openssl-1.1.1g/crypto/rand/rand_crng_test.c.crng-test openssl-1.1.1g/crypto/rand/rand_crng_test.c
+--- openssl-1.1.1g/crypto/rand/rand_crng_test.c.crng-test 2020-04-23 13:30:45.864389819 +0200
++++ openssl-1.1.1g/crypto/rand/rand_crng_test.c 2020-04-23 13:30:45.864389819 +0200
@@ -0,0 +1,118 @@
+/*
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
@@ -71,9 +55,9 @@ diff -up openssl-1.1.1b/crypto/rand/rand_crng_test.c.crng-test openssl-1.1.1b/cr
+
+#include <string.h>
+#include <openssl/evp.h>
-+#include "internal/rand_int.h"
++#include "crypto/rand.h"
+#include "internal/thread_once.h"
-+#include "rand_lcl.h"
++#include "rand_local.h"
+
+static RAND_POOL *crngt_pool;
+static unsigned char crngt_prev[EVP_MAX_MD_SIZE];
@@ -110,7 +94,7 @@ diff -up openssl-1.1.1b/crypto/rand/rand_crng_test.c.crng-test openssl-1.1.1b/cr
+{
+ unsigned char buf[CRNGT_BUFSIZ];
+
-+ if ((crngt_pool = rand_pool_new(0, CRNGT_BUFSIZ, CRNGT_BUFSIZ)) == NULL)
++ if ((crngt_pool = rand_pool_new(0, 1, CRNGT_BUFSIZ, CRNGT_BUFSIZ)) == NULL)
+ return 0;
+ if (crngt_get_entropy(buf, crngt_prev, NULL)) {
+ OPENSSL_cleanse(buf, sizeof(buf));
@@ -147,7 +131,7 @@ diff -up openssl-1.1.1b/crypto/rand/rand_crng_test.c.crng-test openssl-1.1.1b/cr
+ if (!RUN_ONCE(&rand_crngt_init_flag, do_rand_crngt_init))
+ return 0;
+
-+ if ((pool = rand_pool_new(entropy, min_len, max_len)) == NULL)
++ if ((pool = rand_pool_new(entropy, 1, min_len, max_len)) == NULL)
+ return 0;
+
+ while ((q = rand_pool_bytes_needed(pool, 1)) > 0 && attempts-- > 0) {
@@ -173,9 +157,9 @@ diff -up openssl-1.1.1b/crypto/rand/rand_crng_test.c.crng-test openssl-1.1.1b/cr
+{
+ OPENSSL_secure_clear_free(out, outlen);
+}
-diff -up openssl-1.1.1b/crypto/rand/rand_lcl.h.crng-test openssl-1.1.1b/crypto/rand/rand_lcl.h
---- openssl-1.1.1b/crypto/rand/rand_lcl.h.crng-test 2019-05-07 08:56:33.330177674 +0200
-+++ openssl-1.1.1b/crypto/rand/rand_lcl.h 2019-05-07 09:54:14.933204647 +0200
+diff -up openssl-1.1.1g/crypto/rand/rand_local.h.crng-test openssl-1.1.1g/crypto/rand/rand_local.h
+--- openssl-1.1.1g/crypto/rand/rand_local.h.crng-test 2020-04-23 13:30:45.470397250 +0200
++++ openssl-1.1.1g/crypto/rand/rand_local.h 2020-04-23 13:30:45.864389819 +0200
@@ -33,7 +33,15 @@
# define MASTER_RESEED_TIME_INTERVAL (60*60) /* 1 hour */
# define SLAVE_RESEED_TIME_INTERVAL (7*60) /* 7 minutes */
@@ -193,17 +177,16 @@ diff -up openssl-1.1.1b/crypto/rand/rand_lcl.h.crng-test openssl-1.1.1b/crypto/r
/*
* Maximum input size for the DRBG (entropy, nonce, personalization string)
-@@ -44,7 +52,8 @@
+@@ -44,6 +52,8 @@
*/
# define DRBG_MAX_LENGTH INT32_MAX
--
+/* The default nonce */
+# define DRBG_DEFAULT_PERS_STRING "OpenSSL NIST SP 800-90A DRBG"
/*
* Maximum allocation size for RANDOM_POOL buffers
-@@ -290,4 +299,22 @@ int rand_drbg_enable_locking(RAND_DRBG *
+@@ -296,4 +306,22 @@ int rand_drbg_enable_locking(RAND_DRBG *
/* initializes the AES-CTR DRBG implementation */
int drbg_ctr_init(RAND_DRBG *drbg);
@@ -226,10 +209,28 @@ diff -up openssl-1.1.1b/crypto/rand/rand_lcl.h.crng-test openssl-1.1.1b/crypto/r
+int rand_crngt_single_init(void);
+
#endif
-diff -up openssl-1.1.1b/test/drbgtest.c.crng-test openssl-1.1.1b/test/drbgtest.c
---- openssl-1.1.1b/test/drbgtest.c.crng-test 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/test/drbgtest.c 2019-05-07 10:06:24.706551561 +0200
-@@ -143,6 +143,31 @@ static size_t kat_nonce(RAND_DRBG *drbg,
+diff -up openssl-1.1.1g/include/crypto/rand.h.crng-test openssl-1.1.1g/include/crypto/rand.h
+--- openssl-1.1.1g/include/crypto/rand.h.crng-test 2020-04-23 13:30:45.824390573 +0200
++++ openssl-1.1.1g/include/crypto/rand.h 2020-04-23 13:30:45.864389819 +0200
+@@ -49,6 +49,14 @@ size_t rand_drbg_get_additional_data(RAN
+
+ void rand_drbg_cleanup_additional_data(RAND_POOL *pool, unsigned char *out);
+
++/* CRNG test entropy filter callbacks. */
++size_t rand_crngt_get_entropy(RAND_DRBG *drbg,
++ unsigned char **pout,
++ int entropy, size_t min_len, size_t max_len,
++ int prediction_resistance);
++void rand_crngt_cleanup_entropy(RAND_DRBG *drbg,
++ unsigned char *out, size_t outlen);
++
+ /*
+ * RAND_POOL functions
+ */
+diff -up openssl-1.1.1g/test/drbgtest.c.crng-test openssl-1.1.1g/test/drbgtest.c
+--- openssl-1.1.1g/test/drbgtest.c.crng-test 2020-04-21 14:22:39.000000000 +0200
++++ openssl-1.1.1g/test/drbgtest.c 2020-04-23 13:30:45.865389800 +0200
+@@ -150,6 +150,31 @@ static size_t kat_nonce(RAND_DRBG *drbg,
return t->noncelen;
}
@@ -261,7 +262,7 @@ diff -up openssl-1.1.1b/test/drbgtest.c.crng-test openssl-1.1.1b/test/drbgtest.c
static int uninstantiate(RAND_DRBG *drbg)
{
int ret = drbg == NULL ? 1 : RAND_DRBG_uninstantiate(drbg);
-@@ -168,7 +193,8 @@ static int single_kat(DRBG_SELFTEST_DATA
+@@ -175,7 +200,8 @@ static int single_kat(DRBG_SELFTEST_DATA
if (!TEST_ptr(drbg = RAND_DRBG_new(td->nid, td->flags, NULL)))
return 0;
if (!TEST_true(RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,
@@ -271,7 +272,7 @@ diff -up openssl-1.1.1b/test/drbgtest.c.crng-test openssl-1.1.1b/test/drbgtest.c
failures++;
goto err;
}
-@@ -286,7 +312,8 @@ static int error_check(DRBG_SELFTEST_DAT
+@@ -293,7 +319,8 @@ static int error_check(DRBG_SELFTEST_DAT
unsigned int reseed_counter_tmp;
int ret = 0;
@@ -281,7 +282,7 @@ diff -up openssl-1.1.1b/test/drbgtest.c.crng-test openssl-1.1.1b/test/drbgtest.c
goto err;
/*
-@@ -699,6 +726,10 @@ static int test_rand_drbg_reseed(void)
+@@ -740,6 +767,10 @@ static int test_rand_drbg_reseed(void)
|| !TEST_ptr_eq(private->parent, master))
return 0;
@@ -292,7 +293,7 @@ diff -up openssl-1.1.1b/test/drbgtest.c.crng-test openssl-1.1.1b/test/drbgtest.c
/* uninstantiate the three global DRBGs */
RAND_DRBG_uninstantiate(private);
RAND_DRBG_uninstantiate(public);
-@@ -919,7 +950,8 @@ static int test_rand_seed(void)
+@@ -964,7 +995,8 @@ static int test_rand_seed(void)
size_t rand_buflen;
size_t required_seed_buflen = 0;
@@ -302,7 +303,7 @@ diff -up openssl-1.1.1b/test/drbgtest.c.crng-test openssl-1.1.1b/test/drbgtest.c
return 0;
#ifdef OPENSSL_RAND_SEED_NONE
-@@ -968,6 +1000,95 @@ static int test_rand_add(void)
+@@ -1013,6 +1045,95 @@ static int test_rand_add(void)
return 1;
}
@@ -398,7 +399,7 @@ diff -up openssl-1.1.1b/test/drbgtest.c.crng-test openssl-1.1.1b/test/drbgtest.c
int setup_tests(void)
{
app_data_index = RAND_DRBG_get_ex_new_index(0L, NULL, NULL, NULL, NULL);
-@@ -980,5 +1101,6 @@ int setup_tests(void)
+@@ -1025,5 +1146,6 @@ int setup_tests(void)
#if defined(OPENSSL_THREADS)
ADD_TEST(test_multi_thread);
#endif
diff --git a/SOURCES/openssl-1.1.1-fips-curves.patch b/SOURCES/openssl-1.1.1-fips-curves.patch
index 038bbbf..33e9fc5 100644
--- a/SOURCES/openssl-1.1.1-fips-curves.patch
+++ b/SOURCES/openssl-1.1.1-fips-curves.patch
@@ -1,6 +1,6 @@
-diff -up openssl-1.1.1c/crypto/ec/ec_curve.c.fips-curves openssl-1.1.1c/crypto/ec/ec_curve.c
---- openssl-1.1.1c/crypto/ec/ec_curve.c.fips-curves 2019-11-25 13:18:40.719532357 +0100
-+++ openssl-1.1.1c/crypto/ec/ec_curve.c 2019-11-25 13:18:40.765531559 +0100
+diff -up openssl-1.1.1g/crypto/ec/ec_curve.c.fips-curves openssl-1.1.1g/crypto/ec/ec_curve.c
+--- openssl-1.1.1g/crypto/ec/ec_curve.c.fips-curves 2020-05-18 12:59:54.839643980 +0200
++++ openssl-1.1.1g/crypto/ec/ec_curve.c 2020-05-18 12:59:54.852644093 +0200
@@ -13,6 +13,7 @@
#include <openssl/err.h>
#include <openssl/obj_mac.h>
@@ -106,18 +106,10 @@ diff -up openssl-1.1.1c/crypto/ec/ec_curve.c.fips-curves openssl-1.1.1c/crypto/e
}
/* Functions to translate between common NIST curve names and NIDs */
-diff -up openssl-1.1.1c/ssl/t1_lib.c.fips-curves openssl-1.1.1c/ssl/t1_lib.c
---- openssl-1.1.1c/ssl/t1_lib.c.fips-curves 2019-11-25 13:18:40.658533416 +0100
-+++ openssl-1.1.1c/ssl/t1_lib.c 2019-11-26 17:57:15.014742428 +0100
-@@ -20,6 +20,7 @@
- #include "internal/nelem.h"
- #include "ssl_locl.h"
- #include <openssl/ct.h>
-+#include <openssl/crypto.h>
-
- SSL3_ENC_METHOD const TLSv1_enc_data = {
- tls1_enc,
-@@ -676,6 +677,36 @@ static const uint16_t tls12_sigalgs[] =
+diff -up openssl-1.1.1g/ssl/t1_lib.c.fips-curves openssl-1.1.1g/ssl/t1_lib.c
+--- openssl-1.1.1g/ssl/t1_lib.c.fips-curves 2020-05-18 12:59:54.797643616 +0200
++++ openssl-1.1.1g/ssl/t1_lib.c 2020-05-18 13:03:54.748725463 +0200
+@@ -678,6 +678,36 @@ static const uint16_t tls12_sigalgs[] =
#endif
};
@@ -154,20 +146,16 @@ diff -up openssl-1.1.1c/ssl/t1_lib.c.fips-curves openssl-1.1.1c/ssl/t1_lib.c
#ifndef OPENSSL_NO_EC
static const uint16_t suiteb_sigalgs[] = {
TLSEXT_SIGALG_ecdsa_secp256r1_sha256,
-@@ -890,8 +921,11 @@ static const SIGALG_LOOKUP *tls1_get_leg
+@@ -894,6 +924,8 @@ static const SIGALG_LOOKUP *tls1_get_leg
+ }
if (idx < 0 || idx >= (int)OSSL_NELEM(tls_default_sigalg))
return NULL;
++ if (FIPS_mode()) /* We do not allow legacy SHA1 signatures in FIPS mode */
++ return NULL;
if (SSL_USE_SIGALGS(s) || idx != SSL_PKEY_RSA) {
-- const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(tls_default_sigalg[idx]);
-+ const SIGALG_LOOKUP *lu;
+ const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(tls_default_sigalg[idx]);
-+ if (FIPS_mode()) /* We do not allow SHA1 signatures in FIPS mode */
-+ return NULL;
-+ lu = tls1_lookup_sigalg(tls_default_sigalg[idx]);
- if (!tls1_lookup_md(lu, NULL))
- return NULL;
- return lu;
-@@ -945,6 +979,9 @@ size_t tls12_get_psigalgs(SSL *s, int se
+@@ -954,6 +986,9 @@ size_t tls12_get_psigalgs(SSL *s, int se
} else if (s->cert->conf_sigalgs) {
*psigs = s->cert->conf_sigalgs;
return s->cert->conf_sigalgslen;
@@ -177,7 +165,7 @@ diff -up openssl-1.1.1c/ssl/t1_lib.c.fips-curves openssl-1.1.1c/ssl/t1_lib.c
} else {
*psigs = tls12_sigalgs;
return OSSL_NELEM(tls12_sigalgs);
-@@ -964,6 +1001,9 @@ int tls_check_sigalg_curve(const SSL *s,
+@@ -973,6 +1008,9 @@ int tls_check_sigalg_curve(const SSL *s,
if (s->cert->conf_sigalgs) {
sigs = s->cert->conf_sigalgs;
siglen = s->cert->conf_sigalgslen;
@@ -187,7 +175,7 @@ diff -up openssl-1.1.1c/ssl/t1_lib.c.fips-curves openssl-1.1.1c/ssl/t1_lib.c
} else {
sigs = tls12_sigalgs;
siglen = OSSL_NELEM(tls12_sigalgs);
-@@ -1582,6 +1622,8 @@ static int tls12_sigalg_allowed(SSL *s,
+@@ -1617,6 +1655,8 @@ static int tls12_sigalg_allowed(const SS
if (lu->sig == NID_id_GostR3410_2012_256
|| lu->sig == NID_id_GostR3410_2012_512
|| lu->sig == NID_id_GostR3410_2001) {
@@ -196,7 +184,7 @@ diff -up openssl-1.1.1c/ssl/t1_lib.c.fips-curves openssl-1.1.1c/ssl/t1_lib.c
/* We never allow GOST sig algs on the server with TLSv1.3 */
if (s->server && SSL_IS_TLS13(s))
return 0;
-@@ -2720,6 +2762,13 @@ int tls_choose_sigalg(SSL *s, int fatale
+@@ -2842,6 +2882,13 @@ int tls_choose_sigalg(SSL *s, int fatale
const uint16_t *sent_sigs;
size_t sent_sigslen;
diff --git a/SOURCES/openssl-1.1.1-fips-dh.patch b/SOURCES/openssl-1.1.1-fips-dh.patch
new file mode 100644
index 0000000..9e15289
--- /dev/null
+++ b/SOURCES/openssl-1.1.1-fips-dh.patch
@@ -0,0 +1,2658 @@
+diff -up openssl-1.1.1g/crypto/bn/bn_const.c.fips-dh openssl-1.1.1g/crypto/bn/bn_const.c
+--- openssl-1.1.1g/crypto/bn/bn_const.c.fips-dh 2020-04-21 14:22:39.000000000 +0200
++++ openssl-1.1.1g/crypto/bn/bn_const.c 2020-06-05 17:31:28.044776018 +0200
+@@ -1,13 +1,17 @@
+ /*
+- * Copyright 2005-2016 The OpenSSL Project Authors. All Rights Reserved.
++ * Copyright 2005-2020 The OpenSSL Project Authors. All Rights Reserved.
+ *
+- * Licensed under the OpenSSL license (the "License"). You may not use
++ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+ #include <openssl/bn.h>
++#include "crypto/bn_dh.h"
++
++#define COPY_BN(dst, src) (dst != NULL) ? BN_copy(dst, &src) : BN_dup(&src)
++
+
+ /*-
+ * "First Oakley Default Group" from RFC2409, section 6.1.
+@@ -80,33 +84,7 @@ BIGNUM *BN_get_rfc2409_prime_1024(BIGNUM
+
+ BIGNUM *BN_get_rfc3526_prime_1536(BIGNUM *bn)
+ {
+- static const unsigned char RFC3526_PRIME_1536[] = {
+- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34,
+- 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1,
+- 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74,
+- 0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x13, 0x9B, 0x22,
+- 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD,
+- 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B,
+- 0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, 0x37,
+- 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45,
+- 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6,
+- 0xF4, 0x4C, 0x42, 0xE9, 0xA6, 0x37, 0xED, 0x6B,
+- 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED,
+- 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5,
+- 0xAE, 0x9F, 0x24, 0x11, 0x7C, 0x4B, 0x1F, 0xE6,
+- 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D,
+- 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05,
+- 0x98, 0xDA, 0x48, 0x36, 0x1C, 0x55, 0xD3, 0x9A,
+- 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F,
+- 0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96,
+- 0x1C, 0x62, 0xF3, 0x56, 0x20, 0x85, 0x52, 0xBB,
+- 0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D,
+- 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04,
+- 0xF1, 0x74, 0x6C, 0x08, 0xCA, 0x23, 0x73, 0x27,
+- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- };
+- return BN_bin2bn(RFC3526_PRIME_1536, sizeof(RFC3526_PRIME_1536), bn);
++ return COPY_BN(bn, _bignum_modp_1536_p);
+ }
+
+ /*-
+@@ -119,41 +97,7 @@ BIGNUM *BN_get_rfc3526_prime_1536(BIGNUM
+
+ BIGNUM *BN_get_rfc3526_prime_2048(BIGNUM *bn)
+ {
+- static const unsigned char RFC3526_PRIME_2048[] = {
+- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34,
+- 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1,
+- 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74,
+- 0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x13, 0x9B, 0x22,
+- 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD,
+- 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B,
+- 0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, 0x37,
+- 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45,
+- 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6,
+- 0xF4, 0x4C, 0x42, 0xE9, 0xA6, 0x37, 0xED, 0x6B,
+- 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED,
+- 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5,
+- 0xAE, 0x9F, 0x24, 0x11, 0x7C, 0x4B, 0x1F, 0xE6,
+- 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D,
+- 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05,
+- 0x98, 0xDA, 0x48, 0x36, 0x1C, 0x55, 0xD3, 0x9A,
+- 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F,
+- 0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96,
+- 0x1C, 0x62, 0xF3, 0x56, 0x20, 0x85, 0x52, 0xBB,
+- 0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D,
+- 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04,
+- 0xF1, 0x74, 0x6C, 0x08, 0xCA, 0x18, 0x21, 0x7C,
+- 0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B,
+- 0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03,
+- 0x9B, 0x27, 0x83, 0xA2, 0xEC, 0x07, 0xA2, 0x8F,
+- 0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9,
+- 0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18,
+- 0x39, 0x95, 0x49, 0x7C, 0xEA, 0x95, 0x6A, 0xE5,
+- 0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10,
+- 0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAC, 0xAA, 0x68,
+- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- };
+- return BN_bin2bn(RFC3526_PRIME_2048, sizeof(RFC3526_PRIME_2048), bn);
++ return COPY_BN(bn, _bignum_modp_2048_p);
+ }
+
+ /*-
+@@ -166,57 +110,7 @@ BIGNUM *BN_get_rfc3526_prime_2048(BIGNUM
+
+ BIGNUM *BN_get_rfc3526_prime_3072(BIGNUM *bn)
+ {
+- static const unsigned char RFC3526_PRIME_3072[] = {
+- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34,
+- 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1,
+- 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74,
+- 0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x13, 0x9B, 0x22,
+- 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD,
+- 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B,
+- 0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, 0x37,
+- 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45,
+- 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6,
+- 0xF4, 0x4C, 0x42, 0xE9, 0xA6, 0x37, 0xED, 0x6B,
+- 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED,
+- 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5,
+- 0xAE, 0x9F, 0x24, 0x11, 0x7C, 0x4B, 0x1F, 0xE6,
+- 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D,
+- 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05,
+- 0x98, 0xDA, 0x48, 0x36, 0x1C, 0x55, 0xD3, 0x9A,
+- 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F,
+- 0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96,
+- 0x1C, 0x62, 0xF3, 0x56, 0x20, 0x85, 0x52, 0xBB,
+- 0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D,
+- 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04,
+- 0xF1, 0x74, 0x6C, 0x08, 0xCA, 0x18, 0x21, 0x7C,
+- 0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B,
+- 0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03,
+- 0x9B, 0x27, 0x83, 0xA2, 0xEC, 0x07, 0xA2, 0x8F,
+- 0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9,
+- 0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18,
+- 0x39, 0x95, 0x49, 0x7C, 0xEA, 0x95, 0x6A, 0xE5,
+- 0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10,
+- 0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAA, 0xC4, 0x2D,
+- 0xAD, 0x33, 0x17, 0x0D, 0x04, 0x50, 0x7A, 0x33,
+- 0xA8, 0x55, 0x21, 0xAB, 0xDF, 0x1C, 0xBA, 0x64,
+- 0xEC, 0xFB, 0x85, 0x04, 0x58, 0xDB, 0xEF, 0x0A,
+- 0x8A, 0xEA, 0x71, 0x57, 0x5D, 0x06, 0x0C, 0x7D,
+- 0xB3, 0x97, 0x0F, 0x85, 0xA6, 0xE1, 0xE4, 0xC7,
+- 0xAB, 0xF5, 0xAE, 0x8C, 0xDB, 0x09, 0x33, 0xD7,
+- 0x1E, 0x8C, 0x94, 0xE0, 0x4A, 0x25, 0x61, 0x9D,
+- 0xCE, 0xE3, 0xD2, 0x26, 0x1A, 0xD2, 0xEE, 0x6B,
+- 0xF1, 0x2F, 0xFA, 0x06, 0xD9, 0x8A, 0x08, 0x64,
+- 0xD8, 0x76, 0x02, 0x73, 0x3E, 0xC8, 0x6A, 0x64,
+- 0x52, 0x1F, 0x2B, 0x18, 0x17, 0x7B, 0x20, 0x0C,
+- 0xBB, 0xE1, 0x17, 0x57, 0x7A, 0x61, 0x5D, 0x6C,
+- 0x77, 0x09, 0x88, 0xC0, 0xBA, 0xD9, 0x46, 0xE2,
+- 0x08, 0xE2, 0x4F, 0xA0, 0x74, 0xE5, 0xAB, 0x31,
+- 0x43, 0xDB, 0x5B, 0xFC, 0xE0, 0xFD, 0x10, 0x8E,
+- 0x4B, 0x82, 0xD1, 0x20, 0xA9, 0x3A, 0xD2, 0xCA,
+- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- };
+- return BN_bin2bn(RFC3526_PRIME_3072, sizeof(RFC3526_PRIME_3072), bn);
++ return COPY_BN(bn, _bignum_modp_3072_p);
+ }
+
+ /*-
+@@ -229,73 +123,7 @@ BIGNUM *BN_get_rfc3526_prime_3072(BIGNUM
+
+ BIGNUM *BN_get_rfc3526_prime_4096(BIGNUM *bn)
+ {
+- static const unsigned char RFC3526_PRIME_4096[] = {
+- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34,
+- 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1,
+- 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74,
+- 0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x13, 0x9B, 0x22,
+- 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD,
+- 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B,
+- 0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, 0x37,
+- 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45,
+- 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6,
+- 0xF4, 0x4C, 0x42, 0xE9, 0xA6, 0x37, 0xED, 0x6B,
+- 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED,
+- 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5,
+- 0xAE, 0x9F, 0x24, 0x11, 0x7C, 0x4B, 0x1F, 0xE6,
+- 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D,
+- 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05,
+- 0x98, 0xDA, 0x48, 0x36, 0x1C, 0x55, 0xD3, 0x9A,
+- 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F,
+- 0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96,
+- 0x1C, 0x62, 0xF3, 0x56, 0x20, 0x85, 0x52, 0xBB,
+- 0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D,
+- 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04,
+- 0xF1, 0x74, 0x6C, 0x08, 0xCA, 0x18, 0x21, 0x7C,
+- 0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B,
+- 0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03,
+- 0x9B, 0x27, 0x83, 0xA2, 0xEC, 0x07, 0xA2, 0x8F,
+- 0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9,
+- 0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18,
+- 0x39, 0x95, 0x49, 0x7C, 0xEA, 0x95, 0x6A, 0xE5,
+- 0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10,
+- 0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAA, 0xC4, 0x2D,
+- 0xAD, 0x33, 0x17, 0x0D, 0x04, 0x50, 0x7A, 0x33,
+- 0xA8, 0x55, 0x21, 0xAB, 0xDF, 0x1C, 0xBA, 0x64,
+- 0xEC, 0xFB, 0x85, 0x04, 0x58, 0xDB, 0xEF, 0x0A,
+- 0x8A, 0xEA, 0x71, 0x57, 0x5D, 0x06, 0x0C, 0x7D,
+- 0xB3, 0x97, 0x0F, 0x85, 0xA6, 0xE1, 0xE4, 0xC7,
+- 0xAB, 0xF5, 0xAE, 0x8C, 0xDB, 0x09, 0x33, 0xD7,
+- 0x1E, 0x8C, 0x94, 0xE0, 0x4A, 0x25, 0x61, 0x9D,
+- 0xCE, 0xE3, 0xD2, 0x26, 0x1A, 0xD2, 0xEE, 0x6B,
+- 0xF1, 0x2F, 0xFA, 0x06, 0xD9, 0x8A, 0x08, 0x64,
+- 0xD8, 0x76, 0x02, 0x73, 0x3E, 0xC8, 0x6A, 0x64,
+- 0x52, 0x1F, 0x2B, 0x18, 0x17, 0x7B, 0x20, 0x0C,
+- 0xBB, 0xE1, 0x17, 0x57, 0x7A, 0x61, 0x5D, 0x6C,
+- 0x77, 0x09, 0x88, 0xC0, 0xBA, 0xD9, 0x46, 0xE2,
+- 0x08, 0xE2, 0x4F, 0xA0, 0x74, 0xE5, 0xAB, 0x31,
+- 0x43, 0xDB, 0x5B, 0xFC, 0xE0, 0xFD, 0x10, 0x8E,
+- 0x4B, 0x82, 0xD1, 0x20, 0xA9, 0x21, 0x08, 0x01,
+- 0x1A, 0x72, 0x3C, 0x12, 0xA7, 0x87, 0xE6, 0xD7,
+- 0x88, 0x71, 0x9A, 0x10, 0xBD, 0xBA, 0x5B, 0x26,
+- 0x99, 0xC3, 0x27, 0x18, 0x6A, 0xF4, 0xE2, 0x3C,
+- 0x1A, 0x94, 0x68, 0x34, 0xB6, 0x15, 0x0B, 0xDA,
+- 0x25, 0x83, 0xE9, 0xCA, 0x2A, 0xD4, 0x4C, 0xE8,
+- 0xDB, 0xBB, 0xC2, 0xDB, 0x04, 0xDE, 0x8E, 0xF9,
+- 0x2E, 0x8E, 0xFC, 0x14, 0x1F, 0xBE, 0xCA, 0xA6,
+- 0x28, 0x7C, 0x59, 0x47, 0x4E, 0x6B, 0xC0, 0x5D,
+- 0x99, 0xB2, 0x96, 0x4F, 0xA0, 0x90, 0xC3, 0xA2,
+- 0x23, 0x3B, 0xA1, 0x86, 0x51, 0x5B, 0xE7, 0xED,
+- 0x1F, 0x61, 0x29, 0x70, 0xCE, 0xE2, 0xD7, 0xAF,
+- 0xB8, 0x1B, 0xDD, 0x76, 0x21, 0x70, 0x48, 0x1C,
+- 0xD0, 0x06, 0x91, 0x27, 0xD5, 0xB0, 0x5A, 0xA9,
+- 0x93, 0xB4, 0xEA, 0x98, 0x8D, 0x8F, 0xDD, 0xC1,
+- 0x86, 0xFF, 0xB7, 0xDC, 0x90, 0xA6, 0xC0, 0x8F,
+- 0x4D, 0xF4, 0x35, 0xC9, 0x34, 0x06, 0x31, 0x99,
+- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- };
+- return BN_bin2bn(RFC3526_PRIME_4096, sizeof(RFC3526_PRIME_4096), bn);
++ return COPY_BN(bn, _bignum_modp_4096_p);
+ }
+
+ /*-
+@@ -308,105 +136,7 @@ BIGNUM *BN_get_rfc3526_prime_4096(BIGNUM
+
+ BIGNUM *BN_get_rfc3526_prime_6144(BIGNUM *bn)
+ {
+- static const unsigned char RFC3526_PRIME_6144[] = {
+- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34,
+- 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1,
+- 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74,
+- 0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x13, 0x9B, 0x22,
+- 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD,
+- 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B,
+- 0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, 0x37,
+- 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45,
+- 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6,
+- 0xF4, 0x4C, 0x42, 0xE9, 0xA6, 0x37, 0xED, 0x6B,
+- 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED,
+- 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5,
+- 0xAE, 0x9F, 0x24, 0x11, 0x7C, 0x4B, 0x1F, 0xE6,
+- 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D,
+- 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05,
+- 0x98, 0xDA, 0x48, 0x36, 0x1C, 0x55, 0xD3, 0x9A,
+- 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F,
+- 0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96,
+- 0x1C, 0x62, 0xF3, 0x56, 0x20, 0x85, 0x52, 0xBB,
+- 0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D,
+- 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04,
+- 0xF1, 0x74, 0x6C, 0x08, 0xCA, 0x18, 0x21, 0x7C,
+- 0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B,
+- 0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03,
+- 0x9B, 0x27, 0x83, 0xA2, 0xEC, 0x07, 0xA2, 0x8F,
+- 0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9,
+- 0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18,
+- 0x39, 0x95, 0x49, 0x7C, 0xEA, 0x95, 0x6A, 0xE5,
+- 0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10,
+- 0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAA, 0xC4, 0x2D,
+- 0xAD, 0x33, 0x17, 0x0D, 0x04, 0x50, 0x7A, 0x33,
+- 0xA8, 0x55, 0x21, 0xAB, 0xDF, 0x1C, 0xBA, 0x64,
+- 0xEC, 0xFB, 0x85, 0x04, 0x58, 0xDB, 0xEF, 0x0A,
+- 0x8A, 0xEA, 0x71, 0x57, 0x5D, 0x06, 0x0C, 0x7D,
+- 0xB3, 0x97, 0x0F, 0x85, 0xA6, 0xE1, 0xE4, 0xC7,
+- 0xAB, 0xF5, 0xAE, 0x8C, 0xDB, 0x09, 0x33, 0xD7,
+- 0x1E, 0x8C, 0x94, 0xE0, 0x4A, 0x25, 0x61, 0x9D,
+- 0xCE, 0xE3, 0xD2, 0x26, 0x1A, 0xD2, 0xEE, 0x6B,
+- 0xF1, 0x2F, 0xFA, 0x06, 0xD9, 0x8A, 0x08, 0x64,
+- 0xD8, 0x76, 0x02, 0x73, 0x3E, 0xC8, 0x6A, 0x64,
+- 0x52, 0x1F, 0x2B, 0x18, 0x17, 0x7B, 0x20, 0x0C,
+- 0xBB, 0xE1, 0x17, 0x57, 0x7A, 0x61, 0x5D, 0x6C,
+- 0x77, 0x09, 0x88, 0xC0, 0xBA, 0xD9, 0x46, 0xE2,
+- 0x08, 0xE2, 0x4F, 0xA0, 0x74, 0xE5, 0xAB, 0x31,
+- 0x43, 0xDB, 0x5B, 0xFC, 0xE0, 0xFD, 0x10, 0x8E,
+- 0x4B, 0x82, 0xD1, 0x20, 0xA9, 0x21, 0x08, 0x01,
+- 0x1A, 0x72, 0x3C, 0x12, 0xA7, 0x87, 0xE6, 0xD7,
+- 0x88, 0x71, 0x9A, 0x10, 0xBD, 0xBA, 0x5B, 0x26,
+- 0x99, 0xC3, 0x27, 0x18, 0x6A, 0xF4, 0xE2, 0x3C,
+- 0x1A, 0x94, 0x68, 0x34, 0xB6, 0x15, 0x0B, 0xDA,
+- 0x25, 0x83, 0xE9, 0xCA, 0x2A, 0xD4, 0x4C, 0xE8,
+- 0xDB, 0xBB, 0xC2, 0xDB, 0x04, 0xDE, 0x8E, 0xF9,
+- 0x2E, 0x8E, 0xFC, 0x14, 0x1F, 0xBE, 0xCA, 0xA6,
+- 0x28, 0x7C, 0x59, 0x47, 0x4E, 0x6B, 0xC0, 0x5D,
+- 0x99, 0xB2, 0x96, 0x4F, 0xA0, 0x90, 0xC3, 0xA2,
+- 0x23, 0x3B, 0xA1, 0x86, 0x51, 0x5B, 0xE7, 0xED,
+- 0x1F, 0x61, 0x29, 0x70, 0xCE, 0xE2, 0xD7, 0xAF,
+- 0xB8, 0x1B, 0xDD, 0x76, 0x21, 0x70, 0x48, 0x1C,
+- 0xD0, 0x06, 0x91, 0x27, 0xD5, 0xB0, 0x5A, 0xA9,
+- 0x93, 0xB4, 0xEA, 0x98, 0x8D, 0x8F, 0xDD, 0xC1,
+- 0x86, 0xFF, 0xB7, 0xDC, 0x90, 0xA6, 0xC0, 0x8F,
+- 0x4D, 0xF4, 0x35, 0xC9, 0x34, 0x02, 0x84, 0x92,
+- 0x36, 0xC3, 0xFA, 0xB4, 0xD2, 0x7C, 0x70, 0x26,
+- 0xC1, 0xD4, 0xDC, 0xB2, 0x60, 0x26, 0x46, 0xDE,
+- 0xC9, 0x75, 0x1E, 0x76, 0x3D, 0xBA, 0x37, 0xBD,
+- 0xF8, 0xFF, 0x94, 0x06, 0xAD, 0x9E, 0x53, 0x0E,
+- 0xE5, 0xDB, 0x38, 0x2F, 0x41, 0x30, 0x01, 0xAE,
+- 0xB0, 0x6A, 0x53, 0xED, 0x90, 0x27, 0xD8, 0x31,
+- 0x17, 0x97, 0x27, 0xB0, 0x86, 0x5A, 0x89, 0x18,
+- 0xDA, 0x3E, 0xDB, 0xEB, 0xCF, 0x9B, 0x14, 0xED,
+- 0x44, 0xCE, 0x6C, 0xBA, 0xCE, 0xD4, 0xBB, 0x1B,
+- 0xDB, 0x7F, 0x14, 0x47, 0xE6, 0xCC, 0x25, 0x4B,
+- 0x33, 0x20, 0x51, 0x51, 0x2B, 0xD7, 0xAF, 0x42,
+- 0x6F, 0xB8, 0xF4, 0x01, 0x37, 0x8C, 0xD2, 0xBF,
+- 0x59, 0x83, 0xCA, 0x01, 0xC6, 0x4B, 0x92, 0xEC,
+- 0xF0, 0x32, 0xEA, 0x15, 0xD1, 0x72, 0x1D, 0x03,
+- 0xF4, 0x82, 0xD7, 0xCE, 0x6E, 0x74, 0xFE, 0xF6,
+- 0xD5, 0x5E, 0x70, 0x2F, 0x46, 0x98, 0x0C, 0x82,
+- 0xB5, 0xA8, 0x40, 0x31, 0x90, 0x0B, 0x1C, 0x9E,
+- 0x59, 0xE7, 0xC9, 0x7F, 0xBE, 0xC7, 0xE8, 0xF3,
+- 0x23, 0xA9, 0x7A, 0x7E, 0x36, 0xCC, 0x88, 0xBE,
+- 0x0F, 0x1D, 0x45, 0xB7, 0xFF, 0x58, 0x5A, 0xC5,
+- 0x4B, 0xD4, 0x07, 0xB2, 0x2B, 0x41, 0x54, 0xAA,
+- 0xCC, 0x8F, 0x6D, 0x7E, 0xBF, 0x48, 0xE1, 0xD8,
+- 0x14, 0xCC, 0x5E, 0xD2, 0x0F, 0x80, 0x37, 0xE0,
+- 0xA7, 0x97, 0x15, 0xEE, 0xF2, 0x9B, 0xE3, 0x28,
+- 0x06, 0xA1, 0xD5, 0x8B, 0xB7, 0xC5, 0xDA, 0x76,
+- 0xF5, 0x50, 0xAA, 0x3D, 0x8A, 0x1F, 0xBF, 0xF0,
+- 0xEB, 0x19, 0xCC, 0xB1, 0xA3, 0x13, 0xD5, 0x5C,
+- 0xDA, 0x56, 0xC9, 0xEC, 0x2E, 0xF2, 0x96, 0x32,
+- 0x38, 0x7F, 0xE8, 0xD7, 0x6E, 0x3C, 0x04, 0x68,
+- 0x04, 0x3E, 0x8F, 0x66, 0x3F, 0x48, 0x60, 0xEE,
+- 0x12, 0xBF, 0x2D, 0x5B, 0x0B, 0x74, 0x74, 0xD6,
+- 0xE6, 0x94, 0xF9, 0x1E, 0x6D, 0xCC, 0x40, 0x24,
+- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- };
+- return BN_bin2bn(RFC3526_PRIME_6144, sizeof(RFC3526_PRIME_6144), bn);
++ return COPY_BN(bn, _bignum_modp_6144_p);
+ }
+
+ /*-
+@@ -419,135 +149,5 @@ BIGNUM *BN_get_rfc3526_prime_6144(BIGNUM
+
+ BIGNUM *BN_get_rfc3526_prime_8192(BIGNUM *bn)
+ {
+- static const unsigned char RFC3526_PRIME_8192[] = {
+- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34,
+- 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1,
+- 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74,
+- 0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x13, 0x9B, 0x22,
+- 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD,
+- 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B,
+- 0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, 0x37,
+- 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45,
+- 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6,
+- 0xF4, 0x4C, 0x42, 0xE9, 0xA6, 0x37, 0xED, 0x6B,
+- 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED,
+- 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5,
+- 0xAE, 0x9F, 0x24, 0x11, 0x7C, 0x4B, 0x1F, 0xE6,
+- 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D,
+- 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05,
+- 0x98, 0xDA, 0x48, 0x36, 0x1C, 0x55, 0xD3, 0x9A,
+- 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F,
+- 0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96,
+- 0x1C, 0x62, 0xF3, 0x56, 0x20, 0x85, 0x52, 0xBB,
+- 0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D,
+- 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04,
+- 0xF1, 0x74, 0x6C, 0x08, 0xCA, 0x18, 0x21, 0x7C,
+- 0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B,
+- 0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03,
+- 0x9B, 0x27, 0x83, 0xA2, 0xEC, 0x07, 0xA2, 0x8F,
+- 0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9,
+- 0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18,
+- 0x39, 0x95, 0x49, 0x7C, 0xEA, 0x95, 0x6A, 0xE5,
+- 0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10,
+- 0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAA, 0xC4, 0x2D,
+- 0xAD, 0x33, 0x17, 0x0D, 0x04, 0x50, 0x7A, 0x33,
+- 0xA8, 0x55, 0x21, 0xAB, 0xDF, 0x1C, 0xBA, 0x64,
+- 0xEC, 0xFB, 0x85, 0x04, 0x58, 0xDB, 0xEF, 0x0A,
+- 0x8A, 0xEA, 0x71, 0x57, 0x5D, 0x06, 0x0C, 0x7D,
+- 0xB3, 0x97, 0x0F, 0x85, 0xA6, 0xE1, 0xE4, 0xC7,
+- 0xAB, 0xF5, 0xAE, 0x8C, 0xDB, 0x09, 0x33, 0xD7,
+- 0x1E, 0x8C, 0x94, 0xE0, 0x4A, 0x25, 0x61, 0x9D,
+- 0xCE, 0xE3, 0xD2, 0x26, 0x1A, 0xD2, 0xEE, 0x6B,
+- 0xF1, 0x2F, 0xFA, 0x06, 0xD9, 0x8A, 0x08, 0x64,
+- 0xD8, 0x76, 0x02, 0x73, 0x3E, 0xC8, 0x6A, 0x64,
+- 0x52, 0x1F, 0x2B, 0x18, 0x17, 0x7B, 0x20, 0x0C,
+- 0xBB, 0xE1, 0x17, 0x57, 0x7A, 0x61, 0x5D, 0x6C,
+- 0x77, 0x09, 0x88, 0xC0, 0xBA, 0xD9, 0x46, 0xE2,
+- 0x08, 0xE2, 0x4F, 0xA0, 0x74, 0xE5, 0xAB, 0x31,
+- 0x43, 0xDB, 0x5B, 0xFC, 0xE0, 0xFD, 0x10, 0x8E,
+- 0x4B, 0x82, 0xD1, 0x20, 0xA9, 0x21, 0x08, 0x01,
+- 0x1A, 0x72, 0x3C, 0x12, 0xA7, 0x87, 0xE6, 0xD7,
+- 0x88, 0x71, 0x9A, 0x10, 0xBD, 0xBA, 0x5B, 0x26,
+- 0x99, 0xC3, 0x27, 0x18, 0x6A, 0xF4, 0xE2, 0x3C,
+- 0x1A, 0x94, 0x68, 0x34, 0xB6, 0x15, 0x0B, 0xDA,
+- 0x25, 0x83, 0xE9, 0xCA, 0x2A, 0xD4, 0x4C, 0xE8,
+- 0xDB, 0xBB, 0xC2, 0xDB, 0x04, 0xDE, 0x8E, 0xF9,
+- 0x2E, 0x8E, 0xFC, 0x14, 0x1F, 0xBE, 0xCA, 0xA6,
+- 0x28, 0x7C, 0x59, 0x47, 0x4E, 0x6B, 0xC0, 0x5D,
+- 0x99, 0xB2, 0x96, 0x4F, 0xA0, 0x90, 0xC3, 0xA2,
+- 0x23, 0x3B, 0xA1, 0x86, 0x51, 0x5B, 0xE7, 0xED,
+- 0x1F, 0x61, 0x29, 0x70, 0xCE, 0xE2, 0xD7, 0xAF,
+- 0xB8, 0x1B, 0xDD, 0x76, 0x21, 0x70, 0x48, 0x1C,
+- 0xD0, 0x06, 0x91, 0x27, 0xD5, 0xB0, 0x5A, 0xA9,
+- 0x93, 0xB4, 0xEA, 0x98, 0x8D, 0x8F, 0xDD, 0xC1,
+- 0x86, 0xFF, 0xB7, 0xDC, 0x90, 0xA6, 0xC0, 0x8F,
+- 0x4D, 0xF4, 0x35, 0xC9, 0x34, 0x02, 0x84, 0x92,
+- 0x36, 0xC3, 0xFA, 0xB4, 0xD2, 0x7C, 0x70, 0x26,
+- 0xC1, 0xD4, 0xDC, 0xB2, 0x60, 0x26, 0x46, 0xDE,
+- 0xC9, 0x75, 0x1E, 0x76, 0x3D, 0xBA, 0x37, 0xBD,
+- 0xF8, 0xFF, 0x94, 0x06, 0xAD, 0x9E, 0x53, 0x0E,
+- 0xE5, 0xDB, 0x38, 0x2F, 0x41, 0x30, 0x01, 0xAE,
+- 0xB0, 0x6A, 0x53, 0xED, 0x90, 0x27, 0xD8, 0x31,
+- 0x17, 0x97, 0x27, 0xB0, 0x86, 0x5A, 0x89, 0x18,
+- 0xDA, 0x3E, 0xDB, 0xEB, 0xCF, 0x9B, 0x14, 0xED,
+- 0x44, 0xCE, 0x6C, 0xBA, 0xCE, 0xD4, 0xBB, 0x1B,
+- 0xDB, 0x7F, 0x14, 0x47, 0xE6, 0xCC, 0x25, 0x4B,
+- 0x33, 0x20, 0x51, 0x51, 0x2B, 0xD7, 0xAF, 0x42,
+- 0x6F, 0xB8, 0xF4, 0x01, 0x37, 0x8C, 0xD2, 0xBF,
+- 0x59, 0x83, 0xCA, 0x01, 0xC6, 0x4B, 0x92, 0xEC,
+- 0xF0, 0x32, 0xEA, 0x15, 0xD1, 0x72, 0x1D, 0x03,
+- 0xF4, 0x82, 0xD7, 0xCE, 0x6E, 0x74, 0xFE, 0xF6,
+- 0xD5, 0x5E, 0x70, 0x2F, 0x46, 0x98, 0x0C, 0x82,
+- 0xB5, 0xA8, 0x40, 0x31, 0x90, 0x0B, 0x1C, 0x9E,
+- 0x59, 0xE7, 0xC9, 0x7F, 0xBE, 0xC7, 0xE8, 0xF3,
+- 0x23, 0xA9, 0x7A, 0x7E, 0x36, 0xCC, 0x88, 0xBE,
+- 0x0F, 0x1D, 0x45, 0xB7, 0xFF, 0x58, 0x5A, 0xC5,
+- 0x4B, 0xD4, 0x07, 0xB2, 0x2B, 0x41, 0x54, 0xAA,
+- 0xCC, 0x8F, 0x6D, 0x7E, 0xBF, 0x48, 0xE1, 0xD8,
+- 0x14, 0xCC, 0x5E, 0xD2, 0x0F, 0x80, 0x37, 0xE0,
+- 0xA7, 0x97, 0x15, 0xEE, 0xF2, 0x9B, 0xE3, 0x28,
+- 0x06, 0xA1, 0xD5, 0x8B, 0xB7, 0xC5, 0xDA, 0x76,
+- 0xF5, 0x50, 0xAA, 0x3D, 0x8A, 0x1F, 0xBF, 0xF0,
+- 0xEB, 0x19, 0xCC, 0xB1, 0xA3, 0x13, 0xD5, 0x5C,
+- 0xDA, 0x56, 0xC9, 0xEC, 0x2E, 0xF2, 0x96, 0x32,
+- 0x38, 0x7F, 0xE8, 0xD7, 0x6E, 0x3C, 0x04, 0x68,
+- 0x04, 0x3E, 0x8F, 0x66, 0x3F, 0x48, 0x60, 0xEE,
+- 0x12, 0xBF, 0x2D, 0x5B, 0x0B, 0x74, 0x74, 0xD6,
+- 0xE6, 0x94, 0xF9, 0x1E, 0x6D, 0xBE, 0x11, 0x59,
+- 0x74, 0xA3, 0x92, 0x6F, 0x12, 0xFE, 0xE5, 0xE4,
+- 0x38, 0x77, 0x7C, 0xB6, 0xA9, 0x32, 0xDF, 0x8C,
+- 0xD8, 0xBE, 0xC4, 0xD0, 0x73, 0xB9, 0x31, 0xBA,
+- 0x3B, 0xC8, 0x32, 0xB6, 0x8D, 0x9D, 0xD3, 0x00,
+- 0x74, 0x1F, 0xA7, 0xBF, 0x8A, 0xFC, 0x47, 0xED,
+- 0x25, 0x76, 0xF6, 0x93, 0x6B, 0xA4, 0x24, 0x66,
+- 0x3A, 0xAB, 0x63, 0x9C, 0x5A, 0xE4, 0xF5, 0x68,
+- 0x34, 0x23, 0xB4, 0x74, 0x2B, 0xF1, 0xC9, 0x78,
+- 0x23, 0x8F, 0x16, 0xCB, 0xE3, 0x9D, 0x65, 0x2D,
+- 0xE3, 0xFD, 0xB8, 0xBE, 0xFC, 0x84, 0x8A, 0xD9,
+- 0x22, 0x22, 0x2E, 0x04, 0xA4, 0x03, 0x7C, 0x07,
+- 0x13, 0xEB, 0x57, 0xA8, 0x1A, 0x23, 0xF0, 0xC7,
+- 0x34, 0x73, 0xFC, 0x64, 0x6C, 0xEA, 0x30, 0x6B,
+- 0x4B, 0xCB, 0xC8, 0x86, 0x2F, 0x83, 0x85, 0xDD,
+- 0xFA, 0x9D, 0x4B, 0x7F, 0xA2, 0xC0, 0x87, 0xE8,
+- 0x79, 0x68, 0x33, 0x03, 0xED, 0x5B, 0xDD, 0x3A,
+- 0x06, 0x2B, 0x3C, 0xF5, 0xB3, 0xA2, 0x78, 0xA6,
+- 0x6D, 0x2A, 0x13, 0xF8, 0x3F, 0x44, 0xF8, 0x2D,
+- 0xDF, 0x31, 0x0E, 0xE0, 0x74, 0xAB, 0x6A, 0x36,
+- 0x45, 0x97, 0xE8, 0x99, 0xA0, 0x25, 0x5D, 0xC1,
+- 0x64, 0xF3, 0x1C, 0xC5, 0x08, 0x46, 0x85, 0x1D,
+- 0xF9, 0xAB, 0x48, 0x19, 0x5D, 0xED, 0x7E, 0xA1,
+- 0xB1, 0xD5, 0x10, 0xBD, 0x7E, 0xE7, 0x4D, 0x73,
+- 0xFA, 0xF3, 0x6B, 0xC3, 0x1E, 0xCF, 0xA2, 0x68,
+- 0x35, 0x90, 0x46, 0xF4, 0xEB, 0x87, 0x9F, 0x92,
+- 0x40, 0x09, 0x43, 0x8B, 0x48, 0x1C, 0x6C, 0xD7,
+- 0x88, 0x9A, 0x00, 0x2E, 0xD5, 0xEE, 0x38, 0x2B,
+- 0xC9, 0x19, 0x0D, 0xA6, 0xFC, 0x02, 0x6E, 0x47,
+- 0x95, 0x58, 0xE4, 0x47, 0x56, 0x77, 0xE9, 0xAA,
+- 0x9E, 0x30, 0x50, 0xE2, 0x76, 0x56, 0x94, 0xDF,
+- 0xC8, 0x1F, 0x56, 0xE8, 0x80, 0xB9, 0x6E, 0x71,
+- 0x60, 0xC9, 0x80, 0xDD, 0x98, 0xED, 0xD3, 0xDF,
+- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- };
+- return BN_bin2bn(RFC3526_PRIME_8192, sizeof(RFC3526_PRIME_8192), bn);
++ return COPY_BN(bn, _bignum_modp_8192_p);
+ }
+diff -up openssl-1.1.1g/crypto/bn/bn_dh.c.fips-dh openssl-1.1.1g/crypto/bn/bn_dh.c
+--- openssl-1.1.1g/crypto/bn/bn_dh.c.fips-dh 2020-04-21 14:22:39.000000000 +0200
++++ openssl-1.1.1g/crypto/bn/bn_dh.c 2020-06-05 17:31:28.044776018 +0200
+@@ -1,7 +1,7 @@
+ /*
+- * Copyright 2014-2017 The OpenSSL Project Authors. All Rights Reserved.
++ * Copyright 2014-2020 The OpenSSL Project Authors. All Rights Reserved.
+ *
+- * Licensed under the OpenSSL license (the "License"). You may not use
++ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+@@ -11,474 +11,995 @@
+ #include "internal/nelem.h"
+
+ #ifndef OPENSSL_NO_DH
+-#include <openssl/dh.h>
+-#include "crypto/bn_dh.h"
+-/* DH parameters from RFC5114 */
++# include <openssl/dh.h>
++# include "crypto/bn_dh.h"
+
+ # if BN_BITS2 == 64
+-static const BN_ULONG dh1024_160_p[] = {
+- 0xDF1FB2BC2E4A4371ULL, 0xE68CFDA76D4DA708ULL, 0x45BF37DF365C1A65ULL,
+- 0xA151AF5F0DC8B4BDULL, 0xFAA31A4FF55BCCC0ULL, 0x4EFFD6FAE5644738ULL,
+- 0x98488E9C219A7372ULL, 0xACCBDD7D90C4BD70ULL, 0x24975C3CD49B83BFULL,
+- 0x13ECB4AEA9061123ULL, 0x9838EF1E2EE652C0ULL, 0x6073E28675A23D18ULL,
+- 0x9A6A9DCA52D23B61ULL, 0x52C99FBCFB06A3C6ULL, 0xDE92DE5EAE5D54ECULL,
+- 0xB10B8F96A080E01DULL
+-};
+-
+-static const BN_ULONG dh1024_160_g[] = {
+- 0x855E6EEB22B3B2E5ULL, 0x858F4DCEF97C2A24ULL, 0x2D779D5918D08BC8ULL,
+- 0xD662A4D18E73AFA3ULL, 0x1DBF0A0169B6A28AULL, 0xA6A24C087A091F53ULL,
+- 0x909D0D2263F80A76ULL, 0xD7FBD7D3B9A92EE1ULL, 0x5E91547F9E2749F4ULL,
+- 0x160217B4B01B886AULL, 0x777E690F5504F213ULL, 0x266FEA1E5C41564BULL,
+- 0xD6406CFF14266D31ULL, 0xF8104DD258AC507FULL, 0x6765A442EFB99905ULL,
+- 0xA4D1CBD5C3FD3412ULL
+-};
+-
+-static const BN_ULONG dh1024_160_q[] = {
+- 0x64B7CB9D49462353ULL, 0x81A8DF278ABA4E7DULL, 0x00000000F518AA87ULL
+-};
+-
+-static const BN_ULONG dh2048_224_p[] = {
+- 0x0AC4DFFE0C10E64FULL, 0xCF9DE5384E71B81CULL, 0x7EF363E2FFA31F71ULL,
+- 0xE3FB73C16B8E75B9ULL, 0xC9B53DCF4BA80A29ULL, 0x23F10B0E16E79763ULL,
+- 0xC52172E413042E9BULL, 0xBE60E69CC928B2B9ULL, 0x80CD86A1B9E587E8ULL,
+- 0x315D75E198C641A4ULL, 0xCDF93ACC44328387ULL, 0x15987D9ADC0A486DULL,
+- 0x7310F7121FD5A074ULL, 0x278273C7DE31EFDCULL, 0x1602E714415D9330ULL,
+- 0x81286130BC8985DBULL, 0xB3BF8A3170918836ULL, 0x6A00E0A0B9C49708ULL,
+- 0xC6BA0B2C8BBC27BEULL, 0xC9F98D11ED34DBF6ULL, 0x7AD5B7D0B6C12207ULL,
+- 0xD91E8FEF55B7394BULL, 0x9037C9EDEFDA4DF8ULL, 0x6D3F8152AD6AC212ULL,
+- 0x1DE6B85A1274A0A6ULL, 0xEB3D688A309C180EULL, 0xAF9A3C407BA1DF15ULL,
+- 0xE6FA141DF95A56DBULL, 0xB54B1597B61D0A75ULL, 0xA20D64E5683B9FD1ULL,
+- 0xD660FAA79559C51FULL, 0xAD107E1E9123A9D0ULL
+-};
+-
+-static const BN_ULONG dh2048_224_g[] = {
+- 0x84B890D3191F2BFAULL, 0x81BC087F2A7065B3ULL, 0x19C418E1F6EC0179ULL,
+- 0x7B5A0F1C71CFFF4CULL, 0xEDFE72FE9B6AA4BDULL, 0x81E1BCFE94B30269ULL,
+- 0x566AFBB48D6C0191ULL, 0xB539CCE3409D13CDULL, 0x6AA21E7F5F2FF381ULL,
+- 0xD9E263E4770589EFULL, 0x10E183EDD19963DDULL, 0xB70A8137150B8EEBULL,
+- 0x051AE3D428C8F8ACULL, 0xBB77A86F0C1AB15BULL, 0x6E3025E316A330EFULL,
+- 0x19529A45D6F83456ULL, 0xF180EB34118E98D1ULL, 0xB5F6C6B250717CBEULL,
+- 0x09939D54DA7460CDULL, 0xE247150422EA1ED4ULL, 0xB8A762D0521BC98AULL,
+- 0xF4D027275AC1348BULL, 0xC17669101999024AULL, 0xBE5E9001A8D66AD7ULL,
+- 0xC57DB17C620A8652ULL, 0xAB739D7700C29F52ULL, 0xDD921F01A70C4AFAULL,
+- 0xA6824A4E10B9A6F0ULL, 0x74866A08CFE4FFE3ULL, 0x6CDEBE7B89998CAFULL,
+- 0x9DF30B5C8FFDAC50ULL, 0xAC4032EF4F2D9AE3ULL
+-};
+-
+-static const BN_ULONG dh2048_224_q[] = {
+- 0xBF389A99B36371EBULL, 0x1F80535A4738CEBCULL, 0xC58D93FE99717710ULL,
+- 0x00000000801C0D34ULL
+-};
+-
+-static const BN_ULONG dh2048_256_p[] = {
+- 0xDB094AE91E1A1597ULL, 0x693877FAD7EF09CAULL, 0x6116D2276E11715FULL,
+- 0xA4B54330C198AF12ULL, 0x75F26375D7014103ULL, 0xC3A3960A54E710C3ULL,
+- 0xDED4010ABD0BE621ULL, 0xC0B857F689962856ULL, 0xB3CA3F7971506026ULL,
+- 0x1CCACB83E6B486F6ULL, 0x67E144E514056425ULL, 0xF6A167B5A41825D9ULL,
+- 0x3AD8347796524D8EULL, 0xF13C6D9A51BFA4ABULL, 0x2D52526735488A0EULL,
+- 0xB63ACAE1CAA6B790ULL, 0x4FDB70C581B23F76ULL, 0xBC39A0BF12307F5CULL,
+- 0xB941F54EB1E59BB8ULL, 0x6C5BFC11D45F9088ULL, 0x22E0B1EF4275BF7BULL,
+- 0x91F9E6725B4758C0ULL, 0x5A8A9D306BCF67EDULL, 0x209E0C6497517ABDULL,
+- 0x3BF4296D830E9A7CULL, 0x16C3D91134096FAAULL, 0xFAF7DF4561B2AA30ULL,
+- 0xE00DF8F1D61957D4ULL, 0x5D2CEED4435E3B00ULL, 0x8CEEF608660DD0F2ULL,
+- 0xFFBBD19C65195999ULL, 0x87A8E61DB4B6663CULL
+-};
++# define BN_DEF(lo, hi) (BN_ULONG)hi << 32 | lo
++# else
++# define BN_DEF(lo, hi) lo, hi
++# endif
+
+-static const BN_ULONG dh2048_256_g[] = {
+- 0x664B4C0F6CC41659ULL, 0x5E2327CFEF98C582ULL, 0xD647D148D4795451ULL,
+- 0x2F63078490F00EF8ULL, 0x184B523D1DB246C3ULL, 0xC7891428CDC67EB6ULL,
+- 0x7FD028370DF92B52ULL, 0xB3353BBB64E0EC37ULL, 0xECD06E1557CD0915ULL,
+- 0xB7D2BBD2DF016199ULL, 0xC8484B1E052588B9ULL, 0xDB2A3B7313D3FE14ULL,
+- 0xD052B985D182EA0AULL, 0xA4BD1BFFE83B9C80ULL, 0xDFC967C1FB3F2E55ULL,
+- 0xB5045AF2767164E1ULL, 0x1D14348F6F2F9193ULL, 0x64E67982428EBC83ULL,
+- 0x8AC376D282D6ED38ULL, 0x777DE62AAAB8A862ULL, 0xDDF463E5E9EC144BULL,
+- 0x0196F931C77A57F2ULL, 0xA55AE31341000A65ULL, 0x901228F8C28CBB18ULL,
+- 0xBC3773BF7E8C6F62ULL, 0xBE3A6C1B0C6B47B1ULL, 0xFF4FED4AAC0BB555ULL,
+- 0x10DBC15077BE463FULL, 0x07F4793A1A0BA125ULL, 0x4CA7B18F21EF2054ULL,
+- 0x2E77506660EDBD48ULL, 0x3FB32C9B73134D0BULL
+-};
++/* DH parameters from RFC3526 */
+
+-static const BN_ULONG dh2048_256_q[] = {
+- 0xA308B0FE64F5FBD3ULL, 0x99B1A47D1EB3750BULL, 0xB447997640129DA2ULL,
+- 0x8CF83642A709A097ULL
++/*
++ * "1536-bit MODP Group" from RFC3526, Section 2.
++ *
++ * The prime is: 2^1536 - 2^1472 - 1 + 2^64 * { [2^1406 pi] + 741804 }
++ *
++ * RFC3526 specifies a generator of 2.
++ * RFC2312 specifies a generator of 22.
++ */
++static const BN_ULONG modp_1536_p[] = {
++ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0xCA237327, 0xF1746C08),
++ BN_DEF(0x4ABC9804, 0x670C354E), BN_DEF(0x7096966D, 0x9ED52907),
++ BN_DEF(0x208552BB, 0x1C62F356), BN_DEF(0xDCA3AD96, 0x83655D23),
++ BN_DEF(0xFD24CF5F, 0x69163FA8), BN_DEF(0x1C55D39A, 0x98DA4836),
++ BN_DEF(0xA163BF05, 0xC2007CB8), BN_DEF(0xECE45B3D, 0x49286651),
++ BN_DEF(0x7C4B1FE6, 0xAE9F2411), BN_DEF(0x5A899FA5, 0xEE386BFB),
++ BN_DEF(0xF406B7ED, 0x0BFF5CB6), BN_DEF(0xA637ED6B, 0xF44C42E9),
++ BN_DEF(0x625E7EC6, 0xE485B576), BN_DEF(0x6D51C245, 0x4FE1356D),
++ BN_DEF(0xF25F1437, 0x302B0A6D), BN_DEF(0xCD3A431B, 0xEF9519B3),
++ BN_DEF(0x8E3404DD, 0x514A0879), BN_DEF(0x3B139B22, 0x020BBEA6),
++ BN_DEF(0x8A67CC74, 0x29024E08), BN_DEF(0x80DC1CD1, 0xC4C6628B),
++ BN_DEF(0x2168C234, 0xC90FDAA2), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF)
++};
++/* q = (p - 1) / 2 */
++static const BN_ULONG modp_1536_q[] = {
++ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x6511B993, 0x78BA3604),
++ BN_DEF(0x255E4C02, 0xB3861AA7), BN_DEF(0xB84B4B36, 0xCF6A9483),
++ BN_DEF(0x1042A95D, 0x0E3179AB), BN_DEF(0xEE51D6CB, 0xC1B2AE91),
++ BN_DEF(0x7E9267AF, 0x348B1FD4), BN_DEF(0x0E2AE9CD, 0xCC6D241B),
++ BN_DEF(0x50B1DF82, 0xE1003E5C), BN_DEF(0xF6722D9E, 0x24943328),
++ BN_DEF(0xBE258FF3, 0xD74F9208), BN_DEF(0xAD44CFD2, 0xF71C35FD),
++ BN_DEF(0x7A035BF6, 0x85FFAE5B), BN_DEF(0xD31BF6B5, 0x7A262174),
++ BN_DEF(0x312F3F63, 0xF242DABB), BN_DEF(0xB6A8E122, 0xA7F09AB6),
++ BN_DEF(0xF92F8A1B, 0x98158536), BN_DEF(0xE69D218D, 0xF7CA8CD9),
++ BN_DEF(0xC71A026E, 0x28A5043C), BN_DEF(0x1D89CD91, 0x0105DF53),
++ BN_DEF(0x4533E63A, 0x94812704), BN_DEF(0xC06E0E68, 0x62633145),
++ BN_DEF(0x10B4611A, 0xE487ED51), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF)
+ };
+
+-/* Primes from RFC 7919 */
+-static const BN_ULONG ffdhe2048_p[] = {
+- 0xFFFFFFFFFFFFFFFFULL, 0x886B423861285C97ULL, 0xC6F34A26C1B2EFFAULL,
+- 0xC58EF1837D1683B2ULL, 0x3BB5FCBC2EC22005ULL, 0xC3FE3B1B4C6FAD73ULL,
+- 0x8E4F1232EEF28183ULL, 0x9172FE9CE98583FFULL, 0xC03404CD28342F61ULL,
+- 0x9E02FCE1CDF7E2ECULL, 0x0B07A7C8EE0A6D70ULL, 0xAE56EDE76372BB19ULL,
+- 0x1D4F42A3DE394DF4ULL, 0xB96ADAB760D7F468ULL, 0xD108A94BB2C8E3FBULL,
+- 0xBC0AB182B324FB61ULL, 0x30ACCA4F483A797AULL, 0x1DF158A136ADE735ULL,
+- 0xE2A689DAF3EFE872ULL, 0x984F0C70E0E68B77ULL, 0xB557135E7F57C935ULL,
+- 0x856365553DED1AF3ULL, 0x2433F51F5F066ED0ULL, 0xD3DF1ED5D5FD6561ULL,
+- 0xF681B202AEC4617AULL, 0x7D2FE363630C75D8ULL, 0xCC939DCE249B3EF9ULL,
+- 0xA9E13641146433FBULL, 0xD8B9C583CE2D3695ULL, 0xAFDC5620273D3CF1ULL,
+- 0xADF85458A2BB4A9AULL, 0xFFFFFFFFFFFFFFFFULL
++/*-
++ * "2048-bit MODP Group" from RFC3526, Section 3.
++ *
++ * The prime is: 2^2048 - 2^1984 - 1 + 2^64 * { [2^1918 pi] + 124476 }
++ *
++ * RFC3526 specifies a generator of 2.
++ */
++static const BN_ULONG modp_2048_p[] = {
++ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x8AACAA68, 0x15728E5A),
++ BN_DEF(0x98FA0510, 0x15D22618), BN_DEF(0xEA956AE5, 0x3995497C),
++ BN_DEF(0x95581718, 0xDE2BCBF6), BN_DEF(0x6F4C52C9, 0xB5C55DF0),
++ BN_DEF(0xEC07A28F, 0x9B2783A2), BN_DEF(0x180E8603, 0xE39E772C),
++ BN_DEF(0x2E36CE3B, 0x32905E46), BN_DEF(0xCA18217C, 0xF1746C08),
++ BN_DEF(0x4ABC9804, 0x670C354E), BN_DEF(0x7096966D, 0x9ED52907),
++ BN_DEF(0x208552BB, 0x1C62F356), BN_DEF(0xDCA3AD96, 0x83655D23),
++ BN_DEF(0xFD24CF5F, 0x69163FA8), BN_DEF(0x1C55D39A, 0x98DA4836),
++ BN_DEF(0xA163BF05, 0xC2007CB8), BN_DEF(0xECE45B3D, 0x49286651),
++ BN_DEF(0x7C4B1FE6, 0xAE9F2411), BN_DEF(0x5A899FA5, 0xEE386BFB),
++ BN_DEF(0xF406B7ED, 0x0BFF5CB6), BN_DEF(0xA637ED6B, 0xF44C42E9),
++ BN_DEF(0x625E7EC6, 0xE485B576), BN_DEF(0x6D51C245, 0x4FE1356D),
++ BN_DEF(0xF25F1437, 0x302B0A6D), BN_DEF(0xCD3A431B, 0xEF9519B3),
++ BN_DEF(0x8E3404DD, 0x514A0879), BN_DEF(0x3B139B22, 0x020BBEA6),
++ BN_DEF(0x8A67CC74, 0x29024E08), BN_DEF(0x80DC1CD1, 0xC4C6628B),
++ BN_DEF(0x2168C234, 0xC90FDAA2), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF)
++};
++/* q = (p - 1) / 2 */
++static const BN_ULONG modp_2048_q[] = {
++ BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), BN_DEF(0x45565534, 0x0AB9472D),
++ BN_DEF(0x4C7D0288, 0x8AE9130C), BN_DEF(0x754AB572, 0x1CCAA4BE),
++ BN_DEF(0x4AAC0B8C, 0xEF15E5FB), BN_DEF(0x37A62964, 0xDAE2AEF8),
++ BN_DEF(0x7603D147, 0xCD93C1D1), BN_DEF(0x0C074301, 0xF1CF3B96),
++ BN_DEF(0x171B671D, 0x19482F23), BN_DEF(0x650C10BE, 0x78BA3604),
++ BN_DEF(0x255E4C02, 0xB3861AA7), BN_DEF(0xB84B4B36, 0xCF6A9483),
++ BN_DEF(0x1042A95D, 0x0E3179AB), BN_DEF(0xEE51D6CB, 0xC1B2AE91),
++ BN_DEF(0x7E9267AF, 0x348B1FD4), BN_DEF(0x0E2AE9CD, 0xCC6D241B),
++ BN_DEF(0x50B1DF82, 0xE1003E5C), BN_DEF(0xF6722D9E, 0x24943328),
++ BN_DEF(0xBE258FF3, 0xD74F9208), BN_DEF(0xAD44CFD2, 0xF71C35FD),
++ BN_DEF(0x7A035BF6, 0x85FFAE5B), BN_DEF(0xD31BF6B5, 0x7A262174),
++ BN_DEF(0x312F3F63, 0xF242DABB), BN_DEF(0xB6A8E122, 0xA7F09AB6),
++ BN_DEF(0xF92F8A1B, 0x98158536), BN_DEF(0xE69D218D, 0xF7CA8CD9),
++ BN_DEF(0xC71A026E, 0x28A5043C), BN_DEF(0x1D89CD91, 0x0105DF53),
++ BN_DEF(0x4533E63A, 0x94812704), BN_DEF(0xC06E0E68, 0x62633145),
++ BN_DEF(0x10B4611A, 0xE487ED51), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF),
+ };
+
+-static const BN_ULONG ffdhe3072_p[] = {
+- 0xFFFFFFFFFFFFFFFFULL, 0x25E41D2B66C62E37ULL, 0x3C1B20EE3FD59D7CULL,
+- 0x0ABCD06BFA53DDEFULL, 0x1DBF9A42D5C4484EULL, 0xABC521979B0DEADAULL,
+- 0xE86D2BC522363A0DULL, 0x5CAE82AB9C9DF69EULL, 0x64F2E21E71F54BFFULL,
+- 0xF4FD4452E2D74DD3ULL, 0xB4130C93BC437944ULL, 0xAEFE130985139270ULL,
+- 0x598CB0FAC186D91CULL, 0x7AD91D2691F7F7EEULL, 0x61B46FC9D6E6C907ULL,
+- 0xBC34F4DEF99C0238ULL, 0xDE355B3B6519035BULL, 0x886B4238611FCFDCULL,
+- 0xC6F34A26C1B2EFFAULL, 0xC58EF1837D1683B2ULL, 0x3BB5FCBC2EC22005ULL,
+- 0xC3FE3B1B4C6FAD73ULL, 0x8E4F1232EEF28183ULL, 0x9172FE9CE98583FFULL,
+- 0xC03404CD28342F61ULL, 0x9E02FCE1CDF7E2ECULL, 0x0B07A7C8EE0A6D70ULL,
+- 0xAE56EDE76372BB19ULL, 0x1D4F42A3DE394DF4ULL, 0xB96ADAB760D7F468ULL,
+- 0xD108A94BB2C8E3FBULL, 0xBC0AB182B324FB61ULL, 0x30ACCA4F483A797AULL,
+- 0x1DF158A136ADE735ULL, 0xE2A689DAF3EFE872ULL, 0x984F0C70E0E68B77ULL,
+- 0xB557135E7F57C935ULL, 0x856365553DED1AF3ULL, 0x2433F51F5F066ED0ULL,
+- 0xD3DF1ED5D5FD6561ULL, 0xF681B202AEC4617AULL, 0x7D2FE363630C75D8ULL,
+- 0xCC939DCE249B3EF9ULL, 0xA9E13641146433FBULL, 0xD8B9C583CE2D3695ULL,
+- 0xAFDC5620273D3CF1ULL, 0xADF85458A2BB4A9AULL, 0xFFFFFFFFFFFFFFFFULL
++/*-
++ * "3072-bit MODP Group" from RFC3526, Section 4.
++ *
++ * The prime is: 2^3072 - 2^3008 - 1 + 2^64 * { [2^2942 pi] + 1690314 }
++ *
++ * RFC3526 specifies a generator of 2.
++ */
++static const BN_ULONG modp_3072_p[] = {
++ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0xA93AD2CA, 0x4B82D120),
++ BN_DEF(0xE0FD108E, 0x43DB5BFC), BN_DEF(0x74E5AB31, 0x08E24FA0),
++ BN_DEF(0xBAD946E2, 0x770988C0), BN_DEF(0x7A615D6C, 0xBBE11757),
++ BN_DEF(0x177B200C, 0x521F2B18), BN_DEF(0x3EC86A64, 0xD8760273),
++ BN_DEF(0xD98A0864, 0xF12FFA06), BN_DEF(0x1AD2EE6B, 0xCEE3D226),
++ BN_DEF(0x4A25619D, 0x1E8C94E0), BN_DEF(0xDB0933D7, 0xABF5AE8C),
++ BN_DEF(0xA6E1E4C7, 0xB3970F85), BN_DEF(0x5D060C7D, 0x8AEA7157),
++ BN_DEF(0x58DBEF0A, 0xECFB8504), BN_DEF(0xDF1CBA64, 0xA85521AB),
++ BN_DEF(0x04507A33, 0xAD33170D), BN_DEF(0x8AAAC42D, 0x15728E5A),
++ BN_DEF(0x98FA0510, 0x15D22618), BN_DEF(0xEA956AE5, 0x3995497C),
++ BN_DEF(0x95581718, 0xDE2BCBF6), BN_DEF(0x6F4C52C9, 0xB5C55DF0),
++ BN_DEF(0xEC07A28F, 0x9B2783A2), BN_DEF(0x180E8603, 0xE39E772C),
++ BN_DEF(0x2E36CE3B, 0x32905E46), BN_DEF(0xCA18217C, 0xF1746C08),
++ BN_DEF(0x4ABC9804, 0x670C354E), BN_DEF(0x7096966D, 0x9ED52907),
++ BN_DEF(0x208552BB, 0x1C62F356), BN_DEF(0xDCA3AD96, 0x83655D23),
++ BN_DEF(0xFD24CF5F, 0x69163FA8), BN_DEF(0x1C55D39A, 0x98DA4836),
++ BN_DEF(0xA163BF05, 0xC2007CB8), BN_DEF(0xECE45B3D, 0x49286651),
++ BN_DEF(0x7C4B1FE6, 0xAE9F2411), BN_DEF(0x5A899FA5, 0xEE386BFB),
++ BN_DEF(0xF406B7ED, 0x0BFF5CB6), BN_DEF(0xA637ED6B, 0xF44C42E9),
++ BN_DEF(0x625E7EC6, 0xE485B576), BN_DEF(0x6D51C245, 0x4FE1356D),
++ BN_DEF(0xF25F1437, 0x302B0A6D), BN_DEF(0xCD3A431B, 0xEF9519B3),
++ BN_DEF(0x8E3404DD, 0x514A0879), BN_DEF(0x3B139B22, 0x020BBEA6),
++ BN_DEF(0x8A67CC74, 0x29024E08), BN_DEF(0x80DC1CD1, 0xC4C6628B),
++ BN_DEF(0x2168C234, 0xC90FDAA2), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF)
++};
++/* q = (p - 1) / 2 */
++static const BN_ULONG modp_3072_q[] = {
++ BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), BN_DEF(0x549D6965, 0x25C16890),
++ BN_DEF(0x707E8847, 0xA1EDADFE), BN_DEF(0x3A72D598, 0x047127D0),
++ BN_DEF(0x5D6CA371, 0x3B84C460), BN_DEF(0xBD30AEB6, 0x5DF08BAB),
++ BN_DEF(0x0BBD9006, 0x290F958C), BN_DEF(0x9F643532, 0x6C3B0139),
++ BN_DEF(0x6CC50432, 0xF897FD03), BN_DEF(0x0D697735, 0xE771E913),
++ BN_DEF(0x2512B0CE, 0x8F464A70), BN_DEF(0x6D8499EB, 0xD5FAD746),
++ BN_DEF(0xD370F263, 0xD9CB87C2), BN_DEF(0xAE83063E, 0x457538AB),
++ BN_DEF(0x2C6DF785, 0x767DC282), BN_DEF(0xEF8E5D32, 0xD42A90D5),
++ BN_DEF(0x82283D19, 0xD6998B86), BN_DEF(0x45556216, 0x0AB9472D),
++ BN_DEF(0x4C7D0288, 0x8AE9130C), BN_DEF(0x754AB572, 0x1CCAA4BE),
++ BN_DEF(0x4AAC0B8C, 0xEF15E5FB), BN_DEF(0x37A62964, 0xDAE2AEF8),
++ BN_DEF(0x7603D147, 0xCD93C1D1), BN_DEF(0x0C074301, 0xF1CF3B96),
++ BN_DEF(0x171B671D, 0x19482F23), BN_DEF(0x650C10BE, 0x78BA3604),
++ BN_DEF(0x255E4C02, 0xB3861AA7), BN_DEF(0xB84B4B36, 0xCF6A9483),
++ BN_DEF(0x1042A95D, 0x0E3179AB), BN_DEF(0xEE51D6CB, 0xC1B2AE91),
++ BN_DEF(0x7E9267AF, 0x348B1FD4), BN_DEF(0x0E2AE9CD, 0xCC6D241B),
++ BN_DEF(0x50B1DF82, 0xE1003E5C), BN_DEF(0xF6722D9E, 0x24943328),
++ BN_DEF(0xBE258FF3, 0xD74F9208), BN_DEF(0xAD44CFD2, 0xF71C35FD),
++ BN_DEF(0x7A035BF6, 0x85FFAE5B), BN_DEF(0xD31BF6B5, 0x7A262174),
++ BN_DEF(0x312F3F63, 0xF242DABB), BN_DEF(0xB6A8E122, 0xA7F09AB6),
++ BN_DEF(0xF92F8A1B, 0x98158536), BN_DEF(0xE69D218D, 0xF7CA8CD9),
++ BN_DEF(0xC71A026E, 0x28A5043C), BN_DEF(0x1D89CD91, 0x0105DF53),
++ BN_DEF(0x4533E63A, 0x94812704), BN_DEF(0xC06E0E68, 0x62633145),
++ BN_DEF(0x10B4611A, 0xE487ED51), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF),
+ };
+
+-static const BN_ULONG ffdhe4096_p[] = {
+- 0xFFFFFFFFFFFFFFFFULL, 0xC68A007E5E655F6AULL, 0x4DB5A851F44182E1ULL,
+- 0x8EC9B55A7F88A46BULL, 0x0A8291CDCEC97DCFULL, 0x2A4ECEA9F98D0ACCULL,
+- 0x1A1DB93D7140003CULL, 0x092999A333CB8B7AULL, 0x6DC778F971AD0038ULL,
+- 0xA907600A918130C4ULL, 0xED6A1E012D9E6832ULL, 0x7135C886EFB4318AULL,
+- 0x87F55BA57E31CC7AULL, 0x7763CF1D55034004ULL, 0xAC7D5F42D69F6D18ULL,
+- 0x7930E9E4E58857B6ULL, 0x6E6F52C3164DF4FBULL, 0x25E41D2B669E1EF1ULL,
+- 0x3C1B20EE3FD59D7CULL, 0x0ABCD06BFA53DDEFULL, 0x1DBF9A42D5C4484EULL,
+- 0xABC521979B0DEADAULL, 0xE86D2BC522363A0DULL, 0x5CAE82AB9C9DF69EULL,
+- 0x64F2E21E71F54BFFULL, 0xF4FD4452E2D74DD3ULL, 0xB4130C93BC437944ULL,
+- 0xAEFE130985139270ULL, 0x598CB0FAC186D91CULL, 0x7AD91D2691F7F7EEULL,
+- 0x61B46FC9D6E6C907ULL, 0xBC34F4DEF99C0238ULL, 0xDE355B3B6519035BULL,
+- 0x886B4238611FCFDCULL, 0xC6F34A26C1B2EFFAULL, 0xC58EF1837D1683B2ULL,
+- 0x3BB5FCBC2EC22005ULL, 0xC3FE3B1B4C6FAD73ULL, 0x8E4F1232EEF28183ULL,
+- 0x9172FE9CE98583FFULL, 0xC03404CD28342F61ULL, 0x9E02FCE1CDF7E2ECULL,
+- 0x0B07A7C8EE0A6D70ULL, 0xAE56EDE76372BB19ULL, 0x1D4F42A3DE394DF4ULL,
+- 0xB96ADAB760D7F468ULL, 0xD108A94BB2C8E3FBULL, 0xBC0AB182B324FB61ULL,
+- 0x30ACCA4F483A797AULL, 0x1DF158A136ADE735ULL, 0xE2A689DAF3EFE872ULL,
+- 0x984F0C70E0E68B77ULL, 0xB557135E7F57C935ULL, 0x856365553DED1AF3ULL,
+- 0x2433F51F5F066ED0ULL, 0xD3DF1ED5D5FD6561ULL, 0xF681B202AEC4617AULL,
+- 0x7D2FE363630C75D8ULL, 0xCC939DCE249B3EF9ULL, 0xA9E13641146433FBULL,
+- 0xD8B9C583CE2D3695ULL, 0xAFDC5620273D3CF1ULL, 0xADF85458A2BB4A9AULL,
+- 0xFFFFFFFFFFFFFFFFULL
++/*-
++ * "4096-bit MODP Group" from RFC3526, Section 5.
++ *
++ * The prime is: 2^4096 - 2^4032 - 1 + 2^64 * { [2^3966 pi] + 240904 }
++ *
++ * RFC3526 specifies a generator of 2.
++ */
++static const BN_ULONG modp_4096_p[] = {
++ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x34063199, 0x4DF435C9),
++ BN_DEF(0x90A6C08F, 0x86FFB7DC), BN_DEF(0x8D8FDDC1, 0x93B4EA98),
++ BN_DEF(0xD5B05AA9, 0xD0069127), BN_DEF(0x2170481C, 0xB81BDD76),
++ BN_DEF(0xCEE2D7AF, 0x1F612970), BN_DEF(0x515BE7ED, 0x233BA186),
++ BN_DEF(0xA090C3A2, 0x99B2964F), BN_DEF(0x4E6BC05D, 0x287C5947),
++ BN_DEF(0x1FBECAA6, 0x2E8EFC14), BN_DEF(0x04DE8EF9, 0xDBBBC2DB),
++ BN_DEF(0x2AD44CE8, 0x2583E9CA), BN_DEF(0xB6150BDA, 0x1A946834),
++ BN_DEF(0x6AF4E23C, 0x99C32718), BN_DEF(0xBDBA5B26, 0x88719A10),
++ BN_DEF(0xA787E6D7, 0x1A723C12), BN_DEF(0xA9210801, 0x4B82D120),
++ BN_DEF(0xE0FD108E, 0x43DB5BFC), BN_DEF(0x74E5AB31, 0x08E24FA0),
++ BN_DEF(0xBAD946E2, 0x770988C0), BN_DEF(0x7A615D6C, 0xBBE11757),
++ BN_DEF(0x177B200C, 0x521F2B18), BN_DEF(0x3EC86A64, 0xD8760273),
++ BN_DEF(0xD98A0864, 0xF12FFA06), BN_DEF(0x1AD2EE6B, 0xCEE3D226),
++ BN_DEF(0x4A25619D, 0x1E8C94E0), BN_DEF(0xDB0933D7, 0xABF5AE8C),
++ BN_DEF(0xA6E1E4C7, 0xB3970F85), BN_DEF(0x5D060C7D, 0x8AEA7157),
++ BN_DEF(0x58DBEF0A, 0xECFB8504), BN_DEF(0xDF1CBA64, 0xA85521AB),
++ BN_DEF(0x04507A33, 0xAD33170D), BN_DEF(0x8AAAC42D, 0x15728E5A),
++ BN_DEF(0x98FA0510, 0x15D22618), BN_DEF(0xEA956AE5, 0x3995497C),
++ BN_DEF(0x95581718, 0xDE2BCBF6), BN_DEF(0x6F4C52C9, 0xB5C55DF0),
++ BN_DEF(0xEC07A28F, 0x9B2783A2), BN_DEF(0x180E8603, 0xE39E772C),
++ BN_DEF(0x2E36CE3B, 0x32905E46), BN_DEF(0xCA18217C, 0xF1746C08),
++ BN_DEF(0x4ABC9804, 0x670C354E), BN_DEF(0x7096966D, 0x9ED52907),
++ BN_DEF(0x208552BB, 0x1C62F356), BN_DEF(0xDCA3AD96, 0x83655D23),
++ BN_DEF(0xFD24CF5F, 0x69163FA8), BN_DEF(0x1C55D39A, 0x98DA4836),
++ BN_DEF(0xA163BF05, 0xC2007CB8), BN_DEF(0xECE45B3D, 0x49286651),
++ BN_DEF(0x7C4B1FE6, 0xAE9F2411), BN_DEF(0x5A899FA5, 0xEE386BFB),
++ BN_DEF(0xF406B7ED, 0x0BFF5CB6), BN_DEF(0xA637ED6B, 0xF44C42E9),
++ BN_DEF(0x625E7EC6, 0xE485B576), BN_DEF(0x6D51C245, 0x4FE1356D),
++ BN_DEF(0xF25F1437, 0x302B0A6D), BN_DEF(0xCD3A431B, 0xEF9519B3),
++ BN_DEF(0x8E3404DD, 0x514A0879), BN_DEF(0x3B139B22, 0x020BBEA6),
++ BN_DEF(0x8A67CC74, 0x29024E08), BN_DEF(0x80DC1CD1, 0xC4C6628B),
++ BN_DEF(0x2168C234, 0xC90FDAA2), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF)
++};
++/* q = (p - 1) / 2 */
++static const BN_ULONG modp_4096_q[] = {
++ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x9A0318CC, 0xA6FA1AE4),
++ BN_DEF(0x48536047, 0xC37FDBEE), BN_DEF(0x46C7EEE0, 0xC9DA754C),
++ BN_DEF(0xEAD82D54, 0x68034893), BN_DEF(0x10B8240E, 0xDC0DEEBB),
++ BN_DEF(0x67716BD7, 0x8FB094B8), BN_DEF(0x28ADF3F6, 0x119DD0C3),
++ BN_DEF(0xD04861D1, 0xCCD94B27), BN_DEF(0xA735E02E, 0x143E2CA3),
++ BN_DEF(0x0FDF6553, 0x97477E0A), BN_DEF(0x826F477C, 0x6DDDE16D),
++ BN_DEF(0x156A2674, 0x12C1F4E5), BN_DEF(0x5B0A85ED, 0x0D4A341A),
++ BN_DEF(0x357A711E, 0x4CE1938C), BN_DEF(0x5EDD2D93, 0xC438CD08),
++ BN_DEF(0x53C3F36B, 0x8D391E09), BN_DEF(0x54908400, 0x25C16890),
++ BN_DEF(0x707E8847, 0xA1EDADFE), BN_DEF(0x3A72D598, 0x047127D0),
++ BN_DEF(0x5D6CA371, 0x3B84C460), BN_DEF(0xBD30AEB6, 0x5DF08BAB),
++ BN_DEF(0x0BBD9006, 0x290F958C), BN_DEF(0x9F643532, 0x6C3B0139),
++ BN_DEF(0x6CC50432, 0xF897FD03), BN_DEF(0x0D697735, 0xE771E913),
++ BN_DEF(0x2512B0CE, 0x8F464A70), BN_DEF(0x6D8499EB, 0xD5FAD746),
++ BN_DEF(0xD370F263, 0xD9CB87C2), BN_DEF(0xAE83063E, 0x457538AB),
++ BN_DEF(0x2C6DF785, 0x767DC282), BN_DEF(0xEF8E5D32, 0xD42A90D5),
++ BN_DEF(0x82283D19, 0xD6998B86), BN_DEF(0x45556216, 0x0AB9472D),
++ BN_DEF(0x4C7D0288, 0x8AE9130C), BN_DEF(0x754AB572, 0x1CCAA4BE),
++ BN_DEF(0x4AAC0B8C, 0xEF15E5FB), BN_DEF(0x37A62964, 0xDAE2AEF8),
++ BN_DEF(0x7603D147, 0xCD93C1D1), BN_DEF(0x0C074301, 0xF1CF3B96),
++ BN_DEF(0x171B671D, 0x19482F23), BN_DEF(0x650C10BE, 0x78BA3604),
++ BN_DEF(0x255E4C02, 0xB3861AA7), BN_DEF(0xB84B4B36, 0xCF6A9483),
++ BN_DEF(0x1042A95D, 0x0E3179AB), BN_DEF(0xEE51D6CB, 0xC1B2AE91),
++ BN_DEF(0x7E9267AF, 0x348B1FD4), BN_DEF(0x0E2AE9CD, 0xCC6D241B),
++ BN_DEF(0x50B1DF82, 0xE1003E5C), BN_DEF(0xF6722D9E, 0x24943328),
++ BN_DEF(0xBE258FF3, 0xD74F9208), BN_DEF(0xAD44CFD2, 0xF71C35FD),
++ BN_DEF(0x7A035BF6, 0x85FFAE5B), BN_DEF(0xD31BF6B5, 0x7A262174),
++ BN_DEF(0x312F3F63, 0xF242DABB), BN_DEF(0xB6A8E122, 0xA7F09AB6),
++ BN_DEF(0xF92F8A1B, 0x98158536), BN_DEF(0xE69D218D, 0xF7CA8CD9),
++ BN_DEF(0xC71A026E, 0x28A5043C), BN_DEF(0x1D89CD91, 0x0105DF53),
++ BN_DEF(0x4533E63A, 0x94812704), BN_DEF(0xC06E0E68, 0x62633145),
++ BN_DEF(0x10B4611A, 0xE487ED51), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF),
+ };
+
+-static const BN_ULONG ffdhe6144_p[] = {
+- 0xFFFFFFFFFFFFFFFFULL, 0xA40E329CD0E40E65ULL, 0xA41D570D7938DAD4ULL,
+- 0x62A69526D43161C1ULL, 0x3FDD4A8E9ADB1E69ULL, 0x5B3B71F9DC6B80D6ULL,
+- 0xEC9D1810C6272B04ULL, 0x8CCF2DD5CACEF403ULL, 0xE49F5235C95B9117ULL,
+- 0x505DC82DB854338AULL, 0x62292C311562A846ULL, 0xD72B03746AE77F5EULL,
+- 0xF9C9091B462D538CULL, 0x0AE8DB5847A67CBEULL, 0xB3A739C122611682ULL,
+- 0xEEAAC0232A281BF6ULL, 0x94C6651E77CAF992ULL, 0x763E4E4B94B2BBC1ULL,
+- 0x587E38DA0077D9B4ULL, 0x7FB29F8C183023C3ULL, 0x0ABEC1FFF9E3A26EULL,
+- 0xA00EF092350511E3ULL, 0xB855322EDB6340D8ULL, 0xA52471F7A9A96910ULL,
+- 0x388147FB4CFDB477ULL, 0x9B1F5C3E4E46041FULL, 0xCDAD0657FCCFEC71ULL,
+- 0xB38E8C334C701C3AULL, 0x917BDD64B1C0FD4CULL, 0x3BB454329B7624C8ULL,
+- 0x23BA4442CAF53EA6ULL, 0x4E677D2C38532A3AULL, 0x0BFD64B645036C7AULL,
+- 0xC68A007E5E0DD902ULL, 0x4DB5A851F44182E1ULL, 0x8EC9B55A7F88A46BULL,
+- 0x0A8291CDCEC97DCFULL, 0x2A4ECEA9F98D0ACCULL, 0x1A1DB93D7140003CULL,
+- 0x092999A333CB8B7AULL, 0x6DC778F971AD0038ULL, 0xA907600A918130C4ULL,
+- 0xED6A1E012D9E6832ULL, 0x7135C886EFB4318AULL, 0x87F55BA57E31CC7AULL,
+- 0x7763CF1D55034004ULL, 0xAC7D5F42D69F6D18ULL, 0x7930E9E4E58857B6ULL,
+- 0x6E6F52C3164DF4FBULL, 0x25E41D2B669E1EF1ULL, 0x3C1B20EE3FD59D7CULL,
+- 0x0ABCD06BFA53DDEFULL, 0x1DBF9A42D5C4484EULL, 0xABC521979B0DEADAULL,
+- 0xE86D2BC522363A0DULL, 0x5CAE82AB9C9DF69EULL, 0x64F2E21E71F54BFFULL,
+- 0xF4FD4452E2D74DD3ULL, 0xB4130C93BC437944ULL, 0xAEFE130985139270ULL,
+- 0x598CB0FAC186D91CULL, 0x7AD91D2691F7F7EEULL, 0x61B46FC9D6E6C907ULL,
+- 0xBC34F4DEF99C0238ULL, 0xDE355B3B6519035BULL, 0x886B4238611FCFDCULL,
+- 0xC6F34A26C1B2EFFAULL, 0xC58EF1837D1683B2ULL, 0x3BB5FCBC2EC22005ULL,
+- 0xC3FE3B1B4C6FAD73ULL, 0x8E4F1232EEF28183ULL, 0x9172FE9CE98583FFULL,
+- 0xC03404CD28342F61ULL, 0x9E02FCE1CDF7E2ECULL, 0x0B07A7C8EE0A6D70ULL,
+- 0xAE56EDE76372BB19ULL, 0x1D4F42A3DE394DF4ULL, 0xB96ADAB760D7F468ULL,
+- 0xD108A94BB2C8E3FBULL, 0xBC0AB182B324FB61ULL, 0x30ACCA4F483A797AULL,
+- 0x1DF158A136ADE735ULL, 0xE2A689DAF3EFE872ULL, 0x984F0C70E0E68B77ULL,
+- 0xB557135E7F57C935ULL, 0x856365553DED1AF3ULL, 0x2433F51F5F066ED0ULL,
+- 0xD3DF1ED5D5FD6561ULL, 0xF681B202AEC4617AULL, 0x7D2FE363630C75D8ULL,
+- 0xCC939DCE249B3EF9ULL, 0xA9E13641146433FBULL, 0xD8B9C583CE2D3695ULL,
+- 0xAFDC5620273D3CF1ULL, 0xADF85458A2BB4A9AULL, 0xFFFFFFFFFFFFFFFFULL
++/*-
++ * "6144-bit MODP Group" from RFC3526, Section 6.
++ *
++ * The prime is: 2^6144 - 2^6080 - 1 + 2^64 * { [2^6014 pi] + 929484 }
++ *
++ * RFC3526 specifies a generator of 2.
++ */
++static const BN_ULONG modp_6144_p[] = {
++ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x6DCC4024, 0xE694F91E),
++ BN_DEF(0x0B7474D6, 0x12BF2D5B), BN_DEF(0x3F4860EE, 0x043E8F66),
++ BN_DEF(0x6E3C0468, 0x387FE8D7), BN_DEF(0x2EF29632, 0xDA56C9EC),
++ BN_DEF(0xA313D55C, 0xEB19CCB1), BN_DEF(0x8A1FBFF0, 0xF550AA3D),
++ BN_DEF(0xB7C5DA76, 0x06A1D58B), BN_DEF(0xF29BE328, 0xA79715EE),
++ BN_DEF(0x0F8037E0, 0x14CC5ED2), BN_DEF(0xBF48E1D8, 0xCC8F6D7E),
++ BN_DEF(0x2B4154AA, 0x4BD407B2), BN_DEF(0xFF585AC5, 0x0F1D45B7),
++ BN_DEF(0x36CC88BE, 0x23A97A7E), BN_DEF(0xBEC7E8F3, 0x59E7C97F),
++ BN_DEF(0x900B1C9E, 0xB5A84031), BN_DEF(0x46980C82, 0xD55E702F),
++ BN_DEF(0x6E74FEF6, 0xF482D7CE), BN_DEF(0xD1721D03, 0xF032EA15),
++ BN_DEF(0xC64B92EC, 0x5983CA01), BN_DEF(0x378CD2BF, 0x6FB8F401),
++ BN_DEF(0x2BD7AF42, 0x33205151), BN_DEF(0xE6CC254B, 0xDB7F1447),
++ BN_DEF(0xCED4BB1B, 0x44CE6CBA), BN_DEF(0xCF9B14ED, 0xDA3EDBEB),
++ BN_DEF(0x865A8918, 0x179727B0), BN_DEF(0x9027D831, 0xB06A53ED),
++ BN_DEF(0x413001AE, 0xE5DB382F), BN_DEF(0xAD9E530E, 0xF8FF9406),
++ BN_DEF(0x3DBA37BD, 0xC9751E76), BN_DEF(0x602646DE, 0xC1D4DCB2),
++ BN_DEF(0xD27C7026, 0x36C3FAB4), BN_DEF(0x34028492, 0x4DF435C9),
++ BN_DEF(0x90A6C08F, 0x86FFB7DC), BN_DEF(0x8D8FDDC1, 0x93B4EA98),
++ BN_DEF(0xD5B05AA9, 0xD0069127), BN_DEF(0x2170481C, 0xB81BDD76),
++ BN_DEF(0xCEE2D7AF, 0x1F612970), BN_DEF(0x515BE7ED, 0x233BA186),
++ BN_DEF(0xA090C3A2, 0x99B2964F), BN_DEF(0x4E6BC05D, 0x287C5947),
++ BN_DEF(0x1FBECAA6, 0x2E8EFC14), BN_DEF(0x04DE8EF9, 0xDBBBC2DB),
++ BN_DEF(0x2AD44CE8, 0x2583E9CA), BN_DEF(0xB6150BDA, 0x1A946834),
++ BN_DEF(0x6AF4E23C, 0x99C32718), BN_DEF(0xBDBA5B26, 0x88719A10),
++ BN_DEF(0xA787E6D7, 0x1A723C12), BN_DEF(0xA9210801, 0x4B82D120),
++ BN_DEF(0xE0FD108E, 0x43DB5BFC), BN_DEF(0x74E5AB31, 0x08E24FA0),
++ BN_DEF(0xBAD946E2, 0x770988C0), BN_DEF(0x7A615D6C, 0xBBE11757),
++ BN_DEF(0x177B200C, 0x521F2B18), BN_DEF(0x3EC86A64, 0xD8760273),
++ BN_DEF(0xD98A0864, 0xF12FFA06), BN_DEF(0x1AD2EE6B, 0xCEE3D226),
++ BN_DEF(0x4A25619D, 0x1E8C94E0), BN_DEF(0xDB0933D7, 0xABF5AE8C),
++ BN_DEF(0xA6E1E4C7, 0xB3970F85), BN_DEF(0x5D060C7D, 0x8AEA7157),
++ BN_DEF(0x58DBEF0A, 0xECFB8504), BN_DEF(0xDF1CBA64, 0xA85521AB),
++ BN_DEF(0x04507A33, 0xAD33170D), BN_DEF(0x8AAAC42D, 0x15728E5A),
++ BN_DEF(0x98FA0510, 0x15D22618), BN_DEF(0xEA956AE5, 0x3995497C),
++ BN_DEF(0x95581718, 0xDE2BCBF6), BN_DEF(0x6F4C52C9, 0xB5C55DF0),
++ BN_DEF(0xEC07A28F, 0x9B2783A2), BN_DEF(0x180E8603, 0xE39E772C),
++ BN_DEF(0x2E36CE3B, 0x32905E46), BN_DEF(0xCA18217C, 0xF1746C08),
++ BN_DEF(0x4ABC9804, 0x670C354E), BN_DEF(0x7096966D, 0x9ED52907),
++ BN_DEF(0x208552BB, 0x1C62F356), BN_DEF(0xDCA3AD96, 0x83655D23),
++ BN_DEF(0xFD24CF5F, 0x69163FA8), BN_DEF(0x1C55D39A, 0x98DA4836),
++ BN_DEF(0xA163BF05, 0xC2007CB8), BN_DEF(0xECE45B3D, 0x49286651),
++ BN_DEF(0x7C4B1FE6, 0xAE9F2411), BN_DEF(0x5A899FA5, 0xEE386BFB),
++ BN_DEF(0xF406B7ED, 0x0BFF5CB6), BN_DEF(0xA637ED6B, 0xF44C42E9),
++ BN_DEF(0x625E7EC6, 0xE485B576), BN_DEF(0x6D51C245, 0x4FE1356D),
++ BN_DEF(0xF25F1437, 0x302B0A6D), BN_DEF(0xCD3A431B, 0xEF9519B3),
++ BN_DEF(0x8E3404DD, 0x514A0879), BN_DEF(0x3B139B22, 0x020BBEA6),
++ BN_DEF(0x8A67CC74, 0x29024E08), BN_DEF(0x80DC1CD1, 0xC4C6628B),
++ BN_DEF(0x2168C234, 0xC90FDAA2), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF)
++};
++/* q = (p - 1) / 2 */
++static const BN_ULONG modp_6144_q[] = {
++ BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), BN_DEF(0x36E62012, 0x734A7C8F),
++ BN_DEF(0x85BA3A6B, 0x095F96AD), BN_DEF(0x1FA43077, 0x021F47B3),
++ BN_DEF(0xB71E0234, 0x1C3FF46B), BN_DEF(0x17794B19, 0x6D2B64F6),
++ BN_DEF(0xD189EAAE, 0x758CE658), BN_DEF(0xC50FDFF8, 0x7AA8551E),
++ BN_DEF(0xDBE2ED3B, 0x0350EAC5), BN_DEF(0x794DF194, 0x53CB8AF7),
++ BN_DEF(0x07C01BF0, 0x0A662F69), BN_DEF(0x5FA470EC, 0x6647B6BF),
++ BN_DEF(0x15A0AA55, 0xA5EA03D9), BN_DEF(0xFFAC2D62, 0x078EA2DB),
++ BN_DEF(0x1B66445F, 0x91D4BD3F), BN_DEF(0xDF63F479, 0x2CF3E4BF),
++ BN_DEF(0xC8058E4F, 0x5AD42018), BN_DEF(0xA34C0641, 0x6AAF3817),
++ BN_DEF(0x373A7F7B, 0xFA416BE7), BN_DEF(0xE8B90E81, 0x7819750A),
++ BN_DEF(0xE325C976, 0xACC1E500), BN_DEF(0x9BC6695F, 0x37DC7A00),
++ BN_DEF(0x95EBD7A1, 0x999028A8), BN_DEF(0xF36612A5, 0xEDBF8A23),
++ BN_DEF(0x676A5D8D, 0xA267365D), BN_DEF(0xE7CD8A76, 0x6D1F6DF5),
++ BN_DEF(0x432D448C, 0x8BCB93D8), BN_DEF(0xC813EC18, 0x583529F6),
++ BN_DEF(0xA09800D7, 0x72ED9C17), BN_DEF(0x56CF2987, 0xFC7FCA03),
++ BN_DEF(0x1EDD1BDE, 0x64BA8F3B), BN_DEF(0x3013236F, 0x60EA6E59),
++ BN_DEF(0x693E3813, 0x1B61FD5A), BN_DEF(0x9A014249, 0xA6FA1AE4),
++ BN_DEF(0x48536047, 0xC37FDBEE), BN_DEF(0x46C7EEE0, 0xC9DA754C),
++ BN_DEF(0xEAD82D54, 0x68034893), BN_DEF(0x10B8240E, 0xDC0DEEBB),
++ BN_DEF(0x67716BD7, 0x8FB094B8), BN_DEF(0x28ADF3F6, 0x119DD0C3),
++ BN_DEF(0xD04861D1, 0xCCD94B27), BN_DEF(0xA735E02E, 0x143E2CA3),
++ BN_DEF(0x0FDF6553, 0x97477E0A), BN_DEF(0x826F477C, 0x6DDDE16D),
++ BN_DEF(0x156A2674, 0x12C1F4E5), BN_DEF(0x5B0A85ED, 0x0D4A341A),
++ BN_DEF(0x357A711E, 0x4CE1938C), BN_DEF(0x5EDD2D93, 0xC438CD08),
++ BN_DEF(0x53C3F36B, 0x8D391E09), BN_DEF(0x54908400, 0x25C16890),
++ BN_DEF(0x707E8847, 0xA1EDADFE), BN_DEF(0x3A72D598, 0x047127D0),
++ BN_DEF(0x5D6CA371, 0x3B84C460), BN_DEF(0xBD30AEB6, 0x5DF08BAB),
++ BN_DEF(0x0BBD9006, 0x290F958C), BN_DEF(0x9F643532, 0x6C3B0139),
++ BN_DEF(0x6CC50432, 0xF897FD03), BN_DEF(0x0D697735, 0xE771E913),
++ BN_DEF(0x2512B0CE, 0x8F464A70), BN_DEF(0x6D8499EB, 0xD5FAD746),
++ BN_DEF(0xD370F263, 0xD9CB87C2), BN_DEF(0xAE83063E, 0x457538AB),
++ BN_DEF(0x2C6DF785, 0x767DC282), BN_DEF(0xEF8E5D32, 0xD42A90D5),
++ BN_DEF(0x82283D19, 0xD6998B86), BN_DEF(0x45556216, 0x0AB9472D),
++ BN_DEF(0x4C7D0288, 0x8AE9130C), BN_DEF(0x754AB572, 0x1CCAA4BE),
++ BN_DEF(0x4AAC0B8C, 0xEF15E5FB), BN_DEF(0x37A62964, 0xDAE2AEF8),
++ BN_DEF(0x7603D147, 0xCD93C1D1), BN_DEF(0x0C074301, 0xF1CF3B96),
++ BN_DEF(0x171B671D, 0x19482F23), BN_DEF(0x650C10BE, 0x78BA3604),
++ BN_DEF(0x255E4C02, 0xB3861AA7), BN_DEF(0xB84B4B36, 0xCF6A9483),
++ BN_DEF(0x1042A95D, 0x0E3179AB), BN_DEF(0xEE51D6CB, 0xC1B2AE91),
++ BN_DEF(0x7E9267AF, 0x348B1FD4), BN_DEF(0x0E2AE9CD, 0xCC6D241B),
++ BN_DEF(0x50B1DF82, 0xE1003E5C), BN_DEF(0xF6722D9E, 0x24943328),
++ BN_DEF(0xBE258FF3, 0xD74F9208), BN_DEF(0xAD44CFD2, 0xF71C35FD),
++ BN_DEF(0x7A035BF6, 0x85FFAE5B), BN_DEF(0xD31BF6B5, 0x7A262174),
++ BN_DEF(0x312F3F63, 0xF242DABB), BN_DEF(0xB6A8E122, 0xA7F09AB6),
++ BN_DEF(0xF92F8A1B, 0x98158536), BN_DEF(0xE69D218D, 0xF7CA8CD9),
++ BN_DEF(0xC71A026E, 0x28A5043C), BN_DEF(0x1D89CD91, 0x0105DF53),
++ BN_DEF(0x4533E63A, 0x94812704), BN_DEF(0xC06E0E68, 0x62633145),
++ BN_DEF(0x10B4611A, 0xE487ED51), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF),
+ };
+
+-static const BN_ULONG ffdhe8192_p[] = {
+- 0xFFFFFFFFFFFFFFFFULL, 0xD68C8BB7C5C6424CULL, 0x011E2A94838FF88CULL,
+- 0x0822E506A9F4614EULL, 0x97D11D49F7A8443DULL, 0xA6BBFDE530677F0DULL,
+- 0x2F741EF8C1FE86FEULL, 0xFAFABE1C5D71A87EULL, 0xDED2FBABFBE58A30ULL,
+- 0xB6855DFE72B0A66EULL, 0x1EFC8CE0BA8A4FE8ULL, 0x83F81D4A3F2FA457ULL,
+- 0xA1FE3075A577E231ULL, 0xD5B8019488D9C0A0ULL, 0x624816CDAD9A95F9ULL,
+- 0x99E9E31650C1217BULL, 0x51AA691E0E423CFCULL, 0x1C217E6C3826E52CULL,
+- 0x51A8A93109703FEEULL, 0xBB7099876A460E74ULL, 0x541FC68C9C86B022ULL,
+- 0x59160CC046FD8251ULL, 0x2846C0BA35C35F5CULL, 0x54504AC78B758282ULL,
+- 0x29388839D2AF05E4ULL, 0xCB2C0F1CC01BD702ULL, 0x555B2F747C932665ULL,
+- 0x86B63142A3AB8829ULL, 0x0B8CC3BDF64B10EFULL, 0x687FEB69EDD1CC5EULL,
+- 0xFDB23FCEC9509D43ULL, 0x1E425A31D951AE64ULL, 0x36AD004CF600C838ULL,
+- 0xA40E329CCFF46AAAULL, 0xA41D570D7938DAD4ULL, 0x62A69526D43161C1ULL,
+- 0x3FDD4A8E9ADB1E69ULL, 0x5B3B71F9DC6B80D6ULL, 0xEC9D1810C6272B04ULL,
+- 0x8CCF2DD5CACEF403ULL, 0xE49F5235C95B9117ULL, 0x505DC82DB854338AULL,
+- 0x62292C311562A846ULL, 0xD72B03746AE77F5EULL, 0xF9C9091B462D538CULL,
+- 0x0AE8DB5847A67CBEULL, 0xB3A739C122611682ULL, 0xEEAAC0232A281BF6ULL,
+- 0x94C6651E77CAF992ULL, 0x763E4E4B94B2BBC1ULL, 0x587E38DA0077D9B4ULL,
+- 0x7FB29F8C183023C3ULL, 0x0ABEC1FFF9E3A26EULL, 0xA00EF092350511E3ULL,
+- 0xB855322EDB6340D8ULL, 0xA52471F7A9A96910ULL, 0x388147FB4CFDB477ULL,
+- 0x9B1F5C3E4E46041FULL, 0xCDAD0657FCCFEC71ULL, 0xB38E8C334C701C3AULL,
+- 0x917BDD64B1C0FD4CULL, 0x3BB454329B7624C8ULL, 0x23BA4442CAF53EA6ULL,
+- 0x4E677D2C38532A3AULL, 0x0BFD64B645036C7AULL, 0xC68A007E5E0DD902ULL,
+- 0x4DB5A851F44182E1ULL, 0x8EC9B55A7F88A46BULL, 0x0A8291CDCEC97DCFULL,
+- 0x2A4ECEA9F98D0ACCULL, 0x1A1DB93D7140003CULL, 0x092999A333CB8B7AULL,
+- 0x6DC778F971AD0038ULL, 0xA907600A918130C4ULL, 0xED6A1E012D9E6832ULL,
+- 0x7135C886EFB4318AULL, 0x87F55BA57E31CC7AULL, 0x7763CF1D55034004ULL,
+- 0xAC7D5F42D69F6D18ULL, 0x7930E9E4E58857B6ULL, 0x6E6F52C3164DF4FBULL,
+- 0x25E41D2B669E1EF1ULL, 0x3C1B20EE3FD59D7CULL, 0x0ABCD06BFA53DDEFULL,
+- 0x1DBF9A42D5C4484EULL, 0xABC521979B0DEADAULL, 0xE86D2BC522363A0DULL,
+- 0x5CAE82AB9C9DF69EULL, 0x64F2E21E71F54BFFULL, 0xF4FD4452E2D74DD3ULL,
+- 0xB4130C93BC437944ULL, 0xAEFE130985139270ULL, 0x598CB0FAC186D91CULL,
+- 0x7AD91D2691F7F7EEULL, 0x61B46FC9D6E6C907ULL, 0xBC34F4DEF99C0238ULL,
+- 0xDE355B3B6519035BULL, 0x886B4238611FCFDCULL, 0xC6F34A26C1B2EFFAULL,
+- 0xC58EF1837D1683B2ULL, 0x3BB5FCBC2EC22005ULL, 0xC3FE3B1B4C6FAD73ULL,
+- 0x8E4F1232EEF28183ULL, 0x9172FE9CE98583FFULL, 0xC03404CD28342F61ULL,
+- 0x9E02FCE1CDF7E2ECULL, 0x0B07A7C8EE0A6D70ULL, 0xAE56EDE76372BB19ULL,
+- 0x1D4F42A3DE394DF4ULL, 0xB96ADAB760D7F468ULL, 0xD108A94BB2C8E3FBULL,
+- 0xBC0AB182B324FB61ULL, 0x30ACCA4F483A797AULL, 0x1DF158A136ADE735ULL,
+- 0xE2A689DAF3EFE872ULL, 0x984F0C70E0E68B77ULL, 0xB557135E7F57C935ULL,
+- 0x856365553DED1AF3ULL, 0x2433F51F5F066ED0ULL, 0xD3DF1ED5D5FD6561ULL,
+- 0xF681B202AEC4617AULL, 0x7D2FE363630C75D8ULL, 0xCC939DCE249B3EF9ULL,
+- 0xA9E13641146433FBULL, 0xD8B9C583CE2D3695ULL, 0xAFDC5620273D3CF1ULL,
+- 0xADF85458A2BB4A9AULL, 0xFFFFFFFFFFFFFFFFULL
++/*
++ * "8192-bit MODP Group" from RFC3526, Section 7.
++ *
++ * The prime is: 2^8192 - 2^8128 - 1 + 2^64 * { [2^8062 pi] + 4743158 }
++ *
++ * RFC3526 specifies a generator of 2.
++ */
++static const BN_ULONG modp_8192_p[] = {
++ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x98EDD3DF, 0x60C980DD),
++ BN_DEF(0x80B96E71, 0xC81F56E8), BN_DEF(0x765694DF, 0x9E3050E2),
++ BN_DEF(0x5677E9AA, 0x9558E447), BN_DEF(0xFC026E47, 0xC9190DA6),
++ BN_DEF(0xD5EE382B, 0x889A002E), BN_DEF(0x481C6CD7, 0x4009438B),
++ BN_DEF(0xEB879F92, 0x359046F4), BN_DEF(0x1ECFA268, 0xFAF36BC3),
++ BN_DEF(0x7EE74D73, 0xB1D510BD), BN_DEF(0x5DED7EA1, 0xF9AB4819),
++ BN_DEF(0x0846851D, 0x64F31CC5), BN_DEF(0xA0255DC1, 0x4597E899),
++ BN_DEF(0x74AB6A36, 0xDF310EE0), BN_DEF(0x3F44F82D, 0x6D2A13F8),
++ BN_DEF(0xB3A278A6, 0x062B3CF5), BN_DEF(0xED5BDD3A, 0x79683303),
++ BN_DEF(0xA2C087E8, 0xFA9D4B7F), BN_DEF(0x2F8385DD, 0x4BCBC886),
++ BN_DEF(0x6CEA306B, 0x3473FC64), BN_DEF(0x1A23F0C7, 0x13EB57A8),
++ BN_DEF(0xA4037C07, 0x22222E04), BN_DEF(0xFC848AD9, 0xE3FDB8BE),
++ BN_DEF(0xE39D652D, 0x238F16CB), BN_DEF(0x2BF1C978, 0x3423B474),
++ BN_DEF(0x5AE4F568, 0x3AAB639C), BN_DEF(0x6BA42466, 0x2576F693),
++ BN_DEF(0x8AFC47ED, 0x741FA7BF), BN_DEF(0x8D9DD300, 0x3BC832B6),
++ BN_DEF(0x73B931BA, 0xD8BEC4D0), BN_DEF(0xA932DF8C, 0x38777CB6),
++ BN_DEF(0x12FEE5E4, 0x74A3926F), BN_DEF(0x6DBE1159, 0xE694F91E),
++ BN_DEF(0x0B7474D6, 0x12BF2D5B), BN_DEF(0x3F4860EE, 0x043E8F66),
++ BN_DEF(0x6E3C0468, 0x387FE8D7), BN_DEF(0x2EF29632, 0xDA56C9EC),
++ BN_DEF(0xA313D55C, 0xEB19CCB1), BN_DEF(0x8A1FBFF0, 0xF550AA3D),
++ BN_DEF(0xB7C5DA76, 0x06A1D58B), BN_DEF(0xF29BE328, 0xA79715EE),
++ BN_DEF(0x0F8037E0, 0x14CC5ED2), BN_DEF(0xBF48E1D8, 0xCC8F6D7E),
++ BN_DEF(0x2B4154AA, 0x4BD407B2), BN_DEF(0xFF585AC5, 0x0F1D45B7),
++ BN_DEF(0x36CC88BE, 0x23A97A7E), BN_DEF(0xBEC7E8F3, 0x59E7C97F),
++ BN_DEF(0x900B1C9E, 0xB5A84031), BN_DEF(0x46980C82, 0xD55E702F),
++ BN_DEF(0x6E74FEF6, 0xF482D7CE), BN_DEF(0xD1721D03, 0xF032EA15),
++ BN_DEF(0xC64B92EC, 0x5983CA01), BN_DEF(0x378CD2BF, 0x6FB8F401),
++ BN_DEF(0x2BD7AF42, 0x33205151), BN_DEF(0xE6CC254B, 0xDB7F1447),
++ BN_DEF(0xCED4BB1B, 0x44CE6CBA), BN_DEF(0xCF9B14ED, 0xDA3EDBEB),
++ BN_DEF(0x865A8918, 0x179727B0), BN_DEF(0x9027D831, 0xB06A53ED),
++ BN_DEF(0x413001AE, 0xE5DB382F), BN_DEF(0xAD9E530E, 0xF8FF9406),
++ BN_DEF(0x3DBA37BD, 0xC9751E76), BN_DEF(0x602646DE, 0xC1D4DCB2),
++ BN_DEF(0xD27C7026, 0x36C3FAB4), BN_DEF(0x34028492, 0x4DF435C9),
++ BN_DEF(0x90A6C08F, 0x86FFB7DC), BN_DEF(0x8D8FDDC1, 0x93B4EA98),
++ BN_DEF(0xD5B05AA9, 0xD0069127), BN_DEF(0x2170481C, 0xB81BDD76),
++ BN_DEF(0xCEE2D7AF, 0x1F612970), BN_DEF(0x515BE7ED, 0x233BA186),
++ BN_DEF(0xA090C3A2, 0x99B2964F), BN_DEF(0x4E6BC05D, 0x287C5947),
++ BN_DEF(0x1FBECAA6, 0x2E8EFC14), BN_DEF(0x04DE8EF9, 0xDBBBC2DB),
++ BN_DEF(0x2AD44CE8, 0x2583E9CA), BN_DEF(0xB6150BDA, 0x1A946834),
++ BN_DEF(0x6AF4E23C, 0x99C32718), BN_DEF(0xBDBA5B26, 0x88719A10),
++ BN_DEF(0xA787E6D7, 0x1A723C12), BN_DEF(0xA9210801, 0x4B82D120),
++ BN_DEF(0xE0FD108E, 0x43DB5BFC), BN_DEF(0x74E5AB31, 0x08E24FA0),
++ BN_DEF(0xBAD946E2, 0x770988C0), BN_DEF(0x7A615D6C, 0xBBE11757),
++ BN_DEF(0x177B200C, 0x521F2B18), BN_DEF(0x3EC86A64, 0xD8760273),
++ BN_DEF(0xD98A0864, 0xF12FFA06), BN_DEF(0x1AD2EE6B, 0xCEE3D226),
++ BN_DEF(0x4A25619D, 0x1E8C94E0), BN_DEF(0xDB0933D7, 0xABF5AE8C),
++ BN_DEF(0xA6E1E4C7, 0xB3970F85), BN_DEF(0x5D060C7D, 0x8AEA7157),
++ BN_DEF(0x58DBEF0A, 0xECFB8504), BN_DEF(0xDF1CBA64, 0xA85521AB),
++ BN_DEF(0x04507A33, 0xAD33170D), BN_DEF(0x8AAAC42D, 0x15728E5A),
++ BN_DEF(0x98FA0510, 0x15D22618), BN_DEF(0xEA956AE5, 0x3995497C),
++ BN_DEF(0x95581718, 0xDE2BCBF6), BN_DEF(0x6F4C52C9, 0xB5C55DF0),
++ BN_DEF(0xEC07A28F, 0x9B2783A2), BN_DEF(0x180E8603, 0xE39E772C),
++ BN_DEF(0x2E36CE3B, 0x32905E46), BN_DEF(0xCA18217C, 0xF1746C08),
++ BN_DEF(0x4ABC9804, 0x670C354E), BN_DEF(0x7096966D, 0x9ED52907),
++ BN_DEF(0x208552BB, 0x1C62F356), BN_DEF(0xDCA3AD96, 0x83655D23),
++ BN_DEF(0xFD24CF5F, 0x69163FA8), BN_DEF(0x1C55D39A, 0x98DA4836),
++ BN_DEF(0xA163BF05, 0xC2007CB8), BN_DEF(0xECE45B3D, 0x49286651),
++ BN_DEF(0x7C4B1FE6, 0xAE9F2411), BN_DEF(0x5A899FA5, 0xEE386BFB),
++ BN_DEF(0xF406B7ED, 0x0BFF5CB6), BN_DEF(0xA637ED6B, 0xF44C42E9),
++ BN_DEF(0x625E7EC6, 0xE485B576), BN_DEF(0x6D51C245, 0x4FE1356D),
++ BN_DEF(0xF25F1437, 0x302B0A6D), BN_DEF(0xCD3A431B, 0xEF9519B3),
++ BN_DEF(0x8E3404DD, 0x514A0879), BN_DEF(0x3B139B22, 0x020BBEA6),
++ BN_DEF(0x8A67CC74, 0x29024E08), BN_DEF(0x80DC1CD1, 0xC4C6628B),
++ BN_DEF(0x2168C234, 0xC90FDAA2), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF)
++};
++/* q = (p - 1) / 2 */
++static const BN_ULONG modp_8192_q[] = {
++ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0xCC76E9EF, 0xB064C06E),
++ BN_DEF(0x405CB738, 0xE40FAB74), BN_DEF(0x3B2B4A6F, 0x4F182871),
++ BN_DEF(0xAB3BF4D5, 0xCAAC7223), BN_DEF(0x7E013723, 0xE48C86D3),
++ BN_DEF(0x6AF71C15, 0xC44D0017), BN_DEF(0xA40E366B, 0x2004A1C5),
++ BN_DEF(0x75C3CFC9, 0x1AC8237A), BN_DEF(0x8F67D134, 0xFD79B5E1),
++ BN_DEF(0xBF73A6B9, 0xD8EA885E), BN_DEF(0xAEF6BF50, 0xFCD5A40C),
++ BN_DEF(0x8423428E, 0xB2798E62), BN_DEF(0xD012AEE0, 0x22CBF44C),
++ BN_DEF(0x3A55B51B, 0xEF988770), BN_DEF(0x1FA27C16, 0x369509FC),
++ BN_DEF(0xD9D13C53, 0x03159E7A), BN_DEF(0xF6ADEE9D, 0x3CB41981),
++ BN_DEF(0xD16043F4, 0xFD4EA5BF), BN_DEF(0x17C1C2EE, 0xA5E5E443),
++ BN_DEF(0x36751835, 0x9A39FE32), BN_DEF(0x0D11F863, 0x89F5ABD4),
++ BN_DEF(0x5201BE03, 0x91111702), BN_DEF(0x7E42456C, 0xF1FEDC5F),
++ BN_DEF(0xF1CEB296, 0x11C78B65), BN_DEF(0x15F8E4BC, 0x1A11DA3A),
++ BN_DEF(0x2D727AB4, 0x1D55B1CE), BN_DEF(0xB5D21233, 0x92BB7B49),
++ BN_DEF(0xC57E23F6, 0x3A0FD3DF), BN_DEF(0x46CEE980, 0x1DE4195B),
++ BN_DEF(0x39DC98DD, 0x6C5F6268), BN_DEF(0x54996FC6, 0x1C3BBE5B),
++ BN_DEF(0x897F72F2, 0xBA51C937), BN_DEF(0x36DF08AC, 0x734A7C8F),
++ BN_DEF(0x85BA3A6B, 0x095F96AD), BN_DEF(0x1FA43077, 0x021F47B3),
++ BN_DEF(0xB71E0234, 0x1C3FF46B), BN_DEF(0x17794B19, 0x6D2B64F6),
++ BN_DEF(0xD189EAAE, 0x758CE658), BN_DEF(0xC50FDFF8, 0x7AA8551E),
++ BN_DEF(0xDBE2ED3B, 0x0350EAC5), BN_DEF(0x794DF194, 0x53CB8AF7),
++ BN_DEF(0x07C01BF0, 0x0A662F69), BN_DEF(0x5FA470EC, 0x6647B6BF),
++ BN_DEF(0x15A0AA55, 0xA5EA03D9), BN_DEF(0xFFAC2D62, 0x078EA2DB),
++ BN_DEF(0x1B66445F, 0x91D4BD3F), BN_DEF(0xDF63F479, 0x2CF3E4BF),
++ BN_DEF(0xC8058E4F, 0x5AD42018), BN_DEF(0xA34C0641, 0x6AAF3817),
++ BN_DEF(0x373A7F7B, 0xFA416BE7), BN_DEF(0xE8B90E81, 0x7819750A),
++ BN_DEF(0xE325C976, 0xACC1E500), BN_DEF(0x9BC6695F, 0x37DC7A00),
++ BN_DEF(0x95EBD7A1, 0x999028A8), BN_DEF(0xF36612A5, 0xEDBF8A23),
++ BN_DEF(0x676A5D8D, 0xA267365D), BN_DEF(0xE7CD8A76, 0x6D1F6DF5),
++ BN_DEF(0x432D448C, 0x8BCB93D8), BN_DEF(0xC813EC18, 0x583529F6),
++ BN_DEF(0xA09800D7, 0x72ED9C17), BN_DEF(0x56CF2987, 0xFC7FCA03),
++ BN_DEF(0x1EDD1BDE, 0x64BA8F3B), BN_DEF(0x3013236F, 0x60EA6E59),
++ BN_DEF(0x693E3813, 0x1B61FD5A), BN_DEF(0x9A014249, 0xA6FA1AE4),
++ BN_DEF(0x48536047, 0xC37FDBEE), BN_DEF(0x46C7EEE0, 0xC9DA754C),
++ BN_DEF(0xEAD82D54, 0x68034893), BN_DEF(0x10B8240E, 0xDC0DEEBB),
++ BN_DEF(0x67716BD7, 0x8FB094B8), BN_DEF(0x28ADF3F6, 0x119DD0C3),
++ BN_DEF(0xD04861D1, 0xCCD94B27), BN_DEF(0xA735E02E, 0x143E2CA3),
++ BN_DEF(0x0FDF6553, 0x97477E0A), BN_DEF(0x826F477C, 0x6DDDE16D),
++ BN_DEF(0x156A2674, 0x12C1F4E5), BN_DEF(0x5B0A85ED, 0x0D4A341A),
++ BN_DEF(0x357A711E, 0x4CE1938C), BN_DEF(0x5EDD2D93, 0xC438CD08),
++ BN_DEF(0x53C3F36B, 0x8D391E09), BN_DEF(0x54908400, 0x25C16890),
++ BN_DEF(0x707E8847, 0xA1EDADFE), BN_DEF(0x3A72D598, 0x047127D0),
++ BN_DEF(0x5D6CA371, 0x3B84C460), BN_DEF(0xBD30AEB6, 0x5DF08BAB),
++ BN_DEF(0x0BBD9006, 0x290F958C), BN_DEF(0x9F643532, 0x6C3B0139),
++ BN_DEF(0x6CC50432, 0xF897FD03), BN_DEF(0x0D697735, 0xE771E913),
++ BN_DEF(0x2512B0CE, 0x8F464A70), BN_DEF(0x6D8499EB, 0xD5FAD746),
++ BN_DEF(0xD370F263, 0xD9CB87C2), BN_DEF(0xAE83063E, 0x457538AB),
++ BN_DEF(0x2C6DF785, 0x767DC282), BN_DEF(0xEF8E5D32, 0xD42A90D5),
++ BN_DEF(0x82283D19, 0xD6998B86), BN_DEF(0x45556216, 0x0AB9472D),
++ BN_DEF(0x4C7D0288, 0x8AE9130C), BN_DEF(0x754AB572, 0x1CCAA4BE),
++ BN_DEF(0x4AAC0B8C, 0xEF15E5FB), BN_DEF(0x37A62964, 0xDAE2AEF8),
++ BN_DEF(0x7603D147, 0xCD93C1D1), BN_DEF(0x0C074301, 0xF1CF3B96),
++ BN_DEF(0x171B671D, 0x19482F23), BN_DEF(0x650C10BE, 0x78BA3604),
++ BN_DEF(0x255E4C02, 0xB3861AA7), BN_DEF(0xB84B4B36, 0xCF6A9483),
++ BN_DEF(0x1042A95D, 0x0E3179AB), BN_DEF(0xEE51D6CB, 0xC1B2AE91),
++ BN_DEF(0x7E9267AF, 0x348B1FD4), BN_DEF(0x0E2AE9CD, 0xCC6D241B),
++ BN_DEF(0x50B1DF82, 0xE1003E5C), BN_DEF(0xF6722D9E, 0x24943328),
++ BN_DEF(0xBE258FF3, 0xD74F9208), BN_DEF(0xAD44CFD2, 0xF71C35FD),
++ BN_DEF(0x7A035BF6, 0x85FFAE5B), BN_DEF(0xD31BF6B5, 0x7A262174),
++ BN_DEF(0x312F3F63, 0xF242DABB), BN_DEF(0xB6A8E122, 0xA7F09AB6),
++ BN_DEF(0xF92F8A1B, 0x98158536), BN_DEF(0xE69D218D, 0xF7CA8CD9),
++ BN_DEF(0xC71A026E, 0x28A5043C), BN_DEF(0x1D89CD91, 0x0105DF53),
++ BN_DEF(0x4533E63A, 0x94812704), BN_DEF(0xC06E0E68, 0x62633145),
++ BN_DEF(0x10B4611A, 0xE487ED51), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF),
+ };
+
+-# elif BN_BITS2 == 32
+-
++/* DH parameters from RFC5114 */
+ static const BN_ULONG dh1024_160_p[] = {
+- 0x2E4A4371, 0xDF1FB2BC, 0x6D4DA708, 0xE68CFDA7, 0x365C1A65, 0x45BF37DF,
+- 0x0DC8B4BD, 0xA151AF5F, 0xF55BCCC0, 0xFAA31A4F, 0xE5644738, 0x4EFFD6FA,
+- 0x219A7372, 0x98488E9C, 0x90C4BD70, 0xACCBDD7D, 0xD49B83BF, 0x24975C3C,
+- 0xA9061123, 0x13ECB4AE, 0x2EE652C0, 0x9838EF1E, 0x75A23D18, 0x6073E286,
+- 0x52D23B61, 0x9A6A9DCA, 0xFB06A3C6, 0x52C99FBC, 0xAE5D54EC, 0xDE92DE5E,
+- 0xA080E01D, 0xB10B8F96
++ BN_DEF(0x2E4A4371, 0xDF1FB2BC), BN_DEF(0x6D4DA708, 0xE68CFDA7),
++ BN_DEF(0x365C1A65, 0x45BF37DF), BN_DEF(0x0DC8B4BD, 0xA151AF5F),
++ BN_DEF(0xF55BCCC0, 0xFAA31A4F), BN_DEF(0xE5644738, 0x4EFFD6FA),
++ BN_DEF(0x219A7372, 0x98488E9C), BN_DEF(0x90C4BD70, 0xACCBDD7D),
++ BN_DEF(0xD49B83BF, 0x24975C3C), BN_DEF(0xA9061123, 0x13ECB4AE),
++ BN_DEF(0x2EE652C0, 0x9838EF1E), BN_DEF(0x75A23D18, 0x6073E286),
++ BN_DEF(0x52D23B61, 0x9A6A9DCA), BN_DEF(0xFB06A3C6, 0x52C99FBC),
++ BN_DEF(0xAE5D54EC, 0xDE92DE5E), BN_DEF(0xA080E01D, 0xB10B8F96)
+ };
+-
+-static const BN_ULONG dh1024_160_g[] = {
+- 0x22B3B2E5, 0x855E6EEB, 0xF97C2A24, 0x858F4DCE, 0x18D08BC8, 0x2D779D59,
+- 0x8E73AFA3, 0xD662A4D1, 0x69B6A28A, 0x1DBF0A01, 0x7A091F53, 0xA6A24C08,
+- 0x63F80A76, 0x909D0D22, 0xB9A92EE1, 0xD7FBD7D3, 0x9E2749F4, 0x5E91547F,
+- 0xB01B886A, 0x160217B4, 0x5504F213, 0x777E690F, 0x5C41564B, 0x266FEA1E,
+- 0x14266D31, 0xD6406CFF, 0x58AC507F, 0xF8104DD2, 0xEFB99905, 0x6765A442,
+- 0xC3FD3412, 0xA4D1CBD5
+-};
+-
+ static const BN_ULONG dh1024_160_q[] = {
+- 0x49462353, 0x64B7CB9D, 0x8ABA4E7D, 0x81A8DF27, 0xF518AA87
++ BN_DEF(0x49462353, 0x64B7CB9D), BN_DEF(0x8ABA4E7D, 0x81A8DF27),
++ (BN_ULONG)0xF518AA87
+ };
+-
+-static const BN_ULONG dh2048_224_p[] = {
+- 0x0C10E64F, 0x0AC4DFFE, 0x4E71B81C, 0xCF9DE538, 0xFFA31F71, 0x7EF363E2,
+- 0x6B8E75B9, 0xE3FB73C1, 0x4BA80A29, 0xC9B53DCF, 0x16E79763, 0x23F10B0E,
+- 0x13042E9B, 0xC52172E4, 0xC928B2B9, 0xBE60E69C, 0xB9E587E8, 0x80CD86A1,
+- 0x98C641A4, 0x315D75E1, 0x44328387, 0xCDF93ACC, 0xDC0A486D, 0x15987D9A,
+- 0x1FD5A074, 0x7310F712, 0xDE31EFDC, 0x278273C7, 0x415D9330, 0x1602E714,
+- 0xBC8985DB, 0x81286130, 0x70918836, 0xB3BF8A31, 0xB9C49708, 0x6A00E0A0,
+- 0x8BBC27BE, 0xC6BA0B2C, 0xED34DBF6, 0xC9F98D11, 0xB6C12207, 0x7AD5B7D0,
+- 0x55B7394B, 0xD91E8FEF, 0xEFDA4DF8, 0x9037C9ED, 0xAD6AC212, 0x6D3F8152,
+- 0x1274A0A6, 0x1DE6B85A, 0x309C180E, 0xEB3D688A, 0x7BA1DF15, 0xAF9A3C40,
+- 0xF95A56DB, 0xE6FA141D, 0xB61D0A75, 0xB54B1597, 0x683B9FD1, 0xA20D64E5,
+- 0x9559C51F, 0xD660FAA7, 0x9123A9D0, 0xAD107E1E
++static const BN_ULONG dh1024_160_g[] = {
++ BN_DEF(0x22B3B2E5, 0x855E6EEB), BN_DEF(0xF97C2A24, 0x858F4DCE),
++ BN_DEF(0x18D08BC8, 0x2D779D59), BN_DEF(0x8E73AFA3, 0xD662A4D1),
++ BN_DEF(0x69B6A28A, 0x1DBF0A01), BN_DEF(0x7A091F53, 0xA6A24C08),
++ BN_DEF(0x63F80A76, 0x909D0D22), BN_DEF(0xB9A92EE1, 0xD7FBD7D3),
++ BN_DEF(0x9E2749F4, 0x5E91547F), BN_DEF(0xB01B886A, 0x160217B4),
++ BN_DEF(0x5504F213, 0x777E690F), BN_DEF(0x5C41564B, 0x266FEA1E),
++ BN_DEF(0x14266D31, 0xD6406CFF), BN_DEF(0x58AC507F, 0xF8104DD2),
++ BN_DEF(0xEFB99905, 0x6765A442), BN_DEF(0xC3FD3412, 0xA4D1CBD5)
+ };
+
+-static const BN_ULONG dh2048_224_g[] = {
+- 0x191F2BFA, 0x84B890D3, 0x2A7065B3, 0x81BC087F, 0xF6EC0179, 0x19C418E1,
+- 0x71CFFF4C, 0x7B5A0F1C, 0x9B6AA4BD, 0xEDFE72FE, 0x94B30269, 0x81E1BCFE,
+- 0x8D6C0191, 0x566AFBB4, 0x409D13CD, 0xB539CCE3, 0x5F2FF381, 0x6AA21E7F,
+- 0x770589EF, 0xD9E263E4, 0xD19963DD, 0x10E183ED, 0x150B8EEB, 0xB70A8137,
+- 0x28C8F8AC, 0x051AE3D4, 0x0C1AB15B, 0xBB77A86F, 0x16A330EF, 0x6E3025E3,
+- 0xD6F83456, 0x19529A45, 0x118E98D1, 0xF180EB34, 0x50717CBE, 0xB5F6C6B2,
+- 0xDA7460CD, 0x09939D54, 0x22EA1ED4, 0xE2471504, 0x521BC98A, 0xB8A762D0,
+- 0x5AC1348B, 0xF4D02727, 0x1999024A, 0xC1766910, 0xA8D66AD7, 0xBE5E9001,
+- 0x620A8652, 0xC57DB17C, 0x00C29F52, 0xAB739D77, 0xA70C4AFA, 0xDD921F01,
+- 0x10B9A6F0, 0xA6824A4E, 0xCFE4FFE3, 0x74866A08, 0x89998CAF, 0x6CDEBE7B,
+- 0x8FFDAC50, 0x9DF30B5C, 0x4F2D9AE3, 0xAC4032EF
++static const BN_ULONG dh2048_224_p[] = {
++ BN_DEF(0x0C10E64F, 0x0AC4DFFE), BN_DEF(0x4E71B81C, 0xCF9DE538),
++ BN_DEF(0xFFA31F71, 0x7EF363E2), BN_DEF(0x6B8E75B9, 0xE3FB73C1),
++ BN_DEF(0x4BA80A29, 0xC9B53DCF), BN_DEF(0x16E79763, 0x23F10B0E),
++ BN_DEF(0x13042E9B, 0xC52172E4), BN_DEF(0xC928B2B9, 0xBE60E69C),
++ BN_DEF(0xB9E587E8, 0x80CD86A1), BN_DEF(0x98C641A4, 0x315D75E1),
++ BN_DEF(0x44328387, 0xCDF93ACC), BN_DEF(0xDC0A486D, 0x15987D9A),
++ BN_DEF(0x1FD5A074, 0x7310F712), BN_DEF(0xDE31EFDC, 0x278273C7),
++ BN_DEF(0x415D9330, 0x1602E714), BN_DEF(0xBC8985DB, 0x81286130),
++ BN_DEF(0x70918836, 0xB3BF8A31), BN_DEF(0xB9C49708, 0x6A00E0A0),
++ BN_DEF(0x8BBC27BE, 0xC6BA0B2C), BN_DEF(0xED34DBF6, 0xC9F98D11),
++ BN_DEF(0xB6C12207, 0x7AD5B7D0), BN_DEF(0x55B7394B, 0xD91E8FEF),
++ BN_DEF(0xEFDA4DF8, 0x9037C9ED), BN_DEF(0xAD6AC212, 0x6D3F8152),
++ BN_DEF(0x1274A0A6, 0x1DE6B85A), BN_DEF(0x309C180E, 0xEB3D688A),
++ BN_DEF(0x7BA1DF15, 0xAF9A3C40), BN_DEF(0xF95A56DB, 0xE6FA141D),
++ BN_DEF(0xB61D0A75, 0xB54B1597), BN_DEF(0x683B9FD1, 0xA20D64E5),
++ BN_DEF(0x9559C51F, 0xD660FAA7), BN_DEF(0x9123A9D0, 0xAD107E1E)
+ };
+-
+ static const BN_ULONG dh2048_224_q[] = {
+- 0xB36371EB, 0xBF389A99, 0x4738CEBC, 0x1F80535A, 0x99717710, 0xC58D93FE,
+- 0x801C0D34
++ BN_DEF(0xB36371EB, 0xBF389A99), BN_DEF(0x4738CEBC, 0x1F80535A),
++ BN_DEF(0x99717710, 0xC58D93FE), (BN_ULONG)0x801C0D34
+ };
+-
+-static const BN_ULONG dh2048_256_p[] = {
+- 0x1E1A1597, 0xDB094AE9, 0xD7EF09CA, 0x693877FA, 0x6E11715F, 0x6116D227,
+- 0xC198AF12, 0xA4B54330, 0xD7014103, 0x75F26375, 0x54E710C3, 0xC3A3960A,
+- 0xBD0BE621, 0xDED4010A, 0x89962856, 0xC0B857F6, 0x71506026, 0xB3CA3F79,
+- 0xE6B486F6, 0x1CCACB83, 0x14056425, 0x67E144E5, 0xA41825D9, 0xF6A167B5,
+- 0x96524D8E, 0x3AD83477, 0x51BFA4AB, 0xF13C6D9A, 0x35488A0E, 0x2D525267,
+- 0xCAA6B790, 0xB63ACAE1, 0x81B23F76, 0x4FDB70C5, 0x12307F5C, 0xBC39A0BF,
+- 0xB1E59BB8, 0xB941F54E, 0xD45F9088, 0x6C5BFC11, 0x4275BF7B, 0x22E0B1EF,
+- 0x5B4758C0, 0x91F9E672, 0x6BCF67ED, 0x5A8A9D30, 0x97517ABD, 0x209E0C64,
+- 0x830E9A7C, 0x3BF4296D, 0x34096FAA, 0x16C3D911, 0x61B2AA30, 0xFAF7DF45,
+- 0xD61957D4, 0xE00DF8F1, 0x435E3B00, 0x5D2CEED4, 0x660DD0F2, 0x8CEEF608,
+- 0x65195999, 0xFFBBD19C, 0xB4B6663C, 0x87A8E61D
++static const BN_ULONG dh2048_224_g[] = {
++ BN_DEF(0x191F2BFA, 0x84B890D3), BN_DEF(0x2A7065B3, 0x81BC087F),
++ BN_DEF(0xF6EC0179, 0x19C418E1), BN_DEF(0x71CFFF4C, 0x7B5A0F1C),
++ BN_DEF(0x9B6AA4BD, 0xEDFE72FE), BN_DEF(0x94B30269, 0x81E1BCFE),
++ BN_DEF(0x8D6C0191, 0x566AFBB4), BN_DEF(0x409D13CD, 0xB539CCE3),
++ BN_DEF(0x5F2FF381, 0x6AA21E7F), BN_DEF(0x770589EF, 0xD9E263E4),
++ BN_DEF(0xD19963DD, 0x10E183ED), BN_DEF(0x150B8EEB, 0xB70A8137),
++ BN_DEF(0x28C8F8AC, 0x051AE3D4), BN_DEF(0x0C1AB15B, 0xBB77A86F),
++ BN_DEF(0x16A330EF, 0x6E3025E3), BN_DEF(0xD6F83456, 0x19529A45),
++ BN_DEF(0x118E98D1, 0xF180EB34), BN_DEF(0x50717CBE, 0xB5F6C6B2),
++ BN_DEF(0xDA7460CD, 0x09939D54), BN_DEF(0x22EA1ED4, 0xE2471504),
++ BN_DEF(0x521BC98A, 0xB8A762D0), BN_DEF(0x5AC1348B, 0xF4D02727),
++ BN_DEF(0x1999024A, 0xC1766910), BN_DEF(0xA8D66AD7, 0xBE5E9001),
++ BN_DEF(0x620A8652, 0xC57DB17C), BN_DEF(0x00C29F52, 0xAB739D77),
++ BN_DEF(0xA70C4AFA, 0xDD921F01), BN_DEF(0x10B9A6F0, 0xA6824A4E),
++ BN_DEF(0xCFE4FFE3, 0x74866A08), BN_DEF(0x89998CAF, 0x6CDEBE7B),
++ BN_DEF(0x8FFDAC50, 0x9DF30B5C), BN_DEF(0x4F2D9AE3, 0xAC4032EF)
+ };
+
+-static const BN_ULONG dh2048_256_g[] = {
+- 0x6CC41659, 0x664B4C0F, 0xEF98C582, 0x5E2327CF, 0xD4795451, 0xD647D148,
+- 0x90F00EF8, 0x2F630784, 0x1DB246C3, 0x184B523D, 0xCDC67EB6, 0xC7891428,
+- 0x0DF92B52, 0x7FD02837, 0x64E0EC37, 0xB3353BBB, 0x57CD0915, 0xECD06E15,
+- 0xDF016199, 0xB7D2BBD2, 0x052588B9, 0xC8484B1E, 0x13D3FE14, 0xDB2A3B73,
+- 0xD182EA0A, 0xD052B985, 0xE83B9C80, 0xA4BD1BFF, 0xFB3F2E55, 0xDFC967C1,
+- 0x767164E1, 0xB5045AF2, 0x6F2F9193, 0x1D14348F, 0x428EBC83, 0x64E67982,
+- 0x82D6ED38, 0x8AC376D2, 0xAAB8A862, 0x777DE62A, 0xE9EC144B, 0xDDF463E5,
+- 0xC77A57F2, 0x0196F931, 0x41000A65, 0xA55AE313, 0xC28CBB18, 0x901228F8,
+- 0x7E8C6F62, 0xBC3773BF, 0x0C6B47B1, 0xBE3A6C1B, 0xAC0BB555, 0xFF4FED4A,
+- 0x77BE463F, 0x10DBC150, 0x1A0BA125, 0x07F4793A, 0x21EF2054, 0x4CA7B18F,
+- 0x60EDBD48, 0x2E775066, 0x73134D0B, 0x3FB32C9B
++static const BN_ULONG dh2048_256_p[] = {
++ BN_DEF(0x1E1A1597, 0xDB094AE9), BN_DEF(0xD7EF09CA, 0x693877FA),
++ BN_DEF(0x6E11715F, 0x6116D227), BN_DEF(0xC198AF12, 0xA4B54330),
++ BN_DEF(0xD7014103, 0x75F26375), BN_DEF(0x54E710C3, 0xC3A3960A),
++ BN_DEF(0xBD0BE621, 0xDED4010A), BN_DEF(0x89962856, 0xC0B857F6),
++ BN_DEF(0x71506026, 0xB3CA3F79), BN_DEF(0xE6B486F6, 0x1CCACB83),
++ BN_DEF(0x14056425, 0x67E144E5), BN_DEF(0xA41825D9, 0xF6A167B5),
++ BN_DEF(0x96524D8E, 0x3AD83477), BN_DEF(0x51BFA4AB, 0xF13C6D9A),
++ BN_DEF(0x35488A0E, 0x2D525267), BN_DEF(0xCAA6B790, 0xB63ACAE1),
++ BN_DEF(0x81B23F76, 0x4FDB70C5), BN_DEF(0x12307F5C, 0xBC39A0BF),
++ BN_DEF(0xB1E59BB8, 0xB941F54E), BN_DEF(0xD45F9088, 0x6C5BFC11),
++ BN_DEF(0x4275BF7B, 0x22E0B1EF), BN_DEF(0x5B4758C0, 0x91F9E672),
++ BN_DEF(0x6BCF67ED, 0x5A8A9D30), BN_DEF(0x97517ABD, 0x209E0C64),
++ BN_DEF(0x830E9A7C, 0x3BF4296D), BN_DEF(0x34096FAA, 0x16C3D911),
++ BN_DEF(0x61B2AA30, 0xFAF7DF45), BN_DEF(0xD61957D4, 0xE00DF8F1),
++ BN_DEF(0x435E3B00, 0x5D2CEED4), BN_DEF(0x660DD0F2, 0x8CEEF608),
++ BN_DEF(0x65195999, 0xFFBBD19C), BN_DEF(0xB4B6663C, 0x87A8E61D)
+ };
+-
+ static const BN_ULONG dh2048_256_q[] = {
+- 0x64F5FBD3, 0xA308B0FE, 0x1EB3750B, 0x99B1A47D, 0x40129DA2, 0xB4479976,
+- 0xA709A097, 0x8CF83642
++ BN_DEF(0x64F5FBD3, 0xA308B0FE), BN_DEF(0x1EB3750B, 0x99B1A47D),
++ BN_DEF(0x40129DA2, 0xB4479976), BN_DEF(0xA709A097, 0x8CF83642)
++};
++static const BN_ULONG dh2048_256_g[] = {
++ BN_DEF(0x6CC41659, 0x664B4C0F), BN_DEF(0xEF98C582, 0x5E2327CF),
++ BN_DEF(0xD4795451, 0xD647D148), BN_DEF(0x90F00EF8, 0x2F630784),
++ BN_DEF(0x1DB246C3, 0x184B523D), BN_DEF(0xCDC67EB6, 0xC7891428),
++ BN_DEF(0x0DF92B52, 0x7FD02837), BN_DEF(0x64E0EC37, 0xB3353BBB),
++ BN_DEF(0x57CD0915, 0xECD06E15), BN_DEF(0xDF016199, 0xB7D2BBD2),
++ BN_DEF(0x052588B9, 0xC8484B1E), BN_DEF(0x13D3FE14, 0xDB2A3B73),
++ BN_DEF(0xD182EA0A, 0xD052B985), BN_DEF(0xE83B9C80, 0xA4BD1BFF),
++ BN_DEF(0xFB3F2E55, 0xDFC967C1), BN_DEF(0x767164E1, 0xB5045AF2),
++ BN_DEF(0x6F2F9193, 0x1D14348F), BN_DEF(0x428EBC83, 0x64E67982),
++ BN_DEF(0x82D6ED38, 0x8AC376D2), BN_DEF(0xAAB8A862, 0x777DE62A),
++ BN_DEF(0xE9EC144B, 0xDDF463E5), BN_DEF(0xC77A57F2, 0x0196F931),
++ BN_DEF(0x41000A65, 0xA55AE313), BN_DEF(0xC28CBB18, 0x901228F8),
++ BN_DEF(0x7E8C6F62, 0xBC3773BF), BN_DEF(0x0C6B47B1, 0xBE3A6C1B),
++ BN_DEF(0xAC0BB555, 0xFF4FED4A), BN_DEF(0x77BE463F, 0x10DBC150),
++ BN_DEF(0x1A0BA125, 0x07F4793A), BN_DEF(0x21EF2054, 0x4CA7B18F),
++ BN_DEF(0x60EDBD48, 0x2E775066), BN_DEF(0x73134D0B, 0x3FB32C9B)
+ };
+
+ /* Primes from RFC 7919 */
+-
+ static const BN_ULONG ffdhe2048_p[] = {
+- 0xFFFFFFFF, 0xFFFFFFFF, 0x61285C97, 0x886B4238, 0xC1B2EFFA, 0xC6F34A26,
+- 0x7D1683B2, 0xC58EF183, 0x2EC22005, 0x3BB5FCBC, 0x4C6FAD73, 0xC3FE3B1B,
+- 0xEEF28183, 0x8E4F1232, 0xE98583FF, 0x9172FE9C, 0x28342F61, 0xC03404CD,
+- 0xCDF7E2EC, 0x9E02FCE1, 0xEE0A6D70, 0x0B07A7C8, 0x6372BB19, 0xAE56EDE7,
+- 0xDE394DF4, 0x1D4F42A3, 0x60D7F468, 0xB96ADAB7, 0xB2C8E3FB, 0xD108A94B,
+- 0xB324FB61, 0xBC0AB182, 0x483A797A, 0x30ACCA4F, 0x36ADE735, 0x1DF158A1,
+- 0xF3EFE872, 0xE2A689DA, 0xE0E68B77, 0x984F0C70, 0x7F57C935, 0xB557135E,
+- 0x3DED1AF3, 0x85636555, 0x5F066ED0, 0x2433F51F, 0xD5FD6561, 0xD3DF1ED5,
+- 0xAEC4617A, 0xF681B202, 0x630C75D8, 0x7D2FE363, 0x249B3EF9, 0xCC939DCE,
+- 0x146433FB, 0xA9E13641, 0xCE2D3695, 0xD8B9C583, 0x273D3CF1, 0xAFDC5620,
+- 0xA2BB4A9A, 0xADF85458, 0xFFFFFFFF, 0xFFFFFFFF
++ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x61285C97, 0x886B4238),
++ BN_DEF(0xC1B2EFFA, 0xC6F34A26), BN_DEF(0x7D1683B2, 0xC58EF183),
++ BN_DEF(0x2EC22005, 0x3BB5FCBC), BN_DEF(0x4C6FAD73, 0xC3FE3B1B),
++ BN_DEF(0xEEF28183, 0x8E4F1232), BN_DEF(0xE98583FF, 0x9172FE9C),
++ BN_DEF(0x28342F61, 0xC03404CD), BN_DEF(0xCDF7E2EC, 0x9E02FCE1),
++ BN_DEF(0xEE0A6D70, 0x0B07A7C8), BN_DEF(0x6372BB19, 0xAE56EDE7),
++ BN_DEF(0xDE394DF4, 0x1D4F42A3), BN_DEF(0x60D7F468, 0xB96ADAB7),
++ BN_DEF(0xB2C8E3FB, 0xD108A94B), BN_DEF(0xB324FB61, 0xBC0AB182),
++ BN_DEF(0x483A797A, 0x30ACCA4F), BN_DEF(0x36ADE735, 0x1DF158A1),
++ BN_DEF(0xF3EFE872, 0xE2A689DA), BN_DEF(0xE0E68B77, 0x984F0C70),
++ BN_DEF(0x7F57C935, 0xB557135E), BN_DEF(0x3DED1AF3, 0x85636555),
++ BN_DEF(0x5F066ED0, 0x2433F51F), BN_DEF(0xD5FD6561, 0xD3DF1ED5),
++ BN_DEF(0xAEC4617A, 0xF681B202), BN_DEF(0x630C75D8, 0x7D2FE363),
++ BN_DEF(0x249B3EF9, 0xCC939DCE), BN_DEF(0x146433FB, 0xA9E13641),
++ BN_DEF(0xCE2D3695, 0xD8B9C583), BN_DEF(0x273D3CF1, 0xAFDC5620),
++ BN_DEF(0xA2BB4A9A, 0xADF85458), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF)
++};
++/* q = (p - 1) / 2 */
++static const BN_ULONG ffdhe2048_q[] = {
++ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x30942E4B, 0x4435A11C),
++ BN_DEF(0x60D977FD, 0x6379A513), BN_DEF(0xBE8B41D9, 0xE2C778C1),
++ BN_DEF(0x17611002, 0x9DDAFE5E), BN_DEF(0xA637D6B9, 0xE1FF1D8D),
++ BN_DEF(0x777940C1, 0xC7278919), BN_DEF(0x74C2C1FF, 0xC8B97F4E),
++ BN_DEF(0x941A17B0, 0x601A0266), BN_DEF(0xE6FBF176, 0x4F017E70),
++ BN_DEF(0x770536B8, 0x8583D3E4), BN_DEF(0xB1B95D8C, 0x572B76F3),
++ BN_DEF(0xEF1CA6FA, 0x0EA7A151), BN_DEF(0xB06BFA34, 0xDCB56D5B),
++ BN_DEF(0xD96471FD, 0xE88454A5), BN_DEF(0x59927DB0, 0x5E0558C1),
++ BN_DEF(0xA41D3CBD, 0x98566527), BN_DEF(0x9B56F39A, 0x0EF8AC50),
++ BN_DEF(0x79F7F439, 0xF15344ED), BN_DEF(0x707345BB, 0xCC278638),
++ BN_DEF(0x3FABE49A, 0xDAAB89AF), BN_DEF(0x9EF68D79, 0x42B1B2AA),
++ BN_DEF(0xAF833768, 0x9219FA8F), BN_DEF(0xEAFEB2B0, 0x69EF8F6A),
++ BN_DEF(0x576230BD, 0x7B40D901), BN_DEF(0xB1863AEC, 0xBE97F1B1),
++ BN_DEF(0x124D9F7C, 0xE649CEE7), BN_DEF(0x8A3219FD, 0xD4F09B20),
++ BN_DEF(0xE7169B4A, 0xEC5CE2C1), BN_DEF(0x139E9E78, 0x57EE2B10),
++ BN_DEF(0x515DA54D, 0xD6FC2A2C), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF),
+ };
+
+ static const BN_ULONG ffdhe3072_p[] = {
+- 0xFFFFFFFF, 0xFFFFFFFF, 0x66C62E37, 0x25E41D2B, 0x3FD59D7C, 0x3C1B20EE,
+- 0xFA53DDEF, 0x0ABCD06B, 0xD5C4484E, 0x1DBF9A42, 0x9B0DEADA, 0xABC52197,
+- 0x22363A0D, 0xE86D2BC5, 0x9C9DF69E, 0x5CAE82AB, 0x71F54BFF, 0x64F2E21E,
+- 0xE2D74DD3, 0xF4FD4452, 0xBC437944, 0xB4130C93, 0x85139270, 0xAEFE1309,
+- 0xC186D91C, 0x598CB0FA, 0x91F7F7EE, 0x7AD91D26, 0xD6E6C907, 0x61B46FC9,
+- 0xF99C0238, 0xBC34F4DE, 0x6519035B, 0xDE355B3B, 0x611FCFDC, 0x886B4238,
+- 0xC1B2EFFA, 0xC6F34A26, 0x7D1683B2, 0xC58EF183, 0x2EC22005, 0x3BB5FCBC,
+- 0x4C6FAD73, 0xC3FE3B1B, 0xEEF28183, 0x8E4F1232, 0xE98583FF, 0x9172FE9C,
+- 0x28342F61, 0xC03404CD, 0xCDF7E2EC, 0x9E02FCE1, 0xEE0A6D70, 0x0B07A7C8,
+- 0x6372BB19, 0xAE56EDE7, 0xDE394DF4, 0x1D4F42A3, 0x60D7F468, 0xB96ADAB7,
+- 0xB2C8E3FB, 0xD108A94B, 0xB324FB61, 0xBC0AB182, 0x483A797A, 0x30ACCA4F,
+- 0x36ADE735, 0x1DF158A1, 0xF3EFE872, 0xE2A689DA, 0xE0E68B77, 0x984F0C70,
+- 0x7F57C935, 0xB557135E, 0x3DED1AF3, 0x85636555, 0x5F066ED0, 0x2433F51F,
+- 0xD5FD6561, 0xD3DF1ED5, 0xAEC4617A, 0xF681B202, 0x630C75D8, 0x7D2FE363,
+- 0x249B3EF9, 0xCC939DCE, 0x146433FB, 0xA9E13641, 0xCE2D3695, 0xD8B9C583,
+- 0x273D3CF1, 0xAFDC5620, 0xA2BB4A9A, 0xADF85458, 0xFFFFFFFF, 0xFFFFFFFF
++ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x66C62E37, 0x25E41D2B),
++ BN_DEF(0x3FD59D7C, 0x3C1B20EE), BN_DEF(0xFA53DDEF, 0x0ABCD06B),
++ BN_DEF(0xD5C4484E, 0x1DBF9A42), BN_DEF(0x9B0DEADA, 0xABC52197),
++ BN_DEF(0x22363A0D, 0xE86D2BC5), BN_DEF(0x9C9DF69E, 0x5CAE82AB),
++ BN_DEF(0x71F54BFF, 0x64F2E21E), BN_DEF(0xE2D74DD3, 0xF4FD4452),
++ BN_DEF(0xBC437944, 0xB4130C93), BN_DEF(0x85139270, 0xAEFE1309),
++ BN_DEF(0xC186D91C, 0x598CB0FA), BN_DEF(0x91F7F7EE, 0x7AD91D26),
++ BN_DEF(0xD6E6C907, 0x61B46FC9), BN_DEF(0xF99C0238, 0xBC34F4DE),
++ BN_DEF(0x6519035B, 0xDE355B3B), BN_DEF(0x611FCFDC, 0x886B4238),
++ BN_DEF(0xC1B2EFFA, 0xC6F34A26), BN_DEF(0x7D1683B2, 0xC58EF183),
++ BN_DEF(0x2EC22005, 0x3BB5FCBC), BN_DEF(0x4C6FAD73, 0xC3FE3B1B),
++ BN_DEF(0xEEF28183, 0x8E4F1232), BN_DEF(0xE98583FF, 0x9172FE9C),
++ BN_DEF(0x28342F61, 0xC03404CD), BN_DEF(0xCDF7E2EC, 0x9E02FCE1),
++ BN_DEF(0xEE0A6D70, 0x0B07A7C8), BN_DEF(0x6372BB19, 0xAE56EDE7),
++ BN_DEF(0xDE394DF4, 0x1D4F42A3), BN_DEF(0x60D7F468, 0xB96ADAB7),
++ BN_DEF(0xB2C8E3FB, 0xD108A94B), BN_DEF(0xB324FB61, 0xBC0AB182),
++ BN_DEF(0x483A797A, 0x30ACCA4F), BN_DEF(0x36ADE735, 0x1DF158A1),
++ BN_DEF(0xF3EFE872, 0xE2A689DA), BN_DEF(0xE0E68B77, 0x984F0C70),
++ BN_DEF(0x7F57C935, 0xB557135E), BN_DEF(0x3DED1AF3, 0x85636555),
++ BN_DEF(0x5F066ED0, 0x2433F51F), BN_DEF(0xD5FD6561, 0xD3DF1ED5),
++ BN_DEF(0xAEC4617A, 0xF681B202), BN_DEF(0x630C75D8, 0x7D2FE363),
++ BN_DEF(0x249B3EF9, 0xCC939DCE), BN_DEF(0x146433FB, 0xA9E13641),
++ BN_DEF(0xCE2D3695, 0xD8B9C583), BN_DEF(0x273D3CF1, 0xAFDC5620),
++ BN_DEF(0xA2BB4A9A, 0xADF85458), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF)
++};
++/* q = (p - 1) / 2 */
++static const BN_ULONG ffdhe3072_q[] = {
++ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0xB363171B, 0x12F20E95),
++ BN_DEF(0x1FEACEBE, 0x9E0D9077), BN_DEF(0xFD29EEF7, 0x055E6835),
++ BN_DEF(0x6AE22427, 0x0EDFCD21), BN_DEF(0xCD86F56D, 0xD5E290CB),
++ BN_DEF(0x911B1D06, 0x743695E2), BN_DEF(0xCE4EFB4F, 0xAE574155),
++ BN_DEF(0x38FAA5FF, 0xB279710F), BN_DEF(0x716BA6E9, 0x7A7EA229),
++ BN_DEF(0xDE21BCA2, 0x5A098649), BN_DEF(0xC289C938, 0x577F0984),
++ BN_DEF(0x60C36C8E, 0x2CC6587D), BN_DEF(0x48FBFBF7, 0xBD6C8E93),
++ BN_DEF(0xEB736483, 0x30DA37E4), BN_DEF(0x7CCE011C, 0xDE1A7A6F),
++ BN_DEF(0xB28C81AD, 0x6F1AAD9D), BN_DEF(0x308FE7EE, 0x4435A11C),
++ BN_DEF(0x60D977FD, 0x6379A513), BN_DEF(0xBE8B41D9, 0xE2C778C1),
++ BN_DEF(0x17611002, 0x9DDAFE5E), BN_DEF(0xA637D6B9, 0xE1FF1D8D),
++ BN_DEF(0x777940C1, 0xC7278919), BN_DEF(0x74C2C1FF, 0xC8B97F4E),
++ BN_DEF(0x941A17B0, 0x601A0266), BN_DEF(0xE6FBF176, 0x4F017E70),
++ BN_DEF(0x770536B8, 0x8583D3E4), BN_DEF(0xB1B95D8C, 0x572B76F3),
++ BN_DEF(0xEF1CA6FA, 0x0EA7A151), BN_DEF(0xB06BFA34, 0xDCB56D5B),
++ BN_DEF(0xD96471FD, 0xE88454A5), BN_DEF(0x59927DB0, 0x5E0558C1),
++ BN_DEF(0xA41D3CBD, 0x98566527), BN_DEF(0x9B56F39A, 0x0EF8AC50),
++ BN_DEF(0x79F7F439, 0xF15344ED), BN_DEF(0x707345BB, 0xCC278638),
++ BN_DEF(0x3FABE49A, 0xDAAB89AF), BN_DEF(0x9EF68D79, 0x42B1B2AA),
++ BN_DEF(0xAF833768, 0x9219FA8F), BN_DEF(0xEAFEB2B0, 0x69EF8F6A),
++ BN_DEF(0x576230BD, 0x7B40D901), BN_DEF(0xB1863AEC, 0xBE97F1B1),
++ BN_DEF(0x124D9F7C, 0xE649CEE7), BN_DEF(0x8A3219FD, 0xD4F09B20),
++ BN_DEF(0xE7169B4A, 0xEC5CE2C1), BN_DEF(0x139E9E78, 0x57EE2B10),
++ BN_DEF(0x515DA54D, 0xD6FC2A2C), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF),
+ };
+
+ static const BN_ULONG ffdhe4096_p[] = {
+- 0xFFFFFFFF, 0xFFFFFFFF, 0x5E655F6A, 0xC68A007E, 0xF44182E1, 0x4DB5A851,
+- 0x7F88A46B, 0x8EC9B55A, 0xCEC97DCF, 0x0A8291CD, 0xF98D0ACC, 0x2A4ECEA9,
+- 0x7140003C, 0x1A1DB93D, 0x33CB8B7A, 0x092999A3, 0x71AD0038, 0x6DC778F9,
+- 0x918130C4, 0xA907600A, 0x2D9E6832, 0xED6A1E01, 0xEFB4318A, 0x7135C886,
+- 0x7E31CC7A, 0x87F55BA5, 0x55034004, 0x7763CF1D, 0xD69F6D18, 0xAC7D5F42,
+- 0xE58857B6, 0x7930E9E4, 0x164DF4FB, 0x6E6F52C3, 0x669E1EF1, 0x25E41D2B,
+- 0x3FD59D7C, 0x3C1B20EE, 0xFA53DDEF, 0x0ABCD06B, 0xD5C4484E, 0x1DBF9A42,
+- 0x9B0DEADA, 0xABC52197, 0x22363A0D, 0xE86D2BC5, 0x9C9DF69E, 0x5CAE82AB,
+- 0x71F54BFF, 0x64F2E21E, 0xE2D74DD3, 0xF4FD4452, 0xBC437944, 0xB4130C93,
+- 0x85139270, 0xAEFE1309, 0xC186D91C, 0x598CB0FA, 0x91F7F7EE, 0x7AD91D26,
+- 0xD6E6C907, 0x61B46FC9, 0xF99C0238, 0xBC34F4DE, 0x6519035B, 0xDE355B3B,
+- 0x611FCFDC, 0x886B4238, 0xC1B2EFFA, 0xC6F34A26, 0x7D1683B2, 0xC58EF183,
+- 0x2EC22005, 0x3BB5FCBC, 0x4C6FAD73, 0xC3FE3B1B, 0xEEF28183, 0x8E4F1232,
+- 0xE98583FF, 0x9172FE9C, 0x28342F61, 0xC03404CD, 0xCDF7E2EC, 0x9E02FCE1,
+- 0xEE0A6D70, 0x0B07A7C8, 0x6372BB19, 0xAE56EDE7, 0xDE394DF4, 0x1D4F42A3,
+- 0x60D7F468, 0xB96ADAB7, 0xB2C8E3FB, 0xD108A94B, 0xB324FB61, 0xBC0AB182,
+- 0x483A797A, 0x30ACCA4F, 0x36ADE735, 0x1DF158A1, 0xF3EFE872, 0xE2A689DA,
+- 0xE0E68B77, 0x984F0C70, 0x7F57C935, 0xB557135E, 0x3DED1AF3, 0x85636555,
+- 0x5F066ED0, 0x2433F51F, 0xD5FD6561, 0xD3DF1ED5, 0xAEC4617A, 0xF681B202,
+- 0x630C75D8, 0x7D2FE363, 0x249B3EF9, 0xCC939DCE, 0x146433FB, 0xA9E13641,
+- 0xCE2D3695, 0xD8B9C583, 0x273D3CF1, 0xAFDC5620, 0xA2BB4A9A, 0xADF85458,
+- 0xFFFFFFFF, 0xFFFFFFFF
++ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x5E655F6A, 0xC68A007E),
++ BN_DEF(0xF44182E1, 0x4DB5A851), BN_DEF(0x7F88A46B, 0x8EC9B55A),
++ BN_DEF(0xCEC97DCF, 0x0A8291CD), BN_DEF(0xF98D0ACC, 0x2A4ECEA9),
++ BN_DEF(0x7140003C, 0x1A1DB93D), BN_DEF(0x33CB8B7A, 0x092999A3),
++ BN_DEF(0x71AD0038, 0x6DC778F9), BN_DEF(0x918130C4, 0xA907600A),
++ BN_DEF(0x2D9E6832, 0xED6A1E01), BN_DEF(0xEFB4318A, 0x7135C886),
++ BN_DEF(0x7E31CC7A, 0x87F55BA5), BN_DEF(0x55034004, 0x7763CF1D),
++ BN_DEF(0xD69F6D18, 0xAC7D5F42), BN_DEF(0xE58857B6, 0x7930E9E4),
++ BN_DEF(0x164DF4FB, 0x6E6F52C3), BN_DEF(0x669E1EF1, 0x25E41D2B),
++ BN_DEF(0x3FD59D7C, 0x3C1B20EE), BN_DEF(0xFA53DDEF, 0x0ABCD06B),
++ BN_DEF(0xD5C4484E, 0x1DBF9A42), BN_DEF(0x9B0DEADA, 0xABC52197),
++ BN_DEF(0x22363A0D, 0xE86D2BC5), BN_DEF(0x9C9DF69E, 0x5CAE82AB),
++ BN_DEF(0x71F54BFF, 0x64F2E21E), BN_DEF(0xE2D74DD3, 0xF4FD4452),
++ BN_DEF(0xBC437944, 0xB4130C93), BN_DEF(0x85139270, 0xAEFE1309),
++ BN_DEF(0xC186D91C, 0x598CB0FA), BN_DEF(0x91F7F7EE, 0x7AD91D26),
++ BN_DEF(0xD6E6C907, 0x61B46FC9), BN_DEF(0xF99C0238, 0xBC34F4DE),
++ BN_DEF(0x6519035B, 0xDE355B3B), BN_DEF(0x611FCFDC, 0x886B4238),
++ BN_DEF(0xC1B2EFFA, 0xC6F34A26), BN_DEF(0x7D1683B2, 0xC58EF183),
++ BN_DEF(0x2EC22005, 0x3BB5FCBC), BN_DEF(0x4C6FAD73, 0xC3FE3B1B),
++ BN_DEF(0xEEF28183, 0x8E4F1232), BN_DEF(0xE98583FF, 0x9172FE9C),
++ BN_DEF(0x28342F61, 0xC03404CD), BN_DEF(0xCDF7E2EC, 0x9E02FCE1),
++ BN_DEF(0xEE0A6D70, 0x0B07A7C8), BN_DEF(0x6372BB19, 0xAE56EDE7),
++ BN_DEF(0xDE394DF4, 0x1D4F42A3), BN_DEF(0x60D7F468, 0xB96ADAB7),
++ BN_DEF(0xB2C8E3FB, 0xD108A94B), BN_DEF(0xB324FB61, 0xBC0AB182),
++ BN_DEF(0x483A797A, 0x30ACCA4F), BN_DEF(0x36ADE735, 0x1DF158A1),
++ BN_DEF(0xF3EFE872, 0xE2A689DA), BN_DEF(0xE0E68B77, 0x984F0C70),
++ BN_DEF(0x7F57C935, 0xB557135E), BN_DEF(0x3DED1AF3, 0x85636555),
++ BN_DEF(0x5F066ED0, 0x2433F51F), BN_DEF(0xD5FD6561, 0xD3DF1ED5),
++ BN_DEF(0xAEC4617A, 0xF681B202), BN_DEF(0x630C75D8, 0x7D2FE363),
++ BN_DEF(0x249B3EF9, 0xCC939DCE), BN_DEF(0x146433FB, 0xA9E13641),
++ BN_DEF(0xCE2D3695, 0xD8B9C583), BN_DEF(0x273D3CF1, 0xAFDC5620),
++ BN_DEF(0xA2BB4A9A, 0xADF85458), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF)
++};
++/* q = (p - 1) / 2 */
++static const BN_ULONG ffdhe4096_q[] = {
++ BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), BN_DEF(0x2F32AFB5, 0xE345003F),
++ BN_DEF(0xFA20C170, 0xA6DAD428), BN_DEF(0x3FC45235, 0xC764DAAD),
++ BN_DEF(0xE764BEE7, 0x054148E6), BN_DEF(0xFCC68566, 0x15276754),
++ BN_DEF(0xB8A0001E, 0x0D0EDC9E), BN_DEF(0x99E5C5BD, 0x0494CCD1),
++ BN_DEF(0xB8D6801C, 0x36E3BC7C), BN_DEF(0x48C09862, 0x5483B005),
++ BN_DEF(0x96CF3419, 0x76B50F00), BN_DEF(0x77DA18C5, 0x389AE443),
++ BN_DEF(0xBF18E63D, 0x43FAADD2), BN_DEF(0xAA81A002, 0x3BB1E78E),
++ BN_DEF(0x6B4FB68C, 0x563EAFA1), BN_DEF(0x72C42BDB, 0xBC9874F2),
++ BN_DEF(0x8B26FA7D, 0xB737A961), BN_DEF(0xB34F0F78, 0x12F20E95),
++ BN_DEF(0x1FEACEBE, 0x9E0D9077), BN_DEF(0xFD29EEF7, 0x055E6835),
++ BN_DEF(0x6AE22427, 0x0EDFCD21), BN_DEF(0xCD86F56D, 0xD5E290CB),
++ BN_DEF(0x911B1D06, 0x743695E2), BN_DEF(0xCE4EFB4F, 0xAE574155),
++ BN_DEF(0x38FAA5FF, 0xB279710F), BN_DEF(0x716BA6E9, 0x7A7EA229),
++ BN_DEF(0xDE21BCA2, 0x5A098649), BN_DEF(0xC289C938, 0x577F0984),
++ BN_DEF(0x60C36C8E, 0x2CC6587D), BN_DEF(0x48FBFBF7, 0xBD6C8E93),
++ BN_DEF(0xEB736483, 0x30DA37E4), BN_DEF(0x7CCE011C, 0xDE1A7A6F),
++ BN_DEF(0xB28C81AD, 0x6F1AAD9D), BN_DEF(0x308FE7EE, 0x4435A11C),
++ BN_DEF(0x60D977FD, 0x6379A513), BN_DEF(0xBE8B41D9, 0xE2C778C1),
++ BN_DEF(0x17611002, 0x9DDAFE5E), BN_DEF(0xA637D6B9, 0xE1FF1D8D),
++ BN_DEF(0x777940C1, 0xC7278919), BN_DEF(0x74C2C1FF, 0xC8B97F4E),
++ BN_DEF(0x941A17B0, 0x601A0266), BN_DEF(0xE6FBF176, 0x4F017E70),
++ BN_DEF(0x770536B8, 0x8583D3E4), BN_DEF(0xB1B95D8C, 0x572B76F3),
++ BN_DEF(0xEF1CA6FA, 0x0EA7A151), BN_DEF(0xB06BFA34, 0xDCB56D5B),
++ BN_DEF(0xD96471FD, 0xE88454A5), BN_DEF(0x59927DB0, 0x5E0558C1),
++ BN_DEF(0xA41D3CBD, 0x98566527), BN_DEF(0x9B56F39A, 0x0EF8AC50),
++ BN_DEF(0x79F7F439, 0xF15344ED), BN_DEF(0x707345BB, 0xCC278638),
++ BN_DEF(0x3FABE49A, 0xDAAB89AF), BN_DEF(0x9EF68D79, 0x42B1B2AA),
++ BN_DEF(0xAF833768, 0x9219FA8F), BN_DEF(0xEAFEB2B0, 0x69EF8F6A),
++ BN_DEF(0x576230BD, 0x7B40D901), BN_DEF(0xB1863AEC, 0xBE97F1B1),
++ BN_DEF(0x124D9F7C, 0xE649CEE7), BN_DEF(0x8A3219FD, 0xD4F09B20),
++ BN_DEF(0xE7169B4A, 0xEC5CE2C1), BN_DEF(0x139E9E78, 0x57EE2B10),
++ BN_DEF(0x515DA54D, 0xD6FC2A2C), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF),
+ };
+
+ static const BN_ULONG ffdhe6144_p[] = {
+- 0xFFFFFFFF, 0xFFFFFFFF, 0xD0E40E65, 0xA40E329C, 0x7938DAD4, 0xA41D570D,
+- 0xD43161C1, 0x62A69526, 0x9ADB1E69, 0x3FDD4A8E, 0xDC6B80D6, 0x5B3B71F9,
+- 0xC6272B04, 0xEC9D1810, 0xCACEF403, 0x8CCF2DD5, 0xC95B9117, 0xE49F5235,
+- 0xB854338A, 0x505DC82D, 0x1562A846, 0x62292C31, 0x6AE77F5E, 0xD72B0374,
+- 0x462D538C, 0xF9C9091B, 0x47A67CBE, 0x0AE8DB58, 0x22611682, 0xB3A739C1,
+- 0x2A281BF6, 0xEEAAC023, 0x77CAF992, 0x94C6651E, 0x94B2BBC1, 0x763E4E4B,
+- 0x0077D9B4, 0x587E38DA, 0x183023C3, 0x7FB29F8C, 0xF9E3A26E, 0x0ABEC1FF,
+- 0x350511E3, 0xA00EF092, 0xDB6340D8, 0xB855322E, 0xA9A96910, 0xA52471F7,
+- 0x4CFDB477, 0x388147FB, 0x4E46041F, 0x9B1F5C3E, 0xFCCFEC71, 0xCDAD0657,
+- 0x4C701C3A, 0xB38E8C33, 0xB1C0FD4C, 0x917BDD64, 0x9B7624C8, 0x3BB45432,
+- 0xCAF53EA6, 0x23BA4442, 0x38532A3A, 0x4E677D2C, 0x45036C7A, 0x0BFD64B6,
+- 0x5E0DD902, 0xC68A007E, 0xF44182E1, 0x4DB5A851, 0x7F88A46B, 0x8EC9B55A,
+- 0xCEC97DCF, 0x0A8291CD, 0xF98D0ACC, 0x2A4ECEA9, 0x7140003C, 0x1A1DB93D,
+- 0x33CB8B7A, 0x092999A3, 0x71AD0038, 0x6DC778F9, 0x918130C4, 0xA907600A,
+- 0x2D9E6832, 0xED6A1E01, 0xEFB4318A, 0x7135C886, 0x7E31CC7A, 0x87F55BA5,
+- 0x55034004, 0x7763CF1D, 0xD69F6D18, 0xAC7D5F42, 0xE58857B6, 0x7930E9E4,
+- 0x164DF4FB, 0x6E6F52C3, 0x669E1EF1, 0x25E41D2B, 0x3FD59D7C, 0x3C1B20EE,
+- 0xFA53DDEF, 0x0ABCD06B, 0xD5C4484E, 0x1DBF9A42, 0x9B0DEADA, 0xABC52197,
+- 0x22363A0D, 0xE86D2BC5, 0x9C9DF69E, 0x5CAE82AB, 0x71F54BFF, 0x64F2E21E,
+- 0xE2D74DD3, 0xF4FD4452, 0xBC437944, 0xB4130C93, 0x85139270, 0xAEFE1309,
+- 0xC186D91C, 0x598CB0FA, 0x91F7F7EE, 0x7AD91D26, 0xD6E6C907, 0x61B46FC9,
+- 0xF99C0238, 0xBC34F4DE, 0x6519035B, 0xDE355B3B, 0x611FCFDC, 0x886B4238,
+- 0xC1B2EFFA, 0xC6F34A26, 0x7D1683B2, 0xC58EF183, 0x2EC22005, 0x3BB5FCBC,
+- 0x4C6FAD73, 0xC3FE3B1B, 0xEEF28183, 0x8E4F1232, 0xE98583FF, 0x9172FE9C,
+- 0x28342F61, 0xC03404CD, 0xCDF7E2EC, 0x9E02FCE1, 0xEE0A6D70, 0x0B07A7C8,
+- 0x6372BB19, 0xAE56EDE7, 0xDE394DF4, 0x1D4F42A3, 0x60D7F468, 0xB96ADAB7,
+- 0xB2C8E3FB, 0xD108A94B, 0xB324FB61, 0xBC0AB182, 0x483A797A, 0x30ACCA4F,
+- 0x36ADE735, 0x1DF158A1, 0xF3EFE872, 0xE2A689DA, 0xE0E68B77, 0x984F0C70,
+- 0x7F57C935, 0xB557135E, 0x3DED1AF3, 0x85636555, 0x5F066ED0, 0x2433F51F,
+- 0xD5FD6561, 0xD3DF1ED5, 0xAEC4617A, 0xF681B202, 0x630C75D8, 0x7D2FE363,
+- 0x249B3EF9, 0xCC939DCE, 0x146433FB, 0xA9E13641, 0xCE2D3695, 0xD8B9C583,
+- 0x273D3CF1, 0xAFDC5620, 0xA2BB4A9A, 0xADF85458, 0xFFFFFFFF, 0xFFFFFFFF
++ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0xD0E40E65, 0xA40E329C),
++ BN_DEF(0x7938DAD4, 0xA41D570D), BN_DEF(0xD43161C1, 0x62A69526),
++ BN_DEF(0x9ADB1E69, 0x3FDD4A8E), BN_DEF(0xDC6B80D6, 0x5B3B71F9),
++ BN_DEF(0xC6272B04, 0xEC9D1810), BN_DEF(0xCACEF403, 0x8CCF2DD5),
++ BN_DEF(0xC95B9117, 0xE49F5235), BN_DEF(0xB854338A, 0x505DC82D),
++ BN_DEF(0x1562A846, 0x62292C31), BN_DEF(0x6AE77F5E, 0xD72B0374),
++ BN_DEF(0x462D538C, 0xF9C9091B), BN_DEF(0x47A67CBE, 0x0AE8DB58),
++ BN_DEF(0x22611682, 0xB3A739C1), BN_DEF(0x2A281BF6, 0xEEAAC023),
++ BN_DEF(0x77CAF992, 0x94C6651E), BN_DEF(0x94B2BBC1, 0x763E4E4B),
++ BN_DEF(0x0077D9B4, 0x587E38DA), BN_DEF(0x183023C3, 0x7FB29F8C),
++ BN_DEF(0xF9E3A26E, 0x0ABEC1FF), BN_DEF(0x350511E3, 0xA00EF092),
++ BN_DEF(0xDB6340D8, 0xB855322E), BN_DEF(0xA9A96910, 0xA52471F7),
++ BN_DEF(0x4CFDB477, 0x388147FB), BN_DEF(0x4E46041F, 0x9B1F5C3E),
++ BN_DEF(0xFCCFEC71, 0xCDAD0657), BN_DEF(0x4C701C3A, 0xB38E8C33),
++ BN_DEF(0xB1C0FD4C, 0x917BDD64), BN_DEF(0x9B7624C8, 0x3BB45432),
++ BN_DEF(0xCAF53EA6, 0x23BA4442), BN_DEF(0x38532A3A, 0x4E677D2C),
++ BN_DEF(0x45036C7A, 0x0BFD64B6), BN_DEF(0x5E0DD902, 0xC68A007E),
++ BN_DEF(0xF44182E1, 0x4DB5A851), BN_DEF(0x7F88A46B, 0x8EC9B55A),
++ BN_DEF(0xCEC97DCF, 0x0A8291CD), BN_DEF(0xF98D0ACC, 0x2A4ECEA9),
++ BN_DEF(0x7140003C, 0x1A1DB93D), BN_DEF(0x33CB8B7A, 0x092999A3),
++ BN_DEF(0x71AD0038, 0x6DC778F9), BN_DEF(0x918130C4, 0xA907600A),
++ BN_DEF(0x2D9E6832, 0xED6A1E01), BN_DEF(0xEFB4318A, 0x7135C886),
++ BN_DEF(0x7E31CC7A, 0x87F55BA5), BN_DEF(0x55034004, 0x7763CF1D),
++ BN_DEF(0xD69F6D18, 0xAC7D5F42), BN_DEF(0xE58857B6, 0x7930E9E4),
++ BN_DEF(0x164DF4FB, 0x6E6F52C3), BN_DEF(0x669E1EF1, 0x25E41D2B),
++ BN_DEF(0x3FD59D7C, 0x3C1B20EE), BN_DEF(0xFA53DDEF, 0x0ABCD06B),
++ BN_DEF(0xD5C4484E, 0x1DBF9A42), BN_DEF(0x9B0DEADA, 0xABC52197),
++ BN_DEF(0x22363A0D, 0xE86D2BC5), BN_DEF(0x9C9DF69E, 0x5CAE82AB),
++ BN_DEF(0x71F54BFF, 0x64F2E21E), BN_DEF(0xE2D74DD3, 0xF4FD4452),
++ BN_DEF(0xBC437944, 0xB4130C93), BN_DEF(0x85139270, 0xAEFE1309),
++ BN_DEF(0xC186D91C, 0x598CB0FA), BN_DEF(0x91F7F7EE, 0x7AD91D26),
++ BN_DEF(0xD6E6C907, 0x61B46FC9), BN_DEF(0xF99C0238, 0xBC34F4DE),
++ BN_DEF(0x6519035B, 0xDE355B3B), BN_DEF(0x611FCFDC, 0x886B4238),
++ BN_DEF(0xC1B2EFFA, 0xC6F34A26), BN_DEF(0x7D1683B2, 0xC58EF183),
++ BN_DEF(0x2EC22005, 0x3BB5FCBC), BN_DEF(0x4C6FAD73, 0xC3FE3B1B),
++ BN_DEF(0xEEF28183, 0x8E4F1232), BN_DEF(0xE98583FF, 0x9172FE9C),
++ BN_DEF(0x28342F61, 0xC03404CD), BN_DEF(0xCDF7E2EC, 0x9E02FCE1),
++ BN_DEF(0xEE0A6D70, 0x0B07A7C8), BN_DEF(0x6372BB19, 0xAE56EDE7),
++ BN_DEF(0xDE394DF4, 0x1D4F42A3), BN_DEF(0x60D7F468, 0xB96ADAB7),
++ BN_DEF(0xB2C8E3FB, 0xD108A94B), BN_DEF(0xB324FB61, 0xBC0AB182),
++ BN_DEF(0x483A797A, 0x30ACCA4F), BN_DEF(0x36ADE735, 0x1DF158A1),
++ BN_DEF(0xF3EFE872, 0xE2A689DA), BN_DEF(0xE0E68B77, 0x984F0C70),
++ BN_DEF(0x7F57C935, 0xB557135E), BN_DEF(0x3DED1AF3, 0x85636555),
++ BN_DEF(0x5F066ED0, 0x2433F51F), BN_DEF(0xD5FD6561, 0xD3DF1ED5),
++ BN_DEF(0xAEC4617A, 0xF681B202), BN_DEF(0x630C75D8, 0x7D2FE363),
++ BN_DEF(0x249B3EF9, 0xCC939DCE), BN_DEF(0x146433FB, 0xA9E13641),
++ BN_DEF(0xCE2D3695, 0xD8B9C583), BN_DEF(0x273D3CF1, 0xAFDC5620),
++ BN_DEF(0xA2BB4A9A, 0xADF85458), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF)
++};
++/* q = (p - 1) / 2 */
++static const BN_ULONG ffdhe6144_q[] = {
++ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x68720732, 0x5207194E),
++ BN_DEF(0xBC9C6D6A, 0xD20EAB86), BN_DEF(0x6A18B0E0, 0xB1534A93),
++ BN_DEF(0x4D6D8F34, 0x1FEEA547), BN_DEF(0xEE35C06B, 0x2D9DB8FC),
++ BN_DEF(0x63139582, 0xF64E8C08), BN_DEF(0xE5677A01, 0xC66796EA),
++ BN_DEF(0xE4ADC88B, 0x724FA91A), BN_DEF(0xDC2A19C5, 0x282EE416),
++ BN_DEF(0x8AB15423, 0x31149618), BN_DEF(0x3573BFAF, 0x6B9581BA),
++ BN_DEF(0xA316A9C6, 0x7CE4848D), BN_DEF(0x23D33E5F, 0x05746DAC),
++ BN_DEF(0x91308B41, 0x59D39CE0), BN_DEF(0x95140DFB, 0x77556011),
++ BN_DEF(0x3BE57CC9, 0xCA63328F), BN_DEF(0xCA595DE0, 0x3B1F2725),
++ BN_DEF(0x003BECDA, 0xAC3F1C6D), BN_DEF(0x0C1811E1, 0x3FD94FC6),
++ BN_DEF(0xFCF1D137, 0x855F60FF), BN_DEF(0x1A8288F1, 0x50077849),
++ BN_DEF(0x6DB1A06C, 0x5C2A9917), BN_DEF(0xD4D4B488, 0xD29238FB),
++ BN_DEF(0xA67EDA3B, 0x9C40A3FD), BN_DEF(0x2723020F, 0xCD8FAE1F),
++ BN_DEF(0xFE67F638, 0x66D6832B), BN_DEF(0xA6380E1D, 0x59C74619),
++ BN_DEF(0x58E07EA6, 0x48BDEEB2), BN_DEF(0x4DBB1264, 0x1DDA2A19),
++ BN_DEF(0x657A9F53, 0x11DD2221), BN_DEF(0x1C29951D, 0x2733BE96),
++ BN_DEF(0x2281B63D, 0x05FEB25B), BN_DEF(0x2F06EC81, 0xE345003F),
++ BN_DEF(0xFA20C170, 0xA6DAD428), BN_DEF(0x3FC45235, 0xC764DAAD),
++ BN_DEF(0xE764BEE7, 0x054148E6), BN_DEF(0xFCC68566, 0x15276754),
++ BN_DEF(0xB8A0001E, 0x0D0EDC9E), BN_DEF(0x99E5C5BD, 0x0494CCD1),
++ BN_DEF(0xB8D6801C, 0x36E3BC7C), BN_DEF(0x48C09862, 0x5483B005),
++ BN_DEF(0x96CF3419, 0x76B50F00), BN_DEF(0x77DA18C5, 0x389AE443),
++ BN_DEF(0xBF18E63D, 0x43FAADD2), BN_DEF(0xAA81A002, 0x3BB1E78E),
++ BN_DEF(0x6B4FB68C, 0x563EAFA1), BN_DEF(0x72C42BDB, 0xBC9874F2),
++ BN_DEF(0x8B26FA7D, 0xB737A961), BN_DEF(0xB34F0F78, 0x12F20E95),
++ BN_DEF(0x1FEACEBE, 0x9E0D9077), BN_DEF(0xFD29EEF7, 0x055E6835),
++ BN_DEF(0x6AE22427, 0x0EDFCD21), BN_DEF(0xCD86F56D, 0xD5E290CB),
++ BN_DEF(0x911B1D06, 0x743695E2), BN_DEF(0xCE4EFB4F, 0xAE574155),
++ BN_DEF(0x38FAA5FF, 0xB279710F), BN_DEF(0x716BA6E9, 0x7A7EA229),
++ BN_DEF(0xDE21BCA2, 0x5A098649), BN_DEF(0xC289C938, 0x577F0984),
++ BN_DEF(0x60C36C8E, 0x2CC6587D), BN_DEF(0x48FBFBF7, 0xBD6C8E93),
++ BN_DEF(0xEB736483, 0x30DA37E4), BN_DEF(0x7CCE011C, 0xDE1A7A6F),
++ BN_DEF(0xB28C81AD, 0x6F1AAD9D), BN_DEF(0x308FE7EE, 0x4435A11C),
++ BN_DEF(0x60D977FD, 0x6379A513), BN_DEF(0xBE8B41D9, 0xE2C778C1),
++ BN_DEF(0x17611002, 0x9DDAFE5E), BN_DEF(0xA637D6B9, 0xE1FF1D8D),
++ BN_DEF(0x777940C1, 0xC7278919), BN_DEF(0x74C2C1FF, 0xC8B97F4E),
++ BN_DEF(0x941A17B0, 0x601A0266), BN_DEF(0xE6FBF176, 0x4F017E70),
++ BN_DEF(0x770536B8, 0x8583D3E4), BN_DEF(0xB1B95D8C, 0x572B76F3),
++ BN_DEF(0xEF1CA6FA, 0x0EA7A151), BN_DEF(0xB06BFA34, 0xDCB56D5B),
++ BN_DEF(0xD96471FD, 0xE88454A5), BN_DEF(0x59927DB0, 0x5E0558C1),
++ BN_DEF(0xA41D3CBD, 0x98566527), BN_DEF(0x9B56F39A, 0x0EF8AC50),
++ BN_DEF(0x79F7F439, 0xF15344ED), BN_DEF(0x707345BB, 0xCC278638),
++ BN_DEF(0x3FABE49A, 0xDAAB89AF), BN_DEF(0x9EF68D79, 0x42B1B2AA),
++ BN_DEF(0xAF833768, 0x9219FA8F), BN_DEF(0xEAFEB2B0, 0x69EF8F6A),
++ BN_DEF(0x576230BD, 0x7B40D901), BN_DEF(0xB1863AEC, 0xBE97F1B1),
++ BN_DEF(0x124D9F7C, 0xE649CEE7), BN_DEF(0x8A3219FD, 0xD4F09B20),
++ BN_DEF(0xE7169B4A, 0xEC5CE2C1), BN_DEF(0x139E9E78, 0x57EE2B10),
++ BN_DEF(0x515DA54D, 0xD6FC2A2C), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF),
+ };
+
+ static const BN_ULONG ffdhe8192_p[] = {
+- 0xFFFFFFFF, 0xFFFFFFFF, 0xC5C6424C, 0xD68C8BB7, 0x838FF88C, 0x011E2A94,
+- 0xA9F4614E, 0x0822E506, 0xF7A8443D, 0x97D11D49, 0x30677F0D, 0xA6BBFDE5,
+- 0xC1FE86FE, 0x2F741EF8, 0x5D71A87E, 0xFAFABE1C, 0xFBE58A30, 0xDED2FBAB,
+- 0x72B0A66E, 0xB6855DFE, 0xBA8A4FE8, 0x1EFC8CE0, 0x3F2FA457, 0x83F81D4A,
+- 0xA577E231, 0xA1FE3075, 0x88D9C0A0, 0xD5B80194, 0xAD9A95F9, 0x624816CD,
+- 0x50C1217B, 0x99E9E316, 0x0E423CFC, 0x51AA691E, 0x3826E52C, 0x1C217E6C,
+- 0x09703FEE, 0x51A8A931, 0x6A460E74, 0xBB709987, 0x9C86B022, 0x541FC68C,
+- 0x46FD8251, 0x59160CC0, 0x35C35F5C, 0x2846C0BA, 0x8B758282, 0x54504AC7,
+- 0xD2AF05E4, 0x29388839, 0xC01BD702, 0xCB2C0F1C, 0x7C932665, 0x555B2F74,
+- 0xA3AB8829, 0x86B63142, 0xF64B10EF, 0x0B8CC3BD, 0xEDD1CC5E, 0x687FEB69,
+- 0xC9509D43, 0xFDB23FCE, 0xD951AE64, 0x1E425A31, 0xF600C838, 0x36AD004C,
+- 0xCFF46AAA, 0xA40E329C, 0x7938DAD4, 0xA41D570D, 0xD43161C1, 0x62A69526,
+- 0x9ADB1E69, 0x3FDD4A8E, 0xDC6B80D6, 0x5B3B71F9, 0xC6272B04, 0xEC9D1810,
+- 0xCACEF403, 0x8CCF2DD5, 0xC95B9117, 0xE49F5235, 0xB854338A, 0x505DC82D,
+- 0x1562A846, 0x62292C31, 0x6AE77F5E, 0xD72B0374, 0x462D538C, 0xF9C9091B,
+- 0x47A67CBE, 0x0AE8DB58, 0x22611682, 0xB3A739C1, 0x2A281BF6, 0xEEAAC023,
+- 0x77CAF992, 0x94C6651E, 0x94B2BBC1, 0x763E4E4B, 0x0077D9B4, 0x587E38DA,
+- 0x183023C3, 0x7FB29F8C, 0xF9E3A26E, 0x0ABEC1FF, 0x350511E3, 0xA00EF092,
+- 0xDB6340D8, 0xB855322E, 0xA9A96910, 0xA52471F7, 0x4CFDB477, 0x388147FB,
+- 0x4E46041F, 0x9B1F5C3E, 0xFCCFEC71, 0xCDAD0657, 0x4C701C3A, 0xB38E8C33,
+- 0xB1C0FD4C, 0x917BDD64, 0x9B7624C8, 0x3BB45432, 0xCAF53EA6, 0x23BA4442,
+- 0x38532A3A, 0x4E677D2C, 0x45036C7A, 0x0BFD64B6, 0x5E0DD902, 0xC68A007E,
+- 0xF44182E1, 0x4DB5A851, 0x7F88A46B, 0x8EC9B55A, 0xCEC97DCF, 0x0A8291CD,
+- 0xF98D0ACC, 0x2A4ECEA9, 0x7140003C, 0x1A1DB93D, 0x33CB8B7A, 0x092999A3,
+- 0x71AD0038, 0x6DC778F9, 0x918130C4, 0xA907600A, 0x2D9E6832, 0xED6A1E01,
+- 0xEFB4318A, 0x7135C886, 0x7E31CC7A, 0x87F55BA5, 0x55034004, 0x7763CF1D,
+- 0xD69F6D18, 0xAC7D5F42, 0xE58857B6, 0x7930E9E4, 0x164DF4FB, 0x6E6F52C3,
+- 0x669E1EF1, 0x25E41D2B, 0x3FD59D7C, 0x3C1B20EE, 0xFA53DDEF, 0x0ABCD06B,
+- 0xD5C4484E, 0x1DBF9A42, 0x9B0DEADA, 0xABC52197, 0x22363A0D, 0xE86D2BC5,
+- 0x9C9DF69E, 0x5CAE82AB, 0x71F54BFF, 0x64F2E21E, 0xE2D74DD3, 0xF4FD4452,
+- 0xBC437944, 0xB4130C93, 0x85139270, 0xAEFE1309, 0xC186D91C, 0x598CB0FA,
+- 0x91F7F7EE, 0x7AD91D26, 0xD6E6C907, 0x61B46FC9, 0xF99C0238, 0xBC34F4DE,
+- 0x6519035B, 0xDE355B3B, 0x611FCFDC, 0x886B4238, 0xC1B2EFFA, 0xC6F34A26,
+- 0x7D1683B2, 0xC58EF183, 0x2EC22005, 0x3BB5FCBC, 0x4C6FAD73, 0xC3FE3B1B,
+- 0xEEF28183, 0x8E4F1232, 0xE98583FF, 0x9172FE9C, 0x28342F61, 0xC03404CD,
+- 0xCDF7E2EC, 0x9E02FCE1, 0xEE0A6D70, 0x0B07A7C8, 0x6372BB19, 0xAE56EDE7,
+- 0xDE394DF4, 0x1D4F42A3, 0x60D7F468, 0xB96ADAB7, 0xB2C8E3FB, 0xD108A94B,
+- 0xB324FB61, 0xBC0AB182, 0x483A797A, 0x30ACCA4F, 0x36ADE735, 0x1DF158A1,
+- 0xF3EFE872, 0xE2A689DA, 0xE0E68B77, 0x984F0C70, 0x7F57C935, 0xB557135E,
+- 0x3DED1AF3, 0x85636555, 0x5F066ED0, 0x2433F51F, 0xD5FD6561, 0xD3DF1ED5,
+- 0xAEC4617A, 0xF681B202, 0x630C75D8, 0x7D2FE363, 0x249B3EF9, 0xCC939DCE,
+- 0x146433FB, 0xA9E13641, 0xCE2D3695, 0xD8B9C583, 0x273D3CF1, 0xAFDC5620,
+- 0xA2BB4A9A, 0xADF85458, 0xFFFFFFFF, 0xFFFFFFFF
++ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0xC5C6424C, 0xD68C8BB7),
++ BN_DEF(0x838FF88C, 0x011E2A94), BN_DEF(0xA9F4614E, 0x0822E506),
++ BN_DEF(0xF7A8443D, 0x97D11D49), BN_DEF(0x30677F0D, 0xA6BBFDE5),
++ BN_DEF(0xC1FE86FE, 0x2F741EF8), BN_DEF(0x5D71A87E, 0xFAFABE1C),
++ BN_DEF(0xFBE58A30, 0xDED2FBAB), BN_DEF(0x72B0A66E, 0xB6855DFE),
++ BN_DEF(0xBA8A4FE8, 0x1EFC8CE0), BN_DEF(0x3F2FA457, 0x83F81D4A),
++ BN_DEF(0xA577E231, 0xA1FE3075), BN_DEF(0x88D9C0A0, 0xD5B80194),
++ BN_DEF(0xAD9A95F9, 0x624816CD), BN_DEF(0x50C1217B, 0x99E9E316),
++ BN_DEF(0x0E423CFC, 0x51AA691E), BN_DEF(0x3826E52C, 0x1C217E6C),
++ BN_DEF(0x09703FEE, 0x51A8A931), BN_DEF(0x6A460E74, 0xBB709987),
++ BN_DEF(0x9C86B022, 0x541FC68C), BN_DEF(0x46FD8251, 0x59160CC0),
++ BN_DEF(0x35C35F5C, 0x2846C0BA), BN_DEF(0x8B758282, 0x54504AC7),
++ BN_DEF(0xD2AF05E4, 0x29388839), BN_DEF(0xC01BD702, 0xCB2C0F1C),
++ BN_DEF(0x7C932665, 0x555B2F74), BN_DEF(0xA3AB8829, 0x86B63142),
++ BN_DEF(0xF64B10EF, 0x0B8CC3BD), BN_DEF(0xEDD1CC5E, 0x687FEB69),
++ BN_DEF(0xC9509D43, 0xFDB23FCE), BN_DEF(0xD951AE64, 0x1E425A31),
++ BN_DEF(0xF600C838, 0x36AD004C), BN_DEF(0xCFF46AAA, 0xA40E329C),
++ BN_DEF(0x7938DAD4, 0xA41D570D), BN_DEF(0xD43161C1, 0x62A69526),
++ BN_DEF(0x9ADB1E69, 0x3FDD4A8E), BN_DEF(0xDC6B80D6, 0x5B3B71F9),
++ BN_DEF(0xC6272B04, 0xEC9D1810), BN_DEF(0xCACEF403, 0x8CCF2DD5),
++ BN_DEF(0xC95B9117, 0xE49F5235), BN_DEF(0xB854338A, 0x505DC82D),
++ BN_DEF(0x1562A846, 0x62292C31), BN_DEF(0x6AE77F5E, 0xD72B0374),
++ BN_DEF(0x462D538C, 0xF9C9091B), BN_DEF(0x47A67CBE, 0x0AE8DB58),
++ BN_DEF(0x22611682, 0xB3A739C1), BN_DEF(0x2A281BF6, 0xEEAAC023),
++ BN_DEF(0x77CAF992, 0x94C6651E), BN_DEF(0x94B2BBC1, 0x763E4E4B),
++ BN_DEF(0x0077D9B4, 0x587E38DA), BN_DEF(0x183023C3, 0x7FB29F8C),
++ BN_DEF(0xF9E3A26E, 0x0ABEC1FF), BN_DEF(0x350511E3, 0xA00EF092),
++ BN_DEF(0xDB6340D8, 0xB855322E), BN_DEF(0xA9A96910, 0xA52471F7),
++ BN_DEF(0x4CFDB477, 0x388147FB), BN_DEF(0x4E46041F, 0x9B1F5C3E),
++ BN_DEF(0xFCCFEC71, 0xCDAD0657), BN_DEF(0x4C701C3A, 0xB38E8C33),
++ BN_DEF(0xB1C0FD4C, 0x917BDD64), BN_DEF(0x9B7624C8, 0x3BB45432),
++ BN_DEF(0xCAF53EA6, 0x23BA4442), BN_DEF(0x38532A3A, 0x4E677D2C),
++ BN_DEF(0x45036C7A, 0x0BFD64B6), BN_DEF(0x5E0DD902, 0xC68A007E),
++ BN_DEF(0xF44182E1, 0x4DB5A851), BN_DEF(0x7F88A46B, 0x8EC9B55A),
++ BN_DEF(0xCEC97DCF, 0x0A8291CD), BN_DEF(0xF98D0ACC, 0x2A4ECEA9),
++ BN_DEF(0x7140003C, 0x1A1DB93D), BN_DEF(0x33CB8B7A, 0x092999A3),
++ BN_DEF(0x71AD0038, 0x6DC778F9), BN_DEF(0x918130C4, 0xA907600A),
++ BN_DEF(0x2D9E6832, 0xED6A1E01), BN_DEF(0xEFB4318A, 0x7135C886),
++ BN_DEF(0x7E31CC7A, 0x87F55BA5), BN_DEF(0x55034004, 0x7763CF1D),
++ BN_DEF(0xD69F6D18, 0xAC7D5F42), BN_DEF(0xE58857B6, 0x7930E9E4),
++ BN_DEF(0x164DF4FB, 0x6E6F52C3), BN_DEF(0x669E1EF1, 0x25E41D2B),
++ BN_DEF(0x3FD59D7C, 0x3C1B20EE), BN_DEF(0xFA53DDEF, 0x0ABCD06B),
++ BN_DEF(0xD5C4484E, 0x1DBF9A42), BN_DEF(0x9B0DEADA, 0xABC52197),
++ BN_DEF(0x22363A0D, 0xE86D2BC5), BN_DEF(0x9C9DF69E, 0x5CAE82AB),
++ BN_DEF(0x71F54BFF, 0x64F2E21E), BN_DEF(0xE2D74DD3, 0xF4FD4452),
++ BN_DEF(0xBC437944, 0xB4130C93), BN_DEF(0x85139270, 0xAEFE1309),
++ BN_DEF(0xC186D91C, 0x598CB0FA), BN_DEF(0x91F7F7EE, 0x7AD91D26),
++ BN_DEF(0xD6E6C907, 0x61B46FC9), BN_DEF(0xF99C0238, 0xBC34F4DE),
++ BN_DEF(0x6519035B, 0xDE355B3B), BN_DEF(0x611FCFDC, 0x886B4238),
++ BN_DEF(0xC1B2EFFA, 0xC6F34A26), BN_DEF(0x7D1683B2, 0xC58EF183),
++ BN_DEF(0x2EC22005, 0x3BB5FCBC), BN_DEF(0x4C6FAD73, 0xC3FE3B1B),
++ BN_DEF(0xEEF28183, 0x8E4F1232), BN_DEF(0xE98583FF, 0x9172FE9C),
++ BN_DEF(0x28342F61, 0xC03404CD), BN_DEF(0xCDF7E2EC, 0x9E02FCE1),
++ BN_DEF(0xEE0A6D70, 0x0B07A7C8), BN_DEF(0x6372BB19, 0xAE56EDE7),
++ BN_DEF(0xDE394DF4, 0x1D4F42A3), BN_DEF(0x60D7F468, 0xB96ADAB7),
++ BN_DEF(0xB2C8E3FB, 0xD108A94B), BN_DEF(0xB324FB61, 0xBC0AB182),
++ BN_DEF(0x483A797A, 0x30ACCA4F), BN_DEF(0x36ADE735, 0x1DF158A1),
++ BN_DEF(0xF3EFE872, 0xE2A689DA), BN_DEF(0xE0E68B77, 0x984F0C70),
++ BN_DEF(0x7F57C935, 0xB557135E), BN_DEF(0x3DED1AF3, 0x85636555),
++ BN_DEF(0x5F066ED0, 0x2433F51F), BN_DEF(0xD5FD6561, 0xD3DF1ED5),
++ BN_DEF(0xAEC4617A, 0xF681B202), BN_DEF(0x630C75D8, 0x7D2FE363),
++ BN_DEF(0x249B3EF9, 0xCC939DCE), BN_DEF(0x146433FB, 0xA9E13641),
++ BN_DEF(0xCE2D3695, 0xD8B9C583), BN_DEF(0x273D3CF1, 0xAFDC5620),
++ BN_DEF(0xA2BB4A9A, 0xADF85458), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF)
++};
++/* q = (p - 1) / 2 */
++static const BN_ULONG ffdhe8192_q[] = {
++ BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), BN_DEF(0xE2E32126, 0x6B4645DB),
++ BN_DEF(0x41C7FC46, 0x008F154A), BN_DEF(0x54FA30A7, 0x84117283),
++ BN_DEF(0xFBD4221E, 0xCBE88EA4), BN_DEF(0x9833BF86, 0x535DFEF2),
++ BN_DEF(0x60FF437F, 0x17BA0F7C), BN_DEF(0x2EB8D43F, 0x7D7D5F0E),
++ BN_DEF(0xFDF2C518, 0x6F697DD5), BN_DEF(0x39585337, 0x5B42AEFF),
++ BN_DEF(0x5D4527F4, 0x8F7E4670), BN_DEF(0x1F97D22B, 0xC1FC0EA5),
++ BN_DEF(0xD2BBF118, 0x50FF183A), BN_DEF(0x446CE050, 0xEADC00CA),
++ BN_DEF(0xD6CD4AFC, 0xB1240B66), BN_DEF(0x286090BD, 0x4CF4F18B),
++ BN_DEF(0x07211E7E, 0x28D5348F), BN_DEF(0x1C137296, 0x0E10BF36),
++ BN_DEF(0x84B81FF7, 0x28D45498), BN_DEF(0xB523073A, 0x5DB84CC3),
++ BN_DEF(0x4E435811, 0xAA0FE346), BN_DEF(0x237EC128, 0x2C8B0660),
++ BN_DEF(0x1AE1AFAE, 0x1423605D), BN_DEF(0xC5BAC141, 0x2A282563),
++ BN_DEF(0xE95782F2, 0x149C441C), BN_DEF(0x600DEB81, 0xE596078E),
++ BN_DEF(0x3E499332, 0xAAAD97BA), BN_DEF(0x51D5C414, 0xC35B18A1),
++ BN_DEF(0xFB258877, 0x05C661DE), BN_DEF(0xF6E8E62F, 0xB43FF5B4),
++ BN_DEF(0x64A84EA1, 0x7ED91FE7), BN_DEF(0xECA8D732, 0x0F212D18),
++ BN_DEF(0x7B00641C, 0x1B568026), BN_DEF(0x67FA3555, 0x5207194E),
++ BN_DEF(0xBC9C6D6A, 0xD20EAB86), BN_DEF(0x6A18B0E0, 0xB1534A93),
++ BN_DEF(0x4D6D8F34, 0x1FEEA547), BN_DEF(0xEE35C06B, 0x2D9DB8FC),
++ BN_DEF(0x63139582, 0xF64E8C08), BN_DEF(0xE5677A01, 0xC66796EA),
++ BN_DEF(0xE4ADC88B, 0x724FA91A), BN_DEF(0xDC2A19C5, 0x282EE416),
++ BN_DEF(0x8AB15423, 0x31149618), BN_DEF(0x3573BFAF, 0x6B9581BA),
++ BN_DEF(0xA316A9C6, 0x7CE4848D), BN_DEF(0x23D33E5F, 0x05746DAC),
++ BN_DEF(0x91308B41, 0x59D39CE0), BN_DEF(0x95140DFB, 0x77556011),
++ BN_DEF(0x3BE57CC9, 0xCA63328F), BN_DEF(0xCA595DE0, 0x3B1F2725),
++ BN_DEF(0x003BECDA, 0xAC3F1C6D), BN_DEF(0x0C1811E1, 0x3FD94FC6),
++ BN_DEF(0xFCF1D137, 0x855F60FF), BN_DEF(0x1A8288F1, 0x50077849),
++ BN_DEF(0x6DB1A06C, 0x5C2A9917), BN_DEF(0xD4D4B488, 0xD29238FB),
++ BN_DEF(0xA67EDA3B, 0x9C40A3FD), BN_DEF(0x2723020F, 0xCD8FAE1F),
++ BN_DEF(0xFE67F638, 0x66D6832B), BN_DEF(0xA6380E1D, 0x59C74619),
++ BN_DEF(0x58E07EA6, 0x48BDEEB2), BN_DEF(0x4DBB1264, 0x1DDA2A19),
++ BN_DEF(0x657A9F53, 0x11DD2221), BN_DEF(0x1C29951D, 0x2733BE96),
++ BN_DEF(0x2281B63D, 0x05FEB25B), BN_DEF(0x2F06EC81, 0xE345003F),
++ BN_DEF(0xFA20C170, 0xA6DAD428), BN_DEF(0x3FC45235, 0xC764DAAD),
++ BN_DEF(0xE764BEE7, 0x054148E6), BN_DEF(0xFCC68566, 0x15276754),
++ BN_DEF(0xB8A0001E, 0x0D0EDC9E), BN_DEF(0x99E5C5BD, 0x0494CCD1),
++ BN_DEF(0xB8D6801C, 0x36E3BC7C), BN_DEF(0x48C09862, 0x5483B005),
++ BN_DEF(0x96CF3419, 0x76B50F00), BN_DEF(0x77DA18C5, 0x389AE443),
++ BN_DEF(0xBF18E63D, 0x43FAADD2), BN_DEF(0xAA81A002, 0x3BB1E78E),
++ BN_DEF(0x6B4FB68C, 0x563EAFA1), BN_DEF(0x72C42BDB, 0xBC9874F2),
++ BN_DEF(0x8B26FA7D, 0xB737A961), BN_DEF(0xB34F0F78, 0x12F20E95),
++ BN_DEF(0x1FEACEBE, 0x9E0D9077), BN_DEF(0xFD29EEF7, 0x055E6835),
++ BN_DEF(0x6AE22427, 0x0EDFCD21), BN_DEF(0xCD86F56D, 0xD5E290CB),
++ BN_DEF(0x911B1D06, 0x743695E2), BN_DEF(0xCE4EFB4F, 0xAE574155),
++ BN_DEF(0x38FAA5FF, 0xB279710F), BN_DEF(0x716BA6E9, 0x7A7EA229),
++ BN_DEF(0xDE21BCA2, 0x5A098649), BN_DEF(0xC289C938, 0x577F0984),
++ BN_DEF(0x60C36C8E, 0x2CC6587D), BN_DEF(0x48FBFBF7, 0xBD6C8E93),
++ BN_DEF(0xEB736483, 0x30DA37E4), BN_DEF(0x7CCE011C, 0xDE1A7A6F),
++ BN_DEF(0xB28C81AD, 0x6F1AAD9D), BN_DEF(0x308FE7EE, 0x4435A11C),
++ BN_DEF(0x60D977FD, 0x6379A513), BN_DEF(0xBE8B41D9, 0xE2C778C1),
++ BN_DEF(0x17611002, 0x9DDAFE5E), BN_DEF(0xA637D6B9, 0xE1FF1D8D),
++ BN_DEF(0x777940C1, 0xC7278919), BN_DEF(0x74C2C1FF, 0xC8B97F4E),
++ BN_DEF(0x941A17B0, 0x601A0266), BN_DEF(0xE6FBF176, 0x4F017E70),
++ BN_DEF(0x770536B8, 0x8583D3E4), BN_DEF(0xB1B95D8C, 0x572B76F3),
++ BN_DEF(0xEF1CA6FA, 0x0EA7A151), BN_DEF(0xB06BFA34, 0xDCB56D5B),
++ BN_DEF(0xD96471FD, 0xE88454A5), BN_DEF(0x59927DB0, 0x5E0558C1),
++ BN_DEF(0xA41D3CBD, 0x98566527), BN_DEF(0x9B56F39A, 0x0EF8AC50),
++ BN_DEF(0x79F7F439, 0xF15344ED), BN_DEF(0x707345BB, 0xCC278638),
++ BN_DEF(0x3FABE49A, 0xDAAB89AF), BN_DEF(0x9EF68D79, 0x42B1B2AA),
++ BN_DEF(0xAF833768, 0x9219FA8F), BN_DEF(0xEAFEB2B0, 0x69EF8F6A),
++ BN_DEF(0x576230BD, 0x7B40D901), BN_DEF(0xB1863AEC, 0xBE97F1B1),
++ BN_DEF(0x124D9F7C, 0xE649CEE7), BN_DEF(0x8A3219FD, 0xD4F09B20),
++ BN_DEF(0xE7169B4A, 0xEC5CE2C1), BN_DEF(0x139E9E78, 0x57EE2B10),
++ BN_DEF(0x515DA54D, 0xD6FC2A2C), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF),
+ };
+
+-# else
+-# error "unsupported BN_BITS2"
+-# endif
+-
+ /* Macro to make a BIGNUM from static data */
+
+ # define make_dh_bn(x) extern const BIGNUM _bignum_##x; \
+@@ -489,24 +1010,42 @@ static const BN_ULONG ffdhe8192_p[] = {
+
+ static const BN_ULONG value_2 = 2;
+
+-const BIGNUM _bignum_const_2 =
+- { (BN_ULONG *)&value_2, 1, 1, 0, BN_FLG_STATIC_DATA };
++const BIGNUM _bignum_const_2 = {
++ (BN_ULONG *)&value_2, 1, 1, 0, BN_FLG_STATIC_DATA
++};
+
+ make_dh_bn(dh1024_160_p)
+-make_dh_bn(dh1024_160_g)
+ make_dh_bn(dh1024_160_q)
++make_dh_bn(dh1024_160_g)
+ make_dh_bn(dh2048_224_p)
+-make_dh_bn(dh2048_224_g)
+ make_dh_bn(dh2048_224_q)
++make_dh_bn(dh2048_224_g)
+ make_dh_bn(dh2048_256_p)
+-make_dh_bn(dh2048_256_g)
+ make_dh_bn(dh2048_256_q)
++make_dh_bn(dh2048_256_g)
+
+ make_dh_bn(ffdhe2048_p)
++make_dh_bn(ffdhe2048_q)
+ make_dh_bn(ffdhe3072_p)
++make_dh_bn(ffdhe3072_q)
+ make_dh_bn(ffdhe4096_p)
++make_dh_bn(ffdhe4096_q)
+ make_dh_bn(ffdhe6144_p)
++make_dh_bn(ffdhe6144_q)
+ make_dh_bn(ffdhe8192_p)
++make_dh_bn(ffdhe8192_q)
+
++make_dh_bn(modp_1536_p)
++make_dh_bn(modp_1536_q)
++make_dh_bn(modp_2048_p)
++make_dh_bn(modp_2048_q)
++make_dh_bn(modp_3072_p)
++make_dh_bn(modp_3072_q)
++make_dh_bn(modp_4096_p)
++make_dh_bn(modp_4096_q)
++make_dh_bn(modp_6144_p)
++make_dh_bn(modp_6144_q)
++make_dh_bn(modp_8192_p)
++make_dh_bn(modp_8192_q)
+
+-#endif
++#endif /* OPENSSL_NO_DH */
+diff -up openssl-1.1.1g/crypto/dh/dh_check.c.fips-dh openssl-1.1.1g/crypto/dh/dh_check.c
+--- openssl-1.1.1g/crypto/dh/dh_check.c.fips-dh 2020-04-21 14:22:39.000000000 +0200
++++ openssl-1.1.1g/crypto/dh/dh_check.c 2020-06-05 17:31:28.045776027 +0200
+@@ -10,6 +10,7 @@
+ #include <stdio.h>
+ #include "internal/cryptlib.h"
+ #include <openssl/bn.h>
++#include <openssl/obj_mac.h>
+ #include "dh_local.h"
+
+ # define DH_NUMBER_ITERATIONS_FOR_PRIME 64
+@@ -41,6 +42,12 @@ int DH_check_params(const DH *dh, int *r
+ BIGNUM *tmp = NULL;
+ BN_CTX *ctx = NULL;
+
++ if (FIPS_mode()) {
++ int nid = dh->nid == NID_undef ? DH_get_nid(dh) : dh->nid;
++
++ return nid != NID_undef;
++ }
++
+ *ret = 0;
+ ctx = BN_CTX_new();
+ if (ctx == NULL)
+@@ -95,6 +102,7 @@ int DH_check_ex(const DH *dh)
+ return errflags == 0;
+ }
+
++/* Note: according to documentation - this only checks the params */
+ int DH_check(const DH *dh, int *ret)
+ {
+ int ok = 0, r;
+@@ -104,6 +112,9 @@ int DH_check(const DH *dh, int *ret)
+ if (!DH_check_params(dh, ret))
+ return 0;
+
++ if (FIPS_mode()) /* we allow only well-known params */
++ return 1;
++
+ ctx = BN_CTX_new();
+ if (ctx == NULL)
+ goto err;
+diff -up openssl-1.1.1g/crypto/dh/dh_gen.c.fips-dh openssl-1.1.1g/crypto/dh/dh_gen.c
+--- openssl-1.1.1g/crypto/dh/dh_gen.c.fips-dh 2020-06-05 17:31:27.977775462 +0200
++++ openssl-1.1.1g/crypto/dh/dh_gen.c 2020-06-05 17:31:28.045776027 +0200
+@@ -27,8 +27,7 @@ int DH_generate_parameters_ex(DH *ret, i
+ BN_GENCB *cb)
+ {
+ #ifdef OPENSSL_FIPS
+- if (FIPS_mode() && !(ret->meth->flags & DH_FLAG_FIPS_METHOD)
+- && !(ret->flags & DH_FLAG_NON_FIPS_ALLOW)) {
++ if (FIPS_mode()) {
+ DHerr(DH_F_DH_GENERATE_PARAMETERS_EX, DH_R_NON_FIPS_METHOD);
+ return 0;
+ }
+@@ -75,18 +74,6 @@ static int dh_builtin_genparams(DH *ret,
+ int g, ok = -1;
+ BN_CTX *ctx = NULL;
+
+-#ifdef OPENSSL_FIPS
+- if (FIPS_selftest_failed()) {
+- FIPSerr(FIPS_F_DH_BUILTIN_GENPARAMS, FIPS_R_FIPS_SELFTEST_FAILED);
+- return 0;
+- }
+-
+- if (FIPS_mode() && (prime_len < OPENSSL_DH_FIPS_MIN_MODULUS_BITS_GEN)) {
+- DHerr(DH_F_DH_BUILTIN_GENPARAMS, DH_R_KEY_SIZE_TOO_SMALL);
+- goto err;
+- }
+-#endif
+-
+ ctx = BN_CTX_new();
+ if (ctx == NULL)
+ goto err;
+diff -up openssl-1.1.1g/crypto/dh/dh_key.c.fips-dh openssl-1.1.1g/crypto/dh/dh_key.c
+--- openssl-1.1.1g/crypto/dh/dh_key.c.fips-dh 2020-06-05 17:31:27.977775462 +0200
++++ openssl-1.1.1g/crypto/dh/dh_key.c 2020-06-05 17:31:28.045776027 +0200
+@@ -100,10 +100,18 @@ static int generate_key(DH *dh)
+ BIGNUM *pub_key = NULL, *priv_key = NULL;
+
+ #ifdef OPENSSL_FIPS
+- if (FIPS_mode()
+- && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS)) {
+- DHerr(DH_F_GENERATE_KEY, DH_R_KEY_SIZE_TOO_SMALL);
+- return 0;
++ if (FIPS_mode()) {
++ if (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS) {
++ DHerr(DH_F_GENERATE_KEY, DH_R_KEY_SIZE_TOO_SMALL);
++ return 0;
++ }
++ if (dh->nid == NID_undef)
++ dh_cache_nid(dh);
++ if (dh->nid == NID_undef || dh->length > BN_num_bits(dh->p) - 2
++ || dh->length < 224) {
++ DHerr(DH_F_GENERATE_KEY, DH_R_NON_FIPS_METHOD);
++ return 0;
++ }
+ }
+ #endif
+
+@@ -139,7 +147,15 @@ static int generate_key(DH *dh)
+ }
+
+ if (generate_new_key) {
+- if (dh->q) {
++ if (FIPS_mode()) {
++ do {
++ if (!BN_priv_rand(priv_key, dh->length, BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY))
++ goto err;
++ if (!BN_add_word(priv_key, 1))
++ goto err;
++ }
++ while (BN_num_bits(priv_key) > dh->length);
++ } else if (dh->q) {
+ do {
+ if (!BN_priv_rand_range(priv_key, dh->q))
+ goto err;
+diff -up openssl-1.1.1g/crypto/dh/dh_lib.c.fips-dh openssl-1.1.1g/crypto/dh/dh_lib.c
+--- openssl-1.1.1g/crypto/dh/dh_lib.c.fips-dh 2020-04-21 14:22:39.000000000 +0200
++++ openssl-1.1.1g/crypto/dh/dh_lib.c 2020-06-18 14:13:33.546892717 +0200
+@@ -8,6 +8,7 @@
+ */
+
+ #include <stdio.h>
++#include <openssl/objects.h>
+ #include "internal/cryptlib.h"
+ #include "internal/refcount.h"
+ #include <openssl/bn.h>
+@@ -86,6 +87,8 @@ DH *DH_new_method(ENGINE *engine)
+ goto err;
+ }
+
++ ret->nid = NID_undef;
++
+ return ret;
+
+ err:
+@@ -205,7 +208,9 @@ int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNU
+ dh->g = g;
+ }
+
+- if (q != NULL) {
++ dh_cache_nid(dh);
++
++ if (q != NULL && dh->nid == NID_undef) {
+ dh->length = BN_num_bits(q);
+ }
+
+diff -up openssl-1.1.1g/crypto/dh/dh_local.h.fips-dh openssl-1.1.1g/crypto/dh/dh_local.h
+--- openssl-1.1.1g/crypto/dh/dh_local.h.fips-dh 2020-06-05 17:31:27.763773685 +0200
++++ openssl-1.1.1g/crypto/dh/dh_local.h 2020-06-05 17:31:28.045776027 +0200
+@@ -35,6 +35,7 @@ struct dh_st {
+ const DH_METHOD *meth;
+ ENGINE *engine;
+ CRYPTO_RWLOCK *lock;
++ int nid;
+ };
+
+ struct dh_method {
+@@ -55,3 +56,5 @@ struct dh_method {
+ int (*generate_params) (DH *dh, int prime_len, int generator,
+ BN_GENCB *cb);
+ };
++
++void dh_cache_nid(DH *dh);
+diff -up openssl-1.1.1g/crypto/dh/dh_rfc7919.c.fips-dh openssl-1.1.1g/crypto/dh/dh_rfc7919.c
+--- openssl-1.1.1g/crypto/dh/dh_rfc7919.c.fips-dh 2020-04-21 14:22:39.000000000 +0200
++++ openssl-1.1.1g/crypto/dh/dh_rfc7919.c 2020-06-05 17:31:28.045776027 +0200
+@@ -7,6 +7,8 @@
+ * https://www.openssl.org/source/license.html
+ */
+
++/* DH parameters from RFC7919 and RFC3526 */
++
+ #include <stdio.h>
+ #include "internal/cryptlib.h"
+ #include "dh_local.h"
+@@ -14,14 +16,19 @@
+ #include <openssl/objects.h>
+ #include "crypto/bn_dh.h"
+
+-static DH *dh_param_init(const BIGNUM *p, int32_t nbits)
++static DH *dh_param_init(int nid, const BIGNUM *p, const BIGNUM *q, int32_t nbits)
+ {
+ DH *dh = DH_new();
+ if (dh == NULL)
+ return NULL;
+ dh->p = (BIGNUM *)p;
++ /*
++ * We do not set q as it would enable the inefficient and
++ * unnecessary pubkey modular exponentiation check.
++ */
+ dh->g = (BIGNUM *)&_bignum_const_2;
+ dh->length = nbits;
++ dh->nid = nid;
+ return dh;
+ }
+
+@@ -29,46 +36,115 @@ DH *DH_new_by_nid(int nid)
+ {
+ switch (nid) {
+ case NID_ffdhe2048:
+- return dh_param_init(&_bignum_ffdhe2048_p, 225);
++ return dh_param_init(nid, &_bignum_ffdhe2048_p, &_bignum_ffdhe2048_q, 225);
+ case NID_ffdhe3072:
+- return dh_param_init(&_bignum_ffdhe3072_p, 275);
++ return dh_param_init(nid, &_bignum_ffdhe3072_p, &_bignum_ffdhe3072_q, 275);
+ case NID_ffdhe4096:
+- return dh_param_init(&_bignum_ffdhe4096_p, 325);
++ return dh_param_init(nid, &_bignum_ffdhe4096_p, &_bignum_ffdhe4096_q, 325);
+ case NID_ffdhe6144:
+- return dh_param_init(&_bignum_ffdhe6144_p, 375);
++ return dh_param_init(nid, &_bignum_ffdhe6144_p, &_bignum_ffdhe6144_q, 375);
+ case NID_ffdhe8192:
+- return dh_param_init(&_bignum_ffdhe8192_p, 400);
++ return dh_param_init(nid, &_bignum_ffdhe8192_p, &_bignum_ffdhe8192_q, 400);
++ case NID_modp_2048:
++ return dh_param_init(nid, &_bignum_modp_2048_p, &_bignum_modp_2048_q, 225);
++ case NID_modp_3072:
++ return dh_param_init(nid, &_bignum_modp_3072_p, &_bignum_modp_3072_q, 275);
++ case NID_modp_4096:
++ return dh_param_init(nid, &_bignum_modp_4096_p, &_bignum_modp_4096_q, 325);
++ case NID_modp_6144:
++ return dh_param_init(nid, &_bignum_modp_6144_p, &_bignum_modp_6144_q, 375);
++ case NID_modp_8192:
++ return dh_param_init(nid, &_bignum_modp_8192_p, &_bignum_modp_8192_q, 400);
++ case NID_modp_1536:
++ if (!FIPS_mode())
++ return dh_param_init(nid, &_bignum_modp_1536_p, &_bignum_modp_1536_q, 175);
++ /* fallthrough */
+ default:
+ DHerr(DH_F_DH_NEW_BY_NID, DH_R_INVALID_PARAMETER_NID);
+ return NULL;
+ }
+ }
+
+-int DH_get_nid(const DH *dh)
++static int dh_match_group(const DH *dh, BIGNUM **qout, int *lout)
+ {
+ int nid;
++ const BIGNUM *q;
++ int length;
+
+ if (BN_get_word(dh->g) != 2)
+ return NID_undef;
+- if (!BN_cmp(dh->p, &_bignum_ffdhe2048_p))
++
++ if (!BN_cmp(dh->p, &_bignum_ffdhe2048_p)) {
+ nid = NID_ffdhe2048;
+- else if (!BN_cmp(dh->p, &_bignum_ffdhe3072_p))
++ q = &_bignum_ffdhe2048_q;
++ length = 225;
++ } else if (!BN_cmp(dh->p, &_bignum_ffdhe3072_p)) {
+ nid = NID_ffdhe3072;
+- else if (!BN_cmp(dh->p, &_bignum_ffdhe4096_p))
++ q = &_bignum_ffdhe3072_q;
++ length = 275;
++ } else if (!BN_cmp(dh->p, &_bignum_ffdhe4096_p)) {
+ nid = NID_ffdhe4096;
+- else if (!BN_cmp(dh->p, &_bignum_ffdhe6144_p))
++ q = &_bignum_ffdhe4096_q;
++ length = 325;
++ } else if (!BN_cmp(dh->p, &_bignum_ffdhe6144_p)) {
+ nid = NID_ffdhe6144;
+- else if (!BN_cmp(dh->p, &_bignum_ffdhe8192_p))
++ q = &_bignum_ffdhe6144_q;
++ length = 375;
++ } else if (!BN_cmp(dh->p, &_bignum_ffdhe8192_p)) {
+ nid = NID_ffdhe8192;
+- else
++ q = &_bignum_ffdhe8192_q;
++ length = 400;
++ } else if (!BN_cmp(dh->p, &_bignum_modp_2048_p)) {
++ nid = NID_modp_2048;
++ q = &_bignum_modp_2048_q;
++ length = 225;
++ } else if (!BN_cmp(dh->p, &_bignum_modp_3072_p)) {
++ nid = NID_modp_3072;
++ q = &_bignum_modp_3072_q;
++ length = 275;
++ } else if (!BN_cmp(dh->p, &_bignum_modp_4096_p)) {
++ nid = NID_modp_4096;
++ q = &_bignum_modp_4096_q;
++ length = 325;
++ } else if (!BN_cmp(dh->p, &_bignum_modp_6144_p)) {
++ nid = NID_modp_6144;
++ q = &_bignum_modp_6144_q;
++ length = 375;
++ } else if (!BN_cmp(dh->p, &_bignum_modp_8192_p)) {
++ nid = NID_modp_8192;
++ q = &_bignum_modp_8192_q;
++ length = 400;
++ } else if (!FIPS_mode() && !BN_cmp(dh->p, &_bignum_modp_1536_p)) {
++ nid = NID_modp_1536;
++ q = &_bignum_modp_1536_q;
++ length = 175;
++ } else {
+ return NID_undef;
++ }
++
+ if (dh->q != NULL) {
+- BIGNUM *q = BN_dup(dh->p);
++ /* Check that q matches the known q. */
++ if (BN_cmp(dh->q, q))
++ return NID_undef;
++ } else if (qout != NULL) {
++ *qout = (BIGNUM *)q;
++ }
+
+- /* Check q = p * 2 + 1 we already know q is odd, so just shift right */
+- if (q == NULL || !BN_rshift1(q, q) || !BN_cmp(dh->q, q))
+- nid = NID_undef;
+- BN_free(q);
++ if (lout != NULL) {
++ *lout = length;
+ }
+ return nid;
+ }
++
++int DH_get_nid(const DH *dh)
++{
++ if (dh->nid != NID_undef) {
++ return dh->nid;
++ }
++ return dh_match_group(dh, NULL, NULL);
++}
++
++void dh_cache_nid(DH *dh)
++{
++ dh->nid = dh_match_group(dh, NULL, &dh->length);
++}
+diff -up openssl-1.1.1g/crypto/evp/p_lib.c.fips-dh openssl-1.1.1g/crypto/evp/p_lib.c
+--- openssl-1.1.1g/crypto/evp/p_lib.c.fips-dh 2020-04-21 14:22:39.000000000 +0200
++++ openssl-1.1.1g/crypto/evp/p_lib.c 2020-06-05 17:31:28.045776027 +0200
+@@ -540,7 +540,8 @@ EC_KEY *EVP_PKEY_get1_EC_KEY(EVP_PKEY *p
+
+ int EVP_PKEY_set1_DH(EVP_PKEY *pkey, DH *key)
+ {
+- int type = DH_get0_q(key) == NULL ? EVP_PKEY_DH : EVP_PKEY_DHX;
++ int type = DH_get0_q(key) == NULL || DH_get_nid(key) != NID_undef ?
++ EVP_PKEY_DH : EVP_PKEY_DHX;
+ int ret = EVP_PKEY_assign(pkey, type, key);
+
+ if (ret)
+diff -up openssl-1.1.1g/crypto/objects/obj_dat.h.fips-dh openssl-1.1.1g/crypto/objects/obj_dat.h
+--- openssl-1.1.1g/crypto/objects/obj_dat.h.fips-dh 2020-06-05 17:31:28.036775952 +0200
++++ openssl-1.1.1g/crypto/objects/obj_dat.h 2020-06-05 17:31:28.046776035 +0200
+@@ -1078,7 +1078,7 @@ static const unsigned char so[7762] = {
+ 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x0D, /* [ 7753] OBJ_hmacWithSHA512_256 */
+ };
+
+-#define NUM_NID 1199
++#define NUM_NID 1205
+ static const ASN1_OBJECT nid_objs[NUM_NID] = {
+ {"UNDEF", "undefined", NID_undef},
+ {"rsadsi", "RSA Data Security, Inc.", NID_rsadsi, 6, &so[0]},
+@@ -2279,9 +2279,15 @@ static const ASN1_OBJECT nid_objs[NUM_NI
+ {"KBKDF", "kbkdf", NID_kbkdf},
+ {"KRB5KDF", "krb5kdf", NID_krb5kdf},
+ {"SSKDF", "sskdf", NID_sskdf},
++ {"modp_1536", "modp_1536", NID_modp_1536},
++ {"modp_2048", "modp_2048", NID_modp_2048},
++ {"modp_3072", "modp_3072", NID_modp_3072},
++ {"modp_4096", "modp_4096", NID_modp_4096},
++ {"modp_6144", "modp_6144", NID_modp_6144},
++ {"modp_8192", "modp_8192", NID_modp_8192},
+ };
+
+-#define NUM_SN 1190
++#define NUM_SN 1196
+ static const unsigned int sn_objs[NUM_SN] = {
+ 364, /* "AD_DVCS" */
+ 419, /* "AES-128-CBC" */
+@@ -3127,6 +3133,12 @@ static const unsigned int sn_objs[NUM_SN
+ 506, /* "mime-mhs-bodies" */
+ 505, /* "mime-mhs-headings" */
+ 488, /* "mobileTelephoneNumber" */
++ 1199, /* "modp_1536" */
++ 1200, /* "modp_2048" */
++ 1201, /* "modp_3072" */
++ 1202, /* "modp_4096" */
++ 1203, /* "modp_6144" */
++ 1204, /* "modp_8192" */
+ 136, /* "msCTLSign" */
+ 135, /* "msCodeCom" */
+ 134, /* "msCodeInd" */
+@@ -3475,7 +3487,7 @@ static const unsigned int sn_objs[NUM_SN
+ 1093, /* "x509ExtAdmission" */
+ };
+
+-#define NUM_LN 1190
++#define NUM_LN 1196
+ static const unsigned int ln_objs[NUM_LN] = {
+ 363, /* "AD Time Stamping" */
+ 405, /* "ANSI X9.62" */
+@@ -4313,6 +4325,12 @@ static const unsigned int ln_objs[NUM_LN
+ 506, /* "mime-mhs-bodies" */
+ 505, /* "mime-mhs-headings" */
+ 488, /* "mobileTelephoneNumber" */
++ 1199, /* "modp_1536" */
++ 1200, /* "modp_2048" */
++ 1201, /* "modp_3072" */
++ 1202, /* "modp_4096" */
++ 1203, /* "modp_6144" */
++ 1204, /* "modp_8192" */
+ 481, /* "nSRecord" */
+ 173, /* "name" */
+ 681, /* "onBasis" */
+diff -up openssl-1.1.1g/crypto/objects/objects.txt.fips-dh openssl-1.1.1g/crypto/objects/objects.txt
+--- openssl-1.1.1g/crypto/objects/objects.txt.fips-dh 2020-06-05 17:31:28.037775960 +0200
++++ openssl-1.1.1g/crypto/objects/objects.txt 2020-06-05 17:31:28.046776035 +0200
+@@ -1657,6 +1657,13 @@ id-pkinit 5 : pkInit
+ : ffdhe4096
+ : ffdhe6144
+ : ffdhe8192
++# NIDs for RFC3526 DH parameters
++ : modp_1536
++ : modp_2048
++ : modp_3072
++ : modp_4096
++ : modp_6144
++ : modp_8192
+
+ # OIDs for DSTU-4145/DSTU-7564 (http://zakon2.rada.gov.ua/laws/show/z0423-17)
+
+diff -up openssl-1.1.1g/crypto/objects/obj_mac.num.fips-dh openssl-1.1.1g/crypto/objects/obj_mac.num
+--- openssl-1.1.1g/crypto/objects/obj_mac.num.fips-dh 2020-06-05 17:31:28.037775960 +0200
++++ openssl-1.1.1g/crypto/objects/obj_mac.num 2020-06-05 17:31:28.046776035 +0200
+@@ -1196,3 +1196,9 @@ sshkdf 1195
+ kbkdf 1196
+ krb5kdf 1197
+ sskdf 1198
++modp_1536 1199
++modp_2048 1200
++modp_3072 1201
++modp_4096 1202
++modp_6144 1203
++modp_8192 1204
+diff -up openssl-1.1.1g/doc/man3/DH_new_by_nid.pod.fips-dh openssl-1.1.1g/doc/man3/DH_new_by_nid.pod
+--- openssl-1.1.1g/doc/man3/DH_new_by_nid.pod.fips-dh 2020-04-21 14:22:39.000000000 +0200
++++ openssl-1.1.1g/doc/man3/DH_new_by_nid.pod 2020-06-05 17:31:28.046776035 +0200
+@@ -8,13 +8,15 @@ DH_new_by_nid, DH_get_nid - get or find
+
+ #include <openssl/dh.h>
+ DH *DH_new_by_nid(int nid);
+- int *DH_get_nid(const DH *dh);
++ int DH_get_nid(const DH *dh);
+
+ =head1 DESCRIPTION
+
+ DH_new_by_nid() creates and returns a DH structure containing named parameters
+ B<nid>. Currently B<nid> must be B<NID_ffdhe2048>, B<NID_ffdhe3072>,
+-B<NID_ffdhe4096>, B<NID_ffdhe6144> or B<NID_ffdhe8192>.
++B<NID_ffdhe4096>, B<NID_ffdhe6144>, B<NID_ffdhe8192>,
++B<NID_modp_1536>, B<NID_modp_2048>, B<NID_modp_3072>,
++B<NID_modp_4096>, B<NID_modp_6144> or B<NID_modp_8192>.
+
+ DH_get_nid() determines if the parameters contained in B<dh> match
+ any named set. It returns the NID corresponding to the matching parameters or
+diff -up openssl-1.1.1g/doc/man3/EVP_PKEY_CTX_ctrl.pod.fips-dh openssl-1.1.1g/doc/man3/EVP_PKEY_CTX_ctrl.pod
+--- openssl-1.1.1g/doc/man3/EVP_PKEY_CTX_ctrl.pod.fips-dh 2020-04-21 14:22:39.000000000 +0200
++++ openssl-1.1.1g/doc/man3/EVP_PKEY_CTX_ctrl.pod 2020-06-05 17:31:28.046776035 +0200
+@@ -294,10 +294,11 @@ The EVP_PKEY_CTX_set_dh_pad() macro sets
+ If B<pad> is zero (the default) then no padding is performed.
+
+ EVP_PKEY_CTX_set_dh_nid() sets the DH parameters to values corresponding to
+-B<nid> as defined in RFC7919. The B<nid> parameter must be B<NID_ffdhe2048>,
+-B<NID_ffdhe3072>, B<NID_ffdhe4096>, B<NID_ffdhe6144>, B<NID_ffdhe8192>
+-or B<NID_undef> to clear the stored value. This macro can be called during
+-parameter or key generation.
++I<nid> as defined in RFC7919 or RFC3526. The I<nid> parameter must be
++B<NID_ffdhe2048>, B<NID_ffdhe3072>, B<NID_ffdhe4096>, B<NID_ffdhe6144>,
++B<NID_ffdhe8192>, B<NID_modp_1536>, B<NID_modp_2048>, B<NID_modp_3072>,
++B<NID_modp_4096>, B<NID_modp_6144>, B<NID_modp_8192> or B<NID_undef> to clear
++the stored value. This macro can be called during parameter or key generation.
+ The nid parameter and the rfc5114 parameter are mutually exclusive.
+
+ The EVP_PKEY_CTX_set_dh_rfc5114() and EVP_PKEY_CTX_set_dhx_rfc5114() macros are
+diff -up openssl-1.1.1g/include/crypto/bn_dh.h.fips-dh openssl-1.1.1g/include/crypto/bn_dh.h
+--- openssl-1.1.1g/include/crypto/bn_dh.h.fips-dh 2020-04-21 14:22:39.000000000 +0200
++++ openssl-1.1.1g/include/crypto/bn_dh.h 2020-06-05 17:31:28.047776043 +0200
+@@ -1,7 +1,7 @@
+ /*
+- * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
++ * Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved.
+ *
+- * Licensed under the OpenSSL license (the "License"). You may not use
++ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+@@ -9,16 +9,35 @@
+
+ #define declare_dh_bn(x) \
+ extern const BIGNUM _bignum_dh##x##_p; \
++ extern const BIGNUM _bignum_dh##x##_q; \
+ extern const BIGNUM _bignum_dh##x##_g; \
+- extern const BIGNUM _bignum_dh##x##_q;
+
+ declare_dh_bn(1024_160)
+ declare_dh_bn(2048_224)
+ declare_dh_bn(2048_256)
+
++extern const BIGNUM _bignum_const_2;
++
+ extern const BIGNUM _bignum_ffdhe2048_p;
+ extern const BIGNUM _bignum_ffdhe3072_p;
+ extern const BIGNUM _bignum_ffdhe4096_p;
+ extern const BIGNUM _bignum_ffdhe6144_p;
+ extern const BIGNUM _bignum_ffdhe8192_p;
+-extern const BIGNUM _bignum_const_2;
++extern const BIGNUM _bignum_ffdhe2048_q;
++extern const BIGNUM _bignum_ffdhe3072_q;
++extern const BIGNUM _bignum_ffdhe4096_q;
++extern const BIGNUM _bignum_ffdhe6144_q;
++extern const BIGNUM _bignum_ffdhe8192_q;
++
++extern const BIGNUM _bignum_modp_1536_p;
++extern const BIGNUM _bignum_modp_2048_p;
++extern const BIGNUM _bignum_modp_3072_p;
++extern const BIGNUM _bignum_modp_4096_p;
++extern const BIGNUM _bignum_modp_6144_p;
++extern const BIGNUM _bignum_modp_8192_p;
++extern const BIGNUM _bignum_modp_1536_q;
++extern const BIGNUM _bignum_modp_2048_q;
++extern const BIGNUM _bignum_modp_3072_q;
++extern const BIGNUM _bignum_modp_4096_q;
++extern const BIGNUM _bignum_modp_6144_q;
++extern const BIGNUM _bignum_modp_8192_q;
+diff -up openssl-1.1.1g/include/openssl/obj_mac.h.fips-dh openssl-1.1.1g/include/openssl/obj_mac.h
+--- openssl-1.1.1g/include/openssl/obj_mac.h.fips-dh 2020-06-05 17:31:28.038775968 +0200
++++ openssl-1.1.1g/include/openssl/obj_mac.h 2020-06-05 17:31:28.047776043 +0200
+@@ -5115,6 +5115,24 @@
+ #define SN_ffdhe8192 "ffdhe8192"
+ #define NID_ffdhe8192 1130
+
++#define SN_modp_1536 "modp_1536"
++#define NID_modp_1536 1199
++
++#define SN_modp_2048 "modp_2048"
++#define NID_modp_2048 1200
++
++#define SN_modp_3072 "modp_3072"
++#define NID_modp_3072 1201
++
++#define SN_modp_4096 "modp_4096"
++#define NID_modp_4096 1202
++
++#define SN_modp_6144 "modp_6144"
++#define NID_modp_6144 1203
++
++#define SN_modp_8192 "modp_8192"
++#define NID_modp_8192 1204
++
+ #define SN_ISO_UA "ISO-UA"
+ #define NID_ISO_UA 1150
+ #define OBJ_ISO_UA OBJ_member_body,804L
+diff -up openssl-1.1.1g/ssl/s3_lib.c.fips-dh openssl-1.1.1g/ssl/s3_lib.c
+--- openssl-1.1.1g/ssl/s3_lib.c.fips-dh 2020-06-05 17:31:27.996775620 +0200
++++ openssl-1.1.1g/ssl/s3_lib.c 2020-06-05 17:31:28.047776043 +0200
+@@ -4858,13 +4858,51 @@ int ssl_derive(SSL *s, EVP_PKEY *privkey
+ EVP_PKEY *ssl_dh_to_pkey(DH *dh)
+ {
+ EVP_PKEY *ret;
++ DH *dhp = NULL;
++
+ if (dh == NULL)
+ return NULL;
++
++ if (FIPS_mode() && DH_get_nid(dh) == NID_undef) {
++ int bits = DH_bits(dh);
++ BIGNUM *p, *g;
++
++ dhp = DH_new();
++ if (dhp == NULL)
++ return NULL;
++ g = BN_new();
++ if (g == NULL || !BN_set_word(g, 2)) {
++ DH_free(dhp);
++ BN_free(g);
++ return NULL;
++ }
++
++ if (bits >= 7000)
++ p = BN_get_rfc3526_prime_8192(NULL);
++ else if (bits >= 5000)
++ p = BN_get_rfc3526_prime_6144(NULL);
++ else if (bits >= 3800)
++ p = BN_get_rfc3526_prime_4096(NULL);
++ else if (bits >= 2500)
++ p = BN_get_rfc3526_prime_3072(NULL);
++ else
++ p = BN_get_rfc3526_prime_2048(NULL);
++ if (p == NULL || !DH_set0_pqg(dhp, p, NULL, g)) {
++ DH_free(dhp);
++ BN_free(p);
++ BN_free(g);
++ return NULL;
++ }
++ dh = dhp;
++ }
++
+ ret = EVP_PKEY_new();
+ if (EVP_PKEY_set1_DH(ret, dh) <= 0) {
++ DH_free(dhp);
+ EVP_PKEY_free(ret);
+ return NULL;
+ }
++ DH_free(dhp);
+ return ret;
+ }
+ #endif
+diff -up openssl-1.1.1g/ssl/t1_lib.c.fips-dh openssl-1.1.1g/ssl/t1_lib.c
+--- openssl-1.1.1g/ssl/t1_lib.c.fips-dh 2020-06-05 17:31:28.042776002 +0200
++++ openssl-1.1.1g/ssl/t1_lib.c 2020-06-18 14:18:13.518339214 +0200
+@@ -2511,46 +2511,48 @@ int SSL_check_chain(SSL *s, X509 *x, EVP
+ #ifndef OPENSSL_NO_DH
+ DH *ssl_get_auto_dh(SSL *s)
+ {
++ DH *dhp = NULL;
++ BIGNUM *p = NULL, *g = NULL;
+ int dh_secbits = 80;
+- if (s->cert->dh_tmp_auto == 2)
+- return DH_get_1024_160();
+- if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) {
+- if (s->s3->tmp.new_cipher->strength_bits == 256)
+- dh_secbits = 128;
+- else
+- dh_secbits = 80;
+- } else {
+- if (s->s3->tmp.cert == NULL)
+- return NULL;
+- dh_secbits = EVP_PKEY_security_bits(s->s3->tmp.cert->privatekey);
++ if (s->cert->dh_tmp_auto != 2) {
++ if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) {
++ if (s->s3->tmp.new_cipher->strength_bits == 256)
++ dh_secbits = 128;
++ else
++ dh_secbits = 80;
++ } else {
++ if (s->s3->tmp.cert == NULL)
++ return NULL;
++ dh_secbits = EVP_PKEY_security_bits(s->s3->tmp.cert->privatekey);
++ }
+ }
+
+- if (dh_secbits >= 128) {
+- DH *dhp = DH_new();
+- BIGNUM *p, *g;
+- if (dhp == NULL)
+- return NULL;
+- g = BN_new();
+- if (g == NULL || !BN_set_word(g, 2)) {
+- DH_free(dhp);
+- BN_free(g);
+- return NULL;
+- }
+- if (dh_secbits >= 192)
+- p = BN_get_rfc3526_prime_8192(NULL);
+- else
+- p = BN_get_rfc3526_prime_3072(NULL);
+- if (p == NULL || !DH_set0_pqg(dhp, p, NULL, g)) {
+- DH_free(dhp);
+- BN_free(p);
+- BN_free(g);
+- return NULL;
+- }
+- return dhp;
++ dhp = DH_new();
++ if (dhp == NULL)
++ return NULL;
++ g = BN_new();
++ if (g == NULL || !BN_set_word(g, 2)) {
++ DH_free(dhp);
++ BN_free(g);
++ return NULL;
++ }
++ if (dh_secbits >= 192)
++ p = BN_get_rfc3526_prime_8192(NULL);
++ else if (dh_secbits >= 152)
++ p = BN_get_rfc3526_prime_4096(NULL);
++ else if (dh_secbits >= 128)
++ p = BN_get_rfc3526_prime_3072(NULL);
++ else if (dh_secbits >= 112 || FIPS_mode())
++ p = BN_get_rfc3526_prime_2048(NULL);
++ else
++ p = BN_get_rfc2409_prime_1024(NULL);
++ if (p == NULL || !DH_set0_pqg(dhp, p, NULL, g)) {
++ DH_free(dhp);
++ BN_free(p);
++ BN_free(g);
++ return NULL;
+ }
+- if (dh_secbits >= 112)
+- return DH_get_2048_224();
+- return DH_get_1024_160();
++ return dhp;
+ }
+ #endif
+
diff --git a/SOURCES/openssl-1.1.1-fips-drbg-selftest.patch b/SOURCES/openssl-1.1.1-fips-drbg-selftest.patch
new file mode 100644
index 0000000..b800c06
--- /dev/null
+++ b/SOURCES/openssl-1.1.1-fips-drbg-selftest.patch
@@ -0,0 +1,587 @@
+diff -up openssl-1.1.1g/crypto/fips/fips_post.c.drbg-selftest openssl-1.1.1g/crypto/fips/fips_post.c
+--- openssl-1.1.1g/crypto/fips/fips_post.c.drbg-selftest 2020-04-23 13:33:12.500624151 +0200
++++ openssl-1.1.1g/crypto/fips/fips_post.c 2020-04-23 13:33:12.618621925 +0200
+@@ -67,12 +67,18 @@
+
+ # include <openssl/fips.h>
+ # include "crypto/fips.h"
++# include "crypto/rand.h"
+ # include "fips_locl.h"
+
+ /* Run all selftests */
+ int FIPS_selftest(void)
+ {
+ int rv = 1;
++ if (!rand_drbg_selftest()) {
++ FIPSerr(FIPS_F_FIPS_SELFTEST, FIPS_R_TEST_FAILURE);
++ ERR_add_error_data(2, "Type=", "rand_drbg_selftest");
++ rv = 0;
++ }
+ if (!FIPS_selftest_drbg())
+ rv = 0;
+ if (!FIPS_selftest_sha1())
+diff -up openssl-1.1.1g/crypto/rand/build.info.drbg-selftest openssl-1.1.1g/crypto/rand/build.info
+--- openssl-1.1.1g/crypto/rand/build.info.drbg-selftest 2020-04-23 13:33:12.619621907 +0200
++++ openssl-1.1.1g/crypto/rand/build.info 2020-04-23 13:34:10.857523497 +0200
+@@ -1,6 +1,6 @@
+ LIBS=../../libcrypto
+ SOURCE[../../libcrypto]=\
+ randfile.c rand_lib.c rand_err.c rand_crng_test.c rand_egd.c \
+- rand_win.c rand_unix.c rand_vms.c drbg_lib.c drbg_ctr.c
++ rand_win.c rand_unix.c rand_vms.c drbg_lib.c drbg_ctr.c drbg_selftest.c
+
+ INCLUDE[drbg_ctr.o]=../modes
+diff -up openssl-1.1.1g/crypto/rand/drbg_selftest.c.drbg-selftest openssl-1.1.1g/crypto/rand/drbg_selftest.c
+--- openssl-1.1.1g/crypto/rand/drbg_selftest.c.drbg-selftest 2020-04-23 13:33:12.619621907 +0200
++++ openssl-1.1.1g/crypto/rand/drbg_selftest.c 2020-04-23 13:33:12.619621907 +0200
+@@ -0,0 +1,537 @@
++/*
++ * Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved.
++ *
++ * Licensed under the OpenSSL license (the "License"). You may not use
++ * this file except in compliance with the License. You can obtain a copy
++ * in the file LICENSE in the source distribution or at
++ * https://www.openssl.org/source/license.html
++ */
++
++#include <string.h>
++#include <stddef.h>
++#include "internal/nelem.h"
++#include <openssl/crypto.h>
++#include <openssl/err.h>
++#include <openssl/rand_drbg.h>
++#include <openssl/obj_mac.h>
++#include "internal/thread_once.h"
++#include "crypto/rand.h"
++
++typedef struct test_ctx_st {
++ const unsigned char *entropy;
++ size_t entropylen;
++ int entropycnt;
++ const unsigned char *nonce;
++ size_t noncelen;
++ int noncecnt;
++} TEST_CTX;
++
++static int app_data_index = -1;
++static CRYPTO_ONCE get_index_once = CRYPTO_ONCE_STATIC_INIT;
++DEFINE_RUN_ONCE_STATIC(drbg_app_data_index_init)
++{
++ app_data_index = RAND_DRBG_get_ex_new_index(0L, NULL, NULL, NULL, NULL);
++
++ return 1;
++}
++
++enum drbg_kat_type {
++ NO_RESEED,
++ PR_FALSE,
++ PR_TRUE
++};
++
++enum drbg_df {
++ USE_DF,
++ NO_DF,
++ NA
++};
++
++struct drbg_kat_no_reseed {
++ size_t count;
++ const unsigned char *entropyin;
++ const unsigned char *nonce;
++ const unsigned char *persstr;
++ const unsigned char *addin1;
++ const unsigned char *addin2;
++ const unsigned char *retbytes;
++};
++
++struct drbg_kat_pr_false {
++ size_t count;
++ const unsigned char *entropyin;
++ const unsigned char *nonce;
++ const unsigned char *persstr;
++ const unsigned char *entropyinreseed;
++ const unsigned char *addinreseed;
++ const unsigned char *addin1;
++ const unsigned char *addin2;
++ const unsigned char *retbytes;
++};
++
++struct drbg_kat_pr_true {
++ size_t count;
++ const unsigned char *entropyin;
++ const unsigned char *nonce;
++ const unsigned char *persstr;
++ const unsigned char *entropyinpr1;
++ const unsigned char *addin1;
++ const unsigned char *entropyinpr2;
++ const unsigned char *addin2;
++ const unsigned char *retbytes;
++};
++
++struct drbg_kat {
++ enum drbg_kat_type type;
++ enum drbg_df df;
++ int nid;
++
++ size_t entropyinlen;
++ size_t noncelen;
++ size_t persstrlen;
++ size_t addinlen;
++ size_t retbyteslen;
++
++ const void *t;
++};
++
++/*
++ * Excerpt from test/drbg_cavs_data.c
++ * DRBG test vectors from:
++ * https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/
++ */
++
++static const unsigned char kat1308_entropyin[] = {
++ 0x7c, 0x5d, 0x90, 0x70, 0x3b, 0x8a, 0xc7, 0x0f, 0x23, 0x73, 0x24, 0x9c,
++ 0xa7, 0x15, 0x41, 0x71, 0x7a, 0x31, 0xea, 0x32, 0xfc, 0x28, 0x0d, 0xd7,
++ 0x5b, 0x09, 0x01, 0x98, 0x1b, 0xe2, 0xa5, 0x53, 0xd9, 0x05, 0x32, 0x97,
++ 0xec, 0xbe, 0x86, 0xfd, 0x1c, 0x1c, 0x71, 0x4c, 0x52, 0x29, 0x9e, 0x52,
++};
++static const unsigned char kat1308_nonce[] = {0};
++static const unsigned char kat1308_persstr[] = {
++ 0xdc, 0x07, 0x2f, 0x68, 0xfa, 0x77, 0x03, 0x23, 0x42, 0xb0, 0xf5, 0xa2,
++ 0xd9, 0xad, 0xa1, 0xd0, 0xad, 0xa2, 0x14, 0xb4, 0xd0, 0x8e, 0xfb, 0x39,
++ 0xdd, 0xc2, 0xac, 0xfb, 0x98, 0xdf, 0x7f, 0xce, 0x4c, 0x75, 0x56, 0x45,
++ 0xcd, 0x86, 0x93, 0x74, 0x90, 0x6e, 0xf6, 0x9e, 0x85, 0x7e, 0xfb, 0xc3,
++};
++static const unsigned char kat1308_addin0[] = {
++ 0x52, 0x25, 0xc4, 0x2f, 0x03, 0xce, 0x29, 0x71, 0xc5, 0x0b, 0xc3, 0x4e,
++ 0xad, 0x8d, 0x6f, 0x17, 0x82, 0xe1, 0xf3, 0xfd, 0xfd, 0x9b, 0x94, 0x9a,
++ 0x1d, 0xac, 0xd0, 0xd4, 0x3f, 0x2b, 0xe3, 0xab, 0x7c, 0x3d, 0x3e, 0x5a,
++ 0x68, 0xbb, 0xa4, 0x74, 0x68, 0x1a, 0xc6, 0x27, 0xff, 0xe0, 0xc0, 0x6c,
++};
++static const unsigned char kat1308_addin1[] = {
++ 0xdc, 0x91, 0xd7, 0xb7, 0xb9, 0x94, 0x79, 0x0f, 0x06, 0xc4, 0x70, 0x19,
++ 0x33, 0x25, 0x7c, 0x96, 0x01, 0xa0, 0x62, 0xb0, 0x50, 0xe6, 0xc0, 0x3a,
++ 0x56, 0x8f, 0xc5, 0x50, 0x48, 0xc6, 0xf4, 0x49, 0xe5, 0x70, 0x16, 0x2e,
++ 0xae, 0xf2, 0x99, 0xb4, 0x2d, 0x70, 0x18, 0x16, 0xcd, 0xe0, 0x24, 0xe4,
++};
++static const unsigned char kat1308_retbits[] = {
++ 0xde, 0xf8, 0x91, 0x1b, 0xf1, 0xe1, 0xa9, 0x97, 0xd8, 0x61, 0x84, 0xe2,
++ 0xdb, 0x83, 0x3e, 0x60, 0x45, 0xcd, 0xc8, 0x66, 0x93, 0x28, 0xc8, 0x92,
++ 0xbc, 0x25, 0xae, 0xe8, 0xb0, 0xed, 0xed, 0x16, 0x3d, 0xa5, 0xf9, 0x0f,
++ 0xb3, 0x72, 0x08, 0x84, 0xac, 0x3c, 0x3b, 0xaa, 0x5f, 0xf9, 0x7d, 0x63,
++ 0x3e, 0xde, 0x59, 0x37, 0x0e, 0x40, 0x12, 0x2b, 0xbc, 0x6c, 0x96, 0x53,
++ 0x26, 0x32, 0xd0, 0xb8,
++};
++static const struct drbg_kat_no_reseed kat1308_t = {
++ 2, kat1308_entropyin, kat1308_nonce, kat1308_persstr,
++ kat1308_addin0, kat1308_addin1, kat1308_retbits
++};
++static const struct drbg_kat kat1308 = {
++ NO_RESEED, NO_DF, NID_aes_256_ctr, 48, 0, 48, 48, 64, &kat1308_t
++};
++
++static const unsigned char kat1465_entropyin[] = {
++ 0xc9, 0x96, 0x3a, 0x15, 0x51, 0x76, 0x4f, 0xe0, 0x45, 0x82, 0x8a, 0x64,
++ 0x87, 0xbe, 0xaa, 0xc0,
++};
++static const unsigned char kat1465_nonce[] = {
++ 0x08, 0xcd, 0x69, 0x39, 0xf8, 0x58, 0x9a, 0x85,
++};
++static const unsigned char kat1465_persstr[] = {0};
++static const unsigned char kat1465_entropyinreseed[] = {
++ 0x16, 0xcc, 0x35, 0x15, 0xb1, 0x17, 0xf5, 0x33, 0x80, 0x9a, 0x80, 0xc5,
++ 0x1f, 0x4b, 0x7b, 0x51,
++};
++static const unsigned char kat1465_addinreseed[] = {
++ 0xf5, 0x3d, 0xf1, 0x2e, 0xdb, 0x28, 0x1c, 0x00, 0x7b, 0xcb, 0xb6, 0x12,
++ 0x61, 0x9f, 0x26, 0x5f,
++};
++static const unsigned char kat1465_addin0[] = {
++ 0xe2, 0x67, 0x06, 0x62, 0x09, 0xa7, 0xcf, 0xd6, 0x84, 0x8c, 0x20, 0xf6,
++ 0x10, 0x5a, 0x73, 0x9c,
++};
++static const unsigned char kat1465_addin1[] = {
++ 0x26, 0xfa, 0x50, 0xe1, 0xb3, 0xcb, 0x65, 0xed, 0xbc, 0x6d, 0xda, 0x18,
++ 0x47, 0x99, 0x1f, 0xeb,
++};
++static const unsigned char kat1465_retbits[] = {
++ 0xf9, 0x47, 0xc6, 0xb0, 0x58, 0xa8, 0x66, 0x8a, 0xf5, 0x2b, 0x2a, 0x6d,
++ 0x4e, 0x24, 0x6f, 0x65, 0xbf, 0x51, 0x22, 0xbf, 0xe8, 0x8d, 0x6c, 0xeb,
++ 0xf9, 0x68, 0x7f, 0xed, 0x3b, 0xdd, 0x6b, 0xd5, 0x28, 0x47, 0x56, 0x52,
++ 0xda, 0x50, 0xf0, 0x90, 0x73, 0x95, 0x06, 0x58, 0xaf, 0x08, 0x98, 0x6e,
++ 0x24, 0x18, 0xfd, 0x2f, 0x48, 0x72, 0x57, 0xd6, 0x59, 0xab, 0xe9, 0x41,
++ 0x58, 0xdb, 0x27, 0xba,
++};
++static const struct drbg_kat_pr_false kat1465_t = {
++ 9, kat1465_entropyin, kat1465_nonce, kat1465_persstr,
++ kat1465_entropyinreseed, kat1465_addinreseed, kat1465_addin0,
++ kat1465_addin1, kat1465_retbits
++};
++static const struct drbg_kat kat1465 = {
++ PR_FALSE, USE_DF, NID_aes_128_ctr, 16, 8, 0, 16, 64, &kat1465_t
++};
++
++static const unsigned char kat3146_entropyin[] = {
++ 0xd7, 0x08, 0x42, 0x82, 0xc2, 0xd2, 0xd1, 0xde, 0x01, 0xb4, 0x36, 0xb3,
++ 0x7f, 0xbd, 0xd3, 0xdd, 0xb3, 0xc4, 0x31, 0x4f, 0x8f, 0xa7, 0x10, 0xf4,
++};
++static const unsigned char kat3146_nonce[] = {
++ 0x7b, 0x9e, 0xcd, 0x49, 0x4f, 0x46, 0xa0, 0x08, 0x32, 0xff, 0x2e, 0xc3,
++ 0x50, 0x86, 0xca, 0xca,
++};
++static const unsigned char kat3146_persstr[] = {0};
++static const unsigned char kat3146_entropyinpr1[] = {
++ 0x68, 0xd0, 0x7b, 0xa4, 0xe7, 0x22, 0x19, 0xe6, 0xb6, 0x46, 0x6a, 0xda,
++ 0x8e, 0x67, 0xea, 0x63, 0x3f, 0xaf, 0x2f, 0x6c, 0x9d, 0x5e, 0x48, 0x15,
++};
++static const unsigned char kat3146_addinpr1[] = {
++ 0x70, 0x0f, 0x54, 0xf4, 0x53, 0xde, 0xca, 0x61, 0x5c, 0x49, 0x51, 0xd1,
++ 0x41, 0xc4, 0xf1, 0x2f, 0x65, 0xfb, 0x7e, 0xbc, 0x9b, 0x14, 0xba, 0x90,
++ 0x05, 0x33, 0x7e, 0x64, 0xb7, 0x2b, 0xaf, 0x99,
++};
++static const unsigned char kat3146_entropyinpr2[] = {
++ 0xeb, 0x77, 0xb0, 0xe9, 0x2d, 0x31, 0xc8, 0x66, 0xc5, 0xc4, 0xa7, 0xf7,
++ 0x6c, 0xb2, 0x74, 0x36, 0x4b, 0x25, 0x78, 0x04, 0xd8, 0xd7, 0xd2, 0x34,
++};
++static const unsigned char kat3146_addinpr2[] = {
++ 0x05, 0xcd, 0x2a, 0x97, 0x5a, 0x5d, 0xfb, 0x98, 0xc1, 0xf1, 0x00, 0x0c,
++ 0xed, 0xe6, 0x2a, 0xba, 0xf0, 0x89, 0x1f, 0x5a, 0x4f, 0xd7, 0x48, 0xb3,
++ 0x24, 0xc0, 0x8a, 0x3d, 0x60, 0x59, 0x5d, 0xb6,
++};
++static const unsigned char kat3146_retbits[] = {
++ 0x29, 0x94, 0xa4, 0xa8, 0x17, 0x3e, 0x62, 0x2f, 0x94, 0xdd, 0x40, 0x1f,
++ 0xe3, 0x7e, 0x77, 0xd4, 0x38, 0xbc, 0x0e, 0x49, 0x46, 0xf6, 0x0e, 0x28,
++ 0x91, 0xc6, 0x9c, 0xc4, 0xa6, 0xa1, 0xf8, 0x9a, 0x64, 0x5e, 0x99, 0x76,
++ 0xd0, 0x2d, 0xee, 0xde, 0xe1, 0x2c, 0x93, 0x29, 0x4b, 0x12, 0xcf, 0x87,
++ 0x03, 0x98, 0xb9, 0x74, 0x41, 0xdb, 0x3a, 0x49, 0x9f, 0x92, 0xd0, 0x45,
++ 0xd4, 0x30, 0x73, 0xbb,
++};
++static const struct drbg_kat_pr_true kat3146_t = {
++ 10, kat3146_entropyin, kat3146_nonce, kat3146_persstr,
++ kat3146_entropyinpr1, kat3146_addinpr1, kat3146_entropyinpr2,
++ kat3146_addinpr2, kat3146_retbits
++};
++static const struct drbg_kat kat3146 = {
++ PR_TRUE, USE_DF, NID_aes_192_ctr, 24, 16, 0, 32, 64, &kat3146_t
++};
++
++static const struct drbg_kat *drbg_test[] = { &kat1308, &kat1465, &kat3146 };
++
++static const size_t drbg_test_nelem = OSSL_NELEM(drbg_test);
++
++static size_t kat_entropy(RAND_DRBG *drbg, unsigned char **pout,
++ int entropy, size_t min_len, size_t max_len,
++ int prediction_resistance)
++{
++ TEST_CTX *t = (TEST_CTX *)RAND_DRBG_get_ex_data(drbg, app_data_index);
++
++ t->entropycnt++;
++ *pout = (unsigned char *)t->entropy;
++ return t->entropylen;
++}
++
++static size_t kat_nonce(RAND_DRBG *drbg, unsigned char **pout,
++ int entropy, size_t min_len, size_t max_len)
++{
++ TEST_CTX *t = (TEST_CTX *)RAND_DRBG_get_ex_data(drbg, app_data_index);
++
++ t->noncecnt++;
++ *pout = (unsigned char *)t->nonce;
++ return t->noncelen;
++}
++
++/*
++ * Do a single NO_RESEED KAT:
++ *
++ * Instantiate
++ * Generate Random Bits (pr=false)
++ * Generate Random Bits (pr=false)
++ * Uninstantiate
++ *
++ * Return 0 on failure.
++ */
++static int single_kat_no_reseed(const struct drbg_kat *td)
++{
++ struct drbg_kat_no_reseed *data = (struct drbg_kat_no_reseed *)td->t;
++ RAND_DRBG *drbg = NULL;
++ unsigned char *buff = NULL;
++ unsigned int flags = 0;
++ int failures = 0;
++ TEST_CTX t;
++
++ if (td->df != USE_DF)
++ flags |= RAND_DRBG_FLAG_CTR_NO_DF;
++
++ if ((drbg = RAND_DRBG_new(td->nid, flags, NULL)) == NULL)
++ return 0;
++
++ if (!RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,
++ kat_nonce, NULL)) {
++ failures++;
++ goto err;
++ }
++ memset(&t, 0, sizeof(t));
++ t.entropy = data->entropyin;
++ t.entropylen = td->entropyinlen;
++ t.nonce = data->nonce;
++ t.noncelen = td->noncelen;
++ RAND_DRBG_set_ex_data(drbg, app_data_index, &t);
++
++ buff = OPENSSL_malloc(td->retbyteslen);
++ if (buff == NULL) {
++ failures++;
++ goto err;
++ }
++
++ if (!RAND_DRBG_instantiate(drbg, data->persstr, td->persstrlen)
++ || !RAND_DRBG_generate(drbg, buff, td->retbyteslen, 0,
++ data->addin1, td->addinlen)
++ || !RAND_DRBG_generate(drbg, buff, td->retbyteslen, 0,
++ data->addin2, td->addinlen)
++ || memcmp(data->retbytes, buff,
++ td->retbyteslen) != 0)
++ failures++;
++
++err:
++ OPENSSL_free(buff);
++ RAND_DRBG_uninstantiate(drbg);
++ RAND_DRBG_free(drbg);
++ return failures == 0;
++}
++
++/*-
++ * Do a single PR_FALSE KAT:
++ *
++ * Instantiate
++ * Reseed
++ * Generate Random Bits (pr=false)
++ * Generate Random Bits (pr=false)
++ * Uninstantiate
++ *
++ * Return 0 on failure.
++ */
++static int single_kat_pr_false(const struct drbg_kat *td)
++{
++ struct drbg_kat_pr_false *data = (struct drbg_kat_pr_false *)td->t;
++ RAND_DRBG *drbg = NULL;
++ unsigned char *buff = NULL;
++ unsigned int flags = 0;
++ int failures = 0;
++ TEST_CTX t;
++
++ if (td->df != USE_DF)
++ flags |= RAND_DRBG_FLAG_CTR_NO_DF;
++
++ if ((drbg = RAND_DRBG_new(td->nid, flags, NULL)) == NULL)
++ return 0;
++
++ if (!RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,
++ kat_nonce, NULL)) {
++ failures++;
++ goto err;
++ }
++ memset(&t, 0, sizeof(t));
++ t.entropy = data->entropyin;
++ t.entropylen = td->entropyinlen;
++ t.nonce = data->nonce;
++ t.noncelen = td->noncelen;
++ RAND_DRBG_set_ex_data(drbg, app_data_index, &t);
++
++ buff = OPENSSL_malloc(td->retbyteslen);
++ if (buff == NULL) {
++ failures++;
++ goto err;
++ }
++
++ if (!RAND_DRBG_instantiate(drbg, data->persstr, td->persstrlen))
++ failures++;
++
++ t.entropy = data->entropyinreseed;
++ t.entropylen = td->entropyinlen;
++
++ if (!RAND_DRBG_reseed(drbg, data->addinreseed, td->addinlen, 0)
++ || !RAND_DRBG_generate(drbg, buff, td->retbyteslen, 0,
++ data->addin1, td->addinlen)
++ || !RAND_DRBG_generate(drbg, buff, td->retbyteslen, 0,
++ data->addin2, td->addinlen)
++ || memcmp(data->retbytes, buff,
++ td->retbyteslen) != 0)
++ failures++;
++
++err:
++ OPENSSL_free(buff);
++ RAND_DRBG_uninstantiate(drbg);
++ RAND_DRBG_free(drbg);
++ return failures == 0;
++}
++
++/*-
++ * Do a single PR_TRUE KAT:
++ *
++ * Instantiate
++ * Generate Random Bits (pr=true)
++ * Generate Random Bits (pr=true)
++ * Uninstantiate
++ *
++ * Return 0 on failure.
++ */
++static int single_kat_pr_true(const struct drbg_kat *td)
++{
++ struct drbg_kat_pr_true *data = (struct drbg_kat_pr_true *)td->t;
++ RAND_DRBG *drbg = NULL;
++ unsigned char *buff = NULL;
++ unsigned int flags = 0;
++ int failures = 0;
++ TEST_CTX t;
++
++ if (td->df != USE_DF)
++ flags |= RAND_DRBG_FLAG_CTR_NO_DF;
++
++ if ((drbg = RAND_DRBG_new(td->nid, flags, NULL)) == NULL)
++ return 0;
++
++ if (!RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,
++ kat_nonce, NULL)) {
++ failures++;
++ goto err;
++ }
++ memset(&t, 0, sizeof(t));
++ t.nonce = data->nonce;
++ t.noncelen = td->noncelen;
++ t.entropy = data->entropyin;
++ t.entropylen = td->entropyinlen;
++ RAND_DRBG_set_ex_data(drbg, app_data_index, &t);
++
++ buff = OPENSSL_malloc(td->retbyteslen);
++ if (buff == NULL) {
++ failures++;
++ goto err;
++ }
++
++ if (!RAND_DRBG_instantiate(drbg, data->persstr, td->persstrlen))
++ failures++;
++
++ t.entropy = data->entropyinpr1;
++ t.entropylen = td->entropyinlen;
++
++ if (!RAND_DRBG_generate(drbg, buff, td->retbyteslen, 1,
++ data->addin1, td->addinlen))
++ failures++;
++
++ t.entropy = data->entropyinpr2;
++ t.entropylen = td->entropyinlen;
++
++ if (!RAND_DRBG_generate(drbg, buff, td->retbyteslen, 1,
++ data->addin2, td->addinlen)
++ || memcmp(data->retbytes, buff,
++ td->retbyteslen) != 0)
++ failures++;
++
++err:
++ OPENSSL_free(buff);
++ RAND_DRBG_uninstantiate(drbg);
++ RAND_DRBG_free(drbg);
++ return failures == 0;
++}
++
++static int test_kats(int i)
++{
++ const struct drbg_kat *td = drbg_test[i];
++ int rv = 0;
++
++ switch (td->type) {
++ case NO_RESEED:
++ if (!single_kat_no_reseed(td))
++ goto err;
++ break;
++ case PR_FALSE:
++ if (!single_kat_pr_false(td))
++ goto err;
++ break;
++ case PR_TRUE:
++ if (!single_kat_pr_true(td))
++ goto err;
++ break;
++ default: /* cant happen */
++ goto err;
++ }
++ rv = 1;
++err:
++ return rv;
++}
++
++/*-
++ * Do one expected-error test:
++ *
++ * Instantiate with no entropy supplied
++ *
++ * Return 0 on failure.
++ */
++static int test_drbg_sanity(const struct drbg_kat *td)
++{
++ struct drbg_kat_pr_false *data = (struct drbg_kat_pr_false *)td->t;
++ RAND_DRBG *drbg = NULL;
++ unsigned int flags = 0;
++ int failures = 0;
++ TEST_CTX t;
++
++ if (td->df != USE_DF)
++ flags |= RAND_DRBG_FLAG_CTR_NO_DF;
++
++ if ((drbg = RAND_DRBG_new(td->nid, flags, NULL)) == NULL)
++ return 0;
++
++ if (!RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,
++ kat_nonce, NULL)) {
++ failures++;
++ goto err;
++ }
++ memset(&t, 0, sizeof(t));
++ t.entropy = data->entropyin;
++ t.entropylen = 0; /* No entropy */
++ t.nonce = data->nonce;
++ t.noncelen = td->noncelen;
++ RAND_DRBG_set_ex_data(drbg, app_data_index, &t);
++
++ ERR_set_mark();
++ /* This must fail. */
++ if (RAND_DRBG_instantiate(drbg, data->persstr, td->persstrlen))
++ failures++;
++ RAND_DRBG_uninstantiate(drbg);
++ ERR_pop_to_mark();
++
++err:
++ RAND_DRBG_free(drbg);
++ return failures == 0;
++}
++
++
++int rand_drbg_selftest(void)
++{
++ int i;
++
++ if (!RUN_ONCE(&get_index_once, drbg_app_data_index_init))
++ return 0;
++
++ for (i = 0; i < drbg_test_nelem; i++) {
++ if (test_kats(i) <= 0)
++ return 0;
++ }
++
++ if (test_drbg_sanity(&kat1465) <= 0)
++ return 0;
++
++ return 1;
++}
+diff -up openssl-1.1.1g/include/crypto/rand.h.drbg-selftest openssl-1.1.1g/include/crypto/rand.h
+--- openssl-1.1.1g/include/crypto/rand.h.drbg-selftest 2020-04-23 13:33:12.587622510 +0200
++++ openssl-1.1.1g/include/crypto/rand.h 2020-04-23 13:33:12.619621907 +0200
+@@ -140,4 +140,9 @@ void rand_pool_cleanup(void);
+ */
+ void rand_pool_keep_random_devices_open(int keep);
+
++/*
++ * Perform the DRBG KAT selftests
++ */
++int rand_drbg_selftest(void);
++
+ #endif
diff --git a/SOURCES/openssl-1.1.1-fips-post-rand.patch b/SOURCES/openssl-1.1.1-fips-post-rand.patch
index fc60e33..18a01fe 100644
--- a/SOURCES/openssl-1.1.1-fips-post-rand.patch
+++ b/SOURCES/openssl-1.1.1-fips-post-rand.patch
@@ -1,11 +1,11 @@
-diff -up openssl-1.1.1c/crypto/fips/fips.c.fips-post-rand openssl-1.1.1c/crypto/fips/fips.c
---- openssl-1.1.1c/crypto/fips/fips.c.fips-post-rand 2019-05-29 15:53:56.328216002 +0200
-+++ openssl-1.1.1c/crypto/fips/fips.c 2019-05-29 15:53:56.359215457 +0200
+diff -up openssl-1.1.1e/crypto/fips/fips.c.fips-post-rand openssl-1.1.1e/crypto/fips/fips.c
+--- openssl-1.1.1e/crypto/fips/fips.c.fips-post-rand 2020-03-17 18:06:16.822418854 +0100
++++ openssl-1.1.1e/crypto/fips/fips.c 2020-03-17 18:06:16.861418172 +0100
@@ -68,6 +68,7 @@
# include <openssl/fips.h>
# include "internal/thread_once.h"
-+# include "internal/rand_int.h"
++# include "crypto/rand.h"
# ifndef PATH_MAX
# define PATH_MAX 1024
@@ -46,41 +46,52 @@ diff -up openssl-1.1.1c/crypto/fips/fips.c.fips-post-rand openssl-1.1.1c/crypto/
+
fips_set_mode(onoff);
+ /* force RNG reseed with entropy from getrandom() on next call */
-+ rand_fork();
++ rand_force_reseed();
+
ret = 1;
goto end;
}
-diff -up openssl-1.1.1c/crypto/include/internal/fips_int.h.fips-post-rand openssl-1.1.1c/crypto/include/internal/fips_int.h
---- openssl-1.1.1c/crypto/include/internal/fips_int.h.fips-post-rand 2019-05-29 15:53:56.337215844 +0200
-+++ openssl-1.1.1c/crypto/include/internal/fips_int.h 2019-05-29 15:53:56.359215457 +0200
-@@ -77,6 +77,8 @@ int FIPS_selftest_hmac(void);
- int FIPS_selftest_drbg(void);
- int FIPS_selftest_cmac(void);
+diff -up openssl-1.1.1e/crypto/rand/drbg_lib.c.fips-post-rand openssl-1.1.1e/crypto/rand/drbg_lib.c
+--- openssl-1.1.1e/crypto/rand/drbg_lib.c.fips-post-rand 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/crypto/rand/drbg_lib.c 2020-03-17 18:07:35.305045521 +0100
+@@ -1009,6 +1009,20 @@ size_t rand_drbg_seedlen(RAND_DRBG *drbg
+ return min_entropy > min_entropylen ? min_entropy : min_entropylen;
+ }
-+int fips_in_post(void);
++void rand_force_reseed(void)
++{
++ RAND_DRBG *drbg;
+
- int fips_pkey_signature_test(EVP_PKEY *pkey,
- const unsigned char *tbs, int tbslen,
- const unsigned char *kat,
-diff -up openssl-1.1.1c/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1c/crypto/rand/rand_unix.c
---- openssl-1.1.1c/crypto/rand/rand_unix.c.fips-post-rand 2019-05-28 15:12:21.000000000 +0200
-+++ openssl-1.1.1c/crypto/rand/rand_unix.c 2019-05-29 16:54:16.471391802 +0200
-@@ -16,10 +16,12 @@
- #include <openssl/rand.h>
- #include "rand_lcl.h"
- #include "internal/rand_int.h"
-+#include "internal/fips_int.h"
++ drbg = RAND_DRBG_get0_master();
++ drbg->fork_id = 0;
++
++ drbg = RAND_DRBG_get0_private();
++ drbg->fork_id = 0;
++
++ drbg = RAND_DRBG_get0_public();
++ drbg->fork_id = 0;
++}
++
+ /* Implements the default OpenSSL RAND_add() method */
+ static int drbg_add(const void *buf, int num, double randomness)
+ {
+diff -up openssl-1.1.1e/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1e/crypto/rand/rand_unix.c
+--- openssl-1.1.1e/crypto/rand/rand_unix.c.fips-post-rand 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/crypto/rand/rand_unix.c 2020-03-17 18:09:01.503537189 +0100
+@@ -17,10 +17,12 @@
+ #include <openssl/crypto.h>
+ #include "rand_local.h"
+ #include "crypto/rand.h"
++#include "crypto/fips.h"
#include <stdio.h>
#include "internal/dso.h"
- #if defined(__linux)
--# include <asm/unistd.h>
-+# include <sys/syscall.h>
+ #ifdef __linux
+ # include <sys/syscall.h>
+# include <sys/random.h>
- #endif
- #if defined(__FreeBSD__)
- # include <sys/types.h>
-@@ -279,7 +281,7 @@ static ssize_t sysctl_random(char *buf,
+ # ifdef DEVRANDOM_WAIT
+ # include <sys/shm.h>
+ # include <sys/utsname.h>
+@@ -342,7 +344,7 @@ static ssize_t sysctl_random(char *buf,
* syscall_random(): Try to get random data using a system call
* returns the number of bytes returned in buf, or < 0 on error.
*/
@@ -89,7 +100,7 @@ diff -up openssl-1.1.1c/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1c/cr
{
/*
* Note: 'buflen' equals the size of the buffer which is used by the
-@@ -301,6 +303,7 @@ static ssize_t syscall_random(void *buf,
+@@ -364,6 +366,7 @@ static ssize_t syscall_random(void *buf,
* - Linux since 3.17 with glibc 2.25
* - FreeBSD since 12.0 (1200061)
*/
@@ -97,7 +108,7 @@ diff -up openssl-1.1.1c/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1c/cr
# if defined(__GNUC__) && __GNUC__>=2 && defined(__ELF__) && !defined(__hpux)
extern int getentropy(void *buffer, size_t length) __attribute__((weak));
-@@ -322,10 +325,10 @@ static ssize_t syscall_random(void *buf,
+@@ -385,10 +388,10 @@ static ssize_t syscall_random(void *buf,
if (p_getentropy.p != NULL)
return p_getentropy.f(buf, buflen) == 0 ? (ssize_t)buflen : -1;
# endif
@@ -111,19 +122,17 @@ diff -up openssl-1.1.1c/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1c/cr
# elif (defined(__FreeBSD__) || defined(__NetBSD__)) && defined(KERN_ARND)
return sysctl_random(buf, buflen);
# else
-@@ -475,8 +478,10 @@ size_t rand_pool_acquire_entropy(RAND_PO
- size_t bytes_needed;
- size_t entropy_available = 0;
- unsigned char *buffer;
--
+@@ -623,6 +626,9 @@ size_t rand_pool_acquire_entropy(RAND_PO
+ size_t entropy_available;
+
# if defined(OPENSSL_RAND_SEED_GETRANDOM)
+ int in_post;
+
+ for (in_post = fips_in_post(); in_post >= 0; --in_post) {
{
- ssize_t bytes;
- /* Maximum allowed number of consecutive unsuccessful attempts */
-@@ -485,7 +490,7 @@ size_t rand_pool_acquire_entropy(RAND_PO
+ size_t bytes_needed;
+ unsigned char *buffer;
+@@ -633,7 +639,7 @@ size_t rand_pool_acquire_entropy(RAND_PO
bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/);
while (bytes_needed != 0 && attempts-- > 0) {
buffer = rand_pool_add_begin(pool, bytes_needed);
@@ -132,7 +141,7 @@ diff -up openssl-1.1.1c/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1c/cr
if (bytes > 0) {
rand_pool_add_end(pool, bytes, 8 * bytes);
bytes_needed -= bytes;
-@@ -540,8 +545,10 @@ size_t rand_pool_acquire_entropy(RAND_PO
+@@ -668,8 +674,10 @@ size_t rand_pool_acquire_entropy(RAND_PO
int attempts = 3;
const int fd = get_random_device(i);
@@ -144,8 +153,8 @@ diff -up openssl-1.1.1c/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1c/cr
while (bytes_needed != 0 && attempts-- > 0) {
buffer = rand_pool_add_begin(pool, bytes_needed);
-@@ -601,7 +608,9 @@ size_t rand_pool_acquire_entropy(RAND_PO
- }
+@@ -732,7 +740,9 @@ size_t rand_pool_acquire_entropy(RAND_PO
+ return entropy_available;
}
# endif
-
@@ -155,3 +164,26 @@ diff -up openssl-1.1.1c/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1c/cr
return rand_pool_entropy_available(pool);
# endif
}
+diff -up openssl-1.1.1e/include/crypto/fips.h.fips-post-rand openssl-1.1.1e/include/crypto/fips.h
+--- openssl-1.1.1e/include/crypto/fips.h.fips-post-rand 2020-03-17 18:06:16.831418696 +0100
++++ openssl-1.1.1e/include/crypto/fips.h 2020-03-17 18:06:16.861418172 +0100
+@@ -77,6 +77,8 @@ int FIPS_selftest_hmac(void);
+ int FIPS_selftest_drbg(void);
+ int FIPS_selftest_cmac(void);
+
++int fips_in_post(void);
++
+ int fips_pkey_signature_test(EVP_PKEY *pkey,
+ const unsigned char *tbs, int tbslen,
+ const unsigned char *kat,
+diff -up openssl-1.1.1e/include/crypto/rand.h.fips-post-rand openssl-1.1.1e/include/crypto/rand.h
+--- openssl-1.1.1e/include/crypto/rand.h.fips-post-rand 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/include/crypto/rand.h 2020-03-17 18:07:35.303045555 +0100
+@@ -24,6 +24,7 @@
+ typedef struct rand_pool_st RAND_POOL;
+
+ void rand_cleanup_int(void);
++void rand_force_reseed(void);
+ void rand_drbg_cleanup_int(void);
+ void drbg_delete_thread_state(void);
+
diff --git a/SOURCES/openssl-1.1.1-fips.patch b/SOURCES/openssl-1.1.1-fips.patch
index 6dd23b6..ad295a4 100644
--- a/SOURCES/openssl-1.1.1-fips.patch
+++ b/SOURCES/openssl-1.1.1-fips.patch
@@ -1,19 +1,19 @@
-diff -up openssl-1.1.1b/apps/pkcs12.c.fips openssl-1.1.1b/apps/pkcs12.c
---- openssl-1.1.1b/apps/pkcs12.c.fips 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/apps/pkcs12.c 2019-05-24 12:08:40.524523735 +0200
-@@ -126,7 +126,7 @@ int pkcs12_main(int argc, char **argv)
+diff -up openssl-1.1.1g/apps/pkcs12.c.fips openssl-1.1.1g/apps/pkcs12.c
+--- openssl-1.1.1g/apps/pkcs12.c.fips 2020-04-23 13:26:06.975649817 +0200
++++ openssl-1.1.1g/apps/pkcs12.c 2020-04-23 13:28:27.689995889 +0200
+@@ -123,7 +123,7 @@ int pkcs12_main(int argc, char **argv)
int export_cert = 0, options = 0, chain = 0, twopass = 0, keytype = 0;
int iter = PKCS12_DEFAULT_ITER, maciter = PKCS12_DEFAULT_ITER;
- # ifndef OPENSSL_NO_RC2
+ #ifndef OPENSSL_NO_RC2
- int cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC;
+ int cert_pbe = FIPS_mode() ? NID_pbe_WithSHA1And3_Key_TripleDES_CBC : NID_pbe_WithSHA1And40BitRC2_CBC;
- # else
+ #else
int cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
- # endif
-diff -up openssl-1.1.1b/apps/speed.c.fips openssl-1.1.1b/apps/speed.c
---- openssl-1.1.1b/apps/speed.c.fips 2019-05-07 11:52:35.887597899 +0200
-+++ openssl-1.1.1b/apps/speed.c 2019-05-07 16:51:36.946350159 +0200
-@@ -1592,7 +1592,8 @@ int speed_main(int argc, char **argv)
+ #endif
+diff -up openssl-1.1.1e/apps/speed.c.fips openssl-1.1.1e/apps/speed.c
+--- openssl-1.1.1e/apps/speed.c.fips 2020-03-17 17:30:51.997567897 +0100
++++ openssl-1.1.1e/apps/speed.c 2020-03-17 17:30:52.021567479 +0100
+@@ -1593,7 +1593,8 @@ int speed_main(int argc, char **argv)
continue;
if (strcmp(*argv, "rsa") == 0) {
for (loop = 0; loop < OSSL_NELEM(rsa_doit); loop++)
@@ -23,7 +23,7 @@ diff -up openssl-1.1.1b/apps/speed.c.fips openssl-1.1.1b/apps/speed.c
continue;
}
if (found(*argv, rsa_choices, &i)) {
-@@ -1602,7 +1603,9 @@ int speed_main(int argc, char **argv)
+@@ -1603,7 +1604,9 @@ int speed_main(int argc, char **argv)
#endif
#ifndef OPENSSL_NO_DSA
if (strcmp(*argv, "dsa") == 0) {
@@ -34,7 +34,7 @@ diff -up openssl-1.1.1b/apps/speed.c.fips openssl-1.1.1b/apps/speed.c
dsa_doit[R_DSA_2048] = 1;
continue;
}
-@@ -1633,19 +1636,21 @@ int speed_main(int argc, char **argv)
+@@ -1634,19 +1637,21 @@ int speed_main(int argc, char **argv)
}
if (strcmp(*argv, "ecdh") == 0) {
for (loop = 0; loop < OSSL_NELEM(ecdh_doit); loop++)
@@ -60,7 +60,7 @@ diff -up openssl-1.1.1b/apps/speed.c.fips openssl-1.1.1b/apps/speed.c
eddsa_doit[i] = 2;
continue;
}
-@@ -1734,23 +1739,31 @@ int speed_main(int argc, char **argv)
+@@ -1735,23 +1740,31 @@ int speed_main(int argc, char **argv)
/* No parameters; turn on everything. */
if ((argc == 0) && !doit[D_EVP]) {
for (i = 0; i < ALGOR_NUM; i++)
@@ -98,7 +98,7 @@ diff -up openssl-1.1.1b/apps/speed.c.fips openssl-1.1.1b/apps/speed.c
#endif
}
for (i = 0; i < ALGOR_NUM; i++)
-@@ -1798,30 +1810,46 @@ int speed_main(int argc, char **argv)
+@@ -1799,30 +1812,46 @@ int speed_main(int argc, char **argv)
AES_set_encrypt_key(key24, 192, &aes_ks2);
AES_set_encrypt_key(key32, 256, &aes_ks3);
#ifndef OPENSSL_NO_CAMELLIA
@@ -155,7 +155,7 @@ diff -up openssl-1.1.1b/apps/speed.c.fips openssl-1.1.1b/apps/speed.c
#endif
#ifndef SIGALRM
# ifndef OPENSSL_NO_DES
-@@ -2118,6 +2146,7 @@ int speed_main(int argc, char **argv)
+@@ -2120,6 +2149,7 @@ int speed_main(int argc, char **argv)
for (i = 0; i < loopargs_len; i++) {
loopargs[i].hctx = HMAC_CTX_new();
@@ -163,10 +163,10 @@ diff -up openssl-1.1.1b/apps/speed.c.fips openssl-1.1.1b/apps/speed.c
if (loopargs[i].hctx == NULL) {
BIO_printf(bio_err, "HMAC malloc failure, exiting...");
exit(1);
-diff -up openssl-1.1.1b/Configure.fips openssl-1.1.1b/Configure
---- openssl-1.1.1b/Configure.fips 2019-02-28 11:30:06.775746246 +0100
-+++ openssl-1.1.1b/Configure 2019-02-28 11:30:06.779746172 +0100
-@@ -313,7 +313,7 @@ $config{sdirs} = [
+diff -up openssl-1.1.1e/Configure.fips openssl-1.1.1e/Configure
+--- openssl-1.1.1e/Configure.fips 2020-03-17 17:30:52.015567584 +0100
++++ openssl-1.1.1e/Configure 2020-03-17 17:30:52.022567462 +0100
+@@ -319,7 +319,7 @@ $config{sdirs} = [
"md2", "md4", "md5", "sha", "mdc2", "hmac", "ripemd", "whrlpool", "poly1305", "blake2", "siphash", "sm3",
"des", "aes", "rc2", "rc4", "rc5", "idea", "aria", "bf", "cast", "camellia", "seed", "sm4", "chacha", "modes",
"bn", "ec", "rsa", "dsa", "dh", "sm2", "dso", "engine",
@@ -175,9 +175,9 @@ diff -up openssl-1.1.1b/Configure.fips openssl-1.1.1b/Configure
"evp", "asn1", "pem", "x509", "x509v3", "conf", "txt_db", "pkcs7", "pkcs12", "comp", "ocsp", "ui",
"cms", "ts", "srp", "cmac", "ct", "async", "kdf", "store"
];
-diff -up openssl-1.1.1b/crypto/cmac/cm_pmeth.c.fips openssl-1.1.1b/crypto/cmac/cm_pmeth.c
---- openssl-1.1.1b/crypto/cmac/cm_pmeth.c.fips 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/cmac/cm_pmeth.c 2019-05-06 14:55:32.866749109 +0200
+diff -up openssl-1.1.1e/crypto/cmac/cm_pmeth.c.fips openssl-1.1.1e/crypto/cmac/cm_pmeth.c
+--- openssl-1.1.1e/crypto/cmac/cm_pmeth.c.fips 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/crypto/cmac/cm_pmeth.c 2020-03-17 17:30:52.022567462 +0100
@@ -129,7 +129,7 @@ static int pkey_cmac_ctrl_str(EVP_PKEY_C
const EVP_PKEY_METHOD cmac_pkey_meth = {
@@ -187,9 +187,9 @@ diff -up openssl-1.1.1b/crypto/cmac/cm_pmeth.c.fips openssl-1.1.1b/crypto/cmac/c
pkey_cmac_init,
pkey_cmac_copy,
pkey_cmac_cleanup,
-diff -up openssl-1.1.1b/crypto/dh/dh_err.c.fips openssl-1.1.1b/crypto/dh/dh_err.c
---- openssl-1.1.1b/crypto/dh/dh_err.c.fips 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/dh/dh_err.c 2019-02-28 11:30:06.779746172 +0100
+diff -up openssl-1.1.1e/crypto/dh/dh_err.c.fips openssl-1.1.1e/crypto/dh/dh_err.c
+--- openssl-1.1.1e/crypto/dh/dh_err.c.fips 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/crypto/dh/dh_err.c 2020-03-17 17:30:52.022567462 +0100
@@ -25,6 +25,9 @@ static const ERR_STRING_DATA DH_str_func
{ERR_PACK(ERR_LIB_DH, DH_F_DH_CMS_SET_PEERKEY, 0), "dh_cms_set_peerkey"},
{ERR_PACK(ERR_LIB_DH, DH_F_DH_CMS_SET_SHARED_INFO, 0),
@@ -215,13 +215,13 @@ diff -up openssl-1.1.1b/crypto/dh/dh_err.c.fips openssl-1.1.1b/crypto/dh/dh_err.
{ERR_PACK(ERR_LIB_DH, 0, DH_R_PARAMETER_ENCODING_ERROR),
"parameter encoding error"},
{ERR_PACK(ERR_LIB_DH, 0, DH_R_PEER_KEY_ERROR), "peer key error"},
-diff -up openssl-1.1.1b/crypto/dh/dh_gen.c.fips openssl-1.1.1b/crypto/dh/dh_gen.c
---- openssl-1.1.1b/crypto/dh/dh_gen.c.fips 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/dh/dh_gen.c 2019-02-28 11:30:06.780746153 +0100
+diff -up openssl-1.1.1e/crypto/dh/dh_gen.c.fips openssl-1.1.1e/crypto/dh/dh_gen.c
+--- openssl-1.1.1e/crypto/dh/dh_gen.c.fips 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/crypto/dh/dh_gen.c 2020-03-17 18:03:31.005320382 +0100
@@ -16,6 +16,9 @@
#include "internal/cryptlib.h"
#include <openssl/bn.h>
- #include "dh_locl.h"
+ #include "dh_local.h"
+#ifdef OPENSSL_FIPS
+# include <openssl/fips.h>
+#endif
@@ -242,7 +242,7 @@ diff -up openssl-1.1.1b/crypto/dh/dh_gen.c.fips openssl-1.1.1b/crypto/dh/dh_gen.
if (ret->meth->generate_params)
return ret->meth->generate_params(ret, prime_len, generator, cb);
return dh_builtin_genparams(ret, prime_len, generator, cb);
-@@ -62,6 +72,18 @@ static int dh_builtin_genparams(DH *ret,
+@@ -65,6 +75,18 @@ static int dh_builtin_genparams(DH *ret,
int g, ok = -1;
BN_CTX *ctx = NULL;
@@ -261,13 +261,13 @@ diff -up openssl-1.1.1b/crypto/dh/dh_gen.c.fips openssl-1.1.1b/crypto/dh/dh_gen.
ctx = BN_CTX_new();
if (ctx == NULL)
goto err;
-diff -up openssl-1.1.1b/crypto/dh/dh_key.c.fips openssl-1.1.1b/crypto/dh/dh_key.c
---- openssl-1.1.1b/crypto/dh/dh_key.c.fips 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/dh/dh_key.c 2019-02-28 11:30:06.780746153 +0100
+diff -up openssl-1.1.1e/crypto/dh/dh_key.c.fips openssl-1.1.1e/crypto/dh/dh_key.c
+--- openssl-1.1.1e/crypto/dh/dh_key.c.fips 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/crypto/dh/dh_key.c 2020-03-17 18:03:52.706940641 +0100
@@ -11,6 +11,9 @@
#include "internal/cryptlib.h"
- #include "dh_locl.h"
- #include "internal/bn_int.h"
+ #include "dh_local.h"
+ #include "crypto/bn.h"
+#ifdef OPENSSL_FIPS
+# include <openssl/fips.h>
+#endif
@@ -323,7 +323,7 @@ diff -up openssl-1.1.1b/crypto/dh/dh_key.c.fips openssl-1.1.1b/crypto/dh/dh_key.
if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) {
DHerr(DH_F_GENERATE_KEY, DH_R_MODULUS_TOO_LARGE);
return 0;
-@@ -170,6 +195,13 @@ static int compute_key(unsigned char *ke
+@@ -179,6 +204,13 @@ static int compute_key(unsigned char *ke
DHerr(DH_F_COMPUTE_KEY, DH_R_MODULUS_TOO_LARGE);
goto err;
}
@@ -337,7 +337,7 @@ diff -up openssl-1.1.1b/crypto/dh/dh_key.c.fips openssl-1.1.1b/crypto/dh/dh_key.
ctx = BN_CTX_new();
if (ctx == NULL)
-@@ -221,6 +253,9 @@ static int dh_bn_mod_exp(const DH *dh, B
+@@ -228,6 +260,9 @@ static int dh_bn_mod_exp(const DH *dh, B
static int dh_init(DH *dh)
{
@@ -347,9 +347,9 @@ diff -up openssl-1.1.1b/crypto/dh/dh_key.c.fips openssl-1.1.1b/crypto/dh/dh_key.
dh->flags |= DH_FLAG_CACHE_MONT_P;
return 1;
}
-diff -up openssl-1.1.1b/crypto/dh/dh_pmeth.c.fips openssl-1.1.1b/crypto/dh/dh_pmeth.c
---- openssl-1.1.1b/crypto/dh/dh_pmeth.c.fips 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/dh/dh_pmeth.c 2019-05-06 14:57:29.184723430 +0200
+diff -up openssl-1.1.1e/crypto/dh/dh_pmeth.c.fips openssl-1.1.1e/crypto/dh/dh_pmeth.c
+--- openssl-1.1.1e/crypto/dh/dh_pmeth.c.fips 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/crypto/dh/dh_pmeth.c 2020-03-17 17:30:52.023567444 +0100
@@ -480,7 +480,7 @@ static int pkey_dh_derive(EVP_PKEY_CTX *
const EVP_PKEY_METHOD dh_pkey_meth = {
@@ -368,9 +368,9 @@ diff -up openssl-1.1.1b/crypto/dh/dh_pmeth.c.fips openssl-1.1.1b/crypto/dh/dh_pm
pkey_dh_init,
pkey_dh_copy,
pkey_dh_cleanup,
-diff -up openssl-1.1.1b/crypto/dsa/dsa_err.c.fips openssl-1.1.1b/crypto/dsa/dsa_err.c
---- openssl-1.1.1b/crypto/dsa/dsa_err.c.fips 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/dsa/dsa_err.c 2019-02-28 11:30:06.798745819 +0100
+diff -up openssl-1.1.1e/crypto/dsa/dsa_err.c.fips openssl-1.1.1e/crypto/dsa/dsa_err.c
+--- openssl-1.1.1e/crypto/dsa/dsa_err.c.fips 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/crypto/dsa/dsa_err.c 2020-03-17 17:30:52.023567444 +0100
@@ -16,12 +16,15 @@
static const ERR_STRING_DATA DSA_str_functs[] = {
{ERR_PACK(ERR_LIB_DSA, DSA_F_DSAPARAMS_PRINT, 0), "DSAparams_print"},
@@ -387,26 +387,28 @@ diff -up openssl-1.1.1b/crypto/dsa/dsa_err.c.fips openssl-1.1.1b/crypto/dsa/dsa_
{ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_METH_DUP, 0), "DSA_meth_dup"},
{ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_METH_NEW, 0), "DSA_meth_new"},
{ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_METH_SET1_NAME, 0), "DSA_meth_set1_name"},
-@@ -51,9 +54,12 @@ static const ERR_STRING_DATA DSA_str_rea
+@@ -51,11 +54,14 @@ static const ERR_STRING_DATA DSA_str_rea
{ERR_PACK(ERR_LIB_DSA, 0, DSA_R_INVALID_DIGEST_TYPE),
"invalid digest type"},
{ERR_PACK(ERR_LIB_DSA, 0, DSA_R_INVALID_PARAMETERS), "invalid parameters"},
+ {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_KEY_SIZE_INVALID), "key size invalid"},
+ {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_KEY_SIZE_TOO_SMALL), "key size too small"},
{ERR_PACK(ERR_LIB_DSA, 0, DSA_R_MISSING_PARAMETERS), "missing parameters"},
+ {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_MISSING_PRIVATE_KEY),
+ "missing private key"},
{ERR_PACK(ERR_LIB_DSA, 0, DSA_R_MODULUS_TOO_LARGE), "modulus too large"},
{ERR_PACK(ERR_LIB_DSA, 0, DSA_R_NO_PARAMETERS_SET), "no parameters set"},
+ {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_NON_FIPS_DSA_METHOD), "non FIPS DSA method"},
{ERR_PACK(ERR_LIB_DSA, 0, DSA_R_PARAMETER_ENCODING_ERROR),
"parameter encoding error"},
{ERR_PACK(ERR_LIB_DSA, 0, DSA_R_Q_NOT_PRIME), "q not prime"},
-diff -up openssl-1.1.1b/crypto/dsa/dsa_gen.c.fips openssl-1.1.1b/crypto/dsa/dsa_gen.c
---- openssl-1.1.1b/crypto/dsa/dsa_gen.c.fips 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/dsa/dsa_gen.c 2019-02-28 11:30:06.799745800 +0100
+diff -up openssl-1.1.1e/crypto/dsa/dsa_gen.c.fips openssl-1.1.1e/crypto/dsa/dsa_gen.c
+--- openssl-1.1.1e/crypto/dsa/dsa_gen.c.fips 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/crypto/dsa/dsa_gen.c 2020-03-17 18:02:14.626656877 +0100
@@ -22,12 +22,22 @@
#include <openssl/rand.h>
#include <openssl/sha.h>
- #include "dsa_locl.h"
+ #include "dsa_local.h"
+#ifdef OPENSSL_FIPS
+# include <openssl/fips.h>
+#endif
@@ -442,7 +444,7 @@ diff -up openssl-1.1.1b/crypto/dsa/dsa_gen.c.fips openssl-1.1.1b/crypto/dsa/dsa_
}
}
-@@ -310,7 +326,7 @@ int dsa_builtin_paramgen2(DSA *ret, size
+@@ -309,7 +325,7 @@ int dsa_builtin_paramgen2(DSA *ret, size
int *counter_ret, unsigned long *h_ret,
BN_GENCB *cb)
{
@@ -451,7 +453,7 @@ diff -up openssl-1.1.1b/crypto/dsa/dsa_gen.c.fips openssl-1.1.1b/crypto/dsa/dsa_
unsigned char *seed = NULL, *seed_tmp = NULL;
unsigned char md[EVP_MAX_MD_SIZE];
int mdsize;
-@@ -333,6 +349,20 @@ int dsa_builtin_paramgen2(DSA *ret, size
+@@ -332,6 +348,20 @@ int dsa_builtin_paramgen2(DSA *ret, size
goto err;
}
@@ -472,7 +474,7 @@ diff -up openssl-1.1.1b/crypto/dsa/dsa_gen.c.fips openssl-1.1.1b/crypto/dsa/dsa_
if (evpmd == NULL) {
if (N == 160)
evpmd = EVP_sha1();
-@@ -433,9 +463,10 @@ int dsa_builtin_paramgen2(DSA *ret, size
+@@ -432,9 +462,10 @@ int dsa_builtin_paramgen2(DSA *ret, size
goto err;
/* Provided seed didn't produce a prime: error */
if (seed_in) {
@@ -486,7 +488,7 @@ diff -up openssl-1.1.1b/crypto/dsa/dsa_gen.c.fips openssl-1.1.1b/crypto/dsa/dsa_
}
/* do a callback call */
-@@ -521,11 +552,14 @@ int dsa_builtin_paramgen2(DSA *ret, size
+@@ -520,11 +551,14 @@ int dsa_builtin_paramgen2(DSA *ret, size
if (counter >= (int)(4 * L))
break;
}
@@ -501,7 +503,7 @@ diff -up openssl-1.1.1b/crypto/dsa/dsa_gen.c.fips openssl-1.1.1b/crypto/dsa/dsa_
}
end:
if (!BN_GENCB_call(cb, 2, 1))
-@@ -596,7 +630,7 @@ int dsa_builtin_paramgen2(DSA *ret, size
+@@ -595,7 +629,7 @@ int dsa_builtin_paramgen2(DSA *ret, size
BN_free(ret->g);
ret->g = BN_dup(g);
if (ret->p == NULL || ret->q == NULL || ret->g == NULL) {
@@ -510,7 +512,7 @@ diff -up openssl-1.1.1b/crypto/dsa/dsa_gen.c.fips openssl-1.1.1b/crypto/dsa/dsa_
goto err;
}
if (counter_ret != NULL)
-@@ -614,3 +648,53 @@ int dsa_builtin_paramgen2(DSA *ret, size
+@@ -612,3 +646,53 @@ int dsa_builtin_paramgen2(DSA *ret, size
EVP_MD_CTX_free(mctx);
return ok;
}
@@ -564,16 +566,16 @@ diff -up openssl-1.1.1b/crypto/dsa/dsa_gen.c.fips openssl-1.1.1b/crypto/dsa/dsa_
+}
+
+#endif
-diff -up openssl-1.1.1b/crypto/dsa/dsa_key.c.fips openssl-1.1.1b/crypto/dsa/dsa_key.c
---- openssl-1.1.1b/crypto/dsa/dsa_key.c.fips 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/dsa/dsa_key.c 2019-02-28 11:30:06.799745800 +0100
+diff -up openssl-1.1.1e/crypto/dsa/dsa_key.c.fips openssl-1.1.1e/crypto/dsa/dsa_key.c
+--- openssl-1.1.1e/crypto/dsa/dsa_key.c.fips 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/crypto/dsa/dsa_key.c 2020-03-17 18:02:51.103018604 +0100
@@ -13,10 +13,49 @@
#include <openssl/bn.h>
- #include "dsa_locl.h"
+ #include "dsa_local.h"
+#ifdef OPENSSL_FIPS
+# include <openssl/fips.h>
-+# include "internal/fips_int.h"
++# include "crypto/fips.h"
+
+static int fips_check_dsa(DSA *dsa)
+{
@@ -646,12 +648,12 @@ diff -up openssl-1.1.1b/crypto/dsa/dsa_key.c.fips openssl-1.1.1b/crypto/dsa/dsa_
ok = 1;
err:
-diff -up openssl-1.1.1b/crypto/dsa/dsa_ossl.c.fips openssl-1.1.1b/crypto/dsa/dsa_ossl.c
---- openssl-1.1.1b/crypto/dsa/dsa_ossl.c.fips 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/dsa/dsa_ossl.c 2019-02-28 11:30:06.800745781 +0100
+diff -up openssl-1.1.1e/crypto/dsa/dsa_ossl.c.fips openssl-1.1.1e/crypto/dsa/dsa_ossl.c
+--- openssl-1.1.1e/crypto/dsa/dsa_ossl.c.fips 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/crypto/dsa/dsa_ossl.c 2020-03-19 17:11:22.037994064 +0100
@@ -14,6 +14,9 @@
#include <openssl/sha.h>
- #include "dsa_locl.h"
+ #include "dsa_local.h"
#include <openssl/asn1.h>
+#ifdef OPENSSL_FIPS
+# include <openssl/fips.h>
@@ -659,7 +661,7 @@ diff -up openssl-1.1.1b/crypto/dsa/dsa_ossl.c.fips openssl-1.1.1b/crypto/dsa/dsa
static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa);
static int dsa_sign_setup_no_digest(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
-@@ -73,6 +76,19 @@ static DSA_SIG *dsa_do_sign(const unsign
+@@ -77,6 +80,19 @@ static DSA_SIG *dsa_do_sign(const unsign
goto err;
}
@@ -679,7 +681,7 @@ diff -up openssl-1.1.1b/crypto/dsa/dsa_ossl.c.fips openssl-1.1.1b/crypto/dsa/dsa
ret = DSA_SIG_new();
if (ret == NULL)
goto err;
-@@ -301,6 +317,18 @@ static int dsa_do_verify(const unsigned
+@@ -315,6 +331,18 @@ static int dsa_do_verify(const unsigned
DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_BAD_Q_VALUE);
return -1;
}
@@ -698,7 +700,7 @@ diff -up openssl-1.1.1b/crypto/dsa/dsa_ossl.c.fips openssl-1.1.1b/crypto/dsa/dsa
if (BN_num_bits(dsa->p) > OPENSSL_DSA_MAX_MODULUS_BITS) {
DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_MODULUS_TOO_LARGE);
-@@ -389,6 +417,9 @@ static int dsa_do_verify(const unsigned
+@@ -403,6 +431,9 @@ static int dsa_do_verify(const unsigned
static int dsa_init(DSA *dsa)
{
@@ -708,9 +710,9 @@ diff -up openssl-1.1.1b/crypto/dsa/dsa_ossl.c.fips openssl-1.1.1b/crypto/dsa/dsa
dsa->flags |= DSA_FLAG_CACHE_MONT_P;
return 1;
}
-diff -up openssl-1.1.1b/crypto/dsa/dsa_pmeth.c.fips openssl-1.1.1b/crypto/dsa/dsa_pmeth.c
---- openssl-1.1.1b/crypto/dsa/dsa_pmeth.c.fips 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/dsa/dsa_pmeth.c 2019-02-28 11:30:06.800745781 +0100
+diff -up openssl-1.1.1e/crypto/dsa/dsa_pmeth.c.fips openssl-1.1.1e/crypto/dsa/dsa_pmeth.c
+--- openssl-1.1.1e/crypto/dsa/dsa_pmeth.c.fips 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/crypto/dsa/dsa_pmeth.c 2020-03-17 17:30:52.025567409 +0100
@@ -211,8 +211,8 @@ static int pkey_dsa_paramgen(EVP_PKEY_CT
BN_GENCB_free(pcb);
return 0;
@@ -731,12 +733,12 @@ diff -up openssl-1.1.1b/crypto/dsa/dsa_pmeth.c.fips openssl-1.1.1b/crypto/dsa/ds
pkey_dsa_init,
pkey_dsa_copy,
pkey_dsa_cleanup,
-diff -up openssl-1.1.1b/crypto/ec/ecdh_ossl.c.fips openssl-1.1.1b/crypto/ec/ecdh_ossl.c
---- openssl-1.1.1b/crypto/ec/ecdh_ossl.c.fips 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/ec/ecdh_ossl.c 2019-02-28 11:30:06.801745763 +0100
+diff -up openssl-1.1.1e/crypto/ec/ecdh_ossl.c.fips openssl-1.1.1e/crypto/ec/ecdh_ossl.c
+--- openssl-1.1.1e/crypto/ec/ecdh_ossl.c.fips 2020-03-17 17:30:52.025567409 +0100
++++ openssl-1.1.1e/crypto/ec/ecdh_ossl.c 2020-03-17 18:01:24.704530440 +0100
@@ -19,9 +19,20 @@
#include <openssl/ec.h>
- #include "ec_lcl.h"
+ #include "ec_local.h"
+#ifdef OPENSSL_FIPS
+# include <openssl/fips.h>
@@ -755,12 +757,12 @@ diff -up openssl-1.1.1b/crypto/ec/ecdh_ossl.c.fips openssl-1.1.1b/crypto/ec/ecdh
if (ecdh->group->meth->ecdh_compute_key == NULL) {
ECerr(EC_F_OSSL_ECDH_COMPUTE_KEY, EC_R_CURVE_DOES_NOT_SUPPORT_ECDH);
return 0;
-diff -up openssl-1.1.1b/crypto/ec/ecdsa_ossl.c.fips openssl-1.1.1b/crypto/ec/ecdsa_ossl.c
---- openssl-1.1.1b/crypto/ec/ecdsa_ossl.c.fips 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/ec/ecdsa_ossl.c 2019-02-28 11:30:06.801745763 +0100
+diff -up openssl-1.1.1e/crypto/ec/ecdsa_ossl.c.fips openssl-1.1.1e/crypto/ec/ecdsa_ossl.c
+--- openssl-1.1.1e/crypto/ec/ecdsa_ossl.c.fips 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/crypto/ec/ecdsa_ossl.c 2020-03-17 18:01:41.642234061 +0100
@@ -14,6 +14,10 @@
- #include "internal/bn_int.h"
- #include "ec_lcl.h"
+ #include "crypto/bn.h"
+ #include "ec_local.h"
+#ifdef OPENSSL_FIPS
+# include <openssl/fips.h>
@@ -769,7 +771,7 @@ diff -up openssl-1.1.1b/crypto/ec/ecdsa_ossl.c.fips openssl-1.1.1b/crypto/ec/ecd
int ossl_ecdsa_sign(int type, const unsigned char *dgst, int dlen,
unsigned char *sig, unsigned int *siglen,
const BIGNUM *kinv, const BIGNUM *r, EC_KEY *eckey)
-@@ -159,6 +163,13 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const uns
+@@ -163,6 +167,13 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const uns
ECDSA_SIG *ret;
const BIGNUM *priv_key;
@@ -783,7 +785,7 @@ diff -up openssl-1.1.1b/crypto/ec/ecdsa_ossl.c.fips openssl-1.1.1b/crypto/ec/ecd
group = EC_KEY_get0_group(eckey);
priv_key = EC_KEY_get0_private_key(eckey);
-@@ -317,6 +328,13 @@ int ossl_ecdsa_verify_sig(const unsigned
+@@ -325,6 +336,13 @@ int ossl_ecdsa_verify_sig(const unsigned
const EC_GROUP *group;
const EC_POINT *pub_key;
@@ -797,9 +799,9 @@ diff -up openssl-1.1.1b/crypto/ec/ecdsa_ossl.c.fips openssl-1.1.1b/crypto/ec/ecd
/* check input values */
if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL ||
(pub_key = EC_KEY_get0_public_key(eckey)) == NULL || sig == NULL) {
-diff -up openssl-1.1.1b/crypto/ec/ec_key.c.fips openssl-1.1.1b/crypto/ec/ec_key.c
---- openssl-1.1.1b/crypto/ec/ec_key.c.fips 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/ec/ec_key.c 2019-02-28 11:30:06.802745744 +0100
+diff -up openssl-1.1.1e/crypto/ec/ec_key.c.fips openssl-1.1.1e/crypto/ec/ec_key.c
+--- openssl-1.1.1e/crypto/ec/ec_key.c.fips 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/crypto/ec/ec_key.c 2020-03-17 17:30:52.026567392 +0100
@@ -178,14 +178,62 @@ ENGINE *EC_KEY_get0_engine(const EC_KEY
return eckey->engine;
}
@@ -807,7 +809,7 @@ diff -up openssl-1.1.1b/crypto/ec/ec_key.c.fips openssl-1.1.1b/crypto/ec/ec_key.
+#ifdef OPENSSL_FIPS
+
+# include <openssl/fips.h>
-+# include "internal/fips_int.h"
++# include "crypto/fips.h"
+
+static int fips_check_ec(EC_KEY *key)
+{
@@ -865,10 +867,10 @@ diff -up openssl-1.1.1b/crypto/ec/ec_key.c.fips openssl-1.1.1b/crypto/ec/ec_key.
ECerr(EC_F_EC_KEY_GENERATE_KEY, EC_R_OPERATION_NOT_SUPPORTED);
return 0;
}
-diff -up openssl-1.1.1b/crypto/ec/ec_pmeth.c.fips openssl-1.1.1b/crypto/ec/ec_pmeth.c
---- openssl-1.1.1b/crypto/ec/ec_pmeth.c.fips 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/ec/ec_pmeth.c 2019-05-06 14:47:34.651077251 +0200
-@@ -434,7 +434,7 @@ static int pkey_ec_keygen(EVP_PKEY_CTX *
+diff -up openssl-1.1.1e/crypto/ec/ec_pmeth.c.fips openssl-1.1.1e/crypto/ec/ec_pmeth.c
+--- openssl-1.1.1e/crypto/ec/ec_pmeth.c.fips 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/crypto/ec/ec_pmeth.c 2020-03-17 17:30:52.026567392 +0100
+@@ -438,7 +438,7 @@ static int pkey_ec_keygen(EVP_PKEY_CTX *
const EVP_PKEY_METHOD ec_pkey_meth = {
EVP_PKEY_EC,
@@ -877,135 +879,13 @@ diff -up openssl-1.1.1b/crypto/ec/ec_pmeth.c.fips openssl-1.1.1b/crypto/ec/ec_pm
pkey_ec_init,
pkey_ec_copy,
pkey_ec_cleanup,
-diff -up openssl-1.1.1b/crypto/evp/c_allc.c.fips openssl-1.1.1b/crypto/evp/c_allc.c
---- openssl-1.1.1b/crypto/evp/c_allc.c.fips 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/evp/c_allc.c 2019-02-28 11:30:06.802745744 +0100
-@@ -17,6 +17,9 @@
- void openssl_add_all_ciphers_int(void)
- {
-
-+#ifdef OPENSSL_FIPS
-+ if (!FIPS_mode()) {
-+#endif
- #ifndef OPENSSL_NO_DES
- EVP_add_cipher(EVP_des_cfb());
- EVP_add_cipher(EVP_des_cfb1());
-@@ -263,4 +266,70 @@ void openssl_add_all_ciphers_int(void)
- EVP_add_cipher(EVP_chacha20_poly1305());
- # endif
- #endif
-+#ifdef OPENSSL_FIPS
-+ } else {
-+# ifndef OPENSSL_NO_DES
-+ EVP_add_cipher(EVP_des_ede3_cfb());
-+
-+ EVP_add_cipher(EVP_des_ede3_ofb());
-+
-+ EVP_add_cipher(EVP_des_ede3_cbc());
-+ EVP_add_cipher_alias(SN_des_ede3_cbc, "DES3");
-+ EVP_add_cipher_alias(SN_des_ede3_cbc, "des3");
-+
-+ EVP_add_cipher(EVP_des_ede3());
-+ EVP_add_cipher_alias(SN_des_ede3_ecb, "DES-EDE3-ECB");
-+ EVP_add_cipher_alias(SN_des_ede3_ecb, "des-ede3-ecb");
-+ EVP_add_cipher(EVP_des_ede3_wrap());
-+ EVP_add_cipher_alias(SN_id_smime_alg_CMS3DESwrap, "des3-wrap");
-+# endif
-+
-+# ifndef OPENSSL_NO_AES
-+ EVP_add_cipher(EVP_aes_128_ecb());
-+ EVP_add_cipher(EVP_aes_128_cbc());
-+ EVP_add_cipher(EVP_aes_128_cfb());
-+ EVP_add_cipher(EVP_aes_128_cfb1());
-+ EVP_add_cipher(EVP_aes_128_cfb8());
-+ EVP_add_cipher(EVP_aes_128_ofb());
-+ EVP_add_cipher(EVP_aes_128_ctr());
-+ EVP_add_cipher(EVP_aes_128_gcm());
-+ EVP_add_cipher(EVP_aes_128_xts());
-+ EVP_add_cipher(EVP_aes_128_ccm());
-+ EVP_add_cipher(EVP_aes_128_wrap());
-+ EVP_add_cipher_alias(SN_id_aes128_wrap, "aes128-wrap");
-+ EVP_add_cipher(EVP_aes_128_wrap_pad());
-+ EVP_add_cipher_alias(SN_aes_128_cbc, "AES128");
-+ EVP_add_cipher_alias(SN_aes_128_cbc, "aes128");
-+ EVP_add_cipher(EVP_aes_192_ecb());
-+ EVP_add_cipher(EVP_aes_192_cbc());
-+ EVP_add_cipher(EVP_aes_192_cfb());
-+ EVP_add_cipher(EVP_aes_192_cfb1());
-+ EVP_add_cipher(EVP_aes_192_cfb8());
-+ EVP_add_cipher(EVP_aes_192_ofb());
-+ EVP_add_cipher(EVP_aes_192_ctr());
-+ EVP_add_cipher(EVP_aes_192_gcm());
-+ EVP_add_cipher(EVP_aes_192_ccm());
-+ EVP_add_cipher(EVP_aes_192_wrap());
-+ EVP_add_cipher_alias(SN_id_aes192_wrap, "aes192-wrap");
-+ EVP_add_cipher(EVP_aes_192_wrap_pad());
-+ EVP_add_cipher_alias(SN_aes_192_cbc, "AES192");
-+ EVP_add_cipher_alias(SN_aes_192_cbc, "aes192");
-+ EVP_add_cipher(EVP_aes_256_ecb());
-+ EVP_add_cipher(EVP_aes_256_cbc());
-+ EVP_add_cipher(EVP_aes_256_cfb());
-+ EVP_add_cipher(EVP_aes_256_cfb1());
-+ EVP_add_cipher(EVP_aes_256_cfb8());
-+ EVP_add_cipher(EVP_aes_256_ofb());
-+ EVP_add_cipher(EVP_aes_256_ctr());
-+ EVP_add_cipher(EVP_aes_256_gcm());
-+ EVP_add_cipher(EVP_aes_256_xts());
-+ EVP_add_cipher(EVP_aes_256_ccm());
-+ EVP_add_cipher(EVP_aes_256_wrap());
-+ EVP_add_cipher_alias(SN_id_aes256_wrap, "aes256-wrap");
-+ EVP_add_cipher(EVP_aes_256_wrap_pad());
-+ EVP_add_cipher_alias(SN_aes_256_cbc, "AES256");
-+ EVP_add_cipher_alias(SN_aes_256_cbc, "aes256");
-+# endif
-+ }
-+#endif
- }
-diff -up openssl-1.1.1b/crypto/evp/c_alld.c.fips openssl-1.1.1b/crypto/evp/c_alld.c
---- openssl-1.1.1b/crypto/evp/c_alld.c.fips 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/evp/c_alld.c 2019-02-28 11:30:06.803745726 +0100
-@@ -16,6 +16,9 @@
-
- void openssl_add_all_digests_int(void)
- {
-+#ifdef OPENSSL_FIPS
-+ if (!FIPS_mode()) {
-+#endif
- #ifndef OPENSSL_NO_MD4
- EVP_add_digest(EVP_md4());
- #endif
-@@ -57,4 +60,24 @@ void openssl_add_all_digests_int(void)
- EVP_add_digest(EVP_sha3_512());
- EVP_add_digest(EVP_shake128());
- EVP_add_digest(EVP_shake256());
-+#ifdef OPENSSL_FIPS
-+ } else {
-+ EVP_add_digest(EVP_md5_sha1());
-+ EVP_add_digest(EVP_sha1());
-+ EVP_add_digest_alias(SN_sha1, "ssl3-sha1");
-+ EVP_add_digest_alias(SN_sha1WithRSAEncryption, SN_sha1WithRSA);
-+ EVP_add_digest(EVP_sha224());
-+ EVP_add_digest(EVP_sha256());
-+ EVP_add_digest(EVP_sha384());
-+ EVP_add_digest(EVP_sha512());
-+ EVP_add_digest(EVP_sha512_224());
-+ EVP_add_digest(EVP_sha512_256());
-+ EVP_add_digest(EVP_sha3_224());
-+ EVP_add_digest(EVP_sha3_256());
-+ EVP_add_digest(EVP_sha3_384());
-+ EVP_add_digest(EVP_sha3_512());
-+ EVP_add_digest(EVP_shake128());
-+ EVP_add_digest(EVP_shake256());
-+ }
-+#endif
- }
-diff -up openssl-1.1.1c/crypto/evp/digest.c.fips openssl-1.1.1c/crypto/evp/digest.c
---- openssl-1.1.1c/crypto/evp/digest.c.fips 2019-05-28 15:12:21.000000000 +0200
-+++ openssl-1.1.1c/crypto/evp/digest.c 2019-05-29 15:47:59.220499971 +0200
+diff -up openssl-1.1.1e/crypto/evp/digest.c.fips openssl-1.1.1e/crypto/evp/digest.c
+--- openssl-1.1.1e/crypto/evp/digest.c.fips 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/crypto/evp/digest.c 2020-03-17 17:38:57.528093469 +0100
@@ -14,6 +14,9 @@
#include <openssl/engine.h>
- #include "internal/evp_int.h"
- #include "evp_locl.h"
+ #include "crypto/evp.h"
+ #include "evp_local.h"
+#ifdef OPENSSL_FIPS
+# include <openssl/fips.h>
+#endif
@@ -1062,95 +942,28 @@ diff -up openssl-1.1.1c/crypto/evp/digest.c.fips openssl-1.1.1c/crypto/evp/diges
OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE);
ret = ctx->digest->final(ctx, md);
if (size != NULL)
-diff -up openssl-1.1.1b/crypto/evp/e_aes.c.fips openssl-1.1.1b/crypto/evp/e_aes.c
---- openssl-1.1.1b/crypto/evp/e_aes.c.fips 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/evp/e_aes.c 2019-05-06 16:32:41.631668333 +0200
-@@ -387,22 +387,33 @@ static int aesni_xts_init_key(EVP_CIPHER
- return 1;
-
- if (key) {
-+ /* The key is two half length keys in reality */
-+ const int bytes = EVP_CIPHER_CTX_key_length(ctx) / 2;
-+ const int bits = bytes * 8;
-+
-+ /*
-+ * Verify that the two keys are different.
-+ *
-+ * This addresses Rogaway's vulnerability.
-+ * See comment in aes_xts_init_key() below.
-+ */
-+ if (memcmp(key, key + bytes, bytes) == 0) {
-+ EVPerr(EVP_F_AESNI_XTS_INIT_KEY, EVP_R_XTS_DUPLICATED_KEYS);
-+ return 0;
-+ }
-+
- /* key_len is two AES keys */
- if (enc) {
-- aesni_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 4,
-- &xctx->ks1.ks);
-+ aesni_set_encrypt_key(key, bits, &xctx->ks1.ks);
- xctx->xts.block1 = (block128_f) aesni_encrypt;
- xctx->stream = aesni_xts_encrypt;
- } else {
-- aesni_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 4,
-- &xctx->ks1.ks);
-+ aesni_set_decrypt_key(key, bits, &xctx->ks1.ks);
- xctx->xts.block1 = (block128_f) aesni_decrypt;
- xctx->stream = aesni_xts_decrypt;
+diff -up openssl-1.1.1e/crypto/evp/e_aes.c.fips openssl-1.1.1e/crypto/evp/e_aes.c
+--- openssl-1.1.1e/crypto/evp/e_aes.c.fips 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/crypto/evp/e_aes.c 2020-03-17 17:30:52.028567357 +0100
+@@ -397,7 +397,7 @@ static int aesni_xts_init_key(EVP_CIPHER
+ * This addresses Rogaway's vulnerability.
+ * See comment in aes_xts_init_key() below.
+ */
+- if (enc && CRYPTO_memcmp(key, key + bytes, bytes) == 0) {
++ if (CRYPTO_memcmp(key, key + bytes, bytes) == 0) {
+ EVPerr(EVP_F_AESNI_XTS_INIT_KEY, EVP_R_XTS_DUPLICATED_KEYS);
+ return 0;
}
-
-- aesni_set_encrypt_key(key + EVP_CIPHER_CTX_key_length(ctx) / 2,
-- EVP_CIPHER_CTX_key_length(ctx) * 4,
-- &xctx->ks2.ks);
-+ aesni_set_encrypt_key(key + bytes, bits, &xctx->ks2.ks);
- xctx->xts.block2 = (block128_f) aesni_encrypt;
-
- xctx->xts.key1 = &xctx->ks1;
-@@ -791,7 +802,21 @@ static int aes_t4_xts_init_key(EVP_CIPHE
- return 1;
-
- if (key) {
-- int bits = EVP_CIPHER_CTX_key_length(ctx) * 4;
-+ /* The key is two half length keys in reality */
-+ const int bytes = EVP_CIPHER_CTX_key_length(ctx) / 2;
-+ const int bits = bytes * 8;
-+
-+ /*
-+ * Verify that the two keys are different.
-+ *
-+ * This addresses Rogaway's vulnerability.
-+ * See comment in aes_xts_init_key() below.
-+ */
-+ if (memcmp(key, key + bytes, bytes) == 0) {
-+ EVPerr(EVP_F_AES_T4_XTS_INIT_KEY, EVP_R_XTS_DUPLICATED_KEYS);
-+ return 0;
-+ }
-+
- xctx->stream = NULL;
- /* key_len is two AES keys */
- if (enc) {
-@@ -808,8 +833,7 @@ static int aes_t4_xts_init_key(EVP_CIPHE
- return 0;
- }
- } else {
-- aes_t4_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 4,
-- &xctx->ks1.ks);
-+ aes_t4_set_decrypt_key(key, bits, &xctx->ks1.ks);
- xctx->xts.block1 = (block128_f) aes_t4_decrypt;
- switch (bits) {
- case 128:
-@@ -823,9 +847,7 @@ static int aes_t4_xts_init_key(EVP_CIPHE
- }
+@@ -817,7 +817,7 @@ static int aes_t4_xts_init_key(EVP_CIPHE
+ * This addresses Rogaway's vulnerability.
+ * See comment in aes_xts_init_key() below.
+ */
+- if (enc && CRYPTO_memcmp(key, key + bytes, bytes) == 0) {
++ if (CRYPTO_memcmp(key, key + bytes, bytes) == 0) {
+ EVPerr(EVP_F_AES_T4_XTS_INIT_KEY, EVP_R_XTS_DUPLICATED_KEYS);
+ return 0;
}
-
-- aes_t4_set_encrypt_key(key + EVP_CIPHER_CTX_key_length(ctx) / 2,
-- EVP_CIPHER_CTX_key_length(ctx) * 4,
-- &xctx->ks2.ks);
-+ aes_t4_set_encrypt_key(key + bytes, bits, &xctx->ks2.ks);
- xctx->xts.block2 = (block128_f) aes_t4_encrypt;
-
- xctx->xts.key1 = &xctx->ks1;
-@@ -2794,9 +2816,9 @@ static int aes_ctr_cipher(EVP_CIPHER_CTX
+@@ -2833,9 +2833,9 @@ static int aes_ctr_cipher(EVP_CIPHER_CTX
return 1;
}
@@ -1163,7 +976,7 @@ diff -up openssl-1.1.1b/crypto/evp/e_aes.c.fips openssl-1.1.1b/crypto/evp/e_aes.
static int aes_gcm_cleanup(EVP_CIPHER_CTX *c)
{
-@@ -2826,6 +2848,11 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *
+@@ -2869,6 +2869,11 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *
case EVP_CTRL_AEAD_SET_IVLEN:
if (arg <= 0)
return 0;
@@ -1175,8 +988,8 @@ diff -up openssl-1.1.1b/crypto/evp/e_aes.c.fips openssl-1.1.1b/crypto/evp/e_aes.
/* Allocate memory for IV if needed */
if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen)) {
if (gctx->iv != c->iv)
-@@ -3275,11 +3302,14 @@ static int aes_gcm_cipher(EVP_CIPHER_CTX
- | EVP_CIPH_CUSTOM_COPY)
+@@ -3318,11 +3323,14 @@ static int aes_gcm_cipher(EVP_CIPHER_CTX
+ | EVP_CIPH_CUSTOM_COPY | EVP_CIPH_CUSTOM_IV_LENGTH)
BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, gcm, GCM,
- EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
@@ -1193,123 +1006,16 @@ diff -up openssl-1.1.1b/crypto/evp/e_aes.c.fips openssl-1.1.1b/crypto/evp/e_aes.
static int aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
{
-@@ -3313,8 +3343,33 @@ static int aes_xts_init_key(EVP_CIPHER_C
- if (!iv && !key)
- return 1;
-
-- if (key)
-+ if (key) {
- do {
-+ /* The key is two half length keys in reality */
-+ const int bytes = EVP_CIPHER_CTX_key_length(ctx) / 2;
-+ const int bits = bytes * 8;
-+
-+ /*
-+ * Verify that the two keys are different.
-+ *
-+ * This addresses the vulnerability described in Rogaway's
-+ * September 2004 paper:
-+ *
-+ * "Efficient Instantiations of Tweakable Blockciphers and
-+ * Refinements to Modes OCB and PMAC".
-+ * (http://web.cs.ucdavis.edu/~rogaway/papers/offsets.pdf)
-+ *
-+ * FIPS 140-2 IG A.9 XTS-AES Key Generation Requirements states
-+ * that:
-+ * "The check for Key_1 != Key_2 shall be done at any place
-+ * BEFORE using the keys in the XTS-AES algorithm to process
-+ * data with them."
-+ */
-+ if (memcmp(key, key + bytes, bytes) == 0) {
-+ EVPerr(EVP_F_AES_XTS_INIT_KEY, EVP_R_XTS_DUPLICATED_KEYS);
-+ return 0;
-+ }
-+
- #ifdef AES_XTS_ASM
- xctx->stream = enc ? AES_xts_encrypt : AES_xts_decrypt;
- #else
-@@ -3324,26 +3379,20 @@ static int aes_xts_init_key(EVP_CIPHER_C
- #ifdef HWAES_CAPABLE
- if (HWAES_CAPABLE) {
- if (enc) {
-- HWAES_set_encrypt_key(key,
-- EVP_CIPHER_CTX_key_length(ctx) * 4,
-- &xctx->ks1.ks);
-+ HWAES_set_encrypt_key(key, bits, &xctx->ks1.ks);
- xctx->xts.block1 = (block128_f) HWAES_encrypt;
- # ifdef HWAES_xts_encrypt
- xctx->stream = HWAES_xts_encrypt;
- # endif
- } else {
-- HWAES_set_decrypt_key(key,
-- EVP_CIPHER_CTX_key_length(ctx) * 4,
-- &xctx->ks1.ks);
-+ HWAES_set_decrypt_key(key, bits, &xctx->ks1.ks);
- xctx->xts.block1 = (block128_f) HWAES_decrypt;
- # ifdef HWAES_xts_decrypt
- xctx->stream = HWAES_xts_decrypt;
- #endif
- }
-
-- HWAES_set_encrypt_key(key + EVP_CIPHER_CTX_key_length(ctx) / 2,
-- EVP_CIPHER_CTX_key_length(ctx) * 4,
-- &xctx->ks2.ks);
-+ HWAES_set_encrypt_key(key + bytes, bits, &xctx->ks2.ks);
- xctx->xts.block2 = (block128_f) HWAES_encrypt;
-
- xctx->xts.key1 = &xctx->ks1;
-@@ -3358,20 +3407,14 @@ static int aes_xts_init_key(EVP_CIPHER_C
- #ifdef VPAES_CAPABLE
- if (VPAES_CAPABLE) {
- if (enc) {
-- vpaes_set_encrypt_key(key,
-- EVP_CIPHER_CTX_key_length(ctx) * 4,
-- &xctx->ks1.ks);
-+ vpaes_set_encrypt_key(key, bits, &xctx->ks1.ks);
- xctx->xts.block1 = (block128_f) vpaes_encrypt;
- } else {
-- vpaes_set_decrypt_key(key,
-- EVP_CIPHER_CTX_key_length(ctx) * 4,
-- &xctx->ks1.ks);
-+ vpaes_set_decrypt_key(key, bits, &xctx->ks1.ks);
- xctx->xts.block1 = (block128_f) vpaes_decrypt;
- }
-
-- vpaes_set_encrypt_key(key + EVP_CIPHER_CTX_key_length(ctx) / 2,
-- EVP_CIPHER_CTX_key_length(ctx) * 4,
-- &xctx->ks2.ks);
-+ vpaes_set_encrypt_key(key + bytes, bits, &xctx->ks2.ks);
- xctx->xts.block2 = (block128_f) vpaes_encrypt;
-
- xctx->xts.key1 = &xctx->ks1;
-@@ -3381,22 +3424,19 @@ static int aes_xts_init_key(EVP_CIPHER_C
- (void)0; /* terminate potentially open 'else' */
-
- if (enc) {
-- AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 4,
-- &xctx->ks1.ks);
-+ AES_set_encrypt_key(key, bits, &xctx->ks1.ks);
- xctx->xts.block1 = (block128_f) AES_encrypt;
- } else {
-- AES_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 4,
-- &xctx->ks1.ks);
-+ AES_set_decrypt_key(key, bits, &xctx->ks1.ks);
- xctx->xts.block1 = (block128_f) AES_decrypt;
+@@ -3380,7 +3388,7 @@ static int aes_xts_init_key(EVP_CIPHER_C
+ * BEFORE using the keys in the XTS-AES algorithm to process
+ * data with them."
+ */
+- if (enc && CRYPTO_memcmp(key, key + bytes, bytes) == 0) {
++ if (CRYPTO_memcmp(key, key + bytes, bytes) == 0) {
+ EVPerr(EVP_F_AES_XTS_INIT_KEY, EVP_R_XTS_DUPLICATED_KEYS);
+ return 0;
}
-
-- AES_set_encrypt_key(key + EVP_CIPHER_CTX_key_length(ctx) / 2,
-- EVP_CIPHER_CTX_key_length(ctx) * 4,
-- &xctx->ks2.ks);
-+ AES_set_encrypt_key(key + bytes, bits, &xctx->ks2.ks);
- xctx->xts.block2 = (block128_f) AES_encrypt;
-
- xctx->xts.key1 = &xctx->ks1;
- } while (0);
-+ }
-
- if (iv) {
- xctx->xts.key2 = &xctx->ks2;
-@@ -3414,6 +3454,14 @@ static int aes_xts_cipher(EVP_CIPHER_CTX
+@@ -3484,6 +3492,14 @@ static int aes_xts_cipher(EVP_CIPHER_CTX
return 0;
if (!out || !in || len < AES_BLOCK_SIZE)
return 0;
@@ -1324,7 +1030,7 @@ diff -up openssl-1.1.1b/crypto/evp/e_aes.c.fips openssl-1.1.1b/crypto/evp/e_aes.
if (xctx->stream)
(*xctx->stream) (in, out, len,
xctx->xts.key1, xctx->xts.key2,
-@@ -3431,8 +3479,10 @@ static int aes_xts_cipher(EVP_CIPHER_CTX
+@@ -3501,8 +3517,10 @@ static int aes_xts_cipher(EVP_CIPHER_CTX
| EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \
| EVP_CIPH_CUSTOM_COPY)
@@ -1337,7 +1043,7 @@ diff -up openssl-1.1.1b/crypto/evp/e_aes.c.fips openssl-1.1.1b/crypto/evp/e_aes.
static int aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
{
-@@ -3697,11 +3747,11 @@ static int aes_ccm_cipher(EVP_CIPHER_CTX
+@@ -3772,11 +3790,11 @@ static int aes_ccm_cipher(EVP_CIPHER_CTX
#define aes_ccm_cleanup NULL
BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, ccm, CCM,
@@ -1352,7 +1058,7 @@ diff -up openssl-1.1.1b/crypto/evp/e_aes.c.fips openssl-1.1.1b/crypto/evp/e_aes.
typedef struct {
union {
-@@ -3794,7 +3844,7 @@ static int aes_wrap_cipher(EVP_CIPHER_CT
+@@ -3869,7 +3887,7 @@ static int aes_wrap_cipher(EVP_CIPHER_CT
return rv ? (int)rv : -1;
}
@@ -1361,9 +1067,9 @@ diff -up openssl-1.1.1b/crypto/evp/e_aes.c.fips openssl-1.1.1b/crypto/evp/e_aes.
| EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
| EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_FLAG_DEFAULT_ASN1)
-diff -up openssl-1.1.1b/crypto/evp/e_des3.c.fips openssl-1.1.1b/crypto/evp/e_des3.c
---- openssl-1.1.1b/crypto/evp/e_des3.c.fips 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/evp/e_des3.c 2019-02-28 11:30:06.804745707 +0100
+diff -up openssl-1.1.1e/crypto/evp/e_des3.c.fips openssl-1.1.1e/crypto/evp/e_des3.c
+--- openssl-1.1.1e/crypto/evp/e_des3.c.fips 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/crypto/evp/e_des3.c 2020-03-17 17:30:52.029567340 +0100
@@ -211,16 +211,19 @@ BLOCK_CIPHER_defs(des_ede, DES_EDE_KEY,
# define des_ede3_cbc_cipher des_ede_cbc_cipher
# define des_ede3_ecb_cipher des_ede_ecb_cipher
@@ -1390,9 +1096,9 @@ diff -up openssl-1.1.1b/crypto/evp/e_des3.c.fips openssl-1.1.1b/crypto/evp/e_des
static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
const unsigned char *iv, int enc)
-diff -up openssl-1.1.1b/crypto/evp/e_null.c.fips openssl-1.1.1b/crypto/evp/e_null.c
---- openssl-1.1.1b/crypto/evp/e_null.c.fips 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/evp/e_null.c 2019-02-28 11:30:06.805745688 +0100
+diff -up openssl-1.1.1e/crypto/evp/e_null.c.fips openssl-1.1.1e/crypto/evp/e_null.c
+--- openssl-1.1.1e/crypto/evp/e_null.c.fips 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/crypto/evp/e_null.c 2020-03-17 17:30:52.029567340 +0100
@@ -19,7 +19,8 @@ static int null_cipher(EVP_CIPHER_CTX *c
const unsigned char *in, size_t inl);
static const EVP_CIPHER n_cipher = {
@@ -1403,30 +1109,28 @@ diff -up openssl-1.1.1b/crypto/evp/e_null.c.fips openssl-1.1.1b/crypto/evp/e_nul
null_init_key,
null_cipher,
NULL,
-diff -up openssl-1.1.1b/crypto/evp/evp_enc.c.fips openssl-1.1.1b/crypto/evp/evp_enc.c
---- openssl-1.1.1b/crypto/evp/evp_enc.c.fips 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/evp/evp_enc.c 2019-02-28 11:30:06.805745688 +0100
-@@ -17,10 +17,19 @@
+diff -up openssl-1.1.1e/crypto/evp/evp_enc.c.fips openssl-1.1.1e/crypto/evp/evp_enc.c
+--- openssl-1.1.1e/crypto/evp/evp_enc.c.fips 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/crypto/evp/evp_enc.c 2020-03-17 17:39:52.663129373 +0100
+@@ -17,9 +17,18 @@
#include <openssl/engine.h>
- #include "internal/evp_int.h"
- #include "evp_locl.h"
+ #include "crypto/evp.h"
+ #include "evp_local.h"
+#ifdef OPENSSL_FIPS
+# include <openssl/fips.h>
+#endif
int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX *c)
{
-- if (c == NULL)
+#ifdef OPENSSL_FIPS
+ if (FIPS_selftest_failed()) {
+ FIPSerr(FIPS_F_EVP_CIPHER_CTX_RESET, FIPS_R_FIPS_SELFTEST_FAILED);
+ return 0;
+ }
+#endif
-+ if (c == NULL)
+ if (c == NULL)
return 1;
if (c->cipher != NULL) {
- if (c->cipher->cleanup && !c->cipher->cleanup(c))
@@ -39,6 +48,12 @@ int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX
EVP_CIPHER_CTX *EVP_CIPHER_CTX_new(void)
@@ -1481,27 +1185,18 @@ diff -up openssl-1.1.1b/crypto/evp/evp_enc.c.fips openssl-1.1.1b/crypto/evp/evp_
if (key || (ctx->cipher->flags & EVP_CIPH_ALWAYS_CALL_INIT)) {
if (!ctx->cipher->init(ctx, key, iv, enc))
-diff -up openssl-1.1.1b/crypto/evp/evp_err.c.fips openssl-1.1.1b/crypto/evp/evp_err.c
---- openssl-1.1.1b/crypto/evp/evp_err.c.fips 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/evp/evp_err.c 2019-05-06 16:41:08.565739361 +0200
-@@ -15,11 +15,16 @@
-
- static const ERR_STRING_DATA EVP_str_functs[] = {
- {ERR_PACK(ERR_LIB_EVP, EVP_F_AESNI_INIT_KEY, 0), "aesni_init_key"},
-+ {ERR_PACK(ERR_LIB_EVP, EVP_F_AESNI_XTS_INIT_KEY, 0), "aesni_xts_init_key"},
- {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_GCM_CTRL, 0), "aes_gcm_ctrl"},
- {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_INIT_KEY, 0), "aes_init_key"},
- {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_OCB_CIPHER, 0), "aes_ocb_cipher"},
- {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_T4_INIT_KEY, 0), "aes_t4_init_key"},
-+ {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_T4_XTS_INIT_KEY, 0),
-+ "aes_t4_xts_init_key"},
+diff -up openssl-1.1.1e/crypto/evp/evp_err.c.fips openssl-1.1.1e/crypto/evp/evp_err.c
+--- openssl-1.1.1e/crypto/evp/evp_err.c.fips 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/crypto/evp/evp_err.c 2020-03-17 17:30:52.030567322 +0100
+@@ -23,6 +23,7 @@ static const ERR_STRING_DATA EVP_str_fun
+ {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_T4_XTS_INIT_KEY, 0),
+ "aes_t4_xts_init_key"},
{ERR_PACK(ERR_LIB_EVP, EVP_F_AES_WRAP_CIPHER, 0), "aes_wrap_cipher"},
+ {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_XTS_CIPHER, 0), "aes_xts_cipher"},
-+ {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_XTS_INIT_KEY, 0), "aes_xts_init_key"},
+ {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_XTS_INIT_KEY, 0), "aes_xts_init_key"},
{ERR_PACK(ERR_LIB_EVP, EVP_F_ALG_MODULE_INIT, 0), "alg_module_init"},
{ERR_PACK(ERR_LIB_EVP, EVP_F_ARIA_CCM_INIT_KEY, 0), "aria_ccm_init_key"},
- {ERR_PACK(ERR_LIB_EVP, EVP_F_ARIA_GCM_CTRL, 0), "aria_gcm_ctrl"},
-@@ -179,6 +180,7 @@ static const ERR_STRING_DATA EVP_str_rea
+@@ -186,6 +187,7 @@ static const ERR_STRING_DATA EVP_str_rea
"different key types"},
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_DIFFERENT_PARAMETERS),
"different parameters"},
@@ -1509,7 +1204,7 @@ diff -up openssl-1.1.1b/crypto/evp/evp_err.c.fips openssl-1.1.1b/crypto/evp/evp_
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_ERROR_LOADING_SECTION),
"error loading section"},
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_ERROR_SETTING_FIPS_MODE),
-@@ -241,6 +243,7 @@ static const ERR_STRING_DATA EVP_str_rea
+@@ -249,6 +251,7 @@ static const ERR_STRING_DATA EVP_str_rea
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PRIVATE_KEY_ENCODE_ERROR),
"private key encode error"},
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PUBLIC_KEY_NOT_RSA), "public key not rsa"},
@@ -1517,20 +1212,18 @@ diff -up openssl-1.1.1b/crypto/evp/evp_err.c.fips openssl-1.1.1b/crypto/evp/evp_
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_UNKNOWN_CIPHER), "unknown cipher"},
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_UNKNOWN_DIGEST), "unknown digest"},
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_UNKNOWN_OPTION), "unknown option"},
-@@ -266,6 +269,10 @@ static const ERR_STRING_DATA EVP_str_rea
+@@ -274,6 +277,8 @@ static const ERR_STRING_DATA EVP_str_rea
"wrap mode not allowed"},
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_WRONG_FINAL_BLOCK_LENGTH),
"wrong final block length"},
+ {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_XTS_DATA_UNIT_IS_TOO_LARGE),
+ "xts data unit is too large"},
-+ {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_XTS_DUPLICATED_KEYS),
-+ "xts duplicated keys"},
+ {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_XTS_DUPLICATED_KEYS),
+ "xts duplicated keys"},
{0, NULL}
- };
-
-diff -up openssl-1.1.1b/crypto/evp/evp_lib.c.fips openssl-1.1.1b/crypto/evp/evp_lib.c
---- openssl-1.1.1b/crypto/evp/evp_lib.c.fips 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/evp/evp_lib.c 2019-02-28 11:30:06.806745670 +0100
+diff -up openssl-1.1.1e/crypto/evp/evp_lib.c.fips openssl-1.1.1e/crypto/evp/evp_lib.c
+--- openssl-1.1.1e/crypto/evp/evp_lib.c.fips 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/crypto/evp/evp_lib.c 2020-03-17 17:30:52.030567322 +0100
@@ -192,6 +192,9 @@ int EVP_CIPHER_impl_ctx_size(const EVP_C
int EVP_Cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
const unsigned char *in, unsigned int inl)
@@ -1541,9 +1234,9 @@ diff -up openssl-1.1.1b/crypto/evp/evp_lib.c.fips openssl-1.1.1b/crypto/evp/evp_
return ctx->cipher->do_cipher(ctx, out, in, inl);
}
-diff -up openssl-1.1.1b/crypto/evp/m_sha1.c.fips openssl-1.1.1b/crypto/evp/m_sha1.c
---- openssl-1.1.1b/crypto/evp/m_sha1.c.fips 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/evp/m_sha1.c 2019-02-28 11:30:06.806745670 +0100
+diff -up openssl-1.1.1e/crypto/evp/m_sha1.c.fips openssl-1.1.1e/crypto/evp/m_sha1.c
+--- openssl-1.1.1e/crypto/evp/m_sha1.c.fips 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/crypto/evp/m_sha1.c 2020-03-17 17:30:52.030567322 +0100
@@ -95,7 +95,7 @@ static const EVP_MD sha1_md = {
NID_sha1,
NID_sha1WithRSAEncryption,
@@ -1607,10 +1300,10 @@ diff -up openssl-1.1.1b/crypto/evp/m_sha1.c.fips openssl-1.1.1b/crypto/evp/m_sha
init512,
update512,
final512,
-diff -up openssl-1.1.1b/crypto/evp/m_sha3.c.fips openssl-1.1.1b/crypto/evp/m_sha3.c
---- openssl-1.1.1b/crypto/evp/m_sha3.c.fips 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/evp/m_sha3.c 2019-05-06 16:12:23.012851747 +0200
-@@ -292,7 +292,7 @@ const EVP_MD *EVP_sha3_##bitlen(void)
+diff -up openssl-1.1.1e/crypto/evp/m_sha3.c.fips openssl-1.1.1e/crypto/evp/m_sha3.c
+--- openssl-1.1.1e/crypto/evp/m_sha3.c.fips 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/crypto/evp/m_sha3.c 2020-03-17 17:30:52.031567305 +0100
+@@ -295,7 +295,7 @@ const EVP_MD *EVP_sha3_##bitlen(void)
NID_sha3_##bitlen, \
NID_RSA_SHA3_##bitlen, \
bitlen / 8, \
@@ -1619,7 +1312,7 @@ diff -up openssl-1.1.1b/crypto/evp/m_sha3.c.fips openssl-1.1.1b/crypto/evp/m_sha
s390x_sha3_init, \
s390x_sha3_update, \
s390x_sha3_final, \
-@@ -305,7 +305,7 @@ const EVP_MD *EVP_sha3_##bitlen(void)
+@@ -308,7 +308,7 @@ const EVP_MD *EVP_sha3_##bitlen(void)
NID_sha3_##bitlen, \
NID_RSA_SHA3_##bitlen, \
bitlen / 8, \
@@ -1628,7 +1321,7 @@ diff -up openssl-1.1.1b/crypto/evp/m_sha3.c.fips openssl-1.1.1b/crypto/evp/m_sha
sha3_init, \
sha3_update, \
sha3_final, \
-@@ -326,7 +326,7 @@ const EVP_MD *EVP_shake##bitlen(void)
+@@ -329,7 +329,7 @@ const EVP_MD *EVP_shake##bitlen(void)
NID_shake##bitlen, \
0, \
bitlen / 8, \
@@ -1637,7 +1330,7 @@ diff -up openssl-1.1.1b/crypto/evp/m_sha3.c.fips openssl-1.1.1b/crypto/evp/m_sha
s390x_shake_init, \
s390x_sha3_update, \
s390x_shake_final, \
-@@ -340,7 +340,7 @@ const EVP_MD *EVP_shake##bitlen(void)
+@@ -343,7 +343,7 @@ const EVP_MD *EVP_shake##bitlen(void)
NID_shake##bitlen, \
0, \
bitlen / 8, \
@@ -1646,7 +1339,7 @@ diff -up openssl-1.1.1b/crypto/evp/m_sha3.c.fips openssl-1.1.1b/crypto/evp/m_sha
shake_init, \
sha3_update, \
sha3_final, \
-@@ -364,7 +364,7 @@ const EVP_MD *EVP_sha3_##bitlen(void)
+@@ -367,7 +367,7 @@ const EVP_MD *EVP_sha3_##bitlen(void)
NID_sha3_##bitlen, \
NID_RSA_SHA3_##bitlen, \
bitlen / 8, \
@@ -1655,7 +1348,7 @@ diff -up openssl-1.1.1b/crypto/evp/m_sha3.c.fips openssl-1.1.1b/crypto/evp/m_sha
sha3_init, \
sha3_update, \
sha3_final, \
-@@ -383,7 +383,7 @@ const EVP_MD *EVP_shake##bitlen(void)
+@@ -386,7 +386,7 @@ const EVP_MD *EVP_shake##bitlen(void)
NID_shake##bitlen, \
0, \
bitlen / 8, \
@@ -1664,9 +1357,9 @@ diff -up openssl-1.1.1b/crypto/evp/m_sha3.c.fips openssl-1.1.1b/crypto/evp/m_sha
shake_init, \
sha3_update, \
sha3_final, \
-diff -up openssl-1.1.1b/crypto/evp/pmeth_lib.c.fips openssl-1.1.1b/crypto/evp/pmeth_lib.c
---- openssl-1.1.1b/crypto/evp/pmeth_lib.c.fips 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/evp/pmeth_lib.c 2019-05-06 15:11:33.207095983 +0200
+diff -up openssl-1.1.1e/crypto/evp/pmeth_lib.c.fips openssl-1.1.1e/crypto/evp/pmeth_lib.c
+--- openssl-1.1.1e/crypto/evp/pmeth_lib.c.fips 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/crypto/evp/pmeth_lib.c 2020-03-17 17:30:52.031567305 +0100
@@ -131,7 +131,15 @@ static EVP_PKEY_CTX *int_ctx_new(EVP_PKE
pmeth = ENGINE_get_pkey_meth(e, id);
else
@@ -1683,9 +1376,9 @@ diff -up openssl-1.1.1b/crypto/evp/pmeth_lib.c.fips openssl-1.1.1b/crypto/evp/pm
if (pmeth == NULL) {
#ifndef OPENSSL_NO_ENGINE
-diff -up openssl-1.1.1b/crypto/fips/build.info.fips openssl-1.1.1b/crypto/fips/build.info
---- openssl-1.1.1b/crypto/fips/build.info.fips 2019-02-28 11:30:06.806745670 +0100
-+++ openssl-1.1.1b/crypto/fips/build.info 2019-02-28 11:30:06.806745670 +0100
+diff -up openssl-1.1.1e/crypto/fips/build.info.fips openssl-1.1.1e/crypto/fips/build.info
+--- openssl-1.1.1e/crypto/fips/build.info.fips 2020-03-17 17:30:52.032567287 +0100
++++ openssl-1.1.1e/crypto/fips/build.info 2020-03-17 17:30:52.032567287 +0100
@@ -0,0 +1,15 @@
+LIBS=../../libcrypto
+SOURCE[../../libcrypto]=\
@@ -1702,9 +1395,9 @@ diff -up openssl-1.1.1b/crypto/fips/build.info.fips openssl-1.1.1b/crypto/fips/b
+SOURCE[fips_standalone_hmac]=fips_standalone_hmac.c
+INCLUDE[fips_standalone_hmac]=../../include
+DEPEND[fips_standalone_hmac]=../../libcrypto
-diff -up openssl-1.1.1b/crypto/fips/fips_aes_selftest.c.fips openssl-1.1.1b/crypto/fips/fips_aes_selftest.c
---- openssl-1.1.1b/crypto/fips/fips_aes_selftest.c.fips 2019-02-28 11:30:06.807745651 +0100
-+++ openssl-1.1.1b/crypto/fips/fips_aes_selftest.c 2019-02-28 11:30:06.807745651 +0100
+diff -up openssl-1.1.1e/crypto/fips/fips_aes_selftest.c.fips openssl-1.1.1e/crypto/fips/fips_aes_selftest.c
+--- openssl-1.1.1e/crypto/fips/fips_aes_selftest.c.fips 2020-03-17 17:30:52.033567270 +0100
++++ openssl-1.1.1e/crypto/fips/fips_aes_selftest.c 2020-03-17 17:30:52.033567270 +0100
@@ -0,0 +1,372 @@
+/* ====================================================================
+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
@@ -1759,7 +1452,7 @@ diff -up openssl-1.1.1b/crypto/fips/fips_aes_selftest.c.fips openssl-1.1.1b/cryp
+#include <openssl/err.h>
+#ifdef OPENSSL_FIPS
+# include <openssl/fips.h>
-+# include "internal/fips_int.h"
++# include "crypto/fips.h"
+#endif
+
+#ifdef OPENSSL_FIPS
@@ -2078,9 +1771,9 @@ diff -up openssl-1.1.1b/crypto/fips/fips_aes_selftest.c.fips openssl-1.1.1b/cryp
+}
+
+#endif
-diff -up openssl-1.1.1b/crypto/fips/fips.c.fips openssl-1.1.1b/crypto/fips/fips.c
---- openssl-1.1.1b/crypto/fips/fips.c.fips 2019-02-28 11:30:06.807745651 +0100
-+++ openssl-1.1.1b/crypto/fips/fips.c 2019-02-28 11:30:06.807745651 +0100
+diff -up openssl-1.1.1e/crypto/fips/fips.c.fips openssl-1.1.1e/crypto/fips/fips.c
+--- openssl-1.1.1e/crypto/fips/fips.c.fips 2020-03-17 17:30:52.033567270 +0100
++++ openssl-1.1.1e/crypto/fips/fips.c 2020-03-17 17:30:52.033567270 +0100
@@ -0,0 +1,526 @@
+/* ====================================================================
+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
@@ -2488,7 +2181,7 @@ diff -up openssl-1.1.1b/crypto/fips/fips.c.fips openssl-1.1.1b/crypto/fips/fips.
+ rv = 0;
+
+ /* Installed == true */
-+ return !rv;
++ return !rv || FIPS_module_mode();
+}
+
+int FIPS_module_mode_set(int onoff)
@@ -2608,9 +2301,9 @@ diff -up openssl-1.1.1b/crypto/fips/fips.c.fips openssl-1.1.1b/crypto/fips/fips.
+}
+
+#endif
-diff -up openssl-1.1.1b/crypto/fips/fips_cmac_selftest.c.fips openssl-1.1.1b/crypto/fips/fips_cmac_selftest.c
---- openssl-1.1.1b/crypto/fips/fips_cmac_selftest.c.fips 2019-02-28 11:30:06.808745633 +0100
-+++ openssl-1.1.1b/crypto/fips/fips_cmac_selftest.c 2019-02-28 11:30:06.808745633 +0100
+diff -up openssl-1.1.1e/crypto/fips/fips_cmac_selftest.c.fips openssl-1.1.1e/crypto/fips/fips_cmac_selftest.c
+--- openssl-1.1.1e/crypto/fips/fips_cmac_selftest.c.fips 2020-03-17 17:30:52.034567253 +0100
++++ openssl-1.1.1e/crypto/fips/fips_cmac_selftest.c 2020-03-17 17:30:52.033567270 +0100
@@ -0,0 +1,156 @@
+/* ====================================================================
+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
@@ -2664,7 +2357,7 @@ diff -up openssl-1.1.1b/crypto/fips/fips_cmac_selftest.c.fips openssl-1.1.1b/cry
+#include <string.h>
+#include <openssl/err.h>
+#include <openssl/fips.h>
-+#include "internal/fips_int.h"
++#include "crypto/fips.h"
+#include <openssl/cmac.h>
+#include "fips_locl.h"
+
@@ -2768,9 +2461,9 @@ diff -up openssl-1.1.1b/crypto/fips/fips_cmac_selftest.c.fips openssl-1.1.1b/cry
+ return rv;
+}
+#endif
-diff -up openssl-1.1.1b/crypto/fips/fips_des_selftest.c.fips openssl-1.1.1b/crypto/fips/fips_des_selftest.c
---- openssl-1.1.1b/crypto/fips/fips_des_selftest.c.fips 2019-02-28 11:30:06.808745633 +0100
-+++ openssl-1.1.1b/crypto/fips/fips_des_selftest.c 2019-02-28 11:30:06.808745633 +0100
+diff -up openssl-1.1.1e/crypto/fips/fips_des_selftest.c.fips openssl-1.1.1e/crypto/fips/fips_des_selftest.c
+--- openssl-1.1.1e/crypto/fips/fips_des_selftest.c.fips 2020-03-17 17:30:52.034567253 +0100
++++ openssl-1.1.1e/crypto/fips/fips_des_selftest.c 2020-03-17 17:30:52.034567253 +0100
@@ -0,0 +1,133 @@
+/* ====================================================================
+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
@@ -2825,7 +2518,7 @@ diff -up openssl-1.1.1b/crypto/fips/fips_des_selftest.c.fips openssl-1.1.1b/cryp
+#include <openssl/err.h>
+#ifdef OPENSSL_FIPS
+# include <openssl/fips.h>
-+# include "internal/fips_int.h"
++# include "crypto/fips.h"
+#endif
+#include <openssl/opensslconf.h>
+
@@ -2905,9 +2598,9 @@ diff -up openssl-1.1.1b/crypto/fips/fips_des_selftest.c.fips openssl-1.1.1b/cryp
+ return ret;
+}
+#endif
-diff -up openssl-1.1.1b/crypto/fips/fips_dh_selftest.c.fips openssl-1.1.1b/crypto/fips/fips_dh_selftest.c
---- openssl-1.1.1b/crypto/fips/fips_dh_selftest.c.fips 2019-02-28 11:30:06.810745596 +0100
-+++ openssl-1.1.1b/crypto/fips/fips_dh_selftest.c 2019-02-28 11:30:06.810745596 +0100
+diff -up openssl-1.1.1e/crypto/fips/fips_dh_selftest.c.fips openssl-1.1.1e/crypto/fips/fips_dh_selftest.c
+--- openssl-1.1.1e/crypto/fips/fips_dh_selftest.c.fips 2020-03-17 17:30:52.038567183 +0100
++++ openssl-1.1.1e/crypto/fips/fips_dh_selftest.c 2020-03-17 17:30:52.038567183 +0100
@@ -0,0 +1,180 @@
+/* ====================================================================
+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
@@ -3089,9 +2782,9 @@ diff -up openssl-1.1.1b/crypto/fips/fips_dh_selftest.c.fips openssl-1.1.1b/crypt
+ return ret;
+}
+#endif
-diff -up openssl-1.1.1b/crypto/fips/fips_drbg_ctr.c.fips openssl-1.1.1b/crypto/fips/fips_drbg_ctr.c
---- openssl-1.1.1b/crypto/fips/fips_drbg_ctr.c.fips 2019-02-28 11:30:06.811745577 +0100
-+++ openssl-1.1.1b/crypto/fips/fips_drbg_ctr.c 2019-02-28 11:30:06.811745577 +0100
+diff -up openssl-1.1.1e/crypto/fips/fips_drbg_ctr.c.fips openssl-1.1.1e/crypto/fips/fips_drbg_ctr.c
+--- openssl-1.1.1e/crypto/fips/fips_drbg_ctr.c.fips 2020-03-17 17:30:52.040567148 +0100
++++ openssl-1.1.1e/crypto/fips/fips_drbg_ctr.c 2020-03-17 17:30:52.039567165 +0100
@@ -0,0 +1,406 @@
+/* fips/rand/fips_drbg_ctr.c */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
@@ -3499,9 +3192,9 @@ diff -up openssl-1.1.1b/crypto/fips/fips_drbg_ctr.c.fips openssl-1.1.1b/crypto/f
+
+ return 1;
+}
-diff -up openssl-1.1.1b/crypto/fips/fips_drbg_hash.c.fips openssl-1.1.1b/crypto/fips/fips_drbg_hash.c
---- openssl-1.1.1b/crypto/fips/fips_drbg_hash.c.fips 2019-02-28 11:30:06.811745577 +0100
-+++ openssl-1.1.1b/crypto/fips/fips_drbg_hash.c 2019-02-28 11:30:06.811745577 +0100
+diff -up openssl-1.1.1e/crypto/fips/fips_drbg_hash.c.fips openssl-1.1.1e/crypto/fips/fips_drbg_hash.c
+--- openssl-1.1.1e/crypto/fips/fips_drbg_hash.c.fips 2020-03-17 17:30:52.041567130 +0100
++++ openssl-1.1.1e/crypto/fips/fips_drbg_hash.c 2020-03-17 17:30:52.040567148 +0100
@@ -0,0 +1,354 @@
+/* fips/rand/fips_drbg_hash.c */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
@@ -3562,7 +3255,7 @@ diff -up openssl-1.1.1b/crypto/fips/fips_drbg_hash.c.fips openssl-1.1.1b/crypto/
+#include <string.h>
+#include <openssl/crypto.h>
+#include <openssl/fips.h>
-+#include "internal/fips_int.h"
++#include "crypto/fips.h"
+#include <openssl/fips_rand.h>
+#include "fips_rand_lcl.h"
+
@@ -3857,9 +3550,9 @@ diff -up openssl-1.1.1b/crypto/fips/fips_drbg_hash.c.fips openssl-1.1.1b/crypto/
+
+ return 1;
+}
-diff -up openssl-1.1.1b/crypto/fips/fips_drbg_hmac.c.fips openssl-1.1.1b/crypto/fips/fips_drbg_hmac.c
---- openssl-1.1.1b/crypto/fips/fips_drbg_hmac.c.fips 2019-02-28 11:30:06.811745577 +0100
-+++ openssl-1.1.1b/crypto/fips/fips_drbg_hmac.c 2019-02-28 11:30:06.811745577 +0100
+diff -up openssl-1.1.1e/crypto/fips/fips_drbg_hmac.c.fips openssl-1.1.1e/crypto/fips/fips_drbg_hmac.c
+--- openssl-1.1.1e/crypto/fips/fips_drbg_hmac.c.fips 2020-03-17 17:30:52.042567113 +0100
++++ openssl-1.1.1e/crypto/fips/fips_drbg_hmac.c 2020-03-17 17:30:52.042567113 +0100
@@ -0,0 +1,262 @@
+/* fips/rand/fips_drbg_hmac.c */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
@@ -4123,9 +3816,9 @@ diff -up openssl-1.1.1b/crypto/fips/fips_drbg_hmac.c.fips openssl-1.1.1b/crypto/
+
+ return 1;
+}
-diff -up openssl-1.1.1b/crypto/fips/fips_drbg_lib.c.fips openssl-1.1.1b/crypto/fips/fips_drbg_lib.c
---- openssl-1.1.1b/crypto/fips/fips_drbg_lib.c.fips 2019-02-28 11:30:06.812745558 +0100
-+++ openssl-1.1.1b/crypto/fips/fips_drbg_lib.c 2019-02-28 11:30:06.812745558 +0100
+diff -up openssl-1.1.1e/crypto/fips/fips_drbg_lib.c.fips openssl-1.1.1e/crypto/fips/fips_drbg_lib.c
+--- openssl-1.1.1e/crypto/fips/fips_drbg_lib.c.fips 2020-03-17 17:30:52.043567095 +0100
++++ openssl-1.1.1e/crypto/fips/fips_drbg_lib.c 2020-03-17 17:30:52.043567095 +0100
@@ -0,0 +1,528 @@
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project.
@@ -4183,7 +3876,7 @@ diff -up openssl-1.1.1b/crypto/fips/fips_drbg_lib.c.fips openssl-1.1.1b/crypto/f
+#include <openssl/crypto.h>
+#include <openssl/err.h>
+#include <openssl/fips.h>
-+#include "internal/fips_int.h"
++#include "crypto/fips.h"
+#include <openssl/fips_rand.h>
+#include "fips_locl.h"
+#include "fips_rand_lcl.h"
@@ -4655,9 +4348,9 @@ diff -up openssl-1.1.1b/crypto/fips/fips_drbg_lib.c.fips openssl-1.1.1b/crypto/f
+{
+ /* Just backwards compatibility API call with no effect. */
+}
-diff -up openssl-1.1.1b/crypto/fips/fips_drbg_rand.c.fips openssl-1.1.1b/crypto/fips/fips_drbg_rand.c
---- openssl-1.1.1b/crypto/fips/fips_drbg_rand.c.fips 2019-02-28 11:30:06.812745558 +0100
-+++ openssl-1.1.1b/crypto/fips/fips_drbg_rand.c 2019-02-28 11:30:06.812745558 +0100
+diff -up openssl-1.1.1e/crypto/fips/fips_drbg_rand.c.fips openssl-1.1.1e/crypto/fips/fips_drbg_rand.c
+--- openssl-1.1.1e/crypto/fips/fips_drbg_rand.c.fips 2020-03-17 17:30:52.044567078 +0100
++++ openssl-1.1.1e/crypto/fips/fips_drbg_rand.c 2020-03-17 17:30:52.044567078 +0100
@@ -0,0 +1,185 @@
+/* fips/rand/fips_drbg_rand.c */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
@@ -4844,9 +4537,9 @@ diff -up openssl-1.1.1b/crypto/fips/fips_drbg_rand.c.fips openssl-1.1.1b/crypto/
+{
+ return &rand_drbg_meth;
+}
-diff -up openssl-1.1.1b/crypto/fips/fips_drbg_selftest.c.fips openssl-1.1.1b/crypto/fips/fips_drbg_selftest.c
---- openssl-1.1.1b/crypto/fips/fips_drbg_selftest.c.fips 2019-02-28 11:30:06.812745558 +0100
-+++ openssl-1.1.1b/crypto/fips/fips_drbg_selftest.c 2019-02-28 11:30:06.812745558 +0100
+diff -up openssl-1.1.1e/crypto/fips/fips_drbg_selftest.c.fips openssl-1.1.1e/crypto/fips/fips_drbg_selftest.c
+--- openssl-1.1.1e/crypto/fips/fips_drbg_selftest.c.fips 2020-03-17 17:30:52.044567078 +0100
++++ openssl-1.1.1e/crypto/fips/fips_drbg_selftest.c 2020-03-17 17:30:52.044567078 +0100
@@ -0,0 +1,828 @@
+/* fips/rand/fips_drbg_selftest.c */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
@@ -5676,9 +5369,9 @@ diff -up openssl-1.1.1b/crypto/fips/fips_drbg_selftest.c.fips openssl-1.1.1b/cry
+ FIPS_drbg_free(dctx);
+ return rv;
+}
-diff -up openssl-1.1.1b/crypto/fips/fips_drbg_selftest.h.fips openssl-1.1.1b/crypto/fips/fips_drbg_selftest.h
---- openssl-1.1.1b/crypto/fips/fips_drbg_selftest.h.fips 2019-02-28 11:30:06.813745540 +0100
-+++ openssl-1.1.1b/crypto/fips/fips_drbg_selftest.h 2019-02-28 11:30:06.813745540 +0100
+diff -up openssl-1.1.1e/crypto/fips/fips_drbg_selftest.h.fips openssl-1.1.1e/crypto/fips/fips_drbg_selftest.h
+--- openssl-1.1.1e/crypto/fips/fips_drbg_selftest.h.fips 2020-03-17 17:30:52.045567061 +0100
++++ openssl-1.1.1e/crypto/fips/fips_drbg_selftest.h 2020-03-17 17:30:52.045567061 +0100
@@ -0,0 +1,1791 @@
+/* ====================================================================
+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
@@ -7471,9 +7164,9 @@ diff -up openssl-1.1.1b/crypto/fips/fips_drbg_selftest.h.fips openssl-1.1.1b/cry
+ 0xef, 0x05, 0x9e, 0xb8, 0xc7, 0x52, 0xe4, 0x0e, 0x42, 0xaa, 0x7c, 0x79,
+ 0xc2, 0xd6, 0xfd, 0xa5
+};
-diff -up openssl-1.1.1b/crypto/fips/fips_dsa_selftest.c.fips openssl-1.1.1b/crypto/fips/fips_dsa_selftest.c
---- openssl-1.1.1b/crypto/fips/fips_dsa_selftest.c.fips 2019-02-28 11:30:06.814745521 +0100
-+++ openssl-1.1.1b/crypto/fips/fips_dsa_selftest.c 2019-02-28 11:30:06.814745521 +0100
+diff -up openssl-1.1.1e/crypto/fips/fips_dsa_selftest.c.fips openssl-1.1.1e/crypto/fips/fips_dsa_selftest.c
+--- openssl-1.1.1e/crypto/fips/fips_dsa_selftest.c.fips 2020-03-17 17:30:52.046567043 +0100
++++ openssl-1.1.1e/crypto/fips/fips_dsa_selftest.c 2020-03-17 17:30:52.046567043 +0100
@@ -0,0 +1,195 @@
+/* ====================================================================
+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
@@ -7528,7 +7221,7 @@ diff -up openssl-1.1.1b/crypto/fips/fips_dsa_selftest.c.fips openssl-1.1.1b/cryp
+#include <openssl/crypto.h>
+#include <openssl/dsa.h>
+#include <openssl/fips.h>
-+#include "internal/fips_int.h"
++#include "crypto/fips.h"
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/bn.h>
@@ -7627,7 +7320,7 @@ diff -up openssl-1.1.1b/crypto/fips/fips_dsa_selftest.c.fips openssl-1.1.1b/cryp
+{
+ DSA *dsa = NULL;
+ EVP_PKEY *pk = NULL;
-+ int ret = -1;
++ int ret = 0;
+ BIGNUM *p = NULL, *q = NULL, *g = NULL, *pub_key = NULL, *priv_key = NULL;
+
+ fips_load_key_component(p, dsa_test_2048);
@@ -7670,9 +7363,9 @@ diff -up openssl-1.1.1b/crypto/fips/fips_dsa_selftest.c.fips openssl-1.1.1b/cryp
+ return ret;
+}
+#endif
-diff -up openssl-1.1.1b/crypto/fips/fips_ecdh_selftest.c.fips openssl-1.1.1b/crypto/fips/fips_ecdh_selftest.c
---- openssl-1.1.1b/crypto/fips/fips_ecdh_selftest.c.fips 2019-02-28 11:30:06.814745521 +0100
-+++ openssl-1.1.1b/crypto/fips/fips_ecdh_selftest.c 2019-02-28 11:30:06.814745521 +0100
+diff -up openssl-1.1.1e/crypto/fips/fips_ecdh_selftest.c.fips openssl-1.1.1e/crypto/fips/fips_ecdh_selftest.c
+--- openssl-1.1.1e/crypto/fips/fips_ecdh_selftest.c.fips 2020-03-17 17:30:52.046567043 +0100
++++ openssl-1.1.1e/crypto/fips/fips_ecdh_selftest.c 2020-03-17 17:30:52.046567043 +0100
@@ -0,0 +1,242 @@
+/* fips/ecdh/fips_ecdh_selftest.c */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
@@ -7827,24 +7520,24 @@ diff -up openssl-1.1.1b/crypto/fips/fips_ecdh_selftest.c.fips openssl-1.1.1b/cry
+ d = BN_bin2bn(ecd->d1, ecd->d1len, d);
+
+ if (!x || !y || !d || !ztmp) {
-+ rv = -1;
++ rv = 0;
+ goto err;
+ }
+
+ ec1 = EC_KEY_new_by_curve_name(ecd->curve);
+ if (!ec1) {
-+ rv = -1;
++ rv = 0;
+ goto err;
+ }
+ EC_KEY_set_flags(ec1, EC_FLAG_COFACTOR_ECDH);
+
+ if (!EC_KEY_set_public_key_affine_coordinates(ec1, x, y)) {
-+ rv = -1;
++ rv = 0;
+ goto err;
+ }
+
+ if (!EC_KEY_set_private_key(ec1, d)) {
-+ rv = -1;
++ rv = 0;
+ goto err;
+ }
+
@@ -7852,30 +7545,30 @@ diff -up openssl-1.1.1b/crypto/fips/fips_ecdh_selftest.c.fips openssl-1.1.1b/cry
+ y = BN_bin2bn(ecd->y2, ecd->y2len, y);
+
+ if (!x || !y) {
-+ rv = -1;
++ rv = 0;
+ goto err;
+ }
+
+ ec2 = EC_KEY_new_by_curve_name(ecd->curve);
+ if (!ec2) {
-+ rv = -1;
++ rv = 0;
+ goto err;
+ }
+ EC_KEY_set_flags(ec1, EC_FLAG_COFACTOR_ECDH);
+
+ if (!EC_KEY_set_public_key_affine_coordinates(ec2, x, y)) {
-+ rv = -1;
++ rv = 0;
+ goto err;
+ }
+
+ ecp = EC_KEY_get0_public_key(ec2);
+ if (!ecp) {
-+ rv = -1;
++ rv = 0;
+ goto err;
+ }
+
+ if (!ECDH_compute_key(ztmp, ecd->zlen, ecp, ec1, 0)) {
-+ rv = -1;
++ rv = 0;
+ goto err;
+ }
+
@@ -7916,9 +7609,9 @@ diff -up openssl-1.1.1b/crypto/fips/fips_ecdh_selftest.c.fips openssl-1.1.1b/cry
+}
+
+#endif
-diff -up openssl-1.1.1b/crypto/fips/fips_ecdsa_selftest.c.fips openssl-1.1.1b/crypto/fips/fips_ecdsa_selftest.c
---- openssl-1.1.1b/crypto/fips/fips_ecdsa_selftest.c.fips 2019-02-28 11:30:06.814745521 +0100
-+++ openssl-1.1.1b/crypto/fips/fips_ecdsa_selftest.c 2019-02-28 11:30:06.814745521 +0100
+diff -up openssl-1.1.1e/crypto/fips/fips_ecdsa_selftest.c.fips openssl-1.1.1e/crypto/fips/fips_ecdsa_selftest.c
+--- openssl-1.1.1e/crypto/fips/fips_ecdsa_selftest.c.fips 2020-03-17 17:30:52.046567043 +0100
++++ openssl-1.1.1e/crypto/fips/fips_ecdsa_selftest.c 2020-03-17 17:30:52.046567043 +0100
@@ -0,0 +1,166 @@
+/* fips/ecdsa/fips_ecdsa_selftest.c */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
@@ -7981,7 +7674,7 @@ diff -up openssl-1.1.1b/crypto/fips/fips_ecdsa_selftest.c.fips openssl-1.1.1b/cr
+#include <openssl/ec.h>
+#include <openssl/ecdsa.h>
+#include <openssl/fips.h>
-+#include "internal/fips_int.h"
++#include "crypto/fips.h"
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/bn.h>
@@ -8086,9 +7779,9 @@ diff -up openssl-1.1.1b/crypto/fips/fips_ecdsa_selftest.c.fips openssl-1.1.1b/cr
+}
+
+#endif
-diff -up openssl-1.1.1b/crypto/fips/fips_err.h.fips openssl-1.1.1b/crypto/fips/fips_err.h
---- openssl-1.1.1b/crypto/fips/fips_err.h.fips 2019-05-06 16:08:46.792598211 +0200
-+++ openssl-1.1.1b/crypto/fips/fips_err.h 2019-05-06 16:19:56.403993551 +0200
+diff -up openssl-1.1.1e/crypto/fips/fips_err.h.fips openssl-1.1.1e/crypto/fips/fips_err.h
+--- openssl-1.1.1e/crypto/fips/fips_err.h.fips 2020-03-17 17:30:52.047567026 +0100
++++ openssl-1.1.1e/crypto/fips/fips_err.h 2020-03-17 17:30:52.047567026 +0100
@@ -0,0 +1,197 @@
+/* crypto/fips_err.h */
+/* ====================================================================
@@ -8287,9 +7980,9 @@ diff -up openssl-1.1.1b/crypto/fips/fips_err.h.fips openssl-1.1.1b/crypto/fips/f
+#endif
+ return 1;
+}
-diff -up openssl-1.1.1b/crypto/fips/fips_ers.c.fips openssl-1.1.1b/crypto/fips/fips_ers.c
---- openssl-1.1.1b/crypto/fips/fips_ers.c.fips 2019-02-28 11:30:06.815745503 +0100
-+++ openssl-1.1.1b/crypto/fips/fips_ers.c 2019-02-28 11:30:06.815745503 +0100
+diff -up openssl-1.1.1e/crypto/fips/fips_ers.c.fips openssl-1.1.1e/crypto/fips/fips_ers.c
+--- openssl-1.1.1e/crypto/fips/fips_ers.c.fips 2020-03-17 17:30:52.047567026 +0100
++++ openssl-1.1.1e/crypto/fips/fips_ers.c 2020-03-17 17:30:52.047567026 +0100
@@ -0,0 +1,7 @@
+#include <openssl/opensslconf.h>
+
@@ -8298,9 +7991,9 @@ diff -up openssl-1.1.1b/crypto/fips/fips_ers.c.fips openssl-1.1.1b/crypto/fips/f
+#else
+static void *dummy = &dummy;
+#endif
-diff -up openssl-1.1.1b/crypto/fips/fips_hmac_selftest.c.fips openssl-1.1.1b/crypto/fips/fips_hmac_selftest.c
---- openssl-1.1.1b/crypto/fips/fips_hmac_selftest.c.fips 2019-02-28 11:30:06.815745503 +0100
-+++ openssl-1.1.1b/crypto/fips/fips_hmac_selftest.c 2019-02-28 11:30:06.815745503 +0100
+diff -up openssl-1.1.1e/crypto/fips/fips_hmac_selftest.c.fips openssl-1.1.1e/crypto/fips/fips_hmac_selftest.c
+--- openssl-1.1.1e/crypto/fips/fips_hmac_selftest.c.fips 2020-03-17 17:30:52.047567026 +0100
++++ openssl-1.1.1e/crypto/fips/fips_hmac_selftest.c 2020-03-17 17:30:52.047567026 +0100
@@ -0,0 +1,134 @@
+/* ====================================================================
+ * Copyright (c) 2005 The OpenSSL Project. All rights reserved.
@@ -8436,9 +8129,9 @@ diff -up openssl-1.1.1b/crypto/fips/fips_hmac_selftest.c.fips openssl-1.1.1b/cry
+ return 1;
+}
+#endif
-diff -up openssl-1.1.1b/crypto/fips/fips_locl.h.fips openssl-1.1.1b/crypto/fips/fips_locl.h
---- openssl-1.1.1b/crypto/fips/fips_locl.h.fips 2019-02-28 11:30:06.815745503 +0100
-+++ openssl-1.1.1b/crypto/fips/fips_locl.h 2019-02-28 11:30:06.815745503 +0100
+diff -up openssl-1.1.1e/crypto/fips/fips_locl.h.fips openssl-1.1.1e/crypto/fips/fips_locl.h
+--- openssl-1.1.1e/crypto/fips/fips_locl.h.fips 2020-03-17 17:30:52.048567008 +0100
++++ openssl-1.1.1e/crypto/fips/fips_locl.h 2020-03-17 17:30:52.048567008 +0100
@@ -0,0 +1,71 @@
+/* ====================================================================
+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
@@ -8511,9 +8204,9 @@ diff -up openssl-1.1.1b/crypto/fips/fips_locl.h.fips openssl-1.1.1b/crypto/fips/
+}
+# endif
+#endif
-diff -up openssl-1.1.1b/crypto/fips/fips_post.c.fips openssl-1.1.1b/crypto/fips/fips_post.c
---- openssl-1.1.1b/crypto/fips/fips_post.c.fips 2019-05-06 16:08:46.794598177 +0200
-+++ openssl-1.1.1b/crypto/fips/fips_post.c 2019-05-06 16:08:46.794598177 +0200
+diff -up openssl-1.1.1e/crypto/fips/fips_post.c.fips openssl-1.1.1e/crypto/fips/fips_post.c
+--- openssl-1.1.1e/crypto/fips/fips_post.c.fips 2020-03-17 17:30:52.048567008 +0100
++++ openssl-1.1.1e/crypto/fips/fips_post.c 2020-03-17 17:30:52.048567008 +0100
@@ -0,0 +1,224 @@
+/* ====================================================================
+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
@@ -8583,7 +8276,7 @@ diff -up openssl-1.1.1b/crypto/fips/fips_post.c.fips openssl-1.1.1b/crypto/fips/
+/* Power on self test (POST) support functions */
+
+# include <openssl/fips.h>
-+# include "internal/fips_int.h"
++# include "crypto/fips.h"
+# include "fips_locl.h"
+
+/* Run all selftests */
@@ -8739,9 +8432,9 @@ diff -up openssl-1.1.1b/crypto/fips/fips_post.c.fips openssl-1.1.1b/crypto/fips/
+ return 1;
+}
+#endif
-diff -up openssl-1.1.1b/crypto/fips/fips_rand_lcl.h.fips openssl-1.1.1b/crypto/fips/fips_rand_lcl.h
---- openssl-1.1.1b/crypto/fips/fips_rand_lcl.h.fips 2019-02-28 11:30:06.816745484 +0100
-+++ openssl-1.1.1b/crypto/fips/fips_rand_lcl.h 2019-02-28 11:30:06.816745484 +0100
+diff -up openssl-1.1.1e/crypto/fips/fips_rand_lcl.h.fips openssl-1.1.1e/crypto/fips/fips_rand_lcl.h
+--- openssl-1.1.1e/crypto/fips/fips_rand_lcl.h.fips 2020-03-17 17:30:52.048567008 +0100
++++ openssl-1.1.1e/crypto/fips/fips_rand_lcl.h 2020-03-17 17:30:52.048567008 +0100
@@ -0,0 +1,203 @@
+/* fips/rand/fips_rand_lcl.h */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
@@ -8946,9 +8639,9 @@ diff -up openssl-1.1.1b/crypto/fips/fips_rand_lcl.h.fips openssl-1.1.1b/crypto/f
+#define FIPS_digestupdate EVP_DigestUpdate
+#define FIPS_digestfinal EVP_DigestFinal
+#define M_EVP_MD_size EVP_MD_size
-diff -up openssl-1.1.1b/crypto/fips/fips_rand_lib.c.fips openssl-1.1.1b/crypto/fips/fips_rand_lib.c
---- openssl-1.1.1b/crypto/fips/fips_rand_lib.c.fips 2019-02-28 11:30:06.816745484 +0100
-+++ openssl-1.1.1b/crypto/fips/fips_rand_lib.c 2019-02-28 11:30:06.816745484 +0100
+diff -up openssl-1.1.1e/crypto/fips/fips_rand_lib.c.fips openssl-1.1.1e/crypto/fips/fips_rand_lib.c
+--- openssl-1.1.1e/crypto/fips/fips_rand_lib.c.fips 2020-03-17 17:30:52.049566991 +0100
++++ openssl-1.1.1e/crypto/fips/fips_rand_lib.c 2020-03-17 17:30:52.049566991 +0100
@@ -0,0 +1,234 @@
+/* ====================================================================
+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
@@ -9010,7 +8703,7 @@ diff -up openssl-1.1.1b/crypto/fips/fips_rand_lib.c.fips openssl-1.1.1b/crypto/f
+#include <openssl/rand.h>
+#include <openssl/err.h>
+#include <openssl/fips.h>
-+#include "internal/fips_int.h"
++#include "crypto/fips.h"
+#include <openssl/fips_rand.h>
+#include "e_os.h"
+
@@ -9184,9 +8877,9 @@ diff -up openssl-1.1.1b/crypto/fips/fips_rand_lib.c.fips openssl-1.1.1b/crypto/f
+# endif
+}
+
-diff -up openssl-1.1.1b/crypto/fips/fips_rsa_selftest.c.fips openssl-1.1.1b/crypto/fips/fips_rsa_selftest.c
---- openssl-1.1.1b/crypto/fips/fips_rsa_selftest.c.fips 2019-02-28 11:30:06.816745484 +0100
-+++ openssl-1.1.1b/crypto/fips/fips_rsa_selftest.c 2019-02-28 11:30:06.816745484 +0100
+diff -up openssl-1.1.1e/crypto/fips/fips_rsa_selftest.c.fips openssl-1.1.1e/crypto/fips/fips_rsa_selftest.c
+--- openssl-1.1.1e/crypto/fips/fips_rsa_selftest.c.fips 2020-03-17 17:30:52.049566991 +0100
++++ openssl-1.1.1e/crypto/fips/fips_rsa_selftest.c 2020-03-17 17:30:52.049566991 +0100
@@ -0,0 +1,338 @@
+/* ====================================================================
+ * Copyright (c) 2003-2007 The OpenSSL Project. All rights reserved.
@@ -9241,7 +8934,7 @@ diff -up openssl-1.1.1b/crypto/fips/fips_rsa_selftest.c.fips openssl-1.1.1b/cryp
+#include <openssl/err.h>
+#ifdef OPENSSL_FIPS
+# include <openssl/fips.h>
-+# include "internal/fips_int.h"
++# include "crypto/fips.h"
+#endif
+#include <openssl/rsa.h>
+#include <openssl/evp.h>
@@ -9526,9 +9219,9 @@ diff -up openssl-1.1.1b/crypto/fips/fips_rsa_selftest.c.fips openssl-1.1.1b/cryp
+}
+
+#endif /* def OPENSSL_FIPS */
-diff -up openssl-1.1.1b/crypto/fips/fips_sha_selftest.c.fips openssl-1.1.1b/crypto/fips/fips_sha_selftest.c
---- openssl-1.1.1b/crypto/fips/fips_sha_selftest.c.fips 2019-05-06 16:08:46.795598159 +0200
-+++ openssl-1.1.1b/crypto/fips/fips_sha_selftest.c 2019-05-06 17:35:40.211316880 +0200
+diff -up openssl-1.1.1e/crypto/fips/fips_sha_selftest.c.fips openssl-1.1.1e/crypto/fips/fips_sha_selftest.c
+--- openssl-1.1.1e/crypto/fips/fips_sha_selftest.c.fips 2020-03-17 17:30:52.050566973 +0100
++++ openssl-1.1.1e/crypto/fips/fips_sha_selftest.c 2020-03-17 17:30:52.050566973 +0100
@@ -0,0 +1,223 @@
+/* ====================================================================
+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
@@ -9753,9 +9446,9 @@ diff -up openssl-1.1.1b/crypto/fips/fips_sha_selftest.c.fips openssl-1.1.1b/cryp
+}
+
+#endif
-diff -up openssl-1.1.1b/crypto/fips/fips_standalone_hmac.c.fips openssl-1.1.1b/crypto/fips/fips_standalone_hmac.c
---- openssl-1.1.1b/crypto/fips/fips_standalone_hmac.c.fips 2019-02-28 11:30:06.817745466 +0100
-+++ openssl-1.1.1b/crypto/fips/fips_standalone_hmac.c 2019-02-28 11:30:06.817745466 +0100
+diff -up openssl-1.1.1e/crypto/fips/fips_standalone_hmac.c.fips openssl-1.1.1e/crypto/fips/fips_standalone_hmac.c
+--- openssl-1.1.1e/crypto/fips/fips_standalone_hmac.c.fips 2020-03-17 17:30:52.050566973 +0100
++++ openssl-1.1.1e/crypto/fips/fips_standalone_hmac.c 2020-03-17 17:30:52.050566973 +0100
@@ -0,0 +1,127 @@
+/* ====================================================================
+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
@@ -9884,10 +9577,10 @@ diff -up openssl-1.1.1b/crypto/fips/fips_standalone_hmac.c.fips openssl-1.1.1b/c
+#endif
+ return 0;
+}
-diff -up openssl-1.1.1c/crypto/hmac/hmac.c.fips openssl-1.1.1c/crypto/hmac/hmac.c
---- openssl-1.1.1c/crypto/hmac/hmac.c.fips 2019-05-29 15:46:19.138261106 +0200
-+++ openssl-1.1.1c/crypto/hmac/hmac.c 2019-05-29 15:49:09.508263133 +0200
-@@ -43,6 +43,13 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const vo
+diff -up openssl-1.1.1e/crypto/hmac/hmac.c.fips openssl-1.1.1e/crypto/hmac/hmac.c
+--- openssl-1.1.1e/crypto/hmac/hmac.c.fips 2020-03-17 17:30:52.050566973 +0100
++++ openssl-1.1.1e/crypto/hmac/hmac.c 2020-03-17 17:38:16.969802663 +0100
+@@ -44,6 +44,13 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const vo
return 0;
if (key != NULL) {
@@ -9899,11 +9592,11 @@ diff -up openssl-1.1.1c/crypto/hmac/hmac.c.fips openssl-1.1.1c/crypto/hmac/hmac.
+ goto err;
+#endif
reset = 1;
+
j = EVP_MD_block_size(md);
- if (!ossl_assert(j <= (int)sizeof(ctx->key)))
-diff -up openssl-1.1.1b/crypto/hmac/hm_pmeth.c.fips openssl-1.1.1b/crypto/hmac/hm_pmeth.c
---- openssl-1.1.1b/crypto/hmac/hm_pmeth.c.fips 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/hmac/hm_pmeth.c 2019-05-06 14:56:01.123257022 +0200
+diff -up openssl-1.1.1e/crypto/hmac/hm_pmeth.c.fips openssl-1.1.1e/crypto/hmac/hm_pmeth.c
+--- openssl-1.1.1e/crypto/hmac/hm_pmeth.c.fips 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/crypto/hmac/hm_pmeth.c 2020-03-17 17:30:52.051566956 +0100
@@ -180,7 +180,7 @@ static int pkey_hmac_ctrl_str(EVP_PKEY_C
const EVP_PKEY_METHOD hmac_pkey_meth = {
@@ -9913,9 +9606,9 @@ diff -up openssl-1.1.1b/crypto/hmac/hm_pmeth.c.fips openssl-1.1.1b/crypto/hmac/h
pkey_hmac_init,
pkey_hmac_copy,
pkey_hmac_cleanup,
-diff -up openssl-1.1.1b/crypto/include/internal/fips_int.h.fips openssl-1.1.1b/crypto/include/internal/fips_int.h
---- openssl-1.1.1b/crypto/include/internal/fips_int.h.fips 2019-02-28 11:30:06.817745466 +0100
-+++ openssl-1.1.1b/crypto/include/internal/fips_int.h 2019-02-28 11:30:06.817745466 +0100
+diff -up openssl-1.1.1e/include/crypto/fips.h.fips openssl-1.1.1e/include/crypto/fips.h
+--- openssl-1.1.1e/include/crypto/fips.h.fips 2020-03-17 17:30:52.051566956 +0100
++++ openssl-1.1.1e/include/crypto/fips.h 2020-03-17 17:30:52.051566956 +0100
@@ -0,0 +1,98 @@
+/* ====================================================================
+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
@@ -10015,14 +9708,14 @@ diff -up openssl-1.1.1b/crypto/include/internal/fips_int.h.fips openssl-1.1.1b/c
+void FIPS_get_timevec(unsigned char *buf, unsigned long *pctr);
+
+#endif
-diff -up openssl-1.1.1b/crypto/o_fips.c.fips openssl-1.1.1b/crypto/o_fips.c
---- openssl-1.1.1b/crypto/o_fips.c.fips 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/o_fips.c 2019-02-28 11:30:06.817745466 +0100
+diff -up openssl-1.1.1e/crypto/o_fips.c.fips openssl-1.1.1e/crypto/o_fips.c
+--- openssl-1.1.1e/crypto/o_fips.c.fips 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/crypto/o_fips.c 2020-03-17 17:30:52.052566939 +0100
@@ -8,17 +8,28 @@
*/
#include "internal/cryptlib.h"
-+#include "internal/fips_int.h"
++#include "crypto/fips.h"
int FIPS_mode(void)
{
@@ -10047,10 +9740,10 @@ diff -up openssl-1.1.1b/crypto/o_fips.c.fips openssl-1.1.1b/crypto/o_fips.c
return 0;
+#endif
}
-diff -up openssl-1.1.1b/crypto/o_init.c.fips openssl-1.1.1b/crypto/o_init.c
---- openssl-1.1.1b/crypto/o_init.c.fips 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/o_init.c 2019-02-28 11:30:06.817745466 +0100
-@@ -7,8 +7,68 @@
+diff -up openssl-1.1.1e/crypto/o_init.c.fips openssl-1.1.1e/crypto/o_init.c
+--- openssl-1.1.1e/crypto/o_init.c.fips 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/crypto/o_init.c 2020-03-17 17:30:52.052566939 +0100
+@@ -7,8 +7,69 @@
* https://www.openssl.org/source/license.html
*/
@@ -10067,7 +9760,7 @@ diff -up openssl-1.1.1b/crypto/o_init.c.fips openssl-1.1.1b/crypto/o_init.c
+# include <stdlib.h>
+# include <openssl/rand.h>
+# include <openssl/fips.h>
-+# include "internal/fips_int.h"
++# include "crypto/fips.h"
+
+# define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled"
+
@@ -10076,16 +9769,20 @@ diff -up openssl-1.1.1b/crypto/o_init.c.fips openssl-1.1.1b/crypto/o_init.c
+ char buf[2] = "0";
+ int fd;
+
-+ /* Ensure the selftests always run */
-+ /* XXX: TO SOLVE - premature initialization due to selftests */
-+ FIPS_mode_set(1);
-+
+ if (secure_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) {
+ buf[0] = '1';
+ } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) {
+ while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ;
+ close(fd);
+ }
++
++ if (buf[0] != '1' && !FIPS_module_installed())
++ return;
++
++ /* Ensure the selftests always run */
++ /* XXX: TO SOLVE - premature initialization due to selftests */
++ FIPS_mode_set(1);
++
+ /* Failure reading the fips mode switch file means just not
+ * switching into FIPS mode. We would break too many things
+ * otherwise..
@@ -10110,21 +9807,18 @@ diff -up openssl-1.1.1b/crypto/o_init.c.fips openssl-1.1.1b/crypto/o_init.c
+ if (done)
+ return;
+ done = 1;
-+ if (!FIPS_module_installed()) {
-+ return;
-+ }
+ init_fips_mode();
+}
+#endif
/*
* Perform any essential OpenSSL initialization operations. Currently does
-diff -up openssl-1.1.1b/crypto/rand/rand_lib.c.fips openssl-1.1.1b/crypto/rand/rand_lib.c
---- openssl-1.1.1b/crypto/rand/rand_lib.c.fips 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/rand/rand_lib.c 2019-02-28 11:30:06.818745447 +0100
+diff -up openssl-1.1.1e/crypto/rand/rand_lib.c.fips openssl-1.1.1e/crypto/rand/rand_lib.c
+--- openssl-1.1.1e/crypto/rand/rand_lib.c.fips 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/crypto/rand/rand_lib.c 2020-03-17 17:35:56.471259207 +0100
@@ -16,6 +16,10 @@
#include "internal/thread_once.h"
- #include "rand_lcl.h"
+ #include "rand_local.h"
#include "e_os.h"
+#ifdef OPENSSL_FIPS
+# include <openssl/fips.h>
@@ -10133,7 +9827,7 @@ diff -up openssl-1.1.1b/crypto/rand/rand_lib.c.fips openssl-1.1.1b/crypto/rand/r
#ifndef OPENSSL_NO_ENGINE
/* non-NULL if default_RAND_meth is ENGINE-provided */
-@@ -857,3 +861,15 @@ int RAND_status(void)
+@@ -961,3 +965,15 @@ int RAND_status(void)
return meth->status();
return 0;
}
@@ -10149,9 +9843,9 @@ diff -up openssl-1.1.1b/crypto/rand/rand_lib.c.fips openssl-1.1.1b/crypto/rand/r
+ return 1;
+}
+#endif
-diff -up openssl-1.1.1b/crypto/rsa/rsa_crpt.c.fips openssl-1.1.1b/crypto/rsa/rsa_crpt.c
---- openssl-1.1.1b/crypto/rsa/rsa_crpt.c.fips 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/rsa/rsa_crpt.c 2019-02-28 11:30:06.818745447 +0100
+diff -up openssl-1.1.1e/crypto/rsa/rsa_crpt.c.fips openssl-1.1.1e/crypto/rsa/rsa_crpt.c
+--- openssl-1.1.1e/crypto/rsa/rsa_crpt.c.fips 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/crypto/rsa/rsa_crpt.c 2020-03-17 17:30:52.055566886 +0100
@@ -27,24 +27,52 @@ int RSA_size(const RSA *r)
int RSA_public_encrypt(int flen, const unsigned char *from, unsigned char *to,
RSA *rsa, int padding)
@@ -10205,9 +9899,9 @@ diff -up openssl-1.1.1b/crypto/rsa/rsa_crpt.c.fips openssl-1.1.1b/crypto/rsa/rsa
return rsa->meth->rsa_pub_dec(flen, from, to, rsa, padding);
}
-diff -up openssl-1.1.1b/crypto/rsa/rsa_err.c.fips openssl-1.1.1b/crypto/rsa/rsa_err.c
---- openssl-1.1.1b/crypto/rsa/rsa_err.c.fips 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/rsa/rsa_err.c 2019-02-28 11:30:06.818745447 +0100
+diff -up openssl-1.1.1e/crypto/rsa/rsa_err.c.fips openssl-1.1.1e/crypto/rsa/rsa_err.c
+--- openssl-1.1.1e/crypto/rsa/rsa_err.c.fips 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/crypto/rsa/rsa_err.c 2020-03-17 17:30:52.055566886 +0100
@@ -16,6 +16,8 @@
static const ERR_STRING_DATA RSA_str_functs[] = {
{ERR_PACK(ERR_LIB_RSA, RSA_F_CHECK_PADDING_MD, 0), "check_padding_md"},
@@ -10250,7 +9944,7 @@ diff -up openssl-1.1.1b/crypto/rsa/rsa_err.c.fips openssl-1.1.1b/crypto/rsa/rsa_
{ERR_PACK(ERR_LIB_RSA, RSA_F_SETUP_TBUF, 0), "setup_tbuf"},
{0, NULL}
};
-@@ -181,6 +192,7 @@ static const ERR_STRING_DATA RSA_str_rea
+@@ -183,6 +194,7 @@ static const ERR_STRING_DATA RSA_str_rea
"mp exponent not congruent to d"},
{ERR_PACK(ERR_LIB_RSA, 0, RSA_R_MP_R_NOT_PRIME), "mp r not prime"},
{ERR_PACK(ERR_LIB_RSA, 0, RSA_R_NO_PUBLIC_EXPONENT), "no public exponent"},
@@ -10258,7 +9952,7 @@ diff -up openssl-1.1.1b/crypto/rsa/rsa_err.c.fips openssl-1.1.1b/crypto/rsa/rsa_
{ERR_PACK(ERR_LIB_RSA, 0, RSA_R_NULL_BEFORE_BLOCK_MISSING),
"null before block missing"},
{ERR_PACK(ERR_LIB_RSA, 0, RSA_R_N_DOES_NOT_EQUAL_PRODUCT_OF_PRIMES),
-@@ -189,6 +201,8 @@ static const ERR_STRING_DATA RSA_str_rea
+@@ -191,6 +203,8 @@ static const ERR_STRING_DATA RSA_str_rea
"n does not equal p q"},
{ERR_PACK(ERR_LIB_RSA, 0, RSA_R_OAEP_DECODING_ERROR),
"oaep decoding error"},
@@ -10267,7 +9961,7 @@ diff -up openssl-1.1.1b/crypto/rsa/rsa_err.c.fips openssl-1.1.1b/crypto/rsa/rsa_
{ERR_PACK(ERR_LIB_RSA, 0, RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE),
"operation not supported for this keytype"},
{ERR_PACK(ERR_LIB_RSA, 0, RSA_R_PADDING_CHECK_FAILED),
-@@ -224,6 +238,8 @@ static const ERR_STRING_DATA RSA_str_rea
+@@ -226,6 +240,8 @@ static const ERR_STRING_DATA RSA_str_rea
"unsupported mask algorithm"},
{ERR_PACK(ERR_LIB_RSA, 0, RSA_R_UNSUPPORTED_MASK_PARAMETER),
"unsupported mask parameter"},
@@ -10276,16 +9970,16 @@ diff -up openssl-1.1.1b/crypto/rsa/rsa_err.c.fips openssl-1.1.1b/crypto/rsa/rsa_
{ERR_PACK(ERR_LIB_RSA, 0, RSA_R_UNSUPPORTED_SIGNATURE_TYPE),
"unsupported signature type"},
{ERR_PACK(ERR_LIB_RSA, 0, RSA_R_VALUE_MISSING), "value missing"},
-diff -up openssl-1.1.1b/crypto/rsa/rsa_gen.c.fips openssl-1.1.1b/crypto/rsa/rsa_gen.c
---- openssl-1.1.1b/crypto/rsa/rsa_gen.c.fips 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/rsa/rsa_gen.c 2019-02-28 11:30:06.818745447 +0100
+diff -up openssl-1.1.1e/crypto/rsa/rsa_gen.c.fips openssl-1.1.1e/crypto/rsa/rsa_gen.c
+--- openssl-1.1.1e/crypto/rsa/rsa_gen.c.fips 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/crypto/rsa/rsa_gen.c 2020-03-17 17:33:55.560367363 +0100
@@ -18,6 +18,76 @@
#include "internal/cryptlib.h"
#include <openssl/bn.h>
- #include "rsa_locl.h"
+ #include "rsa_local.h"
+#ifdef OPENSSL_FIPS
+# include <openssl/fips.h>
-+# include "internal/fips_int.h"
++# include "crypto/fips.h"
+
+int fips_check_rsa(RSA *rsa)
+{
@@ -10671,9 +10365,9 @@ diff -up openssl-1.1.1b/crypto/rsa/rsa_gen.c.fips openssl-1.1.1b/crypto/rsa/rsa_
static int rsa_builtin_keygen(RSA *rsa, int bits, int primes, BIGNUM *e_value,
BN_GENCB *cb)
{
-diff -up openssl-1.1.1b/crypto/rsa/rsa_lib.c.fips openssl-1.1.1b/crypto/rsa/rsa_lib.c
---- openssl-1.1.1b/crypto/rsa/rsa_lib.c.fips 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/rsa/rsa_lib.c 2019-02-28 11:30:06.819745428 +0100
+diff -up openssl-1.1.1e/crypto/rsa/rsa_lib.c.fips openssl-1.1.1e/crypto/rsa/rsa_lib.c
+--- openssl-1.1.1e/crypto/rsa/rsa_lib.c.fips 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/crypto/rsa/rsa_lib.c 2020-03-17 17:30:52.056566869 +0100
@@ -34,6 +34,12 @@ int RSA_set_method(RSA *rsa, const RSA_M
* to deal with which ENGINE it comes from.
*/
@@ -10716,12 +10410,12 @@ diff -up openssl-1.1.1b/crypto/rsa/rsa_lib.c.fips openssl-1.1.1b/crypto/rsa/rsa_
if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data)) {
goto err;
}
-diff -up openssl-1.1.1b/crypto/rsa/rsa_ossl.c.fips openssl-1.1.1b/crypto/rsa/rsa_ossl.c
---- openssl-1.1.1b/crypto/rsa/rsa_ossl.c.fips 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/rsa/rsa_ossl.c 2019-02-28 11:31:57.315691372 +0100
+diff -up openssl-1.1.1e/crypto/rsa/rsa_ossl.c.fips openssl-1.1.1e/crypto/rsa/rsa_ossl.c
+--- openssl-1.1.1e/crypto/rsa/rsa_ossl.c.fips 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/crypto/rsa/rsa_ossl.c 2020-03-17 17:34:32.289726964 +0100
@@ -12,6 +12,10 @@
- #include "rsa_locl.h"
- #include "internal/constant_time_locl.h"
+ #include "rsa_local.h"
+ #include "internal/constant_time.h"
+#ifdef OPENSSL_FIPS
+# include <openssl/fips.h>
@@ -10766,7 +10460,7 @@ diff -up openssl-1.1.1b/crypto/rsa/rsa_ossl.c.fips openssl-1.1.1b/crypto/rsa/rsa
if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) {
RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE);
return -1;
-@@ -247,6 +273,22 @@ static int rsa_ossl_private_encrypt(int
+@@ -246,6 +272,22 @@ static int rsa_ossl_private_encrypt(int
BIGNUM *unblind = NULL;
BN_BLINDING *blinding = NULL;
@@ -10789,7 +10483,7 @@ diff -up openssl-1.1.1b/crypto/rsa/rsa_ossl.c.fips openssl-1.1.1b/crypto/rsa/rsa
if ((ctx = BN_CTX_new()) == NULL)
goto err;
BN_CTX_start(ctx);
-@@ -377,6 +419,22 @@ static int rsa_ossl_private_decrypt(int
+@@ -380,6 +422,22 @@ static int rsa_ossl_private_decrypt(int
BIGNUM *unblind = NULL;
BN_BLINDING *blinding = NULL;
@@ -10812,7 +10506,7 @@ diff -up openssl-1.1.1b/crypto/rsa/rsa_ossl.c.fips openssl-1.1.1b/crypto/rsa/rsa
if ((ctx = BN_CTX_new()) == NULL)
goto err;
BN_CTX_start(ctx);
-@@ -500,6 +558,22 @@ static int rsa_ossl_public_decrypt(int f
+@@ -507,6 +565,22 @@ static int rsa_ossl_public_decrypt(int f
unsigned char *buf = NULL;
BN_CTX *ctx = NULL;
@@ -10835,9 +10529,9 @@ diff -up openssl-1.1.1b/crypto/rsa/rsa_ossl.c.fips openssl-1.1.1b/crypto/rsa/rsa
if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) {
RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE);
return -1;
-diff -up openssl-1.1.1b/crypto/rsa/rsa_pmeth.c.fips openssl-1.1.1b/crypto/rsa/rsa_pmeth.c
---- openssl-1.1.1b/crypto/rsa/rsa_pmeth.c.fips 2019-05-06 14:48:26.514174053 +0200
-+++ openssl-1.1.1b/crypto/rsa/rsa_pmeth.c 2019-05-06 14:45:46.732956649 +0200
+diff -up openssl-1.1.1e/crypto/rsa/rsa_pmeth.c.fips openssl-1.1.1e/crypto/rsa/rsa_pmeth.c
+--- openssl-1.1.1e/crypto/rsa/rsa_pmeth.c.fips 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/crypto/rsa/rsa_pmeth.c 2020-03-17 17:30:52.056566869 +0100
@@ -756,7 +756,7 @@ static int pkey_rsa_keygen(EVP_PKEY_CTX
const EVP_PKEY_METHOD rsa_pkey_meth = {
@@ -10856,9 +10550,9 @@ diff -up openssl-1.1.1b/crypto/rsa/rsa_pmeth.c.fips openssl-1.1.1b/crypto/rsa/rs
pkey_rsa_init,
pkey_rsa_copy,
pkey_rsa_cleanup,
-diff -up openssl-1.1.1b/crypto/rsa/rsa_sign.c.fips openssl-1.1.1b/crypto/rsa/rsa_sign.c
---- openssl-1.1.1b/crypto/rsa/rsa_sign.c.fips 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/rsa/rsa_sign.c 2019-02-28 11:30:06.819745428 +0100
+diff -up openssl-1.1.1e/crypto/rsa/rsa_sign.c.fips openssl-1.1.1e/crypto/rsa/rsa_sign.c
+--- openssl-1.1.1e/crypto/rsa/rsa_sign.c.fips 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/crypto/rsa/rsa_sign.c 2020-03-17 17:30:52.057566851 +0100
@@ -73,6 +73,13 @@ int RSA_sign(int type, const unsigned ch
unsigned char *tmps = NULL;
const unsigned char *encoded = NULL;
@@ -10885,9 +10579,9 @@ diff -up openssl-1.1.1b/crypto/rsa/rsa_sign.c.fips openssl-1.1.1b/crypto/rsa/rsa
if (encrypt_len <= 0)
goto err;
-diff -up openssl-1.1.1b/crypto/sha/sha256.c.fips openssl-1.1.1b/crypto/sha/sha256.c
---- openssl-1.1.1b/crypto/sha/sha256.c.fips 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/sha/sha256.c 2019-02-28 11:30:06.819745428 +0100
+diff -up openssl-1.1.1e/crypto/sha/sha256.c.fips openssl-1.1.1e/crypto/sha/sha256.c
+--- openssl-1.1.1e/crypto/sha/sha256.c.fips 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/crypto/sha/sha256.c 2020-03-17 17:30:52.057566851 +0100
@@ -18,6 +18,9 @@
int SHA224_Init(SHA256_CTX *c)
@@ -10908,9 +10602,9 @@ diff -up openssl-1.1.1b/crypto/sha/sha256.c.fips openssl-1.1.1b/crypto/sha/sha25
memset(c, 0, sizeof(*c));
c->h[0] = 0x6a09e667UL;
c->h[1] = 0xbb67ae85UL;
-diff -up openssl-1.1.1b/crypto/sha/sha512.c.fips openssl-1.1.1b/crypto/sha/sha512.c
---- openssl-1.1.1b/crypto/sha/sha512.c.fips 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/sha/sha512.c 2019-02-28 11:30:06.820745410 +0100
+diff -up openssl-1.1.1e/crypto/sha/sha512.c.fips openssl-1.1.1e/crypto/sha/sha512.c
+--- openssl-1.1.1e/crypto/sha/sha512.c.fips 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/crypto/sha/sha512.c 2020-03-17 17:30:52.057566851 +0100
@@ -98,6 +98,9 @@ int sha512_256_init(SHA512_CTX *c)
int SHA384_Init(SHA512_CTX *c)
@@ -10931,9 +10625,9 @@ diff -up openssl-1.1.1b/crypto/sha/sha512.c.fips openssl-1.1.1b/crypto/sha/sha51
c->h[0] = U64(0x6a09e667f3bcc908);
c->h[1] = U64(0xbb67ae8584caa73b);
c->h[2] = U64(0x3c6ef372fe94f82b);
-diff -up openssl-1.1.1b/crypto/sha/sha_locl.h.fips openssl-1.1.1b/crypto/sha/sha_locl.h
---- openssl-1.1.1b/crypto/sha/sha_locl.h.fips 2019-02-28 11:30:06.628748979 +0100
-+++ openssl-1.1.1b/crypto/sha/sha_locl.h 2019-02-28 11:30:06.820745410 +0100
+diff -up openssl-1.1.1e/crypto/sha/sha_local.h.fips openssl-1.1.1e/crypto/sha/sha_local.h
+--- openssl-1.1.1e/crypto/sha/sha_local.h.fips 2020-03-17 17:30:51.766571925 +0100
++++ openssl-1.1.1e/crypto/sha/sha_local.h 2020-03-17 17:31:00.996410998 +0100
@@ -52,6 +52,9 @@ void sha1_block_data_order(SHA_CTX *c, c
int HASH_INIT(SHA_CTX *c)
@@ -10944,9 +10638,9 @@ diff -up openssl-1.1.1b/crypto/sha/sha_locl.h.fips openssl-1.1.1b/crypto/sha/sha
memset(c, 0, sizeof(*c));
c->h0 = INIT_DATA_h0;
c->h1 = INIT_DATA_h1;
-diff -up openssl-1.1.1b/doc/man3/DSA_generate_parameters.pod.fips openssl-1.1.1b/doc/man3/DSA_generate_parameters.pod
---- openssl-1.1.1b/doc/man3/DSA_generate_parameters.pod.fips 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/doc/man3/DSA_generate_parameters.pod 2019-02-28 11:30:06.820745410 +0100
+diff -up openssl-1.1.1e/doc/man3/DSA_generate_parameters.pod.fips openssl-1.1.1e/doc/man3/DSA_generate_parameters.pod
+--- openssl-1.1.1e/doc/man3/DSA_generate_parameters.pod.fips 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/doc/man3/DSA_generate_parameters.pod 2020-03-17 17:31:00.996410998 +0100
@@ -30,8 +30,10 @@ B<bits> is the length of the prime p to
For lengths under 2048 bits, the length of q is 160 bits; for lengths
greater than or equal to 2048 bits, the length of q is set to 256 bits.
@@ -10960,9 +10654,9 @@ diff -up openssl-1.1.1b/doc/man3/DSA_generate_parameters.pod.fips openssl-1.1.1b
DSA_generate_parameters_ex() places the iteration count in
*B<counter_ret> and a counter used for finding a generator in
-diff -up openssl-1.1.1b/include/openssl/crypto.h.fips openssl-1.1.1b/include/openssl/crypto.h
---- openssl-1.1.1b/include/openssl/crypto.h.fips 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/include/openssl/crypto.h 2019-02-28 11:30:06.820745410 +0100
+diff -up openssl-1.1.1e/include/openssl/crypto.h.fips openssl-1.1.1e/include/openssl/crypto.h
+--- openssl-1.1.1e/include/openssl/crypto.h.fips 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/include/openssl/crypto.h 2020-03-17 17:31:00.997410980 +0100
@@ -331,6 +331,11 @@ int OPENSSL_isservice(void);
int FIPS_mode(void);
int FIPS_mode_set(int r);
@@ -10975,10 +10669,10 @@ diff -up openssl-1.1.1b/include/openssl/crypto.h.fips openssl-1.1.1b/include/ope
void OPENSSL_init(void);
# ifdef OPENSSL_SYS_UNIX
void OPENSSL_fork_prepare(void);
-diff -up openssl-1.1.1b/include/openssl/dherr.h.fips openssl-1.1.1b/include/openssl/dherr.h
---- openssl-1.1.1b/include/openssl/dherr.h.fips 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/include/openssl/dherr.h 2019-02-28 11:30:06.820745410 +0100
-@@ -32,6 +32,9 @@ int ERR_load_DH_strings(void);
+diff -up openssl-1.1.1e/include/openssl/dherr.h.fips openssl-1.1.1e/include/openssl/dherr.h
+--- openssl-1.1.1e/include/openssl/dherr.h.fips 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/include/openssl/dherr.h 2020-03-17 17:31:00.998410963 +0100
+@@ -36,6 +36,9 @@ int ERR_load_DH_strings(void);
# define DH_F_DH_CMS_DECRYPT 114
# define DH_F_DH_CMS_SET_PEERKEY 115
# define DH_F_DH_CMS_SET_SHARED_INFO 116
@@ -10988,7 +10682,7 @@ diff -up openssl-1.1.1b/include/openssl/dherr.h.fips openssl-1.1.1b/include/open
# define DH_F_DH_METH_DUP 117
# define DH_F_DH_METH_NEW 118
# define DH_F_DH_METH_SET1_NAME 119
-@@ -69,12 +72,14 @@ int ERR_load_DH_strings(void);
+@@ -73,12 +76,14 @@ int ERR_load_DH_strings(void);
# define DH_R_INVALID_PARAMETER_NID 114
# define DH_R_INVALID_PUBKEY 102
# define DH_R_KDF_PARAMETER_ERROR 112
@@ -11003,9 +10697,9 @@ diff -up openssl-1.1.1b/include/openssl/dherr.h.fips openssl-1.1.1b/include/open
# define DH_R_PARAMETER_ENCODING_ERROR 105
# define DH_R_PEER_KEY_ERROR 111
# define DH_R_SHARED_INFO_ERROR 113
-diff -up openssl-1.1.1b/include/openssl/dh.h.fips openssl-1.1.1b/include/openssl/dh.h
---- openssl-1.1.1b/include/openssl/dh.h.fips 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/include/openssl/dh.h 2019-02-28 11:30:06.820745410 +0100
+diff -up openssl-1.1.1e/include/openssl/dh.h.fips openssl-1.1.1e/include/openssl/dh.h
+--- openssl-1.1.1e/include/openssl/dh.h.fips 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/include/openssl/dh.h 2020-03-17 17:31:00.998410963 +0100
@@ -31,6 +31,7 @@ extern "C" {
# endif
@@ -11014,10 +10708,10 @@ diff -up openssl-1.1.1b/include/openssl/dh.h.fips openssl-1.1.1b/include/openssl
# define DH_FLAG_CACHE_MONT_P 0x01
-diff -up openssl-1.1.1b/include/openssl/dsaerr.h.fips openssl-1.1.1b/include/openssl/dsaerr.h
---- openssl-1.1.1b/include/openssl/dsaerr.h.fips 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/include/openssl/dsaerr.h 2019-02-28 11:30:06.821745391 +0100
-@@ -25,8 +25,11 @@ int ERR_load_DSA_strings(void);
+diff -up openssl-1.1.1e/include/openssl/dsaerr.h.fips openssl-1.1.1e/include/openssl/dsaerr.h
+--- openssl-1.1.1e/include/openssl/dsaerr.h.fips 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/include/openssl/dsaerr.h 2020-03-17 17:31:00.999410945 +0100
+@@ -29,8 +29,11 @@ int ERR_load_DSA_strings(void);
*/
# define DSA_F_DSAPARAMS_PRINT 100
# define DSA_F_DSAPARAMS_PRINT_FP 101
@@ -11029,22 +10723,23 @@ diff -up openssl-1.1.1b/include/openssl/dsaerr.h.fips openssl-1.1.1b/include/ope
# define DSA_F_DSA_DO_SIGN 112
# define DSA_F_DSA_DO_VERIFY 113
# define DSA_F_DSA_METH_DUP 127
-@@ -56,9 +59,12 @@ int ERR_load_DSA_strings(void);
+@@ -60,10 +63,13 @@ int ERR_load_DSA_strings(void);
# define DSA_R_DECODE_ERROR 104
# define DSA_R_INVALID_DIGEST_TYPE 106
# define DSA_R_INVALID_PARAMETERS 112
+# define DSA_R_KEY_SIZE_INVALID 201
+# define DSA_R_KEY_SIZE_TOO_SMALL 202
# define DSA_R_MISSING_PARAMETERS 101
+ # define DSA_R_MISSING_PRIVATE_KEY 111
# define DSA_R_MODULUS_TOO_LARGE 103
# define DSA_R_NO_PARAMETERS_SET 107
+# define DSA_R_NON_FIPS_DSA_METHOD 200
# define DSA_R_PARAMETER_ENCODING_ERROR 105
# define DSA_R_Q_NOT_PRIME 113
# define DSA_R_SEED_LEN_SMALL 110
-diff -up openssl-1.1.1b/include/openssl/dsa.h.fips openssl-1.1.1b/include/openssl/dsa.h
---- openssl-1.1.1b/include/openssl/dsa.h.fips 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/include/openssl/dsa.h 2019-02-28 11:30:06.821745391 +0100
+diff -up openssl-1.1.1e/include/openssl/dsa.h.fips openssl-1.1.1e/include/openssl/dsa.h
+--- openssl-1.1.1e/include/openssl/dsa.h.fips 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/include/openssl/dsa.h 2020-03-17 17:31:01.000410928 +0100
@@ -31,6 +31,7 @@ extern "C" {
# endif
@@ -11053,26 +10748,29 @@ diff -up openssl-1.1.1b/include/openssl/dsa.h.fips openssl-1.1.1b/include/openss
# define DSA_FLAG_CACHE_MONT_P 0x01
# if OPENSSL_API_COMPAT < 0x10100000L
-diff -up openssl-1.1.1b/include/openssl/evperr.h.fips openssl-1.1.1b/include/openssl/evperr.h
---- openssl-1.1.1b/include/openssl/evperr.h.fips 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/include/openssl/evperr.h 2019-05-06 16:40:21.324571446 +0200
-@@ -20,11 +20,15 @@ int ERR_load_EVP_strings(void);
+diff -up openssl-1.1.1e/include/openssl/evperr.h.fips openssl-1.1.1e/include/openssl/evperr.h
+--- openssl-1.1.1e/include/openssl/evperr.h.fips 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/include/openssl/evperr.h 2020-03-17 17:31:01.000410928 +0100
+@@ -24,14 +24,15 @@ int ERR_load_EVP_strings(void);
* EVP function codes.
*/
# define EVP_F_AESNI_INIT_KEY 165
+-# define EVP_F_AESNI_XTS_INIT_KEY 207
+# define EVP_F_AESNI_XTS_INIT_KEY 233
# define EVP_F_AES_GCM_CTRL 196
# define EVP_F_AES_INIT_KEY 133
# define EVP_F_AES_OCB_CIPHER 169
# define EVP_F_AES_T4_INIT_KEY 178
+-# define EVP_F_AES_T4_XTS_INIT_KEY 208
+# define EVP_F_AES_T4_XTS_INIT_KEY 234
# define EVP_F_AES_WRAP_CIPHER 170
+-# define EVP_F_AES_XTS_INIT_KEY 209
+# define EVP_F_AES_XTS_CIPHER 229
+# define EVP_F_AES_XTS_INIT_KEY 235
# define EVP_F_ALG_MODULE_INIT 177
# define EVP_F_ARIA_CCM_INIT_KEY 175
# define EVP_F_ARIA_GCM_CTRL 197
-@@ -133,6 +134,7 @@ int ERR_load_EVP_strings(void);
+@@ -142,6 +143,7 @@ int ERR_load_EVP_strings(void);
# define EVP_R_CTRL_OPERATION_NOT_IMPLEMENTED 133
# define EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH 138
# define EVP_R_DECODE_ERROR 114
@@ -11080,7 +10778,7 @@ diff -up openssl-1.1.1b/include/openssl/evperr.h.fips openssl-1.1.1b/include/ope
# define EVP_R_DIFFERENT_KEY_TYPES 101
# define EVP_R_DIFFERENT_PARAMETERS 153
# define EVP_R_ERROR_LOADING_SECTION 165
-@@ -175,6 +177,7 @@ int ERR_load_EVP_strings(void);
+@@ -185,6 +187,7 @@ int ERR_load_EVP_strings(void);
# define EVP_R_PRIVATE_KEY_DECODE_ERROR 145
# define EVP_R_PRIVATE_KEY_ENCODE_ERROR 146
# define EVP_R_PUBLIC_KEY_NOT_RSA 106
@@ -11088,18 +10786,19 @@ diff -up openssl-1.1.1b/include/openssl/evperr.h.fips openssl-1.1.1b/include/ope
# define EVP_R_UNKNOWN_CIPHER 160
# define EVP_R_UNKNOWN_DIGEST 161
# define EVP_R_UNKNOWN_OPTION 169
-@@ -190,5 +193,7 @@ int ERR_load_EVP_strings(void);
+@@ -200,6 +203,7 @@ int ERR_load_EVP_strings(void);
# define EVP_R_UNSUPPORTED_SALT_TYPE 126
# define EVP_R_WRAP_MODE_NOT_ALLOWED 170
# define EVP_R_WRONG_FINAL_BLOCK_LENGTH 109
+-# define EVP_R_XTS_DUPLICATED_KEYS 183
+# define EVP_R_XTS_DATA_UNIT_IS_TOO_LARGE 191
+# define EVP_R_XTS_DUPLICATED_KEYS 192
#endif
-diff -up openssl-1.1.1b/include/openssl/evp.h.fips openssl-1.1.1b/include/openssl/evp.h
---- openssl-1.1.1b/include/openssl/evp.h.fips 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/include/openssl/evp.h 2019-05-06 14:54:13.213136281 +0200
-@@ -1319,6 +1319,9 @@ void EVP_PKEY_asn1_set_security_bits(EVP
+diff -up openssl-1.1.1e/include/openssl/evp.h.fips openssl-1.1.1e/include/openssl/evp.h
+--- openssl-1.1.1e/include/openssl/evp.h.fips 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/include/openssl/evp.h 2020-03-17 17:31:01.001410911 +0100
+@@ -1324,6 +1324,9 @@ void EVP_PKEY_asn1_set_security_bits(EVP
*/
# define EVP_PKEY_FLAG_SIGCTX_CUSTOM 4
@@ -11109,9 +10808,9 @@ diff -up openssl-1.1.1b/include/openssl/evp.h.fips openssl-1.1.1b/include/openss
const EVP_PKEY_METHOD *EVP_PKEY_meth_find(int type);
EVP_PKEY_METHOD *EVP_PKEY_meth_new(int id, int flags);
void EVP_PKEY_meth_get0_info(int *ppkey_id, int *pflags,
-diff -up openssl-1.1.1b/include/openssl/fips.h.fips openssl-1.1.1b/include/openssl/fips.h
---- openssl-1.1.1b/include/openssl/fips.h.fips 2019-05-06 16:08:46.800598073 +0200
-+++ openssl-1.1.1b/include/openssl/fips.h 2019-05-06 16:43:12.874549821 +0200
+diff -up openssl-1.1.1e/include/openssl/fips.h.fips openssl-1.1.1e/include/openssl/fips.h
+--- openssl-1.1.1e/include/openssl/fips.h.fips 2020-03-17 17:31:01.002410893 +0100
++++ openssl-1.1.1e/include/openssl/fips.h 2020-03-17 17:31:01.002410893 +0100
@@ -0,0 +1,187 @@
+/* ====================================================================
+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
@@ -11300,9 +10999,9 @@ diff -up openssl-1.1.1b/include/openssl/fips.h.fips openssl-1.1.1b/include/opens
+}
+# endif
+#endif
-diff -up openssl-1.1.1b/include/openssl/fips_rand.h.fips openssl-1.1.1b/include/openssl/fips_rand.h
---- openssl-1.1.1b/include/openssl/fips_rand.h.fips 2019-02-28 11:30:06.821745391 +0100
-+++ openssl-1.1.1b/include/openssl/fips_rand.h 2019-02-28 11:30:06.821745391 +0100
+diff -up openssl-1.1.1e/include/openssl/fips_rand.h.fips openssl-1.1.1e/include/openssl/fips_rand.h
+--- openssl-1.1.1e/include/openssl/fips_rand.h.fips 2020-03-17 17:31:01.003410876 +0100
++++ openssl-1.1.1e/include/openssl/fips_rand.h 2020-03-17 17:31:01.003410876 +0100
@@ -0,0 +1,145 @@
+/* ====================================================================
+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
@@ -11449,9 +11148,9 @@ diff -up openssl-1.1.1b/include/openssl/fips_rand.h.fips openssl-1.1.1b/include/
+# endif
+# endif
+#endif
-diff -up openssl-1.1.1b/include/openssl/opensslconf.h.in.fips openssl-1.1.1b/include/openssl/opensslconf.h.in
---- openssl-1.1.1b/include/openssl/opensslconf.h.in.fips 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/include/openssl/opensslconf.h.in 2019-02-28 11:30:06.822745372 +0100
+diff -up openssl-1.1.1e/include/openssl/opensslconf.h.in.fips openssl-1.1.1e/include/openssl/opensslconf.h.in
+--- openssl-1.1.1e/include/openssl/opensslconf.h.in.fips 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/include/openssl/opensslconf.h.in 2020-03-17 17:31:01.003410876 +0100
@@ -150,6 +150,11 @@ extern "C" {
#define RC4_INT {- $config{rc4_int} -}
@@ -11464,10 +11163,10 @@ diff -up openssl-1.1.1b/include/openssl/opensslconf.h.in.fips openssl-1.1.1b/inc
#ifdef __cplusplus
}
#endif
-diff -up openssl-1.1.1b/include/openssl/randerr.h.fips openssl-1.1.1b/include/openssl/randerr.h
---- openssl-1.1.1b/include/openssl/randerr.h.fips 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/include/openssl/randerr.h 2019-02-28 11:30:06.822745372 +0100
-@@ -35,6 +35,7 @@ int ERR_load_RAND_strings(void);
+diff -up openssl-1.1.1e/include/openssl/randerr.h.fips openssl-1.1.1e/include/openssl/randerr.h
+--- openssl-1.1.1e/include/openssl/randerr.h.fips 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/include/openssl/randerr.h 2020-03-17 17:31:01.004410858 +0100
+@@ -38,6 +38,7 @@ int ERR_load_RAND_strings(void);
# define RAND_F_RAND_DRBG_SET 104
# define RAND_F_RAND_DRBG_SET_DEFAULTS 121
# define RAND_F_RAND_DRBG_UNINSTANTIATE 118
@@ -11475,9 +11174,9 @@ diff -up openssl-1.1.1b/include/openssl/randerr.h.fips openssl-1.1.1b/include/op
# define RAND_F_RAND_LOAD_FILE 111
# define RAND_F_RAND_POOL_ACQUIRE_ENTROPY 122
# define RAND_F_RAND_POOL_ADD 103
-diff -up openssl-1.1.1b/include/openssl/rand.h.fips openssl-1.1.1b/include/openssl/rand.h
---- openssl-1.1.1b/include/openssl/rand.h.fips 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/include/openssl/rand.h 2019-02-28 11:30:06.822745372 +0100
+diff -up openssl-1.1.1e/include/openssl/rand.h.fips openssl-1.1.1e/include/openssl/rand.h
+--- openssl-1.1.1e/include/openssl/rand.h.fips 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/include/openssl/rand.h 2020-03-17 17:31:01.004410858 +0100
@@ -69,6 +69,11 @@ DEPRECATEDIN_1_1_0(void RAND_screen(void
DEPRECATEDIN_1_1_0(int RAND_event(UINT, WPARAM, LPARAM))
# endif
@@ -11490,10 +11189,10 @@ diff -up openssl-1.1.1b/include/openssl/rand.h.fips openssl-1.1.1b/include/opens
#ifdef __cplusplus
}
-diff -up openssl-1.1.1b/include/openssl/rsaerr.h.fips openssl-1.1.1b/include/openssl/rsaerr.h
---- openssl-1.1.1b/include/openssl/rsaerr.h.fips 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/include/openssl/rsaerr.h 2019-02-28 11:30:06.822745372 +0100
-@@ -21,6 +21,7 @@ int ERR_load_RSA_strings(void);
+diff -up openssl-1.1.1e/include/openssl/rsaerr.h.fips openssl-1.1.1e/include/openssl/rsaerr.h
+--- openssl-1.1.1e/include/openssl/rsaerr.h.fips 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/include/openssl/rsaerr.h 2020-03-17 17:31:01.005410841 +0100
+@@ -25,6 +25,7 @@ int ERR_load_RSA_strings(void);
*/
# define RSA_F_CHECK_PADDING_MD 140
# define RSA_F_ENCODE_PKCS1 146
@@ -11501,7 +11200,7 @@ diff -up openssl-1.1.1b/include/openssl/rsaerr.h.fips openssl-1.1.1b/include/ope
# define RSA_F_INT_RSA_VERIFY 145
# define RSA_F_OLD_RSA_PRIV_DECODE 147
# define RSA_F_PKEY_PSS_INIT 165
-@@ -35,6 +36,8 @@ int ERR_load_RSA_strings(void);
+@@ -39,6 +40,8 @@ int ERR_load_RSA_strings(void);
# define RSA_F_RSA_CHECK_KEY_EX 160
# define RSA_F_RSA_CMS_DECRYPT 159
# define RSA_F_RSA_CMS_VERIFY 158
@@ -11510,7 +11209,7 @@ diff -up openssl-1.1.1b/include/openssl/rsaerr.h.fips openssl-1.1.1b/include/ope
# define RSA_F_RSA_ITEM_VERIFY 148
# define RSA_F_RSA_METH_DUP 161
# define RSA_F_RSA_METH_NEW 162
-@@ -72,10 +75,16 @@ int ERR_load_RSA_strings(void);
+@@ -76,10 +79,16 @@ int ERR_load_RSA_strings(void);
# define RSA_F_RSA_PRINT_FP 116
# define RSA_F_RSA_PRIV_DECODE 150
# define RSA_F_RSA_PRIV_ENCODE 138
@@ -11527,7 +11226,7 @@ diff -up openssl-1.1.1b/include/openssl/rsaerr.h.fips openssl-1.1.1b/include/ope
# define RSA_F_RSA_SIGN 117
# define RSA_F_RSA_SIGN_ASN1_OCTET_STRING 118
# define RSA_F_RSA_VERIFY 119
-@@ -132,10 +141,12 @@ int ERR_load_RSA_strings(void);
+@@ -137,10 +146,12 @@ int ERR_load_RSA_strings(void);
# define RSA_R_MP_EXPONENT_NOT_CONGRUENT_TO_D 169
# define RSA_R_MP_R_NOT_PRIME 170
# define RSA_R_NO_PUBLIC_EXPONENT 140
@@ -11540,7 +11239,7 @@ diff -up openssl-1.1.1b/include/openssl/rsaerr.h.fips openssl-1.1.1b/include/ope
# define RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 148
# define RSA_R_PADDING_CHECK_FAILED 114
# define RSA_R_PKCS_DECODING_ERROR 159
-@@ -155,6 +166,7 @@ int ERR_load_RSA_strings(void);
+@@ -160,6 +171,7 @@ int ERR_load_RSA_strings(void);
# define RSA_R_UNSUPPORTED_LABEL_SOURCE 163
# define RSA_R_UNSUPPORTED_MASK_ALGORITHM 153
# define RSA_R_UNSUPPORTED_MASK_PARAMETER 154
@@ -11548,9 +11247,9 @@ diff -up openssl-1.1.1b/include/openssl/rsaerr.h.fips openssl-1.1.1b/include/ope
# define RSA_R_UNSUPPORTED_SIGNATURE_TYPE 155
# define RSA_R_VALUE_MISSING 147
# define RSA_R_WRONG_SIGNATURE_LENGTH 119
-diff -up openssl-1.1.1c/ssl/s3_lib.c.fips openssl-1.1.1c/ssl/s3_lib.c
---- openssl-1.1.1c/ssl/s3_lib.c.fips 2019-05-28 15:12:21.000000000 +0200
-+++ openssl-1.1.1c/ssl/s3_lib.c 2019-11-20 12:00:32.770173240 +0100
+diff -up openssl-1.1.1e/ssl/s3_lib.c.fips openssl-1.1.1e/ssl/s3_lib.c
+--- openssl-1.1.1e/ssl/s3_lib.c.fips 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/ssl/s3_lib.c 2020-03-17 17:31:01.007410806 +0100
@@ -43,7 +43,7 @@ static SSL_CIPHER tls13_ciphers[] = {
SSL_AEAD,
TLS1_3_VERSION, TLS1_3_VERSION,
@@ -11650,9 +11349,9 @@ diff -up openssl-1.1.1c/ssl/s3_lib.c.fips openssl-1.1.1c/ssl/s3_lib.c
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
256,
256,
-diff -up openssl-1.1.1b/ssl/ssl_ciph.c.fips openssl-1.1.1b/ssl/ssl_ciph.c
---- openssl-1.1.1b/ssl/ssl_ciph.c.fips 2019-02-28 11:30:06.776746228 +0100
-+++ openssl-1.1.1b/ssl/ssl_ciph.c 2019-02-28 11:30:06.822745372 +0100
+diff -up openssl-1.1.1e/ssl/ssl_ciph.c.fips openssl-1.1.1e/ssl/ssl_ciph.c
+--- openssl-1.1.1e/ssl/ssl_ciph.c.fips 2020-03-17 17:30:52.017567549 +0100
++++ openssl-1.1.1e/ssl/ssl_ciph.c 2020-03-17 17:31:01.008410788 +0100
@@ -387,7 +387,7 @@ int ssl_load_ciphers(void)
}
}
@@ -11681,7 +11380,7 @@ diff -up openssl-1.1.1b/ssl/ssl_ciph.c.fips openssl-1.1.1b/ssl/ssl_ciph.c
if ((c->algorithm_mkey & disabled_mkey) ||
(c->algorithm_auth & disabled_auth) ||
(c->algorithm_enc & disabled_enc) ||
-@@ -1670,7 +1675,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+@@ -1671,7 +1676,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
* to the resulting precedence to the STACK_OF(SSL_CIPHER).
*/
for (curr = head; curr != NULL; curr = curr->next) {
@@ -11691,9 +11390,9 @@ diff -up openssl-1.1.1b/ssl/ssl_ciph.c.fips openssl-1.1.1b/ssl/ssl_ciph.c
if (!sk_SSL_CIPHER_push(cipherstack, curr->cipher)) {
OPENSSL_free(co_list);
sk_SSL_CIPHER_free(cipherstack);
-diff -up openssl-1.1.1b/ssl/ssl_init.c.fips openssl-1.1.1b/ssl/ssl_init.c
---- openssl-1.1.1b/ssl/ssl_init.c.fips 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/ssl/ssl_init.c 2019-02-28 11:30:06.823745354 +0100
+diff -up openssl-1.1.1e/ssl/ssl_init.c.fips openssl-1.1.1e/ssl/ssl_init.c
+--- openssl-1.1.1e/ssl/ssl_init.c.fips 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/ssl/ssl_init.c 2020-03-17 17:31:01.009410771 +0100
@@ -27,6 +27,10 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_ssl_bas
fprintf(stderr, "OPENSSL_INIT: ossl_init_ssl_base: "
"Adding SSL ciphers and digests\n");
@@ -11737,10 +11436,10 @@ diff -up openssl-1.1.1b/ssl/ssl_init.c.fips openssl-1.1.1b/ssl/ssl_init.c
#ifndef OPENSSL_NO_COMP
# ifdef OPENSSL_INIT_DEBUG
fprintf(stderr, "OPENSSL_INIT: ossl_init_ssl_base: "
-diff -up openssl-1.1.1b/ssl/ssl_lib.c.fips openssl-1.1.1b/ssl/ssl_lib.c
---- openssl-1.1.1b/ssl/ssl_lib.c.fips 2019-02-28 11:30:06.776746228 +0100
-+++ openssl-1.1.1b/ssl/ssl_lib.c 2019-02-28 11:30:06.823745354 +0100
-@@ -2908,6 +2908,11 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
+diff -up openssl-1.1.1e/ssl/ssl_lib.c.fips openssl-1.1.1e/ssl/ssl_lib.c
+--- openssl-1.1.1e/ssl/ssl_lib.c.fips 2020-03-17 17:30:52.018567531 +0100
++++ openssl-1.1.1e/ssl/ssl_lib.c 2020-03-17 17:31:01.011410736 +0100
+@@ -2970,6 +2970,11 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
if (!OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL))
return NULL;
@@ -11752,7 +11451,7 @@ diff -up openssl-1.1.1b/ssl/ssl_lib.c.fips openssl-1.1.1b/ssl/ssl_lib.c
if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0) {
SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_X509_VERIFICATION_SETUP_PROBLEMS);
goto err;
-@@ -2964,13 +2969,17 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
+@@ -3026,13 +3031,17 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
if (ret->param == NULL)
goto err;
@@ -11777,10 +11476,10 @@ diff -up openssl-1.1.1b/ssl/ssl_lib.c.fips openssl-1.1.1b/ssl/ssl_lib.c
}
if ((ret->ca_names = sk_X509_NAME_new_null()) == NULL)
-diff -up openssl-1.1.1c/ssl/ssl_locl.h.fips openssl-1.1.1c/ssl/ssl_locl.h
---- openssl-1.1.1c/ssl/ssl_locl.h.fips 2019-06-03 16:44:58.963560101 +0200
-+++ openssl-1.1.1c/ssl/ssl_locl.h 2019-06-24 14:43:19.547353076 +0200
-@@ -1507,6 +1507,7 @@ typedef struct tls_group_info_st {
+diff -up openssl-1.1.1e/ssl/ssl_local.h.fips openssl-1.1.1e/ssl/ssl_local.h
+--- openssl-1.1.1e/ssl/ssl_local.h.fips 2020-03-17 17:30:51.842570600 +0100
++++ openssl-1.1.1e/ssl/ssl_local.h 2020-03-17 17:31:10.740241108 +0100
+@@ -1516,6 +1516,7 @@ typedef struct tls_group_info_st {
# define TLS_CURVE_PRIME 0x0
# define TLS_CURVE_CHAR2 0x1
# define TLS_CURVE_CUSTOM 0x2
@@ -11788,10 +11487,10 @@ diff -up openssl-1.1.1c/ssl/ssl_locl.h.fips openssl-1.1.1c/ssl/ssl_locl.h
typedef struct cert_pkey_st CERT_PKEY;
-diff -up openssl-1.1.1c/ssl/t1_lib.c.fips openssl-1.1.1c/ssl/t1_lib.c
---- openssl-1.1.1c/ssl/t1_lib.c.fips 2019-05-28 15:12:21.000000000 +0200
-+++ openssl-1.1.1c/ssl/t1_lib.c 2019-06-24 14:49:00.638576235 +0200
-@@ -156,11 +156,11 @@ static const TLS_GROUP_INFO nid_list[] =
+diff -up openssl-1.1.1e/ssl/t1_lib.c.fips openssl-1.1.1e/ssl/t1_lib.c
+--- openssl-1.1.1e/ssl/t1_lib.c.fips 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/ssl/t1_lib.c 2020-03-17 17:31:10.741241091 +0100
+@@ -159,11 +159,11 @@ static const TLS_GROUP_INFO nid_list[] =
{NID_secp192k1, 80, TLS_CURVE_PRIME}, /* secp192k1 (18) */
{NID_X9_62_prime192v1, 80, TLS_CURVE_PRIME}, /* secp192r1 (19) */
{NID_secp224k1, 112, TLS_CURVE_PRIME}, /* secp224k1 (20) */
@@ -11807,7 +11506,7 @@ diff -up openssl-1.1.1c/ssl/t1_lib.c.fips openssl-1.1.1c/ssl/t1_lib.c
{NID_brainpoolP256r1, 128, TLS_CURVE_PRIME}, /* brainpoolP256r1 (26) */
{NID_brainpoolP384r1, 192, TLS_CURVE_PRIME}, /* brainpoolP384r1 (27) */
{NID_brainpoolP512r1, 256, TLS_CURVE_PRIME}, /* brainpool512r1 (28) */
-@@ -255,6 +255,8 @@ int tls_curve_allowed(SSL *s, uint16_t c
+@@ -258,6 +258,8 @@ int tls_curve_allowed(SSL *s, uint16_t c
if (cinfo->flags & TLS_CURVE_CHAR2)
return 0;
# endif
@@ -11816,9 +11515,9 @@ diff -up openssl-1.1.1c/ssl/t1_lib.c.fips openssl-1.1.1c/ssl/t1_lib.c
ctmp[0] = curve >> 8;
ctmp[1] = curve & 0xff;
return ssl_security(s, op, cinfo->secbits, cinfo->nid, (void *)ctmp);
-diff -up openssl-1.1.1b/test/dsatest.c.fips openssl-1.1.1b/test/dsatest.c
---- openssl-1.1.1b/test/dsatest.c.fips 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/test/dsatest.c 2019-02-28 11:30:06.824745335 +0100
+diff -up openssl-1.1.1e/test/dsatest.c.fips openssl-1.1.1e/test/dsatest.c
+--- openssl-1.1.1e/test/dsatest.c.fips 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/test/dsatest.c 2020-03-17 17:31:10.741241091 +0100
@@ -24,41 +24,42 @@
#ifndef OPENSSL_NO_DSA
static int dsa_cb(int p, int n, BN_GENCB *arg);
@@ -11901,10 +11600,10 @@ diff -up openssl-1.1.1b/test/dsatest.c.fips openssl-1.1.1b/test/dsatest.c
goto end;
if (!TEST_int_eq(h, 2))
goto end;
-diff -up openssl-1.1.1b/test/recipes/30-test_evp_data/evpciph.txt.fips openssl-1.1.1b/test/recipes/30-test_evp_data/evpciph.txt
---- openssl-1.1.1b/test/recipes/30-test_evp_data/evpciph.txt.fips 2019-05-06 16:08:46.857597085 +0200
-+++ openssl-1.1.1b/test/recipes/30-test_evp_data/evpciph.txt 2019-05-06 16:35:37.917563292 +0200
-@@ -1184,6 +1184,7 @@ Key = 0000000000000000000000000000000000
+diff -up openssl-1.1.1e/test/recipes/30-test_evp_data/evpciph.txt.fips openssl-1.1.1e/test/recipes/30-test_evp_data/evpciph.txt
+--- openssl-1.1.1e/test/recipes/30-test_evp_data/evpciph.txt.fips 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/test/recipes/30-test_evp_data/evpciph.txt 2020-03-17 17:31:10.742241073 +0100
+@@ -1206,6 +1206,7 @@ Key = 0000000000000000000000000000000000
IV = 00000000000000000000000000000000
Plaintext = 0000000000000000000000000000000000000000000000000000000000000000
Ciphertext = 917cf69ebd68b2ec9b9fe9a3eadda692cd43d2f59598ed858c02c2652fbf922e
@@ -11912,13 +11611,13 @@ diff -up openssl-1.1.1b/test/recipes/30-test_evp_data/evpciph.txt.fips openssl-1
Cipher = aes-128-xts
Key = 1111111111111111111111111111111122222222222222222222222222222222
-diff -up openssl-1.1.1c/util/libcrypto.num.fips openssl-1.1.1c/util/libcrypto.num
---- openssl-1.1.1c/util/libcrypto.num.fips 2019-05-29 15:46:19.154260824 +0200
-+++ openssl-1.1.1c/util/libcrypto.num 2019-05-29 15:50:10.390191805 +0200
-@@ -4580,3 +4580,38 @@ EVP_PKEY_meth_get_digest_custom
- OPENSSL_INIT_set_config_filename 4534 1_1_1b EXIST::FUNCTION:STDIO
- OPENSSL_INIT_set_config_file_flags 4535 1_1_1b EXIST::FUNCTION:STDIO
- EVP_PKEY_get0_engine 4536 1_1_1c EXIST::FUNCTION:ENGINE
+diff -up openssl-1.1.1e/util/libcrypto.num.fips openssl-1.1.1e/util/libcrypto.num
+--- openssl-1.1.1e/util/libcrypto.num.fips 2020-03-17 17:31:10.744241038 +0100
++++ openssl-1.1.1e/util/libcrypto.num 2020-03-17 17:32:37.851722261 +0100
+@@ -4587,3 +4587,38 @@ EVP_PKEY_meth_set_digestverify
+ EVP_PKEY_meth_get_digestverify 4541 1_1_1e EXIST::FUNCTION:
+ EVP_PKEY_meth_get_digestsign 4542 1_1_1e EXIST::FUNCTION:
+ RSA_get0_pss_params 4543 1_1_1e EXIST::FUNCTION:RSA
+FIPS_drbg_reseed 6348 1_1_0g EXIST::FUNCTION:
+FIPS_selftest_check 6349 1_1_0g EXIST::FUNCTION:
+FIPS_rand_set_method 6350 1_1_0g EXIST::FUNCTION:
diff --git a/SOURCES/openssl-1.1.1-intel-cet.patch b/SOURCES/openssl-1.1.1-intel-cet.patch
new file mode 100644
index 0000000..a95bf9c
--- /dev/null
+++ b/SOURCES/openssl-1.1.1-intel-cet.patch
@@ -0,0 +1,500 @@
+diff -up openssl-1.1.1e/crypto/aes/asm/aesni-x86_64.pl.intel-cet openssl-1.1.1e/crypto/aes/asm/aesni-x86_64.pl
+--- openssl-1.1.1e/crypto/aes/asm/aesni-x86_64.pl.intel-cet 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/crypto/aes/asm/aesni-x86_64.pl 2020-03-19 17:07:02.626522694 +0100
+@@ -275,6 +275,7 @@ $code.=<<___;
+ .align 16
+ ${PREFIX}_encrypt:
+ .cfi_startproc
++ endbranch
+ movups ($inp),$inout0 # load input
+ mov 240($key),$rounds # key->rounds
+ ___
+@@ -293,6 +294,7 @@ $code.=<<___;
+ .align 16
+ ${PREFIX}_decrypt:
+ .cfi_startproc
++ endbranch
+ movups ($inp),$inout0 # load input
+ mov 240($key),$rounds # key->rounds
+ ___
+@@ -613,6 +615,7 @@ $code.=<<___;
+ .align 16
+ aesni_ecb_encrypt:
+ .cfi_startproc
++ endbranch
+ ___
+ $code.=<<___ if ($win64);
+ lea -0x58(%rsp),%rsp
+@@ -985,6 +988,7 @@ $code.=<<___;
+ .align 16
+ aesni_ccm64_encrypt_blocks:
+ .cfi_startproc
++ endbranch
+ ___
+ $code.=<<___ if ($win64);
+ lea -0x58(%rsp),%rsp
+@@ -1077,6 +1081,7 @@ $code.=<<___;
+ .align 16
+ aesni_ccm64_decrypt_blocks:
+ .cfi_startproc
++ endbranch
+ ___
+ $code.=<<___ if ($win64);
+ lea -0x58(%rsp),%rsp
+@@ -1203,6 +1208,7 @@ $code.=<<___;
+ .align 16
+ aesni_ctr32_encrypt_blocks:
+ .cfi_startproc
++ endbranch
+ cmp \$1,$len
+ jne .Lctr32_bulk
+
+@@ -1775,6 +1781,7 @@ $code.=<<___;
+ .align 16
+ aesni_xts_encrypt:
+ .cfi_startproc
++ endbranch
+ lea (%rsp),%r11 # frame pointer
+ .cfi_def_cfa_register %r11
+ push %rbp
+@@ -2258,6 +2265,7 @@ $code.=<<___;
+ .align 16
+ aesni_xts_decrypt:
+ .cfi_startproc
++ endbranch
+ lea (%rsp),%r11 # frame pointer
+ .cfi_def_cfa_register %r11
+ push %rbp
+@@ -2783,6 +2791,7 @@ $code.=<<___;
+ .align 32
+ aesni_ocb_encrypt:
+ .cfi_startproc
++ endbranch
+ lea (%rsp),%rax
+ push %rbx
+ .cfi_push %rbx
+@@ -3249,6 +3258,7 @@ __ocb_encrypt1:
+ .align 32
+ aesni_ocb_decrypt:
+ .cfi_startproc
++ endbranch
+ lea (%rsp),%rax
+ push %rbx
+ .cfi_push %rbx
+@@ -3737,6 +3747,7 @@ $code.=<<___;
+ .align 16
+ ${PREFIX}_cbc_encrypt:
+ .cfi_startproc
++ endbranch
+ test $len,$len # check length
+ jz .Lcbc_ret
+
+diff -up openssl-1.1.1e/crypto/aes/asm/vpaes-x86_64.pl.intel-cet openssl-1.1.1e/crypto/aes/asm/vpaes-x86_64.pl
+--- openssl-1.1.1e/crypto/aes/asm/vpaes-x86_64.pl.intel-cet 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/crypto/aes/asm/vpaes-x86_64.pl 2020-03-19 17:00:15.974621757 +0100
+@@ -696,6 +696,7 @@ _vpaes_schedule_mangle:
+ .align 16
+ ${PREFIX}_set_encrypt_key:
+ .cfi_startproc
++ endbranch
+ ___
+ $code.=<<___ if ($win64);
+ lea -0xb8(%rsp),%rsp
+@@ -746,6 +747,7 @@ $code.=<<___;
+ .align 16
+ ${PREFIX}_set_decrypt_key:
+ .cfi_startproc
++ endbranch
+ ___
+ $code.=<<___ if ($win64);
+ lea -0xb8(%rsp),%rsp
+@@ -801,6 +803,7 @@ $code.=<<___;
+ .align 16
+ ${PREFIX}_encrypt:
+ .cfi_startproc
++ endbranch
+ ___
+ $code.=<<___ if ($win64);
+ lea -0xb8(%rsp),%rsp
+@@ -846,6 +849,7 @@ $code.=<<___;
+ .align 16
+ ${PREFIX}_decrypt:
+ .cfi_startproc
++ endbranch
+ ___
+ $code.=<<___ if ($win64);
+ lea -0xb8(%rsp),%rsp
+@@ -897,6 +901,7 @@ $code.=<<___;
+ .align 16
+ ${PREFIX}_cbc_encrypt:
+ .cfi_startproc
++ endbranch
+ xchg $key,$len
+ ___
+ ($len,$key)=($key,$len);
+diff -up openssl-1.1.1e/crypto/async/arch/async_posix.c.intel-cet openssl-1.1.1e/crypto/async/arch/async_posix.c
+--- openssl-1.1.1e/crypto/async/arch/async_posix.c.intel-cet 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/crypto/async/arch/async_posix.c 2020-03-19 17:00:15.974621757 +0100
+@@ -34,7 +34,9 @@ void async_local_cleanup(void)
+
+ int async_fibre_makecontext(async_fibre *fibre)
+ {
++#ifndef USE_SWAPCONTEXT
+ fibre->env_init = 0;
++#endif
+ if (getcontext(&fibre->fibre) == 0) {
+ fibre->fibre.uc_stack.ss_sp = OPENSSL_malloc(STACKSIZE);
+ if (fibre->fibre.uc_stack.ss_sp != NULL) {
+diff -up openssl-1.1.1e/crypto/async/arch/async_posix.h.intel-cet openssl-1.1.1e/crypto/async/arch/async_posix.h
+--- openssl-1.1.1e/crypto/async/arch/async_posix.h.intel-cet 2020-03-19 17:00:15.435631166 +0100
++++ openssl-1.1.1e/crypto/async/arch/async_posix.h 2020-03-19 17:00:15.975621739 +0100
+@@ -25,17 +25,33 @@
+ # define ASYNC_POSIX
+ # define ASYNC_ARCH
+
++# ifdef __CET__
++/*
++ * When Intel CET is enabled, makecontext will create a different
++ * shadow stack for each context. async_fibre_swapcontext cannot
++ * use _longjmp. It must call swapcontext to swap shadow stack as
++ * well as normal stack.
++ */
++# define USE_SWAPCONTEXT
++# endif
+ # include <ucontext.h>
+-# include <setjmp.h>
++# ifndef USE_SWAPCONTEXT
++# include <setjmp.h>
++# endif
+
+ typedef struct async_fibre_st {
+ ucontext_t fibre;
++# ifndef USE_SWAPCONTEXT
+ jmp_buf env;
+ int env_init;
++# endif
+ } async_fibre;
+
+ static ossl_inline int async_fibre_swapcontext(async_fibre *o, async_fibre *n, int r)
+ {
++# ifdef USE_SWAPCONTEXT
++ swapcontext(&o->fibre, &n->fibre);
++# else
+ o->env_init = 1;
+
+ if (!r || !_setjmp(o->env)) {
+@@ -44,6 +60,7 @@ static ossl_inline int async_fibre_swapc
+ else
+ setcontext(&n->fibre);
+ }
++# endif
+
+ return 1;
+ }
+diff -up openssl-1.1.1e/crypto/camellia/asm/cmll-x86_64.pl.intel-cet openssl-1.1.1e/crypto/camellia/asm/cmll-x86_64.pl
+--- openssl-1.1.1e/crypto/camellia/asm/cmll-x86_64.pl.intel-cet 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/crypto/camellia/asm/cmll-x86_64.pl 2020-03-19 17:00:15.975621739 +0100
+@@ -685,6 +685,7 @@ $code.=<<___;
+ .align 16
+ Camellia_cbc_encrypt:
+ .cfi_startproc
++ endbranch
+ cmp \$0,%rdx
+ je .Lcbc_abort
+ push %rbx
+diff -up openssl-1.1.1e/crypto/modes/asm/ghash-x86_64.pl.intel-cet openssl-1.1.1e/crypto/modes/asm/ghash-x86_64.pl
+--- openssl-1.1.1e/crypto/modes/asm/ghash-x86_64.pl.intel-cet 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/crypto/modes/asm/ghash-x86_64.pl 2020-03-19 17:00:15.975621739 +0100
+@@ -239,6 +239,7 @@ $code=<<___;
+ .align 16
+ gcm_gmult_4bit:
+ .cfi_startproc
++ endbranch
+ push %rbx
+ .cfi_push %rbx
+ push %rbp # %rbp and others are pushed exclusively in
+@@ -286,6 +287,7 @@ $code.=<<___;
+ .align 16
+ gcm_ghash_4bit:
+ .cfi_startproc
++ endbranch
+ push %rbx
+ .cfi_push %rbx
+ push %rbp
+@@ -612,6 +614,7 @@ $code.=<<___;
+ .align 16
+ gcm_gmult_clmul:
+ .cfi_startproc
++ endbranch
+ .L_gmult_clmul:
+ movdqu ($Xip),$Xi
+ movdqa .Lbswap_mask(%rip),$T3
+@@ -663,6 +666,7 @@ $code.=<<___;
+ .align 32
+ gcm_ghash_clmul:
+ .cfi_startproc
++ endbranch
+ .L_ghash_clmul:
+ ___
+ $code.=<<___ if ($win64);
+@@ -1166,6 +1170,7 @@ $code.=<<___;
+ .align 32
+ gcm_gmult_avx:
+ .cfi_startproc
++ endbranch
+ jmp .L_gmult_clmul
+ .cfi_endproc
+ .size gcm_gmult_avx,.-gcm_gmult_avx
+@@ -1177,6 +1182,7 @@ $code.=<<___;
+ .align 32
+ gcm_ghash_avx:
+ .cfi_startproc
++ endbranch
+ ___
+ if ($avx) {
+ my ($Xip,$Htbl,$inp,$len)=@_4args;
+diff -up openssl-1.1.1e/crypto/perlasm/cbc.pl.intel-cet openssl-1.1.1e/crypto/perlasm/cbc.pl
+--- openssl-1.1.1e/crypto/perlasm/cbc.pl.intel-cet 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/crypto/perlasm/cbc.pl 2020-03-19 17:00:15.976621722 +0100
+@@ -165,21 +165,28 @@ sub cbc
+ &jmp_ptr($count);
+
+ &set_label("ej7");
++ &endbranch()
+ &movb(&HB("edx"), &BP(6,$in,"",0));
+ &shl("edx",8);
+ &set_label("ej6");
++ &endbranch()
+ &movb(&HB("edx"), &BP(5,$in,"",0));
+ &set_label("ej5");
++ &endbranch()
+ &movb(&LB("edx"), &BP(4,$in,"",0));
+ &set_label("ej4");
++ &endbranch()
+ &mov("ecx", &DWP(0,$in,"",0));
+ &jmp(&label("ejend"));
+ &set_label("ej3");
++ &endbranch()
+ &movb(&HB("ecx"), &BP(2,$in,"",0));
+ &shl("ecx",8);
+ &set_label("ej2");
++ &endbranch()
+ &movb(&HB("ecx"), &BP(1,$in,"",0));
+ &set_label("ej1");
++ &endbranch()
+ &movb(&LB("ecx"), &BP(0,$in,"",0));
+ &set_label("ejend");
+
+diff -up openssl-1.1.1e/crypto/perlasm/x86_64-xlate.pl.intel-cet openssl-1.1.1e/crypto/perlasm/x86_64-xlate.pl
+--- openssl-1.1.1e/crypto/perlasm/x86_64-xlate.pl.intel-cet 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/crypto/perlasm/x86_64-xlate.pl 2020-03-19 17:00:15.984621582 +0100
+@@ -101,6 +101,33 @@ elsif (!$gas)
+ $decor="\$L\$";
+ }
+
++my $cet_property;
++if ($flavour =~ /elf/) {
++ # Always generate .note.gnu.property section for ELF outputs to
++ # mark Intel CET support since all input files must be marked
++ # with Intel CET support in order for linker to mark output with
++ # Intel CET support.
++ my $p2align=3; $p2align=2 if ($flavour eq "elf32");
++ $cet_property = <<_____;
++ .section ".note.gnu.property", "a"
++ .p2align $p2align
++ .long 1f - 0f
++ .long 4f - 1f
++ .long 5
++0:
++ .asciz "GNU"
++1:
++ .p2align $p2align
++ .long 0xc0000002
++ .long 3f - 2f
++2:
++ .long 3
++3:
++ .p2align $p2align
++4:
++_____
++}
++
+ my $current_segment;
+ my $current_function;
+ my %globals;
+@@ -1213,6 +1240,7 @@ while(defined(my $line=<>)) {
+ print $line,"\n";
+ }
+
++print "$cet_property" if ($cet_property);
+ print "\n$current_segment\tENDS\n" if ($current_segment && $masm);
+ print "END\n" if ($masm);
+
+diff -up openssl-1.1.1e/crypto/perlasm/x86gas.pl.intel-cet openssl-1.1.1e/crypto/perlasm/x86gas.pl
+--- openssl-1.1.1e/crypto/perlasm/x86gas.pl.intel-cet 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/crypto/perlasm/x86gas.pl 2020-03-19 17:00:15.985621565 +0100
+@@ -124,6 +124,7 @@ sub ::function_begin_B
+ push(@out,".align\t$align\n");
+ push(@out,"$func:\n");
+ push(@out,"$begin:\n") if ($global);
++ &::endbranch();
+ $::stack=4;
+ }
+
+@@ -172,6 +173,26 @@ sub ::file_end
+ else { push (@out,"$tmp\n"); }
+ }
+ push(@out,$initseg) if ($initseg);
++ if ($::elf) {
++ push(@out,"
++ .section \".note.gnu.property\", \"a\"
++ .p2align 2
++ .long 1f - 0f
++ .long 4f - 1f
++ .long 5
++0:
++ .asciz \"GNU\"
++1:
++ .p2align 2
++ .long 0xc0000002
++ .long 3f - 2f
++2:
++ .long 3
++3:
++ .p2align 2
++4:
++");
++ }
+ }
+
+ sub ::data_byte { push(@out,".byte\t".join(',',@_)."\n"); }
+diff -up openssl-1.1.1e/crypto/poly1305/asm/poly1305-x86_64.pl.intel-cet openssl-1.1.1e/crypto/poly1305/asm/poly1305-x86_64.pl
+--- openssl-1.1.1e/crypto/poly1305/asm/poly1305-x86_64.pl.intel-cet 2020-03-19 17:00:38.185234015 +0100
++++ openssl-1.1.1e/crypto/poly1305/asm/poly1305-x86_64.pl 2020-03-19 17:05:46.575850341 +0100
+@@ -2806,6 +2806,7 @@ $code.=<<___;
+ .align 32
+ poly1305_blocks_vpmadd52:
+ .cfi_startproc
++ endbranch
+ shr \$4,$len
+ jz .Lno_data_vpmadd52 # too short
+
+@@ -3739,6 +3740,7 @@ $code.=<<___;
+ .align 32
+ poly1305_emit_base2_44:
+ .cfi_startproc
++ endbranch
+ mov 0($ctx),%r8 # load hash value
+ mov 8($ctx),%r9
+ mov 16($ctx),%r10
+diff -up openssl-1.1.1e/crypto/rc4/asm/rc4-x86_64.pl.intel-cet openssl-1.1.1e/crypto/rc4/asm/rc4-x86_64.pl
+--- openssl-1.1.1e/crypto/rc4/asm/rc4-x86_64.pl.intel-cet 2020-03-19 17:00:38.190233928 +0100
++++ openssl-1.1.1e/crypto/rc4/asm/rc4-x86_64.pl 2020-03-19 17:05:02.598618064 +0100
+@@ -140,6 +140,7 @@ $code=<<___;
+ .align 16
+ RC4:
+ .cfi_startproc
++ endbranch
+ or $len,$len
+ jne .Lentry
+ ret
+@@ -455,6 +456,7 @@ $code.=<<___;
+ .align 16
+ RC4_set_key:
+ .cfi_startproc
++ endbranch
+ lea 8($dat),$dat
+ lea ($inp,$len),$inp
+ neg $len
+@@ -529,6 +531,7 @@ RC4_set_key:
+ .align 16
+ RC4_options:
+ .cfi_startproc
++ endbranch
+ lea .Lopts(%rip),%rax
+ mov OPENSSL_ia32cap_P(%rip),%edx
+ bt \$20,%edx
+diff -up openssl-1.1.1e/crypto/x86_64cpuid.pl.intel-cet openssl-1.1.1e/crypto/x86_64cpuid.pl
+--- openssl-1.1.1e/crypto/x86_64cpuid.pl.intel-cet 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/crypto/x86_64cpuid.pl 2020-03-19 17:03:58.172742775 +0100
+@@ -40,6 +40,7 @@ print<<___;
+ .align 16
+ OPENSSL_atomic_add:
+ .cfi_startproc
++ endbranch
+ movl ($arg1),%eax
+ .Lspin: leaq ($arg2,%rax),%r8
+ .byte 0xf0 # lock
+@@ -56,6 +57,7 @@ OPENSSL_atomic_add:
+ .align 16
+ OPENSSL_rdtsc:
+ .cfi_startproc
++ endbranch
+ rdtsc
+ shl \$32,%rdx
+ or %rdx,%rax
+@@ -68,6 +70,7 @@ OPENSSL_rdtsc:
+ .align 16
+ OPENSSL_ia32_cpuid:
+ .cfi_startproc
++ endbranch
+ mov %rbx,%r8 # save %rbx
+ .cfi_register %rbx,%r8
+
+@@ -237,6 +240,7 @@ OPENSSL_ia32_cpuid:
+ .align 16
+ OPENSSL_cleanse:
+ .cfi_startproc
++ endbranch
+ xor %rax,%rax
+ cmp \$15,$arg2
+ jae .Lot
+@@ -274,6 +278,7 @@ OPENSSL_cleanse:
+ .align 16
+ CRYPTO_memcmp:
+ .cfi_startproc
++ endbranch
+ xor %rax,%rax
+ xor %r10,%r10
+ cmp \$0,$arg3
+@@ -312,6 +317,7 @@ print<<___ if (!$win64);
+ .align 16
+ OPENSSL_wipe_cpu:
+ .cfi_startproc
++ endbranch
+ pxor %xmm0,%xmm0
+ pxor %xmm1,%xmm1
+ pxor %xmm2,%xmm2
+@@ -346,6 +352,8 @@ print<<___ if ($win64);
+ .type OPENSSL_wipe_cpu,\@abi-omnipotent
+ .align 16
+ OPENSSL_wipe_cpu:
++.cfi_startproc
++ endbranch
+ pxor %xmm0,%xmm0
+ pxor %xmm1,%xmm1
+ pxor %xmm2,%xmm2
+@@ -376,6 +384,7 @@ print<<___;
+ .align 16
+ OPENSSL_instrument_bus:
+ .cfi_startproc
++ endbranch
+ mov $arg1,$out # tribute to Win64
+ mov $arg2,$cnt
+ mov $arg2,$max
+@@ -410,6 +419,7 @@ OPENSSL_instrument_bus:
+ .align 16
+ OPENSSL_instrument_bus2:
+ .cfi_startproc
++ endbranch
+ mov $arg1,$out # tribute to Win64
+ mov $arg2,$cnt
+ mov $arg3,$max
+@@ -465,6 +475,7 @@ print<<___;
+ .align 16
+ OPENSSL_ia32_${rdop}_bytes:
+ .cfi_startproc
++ endbranch
+ xor %rax, %rax # return value
+ cmp \$0,$arg2
+ je .Ldone_${rdop}_bytes
diff --git a/SOURCES/openssl-1.1.1-kdf-selftest.patch b/SOURCES/openssl-1.1.1-kdf-selftest.patch
new file mode 100644
index 0000000..3cb3718
--- /dev/null
+++ b/SOURCES/openssl-1.1.1-kdf-selftest.patch
@@ -0,0 +1,170 @@
+diff -up openssl-1.1.1g/crypto/fips/build.info.kdf-selftest openssl-1.1.1g/crypto/fips/build.info
+--- openssl-1.1.1g/crypto/fips/build.info.kdf-selftest 2020-06-03 16:08:36.274849058 +0200
++++ openssl-1.1.1g/crypto/fips/build.info 2020-06-03 16:11:05.609079372 +0200
+@@ -5,7 +5,7 @@ SOURCE[../../libcrypto]=\
+ fips_post.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \
+ fips_drbg_lib.c fips_drbg_rand.c fips_drbg_selftest.c fips_rand_lib.c \
+ fips_cmac_selftest.c fips_ecdh_selftest.c fips_ecdsa_selftest.c \
+- fips_dh_selftest.c fips_ers.c
++ fips_dh_selftest.c fips_kdf_selftest.c fips_ers.c
+
+ PROGRAMS_NO_INST=\
+ fips_standalone_hmac
+diff -up openssl-1.1.1g/crypto/fips/fips_kdf_selftest.c.kdf-selftest openssl-1.1.1g/crypto/fips/fips_kdf_selftest.c
+--- openssl-1.1.1g/crypto/fips/fips_kdf_selftest.c.kdf-selftest 2020-06-03 16:08:36.337849577 +0200
++++ openssl-1.1.1g/crypto/fips/fips_kdf_selftest.c 2020-06-03 16:08:36.337849577 +0200
+@@ -0,0 +1,117 @@
++/*
++ * Copyright 2018-2019 The OpenSSL Project Authors. All Rights Reserved.
++ * Copyright (c) 2018-2019, Oracle and/or its affiliates. All rights reserved.
++ *
++ * Licensed under the Apache License 2.0 (the "License"). You may not use
++ * this file except in compliance with the License. You can obtain a copy
++ * in the file LICENSE in the source distribution or at
++ * https://www.openssl.org/source/license.html
++ */
++
++#include <string.h>
++#include <openssl/err.h>
++#include <openssl/fips.h>
++#include "crypto/fips.h"
++
++#include <openssl/evp.h>
++#include <openssl/kdf.h>
++
++#ifdef OPENSSL_FIPS
++int FIPS_selftest_pbkdf2(void)
++{
++ int ret = 0;
++ EVP_KDF_CTX *kctx;
++ unsigned char out[32];
++
++ if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_PBKDF2)) == NULL) {
++ goto err;
++ }
++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_PASS, "password", (size_t)8) <= 0) {
++ goto err;
++ }
++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, "salt", (size_t)4) <= 0) {
++ goto err;
++ }
++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_ITER, 2) <= 0) {
++ goto err;
++ }
++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) {
++ goto err;
++ }
++ if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) {
++ goto err;
++ }
++
++ {
++ const unsigned char expected[sizeof(out)] = {
++ 0xae, 0x4d, 0x0c, 0x95, 0xaf, 0x6b, 0x46, 0xd3,
++ 0x2d, 0x0a, 0xdf, 0xf9, 0x28, 0xf0, 0x6d, 0xd0,
++ 0x2a, 0x30, 0x3f, 0x8e, 0xf3, 0xc2, 0x51, 0xdf,
++ 0xd6, 0xe2, 0xd8, 0x5a, 0x95, 0x47, 0x4c, 0x43
++ };
++ if (memcmp(out, expected, sizeof(expected))) {
++ goto err;
++ }
++ }
++ ret = 1;
++
++err:
++ if (!ret)
++ FIPSerr(FIPS_F_FIPS_SELFTEST_PBKDF2, FIPS_R_SELFTEST_FAILED);
++ EVP_KDF_CTX_free(kctx);
++ return ret;
++}
++
++/* Test vector from RFC 8009 (AES Encryption with HMAC-SHA2 for Kerberos
++ * 5) appendix A. */
++int FIPS_selftest_kbkdf(void)
++{
++ int ret = 0;
++ EVP_KDF_CTX *kctx;
++ char *label = "prf", *prf_input = "test";
++ static unsigned char input_key[] = {
++ 0x37, 0x05, 0xD9, 0x60, 0x80, 0xC1, 0x77, 0x28,
++ 0xA0, 0xE8, 0x00, 0xEA, 0xB6, 0xE0, 0xD2, 0x3C,
++ };
++ static unsigned char output[] = {
++ 0x9D, 0x18, 0x86, 0x16, 0xF6, 0x38, 0x52, 0xFE,
++ 0x86, 0x91, 0x5B, 0xB8, 0x40, 0xB4, 0xA8, 0x86,
++ 0xFF, 0x3E, 0x6B, 0xB0, 0xF8, 0x19, 0xB4, 0x9B,
++ 0x89, 0x33, 0x93, 0xD3, 0x93, 0x85, 0x42, 0x95,
++ };
++ unsigned char result[sizeof(output)] = { 0 };
++
++ if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_KB)) == NULL) {
++ goto err;
++ }
++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_MAC_TYPE, EVP_KDF_KB_MAC_TYPE_HMAC) <= 0) {
++ goto err;
++ }
++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) {
++ goto err;
++ }
++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, input_key, sizeof(input_key)) <= 0) {
++ goto err;
++ }
++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, label, strlen(label)) <= 0) {
++ goto err;
++ }
++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_INFO, prf_input, strlen(prf_input)) <= 0) {
++ goto err;
++ }
++ ret = EVP_KDF_derive(kctx, result, sizeof(result)) > 0
++ && memcmp(result, output, sizeof(output)) == 0;
++err:
++
++ if (!ret)
++ FIPSerr(FIPS_F_FIPS_SELFTEST_KBKDF, FIPS_R_SELFTEST_FAILED);
++ EVP_KDF_CTX_free(kctx);
++ return ret;
++}
++
++int FIPS_selftest_kdf(void)
++{
++ return FIPS_selftest_pbkdf2() && FIPS_selftest_kbkdf();
++}
++
++#endif
+diff -up openssl-1.1.1g/crypto/fips/fips_post.c.kdf-selftest openssl-1.1.1g/crypto/fips/fips_post.c
+--- openssl-1.1.1g/crypto/fips/fips_post.c.kdf-selftest 2020-06-03 16:08:36.332849536 +0200
++++ openssl-1.1.1g/crypto/fips/fips_post.c 2020-06-03 16:08:36.338849585 +0200
+@@ -111,6 +111,8 @@ int FIPS_selftest(void)
+ rv = 0;
+ if (!FIPS_selftest_ecdh())
+ rv = 0;
++ if (!FIPS_selftest_kdf())
++ rv = 0;
+ return rv;
+ }
+
+diff -up openssl-1.1.1g/include/crypto/fips.h.kdf-selftest openssl-1.1.1g/include/crypto/fips.h
+--- openssl-1.1.1g/include/crypto/fips.h.kdf-selftest 2020-06-03 16:08:36.330849519 +0200
++++ openssl-1.1.1g/include/crypto/fips.h 2020-06-03 16:08:36.338849585 +0200
+@@ -72,6 +72,9 @@ void FIPS_drbg_stick(int onoff);
+ int FIPS_selftest_hmac(void);
+ int FIPS_selftest_drbg(void);
+ int FIPS_selftest_cmac(void);
++int FIPS_selftest_kbkdf(void);
++int FIPS_selftest_pbkdf2(void);
++int FIPS_selftest_kdf(void);
+
+ int fips_in_post(void);
+
+diff -up openssl-1.1.1g/include/openssl/fips.h.kdf-selftest openssl-1.1.1g/include/openssl/fips.h
+--- openssl-1.1.1g/include/openssl/fips.h.kdf-selftest 2020-06-03 16:08:36.282849124 +0200
++++ openssl-1.1.1g/include/openssl/fips.h 2020-06-03 16:08:36.338849585 +0200
+@@ -123,6 +123,8 @@ extern "C" {
+ # define FIPS_F_FIPS_SELFTEST_DSA 112
+ # define FIPS_F_FIPS_SELFTEST_ECDSA 133
+ # define FIPS_F_FIPS_SELFTEST_HMAC 113
++# define FIPS_F_FIPS_SELFTEST_KBKDF 151
++# define FIPS_F_FIPS_SELFTEST_PBKDF2 152
+ # define FIPS_F_FIPS_SELFTEST_SHA1 115
+ # define FIPS_F_FIPS_SELFTEST_SHA2 105
+ # define FIPS_F_OSSL_ECDSA_SIGN_SIG 143
diff --git a/SOURCES/openssl-1.1.1-krb5-kdf.patch b/SOURCES/openssl-1.1.1-krb5-kdf.patch
index f8332f6..249a5c5 100644
--- a/SOURCES/openssl-1.1.1-krb5-kdf.patch
+++ b/SOURCES/openssl-1.1.1-krb5-kdf.patch
@@ -1,7 +1,7 @@
-diff -up openssl-1.1.1c/crypto/err/openssl.txt.krb5-kdf openssl-1.1.1c/crypto/err/openssl.txt
---- openssl-1.1.1c/crypto/err/openssl.txt.krb5-kdf 2019-11-14 16:25:09.445914709 +0100
-+++ openssl-1.1.1c/crypto/err/openssl.txt 2019-11-14 16:26:10.333811902 +0100
-@@ -816,6 +816,11 @@ EVP_F_S390X_AES_GCM_CTRL:201:s390x_aes_g
+diff -up openssl-1.1.1d/crypto/err/openssl.txt.krb5-kdf openssl-1.1.1d/crypto/err/openssl.txt
+--- openssl-1.1.1d/crypto/err/openssl.txt.krb5-kdf 2019-11-14 15:07:05.320094521 +0100
++++ openssl-1.1.1d/crypto/err/openssl.txt 2019-11-14 15:07:05.342094129 +0100
+@@ -821,6 +821,11 @@ EVP_F_S390X_AES_GCM_CTRL:201:s390x_aes_g
EVP_F_SCRYPT_ALG:228:scrypt_alg
EVP_F_UPDATE:173:update
KDF_F_HKDF_EXTRACT:112:HKDF_Extract
@@ -13,7 +13,7 @@ diff -up openssl-1.1.1c/crypto/err/openssl.txt.krb5-kdf openssl-1.1.1c/crypto/er
KDF_F_KDF_HKDF_DERIVE:113:kdf_hkdf_derive
KDF_F_KDF_HKDF_NEW:114:kdf_hkdf_new
KDF_F_KDF_HKDF_SIZE:115:kdf_hkdf_size
-@@ -835,6 +840,8 @@ KDF_F_KDF_SSHKDF_NEW:133:kdf_sshkdf_new
+@@ -840,6 +845,8 @@ KDF_F_KDF_SSHKDF_NEW:133:kdf_sshkdf_new
KDF_F_KDF_TLS1_PRF_CTRL_STR:125:kdf_tls1_prf_ctrl_str
KDF_F_KDF_TLS1_PRF_DERIVE:126:kdf_tls1_prf_derive
KDF_F_KDF_TLS1_PRF_NEW:127:kdf_tls1_prf_new
@@ -22,7 +22,7 @@ diff -up openssl-1.1.1c/crypto/err/openssl.txt.krb5-kdf openssl-1.1.1c/crypto/er
KDF_F_PBKDF2_SET_MEMBUF:128:pbkdf2_set_membuf
KDF_F_PKEY_HKDF_CTRL_STR:103:pkey_hkdf_ctrl_str
KDF_F_PKEY_HKDF_DERIVE:102:pkey_hkdf_derive
-@@ -848,6 +855,9 @@ KDF_F_PKEY_TLS1_PRF_CTRL_STR:100:pkey_tl
+@@ -853,6 +860,9 @@ KDF_F_PKEY_TLS1_PRF_CTRL_STR:100:pkey_tl
KDF_F_PKEY_TLS1_PRF_DERIVE:101:pkey_tls1_prf_derive
KDF_F_PKEY_TLS1_PRF_INIT:110:pkey_tls1_prf_init
KDF_F_SCRYPT_SET_MEMBUF:129:scrypt_set_membuf
@@ -32,10 +32,10 @@ diff -up openssl-1.1.1c/crypto/err/openssl.txt.krb5-kdf openssl-1.1.1c/crypto/er
KDF_F_TLS1_PRF_ALG:111:tls1_prf_alg
OBJ_F_OBJ_ADD_OBJECT:105:OBJ_add_object
OBJ_F_OBJ_ADD_SIGID:107:OBJ_add_sigid
-@@ -2315,7 +2325,13 @@ EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM:
- EVP_R_UNSUPPORTED_SALT_TYPE:126:unsupported salt type
+@@ -2325,7 +2335,13 @@ EVP_R_UNSUPPORTED_SALT_TYPE:126:unsuppor
EVP_R_WRAP_MODE_NOT_ALLOWED:170:wrap mode not allowed
EVP_R_WRONG_FINAL_BLOCK_LENGTH:109:wrong final block length
+ EVP_R_XTS_DUPLICATED_KEYS:183:xts duplicated keys
+KDF_R_FAILED_TO_GENERATE_KEY:118:failed to generate key
+KDF_R_INVALID_CIPHER:116:invalid cipher
+KDF_R_INVALID_CONSTANT_LENGTH:119:invalid constant length
@@ -46,7 +46,7 @@ diff -up openssl-1.1.1c/crypto/err/openssl.txt.krb5-kdf openssl-1.1.1c/crypto/er
KDF_R_MISSING_ITERATION_COUNT:109:missing iteration count
KDF_R_MISSING_KEY:104:missing key
KDF_R_MISSING_MESSAGE_DIGEST:105:missing message digest
-@@ -2330,6 +2346,7 @@ KDF_R_MISSING_XCGHASH:115:missing xcghas
+@@ -2340,6 +2356,7 @@ KDF_R_MISSING_XCGHASH:115:missing xcghas
KDF_R_UNKNOWN_PARAMETER_TYPE:103:unknown parameter type
KDF_R_VALUE_ERROR:108:value error
KDF_R_VALUE_MISSING:102:value missing
@@ -54,9 +54,9 @@ diff -up openssl-1.1.1c/crypto/err/openssl.txt.krb5-kdf openssl-1.1.1c/crypto/er
KDF_R_WRONG_OUTPUT_BUFFER_SIZE:112:wrong output buffer size
OBJ_R_OID_EXISTS:102:oid exists
OBJ_R_UNKNOWN_NID:101:unknown nid
-diff -up openssl-1.1.1c/crypto/evp/kdf_lib.c.krb5-kdf openssl-1.1.1c/crypto/evp/kdf_lib.c
---- openssl-1.1.1c/crypto/evp/kdf_lib.c.krb5-kdf 2019-11-14 16:25:09.445914709 +0100
-+++ openssl-1.1.1c/crypto/evp/kdf_lib.c 2019-11-14 16:25:09.475914166 +0100
+diff -up openssl-1.1.1d/crypto/evp/kdf_lib.c.krb5-kdf openssl-1.1.1d/crypto/evp/kdf_lib.c
+--- openssl-1.1.1d/crypto/evp/kdf_lib.c.krb5-kdf 2019-11-14 15:07:05.320094521 +0100
++++ openssl-1.1.1d/crypto/evp/kdf_lib.c 2019-11-14 15:07:05.342094129 +0100
@@ -31,6 +31,9 @@ static const EVP_KDF_METHOD *standard_me
&tls1_prf_kdf_meth,
&hkdf_kdf_meth,
@@ -67,9 +67,9 @@ diff -up openssl-1.1.1c/crypto/evp/kdf_lib.c.krb5-kdf openssl-1.1.1c/crypto/evp/
};
DECLARE_OBJ_BSEARCH_CMP_FN(const EVP_KDF_METHOD *, const EVP_KDF_METHOD *,
-diff -up openssl-1.1.1c/crypto/include/internal/evp_int.h.krb5-kdf openssl-1.1.1c/crypto/include/internal/evp_int.h
---- openssl-1.1.1c/crypto/include/internal/evp_int.h.krb5-kdf 2019-11-14 16:25:09.446914691 +0100
-+++ openssl-1.1.1c/crypto/include/internal/evp_int.h 2019-11-14 16:25:09.475914166 +0100
+diff -up openssl-1.1.1d/include/crypto/evp.h.krb5-kdf openssl-1.1.1d/include/crypto/evp.h
+--- openssl-1.1.1d/include/crypto/evp.h.krb5-kdf 2019-11-14 15:07:05.320094521 +0100
++++ openssl-1.1.1d/include/crypto/evp.h 2019-11-14 15:07:05.342094129 +0100
@@ -130,6 +130,9 @@ extern const EVP_KDF_METHOD scrypt_kdf_m
extern const EVP_KDF_METHOD tls1_prf_kdf_meth;
extern const EVP_KDF_METHOD hkdf_kdf_meth;
@@ -80,17 +80,17 @@ diff -up openssl-1.1.1c/crypto/include/internal/evp_int.h.krb5-kdf openssl-1.1.1
struct evp_md_st {
int type;
-diff -up openssl-1.1.1c/crypto/kdf/build.info.krb5-kdf openssl-1.1.1c/crypto/kdf/build.info
---- openssl-1.1.1c/crypto/kdf/build.info.krb5-kdf 2019-11-14 16:25:09.446914691 +0100
-+++ openssl-1.1.1c/crypto/kdf/build.info 2019-11-14 16:25:09.475914166 +0100
+diff -up openssl-1.1.1d/crypto/kdf/build.info.krb5-kdf openssl-1.1.1d/crypto/kdf/build.info
+--- openssl-1.1.1d/crypto/kdf/build.info.krb5-kdf 2019-11-14 15:07:05.320094521 +0100
++++ openssl-1.1.1d/crypto/kdf/build.info 2019-11-14 15:07:05.342094129 +0100
@@ -1,3 +1,3 @@
LIBS=../../libcrypto
SOURCE[../../libcrypto]=\
- tls1_prf.c kdf_err.c kdf_util.c hkdf.c scrypt.c pbkdf2.c sshkdf.c
+ tls1_prf.c kdf_err.c kdf_util.c hkdf.c scrypt.c pbkdf2.c sshkdf.c kbkdf.c krb5kdf.c sskdf.c
-diff -up openssl-1.1.1c/crypto/kdf/kbkdf.c.krb5-kdf openssl-1.1.1c/crypto/kdf/kbkdf.c
---- openssl-1.1.1c/crypto/kdf/kbkdf.c.krb5-kdf 2019-11-14 16:25:09.475914166 +0100
-+++ openssl-1.1.1c/crypto/kdf/kbkdf.c 2019-11-18 17:21:58.326635901 +0100
+diff -up openssl-1.1.1d/crypto/kdf/kbkdf.c.krb5-kdf openssl-1.1.1d/crypto/kdf/kbkdf.c
+--- openssl-1.1.1d/crypto/kdf/kbkdf.c.krb5-kdf 2019-11-14 15:07:05.343094112 +0100
++++ openssl-1.1.1d/crypto/kdf/kbkdf.c 2019-11-18 17:21:58.326635901 +0100
@@ -0,0 +1,540 @@
+/*
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
@@ -129,7 +129,7 @@ diff -up openssl-1.1.1c/crypto/kdf/kbkdf.c.krb5-kdf openssl-1.1.1c/crypto/kdf/kb
+
+#include "internal/numbers.h"
+#include "internal/cryptlib.h"
-+#include "internal/evp_int.h"
++#include "crypto/evp.h"
+#include "kdf_local.h"
+
+#include "e_os.h"
@@ -632,9 +632,9 @@ diff -up openssl-1.1.1c/crypto/kdf/kbkdf.c.krb5-kdf openssl-1.1.1c/crypto/kdf/kb
+ kbkdf_derive,
+};
+
-diff -up openssl-1.1.1c/crypto/kdf/kdf_err.c.krb5-kdf openssl-1.1.1c/crypto/kdf/kdf_err.c
---- openssl-1.1.1c/crypto/kdf/kdf_err.c.krb5-kdf 2019-11-14 16:25:09.446914691 +0100
-+++ openssl-1.1.1c/crypto/kdf/kdf_err.c 2019-11-14 16:25:09.475914166 +0100
+diff -up openssl-1.1.1d/crypto/kdf/kdf_err.c.krb5-kdf openssl-1.1.1d/crypto/kdf/kdf_err.c
+--- openssl-1.1.1d/crypto/kdf/kdf_err.c.krb5-kdf 2019-11-14 15:07:05.320094521 +0100
++++ openssl-1.1.1d/crypto/kdf/kdf_err.c 2019-11-14 15:07:05.343094112 +0100
@@ -15,6 +15,11 @@
static const ERR_STRING_DATA KDF_str_functs[] = {
@@ -688,9 +688,9 @@ diff -up openssl-1.1.1c/crypto/kdf/kdf_err.c.krb5-kdf openssl-1.1.1c/crypto/kdf/
{ERR_PACK(ERR_LIB_KDF, 0, KDF_R_WRONG_OUTPUT_BUFFER_SIZE),
"wrong output buffer size"},
{0, NULL}
-diff -up openssl-1.1.1c/crypto/kdf/kdf_local.h.krb5-kdf openssl-1.1.1c/crypto/kdf/kdf_local.h
---- openssl-1.1.1c/crypto/kdf/kdf_local.h.krb5-kdf 2019-11-14 16:25:09.438914836 +0100
-+++ openssl-1.1.1c/crypto/kdf/kdf_local.h 2019-11-14 16:25:09.475914166 +0100
+diff -up openssl-1.1.1d/crypto/kdf/kdf_local.h.krb5-kdf openssl-1.1.1d/crypto/kdf/kdf_local.h
+--- openssl-1.1.1d/crypto/kdf/kdf_local.h.krb5-kdf 2019-11-14 15:07:05.313094646 +0100
++++ openssl-1.1.1d/crypto/kdf/kdf_local.h 2019-11-14 15:07:05.344094093 +0100
@@ -19,4 +19,6 @@ int kdf_hex2ctrl(EVP_KDF_IMPL *impl,
int kdf_md2ctrl(EVP_KDF_IMPL *impl,
int (*ctrl)(EVP_KDF_IMPL *impl, int cmd, va_list args),
@@ -699,9 +699,9 @@ diff -up openssl-1.1.1c/crypto/kdf/kdf_local.h.krb5-kdf openssl-1.1.1c/crypto/kd
+int kdf_cipher2ctrl(EVP_KDF_IMPL *impl,
+ int (*ctrl)(EVP_KDF_IMPL *impl, int cmd, va_list args),
+ int cmd, const char *cipher_name);
-diff -up openssl-1.1.1c/crypto/kdf/kdf_util.c.krb5-kdf openssl-1.1.1c/crypto/kdf/kdf_util.c
---- openssl-1.1.1c/crypto/kdf/kdf_util.c.krb5-kdf 2019-11-14 16:25:09.438914836 +0100
-+++ openssl-1.1.1c/crypto/kdf/kdf_util.c 2019-11-14 16:25:09.475914166 +0100
+diff -up openssl-1.1.1d/crypto/kdf/kdf_util.c.krb5-kdf openssl-1.1.1d/crypto/kdf/kdf_util.c
+--- openssl-1.1.1d/crypto/kdf/kdf_util.c.krb5-kdf 2019-11-14 15:07:05.313094646 +0100
++++ openssl-1.1.1d/crypto/kdf/kdf_util.c 2019-11-14 15:07:05.344094093 +0100
@@ -71,3 +71,16 @@ int kdf_md2ctrl(EVP_KDF_IMPL *impl,
return call_ctrl(ctrl, impl, cmd, md);
}
@@ -719,9 +719,9 @@ diff -up openssl-1.1.1c/crypto/kdf/kdf_util.c.krb5-kdf openssl-1.1.1c/crypto/kdf
+ }
+ return call_ctrl(ctrl, impl, cmd, cipher);
+}
-diff -up openssl-1.1.1c/crypto/kdf/krb5kdf.c.krb5-kdf openssl-1.1.1c/crypto/kdf/krb5kdf.c
---- openssl-1.1.1c/crypto/kdf/krb5kdf.c.krb5-kdf 2019-11-14 16:25:09.476914148 +0100
-+++ openssl-1.1.1c/crypto/kdf/krb5kdf.c 2019-11-18 17:18:13.056604404 +0100
+diff -up openssl-1.1.1d/crypto/kdf/krb5kdf.c.krb5-kdf openssl-1.1.1d/crypto/kdf/krb5kdf.c
+--- openssl-1.1.1d/crypto/kdf/krb5kdf.c.krb5-kdf 2019-11-14 15:07:05.344094093 +0100
++++ openssl-1.1.1d/crypto/kdf/krb5kdf.c 2019-11-18 17:18:13.056604404 +0100
@@ -0,0 +1,423 @@
+/*
+ * Copyright 2018-2019 The OpenSSL Project Authors. All Rights Reserved.
@@ -741,7 +741,7 @@ diff -up openssl-1.1.1c/crypto/kdf/krb5kdf.c.krb5-kdf openssl-1.1.1c/crypto/kdf/
+#include <openssl/kdf.h>
+
+#include "internal/cryptlib.h"
-+#include "internal/evp_int.h"
++#include "crypto/evp.h"
+#include "kdf_local.h"
+
+/* KRB5 KDF defined in RFC 3961, Section 5.1 */
@@ -1146,10 +1146,18 @@ diff -up openssl-1.1.1c/crypto/kdf/krb5kdf.c.krb5-kdf openssl-1.1.1c/crypto/kdf/
+ krb5kdf_derive,
+};
+
-diff -up openssl-1.1.1c/crypto/kdf/sshkdf.c.krb5-kdf openssl-1.1.1c/crypto/kdf/sshkdf.c
---- openssl-1.1.1c/crypto/kdf/sshkdf.c.krb5-kdf 2019-11-15 14:53:14.769279878 +0100
-+++ openssl-1.1.1c/crypto/kdf/sshkdf.c 2019-11-18 17:18:25.343388314 +0100
-@@ -69,6 +69,12 @@ static int kdf_sshkdf_parse_buffer_arg(u
+diff -up openssl-1.1.1d/crypto/kdf/sshkdf.c.krb5-kdf openssl-1.1.1d/crypto/kdf/sshkdf.c
+--- openssl-1.1.1d/crypto/kdf/sshkdf.c.krb5-kdf 2019-11-14 15:07:05.327094396 +0100
++++ openssl-1.1.1d/crypto/kdf/sshkdf.c 2019-11-18 17:18:25.343388314 +0100
+@@ -12,6 +12,7 @@
+ #include <string.h>
+ #include <openssl/evp.h>
+ #include <openssl/kdf.h>
++#include "internal/numbers.h"
+ #include "internal/cryptlib.h"
+ #include "crypto/evp.h"
+ #include "kdf_local.h"
+@@ -68,6 +69,12 @@ static int kdf_sshkdf_parse_buffer_arg(u
p = va_arg(args, const unsigned char *);
len = va_arg(args, size_t);
OPENSSL_clear_free(*dst, *dst_len);
@@ -1162,9 +1170,9 @@ diff -up openssl-1.1.1c/crypto/kdf/sshkdf.c.krb5-kdf openssl-1.1.1c/crypto/kdf/s
*dst = OPENSSL_memdup(p, len);
if (*dst == NULL)
return 0;
-diff -up openssl-1.1.1c/crypto/kdf/sskdf.c.krb5-kdf openssl-1.1.1c/crypto/kdf/sskdf.c
---- openssl-1.1.1c/crypto/kdf/sskdf.c.krb5-kdf 2019-11-14 16:25:09.476914148 +0100
-+++ openssl-1.1.1c/crypto/kdf/sskdf.c 2019-11-18 17:21:40.349952802 +0100
+diff -up openssl-1.1.1d/crypto/kdf/sskdf.c.krb5-kdf openssl-1.1.1d/crypto/kdf/sskdf.c
+--- openssl-1.1.1d/crypto/kdf/sskdf.c.krb5-kdf 2019-11-14 15:07:05.344094093 +0100
++++ openssl-1.1.1d/crypto/kdf/sskdf.c 2019-11-18 17:21:40.349952802 +0100
@@ -0,0 +1,255 @@
+/*
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
@@ -1210,7 +1218,7 @@ diff -up openssl-1.1.1c/crypto/kdf/sskdf.c.krb5-kdf openssl-1.1.1c/crypto/kdf/ss
+#include <openssl/evp.h>
+#include <openssl/kdf.h>
+#include "internal/cryptlib.h"
-+#include "internal/evp_int.h"
++#include "crypto/evp.h"
+#include "kdf_local.h"
+
+struct evp_kdf_impl_st {
@@ -1421,9 +1429,9 @@ diff -up openssl-1.1.1c/crypto/kdf/sskdf.c.krb5-kdf openssl-1.1.1c/crypto/kdf/ss
+ sskdf_size,
+ sskdf_derive
+};
-diff -up openssl-1.1.1c/crypto/objects/obj_dat.h.krb5-kdf openssl-1.1.1c/crypto/objects/obj_dat.h
---- openssl-1.1.1c/crypto/objects/obj_dat.h.krb5-kdf 2019-11-14 16:25:09.447914673 +0100
-+++ openssl-1.1.1c/crypto/objects/obj_dat.h 2019-11-14 16:25:09.477914130 +0100
+diff -up openssl-1.1.1d/crypto/objects/obj_dat.h.krb5-kdf openssl-1.1.1d/crypto/objects/obj_dat.h
+--- openssl-1.1.1d/crypto/objects/obj_dat.h.krb5-kdf 2019-11-14 15:07:05.322094485 +0100
++++ openssl-1.1.1d/crypto/objects/obj_dat.h 2019-11-14 15:07:05.345094076 +0100
@@ -1078,7 +1078,7 @@ static const unsigned char so[7762] = {
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x0D, /* [ 7753] OBJ_hmacWithSHA512_256 */
};
@@ -1493,9 +1501,9 @@ diff -up openssl-1.1.1c/crypto/objects/obj_dat.h.krb5-kdf openssl-1.1.1c/crypto/
16, /* "stateOrProvinceName" */
660, /* "streetAddress" */
498, /* "subtreeMaximumQuality" */
-diff -up openssl-1.1.1c/crypto/objects/objects.txt.krb5-kdf openssl-1.1.1c/crypto/objects/objects.txt
---- openssl-1.1.1c/crypto/objects/objects.txt.krb5-kdf 2019-11-14 16:25:09.447914673 +0100
-+++ openssl-1.1.1c/crypto/objects/objects.txt 2019-11-14 16:25:09.477914130 +0100
+diff -up openssl-1.1.1d/crypto/objects/objects.txt.krb5-kdf openssl-1.1.1d/crypto/objects/objects.txt
+--- openssl-1.1.1d/crypto/objects/objects.txt.krb5-kdf 2019-11-14 15:07:05.322094485 +0100
++++ openssl-1.1.1d/crypto/objects/objects.txt 2019-11-14 15:07:05.345094076 +0100
@@ -1603,6 +1603,15 @@ secg-scheme 14 3 : dhSinglePass-cofactor
# NID for SSHKDF
: SSHKDF : sshkdf
@@ -1512,9 +1520,9 @@ diff -up openssl-1.1.1c/crypto/objects/objects.txt.krb5-kdf openssl-1.1.1c/crypt
# RFC 4556
1 3 6 1 5 2 3 : id-pkinit
id-pkinit 4 : pkInitClientAuth : PKINIT Client Auth
-diff -up openssl-1.1.1c/crypto/objects/obj_mac.num.krb5-kdf openssl-1.1.1c/crypto/objects/obj_mac.num
---- openssl-1.1.1c/crypto/objects/obj_mac.num.krb5-kdf 2019-11-14 16:25:09.447914673 +0100
-+++ openssl-1.1.1c/crypto/objects/obj_mac.num 2019-11-14 16:25:09.477914130 +0100
+diff -up openssl-1.1.1d/crypto/objects/obj_mac.num.krb5-kdf openssl-1.1.1d/crypto/objects/obj_mac.num
+--- openssl-1.1.1d/crypto/objects/obj_mac.num.krb5-kdf 2019-11-14 15:07:05.322094485 +0100
++++ openssl-1.1.1d/crypto/objects/obj_mac.num 2019-11-14 15:07:05.346094058 +0100
@@ -1193,3 +1193,6 @@ magma_mac 1192
hmacWithSHA512_224 1193
hmacWithSHA512_256 1194
@@ -1522,9 +1530,9 @@ diff -up openssl-1.1.1c/crypto/objects/obj_mac.num.krb5-kdf openssl-1.1.1c/crypt
+kbkdf 1196
+krb5kdf 1197
+sskdf 1198
-diff -up openssl-1.1.1c/doc/man3/EVP_KDF_CTX.pod.krb5-kdf openssl-1.1.1c/doc/man3/EVP_KDF_CTX.pod
---- openssl-1.1.1c/doc/man3/EVP_KDF_CTX.pod.krb5-kdf 2019-11-14 16:25:09.439914818 +0100
-+++ openssl-1.1.1c/doc/man3/EVP_KDF_CTX.pod 2019-11-14 16:25:09.477914130 +0100
+diff -up openssl-1.1.1d/doc/man3/EVP_KDF_CTX.pod.krb5-kdf openssl-1.1.1d/doc/man3/EVP_KDF_CTX.pod
+--- openssl-1.1.1d/doc/man3/EVP_KDF_CTX.pod.krb5-kdf 2019-11-14 15:07:05.314094628 +0100
++++ openssl-1.1.1d/doc/man3/EVP_KDF_CTX.pod 2019-11-14 15:07:05.346094058 +0100
@@ -140,7 +140,14 @@ The value string is expected to be a dec
This control expects one argument: C<EVP_MD *md>
@@ -1541,9 +1549,9 @@ diff -up openssl-1.1.1c/doc/man3/EVP_KDF_CTX.pod.krb5-kdf openssl-1.1.1c/doc/man
EVP_KDF_ctrl_str() type string: "md"
-diff -up openssl-1.1.1c/doc/man7/EVP_KDF_KB.pod.krb5-kdf openssl-1.1.1c/doc/man7/EVP_KDF_KB.pod
---- openssl-1.1.1c/doc/man7/EVP_KDF_KB.pod.krb5-kdf 2019-11-14 16:25:09.478914112 +0100
-+++ openssl-1.1.1c/doc/man7/EVP_KDF_KB.pod 2019-11-14 16:25:09.478914112 +0100
+diff -up openssl-1.1.1d/doc/man7/EVP_KDF_KB.pod.krb5-kdf openssl-1.1.1d/doc/man7/EVP_KDF_KB.pod
+--- openssl-1.1.1d/doc/man7/EVP_KDF_KB.pod.krb5-kdf 2019-11-14 15:07:05.346094058 +0100
++++ openssl-1.1.1d/doc/man7/EVP_KDF_KB.pod 2019-11-14 15:07:05.346094058 +0100
@@ -0,0 +1,173 @@
+=pod
+
@@ -1718,9 +1726,9 @@ diff -up openssl-1.1.1c/doc/man7/EVP_KDF_KB.pod.krb5-kdf openssl-1.1.1c/doc/man7
+L<https://www.openssl.org/source/license.html>.
+
+=cut
-diff -up openssl-1.1.1c/doc/man7/EVP_KDF_KRB5KDF.pod.krb5-kdf openssl-1.1.1c/doc/man7/EVP_KDF_KRB5KDF.pod
---- openssl-1.1.1c/doc/man7/EVP_KDF_KRB5KDF.pod.krb5-kdf 2019-11-14 16:25:09.478914112 +0100
-+++ openssl-1.1.1c/doc/man7/EVP_KDF_KRB5KDF.pod 2019-11-14 16:25:09.478914112 +0100
+diff -up openssl-1.1.1d/doc/man7/EVP_KDF_KRB5KDF.pod.krb5-kdf openssl-1.1.1d/doc/man7/EVP_KDF_KRB5KDF.pod
+--- openssl-1.1.1d/doc/man7/EVP_KDF_KRB5KDF.pod.krb5-kdf 2019-11-14 15:07:05.346094058 +0100
++++ openssl-1.1.1d/doc/man7/EVP_KDF_KRB5KDF.pod 2019-11-14 15:07:05.346094058 +0100
@@ -0,0 +1,107 @@
+=pod
+
@@ -1829,9 +1837,9 @@ diff -up openssl-1.1.1c/doc/man7/EVP_KDF_KRB5KDF.pod.krb5-kdf openssl-1.1.1c/doc
+
+=cut
+
-diff -up openssl-1.1.1c/doc/man7/EVP_KDF_SS.pod.krb5-kdf openssl-1.1.1c/doc/man7/EVP_KDF_SS.pod
---- openssl-1.1.1c/doc/man7/EVP_KDF_SS.pod.krb5-kdf 2019-11-14 16:25:09.478914112 +0100
-+++ openssl-1.1.1c/doc/man7/EVP_KDF_SS.pod 2019-11-14 16:25:09.478914112 +0100
+diff -up openssl-1.1.1d/doc/man7/EVP_KDF_SS.pod.krb5-kdf openssl-1.1.1d/doc/man7/EVP_KDF_SS.pod
+--- openssl-1.1.1d/doc/man7/EVP_KDF_SS.pod.krb5-kdf 2019-11-14 15:07:05.346094058 +0100
++++ openssl-1.1.1d/doc/man7/EVP_KDF_SS.pod 2019-11-14 15:07:05.346094058 +0100
@@ -0,0 +1,146 @@
+=pod
+
@@ -1979,10 +1987,10 @@ diff -up openssl-1.1.1c/doc/man7/EVP_KDF_SS.pod.krb5-kdf openssl-1.1.1c/doc/man7
+L<https://www.openssl.org/source/license.html>.
+
+=cut
-diff -up openssl-1.1.1c/include/openssl/kdferr.h.krb5-kdf openssl-1.1.1c/include/openssl/kdferr.h
---- openssl-1.1.1c/include/openssl/kdferr.h.krb5-kdf 2019-11-14 16:25:09.448914655 +0100
-+++ openssl-1.1.1c/include/openssl/kdferr.h 2019-11-14 16:25:09.478914112 +0100
-@@ -20,6 +20,11 @@ int ERR_load_KDF_strings(void);
+diff -up openssl-1.1.1d/include/openssl/kdferr.h.krb5-kdf openssl-1.1.1d/include/openssl/kdferr.h
+--- openssl-1.1.1d/include/openssl/kdferr.h.krb5-kdf 2019-11-14 15:07:05.323094468 +0100
++++ openssl-1.1.1d/include/openssl/kdferr.h 2019-11-14 15:07:05.347094040 +0100
+@@ -24,6 +24,11 @@ int ERR_load_KDF_strings(void);
* KDF function codes.
*/
# define KDF_F_HKDF_EXTRACT 112
@@ -1994,7 +2002,7 @@ diff -up openssl-1.1.1c/include/openssl/kdferr.h.krb5-kdf openssl-1.1.1c/include
# define KDF_F_KDF_HKDF_DERIVE 113
# define KDF_F_KDF_HKDF_NEW 114
# define KDF_F_KDF_HKDF_SIZE 115
-@@ -39,6 +44,8 @@ int ERR_load_KDF_strings(void);
+@@ -43,6 +48,8 @@ int ERR_load_KDF_strings(void);
# define KDF_F_KDF_TLS1_PRF_CTRL_STR 125
# define KDF_F_KDF_TLS1_PRF_DERIVE 126
# define KDF_F_KDF_TLS1_PRF_NEW 127
@@ -2003,7 +2011,7 @@ diff -up openssl-1.1.1c/include/openssl/kdferr.h.krb5-kdf openssl-1.1.1c/include
# define KDF_F_PBKDF2_SET_MEMBUF 128
# define KDF_F_PKEY_HKDF_CTRL_STR 103
# define KDF_F_PKEY_HKDF_DERIVE 102
-@@ -52,12 +59,21 @@ int ERR_load_KDF_strings(void);
+@@ -56,12 +63,21 @@ int ERR_load_KDF_strings(void);
# define KDF_F_PKEY_TLS1_PRF_DERIVE 101
# define KDF_F_PKEY_TLS1_PRF_INIT 110
# define KDF_F_SCRYPT_SET_MEMBUF 129
@@ -2025,7 +2033,7 @@ diff -up openssl-1.1.1c/include/openssl/kdferr.h.krb5-kdf openssl-1.1.1c/include
# define KDF_R_MISSING_ITERATION_COUNT 109
# define KDF_R_MISSING_KEY 104
# define KDF_R_MISSING_MESSAGE_DIGEST 105
-@@ -72,6 +88,7 @@ int ERR_load_KDF_strings(void);
+@@ -76,6 +92,7 @@ int ERR_load_KDF_strings(void);
# define KDF_R_UNKNOWN_PARAMETER_TYPE 103
# define KDF_R_VALUE_ERROR 108
# define KDF_R_VALUE_MISSING 102
@@ -2033,9 +2041,9 @@ diff -up openssl-1.1.1c/include/openssl/kdferr.h.krb5-kdf openssl-1.1.1c/include
# define KDF_R_WRONG_OUTPUT_BUFFER_SIZE 112
#endif
-diff -up openssl-1.1.1c/include/openssl/kdf.h.krb5-kdf openssl-1.1.1c/include/openssl/kdf.h
---- openssl-1.1.1c/include/openssl/kdf.h.krb5-kdf 2019-11-14 16:25:09.448914655 +0100
-+++ openssl-1.1.1c/include/openssl/kdf.h 2019-11-14 16:25:09.478914112 +0100
+diff -up openssl-1.1.1d/include/openssl/kdf.h.krb5-kdf openssl-1.1.1d/include/openssl/kdf.h
+--- openssl-1.1.1d/include/openssl/kdf.h.krb5-kdf 2019-11-14 15:07:05.323094468 +0100
++++ openssl-1.1.1d/include/openssl/kdf.h 2019-11-14 15:07:05.347094040 +0100
@@ -21,6 +21,9 @@ extern "C" {
# define EVP_KDF_TLS1_PRF NID_tls1_prf
# define EVP_KDF_HKDF NID_hkdf
@@ -2073,9 +2081,9 @@ diff -up openssl-1.1.1c/include/openssl/kdf.h.krb5-kdf openssl-1.1.1c/include/op
/**** The legacy PKEY-based KDF API follows. ****/
# define EVP_PKEY_CTRL_TLS_MD (EVP_PKEY_ALG_CTRL)
-diff -up openssl-1.1.1c/include/openssl/obj_mac.h.krb5-kdf openssl-1.1.1c/include/openssl/obj_mac.h
---- openssl-1.1.1c/include/openssl/obj_mac.h.krb5-kdf 2019-11-14 16:25:09.449914637 +0100
-+++ openssl-1.1.1c/include/openssl/obj_mac.h 2019-11-14 16:25:09.479914093 +0100
+diff -up openssl-1.1.1d/include/openssl/obj_mac.h.krb5-kdf openssl-1.1.1d/include/openssl/obj_mac.h
+--- openssl-1.1.1d/include/openssl/obj_mac.h.krb5-kdf 2019-11-14 15:07:05.323094468 +0100
++++ openssl-1.1.1d/include/openssl/obj_mac.h 2019-11-14 15:07:05.347094040 +0100
@@ -4974,6 +4974,18 @@
#define LN_sshkdf "sshkdf"
#define NID_sshkdf 1203
@@ -2095,9 +2103,9 @@ diff -up openssl-1.1.1c/include/openssl/obj_mac.h.krb5-kdf openssl-1.1.1c/includ
#define SN_id_pkinit "id-pkinit"
#define NID_id_pkinit 1031
#define OBJ_id_pkinit 1L,3L,6L,1L,5L,2L,3L
-diff -up openssl-1.1.1c/test/evp_kdf_test.c.krb5-kdf openssl-1.1.1c/test/evp_kdf_test.c
---- openssl-1.1.1c/test/evp_kdf_test.c.krb5-kdf 2019-11-14 16:25:09.441914782 +0100
-+++ openssl-1.1.1c/test/evp_kdf_test.c 2019-11-14 16:25:09.479914093 +0100
+diff -up openssl-1.1.1d/test/evp_kdf_test.c.krb5-kdf openssl-1.1.1d/test/evp_kdf_test.c
+--- openssl-1.1.1d/test/evp_kdf_test.c.krb5-kdf 2019-11-14 15:07:05.315094610 +0100
++++ openssl-1.1.1d/test/evp_kdf_test.c 2019-11-14 15:07:05.348094022 +0100
@@ -225,13 +225,358 @@ err:
}
#endif
@@ -2457,9 +2465,9 @@ diff -up openssl-1.1.1c/test/evp_kdf_test.c.krb5-kdf openssl-1.1.1c/test/evp_kdf
+ ADD_TEST(test_kdf_ss_hash);
return 1;
}
-diff -up openssl-1.1.1c/test/recipes/30-test_evp_data/evpkdf.txt.krb5-kdf openssl-1.1.1c/test/recipes/30-test_evp_data/evpkdf.txt
---- openssl-1.1.1c/test/recipes/30-test_evp_data/evpkdf.txt.krb5-kdf 2019-11-14 16:25:09.451914601 +0100
-+++ openssl-1.1.1c/test/recipes/30-test_evp_data/evpkdf.txt 2019-11-14 16:25:09.480914075 +0100
+diff -up openssl-1.1.1d/test/recipes/30-test_evp_data/evpkdf.txt.krb5-kdf openssl-1.1.1d/test/recipes/30-test_evp_data/evpkdf.txt
+--- openssl-1.1.1d/test/recipes/30-test_evp_data/evpkdf.txt.krb5-kdf 2019-11-14 15:07:05.327094396 +0100
++++ openssl-1.1.1d/test/recipes/30-test_evp_data/evpkdf.txt 2019-11-14 15:07:05.349094005 +0100
@@ -5286,3 +5286,559 @@ Ctrl.hexsession_id = hexsession_id:a4ebd
Ctrl.type = type:A
Output = FF
diff --git a/SOURCES/openssl-1.1.1-no-brainpool.patch b/SOURCES/openssl-1.1.1-no-brainpool.patch
index 2ab6fc9..90c87a8 100644
--- a/SOURCES/openssl-1.1.1-no-brainpool.patch
+++ b/SOURCES/openssl-1.1.1-no-brainpool.patch
@@ -1,17 +1,16 @@
-diff -up openssl-1.1.1b/test/ssl-tests/20-cert-select.conf.in.no-brainpool openssl-1.1.1b/test/ssl-tests/20-cert-select.conf.in
---- openssl-1.1.1b/test/ssl-tests/20-cert-select.conf.in.no-brainpool 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/test/ssl-tests/20-cert-select.conf.in 2019-05-07 11:52:35.885597934 +0200
-@@ -141,22 +141,23 @@ our @tests = (
+diff -up openssl-1.1.1d/test/ssl-tests/20-cert-select.conf.in.no-brainpool openssl-1.1.1d/test/ssl-tests/20-cert-select.conf.in
+--- openssl-1.1.1d/test/ssl-tests/20-cert-select.conf.in.no-brainpool 2019-09-10 15:13:07.000000000 +0200
++++ openssl-1.1.1d/test/ssl-tests/20-cert-select.conf.in 2019-09-13 15:11:07.358687169 +0200
+@@ -147,22 +147,22 @@ our @tests = (
{
name => "ECDSA with brainpool",
server => {
- "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"),
- "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"),
- "Groups" => "brainpoolP256r1",
-+# "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"),
-+# "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"),
++ "Certificate" => test_pem("server-ecdsa-cert.pem"),
++ "PrivateKey" => test_pem("server-ecdsa-key.pem"),
+# "Groups" => "brainpoolP256r1",
-+ "CipherString" => "aNULL",
},
client => {
#We don't restrict this to TLSv1.2, although use of brainpool
@@ -32,17 +31,16 @@ diff -up openssl-1.1.1b/test/ssl-tests/20-cert-select.conf.in.no-brainpool opens
"ExpectedResult" => "Success"
},
},
-@@ -787,18 +788,19 @@ my @tests_tls_1_3 = (
+@@ -853,18 +853,18 @@ my @tests_tls_1_3 = (
{
name => "TLS 1.3 ECDSA with brainpool",
server => {
- "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"),
- "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"),
- "Groups" => "brainpoolP256r1",
-+# "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"),
-+# "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"),
++ "Certificate" => test_pem("server-ecdsa-cert.pem"),
++ "PrivateKey" => test_pem("server-ecdsa-key.pem"),
+# "Groups" => "brainpoolP256r1",
-+ "CipherString" => "aNULL",
},
client => {
"RequestCAFile" => test_pem("root-cert.pem"),
@@ -57,20 +55,19 @@ diff -up openssl-1.1.1b/test/ssl-tests/20-cert-select.conf.in.no-brainpool opens
},
},
);
-diff -up openssl-1.1.1b/test/ssl-tests/20-cert-select.conf.no-brainpool openssl-1.1.1b/test/ssl-tests/20-cert-select.conf
---- openssl-1.1.1b/test/ssl-tests/20-cert-select.conf.no-brainpool 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/test/ssl-tests/20-cert-select.conf 2019-05-07 12:15:12.762907496 +0200
-@@ -233,23 +233,18 @@ server = 5-ECDSA with brainpool-server
+diff -up openssl-1.1.1d/test/ssl-tests/20-cert-select.conf.no-brainpool openssl-1.1.1d/test/ssl-tests/20-cert-select.conf
+--- openssl-1.1.1d/test/ssl-tests/20-cert-select.conf.no-brainpool 2019-09-10 15:13:07.000000000 +0200
++++ openssl-1.1.1d/test/ssl-tests/20-cert-select.conf 2019-09-13 15:12:27.380288469 +0200
+@@ -238,23 +238,18 @@ server = 5-ECDSA with brainpool-server
client = 5-ECDSA with brainpool-client
[5-ECDSA with brainpool-server]
-Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-cert.pem
--CipherString = DEFAULT
++Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
+ CipherString = DEFAULT
-Groups = brainpoolP256r1
-PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-key.pem
-+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-+CipherString = aNULL
-+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
++PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
[5-ECDSA with brainpool-client]
CipherString = aECDSA
@@ -87,28 +84,27 @@ diff -up openssl-1.1.1b/test/ssl-tests/20-cert-select.conf.no-brainpool openssl-
# ===========================================================
-@@ -1577,14 +1572,12 @@ server = 47-TLS 1.3 ECDSA with brainpool
- client = 47-TLS 1.3 ECDSA with brainpool-client
+@@ -1713,14 +1708,12 @@ server = 52-TLS 1.3 ECDSA with brainpool
+ client = 52-TLS 1.3 ECDSA with brainpool-client
- [47-TLS 1.3 ECDSA with brainpool-server]
+ [52-TLS 1.3 ECDSA with brainpool-server]
-Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-cert.pem
--CipherString = DEFAULT
++Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
+ CipherString = DEFAULT
-Groups = brainpoolP256r1
-PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-key.pem
-+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-+CipherString = aNULL
-+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
++PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
- [47-TLS 1.3 ECDSA with brainpool-client]
+ [52-TLS 1.3 ECDSA with brainpool-client]
CipherString = DEFAULT
-Groups = brainpoolP256r1
MaxProtocol = TLSv1.3
MinProtocol = TLSv1.3
RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
-@@ -1592,7 +1585,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/ro
+@@ -1728,7 +1721,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/ro
VerifyMode = Peer
- [test-47]
+ [test-52]
-ExpectedResult = ServerFail
+ExpectedResult = Success
diff --git a/SOURCES/openssl-1.1.1-no-html.patch b/SOURCES/openssl-1.1.1-no-html.patch
new file mode 100644
index 0000000..d0e335e
--- /dev/null
+++ b/SOURCES/openssl-1.1.1-no-html.patch
@@ -0,0 +1,12 @@
+diff -up openssl-1.1.1f/Configurations/unix-Makefile.tmpl.no-html openssl-1.1.1f/Configurations/unix-Makefile.tmpl
+--- openssl-1.1.1f/Configurations/unix-Makefile.tmpl.no-html 2020-04-07 16:45:21.904083989 +0200
++++ openssl-1.1.1f/Configurations/unix-Makefile.tmpl 2020-04-07 16:45:56.218461895 +0200
+@@ -544,7 +544,7 @@ install_sw: install_dev install_engines
+
+ uninstall_sw: uninstall_runtime uninstall_engines uninstall_dev
+
+-install_docs: install_man_docs install_html_docs
++install_docs: install_man_docs
+
+ uninstall_docs: uninstall_man_docs uninstall_html_docs
+ $(RM) -r "$(DESTDIR)$(DOCDIR)"
diff --git a/SOURCES/openssl-1.1.1-regression-fixes.patch b/SOURCES/openssl-1.1.1-regression-fixes.patch
deleted file mode 100644
index 11099a1..0000000
--- a/SOURCES/openssl-1.1.1-regression-fixes.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-diff -up openssl-1.1.1b/crypto/conf/conf_lib.c.regression openssl-1.1.1b/crypto/conf/conf_lib.c
---- openssl-1.1.1b/crypto/conf/conf_lib.c.regression 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/conf/conf_lib.c 2019-05-10 14:28:57.718049429 +0200
-@@ -356,8 +356,10 @@ OPENSSL_INIT_SETTINGS *OPENSSL_INIT_new(
- {
- OPENSSL_INIT_SETTINGS *ret = malloc(sizeof(*ret));
-
-- if (ret != NULL)
-- memset(ret, 0, sizeof(*ret));
-+ if (ret == NULL)
-+ return NULL;
-+
-+ memset(ret, 0, sizeof(*ret));
- ret->flags = DEFAULT_CONF_MFLAGS;
-
- return ret;
diff --git a/SOURCES/openssl-1.1.1-reneg-no-extms.patch b/SOURCES/openssl-1.1.1-reneg-no-extms.patch
new file mode 100644
index 0000000..76adef7
--- /dev/null
+++ b/SOURCES/openssl-1.1.1-reneg-no-extms.patch
@@ -0,0 +1,44 @@
+diff -up openssl-1.1.1g/include/openssl/ssl3.h.reneg-no-extms openssl-1.1.1g/include/openssl/ssl3.h
+--- openssl-1.1.1g/include/openssl/ssl3.h.reneg-no-extms 2020-04-21 14:22:39.000000000 +0200
++++ openssl-1.1.1g/include/openssl/ssl3.h 2020-06-05 15:20:22.090682776 +0200
+@@ -292,6 +292,9 @@ extern "C" {
+
+ # define TLS1_FLAGS_STATELESS 0x0800
+
++/* Set if extended master secret extension required on renegotiation */
++# define TLS1_FLAGS_REQUIRED_EXTMS 0x1000
++
+ # define SSL3_MT_HELLO_REQUEST 0
+ # define SSL3_MT_CLIENT_HELLO 1
+ # define SSL3_MT_SERVER_HELLO 2
+diff -up openssl-1.1.1g/ssl/statem/extensions.c.reneg-no-extms openssl-1.1.1g/ssl/statem/extensions.c
+--- openssl-1.1.1g/ssl/statem/extensions.c.reneg-no-extms 2020-04-21 14:22:39.000000000 +0200
++++ openssl-1.1.1g/ssl/statem/extensions.c 2020-06-05 15:22:19.677653437 +0200
+@@ -1168,14 +1168,26 @@ static int init_etm(SSL *s, unsigned int
+
+ static int init_ems(SSL *s, unsigned int context)
+ {
+- if (!s->server)
++ if (s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) {
+ s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS;
++ s->s3->flags |= TLS1_FLAGS_REQUIRED_EXTMS;
++ }
+
+ return 1;
+ }
+
+ static int final_ems(SSL *s, unsigned int context, int sent)
+ {
++ /*
++ * Check extended master secret extension is not dropped on
++ * renegotiation.
++ */
++ if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS)
++ && (s->s3->flags & TLS1_FLAGS_REQUIRED_EXTMS)) {
++ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_FINAL_EMS,
++ SSL_R_INCONSISTENT_EXTMS);
++ return 0;
++ }
+ if (!s->server && s->hit) {
+ /*
+ * Check extended master secret extension is consistent with
diff --git a/SOURCES/openssl-1.1.1-rewire-fips-drbg.patch b/SOURCES/openssl-1.1.1-rewire-fips-drbg.patch
new file mode 100644
index 0000000..4d04d37
--- /dev/null
+++ b/SOURCES/openssl-1.1.1-rewire-fips-drbg.patch
@@ -0,0 +1,170 @@
+diff -up openssl-1.1.1g/crypto/fips/fips_drbg_lib.c.rewire-fips-drbg openssl-1.1.1g/crypto/fips/fips_drbg_lib.c
+--- openssl-1.1.1g/crypto/fips/fips_drbg_lib.c.rewire-fips-drbg 2020-06-22 13:32:47.611852927 +0200
++++ openssl-1.1.1g/crypto/fips/fips_drbg_lib.c 2020-06-22 13:32:47.675852917 +0200
+@@ -337,6 +337,19 @@ static int drbg_reseed(DRBG_CTX *dctx,
+ int FIPS_drbg_reseed(DRBG_CTX *dctx,
+ const unsigned char *adin, size_t adinlen)
+ {
++ int len = (int)adinlen;
++
++ if (len < 0 || (size_t)len != adinlen) {
++ FIPSerr(FIPS_F_DRBG_RESEED, FIPS_R_ADDITIONAL_INPUT_TOO_LONG);
++ return 0;
++ }
++ RAND_seed(adin, len);
++ return 1;
++}
++
++int FIPS_drbg_reseed_internal(DRBG_CTX *dctx,
++ const unsigned char *adin, size_t adinlen)
++{
+ return drbg_reseed(dctx, adin, adinlen, 1);
+ }
+
+@@ -358,6 +371,19 @@ int FIPS_drbg_generate(DRBG_CTX *dctx, u
+ int prediction_resistance,
+ const unsigned char *adin, size_t adinlen)
+ {
++ int len = (int)outlen;
++
++ if (len < 0 || (size_t)len != outlen) {
++ FIPSerr(FIPS_F_FIPS_DRBG_GENERATE, FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG);
++ return 0;
++ }
++ return RAND_bytes(out, len);
++}
++
++int FIPS_drbg_generate_internal(DRBG_CTX *dctx, unsigned char *out, size_t outlen,
++ int prediction_resistance,
++ const unsigned char *adin, size_t adinlen)
++{
+ int r = 0;
+
+ if (FIPS_selftest_failed()) {
+diff -up openssl-1.1.1g/crypto/fips/fips_drbg_rand.c.rewire-fips-drbg openssl-1.1.1g/crypto/fips/fips_drbg_rand.c
+--- openssl-1.1.1g/crypto/fips/fips_drbg_rand.c.rewire-fips-drbg 2020-06-22 13:32:47.611852927 +0200
++++ openssl-1.1.1g/crypto/fips/fips_drbg_rand.c 2020-06-22 13:32:47.675852917 +0200
+@@ -57,6 +57,8 @@
+ #include <openssl/err.h>
+ #include <openssl/rand.h>
+ #include <openssl/fips.h>
++#define FIPS_DRBG_generate FIPS_DRBG_generate_internal
++#define FIPS_DRBG_reseed FIPS_DRBG_reseed_internal
+ #include <openssl/fips_rand.h>
+ #include "fips_rand_lcl.h"
+
+diff -up openssl-1.1.1g/crypto/fips/fips_drbg_selftest.c.rewire-fips-drbg openssl-1.1.1g/crypto/fips/fips_drbg_selftest.c
+--- openssl-1.1.1g/crypto/fips/fips_drbg_selftest.c.rewire-fips-drbg 2020-06-22 13:32:47.612852927 +0200
++++ openssl-1.1.1g/crypto/fips/fips_drbg_selftest.c 2020-06-22 13:32:47.675852917 +0200
+@@ -55,6 +55,8 @@
+ #include <openssl/crypto.h>
+ #include <openssl/err.h>
+ #include <openssl/fips.h>
++#define FIPS_DRBG_generate FIPS_DRBG_generate_internal
++#define FIPS_DRBG_reseed FIPS_DRBG_reseed_internal
+ #include <openssl/fips_rand.h>
+ #include "fips_rand_lcl.h"
+ #include "fips_locl.h"
+diff -up openssl-1.1.1g/crypto/fips/fips_post.c.rewire-fips-drbg openssl-1.1.1g/crypto/fips/fips_post.c
+--- openssl-1.1.1g/crypto/fips/fips_post.c.rewire-fips-drbg 2020-06-22 13:32:47.672852918 +0200
++++ openssl-1.1.1g/crypto/fips/fips_post.c 2020-06-22 13:32:47.675852917 +0200
+@@ -79,8 +79,6 @@ int FIPS_selftest(void)
+ ERR_add_error_data(2, "Type=", "rand_drbg_selftest");
+ rv = 0;
+ }
+- if (!FIPS_selftest_drbg())
+- rv = 0;
+ if (!FIPS_selftest_sha1())
+ rv = 0;
+ if (!FIPS_selftest_sha2())
+diff -up openssl-1.1.1g/crypto/fips/fips_rand_lib.c.rewire-fips-drbg openssl-1.1.1g/crypto/fips/fips_rand_lib.c
+--- openssl-1.1.1g/crypto/fips/fips_rand_lib.c.rewire-fips-drbg 2020-06-22 13:32:47.613852927 +0200
++++ openssl-1.1.1g/crypto/fips/fips_rand_lib.c 2020-06-22 13:36:28.722817967 +0200
+@@ -120,6 +120,7 @@ void FIPS_rand_reset(void)
+
+ int FIPS_rand_seed(const void *buf, int num)
+ {
++#if 0
+ if (!fips_approved_rand_meth && FIPS_module_mode()) {
+ FIPSerr(FIPS_F_FIPS_RAND_SEED, FIPS_R_NON_FIPS_METHOD);
+ return 0;
+@@ -127,10 +128,15 @@ int FIPS_rand_seed(const void *buf, int
+ if (fips_rand_meth && fips_rand_meth->seed)
+ fips_rand_meth->seed(buf, num);
+ return 1;
++#else
++ RAND_seed(buf, num);
++ return 1;
++#endif
+ }
+
+ int FIPS_rand_bytes(unsigned char *buf, int num)
+ {
++#if 0
+ if (!fips_approved_rand_meth && FIPS_module_mode()) {
+ FIPSerr(FIPS_F_FIPS_RAND_BYTES, FIPS_R_NON_FIPS_METHOD);
+ return 0;
+@@ -138,10 +144,14 @@ int FIPS_rand_bytes(unsigned char *buf,
+ if (fips_rand_meth && fips_rand_meth->bytes)
+ return fips_rand_meth->bytes(buf, num);
+ return 0;
++#else
++ return RAND_bytes(buf, num);
++#endif
+ }
+
+ int FIPS_rand_status(void)
+ {
++#if 0
+ if (!fips_approved_rand_meth && FIPS_module_mode()) {
+ FIPSerr(FIPS_F_FIPS_RAND_STATUS, FIPS_R_NON_FIPS_METHOD);
+ return 0;
+@@ -149,6 +159,9 @@ int FIPS_rand_status(void)
+ if (fips_rand_meth && fips_rand_meth->status)
+ return fips_rand_meth->status();
+ return 0;
++#else
++ return RAND_status();
++#endif
+ }
+
+ /* Return instantiated strength of PRNG. For DRBG this is an internal
+diff -up openssl-1.1.1g/include/openssl/fips.h.rewire-fips-drbg openssl-1.1.1g/include/openssl/fips.h
+--- openssl-1.1.1g/include/openssl/fips.h.rewire-fips-drbg 2020-06-22 13:32:47.672852918 +0200
++++ openssl-1.1.1g/include/openssl/fips.h 2020-06-22 13:32:47.675852917 +0200
+@@ -64,6 +64,11 @@ extern "C" {
+
+ int FIPS_selftest(void);
+ int FIPS_selftest_failed(void);
++
++ /*
++ * This function is deprecated as it performs selftest of the old FIPS drbg
++ * implementation that is not validated.
++ */
+ int FIPS_selftest_drbg_all(void);
+
+ int FIPS_dsa_builtin_paramgen2(DSA *ret, size_t L, size_t N,
+diff -up openssl-1.1.1g/include/openssl/fips_rand.h.rewire-fips-drbg openssl-1.1.1g/include/openssl/fips_rand.h
+--- openssl-1.1.1g/include/openssl/fips_rand.h.rewire-fips-drbg 2020-06-22 13:32:47.617852926 +0200
++++ openssl-1.1.1g/include/openssl/fips_rand.h 2020-06-22 13:32:47.675852917 +0200
+@@ -60,6 +60,20 @@
+ # ifdef __cplusplus
+ extern "C" {
+ # endif
++
++/*
++ * IMPORTANT NOTE:
++ * All functions in this header file are deprecated and should not be used
++ * as they use the old FIPS_drbg implementation that is not FIPS validated
++ * anymore.
++ * To provide backwards compatibility for applications that need FIPS compliant
++ * RNG number generation and use FIPS_drbg_generate, this function was
++ * re-wired to call the FIPS validated DRBG instance instead through
++ * the RAND_bytes() call.
++ *
++ * All these functions will be removed in future.
++ */
++
+ typedef struct drbg_ctx_st DRBG_CTX;
+ /* DRBG external flags */
+ /* Flag for CTR mode only: use derivation function ctr_df */
diff --git a/SOURCES/openssl-1.1.1-s390x-ecc.patch b/SOURCES/openssl-1.1.1-s390x-ecc.patch
index 30d6866..6b5963f 100644
--- a/SOURCES/openssl-1.1.1-s390x-ecc.patch
+++ b/SOURCES/openssl-1.1.1-s390x-ecc.patch
@@ -1,6 +1,6 @@
-diff -up openssl-1.1.1c/Configurations/00-base-templates.conf.s390x-ecc openssl-1.1.1c/Configurations/00-base-templates.conf
---- openssl-1.1.1c/Configurations/00-base-templates.conf.s390x-ecc 2019-05-28 15:12:21.000000000 +0200
-+++ openssl-1.1.1c/Configurations/00-base-templates.conf 2019-11-20 11:36:02.190860451 +0100
+diff -up openssl-1.1.1g/Configurations/00-base-templates.conf.s390x-ecc openssl-1.1.1g/Configurations/00-base-templates.conf
+--- openssl-1.1.1g/Configurations/00-base-templates.conf.s390x-ecc 2020-04-21 14:22:39.000000000 +0200
++++ openssl-1.1.1g/Configurations/00-base-templates.conf 2020-05-18 12:45:40.855234262 +0200
@@ -289,6 +289,7 @@ my %targets=(
template => 1,
cpuid_asm_src => "s390xcap.c s390xcpuid.S",
@@ -9,10 +9,10 @@ diff -up openssl-1.1.1c/Configurations/00-base-templates.conf.s390x-ecc openssl-
aes_asm_src => "aes-s390x.S aes-ctr.fake aes-xts.fake",
sha1_asm_src => "sha1-s390x.S sha256-s390x.S sha512-s390x.S",
rc4_asm_src => "rc4-s390x.s",
-diff -up openssl-1.1.1c/Configure.s390x-ecc openssl-1.1.1c/Configure
---- openssl-1.1.1c/Configure.s390x-ecc 2019-11-20 11:36:02.078862415 +0100
-+++ openssl-1.1.1c/Configure 2019-11-20 11:36:02.191860433 +0100
-@@ -1410,6 +1410,9 @@ unless ($disabled{asm}) {
+diff -up openssl-1.1.1g/Configure.s390x-ecc openssl-1.1.1g/Configure
+--- openssl-1.1.1g/Configure.s390x-ecc 2020-05-18 12:45:40.781233618 +0200
++++ openssl-1.1.1g/Configure 2020-05-18 12:45:40.856234270 +0200
+@@ -1398,6 +1398,9 @@ unless ($disabled{asm}) {
if ($target{ec_asm_src} =~ /ecp_nistz256/) {
push @{$config{lib_defines}}, "ECP_NISTZ256_ASM";
}
@@ -22,21 +22,9 @@ diff -up openssl-1.1.1c/Configure.s390x-ecc openssl-1.1.1c/Configure
if ($target{ec_asm_src} =~ /x25519/) {
push @{$config{lib_defines}}, "X25519_ASM";
}
-diff -up openssl-1.1.1c/crypto/bn/asm/s390x.S.s390x-ecc openssl-1.1.1c/crypto/bn/asm/s390x.S
---- openssl-1.1.1c/crypto/bn/asm/s390x.S.s390x-ecc 2019-05-28 15:12:21.000000000 +0200
-+++ openssl-1.1.1c/crypto/bn/asm/s390x.S 2019-11-20 11:36:02.191860433 +0100
-@@ -511,7 +511,7 @@ bn_mul_comba4:
- lghi zero,0
-
- mul_add_c(0,0,c1,c2,c3);
-- stg c1,0*8(%r3)
-+ stg c1,0*8(%r2)
- lghi c1,0
-
- mul_add_c(0,1,c2,c3,c1);
-diff -up openssl-1.1.1c/crypto/cmac/cm_pmeth.c.s390x-ecc openssl-1.1.1c/crypto/cmac/cm_pmeth.c
---- openssl-1.1.1c/crypto/cmac/cm_pmeth.c.s390x-ecc 2019-11-20 11:36:02.078862415 +0100
-+++ openssl-1.1.1c/crypto/cmac/cm_pmeth.c 2019-11-20 11:36:02.191860433 +0100
+diff -up openssl-1.1.1g/crypto/cmac/cm_pmeth.c.s390x-ecc openssl-1.1.1g/crypto/cmac/cm_pmeth.c
+--- openssl-1.1.1g/crypto/cmac/cm_pmeth.c.s390x-ecc 2020-05-18 12:45:40.782233627 +0200
++++ openssl-1.1.1g/crypto/cmac/cm_pmeth.c 2020-05-18 12:45:42.661249957 +0200
@@ -159,3 +159,8 @@ const EVP_PKEY_METHOD cmac_pkey_meth = {
pkey_cmac_ctrl,
pkey_cmac_ctrl_str
@@ -46,9 +34,9 @@ diff -up openssl-1.1.1c/crypto/cmac/cm_pmeth.c.s390x-ecc openssl-1.1.1c/crypto/c
+{
+ return &cmac_pkey_meth;
+}
-diff -up openssl-1.1.1c/crypto/dh/dh_pmeth.c.s390x-ecc openssl-1.1.1c/crypto/dh/dh_pmeth.c
---- openssl-1.1.1c/crypto/dh/dh_pmeth.c.s390x-ecc 2019-11-20 11:36:02.079862397 +0100
-+++ openssl-1.1.1c/crypto/dh/dh_pmeth.c 2019-11-20 11:36:02.191860433 +0100
+diff -up openssl-1.1.1g/crypto/dh/dh_pmeth.c.s390x-ecc openssl-1.1.1g/crypto/dh/dh_pmeth.c
+--- openssl-1.1.1g/crypto/dh/dh_pmeth.c.s390x-ecc 2020-05-18 12:45:40.782233627 +0200
++++ openssl-1.1.1g/crypto/dh/dh_pmeth.c 2020-05-18 12:45:42.661249957 +0200
@@ -512,6 +512,11 @@ const EVP_PKEY_METHOD dh_pkey_meth = {
pkey_dh_ctrl_str
};
@@ -70,10 +58,10 @@ diff -up openssl-1.1.1c/crypto/dh/dh_pmeth.c.s390x-ecc openssl-1.1.1c/crypto/dh/
+{
+ return &dhx_pkey_meth;
+}
-diff -up openssl-1.1.1c/crypto/dsa/dsa_pmeth.c.s390x-ecc openssl-1.1.1c/crypto/dsa/dsa_pmeth.c
---- openssl-1.1.1c/crypto/dsa/dsa_pmeth.c.s390x-ecc 2019-11-20 11:36:02.100862029 +0100
-+++ openssl-1.1.1c/crypto/dsa/dsa_pmeth.c 2019-11-20 11:36:02.191860433 +0100
-@@ -275,3 +275,8 @@ const EVP_PKEY_METHOD dsa_pkey_meth = {
+diff -up openssl-1.1.1g/crypto/dsa/dsa_pmeth.c.s390x-ecc openssl-1.1.1g/crypto/dsa/dsa_pmeth.c
+--- openssl-1.1.1g/crypto/dsa/dsa_pmeth.c.s390x-ecc 2020-05-18 12:45:40.783233636 +0200
++++ openssl-1.1.1g/crypto/dsa/dsa_pmeth.c 2020-05-18 12:45:42.662249966 +0200
+@@ -271,3 +271,8 @@ const EVP_PKEY_METHOD dsa_pkey_meth = {
pkey_dsa_ctrl,
pkey_dsa_ctrl_str
};
@@ -82,9 +70,9 @@ diff -up openssl-1.1.1c/crypto/dsa/dsa_pmeth.c.s390x-ecc openssl-1.1.1c/crypto/d
+{
+ return &dsa_pkey_meth;
+}
-diff -up openssl-1.1.1c/crypto/ec/build.info.s390x-ecc openssl-1.1.1c/crypto/ec/build.info
---- openssl-1.1.1c/crypto/ec/build.info.s390x-ecc 2019-05-28 15:12:21.000000000 +0200
-+++ openssl-1.1.1c/crypto/ec/build.info 2019-11-20 11:36:02.192860416 +0100
+diff -up openssl-1.1.1g/crypto/ec/build.info.s390x-ecc openssl-1.1.1g/crypto/ec/build.info
+--- openssl-1.1.1g/crypto/ec/build.info.s390x-ecc 2020-04-21 14:22:39.000000000 +0200
++++ openssl-1.1.1g/crypto/ec/build.info 2020-05-18 12:45:42.662249966 +0200
@@ -26,6 +26,9 @@ GENERATE[ecp_nistz256-armv8.S]=asm/ecp_n
INCLUDE[ecp_nistz256-armv8.o]=..
GENERATE[ecp_nistz256-ppc64.s]=asm/ecp_nistz256-ppc64.pl $(PERLASM_SCHEME)
@@ -95,9 +83,9 @@ diff -up openssl-1.1.1c/crypto/ec/build.info.s390x-ecc openssl-1.1.1c/crypto/ec/
GENERATE[x25519-x86_64.s]=asm/x25519-x86_64.pl $(PERLASM_SCHEME)
GENERATE[x25519-ppc64.s]=asm/x25519-ppc64.pl $(PERLASM_SCHEME)
-diff -up openssl-1.1.1c/crypto/ec/ec_curve.c.s390x-ecc openssl-1.1.1c/crypto/ec/ec_curve.c
---- openssl-1.1.1c/crypto/ec/ec_curve.c.s390x-ecc 2019-11-20 11:36:02.043863029 +0100
-+++ openssl-1.1.1c/crypto/ec/ec_curve.c 2019-11-20 11:36:02.192860416 +0100
+diff -up openssl-1.1.1g/crypto/ec/ec_curve.c.s390x-ecc openssl-1.1.1g/crypto/ec/ec_curve.c
+--- openssl-1.1.1g/crypto/ec/ec_curve.c.s390x-ecc 2020-05-18 12:45:40.753233375 +0200
++++ openssl-1.1.1g/crypto/ec/ec_curve.c 2020-05-18 12:45:42.663249975 +0200
@@ -255,20 +255,29 @@ static const ec_list_element curve_list[
{NID_secp256k1, &_EC_SECG_PRIME_256K1.h, 0,
"SECG curve over a 256 bit prime field"},
@@ -136,9 +124,9 @@ diff -up openssl-1.1.1c/crypto/ec/ec_curve.c.s390x-ecc openssl-1.1.1c/crypto/ec/
EC_GFp_nistp256_method,
#else
0,
-diff -up openssl-1.1.1c/crypto/ec/ecdsa_ossl.c.s390x-ecc openssl-1.1.1c/crypto/ec/ecdsa_ossl.c
---- openssl-1.1.1c/crypto/ec/ecdsa_ossl.c.s390x-ecc 2019-11-20 11:36:02.100862029 +0100
-+++ openssl-1.1.1c/crypto/ec/ecdsa_ossl.c 2019-11-20 11:36:02.192860416 +0100
+diff -up openssl-1.1.1g/crypto/ec/ecdsa_ossl.c.s390x-ecc openssl-1.1.1g/crypto/ec/ecdsa_ossl.c
+--- openssl-1.1.1g/crypto/ec/ecdsa_ossl.c.s390x-ecc 2020-05-18 12:45:40.784233644 +0200
++++ openssl-1.1.1g/crypto/ec/ecdsa_ossl.c 2020-05-18 12:45:42.664249983 +0200
@@ -18,6 +18,41 @@
# include <openssl/fips.h>
#endif
@@ -181,7 +169,7 @@ diff -up openssl-1.1.1c/crypto/ec/ecdsa_ossl.c.s390x-ecc openssl-1.1.1c/crypto/e
int ossl_ecdsa_sign(int type, const unsigned char *dgst, int dlen,
unsigned char *sig, unsigned int *siglen,
const BIGNUM *kinv, const BIGNUM *r, EC_KEY *eckey)
-@@ -145,15 +180,15 @@ static int ecdsa_sign_setup(EC_KEY *ecke
+@@ -149,15 +184,15 @@ static int ecdsa_sign_setup(EC_KEY *ecke
return ret;
}
@@ -202,7 +190,7 @@ diff -up openssl-1.1.1c/crypto/ec/ecdsa_ossl.c.s390x-ecc openssl-1.1.1c/crypto/e
{
int ok = 0, i;
BIGNUM *kinv = NULL, *s, *m = NULL;
-@@ -210,25 +245,25 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const uns
+@@ -218,25 +253,25 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const uns
if (8 * dgst_len > i)
dgst_len = (i + 7) / 8;
if (!BN_bin2bn(dgst, dgst_len, m)) {
@@ -232,7 +220,7 @@ diff -up openssl-1.1.1c/crypto/ec/ecdsa_ossl.c.s390x-ecc openssl-1.1.1c/crypto/e
goto err;
}
}
-@@ -242,11 +277,11 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const uns
+@@ -250,11 +285,11 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const uns
*/
if (!bn_to_mont_fixed_top(s, ret->r, group->mont_data, ctx)
|| !bn_mul_mont_fixed_top(s, s, priv_key, group->mont_data, ctx)) {
@@ -246,7 +234,7 @@ diff -up openssl-1.1.1c/crypto/ec/ecdsa_ossl.c.s390x-ecc openssl-1.1.1c/crypto/e
goto err;
}
/*
-@@ -255,7 +290,7 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const uns
+@@ -263,7 +298,7 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const uns
*/
if (!bn_to_mont_fixed_top(s, s, group->mont_data, ctx)
|| !BN_mod_mul_montgomery(s, s, ckinv, group->mont_data, ctx)) {
@@ -255,7 +243,7 @@ diff -up openssl-1.1.1c/crypto/ec/ecdsa_ossl.c.s390x-ecc openssl-1.1.1c/crypto/e
goto err;
}
-@@ -265,7 +300,7 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const uns
+@@ -273,7 +308,7 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const uns
* generate new kinv and r values
*/
if (in_kinv != NULL && in_r != NULL) {
@@ -264,7 +252,7 @@ diff -up openssl-1.1.1c/crypto/ec/ecdsa_ossl.c.s390x-ecc openssl-1.1.1c/crypto/e
goto err;
}
} else {
-@@ -317,8 +352,8 @@ int ossl_ecdsa_verify(int type, const un
+@@ -325,8 +360,8 @@ int ossl_ecdsa_verify(int type, const un
return ret;
}
@@ -275,7 +263,7 @@ diff -up openssl-1.1.1c/crypto/ec/ecdsa_ossl.c.s390x-ecc openssl-1.1.1c/crypto/e
{
int ret = -1, i;
BN_CTX *ctx;
-@@ -338,18 +373,18 @@ int ossl_ecdsa_verify_sig(const unsigned
+@@ -346,18 +381,18 @@ int ossl_ecdsa_verify_sig(const unsigned
/* check input values */
if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL ||
(pub_key = EC_KEY_get0_public_key(eckey)) == NULL || sig == NULL) {
@@ -297,7 +285,7 @@ diff -up openssl-1.1.1c/crypto/ec/ecdsa_ossl.c.s390x-ecc openssl-1.1.1c/crypto/e
return -1;
}
BN_CTX_start(ctx);
-@@ -358,26 +393,26 @@ int ossl_ecdsa_verify_sig(const unsigned
+@@ -366,26 +401,26 @@ int ossl_ecdsa_verify_sig(const unsigned
m = BN_CTX_get(ctx);
X = BN_CTX_get(ctx);
if (X == NULL) {
@@ -328,7 +316,7 @@ diff -up openssl-1.1.1c/crypto/ec/ecdsa_ossl.c.s390x-ecc openssl-1.1.1c/crypto/e
goto err;
}
/* digest -> m */
-@@ -388,41 +423,41 @@ int ossl_ecdsa_verify_sig(const unsigned
+@@ -396,41 +431,41 @@ int ossl_ecdsa_verify_sig(const unsigned
if (8 * dgst_len > i)
dgst_len = (i + 7) / 8;
if (!BN_bin2bn(dgst, dgst_len, m)) {
@@ -378,9 +366,9 @@ diff -up openssl-1.1.1c/crypto/ec/ecdsa_ossl.c.s390x-ecc openssl-1.1.1c/crypto/e
goto err;
}
/* if the signature is correct u1 is equal to sig->r */
-diff -up openssl-1.1.1c/crypto/ec/ec_err.c.s390x-ecc openssl-1.1.1c/crypto/ec/ec_err.c
---- openssl-1.1.1c/crypto/ec/ec_err.c.s390x-ecc 2019-05-28 15:12:21.000000000 +0200
-+++ openssl-1.1.1c/crypto/ec/ec_err.c 2019-11-20 11:36:02.192860416 +0100
+diff -up openssl-1.1.1g/crypto/ec/ec_err.c.s390x-ecc openssl-1.1.1g/crypto/ec/ec_err.c
+--- openssl-1.1.1g/crypto/ec/ec_err.c.s390x-ecc 2020-04-21 14:22:39.000000000 +0200
++++ openssl-1.1.1g/crypto/ec/ec_err.c 2020-05-18 12:45:42.664249983 +0200
@@ -31,6 +31,11 @@ static const ERR_STRING_DATA EC_str_func
{ERR_PACK(ERR_LIB_EC, EC_F_ECDSA_SIGN_SETUP, 0), "ECDSA_sign_setup"},
{ERR_PACK(ERR_LIB_EC, EC_F_ECDSA_SIG_NEW, 0), "ECDSA_SIG_new"},
@@ -423,18 +411,9 @@ diff -up openssl-1.1.1c/crypto/ec/ec_err.c.s390x-ecc openssl-1.1.1c/crypto/ec/ec
{ERR_PACK(ERR_LIB_EC, 0, EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING),
"curve does not support signing"},
{ERR_PACK(ERR_LIB_EC, 0, EC_R_D2I_ECPKPARAMETERS_FAILURE),
-diff -up openssl-1.1.1c/crypto/ec/ec_lcl.h.s390x-ecc openssl-1.1.1c/crypto/ec/ec_lcl.h
---- openssl-1.1.1c/crypto/ec/ec_lcl.h.s390x-ecc 2019-11-20 11:36:01.676869466 +0100
-+++ openssl-1.1.1c/crypto/ec/ec_lcl.h 2019-11-20 11:36:02.192860416 +0100
-@@ -154,7 +154,7 @@ struct ec_method_st {
- int (*field_div) (const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
- const BIGNUM *b, BN_CTX *);
- /*-
-- * 'field_inv' computes the multipicative inverse of a in the field,
-+ * 'field_inv' computes the multiplicative inverse of a in the field,
- * storing the result in r.
- *
- * If 'a' is zero (or equivalent), you'll get an EC_R_CANNOT_INVERT error.
+diff -up openssl-1.1.1g/crypto/ec/ec_local.h.s390x-ecc openssl-1.1.1g/crypto/ec/ec_local.h
+--- openssl-1.1.1g/crypto/ec/ec_local.h.s390x-ecc 2020-05-18 12:45:40.554231646 +0200
++++ openssl-1.1.1g/crypto/ec/ec_local.h 2020-05-18 12:45:44.564266496 +0200
@@ -179,6 +179,14 @@ struct ec_method_st {
/* custom ECDH operation */
int (*ecdh_compute_key)(unsigned char **pout, size_t *poutlen,
@@ -462,7 +441,7 @@ diff -up openssl-1.1.1c/crypto/ec/ec_lcl.h.s390x-ecc openssl-1.1.1c/crypto/ec/ec
size_t ec_key_simple_priv2oct(const EC_KEY *eckey,
unsigned char *buf, size_t len);
-@@ -649,6 +662,13 @@ int ossl_ecdsa_verify(int type, const un
+@@ -651,6 +664,13 @@ int ossl_ecdsa_verify(int type, const un
const unsigned char *sigbuf, int sig_len, EC_KEY *eckey);
int ossl_ecdsa_verify_sig(const unsigned char *dgst, int dgst_len,
const ECDSA_SIG *sig, EC_KEY *eckey);
@@ -476,9 +455,9 @@ diff -up openssl-1.1.1c/crypto/ec/ec_lcl.h.s390x-ecc openssl-1.1.1c/crypto/ec/ec
int ED25519_sign(uint8_t *out_sig, const uint8_t *message, size_t message_len,
const uint8_t public_key[32], const uint8_t private_key[32]);
-diff -up openssl-1.1.1c/crypto/ec/ec_pmeth.c.s390x-ecc openssl-1.1.1c/crypto/ec/ec_pmeth.c
---- openssl-1.1.1c/crypto/ec/ec_pmeth.c.s390x-ecc 2019-11-20 11:36:02.101862012 +0100
-+++ openssl-1.1.1c/crypto/ec/ec_pmeth.c 2019-11-20 11:36:02.193860398 +0100
+diff -up openssl-1.1.1g/crypto/ec/ec_pmeth.c.s390x-ecc openssl-1.1.1g/crypto/ec/ec_pmeth.c
+--- openssl-1.1.1g/crypto/ec/ec_pmeth.c.s390x-ecc 2020-05-18 12:45:40.784233644 +0200
++++ openssl-1.1.1g/crypto/ec/ec_pmeth.c 2020-05-18 12:45:44.565266505 +0200
@@ -474,3 +474,8 @@ const EVP_PKEY_METHOD ec_pkey_meth = {
pkey_ec_ctrl,
pkey_ec_ctrl_str
@@ -488,9 +467,9 @@ diff -up openssl-1.1.1c/crypto/ec/ec_pmeth.c.s390x-ecc openssl-1.1.1c/crypto/ec/
+{
+ return &ec_pkey_meth;
+}
-diff -up openssl-1.1.1c/crypto/ec/ecp_mont.c.s390x-ecc openssl-1.1.1c/crypto/ec/ecp_mont.c
---- openssl-1.1.1c/crypto/ec/ecp_mont.c.s390x-ecc 2019-05-28 15:12:21.000000000 +0200
-+++ openssl-1.1.1c/crypto/ec/ecp_mont.c 2019-11-20 11:36:02.193860398 +0100
+diff -up openssl-1.1.1g/crypto/ec/ecp_mont.c.s390x-ecc openssl-1.1.1g/crypto/ec/ecp_mont.c
+--- openssl-1.1.1g/crypto/ec/ecp_mont.c.s390x-ecc 2020-04-21 14:22:39.000000000 +0200
++++ openssl-1.1.1g/crypto/ec/ecp_mont.c 2020-05-18 12:45:44.567266523 +0200
@@ -63,6 +63,9 @@ const EC_METHOD *EC_GFp_mont_method(void
0, /* keycopy */
0, /* keyfinish */
@@ -501,9 +480,9 @@ diff -up openssl-1.1.1c/crypto/ec/ecp_mont.c.s390x-ecc openssl-1.1.1c/crypto/ec/
0, /* field_inverse_mod_ord */
ec_GFp_simple_blind_coordinates,
ec_GFp_simple_ladder_pre,
-diff -up openssl-1.1.1c/crypto/ec/ecp_nist.c.s390x-ecc openssl-1.1.1c/crypto/ec/ecp_nist.c
---- openssl-1.1.1c/crypto/ec/ecp_nist.c.s390x-ecc 2019-05-28 15:12:21.000000000 +0200
-+++ openssl-1.1.1c/crypto/ec/ecp_nist.c 2019-11-20 11:36:02.193860398 +0100
+diff -up openssl-1.1.1g/crypto/ec/ecp_nist.c.s390x-ecc openssl-1.1.1g/crypto/ec/ecp_nist.c
+--- openssl-1.1.1g/crypto/ec/ecp_nist.c.s390x-ecc 2020-04-21 14:22:39.000000000 +0200
++++ openssl-1.1.1g/crypto/ec/ecp_nist.c 2020-05-18 12:45:44.567266523 +0200
@@ -65,6 +65,9 @@ const EC_METHOD *EC_GFp_nist_method(void
0, /* keycopy */
0, /* keyfinish */
@@ -514,9 +493,9 @@ diff -up openssl-1.1.1c/crypto/ec/ecp_nist.c.s390x-ecc openssl-1.1.1c/crypto/ec/
0, /* field_inverse_mod_ord */
ec_GFp_simple_blind_coordinates,
ec_GFp_simple_ladder_pre,
-diff -up openssl-1.1.1c/crypto/ec/ecp_nistp224.c.s390x-ecc openssl-1.1.1c/crypto/ec/ecp_nistp224.c
---- openssl-1.1.1c/crypto/ec/ecp_nistp224.c.s390x-ecc 2019-05-28 15:12:21.000000000 +0200
-+++ openssl-1.1.1c/crypto/ec/ecp_nistp224.c 2019-11-20 11:36:02.193860398 +0100
+diff -up openssl-1.1.1g/crypto/ec/ecp_nistp224.c.s390x-ecc openssl-1.1.1g/crypto/ec/ecp_nistp224.c
+--- openssl-1.1.1g/crypto/ec/ecp_nistp224.c.s390x-ecc 2020-04-21 14:22:39.000000000 +0200
++++ openssl-1.1.1g/crypto/ec/ecp_nistp224.c 2020-05-18 12:45:44.568266531 +0200
@@ -292,6 +292,9 @@ const EC_METHOD *EC_GFp_nistp224_method(
0, /* keycopy */
0, /* keyfinish */
@@ -527,10 +506,10 @@ diff -up openssl-1.1.1c/crypto/ec/ecp_nistp224.c.s390x-ecc openssl-1.1.1c/crypto
0, /* field_inverse_mod_ord */
0, /* blind_coordinates */
0, /* ladder_pre */
-diff -up openssl-1.1.1c/crypto/ec/ecp_nistp256.c.s390x-ecc openssl-1.1.1c/crypto/ec/ecp_nistp256.c
---- openssl-1.1.1c/crypto/ec/ecp_nistp256.c.s390x-ecc 2019-05-28 15:12:21.000000000 +0200
-+++ openssl-1.1.1c/crypto/ec/ecp_nistp256.c 2019-11-20 11:36:02.194860380 +0100
-@@ -1823,6 +1823,9 @@ const EC_METHOD *EC_GFp_nistp256_method(
+diff -up openssl-1.1.1g/crypto/ec/ecp_nistp256.c.s390x-ecc openssl-1.1.1g/crypto/ec/ecp_nistp256.c
+--- openssl-1.1.1g/crypto/ec/ecp_nistp256.c.s390x-ecc 2020-04-21 14:22:39.000000000 +0200
++++ openssl-1.1.1g/crypto/ec/ecp_nistp256.c 2020-05-18 12:45:44.568266531 +0200
+@@ -1829,6 +1829,9 @@ const EC_METHOD *EC_GFp_nistp256_method(
0, /* keycopy */
0, /* keyfinish */
ecdh_simple_compute_key,
@@ -540,10 +519,10 @@ diff -up openssl-1.1.1c/crypto/ec/ecp_nistp256.c.s390x-ecc openssl-1.1.1c/crypto
0, /* field_inverse_mod_ord */
0, /* blind_coordinates */
0, /* ladder_pre */
-diff -up openssl-1.1.1c/crypto/ec/ecp_nistp521.c.s390x-ecc openssl-1.1.1c/crypto/ec/ecp_nistp521.c
---- openssl-1.1.1c/crypto/ec/ecp_nistp521.c.s390x-ecc 2019-05-28 15:12:21.000000000 +0200
-+++ openssl-1.1.1c/crypto/ec/ecp_nistp521.c 2019-11-20 11:36:02.194860380 +0100
-@@ -1665,6 +1665,9 @@ const EC_METHOD *EC_GFp_nistp521_method(
+diff -up openssl-1.1.1g/crypto/ec/ecp_nistp521.c.s390x-ecc openssl-1.1.1g/crypto/ec/ecp_nistp521.c
+--- openssl-1.1.1g/crypto/ec/ecp_nistp521.c.s390x-ecc 2020-04-21 14:22:39.000000000 +0200
++++ openssl-1.1.1g/crypto/ec/ecp_nistp521.c 2020-05-18 12:45:44.569266540 +0200
+@@ -1669,6 +1669,9 @@ const EC_METHOD *EC_GFp_nistp521_method(
0, /* keycopy */
0, /* keyfinish */
ecdh_simple_compute_key,
@@ -553,10 +532,10 @@ diff -up openssl-1.1.1c/crypto/ec/ecp_nistp521.c.s390x-ecc openssl-1.1.1c/crypto
0, /* field_inverse_mod_ord */
0, /* blind_coordinates */
0, /* ladder_pre */
-diff -up openssl-1.1.1c/crypto/ec/ecp_nistz256.c.s390x-ecc openssl-1.1.1c/crypto/ec/ecp_nistz256.c
---- openssl-1.1.1c/crypto/ec/ecp_nistz256.c.s390x-ecc 2019-05-28 15:12:21.000000000 +0200
-+++ openssl-1.1.1c/crypto/ec/ecp_nistz256.c 2019-11-20 11:36:02.195860363 +0100
-@@ -1689,6 +1689,9 @@ const EC_METHOD *EC_GFp_nistz256_method(
+diff -up openssl-1.1.1g/crypto/ec/ecp_nistz256.c.s390x-ecc openssl-1.1.1g/crypto/ec/ecp_nistz256.c
+--- openssl-1.1.1g/crypto/ec/ecp_nistz256.c.s390x-ecc 2020-04-21 14:22:39.000000000 +0200
++++ openssl-1.1.1g/crypto/ec/ecp_nistz256.c 2020-05-18 12:45:44.570266549 +0200
+@@ -1720,6 +1720,9 @@ const EC_METHOD *EC_GFp_nistz256_method(
0, /* keycopy */
0, /* keyfinish */
ecdh_simple_compute_key,
@@ -566,9 +545,9 @@ diff -up openssl-1.1.1c/crypto/ec/ecp_nistz256.c.s390x-ecc openssl-1.1.1c/crypto
ecp_nistz256_inv_mod_ord, /* can be #define-d NULL */
0, /* blind_coordinates */
0, /* ladder_pre */
-diff -up openssl-1.1.1c/crypto/ec/ecp_s390x_nistp.c.s390x-ecc openssl-1.1.1c/crypto/ec/ecp_s390x_nistp.c
---- openssl-1.1.1c/crypto/ec/ecp_s390x_nistp.c.s390x-ecc 2019-11-20 11:36:02.195860363 +0100
-+++ openssl-1.1.1c/crypto/ec/ecp_s390x_nistp.c 2019-11-20 11:36:02.195860363 +0100
+diff -up openssl-1.1.1g/crypto/ec/ecp_s390x_nistp.c.s390x-ecc openssl-1.1.1g/crypto/ec/ecp_s390x_nistp.c
+--- openssl-1.1.1g/crypto/ec/ecp_s390x_nistp.c.s390x-ecc 2020-05-18 12:45:44.571266557 +0200
++++ openssl-1.1.1g/crypto/ec/ecp_s390x_nistp.c 2020-05-18 12:45:44.571266557 +0200
@@ -0,0 +1,394 @@
+/*
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
@@ -583,7 +562,7 @@ diff -up openssl-1.1.1c/crypto/ec/ecp_s390x_nistp.c.s390x-ecc openssl-1.1.1c/cry
+#include <string.h>
+#include <openssl/err.h>
+#include <openssl/rand.h>
-+#include "ec_lcl.h"
++#include "ec_local.h"
+#include "s390x_arch.h"
+
+/* Size of parameter blocks */
@@ -964,9 +943,9 @@ diff -up openssl-1.1.1c/crypto/ec/ecp_s390x_nistp.c.s390x-ecc openssl-1.1.1c/cry
+EC_GFP_S390X_NISTP_METHOD(256)
+EC_GFP_S390X_NISTP_METHOD(384)
+EC_GFP_S390X_NISTP_METHOD(521)
-diff -up openssl-1.1.1c/crypto/ec/ecp_smpl.c.s390x-ecc openssl-1.1.1c/crypto/ec/ecp_smpl.c
---- openssl-1.1.1c/crypto/ec/ecp_smpl.c.s390x-ecc 2019-11-20 11:36:02.066862626 +0100
-+++ openssl-1.1.1c/crypto/ec/ecp_smpl.c 2019-11-20 11:36:02.195860363 +0100
+diff -up openssl-1.1.1g/crypto/ec/ecp_smpl.c.s390x-ecc openssl-1.1.1g/crypto/ec/ecp_smpl.c
+--- openssl-1.1.1g/crypto/ec/ecp_smpl.c.s390x-ecc 2020-05-18 12:45:40.769233514 +0200
++++ openssl-1.1.1g/crypto/ec/ecp_smpl.c 2020-05-18 12:45:44.572266566 +0200
@@ -64,6 +64,9 @@ const EC_METHOD *EC_GFp_simple_method(vo
0, /* keycopy */
0, /* keyfinish */
@@ -977,9 +956,9 @@ diff -up openssl-1.1.1c/crypto/ec/ecp_smpl.c.s390x-ecc openssl-1.1.1c/crypto/ec/
0, /* field_inverse_mod_ord */
ec_GFp_simple_blind_coordinates,
ec_GFp_simple_ladder_pre,
-diff -up openssl-1.1.1c/crypto/ec/ecx_meth.c.s390x-ecc openssl-1.1.1c/crypto/ec/ecx_meth.c
---- openssl-1.1.1c/crypto/ec/ecx_meth.c.s390x-ecc 2019-05-28 15:12:21.000000000 +0200
-+++ openssl-1.1.1c/crypto/ec/ecx_meth.c 2019-11-20 11:36:02.196860345 +0100
+diff -up openssl-1.1.1g/crypto/ec/ecx_meth.c.s390x-ecc openssl-1.1.1g/crypto/ec/ecx_meth.c
+--- openssl-1.1.1g/crypto/ec/ecx_meth.c.s390x-ecc 2020-04-21 14:22:39.000000000 +0200
++++ openssl-1.1.1g/crypto/ec/ecx_meth.c 2020-05-18 12:45:44.573266575 +0200
@@ -20,6 +20,7 @@
#define X25519_BITS 253
#define X25519_SECURITY_BITS 128
@@ -995,7 +974,7 @@ diff -up openssl-1.1.1c/crypto/ec/ecx_meth.c.s390x-ecc openssl-1.1.1c/crypto/ec/
+
+#ifdef S390X_EC_ASM
+# include "s390x_arch.h"
-+# include "internal/constant_time_locl.h"
++# include "internal/constant_time.h"
+
+static void s390x_x25519_mod_p(unsigned char u[32])
+{
@@ -1655,10 +1634,10 @@ diff -up openssl-1.1.1c/crypto/ec/ecx_meth.c.s390x-ecc openssl-1.1.1c/crypto/ec/
+#endif
+ return &ed448_pkey_meth;
+}
-diff -up openssl-1.1.1c/crypto/err/openssl.txt.s390x-ecc openssl-1.1.1c/crypto/err/openssl.txt
---- openssl-1.1.1c/crypto/err/openssl.txt.s390x-ecc 2019-11-20 11:36:02.158861012 +0100
-+++ openssl-1.1.1c/crypto/err/openssl.txt 2019-11-20 11:36:02.196860345 +0100
-@@ -495,6 +495,11 @@ EC_F_ECDSA_SIGN_EX:254:ECDSA_sign_ex
+diff -up openssl-1.1.1g/crypto/err/openssl.txt.s390x-ecc openssl-1.1.1g/crypto/err/openssl.txt
+--- openssl-1.1.1g/crypto/err/openssl.txt.s390x-ecc 2020-05-18 12:45:40.834234079 +0200
++++ openssl-1.1.1g/crypto/err/openssl.txt 2020-05-18 12:45:44.575266592 +0200
+@@ -496,6 +496,11 @@ EC_F_ECDSA_SIGN_EX:254:ECDSA_sign_ex
EC_F_ECDSA_SIGN_SETUP:248:ECDSA_sign_setup
EC_F_ECDSA_SIG_NEW:265:ECDSA_SIG_new
EC_F_ECDSA_VERIFY:253:ECDSA_verify
@@ -1670,7 +1649,7 @@ diff -up openssl-1.1.1c/crypto/err/openssl.txt.s390x-ecc openssl-1.1.1c/crypto/e
EC_F_ECD_ITEM_VERIFY:270:ecd_item_verify
EC_F_ECKEY_PARAM2TYPE:223:eckey_param2type
EC_F_ECKEY_PARAM_DECODE:212:eckey_param_decode
-@@ -656,6 +661,7 @@ EC_F_NISTP521_PRE_COMP_NEW:237:nistp521_
+@@ -657,6 +662,7 @@ EC_F_NISTP521_PRE_COMP_NEW:237:nistp521_
EC_F_O2I_ECPUBLICKEY:152:o2i_ECPublicKey
EC_F_OLD_EC_PRIV_DECODE:222:old_ec_priv_decode
EC_F_OSSL_ECDH_COMPUTE_KEY:247:ossl_ecdh_compute_key
@@ -1678,7 +1657,7 @@ diff -up openssl-1.1.1c/crypto/err/openssl.txt.s390x-ecc openssl-1.1.1c/crypto/e
EC_F_OSSL_ECDSA_SIGN_SIG:249:ossl_ecdsa_sign_sig
EC_F_OSSL_ECDSA_VERIFY_SIG:250:ossl_ecdsa_verify_sig
EC_F_PKEY_ECD_CTRL:271:pkey_ecd_ctrl
-@@ -671,6 +677,12 @@ EC_F_PKEY_EC_KDF_DERIVE:283:pkey_ec_kdf_
+@@ -672,6 +678,12 @@ EC_F_PKEY_EC_KDF_DERIVE:283:pkey_ec_kdf_
EC_F_PKEY_EC_KEYGEN:199:pkey_ec_keygen
EC_F_PKEY_EC_PARAMGEN:219:pkey_ec_paramgen
EC_F_PKEY_EC_SIGN:218:pkey_ec_sign
@@ -1691,7 +1670,7 @@ diff -up openssl-1.1.1c/crypto/err/openssl.txt.s390x-ecc openssl-1.1.1c/crypto/e
EC_F_VALIDATE_ECX_DERIVE:278:validate_ecx_derive
ENGINE_F_DIGEST_UPDATE:198:digest_update
ENGINE_F_DYNAMIC_CTRL:180:dynamic_ctrl
-@@ -2149,6 +2161,7 @@ EC_R_BUFFER_TOO_SMALL:100:buffer too sma
+@@ -2160,6 +2172,7 @@ EC_R_BUFFER_TOO_SMALL:100:buffer too sma
EC_R_CANNOT_INVERT:165:cannot invert
EC_R_COORDINATES_OUT_OF_RANGE:146:coordinates out of range
EC_R_CURVE_DOES_NOT_SUPPORT_ECDH:160:curve does not support ecdh
@@ -1699,11 +1678,11 @@ diff -up openssl-1.1.1c/crypto/err/openssl.txt.s390x-ecc openssl-1.1.1c/crypto/e
EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING:159:curve does not support signing
EC_R_D2I_ECPKPARAMETERS_FAILURE:117:d2i ecpkparameters failure
EC_R_DECODE_ERROR:142:decode error
-diff -up openssl-1.1.1c/crypto/evp/pmeth_lib.c.s390x-ecc openssl-1.1.1c/crypto/evp/pmeth_lib.c
---- openssl-1.1.1c/crypto/evp/pmeth_lib.c.s390x-ecc 2019-11-20 11:36:02.105861942 +0100
-+++ openssl-1.1.1c/crypto/evp/pmeth_lib.c 2019-11-20 11:36:02.197860328 +0100
+diff -up openssl-1.1.1g/crypto/evp/pmeth_lib.c.s390x-ecc openssl-1.1.1g/crypto/evp/pmeth_lib.c
+--- openssl-1.1.1g/crypto/evp/pmeth_lib.c.s390x-ecc 2020-05-18 12:45:40.787233671 +0200
++++ openssl-1.1.1g/crypto/evp/pmeth_lib.c 2020-05-18 12:45:44.576266601 +0200
@@ -17,60 +17,67 @@
- #include "internal/evp_int.h"
+ #include "crypto/evp.h"
#include "internal/numbers.h"
+typedef const EVP_PKEY_METHOD *(*pmeth_fn)(void);
@@ -1833,9 +1812,9 @@ diff -up openssl-1.1.1c/crypto/evp/pmeth_lib.c.s390x-ecc openssl-1.1.1c/crypto/e
if (app_pkey_methods == NULL)
return NULL;
idx -= OSSL_NELEM(standard_methods);
-diff -up openssl-1.1.1c/crypto/hmac/hm_pmeth.c.s390x-ecc openssl-1.1.1c/crypto/hmac/hm_pmeth.c
---- openssl-1.1.1c/crypto/hmac/hm_pmeth.c.s390x-ecc 2019-11-20 11:36:02.115861766 +0100
-+++ openssl-1.1.1c/crypto/hmac/hm_pmeth.c 2019-11-20 11:36:02.197860328 +0100
+diff -up openssl-1.1.1g/crypto/hmac/hm_pmeth.c.s390x-ecc openssl-1.1.1g/crypto/hmac/hm_pmeth.c
+--- openssl-1.1.1g/crypto/hmac/hm_pmeth.c.s390x-ecc 2020-05-18 12:45:40.796233749 +0200
++++ openssl-1.1.1g/crypto/hmac/hm_pmeth.c 2020-05-18 12:45:44.576266601 +0200
@@ -210,3 +210,8 @@ const EVP_PKEY_METHOD hmac_pkey_meth = {
pkey_hmac_ctrl,
pkey_hmac_ctrl_str
@@ -1845,35 +1824,9 @@ diff -up openssl-1.1.1c/crypto/hmac/hm_pmeth.c.s390x-ecc openssl-1.1.1c/crypto/h
+{
+ return &hmac_pkey_meth;
+}
-diff -up openssl-1.1.1c/crypto/include/internal/evp_int.h.s390x-ecc openssl-1.1.1c/crypto/include/internal/evp_int.h
---- openssl-1.1.1c/crypto/include/internal/evp_int.h.s390x-ecc 2019-11-20 11:36:02.158861012 +0100
-+++ openssl-1.1.1c/crypto/include/internal/evp_int.h 2019-11-20 11:36:02.197860328 +0100
-@@ -459,3 +459,22 @@ void evp_encode_ctx_set_flags(EVP_ENCODE
- #define EVP_ENCODE_CTX_NO_NEWLINES 1
- /* Use the SRP base64 alphabet instead of the standard one */
- #define EVP_ENCODE_CTX_USE_SRP_ALPHABET 2
-+
-+const EVP_PKEY_METHOD *cmac_pkey_method(void);
-+const EVP_PKEY_METHOD *dh_pkey_method(void);
-+const EVP_PKEY_METHOD *dhx_pkey_method(void);
-+const EVP_PKEY_METHOD *dsa_pkey_method(void);
-+const EVP_PKEY_METHOD *ec_pkey_method(void);
-+const EVP_PKEY_METHOD *sm2_pkey_method(void);
-+const EVP_PKEY_METHOD *ecx25519_pkey_method(void);
-+const EVP_PKEY_METHOD *ecx448_pkey_method(void);
-+const EVP_PKEY_METHOD *ed25519_pkey_method(void);
-+const EVP_PKEY_METHOD *ed448_pkey_method(void);
-+const EVP_PKEY_METHOD *hmac_pkey_method(void);
-+const EVP_PKEY_METHOD *rsa_pkey_method(void);
-+const EVP_PKEY_METHOD *rsa_pss_pkey_method(void);
-+const EVP_PKEY_METHOD *scrypt_pkey_method(void);
-+const EVP_PKEY_METHOD *tls1_prf_pkey_method(void);
-+const EVP_PKEY_METHOD *hkdf_pkey_method(void);
-+const EVP_PKEY_METHOD *poly1305_pkey_method(void);
-+const EVP_PKEY_METHOD *siphash_pkey_method(void);
-diff -up openssl-1.1.1c/crypto/kdf/hkdf.c.s390x-ecc openssl-1.1.1c/crypto/kdf/hkdf.c
---- openssl-1.1.1c/crypto/kdf/hkdf.c.s390x-ecc 2019-11-20 11:36:02.148861187 +0100
-+++ openssl-1.1.1c/crypto/kdf/hkdf.c 2019-11-20 11:36:02.198860310 +0100
+diff -up openssl-1.1.1g/crypto/kdf/hkdf.c.s390x-ecc openssl-1.1.1g/crypto/kdf/hkdf.c
+--- openssl-1.1.1g/crypto/kdf/hkdf.c.s390x-ecc 2020-05-18 12:45:40.826234009 +0200
++++ openssl-1.1.1g/crypto/kdf/hkdf.c 2020-05-18 12:45:44.577266609 +0200
@@ -233,6 +233,11 @@ const EVP_KDF_METHOD hkdf_kdf_meth = {
kdf_hkdf_derive
};
@@ -1886,10 +1839,10 @@ diff -up openssl-1.1.1c/crypto/kdf/hkdf.c.s390x-ecc openssl-1.1.1c/crypto/kdf/hk
static int HKDF(const EVP_MD *evp_md,
const unsigned char *salt, size_t salt_len,
const unsigned char *key, size_t key_len,
-diff -up openssl-1.1.1c/crypto/kdf/scrypt.c.s390x-ecc openssl-1.1.1c/crypto/kdf/scrypt.c
---- openssl-1.1.1c/crypto/kdf/scrypt.c.s390x-ecc 2019-11-20 11:36:02.149861170 +0100
-+++ openssl-1.1.1c/crypto/kdf/scrypt.c 2019-11-20 11:36:02.198860310 +0100
-@@ -503,4 +503,9 @@ static int scrypt_alg(const char *pass,
+diff -up openssl-1.1.1g/crypto/kdf/scrypt.c.s390x-ecc openssl-1.1.1g/crypto/kdf/scrypt.c
+--- openssl-1.1.1g/crypto/kdf/scrypt.c.s390x-ecc 2020-05-18 12:45:40.827234018 +0200
++++ openssl-1.1.1g/crypto/kdf/scrypt.c 2020-05-18 12:45:44.578266618 +0200
+@@ -504,4 +504,9 @@ static int scrypt_alg(const char *pass,
return rv;
}
@@ -1899,9 +1852,9 @@ diff -up openssl-1.1.1c/crypto/kdf/scrypt.c.s390x-ecc openssl-1.1.1c/crypto/kdf/
+}
+
#endif
-diff -up openssl-1.1.1c/crypto/kdf/tls1_prf.c.s390x-ecc openssl-1.1.1c/crypto/kdf/tls1_prf.c
---- openssl-1.1.1c/crypto/kdf/tls1_prf.c.s390x-ecc 2019-11-20 11:36:02.149861170 +0100
-+++ openssl-1.1.1c/crypto/kdf/tls1_prf.c 2019-11-20 11:36:02.198860310 +0100
+diff -up openssl-1.1.1g/crypto/kdf/tls1_prf.c.s390x-ecc openssl-1.1.1g/crypto/kdf/tls1_prf.c
+--- openssl-1.1.1g/crypto/kdf/tls1_prf.c.s390x-ecc 2020-05-18 12:45:40.828234027 +0200
++++ openssl-1.1.1g/crypto/kdf/tls1_prf.c 2020-05-18 12:45:44.578266618 +0200
@@ -168,6 +168,11 @@ const EVP_KDF_METHOD tls1_prf_kdf_meth =
kdf_tls1_prf_derive
};
@@ -1914,9 +1867,9 @@ diff -up openssl-1.1.1c/crypto/kdf/tls1_prf.c.s390x-ecc openssl-1.1.1c/crypto/kd
static int tls1_prf_P_hash(const EVP_MD *md,
const unsigned char *sec, size_t sec_len,
const unsigned char *seed, size_t seed_len,
-diff -up openssl-1.1.1c/crypto/poly1305/poly1305_pmeth.c.s390x-ecc openssl-1.1.1c/crypto/poly1305/poly1305_pmeth.c
---- openssl-1.1.1c/crypto/poly1305/poly1305_pmeth.c.s390x-ecc 2019-05-28 15:12:21.000000000 +0200
-+++ openssl-1.1.1c/crypto/poly1305/poly1305_pmeth.c 2019-11-20 11:36:02.199860293 +0100
+diff -up openssl-1.1.1g/crypto/poly1305/poly1305_pmeth.c.s390x-ecc openssl-1.1.1g/crypto/poly1305/poly1305_pmeth.c
+--- openssl-1.1.1g/crypto/poly1305/poly1305_pmeth.c.s390x-ecc 2020-04-21 14:22:39.000000000 +0200
++++ openssl-1.1.1g/crypto/poly1305/poly1305_pmeth.c 2020-05-18 12:45:44.579266627 +0200
@@ -192,3 +192,8 @@ const EVP_PKEY_METHOD poly1305_pkey_meth
pkey_poly1305_ctrl,
pkey_poly1305_ctrl_str
@@ -1926,9 +1879,9 @@ diff -up openssl-1.1.1c/crypto/poly1305/poly1305_pmeth.c.s390x-ecc openssl-1.1.1
+{
+ return &poly1305_pkey_meth;
+}
-diff -up openssl-1.1.1c/crypto/rsa/rsa_pmeth.c.s390x-ecc openssl-1.1.1c/crypto/rsa/rsa_pmeth.c
---- openssl-1.1.1c/crypto/rsa/rsa_pmeth.c.s390x-ecc 2019-11-20 11:36:02.117861731 +0100
-+++ openssl-1.1.1c/crypto/rsa/rsa_pmeth.c 2019-11-20 11:36:02.199860293 +0100
+diff -up openssl-1.1.1g/crypto/rsa/rsa_pmeth.c.s390x-ecc openssl-1.1.1g/crypto/rsa/rsa_pmeth.c
+--- openssl-1.1.1g/crypto/rsa/rsa_pmeth.c.s390x-ecc 2020-05-18 12:45:40.798233766 +0200
++++ openssl-1.1.1g/crypto/rsa/rsa_pmeth.c 2020-05-18 12:45:44.580266635 +0200
@@ -789,6 +789,11 @@ const EVP_PKEY_METHOD rsa_pkey_meth = {
pkey_rsa_ctrl_str
};
@@ -1950,9 +1903,9 @@ diff -up openssl-1.1.1c/crypto/rsa/rsa_pmeth.c.s390x-ecc openssl-1.1.1c/crypto/r
+{
+ return &rsa_pss_pkey_meth;
+}
-diff -up openssl-1.1.1c/crypto/s390x_arch.h.s390x-ecc openssl-1.1.1c/crypto/s390x_arch.h
---- openssl-1.1.1c/crypto/s390x_arch.h.s390x-ecc 2019-11-20 11:36:01.867866116 +0100
-+++ openssl-1.1.1c/crypto/s390x_arch.h 2019-11-20 11:36:02.199860293 +0100
+diff -up openssl-1.1.1g/crypto/s390x_arch.h.s390x-ecc openssl-1.1.1g/crypto/s390x_arch.h
+--- openssl-1.1.1g/crypto/s390x_arch.h.s390x-ecc 2020-05-18 12:45:40.603232072 +0200
++++ openssl-1.1.1g/crypto/s390x_arch.h 2020-05-18 12:45:44.580266635 +0200
@@ -26,6 +26,12 @@ void s390x_kmf(const unsigned char *in,
unsigned int fc, void *param);
void s390x_kma(const unsigned char *aad, size_t alen, const unsigned char *in,
@@ -2023,9 +1976,9 @@ diff -up openssl-1.1.1c/crypto/s390x_arch.h.s390x-ecc openssl-1.1.1c/crypto/s390
+# define S390X_KDSA_D 0x80
#endif
-diff -up openssl-1.1.1c/crypto/s390xcpuid.pl.s390x-ecc openssl-1.1.1c/crypto/s390xcpuid.pl
---- openssl-1.1.1c/crypto/s390xcpuid.pl.s390x-ecc 2019-05-28 15:12:21.000000000 +0200
-+++ openssl-1.1.1c/crypto/s390xcpuid.pl 2019-11-20 11:36:02.199860293 +0100
+diff -up openssl-1.1.1g/crypto/s390xcpuid.pl.s390x-ecc openssl-1.1.1g/crypto/s390xcpuid.pl
+--- openssl-1.1.1g/crypto/s390xcpuid.pl.s390x-ecc 2020-04-21 14:22:39.000000000 +0200
++++ openssl-1.1.1g/crypto/s390xcpuid.pl 2020-05-18 12:45:44.581266644 +0200
@@ -58,6 +58,10 @@ OPENSSL_s390x_facilities:
stg %r0,S390X_PRNO+8(%r4)
stg %r0,S390X_KMA(%r4)
@@ -2195,9 +2148,9 @@ diff -up openssl-1.1.1c/crypto/s390xcpuid.pl.s390x-ecc openssl-1.1.1c/crypto/s39
$code.=<<___;
.section .init
brasl $ra,OPENSSL_cpuid_setup
-diff -up openssl-1.1.1c/crypto/siphash/siphash_pmeth.c.s390x-ecc openssl-1.1.1c/crypto/siphash/siphash_pmeth.c
---- openssl-1.1.1c/crypto/siphash/siphash_pmeth.c.s390x-ecc 2019-05-28 15:12:21.000000000 +0200
-+++ openssl-1.1.1c/crypto/siphash/siphash_pmeth.c 2019-11-20 11:36:02.200860275 +0100
+diff -up openssl-1.1.1g/crypto/siphash/siphash_pmeth.c.s390x-ecc openssl-1.1.1g/crypto/siphash/siphash_pmeth.c
+--- openssl-1.1.1g/crypto/siphash/siphash_pmeth.c.s390x-ecc 2020-04-21 14:22:39.000000000 +0200
++++ openssl-1.1.1g/crypto/siphash/siphash_pmeth.c 2020-05-18 12:45:44.581266644 +0200
@@ -203,3 +203,8 @@ const EVP_PKEY_METHOD siphash_pkey_meth
pkey_siphash_ctrl,
pkey_siphash_ctrl_str
@@ -2207,10 +2160,10 @@ diff -up openssl-1.1.1c/crypto/siphash/siphash_pmeth.c.s390x-ecc openssl-1.1.1c/
+{
+ return &siphash_pkey_meth;
+}
-diff -up openssl-1.1.1c/crypto/sm2/sm2_pmeth.c.s390x-ecc openssl-1.1.1c/crypto/sm2/sm2_pmeth.c
---- openssl-1.1.1c/crypto/sm2/sm2_pmeth.c.s390x-ecc 2019-05-28 15:12:21.000000000 +0200
-+++ openssl-1.1.1c/crypto/sm2/sm2_pmeth.c 2019-11-20 11:36:02.200860275 +0100
-@@ -323,3 +323,8 @@ const EVP_PKEY_METHOD sm2_pkey_meth = {
+diff -up openssl-1.1.1g/crypto/sm2/sm2_pmeth.c.s390x-ecc openssl-1.1.1g/crypto/sm2/sm2_pmeth.c
+--- openssl-1.1.1g/crypto/sm2/sm2_pmeth.c.s390x-ecc 2020-04-21 14:22:39.000000000 +0200
++++ openssl-1.1.1g/crypto/sm2/sm2_pmeth.c 2020-05-18 12:45:44.582266653 +0200
+@@ -327,3 +327,8 @@ const EVP_PKEY_METHOD sm2_pkey_meth = {
pkey_sm2_digest_custom
};
@@ -2219,10 +2172,36 @@ diff -up openssl-1.1.1c/crypto/sm2/sm2_pmeth.c.s390x-ecc openssl-1.1.1c/crypto/s
+{
+ return &sm2_pkey_meth;
+}
-diff -up openssl-1.1.1c/include/internal/constant_time_locl.h.s390x-ecc openssl-1.1.1c/include/internal/constant_time_locl.h
---- openssl-1.1.1c/include/internal/constant_time_locl.h.s390x-ecc 2019-11-20 11:36:02.176860696 +0100
-+++ openssl-1.1.1c/include/internal/constant_time_locl.h 2019-11-20 11:36:02.200860275 +0100
-@@ -347,6 +347,34 @@ static ossl_inline void constant_time_co
+diff -up openssl-1.1.1g/include/crypto/evp.h.s390x-ecc openssl-1.1.1g/include/crypto/evp.h
+--- openssl-1.1.1g/include/crypto/evp.h.s390x-ecc 2020-05-18 12:45:40.834234079 +0200
++++ openssl-1.1.1g/include/crypto/evp.h 2020-05-18 12:45:44.577266609 +0200
+@@ -459,3 +459,22 @@ void evp_encode_ctx_set_flags(EVP_ENCODE
+ #define EVP_ENCODE_CTX_NO_NEWLINES 1
+ /* Use the SRP base64 alphabet instead of the standard one */
+ #define EVP_ENCODE_CTX_USE_SRP_ALPHABET 2
++
++const EVP_PKEY_METHOD *cmac_pkey_method(void);
++const EVP_PKEY_METHOD *dh_pkey_method(void);
++const EVP_PKEY_METHOD *dhx_pkey_method(void);
++const EVP_PKEY_METHOD *dsa_pkey_method(void);
++const EVP_PKEY_METHOD *ec_pkey_method(void);
++const EVP_PKEY_METHOD *sm2_pkey_method(void);
++const EVP_PKEY_METHOD *ecx25519_pkey_method(void);
++const EVP_PKEY_METHOD *ecx448_pkey_method(void);
++const EVP_PKEY_METHOD *ed25519_pkey_method(void);
++const EVP_PKEY_METHOD *ed448_pkey_method(void);
++const EVP_PKEY_METHOD *hmac_pkey_method(void);
++const EVP_PKEY_METHOD *rsa_pkey_method(void);
++const EVP_PKEY_METHOD *rsa_pss_pkey_method(void);
++const EVP_PKEY_METHOD *scrypt_pkey_method(void);
++const EVP_PKEY_METHOD *tls1_prf_pkey_method(void);
++const EVP_PKEY_METHOD *hkdf_pkey_method(void);
++const EVP_PKEY_METHOD *poly1305_pkey_method(void);
++const EVP_PKEY_METHOD *siphash_pkey_method(void);
+diff -up openssl-1.1.1g/include/internal/constant_time.h.s390x-ecc openssl-1.1.1g/include/internal/constant_time.h
+--- openssl-1.1.1g/include/internal/constant_time.h.s390x-ecc 2020-04-21 14:22:39.000000000 +0200
++++ openssl-1.1.1g/include/internal/constant_time.h 2020-05-18 12:45:44.582266653 +0200
+@@ -353,6 +353,34 @@ static ossl_inline void constant_time_co
}
/*
@@ -2257,10 +2236,10 @@ diff -up openssl-1.1.1c/include/internal/constant_time_locl.h.s390x-ecc openssl-
* table is a two dimensional array of bytes. Each row has rowsize elements.
* Copies row number idx into out. rowsize and numrows are not considered
* private.
-diff -up openssl-1.1.1c/include/openssl/ecerr.h.s390x-ecc openssl-1.1.1c/include/openssl/ecerr.h
---- openssl-1.1.1c/include/openssl/ecerr.h.s390x-ecc 2019-05-28 15:12:21.000000000 +0200
-+++ openssl-1.1.1c/include/openssl/ecerr.h 2019-11-20 11:36:02.200860275 +0100
-@@ -38,6 +38,11 @@ int ERR_load_EC_strings(void);
+diff -up openssl-1.1.1g/include/openssl/ecerr.h.s390x-ecc openssl-1.1.1g/include/openssl/ecerr.h
+--- openssl-1.1.1g/include/openssl/ecerr.h.s390x-ecc 2020-04-21 14:22:39.000000000 +0200
++++ openssl-1.1.1g/include/openssl/ecerr.h 2020-05-18 12:45:44.583266662 +0200
+@@ -42,6 +42,11 @@ int ERR_load_EC_strings(void);
# define EC_F_ECDSA_SIGN_SETUP 248
# define EC_F_ECDSA_SIG_NEW 265
# define EC_F_ECDSA_VERIFY 253
@@ -2272,7 +2251,7 @@ diff -up openssl-1.1.1c/include/openssl/ecerr.h.s390x-ecc openssl-1.1.1c/include
# define EC_F_ECD_ITEM_VERIFY 270
# define EC_F_ECKEY_PARAM2TYPE 223
# define EC_F_ECKEY_PARAM_DECODE 212
-@@ -181,6 +186,7 @@ int ERR_load_EC_strings(void);
+@@ -185,6 +190,7 @@ int ERR_load_EC_strings(void);
# define EC_F_O2I_ECPUBLICKEY 152
# define EC_F_OLD_EC_PRIV_DECODE 222
# define EC_F_OSSL_ECDH_COMPUTE_KEY 247
@@ -2280,7 +2259,7 @@ diff -up openssl-1.1.1c/include/openssl/ecerr.h.s390x-ecc openssl-1.1.1c/include
# define EC_F_OSSL_ECDSA_SIGN_SIG 249
# define EC_F_OSSL_ECDSA_VERIFY_SIG 250
# define EC_F_PKEY_ECD_CTRL 271
-@@ -196,6 +202,12 @@ int ERR_load_EC_strings(void);
+@@ -200,6 +206,12 @@ int ERR_load_EC_strings(void);
# define EC_F_PKEY_EC_KEYGEN 199
# define EC_F_PKEY_EC_PARAMGEN 219
# define EC_F_PKEY_EC_SIGN 218
@@ -2293,7 +2272,7 @@ diff -up openssl-1.1.1c/include/openssl/ecerr.h.s390x-ecc openssl-1.1.1c/include
# define EC_F_VALIDATE_ECX_DERIVE 278
/*
-@@ -208,6 +220,7 @@ int ERR_load_EC_strings(void);
+@@ -212,6 +224,7 @@ int ERR_load_EC_strings(void);
# define EC_R_CANNOT_INVERT 165
# define EC_R_COORDINATES_OUT_OF_RANGE 146
# define EC_R_CURVE_DOES_NOT_SUPPORT_ECDH 160
@@ -2301,9 +2280,9 @@ diff -up openssl-1.1.1c/include/openssl/ecerr.h.s390x-ecc openssl-1.1.1c/include
# define EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING 159
# define EC_R_D2I_ECPKPARAMETERS_FAILURE 117
# define EC_R_DECODE_ERROR 142
-diff -up openssl-1.1.1c/test/recipes/30-test_evp_data/evppkey.txt.s390x-ecc openssl-1.1.1c/test/recipes/30-test_evp_data/evppkey.txt
---- openssl-1.1.1c/test/recipes/30-test_evp_data/evppkey.txt.s390x-ecc 2019-05-28 15:12:21.000000000 +0200
-+++ openssl-1.1.1c/test/recipes/30-test_evp_data/evppkey.txt 2019-11-20 11:36:02.203860223 +0100
+diff -up openssl-1.1.1g/test/recipes/30-test_evp_data/evppkey.txt.s390x-ecc openssl-1.1.1g/test/recipes/30-test_evp_data/evppkey.txt
+--- openssl-1.1.1g/test/recipes/30-test_evp_data/evppkey.txt.s390x-ecc 2020-04-21 14:22:39.000000000 +0200
++++ openssl-1.1.1g/test/recipes/30-test_evp_data/evppkey.txt 2020-05-18 12:45:44.590266722 +0200
@@ -814,6 +814,8 @@ PublicKeyRaw=Bob-448-PUBLIC-Raw:X448:3eb
PrivPubKeyPair = Bob-448-Raw:Bob-448-PUBLIC-Raw
diff --git a/SOURCES/openssl-1.1.1-s390x-update.patch b/SOURCES/openssl-1.1.1-s390x-update.patch
index f46c1a5..83061af 100644
--- a/SOURCES/openssl-1.1.1-s390x-update.patch
+++ b/SOURCES/openssl-1.1.1-s390x-update.patch
@@ -1,13 +1,6 @@
-diff -up openssl-1.1.1b/crypto/chacha/asm/chacha-s390x.pl.s390x-update openssl-1.1.1b/crypto/chacha/asm/chacha-s390x.pl
---- openssl-1.1.1b/crypto/chacha/asm/chacha-s390x.pl.s390x-update 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/chacha/asm/chacha-s390x.pl 2019-05-06 10:54:00.035367605 +0200
-@@ -1,5 +1,5 @@
- #! /usr/bin/env perl
--# Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
-+# Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
- #
- # Licensed under the OpenSSL license (the "License"). You may not use
- # this file except in compliance with the License. You can obtain a copy
+diff -up openssl-1.1.1e/crypto/chacha/asm/chacha-s390x.pl.s390x-update openssl-1.1.1e/crypto/chacha/asm/chacha-s390x.pl
+--- openssl-1.1.1e/crypto/chacha/asm/chacha-s390x.pl.s390x-update 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/crypto/chacha/asm/chacha-s390x.pl 2020-03-19 16:45:05.483440129 +0100
@@ -20,41 +20,53 @@
#
# 3 times faster than compiler-generated code.
@@ -472,7 +465,7 @@ diff -up openssl-1.1.1b/crypto/chacha/asm/chacha-s390x.pl.s390x-update openssl-1
+ vsldb (@b[$_],@b[$_],@b[$_],$odd?12:4) for (0..5);
+ vsldb (@d[$_],@d[$_],@d[$_],$odd?4:12) for (0..5);
}
--close STDOUT;
+-close STDOUT or die "error closing STDOUT: $!";
+
+PERLASM_BEGIN($output);
+
@@ -1290,9 +1283,9 @@ diff -up openssl-1.1.1b/crypto/chacha/asm/chacha-s390x.pl.s390x-update openssl-1
+ALIGN (4);
+
+PERLASM_END();
-diff -up openssl-1.1.1b/crypto/perlasm/s390x.pm.s390x-update openssl-1.1.1b/crypto/perlasm/s390x.pm
---- openssl-1.1.1b/crypto/perlasm/s390x.pm.s390x-update 2019-05-06 10:54:00.037367571 +0200
-+++ openssl-1.1.1b/crypto/perlasm/s390x.pm 2019-05-06 10:54:00.038367554 +0200
+diff -up openssl-1.1.1e/crypto/perlasm/s390x.pm.s390x-update openssl-1.1.1e/crypto/perlasm/s390x.pm
+--- openssl-1.1.1e/crypto/perlasm/s390x.pm.s390x-update 2020-03-19 16:20:22.039227394 +0100
++++ openssl-1.1.1e/crypto/perlasm/s390x.pm 2020-03-19 16:20:22.039227394 +0100
@@ -0,0 +1,3060 @@
+#!/usr/bin/env perl
+# Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
@@ -4354,9 +4347,9 @@ diff -up openssl-1.1.1b/crypto/perlasm/s390x.pm.s390x-update openssl-1.1.1b/cryp
+}
+
+1;
-diff -up openssl-1.1.1b/crypto/poly1305/asm/poly1305-s390x.pl.s390x-update openssl-1.1.1b/crypto/poly1305/asm/poly1305-s390x.pl
---- openssl-1.1.1b/crypto/poly1305/asm/poly1305-s390x.pl.s390x-update 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/poly1305/asm/poly1305-s390x.pl 2019-05-06 10:54:00.036367588 +0200
+diff -up openssl-1.1.1e/crypto/poly1305/asm/poly1305-s390x.pl.s390x-update openssl-1.1.1e/crypto/poly1305/asm/poly1305-s390x.pl
+--- openssl-1.1.1e/crypto/poly1305/asm/poly1305-s390x.pl.s390x-update 2020-03-19 16:20:22.041227359 +0100
++++ openssl-1.1.1e/crypto/poly1305/asm/poly1305-s390x.pl 2020-03-19 16:23:22.364098257 +0100
@@ -24,204 +24,961 @@
#
# On side note, z13 enables vector base 2^26 implementation...
@@ -5494,11 +5487,11 @@ diff -up openssl-1.1.1b/crypto/poly1305/asm/poly1305-s390x.pl.s390x-update opens
+STRING ("\"Poly1305 for s390x, CRYPTOGAMS by <appro\@openssl.org>\"");
-print $code;
--close STDOUT;
+-close STDOUT or die "error closing STDOUT: $!";
+PERLASM_END();
-diff -up openssl-1.1.1b/crypto/poly1305/build.info.s390x-update openssl-1.1.1b/crypto/poly1305/build.info
---- openssl-1.1.1b/crypto/poly1305/build.info.s390x-update 2019-05-06 10:54:00.036367588 +0200
-+++ openssl-1.1.1b/crypto/poly1305/build.info 2019-05-06 10:56:14.964105164 +0200
+diff -up openssl-1.1.1e/crypto/poly1305/build.info.s390x-update openssl-1.1.1e/crypto/poly1305/build.info
+--- openssl-1.1.1e/crypto/poly1305/build.info.s390x-update 2020-03-17 15:31:17.000000000 +0100
++++ openssl-1.1.1e/crypto/poly1305/build.info 2020-03-19 16:20:22.042227342 +0100
@@ -18,6 +18,7 @@ INCLUDE[poly1305-armv8.o]=..
GENERATE[poly1305-mips.S]=asm/poly1305-mips.pl $(PERLASM_SCHEME)
INCLUDE[poly1305-mips.o]=..
diff --git a/SOURCES/openssl-1.1.1-seclevel.patch b/SOURCES/openssl-1.1.1-seclevel.patch
index 6b30d7d..c6751a5 100644
--- a/SOURCES/openssl-1.1.1-seclevel.patch
+++ b/SOURCES/openssl-1.1.1-seclevel.patch
@@ -1,7 +1,7 @@
-diff -up openssl-1.1.1/crypto/x509/x509_vfy.c.seclevel openssl-1.1.1/crypto/x509/x509_vfy.c
---- openssl-1.1.1/crypto/x509/x509_vfy.c.seclevel 2018-09-11 14:48:22.000000000 +0200
-+++ openssl-1.1.1/crypto/x509/x509_vfy.c 2018-10-01 14:34:43.083145020 +0200
-@@ -3220,6 +3220,7 @@ static int build_chain(X509_STORE_CTX *c
+diff -up openssl-1.1.1g/crypto/x509/x509_vfy.c.seclevel openssl-1.1.1g/crypto/x509/x509_vfy.c
+--- openssl-1.1.1g/crypto/x509/x509_vfy.c.seclevel 2020-04-21 14:22:39.000000000 +0200
++++ openssl-1.1.1g/crypto/x509/x509_vfy.c 2020-06-05 17:16:54.835536823 +0200
+@@ -3225,6 +3225,7 @@ static int build_chain(X509_STORE_CTX *c
}
static const int minbits_table[] = { 80, 112, 128, 192, 256 };
@@ -9,20 +9,23 @@ diff -up openssl-1.1.1/crypto/x509/x509_vfy.c.seclevel openssl-1.1.1/crypto/x509
static const int NUM_AUTH_LEVELS = OSSL_NELEM(minbits_table);
/*
-@@ -3264,6 +3265,8 @@ static int check_sig_level(X509_STORE_CT
+@@ -3276,6 +3277,11 @@ static int check_sig_level(X509_STORE_CT
if (!X509_get_signature_info(cert, NULL, NULL, &secbits, NULL))
return 0;
-
- return secbits >= minbits_table[level - 1];
-+ /* Allow SHA1 in SECLEVEL 2 in non-FIPS mode */
-+ if (FIPS_mode())
++ /*
++ * Allow SHA1 in SECLEVEL 2 in non-FIPS mode or when the magic
++ * disable SHA1 flag is not set.
++ */
++ if ((ctx->param->flags & 0x40000000) || FIPS_mode())
+ return secbits >= minbits_table[level - 1];
+ return secbits >= minbits_digest_table[level - 1];
}
-diff -up openssl-1.1.1/doc/man3/SSL_CTX_set_security_level.pod.seclevel openssl-1.1.1/doc/man3/SSL_CTX_set_security_level.pod
---- openssl-1.1.1/doc/man3/SSL_CTX_set_security_level.pod.seclevel 2018-09-11 14:48:22.000000000 +0200
-+++ openssl-1.1.1/doc/man3/SSL_CTX_set_security_level.pod 2018-10-01 14:34:43.083145020 +0200
+diff -up openssl-1.1.1g/doc/man3/SSL_CTX_set_security_level.pod.seclevel openssl-1.1.1g/doc/man3/SSL_CTX_set_security_level.pod
+--- openssl-1.1.1g/doc/man3/SSL_CTX_set_security_level.pod.seclevel 2020-04-21 14:22:39.000000000 +0200
++++ openssl-1.1.1g/doc/man3/SSL_CTX_set_security_level.pod 2020-06-04 15:48:01.608178833 +0200
@@ -81,8 +81,10 @@ using MD5 for the MAC is also prohibited
=item B<Level 2>
@@ -36,23 +39,115 @@ diff -up openssl-1.1.1/doc/man3/SSL_CTX_set_security_level.pod.seclevel openssl-
In addition to the level 1 exclusions any cipher suite using RC4 is also
prohibited. SSL version 3 is also not allowed. Compression is disabled.
-diff -up openssl-1.1.1/ssl/ssl_cert.c.seclevel openssl-1.1.1/ssl/ssl_cert.c
---- openssl-1.1.1/ssl/ssl_cert.c.seclevel 2018-09-11 14:48:23.000000000 +0200
-+++ openssl-1.1.1/ssl/ssl_cert.c 2018-10-12 15:29:12.673799305 +0200
-@@ -983,6 +983,9 @@ static int ssl_security_default_callback
+diff -up openssl-1.1.1g/ssl/ssl_cert.c.seclevel openssl-1.1.1g/ssl/ssl_cert.c
+--- openssl-1.1.1g/ssl/ssl_cert.c.seclevel 2020-04-21 14:22:39.000000000 +0200
++++ openssl-1.1.1g/ssl/ssl_cert.c 2020-06-05 17:10:11.842198401 +0200
+@@ -27,6 +27,7 @@
+ static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx,
+ int op, int bits, int nid, void *other,
+ void *ex);
++static unsigned long sha1_disable(const SSL *s, const SSL_CTX *ctx);
+
+ static CRYPTO_ONCE ssl_x509_store_ctx_once = CRYPTO_ONCE_STATIC_INIT;
+ static volatile int ssl_x509_store_ctx_idx = -1;
+@@ -396,7 +397,7 @@ int ssl_verify_cert_chain(SSL *s, STACK_
+ X509_VERIFY_PARAM_set_auth_level(param, SSL_get_security_level(s));
+
+ /* Set suite B flags if needed */
+- X509_STORE_CTX_set_flags(ctx, tls1_suiteb(s));
++ X509_STORE_CTX_set_flags(ctx, tls1_suiteb(s) | sha1_disable(s, NULL));
+ if (!X509_STORE_CTX_set_ex_data
+ (ctx, SSL_get_ex_data_X509_STORE_CTX_idx(), s)) {
+ goto end;
+@@ -953,12 +954,33 @@ static int ssl_security_default_callback
return 0;
break;
default:
+ /* allow SHA1 in SECLEVEL 2 in non FIPS mode */
-+ if (nid == NID_sha1 && minbits == 112 && !FIPS_mode())
++ if (nid == NID_sha1 && minbits == 112 && !sha1_disable(s, ctx))
+ break;
if (bits < minbits)
return 0;
}
-diff -up openssl-1.1.1/test/recipes/25-test_verify.t.seclevel openssl-1.1.1/test/recipes/25-test_verify.t
---- openssl-1.1.1/test/recipes/25-test_verify.t.seclevel 2018-09-11 14:48:24.000000000 +0200
-+++ openssl-1.1.1/test/recipes/25-test_verify.t 2018-10-01 14:34:43.084145044 +0200
-@@ -342,8 +342,8 @@ ok(verify("ee-pss-sha1-cert", "sslserver
+ return 1;
+ }
+
++static unsigned long sha1_disable(const SSL *s, const SSL_CTX *ctx)
++{
++ unsigned long ret = 0x40000000; /* a magical internal value used by X509_VERIFY_PARAM */
++ const CERT *c;
++
++ if (FIPS_mode())
++ return ret;
++
++ if (ctx != NULL) {
++ c = ctx->cert;
++ } else {
++ c = s->cert;
++ }
++ if (tls1_cert_sigalgs_have_sha1(c))
++ return 0;
++ return ret;
++}
++
+ int ssl_security(const SSL *s, int op, int bits, int nid, void *other)
+ {
+ return s->cert->sec_cb(s, NULL, op, bits, nid, other, s->cert->sec_ex);
+diff -up openssl-1.1.1g/ssl/ssl_local.h.seclevel openssl-1.1.1g/ssl/ssl_local.h
+--- openssl-1.1.1g/ssl/ssl_local.h.seclevel 2020-06-04 15:48:01.602178783 +0200
++++ openssl-1.1.1g/ssl/ssl_local.h 2020-06-05 17:02:22.666313410 +0200
+@@ -2576,6 +2576,7 @@ __owur int tls1_save_sigalgs(SSL *s, PAC
+ __owur int tls1_process_sigalgs(SSL *s);
+ __owur int tls1_set_peer_legacy_sigalg(SSL *s, const EVP_PKEY *pkey);
+ __owur int tls1_lookup_md(const SIGALG_LOOKUP *lu, const EVP_MD **pmd);
++int tls1_cert_sigalgs_have_sha1(const CERT *c);
+ __owur size_t tls12_get_psigalgs(SSL *s, int sent, const uint16_t **psigs);
+ # ifndef OPENSSL_NO_EC
+ __owur int tls_check_sigalg_curve(const SSL *s, int curve);
+diff -up openssl-1.1.1g/ssl/t1_lib.c.seclevel openssl-1.1.1g/ssl/t1_lib.c
+--- openssl-1.1.1g/ssl/t1_lib.c.seclevel 2020-06-04 15:48:01.654179221 +0200
++++ openssl-1.1.1g/ssl/t1_lib.c 2020-06-05 17:02:40.268459157 +0200
+@@ -2145,6 +2145,36 @@ int tls1_set_sigalgs(CERT *c, const int
+ return 0;
+ }
+
++static int tls1_sigalgs_have_sha1(const uint16_t *sigalgs, size_t sigalgslen)
++{
++ size_t i;
++
++ for (i = 0; i < sigalgslen; i++, sigalgs++) {
++ const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(*sigalgs);
++
++ if (lu == NULL)
++ continue;
++ if (lu->hash == NID_sha1)
++ return 1;
++ }
++ return 0;
++}
++
++
++int tls1_cert_sigalgs_have_sha1(const CERT *c)
++{
++ if (c->client_sigalgs != NULL) {
++ if (tls1_sigalgs_have_sha1(c->client_sigalgs, c->client_sigalgslen))
++ return 1;
++ }
++ if (c->conf_sigalgs != NULL) {
++ if (tls1_sigalgs_have_sha1(c->conf_sigalgs, c->conf_sigalgslen))
++ return 1;
++ return 0;
++ }
++ return 1;
++}
++
+ static int tls1_check_sig_alg(SSL *s, X509 *x, int default_nid)
+ {
+ int sig_nid, use_pc_sigalgs = 0;
+diff -up openssl-1.1.1g/test/recipes/25-test_verify.t.seclevel openssl-1.1.1g/test/recipes/25-test_verify.t
+--- openssl-1.1.1g/test/recipes/25-test_verify.t.seclevel 2020-04-21 14:22:39.000000000 +0200
++++ openssl-1.1.1g/test/recipes/25-test_verify.t 2020-06-04 15:48:01.608178833 +0200
+@@ -346,8 +346,8 @@ ok(verify("ee-pss-sha1-cert", "sslserver
ok(verify("ee-pss-sha256-cert", "sslserver", ["root-cert"], ["ca-cert"], ),
"CA with PSS signature using SHA256");
diff --git a/SOURCES/openssl-1.1.1-ssh-kdf.patch b/SOURCES/openssl-1.1.1-ssh-kdf.patch
index 08f02ac..1bf71c4 100644
--- a/SOURCES/openssl-1.1.1-ssh-kdf.patch
+++ b/SOURCES/openssl-1.1.1-ssh-kdf.patch
@@ -51,10 +51,10 @@ index 05f5cec3a9..811fe727f6 100644
};
DECLARE_OBJ_BSEARCH_CMP_FN(const EVP_KDF_METHOD *, const EVP_KDF_METHOD *,
-diff --git a/crypto/include/internal/evp_int.h b/crypto/include/internal/evp_int.h
+diff --git a/include/crypto/evp.h b/include/crypto/evp.h
index a109e561b3..8c313c65ac 100644
---- a/crypto/include/internal/evp_int.h
-+++ b/crypto/include/internal/evp_int.h
+--- a/include/crypto/evp.h
++++ b/include/crypto/evp.h
@@ -129,6 +129,7 @@ extern const EVP_KDF_METHOD pbkdf2_kdf_meth;
extern const EVP_KDF_METHOD scrypt_kdf_meth;
extern const EVP_KDF_METHOD tls1_prf_kdf_meth;
@@ -119,7 +119,7 @@ index 0000000000..24f37cbed4
+#include <openssl/evp.h>
+#include <openssl/kdf.h>
+#include "internal/cryptlib.h"
-+#include "internal/evp_int.h"
++#include "crypto/evp.h"
+#include "kdf_local.h"
+
+/* See RFC 4253, Section 7.2 */
diff --git a/SOURCES/openssl-1.1.1-tls-compliance.patch b/SOURCES/openssl-1.1.1-tls-compliance.patch
deleted file mode 100644
index e10b53e..0000000
--- a/SOURCES/openssl-1.1.1-tls-compliance.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-diff -up openssl-1.1.1c/ssl/record/ssl3_record.c.compliance openssl-1.1.1c/ssl/record/ssl3_record.c
---- openssl-1.1.1c/ssl/record/ssl3_record.c.compliance 2019-05-28 15:12:21.000000000 +0200
-+++ openssl-1.1.1c/ssl/record/ssl3_record.c 2019-11-25 13:10:53.890637381 +0100
-@@ -559,7 +559,7 @@ int ssl3_get_record(SSL *s)
- RECORD_LAYER_reset_read_sequence(&s->rlayer);
- return 1;
- }
-- SSLfatal(s, SSL_AD_DECRYPTION_FAILED, SSL_F_SSL3_GET_RECORD,
-+ SSLfatal(s, SSL_AD_BAD_RECORD_MAC, SSL_F_SSL3_GET_RECORD,
- SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
- return -1;
- }
-diff -up openssl-1.1.1c/ssl/statem/extensions_srvr.c.compliance openssl-1.1.1c/ssl/statem/extensions_srvr.c
---- openssl-1.1.1c/ssl/statem/extensions_srvr.c.compliance 2019-05-28 15:12:21.000000000 +0200
-+++ openssl-1.1.1c/ssl/statem/extensions_srvr.c 2019-11-25 13:12:59.329459528 +0100
-@@ -1487,6 +1487,10 @@ EXT_RETURN tls_construct_stoc_status_req
- unsigned int context, X509 *x,
- size_t chainidx)
- {
-+ /* We don't currently support this extension inside a CertificateRequest */
-+ if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST)
-+ return EXT_RETURN_NOT_SENT;
-+
- if (!s->ext.status_expected)
- return EXT_RETURN_NOT_SENT;
-
diff --git a/SOURCES/openssl-1.1.1-upstream-sync.patch b/SOURCES/openssl-1.1.1-upstream-sync.patch
deleted file mode 100644
index 7e03b8d..0000000
--- a/SOURCES/openssl-1.1.1-upstream-sync.patch
+++ /dev/null
@@ -1,534 +0,0 @@
-diff -up openssl-1.1.1c/crypto/dsa/dsa_ameth.c.sync openssl-1.1.1c/crypto/dsa/dsa_ameth.c
---- openssl-1.1.1c/crypto/dsa/dsa_ameth.c.sync 2019-05-28 15:12:21.000000000 +0200
-+++ openssl-1.1.1c/crypto/dsa/dsa_ameth.c 2019-05-29 17:10:39.768187283 +0200
-@@ -503,7 +503,7 @@ static int dsa_pkey_ctrl(EVP_PKEY *pkey,
-
- case ASN1_PKEY_CTRL_DEFAULT_MD_NID:
- *(int *)arg2 = NID_sha256;
-- return 2;
-+ return 1;
-
- default:
- return -2;
-diff -up openssl-1.1.1c/crypto/err/err.c.sync openssl-1.1.1c/crypto/err/err.c
---- openssl-1.1.1c/crypto/err/err.c.sync 2019-05-28 15:12:21.000000000 +0200
-+++ openssl-1.1.1c/crypto/err/err.c 2019-05-29 17:07:13.345793792 +0200
-@@ -184,8 +184,8 @@ static ERR_STRING_DATA *int_err_get_item
- }
-
- #ifndef OPENSSL_NO_ERR
--/* A measurement on Linux 2018-11-21 showed about 3.5kib */
--# define SPACE_SYS_STR_REASONS 4 * 1024
-+/* 2019-05-21: Russian and Ukrainian locales on Linux require more than 6,5 kB */
-+# define SPACE_SYS_STR_REASONS 8 * 1024
- # define NUM_SYS_STR_REASONS 127
-
- static ERR_STRING_DATA SYS_str_reasons[NUM_SYS_STR_REASONS + 1];
-@@ -219,21 +219,23 @@ static void build_SYS_str_reasons(void)
- ERR_STRING_DATA *str = &SYS_str_reasons[i - 1];
-
- str->error = ERR_PACK(ERR_LIB_SYS, 0, i);
-- if (str->string == NULL) {
-+ /*
-+ * If we have used up all the space in strerror_pool,
-+ * there's no point in calling openssl_strerror_r()
-+ */
-+ if (str->string == NULL && cnt < sizeof(strerror_pool)) {
- if (openssl_strerror_r(i, cur, sizeof(strerror_pool) - cnt)) {
- size_t l = strlen(cur);
-
- str->string = cur;
- cnt += l;
-- if (cnt > sizeof(strerror_pool))
-- cnt = sizeof(strerror_pool);
- cur += l;
-
- /*
- * VMS has an unusual quirk of adding spaces at the end of
-- * some (most? all?) messages. Lets trim them off.
-+ * some (most? all?) messages. Lets trim them off.
- */
-- while (ossl_isspace(cur[-1])) {
-+ while (cur > strerror_pool && ossl_isspace(cur[-1])) {
- cur--;
- cnt--;
- }
-diff -up openssl-1.1.1c/crypto/rand/rand_lib.c.sync openssl-1.1.1c/crypto/rand/rand_lib.c
---- openssl-1.1.1c/crypto/rand/rand_lib.c.sync 2019-05-29 17:20:17.175099183 +0200
-+++ openssl-1.1.1c/crypto/rand/rand_lib.c 2019-05-30 11:51:20.784850208 +0200
-@@ -239,8 +239,9 @@ size_t rand_drbg_get_nonce(RAND_DRBG *dr
- struct {
- void * instance;
- int count;
-- } data = { NULL, 0 };
-+ } data;
-
-+ memset(&data, 0, sizeof(data));
- pool = rand_pool_new(0, min_len, max_len);
- if (pool == NULL)
- return 0;
-From 6c2f347c78a530407b5310497080810094427920 Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Wed, 17 Apr 2019 11:09:05 +0100
-Subject: [PATCH 1/2] Defer sending a KeyUpdate until after pending writes are
- complete
-
-If we receive a KeyUpdate message (update requested) from the peer while
-we are in the middle of a write, we should defer sending the responding
-KeyUpdate message until after the current write is complete. We do this
-by waiting to send the KeyUpdate until the next time we write and there is
-no pending write data.
-
-This does imply a subtle change in behaviour. Firstly the responding
-KeyUpdate message won't be sent straight away as it is now. Secondly if
-the peer sends multiple KeyUpdates without us doing any writing then we
-will only send one response, as opposed to previously where we sent a
-response for each KeyUpdate received.
-
-Fixes #8677
-
-Reviewed-by: Ben Kaduk <kaduk@mit.edu>
-(Merged from https://github.com/openssl/openssl/pull/8773)
-
-(cherry picked from commit feb9e31c40c49de6384dd0413685e9b5a15adc99)
----
- ssl/record/rec_layer_s3.c | 7 +++++++
- ssl/statem/statem_clnt.c | 6 ------
- ssl/statem/statem_lib.c | 7 ++-----
- ssl/statem/statem_srvr.c | 6 ------
- 4 files changed, 9 insertions(+), 17 deletions(-)
-
-diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c
-index b2f97ef905..b65137c332 100644
---- a/ssl/record/rec_layer_s3.c
-+++ b/ssl/record/rec_layer_s3.c
-@@ -373,6 +373,13 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, size_t len,
-
- s->rlayer.wnum = 0;
-
-+ /*
-+ * If we are supposed to be sending a KeyUpdate then go into init unless we
-+ * have writes pending - in which case we should finish doing that first.
-+ */
-+ if (wb->left == 0 && s->key_update != SSL_KEY_UPDATE_NONE)
-+ ossl_statem_set_in_init(s, 1);
-+
- /*
- * When writing early data on the server side we could be "in_init" in
- * between receiving the EoED and the CF - but we don't want to handle those
-diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
-index 87800cd835..6410414fb6 100644
---- a/ssl/statem/statem_clnt.c
-+++ b/ssl/statem/statem_clnt.c
-@@ -473,12 +473,6 @@ static WRITE_TRAN ossl_statem_client13_write_transition(SSL *s)
- return WRITE_TRAN_CONTINUE;
-
- case TLS_ST_CR_KEY_UPDATE:
-- if (s->key_update != SSL_KEY_UPDATE_NONE) {
-- st->hand_state = TLS_ST_CW_KEY_UPDATE;
-- return WRITE_TRAN_CONTINUE;
-- }
-- /* Fall through */
--
- case TLS_ST_CW_KEY_UPDATE:
- case TLS_ST_CR_SESSION_TICKET:
- case TLS_ST_CW_FINISHED:
-diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
-index c0482b0a90..2960dafa52 100644
---- a/ssl/statem/statem_lib.c
-+++ b/ssl/statem/statem_lib.c
-@@ -645,12 +645,9 @@ MSG_PROCESS_RETURN tls_process_key_update(SSL *s, PACKET *pkt)
- /*
- * If we get a request for us to update our sending keys too then, we need
- * to additionally send a KeyUpdate message. However that message should
-- * not also request an update (otherwise we get into an infinite loop). We
-- * ignore a request for us to update our sending keys too if we already
-- * sent close_notify.
-+ * not also request an update (otherwise we get into an infinite loop).
- */
-- if (updatetype == SSL_KEY_UPDATE_REQUESTED
-- && (s->shutdown & SSL_SENT_SHUTDOWN) == 0)
-+ if (updatetype == SSL_KEY_UPDATE_REQUESTED)
- s->key_update = SSL_KEY_UPDATE_NOT_REQUESTED;
-
- if (!tls13_update_key(s, 0)) {
-diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
-index d454326a99..04a23320fc 100644
---- a/ssl/statem/statem_srvr.c
-+++ b/ssl/statem/statem_srvr.c
-@@ -502,12 +502,6 @@ static WRITE_TRAN ossl_statem_server13_write_transition(SSL *s)
- return WRITE_TRAN_CONTINUE;
-
- case TLS_ST_SR_KEY_UPDATE:
-- if (s->key_update != SSL_KEY_UPDATE_NONE) {
-- st->hand_state = TLS_ST_SW_KEY_UPDATE;
-- return WRITE_TRAN_CONTINUE;
-- }
-- /* Fall through */
--
- case TLS_ST_SW_KEY_UPDATE:
- st->hand_state = TLS_ST_OK;
- return WRITE_TRAN_CONTINUE;
---
-2.20.1
-
-From c8feb1039ccc4cd11e6db084df1446bf863bee1e Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Wed, 17 Apr 2019 10:30:53 +0100
-Subject: [PATCH 2/2] Write a test for receiving a KeyUpdate (update requested)
- while writing
-
-Reviewed-by: Ben Kaduk <kaduk@mit.edu>
-(Merged from https://github.com/openssl/openssl/pull/8773)
-
-(cherry picked from commit a77b4dba237d001073d2d1c5d55c674a196c949f)
----
- test/sslapitest.c | 92 +++++++++++++++++++++++++++++++++++++++++++++
- test/ssltestlib.c | 96 +++++++++++++++++++++++++++++++++++++++++++++++
- test/ssltestlib.h | 3 ++
- 3 files changed, 191 insertions(+)
-
-diff --git a/test/sslapitest.c b/test/sslapitest.c
-index 2261fe4a7a..577342644d 100644
---- a/test/sslapitest.c
-+++ b/test/sslapitest.c
-@@ -4290,6 +4290,11 @@ static int test_key_update(void)
- || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
- strlen(mess)))
- goto end;
-+
-+ if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
-+ || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
-+ strlen(mess)))
-+ goto end;
- }
-
- testresult = 1;
-@@ -4302,6 +4307,91 @@ static int test_key_update(void)
-
- return testresult;
- }
-+
-+/*
-+ * Test we can handle a KeyUpdate (update requested) message while write data
-+ * is pending.
-+ * Test 0: Client sends KeyUpdate while Server is writing
-+ * Test 1: Server sends KeyUpdate while Client is writing
-+ */
-+static int test_key_update_in_write(int tst)
-+{
-+ SSL_CTX *cctx = NULL, *sctx = NULL;
-+ SSL *clientssl = NULL, *serverssl = NULL;
-+ int testresult = 0;
-+ char buf[20];
-+ static char *mess = "A test message";
-+ BIO *bretry = BIO_new(bio_s_always_retry());
-+ BIO *tmp = NULL;
-+ SSL *peerupdate = NULL, *peerwrite = NULL;
-+
-+ if (!TEST_ptr(bretry)
-+ || !TEST_true(create_ssl_ctx_pair(TLS_server_method(),
-+ TLS_client_method(),
-+ TLS1_3_VERSION,
-+ 0,
-+ &sctx, &cctx, cert, privkey))
-+ || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
-+ NULL, NULL))
-+ || !TEST_true(create_ssl_connection(serverssl, clientssl,
-+ SSL_ERROR_NONE)))
-+ goto end;
-+
-+ peerupdate = tst == 0 ? clientssl : serverssl;
-+ peerwrite = tst == 0 ? serverssl : clientssl;
-+
-+ if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
-+ || !TEST_true(SSL_do_handshake(peerupdate)))
-+ goto end;
-+
-+ /* Swap the writing endpoint's write BIO to force a retry */
-+ tmp = SSL_get_wbio(peerwrite);
-+ if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
-+ tmp = NULL;
-+ goto end;
-+ }
-+ SSL_set0_wbio(peerwrite, bretry);
-+ bretry = NULL;
-+
-+ /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
-+ if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
-+ || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
-+ goto end;
-+
-+ /* Reinstate the original writing endpoint's write BIO */
-+ SSL_set0_wbio(peerwrite, tmp);
-+ tmp = NULL;
-+
-+ /* Now read some data - we will read the key update */
-+ if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
-+ || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
-+ goto end;
-+
-+ /*
-+ * Complete the write we started previously and read it from the other
-+ * endpoint
-+ */
-+ if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
-+ || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
-+ goto end;
-+
-+ /* Write more data to ensure we send the KeyUpdate message back */
-+ if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
-+ || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
-+ goto end;
-+
-+ testresult = 1;
-+
-+ end:
-+ SSL_free(serverssl);
-+ SSL_free(clientssl);
-+ SSL_CTX_free(sctx);
-+ SSL_CTX_free(cctx);
-+ BIO_free(bretry);
-+ BIO_free(tmp);
-+
-+ return testresult;
-+}
- #endif /* OPENSSL_NO_TLS1_3 */
-
- static int test_ssl_clear(int idx)
-@@ -5982,6 +6072,7 @@ int setup_tests(void)
- #ifndef OPENSSL_NO_TLS1_3
- ADD_ALL_TESTS(test_export_key_mat_early, 3);
- ADD_TEST(test_key_update);
-+ ADD_ALL_TESTS(test_key_update_in_write, 2);
- #endif
- ADD_ALL_TESTS(test_ssl_clear, 2);
- ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
-@@ -6002,4 +6093,5 @@ int setup_tests(void)
- void cleanup_tests(void)
- {
- bio_s_mempacket_test_free();
-+ bio_s_always_retry_free();
- }
-diff --git a/test/ssltestlib.c b/test/ssltestlib.c
-index 05139be750..e1038620ac 100644
---- a/test/ssltestlib.c
-+++ b/test/ssltestlib.c
-@@ -62,9 +62,11 @@ static int tls_dump_puts(BIO *bp, const char *str);
- /* Choose a sufficiently large type likely to be unused for this custom BIO */
- #define BIO_TYPE_TLS_DUMP_FILTER (0x80 | BIO_TYPE_FILTER)
- #define BIO_TYPE_MEMPACKET_TEST 0x81
-+#define BIO_TYPE_ALWAYS_RETRY 0x82
-
- static BIO_METHOD *method_tls_dump = NULL;
- static BIO_METHOD *meth_mem = NULL;
-+static BIO_METHOD *meth_always_retry = NULL;
-
- /* Note: Not thread safe! */
- const BIO_METHOD *bio_f_tls_dump_filter(void)
-@@ -612,6 +614,100 @@ static int mempacket_test_puts(BIO *bio, const char *str)
- return mempacket_test_write(bio, str, strlen(str));
- }
-
-+static int always_retry_new(BIO *bi);
-+static int always_retry_free(BIO *a);
-+static int always_retry_read(BIO *b, char *out, int outl);
-+static int always_retry_write(BIO *b, const char *in, int inl);
-+static long always_retry_ctrl(BIO *b, int cmd, long num, void *ptr);
-+static int always_retry_gets(BIO *bp, char *buf, int size);
-+static int always_retry_puts(BIO *bp, const char *str);
-+
-+const BIO_METHOD *bio_s_always_retry(void)
-+{
-+ if (meth_always_retry == NULL) {
-+ if (!TEST_ptr(meth_always_retry = BIO_meth_new(BIO_TYPE_ALWAYS_RETRY,
-+ "Always Retry"))
-+ || !TEST_true(BIO_meth_set_write(meth_always_retry,
-+ always_retry_write))
-+ || !TEST_true(BIO_meth_set_read(meth_always_retry,
-+ always_retry_read))
-+ || !TEST_true(BIO_meth_set_puts(meth_always_retry,
-+ always_retry_puts))
-+ || !TEST_true(BIO_meth_set_gets(meth_always_retry,
-+ always_retry_gets))
-+ || !TEST_true(BIO_meth_set_ctrl(meth_always_retry,
-+ always_retry_ctrl))
-+ || !TEST_true(BIO_meth_set_create(meth_always_retry,
-+ always_retry_new))
-+ || !TEST_true(BIO_meth_set_destroy(meth_always_retry,
-+ always_retry_free)))
-+ return NULL;
-+ }
-+ return meth_always_retry;
-+}
-+
-+void bio_s_always_retry_free(void)
-+{
-+ BIO_meth_free(meth_always_retry);
-+}
-+
-+static int always_retry_new(BIO *bio)
-+{
-+ BIO_set_init(bio, 1);
-+ return 1;
-+}
-+
-+static int always_retry_free(BIO *bio)
-+{
-+ BIO_set_data(bio, NULL);
-+ BIO_set_init(bio, 0);
-+ return 1;
-+}
-+
-+static int always_retry_read(BIO *bio, char *out, int outl)
-+{
-+ BIO_set_retry_read(bio);
-+ return -1;
-+}
-+
-+static int always_retry_write(BIO *bio, const char *in, int inl)
-+{
-+ BIO_set_retry_write(bio);
-+ return -1;
-+}
-+
-+static long always_retry_ctrl(BIO *bio, int cmd, long num, void *ptr)
-+{
-+ long ret = 1;
-+
-+ switch (cmd) {
-+ case BIO_CTRL_FLUSH:
-+ BIO_set_retry_write(bio);
-+ /* fall through */
-+ case BIO_CTRL_EOF:
-+ case BIO_CTRL_RESET:
-+ case BIO_CTRL_DUP:
-+ case BIO_CTRL_PUSH:
-+ case BIO_CTRL_POP:
-+ default:
-+ ret = 0;
-+ break;
-+ }
-+ return ret;
-+}
-+
-+static int always_retry_gets(BIO *bio, char *buf, int size)
-+{
-+ BIO_set_retry_read(bio);
-+ return -1;
-+}
-+
-+static int always_retry_puts(BIO *bio, const char *str)
-+{
-+ BIO_set_retry_write(bio);
-+ return -1;
-+}
-+
- int create_ssl_ctx_pair(const SSL_METHOD *sm, const SSL_METHOD *cm,
- int min_proto_version, int max_proto_version,
- SSL_CTX **sctx, SSL_CTX **cctx, char *certfile,
-diff --git a/test/ssltestlib.h b/test/ssltestlib.h
-index fa19e7d80d..56e323f5bc 100644
---- a/test/ssltestlib.h
-+++ b/test/ssltestlib.h
-@@ -30,6 +30,9 @@ void bio_f_tls_dump_filter_free(void);
- const BIO_METHOD *bio_s_mempacket_test(void);
- void bio_s_mempacket_test_free(void);
-
-+const BIO_METHOD *bio_s_always_retry(void);
-+void bio_s_always_retry_free(void);
-+
- /* Packet types - value 0 is reserved */
- #define INJECT_PACKET 1
- #define INJECT_PACKET_IGNORE_REC_SEQ 2
---
-2.20.1
-
-diff -up openssl-1.1.1c/include/internal/constant_time_locl.h.valgrind openssl-1.1.1c/include/internal/constant_time_locl.h
---- openssl-1.1.1c/include/internal/constant_time_locl.h.valgrind 2019-05-28 15:12:21.000000000 +0200
-+++ openssl-1.1.1c/include/internal/constant_time_locl.h 2019-06-24 15:02:12.796053536 +0200
-@@ -213,18 +213,66 @@ static ossl_inline unsigned char constan
- return constant_time_eq_8((unsigned)(a), (unsigned)(b));
- }
-
-+/* Returns the value unmodified, but avoids optimizations. */
-+static ossl_inline unsigned int value_barrier(unsigned int a)
-+{
-+#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__)
-+ unsigned int r;
-+ __asm__("" : "=r"(r) : "0"(a));
-+#else
-+ volatile unsigned int r = a;
-+#endif
-+ return r;
-+}
-+
-+/* Convenience method for uint32_t. */
-+static ossl_inline uint32_t value_barrier_32(uint32_t a)
-+{
-+#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__)
-+ uint32_t r;
-+ __asm__("" : "=r"(r) : "0"(a));
-+#else
-+ volatile uint32_t r = a;
-+#endif
-+ return r;
-+}
-+
-+/* Convenience method for uint64_t. */
-+static ossl_inline uint64_t value_barrier_64(uint64_t a)
-+{
-+#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__)
-+ uint64_t r;
-+ __asm__("" : "=r"(r) : "0"(a));
-+#else
-+ volatile uint64_t r = a;
-+#endif
-+ return r;
-+}
-+
-+/* Convenience method for size_t. */
-+static ossl_inline size_t value_barrier_s(size_t a)
-+{
-+#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__)
-+ size_t r;
-+ __asm__("" : "=r"(r) : "0"(a));
-+#else
-+ volatile size_t r = a;
-+#endif
-+ return r;
-+}
-+
- static ossl_inline unsigned int constant_time_select(unsigned int mask,
- unsigned int a,
- unsigned int b)
- {
-- return (mask & a) | (~mask & b);
-+ return (value_barrier(mask) & a) | (value_barrier(~mask) & b);
- }
-
- static ossl_inline size_t constant_time_select_s(size_t mask,
- size_t a,
- size_t b)
- {
-- return (mask & a) | (~mask & b);
-+ return (value_barrier_s(mask) & a) | (value_barrier_s(~mask) & b);
- }
-
- static ossl_inline unsigned char constant_time_select_8(unsigned char mask,
-@@ -249,13 +297,13 @@ static ossl_inline int constant_time_sel
- static ossl_inline uint32_t constant_time_select_32(uint32_t mask, uint32_t a,
- uint32_t b)
- {
-- return (mask & a) | (~mask & b);
-+ return (value_barrier_32(mask) & a) | (value_barrier_32(~mask) & b);
- }
-
- static ossl_inline uint64_t constant_time_select_64(uint64_t mask, uint64_t a,
- uint64_t b)
- {
-- return (mask & a) | (~mask & b);
-+ return (value_barrier_64(mask) & a) | (value_barrier_64(~mask) & b);
- }
-
- /*
diff --git a/SOURCES/openssl-1.1.1-version-override.patch b/SOURCES/openssl-1.1.1-version-override.patch
index 7970b84..a6975fa 100644
--- a/SOURCES/openssl-1.1.1-version-override.patch
+++ b/SOURCES/openssl-1.1.1-version-override.patch
@@ -1,12 +1,12 @@
-diff -up openssl-1.1.1c/include/openssl/opensslv.h.version-override openssl-1.1.1c/include/openssl/opensslv.h
---- openssl-1.1.1c/include/openssl/opensslv.h.version-override 2019-05-29 15:52:30.014734859 +0200
-+++ openssl-1.1.1c/include/openssl/opensslv.h 2019-05-29 15:53:23.093800831 +0200
+diff -up openssl-1.1.1g/include/openssl/opensslv.h.version-override openssl-1.1.1g/include/openssl/opensslv.h
+--- openssl-1.1.1g/include/openssl/opensslv.h.version-override 2020-04-23 13:29:37.802673513 +0200
++++ openssl-1.1.1g/include/openssl/opensslv.h 2020-04-23 13:30:13.064008458 +0200
@@ -40,7 +40,7 @@ extern "C" {
* major minor fix final patch/beta)
*/
- # define OPENSSL_VERSION_NUMBER 0x1010103fL
--# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1c 28 May 2019"
-+# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1c FIPS 28 May 2019"
+ # define OPENSSL_VERSION_NUMBER 0x1010107fL
+-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1g 21 Apr 2020"
++# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1g FIPS 21 Apr 2020"
/*-
* The macros below are to be used for shared library (.so, .dll, ...)
diff --git a/SPECS/openssl.spec b/SPECS/openssl.spec
index 0efe5cc..fadc22e 100644
--- a/SPECS/openssl.spec
+++ b/SPECS/openssl.spec
@@ -21,8 +21,8 @@
Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl
-Version: 1.1.1c
-Release: 12%{?dist}
+Version: 1.1.1g
+Release: 9%{?dist}
Epoch: 1
# We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below.
@@ -40,7 +40,7 @@ Source13: ectest.c
# Build changes
Patch1: openssl-1.1.1-build.patch
Patch2: openssl-1.1.1-defaults.patch
-Patch3: openssl-1.1.0-no-html.patch
+Patch3: openssl-1.1.1-no-html.patch
Patch4: openssl-1.1.1-man-rename.patch
# Bug fixes
Patch21: openssl-1.1.0-issuer-hash.patch
@@ -62,23 +62,23 @@ Patch47: openssl-1.1.1-ts-sha256-default.patch
Patch48: openssl-1.1.1-fips-post-rand.patch
Patch49: openssl-1.1.1-evp-kdf.patch
Patch50: openssl-1.1.1-ssh-kdf.patch
+Patch51: openssl-1.1.1-intel-cet.patch
Patch60: openssl-1.1.1-krb5-kdf.patch
Patch61: openssl-1.1.1-edk2-build.patch
Patch62: openssl-1.1.1-fips-curves.patch
+Patch65: openssl-1.1.1-fips-drbg-selftest.patch
+Patch66: openssl-1.1.1-fips-dh.patch
+Patch67: openssl-1.1.1-kdf-selftest.patch
+Patch68: openssl-1.1.1-reneg-no-extms.patch
+Patch69: openssl-1.1.1-alpn-cb.patch
+Patch70: openssl-1.1.1-rewire-fips-drbg.patch
# Backported fixes including security fixes
-Patch51: openssl-1.1.1-upstream-sync.patch
Patch52: openssl-1.1.1-s390x-update.patch
Patch53: openssl-1.1.1-fips-crng-test.patch
-Patch54: openssl-1.1.1-regression-fixes.patch
Patch55: openssl-1.1.1-arm-update.patch
Patch56: openssl-1.1.1-s390x-ecc.patch
-Patch57: openssl-1.1.1-cve-2019-1547.patch
-Patch58: openssl-1.1.1-cve-2019-1563.patch
-Patch59: openssl-1.1.1-cve-2019-1549.patch
-Patch63: openssl-1.1.1-tls-compliance.patch
-License: OpenSSL
-Group: System Environment/Libraries
+License: OpenSSL and ASL 2.0
URL: http://www.openssl.org/
BuildRequires: gcc
BuildRequires: coreutils, perl-interpreter, sed, zlib-devel, /usr/bin/cmp
@@ -89,6 +89,7 @@ BuildRequires: /usr/sbin/sysctl
BuildRequires: perl(Test::Harness), perl(Test::More), perl(Math::BigInt)
BuildRequires: perl(Module::Load::Conditional), perl(File::Temp)
BuildRequires: perl(Time::HiRes)
+BuildRequires: perl(FindBin), perl(lib), perl(File::Compare), perl(File::Copy)
Requires: coreutils
Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
@@ -100,7 +101,6 @@ protocols.
%package libs
Summary: A general purpose cryptography library with TLS implementation
-Group: System Environment/Libraries
Requires: ca-certificates >= 2008-5
Requires: crypto-policies >= 20180730
Recommends: openssl-pkcs11%{?_isa}
@@ -116,7 +116,6 @@ support cryptographic algorithms and protocols.
%package devel
Summary: Files for development of applications which will use OpenSSL
-Group: Development/Libraries
Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
Requires: krb5-devel%{?_isa}, zlib-devel%{?_isa}
Requires: pkgconfig
@@ -128,7 +127,6 @@ support various cryptographic algorithms and protocols.
%package static
Summary: Libraries for static linking of applications which will use OpenSSL
-Group: Development/Libraries
Requires: %{name}-devel%{?_isa} = %{epoch}:%{version}-%{release}
%description static
@@ -139,7 +137,6 @@ protocols.
%package perl
Summary: Perl scripts provided with OpenSSL
-Group: Applications/Internet
Requires: perl-interpreter
Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release}
@@ -182,19 +179,21 @@ cp %{SOURCE13} test/
%patch48 -p1 -b .fips-post-rand
%patch49 -p1 -b .evp-kdf
%patch50 -p1 -b .ssh-kdf
-%patch51 -p1 -b .upstream-sync
+%patch51 -p1 -b .intel-cet
%patch52 -p1 -b .s390x-update
%patch53 -p1 -b .crng-test
-%patch54 -p1 -b .regression
%patch55 -p1 -b .arm-update
%patch56 -p1 -b .s390x-ecc
-%patch57 -p1 -b .compute-cofactor
-%patch58 -p1 -b .cms-padding-oracle
-%patch59 -p1 -b .fork-safety
%patch60 -p1 -b .krb5-kdf
%patch61 -p1 -b .edk2-build
%patch62 -p1 -b .fips-curves
-%patch63 -p1 -b .compliance
+%patch65 -p1 -b .drbg-selftest
+%patch66 -p1 -b .fips-dh
+%patch67 -p1 -b .kdf-selftest
+%patch68 -p1 -b .reneg-no-extms
+%patch69 -p1 -b .alpn-cb
+%patch70 -p1 -b .rewire-fips-drbg
+
%build
# Figure out which flags we want to use.
@@ -478,6 +477,34 @@ export LD_LIBRARY_PATH
%postun libs -p /sbin/ldconfig
%changelog
+* Tue Jun 23 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-9
+- Rewire FIPS_drbg API to use the RAND_DRBG
+- Use the well known DH groups in TLS even for 2048 and 1024 bit parameters
+
+* Mon Jun 8 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-7
+- Disallow dropping Extended Master Secret extension
+ on renegotiation
+- Return alert from s_server if ALPN protocol does not match
+- SHA1 is allowed in @SECLEVEL=2 only if allowed by
+ TLS SigAlgs configuration
+
+* Wed Jun 3 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-6
+- Add FIPS selftest for PBKDF2 and KBKDF
+
+* Wed May 27 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-5
+- Allow only well known DH groups in the FIPS mode
+
+* Mon May 18 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-1
+- update to the 1.1.1g release
+- FIPS module installed state definition is modified
+
+* Thu Mar 5 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-15
+- add selftest of the RAND_DRBG implementation
+
+* Wed Feb 19 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-14
+- fix incorrect error return value from FIPS_selftest_dsa
+- S390x: properly restore SIGILL signal handler
+
* Wed Dec 4 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-12
- additional fix for the edk2 build