Bug#1050572: bookworm-pu: package openssl/3.0.10-1~deb12u1
Package: release.debian.org
Control: affects -1 + src:openssl
User: release.debian.org@packages.debian.org
Usertags: pu
Tags: bookworm
Severity: normal
This is an update of the openssl package to the 3.0.10 version, a patch
release (bug and security fixes). This release contains three CVEs:
- CVE-2023-2975 (AES-SIV implementation ignores empty associated data entries)
- CVE-2023-3446 (Excessive time spent checking DH keys and parameters).
- CVE-2023-3817 (Excessive time spent checking DH q parameter value).
which have been rated as minor and have not been fixed upfront via
d-security.
The 3.0.10 release has been in unstable since 2023-08-01 and there are
no known regression. It took two weeks to migrate to testing. This was
due to debci failure on curl/armhf and based on feedback from the
curl maintainer, it is believed to be bug in the testsuite.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
Sebastian
diff -Nru openssl-3.0.9/apps/ca.c openssl-3.0.10/apps/ca.c
--- openssl-3.0.9/apps/ca.c 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/apps/ca.c 2023-08-01 15:47:24.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -628,6 +628,8 @@
f = NCONF_get_string(conf, section, ENV_NAMEOPT);
+ if (f == NULL)
+ ERR_clear_error();
if (f != NULL) {
if (!set_nameopt(f)) {
BIO_printf(bio_err, "Invalid name options: \"%s\"\n", f);
@@ -785,8 +787,10 @@
/* We can have sections in the ext file */
if (extensions == NULL) {
extensions = NCONF_get_string(extfile_conf, "default", "extensions");
- if (extensions == NULL)
+ if (extensions == NULL) {
+ ERR_clear_error();
extensions = "default";
+ }
}
}
@@ -802,15 +806,20 @@
/*
* EVP_PKEY_get_default_digest_name() returns 2 if the digest is
* mandatory for this algorithm.
+ *
+ * That call may give back the name "UNDEF", which has these meanings:
+ *
+ * when def_ret == 2: the user MUST leave the digest unspecified
+ * when def_ret == 1: the user MAY leave the digest unspecified
*/
if (def_ret == 2 && strcmp(def_dgst, "UNDEF") == 0) {
- /* The signing algorithm requires there to be no digest */
dgst = NULL;
} else if (dgst == NULL
- && (dgst = lookup_conf(conf, section, ENV_DEFAULT_MD)) == NULL) {
+ && (dgst = lookup_conf(conf, section, ENV_DEFAULT_MD)) == NULL
+ && strcmp(def_dgst, "UNDEF") != 0) {
goto end;
} else {
- if (strcmp(dgst, "default") == 0) {
+ if (strcmp(dgst, "default") == 0 || strcmp(def_dgst, "UNDEF") == 0) {
if (def_ret <= 0) {
BIO_puts(bio_err, "no default digest\n");
goto end;
@@ -824,6 +833,8 @@
char *tmp_email_dn = NULL;
tmp_email_dn = NCONF_get_string(conf, section, ENV_DEFAULT_EMAIL_DN);
+ if (tmp_email_dn == NULL)
+ ERR_clear_error();
if (tmp_email_dn != NULL && strcmp(tmp_email_dn, "no") == 0)
email_dn = 0;
}
@@ -839,6 +850,7 @@
if (NCONF_get_string(conf, section, ENV_RAND_SERIAL) != NULL) {
rand_ser = 1;
} else {
+ ERR_clear_error();
serialfile = lookup_conf(conf, section, ENV_SERIAL);
if (serialfile == NULL)
goto end;
@@ -908,8 +920,10 @@
}
if (days == 0) {
- if (!NCONF_get_number(conf, section, ENV_DEFAULT_DAYS, &days))
+ if (!NCONF_get_number(conf, section, ENV_DEFAULT_DAYS, &days)) {
+ ERR_clear_error();
days = 0;
+ }
}
if (enddate == NULL && days == 0) {
BIO_printf(bio_err, "cannot lookup how many days to certify for\n");
@@ -1034,7 +1048,7 @@
}
}
/*
- * we have a stack of newly certified certificates and a data base
+ * we have a stack of newly certified certificates and a database
* and serial number that need updating
*/
@@ -1135,7 +1149,7 @@
if (!rotate_index(dbfile, "new", "old"))
goto end;
- BIO_printf(bio_err, "Data Base Updated\n");
+ BIO_printf(bio_err, "Database updated\n");
}
}
@@ -1161,22 +1175,28 @@
}
}
- if ((crlnumberfile = NCONF_get_string(conf, section, ENV_CRLNUMBER))
- != NULL)
+ crlnumberfile = NCONF_get_string(conf, section, ENV_CRLNUMBER);
+ if (crlnumberfile != NULL) {
if ((crlnumber = load_serial(crlnumberfile, NULL, 0, NULL))
== NULL) {
BIO_printf(bio_err, "error while loading CRL number\n");
goto end;
}
+ } else {
+ ERR_clear_error();
+ }
if (!crldays && !crlhours && !crlsec) {
if (!NCONF_get_number(conf, section,
- ENV_DEFAULT_CRL_DAYS, &crldays))
+ ENV_DEFAULT_CRL_DAYS, &crldays)) {
+ ERR_clear_error();
crldays = 0;
+ }
if (!NCONF_get_number(conf, section,
- ENV_DEFAULT_CRL_HOURS, &crlhours))
+ ENV_DEFAULT_CRL_HOURS, &crlhours)) {
+ ERR_clear_error();
crlhours = 0;
- ERR_clear_error();
+ }
}
if ((crl_nextupdate == NULL) &&
(crldays == 0) && (crlhours == 0) && (crlsec == 0)) {
@@ -1316,7 +1336,7 @@
if (!rotate_index(dbfile, "new", "old"))
goto end;
- BIO_printf(bio_err, "Data Base Updated\n");
+ BIO_printf(bio_err, "Database updated\n");
}
}
ret = 0;
@@ -1758,7 +1778,7 @@
if (verbose)
BIO_printf(bio_err,
- "The subject name appears to be ok, checking data base for clashes\n");
+ "The subject name appears to be ok, checking database for clashes\n");
/* Build the correct Subject if no e-mail is wanted in the subject. */
if (!email_dn) {
@@ -1847,7 +1867,7 @@
else if (rrow[DB_type][0] == DB_TYPE_VAL)
p = "Valid";
else
- p = "\ninvalid type, Data base error\n";
+ p = "\ninvalid type, Database error\n";
BIO_printf(bio_err, "Type :%s\n", p);;
if (rrow[DB_type][0] == DB_TYPE_REV) {
p = rrow[DB_exp_date];
diff -Nru openssl-3.0.9/apps/cmp.c openssl-3.0.10/apps/cmp.c
--- openssl-3.0.9/apps/cmp.c 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/apps/cmp.c 2023-08-01 15:47:24.000000000 +0200
@@ -2115,7 +2115,7 @@
beg = end;
while (beg > opt) {
--beg;
- if (beg[0] == ',' || isspace(beg[0])) {
+ if (beg[0] == ',' || isspace(_UC(beg[0]))) {
++beg;
break;
}
@@ -2130,7 +2130,7 @@
opt_item[len] = '\0';
while (beg > opt) {
--beg;
- if (beg[0] != ',' && !isspace(beg[0])) {
+ if (beg[0] != ',' && !isspace(_UC(beg[0]))) {
++beg;
break;
}
@@ -2148,6 +2148,7 @@
while ((end = prev_item(groups, end)) != NULL) {
if ((res = NCONF_get_string(src_conf, opt_item, name)) != NULL)
return res;
+ ERR_clear_error();
}
return res;
}
diff -Nru openssl-3.0.9/apps/cms.c openssl-3.0.10/apps/cms.c
--- openssl-3.0.9/apps/cms.c 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/apps/cms.c 2023-08-01 15:47:24.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 2008-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -796,6 +796,9 @@
if ((operation & SMIME_IP) == 0 && contfile != NULL)
BIO_printf(bio_err,
"Warning: -contfile option is ignored for the given operation\n");
+ if (operation != SMIME_ENCRYPT && *argv != NULL)
+ BIO_printf(bio_err,
+ "Warning: recipient certificate file parameters ignored for operation other than -encrypt\n");
if ((flags & CMS_BINARY) != 0) {
if (!(operation & SMIME_OP))
@@ -823,19 +826,13 @@
goto end;
}
- if (*argv != NULL) {
- if (operation == SMIME_ENCRYPT) {
- for (; *argv != NULL; argv++) {
- cert = load_cert(*argv, FORMAT_UNDEF,
- "recipient certificate file");
- if (cert == NULL)
- goto end;
- sk_X509_push(encerts, cert);
- cert = NULL;
- }
- } else {
- BIO_printf(bio_err, "Warning: recipient certificate file parameters ignored for operation other than -encrypt\n");
- }
+ for (; *argv != NULL; argv++) {
+ cert = load_cert(*argv, FORMAT_UNDEF,
+ "recipient certificate file");
+ if (cert == NULL)
+ goto end;
+ sk_X509_push(encerts, cert);
+ cert = NULL;
}
}
diff -Nru openssl-3.0.9/apps/lib/apps.c openssl-3.0.10/apps/lib/apps.c
--- openssl-3.0.9/apps/lib/apps.c 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/apps/lib/apps.c 2023-08-01 15:47:24.000000000 +0200
@@ -638,13 +638,13 @@
char *next_item(char *opt) /* in list separated by comma and/or space */
{
/* advance to separator (comma or whitespace), if any */
- while (*opt != ',' && !isspace(*opt) && *opt != '\0')
+ while (*opt != ',' && !isspace(_UC(*opt)) && *opt != '\0')
opt++;
if (*opt != '\0') {
/* terminate current item */
*opt++ = '\0';
/* skip over any whitespace after separator */
- while (isspace(*opt))
+ while (isspace(_UC(*opt)))
opt++;
}
return *opt == '\0' ? NULL : opt; /* NULL indicates end of input */
@@ -1679,7 +1679,10 @@
char *p = NCONF_get_string(dbattr_conf, NULL, "unique_subject");
if (p) {
retdb->attributes.unique_subject = parse_yesno(p, 1);
+ } else {
+ ERR_clear_error();
}
+
}
retdb->dbfname = OPENSSL_strdup(dbfile);
@@ -2008,7 +2011,8 @@
BIO_free(mem);
return -1;
}
- maxlen -= len;
+ if (maxlen != -1)
+ maxlen -= len;
if (maxlen == 0)
break;
diff -Nru openssl-3.0.9/apps/pkeyutl.c openssl-3.0.10/apps/pkeyutl.c
--- openssl-3.0.9/apps/pkeyutl.c 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/apps/pkeyutl.c 2023-08-01 15:47:24.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 2006-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -421,7 +421,7 @@
/* Raw input data is handled elsewhere */
if (in != NULL && !rawin) {
/* Read the input data */
- buf_inlen = bio_to_mem(&buf_in, keysize * 10, in);
+ buf_inlen = bio_to_mem(&buf_in, -1, in);
if (buf_inlen < 0) {
BIO_printf(bio_err, "Error reading input Data\n");
goto end;
diff -Nru openssl-3.0.9/apps/req.c openssl-3.0.10/apps/req.c
--- openssl-3.0.9/apps/req.c 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/apps/req.c 2023-08-01 15:47:24.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -199,7 +199,7 @@
/* Check syntax. */
/* Skip leading whitespace, make a copy. */
- while (*kv && isspace(*kv))
+ while (*kv && isspace(_UC(*kv)))
if (*++kv == '\0')
return 1;
if ((p = strchr(kv, '=')) == NULL)
@@ -210,7 +210,7 @@
/* Skip trailing space before the equal sign. */
for (p = kv + off; p > kv; --p)
- if (!isspace(p[-1]))
+ if (!isspace(_UC(p[-1])))
break;
if (p == kv) {
OPENSSL_free(kv);
@@ -635,8 +635,10 @@
if (newreq && pkey == NULL) {
app_RAND_load_conf(req_conf, section);
- if (!NCONF_get_number(req_conf, section, BITS, &newkey_len))
+ if (!NCONF_get_number(req_conf, section, BITS, &newkey_len)) {
+ ERR_clear_error();
newkey_len = DEFAULT_KEY_LENGTH;
+ }
genctx = set_keygen_ctx(keyalg, &keyalgstr, &newkey_len, gen_eng);
if (genctx == NULL)
diff -Nru openssl-3.0.9/apps/s_client.c openssl-3.0.10/apps/s_client.c
--- openssl-3.0.9/apps/s_client.c 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/apps/s_client.c 2023-08-01 15:47:24.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2005 Nokia. All rights reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
@@ -2271,7 +2271,7 @@
do {
mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ);
}
- while (mbuf_len > 3 && (!isdigit(mbuf[0]) || !isdigit(mbuf[1]) || !isdigit(mbuf[2]) || mbuf[3] != ' '));
+ while (mbuf_len > 3 && (!isdigit((unsigned char)mbuf[0]) || !isdigit((unsigned char)mbuf[1]) || !isdigit((unsigned char)mbuf[2]) || mbuf[3] != ' '));
(void)BIO_flush(fbio);
BIO_pop(fbio);
BIO_free(fbio);
diff -Nru openssl-3.0.9/apps/speed.c openssl-3.0.10/apps/speed.c
--- openssl-3.0.9/apps/speed.c 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/apps/speed.c 2023-08-01 15:47:24.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
@@ -1005,6 +1005,13 @@
int ret, count;
for (count = 0; COND(eddsa_c[testnum][0]); count++) {
+ ret = EVP_DigestSignInit(edctx[testnum], NULL, NULL, NULL, NULL);
+ if (ret == 0) {
+ BIO_printf(bio_err, "EdDSA sign init failure\n");
+ ERR_print_errors(bio_err);
+ count = -1;
+ break;
+ }
ret = EVP_DigestSign(edctx[testnum], eddsasig, eddsasigsize, buf, 20);
if (ret == 0) {
BIO_printf(bio_err, "EdDSA sign failure\n");
@@ -1026,6 +1033,13 @@
int ret, count;
for (count = 0; COND(eddsa_c[testnum][1]); count++) {
+ ret = EVP_DigestVerifyInit(edctx[testnum], NULL, NULL, NULL, NULL);
+ if (ret == 0) {
+ BIO_printf(bio_err, "EdDSA verify init failure\n");
+ ERR_print_errors(bio_err);
+ count = -1;
+ break;
+ }
ret = EVP_DigestVerify(edctx[testnum], eddsasig, eddsasigsize, buf, 20);
if (ret != 1) {
BIO_printf(bio_err, "EdDSA verify failure\n");
@@ -3133,12 +3147,22 @@
}
for (k = 0; k < ALGOR_NUM; k++) {
+ const char *alg_name = names[k];
+
if (!doit[k])
continue;
+
+ if (k == D_EVP) {
+ if (evp_cipher == NULL)
+ alg_name = evp_md_name;
+ else if ((alg_name = EVP_CIPHER_get0_name(evp_cipher)) == NULL)
+ app_bail_out("failed to get name of cipher '%s'\n", evp_cipher);
+ }
+
if (mr)
- printf("+F:%u:%s", k, names[k]);
+ printf("+F:%u:%s", k, alg_name);
else
- printf("%-13s", names[k]);
+ printf("%-13s", alg_name);
for (testnum = 0; testnum < size_num; testnum++) {
if (results[k][testnum] > 10000 && !mr)
printf(" %11.2fk", results[k][testnum] / 1e3);
diff -Nru openssl-3.0.9/CHANGES.md openssl-3.0.10/CHANGES.md
--- openssl-3.0.9/CHANGES.md 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/CHANGES.md 2023-08-01 15:47:24.000000000 +0200
@@ -28,6 +28,64 @@
[Migration guide]: https://github.com/openssl/openssl/tree/master/doc/man7/migration_guide.pod
+### Changes between 3.0.9 and 3.0.10 [1 Aug 2023]
+
+ * Fix excessive time spent checking DH q parameter value.
+
+ The function DH_check() performs various checks on DH parameters. After
+ fixing CVE-2023-3446 it was discovered that a large q parameter value can
+ also trigger an overly long computation during some of these checks.
+ A correct q value, if present, cannot be larger than the modulus p
+ parameter, thus it is unnecessary to perform these checks if q is larger
+ than p.
+
+ If DH_check() is called with such q parameter value,
+ DH_CHECK_INVALID_Q_VALUE return flag is set and the computationally
+ intensive checks are skipped.
+
+ ([CVE-2023-3817])
+
+ *Tomáš Mráz*
+
+ * Fix DH_check() excessive time with over sized modulus.
+
+ The function DH_check() performs various checks on DH parameters. One of
+ those checks confirms that the modulus ("p" parameter) is not too large.
+ Trying to use a very large modulus is slow and OpenSSL will not normally use
+ a modulus which is over 10,000 bits in length.
+
+ However the DH_check() function checks numerous aspects of the key or
+ parameters that have been supplied. Some of those checks use the supplied
+ modulus value even if it has already been found to be too large.
+
+ A new limit has been added to DH_check of 32,768 bits. Supplying a
+ key/parameters with a modulus over this size will simply cause DH_check() to
+ fail.
+
+ ([CVE-2023-3446])
+
+ *Matt Caswell*
+
+ * Do not ignore empty associated data entries with AES-SIV.
+
+ The AES-SIV algorithm allows for authentication of multiple associated
+ data entries along with the encryption. To authenticate empty data the
+ application has to call `EVP_EncryptUpdate()` (or `EVP_CipherUpdate()`)
+ with NULL pointer as the output buffer and 0 as the input buffer length.
+ The AES-SIV implementation in OpenSSL just returns success for such call
+ instead of performing the associated data authentication operation.
+ The empty data thus will not be authenticated. ([CVE-2023-2975])
+
+ Thanks to Juerg Wullschleger (Google) for discovering the issue.
+
+ The fix changes the authentication tag value and the ciphertext for
+ applications that use empty associated data entries with AES-SIV.
+ To decrypt data encrypted with previous versions of OpenSSL the application
+ has to skip calls to `EVP_DecryptUpdate()` for empty associated data
+ entries.
+
+ *Tomáš Mráz*
+
### Changes between 3.0.8 and 3.0.9 [30 May 2023]
* Mitigate for the time it takes for `OBJ_obj2txt` to translate gigantic
@@ -42,7 +100,7 @@
IDENTIFIER to canonical numeric text form if the size of that OBJECT
IDENTIFIER is 586 bytes or less, and fail otherwise.
- The basis for this restriction is RFC 2578 (STD 58), section 3.5. OBJECT
+ The basis for this restriction is [RFC 2578 (STD 58), section 3.5]. OBJECT
IDENTIFIER values, which stipulates that OBJECT IDENTIFIERS may have at
most 128 sub-identifiers, and that the maximum value that each sub-
identifier may have is 2^32-1 (4294967295 decimal).
@@ -52,8 +110,6 @@
these restrictions may occupy is 32 * 128 / 7, which is approximately 586
bytes.
- Ref: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5
-
*Richard Levitte*
* Fixed buffer overread in AES-XTS decryption on ARM 64 bit platforms which
@@ -19652,6 +19708,10 @@
<!-- Links -->
+[CVE-2023-3817]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3817
+[CVE-2023-3446]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3446
+[CVE-2023-2975]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2975
+[RFC 2578 (STD 58), section 3.5]: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5
[CVE-2023-2650]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2650
[CVE-2023-1255]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-1255
[CVE-2023-0466]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0466
diff -Nru openssl-3.0.9/Configure openssl-3.0.10/Configure
--- openssl-3.0.9/Configure 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/Configure 2023-08-01 15:47:24.000000000 +0200
@@ -597,8 +597,7 @@
"crypto-mdebug" => [ "crypto-mdebug-backtrace" ],
- # If no modules, then no dynamic engines either
- "module" => [ "dynamic-engine" ],
+ "module" => [ "dynamic-engine", "fips" ],
# Without shared libraries, dynamic engines aren't possible.
# This is due to them having to link with libcrypto and register features
@@ -616,8 +615,6 @@
# or modules.
"pic" => [ "shared", "module" ],
- "module" => [ "fips", "dso" ],
-
"engine" => [ "dynamic-engine", grep(/eng$/, @disablables) ],
"dynamic-engine" => [ "loadereng" ],
"hw" => [ "padlockeng" ],
diff -Nru openssl-3.0.9/crypto/asn1/asn_mime.c openssl-3.0.10/crypto/asn1/asn_mime.c
--- openssl-3.0.9/crypto/asn1/asn_mime.c 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/crypto/asn1/asn_mime.c 2023-08-01 15:47:24.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 2008-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -516,6 +516,12 @@
int len;
char linebuf[MAX_SMLEN];
int ret;
+
+ if (in == NULL || out == NULL) {
+ ERR_raise(ERR_LIB_ASN1, ERR_R_PASSED_NULL_PARAMETER);
+ return 0;
+ }
+
/*
* Buffer output so we don't write one line at a time. This is useful
* when streaming as we don't end up with one OCTET STRING per line.
diff -Nru openssl-3.0.9/crypto/bn/bn_recp.c openssl-3.0.10/crypto/bn/bn_recp.c
--- openssl-3.0.9/crypto/bn/bn_recp.c 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/crypto/bn/bn_recp.c 2023-08-01 15:47:24.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -44,7 +44,7 @@
int BN_RECP_CTX_set(BN_RECP_CTX *recp, const BIGNUM *d, BN_CTX *ctx)
{
- if (!BN_copy(&(recp->N), d))
+ if (BN_is_zero(d) || !BN_copy(&(recp->N), d))
return 0;
BN_zero(&(recp->Nr));
recp->num_bits = BN_num_bits(d);
diff -Nru openssl-3.0.9/crypto/cms/cms_env.c openssl-3.0.10/crypto/cms/cms_env.c
--- openssl-3.0.9/crypto/cms/cms_env.c 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/crypto/cms/cms_env.c 2023-08-01 15:47:24.000000000 +0200
@@ -142,10 +142,12 @@
{
switch (cms_get_enveloped_type(cms)) {
case CMS_ENVELOPED_STANDARD:
- return cms->d.envelopedData->encryptedContentInfo;
+ return cms->d.envelopedData == NULL ? NULL
+ : cms->d.envelopedData->encryptedContentInfo;
case CMS_ENVELOPED_AUTH:
- return cms->d.authEnvelopedData->authEncryptedContentInfo;
+ return cms->d.authEnvelopedData == NULL ? NULL
+ : cms->d.authEnvelopedData->authEncryptedContentInfo;
default:
return NULL;
diff -Nru openssl-3.0.9/crypto/cms/cms_lib.c openssl-3.0.10/crypto/cms/cms_lib.c
--- openssl-3.0.9/crypto/cms/cms_lib.c 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/crypto/cms/cms_lib.c 2023-08-01 15:47:24.000000000 +0200
@@ -76,6 +76,10 @@
void CMS_ContentInfo_free(CMS_ContentInfo *cms)
{
if (cms != NULL) {
+ CMS_EncryptedContentInfo *ec = ossl_cms_get0_env_enc_content(cms);
+
+ if (ec != NULL)
+ OPENSSL_clear_free(ec->key, ec->keylen);
OPENSSL_free(cms->ctx.propq);
ASN1_item_free((ASN1_VALUE *)cms, ASN1_ITEM_rptr(CMS_ContentInfo));
}
diff -Nru openssl-3.0.9/crypto/cms/cms_rsa.c openssl-3.0.10/crypto/cms/cms_rsa.c
--- openssl-3.0.9/crypto/cms/cms_rsa.c 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/crypto/cms/cms_rsa.c 2023-08-01 15:47:24.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -13,6 +13,7 @@
#include <openssl/core_names.h>
#include "crypto/asn1.h"
#include "crypto/rsa.h"
+#include "crypto/evp.h"
#include "cms_local.h"
static RSA_OAEP_PARAMS *rsa_oaep_decode(const X509_ALGOR *alg)
@@ -210,6 +211,16 @@
if (pad_mode != RSA_PKCS1_PSS_PADDING)
return 0;
+ if (evp_pkey_ctx_is_legacy(pkctx)) {
+ /* No provider -> we cannot query it for algorithm ID. */
+ ASN1_STRING *os = NULL;
+
+ os = ossl_rsa_ctx_to_pss_string(pkctx);
+ if (os == NULL)
+ return 0;
+ return X509_ALGOR_set0(alg, OBJ_nid2obj(EVP_PKEY_RSA_PSS), V_ASN1_SEQUENCE, os);
+ }
+
params[0] = OSSL_PARAM_construct_octet_string(
OSSL_SIGNATURE_PARAM_ALGORITHM_ID, aid, sizeof(aid));
params[1] = OSSL_PARAM_construct_end();
diff -Nru openssl-3.0.9/crypto/conf/conf_mod.c openssl-3.0.10/crypto/conf/conf_mod.c
--- openssl-3.0.9/crypto/conf/conf_mod.c 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/crypto/conf/conf_mod.c 2023-08-01 15:47:24.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2002-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -184,15 +184,21 @@
CONF *conf = NULL;
int ret = 0, diagnostics = 0;
+ ERR_set_mark();
+
if (filename == NULL) {
file = CONF_get1_default_config_file();
if (file == NULL)
goto err;
+ if (*file == '\0') {
+ /* Do not try to load an empty file name but do not error out */
+ ret = 1;
+ goto err;
+ }
} else {
file = (char *)filename;
}
- ERR_set_mark();
conf = NCONF_new_ex(libctx, NULL);
if (conf == NULL)
goto err;
diff -Nru openssl-3.0.9/crypto/conf/conf_sap.c openssl-3.0.10/crypto/conf/conf_sap.c
--- openssl-3.0.9/crypto/conf/conf_sap.c 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/crypto/conf/conf_sap.c 2023-08-01 15:47:24.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2002-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -66,6 +66,8 @@
#ifndef OPENSSL_SYS_UEFI
ret = CONF_modules_load_file(filename, appname, flags);
+#else
+ ret = 1;
#endif
openssl_configured = 1;
return ret;
diff -Nru openssl-3.0.9/crypto/core_namemap.c openssl-3.0.10/crypto/core_namemap.c
--- openssl-3.0.9/crypto/core_namemap.c 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/crypto/core_namemap.c 2023-08-01 15:47:24.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -142,6 +142,9 @@
cbdata.number = number;
cbdata.found = 0;
+ if (namemap == NULL)
+ return 0;
+
/*
* We collect all the names first under a read lock. Subsequently we call
* the user function, so that we're not holding the read lock when in user
diff -Nru openssl-3.0.9/crypto/dh/dh_check.c openssl-3.0.10/crypto/dh/dh_check.c
--- openssl-3.0.9/crypto/dh/dh_check.c 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/crypto/dh/dh_check.c 2023-08-01 15:47:24.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -143,7 +143,7 @@
#ifdef FIPS_MODULE
return DH_check_params(dh, ret);
#else
- int ok = 0, r;
+ int ok = 0, r, q_good = 0;
BN_CTX *ctx = NULL;
BIGNUM *t1 = NULL, *t2 = NULL;
int nid = DH_get_nid((DH *)dh);
@@ -152,6 +152,13 @@
if (nid != NID_undef)
return 1;
+ /* Don't do any checks at all with an excessively large modulus */
+ if (BN_num_bits(dh->params.p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) {
+ ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
+ *ret = DH_MODULUS_TOO_LARGE | DH_CHECK_P_NOT_PRIME;
+ return 0;
+ }
+
if (!DH_check_params(dh, ret))
return 0;
@@ -165,6 +172,13 @@
goto err;
if (dh->params.q != NULL) {
+ if (BN_ucmp(dh->params.p, dh->params.q) > 0)
+ q_good = 1;
+ else
+ *ret |= DH_CHECK_INVALID_Q_VALUE;
+ }
+
+ if (q_good) {
if (BN_cmp(dh->params.g, BN_value_one()) <= 0)
*ret |= DH_NOT_SUITABLE_GENERATOR;
else if (BN_cmp(dh->params.g, dh->params.p) >= 0)
diff -Nru openssl-3.0.9/crypto/err/openssl.txt openssl-3.0.10/crypto/err/openssl.txt
--- openssl-3.0.9/crypto/err/openssl.txt 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/crypto/err/openssl.txt 2023-08-01 15:47:24.000000000 +0200
@@ -1675,6 +1675,7 @@
X509_R_CERT_ALREADY_IN_HASH_TABLE:101:cert already in hash table
X509_R_CRL_ALREADY_DELTA:127:crl already delta
X509_R_CRL_VERIFY_FAILURE:131:crl verify failure
+X509_R_DUPLICATE_ATTRIBUTE:140:duplicate attribute
X509_R_ERROR_GETTING_MD_BY_NID:141:error getting md by nid
X509_R_ERROR_USING_SIGINF_SET:142:error using siginf set
X509_R_IDP_MISMATCH:128:idp mismatch
diff -Nru openssl-3.0.9/crypto/evp/ctrl_params_translate.c openssl-3.0.10/crypto/evp/ctrl_params_translate.c
--- openssl-3.0.9/crypto/evp/ctrl_params_translate.c 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/crypto/evp/ctrl_params_translate.c 2023-08-01 15:47:24.000000000 +0200
@@ -636,8 +636,8 @@
ctx->p2, ctx->sz);
case OSSL_PARAM_OCTET_STRING:
return OSSL_PARAM_get_octet_string(ctx->params,
- ctx->p2, ctx->sz,
- &ctx->sz);
+ &ctx->p2, ctx->sz,
+ (size_t *)&ctx->p1);
case OSSL_PARAM_OCTET_PTR:
return OSSL_PARAM_get_octet_ptr(ctx->params,
ctx->p2, &ctx->sz);
@@ -685,7 +685,7 @@
return OSSL_PARAM_set_octet_string(ctx->params, ctx->p2,
size);
case OSSL_PARAM_OCTET_PTR:
- return OSSL_PARAM_set_octet_ptr(ctx->params, ctx->p2,
+ return OSSL_PARAM_set_octet_ptr(ctx->params, *(void **)ctx->p2,
size);
default:
ERR_raise_data(ERR_LIB_EVP, ERR_R_UNSUPPORTED,
@@ -695,6 +695,9 @@
translation->param_data_type);
return 0;
}
+ } else if (state == PRE_PARAMS_TO_CTRL && ctx->action_type == GET) {
+ if (translation->param_data_type == OSSL_PARAM_OCTET_PTR)
+ ctx->p2 = &ctx->bufp;
}
}
/* Any other combination is simply pass-through */
@@ -2254,7 +2257,7 @@
OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL, OSSL_PARAM_OCTET_STRING, NULL },
{ GET, EVP_PKEY_RSA, 0, EVP_PKEY_OP_TYPE_CRYPT,
EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL, NULL, NULL,
- OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL, OSSL_PARAM_OCTET_STRING, NULL },
+ OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL, OSSL_PARAM_OCTET_PTR, NULL },
{ SET, EVP_PKEY_RSA_PSS, 0, EVP_PKEY_OP_TYPE_GEN,
EVP_PKEY_CTRL_MD, "rsa_pss_keygen_md", NULL,
diff -Nru openssl-3.0.9/crypto/evp/p5_crpt2.c openssl-3.0.10/crypto/evp/p5_crpt2.c
--- openssl-3.0.9/crypto/evp/p5_crpt2.c 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/crypto/evp/p5_crpt2.c 2023-08-01 15:47:24.000000000 +0200
@@ -231,13 +231,16 @@
goto err;
}
+ (void)ERR_set_mark();
prfmd = prfmd_fetch = EVP_MD_fetch(libctx, OBJ_nid2sn(hmac_md_nid), propq);
if (prfmd == NULL)
prfmd = EVP_get_digestbynid(hmac_md_nid);
if (prfmd == NULL) {
+ (void)ERR_clear_last_mark();
ERR_raise(ERR_LIB_EVP, EVP_R_UNSUPPORTED_PRF);
goto err;
}
+ (void)ERR_pop_to_mark();
if (kdf->salt->type != V_ASN1_OCTET_STRING) {
ERR_raise(ERR_LIB_EVP, EVP_R_UNSUPPORTED_SALT_TYPE);
diff -Nru openssl-3.0.9/crypto/evp/p_lib.c openssl-3.0.10/crypto/evp/p_lib.c
--- openssl-3.0.9/crypto/evp/p_lib.c 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/crypto/evp/p_lib.c 2023-08-01 15:47:24.000000000 +0200
@@ -722,6 +722,7 @@
break;
# ifndef OPENSSL_NO_EC
case EVP_PKEY_SM2:
+ break;
case EVP_PKEY_EC:
pkey->foreign = pkey->pkey.ec != NULL
&& ossl_ec_key_is_foreign(pkey->pkey.ec);
diff -Nru openssl-3.0.9/crypto/http/http_lib.c openssl-3.0.10/crypto/http/http_lib.c
--- openssl-3.0.9/crypto/http/http_lib.c 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/crypto/http/http_lib.c 2023-08-01 15:47:24.000000000 +0200
@@ -22,6 +22,13 @@
}
}
+static void init_pint(int *pint)
+{
+ if (pint != NULL) {
+ *pint = 0;
+ }
+}
+
static int copy_substring(char **dest, const char *start, const char *end)
{
return dest == NULL
@@ -54,6 +61,7 @@
init_pstring(puser);
init_pstring(phost);
init_pstring(pport);
+ init_pint(pport_num);
init_pstring(ppath);
init_pstring(pfrag);
init_pstring(pquery);
diff -Nru openssl-3.0.9/crypto/LPdir_unix.c openssl-3.0.10/crypto/LPdir_unix.c
--- openssl-3.0.9/crypto/LPdir_unix.c 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/crypto/LPdir_unix.c 2023-08-01 15:47:24.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 2004-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2004-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -137,7 +137,7 @@
if ((*ctx)->expect_file_generations) {
char *p = (*ctx)->entry_name + strlen((*ctx)->entry_name);
- while(p > (*ctx)->entry_name && isdigit(p[-1]))
+ while (p > (*ctx)->entry_name && isdigit((unsigned char)p[-1]))
p--;
if (p > (*ctx)->entry_name && p[-1] == ';')
p[-1] = '\0';
diff -Nru openssl-3.0.9/crypto/params.c openssl-3.0.10/crypto/params.c
--- openssl-3.0.9/crypto/params.c 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/crypto/params.c 2023-08-01 15:47:24.000000000 +0200
@@ -14,6 +14,7 @@
#include "internal/numbers.h"
#include "internal/endian.h"
+#ifndef OPENSSL_SYS_UEFI
/*
* Return the number of bits in the mantissa of a double. This is used to
* shift a larger integral value to determine if it will exactly fit into a
@@ -23,6 +24,7 @@
{
return sizeof(double) == 4 ? 24 : 53;
}
+#endif
OSSL_PARAM *OSSL_PARAM_locate(OSSL_PARAM *p, const char *key)
{
@@ -342,8 +344,6 @@
int OSSL_PARAM_get_int32(const OSSL_PARAM *p, int32_t *val)
{
- double d;
-
if (val == NULL || p == NULL )
return 0;
@@ -391,6 +391,9 @@
return general_get_int(p, val, sizeof(*val));
} else if (p->data_type == OSSL_PARAM_REAL) {
+#ifndef OPENSSL_SYS_UEFI
+ double d;
+
switch (p->data_size) {
case sizeof(double):
d = *(const double *)p->data;
@@ -400,6 +403,7 @@
}
break;
}
+#endif
}
return 0;
}
@@ -442,6 +446,7 @@
#endif
return general_set_int(p, &val, sizeof(val));
} else if (p->data_type == OSSL_PARAM_REAL) {
+#ifndef OPENSSL_SYS_UEFI
p->return_size = sizeof(double);
if (p->data == NULL)
return 1;
@@ -450,6 +455,7 @@
*(double *)p->data = (double)val;
return 1;
}
+#endif
}
return 0;
}
@@ -462,8 +468,6 @@
int OSSL_PARAM_get_uint32(const OSSL_PARAM *p, uint32_t *val)
{
- double d;
-
if (val == NULL || p == NULL)
return 0;
@@ -509,6 +513,9 @@
#endif
return general_get_uint(p, val, sizeof(*val));
} else if (p->data_type == OSSL_PARAM_REAL) {
+#ifndef OPENSSL_SYS_UEFI
+ double d;
+
switch (p->data_size) {
case sizeof(double):
d = *(const double *)p->data;
@@ -518,6 +525,7 @@
}
break;
}
+#endif
}
return 0;
}
@@ -564,6 +572,7 @@
#endif
return general_set_uint(p, &val, sizeof(val));
} else if (p->data_type == OSSL_PARAM_REAL) {
+#ifndef OPENSSL_SYS_UEFI
p->return_size = sizeof(double);
if (p->data == NULL)
return 1;
@@ -572,6 +581,7 @@
*(double *)p->data = (double)val;
return 1;
}
+#endif
}
return 0;
}
@@ -584,8 +594,6 @@
int OSSL_PARAM_get_int64(const OSSL_PARAM *p, int64_t *val)
{
- double d;
-
if (val == NULL || p == NULL )
return 0;
@@ -620,6 +628,9 @@
#endif
return general_get_int(p, val, sizeof(*val));
} else if (p->data_type == OSSL_PARAM_REAL) {
+#ifndef OPENSSL_SYS_UEFI
+ double d;
+
switch (p->data_size) {
case sizeof(double):
d = *(const double *)p->data;
@@ -636,14 +647,13 @@
}
break;
}
+#endif
}
return 0;
}
int OSSL_PARAM_set_int64(OSSL_PARAM *p, int64_t val)
{
- uint64_t u64;
-
if (p == NULL)
return 0;
p->return_size = 0;
@@ -686,6 +696,9 @@
#endif
return general_set_int(p, &val, sizeof(val));
} else if (p->data_type == OSSL_PARAM_REAL) {
+#ifndef OPENSSL_SYS_UEFI
+ uint64_t u64;
+
p->return_size = sizeof(double);
if (p->data == NULL)
return 1;
@@ -698,6 +711,7 @@
}
break;
}
+#endif
}
return 0;
}
@@ -709,8 +723,6 @@
int OSSL_PARAM_get_uint64(const OSSL_PARAM *p, uint64_t *val)
{
- double d;
-
if (val == NULL || p == NULL)
return 0;
@@ -750,6 +762,9 @@
#endif
return general_get_uint(p, val, sizeof(*val));
} else if (p->data_type == OSSL_PARAM_REAL) {
+#ifndef OPENSSL_SYS_UEFI
+ double d;
+
switch (p->data_size) {
case sizeof(double):
d = *(const double *)p->data;
@@ -766,6 +781,7 @@
}
break;
}
+#endif
}
return 0;
}
@@ -818,6 +834,7 @@
#endif
return general_set_uint(p, &val, sizeof(val));
} else if (p->data_type == OSSL_PARAM_REAL) {
+#ifndef OPENSSL_SYS_UEFI
p->return_size = sizeof(double);
switch (p->data_size) {
case sizeof(double):
@@ -827,6 +844,7 @@
}
break;
}
+#endif
}
return 0;
}
@@ -953,6 +971,7 @@
buf, bsize);
}
+#ifndef OPENSSL_SYS_UEFI
int OSSL_PARAM_get_double(const OSSL_PARAM *p, double *val)
{
int64_t i64;
@@ -1073,6 +1092,7 @@
{
return ossl_param_construct(key, OSSL_PARAM_REAL, buf, sizeof(double));
}
+#endif
static int get_string_internal(const OSSL_PARAM *p, void **val,
size_t *max_len, size_t *used_len,
diff -Nru openssl-3.0.9/crypto/pkcs12/p12_mutl.c openssl-3.0.10/crypto/pkcs12/p12_mutl.c
--- openssl-3.0.9/crypto/pkcs12/p12_mutl.c 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/crypto/pkcs12/p12_mutl.c 2023-08-01 15:47:24.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -108,15 +108,20 @@
X509_ALGOR_get0(&macoid, NULL, NULL, macalg);
if (OBJ_obj2txt(md_name, sizeof(md_name), macoid, 0) < 0)
return 0;
+
+ (void)ERR_set_mark();
md = md_fetch = EVP_MD_fetch(p12->authsafes->ctx.libctx, md_name,
p12->authsafes->ctx.propq);
if (md == NULL)
md = EVP_get_digestbynid(OBJ_obj2nid(macoid));
if (md == NULL) {
+ (void)ERR_clear_last_mark();
ERR_raise(ERR_LIB_PKCS12, PKCS12_R_UNKNOWN_DIGEST_ALGORITHM);
return 0;
}
+ (void)ERR_pop_to_mark();
+
md_size = EVP_MD_get_size(md);
md_nid = EVP_MD_get_type(md);
if (md_size < 0)
diff -Nru openssl-3.0.9/crypto/rand/rand_lib.c openssl-3.0.10/crypto/rand/rand_lib.c
--- openssl-3.0.9/crypto/rand/rand_lib.c 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/crypto/rand/rand_lib.c 2023-08-01 15:47:24.000000000 +0200
@@ -120,6 +120,8 @@
*/
int RAND_poll(void)
{
+ static const char salt[] = "polling";
+
# ifndef OPENSSL_NO_DEPRECATED_3_0
const RAND_METHOD *meth = RAND_get_rand_method();
int ret = meth == RAND_OpenSSL();
@@ -148,14 +150,12 @@
ret = 1;
err:
ossl_rand_pool_free(pool);
+ return ret;
}
- return ret;
-# else
- static const char salt[] = "polling";
+# endif
RAND_seed(salt, sizeof(salt));
return 1;
-# endif
}
# ifndef OPENSSL_NO_DEPRECATED_3_0
diff -Nru openssl-3.0.9/crypto/rc4/build.info openssl-3.0.10/crypto/rc4/build.info
--- openssl-3.0.9/crypto/rc4/build.info 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/crypto/rc4/build.info 2023-08-01 15:47:24.000000000 +0200
@@ -21,10 +21,15 @@
# When all deprecated symbols are removed, libcrypto doesn't export the
# rc4 functions, so we must include them directly in liblegacy.a
-IF[{- $disabled{'deprecated-3.0'} && !$disabled{module} && !$disabled{shared} -}]
+IF[{- !$disabled{module} && !$disabled{shared} -}]
SOURCE[../../providers/liblegacy.a]=$RC4ASM
ENDIF
+# Implementations are now spread across several libraries, so the defines
+# need to be applied to all affected libraries and modules.
+DEFINE[../../libcrypto]=$RC4DEF
+DEFINE[../../providers/liblegacy.a]=$RC4DEF
+
GENERATE[rc4-586.S]=asm/rc4-586.pl
DEPEND[rc4-586.S]=../perlasm/x86asm.pl
diff -Nru openssl-3.0.9/crypto/rsa/rsa_ameth.c openssl-3.0.10/crypto/rsa/rsa_ameth.c
--- openssl-3.0.9/crypto/rsa/rsa_ameth.c 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/crypto/rsa/rsa_ameth.c 2023-08-01 15:47:24.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 2006-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -641,6 +641,36 @@
size_t aid_len = 0;
OSSL_PARAM params[2];
+ if (evp_pkey_ctx_is_legacy(pkctx)) {
+ /* No provider -> we cannot query it for algorithm ID. */
+ ASN1_STRING *os1 = NULL;
+
+ os1 = ossl_rsa_ctx_to_pss_string(pkctx);
+ if (os1 == NULL)
+ return 0;
+ /* Duplicate parameters if we have to */
+ if (alg2 != NULL) {
+ ASN1_STRING *os2 = ASN1_STRING_dup(os1);
+
+ if (os2 == NULL) {
+ ASN1_STRING_free(os1);
+ return 0;
+ }
+ if (!X509_ALGOR_set0(alg2, OBJ_nid2obj(EVP_PKEY_RSA_PSS),
+ V_ASN1_SEQUENCE, os2)) {
+ ASN1_STRING_free(os1);
+ ASN1_STRING_free(os2);
+ return 0;
+ }
+ }
+ if (!X509_ALGOR_set0(alg1, OBJ_nid2obj(EVP_PKEY_RSA_PSS),
+ V_ASN1_SEQUENCE, os1)) {
+ ASN1_STRING_free(os1);
+ return 0;
+ }
+ return 3;
+ }
+
params[0] = OSSL_PARAM_construct_octet_string(
OSSL_SIGNATURE_PARAM_ALGORITHM_ID, aid, sizeof(aid));
params[1] = OSSL_PARAM_construct_end();
@@ -652,11 +682,13 @@
if (alg1 != NULL) {
const unsigned char *pp = aid;
+
if (d2i_X509_ALGOR(&alg1, &pp, aid_len) == NULL)
return 0;
}
if (alg2 != NULL) {
const unsigned char *pp = aid;
+
if (d2i_X509_ALGOR(&alg2, &pp, aid_len) == NULL)
return 0;
}
diff -Nru openssl-3.0.9/crypto/rsa/rsa_pmeth.c openssl-3.0.10/crypto/rsa/rsa_pmeth.c
--- openssl-3.0.9/crypto/rsa/rsa_pmeth.c 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/crypto/rsa/rsa_pmeth.c 2023-08-01 15:47:24.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -584,6 +584,10 @@
ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_PADDING_MODE);
return -2;
}
+ if (p2 == NULL) {
+ ERR_raise(ERR_LIB_EVP, ERR_R_PASSED_NULL_PARAMETER);
+ return 0;
+ }
*(unsigned char **)p2 = rctx->oaep_label;
return rctx->oaep_labellen;
diff -Nru openssl-3.0.9/crypto/sha/asm/keccak1600-avx2.pl openssl-3.0.10/crypto/sha/asm/keccak1600-avx2.pl
--- openssl-3.0.9/crypto/sha/asm/keccak1600-avx2.pl 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/crypto/sha/asm/keccak1600-avx2.pl 2023-08-01 15:47:24.000000000 +0200
@@ -1,5 +1,5 @@
#!/usr/bin/env perl
-# Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -432,6 +432,7 @@
ret
.size SHA3_squeeze,.-SHA3_squeeze
+.section .rodata
.align 64
rhotates_left:
.quad 3, 18, 36, 41 # [2][0] [4][0] [1][0] [3][0]
diff -Nru openssl-3.0.9/crypto/sha/asm/keccak1600-avx512.pl openssl-3.0.10/crypto/sha/asm/keccak1600-avx512.pl
--- openssl-3.0.9/crypto/sha/asm/keccak1600-avx512.pl 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/crypto/sha/asm/keccak1600-avx512.pl 2023-08-01 15:47:24.000000000 +0200
@@ -1,5 +1,5 @@
#!/usr/bin/env perl
-# Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -486,6 +486,7 @@
ret
.size SHA3_squeeze,.-SHA3_squeeze
+.section .rodata
.align 64
theta_perm:
.quad 0, 1, 2, 3, 4, 5, 6, 7 # [not used]
diff -Nru openssl-3.0.9/crypto/sha/asm/keccak1600-avx512vl.pl openssl-3.0.10/crypto/sha/asm/keccak1600-avx512vl.pl
--- openssl-3.0.9/crypto/sha/asm/keccak1600-avx512vl.pl 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/crypto/sha/asm/keccak1600-avx512vl.pl 2023-08-01 15:47:24.000000000 +0200
@@ -1,5 +1,5 @@
#!/usr/bin/env perl
-# Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -349,6 +349,7 @@
ret
.size SHA3_squeeze,.-SHA3_squeeze
+.section .rodata
.align 64
rhotates_left:
.quad 3, 18, 36, 41 # [2][0] [4][0] [1][0] [3][0]
diff -Nru openssl-3.0.9/crypto/store/store_result.c openssl-3.0.10/crypto/store/store_result.c
--- openssl-3.0.9/crypto/store/store_result.c 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/crypto/store/store_result.c 2023-08-01 15:47:24.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -553,8 +553,10 @@
ok = 0; /* Assume decryption or parse error */
- if (PKCS12_verify_mac(p12, "", 0)
+ if (!PKCS12_mac_present(p12)
|| PKCS12_verify_mac(p12, NULL, 0)) {
+ pass = NULL;
+ } else if (PKCS12_verify_mac(p12, "", 0)) {
pass = "";
} else {
static char prompt_info[] = "PKCS12 import pass phrase";
diff -Nru openssl-3.0.9/crypto/x509/by_dir.c openssl-3.0.10/crypto/x509/by_dir.c
--- openssl-3.0.9/crypto/x509/by_dir.c 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/crypto/x509/by_dir.c 2023-08-01 15:47:24.000000000 +0200
@@ -348,7 +348,8 @@
/*
* we have added it to the cache so now pull it out again
*/
- X509_STORE_lock(xl->store_ctx);
+ if (!X509_STORE_lock(xl->store_ctx))
+ goto finish;
j = sk_X509_OBJECT_find(xl->store_ctx->objs, &stmp);
tmp = sk_X509_OBJECT_value(xl->store_ctx->objs, j);
X509_STORE_unlock(xl->store_ctx);
diff -Nru openssl-3.0.9/crypto/x509/v3_ist.c openssl-3.0.10/crypto/x509/v3_ist.c
--- openssl-3.0.9/crypto/x509/v3_ist.c 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/crypto/x509/v3_ist.c 2023-08-01 15:47:24.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -50,43 +50,38 @@
}
if (strcmp(cnf->name, "signTool") == 0) {
ist->signTool = ASN1_UTF8STRING_new();
- if (ist->signTool == NULL) {
- ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
- ISSUER_SIGN_TOOL_free(ist);
- return NULL;
+ if (ist->signTool == NULL || !ASN1_STRING_set(ist->signTool, cnf->value, strlen(cnf->value))) {
+ ERR_raise(ERR_LIB_X509V3, ERR_R_ASN1_LIB);
+ goto err;
}
- ASN1_STRING_set(ist->signTool, cnf->value, strlen(cnf->value));
} else if (strcmp(cnf->name, "cATool") == 0) {
ist->cATool = ASN1_UTF8STRING_new();
- if (ist->cATool == NULL) {
- ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
- ISSUER_SIGN_TOOL_free(ist);
- return NULL;
+ if (ist->cATool == NULL || !ASN1_STRING_set(ist->cATool, cnf->value, strlen(cnf->value))) {
+ ERR_raise(ERR_LIB_X509V3, ERR_R_ASN1_LIB);
+ goto err;
}
- ASN1_STRING_set(ist->cATool, cnf->value, strlen(cnf->value));
} else if (strcmp(cnf->name, "signToolCert") == 0) {
ist->signToolCert = ASN1_UTF8STRING_new();
- if (ist->signToolCert == NULL) {
- ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
- ISSUER_SIGN_TOOL_free(ist);
- return NULL;
+ if (ist->signToolCert == NULL || !ASN1_STRING_set(ist->signToolCert, cnf->value, strlen(cnf->value))) {
+ ERR_raise(ERR_LIB_X509V3, ERR_R_ASN1_LIB);
+ goto err;
}
- ASN1_STRING_set(ist->signToolCert, cnf->value, strlen(cnf->value));
} else if (strcmp(cnf->name, "cAToolCert") == 0) {
ist->cAToolCert = ASN1_UTF8STRING_new();
- if (ist->cAToolCert == NULL) {
- ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
- ISSUER_SIGN_TOOL_free(ist);
- return NULL;
+ if (ist->cAToolCert == NULL || !ASN1_STRING_set(ist->cAToolCert, cnf->value, strlen(cnf->value))) {
+ ERR_raise(ERR_LIB_X509V3, ERR_R_ASN1_LIB);
+ goto err;
}
- ASN1_STRING_set(ist->cAToolCert, cnf->value, strlen(cnf->value));
} else {
ERR_raise(ERR_LIB_X509V3, ERR_R_PASSED_INVALID_ARGUMENT);
- ISSUER_SIGN_TOOL_free(ist);
- return NULL;
+ goto err;
}
}
return ist;
+
+err:
+ ISSUER_SIGN_TOOL_free(ist);
+ return NULL;
}
static int i2r_issuer_sign_tool(X509V3_EXT_METHOD *method,
diff -Nru openssl-3.0.9/crypto/x509/v3_purp.c openssl-3.0.10/crypto/x509/v3_purp.c
--- openssl-3.0.9/crypto/x509/v3_purp.c 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/crypto/x509/v3_purp.c 2023-08-01 15:47:24.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -438,7 +438,7 @@
* in case ctx->param->flags & X509_V_FLAG_X509_STRICT
*/
if (bs->pathlen->type == V_ASN1_NEG_INTEGER) {
- ERR_raise(ERR_LIB_X509, X509V3_R_NEGATIVE_PATHLEN);
+ ERR_raise(ERR_LIB_X509V3, X509V3_R_NEGATIVE_PATHLEN);
x->ex_flags |= EXFLAG_INVALID;
} else {
x->ex_pathlen = ASN1_INTEGER_get(bs->pathlen);
@@ -479,7 +479,7 @@
ASN1_BIT_STRING_free(usage);
/* Check for empty key usage according to RFC 5280 section 4.2.1.3 */
if (x->ex_kusage == 0) {
- ERR_raise(ERR_LIB_X509, X509V3_R_EMPTY_KEY_USAGE);
+ ERR_raise(ERR_LIB_X509V3, X509V3_R_EMPTY_KEY_USAGE);
x->ex_flags |= EXFLAG_INVALID;
}
} else if (i != -1) {
@@ -632,7 +632,7 @@
return 1;
}
if ((x->ex_flags & EXFLAG_INVALID) != 0)
- ERR_raise(ERR_LIB_X509, X509V3_R_INVALID_CERTIFICATE);
+ ERR_raise(ERR_LIB_X509V3, X509V3_R_INVALID_CERTIFICATE);
/* If computing sha1_hash failed the error queue already reflects this. */
err:
diff -Nru openssl-3.0.9/crypto/x509/x509_att.c openssl-3.0.10/crypto/x509/x509_att.c
--- openssl-3.0.9/crypto/x509/x509_att.c 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/crypto/x509/x509_att.c 2023-08-01 15:47:24.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -82,6 +82,11 @@
return NULL;
}
+ if (*x != NULL && X509at_get_attr_by_OBJ(*x, attr->object, -1) != -1) {
+ ERR_raise(ERR_LIB_X509, X509_R_DUPLICATE_ATTRIBUTE);
+ return NULL;
+ }
+
if (*x == NULL) {
if ((sk = sk_X509_ATTRIBUTE_new_null()) == NULL)
goto err;
diff -Nru openssl-3.0.9/crypto/x509/x509_cmp.c openssl-3.0.10/crypto/x509/x509_cmp.c
--- openssl-3.0.9/crypto/x509/x509_cmp.c 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/crypto/x509/x509_cmp.c 2023-08-01 15:47:24.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -277,11 +277,11 @@
if (ret == 0 && a->canon_enclen == 0)
return 0;
- if (a->canon_enc == NULL || b->canon_enc == NULL)
- return -2;
-
- if (ret == 0)
+ if (ret == 0) {
+ if (a->canon_enc == NULL || b->canon_enc == NULL)
+ return -2;
ret = memcmp(a->canon_enc, b->canon_enc, a->canon_enclen);
+ }
return ret < 0 ? -1 : ret > 0;
}
diff -Nru openssl-3.0.9/crypto/x509/x509_err.c openssl-3.0.10/crypto/x509/x509_err.c
--- openssl-3.0.9/crypto/x509/x509_err.c 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/crypto/x509/x509_err.c 2023-08-01 15:47:24.000000000 +0200
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -28,6 +28,8 @@
{ERR_PACK(ERR_LIB_X509, 0, X509_R_CRL_ALREADY_DELTA), "crl already delta"},
{ERR_PACK(ERR_LIB_X509, 0, X509_R_CRL_VERIFY_FAILURE),
"crl verify failure"},
+ {ERR_PACK(ERR_LIB_X509, 0, X509_R_DUPLICATE_ATTRIBUTE),
+ "duplicate attribute"},
{ERR_PACK(ERR_LIB_X509, 0, X509_R_ERROR_GETTING_MD_BY_NID),
"error getting md by nid"},
{ERR_PACK(ERR_LIB_X509, 0, X509_R_ERROR_USING_SIGINF_SET),
diff -Nru openssl-3.0.9/crypto/x509/x509_vpm.c openssl-3.0.10/crypto/x509/x509_vpm.c
--- openssl-3.0.9/crypto/x509/x509_vpm.c 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/crypto/x509/x509_vpm.c 2023-08-01 15:47:24.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 2004-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2004-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -337,7 +337,10 @@
if (param->policies == NULL)
return 0;
}
- return sk_ASN1_OBJECT_push(param->policies, policy);
+
+ if (sk_ASN1_OBJECT_push(param->policies, policy) <= 0)
+ return 0;
+ return 1;
}
int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param,
@@ -592,7 +595,10 @@
X509_VERIFY_PARAM_free(ptmp);
}
}
- return sk_X509_VERIFY_PARAM_push(param_table, param);
+
+ if (sk_X509_VERIFY_PARAM_push(param_table, param) <= 0)
+ return 0;
+ return 1;
}
int X509_VERIFY_PARAM_get_count(void)
diff -Nru openssl-3.0.9/debian/changelog openssl-3.0.10/debian/changelog
--- openssl-3.0.9/debian/changelog 2023-05-30 18:12:36.000000000 +0200
+++ openssl-3.0.10/debian/changelog 2023-08-26 11:29:40.000000000 +0200
@@ -1,6 +1,17 @@
+openssl (3.0.10-1~deb12u1) bookworm; urgency=medium
+
+ * Import 3.0.10
+ - CVE-2023-2975 (AES-SIV implementation ignores empty associated data
+ entries) (Closes: #1041818).
+ - CVE-2023-3446 (Excessive time spent checking DH keys and parameters).
+ (Closes: #1041817).
+ - CVE-2023-3817 (Excessive time spent checking DH q parameter value).
+
+ -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Sat, 26 Aug 2023 11:29:40 +0200
+
openssl (3.0.9-1) unstable; urgency=medium
- * Import 3.0.7
+ * Import 3.0.9
- CVE-2023-0464 (Excessive Resource Usage Verifying X.509 Policy
Constraints) (Closes: #1034720).
- CVE-2023-0465 (Invalid certificate policies in leaf certificates are
@@ -15,7 +26,7 @@
openssl (3.0.8-1) unstable; urgency=medium
- * Import 3.0.7
+ * Import 3.0.8
- CVE-2023-0401 (NULL dereference during PKCS7 data verification).
- CVE-2023-0286 (X.400 address type confusion in X.509 GeneralName).
- CVE-2023-0217 (NULL dereference validating DSA public key).
diff -Nru openssl-3.0.9/debian/gbp.conf openssl-3.0.10/debian/gbp.conf
--- openssl-3.0.9/debian/gbp.conf 2023-05-30 17:33:23.000000000 +0200
+++ openssl-3.0.10/debian/gbp.conf 2023-08-26 11:29:40.000000000 +0200
@@ -3,7 +3,7 @@
#sign-tags = false
dist = DEP14
upstream-branch = upstream/openssl-3.0
-debian-branch = debian/unstable
+debian-branch = debian/bookworm
debian-tag = debian/openssl-%(version)s
id-length = 12
abbrev = 12
diff -Nru openssl-3.0.9/debian/patches/Configure-allow-to-enable-ktls-if-target-does-not-start-w.patch openssl-3.0.10/debian/patches/Configure-allow-to-enable-ktls-if-target-does-not-start-w.patch
--- openssl-3.0.9/debian/patches/Configure-allow-to-enable-ktls-if-target-does-not-start-w.patch 2023-05-30 17:39:06.000000000 +0200
+++ openssl-3.0.10/debian/patches/Configure-allow-to-enable-ktls-if-target-does-not-start-w.patch 2023-08-26 11:29:40.000000000 +0200
@@ -23,7 +23,7 @@
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf
-index b578a3c2a861..b3b21d39990b 100644
+index 8010087b46dc..228af3f90cfc 100644
--- a/Configurations/10-main.conf
+++ b/Configurations/10-main.conf
@@ -697,7 +697,7 @@ my %targets = (
@@ -36,10 +36,10 @@
"linux-latomic" => {
inherit_from => [ "linux-generic32" ],
diff --git a/Configure b/Configure
-index 5ac4b5222e4f..978414d914ea 100755
+index dd06aa48988f..38a04cd15030 100755
--- a/Configure
+++ b/Configure
-@@ -1715,7 +1715,7 @@ unless ($disabled{devcryptoeng}) {
+@@ -1712,7 +1712,7 @@ unless ($disabled{devcryptoeng}) {
unless ($disabled{ktls}) {
$config{ktls}="";
my $cc = $config{CROSS_COMPILE}.$config{CC};
diff -Nru openssl-3.0.9/debian/patches/Fix-tests-for-new-default-security-level.patch openssl-3.0.10/debian/patches/Fix-tests-for-new-default-security-level.patch
--- openssl-3.0.9/debian/patches/Fix-tests-for-new-default-security-level.patch 2023-05-30 17:39:06.000000000 +0200
+++ openssl-3.0.10/debian/patches/Fix-tests-for-new-default-security-level.patch 2023-08-26 11:29:40.000000000 +0200
@@ -10,12 +10,12 @@
---
test/ssl-tests/12-ct.cnf | 24 ++--
test/ssl-tests/12-ct.cnf.in | 12 ++
- test/ssl-tests/14-curves.cnf | 220 +++++++++++++++++------------------
+ test/ssl-tests/14-curves.cnf | 240 +++++++++++++++++------------------
test/ssl-tests/14-curves.cnf.in | 9 +-
test/ssl-tests/22-compression.cnf | 32 ++---
test/ssl-tests/22-compression.cnf.in | 16 +++
- test/sslapitest.c | 24 ++--
- 7 files changed, 189 insertions(+), 148 deletions(-)
+ test/sslapitest.c | 24 +++-
+ 7 files changed, 199 insertions(+), 158 deletions(-)
diff --git a/test/ssl-tests/12-ct.cnf b/test/ssl-tests/12-ct.cnf
index 2e6e9dea6757..369c5d4e8eef 100644
@@ -184,10 +184,10 @@
extra => {
"CTValidation" => "Strict",
diff --git a/test/ssl-tests/14-curves.cnf b/test/ssl-tests/14-curves.cnf
-index bafa4a65cd35..f472dd7d634e 100644
+index 75635d29bd0f..ad62e28935ae 100644
--- a/test/ssl-tests/14-curves.cnf
+++ b/test/ssl-tests/14-curves.cnf
-@@ -93,13 +93,13 @@ client = 0-curve-prime256v1-client
+@@ -108,13 +108,13 @@ client = 0-curve-prime256v1-client
[0-curve-prime256v1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
@@ -203,7 +203,7 @@
Curves = prime256v1
MaxProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-@@ -122,13 +122,13 @@ client = 1-curve-secp384r1-client
+@@ -137,13 +137,13 @@ client = 1-curve-secp384r1-client
[1-curve-secp384r1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
@@ -219,7 +219,7 @@
Curves = secp384r1
MaxProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-@@ -151,13 +151,13 @@ client = 2-curve-secp521r1-client
+@@ -166,13 +166,13 @@ client = 2-curve-secp521r1-client
[2-curve-secp521r1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
@@ -235,7 +235,7 @@
Curves = secp521r1
MaxProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-@@ -180,13 +180,13 @@ client = 3-curve-X25519-client
+@@ -195,13 +195,13 @@ client = 3-curve-X25519-client
[3-curve-X25519-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
@@ -251,7 +251,7 @@
Curves = X25519
MaxProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-@@ -209,13 +209,13 @@ client = 4-curve-X448-client
+@@ -224,13 +224,13 @@ client = 4-curve-X448-client
[4-curve-X448-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
@@ -267,9 +267,89 @@
Curves = X448
MaxProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-@@ -238,13 +238,13 @@ client = 5-curve-sect233k1-client
+@@ -253,13 +253,13 @@ client = 5-curve-ffdhe2048-client
- [5-curve-sect233k1-server]
+ [5-curve-ffdhe2048-server]
+ Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+-CipherString = DEFAULT
++CipherString = DEFAULT@SECLEVEL=1
+ Curves = ffdhe2048
+ MaxProtocol = TLSv1.3
+ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+ [5-curve-ffdhe2048-client]
+-CipherString = ECDHE
++CipherString = ECDHE@SECLEVEL=1
+ Curves = ffdhe2048
+ MaxProtocol = TLSv1.3
+ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+@@ -282,13 +282,13 @@ client = 6-curve-ffdhe3072-client
+
+ [6-curve-ffdhe3072-server]
+ Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+-CipherString = DEFAULT
++CipherString = DEFAULT@SECLEVEL=1
+ Curves = ffdhe3072
+ MaxProtocol = TLSv1.3
+ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+ [6-curve-ffdhe3072-client]
+-CipherString = ECDHE
++CipherString = ECDHE@SECLEVEL=1
+ Curves = ffdhe3072
+ MaxProtocol = TLSv1.3
+ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+@@ -311,13 +311,13 @@ client = 7-curve-ffdhe4096-client
+
+ [7-curve-ffdhe4096-server]
+ Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+-CipherString = DEFAULT
++CipherString = DEFAULT@SECLEVEL=1
+ Curves = ffdhe4096
+ MaxProtocol = TLSv1.3
+ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+ [7-curve-ffdhe4096-client]
+-CipherString = ECDHE
++CipherString = ECDHE@SECLEVEL=1
+ Curves = ffdhe4096
+ MaxProtocol = TLSv1.3
+ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+@@ -340,13 +340,13 @@ client = 8-curve-ffdhe6144-client
+
+ [8-curve-ffdhe6144-server]
+ Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+-CipherString = DEFAULT
++CipherString = DEFAULT@SECLEVEL=1
+ Curves = ffdhe6144
+ MaxProtocol = TLSv1.3
+ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+ [8-curve-ffdhe6144-client]
+-CipherString = ECDHE
++CipherString = ECDHE@SECLEVEL=1
+ Curves = ffdhe6144
+ MaxProtocol = TLSv1.3
+ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+@@ -369,13 +369,13 @@ client = 9-curve-ffdhe8192-client
+
+ [9-curve-ffdhe8192-server]
+ Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+-CipherString = DEFAULT
++CipherString = DEFAULT@SECLEVEL=1
+ Curves = ffdhe8192
+ MaxProtocol = TLSv1.3
+ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+ [9-curve-ffdhe8192-client]
+-CipherString = ECDHE
++CipherString = ECDHE@SECLEVEL=1
+ Curves = ffdhe8192
+ MaxProtocol = TLSv1.3
+ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+@@ -398,13 +398,13 @@ client = 10-curve-sect233k1-client
+
+ [10-curve-sect233k1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT@SECLEVEL=1
@@ -277,15 +357,15 @@
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
- [5-curve-sect233k1-client]
+ [10-curve-sect233k1-client]
-CipherString = ECDHE
+CipherString = ECDHE@SECLEVEL=1
Curves = sect233k1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-@@ -267,13 +267,13 @@ client = 6-curve-sect233r1-client
+@@ -427,13 +427,13 @@ client = 11-curve-sect233r1-client
- [6-curve-sect233r1-server]
+ [11-curve-sect233r1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT@SECLEVEL=1
@@ -293,15 +373,15 @@
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
- [6-curve-sect233r1-client]
+ [11-curve-sect233r1-client]
-CipherString = ECDHE
+CipherString = ECDHE@SECLEVEL=1
Curves = sect233r1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-@@ -296,13 +296,13 @@ client = 7-curve-sect283k1-client
+@@ -456,13 +456,13 @@ client = 12-curve-sect283k1-client
- [7-curve-sect283k1-server]
+ [12-curve-sect283k1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT@SECLEVEL=1
@@ -309,15 +389,15 @@
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
- [7-curve-sect283k1-client]
+ [12-curve-sect283k1-client]
-CipherString = ECDHE
+CipherString = ECDHE@SECLEVEL=1
Curves = sect283k1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-@@ -325,13 +325,13 @@ client = 8-curve-sect283r1-client
+@@ -485,13 +485,13 @@ client = 13-curve-sect283r1-client
- [8-curve-sect283r1-server]
+ [13-curve-sect283r1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT@SECLEVEL=1
@@ -325,15 +405,15 @@
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
- [8-curve-sect283r1-client]
+ [13-curve-sect283r1-client]
-CipherString = ECDHE
+CipherString = ECDHE@SECLEVEL=1
Curves = sect283r1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-@@ -354,13 +354,13 @@ client = 9-curve-sect409k1-client
+@@ -514,13 +514,13 @@ client = 14-curve-sect409k1-client
- [9-curve-sect409k1-server]
+ [14-curve-sect409k1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT@SECLEVEL=1
@@ -341,15 +421,15 @@
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
- [9-curve-sect409k1-client]
+ [14-curve-sect409k1-client]
-CipherString = ECDHE
+CipherString = ECDHE@SECLEVEL=1
Curves = sect409k1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-@@ -383,13 +383,13 @@ client = 10-curve-sect409r1-client
+@@ -543,13 +543,13 @@ client = 15-curve-sect409r1-client
- [10-curve-sect409r1-server]
+ [15-curve-sect409r1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT@SECLEVEL=1
@@ -357,15 +437,15 @@
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
- [10-curve-sect409r1-client]
+ [15-curve-sect409r1-client]
-CipherString = ECDHE
+CipherString = ECDHE@SECLEVEL=1
Curves = sect409r1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-@@ -412,13 +412,13 @@ client = 11-curve-sect571k1-client
+@@ -572,13 +572,13 @@ client = 16-curve-sect571k1-client
- [11-curve-sect571k1-server]
+ [16-curve-sect571k1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT@SECLEVEL=1
@@ -373,15 +453,15 @@
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
- [11-curve-sect571k1-client]
+ [16-curve-sect571k1-client]
-CipherString = ECDHE
+CipherString = ECDHE@SECLEVEL=1
Curves = sect571k1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-@@ -441,13 +441,13 @@ client = 12-curve-sect571r1-client
+@@ -601,13 +601,13 @@ client = 17-curve-sect571r1-client
- [12-curve-sect571r1-server]
+ [17-curve-sect571r1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT@SECLEVEL=1
@@ -389,15 +469,15 @@
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
- [12-curve-sect571r1-client]
+ [17-curve-sect571r1-client]
-CipherString = ECDHE
+CipherString = ECDHE@SECLEVEL=1
Curves = sect571r1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-@@ -470,13 +470,13 @@ client = 13-curve-secp224r1-client
+@@ -630,13 +630,13 @@ client = 18-curve-secp224r1-client
- [13-curve-secp224r1-server]
+ [18-curve-secp224r1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT@SECLEVEL=1
@@ -405,15 +485,15 @@
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
- [13-curve-secp224r1-client]
+ [18-curve-secp224r1-client]
-CipherString = ECDHE
+CipherString = ECDHE@SECLEVEL=1
Curves = secp224r1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-@@ -499,13 +499,13 @@ client = 14-curve-sect163k1-client
+@@ -659,13 +659,13 @@ client = 19-curve-sect163k1-client
- [14-curve-sect163k1-server]
+ [19-curve-sect163k1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT@SECLEVEL=1
@@ -421,15 +501,15 @@
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
- [14-curve-sect163k1-client]
+ [19-curve-sect163k1-client]
-CipherString = ECDHE
+CipherString = ECDHE@SECLEVEL=1
Curves = sect163k1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-@@ -528,13 +528,13 @@ client = 15-curve-sect163r2-client
+@@ -688,13 +688,13 @@ client = 20-curve-sect163r2-client
- [15-curve-sect163r2-server]
+ [20-curve-sect163r2-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT@SECLEVEL=1
@@ -437,15 +517,15 @@
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
- [15-curve-sect163r2-client]
+ [20-curve-sect163r2-client]
-CipherString = ECDHE
+CipherString = ECDHE@SECLEVEL=1
Curves = sect163r2
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-@@ -557,13 +557,13 @@ client = 16-curve-prime192v1-client
+@@ -717,13 +717,13 @@ client = 21-curve-prime192v1-client
- [16-curve-prime192v1-server]
+ [21-curve-prime192v1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT@SECLEVEL=1
@@ -453,15 +533,15 @@
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
- [16-curve-prime192v1-client]
+ [21-curve-prime192v1-client]
-CipherString = ECDHE
+CipherString = ECDHE@SECLEVEL=1
Curves = prime192v1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-@@ -586,13 +586,13 @@ client = 17-curve-sect163r1-client
+@@ -746,13 +746,13 @@ client = 22-curve-sect163r1-client
- [17-curve-sect163r1-server]
+ [22-curve-sect163r1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT@SECLEVEL=1
@@ -469,15 +549,15 @@
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
- [17-curve-sect163r1-client]
+ [22-curve-sect163r1-client]
-CipherString = ECDHE
+CipherString = ECDHE@SECLEVEL=1
Curves = sect163r1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-@@ -615,13 +615,13 @@ client = 18-curve-sect193r1-client
+@@ -775,13 +775,13 @@ client = 23-curve-sect193r1-client
- [18-curve-sect193r1-server]
+ [23-curve-sect193r1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT@SECLEVEL=1
@@ -485,15 +565,15 @@
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
- [18-curve-sect193r1-client]
+ [23-curve-sect193r1-client]
-CipherString = ECDHE
+CipherString = ECDHE@SECLEVEL=1
Curves = sect193r1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-@@ -644,13 +644,13 @@ client = 19-curve-sect193r2-client
+@@ -804,13 +804,13 @@ client = 24-curve-sect193r2-client
- [19-curve-sect193r2-server]
+ [24-curve-sect193r2-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT@SECLEVEL=1
@@ -501,15 +581,15 @@
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
- [19-curve-sect193r2-client]
+ [24-curve-sect193r2-client]
-CipherString = ECDHE
+CipherString = ECDHE@SECLEVEL=1
Curves = sect193r2
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-@@ -673,13 +673,13 @@ client = 20-curve-sect239k1-client
+@@ -833,13 +833,13 @@ client = 25-curve-sect239k1-client
- [20-curve-sect239k1-server]
+ [25-curve-sect239k1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT@SECLEVEL=1
@@ -517,15 +597,15 @@
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
- [20-curve-sect239k1-client]
+ [25-curve-sect239k1-client]
-CipherString = ECDHE
+CipherString = ECDHE@SECLEVEL=1
Curves = sect239k1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-@@ -702,13 +702,13 @@ client = 21-curve-secp160k1-client
+@@ -862,13 +862,13 @@ client = 26-curve-secp160k1-client
- [21-curve-secp160k1-server]
+ [26-curve-secp160k1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT@SECLEVEL=1
@@ -533,15 +613,15 @@
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
- [21-curve-secp160k1-client]
+ [26-curve-secp160k1-client]
-CipherString = ECDHE
+CipherString = ECDHE@SECLEVEL=1
Curves = secp160k1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-@@ -731,13 +731,13 @@ client = 22-curve-secp160r1-client
+@@ -891,13 +891,13 @@ client = 27-curve-secp160r1-client
- [22-curve-secp160r1-server]
+ [27-curve-secp160r1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT@SECLEVEL=1
@@ -549,15 +629,15 @@
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
- [22-curve-secp160r1-client]
+ [27-curve-secp160r1-client]
-CipherString = ECDHE
+CipherString = ECDHE@SECLEVEL=1
Curves = secp160r1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-@@ -760,13 +760,13 @@ client = 23-curve-secp160r2-client
+@@ -920,13 +920,13 @@ client = 28-curve-secp160r2-client
- [23-curve-secp160r2-server]
+ [28-curve-secp160r2-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT@SECLEVEL=1
@@ -565,15 +645,15 @@
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
- [23-curve-secp160r2-client]
+ [28-curve-secp160r2-client]
-CipherString = ECDHE
+CipherString = ECDHE@SECLEVEL=1
Curves = secp160r2
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-@@ -789,13 +789,13 @@ client = 24-curve-secp192k1-client
+@@ -949,13 +949,13 @@ client = 29-curve-secp192k1-client
- [24-curve-secp192k1-server]
+ [29-curve-secp192k1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT@SECLEVEL=1
@@ -581,15 +661,15 @@
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
- [24-curve-secp192k1-client]
+ [29-curve-secp192k1-client]
-CipherString = ECDHE
+CipherString = ECDHE@SECLEVEL=1
Curves = secp192k1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-@@ -818,13 +818,13 @@ client = 25-curve-secp224k1-client
+@@ -978,13 +978,13 @@ client = 30-curve-secp224k1-client
- [25-curve-secp224k1-server]
+ [30-curve-secp224k1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT@SECLEVEL=1
@@ -597,15 +677,15 @@
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
- [25-curve-secp224k1-client]
+ [30-curve-secp224k1-client]
-CipherString = ECDHE
+CipherString = ECDHE@SECLEVEL=1
Curves = secp224k1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-@@ -847,13 +847,13 @@ client = 26-curve-secp256k1-client
+@@ -1007,13 +1007,13 @@ client = 31-curve-secp256k1-client
- [26-curve-secp256k1-server]
+ [31-curve-secp256k1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT@SECLEVEL=1
@@ -613,15 +693,15 @@
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
- [26-curve-secp256k1-client]
+ [31-curve-secp256k1-client]
-CipherString = ECDHE
+CipherString = ECDHE@SECLEVEL=1
Curves = secp256k1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-@@ -876,13 +876,13 @@ client = 27-curve-brainpoolP256r1-client
+@@ -1036,13 +1036,13 @@ client = 32-curve-brainpoolP256r1-client
- [27-curve-brainpoolP256r1-server]
+ [32-curve-brainpoolP256r1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT@SECLEVEL=1
@@ -629,15 +709,15 @@
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
- [27-curve-brainpoolP256r1-client]
+ [32-curve-brainpoolP256r1-client]
-CipherString = ECDHE
+CipherString = ECDHE@SECLEVEL=1
Curves = brainpoolP256r1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-@@ -905,13 +905,13 @@ client = 28-curve-brainpoolP384r1-client
+@@ -1065,13 +1065,13 @@ client = 33-curve-brainpoolP384r1-client
- [28-curve-brainpoolP384r1-server]
+ [33-curve-brainpoolP384r1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT@SECLEVEL=1
@@ -645,15 +725,15 @@
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
- [28-curve-brainpoolP384r1-client]
+ [33-curve-brainpoolP384r1-client]
-CipherString = ECDHE
+CipherString = ECDHE@SECLEVEL=1
Curves = brainpoolP384r1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-@@ -934,13 +934,13 @@ client = 29-curve-brainpoolP512r1-client
+@@ -1094,13 +1094,13 @@ client = 34-curve-brainpoolP512r1-client
- [29-curve-brainpoolP512r1-server]
+ [34-curve-brainpoolP512r1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT@SECLEVEL=1
@@ -661,15 +741,15 @@
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
- [29-curve-brainpoolP512r1-client]
+ [34-curve-brainpoolP512r1-client]
-CipherString = ECDHE
+CipherString = ECDHE@SECLEVEL=1
Curves = brainpoolP512r1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-@@ -1713,13 +1713,13 @@ client = 55-curve-sect233k1-tls13-client
+@@ -1873,13 +1873,13 @@ client = 60-curve-sect233k1-tls13-client
- [55-curve-sect233k1-tls13-server]
+ [60-curve-sect233k1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT@SECLEVEL=1
@@ -677,15 +757,15 @@
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
- [55-curve-sect233k1-tls13-client]
+ [60-curve-sect233k1-tls13-client]
-CipherString = ECDHE
+CipherString = ECDHE@SECLEVEL=1
Curves = sect233k1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-@@ -1740,13 +1740,13 @@ client = 56-curve-sect233r1-tls13-client
+@@ -1900,13 +1900,13 @@ client = 61-curve-sect233r1-tls13-client
- [56-curve-sect233r1-tls13-server]
+ [61-curve-sect233r1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT@SECLEVEL=1
@@ -693,15 +773,15 @@
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
- [56-curve-sect233r1-tls13-client]
+ [61-curve-sect233r1-tls13-client]
-CipherString = ECDHE
+CipherString = ECDHE@SECLEVEL=1
Curves = sect233r1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-@@ -1767,13 +1767,13 @@ client = 57-curve-sect283k1-tls13-client
+@@ -1927,13 +1927,13 @@ client = 62-curve-sect283k1-tls13-client
- [57-curve-sect283k1-tls13-server]
+ [62-curve-sect283k1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT@SECLEVEL=1
@@ -709,15 +789,15 @@
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
- [57-curve-sect283k1-tls13-client]
+ [62-curve-sect283k1-tls13-client]
-CipherString = ECDHE
+CipherString = ECDHE@SECLEVEL=1
Curves = sect283k1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-@@ -1794,13 +1794,13 @@ client = 58-curve-sect283r1-tls13-client
+@@ -1954,13 +1954,13 @@ client = 63-curve-sect283r1-tls13-client
- [58-curve-sect283r1-tls13-server]
+ [63-curve-sect283r1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT@SECLEVEL=1
@@ -725,15 +805,15 @@
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
- [58-curve-sect283r1-tls13-client]
+ [63-curve-sect283r1-tls13-client]
-CipherString = ECDHE
+CipherString = ECDHE@SECLEVEL=1
Curves = sect283r1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-@@ -1821,13 +1821,13 @@ client = 59-curve-sect409k1-tls13-client
+@@ -1981,13 +1981,13 @@ client = 64-curve-sect409k1-tls13-client
- [59-curve-sect409k1-tls13-server]
+ [64-curve-sect409k1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT@SECLEVEL=1
@@ -741,15 +821,15 @@
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
- [59-curve-sect409k1-tls13-client]
+ [64-curve-sect409k1-tls13-client]
-CipherString = ECDHE
+CipherString = ECDHE@SECLEVEL=1
Curves = sect409k1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-@@ -1848,13 +1848,13 @@ client = 60-curve-sect409r1-tls13-client
+@@ -2008,13 +2008,13 @@ client = 65-curve-sect409r1-tls13-client
- [60-curve-sect409r1-tls13-server]
+ [65-curve-sect409r1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT@SECLEVEL=1
@@ -757,15 +837,15 @@
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
- [60-curve-sect409r1-tls13-client]
+ [65-curve-sect409r1-tls13-client]
-CipherString = ECDHE
+CipherString = ECDHE@SECLEVEL=1
Curves = sect409r1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-@@ -1875,13 +1875,13 @@ client = 61-curve-sect571k1-tls13-client
+@@ -2035,13 +2035,13 @@ client = 66-curve-sect571k1-tls13-client
- [61-curve-sect571k1-tls13-server]
+ [66-curve-sect571k1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT@SECLEVEL=1
@@ -773,15 +853,15 @@
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
- [61-curve-sect571k1-tls13-client]
+ [66-curve-sect571k1-tls13-client]
-CipherString = ECDHE
+CipherString = ECDHE@SECLEVEL=1
Curves = sect571k1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-@@ -1902,13 +1902,13 @@ client = 62-curve-sect571r1-tls13-client
+@@ -2062,13 +2062,13 @@ client = 67-curve-sect571r1-tls13-client
- [62-curve-sect571r1-tls13-server]
+ [67-curve-sect571r1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT@SECLEVEL=1
@@ -789,15 +869,15 @@
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
- [62-curve-sect571r1-tls13-client]
+ [67-curve-sect571r1-tls13-client]
-CipherString = ECDHE
+CipherString = ECDHE@SECLEVEL=1
Curves = sect571r1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-@@ -1929,13 +1929,13 @@ client = 63-curve-secp224r1-tls13-client
+@@ -2089,13 +2089,13 @@ client = 68-curve-secp224r1-tls13-client
- [63-curve-secp224r1-tls13-server]
+ [68-curve-secp224r1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT@SECLEVEL=1
@@ -805,15 +885,15 @@
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
- [63-curve-secp224r1-tls13-client]
+ [68-curve-secp224r1-tls13-client]
-CipherString = ECDHE
+CipherString = ECDHE@SECLEVEL=1
Curves = secp224r1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-@@ -1956,13 +1956,13 @@ client = 64-curve-sect163k1-tls13-client
+@@ -2116,13 +2116,13 @@ client = 69-curve-sect163k1-tls13-client
- [64-curve-sect163k1-tls13-server]
+ [69-curve-sect163k1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT@SECLEVEL=1
@@ -821,15 +901,15 @@
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
- [64-curve-sect163k1-tls13-client]
+ [69-curve-sect163k1-tls13-client]
-CipherString = ECDHE
+CipherString = ECDHE@SECLEVEL=1
Curves = sect163k1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-@@ -1983,13 +1983,13 @@ client = 65-curve-sect163r2-tls13-client
+@@ -2143,13 +2143,13 @@ client = 70-curve-sect163r2-tls13-client
- [65-curve-sect163r2-tls13-server]
+ [70-curve-sect163r2-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT@SECLEVEL=1
@@ -837,15 +917,15 @@
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
- [65-curve-sect163r2-tls13-client]
+ [70-curve-sect163r2-tls13-client]
-CipherString = ECDHE
+CipherString = ECDHE@SECLEVEL=1
Curves = sect163r2
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-@@ -2010,13 +2010,13 @@ client = 66-curve-prime192v1-tls13-client
+@@ -2170,13 +2170,13 @@ client = 71-curve-prime192v1-tls13-client
- [66-curve-prime192v1-tls13-server]
+ [71-curve-prime192v1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT@SECLEVEL=1
@@ -853,15 +933,15 @@
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
- [66-curve-prime192v1-tls13-client]
+ [71-curve-prime192v1-tls13-client]
-CipherString = ECDHE
+CipherString = ECDHE@SECLEVEL=1
Curves = prime192v1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-@@ -2037,13 +2037,13 @@ client = 67-curve-sect163r1-tls13-client
+@@ -2197,13 +2197,13 @@ client = 72-curve-sect163r1-tls13-client
- [67-curve-sect163r1-tls13-server]
+ [72-curve-sect163r1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT@SECLEVEL=1
@@ -869,15 +949,15 @@
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
- [67-curve-sect163r1-tls13-client]
+ [72-curve-sect163r1-tls13-client]
-CipherString = ECDHE
+CipherString = ECDHE@SECLEVEL=1
Curves = sect163r1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-@@ -2064,13 +2064,13 @@ client = 68-curve-sect193r1-tls13-client
+@@ -2224,13 +2224,13 @@ client = 73-curve-sect193r1-tls13-client
- [68-curve-sect193r1-tls13-server]
+ [73-curve-sect193r1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT@SECLEVEL=1
@@ -885,15 +965,15 @@
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
- [68-curve-sect193r1-tls13-client]
+ [73-curve-sect193r1-tls13-client]
-CipherString = ECDHE
+CipherString = ECDHE@SECLEVEL=1
Curves = sect193r1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-@@ -2091,13 +2091,13 @@ client = 69-curve-sect193r2-tls13-client
+@@ -2251,13 +2251,13 @@ client = 74-curve-sect193r2-tls13-client
- [69-curve-sect193r2-tls13-server]
+ [74-curve-sect193r2-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT@SECLEVEL=1
@@ -901,15 +981,15 @@
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
- [69-curve-sect193r2-tls13-client]
+ [74-curve-sect193r2-tls13-client]
-CipherString = ECDHE
+CipherString = ECDHE@SECLEVEL=1
Curves = sect193r2
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-@@ -2118,13 +2118,13 @@ client = 70-curve-sect239k1-tls13-client
+@@ -2278,13 +2278,13 @@ client = 75-curve-sect239k1-tls13-client
- [70-curve-sect239k1-tls13-server]
+ [75-curve-sect239k1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT@SECLEVEL=1
@@ -917,15 +997,15 @@
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
- [70-curve-sect239k1-tls13-client]
+ [75-curve-sect239k1-tls13-client]
-CipherString = ECDHE
+CipherString = ECDHE@SECLEVEL=1
Curves = sect239k1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-@@ -2145,13 +2145,13 @@ client = 71-curve-secp160k1-tls13-client
+@@ -2305,13 +2305,13 @@ client = 76-curve-secp160k1-tls13-client
- [71-curve-secp160k1-tls13-server]
+ [76-curve-secp160k1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT@SECLEVEL=1
@@ -933,15 +1013,15 @@
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
- [71-curve-secp160k1-tls13-client]
+ [76-curve-secp160k1-tls13-client]
-CipherString = ECDHE
+CipherString = ECDHE@SECLEVEL=1
Curves = secp160k1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-@@ -2172,13 +2172,13 @@ client = 72-curve-secp160r1-tls13-client
+@@ -2332,13 +2332,13 @@ client = 77-curve-secp160r1-tls13-client
- [72-curve-secp160r1-tls13-server]
+ [77-curve-secp160r1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT@SECLEVEL=1
@@ -949,15 +1029,15 @@
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
- [72-curve-secp160r1-tls13-client]
+ [77-curve-secp160r1-tls13-client]
-CipherString = ECDHE
+CipherString = ECDHE@SECLEVEL=1
Curves = secp160r1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-@@ -2199,13 +2199,13 @@ client = 73-curve-secp160r2-tls13-client
+@@ -2359,13 +2359,13 @@ client = 78-curve-secp160r2-tls13-client
- [73-curve-secp160r2-tls13-server]
+ [78-curve-secp160r2-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT@SECLEVEL=1
@@ -965,15 +1045,15 @@
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
- [73-curve-secp160r2-tls13-client]
+ [78-curve-secp160r2-tls13-client]
-CipherString = ECDHE
+CipherString = ECDHE@SECLEVEL=1
Curves = secp160r2
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-@@ -2226,13 +2226,13 @@ client = 74-curve-secp192k1-tls13-client
+@@ -2386,13 +2386,13 @@ client = 79-curve-secp192k1-tls13-client
- [74-curve-secp192k1-tls13-server]
+ [79-curve-secp192k1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT@SECLEVEL=1
@@ -981,15 +1061,15 @@
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
- [74-curve-secp192k1-tls13-client]
+ [79-curve-secp192k1-tls13-client]
-CipherString = ECDHE
+CipherString = ECDHE@SECLEVEL=1
Curves = secp192k1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-@@ -2253,13 +2253,13 @@ client = 75-curve-secp224k1-tls13-client
+@@ -2413,13 +2413,13 @@ client = 80-curve-secp224k1-tls13-client
- [75-curve-secp224k1-tls13-server]
+ [80-curve-secp224k1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT@SECLEVEL=1
@@ -997,15 +1077,15 @@
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
- [75-curve-secp224k1-tls13-client]
+ [80-curve-secp224k1-tls13-client]
-CipherString = ECDHE
+CipherString = ECDHE@SECLEVEL=1
Curves = secp224k1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-@@ -2280,13 +2280,13 @@ client = 76-curve-secp256k1-tls13-client
+@@ -2440,13 +2440,13 @@ client = 81-curve-secp256k1-tls13-client
- [76-curve-secp256k1-tls13-server]
+ [81-curve-secp256k1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT@SECLEVEL=1
@@ -1013,15 +1093,15 @@
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
- [76-curve-secp256k1-tls13-client]
+ [81-curve-secp256k1-tls13-client]
-CipherString = ECDHE
+CipherString = ECDHE@SECLEVEL=1
Curves = secp256k1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-@@ -2307,13 +2307,13 @@ client = 77-curve-brainpoolP256r1-tls13-client
+@@ -2467,13 +2467,13 @@ client = 82-curve-brainpoolP256r1-tls13-client
- [77-curve-brainpoolP256r1-tls13-server]
+ [82-curve-brainpoolP256r1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT@SECLEVEL=1
@@ -1029,15 +1109,15 @@
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
- [77-curve-brainpoolP256r1-tls13-client]
+ [82-curve-brainpoolP256r1-tls13-client]
-CipherString = ECDHE
+CipherString = ECDHE@SECLEVEL=1
Curves = brainpoolP256r1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-@@ -2334,13 +2334,13 @@ client = 78-curve-brainpoolP384r1-tls13-client
+@@ -2494,13 +2494,13 @@ client = 83-curve-brainpoolP384r1-tls13-client
- [78-curve-brainpoolP384r1-tls13-server]
+ [83-curve-brainpoolP384r1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT@SECLEVEL=1
@@ -1045,15 +1125,15 @@
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
- [78-curve-brainpoolP384r1-tls13-client]
+ [83-curve-brainpoolP384r1-tls13-client]
-CipherString = ECDHE
+CipherString = ECDHE@SECLEVEL=1
Curves = brainpoolP384r1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-@@ -2361,13 +2361,13 @@ client = 79-curve-brainpoolP512r1-tls13-client
+@@ -2521,13 +2521,13 @@ client = 84-curve-brainpoolP512r1-tls13-client
- [79-curve-brainpoolP512r1-tls13-server]
+ [84-curve-brainpoolP512r1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT@SECLEVEL=1
@@ -1061,17 +1141,17 @@
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
- [79-curve-brainpoolP512r1-tls13-client]
+ [84-curve-brainpoolP512r1-tls13-client]
-CipherString = ECDHE
+CipherString = ECDHE@SECLEVEL=1
Curves = brainpoolP512r1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
diff --git a/test/ssl-tests/14-curves.cnf.in b/test/ssl-tests/14-curves.cnf.in
-index 5653e70bef21..0b49d08fa59d 100644
+index 1e003bace0b7..db3a467d2384 100644
--- a/test/ssl-tests/14-curves.cnf.in
+++ b/test/ssl-tests/14-curves.cnf.in
-@@ -36,10 +36,11 @@ sub generate_tests() {
+@@ -55,10 +55,11 @@ sub generate_tests() {
name => "curve-${curve}",
server => {
"Curves" => $curve,
@@ -1084,7 +1164,7 @@
"MaxProtocol" => "TLSv1.3",
"Curves" => $curve
},
-@@ -56,10 +57,11 @@ sub generate_tests() {
+@@ -75,10 +76,11 @@ sub generate_tests() {
name => "curve-${curve}",
server => {
"Curves" => $curve,
@@ -1097,7 +1177,7 @@
"MaxProtocol" => "TLSv1.2",
"Curves" => $curve
},
-@@ -100,10 +102,11 @@ sub generate_tests() {
+@@ -119,10 +121,11 @@ sub generate_tests() {
name => "curve-${curve}-tls13",
server => {
"Curves" => $curve,
@@ -1327,10 +1407,10 @@
},
test => {
diff --git a/test/sslapitest.c b/test/sslapitest.c
-index 1f63212f9015..4150e462c1c9 100644
+index a27f5b881c47..5d40a747dfcb 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
-@@ -9507,7 +9507,8 @@ static int test_set_tmp_dh(int idx)
+@@ -9587,7 +9587,8 @@ static int test_set_tmp_dh(int idx)
*/
static int test_dh_auto(int idx)
{
@@ -1340,7 +1420,7 @@
SSL *clientssl = NULL, *serverssl = NULL;
int testresult = 0;
EVP_PKEY *tmpkey = NULL;
-@@ -9515,14 +9516,21 @@ static int test_dh_auto(int idx)
+@@ -9595,14 +9596,21 @@ static int test_dh_auto(int idx)
size_t expdhsize = 0;
const char *ciphersuite = "DHE-RSA-AES128-SHA";
@@ -1364,7 +1444,7 @@
break;
case 1:
/* 2048 bit prime */
-@@ -9548,8 +9556,10 @@ static int test_dh_auto(int idx)
+@@ -9628,8 +9636,10 @@ static int test_dh_auto(int idx)
/* No certificate cases */
case 5:
/* The FIPS provider doesn't support this DH size - so we ignore it */
@@ -1377,7 +1457,7 @@
ciphersuite = "ADH-AES128-SHA256:@SECLEVEL=0";
expdhsize = 1024;
break;
-@@ -9562,8 +9572,8 @@ static int test_dh_auto(int idx)
+@@ -9642,8 +9652,8 @@ static int test_dh_auto(int idx)
goto end;
}
diff -Nru openssl-3.0.9/debian/patches/man-section.patch openssl-3.0.10/debian/patches/man-section.patch
--- openssl-3.0.9/debian/patches/man-section.patch 2023-05-30 17:39:06.000000000 +0200
+++ openssl-3.0.10/debian/patches/man-section.patch 2023-08-26 11:29:40.000000000 +0200
@@ -7,7 +7,7 @@
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
-index ebf20965b7a9..5b7e317b51d1 100644
+index 17e194f1ef75..18255fd43b94 100644
--- a/Configurations/unix-Makefile.tmpl
+++ b/Configurations/unix-Makefile.tmpl
@@ -318,7 +318,8 @@ HTMLDIR=$(DOCDIR)/html
@@ -20,7 +20,7 @@
HTMLSUFFIX=html
# For "optional" echo messages, to get "real" silence
-@@ -1537,7 +1538,7 @@ EOF
+@@ -1538,7 +1539,7 @@ EOF
my $pod = $gen0;
return <<"EOF";
$args{src}: $pod
diff -Nru openssl-3.0.9/debian/patches/Remove-the-provider-section.patch openssl-3.0.10/debian/patches/Remove-the-provider-section.patch
--- openssl-3.0.9/debian/patches/Remove-the-provider-section.patch 2023-05-30 17:33:23.000000000 +0200
+++ openssl-3.0.10/debian/patches/Remove-the-provider-section.patch 2023-08-26 11:29:40.000000000 +0200
@@ -11,7 +11,7 @@
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/apps/openssl.cnf b/apps/openssl.cnf
-index 03330e0120a2..215768bfe710 100644
+index 12bc40896ef2..c58ef2983912 100644
--- a/apps/openssl.cnf
+++ b/apps/openssl.cnf
@@ -51,11 +51,11 @@ tsa_policy3 = 1.2.3.4.5.7
diff -Nru openssl-3.0.9/debian/upstream/signing-key.asc openssl-3.0.10/debian/upstream/signing-key.asc
--- openssl-3.0.9/debian/upstream/signing-key.asc 2023-05-30 17:33:23.000000000 +0200
+++ openssl-3.0.10/debian/upstream/signing-key.asc 2023-08-26 11:29:40.000000000 +0200
@@ -5,509 +5,372 @@
iN7I8aU66yMt710nGEmcrR5E4u4NuNoHtnOBKEh+RCLGp5mo6hwbUYUzG3eUI/zi
2hLApPpaATXnD3ZkhgtHV3ln3Z16nUWQAdIVToxYhvVno2EQsqe8Q3ifl2Uf0Ypa
N19BDBrxM3WPOAKbJk0Ab1bjgEadavrFBCOl9CrbThewRGmkOdxJWaVkERXMShlz
-UzjJvKOUEUGOxJCmnfQimPQoCdQyVFLgHfRFABEBAAG0IE1hdHQgQ2Fzd2VsbCA8
-ZnJvZG9AYmFnZ2lucy5vcmc+iQFPBBMBAgAiBQJRgC7CAhsDBgsJCAcDAgYVCAIJ
-CgsEFgIDAQIeAQIXgAAhCRDZxNJtDmBEkRYhBIZXq7Jg8Fax5RkIOdnE0m0OYESR
-Y/4H/RKxZJ4saj6+Khvz3flSKt6LgW+fMY5RXXD92AMtLNq+bKxXFvir2mynW+PU
-oS2bXy/Nk7v0B4BEbBZNBgaYWas1FZnYOBuMbIngtLmQsGpD0VoXu9QW2aXpHTjL
-H5FOBBODrTVewCN5Ty5JquZ5mAZUwAiex0ytRzviUl5YpKei+vggU52CJT96e/X2
-0rfnlux9O9vSSwTlDvCeehFd0vI163QBZ/h52dYMSdFvpwhUMXbxRGPEfrIh+oBV
-7tWe4MHhJ+5yThHiBgVL/EZ9OChw9QNnitTPzCV4YvAMiJTsamKWa1lOXUVM+QVr
-+aptwmB1VMmotk7m8hImRm+oTlS0H01hdHQgQ2Fzd2VsbCA8bWF0dEBvcGVuc3Ns
-Lm9yZz6JAU8EEwECACIFAlPevrwCGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheA
-ACEJENnE0m0OYESRFiEEhlersmDwVrHlGQg52cTSbQ5gRJGgPQf/WUQld+vrqt2+
-yTI6LTNTQBG9RceNuaZiRnsROR1eHtVr9OOfzVPenCavcXghwsY0sPPgSDrvFur9
-PyuuwQ87HmdX+ZGdRP3tSaxC4udHbAsZtEG7bgUozuhfcpC+Ah0lZ3EccmyOkYJW
-ITWYgUBEDOU37qne09udDMA2NHLuL89hT+eIZ2pVwyFydkJfkXtgfrDq3RmZgfeb
-VB5ESdap/G7t7Iewi95syApMj9swbxnsqUtmFr0fCsVdAA8hJPqx9zVuUon0g1QM
-z2IroNH+6WTDt7SGYcuqNapizk/PJd6g2ew9cm3r3CIANiqPgo0Mh02nVGgX2p9v
-WcT4MzquBrkBDQRRgC7CAQgAz2dQkASmxUFjAr3Y8/0yWjX961enomAEjryw4InF
-PDMGttPMiV69VBepb3N04MPo5spyAY24b4bo3Cfng/oxxGl3Z3Giv1gD7JojTJPo
-JWeHGxePBz++5Di0EAvq1+4wBdFUh4RWTbZwqTgckHrwiZcIJF3JGL0cgTmJOtke
-wcLiyMCyKuGVzSjyFTeCqQqHYSHBrr5TyXM3HTqGgURnEhVG16jPWPMIciYXsRfO
-0RwMhqY7y5yRUoC4psmAUaRTduS82BaVzw+DHi1FQ0kYLUsTidippITB57VKkD9V
-7CIM5uP3s+jMJMXNEJQEKdK9oCVOekD3ROc4Mftqv4vloQARAQABiQE2BBgBAgAJ
-BQJRgC7CAhsMACEJENnE0m0OYESRFiEEhlersmDwVrHlGQg52cTSbQ5gRJELNgf/
-elwfYchaV/24buNWDa+50gOuXQ4vXfj5DKry6aYnJBt1UeMV1ssMxCU8OltgzTMh
-TupjrXV1oDXYAxexymWLxwa+qcrbSwDD+wX1gb1O2GOfbiplEnOb5dDc7Gkm8eTw
-0kBJEiAiyPv4SMLhFzm+me4Dq1+xdbsvN05hxTjow9pi5eYrFMxYWi1ZNH2UmPpg
-oIN/4p28G/IN9fdWG5Ni315p3WhLHRMzC609IOsCIJsm8+lHVblT30jxpctFVlQB
-tbDTzgqQLiaTVevlca3VYgMd70D28d186gxUtSEpZ3dKkv+0V8DLhQ6VR/wQ780H
-KIpFp6UWP5aDxpEoOEwe2pkCDQRg8UwlARAAotCdQIMF8Y6wFfxmpuaOGmUlXDxQ
-XDtG31jC+Zk/GVHN8TtXK+eQ7HG5F29uzivxUna6tWD+/qQrUmTrLTT2P+5OFczU
-taPFaDMyWdywIlyOVgfyxxfF0ssxrhRHKP1U9YY072/BFtipXAQkemNts+Vpta1S
-6ru0PG/339fjP5GljOgRYlCqnwWXaibgwzRURqha9CYwqJdA9b9b6JZZutdjgESq
-c7lEjhEXXNdbrYnZBooWoKSQ8j+Wvqh2eBjc2ZGfgQXbrmQzFHRCoCtvD4tD9DZt
-e10c19Tn9bl6IzL66KL+yvwZG6b/rr2aIkhAHg/hv/k8pPVS4Zso4vT/tJcGMh29
-wAoEt8BJc+wmcBYAd5IybzF/dzpQgDK7hYbf/uoULtM8dSj8cfueY/8O6Elcx/GZ
-mDQ+ZDOM5RlZycSZOmgbvJWjgEWcOxBDc93PoXYKPgvpF6LLTbG4rkE0J5RRWiDO
-1MtNvcFp5QikhJshJVvWQR5z4XIoYvFm36EXU3HXzK2sQhCFNRv6FcWCn81dpKGU
-0pMD6aiWHJMox7O2Xs+QN81ZQFzxRFSxAhK9NhEqVsRWm5PIrQM9KDGUp+bW95QR
-7NVxag7yWqjBNbp2rI49OmFLg4Ch8QlmS8aP3HyUa1cZUXLA4Gd7OD48SpAJs1F7
-ecm+ytxFVg0K4tMAEQEAAbQbVG9tw6HFoSBNcsOheiA8dG1AdDhtLmluZm8+iQJU
-BBMBCAA+FiEEoh+rdLAIiqNhFSWGuO8aa6naLVwFAmDxTJECGwMFCRLMAwAFCwkI
-BwIGFQoJCAsCBBYCAwECHgECF4AACgkQuO8aa6naLVxBqA//QskRTPLc3HULEAXk
-HsChkxnSbz8fbGgyzuhFclPZRMvLyyjB55gJPvZslQX9FB8Qo1WW5b1xC+lP3giD
-VvEwbvWR+egDJD0IL32ZBCq6QaD9sn5APf9q3woXnO45BVMAK1igAfIciz4gAV3Z
-t70WTIYgQLBU7/a3a6/PVpwL3HfTlz8axDO5jZJAg1JUZH0cHcUns0rZif9fGzOZ
-a5UeA4/TGFDonmCArLv54dbvQvkAzhq7qP8ZLuwfO6lUpyjODMtvP0bUnho0wTcN
-0DxJrpgKyDTVAzWW3t3viJtt5ercj+55rS26NMD3EQfauCtRpZnnKs0oC7HX/GAj
-mSmsfQy2gNn1lSQsqdtlI5Aph5FYHl5gcp3VlXX2MiTuCxiYTOwX5lhmv8iESkSm
-RpSWr0WPlAJH6pFwm84RQyDMkU1N86iXyXF61Q7JbwdZjGwRiEe4Ji9h0k6DbzeR
-NsYhGph20jr9M3tFcOQNTPEu9Yvoy1Enpxk4Iy3budviu0hi7coRv5AOTabzMgiw
-TmGfuBz4GyMCi5XJuUkSes+LCi0mZlOxyzKevY13xkKo2GyaFBB7ArCznlTBojlW
-aqGVkFnDB8vVbzgNBVceNca6XQy37fWnfnDP6GomFxFoamEZwTOXiB9AdxzpP5Ji
-2enKzRPl+cRtaoaGYALqzDK4jxW0H1RvbcOhxaEgTXLDoXogPHRvbWFzQGFybGV0
-by5jej6JAlQEEwEIAD4WIQSiH6t0sAiKo2EVJYa47xprqdotXAUCYPFMagIbAwUJ
-EswDAAULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRC47xprqdotXHrLD/4xu3Rb
-/2BCJ+6eO8APqvuNyqK45PCy6XW/mIVRKV4Cyt8lDTnIIbPnvlMUpUuIw1fU4aSo
-ARIEwp+lfLxFnuXY7y1XDlDRv8Md95LGSgzq2bdqhs8/VQXdrq9dNB4wN4mxgpTI
-3ITEAnLZQBwQiP41e4PUrxSB6/6hAg56+dJYeJDXgWR/+oGBJwdVKpHPu8v9IKKZ
-N5BHMTtNKio/XfED2rbKFhTgVujk9JXV+ZtfRC/seCrtv2sgcJqG7EMo93A1fHCT
-fUMScQdQKiwClyt16REPEFBEaK+mdoELvWwkaEApd17vpX6odoJn6F6FomRYp6Ac
-xBE7SCxFHTWtjLCYXjblck3/lv7638gClZew4D5Pp9+tH68ZkfJ+6ZEqQ6tdrPSe
-Hopl+2lJW4Q19l4jKP5BktqKNrpQdPN6CatPVIniNmnMESJ+nxQDl8eAq/SEQJyr
-bxsU9185AyfFpAv/kBO8FpI7Q/feJA9iX9RgqhSFj8fifPFV6eVG6GzhDWARlr3O
-T5IueNWhSpF3uZryvZ9hZk93zngZ8oU9uye/VGEpDoPWZNKO5XCyr4F906jsEa8D
-DhqsgSKx5C6ayG3l+SjgSMr7aL8k7qt6YhejnHzmLmSTnFeC551ujpPbIImtVoKj
-cifhUnUperS2m83DOrGdSPLZlweAXKBxQfTdALQhVG9tw6HFoSBNcsOheiA8dG9t
-YXNAb3BlbnNzbC5vcmc+iQJUBBMBCAA+FiEEoh+rdLAIiqNhFSWGuO8aa6naLVwF
-AmDxTCUCGwMFCRLMAwAFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQuO8aa6na
-LVyVHw//ahSVEV68q/P1ISiSAGEGsHN64EgnjGkoutH4D4bXgX/VTwOcPODii7Z2
-RXD3KbxqWh7kcY/pnITkqNh5GM+3rHk7Fm34Lg4gTX9bANCFuv1nyI6nxpYsP4pC
-5/5gPBoC84DzxIhG2R/oGfidbbcb9eRPHVlUmCCyXJ+1S1/BIGHPd7moj23HOsBt
-6gc+VA+xVuqYOgIxIc+o+MkAav3QFFC/Z3668fKeuePGrJQEeQO3tZFj0jJK1w+h
-AnZSfC0Xmj44lq7ywrX9THJgECZF1/Tyx7T7ZF830/exnXBFrTxd6qbvZPICt0Av
-3T6AAiLA1FNfprmqpUQdwKMy1RW0idpANAapx74Qfu3CAf2ZAGrIiNYyfVz8CSZ8
-2RpURRiZ1IOjEV//xSL5clYvoRbdQ0NrVjKOqXrtbDQwzjWCi+/zYRXnSYSEaGFI
-kLXBLlqrU4zlJ+xK5GgtsqvIc1oGAntmn8tbFL8g7VI7pXVUzc1dYnODDwvkGeWR
-MNrh3z9qBC5Sts1JS2SKbQcL4M6sOanMY9JwR6Gg00ciV61w1n/w7Mkug39bfFIn
-aHOlt8zRISm2m702+ILVo4Yf0HsyTbckUoOEmdmcfhMYAJ4BXYSlJNNV8rS3BKmB
-4zozumR6T9P/hO0/Mme7CMOQJwQv5pE26qeTbG5P7KaDdFpez2W5Ag0EYPFMqAEQ
-AKYlkax43RLvRadsneyvd1abbbAFhnmaOmnQO5Cq3QfgxcMkHUECBhdTKMcym963
-DtrMaFP0p2P06cXVW0jtu9TC1HKqBHORfrsbl7KeE8ebOol2PcU8EHgYvKQFEEi5
-VnP8qGpBeLGoRvuftDVA6XYwhHr0cNpx1WzG8swAoAdFURK4aWOoDgSuy5B8FwBF
-4daTfN+j9bNwyyyJ46DOdCBkCSyd/P3QXln/Zaiaw4n95WfQa+4dsR1YWo/tPIli
-hV2/jA5FupVzrk/gPKcxym89U1YaKYnfTTnMPMLNNFZ6vUdP3YZPhU/NVyQuhpqA
-Ytho4yqSzTM3wROiJCY4Z4DGPVs+bEn14cndMe2RnUt8PUoiF16McN+cKAtf1Huk
-FWrJv5XQjUjR+t8vBuW+8DQPOP34VWvf07oPM8s0Y/aeRnu29cjG7VcvUXrfHtcQ
-d8jiR/K48Jndd6HDQaxWIQ+G9fj9A0nK+E27q0d0uIMM2sAdo7iE6BC0BrHkfJ0I
-PJOhZOb2fDGmLJTFNs2ux2t+/QvPgPYdAtpqG6rcOxqvDcwx9h+AYKctAnvAclp0
-RxCK2XCuL2Q08wX1vpWCQRxZTXNJoXldooer45s/eNHGpMy7xheuVAOvbbEvEP97
-Fh9kCxU8sHXBFGTYGUVp3JwGiziP58NcnXoMPBfrNQCxABEBAAGJBHIEGAEIACYW
-IQSiH6t0sAiKo2EVJYa47xprqdotXAUCYPFMqAIbAgUJC0c1AAJACRC47xprqdot
-XMF0IAQZAQgAHRYhBNxwMmYq+IXi9H8kP1J0ZqIcp55tBQJg8UyoAAoJEFJ0ZqIc
-p55t7/kP/jaWELjvtGue/qLcL7jd8aDLDpoop4J3eruX3n4vKgox4GCcZ2UIYoZO
-DDsomOOgsSSJhSiOjNdx+UpbLmhjG5de3+VfHRO61Aw/Q/bQ+PoVXudOFLAHamih
-xYRPMcliduIrfS5iF2N+fHEO4JvxMwP8AihHs9WfyFJceoaxugZwLhOhWIS00LeV
-nAhmwNeyO9jNR+dK1/H2tPKjoOK88jRDnrM9WriN6bdVTsv1SaO1fqDtss+DTRga
-owjdZjDpgZdbwZXWc+KGSb6qAhYMeAY+IfCx4pcoNjlmVeF4e31Bh9v0SHXwGIQk
-8+PeTdbHQx3sPUHNzz9L1cs8KAiWNpqAomdeitKNtea4GACXGNiggorYY8PpLR2f
-xNdPHJiSRNGVxvbBVXRegBxBKH2mEYFxL8BTsBAZ8rQKtpdXj5pU3unruf4UjGJW
-p/d2KbBdraJfo8OxfmrKYCtiT1qgeBbLqcZ77wL8xga00xnwi+M+yvP+kJmKyQQc
-sdFv5ZBbHmxHzs9EmP0b7GhkNyxJkJG5/gs9nNj8JiLmCYrLpxzQtax+pRdWtfQ9
-paXvNhId07FxLII7ctvrIbh7Cgl/7J0mvs8kqjG7BOqP/AKrrk+7ZHRzta2H6933
-7yHl/B1Y+jSptXspOrsghHG9PI6gVjhvLc6TbejyL4sq0Eayvp3Ei48P/Rk+C4WS
-p3yzOaVQBVdI1an9vZVYZERw3ojZnaa6qb1t+XAEuyx9sL9sRo+PsBmiZpLK7oiY
-9irTQFmvu1L3eMb57ay9xfZBuagtOIk8fZ54OKpYmQCNcBsU/3wCkteuS+bHU10b
-3MsKJLIcbbD4Al3B/ydr/yQugRp+OKPKqPwixiGkwZOlfDX2OGKjRcjGjEQEEkPT
-5NCl0MbMHcQEmmM002/d4JrqDu16yLu2ntZaaXi9xweYUNP8xdXFcwqy1337BGTV
-Vv9f/VWponEzlj/HVf8pTfOnezb3yZPC+zvmCLBCmIShA3wlyGaxe2J7vUglokfC
-wKsWaQcdv+paJpkCe0ZSqxwZFlBsgvFh2K/7MTkctLsUnrxhXHytrBTJ6SyYQugv
-N9DtOQekhU1k6w/XPzQtkgw1kAq9U7ndxmet+AaME5UEYCaRiXNrOMDjGgEZ4Vba
-/xmUIXwszoXGhwFTAV9BRHHvi5LYoRJ8xCSYHP280x/rd3yFvG0uHOuWJcAszAid
-aGMgC5Q9QZWesIRUlVGa6LmFbvHYieAJX/foXGDlPxp28ot2xW0RoQVc/JQd03BH
-j9NvoEkhQ+4g4tlrd4ZJmGGk+5N2BjNpLF3UNuUhjNWluHa8WqgI+bGePDl0zDU/
-Yq2t0y/6P16ehkYVRPIjpSSmxqKgvsHIR5jiuQINBGDxTCUBEADfyegcqR2Ls6sF
-Qx/IawkCdLPSNXxXYrutLmni00D3gdiVcFeLfVmbDOplTBFGSRiKG5NmORRcy7B7
-Wz5UrOzF7S4ZS2tOYojF6qGbEuxGCPhgzTujj9Y/IfTp9iJORJyv9HVhkIJUmP68
-sPuUoXQIx0neIQkbwcX1+xSRja7yJCKfAMZU7zQUMrkeK5bjp30tS1xQ5Wk1sUQG
-QSXQfxsgGwqippH25F2WzGRQPdxNrJKyyeugj4GivN6/g1IuvhMrzik5GcNDlOkt
-JO8U+GdX9AG0vzjeRvMIy78Srvk5ndixyzFEzIkkO/ytIsOPqZrNfjDgVhQ1/Gkv
-6aEXtDUu+/USJPh8uDhu/ovUaX+MFPmdkB21GK7p+oe/kckr/hNu0FgoDbgHZthf
-HCLMUNwdJgGqan9hAiJDWz37Q5b/4g6swMQKGzSc5bCkK3EZhDyDqjcYt0z/h/OX
-pMB03cMHT2+bvKYHoaQ7pnIsh32GewN3jZekbm0DCFkIEM8VG63lCZCox8C6KpEx
-w2nyXiiO/tpyCOK96XkHxDdI2eR0lx0x7uOdtBVARzbrb7h6gstJ0K4b6FxHw+MK
-GJNuzjsEih7tWXRBWuoiR3gFtH+qUjjJBDA0bRVr9P4VaTQ24QPowLMMw+Pl2A5P
-sWXQzjbmvYpzvd9DBiNgbC0NZKLRUwARAQABiQI8BBgBCAAmFiEEoh+rdLAIiqNh
-FSWGuO8aa6naLVwFAmDxTCUCGwwFCRLMAwAACgkQuO8aa6naLVwVNg/+Lxf+Ra5D
-8+/I0pe2De+4HP7E6QRjIUMYWcSqX/vMRP6IoPfxfdATCmhQH5QoYhDD3Pg49Faw
-hsD9sTE1TuCe5cO20690QbhE7lavEt14LZk5V8KEUC/dV7aBowI4X4KV24vwxMme
-vt+EMDGK+O+K7CojLAXDEp1kw7qkapBWAGheC0Ww+kZFnJPgu5OKbPyiH5RCokhL
-r6Y5NU6Ym8KErfsyHmSOrrEi1mxnAA6p1x3tBgpVKnDGGyIC81cl0EM1L368AM4v
-F731vvEIT/geaGU+svGAQzR0A3CEwuDmGlR2J2VkvrT7T0GSuHbgJWUXf5QcSj2z
-Vnnubnz4eQCxQCDaQVj9ApxylY/z93wXAq89mWGh+YkJqoUmyd5chSiaEEIK3J1m
-5zliPdQ3YZrxNhiMp9SSRBU9mEKkR+dnQ1+YDpeTnME+z8VdY3NN24WbDgspQaKt
-WHfYg91NG4IqiO9XRma12amkM7ooAkcZb/Jxfe0lBiwwrr6guXo5nnEAWJiwq4CI
-kXCPhV0lZ2YVGJHgW4PbFwpWvJgoMRdUYR9kvc/W5ayxH9q/pf/D9PiFppmk7wm2
-e5CK1LGxr+xTQrm1QN1F3Mz6w0e4UAv8TQF9UVzBjZj67vcFbYJ5+9lJ3qA/3S2G
-OuVP2RSzXkAJ6vXN1SSkNkyHY7xmyf5OKseZAg0EYCmvuwEQAKjJzMcw2BaJWDiM
-yO12RvmPtywo90XHwHsUk0wWsv9n8jUGPAxNDt/Eq8M3rPeaMAwqFT7AIv29RJIx
-S3LN79+jHT2fziNgPA3effujOSuFwMHTWJqIoIJ5E0RbqZ5Ozf9ok8YLOcg6T+Qw
-eWdmdA9xKmEh7Gj9lTIHn2HqybPYu+hNmDRp5l4nB7Rx9pWdZgDVr3Cv5AkNDBGQ
-Sp3LvvZwzTc+Gz+xFZ3j6cGo/VfFaVffRiNUaMOxjeAf0ADLihSdvu06aTlL0Ugq
-4x2SRZ5TQBubz/fo59nIwVtkMAxs7yLe6fh4hA6Dm2PKdJdh6XeeUn9/ChId58+B
-q8KQF2SeTzjYsz3Gvba34gqbL325bsUOq+PBs+gyDrPYlquXQWq7caEiMKYox7pM
-F+RjAHh+nkq3NHCtKMOjXq+Qygzr2ZeoDvB/UlX4Eq8TpBN4823yLHiJvlzqY86s
-WdgbVfe2Q05zj+ropwZu9LXExrHXarb/NJk+agm/NZOtIXyVANkqMydeeGtkxjyH
-uW79ATgNDUz1TU8V1/q/Aus1ocd+L+tYpN5+ysanZMipTiWbjmnR8OuhioMwv6Cn
-xExRkFTwzjAbCGW50SIKg4WNe7YQK++CsHskeuH4W0y65E/HirZ5E7vk16kN9mqa
-njw8iqS3ZvdWOKw1x4HvS5iJRDZ5ABEBAAG0HVBhdWwgRGFsZSA8cGF1bGlAb3Bl
-bnNzbC5vcmc+iQJOBBMBCgA4FiEEt8HBQ2DzU6NoYuTVIxyEzdzGnEUFAmApr7sC
-GwMFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQIxyEzdzGnEVrRhAAgCec16Tf
-5Rdkv+7hHqGz+UmikL2n8wVsKcvRvXNmdvMptu9rXQ8Dc8S/6zOHKUMp4MhsMoXX
-ISMjgFM0ItLywsoRlZItMxbUxmGbFablN0V5uGiPpOON/GZ7gRPKTf6/eELdiWbS
-OKoccSu61EA8hbVUMVBXEpk9qy/XKPdg2IFKS1NIfUyNlm2UNiOn3PdVNzO+s7cE
-EklLFDkJjvj2kTC2PB0tOo5W2gkvy2Fncn2NKdIOyAVWn+k81XHFX3xh3z0mozfg
-y864PeNhI4S0xQImAwVc1n9zb4Glatf6yw+qtj28Guruj3Ur45AdtvhnWmMr93MO
-rXzcTfa5M5htyjuBr8moTtz33vNjR+BCwjOF0S94LigzJ3PAdD1bMdRhHsC1OAX2
-QqxMfLwfrJ7e5okwgxIR0C8jibEb+T/Mb9Aqsi3WdQmH8zu67YhP18z4ChH7ZVXW
-7W+KbGkKk5elMHiZMhHlh+JpF9ecebnmKr+h3FWP/JWoVRy6PL5gL1ICgpEYlFBX
-Qpm6vXEA4myDBQnWJclnDKmjCQjn2OnCXapYJ9khLVmukh5uJWThkFocN7W/Xvy4
-s7chqxlHscu9wPsRJfxTzyeDwnWdcer5RzviPkNzoIxN3lZhOQW+GM7fcmIedwrw
-Itg4Wyd0gZe2z84SGnTw3kkQscJ5K67hQhu5Ag0EYCmvuwEQAM1DrDqNA2rFbEcO
-MnNxdyVAkU8HaqVP/l4xrtB45iInkOZjZVA/QyW2SatzxP8j019EWloHtn7zMTmW
-aNKLc3l9haOGhmn2g/RZh9It5/gqkPsp8QRNoGiGfxzDQq36eYQ33TjD2SksT5YC
-8PSpEqeKVwJRYTkSzvX1bx0yH/xwHoWIIjnybIi9XrfINXUOI3IRwo15qwgUXyfc
-UJ3SBY9ddL0V7ua5CkgngtvanfKWpxj1RpTyf4tABvUsvWQLjrwxTQsGGGQKdnYF
-pxacm7smvNDU2KGT4lHJe3RABFyCwhO3z7etB1kNvqjqNOLEKU1c4nYsZkwAjY2t
-Cml+fe4GfLTq97J172XeuLC05jCoR8RO3o413LSA53jN6U86d8y3PAN48LSbRvmJ
-s2wwZVga7lua7hcVmuTyK9wCISDhMkdxi1SZ443K6GZoJtwbyKfQZm9SBv9gtwGk
-sGEUVRR3UAsF+LpxeW8WVJTQcdCg1EgDIW0LUNBoA5ZD2/bUpIXrMUb1CDfIcrL7
-EGNeN+nQhk6o3mOuZfFt+X/4tapQcPni2ZKIetR/UKJbqej7hYEj1/r/5AJUsUGh
-K2U2ChG385whearVxMnalNI+XdLT4ehsIRqWUQYQNeqwbGZXaQ2bGxSSz+ScQYUS
-Wn9e0yuHKSJwh1Bie0xpF5uWOumLABEBAAGJAjYEGAEKACAWIQS3wcFDYPNTo2hi
-5NUjHITN3MacRQUCYCmvuwIbDAAKCRAjHITN3MacRbZ7D/4jMZVeAHfg14edotUN
-O2JReCs2g5XjEVNL6S9lesYLmL6YyFp709yC8DKOywnt1U/ZEkFI2R93GtF3YPgc
-Vx/d2f+frjoc2JOKeKt++hR/hUgDWN0On2qLGL/+07t+w/Kffl3rvY4D0ALdxwGC
-OLpX1cDnxESicX5qnZsTQkElhMlmsRP1afIE8SN592k5FIdpeqKZ8c3n1BXmBcQV
-ngKLWMK32fpYRvSij6RBORRvzPsX0/7uiOND7gquC2Vdv2KPELAx8ZE80iee6arI
-onQ+FNXCEzUk12LnefBVj3w4YRldaIo8VDqUAbIstfBo5LO0oZJ2wU8r+2nJWKHC
-ioeMkJTlK389WWm9EqFu2rbgV8O7tjIM7ZAOnb8X5Ah1WdQU7YjXF5vaT79PH7ed
-8pg26L4AVq505uWthDM+uWzAnMKaYH85OS3C46qvae9CvYlTCZJpG90IB7wQj8cB
-r+6OUDztPr0vhProrAFa4GQhhlDEW0KIL4GaSw8Jh71MFNmbb7zGTpSJIwq6vARJ
-OQOP+5Qaa0YeLdxIk9JDnHjUI5IRz7/JnSR5BNKeeRWsHvVwyvbJV71ZaJSpSgdu
-TCKLL1gAeSnvqMdtNGwKOzw7ai2KgBbTphvuvWJanq3CH+CIHOxUmd14/lKz/zlN
-B+uXzHzImO/U5CIhGtNPPoZ1TZkCDQRQAG6uARAAs2kXLX9f3Wn7Nk0LTqzHm85M
-uExsNQa1hVp/8XXPRy5utfmPXBpBBari8Lww3bP3ErfielPur6j6VlbdKapr6O21
-xecOtkBgPPHOUf9qMAen8OeK8Rr3SZ3kbR27Kj7gbVvv/BIgI6Qr0ocOf2Af1U/8
-2wYLsB+CUczWN8ka6RSdHMEQ+5aNcJ7QAjBTxuXjLvH5VP8l4T+h6fdqZzbpAY8Y
-Gsrr4r2KQpd5ZiaxNkASL2iBEtlvVwavDGncfyZTe075xoQM9hp9WeIfGPxD7bsu
-zl1e5rUH1tAcj3b+BZlzvnXyr4cq0yYPikJaZ6MiFXEuoDgC1Di2JTyARJsGUw6c
-eQOWUbH1M8arsL7L7w1QwYpLkAJdutYTuT+V8cuWWi6PH4vsTAPI/B31VYLIBTwL
-wMvIjP6TbdwRVLpVcY2Qca6vaXeT13cS8baqQBGfl588OUIIyXtzDFl/OXhNp0Ey
-8nr8xEShVoujPXQaQhDN+LihefWVEP4uhkjpKMaaJDVVpzp6YjoKegABDrQvBvfm
-fqY0JTwn/S1OV5m/9Ssfw0ZJi7rOJx2ParWoldV1EgD9VmUq11JVUDDsIiYL3sFi
-ahYr8vNpTO5+FpJNcH4yPG0fK0ACgYh4sFQ56V4K/Www1rtzkmewlOW4swKBoCJY
-sIF3IoGaqz1ATZI2NgsAEQEAAbQcS3VydCBSb2Vja3ggPGt1cnRAcm9lY2t4LmJl
-PokCNwQTAQoAIQUCUABurgIbAwULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAAKCRAg
-ZMU2QcJeXcwkD/oDkqfF8+t4xGRprFDxJbn5+jiwES/aSmZwq7s3XDjlrIq9cUWY
-Wbp7KydKgjGqkGVMSuLV5bjKure6nbCMpaSOu1qBN/aG3P//3kIZ0U+09aR8EdRI
-YOVJuo+P45xrXoLS80roJArRScWkPGg6mk9xW2OueMVsLSldh1zKDAb/UzFoZLPp
-ekK8zn27NV0kXqFMVxjYRgKfcoNj0U7Z6q2eji1HoIwl91Edt6TmjbmwMOzehLj5
-6kvFP1h12ppim3+yz5rrxXo8Z1unq1GpxXY/v0CiBNZABHX1qa089sJkilErLpx5
-G4RC8VQF+KH0T4k6P7EP/4SDu8WDlzNoXtPVWYd3ptiqU4UgegKV/AsignUeH4U2
-oMdyi1fu6WylxGBJj6iUXItu2Vo1ycwCA+B8sc/OIiy6b4G67L0VgsilpObAfM+Y
-rLGsL+BLye5IYeleRH6f+FJyDOMhxzcmpQ3e77VMeWPEqqdrGNyOQqDWdQiDPKXp
-twknSrOymFfhYqowhdpA8CqRCgnsB7xjRDQkW2gxbNeOt1D/ftdK4ZnhA+buuXi7
-VV6ISEwyw65C6CVjr8YRbDJguHQlKThVqASK5zse5yG+bN7HHFxkqCYrbFwDRubQ
-TAA3ts9jKvshy/X6RvYXoJhRXJm5fuxkyeln6kJHO0qKjdWY3OKn1NKErbgzBFWr
-m+UWCSsGAQQB2kcPAQEHQB6fWGzwF5Edk7HZzxS5oUH/QtpmNFzt+0z0tSBDJnk+
-iQJ/BBgBCgAJBQJVq5vlAhsCAGoJECBkxTZBwl5dXyAEGRYKAAYFAlWrm+UACgkQ
-CG6lBdyi0/PzMQD/SEnr9Af0jEL9FGSQK6hA76Rpb8SEOxIo7z0g3s/35UEBAN3M
-P0VRiLQthWSJV/lgILmN5MAodnwnzqZvkxp38gkIACEQAIcMK8F0dxmn9S+xNLbW
-mKtX51FIafEjvOkV7yS185uneQsI6kfXk4p3d+hfdl78XPofgms0pAEdGi7zlMWB
-HBYpjteuGx2lTeATx9eMcamMq+tAx4upL/eauWv/McPVRTHPbUml4CcT0VBzTBTO
-jI5YBVvuUluAbgKvnOcJy2NlQ2LjGzO8KgduccOIiklsuLGJJvBvzXpbQY4Q1I4Y
-RKUiJ6E6p5IGTMj1pyx915yNO+kkPupzHkfUBx62Z/t9mXBji7HyvanMaBWtYFUM
-b0+qYrf45vRuOUvpBkp/hm9IdT8MmdNG/wMuQC7FgMdE57l9DBE+QBVe/m354J8J
-8ygGLOUnDLkgjM8Z9WlcX6vjoJh3QjuLQ9hVLjktlgprSdx9G7tSDG2Ln6fQP9F2
-PWa2IFrVwSZaewfS2IySdBzhMHR+PgorLNc2siOngRiA7/xsF+gZu5OfpZ2lNs2+
-cWyMmnp/sQkyZgtLFUHW/whNJHqPS5QtPEth2x4hJAm89VcVc5U6cYZHu3K6WKbS
-pyrGf6Xt+aXUCuQWR22/lgayPu6RyNl6Ws79qC4btr4ULHZ7ak6gWyOgjw/O6ZDE
-pPz2Fz/ljIRvWarHOYwQ1iK4H61PPwn8ec1Nw5c98I7B/ngjqyznP1A95xZzgsC2
-4K3QtyGYd285wQjpbsp5YGisuQINBFAAbq4BEADwWxezMu9t9odD5LT+tWM8gicf
-GTQ2AEXuboBl53X8TgRTeDsZ48e2SCsphZkOhsPKKyWkTsb4doIMc1ZJt09OQRyb
-jQUKUxUd2HtxxWreYDyOgq94ef1PZT+SzakX/UV9A0fw+7JHvtE6dA3qSIv2jyG9
-nkuLY+AD1BtZEEXVn4YPRAT7vY4b2ATfGRru+LVPsqRRcAwD/jLFnTDAVhKfznhH
-wQEOhit1LFLZjsNzmxvCWeajGdZFPCsDN3twYi3UG72C4PFR2JCup6GLAGoo1/Ln
-ZclHvXZEPHqBV9Js/Ga4jirq0U27MesmDDT4qvmjtSfo5yrJ4TOJyPKoMiZPwysu
-d9CE74MIXAg3T/b7Woc61lxhLUFK0f5ZtWZmzf0yVI8gkukphegVZzz73s5ok9cK
-Gsad1HL59CgjmsrgX7NnxnhsqFh9eEBymKw3Z9e7hyL7tfmY37X4mWVpo4v4myga
-u0s7Lbp0pAHjCwKVe8fXaP51V8IlxVRFQRRUU6B0y+vdNj/xD6uy4rbJlj8gPPRF
-zwZ9rduwZallvRsV734lWRGKqq5/Np6/g/0fUucFS9/m53y5sBBQ6y8HK7kc4mkg
-gpXGg+mjM5TyYCFGrip8iRRebDQlBc5U55OSnzmItlUV1JDfrXlS7rLSaHrGTueB
-1I5qP9XGYVvszZQ8SwARAQABiQIfBBgBCgAJBQJQAG6uAhsMAAoJECBkxTZBwl5d
-h4gP/2aOoPpm+3e9ei54VjMs605weMJgmWcEkZV++w2N2kPKFom1cBrRW1hLyRvm
-E/4kQJdhM6w1hmE0UgQ523TwMRL+4FLUAPLF7kblVKfSrk4yF0cgaeKGR/B6U8Pi
-SJxK5YhzbPSDzDBLtB4g2v2lQL5xuTPC7wMvsrBNu+fbJvGCd49/6ENE7tnaApdg
-Us1NLejWEEOZwV717lUrn454NyxJNN9wsvS0MOEKdDYs0QWGHINP0P4ObViG9YEf
-v4pz49k85PRL1eGGqKiUec2R6fieO/aEVPhhfFcZ4wBiPuOtbb6bEOv0OX/L/I4E
-bk+mMwczFcGk55at8Pw2hcDmZAUXFmF2V5X8lSBMG26vsWvmDDPkdLssTNgdvo02
-4l+GmQJBuns38DEwqa0gT75thmbqb/73BsgIBaTejhp6fAytkRKxtLrzj8uPZSNO
-J63pde4e/SYCiFgZzIdGca1k3GPRBbMRG3ThQAgv9NvBWlvHPBgRNAm284kcNQgl
-yauk8s9nD15mfC4OZvcqNQXKOJWhNKKqnViHqcw2laf2z5W8HJmwaOz1VqmwFtCd
-7N7z49a+2u7I8SC5KhuYVwFhku+3L9rRn5xuSNa/WO48SbBcyVcI01ifXckNNOOU
-ZQ/uJGzxXeny4IY1EKOxaxsbkCTHqIODYFkwoaUEg3Ak4L+CuQINBFAA4uIBEAC5
-2UAd0Yc0MDPEplRr1MxAaRpUCz2yJs0IUVDyKWre3Miz+/EKQWOk2pImkMCrrfNq
-yJQKatQZ8M1Bb8hhGq//0kFkG/zjPUj0h9iNqXu4qJqovnEAMUg1Ll+fEgS4WK0p
-XiNKKifBtS6YlahYOsVi0GFEgAJJn8kjFmXuEHBOV8foqM6/ud9YoYxAX5Y6HL6m
-xumE01aVTGuqYNXppG9JDgYOWF4MQ/3cOerBgu98ndNudsVp+6ndUN3YPXe/pktO
-pc3wOaQO5Tcj2gdvaQpvfGRPa1FQaa7eDSFT8tZ/3mbzJan/Ii6lJDVtz6r0b9DK
-c73wLmnj0TwOY5McAA/vErif0fkRsCbZRV9TxK2CzDcEn3qiWEEcj4wqGIuiPvIj
-V/1sCpF2KYbQ46e+Z02vykujtJWpPB9fWbx4D/e2DEMhb201v5t8Xg/MRkLoY6AC
-lEx5gJamMxt9aZ83GqrayIFKfrtzkGkzGXV/6+J5t/qdUR4WVyhds0D231RMv0V4
-Str9KEBTjKZuOsMG93l2sfXYR/fP1+VKd0fMV4NZ977j49WKJwLAS5iGbcW/vZ9C
-COsQzYcLvf71RvweflH5NAie3VR48VZ1hje4IQOj49IbIZ/+KrLIvGuonV2o9m8V
-Qrugt5FP3zIkq9Gj6V1h33S/fU1NHpz1qEq/pEsO4QARAQABiQQ+BBgBCgAJBQJQ
-AOLiAhsCAikJECBkxTZBwl5dwV0gBBkBCgAGBQJQAOLiAAoJEKGfLDAaVSLdAgsP
-/R9vl721X3SRju4Nsb8vfUaWoCoLEPkvRXEWy29nIf/xFExnzDfIyA/vdkYXrx+Z
-2YJbO60A1DFj1ODFOKy+6HBdtpax6bRgfb1CTxcAgAyqHOzn0MVZK7SKgwJjFWLK
-GHLNVV9nSbcO/M+ORuyNd8lZI8cCvNruNzsFkfASoDV+Lhqoru+74E/8IaWNddBY
-dXHjIVEBVfOFxo1tDpyvS+rJ5yi14YkebHlbeNCoZrrx2CDPPVeaNLgm5e6/Dxjs
-bOcbDCD1nSi1wc2j6QG0ObcqF9c15OMgcGD5Tjkyq9cTS/maEJK+c8pi/wpTySG8
-jF/UC4ev3ZOJ3atP02aBBCO/N0IrAecamH7SNoxZXBxP+/VHdL2NDRCP81yiLt3f
-qi7l821yNdSz7sOoP7qk6Jx5pBGDzKAmK4xVhhXMFaKT6mECVM1zVN+A+zC8j08F
-AScmBld9qNn1hclNU3qwUgv+1PJSyQdnYuBlBuZIO5HcdOwl2+08JuRgr5EhxQAh
-wEvSVbaolu2TCUZPs2stkMkVhLQdI3O/rYWvkI7ln0cMqZTaIHymdzGCUNyyNPjw
-+6F9ZrYJPqihLQnK5aY8C8yHlWVi8vd9uYP7NMd3ELiYqkh0w9VpDJUpzu5Tmd1b
-zc9FnpOEjEC0sBHOLbPSor5T3bcrvcTqCcjwnTIQuHHY/vAQAIDanQ7UvmC3ICd8
-JMa2fQ0sINfajRIqVBUQF2owFiKOJ9HbjFHb2/0Iz3KDYZWbP7GItpF1nbNwlwlD
-8fkdGVcJEsFTT6vila3WTt4a+u2Hlj4yKepEeobPzcFANgd/7JxmGSvlkKLuTJ4e
-lk3I8O4BXgaH37kIHvklKv6DEF2uMoNHQG5dXhpVTOGaEF0V+JmF/PAlof/ICud9
-vz/74gN/9SdpWCPr7ZBpRzBwiPpNK91zM/OC6e+MQHljO5mGHCAkbYjNcqKNZwmH
-L92XsbEU0IqACktdRIblvXjA0Iwy5rNQGjCzH20v2C0/CZHwzs9IePZvsH8b2OH6
-j+Tw4q56VPbaZDjqdy5QytM163+edrDNz0xxpbxKSqq5ediwjFPzCY2iseQ8nEfn
-z0AtxmZ82/vjNdBtzh5UI4VVvjU0jCsqeLxN5UTDs+AtozOMyKOHXx58Scb91UGB
-3TVn9fn26twR1m8fvfNXcrcBVcyFEOvBioZ3Z90KGVuAennbFiGetxBjqAVIf8EN
-pOp3DFwc9d6Lv7y4YPnK8AVwAt9SN675GSwtBZxcbCVV82X+00kkWjRN1bFFAPp5
-fBWL8R3ZU2B51OTVVigiUii+MQoJzqb6J0l0w2N0USZObh2SpqGIK4MfnonCB/7T
-O39xX2zl5ALMf5SVx4xKqsCe0wV9uQINBFR/F8UBEAC07yEIOlRGObuPTAkfDsZn
-xJZZ8qRdGUy1/7V20WxfGNUbPG639x+N3F0hib7EbzK7SQ5eIs+g2qBezsvII/iq
-6Qe8DQWLjuMJYUf7GrfTXxVAfrTCzuUmVOwoAT42fuMe8n3W/oe+doOdgapHq7VU
-htmDKhUiPJont1unpbHZ8eWcVvKJdmSxmSmEEu7itnlqJmCsmCnbp7iF898BCWU/
-bHnofKTVpldP5/ZMqKmftuRDnaAP/1qL90PJ8Aprr/VIaBznrUQzawFX0uLb2hyM
-5Xk3O9wUM9Wp14yO79Zw82ybYrpjiQlvwAiTw8+5wn5Mkd2eASN0ThZdqqfk1qml
-/Fw4q8L46DWAeY0m6oCv2L3vXnWFWXzNEDV6KphT81BATLP3MwP9GOum1pEvSRkZ
-oiE1qUKKLozqS2NaYs2/dYr/unQbGUUr77AzCY2fOACNZ0j4SLrB4oxL73s5RYjm
-2S/P063hM6iLjvrGLyvMxVcf2r56mjgV3Hsoi7Yt2Vo8Bxcsn0i35iJWLZbf/6YO
-2xXcgBinqYsT751XuXgj5rIOdMd3rdsejD3NRBB9cG7Ce2+FIE/PJaxTJWgmBybi
-qB7yPpf5S1J9M1Ly0eXGTcLS1c8rw6k08CG5CmOVEUNni9clm+jaGroIoAz2kCHn
-FEMQ9DzmN9arO76zMUjYIQARAQABiQQ+BBgBCgAJBQJUfxfFAhsCAikJECBkxTZB
-wl5dwV0gBBkBCgAGBQJUfxfFAAoJEOPE3c0eTBJExywP/311BHQQkx//R156yYH6
-WkgCUcDhF9VMUqCZa0ZkREsVzRRz2XeWtxX/fVSEneQUCXk9RCaEBmU6AE2yOheu
-+NlL9ppHhM/4gW2BD05yb3FbsRPMxBmOEXU4gWBFFbp0U14sxe5od5LMCFWXN48m
-uSbAS3tjUg7+ky6AXY8/zrC5nGA/nohOL0+O0n6HwyNkzMauiR+3szAa1XIom3Fx
-9zEsmnA25oI9g84rK1p5HQ7wD0cuPtHYOW6NCiqNntXJtGjmWchOOu8pzu/svkKx
-USGa72aM4Lx7cgKrLVlazOYAFccibTwqWOJN/lJsEOtcKhjNpT6pZ7JMggPlXjuy
-8mIlKKeBphIv8/fY4O0bYmNJkE6tfZgGXeXQcMYwkSO2W+z8PLDKsxKW5rvXrZnZ
-ib8zg5UqotdNBGAhuOHz21H7LP+lI+pNGEOzRRKi3s1GEHGUU/Jd0RMfCex0MHEO
-b2GXz/zgcafeMT7gaqTi4FkG9FkeVeEMwjaUaZ9ACreDaxQeL9bLtJ7kJTHb4yy9
-k9ttrT6cQ5BZpXyP08s7CDuLP+eIAW2ZGxd9uDsBUzS+Bm26n9lLp9XBoLdepOx7
-1/2LTolInUunpoWpFZsaWXtdY6IO68D9SyJ5veYDz2fwIUtn6HFs10m4PQcQdRsU
-GlMRos9cx2eu1rsyrUVwdUbJ+moQAJptfgVFFZrX9PnuSE5bPX33+xnNR4cX2vfR
-JaM9yd9mDF47rKmUMkaFNSEX8Re8CmxDPyPUveShHFyBU9R8kaVI3dNvriU2pFoP
-eUtkcNvYRXv6tKkK4x+rAiulbbpw4OGy458OMMYgngFFc8xsImLMfa2zQyVWHqTP
-9JHF9Hpc7YCW2YRX1sA3ZfiTdns1qwzSeuBFd52+TDJMvfdAjhRVwDgeCoQ2NELc
-O6UVTg1Ys+dcND6RW83Zq9p/S+56Bvq8xozeuLS3C8AeJ4Kq98qar9hsqD4Prfog
-1jL9Hv+1jmEU9JJs55Pw3PtLDdotjUPbWjZ472ZR/1g/QGDNHzEua9Hk0xLxS2Qt
-4pYpOcxnxhn9xD37gfRlM7zY/hb44BvKAWcI1Ll30hpYt5f4jhQ2PVJMxFxlKpvZ
-VxNFPH+IUk+zHnf4n7pvxgRBT67nZ/4tMYJmYtsC6pu4AUcEUqRpkAJp5PxGqf6r
-jev+0Jx32CSMBfZiahpRDtrau11E4gvNXeNmLPLbvf86kEumNsDQ+K2wieGf8g+3
-q3Mg6y/vTig5mzoC6NPXSdEEBXysIyp0k98dkWbLjdQXu33fpVFx6hdiKVelIhQy
-5rE9BdKqLjZxI/9vh8z8lY/kKnf9TpczaSF/NUeF5u118o7ryKAHiZfyS16m/PBw
-MopBdOjnmQINBFQwazYBEAC01v949yFYzwbn0UkEkM3MHTrDqWbp+erhXqdVD5ym
-G/pXvmqx5KlxL1TZMuWEFuaq9EVkW8Wm5glk4D14IalIVKARAMDwqgNrPnw0GCAm
-NIf+OmvlG7gdsSR93eALJp1vvKZpeEVZj0M0gQ1i4QIIR8PMqs+2jaYyed4HhRYz
-UbGKZMnr94Onby8FIAYq0B79VqBv5NfMc2KEKrLXwuDSjtZd2TGB7qeLF7sCczyF
-oi5XTj+BiVfdxCzoYEa1Rjp5hGllVj85w2DdfKED/BW7VCel4H+WTZGqTFQ1e3kP
-o1KdqlwDF+Ci2JFU6myPy0LpHrNhn6FsdQGOuRKgYPycol7VzJHKtcGNMDkUFGV2
-DsgljQuWSj5TNNX5umFCIIN94eLvHtV9bXP98yKB/5pr2JhagL6kdU7OE0c/mugA
-05gGQTUJDeLNsRq54YC+CLyM9dxMvH7yB43yMfUvgKcSRt0sHUo8g5aOYdFq0SXQ
-Ur8+t/iH3t5/JxhqBik8FBiu0aISsTDUbvbxQQQe/LhfR+FWDZRFwHOL0VELapfw
-1whitGG+y+F9fQIJfa5yzEiC9AWYZjHRaFB7q6LAvF0V8vP+pkT157fTK63W53mt
-1+VPMt2L732i+/Cqy/6HzwOdnNnNyfEdvm2Jojs8KXN20vChnfUGifvTjxuiFib9
-sQARAQABtB9SaWNoYXJkIExldml0dGUgPGxldml0dGVAbHAuc2U+iQI4BBMBAgAi
-BQJUMGwdAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRDV6eQ/ffnujKu0
-D/4jYQRAyWEU62HOiQJkSIOmMoio3jsfJF7VQnvfqgswvmPXocmQeQ8pdGG3o/Yz
-SXRAycwxys1cFODa33n3E1qlDkAzW6QpRrV3EB5VLYY0RD1qcgBB9ToQ+TQ00jCO
-WGCmQxH4jeqBKVpXO1itJl2bmOZhzqNAd8jQ31fOOfuwhjyvc7hOev3/Ui5gmhbA
-pDTBm71eMmy0aAX2XZwuTTzisiV0NExtAm8RjICDeXDqwaYVPmaz2GPqeIxKA+a7
-xboEJePqEbL8coKSVebfKXtYoTTIZs7twqUbTI5kQHcyvtu2fKe5vATkbqAvjW11
-aXJoyLnlw5GHcT/tPalMsPMRN/fLQLhF6WwlaEOvG+jQwgaaMIL1Lt+M8Q59MCnb
-dmBhwes+ype2/EcnFht2PLvx7PpekHoRJosulCl5e81tzyIt9fdlsxJVIu07Rv27
-agumD7NFN0kDJDVs8JI2yjPWwuIDxTCtOWvEBDXOujPlElozYNE4gJBj/Tw5aWMo
-bY4nAk4C+dZQ5vCwV6/XG8712r+yXOjVYe2W8vPa9Q7Dxc3w5HHDl+p0p6mDCEpr
-0VBqxn4K5HnjNDDbvd2j067PtH8avhySGRIV/2AskDeI6jPoUBofWzsDOwWnGj/R
-fb56toQytliF5VgoV/UO9MQK1YiasyPP++j4dYpz242yXLQlUmljaGFyZCBMZXZp
-dHRlIDxsZXZpdHRlQG9wZW5zc2wub3JnPokCOAQTAQIAIgUCVDBsCgIbAwYLCQgH
-AwIGFQgCCQoLBBYCAwECHgECF4AACgkQ1enkP3357ozVsA//RvKgkyIyyzBqlsHK
-lAJP+9CZqheNnM1xTioAqUHkQyUeTGXVPzK0RfGY0x397SW1X0cAt4GpfV5gdLuh
-Mbesxcq5hVhM7X14zbAuIJbrrgRS06wH3MCemnpf7xRYyg0SlaUQeCR2UANDTEiu
-sfem3b1IBt3HRCy/CRY9rASgoyhSIY+dVjiEC3tfH2AOZYRrZPq0TF32ygEFMi4i
-lMfcxsAQey+cFt3Jqs2W0YX+ldgYyYZpiZTRa6OorOqkGnLfPB3RHHUqazl7RlzK
-lXOrHdeBy55bx9sw9Nlsb5n3bYZQUMnXf1aMADYWwwn0RLtcgigmH/id8HCT49dy
-Pb1OJ4OeXat3jHtjGeqnhXNq74gBHP1WvU4gVWVBtpJ1d+YMWL9+9V/0IlmdbBxL
-CSqnimTnRnKcQD7xPMRCPTyN2PT7Ksk29tHGpshp/NKahTvtsA2ziBzRY51NOm+/
-iGidRBE4BGkb8lPjuETsBNUY10XtuZY0TIRgW1kx0Y/TEP4rTESCyKvrlqu5WLFW
-s0rE5f3CrHokbMdNJOC0BVgC8wixYlMu4JdlsxGaaaa5t/JVowCKzPlQhgP5MI+d
-y4nV0xRb1Yi4s0UYtNEYeuLTURZ7Z6lodlYDRYHRxBlp4alzsL3zpayQOL1ID1nM
-IgZbihAgFBeVEmONjEgEKePG1Ra0JVJpY2hhcmQgTGV2aXR0ZSA8cmljaGFyZEBs
-ZXZpdHRlLm9yZz6JAjsEEwECACUCGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheA
-BQJUMG0mAhkBAAoJENXp5D99+e6MmN0P/AmpB8DasBnjh9fAlBM8kEZ23MHVdEgu
-PWX8KBML4L6eVlWRn7hdfpvOS90Ll5LTdtWPAQs8lDYh4V86hIYgLK9tisZyby+5
-NT4dEl6CXgHbRjdDbp0xKfGc5F9jWzPZpG8ZdDz6Zbvdooy/4ThXNS16HcsJRcka
-n6oFjCNAWSNpXDYcLtA7+9ncimrC/C+kGYlyPWJGYZu1C3I+oL3+qWwiqAG9hp/z
-edsIsNP7o24wb0SgD0dTzphmOAPwTRfGS2DHhpbAH9P6MZPiFBRGsARRRFfTRGkz
-I9W1M4bv9l/L8s6STpjD8+40f+aUE8cyUcNj1ycyRGFAnwf5MeO3MqzvjocoUyoZ
-Nc4t7/6rh6sceFjgMt/DFFZbi3kvz9cJBcaN6TWWktd4+1WmLxwcF0n3xaB04KCv
-XTaBZ5f/Hz5D4O8HyYsS6GlW6yIUiuAOvav8WizaTMbYk81XfXBuBKv7Vxk0fRYf
-9+HJ7fyWyIlIN9FqrSiiopA3JR+8gP8ueFcycmLnl2D9fyZn/sv+UCLrMR6fyD/5
-EtzgzW0AJ8BDJw5n7ctmZ6UhuasDZZMPC2uB9LVhpQ8W3mDDxJoaYe5bE2p0ca+m
-wEHZQpbpjmtT/2x5rGFZYxBUOhuGn/94zEYSqLLDirlFIEUgucXLOLQHyEl+kEkC
-LEmSbn71WsM8tCVSaWNoYXJkIExldml0dGUgPHJpY2hhcmRAb3BlbnNzbC5jb20+
-iQI4BBMBAgAiBQJUO42DAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRDV
-6eQ/ffnujLPhD/4n7Jl5/FIKKNPIDJDAYmq/Z36t1m+m0IvSL0yuZh2WSCDo+xur
-ZWVLPQIrP14ORvWJJzZTmRLUWTxQPDF0z3S4kkopMyqTeHl++to/4eTQPF0QkpLc
-DXVKzRe5jzRUTYC8x7mtJHdgKjmWqbgqm63RJg2PphRSbFqoPkfoZ0/kNdzG3bkE
-LlpW8YphA4guQBlU3N7p52KOavVny03UDLN1jVE/QmD641g4E7iNNxyXNs15iRi8
-84Ox4+EjBZOQFygx7RtrWXVokOS4Ba4fp3yDnkAdqhN3DtjKGPv7oqMcJuJpuBP6
-F1Rmd7eJPS6+nIfJac0EnhDu25k5m248mUAgvtX8PR9n6OB39G6UEKnBoBFpmDpU
-CJKeOLwGjvkpB04gAVdIbWJVXVkYVUyX6i2VRQiVEEmEsTNRZKrjyWtHyAzfSg0o
-EKUTxijtVbkHZk33SuCSATq+8qKMXDDJHhcpX8/K3zgVOMDTRexY5Zpe47IiL0/C
-bK3MN+SnBfgZzsw/TNasJ0a/AUw+FDGIq71UNysVL7dKHeKQX3nRRvHp7blpdCf0
-bOlBc4Ni5Rk/QYMAR1zVHgXHOrANzTim1dUHensnlquYGx3sdws2d7G3p0VX5Ke+
-Dreal5NraRhMYk0hJTgOy34vf+z1UGejbViVkEgts1X2nRmBInJhZOSyP7QvUmlj
-aGFyZCBMZXZpdHRlIDxyaWNoYXJkQG9wZW5zc2xmb3VuZGF0aW9uLmNvbT6JAjgE
-EwECACIFAlQwa/UCGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJENXp5D99
-+e6M3KkP/izg32cHPYfDZaWDVbzV1V1EcyMM1hpsQm4C3bo2UY/06NtLescn/6kU
-wAlhBnn9jfqbhoPzqJXc/kbNxtVRc5JvZxhulBj+UdgoB3wiyrY8tM0+eYMWB4Te
-j4830s4c5rUenM2OrUNrpaLVL5pFm1M7k4m5xaMIkKUVQB0PaCms9NB4yplSIEcL
-9c3M5UFm/ipQYML6qp07qknd/NTbNNPUfZreLYQiAr/kZxsjZR4mcCMaal8rcRZV
-hzkGwX78aReu0xIdkPaNfJAvrO7NMCz7U3yntwbXmRi1jw4PAXvZjAfgRbOv7ug1
-xPcVdbr7YbhL3miyYXH8H72muLvslOvba2CBAE4x6wZi7IEx3VNG9aklOx09PDZy
-29tyPx4AhMLPj9GnGROUcMzC3+ZvOPmteaQjdA1MmR2PEAdm1OZLJ1Lb78FcGoWB
-XdWmI0XFM09YxAAD1YNvVijPnS193jtTqesKtu57D4PEqLPUupHZZpic9X9T17ve
-SjbI6B1VCi46HHF4MEbQt7pTsGiNMKS2i/YVTap29Fj8x+cTxAmV2Fb8BWPjdLee
-5VGyH8dwDYtMXK7fE6hQFZX3Vn7RXInv4onouolcyq7aPvxYPVnGdijNSMDtHdFx
-78vSt9kMx75s8jyJ0ILojuAqB7C2G/ScybtQNYBXAIZtFZWLiPuEuQINBFQwazYB
-EADPNcBdaXTUwkG81K9NRKsKGVZ1coVRxkOx2+VD2THTY45sBx9MGmQsmSpjU45k
-x/wO5KiTVj+bM+scSzwNgERqLiyf/2hgOIDYaoyKSfAfIVCmm5pSa2Ad01RV9qT3
-i0eSSpa1Kpx8eAHKcVsDsWb2ZCd8/MI9778cCjrCbPI4o9zEVK+fjtmYKtdkHsEo
-MSVU6Jy86E908OLaJbOeo1a7bSKs4tU8zGWAX+ddY5Cb+w3cHQb4QheDWZHMel8Z
-cEgTah7huS6lUA4seQnTKXHmkIZ+uNtB3gFMKso/6GoOGZnUTk8dPY3POLY1nbMQ
-/dEvMQpFxLCOBNQP0lhO4DGP0KuwLXzq2XAxrylX5tY0bNmZKLTjhi4CbKAtc/+i
-wMUkQQXJRw7Vlp9Fp9ogOvzx/YlMaZQZZixg5uN2b4UD5cWliHn4Aq7DkTzQJe31
-m7sezA3cLnFR86ol2X77y79n0GRjGsMa+b+e9NRWNKs28JiCPF3ya31Kk+3+sjau
-CZQW3KYx31Il5bO3ulLHOtxhSkCUHx5sJ81NJIhZFr+7yAel/ECCiT9KbVbhddJB
-Hsd7GNkwzb1QivcqnYiBW9QzXkQ+xAKHfS7YM5ooYcg6G7jw89/W0xznnGiz5JTj
-Mkj1s9cppQ8tdqiV4Uemvx/96Nr5F7n++UJZ7Oval9/zswARAQABiQIfBBgBAgAJ
-BQJUMGs2AhsMAAoJENXp5D99+e6M69gP/2MzECejKPv0lN9vHTnqLHiP7BcqbivP
-NqT4V3yal/JfB9c8h2ylsuZSy4r9TKDTgv/KVm6b9kJVsjdzyqwerKwpZ6T8ohyD
-t+/5UAXKY7wH8vR1qZdtRQ8Z/UbsZ2vyDGMKutBIxOYfDcpzZ+e78nRd6k3E6pIb
-R1utS972wQHM/VTEmsvUFZtX+qszOVm2y8adbHzY0FikqN/NZI7NVY+8gkwaybpd
-6knl9ArEQe1heVWDGpaTUxz0SKglqc0zHDtxOUkhiCcvgKsAGWbxYspRq0rLsek5
-1RFSdO7NJ59co96uyIu2r/sGhpk3+/QdAMmb9CGeI+DVFhTZxobBtWxLphS5EJey
-HfzOtZNMijrrB3cw3GWws3nMsMNcN1g/o+MLxpHwcuJkEai4so7rbDf3acUUZFCw
-EzBPkx/SeXjatAObEUWmshIgNUw3AFnxdD7QOLJjctRsiGq6GwvsZ/ABDYuHnmGQ
-W3w34fKEYRLCAkOq7NPfMImM/I7Wf6Tq7s24g+2Sg8vr4yrWKoIxp4qB0GpSQmay
-k1J0RKR9dNqYNQsOr9jnI4l7KlOS+2K4b9Y0CJbiCNOdVSCf0AVnubk+2IiTrDCz
-EBlr5Dmz1xGC5XdlBeoSujB+HqZMFf8Nbjap5byHhBYB0ypkh738JQBeuJVIgwlH
-VhMV8mypBNjWmQENBE76Z9YBCAClJEJJTPrqEX9P84lgfWoeAz6MqIgDxxmIjFMe
-JZ+sp47tHnPaam0t4+8v+63RpsIlepNZtsufUyeIVq104YB+2pLWlTLCG0vQRmA5
-D6RiD7PeadLnAZtBMzhTNRyx0gD2hLM9HN19KftTa9ar4SfIVd2e/N6vgSSJKsI1
-2x9M4G3Zd0poEnz897HGftxg5APVsJoBw7tSQKHmKxLgJWAmxFV7bMxquF8tGSga
-EeV+AceRKQmVWFWBb2JIa2qihptuJOfIlSke6h09oVa1jZ6kI3ATWCbzAWUjcT9n
-HCmEVzT/Fha7JNW5JT8tyO08B5b82HyL+83n+87FVbOkncULABEBAAG0HFRpbSBI
-dWRzb24gPHRqaEBvcGVuc3NsLm9yZz6JATgEEwECACIFAlOctAQCGyMGCwkIBwMC
-BhUIAgkKCwQWAgMBAh4BAheAAAoJEJGVxIJB+/fdlikH/RLnyBDNaQuyPkl09ZDK
-YiYqg0uL/BtjEdzZzGzfV5uk9RctMd5UMU5Lh6phdc/Jei0d/VpQnSxhSoWmQHn6
-reYfq9SabApzZzQcscBxL9g0P4mMj4PzYGmhYCkkh1GOTtDtm5wleTaoIKz8KTHz
-vc7bLP5XIwrzwrtiRAiAfCCdmKz9hVqllM7yV9HZZzXnd5lAqoxV9wt6eiGfB4OR
-VJFasQsPAA0/+YoWhc8Zta819MRABKw+egfWoRm+DVAEVl+5hPBOJGzrFpZdPVPi
-Gt16QgmHVKVh9z46OBup/CfhvXWHY7J7X28c0/zHgI1dFJBOlgGxAzvBGmXkYNLX
-XMG0JlRpbSBIdWRzb24gPHRqaEBvcGVuc3NsZm91bmRhdGlvbi5jb20+iQE4BBMB
-AgAiBQJO+mfWAhsjBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRCRlcSCQfv3
-3cdHCACS9HhOWAyEAGNhCPjOhYsJRY0iQk57Ekxh2kWTO66NLfX6HwnmOv+6z2uM
-o6XxIDqLtCMFYoURkOUuoYNhZBhbLNNCqBY47382zuivs4X4RUNuewQGCmQd5ASz
-bCxtZ6eqMG6qJpnn8lsAbI9yGQ8ofwqSs98CTbRsv4P1DVacwXFqGDeu4qKQ2liI
-dbQmCP9mkl7dkwJ2BJrc5X8msu226WVeT7z3lPWlmEWnYtJLnjaLeGjP4wEcaUDm
-6LubRWxUAZ7gqRWqP8dX37Y9VSZvKHOmUINrvLAmhhYlZvt8z32PUA+hICJ7AMwB
-3V4HoNy/qJfAtkWqODvnG2HT00BduQENBE76Z9YBCAC5xpa7smrlstM6q6gnBkjT
-s1Tb68mtEXTGPpc8ds6T/79sApVbyIq3xXCinqtSwYeH/kkYnB3+kBQDgDsSFos8
-XpxBLqr9mrVk2Bu4Pz/c5/vF9L2uhf1p8nt/V+HlC9p7Q7ZCf/TRFQj+3WFafHbB
-jzDZw6kkJm7gBtzNj6FTHNUxv1t3NzbPSeW7tQbo6ptrclLk+S7rgEnG5t8VOYbo
-60I6bniGUvUVYMVVR49BsZ5tW7jrLToZf5wQEE2C6iud46poPpcDNiBiPi/LBFHC
-r71KzGnAWsfHu8lt7v9MarEuXDPoC045DLQyWSKHGP9/uSuesEOpnb63J9gDlgaP
-ABEBAAGJAR8EGAECAAkFAk76Z9YCGwwACgkQkZXEgkH7990gaAf9FD6fsKERbpB5
-aSiyCyXWm4vgIla4U2WE8ttGRNOVX646XHN/lA3W9r84HOsFgK4JvbLomiwZLQS+
-bvSj9qplO+s5OqzfWyZpdpjZNhAeb4GsfaYThrT0mCngb6gVnAEpvtf/6+4KIQSx
-qvbeGXJyaHtWhhXtqd8qzV6RbXDc5kCDJQMSZiwTxHUo7UmWR3fPJDTfhyyLlD+f
-jI/HhHwR140q1xnP2L/4wWF8pNqxX3qcMkXm6uDfRgY0eCdT/BlrJAQ0lfa09h6f
-sMkHsoHd5Pvpz+TkGHUI7TNMj3oOSrSKSu+qI6kJnOUY9PFNwTq4ljvTdbNLymjJ
-iugLyosU15kBDQRVlEpGAQgAmdVZaxAD6wKTiQ/VUd6EIuOocLXUuU4v9yRooArb
-bpLNlgTyzlDRcNYFpvW5gZ/KXt7sfE72pbDWV2HVFfcf8zyTMygz+2tzDL9ldWTA
-EqYeis4NYIH9yQToZGoc1oEkgBYwKoEQUnpq2A4IMggRaD4KSc/7W98raf63IrBO
-K2u9tfg6CZDgKHRsv6d5AHSZTFrJR7vh9EIg33z/qzaebZ5lO7woV0q69yqUdzBs
-dFEc20fUUIEv2PsWcfNKx+BzKmbddlfwSWVv6xua7KDFge6uDrg3ISWQWCwd8iz3
-jOUseeiaLYk5QOUJapWyKBqYJiOAbbQSTzkVuQMMB4QSmQARAQABtBdNYXJrIENv
-eCA8bWFya0Bhd2UuY29tPokBOgQTAQIAJAIbLwIeAQIXgAULCQgHAwUVCgkICwUW
-AwIBAAUCVZUDDgIZAQAKCRA2zuTesAz+MyFiB/99TL4ML2eevVmxbtcN3f70VZtt
-eoKvwIcZ6hDw3sG8DVAjFlyiwtXtDG/mNOBxuW78o9dCceCI/ngbH4qHbCuiKUXp
-kh6LBw3VnS6eORHWJOk4xPwktHHl9YPf4DO4sraq8OeJyooSqcRO++eCMR1JQiUc
-G59qoL93c9zibpanh8K7aoHe5P3bsACJED4kqis4sEa5oDA6JVu4LPccic2LTpOF
-9LDdZxn92Ii6MHdyia3E8tkJiFOXurOw2JNHZHbFBHZaARLES4GLAP28VEfuEZir
-PECIw9tJ+jecmxMIYj0SdvMp/bOEdlH1ot/JGMhWEsAlZUG4OEj9V9UDkHP5tBlN
-YXJrIENveCA8bWpjQGFwYWNoZS5vcmc+iQE3BBMBAgAhAhsvAh4BAheABQJVlQLq
-BQsJCAcDBRUKCQgLBRYDAgEAAAoJEDbO5N6wDP4zohwH/jOC5HbMlwaMbPHRVkDz
-5wdV9qivHXuV1PxNKjCPEv9dEdOq8CcyQqTBfZoc2mUFLrulvZAUxpl3ki6afSL3
-yjl3VlXD8VtFmaAmdBgtLQvQ/PvovW2xnc2alM2iY3e/MXdyRCEx1b6zHYUWJALt
-ZXyQa20UE6g9oTePNzaValNnup24ymmPDHy8YWdeHuDTL8dh6ji6v58nwAQkZ3Nl
-YJgpbUBj4TJfk38fm0h1BRnKCMgOxYp69lwLmC7EbvbgauzYn0Elwl68t02njv0Y
-ga+8cHvo84nRQHnn7aVWBaJWwwYKMzMlXndJWsj52gPKXyO51X2Su4jAvGxM59m2
-VcG0GU1hcmsgQ294IDxtamNAcmVkaGF0LmNvbT6JATcEEwECACECGy8CHgECF4AF
-AlWVAu4FCwkIBwMFFQoJCAsFFgMCAQAACgkQNs7k3rAM/jODoQf7BTBbQ7v7nJ8C
-xSr4P3Yqsr4jXgaY2O3M0ilodmeo0EgxhK384O1JZ4NV86YVzsGI//+6quGcYGt4
-fcskRf/9cE4LhhnbP6N2Z4XyyyXVlwJNR6oDyH1zqpZTCtQNmou8hxm1MvmpM67u
-e2smLVg/p1g+h1NWbfjoo4L0UyRUlDlELun6Y737pg6usNK2IOcv6G9gv+QVi3DV
-GpmU2+z2SK6Rxh/5Dk5sDoT4oM0e5DL7KTt5Po+dWrUyo+nUtm/3L3ugNHl48vA/
-Fvy2HBH4zxs+Y5kCyiotePiTww49l5QQDYPdFylab8Jd44wpwiJEV93cqxVuzIAB
-FM3ReFqU5bQbTWFyayBDb3ggPG1hcmtAb3BlbnNzbC5vcmc+iQE3BBMBAgAhAhsv
-Ah4BAheABQJVlQLuBQsJCAcDBRUKCQgLBRYDAgEAAAoJEDbO5N6wDP4zu7UH/0Y4
-2wgWGcVzDJu9zFlMX/XPMXJYbSENOsSyq+LUhGKLK7xPjXAl4eWVrUWsGFQTO+sy
-A4fipMw1XbTPpXDaNxacfjSwayeTV25H3KmgnQgKQXH3Kkfze9Zxe10vG+knssaO
-kf5EYEVtthbBL/k6qKC2zIrixzfS5MOpSK3sAepn1mNBFjtPSikaNwHtxcBXdIbi
-khuTpImu/PfGlOaeYwgUm7Sx9BmfGnZLvTz8MGDtqziXld0NxO0lXTh5Y2+Ojv0y
-WisUoXA44blslYYWC8aRR3FCWCxMmKfkDb9ztM5KQbQXS/nyYra6/Nsh/Acvgg4G
-BPOIenT+uE82YZfpPWG5AQ0EVZT51AEIAO91fZyiPkiioZURT8zZfUtpQxLJOHno
-vp0h1yo1xfX7okpq2nM1hytWu3ICZ0CpZw2kv+bmbRdD11xbobFnl/QWb42KThqD
-L7T/+chZz/uMzrHNFgzRCRiTJlkTcI+Q4jK71eyVzMWoiv0xnLRNf46x66AxieXY
-Tkn0e7KPC2sUppfIbpRA2BshXuJqCzjaHH/z4+QI7JTAoROayyApVcGgO7njWKVA
-k+JOd3iThS+wjnzU0sBIg12yT6q4w/M6MSMOBsqcwOMtx/iXmEHCWCuYzubhOL6B
-v3k11pkkBgArD+wZGA5JuFYfTSAnKsCWbDxVmJzGTkqwY9DgIAOpQgUAEQEAAYkC
-PgQYAQIACQUCVZT51AIbAgEpCRA2zuTesAz+M8BdIAQZAQIABgUCVZT51AAKCRAB
-ClBAfEyMvSc6B/9tpCI1LeZx9TxpYo8PLw1QcZdwpxQU9hanlg55ZeyL2j104cz/
-7fzEqHd4zNlzS5J1fs2xiuDl3pLP+tPz3uOBxiergyAOcprXMCZOjAksvUpwuX/E
-k8NIHjUAk6iCbFB0awUrrXMQq7WY+yYfCP7dUxVkXP6dHOQGs2B94TMUYkJs7/QV
-YYE0qGb4XkgwENH07Wywt/oejBn9UXFo80pv7Rz6jdELoPF60hMT14ZuDu7f9Jxn
-2of94QJGNlA3OuueQR4W25iaJQe4P4alr3PCTmyuoaFI5K0yHByB489JO4eSPLOe
-r4pftNESsDyBwc8A4Fx8ro88xLuufYnoPwrTAkcH/3d/MGABEEmqDwRDXzH/cLh0
-h9/OinNEgilOCc+zK+6+7bi7x/jUw+aAIN+bmO/6+EEnl1GQuUj7F2ZxXU9tPRvb
-YF0uCoyd+ZMayHbuMc8etThWqvMNlbNeZegLHbNO7NsoDxPmDb/rPlc7tvKdxUVG
-KfZSWT78tQAb4JeJUR4G1Rm+3jlkCNoiaFCV02C9HGXu3Amqkz33FJKjCnEv61tm
-wYZvkLc9bYQzqXt8rvb3nlZbvbFYlf3oNU7YFV43a4W0y07NtxiXzPhC+E4FIAdi
-aBbJmv9EEXzrMRyXuZFOUZx9wGAC77dHcJ8cw7+MUxpJ5ja8aoFS7ly7sk442gK5
-AQ0EVZT5+AEIALH40GSCbgSuXVHjhUYYLeo0TNBevlZD7Po1OEyhi2eEhrWYg/3c
-Awr0/neLXXD6xiAlOXcN01H+OjY4ZAmKzm290LCRBuo9WPsRvHIECAY9XZBeL+tu
-69biSXv07vhvqmMG8yZ6Hi8Q5wUHJvISo6MC6fbq2RUVnkscgqp4jlBVjRNo97Ng
-i+WEco+znvu7pio7uXYGPT9UorIPX7cQ2kpbiYM4UU4i/ezbAELc8Ttq4IXzz5zi
-/Rea/r7HR7aSpapzVB56Wwg87F3c4zcwK9bdxxgdpRfHnBJ84mrBZlSGwKN6a1ks
-N/zks6R6eNVhO9UbozzVqgl1Riz/aXlv2tsAEQEAAYkBHwQYAQIACQUCVZT5+AIb
-DAAKCRA2zuTesAz+M2u5B/997Q3sXvQo3J2ZB/gSXYVIjh76pzabO9NIlhW2fX3Z
-41VsgZKX6tpTGlqUn9Q14EkntzpGBtX/3PtoycH+Ta0E+IfpoINwSy/7SQfWmPhY
-xjMnu3LH0ho1mkGMuxXf/dMoapovKY3d//ud6KcPruq+W+8ZXD8CT4zay6z/5JIg
-FAP1viRNtyVmFh6NfZTIsKGyS+jaHniAR9N3cRa1Y7gutwT6cNV1zpTOAOBx0L75
-xLxGy6WuyBLaaZIhk0f3ONryFQslIsVGGs/d2QJm2xxywvaq4JrSor+TPJxXu3Jr
-umMEE9U0zENea7N8dQxWQBmXnChX88eRPHOIAdXEWrOj
-=Qsm0
+UzjJvKOUEUGOxJCmnfQimPQoCdQyVFLgHfRFABEBAAG0H01hdHQgQ2Fzd2VsbCA8
+bWF0dEBvcGVuc3NsLm9yZz6JATgEEwECACIFAlPevrwCGwMGCwkIBwMCBhUIAgkK
+CwQWAgMBAh4BAheAAAoJENnE0m0OYESRoD0H/1lEJXfr66rdvskyOi0zU0ARvUXH
+jbmmYkZ7ETkdXh7Va/Tjn81T3pwmr3F4IcLGNLDz4Eg67xbq/T8rrsEPOx5nV/mR
+nUT97UmsQuLnR2wLGbRBu24FKM7oX3KQvgIdJWdxHHJsjpGCViE1mIFARAzlN+6p
+3tPbnQzANjRy7i/PYU/niGdqVcMhcnZCX5F7YH6w6t0ZmYH3m1QeREnWqfxu7eyH
+sIvebMgKTI/bMG8Z7KlLZha9HwrFXQAPIST6sfc1blKJ9INUDM9iK6DR/ulkw7e0
+hmHLqjWqYs5PzyXeoNnsPXJt69wiADYqj4KNDIdNp1RoF9qfb1nE+DM6rga0IE1h
+dHQgQ2Fzd2VsbCA8ZnJvZG9AYmFnZ2lucy5vcmc+iQE4BBMBAgAiBQJRgC7CAhsD
+BgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRDZxNJtDmBEkWP+B/0SsWSeLGo+
+viob8935Uirei4FvnzGOUV1w/dgDLSzavmysVxb4q9psp1vj1KEtm18vzZO79AeA
+RGwWTQYGmFmrNRWZ2DgbjGyJ4LS5kLBqQ9FaF7vUFtml6R04yx+RTgQTg601XsAj
+eU8uSarmeZgGVMAInsdMrUc74lJeWKSnovr4IFOdgiU/env19tK355bsfTvb0ksE
+5Q7wnnoRXdLyNet0AWf4ednWDEnRb6cIVDF28URjxH6yIfqAVe7VnuDB4Sfuck4R
+4gYFS/xGfTgocPUDZ4rUz8wleGLwDIiU7GpilmtZTl1FTPkFa/mqbcJgdVTJqLZO
+5vISJkZvqE5UuQENBFGALsIBCADPZ1CQBKbFQWMCvdjz/TJaNf3rV6eiYASOvLDg
+icU8Mwa208yJXr1UF6lvc3Tgw+jmynIBjbhvhujcJ+eD+jHEaXdncaK/WAPsmiNM
+k+glZ4cbF48HP77kOLQQC+rX7jAF0VSHhFZNtnCpOByQevCJlwgkXckYvRyBOYk6
+2R7BwuLIwLIq4ZXNKPIVN4KpCodhIcGuvlPJczcdOoaBRGcSFUbXqM9Y8whyJhex
+F87RHAyGpjvLnJFSgLimyYBRpFN25LzYFpXPD4MeLUVDSRgtSxOJ2KmkhMHntUqQ
+P1XsIgzm4/ez6Mwkxc0QlAQp0r2gJU56QPdE5zgx+2q/i+WhABEBAAGJAR8EGAEC
+AAkFAlGALsICGwwACgkQ2cTSbQ5gRJELNgf/elwfYchaV/24buNWDa+50gOuXQ4v
+Xfj5DKry6aYnJBt1UeMV1ssMxCU8OltgzTMhTupjrXV1oDXYAxexymWLxwa+qcrb
+SwDD+wX1gb1O2GOfbiplEnOb5dDc7Gkm8eTw0kBJEiAiyPv4SMLhFzm+me4Dq1+x
+dbsvN05hxTjow9pi5eYrFMxYWi1ZNH2UmPpgoIN/4p28G/IN9fdWG5Ni315p3WhL
+HRMzC609IOsCIJsm8+lHVblT30jxpctFVlQBtbDTzgqQLiaTVevlca3VYgMd70D2
+8d186gxUtSEpZ3dKkv+0V8DLhQ6VR/wQ780HKIpFp6UWP5aDxpEoOEwe2pkCDQRg
+8UwlARAAotCdQIMF8Y6wFfxmpuaOGmUlXDxQXDtG31jC+Zk/GVHN8TtXK+eQ7HG5
+F29uzivxUna6tWD+/qQrUmTrLTT2P+5OFczUtaPFaDMyWdywIlyOVgfyxxfF0ssx
+rhRHKP1U9YY072/BFtipXAQkemNts+Vpta1S6ru0PG/339fjP5GljOgRYlCqnwWX
+aibgwzRURqha9CYwqJdA9b9b6JZZutdjgESqc7lEjhEXXNdbrYnZBooWoKSQ8j+W
+vqh2eBjc2ZGfgQXbrmQzFHRCoCtvD4tD9DZte10c19Tn9bl6IzL66KL+yvwZG6b/
+rr2aIkhAHg/hv/k8pPVS4Zso4vT/tJcGMh29wAoEt8BJc+wmcBYAd5IybzF/dzpQ
+gDK7hYbf/uoULtM8dSj8cfueY/8O6Elcx/GZmDQ+ZDOM5RlZycSZOmgbvJWjgEWc
+OxBDc93PoXYKPgvpF6LLTbG4rkE0J5RRWiDO1MtNvcFp5QikhJshJVvWQR5z4XIo
+YvFm36EXU3HXzK2sQhCFNRv6FcWCn81dpKGU0pMD6aiWHJMox7O2Xs+QN81ZQFzx
+RFSxAhK9NhEqVsRWm5PIrQM9KDGUp+bW95QR7NVxag7yWqjBNbp2rI49OmFLg4Ch
+8QlmS8aP3HyUa1cZUXLA4Gd7OD48SpAJs1F7ecm+ytxFVg0K4tMAEQEAAbQbVG9t
+w6HFoSBNcsOheiA8dG1AdDhtLmluZm8+iQJUBBMBCAA+FiEEoh+rdLAIiqNhFSWG
+uO8aa6naLVwFAmDxTJECGwMFCRLMAwAFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AA
+CgkQuO8aa6naLVxBqA//QskRTPLc3HULEAXkHsChkxnSbz8fbGgyzuhFclPZRMvL
+yyjB55gJPvZslQX9FB8Qo1WW5b1xC+lP3giDVvEwbvWR+egDJD0IL32ZBCq6QaD9
+sn5APf9q3woXnO45BVMAK1igAfIciz4gAV3Zt70WTIYgQLBU7/a3a6/PVpwL3HfT
+lz8axDO5jZJAg1JUZH0cHcUns0rZif9fGzOZa5UeA4/TGFDonmCArLv54dbvQvkA
+zhq7qP8ZLuwfO6lUpyjODMtvP0bUnho0wTcN0DxJrpgKyDTVAzWW3t3viJtt5erc
+j+55rS26NMD3EQfauCtRpZnnKs0oC7HX/GAjmSmsfQy2gNn1lSQsqdtlI5Aph5FY
+Hl5gcp3VlXX2MiTuCxiYTOwX5lhmv8iESkSmRpSWr0WPlAJH6pFwm84RQyDMkU1N
+86iXyXF61Q7JbwdZjGwRiEe4Ji9h0k6DbzeRNsYhGph20jr9M3tFcOQNTPEu9Yvo
+y1Enpxk4Iy3budviu0hi7coRv5AOTabzMgiwTmGfuBz4GyMCi5XJuUkSes+LCi0m
+ZlOxyzKevY13xkKo2GyaFBB7ArCznlTBojlWaqGVkFnDB8vVbzgNBVceNca6XQy3
+7fWnfnDP6GomFxFoamEZwTOXiB9AdxzpP5Ji2enKzRPl+cRtaoaGYALqzDK4jxW0
+H1RvbcOhxaEgTXLDoXogPHRvbWFzQGFybGV0by5jej6JAlQEEwEIAD4WIQSiH6t0
+sAiKo2EVJYa47xprqdotXAUCYPFMagIbAwUJEswDAAULCQgHAgYVCgkICwIEFgID
+AQIeAQIXgAAKCRC47xprqdotXHrLD/4xu3Rb/2BCJ+6eO8APqvuNyqK45PCy6XW/
+mIVRKV4Cyt8lDTnIIbPnvlMUpUuIw1fU4aSoARIEwp+lfLxFnuXY7y1XDlDRv8Md
+95LGSgzq2bdqhs8/VQXdrq9dNB4wN4mxgpTI3ITEAnLZQBwQiP41e4PUrxSB6/6h
+Ag56+dJYeJDXgWR/+oGBJwdVKpHPu8v9IKKZN5BHMTtNKio/XfED2rbKFhTgVujk
+9JXV+ZtfRC/seCrtv2sgcJqG7EMo93A1fHCTfUMScQdQKiwClyt16REPEFBEaK+m
+doELvWwkaEApd17vpX6odoJn6F6FomRYp6AcxBE7SCxFHTWtjLCYXjblck3/lv76
+38gClZew4D5Pp9+tH68ZkfJ+6ZEqQ6tdrPSeHopl+2lJW4Q19l4jKP5BktqKNrpQ
+dPN6CatPVIniNmnMESJ+nxQDl8eAq/SEQJyrbxsU9185AyfFpAv/kBO8FpI7Q/fe
+JA9iX9RgqhSFj8fifPFV6eVG6GzhDWARlr3OT5IueNWhSpF3uZryvZ9hZk93zngZ
+8oU9uye/VGEpDoPWZNKO5XCyr4F906jsEa8DDhqsgSKx5C6ayG3l+SjgSMr7aL8k
+7qt6YhejnHzmLmSTnFeC551ujpPbIImtVoKjcifhUnUperS2m83DOrGdSPLZlweA
+XKBxQfTdALQhVG9tw6HFoSBNcsOheiA8dG9tYXNAb3BlbnNzbC5vcmc+iQJUBBMB
+CAA+FiEEoh+rdLAIiqNhFSWGuO8aa6naLVwFAmDxTCUCGwMFCRLMAwAFCwkIBwIG
+FQoJCAsCBBYCAwECHgECF4AACgkQuO8aa6naLVyVHw//ahSVEV68q/P1ISiSAGEG
+sHN64EgnjGkoutH4D4bXgX/VTwOcPODii7Z2RXD3KbxqWh7kcY/pnITkqNh5GM+3
+rHk7Fm34Lg4gTX9bANCFuv1nyI6nxpYsP4pC5/5gPBoC84DzxIhG2R/oGfidbbcb
+9eRPHVlUmCCyXJ+1S1/BIGHPd7moj23HOsBt6gc+VA+xVuqYOgIxIc+o+MkAav3Q
+FFC/Z3668fKeuePGrJQEeQO3tZFj0jJK1w+hAnZSfC0Xmj44lq7ywrX9THJgECZF
+1/Tyx7T7ZF830/exnXBFrTxd6qbvZPICt0Av3T6AAiLA1FNfprmqpUQdwKMy1RW0
+idpANAapx74Qfu3CAf2ZAGrIiNYyfVz8CSZ82RpURRiZ1IOjEV//xSL5clYvoRbd
+Q0NrVjKOqXrtbDQwzjWCi+/zYRXnSYSEaGFIkLXBLlqrU4zlJ+xK5GgtsqvIc1oG
+Antmn8tbFL8g7VI7pXVUzc1dYnODDwvkGeWRMNrh3z9qBC5Sts1JS2SKbQcL4M6s
+OanMY9JwR6Gg00ciV61w1n/w7Mkug39bfFInaHOlt8zRISm2m702+ILVo4Yf0Hsy
+TbckUoOEmdmcfhMYAJ4BXYSlJNNV8rS3BKmB4zozumR6T9P/hO0/Mme7CMOQJwQv
+5pE26qeTbG5P7KaDdFpez2W5Ag0EYPFMqAEQAKYlkax43RLvRadsneyvd1abbbAF
+hnmaOmnQO5Cq3QfgxcMkHUECBhdTKMcym963DtrMaFP0p2P06cXVW0jtu9TC1HKq
+BHORfrsbl7KeE8ebOol2PcU8EHgYvKQFEEi5VnP8qGpBeLGoRvuftDVA6XYwhHr0
+cNpx1WzG8swAoAdFURK4aWOoDgSuy5B8FwBF4daTfN+j9bNwyyyJ46DOdCBkCSyd
+/P3QXln/Zaiaw4n95WfQa+4dsR1YWo/tPIlihV2/jA5FupVzrk/gPKcxym89U1Ya
+KYnfTTnMPMLNNFZ6vUdP3YZPhU/NVyQuhpqAYtho4yqSzTM3wROiJCY4Z4DGPVs+
+bEn14cndMe2RnUt8PUoiF16McN+cKAtf1HukFWrJv5XQjUjR+t8vBuW+8DQPOP34
+VWvf07oPM8s0Y/aeRnu29cjG7VcvUXrfHtcQd8jiR/K48Jndd6HDQaxWIQ+G9fj9
+A0nK+E27q0d0uIMM2sAdo7iE6BC0BrHkfJ0IPJOhZOb2fDGmLJTFNs2ux2t+/QvP
+gPYdAtpqG6rcOxqvDcwx9h+AYKctAnvAclp0RxCK2XCuL2Q08wX1vpWCQRxZTXNJ
+oXldooer45s/eNHGpMy7xheuVAOvbbEvEP97Fh9kCxU8sHXBFGTYGUVp3JwGiziP
+58NcnXoMPBfrNQCxABEBAAGJBHIEGAEIACYWIQSiH6t0sAiKo2EVJYa47xprqdot
+XAUCYPFMqAIbAgUJC0c1AAJACRC47xprqdotXMF0IAQZAQgAHRYhBNxwMmYq+IXi
+9H8kP1J0ZqIcp55tBQJg8UyoAAoJEFJ0ZqIcp55t7/kP/jaWELjvtGue/qLcL7jd
+8aDLDpoop4J3eruX3n4vKgox4GCcZ2UIYoZODDsomOOgsSSJhSiOjNdx+UpbLmhj
+G5de3+VfHRO61Aw/Q/bQ+PoVXudOFLAHamihxYRPMcliduIrfS5iF2N+fHEO4Jvx
+MwP8AihHs9WfyFJceoaxugZwLhOhWIS00LeVnAhmwNeyO9jNR+dK1/H2tPKjoOK8
+8jRDnrM9WriN6bdVTsv1SaO1fqDtss+DTRgaowjdZjDpgZdbwZXWc+KGSb6qAhYM
+eAY+IfCx4pcoNjlmVeF4e31Bh9v0SHXwGIQk8+PeTdbHQx3sPUHNzz9L1cs8KAiW
+NpqAomdeitKNtea4GACXGNiggorYY8PpLR2fxNdPHJiSRNGVxvbBVXRegBxBKH2m
+EYFxL8BTsBAZ8rQKtpdXj5pU3unruf4UjGJWp/d2KbBdraJfo8OxfmrKYCtiT1qg
+eBbLqcZ77wL8xga00xnwi+M+yvP+kJmKyQQcsdFv5ZBbHmxHzs9EmP0b7GhkNyxJ
+kJG5/gs9nNj8JiLmCYrLpxzQtax+pRdWtfQ9paXvNhId07FxLII7ctvrIbh7Cgl/
+7J0mvs8kqjG7BOqP/AKrrk+7ZHRzta2H69337yHl/B1Y+jSptXspOrsghHG9PI6g
+VjhvLc6TbejyL4sq0Eayvp3Ei48P/Rk+C4WSp3yzOaVQBVdI1an9vZVYZERw3ojZ
+naa6qb1t+XAEuyx9sL9sRo+PsBmiZpLK7oiY9irTQFmvu1L3eMb57ay9xfZBuagt
+OIk8fZ54OKpYmQCNcBsU/3wCkteuS+bHU10b3MsKJLIcbbD4Al3B/ydr/yQugRp+
+OKPKqPwixiGkwZOlfDX2OGKjRcjGjEQEEkPT5NCl0MbMHcQEmmM002/d4JrqDu16
+yLu2ntZaaXi9xweYUNP8xdXFcwqy1337BGTVVv9f/VWponEzlj/HVf8pTfOnezb3
+yZPC+zvmCLBCmIShA3wlyGaxe2J7vUglokfCwKsWaQcdv+paJpkCe0ZSqxwZFlBs
+gvFh2K/7MTkctLsUnrxhXHytrBTJ6SyYQugvN9DtOQekhU1k6w/XPzQtkgw1kAq9
+U7ndxmet+AaME5UEYCaRiXNrOMDjGgEZ4Vba/xmUIXwszoXGhwFTAV9BRHHvi5LY
+oRJ8xCSYHP280x/rd3yFvG0uHOuWJcAszAidaGMgC5Q9QZWesIRUlVGa6LmFbvHY
+ieAJX/foXGDlPxp28ot2xW0RoQVc/JQd03BHj9NvoEkhQ+4g4tlrd4ZJmGGk+5N2
+BjNpLF3UNuUhjNWluHa8WqgI+bGePDl0zDU/Yq2t0y/6P16ehkYVRPIjpSSmxqKg
+vsHIR5jiuQINBGDxTCUBEADfyegcqR2Ls6sFQx/IawkCdLPSNXxXYrutLmni00D3
+gdiVcFeLfVmbDOplTBFGSRiKG5NmORRcy7B7Wz5UrOzF7S4ZS2tOYojF6qGbEuxG
+CPhgzTujj9Y/IfTp9iJORJyv9HVhkIJUmP68sPuUoXQIx0neIQkbwcX1+xSRja7y
+JCKfAMZU7zQUMrkeK5bjp30tS1xQ5Wk1sUQGQSXQfxsgGwqippH25F2WzGRQPdxN
+rJKyyeugj4GivN6/g1IuvhMrzik5GcNDlOktJO8U+GdX9AG0vzjeRvMIy78Srvk5
+ndixyzFEzIkkO/ytIsOPqZrNfjDgVhQ1/Gkv6aEXtDUu+/USJPh8uDhu/ovUaX+M
+FPmdkB21GK7p+oe/kckr/hNu0FgoDbgHZthfHCLMUNwdJgGqan9hAiJDWz37Q5b/
+4g6swMQKGzSc5bCkK3EZhDyDqjcYt0z/h/OXpMB03cMHT2+bvKYHoaQ7pnIsh32G
+ewN3jZekbm0DCFkIEM8VG63lCZCox8C6KpExw2nyXiiO/tpyCOK96XkHxDdI2eR0
+lx0x7uOdtBVARzbrb7h6gstJ0K4b6FxHw+MKGJNuzjsEih7tWXRBWuoiR3gFtH+q
+UjjJBDA0bRVr9P4VaTQ24QPowLMMw+Pl2A5PsWXQzjbmvYpzvd9DBiNgbC0NZKLR
+UwARAQABiQI8BBgBCAAmFiEEoh+rdLAIiqNhFSWGuO8aa6naLVwFAmDxTCUCGwwF
+CRLMAwAACgkQuO8aa6naLVwVNg/+Lxf+Ra5D8+/I0pe2De+4HP7E6QRjIUMYWcSq
+X/vMRP6IoPfxfdATCmhQH5QoYhDD3Pg49FawhsD9sTE1TuCe5cO20690QbhE7lav
+Et14LZk5V8KEUC/dV7aBowI4X4KV24vwxMmevt+EMDGK+O+K7CojLAXDEp1kw7qk
+apBWAGheC0Ww+kZFnJPgu5OKbPyiH5RCokhLr6Y5NU6Ym8KErfsyHmSOrrEi1mxn
+AA6p1x3tBgpVKnDGGyIC81cl0EM1L368AM4vF731vvEIT/geaGU+svGAQzR0A3CE
+wuDmGlR2J2VkvrT7T0GSuHbgJWUXf5QcSj2zVnnubnz4eQCxQCDaQVj9ApxylY/z
+93wXAq89mWGh+YkJqoUmyd5chSiaEEIK3J1m5zliPdQ3YZrxNhiMp9SSRBU9mEKk
+R+dnQ1+YDpeTnME+z8VdY3NN24WbDgspQaKtWHfYg91NG4IqiO9XRma12amkM7oo
+AkcZb/Jxfe0lBiwwrr6guXo5nnEAWJiwq4CIkXCPhV0lZ2YVGJHgW4PbFwpWvJgo
+MRdUYR9kvc/W5ayxH9q/pf/D9PiFppmk7wm2e5CK1LGxr+xTQrm1QN1F3Mz6w0e4
+UAv8TQF9UVzBjZj67vcFbYJ5+9lJ3qA/3S2GOuVP2RSzXkAJ6vXN1SSkNkyHY7xm
+yf5OKseZAg0EYCmvuwEQAKjJzMcw2BaJWDiMyO12RvmPtywo90XHwHsUk0wWsv9n
+8jUGPAxNDt/Eq8M3rPeaMAwqFT7AIv29RJIxS3LN79+jHT2fziNgPA3effujOSuF
+wMHTWJqIoIJ5E0RbqZ5Ozf9ok8YLOcg6T+QweWdmdA9xKmEh7Gj9lTIHn2HqybPY
+u+hNmDRp5l4nB7Rx9pWdZgDVr3Cv5AkNDBGQSp3LvvZwzTc+Gz+xFZ3j6cGo/VfF
+aVffRiNUaMOxjeAf0ADLihSdvu06aTlL0Ugq4x2SRZ5TQBubz/fo59nIwVtkMAxs
+7yLe6fh4hA6Dm2PKdJdh6XeeUn9/ChId58+Bq8KQF2SeTzjYsz3Gvba34gqbL325
+bsUOq+PBs+gyDrPYlquXQWq7caEiMKYox7pMF+RjAHh+nkq3NHCtKMOjXq+Qygzr
+2ZeoDvB/UlX4Eq8TpBN4823yLHiJvlzqY86sWdgbVfe2Q05zj+ropwZu9LXExrHX
+arb/NJk+agm/NZOtIXyVANkqMydeeGtkxjyHuW79ATgNDUz1TU8V1/q/Aus1ocd+
+L+tYpN5+ysanZMipTiWbjmnR8OuhioMwv6CnxExRkFTwzjAbCGW50SIKg4WNe7YQ
+K++CsHskeuH4W0y65E/HirZ5E7vk16kN9mqanjw8iqS3ZvdWOKw1x4HvS5iJRDZ5
+ABEBAAG0HVBhdWwgRGFsZSA8cGF1bGlAb3BlbnNzbC5vcmc+iQJOBBMBCgA4FiEE
+t8HBQ2DzU6NoYuTVIxyEzdzGnEUFAmApr7sCGwMFCwkIBwIGFQoJCAsCBBYCAwEC
+HgECF4AACgkQIxyEzdzGnEVrRhAAgCec16Tf5Rdkv+7hHqGz+UmikL2n8wVsKcvR
+vXNmdvMptu9rXQ8Dc8S/6zOHKUMp4MhsMoXXISMjgFM0ItLywsoRlZItMxbUxmGb
+FablN0V5uGiPpOON/GZ7gRPKTf6/eELdiWbSOKoccSu61EA8hbVUMVBXEpk9qy/X
+KPdg2IFKS1NIfUyNlm2UNiOn3PdVNzO+s7cEEklLFDkJjvj2kTC2PB0tOo5W2gkv
+y2Fncn2NKdIOyAVWn+k81XHFX3xh3z0mozfgy864PeNhI4S0xQImAwVc1n9zb4Gl
+atf6yw+qtj28Guruj3Ur45AdtvhnWmMr93MOrXzcTfa5M5htyjuBr8moTtz33vNj
+R+BCwjOF0S94LigzJ3PAdD1bMdRhHsC1OAX2QqxMfLwfrJ7e5okwgxIR0C8jibEb
++T/Mb9Aqsi3WdQmH8zu67YhP18z4ChH7ZVXW7W+KbGkKk5elMHiZMhHlh+JpF9ec
+ebnmKr+h3FWP/JWoVRy6PL5gL1ICgpEYlFBXQpm6vXEA4myDBQnWJclnDKmjCQjn
+2OnCXapYJ9khLVmukh5uJWThkFocN7W/Xvy4s7chqxlHscu9wPsRJfxTzyeDwnWd
+cer5RzviPkNzoIxN3lZhOQW+GM7fcmIedwrwItg4Wyd0gZe2z84SGnTw3kkQscJ5
+K67hQhu5Ag0EYCmvuwEQAM1DrDqNA2rFbEcOMnNxdyVAkU8HaqVP/l4xrtB45iIn
+kOZjZVA/QyW2SatzxP8j019EWloHtn7zMTmWaNKLc3l9haOGhmn2g/RZh9It5/gq
+kPsp8QRNoGiGfxzDQq36eYQ33TjD2SksT5YC8PSpEqeKVwJRYTkSzvX1bx0yH/xw
+HoWIIjnybIi9XrfINXUOI3IRwo15qwgUXyfcUJ3SBY9ddL0V7ua5CkgngtvanfKW
+pxj1RpTyf4tABvUsvWQLjrwxTQsGGGQKdnYFpxacm7smvNDU2KGT4lHJe3RABFyC
+whO3z7etB1kNvqjqNOLEKU1c4nYsZkwAjY2tCml+fe4GfLTq97J172XeuLC05jCo
+R8RO3o413LSA53jN6U86d8y3PAN48LSbRvmJs2wwZVga7lua7hcVmuTyK9wCISDh
+Mkdxi1SZ443K6GZoJtwbyKfQZm9SBv9gtwGksGEUVRR3UAsF+LpxeW8WVJTQcdCg
+1EgDIW0LUNBoA5ZD2/bUpIXrMUb1CDfIcrL7EGNeN+nQhk6o3mOuZfFt+X/4tapQ
+cPni2ZKIetR/UKJbqej7hYEj1/r/5AJUsUGhK2U2ChG385whearVxMnalNI+XdLT
+4ehsIRqWUQYQNeqwbGZXaQ2bGxSSz+ScQYUSWn9e0yuHKSJwh1Bie0xpF5uWOumL
+ABEBAAGJAjYEGAEKACAWIQS3wcFDYPNTo2hi5NUjHITN3MacRQUCYCmvuwIbDAAK
+CRAjHITN3MacRbZ7D/4jMZVeAHfg14edotUNO2JReCs2g5XjEVNL6S9lesYLmL6Y
+yFp709yC8DKOywnt1U/ZEkFI2R93GtF3YPgcVx/d2f+frjoc2JOKeKt++hR/hUgD
+WN0On2qLGL/+07t+w/Kffl3rvY4D0ALdxwGCOLpX1cDnxESicX5qnZsTQkElhMlm
+sRP1afIE8SN592k5FIdpeqKZ8c3n1BXmBcQVngKLWMK32fpYRvSij6RBORRvzPsX
+0/7uiOND7gquC2Vdv2KPELAx8ZE80iee6arIonQ+FNXCEzUk12LnefBVj3w4YRld
+aIo8VDqUAbIstfBo5LO0oZJ2wU8r+2nJWKHCioeMkJTlK389WWm9EqFu2rbgV8O7
+tjIM7ZAOnb8X5Ah1WdQU7YjXF5vaT79PH7ed8pg26L4AVq505uWthDM+uWzAnMKa
+YH85OS3C46qvae9CvYlTCZJpG90IB7wQj8cBr+6OUDztPr0vhProrAFa4GQhhlDE
+W0KIL4GaSw8Jh71MFNmbb7zGTpSJIwq6vARJOQOP+5Qaa0YeLdxIk9JDnHjUI5IR
+z7/JnSR5BNKeeRWsHvVwyvbJV71ZaJSpSgduTCKLL1gAeSnvqMdtNGwKOzw7ai2K
+gBbTphvuvWJanq3CH+CIHOxUmd14/lKz/zlNB+uXzHzImO/U5CIhGtNPPoZ1TZkC
+DQRUMGs2ARAAtNb/ePchWM8G59FJBJDNzB06w6lm6fnq4V6nVQ+cphv6V75qseSp
+cS9U2TLlhBbmqvRFZFvFpuYJZOA9eCGpSFSgEQDA8KoDaz58NBggJjSH/jpr5Ru4
+HbEkfd3gCyadb7ymaXhFWY9DNIENYuECCEfDzKrPto2mMnneB4UWM1GximTJ6/eD
+p28vBSAGKtAe/Vagb+TXzHNihCqy18Lg0o7WXdkxge6nixe7AnM8haIuV04/gYlX
+3cQs6GBGtUY6eYRpZVY/OcNg3XyhA/wVu1QnpeB/lk2RqkxUNXt5D6NSnapcAxfg
+otiRVOpsj8tC6R6zYZ+hbHUBjrkSoGD8nKJe1cyRyrXBjTA5FBRldg7IJY0Llko+
+UzTV+bphQiCDfeHi7x7VfW1z/fMigf+aa9iYWoC+pHVOzhNHP5roANOYBkE1CQ3i
+zbEaueGAvgi8jPXcTLx+8geN8jH1L4CnEkbdLB1KPIOWjmHRatEl0FK/Prf4h97e
+fycYagYpPBQYrtGiErEw1G728UEEHvy4X0fhVg2URcBzi9FRC2qX8NcIYrRhvsvh
+fX0CCX2ucsxIgvQFmGYx0WhQe6uiwLxdFfLz/qZE9ee30yut1ud5rdflTzLdi+99
+ovvwqsv+h88DnZzZzcnxHb5tiaI7PClzdtLwoZ31Bon7048bohYm/bEAEQEAAbQf
+UmljaGFyZCBMZXZpdHRlIDxsZXZpdHRlQGxwLnNlPokCOAQTAQIAIgUCVDBsHQIb
+AwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQ1enkP3357oyrtA/+I2EEQMlh
+FOthzokCZEiDpjKIqN47HyRe1UJ736oLML5j16HJkHkPKXRht6P2M0l0QMnMMcrN
+XBTg2t959xNapQ5AM1ukKUa1dxAeVS2GNEQ9anIAQfU6EPk0NNIwjlhgpkMR+I3q
+gSlaVztYrSZdm5jmYc6jQHfI0N9Xzjn7sIY8r3O4Tnr9/1IuYJoWwKQ0wZu9XjJs
+tGgF9l2cLk084rIldDRMbQJvEYyAg3lw6sGmFT5ms9hj6niMSgPmu8W6BCXj6hGy
+/HKCklXm3yl7WKE0yGbO7cKlG0yOZEB3Mr7btnynubwE5G6gL41tdWlyaMi55cOR
+h3E/7T2pTLDzETf3y0C4RelsJWhDrxvo0MIGmjCC9S7fjPEOfTAp23ZgYcHrPsqX
+tvxHJxYbdjy78ez6XpB6ESaLLpQpeXvNbc8iLfX3ZbMSVSLtO0b9u2oLpg+zRTdJ
+AyQ1bPCSNsoz1sLiA8UwrTlrxAQ1zroz5RJaM2DROICQY/08OWljKG2OJwJOAvnW
+UObwsFev1xvO9dq/slzo1WHtlvLz2vUOw8XN8ORxw5fqdKepgwhKa9FQasZ+CuR5
+4zQw273do9Ouz7R/Gr4ckhkSFf9gLJA3iOoz6FAaH1s7AzsFpxo/0X2+eraEMrZY
+heVYKFf1DvTECtWImrMjz/vo+HWKc9uNsly0JVJpY2hhcmQgTGV2aXR0ZSA8bGV2
+aXR0ZUBvcGVuc3NsLm9yZz6JAjgEEwECACIFAlQwbAoCGwMGCwkIBwMCBhUIAgkK
+CwQWAgMBAh4BAheAAAoJENXp5D99+e6M1bAP/0byoJMiMsswapbBypQCT/vQmaoX
+jZzNcU4qAKlB5EMlHkxl1T8ytEXxmNMd/e0ltV9HALeBqX1eYHS7oTG3rMXKuYVY
+TO19eM2wLiCW664EUtOsB9zAnpp6X+8UWMoNEpWlEHgkdlADQ0xIrrH3pt29SAbd
+x0QsvwkWPawEoKMoUiGPnVY4hAt7Xx9gDmWEa2T6tExd9soBBTIuIpTH3MbAEHsv
+nBbdyarNltGF/pXYGMmGaYmU0WujqKzqpBpy3zwd0Rx1Kms5e0ZcypVzqx3Xgcue
+W8fbMPTZbG+Z922GUFDJ139WjAA2FsMJ9ES7XIIoJh/4nfBwk+PXcj29TieDnl2r
+d4x7Yxnqp4Vzau+IARz9Vr1OIFVlQbaSdXfmDFi/fvVf9CJZnWwcSwkqp4pk50Zy
+nEA+8TzEQj08jdj0+yrJNvbRxqbIafzSmoU77bANs4gc0WOdTTpvv4honUQROARp
+G/JT47hE7ATVGNdF7bmWNEyEYFtZMdGP0xD+K0xEgsir65aruVixVrNKxOX9wqx6
+JGzHTSTgtAVYAvMIsWJTLuCXZbMRmmmmubfyVaMAisz5UIYD+TCPncuJ1dMUW9WI
+uLNFGLTRGHri01EWe2epaHZWA0WB0cQZaeGpc7C986WskDi9SA9ZzCIGW4oQIBQX
+lRJjjYxIBCnjxtUWtCVSaWNoYXJkIExldml0dGUgPHJpY2hhcmRAbGV2aXR0ZS5v
+cmc+iQI7BBMBAgAlAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAUCVDBtJgIZ
+AQAKCRDV6eQ/ffnujJjdD/wJqQfA2rAZ44fXwJQTPJBGdtzB1XRILj1l/CgTC+C+
+nlZVkZ+4XX6bzkvdC5eS03bVjwELPJQ2IeFfOoSGICyvbYrGcm8vuTU+HRJegl4B
+20Y3Q26dMSnxnORfY1sz2aRvGXQ8+mW73aKMv+E4VzUteh3LCUXJGp+qBYwjQFkj
+aVw2HC7QO/vZ3IpqwvwvpBmJcj1iRmGbtQtyPqC9/qlsIqgBvYaf83nbCLDT+6Nu
+MG9EoA9HU86YZjgD8E0Xxktgx4aWwB/T+jGT4hQURrAEUURX00RpMyPVtTOG7/Zf
+y/LOkk6Yw/PuNH/mlBPHMlHDY9cnMkRhQJ8H+THjtzKs746HKFMqGTXOLe/+q4er
+HHhY4DLfwxRWW4t5L8/XCQXGjek1lpLXePtVpi8cHBdJ98WgdOCgr102gWeX/x8+
+Q+DvB8mLEuhpVusiFIrgDr2r/Fos2kzG2JPNV31wbgSr+1cZNH0WH/fhye38lsiJ
+SDfRaq0ooqKQNyUfvID/LnhXMnJi55dg/X8mZ/7L/lAi6zEen8g/+RLc4M1tACfA
+QycOZ+3LZmelIbmrA2WTDwtrgfS1YaUPFt5gw8SaGmHuWxNqdHGvpsBB2UKW6Y5r
+U/9seaxhWWMQVDobhp//eMxGEqiyw4q5RSBFILnFyzi0B8hJfpBJAixJkm5+9VrD
+PLQlUmljaGFyZCBMZXZpdHRlIDxyaWNoYXJkQG9wZW5zc2wuY29tPokCOAQTAQIA
+IgUCVDuNgwIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQ1enkP3357oyz
+4Q/+J+yZefxSCijTyAyQwGJqv2d+rdZvptCL0i9MrmYdlkgg6Psbq2VlSz0CKz9e
+Dkb1iSc2U5kS1Fk8UDwxdM90uJJKKTMqk3h5fvraP+Hk0DxdEJKS3A11Ss0XuY80
+VE2AvMe5rSR3YCo5lqm4Kput0SYNj6YUUmxaqD5H6GdP5DXcxt25BC5aVvGKYQOI
+LkAZVNze6edijmr1Z8tN1AyzdY1RP0Jg+uNYOBO4jTcclzbNeYkYvPODsePhIwWT
+kBcoMe0ba1l1aJDkuAWuH6d8g55AHaoTdw7Yyhj7+6KjHCbiabgT+hdUZne3iT0u
+vpyHyWnNBJ4Q7tuZOZtuPJlAIL7V/D0fZ+jgd/RulBCpwaARaZg6VAiSnji8Bo75
+KQdOIAFXSG1iVV1ZGFVMl+otlUUIlRBJhLEzUWSq48lrR8gM30oNKBClE8Yo7VW5
+B2ZN90rgkgE6vvKijFwwyR4XKV/Pyt84FTjA00XsWOWaXuOyIi9PwmytzDfkpwX4
+Gc7MP0zWrCdGvwFMPhQxiKu9VDcrFS+3Sh3ikF950Ubx6e25aXQn9GzpQXODYuUZ
+P0GDAEdc1R4FxzqwDc04ptXVB3p7J5armBsd7HcLNnext6dFV+Snvg63mpeTa2kY
+TGJNISU4Dst+L3/s9VBno21YlZBILbNV9p0ZgSJyYWTksj+0L1JpY2hhcmQgTGV2
+aXR0ZSA8cmljaGFyZEBvcGVuc3NsZm91bmRhdGlvbi5jb20+iQI4BBMBAgAiBQJU
+MGv1AhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRDV6eQ/ffnujNypD/4s
+4N9nBz2Hw2Wlg1W81dVdRHMjDNYabEJuAt26NlGP9OjbS3rHJ/+pFMAJYQZ5/Y36
+m4aD86iV3P5GzcbVUXOSb2cYbpQY/lHYKAd8Isq2PLTNPnmDFgeE3o+PN9LOHOa1
+HpzNjq1Da6Wi1S+aRZtTO5OJucWjCJClFUAdD2gprPTQeMqZUiBHC/XNzOVBZv4q
+UGDC+qqdO6pJ3fzU2zTT1H2a3i2EIgK/5GcbI2UeJnAjGmpfK3EWVYc5BsF+/GkX
+rtMSHZD2jXyQL6zuzTAs+1N8p7cG15kYtY8ODwF72YwH4EWzr+7oNcT3FXW6+2G4
+S95osmFx/B+9pri77JTr22tggQBOMesGYuyBMd1TRvWpJTsdPTw2ctvbcj8eAITC
+z4/RpxkTlHDMwt/mbzj5rXmkI3QNTJkdjxAHZtTmSydS2+/BXBqFgV3VpiNFxTNP
+WMQAA9WDb1Yoz50tfd47U6nrCrbuew+DxKiz1LqR2WaYnPV/U9e73ko2yOgdVQou
+OhxxeDBG0Le6U7BojTCktov2FU2qdvRY/MfnE8QJldhW/AVj43S3nuVRsh/HcA2L
+TFyu3xOoUBWV91Z+0VyJ7+KJ6LqJXMqu2j78WD1ZxnYozUjA7R3Rce/L0rfZDMe+
+bPI8idCC6I7gKgewthv0nMm7UDWAVwCGbRWVi4j7hLQvUmljaGFyZCBMZXZpdHRl
+IDxyaWNoYXJkQG9wZW5zc2xmb3VuZGF0aW9uLm9yZz6JAjgEEwECACIFAlbPAe0C
+GwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJENXp5D99+e6M0mkP/3mgwmAw
+TgX1pC3JMF457JF0wEWmnIkm1yfLVI5xBH8X0i0J9y3IeyYWcGm5Kwj5PEpI00BM
+i4Xa4tJNK3rnusTFqcg98pmCYw6t7baujhj8IA+jVyZALD3rYBwQYa60Ax6QuULJ
+vBz/h1GFajah+2py6VS4JodBLD2MBWGIyoVmnTwsXBet+zNvugnb34uTsGM7I5Vz
+icUu6966lze9Lp7WkEF2GmHq+ZIE0B/ttP4uNhkCuxGZJtEFGk3GgwRUlfxWyyeJ
+x0os1yUjk4GEPkx9Yl/Aah03BUgLbRBFiGYm/DnUIq96sVNa31X4CcZyQSGmeat8
+oBkGM46Irn8xqItgO7oF2U3abPucHd6c81zM0TWyXztsK+VGiHQ23Dsn36ThZ1o4
+lqboHKQ8JFtGdukC4XmgOS+IKShxWPN6g4Mqs0xkXyqey8+Lrwwg0b51gDoZtVn0
+jxQwQk25NM36FUXDPNKNCYhFNSmB0WAZ8LKumeAd0eVgCantCdY4PR5WgRWbv3eQ
+62l+V6oH2VsT1xQgd13vTXxfz7HhleJClwvx/QHLjtKD1L1vUbF+GF/tc0/nwMPV
+7cJO2OnbV6iIjfRGxslI4t+rhYbj5JajGOszat2aPySso5MkF4WTfdn2jPeah8as
+1W8A+DAkqBGFltJBTD8VYqfu3F52MkCjShaiuQINBFQwazYBEADPNcBdaXTUwkG8
+1K9NRKsKGVZ1coVRxkOx2+VD2THTY45sBx9MGmQsmSpjU45kx/wO5KiTVj+bM+sc
+SzwNgERqLiyf/2hgOIDYaoyKSfAfIVCmm5pSa2Ad01RV9qT3i0eSSpa1Kpx8eAHK
+cVsDsWb2ZCd8/MI9778cCjrCbPI4o9zEVK+fjtmYKtdkHsEoMSVU6Jy86E908OLa
+JbOeo1a7bSKs4tU8zGWAX+ddY5Cb+w3cHQb4QheDWZHMel8ZcEgTah7huS6lUA4s
+eQnTKXHmkIZ+uNtB3gFMKso/6GoOGZnUTk8dPY3POLY1nbMQ/dEvMQpFxLCOBNQP
+0lhO4DGP0KuwLXzq2XAxrylX5tY0bNmZKLTjhi4CbKAtc/+iwMUkQQXJRw7Vlp9F
+p9ogOvzx/YlMaZQZZixg5uN2b4UD5cWliHn4Aq7DkTzQJe31m7sezA3cLnFR86ol
+2X77y79n0GRjGsMa+b+e9NRWNKs28JiCPF3ya31Kk+3+sjauCZQW3KYx31Il5bO3
+ulLHOtxhSkCUHx5sJ81NJIhZFr+7yAel/ECCiT9KbVbhddJBHsd7GNkwzb1Qivcq
+nYiBW9QzXkQ+xAKHfS7YM5ooYcg6G7jw89/W0xznnGiz5JTjMkj1s9cppQ8tdqiV
+4Uemvx/96Nr5F7n++UJZ7Oval9/zswARAQABiQIfBBgBAgAJBQJUMGs2AhsMAAoJ
+ENXp5D99+e6M69gP/2MzECejKPv0lN9vHTnqLHiP7BcqbivPNqT4V3yal/JfB9c8
+h2ylsuZSy4r9TKDTgv/KVm6b9kJVsjdzyqwerKwpZ6T8ohyDt+/5UAXKY7wH8vR1
+qZdtRQ8Z/UbsZ2vyDGMKutBIxOYfDcpzZ+e78nRd6k3E6pIbR1utS972wQHM/VTE
+msvUFZtX+qszOVm2y8adbHzY0FikqN/NZI7NVY+8gkwaybpd6knl9ArEQe1heVWD
+GpaTUxz0SKglqc0zHDtxOUkhiCcvgKsAGWbxYspRq0rLsek51RFSdO7NJ59co96u
+yIu2r/sGhpk3+/QdAMmb9CGeI+DVFhTZxobBtWxLphS5EJeyHfzOtZNMijrrB3cw
+3GWws3nMsMNcN1g/o+MLxpHwcuJkEai4so7rbDf3acUUZFCwEzBPkx/SeXjatAOb
+EUWmshIgNUw3AFnxdD7QOLJjctRsiGq6GwvsZ/ABDYuHnmGQW3w34fKEYRLCAkOq
+7NPfMImM/I7Wf6Tq7s24g+2Sg8vr4yrWKoIxp4qB0GpSQmayk1J0RKR9dNqYNQsO
+r9jnI4l7KlOS+2K4b9Y0CJbiCNOdVSCf0AVnubk+2IiTrDCzEBlr5Dmz1xGC5Xdl
+BeoSujB+HqZMFf8Nbjap5byHhBYB0ypkh738JQBeuJVIgwlHVhMV8mypBNjWmQIN
+BFQv6Z8BEACuJwJkw/Iniec6U1RzocYHBFKl1eE0WBu1vthYmcn0D/GJKvWMkRhx
+9GSlWMqj9mgSFUOsFWrpPIm3Jzh4bLweUjH5I7R0Frh39dDFh1hhwHEholByyUGF
+Tb8TppptXnzzDoNz4yUQcRP2oeG1vC/ePXPWHKgtp+0hmM3MQ3WIN+gSmpdt4vMI
+oWKKCq+E1tYcsFk9URBWWEwBw+OJ37o7TrernyxwtXwdPOjYhA4mLtnKHs+5Qivu
+OvK7gNf5hggyv6fp6d2ixvJZ9CdUYFdlOwaHA97B694RcAMxaMtzUpfkiJ/Q2zR8
+3QG4az6COKK38W6Kp7bLveMF6Rb4Y+gOjV4KvHKpzNAP2sNkmCIohlmoPhT9Ce9t
+Wq6oK+o1MEc1Ejb1/kn9CeCloKlF8HkzhFLpqqkZ//3j73/6kuK45UVg5PbO3GLc
+yTJW4enmTUFxy0d24Bfdgu7FpH1vHIisDkON3QO4TMwCJoLWGULqpJKP7kUf5HCn
+afDroN5wF9jMVxFhmDOOdXyIeYkBVF6swwIlyq8VlYSjYWGAUtIb3rOiUNWczYY6
+spdAN6VtKTMnXTm608yH118p+UOB5rJuKBqk3tMaiIjoyOcya4ImenX85rfKeCOV
+NtdOC/0N8McfO0eFc6fZxcy7ykZ1a7FLyqQDexpZM7OLoM5SXObX1QARAQABtCVP
+cGVuU1NMIE9NQyA8b3BlbnNzbC1vbWNAb3BlbnNzbC5vcmc+iQJUBBMBCgA+AhsD
+BQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAFiEE78CkZ9YTy4PH7W0w2JTizos9efUF
+AmPX/O0FCRGJRs4ACgkQ2JTizos9efVwcw//SJ1HcktYXQu39rhGw+QPuVBVMMvY
+as8vLFy6xn1DLSQt1K/ggEaqR8OiwvaKhZQDIXUqSCDc7MC76WKmClJZUFsNG0ra
+lnnesLqJwu50JOHyYWloUzBMlTQu4KctRXBUGGWf68FcX7b1ehHrDiC/nDPU4NiC
+r3aybLhbZoXKxJqwFaz7jlZCAWzo8pVOYh27N4VteQ6jF4rurPcC5cUiballnBk+
+F6d0o1Mtl0c7FsBT63bJ2XI9YdQtaJ4JSKTbqu8kBeq6wZilHcuxQpV7MBIPh3uq
+lesy4WaOm0QGTtm/4OGjVzVToeQUvWaUHbORXox8d5Wuhs3zzP7MwtFiUdq/+kak
+f3Ys6z5YbCV94OSPn0ZzRpjq1Gu0vzq0d0JVshOab8rSk56NFLz7iEwOzBrUH98+
+J+FGzO22Mi5giFRJA0JfSmsdb7RGCyise7FS5iVEFaqPEZpo6LbUWevgeVFjgfnV
+77d2fpiSx7fdsujS5OIjl6t24DvXjD4JPhnS144LYHru0t9wTRPfOP9Afowy6oYB
+IytrKQOdLj1wVLQ5vgLvrNc33jyVX0MXWqCmNNIjpbbo0UurKhNT7W3m0x4A2pMZ
+6/TApc05kc+spgIJcaO9qIJNDiQjRC3XJCtBx3eYRixCgZUlRmEsdiffOaO1RP62
+ga+/2FC5uJNC1yW0L09wZW5TU0wgU2VjdXJpdHkgPG9wZW5zc2wtc2VjdXJpdHlA
+b3BlbnNzbC5vcmc+iQJVBBMBCgA/AhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIX
+gBYhBO/ApGfWE8uDx+1tMNiU4s6LPXn1BQJiKerwBQkXYALFAAoJENiU4s6LPXn1
+m8gP/3MOYfZM6oxzT61slJ6nIUgPwQMRgH7/CFub01yiBqLv72xftnleKRnvHI2B
+K34hDCNlxKoFtzarQfCHtSabx2/yQEQ6V0QHjtJwM+vFGYr9LPgWBtXC9DCYMUps
+CxKNVyMcfjWEET2iD4ViHYHSZoTspRh0W2T31LtILF9ybxWGCb6km2WCceOycy4L
+7GkbWNOqDrfPYalTqfYHkuB7cHGYiKIatROBcvPk2Ee4jL+tpQQBtMTqCwsuFMzN
+6VWwoc3H5iy7R+GWwztpLL4Wn3nOpVHrcTCbr6gpaeKGA6fbnK3GRd6SQNH3khhe
+hFzpmKNyjIlWxt+Q6nyayPIL2ukD0xaPFkbE2e4VK5/wYqF8ezq65rZefviDwFO3
+P9CTxwlaK3cYpw/1w3XBVbNiCH+Yi/dePwmiPAF5njOB9JvZLmkvTdFCPPt4CAYT
+tfXD9VSQcPxFncI8B7VJX3epjgG8LlQIzxFkJnH9IyMaFEfbft4nmYz3XB7rOXff
+8R9oji3RB2EER0Yi5Shbbj4VoKsu1IKVkcnv+tvGreQvZuU3xkAZXUqDpFMz0Bhq
+Vd6VIh3iZUDwQGJdQALwCvPmNk/YkmV1LjF4jKd5aZQxM1yh41Gl11JIBbhrPy/G
+AfgQTQUhPxktO/JEK3Olrsu5ppxNtmhX+xtDf4Yp/vUHiFiatDRPcGVuU1NMIHNl
+Y3VyaXR5IHRlYW0gPG9wZW5zc2wtc2VjdXJpdHlAb3BlbnNzbC5vcmc+iQJUBBMB
+CgA+AhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAFiEE78CkZ9YTy4PH7W0w2JTi
+zos9efUFAmPX/PkFCRGJRs4ACgkQ2JTizos9efWXgg/+Negna1HZIWs18LDktjV4
+9a3IeKhjJV+UrTvQnFpSNXbwpnKa6iVX9PlE+3nLkIrkz6HJuBl1MZElcmrqIsVC
+KHcrbcJSgZM4fV0AgEEm5gNfK19gbJjs1qdbtwTYccDiHwGl4EeTkPsOCo20QEC8
+jvkdHvMsvoD11c57NprQVVsOyuyz7B7LwV+6hZ2MAv6BZrNEXBjzqxHGKcq4iyOK
+TGwRAufiXdq2+kV7GVjihH41YjV08f/b7O2uAm4k/IbULtvY3Y/9rVvtU/Na044F
+QBGObH7/DbEOc8uFAH8Vy7M32rZmQet7pO8M5BrBMAaU2OAzZQ5CqauGvjTJ4GXi
++pBoCVafPvsGkB1W6IxnPPJZsFw9kxOKSV1Md4jh90OdaIGeHW4qagRaLDtDRtkF
+nIkbtc38HC/e30ANoNS3Enws7XSNvQ+O7HfeSsATsM/2cjL8c281Nv9o+xaNI4TN
+3KsfRswcQtnsN2cCkPZWKgTJcjpdANkX9CK7mYNS8bu6YsAVnRF2iAB25Vjcz/92
+Dd28/nPI2CkKkOMhDtnFty8B2LZ2tbfoU1DsNzg+b3ejaXLZjhnZdL3b3F4iKpyz
+DhTpDHo4P/yxrtV8LOmHJN63oc1JljqgkU+RcxndSZ/LDHqtVH02VwVHMVt4no62
+mZj2UNT2+Ci5p+tze4Rhfl65Ag0EVC/pnwEQAMB3s+8dq5T8fW+b3OcGujEcbhyg
+uc6D5shlNWsuCV3W7+izsVUe+0hD1YwD30C6zj2+CJrMxPQ/BB3u3SbyHMDP5fKL
+7GQiA/n192hX2DuHxvQwnDNkHxYghtrFKOlXAyte2awA0fC+e0o8lHa1Yd2ZZNql
+DC23qJtLMJH8bX8CIr59KckNyv64bF+hVPIN3evnh1Ajn4A85848EZMQcjedg72M
+sA3TW2D4omayY7eXE5uut7FYcY6SM4pThIB2X9DM39Rgy3qC4ObvEkEfaWnJfHxy
+XiA8XF+FZukXc/iM68P0VS/sMml9QPsYMWnMHcGlOcuzQJRAalqZJwuK0ZIvobh/
+Y9rYLxrHtNCgSjaFuSN9K/YhpAxs80H6lVa7GCSASTRrS3OvmY++fTsUPzSOvit0
+kqQfimziYx7QcJIagG92mvUmuf2PEfzvSi6iaIqMhaTaJq5qxOR0q430KakQktNP
+X53HflWL7YenDPYw1rEyQFxGqjaBY1X8NtuzZ0P4cahgsBFc8HgYu2u3Ysd5wmvS
+TsOXld8Qsns1KIUOpzgWw56AJ6dxS3lK4QSUFwjzbZW9H0jJ49eBMAaA+hCjv8c/
+4BFuZq9Gvsafn425Lx1V/3PFJlPu55V+7qWjeOkSzNctMlmCqPQVetbZ/pHLAJO5
+IUO3SoTs5kl6bARzABEBAAGJAjwEGAEKACYCGwwWIQTvwKRn1hPLg8ftbTDYlOLO
+iz159QUCY9f9DQUJEYlG7gAKCRDYlOLOiz159f5RD/9Dhv5+muyWX9U4wNH7Dt7K
+HOtFyQ6+YrlLGj6WgZlFQD3sz1hVabJsHwFuiaIjnZmQwiUJm72jCMUncL3OsWrQ
+Xm6SU60aG20XeQl1oXWmSD9D/len23hOYo/3WsC3o1AIkLA9cJ3h/oo3I7RE30sk
+w4MwQ4oCFlmidmOLvkz3TD22qxf+WaK7KO0vJRVHQIVl1ZdsBSSULcr8BcupKXaK
+SBJQDya2TkEh6OUf1B/7EIk811oeNSaL9eJXS9VGDytVyjGGXSbudBw2XAV0/oiP
+PDKYElbOZH66d6marGwCCdc29cNono/7zf0+/hyunzY3m1PkYGyzUmfWq4WNulJ9
+GEAz0O1rss/4hxnGqn/m3gue+aQx4hji/K/vAV+531YT9MEp6m6e3074a7Hvn2l/
+tsBoL1Xseb6J9ZGL8fnZiuG6RF4sP1LzsQXmyjgr1yTlCShgNQCYXAgprWXPCwv1
+76kL0WxkGhcI+GmSe3kNWr3HYoeTfBQ/G8GWaIZ2qJRY/d/P9bgWu3oztWcVqEDo
+rK3Pbu5/VeIeEfIkc717EgvdZU4EB70vE/jnY1V9GLFzdPcygy7bz5aA4IA/Y12V
+FdhQ9/E7HFvEv0KUa294rQiH86lRyCJIaEUqeymypLjoU2oeR4Cujkne+5spQHBf
+n2/RWGqH28v+vqHysb/8GA==
+=BQaf
-----END PGP PUBLIC KEY BLOCK-----
diff -Nru openssl-3.0.9/doc/man1/openssl-dhparam.pod.in openssl-3.0.10/doc/man1/openssl-dhparam.pod.in
--- openssl-3.0.9/doc/man1/openssl-dhparam.pod.in 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/doc/man1/openssl-dhparam.pod.in 2023-08-01 15:47:24.000000000 +0200
@@ -88,7 +88,7 @@
the input file is ignored and parameters are generated instead. If
this option is not present but a generator (B<-2>, B<-3> or B<-5>) is
present, parameters are generated with a default length of 2048 bits.
-The minimim length is 512 bits. The maximum length is 10000 bits.
+The minimum length is 512 bits. The maximum length is 10000 bits.
=item B<-noout>
@@ -126,7 +126,7 @@
=head1 COPYRIGHT
-Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.9/doc/man1/openssl-genpkey.pod.in openssl-3.0.10/doc/man1/openssl-genpkey.pod.in
--- openssl-3.0.9/doc/man1/openssl-genpkey.pod.in 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/doc/man1/openssl-genpkey.pod.in 2023-08-01 15:47:24.000000000 +0200
@@ -278,7 +278,7 @@
If this option is set, then the appropriate RFC5114 parameters are used
instead of generating new parameters. The value I<num> can be one of
-1, 2 or 3 that are equivalant to using the option B<group> with one of
+1, 2 or 3 that are equivalent to using the option B<group> with one of
"dh_1024_160", "dh_2048_224" or "dh_2048_256".
All other options will be ignored if this value is set.
@@ -333,7 +333,7 @@
=item "default"
Selects a default type based on the B<algorithm>. This is used by the
-OpenSSL default provider to set the type for backwards compatability.
+OpenSSL default provider to set the type for backwards compatibility.
If B<algorithm> is B<"DH"> then B<"generator"> is used.
If B<algorithm> is B<"DHX"> then B<"fips186_2"> is used.
@@ -494,7 +494,7 @@
=head1 COPYRIGHT
-Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.9/doc/man1/openssl-genrsa.pod.in openssl-3.0.10/doc/man1/openssl-genrsa.pod.in
--- openssl-3.0.9/doc/man1/openssl-genrsa.pod.in 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/doc/man1/openssl-genrsa.pod.in 2023-08-01 15:47:24.000000000 +0200
@@ -35,9 +35,6 @@
=head1 DESCRIPTION
-This command has been deprecated.
-The L<openssl-genpkey(1)> command should be used instead.
-
This command generates an RSA private key.
=head1 OPTIONS
@@ -118,13 +115,9 @@
L<openssl-genpkey(1)>,
L<openssl-gendsa(1)>
-=head1 HISTORY
-
-This command was deprecated in OpenSSL 3.0.
-
=head1 COPYRIGHT
-Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.9/doc/man1/openssl-kdf.pod.in openssl-3.0.10/doc/man1/openssl-kdf.pod.in
--- openssl-3.0.9/doc/man1/openssl-kdf.pod.in 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/doc/man1/openssl-kdf.pod.in 2023-08-01 15:47:24.000000000 +0200
@@ -66,8 +66,7 @@
=item B<-kdfopt> I<nm>:I<v>
Passes options to the KDF algorithm.
-A comprehensive list of parameters can be found in the EVP_KDF_CTX
-implementation documentation.
+A comprehensive list of parameters can be found in L<EVP_KDF(3)/PARAMETERS>.
Common parameter names used by EVP_KDF_CTX_set_params() are:
=over 4
@@ -81,9 +80,8 @@
=item B<hexkey:>I<string>
-Specifies the secret key in hexadecimal form (two hex digits per byte).
-The key length must conform to any restrictions of the KDF algorithm.
-A key must be specified for most KDF algorithms.
+Alternative to the B<key:> option where
+the secret key is specified in hexadecimal form (two hex digits per byte).
=item B<pass:>I<string>
@@ -93,8 +91,35 @@
=item B<hexpass:>I<string>
-Specifies the password in hexadecimal form (two hex digits per byte).
-The password must be specified for PBKDF2 and scrypt.
+Alternative to the B<pass:> option where
+the password is specified in hexadecimal form (two hex digits per byte).
+
+=item B<salt:>I<string>
+
+Specifies a non-secret unique cryptographic salt as an alphanumeric string
+(use if it contains printable characters only).
+The length must conform to any restrictions of the KDF algorithm.
+A salt parameter is required for several KDF algorithms,
+such as L<EVP_KDF-PBKDF2(7)>.
+
+=item B<hexsalt:>I<string>
+
+Alternative to the B<salt:> option where
+the salt is specified in hexadecimal form (two hex digits per byte).
+
+=item B<info:>I<string>
+
+Some KDF implementations, such as L<EVP_KDF-HKDF(7)>, take an 'info' parameter
+for binding the derived key material
+to application- and context-specific information.
+Specifies the info, fixed info, other info or shared info argument
+as an alphanumeric string (use if it contains printable characters only).
+The length must conform to any restrictions of the KDF algorithm.
+
+=item B<hexinfo:>I<string>
+
+Alternative to the B<info:> option where
+the info is specified in hexadecimal form (two hex digits per byte).
=item B<digest:>I<string>
@@ -195,7 +220,7 @@
=head1 COPYRIGHT
-Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.9/doc/man1/openssl-rsautl.pod.in openssl-3.0.10/doc/man1/openssl-rsautl.pod.in
--- openssl-3.0.9/doc/man1/openssl-rsautl.pod.in 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/doc/man1/openssl-rsautl.pod.in 2023-08-01 15:47:24.000000000 +0200
@@ -99,7 +99,7 @@
Decrypt the input data using an RSA private key.
-=item B<-pkcs>, B<-oaep>, B<-x931> B<-raw>
+=item B<-pkcs>, B<-oaep>, B<-x931>, B<-raw>
The padding to use: PKCS#1 v1.5 (the default), PKCS#1 OAEP,
ANSI X9.31, or no padding, respectively.
@@ -232,7 +232,7 @@
=head1 COPYRIGHT
-Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.9/doc/man1/openssl-s_client.pod.in openssl-3.0.10/doc/man1/openssl-s_client.pod.in
--- openssl-3.0.9/doc/man1/openssl-s_client.pod.in 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/doc/man1/openssl-s_client.pod.in 2023-08-01 15:47:24.000000000 +0200
@@ -274,7 +274,7 @@
=item B<-pass> I<arg>
-the private key and certifiate file password source.
+the private key and certificate file password source.
For more information about the format of I<arg>
see L<openssl-passphrase-options(1)>.
@@ -910,7 +910,7 @@
=head1 COPYRIGHT
-Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.9/doc/man1/openssl-verification-options.pod openssl-3.0.10/doc/man1/openssl-verification-options.pod
--- openssl-3.0.9/doc/man1/openssl-verification-options.pod 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/doc/man1/openssl-verification-options.pod 2023-08-01 15:47:24.000000000 +0200
@@ -92,7 +92,7 @@
=item *
It has a positive trust attribute accepting the given use
-or (by default) one of the following compatibilty conditions apply:
+or (by default) one of the following compatibility conditions apply:
It is self-signed or the B<-partial_chain> option is given
(which corresponds to the B<X509_V_FLAG_PARTIAL_CHAIN> flag being set).
@@ -686,7 +686,7 @@
=head1 COPYRIGHT
-Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.9/doc/man1/openssl-x509.pod.in openssl-3.0.10/doc/man1/openssl-x509.pod.in
--- openssl-3.0.9/doc/man1/openssl-x509.pod.in 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/doc/man1/openssl-x509.pod.in 2023-08-01 15:47:24.000000000 +0200
@@ -478,7 +478,7 @@
=item B<-CAform> B<DER>|B<PEM>|B<P12>,
-The format for the CA certificate; unspecifed by default.
+The format for the CA certificate; unspecified by default.
See L<openssl-format-options(1)> for details.
=item B<-CAkey> I<filename>|I<uri>
@@ -784,7 +784,7 @@
=head1 COPYRIGHT
-Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.9/doc/man3/ASN1_aux_cb.pod openssl-3.0.10/doc/man3/ASN1_aux_cb.pod
--- openssl-3.0.9/doc/man3/ASN1_aux_cb.pod 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/doc/man3/ASN1_aux_cb.pod 2023-08-01 15:47:24.000000000 +0200
@@ -3,7 +3,7 @@
=head1 NAME
ASN1_AUX, ASN1_PRINT_ARG, ASN1_STREAM_ARG, ASN1_aux_cb, ASN1_aux_const_cb
-- ASN.1 auxilliary data
+- ASN.1 auxiliary data
=head1 SYNOPSIS
@@ -45,7 +45,7 @@
additional information about the ASN.1 structure. An B<ASN1_AUX> structure is
associated with the structure during the definition of the ASN.1 template. For
example an B<ASN1_AUX> structure will be associated by using one of the various
-ASN.1 template definition macros that supply auxilliary information such as
+ASN.1 template definition macros that supply auxiliary information such as
ASN1_SEQUENCE_enc(), ASN1_SEQUENCE_ref(), ASN1_SEQUENCE_cb_const_cb(),
ASN1_SEQUENCE_const_cb(), ASN1_SEQUENCE_cb() or ASN1_NDEF_SEQUENCE_cb().
@@ -274,7 +274,7 @@
=head1 COPYRIGHT
-Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.9/doc/man3/ASN1_item_sign.pod openssl-3.0.10/doc/man3/ASN1_item_sign.pod
--- openssl-3.0.9/doc/man3/ASN1_item_sign.pod 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/doc/man3/ASN1_item_sign.pod 2023-08-01 15:47:24.000000000 +0200
@@ -62,7 +62,7 @@
ASN1_item_sign() is similar to ASN1_item_sign_ex() but uses default values of
NULL for the I<id>, I<libctx> and I<propq>.
-ASN1_item_sign_ctx() is similiar to ASN1_item_sign() but uses the parameters
+ASN1_item_sign_ctx() is similar to ASN1_item_sign() but uses the parameters
contained in digest context I<ctx>.
ASN1_item_verify_ex() is used to verify the signature I<signature> of internal
@@ -77,7 +77,7 @@
ASN1_item_verify() is similar to ASN1_item_verify_ex() but uses default values of
NULL for the I<id>, I<libctx> and I<propq>.
-ASN1_item_verify_ctx() is similiar to ASN1_item_verify() but uses the parameters
+ASN1_item_verify_ctx() is similar to ASN1_item_verify() but uses the parameters
contained in digest context I<ctx>.
@@ -216,7 +216,7 @@
=head1 COPYRIGHT
-Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.9/doc/man3/ASYNC_WAIT_CTX_new.pod openssl-3.0.10/doc/man3/ASYNC_WAIT_CTX_new.pod
--- openssl-3.0.9/doc/man3/ASYNC_WAIT_CTX_new.pod 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/doc/man3/ASYNC_WAIT_CTX_new.pod 2023-08-01 15:47:24.000000000 +0200
@@ -83,7 +83,7 @@
to ASYNC_WAIT_CTX_get_all_fds() either of these can be NULL, but if they are not
NULL then the caller is responsible for ensuring sufficient memory is allocated.
-Implementors of async aware code (e.g. engines) are encouraged to return a
+Implementers of async aware code (e.g. engines) are encouraged to return a
stable fd for the lifetime of the B<ASYNC_WAIT_CTX> in order to reduce the
"churn" of regularly changing fds - although no guarantees of this are provided
to applications.
@@ -216,7 +216,7 @@
=head1 COPYRIGHT
-Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.9/doc/man3/BIO_s_core.pod openssl-3.0.10/doc/man3/BIO_s_core.pod
--- openssl-3.0.9/doc/man3/BIO_s_core.pod 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/doc/man3/BIO_s_core.pod 2023-08-01 15:47:24.000000000 +0200
@@ -22,7 +22,7 @@
a BIO within libcrypto, but cannot be used directly by a provider. Instead it
should be wrapped using a BIO_s_core().
-Once a BIO is contructed based on BIO_s_core(), the associated OSSL_CORE_BIO
+Once a BIO is constructed based on BIO_s_core(), the associated OSSL_CORE_BIO
object should be set on it using BIO_set_data(3). Note that the BIO will only
operate correctly if it is associated with a library context constructed using
OSSL_LIB_CTX_new_from_dispatch(3). To associate the BIO with a library context
@@ -62,7 +62,7 @@
=head1 COPYRIGHT
-Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.9/doc/man3/BN_rand.pod openssl-3.0.10/doc/man3/BN_rand.pod
--- openssl-3.0.9/doc/man3/BN_rand.pod 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/doc/man3/BN_rand.pod 2023-08-01 15:47:24.000000000 +0200
@@ -59,7 +59,7 @@
is always used.
BN_rand_range_ex() generates a cryptographically strong pseudo-random
-number I<rnd>, of security stength at least I<strength> bits,
+number I<rnd>, of security strength at least I<strength> bits,
in the range 0 E<lt>= I<rnd> E<lt> I<range> using the random number
generator for the library context associated with I<ctx>. The parameter I<ctx>
may be NULL in which case the default library context is used.
@@ -119,7 +119,7 @@
=head1 COPYRIGHT
-Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.9/doc/man3/CONF_modules_load_file.pod openssl-3.0.10/doc/man3/CONF_modules_load_file.pod
--- openssl-3.0.9/doc/man3/CONF_modules_load_file.pod 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/doc/man3/CONF_modules_load_file.pod 2023-08-01 15:47:24.000000000 +0200
@@ -34,7 +34,7 @@
If B<appname> is NULL the standard OpenSSL application name B<openssl_conf> is
used.
The behaviour can be customized using B<flags>. Note that, the error suppressing
-can be overriden by B<config_diagnostics> as described in L<config(5)>.
+can be overridden by B<config_diagnostics> as described in L<config(5)>.
CONF_modules_load_file() is the same as CONF_modules_load_file_ex() but
has a NULL library context.
@@ -154,7 +154,7 @@
=head1 COPYRIGHT
-Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2004-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.9/doc/man3/DH_get0_pqg.pod openssl-3.0.10/doc/man3/DH_get0_pqg.pod
--- openssl-3.0.9/doc/man3/DH_get0_pqg.pod 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/doc/man3/DH_get0_pqg.pod 2023-08-01 15:47:24.000000000 +0200
@@ -40,7 +40,7 @@
All of the functions described on this page are deprecated.
Applications should instead use L<EVP_PKEY_get_bn_param(3)> for any methods that
-return a B<BIGNUM>. Refer to L<EVP_PKEY-DH(7)> for more infomation.
+return a B<BIGNUM>. Refer to L<EVP_PKEY-DH(7)> for more information.
A DH object contains the parameters I<p>, I<q> and I<g>. Note that the I<q>
parameter is optional. It also contains a public key (I<pub_key>) and
@@ -141,7 +141,7 @@
=head1 COPYRIGHT
-Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.9/doc/man3/EVP_chacha20.pod openssl-3.0.10/doc/man3/EVP_chacha20.pod
--- openssl-3.0.9/doc/man3/EVP_chacha20.pod 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/doc/man3/EVP_chacha20.pod 2023-08-01 15:47:24.000000000 +0200
@@ -22,10 +22,10 @@
=item EVP_chacha20()
The ChaCha20 stream cipher. The key length is 256 bits, the IV is 128 bits long.
-The first 32 bits consists of a counter in little-endian order followed by a 96
+The first 64 bits consists of a counter in little-endian order followed by a 64
bit nonce. For example a nonce of:
-000000000000000000000002
+0000000000000002
With an initial counter of 42 (2a in hex) would be expressed as:
@@ -47,6 +47,9 @@
L<EVP_CIPHER_fetch(3)> instead.
See L<crypto(7)/Performance> for further information.
+L<RFC 7539|https://www.rfc-editor.org/rfc/rfc7539.html#section-2.4>
+uses a 32 bit counter and a 96 bit nonce for the IV.
+
=head1 RETURN VALUES
These functions return an B<EVP_CIPHER> structure that contains the
diff -Nru openssl-3.0.9/doc/man3/EVP_EncryptInit.pod openssl-3.0.10/doc/man3/EVP_EncryptInit.pod
--- openssl-3.0.9/doc/man3/EVP_EncryptInit.pod 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/doc/man3/EVP_EncryptInit.pod 2023-08-01 15:47:24.000000000 +0200
@@ -665,7 +665,7 @@
the underlying encryption/decryption primitive.
For example AES in CTR mode has a block size of 1 (because it operates like a
stream cipher), even though AES has a block size of 16.
-Use EVP_CIPHER_get_block_size() to retreive the cached value.
+Use EVP_CIPHER_get_block_size() to retrieve the cached value.
=item "aead" (B<OSSL_CIPHER_PARAM_AEAD>) <integer>
@@ -1192,10 +1192,11 @@
EVP_CipherInit_ex2() and EVP_CipherUpdate() return 1 for success and 0 for failure.
EVP_CipherFinal_ex() returns 0 for a decryption failure or 1 for success.
-EVP_Cipher() returns the amount of encrypted / decrypted bytes, or -1
-on failure if the flag B<EVP_CIPH_FLAG_CUSTOM_CIPHER> is set for the
-cipher. EVP_Cipher() returns 1 on success or 0 on failure, if the flag
+EVP_Cipher() returns 1 on success or 0 on failure, if the flag
B<EVP_CIPH_FLAG_CUSTOM_CIPHER> is not set for the cipher.
+EVP_Cipher() returns the number of bytes written to I<out> for encryption / decryption, or
+the number of bytes authenticated in a call specifying AAD for an AEAD cipher, if the flag
+B<EVP_CIPH_FLAG_CUSTOM_CIPHER> is set for the cipher.
EVP_CIPHER_CTX_reset() returns 1 for success and 0 for failure.
@@ -1266,7 +1267,8 @@
To specify additional authenticated data (AAD), a call to EVP_CipherUpdate(),
EVP_EncryptUpdate() or EVP_DecryptUpdate() should be made with the output
-parameter I<out> set to B<NULL>.
+parameter I<out> set to B<NULL>. In this case, on success, the parameter
+I<outl> is set to the number of bytes authenticated.
When decrypting, the return value of EVP_DecryptFinal() or EVP_CipherFinal()
indicates whether the operation was successful. If it does not indicate success,
diff -Nru openssl-3.0.9/doc/man3/EVP_KDF.pod openssl-3.0.10/doc/man3/EVP_KDF.pod
--- openssl-3.0.9/doc/man3/EVP_KDF.pod 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/doc/man3/EVP_KDF.pod 2023-08-01 15:47:24.000000000 +0200
@@ -191,7 +191,7 @@
=item "salt" (B<OSSL_KDF_PARAM_SALT>) <octet string>
-Some KDF implementations can take a salt.
+Some KDF implementations can take a non-secret unique cryptographic salt.
For those KDF implementations that support it, this parameter sets the salt.
The default value, if any, is implementation dependent.
@@ -227,6 +227,15 @@
For those KDF implementations that support it, this octet string parameter
sets the key.
+=item "info" (B<OSSL_KDF_PARAM_INFO>) <octet string>
+
+Some KDF implementations, such as L<EVP_KDF-HKDF(7)>, take an 'info' parameter
+for binding the derived key material
+to application- and context-specific information.
+This parameter sets the info, fixed info, other info or shared info argument.
+You can specify this parameter multiple times, and each instance will
+be concatenated to form the final value.
+
=item "maclen" (B<OSSL_KDF_PARAM_MAC_SIZE>) <unsigned integer>
Used by implementations that use a MAC with a variable output size (KMAC).
@@ -295,7 +304,7 @@
=head1 COPYRIGHT
-Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.9/doc/man3/EVP_KEYMGMT.pod openssl-3.0.10/doc/man3/EVP_KEYMGMT.pod
--- openssl-3.0.9/doc/man3/EVP_KEYMGMT.pod 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/doc/man3/EVP_KEYMGMT.pod 2023-08-01 15:47:24.000000000 +0200
@@ -123,7 +123,7 @@
EVP_KEYMGMT_get0_name() returns the algorithm name, or NULL on error.
-EVP_KEYMGMT_get0_description() returns a pointer to a decription, or NULL if
+EVP_KEYMGMT_get0_description() returns a pointer to a description, or NULL if
there isn't one.
EVP_KEYMGMT_gettable_params(), EVP_KEYMGMT_settable_params() and
@@ -140,7 +140,7 @@
=head1 COPYRIGHT
-Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.9/doc/man3/EVP_PKEY2PKCS8.pod openssl-3.0.10/doc/man3/EVP_PKEY2PKCS8.pod
--- openssl-3.0.9/doc/man3/EVP_PKEY2PKCS8.pod 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/doc/man3/EVP_PKEY2PKCS8.pod 2023-08-01 15:47:24.000000000 +0200
@@ -21,7 +21,7 @@
EVP_PKCS82PKEY_ex() converts a PKCS8 object I<p8> into a returned private key.
It uses I<libctx> and I<propq> when fetching algorithms.
-EVP_PKCS82PKEY() is similiar to EVP_PKCS82PKEY_ex() but uses default values of
+EVP_PKCS82PKEY() is similar to EVP_PKCS82PKEY_ex() but uses default values of
NULL for the I<libctx> and I<propq>.
=head1 RETURN VALUES
@@ -37,7 +37,7 @@
=head1 COPYRIGHT
-Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.9/doc/man3/EVP_PKEY_decapsulate.pod openssl-3.0.10/doc/man3/EVP_PKEY_decapsulate.pod
--- openssl-3.0.9/doc/man3/EVP_PKEY_decapsulate.pod 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/doc/man3/EVP_PKEY_decapsulate.pod 2023-08-01 15:47:24.000000000 +0200
@@ -3,7 +3,7 @@
=head1 NAME
EVP_PKEY_decapsulate_init, EVP_PKEY_decapsulate
-- Key decapsulation using a private key algorithm
+- Key decapsulation using a KEM algorithm with a private key
=head1 SYNOPSIS
@@ -11,7 +11,7 @@
int EVP_PKEY_decapsulate_init(EVP_PKEY_CTX *ctx, const OSSL_PARAM params[]);
int EVP_PKEY_decapsulate(EVP_PKEY_CTX *ctx,
- unsigned char *secret, size_t *secretlen,
+ unsigned char *unwrapped, size_t *unwrappedlen,
const unsigned char *wrapped, size_t wrappedlen);
=head1 DESCRIPTION
@@ -19,18 +19,20 @@
The EVP_PKEY_decapsulate_init() function initializes a private key algorithm
context I<ctx> for a decapsulation operation and then sets the I<params>
on the context in the same way as calling L<EVP_PKEY_CTX_set_params(3)>.
+Note that I<ctx> usually is produced using L<EVP_PKEY_CTX_new_from_pkey(3)>,
+specifying the private key to use.
The EVP_PKEY_decapsulate() function performs a private key decapsulation
operation using I<ctx>. The data to be decapsulated is specified using the
I<wrapped> and I<wrappedlen> parameters.
-If I<secret> is I<NULL> then the maximum size of the output secret buffer
-is written to the I<*secretlen> parameter. If I<secret> is not B<NULL> and the
-call is successful then the decapsulated secret data is written to I<secret> and
-the amount of data written to I<secretlen>.
+If I<unwrapped> is NULL then the maximum size of the output secret buffer
+is written to I<*unwrappedlen>. If I<unwrapped> is not NULL and the
+call is successful then the decapsulated secret data is written to I<unwrapped>
+and the amount of data written to I<*unwrappedlen>.
=head1 NOTES
-After the call to EVP_PKEY_decapsulate_init() algorithm specific parameters
+After the call to EVP_PKEY_decapsulate_init() algorithm-specific parameters
for the operation may be set or modified using L<EVP_PKEY_CTX_set_params(3)>.
=head1 RETURN VALUES
@@ -79,7 +81,7 @@
=head1 SEE ALSO
-L<EVP_PKEY_CTX_new(3)>,
+L<EVP_PKEY_CTX_new_from_pkey(3)>,
L<EVP_PKEY_encapsulate(3)>,
L<EVP_KEM-RSA(7)>,
@@ -89,7 +91,7 @@
=head1 COPYRIGHT
-Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.9/doc/man3/EVP_PKEY_derive.pod openssl-3.0.10/doc/man3/EVP_PKEY_derive.pod
--- openssl-3.0.9/doc/man3/EVP_PKEY_derive.pod 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/doc/man3/EVP_PKEY_derive.pod 2023-08-01 15:47:24.000000000 +0200
@@ -32,7 +32,7 @@
be a public key. The I<validate_peer> will validate the public key if this value
is non zero.
-EVP_PKEY_derive_set_peer() is similiar to EVP_PKEY_derive_set_peer_ex() with
+EVP_PKEY_derive_set_peer() is similar to EVP_PKEY_derive_set_peer_ex() with
I<validate_peer> set to 1.
EVP_PKEY_derive() derives a shared secret using I<ctx>.
@@ -114,7 +114,7 @@
=head1 COPYRIGHT
-Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.9/doc/man3/EVP_PKEY_encapsulate.pod openssl-3.0.10/doc/man3/EVP_PKEY_encapsulate.pod
--- openssl-3.0.9/doc/man3/EVP_PKEY_encapsulate.pod 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/doc/man3/EVP_PKEY_encapsulate.pod 2023-08-01 15:47:24.000000000 +0200
@@ -3,7 +3,7 @@
=head1 NAME
EVP_PKEY_encapsulate_init, EVP_PKEY_encapsulate
-- Key encapsulation using a public key algorithm
+- Key encapsulation using a KEM algorithm with a public key
=head1 SYNOPSIS
@@ -11,7 +11,7 @@
int EVP_PKEY_encapsulate_init(EVP_PKEY_CTX *ctx, const OSSL_PARAM params[]);
int EVP_PKEY_encapsulate(EVP_PKEY_CTX *ctx,
- unsigned char *out, size_t *outlen,
+ unsigned char *wrappedkey, size_t *wrappedkeylen,
unsigned char *genkey, size_t *genkeylen);
=head1 DESCRIPTION
@@ -19,19 +19,27 @@
The EVP_PKEY_encapsulate_init() function initializes a public key algorithm
context I<ctx> for an encapsulation operation and then sets the I<params>
on the context in the same way as calling L<EVP_PKEY_CTX_set_params(3)>.
+Note that I<ctx> is usually is produced using L<EVP_PKEY_CTX_new_from_pkey(3)>,
+specifying the public key to use.
The EVP_PKEY_encapsulate() function performs a public key encapsulation
-operation using I<ctx> with the name I<name>.
-If I<out> is B<NULL> then the maximum size of the output buffer is written to the
-I<*outlen> parameter and the maximum size of the generated key buffer is written
-to I<*genkeylen>. If I<out> is not B<NULL> and the call is successful then the
+operation using I<ctx>.
+The symmetric secret generated in I<genkey> can be used as key material.
+The ciphertext in I<wrappedkey> is its encapsulated form, which can be sent
+to another party, who can use L<EVP_PKEY_decapsulate(3)> to retrieve it
+using their private key.
+If I<wrappedkey> is NULL then the maximum size of the output buffer
+is written to the I<*wrappedkeylen> parameter unless I<wrappedkeylen> is NULL
+and the maximum size of the generated key buffer is written to I<*genkeylen>
+unless I<genkeylen> is NULL.
+If I<wrappedkey> is not NULL and the call is successful then the
internally generated key is written to I<genkey> and its size is written to
I<*genkeylen>. The encapsulated version of the generated key is written to
-I<out> and its size is written to I<*outlen>.
+I<wrappedkey> and its size is written to I<*wrappedkeylen>.
=head1 NOTES
-After the call to EVP_PKEY_encapsulate_init() algorithm specific parameters
+After the call to EVP_PKEY_encapsulate_init() algorithm-specific parameters
for the operation may be set or modified using L<EVP_PKEY_CTX_set_params(3)>.
=head1 RETURN VALUES
@@ -82,7 +90,7 @@
=head1 SEE ALSO
-L<EVP_PKEY_CTX_new(3)>,
+L<EVP_PKEY_CTX_new_from_pkey(3)>,
L<EVP_PKEY_decapsulate(3)>,
L<EVP_KEM-RSA(7)>,
@@ -92,7 +100,7 @@
=head1 COPYRIGHT
-Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.9/doc/man3/EVP_PKEY_get_default_digest_nid.pod openssl-3.0.10/doc/man3/EVP_PKEY_get_default_digest_nid.pod
--- openssl-3.0.9/doc/man3/EVP_PKEY_get_default_digest_nid.pod 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/doc/man3/EVP_PKEY_get_default_digest_nid.pod 2023-08-01 15:47:24.000000000 +0200
@@ -18,8 +18,8 @@
EVP_PKEY_get_default_digest_name() fills in the default message digest
name for the public key signature operations associated with key
I<pkey> into I<mdname>, up to at most I<mdname_sz> bytes including the
-ending NUL byte. The name could be C<"UNDEF">, signifying that no digest
-should be used.
+ending NUL byte. The name could be C<"UNDEF">, signifying that a digest
+must (for return value 2) or may (for return value 1) be left unspecified.
EVP_PKEY_get_default_digest_nid() sets I<pnid> to the default message
digest NID for the public key signature operations associated with key
@@ -57,7 +57,7 @@
=head1 COPYRIGHT
-Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.9/doc/man3/EVP_PKEY_gettable_params.pod openssl-3.0.10/doc/man3/EVP_PKEY_gettable_params.pod
--- openssl-3.0.9/doc/man3/EVP_PKEY_gettable_params.pod 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/doc/man3/EVP_PKEY_gettable_params.pod 2023-08-01 15:47:24.000000000 +0200
@@ -60,7 +60,7 @@
EVP_PKEY_get_utf8_string_param() get a key I<pkey> UTF8 string value into a
buffer I<str> of maximum size I<max_buf_sz> associated with a name of
-I<key_name>. The maximum size must be large enough to accomodate the string
+I<key_name>. The maximum size must be large enough to accommodate the string
value including a terminating NUL byte, or this function will fail.
If I<out_len> is not NULL, I<*out_len> is set to the length of the string
not including the terminating NUL byte. The required buffer size not including
@@ -125,7 +125,7 @@
=head1 COPYRIGHT
-Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.9/doc/man3/EVP_PKEY_new.pod openssl-3.0.10/doc/man3/EVP_PKEY_new.pod
--- openssl-3.0.9/doc/man3/EVP_PKEY_new.pod 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/doc/man3/EVP_PKEY_new.pod 2023-08-01 15:47:24.000000000 +0200
@@ -62,7 +62,7 @@
B<EVP_PKEY> is a generic structure to hold diverse types of asymmetric keys
(also known as "key pairs"), and can be used for diverse operations, like
signing, verifying signatures, key derivation, etc. The asymmetric keys
-themselves are often refered to as the "internal key", and are handled by
+themselves are often referred to as the "internal key", and are handled by
backends, such as providers (through L<EVP_KEYMGMT(3)>) or B<ENGINE>s.
Conceptually, an B<EVP_PKEY> internal key may hold a private key, a public
@@ -210,7 +210,7 @@
=head1 COPYRIGHT
-Copyright 2002-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2002-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.9/doc/man3/EVP_PKEY_todata.pod openssl-3.0.10/doc/man3/EVP_PKEY_todata.pod
--- openssl-3.0.9/doc/man3/EVP_PKEY_todata.pod 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/doc/man3/EVP_PKEY_todata.pod 2023-08-01 15:47:24.000000000 +0200
@@ -23,7 +23,7 @@
L<OSSL_PARAM_free(3)> should be used to free the returned parameters in
I<*params>.
-EVP_PKEY_export() is similiar to EVP_PKEY_todata() but uses a callback
+EVP_PKEY_export() is similar to EVP_PKEY_todata() but uses a callback
I<export_cb> that gets passed the value of I<export_cbarg>.
See L<openssl-core.h(7)> for more information about the callback. Note that the
L<OSSL_PARAM(3)> array that is passed to the callback is not persistent after the
@@ -53,7 +53,7 @@
=head1 COPYRIGHT
-Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.9/doc/man3/OCSP_resp_find_status.pod openssl-3.0.10/doc/man3/OCSP_resp_find_status.pod
--- openssl-3.0.9/doc/man3/OCSP_resp_find_status.pod 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/doc/man3/OCSP_resp_find_status.pod 2023-08-01 15:47:24.000000000 +0200
@@ -131,7 +131,7 @@
If I<flags> contains B<OCSP_NOCHAIN> it ignores all certificates in I<certs>
and in I<bs>, else it takes them as untrusted intermediate CA certificates
and uses them for constructing the validation path for the signer certificate.
-Certicate revocation status checks using CRLs is disabled during path validation
+Certificate revocation status checks using CRLs is disabled during path validation
if the signer certificate contains the B<id-pkix-ocsp-no-check> extension.
After successful path
validation the function returns success if the B<OCSP_NOCHECKS> flag is set.
@@ -210,7 +210,7 @@
=head1 COPYRIGHT
-Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.9/doc/man3/OCSP_sendreq_new.pod openssl-3.0.10/doc/man3/OCSP_sendreq_new.pod
--- openssl-3.0.9/doc/man3/OCSP_sendreq_new.pod 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/doc/man3/OCSP_sendreq_new.pod 2023-08-01 15:47:24.000000000 +0200
@@ -40,7 +40,7 @@
using the HTTP request functions described in L<OSSL_HTTP_REQ_CTX(3)>.
The function OCSP_sendreq_new() builds a complete B<OSSL_HTTP_REQ_CTX> structure
-with the B<BIO> I<io> to be used for requests and reponse, the URL path I<path>,
+with the B<BIO> I<io> to be used for requests and response, the URL path I<path>,
optionally the OCSP request I<req>, and a response header maximum line length
of I<buf_size>. If I<buf_size> is zero a default value of 4KiB is used.
The I<req> may be set to NULL and provided later using OCSP_REQ_CTX_set1_req()
@@ -115,7 +115,7 @@
=head1 COPYRIGHT
-Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.9/doc/man3/OSSL_CMP_CTX_new.pod openssl-3.0.10/doc/man3/OSSL_CMP_CTX_new.pod
--- openssl-3.0.9/doc/man3/OSSL_CMP_CTX_new.pod 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/doc/man3/OSSL_CMP_CTX_new.pod 2023-08-01 15:47:24.000000000 +0200
@@ -627,7 +627,7 @@
OSSL_CMP_CTX_get_status() returns for client contexts the PKIstatus from
the last received CertRepMessage or Revocation Response or error message:
-=item B<OSSL_CMP_PKISTATUS_accepted> on sucessful receipt of a GENP message:
+=item B<OSSL_CMP_PKISTATUS_accepted> on successful receipt of a GENP message:
=over 4
diff -Nru openssl-3.0.9/doc/man3/OSSL_CMP_log_open.pod openssl-3.0.10/doc/man3/OSSL_CMP_log_open.pod
--- openssl-3.0.9/doc/man3/OSSL_CMP_log_open.pod 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/doc/man3/OSSL_CMP_log_open.pod 2023-08-01 15:47:24.000000000 +0200
@@ -89,7 +89,7 @@
OSSL_CMP_log_close() may be called when all activities are finished to flush
any pending CMP-specific log output and deallocate related resources.
-It may be called multiple times. It does get called at OpenSSL stutdown.
+It may be called multiple times. It does get called at OpenSSL shutdown.
OSSL_CMP_print_to_bio() prints the given component info, filename, line number,
severity level, and log message or error queue message to the given I<bio>.
@@ -114,7 +114,7 @@
=head1 COPYRIGHT
-Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.9/doc/man3/OSSL_DECODER_CTX_new_for_pkey.pod openssl-3.0.10/doc/man3/OSSL_DECODER_CTX_new_for_pkey.pod
--- openssl-3.0.9/doc/man3/OSSL_DECODER_CTX_new_for_pkey.pod 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/doc/man3/OSSL_DECODER_CTX_new_for_pkey.pod 2023-08-01 15:47:24.000000000 +0200
@@ -41,7 +41,7 @@
L<OSSL_DECODER_from_bio(3)>. The caller may use the optional I<input_type>,
I<input_struct>, I<keytype> and I<selection> to specify what the input is
expected to contain. The I<pkey> must reference an B<EVP_PKEY *> variable
-that will be set to the newly created B<EVP_PKEY> on succesfull decoding.
+that will be set to the newly created B<EVP_PKEY> on successful decoding.
The referenced variable must be initialized to NULL before calling the
function.
@@ -135,7 +135,7 @@
=head1 COPYRIGHT
-Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.9/doc/man3/OSSL_DECODER.pod openssl-3.0.10/doc/man3/OSSL_DECODER.pod
--- openssl-3.0.9/doc/man3/OSSL_DECODER.pod 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/doc/man3/OSSL_DECODER.pod 2023-08-01 15:47:24.000000000 +0200
@@ -116,7 +116,7 @@
algorithm definition is returned. Ownership of the returned string is retained
by the I<decoder> object and should not be freed by the caller.
-OSSL_DECODER_get0_description() returns a pointer to a decription, or NULL if
+OSSL_DECODER_get0_description() returns a pointer to a description, or NULL if
there isn't one.
OSSL_DECODER_names_do_all() returns 1 if the callback was called for all
@@ -180,7 +180,7 @@
=head1 COPYRIGHT
-Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.9/doc/man3/OSSL_ENCODER_CTX.pod openssl-3.0.10/doc/man3/OSSL_ENCODER_CTX.pod
--- openssl-3.0.9/doc/man3/OSSL_ENCODER_CTX.pod 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/doc/man3/OSSL_ENCODER_CTX.pod 2023-08-01 15:47:24.000000000 +0200
@@ -80,7 +80,7 @@
The final output type must be given, and a chain of encoders must end with
an implementation that produces that output type.
-At the beginning of the encoding process, a contructor provided by the
+At the beginning of the encoding process, a constructor provided by the
caller is called to ensure that there is an appropriate provider-side object
to start with.
The constructor is set with OSSL_ENCODER_CTX_set_construct().
@@ -148,7 +148,7 @@
The constructor is expected to return a valid (non-NULL) pointer to a
provider-native object that can be used as first input of an encoding chain,
-or NULL to indicate that an error has occured.
+or NULL to indicate that an error has occurred.
These utility functions may be used by a constructor:
@@ -211,7 +211,7 @@
=head1 COPYRIGHT
-Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.9/doc/man3/OSSL_ENCODER.pod openssl-3.0.10/doc/man3/OSSL_ENCODER.pod
--- openssl-3.0.9/doc/man3/OSSL_ENCODER.pod 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/doc/man3/OSSL_ENCODER.pod 2023-08-01 15:47:24.000000000 +0200
@@ -117,7 +117,7 @@
algorithm definition is returned. Ownership of the returned string is retained
by the I<encoder> object and should not be freed by the caller.
-OSSL_ENCODER_get0_description() returns a pointer to a decription, or NULL if
+OSSL_ENCODER_get0_description() returns a pointer to a description, or NULL if
there isn't one.
OSSL_ENCODER_names_do_all() returns 1 if the callback was called for all
@@ -134,7 +134,7 @@
=head1 COPYRIGHT
-Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.9/doc/man3/OSSL_ESS_check_signing_certs.pod openssl-3.0.10/doc/man3/OSSL_ESS_check_signing_certs.pod
--- openssl-3.0.9/doc/man3/OSSL_ESS_check_signing_certs.pod 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/doc/man3/OSSL_ESS_check_signing_certs.pod 2023-08-01 15:47:24.000000000 +0200
@@ -46,7 +46,7 @@
As far as these lists are present, they must be nonempty.
The certificate identified by their first entry must be the first element of
I<chain>, i.e. the signer certificate.
-Any further certficates referenced in the list must also be found in I<chain>.
+Any further certificates referenced in the list must also be found in I<chain>.
The matching is done using the given certificate hash algorithm and value.
In addition to the checks required by RFCs 2624 and 5035,
if the B<issuerSerial> field is included in an B<ESSCertID> or B<ESSCertIDv2>
@@ -78,7 +78,7 @@
=head1 COPYRIGHT
-Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.9/doc/man3/OSSL_HTTP_parse_url.pod openssl-3.0.10/doc/man3/OSSL_HTTP_parse_url.pod
--- openssl-3.0.9/doc/man3/OSSL_HTTP_parse_url.pod 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/doc/man3/OSSL_HTTP_parse_url.pod 2023-08-01 15:47:24.000000000 +0200
@@ -57,7 +57,7 @@
Each non-NULL result pointer argument I<pscheme>, I<puser>, I<phost>, I<pport>,
I<ppath>, I<pquery>, and I<pfrag>, is assigned the respective url component.
On success, they are guaranteed to contain non-NULL string pointers, else NULL.
-It is the reponsibility of the caller to free them using L<OPENSSL_free(3)>.
+It is the responsibility of the caller to free them using L<OPENSSL_free(3)>.
If I<pquery> is NULL, any given query component is handled as part of the path.
A string returned via I<*ppath> is guaranteed to begin with a C</> character.
For absent scheme, userinfo, port, query, and fragment components
@@ -97,7 +97,7 @@
=head1 COPYRIGHT
-Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.9/doc/man3/OSSL_HTTP_REQ_CTX.pod openssl-3.0.10/doc/man3/OSSL_HTTP_REQ_CTX.pod
--- openssl-3.0.9/doc/man3/OSSL_HTTP_REQ_CTX.pod 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/doc/man3/OSSL_HTTP_REQ_CTX.pod 2023-08-01 15:47:24.000000000 +0200
@@ -133,7 +133,7 @@
L<BIO_should_retry(3)>. In such a case it is advisable to sleep a little in
between, using L<BIO_wait(3)> on the read BIO to prevent a busy loop.
-OSSL_HTTP_REQ_CTX_nbio_d2i() is like OSSL_HTTP_REQ_CTX_nbio() but on successs
+OSSL_HTTP_REQ_CTX_nbio_d2i() is like OSSL_HTTP_REQ_CTX_nbio() but on success
in addition parses the response, which must be a DER-encoded ASN.1 structure,
using the ASN.1 template I<it> and places the result in I<*pval>.
@@ -256,7 +256,7 @@
=head1 COPYRIGHT
-Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.9/doc/man3/OSSL_PARAM_int.pod openssl-3.0.10/doc/man3/OSSL_PARAM_int.pod
--- openssl-3.0.9/doc/man3/OSSL_PARAM_int.pod 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/doc/man3/OSSL_PARAM_int.pod 2023-08-01 15:47:24.000000000 +0200
@@ -241,7 +241,7 @@
OSSL_PARAM_get_utf8_string() retrieves a UTF8 string from the parameter
pointed to by I<p>.
The string is stored into I<*val> with a size limit of I<max_len>,
-which must be large enough to accomodate a terminating NUL byte,
+which must be large enough to accommodate a terminating NUL byte,
otherwise this function will fail.
If I<*val> is NULL, memory is allocated for the string (including the
terminating NUL byte) and I<max_len> is ignored.
@@ -250,14 +250,14 @@
OSSL_PARAM_set_utf8_string() sets a UTF8 string from the parameter pointed to
by I<p> to the value referenced by I<val>.
If the parameter's I<data> field isn't NULL, its I<data_size> must indicate
-that the buffer is large enough to accomodate the string that I<val> points at,
+that the buffer is large enough to accommodate the string that I<val> points at,
not including the terminating NUL byte, or this function will fail.
A terminating NUL byte is added only if the parameter's I<data_size> indicates
the buffer is longer than the string length, otherwise the string will not be
NUL terminated.
If the parameter's I<data> field is NULL, then only its I<return_size> field
will be assigned the minimum size the parameter's I<data> buffer should have
-to accomodate the string, not including a terminating NUL byte.
+to accommodate the string, not including a terminating NUL byte.
OSSL_PARAM_get_octet_string() retrieves an OCTET string from the parameter
pointed to by I<p>.
diff -Nru openssl-3.0.9/doc/man3/OSSL_PARAM.pod openssl-3.0.10/doc/man3/OSSL_PARAM.pod
--- openssl-3.0.9/doc/man3/OSSL_PARAM.pod 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/doc/man3/OSSL_PARAM.pod 2023-08-01 15:47:24.000000000 +0200
@@ -108,7 +108,7 @@
parameters, the size should be set to the length of the string, not
counting the terminating NUL byte. When requesting parameters, the
size should be set to the size of the buffer to be populated, which
-should accomodate enough space for a terminating NUL byte.
+should accommodate enough space for a terminating NUL byte.
When I<requesting parameters>, it's acceptable for I<data> to be NULL.
This can be used by the I<requester> to figure out dynamically exactly
diff -Nru openssl-3.0.9/doc/man3/OSSL_PROVIDER.pod openssl-3.0.10/doc/man3/OSSL_PROVIDER.pod
--- openssl-3.0.9/doc/man3/OSSL_PROVIDER.pod 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/doc/man3/OSSL_PROVIDER.pod 2023-08-01 15:47:24.000000000 +0200
@@ -90,8 +90,8 @@
OSSL_PROVIDER_try_load() functions like OSSL_PROVIDER_load(), except that
it does not disable the fallback providers if the provider cannot be
-loaded and initialized or if I<retain_fallbacks> is zero.
-If the provider loads successfully and I<retain_fallbacks> is nonzero, the
+loaded and initialized or if I<retain_fallbacks> is nonzero.
+If the provider loads successfully and I<retain_fallbacks> is zero, the
fallback providers are disabled.
OSSL_PROVIDER_unload() unloads the given provider.
@@ -213,7 +213,7 @@
=head1 COPYRIGHT
-Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.9/doc/man3/OSSL_SELF_TEST_new.pod openssl-3.0.10/doc/man3/OSSL_SELF_TEST_new.pod
--- openssl-3.0.9/doc/man3/OSSL_SELF_TEST_new.pod 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/doc/man3/OSSL_SELF_TEST_new.pod 2023-08-01 15:47:24.000000000 +0200
@@ -22,7 +22,7 @@
=head1 DESCRIPTION
-These methods are intended for use by provider implementors, to display
+These methods are intended for use by provider implementers, to display
diagnostic information during self testing.
OSSL_SELF_TEST_new() allocates an opaque B<OSSL_SELF_TEST> object that has a
@@ -165,7 +165,7 @@
=head1 COPYRIGHT
-Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.9/doc/man3/OSSL_STORE_LOADER.pod openssl-3.0.10/doc/man3/OSSL_STORE_LOADER.pod
--- openssl-3.0.9/doc/man3/OSSL_STORE_LOADER.pod 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/doc/man3/OSSL_STORE_LOADER.pod 2023-08-01 15:47:24.000000000 +0200
@@ -327,7 +327,7 @@
OSSL_STORE_LOADER_is_a() returns 1 if I<loader> was identifiable,
otherwise 0.
-OSSL_STORE_LOADER_get0_description() returns a pointer to a decription, or NULL if
+OSSL_STORE_LOADER_get0_description() returns a pointer to a description, or NULL if
there isn't one.
The functions with the types B<OSSL_STORE_open_fn>,
@@ -380,7 +380,7 @@
=head1 COPYRIGHT
-Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.9/doc/man3/OSSL_trace_set_channel.pod openssl-3.0.10/doc/man3/OSSL_trace_set_channel.pod
--- openssl-3.0.9/doc/man3/OSSL_trace_set_channel.pod 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/doc/man3/OSSL_trace_set_channel.pod 2023-08-01 15:47:24.000000000 +0200
@@ -48,7 +48,7 @@
OSSL_trace_set_prefix() and OSSL_trace_set_suffix() can be used to add
an extra line for each channel, to be output before and after group of
tracing output.
-What constitues an output group is decided by the code that produces
+What constitutes an output group is decided by the code that produces
the output.
The lines given here are considered immutable; for more dynamic
tracing prefixes, consider setting a callback with
diff -Nru openssl-3.0.9/doc/man3/PKCS12_decrypt_skey.pod openssl-3.0.10/doc/man3/PKCS12_decrypt_skey.pod
--- openssl-3.0.9/doc/man3/PKCS12_decrypt_skey.pod 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/doc/man3/PKCS12_decrypt_skey.pod 2023-08-01 15:47:24.000000000 +0200
@@ -21,7 +21,7 @@
PKCS12_decrypt_skey() Decrypt the PKCS#8 shrouded keybag contained within I<bag>
using the supplied password I<pass> of length I<passlen>.
-PKCS12_decrypt_skey_ex() is similar to the above but allows for a library contex
+PKCS12_decrypt_skey_ex() is similar to the above but allows for a library context
I<ctx> and property query I<propq> to be used to select algorithm implementations.
=head1 RETURN VALUES
@@ -45,7 +45,7 @@
=head1 COPYRIGHT
-Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.9/doc/man3/PKCS12_gen_mac.pod openssl-3.0.10/doc/man3/PKCS12_gen_mac.pod
--- openssl-3.0.9/doc/man3/PKCS12_gen_mac.pod 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/doc/man3/PKCS12_gen_mac.pod 2023-08-01 15:47:24.000000000 +0200
@@ -21,7 +21,7 @@
=head1 DESCRIPTION
PKCS12_gen_mac() generates an HMAC over the entire PKCS#12 object using the
-supplied password along with a set of already configured paramters.
+supplied password along with a set of already configured parameters.
PKCS12_verify_mac() verifies the PKCS#12 object's HMAC using the supplied
password.
@@ -62,7 +62,7 @@
=head1 COPYRIGHT
-Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.9/doc/man3/RAND_bytes.pod openssl-3.0.10/doc/man3/RAND_bytes.pod
--- openssl-3.0.9/doc/man3/RAND_bytes.pod 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/doc/man3/RAND_bytes.pod 2023-08-01 15:47:24.000000000 +0200
@@ -37,7 +37,7 @@
RAND_bytes_ex() and RAND_priv_bytes_ex() are the same as RAND_bytes() and
RAND_priv_bytes() except that they both take additional I<strength> and
-I<ctx> parameters. The bytes genreated will have a security strength of at
+I<ctx> parameters. The bytes generated will have a security strength of at
least I<strength> bits.
The DRBG used for the operation is the public or private DRBG associated with
the specified I<ctx>. The parameter can be NULL, in which case
@@ -101,7 +101,7 @@
=head1 COPYRIGHT
-Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.9/doc/man3/RSA_get0_key.pod openssl-3.0.10/doc/man3/RSA_get0_key.pod
--- openssl-3.0.9/doc/man3/RSA_get0_key.pod 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/doc/man3/RSA_get0_key.pod 2023-08-01 15:47:24.000000000 +0200
@@ -54,7 +54,7 @@
All of the functions described on this page are deprecated.
Applications should instead use L<EVP_PKEY_get_bn_param(3)> for any methods that
-return a B<BIGNUM>. Refer to L<EVP_PKEY-DH(7)> for more infomation.
+return a B<BIGNUM>. Refer to L<EVP_PKEY-DH(7)> for more information.
An RSA object contains the components for the public and private key,
B<n>, B<e>, B<d>, B<p>, B<q>, B<dmp1>, B<dmq1> and B<iqmp>. B<n> is
@@ -184,7 +184,7 @@
=head1 COPYRIGHT
-Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.9/doc/man3/SSL_CTX_new.pod openssl-3.0.10/doc/man3/SSL_CTX_new.pod
--- openssl-3.0.9/doc/man3/SSL_CTX_new.pod 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/doc/man3/SSL_CTX_new.pod 2023-08-01 15:47:24.000000000 +0200
@@ -100,7 +100,7 @@
=head1 NOTES
-On session estabilishment, by default, no peer credentials verification is done.
+On session establishment, by default, no peer credentials verification is done.
This must be explicitly requested, typically using L<SSL_CTX_set_verify(3)>.
For verifying peer certificates many options can be set using various functions
such as L<SSL_CTX_load_verify_locations(3)> and L<SSL_CTX_set1_param(3)>.
@@ -249,7 +249,7 @@
=head1 COPYRIGHT
-Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.9/doc/man3/SSL_CTX_set_tmp_dh_callback.pod openssl-3.0.10/doc/man3/SSL_CTX_set_tmp_dh_callback.pod
--- openssl-3.0.9/doc/man3/SSL_CTX_set_tmp_dh_callback.pod 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/doc/man3/SSL_CTX_set_tmp_dh_callback.pod 2023-08-01 15:47:24.000000000 +0200
@@ -73,9 +73,9 @@
their own DH parameters should call SSL_CTX_set0_tmp_dh_pkey() or
SSL_set0_tmp_dh_pkey() to supply the parameters for the B<SSL_CTX> or B<SSL>
respectively. The parameters should be supplied in the I<dhpkey> argument as
-an B<EVP_PKEY> containg DH parameters. Ownership of the I<dhpkey> value is
+an B<EVP_PKEY> containing DH parameters. Ownership of the I<dhpkey> value is
passed to the B<SSL_CTX> or B<SSL> object as a result of this call, and so the
-caller should not free it if the function call is succesful.
+caller should not free it if the function call is successful.
The deprecated macros SSL_CTX_set_tmp_dh() and SSL_set_tmp_dh() do the same
thing as SSL_CTX_set0_tmp_dh_pkey() and SSL_set0_tmp_dh_pkey() except that the
@@ -112,7 +112,7 @@
=head1 COPYRIGHT
-Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.9/doc/man3/SSL_get_verify_result.pod openssl-3.0.10/doc/man3/SSL_get_verify_result.pod
--- openssl-3.0.9/doc/man3/SSL_get_verify_result.pod 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/doc/man3/SSL_get_verify_result.pod 2023-08-01 15:47:24.000000000 +0200
@@ -22,6 +22,13 @@
the last verification error that occurred during the processing is available
from SSL_get_verify_result().
+Sometimes there can be a sequence of errors leading to the verification
+failure as reported by SSL_get_verify_result().
+To get the errors, it is necessary to setup a verify callback via
+L<SSL_CTX_set_verify(3)> or L<SSL_set_verify(3)> and retrieve the errors
+from the error stack there, because once L<SSL_connect(3)> returns,
+these errors may no longer be available.
+
The verification result is part of the established session and is restored
when a session is reused.
@@ -56,7 +63,7 @@
=head1 COPYRIGHT
-Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.9/doc/man3/X509_add_cert.pod openssl-3.0.10/doc/man3/X509_add_cert.pod
--- openssl-3.0.9/doc/man3/X509_add_cert.pod 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/doc/man3/X509_add_cert.pod 2023-08-01 15:47:24.000000000 +0200
@@ -31,7 +31,7 @@
If B<X509_ADD_FLAG_UP_REF> is set then
the reference counts of those certificates added successfully are increased.
-If B<X509_ADD_FLAG_PREPEND> is set then the certifcates are prepended to I<sk>.
+If B<X509_ADD_FLAG_PREPEND> is set then the certificates are prepended to I<sk>.
By default they are appended to I<sk>.
In both cases the original order of the added certificates is preserved.
@@ -66,7 +66,7 @@
=head1 COPYRIGHT
-Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.9/doc/man3/X509_digest.pod openssl-3.0.10/doc/man3/X509_digest.pod
--- openssl-3.0.9/doc/man3/X509_digest.pod 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/doc/man3/X509_digest.pod 2023-08-01 15:47:24.000000000 +0200
@@ -44,9 +44,9 @@
using the same hash algorithm as in its signature, if the digest
is an integral part of the certificate signature algorithm identifier.
Otherwise, a fallback hash algorithm is determined as follows:
-SHA512 if the signature alorithm is ED25519,
+SHA512 if the signature algorithm is ED25519,
SHAKE256 if it is ED448, otherwise SHA256.
-The output parmeters are assigned as follows.
+The output parameters are assigned as follows.
Unless I<md_used> is NULL, the hash algorithm used is provided
in I<*md_used> and must be freed by the caller (if it is not NULL).
Unless I<md_is_fallback> is NULL,
@@ -81,7 +81,7 @@
=head1 COPYRIGHT
-Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.9/doc/man3/X509_dup.pod openssl-3.0.10/doc/man3/X509_dup.pod
--- openssl-3.0.9/doc/man3/X509_dup.pod 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/doc/man3/X509_dup.pod 2023-08-01 15:47:24.000000000 +0200
@@ -350,7 +350,7 @@
B<I<TYPE>_new>() allocates an empty object of the indicated type.
The object returned must be released by calling B<I<TYPE>_free>().
-B<I<TYPE>_new_ex>() is similiar to B<I<TYPE>_new>() but also passes the
+B<I<TYPE>_new_ex>() is similar to B<I<TYPE>_new>() but also passes the
library context I<libctx> and the property query I<propq> to use when retrieving
algorithms from providers. This created object can then be used when loading
binary data using B<d2i_I<TYPE>>().
@@ -383,7 +383,7 @@
=head1 COPYRIGHT
-Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.9/doc/man3/X509_STORE_CTX_new.pod openssl-3.0.10/doc/man3/X509_STORE_CTX_new.pod
--- openssl-3.0.9/doc/man3/X509_STORE_CTX_new.pod 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/doc/man3/X509_STORE_CTX_new.pod 2023-08-01 15:47:24.000000000 +0200
@@ -177,7 +177,7 @@
exists that can record extended key usage information to supplement the purpose
information described above. This extended mechanism is arbitrarily extensible
and not well suited for a generic library API; applications that need to
-validate extended key usage information in certifiates will need to define a
+validate extended key usage information in certificates will need to define a
custom "purpose" (see below) or supply a nondefault verification callback
(L<X509_STORE_set_verify_cb_func(3)>).
@@ -273,7 +273,7 @@
=head1 COPYRIGHT
-Copyright 2009-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2009-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.9/doc/man3/X509_VERIFY_PARAM_set_flags.pod openssl-3.0.10/doc/man3/X509_VERIFY_PARAM_set_flags.pod
--- openssl-3.0.9/doc/man3/X509_VERIFY_PARAM_set_flags.pod 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/doc/man3/X509_VERIFY_PARAM_set_flags.pod 2023-08-01 15:47:24.000000000 +0200
@@ -223,7 +223,7 @@
failure.
X509_VERIFY_PARAM_get0_host(), X509_VERIFY_PARAM_get0_email(), and
-X509_VERIFY_PARAM_get1_ip_asc(), return the string pointers pecified above
+X509_VERIFY_PARAM_get1_ip_asc(), return the string pointer specified above
or NULL if the respective value has not been set or on error.
X509_VERIFY_PARAM_get_flags() returns the current verification flags.
diff -Nru openssl-3.0.9/doc/man5/config.pod openssl-3.0.10/doc/man5/config.pod
--- openssl-3.0.9/doc/man5/config.pod 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/doc/man5/config.pod 2023-08-01 15:47:24.000000000 +0200
@@ -415,7 +415,7 @@
=head2 Random Configuration
The name B<random> in the initialization section names the section
-containing the random number generater settings.
+containing the random number generator settings.
Within the random section, the following names have meaning:
diff -Nru openssl-3.0.9/doc/man7/crypto.pod openssl-3.0.10/doc/man7/crypto.pod
--- openssl-3.0.9/doc/man7/crypto.pod 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/doc/man7/crypto.pod 2023-08-01 15:47:24.000000000 +0200
@@ -207,7 +207,7 @@
As a fallback, try to fetch the operation type implementation from the same
provider as the original L<EVP_PKEY(3)>'s L<EVP_KEYMGMT(3)>, still using the
-propery string from the B<EVP_PKEY_CTX>.
+property string from the B<EVP_PKEY_CTX>.
=back
diff -Nru openssl-3.0.9/doc/man7/EVP_PKEY-EC.pod openssl-3.0.10/doc/man7/EVP_PKEY-EC.pod
--- openssl-3.0.9/doc/man7/EVP_PKEY-EC.pod 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/doc/man7/EVP_PKEY-EC.pod 2023-08-01 15:47:24.000000000 +0200
@@ -15,7 +15,7 @@
The normal way of specifying domain parameters for an EC curve is via the
curve name "group". For curves with no curve name, explicit parameters can be
used that specify "field-type", "p", "a", "b", "generator" and "order".
-Explicit parameters are supported for backwards compability reasons, but they
+Explicit parameters are supported for backwards compatibility reasons, but they
are not compliant with multiple standards (including RFC5915) which only allow
named curves.
@@ -70,7 +70,7 @@
=item "decoded-from-explicit" (B<OSSL_PKEY_PARAM_EC_DECODED_FROM_EXPLICIT_PARAMS>) <integer>
-Gets a flag indicating wether the key or parameters were decoded from explicit
+Gets a flag indicating whether the key or parameters were decoded from explicit
curve parameters. Set to 1 if so or 0 if a named curve was used.
=item "use-cofactor-flag" (B<OSSL_PKEY_PARAM_USE_COFACTOR_ECDH>) <integer>
@@ -99,7 +99,7 @@
Sets or Gets the type of group check done when EVP_PKEY_param_check() is called.
Valid values are "default", "named" and "named-nist".
The "named" type checks that the domain parameters match the inbuilt curve parameters,
-"named-nist" is similiar but also checks that the named curve is a nist curve.
+"named-nist" is similar but also checks that the named curve is a nist curve.
The "default" type does domain parameter validation for the OpenSSL default provider,
but is equivalent to "named-nist" for the OpenSSL FIPS provider.
diff -Nru openssl-3.0.9/doc/man7/EVP_PKEY-RSA.pod openssl-3.0.10/doc/man7/EVP_PKEY-RSA.pod
--- openssl-3.0.9/doc/man7/EVP_PKEY-RSA.pod 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/doc/man7/EVP_PKEY-RSA.pod 2023-08-01 15:47:24.000000000 +0200
@@ -189,7 +189,7 @@
For RSA keys, L<EVP_PKEY_public_check(3)> conforms to the SP800-56Br1 I<public key
check> when the OpenSSL FIPS provider is used. The OpenSSL default provider
-performs similiar tests but relaxes the keysize restrictions for backwards
+performs similar tests but relaxes the keysize restrictions for backwards
compatibility.
For RSA keys, L<EVP_PKEY_public_check_quick(3)> is the same as
diff -Nru openssl-3.0.9/doc/man7/fips_module.pod openssl-3.0.10/doc/man7/fips_module.pod
--- openssl-3.0.9/doc/man7/fips_module.pod 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/doc/man7/fips_module.pod 2023-08-01 15:47:24.000000000 +0200
@@ -14,6 +14,9 @@
with the FIPS module. Which is the correct approach to use will depend on your
own specific circumstances and what you are attempting to achieve.
+For information related to installing the FIPS module see
+L<https://github.com/openssl/openssl/blob/master/README-FIPS.md>.
+
Note that the old functions FIPS_mode() and FIPS_mode_set() are no longer
present so you must remove them from your application if you use them.
@@ -92,7 +95,7 @@
FIPS module config file that you installed earlier.
See L<https://github.com/openssl/openssl/blob/master/README-FIPS.md>.
-For FIPS usage, it is recommened that the B<config_diagnostics> option is
+For FIPS usage, it is recommended that the B<config_diagnostics> option is
enabled to prevent accidental use of non-FIPS validated algorithms via broken
or mistaken configuration. See L<config(5)>.
@@ -456,9 +459,23 @@
To extract the name from the B<OSSL_PROVIDER>, use
L<OSSL_PROVIDER_get0_name(3)>.
+=head1 NOTES
+
+Some released versions of OpenSSL do not include a validated
+FIPS provider. To determine which versions have undergone
+the validation process, please refer to the
+L<OpenSSL Downloads page|https://www.openssl.org/source/>. If you
+require FIPS-approved functionality, it is essential to build your FIPS
+provider using one of the validated versions listed there. Normally,
+it is possible to utilize a FIPS provider constructed from one of the
+validated versions alongside F<libcrypto> and F<libssl> compiled from any
+release within the same major release series. This flexibility enables
+you to address bug fixes and CVEs that fall outside the FIPS boundary.
+
=head1 SEE ALSO
-L<migration_guide(7)>, L<crypto(7)>, L<fips_config(5)>
+L<migration_guide(7)>, L<crypto(7)>, L<fips_config(5)>,
+L<https://www.openssl.org/source/>
=head1 HISTORY
@@ -467,7 +484,7 @@
=head1 COPYRIGHT
-Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.9/doc/man7/life_cycle-pkey.pod openssl-3.0.10/doc/man7/life_cycle-pkey.pod
--- openssl-3.0.9/doc/man7/life_cycle-pkey.pod 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/doc/man7/life_cycle-pkey.pod 2023-08-01 15:47:24.000000000 +0200
@@ -22,7 +22,7 @@
=item decapsulate
This state represents the PKEY when it is ready to perform a private key decapsulation
-opeartion.
+operation.
=item decrypt
@@ -40,7 +40,7 @@
=item encapsulate
This state represents the PKEY when it is ready to perform a public key encapsulation
-opeartion.
+operation.
=item encrypt
@@ -703,7 +703,7 @@
=head1 COPYRIGHT
-Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.9/doc/man7/migration_guide.pod openssl-3.0.10/doc/man7/migration_guide.pod
--- openssl-3.0.9/doc/man7/migration_guide.pod 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/doc/man7/migration_guide.pod 2023-08-01 15:47:24.000000000 +0200
@@ -130,7 +130,7 @@
Engine-backed keys can be loaded via custom B<OSSL_STORE> implementation.
In this case the B<EVP_PKEY> objects created via L<ENGINE_load_private_key(3)>
-will be concidered legacy and will continue to work.
+will be considered legacy and will continue to work.
To ensure the future compatibility, the engines should be turned to providers.
To prefer the provider-based hardware offload, you can specify the default
@@ -641,7 +641,7 @@
L<X509_CRL_new_ex(3)>, L<X509_REQ_new_ex(3)> and L<X509_PUBKEY_new_ex(3)> if a
library context is required.
-All functions listed below with a I<NAME> have a replacment function I<NAME_ex>
+All functions listed below with a I<NAME> have a replacement function I<NAME_ex>
that takes B<OSSL_LIB_CTX> as an additional argument. Functions that have other
mappings are listed along with the respective name.
@@ -999,7 +999,7 @@
Any accessor that uses an ENGINE is deprecated (such as EVP_PKEY_set1_engine()).
Applications using engines should instead use providers.
-Before providers were added algorithms were overriden by changing the methods
+Before providers were added algorithms were overridden by changing the methods
used by algorithms. All these methods such as RSA_new_method() and RSA_meth_new()
are now deprecated and can be replaced by using providers instead.
@@ -1548,7 +1548,7 @@
EC_KEY_set_flags(), EC_KEY_get_flags(), EC_KEY_clear_flags()
-See L<EVP_PKEY-EC(7)/Common EC parameters> which handles flags as seperate
+See L<EVP_PKEY-EC(7)/Common EC parameters> which handles flags as separate
parameters for B<OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT>,
B<OSSL_PKEY_PARAM_EC_GROUP_CHECK_TYPE>, B<OSSL_PKEY_PARAM_EC_ENCODING>,
B<OSSL_PKEY_PARAM_USE_COFACTOR_ECDH> and
diff -Nru openssl-3.0.9/doc/man7/openssl-glossary.pod openssl-3.0.10/doc/man7/openssl-glossary.pod
--- openssl-3.0.9/doc/man7/openssl-glossary.pod 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/doc/man7/openssl-glossary.pod 2023-08-01 15:47:24.000000000 +0200
@@ -12,7 +12,7 @@
=item Algorithm
-Cryptograpic primitives such as the SHA256 digest, or AES encryption are
+Cryptographic primitives such as the SHA256 digest, or AES encryption are
referred to in OpenSSL as "algorithms". There can be more than one
implementation for any given algorithm available for use.
@@ -45,7 +45,7 @@
=item Default Provider
-An OpenSSL Provider that contains the most commmon OpenSSL algorithm
+An OpenSSL Provider that contains the most common OpenSSL algorithm
implementations. It is loaded by default if no other provider is available. All
the algorithm implementations in the Base Provider are also available in the
Default Provider.
@@ -81,7 +81,7 @@
implementations, applying selection criteria (via a property query string), and
finally choosing the implementation that will be used.
-Also see Explicit Fetching and Implict Fetching.
+Also see Explicit Fetching and Implicit Fetching.
L<crypto(7)>
@@ -221,7 +221,7 @@
=head1 COPYRIGHT
-Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.9/doc/man7/OSSL_PROVIDER-FIPS.pod openssl-3.0.10/doc/man7/OSSL_PROVIDER-FIPS.pod
--- openssl-3.0.9/doc/man7/OSSL_PROVIDER-FIPS.pod 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/doc/man7/OSSL_PROVIDER-FIPS.pod 2023-08-01 15:47:24.000000000 +0200
@@ -408,6 +408,19 @@
return ret;
}
+=head1 NOTES
+
+Some released versions of OpenSSL do not include a validated
+FIPS provider. To determine which versions have undergone
+the validation process, please refer to the
+L<OpenSSL Downloads page|https://www.openssl.org/source/>. If you
+require FIPS-approved functionality, it is essential to build your FIPS
+provider using one of the validated versions listed there. Normally,
+it is possible to utilize a FIPS provider constructed from one of the
+validated versions alongside F<libcrypto> and F<libssl> compiled from any
+release within the same major release series. This flexibility enables
+you to address bug fixes and CVEs that fall outside the FIPS boundary.
+
=head1 SEE ALSO
L<openssl-fipsinstall(1)>,
@@ -417,7 +430,8 @@
L<OSSL_PARAM(3)>,
L<openssl-core.h(7)>,
L<openssl-core_dispatch.h(7)>,
-L<provider(7)>
+L<provider(7)>,
+L<https://www.openssl.org/source/>
=head1 HISTORY
diff -Nru openssl-3.0.9/doc/man7/provider-kdf.pod openssl-3.0.10/doc/man7/provider-kdf.pod
--- openssl-3.0.9/doc/man7/provider-kdf.pod 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/doc/man7/provider-kdf.pod 2023-08-01 15:47:24.000000000 +0200
@@ -198,7 +198,7 @@
=item "pkcs5" (B<OSSL_KDF_PARAM_PKCS5>) <integer>
-Enables or diables the SP800-132 compliance checks.
+Enables or disables the SP800-132 compliance checks.
A mode of 0 enables the compliance checks.
The checks performed are:
@@ -349,7 +349,7 @@
=head1 COPYRIGHT
-Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.9/doc/man7/provider-object.pod openssl-3.0.10/doc/man7/provider-object.pod
--- openssl-3.0.9/doc/man7/provider-object.pod 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/doc/man7/provider-object.pod 2023-08-01 15:47:24.000000000 +0200
@@ -164,7 +164,7 @@
=back
-When a provider-native object abtraction is used, it I<must> contain object
+When a provider-native object abstraction is used, it I<must> contain object
data in at least one form (object data I<passed by value>, i.e. the "data"
item, or object data I<passed by reference>, i.e. the "reference" item).
Both may be present at once, in which case the OpenSSL library code that
@@ -184,7 +184,7 @@
=head1 COPYRIGHT
-Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.9/engines/e_loader_attic.c openssl-3.0.10/engines/e_loader_attic.c
--- openssl-3.0.9/engines/e_loader_attic.c 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/engines/e_loader_attic.c 2023-08-01 15:47:24.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -1486,9 +1486,9 @@
* Last, check that the rest of the extension is a decimal number, at
* least one digit long.
*/
- if (!isdigit(*p))
+ if (!isdigit((unsigned char)*p))
return 0;
- while (isdigit(*p))
+ while (isdigit((unsigned char)*p))
p++;
#ifdef __VMS
diff -Nru openssl-3.0.9/include/crypto/x509err.h openssl-3.0.10/include/crypto/x509err.h
--- openssl-3.0.9/include/crypto/x509err.h 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/include/crypto/x509err.h 2023-08-01 15:47:24.000000000 +0200
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.9/include/openssl/dh.h openssl-3.0.10/include/openssl/dh.h
--- openssl-3.0.9/include/openssl/dh.h 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/include/openssl/dh.h 2023-08-01 15:47:24.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -89,7 +89,11 @@
# include <openssl/dherr.h>
# ifndef OPENSSL_DH_MAX_MODULUS_BITS
-# define OPENSSL_DH_MAX_MODULUS_BITS 10000
+# define OPENSSL_DH_MAX_MODULUS_BITS 10000
+# endif
+
+# ifndef OPENSSL_DH_CHECK_MAX_MODULUS_BITS
+# define OPENSSL_DH_CHECK_MAX_MODULUS_BITS 32768
# endif
# define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024
diff -Nru openssl-3.0.9/include/openssl/x509err.h openssl-3.0.10/include/openssl/x509err.h
--- openssl-3.0.9/include/openssl/x509err.h 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/include/openssl/x509err.h 2023-08-01 15:47:24.000000000 +0200
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -30,6 +30,7 @@
# define X509_R_CERT_ALREADY_IN_HASH_TABLE 101
# define X509_R_CRL_ALREADY_DELTA 127
# define X509_R_CRL_VERIFY_FAILURE 131
+# define X509_R_DUPLICATE_ATTRIBUTE 140
# define X509_R_ERROR_GETTING_MD_BY_NID 141
# define X509_R_ERROR_USING_SIGINF_SET 142
# define X509_R_IDP_MISMATCH 128
diff -Nru openssl-3.0.9/INSTALL.md openssl-3.0.10/INSTALL.md
--- openssl-3.0.9/INSTALL.md 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/INSTALL.md 2023-08-01 15:47:24.000000000 +0200
@@ -796,14 +796,22 @@
This is so that libcrypto and libssl can be properly cleaned up automatically
via an `atexit()` handler. The handler is registered by libcrypto and cleans
up both libraries. On some platforms the `atexit()` handler will run on unload of
-libcrypto (if it has been dynamically loaded) rather than at process exit. This
-option can be used to stop OpenSSL from attempting to stay in memory until the
+libcrypto (if it has been dynamically loaded) rather than at process exit.
+
+This option can be used to stop OpenSSL from attempting to stay in memory until the
process exits. This could lead to crashes if either libcrypto or libssl have
already been unloaded at the point that the atexit handler is invoked, e.g. on a
platform which calls `atexit()` on unload of the library, and libssl is unloaded
-before libcrypto then a crash is likely to happen. Applications can suppress
-running of the `atexit()` handler at run time by using the
-`OPENSSL_INIT_NO_ATEXIT` option to `OPENSSL_init_crypto()`.
+before libcrypto then a crash is likely to happen.
+
+Note that shared library pinning is not automatically disabled for static builds,
+i.e., `no-shared` does not imply `no-pinshared`. This may come as a surprise when
+linking libcrypto statically into a shared third-party library, because in this
+case the shared library will be pinned. To prevent this behaviour, you need to
+configure the static build using `no-shared` and `no-pinshared` together.
+
+Applications can suppress running of the `atexit()` handler at run time by
+using the `OPENSSL_INIT_NO_ATEXIT` option to `OPENSSL_init_crypto()`.
See the man page for it for further details.
### no-posix-io
diff -Nru openssl-3.0.9/NEWS.md openssl-3.0.10/NEWS.md
--- openssl-3.0.9/NEWS.md 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/NEWS.md 2023-08-01 15:47:24.000000000 +0200
@@ -18,6 +18,12 @@
OpenSSL 3.0
-----------
+### Major changes between OpenSSL 3.0.9 and OpenSSL 3.0.10 [1 Aug 2023]
+
+ * Fix excessive time spent checking DH q parameter value ([CVE-2023-3817])
+ * Fix DH_check() excessive time with over sized modulus ([CVE-2023-3446])
+ * Do not ignore empty associated data entries with AES-SIV ([CVE-2023-2975])
+
### Major changes between OpenSSL 3.0.8 and OpenSSL 3.0.9 [30 May 2023]
* Mitigate for very slow `OBJ_obj2txt()` performance with gigantic OBJECT
@@ -1442,6 +1448,9 @@
<!-- Links -->
+[CVE-2023-3817]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3817
+[CVE-2023-3446]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3446
+[CVE-2023-2975]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2975
[CVE-2023-2650]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2650
[CVE-2023-1255]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-1255
[CVE-2023-0466]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0466
diff -Nru openssl-3.0.9/providers/common/securitycheck.c openssl-3.0.10/providers/common/securitycheck.c
--- openssl-3.0.9/providers/common/securitycheck.c 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/providers/common/securitycheck.c 2023-08-01 15:47:24.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -167,17 +167,25 @@
/*
* For Digital signature verification DSA keys with < 112 bits of
- * security strength (i.e L < 2048 bits), are still allowed for legacy
- * use. The bounds given in SP800 131Ar2 - Table 2 are
- * (512 <= L < 2048 and 160 <= N < 224)
+ * security strength, are still allowed for legacy
+ * use. The bounds given in SP 800-131Ar2 - Table 2 are
+ * (512 <= L < 2048 or 160 <= N < 224).
+ *
+ * We are a little stricter and insist that both minimums are met.
+ * For example a L = 256, N = 160 key *would* be allowed by SP 800-131Ar2
+ * but we don't.
*/
- if (!sign && L < 2048)
- return (L >= 512 && N >= 160 && N < 224);
+ if (!sign) {
+ if (L < 512 || N < 160)
+ return 0;
+ if (L < 2048 || N < 224)
+ return 1;
+ }
/* Valid sizes for both sign and verify */
- if (L == 2048 && (N == 224 || N == 256))
+ if (L == 2048 && (N == 224 || N == 256)) /* 112 bits */
return 1;
- return (L == 3072 && N == 256);
+ return (L == 3072 && N == 256); /* 128 bits */
}
# endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
return 1;
diff -Nru openssl-3.0.9/providers/fips/self_test.c openssl-3.0.10/providers/fips/self_test.c
--- openssl-3.0.9/providers/fips/self_test.c 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/providers/fips/self_test.c 2023-08-01 15:47:24.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -16,6 +16,7 @@
#include <openssl/err.h>
#include <openssl/proverr.h>
#include "e_os.h"
+#include "internal/tsan_assist.h"
#include "prov/providercommon.h"
/*
@@ -47,7 +48,6 @@
static int FIPS_conditional_error_check = 1;
static CRYPTO_RWLOCK *self_test_lock = NULL;
-static CRYPTO_RWLOCK *fips_state_lock = NULL;
static unsigned char fixed_key[32] = { FIPS_KEY_ELEMENTS };
static CRYPTO_ONCE fips_self_test_init = CRYPTO_ONCE_STATIC_INIT;
@@ -59,7 +59,6 @@
* platform then we just leak it deliberately.
*/
self_test_lock = CRYPTO_THREAD_lock_new();
- fips_state_lock = CRYPTO_THREAD_lock_new();
return self_test_lock != NULL;
}
@@ -155,12 +154,12 @@
# define DEP_INITIAL_STATE FIPS_STATE_SELFTEST
#endif
-static int FIPS_state = DEP_INITIAL_STATE;
+static TSAN_QUALIFIER int FIPS_state = DEP_INITIAL_STATE;
#if defined(DEP_INIT_ATTRIBUTE)
DEP_INIT_ATTRIBUTE void init(void)
{
- FIPS_state = FIPS_STATE_SELFTEST;
+ tsan_store(&FIPS_state, FIPS_STATE_SELFTEST);
}
#endif
@@ -168,7 +167,6 @@
DEP_FINI_ATTRIBUTE void cleanup(void)
{
CRYPTO_THREAD_lock_free(self_test_lock);
- CRYPTO_THREAD_lock_free(fips_state_lock);
}
#endif
@@ -229,10 +227,7 @@
static void set_fips_state(int state)
{
- if (ossl_assert(CRYPTO_THREAD_write_lock(fips_state_lock) != 0)) {
- FIPS_state = state;
- CRYPTO_THREAD_unlock(fips_state_lock);
- }
+ tsan_store(&FIPS_state, state);
}
/* This API is triggered either on loading of the FIPS module or on demand */
@@ -250,10 +245,7 @@
if (!RUN_ONCE(&fips_self_test_init, do_fips_self_test_init))
return 0;
- if (!CRYPTO_THREAD_read_lock(fips_state_lock))
- return 0;
- loclstate = FIPS_state;
- CRYPTO_THREAD_unlock(fips_state_lock);
+ loclstate = tsan_load(&FIPS_state);
if (loclstate == FIPS_STATE_RUNNING) {
if (!on_demand_test)
@@ -265,24 +257,17 @@
if (!CRYPTO_THREAD_write_lock(self_test_lock))
return 0;
- if (!CRYPTO_THREAD_read_lock(fips_state_lock)) {
- CRYPTO_THREAD_unlock(self_test_lock);
- return 0;
- }
- if (FIPS_state == FIPS_STATE_RUNNING) {
- CRYPTO_THREAD_unlock(fips_state_lock);
+ loclstate = tsan_load(&FIPS_state);
+ if (loclstate == FIPS_STATE_RUNNING) {
if (!on_demand_test) {
CRYPTO_THREAD_unlock(self_test_lock);
return 1;
}
set_fips_state(FIPS_STATE_SELFTEST);
- } else if (FIPS_state != FIPS_STATE_SELFTEST) {
- CRYPTO_THREAD_unlock(fips_state_lock);
+ } else if (loclstate != FIPS_STATE_SELFTEST) {
CRYPTO_THREAD_unlock(self_test_lock);
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_STATE);
return 0;
- } else {
- CRYPTO_THREAD_unlock(fips_state_lock);
}
if (st == NULL
@@ -393,20 +378,13 @@
int ossl_prov_is_running(void)
{
- int res;
- static unsigned int rate_limit = 0;
+ int res, loclstate;
+ static TSAN_QUALIFIER unsigned int rate_limit = 0;
- if (!CRYPTO_THREAD_read_lock(fips_state_lock))
- return 0;
- res = FIPS_state == FIPS_STATE_RUNNING
- || FIPS_state == FIPS_STATE_SELFTEST;
- if (FIPS_state == FIPS_STATE_ERROR) {
- CRYPTO_THREAD_unlock(fips_state_lock);
- if (!CRYPTO_THREAD_write_lock(fips_state_lock))
- return 0;
- if (rate_limit++ < FIPS_ERROR_REPORTING_RATE_LIMIT)
+ loclstate = tsan_load(&FIPS_state);
+ res = loclstate == FIPS_STATE_RUNNING || loclstate == FIPS_STATE_SELFTEST;
+ if (loclstate == FIPS_STATE_ERROR)
+ if (tsan_counter(&rate_limit) < FIPS_ERROR_REPORTING_RATE_LIMIT)
ERR_raise(ERR_LIB_PROV, PROV_R_FIPS_MODULE_IN_ERROR_STATE);
- }
- CRYPTO_THREAD_unlock(fips_state_lock);
return res;
}
diff -Nru openssl-3.0.9/providers/fips.checksum openssl-3.0.10/providers/fips.checksum
--- openssl-3.0.9/providers/fips.checksum 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/providers/fips.checksum 2023-08-01 15:47:24.000000000 +0200
@@ -1 +1 @@
-d4b8aaf04173ffd7bdd7d64e823002a988146d85c193a4bb8217dc8225583169 providers/fips-sources.checksums
+f07990ec634ec6ea3c8c42a664768debcf92a1b0c39bde7041c24df33dd7f052 providers/fips-sources.checksums
diff -Nru openssl-3.0.9/providers/fips-sources.checksums openssl-3.0.10/providers/fips-sources.checksums
--- openssl-3.0.9/providers/fips-sources.checksums 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/providers/fips-sources.checksums 2023-08-01 15:47:24.000000000 +0200
@@ -93,7 +93,7 @@
c6760a724d696b7209f0a71f8483fabcf4f081f7e93e2628284c32ef78f69365 crypto/bn/bn_prime.c
c56ad3073108a0de21c5820a48beae2bccdbf5aa8075ec21738878222eb9adc3 crypto/bn/bn_prime.h
628419eabdb88b265823e43a7a1c88fdfecef79771180836f6089050dc9eadb1 crypto/bn/bn_rand.c
-1f6e13da1d9965b341f81bc0842a987a7db9b7de0fa7f7040d49be01b92d282b crypto/bn/bn_recp.c
+4df8f204c8a06de2b4395be613ca0b9943613c523586e2005876d5c7bb891c75 crypto/bn/bn_recp.c
a5c5c9f99961a5a7f22a3dcdce964c8a330f822be17f08652223a20fed747d0a crypto/bn/bn_rsa_fips186_4.c
704b0b4723e5c9e9bae5f3e35f9ae8ae8dca3383929e954de9e5169845abfdb2 crypto/bn/bn_shift.c
622e90766b29e0d25f46474429aebda8eba2246835b9e85dc26da7cdbd49334f crypto/bn/bn_sqr.c
@@ -109,7 +109,7 @@
ff9be205d6d7ff00b0e64508f0eb8d9ec0415fbabc0948d26e308212b3f7b2d8 crypto/context.c
c309d81ea991ddf5be4337afad2fd132169f7443c76f863349d3f3c82f3374e4 crypto/core_algorithm.c
f0fd9eb38bf7f196bbb4d26ce8fdf86d0a4f9db219157e66b2c0ffefb4f42005 crypto/core_fetch.c
-02670d631bf0f34cca1e3477079d7fe5de4e03c391cf3992986f44f55319597c crypto/core_namemap.c
+799c84d224639c6760c5c28e0e287500a973ca6d0c3d7c1bdcd61b0da4018b3c crypto/core_namemap.c
469e2f53b5f76cd487a60d3d4c44c8fc3a6c4d08405597ba664661ba485508d3 crypto/cpuid.c
71f0fff881eb4c5505fb17662f0ea4bbff24c6858c045a013ad8f786b07da5c4 crypto/cryptlib.c
66dbfc58916709d5a6913777346083247942a8d9458ee9b2bf443f0ea4988d64 crypto/ctype.c
@@ -253,7 +253,7 @@
8ddbbdf43131c10dcd4428aef0eff2b1e98b0410accada0fad41a4925868beef crypto/packet.c
a20bfd927d69737c86ca95d3cf636afa8cefd8fe23412d1a3897644a0da21211 crypto/param_build.c
c2fe815fb3fd5efe9a6544cae55f9469063a0f6fb728361737b927f6182ae0bb crypto/param_build_set.c
-06e67fdd2a308bf355c8dae2e0acd9af94f6e53d428a7d31966311eb5c0aebc1 crypto/params.c
+0e4a5388a92fabbe5a540176c0b4c5ce258b78dc9168ecc2e805352a06aaf0ba crypto/params.c
4fda13f6af05d80b0ab89ec4f5813c274a21a9b4565be958a02d006236cef05c crypto/params_dup.c
a0097ff2da8955fe15ba204cb54f3fd48a06f846e2b9826f507b26acf65715c3 crypto/params_from_text.c
97cb7414dc2f165d5849ee3b46cdfff0afb067729435d9c01a747e0ca41e230c crypto/ppccap.c
@@ -292,9 +292,9 @@
5fa59240ca885cbc0c1cd026934b226d44fc9c3fdf0c2e7e3a7bd7f4963ca2e5 crypto/self_test_core.c
05c533fde7fdba0c76103e97d881b7224c8427451b453e2f6413552996063e31 crypto/sha/asm/keccak1600-armv4.pl
ca3b2b654f9a8c4bc2fa2538c1f19d17acd4a6b9e0df6a4b81df04efa697e67e crypto/sha/asm/keccak1600-armv8.pl
-ef575a7fb4956cc3be4ef10a6aeaa10702eadfc92c86167880690320ce942b26 crypto/sha/asm/keccak1600-avx2.pl
-f1dcf75789dfb0c5d7cd35988cb8046f60097bbaf1fbdab32a9269fa5492214c crypto/sha/asm/keccak1600-avx512.pl
-63e547b100562d1142512d5b54e16efc276ecb6c743c27873dbcdd7cb917c828 crypto/sha/asm/keccak1600-avx512vl.pl
+12b7acce2fba0bc0e1ca07842ec84be6a022f141c86e077abb42c864af1d8d9c crypto/sha/asm/keccak1600-avx2.pl
+faf0cccb685d5abc807e08db194f847c67b940da2fc3c235c210dc31d73a5334 crypto/sha/asm/keccak1600-avx512.pl
+be1e7dd9998e3f31cfa6e1b17bc198aeec584a8b76820e38f71d51b05f8a9f2a crypto/sha/asm/keccak1600-avx512vl.pl
33bdcc6f7668460c3bdf779633e43bfad62b937042a73acb007b462fc5b0a034 crypto/sha/asm/keccak1600-c64x.pl
09fc831dd39bd90a701e9b16d9e9987cc215252a22e1e0355f5da6c495fca35a crypto/sha/asm/keccak1600-mmx.pl
ce4a58129e5ee3ac4c9dfec5ecc010440570ebf7bf869e3e9977f2121a64b27a crypto/sha/asm/keccak1600-ppc64.pl
@@ -419,7 +419,7 @@
1d1697bd3e35920ff9eaec23c29472d727a7fc4d108150957f41f6f5ecf80f1a include/openssl/cryptoerr.h
bbc82260cbcadd406091f39b9e3b5ea63146d9a4822623ead16fa12c43ab9fc6 include/openssl/cryptoerr_legacy.h
fa3e6b6c2e6222424b9cd7005e3c5499a2334c831cd5d6a29256ce945be8cb1d include/openssl/des.h
-3a57eceec58ab781d79cb0458c2251a233f45ba0ef8f414d148c55ac2dff1bc8 include/openssl/dh.h
+75fba45d6fc66e3aaef216959327157613f08070935aae4a5260e740184f031f include/openssl/dh.h
836130f5a32bbdce51b97b34758ed1b03a9d06065c187418eaf323dca6adfc6d include/openssl/dherr.h
92ae2c907fd56859e3ae28a085071611be5c9245879305cdf8bad027219e64b6 include/openssl/dsa.h
276d1f6e111ba933bc708e6a0670047cbe0d0b67aabe31807abbbc231de4d8cf include/openssl/dsaerr.h
@@ -492,11 +492,11 @@
a8b73b10ab0100942dd2bc45f2fc9c9238b70bec0e49708ba113bc7479c8b92a providers/common/provider_err.c
9eae3e2cac89c7b63d091fdca1b6d80c5c5d52aa79c8ba4ce0158c5437ad62f3 providers/common/provider_seeding.c
eec462d685dd3b4764b076a3c18ecd9dd254350a0b78ddc2f8a60587829e1ce3 providers/common/provider_util.c
-ba345b0d71f74c9e3d752579e16d11cc70b4b00faa329cc674bc43dd2620e044 providers/common/securitycheck.c
+5b94312727ca33e4f5c038f4caaae8417bf584cfde22df83d91f3c55c30c81ee providers/common/securitycheck.c
527eda471e26763a5fcf123b2d290234d5c836de7b8ef6eef2166ef439919d82 providers/common/securitycheck_fips.c
abd5997bc33b681a4ab275978b92aebca0806a4a3f0c2f41dacf11b3b6f4e101 providers/fips/fips_entry.c
0f761a26c8fa6ad8d5a15c817afe1741352b21769b2164a2eb7dd50e1f6fe04f providers/fips/fipsprov.c
-52b48aece6aa3592593c94b53326410c75efb95ac480697ce414679446b49943 providers/fips/self_test.c
+5d24ba30f9cc7ca48546fb85dc285bd68590f3a604a0bd471bcb0c2a61169591 providers/fips/self_test.c
f822a03138e8b83ccaa910b89d72f31691da6778bf6638181f993ec7ae1167e3 providers/fips/self_test.h
d3c95c9c6cc4e3b1a5e4b2bfb2ae735a4109d763bcda7b1e9b8f9eb253f79820 providers/fips/self_test_data.inc
629f619ad055723e42624230c08430a3ef53e17ab405dc0fd35499e9ca4e389c providers/fips/self_test_kats.c
diff -Nru openssl-3.0.9/providers/implementations/ciphers/cipher_aes_siv.c openssl-3.0.10/providers/implementations/ciphers/cipher_aes_siv.c
--- openssl-3.0.9/providers/implementations/ciphers/cipher_aes_siv.c 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/providers/implementations/ciphers/cipher_aes_siv.c 2023-08-01 15:47:24.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -120,14 +120,18 @@
if (!ossl_prov_is_running())
return 0;
- if (inl == 0) {
- *outl = 0;
- return 1;
- }
+ /* Ignore just empty encryption/decryption call and not AAD. */
+ if (out != NULL) {
+ if (inl == 0) {
+ if (outl != NULL)
+ *outl = 0;
+ return 1;
+ }
- if (outsize < inl) {
- ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
- return 0;
+ if (outsize < inl) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
+ return 0;
+ }
}
if (ctx->hw->cipher(ctx, out, in, inl) <= 0)
diff -Nru openssl-3.0.9/providers/implementations/ciphers/cipher_rc4_hmac_md5.h openssl-3.0.10/providers/implementations/ciphers/cipher_rc4_hmac_md5.h
--- openssl-3.0.9/providers/implementations/ciphers/cipher_rc4_hmac_md5.h 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/providers/implementations/ciphers/cipher_rc4_hmac_md5.h 2023-08-01 15:47:24.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -31,3 +31,6 @@
} PROV_CIPHER_HW_RC4_HMAC_MD5;
const PROV_CIPHER_HW *ossl_prov_cipher_hw_rc4_hmac_md5(size_t keybits);
+
+void rc4_md5_enc(RC4_KEY *key, const void *in0, void *out,
+ MD5_CTX *ctx, const void *inp, size_t blocks);
diff -Nru openssl-3.0.9/providers/implementations/storemgmt/file_store.c openssl-3.0.10/providers/implementations/storemgmt/file_store.c
--- openssl-3.0.9/providers/implementations/storemgmt/file_store.c 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/providers/implementations/storemgmt/file_store.c 2023-08-01 15:47:24.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -612,9 +612,9 @@
* Last, check that the rest of the extension is a decimal number, at
* least one digit long.
*/
- if (!isdigit(*p))
+ if (!isdigit((unsigned char)*p))
return 0;
- while (isdigit(*p))
+ while (isdigit((unsigned char)*p))
p++;
#ifdef __VMS
@@ -623,7 +623,7 @@
*/
if (*p == ';')
for (p++; *p != '\0'; p++)
- if (!ossl_isdigit(*p))
+ if (!ossl_isdigit((unsigned char)*p))
break;
#endif
diff -Nru openssl-3.0.9/README-FIPS.md openssl-3.0.10/README-FIPS.md
--- openssl-3.0.9/README-FIPS.md 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/README-FIPS.md 2023-08-01 15:47:24.000000000 +0200
@@ -2,7 +2,7 @@
====================
This release of OpenSSL includes a cryptographic module that can be
-FIPS 140-2 validated. The module is implemented as an OpenSSL provider.
+FIPS validated. The module is implemented as an OpenSSL provider.
A provider is essentially a dynamically loadable module which implements
cryptographic algorithms, see the [README-PROVIDERS](README-PROVIDERS.md) file
for further details.
@@ -28,8 +28,16 @@
installed automatically. To enable it, you need to configure OpenSSL using
the `enable-fips` option.
-Installing the FIPS module
-==========================
+Installing the FIPS provider
+============================
+
+In order to be FIPS compliant you must only use FIPS validated source code.
+Refer to <https://www.openssl.org/source/> for information related to
+which versions are FIPS validated. The instructions given below build OpenSSL
+just using the FIPS validated source code.
+
+If you want to use a validated FIPS provider, but also want to use the latest
+OpenSSL release to build everything else, then refer to the next section.
The following is only a guide.
Please read the Security Policy for up to date installation instructions.
@@ -63,11 +71,12 @@
- Runs the FIPS module self tests
- Generates the so-called FIPS module configuration file containing information
- about the module such as the self test status, and the module checksum.
+ about the module such as the module checksum (and for OpenSSL 3.0 the
+ self test status).
The FIPS module must have the self tests run, and the FIPS module config file
-output generated on every machine that it is to be used on. You must not copy
-the FIPS module config file output data from one machine to another.
+output generated on every machine that it is to be used on. For OpenSSL 3.0,
+you must not copy the FIPS module config file output data from one machine to another.
On Unix the `openssl fipsinstall` command will be invoked as follows by default:
@@ -75,7 +84,80 @@
If you configured OpenSSL to be installed to a different location, the paths will
vary accordingly. In the rare case that you need to install the fipsmodule.cnf
-to non-standard location, you can execute the `openssl fipsinstall` command manually.
+to a non-standard location, you can execute the `openssl fipsinstall` command manually.
+
+Installing the FIPS provider and using it with the latest release
+=================================================================
+
+This normally requires you to download 2 copies of the OpenSSL source code.
+
+Download and build a validated FIPS provider
+--------------------------------------------
+
+Refer to <https://www.openssl.org/source/> for information related to
+which versions are FIPS validated. For this example we use OpenSSL 3.0.0.
+
+ $ wget https://www.openssl.org/source/openssl-3.0.0.tar.gz
+ $ tar -xf openssl-3.0.0.tar.gz
+ $ cd openssl-3.0.0
+ $ ./Configure enable-fips
+ $ make
+ $ cd ..
+
+Download and build the latest release of OpenSSL
+------------------------------------------------
+
+We use OpenSSL 3.1.0 here, (but you could also use the latest 3.0.X)
+
+ $ wget https://www.openssl.org/source/openssl-3.1.0.tar.gz
+ $ tar -xf openssl-3.1.0.tar.gz
+ $ cd openssl-3.1.0
+ $ ./Configure enable-fips
+ $ make
+
+Use the OpenSSL FIPS provider for testing
+-----------------------------------------
+
+We do this by replacing the artifact for the OpenSSL 3.1.0 FIPS provider.
+Note that the OpenSSL 3.1.0 FIPS provider has not been validated
+so it must not be used for FIPS purposes.
+
+ $ cp ../openssl-3.0.0/providers/fips.so providers/.
+ $ cp ../openssl-3.0.0/providers/fipsmodule.cnf providers/.
+ // Note that for OpenSSL 3.0 that the `fipsmodule.cnf` file should not
+ // be copied across multiple machines if it contains an entry for
+ // `install-status`. (Otherwise the self tests would be skipped).
+
+ // Validate the output of the following to make sure we are using the
+ // OpenSSL 3.0.0 FIPS provider
+ $ ./util/wrap.pl -fips apps/openssl list -provider-path providers \
+ -provider fips -providers
+
+ // Now run the current tests using the OpenSSL 3.0 FIPS provider.
+ $ make tests
+
+Copy the FIPS provider artifacts (`fips.so` & `fipsmodule.cnf`) to known locations
+-------------------------------------------------------------------------------------
+
+ $ cd ../openssl-3.0.0
+ $ sudo make install_fips
+
+Check that the correct FIPS provider is being used
+--------------------------------------------------
+
+ $./util/wrap.pl -fips apps/openssl list -provider-path providers \
+ -provider fips -providers
+
+ // This should produce the following output
+ Providers:
+ base
+ name: OpenSSL Base Provider
+ version: 3.1.0
+ status: active
+ fips
+ name: OpenSSL FIPS Provider
+ version: 3.0.0
+ status: active
Using the FIPS Module in applications
=====================================
diff -Nru openssl-3.0.9/ssl/statem/extensions.c openssl-3.0.10/ssl/statem/extensions.c
--- openssl-3.0.9/ssl/statem/extensions.c 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/ssl/statem/extensions.c 2023-08-01 15:47:24.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -1392,7 +1392,11 @@
group_id = pgroups[i];
if (check_in_list(s, group_id, clntgroups, clnt_num_groups,
- 1))
+ 1)
+ && tls_group_allowed(s, group_id,
+ SSL_SECOP_CURVE_SUPPORTED)
+ && tls_valid_group(s, group_id, TLS1_3_VERSION,
+ TLS1_3_VERSION, 0, NULL))
break;
}
diff -Nru openssl-3.0.9/ssl/statem/statem_lib.c openssl-3.0.10/ssl/statem/statem_lib.c
--- openssl-3.0.9/ssl/statem/statem_lib.c 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/ssl/statem/statem_lib.c 2023-08-01 15:47:24.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
@@ -47,7 +47,7 @@
ret = ssl3_write_bytes(s, type, &s->init_buf->data[s->init_off],
s->init_num, &written);
- if (ret < 0)
+ if (ret <= 0)
return -1;
if (type == SSL3_RT_HANDSHAKE)
/*
diff -Nru openssl-3.0.9/ssl/t1_lib.c openssl-3.0.10/ssl/t1_lib.c
--- openssl-3.0.9/ssl/t1_lib.c 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/ssl/t1_lib.c 2023-08-01 15:47:24.000000000 +0200
@@ -23,6 +23,7 @@
#include "internal/nelem.h"
#include "internal/sizes.h"
#include "internal/tlsgroups.h"
+#include "internal/cryptlib.h"
#include "ssl_local.h"
#include <openssl/ct.h>
@@ -600,6 +601,7 @@
const uint16_t *pref, *supp;
size_t num_pref, num_supp, i;
int k;
+ SSL_CTX *ctx = s->ctx;
/* Can't do anything on client side */
if (s->server == 0)
@@ -636,10 +638,29 @@
for (k = 0, i = 0; i < num_pref; i++) {
uint16_t id = pref[i];
+ const TLS_GROUP_INFO *inf;
if (!tls1_in_list(id, supp, num_supp)
- || !tls_group_allowed(s, id, SSL_SECOP_CURVE_SHARED))
- continue;
+ || !tls_group_allowed(s, id, SSL_SECOP_CURVE_SHARED))
+ continue;
+ inf = tls1_group_id_lookup(ctx, id);
+ if (!ossl_assert(inf != NULL))
+ return 0;
+ if (SSL_IS_DTLS(s)) {
+ if (inf->maxdtls == -1)
+ continue;
+ if ((inf->mindtls != 0 && DTLS_VERSION_LT(s->version, inf->mindtls))
+ || (inf->maxdtls != 0
+ && DTLS_VERSION_GT(s->version, inf->maxdtls)))
+ continue;
+ } else {
+ if (inf->maxtls == -1)
+ continue;
+ if ((inf->mintls != 0 && s->version < inf->mintls)
+ || (inf->maxtls != 0 && s->version > inf->maxtls))
+ continue;
+ }
+
if (nmatch == k)
return id;
k++;
diff -Nru openssl-3.0.9/test/build.info openssl-3.0.10/test/build.info
--- openssl-3.0.9/test/build.info 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/test/build.info 2023-08-01 15:47:24.000000000 +0200
@@ -41,8 +41,6 @@
evp_pkey_provided_test evp_test evp_extra_test evp_extra_test2 \
evp_fetch_prov_test evp_libctx_test ossl_store_test \
v3nametest v3ext punycode_test \
- evp_pkey_provided_test evp_test evp_extra_test evp_extra_test2 \
- evp_fetch_prov_test v3nametest v3ext \
crltest danetest bad_dtls_test lhash_test sparse_array_test \
conf_include_test params_api_test params_conversion_test \
constant_time_test verify_extra_test clienthellotest \
diff -Nru openssl-3.0.9/test/certs/sm2-pub.key openssl-3.0.10/test/certs/sm2-pub.key
--- openssl-3.0.9/test/certs/sm2-pub.key 1970-01-01 01:00:00.000000000 +0100
+++ openssl-3.0.10/test/certs/sm2-pub.key 2023-08-01 15:47:24.000000000 +0200
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoEcz1UBgi0DQgAEMKnjZFqe34rtSmZ7g5ALnKTPKYhM
+xEy9cpq3Kzgb7/JoTTZHm9tGrG1oBUCNszq0jPff7Fxp/azNv7rDPzJXGg==
+-----END PUBLIC KEY-----
diff -Nru openssl-3.0.9/test/dhtest.c openssl-3.0.10/test/dhtest.c
--- openssl-3.0.9/test/dhtest.c 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/test/dhtest.c 2023-08-01 15:47:24.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -73,7 +73,7 @@
goto err1;
/* check fails, because p is way too small */
- if (!DH_check(dh, &i))
+ if (!TEST_true(DH_check(dh, &i)))
goto err2;
i ^= DH_MODULUS_TOO_SMALL;
if (!TEST_false(i & DH_CHECK_P_NOT_PRIME)
@@ -124,6 +124,29 @@
/* We'll have a stale error on the queue from the above test so clear it */
ERR_clear_error();
+ if (!TEST_ptr(BN_copy(q, p)) || !TEST_true(BN_add(q, q, BN_value_one())))
+ goto err3;
+
+ if (!TEST_true(DH_check(dh, &i)))
+ goto err3;
+ if (!TEST_true(i & DH_CHECK_INVALID_Q_VALUE)
+ || !TEST_false(i & DH_CHECK_Q_NOT_PRIME))
+ goto err3;
+
+ /* Modulus of size: dh check max modulus bits + 1 */
+ if (!TEST_true(BN_set_word(p, 1))
+ || !TEST_true(BN_lshift(p, p, OPENSSL_DH_CHECK_MAX_MODULUS_BITS)))
+ goto err3;
+
+ /*
+ * We expect no checks at all for an excessively large modulus
+ */
+ if (!TEST_false(DH_check(dh, &i)))
+ goto err3;
+
+ /* We'll have a stale error on the queue from the above test so clear it */
+ ERR_clear_error();
+
/*
* II) key generation
*/
@@ -138,7 +161,7 @@
goto err3;
/* ... and check whether it is valid */
- if (!DH_check(a, &i))
+ if (!TEST_true(DH_check(a, &i)))
goto err3;
if (!TEST_false(i & DH_CHECK_P_NOT_PRIME)
|| !TEST_false(i & DH_CHECK_P_NOT_SAFE_PRIME)
diff -Nru openssl-3.0.9/test/evp_test.c openssl-3.0.10/test/evp_test.c
--- openssl-3.0.9/test/evp_test.c 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/test/evp_test.c 2023-08-01 15:47:24.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -3683,11 +3683,11 @@
int more = 1;
while (more) {
- for (; isspace(*providers); providers++)
+ for (; isspace((unsigned char)(*providers)); providers++)
continue;
if (*providers == '\0')
break; /* End of the road */
- for (p = providers; *p != '\0' && !isspace(*p); p++)
+ for (p = providers; *p != '\0' && !isspace((unsigned char)(*p)); p++)
continue;
if (*p == '\0')
more = 0;
diff -Nru openssl-3.0.9/test/helpers/ssltestlib.c openssl-3.0.10/test/helpers/ssltestlib.c
--- openssl-3.0.9/test/helpers/ssltestlib.c 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/test/helpers/ssltestlib.c 2023-08-01 15:47:24.000000000 +0200
@@ -42,6 +42,7 @@
static BIO_METHOD *method_tls_dump = NULL;
static BIO_METHOD *meth_mem = NULL;
static BIO_METHOD *meth_always_retry = NULL;
+static int retry_err = -1;
/* Note: Not thread safe! */
const BIO_METHOD *bio_f_tls_dump_filter(void)
@@ -760,16 +761,21 @@
return 1;
}
+void set_always_retry_err_val(int err)
+{
+ retry_err = err;
+}
+
static int always_retry_read(BIO *bio, char *out, int outl)
{
BIO_set_retry_read(bio);
- return -1;
+ return retry_err;
}
static int always_retry_write(BIO *bio, const char *in, int inl)
{
BIO_set_retry_write(bio);
- return -1;
+ return retry_err;
}
static long always_retry_ctrl(BIO *bio, int cmd, long num, void *ptr)
@@ -795,13 +801,13 @@
static int always_retry_gets(BIO *bio, char *buf, int size)
{
BIO_set_retry_read(bio);
- return -1;
+ return retry_err;
}
static int always_retry_puts(BIO *bio, const char *str)
{
BIO_set_retry_write(bio);
- return -1;
+ return retry_err;
}
int create_ssl_ctx_pair(OSSL_LIB_CTX *libctx, const SSL_METHOD *sm,
diff -Nru openssl-3.0.9/test/helpers/ssltestlib.h openssl-3.0.10/test/helpers/ssltestlib.h
--- openssl-3.0.9/test/helpers/ssltestlib.h 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/test/helpers/ssltestlib.h 2023-08-01 15:47:24.000000000 +0200
@@ -35,6 +35,7 @@
const BIO_METHOD *bio_s_always_retry(void);
void bio_s_always_retry_free(void);
+void set_always_retry_err_val(int err);
/* Packet types - value 0 is reserved */
#define INJECT_PACKET 1
diff -Nru openssl-3.0.9/test/recipes/20-test_cli_fips.t openssl-3.0.10/test/recipes/20-test_cli_fips.t
--- openssl-3.0.9/test/recipes/20-test_cli_fips.t 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/test/recipes/20-test_cli_fips.t 2023-08-01 15:47:24.000000000 +0200
@@ -1,5 +1,5 @@
#! /usr/bin/env perl
-# Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -109,65 +109,70 @@
$ENV{OPENSSL_CONF} = $defaultconf;
- $sigfile = $nonfips_sigfile;
- $testtext = $prefix.': '.
- 'Sign something with a non-FIPS key'.
- ' with the default provider';
- ok(run(app(['openssl', 'dgst', '-sha256',
- '-sign', $nonfips_key,
- '-out', $sigfile,
- $tbs_data])),
- $testtext);
-
- $testtext = $prefix.': '.
- 'Verify something with a non-FIPS key'.
- ' with the default provider';
- ok(run(app(['openssl', 'dgst', '-sha256',
- '-verify', $nonfips_pub_key,
- '-signature', $sigfile,
- $tbs_data])),
- $testtext);
-
- $ENV{OPENSSL_CONF} = $fipsconf;
+ SKIP : {
+ skip "FIPS failure testing", 6
+ if ($nonfips_key eq '');
+
+ $sigfile = $nonfips_sigfile;
+ $testtext = $prefix.': '.
+ 'Sign something with a non-FIPS key'.
+ ' with the default provider';
+ ok(run(app(['openssl', 'dgst', '-sha256',
+ '-sign', $nonfips_key,
+ '-out', $sigfile,
+ $tbs_data])),
+ $testtext);
+
+ $testtext = $prefix.': '.
+ 'Verify something with a non-FIPS key'.
+ ' with the default provider';
+ ok(run(app(['openssl', 'dgst', '-sha256',
+ '-verify', $nonfips_pub_key,
+ '-signature', $sigfile,
+ $tbs_data])),
+ $testtext);
- $testtext = $prefix.': '.
- 'Sign something with a non-FIPS key'.
- ' (should fail)';
- ok(!run(app(['openssl', 'dgst', '-sha256',
- '-sign', $nonfips_key,
- '-out', $prefix.'.nonfips.fail.sig',
- $tbs_data])),
- $testtext);
+ $ENV{OPENSSL_CONF} = $fipsconf;
- $testtext = $prefix.': '.
- 'Verify something with a non-FIPS key'.
- ' (should fail)';
- ok(!run(app(['openssl', 'dgst', '-sha256',
- '-verify', $nonfips_pub_key,
- '-signature', $sigfile,
- $tbs_data])),
- $testtext);
+ $testtext = $prefix.': '.
+ 'Sign something with a non-FIPS key'.
+ ' (should fail)';
+ ok(!run(app(['openssl', 'dgst', '-sha256',
+ '-sign', $nonfips_key,
+ '-out', $prefix.'.nonfips.fail.sig',
+ $tbs_data])),
+ $testtext);
- $testtext = $prefix.': '.
- 'Verify something with a non-FIPS key'.
- ' in FIPS mode but with a non-FIPS property query';
- ok(run(app(['openssl', 'dgst',
- '-provider', 'default',
- '-propquery', '?fips!=yes',
- '-sha256',
- '-verify', $nonfips_pub_key,
- '-signature', $sigfile,
- $tbs_data])),
- $testtext);
+ $testtext = $prefix.': '.
+ 'Verify something with a non-FIPS key'.
+ ' (should fail)';
+ ok(!run(app(['openssl', 'dgst', '-sha256',
+ '-verify', $nonfips_pub_key,
+ '-signature', $sigfile,
+ $tbs_data])),
+ $testtext);
+
+ $testtext = $prefix.': '.
+ 'Verify something with a non-FIPS key'.
+ ' in FIPS mode but with a non-FIPS property query';
+ ok(run(app(['openssl', 'dgst',
+ '-provider', 'default',
+ '-propquery', '?fips!=yes',
+ '-sha256',
+ '-verify', $nonfips_pub_key,
+ '-signature', $sigfile,
+ $tbs_data])),
+ $testtext);
- $testtext = $prefix.': '.
- 'Verify a valid signature against the wrong data with a non-FIPS key'.
- ' (should fail)';
- ok(!run(app(['openssl', 'dgst', '-sha256',
- '-verify', $nonfips_pub_key,
- '-signature', $sigfile,
- $bogus_data])),
- $testtext);
+ $testtext = $prefix.': '.
+ 'Verify a valid signature against the wrong data with a non-FIPS key'.
+ ' (should fail)';
+ ok(!run(app(['openssl', 'dgst', '-sha256',
+ '-verify', $nonfips_pub_key,
+ '-signature', $sigfile,
+ $bogus_data])),
+ $testtext);
+ }
}
SKIP : {
@@ -395,7 +400,6 @@
'-out', $testtext_prefix.'.fail.priv.pem'])),
$testtext);
- tsignverify($testtext_prefix, $fips_key, $fips_pub_key, $nonfips_key,
- $nonfips_pub_key);
+ tsignverify($testtext_prefix, $fips_key, $fips_pub_key, '', '');
};
}
diff -Nru openssl-3.0.9/test/recipes/20-test_pkeyutl.t openssl-3.0.10/test/recipes/20-test_pkeyutl.t
--- openssl-3.0.9/test/recipes/20-test_pkeyutl.t 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/test/recipes/20-test_pkeyutl.t 2023-08-01 15:47:24.000000000 +0200
@@ -1,5 +1,5 @@
#! /usr/bin/env perl
-# Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2018-2023 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -13,15 +13,16 @@
use File::Basename;
use OpenSSL::Test qw/:DEFAULT srctop_file ok_nofips/;
use OpenSSL::Test::Utils;
+use File::Compare qw/compare_text/;
setup("test_pkeyutl");
-plan tests => 12;
+plan tests => 14;
# For the tests below we use the cert itself as the TBS file
SKIP: {
- skip "Skipping tests that require EC, SM2 or SM3", 2
+ skip "Skipping tests that require EC, SM2 or SM3", 4
if disabled("ec") || disabled("sm2") || disabled("sm3");
# SM2
@@ -38,6 +39,18 @@
'-sigfile', 'sm2.sig', '-rawin',
'-digest', 'sm3', '-pkeyopt', 'distid:someid']))),
"Verify an SM2 signature against a piece of data");
+ ok_nofips(run(app(([ 'openssl', 'pkeyutl', '-encrypt',
+ '-in', srctop_file('test', 'data2.bin'),
+ '-inkey', srctop_file('test', 'certs', 'sm2-pub.key'),
+ '-pubin', '-out', 'sm2.enc']))),
+ "Encrypt a piece of data using SM2");
+ ok_nofips(run(app(([ 'openssl', 'pkeyutl', '-decrypt',
+ '-in', 'sm2.enc',
+ '-inkey', srctop_file('test', 'certs', 'sm2.key'),
+ '-out', 'sm2.dat'])))
+ && compare_text('sm2.dat',
+ srctop_file('test', 'data2.bin')) == 0,
+ "Decrypt a piece of data using SM2");
}
SKIP: {
diff -Nru openssl-3.0.9/test/recipes/30-test_evp_data/evpciph_aes_siv.txt openssl-3.0.10/test/recipes/30-test_evp_data/evpciph_aes_siv.txt
--- openssl-3.0.9/test/recipes/30-test_evp_data/evpciph_aes_siv.txt 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/test/recipes/30-test_evp_data/evpciph_aes_siv.txt 2023-08-01 15:47:24.000000000 +0200
@@ -1,5 +1,5 @@
#
-# Copyright 2018-2020 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2018-2023 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -21,6 +21,19 @@
Ciphertext = 40c02b9690c4dc04daef7f6afe5c
Cipher = aes-128-siv
+Key = fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff
+Tag = f1c5fdeac1f15a26779c1501f9fb7588
+Plaintext = 112233445566778899aabbccddee
+Ciphertext = 27e946c669088ab06da58c5c831c
+
+Cipher = aes-128-siv
+Key = fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff
+AAD =
+Tag = d1022f5b3664e5a4dfaf90f85be6f28a
+Plaintext = 112233445566778899aabbccddee
+Ciphertext = b66cff6b8eca0b79f083b39a0901
+
+Cipher = aes-128-siv
Key = 7f7e7d7c7b7a79787776757473727170404142434445464748494a4b4c4d4e4f
AAD = 00112233445566778899aabbccddeeffdeaddadadeaddadaffeeddccbbaa99887766554433221100
AAD = 102030405060708090a0
@@ -29,6 +42,24 @@
Plaintext = 7468697320697320736f6d6520706c61696e7465787420746f20656e6372797074207573696e67205349562d414553
Ciphertext = cb900f2fddbe404326601965c889bf17dba77ceb094fa663b7a3f748ba8af829ea64ad544a272e9c485b62a3fd5c0d
+Cipher = aes-128-siv
+Key = 7f7e7d7c7b7a79787776757473727170404142434445464748494a4b4c4d4e4f
+AAD = 00112233445566778899aabbccddeeffdeaddadadeaddadaffeeddccbbaa99887766554433221100
+AAD =
+AAD = 09f911029d74e35bd84156c5635688c0
+Tag = 83ce6593a8fa67eb6fcd2819cedfc011
+Plaintext = 7468697320697320736f6d6520706c61696e7465787420746f20656e6372797074207573696e67205349562d414553
+Ciphertext = 30d937b42f71f71f93fc2d8d702d3eac8dc7651eefcd81120081ff29d626f97f3de17f2969b691c91b69b652bf3a6d
+
+Cipher = aes-128-siv
+Key = 7f7e7d7c7b7a79787776757473727170404142434445464748494a4b4c4d4e4f
+AAD =
+AAD = 00112233445566778899aabbccddeeffdeaddadadeaddadaffeeddccbbaa99887766554433221100
+AAD = 09f911029d74e35bd84156c5635688c0
+Tag = 77dd4a44f5a6b41302121ee7f378de25
+Plaintext = 7468697320697320736f6d6520706c61696e7465787420746f20656e6372797074207573696e67205349562d414553
+Ciphertext = 0fcd664c922464c88939d71fad7aefb864e501b0848a07d39201c1067a7288f3dadf0131a823a0bc3d588e8564a5fe
+
Cipher = aes-192-siv
Key = fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0f0f1f2f3f4f5f6f7f8f9fafbfcfdfefffffefdfcfbfaf9f8f7f6f5f4f3f2f1f0
AAD = 101112131415161718191a1b1c1d1e1f2021222324252627
diff -Nru openssl-3.0.9/test/recipes/30-test_evp_data/evppkey_dsa.txt openssl-3.0.10/test/recipes/30-test_evp_data/evppkey_dsa.txt
--- openssl-3.0.9/test/recipes/30-test_evp_data/evppkey_dsa.txt 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/test/recipes/30-test_evp_data/evppkey_dsa.txt 2023-08-01 15:47:24.000000000 +0200
@@ -1,5 +1,5 @@
#
-# Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -142,6 +142,23 @@
/TqkTaCFsMDwcDc20Jg=
-----END PRIVATE KEY-----
+PrivateKey = DSA-2048-160
+-----BEGIN PRIVATE KEY-----
+MIICTAIBADCCAi0GByqGSM44BAEwggIgAoIBAQCOypCJyAO7uNZSPSNGalSkyjQC
+xdFVIGfMJKjEXzJnH4g3ts0UqUyO8126REDJEXDeMi22841xsSvzz0ZJeT5YvMLW
+t1BtSTiYg2QOar1qEGJunHgjsWKJbVzIqWNw60ZP7pNKmlR7PKa3WDaPhdeVP8zJ
+PEMeUHOSprO5Jk/Hjr8jxV0znIIixb9L9PgJAwxiM7rkRHS2Oz1FCYDmNmuFhQDh
+Cb3wY9t1AcAHZ05uZ4PtNjdRPwFLPeVdckPj0ntApvOrH18xPWBmwcVeHAH1SV2k
+7LPK7wILHVzcKm74ubX/s1wKysyyXyKM+oCgG9jvfh09VQJcHTHaVS643ohZAhUA
+uQMLDZqMQbh9TYlm9xYCEBaeVs0CggEAcum3PgEQIRfukytMQ7gKMyfxHqhMmJ6t
+RolRhgMrSfl99dmMoqJV+sdSjYvZSkwl71N1Y4Al8GcJB1SzTSb8qGRzM+43pa4k
+SyQZ62WA8w5gaIQJ85JUrWiT8C6SgwAbruS5BVHRbQD6FxZwro9+s8uPnLesMTQX
+p4maNSQaqYX7tqGl6Z7Wo0PsEwuDRvBlI6sl97gl4q3FQPByCq/64UW/eF6Illo1
+dpfbiWCszsp8oczXCEuP+2Y67WUIj3LjFA7WM/R8K4SfdMQ/VXY/cyRhlUqQl8Qe
+ndBVKe0IeSdqvMcLNoUip7DGcOXW2ogZl+wgeP4xL3pdo8uS025kjwQWAhRfutAE
+r/MlbdGMvcA7l0XmzzY85w==
+-----END PRIVATE KEY-----
+
PrivateKey = DSA-2048-224
-----BEGIN PRIVATE KEY-----
MIICXAIBADCCAjUGByqGSM44BAEwggIoAoIBAQDVjuiHR3XA9yAjToNQOmdg2rN9
@@ -249,9 +266,16 @@
h2C/91Z0b0Xg4QYNOtVUbfqQTJQAqEpaRg==
-----END PRIVATE KEY-----
-
Title = FIPS Tests (using different key sizes and digests)
+# Test sign with a 2048 bit key with N == 160 is not allowed in fips mode
+Availablein = fips
+DigestSign = SHA256
+Key = DSA-2048-160
+Input = "Hello"
+Output = 00
+Result = DIGESTSIGNINIT_ERROR
+
# Test sign with a 2048 bit key with N == 224 is allowed in fips mode
DigestSign = SHA256
Key = DSA-2048-224
@@ -289,6 +313,13 @@
Input = "Hello "
Output = 302c0214602d21ed37e46051bb3d06cc002adddeb4cdb3bd02144f39f75587b286588862d06366b2f29bddaf8cf6
+# Test verify with a 2048/160 bit key is allowed in fips mode
+FIPSversion = >3.1.1
+DigestVerify = SHA256
+Key = DSA-2048-160
+Input = "Hello"
+Output = 302e021500a51ca7f70ae206f221dc9b805bb04bfc07d6e448021500b16e45f9dac8aff04e115f96c00f4237d0fced41
+
Title = Fips Negative Tests (using different key sizes and digests)
# Test sign with a 1024 bit key is not allowed in fips mode
diff -Nru openssl-3.0.9/test/recipes/70-test_tls13hrr.t openssl-3.0.10/test/recipes/70-test_tls13hrr.t
--- openssl-3.0.9/test/recipes/70-test_tls13hrr.t 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/test/recipes/70-test_tls13hrr.t 2023-08-01 15:47:24.000000000 +0200
@@ -1,5 +1,5 @@
#! /usr/bin/env perl
-# Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -38,7 +38,8 @@
use constant {
CHANGE_HRR_CIPHERSUITE => 0,
CHANGE_CH1_CIPHERSUITE => 1,
- DUPLICATE_HRR => 2
+ DUPLICATE_HRR => 2,
+ INVALID_GROUP => 3
};
#Test 1: A client should fail if the server changes the ciphersuite between the
@@ -51,7 +52,7 @@
}
my $testtype = CHANGE_HRR_CIPHERSUITE;
$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
-plan tests => 3;
+plan tests => 4;
ok(TLSProxy::Message->fail(), "Server ciphersuite changes");
#Test 2: It is an error if the client changes the offered ciphersuites so that
@@ -80,6 +81,24 @@
$proxy->start();
ok($fatal_alert, "Server duplicated HRR");
+#Test 4: If the client sends a group that is in the supported_groups list but
+# otherwise not valid (e.g. not suitable for TLSv1.3) we should reject it
+# and not consider it when sending the HRR. We send brainpoolP512r1 in
+# the ClientHello, which is acceptable to the server but is not valid in
+# TLSv1.3. We expect the server to select X25519 in the HRR and the
+# handshake to complete successfully
+SKIP: {
+ skip "EC/TLSv1.2 is disabled in this build", 1
+ if disabled("ec") || disabled("tls1_2");
+
+ $proxy->clear();
+ $proxy->clientflags("-groups P-256:brainpoolP512r1:X25519");
+ $proxy->serverflags("-groups brainpoolP512r1:X25519");
+ $testtype = INVALID_GROUP;
+ $proxy->start();
+ ok(TLSProxy::Message->success(), "Invalid group with HRR");
+}
+
sub hrr_filter
{
my $proxy = shift;
@@ -133,16 +152,25 @@
return;
}
- # CHANGE_CH1_CIPHERSUITE
if ($proxy->flight != 0) {
return;
}
my $ch1 = ${$proxy->message_list}[0];
- # The server will always pick TLS_AES_256_GCM_SHA384
- my @ciphersuites = (TLSProxy::Message::CIPHER_TLS13_AES_128_GCM_SHA256);
- $ch1->ciphersuite_len(2 * scalar @ciphersuites);
- $ch1->ciphersuites(\@ciphersuites);
+ if ($testtype == CHANGE_CH1_CIPHERSUITE) {
+ # The server will always pick TLS_AES_256_GCM_SHA384
+ my @ciphersuites = (TLSProxy::Message::CIPHER_TLS13_AES_128_GCM_SHA256);
+ $ch1->ciphersuite_len(2 * scalar @ciphersuites);
+ $ch1->ciphersuites(\@ciphersuites);
+ } elsif ($testtype == INVALID_GROUP) {
+ # INVALID_GROUP
+ my $ext = pack "C7",
+ 0x00, 0x05, #List Length
+ 0x00, 0x1c, #brainpoolP512r1 (not compatible with TLSv1.3)
+ 0x00, 0x01, 0xff; #key_exchange data
+ $ch1->set_extension(
+ TLSProxy::Message::EXT_KEY_SHARE, $ext);
+ }
$ch1->repack();
}
diff -Nru openssl-3.0.9/test/recipes/90-test_store_cases_data/garbage-pkcs12.p12 openssl-3.0.10/test/recipes/90-test_store_cases_data/garbage-pkcs12.p12
--- openssl-3.0.9/test/recipes/90-test_store_cases_data/garbage-pkcs12.p12 1970-01-01 01:00:00.000000000 +0100
+++ openssl-3.0.10/test/recipes/90-test_store_cases_data/garbage-pkcs12.p12 2023-08-01 15:47:24.000000000 +0200
@@ -0,0 +1 @@
+0����[�0 ��*�H���0��1�0 ��U����US1�0���Upo
\ No newline at end of file
diff -Nru openssl-3.0.9/test/recipes/90-test_store_cases.t openssl-3.0.10/test/recipes/90-test_store_cases.t
--- openssl-3.0.9/test/recipes/90-test_store_cases.t 1970-01-01 01:00:00.000000000 +0100
+++ openssl-3.0.10/test/recipes/90-test_store_cases.t 2023-08-01 15:47:24.000000000 +0200
@@ -0,0 +1,36 @@
+#! /usr/bin/env perl
+# Copyright 2023 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+# This collects specific use cases, and tests our handling
+
+use File::Spec::Functions;
+use File::Copy;
+use MIME::Base64;
+use OpenSSL::Test qw(:DEFAULT srctop_file srctop_dir bldtop_file bldtop_dir
+ data_file);
+use OpenSSL::Test::Utils;
+
+my $test_name = "test_store_cases";
+setup($test_name);
+
+plan tests => 2;
+
+my $stderr;
+
+# The case of the garbage PKCS#12 DER file where a passphrase was
+# prompted for. That should not have happened.
+$stderr = 'garbage-pkcs12.stderr.txt';
+ok(!run(app(['openssl', 'storeutl', '-passin', 'pass:invalidapass',
+ data_file('garbage-pkcs12.p12')],
+ stderr => $stderr)),
+ "checking that storeutl fails when given a garbage pkcs12 file");
+open DATA, $stderr;
+@match = grep /try_pkcs12:.*?:maybe wrong password$/, <DATA>;
+close DATA;
+ok(scalar @match > 0 ? 0 : 1,
+ "checking that storeutl didn't ask for a passphrase");
diff -Nru openssl-3.0.9/test/sslapitest.c openssl-3.0.10/test/sslapitest.c
--- openssl-3.0.9/test/sslapitest.c 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/test/sslapitest.c 2023-08-01 15:47:24.000000000 +0200
@@ -948,18 +948,13 @@
}
#endif
-static int execute_test_large_message(const SSL_METHOD *smeth,
- const SSL_METHOD *cmeth,
- int min_version, int max_version,
- int read_ahead)
+static int add_large_cert_chain(SSL_CTX *sctx)
{
- SSL_CTX *cctx = NULL, *sctx = NULL;
- SSL *clientssl = NULL, *serverssl = NULL;
- int testresult = 0;
- int i;
BIO *certbio = NULL;
X509 *chaincert = NULL;
int certlen;
+ int ret = 0;
+ int i;
if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
goto end;
@@ -972,6 +967,41 @@
BIO_free(certbio);
certbio = NULL;
+ /*
+ * We assume the supplied certificate is big enough so that if we add
+ * NUM_EXTRA_CERTS it will make the overall message large enough. The
+ * default buffer size is requested to be 16k, but due to the way BUF_MEM
+ * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
+ * test we need to have a message larger than that.
+ */
+ certlen = i2d_X509(chaincert, NULL);
+ OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
+ (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
+ for (i = 0; i < NUM_EXTRA_CERTS; i++) {
+ if (!X509_up_ref(chaincert))
+ goto end;
+ if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
+ X509_free(chaincert);
+ goto end;
+ }
+ }
+
+ ret = 1;
+ end:
+ BIO_free(certbio);
+ X509_free(chaincert);
+ return ret;
+}
+
+static int execute_test_large_message(const SSL_METHOD *smeth,
+ const SSL_METHOD *cmeth,
+ int min_version, int max_version,
+ int read_ahead)
+{
+ SSL_CTX *cctx = NULL, *sctx = NULL;
+ SSL *clientssl = NULL, *serverssl = NULL;
+ int testresult = 0;
+
if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
max_version, &sctx, &cctx, cert,
privkey)))
@@ -998,24 +1028,8 @@
SSL_CTX_set_read_ahead(cctx, 1);
}
- /*
- * We assume the supplied certificate is big enough so that if we add
- * NUM_EXTRA_CERTS it will make the overall message large enough. The
- * default buffer size is requested to be 16k, but due to the way BUF_MEM
- * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
- * test we need to have a message larger than that.
- */
- certlen = i2d_X509(chaincert, NULL);
- OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
- (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
- for (i = 0; i < NUM_EXTRA_CERTS; i++) {
- if (!X509_up_ref(chaincert))
- goto end;
- if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
- X509_free(chaincert);
- goto end;
- }
- }
+ if (!add_large_cert_chain(sctx))
+ goto end;
if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
NULL, NULL))
@@ -1032,8 +1046,6 @@
testresult = 1;
end:
- BIO_free(certbio);
- X509_free(chaincert);
SSL_free(serverssl);
SSL_free(clientssl);
SSL_CTX_free(sctx);
@@ -10297,12 +10309,108 @@
ENGINE_finish(e);
ENGINE_free(e);
OPENSSL_free(buf);
- if (idx == 5)
+ if (fragsize == SSL3_RT_MAX_PLAIN_LENGTH)
OPENSSL_free(msg);
return testresult;
}
#endif /* !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE) */
+/*
+ * Force a write retry during handshaking. We test various combinations of
+ * scenarios. We test a large certificate message which will fill the buffering
+ * BIO used in the handshake. We try with client auth on and off. Finally we
+ * also try a BIO that indicates retry via a 0 return. BIO_write() is documented
+ * to indicate retry via -1 - but sometimes BIOs don't do that.
+ *
+ * Test 0: Standard certificate message
+ * Test 1: Large certificate message
+ * Test 2: Standard cert, verify peer
+ * Test 3: Large cert, verify peer
+ * Test 4: Standard cert, BIO returns 0 on retry
+ * Test 5: Large cert, BIO returns 0 on retry
+ * Test 6: Standard cert, verify peer, BIO returns 0 on retry
+ * Test 7: Large cert, verify peer, BIO returns 0 on retry
+ * Test 8-15: Repeat of above with TLSv1.2
+ */
+static int test_handshake_retry(int idx)
+{
+ SSL_CTX *cctx = NULL, *sctx = NULL;
+ SSL *clientssl = NULL, *serverssl = NULL;
+ int testresult = 0;
+ BIO *tmp = NULL, *bretry = BIO_new(bio_s_always_retry());
+ int maxversion = 0;
+
+ if (!TEST_ptr(bretry))
+ goto end;
+
+#ifndef OPENSSL_NO_TLS1_2
+ if ((idx & 8) == 8)
+ maxversion = TLS1_2_VERSION;
+#else
+ if ((idx & 8) == 8)
+ return TEST_skip("No TLSv1.2");
+#endif
+
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
+ TLS_client_method(), 0, maxversion,
+ &sctx, &cctx, cert, privkey)))
+ goto end;
+
+ /*
+ * Add a large amount of data to fill the buffering BIO used by the SSL
+ * object
+ */
+ if ((idx & 1) == 1 && !add_large_cert_chain(sctx))
+ goto end;
+
+ /*
+ * We don't actually configure a client cert, but neither do we fail if one
+ * isn't present.
+ */
+ if ((idx & 2) == 2)
+ SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
+
+ if ((idx & 4) == 4)
+ set_always_retry_err_val(0);
+
+ if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
+ &clientssl, NULL, NULL)))
+ goto end;
+
+ tmp = SSL_get_wbio(serverssl);
+ if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
+ tmp = NULL;
+ goto end;
+ }
+ SSL_set0_wbio(serverssl, bretry);
+ bretry = NULL;
+
+ if (!TEST_int_eq(SSL_connect(clientssl), -1))
+ goto end;
+
+ if (!TEST_int_eq(SSL_accept(serverssl), -1)
+ || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_WRITE))
+ goto end;
+
+ /* Restore a BIO that will let the write succeed */
+ SSL_set0_wbio(serverssl, tmp);
+ tmp = NULL;
+
+ if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
+ goto end;
+
+ testresult = 1;
+end:
+ SSL_free(serverssl);
+ SSL_free(clientssl);
+ SSL_CTX_free(sctx);
+ SSL_CTX_free(cctx);
+ BIO_free(bretry);
+ BIO_free(tmp);
+ set_always_retry_err_val(-1);
+ return testresult;
+}
+
OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n")
int setup_tests(void)
@@ -10574,6 +10682,7 @@
#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
ADD_ALL_TESTS(test_pipelining, 6);
#endif
+ ADD_ALL_TESTS(test_handshake_retry, 16);
return 1;
err:
diff -Nru openssl-3.0.9/test/ssl-tests/14-curves.cnf openssl-3.0.10/test/ssl-tests/14-curves.cnf
--- openssl-3.0.9/test/ssl-tests/14-curves.cnf 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/test/ssl-tests/14-curves.cnf 2023-08-01 15:47:24.000000000 +0200
@@ -1,87 +1,102 @@
# Generated with generate_ssl_tests.pl
-num_tests = 80
+num_tests = 95
test-0 = 0-curve-prime256v1
test-1 = 1-curve-secp384r1
test-2 = 2-curve-secp521r1
test-3 = 3-curve-X25519
test-4 = 4-curve-X448
-test-5 = 5-curve-sect233k1
-test-6 = 6-curve-sect233r1
-test-7 = 7-curve-sect283k1
-test-8 = 8-curve-sect283r1
-test-9 = 9-curve-sect409k1
-test-10 = 10-curve-sect409r1
-test-11 = 11-curve-sect571k1
-test-12 = 12-curve-sect571r1
-test-13 = 13-curve-secp224r1
-test-14 = 14-curve-sect163k1
-test-15 = 15-curve-sect163r2
-test-16 = 16-curve-prime192v1
-test-17 = 17-curve-sect163r1
-test-18 = 18-curve-sect193r1
-test-19 = 19-curve-sect193r2
-test-20 = 20-curve-sect239k1
-test-21 = 21-curve-secp160k1
-test-22 = 22-curve-secp160r1
-test-23 = 23-curve-secp160r2
-test-24 = 24-curve-secp192k1
-test-25 = 25-curve-secp224k1
-test-26 = 26-curve-secp256k1
-test-27 = 27-curve-brainpoolP256r1
-test-28 = 28-curve-brainpoolP384r1
-test-29 = 29-curve-brainpoolP512r1
-test-30 = 30-curve-sect233k1-tls12-in-tls13
-test-31 = 31-curve-sect233r1-tls12-in-tls13
-test-32 = 32-curve-sect283k1-tls12-in-tls13
-test-33 = 33-curve-sect283r1-tls12-in-tls13
-test-34 = 34-curve-sect409k1-tls12-in-tls13
-test-35 = 35-curve-sect409r1-tls12-in-tls13
-test-36 = 36-curve-sect571k1-tls12-in-tls13
-test-37 = 37-curve-sect571r1-tls12-in-tls13
-test-38 = 38-curve-secp224r1-tls12-in-tls13
-test-39 = 39-curve-sect163k1-tls12-in-tls13
-test-40 = 40-curve-sect163r2-tls12-in-tls13
-test-41 = 41-curve-prime192v1-tls12-in-tls13
-test-42 = 42-curve-sect163r1-tls12-in-tls13
-test-43 = 43-curve-sect193r1-tls12-in-tls13
-test-44 = 44-curve-sect193r2-tls12-in-tls13
-test-45 = 45-curve-sect239k1-tls12-in-tls13
-test-46 = 46-curve-secp160k1-tls12-in-tls13
-test-47 = 47-curve-secp160r1-tls12-in-tls13
-test-48 = 48-curve-secp160r2-tls12-in-tls13
-test-49 = 49-curve-secp192k1-tls12-in-tls13
-test-50 = 50-curve-secp224k1-tls12-in-tls13
-test-51 = 51-curve-secp256k1-tls12-in-tls13
-test-52 = 52-curve-brainpoolP256r1-tls12-in-tls13
-test-53 = 53-curve-brainpoolP384r1-tls12-in-tls13
-test-54 = 54-curve-brainpoolP512r1-tls12-in-tls13
-test-55 = 55-curve-sect233k1-tls13
-test-56 = 56-curve-sect233r1-tls13
-test-57 = 57-curve-sect283k1-tls13
-test-58 = 58-curve-sect283r1-tls13
-test-59 = 59-curve-sect409k1-tls13
-test-60 = 60-curve-sect409r1-tls13
-test-61 = 61-curve-sect571k1-tls13
-test-62 = 62-curve-sect571r1-tls13
-test-63 = 63-curve-secp224r1-tls13
-test-64 = 64-curve-sect163k1-tls13
-test-65 = 65-curve-sect163r2-tls13
-test-66 = 66-curve-prime192v1-tls13
-test-67 = 67-curve-sect163r1-tls13
-test-68 = 68-curve-sect193r1-tls13
-test-69 = 69-curve-sect193r2-tls13
-test-70 = 70-curve-sect239k1-tls13
-test-71 = 71-curve-secp160k1-tls13
-test-72 = 72-curve-secp160r1-tls13
-test-73 = 73-curve-secp160r2-tls13
-test-74 = 74-curve-secp192k1-tls13
-test-75 = 75-curve-secp224k1-tls13
-test-76 = 76-curve-secp256k1-tls13
-test-77 = 77-curve-brainpoolP256r1-tls13
-test-78 = 78-curve-brainpoolP384r1-tls13
-test-79 = 79-curve-brainpoolP512r1-tls13
+test-5 = 5-curve-ffdhe2048
+test-6 = 6-curve-ffdhe3072
+test-7 = 7-curve-ffdhe4096
+test-8 = 8-curve-ffdhe6144
+test-9 = 9-curve-ffdhe8192
+test-10 = 10-curve-sect233k1
+test-11 = 11-curve-sect233r1
+test-12 = 12-curve-sect283k1
+test-13 = 13-curve-sect283r1
+test-14 = 14-curve-sect409k1
+test-15 = 15-curve-sect409r1
+test-16 = 16-curve-sect571k1
+test-17 = 17-curve-sect571r1
+test-18 = 18-curve-secp224r1
+test-19 = 19-curve-sect163k1
+test-20 = 20-curve-sect163r2
+test-21 = 21-curve-prime192v1
+test-22 = 22-curve-sect163r1
+test-23 = 23-curve-sect193r1
+test-24 = 24-curve-sect193r2
+test-25 = 25-curve-sect239k1
+test-26 = 26-curve-secp160k1
+test-27 = 27-curve-secp160r1
+test-28 = 28-curve-secp160r2
+test-29 = 29-curve-secp192k1
+test-30 = 30-curve-secp224k1
+test-31 = 31-curve-secp256k1
+test-32 = 32-curve-brainpoolP256r1
+test-33 = 33-curve-brainpoolP384r1
+test-34 = 34-curve-brainpoolP512r1
+test-35 = 35-curve-sect233k1-tls12-in-tls13
+test-36 = 36-curve-sect233r1-tls12-in-tls13
+test-37 = 37-curve-sect283k1-tls12-in-tls13
+test-38 = 38-curve-sect283r1-tls12-in-tls13
+test-39 = 39-curve-sect409k1-tls12-in-tls13
+test-40 = 40-curve-sect409r1-tls12-in-tls13
+test-41 = 41-curve-sect571k1-tls12-in-tls13
+test-42 = 42-curve-sect571r1-tls12-in-tls13
+test-43 = 43-curve-secp224r1-tls12-in-tls13
+test-44 = 44-curve-sect163k1-tls12-in-tls13
+test-45 = 45-curve-sect163r2-tls12-in-tls13
+test-46 = 46-curve-prime192v1-tls12-in-tls13
+test-47 = 47-curve-sect163r1-tls12-in-tls13
+test-48 = 48-curve-sect193r1-tls12-in-tls13
+test-49 = 49-curve-sect193r2-tls12-in-tls13
+test-50 = 50-curve-sect239k1-tls12-in-tls13
+test-51 = 51-curve-secp160k1-tls12-in-tls13
+test-52 = 52-curve-secp160r1-tls12-in-tls13
+test-53 = 53-curve-secp160r2-tls12-in-tls13
+test-54 = 54-curve-secp192k1-tls12-in-tls13
+test-55 = 55-curve-secp224k1-tls12-in-tls13
+test-56 = 56-curve-secp256k1-tls12-in-tls13
+test-57 = 57-curve-brainpoolP256r1-tls12-in-tls13
+test-58 = 58-curve-brainpoolP384r1-tls12-in-tls13
+test-59 = 59-curve-brainpoolP512r1-tls12-in-tls13
+test-60 = 60-curve-sect233k1-tls13
+test-61 = 61-curve-sect233r1-tls13
+test-62 = 62-curve-sect283k1-tls13
+test-63 = 63-curve-sect283r1-tls13
+test-64 = 64-curve-sect409k1-tls13
+test-65 = 65-curve-sect409r1-tls13
+test-66 = 66-curve-sect571k1-tls13
+test-67 = 67-curve-sect571r1-tls13
+test-68 = 68-curve-secp224r1-tls13
+test-69 = 69-curve-sect163k1-tls13
+test-70 = 70-curve-sect163r2-tls13
+test-71 = 71-curve-prime192v1-tls13
+test-72 = 72-curve-sect163r1-tls13
+test-73 = 73-curve-sect193r1-tls13
+test-74 = 74-curve-sect193r2-tls13
+test-75 = 75-curve-sect239k1-tls13
+test-76 = 76-curve-secp160k1-tls13
+test-77 = 77-curve-secp160r1-tls13
+test-78 = 78-curve-secp160r2-tls13
+test-79 = 79-curve-secp192k1-tls13
+test-80 = 80-curve-secp224k1-tls13
+test-81 = 81-curve-secp256k1-tls13
+test-82 = 82-curve-brainpoolP256r1-tls13
+test-83 = 83-curve-brainpoolP384r1-tls13
+test-84 = 84-curve-brainpoolP512r1-tls13
+test-85 = 85-curve-ffdhe2048-tls13-in-tls12
+test-86 = 86-curve-ffdhe2048-tls13-in-tls12-2
+test-87 = 87-curve-ffdhe3072-tls13-in-tls12
+test-88 = 88-curve-ffdhe3072-tls13-in-tls12-2
+test-89 = 89-curve-ffdhe4096-tls13-in-tls12
+test-90 = 90-curve-ffdhe4096-tls13-in-tls12-2
+test-91 = 91-curve-ffdhe6144-tls13-in-tls12
+test-92 = 92-curve-ffdhe6144-tls13-in-tls12-2
+test-93 = 93-curve-ffdhe8192-tls13-in-tls12
+test-94 = 94-curve-ffdhe8192-tls13-in-tls12-2
# ===========================================================
[0-curve-prime256v1]
@@ -229,28 +244,173 @@
# ===========================================================
-[5-curve-sect233k1]
-ssl_conf = 5-curve-sect233k1-ssl
+[5-curve-ffdhe2048]
+ssl_conf = 5-curve-ffdhe2048-ssl
-[5-curve-sect233k1-ssl]
-server = 5-curve-sect233k1-server
-client = 5-curve-sect233k1-client
+[5-curve-ffdhe2048-ssl]
+server = 5-curve-ffdhe2048-server
+client = 5-curve-ffdhe2048-client
-[5-curve-sect233k1-server]
+[5-curve-ffdhe2048-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+Curves = ffdhe2048
+MaxProtocol = TLSv1.3
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[5-curve-ffdhe2048-client]
+CipherString = ECDHE
+Curves = ffdhe2048
+MaxProtocol = TLSv1.3
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-5]
+ExpectedProtocol = TLSv1.3
+ExpectedResult = Success
+ExpectedTmpKeyType = dhKeyAgreement
+
+
+# ===========================================================
+
+[6-curve-ffdhe3072]
+ssl_conf = 6-curve-ffdhe3072-ssl
+
+[6-curve-ffdhe3072-ssl]
+server = 6-curve-ffdhe3072-server
+client = 6-curve-ffdhe3072-client
+
+[6-curve-ffdhe3072-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+Curves = ffdhe3072
+MaxProtocol = TLSv1.3
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[6-curve-ffdhe3072-client]
+CipherString = ECDHE
+Curves = ffdhe3072
+MaxProtocol = TLSv1.3
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-6]
+ExpectedProtocol = TLSv1.3
+ExpectedResult = Success
+ExpectedTmpKeyType = dhKeyAgreement
+
+
+# ===========================================================
+
+[7-curve-ffdhe4096]
+ssl_conf = 7-curve-ffdhe4096-ssl
+
+[7-curve-ffdhe4096-ssl]
+server = 7-curve-ffdhe4096-server
+client = 7-curve-ffdhe4096-client
+
+[7-curve-ffdhe4096-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+Curves = ffdhe4096
+MaxProtocol = TLSv1.3
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[7-curve-ffdhe4096-client]
+CipherString = ECDHE
+Curves = ffdhe4096
+MaxProtocol = TLSv1.3
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-7]
+ExpectedProtocol = TLSv1.3
+ExpectedResult = Success
+ExpectedTmpKeyType = dhKeyAgreement
+
+
+# ===========================================================
+
+[8-curve-ffdhe6144]
+ssl_conf = 8-curve-ffdhe6144-ssl
+
+[8-curve-ffdhe6144-ssl]
+server = 8-curve-ffdhe6144-server
+client = 8-curve-ffdhe6144-client
+
+[8-curve-ffdhe6144-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+Curves = ffdhe6144
+MaxProtocol = TLSv1.3
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[8-curve-ffdhe6144-client]
+CipherString = ECDHE
+Curves = ffdhe6144
+MaxProtocol = TLSv1.3
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-8]
+ExpectedProtocol = TLSv1.3
+ExpectedResult = Success
+ExpectedTmpKeyType = dhKeyAgreement
+
+
+# ===========================================================
+
+[9-curve-ffdhe8192]
+ssl_conf = 9-curve-ffdhe8192-ssl
+
+[9-curve-ffdhe8192-ssl]
+server = 9-curve-ffdhe8192-server
+client = 9-curve-ffdhe8192-client
+
+[9-curve-ffdhe8192-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+Curves = ffdhe8192
+MaxProtocol = TLSv1.3
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[9-curve-ffdhe8192-client]
+CipherString = ECDHE
+Curves = ffdhe8192
+MaxProtocol = TLSv1.3
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-9]
+ExpectedProtocol = TLSv1.3
+ExpectedResult = Success
+ExpectedTmpKeyType = dhKeyAgreement
+
+
+# ===========================================================
+
+[10-curve-sect233k1]
+ssl_conf = 10-curve-sect233k1-ssl
+
+[10-curve-sect233k1-ssl]
+server = 10-curve-sect233k1-server
+client = 10-curve-sect233k1-client
+
+[10-curve-sect233k1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
Curves = sect233k1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[5-curve-sect233k1-client]
+[10-curve-sect233k1-client]
CipherString = ECDHE
Curves = sect233k1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-5]
+[test-10]
ExpectedProtocol = TLSv1.2
ExpectedResult = Success
ExpectedTmpKeyType = sect233k1
@@ -258,28 +418,28 @@
# ===========================================================
-[6-curve-sect233r1]
-ssl_conf = 6-curve-sect233r1-ssl
+[11-curve-sect233r1]
+ssl_conf = 11-curve-sect233r1-ssl
-[6-curve-sect233r1-ssl]
-server = 6-curve-sect233r1-server
-client = 6-curve-sect233r1-client
+[11-curve-sect233r1-ssl]
+server = 11-curve-sect233r1-server
+client = 11-curve-sect233r1-client
-[6-curve-sect233r1-server]
+[11-curve-sect233r1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
Curves = sect233r1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[6-curve-sect233r1-client]
+[11-curve-sect233r1-client]
CipherString = ECDHE
Curves = sect233r1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-6]
+[test-11]
ExpectedProtocol = TLSv1.2
ExpectedResult = Success
ExpectedTmpKeyType = sect233r1
@@ -287,28 +447,28 @@
# ===========================================================
-[7-curve-sect283k1]
-ssl_conf = 7-curve-sect283k1-ssl
+[12-curve-sect283k1]
+ssl_conf = 12-curve-sect283k1-ssl
-[7-curve-sect283k1-ssl]
-server = 7-curve-sect283k1-server
-client = 7-curve-sect283k1-client
+[12-curve-sect283k1-ssl]
+server = 12-curve-sect283k1-server
+client = 12-curve-sect283k1-client
-[7-curve-sect283k1-server]
+[12-curve-sect283k1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
Curves = sect283k1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[7-curve-sect283k1-client]
+[12-curve-sect283k1-client]
CipherString = ECDHE
Curves = sect283k1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-7]
+[test-12]
ExpectedProtocol = TLSv1.2
ExpectedResult = Success
ExpectedTmpKeyType = sect283k1
@@ -316,28 +476,28 @@
# ===========================================================
-[8-curve-sect283r1]
-ssl_conf = 8-curve-sect283r1-ssl
+[13-curve-sect283r1]
+ssl_conf = 13-curve-sect283r1-ssl
-[8-curve-sect283r1-ssl]
-server = 8-curve-sect283r1-server
-client = 8-curve-sect283r1-client
+[13-curve-sect283r1-ssl]
+server = 13-curve-sect283r1-server
+client = 13-curve-sect283r1-client
-[8-curve-sect283r1-server]
+[13-curve-sect283r1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
Curves = sect283r1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[8-curve-sect283r1-client]
+[13-curve-sect283r1-client]
CipherString = ECDHE
Curves = sect283r1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-8]
+[test-13]
ExpectedProtocol = TLSv1.2
ExpectedResult = Success
ExpectedTmpKeyType = sect283r1
@@ -345,28 +505,28 @@
# ===========================================================
-[9-curve-sect409k1]
-ssl_conf = 9-curve-sect409k1-ssl
+[14-curve-sect409k1]
+ssl_conf = 14-curve-sect409k1-ssl
-[9-curve-sect409k1-ssl]
-server = 9-curve-sect409k1-server
-client = 9-curve-sect409k1-client
+[14-curve-sect409k1-ssl]
+server = 14-curve-sect409k1-server
+client = 14-curve-sect409k1-client
-[9-curve-sect409k1-server]
+[14-curve-sect409k1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
Curves = sect409k1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[9-curve-sect409k1-client]
+[14-curve-sect409k1-client]
CipherString = ECDHE
Curves = sect409k1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-9]
+[test-14]
ExpectedProtocol = TLSv1.2
ExpectedResult = Success
ExpectedTmpKeyType = sect409k1
@@ -374,28 +534,28 @@
# ===========================================================
-[10-curve-sect409r1]
-ssl_conf = 10-curve-sect409r1-ssl
+[15-curve-sect409r1]
+ssl_conf = 15-curve-sect409r1-ssl
-[10-curve-sect409r1-ssl]
-server = 10-curve-sect409r1-server
-client = 10-curve-sect409r1-client
+[15-curve-sect409r1-ssl]
+server = 15-curve-sect409r1-server
+client = 15-curve-sect409r1-client
-[10-curve-sect409r1-server]
+[15-curve-sect409r1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
Curves = sect409r1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[10-curve-sect409r1-client]
+[15-curve-sect409r1-client]
CipherString = ECDHE
Curves = sect409r1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-10]
+[test-15]
ExpectedProtocol = TLSv1.2
ExpectedResult = Success
ExpectedTmpKeyType = sect409r1
@@ -403,28 +563,28 @@
# ===========================================================
-[11-curve-sect571k1]
-ssl_conf = 11-curve-sect571k1-ssl
+[16-curve-sect571k1]
+ssl_conf = 16-curve-sect571k1-ssl
-[11-curve-sect571k1-ssl]
-server = 11-curve-sect571k1-server
-client = 11-curve-sect571k1-client
+[16-curve-sect571k1-ssl]
+server = 16-curve-sect571k1-server
+client = 16-curve-sect571k1-client
-[11-curve-sect571k1-server]
+[16-curve-sect571k1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
Curves = sect571k1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[11-curve-sect571k1-client]
+[16-curve-sect571k1-client]
CipherString = ECDHE
Curves = sect571k1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-11]
+[test-16]
ExpectedProtocol = TLSv1.2
ExpectedResult = Success
ExpectedTmpKeyType = sect571k1
@@ -432,28 +592,28 @@
# ===========================================================
-[12-curve-sect571r1]
-ssl_conf = 12-curve-sect571r1-ssl
+[17-curve-sect571r1]
+ssl_conf = 17-curve-sect571r1-ssl
-[12-curve-sect571r1-ssl]
-server = 12-curve-sect571r1-server
-client = 12-curve-sect571r1-client
+[17-curve-sect571r1-ssl]
+server = 17-curve-sect571r1-server
+client = 17-curve-sect571r1-client
-[12-curve-sect571r1-server]
+[17-curve-sect571r1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
Curves = sect571r1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[12-curve-sect571r1-client]
+[17-curve-sect571r1-client]
CipherString = ECDHE
Curves = sect571r1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-12]
+[test-17]
ExpectedProtocol = TLSv1.2
ExpectedResult = Success
ExpectedTmpKeyType = sect571r1
@@ -461,28 +621,28 @@
# ===========================================================
-[13-curve-secp224r1]
-ssl_conf = 13-curve-secp224r1-ssl
+[18-curve-secp224r1]
+ssl_conf = 18-curve-secp224r1-ssl
-[13-curve-secp224r1-ssl]
-server = 13-curve-secp224r1-server
-client = 13-curve-secp224r1-client
+[18-curve-secp224r1-ssl]
+server = 18-curve-secp224r1-server
+client = 18-curve-secp224r1-client
-[13-curve-secp224r1-server]
+[18-curve-secp224r1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
Curves = secp224r1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[13-curve-secp224r1-client]
+[18-curve-secp224r1-client]
CipherString = ECDHE
Curves = secp224r1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-13]
+[test-18]
ExpectedProtocol = TLSv1.2
ExpectedResult = Success
ExpectedTmpKeyType = secp224r1
@@ -490,28 +650,28 @@
# ===========================================================
-[14-curve-sect163k1]
-ssl_conf = 14-curve-sect163k1-ssl
+[19-curve-sect163k1]
+ssl_conf = 19-curve-sect163k1-ssl
-[14-curve-sect163k1-ssl]
-server = 14-curve-sect163k1-server
-client = 14-curve-sect163k1-client
+[19-curve-sect163k1-ssl]
+server = 19-curve-sect163k1-server
+client = 19-curve-sect163k1-client
-[14-curve-sect163k1-server]
+[19-curve-sect163k1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
Curves = sect163k1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[14-curve-sect163k1-client]
+[19-curve-sect163k1-client]
CipherString = ECDHE
Curves = sect163k1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-14]
+[test-19]
ExpectedProtocol = TLSv1.2
ExpectedResult = Success
ExpectedTmpKeyType = sect163k1
@@ -519,28 +679,28 @@
# ===========================================================
-[15-curve-sect163r2]
-ssl_conf = 15-curve-sect163r2-ssl
+[20-curve-sect163r2]
+ssl_conf = 20-curve-sect163r2-ssl
-[15-curve-sect163r2-ssl]
-server = 15-curve-sect163r2-server
-client = 15-curve-sect163r2-client
+[20-curve-sect163r2-ssl]
+server = 20-curve-sect163r2-server
+client = 20-curve-sect163r2-client
-[15-curve-sect163r2-server]
+[20-curve-sect163r2-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
Curves = sect163r2
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[15-curve-sect163r2-client]
+[20-curve-sect163r2-client]
CipherString = ECDHE
Curves = sect163r2
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-15]
+[test-20]
ExpectedProtocol = TLSv1.2
ExpectedResult = Success
ExpectedTmpKeyType = sect163r2
@@ -548,28 +708,28 @@
# ===========================================================
-[16-curve-prime192v1]
-ssl_conf = 16-curve-prime192v1-ssl
+[21-curve-prime192v1]
+ssl_conf = 21-curve-prime192v1-ssl
-[16-curve-prime192v1-ssl]
-server = 16-curve-prime192v1-server
-client = 16-curve-prime192v1-client
+[21-curve-prime192v1-ssl]
+server = 21-curve-prime192v1-server
+client = 21-curve-prime192v1-client
-[16-curve-prime192v1-server]
+[21-curve-prime192v1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
Curves = prime192v1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[16-curve-prime192v1-client]
+[21-curve-prime192v1-client]
CipherString = ECDHE
Curves = prime192v1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-16]
+[test-21]
ExpectedProtocol = TLSv1.2
ExpectedResult = Success
ExpectedTmpKeyType = prime192v1
@@ -577,28 +737,28 @@
# ===========================================================
-[17-curve-sect163r1]
-ssl_conf = 17-curve-sect163r1-ssl
+[22-curve-sect163r1]
+ssl_conf = 22-curve-sect163r1-ssl
-[17-curve-sect163r1-ssl]
-server = 17-curve-sect163r1-server
-client = 17-curve-sect163r1-client
+[22-curve-sect163r1-ssl]
+server = 22-curve-sect163r1-server
+client = 22-curve-sect163r1-client
-[17-curve-sect163r1-server]
+[22-curve-sect163r1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
Curves = sect163r1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[17-curve-sect163r1-client]
+[22-curve-sect163r1-client]
CipherString = ECDHE
Curves = sect163r1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-17]
+[test-22]
ExpectedProtocol = TLSv1.2
ExpectedResult = Success
ExpectedTmpKeyType = sect163r1
@@ -606,28 +766,28 @@
# ===========================================================
-[18-curve-sect193r1]
-ssl_conf = 18-curve-sect193r1-ssl
+[23-curve-sect193r1]
+ssl_conf = 23-curve-sect193r1-ssl
-[18-curve-sect193r1-ssl]
-server = 18-curve-sect193r1-server
-client = 18-curve-sect193r1-client
+[23-curve-sect193r1-ssl]
+server = 23-curve-sect193r1-server
+client = 23-curve-sect193r1-client
-[18-curve-sect193r1-server]
+[23-curve-sect193r1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
Curves = sect193r1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[18-curve-sect193r1-client]
+[23-curve-sect193r1-client]
CipherString = ECDHE
Curves = sect193r1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-18]
+[test-23]
ExpectedProtocol = TLSv1.2
ExpectedResult = Success
ExpectedTmpKeyType = sect193r1
@@ -635,28 +795,28 @@
# ===========================================================
-[19-curve-sect193r2]
-ssl_conf = 19-curve-sect193r2-ssl
+[24-curve-sect193r2]
+ssl_conf = 24-curve-sect193r2-ssl
-[19-curve-sect193r2-ssl]
-server = 19-curve-sect193r2-server
-client = 19-curve-sect193r2-client
+[24-curve-sect193r2-ssl]
+server = 24-curve-sect193r2-server
+client = 24-curve-sect193r2-client
-[19-curve-sect193r2-server]
+[24-curve-sect193r2-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
Curves = sect193r2
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[19-curve-sect193r2-client]
+[24-curve-sect193r2-client]
CipherString = ECDHE
Curves = sect193r2
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-19]
+[test-24]
ExpectedProtocol = TLSv1.2
ExpectedResult = Success
ExpectedTmpKeyType = sect193r2
@@ -664,28 +824,28 @@
# ===========================================================
-[20-curve-sect239k1]
-ssl_conf = 20-curve-sect239k1-ssl
+[25-curve-sect239k1]
+ssl_conf = 25-curve-sect239k1-ssl
-[20-curve-sect239k1-ssl]
-server = 20-curve-sect239k1-server
-client = 20-curve-sect239k1-client
+[25-curve-sect239k1-ssl]
+server = 25-curve-sect239k1-server
+client = 25-curve-sect239k1-client
-[20-curve-sect239k1-server]
+[25-curve-sect239k1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
Curves = sect239k1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[20-curve-sect239k1-client]
+[25-curve-sect239k1-client]
CipherString = ECDHE
Curves = sect239k1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-20]
+[test-25]
ExpectedProtocol = TLSv1.2
ExpectedResult = Success
ExpectedTmpKeyType = sect239k1
@@ -693,28 +853,28 @@
# ===========================================================
-[21-curve-secp160k1]
-ssl_conf = 21-curve-secp160k1-ssl
+[26-curve-secp160k1]
+ssl_conf = 26-curve-secp160k1-ssl
-[21-curve-secp160k1-ssl]
-server = 21-curve-secp160k1-server
-client = 21-curve-secp160k1-client
+[26-curve-secp160k1-ssl]
+server = 26-curve-secp160k1-server
+client = 26-curve-secp160k1-client
-[21-curve-secp160k1-server]
+[26-curve-secp160k1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
Curves = secp160k1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[21-curve-secp160k1-client]
+[26-curve-secp160k1-client]
CipherString = ECDHE
Curves = secp160k1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-21]
+[test-26]
ExpectedProtocol = TLSv1.2
ExpectedResult = Success
ExpectedTmpKeyType = secp160k1
@@ -722,28 +882,28 @@
# ===========================================================
-[22-curve-secp160r1]
-ssl_conf = 22-curve-secp160r1-ssl
+[27-curve-secp160r1]
+ssl_conf = 27-curve-secp160r1-ssl
-[22-curve-secp160r1-ssl]
-server = 22-curve-secp160r1-server
-client = 22-curve-secp160r1-client
+[27-curve-secp160r1-ssl]
+server = 27-curve-secp160r1-server
+client = 27-curve-secp160r1-client
-[22-curve-secp160r1-server]
+[27-curve-secp160r1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
Curves = secp160r1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[22-curve-secp160r1-client]
+[27-curve-secp160r1-client]
CipherString = ECDHE
Curves = secp160r1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-22]
+[test-27]
ExpectedProtocol = TLSv1.2
ExpectedResult = Success
ExpectedTmpKeyType = secp160r1
@@ -751,28 +911,28 @@
# ===========================================================
-[23-curve-secp160r2]
-ssl_conf = 23-curve-secp160r2-ssl
+[28-curve-secp160r2]
+ssl_conf = 28-curve-secp160r2-ssl
-[23-curve-secp160r2-ssl]
-server = 23-curve-secp160r2-server
-client = 23-curve-secp160r2-client
+[28-curve-secp160r2-ssl]
+server = 28-curve-secp160r2-server
+client = 28-curve-secp160r2-client
-[23-curve-secp160r2-server]
+[28-curve-secp160r2-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
Curves = secp160r2
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[23-curve-secp160r2-client]
+[28-curve-secp160r2-client]
CipherString = ECDHE
Curves = secp160r2
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-23]
+[test-28]
ExpectedProtocol = TLSv1.2
ExpectedResult = Success
ExpectedTmpKeyType = secp160r2
@@ -780,28 +940,28 @@
# ===========================================================
-[24-curve-secp192k1]
-ssl_conf = 24-curve-secp192k1-ssl
+[29-curve-secp192k1]
+ssl_conf = 29-curve-secp192k1-ssl
-[24-curve-secp192k1-ssl]
-server = 24-curve-secp192k1-server
-client = 24-curve-secp192k1-client
+[29-curve-secp192k1-ssl]
+server = 29-curve-secp192k1-server
+client = 29-curve-secp192k1-client
-[24-curve-secp192k1-server]
+[29-curve-secp192k1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
Curves = secp192k1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[24-curve-secp192k1-client]
+[29-curve-secp192k1-client]
CipherString = ECDHE
Curves = secp192k1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-24]
+[test-29]
ExpectedProtocol = TLSv1.2
ExpectedResult = Success
ExpectedTmpKeyType = secp192k1
@@ -809,28 +969,28 @@
# ===========================================================
-[25-curve-secp224k1]
-ssl_conf = 25-curve-secp224k1-ssl
+[30-curve-secp224k1]
+ssl_conf = 30-curve-secp224k1-ssl
-[25-curve-secp224k1-ssl]
-server = 25-curve-secp224k1-server
-client = 25-curve-secp224k1-client
+[30-curve-secp224k1-ssl]
+server = 30-curve-secp224k1-server
+client = 30-curve-secp224k1-client
-[25-curve-secp224k1-server]
+[30-curve-secp224k1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
Curves = secp224k1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[25-curve-secp224k1-client]
+[30-curve-secp224k1-client]
CipherString = ECDHE
Curves = secp224k1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-25]
+[test-30]
ExpectedProtocol = TLSv1.2
ExpectedResult = Success
ExpectedTmpKeyType = secp224k1
@@ -838,28 +998,28 @@
# ===========================================================
-[26-curve-secp256k1]
-ssl_conf = 26-curve-secp256k1-ssl
+[31-curve-secp256k1]
+ssl_conf = 31-curve-secp256k1-ssl
-[26-curve-secp256k1-ssl]
-server = 26-curve-secp256k1-server
-client = 26-curve-secp256k1-client
+[31-curve-secp256k1-ssl]
+server = 31-curve-secp256k1-server
+client = 31-curve-secp256k1-client
-[26-curve-secp256k1-server]
+[31-curve-secp256k1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
Curves = secp256k1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[26-curve-secp256k1-client]
+[31-curve-secp256k1-client]
CipherString = ECDHE
Curves = secp256k1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-26]
+[test-31]
ExpectedProtocol = TLSv1.2
ExpectedResult = Success
ExpectedTmpKeyType = secp256k1
@@ -867,28 +1027,28 @@
# ===========================================================
-[27-curve-brainpoolP256r1]
-ssl_conf = 27-curve-brainpoolP256r1-ssl
+[32-curve-brainpoolP256r1]
+ssl_conf = 32-curve-brainpoolP256r1-ssl
-[27-curve-brainpoolP256r1-ssl]
-server = 27-curve-brainpoolP256r1-server
-client = 27-curve-brainpoolP256r1-client
+[32-curve-brainpoolP256r1-ssl]
+server = 32-curve-brainpoolP256r1-server
+client = 32-curve-brainpoolP256r1-client
-[27-curve-brainpoolP256r1-server]
+[32-curve-brainpoolP256r1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
Curves = brainpoolP256r1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[27-curve-brainpoolP256r1-client]
+[32-curve-brainpoolP256r1-client]
CipherString = ECDHE
Curves = brainpoolP256r1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-27]
+[test-32]
ExpectedProtocol = TLSv1.2
ExpectedResult = Success
ExpectedTmpKeyType = brainpoolP256r1
@@ -896,28 +1056,28 @@
# ===========================================================
-[28-curve-brainpoolP384r1]
-ssl_conf = 28-curve-brainpoolP384r1-ssl
+[33-curve-brainpoolP384r1]
+ssl_conf = 33-curve-brainpoolP384r1-ssl
-[28-curve-brainpoolP384r1-ssl]
-server = 28-curve-brainpoolP384r1-server
-client = 28-curve-brainpoolP384r1-client
+[33-curve-brainpoolP384r1-ssl]
+server = 33-curve-brainpoolP384r1-server
+client = 33-curve-brainpoolP384r1-client
-[28-curve-brainpoolP384r1-server]
+[33-curve-brainpoolP384r1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
Curves = brainpoolP384r1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[28-curve-brainpoolP384r1-client]
+[33-curve-brainpoolP384r1-client]
CipherString = ECDHE
Curves = brainpoolP384r1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-28]
+[test-33]
ExpectedProtocol = TLSv1.2
ExpectedResult = Success
ExpectedTmpKeyType = brainpoolP384r1
@@ -925,28 +1085,28 @@
# ===========================================================
-[29-curve-brainpoolP512r1]
-ssl_conf = 29-curve-brainpoolP512r1-ssl
+[34-curve-brainpoolP512r1]
+ssl_conf = 34-curve-brainpoolP512r1-ssl
-[29-curve-brainpoolP512r1-ssl]
-server = 29-curve-brainpoolP512r1-server
-client = 29-curve-brainpoolP512r1-client
+[34-curve-brainpoolP512r1-ssl]
+server = 34-curve-brainpoolP512r1-server
+client = 34-curve-brainpoolP512r1-client
-[29-curve-brainpoolP512r1-server]
+[34-curve-brainpoolP512r1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
Curves = brainpoolP512r1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[29-curve-brainpoolP512r1-client]
+[34-curve-brainpoolP512r1-client]
CipherString = ECDHE
Curves = brainpoolP512r1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-29]
+[test-34]
ExpectedProtocol = TLSv1.2
ExpectedResult = Success
ExpectedTmpKeyType = brainpoolP512r1
@@ -954,21 +1114,21 @@
# ===========================================================
-[30-curve-sect233k1-tls12-in-tls13]
-ssl_conf = 30-curve-sect233k1-tls12-in-tls13-ssl
+[35-curve-sect233k1-tls12-in-tls13]
+ssl_conf = 35-curve-sect233k1-tls12-in-tls13-ssl
-[30-curve-sect233k1-tls12-in-tls13-ssl]
-server = 30-curve-sect233k1-tls12-in-tls13-server
-client = 30-curve-sect233k1-tls12-in-tls13-client
+[35-curve-sect233k1-tls12-in-tls13-ssl]
+server = 35-curve-sect233k1-tls12-in-tls13-server
+client = 35-curve-sect233k1-tls12-in-tls13-client
-[30-curve-sect233k1-tls12-in-tls13-server]
+[35-curve-sect233k1-tls12-in-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT@SECLEVEL=1
Curves = sect233k1:P-256
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[30-curve-sect233k1-tls12-in-tls13-client]
+[35-curve-sect233k1-tls12-in-tls13-client]
CipherString = ECDHE@SECLEVEL=1
Curves = sect233k1:P-256
MaxProtocol = TLSv1.3
@@ -976,7 +1136,7 @@
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-30]
+[test-35]
ExpectedProtocol = TLSv1.3
ExpectedResult = Success
ExpectedTmpKeyType = P-256
@@ -984,21 +1144,21 @@
# ===========================================================
-[31-curve-sect233r1-tls12-in-tls13]
-ssl_conf = 31-curve-sect233r1-tls12-in-tls13-ssl
+[36-curve-sect233r1-tls12-in-tls13]
+ssl_conf = 36-curve-sect233r1-tls12-in-tls13-ssl
-[31-curve-sect233r1-tls12-in-tls13-ssl]
-server = 31-curve-sect233r1-tls12-in-tls13-server
-client = 31-curve-sect233r1-tls12-in-tls13-client
+[36-curve-sect233r1-tls12-in-tls13-ssl]
+server = 36-curve-sect233r1-tls12-in-tls13-server
+client = 36-curve-sect233r1-tls12-in-tls13-client
-[31-curve-sect233r1-tls12-in-tls13-server]
+[36-curve-sect233r1-tls12-in-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT@SECLEVEL=1
Curves = sect233r1:P-256
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[31-curve-sect233r1-tls12-in-tls13-client]
+[36-curve-sect233r1-tls12-in-tls13-client]
CipherString = ECDHE@SECLEVEL=1
Curves = sect233r1:P-256
MaxProtocol = TLSv1.3
@@ -1006,7 +1166,7 @@
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-31]
+[test-36]
ExpectedProtocol = TLSv1.3
ExpectedResult = Success
ExpectedTmpKeyType = P-256
@@ -1014,21 +1174,21 @@
# ===========================================================
-[32-curve-sect283k1-tls12-in-tls13]
-ssl_conf = 32-curve-sect283k1-tls12-in-tls13-ssl
+[37-curve-sect283k1-tls12-in-tls13]
+ssl_conf = 37-curve-sect283k1-tls12-in-tls13-ssl
-[32-curve-sect283k1-tls12-in-tls13-ssl]
-server = 32-curve-sect283k1-tls12-in-tls13-server
-client = 32-curve-sect283k1-tls12-in-tls13-client
+[37-curve-sect283k1-tls12-in-tls13-ssl]
+server = 37-curve-sect283k1-tls12-in-tls13-server
+client = 37-curve-sect283k1-tls12-in-tls13-client
-[32-curve-sect283k1-tls12-in-tls13-server]
+[37-curve-sect283k1-tls12-in-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT@SECLEVEL=1
Curves = sect283k1:P-256
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[32-curve-sect283k1-tls12-in-tls13-client]
+[37-curve-sect283k1-tls12-in-tls13-client]
CipherString = ECDHE@SECLEVEL=1
Curves = sect283k1:P-256
MaxProtocol = TLSv1.3
@@ -1036,7 +1196,7 @@
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-32]
+[test-37]
ExpectedProtocol = TLSv1.3
ExpectedResult = Success
ExpectedTmpKeyType = P-256
@@ -1044,21 +1204,21 @@
# ===========================================================
-[33-curve-sect283r1-tls12-in-tls13]
-ssl_conf = 33-curve-sect283r1-tls12-in-tls13-ssl
+[38-curve-sect283r1-tls12-in-tls13]
+ssl_conf = 38-curve-sect283r1-tls12-in-tls13-ssl
-[33-curve-sect283r1-tls12-in-tls13-ssl]
-server = 33-curve-sect283r1-tls12-in-tls13-server
-client = 33-curve-sect283r1-tls12-in-tls13-client
+[38-curve-sect283r1-tls12-in-tls13-ssl]
+server = 38-curve-sect283r1-tls12-in-tls13-server
+client = 38-curve-sect283r1-tls12-in-tls13-client
-[33-curve-sect283r1-tls12-in-tls13-server]
+[38-curve-sect283r1-tls12-in-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT@SECLEVEL=1
Curves = sect283r1:P-256
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[33-curve-sect283r1-tls12-in-tls13-client]
+[38-curve-sect283r1-tls12-in-tls13-client]
CipherString = ECDHE@SECLEVEL=1
Curves = sect283r1:P-256
MaxProtocol = TLSv1.3
@@ -1066,7 +1226,7 @@
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-33]
+[test-38]
ExpectedProtocol = TLSv1.3
ExpectedResult = Success
ExpectedTmpKeyType = P-256
@@ -1074,21 +1234,21 @@
# ===========================================================
-[34-curve-sect409k1-tls12-in-tls13]
-ssl_conf = 34-curve-sect409k1-tls12-in-tls13-ssl
+[39-curve-sect409k1-tls12-in-tls13]
+ssl_conf = 39-curve-sect409k1-tls12-in-tls13-ssl
-[34-curve-sect409k1-tls12-in-tls13-ssl]
-server = 34-curve-sect409k1-tls12-in-tls13-server
-client = 34-curve-sect409k1-tls12-in-tls13-client
+[39-curve-sect409k1-tls12-in-tls13-ssl]
+server = 39-curve-sect409k1-tls12-in-tls13-server
+client = 39-curve-sect409k1-tls12-in-tls13-client
-[34-curve-sect409k1-tls12-in-tls13-server]
+[39-curve-sect409k1-tls12-in-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT@SECLEVEL=1
Curves = sect409k1:P-256
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[34-curve-sect409k1-tls12-in-tls13-client]
+[39-curve-sect409k1-tls12-in-tls13-client]
CipherString = ECDHE@SECLEVEL=1
Curves = sect409k1:P-256
MaxProtocol = TLSv1.3
@@ -1096,7 +1256,7 @@
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-34]
+[test-39]
ExpectedProtocol = TLSv1.3
ExpectedResult = Success
ExpectedTmpKeyType = P-256
@@ -1104,21 +1264,21 @@
# ===========================================================
-[35-curve-sect409r1-tls12-in-tls13]
-ssl_conf = 35-curve-sect409r1-tls12-in-tls13-ssl
+[40-curve-sect409r1-tls12-in-tls13]
+ssl_conf = 40-curve-sect409r1-tls12-in-tls13-ssl
-[35-curve-sect409r1-tls12-in-tls13-ssl]
-server = 35-curve-sect409r1-tls12-in-tls13-server
-client = 35-curve-sect409r1-tls12-in-tls13-client
+[40-curve-sect409r1-tls12-in-tls13-ssl]
+server = 40-curve-sect409r1-tls12-in-tls13-server
+client = 40-curve-sect409r1-tls12-in-tls13-client
-[35-curve-sect409r1-tls12-in-tls13-server]
+[40-curve-sect409r1-tls12-in-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT@SECLEVEL=1
Curves = sect409r1:P-256
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[35-curve-sect409r1-tls12-in-tls13-client]
+[40-curve-sect409r1-tls12-in-tls13-client]
CipherString = ECDHE@SECLEVEL=1
Curves = sect409r1:P-256
MaxProtocol = TLSv1.3
@@ -1126,7 +1286,7 @@
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-35]
+[test-40]
ExpectedProtocol = TLSv1.3
ExpectedResult = Success
ExpectedTmpKeyType = P-256
@@ -1134,21 +1294,21 @@
# ===========================================================
-[36-curve-sect571k1-tls12-in-tls13]
-ssl_conf = 36-curve-sect571k1-tls12-in-tls13-ssl
+[41-curve-sect571k1-tls12-in-tls13]
+ssl_conf = 41-curve-sect571k1-tls12-in-tls13-ssl
-[36-curve-sect571k1-tls12-in-tls13-ssl]
-server = 36-curve-sect571k1-tls12-in-tls13-server
-client = 36-curve-sect571k1-tls12-in-tls13-client
+[41-curve-sect571k1-tls12-in-tls13-ssl]
+server = 41-curve-sect571k1-tls12-in-tls13-server
+client = 41-curve-sect571k1-tls12-in-tls13-client
-[36-curve-sect571k1-tls12-in-tls13-server]
+[41-curve-sect571k1-tls12-in-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT@SECLEVEL=1
Curves = sect571k1:P-256
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[36-curve-sect571k1-tls12-in-tls13-client]
+[41-curve-sect571k1-tls12-in-tls13-client]
CipherString = ECDHE@SECLEVEL=1
Curves = sect571k1:P-256
MaxProtocol = TLSv1.3
@@ -1156,7 +1316,7 @@
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-36]
+[test-41]
ExpectedProtocol = TLSv1.3
ExpectedResult = Success
ExpectedTmpKeyType = P-256
@@ -1164,21 +1324,21 @@
# ===========================================================
-[37-curve-sect571r1-tls12-in-tls13]
-ssl_conf = 37-curve-sect571r1-tls12-in-tls13-ssl
+[42-curve-sect571r1-tls12-in-tls13]
+ssl_conf = 42-curve-sect571r1-tls12-in-tls13-ssl
-[37-curve-sect571r1-tls12-in-tls13-ssl]
-server = 37-curve-sect571r1-tls12-in-tls13-server
-client = 37-curve-sect571r1-tls12-in-tls13-client
+[42-curve-sect571r1-tls12-in-tls13-ssl]
+server = 42-curve-sect571r1-tls12-in-tls13-server
+client = 42-curve-sect571r1-tls12-in-tls13-client
-[37-curve-sect571r1-tls12-in-tls13-server]
+[42-curve-sect571r1-tls12-in-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT@SECLEVEL=1
Curves = sect571r1:P-256
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[37-curve-sect571r1-tls12-in-tls13-client]
+[42-curve-sect571r1-tls12-in-tls13-client]
CipherString = ECDHE@SECLEVEL=1
Curves = sect571r1:P-256
MaxProtocol = TLSv1.3
@@ -1186,7 +1346,7 @@
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-37]
+[test-42]
ExpectedProtocol = TLSv1.3
ExpectedResult = Success
ExpectedTmpKeyType = P-256
@@ -1194,21 +1354,21 @@
# ===========================================================
-[38-curve-secp224r1-tls12-in-tls13]
-ssl_conf = 38-curve-secp224r1-tls12-in-tls13-ssl
+[43-curve-secp224r1-tls12-in-tls13]
+ssl_conf = 43-curve-secp224r1-tls12-in-tls13-ssl
-[38-curve-secp224r1-tls12-in-tls13-ssl]
-server = 38-curve-secp224r1-tls12-in-tls13-server
-client = 38-curve-secp224r1-tls12-in-tls13-client
+[43-curve-secp224r1-tls12-in-tls13-ssl]
+server = 43-curve-secp224r1-tls12-in-tls13-server
+client = 43-curve-secp224r1-tls12-in-tls13-client
-[38-curve-secp224r1-tls12-in-tls13-server]
+[43-curve-secp224r1-tls12-in-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT@SECLEVEL=1
Curves = secp224r1:P-256
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[38-curve-secp224r1-tls12-in-tls13-client]
+[43-curve-secp224r1-tls12-in-tls13-client]
CipherString = ECDHE@SECLEVEL=1
Curves = secp224r1:P-256
MaxProtocol = TLSv1.3
@@ -1216,7 +1376,7 @@
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-38]
+[test-43]
ExpectedProtocol = TLSv1.3
ExpectedResult = Success
ExpectedTmpKeyType = P-256
@@ -1224,21 +1384,21 @@
# ===========================================================
-[39-curve-sect163k1-tls12-in-tls13]
-ssl_conf = 39-curve-sect163k1-tls12-in-tls13-ssl
+[44-curve-sect163k1-tls12-in-tls13]
+ssl_conf = 44-curve-sect163k1-tls12-in-tls13-ssl
-[39-curve-sect163k1-tls12-in-tls13-ssl]
-server = 39-curve-sect163k1-tls12-in-tls13-server
-client = 39-curve-sect163k1-tls12-in-tls13-client
+[44-curve-sect163k1-tls12-in-tls13-ssl]
+server = 44-curve-sect163k1-tls12-in-tls13-server
+client = 44-curve-sect163k1-tls12-in-tls13-client
-[39-curve-sect163k1-tls12-in-tls13-server]
+[44-curve-sect163k1-tls12-in-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT@SECLEVEL=1
Curves = sect163k1:P-256
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[39-curve-sect163k1-tls12-in-tls13-client]
+[44-curve-sect163k1-tls12-in-tls13-client]
CipherString = ECDHE@SECLEVEL=1
Curves = sect163k1:P-256
MaxProtocol = TLSv1.3
@@ -1246,7 +1406,7 @@
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-39]
+[test-44]
ExpectedProtocol = TLSv1.3
ExpectedResult = Success
ExpectedTmpKeyType = P-256
@@ -1254,21 +1414,21 @@
# ===========================================================
-[40-curve-sect163r2-tls12-in-tls13]
-ssl_conf = 40-curve-sect163r2-tls12-in-tls13-ssl
+[45-curve-sect163r2-tls12-in-tls13]
+ssl_conf = 45-curve-sect163r2-tls12-in-tls13-ssl
-[40-curve-sect163r2-tls12-in-tls13-ssl]
-server = 40-curve-sect163r2-tls12-in-tls13-server
-client = 40-curve-sect163r2-tls12-in-tls13-client
+[45-curve-sect163r2-tls12-in-tls13-ssl]
+server = 45-curve-sect163r2-tls12-in-tls13-server
+client = 45-curve-sect163r2-tls12-in-tls13-client
-[40-curve-sect163r2-tls12-in-tls13-server]
+[45-curve-sect163r2-tls12-in-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT@SECLEVEL=1
Curves = sect163r2:P-256
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[40-curve-sect163r2-tls12-in-tls13-client]
+[45-curve-sect163r2-tls12-in-tls13-client]
CipherString = ECDHE@SECLEVEL=1
Curves = sect163r2:P-256
MaxProtocol = TLSv1.3
@@ -1276,7 +1436,7 @@
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-40]
+[test-45]
ExpectedProtocol = TLSv1.3
ExpectedResult = Success
ExpectedTmpKeyType = P-256
@@ -1284,21 +1444,21 @@
# ===========================================================
-[41-curve-prime192v1-tls12-in-tls13]
-ssl_conf = 41-curve-prime192v1-tls12-in-tls13-ssl
+[46-curve-prime192v1-tls12-in-tls13]
+ssl_conf = 46-curve-prime192v1-tls12-in-tls13-ssl
-[41-curve-prime192v1-tls12-in-tls13-ssl]
-server = 41-curve-prime192v1-tls12-in-tls13-server
-client = 41-curve-prime192v1-tls12-in-tls13-client
+[46-curve-prime192v1-tls12-in-tls13-ssl]
+server = 46-curve-prime192v1-tls12-in-tls13-server
+client = 46-curve-prime192v1-tls12-in-tls13-client
-[41-curve-prime192v1-tls12-in-tls13-server]
+[46-curve-prime192v1-tls12-in-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT@SECLEVEL=1
Curves = prime192v1:P-256
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[41-curve-prime192v1-tls12-in-tls13-client]
+[46-curve-prime192v1-tls12-in-tls13-client]
CipherString = ECDHE@SECLEVEL=1
Curves = prime192v1:P-256
MaxProtocol = TLSv1.3
@@ -1306,7 +1466,7 @@
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-41]
+[test-46]
ExpectedProtocol = TLSv1.3
ExpectedResult = Success
ExpectedTmpKeyType = P-256
@@ -1314,21 +1474,21 @@
# ===========================================================
-[42-curve-sect163r1-tls12-in-tls13]
-ssl_conf = 42-curve-sect163r1-tls12-in-tls13-ssl
+[47-curve-sect163r1-tls12-in-tls13]
+ssl_conf = 47-curve-sect163r1-tls12-in-tls13-ssl
-[42-curve-sect163r1-tls12-in-tls13-ssl]
-server = 42-curve-sect163r1-tls12-in-tls13-server
-client = 42-curve-sect163r1-tls12-in-tls13-client
+[47-curve-sect163r1-tls12-in-tls13-ssl]
+server = 47-curve-sect163r1-tls12-in-tls13-server
+client = 47-curve-sect163r1-tls12-in-tls13-client
-[42-curve-sect163r1-tls12-in-tls13-server]
+[47-curve-sect163r1-tls12-in-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT@SECLEVEL=1
Curves = sect163r1:P-256
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[42-curve-sect163r1-tls12-in-tls13-client]
+[47-curve-sect163r1-tls12-in-tls13-client]
CipherString = ECDHE@SECLEVEL=1
Curves = sect163r1:P-256
MaxProtocol = TLSv1.3
@@ -1336,7 +1496,7 @@
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-42]
+[test-47]
ExpectedProtocol = TLSv1.3
ExpectedResult = Success
ExpectedTmpKeyType = P-256
@@ -1344,21 +1504,21 @@
# ===========================================================
-[43-curve-sect193r1-tls12-in-tls13]
-ssl_conf = 43-curve-sect193r1-tls12-in-tls13-ssl
+[48-curve-sect193r1-tls12-in-tls13]
+ssl_conf = 48-curve-sect193r1-tls12-in-tls13-ssl
-[43-curve-sect193r1-tls12-in-tls13-ssl]
-server = 43-curve-sect193r1-tls12-in-tls13-server
-client = 43-curve-sect193r1-tls12-in-tls13-client
+[48-curve-sect193r1-tls12-in-tls13-ssl]
+server = 48-curve-sect193r1-tls12-in-tls13-server
+client = 48-curve-sect193r1-tls12-in-tls13-client
-[43-curve-sect193r1-tls12-in-tls13-server]
+[48-curve-sect193r1-tls12-in-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT@SECLEVEL=1
Curves = sect193r1:P-256
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[43-curve-sect193r1-tls12-in-tls13-client]
+[48-curve-sect193r1-tls12-in-tls13-client]
CipherString = ECDHE@SECLEVEL=1
Curves = sect193r1:P-256
MaxProtocol = TLSv1.3
@@ -1366,7 +1526,7 @@
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-43]
+[test-48]
ExpectedProtocol = TLSv1.3
ExpectedResult = Success
ExpectedTmpKeyType = P-256
@@ -1374,21 +1534,21 @@
# ===========================================================
-[44-curve-sect193r2-tls12-in-tls13]
-ssl_conf = 44-curve-sect193r2-tls12-in-tls13-ssl
+[49-curve-sect193r2-tls12-in-tls13]
+ssl_conf = 49-curve-sect193r2-tls12-in-tls13-ssl
-[44-curve-sect193r2-tls12-in-tls13-ssl]
-server = 44-curve-sect193r2-tls12-in-tls13-server
-client = 44-curve-sect193r2-tls12-in-tls13-client
+[49-curve-sect193r2-tls12-in-tls13-ssl]
+server = 49-curve-sect193r2-tls12-in-tls13-server
+client = 49-curve-sect193r2-tls12-in-tls13-client
-[44-curve-sect193r2-tls12-in-tls13-server]
+[49-curve-sect193r2-tls12-in-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT@SECLEVEL=1
Curves = sect193r2:P-256
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[44-curve-sect193r2-tls12-in-tls13-client]
+[49-curve-sect193r2-tls12-in-tls13-client]
CipherString = ECDHE@SECLEVEL=1
Curves = sect193r2:P-256
MaxProtocol = TLSv1.3
@@ -1396,7 +1556,7 @@
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-44]
+[test-49]
ExpectedProtocol = TLSv1.3
ExpectedResult = Success
ExpectedTmpKeyType = P-256
@@ -1404,21 +1564,21 @@
# ===========================================================
-[45-curve-sect239k1-tls12-in-tls13]
-ssl_conf = 45-curve-sect239k1-tls12-in-tls13-ssl
+[50-curve-sect239k1-tls12-in-tls13]
+ssl_conf = 50-curve-sect239k1-tls12-in-tls13-ssl
-[45-curve-sect239k1-tls12-in-tls13-ssl]
-server = 45-curve-sect239k1-tls12-in-tls13-server
-client = 45-curve-sect239k1-tls12-in-tls13-client
+[50-curve-sect239k1-tls12-in-tls13-ssl]
+server = 50-curve-sect239k1-tls12-in-tls13-server
+client = 50-curve-sect239k1-tls12-in-tls13-client
-[45-curve-sect239k1-tls12-in-tls13-server]
+[50-curve-sect239k1-tls12-in-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT@SECLEVEL=1
Curves = sect239k1:P-256
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[45-curve-sect239k1-tls12-in-tls13-client]
+[50-curve-sect239k1-tls12-in-tls13-client]
CipherString = ECDHE@SECLEVEL=1
Curves = sect239k1:P-256
MaxProtocol = TLSv1.3
@@ -1426,7 +1586,7 @@
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-45]
+[test-50]
ExpectedProtocol = TLSv1.3
ExpectedResult = Success
ExpectedTmpKeyType = P-256
@@ -1434,21 +1594,21 @@
# ===========================================================
-[46-curve-secp160k1-tls12-in-tls13]
-ssl_conf = 46-curve-secp160k1-tls12-in-tls13-ssl
+[51-curve-secp160k1-tls12-in-tls13]
+ssl_conf = 51-curve-secp160k1-tls12-in-tls13-ssl
-[46-curve-secp160k1-tls12-in-tls13-ssl]
-server = 46-curve-secp160k1-tls12-in-tls13-server
-client = 46-curve-secp160k1-tls12-in-tls13-client
+[51-curve-secp160k1-tls12-in-tls13-ssl]
+server = 51-curve-secp160k1-tls12-in-tls13-server
+client = 51-curve-secp160k1-tls12-in-tls13-client
-[46-curve-secp160k1-tls12-in-tls13-server]
+[51-curve-secp160k1-tls12-in-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT@SECLEVEL=1
Curves = secp160k1:P-256
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[46-curve-secp160k1-tls12-in-tls13-client]
+[51-curve-secp160k1-tls12-in-tls13-client]
CipherString = ECDHE@SECLEVEL=1
Curves = secp160k1:P-256
MaxProtocol = TLSv1.3
@@ -1456,7 +1616,7 @@
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-46]
+[test-51]
ExpectedProtocol = TLSv1.3
ExpectedResult = Success
ExpectedTmpKeyType = P-256
@@ -1464,21 +1624,21 @@
# ===========================================================
-[47-curve-secp160r1-tls12-in-tls13]
-ssl_conf = 47-curve-secp160r1-tls12-in-tls13-ssl
+[52-curve-secp160r1-tls12-in-tls13]
+ssl_conf = 52-curve-secp160r1-tls12-in-tls13-ssl
-[47-curve-secp160r1-tls12-in-tls13-ssl]
-server = 47-curve-secp160r1-tls12-in-tls13-server
-client = 47-curve-secp160r1-tls12-in-tls13-client
+[52-curve-secp160r1-tls12-in-tls13-ssl]
+server = 52-curve-secp160r1-tls12-in-tls13-server
+client = 52-curve-secp160r1-tls12-in-tls13-client
-[47-curve-secp160r1-tls12-in-tls13-server]
+[52-curve-secp160r1-tls12-in-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT@SECLEVEL=1
Curves = secp160r1:P-256
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[47-curve-secp160r1-tls12-in-tls13-client]
+[52-curve-secp160r1-tls12-in-tls13-client]
CipherString = ECDHE@SECLEVEL=1
Curves = secp160r1:P-256
MaxProtocol = TLSv1.3
@@ -1486,7 +1646,7 @@
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-47]
+[test-52]
ExpectedProtocol = TLSv1.3
ExpectedResult = Success
ExpectedTmpKeyType = P-256
@@ -1494,21 +1654,21 @@
# ===========================================================
-[48-curve-secp160r2-tls12-in-tls13]
-ssl_conf = 48-curve-secp160r2-tls12-in-tls13-ssl
+[53-curve-secp160r2-tls12-in-tls13]
+ssl_conf = 53-curve-secp160r2-tls12-in-tls13-ssl
-[48-curve-secp160r2-tls12-in-tls13-ssl]
-server = 48-curve-secp160r2-tls12-in-tls13-server
-client = 48-curve-secp160r2-tls12-in-tls13-client
+[53-curve-secp160r2-tls12-in-tls13-ssl]
+server = 53-curve-secp160r2-tls12-in-tls13-server
+client = 53-curve-secp160r2-tls12-in-tls13-client
-[48-curve-secp160r2-tls12-in-tls13-server]
+[53-curve-secp160r2-tls12-in-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT@SECLEVEL=1
Curves = secp160r2:P-256
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[48-curve-secp160r2-tls12-in-tls13-client]
+[53-curve-secp160r2-tls12-in-tls13-client]
CipherString = ECDHE@SECLEVEL=1
Curves = secp160r2:P-256
MaxProtocol = TLSv1.3
@@ -1516,7 +1676,7 @@
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-48]
+[test-53]
ExpectedProtocol = TLSv1.3
ExpectedResult = Success
ExpectedTmpKeyType = P-256
@@ -1524,21 +1684,21 @@
# ===========================================================
-[49-curve-secp192k1-tls12-in-tls13]
-ssl_conf = 49-curve-secp192k1-tls12-in-tls13-ssl
+[54-curve-secp192k1-tls12-in-tls13]
+ssl_conf = 54-curve-secp192k1-tls12-in-tls13-ssl
-[49-curve-secp192k1-tls12-in-tls13-ssl]
-server = 49-curve-secp192k1-tls12-in-tls13-server
-client = 49-curve-secp192k1-tls12-in-tls13-client
+[54-curve-secp192k1-tls12-in-tls13-ssl]
+server = 54-curve-secp192k1-tls12-in-tls13-server
+client = 54-curve-secp192k1-tls12-in-tls13-client
-[49-curve-secp192k1-tls12-in-tls13-server]
+[54-curve-secp192k1-tls12-in-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT@SECLEVEL=1
Curves = secp192k1:P-256
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[49-curve-secp192k1-tls12-in-tls13-client]
+[54-curve-secp192k1-tls12-in-tls13-client]
CipherString = ECDHE@SECLEVEL=1
Curves = secp192k1:P-256
MaxProtocol = TLSv1.3
@@ -1546,7 +1706,7 @@
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-49]
+[test-54]
ExpectedProtocol = TLSv1.3
ExpectedResult = Success
ExpectedTmpKeyType = P-256
@@ -1554,21 +1714,21 @@
# ===========================================================
-[50-curve-secp224k1-tls12-in-tls13]
-ssl_conf = 50-curve-secp224k1-tls12-in-tls13-ssl
+[55-curve-secp224k1-tls12-in-tls13]
+ssl_conf = 55-curve-secp224k1-tls12-in-tls13-ssl
-[50-curve-secp224k1-tls12-in-tls13-ssl]
-server = 50-curve-secp224k1-tls12-in-tls13-server
-client = 50-curve-secp224k1-tls12-in-tls13-client
+[55-curve-secp224k1-tls12-in-tls13-ssl]
+server = 55-curve-secp224k1-tls12-in-tls13-server
+client = 55-curve-secp224k1-tls12-in-tls13-client
-[50-curve-secp224k1-tls12-in-tls13-server]
+[55-curve-secp224k1-tls12-in-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT@SECLEVEL=1
Curves = secp224k1:P-256
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[50-curve-secp224k1-tls12-in-tls13-client]
+[55-curve-secp224k1-tls12-in-tls13-client]
CipherString = ECDHE@SECLEVEL=1
Curves = secp224k1:P-256
MaxProtocol = TLSv1.3
@@ -1576,7 +1736,7 @@
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-50]
+[test-55]
ExpectedProtocol = TLSv1.3
ExpectedResult = Success
ExpectedTmpKeyType = P-256
@@ -1584,21 +1744,21 @@
# ===========================================================
-[51-curve-secp256k1-tls12-in-tls13]
-ssl_conf = 51-curve-secp256k1-tls12-in-tls13-ssl
+[56-curve-secp256k1-tls12-in-tls13]
+ssl_conf = 56-curve-secp256k1-tls12-in-tls13-ssl
-[51-curve-secp256k1-tls12-in-tls13-ssl]
-server = 51-curve-secp256k1-tls12-in-tls13-server
-client = 51-curve-secp256k1-tls12-in-tls13-client
+[56-curve-secp256k1-tls12-in-tls13-ssl]
+server = 56-curve-secp256k1-tls12-in-tls13-server
+client = 56-curve-secp256k1-tls12-in-tls13-client
-[51-curve-secp256k1-tls12-in-tls13-server]
+[56-curve-secp256k1-tls12-in-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT@SECLEVEL=1
Curves = secp256k1:P-256
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[51-curve-secp256k1-tls12-in-tls13-client]
+[56-curve-secp256k1-tls12-in-tls13-client]
CipherString = ECDHE@SECLEVEL=1
Curves = secp256k1:P-256
MaxProtocol = TLSv1.3
@@ -1606,7 +1766,7 @@
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-51]
+[test-56]
ExpectedProtocol = TLSv1.3
ExpectedResult = Success
ExpectedTmpKeyType = P-256
@@ -1614,21 +1774,21 @@
# ===========================================================
-[52-curve-brainpoolP256r1-tls12-in-tls13]
-ssl_conf = 52-curve-brainpoolP256r1-tls12-in-tls13-ssl
+[57-curve-brainpoolP256r1-tls12-in-tls13]
+ssl_conf = 57-curve-brainpoolP256r1-tls12-in-tls13-ssl
-[52-curve-brainpoolP256r1-tls12-in-tls13-ssl]
-server = 52-curve-brainpoolP256r1-tls12-in-tls13-server
-client = 52-curve-brainpoolP256r1-tls12-in-tls13-client
+[57-curve-brainpoolP256r1-tls12-in-tls13-ssl]
+server = 57-curve-brainpoolP256r1-tls12-in-tls13-server
+client = 57-curve-brainpoolP256r1-tls12-in-tls13-client
-[52-curve-brainpoolP256r1-tls12-in-tls13-server]
+[57-curve-brainpoolP256r1-tls12-in-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT@SECLEVEL=1
Curves = brainpoolP256r1:P-256
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[52-curve-brainpoolP256r1-tls12-in-tls13-client]
+[57-curve-brainpoolP256r1-tls12-in-tls13-client]
CipherString = ECDHE@SECLEVEL=1
Curves = brainpoolP256r1:P-256
MaxProtocol = TLSv1.3
@@ -1636,7 +1796,7 @@
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-52]
+[test-57]
ExpectedProtocol = TLSv1.3
ExpectedResult = Success
ExpectedTmpKeyType = P-256
@@ -1644,21 +1804,21 @@
# ===========================================================
-[53-curve-brainpoolP384r1-tls12-in-tls13]
-ssl_conf = 53-curve-brainpoolP384r1-tls12-in-tls13-ssl
+[58-curve-brainpoolP384r1-tls12-in-tls13]
+ssl_conf = 58-curve-brainpoolP384r1-tls12-in-tls13-ssl
-[53-curve-brainpoolP384r1-tls12-in-tls13-ssl]
-server = 53-curve-brainpoolP384r1-tls12-in-tls13-server
-client = 53-curve-brainpoolP384r1-tls12-in-tls13-client
+[58-curve-brainpoolP384r1-tls12-in-tls13-ssl]
+server = 58-curve-brainpoolP384r1-tls12-in-tls13-server
+client = 58-curve-brainpoolP384r1-tls12-in-tls13-client
-[53-curve-brainpoolP384r1-tls12-in-tls13-server]
+[58-curve-brainpoolP384r1-tls12-in-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT@SECLEVEL=1
Curves = brainpoolP384r1:P-256
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[53-curve-brainpoolP384r1-tls12-in-tls13-client]
+[58-curve-brainpoolP384r1-tls12-in-tls13-client]
CipherString = ECDHE@SECLEVEL=1
Curves = brainpoolP384r1:P-256
MaxProtocol = TLSv1.3
@@ -1666,7 +1826,7 @@
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-53]
+[test-58]
ExpectedProtocol = TLSv1.3
ExpectedResult = Success
ExpectedTmpKeyType = P-256
@@ -1674,21 +1834,21 @@
# ===========================================================
-[54-curve-brainpoolP512r1-tls12-in-tls13]
-ssl_conf = 54-curve-brainpoolP512r1-tls12-in-tls13-ssl
+[59-curve-brainpoolP512r1-tls12-in-tls13]
+ssl_conf = 59-curve-brainpoolP512r1-tls12-in-tls13-ssl
-[54-curve-brainpoolP512r1-tls12-in-tls13-ssl]
-server = 54-curve-brainpoolP512r1-tls12-in-tls13-server
-client = 54-curve-brainpoolP512r1-tls12-in-tls13-client
+[59-curve-brainpoolP512r1-tls12-in-tls13-ssl]
+server = 59-curve-brainpoolP512r1-tls12-in-tls13-server
+client = 59-curve-brainpoolP512r1-tls12-in-tls13-client
-[54-curve-brainpoolP512r1-tls12-in-tls13-server]
+[59-curve-brainpoolP512r1-tls12-in-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT@SECLEVEL=1
Curves = brainpoolP512r1:P-256
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[54-curve-brainpoolP512r1-tls12-in-tls13-client]
+[59-curve-brainpoolP512r1-tls12-in-tls13-client]
CipherString = ECDHE@SECLEVEL=1
Curves = brainpoolP512r1:P-256
MaxProtocol = TLSv1.3
@@ -1696,7 +1856,7 @@
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-54]
+[test-59]
ExpectedProtocol = TLSv1.3
ExpectedResult = Success
ExpectedTmpKeyType = P-256
@@ -1704,676 +1864,946 @@
# ===========================================================
-[55-curve-sect233k1-tls13]
-ssl_conf = 55-curve-sect233k1-tls13-ssl
+[60-curve-sect233k1-tls13]
+ssl_conf = 60-curve-sect233k1-tls13-ssl
-[55-curve-sect233k1-tls13-ssl]
-server = 55-curve-sect233k1-tls13-server
-client = 55-curve-sect233k1-tls13-client
+[60-curve-sect233k1-tls13-ssl]
+server = 60-curve-sect233k1-tls13-server
+client = 60-curve-sect233k1-tls13-client
-[55-curve-sect233k1-tls13-server]
+[60-curve-sect233k1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
Curves = sect233k1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[55-curve-sect233k1-tls13-client]
+[60-curve-sect233k1-tls13-client]
CipherString = ECDHE
Curves = sect233k1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-55]
+[test-60]
ExpectedResult = ClientFail
# ===========================================================
-[56-curve-sect233r1-tls13]
-ssl_conf = 56-curve-sect233r1-tls13-ssl
+[61-curve-sect233r1-tls13]
+ssl_conf = 61-curve-sect233r1-tls13-ssl
-[56-curve-sect233r1-tls13-ssl]
-server = 56-curve-sect233r1-tls13-server
-client = 56-curve-sect233r1-tls13-client
+[61-curve-sect233r1-tls13-ssl]
+server = 61-curve-sect233r1-tls13-server
+client = 61-curve-sect233r1-tls13-client
-[56-curve-sect233r1-tls13-server]
+[61-curve-sect233r1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
Curves = sect233r1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[56-curve-sect233r1-tls13-client]
+[61-curve-sect233r1-tls13-client]
CipherString = ECDHE
Curves = sect233r1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-56]
+[test-61]
ExpectedResult = ClientFail
# ===========================================================
-[57-curve-sect283k1-tls13]
-ssl_conf = 57-curve-sect283k1-tls13-ssl
+[62-curve-sect283k1-tls13]
+ssl_conf = 62-curve-sect283k1-tls13-ssl
-[57-curve-sect283k1-tls13-ssl]
-server = 57-curve-sect283k1-tls13-server
-client = 57-curve-sect283k1-tls13-client
+[62-curve-sect283k1-tls13-ssl]
+server = 62-curve-sect283k1-tls13-server
+client = 62-curve-sect283k1-tls13-client
-[57-curve-sect283k1-tls13-server]
+[62-curve-sect283k1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
Curves = sect283k1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[57-curve-sect283k1-tls13-client]
+[62-curve-sect283k1-tls13-client]
CipherString = ECDHE
Curves = sect283k1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-57]
+[test-62]
ExpectedResult = ClientFail
# ===========================================================
-[58-curve-sect283r1-tls13]
-ssl_conf = 58-curve-sect283r1-tls13-ssl
+[63-curve-sect283r1-tls13]
+ssl_conf = 63-curve-sect283r1-tls13-ssl
-[58-curve-sect283r1-tls13-ssl]
-server = 58-curve-sect283r1-tls13-server
-client = 58-curve-sect283r1-tls13-client
+[63-curve-sect283r1-tls13-ssl]
+server = 63-curve-sect283r1-tls13-server
+client = 63-curve-sect283r1-tls13-client
-[58-curve-sect283r1-tls13-server]
+[63-curve-sect283r1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
Curves = sect283r1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[58-curve-sect283r1-tls13-client]
+[63-curve-sect283r1-tls13-client]
CipherString = ECDHE
Curves = sect283r1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-58]
+[test-63]
ExpectedResult = ClientFail
# ===========================================================
-[59-curve-sect409k1-tls13]
-ssl_conf = 59-curve-sect409k1-tls13-ssl
+[64-curve-sect409k1-tls13]
+ssl_conf = 64-curve-sect409k1-tls13-ssl
-[59-curve-sect409k1-tls13-ssl]
-server = 59-curve-sect409k1-tls13-server
-client = 59-curve-sect409k1-tls13-client
+[64-curve-sect409k1-tls13-ssl]
+server = 64-curve-sect409k1-tls13-server
+client = 64-curve-sect409k1-tls13-client
-[59-curve-sect409k1-tls13-server]
+[64-curve-sect409k1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
Curves = sect409k1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[59-curve-sect409k1-tls13-client]
+[64-curve-sect409k1-tls13-client]
CipherString = ECDHE
Curves = sect409k1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-59]
+[test-64]
ExpectedResult = ClientFail
# ===========================================================
-[60-curve-sect409r1-tls13]
-ssl_conf = 60-curve-sect409r1-tls13-ssl
+[65-curve-sect409r1-tls13]
+ssl_conf = 65-curve-sect409r1-tls13-ssl
-[60-curve-sect409r1-tls13-ssl]
-server = 60-curve-sect409r1-tls13-server
-client = 60-curve-sect409r1-tls13-client
+[65-curve-sect409r1-tls13-ssl]
+server = 65-curve-sect409r1-tls13-server
+client = 65-curve-sect409r1-tls13-client
-[60-curve-sect409r1-tls13-server]
+[65-curve-sect409r1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
Curves = sect409r1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[60-curve-sect409r1-tls13-client]
+[65-curve-sect409r1-tls13-client]
CipherString = ECDHE
Curves = sect409r1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-60]
+[test-65]
ExpectedResult = ClientFail
# ===========================================================
-[61-curve-sect571k1-tls13]
-ssl_conf = 61-curve-sect571k1-tls13-ssl
+[66-curve-sect571k1-tls13]
+ssl_conf = 66-curve-sect571k1-tls13-ssl
-[61-curve-sect571k1-tls13-ssl]
-server = 61-curve-sect571k1-tls13-server
-client = 61-curve-sect571k1-tls13-client
+[66-curve-sect571k1-tls13-ssl]
+server = 66-curve-sect571k1-tls13-server
+client = 66-curve-sect571k1-tls13-client
-[61-curve-sect571k1-tls13-server]
+[66-curve-sect571k1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
Curves = sect571k1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[61-curve-sect571k1-tls13-client]
+[66-curve-sect571k1-tls13-client]
CipherString = ECDHE
Curves = sect571k1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-61]
+[test-66]
ExpectedResult = ClientFail
# ===========================================================
-[62-curve-sect571r1-tls13]
-ssl_conf = 62-curve-sect571r1-tls13-ssl
+[67-curve-sect571r1-tls13]
+ssl_conf = 67-curve-sect571r1-tls13-ssl
-[62-curve-sect571r1-tls13-ssl]
-server = 62-curve-sect571r1-tls13-server
-client = 62-curve-sect571r1-tls13-client
+[67-curve-sect571r1-tls13-ssl]
+server = 67-curve-sect571r1-tls13-server
+client = 67-curve-sect571r1-tls13-client
-[62-curve-sect571r1-tls13-server]
+[67-curve-sect571r1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
Curves = sect571r1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[62-curve-sect571r1-tls13-client]
+[67-curve-sect571r1-tls13-client]
CipherString = ECDHE
Curves = sect571r1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-62]
+[test-67]
ExpectedResult = ClientFail
# ===========================================================
-[63-curve-secp224r1-tls13]
-ssl_conf = 63-curve-secp224r1-tls13-ssl
+[68-curve-secp224r1-tls13]
+ssl_conf = 68-curve-secp224r1-tls13-ssl
-[63-curve-secp224r1-tls13-ssl]
-server = 63-curve-secp224r1-tls13-server
-client = 63-curve-secp224r1-tls13-client
+[68-curve-secp224r1-tls13-ssl]
+server = 68-curve-secp224r1-tls13-server
+client = 68-curve-secp224r1-tls13-client
-[63-curve-secp224r1-tls13-server]
+[68-curve-secp224r1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
Curves = secp224r1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[63-curve-secp224r1-tls13-client]
+[68-curve-secp224r1-tls13-client]
CipherString = ECDHE
Curves = secp224r1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-63]
+[test-68]
ExpectedResult = ClientFail
# ===========================================================
-[64-curve-sect163k1-tls13]
-ssl_conf = 64-curve-sect163k1-tls13-ssl
+[69-curve-sect163k1-tls13]
+ssl_conf = 69-curve-sect163k1-tls13-ssl
-[64-curve-sect163k1-tls13-ssl]
-server = 64-curve-sect163k1-tls13-server
-client = 64-curve-sect163k1-tls13-client
+[69-curve-sect163k1-tls13-ssl]
+server = 69-curve-sect163k1-tls13-server
+client = 69-curve-sect163k1-tls13-client
-[64-curve-sect163k1-tls13-server]
+[69-curve-sect163k1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
Curves = sect163k1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[64-curve-sect163k1-tls13-client]
+[69-curve-sect163k1-tls13-client]
CipherString = ECDHE
Curves = sect163k1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-64]
+[test-69]
ExpectedResult = ClientFail
# ===========================================================
-[65-curve-sect163r2-tls13]
-ssl_conf = 65-curve-sect163r2-tls13-ssl
+[70-curve-sect163r2-tls13]
+ssl_conf = 70-curve-sect163r2-tls13-ssl
-[65-curve-sect163r2-tls13-ssl]
-server = 65-curve-sect163r2-tls13-server
-client = 65-curve-sect163r2-tls13-client
+[70-curve-sect163r2-tls13-ssl]
+server = 70-curve-sect163r2-tls13-server
+client = 70-curve-sect163r2-tls13-client
-[65-curve-sect163r2-tls13-server]
+[70-curve-sect163r2-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
Curves = sect163r2
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[65-curve-sect163r2-tls13-client]
+[70-curve-sect163r2-tls13-client]
CipherString = ECDHE
Curves = sect163r2
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-65]
+[test-70]
ExpectedResult = ClientFail
# ===========================================================
-[66-curve-prime192v1-tls13]
-ssl_conf = 66-curve-prime192v1-tls13-ssl
+[71-curve-prime192v1-tls13]
+ssl_conf = 71-curve-prime192v1-tls13-ssl
-[66-curve-prime192v1-tls13-ssl]
-server = 66-curve-prime192v1-tls13-server
-client = 66-curve-prime192v1-tls13-client
+[71-curve-prime192v1-tls13-ssl]
+server = 71-curve-prime192v1-tls13-server
+client = 71-curve-prime192v1-tls13-client
-[66-curve-prime192v1-tls13-server]
+[71-curve-prime192v1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
Curves = prime192v1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[66-curve-prime192v1-tls13-client]
+[71-curve-prime192v1-tls13-client]
CipherString = ECDHE
Curves = prime192v1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-66]
+[test-71]
ExpectedResult = ClientFail
# ===========================================================
-[67-curve-sect163r1-tls13]
-ssl_conf = 67-curve-sect163r1-tls13-ssl
+[72-curve-sect163r1-tls13]
+ssl_conf = 72-curve-sect163r1-tls13-ssl
-[67-curve-sect163r1-tls13-ssl]
-server = 67-curve-sect163r1-tls13-server
-client = 67-curve-sect163r1-tls13-client
+[72-curve-sect163r1-tls13-ssl]
+server = 72-curve-sect163r1-tls13-server
+client = 72-curve-sect163r1-tls13-client
-[67-curve-sect163r1-tls13-server]
+[72-curve-sect163r1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
Curves = sect163r1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[67-curve-sect163r1-tls13-client]
+[72-curve-sect163r1-tls13-client]
CipherString = ECDHE
Curves = sect163r1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-67]
+[test-72]
ExpectedResult = ClientFail
# ===========================================================
-[68-curve-sect193r1-tls13]
-ssl_conf = 68-curve-sect193r1-tls13-ssl
+[73-curve-sect193r1-tls13]
+ssl_conf = 73-curve-sect193r1-tls13-ssl
-[68-curve-sect193r1-tls13-ssl]
-server = 68-curve-sect193r1-tls13-server
-client = 68-curve-sect193r1-tls13-client
+[73-curve-sect193r1-tls13-ssl]
+server = 73-curve-sect193r1-tls13-server
+client = 73-curve-sect193r1-tls13-client
-[68-curve-sect193r1-tls13-server]
+[73-curve-sect193r1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
Curves = sect193r1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[68-curve-sect193r1-tls13-client]
+[73-curve-sect193r1-tls13-client]
CipherString = ECDHE
Curves = sect193r1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-68]
+[test-73]
ExpectedResult = ClientFail
# ===========================================================
-[69-curve-sect193r2-tls13]
-ssl_conf = 69-curve-sect193r2-tls13-ssl
+[74-curve-sect193r2-tls13]
+ssl_conf = 74-curve-sect193r2-tls13-ssl
-[69-curve-sect193r2-tls13-ssl]
-server = 69-curve-sect193r2-tls13-server
-client = 69-curve-sect193r2-tls13-client
+[74-curve-sect193r2-tls13-ssl]
+server = 74-curve-sect193r2-tls13-server
+client = 74-curve-sect193r2-tls13-client
-[69-curve-sect193r2-tls13-server]
+[74-curve-sect193r2-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
Curves = sect193r2
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[69-curve-sect193r2-tls13-client]
+[74-curve-sect193r2-tls13-client]
CipherString = ECDHE
Curves = sect193r2
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-69]
+[test-74]
ExpectedResult = ClientFail
# ===========================================================
-[70-curve-sect239k1-tls13]
-ssl_conf = 70-curve-sect239k1-tls13-ssl
+[75-curve-sect239k1-tls13]
+ssl_conf = 75-curve-sect239k1-tls13-ssl
-[70-curve-sect239k1-tls13-ssl]
-server = 70-curve-sect239k1-tls13-server
-client = 70-curve-sect239k1-tls13-client
+[75-curve-sect239k1-tls13-ssl]
+server = 75-curve-sect239k1-tls13-server
+client = 75-curve-sect239k1-tls13-client
-[70-curve-sect239k1-tls13-server]
+[75-curve-sect239k1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
Curves = sect239k1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[70-curve-sect239k1-tls13-client]
+[75-curve-sect239k1-tls13-client]
CipherString = ECDHE
Curves = sect239k1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-70]
+[test-75]
ExpectedResult = ClientFail
# ===========================================================
-[71-curve-secp160k1-tls13]
-ssl_conf = 71-curve-secp160k1-tls13-ssl
+[76-curve-secp160k1-tls13]
+ssl_conf = 76-curve-secp160k1-tls13-ssl
-[71-curve-secp160k1-tls13-ssl]
-server = 71-curve-secp160k1-tls13-server
-client = 71-curve-secp160k1-tls13-client
+[76-curve-secp160k1-tls13-ssl]
+server = 76-curve-secp160k1-tls13-server
+client = 76-curve-secp160k1-tls13-client
-[71-curve-secp160k1-tls13-server]
+[76-curve-secp160k1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
Curves = secp160k1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[71-curve-secp160k1-tls13-client]
+[76-curve-secp160k1-tls13-client]
CipherString = ECDHE
Curves = secp160k1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-71]
+[test-76]
ExpectedResult = ClientFail
# ===========================================================
-[72-curve-secp160r1-tls13]
-ssl_conf = 72-curve-secp160r1-tls13-ssl
+[77-curve-secp160r1-tls13]
+ssl_conf = 77-curve-secp160r1-tls13-ssl
-[72-curve-secp160r1-tls13-ssl]
-server = 72-curve-secp160r1-tls13-server
-client = 72-curve-secp160r1-tls13-client
+[77-curve-secp160r1-tls13-ssl]
+server = 77-curve-secp160r1-tls13-server
+client = 77-curve-secp160r1-tls13-client
-[72-curve-secp160r1-tls13-server]
+[77-curve-secp160r1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
Curves = secp160r1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[72-curve-secp160r1-tls13-client]
+[77-curve-secp160r1-tls13-client]
CipherString = ECDHE
Curves = secp160r1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-72]
+[test-77]
ExpectedResult = ClientFail
# ===========================================================
-[73-curve-secp160r2-tls13]
-ssl_conf = 73-curve-secp160r2-tls13-ssl
+[78-curve-secp160r2-tls13]
+ssl_conf = 78-curve-secp160r2-tls13-ssl
-[73-curve-secp160r2-tls13-ssl]
-server = 73-curve-secp160r2-tls13-server
-client = 73-curve-secp160r2-tls13-client
+[78-curve-secp160r2-tls13-ssl]
+server = 78-curve-secp160r2-tls13-server
+client = 78-curve-secp160r2-tls13-client
-[73-curve-secp160r2-tls13-server]
+[78-curve-secp160r2-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
Curves = secp160r2
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[73-curve-secp160r2-tls13-client]
+[78-curve-secp160r2-tls13-client]
CipherString = ECDHE
Curves = secp160r2
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-73]
+[test-78]
ExpectedResult = ClientFail
# ===========================================================
-[74-curve-secp192k1-tls13]
-ssl_conf = 74-curve-secp192k1-tls13-ssl
+[79-curve-secp192k1-tls13]
+ssl_conf = 79-curve-secp192k1-tls13-ssl
-[74-curve-secp192k1-tls13-ssl]
-server = 74-curve-secp192k1-tls13-server
-client = 74-curve-secp192k1-tls13-client
+[79-curve-secp192k1-tls13-ssl]
+server = 79-curve-secp192k1-tls13-server
+client = 79-curve-secp192k1-tls13-client
-[74-curve-secp192k1-tls13-server]
+[79-curve-secp192k1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
Curves = secp192k1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[74-curve-secp192k1-tls13-client]
+[79-curve-secp192k1-tls13-client]
CipherString = ECDHE
Curves = secp192k1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-74]
+[test-79]
ExpectedResult = ClientFail
# ===========================================================
-[75-curve-secp224k1-tls13]
-ssl_conf = 75-curve-secp224k1-tls13-ssl
+[80-curve-secp224k1-tls13]
+ssl_conf = 80-curve-secp224k1-tls13-ssl
-[75-curve-secp224k1-tls13-ssl]
-server = 75-curve-secp224k1-tls13-server
-client = 75-curve-secp224k1-tls13-client
+[80-curve-secp224k1-tls13-ssl]
+server = 80-curve-secp224k1-tls13-server
+client = 80-curve-secp224k1-tls13-client
-[75-curve-secp224k1-tls13-server]
+[80-curve-secp224k1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
Curves = secp224k1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[75-curve-secp224k1-tls13-client]
+[80-curve-secp224k1-tls13-client]
CipherString = ECDHE
Curves = secp224k1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-75]
+[test-80]
ExpectedResult = ClientFail
# ===========================================================
-[76-curve-secp256k1-tls13]
-ssl_conf = 76-curve-secp256k1-tls13-ssl
+[81-curve-secp256k1-tls13]
+ssl_conf = 81-curve-secp256k1-tls13-ssl
-[76-curve-secp256k1-tls13-ssl]
-server = 76-curve-secp256k1-tls13-server
-client = 76-curve-secp256k1-tls13-client
+[81-curve-secp256k1-tls13-ssl]
+server = 81-curve-secp256k1-tls13-server
+client = 81-curve-secp256k1-tls13-client
-[76-curve-secp256k1-tls13-server]
+[81-curve-secp256k1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
Curves = secp256k1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[76-curve-secp256k1-tls13-client]
+[81-curve-secp256k1-tls13-client]
CipherString = ECDHE
Curves = secp256k1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-76]
+[test-81]
ExpectedResult = ClientFail
# ===========================================================
-[77-curve-brainpoolP256r1-tls13]
-ssl_conf = 77-curve-brainpoolP256r1-tls13-ssl
+[82-curve-brainpoolP256r1-tls13]
+ssl_conf = 82-curve-brainpoolP256r1-tls13-ssl
-[77-curve-brainpoolP256r1-tls13-ssl]
-server = 77-curve-brainpoolP256r1-tls13-server
-client = 77-curve-brainpoolP256r1-tls13-client
+[82-curve-brainpoolP256r1-tls13-ssl]
+server = 82-curve-brainpoolP256r1-tls13-server
+client = 82-curve-brainpoolP256r1-tls13-client
-[77-curve-brainpoolP256r1-tls13-server]
+[82-curve-brainpoolP256r1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
Curves = brainpoolP256r1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[77-curve-brainpoolP256r1-tls13-client]
+[82-curve-brainpoolP256r1-tls13-client]
CipherString = ECDHE
Curves = brainpoolP256r1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-77]
+[test-82]
ExpectedResult = ClientFail
# ===========================================================
-[78-curve-brainpoolP384r1-tls13]
-ssl_conf = 78-curve-brainpoolP384r1-tls13-ssl
+[83-curve-brainpoolP384r1-tls13]
+ssl_conf = 83-curve-brainpoolP384r1-tls13-ssl
-[78-curve-brainpoolP384r1-tls13-ssl]
-server = 78-curve-brainpoolP384r1-tls13-server
-client = 78-curve-brainpoolP384r1-tls13-client
+[83-curve-brainpoolP384r1-tls13-ssl]
+server = 83-curve-brainpoolP384r1-tls13-server
+client = 83-curve-brainpoolP384r1-tls13-client
-[78-curve-brainpoolP384r1-tls13-server]
+[83-curve-brainpoolP384r1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
Curves = brainpoolP384r1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[78-curve-brainpoolP384r1-tls13-client]
+[83-curve-brainpoolP384r1-tls13-client]
CipherString = ECDHE
Curves = brainpoolP384r1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-78]
+[test-83]
ExpectedResult = ClientFail
# ===========================================================
-[79-curve-brainpoolP512r1-tls13]
-ssl_conf = 79-curve-brainpoolP512r1-tls13-ssl
+[84-curve-brainpoolP512r1-tls13]
+ssl_conf = 84-curve-brainpoolP512r1-tls13-ssl
-[79-curve-brainpoolP512r1-tls13-ssl]
-server = 79-curve-brainpoolP512r1-tls13-server
-client = 79-curve-brainpoolP512r1-tls13-client
+[84-curve-brainpoolP512r1-tls13-ssl]
+server = 84-curve-brainpoolP512r1-tls13-server
+client = 84-curve-brainpoolP512r1-tls13-client
-[79-curve-brainpoolP512r1-tls13-server]
+[84-curve-brainpoolP512r1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
Curves = brainpoolP512r1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[79-curve-brainpoolP512r1-tls13-client]
+[84-curve-brainpoolP512r1-tls13-client]
CipherString = ECDHE
Curves = brainpoolP512r1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-79]
+[test-84]
ExpectedResult = ClientFail
+# ===========================================================
+
+[85-curve-ffdhe2048-tls13-in-tls12]
+ssl_conf = 85-curve-ffdhe2048-tls13-in-tls12-ssl
+
+[85-curve-ffdhe2048-tls13-in-tls12-ssl]
+server = 85-curve-ffdhe2048-tls13-in-tls12-server
+client = 85-curve-ffdhe2048-tls13-in-tls12-client
+
+[85-curve-ffdhe2048-tls13-in-tls12-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT@SECLEVEL=1
+Curves = ffdhe2048
+MaxProtocol = TLSv1.3
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[85-curve-ffdhe2048-tls13-in-tls12-client]
+CipherString = ECDHE@SECLEVEL=1
+Curves = ffdhe2048
+MaxProtocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-85]
+ExpectedResult = ServerFail
+
+
+# ===========================================================
+
+[86-curve-ffdhe2048-tls13-in-tls12-2]
+ssl_conf = 86-curve-ffdhe2048-tls13-in-tls12-2-ssl
+
+[86-curve-ffdhe2048-tls13-in-tls12-2-ssl]
+server = 86-curve-ffdhe2048-tls13-in-tls12-2-server
+client = 86-curve-ffdhe2048-tls13-in-tls12-2-client
+
+[86-curve-ffdhe2048-tls13-in-tls12-2-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT@SECLEVEL=1
+Curves = ffdhe2048
+MaxProtocol = TLSv1.2
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[86-curve-ffdhe2048-tls13-in-tls12-2-client]
+CipherString = DEFAULT@SECLEVEL=1
+Curves = ffdhe2048
+MaxProtocol = TLSv1.3
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-86]
+ExpectedResult = Success
+
+
+# ===========================================================
+
+[87-curve-ffdhe3072-tls13-in-tls12]
+ssl_conf = 87-curve-ffdhe3072-tls13-in-tls12-ssl
+
+[87-curve-ffdhe3072-tls13-in-tls12-ssl]
+server = 87-curve-ffdhe3072-tls13-in-tls12-server
+client = 87-curve-ffdhe3072-tls13-in-tls12-client
+
+[87-curve-ffdhe3072-tls13-in-tls12-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT@SECLEVEL=1
+Curves = ffdhe3072
+MaxProtocol = TLSv1.3
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[87-curve-ffdhe3072-tls13-in-tls12-client]
+CipherString = ECDHE@SECLEVEL=1
+Curves = ffdhe3072
+MaxProtocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-87]
+ExpectedResult = ServerFail
+
+
+# ===========================================================
+
+[88-curve-ffdhe3072-tls13-in-tls12-2]
+ssl_conf = 88-curve-ffdhe3072-tls13-in-tls12-2-ssl
+
+[88-curve-ffdhe3072-tls13-in-tls12-2-ssl]
+server = 88-curve-ffdhe3072-tls13-in-tls12-2-server
+client = 88-curve-ffdhe3072-tls13-in-tls12-2-client
+
+[88-curve-ffdhe3072-tls13-in-tls12-2-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT@SECLEVEL=1
+Curves = ffdhe3072
+MaxProtocol = TLSv1.2
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[88-curve-ffdhe3072-tls13-in-tls12-2-client]
+CipherString = DEFAULT@SECLEVEL=1
+Curves = ffdhe3072
+MaxProtocol = TLSv1.3
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-88]
+ExpectedResult = Success
+
+
+# ===========================================================
+
+[89-curve-ffdhe4096-tls13-in-tls12]
+ssl_conf = 89-curve-ffdhe4096-tls13-in-tls12-ssl
+
+[89-curve-ffdhe4096-tls13-in-tls12-ssl]
+server = 89-curve-ffdhe4096-tls13-in-tls12-server
+client = 89-curve-ffdhe4096-tls13-in-tls12-client
+
+[89-curve-ffdhe4096-tls13-in-tls12-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT@SECLEVEL=1
+Curves = ffdhe4096
+MaxProtocol = TLSv1.3
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[89-curve-ffdhe4096-tls13-in-tls12-client]
+CipherString = ECDHE@SECLEVEL=1
+Curves = ffdhe4096
+MaxProtocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-89]
+ExpectedResult = ServerFail
+
+
+# ===========================================================
+
+[90-curve-ffdhe4096-tls13-in-tls12-2]
+ssl_conf = 90-curve-ffdhe4096-tls13-in-tls12-2-ssl
+
+[90-curve-ffdhe4096-tls13-in-tls12-2-ssl]
+server = 90-curve-ffdhe4096-tls13-in-tls12-2-server
+client = 90-curve-ffdhe4096-tls13-in-tls12-2-client
+
+[90-curve-ffdhe4096-tls13-in-tls12-2-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT@SECLEVEL=1
+Curves = ffdhe4096
+MaxProtocol = TLSv1.2
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[90-curve-ffdhe4096-tls13-in-tls12-2-client]
+CipherString = DEFAULT@SECLEVEL=1
+Curves = ffdhe4096
+MaxProtocol = TLSv1.3
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-90]
+ExpectedResult = Success
+
+
+# ===========================================================
+
+[91-curve-ffdhe6144-tls13-in-tls12]
+ssl_conf = 91-curve-ffdhe6144-tls13-in-tls12-ssl
+
+[91-curve-ffdhe6144-tls13-in-tls12-ssl]
+server = 91-curve-ffdhe6144-tls13-in-tls12-server
+client = 91-curve-ffdhe6144-tls13-in-tls12-client
+
+[91-curve-ffdhe6144-tls13-in-tls12-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT@SECLEVEL=1
+Curves = ffdhe6144
+MaxProtocol = TLSv1.3
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[91-curve-ffdhe6144-tls13-in-tls12-client]
+CipherString = ECDHE@SECLEVEL=1
+Curves = ffdhe6144
+MaxProtocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-91]
+ExpectedResult = ServerFail
+
+
+# ===========================================================
+
+[92-curve-ffdhe6144-tls13-in-tls12-2]
+ssl_conf = 92-curve-ffdhe6144-tls13-in-tls12-2-ssl
+
+[92-curve-ffdhe6144-tls13-in-tls12-2-ssl]
+server = 92-curve-ffdhe6144-tls13-in-tls12-2-server
+client = 92-curve-ffdhe6144-tls13-in-tls12-2-client
+
+[92-curve-ffdhe6144-tls13-in-tls12-2-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT@SECLEVEL=1
+Curves = ffdhe6144
+MaxProtocol = TLSv1.2
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[92-curve-ffdhe6144-tls13-in-tls12-2-client]
+CipherString = DEFAULT@SECLEVEL=1
+Curves = ffdhe6144
+MaxProtocol = TLSv1.3
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-92]
+ExpectedResult = Success
+
+
+# ===========================================================
+
+[93-curve-ffdhe8192-tls13-in-tls12]
+ssl_conf = 93-curve-ffdhe8192-tls13-in-tls12-ssl
+
+[93-curve-ffdhe8192-tls13-in-tls12-ssl]
+server = 93-curve-ffdhe8192-tls13-in-tls12-server
+client = 93-curve-ffdhe8192-tls13-in-tls12-client
+
+[93-curve-ffdhe8192-tls13-in-tls12-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT@SECLEVEL=1
+Curves = ffdhe8192
+MaxProtocol = TLSv1.3
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[93-curve-ffdhe8192-tls13-in-tls12-client]
+CipherString = ECDHE@SECLEVEL=1
+Curves = ffdhe8192
+MaxProtocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-93]
+ExpectedResult = ServerFail
+
+
+# ===========================================================
+
+[94-curve-ffdhe8192-tls13-in-tls12-2]
+ssl_conf = 94-curve-ffdhe8192-tls13-in-tls12-2-ssl
+
+[94-curve-ffdhe8192-tls13-in-tls12-2-ssl]
+server = 94-curve-ffdhe8192-tls13-in-tls12-2-server
+client = 94-curve-ffdhe8192-tls13-in-tls12-2-client
+
+[94-curve-ffdhe8192-tls13-in-tls12-2-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT@SECLEVEL=1
+Curves = ffdhe8192
+MaxProtocol = TLSv1.2
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[94-curve-ffdhe8192-tls13-in-tls12-2-client]
+CipherString = DEFAULT@SECLEVEL=1
+Curves = ffdhe8192
+MaxProtocol = TLSv1.3
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-94]
+ExpectedResult = Success
+
+
diff -Nru openssl-3.0.9/test/ssl-tests/14-curves.cnf.in openssl-3.0.10/test/ssl-tests/14-curves.cnf.in
--- openssl-3.0.9/test/ssl-tests/14-curves.cnf.in 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/test/ssl-tests/14-curves.cnf.in 2023-08-01 15:47:24.000000000 +0200
@@ -15,6 +15,12 @@
my @curves = ("prime256v1", "secp384r1", "secp521r1", "X25519",
"X448");
+#Curves *only* suitable for use in TLSv1.3
+my @curves_tls_1_3 = ("ffdhe2048", "ffdhe3072", "ffdhe4096", "ffdhe6144",
+ "ffdhe8192");
+
+push @curves, @curves_tls_1_3;
+
my @curves_tls_1_2 = ("sect233k1", "sect233r1",
"sect283k1", "sect283r1", "sect409k1", "sect409r1",
"sect571k1", "sect571r1", "secp224r1");
@@ -29,6 +35,19 @@
our @tests = ();
+sub get_key_type {
+ my $group = shift;
+ my $keyType;
+
+ if ($group =~ /ffdhe/) {
+ $keyType = "dhKeyAgreement";
+ } else {
+ $keyType = $group;
+ }
+
+ return $keyType;
+}
+
sub generate_tests() {
foreach (0..$#curves) {
my $curve = $curves[$_];
@@ -44,7 +63,7 @@
"Curves" => $curve
},
test => {
- "ExpectedTmpKeyType" => $curve,
+ "ExpectedTmpKeyType" => get_key_type($curve),
"ExpectedProtocol" => "TLSv1.3",
"ExpectedResult" => "Success"
},
@@ -64,7 +83,7 @@
"Curves" => $curve
},
test => {
- "ExpectedTmpKeyType" => $curve,
+ "ExpectedTmpKeyType" => get_key_type($curve),
"ExpectedProtocol" => "TLSv1.2",
"ExpectedResult" => "Success"
},
@@ -112,6 +131,47 @@
},
};
}
+ foreach (0..$#curves_tls_1_3) {
+ my $curve = $curves_tls_1_3[$_];
+ push @tests, {
+ name => "curve-${curve}-tls13-in-tls12",
+ server => {
+ "Curves" => $curve,
+ "CipherString" => 'DEFAULT@SECLEVEL=1',
+ "MaxProtocol" => "TLSv1.3"
+ },
+ client => {
+ "CipherString" => 'ECDHE@SECLEVEL=1',
+ "MaxProtocol" => "TLSv1.2",
+ "Curves" => $curve
+ },
+ test => {
+ #These curves are only suitable for TLSv1.3 so we expect the
+ #server to fail because it has no shared groups for TLSv1.2
+ #ECDHE key exchange
+ "ExpectedResult" => "ServerFail"
+ },
+ };
+ push @tests, {
+ name => "curve-${curve}-tls13-in-tls12-2",
+ server => {
+ "Curves" => $curve,
+ "CipherString" => 'DEFAULT@SECLEVEL=1',
+ "MaxProtocol" => "TLSv1.2"
+ },
+ client => {
+ "CipherString" => 'DEFAULT@SECLEVEL=1',
+ "MaxProtocol" => "TLSv1.3",
+ "Curves" => $curve
+ },
+ test => {
+ #These curves are only suitable for TLSv1.3. We expect TLSv1.2
+ #negotiation to succeed because we fall back to some other
+ #ciphersuite
+ "ExpectedResult" => "Success"
+ },
+ };
+ }
}
generate_tests();
diff -Nru openssl-3.0.9/test/testutil/provider.c openssl-3.0.10/test/testutil/provider.c
--- openssl-3.0.9/test/testutil/provider.c 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/test/testutil/provider.c 2023-08-01 15:47:24.000000000 +0200
@@ -177,11 +177,11 @@
} mode;
while (*versions != '\0') {
- for (; isspace(*versions); versions++)
+ for (; isspace((unsigned char)(*versions)); versions++)
continue;
if (*versions == '\0')
break;
- for (p = versions; *versions != '\0' && !isspace(*versions); versions++)
+ for (p = versions; *versions != '\0' && !isspace((unsigned char)(*versions)); versions++)
continue;
if (*p == '!') {
mode = MODE_NE;
@@ -201,7 +201,7 @@
} else if (*p == '>') {
mode = MODE_GT;
p++;
- } else if (isdigit(*p)) {
+ } else if (isdigit((unsigned char)*p)) {
mode = MODE_EQ;
} else {
TEST_info("Error matching FIPS version: mode %s\n", p);
diff -Nru openssl-3.0.9/VERSION.dat openssl-3.0.10/VERSION.dat
--- openssl-3.0.9/VERSION.dat 2023-05-30 14:31:57.000000000 +0200
+++ openssl-3.0.10/VERSION.dat 2023-08-01 15:47:24.000000000 +0200
@@ -1,7 +1,7 @@
MAJOR=3
MINOR=0
-PATCH=9
+PATCH=10
PRE_RELEASE_TAG=
BUILD_METADATA=
-RELEASE_DATE="30 May 2023"
+RELEASE_DATE="1 Aug 2023"
SHLIB_VERSION=3
Reply to: