From b201aea402564c7446484132b1d754c67e703102 Mon Sep 17 00:00:00 2001 From: Samuel Chiang Date: Fri, 22 Dec 2023 10:23:13 -0800 Subject: [PATCH] Add DH groups from RFC 7919 to support MySQL 8.1 (#1371) MySQL's new version release depends on some new DH groups. This adds the support for the new groups and updates our CI to test against the new version. * Security Groups added were ffdhe3072 and ffdhe8192. The NIDs were autogenerated with objects.go. * The MySQL integration version was updated, two additional unrelated test cases are being skipped. One depends on a supervisor process, while one is using stateful session resumption. --- crypto/dh_extra/dh_test.cc | 261 ++++++++++++++++-- crypto/fipsmodule/dh/dh.c | 110 ++++++++ crypto/fipsmodule/dh/internal.h | 9 + crypto/obj/obj_dat.h | 8 +- crypto/obj/obj_mac.num | 2 + crypto/obj/objects.txt | 2 + include/openssl/nid.h | 6 + tests/ci/integration/run_mysql_integration.sh | 6 +- 8 files changed, 384 insertions(+), 20 deletions(-) diff --git a/crypto/dh_extra/dh_test.cc b/crypto/dh_extra/dh_test.cc index 3f18f83c68..fb264fbb76 100644 --- a/crypto/dh_extra/dh_test.cc +++ b/crypto/dh_extra/dh_test.cc @@ -352,8 +352,8 @@ TEST(DHTest, RFC3526) { TEST(DHTest, RFC7919) { - // Primes taken from Appendix 1 and 3 of RFC 7919 - struct testInput{ + // Primes taken from Appendix 1-4 of RFC 7919 + struct testInput { int nid; std::vector p; std::vector q; 
@@ -384,6 +384,41 @@ TEST(DHTest, RFC7919) { "C8B97F4E 74C2C1FF C7278919 777940C1 E1FF1D8D A637D6B9" "9DDAFE5E 17611002 E2C778C1 BE8B41D9 6379A513 60D977FD" "4435A11C 30942E4B FFFFFFFF FFFFFFFF")}, + {NID_ffdhe3072, + rfc_string_to_bytes( + "FFFFFFFF FFFFFFFF ADF85458 A2BB4A9A AFDC5620 273D3CF1" + "D8B9C583 CE2D3695 A9E13641 146433FB CC939DCE 249B3EF9" + "7D2FE363 630C75D8 F681B202 AEC4617A D3DF1ED5 D5FD6561" + "2433F51F 5F066ED0 85636555 3DED1AF3 B557135E 7F57C935" + "984F0C70 E0E68B77 E2A689DA F3EFE872 1DF158A1 36ADE735" + "30ACCA4F 483A797A BC0AB182 B324FB61 D108A94B B2C8E3FB" + "B96ADAB7 60D7F468 1D4F42A3 DE394DF4 AE56EDE7 6372BB19" + "0B07A7C8 EE0A6D70 9E02FCE1 CDF7E2EC C03404CD 28342F61" + "9172FE9C E98583FF 8E4F1232 EEF28183 C3FE3B1B 4C6FAD73" + "3BB5FCBC 2EC22005 C58EF183 7D1683B2 C6F34A26 C1B2EFFA" + "886B4238 611FCFDC DE355B3B 6519035B BC34F4DE F99C0238" + "61B46FC9 D6E6C907 7AD91D26 91F7F7EE 598CB0FA C186D91C" + "AEFE1309 85139270 B4130C93 BC437944 F4FD4452 E2D74DD3" + "64F2E21E 71F54BFF 5CAE82AB 9C9DF69E E86D2BC5 22363A0D" + "ABC52197 9B0DEADA 1DBF9A42 D5C4484E 0ABCD06B FA53DDEF" + "3C1B20EE 3FD59D7C 25E41D2B 66C62E37 FFFFFFFF FFFFFFFF"), + rfc_string_to_bytes( + "7FFFFFFF FFFFFFFF D6FC2A2C 515DA54D 57EE2B10 139E9E78" + "EC5CE2C1 E7169B4A D4F09B20 8A3219FD E649CEE7 124D9F7C" + "BE97F1B1 B1863AEC 7B40D901 576230BD 69EF8F6A EAFEB2B0" + "9219FA8F AF833768 42B1B2AA 9EF68D79 DAAB89AF 3FABE49A" + "CC278638 707345BB F15344ED 79F7F439 0EF8AC50 9B56F39A" + "98566527 A41D3CBD 5E0558C1 59927DB0 E88454A5 D96471FD" + "DCB56D5B B06BFA34 0EA7A151 EF1CA6FA 572B76F3 B1B95D8C" + "8583D3E4 770536B8 4F017E70 E6FBF176 601A0266 941A17B0" + "C8B97F4E 74C2C1FF C7278919 777940C1 E1FF1D8D A637D6B9" + "9DDAFE5E 17611002 E2C778C1 BE8B41D9 6379A513 60D977FD" + "4435A11C 308FE7EE 6F1AAD9D B28C81AD DE1A7A6F 7CCE011C" + "30DA37E4 EB736483 BD6C8E93 48FBFBF7 2CC6587D 60C36C8E" + "577F0984 C289C938 5A098649 DE21BCA2 7A7EA229 716BA6E9" + "B279710F 38FAA5FF AE574155 CE4EFB4F 743695E2 
911B1D06" + "D5E290CB CD86F56D 0EDFCD21 6AE22427 055E6835 FD29EEF7" + "9E0D9077 1FEACEBE 12F20E95 B363171B FFFFFFFF FFFFFFFF")}, {NID_ffdhe4096, rfc_string_to_bytes( "FFFFFFFF FFFFFFFF ADF85458 A2BB4A9A AFDC5620 273D3CF1" 
@@ -430,9 +465,97 @@ TEST(DHTest, RFC7919) { "5483B005 48C09862 36E3BC7C B8D6801C 0494CCD1 99E5C5BD" "0D0EDC9E B8A0001E 15276754 FCC68566 054148E6 E764BEE7" "C764DAAD 3FC45235 A6DAD428 FA20C170 E345003F 2F32AFB5" - "7FFFFFFF FFFFFFFF")} - }; - for (const testInput &test : testInputs ) { + "7FFFFFFF FFFFFFFF")}, + {NID_ffdhe8192, + rfc_string_to_bytes( + "FFFFFFFF FFFFFFFF ADF85458 A2BB4A9A AFDC5620 273D3CF1" + "D8B9C583 CE2D3695 A9E13641 146433FB CC939DCE 249B3EF9" + "7D2FE363 630C75D8 F681B202 AEC4617A D3DF1ED5 D5FD6561" + "2433F51F 5F066ED0 85636555 3DED1AF3 B557135E 7F57C935" + "984F0C70 E0E68B77 E2A689DA F3EFE872 1DF158A1 36ADE735" + "30ACCA4F 483A797A BC0AB182 B324FB61 D108A94B B2C8E3FB" + "B96ADAB7 60D7F468 1D4F42A3 DE394DF4 AE56EDE7 6372BB19" + "0B07A7C8 EE0A6D70 9E02FCE1 CDF7E2EC C03404CD 28342F61" + "9172FE9C E98583FF 8E4F1232 EEF28183 C3FE3B1B 4C6FAD73" + "3BB5FCBC 2EC22005 C58EF183 7D1683B2 C6F34A26 C1B2EFFA" + "886B4238 611FCFDC DE355B3B 6519035B BC34F4DE F99C0238" + "61B46FC9 D6E6C907 7AD91D26 91F7F7EE 598CB0FA C186D91C" + "AEFE1309 85139270 B4130C93 BC437944 F4FD4452 E2D74DD3" + "64F2E21E 71F54BFF 5CAE82AB 9C9DF69E E86D2BC5 22363A0D" + "ABC52197 9B0DEADA 1DBF9A42 D5C4484E 0ABCD06B FA53DDEF" + "3C1B20EE 3FD59D7C 25E41D2B 669E1EF1 6E6F52C3 164DF4FB" + "7930E9E4 E58857B6 AC7D5F42 D69F6D18 7763CF1D 55034004" + "87F55BA5 7E31CC7A 7135C886 EFB4318A ED6A1E01 2D9E6832" + "A907600A 918130C4 6DC778F9 71AD0038 092999A3 33CB8B7A" + "1A1DB93D 7140003C 2A4ECEA9 F98D0ACC 0A8291CD CEC97DCF" + "8EC9B55A 7F88A46B 4DB5A851 F44182E1 C68A007E 5E0DD902" + "0BFD64B6 45036C7A 4E677D2C 38532A3A 23BA4442 CAF53EA6" + "3BB45432 9B7624C8 917BDD64 B1C0FD4C B38E8C33 4C701C3A" + "CDAD0657 FCCFEC71 9B1F5C3E 4E46041F 388147FB 4CFDB477" + "A52471F7 A9A96910 B855322E DB6340D8 A00EF092 350511E3" + "0ABEC1FF F9E3A26E 7FB29F8C 183023C3 587E38DA 0077D9B4" + "763E4E4B 94B2BBC1 94C6651E 77CAF992 EEAAC023 2A281BF6" + "B3A739C1 22611682 0AE8DB58 47A67CBE F9C9091B 462D538C" + "D72B0374 6AE77F5E 
62292C31 1562A846 505DC82D B854338A" + "E49F5235 C95B9117 8CCF2DD5 CACEF403 EC9D1810 C6272B04" + "5B3B71F9 DC6B80D6 3FDD4A8E 9ADB1E69 62A69526 D43161C1" + "A41D570D 7938DAD4 A40E329C CFF46AAA 36AD004C F600C838" + "1E425A31 D951AE64 FDB23FCE C9509D43 687FEB69 EDD1CC5E" + "0B8CC3BD F64B10EF 86B63142 A3AB8829 555B2F74 7C932665" + "CB2C0F1C C01BD702 29388839 D2AF05E4 54504AC7 8B758282" + "2846C0BA 35C35F5C 59160CC0 46FD8251 541FC68C 9C86B022" + "BB709987 6A460E74 51A8A931 09703FEE 1C217E6C 3826E52C" + "51AA691E 0E423CFC 99E9E316 50C1217B 624816CD AD9A95F9" + "D5B80194 88D9C0A0 A1FE3075 A577E231 83F81D4A 3F2FA457" + "1EFC8CE0 BA8A4FE8 B6855DFE 72B0A66E DED2FBAB FBE58A30" + "FAFABE1C 5D71A87E 2F741EF8 C1FE86FE A6BBFDE5 30677F0D" + "97D11D49 F7A8443D 0822E506 A9F4614E 011E2A94 838FF88C" + "D68C8BB7 C5C6424C FFFFFFFF FFFFFFFF"), + rfc_string_to_bytes( + "7FFFFFFF FFFFFFFF D6FC2A2C 515DA54D 57EE2B10 139E9E78" + "EC5CE2C1 E7169B4A D4F09B20 8A3219FD E649CEE7 124D9F7C" + "BE97F1B1 B1863AEC 7B40D901 576230BD 69EF8F6A EAFEB2B0" + "9219FA8F AF833768 42B1B2AA 9EF68D79 DAAB89AF 3FABE49A" + "CC278638 707345BB F15344ED 79F7F439 0EF8AC50 9B56F39A" + "98566527 A41D3CBD 5E0558C1 59927DB0 E88454A5 D96471FD" + "DCB56D5B B06BFA34 0EA7A151 EF1CA6FA 572B76F3 B1B95D8C" + "8583D3E4 770536B8 4F017E70 E6FBF176 601A0266 941A17B0" + "C8B97F4E 74C2C1FF C7278919 777940C1 E1FF1D8D A637D6B9" + "9DDAFE5E 17611002 E2C778C1 BE8B41D9 6379A513 60D977FD" + "4435A11C 308FE7EE 6F1AAD9D B28C81AD DE1A7A6F 7CCE011C" + "30DA37E4 EB736483 BD6C8E93 48FBFBF7 2CC6587D 60C36C8E" + "577F0984 C289C938 5A098649 DE21BCA2 7A7EA229 716BA6E9" + "B279710F 38FAA5FF AE574155 CE4EFB4F 743695E2 911B1D06" + "D5E290CB CD86F56D 0EDFCD21 6AE22427 055E6835 FD29EEF7" + "9E0D9077 1FEACEBE 12F20E95 B34F0F78 B737A961 8B26FA7D" + "BC9874F2 72C42BDB 563EAFA1 6B4FB68C 3BB1E78E AA81A002" + "43FAADD2 BF18E63D 389AE443 77DA18C5 76B50F00 96CF3419" + "5483B005 48C09862 36E3BC7C B8D6801C 0494CCD1 99E5C5BD" + "0D0EDC9E B8A0001E 15276754 FCC68566 
054148E6 E764BEE7" + "C764DAAD 3FC45235 A6DAD428 FA20C170 E345003F 2F06EC81" + "05FEB25B 2281B63D 2733BE96 1C29951D 11DD2221 657A9F53" + "1DDA2A19 4DBB1264 48BDEEB2 58E07EA6 59C74619 A6380E1D" + "66D6832B FE67F638 CD8FAE1F 2723020F 9C40A3FD A67EDA3B" + "D29238FB D4D4B488 5C2A9917 6DB1A06C 50077849 1A8288F1" + "855F60FF FCF1D137 3FD94FC6 0C1811E1 AC3F1C6D 003BECDA" + "3B1F2725 CA595DE0 CA63328F 3BE57CC9 77556011 95140DFB" + "59D39CE0 91308B41 05746DAC 23D33E5F 7CE4848D A316A9C6" + "6B9581BA 3573BFAF 31149618 8AB15423 282EE416 DC2A19C5" + "724FA91A E4ADC88B C66796EA E5677A01 F64E8C08 63139582" + "2D9DB8FC EE35C06B 1FEEA547 4D6D8F34 B1534A93 6A18B0E0" + "D20EAB86 BC9C6D6A 5207194E 67FA3555 1B568026 7B00641C" + "0F212D18 ECA8D732 7ED91FE7 64A84EA1 B43FF5B4 F6E8E62F" + "05C661DE FB258877 C35B18A1 51D5C414 AAAD97BA 3E499332" + "E596078E 600DEB81 149C441C E95782F2 2A282563 C5BAC141" + "1423605D 1AE1AFAE 2C8B0660 237EC128 AA0FE346 4E435811" + "5DB84CC3 B523073A 28D45498 84B81FF7 0E10BF36 1C137296" + "28D5348F 07211E7E 4CF4F18B 286090BD B1240B66 D6CD4AFC" + "EADC00CA 446CE050 50FF183A D2BBF118 C1FC0EA5 1F97D22B" + "8F7E4670 5D4527F4 5B42AEFF 39585337 6F697DD5 FDF2C518" + "7D7D5F0E 2EB8D43F 17BA0F7C 60FF437F 535DFEF2 9833BF86" + "CBE88EA4 FBD4221E 84117283 54FA30A7 008F154A 41C7FC46" + "6B4645DB E2E32126 7FFFFFFF FFFFFFFF")}}; + for (const testInput &test : testInputs) { bssl::UniquePtr dh(DH_new_by_nid(test.nid)); ASSERT_TRUE(dh); check_bn_matches_bytes(test.p, DH_get0_p(dh.get())); 
@@ -442,12 +565,18 @@ TEST(DHTest, RFC7919) { TEST(DHExpectedTestnputTest, CalculateSharedSecretMatches) { // KAT calculated with the following sage math code: - // prime=int("0x[prime for 2048 or 4096]", 16) R=Integers(prime) g = R(2) - // client_sk = int("0xABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890", 16) client_pk = g^client_sk - // server_sk = int("0xAABBCCDDEEFF11223344556677889900AABBCCDDEEFF11223344556677889900", 16) shared_secret = client_pk^server_sk - // print("client_pk", format(int(client_pk), '#x')) - // print("server_sk", format(server_sk, '#x')) - // print("expected_ss", format(int(shared_secret), '#x')) + // prime = int("0x[prime for field sizes 2048, 3072, 4096, 8192]", 16); + // R = Integers(prime); + // g = R(2); + // client_sk = int("0xABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF" + // "1234567890", 16); + // client_pk = g^client_sk; + // server_sk = int("0xAABBCCDDEEFF11223344556677889900AABBCCDDEEFF1122334455" + // "6677889900", 16); + // shared_secret = client_pk^server_sk; + // print("client_pk", format(int(client_pk), '#x')); + // print("server_sk", format(server_sk, '#x')); + // print("expected_ss", format(int(shared_secret), '#x')); struct testInput { int nid; std::vector client_pk; 
@@ -476,6 +605,35 @@ TEST(DHExpectedTestnputTest, CalculateSharedSecretMatches) { "5e0a3a1f930bc547149fd6dfe1dc7ad7945dd74a38d46a6bc7658ac953b43770" "b5d9212737a3cef574796c50aaa4168f07ddabccf5d12d8f87808e526cf68e15" "224b8eb822048df910fe36a84a752177dbfce76a90f1ae864543e721d7885ad7")}, + {NID_ffdhe3072, + HexToBytes( + "b3955fefb03b1979f9bd6c26d8d7820ed1d14155f6d8f08c94480bee2753f659bcf" + "2c364f58e173c114d14b782034d97eb45a2e24b313151e1b3ae4e1bb3986786c18e" + "fe5f75cc5c6dcec48e5a0a2799e12fe17b2a803f9bb0c18a5fc207a580cf4d47bda" + "d1495b26668abbbdf13ff1cda7753a792060176a167ea84f3cf6d9f303f88b5dcad" + "8201582d783cc4858f8cc6f720db0f3739a5d05b3a1b5a5c5edfa933c0a7fb4c5ee" + "f534d3212c74318080c863ee6845d85f429a9707e228868144726e8a0e93eae380a" + "2f28164f6a764a3dd114ade26cf0e5db7f49148d84dcdf7e535dcc3ff9591787ba0" + "5060b02e0d934b951ee2b3f7444c8cd1ab12af3e5722a80c441d4bb394414a6ca5e" + "f9892a6543a2087759922a94723beff30116e9a262396ca7bb601d4c786d822e2e0" + "e476cc8551c1699e4599124e7e29489230fd2fddbff2eab311113d356e2de8772ad" + "20eeddf650021cb9ae5f24ab14ab8d43b15a800421a8b26126cbcd2a754ba981660" + "68e832dd76d1992fb89689cf624d76a"), + HexToBytes( + "aabbccddeeff11223344556677889900aabbccddeeff11223344556677889900"), + HexToBytes( + "baba992b3ad121f3a9f7ff2d197e54a2e65d6951691c93e91655a4c59e01f83af28" + "85e87dbc56514026bc428095be04be5509aacf0ab9b7bc15579849a3f39f392470e" + "07d84f72f692b9ef4a898d8b68a7c73b620e5af7035579b50697f0fec671fbbdafe" + "a144330886f2c4408554a5881778f9aa29ab17cf68d82b1c98c7c93d3d287d035ff" + "2905246030ee5224ff47aac779af072c6fc4710da0d82dd58679a74cd8c33a4ceda" + "b73c3b8339028a7ccfe2e7f6564a8bbec24cf285683c772e53810f0959edfeeea9a" + "6295c669fe07df7ddbde3ba7cea8473fbdaef9cea70011150191144ddd71e36b3bc" + "d48455adaa3c7bec645e1cb8a92ffc18bd5414d9e1ddd18bc36fc843c2955028497" + "970b6806b1f721f208b813e5d16e0503a4186c964a476035a5afe221936c6a3b721" + "cc6ca686fe6e8a65faf3cd6db3c718a7af58e3b8cd6712b34d33bb917a24c6ab41c" + 
"15c056e2afb0936970b3224b4c183eb3bba319a09083621ecb93ed78139955b17c8" + "bfebcb188edcc5b27385eab0588ad4a")}, {NID_ffdhe4096, HexToBytes( "525b74f0c4c3d942cd65f924cebd4f76a1ec2c866d48462e1c468f75070b18bc" 
@@ -513,17 +671,86 @@ TEST(DHExpectedTestnputTest, CalculateSharedSecretMatches) { "f4b88d759689819cde545d202b641b0529a02d588ff4c6b832c3f5a3d9bec9ec" "ce0fb9af978b76bf93eba919c5bef844b4b1e2bff3d3758b577c70fa78d89a1d" "d5a1864a2d3795c3668562c67aa77265f38812f001d28b25f7965109481ec2c7") - } - }; - for (const testInput &test : testInputs ){ - bssl::UniquePtr client_public(BN_bin2bn(test.client_pk.data(), test.client_pk.size(), nullptr)); + }, + {NID_ffdhe8192, + HexToBytes( + "9d8f631335eb2f802176a33b08ea7553398407e474f2b8031fbefe1f62cdec9798d" + "1804ac73a0b1dd5735ad177b8b89d8f9b807e103dbf1f3161a63475e1249fed8a37" + "f6704c730be48f7dfc0716cc30b094457b91b641c13f95074b7230ab5daf38ced4d" + "784c6ed56eae1cb9a9c4276039270f04e4a4b0e4ca48945ba8ccc2837f4063db35c" + "cbe4a03533ab50058518a89183938f4f94bf014e4142da43745002c35e10b67335c" + "564b728cda9b340330a921d776dcfcffca773d354813b387b215eb2fc3732f79ba9" + "b9a1d11231796d33192a92c3a686245c6c40d8c78140761f2a961ee587965ea395d" + "fdaa306141efdd51c5c6ed8976d4a87ff8b8d29f94556195e763d9b6c19de3d0b74" + "d9e11a6b5b7b2a6477c419460e7c4a611bee2eea9486dadc625ba7b4e7438eb2a42" + "c2d2c577e384ef22e355662989b27022872cfa97f14a20bdb2769eecd7756fd45a2" + "5d471ad9e4db865deb58e9d049a1947dcbbcc409d7a14dea8dd32e68dbd0f9e7872" + "373e3c33c96c86d50602fe320951cf19d5cf1444150c9063585d1993e79279a5492" + "5a077256ba254e468d1cba8e48ff9c9b87c8814a61c1b4005314f5b75dd50ccb1a8" + "9142277d64edea02b81b5ba825d5822c0092cf1206feb88392e213447153e1aa0aa" + "23837f641b7c7da7cafeac26e8c09ec0402c4c39e67f35b2fe5b0a122bb16cd30e2" + "ac5a6f1a3c9aae8338c315c80dc874eb4584c9a68dd329ef30489927bb0cac69518" + "88108712055b1d89b0e394245f92a236f31387a0e5bde7dfa86b112209f84d5c97c" + "c9003cf72e58ab8acd05c8c08b8897021d801cc7f2035d04c3f6eda42e827741e73" + "5a36eef2031661f6cb766adf5026e52cbb520f0c7913f6d13235655932f61bb9396" + "cf55da603a81f2e1e56cdf483a05f11d192e9a689a18334465df0cbd6c9180a636d" + "f31f3583331582b1b7042de6ab3c2c16b02d288adc082840471d569aed38fed5fa6" + 
"a19b30fffb9a17030e78eea87c9151040308685d1edc1de44eca7fdb04f4bf9783a" + "cb9711a3f5fd5d04e2d5ef77f4ea2d8fe3624e0c78e90354e7558d65a56f5e720fa" + "97aec18da9428ad8b4736d1cb1d89fa4c54015bff26289eaf4c523a29fe40a7ef53" + "988b7c21034eed774617fc252b01f09d0a7e335d0363e0d703b5d3b10ef9fb1b999" + "c8d6eceb185f570235f3109bcfcfc843ebb2a3df45227a679d5e48d681ba95e0121" + "3b5a096a5fd0e2bc9701816819a89fac2cb83d1485566b6191ca768ce154649a70b" + "47eec616b142755405b344307f2fd74aa013e1c4ccfe9bb5547f353b1f94440f356" + "7a8994bcadcc22798bd9449211098ee5e0bbaf649aa77cfe9ef51795190ad0c0d7d" + "376cb82bde11286ff39f94798c8b2bcff253f5cc0e77668596a125c77c39ef89574" + "a9f246bb9fc6b5e5f86b5c07f26f06af119d19"), + HexToBytes( + "aabbccddeeff11223344556677889900aabbccddeeff11223344556677889900"), + HexToBytes( + "9040f16f84a65d195f5016293a8c9e7cac0aa740636ead9e8bc008be34111702f60" + "b449c8bced3a155e6a1f44652bbbe1d8c1390db146ee361a571fa7145092fb0752a" + "6af48b2e9de26b07757fc35bc846e8ecb5c1e626bed394fb24fe9d470b0e210f87c" + "18716a16612e263367da677d0f57be0afeb9e76b113b2a629bb9075b02005d734b8" + "33c63b2a19c201089fc6125bf0117cf7ae35908e5d8eabf98aeb46fd405ee1d93cd" + "6883fd328cbabbc3274d13e7f653bf54091205e7ff2a26e52223e74f508aa309892" + "f962370c98c16d012c13bcbe6d5fcf6e6319d14db76829d6c8e121f0f4b59cde07b" + "564645c37d127fec97fd8efaeac174f30bfdda1c90007637e126f748e4485f8a36d" + "c735cd78f2c12cbff1d0057d573a764ad01661726117c91a6227c8d4e9ab0c9f13f" + "9dd5720bb840da91e71313bb39093d5d00c7051d2ef52b7e091fc467ff4c7427702" + "6b223e3217b0a407cdb3061bb2f71d0ffe8e46536069973c0f4424381758554ab35" + "1fdf25c7a33bf267de0bddfa8f52ff903fd0df500cd13f44b7911ad30913fbf45da" + "594b9a57a7cadaba17c5b5e62ff8ddc3fe6a3d9c484078ab676fc6862a8c77cd433" + "3b36e396e979a41438ea82f9a491414c75acedb0cc77063695569f5bc1dc509bb0d" + "81c2c44d041815e3d2f043f4910e15dfa1cfbd3daab2f3b4b0b21d2d1edc1d18bbd" + "a9547fa67f9f9c28cc3a9da2fe829c02df7e20a1aa1bcba93f0a9868358dab26edb" + 
"31337c9121bd35b8c56616f1958db33d807ab042cf8efa8fad60a2f0f264efd49e6" + "759cf384fda088d3a14f176eeb3b06eca54fff2e4898e9f5126b2236ffd3777839c" + "98586fd4180f602132a943f9c401b06c8e1281953157164546e75d4359b518be90b" + "e3fc8dd731218a75c3c7627a40f50d7f604776de08814ec5cc6f2865ee8ecd0e426" + "123c08c71ddbf39a0564b0edaa43513674688c56d61c9712d4b11375ada55d69641" + "b416880c1387428ecd0cdb39cedd02987ae30839c97141b0162de1992c549046214" + "bf45a3054561539a647aaebe0392366cd6936accf7262412d987618a05882d5d19e" + "d93a1f3245f3930f3bf4cbc6529ab14dddf02ce6045b6971de8572a625d9911d092" + "9d159307491b6b6f17dba77e0e9ce76875ab276226bc01f301effc949257092c2bd" + "ab22141e7487dd1df5188edad0776dcefaa7298b3a2a9c42799cef5207a47b37a0c" + "5c45c160b76394adda6b76e40ac32d705c279e23c49c74b9ab2609009950fa6758e" + "710fa7eb58ef4bdbddf876978d7c99cdb357d25c6515e0a7192b15751b7dd04c077" + "095753c8481d0835ff5008c0953ac1d5ab08c9925c3a73c25875f3bb4be449e4247" + "660d45ee031b25061aaa9eb5d72d3fa0670e9c7ed72a86d5dc2df7c64ee2da143e7" + "5e6042700423e990849b387d59b9a372dd0d04")}}; + for (const testInput &test : testInputs) { + bssl::UniquePtr client_public( + BN_bin2bn(test.client_pk.data(), test.client_pk.size(), nullptr)); EXPECT_TRUE(client_public); - bssl::UniquePtr server_secret(BN_bin2bn(test.server_sk.data(), test.server_sk.size(), nullptr)); + bssl::UniquePtr server_secret( + BN_bin2bn(test.server_sk.data(), test.server_sk.size(), nullptr)); EXPECT_TRUE(server_secret); bssl::UniquePtr ffdhe2048_dh(DH_new_by_nid(test.nid)); - EXPECT_TRUE(DH_set0_key(ffdhe2048_dh.get(), nullptr, server_secret.release())); + EXPECT_TRUE( + DH_set0_key(ffdhe2048_dh.get(), nullptr, server_secret.release())); uint8_t buffer[4096]; int size = DH_compute_key(buffer, client_public.get(), ffdhe2048_dh.get()); EXPECT_TRUE(size > 0 && size < 4096); diff --git a/crypto/fipsmodule/dh/dh.c b/crypto/fipsmodule/dh/dh.c index 73d63dfb0e..89c3182a72 100644 --- a/crypto/fipsmodule/dh/dh.c +++ b/crypto/fipsmodule/dh/dh.c 
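Review bot: The result of `DH_new_by_nid(test.nid)` is used without a null check in the loop at the end of this hunk, so a NID that the switch does not handle would most likely crash inside `DH_set0_key` instead of failing the test cleanly; add `ASSERT_TRUE(ffdhe2048_dh);` right after the construction, as the RFC7919 test earlier in this file already does for its `dh`. The name `ffdhe2048_dh` is also misleading now that the loop covers four groups, so plain `dh` would read better. The output buffer is a fixed `uint8_t buffer[4096]`, which is large enough for ffdhe8192 (1024 bytes), but `ASSERT_LE(static_cast<size_t>(DH_size(ffdhe2048_dh.get())), sizeof(buffer));` before `DH_compute_key` would tie the bound to the group rather than to a magic number. The test body continues past the end of the hunk.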
@@ -88,8 +88,12 @@ DH *DH_new_by_nid(int nid) {
 switch (nid) {
 case NID_ffdhe2048:
 return DH_get_rfc7919_2048();
+ case NID_ffdhe3072:
+ return DH_get_rfc7919_3072();
 case NID_ffdhe4096:
 return DH_get_rfc7919_4096();
+ case NID_ffdhe8192:
+ return DH_get_rfc7919_8192();
 default:
 OPENSSL_PUT_ERROR(DH, DH_R_INVALID_NID);
 return NULL;
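Review bot: The documentation of `DH_new_by_nid` is not updated alongside the two new `case` labels: the diffstat lists no change to a public DH header, so any comment there that enumerates the accepted NIDs (not visible here) is now stale. I would extend it with something like `// DH_new_by_nid accepts NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096 and NID_ffdhe8192; any other NID fails with DH_R_INVALID_NID.` Callers that let a peer or a configuration value choose the NID should also be told that ffdhe8192 operations are far more expensive than those of the smaller groups. The function body starts and ends outside this hunk.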
@@ -511,6 +515,39 @@ DH *DH_get_rfc7919_2048(void) { return calculate_rfc7919_DH_from_p(kFFDHE2048Data, OPENSSL_ARRAY_SIZE(kFFDHE2048Data)); } +DH *DH_get_rfc7919_3072(void) { + // This is the prime from https://tools.ietf.org/html/rfc7919#appendix-A.2, + // which is specifically approved for FIPS in appendix D of SP 800-56Ar3. + static const BN_ULONG kFFDHE3072Data[] = { + TOBN(0xffffffff, 0xffffffff), TOBN(0x25e41d2b, 0x66c62e37), + TOBN(0x3c1b20ee, 0x3fd59d7c), TOBN(0x0abcd06b, 0xfa53ddef), + TOBN(0x1dbf9a42, 0xd5c4484e), TOBN(0xabc52197, 0x9b0deada), + TOBN(0xe86d2bc5, 0x22363a0d), TOBN(0x5cae82ab, 0x9c9df69e), + TOBN(0x64f2e21e, 0x71f54bff), TOBN(0xf4fd4452, 0xe2d74dd3), + TOBN(0xb4130c93, 0xbc437944), TOBN(0xaefe1309, 0x85139270), + TOBN(0x598cb0fa, 0xc186d91c), TOBN(0x7ad91d26, 0x91f7f7ee), + TOBN(0x61b46fc9, 0xd6e6c907), TOBN(0xbc34f4de, 0xf99c0238), + TOBN(0xde355b3b, 0x6519035b), TOBN(0x886b4238, 0x611fcfdc), + TOBN(0xc6f34a26, 0xc1b2effa), TOBN(0xc58ef183, 0x7d1683b2), + TOBN(0x3bb5fcbc, 0x2ec22005), TOBN(0xc3fe3b1b, 0x4c6fad73), + TOBN(0x8e4f1232, 0xeef28183), TOBN(0x9172fe9c, 0xe98583ff), + TOBN(0xc03404cd, 0x28342f61), TOBN(0x9e02fce1, 0xcdf7e2ec), + TOBN(0x0b07a7c8, 0xee0a6d70), TOBN(0xae56ede7, 0x6372bb19), + TOBN(0x1d4f42a3, 0xde394df4), TOBN(0xb96adab7, 0x60d7f468), + TOBN(0xd108a94b, 0xb2c8e3fb), TOBN(0xbc0ab182, 0xb324fb61), + TOBN(0x30acca4f, 0x483a797a), TOBN(0x1df158a1, 0x36ade735), + TOBN(0xe2a689da, 0xf3efe872), TOBN(0x984f0c70, 0xe0e68b77), + TOBN(0xb557135e, 0x7f57c935), TOBN(0x85636555, 0x3ded1af3), + TOBN(0x2433f51f, 0x5f066ed0), TOBN(0xd3df1ed5, 0xd5fd6561), + TOBN(0xf681b202, 0xaec4617a), TOBN(0x7d2fe363, 0x630c75d8), + TOBN(0xcc939dce, 0x249b3ef9), TOBN(0xa9e13641, 0x146433fb), + TOBN(0xd8b9c583, 0xce2d3695), TOBN(0xafdc5620, 0x273d3cf1), + TOBN(0xadf85458, 0xa2bb4a9a), TOBN(0xffffffff, 0xffffffff)}; + + return calculate_rfc7919_DH_from_p(kFFDHE3072Data, + OPENSSL_ARRAY_SIZE(kFFDHE3072Data)); +} + DH *DH_get_rfc7919_4096(void) { // 
This is the prime from https://tools.ietf.org/html/rfc7919#appendix-A.3, // which is specifically approved for FIPS in appendix D of SP 800-56Ar3. 
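Review bot: The limb order of `kFFDHE3072Data` is not documented, which makes the constant hard to audit against the RFC: the array opens with `TOBN(0xffffffff, 0xffffffff), TOBN(0x25e41d2b, 0x66c62e37)`, which are the last words of the ffdhe3072 prime as listed in the test vector of this same commit, so the limbs are evidently stored least-significant first. I would add a line to the comment such as `// Limbs are least-significant first, i.e. the reverse of the RFC's big-endian listing.` The same applies to `kFFDHE8192Data` in `DH_get_rfc7919_8192` further down. A wrong or dropped limb would silently produce a different modulus, so the comment could also point at the RFC7919 test in dh_test.cc as the check that pins these values.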
@@ -551,3 +588,76 @@ DH *DH_get_rfc7919_4096(void) { return calculate_rfc7919_DH_from_p(kFFDHE4096Data, OPENSSL_ARRAY_SIZE(kFFDHE4096Data)); } + +DH *DH_get_rfc7919_8192(void) { + // This is the prime from https://tools.ietf.org/html/rfc7919#appendix-A.4, + // which is specifically approved for FIPS in appendix D of SP 800-56Ar3. + static const BN_ULONG kFFDHE8192Data[] = { + TOBN(0xffffffff, 0xffffffff), TOBN(0xd68c8bb7, 0xc5c6424c), + TOBN(0x011e2a94, 0x838ff88c), TOBN(0x0822e506, 0xa9f4614e), + TOBN(0x97d11d49, 0xf7a8443d), TOBN(0xa6bbfde5, 0x30677f0d), + TOBN(0x2f741ef8, 0xc1fe86fe), TOBN(0xfafabe1c, 0x5d71a87e), + TOBN(0xded2fbab, 0xfbe58a30), TOBN(0xb6855dfe, 0x72b0a66e), + TOBN(0x1efc8ce0, 0xba8a4fe8), TOBN(0x83f81d4a, 0x3f2fa457), + TOBN(0xa1fe3075, 0xa577e231), TOBN(0xd5b80194, 0x88d9c0a0), + TOBN(0x624816cd, 0xad9a95f9), TOBN(0x99e9e316, 0x50c1217b), + TOBN(0x51aa691e, 0x0e423cfc), TOBN(0x1c217e6c, 0x3826e52c), + TOBN(0x51a8a931, 0x09703fee), TOBN(0xbb709987, 0x6a460e74), + TOBN(0x541fc68c, 0x9c86b022), TOBN(0x59160cc0, 0x46fd8251), + TOBN(0x2846c0ba, 0x35c35f5c), TOBN(0x54504ac7, 0x8b758282), + TOBN(0x29388839, 0xd2af05e4), TOBN(0xcb2c0f1c, 0xc01bd702), + TOBN(0x555b2f74, 0x7c932665), TOBN(0x86b63142, 0xa3ab8829), + TOBN(0x0b8cc3bd, 0xf64b10ef), TOBN(0x687feb69, 0xedd1cc5e), + TOBN(0xfdb23fce, 0xc9509d43), TOBN(0x1e425a31, 0xd951ae64), + TOBN(0x36ad004c, 0xf600c838), TOBN(0xa40e329c, 0xcff46aaa), + TOBN(0xa41d570d, 0x7938dad4), TOBN(0x62a69526, 0xd43161c1), + TOBN(0x3fdd4a8e, 0x9adb1e69), TOBN(0x5b3b71f9, 0xdc6b80d6), + TOBN(0xec9d1810, 0xc6272b04), TOBN(0x8ccf2dd5, 0xcacef403), + TOBN(0xe49f5235, 0xc95b9117), TOBN(0x505dc82d, 0xb854338a), + TOBN(0x62292c31, 0x1562a846), TOBN(0xd72b0374, 0x6ae77f5e), + TOBN(0xf9c9091b, 0x462d538c), TOBN(0x0ae8db58, 0x47a67cbe), + TOBN(0xb3a739c1, 0x22611682), TOBN(0xeeaac023, 0x2a281bf6), + TOBN(0x94c6651e, 0x77caf992), TOBN(0x763e4e4b, 0x94b2bbc1), + TOBN(0x587e38da, 0x0077d9b4), TOBN(0x7fb29f8c, 0x183023c3), + 
TOBN(0x0abec1ff, 0xf9e3a26e), TOBN(0xa00ef092, 0x350511e3), + TOBN(0xb855322e, 0xdb6340d8), TOBN(0xa52471f7, 0xa9a96910), + TOBN(0x388147fb, 0x4cfdb477), TOBN(0x9b1f5c3e, 0x4e46041f), + TOBN(0xcdad0657, 0xfccfec71), TOBN(0xb38e8c33, 0x4c701c3a), + TOBN(0x917bdd64, 0xb1c0fd4c), TOBN(0x3bb45432, 0x9b7624c8), + TOBN(0x23ba4442, 0xcaf53ea6), TOBN(0x4e677d2c, 0x38532a3a), + TOBN(0x0bfd64b6, 0x45036c7a), TOBN(0xc68a007e, 0x5e0dd902), + TOBN(0x4db5a851, 0xf44182e1), TOBN(0x8ec9b55a, 0x7f88a46b), + TOBN(0x0a8291cd, 0xcec97dcf), TOBN(0x2a4ecea9, 0xf98d0acc), + TOBN(0x1a1db93d, 0x7140003c), TOBN(0x092999a3, 0x33cb8b7a), + TOBN(0x6dc778f9, 0x71ad0038), TOBN(0xa907600a, 0x918130c4), + TOBN(0xed6a1e01, 0x2d9e6832), TOBN(0x7135c886, 0xefb4318a), + TOBN(0x87f55ba5, 0x7e31cc7a), TOBN(0x7763cf1d, 0x55034004), + TOBN(0xac7d5f42, 0xd69f6d18), TOBN(0x7930e9e4, 0xe58857b6), + TOBN(0x6e6f52c3, 0x164df4fb), TOBN(0x25e41d2b, 0x669e1ef1), + TOBN(0x3c1b20ee, 0x3fd59d7c), TOBN(0x0abcd06b, 0xfa53ddef), + TOBN(0x1dbf9a42, 0xd5c4484e), TOBN(0xabc52197, 0x9b0deada), + TOBN(0xe86d2bc5, 0x22363a0d), TOBN(0x5cae82ab, 0x9c9df69e), + TOBN(0x64f2e21e, 0x71f54bff), TOBN(0xf4fd4452, 0xe2d74dd3), + TOBN(0xb4130c93, 0xbc437944), TOBN(0xaefe1309, 0x85139270), + TOBN(0x598cb0fa, 0xc186d91c), TOBN(0x7ad91d26, 0x91f7f7ee), + TOBN(0x61b46fc9, 0xd6e6c907), TOBN(0xbc34f4de, 0xf99c0238), + TOBN(0xde355b3b, 0x6519035b), TOBN(0x886b4238, 0x611fcfdc), + TOBN(0xc6f34a26, 0xc1b2effa), TOBN(0xc58ef183, 0x7d1683b2), + TOBN(0x3bb5fcbc, 0x2ec22005), TOBN(0xc3fe3b1b, 0x4c6fad73), + TOBN(0x8e4f1232, 0xeef28183), TOBN(0x9172fe9c, 0xe98583ff), + TOBN(0xc03404cd, 0x28342f61), TOBN(0x9e02fce1, 0xcdf7e2ec), + TOBN(0x0b07a7c8, 0xee0a6d70), TOBN(0xae56ede7, 0x6372bb19), + TOBN(0x1d4f42a3, 0xde394df4), TOBN(0xb96adab7, 0x60d7f468), + TOBN(0xd108a94b, 0xb2c8e3fb), TOBN(0xbc0ab182, 0xb324fb61), + TOBN(0x30acca4f, 0x483a797a), TOBN(0x1df158a1, 0x36ade735), + TOBN(0xe2a689da, 0xf3efe872), TOBN(0x984f0c70, 0xe0e68b77), + 
TOBN(0xb557135e, 0x7f57c935), TOBN(0x85636555, 0x3ded1af3), + TOBN(0x2433f51f, 0x5f066ed0), TOBN(0xd3df1ed5, 0xd5fd6561), + TOBN(0xf681b202, 0xaec4617a), TOBN(0x7d2fe363, 0x630c75d8), + TOBN(0xcc939dce, 0x249b3ef9), TOBN(0xa9e13641, 0x146433fb), + TOBN(0xd8b9c583, 0xce2d3695), TOBN(0xafdc5620, 0x273d3cf1), + TOBN(0xadf85458, 0xa2bb4a9a), TOBN(0xffffffff, 0xffffffff)}; + + return calculate_rfc7919_DH_from_p(kFFDHE8192Data, + OPENSSL_ARRAY_SIZE(kFFDHE8192Data)); +} diff --git a/crypto/fipsmodule/dh/internal.h b/crypto/fipsmodule/dh/internal.h index e109e24480..30412ac702 100644 --- a/crypto/fipsmodule/dh/internal.h +++ b/crypto/fipsmodule/dh/internal.h @@ -55,6 +55,15 @@ int dh_check_params_fast(const DH *dh); int dh_compute_key_padded_no_self_test(unsigned char *out, const BIGNUM *peers_key, DH *dh); +// DH_get_rfc7919_3072 returns the group `ffdhe3072` from +// https://tools.ietf.org/html/rfc7919#appendix-A.2. It returns NULL if out +// of memory. +OPENSSL_EXPORT DH *DH_get_rfc7919_3072(void); + +// DH_get_rfc7919_8192 returns the group `ffdhe8192` from +// https://tools.ietf.org/html/rfc7919#appendix-A.4. It returns NULL if out +// of memory. +OPENSSL_EXPORT DH *DH_get_rfc7919_8192(void); #if defined(__cplusplus) } diff --git a/crypto/obj/obj_dat.h b/crypto/obj/obj_dat.h index f0a0fe8be5..0da1e911d1 100644 --- a/crypto/obj/obj_dat.h +++ b/crypto/obj/obj_dat.h @@ -56,7 +56,7 @@ /* This file is generated by crypto/obj/objects.go. */ -#define NUM_NID 983 +#define NUM_NID 985 static const uint8_t kObjectData[] = { /* NID_rsadsi */ @@ -8887,6 +8887,8 @@ static const ASN1_OBJECT kObjects[NUM_NID] = { NID_SecP256r1Kyber768Draft00, 0, NULL, 0}, {"X25519Kyber768Draft00", "X25519Kyber768Draft00", NID_X25519Kyber768Draft00, 0, NULL, 0}, + {"ffdhe3072", "ffdhe3072", NID_ffdhe3072, 0, NULL, 0}, + {"ffdhe8192", "ffdhe8192", NID_ffdhe8192, 0, NULL, 0}, }; static const uint16_t kNIDsInShortNameOrder[] = { 
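Review bot: In crypto/fipsmodule/dh/internal.h the two new getters are declared `OPENSSL_EXPORT` from an internal header without a comment saying whether they are meant to be public API, and their doc comments do not state who owns the returned `DH`. If the intent is that callers reach these groups only through `DH_new_by_nid` (an assumption, the reason for the placement is not visible here), say so, e.g. `// Not part of the public API; use DH_new_by_nid(NID_ffdhe3072).` I would also add `// The caller owns the result and must free it with DH_free.`, which matches how the tests wrap the result of `DH_new_by_nid` in `bssl::UniquePtr`.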
@@ -9248,7 +9250,9 @@ static const uint16_t kNIDsInShortNameOrder[] = { 867 /* facsimileTelephoneNumber */, 462 /* favouriteDrink */, 976 /* ffdhe2048 */, + 983 /* ffdhe3072 */, 977 /* ffdhe4096 */, + 984 /* ffdhe8192 */, 857 /* freshestCRL */, 453 /* friendlyCountry */, 490 /* friendlyCountryName */, @@ -10222,7 +10226,9 @@ static const uint16_t kNIDsInLongNameOrder[] = { 867 /* facsimileTelephoneNumber */, 462 /* favouriteDrink */, 976 /* ffdhe2048 */, + 983 /* ffdhe3072 */, 977 /* ffdhe4096 */, + 984 /* ffdhe8192 */, 453 /* friendlyCountry */, 490 /* friendlyCountryName */, 156 /* friendlyName */, diff --git a/crypto/obj/obj_mac.num b/crypto/obj/obj_mac.num index b1948089bb..c95416ed35 100644 --- a/crypto/obj/obj_mac.num +++ b/crypto/obj/obj_mac.num @@ -970,3 +970,5 @@ shake128 979 shake256 980 SecP256r1Kyber768Draft00 981 X25519Kyber768Draft00 982 +ffdhe3072 983 +ffdhe8192 984 diff --git a/crypto/obj/objects.txt b/crypto/obj/objects.txt index 2503babf3a..4a43a612b7 100644 --- a/crypto/obj/objects.txt +++ b/crypto/obj/objects.txt @@ -129,7 +129,9 @@ secg-ellipticCurve 39 : sect571r1 # Finite field diffie hellman groups : ffdhe2048 + : ffdhe3072 : ffdhe4096 + : ffdhe8192 # PQ Groups : SecP256r1Kyber768Draft00 diff --git a/include/openssl/nid.h b/include/openssl/nid.h index aa2e31e18a..49a79ff9cc 100644 --- a/include/openssl/nid.h +++ b/include/openssl/nid.h @@ -4325,6 +4325,12 @@ extern "C" { #define SN_X25519Kyber768Draft00 "X25519Kyber768Draft00" #define NID_X25519Kyber768Draft00 982 +#define SN_ffdhe3072 "ffdhe3072" +#define NID_ffdhe3072 983 + +#define SN_ffdhe8192 "ffdhe8192" +#define NID_ffdhe8192 984 + #if defined(__cplusplus) } /* extern C */ #endif diff --git a/tests/ci/integration/run_mysql_integration.sh b/tests/ci/integration/run_mysql_integration.sh index 3669eecb1a..24cae6202f 100755 --- a/tests/ci/integration/run_mysql_integration.sh +++ b/tests/ci/integration/run_mysql_integration.sh 
@@ -4,7 +4,7 @@ source tests/ci/common_posix_setup.sh -MYSQL_VERSION_TAG="mysql-8.0.33" +MYSQL_VERSION_TAG="mysql-8.1.0" # This directory is specific to the docker image used. Use -DDOWNLOAD_BOOST=1 -DWITH_BOOST= # with mySQL to download a compatible boost version locally. BOOST_INSTALL_FOLDER=/home/dependencies/boost @@ -61,6 +61,7 @@ function mysql_run_tests() { # currently support this. echo "main.mysqlpump_bugs : Bug#0000 Can't create/open a file ~/dump.sql' main.restart_server : Bug#0000 mysqld is not managed by supervisor process +main.udf_bug35242734 : Bug#0000 mysqld is not managed by supervisor process main.file_contents : Bug#0000 Cannot open 'INFO_SRC' in '' main.resource_group_thr_prio_unsupported : Bug#0000 Invalid thread priority value -5 main.dd_upgrade_error : Bug#0000 running mysqld as root @@ -83,10 +84,11 @@ main.ssl : Bug#0001 Uses DHE cipher suites in test, which AWS-LC does not suppor main.ssl_cipher : Bug#0001 Uses DHE cipher suites in test, which AWS-LC does not support. main.ssl_dynamic : Bug#0001 Uses DHE cipher suites in test, which AWS-LC does not support. main.ssl-sha512 : Bug#0001 Uses DHE cipher suites in test, which AWS-LC does not support. +main.client_ssl_data_print : Bug#0002 AWS-LC does not support Stateful session resumption (Session Caching). main.ssl_cache : Bug#0002 AWS-LC does not support Stateful session resumption (Session Caching). main.ssl_cache_tls13 : Bug#0002 AWS-LC does not support Stateful session resumption (Session Caching). "> skiplist - ./mtr --suite=main --force --parallel=auto --skip-test-list=${MYSQL_BUILD_FOLDER}/mysql-test/skiplist --retry-failure=3 + ./mtr --suite=main --force --parallel=auto --skip-test-list=${MYSQL_BUILD_FOLDER}/mysql-test/skiplist --retry-failure=3 --retry=3 --report-unstable-tests popd }
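Review bot: In the last hunk the changed `./mtr` line still expands `${MYSQL_BUILD_FOLDER}` unquoted inside `--skip-test-list=...`, so a build path containing whitespace or glob characters would be word-split into separate arguments; quote it as `--skip-test-list="${MYSQL_BUILD_FOLDER}/mysql-test/skiplist"`. Since the line now also passes `--retry=3`, a test that fails intermittently can pass on a retry, so a short comment above the command explaining why retries are acceptable in this CI job, and that `--report-unstable-tests` is there to surface such tests, would help the next maintainer. `mysql_run_tests` starts and ends outside the hunk.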