summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-1.patch618
-rw-r--r--meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-2.patch358
-rw-r--r--meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-3.patch41
-rw-r--r--meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-4.patch441
-rw-r--r--meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-5.patch284
-rw-r--r--meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-6.patch57
-rw-r--r--meta/recipes-connectivity/openssl/openssl_3.0.17.bb8
7 files changed, 1806 insertions, 1 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-1.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-1.patch
new file mode 100644
index 0000000000..234fe7b8aa
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-1.patch
@@ -0,0 +1,618 @@
1From 24734088e1034392de981151dfe57e3a379ada18 Mon Sep 17 00:00:00 2001
2From: Hubert Kario <hkario@redhat.com>
3Date: Tue, 15 Mar 2022 13:58:08 +0100
4Subject: [PATCH 1/3] rsa: add implicit rejection in PKCS#1 v1.5
5
6The RSA decryption as implemented before required very careful handling
7of both the exit code returned by OpenSSL and the potentially returned
8ciphertext. Looking at the recent security vulnerabilities
9(CVE-2020-25659 and CVE-2020-25657) it is unlikely that most users of
10OpenSSL do it correctly.
11
12Given that correct code requires side channel secure programming in
13application code, we can classify the existing RSA decryption methods
14as CWE-676, which in turn likely causes CWE-208 and CWE-385 in
15application code.
16
17To prevent that, we can use a technique called "implicit rejection".
18For that we generate a random message to be returned in case the
19padding check fails. We generate the message based on static secret
20data (the private exponent) and the provided ciphertext (so that the
21attacker cannot determine that the returned value is randomly generated
22instead of result of decryption and de-padding). We return it in case
23any part of padding check fails.
24
25The upshot of this approach is that then not only is the length of the
26returned message useless as the Bleichenbacher oracle, so are the
27actual bytes of the returned message. So application code doesn't have
28to perform any operations on the returned message in side-channel free
29way to remain secure against Bleichenbacher attacks.
30
31Note: this patch implements a specific algorithm, shared with Mozilla
32NSS, so that the attacker cannot use one library as an oracle against the
33other in heterogeneous environments.
34
35CVE: CVE-2023-50781
36
37Upstream-Status: Backport
38[https://github.com/openssl/openssl/commit/7fc67e0a33102aa47bbaa56533eeecb98c0450f7]
39
40Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
41Reviewed-by: Tim Hudson <tjh@openssl.org>
42Reviewed-by: Tomas Mraz <tomas@openssl.org>
43(Merged from https://github.com/openssl/openssl/pull/13817)
44
45Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
46---
47 crypto/rsa/rsa_ossl.c | 95 +++++++-
48 crypto/rsa/rsa_pk1.c | 252 ++++++++++++++++++++++
49 doc/man1/openssl-pkeyutl.pod.in | 5 +
50 doc/man1/openssl-rsautl.pod.in | 5 +
51 doc/man3/EVP_PKEY_CTX_ctrl.pod | 7 +
52 doc/man3/EVP_PKEY_decrypt.pod | 12 ++
53 doc/man3/RSA_padding_add_PKCS1_type_1.pod | 7 +-
54 doc/man3/RSA_public_encrypt.pod | 11 +-
55 include/crypto/rsa.h | 4 +
56 9 files changed, 393 insertions(+), 5 deletions(-)
57
58diff --git a/crypto/rsa/rsa_ossl.c b/crypto/rsa/rsa_ossl.c
59index 0fc642e777..330302ae55 100644
60--- a/crypto/rsa/rsa_ossl.c
61+++ b/crypto/rsa/rsa_ossl.c
62@@ -17,6 +17,9 @@
63 #include "crypto/bn.h"
64 #include "rsa_local.h"
65 #include "internal/constant_time.h"
66+#include <openssl/evp.h>
67+#include <openssl/sha.h>
68+#include <openssl/hmac.h>
69
70 static int rsa_ossl_public_encrypt(int flen, const unsigned char *from,
71 unsigned char *to, RSA *rsa, int padding);
72@@ -377,8 +380,13 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
73 BIGNUM *f, *ret;
74 int j, num = 0, r = -1;
75 unsigned char *buf = NULL;
76+ unsigned char d_hash[SHA256_DIGEST_LENGTH] = {0};
77+ HMAC_CTX *hmac = NULL;
78+ unsigned int md_len = SHA256_DIGEST_LENGTH;
79+ unsigned char kdk[SHA256_DIGEST_LENGTH] = {0};
80 BN_CTX *ctx = NULL;
81 int local_blinding = 0;
82+ EVP_MD *md = NULL;
83 /*
84 * Used only if the blinding structure is shared. A non-NULL unblind
85 * instructs rsa_blinding_convert() and rsa_blinding_invert() to store
86@@ -408,6 +416,11 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
87 goto err;
88 }
89
90+ if (flen < 1) {
91+ ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_SMALL);
92+ goto err;
93+ }
94+
95 /* make data into a big number */
96 if (BN_bin2bn(from, (int)flen, f) == NULL)
97 goto err;
98@@ -472,13 +485,91 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
99 if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
100 goto err;
101
102+ /*
103+ * derive the Key Derivation Key from private exponent and public
104+ * ciphertext
105+ */
106+ if (!(rsa->flags & RSA_FLAG_EXT_PKEY)) {
107+ /*
108+ * because we use d as a handle to rsa->d we need to keep it local and
109+ * free before any further use of rsa->d
110+ */
111+ BIGNUM *d = BN_new();
112+ if (d == NULL) {
113+ ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE);
114+ goto err;
115+ }
116+ if (rsa->d == NULL) {
117+ ERR_raise(ERR_LIB_RSA, RSA_R_MISSING_PRIVATE_KEY);
118+ BN_free(d);
119+ goto err;
120+ }
121+ BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
122+ if (BN_bn2binpad(d, buf, num) < 0) {
123+ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
124+ BN_free(d);
125+ goto err;
126+ }
127+ BN_free(d);
128+
129+ /*
130+ * we use hardcoded hash so that migrating between versions that use
131+ * different hash doesn't provide a Bleichenbacher oracle:
132+ * if the attacker can see that different versions return different
133+ * messages for the same ciphertext, they'll know that the message is
134+ * syntethically generated, which means that the padding check failed
135+ */
136+ md = EVP_MD_fetch(rsa->libctx, "sha256", NULL);
137+ if (md == NULL) {
138+ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
139+ goto err;
140+ }
141+
142+ if (EVP_Digest(buf, num, d_hash, NULL, md, NULL) <= 0) {
143+ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
144+ goto err;
145+ }
146+
147+ hmac = HMAC_CTX_new();
148+ if (hmac == NULL) {
149+ ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE);
150+ goto err;
151+ }
152+
153+ if (HMAC_Init_ex(hmac, d_hash, sizeof(d_hash), md, NULL) <= 0) {
154+ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
155+ goto err;
156+ }
157+
158+ if (flen < num) {
159+ memset(buf, 0, num - flen);
160+ if (HMAC_Update(hmac, buf, num - flen) <= 0) {
161+ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
162+ goto err;
163+ }
164+ }
165+ if (HMAC_Update(hmac, from, flen) <= 0) {
166+ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
167+ goto err;
168+ }
169+
170+ md_len = SHA256_DIGEST_LENGTH;
171+ if (HMAC_Final(hmac, kdk, &md_len) <= 0) {
172+ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
173+ goto err;
174+ }
175+ }
176+
177 j = BN_bn2binpad(ret, buf, num);
178 if (j < 0)
179 goto err;
180
181 switch (padding) {
182 case RSA_PKCS1_PADDING:
183- r = RSA_padding_check_PKCS1_type_2(to, num, buf, j, num);
184+ if (rsa->flags & RSA_FLAG_EXT_PKEY)
185+ r = RSA_padding_check_PKCS1_type_2(to, num, buf, j, num);
186+ else
187+ r = ossl_rsa_padding_check_PKCS1_type_2(rsa->libctx, to, num, buf, j, num, kdk);
188 break;
189 case RSA_PKCS1_OAEP_PADDING:
190 r = RSA_padding_check_PKCS1_OAEP(to, num, buf, j, num, NULL, 0);
191@@ -501,6 +592,8 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
192 #endif
193
194 err:
195+ HMAC_CTX_free(hmac);
196+ EVP_MD_free(md);
197 BN_CTX_end(ctx);
198 BN_CTX_free(ctx);
199 OPENSSL_clear_free(buf, num);
200diff --git a/crypto/rsa/rsa_pk1.c b/crypto/rsa/rsa_pk1.c
201index 51507fc030..5cd2b26879 100644
202--- a/crypto/rsa/rsa_pk1.c
203+++ b/crypto/rsa/rsa_pk1.c
204@@ -21,10 +21,14 @@
205 #include <openssl/rand.h>
206 /* Just for the SSL_MAX_MASTER_KEY_LENGTH value */
207 #include <openssl/prov_ssl.h>
208+#include <openssl/evp.h>
209+#include <openssl/sha.h>
210+#include <openssl/hmac.h>
211 #include "internal/cryptlib.h"
212 #include "crypto/rsa.h"
213 #include "rsa_local.h"
214
215+
216 int RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen,
217 const unsigned char *from, int flen)
218 {
219@@ -273,6 +277,254 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
220 return constant_time_select_int(good, mlen, -1);
221 }
222
223+
224+static int ossl_rsa_prf(OSSL_LIB_CTX *ctx,
225+ unsigned char *to, int tlen,
226+ const char *label, int llen,
227+ const unsigned char *kdk,
228+ uint16_t bitlen)
229+{
230+ int pos;
231+ int ret = -1;
232+ uint16_t iter = 0;
233+ unsigned char be_iter[sizeof(iter)];
234+ unsigned char be_bitlen[sizeof(bitlen)];
235+ HMAC_CTX *hmac = NULL;
236+ EVP_MD *md = NULL;
237+ unsigned char hmac_out[SHA256_DIGEST_LENGTH];
238+ unsigned int md_len;
239+
240+ if (tlen * 8 != bitlen) {
241+ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
242+ return ret;
243+ }
244+
245+ be_bitlen[0] = (bitlen >> 8) & 0xff;
246+ be_bitlen[1] = bitlen & 0xff;
247+
248+ hmac = HMAC_CTX_new();
249+ if (hmac == NULL) {
250+ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
251+ goto err;
252+ }
253+
254+ /*
255+ * we use hardcoded hash so that migrating between versions that use
256+ * different hash doesn't provide a Bleichenbacher oracle:
257+ * if the attacker can see that different versions return different
258+ * messages for the same ciphertext, they'll know that the message is
259+ * syntethically generated, which means that the padding check failed
260+ */
261+ md = EVP_MD_fetch(ctx, "sha256", NULL);
262+ if (md == NULL) {
263+ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
264+ goto err;
265+ }
266+
267+ if (HMAC_Init_ex(hmac, kdk, SHA256_DIGEST_LENGTH, md, NULL) <= 0) {
268+ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
269+ goto err;
270+ }
271+
272+ for (pos = 0; pos < tlen; pos += SHA256_DIGEST_LENGTH, iter++) {
273+ if (HMAC_Init_ex(hmac, NULL, 0, NULL, NULL) <= 0) {
274+ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
275+ goto err;
276+ }
277+
278+ be_iter[0] = (iter >> 8) & 0xff;
279+ be_iter[1] = iter & 0xff;
280+
281+ if (HMAC_Update(hmac, be_iter, sizeof(be_iter)) <= 0) {
282+ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
283+ goto err;
284+ }
285+ if (HMAC_Update(hmac, (unsigned char *)label, llen) <= 0) {
286+ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
287+ goto err;
288+ }
289+ if (HMAC_Update(hmac, be_bitlen, sizeof(be_bitlen)) <= 0) {
290+ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
291+ goto err;
292+ }
293+
294+ /*
295+ * HMAC_Final requires the output buffer to fit the whole MAC
296+ * value, so we need to use the intermediate buffer for the last
297+ * unaligned block
298+ */
299+ md_len = SHA256_DIGEST_LENGTH;
300+ if (pos + SHA256_DIGEST_LENGTH > tlen) {
301+ if (HMAC_Final(hmac, hmac_out, &md_len) <= 0) {
302+ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
303+ goto err;
304+ }
305+ memcpy(to + pos, hmac_out, tlen - pos);
306+ } else {
307+ if (HMAC_Final(hmac, to + pos, &md_len) <= 0) {
308+ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
309+ goto err;
310+ }
311+ }
312+ }
313+
314+ ret = 0;
315+
316+err:
317+ HMAC_CTX_free(hmac);
318+ EVP_MD_free(md);
319+ return ret;
320+}
321+
322+/*
323+ * ossl_rsa_padding_check_PKCS1_type_2() checks and removes the PKCS#1 type 2
324+ * padding from a decrypted RSA message. Unlike the
325+ * RSA_padding_check_PKCS1_type_2() it will not return an error in case it
326+ * detects a padding error, rather it will return a deterministically generated
327+ * random message. In other words it will perform an implicit rejection
328+ * of an invalid padding. This means that the returned value does not indicate
329+ * if the padding of the encrypted message was correct or not, making
330+ * side channel attacks like the ones described by Bleichenbacher impossible
331+ * without access to the full decrypted value and a brute-force search of
332+ * remaining padding bytes
333+ */
334+int ossl_rsa_padding_check_PKCS1_type_2(OSSL_LIB_CTX *ctx,
335+ unsigned char *to, int tlen,
336+ const unsigned char *from, int flen,
337+ int num, unsigned char *kdk)
338+{
339+/*
340+ * We need to generate a random length for the synthethic message, to avoid
341+ * bias towards zero and avoid non-constant timeness of DIV, we prepare
342+ * 128 values to check if they are not too large for the used key size,
343+ * and use 0 in case none of them are small enough, as 2^-128 is a good enough
344+ * safety margin
345+ */
346+#define MAX_LEN_GEN_TRIES 128
347+ unsigned char *synthetic = NULL;
348+ int synthethic_length;
349+ uint16_t len_candidate;
350+ unsigned char candidate_lengths[MAX_LEN_GEN_TRIES * sizeof(len_candidate)];
351+ uint16_t len_mask;
352+ uint16_t max_sep_offset;
353+ int synth_msg_index = 0;
354+ int ret = -1;
355+ int i, j;
356+ unsigned int good, found_zero_byte;
357+ int zero_index = 0, msg_index;
358+
359+ /*
360+ * If these checks fail then either the message in publicly invalid, or
361+ * we've been called incorrectly. We can fail immediately.
362+ * Since this code is called only internally by openssl, those are just
363+ * sanity checks
364+ */
365+ if (num != flen || tlen <= 0 || flen <= 0) {
366+ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
367+ return -1;
368+ }
369+
370+ /* Generate a random message to return in case the padding checks fail */
371+ synthetic = OPENSSL_malloc(flen);
372+ if (synthetic == NULL) {
373+ ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE);
374+ return -1;
375+ }
376+
377+ if (ossl_rsa_prf(ctx, synthetic, flen, "message", 7, kdk, flen * 8) < 0)
378+ goto err;
379+
380+ /* decide how long the random message should be */
381+ if (ossl_rsa_prf(ctx, candidate_lengths, sizeof(candidate_lengths),
382+ "length", 6, kdk,
383+ MAX_LEN_GEN_TRIES * sizeof(len_candidate) * 8) < 0)
384+ goto err;
385+
386+ /*
387+ * max message size is the size of the modulus size less 2 bytes for
388+ * version and padding type and a minimum of 8 bytes padding
389+ */
390+ len_mask = max_sep_offset = flen - 2 - 8;
391+ /*
392+ * we want a mask so lets propagate the high bit to all positions less
393+ * significant than it
394+ */
395+ len_mask |= len_mask >> 1;
396+ len_mask |= len_mask >> 2;
397+ len_mask |= len_mask >> 4;
398+ len_mask |= len_mask >> 8;
399+
400+ synthethic_length = 0;
401+ for (i = 0; i < MAX_LEN_GEN_TRIES * (int)sizeof(len_candidate);
402+ i += sizeof(len_candidate)) {
403+ len_candidate = (candidate_lengths[i] << 8) | candidate_lengths[i + 1];
404+ len_candidate &= len_mask;
405+
406+ synthethic_length = constant_time_select_int(
407+ constant_time_lt(len_candidate, max_sep_offset),
408+ len_candidate, synthethic_length);
409+ }
410+
411+ synth_msg_index = flen - synthethic_length;
412+
413+ /* we have alternative message ready, check the real one */
414+ good = constant_time_is_zero(from[0]);
415+ good &= constant_time_eq(from[1], 2);
416+
417+ /* then look for the padding|message separator (the first zero byte) */
418+ found_zero_byte = 0;
419+ for (i = 2; i < flen; i++) {
420+ unsigned int equals0 = constant_time_is_zero(from[i]);
421+ zero_index = constant_time_select_int(~found_zero_byte & equals0,
422+ i, zero_index);
423+ found_zero_byte |= equals0;
424+ }
425+
426+ /*
427+ * padding must be at least 8 bytes long, and it starts two bytes into
428+ * |from|. If we never found a 0-byte, then |zero_index| is 0 and the check
429+ * also fails.
430+ */
431+ good &= constant_time_ge(zero_index, 2 + 8);
432+
433+ /*
434+ * Skip the zero byte. This is incorrect if we never found a zero-byte
435+ * but in this case we also do not copy the message out.
436+ */
437+ msg_index = zero_index + 1;
438+
439+ /*
440+ * old code returned an error in case the decrypted message wouldn't fit
441+ * into the |to|, since that would leak information, return the synthethic
442+ * message instead
443+ */
444+ good &= constant_time_ge(tlen, num - msg_index);
445+
446+ msg_index = constant_time_select_int(good, msg_index, synth_msg_index);
447+
448+ /*
449+ * since at this point the |msg_index| does not provide the signal
450+ * indicating if the padding check failed or not, we don't have to worry
451+ * about leaking the length of returned message, we still need to ensure
452+ * that we read contents of both buffers so that cache accesses don't leak
453+ * the value of |good|
454+ */
455+ for (i = msg_index, j = 0; i < flen && j < tlen; i++, j++)
456+ to[j] = constant_time_select_8(good, from[i], synthetic[i]);
457+ ret = j;
458+
459+err:
460+ /*
461+ * the only time ret < 0 is when the ciphertext is publicly invalid
462+ * or we were called with invalid parameters, so we don't have to perform
463+ * a side-channel secure raising of the error
464+ */
465+ if (ret < 0)
466+ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
467+ OPENSSL_free(synthetic);
468+ return ret;
469+}
470+
471 /*
472 * ossl_rsa_padding_check_PKCS1_type_2_TLS() checks and removes the PKCS1 type 2
473 * padding from a decrypted RSA message in a TLS signature. The result is stored
474diff --git a/doc/man1/openssl-pkeyutl.pod.in b/doc/man1/openssl-pkeyutl.pod.in
475index 2f6ef0021d..015265a74d 100644
476--- a/doc/man1/openssl-pkeyutl.pod.in
477+++ b/doc/man1/openssl-pkeyutl.pod.in
478@@ -273,6 +273,11 @@ signed or verified directly instead of using a B<DigestInfo> structure. If a
479 digest is set, then the B<DigestInfo> structure is used and its length
480 must correspond to the digest type.
481
482+Note, for B<pkcs1> padding, as a protection against Bleichenbacher attack,
483+the decryption will not fail in case of padding check failures. Use B<none>
484+and manual inspection of the decrypted message to verify if the decrypted
485+value has correct PKCS#1 v1.5 padding.
486+
487 For B<oaep> mode only encryption and decryption is supported.
488
489 For B<x931> if the digest type is set it is used to format the block data
490diff --git a/doc/man1/openssl-rsautl.pod.in b/doc/man1/openssl-rsautl.pod.in
491index 0a32fd965b..4c462abc8c 100644
492--- a/doc/man1/openssl-rsautl.pod.in
493+++ b/doc/man1/openssl-rsautl.pod.in
494@@ -105,6 +105,11 @@ The padding to use: PKCS#1 v1.5 (the default), PKCS#1 OAEP,
495 ANSI X9.31, or no padding, respectively.
496 For signatures, only B<-pkcs> and B<-raw> can be used.
497
498+Note: because of protection against Bleichenbacher attacks, decryption
499+using PKCS#1 v1.5 mode will not return errors in case padding check failed.
500+Use B<-raw> and inspect the returned value manually to check if the
501+padding is correct.
502+
503 =item B<-hexdump>
504
505 Hex dump the output data.
506diff --git a/doc/man3/EVP_PKEY_CTX_ctrl.pod b/doc/man3/EVP_PKEY_CTX_ctrl.pod
507index 3075eaafd6..e788f38809 100644
508--- a/doc/man3/EVP_PKEY_CTX_ctrl.pod
509+++ b/doc/man3/EVP_PKEY_CTX_ctrl.pod
510@@ -386,6 +386,13 @@ this behaviour should be tolerated then
511 OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION should be set to the actual
512 negotiated protocol version. Otherwise it should be left unset.
513
514+Similarly to the B<RSA_PKCS1_WITH_TLS_PADDING> above, since OpenSSL version
515+3.1.0, the use of B<RSA_PKCS1_PADDING> will return a randomly generated message
516+instead of padding errors in case padding checks fail. Applications that
517+want to remain secure while using earlier versions of OpenSSL, still need to
518+handle both the error code from the RSA decryption operation and the
519+returned message in a side channel secure manner.
520+
521 =head2 DSA parameters
522
523 EVP_PKEY_CTX_set_dsa_paramgen_bits() sets the number of bits used for DSA
524diff --git a/doc/man3/EVP_PKEY_decrypt.pod b/doc/man3/EVP_PKEY_decrypt.pod
525index b6f9bad5f1..898535a7a2 100644
526--- a/doc/man3/EVP_PKEY_decrypt.pod
527+++ b/doc/man3/EVP_PKEY_decrypt.pod
528@@ -51,6 +51,18 @@ return 1 for success and 0 or a negative value for failure. In particular a
529 return value of -2 indicates the operation is not supported by the public key
530 algorithm.
531
532+=head1 WARNINGS
533+
534+In OpenSSL versions before 3.1.0, when used in PKCS#1 v1.5 padding,
535+both the return value from the EVP_PKEY_decrypt() and the B<outlen> provided
536+information useful in mounting a Bleichenbacher attack against the
537+used private key. They had to processed in a side-channel free way.
538+
539+Since version 3.1.0, the EVP_PKEY_decrypt() method when used with PKCS#1
540+v1.5 padding doesn't return an error in case it detects an error in padding,
541+instead it returns a pseudo-randomly generated message, removing the need
542+of side-channel secure code from applications using OpenSSL.
543+
544 =head1 EXAMPLES
545
546 Decrypt data using OAEP (for RSA keys):
547diff --git a/doc/man3/RSA_padding_add_PKCS1_type_1.pod b/doc/man3/RSA_padding_add_PKCS1_type_1.pod
548index 9f7025c497..36ae18563f 100644
549--- a/doc/man3/RSA_padding_add_PKCS1_type_1.pod
550+++ b/doc/man3/RSA_padding_add_PKCS1_type_1.pod
551@@ -121,8 +121,8 @@ L<ERR_get_error(3)>.
552
553 =head1 WARNINGS
554
555-The result of RSA_padding_check_PKCS1_type_2() is a very sensitive
556-information which can potentially be used to mount a Bleichenbacher
557+The result of RSA_padding_check_PKCS1_type_2() is exactly the
558+information which is used to mount a classical Bleichenbacher
559 padding oracle attack. This is an inherent weakness in the PKCS #1
560 v1.5 padding design. Prefer PKCS1_OAEP padding. If that is not
561 possible, the result of RSA_padding_check_PKCS1_type_2() should be
562@@ -137,6 +137,9 @@ as this would create a small timing side channel which could be
563 used to mount a Bleichenbacher attack against any padding mode
564 including PKCS1_OAEP.
565
566+You should prefer the use of EVP PKEY APIs for PKCS#1 v1.5 decryption
567+as they implement the necessary workarounds internally.
568+
569 =head1 SEE ALSO
570
571 L<RSA_public_encrypt(3)>,
572diff --git a/doc/man3/RSA_public_encrypt.pod b/doc/man3/RSA_public_encrypt.pod
573index 1d38073aea..bd3f835ac6 100644
574--- a/doc/man3/RSA_public_encrypt.pod
575+++ b/doc/man3/RSA_public_encrypt.pod
576@@ -52,8 +52,8 @@ Encrypting user data directly with RSA is insecure.
577
578 =back
579
580-B<flen> must not be more than RSA_size(B<rsa>) - 11 for the PKCS #1 v1.5
581-based padding modes, not more than RSA_size(B<rsa>) - 42 for
582+When encrypting B<flen> must not be more than RSA_size(B<rsa>) - 11 for the
583+PKCS #1 v1.5 based padding modes, not more than RSA_size(B<rsa>) - 42 for
584 RSA_PKCS1_OAEP_PADDING and exactly RSA_size(B<rsa>) for RSA_NO_PADDING.
585 When a padding mode other than RSA_NO_PADDING is in use, then
586 RSA_public_encrypt() will include some random bytes into the ciphertext
587@@ -92,6 +92,13 @@ which can potentially be used to mount a Bleichenbacher padding oracle
588 attack. This is an inherent weakness in the PKCS #1 v1.5 padding
589 design. Prefer RSA_PKCS1_OAEP_PADDING.
590
591+In OpenSSL before version 3.1.0, both the return value and the length of
592+returned value could be used to mount the Bleichenbacher attack.
593+Since version 3.1.0, OpenSSL does not return an error in case of padding
594+checks failed. Instead it generates a random message based on used private
595+key and provided ciphertext so that application code doesn't have to implement
596+a side-channel secure error handling.
597+
598 =head1 CONFORMING TO
599
600 SSL, PKCS #1 v2.0
601diff --git a/include/crypto/rsa.h b/include/crypto/rsa.h
602index 949873d0ee..f267e5d9d1 100644
603--- a/include/crypto/rsa.h
604+++ b/include/crypto/rsa.h
605@@ -83,6 +83,10 @@ int ossl_rsa_param_decode(RSA *rsa, const X509_ALGOR *alg);
606 RSA *ossl_rsa_key_from_pkcs8(const PKCS8_PRIV_KEY_INFO *p8inf,
607 OSSL_LIB_CTX *libctx, const char *propq);
608
609+int ossl_rsa_padding_check_PKCS1_type_2(OSSL_LIB_CTX *ctx,
610+ unsigned char *to, int tlen,
611+ const unsigned char *from, int flen,
612+ int num, unsigned char *kdk);
613 int ossl_rsa_padding_check_PKCS1_type_2_TLS(OSSL_LIB_CTX *ctx, unsigned char *to,
614 size_t tlen,
615 const unsigned char *from,
616--
6172.34.1
618
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-2.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-2.patch
new file mode 100644
index 0000000000..b336d9e850
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-2.patch
@@ -0,0 +1,358 @@
1From e92f0cd3b03e5aca948b03df7e3d02e536700f68 Mon Sep 17 00:00:00 2001
2From: Hubert Kario <hkario@redhat.com>
3Date: Thu, 27 Oct 2022 19:16:58 +0200
4Subject: [PATCH 2/3] rsa: Add option to disable implicit rejection
5
6CVE: CVE-2023-50781
7
8Upstream-Status: Backport
9[https://github.com/openssl/openssl/commit/5ab3ec1bb1eaa795d775f5896818cfaa84d33a1a]
10
11Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
12Reviewed-by: Tim Hudson <tjh@openssl.org>
13Reviewed-by: Tomas Mraz <tomas@openssl.org>
14(Merged from https://github.com/openssl/openssl/pull/13817)
15
16Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
17---
18 crypto/cms/cms_env.c | 7 +++++
19 crypto/evp/ctrl_params_translate.c | 6 +++++
20 crypto/rsa/rsa_ossl.c | 16 ++++++++----
21 crypto/rsa/rsa_pmeth.c | 20 +++++++++++++-
22 doc/man1/openssl-pkeyutl.pod.in | 10 +++++++
23 doc/man3/EVP_PKEY_CTX_ctrl.pod | 2 ++
24 doc/man7/provider-asym_cipher.pod | 9 +++++++
25 include/openssl/core_names.h | 2 ++
26 include/openssl/rsa.h | 5 ++++
27 .../implementations/asymciphers/rsa_enc.c | 26 +++++++++++++++++--
28 10 files changed, 95 insertions(+), 8 deletions(-)
29
30diff --git a/crypto/cms/cms_env.c b/crypto/cms/cms_env.c
31index 445a16fb77..49b0289114 100644
32--- a/crypto/cms/cms_env.c
33+++ b/crypto/cms/cms_env.c
34@@ -581,6 +581,13 @@ static int cms_RecipientInfo_ktri_decrypt(CMS_ContentInfo *cms,
35 if (!ossl_cms_env_asn1_ctrl(ri, 1))
36 goto err;
37
38+ if (EVP_PKEY_is_a(pkey, "RSA"))
39+ /* upper layer CMS code incorrectly assumes that a successful RSA
40+ * decryption means that the key matches ciphertext (which never
41+ * was the case, implicit rejection or not), so to make it work
42+ * disable implicit rejection for RSA keys */
43+ EVP_PKEY_CTX_ctrl_str(ktri->pctx, "rsa_pkcs1_implicit_rejection", "0");
44+
45 if (EVP_PKEY_decrypt(ktri->pctx, NULL, &eklen,
46 ktri->encryptedKey->data,
47 ktri->encryptedKey->length) <= 0)
48diff --git a/crypto/evp/ctrl_params_translate.c b/crypto/evp/ctrl_params_translate.c
49index 44d0895bcf..db7325439a 100644
50--- a/crypto/evp/ctrl_params_translate.c
51+++ b/crypto/evp/ctrl_params_translate.c
52@@ -2269,6 +2269,12 @@ static const struct translation_st evp_pkey_ctx_translations[] = {
53 EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL, NULL, NULL,
54 OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL, OSSL_PARAM_OCTET_PTR, NULL },
55
56+ { SET, EVP_PKEY_RSA, 0, EVP_PKEY_OP_TYPE_CRYPT,
57+ EVP_PKEY_CTRL_RSA_IMPLICIT_REJECTION, NULL,
58+ "rsa_pkcs1_implicit_rejection",
59+ OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION, OSSL_PARAM_UNSIGNED_INTEGER,
60+ NULL },
61+
62 { SET, EVP_PKEY_RSA_PSS, 0, EVP_PKEY_OP_TYPE_GEN,
63 EVP_PKEY_CTRL_MD, "rsa_pss_keygen_md", NULL,
64 OSSL_ALG_PARAM_DIGEST, OSSL_PARAM_UTF8_STRING, fix_md },
65diff --git a/crypto/rsa/rsa_ossl.c b/crypto/rsa/rsa_ossl.c
66index 330302ae55..4bdacd5ed9 100644
67--- a/crypto/rsa/rsa_ossl.c
68+++ b/crypto/rsa/rsa_ossl.c
69@@ -395,6 +395,12 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
70 BIGNUM *unblind = NULL;
71 BN_BLINDING *blinding = NULL;
72
73+ /*
74+ * we need the value of the private exponent to perform implicit rejection
75+ */
76+ if ((rsa->flags & RSA_FLAG_EXT_PKEY) && (padding == RSA_PKCS1_PADDING))
77+ padding = RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING;
78+
79 if ((ctx = BN_CTX_new_ex(rsa->libctx)) == NULL)
80 goto err;
81 BN_CTX_start(ctx);
82@@ -489,7 +495,7 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
83 * derive the Key Derivation Key from private exponent and public
84 * ciphertext
85 */
86- if (!(rsa->flags & RSA_FLAG_EXT_PKEY)) {
87+ if (padding == RSA_PKCS1_PADDING) {
88 /*
89 * because we use d as a handle to rsa->d we need to keep it local and
90 * free before any further use of rsa->d
91@@ -565,11 +571,11 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
92 goto err;
93
94 switch (padding) {
95+ case RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING:
96+ r = RSA_padding_check_PKCS1_type_2(to, num, buf, j, num);
97+ break;
98 case RSA_PKCS1_PADDING:
99- if (rsa->flags & RSA_FLAG_EXT_PKEY)
100- r = RSA_padding_check_PKCS1_type_2(to, num, buf, j, num);
101- else
102- r = ossl_rsa_padding_check_PKCS1_type_2(rsa->libctx, to, num, buf, j, num, kdk);
103+ r = ossl_rsa_padding_check_PKCS1_type_2(rsa->libctx, to, num, buf, j, num, kdk);
104 break;
105 case RSA_PKCS1_OAEP_PADDING:
106 r = RSA_padding_check_PKCS1_OAEP(to, num, buf, j, num, NULL, 0);
107diff --git a/crypto/rsa/rsa_pmeth.c b/crypto/rsa/rsa_pmeth.c
108index 0bf5ac098a..81b031f81b 100644
109--- a/crypto/rsa/rsa_pmeth.c
110+++ b/crypto/rsa/rsa_pmeth.c
111@@ -52,6 +52,8 @@ typedef struct {
112 /* OAEP label */
113 unsigned char *oaep_label;
114 size_t oaep_labellen;
115+ /* if to use implicit rejection in PKCS#1 v1.5 decryption */
116+ int implicit_rejection;
117 } RSA_PKEY_CTX;
118
119 /* True if PSS parameters are restricted */
120@@ -72,6 +74,7 @@ static int pkey_rsa_init(EVP_PKEY_CTX *ctx)
121 /* Maximum for sign, auto for verify */
122 rctx->saltlen = RSA_PSS_SALTLEN_AUTO;
123 rctx->min_saltlen = -1;
124+ rctx->implicit_rejection = 1;
125 ctx->data = rctx;
126 ctx->keygen_info = rctx->gentmp;
127 ctx->keygen_info_count = 2;
128@@ -97,6 +100,7 @@ static int pkey_rsa_copy(EVP_PKEY_CTX *dst, const EVP_PKEY_CTX *src)
129 dctx->md = sctx->md;
130 dctx->mgf1md = sctx->mgf1md;
131 dctx->saltlen = sctx->saltlen;
132+ dctx->implicit_rejection = sctx->implicit_rejection;
133 if (sctx->oaep_label) {
134 OPENSSL_free(dctx->oaep_label);
135 dctx->oaep_label = OPENSSL_memdup(sctx->oaep_label, sctx->oaep_labellen);
136@@ -347,6 +351,7 @@ static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx,
137 const unsigned char *in, size_t inlen)
138 {
139 int ret;
140+ int pad_mode;
141 RSA_PKEY_CTX *rctx = ctx->data;
142 /*
143 * Discard const. Its marked as const because this may be a cached copy of
144@@ -367,7 +372,12 @@ static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx,
145 rctx->oaep_labellen,
146 rctx->md, rctx->mgf1md);
147 } else {
148- ret = RSA_private_decrypt(inlen, in, out, rsa, rctx->pad_mode);
149+ if (rctx->pad_mode == RSA_PKCS1_PADDING &&
150+ rctx->implicit_rejection == 0)
151+ pad_mode = RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING;
152+ else
153+ pad_mode = rctx->pad_mode;
154+ ret = RSA_private_decrypt(inlen, in, out, rsa, pad_mode);
155 }
156 *outlen = constant_time_select_s(constant_time_msb_s(ret), *outlen, ret);
157 ret = constant_time_select_int(constant_time_msb(ret), ret, 1);
158@@ -591,6 +601,14 @@ static int pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
159 *(unsigned char **)p2 = rctx->oaep_label;
160 return rctx->oaep_labellen;
161
162+ case EVP_PKEY_CTRL_RSA_IMPLICIT_REJECTION:
163+ if (rctx->pad_mode != RSA_PKCS1_PADDING) {
164+ ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_PADDING_MODE);
165+ return -2;
166+ }
167+ rctx->implicit_rejection = p1;
168+ return 1;
169+
170 case EVP_PKEY_CTRL_DIGESTINIT:
171 case EVP_PKEY_CTRL_PKCS7_SIGN:
172 #ifndef OPENSSL_NO_CMS
173diff --git a/doc/man1/openssl-pkeyutl.pod.in b/doc/man1/openssl-pkeyutl.pod.in
174index 015265a74d..5e62551d34 100644
175--- a/doc/man1/openssl-pkeyutl.pod.in
176+++ b/doc/man1/openssl-pkeyutl.pod.in
177@@ -305,6 +305,16 @@ explicitly set in PSS mode then the signing digest is used.
178 Sets the digest used for the OAEP hash function. If not explicitly set then
179 SHA1 is used.
180
181+=item B<rsa_pkcs1_implicit_rejection:>I<flag>
182+
183+Disables (when set to 0) or enables (when set to 1) the use of implicit
184+rejection with PKCS#1 v1.5 decryption. When enabled (the default), as a
185+protection against Bleichenbacher attack, the library will generate a
186+deterministic random plaintext that it will return to the caller in case
187+of padding check failure.
188+When disabled, it's the callers' responsibility to handle the returned
189+errors in a side-channel free manner.
190+
191 =back
192
193 =head1 RSA-PSS ALGORITHM
194diff --git a/doc/man3/EVP_PKEY_CTX_ctrl.pod b/doc/man3/EVP_PKEY_CTX_ctrl.pod
195index e788f38809..3844aa2199 100644
196--- a/doc/man3/EVP_PKEY_CTX_ctrl.pod
197+++ b/doc/man3/EVP_PKEY_CTX_ctrl.pod
198@@ -392,6 +392,8 @@ instead of padding errors in case padding checks fail. Applications that
199 want to remain secure while using earlier versions of OpenSSL, still need to
200 handle both the error code from the RSA decryption operation and the
201 returned message in a side channel secure manner.
202+This protection against Bleichenbacher attacks can be disabled by setting
203+the OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION (an unsigned integer) to 0.
204
205 =head2 DSA parameters
206
207diff --git a/doc/man7/provider-asym_cipher.pod b/doc/man7/provider-asym_cipher.pod
208index 0976a263a8..2a8426a6ed 100644
209--- a/doc/man7/provider-asym_cipher.pod
210+++ b/doc/man7/provider-asym_cipher.pod
211@@ -234,6 +234,15 @@ The TLS protocol version first requested by the client.
212
213 The negotiated TLS protocol version.
214
215+=item "implicit-rejection" (B<OSSL_PKEY_PARAM_IMPLICIT_REJECTION>) <unsigned integer>
216+
217+Gets of sets the use of the implicit rejection mechanism for RSA PKCS#1 v1.5
218+decryption. When set (non zero value), the decryption API will return
219+a deterministically random value if the PKCS#1 v1.5 padding check fails.
220+This makes explotation of the Bleichenbacher significantly harder, even
221+if the code using the RSA decryption API is not implemented in side-channel
222+free manner. Set by default.
223+
224 =back
225
226 OSSL_FUNC_asym_cipher_gettable_ctx_params() and OSSL_FUNC_asym_cipher_settable_ctx_params()
227diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h
228index 6bed5a8a67..5a350b537f 100644
229--- a/include/openssl/core_names.h
230+++ b/include/openssl/core_names.h
231@@ -292,6 +292,7 @@ extern "C" {
232 #define OSSL_PKEY_PARAM_DIST_ID "distid"
233 #define OSSL_PKEY_PARAM_PUB_KEY "pub"
234 #define OSSL_PKEY_PARAM_PRIV_KEY "priv"
235+#define OSSL_PKEY_PARAM_IMPLICIT_REJECTION "implicit-rejection"
236
237 /* Diffie-Hellman/DSA Parameters */
238 #define OSSL_PKEY_PARAM_FFC_P "p"
239@@ -467,6 +468,7 @@ extern "C" {
240 #define OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL "oaep-label"
241 #define OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION "tls-client-version"
242 #define OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION "tls-negotiated-version"
243+#define OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION "implicit-rejection"
244
245 /*
246 * Encoder / decoder parameters
247diff --git a/include/openssl/rsa.h b/include/openssl/rsa.h
248index a55c9727c6..247f9014e3 100644
249--- a/include/openssl/rsa.h
250+++ b/include/openssl/rsa.h
251@@ -183,6 +183,8 @@ int EVP_PKEY_CTX_get0_rsa_oaep_label(EVP_PKEY_CTX *ctx, unsigned char **label);
252
253 # define EVP_PKEY_CTRL_RSA_KEYGEN_PRIMES (EVP_PKEY_ALG_CTRL + 13)
254
255+# define EVP_PKEY_CTRL_RSA_IMPLICIT_REJECTION (EVP_PKEY_ALG_CTRL + 14)
256+
257 # define RSA_PKCS1_PADDING 1
258 # define RSA_NO_PADDING 3
259 # define RSA_PKCS1_OAEP_PADDING 4
260@@ -192,6 +194,9 @@ int EVP_PKEY_CTX_get0_rsa_oaep_label(EVP_PKEY_CTX *ctx, unsigned char **label);
261 # define RSA_PKCS1_PSS_PADDING 6
262 # define RSA_PKCS1_WITH_TLS_PADDING 7
263
264+/* internal RSA_ only */
265+# define RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING 8
266+
267 # define RSA_PKCS1_PADDING_SIZE 11
268
269 # define RSA_set_app_data(s,arg) RSA_set_ex_data(s,0,arg)
270diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c
271index c8921acd6e..11a91e62b1 100644
272--- a/providers/implementations/asymciphers/rsa_enc.c
273+++ b/providers/implementations/asymciphers/rsa_enc.c
274@@ -75,6 +75,8 @@ typedef struct {
275 /* TLS padding */
276 unsigned int client_version;
277 unsigned int alt_version;
278+ /* PKCS#1 v1.5 decryption mode */
279+ unsigned int implicit_rejection;
280 } PROV_RSA_CTX;
281
282 static void *rsa_newctx(void *provctx)
283@@ -107,6 +109,7 @@ static int rsa_init(void *vprsactx, void *vrsa, const OSSL_PARAM params[],
284 RSA_free(prsactx->rsa);
285 prsactx->rsa = vrsa;
286 prsactx->operation = operation;
287+ prsactx->implicit_rejection = 1;
288
289 switch (RSA_test_flags(prsactx->rsa, RSA_FLAG_TYPE_MASK)) {
290 case RSA_FLAG_TYPE_RSA:
291@@ -199,6 +202,7 @@ static int rsa_decrypt(void *vprsactx, unsigned char *out, size_t *outlen,
292 {
293 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
294 int ret;
295+ int pad_mode;
296 size_t len = RSA_size(prsactx->rsa);
297
298 if (!ossl_prov_is_running())
299@@ -276,8 +280,12 @@ static int rsa_decrypt(void *vprsactx, unsigned char *out, size_t *outlen,
300 }
301 OPENSSL_free(tbuf);
302 } else {
303- ret = RSA_private_decrypt(inlen, in, out, prsactx->rsa,
304- prsactx->pad_mode);
305+ if ((prsactx->implicit_rejection == 0) &&
306+ (prsactx->pad_mode == RSA_PKCS1_PADDING))
307+ pad_mode = RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING;
308+ else
309+ pad_mode = prsactx->pad_mode;
310+ ret = RSA_private_decrypt(inlen, in, out, prsactx->rsa, pad_mode);
311 }
312 *outlen = constant_time_select_s(constant_time_msb_s(ret), *outlen, ret);
313 ret = constant_time_select_int(constant_time_msb(ret), 0, 1);
314@@ -401,6 +409,10 @@ static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params)
315 if (p != NULL && !OSSL_PARAM_set_uint(p, prsactx->alt_version))
316 return 0;
317
318+ p = OSSL_PARAM_locate(params, OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION);
319+ if (p != NULL && !OSSL_PARAM_set_uint(p, prsactx->implicit_rejection))
320+ return 0;
321+
322 return 1;
323 }
324
325@@ -412,6 +424,7 @@ static const OSSL_PARAM known_gettable_ctx_params[] = {
326 NULL, 0),
327 OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION, NULL),
328 OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION, NULL),
329+ OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION, NULL),
330 OSSL_PARAM_END
331 };
332
333@@ -549,6 +562,14 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
334 return 0;
335 prsactx->alt_version = alt_version;
336 }
337+ p = OSSL_PARAM_locate_const(params, OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION);
338+ if (p != NULL) {
339+ unsigned int implicit_rejection;
340+
341+ if (!OSSL_PARAM_get_uint(p, &implicit_rejection))
342+ return 0;
343+ prsactx->implicit_rejection = implicit_rejection;
344+ }
345
346 return 1;
347 }
348@@ -562,6 +583,7 @@ static const OSSL_PARAM known_settable_ctx_params[] = {
349 OSSL_PARAM_octet_string(OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL, NULL, 0),
350 OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION, NULL),
351 OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION, NULL),
352+ OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION, NULL),
353 OSSL_PARAM_END
354 };
355
356--
3572.34.1
358
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-3.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-3.patch
new file mode 100644
index 0000000000..0a1f63f30a
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-3.patch
@@ -0,0 +1,41 @@
1From ba78f7b0599ba5bfb5032dd2664465c5b13388e3 Mon Sep 17 00:00:00 2001
2From: Hubert Kario <hkario@redhat.com>
3Date: Tue, 22 Nov 2022 18:25:49 +0100
4Subject: [PATCH 3/3] smime/pkcs7: disable the Bleichenbacher workaround
5
6CVE: CVE-2023-50781
7
8Upstream-Status: Backport
9[https://github.com/openssl/openssl/commit/056dade341d2589975a3aae71f81c8d7061583c7]
10
11Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
12Reviewed-by: Tim Hudson <tjh@openssl.org>
13Reviewed-by: Tomas Mraz <tomas@openssl.org>
14(Merged from https://github.com/openssl/openssl/pull/13817)
15
16Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
17---
18 crypto/pkcs7/pk7_doit.c | 7 +++++++
19 1 file changed, 7 insertions(+)
20
21diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c
22index e9de097da1..6d3124da87 100644
23--- a/crypto/pkcs7/pk7_doit.c
24+++ b/crypto/pkcs7/pk7_doit.c
25@@ -170,6 +170,13 @@ static int pkcs7_decrypt_rinfo(unsigned char **pek, int *peklen,
26 if (EVP_PKEY_decrypt_init(pctx) <= 0)
27 goto err;
28
29+ if (EVP_PKEY_is_a(pkey, "RSA"))
30+ /* upper layer pkcs7 code incorrectly assumes that a successful RSA
31+ * decryption means that the key matches ciphertext (which never
32+ * was the case, implicit rejection or not), so to make it work
33+ * disable implicit rejection for RSA keys */
34+ EVP_PKEY_CTX_ctrl_str(pctx, "rsa_pkcs1_implicit_rejection", "0");
35+
36 if (EVP_PKEY_decrypt(pctx, NULL, &eklen,
37 ri->enc_key->data, ri->enc_key->length) <= 0)
38 goto err;
39--
402.34.1
41
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-4.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-4.patch
new file mode 100644
index 0000000000..c6dad3cbec
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-4.patch
@@ -0,0 +1,441 @@
1From 8ae4f0e68ebb7435be494b58676827ae91695371 Mon Sep 17 00:00:00 2001
2From: Hubert Kario <hkario@redhat.com>
3Date: Tue, 12 Jan 2021 14:58:04 +0100
4Subject: [PATCH] rsa: add test vectors for the implicit rejection in RSA
5 PKCS#1 v1.5
6
7CVE: CVE-2023-50781
8
9Upstream-Status: Backport [https://github.com/openssl/openssl/commit/8ae4f0e68ebb7435be494b58676827ae91695371]
10
11Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
12Reviewed-by: Tim Hudson <tjh@openssl.org>
13Reviewed-by: Tomas Mraz <tomas@openssl.org>
14(Merged from https://github.com/openssl/openssl/pull/13817)
15Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
16---
17 .../30-test_evp_data/evppkey_rsa_common.txt | 408 ++++++++++++++++++
18 1 file changed, 408 insertions(+)
19
20diff --git a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
21index 080c4d02af..1405465098 100644
22--- a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
23+++ b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
24@@ -277,6 +277,414 @@ Derive = RSA-2048
25 Result = KEYOP_INIT_ERROR
26 Reason = operation not supported for this keytype
27
28+# Test vectors for the Bleichenbacher workaround
29+
30+PrivateKey = RSA-2048-2
31+-----BEGIN RSA PRIVATE KEY-----
32+MIIEowIBAAKCAQEAyMyDlxQJjaVsqiNkD5PciZfBY3KWj8Gwxt9RE8HJTosh5IrS
33+KX5lQZARtObY9ec7G3iyV0ADIdHva2AtTsjOjRQclJBetK0wZjmkkgZTS25/JgdC
34+Ppff/RM8iNchOZ3vvH6WzNy9fzquH+iScSv7SSmBfVEWZkQKH6y3ogj16hZZEK3Y
35+o/LUlyAjYMy2MgJPDQcWnBkY8xb3lLFDrvVOyHUipMApePlomYC/+/ZJwwfoGBm/
36++IQJY41IvZS+FStZ/2SfoL1inQ/6GBPDq/S1a9PC6lRl3/oUWJKSqdiiStJr5+4F
37+EHQbY4LUPIPVv6QKRmE9BivkRVF9vK8MtOGnaQIDAQABAoIBABRVAQ4PLVh2Y6Zm
38+pv8czbvw7dgQBkbQKgI5IpCJksStOeVWWSlybvZQjDpxFY7wtv91HTnQdYC7LS8G
39+MhBELQYD/1DbvXs1/iybsZpHoa+FpMJJAeAsqLWLeRmyDt8yqs+/Ua20vEthubfp
40+aMqk1XD3DvGNgGMiiJPkfUOe/KeTJZvPLNEIo9hojN8HjnrHmZafIznSwfUiuWlo
41+RimpM7quwmgWJeq4T05W9ER+nYj7mhmc9xAj4OJXsURBszyE07xnyoAx0mEmGBA6
42+egpAhEJi912IkM1hblH5A1SI/W4Jnej/bWWk/xGCVIB8n1jS+7qLoVHcjGi+NJyX
43+eiBOBMECgYEA+PWta6gokxvqRZuKP23AQdI0gkCcJXHpY/MfdIYColY3GziD7UWe
44+z5cFJkWe3RbgVSL1pF2UdRsuwtrycsf4gWpSwA0YCAFxY02omdeXMiL1G5N2MFSG
45+lqn32MJKWUl8HvzUVc+5fuhtK200lyszL9owPwSZm062tcwLsz53Yd0CgYEAznou
46+O0mpC5YzChLcaCvfvfuujdbcA7YUeu+9V1dD8PbaTYYjUGG3Gv2crS00Al5WrIaw
47+93Q+s14ay8ojeJVCRGW3Bu0iF15XGMjHC2cD6o9rUQ+UW+SOWja7PDyRcytYnfwF
48+1y2AkDGURSvaITSGR+xylD8RqEbmL66+jrU2sP0CgYB2/hXxiuI5zfHfa0RcpLxr
49+uWjXiMIZM6T13NKAAz1nEgYswIpt8gTB+9C+RjB0Q+bdSmRWN1Qp1OA4yiVvrxyb
50+3pHGsXt2+BmV+RxIy768e/DjSUwINZ5OjNalh9e5bWIh/X4PtcVXXwgu5XdpeYBx
51+sru0oyI4FRtHMUu2VHkDEQKBgQCZiEiwVUmaEAnLx9KUs2sf/fICDm5zZAU+lN4a
52+AA3JNAWH9+JydvaM32CNdTtjN3sDtvQITSwCfEs4lgpiM7qe2XOLdvEOp1vkVgeL
53+9wH2fMaz8/3BhuZDNsdrNy6AkQ7ICwrcwj0C+5rhBIaigkgHW06n5W3fzziC5FFW
54+FHGikQKBgGQ790ZCn32DZnoGUwITR++/wF5jUfghqd67YODszeUAWtnp7DHlWPfp
55+LCkyjnRWnXzvfHTKvCs1XtQBoaCRS048uwZITlgZYFEWntFMqi76bqBE4FTSYUTM
56+FinFUBBVigThM/RLfCRNrCW/kTxXuJDuSfVIJZzWNAT+9oWdz5da
57+-----END RSA PRIVATE KEY-----
58+
59+# corresponding public key
60+PublicKey = RSA-2048-2-PUBLIC
61+-----BEGIN PUBLIC KEY-----
62+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyMyDlxQJjaVsqiNkD5Pc
63+iZfBY3KWj8Gwxt9RE8HJTosh5IrSKX5lQZARtObY9ec7G3iyV0ADIdHva2AtTsjO
64+jRQclJBetK0wZjmkkgZTS25/JgdCPpff/RM8iNchOZ3vvH6WzNy9fzquH+iScSv7
65+SSmBfVEWZkQKH6y3ogj16hZZEK3Yo/LUlyAjYMy2MgJPDQcWnBkY8xb3lLFDrvVO
66+yHUipMApePlomYC/+/ZJwwfoGBm/+IQJY41IvZS+FStZ/2SfoL1inQ/6GBPDq/S1
67+a9PC6lRl3/oUWJKSqdiiStJr5+4FEHQbY4LUPIPVv6QKRmE9BivkRVF9vK8MtOGn
68+aQIDAQAB
69+-----END PUBLIC KEY-----
70+
71+PrivPubKeyPair = RSA-2048-2:RSA-2048-2-PUBLIC
72+
73+# RSA decrypt
74+
75+# a random positive test case
76+Decrypt = RSA-2048-2
77+Input = 8bfe264e85d3bdeaa6b8851b8e3b956ee3d226fd3f69063a86880173a273d9f283b2eebdd1ed35f7e02d91c571981b6737d5320bd8396b0f3ad5b019daec1b0aab3cbbc026395f4fd14f13673f2dfc81f9b660ec26ac381e6db3299b4e460b43fab9955df2b3cfaa20e900e19c856238fd371899c2bf2ce8c868b76754e5db3b036533fd603746be13c10d4e3e6022ebc905d20c2a7f32b215a4cd53b3f44ca1c327d2c2b651145821c08396c89071f665349c25e44d2733cd9305985ceef6430c3cf57af5fa224089221218fa34737c79c446d28a94c41c96e4e92ac53fbcf384dea8419ea089f8784445a492c812eb0d409467f75afd7d4d1078886205a066
78+Output = "lorem ipsum dolor sit amet"
79+
80+# a random negative test case decrypting to empty
81+Decrypt = RSA-2048-2
82+Input = 20aaa8adbbc593a924ba1c5c7990b5c2242ae4b99d0fe636a19a4cf754edbcee774e472fe028160ed42634f8864900cb514006da642cae6ae8c7d087caebcfa6dad1551301e130344989a1d462d4164505f6393933450c67bc6d39d8f5160907cabc251b737925a1cf21e5c6aa5781b7769f6a2a583d97cce008c0f8b6add5f0b2bd80bee60237aa39bb20719fe75749f4bc4e42466ef5a861ae3a92395c7d858d430bfe38040f445ea93fa2958b503539800ffa5ce5f8cf51fa8171a91f36cb4f4575e8de6b4d3f096ee140b938fd2f50ee13f0d050222e2a72b0a3069ff3a6738e82c87090caa5aed4fcbe882c49646aa250b98f12f83c8d528113614a29e7
83+Output =
84+
85+# invalid decrypting to max length message
86+Decrypt = RSA-2048-2
87+Input = 48cceab10f39a4db32f60074feea473cbcdb7accf92e150417f76b44756b190e843e79ec12aa85083a21f5437e7bad0a60482e601198f9d86923239c8786ee728285afd0937f7dde12717f28389843d7375912b07b991f4fdb0190fced8ba665314367e8c5f9d2981d0f5128feeb46cb50fc237e64438a86df198dd0209364ae3a842d77532b66b7ef263b83b1541ed671b120dfd660462e2107a4ee7b964e734a7bd68d90dda61770658a3c242948532da32648687e0318286473f675b412d6468f013f14d760a358dfcad3cda2afeec5e268a37d250c37f722f468a70dfd92d7294c3c1ee1e7f8843b7d16f9f37ef35748c3ae93aa155cdcdfeb4e78567303
88+Output = 22d850137b9eebe092b24f602dc5bb7918c16bd89ddbf20467b119d205f9c2e4bd7d2592cf1e532106e0f33557565923c73a02d4f09c0c22bea89148183e60317f7028b3aa1f261f91c979393101d7e15f4067e63979b32751658ef769610fe97cf9cef3278b3117d384051c3b1d82c251c2305418c8f6840530e631aad63e70e20e025bcd8efb54c92ec6d3b106a2f8e64eeff7d38495b0fc50c97138af4b1c0a67a1c4e27b077b8439332edfa8608dfeae653cd6a628ac550395f7e74390e42c11682234870925eeaa1fa71b76cf1f2ee3bda69f6717033ff8b7c95c9799e7a3bea5e7e4a1c359772fb6b1c6e6c516661dfe30c3
89+
90+# invalid decrypting to message with length specified by second to last value from PRF
91+Decrypt = RSA-2048-2
92+Input = 1439e08c3f84c1a7fec74ce07614b20e01f6fa4e8c2a6cffdc3520d8889e5d9a950c6425798f85d4be38d300ea5695f13ecd4cb389d1ff5b82484b494d6280ab7fa78e645933981cb934cce8bfcd114cc0e6811eefa47aae20af638a1cd163d2d3366186d0a07df0c81f6c9f3171cf3561472e98a6006bf75ddb457bed036dcce199369de7d94ef2c68e8467ee0604eea2b3009479162a7891ba5c40cab17f49e1c438cb6eaea4f76ce23cce0e483ff0e96fa790ea15be67671814342d0a23f4a20262b6182e72f3a67cd289711503c85516a9ed225422f98b116f1ab080a80abd6f0216df88d8cfd67c139243be8dd78502a7aaf6bc99d7da71bcdf627e7354
93+Output = 0f9b
94+
95+# invalid decrypting to message with length specified by third to last value from PRF
96+Decrypt = RSA-2048-2
97+Input = 1690ebcceece2ce024f382e467cf8510e74514120937978576caf684d4a02ad569e8d76cbe365a060e00779de2f0865ccf0d923de3b4783a4e2c74f422e2f326086c390b658ba47f31ab013aa80f468c71256e5fa5679b24e83cd82c3d1e05e398208155de2212993cd2b8bab6987cf4cc1293f19909219439d74127545e9ed8a706961b8ee2119f6bfacafbef91b75a789ba65b8b833bc6149cf49b5c4d2c6359f62808659ba6541e1cd24bf7f7410486b5103f6c0ea29334ea6f4975b17387474fe920710ea61568d7b7c0a7916acf21665ad5a31c4eabcde44f8fb6120d8457afa1f3c85d517cda364af620113ae5a3c52a048821731922737307f77a1081
98+Output = 4f02
99+
100+# positive test with 11 byte long value
101+Decrypt = RSA-2048-2
102+Input = 6213634593332c485cef783ea2846e3d6e8b0e005cd8293eaebbaa5079712fd681579bdfbbda138ae4d9d952917a03c92398ec0cb2bb0c6b5a8d55061fed0d0d8d72473563152648cfe640b335dc95331c21cb133a91790fa93ae44497c128708970d2beeb77e8721b061b1c44034143734a77be8220877415a6dba073c3871605380542a9f25252a4babe8331cdd53cf828423f3cc70b560624d0581fb126b2ed4f4ed358f0eb8065cf176399ac1a846a31055f9ae8c9c24a1ba050bc20842125bc1753158f8065f3adb9cc16bfdf83816bdf38b624f12022c5a6fbfe29bc91542be8c0208a770bcd677dc597f5557dc2ce28a11bf3e3857f158717a33f6592
103+Output = "lorem ipsum"
104+
105+# positive test with 11 byte long value and zero padded ciphertext
106+Decrypt = RSA-2048-2
107+Input = 00a2e8f114ea8d05d12dc843e3cc3b2edc8229ff2a028bda29ba9d55e3cd02911902fef1f42a075bf05e8016e8567213d6f260fa49e360779dd81aeea3e04c2cb567e0d72b98bf754014561b7511e083d20e0bfb9cd23f8a0d3c88900c49d2fcd5843ff0765607b2026f28202a87aa94678aed22a0c20724541394cd8f44e373eba1d2bae98f516c1e2ba3d86852d064f856b1daf24795e767a2b90396e50743e3150664afab131fe40ea405dcf572dd1079af1d3f0392ccadcca0a12740dbb213b925ca2a06b1bc1383e83a658c82ba2e7427342379084d5f66b544579f07664cb26edd4f10fd913fdbc0de05ef887d4d1ec1ac95652397ea7fd4e4759fda8b
108+Output = "lorem ipsum"
109+
110+# positive test with 11 byte long value and zero truncated ciphertext
111+Decrypt = RSA-2048-2
112+Input = a2e8f114ea8d05d12dc843e3cc3b2edc8229ff2a028bda29ba9d55e3cd02911902fef1f42a075bf05e8016e8567213d6f260fa49e360779dd81aeea3e04c2cb567e0d72b98bf754014561b7511e083d20e0bfb9cd23f8a0d3c88900c49d2fcd5843ff0765607b2026f28202a87aa94678aed22a0c20724541394cd8f44e373eba1d2bae98f516c1e2ba3d86852d064f856b1daf24795e767a2b90396e50743e3150664afab131fe40ea405dcf572dd1079af1d3f0392ccadcca0a12740dbb213b925ca2a06b1bc1383e83a658c82ba2e7427342379084d5f66b544579f07664cb26edd4f10fd913fdbc0de05ef887d4d1ec1ac95652397ea7fd4e4759fda8b
113+Output = "lorem ipsum"
114+
115+# positive test with 11 byte long value and double zero padded ciphertext
116+Decrypt = RSA-2048-2
117+Input = 00001f71879b426127f7dead621f7380a7098cf7d22173aa27991b143c46d53383c209bd0c9c00d84078037e715f6b98c65005a77120070522ede51d472c87ef94b94ead4c5428ee108a345561658301911ec5a8f7dd43ed4a3957fd29fb02a3529bf63f8040d3953490939bd8f78b2a3404b6fb5ff70a4bfdaac5c541d6bcce49c9778cc390be24cbef1d1eca7e870457241d3ff72ca44f9f56bdf31a890fa5eb3a9107b603ccc9d06a5dd911a664c82b6abd4fe036f8db8d5a070c2d86386ae18d97adc1847640c211d91ff5c3387574a26f8ef27ca7f48d2dd1f0c7f14b81cc9d33ee6853031d3ecf10a914ffd90947909c8011fd30249219348ebff76bfc
118+Output = "lorem ipsum"
119+
120+# positive test with 11 byte long value and double zero truncated ciphertext
121+Decrypt = RSA-2048-2
122+Input = 1f71879b426127f7dead621f7380a7098cf7d22173aa27991b143c46d53383c209bd0c9c00d84078037e715f6b98c65005a77120070522ede51d472c87ef94b94ead4c5428ee108a345561658301911ec5a8f7dd43ed4a3957fd29fb02a3529bf63f8040d3953490939bd8f78b2a3404b6fb5ff70a4bfdaac5c541d6bcce49c9778cc390be24cbef1d1eca7e870457241d3ff72ca44f9f56bdf31a890fa5eb3a9107b603ccc9d06a5dd911a664c82b6abd4fe036f8db8d5a070c2d86386ae18d97adc1847640c211d91ff5c3387574a26f8ef27ca7f48d2dd1f0c7f14b81cc9d33ee6853031d3ecf10a914ffd90947909c8011fd30249219348ebff76bfc
123+Output = "lorem ipsum"
124+
125+# positive that generates a 0 byte long synthethic message internally
126+Decrypt = RSA-2048-2
127+Input = b5e49308f6e9590014ffaffc5b8560755739dd501f1d4e9227a7d291408cf4b753f292322ff8bead613bf2caa181b221bc38caf6392deafb28eb21ad60930841ed02fd6225cc9c463409adbe7d8f32440212fbe3881c51375bb09565efb22e62b071472fb38676e5b4e23a0617db5d14d93519ac0007a30a9c822eb31c38b57fcb1be29608fcf1ca2abdcaf5d5752bbc2b5ac7dba5afcff4a5641da360dd01f7112539b1ed46cdb550a3b1006559b9fe1891030ec80f0727c42401ddd6cbb5e3c80f312df6ec89394c5a7118f573105e7ab00fe57833c126141b50a935224842addfb479f75160659ba28877b512bb9a93084ad8bec540f92640f63a11a010e0
128+Output = "lorem ipsum"
129+
130+# positive that generates a 245 byte long synthethic message internally
131+Decrypt = RSA-2048-2
132+Input = 1ea0b50ca65203d0a09280d39704b24fe6e47800189db5033f202761a78bafb270c5e25abd1f7ecc6e7abc4f26d1b0cd9b8c648d529416ee64ccbdd7aa72a771d0353262b543f0e436076f40a1095f5c7dfd10dcf0059ccb30e92dfa5e0156618215f1c3ff3aa997a9d999e506924f5289e3ac72e5e2086cc7b499d71583ed561028671155db4005bee01800a7cdbdae781dd32199b8914b5d4011dd6ff11cd26d46aad54934d293b0bc403dd211bf13b5a5c6836a5e769930f437ffd8634fb7371776f4bc88fa6c271d8aa6013df89ae6470154497c4ac861be2a1c65ebffec139bf7aaba3a81c7c5cdd84da9af5d3edfb957848074686b5837ecbcb6a41c50
133+Output = "lorem ipsum"
134+
135+# a random negative test that generates an 11 byte long message
136+Decrypt = RSA-2048-2
137+Input = 5f02f4b1f46935c742ebe62b6f05aa0a3286aab91a49b34780adde6410ab46f7386e05748331864ac98e1da63686e4babe3a19ed40a7f5ceefb89179596aab07ab1015e03b8f825084dab028b6731288f2e511a4b314b6ea3997d2e8fe2825cef8897cbbdfb6c939d441d6e04948414bb69e682927ef8576c9a7090d4aad0e74c520d6d5ce63a154720f00b76de8cc550b1aa14f016d63a7b6d6eaa1f7dbe9e50200d3159b3d099c900116bf4eba3b94204f18b1317b07529751abf64a26b0a0bf1c8ce757333b3d673211b67cc0653f2fe2620d57c8b6ee574a0323a167eab1106d9bc7fd90d415be5f1e9891a0e6c709f4fc0404e8226f8477b4e939b36eb2
138+Output = af9ac70191c92413cb9f2d
139+
140+# an otherwise correct plaintext, but with wrong first byte
141+# (0x01 instead of 0x00), generates a random 11 byte long plaintext
142+Decrypt = RSA-2048-2
143+Input = 9b2ec9c0c917c98f1ad3d0119aec6be51ae3106e9af1914d48600ab6a2c0c0c8ae02a2dc3039906ff3aac904af32ec798fd65f3ad1afa2e69400e7c1de81f5728f3b3291f38263bc7a90a0563e43ce7a0d4ee9c0d8a716621ca5d3d081188769ce1b131af7d35b13dea99153579c86db31fe07d5a2c14d621b77854e48a8df41b5798563af489a291e417b6a334c63222627376118c02c53b6e86310f728734ffc86ef9d7c8bf56c0c841b24b82b59f51aee4526ba1c4268506d301e4ebc498c6aebb6fd5258c876bf900bac8ca4d309dd522f6a6343599a8bc3760f422c10c72d0ad527ce4af1874124ace3d99bb74db8d69d2528db22c3a37644640f95c05f
144+Output = a1f8c9255c35cfba403ccc
145+
146+# an otherwise correct plaintext, but with wrong second byte
147+# (0x01 instead of 0x02), generates a random 11 byte long plaintext
148+Decrypt = RSA-2048-2
149+Input = 782c2b59a21a511243820acedd567c136f6d3090c115232a82a5efb0b178285f55b5ec2d2bac96bf00d6592ea7cdc3341610c8fb07e527e5e2d20cfaf2c7f23e375431f45e998929a02f25fd95354c33838090bca838502259e92d86d568bc2cdb132fab2a399593ca60a015dc2bb1afcd64fef8a3834e17e5358d822980dc446e845b3ab4702b1ee41fe5db716d92348d5091c15d35a110555a35deb4650a5a1d2c98025d42d4544f8b32aa6a5e02dc02deaed9a7313b73b49b0d4772a3768b0ea0db5846ace6569cae677bf67fb0acf3c255dc01ec8400c963b6e49b1067728b4e563d7e1e1515664347b92ee64db7efb5452357a02fff7fcb7437abc2e579
150+Output = e6d700309ca0ed62452254
151+
152+# an invalid ciphertext, with a zero byte in first byte of
153+# ciphertext, decrypts to a random 11 byte long synthethic
154+# plaintext
155+Decrypt = RSA-2048-2
156+Input = 0096136621faf36d5290b16bd26295de27f895d1faa51c800dafce73d001d60796cd4e2ac3fa2162131d859cd9da5a0c8a42281d9a63e5f353971b72e36b5722e4ac444d77f892a5443deb3dca49fa732fe855727196e23c26eeac55eeced8267a209ebc0f92f4656d64a6c13f7f7ce544ebeb0f668fe3a6c0f189e4bcd5ea12b73cf63e0c8350ee130dd62f01e5c97a1e13f52fde96a9a1bc9936ce734fdd61f27b18216f1d6de87f49cf4f2ea821fb8efd1f92cdad529baf7e31aff9bff4074f2cad2b4243dd15a711adcf7de900851fbd6bcb53dac399d7c880531d06f25f7002e1aaf1722765865d2c2b902c7736acd27bc6cbd3e38b560e2eecf7d4b576
157+Output = ba27b1842e7c21c0e7ef6a
158+
159+# an invalid ciphertext, with a zero byte removed from first byte of
160+# ciphertext, decrypts to a random 11 byte long synthethic
161+# plaintext
162+Decrypt = RSA-2048-2
163+Input = 96136621faf36d5290b16bd26295de27f895d1faa51c800dafce73d001d60796cd4e2ac3fa2162131d859cd9da5a0c8a42281d9a63e5f353971b72e36b5722e4ac444d77f892a5443deb3dca49fa732fe855727196e23c26eeac55eeced8267a209ebc0f92f4656d64a6c13f7f7ce544ebeb0f668fe3a6c0f189e4bcd5ea12b73cf63e0c8350ee130dd62f01e5c97a1e13f52fde96a9a1bc9936ce734fdd61f27b18216f1d6de87f49cf4f2ea821fb8efd1f92cdad529baf7e31aff9bff4074f2cad2b4243dd15a711adcf7de900851fbd6bcb53dac399d7c880531d06f25f7002e1aaf1722765865d2c2b902c7736acd27bc6cbd3e38b560e2eecf7d4b576
164+Output = ba27b1842e7c21c0e7ef6a
165+
166+# an invalid ciphertext, with two zero bytes in first bytes of
167+# ciphertext, decrypts to a random 11 byte long synthethic
168+# plaintext
169+Decrypt = RSA-2048-2
170+Input = 0000587cccc6b264bdfe0dc2149a988047fa921801f3502ea64624c510c6033d2f427e3f136c26e88ea9f6519e86a542cec96aad1e5e9013c3cc203b6de15a69183050813af5c9ad79703136d4b92f50ce171eefc6aa7988ecf02f319ffc5eafd6ee7a137f8fce64b255bb1b8dd19cfe767d64fdb468b9b2e9e7a0c24dae03239c8c714d3f40b7ee9c4e59ac15b17e4d328f1100756bce17133e8e7493b54e5006c3cbcdacd134130c5132a1edebdbd01a0c41452d16ed7a0788003c34730d0808e7e14c797a21f2b45a8aa1644357fd5e988f99b017d9df37563a354c788dc0e2f9466045622fa3f3e17db63414d27761f57392623a2bef6467501c63e8d645
171+Output = d5cf555b1d6151029a429a
172+
173+# an invalid ciphertext, with two zero bytes removed from first bytes of
174+# ciphertext, decrypts to a random 11 byte long synthethic
175+# plaintext
176+Decrypt = RSA-2048-2
177+Input = 587cccc6b264bdfe0dc2149a988047fa921801f3502ea64624c510c6033d2f427e3f136c26e88ea9f6519e86a542cec96aad1e5e9013c3cc203b6de15a69183050813af5c9ad79703136d4b92f50ce171eefc6aa7988ecf02f319ffc5eafd6ee7a137f8fce64b255bb1b8dd19cfe767d64fdb468b9b2e9e7a0c24dae03239c8c714d3f40b7ee9c4e59ac15b17e4d328f1100756bce17133e8e7493b54e5006c3cbcdacd134130c5132a1edebdbd01a0c41452d16ed7a0788003c34730d0808e7e14c797a21f2b45a8aa1644357fd5e988f99b017d9df37563a354c788dc0e2f9466045622fa3f3e17db63414d27761f57392623a2bef6467501c63e8d645
178+Output = d5cf555b1d6151029a429a
179+
180+# and invalid ciphertext, otherwise valid but starting with 000002, decrypts
181+# to random 11 byte long synthethic plaintext
182+Decrypt = RSA-2048-2
183+Input = 1786550ce8d8433052e01ecba8b76d3019f1355b212ac9d0f5191b023325a7e7714b7802f8e9a17c4cb3cd3a84041891471b10ca1fcfb5d041d34c82e6d0011cf4dc76b90e9c2e0743590579d55bcd7857057152c4a8040361343d1d22ba677d62b011407c652e234b1d663af25e2386251d7409190f19fc8ec3f9374fdf1254633874ce2ec2bff40ad0cb473f9761ec7b68da45a4bd5e33f5d7dac9b9a20821df9406b653f78a95a6c0ea0a4d57f867e4db22c17bf9a12c150f809a7b72b6db86c22a8732241ebf3c6a4f2cf82671d917aba8bc61052b40ccddd743a94ea9b538175106201971cca9d136d25081739aaf6cd18b2aecf9ad320ea3f89502f955
184+Output = 3d4a054d9358209e9cbbb9
185+
186+# negative test with otherwise valid padding but a zero byte in first byte
187+# of padding
188+Decrypt = RSA-2048-2
189+Input = 179598823812d2c58a7eb50521150a48bcca8b4eb53414018b6bca19f4801456c5e36a940037ac516b0d6412ba44ec6b4f268a55ef1c5ffbf18a2f4e3522bb7b6ed89774b79bffa22f7d3102165565642de0d43a955e96a1f2e80e5430671d7266eb4f905dc8ff5e106dc5588e5b0289e49a4913940e392a97062616d2bda38155471b7d360cfb94681c702f60ed2d4de614ea72bf1c53160e63179f6c5b897b59492bee219108309f0b7b8cb2b136c346a5e98b8b4b8415fb1d713bae067911e3057f1c335b4b7e39101eafd5d28f0189037e4334f4fdb9038427b1d119a6702aa8233319cc97d496cc289ae8c956ddc84042659a2d43d6aa22f12b81ab884e
190+Output = 1f037dd717b07d3e7f7359
191+
192+# negative test with otherwise valid padding but a zero byte at the eigth
193+# byte of padding
194+Decrypt = RSA-2048-2
195+Input = a7a340675a82c30e22219a55bc07cdf36d47d01834c1834f917f18b517419ce9de2a96460e745024436470ed85e94297b283537d52189c406a3f533cb405cc6a9dba46b482ce98b6e3dd52d8fce2237425617e38c11fbc46b61897ef200d01e4f25f5f6c4c5b38cd0de38ba11908b86595a8036a08a42a3d05b79600a97ac18ba368a08d6cf6ccb624f6e8002afc75599fba4de3d4f3ba7d208391ebe8d21f8282b18e2c10869eb2702e68f9176b42b0ddc9d763f0c86ba0ff92c957aaeab76d9ab8da52ea297ec11d92d770146faa1b300e0f91ef969b53e7d2907ffc984e9a9c9d11fb7d6cba91972059b46506b035efec6575c46d7114a6b935864858445f
196+Output = 63cb0bf65fc8255dd29e17
197+
198+# negative test with an otherwise valid plaintext but with missing separator
199+# byte
200+Decrypt = RSA-2048-2
201+Input = 3d1b97e7aa34eaf1f4fc171ceb11dcfffd9a46a5b6961205b10b302818c1fcc9f4ec78bf18ea0cee7e9fa5b16fb4c611463b368b3312ac11cf9c06b7cf72b54e284848a508d3f02328c62c2999d0fb60929f81783c7a256891bc2ff4d91df2af96a24fc5701a1823af939ce6dbdc510608e3d41eec172ad2d51b9fc61b4217c923cadcf5bac321355ef8be5e5f090cdc2bd0c697d9058247db3ad613fdce87d2955a6d1c948a5160f93da21f731d74137f5d1f53a1923adb513d2e6e1589d44cc079f4c6ddd471d38ac82d20d8b1d21f8d65f3b6907086809f4123e08d86fb38729585de026a485d8f0e703fd4772f6668febf67df947b82195fa3867e3a3065
202+Output = 6f09a0b62699337c497b0b
203+
204+# Test vectors for the Bleichenbacher workaround (2049 bit key size)
205+
206+PrivateKey = RSA-2049
207+-----BEGIN RSA PRIVATE KEY-----
208+MIIEpQIBAAKCAQEBVfiJVWoXdfHHp3hqULGLwoyemG7eVmfKs5uEEk6Q66dcHbCD
209+rD5EO7qU3CNWD3XjqBaToqQ73HQm2MTq/mjIXeD+dX9uSbue1EfmAkMIANuwTOsi
210+5/pXoY0zj7ZgJs20Z+cMwEDn02fvQDx78ePfYkZQCUYx8h6v0vtbyRX/BDeazRES
211+9zLAtGYHwXjTiiD1LtpQny+cBAXVEGnoDM+UFVTQRwRnUFw89UHqCJffyfQAzssp
212+j/x1M3LZ9pM68XTMQO2W1GcDFzO5f4zd0/krw6A+qFdsQX8kAHteT3UBEFtUTen6
213+3N/635jftLsFuBmfP4Ws/ZH3qaCUuaOD9QSQlwIDAQABAoIBAQEZwrP1CnrWFSZ5
214+1/9RCVisLYym8AKFkvMy1VoWc2F4qOZ/F+cFzjAOPodUclEAYBP5dNCj20nvNEyl
215+omo0wEUHBNDkIuDOI6aUJcFf77bybhBu7/ZMyLnXRC5NpOjIUAjq6zZYWaIpT6OT
216+e8Jr5WMy59geLBYO9jXMUoqnvlXmM6cj28Hha6KeUrKa7y+eVlT9wGZrsPwlSsvo
217+DmOHTw9fAgeC48nc/CUg0MnEp7Y05FA/u0k+Gq/us/iL16EzmHJdrm/jmed1zV1M
218+8J/IODR8TJjasaSIPM5iBRNhWvqhCmM2jm17ed9BZqsWJznvUVpEAu4eBgHFpVvH
219+HfDjDt+BAoGBAYj2k2DwHhjZot4pUlPSUsMeRHbOpf97+EE99/3jVlI83JdoBfhP
220+wN3sdw3wbO0GXIETSHVLNGrxaXVod/07PVaGgsh4fQsxTvasZ9ZegTM5i2Kgg8D4
221+dlxa1A1agfm73OJSftfpUAjLECnLTKvR+em+38KGyWVSJV2n6rGSF473AoGBAN7H
222+zxHa3oOkxD0vgBl/If1dRv1XtDH0T+gaHeN/agkf/ARk7ZcdyFCINa3mzF9Wbzll
223+YTqLNnmMkubiP1LvkH6VZ+NBvrxTNxiWJfu+qx87ez+S/7JoHm71p4SowtePfC2J
224+qqok0s7b0GaBz+ZcNse/o8W6E1FiIi71wukUyYNhAoGAEgk/OnPK7dkPYKME5FQC
225++HGrMsjJVbCa9GOjvkNw8tVYSpq7q2n9sDHqRPmEBl0EYehAqyGIhmAONxVUbIsL
226+ha0m04y0MI9S0H+ZRH2R8IfzndNAONsuk46XrQU6cfvtZ3Xh3IcY5U5sr35lRn2c
227+ut3H52XIWJ4smN/cJcpOyoECgYEAjM5hNHnPlgj392wkXPkbtJXWHp3mSISQVLTd
228+G0MW8/mBQg3AlXi/eRb+RpHPrppk5jQLhgMjRSPyXXe2amb8PuWTqfGN6l32PtX3
229+3+udILpppb71Wf+w7JTbcl9v9uq7o9SVR8DKdPA+AeweSQ0TmqCnlHuNZizOSjwP
230+G16GF0ECgYEA+ZWbNMS8qM5IiHgbMbHptdit9dDT4+1UXoNn0/hUW6ZEMriHMDXv
231+iBwrzeANGAn5LEDYeDe1xPms9Is2uNxTpZVhpFZSNALR6Po68wDlTJG2PmzuBv5t
232+5mbzkpWCoD4fRU53ifsHgaTW+7Um74gWIf0erNIUZuTN2YrtEPTnb3k=
233+-----END RSA PRIVATE KEY-----
234+
235+# corresponding public key
236+PublicKey = RSA-2049-PUBLIC
237+-----BEGIN PUBLIC KEY-----
238+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEBVfiJVWoXdfHHp3hqULGL
239+woyemG7eVmfKs5uEEk6Q66dcHbCDrD5EO7qU3CNWD3XjqBaToqQ73HQm2MTq/mjI
240+XeD+dX9uSbue1EfmAkMIANuwTOsi5/pXoY0zj7ZgJs20Z+cMwEDn02fvQDx78ePf
241+YkZQCUYx8h6v0vtbyRX/BDeazRES9zLAtGYHwXjTiiD1LtpQny+cBAXVEGnoDM+U
242+FVTQRwRnUFw89UHqCJffyfQAzsspj/x1M3LZ9pM68XTMQO2W1GcDFzO5f4zd0/kr
243+w6A+qFdsQX8kAHteT3UBEFtUTen63N/635jftLsFuBmfP4Ws/ZH3qaCUuaOD9QSQ
244+lwIDAQAB
245+-----END PUBLIC KEY-----
246+
247+PrivPubKeyPair = RSA-2049:RSA-2049-PUBLIC
248+
249+# RSA decrypt
250+
251+# malformed that generates length specified by 3rd last value from PRF
252+Decrypt = RSA-2049
253+Input = 00b26f6404b82649629f2704494282443776929122e279a9cf30b0c6fe8122a0a9042870d97cc8ef65490fe58f031eb2442352191f5fbc311026b5147d32df914599f38b825ebb824af0d63f2d541a245c5775d1c4b78630e4996cc5fe413d38455a776cf4edcc0aa7fccb31c584d60502ed2b77398f536e137ff7ba6430e9258e21c2db5b82f5380f566876110ac4c759178900fbad7ab70ea07b1daf7a1639cbb4196543a6cbe8271f35dddb8120304f6eef83059e1c5c5678710f904a6d760c4d1d8ad076be17904b9e69910040b47914a0176fb7eea0c06444a6c4b86d674d19a556a1de5490373cb01ce31bbd15a5633362d3d2cd7d4af1b4c5121288b894
254+Output = 42
255+
256+# simple positive test case
257+Decrypt = RSA-2049
258+Input = 013300edbf0bb3571e59889f7ed76970bf6d57e1c89bbb6d1c3991d9df8e65ed54b556d928da7d768facb395bbcc81e9f8573b45cf8195dbd85d83a59281cddf4163aec11b53b4140053e3bd109f787a7c3cec31d535af1f50e0598d85d96d91ea01913d07097d25af99c67464ebf2bb396fb28a9233e56f31f7e105d71a23e9ef3b736d1e80e713d1691713df97334779552fc94b40dd733c7251bc522b673d3ec9354af3dd4ad44fa71c0662213a57ada1d75149697d0eb55c053aaed5ffd0b815832f454179519d3736fb4faf808416071db0d0f801aca8548311ee708c131f4be658b15f6b54256872c2903ac708bd43b017b073b5707bc84c2cd9da70e967
259+Output = "lorem ipsum"
260+
261+# positive test case with null padded ciphertext
262+Decrypt = RSA-2049
263+Input = 0002aadf846a329fadc6760980303dbd87bfadfa78c2015ce4d6c5782fd9d3f1078bd3c0a2c5bfbdd1c024552e5054d98b5bcdc94e476dd280e64d650089326542ce7c61d4f1ab40004c2e6a88a883613568556a10f3f9edeab67ae8dddc1e6b0831c2793d2715de943f7ce34c5c05d1b09f14431fde566d17e76c9feee90d86a2c158616ec81dda0c642f58c0ba8fa4495843124a7235d46fb4069715a51bf710fd024259131ba94da73597ace494856c94e7a3ec261545793b0990279b15fa91c7fd13dbfb1df2f221dab9fa9f7c1d21e48aa49f6aaecbabf5ee76dc6c2af2317ffb4e303115386a97f8729afc3d0c89419669235f1a3a69570e0836c79fc162
264+Output = "lorem ipsum"
265+
266+# positive test case with null truncated ciphertext
267+Decrypt = RSA-2049
268+Input = 02aadf846a329fadc6760980303dbd87bfadfa78c2015ce4d6c5782fd9d3f1078bd3c0a2c5bfbdd1c024552e5054d98b5bcdc94e476dd280e64d650089326542ce7c61d4f1ab40004c2e6a88a883613568556a10f3f9edeab67ae8dddc1e6b0831c2793d2715de943f7ce34c5c05d1b09f14431fde566d17e76c9feee90d86a2c158616ec81dda0c642f58c0ba8fa4495843124a7235d46fb4069715a51bf710fd024259131ba94da73597ace494856c94e7a3ec261545793b0990279b15fa91c7fd13dbfb1df2f221dab9fa9f7c1d21e48aa49f6aaecbabf5ee76dc6c2af2317ffb4e303115386a97f8729afc3d0c89419669235f1a3a69570e0836c79fc162
269+Output = "lorem ipsum"
270+
271+# positive test case with double null padded ciphertext
272+Decrypt = RSA-2049
273+Input = 0000f36da3b72d8ff6ded74e7efd08c01908f3f5f0de7b55eab92b5f875190809c39d4162e1e6649618f854fd84aeab03970d16bb814e999852c06de38d82b95c0f32e2a7b5714021fe303389be9c0eac24c90a6b7210f929d390fabf903d44e04110bb7a7fd6c383c275804721efa6d7c93aa64c0bb2b18d97c5220a846c66a4895ae52adddbe2a9996825e013585adcec4b32ba61d782737bd343e5fabd68e8a95b8b1340318559860792dd70dffbe05a1052b54cbfb48cfa7bb3c19cea52076bddac5c25ee276f153a610f6d06ed696d192d8ae4507ffae4e5bdda10a625d6b67f32f7cffcd48dee2431fe66f6105f9d17e611cdcc674868e81692a360f4052
274+Output = "lorem ipsum"
275+
276+# positive test case with double null truncated ciphertext
277+Decrypt = RSA-2049
278+Input = f36da3b72d8ff6ded74e7efd08c01908f3f5f0de7b55eab92b5f875190809c39d4162e1e6649618f854fd84aeab03970d16bb814e999852c06de38d82b95c0f32e2a7b5714021fe303389be9c0eac24c90a6b7210f929d390fabf903d44e04110bb7a7fd6c383c275804721efa6d7c93aa64c0bb2b18d97c5220a846c66a4895ae52adddbe2a9996825e013585adcec4b32ba61d782737bd343e5fabd68e8a95b8b1340318559860792dd70dffbe05a1052b54cbfb48cfa7bb3c19cea52076bddac5c25ee276f153a610f6d06ed696d192d8ae4507ffae4e5bdda10a625d6b67f32f7cffcd48dee2431fe66f6105f9d17e611cdcc674868e81692a360f4052
279+Output = "lorem ipsum"
280+
281+# a random negative test case that generates an 11 byte long message
282+Decrypt = RSA-2049
283+Input = 00f910200830fc8fff478e99e145f1474b312e2512d0f90b8cef77f8001d09861688c156d1cbaf8a8957f7ebf35f724466952d0524cad48aad4fba1e45ce8ea27e8f3ba44131b7831b62d60c0762661f4c1d1a88cd06263a259abf1ba9e6b0b172069afb86a7e88387726f8ab3adb30bfd6b3f6be6d85d5dfd044e7ef052395474a9cbb1c3667a92780b43a22693015af6c513041bdaf87d43b24ddd244e791eeaea1066e1f4917117b3a468e22e0f7358852bb981248de4d720add2d15dccba6280355935b67c96f9dcb6c419cc38ab9f6fba2d649ef2066e0c34c9f788ae49babd9025fa85b21113e56ce4f43aa134c512b030dd7ac7ce82e76f0be9ce09ebca
284+Output = 1189b6f5498fd6df532b00
285+
286+# otherwise correct plaintext, but with wrong first byte (0x01 instead of 0x00)
287+Decrypt = RSA-2049
288+Input = 002c9ddc36ba4cf0038692b2d3a1c61a4bb3786a97ce2e46a3ba74d03158aeef456ce0f4db04dda3fe062268a1711250a18c69778a6280d88e133a16254e1f0e30ce8dac9b57d2e39a2f7d7be3ee4e08aec2fdbe8dadad7fdbf442a29a8fb40857407bf6be35596b8eefb5c2b3f58b894452c2dc54a6123a1a38d642e23751746597e08d71ac92704adc17803b19e131b4d1927881f43b0200e6f95658f559f912c889b4cd51862784364896cd6e8618f485a992f82997ad6a0917e32ae5872eaf850092b2d6c782ad35f487b79682333c1750c685d7d32ab3e1538f31dcaa5e7d5d2825875242c83947308dcf63ba4bfff20334c9c140c837dbdbae7a8dee72ff
289+Output = f6d0f5b78082fe61c04674
290+
291+# otherwise correct plaintext, but with wrong second byte (0x01 instead of 0x02)
292+Decrypt = RSA-2049
293+Input = 00c5d77826c1ab7a34d6390f9d342d5dbe848942e2618287952ba0350d7de6726112e9cebc391a0fae1839e2bf168229e3e0d71d4161801509f1f28f6e1487ca52df05c466b6b0a6fbbe57a3268a970610ec0beac39ec0fa67babce1ef2a86bf77466dc127d7d0d2962c20e66593126f276863cd38dc6351428f884c1384f67cad0a0ffdbc2af16711fb68dc559b96b37b4f04cd133ffc7d79c43c42ca4948fa895b9daeb853150c8a5169849b730cc77d68b0217d6c0e3dbf38d751a1998186633418367e7576530566c23d6d4e0da9b038d0bb5169ce40133ea076472d055001f0135645940fd08ea44269af2604c8b1ba225053d6db9ab43577689401bdc0f3
294+Output = 1ab287fcef3ff17067914d
295+
296+# RSA decrypt with 3072 bit keys
297+PrivateKey = RSA-3072
298+-----BEGIN RSA PRIVATE KEY-----
299+MIIG5AIBAAKCAYEAr9ccqtXp9bjGw2cHCkfxnX5mrt4YpbJ0H7PE0zQ0VgaSotkJ
300+72iI7GAv9rk68ljudDA8MBr81O2+xDMR3cjdvwDdu+OG0zuNDiKxtEk23EiYcbhS
301+N7NM50etj9sMTk0dqnqt8HOFxchzLMt9Wkni5QyIPH16wQ7Wp02ayQ35EpkFoX1K
302+CHIQ/Hi20EseuWlILBGm7recUOWxbz8lT3VxUosvFxargW1uygcnveqYBZMpcw64
303+wzznHWHdSsOTtiVuB6wdEk8CANHD4FpMG8fx7S/IPlcZnP5ZCLEAh+J/vZfSwkIU
304+YZxxR8j778o5vCVnYqaCNTH34jTWjq56DZ+vEN0V6VI3gMfVrlgJStUlqQY7TDP5
305+XhAG2i6xLTdDaJSVwfICPkBzU8XrPkyhxIz/gaEJANFIIOuAGvTxpZbEuc6aUx/P
306+ilTZ/9ckJYtu7CAQjfb9/XbUrgO6fqWY3LDkooCElYcob01/JWzoXl61Z5sdrMH5
307+CVZJty5foHKusAN5AgMBAAECggGAJRfqyzr+9L/65gOY35lXpdKhVKgzaNjhWEKy
308+9Z7gn3kZe9LvHprdr4eG9rQSdEdAXjBCsh8vULeqc3cWgMO7y2wiWl1f9rVsRxwY
309+gqCjOwrxZaPtbCSdx3g+a8dYrDfmVy0z/jJQeO2VJlDy65YEkC75mlEaERnRPE/J
310+pDoXXc37+xoUAP4XCTtpzTzbiV9lQy6iGV+QURxzNrWKaF2s/y2vTF6S5WWxZlrm
311+DlErqplluAjV/xGc63zWksv5IAZ6+s2An2a+cG2iaBCseQ2xVslI5v5YG8mEkVf0
312+2kk/OmSwxuEZ4DGxB/hDbOKRYLRYuPnxCV/esZJjOE/1OHVXvE8QtANN6EFwO60s
313+HnacI4U+tjCjbRBh3UbipruvdDqX8LMsNvUMGjci3vOjlNkcLgeL8J15Xs3l5WuC
314+Avl0Am91/FbpoN1qiPLny3jvEpjMbGUgfKRb03GIgHtPzbHmDdjluFZI+376i2/d
315+RI85dBqNmAn+Fjrz3kW6wkpahByBAoHBAOSj2DDXPosxxoLidP/J/RKsMT0t0FE9
316+UFcNt+tHYv6hk+e7VAuUqUpd3XQqz3P13rnK4xvSOsVguyeU/WgmH4ID9XGSgpBP
317+Rh6s7izn4KAJeqfI26vTPxvyaZEqB4JxT6k7SerENus95zSn1v/f2MLBQ16EP8cJ
318++QSOVCoZfEhUK+srherQ9eZKpj0OwBUrP4VhLdymv96r8xddWX1AVj4OBi2RywKI
319+gAgv6fjwkb292jFu6x6FjKRNKwKK6c3jqQKBwQDE4c0Oz0KYYV4feJun3iL9UJSv
320+StGsKVDuljA4WiBAmigMZTii/u0DFEjibiLWcJOnH53HTr0avA6c6D1nCwJ2qxyF
321+rHNN2L+cdMx/7L1zLR11+InvRgpIGbpeGwHeIzJVUYG3b6llRJMZimBvAMr9ipM1
322+bkVvIjt1G9W1ypeuKzm6d/t8F0yC7AIYZWDV4nvxiiY8whLZzGawHR2iZz8pfUwb
323+7URbTvxdsGE27Kq9gstU0PzEJpnU1goCJ7/gA1ECgcBA8w5B6ZM5xV0H5z6nPwDm
324+IgYmw/HucgV1hU8exfuoK8wxQvTACW4B0yJKkrK11T1899aGG7VYRn9D4j4OLO48
325+Z9V8esseJXbc1fEezovvymGOci984xiFXtqAQzk44+lmQJJh33VeZApe2eLocvVH
326+ddEmc1kOuJWFpszf3LeCcG69cnKrXsrLrZ8Frz//g3aa9B0sFi5hGeWHWJxISVN2
327+c1Nr9IN/57i/GqVTcztjdCAcdM7Tr8phDg7OvRlnxGkCgcEAuYhMFBuulyiSaTff
328+/3ZvJKYOJ45rPkEFGoD/2ercn+RlvyCYGcoAEjnIYVEGlWwrSH+b0NlbjVkQsD6O
329+to8CeE/RpgqX8hFCqC7NE/RFp8cpDyXy3j/zqnRMUyhCP1KNuScBBZs9V8gikxv6
330+ukBWCk3PYbeTySHKRBbB8vmCrMfhM96jaBIQsQO1CcZnVceDo1/bnsAIwaREVMxr
331+Q8LmG7QOx/Z0x1MMsUFoqzilwccC09/JgxMZPh+h+Nv6jiCxAoHBAOEqQgFAfSdR
332+ya60LLH55q803NRFMamuKiPbVJLzwiKfbjOiiopmQOS/LxxqIzeMXlYV4OsSvxTo
333+G7mcTOFRtU5hKCK+t8qeQQpa/dsMpiHllwArnRyBjIVgL5lFKRpHUGLsavU/T1IH
334+mtgaxZo32dXvcAh1+ndCHVBwbHTOF4conA+g+Usp4bZSSWn5nU4oIizvSVpG7SGe
335+0GngdxH9Usdqbvzcip1EKeHRTZrHIEYmB+x0LaRIB3dwZNidK3TkKw==
336+-----END RSA PRIVATE KEY-----
337+
338+PublicKey = RSA-3072-PUBLIC
339+-----BEGIN PUBLIC KEY-----
340+MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAr9ccqtXp9bjGw2cHCkfx
341+nX5mrt4YpbJ0H7PE0zQ0VgaSotkJ72iI7GAv9rk68ljudDA8MBr81O2+xDMR3cjd
342+vwDdu+OG0zuNDiKxtEk23EiYcbhSN7NM50etj9sMTk0dqnqt8HOFxchzLMt9Wkni
343+5QyIPH16wQ7Wp02ayQ35EpkFoX1KCHIQ/Hi20EseuWlILBGm7recUOWxbz8lT3Vx
344+UosvFxargW1uygcnveqYBZMpcw64wzznHWHdSsOTtiVuB6wdEk8CANHD4FpMG8fx
345+7S/IPlcZnP5ZCLEAh+J/vZfSwkIUYZxxR8j778o5vCVnYqaCNTH34jTWjq56DZ+v
346+EN0V6VI3gMfVrlgJStUlqQY7TDP5XhAG2i6xLTdDaJSVwfICPkBzU8XrPkyhxIz/
347+gaEJANFIIOuAGvTxpZbEuc6aUx/PilTZ/9ckJYtu7CAQjfb9/XbUrgO6fqWY3LDk
348+ooCElYcob01/JWzoXl61Z5sdrMH5CVZJty5foHKusAN5AgMBAAE=
349+-----END PUBLIC KEY-----
350+
351+PrivPubKeyPair = RSA-3072:RSA-3072-PUBLIC
352+
353+# a random invalid ciphertext that generates an empty synthethic one
354+Decrypt = RSA-3072
355+Input = 5e956cd9652f4a2ece902931013e09662b6a9257ad1e987fb75f73a0606df2a4b04789770820c2e02322c4e826f767bd895734a01e20609c3be4517a7a2a589ea1cdc137beb73eb38dac781b52e863de9620f79f9b90fd5b953651fcbfef4a9f1cc07421d511a87dd6942caab6a5a0f4df473e62defb529a7de1509ab99c596e1dff1320402298d8be73a896cc86c38ae3f2f576e9ea70cc28ad575cb0f854f0be43186baa9c18e29c47c6ca77135db79c811231b7c1730955887d321fdc06568382b86643cf089b10e35ab23e827d2e5aa7b4e99ff2e914f302351819eb4d1693243b35f8bf1d42d08f8ec4acafa35f747a4a975a28643ec630d8e4fa5be59d81995660a14bb64c1fea5146d6b11f92da6a3956dd5cb5e0d747cf2ea23f81617769185336263d46ef4c144b754de62a6337342d6c85a95f19f015724546ee3fc4823eca603dbc1dc01c2d5ed50bd72d8e96df2dc048edde0081284068283fc5e73a6139851abf2f29977d0b3d160c883a42a37efba1be05c1a0b1741d7ddf59
356+Output =
357+
358+# a random invalid that has PRF output with a length one byte too long
359+# in the last value
360+Decrypt = RSA-3072
361+Input = 7db0390d75fcf9d4c59cf27b264190d856da9abd11e92334d0e5f71005cfed865a711dfa28b791188374b61916dbc11339bf14b06f5f3f68c206c5607380e13da3129bfb744157e1527dd6fdf6651248b028a496ae1b97702d44706043cdaa7a59c0f41367303f21f268968bf3bd2904db3ae5239b55f8b438d93d7db9d1666c071c0857e2ec37757463769c54e51f052b2a71b04c2869e9e7049a1037b8429206c99726f07289bac18363e7eb2a5b417f47c37a55090cda676517b3549c873f2fe95da9681752ec9864b069089a2ed2f340c8b04ee00079055a817a3355b46ac7dc00d17f4504ccfbcfcadb0c04cb6b22069e179385ae1eafabad5521bac2b8a8ee1dfff59a22eb3fdacfc87175d10d7894cfd869d056057dd9944b869c1784fcc27f731bc46171d39570fbffbadf082d33f6352ecf44aca8d9478e53f5a5b7c852b401e8f5f74da49da91e65bdc97765a9523b7a0885a6f8afe5759d58009fbfa837472a968e6ae92026a5e0202a395483095302d6c3985b5f5831c521a271
362+Output = 56a3bea054e01338be9b7d7957539c
363+
364+# a random invalid that generates a synthethic of maximum size
365+Decrypt = RSA-3072
366+Input = 1715065322522dff85049800f6a29ab5f98c465020467414b2a44127fe9446da47fa18047900f99afe67c2df6f50160bb8e90bff296610fde632b3859d4d0d2e644f23835028c46cca01b84b88231d7e03154edec6627bcba23de76740d839851fa12d74c8f92e540c73fe837b91b7d699b311997d5f0f7864c486d499c3a79c111faaacbe4799597a25066c6200215c3d158f3817c1aa57f18bdaad0be1658da9da93f5cc6c3c4dd72788af57adbb6a0c26f42d32d95b8a4f95e8c6feb2f8a5d53b19a50a0b7cbc25e055ad03e5ace8f3f7db13e57759f67b65d143f08cca15992c6b2aae643390483de111c2988d4e76b42596266005103c8de6044fb7398eb3c28a864fa672de5fd8774510ff45e05969a11a4c7d3f343e331190d2dcf24fb9154ba904dc94af98afc5774a9617d0418fe6d13f8245c7d7626c176138dd698a23547c25f27c2b98ea4d8a45c7842b81888e4cc14e5b72e9cf91f56956c93dbf2e5f44a8282a7813157fc481ff1371a0f66b31797e81ebdb09a673d4db96d6
367+Output = 7b036fcd6243900e4236c894e2462c17738acc87e01a76f4d95cb9a328d9acde81650283b8e8f60a217e3bdee835c7b222ad4c85d0acdb9a309bd2a754609a65dec50f3aa04c6d5891034566b9563d42668ede1f8992b17753a2132e28970584e255efc8b45a41c5dbd7567f014acec5fe6fdb6d484790360a913ebb9defcd74ff377f2a8ba46d2ed85f733c9a3da08eb57ecedfafda806778f03c66b2c5d2874cec1c291b2d49eb194c7b5d0dd2908ae90f4843268a2c45563092ade08acb6ab481a08176102fc803fbb2f8ad11b0e1531bd37df543498daf180b12017f4d4d426ca29b4161075534bfb914968088a9d13785d0adc0e2580d3548494b2a9e91605f2b27e6cc701c796f0de7c6f471f6ab6cb9272a1ed637ca32a60d117505d82af3c1336104afb537d01a8f70b510e1eebf4869cb976c419473795a66c7f5e6e20a8094b1bb603a74330c537c5c0698c31538bd2e138c1275a1bdf24c5fa8ab3b7b526324e7918a382d1363b3d463764222150e04
368+
369+# a positive test case that decrypts to 9 byte long value
370+Decrypt = RSA-3072
371+Input = 6c60845a854b4571f678941ae35a2ac03f67c21e21146f9db1f2306be9f136453b86ad55647d4f7b5c9e62197aaff0c0e40a3b54c4cde14e774b1c5959b6c2a2302896ffae1f73b00b862a20ff4304fe06cea7ff30ecb3773ca9af27a0b54547350d7c07dfb0a39629c7e71e83fc5af9b2adbaf898e037f1de696a3f328cf45af7ec9aff7173854087fb8fbf34be981efbd8493f9438d1b2ba2a86af082662aa46ae9adfbec51e5f3d9550a4dd1dcb7c8969c9587a6edc82a8cabbc785c40d9fbd12064559fb769450ac3e47e87bc046148130d7eaa843e4b3ccef3675d0630500803cb7ffee3882378c1a404e850c3e20707bb745e42b13c18786c4976076ed9fa8fd0ff15e571bef02cbbe2f90c908ac3734a433b73e778d4d17fcc28f49185ebc6e8536a06d293202d94496453bfdf1c2c7833a3f99fa38ca8a81f42eaa529d603b890308a319c0ab63a35ff8ebac965f6278f5a7e5d622be5d5fe55f0ca3ec993d55430d2bf59c5d3e860e90c16d91a04596f6fdf60d89ed95d88c036dde
372+Output = "forty two"
373+
374+# a positive test case with null padded ciphertext
375+Decrypt = RSA-3072
376+Input = 00f4d565a3286784dbb85327db8807ae557ead229f92aba945cecda5225f606a7d6130edeeb6f26724d1eff1110f9eb18dc3248140ee3837e6688391e78796c526791384f045e21b6b853fb6342a11f309eb77962f37ce23925af600847fbd30e6e07e57de50b606e6b7f288cc777c1a6834f27e6edace508452128916eef7788c8bb227e3548c6a761cc4e9dd1a3584176dc053ba3500adb1d5e1611291654f12dfc5722832f635db3002d73f9defc310ace62c63868d341619c7ee15b20243b3371e05078e11219770c701d9f341af35df1bc729de294825ff2e416aa11526612852777eb131f9c45151eb144980d70608d2fc4043477368369aa0fe487a48bd57e66b00c3c58f941549f5ec050fca64449debe7a0c4ac51e55cb71620a70312aa4bd85fac1410c9c7f9d6ec610b7d11bf8faeffa20255d1a1bead9297d0aa8765cd2805847d639bc439f4a6c896e2008f746f9590ff4596de5ddde000ed666c452c978043ff4298461eb5a26d5e63d821438627f91201924bf7f2aeee1727
377+Output = "forty two"
378+
379+# a positive test case with null truncated ciphertext
380+Decrypt = RSA-3072
381+Input = f4d565a3286784dbb85327db8807ae557ead229f92aba945cecda5225f606a7d6130edeeb6f26724d1eff1110f9eb18dc3248140ee3837e6688391e78796c526791384f045e21b6b853fb6342a11f309eb77962f37ce23925af600847fbd30e6e07e57de50b606e6b7f288cc777c1a6834f27e6edace508452128916eef7788c8bb227e3548c6a761cc4e9dd1a3584176dc053ba3500adb1d5e1611291654f12dfc5722832f635db3002d73f9defc310ace62c63868d341619c7ee15b20243b3371e05078e11219770c701d9f341af35df1bc729de294825ff2e416aa11526612852777eb131f9c45151eb144980d70608d2fc4043477368369aa0fe487a48bd57e66b00c3c58f941549f5ec050fca64449debe7a0c4ac51e55cb71620a70312aa4bd85fac1410c9c7f9d6ec610b7d11bf8faeffa20255d1a1bead9297d0aa8765cd2805847d639bc439f4a6c896e2008f746f9590ff4596de5ddde000ed666c452c978043ff4298461eb5a26d5e63d821438627f91201924bf7f2aeee1727
382+Output = "forty two"
383+
384+# a positive test case with double null padded ciphertext
385+Decrypt = RSA-3072
386+Input = 00001ec97ac981dfd9dcc7a7389fdfa9d361141dac80c23a060410d472c16094e6cdffc0c3684d84aa402d7051dfccb2f6da33f66985d2a259f5b7fbf39ac537e95c5b7050eb18844a0513abef812cc8e74a3c5240009e6e805dcadf532bc1a2702d5acc9e585fad5b89d461fcc1397351cdce35171523758b171dc041f412e42966de7f94856477356d06f2a6b40e3ff0547562a4d91bbf1338e9e049facbee8b20171164505468cd308997447d3dc4b0acb49e7d368fedd8c734251f30a83491d2506f3f87318cc118823244a393dc7c5c739a2733d93e1b13db6840a9429947357f47b23fbe39b7d2d61e5ee26f9946c4632f6c4699e452f412a26641d4751135400713cd56ec66f0370423d55d2af70f5e7ad0adea8e4a0d904a01e4ac272eba4af1a029dd53eb71f115bf31f7a6c8b19a6523adeecc0d4c3c107575e38572a8f8474ccad163e46e2e8b08111132aa97a16fb588c9b7e37b3b3d7490381f3c55d1a9869a0fd42cd86fed59ecec78cb6b2dfd06a497f5afe3419691314ba0
387+Output = "forty two"
388+
389+# a positive test case with double null truncated ciphertext
390+Decrypt = RSA-3072
391+Input = 1ec97ac981dfd9dcc7a7389fdfa9d361141dac80c23a060410d472c16094e6cdffc0c3684d84aa402d7051dfccb2f6da33f66985d2a259f5b7fbf39ac537e95c5b7050eb18844a0513abef812cc8e74a3c5240009e6e805dcadf532bc1a2702d5acc9e585fad5b89d461fcc1397351cdce35171523758b171dc041f412e42966de7f94856477356d06f2a6b40e3ff0547562a4d91bbf1338e9e049facbee8b20171164505468cd308997447d3dc4b0acb49e7d368fedd8c734251f30a83491d2506f3f87318cc118823244a393dc7c5c739a2733d93e1b13db6840a9429947357f47b23fbe39b7d2d61e5ee26f9946c4632f6c4699e452f412a26641d4751135400713cd56ec66f0370423d55d2af70f5e7ad0adea8e4a0d904a01e4ac272eba4af1a029dd53eb71f115bf31f7a6c8b19a6523adeecc0d4c3c107575e38572a8f8474ccad163e46e2e8b08111132aa97a16fb588c9b7e37b3b3d7490381f3c55d1a9869a0fd42cd86fed59ecec78cb6b2dfd06a497f5afe3419691314ba0
392+Output = "forty two"
393+
394+# a random negative test case that generates a 9 byte long message
395+Decrypt = RSA-3072
396+Input = 5c8555f5cef627c15d37f85c7f5fd6e499264ea4b8e3f9112023aeb722eb38d8eac2be3751fd5a3785ab7f2d59fa3728e5be8c3de78a67464e30b21ee23b5484bb3cd06d0e1c6ad25649c8518165653eb80488bfb491b20c04897a6772f69292222fc5ef50b5cf9efc6d60426a449b6c489569d48c83488df629d695653d409ce49a795447fcec2c58a1a672e4a391401d428baaf781516e11e323d302fcf20f6eab2b2dbe53a48c987e407c4d7e1cb41131329138313d330204173a4f3ff06c6fadf970f0ed1005d0b27e35c3d11693e0429e272d583e57b2c58d24315c397856b34485dcb077665592b747f889d34febf2be8fce66c265fd9fc3575a6286a5ce88b4b413a08efc57a07a8f57a999605a837b0542695c0d189e678b53662ecf7c3d37d9dbeea585eebfaf79141118e06762c2381fe27ca6288edddc19fd67cd64f16b46e06d8a59ac530f22cd83cc0bc4e37feb52015cbb2283043ccf5e78a4eb7146827d7a466b66c8a4a4826c1bad68123a7f2d00fc1736525ff90c058f56
397+Output = 257906ca6de8307728
398+
399+# a random negative test case that generates a 9 byte long message based on
400+# second to last value from PRF
401+Decrypt = RSA-3072
402+Input = 758c215aa6acd61248062b88284bf43c13cb3b3d02410be4238607442f1c0216706e21a03a2c10eb624a63322d854da195c017b76fea83e274fa371834dcd2f3b7accf433fc212ad76c0bac366e1ed32e25b279f94129be7c64d6e162adc08ccebc0cfe8e926f01c33ab9c065f0e0ac83ae5137a4cb66702615ad68a35707d8676d2740d7c1a954680c83980e19778ed11eed3a7c2dbdfc461a9bbef671c1bc00c882d361d29d5f80c42bdf5efec886c34138f83369c6933b2ac4e93e764265351b4a0083f040e14f511f09b22f96566138864e4e6ff24da4810095da98e0585410951538ced2f757a277ff8e17172f06572c9024eeae503f176fd46eb6c5cd9ba07af11cde31dccac12eb3a4249a7bfd3b19797ad1656984bfcbf6f74e8f99d8f1ac420811f3d166d87f935ef15ae858cf9e72c8e2b547bf16c3fb09a8c9bf88fd2e5d38bf24ed610896131a84df76b9f920fe76d71fff938e9199f3b8cd0c11fd0201f9139d7673a871a9e7d4adc3bbe360c8813617cd60a90128fbe34c9d5
403+Output = 043383c929060374ed
404+
405+# a random negative test that generates message based on 3rd last value from
406+# PRF
407+Decrypt = RSA-3072
408+Input = 7b22d5e62d287968c6622171a1f75db4b0fd15cdf3134a1895d235d56f8d8fe619f2bf4868174a91d7601a82975d2255190d28b869141d7c395f0b8c4e2be2b2c1b4ffc12ce749a6f6803d4cfe7fba0a8d6949c04151f981c0d84592aa2ff25d1bd3ce5d10cb03daca6b496c6ad40d30bfa8acdfd02cdb9326c4bdd93b949c9dc46caa8f0e5f429785bce64136a429a3695ee674b647452bea1b0c6de9c5f1e8760d5ef6d5a9cfff40457b023d3c233c1dcb323e7808103e73963b2eafc928c9eeb0ee3294955415c1ddd9a1bb7e138fecd79a3cb89c57bd2305524624814aaf0fd1acbf379f7f5b39421f12f115ba488d380586095bb53f174fae424fa4c8e3b299709cd344b9f949b1ab57f1c645d7ed3c8f81d5594197355029fee8960970ff59710dc0e5eb50ea6f4c3938e3f89ed7933023a2c2ddffaba07be147f686828bd7d520f300507ed6e71bdaee05570b27bc92741108ac2eb433f028e138dd6d63067bc206ea2d826a7f41c0d613daed020f0f30f4e272e9618e0a8c39018a83
409+Output = 70263fa6050534b9e0
410+
411+# an otherwise valid plaintext, but with wrong first byte (0x01 instead of 0x00)
412+Decrypt = RSA-3072
413+Input = 6db80adb5ff0a768caf1378ecc382a694e7d1bde2eff4ba12c48aaf794ded7a994a5b2b57acec20dbec4ae385c9dd531945c0f197a5496908725fc99d88601a17d3bb0b2d38d2c1c3100f39955a4cb3dbed5a38bf900f23d91e173640e4ec655c84fdfe71fcdb12a386108fcf718c9b7af37d39703e882436224c877a2235e8344fba6c951eb7e2a4d1d1de81fb463ac1b880f6cc0e59ade05c8ce35179ecd09546731fc07b141d3d6b342a97ae747e61a9130f72d37ac5a2c30215b6cbd66c7db893810df58b4c457b4b54f34428247d584e0fa71062446210db08254fb9ead1ba1a393c724bd291f0cf1a7143f32df849051dc896d7d176fef3b57ab6dffd626d0c3044e9edb2e3d012ace202d2581df01bec7e9aa0727a6650dd373d374f0bc0f4a611f8139dfe97d63e70c6188f4df5b672e47c51d8aa567097293fbff127c75ec690b43407578b73c85451710a0cece58fd497d7f7bd36a8a92783ef7dc6265dff52aac8b70340b996508d39217f2783ce6fc91a1cc94bb2ac487b84f62
414+Output = 6d8d3a094ff3afff4c
415+
416+# an otherwise valid plaintext, but with wrong second byte (0x01 instead of 0x02)
417+Decrypt = RSA-3072
418+Input = 417328c034458563079a4024817d0150340c34e25ae16dcad690623f702e5c748a6ebb3419ff48f486f83ba9df35c05efbd7f40613f0fc996c53706c30df6bba6dcd4a40825f96133f3c21638a342bd4663dffbd0073980dac47f8c1dd8e97ce1412e4f91f2a8adb1ac2b1071066efe8d718bbb88ca4a59bd61500e826f2365255a409bece0f972df97c3a55e09289ef5fa815a2353ef393fd1aecfc888d611c16aec532e5148be15ef1bf2834b8f75bb26db08b66d2baad6464f8439d1986b533813321dbb180080910f233bcc4dd784fb21871aef41be08b7bfad4ecc3b68f228cb5317ac6ec1227bc7d0e452037ba918ee1da9fdb8393ae93b1e937a8d4691a17871d5092d2384b6190a53df888f65b951b05ed4ad57fe4b0c6a47b5b22f32a7f23c1a234c9feb5d8713d949686760680da4db454f4acad972470033472b9864d63e8d23eefc87ebcf464ecf33f67fbcdd48eab38c5292586b36aef5981ed2fa07b2f9e23fc57d9eb71bfff4111c857e9fff23ceb31e72592e70c874b4936
419+Output = c6ae80ffa80bc184b0
420+
421+# an otherwise valid plaintext, but with zero byte in first byte of padding
422+Decrypt = RSA-3072
423+Input = 8542c626fe533467acffcd4e617692244c9b5a3bf0a215c5d64891ced4bf4f9591b4b2aedff9843057986d81631b0acb3704ec2180e5696e8bd15b217a0ec36d2061b0e2182faa3d1c59bd3f9086a10077a3337a3f5da503ec3753535ffd25b837a12f2541afefd0cffb0224b8f874e4bed13949e105c075ed44e287c5ae03b155e06b90ed247d2c07f1ef3323e3508cce4e4074606c54172ad74d12f8c3a47f654ad671104bf7681e5b061862747d9afd37e07d8e0e2291e01f14a95a1bb4cbb47c304ef067595a3947ee2d722067e38a0f046f43ec29cac6a8801c6e3e9a2331b1d45a7aa2c6af3205be382dd026e389614ee095665a611ab2e8dced2ee1c9d08ac9de11aef5b3803fc9a9ce8231ec87b5fed386fb92ee3db995a89307bcba844bd0a691c29ae51216e949dfc813133cb06a07265fd807bcb3377f6adb0a481d9b7f442003115895939773e6b95371c4febef29edae946fa245e7c50729e2e558cfaad773d1fd5f67b457a6d9d17a847c6fcbdb103a86f35f228cefc06cea0
424+Output = a8a9301daa01bb25c7
425+
426+# an otherwise valid plaintext, but with zero byte in eight byte of padding
427+Decrypt = RSA-3072
428+Input = 449dfa237a70a99cb0351793ec8677882021c2aa743580bf6a0ea672055cffe8303ac42855b1d1f3373aae6af09cb9074180fc963e9d1478a4f98b3b4861d3e7f0aa8560cf603711f139db77667ca14ba3a1acdedfca9ef4603d6d7eb0645bfc805304f9ad9d77d34762ce5cd84bd3ec9d35c30e3be72a1e8d355d5674a141b5530659ad64ebb6082e6f73a80832ab6388912538914654d34602f4b3b1c78589b4a5d964b2efcca1dc7004c41f6cafcb5a7159a7fc7c0398604d0edbd4c8f4f04067da6a153a05e7cbeea13b5ee412400ef7d4f3106f4798da707ec37a11286df2b7a204856d5ff773613fd1e453a7114b78e347d3e8078e1cb3276b3562486ba630bf719697e0073a123c3e60ebb5c7a1ccff4279faffa2402bc1109f8d559d6766e73591943dfcf25ba10c3762f02af85187799b8b4b135c3990793a6fd32642f1557405ba55cc7cf7336a0e967073c5fa50743f9cc5e3017c172d9898d2af83345e71b3e0c22ab791eacb6484a32ec60ebc226ec9deaee91b1a0560c2b571
429+Output = 6c716fe01d44398018
430+
431+# an otherwise valid plaintext, but with null separator missing
432+Decrypt = RSA-3072
433+Input = a7a5c99e50da48769ecb779d9abe86ef9ec8c38c6f43f17c7f2d7af608a4a1bd6cf695b47e97c191c61fb5a27318d02f495a176b9fae5a55b5d3fabd1d8aae4957e3879cb0c60f037724e11be5f30f08fc51c033731f14b44b414d11278cd3dba7e1c8bfe208d2b2bb7ec36366dacb6c88b24cd79ab394adf19dbbc21dfa5788bacbadc6a62f79cf54fd8cf585c615b5c0eb94c35aa9de25321c8ffefb8916bbaa2697cb2dd82ee98939df9b6704cee77793edd2b4947d82e00e5749664970736c59a84197bd72b5c71e36aae29cd39af6ac73a368edbc1ca792e1309f442aafcd77c992c88f8e4863149f221695cb7b0236e75b2339a02c4ea114854372c306b9412d8eedb600a31532002f2cea07b4df963a093185e4607732e46d753b540974fb5a5c3f9432df22e85bb17611370966c5522fd23f2ad3484341ba7fd8885fc8e6d379a611d13a2aca784fba2073208faad2137bf1979a0fa146c1880d4337db3274269493bab44a1bcd0681f7227ffdf589c2e925ed9d36302509d1109ba4
434+Output = aa2de6cde4e2442884
435+
436 # RSA PSS key tests
437
438 # PSS only key, no parameter restrictions
439--
4402.34.1
441
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-5.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-5.patch
new file mode 100644
index 0000000000..f4650de5de
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-5.patch
@@ -0,0 +1,284 @@
1From c693522a96b6fb2bb4b55a53d86550811bc0d7df Mon Sep 17 00:00:00 2001
2From: Hubert Kario <hkario@redhat.com>
3Date: Thu, 3 Nov 2022 17:45:58 +0100
4Subject: [PATCH] rsa: Skip the synthethic plaintext test with old FIPS
5 provider
6
7since the 3.0.0 FIPS provider doesn't implement the Bleichenbacher
8workaround, the decryption fails instead of providing a synthetic
9plaintext, so skip them then
10
11CVE: CVE-2023-50781
12
13Upstream-Status: Backport [https://github.com/openssl/openssl/commit/ddecbef6e389d263b728b7fa30fd3d9ce13feddb]
14
15Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
16Reviewed-by: Tim Hudson <tjh@openssl.org>
17Reviewed-by: Tomas Mraz <tomas@openssl.org>
18(Merged from https://github.com/openssl/openssl/pull/13817)
19Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
20---
21 .../30-test_evp_data/evppkey_rsa_common.txt | 66 ++++++++++++++++++-
22 1 file changed, 63 insertions(+), 3 deletions(-)
23
24diff --git a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
25index d569e78..4bd7c72 100644
26--- a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
27+++ b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
28@@ -253,12 +253,12 @@ Decrypt = RSA-2048
29 Input = 550AF55A2904E7B9762352F8FB7FA235A9CB053AACB2D5FCB8CA48453CB2EE3619746C701ABF2D4CC67003471A187900B05AA812BD25ED05C675DFC8C97A24A7BF49BD6214992CAD766D05A9A2B57B74F26A737E0237B8B76C45F1F226A836D7CFBC75BA999BDBE48DBC09227AA46C88F21DCCBA7840141AD5A5D71FD122E6BD6AC3E564780DFE623FC1CA9B995A6037BF0BBD43B205A84AC5444F34202C05CE9113087176432476576DE6FFFF9A52EA57C08BE3EC2F49676CB8E12F762AC71FA3C321E00AC988910C85FF52F93825666CE0D40FFAA0592078919D4493F46D95CCF76364C6D57760DD0B64805F9AFC76A2365A5575CA301D5103F0EA76CB9A78
30 Output = "Hello World"
31
32+# The old FIPS provider doesn't include the workaround (#13817)
33+FIPSversion = >3.0.0
34 # Corrupted ciphertext
35-FIPSversion = <3.2.0
36 Decrypt = RSA-2048
37 Input = 550AF55A2904E7B9762352F8FB7FA235A9CB053AACB2D5FCB8CA48453CB2EE3619746C701ABF2D4CC67003471A187900B05AA812BD25ED05C675DFC8C97A24A7BF49BD6214992CAD766D05A9A2B57B74F26A737E0237B8B76C45F1F226A836D7CFBC75BA999BDBE48DBC09227AA46C88F21DCCBA7840141AD5A5D71FD122E6BD6AC3E564780DFE623FC1CA9B995A6037BF0BBD43B205A84AC5444F34202C05CE9113087176432476576DE6FFFF9A52EA57C08BE3EC2F49676CB8E12F762AC71FA3C321E00AC988910C85FF52F93825666CE0D40FFAA0592078919D4493F46D95CCF76364C6D57760DD0B64805F9AFC76A2365A5575CA301D5103F0EA76CB9A79
38-Output = "Hello World"
39-Result = KEYOP_ERROR
40+Output = 4cbb988d6a46228379132b0b5f8c249b3860043848c93632fb982c807c7c82fffc7a9ef83f4908f890373ac181ffea6381e103bcaa27e65638b6ecebef38b59ed4226a9d12af675cfcb634d8c40e7a7aff
41
42 # OAEP padding
43 Decrypt = RSA-2048
44@@ -330,21 +330,29 @@ Decrypt = RSA-2048-2
45 Input = 8bfe264e85d3bdeaa6b8851b8e3b956ee3d226fd3f69063a86880173a273d9f283b2eebdd1ed35f7e02d91c571981b6737d5320bd8396b0f3ad5b019daec1b0aab3cbbc026395f4fd14f13673f2dfc81f9b660ec26ac381e6db3299b4e460b43fab9955df2b3cfaa20e900e19c856238fd371899c2bf2ce8c868b76754e5db3b036533fd603746be13c10d4e3e6022ebc905d20c2a7f32b215a4cd53b3f44ca1c327d2c2b651145821c08396c89071f665349c25e44d2733cd9305985ceef6430c3cf57af5fa224089221218fa34737c79c446d28a94c41c96e4e92ac53fbcf384dea8419ea089f8784445a492c812eb0d409467f75afd7d4d1078886205a066
46 Output = "lorem ipsum dolor sit amet"
47
48+# The old FIPS provider doesn't include the workaround (#13817)
49+FIPSversion = >3.0.0
50 # a random negative test case decrypting to empty
51 Decrypt = RSA-2048-2
52 Input = 20aaa8adbbc593a924ba1c5c7990b5c2242ae4b99d0fe636a19a4cf754edbcee774e472fe028160ed42634f8864900cb514006da642cae6ae8c7d087caebcfa6dad1551301e130344989a1d462d4164505f6393933450c67bc6d39d8f5160907cabc251b737925a1cf21e5c6aa5781b7769f6a2a583d97cce008c0f8b6add5f0b2bd80bee60237aa39bb20719fe75749f4bc4e42466ef5a861ae3a92395c7d858d430bfe38040f445ea93fa2958b503539800ffa5ce5f8cf51fa8171a91f36cb4f4575e8de6b4d3f096ee140b938fd2f50ee13f0d050222e2a72b0a3069ff3a6738e82c87090caa5aed4fcbe882c49646aa250b98f12f83c8d528113614a29e7
53 Output =
54
55+# The old FIPS provider doesn't include the workaround (#13817)
56+FIPSversion = >3.0.0
57 # invalid decrypting to max length message
58 Decrypt = RSA-2048-2
59 Input = 48cceab10f39a4db32f60074feea473cbcdb7accf92e150417f76b44756b190e843e79ec12aa85083a21f5437e7bad0a60482e601198f9d86923239c8786ee728285afd0937f7dde12717f28389843d7375912b07b991f4fdb0190fced8ba665314367e8c5f9d2981d0f5128feeb46cb50fc237e64438a86df198dd0209364ae3a842d77532b66b7ef263b83b1541ed671b120dfd660462e2107a4ee7b964e734a7bd68d90dda61770658a3c242948532da32648687e0318286473f675b412d6468f013f14d760a358dfcad3cda2afeec5e268a37d250c37f722f468a70dfd92d7294c3c1ee1e7f8843b7d16f9f37ef35748c3ae93aa155cdcdfeb4e78567303
60 Output = 22d850137b9eebe092b24f602dc5bb7918c16bd89ddbf20467b119d205f9c2e4bd7d2592cf1e532106e0f33557565923c73a02d4f09c0c22bea89148183e60317f7028b3aa1f261f91c979393101d7e15f4067e63979b32751658ef769610fe97cf9cef3278b3117d384051c3b1d82c251c2305418c8f6840530e631aad63e70e20e025bcd8efb54c92ec6d3b106a2f8e64eeff7d38495b0fc50c97138af4b1c0a67a1c4e27b077b8439332edfa8608dfeae653cd6a628ac550395f7e74390e42c11682234870925eeaa1fa71b76cf1f2ee3bda69f6717033ff8b7c95c9799e7a3bea5e7e4a1c359772fb6b1c6e6c516661dfe30c3
61
62+# The old FIPS provider doesn't include the workaround (#13817)
63+FIPSversion = >3.0.0
64 # invalid decrypting to message with length specified by second to last value from PRF
65 Decrypt = RSA-2048-2
66 Input = 1439e08c3f84c1a7fec74ce07614b20e01f6fa4e8c2a6cffdc3520d8889e5d9a950c6425798f85d4be38d300ea5695f13ecd4cb389d1ff5b82484b494d6280ab7fa78e645933981cb934cce8bfcd114cc0e6811eefa47aae20af638a1cd163d2d3366186d0a07df0c81f6c9f3171cf3561472e98a6006bf75ddb457bed036dcce199369de7d94ef2c68e8467ee0604eea2b3009479162a7891ba5c40cab17f49e1c438cb6eaea4f76ce23cce0e483ff0e96fa790ea15be67671814342d0a23f4a20262b6182e72f3a67cd289711503c85516a9ed225422f98b116f1ab080a80abd6f0216df88d8cfd67c139243be8dd78502a7aaf6bc99d7da71bcdf627e7354
67 Output = 0f9b
68
69+# The old FIPS provider doesn't include the workaround (#13817)
70+FIPSversion = >3.0.0
71 # invalid decrypting to message with length specified by third to last value from PRF
72 Decrypt = RSA-2048-2
73 Input = 1690ebcceece2ce024f382e467cf8510e74514120937978576caf684d4a02ad569e8d76cbe365a060e00779de2f0865ccf0d923de3b4783a4e2c74f422e2f326086c390b658ba47f31ab013aa80f468c71256e5fa5679b24e83cd82c3d1e05e398208155de2212993cd2b8bab6987cf4cc1293f19909219439d74127545e9ed8a706961b8ee2119f6bfacafbef91b75a789ba65b8b833bc6149cf49b5c4d2c6359f62808659ba6541e1cd24bf7f7410486b5103f6c0ea29334ea6f4975b17387474fe920710ea61568d7b7c0a7916acf21665ad5a31c4eabcde44f8fb6120d8457afa1f3c85d517cda364af620113ae5a3c52a048821731922737307f77a1081
74@@ -385,23 +393,31 @@ Decrypt = RSA-2048-2
75 Input = 1ea0b50ca65203d0a09280d39704b24fe6e47800189db5033f202761a78bafb270c5e25abd1f7ecc6e7abc4f26d1b0cd9b8c648d529416ee64ccbdd7aa72a771d0353262b543f0e436076f40a1095f5c7dfd10dcf0059ccb30e92dfa5e0156618215f1c3ff3aa997a9d999e506924f5289e3ac72e5e2086cc7b499d71583ed561028671155db4005bee01800a7cdbdae781dd32199b8914b5d4011dd6ff11cd26d46aad54934d293b0bc403dd211bf13b5a5c6836a5e769930f437ffd8634fb7371776f4bc88fa6c271d8aa6013df89ae6470154497c4ac861be2a1c65ebffec139bf7aaba3a81c7c5cdd84da9af5d3edfb957848074686b5837ecbcb6a41c50
76 Output = "lorem ipsum"
77
78+# The old FIPS provider doesn't include the workaround (#13817)
79+FIPSversion = >3.0.0
80 # a random negative test that generates an 11 byte long message
81 Decrypt = RSA-2048-2
82 Input = 5f02f4b1f46935c742ebe62b6f05aa0a3286aab91a49b34780adde6410ab46f7386e05748331864ac98e1da63686e4babe3a19ed40a7f5ceefb89179596aab07ab1015e03b8f825084dab028b6731288f2e511a4b314b6ea3997d2e8fe2825cef8897cbbdfb6c939d441d6e04948414bb69e682927ef8576c9a7090d4aad0e74c520d6d5ce63a154720f00b76de8cc550b1aa14f016d63a7b6d6eaa1f7dbe9e50200d3159b3d099c900116bf4eba3b94204f18b1317b07529751abf64a26b0a0bf1c8ce757333b3d673211b67cc0653f2fe2620d57c8b6ee574a0323a167eab1106d9bc7fd90d415be5f1e9891a0e6c709f4fc0404e8226f8477b4e939b36eb2
83 Output = af9ac70191c92413cb9f2d
84
85+# The old FIPS provider doesn't include the workaround (#13817)
86+FIPSversion = >3.0.0
87 # an otherwise correct plaintext, but with wrong first byte
88 # (0x01 instead of 0x00), generates a random 11 byte long plaintext
89 Decrypt = RSA-2048-2
90 Input = 9b2ec9c0c917c98f1ad3d0119aec6be51ae3106e9af1914d48600ab6a2c0c0c8ae02a2dc3039906ff3aac904af32ec798fd65f3ad1afa2e69400e7c1de81f5728f3b3291f38263bc7a90a0563e43ce7a0d4ee9c0d8a716621ca5d3d081188769ce1b131af7d35b13dea99153579c86db31fe07d5a2c14d621b77854e48a8df41b5798563af489a291e417b6a334c63222627376118c02c53b6e86310f728734ffc86ef9d7c8bf56c0c841b24b82b59f51aee4526ba1c4268506d301e4ebc498c6aebb6fd5258c876bf900bac8ca4d309dd522f6a6343599a8bc3760f422c10c72d0ad527ce4af1874124ace3d99bb74db8d69d2528db22c3a37644640f95c05f
91 Output = a1f8c9255c35cfba403ccc
92
93+# The old FIPS provider doesn't include the workaround (#13817)
94+FIPSversion = >3.0.0
95 # an otherwise correct plaintext, but with wrong second byte
96 # (0x01 instead of 0x02), generates a random 11 byte long plaintext
97 Decrypt = RSA-2048-2
98 Input = 782c2b59a21a511243820acedd567c136f6d3090c115232a82a5efb0b178285f55b5ec2d2bac96bf00d6592ea7cdc3341610c8fb07e527e5e2d20cfaf2c7f23e375431f45e998929a02f25fd95354c33838090bca838502259e92d86d568bc2cdb132fab2a399593ca60a015dc2bb1afcd64fef8a3834e17e5358d822980dc446e845b3ab4702b1ee41fe5db716d92348d5091c15d35a110555a35deb4650a5a1d2c98025d42d4544f8b32aa6a5e02dc02deaed9a7313b73b49b0d4772a3768b0ea0db5846ace6569cae677bf67fb0acf3c255dc01ec8400c963b6e49b1067728b4e563d7e1e1515664347b92ee64db7efb5452357a02fff7fcb7437abc2e579
99 Output = e6d700309ca0ed62452254
100
101+# The old FIPS provider doesn't include the workaround (#13817)
102+FIPSversion = >3.0.0
103 # an invalid ciphertext, with a zero byte in first byte of
104 # ciphertext, decrypts to a random 11 byte long synthethic
105 # plaintext
106@@ -409,6 +425,8 @@ Decrypt = RSA-2048-2
107 Input = 0096136621faf36d5290b16bd26295de27f895d1faa51c800dafce73d001d60796cd4e2ac3fa2162131d859cd9da5a0c8a42281d9a63e5f353971b72e36b5722e4ac444d77f892a5443deb3dca49fa732fe855727196e23c26eeac55eeced8267a209ebc0f92f4656d64a6c13f7f7ce544ebeb0f668fe3a6c0f189e4bcd5ea12b73cf63e0c8350ee130dd62f01e5c97a1e13f52fde96a9a1bc9936ce734fdd61f27b18216f1d6de87f49cf4f2ea821fb8efd1f92cdad529baf7e31aff9bff4074f2cad2b4243dd15a711adcf7de900851fbd6bcb53dac399d7c880531d06f25f7002e1aaf1722765865d2c2b902c7736acd27bc6cbd3e38b560e2eecf7d4b576
108 Output = ba27b1842e7c21c0e7ef6a
109
110+# The old FIPS provider doesn't include the workaround (#13817)
111+FIPSversion = >3.0.0
112 # an invalid ciphertext, with a zero byte removed from first byte of
113 # ciphertext, decrypts to a random 11 byte long synthethic
114 # plaintext
115@@ -416,6 +434,8 @@ Decrypt = RSA-2048-2
116 Input = 96136621faf36d5290b16bd26295de27f895d1faa51c800dafce73d001d60796cd4e2ac3fa2162131d859cd9da5a0c8a42281d9a63e5f353971b72e36b5722e4ac444d77f892a5443deb3dca49fa732fe855727196e23c26eeac55eeced8267a209ebc0f92f4656d64a6c13f7f7ce544ebeb0f668fe3a6c0f189e4bcd5ea12b73cf63e0c8350ee130dd62f01e5c97a1e13f52fde96a9a1bc9936ce734fdd61f27b18216f1d6de87f49cf4f2ea821fb8efd1f92cdad529baf7e31aff9bff4074f2cad2b4243dd15a711adcf7de900851fbd6bcb53dac399d7c880531d06f25f7002e1aaf1722765865d2c2b902c7736acd27bc6cbd3e38b560e2eecf7d4b576
117 Output = ba27b1842e7c21c0e7ef6a
118
119+# The old FIPS provider doesn't include the workaround (#13817)
120+FIPSversion = >3.0.0
121 # an invalid ciphertext, with two zero bytes in first bytes of
122 # ciphertext, decrypts to a random 11 byte long synthethic
123 # plaintext
124@@ -423,6 +443,8 @@ Decrypt = RSA-2048-2
125 Input = 0000587cccc6b264bdfe0dc2149a988047fa921801f3502ea64624c510c6033d2f427e3f136c26e88ea9f6519e86a542cec96aad1e5e9013c3cc203b6de15a69183050813af5c9ad79703136d4b92f50ce171eefc6aa7988ecf02f319ffc5eafd6ee7a137f8fce64b255bb1b8dd19cfe767d64fdb468b9b2e9e7a0c24dae03239c8c714d3f40b7ee9c4e59ac15b17e4d328f1100756bce17133e8e7493b54e5006c3cbcdacd134130c5132a1edebdbd01a0c41452d16ed7a0788003c34730d0808e7e14c797a21f2b45a8aa1644357fd5e988f99b017d9df37563a354c788dc0e2f9466045622fa3f3e17db63414d27761f57392623a2bef6467501c63e8d645
126 Output = d5cf555b1d6151029a429a
127
128+# The old FIPS provider doesn't include the workaround (#13817)
129+FIPSversion = >3.0.0
130 # an invalid ciphertext, with two zero bytes removed from first bytes of
131 # ciphertext, decrypts to a random 11 byte long synthethic
132 # plaintext
133@@ -430,24 +452,32 @@ Decrypt = RSA-2048-2
134 Input = 587cccc6b264bdfe0dc2149a988047fa921801f3502ea64624c510c6033d2f427e3f136c26e88ea9f6519e86a542cec96aad1e5e9013c3cc203b6de15a69183050813af5c9ad79703136d4b92f50ce171eefc6aa7988ecf02f319ffc5eafd6ee7a137f8fce64b255bb1b8dd19cfe767d64fdb468b9b2e9e7a0c24dae03239c8c714d3f40b7ee9c4e59ac15b17e4d328f1100756bce17133e8e7493b54e5006c3cbcdacd134130c5132a1edebdbd01a0c41452d16ed7a0788003c34730d0808e7e14c797a21f2b45a8aa1644357fd5e988f99b017d9df37563a354c788dc0e2f9466045622fa3f3e17db63414d27761f57392623a2bef6467501c63e8d645
135 Output = d5cf555b1d6151029a429a
136
137+# The old FIPS provider doesn't include the workaround (#13817)
138+FIPSversion = >3.0.0
139 # and invalid ciphertext, otherwise valid but starting with 000002, decrypts
140 # to random 11 byte long synthethic plaintext
141 Decrypt = RSA-2048-2
142 Input = 1786550ce8d8433052e01ecba8b76d3019f1355b212ac9d0f5191b023325a7e7714b7802f8e9a17c4cb3cd3a84041891471b10ca1fcfb5d041d34c82e6d0011cf4dc76b90e9c2e0743590579d55bcd7857057152c4a8040361343d1d22ba677d62b011407c652e234b1d663af25e2386251d7409190f19fc8ec3f9374fdf1254633874ce2ec2bff40ad0cb473f9761ec7b68da45a4bd5e33f5d7dac9b9a20821df9406b653f78a95a6c0ea0a4d57f867e4db22c17bf9a12c150f809a7b72b6db86c22a8732241ebf3c6a4f2cf82671d917aba8bc61052b40ccddd743a94ea9b538175106201971cca9d136d25081739aaf6cd18b2aecf9ad320ea3f89502f955
143 Output = 3d4a054d9358209e9cbbb9
144
145+# The old FIPS provider doesn't include the workaround (#13817)
146+FIPSversion = >3.0.0
147 # negative test with otherwise valid padding but a zero byte in first byte
148 # of padding
149 Decrypt = RSA-2048-2
150 Input = 179598823812d2c58a7eb50521150a48bcca8b4eb53414018b6bca19f4801456c5e36a940037ac516b0d6412ba44ec6b4f268a55ef1c5ffbf18a2f4e3522bb7b6ed89774b79bffa22f7d3102165565642de0d43a955e96a1f2e80e5430671d7266eb4f905dc8ff5e106dc5588e5b0289e49a4913940e392a97062616d2bda38155471b7d360cfb94681c702f60ed2d4de614ea72bf1c53160e63179f6c5b897b59492bee219108309f0b7b8cb2b136c346a5e98b8b4b8415fb1d713bae067911e3057f1c335b4b7e39101eafd5d28f0189037e4334f4fdb9038427b1d119a6702aa8233319cc97d496cc289ae8c956ddc84042659a2d43d6aa22f12b81ab884e
151 Output = 1f037dd717b07d3e7f7359
152
153+# The old FIPS provider doesn't include the workaround (#13817)
154+FIPSversion = >3.0.0
155 # negative test with otherwise valid padding but a zero byte at the eigth
156 # byte of padding
157 Decrypt = RSA-2048-2
158 Input = a7a340675a82c30e22219a55bc07cdf36d47d01834c1834f917f18b517419ce9de2a96460e745024436470ed85e94297b283537d52189c406a3f533cb405cc6a9dba46b482ce98b6e3dd52d8fce2237425617e38c11fbc46b61897ef200d01e4f25f5f6c4c5b38cd0de38ba11908b86595a8036a08a42a3d05b79600a97ac18ba368a08d6cf6ccb624f6e8002afc75599fba4de3d4f3ba7d208391ebe8d21f8282b18e2c10869eb2702e68f9176b42b0ddc9d763f0c86ba0ff92c957aaeab76d9ab8da52ea297ec11d92d770146faa1b300e0f91ef969b53e7d2907ffc984e9a9c9d11fb7d6cba91972059b46506b035efec6575c46d7114a6b935864858445f
159 Output = 63cb0bf65fc8255dd29e17
160
161+# The old FIPS provider doesn't include the workaround (#13817)
162+FIPSversion = >3.0.0
163 # negative test with an otherwise valid plaintext but with missing separator
164 # byte
165 Decrypt = RSA-2048-2
166@@ -501,6 +531,8 @@ PrivPubKeyPair = RSA-2049:RSA-2049-PUBLIC
167
168 # RSA decrypt
169
170+# The old FIPS provider doesn't include the workaround (#13817)
171+FIPSversion = >3.0.0
172 # malformed that generates length specified by 3rd last value from PRF
173 Decrypt = RSA-2049
174 Input = 00b26f6404b82649629f2704494282443776929122e279a9cf30b0c6fe8122a0a9042870d97cc8ef65490fe58f031eb2442352191f5fbc311026b5147d32df914599f38b825ebb824af0d63f2d541a245c5775d1c4b78630e4996cc5fe413d38455a776cf4edcc0aa7fccb31c584d60502ed2b77398f536e137ff7ba6430e9258e21c2db5b82f5380f566876110ac4c759178900fbad7ab70ea07b1daf7a1639cbb4196543a6cbe8271f35dddb8120304f6eef83059e1c5c5678710f904a6d760c4d1d8ad076be17904b9e69910040b47914a0176fb7eea0c06444a6c4b86d674d19a556a1de5490373cb01ce31bbd15a5633362d3d2cd7d4af1b4c5121288b894
175@@ -531,16 +563,22 @@ Decrypt = RSA-2049
176 Input = f36da3b72d8ff6ded74e7efd08c01908f3f5f0de7b55eab92b5f875190809c39d4162e1e6649618f854fd84aeab03970d16bb814e999852c06de38d82b95c0f32e2a7b5714021fe303389be9c0eac24c90a6b7210f929d390fabf903d44e04110bb7a7fd6c383c275804721efa6d7c93aa64c0bb2b18d97c5220a846c66a4895ae52adddbe2a9996825e013585adcec4b32ba61d782737bd343e5fabd68e8a95b8b1340318559860792dd70dffbe05a1052b54cbfb48cfa7bb3c19cea52076bddac5c25ee276f153a610f6d06ed696d192d8ae4507ffae4e5bdda10a625d6b67f32f7cffcd48dee2431fe66f6105f9d17e611cdcc674868e81692a360f4052
177 Output = "lorem ipsum"
178
179+# The old FIPS provider doesn't include the workaround (#13817)
180+FIPSversion = >3.0.0
181 # a random negative test case that generates an 11 byte long message
182 Decrypt = RSA-2049
183 Input = 00f910200830fc8fff478e99e145f1474b312e2512d0f90b8cef77f8001d09861688c156d1cbaf8a8957f7ebf35f724466952d0524cad48aad4fba1e45ce8ea27e8f3ba44131b7831b62d60c0762661f4c1d1a88cd06263a259abf1ba9e6b0b172069afb86a7e88387726f8ab3adb30bfd6b3f6be6d85d5dfd044e7ef052395474a9cbb1c3667a92780b43a22693015af6c513041bdaf87d43b24ddd244e791eeaea1066e1f4917117b3a468e22e0f7358852bb981248de4d720add2d15dccba6280355935b67c96f9dcb6c419cc38ab9f6fba2d649ef2066e0c34c9f788ae49babd9025fa85b21113e56ce4f43aa134c512b030dd7ac7ce82e76f0be9ce09ebca
184 Output = 1189b6f5498fd6df532b00
185
186+# The old FIPS provider doesn't include the workaround (#13817)
187+FIPSversion = >3.0.0
188 # otherwise correct plaintext, but with wrong first byte (0x01 instead of 0x00)
189 Decrypt = RSA-2049
190 Input = 002c9ddc36ba4cf0038692b2d3a1c61a4bb3786a97ce2e46a3ba74d03158aeef456ce0f4db04dda3fe062268a1711250a18c69778a6280d88e133a16254e1f0e30ce8dac9b57d2e39a2f7d7be3ee4e08aec2fdbe8dadad7fdbf442a29a8fb40857407bf6be35596b8eefb5c2b3f58b894452c2dc54a6123a1a38d642e23751746597e08d71ac92704adc17803b19e131b4d1927881f43b0200e6f95658f559f912c889b4cd51862784364896cd6e8618f485a992f82997ad6a0917e32ae5872eaf850092b2d6c782ad35f487b79682333c1750c685d7d32ab3e1538f31dcaa5e7d5d2825875242c83947308dcf63ba4bfff20334c9c140c837dbdbae7a8dee72ff
191 Output = f6d0f5b78082fe61c04674
192
193+# The old FIPS provider doesn't include the workaround (#13817)
194+FIPSversion = >3.0.0
195 # otherwise correct plaintext, but with wrong second byte (0x01 instead of 0x02)
196 Decrypt = RSA-2049
197 Input = 00c5d77826c1ab7a34d6390f9d342d5dbe848942e2618287952ba0350d7de6726112e9cebc391a0fae1839e2bf168229e3e0d71d4161801509f1f28f6e1487ca52df05c466b6b0a6fbbe57a3268a970610ec0beac39ec0fa67babce1ef2a86bf77466dc127d7d0d2962c20e66593126f276863cd38dc6351428f884c1384f67cad0a0ffdbc2af16711fb68dc559b96b37b4f04cd133ffc7d79c43c42ca4948fa895b9daeb853150c8a5169849b730cc77d68b0217d6c0e3dbf38d751a1998186633418367e7576530566c23d6d4e0da9b038d0bb5169ce40133ea076472d055001f0135645940fd08ea44269af2604c8b1ba225053d6db9ab43577689401bdc0f3
198@@ -603,17 +641,23 @@ ooCElYcob01/JWzoXl61Z5sdrMH5CVZJty5foHKusAN5AgMBAAE=
199
200 PrivPubKeyPair = RSA-3072:RSA-3072-PUBLIC
201
202+# The old FIPS provider doesn't include the workaround (#13817)
203+FIPSversion = >3.0.0
204 # a random invalid ciphertext that generates an empty synthethic one
205 Decrypt = RSA-3072
206 Input = 5e956cd9652f4a2ece902931013e09662b6a9257ad1e987fb75f73a0606df2a4b04789770820c2e02322c4e826f767bd895734a01e20609c3be4517a7a2a589ea1cdc137beb73eb38dac781b52e863de9620f79f9b90fd5b953651fcbfef4a9f1cc07421d511a87dd6942caab6a5a0f4df473e62defb529a7de1509ab99c596e1dff1320402298d8be73a896cc86c38ae3f2f576e9ea70cc28ad575cb0f854f0be43186baa9c18e29c47c6ca77135db79c811231b7c1730955887d321fdc06568382b86643cf089b10e35ab23e827d2e5aa7b4e99ff2e914f302351819eb4d1693243b35f8bf1d42d08f8ec4acafa35f747a4a975a28643ec630d8e4fa5be59d81995660a14bb64c1fea5146d6b11f92da6a3956dd5cb5e0d747cf2ea23f81617769185336263d46ef4c144b754de62a6337342d6c85a95f19f015724546ee3fc4823eca603dbc1dc01c2d5ed50bd72d8e96df2dc048edde0081284068283fc5e73a6139851abf2f29977d0b3d160c883a42a37efba1be05c1a0b1741d7ddf59
207 Output =
208
209+# The old FIPS provider doesn't include the workaround (#13817)
210+FIPSversion = >3.0.0
211 # a random invalid that has PRF output with a length one byte too long
212 # in the last value
213 Decrypt = RSA-3072
214 Input = 7db0390d75fcf9d4c59cf27b264190d856da9abd11e92334d0e5f71005cfed865a711dfa28b791188374b61916dbc11339bf14b06f5f3f68c206c5607380e13da3129bfb744157e1527dd6fdf6651248b028a496ae1b97702d44706043cdaa7a59c0f41367303f21f268968bf3bd2904db3ae5239b55f8b438d93d7db9d1666c071c0857e2ec37757463769c54e51f052b2a71b04c2869e9e7049a1037b8429206c99726f07289bac18363e7eb2a5b417f47c37a55090cda676517b3549c873f2fe95da9681752ec9864b069089a2ed2f340c8b04ee00079055a817a3355b46ac7dc00d17f4504ccfbcfcadb0c04cb6b22069e179385ae1eafabad5521bac2b8a8ee1dfff59a22eb3fdacfc87175d10d7894cfd869d056057dd9944b869c1784fcc27f731bc46171d39570fbffbadf082d33f6352ecf44aca8d9478e53f5a5b7c852b401e8f5f74da49da91e65bdc97765a9523b7a0885a6f8afe5759d58009fbfa837472a968e6ae92026a5e0202a395483095302d6c3985b5f5831c521a271
215 Output = 56a3bea054e01338be9b7d7957539c
216
217+# The old FIPS provider doesn't include the workaround (#13817)
218+FIPSversion = >3.0.0
219 # a random invalid that generates a synthethic of maximum size
220 Decrypt = RSA-3072
221 Input = 1715065322522dff85049800f6a29ab5f98c465020467414b2a44127fe9446da47fa18047900f99afe67c2df6f50160bb8e90bff296610fde632b3859d4d0d2e644f23835028c46cca01b84b88231d7e03154edec6627bcba23de76740d839851fa12d74c8f92e540c73fe837b91b7d699b311997d5f0f7864c486d499c3a79c111faaacbe4799597a25066c6200215c3d158f3817c1aa57f18bdaad0be1658da9da93f5cc6c3c4dd72788af57adbb6a0c26f42d32d95b8a4f95e8c6feb2f8a5d53b19a50a0b7cbc25e055ad03e5ace8f3f7db13e57759f67b65d143f08cca15992c6b2aae643390483de111c2988d4e76b42596266005103c8de6044fb7398eb3c28a864fa672de5fd8774510ff45e05969a11a4c7d3f343e331190d2dcf24fb9154ba904dc94af98afc5774a9617d0418fe6d13f8245c7d7626c176138dd698a23547c25f27c2b98ea4d8a45c7842b81888e4cc14e5b72e9cf91f56956c93dbf2e5f44a8282a7813157fc481ff1371a0f66b31797e81ebdb09a673d4db96d6
222@@ -644,43 +688,59 @@ Decrypt = RSA-3072
223 Input = 1ec97ac981dfd9dcc7a7389fdfa9d361141dac80c23a060410d472c16094e6cdffc0c3684d84aa402d7051dfccb2f6da33f66985d2a259f5b7fbf39ac537e95c5b7050eb18844a0513abef812cc8e74a3c5240009e6e805dcadf532bc1a2702d5acc9e585fad5b89d461fcc1397351cdce35171523758b171dc041f412e42966de7f94856477356d06f2a6b40e3ff0547562a4d91bbf1338e9e049facbee8b20171164505468cd308997447d3dc4b0acb49e7d368fedd8c734251f30a83491d2506f3f87318cc118823244a393dc7c5c739a2733d93e1b13db6840a9429947357f47b23fbe39b7d2d61e5ee26f9946c4632f6c4699e452f412a26641d4751135400713cd56ec66f0370423d55d2af70f5e7ad0adea8e4a0d904a01e4ac272eba4af1a029dd53eb71f115bf31f7a6c8b19a6523adeecc0d4c3c107575e38572a8f8474ccad163e46e2e8b08111132aa97a16fb588c9b7e37b3b3d7490381f3c55d1a9869a0fd42cd86fed59ecec78cb6b2dfd06a497f5afe3419691314ba0
224 Output = "forty two"
225
226+# The old FIPS provider doesn't include the workaround (#13817)
227+FIPSversion = >3.0.0
228 # a random negative test case that generates a 9 byte long message
229 Decrypt = RSA-3072
230 Input = 5c8555f5cef627c15d37f85c7f5fd6e499264ea4b8e3f9112023aeb722eb38d8eac2be3751fd5a3785ab7f2d59fa3728e5be8c3de78a67464e30b21ee23b5484bb3cd06d0e1c6ad25649c8518165653eb80488bfb491b20c04897a6772f69292222fc5ef50b5cf9efc6d60426a449b6c489569d48c83488df629d695653d409ce49a795447fcec2c58a1a672e4a391401d428baaf781516e11e323d302fcf20f6eab2b2dbe53a48c987e407c4d7e1cb41131329138313d330204173a4f3ff06c6fadf970f0ed1005d0b27e35c3d11693e0429e272d583e57b2c58d24315c397856b34485dcb077665592b747f889d34febf2be8fce66c265fd9fc3575a6286a5ce88b4b413a08efc57a07a8f57a999605a837b0542695c0d189e678b53662ecf7c3d37d9dbeea585eebfaf79141118e06762c2381fe27ca6288edddc19fd67cd64f16b46e06d8a59ac530f22cd83cc0bc4e37feb52015cbb2283043ccf5e78a4eb7146827d7a466b66c8a4a4826c1bad68123a7f2d00fc1736525ff90c058f56
231 Output = 257906ca6de8307728
232
233+# The old FIPS provider doesn't include the workaround (#13817)
234+FIPSversion = >3.0.0
235 # a random negative test case that generates a 9 byte long message based on
236 # second to last value from PRF
237 Decrypt = RSA-3072
238 Input = 758c215aa6acd61248062b88284bf43c13cb3b3d02410be4238607442f1c0216706e21a03a2c10eb624a63322d854da195c017b76fea83e274fa371834dcd2f3b7accf433fc212ad76c0bac366e1ed32e25b279f94129be7c64d6e162adc08ccebc0cfe8e926f01c33ab9c065f0e0ac83ae5137a4cb66702615ad68a35707d8676d2740d7c1a954680c83980e19778ed11eed3a7c2dbdfc461a9bbef671c1bc00c882d361d29d5f80c42bdf5efec886c34138f83369c6933b2ac4e93e764265351b4a0083f040e14f511f09b22f96566138864e4e6ff24da4810095da98e0585410951538ced2f757a277ff8e17172f06572c9024eeae503f176fd46eb6c5cd9ba07af11cde31dccac12eb3a4249a7bfd3b19797ad1656984bfcbf6f74e8f99d8f1ac420811f3d166d87f935ef15ae858cf9e72c8e2b547bf16c3fb09a8c9bf88fd2e5d38bf24ed610896131a84df76b9f920fe76d71fff938e9199f3b8cd0c11fd0201f9139d7673a871a9e7d4adc3bbe360c8813617cd60a90128fbe34c9d5
239 Output = 043383c929060374ed
240
241+# The old FIPS provider doesn't include the workaround (#13817)
242+FIPSversion = >3.0.0
243 # a random negative test that generates message based on 3rd last value from
244 # PRF
245 Decrypt = RSA-3072
246 Input = 7b22d5e62d287968c6622171a1f75db4b0fd15cdf3134a1895d235d56f8d8fe619f2bf4868174a91d7601a82975d2255190d28b869141d7c395f0b8c4e2be2b2c1b4ffc12ce749a6f6803d4cfe7fba0a8d6949c04151f981c0d84592aa2ff25d1bd3ce5d10cb03daca6b496c6ad40d30bfa8acdfd02cdb9326c4bdd93b949c9dc46caa8f0e5f429785bce64136a429a3695ee674b647452bea1b0c6de9c5f1e8760d5ef6d5a9cfff40457b023d3c233c1dcb323e7808103e73963b2eafc928c9eeb0ee3294955415c1ddd9a1bb7e138fecd79a3cb89c57bd2305524624814aaf0fd1acbf379f7f5b39421f12f115ba488d380586095bb53f174fae424fa4c8e3b299709cd344b9f949b1ab57f1c645d7ed3c8f81d5594197355029fee8960970ff59710dc0e5eb50ea6f4c3938e3f89ed7933023a2c2ddffaba07be147f686828bd7d520f300507ed6e71bdaee05570b27bc92741108ac2eb433f028e138dd6d63067bc206ea2d826a7f41c0d613daed020f0f30f4e272e9618e0a8c39018a83
247 Output = 70263fa6050534b9e0
248
249+# The old FIPS provider doesn't include the workaround (#13817)
250+FIPSversion = >3.0.0
251 # an otherwise valid plaintext, but with wrong first byte (0x01 instead of 0x00)
252 Decrypt = RSA-3072
253 Input = 6db80adb5ff0a768caf1378ecc382a694e7d1bde2eff4ba12c48aaf794ded7a994a5b2b57acec20dbec4ae385c9dd531945c0f197a5496908725fc99d88601a17d3bb0b2d38d2c1c3100f39955a4cb3dbed5a38bf900f23d91e173640e4ec655c84fdfe71fcdb12a386108fcf718c9b7af37d39703e882436224c877a2235e8344fba6c951eb7e2a4d1d1de81fb463ac1b880f6cc0e59ade05c8ce35179ecd09546731fc07b141d3d6b342a97ae747e61a9130f72d37ac5a2c30215b6cbd66c7db893810df58b4c457b4b54f34428247d584e0fa71062446210db08254fb9ead1ba1a393c724bd291f0cf1a7143f32df849051dc896d7d176fef3b57ab6dffd626d0c3044e9edb2e3d012ace202d2581df01bec7e9aa0727a6650dd373d374f0bc0f4a611f8139dfe97d63e70c6188f4df5b672e47c51d8aa567097293fbff127c75ec690b43407578b73c85451710a0cece58fd497d7f7bd36a8a92783ef7dc6265dff52aac8b70340b996508d39217f2783ce6fc91a1cc94bb2ac487b84f62
254 Output = 6d8d3a094ff3afff4c
255
256+# The old FIPS provider doesn't include the workaround (#13817)
257+FIPSversion = >3.0.0
258 # an otherwise valid plaintext, but with wrong second byte (0x01 instead of 0x02)
259 Decrypt = RSA-3072
260 Input = 417328c034458563079a4024817d0150340c34e25ae16dcad690623f702e5c748a6ebb3419ff48f486f83ba9df35c05efbd7f40613f0fc996c53706c30df6bba6dcd4a40825f96133f3c21638a342bd4663dffbd0073980dac47f8c1dd8e97ce1412e4f91f2a8adb1ac2b1071066efe8d718bbb88ca4a59bd61500e826f2365255a409bece0f972df97c3a55e09289ef5fa815a2353ef393fd1aecfc888d611c16aec532e5148be15ef1bf2834b8f75bb26db08b66d2baad6464f8439d1986b533813321dbb180080910f233bcc4dd784fb21871aef41be08b7bfad4ecc3b68f228cb5317ac6ec1227bc7d0e452037ba918ee1da9fdb8393ae93b1e937a8d4691a17871d5092d2384b6190a53df888f65b951b05ed4ad57fe4b0c6a47b5b22f32a7f23c1a234c9feb5d8713d949686760680da4db454f4acad972470033472b9864d63e8d23eefc87ebcf464ecf33f67fbcdd48eab38c5292586b36aef5981ed2fa07b2f9e23fc57d9eb71bfff4111c857e9fff23ceb31e72592e70c874b4936
261 Output = c6ae80ffa80bc184b0
262
263+# The old FIPS provider doesn't include the workaround (#13817)
264+FIPSversion = >3.0.0
265 # an otherwise valid plaintext, but with zero byte in first byte of padding
266 Decrypt = RSA-3072
267 Input = 8542c626fe533467acffcd4e617692244c9b5a3bf0a215c5d64891ced4bf4f9591b4b2aedff9843057986d81631b0acb3704ec2180e5696e8bd15b217a0ec36d2061b0e2182faa3d1c59bd3f9086a10077a3337a3f5da503ec3753535ffd25b837a12f2541afefd0cffb0224b8f874e4bed13949e105c075ed44e287c5ae03b155e06b90ed247d2c07f1ef3323e3508cce4e4074606c54172ad74d12f8c3a47f654ad671104bf7681e5b061862747d9afd37e07d8e0e2291e01f14a95a1bb4cbb47c304ef067595a3947ee2d722067e38a0f046f43ec29cac6a8801c6e3e9a2331b1d45a7aa2c6af3205be382dd026e389614ee095665a611ab2e8dced2ee1c9d08ac9de11aef5b3803fc9a9ce8231ec87b5fed386fb92ee3db995a89307bcba844bd0a691c29ae51216e949dfc813133cb06a07265fd807bcb3377f6adb0a481d9b7f442003115895939773e6b95371c4febef29edae946fa245e7c50729e2e558cfaad773d1fd5f67b457a6d9d17a847c6fcbdb103a86f35f228cefc06cea0
268 Output = a8a9301daa01bb25c7
269
270+# The old FIPS provider doesn't include the workaround (#13817)
271+FIPSversion = >3.0.0
272 # an otherwise valid plaintext, but with zero byte in eight byte of padding
273 Decrypt = RSA-3072
274 Input = 449dfa237a70a99cb0351793ec8677882021c2aa743580bf6a0ea672055cffe8303ac42855b1d1f3373aae6af09cb9074180fc963e9d1478a4f98b3b4861d3e7f0aa8560cf603711f139db77667ca14ba3a1acdedfca9ef4603d6d7eb0645bfc805304f9ad9d77d34762ce5cd84bd3ec9d35c30e3be72a1e8d355d5674a141b5530659ad64ebb6082e6f73a80832ab6388912538914654d34602f4b3b1c78589b4a5d964b2efcca1dc7004c41f6cafcb5a7159a7fc7c0398604d0edbd4c8f4f04067da6a153a05e7cbeea13b5ee412400ef7d4f3106f4798da707ec37a11286df2b7a204856d5ff773613fd1e453a7114b78e347d3e8078e1cb3276b3562486ba630bf719697e0073a123c3e60ebb5c7a1ccff4279faffa2402bc1109f8d559d6766e73591943dfcf25ba10c3762f02af85187799b8b4b135c3990793a6fd32642f1557405ba55cc7cf7336a0e967073c5fa50743f9cc5e3017c172d9898d2af83345e71b3e0c22ab791eacb6484a32ec60ebc226ec9deaee91b1a0560c2b571
275 Output = 6c716fe01d44398018
276
277+# The old FIPS provider doesn't include the workaround (#13817)
278+FIPSversion = >3.0.0
279 # an otherwise valid plaintext, but with null separator missing
280 Decrypt = RSA-3072
281 Input = a7a5c99e50da48769ecb779d9abe86ef9ec8c38c6f43f17c7f2d7af608a4a1bd6cf695b47e97c191c61fb5a27318d02f495a176b9fae5a55b5d3fabd1d8aae4957e3879cb0c60f037724e11be5f30f08fc51c033731f14b44b414d11278cd3dba7e1c8bfe208d2b2bb7ec36366dacb6c88b24cd79ab394adf19dbbc21dfa5788bacbadc6a62f79cf54fd8cf585c615b5c0eb94c35aa9de25321c8ffefb8916bbaa2697cb2dd82ee98939df9b6704cee77793edd2b4947d82e00e5749664970736c59a84197bd72b5c71e36aae29cd39af6ac73a368edbc1ca792e1309f442aafcd77c992c88f8e4863149f221695cb7b0236e75b2339a02c4ea114854372c306b9412d8eedb600a31532002f2cea07b4df963a093185e4607732e46d753b540974fb5a5c3f9432df22e85bb17611370966c5522fd23f2ad3484341ba7fd8885fc8e6d379a611d13a2aca784fba2073208faad2137bf1979a0fa146c1880d4337db3274269493bab44a1bcd0681f7227ffdf589c2e925ed9d36302509d1109ba4
282--
2832.34.1
284
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-6.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-6.patch
new file mode 100644
index 0000000000..75e1df4bba
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-6.patch
@@ -0,0 +1,57 @@
1From 455db0c94c0b83083ce8b792982c03aa56fc866f Mon Sep 17 00:00:00 2001
2From: Hubert Kario <hkario@redhat.com>
3Date: Tue, 22 Nov 2022 17:42:11 +0100
4Subject: [PATCH] rsa: add test for the option to disable implicit rejection
5
6CVE: CVE-2023-50781
7
8Upstream-Status: Backport [https://github.com/openssl/openssl/commit/455db0c94c0b83083ce8b792982c03aa56fc866f]
9
10Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
11Reviewed-by: Tim Hudson <tjh@openssl.org>
12Reviewed-by: Tomas Mraz <tomas@openssl.org>
13(Merged from https://github.com/openssl/openssl/pull/13817)
14Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
15---
16 .../30-test_evp_data/evppkey_rsa_common.txt | 18 ++++++++++++++++++
17 1 file changed, 18 insertions(+)
18
19diff --git a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
20index 0ad654fc60..a3d01eec45 100644
21--- a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
22+++ b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
23@@ -253,6 +253,14 @@ Decrypt = RSA-2048
24 Input = 550AF55A2904E7B9762352F8FB7FA235A9CB053AACB2D5FCB8CA48453CB2EE3619746C701ABF2D4CC67003471A187900B05AA812BD25ED05C675DFC8C97A24A7BF49BD6214992CAD766D05A9A2B57B74F26A737E0237B8B76C45F1F226A836D7CFBC75BA999BDBE48DBC09227AA46C88F21DCCBA7840141AD5A5D71FD122E6BD6AC3E564780DFE623FC1CA9B995A6037BF0BBD43B205A84AC5444F34202C05CE9113087176432476576DE6FFFF9A52EA57C08BE3EC2F49676CB8E12F762AC71FA3C321E00AC988910C85FF52F93825666CE0D40FFAA0592078919D4493F46D95CCF76364C6D57760DD0B64805F9AFC76A2365A5575CA301D5103F0EA76CB9A78
25 Output = "Hello World"
26
27+# The old FIPS provider doesn't include the workaround (#13817)
28+FIPSversion = >3.0.0
29+# Note: disable the Bleichenbacher workaround to see if it passes
30+Decrypt = RSA-2048
31+Ctrl = rsa_pkcs1_implicit_rejection:0
32+Input = 550AF55A2904E7B9762352F8FB7FA235A9CB053AACB2D5FCB8CA48453CB2EE3619746C701ABF2D4CC67003471A187900B05AA812BD25ED05C675DFC8C97A24A7BF49BD6214992CAD766D05A9A2B57B74F26A737E0237B8B76C45F1F226A836D7CFBC75BA999BDBE48DBC09227AA46C88F21DCCBA7840141AD5A5D71FD122E6BD6AC3E564780DFE623FC1CA9B995A6037BF0BBD43B205A84AC5444F34202C05CE9113087176432476576DE6FFFF9A52EA57C08BE3EC2F49676CB8E12F762AC71FA3C321E00AC988910C85FF52F93825666CE0D40FFAA0592078919D4493F46D95CCF76364C6D57760DD0B64805F9AFC76A2365A5575CA301D5103F0EA76CB9A78
33+Output = "Hello World"
34+
35 # The old FIPS provider doesn't include the workaround (#13817)
36 FIPSversion = >3.0.0
37 # Corrupted ciphertext
38@@ -261,6 +269,16 @@ Decrypt = RSA-2048
39 Input = 550AF55A2904E7B9762352F8FB7FA235A9CB053AACB2D5FCB8CA48453CB2EE3619746C701ABF2D4CC67003471A187900B05AA812BD25ED05C675DFC8C97A24A7BF49BD6214992CAD766D05A9A2B57B74F26A737E0237B8B76C45F1F226A836D7CFBC75BA999BDBE48DBC09227AA46C88F21DCCBA7840141AD5A5D71FD122E6BD6AC3E564780DFE623FC1CA9B995A6037BF0BBD43B205A84AC5444F34202C05CE9113087176432476576DE6FFFF9A52EA57C08BE3EC2F49676CB8E12F762AC71FA3C321E00AC988910C85FF52F93825666CE0D40FFAA0592078919D4493F46D95CCF76364C6D57760DD0B64805F9AFC76A2365A5575CA301D5103F0EA76CB9A79
40 Output = 4cbb988d6a46228379132b0b5f8c249b3860043848c93632fb982c807c7c82fffc7a9ef83f4908f890373ac181ffea6381e103bcaa27e65638b6ecebef38b59ed4226a9d12af675cfcb634d8c40e7a7aff
41
42+# The old FIPS provider doesn't include the workaround (#13817)
43+FIPSversion = >3.0.0
44+# Corrupted ciphertext
45+# Note: disable the Bleichenbacher workaround to see if it fails
46+Decrypt = RSA-2048
47+Ctrl = rsa_pkcs1_implicit_rejection:0
48+Input = 550AF55A2904E7B9762352F8FB7FA235A9CB053AACB2D5FCB8CA48453CB2EE3619746C701ABF2D4CC67003471A187900B05AA812BD25ED05C675DFC8C97A24A7BF49BD6214992CAD766D05A9A2B57B74F26A737E0237B8B76C45F1F226A836D7CFBC75BA999BDBE48DBC09227AA46C88F21DCCBA7840141AD5A5D71FD122E6BD6AC3E564780DFE623FC1CA9B995A6037BF0BBD43B205A84AC5444F34202C05CE9113087176432476576DE6FFFF9A52EA57C08BE3EC2F49676CB8E12F762AC71FA3C321E00AC988910C85FF52F93825666CE0D40FFAA0592078919D4493F46D95CCF76364C6D57760DD0B64805F9AFC76A2365A5575CA301D5103F0EA76CB9A79
49+Output = "Hello World"
50+Result = KEYOP_ERROR
51+
52 # OAEP padding
53 Decrypt = RSA-2048
54 Ctrl = rsa_padding_mode:oaep
55--
562.34.1
57
diff --git a/meta/recipes-connectivity/openssl/openssl_3.0.17.bb b/meta/recipes-connectivity/openssl/openssl_3.0.17.bb
index ee0ab2e498..a50bd2edbf 100644
--- a/meta/recipes-connectivity/openssl/openssl_3.0.17.bb
+++ b/meta/recipes-connectivity/openssl/openssl_3.0.17.bb
@@ -13,7 +13,13 @@ SRC_URI = "https://github.com/openssl/openssl/releases/download/openssl-${PV}/op
13 file://afalg.patch \ 13 file://afalg.patch \
14 file://0001-Configure-do-not-tweak-mips-cflags.patch \ 14 file://0001-Configure-do-not-tweak-mips-cflags.patch \
15 file://CVE-2024-41996.patch \ 15 file://CVE-2024-41996.patch \
16 " 16 file://CVE-2023-50781-1.patch \
17 file://CVE-2023-50781-2.patch \
18 file://CVE-2023-50781-3.patch \
19 file://CVE-2023-50781-4.patch \
20 file://CVE-2023-50781-5.patch \
21 file://CVE-2023-50781-6.patch \
22 "
17 23
18SRC_URI:append:class-nativesdk = " \ 24SRC_URI:append:class-nativesdk = " \
19 file://environment.d-openssl.sh \ 25 file://environment.d-openssl.sh \