Hello community,
here is the log from the commit of package openssl-1_0_0 for openSUSE:Factory
checked in at 2017-07-07 10:15:17
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openssl-1_0_0 (Old)
and /work/SRC/openSUSE:Factory/.openssl-1_0_0.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openssl-1_0_0"
Fri Jul 7 10:15:17 2017 rev:4 rq:508256 version:1.0.2l
Changes:
--------
--- /work/SRC/openSUSE:Factory/openssl-1_0_0/openssl-1_0_0.changes
2017-06-27 10:19:47.307778558 +0200
+++ /work/SRC/openSUSE:Factory/.openssl-1_0_0.new/openssl-1_0_0.changes
2017-07-07 10:15:21.736206236 +0200
@@ -1,0 +2,36 @@
+Tue Jul 4 09:24:55 UTC 2017 - vci...@suse.com
+
+- Don't run FIPS power-up self-tests when the checksum files aren't
+ installed (bsc#1042392, boo#1038906)
+ * add openssl-fips-run_selftests_only_when_module_is_complete.patch
+- AES XTS key parts must not be identical in FIPS mode (bsc#1019637)
+ * add openssl-fips-xts_nonidentical_key_parts.patch
+- Allow runtime switching of s390x capabilities via OPENSSL_s390xcap
+ environmental variable (bsc#1028723)
+ * add openssl-fips-OPENSSL_s390xcap.patch
+
+-------------------------------------------------------------------
+Tue Jul 4 09:24:51 UTC 2017 - vci...@suse.com
+
+- remove DES-CBC3-SHA based ciphers from DEFAULT_SUSE (bsc#1027908)
+ * update patches:
+ openssl-1.0.1e-add-suse-default-cipher.patch
+ openssl-1.0.1e-add-test-suse-default-cipher-suite.patch
+- s_client sent empty client certificate (bsc#1028281)
+ Add back certificate initialization set_cert_key_stuff()
+ which was removed by openssl-1.0.2a-default-paths.patch
+ * modified openssl-1.0.2a-default-paths.patch
+
+-------------------------------------------------------------------
+Tue Jul 4 09:24:48 UTC 2017 - vci...@suse.com
+
+- package FIPS CAVS testing tools (bsc#1027688)
+ * add openssl-fips_add_cavs_tests.patch
+- FIPS CAVS: Add AES keywrap (KWVS) test tool (bsc#1044095)
+ * add openssl-fips_cavs_aes_keywrap.patch
+- Fix CAVS testing padding issue with RSA d values (bsc#1044107)
+ * add openssl-fips_cavs_pad_with_zeroes.patch from Pedro Monreal
+- FIPS CAVS: allow fips_* tools to run in FIPS mode (bnc#902364)
+ * added openssl-fips_cavs_helpers_run_in_fips_mode.patch
+
+-------------------------------------------------------------------
New:
----
openssl-fips-OPENSSL_s390xcap.patch
openssl-fips-run_selftests_only_when_module_is_complete.patch
openssl-fips-xts_nonidentical_key_parts.patch
openssl-fips_add_cavs_tests.patch
openssl-fips_cavs_aes_keywrap.patch
openssl-fips_cavs_helpers_run_in_fips_mode.patch
openssl-fips_cavs_pad_with_zeroes.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ openssl-1_0_0.spec ++++++
--- /var/tmp/diff_new_pack.EGDZw8/_old 2017-07-07 10:15:23.211997412 +0200
+++ /var/tmp/diff_new_pack.EGDZw8/_new 2017-07-07 10:15:23.215996847 +0200
@@ -83,6 +83,13 @@
Patch59: openssl-fips-dont-fall-back-to-default-digest.patch
Patch61: openssl-fipslocking.patch
Patch63: openssl-randfile_fread_interrupt.patch
+Patch70: openssl-fips-xts_nonidentical_key_parts.patch
+Patch71: openssl-fips_add_cavs_tests.patch
+Patch73: openssl-fips-OPENSSL_s390xcap.patch
+Patch74: openssl-fips_cavs_helpers_run_in_fips_mode.patch
+Patch75: openssl-fips_cavs_pad_with_zeroes.patch
+Patch76: openssl-fips_cavs_aes_keywrap.patch
+Patch77: openssl-fips-run_selftests_only_when_module_is_complete.patch
# steam patches
Patch100: openssl-fix-cpuid_setup.patch
BuildRequires: bc
@@ -231,6 +238,13 @@
%patch59 -p1
%patch61 -p1
%patch63 -p1
+%patch70 -p1
+%patch71 -p1
+%patch73 -p1
+%patch74 -p1
+%patch75 -p1
+%patch76 -p1
+%patch77 -p1
cp -p %{SOURCE10} .
cp -p %{SOURCE11} .
++++++ openssl-1.0.1e-add-suse-default-cipher.patch ++++++
--- /var/tmp/diff_new_pack.EGDZw8/_old 2017-07-07 10:15:23.347978172 +0200
+++ /var/tmp/diff_new_pack.EGDZw8/_new 2017-07-07 10:15:23.347978172 +0200
@@ -31,7 +31,7 @@
+
+# define SSL_DEFAULT_SUSE_CIPHER_LIST
"ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"\
+
"DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:"\
-+
"AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:DES-CBC3-SHA"
++
"AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA"
/*
* As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
* starts with a reasonable order, and all we have to do for DEFAULT is
++++++ openssl-1.0.1e-add-test-suse-default-cipher-suite.patch ++++++
--- /var/tmp/diff_new_pack.EGDZw8/_old 2017-07-07 10:15:23.359976474 +0200
+++ /var/tmp/diff_new_pack.EGDZw8/_new 2017-07-07 10:15:23.363975907 +0200
@@ -17,7 +17,7 @@
+done
+
+echo "Testing if MD5, DES and RC4 are excluded from DEFAULT_SUSE cipher suite"
-+../util/shlib_wrap.sh ../apps/openssl ciphers DEFAULT_SUSE| grep
"MD5\|RC4\|DES-[^CBC3]"
++../util/shlib_wrap.sh ../apps/openssl ciphers DEFAULT_SUSE| grep
"MD5\|RC4\|DES"
+
+if [ $? -ne 1 ];then
+ echo "weak ciphers are present on DEFAULT_SUSE cipher suite"
++++++ openssl-1.0.2a-default-paths.patch ++++++
--- /var/tmp/diff_new_pack.EGDZw8/_old 2017-07-07 10:15:23.375974210 +0200
+++ /var/tmp/diff_new_pack.EGDZw8/_new 2017-07-07 10:15:23.379973644 +0200
@@ -1,18 +1,3 @@
-Index: openssl-1.0.2b/apps/s_client.c
-===================================================================
---- openssl-1.0.2b.orig/apps/s_client.c 2015-06-11 17:28:32.039203737
+0200
-+++ openssl-1.0.2b/apps/s_client.c 2015-06-11 17:39:40.138741521 +0200
-@@ -1346,10 +1346,6 @@ int MAIN(int argc, char **argv)
- ERR_print_errors(bio_err);
- }
-
-- ssl_ctx_add_crls(ctx, crls, crl_download);
-- if (!set_cert_key_stuff(ctx, cert, key, chain, build_chain))
-- goto end;
--
- #ifndef OPENSSL_NO_TLSEXT
- if (servername != NULL) {
- tlsextcbp.biodebug = bio_err;
Index: openssl-1.0.2b/apps/s_server.c
===================================================================
--- openssl-1.0.2b.orig/apps/s_server.c 2015-06-11 17:28:04.879854931
+0200
++++++ openssl-fips-OPENSSL_s390xcap.patch ++++++
++++ 1312 lines (skipped)
++++++ openssl-fips-run_selftests_only_when_module_is_complete.patch ++++++
Index: openssl-1.0.2j/crypto/fips/fips.c
===================================================================
--- openssl-1.0.2j.orig/crypto/fips/fips.c 2017-05-12 15:51:59.258797863
+0200
+++ openssl-1.0.2j/crypto/fips/fips.c 2017-06-20 19:57:12.649510712 +0200
@@ -421,15 +421,15 @@ int FIPS_module_mode_set(int onoff, cons
}
# endif
- if (!FIPS_selftest()) {
+ if (!verify_checksums()) {
+ FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,
+ FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
fips_selftest_fail = 1;
ret = 0;
goto end;
}
- if (!verify_checksums()) {
- FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,
- FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
+ if (!FIPS_selftest()) {
fips_selftest_fail = 1;
ret = 0;
goto end;
++++++ openssl-fips-xts_nonidentical_key_parts.patch ++++++
Index: openssl-1.0.2j/crypto/evp/e_aes.c
===================================================================
--- openssl-1.0.2j.orig/crypto/evp/e_aes.c 2017-02-16 17:20:41.647972394
+0100
+++ openssl-1.0.2j/crypto/evp/e_aes.c 2017-02-17 17:05:29.251130889 +0100
@@ -177,6 +177,26 @@ void AES_xts_decrypt(const char *inp, ch
# define HWAES_ctr32_encrypt_blocks aes_p8_ctr32_encrypt_blocks
# endif
+static int xts_check_key(const unsigned char *key, unsigned int key_len)
+{
+ /*
+ * key consists of two keys of equal size concatenated,
+ * therefore the length must be even
+ */
+ if (key_len % 2)
+ return 0;
+
+# ifdef OPENSSL_FIPS
+ /* FIPS 140-2 IG A.9 mandates that the key parts mustn't match */
+ if (FIPS_module_mode() &&
+ CRYPTO_memcmp(key, key + (key_len / 2), key_len / 2) == 0) {
+ return 0;
+ }
+# endif
+
+ return 1;
+}
+
# if defined(AES_ASM) && !defined(I386_ONLY) && ( \
((defined(__i386) || defined(__i386__) || \
defined(_M_IX86)) && defined(OPENSSL_IA32_SSE2))|| \
@@ -387,6 +407,9 @@ static int aesni_xts_init_key(EVP_CIPHER
return 1;
if (key) {
+ if (xts_check_key(key, ctx->key_len) == 0)
+ return 0;
+
/* key_len is two AES keys */
if (enc) {
aesni_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1.ks);
@@ -707,6 +730,9 @@ static int aes_t4_xts_init_key(EVP_CIPHE
return 1;
if (key) {
+ if (xts_check_key(key, ctx->key_len) == 0)
+ return 0;
+
int bits = ctx->key_len * 4;
xctx->stream = NULL;
/* key_len is two AES keys */
@@ -1650,7 +1676,10 @@ static int aes_xts_init_key(EVP_CIPHER_C
if (!iv && !key)
return 1;
- if (key)
+ if (key) {
+ if (xts_check_key(key, ctx->key_len) == 0)
+ return 0;
+
do {
# ifdef AES_XTS_ASM
xctx->stream = enc ? AES_xts_encrypt : AES_xts_decrypt;
@@ -1719,6 +1748,7 @@ static int aes_xts_init_key(EVP_CIPHER_C
xctx->xts.key1 = &xctx->ks1;
} while (0);
+ }
if (iv) {
xctx->xts.key2 = &xctx->ks2;
++++++ openssl-fips_add_cavs_tests.patch ++++++
++++ 10654 lines (skipped)
++++++ openssl-fips_cavs_aes_keywrap.patch ++++++
Index: openssl-1.0.2j/crypto/fips/fips_kwvs.c
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ openssl-1.0.2j/crypto/fips/fips_kwvs.c 2017-05-12 14:14:26.561672018
+0200
@@ -0,0 +1,137 @@
+/*
+ * Crude test driver for processing the VST and MCT testvector files
+ * generated by the CMVP RNGVS product.
+ *
+ * Note the input files are assumed to have a _very_ specific format
+ * as described in the NIST document "The Random Number Generator
+ * Validation System (RNGVS)", May 25, 2004.
+ *
+ */
+#include <openssl/opensslconf.h>
+
+#include <openssl/bn.h>
+#include <openssl/fips.h>
+#include <openssl/err.h>
+#include <openssl/modes.h>
+#include <string.h>
+#include <ctype.h>
+
+#include "fips_utl.h"
+
+void die(char *mes)
+{
+ fprintf(stderr, mes);
+ exit(1);
+}
+
+void process(char *req, char *rsp)
+{
+ char buf[2048], lbuf[2048];
+ unsigned char result[2048];
+ unsigned char *K = NULL;
+ unsigned char *P = NULL;
+ unsigned char *C = NULL;
+ unsigned plaintext_len, ciphertext_len;
+ unsigned key_len;
+ char *end;
+ AES_KEY aes_key;
+ char *keyword, *value;
+ long l;
+ int length;
+ int inverse = 0;
+ block128_f f;
+
+ FILE *in = fopen(req, "r");
+ FILE *out = fopen(rsp, "w");
+
+ if (!in || !out) {
+ die("Can't open input or output file\n");
+ }
+
+ while(fgets(buf, sizeof(buf), in) != NULL)
+ {
+ fputs(buf,out);
+
+ if (!parse_line(&keyword, &value, lbuf, buf)) {
+ /* might be a header, check if inverse cipher function is
requested */
+ if(strstr(buf, "inverse")) {
+ inverse = 1;
+ }
+ continue;
+ }
+
+ if(!strcmp(keyword, "[PLAINTEXT LENGTH"))
+ {
+ end = value + strlen(value) - 1;
+ /* remove trailing ] */
+ if (*end == ']')
+ *end = 0;
+ plaintext_len = atoi(value) / 8;
+ ciphertext_len = plaintext_len + 8;
+ }
+ /* key */
+ else if(!strcmp(keyword, "K"))
+ {
+ K = hex2bin_m(value, &l);
+ key_len = strlen(value) / 2;
+ }
+ /* plaintext */
+ else if(!strcmp(keyword, "P"))
+ {
+ /* Wrap, we have a key and a plaintext */
+ P = hex2bin_m(value, &l);
+ if (inverse) {
+ if (AES_set_decrypt_key(K, key_len*8, &aes_key))
+ die("Can't set AES decrypt key.\n");
+ f = (block128_f)AES_decrypt;
+ } else {
+ if (AES_set_encrypt_key(K, key_len*8, &aes_key))
+ die("Can't set AES encrypt key.\n");
+ f = (block128_f)AES_encrypt;
+ }
+ length = CRYPTO_128_wrap(&aes_key, NULL, result, P, plaintext_len,
f);
+ if (!length)
+ die("Wrapping failed.\n");
+ OutputValue("C", result, length, out, 0);
+ }
+ /* ciphertext */
+ else if(!strcmp(keyword, "C"))
+ {
+ /* Unwrap, we have a key and a ciphertext */
+ C = hex2bin_m(value, &l);
+ if (inverse) {
+ if (AES_set_encrypt_key(K, key_len*8, &aes_key))
+ die("Can't set AES encrypt key.\n");
+ f = (block128_f)AES_encrypt;
+ } else {
+ if (AES_set_decrypt_key(K, key_len*8, &aes_key))
+ die("Can't set AES decrypt key.\n");
+ f = (block128_f)AES_decrypt;
+ }
+ length = CRYPTO_128_unwrap(&aes_key, NULL, result, C,
ciphertext_len, f);
+ if (!length) {
+ fprintf(out, "FAIL" RESP_EOL);
+ } else {
+ OutputValue("P", result, length, out, 0);
+ }
+ }
+ }
+}
+
+int main(int argc,char **argv)
+{
+ if(argc != 3)
+ {
+ fprintf(stderr,"%s Req Rsp\n",argv[0]);
+ exit(1);
+ }
+ if(!FIPS_mode_set(1))
+ {
+ do_print_errors();
+ exit(1);
+ }
+
+ process(argv[1], argv[2]);
+
+ return 0;
+}
Index: openssl-1.0.2j/crypto/fips/Makefile
===================================================================
--- openssl-1.0.2j.orig/crypto/fips/Makefile 2017-05-11 16:56:02.495668727
+0200
+++ openssl-1.0.2j/crypto/fips/Makefile 2017-05-11 16:56:02.531669302 +0200
@@ -19,15 +19,15 @@ APPS=
PROGRAM= fips_standalone_hmac
EXE= $(PROGRAM)$(EXE_EXT)
-CAVS_PROGRAMS= fips_aesavs fips_cmactest fips_desmovs fips_dhvs fips_drbgvs \
+CAVS_PROGRAMS= fips_kwvs fips_aesavs fips_cmactest fips_desmovs fips_dhvs
fips_drbgvs \
fips_ecdhvs fips_ecdsavs fips_rngvs fips_rsagtest fips_rsastest \
fips_rsavtest fips_shatest fips_gcmtest fips_dssvs fips_tlsvs fips_hmactest
-CAVS_SRC= fips_aesavs.c fips_cmactest.c fips_desmovs.c fips_dhvs.c
fips_drbgvs.c fips_dssvs.c \
+CAVS_SRC= fips_kwvs.c fips_aesavs.c fips_cmactest.c fips_desmovs.c fips_dhvs.c
fips_drbgvs.c fips_dssvs.c \
fips_ecdhvs.c fips_ecdsavs.c fips_gcmtest.c fips_rngvs.c fips_rsagtest.c
fips_rsastest.c \
fips_rsavtest.c fips_shatest.c fips_tlsvs.c fips_hmactest.c
-CAVS_OBJ= fips_aesavs.o fips_cmactest.o fips_desmovs.o fips_dhvs.o
fips_drbgvs.o \
+CAVS_OBJ= fips_kwvs.o fips_aesavs.o fips_cmactest.o fips_desmovs.o fips_dhvs.o
fips_drbgvs.o \
fips_ecdhvs.o fips_ecdsavs.o fips_gcmtest.o fips_rngvs.o fips_rsagtest.o
fips_rsastest.o \
fips_rsavtest.o fips_shatest.o fips_dssvs.o fips_tlsvs.o fips_hmactest.o
@@ -454,6 +454,19 @@ fips_aesavs.o: ../../include/openssl/ope
fips_aesavs.o: ../../include/openssl/ossl_typ.h
fips_aesavs.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
fips_aesavs.o: ../../include/openssl/symhacks.h fips_utl.h fips_aesavs.c
+fips_kwvs.o: ../../e_os.h ../../include/openssl/aes.h
+fips_kwvs.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+fips_kwvs.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
+fips_kwvs.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+fips_kwvs.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+fips_kwvs.o: ../../include/openssl/fips.h ../../include/openssl/fips_rand.h
+fips_kwvs.o: ../../include/openssl/hmac.h ../../include/openssl/lhash.h
+fips_kwvs.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+fips_kwvs.o: ../../include/openssl/opensslconf.h
+fips_kwvs.o: ../../include/openssl/opensslv.h
+fips_kwvs.o: ../../include/openssl/ossl_typ.h
+fips_kwvs.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+fips_kwvs.o: ../../include/openssl/symhacks.h fips_utl.h fips_kwvs.c
fips_gcmtest.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
fips_gcmtest.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
fips_gcmtest.o: ../../include/openssl/crypto.h ../../include/openssl/dsa.h
++++++ openssl-fips_cavs_helpers_run_in_fips_mode.patch ++++++
Index: openssl-1.0.2j/crypto/fips/fips_aesavs.c
===================================================================
--- openssl-1.0.2j.orig/crypto/fips/fips_aesavs.c 2017-04-07
12:01:35.335422766 +0200
+++ openssl-1.0.2j/crypto/fips/fips_aesavs.c 2017-04-07 12:11:35.876483996
+0200
@@ -870,7 +870,11 @@ int main(int argc, char **argv)
FILE *fp = NULL;
char fn[250] = "", rfn[256] = "";
int d_opt = 1;
- fips_algtest_init();
+ fips_algtest_init_nofips();
+ if(!FIPS_mode_set(1)) {
+ fprintf(stderr, "Can't set FIPS mode\n");
+ exit(1);
+ }
if (argc > 1)
{
++++++ openssl-fips_cavs_pad_with_zeroes.patch ++++++
Index: openssl-1.0.2j/crypto/fips/fips_rsagtest.c
===================================================================
--- openssl-1.0.2j.orig/crypto/fips/fips_rsagtest.c 2017-05-04
20:57:44.099237241 +0200
+++ openssl-1.0.2j/crypto/fips/fips_rsagtest.c 2017-05-04 20:58:13.159687179
+0200
@@ -585,7 +585,7 @@ int rsa_PrimeGen(FILE *out, FILE *in)
do_bn_print_name(out, "p", rsa->p);
do_bn_print_name(out, "q", rsa->q);
do_bn_print_name(out, "n", rsa->n);
- do_bn_print_name(out, "d", rsa->d);
+ do_bn_print_name_pad(out, "d", rsa->d, mod);
FIPS_rsa_free(rsa);
rsa = NULL;
}
Index: openssl-1.0.2j/crypto/fips/fips_utl.h
===================================================================
--- openssl-1.0.2j.orig/crypto/fips/fips_utl.h 2017-05-04 20:57:44.099237241
+0200
+++ openssl-1.0.2j/crypto/fips/fips_utl.h 2017-05-04 20:57:44.131237737
+0200
@@ -74,7 +74,9 @@ int hex2bin(const char *in, unsigned cha
unsigned char *hex2bin_m(const char *in, long *plen);
int do_hex2bn(BIGNUM **pr, const char *in);
int do_bn_print(FILE *out, const BIGNUM *bn);
+int do_bn_print_pad(FILE *out, const BIGNUM *bn, int padbits);
int do_bn_print_name(FILE *out, const char *name, const BIGNUM *bn);
+int do_bn_print_name_pad(FILE *out, const char *name, const BIGNUM *bn, int
padbits);
int parse_line(char **pkw, char **pval, char *linebuf, char *olinebuf);
int parse_line2(char **pkw, char **pval, char *linebuf, char *olinebuf, int
eol);
BIGNUM *hex2bn(const char *in);
@@ -291,6 +293,43 @@ int do_bn_print_name(FILE *out, const ch
if (!r)
return 0;
fputs(RESP_EOL, out);
+ return 1;
+ }
+
+int do_bn_print_pad(FILE *out, const BIGNUM *bn, int padbits)
+ {
+ int len, i;
+ unsigned char *tmp;
+ len = BN_num_bytes(bn);
+ if (len == 0)
+ {
+ fputs("00", out);
+ return 1;
+ }
+
+ tmp = OPENSSL_malloc(len);
+ if (!tmp)
+ {
+ fprintf(stderr, "Memory allocation error\n");
+ return 0;
+ }
+ BN_bn2bin(bn, tmp);
+ for (i = 0; i < padbits/BN_BYTES - len; i++)
+ fprintf(out, "%02x", 0);
+ for (i = 0; i < len; i++)
+ fprintf(out, "%02x", tmp[i]);
+ OPENSSL_free(tmp);
+ return 1;
+ }
+
+int do_bn_print_name_pad(FILE *out, const char *name, const BIGNUM *bn, int
padbits)
+ {
+ int r;
+ fprintf(out, "%s = ", name);
+ r = do_bn_print_pad(out, bn, padbits);
+ if (!r)
+ return 0;
+ fputs(RESP_EOL, out);
return 1;
}
