From b68ef26e8c5a6a441693aba0f64c9e7b7478caed Mon Sep 17 00:00:00 2001 From: Hannes Mehnert Date: Tue, 5 Mar 2024 19:52:37 +0100 Subject: [PATCH] mirage-crypto-pk: revise API to not use Cstruct.t (#211) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * mirage-crypto-pk: revise API to not use Cstruct.t Co-Authored-By: Reynir Björnsson --- .github/workflows/windows.yml | 3 + bench/speed.ml | 48 +- mirage-crypto-ec.opam | 1 - mirage-crypto-pk.opam | 3 +- pk/dh.ml | 825 ++++++++++++++++++++-------------- pk/dsa.ml | 49 +- pk/dune | 2 +- pk/mirage_crypto_pk.mli | 76 ++-- pk/rsa.ml | 164 +++---- pk/z_extra.ml | 89 ++-- src/mirage_crypto.mli | 9 +- src/uncommon.ml | 43 +- tests/test_common.ml | 6 +- tests/test_dh.ml | 14 +- tests/test_dsa.ml | 36 +- tests/test_numeric.ml | 10 +- tests/test_rsa.ml | 42 +- 17 files changed, 803 insertions(+), 617 deletions(-) diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml index 82d45e2b..7f2d38af 100644 --- a/.github/workflows/windows.yml +++ b/.github/workflows/windows.yml @@ -21,6 +21,9 @@ jobs: - name: Use OCaml ${{ matrix.ocaml-compiler }} uses: ocaml/setup-ocaml@v2 with: + opam-repositories: | + opam-repository-mingw: https://github.com/ocaml-opam/opam-repository-mingw.git#sunset + default: https://github.com/ocaml/opam-repository.git opam-local-packages: | *.opam !mirage-crypto-rng-async.opam diff --git a/bench/speed.ml b/bench/speed.ml index dc8428a6..b446cd8f 100644 --- a/bench/speed.ml +++ b/bench/speed.ml 
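Review bot: The two `opam-repositories` entries added to the Windows job reference a branch (`#sunset`) and an unpinned default `.git` URL, so the package index that CI resolves against is a mutable remote input rather than a fixed revision. That is the usual setup for `ocaml/setup-ocaml`, but if reproducible CI runs matter for this repository, pin each entry to a commit, e.g. `opam-repository-mingw: https://github.com/ocaml-opam/opam-repository-mingw.git#<commit-sha>`, and bump it deliberately.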
@@ -87,15 +87,15 @@ let rsa_1024 = in match Mirage_crypto_pk.Rsa.priv_of_primes ~e ~p ~q with Ok r -> r | _ -> assert false -let enc_1024 = Mirage_crypto_pk.Rsa.(encrypt ~key:(pub_of_priv rsa_1024) msg) +let enc_1024 = Mirage_crypto_pk.Rsa.(encrypt ~key:(pub_of_priv rsa_1024) msg_str) let pkcs1_sig_1024 () = - Mirage_crypto_pk.Rsa.PKCS1.sign ~hash:`SHA256 ~key:rsa_1024 (`Message msg) + Mirage_crypto_pk.Rsa.PKCS1.sign ~hash:`SHA256 ~key:rsa_1024 (`Message msg_str) let pkcs1_enc_1024 () = - Mirage_crypto_pk.Rsa.(PKCS1.encrypt ~key:(pub_of_priv rsa_1024) msg) + Mirage_crypto_pk.Rsa.(PKCS1.encrypt ~key:(pub_of_priv rsa_1024) msg_str) -let pss_sig_1024 () = PSS.sign ~key:rsa_1024 (`Message msg) +let pss_sig_1024 () = PSS.sign ~key:rsa_1024 (`Message msg_str) let rsa_2048 = let p = Z.of_string "146881832325800831419400417618624202055588545997890787121932184528831630537012732415698782899346395306540669232648045731896347007978622067056705527305566180903122107927148832001099595387953189273726394573803912262323600581299712943797238366745329534148223987933536186022708693674753193534229263584177098260169" 
@@ -104,15 +104,15 @@ let rsa_2048 = in match Mirage_crypto_pk.Rsa.priv_of_primes ~e ~p ~q with Ok r -> r | _ -> assert false -let enc_2048 = Mirage_crypto_pk.Rsa.(encrypt ~key:(pub_of_priv rsa_2048) msg) +let enc_2048 = Mirage_crypto_pk.Rsa.(encrypt ~key:(pub_of_priv rsa_2048) msg_str) let pkcs1_sig_2048 () = - Mirage_crypto_pk.Rsa.PKCS1.sign ~hash:`SHA256 ~key:rsa_2048 (`Message msg) + Mirage_crypto_pk.Rsa.PKCS1.sign ~hash:`SHA256 ~key:rsa_2048 (`Message msg_str) let pkcs1_enc_2048 () = - Mirage_crypto_pk.Rsa.(PKCS1.encrypt ~key:(pub_of_priv rsa_2048) msg) + Mirage_crypto_pk.Rsa.(PKCS1.encrypt ~key:(pub_of_priv rsa_2048) msg_str) -let pss_sig_2048 () = PSS.sign ~key:rsa_2048 (`Message msg) +let pss_sig_2048 () = PSS.sign ~key:rsa_2048 (`Message msg_str) let rsa_4096 = let p = Z.of_string "30773596934476715066776070065844902670036493980016387964275170019397018472432997910667589359581914549510631424565206701540136804180560112829236103459317928059975099687383138310206374921731816027058152009810073337617754052401932141110921176212810704858018214605862299356217860547747262170495777126218319842708093667844701139914958775637423731967187071886349669479192453619522943080948061657926138418380417577129184420732857906610804965319661598089231703183044642635889126023201809407430354992888247464125783088294095728916671050049684448794153783082653555256735912037270303014887722063417225893745458164718800442738569" 
@@ -121,15 +121,15 @@ let rsa_4096 = in match Mirage_crypto_pk.Rsa.priv_of_primes ~e ~p ~q with Ok r -> r | _ -> assert false -let enc_4096 = Mirage_crypto_pk.Rsa.(encrypt ~key:(pub_of_priv rsa_4096) msg) +let enc_4096 = Mirage_crypto_pk.Rsa.(encrypt ~key:(pub_of_priv rsa_4096) msg_str) let pkcs1_sig_4096 () = - Mirage_crypto_pk.Rsa.PKCS1.sign ~hash:`SHA256 ~key:rsa_4096 (`Message msg) + Mirage_crypto_pk.Rsa.PKCS1.sign ~hash:`SHA256 ~key:rsa_4096 (`Message msg_str) let pkcs1_enc_4096 () = - Mirage_crypto_pk.Rsa.(PKCS1.encrypt ~key:(pub_of_priv rsa_4096) msg) + Mirage_crypto_pk.Rsa.(PKCS1.encrypt ~key:(pub_of_priv rsa_4096) msg_str) -let pss_sig_4096 () = PSS.sign ~key:rsa_4096 (`Message msg) +let pss_sig_4096 () = PSS.sign ~key:rsa_4096 (`Message msg_str) let dsa_1024 = let p = Z.of_string "115320471016337933377056549329182706825658339080795846324118938187917903660539570102468495091957028599543345588517799627361082806070282899880721557018345825086927289316756283826093243695405203187016738458545513419551779925532261196890562077023934735570005318513791942265699098088390517334916527653326493928799" 
@@ -140,7 +140,7 @@ let dsa_1024 = in match Mirage_crypto_pk.Dsa.priv ~fips:true ~p ~q ~gg ~x ~y () with Ok p -> p | _ -> assert false -let dsa_sig_1024 () = Mirage_crypto_pk.Dsa.sign ~key:dsa_1024 msg +let dsa_sig_1024 () = Mirage_crypto_pk.Dsa.sign ~key:dsa_1024 msg_str let dsa_2048 = let p = Z.of_string "27787495469795504213817302334103600594688179071059183073859876165757248559489321478170600304273914000462158587756787453177210321379060448141559798652196363556897576291878245650614903612762833777567911000834171168229784178643222849655095281437320492725855855778320111645629834980350492228611813830302209080760811887894272862901026864911346096471199762409562102789142939773632891860019140618313962854554152891445175391927591825205548689170996430765723064763763481336517107917261869303217480777161449935319930795628114622197586510378927239068257979584784079128534248603619156372913573809491691986354447396965646770535701" 
@@ -151,7 +151,7 @@ let dsa_2048 = in match Mirage_crypto_pk.Dsa.priv ~fips:true ~p ~q ~gg ~x ~y () with Ok p -> p | _ -> assert false -let dsa_sig_2048 () = Mirage_crypto_pk.Dsa.sign ~key:dsa_2048 msg +let dsa_sig_2048 () = Mirage_crypto_pk.Dsa.sign ~key:dsa_2048 msg_str let dsa_3072 = let p = Z.of_string "4944862491052787177238323499959371418651354629231656321315236369672827559263545931134286049323485061071828187289578269594065783019111035804017538871324004047710342711620233110167493989997579634523303899794913823240058891327833786211541568251787338957336540247816021098378292806006955851897646808403078979142749428669072523191276645021175423303816467433407072660616741824124536840773744646488191896772232795413707995397140064396495425700133866462410490239713815308709711960470201906326732033816522202617817869465691798938486540955726912350768931476362143768721380759395525951947017232778140349423557015356082357043807910825817719748257213281893007933859227824276579765323175836008193865064772817200047353825332039369252224256435661514851653526942065285711420907389170574343434449883875510985495078384130667046036846831401643151166834922210257258578675547742596423035828159461629721005113634334227074529533688136165903014911127" @@ -162,7 +162,7 @@ let dsa_3072 = in match Mirage_crypto_pk.Dsa.priv ~fips:true ~p ~q ~gg ~x ~y () with Ok p -> p | _ -> assert false -let dsa_sig_3072 () = Mirage_crypto_pk.Dsa.sign ~key:dsa_3072 msg +let dsa_sig_3072 () = Mirage_crypto_pk.Dsa.sign ~key:dsa_3072 msg_str let dh_groups = ["oakley5 (1536)",Mirage_crypto_pk.Dh.Group.oakley_5; 
@@ -176,7 +176,7 @@ let dh_secrets = List.map2 (fun (n, group) s -> (n, group), Mirage_crypto_pk.Dh.key_of_secret group ~s) dh_groups - (List.map (fun s -> Z.of_string s |> Mirage_crypto_pk.Z_extra.to_cstruct_be) + (List.map (fun s -> Z.of_string s |> Mirage_crypto_pk.Z_extra.to_octets_be) [ "31271182055444024732867835946284871743952969208281694762833912267184" ; "27594341083884344999714422172371027333192426063917478556668524561591" ; @@ -241,7 +241,7 @@ let benchmarks = [ string_of_int [1024;2048;4096]) ; bm "rsa-encrypt" (fun name -> - count name (fun key -> Mirage_crypto_pk.Rsa.(encrypt ~key:(pub_of_priv key) msg)) + count name (fun key -> Mirage_crypto_pk.Rsa.(encrypt ~key:(pub_of_priv key) msg_str)) (fun k -> string_of_int (Mirage_crypto_pk.Rsa.priv_bits k)) [rsa_1024;rsa_2048;rsa_4096]) ; @@ -251,7 +251,7 @@ let benchmarks = [ [rsa_1024,enc_1024 ; rsa_2048,enc_2048 ; rsa_4096,enc_4096]) ; bm "rsa-pkcs1-encrypt" (fun name -> - count name (fun key -> Mirage_crypto_pk.Rsa.(PKCS1.encrypt ~key:(pub_of_priv key) msg)) + count name (fun key -> Mirage_crypto_pk.Rsa.(PKCS1.encrypt ~key:(pub_of_priv key) msg_str)) (fun k -> string_of_int (Mirage_crypto_pk.Rsa.priv_bits k)) [rsa_1024;rsa_2048;rsa_4096]) ; 
@@ -261,24 +261,24 @@ let benchmarks = [ [rsa_1024,pkcs1_enc_1024 () ; rsa_2048,pkcs1_enc_2048 () ; rsa_4096,pkcs1_enc_4096 ()]) ; bm "rsa-pkcs1-sign" (fun name -> - count name (fun key -> Mirage_crypto_pk.Rsa.PKCS1.sign ~hash:`SHA256 ~key (`Message msg)) + count name (fun key -> Mirage_crypto_pk.Rsa.PKCS1.sign ~hash:`SHA256 ~key (`Message msg_str)) (fun k -> string_of_int (Mirage_crypto_pk.Rsa.priv_bits k)) [rsa_1024;rsa_2048;rsa_4096]) ; bm "rsa-pkcs1-verify" (fun name -> count name (fun (key, signature) -> - Mirage_crypto_pk.Rsa.(PKCS1.verify ~hashp:(fun _ -> true) ~key:(pub_of_priv key) ~signature (`Message msg))) + Mirage_crypto_pk.Rsa.(PKCS1.verify ~hashp:(fun _ -> true) ~key:(pub_of_priv key) ~signature (`Message msg_str))) (fun (k, _) -> string_of_int (Mirage_crypto_pk.Rsa.priv_bits k)) [rsa_1024,pkcs1_sig_1024 () ; rsa_2048,pkcs1_sig_2048 () ; rsa_4096,pkcs1_sig_4096 ()]) ; bm "rsa-pss-sign" (fun name -> - count name (fun key -> PSS.sign ~key (`Message msg)) + count name (fun key -> PSS.sign ~key (`Message msg_str)) (fun k -> string_of_int (Mirage_crypto_pk.Rsa.priv_bits k)) [rsa_1024;rsa_2048;rsa_4096]) ; bm "rsa-pss-verify" (fun name -> count name (fun (key, signature) -> - PSS.verify ~key:(Mirage_crypto_pk.Rsa.pub_of_priv key) ~signature (`Message msg)) + PSS.verify ~key:(Mirage_crypto_pk.Rsa.pub_of_priv key) ~signature (`Message msg_str)) (fun (k, _) -> string_of_int (Mirage_crypto_pk.Rsa.priv_bits k)) [rsa_1024,pss_sig_1024 () ; rsa_2048,pss_sig_2048 () ; rsa_4096,pss_sig_4096 ()]) ; 
@@ -288,13 +288,13 @@ let benchmarks = [ [`Fips1024;`Fips2048;`Fips3072]); bm "dsa-sign" (fun name -> - count name (fun key -> Mirage_crypto_pk.Dsa.sign ~key msg) + count name (fun key -> Mirage_crypto_pk.Dsa.sign ~key msg_str) (fun k -> string_of_int (Z.numbits k.p)) [dsa_1024;dsa_2048;dsa_3072]); bm "dsa-verify" (fun name -> count name (fun (key, signature) -> - Mirage_crypto_pk.Dsa.(verify ~key:(pub_of_priv key) signature msg)) + Mirage_crypto_pk.Dsa.(verify ~key:(pub_of_priv key) signature msg_str)) (fun (k, _) -> string_of_int (Z.numbits k.p)) [dsa_1024,dsa_sig_1024 () ; dsa_2048,dsa_sig_2048 () ; dsa_3072,dsa_sig_3072 ()]); diff --git a/mirage-crypto-ec.opam b/mirage-crypto-ec.opam index a7539c37..80309315 100644 --- a/mirage-crypto-ec.opam +++ b/mirage-crypto-ec.opam @@ -27,7 +27,6 @@ bug-reports: "https://github.com/mirage/mirage-crypto/issues" depends: [ "dune" {>= "2.7"} "ocaml" {>= "4.08.0"} - "cstruct" {>= "6.0.0"} "dune-configurator" "eqaf" {>= "0.7"} "mirage-crypto" {=version} diff --git a/mirage-crypto-pk.opam b/mirage-crypto-pk.opam index 9a4dfa75..d3aa3dca 100644 --- a/mirage-crypto-pk.opam +++ b/mirage-crypto-pk.opam @@ -18,10 +18,9 @@ depends: [ "dune" {>= "2.7"} "ounit2" {with-test} "randomconv" {with-test & >= "0.1.3"} - "cstruct" {>="6.00"} "mirage-crypto" {=version} "mirage-crypto-rng" {=version} - "zarith" {>= "1.4"} + "zarith" {>= "1.13"} "eqaf" {>= "0.8"} ] conflicts: [ diff --git a/pk/dh.ml b/pk/dh.ml index d0fc3890..bfe918e4 100644 --- a/pk/dh.ml +++ b/pk/dh.ml 
@@ -55,13 +55,13 @@ let key_of_secret_z ({ p; gg; _ } as group) x = if valid_secret group x then match Z.(powm_sec gg x p) with | ggx when bad_public_key group ggx -> raise_notrace Invalid_key - | ggx -> ({ group ; x }, Z_extra.to_cstruct_be ggx) + | ggx -> ({ group ; x }, Z_extra.to_octets_be ggx) else raise_notrace Invalid_key let key_of_secret group ~s = (* catches Invalid_private_key and re-raises with exception trace: *) - try key_of_secret_z group (Z_extra.of_cstruct_be s) + try key_of_secret_z group (Z_extra.of_octets_be s) with Invalid_key -> raise Invalid_key (* XXX @@ -78,9 +78,9 @@ let rec gen_key ?g ?bits ({ p; q; _ } as group) = try key_of_secret_z group s with Invalid_key -> gen_key ?g ?bits group let shared { group ; x } cs = - match Z_extra.of_cstruct_be cs with + match Z_extra.of_octets_be cs with | ggy when bad_public_key group ggy -> None - | ggy -> Some (Z_extra.to_cstruct_be (Z.powm_sec ggy x group.p)) + | ggy -> Some (Z_extra.to_octets_be (Z.powm_sec ggy x group.p)) (* Finds a safe prime with [p = 2q + 1] and [2^q = 1 mod p]. *) let rec gen_group ?g ~bits () = 
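Review bot: `shared` keeps the parameter name `cs` for the peer's public value even though, after this change, it is a plain string passed to `Z_extra.of_octets_be` rather than a `Cstruct.t`; renaming it, `let shared { group ; x } public =` and `match Z_extra.of_octets_be public with`, keeps the new API's vocabulary consistent with `key_of_secret ~s`. Separately, the following hunk of this file (the `Group` module, which runs past the end of this excerpt and so gets no note of its own) appears to have lost a backslash in the last line of the `oakley_2` prime: it reads `x49\x28\x66\x51...` where every other line starts with `\x`, and because the preceding line ends in a `\`-newline continuation, OCaml would embed the three ASCII characters `x49` instead of the byte 0x49, producing a wrong, two-bytes-longer `p` that `s_group` then turns into `q = (p-1)/2` without any check. If that is not a rendering artefact of this page, the line should start `\x49\x28\x66\x51\xEC\xE6\x53\x81`, and a test asserting `Z.numbits p = 1024` for `oakley_2` (and the corresponding size for each other group) would catch this class of transcription error.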
@@ -90,194 +90,261 @@ let rec gen_group ?g ~bits () = module Group = struct - let f z = Z_extra.of_cstruct_be (Cstruct.of_hex z) - (* Safe-prime-style group: p = 2q + 1 && gg = 2 && gg^q = 1 mod p *) let s_group ~p = - let p = f p in + let p = Z_extra.of_octets_be p in { p ; gg = Z.(~$2) ; q = Some Z.(pred p / ~$2) } (* Any old group. *) - let group ~p ~gg ~q = { p = f p ; gg = f gg ; q = Some (f q) } + let group ~p ~gg ~q = + let f = Z_extra.of_octets_be in + { p = f p ; gg = f gg ; q = Some (f q) } (* RFC2409 *) let oakley_1 = (* 2^768 - 2 ^704 - 1 + 2^64 * { [2^638 pi] + 149686 } *) s_group ~p: - "FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 - 29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD - EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245 - E485B576 625E7EC6 F44C42E9 A63A3620 FFFFFFFF FFFFFFFF" + "\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xC9\x0F\xDA\xA2\x21\x68\xC2\x34\ + \xC4\xC6\x62\x8B\x80\xDC\x1C\xD1\x29\x02\x4E\x08\x8A\x67\xCC\x74\ + \x02\x0B\xBE\xA6\x3B\x13\x9B\x22\x51\x4A\x08\x79\x8E\x34\x04\xDD\ + \xEF\x95\x19\xB3\xCD\x3A\x43\x1B\x30\x2B\x0A\x6D\xF2\x5F\x14\x37\ + \x4F\xE1\x35\x6D\x6D\x51\xC2\x45\xE4\x85\xB5\x76\x62\x5E\x7E\xC6\ + \xF4\x4C\x42\xE9\xA6\x3A\x36\x20\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF" let oakley_2 = (* 2^1024 - 2^960 - 1 + 2^64 * { [2^894 pi] + 129093 }. 
*) s_group ~p: - "FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 - 29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD - EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245 - E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED - EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 - FFFFFFFF FFFFFFFF" - + "\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xC9\x0F\xDA\xA2\x21\x68\xC2\x34\ + \xC4\xC6\x62\x8B\x80\xDC\x1C\xD1\x29\x02\x4E\x08\x8A\x67\xCC\x74\ + \x02\x0B\xBE\xA6\x3B\x13\x9B\x22\x51\x4A\x08\x79\x8E\x34\x04\xDD\ + \xEF\x95\x19\xB3\xCD\x3A\x43\x1B\x30\x2B\x0A\x6D\xF2\x5F\x14\x37\ + \x4F\xE1\x35\x6D\x6D\x51\xC2\x45\xE4\x85\xB5\x76\x62\x5E\x7E\xC6\ + \xF4\x4C\x42\xE9\xA6\x37\xED\x6B\x0B\xFF\x5C\xB6\xF4\x06\xB7\xED\ + \xEE\x38\x6B\xFB\x5A\x89\x9F\xA5\xAE\x9F\x24\x11\x7C\x4B\x1F\xE6\ + x49\x28\x66\x51\xEC\xE6\x53\x81\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF" (* RFC3526 *) let oakley_5 = (* 2^1536 - 2^1472 - 1 + 2^64 * { [2^1406 pi] + 741804 } *) s_group ~p: - "FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 - 29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD - EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245 - E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED - EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D - C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F - 83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D - 670C354E 4ABC9804 F1746C08 CA237327 FFFFFFFF FFFFFFFF" + "\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xC9\x0F\xDA\xA2\x21\x68\xC2\x34\ + \xC4\xC6\x62\x8B\x80\xDC\x1C\xD1\x29\x02\x4E\x08\x8A\x67\xCC\x74\ + \x02\x0B\xBE\xA6\x3B\x13\x9B\x22\x51\x4A\x08\x79\x8E\x34\x04\xDD\ + \xEF\x95\x19\xB3\xCD\x3A\x43\x1B\x30\x2B\x0A\x6D\xF2\x5F\x14\x37\ + \x4F\xE1\x35\x6D\x6D\x51\xC2\x45\xE4\x85\xB5\x76\x62\x5E\x7E\xC6\ + \xF4\x4C\x42\xE9\xA6\x37\xED\x6B\x0B\xFF\x5C\xB6\xF4\x06\xB7\xED\ + \xEE\x38\x6B\xFB\x5A\x89\x9F\xA5\xAE\x9F\x24\x11\x7C\x4B\x1F\xE6\ + \x49\x28\x66\x51\xEC\xE4\x5B\x3D\xC2\x00\x7C\xB8\xA1\x63\xBF\x05\ + 
\x98\xDA\x48\x36\x1C\x55\xD3\x9A\x69\x16\x3F\xA8\xFD\x24\xCF\x5F\ + \x83\x65\x5D\x23\xDC\xA3\xAD\x96\x1C\x62\xF3\x56\x20\x85\x52\xBB\ + \x9E\xD5\x29\x07\x70\x96\x96\x6D\x67\x0C\x35\x4E\x4A\xBC\x98\x04\ + \xF1\x74\x6C\x08\xCA\x23\x73\x27\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF" let oakley_14 = (* 2^2048 - 2^1984 - 1 + 2^64 * { [2^1918 pi] + 124476 } *) s_group ~p: - "FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 - 29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD - EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245 - E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED - EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D - C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F - 83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D - 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B - E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 - DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510 - 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF" + "\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xC9\x0F\xDA\xA2\x21\x68\xC2\x34\ + \xC4\xC6\x62\x8B\x80\xDC\x1C\xD1\x29\x02\x4E\x08\x8A\x67\xCC\x74\ + \x02\x0B\xBE\xA6\x3B\x13\x9B\x22\x51\x4A\x08\x79\x8E\x34\x04\xDD\ + \xEF\x95\x19\xB3\xCD\x3A\x43\x1B\x30\x2B\x0A\x6D\xF2\x5F\x14\x37\ + \x4F\xE1\x35\x6D\x6D\x51\xC2\x45\xE4\x85\xB5\x76\x62\x5E\x7E\xC6\ + \xF4\x4C\x42\xE9\xA6\x37\xED\x6B\x0B\xFF\x5C\xB6\xF4\x06\xB7\xED\ + \xEE\x38\x6B\xFB\x5A\x89\x9F\xA5\xAE\x9F\x24\x11\x7C\x4B\x1F\xE6\ + \x49\x28\x66\x51\xEC\xE4\x5B\x3D\xC2\x00\x7C\xB8\xA1\x63\xBF\x05\ + \x98\xDA\x48\x36\x1C\x55\xD3\x9A\x69\x16\x3F\xA8\xFD\x24\xCF\x5F\ + \x83\x65\x5D\x23\xDC\xA3\xAD\x96\x1C\x62\xF3\x56\x20\x85\x52\xBB\ + \x9E\xD5\x29\x07\x70\x96\x96\x6D\x67\x0C\x35\x4E\x4A\xBC\x98\x04\ + \xF1\x74\x6C\x08\xCA\x18\x21\x7C\x32\x90\x5E\x46\x2E\x36\xCE\x3B\ + \xE3\x9E\x77\x2C\x18\x0E\x86\x03\x9B\x27\x83\xA2\xEC\x07\xA2\x8F\ + \xB5\xC5\x5D\xF0\x6F\x4C\x52\xC9\xDE\x2B\xCB\xF6\x95\x58\x17\x18\ + \x39\x95\x49\x7C\xEA\x95\x6A\xE5\x15\xD2\x26\x18\x98\xFA\x05\x10\ + 
\x15\x72\x8E\x5A\x8A\xAC\xAA\x68\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF" let oakley_15 = (* 2^3072 - 2^3008 - 1 + 2^64 * { [2^2942 pi] + 1690314 } *) s_group ~p: - "FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 - 29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD - EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245 - E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED - EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D - C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F - 83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D - 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B - E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 - DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510 - 15728E5A 8AAAC42D AD33170D 04507A33 A85521AB DF1CBA64 - ECFB8504 58DBEF0A 8AEA7157 5D060C7D B3970F85 A6E1E4C7 - ABF5AE8C DB0933D7 1E8C94E0 4A25619D CEE3D226 1AD2EE6B - F12FFA06 D98A0864 D8760273 3EC86A64 521F2B18 177B200C - BBE11757 7A615D6C 770988C0 BAD946E2 08E24FA0 74E5AB31 - 43DB5BFC E0FD108E 4B82D120 A93AD2CA FFFFFFFF FFFFFFFF" + "\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xC9\x0F\xDA\xA2\x21\x68\xC2\x34\ + \xC4\xC6\x62\x8B\x80\xDC\x1C\xD1\x29\x02\x4E\x08\x8A\x67\xCC\x74\ + \x02\x0B\xBE\xA6\x3B\x13\x9B\x22\x51\x4A\x08\x79\x8E\x34\x04\xDD\ + \xEF\x95\x19\xB3\xCD\x3A\x43\x1B\x30\x2B\x0A\x6D\xF2\x5F\x14\x37\ + \x4F\xE1\x35\x6D\x6D\x51\xC2\x45\xE4\x85\xB5\x76\x62\x5E\x7E\xC6\ + \xF4\x4C\x42\xE9\xA6\x37\xED\x6B\x0B\xFF\x5C\xB6\xF4\x06\xB7\xED\ + \xEE\x38\x6B\xFB\x5A\x89\x9F\xA5\xAE\x9F\x24\x11\x7C\x4B\x1F\xE6\ + \x49\x28\x66\x51\xEC\xE4\x5B\x3D\xC2\x00\x7C\xB8\xA1\x63\xBF\x05\ + \x98\xDA\x48\x36\x1C\x55\xD3\x9A\x69\x16\x3F\xA8\xFD\x24\xCF\x5F\ + \x83\x65\x5D\x23\xDC\xA3\xAD\x96\x1C\x62\xF3\x56\x20\x85\x52\xBB\ + \x9E\xD5\x29\x07\x70\x96\x96\x6D\x67\x0C\x35\x4E\x4A\xBC\x98\x04\ + \xF1\x74\x6C\x08\xCA\x18\x21\x7C\x32\x90\x5E\x46\x2E\x36\xCE\x3B\ + \xE3\x9E\x77\x2C\x18\x0E\x86\x03\x9B\x27\x83\xA2\xEC\x07\xA2\x8F\ + 
\xB5\xC5\x5D\xF0\x6F\x4C\x52\xC9\xDE\x2B\xCB\xF6\x95\x58\x17\x18\ + \x39\x95\x49\x7C\xEA\x95\x6A\xE5\x15\xD2\x26\x18\x98\xFA\x05\x10\ + \x15\x72\x8E\x5A\x8A\xAA\xC4\x2D\xAD\x33\x17\x0D\x04\x50\x7A\x33\ + \xA8\x55\x21\xAB\xDF\x1C\xBA\x64\xEC\xFB\x85\x04\x58\xDB\xEF\x0A\ + \x8A\xEA\x71\x57\x5D\x06\x0C\x7D\xB3\x97\x0F\x85\xA6\xE1\xE4\xC7\ + \xAB\xF5\xAE\x8C\xDB\x09\x33\xD7\x1E\x8C\x94\xE0\x4A\x25\x61\x9D\ + \xCE\xE3\xD2\x26\x1A\xD2\xEE\x6B\xF1\x2F\xFA\x06\xD9\x8A\x08\x64\ + \xD8\x76\x02\x73\x3E\xC8\x6A\x64\x52\x1F\x2B\x18\x17\x7B\x20\x0C\ + \xBB\xE1\x17\x57\x7A\x61\x5D\x6C\x77\x09\x88\xC0\xBA\xD9\x46\xE2\ + \x08\xE2\x4F\xA0\x74\xE5\xAB\x31\x43\xDB\x5B\xFC\xE0\xFD\x10\x8E\ + \x4B\x82\xD1\x20\xA9\x3A\xD2\xCA\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF" let oakley_16 = (* 2^4096 - 2^4032 - 1 + 2^64 * { [2^3966 pi] + 240904 } *) s_group ~p: - "FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 - 29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD - EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245 - E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED - EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D - C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F - 83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D - 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B - E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 - DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510 - 15728E5A 8AAAC42D AD33170D 04507A33 A85521AB DF1CBA64 - ECFB8504 58DBEF0A 8AEA7157 5D060C7D B3970F85 A6E1E4C7 - ABF5AE8C DB0933D7 1E8C94E0 4A25619D CEE3D226 1AD2EE6B - F12FFA06 D98A0864 D8760273 3EC86A64 521F2B18 177B200C - BBE11757 7A615D6C 770988C0 BAD946E2 08E24FA0 74E5AB31 - 43DB5BFC E0FD108E 4B82D120 A9210801 1A723C12 A787E6D7 - 88719A10 BDBA5B26 99C32718 6AF4E23C 1A946834 B6150BDA - 2583E9CA 2AD44CE8 DBBBC2DB 04DE8EF9 2E8EFC14 1FBECAA6 - 287C5947 4E6BC05D 99B2964F A090C3A2 233BA186 515BE7ED - 1F612970 CEE2D7AF B81BDD76 2170481C D0069127 D5B05AA9 - 93B4EA98 8D8FDDC1 86FFB7DC 90A6C08F 
4DF435C9 34063199 - FFFFFFFF FFFFFFFF" + "\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xC9\x0F\xDA\xA2\x21\x68\xC2\x34\ + \xC4\xC6\x62\x8B\x80\xDC\x1C\xD1\x29\x02\x4E\x08\x8A\x67\xCC\x74\ + \x02\x0B\xBE\xA6\x3B\x13\x9B\x22\x51\x4A\x08\x79\x8E\x34\x04\xDD\ + \xEF\x95\x19\xB3\xCD\x3A\x43\x1B\x30\x2B\x0A\x6D\xF2\x5F\x14\x37\ + \x4F\xE1\x35\x6D\x6D\x51\xC2\x45\xE4\x85\xB5\x76\x62\x5E\x7E\xC6\ + \xF4\x4C\x42\xE9\xA6\x37\xED\x6B\x0B\xFF\x5C\xB6\xF4\x06\xB7\xED\ + \xEE\x38\x6B\xFB\x5A\x89\x9F\xA5\xAE\x9F\x24\x11\x7C\x4B\x1F\xE6\ + \x49\x28\x66\x51\xEC\xE4\x5B\x3D\xC2\x00\x7C\xB8\xA1\x63\xBF\x05\ + \x98\xDA\x48\x36\x1C\x55\xD3\x9A\x69\x16\x3F\xA8\xFD\x24\xCF\x5F\ + \x83\x65\x5D\x23\xDC\xA3\xAD\x96\x1C\x62\xF3\x56\x20\x85\x52\xBB\ + \x9E\xD5\x29\x07\x70\x96\x96\x6D\x67\x0C\x35\x4E\x4A\xBC\x98\x04\ + \xF1\x74\x6C\x08\xCA\x18\x21\x7C\x32\x90\x5E\x46\x2E\x36\xCE\x3B\ + \xE3\x9E\x77\x2C\x18\x0E\x86\x03\x9B\x27\x83\xA2\xEC\x07\xA2\x8F\ + \xB5\xC5\x5D\xF0\x6F\x4C\x52\xC9\xDE\x2B\xCB\xF6\x95\x58\x17\x18\ + \x39\x95\x49\x7C\xEA\x95\x6A\xE5\x15\xD2\x26\x18\x98\xFA\x05\x10\ + \x15\x72\x8E\x5A\x8A\xAA\xC4\x2D\xAD\x33\x17\x0D\x04\x50\x7A\x33\ + \xA8\x55\x21\xAB\xDF\x1C\xBA\x64\xEC\xFB\x85\x04\x58\xDB\xEF\x0A\ + \x8A\xEA\x71\x57\x5D\x06\x0C\x7D\xB3\x97\x0F\x85\xA6\xE1\xE4\xC7\ + \xAB\xF5\xAE\x8C\xDB\x09\x33\xD7\x1E\x8C\x94\xE0\x4A\x25\x61\x9D\ + \xCE\xE3\xD2\x26\x1A\xD2\xEE\x6B\xF1\x2F\xFA\x06\xD9\x8A\x08\x64\ + \xD8\x76\x02\x73\x3E\xC8\x6A\x64\x52\x1F\x2B\x18\x17\x7B\x20\x0C\ + \xBB\xE1\x17\x57\x7A\x61\x5D\x6C\x77\x09\x88\xC0\xBA\xD9\x46\xE2\ + \x08\xE2\x4F\xA0\x74\xE5\xAB\x31\x43\xDB\x5B\xFC\xE0\xFD\x10\x8E\ + \x4B\x82\xD1\x20\xA9\x21\x08\x01\x1A\x72\x3C\x12\xA7\x87\xE6\xD7\ + \x88\x71\x9A\x10\xBD\xBA\x5B\x26\x99\xC3\x27\x18\x6A\xF4\xE2\x3C\ + \x1A\x94\x68\x34\xB6\x15\x0B\xDA\x25\x83\xE9\xCA\x2A\xD4\x4C\xE8\ + \xDB\xBB\xC2\xDB\x04\xDE\x8E\xF9\x2E\x8E\xFC\x14\x1F\xBE\xCA\xA6\ + \x28\x7C\x59\x47\x4E\x6B\xC0\x5D\x99\xB2\x96\x4F\xA0\x90\xC3\xA2\ + 
\x23\x3B\xA1\x86\x51\x5B\xE7\xED\x1F\x61\x29\x70\xCE\xE2\xD7\xAF\ + \xB8\x1B\xDD\x76\x21\x70\x48\x1C\xD0\x06\x91\x27\xD5\xB0\x5A\xA9\ + \x93\xB4\xEA\x98\x8D\x8F\xDD\xC1\x86\xFF\xB7\xDC\x90\xA6\xC0\x8F\ + \x4D\xF4\x35\xC9\x34\x06\x31\x99\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF" let oakley_17 = (* 2^6144 - 2^6080 - 1 + 2^64 * { [2^6014 pi] + 929484 } *) s_group ~p: - "FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 - 29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD - EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245 - E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED - EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D - C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F - 83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D - 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B - E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 - DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510 - 15728E5A 8AAAC42D AD33170D 04507A33 A85521AB DF1CBA64 - ECFB8504 58DBEF0A 8AEA7157 5D060C7D B3970F85 A6E1E4C7 - ABF5AE8C DB0933D7 1E8C94E0 4A25619D CEE3D226 1AD2EE6B - F12FFA06 D98A0864 D8760273 3EC86A64 521F2B18 177B200C - BBE11757 7A615D6C 770988C0 BAD946E2 08E24FA0 74E5AB31 - 43DB5BFC E0FD108E 4B82D120 A9210801 1A723C12 A787E6D7 - 88719A10 BDBA5B26 99C32718 6AF4E23C 1A946834 B6150BDA - 2583E9CA 2AD44CE8 DBBBC2DB 04DE8EF9 2E8EFC14 1FBECAA6 - 287C5947 4E6BC05D 99B2964F A090C3A2 233BA186 515BE7ED - 1F612970 CEE2D7AF B81BDD76 2170481C D0069127 D5B05AA9 - 93B4EA98 8D8FDDC1 86FFB7DC 90A6C08F 4DF435C9 34028492 - 36C3FAB4 D27C7026 C1D4DCB2 602646DE C9751E76 3DBA37BD - F8FF9406 AD9E530E E5DB382F 413001AE B06A53ED 9027D831 - 179727B0 865A8918 DA3EDBEB CF9B14ED 44CE6CBA CED4BB1B - DB7F1447 E6CC254B 33205151 2BD7AF42 6FB8F401 378CD2BF - 5983CA01 C64B92EC F032EA15 D1721D03 F482D7CE 6E74FEF6 - D55E702F 46980C82 B5A84031 900B1C9E 59E7C97F BEC7E8F3 - 23A97A7E 36CC88BE 0F1D45B7 FF585AC5 4BD407B2 2B4154AA - CC8F6D7E BF48E1D8 14CC5ED2 0F8037E0 A79715EE F29BE328 - 06A1D58B 
B7C5DA76 F550AA3D 8A1FBFF0 EB19CCB1 A313D55C - DA56C9EC 2EF29632 387FE8D7 6E3C0468 043E8F66 3F4860EE - 12BF2D5B 0B7474D6 E694F91E 6DCC4024 FFFFFFFF FFFFFFFF" + "\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xC9\x0F\xDA\xA2\x21\x68\xC2\x34\ + \xC4\xC6\x62\x8B\x80\xDC\x1C\xD1\x29\x02\x4E\x08\x8A\x67\xCC\x74\ + \x02\x0B\xBE\xA6\x3B\x13\x9B\x22\x51\x4A\x08\x79\x8E\x34\x04\xDD\ + \xEF\x95\x19\xB3\xCD\x3A\x43\x1B\x30\x2B\x0A\x6D\xF2\x5F\x14\x37\ + \x4F\xE1\x35\x6D\x6D\x51\xC2\x45\xE4\x85\xB5\x76\x62\x5E\x7E\xC6\ + \xF4\x4C\x42\xE9\xA6\x37\xED\x6B\x0B\xFF\x5C\xB6\xF4\x06\xB7\xED\ + \xEE\x38\x6B\xFB\x5A\x89\x9F\xA5\xAE\x9F\x24\x11\x7C\x4B\x1F\xE6\ + \x49\x28\x66\x51\xEC\xE4\x5B\x3D\xC2\x00\x7C\xB8\xA1\x63\xBF\x05\ + \x98\xDA\x48\x36\x1C\x55\xD3\x9A\x69\x16\x3F\xA8\xFD\x24\xCF\x5F\ + \x83\x65\x5D\x23\xDC\xA3\xAD\x96\x1C\x62\xF3\x56\x20\x85\x52\xBB\ + \x9E\xD5\x29\x07\x70\x96\x96\x6D\x67\x0C\x35\x4E\x4A\xBC\x98\x04\ + \xF1\x74\x6C\x08\xCA\x18\x21\x7C\x32\x90\x5E\x46\x2E\x36\xCE\x3B\ + \xE3\x9E\x77\x2C\x18\x0E\x86\x03\x9B\x27\x83\xA2\xEC\x07\xA2\x8F\ + \xB5\xC5\x5D\xF0\x6F\x4C\x52\xC9\xDE\x2B\xCB\xF6\x95\x58\x17\x18\ + \x39\x95\x49\x7C\xEA\x95\x6A\xE5\x15\xD2\x26\x18\x98\xFA\x05\x10\ + \x15\x72\x8E\x5A\x8A\xAA\xC4\x2D\xAD\x33\x17\x0D\x04\x50\x7A\x33\ + \xA8\x55\x21\xAB\xDF\x1C\xBA\x64\xEC\xFB\x85\x04\x58\xDB\xEF\x0A\ + \x8A\xEA\x71\x57\x5D\x06\x0C\x7D\xB3\x97\x0F\x85\xA6\xE1\xE4\xC7\ + \xAB\xF5\xAE\x8C\xDB\x09\x33\xD7\x1E\x8C\x94\xE0\x4A\x25\x61\x9D\ + \xCE\xE3\xD2\x26\x1A\xD2\xEE\x6B\xF1\x2F\xFA\x06\xD9\x8A\x08\x64\ + \xD8\x76\x02\x73\x3E\xC8\x6A\x64\x52\x1F\x2B\x18\x17\x7B\x20\x0C\ + \xBB\xE1\x17\x57\x7A\x61\x5D\x6C\x77\x09\x88\xC0\xBA\xD9\x46\xE2\ + \x08\xE2\x4F\xA0\x74\xE5\xAB\x31\x43\xDB\x5B\xFC\xE0\xFD\x10\x8E\ + \x4B\x82\xD1\x20\xA9\x21\x08\x01\x1A\x72\x3C\x12\xA7\x87\xE6\xD7\ + \x88\x71\x9A\x10\xBD\xBA\x5B\x26\x99\xC3\x27\x18\x6A\xF4\xE2\x3C\ + \x1A\x94\x68\x34\xB6\x15\x0B\xDA\x25\x83\xE9\xCA\x2A\xD4\x4C\xE8\ + \xDB\xBB\xC2\xDB\x04\xDE\x8E\xF9\x2E\x8E\xFC\x14\x1F\xBE\xCA\xA6\ + 
\x28\x7C\x59\x47\x4E\x6B\xC0\x5D\x99\xB2\x96\x4F\xA0\x90\xC3\xA2\ + \x23\x3B\xA1\x86\x51\x5B\xE7\xED\x1F\x61\x29\x70\xCE\xE2\xD7\xAF\ + \xB8\x1B\xDD\x76\x21\x70\x48\x1C\xD0\x06\x91\x27\xD5\xB0\x5A\xA9\ + \x93\xB4\xEA\x98\x8D\x8F\xDD\xC1\x86\xFF\xB7\xDC\x90\xA6\xC0\x8F\ + \x4D\xF4\x35\xC9\x34\x02\x84\x92\x36\xC3\xFA\xB4\xD2\x7C\x70\x26\ + \xC1\xD4\xDC\xB2\x60\x26\x46\xDE\xC9\x75\x1E\x76\x3D\xBA\x37\xBD\ + \xF8\xFF\x94\x06\xAD\x9E\x53\x0E\xE5\xDB\x38\x2F\x41\x30\x01\xAE\ + \xB0\x6A\x53\xED\x90\x27\xD8\x31\x17\x97\x27\xB0\x86\x5A\x89\x18\ + \xDA\x3E\xDB\xEB\xCF\x9B\x14\xED\x44\xCE\x6C\xBA\xCE\xD4\xBB\x1B\ + \xDB\x7F\x14\x47\xE6\xCC\x25\x4B\x33\x20\x51\x51\x2B\xD7\xAF\x42\ + \x6F\xB8\xF4\x01\x37\x8C\xD2\xBF\x59\x83\xCA\x01\xC6\x4B\x92\xEC\ + \xF0\x32\xEA\x15\xD1\x72\x1D\x03\xF4\x82\xD7\xCE\x6E\x74\xFE\xF6\ + \xD5\x5E\x70\x2F\x46\x98\x0C\x82\xB5\xA8\x40\x31\x90\x0B\x1C\x9E\ + \x59\xE7\xC9\x7F\xBE\xC7\xE8\xF3\x23\xA9\x7A\x7E\x36\xCC\x88\xBE\ + \x0F\x1D\x45\xB7\xFF\x58\x5A\xC5\x4B\xD4\x07\xB2\x2B\x41\x54\xAA\ + \xCC\x8F\x6D\x7E\xBF\x48\xE1\xD8\x14\xCC\x5E\xD2\x0F\x80\x37\xE0\ + \xA7\x97\x15\xEE\xF2\x9B\xE3\x28\x06\xA1\xD5\x8B\xB7\xC5\xDA\x76\ + \xF5\x50\xAA\x3D\x8A\x1F\xBF\xF0\xEB\x19\xCC\xB1\xA3\x13\xD5\x5C\ + \xDA\x56\xC9\xEC\x2E\xF2\x96\x32\x38\x7F\xE8\xD7\x6E\x3C\x04\x68\ + \x04\x3E\x8F\x66\x3F\x48\x60\xEE\x12\xBF\x2D\x5B\x0B\x74\x74\xD6\ + \xE6\x94\xF9\x1E\x6D\xCC\x40\x24\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF" let oakley_18 = (* 2^8192 - 2^8128 - 1 + 2^64 * { [2^8062 pi] + 4743158 } *) s_group ~p: - "FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 - 29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD - EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245 - E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED - EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D - C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F - 83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D - 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B - E39E772C 180E8603 9B2783A2 
EC07A28F B5C55DF0 6F4C52C9 - DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510 - 15728E5A 8AAAC42D AD33170D 04507A33 A85521AB DF1CBA64 - ECFB8504 58DBEF0A 8AEA7157 5D060C7D B3970F85 A6E1E4C7 - ABF5AE8C DB0933D7 1E8C94E0 4A25619D CEE3D226 1AD2EE6B - F12FFA06 D98A0864 D8760273 3EC86A64 521F2B18 177B200C - BBE11757 7A615D6C 770988C0 BAD946E2 08E24FA0 74E5AB31 - 43DB5BFC E0FD108E 4B82D120 A9210801 1A723C12 A787E6D7 - 88719A10 BDBA5B26 99C32718 6AF4E23C 1A946834 B6150BDA - 2583E9CA 2AD44CE8 DBBBC2DB 04DE8EF9 2E8EFC14 1FBECAA6 - 287C5947 4E6BC05D 99B2964F A090C3A2 233BA186 515BE7ED - 1F612970 CEE2D7AF B81BDD76 2170481C D0069127 D5B05AA9 - 93B4EA98 8D8FDDC1 86FFB7DC 90A6C08F 4DF435C9 34028492 - 36C3FAB4 D27C7026 C1D4DCB2 602646DE C9751E76 3DBA37BD - F8FF9406 AD9E530E E5DB382F 413001AE B06A53ED 9027D831 - 179727B0 865A8918 DA3EDBEB CF9B14ED 44CE6CBA CED4BB1B - DB7F1447 E6CC254B 33205151 2BD7AF42 6FB8F401 378CD2BF - 5983CA01 C64B92EC F032EA15 D1721D03 F482D7CE 6E74FEF6 - D55E702F 46980C82 B5A84031 900B1C9E 59E7C97F BEC7E8F3 - 23A97A7E 36CC88BE 0F1D45B7 FF585AC5 4BD407B2 2B4154AA - CC8F6D7E BF48E1D8 14CC5ED2 0F8037E0 A79715EE F29BE328 - 06A1D58B B7C5DA76 F550AA3D 8A1FBFF0 EB19CCB1 A313D55C - DA56C9EC 2EF29632 387FE8D7 6E3C0468 043E8F66 3F4860EE - 12BF2D5B 0B7474D6 E694F91E 6DBE1159 74A3926F 12FEE5E4 - 38777CB6 A932DF8C D8BEC4D0 73B931BA 3BC832B6 8D9DD300 - 741FA7BF 8AFC47ED 2576F693 6BA42466 3AAB639C 5AE4F568 - 3423B474 2BF1C978 238F16CB E39D652D E3FDB8BE FC848AD9 - 22222E04 A4037C07 13EB57A8 1A23F0C7 3473FC64 6CEA306B - 4BCBC886 2F8385DD FA9D4B7F A2C087E8 79683303 ED5BDD3A - 062B3CF5 B3A278A6 6D2A13F8 3F44F82D DF310EE0 74AB6A36 - 4597E899 A0255DC1 64F31CC5 0846851D F9AB4819 5DED7EA1 - B1D510BD 7EE74D73 FAF36BC3 1ECFA268 359046F4 EB879F92 - 4009438B 481C6CD7 889A002E D5EE382B C9190DA6 FC026E47 - 9558E447 5677E9AA 9E3050E2 765694DF C81F56E8 80B96E71 - 60C980DD 98EDD3DF FFFFFFFF FFFFFFFF" + "\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xC9\x0F\xDA\xA2\x21\x68\xC2\x34\ + 
\xC4\xC6\x62\x8B\x80\xDC\x1C\xD1\x29\x02\x4E\x08\x8A\x67\xCC\x74\ + \x02\x0B\xBE\xA6\x3B\x13\x9B\x22\x51\x4A\x08\x79\x8E\x34\x04\xDD\ + \xEF\x95\x19\xB3\xCD\x3A\x43\x1B\x30\x2B\x0A\x6D\xF2\x5F\x14\x37\ + \x4F\xE1\x35\x6D\x6D\x51\xC2\x45\xE4\x85\xB5\x76\x62\x5E\x7E\xC6\ + \xF4\x4C\x42\xE9\xA6\x37\xED\x6B\x0B\xFF\x5C\xB6\xF4\x06\xB7\xED\ + \xEE\x38\x6B\xFB\x5A\x89\x9F\xA5\xAE\x9F\x24\x11\x7C\x4B\x1F\xE6\ + \x49\x28\x66\x51\xEC\xE4\x5B\x3D\xC2\x00\x7C\xB8\xA1\x63\xBF\x05\ + \x98\xDA\x48\x36\x1C\x55\xD3\x9A\x69\x16\x3F\xA8\xFD\x24\xCF\x5F\ + \x83\x65\x5D\x23\xDC\xA3\xAD\x96\x1C\x62\xF3\x56\x20\x85\x52\xBB\ + \x9E\xD5\x29\x07\x70\x96\x96\x6D\x67\x0C\x35\x4E\x4A\xBC\x98\x04\ + \xF1\x74\x6C\x08\xCA\x18\x21\x7C\x32\x90\x5E\x46\x2E\x36\xCE\x3B\ + \xE3\x9E\x77\x2C\x18\x0E\x86\x03\x9B\x27\x83\xA2\xEC\x07\xA2\x8F\ + \xB5\xC5\x5D\xF0\x6F\x4C\x52\xC9\xDE\x2B\xCB\xF6\x95\x58\x17\x18\ + \x39\x95\x49\x7C\xEA\x95\x6A\xE5\x15\xD2\x26\x18\x98\xFA\x05\x10\ + \x15\x72\x8E\x5A\x8A\xAA\xC4\x2D\xAD\x33\x17\x0D\x04\x50\x7A\x33\ + \xA8\x55\x21\xAB\xDF\x1C\xBA\x64\xEC\xFB\x85\x04\x58\xDB\xEF\x0A\ + \x8A\xEA\x71\x57\x5D\x06\x0C\x7D\xB3\x97\x0F\x85\xA6\xE1\xE4\xC7\ + \xAB\xF5\xAE\x8C\xDB\x09\x33\xD7\x1E\x8C\x94\xE0\x4A\x25\x61\x9D\ + \xCE\xE3\xD2\x26\x1A\xD2\xEE\x6B\xF1\x2F\xFA\x06\xD9\x8A\x08\x64\ + \xD8\x76\x02\x73\x3E\xC8\x6A\x64\x52\x1F\x2B\x18\x17\x7B\x20\x0C\ + \xBB\xE1\x17\x57\x7A\x61\x5D\x6C\x77\x09\x88\xC0\xBA\xD9\x46\xE2\ + \x08\xE2\x4F\xA0\x74\xE5\xAB\x31\x43\xDB\x5B\xFC\xE0\xFD\x10\x8E\ + \x4B\x82\xD1\x20\xA9\x21\x08\x01\x1A\x72\x3C\x12\xA7\x87\xE6\xD7\ + \x88\x71\x9A\x10\xBD\xBA\x5B\x26\x99\xC3\x27\x18\x6A\xF4\xE2\x3C\ + \x1A\x94\x68\x34\xB6\x15\x0B\xDA\x25\x83\xE9\xCA\x2A\xD4\x4C\xE8\ + \xDB\xBB\xC2\xDB\x04\xDE\x8E\xF9\x2E\x8E\xFC\x14\x1F\xBE\xCA\xA6\ + \x28\x7C\x59\x47\x4E\x6B\xC0\x5D\x99\xB2\x96\x4F\xA0\x90\xC3\xA2\ + \x23\x3B\xA1\x86\x51\x5B\xE7\xED\x1F\x61\x29\x70\xCE\xE2\xD7\xAF\ + \xB8\x1B\xDD\x76\x21\x70\x48\x1C\xD0\x06\x91\x27\xD5\xB0\x5A\xA9\ + 
\x93\xB4\xEA\x98\x8D\x8F\xDD\xC1\x86\xFF\xB7\xDC\x90\xA6\xC0\x8F\ + \x4D\xF4\x35\xC9\x34\x02\x84\x92\x36\xC3\xFA\xB4\xD2\x7C\x70\x26\ + \xC1\xD4\xDC\xB2\x60\x26\x46\xDE\xC9\x75\x1E\x76\x3D\xBA\x37\xBD\ + \xF8\xFF\x94\x06\xAD\x9E\x53\x0E\xE5\xDB\x38\x2F\x41\x30\x01\xAE\ + \xB0\x6A\x53\xED\x90\x27\xD8\x31\x17\x97\x27\xB0\x86\x5A\x89\x18\ + \xDA\x3E\xDB\xEB\xCF\x9B\x14\xED\x44\xCE\x6C\xBA\xCE\xD4\xBB\x1B\ + \xDB\x7F\x14\x47\xE6\xCC\x25\x4B\x33\x20\x51\x51\x2B\xD7\xAF\x42\ + \x6F\xB8\xF4\x01\x37\x8C\xD2\xBF\x59\x83\xCA\x01\xC6\x4B\x92\xEC\ + \xF0\x32\xEA\x15\xD1\x72\x1D\x03\xF4\x82\xD7\xCE\x6E\x74\xFE\xF6\ + \xD5\x5E\x70\x2F\x46\x98\x0C\x82\xB5\xA8\x40\x31\x90\x0B\x1C\x9E\ + \x59\xE7\xC9\x7F\xBE\xC7\xE8\xF3\x23\xA9\x7A\x7E\x36\xCC\x88\xBE\ + \x0F\x1D\x45\xB7\xFF\x58\x5A\xC5\x4B\xD4\x07\xB2\x2B\x41\x54\xAA\ + \xCC\x8F\x6D\x7E\xBF\x48\xE1\xD8\x14\xCC\x5E\xD2\x0F\x80\x37\xE0\ + \xA7\x97\x15\xEE\xF2\x9B\xE3\x28\x06\xA1\xD5\x8B\xB7\xC5\xDA\x76\ + \xF5\x50\xAA\x3D\x8A\x1F\xBF\xF0\xEB\x19\xCC\xB1\xA3\x13\xD5\x5C\ + \xDA\x56\xC9\xEC\x2E\xF2\x96\x32\x38\x7F\xE8\xD7\x6E\x3C\x04\x68\ + \x04\x3E\x8F\x66\x3F\x48\x60\xEE\x12\xBF\x2D\x5B\x0B\x74\x74\xD6\ + \xE6\x94\xF9\x1E\x6D\xBE\x11\x59\x74\xA3\x92\x6F\x12\xFE\xE5\xE4\ + \x38\x77\x7C\xB6\xA9\x32\xDF\x8C\xD8\xBE\xC4\xD0\x73\xB9\x31\xBA\ + \x3B\xC8\x32\xB6\x8D\x9D\xD3\x00\x74\x1F\xA7\xBF\x8A\xFC\x47\xED\ + \x25\x76\xF6\x93\x6B\xA4\x24\x66\x3A\xAB\x63\x9C\x5A\xE4\xF5\x68\ + \x34\x23\xB4\x74\x2B\xF1\xC9\x78\x23\x8F\x16\xCB\xE3\x9D\x65\x2D\ + \xE3\xFD\xB8\xBE\xFC\x84\x8A\xD9\x22\x22\x2E\x04\xA4\x03\x7C\x07\ + \x13\xEB\x57\xA8\x1A\x23\xF0\xC7\x34\x73\xFC\x64\x6C\xEA\x30\x6B\ + \x4B\xCB\xC8\x86\x2F\x83\x85\xDD\xFA\x9D\x4B\x7F\xA2\xC0\x87\xE8\ + \x79\x68\x33\x03\xED\x5B\xDD\x3A\x06\x2B\x3C\xF5\xB3\xA2\x78\xA6\ + \x6D\x2A\x13\xF8\x3F\x44\xF8\x2D\xDF\x31\x0E\xE0\x74\xAB\x6A\x36\ + \x45\x97\xE8\x99\xA0\x25\x5D\xC1\x64\xF3\x1C\xC5\x08\x46\x85\x1D\ + \xF9\xAB\x48\x19\x5D\xED\x7E\xA1\xB1\xD5\x10\xBD\x7E\xE7\x4D\x73\ + 
\xFA\xF3\x6B\xC3\x1E\xCF\xA2\x68\x35\x90\x46\xF4\xEB\x87\x9F\x92\ + \x40\x09\x43\x8B\x48\x1C\x6C\xD7\x88\x9A\x00\x2E\xD5\xEE\x38\x2B\ + \xC9\x19\x0D\xA6\xFC\x02\x6E\x47\x95\x58\xE4\x47\x56\x77\xE9\xAA\ + \x9E\x30\x50\xE2\x76\x56\x94\xDF\xC8\x1F\x56\xE8\x80\xB9\x6E\x71\ + \x60\xC9\x80\xDD\x98\xED\xD3\xDF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF" (* RFC5114 *) 
@@ -285,84 +352,110 @@ module Group = struct (* 1024-bit, 160-bit subgroup *) let rfc_5114_1 = let p = - "B10B8F96 A080E01D DE92DE5E AE5D54EC 52C99FBC FB06A3C6 - 9A6A9DCA 52D23B61 6073E286 75A23D18 9838EF1E 2EE652C0 - 13ECB4AE A9061123 24975C3C D49B83BF ACCBDD7D 90C4BD70 - 98488E9C 219A7372 4EFFD6FA E5644738 FAA31A4F F55BCCC0 - A151AF5F 0DC8B4BD 45BF37DF 365C1A65 E68CFDA7 6D4DA708 - DF1FB2BC 2E4A4371" + "\xB1\x0B\x8F\x96\xA0\x80\xE0\x1D\xDE\x92\xDE\x5E\xAE\x5D\x54\xEC\ + \x52\xC9\x9F\xBC\xFB\x06\xA3\xC6\x9A\x6A\x9D\xCA\x52\xD2\x3B\x61\ + \x60\x73\xE2\x86\x75\xA2\x3D\x18\x98\x38\xEF\x1E\x2E\xE6\x52\xC0\ + \x13\xEC\xB4\xAE\xA9\x06\x11\x23\x24\x97\x5C\x3C\xD4\x9B\x83\xBF\ + \xAC\xCB\xDD\x7D\x90\xC4\xBD\x70\x98\x48\x8E\x9C\x21\x9A\x73\x72\ + \x4E\xFF\xD6\xFA\xE5\x64\x47\x38\xFA\xA3\x1A\x4F\xF5\x5B\xCC\xC0\ + \xA1\x51\xAF\x5F\x0D\xC8\xB4\xBD\x45\xBF\x37\xDF\x36\x5C\x1A\x65\ + \xE6\x8C\xFD\xA7\x6D\x4D\xA7\x08\xDF\x1F\xB2\xBC\x2E\x4A\x43\x71" and gg = - "A4D1CBD5 C3FD3412 6765A442 EFB99905 F8104DD2 58AC507F - D6406CFF 14266D31 266FEA1E 5C41564B 777E690F 5504F213 - 160217B4 B01B886A 5E91547F 9E2749F4 D7FBD7D3 B9A92EE1 - 909D0D22 63F80A76 A6A24C08 7A091F53 1DBF0A01 69B6A28A - D662A4D1 8E73AFA3 2D779D59 18D08BC8 858F4DCE F97C2A24 - 855E6EEB 22B3B2E5" - and q = "F518AA87 81A8DF27 8ABA4E7D 64B7CB9D 49462353" + "\xA4\xD1\xCB\xD5\xC3\xFD\x34\x12\x67\x65\xA4\x42\xEF\xB9\x99\x05\ + \xF8\x10\x4D\xD2\x58\xAC\x50\x7F\xD6\x40\x6C\xFF\x14\x26\x6D\x31\ + \x26\x6F\xEA\x1E\x5C\x41\x56\x4B\x77\x7E\x69\x0F\x55\x04\xF2\x13\ + \x16\x02\x17\xB4\xB0\x1B\x88\x6A\x5E\x91\x54\x7F\x9E\x27\x49\xF4\ + \xD7\xFB\xD7\xD3\xB9\xA9\x2E\xE1\x90\x9D\x0D\x22\x63\xF8\x0A\x76\ + \xA6\xA2\x4C\x08\x7A\x09\x1F\x53\x1D\xBF\x0A\x01\x69\xB6\xA2\x8A\ + \xD6\x62\xA4\xD1\x8E\x73\xAF\xA3\x2D\x77\x9D\x59\x18\xD0\x8B\xC8\ + \x85\x8F\x4D\xCE\xF9\x7C\x2A\x24\\x85\x5E\x6E\xEB\x22\xB3\xB2\xE5" + and q = + "\xF5\x18\xAA\x87\x81\xA8\xDF\x27\x8A\xBA\x4E\x7D\x64\xB7\xCB\x9D\ + \x49\x46\x23\x53" in group ~p ~gg ~q (* 2048-bit, 
224-bit subgroup *) let rfc_5114_2 = let p = - "AD107E1E 9123A9D0 D660FAA7 9559C51F A20D64E5 683B9FD1 - B54B1597 B61D0A75 E6FA141D F95A56DB AF9A3C40 7BA1DF15 - EB3D688A 309C180E 1DE6B85A 1274A0A6 6D3F8152 AD6AC212 - 9037C9ED EFDA4DF8 D91E8FEF 55B7394B 7AD5B7D0 B6C12207 - C9F98D11 ED34DBF6 C6BA0B2C 8BBC27BE 6A00E0A0 B9C49708 - B3BF8A31 70918836 81286130 BC8985DB 1602E714 415D9330 - 278273C7 DE31EFDC 7310F712 1FD5A074 15987D9A DC0A486D - CDF93ACC 44328387 315D75E1 98C641A4 80CD86A1 B9E587E8 - BE60E69C C928B2B9 C52172E4 13042E9B 23F10B0E 16E79763 - C9B53DCF 4BA80A29 E3FB73C1 6B8E75B9 7EF363E2 FFA31F71 - CF9DE538 4E71B81C 0AC4DFFE 0C10E64F" + "\xAD\x10\x7E\x1E\x91\x23\xA9\xD0\xD6\x60\xFA\xA7\x95\x59\xC5\x1F\ + \xA2\x0D\x64\xE5\x68\x3B\x9F\xD1\xB5\x4B\x15\x97\xB6\x1D\x0A\x75\ + \xE6\xFA\x14\x1D\xF9\x5A\x56\xDB\xAF\x9A\x3C\x40\x7B\xA1\xDF\x15\ + \xEB\x3D\x68\x8A\x30\x9C\x18\x0E\x1D\xE6\xB8\x5A\x12\x74\xA0\xA6\ + \x6D\x3F\x81\x52\xAD\x6A\xC2\x12\x90\x37\xC9\xED\xEF\xDA\x4D\xF8\ + \xD9\x1E\x8F\xEF\x55\xB7\x39\x4B\x7A\xD5\xB7\xD0\xB6\xC1\x22\x07\ + \xC9\xF9\x8D\x11\xED\x34\xDB\xF6\xC6\xBA\x0B\x2C\x8B\xBC\x27\xBE\ + \x6A\x00\xE0\xA0\xB9\xC4\x97\x08\xB3\xBF\x8A\x31\x70\x91\x88\x36\ + \x81\x28\x61\x30\xBC\x89\x85\xDB\x16\x02\xE7\x14\x41\x5D\x93\x30\ + \x27\x82\x73\xC7\xDE\x31\xEF\xDC\x73\x10\xF7\x12\x1F\xD5\xA0\x74\ + \x15\x98\x7D\x9A\xDC\x0A\x48\x6D\xCD\xF9\x3A\xCC\x44\x32\x83\x87\ + \x31\x5D\x75\xE1\x98\xC6\x41\xA4\x80\xCD\x86\xA1\xB9\xE5\x87\xE8\ + \xBE\x60\xE6\x9C\xC9\x28\xB2\xB9\xC5\x21\x72\xE4\x13\x04\x2E\x9B\ + \x23\xF1\x0B\x0E\x16\xE7\x97\x63\xC9\xB5\x3D\xCF\x4B\xA8\x0A\x29\ + \xE3\xFB\x73\xC1\x6B\x8E\x75\xB9\x7E\xF3\x63\xE2\xFF\xA3\x1F\x71\ + \xCF\x9D\xE5\x38\x4E\x71\xB8\x1C\x0A\xC4\xDF\xFE\x0C\x10\xE6\x4F" and gg = - "AC4032EF 4F2D9AE3 9DF30B5C 8FFDAC50 6CDEBE7B 89998CAF - 74866A08 CFE4FFE3 A6824A4E 10B9A6F0 DD921F01 A70C4AFA - AB739D77 00C29F52 C57DB17C 620A8652 BE5E9001 A8D66AD7 - C1766910 1999024A F4D02727 5AC1348B B8A762D0 521BC98A - E2471504 22EA1ED4 09939D54 
DA7460CD B5F6C6B2 50717CBE - F180EB34 118E98D1 19529A45 D6F83456 6E3025E3 16A330EF - BB77A86F 0C1AB15B 051AE3D4 28C8F8AC B70A8137 150B8EEB - 10E183ED D19963DD D9E263E4 770589EF 6AA21E7F 5F2FF381 - B539CCE3 409D13CD 566AFBB4 8D6C0191 81E1BCFE 94B30269 - EDFE72FE 9B6AA4BD 7B5A0F1C 71CFFF4C 19C418E1 F6EC0179 - 81BC087F 2A7065B3 84B890D3 191F2BFA" + "\xAC\x40\x32\xEF\x4F\x2D\x9A\xE3\x9D\xF3\x0B\x5C\x8F\xFD\xAC\x50\ + \x6C\xDE\xBE\x7B\x89\x99\x8C\xAF\x74\x86\x6A\x08\xCF\xE4\xFF\xE3\ + \xA6\x82\x4A\x4E\x10\xB9\xA6\xF0\xDD\x92\x1F\x01\xA7\x0C\x4A\xFA\ + \xAB\x73\x9D\x77\x00\xC2\x9F\x52\xC5\x7D\xB1\x7C\x62\x0A\x86\x52\ + \xBE\x5E\x90\x01\xA8\xD6\x6A\xD7\xC1\x76\x69\x10\x19\x99\x02\x4A\ + \xF4\xD0\x27\x27\x5A\xC1\x34\x8B\xB8\xA7\x62\xD0\x52\x1B\xC9\x8A\ + \xE2\x47\x15\x04\x22\xEA\x1E\xD4\x09\x93\x9D\x54\xDA\x74\x60\xCD\ + \xB5\xF6\xC6\xB2\x50\x71\x7C\xBE\xF1\x80\xEB\x34\x11\x8E\x98\xD1\ + \x19\x52\x9A\x45\xD6\xF8\x34\x56\x6E\x30\x25\xE3\x16\xA3\x30\xEF\ + \xBB\x77\xA8\x6F\x0C\x1A\xB1\x5B\x05\x1A\xE3\xD4\x28\xC8\xF8\xAC\ + \xB7\x0A\x81\x37\x15\x0B\x8E\xEB\x10\xE1\x83\xED\xD1\x99\x63\xDD\ + \xD9\xE2\x63\xE4\x77\x05\x89\xEF\x6A\xA2\x1E\x7F\x5F\x2F\xF3\x81\ + \xB5\x39\xCC\xE3\x40\x9D\x13\xCD\x56\x6A\xFB\xB4\x8D\x6C\x01\x91\ + \x81\xE1\xBC\xFE\x94\xB3\x02\x69\xED\xFE\x72\xFE\x9B\x6A\xA4\xBD\ + \x7B\x5A\x0F\x1C\x71\xCF\xFF\x4C\x19\xC4\x18\xE1\xF6\xEC\x01\x79\ + \x81\xBC\x08\x7F\x2A\x70\x65\xB3\x84\xB8\x90\xD3\x19\x1F\x2B\xFA" and q = - "801C0D34 C58D93FE 99717710 1F80535A 4738CEBC BF389A99 - B36371EB" + "\x80\x1C\x0D\x34\xC5\x8D\x93\xFE\x99\x71\x77\x10\x1F\x80\x53\x5A\ + \x47\x38\xCE\xBC\xBF\x38\x9A\x99\xB3\x63\x71\xEB" in group ~p ~gg ~q (* 2048-bit, 256-bit subgroup *) let rfc_5114_3 = let p = - "87A8E61D B4B6663C FFBBD19C 65195999 8CEEF608 660DD0F2 - 5D2CEED4 435E3B00 E00DF8F1 D61957D4 FAF7DF45 61B2AA30 - 16C3D911 34096FAA 3BF4296D 830E9A7C 209E0C64 97517ABD - 5A8A9D30 6BCF67ED 91F9E672 5B4758C0 22E0B1EF 4275BF7B - 6C5BFC11 D45F9088 B941F54E B1E59BB8 BC39A0BF 12307F5C - 
4FDB70C5 81B23F76 B63ACAE1 CAA6B790 2D525267 35488A0E - F13C6D9A 51BFA4AB 3AD83477 96524D8E F6A167B5 A41825D9 - 67E144E5 14056425 1CCACB83 E6B486F6 B3CA3F79 71506026 - C0B857F6 89962856 DED4010A BD0BE621 C3A3960A 54E710C3 - 75F26375 D7014103 A4B54330 C198AF12 6116D227 6E11715F - 693877FA D7EF09CA DB094AE9 1E1A1597" + "\x87\xA8\xE6\x1D\xB4\xB6\x66\x3C\xFF\xBB\xD1\x9C\x65\x19\x59\x99\ + \x8C\xEE\xF6\x08\x66\x0D\xD0\xF2\x5D\x2C\xEE\xD4\x43\x5E\x3B\x00\ + \xE0\x0D\xF8\xF1\xD6\x19\x57\xD4\xFA\xF7\xDF\x45\x61\xB2\xAA\x30\ + \x16\xC3\xD9\x11\x34\x09\x6F\xAA\x3B\xF4\x29\x6D\x83\x0E\x9A\x7C\ + \x20\x9E\x0C\x64\x97\x51\x7A\xBD\x5A\x8A\x9D\x30\x6B\xCF\x67\xED\ + \x91\xF9\xE6\x72\x5B\x47\x58\xC0\x22\xE0\xB1\xEF\x42\x75\xBF\x7B\ + \x6C\x5B\xFC\x11\xD4\x5F\x90\x88\xB9\x41\xF5\x4E\xB1\xE5\x9B\xB8\ + \xBC\x39\xA0\xBF\x12\x30\x7F\x5C\x4F\xDB\x70\xC5\x81\xB2\x3F\x76\ + \xB6\x3A\xCA\xE1\xCA\xA6\xB7\x90\x2D\x52\x52\x67\x35\x48\x8A\x0E\ + \xF1\x3C\x6D\x9A\x51\xBF\xA4\xAB\x3A\xD8\x34\x77\x96\x52\x4D\x8E\ + \xF6\xA1\x67\xB5\xA4\x18\x25\xD9\x67\xE1\x44\xE5\x14\x05\x64\x25\ + \x1C\xCA\xCB\x83\xE6\xB4\x86\xF6\xB3\xCA\x3F\x79\x71\x50\x60\x26\ + \xC0\xB8\x57\xF6\x89\x96\x28\x56\xDE\xD4\x01\x0A\xBD\x0B\xE6\x21\ + \xC3\xA3\x96\x0A\x54\xE7\x10\xC3\x75\xF2\x63\x75\xD7\x01\x41\x03\ + \xA4\xB5\x43\x30\xC1\x98\xAF\x12\x61\x16\xD2\x27\x6E\x11\x71\x5F\ + \x69\x38\x77\xFA\xD7\xEF\x09\xCA\xDB\x09\x4A\xE9\x1E\x1A\x15\x97" and gg = - "3FB32C9B 73134D0B 2E775066 60EDBD48 4CA7B18F 21EF2054 - 07F4793A 1A0BA125 10DBC150 77BE463F FF4FED4A AC0BB555 - BE3A6C1B 0C6B47B1 BC3773BF 7E8C6F62 901228F8 C28CBB18 - A55AE313 41000A65 0196F931 C77A57F2 DDF463E5 E9EC144B - 777DE62A AAB8A862 8AC376D2 82D6ED38 64E67982 428EBC83 - 1D14348F 6F2F9193 B5045AF2 767164E1 DFC967C1 FB3F2E55 - A4BD1BFF E83B9C80 D052B985 D182EA0A DB2A3B73 13D3FE14 - C8484B1E 052588B9 B7D2BBD2 DF016199 ECD06E15 57CD0915 - B3353BBB 64E0EC37 7FD02837 0DF92B52 C7891428 CDC67EB6 - 184B523D 1DB246C3 2F630784 90F00EF8 D647D148 D4795451 - 5E2327CF EF98C582 
664B4C0F 6CC41659" + "\x3F\xB3\x2C\x9B\x73\x13\x4D\x0B\x2E\x77\x50\x66\x60\xED\xBD\x48\ + \x4C\xA7\xB1\x8F\x21\xEF\x20\x54\x07\xF4\x79\x3A\x1A\x0B\xA1\x25\ + \x10\xDB\xC1\x50\x77\xBE\x46\x3F\xFF\x4F\xED\x4A\xAC\x0B\xB5\x55\ + \xBE\x3A\x6C\x1B\x0C\x6B\x47\xB1\xBC\x37\x73\xBF\x7E\x8C\x6F\x62\ + \x90\x12\x28\xF8\xC2\x8C\xBB\x18\xA5\x5A\xE3\x13\x41\x00\x0A\x65\ + \x01\x96\xF9\x31\xC7\x7A\x57\xF2\xDD\xF4\x63\xE5\xE9\xEC\x14\x4B\ + \x77\x7D\xE6\x2A\xAA\xB8\xA8\x62\x8A\xC3\x76\xD2\x82\xD6\xED\x38\ + \x64\xE6\x79\x82\x42\x8E\xBC\x83\x1D\x14\x34\x8F\x6F\x2F\x91\x93\ + \xB5\x04\x5A\xF2\x76\x71\x64\xE1\xDF\xC9\x67\xC1\xFB\x3F\x2E\x55\ + \xA4\xBD\x1B\xFF\xE8\x3B\x9C\x80\xD0\x52\xB9\x85\xD1\x82\xEA\x0A\ + \xDB\x2A\x3B\x73\x13\xD3\xFE\x14\xC8\x48\x4B\x1E\x05\x25\x88\xB9\ + \xB7\xD2\xBB\xD2\xDF\x01\x61\x99\xEC\xD0\x6E\x15\x57\xCD\x09\x15\ + \xB3\x35\x3B\xBB\x64\xE0\xEC\x37\x7F\xD0\x28\x37\x0D\xF9\x2B\x52\ + \xC7\x89\x14\x28\xCD\xC6\x7E\xB6\x18\x4B\x52\x3D\x1D\xB2\x46\xC3\ + \x2F\x63\x07\x84\x90\xF0\x0E\xF8\xD6\x47\xD1\x48\xD4\x79\x54\x51\ + \x5E\x23\x27\xCF\xEF\x98\xC5\x82\x66\x4B\x4C\x0F\x6C\xC4\x16\x59" and q = - "8CF83642 A709A097 B4479976 40129DA2 99B1A47D 1EB3750B - A308B0FE 64F5FBD3" + "\x8C\xF8\x36\x42\xA7\x09\xA0\x97\xB4\x47\x99\x76\x40\x12\x9D\xA2\ + \x99\xB1\xA4\x7D\x1E\xB3\x75\x0B\xA3\x08\xB0\xFE\x64\xF5\xFB\xD3" in group ~p ~gg ~q 
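Review bot: The generator of `rfc_5114_1` is corrupted in the converted literal: its last line reads `\x7C\x2A\x24\\x85\x5E\x6E\xEB`, and in an OCaml string `\\` is a literal backslash, so `\\x85` contributes the four characters `\`, `x`, `8`, `5` where the single byte `0x85` of the removed `855E6EEB 22B3B2E5` was intended, leaving `gg` 131 bytes long and not equal to the RFC 5114 value. The line should read `\x85\x8F\x4D\xCE\xF9\x7C\x2A\x24\x85\x5E\x6E\xEB\x22\xB3\xB2\xE5"`. Whether `group` rejects this at module initialisation or silently yields a non-standard group depends on checks that are outside the hunk. A test that decodes each converted `p`/`gg`/`q` and compares it with the former hex text (or the RFC) would catch this class of transcription error and is worth applying to the other converted literals as well (`rfc_5114_2`, `rfc_5114_3` and the `ffdhe*` hunks), which I have not checked byte by byte.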
@@ -377,17 +470,22 @@ module Group = struct short exponent (Section 5.2) should choose a secret key of at least 225 bits. *) s_group ~p: - "FFFFFFFF FFFFFFFF ADF85458 A2BB4A9A AFDC5620 273D3CF1 - D8B9C583 CE2D3695 A9E13641 146433FB CC939DCE 249B3EF9 - 7D2FE363 630C75D8 F681B202 AEC4617A D3DF1ED5 D5FD6561 - 2433F51F 5F066ED0 85636555 3DED1AF3 B557135E 7F57C935 - 984F0C70 E0E68B77 E2A689DA F3EFE872 1DF158A1 36ADE735 - 30ACCA4F 483A797A BC0AB182 B324FB61 D108A94B B2C8E3FB - B96ADAB7 60D7F468 1D4F42A3 DE394DF4 AE56EDE7 6372BB19 - 0B07A7C8 EE0A6D70 9E02FCE1 CDF7E2EC C03404CD 28342F61 - 9172FE9C E98583FF 8E4F1232 EEF28183 C3FE3B1B 4C6FAD73 - 3BB5FCBC 2EC22005 C58EF183 7D1683B2 C6F34A26 C1B2EFFA - 886B4238 61285C97 FFFFFFFF FFFFFFFF" + "\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xAD\xF8\x54\x58\xA2\xBB\x4A\x9A\ + \xAF\xDC\x56\x20\x27\x3D\x3C\xF1\xD8\xB9\xC5\x83\xCE\x2D\x36\x95\ + \xA9\xE1\x36\x41\x14\x64\x33\xFB\xCC\x93\x9D\xCE\x24\x9B\x3E\xF9\ + \x7D\x2F\xE3\x63\x63\x0C\x75\xD8\xF6\x81\xB2\x02\xAE\xC4\x61\x7A\ + \xD3\xDF\x1E\xD5\xD5\xFD\x65\x61\x24\x33\xF5\x1F\x5F\x06\x6E\xD0\ + \x85\x63\x65\x55\x3D\xED\x1A\xF3\xB5\x57\x13\x5E\x7F\x57\xC9\x35\ + \x98\x4F\x0C\x70\xE0\xE6\x8B\x77\xE2\xA6\x89\xDA\xF3\xEF\xE8\x72\ + \x1D\xF1\x58\xA1\x36\xAD\xE7\x35\x30\xAC\xCA\x4F\x48\x3A\x79\x7A\ + \xBC\x0A\xB1\x82\xB3\x24\xFB\x61\xD1\x08\xA9\x4B\xB2\xC8\xE3\xFB\ + \xB9\x6A\xDA\xB7\x60\xD7\xF4\x68\x1D\x4F\x42\xA3\xDE\x39\x4D\xF4\ + \xAE\x56\xED\xE7\x63\x72\xBB\x19\x0B\x07\xA7\xC8\xEE\x0A\x6D\x70\ + \x9E\x02\xFC\xE1\xCD\xF7\xE2\xEC\xC0\x34\x04\xCD\x28\x34\x2F\x61\ + \x91\x72\xFE\x9C\xE9\x85\x83\xFF\x8E\x4F\x12\x32\xEE\xF2\x81\x83\ + \xC3\xFE\x3B\x1B\x4C\x6F\xAD\x73\x3B\xB5\xFC\xBC\x2E\xC2\x20\x05\ + \xC5\x8E\xF1\x83\x7D\x16\x83\xB2\xC6\xF3\x4A\x26\xC1\xB2\xEF\xFA\ + \x88\x6B\x42\x38\x61\x28\x5C\x97\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF" let ffdhe3072 = 
@@ -398,22 +496,30 @@ module Group = struct short exponent (Section 5.2) should choose a secret key of at least 275 bits. *) s_group ~p: - "FFFFFFFF FFFFFFFF ADF85458 A2BB4A9A AFDC5620 273D3CF1 - D8B9C583 CE2D3695 A9E13641 146433FB CC939DCE 249B3EF9 - 7D2FE363 630C75D8 F681B202 AEC4617A D3DF1ED5 D5FD6561 - 2433F51F 5F066ED0 85636555 3DED1AF3 B557135E 7F57C935 - 984F0C70 E0E68B77 E2A689DA F3EFE872 1DF158A1 36ADE735 - 30ACCA4F 483A797A BC0AB182 B324FB61 D108A94B B2C8E3FB - B96ADAB7 60D7F468 1D4F42A3 DE394DF4 AE56EDE7 6372BB19 - 0B07A7C8 EE0A6D70 9E02FCE1 CDF7E2EC C03404CD 28342F61 - 9172FE9C E98583FF 8E4F1232 EEF28183 C3FE3B1B 4C6FAD73 - 3BB5FCBC 2EC22005 C58EF183 7D1683B2 C6F34A26 C1B2EFFA - 886B4238 611FCFDC DE355B3B 6519035B BC34F4DE F99C0238 - 61B46FC9 D6E6C907 7AD91D26 91F7F7EE 598CB0FA C186D91C - AEFE1309 85139270 B4130C93 BC437944 F4FD4452 E2D74DD3 - 64F2E21E 71F54BFF 5CAE82AB 9C9DF69E E86D2BC5 22363A0D - ABC52197 9B0DEADA 1DBF9A42 D5C4484E 0ABCD06B FA53DDEF - 3C1B20EE 3FD59D7C 25E41D2B 66C62E37 FFFFFFFF FFFFFFFF" + "\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xAD\xF8\x54\x58\xA2\xBB\x4A\x9A\ + \xAF\xDC\x56\x20\x27\x3D\x3C\xF1\xD8\xB9\xC5\x83\xCE\x2D\x36\x95\ + \xA9\xE1\x36\x41\x14\x64\x33\xFB\xCC\x93\x9D\xCE\x24\x9B\x3E\xF9\ + \x7D\x2F\xE3\x63\x63\x0C\x75\xD8\xF6\x81\xB2\x02\xAE\xC4\x61\x7A\ + \xD3\xDF\x1E\xD5\xD5\xFD\x65\x61\x24\x33\xF5\x1F\x5F\x06\x6E\xD0\ + \x85\x63\x65\x55\x3D\xED\x1A\xF3\xB5\x57\x13\x5E\x7F\x57\xC9\x35\ + \x98\x4F\x0C\x70\xE0\xE6\x8B\x77\xE2\xA6\x89\xDA\xF3\xEF\xE8\x72\ + \x1D\xF1\x58\xA1\x36\xAD\xE7\x35\x30\xAC\xCA\x4F\x48\x3A\x79\x7A\ + \xBC\x0A\xB1\x82\xB3\x24\xFB\x61\xD1\x08\xA9\x4B\xB2\xC8\xE3\xFB\ + \xB9\x6A\xDA\xB7\x60\xD7\xF4\x68\x1D\x4F\x42\xA3\xDE\x39\x4D\xF4\ + \xAE\x56\xED\xE7\x63\x72\xBB\x19\x0B\x07\xA7\xC8\xEE\x0A\x6D\x70\ + \x9E\x02\xFC\xE1\xCD\xF7\xE2\xEC\xC0\x34\x04\xCD\x28\x34\x2F\x61\ + \x91\x72\xFE\x9C\xE9\x85\x83\xFF\x8E\x4F\x12\x32\xEE\xF2\x81\x83\ + \xC3\xFE\x3B\x1B\x4C\x6F\xAD\x73\x3B\xB5\xFC\xBC\x2E\xC2\x20\x05\ + 
\xC5\x8E\xF1\x83\x7D\x16\x83\xB2\xC6\xF3\x4A\x26\xC1\xB2\xEF\xFA\ + \x88\x6B\x42\x38\x61\x1F\xCF\xDC\xDE\x35\x5B\x3B\x65\x19\x03\x5B\ + \xBC\x34\xF4\xDE\xF9\x9C\x02\x38\x61\xB4\x6F\xC9\xD6\xE6\xC9\x07\ + \x7A\xD9\x1D\x26\x91\xF7\xF7\xEE\x59\x8C\xB0\xFA\xC1\x86\xD9\x1C\ + \xAE\xFE\x13\x09\x85\x13\x92\x70\xB4\x13\x0C\x93\xBC\x43\x79\x44\ + \xF4\xFD\x44\x52\xE2\xD7\x4D\xD3\x64\xF2\xE2\x1E\x71\xF5\x4B\xFF\ + \x5C\xAE\x82\xAB\x9C\x9D\xF6\x9E\xE8\x6D\x2B\xC5\x22\x36\x3A\x0D\ + \xAB\xC5\x21\x97\x9B\x0D\xEA\xDA\x1D\xBF\x9A\x42\xD5\xC4\x48\x4E\ + \x0A\xBC\xD0\x6B\xFA\x53\xDD\xEF\x3C\x1B\x20\xEE\x3F\xD5\x9D\x7C\ + \x25\xE4\x1D\x2B\x66\xC6\x2E\x37\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF" let ffdhe4096 = (* p = 2^4096 - 2^4032 + {[2^3966 * e] + 5736041} * 2^64 - 1 *) 
@@ -423,28 +529,38 @@ module Group = struct short exponent (Section 5.2) should choose a secret key of at least 325 bits. *) s_group ~p: - "FFFFFFFF FFFFFFFF ADF85458 A2BB4A9A AFDC5620 273D3CF1 - D8B9C583 CE2D3695 A9E13641 146433FB CC939DCE 249B3EF9 - 7D2FE363 630C75D8 F681B202 AEC4617A D3DF1ED5 D5FD6561 - 2433F51F 5F066ED0 85636555 3DED1AF3 B557135E 7F57C935 - 984F0C70 E0E68B77 E2A689DA F3EFE872 1DF158A1 36ADE735 - 30ACCA4F 483A797A BC0AB182 B324FB61 D108A94B B2C8E3FB - B96ADAB7 60D7F468 1D4F42A3 DE394DF4 AE56EDE7 6372BB19 - 0B07A7C8 EE0A6D70 9E02FCE1 CDF7E2EC C03404CD 28342F61 - 9172FE9C E98583FF 8E4F1232 EEF28183 C3FE3B1B 4C6FAD73 - 3BB5FCBC 2EC22005 C58EF183 7D1683B2 C6F34A26 C1B2EFFA - 886B4238 611FCFDC DE355B3B 6519035B BC34F4DE F99C0238 - 61B46FC9 D6E6C907 7AD91D26 91F7F7EE 598CB0FA C186D91C - AEFE1309 85139270 B4130C93 BC437944 F4FD4452 E2D74DD3 - 64F2E21E 71F54BFF 5CAE82AB 9C9DF69E E86D2BC5 22363A0D - ABC52197 9B0DEADA 1DBF9A42 D5C4484E 0ABCD06B FA53DDEF - 3C1B20EE 3FD59D7C 25E41D2B 669E1EF1 6E6F52C3 164DF4FB - 7930E9E4 E58857B6 AC7D5F42 D69F6D18 7763CF1D 55034004 - 87F55BA5 7E31CC7A 7135C886 EFB4318A ED6A1E01 2D9E6832 - A907600A 918130C4 6DC778F9 71AD0038 092999A3 33CB8B7A - 1A1DB93D 7140003C 2A4ECEA9 F98D0ACC 0A8291CD CEC97DCF - 8EC9B55A 7F88A46B 4DB5A851 F44182E1 C68A007E 5E655F6A - FFFFFFFF FFFFFFFF" + "\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xAD\xF8\x54\x58\xA2\xBB\x4A\x9A\ + \xAF\xDC\x56\x20\x27\x3D\x3C\xF1\xD8\xB9\xC5\x83\xCE\x2D\x36\x95\ + \xA9\xE1\x36\x41\x14\x64\x33\xFB\xCC\x93\x9D\xCE\x24\x9B\x3E\xF9\ + \x7D\x2F\xE3\x63\x63\x0C\x75\xD8\xF6\x81\xB2\x02\xAE\xC4\x61\x7A\ + \xD3\xDF\x1E\xD5\xD5\xFD\x65\x61\x24\x33\xF5\x1F\x5F\x06\x6E\xD0\ + \x85\x63\x65\x55\x3D\xED\x1A\xF3\xB5\x57\x13\x5E\x7F\x57\xC9\x35\ + \x98\x4F\x0C\x70\xE0\xE6\x8B\x77\xE2\xA6\x89\xDA\xF3\xEF\xE8\x72\ + \x1D\xF1\x58\xA1\x36\xAD\xE7\x35\x30\xAC\xCA\x4F\x48\x3A\x79\x7A\ + \xBC\x0A\xB1\x82\xB3\x24\xFB\x61\xD1\x08\xA9\x4B\xB2\xC8\xE3\xFB\ + 
\xB9\x6A\xDA\xB7\x60\xD7\xF4\x68\x1D\x4F\x42\xA3\xDE\x39\x4D\xF4\ + \xAE\x56\xED\xE7\x63\x72\xBB\x19\x0B\x07\xA7\xC8\xEE\x0A\x6D\x70\ + \x9E\x02\xFC\xE1\xCD\xF7\xE2\xEC\xC0\x34\x04\xCD\x28\x34\x2F\x61\ + \x91\x72\xFE\x9C\xE9\x85\x83\xFF\x8E\x4F\x12\x32\xEE\xF2\x81\x83\ + \xC3\xFE\x3B\x1B\x4C\x6F\xAD\x73\x3B\xB5\xFC\xBC\x2E\xC2\x20\x05\ + \xC5\x8E\xF1\x83\x7D\x16\x83\xB2\xC6\xF3\x4A\x26\xC1\xB2\xEF\xFA\ + \x88\x6B\x42\x38\x61\x1F\xCF\xDC\xDE\x35\x5B\x3B\x65\x19\x03\x5B\ + \xBC\x34\xF4\xDE\xF9\x9C\x02\x38\x61\xB4\x6F\xC9\xD6\xE6\xC9\x07\ + \x7A\xD9\x1D\x26\x91\xF7\xF7\xEE\x59\x8C\xB0\xFA\xC1\x86\xD9\x1C\ + \xAE\xFE\x13\x09\x85\x13\x92\x70\xB4\x13\x0C\x93\xBC\x43\x79\x44\ + \xF4\xFD\x44\x52\xE2\xD7\x4D\xD3\x64\xF2\xE2\x1E\x71\xF5\x4B\xFF\ + \x5C\xAE\x82\xAB\x9C\x9D\xF6\x9E\xE8\x6D\x2B\xC5\x22\x36\x3A\x0D\ + \xAB\xC5\x21\x97\x9B\x0D\xEA\xDA\x1D\xBF\x9A\x42\xD5\xC4\x48\x4E\ + \x0A\xBC\xD0\x6B\xFA\x53\xDD\xEF\x3C\x1B\x20\xEE\x3F\xD5\x9D\x7C\ + \x25\xE4\x1D\x2B\x66\x9E\x1E\xF1\x6E\x6F\x52\xC3\x16\x4D\xF4\xFB\ + \x79\x30\xE9\xE4\xE5\x88\x57\xB6\xAC\x7D\x5F\x42\xD6\x9F\x6D\x18\ + \x77\x63\xCF\x1D\x55\x03\x40\x04\x87\xF5\x5B\xA5\x7E\x31\xCC\x7A\ + \x71\x35\xC8\x86\xEF\xB4\x31\x8A\xED\x6A\x1E\x01\x2D\x9E\x68\x32\ + \xA9\x07\x60\x0A\x91\x81\x30\xC4\x6D\xC7\x78\xF9\x71\xAD\x00\x38\ + \x09\x29\x99\xA3\x33\xCB\x8B\x7A\x1A\x1D\xB9\x3D\x71\x40\x00\x3C\ + \x2A\x4E\xCE\xA9\xF9\x8D\x0A\xCC\x0A\x82\x91\xCD\xCE\xC9\x7D\xCF\ + \x8E\xC9\xB5\x5A\x7F\x88\xA4\x6B\x4D\xB5\xA8\x51\xF4\x41\x82\xE1\ + \xC6\x8A\x00\x7E\x5E\x65\x5F\x6A\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF" let ffdhe6144 = (* p = 2^6144 - 2^6080 + {[2^6014 * e] + 15705020} * 2^64 - 1 *) 
@@ -454,38 +570,54 @@ module Group = struct short exponent (Section 5.2) should choose a secret key of at least 375 bits. *) s_group ~p: - "FFFFFFFF FFFFFFFF ADF85458 A2BB4A9A AFDC5620 273D3CF1 - D8B9C583 CE2D3695 A9E13641 146433FB CC939DCE 249B3EF9 - 7D2FE363 630C75D8 F681B202 AEC4617A D3DF1ED5 D5FD6561 - 2433F51F 5F066ED0 85636555 3DED1AF3 B557135E 7F57C935 - 984F0C70 E0E68B77 E2A689DA F3EFE872 1DF158A1 36ADE735 - 30ACCA4F 483A797A BC0AB182 B324FB61 D108A94B B2C8E3FB - B96ADAB7 60D7F468 1D4F42A3 DE394DF4 AE56EDE7 6372BB19 - 0B07A7C8 EE0A6D70 9E02FCE1 CDF7E2EC C03404CD 28342F61 - 9172FE9C E98583FF 8E4F1232 EEF28183 C3FE3B1B 4C6FAD73 - 3BB5FCBC 2EC22005 C58EF183 7D1683B2 C6F34A26 C1B2EFFA - 886B4238 611FCFDC DE355B3B 6519035B BC34F4DE F99C0238 - 61B46FC9 D6E6C907 7AD91D26 91F7F7EE 598CB0FA C186D91C - AEFE1309 85139270 B4130C93 BC437944 F4FD4452 E2D74DD3 - 64F2E21E 71F54BFF 5CAE82AB 9C9DF69E E86D2BC5 22363A0D - ABC52197 9B0DEADA 1DBF9A42 D5C4484E 0ABCD06B FA53DDEF - 3C1B20EE 3FD59D7C 25E41D2B 669E1EF1 6E6F52C3 164DF4FB - 7930E9E4 E58857B6 AC7D5F42 D69F6D18 7763CF1D 55034004 - 87F55BA5 7E31CC7A 7135C886 EFB4318A ED6A1E01 2D9E6832 - A907600A 918130C4 6DC778F9 71AD0038 092999A3 33CB8B7A - 1A1DB93D 7140003C 2A4ECEA9 F98D0ACC 0A8291CD CEC97DCF - 8EC9B55A 7F88A46B 4DB5A851 F44182E1 C68A007E 5E0DD902 - 0BFD64B6 45036C7A 4E677D2C 38532A3A 23BA4442 CAF53EA6 - 3BB45432 9B7624C8 917BDD64 B1C0FD4C B38E8C33 4C701C3A - CDAD0657 FCCFEC71 9B1F5C3E 4E46041F 388147FB 4CFDB477 - A52471F7 A9A96910 B855322E DB6340D8 A00EF092 350511E3 - 0ABEC1FF F9E3A26E 7FB29F8C 183023C3 587E38DA 0077D9B4 - 763E4E4B 94B2BBC1 94C6651E 77CAF992 EEAAC023 2A281BF6 - B3A739C1 22611682 0AE8DB58 47A67CBE F9C9091B 462D538C - D72B0374 6AE77F5E 62292C31 1562A846 505DC82D B854338A - E49F5235 C95B9117 8CCF2DD5 CACEF403 EC9D1810 C6272B04 - 5B3B71F9 DC6B80D6 3FDD4A8E 9ADB1E69 62A69526 D43161C1 - A41D570D 7938DAD4 A40E329C D0E40E65 FFFFFFFF FFFFFFFF" + "\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xAD\xF8\x54\x58\xA2\xBB\x4A\x9A\ 
+ \xAF\xDC\x56\x20\x27\x3D\x3C\xF1\xD8\xB9\xC5\x83\xCE\x2D\x36\x95\ + \xA9\xE1\x36\x41\x14\x64\x33\xFB\xCC\x93\x9D\xCE\x24\x9B\x3E\xF9\ + \x7D\x2F\xE3\x63\x63\x0C\x75\xD8\xF6\x81\xB2\x02\xAE\xC4\x61\x7A\ + \xD3\xDF\x1E\xD5\xD5\xFD\x65\x61\x24\x33\xF5\x1F\x5F\x06\x6E\xD0\ + \x85\x63\x65\x55\x3D\xED\x1A\xF3\xB5\x57\x13\x5E\x7F\x57\xC9\x35\ + \x98\x4F\x0C\x70\xE0\xE6\x8B\x77\xE2\xA6\x89\xDA\xF3\xEF\xE8\x72\ + \x1D\xF1\x58\xA1\x36\xAD\xE7\x35\x30\xAC\xCA\x4F\x48\x3A\x79\x7A\ + \xBC\x0A\xB1\x82\xB3\x24\xFB\x61\xD1\x08\xA9\x4B\xB2\xC8\xE3\xFB\ + \xB9\x6A\xDA\xB7\x60\xD7\xF4\x68\x1D\x4F\x42\xA3\xDE\x39\x4D\xF4\ + \xAE\x56\xED\xE7\x63\x72\xBB\x19\x0B\x07\xA7\xC8\xEE\x0A\x6D\x70\ + \x9E\x02\xFC\xE1\xCD\xF7\xE2\xEC\xC0\x34\x04\xCD\x28\x34\x2F\x61\ + \x91\x72\xFE\x9C\xE9\x85\x83\xFF\x8E\x4F\x12\x32\xEE\xF2\x81\x83\ + \xC3\xFE\x3B\x1B\x4C\x6F\xAD\x73\x3B\xB5\xFC\xBC\x2E\xC2\x20\x05\ + \xC5\x8E\xF1\x83\x7D\x16\x83\xB2\xC6\xF3\x4A\x26\xC1\xB2\xEF\xFA\ + \x88\x6B\x42\x38\x61\x1F\xCF\xDC\xDE\x35\x5B\x3B\x65\x19\x03\x5B\ + \xBC\x34\xF4\xDE\xF9\x9C\x02\x38\x61\xB4\x6F\xC9\xD6\xE6\xC9\x07\ + \x7A\xD9\x1D\x26\x91\xF7\xF7\xEE\x59\x8C\xB0\xFA\xC1\x86\xD9\x1C\ + \xAE\xFE\x13\x09\x85\x13\x92\x70\xB4\x13\x0C\x93\xBC\x43\x79\x44\ + \xF4\xFD\x44\x52\xE2\xD7\x4D\xD3\x64\xF2\xE2\x1E\x71\xF5\x4B\xFF\ + \x5C\xAE\x82\xAB\x9C\x9D\xF6\x9E\xE8\x6D\x2B\xC5\x22\x36\x3A\x0D\ + \xAB\xC5\x21\x97\x9B\x0D\xEA\xDA\x1D\xBF\x9A\x42\xD5\xC4\x48\x4E\ + \x0A\xBC\xD0\x6B\xFA\x53\xDD\xEF\x3C\x1B\x20\xEE\x3F\xD5\x9D\x7C\ + \x25\xE4\x1D\x2B\x66\x9E\x1E\xF1\x6E\x6F\x52\xC3\x16\x4D\xF4\xFB\ + \x79\x30\xE9\xE4\xE5\x88\x57\xB6\xAC\x7D\x5F\x42\xD6\x9F\x6D\x18\ + \x77\x63\xCF\x1D\x55\x03\x40\x04\x87\xF5\x5B\xA5\x7E\x31\xCC\x7A\ + \x71\x35\xC8\x86\xEF\xB4\x31\x8A\xED\x6A\x1E\x01\x2D\x9E\x68\x32\ + \xA9\x07\x60\x0A\x91\x81\x30\xC4\x6D\xC7\x78\xF9\x71\xAD\x00\x38\ + \x09\x29\x99\xA3\x33\xCB\x8B\x7A\x1A\x1D\xB9\x3D\x71\x40\x00\x3C\ + \x2A\x4E\xCE\xA9\xF9\x8D\x0A\xCC\x0A\x82\x91\xCD\xCE\xC9\x7D\xCF\ + 
\x8E\xC9\xB5\x5A\x7F\x88\xA4\x6B\x4D\xB5\xA8\x51\xF4\x41\x82\xE1\ + \xC6\x8A\x00\x7E\x5E\x0D\xD9\x02\x0B\xFD\x64\xB6\x45\x03\x6C\x7A\ + \x4E\x67\x7D\x2C\x38\x53\x2A\x3A\x23\xBA\x44\x42\xCA\xF5\x3E\xA6\ + \x3B\xB4\x54\x32\x9B\x76\x24\xC8\x91\x7B\xDD\x64\xB1\xC0\xFD\x4C\ + \xB3\x8E\x8C\x33\x4C\x70\x1C\x3A\xCD\xAD\x06\x57\xFC\xCF\xEC\x71\ + \x9B\x1F\x5C\x3E\x4E\x46\x04\x1F\x38\x81\x47\xFB\x4C\xFD\xB4\x77\ + \xA5\x24\x71\xF7\xA9\xA9\x69\x10\xB8\x55\x32\x2E\xDB\x63\x40\xD8\ + \xA0\x0E\xF0\x92\x35\x05\x11\xE3\x0A\xBE\xC1\xFF\xF9\xE3\xA2\x6E\ + \x7F\xB2\x9F\x8C\x18\x30\x23\xC3\x58\x7E\x38\xDA\x00\x77\xD9\xB4\ + \x76\x3E\x4E\x4B\x94\xB2\xBB\xC1\x94\xC6\x65\x1E\x77\xCA\xF9\x92\ + \xEE\xAA\xC0\x23\x2A\x28\x1B\xF6\xB3\xA7\x39\xC1\x22\x61\x16\x82\ + \x0A\xE8\xDB\x58\x47\xA6\x7C\xBE\xF9\xC9\x09\x1B\x46\x2D\x53\x8C\ + \xD7\x2B\x03\x74\x6A\xE7\x7F\x5E\x62\x29\x2C\x31\x15\x62\xA8\x46\ + \x50\x5D\xC8\x2D\xB8\x54\x33\x8A\xE4\x9F\x52\x35\xC9\x5B\x91\x17\ + \x8C\xCF\x2D\xD5\xCA\xCE\xF4\x03\xEC\x9D\x18\x10\xC6\x27\x2B\x04\ + \x5B\x3B\x71\xF9\xDC\x6B\x80\xD6\x3F\xDD\x4A\x8E\x9A\xDB\x1E\x69\ + \x62\xA6\x95\x26\xD4\x31\x61\xC1\xA4\x1D\x57\x0D\x79\x38\xDA\xD4\ + \xA4\x0E\x32\x9C\xD0\xE4\x0E\x65\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF" let ffdhe8192 = (* p = 2^8192 - 2^8128 + {[2^8062 * e] + 10965728} * 2^64 - 1 *) 
@@ -495,48 +627,69 @@ module Group = struct short exponent (Section 5.2) should choose a secret key of at least 400 bits. *) s_group ~p: - "FFFFFFFF FFFFFFFF ADF85458 A2BB4A9A AFDC5620 273D3CF1 - D8B9C583 CE2D3695 A9E13641 146433FB CC939DCE 249B3EF9 - 7D2FE363 630C75D8 F681B202 AEC4617A D3DF1ED5 D5FD6561 - 2433F51F 5F066ED0 85636555 3DED1AF3 B557135E 7F57C935 - 984F0C70 E0E68B77 E2A689DA F3EFE872 1DF158A1 36ADE735 - 30ACCA4F 483A797A BC0AB182 B324FB61 D108A94B B2C8E3FB - B96ADAB7 60D7F468 1D4F42A3 DE394DF4 AE56EDE7 6372BB19 - 0B07A7C8 EE0A6D70 9E02FCE1 CDF7E2EC C03404CD 28342F61 - 9172FE9C E98583FF 8E4F1232 EEF28183 C3FE3B1B 4C6FAD73 - 3BB5FCBC 2EC22005 C58EF183 7D1683B2 C6F34A26 C1B2EFFA - 886B4238 611FCFDC DE355B3B 6519035B BC34F4DE F99C0238 - 61B46FC9 D6E6C907 7AD91D26 91F7F7EE 598CB0FA C186D91C - AEFE1309 85139270 B4130C93 BC437944 F4FD4452 E2D74DD3 - 64F2E21E 71F54BFF 5CAE82AB 9C9DF69E E86D2BC5 22363A0D - ABC52197 9B0DEADA 1DBF9A42 D5C4484E 0ABCD06B FA53DDEF - 3C1B20EE 3FD59D7C 25E41D2B 669E1EF1 6E6F52C3 164DF4FB - 7930E9E4 E58857B6 AC7D5F42 D69F6D18 7763CF1D 55034004 - 87F55BA5 7E31CC7A 7135C886 EFB4318A ED6A1E01 2D9E6832 - A907600A 918130C4 6DC778F9 71AD0038 092999A3 33CB8B7A - 1A1DB93D 7140003C 2A4ECEA9 F98D0ACC 0A8291CD CEC97DCF - 8EC9B55A 7F88A46B 4DB5A851 F44182E1 C68A007E 5E0DD902 - 0BFD64B6 45036C7A 4E677D2C 38532A3A 23BA4442 CAF53EA6 - 3BB45432 9B7624C8 917BDD64 B1C0FD4C B38E8C33 4C701C3A - CDAD0657 FCCFEC71 9B1F5C3E 4E46041F 388147FB 4CFDB477 - A52471F7 A9A96910 B855322E DB6340D8 A00EF092 350511E3 - 0ABEC1FF F9E3A26E 7FB29F8C 183023C3 587E38DA 0077D9B4 - 763E4E4B 94B2BBC1 94C6651E 77CAF992 EEAAC023 2A281BF6 - B3A739C1 22611682 0AE8DB58 47A67CBE F9C9091B 462D538C - D72B0374 6AE77F5E 62292C31 1562A846 505DC82D B854338A - E49F5235 C95B9117 8CCF2DD5 CACEF403 EC9D1810 C6272B04 - 5B3B71F9 DC6B80D6 3FDD4A8E 9ADB1E69 62A69526 D43161C1 - A41D570D 7938DAD4 A40E329C CFF46AAA 36AD004C F600C838 - 1E425A31 D951AE64 FDB23FCE C9509D43 687FEB69 EDD1CC5E - 0B8CC3BD 
F64B10EF 86B63142 A3AB8829 555B2F74 7C932665 - CB2C0F1C C01BD702 29388839 D2AF05E4 54504AC7 8B758282 - 2846C0BA 35C35F5C 59160CC0 46FD8251 541FC68C 9C86B022 - BB709987 6A460E74 51A8A931 09703FEE 1C217E6C 3826E52C - 51AA691E 0E423CFC 99E9E316 50C1217B 624816CD AD9A95F9 - D5B80194 88D9C0A0 A1FE3075 A577E231 83F81D4A 3F2FA457 - 1EFC8CE0 BA8A4FE8 B6855DFE 72B0A66E DED2FBAB FBE58A30 - FAFABE1C 5D71A87E 2F741EF8 C1FE86FE A6BBFDE5 30677F0D - 97D11D49 F7A8443D 0822E506 A9F4614E 011E2A94 838FF88C - D68C8BB7 C5C6424C FFFFFFFF FFFFFFFF" + "\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xAD\xF8\x54\x58\xA2\xBB\x4A\x9A\ + \xAF\xDC\x56\x20\x27\x3D\x3C\xF1\xD8\xB9\xC5\x83\xCE\x2D\x36\x95\ + \xA9\xE1\x36\x41\x14\x64\x33\xFB\xCC\x93\x9D\xCE\x24\x9B\x3E\xF9\ + \x7D\x2F\xE3\x63\x63\x0C\x75\xD8\xF6\x81\xB2\x02\xAE\xC4\x61\x7A\ + \xD3\xDF\x1E\xD5\xD5\xFD\x65\x61\x24\x33\xF5\x1F\x5F\x06\x6E\xD0\ + \x85\x63\x65\x55\x3D\xED\x1A\xF3\xB5\x57\x13\x5E\x7F\x57\xC9\x35\ + \x98\x4F\x0C\x70\xE0\xE6\x8B\x77\xE2\xA6\x89\xDA\xF3\xEF\xE8\x72\ + \x1D\xF1\x58\xA1\x36\xAD\xE7\x35\x30\xAC\xCA\x4F\x48\x3A\x79\x7A\ + \xBC\x0A\xB1\x82\xB3\x24\xFB\x61\xD1\x08\xA9\x4B\xB2\xC8\xE3\xFB\ + \xB9\x6A\xDA\xB7\x60\xD7\xF4\x68\x1D\x4F\x42\xA3\xDE\x39\x4D\xF4\ + \xAE\x56\xED\xE7\x63\x72\xBB\x19\x0B\x07\xA7\xC8\xEE\x0A\x6D\x70\ + \x9E\x02\xFC\xE1\xCD\xF7\xE2\xEC\xC0\x34\x04\xCD\x28\x34\x2F\x61\ + \x91\x72\xFE\x9C\xE9\x85\x83\xFF\x8E\x4F\x12\x32\xEE\xF2\x81\x83\ + \xC3\xFE\x3B\x1B\x4C\x6F\xAD\x73\x3B\xB5\xFC\xBC\x2E\xC2\x20\x05\ + \xC5\x8E\xF1\x83\x7D\x16\x83\xB2\xC6\xF3\x4A\x26\xC1\xB2\xEF\xFA\ + \x88\x6B\x42\x38\x61\x1F\xCF\xDC\xDE\x35\x5B\x3B\x65\x19\x03\x5B\ + \xBC\x34\xF4\xDE\xF9\x9C\x02\x38\x61\xB4\x6F\xC9\xD6\xE6\xC9\x07\ + \x7A\xD9\x1D\x26\x91\xF7\xF7\xEE\x59\x8C\xB0\xFA\xC1\x86\xD9\x1C\ + \xAE\xFE\x13\x09\x85\x13\x92\x70\xB4\x13\x0C\x93\xBC\x43\x79\x44\ + \xF4\xFD\x44\x52\xE2\xD7\x4D\xD3\x64\xF2\xE2\x1E\x71\xF5\x4B\xFF\ + \x5C\xAE\x82\xAB\x9C\x9D\xF6\x9E\xE8\x6D\x2B\xC5\x22\x36\x3A\x0D\ + 
\xAB\xC5\x21\x97\x9B\x0D\xEA\xDA\x1D\xBF\x9A\x42\xD5\xC4\x48\x4E\ + \x0A\xBC\xD0\x6B\xFA\x53\xDD\xEF\x3C\x1B\x20\xEE\x3F\xD5\x9D\x7C\ + \x25\xE4\x1D\x2B\x66\x9E\x1E\xF1\x6E\x6F\x52\xC3\x16\x4D\xF4\xFB\ + \x79\x30\xE9\xE4\xE5\x88\x57\xB6\xAC\x7D\x5F\x42\xD6\x9F\x6D\x18\ + \x77\x63\xCF\x1D\x55\x03\x40\x04\x87\xF5\x5B\xA5\x7E\x31\xCC\x7A\ + \x71\x35\xC8\x86\xEF\xB4\x31\x8A\xED\x6A\x1E\x01\x2D\x9E\x68\x32\ + \xA9\x07\x60\x0A\x91\x81\x30\xC4\x6D\xC7\x78\xF9\x71\xAD\x00\x38\ + \x09\x29\x99\xA3\x33\xCB\x8B\x7A\x1A\x1D\xB9\x3D\x71\x40\x00\x3C\ + \x2A\x4E\xCE\xA9\xF9\x8D\x0A\xCC\x0A\x82\x91\xCD\xCE\xC9\x7D\xCF\ + \x8E\xC9\xB5\x5A\x7F\x88\xA4\x6B\x4D\xB5\xA8\x51\xF4\x41\x82\xE1\ + \xC6\x8A\x00\x7E\x5E\x0D\xD9\x02\x0B\xFD\x64\xB6\x45\x03\x6C\x7A\ + \x4E\x67\x7D\x2C\x38\x53\x2A\x3A\x23\xBA\x44\x42\xCA\xF5\x3E\xA6\ + \x3B\xB4\x54\x32\x9B\x76\x24\xC8\x91\x7B\xDD\x64\xB1\xC0\xFD\x4C\ + \xB3\x8E\x8C\x33\x4C\x70\x1C\x3A\xCD\xAD\x06\x57\xFC\xCF\xEC\x71\ + \x9B\x1F\x5C\x3E\x4E\x46\x04\x1F\x38\x81\x47\xFB\x4C\xFD\xB4\x77\ + \xA5\x24\x71\xF7\xA9\xA9\x69\x10\xB8\x55\x32\x2E\xDB\x63\x40\xD8\ + \xA0\x0E\xF0\x92\x35\x05\x11\xE3\x0A\xBE\xC1\xFF\xF9\xE3\xA2\x6E\ + \x7F\xB2\x9F\x8C\x18\x30\x23\xC3\x58\x7E\x38\xDA\x00\x77\xD9\xB4\ + \x76\x3E\x4E\x4B\x94\xB2\xBB\xC1\x94\xC6\x65\x1E\x77\xCA\xF9\x92\ + \xEE\xAA\xC0\x23\x2A\x28\x1B\xF6\xB3\xA7\x39\xC1\x22\x61\x16\x82\ + \x0A\xE8\xDB\x58\x47\xA6\x7C\xBE\xF9\xC9\x09\x1B\x46\x2D\x53\x8C\ + \xD7\x2B\x03\x74\x6A\xE7\x7F\x5E\x62\x29\x2C\x31\x15\x62\xA8\x46\ + \x50\x5D\xC8\x2D\xB8\x54\x33\x8A\xE4\x9F\x52\x35\xC9\x5B\x91\x17\ + \x8C\xCF\x2D\xD5\xCA\xCE\xF4\x03\xEC\x9D\x18\x10\xC6\x27\x2B\x04\ + \x5B\x3B\x71\xF9\xDC\x6B\x80\xD6\x3F\xDD\x4A\x8E\x9A\xDB\x1E\x69\ + \x62\xA6\x95\x26\xD4\x31\x61\xC1\xA4\x1D\x57\x0D\x79\x38\xDA\xD4\ + \xA4\x0E\x32\x9C\xCF\xF4\x6A\xAA\x36\xAD\x00\x4C\xF6\x00\xC8\x38\ + \x1E\x42\x5A\x31\xD9\x51\xAE\x64\xFD\xB2\x3F\xCE\xC9\x50\x9D\x43\ + \x68\x7F\xEB\x69\xED\xD1\xCC\x5E\x0B\x8C\xC3\xBD\xF6\x4B\x10\xEF\ + 
\x86\xB6\x31\x42\xA3\xAB\x88\x29\x55\x5B\x2F\x74\x7C\x93\x26\x65\ + \xCB\x2C\x0F\x1C\xC0\x1B\xD7\x02\x29\x38\x88\x39\xD2\xAF\x05\xE4\ + \x54\x50\x4A\xC7\x8B\x75\x82\x82\x28\x46\xC0\xBA\x35\xC3\x5F\x5C\ + \x59\x16\x0C\xC0\x46\xFD\x82\x51\x54\x1F\xC6\x8C\x9C\x86\xB0\x22\ + \xBB\x70\x99\x87\x6A\x46\x0E\x74\x51\xA8\xA9\x31\x09\x70\x3F\xEE\ + \x1C\x21\x7E\x6C\x38\x26\xE5\x2C\x51\xAA\x69\x1E\x0E\x42\x3C\xFC\ + \x99\xE9\xE3\x16\x50\xC1\x21\x7B\x62\x48\x16\xCD\xAD\x9A\x95\xF9\ + \xD5\xB8\x01\x94\x88\xD9\xC0\xA0\xA1\xFE\x30\x75\xA5\x77\xE2\x31\ + \x83\xF8\x1D\x4A\x3F\x2F\xA4\x57\x1E\xFC\x8C\xE0\xBA\x8A\x4F\xE8\ + \xB6\x85\x5D\xFE\x72\xB0\xA6\x6E\xDE\xD2\xFB\xAB\xFB\xE5\x8A\x30\ + \xFA\xFA\xBE\x1C\x5D\x71\xA8\x7E\x2F\x74\x1E\xF8\xC1\xFE\x86\xFE\ + \xA6\xBB\xFD\xE5\x30\x67\x7F\x0D\x97\xD1\x1D\x49\xF7\xA8\x44\x3D\ + \x08\x22\xE5\x06\xA9\xF4\x61\x4E\x01\x1E\x2A\x94\x83\x8F\xF8\x8C\ + \xD6\x8C\x8B\xB7\xC5\xC6\x42\x4C\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF" end diff --git a/pk/dsa.ml b/pk/dsa.ml index 1690bfcd..856a84ce 100644 --- a/pk/dsa.ml +++ b/pk/dsa.ml @@ -88,13 +88,13 @@ module K_gen (H : Mirage_crypto.Hash.S) = struct let module M = Mirage_crypto_rng.Hmac_drbg (H) in (module M) let z_gen ~key:{ q; x; _ } z = - let repr = Z_extra.to_cstruct_be ~size:(Z.numbits q // 8) in + let repr = Z_extra.to_octets_be ~size:(Z.numbits q // 8) in let g = Mirage_crypto_rng.create ~strict:true drbg in - Mirage_crypto_rng.reseed ~g Cs.(repr x <+> repr Z.(z mod q)); + Mirage_crypto_rng.reseed ~g (Cstruct.of_string (repr x ^ repr Z.(z mod q))); Z_extra.gen_r ~g Z.one q - let generate ~key cs = - z_gen ~key (Z_extra.of_cstruct_be ~bits:(Z.numbits key.q) cs) + let generate ~key buf = + z_gen ~key (Z_extra.of_octets_be ~bits:(Z.numbits key.q) buf) end module K_gen_sha256 = K_gen (Mirage_crypto.Hash.SHA256) 
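Review bot: The seed handed to `reseed` in `z_gen` now exists as two immutable heap copies that carry the serialized private key `x` — the result of `^` and the copy made by `Cstruct.of_string` — and the string copies cannot be overwritten once the DRBG has consumed them, whereas the Cstruct copy at least can be zeroed after the `reseed` call (e.g. with `Cstruct.memset`). If leaving the key bytes in the heap until collection is an accepted consequence of the move to `string`, it deserves a comment on `z_gen`, e.g. `(* seed = repr x || repr (z mod q); the string copies of x are not wiped *)`. The construction looks like the RFC 6979 seeding (int2octets(x) || bits2octets(h)) from the names and order alone, so any RFC reference in the comment should be confirmed against the surrounding code, which is outside the hunk.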
@@ -136,16 +136,43 @@ let verify_z ~key:({ p; q; gg; y }: pub ) (r, s) z =
 let sign ?mask ?k ~(key : priv) digest =
 let bits = Z.numbits key.q in
 let size = bits // 8 in
- let (r, s) = sign_z ?mask ?k ~key (Z_extra.of_cstruct_be ~bits digest) in
- Z_extra.(to_cstruct_be ~size r, to_cstruct_be ~size s)
+ let (r, s) = sign_z ?mask ?k ~key (Z_extra.of_octets_be ~bits digest) in
+ Z_extra.(to_octets_be ~size r, to_octets_be ~size s)
 let verify ~(key : pub) (r, s) digest =
- let z = Z_extra.of_cstruct_be ~bits:(Z.numbits key.q) digest
- and (r, s) = Z_extra.(of_cstruct_be r, of_cstruct_be s) in
+ let z = Z_extra.of_octets_be ~bits:(Z.numbits key.q) digest
+ and (r, s) = Z_extra.(of_octets_be r, of_octets_be s) in
 verify_z ~key (r, s) z
+let rec shift_left_inplace buf = function
+ | 0 -> ()
+ | bits when bits mod 8 = 0 ->
+ let off = bits / 8 in
+ let to_blit = Bytes.length buf - off in
+ Bytes.blit buf off buf 0 to_blit ;
+ Bytes.unsafe_fill buf to_blit (Bytes.length buf - to_blit) '\x00'
+ | bits when bits < 8 ->
+ let foo = 8 - bits in
+ for i = 0 to Bytes.length buf - 2 do
+ let b1 = Bytes.get_uint8 buf i
+ and b2 = Bytes.get_uint8 buf (i + 1) in
+ Bytes.set_uint8 buf i ((b1 lsl bits) lor (b2 lsr foo))
+ done ;
+ Bytes.set_uint8 buf (Bytes.length buf - 1)
+ (Bytes.get_uint8 buf (Bytes.length buf - 1) lsl bits)
+ | bits ->
+ shift_left_inplace buf (8 * (bits / 8)) ;
+ shift_left_inplace buf (bits mod 8)
+
+let (lsl) buf bits =
+ let buf' = Bytes.of_string buf in
+ shift_left_inplace buf' bits;
+ Bytes.unsafe_to_string buf'
+
 let massage ~key:({ q; _ }: pub) digest =
 let bits = Z.numbits q in
- if bits >= Cstruct.length digest * 8 then digest else
- let cs = Z_extra.(to_cstruct_be Z.(of_cstruct_be digest mod q)) in
- Cs.(cs lsl ((8 - bits mod 8) mod 8))
+ if bits >= String.length digest * 8 then
+ digest
+ else
+ let buf = Z_extra.(to_octets_be Z.(of_octets_be digest mod q)) in
+ buf lsl ((8 - bits mod 8) mod 8)
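Review bot: `shift_left_inplace` uses `Bytes.unsafe_fill` in the whole-byte branch where the bounds-checked `Bytes.fill` costs nothing: the preceding `Bytes.blit` only rejects a negative `to_blit`, so the fill is in bounds today, but a later change to the offset arithmetic would silently write past the buffer instead of raising. `Bytes.fill buf to_blit (Bytes.length buf - to_blit) '\x00'` keeps the check at no cost. Separately, `let (lsl) buf bits` at module level shadows the integer `lsl` operator for everything below it in dsa.ml; its only visible caller, `massage`, always passes a count in 0..7, so the multi-byte branches are unreachable from here. A plain name such as `shift_left` plus a one-line comment stating the precondition the single-byte path relies on (`(* bits < 8: shifts across byte boundaries are handled by the last arm *)`) would read more clearly.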
diff --git a/pk/dune b/pk/dune
index aa7d8ba0..0e487722 100644
--- a/pk/dune
+++ b/pk/dune
@@ -1,5 +1,5 @@
 (library
 (name mirage_crypto_pk)
 (public_name mirage-crypto-pk)
- (libraries cstruct zarith mirage-crypto mirage-crypto-rng eqaf.cstruct)
+ (libraries zarith mirage-crypto mirage-crypto-rng eqaf)
 (private_modules common dh dsa rsa z_extra))
diff --git a/pk/mirage_crypto_pk.mli b/pk/mirage_crypto_pk.mli
index 6c9ab505..188551f7 100644
--- a/pk/mirage_crypto_pk.mli
+++ b/pk/mirage_crypto_pk.mli
@@ -94,7 +94,7 @@ module Rsa : sig
 (** {1 The RSA transformation} *)
- type 'a or_digest = [ `Message of 'a | `Digest of Mirage_crypto.Hash.digest ]
+ type 'a or_digest = [ `Message of 'a | `Digest of string ]
 (** Either an ['a] or its digest, according to some hash algorithm. *)
 type mask = [ `No | `Yes | `Yes_with of Mirage_crypto_rng.g ]
@@ -109,7 +109,7 @@ module Rsa : sig
 the sane option.}
 {- [`Yes_with g] uses random masking with the generator [g].}} *)
- val encrypt : key:pub -> Cstruct.t -> Cstruct.t
+ val encrypt : key:pub -> string -> string
 (** [encrypt key message] is the encrypted [message].
 @raise Insufficient_key (see {{!Insufficient_key}Insufficient_key})
@@ -117,7 +117,7 @@ module Rsa : sig
 @raise Invalid_argument if [message] is [0x00] or [0x01]. *)
 val decrypt : ?crt_hardening:bool -> ?mask:mask -> key:priv ->
- Cstruct.t -> Cstruct.t
+ string -> string
 (** [decrypt ~crt_hardening ~mask key ciphertext] is the decrypted [ciphertext], left-padded with [0x00] up to [key] size.
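Review bot: Dropping `cstruct` from `libraries` while the new code in this same patch still calls `Cstruct.to_string`, `Cstruct.of_string` and `Cstruct.to_bytes` directly (dsa.ml, rsa.ml, z_extra.ml) makes the library depend on `cstruct` arriving transitively through `mirage-crypto`. That works with dune's default implicit transitive dependencies but breaks under `(implicit_transitive_deps false)` or if mirage-crypto's interface stops exposing `Cstruct.t`. Either keep it listed, `(libraries cstruct zarith mirage-crypto mirage-crypto-rng eqaf)`, or finish removing the remaining direct `Cstruct` uses.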
@@ -157,21 +157,21 @@ module Rsa : sig
 key size is [priv_bits key / 8], rounded up. *)
 module PKCS1 : sig
- val encrypt : ?g:Mirage_crypto_rng.g -> key:pub -> Cstruct.t -> Cstruct.t
+ val encrypt : ?g:Mirage_crypto_rng.g -> key:pub -> string -> string
 (** [encrypt g key message] is a PKCS1-padded (type 2) and encrypted [message].
 @raise Insufficient_key (see {{!Insufficient_key}Insufficient_key}) *)
 val decrypt : ?crt_hardening:bool -> ?mask:mask -> key:priv ->
- Cstruct.t -> Cstruct.t option
+ string -> string option
 (** [decrypt ~crt_hardening ~mask ~key ciphertext] is [Some message] if the [ciphertext] was produced by the corresponding {{!encrypt}encrypt} operation, or [None] otherwise. [crt_hardening] defaults to [false]. *)
 val sig_encode : ?crt_hardening:bool -> ?mask:mask -> key:priv ->
- Cstruct.t -> Cstruct.t
+ string -> string
 (** [sig_encode ~crt_hardening ~mask ~key message] is the PKCS1-padded (type 1) [message] signed by the [key]. [crt_hardening] defaults to [true] and verifies that the computed signature is correct.
@@ -182,7 +182,7 @@ module Rsa : sig
 @raise Insufficient_key (see {{!Insufficient_key}Insufficient_key}) *)
- val sig_decode : key:pub -> Cstruct.t -> Cstruct.t option
+ val sig_decode : key:pub -> string -> string option
 (** [sig_decode key signature] is [Some message] when the [signature] was produced with the given [key] as per {{!sig_encode}sig_encode}, or [None] *)
@@ -191,8 +191,8 @@ module Rsa : sig
 (** [min_key hash] is the minimum key size required by {{!sign}[sign]}. *)
 val sign : ?crt_hardening:bool -> ?mask:mask ->
- hash:Mirage_crypto.Hash.hash -> key:priv -> Cstruct.t or_digest ->
- Cstruct.t
+ hash:Mirage_crypto.Hash.hash -> key:priv -> string or_digest ->
+ string
 (** [sign ~crt_hardening ~mask ~hash ~key message] is the PKCS 1.5 signature of [message], signed by the [key], using the hash function [hash]. This is the full signature, with the ASN-encoded message digest
@@ -206,7 +206,7 @@ module Rsa : sig
 @raise Invalid_argument if message is a [`Digest] of the wrong size. *)
 val verify : hashp:(Mirage_crypto.Hash.hash -> bool) -> key:pub ->
- signature:Cstruct.t -> Cstruct.t or_digest -> bool
+ signature:string -> string or_digest -> bool
 (** [verify ~hashp ~key ~signature message] checks that [signature] is the PKCS 1.5 signature of the [message] under the given [key].
@@ -229,15 +229,15 @@ module Rsa : sig
 [hlen] is the hash length. *)
 module OAEP (H : Mirage_crypto.Hash.S) : sig
- val encrypt : ?g:Mirage_crypto_rng.g -> ?label:Cstruct.t -> key:pub ->
- Cstruct.t -> Cstruct.t
+ val encrypt : ?g:Mirage_crypto_rng.g -> ?label:string -> key:pub ->
+ string -> string
 (** [encrypt ~g ~label ~key message] is {b OAEP}-padded and encrypted [message], using the optional [label].
 @raise Insufficient_key (see {{!Insufficient_key}Insufficient_key}) *)
- val decrypt : ?crt_hardening:bool -> ?mask:mask -> ?label:Cstruct.t ->
- key:priv -> Cstruct.t -> Cstruct.t option
+ val decrypt : ?crt_hardening:bool -> ?mask:mask -> ?label:string ->
+ key:priv -> string -> string option
 (** [decrypt ~crt_hardening ~mask ~label ~key ciphertext] is [Some message] if the [ciphertext] was produced by the corresponding {{!encrypt}encrypt} operation, or [None] otherwise. [crt_hardening]
@@ -256,7 +256,7 @@ module Rsa : sig
 module PSS (H: Mirage_crypto.Hash.S) : sig
 val sign : ?g:Mirage_crypto_rng.g -> ?crt_hardening:bool ->
- ?mask:mask -> ?slen:int -> key:priv -> Cstruct.t or_digest -> Cstruct.t
+ ?mask:mask -> ?slen:int -> key:priv -> string or_digest -> string
 (** [sign ~g ~crt_hardening ~mask ~slen ~key message] the [PSS]-padded digest of [message], signed with the [key]. [crt_hardening] defaults to [false].
@@ -270,7 +270,7 @@ module Rsa : sig
 @raise Invalid_argument if message is a [`Digest] of the wrong size. *)
- val verify : ?slen:int -> key:pub -> signature:Cstruct.t -> Cstruct.t or_digest -> bool
+ val verify : ?slen:int -> key:pub -> signature:string -> string or_digest -> bool
 (** [verify ~slen ~key ~signature message] checks whether [signature] is a valid {b PSS} signature of the [message] under the given [key].
@@ -343,8 +343,8 @@ module Dsa : sig
 @raise Invalid_argument if [size] is (`Exactly (l, n)), and either [l] or [n] is ridiculously small. *)
- val sign : ?mask:mask -> ?k:Z.t -> key:priv -> Cstruct.t -> Cstruct.t * Cstruct.t
- (** [sign ~mask ~k ~key digest] is the signature, a pair of {!Cstruct.t}s
+ val sign : ?mask:mask -> ?k:Z.t -> key:priv -> string -> string * string
+ (** [sign ~mask ~k ~key digest] is the signature, a pair of strings
 representing [r] and [s] in big-endian. [digest] is the full digest of the actual message.
@@ -355,11 +355,11 @@ module Dsa : sig
 @raise Invalid_argument if [k] is unsuitable (leading to r or s being 0). *)
- val verify : key:pub -> Cstruct.t * Cstruct.t -> Cstruct.t -> bool
+ val verify : key:pub -> string * string -> string -> bool
 (** [verify ~key (r, s) digest] verifies that the pair [(r, s)] is the signature of [digest], the message digest, under the private counterpart to [key]. *)
- val massage : key:pub -> Cstruct.t -> Cstruct.t
+ val massage : key:pub -> string -> string
 (** [massage key digest] is the numeric value of [digest] taken modulo [q] and represented in the leftmost [bits(q)] bits of the result.
@@ -375,7 +375,7 @@ module Dsa : sig
 compliant [k]-generator for that hash. *)
 module K_gen (H : Mirage_crypto.Hash.S) : sig
- val generate : key:priv -> Cstruct.t -> Z.t
+ val generate : key:priv -> string -> Z.t
 (** [generate key digest] deterministically takes the given private key and message digest to a [k] suitable for seeding the signing process. *)
 end
@@ -412,20 +412,20 @@ module Dh : sig
 val modulus_size : group -> bits
 (** Bit size of the modulus. *)
- val key_of_secret : group -> s:Cstruct.t -> secret * Cstruct.t
+ val key_of_secret : group -> s:string -> secret * string
 (** [key_of_secret group s] is the {!secret} and the corresponding public key which use [s] as the secret exponent.
 @raise Invalid_key if [s] is degenerate. *)
- val gen_key : ?g:Mirage_crypto_rng.g -> ?bits:bits -> group -> secret * Cstruct.t
+ val gen_key : ?g:Mirage_crypto_rng.g -> ?bits:bits -> group -> secret * string
 (** Generate a random {!secret} and the corresponding public key. [bits] is the exact bit-size of {!secret} and defaults to a value dependent on the {!type-group}'s [p].
 {b Note} The process might diverge when [bits] is extremely small. *)
- val shared : secret -> Cstruct.t -> Cstruct.t option
+ val shared : secret -> string -> string option
 (** [shared secret public] is [Some shared_key] given a a previously generated {!secret} (which specifies the [group]) and the other party's public key.
@@ -477,27 +477,27 @@ module Dh : sig
 end
 end
-(** {b Z} Convert Z to big endian Cstruct.t and generate random Z values. *)
+(** {b Z} Convert Z to big endian string and generate random Z values. *)
 module Z_extra : sig
- (** {1 Conversion to and from Cstruct.t} *)
+ (** {1 Conversion to and from string} *)
- val of_cstruct_be : ?bits:bits -> Cstruct.t -> Z.t
- (** [of_cstruct_be ~bits cs] interprets the bit pattern of [cs] as a
+ val of_octets_be : ?bits:bits -> string -> Z.t
+ (** [of_octets_be ~bits buf] interprets the bit pattern of [buf] as a
 {{!Z.t}[t]} in big-endian.
- If [~bits] is not given, the operation considers the entire [cs],
- otherwise the initial [min ~bits (bit-length cs)] bits of [cs].
+ If [~bits] is not given, the operation considers the entire [buf],
+ otherwise the initial [min ~bits (bit-length buf)] bits of [buf].
- Assuming [n] is the number of bits to extract, the [n]-bit in [cs] is
+ Assuming [n] is the number of bits to extract, the [n]-bit in [buf] is
 always the least significant bit of the result. Therefore:
 {ul
 {- if the bit size [k] of [t] is larger than [n], [k - n] most significant bits in the result are [0]; and}
 {- if [k] is smaller than [n], the result contains [k] last of the [n]
- first bits of [cs].}} *)
+ first bits of [buf].}} *)
- val to_cstruct_be : ?size:int -> Z.t -> Cstruct.t
- (** [to_cstruct_be ~size t] is the big-endian representation of [t].
+ val to_octets_be : ?size:int -> Z.t -> string
+ (** [to_octets_be ~size t] is the big-endian representation of [t].
 If [~size] is not given, it defaults to the minimal number of bytes needed to represent [t], which is [bits t / 8] rounded up.
@@ -506,10 +506,10 @@ module Z_extra : sig
 If the size is larger than needed, the output is padded with zero bits. If it is smaller, the high bits in [t] are dropped. *)
- val into_cstruct_be : Z.t -> Cstruct.t -> unit
- (** [into_cstruct_be t cs] writes the big-endian representation of [t] into
- [cs]. It behaves like {{!to_cstruct_be}[to_cstruct_be]}, with [~size]
- spanning the entire [cs]. *)
+ val into_octets_be : Z.t -> bytes -> unit
+ (** [into_octets_be t buf] writes the big-endian representation of [t] into
+ [buf]. It behaves like {{!to_octets_be}[to_octets_be]}, with [~size]
+ spanning the entire [buf]. *)
 (** {1 Random generation} *)
diff --git a/pk/rsa.ml b/pk/rsa.ml
index 0801ccf9..1c83e420 100644
--- a/pk/rsa.ml
+++ b/pk/rsa.ml
@@ -7,20 +7,20 @@ and three = Z.(~$3)
 (* A constant-time [find_uint8] with a default value. *)
 let ct_find_uint8 ~default ?off ~f cs =
- let res = Eqaf_cstruct.find_uint8 ?off ~f cs in
+ let res = Eqaf.find_uint8 ?off ~f cs in
 Eqaf.select_int (res + 1) default res
 let (&.) f g = fun h -> f (g h)
 module Hash = Mirage_crypto.Hash
-type 'a or_digest = [ `Message of 'a | `Digest of Hash.digest ]
+type 'a or_digest = [ `Message of 'a | `Digest of string ]
 module Digest_or (H : Hash.S) = struct
 let digest_or = function
- | `Message msg -> H.digest msg
+ | `Message msg -> Cstruct.to_string (H.digest (Cstruct.of_string msg))
 | `Digest digest ->
- let n = digest.Cstruct.len and m = H.digest_size in
+ let n = String.length digest and m = H.digest_size in
 if n = m then digest else
 invalid_arg "(`Digest _): %d bytes, expecting %d" n m
 end
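Review bot: `ct_find_uint8` keeps the parameter name `cs` although the `Eqaf.find_uint8` call now receives a `string`, while the rest of this patch renames such parameters to `buf`; renaming it here avoids suggesting a `Cstruct.t` is still expected. The one-line header comment could also state the fallback contract that `Eqaf.select_int (res + 1) default res` implements, e.g. `(* Constant-time [find_uint8]; yields [default] when no byte satisfies [f] (relies on Eqaf.find_uint8 reporting "not found" as -1). *)`, since that -1 convention is what makes the `res + 1` selector work and it is not visible in this file.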
@@ -197,15 +197,18 @@ let (encrypt_z, decrypt_z) =
 | `Yes_with g -> decrypt_blinded_unsafe ~crt_hardening ~g ~key msg )
 let reformat out f msg =
- Z_extra.(of_cstruct_be msg |> f |> to_cstruct_be ~size:(out // 8))
+ Z_extra.(of_octets_be msg |> f |> to_octets_be ~size:(out // 8))
 let encrypt ~key = reformat (pub_bits key) (encrypt_z ~key)
 let decrypt ?(crt_hardening=false) ?(mask=`Yes) ~key =
 reformat (priv_bits key) (decrypt_z ~crt_hardening ~mask ~key)
-let b = Cs.b
-let cat = Cstruct.concat
+let b x = String.make 1 (char_of_int x)
+
+(* OCaml 4.13 *)
+let string_get_uint8 buf idx =
+ Bytes.get_uint8 (Bytes.unsafe_of_string buf) idx
 let (bx00, bx01) = (b 0x00, b 0x01)
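Review bot: The `(* OCaml 4.13 *)` comment above `string_get_uint8` does not say what it refers to; spell out the intent, e.g. `(* String.get_uint8 exists from OCaml 4.13; drop this shim once that is the lower bound. *)`, matching the wording used for the equivalent shims added to z_extra.ml in this patch. `let b x = String.make 1 (char_of_int x)` also deserves a note that `char_of_int` raises `Invalid_argument` outside 0..255, since `b` is applied to the `mark` argument of `PKCS1.pad` in a later hunk and the old `Cs.b` went through `set_uint8`, which truncated instead.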
@@ -213,41 +216,35 @@ module PKCS1 = struct
 let min_pad = 8
- open Cstruct
-
 (* XXX Generalize this into `Rng.samplev` or something. *)
 let generate_with ?g ~f n =
- let cs = create n
+ let buf = Bytes.create n
 and k = let b = Mirage_crypto_rng.block g in (n // b * b) in
 let rec go nonce i j =
- if i = n then cs else
- if j = k then go Mirage_crypto_rng.(generate ?g k) i 0 else
- match get_uint8 nonce j with
- | b when f b -> set_uint8 cs i b ; go nonce (succ i) (succ j)
+ if i = n then Bytes.unsafe_to_string buf else
+ if j = k then go (Cstruct.to_string Mirage_crypto_rng.(generate ?g k)) i 0 else
+ match string_get_uint8 nonce j with
+ | b when f b -> Bytes.set_uint8 buf i b ; go nonce (succ i) (succ j)
 | _ -> go nonce i (succ j) in
- go Mirage_crypto_rng.(generate ?g k) 0 0
+ go (Cstruct.to_string Mirage_crypto_rng.(generate ?g k)) 0 0
 let pad ~mark ~padding k msg =
- let pad = padding (k - length msg - 3 |> imax min_pad) in
- cat [ bx00 ; b mark ; pad ; bx00 ; msg ]
+ let pad = padding (k - String.length msg - 3 |> imax min_pad) in
+ String.concat "" [ bx00 ; b mark ; pad ; bx00 ; msg ]
- let unpad ~mark ~is_pad cs =
+ let unpad ~mark ~is_pad buf =
 let f = not &. is_pad in
- let i = ct_find_uint8 ~default:2 ~off:2 ~f cs in
- let c1 = get_uint8 cs 0 = 0x00
- and c2 = get_uint8 cs 1 = mark
- and c3 = get_uint8 cs i = 0x00
+ let i = ct_find_uint8 ~default:2 ~off:2 ~f buf in
+ let c1 = string_get_uint8 buf 0 = 0x00
+ and c2 = string_get_uint8 buf 1 = mark
+ and c3 = string_get_uint8 buf i = 0x00
 and c4 = min_pad <= i - 2 in
 if c1 && c2 && c3 && c4 then
- Some (sub cs (i + 1) (length cs - i - 1))
+ Some (String.sub buf (i + 1) (String.length buf - i - 1))
 else None
 let pad_01 =
- let padding size =
- let buf = Cstruct.create size in
- Cstruct.memset buf 0xff;
- buf
- in
+ let padding size = String.make size '\xff' in
 pad ~mark:0x01 ~padding
 let pad_02 ?g = pad ~mark:0x02 ~padding:(generate_with ?g ~f:((<>) 0x00))
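Review bot: The `Bytes.unsafe_to_string buf` returned by `generate_with` when `i = n` is sound only because `buf` is never written after that point; a one-line comment, `(* buf is not mutated after this return, so the unsafe conversion is sound *)`, stops the next edit from adding a write after the conversion and aliasing an immutable string. `unpad` reads `buf` at offsets 0, 1 and `i` unconditionally and relies on the caller (`unpadded`, in the next hunk) having fixed the length to `keybits // 8`; that precondition is not visible from `unpad` itself and is worth a comment on it, since a direct call with a short buffer would raise rather than return `None`.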
@@ -257,10 +254,10 @@ module PKCS1 = struct
 let padded pad transform keybits msg =
 let n = keybits // 8 in
 let p = pad n msg in
- if length p = n then transform p else raise Insufficient_key
+ if String.length p = n then transform p else raise Insufficient_key
 let unpadded unpad transform keybits msg =
- if length msg = keybits // 8 then
+ if String.length msg = keybits // 8 then
 try unpad (transform msg) with Insufficient_key -> None
 else None
@@ -276,7 +273,7 @@ module PKCS1 = struct
 let decrypt ?(crt_hardening = false) ?mask ~key msg =
 unpadded unpad_02 (decrypt ~crt_hardening ?mask ~key) (priv_bits key) msg
- let asns = List.(combine Hash.hashes &. map of_string) [
+ let asns = List.combine Hash.hashes [
 "\x30\x20\x30\x0c\x06\x08\x2a\x86\x48\x86\xf7\x0d\x02\x05\x05\x00\x04\x10" (* md5 *)
 ; "\x30\x21\x30\x09\x06\x05\x2b\x0e\x03\x02\x1a\x05\x00\x04\x14" (* sha1 *)
 ; "\x30\x2d\x30\x0d\x06\x09\x60\x86\x48\x01\x65\x03\x04\x02\x04\x05\x00\x04\x1c" (* sha224 *)
@@ -287,10 +284,15 @@ module PKCS1 = struct
 let asn_of_hash hash =
 try List.assoc hash asns with Not_found -> assert false
- let detect msg = List.find_opt (fun (_, asn) -> Cs.is_prefix asn msg) asns
+ (* OCaml 4.13 contains starts_with *)
+ let is_prefix asn msg =
+ String.length msg >= String.length asn &&
+ String.equal asn (String.sub msg 0 (String.length asn))
+
+ let detect msg = List.find_opt (fun (_, asn) -> is_prefix asn msg) asns
 let sign ?(crt_hardening = true) ?mask ~hash ~key msg =
- let msg' = Cs.(asn_of_hash hash <+> digest_or ~hash msg) in
+ let msg' = asn_of_hash hash ^ digest_or ~hash msg in
 sig_encode ~crt_hardening ?mask ~key msg'
 let verify ~hashp ~key ~signature msg =
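Review bot: `is_prefix` allocates a fresh substring with `String.sub` for every ASN.1 prefix tried by `detect`; a short index loop, or `String.starts_with ~prefix:asn msg` once the OCaml 4.13 lower bound the comment mentions is in place, avoids that. The comparison runs on the output of `sig_decode`, i.e. on data recovered with the public key, so a variable-time prefix check is acceptable here; a one-line comment stating that (`(* not secret-dependent: operates on sig_decode output *)`) would pre-empt the question, given that `Eqaf.equal` is used for the digest comparison a few lines later.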
@@ -298,13 +300,13 @@ module PKCS1 = struct
 and (>>|) = Fun.flip Option.map in
 Option.value
- (sig_decode ~key signature >>= fun cs ->
- detect cs >>| fun (hash, asn) ->
- hashp hash && Eqaf_cstruct.equal Cs.(asn <+> digest_or ~hash msg) cs)
+ (sig_decode ~key signature >>= fun buf ->
+ detect buf >>| fun (hash, asn) ->
+ hashp hash && Eqaf.equal (asn ^ digest_or ~hash msg) buf)
 ~default:false
 let min_key hash =
- (length (asn_of_hash hash) + Hash.digest_size hash + min_pad + 2) * 8 + 1
+ (String.length (asn_of_hash hash) + Hash.digest_size hash + min_pad + 2) * 8 + 1
 end
 module MGF1 (H : Hash.S) = struct
@@ -317,49 +319,53 @@ module MGF1 (H : Hash.S) = struct
 (* Assumes len < 2^32 * H.digest_size. *)
 let mgf ~seed len =
 let rec go acc c = function
- | 0 -> Cstruct.sub (cat (List.rev acc)) 0 len
- | n -> let h = H.digesti (iter2 seed (repr c)) in
+ | 0 -> Bytes.sub (Bytes.concat Bytes.empty (List.rev acc)) 0 len
+ | n -> let h = Cstruct.to_bytes (H.digesti (iter2 (Cstruct.of_string seed) (repr c))) in
 go (h :: acc) Int32.(succ c) (pred n) in
 go [] 0l (len // H.digest_size)
- let mask ~seed cs = Cs.xor (mgf ~seed (Cstruct.length cs)) cs
+ let mask ~seed buf =
+ let mgf_data = mgf ~seed (String.length buf) in
+ xor_into buf mgf_data (String.length buf);
+ mgf_data
 end
 module OAEP (H : Hash.S) = struct
- open Cstruct
-
 module MGF = MGF1 (H)
 let hlen = H.digest_size
 let max_msg_bytes k = k - 2 * hlen - 2
- let eme_oaep_encode ?g ?(label = Cstruct.empty) k msg =
- let seed = Mirage_crypto_rng.generate ?g hlen
- and pad = Cstruct.create (max_msg_bytes k - length msg) in
- let db = cat [ H.digest label ; pad ; bx01 ; msg ] in
- let mdb = MGF.mask ~seed db in
- let mseed = MGF.mask ~seed:mdb seed in
- cat [ bx00 ; mseed ; mdb ]
-
- let eme_oaep_decode ?(label = Cstruct.empty) msg =
- let (b0, ms, mdb) = Cs.split3 msg 1 hlen in
- let db = MGF.mask ~seed:(MGF.mask ~seed:mdb ms) mdb in
+ let eme_oaep_encode ?g ?(label = "") k msg =
+ let seed = Cstruct.to_string (Mirage_crypto_rng.generate ?g hlen)
+ and pad = String.make (max_msg_bytes k - String.length msg) '\x00' in
+ let db = String.concat "" [ Cstruct.to_string (H.digest (Cstruct.of_string label)) ; pad ; bx01 ; msg ] in
+ let mdb = Bytes.unsafe_to_string (MGF.mask ~seed db) in
+ let mseed = Bytes.unsafe_to_string (MGF.mask ~seed:mdb seed) in
+ String.concat "" [ bx00 ; mseed ; mdb ]
+
+ let eme_oaep_decode ?(label = "") msg =
+ let b0 = String.sub msg 0 1
+ and ms = String.sub msg 1 hlen
+ and mdb = String.sub msg (1 + hlen) (String.length msg - 1 - hlen)
+ in
+ let db = Bytes.unsafe_to_string (MGF.mask
~seed:(Bytes.unsafe_to_string (MGF.mask ~seed:mdb ms)) mdb) in
 let i = ct_find_uint8 ~default:0 ~off:hlen ~f:((<>) 0x00) db in
- let c1 = Eqaf_cstruct.equal (sub db 0 hlen) H.(digest label)
- and c2 = get_uint8 b0 0 = 0x00
- and c3 = get_uint8 db i = 0x01 in
- if c1 && c2 && c3 then Some (shift db (i + 1)) else None
+ let c1 = Eqaf.equal (String.sub db 0 hlen) (Cstruct.to_string H.(digest (Cstruct.of_string label)))
+ and c2 = string_get_uint8 b0 0 = 0x00
+ and c3 = string_get_uint8 db i = 0x01 in
+ if c1 && c2 && c3 then Some (String.sub db (i + 1) (String.length db - i - 1)) else None
 let encrypt ?g ?label ~key msg =
 let k = pub_bits key // 8 in
- if length msg > max_msg_bytes k then raise Insufficient_key
+ if String.length msg > max_msg_bytes k then raise Insufficient_key
 else encrypt ~key @@ eme_oaep_encode ?g ?label k msg
 let decrypt ?(crt_hardening = false) ?mask ?label ~key em =
 let k = priv_bits key // 8 in
- if length em <> k || max_msg_bytes k < 0 then None else
+ if String.length em <> k || max_msg_bytes k < 0 then None else
 try eme_oaep_decode ?label @@ decrypt ~crt_hardening ?mask ~key em
 with Insufficient_key -> None
@@ -371,9 +377,6 @@ module OAEP (H : Hash.S) = struct
 end
 module PSS (H: Hash.S) = struct
-
- open Cstruct
-
 module MGF = MGF1 (H)
 module H1 = Digest_or (H)
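Review bot: `MGF1.mask` now returns a fresh `bytes` holding `buf XOR mgf` and leaves `buf` untouched (the `xor_into buf mgf_data` call writes into `mgf_data`, whose length `mgf` fixes to exactly `String.length buf` via `Bytes.sub`), which is a different contract from the old `Cs.xor` expression and is what makes the `Bytes.unsafe_to_string` wrapping in `eme_oaep_encode` safe; please document it: `(* [mask ~seed buf] is a fresh buffer holding [buf xor mgf ~seed (length buf)]; [buf] is not modified. *)`. In `eme_oaep_decode`, `b0` is a one-byte `String.sub` that is only read through `string_get_uint8 b0 0`; `string_get_uint8 msg 0` does the same without the allocation. The label hash `Cstruct.to_string (H.digest (Cstruct.of_string label))` is computed with identical code in encode and decode and could be one local `lhash label` helper, so the two sides cannot drift. The OAEP functor body continues beyond this hunk.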
@@ -385,29 +388,33 @@ module PSS (H: Hash.S) = struct
 let zero_8 = Cstruct.create 8
- let digest ~salt msg = H.digesti @@ iter3 zero_8 (H1.digest_or msg) salt
+ let digest ~salt msg = H.digesti @@ iter3 zero_8 (Cstruct.of_string (H1.digest_or msg)) salt
 let emsa_pss_encode ?g slen emlen msg =
 let n = emlen // 8
 and salt = Mirage_crypto_rng.generate ?g slen in
 let h = digest ~salt msg in
- let db = cat [ Cstruct.create (n - slen - hlen - 2) ; bx01 ; salt ] in
- let mdb = MGF.mask ~seed:h db in
- set_uint8 mdb 0 @@ get_uint8 mdb 0 land b0mask emlen ;
- cat [ mdb ; h ; bxbc ]
+ let db = String.concat "" [ String.make (n - slen - hlen - 2) '\x00' ; bx01 ; Cstruct.to_string salt ] in
+ let mdb = MGF.mask ~seed:(Cstruct.to_string h) db in
+ Bytes.set_uint8 mdb 0 @@ Bytes.get_uint8 mdb 0 land b0mask emlen ;
+ String.concat "" [ Bytes.unsafe_to_string mdb ; Cstruct.to_string h ; bxbc ]
 let emsa_pss_verify slen emlen em msg =
- let (mdb, h, bxx) = Cs.split3 em (em.len - hlen - 1) hlen in
+ let mdb = String.sub em 0 (String.length em - hlen - 1)
+ and h = String.sub em (String.length em - hlen - 1) hlen
+ and bxx = string_get_uint8 em (String.length em - 1)
+ in
 let db = MGF.mask ~seed:h mdb in
- set_uint8 db 0 (get_uint8 db 0 land b0mask emlen) ;
- let salt = shift db (length db - slen) in
- let h' = digest ~salt msg
+ Bytes.set_uint8 db 0 (Bytes.get_uint8 db 0 land b0mask emlen) ;
+ let db = Bytes.unsafe_to_string db in
+ let salt = String.sub db (String.length db - slen) slen in
+ let h' = Cstruct.to_string (digest ~salt:(Cstruct.of_string salt) msg)
 and i = ct_find_uint8 ~default:0 ~f:((<>) 0x00) db in
- let c1 = lnot (b0mask emlen) land get_uint8 mdb 0 = 0x00
- and c2 = i = em.len - hlen - slen - 2
- and c3 = get_uint8 db i = 0x01
- and c4 = get_uint8 bxx 0 = 0xbc
- and c5 = Eqaf_cstruct.equal h h' in
+ let c1 = lnot (b0mask emlen) land string_get_uint8 mdb 0 = 0x00
+ and c2 = i = String.length em - hlen - slen - 2
+ and c3 = string_get_uint8 db i = 0x01
+ and c4 = bxx
= 0xbc
+ and c5 = Eqaf.equal h h' in
 c1 && c2 && c3 && c4 && c5
 let sufficient_key ~slen kbits =
@@ -422,10 +429,11 @@ module PSS (H: Hash.S) = struct
 let verify ?(slen = hlen) ~key ~signature msg =
 let b = pub_bits key
- and s = length signature in
+ and s = String.length signature in
 s = b // 8 && sufficient_key ~slen b &&
 try
 let em = encrypt ~key signature in
- emsa_pss_verify (imax 0 slen) (b - 1) (shift em (s - (b - 1) // 8)) msg
+ let to_see = s - (b - 1) // 8 in
+ emsa_pss_verify (imax 0 slen) (b - 1) (String.sub em to_see (String.length em - to_see)) msg
 with Insufficient_key -> false
 end
diff --git a/pk/z_extra.ml b/pk/z_extra.ml
index f8e5c6f5..1536b181 100644
--- a/pk/z_extra.ml
+++ b/pk/z_extra.ml
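Review bot: `digest ~salt msg` still takes the salt as a `Cstruct.t` while `emsa_pss_verify` now holds it as a `string`, so the verify side converts with `Cstruct.of_string salt` and the encode side with `Cstruct.to_string salt` twice; taking a string salt in `digest` (`iter3 zero_8 (Cstruct.of_string (H1.digest_or msg)) (Cstruct.of_string salt)`) and converting the generated salt to a string once in `emsa_pss_encode` removes the mixed-type signature and two of the copies. In `emsa_pss_verify`, `String.sub db (String.length db - slen) slen` raises `Invalid_argument` when `slen` exceeds the DB length; that is ruled out by `sufficient_key ~slen b` in `verify` (next hunk), which deserves a comment here since nothing local enforces it. The PSS functor body continues beyond this hunk.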
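Review bot: `to_see` in `verify` is the number of leading bytes of `em` to skip (0 or 1: `em` has `b // 8` bytes while the encoded message has `(b - 1) // 8`), not a count of bytes to look at; naming it for what it is, e.g. `let skip = s - (b - 1) // 8 in` with `String.sub em skip (String.length em - skip)`, and a one-line comment giving that reason, makes the intent of the slice readable without re-deriving the arithmetic.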
@@ -2,61 +2,70 @@ open Mirage_crypto.Uncommon
 let bit_bound z = Z.size z * 64
-let of_cstruct_be ?bits cs =
- let open Cstruct in
- let open BE in
+(* revise once OCaml 4.13 is the lower bound *)
+let string_get_int64_be buf idx =
+ Bytes.get_int64_be (Bytes.unsafe_of_string buf) idx
+
+let string_get_int32_be buf idx =
+ Bytes.get_int32_be (Bytes.unsafe_of_string buf) idx
+
+let string_get_uint16_be buf idx =
+ Bytes.get_uint16_be (Bytes.unsafe_of_string buf) idx
+
+let string_get_uint8 buf idx =
+ Bytes.get_uint8 (Bytes.unsafe_of_string buf) idx
+
+let of_octets_be ?bits buf =
 let rec loop acc i = function
 | b when b >= 64 ->
- let x = get_uint64 cs i in
- let x = Z.of_int64 Int64.(shift_right_logical x 8) in
+ let x = string_get_int64_be buf i in
+ let x = Z.of_int64_unsigned Int64.(shift_right_logical x 8) in
 loop Z.(x + acc lsl 56) (i + 7) (b - 56)
 | b when b >= 32 ->
- let x = get_uint32 cs i in
- let x = Z.of_int32 Int32.(shift_right_logical x 8) in
+ let x = string_get_int32_be buf i in
+ let x = Z.of_int32_unsigned Int32.(shift_right_logical x 8) in
 loop Z.(x + acc lsl 24) (i + 3) (b - 24)
 | b when b >= 16 ->
- let x = Z.of_int (get_uint16 cs i) in
+ let x = Z.of_int (string_get_uint16_be buf i) in
 loop Z.(x + acc lsl 16) (i + 2) (b - 16)
 | b when b >= 8 ->
- let x = Z.of_int (get_uint8 cs i) in
+ let x = Z.of_int (string_get_uint8 buf i) in
 loop Z.(x + acc lsl 8 ) (i + 1) (b - 8 )
 | b when b > 0 ->
- let x = get_uint8 cs i and b' = 8 - b in
+ let x = string_get_uint8 buf i and b' = 8 - b in
 Z.(of_int x asr b' + acc lsl b)
 | _ -> acc in
 loop Z.zero 0 @@ match bits with
- | None -> Cstruct.length cs * 8
- | Some b -> imin b (Cstruct.length cs * 8)
+ | None -> String.length buf * 8
+ | Some b -> imin b (String.length buf * 8)
 let byte1 = Z.of_int64 0xffL
 and byte2 = Z.of_int64 0xffffL
 and byte3 = Z.of_int64 0xffffffL
 and byte7 = Z.of_int64 0xffffffffffffffL
-let into_cstruct_be n cs =
- let open Cstruct in
- let open BE in
+let into_octets_be n buf =
 let rec
write n = function
 | i when i >= 7 ->
- set_uint64 cs (i - 7) Z.(to_int64 (n land byte7)) ;
+ Bytes.set_int64_be buf (i - 7) Z.(to_int64_unsigned (n land byte7)) ;
 write Z.(n asr 56) (i - 7)
 | i when i >= 3 ->
- set_uint32 cs (i - 3) Z.(to_int32 (n land byte3)) ;
+ Bytes.set_int32_be buf (i - 3) Z.(to_int32_unsigned (n land byte3)) ;
 write Z.(n asr 24) (i - 3)
 | i when i >= 1 ->
- set_uint16 cs (i - 1) Z.(to_int (n land byte2)) ;
+ Bytes.set_uint16_be buf (i - 1) Z.(to_int (n land byte2)) ;
 write Z.(n asr 16) (i - 2)
- | 0 -> set_uint8 cs 0 Z.(to_int (n land byte1)) ;
+ | 0 -> Bytes.set_uint8 buf 0 Z.(to_int (n land byte1)) ;
 | _ -> () in
- write n (length cs - 1)
+ write n (Bytes.length buf - 1)
-let to_cstruct_be ?size n =
- let cs = Cstruct.create_unsafe @@ match size with
+let to_octets_be ?size n =
+ let buf = Bytes.create @@ match size with
 | Some s -> imax 0 s
 | None -> Z.numbits n // 8 in
- ( into_cstruct_be n cs ; cs )
-
+ into_octets_be n buf;
+ Bytes.unsafe_to_string buf
 (* Handbook of Applied Cryptography, Table 4.4:
 * Miller-Rabin rounds for composite probability <= 1/2^80. *)
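Review bot: `to_octets_be` replaces `Cstruct.create_unsafe` with `Bytes.create`, which also leaves the buffer uninitialised; the result carries no stale heap bytes only because `into_octets_be` writes every position from `Bytes.length buf - 1` down to 0 (each arm fills the bytes down to the index it recurses on, so no byte is skipped), and the `Bytes.unsafe_to_string buf` is sound only because `buf` is not retained. Both are invariants a later edit could break silently, so state them next to the code: `(* Bytes.create is uninitialised: into_octets_be must cover every byte *)` and `(* buf is not used after this point *)`. The four `string_get_*` shims are fine, but the single `(* revise once OCaml 4.13 is the lower bound *)` line only precedes the first; a slightly fuller sentence above the group, such as `(* String.get_int64_be & co. exist from OCaml 4.13; these wrappers avoid a copy until then *)`, makes clear it covers all of them.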
@@ -90,22 +99,36 @@ let gen ?g n =
 let batch = if Mirage_crypto_rng.strict g then octets else 2 * octets // bs * bs in
- let rec attempt cs =
- if cs.Cstruct.len >= octets then
- let x = of_cstruct_be ~bits cs in
- if x < n then x else attempt (Cstruct.shift cs octets)
- else attempt (Mirage_crypto_rng.generate ?g batch) in
- attempt (Mirage_crypto_rng.generate ?g batch)
+ let rec attempt buf =
+ if String.length buf >= octets then
+ let x = of_octets_be ~bits buf in
+ if x < n then x else attempt (String.sub buf octets (String.length buf - octets))
+ else attempt (Cstruct.to_string (Mirage_crypto_rng.generate ?g batch)) in
+ attempt (Cstruct.to_string (Mirage_crypto_rng.generate ?g batch))
 let rec gen_r ?g a b =
 if Mirage_crypto_rng.strict g then
 let x = gen ?g b in
 if x < a then gen_r ?g a b else x
 else Z.(a + gen ?g (b - a))
+
+let set_msb bits buf =
+ if bits > 0 then
+ let n = Bytes.length buf in
+ let rec go width = function
+ | i when i = n -> ()
+ | i when width < 8 ->
+ Bytes.set_uint8 buf i (Bytes.get_uint8 buf i lor (0xff lsl (8 - width)))
+ | i ->
+ Bytes.set_uint8 buf i 0xff ;
+ go (width - 8) (succ i)
+ in
+ go bits 0
+
 let gen_bits ?g ?(msb = 0) bits =
- let res = Mirage_crypto_rng.generate ?g (bits // 8) in
- Cs.set_msb msb res ;
- of_cstruct_be ~bits res
+ let res = Cstruct.to_bytes (Mirage_crypto_rng.generate ?g (bits // 8)) in
+ set_msb msb res ;
+ of_octets_be ~bits (Bytes.unsafe_to_string res)
 (* Invalid combinations of ~bits and ~msb will loop forever, but there is no
 * way to quickly determine upfront whether there are any primes in the
diff --git a/src/mirage_crypto.mli b/src/mirage_crypto.mli
index 73987744..231f433c 100644
--- a/src/mirage_crypto.mli
+++ b/src/mirage_crypto.mli
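Review bot: `attempt` now copies the unconsumed tail with `String.sub buf octets (String.length buf - octets)` on every rejected candidate, where the old `Cstruct.shift` was a zero-copy view; with `batch` bounded by `2 * octets // bs * bs` the cost is small, but carrying an offset (`let rec attempt buf off = if String.length buf - off >= octets then ...`) and taking a single `String.sub` only for the candidate handed to `of_octets_be` keeps the original behaviour without the per-retry allocation. `set_msb` was moved here from `Cs` without a doc comment; please add one stating the contract visible in the code: `(* [set_msb bits buf] sets the [bits] most significant bits of [buf] to 1; no-op for [bits <= 0], stops at the end of [buf]. *)`. `gen` starts before this hunk.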
@@ -42,16 +42,10 @@ module Uncommon : sig
 val clone : ?len:int -> Cstruct.t -> Cstruct.t
- val (lsl) : Cstruct.t -> int -> Cstruct.t
- val b : int -> Cstruct.t
 val of_bytes : int list -> Cstruct.t
- val set_msb : int -> Cstruct.t -> unit
-
- val is_prefix : Cstruct.t -> Cstruct.t -> bool
- val split3 : Cstruct.t -> int -> int -> Cstruct.t * Cstruct.t * Cstruct.t
 end
@@ -60,6 +54,9 @@ module Uncommon : sig
 val iter2 : 'a -> 'a -> ('a -> unit) -> unit
 val iter3 : 'a -> 'a -> 'a -> ('a -> unit) -> unit
+ val xor : string -> string -> string
+ val xor_into : string -> bytes -> int -> unit
+
 val invalid_arg : ('a, Format.formatter, unit, unit, unit, 'b) format6 -> 'a
 val failwith : ('a, Format.formatter, unit, unit, unit, 'b) format6 -> 'a
 end
diff --git a/src/uncommon.ml b/src/uncommon.ml
index f2175038..e186aaa8 100644
--- a/src/uncommon.ml
+++ b/src/uncommon.ml
@@ -18,6 +18,15 @@ type 'a iter = ('a -> unit) -> unit
 let iter2 a b f = f a; f b
 let iter3 a b c f = f a; f b; f c
+let xor_into src dst n =
+ Native.xor_into_bytes src 0 dst 0 n
+
+let xor a b =
+ assert (String.length a = String.length b);
+ let b' = Bytes.copy (Bytes.unsafe_of_string b) in
+ xor_into a b' (Bytes.length b');
+ Bytes.unsafe_to_string b'
+
 module Cs = struct
 open Cstruct
@@ -39,19 +48,6 @@ module Cs = struct
 let cs = clone ~len cs2 in
 ( xor_into cs1 cs len ; cs )
- let is_prefix cs0 cs = cs0.len <= cs.len && equal cs0 (sub cs 0 cs0.len)
-
- let set_msb bits cs =
- if bits > 0 then
- let n = length cs in
- let rec go width = function
- | i when i = n -> ()
- | i when width < 8 ->
- set_uint8 cs i (get_uint8 cs i lor (0xff lsl (8 - width)))
- | i ->
- set_uint8 cs i 0xff ; go (width - 8) (succ i) in
- go bits 0
-
 let split3 cs l1 l2 =
 let l12 = l1 + l2 in
 (sub cs 0 l1, sub cs l1 l2, sub cs l12 (length cs - l12))
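Review bot: The two new public values `xor` and `xor_into` in the `Uncommon` signature carry no doc comment, unlike the surrounding entries of this .mli; state the contract the uncommon.ml implementation in this patch has: `(** [xor a b] is the byte-wise XOR of [a] and [b], which must have the same length. *)` and `(** [xor_into src dst n] XORs the first [n] bytes of [src] into [dst] in place; [src] and [dst] must both hold at least [n] bytes. *)`.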
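Review bot: `xor` guards its equal-length precondition with `assert`, which is compiled out under `-noassert`; the call then passes `Bytes.length b'` to `xor_into` regardless of `String.length a`, and nothing in this hunk shows `Native.xor_into_bytes` checking that `src` holds `n` bytes, so a shorter `a` could become an out-of-bounds read in native code. Use an unconditional check instead, `if String.length a <> String.length b then invalid_arg "xor: length mismatch";` (the format-style `invalid_arg` this module exports accepts a plain literal). Since `xor_into` is also reached from `MGF1.mask` in rsa.ml with `n = String.length buf`, a bounds check inside `xor_into` itself, `if n < 0 || n > String.length src || n > Bytes.length dst then invalid_arg "xor_into: out of bounds";`, would cover every caller once.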
@@ -78,25 +74,4 @@ module Cs = struct
 let b x = let cs = Cstruct.create_unsafe 1 in ( set_uint8 cs 0 x ; cs )
- let rec shift_left_inplace cs = function
- | 0 -> ()
- | bits when bits mod 8 = 0 ->
- let off = bits / 8 in
- blit cs off cs 0 (cs.len - off) ;
- memset (shift cs (cs.len - off)) 0x00
- | bits when bits < 8 ->
- let foo = 8 - bits in
- for i = 0 to cs.len - 2 do
- let b1 = get_uint8 cs i
- and b2 = get_uint8 cs (i + 1) in
- set_uint8 cs i ((b1 lsl bits) lor (b2 lsr foo))
- done ;
- set_uint8 cs (cs.len - 1) @@ get_uint8 cs (cs.len - 1) lsl bits
- | bits ->
- shift_left_inplace cs (8 * (bits / 8)) ;
- shift_left_inplace cs (bits mod 8)
-
- let (lsl) cs bits =
- let cs' = clone cs in
- shift_left_inplace cs' bits ; cs'
 end
diff --git a/tests/test_common.ml b/tests/test_common.ml
index e743432e..a64b0b96 100644
--- a/tests/test_common.ml
+++ b/tests/test_common.ml
@@ -57,9 +57,11 @@ let assert_cs_equal ?msg =
 assert_equal ~cmp:Cstruct.equal ?msg ~pp_diff:(pp_diff Cstruct.hexdump_pp)
+let pp_octets pp ppf (a, b) =
+ pp Cstruct.hexdump_pp ppf (Cstruct.of_string a, Cstruct.of_string b)
+
 let assert_str_equal ?msg =
- assert_equal ~cmp:String.equal ?msg
- ~pp_diff:(fun ppf (a, b) -> pp_diff Cstruct.hexdump_pp ppf (Cstruct.of_string a, Cstruct.of_string b))
+ assert_equal ~cmp:String.equal ?msg ~pp_diff:(pp_octets pp_diff)
 let iter_list xs f = List.iter f xs
diff --git a/tests/test_dh.ml b/tests/test_dh.ml
index ae277bb3..f43dfc07 100644
--- a/tests/test_dh.ml
+++ b/tests/test_dh.ml
@@ -12,13 +12,15 @@ let dh_selftest ~bits n = let sh1 = Dh.shared s1 m2 and sh2 = Dh.shared s2 m1 in assert_equal sh1 sh2 - ~cmp:(eq_opt Cstruct.equal) - ~pp_diff:(pp_diff (pp_opt Cstruct.hexdump_pp)) + ~cmp:(eq_opt String.equal) + ~pp_diff:(pp_diff (fun ppf -> function + | None -> Format.fprintf ppf "None" + | Some a -> Format.fprintf ppf "Some(%a)" Cstruct.hexdump_pp (Cstruct.of_string a))) ~msg:"shared secret" let dh_shared_0 = "shared_0" >:: fun _ -> - let gy = vx + let gy = vx_str "14 ac e2 c0 9c c0 0c 25 89 71 b2 d0 1c 94 58 21 02 23 b7 23 ec 3e 24 e5 a3 c2 fd 16 cc 49 f0 e2 87 62 a5 a0 73 f5 de 5b 9b eb c3 60 0b a4 03 38 @@ -31,7 +33,7 @@ let dh_shared_0 = a5 23 69 38 7e ec b5 fc 4b 89 42 c4 32 fa e5 58 6f 39 5d a7 4e cd b5 da dc 1e 52 fe a4 33 72 c1 82 48 8a 5b c1 44 bc 60 9b 38 5b 80 5f 44 14 93" - and s = vx + and s = vx_str "f9 47 87 95 d2 a1 6d d1 7c c8 a9 c0 71 28 a2 82 71 95 7e 79 87 0b fc 34 a2 42 ec 42 ac cc 42 81 7b f6 c4 f5 80 a9 70 e3 35 93 9b a3 21 81 a4 e3 @@ -44,7 +46,7 @@ let dh_shared_0 = 29 22 63 6e bb 1a 7f 93 bd 98 db 20 94 f8 f0 2e db ce 9d 79 db b9 a7 41 5f e5 29 a2 31 f8 e2 c3 30 6a 09 f2 16 a7 30 8c 2f 36 7b 71 99 1e 28 54" - and shared = vx + and shared = vx_str "a7 40 0d eb f0 4b 2b ec cb 90 3c 55 2d 3c 17 63 b2 4b 4e 1a ff 1e a0 24 c6 56 e3 5e 44 7b d0 01 ef b3 6b 57 20 0e 15 95 b1 53 1a 83 16 3a b1 61 @@ -62,7 +64,7 @@ let dh_shared_0 = match Dh.(shared (fst (key_of_secret grp ~s)) gy) with | None -> assert_failure "degenerate shared secret" | Some shared' -> - assert_cs_equal ~msg:"shared secret" shared shared' + assert_str_equal ~msg:"shared secret" shared shared' let suite = [ dh_selftest ~bits:16 1000 ; diff --git a/tests/test_dsa.ml b/tests/test_dsa.ml index 16500061..cfef2a50 100644 --- a/tests/test_dsa.ml +++ b/tests/test_dsa.ml @@ -6,8 +6,6 @@ open Mirage_crypto_pk open Test_common -let hex = Cstruct.of_hex - (* # CAVS 11.2 # "SigGen" information for "dsa2_values" 
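Review bot: The new `~pp_diff` argument hand-writes the `None`/`Some` printer that the removed line obtained from `pp_opt`, so the option-printing logic now exists twice; nothing in this diff removes `pp_opt`, so it presumably remains available from Test_common. Lifting only the element printer keeps the old shape: `~pp_diff:(pp_diff (pp_opt (fun ppf s -> Cstruct.hexdump_pp ppf (Cstruct.of_string s))))`. The body of `dh_selftest` starts above this hunk.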
@@ -16,36 +14,36 @@ let hex = Cstruct.of_hex *) let dsa_test ~priv ~msg ?k ~r ~s ~hash _ = - let hmsg = Hash.digest hash msg in + let hmsg = Cstruct.to_string (Hash.digest hash (Cstruct.of_string msg)) in let (r', s') = Dsa.sign ~mask:`No ~key:priv ?k hmsg in - assert_cs_equal ~msg:"computed r" r r' ; - assert_cs_equal ~msg:"computed s" s s' ; + assert_str_equal ~msg:"computed r" r r' ; + assert_str_equal ~msg:"computed s" s s' ; (* now with masking *) let (r', s') = Dsa.sign ~key:priv ?k hmsg in - assert_cs_equal ~msg:"computed r (masked)" r r' ; - assert_cs_equal ~msg:"computed s (masked)" s s' ; + assert_str_equal ~msg:"computed r (masked)" r r' ; + assert_str_equal ~msg:"computed s (masked)" s s' ; let pub = Dsa.pub_of_priv priv in assert_bool "verify of given r, s" (Dsa.verify ~key:pub (r, s) hmsg) ; assert_bool "verify of computed r, s" (Dsa.verify ~key:pub (r', s') hmsg) -let params ~p ~q ~g = Cstruct.(of_hex p, of_hex q, of_hex g) +let params ~p ~q ~g = vx_str p, vx_str q, vx_str g let priv_of f ~p ~q ~gg ~x ~y = match Dsa.priv ~fips:true ~p:(f p) ~q:(f q) ~gg:(f gg) ~x:(f x) ~y:(f y) () with | Ok dsa -> dsa | Error (`Msg m) -> invalid_arg "bad DSA private key %s" m -let priv_of_cs = priv_of Z_extra.of_cstruct_be -let priv_of_hex = priv_of (fun cs -> hex cs |> Z_extra.of_cstruct_be) +let priv_of_cs = priv_of Z_extra.of_octets_be +let priv_of_hex = priv_of (fun cs -> vx_str cs |> Z_extra.of_octets_be) let case_of ~domain ~hash ~x ~y ~k ~r ~s ~msg = let (p, q, gg) = domain in - let priv = priv_of_cs ~p ~q ~gg ~x:(hex x) ~y:(hex y) - and (r, s) = Cstruct.(of_hex r, of_hex s) - and k = Z_extra.of_cstruct_be (hex k) - and msg = hex msg in + let priv = priv_of_cs ~p ~q ~gg ~x:(vx_str x) ~y:(vx_str y) + and (r, s) = vx_str r, vx_str s + and k = Z_extra.of_octets_be (vx_str k) + and msg = vx_str msg in dsa_test ~priv ~msg ~k ~r ~s ~hash let sha1_cases = 
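Review bot: `let hmsg = Cstruct.to_string (Hash.digest hash (Cstruct.of_string msg)) in` spells out the string to Cstruct to digest to string round trip inline, and the same expression recurs in `test_rfc6979` (the `@@ -2189` hunk) and, through the opened `Hash.SHA1.digest`, in the `test_rsa.ml` selftests (the `@@ -107` and `@@ -143` hunks). One helper in Test_common, e.g. `let digest_str hash msg = Cstruct.to_string (Hash.digest hash (Cstruct.of_string msg))`, would reduce each call site to a single application and give one place to delete the conversions once the hash API itself moves to strings. Separately, `priv_of_cs` keeps its `_cs` suffix although it now builds the key from octet strings via `Z_extra.of_octets_be`; a name such as `priv_of_octets` would describe what it takes.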
@@ -2189,14 +2187,14 @@ let sha512_n256_cases2 = let private_key ~p ~q ~g ~x ~y = priv_of_hex ~p ~q ~gg:g ~x ~y let test_rfc6979 ~priv ~msg ~hash ~k ~r ~s _ = - let h1 = Hash.digest hash msg in + let h1 = Cstruct.to_string (Hash.digest hash (Cstruct.of_string msg)) in let k' = let module H = (val (Hash.module_of hash)) in let module K = Dsa.K_gen (H) in K.generate ~key:priv h1 in - assert_cs_equal + assert_str_equal ~msg:"computed k" k - (Z_extra.to_cstruct_be ~size:(Z.numbits priv.Dsa.q // 8) k') ; + (Z_extra.to_octets_be ~size:(Z.numbits priv.Dsa.q // 8) k') ; dsa_test ~priv ~msg ~k:k' ~r ~s ~hash () @@ -2219,7 +2217,7 @@ let rfc6979_dsa_1024 = in let case ~msg ~hash ~k ~r ~s = - test_rfc6979 ~priv ~msg:(Cstruct.of_string msg) ~k:(hex k) ~r:(hex r) ~s:(hex s) ~hash + test_rfc6979 ~priv ~msg ~k:(vx_str k) ~r:(vx_str r) ~s:(vx_str s) ~hash in [ case ~msg:"sample" ~hash:`SHA1 ~k:"7BDB6B0FF756E1BB5D53583EF979082F9AD5BD5B" @@ -2303,7 +2301,7 @@ let rfc6979_dsa_2048 = in let case ~msg ~hash ~k ~r ~s = - test_rfc6979 ~priv ~msg:(Cstruct.of_string msg) ~k:(hex k) ~r:(hex r) ~s:(hex s) ~hash + test_rfc6979 ~priv ~msg ~k:(vx_str k) ~r:(vx_str r) ~s:(vx_str s) ~hash in [ case ~hash:`SHA1 ~msg:"sample" ~k:"888FA6F7738A41BDC9846466ABDB8174C0338250AE50CE955CA16230F9CBD53E" diff --git a/tests/test_numeric.ml b/tests/test_numeric.ml index ad57dbd0..47b44889 100644 --- a/tests/test_numeric.ml +++ b/tests/test_numeric.ml 
@@ -8,16 +8,16 @@ open Test_common let n_encode_decode_selftest ~typ ~bound n = typ ^ "selftest" >:: times ~n @@ fun _ -> let r = Z_extra.gen bound in - let s = Z_extra.(of_cstruct_be @@ to_cstruct_be r) - and t = Z_extra.(of_cstruct_be @@ to_cstruct_be ~size:24 r) in + let s = Z_extra.(of_octets_be @@ to_octets_be r) + and t = Z_extra.(of_octets_be @@ to_octets_be ~size:24 r) in assert_equal r s; assert_equal r t let n_decode_reencode_selftest ~typ ~bytes n = typ ^ " selftest" >:: times ~n @@ fun _ -> - let cs = Mirage_crypto_rng.generate bytes in - let cs' = Z_extra.(to_cstruct_be ~size:bytes @@ of_cstruct_be cs) in - assert_cs_equal cs cs' + let cs = Cstruct.to_string (Mirage_crypto_rng.generate bytes) in + let cs' = Z_extra.(to_octets_be ~size:bytes @@ of_octets_be cs) in + assert_str_equal cs cs' let random_n_selftest ~typ n bounds = typ ^ " selftest" >::: ( diff --git a/tests/test_rsa.ml b/tests/test_rsa.ml index a580f18a..e0d79a91 100644 --- a/tests/test_rsa.ml +++ b/tests/test_rsa.ml @@ -32,7 +32,7 @@ module Null = struct end let random_is seed = - Mirage_crypto_rng.create ~seed (module Null) + Mirage_crypto_rng.create ~seed:(Cstruct.of_string seed) (module Null) let gen_rsa ~bits = let e = Z.(if bits < 24 then ~$3 else ~$0x10001) in @@ -89,12 +89,12 @@ let rsa_selftest ~bits n = Cstruct.(set_uint8 cs i (get_uint8 cs i lor 2)); cs in let key = gen_rsa ~bits in - let enc = Rsa.(encrypt ~key:(pub_of_priv key) msg) in + let enc = Rsa.(encrypt ~key:(pub_of_priv key) (Cstruct.to_string msg)) in let dec = Rsa.(decrypt ~key enc) in - assert_cs_equal + assert_str_equal ~msg:Printf.(sprintf "failed decryption with") - msg dec + (Cstruct.to_string msg) dec let show_key_size key = Printf.sprintf "(%d bits)" (Rsa.priv_bits key) 
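Review bot: `Cstruct.to_string msg` is evaluated twice in the new lines of `rsa_selftest`, once as the argument to `Rsa.encrypt` and again as the first operand of `assert_str_equal`. Binding the converted message once, `let msg = Cstruct.to_string msg in` directly after `let key = gen_rsa ~bits in`, removes the repetition and lets the assertion read `msg dec` as it did before. The enclosing function starts above this hunk.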
@@ -107,34 +107,34 @@ let pkcs_message_for_bits bits = let rsa_pkcs1_encode_selftest ~bits n = "selftest" >:: times ~n @@ fun _ -> let key = gen_rsa ~bits - and msg = pkcs_message_for_bits bits in + and msg = Cstruct.to_string (pkcs_message_for_bits bits) in let sgn = Rsa.PKCS1.sig_encode ~key msg in match Rsa.(PKCS1.sig_decode ~key:(pub_of_priv key) sgn) with | None -> assert_failure ("unpad failure " ^ show_key_size key) - | Some dec -> assert_cs_equal msg dec + | Some dec -> assert_str_equal msg dec ~msg:("recovery failure " ^ show_key_size key) let rsa_pkcs1_sign_selftest n = let open Hash.SHA1 in "selftest" >:: times ~n @@ fun _ -> let key = gen_rsa ~bits:(Rsa.PKCS1.min_key `SHA1) - and msg = Mirage_crypto_rng.generate 47 in + and msg = Cstruct.to_string (Mirage_crypto_rng.generate 47) in let pkey = Rsa.pub_of_priv key in assert_bool "invert 1" Rsa.PKCS1.( verify ~key:pkey ~hashp:any (`Message msg) - ~signature:(sign ~hash:`SHA1 ~key (`Digest (digest msg))) ); + ~signature:(sign ~hash:`SHA1 ~key (`Digest (Cstruct.to_string (digest (Cstruct.of_string msg))))) ); assert_bool "invert 2" Rsa.PKCS1.( - verify ~key:pkey ~hashp:any (`Digest (digest msg)) + verify ~key:pkey ~hashp:any (`Digest (Cstruct.to_string (digest (Cstruct.of_string msg)))) ~signature:(sign ~hash:`SHA1 ~key (`Message msg)) ) let rsa_pkcs1_encrypt_selftest ~bits n = "selftest" >:: times ~n @@ fun _ -> let key = gen_rsa ~bits - and msg = pkcs_message_for_bits bits in + and msg = Cstruct.to_string (pkcs_message_for_bits bits) in let enc = Rsa.(PKCS1.encrypt ~key:(pub_of_priv key) msg) in match Rsa.PKCS1.decrypt ~key enc with | None -> assert_failure ("unpad failure " ^ show_key_size key) - | Some dec -> assert_cs_equal msg dec + | Some dec -> assert_str_equal msg dec ~msg:("recovery failure " ^ show_key_size key) let rsa_oaep_encrypt_selftest ~bits n = 
@@ -143,23 +143,23 @@ let rsa_oaep_encrypt_selftest ~bits n = let module H = (val (Hash.module_of (sample hashes))) in let module OAEP = Rsa.OAEP (H) in let key = gen_rsa ~bits - and msg = Mirage_crypto_rng.generate (bits // 8 - 2 * H.digest_size - 2) in + and msg = Cstruct.to_string (Mirage_crypto_rng.generate (bits // 8 - 2 * H.digest_size - 2)) in let enc = OAEP.encrypt ~key:(Rsa.pub_of_priv key) msg in match OAEP.decrypt ~key enc with | None -> assert_failure "unpad failure" - | Some dec -> assert_cs_equal msg dec ~msg:"recovery failure" + | Some dec -> assert_str_equal msg dec ~msg:"recovery failure" let rsa_pss_sign_selftest ~bits n = let module Pss_sha1 = Rsa.PSS (Hash.SHA1) in let open Hash.SHA1 in "selftest" >:: times ~n @@ fun _ -> let key = gen_rsa ~bits - and msg = Mirage_crypto_rng.generate 1024 in + and msg = Cstruct.to_string (Mirage_crypto_rng.generate 1024) in let pkey = Rsa.pub_of_priv key in Pss_sha1.(verify ~key:pkey (`Message msg) - ~signature:(sign ~key (`Digest (digest msg)))) + ~signature:(sign ~key (`Digest (Cstruct.to_string (digest (Cstruct.of_string msg)))))) |> assert_bool "invert 1" ; - Pss_sha1.(verify ~key:pkey (`Digest (digest msg)) + Pss_sha1.(verify ~key:pkey (`Digest (Cstruct.to_string (digest (Cstruct.of_string msg)))) ~signature:(Pss_sha1.sign ~key (`Message msg))) |> assert_bool "invert 2" @@ -175,10 +175,10 @@ let rsa_pkcs1_cases = in let case ~hash ~msg ~sgn = test_case @@ fun _ -> - let msg = vx msg and sgn = vx sgn in + let msg = vx_str msg and sgn = vx_str sgn in let key, public = key () in Rsa.(PKCS1.sign ~hash ~key (`Message msg)) - |> assert_cs_equal ~msg:"recomputing sig:" sgn ; + |> assert_str_equal ~msg:"recomputing sig:" sgn ; Rsa.(PKCS1.verify ~hashp:any ~key:public ~signature:sgn (`Message msg)) |> assert_bool "sig verification" in 
@@ -228,11 +228,11 @@ let rsa_pss_cases =
 let case ~hash ~msg ~sgn = test_case @@ fun _ -> let module H = (val (Hash.module_of hash)) in let module Pss = Rsa.PSS (H) in
- let msg = vx msg and sgn = vx sgn and salt = vx salt in
+ let msg = vx_str msg and sgn = vx_str sgn and salt = vx_str salt in
 let key, public = key () in
- let slen = Cstruct.length salt in
+ let slen = String.length salt in
 Pss.sign ~g:(random_is salt) ~slen ~mask:`No ~key (`Message msg)
- |> assert_cs_equal ~msg:"recomputing sig:" sgn ;
+ |> assert_str_equal ~msg:"recomputing sig:" sgn ;
 Pss.verify ~key:public ~slen ~signature:sgn (`Message msg) |> assert_bool "sig verification" in