From b29012c45349025975c5655c003cdf299e85bea0 Mon Sep 17 00:00:00 2001
From: Ariadne Conill <ariadne@dereferenced.org>
Date: Mon, 20 Sep 2021 06:32:35 -0600
Subject: [PATCH] main/botan: add mitigation for CVE-2021-40529
---
main/botan/APKBUILD | 14 +-
main/botan/CVE-2021-40529.patch | 132 ++++++++++++++
main/botan/dl-exponents.patch | 304 ++++++++++++++++++++++++++++++++
3 files changed, 447 insertions(+), 3 deletions(-)
create mode 100644 main/botan/CVE-2021-40529.patch
create mode 100644 main/botan/dl-exponents.patch
diff --git a/main/botan/APKBUILD b/main/botan/APKBUILD
index 6214b79bacb9..5fe0b4453436 100644
--- a/main/botan/APKBUILD
+++ b/main/botan/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=botan
pkgver=2.18.1
-pkgrel=2
+pkgrel=3
pkgdesc="Crypto and TLS for C++11"
url="https://botan.randombit.net/"
arch="all"
@@ -10,10 +10,14 @@ license="BSD-2-Clause"
depends_dev="boost-dev bzip2-dev openssl1.1-compat-dev sqlite-dev xz-dev zlib-dev"
makedepends="$depends_dev python3"
subpackages="$pkgname-dev $pkgname-doc $pkgname-libs"
-source="https://botan.randombit.net/releases/Botan-$pkgver.tar.xz"
+source="https://botan.randombit.net/releases/Botan-$pkgver.tar.xz
+ dl-exponents.patch
+ CVE-2021-40529.patch"
builddir="$srcdir/Botan-$pkgver"
# secfixes:
+# 2.18.1-r3:
+# - CVE-2021-40529
# 2.17.3-r0:
# - CVE-2021-24115
# 2.9.0-r0:
@@ -57,4 +61,8 @@ package() {
rm -rf "$pkgdir"/usr/lib/python*
}
-sha512sums="2f11d1ab703d977a2d64504d2a2489ce56109a2a6c46c0dc7c8db428470ce511bcc0160f70baedad29237abd5e1622f2c155ea58c4dec4d3ae57ee7b350415c3 Botan-2.18.1.tar.xz"
+sha512sums="
+2f11d1ab703d977a2d64504d2a2489ce56109a2a6c46c0dc7c8db428470ce511bcc0160f70baedad29237abd5e1622f2c155ea58c4dec4d3ae57ee7b350415c3 Botan-2.18.1.tar.xz
+e0d5e2c07d1ea66def33cbf8d64ba87eeb46c10ff0c14a54bc518b87a668a74a184e18b89440a2ef4b78ddf97cb4e2b02f1a70b4bbf705170715e353b2abbddb dl-exponents.patch
+fd5d29ea98de0f0ddc63340270f118a2a633e740d604cf030780fdca46a87733654c38c01f933bb607f92cbb3750250a1af6ef9fe26fec601bbe8c9f079a6660 CVE-2021-40529.patch
+"
diff --git a/main/botan/CVE-2021-40529.patch b/main/botan/CVE-2021-40529.patch
new file mode 100644
index 000000000000..c864ef5838ed
--- /dev/null
+++ b/main/botan/CVE-2021-40529.patch
@@ -0,0 +1,132 @@
+From 9a23e4e3bc3966340531f2ff608fa9d33b5185a2 Mon Sep 17 00:00:00 2001
+From: Jack Lloyd <jack@randombit.net>
+Date: Tue, 3 Aug 2021 18:20:29 -0400
+Subject: [PATCH] Avoid using short exponents with ElGamal
+
+Some off-brand PGP implementation generates keys where p - 1 is
+smooth, as a result short exponents can leak enough information about
+k to allow decryption.
+---
+ src/lib/pubkey/elgamal/elgamal.cpp | 8 +++-
+ src/tests/data/pubkey/elgamal_decrypt.vec | 45 +++++++++++++++++++++++
+ src/tests/data/pubkey/elgamal_encrypt.vec | 17 ++++++---
+ 3 files changed, 62 insertions(+), 8 deletions(-)
+
+diff --git a/src/lib/pubkey/elgamal/elgamal.cpp b/src/lib/pubkey/elgamal/elgamal.cpp
+index b3ec6df2cb..0e33c2ca5f 100644
+--- a/src/lib/pubkey/elgamal/elgamal.cpp
++++ b/src/lib/pubkey/elgamal/elgamal.cpp
+@@ -113,8 +113,12 @@ ElGamal_Encryption_Operation::raw_encrypt(const uint8_t msg[], size_t msg_len,
+ if(m >= m_group.get_p())
+ throw Invalid_Argument("ElGamal encryption: Input is too large");
+
+- const size_t k_bits = m_group.exponent_bits();
+- const BigInt k(rng, k_bits);
++ /*
++ Some ElGamal implementations foolishly use prime fields where p - 1 is
++ smooth, as a result it is unsafe to use short exponents.
++ */
++ const size_t k_bits = m_group.p_bits() - 1;
++ const BigInt k(rng, k_bits, false);
+
+ const BigInt a = m_group.power_g_p(k, k_bits);
+ const BigInt b = m_group.multiply_mod_p(m, monty_execute(*m_monty_y_p, k, k_bits));
+diff --git a/src/tests/data/pubkey/elgamal_decrypt.vec b/src/tests/data/pubkey/elgamal_decrypt.vec
+index f676be50e7..a9d9dd1679 100644
+--- a/src/tests/data/pubkey/elgamal_decrypt.vec
++++ b/src/tests/data/pubkey/elgamal_decrypt.vec
+@@ -58,3 +58,48 @@ G = 4956716650468111499852968442558584961751486202697832959709919208796153871740
+ X = 4304232149632055597449717737864742436448127103739097
+ Msg = F73BB7E5C8A5619380
+ Ciphertext = C9881464A37749949D66D75CD9B7A8ACAD33DD1FAC7561F684E9CB5343D2ED15969D7EDB4135518B50F0FEC9A9559C1D5E44DAB42C14BBDE2D2711EA4D02D7F27D1A9BCFEC9E8B73FA64BA3C54707FDDE7D5BE695E17FB9D259FB576FD4E57D66C8F727DC236E2A6E9FD01709D34B8D09F7DD3890F003EBE616042B4E0A8A00F6C3F34DE7E002FE72A84AF8D014D64E8CD08B9B56CC3A6BBE6F966B92105A92C5ABF4F2BF735670622F6213FE9739FAD65692E1C0EBF708A47E18600A22972A5A3DA0F22D11C581D46F734151A083FF757E961351EB183B467A859FBB9ED1DAC396FA405701FD6E3A62EB126E93648C3C6DFA9C4DBF3C005880F4799F66B310E
++
++P = 0xFFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF
++G = 0x02
++X = 0xCC13EE3533858E0F0024FFC935DC5BD297DEC9385AC8EF7E
++Msg = 1C
++Ciphertext = D73F6E5CEF558B92C924FEC2329774ACD75E7CEA04D2485F07920EF4E5B86E361E23E42AB6F3A97F5B1F46218BF3C00E93A2EA981B8BB48EDD020A3F96D61FDA0F3E4D26F5538B2179B7D7E333CE78414F18E6CD0AE74C3F44FBFAC9121A3A6CF80C85E89280F9BC476078F9FD686A6500590B1AD75616C0A92BC73838A6D4437368304638242BCD628A72EA432FE7C1892922136B3C19B39990980185328E5BBD35DE42549819C8E301348320BA80602E751172D9ACAA8E0B67FB97996310BC0C14B9E40626FE54138851E4BC4CA4CB2F0A1F3D3F042556A4942B2B03B4C2F75E50260365865FEE0050DAC3604E78708715549FF878F1B337D6ABF8B695462F
++
++P = 0xFFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF
++G = 0x02
++X = 0x8D81343C4994DAF21AD0E6CB88C74F55529925EC953381470B72B3C8
++Msg = 7F0CCACA157707BF03
++Ciphertext = 2EDE1A9F975FCAF943AEEB51EB37EAEDF54C4D939D0DCF7C80874A3BF8601B511685B1FDE52E07D8894EA647C50E480DE7A48ACADD89F79EEB9411234507CE6AB8503BD47B284134E301A78BD7FAC8D8B15A5D1424B820FF3FE1F363FC88FF510183165F52EE022A55EC43D4DD75763297C13F9EE3BCD579ADBA6800348F0C6240F49744B385737926A770EDF67257E7F5654C478C614700B6D2D671A13B28006C11C499BEB29658EF10C3E2EEC390A972372EBF733BA6EE5F4D600AAE1DDDC87EFA6D9FB05CBC995F82C3EF47CF862715E17DF7CC948846E849661D5C82C6A120610D90BB2D373D189A0BF13175F551326ECACF2D349A4BD2D265FDAC716E4B0A5D850E7EDA92CF9F8863BF1CD31C3888BFD81500DA4C615575EE8FA27615EF8E4B9D23A53852B236057E15DA7FC5827668A7B8AA699D3F79201567F4F0DAF7D89919906486A66ABA689FFD9E3BB5F0D1C677CCC12EA29BBFE1083C4FC349EE7E236BC8DC02DEE063E7F7C7B719E3176739D55196A2B7E6C3AA2A543135AB8F
++
++P = 0xFFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3BE39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF
++G = 0x02
++X = 0xA9F666E685F4F0BAFFF22C407B28461591CBF43F8DA1A8C3B1510BB6AA3BCD6C
++Msg = D830F02AA1AE9328CF3F2C6CB7D86875
++Ciphertext = E8AC61EE6EA9DCBEDF5DD10247240E0FF3A6D1B1D2C9832A73C5EF2F96FB23C6FA571F9E407089ADAB459086B4331DBCBB3E5FC69B996748131D0D499EFF4F3654CEF8ED3C14C97C4985E5E0D6E0714E789F9D926CB26A23ACB52D6308CDB3C4DBF92F7A701513B133A0512A0CC16E13BCC7F983BC181C71A42252D48B113BAB4B861430AC6157E3043BD861C44D0804CCBB0B9D5BA599650DABE9FA7BF286EB08A97D11D5F88CB0157A4522E2C9F4EF53EB9D7679974C5AD86554EED49736D0D7B39461B92C73CBBEBAD8E92A6501293AE9A5BF0FBDA11BC743E032F78740F96F8CD71D30EA0F17F42181783C908A6008E339620CCB80226E9CDD7E5D50DEF9310DF03C971955CCF70557C9816049C2137CB7554998BD90B81AD549E9B65347E4BC798039BF05929DED052EE816EA3A87014B0D25E2E279B7736446201F52E542AA6E494BDC6D02A9A0479E1F90D5F3898A36AF7BA03E8F0BCBBF891A1C1B0B300EA664349E765EA331841ABC7963012C623318EF9B681711461ECC83EDC88722DE5E16FF1AB57B23F285CC5E75F6FCB46EEC9F919D1C089E7C045535E64A97F16662DF9CEFFB0E6C9C6402A43E47D1D073A5555A470E2451809234ABFD463A013D70288BA4A093E51FCED6A434886ED70490D63DFD809F27A773CDAC3D848A21C2937CA194C4FFBF8E50C05AEB3A530A7AB8B39B91A72EA45034A2FF8F16B1
++
++P = 0xFFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3BE39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA051015728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6BF12FFA06D98A0864D87602733EC86A64521F2B18177B200CBBE117577A615D6C770988C0BAD946E208E24FA074E5AB3143DB5BFCE0FD108E4B82D120A93AD2CAFFFFFFFFFFFFFFFF
++G = 0x02
++X = 0x981606068AE29B5B86E6F1E4E578010E43E1DBCB12504857CA6CDFC77913EFF0B3F563E1DDB40934B4F33099A6BF8EE8
++Msg = 0E738AF35B6AE8951E5C3BF8EB
++Ciphertext = 659C8E28BF6A26E5D55386E437F2B66282EB9F9ECA54522D8A1FDE6BC6C4D65E5412D030BDC9833F93E3653B7B58FFD66A2EBFB8AAF1F7BBB52C3CD43E08DDB3D2C73E26EEA988EEF9CFDC9C59872B4D2454A1F500911B4D3BD3EED99107FAF39D97A3302166AD5B0381ECAB769953406DD3FEB502D23587D9CF2C89F93FE6A73167E3734CD0676EE95F7C43A558A56E7B0264A6084875D1E7F2312FA7BA7145AAA5921F904EDDC7A6EC823C57AFE323E4368CD7D47CAF2F8A94D6D3117A8BE92BAF6F0392A20C7FCFE381789755B7B47B9C5496382FF26533EA7F911472F02E2F9E29CAC9CFF4AEB90C36E55A1AF5D0259B195E2824C7F6B40299D8A0858E162B3D9392E323F62B48DA629089902F16D01D1AB3DCFBAAB46F1E74ECA6560B3A97E85E9B88B8F11AA83F78E8E542B8A3B4C0E7B47220594979BC7DD12E97238EB4B91D23A8F2D5362CB8B08C1F07B3461AD0968FB3053F60ECC2B3C0E900A0A7C2924C3FA79CCB43B33B336B807C6F4B83A7AE0112BD72A13822E3CD0B2E2AF7717F2CB21BE02D8DB0EB3BCCF66836BD83C828C221569EFCAA53124D206CB51D3718BC1511799DEA0558DD6FDBFB06B3D96BAC451FE71A4244BD3CD6826BF27EA3CC7782C17DCAF52EAA944CEA734D011145F10A4132A271349A8BF1ED0D7F7EF2ABC7031475B4397574F8A7EC4F5480D85CF0CA1F7C69097A2A009FFD4927AA769FD821F64741812FE5DB996ECAD3265CE93DBA7B40532A2133FB8EE5066A0C5F91C7E0F3902B6CEA39D5BB4B59B2993B5DAA2B61FF589BF45613D1EF36D5F7D959E8255C0010EC439AAE1C9B682BAC92C2883ED279CD8C644A301150879EB8D37B217B36447CBAC37C132C0278AA8CB38A8596392E3A3CAA91573370ED44DF46311EEE878B63F947F2A28930133D343737502623D0C7D3EA5D8D8123D7963C70AD30CC865BCD68F96C1A13A3484AB4EF3828CE338BF8E087F2300B777D556974D5E23FAFD55AB54353BCA31BEC13003AC7258510578F96B8F1E2254E91768A78CF9FCC6D8CFB0493701D523F75EC25B37B623B5A73A28009DBC169A084E95D
++
++P = 0xFFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3BE39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA051015728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6BF12FFA06D98A0864D87602733EC86A64521F2B18177B200CBBE117577A615D6C770988C0BAD946E208E24FA074E5AB3143DB5BFCE0FD108E4B82D120A92108011A723C12A787E6D788719A10BDBA5B2699C327186AF4E23C1A946834B6150BDA2583E9CA2AD44CE8DBBBC2DB04DE8EF92E8EFC141FBECAA6287C59474E6BC05D99B2964FA090C3A2233BA186515BE7ED1F612970CEE2D7AFB81BDD762170481CD0069127D5B05AA993B4EA988D8FDDC186FFB7DC90A6C08F4DF435C934063199FFFFFFFFFFFFFFFF
++G = 0x02
++X = 0xB73A80EB48DB4DF3108BE1345281A1B39B4373BFE71CB4DA9F3594A94C525E2E288F06089F61C1D29D6A99EA775C05D6
++Msg = D413DAC9D341361F17EDCE1C46A04D343424251B
++Ciphertext = 085E76D450C7FF0B2DB59D41D12596AD1B0D8AF877F5C63416D2B355ED137A5AEAB3B75AC4CBFB5168F37EC02724EA057ED5B9AAF0C40D5469FB9E068C7E090C6EB411CDFBC9A500294E2433A9F879F52F8359B0865128A76801B7C4E22D5A3A6279F755291ECC9454AC3C1F1395DA5FA8E25CD951FCBF9B569EED304B3B82B0198913FAFD0B9A3ED32A64B0E394F96C153D25FBFEF92ECB38F79F2DE12570A041C8B4E8ADB998D6A559BC9640EBA8B61A6D0387CF0CA621B6C3F60D464DE7D27D5347F79CABD09533219DD2CDA8BAB74E886E206409A94054CCF3EBBA570C33FE456BD6B0BEB564F406AF49400550AE01A21A68126C90E0B8295CB7F9C2F4C790D8B0FEFD1FC6BFF40A00737AF9EDA25A1BF00E7FEC8CE776C3D24C61EBF48049CE5B27E024B796566BA670090BAB1A6015C01DB57DFDDAD61240F151C61BC80C3BA320050D1E537D501611627531E41793C3468B87F28BF2281CE996957901BE6CE41FAB0F88467ECBC0DE6C5F60AB5A1AF21A9528B0E8BABAD56FA23F2AD3CBC521A8D54047F15F58FC9C5CD4BB322A0838EDAC053415CFED87FD0756FBFF6B052D385C2EED6FD4686E024F7175A9840DF7E74740FF368DA4DAEB879D7C0D265D51809BD6EC6A66717498A4998D0232586CA4C5F7858EBEC824821CDBD1133DA557612A398EA8F9AC959A39381FCF1D727D08136CAFC4D72E9A945043E6DE2C67F6B55C21B7EDBFDCEA2B63CF9A5BB931DFE76CA2BE5D3D964AA2C348E6DFBA4FFC4D5E463105E243BD20AF38531A70BE1DD4930F998E28C3182665507700976BC14438452179747E623B2E5328A3ED5925FA526AE897ACF67059D76D159CB31D85F03589A4874AB11A7E2BB680FCEF7A4CEBFD98B0DC18BC1AF838524107E3264C2FDACF883ED2701CF3306E83CB8E75F5ED148F3377A77474D47522596F50DADEFC149A91C619F4A9366771681CAE1A82AA57BB038E0180BD38C4323928E63FA890B85009B1A25C022AEE8DB4D7F4E34260677A22B3BC7F24089E98FC484B93EC95ED68D9D56B2F6DDBCE73AB844F5CBBD908E51651517F6920DC42F41B874EEB9DA244C4485D2A931C7A76E99D490E6B3D4AE44484CAE4B784A0773782D2B9CFB4D893E79D35CF4282CB9A70EA53700F49F6F47F374161D0B820690D2C99E3A2602B31E659E64E5D4D4BD111C73FD5AF47412748091E272947A307309F3732E04FA848AACC312ADD0323F09F7947788D9F2BC55BDB7DDDD1FE664C5C9E861F6052F8F94084927116CAB24C6B11FEE69ADD2BCED4CC7EF330519D287531861A75E0F00CA8E52CBE9B77E8F840168937222D5851C84195DD4E698AB8BB558A05026EBC09520A1B1F0BC44F699478A69E1C1384F37F16102DE90ED960CEFFD9EA299FB79D416F3AF6CCD1A022895CFE032AC65978486998E3714A56E3DBAE
++
++# Generated by Golang x/crypto
++P = 0xB10B8F96A080E01DDE92DE5EAE5D54EC52C99FBCFB06A3C69A6A9DCA52D23B616073E28675A23D189838EF1E2EE652C013ECB4AEA906112324975C3CD49B83BFACCBDD7D90C4BD7098488E9C219A73724EFFD6FAE5644738FAA31A4FF55BCCC0A151AF5F0DC8B4BD45BF37DF365C1A65E68CFDA76D4DA708DF1FB2BC2E4A4371
++G = 0xA4D1CBD5C3FD34126765A442EFB99905F8104DD258AC507FD6406CFF14266D31266FEA1E5C41564B777E690F5504F213160217B4B01B886A5E91547F9E2749F4D7FBD7D3B9A92EE1909D0D2263F80A76A6A24C087A091F531DBF0A0169B6A28AD662A4D18E73AFA32D779D5918D08BC8858F4DCEF97C2A24855E6EEB22B3B2E5
++X = 0x626adfc4696e5dee7f95f24077c8377b1df439cb76ab82134fe4a48b673e565a
++Msg = 0244454144424545464445414442454546444541444245454644454144424545464445414442454546444541444245454644454144424545464445414442454546444541444245454644454144424545464445414442454546444541444245454644454144424545464445414442454500476F207465737420766563746F72
++Ciphertext = 0F0AF27EB240927497A4245E592BDA1AA12420054AA406080420E92FCEDA12A3DCBF1CDEDA86A87029DF05C8D2435DF91A53BF65164375C302C19773C88677E88C36C3BBC408DFAD0672C1A56E5CDB8932AE11DD250F3DC31CB601582CC10C2E4BD26149AA5519AEDC7619C35B6F920B53B3AAEF728B06F37D08250B14C7AA0E291F233A5F5A6EE2333C9839C7C654C21669795B5C1415F92AFFBD24273403160AFE1DF058F554085283E0D5D8C487CBD4F7EFFBAE620C67F285CE4DD83FB1A00733B5BF9CA22A33039A7A15169757EFECC36A15F67609707C751F88FB5E70861BDE09A72A6B4558EA2841792BC86EC523DF23094D4B55663527EAB70D182CA9
++
++[EME-PKCS1-v1_5]
++# Same as above test from Go but with PKCS1 padding removed
++P = 0xB10B8F96A080E01DDE92DE5EAE5D54EC52C99FBCFB06A3C69A6A9DCA52D23B616073E28675A23D189838EF1E2EE652C013ECB4AEA906112324975C3CD49B83BFACCBDD7D90C4BD7098488E9C219A73724EFFD6FAE5644738FAA31A4FF55BCCC0A151AF5F0DC8B4BD45BF37DF365C1A65E68CFDA76D4DA708DF1FB2BC2E4A4371
++G = 0xA4D1CBD5C3FD34126765A442EFB99905F8104DD258AC507FD6406CFF14266D31266FEA1E5C41564B777E690F5504F213160217B4B01B886A5E91547F9E2749F4D7FBD7D3B9A92EE1909D0D2263F80A76A6A24C087A091F531DBF0A0169B6A28AD662A4D18E73AFA32D779D5918D08BC8858F4DCEF97C2A24855E6EEB22B3B2E5
++X = 0x626adfc4696e5dee7f95f24077c8377b1df439cb76ab82134fe4a48b673e565a
++Msg = 476F207465737420766563746F72
++Ciphertext = 0F0AF27EB240927497A4245E592BDA1AA12420054AA406080420E92FCEDA12A3DCBF1CDEDA86A87029DF05C8D2435DF91A53BF65164375C302C19773C88677E88C36C3BBC408DFAD0672C1A56E5CDB8932AE11DD250F3DC31CB601582CC10C2E4BD26149AA5519AEDC7619C35B6F920B53B3AAEF728B06F37D08250B14C7AA0E291F233A5F5A6EE2333C9839C7C654C21669795B5C1415F92AFFBD24273403160AFE1DF058F554085283E0D5D8C487CBD4F7EFFBAE620C67F285CE4DD83FB1A00733B5BF9CA22A33039A7A15169757EFECC36A15F67609707C751F88FB5E70861BDE09A72A6B4558EA2841792BC86EC523DF23094D4B55663527EAB70D182CA9
+diff --git a/src/tests/data/pubkey/elgamal_encrypt.vec b/src/tests/data/pubkey/elgamal_encrypt.vec
+index 059eb1668d..92e8690549 100644
+--- a/src/tests/data/pubkey/elgamal_encrypt.vec
++++ b/src/tests/data/pubkey/elgamal_encrypt.vec
+@@ -3,30 +3,35 @@
+ Group = modp/ietf/1024
+ Secret = 0xCC13EE3533858E0F0024FFC935DC5BD297DEC9385AC8EF7E
+ Msg = 1C
+-Nonce = EEE23AAA149AF29E18EF8D66AD8D4BACB72076BAE583A297
++Nonce = 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000EEE23AAA149AF29E18EF8D66AD8D4BACB72076BAE583A297
+ Ciphertext = D73F6E5CEF558B92C924FEC2329774ACD75E7CEA04D2485F07920EF4E5B86E361E23E42AB6F3A97F5B1F46218BF3C00E93A2EA981B8BB48EDD020A3F96D61FDA0F3E4D26F5538B2179B7D7E333CE78414F18E6CD0AE74C3F44FBFAC9121A3A6CF80C85E89280F9BC476078F9FD686A6500590B1AD75616C0A92BC73838A6D4437368304638242BCD628A72EA432FE7C1892922136B3C19B39990980185328E5BBD35DE42549819C8E301348320BA80602E751172D9ACAA8E0B67FB97996310BC0C14B9E40626FE54138851E4BC4CA4CB2F0A1F3D3F042556A4942B2B03B4C2F75E50260365865FEE0050DAC3604E78708715549FF878F1B337D6ABF8B695462F
+
++Group = modp/ietf/1024
++Secret = 0xCC13EE3533858E0F0024FFC935DC5BD297DEC9385AC8EF7E
++Msg = 1C
++Nonce = D0F937A84865734C37877CBBD731D9A378EA8644B5C4D9A65B2C81C46F1014364F3593C6B9DFF25E0741EFB6C3E033522D66A6DA1C6B7666E8C15112BFAB850C38177C30CC05449B1A7D0D11EDD555997C57840D319279E5C80A51DC15F8103B820C5C870432DC14B70A12207EF749C835825C63B05B2E1A8FE36F0264D5B13D
++Ciphertext = B1F5602B7E72A8B3B5932EE86F303A14D764BAD54BF37902F0AA4C2592E04D3BB70F6CAAD3287B613D48C4D735E776F212BB26D46F53699B08194A0105239C588A2678EDC7476DF68B6C60F83E8DE47BA3477E17B3AD72D96F41FC1066089940F99ED6C0C8E9E77F322D986FDC4C718451E2CFBA51DCE13741C78AF81878EC6D4155741BFDD369A9DB4C9619E3753E0E80BD39A9B788481FB82ABA9A26FEF1B7619F9FC524B5D64DA2E3B23F8E8C0922754EB56A495DBD4F31B2DD3F9DC76A2EAB4D94F957F4E3776F423B85A8CDB343787AAFF00C95AFC297875DFF49EC9C886A5D550E1130A6CCC25E4A1C2D078C3B98586FFFD3C87EABC3FDC13A15AD4666
++
+ Group = modp/ietf/1536
+ Secret = 0x8D81343C4994DAF21AD0E6CB88C74F55529925EC953381470B72B3C8
+ Msg = 7F0CCACA157707BF03
+-Nonce = F0A0844B268ECEABA04827E7CE9F960119E0053CFBA00ADA47604857
++Nonce = 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000F0A0844B268ECEABA04827E7CE9F960119E0053CFBA00ADA47604857
+ Ciphertext = 2EDE1A9F975FCAF943AEEB51EB37EAEDF54C4D939D0DCF7C80874A3BF8601B511685B1FDE52E07D8894EA647C50E480DE7A48ACADD89F79EEB9411234507CE6AB8503BD47B284134E301A78BD7FAC8D8B15A5D1424B820FF3FE1F363FC88FF510183165F52EE022A55EC43D4DD75763297C13F9EE3BCD579ADBA6800348F0C6240F49744B385737926A770EDF67257E7F5654C478C614700B6D2D671A13B28006C11C499BEB29658EF10C3E2EEC390A972372EBF733BA6EE5F4D600AAE1DDDC87EFA6D9FB05CBC995F82C3EF47CF862715E17DF7CC948846E849661D5C82C6A120610D90BB2D373D189A0BF13175F551326ECACF2D349A4BD2D265FDAC716E4B0A5D850E7EDA92CF9F8863BF1CD31C3888BFD81500DA4C615575EE8FA27615EF8E4B9D23A53852B236057E15DA7FC5827668A7B8AA699D3F79201567F4F0DAF7D89919906486A66ABA689FFD9E3BB5F0D1C677CCC12EA29BBFE1083C4FC349EE7E236BC8DC02DEE063E7F7C7B719E3176739D55196A2B7E6C3AA2A543135AB8F
+
+ Group = modp/ietf/2048
+ Secret = 0xA9F666E685F4F0BAFFF22C407B28461591CBF43F8DA1A8C3B1510BB6AA3BCD6C
+ Msg = D830F02AA1AE9328CF3F2C6CB7D86875
+-Nonce = DFA4E0979DADE5A620C4B9ED87C205F34D7AE739761BCDD060A9EC530E066538
++Nonce = 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000DFA4E0979DADE5A620C4B9ED87C205F34D7AE739761BCDD060A9EC530E066538
+ Ciphertext = E8AC61EE6EA9DCBEDF5DD10247240E0FF3A6D1B1D2C9832A73C5EF2F96FB23C6FA571F9E407089ADAB459086B4331DBCBB3E5FC69B996748131D0D499EFF4F3654CEF8ED3C14C97C4985E5E0D6E0714E789F9D926CB26A23ACB52D6308CDB3C4DBF92F7A701513B133A0512A0CC16E13BCC7F983BC181C71A42252D48B113BAB4B861430AC6157E3043BD861C44D0804CCBB0B9D5BA599650DABE9FA7BF286EB08A97D11D5F88CB0157A4522E2C9F4EF53EB9D7679974C5AD86554EED49736D0D7B39461B92C73CBBEBAD8E92A6501293AE9A5BF0FBDA11BC743E032F78740F96F8CD71D30EA0F17F42181783C908A6008E339620CCB80226E9CDD7E5D50DEF9310DF03C971955CCF70557C9816049C2137CB7554998BD90B81AD549E9B65347E4BC798039BF05929DED052EE816EA3A87014B0D25E2E279B7736446201F52E542AA6E494BDC6D02A9A0479E1F90D5F3898A36AF7BA03E8F0BCBBF891A1C1B0B300EA664349E765EA331841ABC7963012C623318EF9B681711461ECC83EDC88722DE5E16FF1AB57B23F285CC5E75F6FCB46EEC9F919D1C089E7C045535E64A97F16662DF9CEFFB0E6C9C6402A43E47D1D073A5555A470E2451809234ABFD463A013D70288BA4A093E51FCED6A434886ED70490D63DFD809F27A773CDAC3D848A21C2937CA194C4FFBF8E50C05AEB3A530A7AB8B39B91A72EA45034A2FF8F16B1
+
+ Group = modp/ietf/3072
+ Secret = 0x981606068AE29B5B86E6F1E4E578010E43E1DBCB12504857CA6CDFC77913EFF0B3F563E1DDB40934B4F33099A6BF8EE8
+ Msg = 0E738AF35B6AE8951E5C3BF8EB
+-Nonce = F53B7EF9224D33392AE79CA3816755F066A2B15689B157FBA588CD5C247EFC9050DB2F84FA40C12E3493230D94D89306
++Nonce = 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000F53B7EF9224D33392AE79CA3816755F066A2B15689B157FBA588CD5C247EFC9050DB2F84FA40C12E3493230D94D89306
+ Ciphertext = 659C8E28BF6A26E5D55386E437F2B66282EB9F9ECA54522D8A1FDE6BC6C4D65E5412D030BDC9833F93E3653B7B58FFD66A2EBFB8AAF1F7BBB52C3CD43E08DDB3D2C73E26EEA988EEF9CFDC9C59872B4D2454A1F500911B4D3BD3EED99107FAF39D97A3302166AD5B0381ECAB769953406DD3FEB502D23587D9CF2C89F93FE6A73167E3734CD0676EE95F7C43A558A56E7B0264A6084875D1E7F2312FA7BA7145AAA5921F904EDDC7A6EC823C57AFE323E4368CD7D47CAF2F8A94D6D3117A8BE92BAF6F0392A20C7FCFE381789755B7B47B9C5496382FF26533EA7F911472F02E2F9E29CAC9CFF4AEB90C36E55A1AF5D0259B195E2824C7F6B40299D8A0858E162B3D9392E323F62B48DA629089902F16D01D1AB3DCFBAAB46F1E74ECA6560B3A97E85E9B88B8F11AA83F78E8E542B8A3B4C0E7B47220594979BC7DD12E97238EB4B91D23A8F2D5362CB8B08C1F07B3461AD0968FB3053F60ECC2B3C0E900A0A7C2924C3FA79CCB43B33B336B807C6F4B83A7AE0112BD72A13822E3CD0B2E2AF7717F2CB21BE02D8DB0EB3BCCF66836BD83C828C221569EFCAA53124D206CB51D3718BC1511799DEA0558DD6FDBFB06B3D96BAC451FE71A4244BD3CD6826BF27EA3CC7782C17DCAF52EAA944CEA734D011145F10A4132A271349A8BF1ED0D7F7EF2ABC7031475B4397574F8A7EC4F5480D85CF0CA1F7C69097A2A009FFD4927AA769FD821F64741812FE5DB996ECAD3265CE93DBA7B40532A2133FB8EE5066A0C5F91C7E0F3902B6CEA39D5BB4B59B2993B5DAA2B61FF589BF45613D1EF36D5F7D959E8255C0010EC439AAE1C9B682BAC92C2883ED279CD8C644A301150879EB8D37B217B36447CBAC37C132C0278AA8CB38A8596392E3A3CAA91573370ED44DF46311EEE878B63F947F2A28930133D343737502623D0C7D3EA5D8D8123D7963C70AD30CC865BCD68F96C1A13A3484AB4EF3828CE338BF8E087F2300B777D556974D5E23FAFD55AB54353BCA31BEC13003AC7258510578F96B8F1E2254E91768A78CF9FCC6D8CFB0493701D523F75EC25B37B623B5A73A28009DBC169A084E95D
+
+ Group = modp/ietf/4096
+ Secret = 0xB73A80EB48DB4DF3108BE1345281A1B39B4373BFE71CB4DA9F3594A94C525E2E288F06089F61C1D29D6A99EA775C05D6
+ Msg = D413DAC9D341361F17EDCE1C46A04D343424251B
+-Nonce = B9AFD0F2F97C677BD3088B032696E7928DD62AD20912367113CFE5ABEEB7B4DFAD22E30442B04571CDC683D9971DE257
++Nonce = 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000B9AFD0F2F97C677BD3088B032696E7928DD62AD20912367113CFE5ABEEB7B4DFAD22E30442B04571CDC683D9971DE257
+ Ciphertext = 085E76D450C7FF0B2DB59D41D12596AD1B0D8AF877F5C63416D2B355ED137A5AEAB3B75AC4CBFB5168F37EC02724EA057ED5B9AAF0C40D5469FB9E068C7E090C6EB411CDFBC9A500294E2433A9F879F52F8359B0865128A76801B7C4E22D5A3A6279F755291ECC9454AC3C1F1395DA5FA8E25CD951FCBF9B569EED304B3B82B0198913FAFD0B9A3ED32A64B0E394F96C153D25FBFEF92ECB38F79F2DE12570A041C8B4E8ADB998D6A559BC9640EBA8B61A6D0387CF0CA621B6C3F60D464DE7D27D5347F79CABD09533219DD2CDA8BAB74E886E206409A94054CCF3EBBA570C33FE456BD6B0BEB564F406AF49400550AE01A21A68126C90E0B8295CB7F9C2F4C790D8B0FEFD1FC6BFF40A00737AF9EDA25A1BF00E7FEC8CE776C3D24C61EBF48049CE5B27E024B796566BA670090BAB1A6015C01DB57DFDDAD61240F151C61BC80C3BA320050D1E537D501611627531E41793C3468B87F28BF2281CE996957901BE6CE41FAB0F88467ECBC0DE6C5F60AB5A1AF21A9528B0E8BABAD56FA23F2AD3CBC521A8D54047F15F58FC9C5CD4BB322A0838EDAC053415CFED87FD0756FBFF6B052D385C2EED6FD4686E024F7175A9840DF7E74740FF368DA4DAEB879D7C0D265D51809BD6EC6A66717498A4998D0232586CA4C5F7858EBEC824821CDBD1133DA557612A398EA8F9AC959A39381FCF1D727D08136CAFC4D72E9A945043E6DE2C67F6B55C21B7EDBFDCEA2B63CF9A5BB931DFE76CA2BE5D3D964AA2C348E6DFBA4FFC4D5E463105E243BD20AF38531A70BE1DD4930F998E28C3182665507700976BC14438452179747E623B2E5328A3ED5925FA526AE897ACF67059D76D159CB31D85F03589A4874AB11A7E2BB680FCEF7A4CEBFD98B0DC18BC1AF838524107E3264C2FDACF883ED2701CF3306E83CB8E75F5ED148F3377A77474D47522596F50DADEFC149A91C619F4A9366771681CAE1A82AA57BB038E0180BD38C4323928E63FA890B85009B1A25C022AEE8DB4D7F4E34260677A22B3BC7F24089E98FC484B93EC95ED68D9D56B2F6DDBCE73AB844F5CBBD908E51651517F6920DC42F41B874EEB9DA244C4485D2A931C7A76E99D490E6B3D4AE44484CAE4B784A0773782D2B9CFB4D893E79D35CF4282CB9A70EA53700F49F6F47F374161D0B820690D2C99E3A2602B31E659E64E5D4D4BD111C73FD5AF47412748091E272947A307309F3732E04FA848AACC312ADD0323F09F7947788D9F2BC55BDB7DDDD1FE664C5C9E861F6052F8F94084927116CAB24C6B11FEE69ADD2BCED4CC7EF330519D287531861A75E0F00CA8E52CBE9B77E8F840168937222D5851C84195DD4E698AB8BB558A05026EBC09520A1B1F0BC44F699478A69E1C1384F37F16102DE90ED960CEFFD9EA299FB79D416F3AF6CCD1A022895CFE032AC65978486998E3714A56E3DBAE
+-
diff --git a/main/botan/dl-exponents.patch b/main/botan/dl-exponents.patch
new file mode 100644
index 000000000000..28c5e06b8176
--- /dev/null
+++ b/main/botan/dl-exponents.patch
@@ -0,0 +1,304 @@
+From 9258696e147894e45d0422fd65a34193fba76211 Mon Sep 17 00:00:00 2001
+From: Jack Lloyd <jack@randombit.net>
+Date: Mon, 14 Dec 2020 07:15:20 -0500
+Subject: [PATCH] New sizes for DL exponents
+
+Avoid using a formula for this and instead just bucket into a few very
+rough sizes. In all cases (except very large keys) this results in
+using a somewhat larger exponent.
+---
+ src/lib/pubkey/workfactor.cpp | 23 +++++++------
+ src/scripts/test_cli.py | 4 +--
+ .../{elgamal.vec => elgamal_decrypt.vec} | 10 ------
+ src/tests/data/pubkey/elgamal_encrypt.vec | 32 ++++++++++++++++++
+ src/tests/data/pubkey/workfactor.vec | 18 ++++++----
+ src/tests/{test_elg.cpp => test_elgamal.cpp} | 33 +++++++++++++++----
+ src/tests/test_workfactor.cpp | 2 +-
+ 7 files changed, 86 insertions(+), 36 deletions(-)
+ rename src/tests/data/pubkey/{elgamal.vec => elgamal_decrypt.vec} (95%)
+ create mode 100644 src/tests/data/pubkey/elgamal_encrypt.vec
+ rename src/tests/{test_elg.cpp => test_elgamal.cpp} (54%)
+
+diff --git a/src/lib/pubkey/workfactor.cpp b/src/lib/pubkey/workfactor.cpp
+index cd0a83e5ce..13760351ea 100644
+--- a/src/lib/pubkey/workfactor.cpp
++++ b/src/lib/pubkey/workfactor.cpp
+@@ -51,16 +51,19 @@ size_t dl_work_factor(size_t bits)
+
+ size_t dl_exponent_size(size_t bits)
+ {
+- /*
+- This uses a slightly tweaked version of the standard work factor
+- function above. It assumes k is 1 (thus overestimating the strength
+- of the prime group by 5-6 bits), and always returns at least 128 bits
+- (this only matters for very small primes).
+- */
+- const size_t min_workfactor = 64;
+- const double log2_k = 0;
+-
+- return 2 * std::max<size_t>(min_workfactor, nfs_workfactor(bits, log2_k));
++ if(bits == 0)
++ return 0;
++ if(bits <= 256)
++ return bits - 1;
++ if(bits <= 1024)
++ return 192;
++ if(bits <= 1536)
++ return 224;
++ if(bits <= 2048)
++ return 256;
++ if(bits <= 4096)
++ return 384;
++ return 512;
+ }
+
+ }
+diff --git a/src/scripts/test_cli.py b/src/scripts/test_cli.py
+index 7fb46feab4..5fc2f04e84 100755
+--- a/src/scripts/test_cli.py
++++ b/src/scripts/test_cli.py
+@@ -278,7 +278,7 @@ def cli_gen_dl_group_tests(_tmp_dir):
+ mFvAZ/8wal0=
+ -----END X9.42 DH PARAMETERS-----"""
+
+- test_cli("gen_dl_group", "--pbits=1043", pem)
++ test_cli("gen_dl_group", ["--pbits=1043", "--qbits=174"], pem)
+
+ dsa_grp = """-----BEGIN DSA PARAMETERS-----
+ MIIBHgKBgQCyP1vosC/axliM2hmJ9EOSdd1zBkuzMP25CYD8PFkRVrPLr1ClSUtn
+@@ -679,7 +679,7 @@ def cli_pk_workfactor_tests(_tmp_dir):
+ test_cli("pk_workfactor", "2048", "111")
+ test_cli("pk_workfactor", ["--type=rsa", "512"], "58")
+ test_cli("pk_workfactor", ["--type=dl", "512"], "58")
+- test_cli("pk_workfactor", ["--type=dl_exp", "512"], "128")
++ test_cli("pk_workfactor", ["--type=dl_exp", "512"], "192")
+
+ def cli_dl_group_info_tests(_tmp_dir):
+
+diff --git a/src/tests/data/pubkey/elgamal.vec b/src/tests/data/pubkey/elgamal_decrypt.vec
+similarity index 95%
+rename from src/tests/data/pubkey/elgamal.vec
+rename to src/tests/data/pubkey/elgamal_decrypt.vec
+index 5cfbacdeee..f676be50e7 100644
+--- a/src/tests/data/pubkey/elgamal.vec
++++ b/src/tests/data/pubkey/elgamal_decrypt.vec
+@@ -3,68 +3,58 @@ P = 1365501321293735349225077112267598047546199828869335521691442858164229618266
+ G = 13
+ X = 1510837665211600837455333225484573368412905214721958306259132011740929687444
+ Msg = 02AD1D776D591520E4D8BEF8B21CC2F54FB4EB788E52ECEBE13564435DA66284D51A6A6696E615EF599786CE4CBEFAFF066E0A1CD8868454EB5CE0CA99241B29E1D1492CF2712C2C101B3F3779034683AD8271098C2E3FBAA83901A97D9645FA5815AF79F4F638ECBE09020003F434D708914899C668F34830E70F4CAF0803
+-Nonce = 0A5842A8D0C1B07E5DE6FD3E0C6B1108523D4D35417F
+ Ciphertext = 5B99F58B48F3D473327075F2FF4EEA3C8C1FEB0B241F042864610D6FC512A81F431A965724195DB71C3B84B6B9F1DFAE0DAE60E7CDA957703D10FCCDA45CDD0EF8C8F76AA4F51F3EDAD8E5085B97D69523A3EAC89D67CDFDDCF0A30491A98BE2FD6C5E69C3A2C95300B9DB4EDF2111E7613EF7B2CA430D0CFFBDECF6A7BE592A853B404B6910C48A0204ED3430691E766FBAF21A428B9F833C5932C053C616EEB59850150A22331A8FB5AF2065B595E4F08881B1DB7CB85A28A33F4449890739679CCAA431A9205210995BEA68759B475BE4183A975C9D042FBBEDF589AB6AF017D7523B2CC90CD63526BC584F1E9EF42ABAAA9238987D7F73B94E323C6AADFD
+
+ P = 1541287358797997024335652872773425159872421808416662301794871595911973385718041854467851087853175356350298847849929853669980047096240555092681165983790725605204837589691602540741068782404825906414885161661820441988899240406981724303
+ G = 5
+ X = 1344717445208905302019700797220481877896877304443340806021921711564
+ Msg = 02C1ED6A171875F055809F12BC61829961CC740935C6DCC468FA663E8D1A7DE9E0555E3EA99476436743FC5C76D3E041055FAEB7641907F8E2F1F94061B22E72B7CD39EDD7A6367828CCDC000301CEA7D91CB1E8A3E20DC85FAA23EF6D08E6
+-Nonce = F42F854C10C9DD14A6712594A31326A1FD2CF5
+ Ciphertext = 9E47FB001BDDB12F2D8E0FA5501A7EAC1B185FDFC7D2FF3E4461B0D75D626F5156DEDD4D25F13C6C1F5F9A1F916058045705F5E82F748E9B6F0DC95D572B8DC2770159092EECA13946F0522FE2A859705009B615818A1B4F98E8DD38CF00DE746ABD5F3852D93F8D9299DE18EB763F11E41A8B9660C5F056538EED431BB8E2199D9012F50C7FBEF5AAD35ECCD7F141CD9AC6553315A2699D6718F50EBDCEAE62A11ACC466E8533EDBAF13C15B5532B323EBF283B108F892DBFCEA21231DFD548
+
+ P = 13232376895198612407547930718267435757728527029623408872245156039757713029036368719146452186041204237350521785240337048752071462798273003935646236777459223
+ G = 11629401773565540073100961473632977008134185076958364415809981826641612629974728305105606061133984394938666464842000720534465163992699133277631369246002549
+ X = 175607362627753240470186183617696577774
+ Msg = 47E586A7E7D98C116A6F553F652E57BF
+-Nonce = BEF5E7EFAA76C52A8ECEE604EDAFD31B
+ Ciphertext = CD70DE085B0C586B4E64097EA3AB4CE0B60A71B0F640FE4468F4F940412EDBDD9035EEC602530CFF81B2CDC35805264A866E4689DDBADC3438575B6337118BB23A5AB7710F85F2A4E1E0DBEC5652FEF73C868747ECB7043BA08241A0879A2DC588D3EC14ED552E62B1B111646FF4DFA9050754240A46A840EA5EB1D97712F2BB
+
+ P = 13232376895198612407547930718267435757728527029623408872245156039757713029036368719146452186041204237350521785240337048752071462798273003935646236777459223
+ G = 11629401773565540073100961473632977008134185076958364415809981826641612629974728305105606061133984394938666464842000720534465163992699133277631369246002549
+ X = 226260657342880764984259695048075261500
+ Msg = 74BC8D009250F4CD2E08BC556EE01449
+-Nonce = A2951BE393736E39E9D209FE978C7546
+ Ciphertext = 6D6ED1C6E519C628CACC7981A5BBE487F6E013B26448D711911698CEEAA4F746182A716602183A746FC35B022BD7B27EF079F7164309653D148D0CE91907FF6C4A9001A0CCA2A0A163F3F93200C2E40A957919CB84AC35B928E026F1827E6D4A9B986B592BE39861538414D5EA6980248FD3C3C0CDEE372F392D5AC46DB8EEFB
+
+ P = 13232376895198612407547930718267435757728527029623408872245156039757713029036368719146452186041204237350521785240337048752071462798273003935646236777459223
+ G = 11629401773565540073100961473632977008134185076958364415809981826641612629974728305105606061133984394938666464842000720534465163992699133277631369246002549
+ X = 190989497955271245954961490592364802400
+ Msg = 01AFE1A93EDB9CD3E3715523C952478D
+-Nonce = 9500DDCD404618F64A2063BC19941A6E
+ Ciphertext = 0636C3F1C63C54CAB4B48B6EF0ECBFF00BA6AB70DF4DB6266D0785351B37279D41D957D16CAB48C64035DCB2A1CD75BAC298C8ECAE8057D87071EADAA5DA6E2B69B5F353B5753F7E24DA81ABAD40059CD73CFA6E78CAB1C7DA418D55E5DBD42FA4F2B876A25B4AF63588C80E0DB11E8BAB1531960E951C08C1A68C8FAE0DA87C
+
+ P = 1418488780399624169246918906980830188668962659968489177172519612007411971965075884911751185624649475197807409457369163882960326663412481439463507475025544888587052733646843233033458377686354235239579046252542291754237282749312023983
+ G = 1351977104923085061876231022324913317418268765766371251774974499254352282996737121345129752664271877383194755574993089982460597274051441610498438524702048238124542105329402087161253933648442955133245175046317041420863434958965806440
+ X = 5693645782587047029911723275175292231768316497
+ Msg = 58E72BD0F04B11
+-Nonce = EF07721FF6B28A8A3B4EBC95C16B13A83649B7
+ Ciphertext = C7B6ACADBBCFD3A34EDA31CE9CA7F7889FBB2DF5C6C25793EB974591BF0EDE93637B6A95E8075BDB2A987039D92487665465C98AAD0C123FA00BB9736170E78069AA32DFBEB07099A0B7D439AA807A2D3D6F9F913EBC673F9F8CD5D3C0E9DD0D988EAC4D8204928C2DA8ECD1FA3A598FCBFFEF5017DB8542D123CF69E8C92EB956F10DC995AE6B6564967D5C12A07BA35607C54CC3F10A36FF3603DD7CC1490664610002977CE8C4A4EFFBD1421C902D4D8DFF81D014E1AB55F239E0F2FD28AB
+
+ P = 1418488780399624169246918906980830188668962659968489177172519612007411971965075884911751185624649475197807409457369163882960326663412481439463507475025544888587052733646843233033458377686354235239579046252542291754237282749312023983
+ G = 1351977104923085061876231022324913317418268765766371251774974499254352282996737121345129752664271877383194755574993089982460597274051441610498438524702048238124542105329402087161253933648442955133245175046317041420863434958965806440
+ X = 4008521039270359712424267366152273661245582878
+ Msg = C37AA41207A357DBCCFBE93DC45C5BD91D29FD29CBA29B26AC437A9B560C3BEA
+-Nonce = A36338E4D7815E6A4B178E951BEF073C6D5A7F
+ Ciphertext = D824C94623313298600CC20203F8A40006CAFCFC8F883C99AC09DBAE4B95E6DB9FB5737E24D9D7E39B603893076BC81A2BC0C0D608B32B353972B57066535DAAC49E3F7F2A0E243618EEE01C5AB3AFAE1D55E3A1DB33CF713E5187AD51D55144B1A108354ECA651E55F85F253FE73C1C15FA5EDDDA47467BD0425F09E3C4156548E71896659C618B84FD72BA176E2DEEECD8B15F2C05F870697EA464B88273742BD6ECBA5164424F34EBB9E13E31683A16712901818C7E5F502720FBCB075EA1
+
+ P = 1418488780399624169246918906980830188668962659968489177172519612007411971965075884911751185624649475197807409457369163882960326663412481439463507475025544888587052733646843233033458377686354235239579046252542291754237282749312023983
+ G = 1351977104923085061876231022324913317418268765766371251774974499254352282996737121345129752664271877383194755574993089982460597274051441610498438524702048238124542105329402087161253933648442955133245175046317041420863434958965806440
+ X = 5316253934868425065538718034591876558413406625
+ Msg = 36FDC0501B44AF
+-Nonce = 832BC01DB63F958D47B6962AEAA74C0831A6AB
+ Ciphertext = 62E46CDF100BADF4419215256BEC8427DD0388D1B60B5A8675532C0934351BA0036AF58032AB6C4DB829F1A0C8217FBF2CB9C10A5C60FF285919BCAF238E89FBAA4771CAD13D4A69AB2C1FFF0A44D2F9287F1E70D58210AE859074B3969EE800A9D1507BA48582BD1E03CC234B0CB11408BE0932763EDC99CA4BEC6E496A452237F920972C629714EA2F1FF212460C23B66DB56BC73E94743D32D2CD3536A17A136F56D7F7C24E3B8F102F48BBB21633279D3E584E71DC37B436104CA69A6BB3
+
+ P = 178011905478542266528237562450159990145232156369120674273274450314442865788737020770612695252123463079567156784778466449970650770920727857050009668388144034129745221171818506047231150039301079959358067395348717066319802262019714966524135060945913707594956514672855690606794135837542707371727429551343320695239
+ G = 49567166504681114998529684425585849617514862026978329597099192087961538717407709177883083441369264146939535263894140299406849834767828526204179623557679393249247253593623658376992386256295047165071989556654741504656225128772294708626157371448610928885819291350567633953878147205134001752476855481804967677085
+ X = 3756315909532643155590215634844150624450334340186095
+ Msg = DF72B687F62AFEA3A51195EE876E4C87708F7ABB8D2D5DD72B68256DAC6D
+-Nonce = 0B333C9C486C5F3A96F37D00133ADD18113376C9BE76
+ Ciphertext = 4156CF437A39C415B212AAA34C9AACAFA3F3113F53BB75E0BD3D759089E21754EF89B4BA1A8B37E5EDA13F8A2F87D16F03F3B6FE19A5CF799B17D83F7B5E9A225F324AAD7D46E80A1DAFCA337A3F500930A7831D1F3785763EB9A6994063CED033177E1CA2770B751B3053C1445ADFEAED790E49E4685A05B9563D1EF32BD321971D541B525D648EA7C8741D8FA7E46293D46A0F4345BE73EA4FAF1E4C16BCBE11C53BA0FCBA2975BD37F11FE5ADA8731CAED3C403EA6E43AE47ADAA7E28433404AD3ADE6AA8E12BFC374BADAAFB167F3AAF91DC6F8398003E5F8528E8D4773F800D48C8EDDAEDD72A3870E97679F946CE27FB692BC11677757A28F3899A3DA8
+
+ P = 178011905478542266528237562450159990145232156369120674273274450314442865788737020770612695252123463079567156784778466449970650770920727857050009668388144034129745221171818506047231150039301079959358067395348717066319802262019714966524135060945913707594956514672855690606794135837542707371727429551343320695239
+ G = 49567166504681114998529684425585849617514862026978329597099192087961538717407709177883083441369264146939535263894140299406849834767828526204179623557679393249247253593623658376992386256295047165071989556654741504656225128772294708626157371448610928885819291350567633953878147205134001752476855481804967677085
+ X = 4304232149632055597449717737864742436448127103739097
+ Msg = F73BB7E5C8A5619380
+-Nonce = 0AD9527B09EAD1E59B4A1CAF58C861B69A856AB8AA80
+ Ciphertext = C9881464A37749949D66D75CD9B7A8ACAD33DD1FAC7561F684E9CB5343D2ED15969D7EDB4135518B50F0FEC9A9559C1D5E44DAB42C14BBDE2D2711EA4D02D7F27D1A9BCFEC9E8B73FA64BA3C54707FDDE7D5BE695E17FB9D259FB576FD4E57D66C8F727DC236E2A6E9FD01709D34B8D09F7DD3890F003EBE616042B4E0A8A00F6C3F34DE7E002FE72A84AF8D014D64E8CD08B9B56CC3A6BBE6F966B92105A92C5ABF4F2BF735670622F6213FE9739FAD65692E1C0EBF708A47E18600A22972A5A3DA0F22D11C581D46F734151A083FF757E961351EB183B467A859FBB9ED1DAC396FA405701FD6E3A62EB126E93648C3C6DFA9C4DBF3C005880F4799F66B310E
+diff --git a/src/tests/data/pubkey/elgamal_encrypt.vec b/src/tests/data/pubkey/elgamal_encrypt.vec
+new file mode 100644
+index 0000000000..059eb1668d
+--- /dev/null
++++ b/src/tests/data/pubkey/elgamal_encrypt.vec
+@@ -0,0 +1,32 @@
++# These were generated by Botan and not checked against other implementations
++
++Group = modp/ietf/1024
++Secret = 0xCC13EE3533858E0F0024FFC935DC5BD297DEC9385AC8EF7E
++Msg = 1C
++Nonce = EEE23AAA149AF29E18EF8D66AD8D4BACB72076BAE583A297
++Ciphertext = D73F6E5CEF558B92C924FEC2329774ACD75E7CEA04D2485F07920EF4E5B86E361E23E42AB6F3A97F5B1F46218BF3C00E93A2EA981B8BB48EDD020A3F96D61FDA0F3E4D26F5538B2179B7D7E333CE78414F18E6CD0AE74C3F44FBFAC9121A3A6CF80C85E89280F9BC476078F9FD686A6500590B1AD75616C0A92BC73838A6D4437368304638242BCD628A72EA432FE7C1892922136B3C19B39990980185328E5BBD35DE42549819C8E301348320BA80602E751172D9ACAA8E0B67FB97996310BC0C14B9E40626FE54138851E4BC4CA4CB2F0A1F3D3F042556A4942B2B03B4C2F75E50260365865FEE0050DAC3604E78708715549FF878F1B337D6ABF8B695462F
++
++Group = modp/ietf/1536
++Secret = 0x8D81343C4994DAF21AD0E6CB88C74F55529925EC953381470B72B3C8
++Msg = 7F0CCACA157707BF03
++Nonce = F0A0844B268ECEABA04827E7CE9F960119E0053CFBA00ADA47604857
++Ciphertext = 2EDE1A9F975FCAF943AEEB51EB37EAEDF54C4D939D0DCF7C80874A3BF8601B511685B1FDE52E07D8894EA647C50E480DE7A48ACADD89F79EEB9411234507CE6AB8503BD47B284134E301A78BD7FAC8D8B15A5D1424B820FF3FE1F363FC88FF510183165F52EE022A55EC43D4DD75763297C13F9EE3BCD579ADBA6800348F0C6240F49744B385737926A770EDF67257E7F5654C478C614700B6D2D671A13B28006C11C499BEB29658EF10C3E2EEC390A972372EBF733BA6EE5F4D600AAE1DDDC87EFA6D9FB05CBC995F82C3EF47CF862715E17DF7CC948846E849661D5C82C6A120610D90BB2D373D189A0BF13175F551326ECACF2D349A4BD2D265FDAC716E4B0A5D850E7EDA92CF9F8863BF1CD31C3888BFD81500DA4C615575EE8FA27615EF8E4B9D23A53852B236057E15DA7FC5827668A7B8AA699D3F79201567F4F0DAF7D89919906486A66ABA689FFD9E3BB5F0D1C677CCC12EA29BBFE1083C4FC349EE7E236BC8DC02DEE063E7F7C7B719E3176739D55196A2B7E6C3AA2A543135AB8F
++
++Group = modp/ietf/2048
++Secret = 0xA9F666E685F4F0BAFFF22C407B28461591CBF43F8DA1A8C3B1510BB6AA3BCD6C
++Msg = D830F02AA1AE9328CF3F2C6CB7D86875
++Nonce = DFA4E0979DADE5A620C4B9ED87C205F34D7AE739761BCDD060A9EC530E066538
++Ciphertext = E8AC61EE6EA9DCBEDF5DD10247240E0FF3A6D1B1D2C9832A73C5EF2F96FB23C6FA571F9E407089ADAB459086B4331DBCBB3E5FC69B996748131D0D499EFF4F3654CEF8ED3C14C97C4985E5E0D6E0714E789F9D926CB26A23ACB52D6308CDB3C4DBF92F7A701513B133A0512A0CC16E13BCC7F983BC181C71A42252D48B113BAB4B861430AC6157E3043BD861C44D0804CCBB0B9D5BA599650DABE9FA7BF286EB08A97D11D5F88CB0157A4522E2C9F4EF53EB9D7679974C5AD86554EED49736D0D7B39461B92C73CBBEBAD8E92A6501293AE9A5BF0FBDA11BC743E032F78740F96F8CD71D30EA0F17F42181783C908A6008E339620CCB80226E9CDD7E5D50DEF9310DF03C971955CCF70557C9816049C2137CB7554998BD90B81AD549E9B65347E4BC798039BF05929DED052EE816EA3A87014B0D25E2E279B7736446201F52E542AA6E494BDC6D02A9A0479E1F90D5F3898A36AF7BA03E8F0BCBBF891A1C1B0B300EA664349E765EA331841ABC7963012C623318EF9B681711461ECC83EDC88722DE5E16FF1AB57B23F285CC5E75F6FCB46EEC9F919D1C089E7C045535E64A97F16662DF9CEFFB0E6C9C6402A43E47D1D073A5555A470E2451809234ABFD463A013D70288BA4A093E51FCED6A434886ED70490D63DFD809F27A773CDAC3D848A21C2937CA194C4FFBF8E50C05AEB3A530A7AB8B39B91A72EA45034A2FF8F16B1
++
++Group = modp/ietf/3072
++Secret = 0x981606068AE29B5B86E6F1E4E578010E43E1DBCB12504857CA6CDFC77913EFF0B3F563E1DDB40934B4F33099A6BF8EE8
++Msg = 0E738AF35B6AE8951E5C3BF8EB
++Nonce = F53B7EF9224D33392AE79CA3816755F066A2B15689B157FBA588CD5C247EFC9050DB2F84FA40C12E3493230D94D89306
++Ciphertext = 659C8E28BF6A26E5D55386E437F2B66282EB9F9ECA54522D8A1FDE6BC6C4D65E5412D030BDC9833F93E3653B7B58FFD66A2EBFB8AAF1F7BBB52C3CD43E08DDB3D2C73E26EEA988EEF9CFDC9C59872B4D2454A1F500911B4D3BD3EED99107FAF39D97A3302166AD5B0381ECAB769953406DD3FEB502D23587D9CF2C89F93FE6A73167E3734CD0676EE95F7C43A558A56E7B0264A6084875D1E7F2312FA7BA7145AAA5921F904EDDC7A6EC823C57AFE323E4368CD7D47CAF2F8A94D6D3117A8BE92BAF6F0392A20C7FCFE381789755B7B47B9C5496382FF26533EA7F911472F02E2F9E29CAC9CFF4AEB90C36E55A1AF5D0259B195E2824C7F6B40299D8A0858E162B3D9392E323F62B48DA629089902F16D01D1AB3DCFBAAB46F1E74ECA6560B3A97E85E9B88B8F11AA83F78E8E542B8A3B4C0E7B47220594979BC7DD12E97238EB4B91D23A8F2D5362CB8B08C1F07B3461AD0968FB3053F60ECC2B3C0E900A0A7C2924C3FA79CCB43B33B336B807C6F4B83A7AE0112BD72A13822E3CD0B2E2AF7717F2CB21BE02D8DB0EB3BCCF66836BD83C828C221569EFCAA53124D206CB51D3718BC1511799DEA0558DD6FDBFB06B3D96BAC451FE71A4244BD3CD6826BF27EA3CC7782C17DCAF52EAA944CEA734D011145F10A4132A271349A8BF1ED0D7F7EF2ABC7031475B4397574F8A7EC4F5480D85CF0CA1F7C69097A2A009FFD4927AA769FD821F64741812FE5DB996ECAD3265CE93DBA7B40532A2133FB8EE5066A0C5F91C7E0F3902B6CEA39D5BB4B59B2993B5DAA2B61FF589BF45613D1EF36D5F7D959E8255C0010EC439AAE1C9B682BAC92C2883ED279CD8C644A301150879EB8D37B217B36447CBAC37C132C0278AA8CB38A8596392E3A3CAA91573370ED44DF46311EEE878B63F947F2A28930133D343737502623D0C7D3EA5D8D8123D7963C70AD30CC865BCD68F96C1A13A3484AB4EF3828CE338BF8E087F2300B777D556974D5E23FAFD55AB54353BCA31BEC13003AC7258510578F96B8F1E2254E91768A78CF9FCC6D8CFB0493701D523F75EC25B37B623B5A73A28009DBC169A084E95D
++
++Group = modp/ietf/4096
++Secret = 0xB73A80EB48DB4DF3108BE1345281A1B39B4373BFE71CB4DA9F3594A94C525E2E288F06089F61C1D29D6A99EA775C05D6
++Msg = D413DAC9D341361F17EDCE1C46A04D343424251B
++Nonce = B9AFD0F2F97C677BD3088B032696E7928DD62AD20912367113CFE5ABEEB7B4DFAD22E30442B04571CDC683D9971DE257
++Ciphertext = 085E76D450C7FF0B2DB59D41D12596AD1B0D8AF877F5C63416D2B355ED137A5AEAB3B75AC4CBFB5168F37EC02724EA057ED5B9AAF0C40D5469FB9E068C7E090C6EB411CDFBC9A500294E2433A9F879F52F8359B0865128A76801B7C4E22D5A3A6279F755291ECC9454AC3C1F1395DA5FA8E25CD951FCBF9B569EED304B3B82B0198913FAFD0B9A3ED32A64B0E394F96C153D25FBFEF92ECB38F79F2DE12570A041C8B4E8ADB998D6A559BC9640EBA8B61A6D0387CF0CA621B6C3F60D464DE7D27D5347F79CABD09533219DD2CDA8BAB74E886E206409A94054CCF3EBBA570C33FE456BD6B0BEB564F406AF49400550AE01A21A68126C90E0B8295CB7F9C2F4C790D8B0FEFD1FC6BFF40A00737AF9EDA25A1BF00E7FEC8CE776C3D24C61EBF48049CE5B27E024B796566BA670090BAB1A6015C01DB57DFDDAD61240F151C61BC80C3BA320050D1E537D501611627531E41793C3468B87F28BF2281CE996957901BE6CE41FAB0F88467ECBC0DE6C5F60AB5A1AF21A9528B0E8BABAD56FA23F2AD3CBC521A8D54047F15F58FC9C5CD4BB322A0838EDAC053415CFED87FD0756FBFF6B052D385C2EED6FD4686E024F7175A9840DF7E74740FF368DA4DAEB879D7C0D265D51809BD6EC6A66717498A4998D0232586CA4C5F7858EBEC824821CDBD1133DA557612A398EA8F9AC959A39381FCF1D727D08136CAFC4D72E9A945043E6DE2C67F6B55C21B7EDBFDCEA2B63CF9A5BB931DFE76CA2BE5D3D964AA2C348E6DFBA4FFC4D5E463105E243BD20AF38531A70BE1DD4930F998E28C3182665507700976BC14438452179747E623B2E5328A3ED5925FA526AE897ACF67059D76D159CB31D85F03589A4874AB11A7E2BB680FCEF7A4CEBFD98B0DC18BC1AF838524107E3264C2FDACF883ED2701CF3306E83CB8E75F5ED148F3377A77474D47522596F50DADEFC149A91C619F4A9366771681CAE1A82AA57BB038E0180BD38C4323928E63FA890B85009B1A25C022AEE8DB4D7F4E34260677A22B3BC7F24089E98FC484B93EC95ED68D9D56B2F6DDBCE73AB844F5CBBD908E51651517F6920DC42F41B874EEB9DA244C4485D2A931C7A76E99D490E6B3D4AE44484CAE4B784A0773782D2B9CFB4D893E79D35CF4282CB9A70EA53700F49F6F47F374161D0B820690D2C99E3A2602B31E659E64E5D4D4BD111C73FD5AF47412748091E272947A307309F3732E04FA848AACC312ADD0323F09F7947788D9F2BC55BDB7DDDD1FE664C5C9E861F6052F8F94084927116CAB24C6B11FEE69ADD2BCED4CC7EF330519D287531861A75E0F00CA8E52CBE9B77E8F840168937222D5851C84195DD4E698AB8BB558A05026EBC09520A1B1F0BC44F699478A69E1C1384F37F16102DE90ED960CEFFD9EA299FB79D416F3AF6CCD1A022895CFE032AC65978486998E3714A56E3DBAE
++
+diff --git a/src/tests/data/pubkey/workfactor.vec b/src/tests/data/pubkey/workfactor.vec
+index 7d8999da84..1b7fa70235 100644
+--- a/src/tests/data/pubkey/workfactor.vec
++++ b/src/tests/data/pubkey/workfactor.vec
+@@ -24,20 +24,26 @@ ParamSize = 14400
+ Workfactor = 256
+
+ [DL_Exponent_Size]
++ParamSize = 192
++Workfactor = 191
++
++ParamSize = 512
++Workfactor = 192
++
+ ParamSize = 1024
+-Workfactor = 86
++Workfactor = 192
+
+ ParamSize = 1536
+-Workfactor = 103
++Workfactor = 224
+
+ ParamSize = 2048
+-Workfactor = 116
++Workfactor = 256
+
+ ParamSize = 3072
+-Workfactor = 138
++Workfactor = 384
+
+ ParamSize = 4096
+-Workfactor = 156
++Workfactor = 384
+
+ ParamSize = 8192
+-Workfactor = 208
++Workfactor = 512
+diff --git a/src/tests/test_elg.cpp b/src/tests/test_elgamal.cpp
+similarity index 54%
+rename from src/tests/test_elg.cpp
+rename to src/tests/test_elgamal.cpp
+index 6a6bdb8b54..cb69657251 100644
+--- a/src/tests/test_elg.cpp
++++ b/src/tests/test_elgamal.cpp
+@@ -1,5 +1,5 @@
+ /*
+-* (C) 2014,2015 Jack Lloyd
++* (C) 2014,2015,2020 Jack Lloyd
+ *
+ * Botan is released under the Simplified BSD License (see license.txt)
+ */
+@@ -17,15 +17,33 @@ namespace {
+
+ #if defined(BOTAN_HAS_ELGAMAL)
+
+-class ElGamal_KAT_Tests final : public PK_Encryption_Decryption_Test
++class ElGamal_Encrypt_Tests final : public PK_Encryption_Decryption_Test
+ {
+ public:
+- ElGamal_KAT_Tests()
++ ElGamal_Encrypt_Tests()
+ : PK_Encryption_Decryption_Test(
+ "ElGamal",
+- "pubkey/elgamal.vec",
+- "P,G,X,Msg,Nonce,Ciphertext",
+- "Padding") {}
++ "pubkey/elgamal_encrypt.vec",
++ "Group,Padding,Secret,Nonce,Msg,Ciphertext") {}
++
++ std::unique_ptr<Botan::Private_Key> load_private_key(const VarMap& vars) override
++ {
++ const Botan::BigInt x = vars.get_req_bn("Secret");
++ const Botan::DL_Group grp(vars.get_req_str("Group"));
++
++ std::unique_ptr<Botan::Private_Key> key(new Botan::ElGamal_PrivateKey(Test::rng(), grp, x));
++ return key;
++ }
++ };
++
++class ElGamal_Decrypt_Tests final : public PK_Decryption_Test
++ {
++ public:
++ ElGamal_Decrypt_Tests()
++ : PK_Decryption_Test(
++ "ElGamal",
++ "pubkey/elgamal_decrypt.vec",
++ "P,G,X,Msg,Ciphertext") {}
+
+ std::unique_ptr<Botan::Private_Key> load_private_key(const VarMap& vars) override
+ {
+@@ -53,7 +71,8 @@ class ElGamal_Keygen_Tests final : public PK_Key_Generation_Test
+ }
+ };
+
+-BOTAN_REGISTER_TEST("pubkey", "elgamal_encrypt", ElGamal_KAT_Tests);
++BOTAN_REGISTER_TEST("pubkey", "elgamal_encrypt", ElGamal_Encrypt_Tests);
++BOTAN_REGISTER_TEST("pubkey", "elgamal_decrypt", ElGamal_Decrypt_Tests);
+ BOTAN_REGISTER_TEST("pubkey", "elgamal_keygen", ElGamal_Keygen_Tests);
+
+ #endif
+diff --git a/src/tests/test_workfactor.cpp b/src/tests/test_workfactor.cpp
+index fe61f80e46..8c11869c73 100644
+--- a/src/tests/test_workfactor.cpp
++++ b/src/tests/test_workfactor.cpp
+@@ -34,7 +34,7 @@ class PK_Workfactor_Tests final : public Text_Based_Test
+ }
+ else if(type == "DL_Exponent_Size")
+ {
+- output = Botan::dl_exponent_size(param_size) / 2;
++ output = Botan::dl_exponent_size(param_size);
+ }
+
+ Test::Result result(type + " work factor calculation");
--
GitLab