/[smecontribs]/rpms/openssl3/contribs10/0045-FIPS-services-minimize.patch
ViewVC logotype

Annotation of /rpms/openssl3/contribs10/0045-FIPS-services-minimize.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph

Revision 1.1 - (hide annotations) (download)
Wed Jan 31 17:24:38 2024 UTC (8 months, 2 weeks ago) by jpp
Branch: MAIN
CVS Tags: openssl3-3_0_7-5_el7_sme_1, HEAD 
Initial import
1 jpp 1.1 diff -up openssl-3.0.1/providers/common/capabilities.c.fipsmin3 openssl-3.0.1/providers/common/capabilities.c
2     --- openssl-3.0.1/providers/common/capabilities.c.fipsmin3 2022-05-05 17:11:36.146638536 +0200
3     +++ openssl-3.0.1/providers/common/capabilities.c 2022-05-05 17:12:00.138848787 +0200
4     @@ -186,9 +186,9 @@ static const OSSL_PARAM param_group_list
5     TLS_GROUP_ENTRY("brainpoolP256r1", "brainpoolP256r1", "EC", 25),
6     TLS_GROUP_ENTRY("brainpoolP384r1", "brainpoolP384r1", "EC", 26),
7     TLS_GROUP_ENTRY("brainpoolP512r1", "brainpoolP512r1", "EC", 27),
8     -# endif
9     TLS_GROUP_ENTRY("x25519", "X25519", "X25519", 28),
10     TLS_GROUP_ENTRY("x448", "X448", "X448", 29),
11     +# endif
12     # endif /* OPENSSL_NO_EC */
13     # ifndef OPENSSL_NO_DH
14     /* Security bit values for FFDHE groups are as per RFC 7919 */
15     diff -up openssl-3.0.1/providers/fips/fipsprov.c.fipsmin2 openssl-3.0.1/providers/fips/fipsprov.c
16     --- openssl-3.0.1/providers/fips/fipsprov.c.fipsmin2 2022-05-05 11:42:58.596848856 +0200
17     +++ openssl-3.0.1/providers/fips/fipsprov.c 2022-05-05 11:55:42.997562712 +0200
18     @@ -54,7 +54,6 @@ static void fips_deinit_casecmp(void);
19    
20     #define ALGC(NAMES, FUNC, CHECK) { { NAMES, FIPS_DEFAULT_PROPERTIES, FUNC }, CHECK }
21     #define ALG(NAMES, FUNC) ALGC(NAMES, FUNC, NULL)
22     -
23     extern OSSL_FUNC_core_thread_start_fn *c_thread_start;
24     int FIPS_security_check_enabled(OSSL_LIB_CTX *libctx);
25    
26     @@ -191,13 +190,13 @@ static int fips_get_params(void *provctx
27     &fips_prov_ossl_ctx_method);
28    
29     p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_NAME);
30     - if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "OpenSSL FIPS Provider"))
31     + if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "Red Hat Enterprise Linux 9 - OpenSSL FIPS Provider"))
32     return 0;
33     p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_VERSION);
34     - if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_VERSION_STR))
35     + if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, REDHAT_FIPS_VERSION))
36     return 0;
37     p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_BUILDINFO);
38     - if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_FULL_VERSION_STR))
39     + if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, REDHAT_FIPS_VERSION))
40     return 0;
41     p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_STATUS);
42     if (p != NULL && !OSSL_PARAM_set_int(p, ossl_prov_is_running()))
43     @@ -281,10 +280,11 @@ static const OSSL_ALGORITHM fips_digests
44     * KECCAK-KMAC-128 and KECCAK-KMAC-256 as hashes are mostly useful for
45     * KMAC128 and KMAC256.
46     */
47     - { PROV_NAMES_KECCAK_KMAC_128, FIPS_DEFAULT_PROPERTIES,
48     + /* We don't certify KECCAK in our FIPS provider */
49     + /* { PROV_NAMES_KECCAK_KMAC_128, FIPS_DEFAULT_PROPERTIES,
50     ossl_keccak_kmac_128_functions },
51     { PROV_NAMES_KECCAK_KMAC_256, FIPS_DEFAULT_PROPERTIES,
52     - ossl_keccak_kmac_256_functions },
53     + ossl_keccak_kmac_256_functions }, */
54     { NULL, NULL, NULL }
55     };
56    
57     @@ -343,8 +343,9 @@ static const OSSL_ALGORITHM_CAPABLE fips
58     ALGC(PROV_NAMES_AES_256_CBC_HMAC_SHA256, ossl_aes256cbc_hmac_sha256_functions,
59     ossl_cipher_capable_aes_cbc_hmac_sha256),
60     #ifndef OPENSSL_NO_DES
61     - ALG(PROV_NAMES_DES_EDE3_ECB, ossl_tdes_ede3_ecb_functions),
62     - ALG(PROV_NAMES_DES_EDE3_CBC, ossl_tdes_ede3_cbc_functions),
63     + /* We don't certify 3DES in our FIPS provider */
64     + /* ALG(PROV_NAMES_DES_EDE3_ECB, ossl_tdes_ede3_ecb_functions),
65     + ALG(PROV_NAMES_DES_EDE3_CBC, ossl_tdes_ede3_cbc_functions), */
66     #endif /* OPENSSL_NO_DES */
67     { { NULL, NULL, NULL }, NULL }
68     };
69     @@ -356,8 +357,9 @@ static const OSSL_ALGORITHM fips_macs[]
70     #endif
71     { PROV_NAMES_GMAC, FIPS_DEFAULT_PROPERTIES, ossl_gmac_functions },
72     { PROV_NAMES_HMAC, FIPS_DEFAULT_PROPERTIES, ossl_hmac_functions },
73     - { PROV_NAMES_KMAC_128, FIPS_DEFAULT_PROPERTIES, ossl_kmac128_functions },
74     - { PROV_NAMES_KMAC_256, FIPS_DEFAULT_PROPERTIES, ossl_kmac256_functions },
75     + /* We don't certify KMAC in our FIPS provider */
76     + /*{ PROV_NAMES_KMAC_128, FIPS_DEFAULT_PROPERTIES, ossl_kmac128_functions },
77     + { PROV_NAMES_KMAC_256, FIPS_DEFAULT_PROPERTIES, ossl_kmac256_functions }, */
78     { NULL, NULL, NULL }
79     };
80    
81     @@ -392,8 +394,9 @@ static const OSSL_ALGORITHM fips_keyexch
82     #endif
83     #ifndef OPENSSL_NO_EC
84     { PROV_NAMES_ECDH, FIPS_DEFAULT_PROPERTIES, ossl_ecdh_keyexch_functions },
85     - { PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keyexch_functions },
86     - { PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keyexch_functions },
87     + /* We don't certify Edwards curves in our FIPS provider */
88     + /*{ PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keyexch_functions },
89     + { PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keyexch_functions },*/
90     #endif
91     { PROV_NAMES_TLS1_PRF, FIPS_DEFAULT_PROPERTIES,
92     ossl_kdf_tls1_prf_keyexch_functions },
93     @@ -403,12 +406,14 @@ static const OSSL_ALGORITHM fips_keyexch
94    
95     static const OSSL_ALGORITHM fips_signature[] = {
96     #ifndef OPENSSL_NO_DSA
97     - { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_signature_functions },
98     + /* We don't certify DSA in our FIPS provider */
99     + /* { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_signature_functions }, */
100     #endif
101     { PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_signature_functions },
102     #ifndef OPENSSL_NO_EC
103     - { PROV_NAMES_ED25519, FIPS_DEFAULT_PROPERTIES, ossl_ed25519_signature_functions },
104     - { PROV_NAMES_ED448, FIPS_DEFAULT_PROPERTIES, ossl_ed448_signature_functions },
105     + /* We don't certify Edwards curves in our FIPS provider */
106     + /* { PROV_NAMES_ED25519, FIPS_DEFAULT_PROPERTIES, ossl_ed25519_signature_functions },
107     + { PROV_NAMES_ED448, FIPS_DEFAULT_PROPERTIES, ossl_ed448_signature_functions }, */
108     { PROV_NAMES_ECDSA, FIPS_DEFAULT_PROPERTIES, ossl_ecdsa_signature_functions },
109     #endif
110     { PROV_NAMES_HMAC, FIPS_DEFAULT_PROPERTIES,
111     @@ -438,8 +443,9 @@ static const OSSL_ALGORITHM fips_keymgmt
112     PROV_DESCS_DHX },
113     #endif
114     #ifndef OPENSSL_NO_DSA
115     - { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_keymgmt_functions,
116     - PROV_DESCS_DSA },
117     + /* We don't certify DSA in our FIPS provider */
118     + /* { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_keymgmt_functions,
119     + PROV_DESCS_DSA }, */
120     #endif
121     { PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_keymgmt_functions,
122     PROV_DESCS_RSA },
123     @@ -448,14 +454,15 @@ static const OSSL_ALGORITHM fips_keymgmt
124     #ifndef OPENSSL_NO_EC
125     { PROV_NAMES_EC, FIPS_DEFAULT_PROPERTIES, ossl_ec_keymgmt_functions,
126     PROV_DESCS_EC },
127     - { PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keymgmt_functions,
128     + /* We don't certify Edwards curves in our FIPS provider */
129     + /* { PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keymgmt_functions,
130     PROV_DESCS_X25519 },
131     { PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keymgmt_functions,
132     PROV_DESCS_X448 },
133     { PROV_NAMES_ED25519, FIPS_DEFAULT_PROPERTIES, ossl_ed25519_keymgmt_functions,
134     PROV_DESCS_ED25519 },
135     { PROV_NAMES_ED448, FIPS_DEFAULT_PROPERTIES, ossl_ed448_keymgmt_functions,
136     - PROV_DESCS_ED448 },
137     + PROV_DESCS_ED448 }, */
138     #endif
139     { PROV_NAMES_TLS1_PRF, FIPS_DEFAULT_PROPERTIES, ossl_kdf_keymgmt_functions,
140     PROV_DESCS_TLS1_PRF_SIGN },
141     diff -up openssl-3.0.1/providers/fips/self_test_data.inc.fipsmin3 openssl-3.0.1/providers/fips/self_test_data.inc
142     --- openssl-3.0.1/providers/fips/self_test_data.inc.fipsmin3 2022-05-05 12:36:32.335069046 +0200
143     +++ openssl-3.0.1/providers/fips/self_test_data.inc 2022-05-05 12:40:02.427966128 +0200
144     @@ -171,6 +171,7 @@ static const ST_KAT_DIGEST st_kat_digest
145     /*- CIPHER TEST DATA */
146    
147     /* DES3 test data */
148     +#if 0
149     static const unsigned char des_ede3_cbc_pt[] = {
150     0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
151     0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
152     @@ -191,7 +192,7 @@ static const unsigned char des_ede3_cbc_
153     0x51, 0x65, 0x70, 0x48, 0x1F, 0x25, 0xB5, 0x0F,
154     0x73, 0xC0, 0xBD, 0xA8, 0x5C, 0x8E, 0x0D, 0xA7
155     };
156     -
157     +#endif
158     /* AES-256 GCM test data */
159     static const unsigned char aes_256_gcm_key[] = {
160     0x92, 0xe1, 0x1d, 0xcd, 0xaa, 0x86, 0x6f, 0x5c,
161     @@ -235,6 +236,7 @@ static const unsigned char aes_128_ecb_c
162     };
163    
164     static const ST_KAT_CIPHER st_kat_cipher_tests[] = {
165     +#if 0
166     #ifndef OPENSSL_NO_DES
167     {
168     {
169     @@ -248,6 +250,7 @@ static const ST_KAT_CIPHER st_kat_cipher
170     ITM(des_ede3_cbc_iv),
171     },
172     #endif
173     +#endif
174     {
175     {
176     OSSL_SELF_TEST_DESC_CIPHER_AES_GCM,
177     @@ -1424,8 +1427,9 @@ static const ST_KAT_PARAM ecdsa_bin_key[
178     # endif /* OPENSSL_NO_EC2M */
179     #endif /* OPENSSL_NO_EC */
180    
181     -#ifndef OPENSSL_NO_DSA
182     /* dsa 2048 */
183     +#if 0
184     +#ifndef OPENSSL_NO_DSA
185     static const unsigned char dsa_p[] = {
186     0xa2, 0x9b, 0x88, 0x72, 0xce, 0x8b, 0x84, 0x23,
187     0xb7, 0xd5, 0xd2, 0x1d, 0x4b, 0x02, 0xf5, 0x7e,
188     @@ -1549,8 +1553,8 @@ static const ST_KAT_PARAM dsa_key[] = {
189     ST_KAT_PARAM_BIGNUM(OSSL_PKEY_PARAM_PRIV_KEY, dsa_priv),
190     ST_KAT_PARAM_END()
191     };
192     -#endif /* OPENSSL_NO_DSA */
193     -
194     +#endif
195     +#endif
196     static const ST_KAT_SIGN st_kat_sign_tests[] = {
197     {
198     OSSL_SELF_TEST_DESC_SIGN_RSA,
199     @@ -1583,6 +1587,7 @@ static const ST_KAT_SIGN st_kat_sign_tes
200     },
201     # endif
202     #endif /* OPENSSL_NO_EC */
203     +#if 0
204     #ifndef OPENSSL_NO_DSA
205     {
206     OSSL_SELF_TEST_DESC_SIGN_DSA,
207     @@ -1595,6 +1600,7 @@ static const ST_KAT_SIGN st_kat_sign_tes
208     */
209     },
210     #endif /* OPENSSL_NO_DSA */
211     +#endif
212     };
213    
214     static const ST_KAT_ASYM_CIPHER st_kat_asym_cipher_tests[] = {
215     diff -up openssl-3.0.1/test/acvp_test.c.fipsmin2 openssl-3.0.1/test/acvp_test.c
216     --- openssl-3.0.1/test/acvp_test.c.fipsmin2 2022-05-05 11:42:58.597848865 +0200
217     +++ openssl-3.0.1/test/acvp_test.c 2022-05-05 11:43:30.141126336 +0200
218     @@ -1476,6 +1476,7 @@ int setup_tests(void)
219     OSSL_NELEM(dh_safe_prime_keyver_data));
220     #endif /* OPENSSL_NO_DH */
221    
222     +#if 0 /* Red Hat FIPS provider doesn't have fips=yes property on DSA */
223     #ifndef OPENSSL_NO_DSA
224     ADD_ALL_TESTS(dsa_keygen_test, OSSL_NELEM(dsa_keygen_data));
225     ADD_ALL_TESTS(dsa_paramgen_test, OSSL_NELEM(dsa_paramgen_data));
226     @@ -1483,6 +1484,7 @@ int setup_tests(void)
227     ADD_ALL_TESTS(dsa_siggen_test, OSSL_NELEM(dsa_siggen_data));
228     ADD_ALL_TESTS(dsa_sigver_test, OSSL_NELEM(dsa_sigver_data));
229     #endif /* OPENSSL_NO_DSA */
230     +#endif
231    
232     #ifndef OPENSSL_NO_EC
233     ADD_ALL_TESTS(ecdsa_keygen_test, OSSL_NELEM(ecdsa_keygen_data));
234     diff -up openssl-3.0.1/test/evp_libctx_test.c.fipsmin3 openssl-3.0.1/test/evp_libctx_test.c
235     --- openssl-3.0.1/test/evp_libctx_test.c.fipsmin3 2022-05-05 14:18:46.370911817 +0200
236     +++ openssl-3.0.1/test/evp_libctx_test.c 2022-05-05 14:30:02.117911993 +0200
237     @@ -21,6 +21,7 @@
238     */
239     #include "internal/deprecated.h"
240     #include <assert.h>
241     +#include <string.h>
242     #include <openssl/evp.h>
243     #include <openssl/provider.h>
244     #include <openssl/dsa.h>
245     @@ -725,8 +726,10 @@ int setup_tests(void)
246     if (!test_get_libctx(&libctx, &nullprov, config_file, &libprov, prov_name))
247     return 0;
248    
249     #if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_DH)
250     - ADD_ALL_TESTS(test_dsa_param_keygen, 3 * 3 * 3);
251     + if (strcmp(prov_name, "fips") != 0) {
252     + ADD_ALL_TESTS(test_dsa_param_keygen, 3 * 3 * 3);
253     + }
254     #endif
255     #ifndef OPENSSL_NO_DH
256     ADD_ALL_TESTS(test_dh_safeprime_param_keygen, 3 * 3 * 3);
257     @@ -746,7 +750,9 @@ int setup_tests(void)
258     ADD_TEST(kem_invalid_keytype);
259     #endif
260     #ifndef OPENSSL_NO_DES
261     - ADD_TEST(test_cipher_tdes_randkey);
262     + if (strcmp(prov_name, "fips") != 0) {
263     + ADD_TEST(test_cipher_tdes_randkey);
264     + }
265     #endif
266     return 1;
267     }
268     diff -up openssl-3.0.1/test/recipes/15-test_gendsa.t.fipsmin3 openssl-3.0.1/test/recipes/15-test_gendsa.t
269     --- openssl-3.0.1/test/recipes/15-test_gendsa.t.fipsmin3 2022-05-05 13:46:00.631590335 +0200
270     +++ openssl-3.0.1/test/recipes/15-test_gendsa.t 2022-05-05 13:46:06.999644496 +0200
271     @@ -24,7 +24,7 @@ use lib bldtop_dir('.');
272     plan skip_all => "This test is unsupported in a no-dsa build"
273     if disabled("dsa");
274    
275     -my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
276     +my $no_fips = 1;
277    
278     plan tests =>
279     ($no_fips ? 0 : 2) # FIPS related tests
280     diff -up openssl-3.0.1/test/recipes/20-test_cli_fips.t.fipsmin3 openssl-3.0.1/test/recipes/20-test_cli_fips.t
281     --- openssl-3.0.1/test/recipes/20-test_cli_fips.t.fipsmin3 2022-05-05 13:47:55.217564900 +0200
282     +++ openssl-3.0.1/test/recipes/20-test_cli_fips.t 2022-05-05 13:48:02.824629600 +0200
283     @@ -207,8 +207,7 @@ SKIP: {
284     }
285    
286     SKIP : {
287     - skip "FIPS DSA tests because of no dsa in this build", 1
288     - if disabled("dsa");
289     + skip "FIPS DSA tests because of no dsa in this build", 1;
290    
291     subtest DSA => sub {
292     my $testtext_prefix = 'DSA';
293     diff -up openssl-3.0.1/test/recipes/80-test_cms.t.fipsmin3 openssl-3.0.1/test/recipes/80-test_cms.t
294     --- openssl-3.0.1/test/recipes/80-test_cms.t.fipsmin3 2022-05-05 13:55:05.257292637 +0200
295     +++ openssl-3.0.1/test/recipes/80-test_cms.t 2022-05-05 13:58:35.307150750 +0200
296     @@ -95,7 +95,7 @@ my @smime_pkcs7_tests = (
297     \&final_compare
298     ],
299    
300     - [ "signed content DER format, DSA key",
301     + [ "signed content DER format, DSA key, no Red Hat FIPS",
302     [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", "-nodetach",
303     "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
304     [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
305     @@ -103,7 +103,7 @@ my @smime_pkcs7_tests = (
306     \&final_compare
307     ],
308    
309     - [ "signed detached content DER format, DSA key",
310     + [ "signed detached content DER format, DSA key, no Red Hat FIPS",
311     [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
312     "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
313     [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
314     @@ -112,7 +112,7 @@ my @smime_pkcs7_tests = (
315     \&final_compare
316     ],
317    
318     - [ "signed detached content DER format, add RSA signer (with DSA existing)",
319     + [ "signed detached content DER format, add RSA signer (with DSA existing), no Red Hat FIPS",
320     [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
321     "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
322     [ "{cmd1}", @prov, "-resign", "-in", "{output}.cms", "-inform", "DER", "-outform", "DER",
323     @@ -123,7 +123,7 @@ my @smime_pkcs7_tests = (
324     \&final_compare
325     ],
326    
327     - [ "signed content test streaming BER format, DSA key",
328     + [ "signed content test streaming BER format, DSA key, no Red Hat FIPS",
329     [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
330     "-nodetach", "-stream",
331     "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
332     @@ -132,7 +132,7 @@ my @smime_pkcs7_tests = (
333     \&final_compare
334     ],
335    
336     - [ "signed content test streaming BER format, 2 DSA and 2 RSA keys",
337     + [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no Red Hat FIPS",
338     [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
339     "-nodetach", "-stream",
340     "-signer", $smrsa1,
341     @@ -145,7 +145,7 @@ my @smime_pkcs7_tests = (
342     \&final_compare
343     ],
344    
345     - [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes",
346     + [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes, no Red Hat FIPS",
347     [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
348     "-noattr", "-nodetach", "-stream",
349     "-signer", $smrsa1,
350     @@ -175,7 +175,7 @@ my @smime_pkcs7_tests = (
351     \&zero_compare
352     ],
353    
354     - [ "signed content test streaming S/MIME format, 2 DSA and 2 RSA keys",
355     + [ "signed content test streaming S/MIME format, 2 DSA and 2 RSA keys, no Red Hat FIPS",
356     [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-nodetach",
357     "-signer", $smrsa1,
358     "-signer", catfile($smdir, "smrsa2.pem"),
359     @@ -187,7 +187,7 @@ my @smime_pkcs7_tests = (
360     \&final_compare
361     ],
362    
363     - [ "signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys",
364     + [ "signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys, no Red Hat FIPS",
365     [ "{cmd1}", @prov, "-sign", "-in", $smcont,
366     "-signer", $smrsa1,
367     "-signer", catfile($smdir, "smrsa2.pem"),
368     @@ -247,7 +247,7 @@ my @smime_pkcs7_tests = (
369    
370     my @smime_cms_tests = (
371    
372     - [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, keyid",
373     + [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, keyid, no Red Hat FIPS",
374     [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
375     "-nodetach", "-keyid",
376     "-signer", $smrsa1,
377     @@ -260,7 +260,7 @@ my @smime_cms_tests = (
378     \&final_compare
379     ],
380    
381     - [ "signed content test streaming PEM format, 2 DSA and 2 RSA keys",
382     + [ "signed content test streaming PEM format, 2 DSA and 2 RSA keys, no Red Hat FIPS",
383     [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
384     "-signer", $smrsa1,
385     "-signer", catfile($smdir, "smrsa2.pem"),
386     @@ -370,7 +370,7 @@ my @smime_cms_tests = (
387     \&final_compare
388     ],
389    
390     - [ "encrypted content test streaming PEM format, triple DES key",
391     + [ "encrypted content test streaming PEM format, triple DES key, no Red Hat FIPS",
392     [ "{cmd1}", @prov, "-EncryptedData_encrypt", "-in", $smcont, "-outform", "PEM",
393     "-des3", "-secretkey", "000102030405060708090A0B0C0D0E0F1011121314151617",
394     "-stream", "-out", "{output}.cms" ],
395     diff -up openssl-3.0.1/test/recipes/30-test_evp.t.fipsmin3 openssl-3.0.1/test/recipes/30-test_evp.t
396     --- openssl-3.0.1/test/recipes/30-test_evp.t.fipsmin3 2022-05-05 14:43:04.276857033 +0200
397     +++ openssl-3.0.1/test/recipes/30-test_evp.t 2022-05-05 14:43:35.975138234 +0200
398     @@ -43,7 +43,6 @@ my @files = qw(
399     evpciph_aes_cts.txt
400     evpciph_aes_wrap.txt
401     evpciph_aes_stitched.txt
402     - evpciph_des3_common.txt
403     evpkdf_hkdf.txt
404     evpkdf_pbkdf1.txt
405     evpkdf_pbkdf2.txt
406     @@ -66,12 +65,6 @@ push @files, qw(
407     evppkey_dh.txt
408     ) unless $no_dh;
409     push @files, qw(
410     - evpkdf_x942_des.txt
411     - evpmac_cmac_des.txt
412     - ) unless $no_des;
413     -push @files, qw(evppkey_dsa.txt) unless $no_dsa;
414     -push @files, qw(evppkey_ecx.txt) unless $no_ec;
415     -push @files, qw(
416     evppkey_ecc.txt
417     evppkey_ecdh.txt
418     evppkey_ecdsa.txt
419     @@ -91,6 +84,7 @@ my @defltfiles = qw(
420     evpciph_cast5.txt
421     evpciph_chacha.txt
422     evpciph_des.txt
423     + evpciph_des3_common.txt
424     evpciph_idea.txt
425     evpciph_rc2.txt
426     evpciph_rc4.txt
427     @@ -117,6 +111,12 @@ my @defltfiles = qw(
428     evppkey_kdf_tls1_prf.txt
429     evppkey_rsa.txt
430     );
431     +push @defltfiles, qw(evppkey_dsa.txt) unless $no_dsa;
432     +push @defltfiles, qw(evppkey_ecx.txt) unless $no_ec;
433     +push @defltfiles, qw(
434     + evpkdf_x942_des.txt
435     + evpmac_cmac_des.txt
436     + ) unless $no_des;
437     push @defltfiles, qw(evppkey_sm2.txt) unless $no_sm2;
438    
439     plan tests =>
440     diff -up openssl-3.0.1/test/recipes/30-test_evp_data/evpmac_common.txt.fipsmin3 openssl-3.0.1/test/recipes/30-test_evp_data/evpmac_common.txt
441     --- openssl-3.0.1/test/recipes/30-test_evp_data/evpmac_common.txt.fipsmin3 2022-05-05 14:46:32.721700697 +0200
442     +++ openssl-3.0.1/test/recipes/30-test_evp_data/evpmac_common.txt 2022-05-05 14:51:40.205418897 +0200
443     @@ -328,6 +328,7 @@ Input = 68F2E77696CE7AE8E2CA4EC588E54100
444     Output = 00BDA1B7E87608BCBF470F12157F4C07
445    
446    
447     +Availablein = default
448     Title = KMAC Tests (From NIST)
449     MAC = KMAC128
450     Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
451     @@ -338,12 +339,14 @@ Ctrl = xof:0
452     OutputSize = 32
453     BlockSize = 168
454    
455     +Availablein = default
456     MAC = KMAC128
457     Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
458     Input = 00010203
459     Custom = "My Tagged Application"
460     Output = 3B1FBA963CD8B0B59E8C1A6D71888B7143651AF8BA0A7070C0979E2811324AA5
461    
462     +Availablein = default
463     MAC = KMAC128
464     Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
465     Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
466     @@ -351,6 +354,7 @@ Custom = "My Tagged Application"
467     Output = 1F5B4E6CCA02209E0DCB5CA635B89A15E271ECC760071DFD805FAA38F9729230
468     Ctrl = size:32
469    
470     +Availablein = default
471     MAC = KMAC256
472     Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
473     Input = 00010203
474     @@ -359,12 +363,14 @@ Output = 20C570C31346F703C9AC36C61C03CB6
475     OutputSize = 64
476     BlockSize = 136
477    
478     +Availablein = default
479     MAC = KMAC256
480     Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
481     Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
482     Custom = ""
483     Output = 75358CF39E41494E949707927CEE0AF20A3FF553904C86B08F21CC414BCFD691589D27CF5E15369CBBFF8B9A4C2EB17800855D0235FF635DA82533EC6B759B69
484    
485     +Availablein = default
486     MAC = KMAC256
487     Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
488     Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
489     @@ -374,12 +380,14 @@ Ctrl = size:64
490    
491     Title = KMAC XOF Tests (From NIST)
492    
493     +Availablein = default
494     MAC = KMAC128
495     Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
496     Input = 00010203
497     Output = CD83740BBD92CCC8CF032B1481A0F4460E7CA9DD12B08A0C4031178BACD6EC35
498     XOF = 1
499    
500     +Availablein = default
501     MAC = KMAC128
502     Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
503     Input = 00010203
504     @@ -387,6 +395,7 @@ Custom = "My Tagged Application"
505     Output = 31A44527B4ED9F5C6101D11DE6D26F0620AA5C341DEF41299657FE9DF1A3B16C
506     XOF = 1
507    
508     +Availablein = default
509     MAC = KMAC128
510     Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
511     Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
512     @@ -395,6 +404,7 @@ Output = 47026C7CD793084AA0283C253EF6584
513     XOF = 1
514     Ctrl = size:32
515    
516     +Availablein = default
517     MAC = KMAC256
518     Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
519     Input = 00010203
520     @@ -402,6 +412,7 @@ Custom = "My Tagged Application"
521     Output = 1755133F1534752AAD0748F2C706FB5C784512CAB835CD15676B16C0C6647FA96FAA7AF634A0BF8FF6DF39374FA00FAD9A39E322A7C92065A64EB1FB0801EB2B
522     XOF = 1
523    
524     +Availablein = default
525     MAC = KMAC256
526     Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
527     Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
528     @@ -409,6 +420,7 @@ Custom = ""
529     Output = FF7B171F1E8A2B24683EED37830EE797538BA8DC563F6DA1E667391A75EDC02CA633079F81CE12A25F45615EC89972031D18337331D24CEB8F8CA8E6A19FD98B
530     XOF = 1
531    
532     +Availablein = default
533     MAC = KMAC256
534     Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
535     Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
536     @@ -419,6 +431,7 @@ XOF = 1
537    
538     Title = KMAC long customisation string (from NIST ACVP)
539    
540     +Availablein = default
541     MAC = KMAC256
542     Key = 9743DBF93102FAF11227B154B8ACD16CF142671F7AA16C559A393A38B4CEF461ED29A6A328D7379C99718790E38B54CA25E9E831CBEA463EE704D1689F94629AB795DF0C77F756DA743309C0E054596BA2D9CC1768ACF7CD351D9A7EB1ABD0A3
543     Input = BA63AC9C711F143CCE7FF92D0322649D1BE437D805FD225C0A2879A008373EC3BCCDB09971FAD2BCE5F4347AF7E5238EF01A90ED34193D6AFC1D
544     @@ -429,12 +442,14 @@ XOF = 1
545    
546     Title = KMAC XOF Tests via ctrl (From NIST)
547    
548     +Availablein = default
549     MAC = KMAC128
550     Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
551     Input = 00010203
552     Output = CD83740BBD92CCC8CF032B1481A0F4460E7CA9DD12B08A0C4031178BACD6EC35
553     Ctrl = xof:1
554    
555     +Availablein = default
556     MAC = KMAC128
557     Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
558     Input = 00010203
559     @@ -442,6 +457,7 @@ Custom = "My Tagged Application"
560     Output = 31A44527B4ED9F5C6101D11DE6D26F0620AA5C341DEF41299657FE9DF1A3B16C
561     Ctrl = xof:1
562    
563     +Availablein = default
564     MAC = KMAC128
565     Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
566     Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
567     @@ -450,6 +466,7 @@ Output = 47026C7CD793084AA0283C253EF6584
568     Ctrl = xof:1
569     Ctrl = size:32
570    
571     +Availablein = default
572     MAC = KMAC256
573     Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
574     Input = 00010203
575     @@ -457,6 +474,7 @@ Custom = "My Tagged Application"
576     Output = 1755133F1534752AAD0748F2C706FB5C784512CAB835CD15676B16C0C6647FA96FAA7AF634A0BF8FF6DF39374FA00FAD9A39E322A7C92065A64EB1FB0801EB2B
577     Ctrl = xof:1
578    
579     +Availablein = default
580     MAC = KMAC256
581     Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
582     Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
583     @@ -464,6 +482,7 @@ Custom = ""
584     Output = FF7B171F1E8A2B24683EED37830EE797538BA8DC563F6DA1E667391A75EDC02CA633079F81CE12A25F45615EC89972031D18337331D24CEB8F8CA8E6A19FD98B
585     Ctrl = xof:1
586    
587     +Availablein = default
588     MAC = KMAC256
589     Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
590     Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
591     @@ -474,6 +493,7 @@ Ctrl = xof:1
592    
593     Title = KMAC long customisation string via ctrl (from NIST ACVP)
594    
595     +Availablein = default
596     MAC = KMAC256
597     Key = 9743DBF93102FAF11227B154B8ACD16CF142671F7AA16C559A393A38B4CEF461ED29A6A328D7379C99718790E38B54CA25E9E831CBEA463EE704D1689F94629AB795DF0C77F756DA743309C0E054596BA2D9CC1768ACF7CD351D9A7EB1ABD0A3
598     Input = BA63AC9C711F143CCE7FF92D0322649D1BE437D805FD225C0A2879A008373EC3BCCDB09971FAD2BCE5F4347AF7E5238EF01A90ED34193D6AFC1D
599     @@ -484,6 +504,7 @@ Ctrl = xof:1
600    
601     Title = KMAC long customisation string negative test
602    
603     +Availablein = default
604     MAC = KMAC128
605     Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
606     Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
607     @@ -492,6 +513,7 @@ Result = MAC_INIT_ERROR
608    
609     Title = KMAC output is too large
610    
611     +Availablein = default
612     MAC = KMAC256
613     Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
614     Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
615     diff -up openssl-3.0.1/test/recipes/80-test_ssl_old.t.fipsmin3 openssl-3.0.1/test/recipes/80-test_ssl_old.t
616     --- openssl-3.0.1/test/recipes/80-test_ssl_old.t.fipsmin3 2022-05-05 16:02:59.745500635 +0200
617     +++ openssl-3.0.1/test/recipes/80-test_ssl_old.t 2022-05-05 16:10:24.071348890 +0200
618     @@ -426,7 +426,7 @@ sub testssl {
619     my @exkeys = ();
620     my $ciphers = '-PSK:-SRP:@SECLEVEL=0';
621    
622     - if (!$no_dsa) {
623     + if (!$no_dsa && $provider ne "fips") {
624     push @exkeys, "-s_cert", "certD.ss", "-s_key", $Dkey;
625     }
626    
627     diff -up openssl-3.0.1/test/endecode_test.c.fipsmin3 openssl-3.0.1/test/endecode_test.c
628     --- openssl-3.0.1/test/endecode_test.c.fipsmin3 2022-05-06 16:25:57.296926271 +0200
629     +++ openssl-3.0.1/test/endecode_test.c 2022-05-06 16:27:42.712850840 +0200
630     @@ -1387,6 +1387,7 @@ int setup_tests(void)
631     * so no legacy tests.
632     */
633     #endif
634     + if (is_fips == 0) {
635     #ifndef OPENSSL_NO_DSA
636     ADD_TEST_SUITE(DSA);
637     ADD_TEST_SUITE_PARAMS(DSA);
638     @@ -1397,6 +1398,7 @@ int setup_tests(void)
639     ADD_TEST_SUITE_PROTECTED_PVK(DSA);
640     # endif
641     #endif
642     + }
643     #ifndef OPENSSL_NO_EC
644     ADD_TEST_SUITE(EC);
645     ADD_TEST_SUITE_PARAMS(EC);
646     @@ -1411,10 +1413,12 @@ int setup_tests(void)
647     ADD_TEST_SUITE(ECExplicitTri2G);
648     ADD_TEST_SUITE_LEGACY(ECExplicitTri2G);
649     # endif
650     + if (is_fips == 0) {
651     ADD_TEST_SUITE(ED25519);
652     ADD_TEST_SUITE(ED448);
653     ADD_TEST_SUITE(X25519);
654     ADD_TEST_SUITE(X448);
655     + }
656     /*
657     * ED25519, ED448, X25519 and X448 have no support for
658     * PEM_write_bio_PrivateKey_traditional(), so no legacy tests.
659     diff -up openssl-3.0.1/apps/req.c.dfc openssl-3.0.1/apps/req.c
660     --- openssl-3.0.1/apps/req.c.dfc 2022-05-12 13:31:21.957638329 +0200
661     +++ openssl-3.0.1/apps/req.c 2022-05-12 13:31:49.587984867 +0200
662     @@ -266,7 +266,7 @@ int req_main(int argc, char **argv)
663     unsigned long chtype = MBSTRING_ASC, reqflag = 0;
664    
665     #ifndef OPENSSL_NO_DES
666     - cipher = (EVP_CIPHER *)EVP_des_ede3_cbc();
667     + cipher = (EVP_CIPHER *)EVP_aes_256_cbc();
668     #endif
669    
670     prog = opt_init(argc, argv, req_options);
671     diff -up openssl-3.0.1/apps/ecparam.c.fips_list_curves openssl-3.0.1/apps/ecparam.c
672     --- openssl-3.0.1/apps/ecparam.c.fips_list_curves 2022-05-19 11:46:22.682519422 +0200
673     +++ openssl-3.0.1/apps/ecparam.c 2022-05-19 11:50:44.559828701 +0200
674     @@ -79,6 +79,9 @@ static int list_builtin_curves(BIO *out)
675     const char *comment = curves[n].comment;
676     const char *sname = OBJ_nid2sn(curves[n].nid);
677    
678     + if ((curves[n].nid == NID_secp256k1) && EVP_default_properties_is_fips_enabled(NULL))
679     + continue;
680     +
681     if (comment == NULL)
682     comment = "CURVE DESCRIPTION NOT AVAILABLE";
683     if (sname == NULL)
684     diff -up openssl-3.0.1/ssl/ssl_ciph.c.nokrsa openssl-3.0.1/ssl/ssl_ciph.c
685     --- openssl-3.0.1/ssl/ssl_ciph.c.nokrsa 2022-05-19 13:32:32.536708638 +0200
686     +++ openssl-3.0.1/ssl/ssl_ciph.c 2022-05-19 13:42:29.734002959 +0200
687     @@ -356,6 +356,9 @@ int ssl_load_ciphers(SSL_CTX *ctx)
688     ctx->disabled_mkey_mask = 0;
689     ctx->disabled_auth_mask = 0;
690    
691     + if (EVP_default_properties_is_fips_enabled(ctx->libctx))
692     + ctx->disabled_mkey_mask |= SSL_kRSA | SSL_kRSAPSK;
693     +
694     /*
695     * We ignore any errors from the fetches below. They are expected to fail
696     * if theose algorithms are not available.
697     diff -up openssl-3.0.1/providers/implementations/signature/rsa_sig.c.fipskeylen openssl-3.0.1/providers/implementations/signature/rsa_sig.c
698     --- openssl-3.0.1/providers/implementations/signature/rsa_sig.c.fipskeylen 2022-05-23 14:58:07.764281242 +0200
699     +++ openssl-3.0.1/providers/implementations/signature/rsa_sig.c 2022-05-23 15:10:29.327993616 +0200
700     @@ -770,6 +770,19 @@ static int rsa_verify(void *vprsactx, co
701     {
702     PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
703     size_t rslen;
704     +# ifdef FIPS_MODULE
705     + size_t rsabits = RSA_bits(prsactx->rsa);
706     +
707     + if (rsabits < 2048) {
708     + if (rsabits != 1024
709     + && rsabits != 1280
710     + && rsabits != 1536
711     + && rsabits != 1792) {
712     + ERR_raise(ERR_LIB_FIPS, PROV_R_INVALID_KEY_LENGTH);
713     + return 0;
714     + }
715     + }
716     +# endif
717    
718     if (!ossl_prov_is_running())
719     return 0;
admin@koozali.org
 ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed