From 02c75e5a653485a49b780444d5c26966109b66cb Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy
Date: Mon, 2 May 2022 15:54:28 +0200
Subject: [PATCH] We dont'want totally forbid RSA encryption. Related: rhbz#2053289
---
 0045-FIPS-services-minimize.patch | 21 ---------------------
 1 file changed, 21 deletions(-)
diff --git a/0045-FIPS-services-minimize.patch b/0045-FIPS-services-minimize.patch
index 0fb6e72..41b1646 100644
--- a/0045-FIPS-services-minimize.patch
+++ b/0045-FIPS-services-minimize.patch
@@ -89,15 +89,6 @@ diff -up openssl-3.0.0/providers/fips/fipsprov.c.fipsmin openssl-3.0.0/providers
 { PROV_NAMES_ECDSA, FIPS_DEFAULT_PROPERTIES, ossl_ecdsa_signature_functions },
 #endif
 { PROV_NAMES_HMAC, FIPS_DEFAULT_PROPERTIES,
-@@ -407,7 +407,7 @@ static const OSSL_ALGORITHM fips_signatu
- };
-
- static const OSSL_ALGORITHM fips_asym_cipher[] = {
-- { PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_asym_cipher_functions },
-+ { PROV_NAMES_RSA, FIPS_UNAPPROVED_PROPERTIES, ossl_rsa_asym_cipher_functions },
- { NULL, NULL, NULL }
- };
-
 @@ -421,7 +424,7 @@ static const OSSL_ALGORITHM fips_keymgmt
 PROV_DESCS_DHX },
 #endif
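Review bot: The commit does not say which restriction on RSA encryption is still meant to apply once the `FIPS_UNAPPROVED_PROPERTIES` override on the `fips_asym_cipher[]` entry is dropped from 0045-FIPS-services-minimize.patch. With the inner hunk gone, the entry stays at `{ PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_asym_cipher_functions }`, so everything behind `ossl_rsa_asym_cipher_functions` is again offered under the default FIPS properties. The subject says RSA encryption should not be *totally* forbidden, which suggests a narrower limit is intended, presumably in another downstream patch that is not visible here. The description should name it so a FIPS reviewer can confirm the provider has not just reverted to upstream behaviour, for example `RSA encryption stays available with fips=yes; remaining limits are enforced in <patch name>`. The second hunk, which restores `rsa_decryption_primitive_test` in test/acvp_test.c, is consistent with this change and needs no separate comment.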
@@ -128,18 +119,6 @@ diff -up openssl-3.0.0/providers/fips/fipsprov.c.fipsmin openssl-3.0.0/providers
 diff -up openssl-3.0.0/test/acvp_test.c.fipsmin openssl-3.0.0/test/acvp_test.c
 --- openssl-3.0.0/test/acvp_test.c.fipsmin 2022-01-12 18:34:17.283654119 +0100
 +++ openssl-3.0.0/test/acvp_test.c 2022-01-12 18:35:46.270430676 +0100
-@@ -1466,8 +1466,9 @@ int setup_tests(void)
- ADD_ALL_TESTS(rsa_keygen_test, OSSL_NELEM(rsa_keygen_data));
- ADD_ALL_TESTS(rsa_siggen_test, OSSL_NELEM(rsa_siggen_data));
- ADD_ALL_TESTS(rsa_sigver_test, OSSL_NELEM(rsa_sigver_data));
-- ADD_ALL_TESTS(rsa_decryption_primitive_test,
-- OSSL_NELEM(rsa_decrypt_prim_data));
-+/* Red Hat FIPS provider doesn't have fips=yes property on RSA encryption */
-+/* ADD_ALL_TESTS(rsa_decryption_primitive_test,
-+ OSSL_NELEM(rsa_decrypt_prim_data)); */
-
- #ifndef OPENSSL_NO_DH
- ADD_ALL_TESTS(dh_safe_prime_keygen_test,
 @@ -1473,6 +1473,7 @@ int setup_tests(void)
 OSSL_NELEM(dh_safe_prime_keyver_data));
 #endif /* OPENSSL_NO_DH */