91 lines
3.8 KiB
Diff
91 lines
3.8 KiB
Diff
|
diff -up openssl-3.0.7/providers/fips/fipsprov.c.nodhx openssl-3.0.7/providers/fips/fipsprov.c
|
||
|
--- openssl-3.0.7/providers/fips/fipsprov.c.nodhx 2023-03-09 13:02:21.621694715 +0100
|
||
|
+++ openssl-3.0.7/providers/fips/fipsprov.c 2023-03-09 13:02:34.001791831 +0100
|
||
|
@@ -486,8 +486,8 @@ static const OSSL_ALGORITHM fips_keymgmt
|
||
|
#ifndef OPENSSL_NO_DH
|
||
|
{ PROV_NAMES_DH, FIPS_DEFAULT_PROPERTIES, ossl_dh_keymgmt_functions,
|
||
|
PROV_DESCS_DH },
|
||
|
- { PROV_NAMES_DHX, FIPS_DEFAULT_PROPERTIES, ossl_dhx_keymgmt_functions,
|
||
|
- PROV_DESCS_DHX },
|
||
|
+/* { PROV_NAMES_DHX, FIPS_DEFAULT_PROPERTIES, ossl_dhx_keymgmt_functions,
|
||
|
+ PROV_DESCS_DHX }, */
|
||
|
#endif
|
||
|
#ifndef OPENSSL_NO_DSA
|
||
|
/* We don't certify DSA in our FIPS provider */
|
||
|
diff -up openssl-3.0.7/test/endecode_test.c.nodhx openssl-3.0.7/test/endecode_test.c
|
||
|
--- openssl-3.0.7/test/endecode_test.c.nodhx 2023-03-09 13:39:10.826000162 +0100
|
||
|
+++ openssl-3.0.7/test/endecode_test.c 2023-03-09 13:41:26.533073598 +0100
|
||
|
@@ -1356,7 +1358,9 @@ int setup_tests(void)
|
||
|
#ifndef OPENSSL_NO_DH
|
||
|
TEST_info("Generating DH keys...");
|
||
|
MAKE_DOMAIN_KEYS(DH, "DH", NULL);
|
||
|
+if (is_fips == 0) {
|
||
|
MAKE_DOMAIN_KEYS(DHX, "X9.42 DH", NULL);
|
||
|
+}
|
||
|
#endif
|
||
|
#ifndef OPENSSL_NO_DSA
|
||
|
TEST_info("Generating DSA keys...");
|
||
|
@@ -1386,8 +1390,10 @@ int setup_tests(void)
|
||
|
#ifndef OPENSSL_NO_DH
|
||
|
ADD_TEST_SUITE(DH);
|
||
|
ADD_TEST_SUITE_PARAMS(DH);
|
||
|
+if (is_fips == 0) {
|
||
|
ADD_TEST_SUITE(DHX);
|
||
|
ADD_TEST_SUITE_PARAMS(DHX);
|
||
|
+}
|
||
|
/*
|
||
|
* DH has no support for PEM_write_bio_PrivateKey_traditional(),
|
||
|
* so no legacy tests.
|
||
|
@@ -1465,7 +1471,9 @@ void cleanup_tests(void)
|
||
|
|
||
|
#ifndef OPENSSL_NO_DH
|
||
|
FREE_DOMAIN_KEYS(DH);
|
||
|
+if (is_fips == 0) {
|
||
|
FREE_DOMAIN_KEYS(DHX);
|
||
|
+}
|
||
|
#endif
|
||
|
#ifndef OPENSSL_NO_DSA
|
||
|
FREE_DOMAIN_KEYS(DSA);
|
||
|
diff -up openssl-3.0.7/test/recipes/80-test_cms.t.nodhx openssl-3.0.7/test/recipes/80-test_cms.t
|
||
|
--- openssl-3.0.7/test/recipes/80-test_cms.t.nodhx 2023-03-09 13:31:36.851432859 +0100
|
||
|
+++ openssl-3.0.7/test/recipes/80-test_cms.t 2023-03-09 13:32:35.987888417 +0100
|
||
|
@@ -869,6 +869,8 @@ sub check_availability {
|
||
|
if ($no_ec2m && $tnam =~ /K-283/);
|
||
|
return "$tnam: skipped, DH disabled\n"
|
||
|
if ($no_dh && $tnam =~ /X9\.42/);
|
||
|
+ return "$tnam: skipped, DHX disabled in RHEL\n"
|
||
|
+ if ($provname eq 'fips' && $tnam =~ /X9\.42/);
|
||
|
return "$tnam: skipped, RC2 disabled\n"
|
||
|
if ($no_rc2 && $tnam =~ /RC2/);
|
||
|
return "$tnam: skipped, DES disabled\n"
|
||
|
diff -up openssl-3.0.7/providers/implementations/exchange/dh_exch.c.nodhx openssl-3.0.7/providers/implementations/exchange/dh_exch.c
|
||
|
--- openssl-3.0.7/providers/implementations/exchange/dh_exch.c.nodhx 2023-03-09 16:33:07.092040809 +0100
|
||
|
+++ openssl-3.0.7/providers/implementations/exchange/dh_exch.c 2023-03-09 16:42:30.594837565 +0100
|
||
|
@@ -102,6 +102,11 @@ static int dh_init(void *vpdhctx, void *
|
||
|
|| vdh == NULL
|
||
|
|| !DH_up_ref(vdh))
|
||
|
return 0;
|
||
|
+#ifdef FIPS_MODULE
|
||
|
+ if (ossl_ffc_numbers_to_dh_named_group(DH_get0_p(vdh),
|
||
|
+ DH_get0_q(vdh), DH_get0_g(vdh)) == NULL)
|
||
|
+ return 0;
|
||
|
+#endif
|
||
|
DH_free(pdhctx->dh);
|
||
|
pdhctx->dh = vdh;
|
||
|
pdhctx->kdf_type = PROV_DH_KDF_NONE;
|
||
|
diff -up openssl-3.0.7/providers/implementations/keymgmt/dh_kmgmt.c.nodhx openssl-3.0.7/providers/implementations/keymgmt/dh_kmgmt.c
|
||
|
--- openssl-3.0.7/providers/implementations/keymgmt/dh_kmgmt.c.nodhx 2023-03-09 15:38:04.024555943 +0100
|
||
|
+++ openssl-3.0.7/providers/implementations/keymgmt/dh_kmgmt.c 2023-03-09 16:32:04.142490068 +0100
|
||
|
@@ -498,6 +499,11 @@ static int dh_gen_set_template(void *gen
|
||
|
|
||
|
if (!ossl_prov_is_running() || gctx == NULL || dh == NULL)
|
||
|
return 0;
|
||
|
+#ifdef FIPS_MODULE
|
||
|
+ if (ossl_ffc_numbers_to_dh_named_group(DH_get0_p(dh),
|
||
|
+ DH_get0_q(dh), DH_get0_g(dh)) == NULL)
|
||
|
+ return 0;
|
||
|
+#endif
|
||
|
gctx->ffc_params = ossl_dh_get0_params(dh);
|
||
|
return 1;
|
||
|
}
|