b0cff60812
Resolves: RHEL-80854 Resolves: RHEL-50208 Resolves: RHEL-50210 Resolves: RHEL-50211 Resolves: RHEL-85954
175 lines
6.3 KiB
Diff
175 lines
6.3 KiB
Diff
From 88abbb0a30dd2d990992c769eaad71f6c6764237 Mon Sep 17 00:00:00 2001
|
|
From: Simo Sorce <simo@redhat.com>
|
|
Date: Fri, 7 Mar 2025 18:15:13 -0500
|
|
Subject: [PATCH 44/50] FIPS: NO DES support
|
|
|
|
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
---
|
|
providers/fips/fipsprov.c | 3 ++-
|
|
providers/fips/self_test_data.inc | 5 ++++-
|
|
test/evp_libctx_test.c | 4 +++-
|
|
.../30-test_evp_data/evpciph_des3_common.txt | 13 ++++---------
|
|
test/recipes/30-test_evp_data/evpmac_cmac_des.txt | 10 ----------
|
|
test/recipes/80-test_cms.t | 2 +-
|
|
6 files changed, 14 insertions(+), 23 deletions(-)
|
|
|
|
diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c
|
|
index 7999744b5a..30f0c8ca14 100644
|
|
--- a/providers/fips/fipsprov.c
|
|
+++ b/providers/fips/fipsprov.c
|
|
@@ -354,7 +354,8 @@ static const OSSL_ALGORITHM_CAPABLE fips_ciphers[] = {
|
|
ossl_cipher_capable_aes_cbc_hmac_sha256),
|
|
ALGC(PROV_NAMES_AES_256_CBC_HMAC_SHA256, ossl_aes256cbc_hmac_sha256_functions,
|
|
ossl_cipher_capable_aes_cbc_hmac_sha256),
|
|
-#ifndef OPENSSL_NO_DES
|
|
+/* We don't certify 3DES in our FIPS provider */
|
|
+#if 0 /* ifndef OPENSSL_NO_DES */
|
|
ALG(PROV_NAMES_DES_EDE3_ECB, ossl_tdes_ede3_ecb_functions),
|
|
ALG(PROV_NAMES_DES_EDE3_CBC, ossl_tdes_ede3_cbc_functions),
|
|
#endif /* OPENSSL_NO_DES */
|
|
diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc
|
|
index 10ca473764..6a69e1687b 100644
|
|
--- a/providers/fips/self_test_data.inc
|
|
+++ b/providers/fips/self_test_data.inc
|
|
@@ -209,6 +209,7 @@ static const ST_KAT_DIGEST st_kat_digest_tests[] =
|
|
/*- CIPHER TEST DATA */
|
|
|
|
/* DES3 test data */
|
|
+#if 0
|
|
static const unsigned char des_ede3_cbc_pt[] = {
|
|
0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
|
|
0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
|
|
@@ -229,7 +230,7 @@ static const unsigned char des_ede3_cbc_ct[] = {
|
|
0x51, 0x65, 0x70, 0x48, 0x1F, 0x25, 0xB5, 0x0F,
|
|
0x73, 0xC0, 0xBD, 0xA8, 0x5C, 0x8E, 0x0D, 0xA7
|
|
};
|
|
-
|
|
+#endif
|
|
/* AES-256 GCM test data */
|
|
static const unsigned char aes_256_gcm_key[] = {
|
|
0x92, 0xe1, 0x1d, 0xcd, 0xaa, 0x86, 0x6f, 0x5c,
|
|
@@ -315,6 +316,7 @@ static const ST_KAT_CIPHER st_kat_cipher_tests[] = {
|
|
CIPHER_MODE_DECRYPT,
|
|
ITM(aes_128_ecb_key)
|
|
},
|
|
+#if 0
|
|
#ifndef OPENSSL_NO_DES
|
|
{
|
|
{
|
|
@@ -327,6 +329,7 @@ static const ST_KAT_CIPHER st_kat_cipher_tests[] = {
|
|
ITM(tdes_key)
|
|
}
|
|
#endif
|
|
+#endif
|
|
};
|
|
|
|
static const char hkdf_digest[] = "SHA256";
|
|
diff --git a/test/evp_libctx_test.c b/test/evp_libctx_test.c
|
|
index 2838f343bd..19dd2c6c63 100644
|
|
--- a/test/evp_libctx_test.c
|
|
+++ b/test/evp_libctx_test.c
|
|
@@ -831,7 +831,9 @@ int setup_tests(void)
|
|
ADD_TEST(kem_invalid_keytype);
|
|
#endif
|
|
#ifndef OPENSSL_NO_DES
|
|
- ADD_TEST(test_cipher_tdes_randkey);
|
|
+ if (strcmp(prov_name, "fips") != 0) {
|
|
+ ADD_TEST(test_cipher_tdes_randkey);
|
|
+ }
|
|
#endif
|
|
return 1;
|
|
}
|
|
diff --git a/test/recipes/30-test_evp_data/evpciph_des3_common.txt b/test/recipes/30-test_evp_data/evpciph_des3_common.txt
|
|
index 1947e21f74..119b75d9ce 100644
|
|
--- a/test/recipes/30-test_evp_data/evpciph_des3_common.txt
|
|
+++ b/test/recipes/30-test_evp_data/evpciph_des3_common.txt
|
|
@@ -14,7 +14,7 @@
|
|
Title = DES3 Tests
|
|
|
|
# DES EDE3 CBC tests (from destest)
|
|
-FIPSversion = <3.4.0
|
|
+Availablein = default
|
|
Cipher = DES-EDE3-CBC
|
|
Key = 0123456789abcdeff1e0d3c2b5a49786fedcba9876543210
|
|
IV = fedcba9876543210
|
|
@@ -24,8 +24,7 @@ NextIV = 1c673812cfde9675
|
|
|
|
# DES EDE3 ECB test
|
|
# FIPS(3.0.0): has a bug in the IV length #17591
|
|
-FIPSversion = >3.0.0
|
|
-FIPSversion = <3.4.0
|
|
+Availablein = default
|
|
Cipher = DES-EDE3-ECB
|
|
Key = 0123456789abcdeff1e0d3c2b5a49786fedcba9876543210
|
|
Plaintext = 37363534333231204E6F77206973207468652074696D6520666F722000000000
|
|
@@ -42,7 +41,6 @@ Ciphertext = 4d1332e49f380e23d80a0d8b2bae5e4e6a0094171abcfc27df2bfd40da9f4e4d
|
|
|
|
# Test that DES3 CBC mode encryption fails because it is not FIPS approved
|
|
Availablein = fips
|
|
-FIPSversion = >=3.4.0
|
|
Cipher = DES-EDE3-CBC
|
|
Key = 0123456789abcdeff1e0d3c2b5a49786fedcba9876543210
|
|
IV = fedcba9876543210
|
|
@@ -52,7 +50,6 @@ Result = CIPHERINIT_ERROR
|
|
|
|
# Test that DES3 EBC mode encryption fails because it is not FIPS approved
|
|
Availablein = fips
|
|
-FIPSversion = >=3.4.0
|
|
Cipher = DES-EDE3-ECB
|
|
Key = 0123456789abcdeff1e0d3c2b5a49786fedcba9876543210
|
|
Plaintext = 37363534333231204E6F77206973207468652074696D6520666F722000000000
|
|
@@ -62,8 +59,7 @@ Result = CIPHERINIT_ERROR
|
|
Title = DES3 FIPS Indicator Tests
|
|
|
|
# Test that DES3 CBC mode encryption is not FIPS approved
|
|
-Availablein = fips
|
|
-FIPSversion = >=3.4.0
|
|
+Availablein = none
|
|
Cipher = DES-EDE3-CBC
|
|
Unapproved = 1
|
|
CtrlInit = encrypt-check:0
|
|
@@ -74,8 +70,7 @@ Plaintext = 37363534333231204E6F77206973207468652074696D6520666F722000000000
|
|
Ciphertext = 3FE301C962AC01D02213763C1CBD4CDC799657C064ECF5D41C673812CFDE9675
|
|
|
|
# Test that DES3 ECB mode encryption is not FIPS approved
|
|
-Availablein = fipss
|
|
-FIPSversion = >=3.4.0
|
|
+Availablein = none
|
|
Cipher = DES-EDE3-ECB
|
|
Operation = ENCRYPT
|
|
Unapproved = 1
|
|
diff --git a/test/recipes/30-test_evp_data/evpmac_cmac_des.txt b/test/recipes/30-test_evp_data/evpmac_cmac_des.txt
|
|
index a11e5ffe54..e4a7cbe75e 100644
|
|
--- a/test/recipes/30-test_evp_data/evpmac_cmac_des.txt
|
|
+++ b/test/recipes/30-test_evp_data/evpmac_cmac_des.txt
|
|
@@ -35,13 +35,3 @@ Algorithm = DES-EDE3-CBC
|
|
Key = 89BCD952A8C8AB371AF48AC7D07085D5EFF702E6D62CDC23
|
|
Input = FA620C1BBE97319E9A0CF0492121F7A20EB08A6A709DCBD00AAF38E4F99E754E
|
|
Result = MAC_INIT_ERROR
|
|
-
|
|
-Availablein = fips
|
|
-FIPSversion = >=3.4.0
|
|
-MAC = CMAC
|
|
-Unapproved = 1
|
|
-Ctrl = encrypt-check:0
|
|
-Algorithm = DES-EDE3-CBC
|
|
-Key = 89BCD952A8C8AB371AF48AC7D07085D5EFF702E6D62CDC23
|
|
-Input = FA620C1BBE97319E9A0CF0492121F7A20EB08A6A709DCBD00AAF38E4F99E754E
|
|
-Output = 8F49A1B7D6AA2258
|
|
diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
|
|
index 756f90c1bd..ac833d2a2f 100644
|
|
--- a/test/recipes/80-test_cms.t
|
|
+++ b/test/recipes/80-test_cms.t
|
|
@@ -398,7 +398,7 @@ my @smime_cms_tests = (
|
|
\&final_compare
|
|
],
|
|
|
|
- [ "encrypted content test streaming PEM format, triple DES key",
|
|
+ [ "encrypted content test streaming PEM format, triple DES key, no Red Hat FIPS",
|
|
[ "{cmd1}", @defaultprov, "-EncryptedData_encrypt", "-in", $smcont, "-outform", "PEM",
|
|
"-des3", "-secretkey", "000102030405060708090A0B0C0D0E0F1011121314151617",
|
|
"-stream", "-out", "{output}.cms" ],
|
|
--
|
|
2.49.0
|
|
|