05bbcc9920
- Remove the hobbling script as it is redundant. It is now allowed to ship the sources of patented EC curves, however it is still made unavailable to use by compiling with the 'no-ec2m' Configure option. The additional forbidden curves such as P-160, P-192, wap-tls curves are manually removed by updating 0011-Remove-EC-curves.patch. - Enable Brainpool curves. - Apply the changes to ec_curve.c and ectest.c as a new patch 0010-Add-changes-to-ectest-and-eccurve.patch instead of replacing them. - Modify 0011-Remove-EC-curves.patch to allow Brainpool curves. - Modify 0011-Remove-EC-curves.patch to allow code under macro OPENSSL_NO_EC2M. Resolves: rhbz#2130618, rhbz#2188180 Signed-off-by: Sahana Prasad <sahana@redhat.com>
740 lines
34 KiB
Diff
740 lines
34 KiB
Diff
diff -up openssl-3.0.1/providers/common/capabilities.c.fipsmin3 openssl-3.0.1/providers/common/capabilities.c
|
|
--- openssl-3.0.1/providers/common/capabilities.c.fipsmin3 2022-05-05 17:11:36.146638536 +0200
|
|
+++ openssl-3.0.1/providers/common/capabilities.c 2022-05-05 17:12:00.138848787 +0200
|
|
@@ -186,9 +186,9 @@ static const OSSL_PARAM param_group_list
|
|
TLS_GROUP_ENTRY("brainpoolP256r1", "brainpoolP256r1", "EC", 25),
|
|
TLS_GROUP_ENTRY("brainpoolP384r1", "brainpoolP384r1", "EC", 26),
|
|
TLS_GROUP_ENTRY("brainpoolP512r1", "brainpoolP512r1", "EC", 27),
|
|
-# endif
|
|
TLS_GROUP_ENTRY("x25519", "X25519", "X25519", 28),
|
|
TLS_GROUP_ENTRY("x448", "X448", "X448", 29),
|
|
+# endif
|
|
# endif /* OPENSSL_NO_EC */
|
|
# ifndef OPENSSL_NO_DH
|
|
/* Security bit values for FFDHE groups are as per RFC 7919 */
|
|
diff -up openssl-3.0.1/providers/fips/fipsprov.c.fipsmin2 openssl-3.0.1/providers/fips/fipsprov.c
|
|
--- openssl-3.0.1/providers/fips/fipsprov.c.fipsmin2 2022-05-05 11:42:58.596848856 +0200
|
|
+++ openssl-3.0.1/providers/fips/fipsprov.c 2022-05-05 11:55:42.997562712 +0200
|
|
@@ -54,7 +54,6 @@ static void fips_deinit_casecmp(void);
|
|
|
|
#define ALGC(NAMES, FUNC, CHECK) { { NAMES, FIPS_DEFAULT_PROPERTIES, FUNC }, CHECK }
|
|
#define ALG(NAMES, FUNC) ALGC(NAMES, FUNC, NULL)
|
|
-
|
|
extern OSSL_FUNC_core_thread_start_fn *c_thread_start;
|
|
int FIPS_security_check_enabled(OSSL_LIB_CTX *libctx);
|
|
|
|
@@ -191,13 +190,13 @@ static int fips_get_params(void *provctx
|
|
&fips_prov_ossl_ctx_method);
|
|
|
|
p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_NAME);
|
|
- if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "OpenSSL FIPS Provider"))
|
|
+ if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "Red Hat Enterprise Linux 9 - OpenSSL FIPS Provider"))
|
|
return 0;
|
|
p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_VERSION);
|
|
- if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_VERSION_STR))
|
|
+ if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, REDHAT_FIPS_VERSION))
|
|
return 0;
|
|
p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_BUILDINFO);
|
|
- if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_FULL_VERSION_STR))
|
|
+ if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, REDHAT_FIPS_VERSION))
|
|
return 0;
|
|
p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_STATUS);
|
|
if (p != NULL && !OSSL_PARAM_set_int(p, ossl_prov_is_running()))
|
|
@@ -281,10 +280,11 @@ static const OSSL_ALGORITHM fips_digests
|
|
* KECCAK-KMAC-128 and KECCAK-KMAC-256 as hashes are mostly useful for
|
|
* KMAC128 and KMAC256.
|
|
*/
|
|
- { PROV_NAMES_KECCAK_KMAC_128, FIPS_DEFAULT_PROPERTIES,
|
|
+ /* We don't certify KECCAK in our FIPS provider */
|
|
+ /* { PROV_NAMES_KECCAK_KMAC_128, FIPS_DEFAULT_PROPERTIES,
|
|
ossl_keccak_kmac_128_functions },
|
|
{ PROV_NAMES_KECCAK_KMAC_256, FIPS_DEFAULT_PROPERTIES,
|
|
- ossl_keccak_kmac_256_functions },
|
|
+ ossl_keccak_kmac_256_functions }, */
|
|
{ NULL, NULL, NULL }
|
|
};
|
|
|
|
@@ -343,8 +343,9 @@ static const OSSL_ALGORITHM_CAPABLE fips
|
|
ALGC(PROV_NAMES_AES_256_CBC_HMAC_SHA256, ossl_aes256cbc_hmac_sha256_functions,
|
|
ossl_cipher_capable_aes_cbc_hmac_sha256),
|
|
#ifndef OPENSSL_NO_DES
|
|
- ALG(PROV_NAMES_DES_EDE3_ECB, ossl_tdes_ede3_ecb_functions),
|
|
- ALG(PROV_NAMES_DES_EDE3_CBC, ossl_tdes_ede3_cbc_functions),
|
|
+ /* We don't certify 3DES in our FIPS provider */
|
|
+ /* ALG(PROV_NAMES_DES_EDE3_ECB, ossl_tdes_ede3_ecb_functions),
|
|
+ ALG(PROV_NAMES_DES_EDE3_CBC, ossl_tdes_ede3_cbc_functions), */
|
|
#endif /* OPENSSL_NO_DES */
|
|
{ { NULL, NULL, NULL }, NULL }
|
|
};
|
|
@@ -356,8 +357,9 @@ static const OSSL_ALGORITHM fips_macs[]
|
|
#endif
|
|
{ PROV_NAMES_GMAC, FIPS_DEFAULT_PROPERTIES, ossl_gmac_functions },
|
|
{ PROV_NAMES_HMAC, FIPS_DEFAULT_PROPERTIES, ossl_hmac_functions },
|
|
- { PROV_NAMES_KMAC_128, FIPS_DEFAULT_PROPERTIES, ossl_kmac128_functions },
|
|
- { PROV_NAMES_KMAC_256, FIPS_DEFAULT_PROPERTIES, ossl_kmac256_functions },
|
|
+ /* We don't certify KMAC in our FIPS provider */
|
|
+ /*{ PROV_NAMES_KMAC_128, FIPS_DEFAULT_PROPERTIES, ossl_kmac128_functions },
|
|
+ { PROV_NAMES_KMAC_256, FIPS_DEFAULT_PROPERTIES, ossl_kmac256_functions }, */
|
|
{ NULL, NULL, NULL }
|
|
};
|
|
|
|
@@ -392,8 +394,9 @@ static const OSSL_ALGORITHM fips_keyexch
|
|
#endif
|
|
#ifndef OPENSSL_NO_EC
|
|
{ PROV_NAMES_ECDH, FIPS_DEFAULT_PROPERTIES, ossl_ecdh_keyexch_functions },
|
|
- { PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keyexch_functions },
|
|
- { PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keyexch_functions },
|
|
+ /* We don't certify Edwards curves in our FIPS provider */
|
|
+ /*{ PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keyexch_functions },
|
|
+ { PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keyexch_functions },*/
|
|
#endif
|
|
{ PROV_NAMES_TLS1_PRF, FIPS_DEFAULT_PROPERTIES,
|
|
ossl_kdf_tls1_prf_keyexch_functions },
|
|
@@ -403,12 +406,14 @@ static const OSSL_ALGORITHM fips_keyexch
|
|
|
|
static const OSSL_ALGORITHM fips_signature[] = {
|
|
#ifndef OPENSSL_NO_DSA
|
|
- { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_signature_functions },
|
|
+ /* We don't certify DSA in our FIPS provider */
|
|
+ /* { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_signature_functions }, */
|
|
#endif
|
|
{ PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_signature_functions },
|
|
#ifndef OPENSSL_NO_EC
|
|
- { PROV_NAMES_ED25519, FIPS_DEFAULT_PROPERTIES, ossl_ed25519_signature_functions },
|
|
- { PROV_NAMES_ED448, FIPS_DEFAULT_PROPERTIES, ossl_ed448_signature_functions },
|
|
+ /* We don't certify Edwards curves in our FIPS provider */
|
|
+ /* { PROV_NAMES_ED25519, FIPS_DEFAULT_PROPERTIES, ossl_ed25519_signature_functions },
|
|
+ { PROV_NAMES_ED448, FIPS_DEFAULT_PROPERTIES, ossl_ed448_signature_functions }, */
|
|
{ PROV_NAMES_ECDSA, FIPS_DEFAULT_PROPERTIES, ossl_ecdsa_signature_functions },
|
|
#endif
|
|
{ PROV_NAMES_HMAC, FIPS_DEFAULT_PROPERTIES,
|
|
@@ -438,8 +443,9 @@ static const OSSL_ALGORITHM fips_keymgmt
|
|
PROV_DESCS_DHX },
|
|
#endif
|
|
#ifndef OPENSSL_NO_DSA
|
|
- { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_keymgmt_functions,
|
|
- PROV_DESCS_DSA },
|
|
+ /* We don't certify DSA in our FIPS provider */
|
|
+ /* { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_keymgmt_functions,
|
|
+ PROV_DESCS_DSA }, */
|
|
#endif
|
|
{ PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_keymgmt_functions,
|
|
PROV_DESCS_RSA },
|
|
@@ -448,14 +454,15 @@ static const OSSL_ALGORITHM fips_keymgmt
|
|
#ifndef OPENSSL_NO_EC
|
|
{ PROV_NAMES_EC, FIPS_DEFAULT_PROPERTIES, ossl_ec_keymgmt_functions,
|
|
PROV_DESCS_EC },
|
|
- { PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keymgmt_functions,
|
|
+ /* We don't certify Edwards curves in our FIPS provider */
|
|
+ /* { PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keymgmt_functions,
|
|
PROV_DESCS_X25519 },
|
|
{ PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keymgmt_functions,
|
|
PROV_DESCS_X448 },
|
|
{ PROV_NAMES_ED25519, FIPS_DEFAULT_PROPERTIES, ossl_ed25519_keymgmt_functions,
|
|
PROV_DESCS_ED25519 },
|
|
{ PROV_NAMES_ED448, FIPS_DEFAULT_PROPERTIES, ossl_ed448_keymgmt_functions,
|
|
- PROV_DESCS_ED448 },
|
|
+ PROV_DESCS_ED448 }, */
|
|
#endif
|
|
{ PROV_NAMES_TLS1_PRF, FIPS_DEFAULT_PROPERTIES, ossl_kdf_keymgmt_functions,
|
|
PROV_DESCS_TLS1_PRF_SIGN },
|
|
diff -up openssl-3.0.1/providers/fips/self_test_data.inc.fipsmin3 openssl-3.0.1/providers/fips/self_test_data.inc
|
|
--- openssl-3.0.1/providers/fips/self_test_data.inc.fipsmin3 2022-05-05 12:36:32.335069046 +0200
|
|
+++ openssl-3.0.1/providers/fips/self_test_data.inc 2022-05-05 12:40:02.427966128 +0200
|
|
@@ -171,6 +171,7 @@ static const ST_KAT_DIGEST st_kat_digest
|
|
/*- CIPHER TEST DATA */
|
|
|
|
/* DES3 test data */
|
|
+#if 0
|
|
static const unsigned char des_ede3_cbc_pt[] = {
|
|
0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
|
|
0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
|
|
@@ -191,7 +192,7 @@ static const unsigned char des_ede3_cbc_
|
|
0x51, 0x65, 0x70, 0x48, 0x1F, 0x25, 0xB5, 0x0F,
|
|
0x73, 0xC0, 0xBD, 0xA8, 0x5C, 0x8E, 0x0D, 0xA7
|
|
};
|
|
-
|
|
+#endif
|
|
/* AES-256 GCM test data */
|
|
static const unsigned char aes_256_gcm_key[] = {
|
|
0x92, 0xe1, 0x1d, 0xcd, 0xaa, 0x86, 0x6f, 0x5c,
|
|
@@ -235,6 +236,7 @@ static const unsigned char aes_128_ecb_c
|
|
};
|
|
|
|
static const ST_KAT_CIPHER st_kat_cipher_tests[] = {
|
|
+#if 0
|
|
#ifndef OPENSSL_NO_DES
|
|
{
|
|
{
|
|
@@ -248,6 +250,7 @@ static const ST_KAT_CIPHER st_kat_cipher
|
|
ITM(des_ede3_cbc_iv),
|
|
},
|
|
#endif
|
|
+#endif
|
|
{
|
|
{
|
|
OSSL_SELF_TEST_DESC_CIPHER_AES_GCM,
|
|
@@ -1424,8 +1427,9 @@ static const ST_KAT_PARAM ecdsa_bin_key[
|
|
# endif /* OPENSSL_NO_EC2M */
|
|
#endif /* OPENSSL_NO_EC */
|
|
|
|
-#ifndef OPENSSL_NO_DSA
|
|
/* dsa 2048 */
|
|
+#if 0
|
|
+#ifndef OPENSSL_NO_DSA
|
|
static const unsigned char dsa_p[] = {
|
|
0xa2, 0x9b, 0x88, 0x72, 0xce, 0x8b, 0x84, 0x23,
|
|
0xb7, 0xd5, 0xd2, 0x1d, 0x4b, 0x02, 0xf5, 0x7e,
|
|
@@ -1549,8 +1553,8 @@ static const ST_KAT_PARAM dsa_key[] = {
|
|
ST_KAT_PARAM_BIGNUM(OSSL_PKEY_PARAM_PRIV_KEY, dsa_priv),
|
|
ST_KAT_PARAM_END()
|
|
};
|
|
-#endif /* OPENSSL_NO_DSA */
|
|
-
|
|
+#endif
|
|
+#endif
|
|
static const ST_KAT_SIGN st_kat_sign_tests[] = {
|
|
{
|
|
OSSL_SELF_TEST_DESC_SIGN_RSA,
|
|
@@ -1583,6 +1587,7 @@ static const ST_KAT_SIGN st_kat_sign_tes
|
|
},
|
|
# endif
|
|
#endif /* OPENSSL_NO_EC */
|
|
+#if 0
|
|
#ifndef OPENSSL_NO_DSA
|
|
{
|
|
OSSL_SELF_TEST_DESC_SIGN_DSA,
|
|
@@ -1595,6 +1600,7 @@ static const ST_KAT_SIGN st_kat_sign_tes
|
|
*/
|
|
},
|
|
#endif /* OPENSSL_NO_DSA */
|
|
+#endif
|
|
};
|
|
|
|
static const ST_KAT_ASYM_CIPHER st_kat_asym_cipher_tests[] = {
|
|
diff -up openssl-3.0.1/test/acvp_test.c.fipsmin2 openssl-3.0.1/test/acvp_test.c
|
|
--- openssl-3.0.1/test/acvp_test.c.fipsmin2 2022-05-05 11:42:58.597848865 +0200
|
|
+++ openssl-3.0.1/test/acvp_test.c 2022-05-05 11:43:30.141126336 +0200
|
|
@@ -1476,6 +1476,7 @@ int setup_tests(void)
|
|
OSSL_NELEM(dh_safe_prime_keyver_data));
|
|
#endif /* OPENSSL_NO_DH */
|
|
|
|
+#if 0 /* Red Hat FIPS provider doesn't have fips=yes property on DSA */
|
|
#ifndef OPENSSL_NO_DSA
|
|
ADD_ALL_TESTS(dsa_keygen_test, OSSL_NELEM(dsa_keygen_data));
|
|
ADD_ALL_TESTS(dsa_paramgen_test, OSSL_NELEM(dsa_paramgen_data));
|
|
@@ -1483,6 +1484,7 @@ int setup_tests(void)
|
|
ADD_ALL_TESTS(dsa_siggen_test, OSSL_NELEM(dsa_siggen_data));
|
|
ADD_ALL_TESTS(dsa_sigver_test, OSSL_NELEM(dsa_sigver_data));
|
|
#endif /* OPENSSL_NO_DSA */
|
|
+#endif
|
|
|
|
#ifndef OPENSSL_NO_EC
|
|
ADD_ALL_TESTS(ecdsa_keygen_test, OSSL_NELEM(ecdsa_keygen_data));
|
|
diff -up openssl-3.0.1/test/evp_libctx_test.c.fipsmin3 openssl-3.0.1/test/evp_libctx_test.c
|
|
--- openssl-3.0.1/test/evp_libctx_test.c.fipsmin3 2022-05-05 14:18:46.370911817 +0200
|
|
+++ openssl-3.0.1/test/evp_libctx_test.c 2022-05-05 14:30:02.117911993 +0200
|
|
@@ -21,6 +21,7 @@
|
|
*/
|
|
#include "internal/deprecated.h"
|
|
#include <assert.h>
|
|
+#include <string.h>
|
|
#include <openssl/evp.h>
|
|
#include <openssl/provider.h>
|
|
#include <openssl/dsa.h>
|
|
@@ -725,8 +726,10 @@ int setup_tests(void)
|
|
if (!test_get_libctx(&libctx, &nullprov, config_file, &libprov, prov_name))
|
|
return 0;
|
|
|
|
#if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_DH)
|
|
- ADD_ALL_TESTS(test_dsa_param_keygen, 3 * 3 * 3);
|
|
+ if (strcmp(prov_name, "fips") != 0) {
|
|
+ ADD_ALL_TESTS(test_dsa_param_keygen, 3 * 3 * 3);
|
|
+ }
|
|
#endif
|
|
#ifndef OPENSSL_NO_DH
|
|
ADD_ALL_TESTS(test_dh_safeprime_param_keygen, 3 * 3 * 3);
|
|
@@ -746,7 +750,9 @@ int setup_tests(void)
|
|
ADD_TEST(kem_invalid_keytype);
|
|
#endif
|
|
#ifndef OPENSSL_NO_DES
|
|
- ADD_TEST(test_cipher_tdes_randkey);
|
|
+ if (strcmp(prov_name, "fips") != 0) {
|
|
+ ADD_TEST(test_cipher_tdes_randkey);
|
|
+ }
|
|
#endif
|
|
return 1;
|
|
}
|
|
diff -up openssl-3.0.1/test/recipes/15-test_gendsa.t.fipsmin3 openssl-3.0.1/test/recipes/15-test_gendsa.t
|
|
--- openssl-3.0.1/test/recipes/15-test_gendsa.t.fipsmin3 2022-05-05 13:46:00.631590335 +0200
|
|
+++ openssl-3.0.1/test/recipes/15-test_gendsa.t 2022-05-05 13:46:06.999644496 +0200
|
|
@@ -24,7 +24,7 @@ use lib bldtop_dir('.');
|
|
plan skip_all => "This test is unsupported in a no-dsa build"
|
|
if disabled("dsa");
|
|
|
|
-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
|
|
+my $no_fips = 1;
|
|
|
|
plan tests =>
|
|
($no_fips ? 0 : 2) # FIPS related tests
|
|
diff -up openssl-3.0.1/test/recipes/20-test_cli_fips.t.fipsmin3 openssl-3.0.1/test/recipes/20-test_cli_fips.t
|
|
--- openssl-3.0.1/test/recipes/20-test_cli_fips.t.fipsmin3 2022-05-05 13:47:55.217564900 +0200
|
|
+++ openssl-3.0.1/test/recipes/20-test_cli_fips.t 2022-05-05 13:48:02.824629600 +0200
|
|
@@ -207,8 +207,7 @@ SKIP: {
|
|
}
|
|
|
|
SKIP : {
|
|
- skip "FIPS DSA tests because of no dsa in this build", 1
|
|
- if disabled("dsa");
|
|
+ skip "FIPS DSA tests because of no dsa in this build", 1;
|
|
|
|
subtest DSA => sub {
|
|
my $testtext_prefix = 'DSA';
|
|
diff -up openssl-3.0.1/test/recipes/80-test_cms.t.fipsmin3 openssl-3.0.1/test/recipes/80-test_cms.t
|
|
--- openssl-3.0.1/test/recipes/80-test_cms.t.fipsmin3 2022-05-05 13:55:05.257292637 +0200
|
|
+++ openssl-3.0.1/test/recipes/80-test_cms.t 2022-05-05 13:58:35.307150750 +0200
|
|
@@ -95,7 +95,7 @@ my @smime_pkcs7_tests = (
|
|
\&final_compare
|
|
],
|
|
|
|
- [ "signed content DER format, DSA key",
|
|
+ [ "signed content DER format, DSA key, no Red Hat FIPS",
|
|
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", "-nodetach",
|
|
"-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
|
|
[ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
|
|
@@ -103,7 +103,7 @@ my @smime_pkcs7_tests = (
|
|
\&final_compare
|
|
],
|
|
|
|
- [ "signed detached content DER format, DSA key",
|
|
+ [ "signed detached content DER format, DSA key, no Red Hat FIPS",
|
|
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
|
|
"-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
|
|
[ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
|
|
@@ -112,7 +112,7 @@ my @smime_pkcs7_tests = (
|
|
\&final_compare
|
|
],
|
|
|
|
- [ "signed detached content DER format, add RSA signer (with DSA existing)",
|
|
+ [ "signed detached content DER format, add RSA signer (with DSA existing), no Red Hat FIPS",
|
|
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
|
|
"-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
|
|
[ "{cmd1}", @prov, "-resign", "-in", "{output}.cms", "-inform", "DER", "-outform", "DER",
|
|
@@ -123,7 +123,7 @@ my @smime_pkcs7_tests = (
|
|
\&final_compare
|
|
],
|
|
|
|
- [ "signed content test streaming BER format, DSA key",
|
|
+ [ "signed content test streaming BER format, DSA key, no Red Hat FIPS",
|
|
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
|
|
"-nodetach", "-stream",
|
|
"-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
|
|
@@ -132,7 +132,7 @@ my @smime_pkcs7_tests = (
|
|
\&final_compare
|
|
],
|
|
|
|
- [ "signed content test streaming BER format, 2 DSA and 2 RSA keys",
|
|
+ [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no Red Hat FIPS",
|
|
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
|
|
"-nodetach", "-stream",
|
|
"-signer", $smrsa1,
|
|
@@ -145,7 +145,7 @@ my @smime_pkcs7_tests = (
|
|
\&final_compare
|
|
],
|
|
|
|
- [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes",
|
|
+ [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes, no Red Hat FIPS",
|
|
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
|
|
"-noattr", "-nodetach", "-stream",
|
|
"-signer", $smrsa1,
|
|
@@ -175,7 +175,7 @@ my @smime_pkcs7_tests = (
|
|
\&zero_compare
|
|
],
|
|
|
|
- [ "signed content test streaming S/MIME format, 2 DSA and 2 RSA keys",
|
|
+ [ "signed content test streaming S/MIME format, 2 DSA and 2 RSA keys, no Red Hat FIPS",
|
|
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-nodetach",
|
|
"-signer", $smrsa1,
|
|
"-signer", catfile($smdir, "smrsa2.pem"),
|
|
@@ -187,7 +187,7 @@ my @smime_pkcs7_tests = (
|
|
\&final_compare
|
|
],
|
|
|
|
- [ "signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys",
|
|
+ [ "signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys, no Red Hat FIPS",
|
|
[ "{cmd1}", @prov, "-sign", "-in", $smcont,
|
|
"-signer", $smrsa1,
|
|
"-signer", catfile($smdir, "smrsa2.pem"),
|
|
@@ -247,7 +247,7 @@ my @smime_pkcs7_tests = (
|
|
|
|
my @smime_cms_tests = (
|
|
|
|
- [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, keyid",
|
|
+ [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, keyid, no Red Hat FIPS",
|
|
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
|
|
"-nodetach", "-keyid",
|
|
"-signer", $smrsa1,
|
|
@@ -260,7 +260,7 @@ my @smime_cms_tests = (
|
|
\&final_compare
|
|
],
|
|
|
|
- [ "signed content test streaming PEM format, 2 DSA and 2 RSA keys",
|
|
+ [ "signed content test streaming PEM format, 2 DSA and 2 RSA keys, no Red Hat FIPS",
|
|
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
|
|
"-signer", $smrsa1,
|
|
"-signer", catfile($smdir, "smrsa2.pem"),
|
|
@@ -370,7 +370,7 @@ my @smime_cms_tests = (
|
|
\&final_compare
|
|
],
|
|
|
|
- [ "encrypted content test streaming PEM format, triple DES key",
|
|
+ [ "encrypted content test streaming PEM format, triple DES key, no Red Hat FIPS",
|
|
[ "{cmd1}", @prov, "-EncryptedData_encrypt", "-in", $smcont, "-outform", "PEM",
|
|
"-des3", "-secretkey", "000102030405060708090A0B0C0D0E0F1011121314151617",
|
|
"-stream", "-out", "{output}.cms" ],
|
|
diff -up openssl-3.0.1/test/recipes/30-test_evp.t.fipsmin3 openssl-3.0.1/test/recipes/30-test_evp.t
|
|
--- openssl-3.0.1/test/recipes/30-test_evp.t.fipsmin3 2022-05-05 14:43:04.276857033 +0200
|
|
+++ openssl-3.0.1/test/recipes/30-test_evp.t 2022-05-05 14:43:35.975138234 +0200
|
|
@@ -43,7 +43,6 @@ my @files = qw(
|
|
evpciph_aes_cts.txt
|
|
evpciph_aes_wrap.txt
|
|
evpciph_aes_stitched.txt
|
|
- evpciph_des3_common.txt
|
|
evpkdf_hkdf.txt
|
|
evpkdf_pbkdf1.txt
|
|
evpkdf_pbkdf2.txt
|
|
@@ -66,12 +65,6 @@ push @files, qw(
|
|
evppkey_dh.txt
|
|
) unless $no_dh;
|
|
push @files, qw(
|
|
- evpkdf_x942_des.txt
|
|
- evpmac_cmac_des.txt
|
|
- ) unless $no_des;
|
|
-push @files, qw(evppkey_dsa.txt) unless $no_dsa;
|
|
-push @files, qw(evppkey_ecx.txt) unless $no_ec;
|
|
-push @files, qw(
|
|
evppkey_ecc.txt
|
|
evppkey_ecdh.txt
|
|
evppkey_ecdsa.txt
|
|
@@ -91,6 +84,7 @@ my @defltfiles = qw(
|
|
evpciph_cast5.txt
|
|
evpciph_chacha.txt
|
|
evpciph_des.txt
|
|
+ evpciph_des3_common.txt
|
|
evpciph_idea.txt
|
|
evpciph_rc2.txt
|
|
evpciph_rc4.txt
|
|
@@ -117,6 +111,12 @@ my @defltfiles = qw(
|
|
evppkey_kdf_tls1_prf.txt
|
|
evppkey_rsa.txt
|
|
);
|
|
+push @defltfiles, qw(evppkey_dsa.txt) unless $no_dsa;
|
|
+push @defltfiles, qw(evppkey_ecx.txt) unless $no_ec;
|
|
+push @defltfiles, qw(
|
|
+ evpkdf_x942_des.txt
|
|
+ evpmac_cmac_des.txt
|
|
+ ) unless $no_des;
|
|
push @defltfiles, qw(evppkey_brainpool.txt) unless $no_ec;
|
|
push @defltfiles, qw(evppkey_sm2.txt) unless $no_sm2;
|
|
|
|
diff -up openssl-3.0.1/test/recipes/30-test_evp_data/evpmac_common.txt.fipsmin3 openssl-3.0.1/test/recipes/30-test_evp_data/evpmac_common.txt
|
|
--- openssl-3.0.1/test/recipes/30-test_evp_data/evpmac_common.txt.fipsmin3 2022-05-05 14:46:32.721700697 +0200
|
|
+++ openssl-3.0.1/test/recipes/30-test_evp_data/evpmac_common.txt 2022-05-05 14:51:40.205418897 +0200
|
|
@@ -328,6 +328,7 @@ Input = 68F2E77696CE7AE8E2CA4EC588E54100
|
|
Output = 00BDA1B7E87608BCBF470F12157F4C07
|
|
|
|
|
|
+Availablein = default
|
|
Title = KMAC Tests (From NIST)
|
|
MAC = KMAC128
|
|
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
|
@@ -338,12 +339,14 @@ Ctrl = xof:0
|
|
OutputSize = 32
|
|
BlockSize = 168
|
|
|
|
+Availablein = default
|
|
MAC = KMAC128
|
|
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
|
Input = 00010203
|
|
Custom = "My Tagged Application"
|
|
Output = 3B1FBA963CD8B0B59E8C1A6D71888B7143651AF8BA0A7070C0979E2811324AA5
|
|
|
|
+Availablein = default
|
|
MAC = KMAC128
|
|
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
|
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
|
|
@@ -351,6 +354,7 @@ Custom = "My Tagged Application"
|
|
Output = 1F5B4E6CCA02209E0DCB5CA635B89A15E271ECC760071DFD805FAA38F9729230
|
|
Ctrl = size:32
|
|
|
|
+Availablein = default
|
|
MAC = KMAC256
|
|
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
|
Input = 00010203
|
|
@@ -359,12 +363,14 @@ Output = 20C570C31346F703C9AC36C61C03CB6
|
|
OutputSize = 64
|
|
BlockSize = 136
|
|
|
|
+Availablein = default
|
|
MAC = KMAC256
|
|
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
|
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
|
|
Custom = ""
|
|
Output = 75358CF39E41494E949707927CEE0AF20A3FF553904C86B08F21CC414BCFD691589D27CF5E15369CBBFF8B9A4C2EB17800855D0235FF635DA82533EC6B759B69
|
|
|
|
+Availablein = default
|
|
MAC = KMAC256
|
|
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
|
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
|
|
@@ -374,12 +380,14 @@ Ctrl = size:64
|
|
|
|
Title = KMAC XOF Tests (From NIST)
|
|
|
|
+Availablein = default
|
|
MAC = KMAC128
|
|
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
|
Input = 00010203
|
|
Output = CD83740BBD92CCC8CF032B1481A0F4460E7CA9DD12B08A0C4031178BACD6EC35
|
|
XOF = 1
|
|
|
|
+Availablein = default
|
|
MAC = KMAC128
|
|
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
|
Input = 00010203
|
|
@@ -387,6 +395,7 @@ Custom = "My Tagged Application"
|
|
Output = 31A44527B4ED9F5C6101D11DE6D26F0620AA5C341DEF41299657FE9DF1A3B16C
|
|
XOF = 1
|
|
|
|
+Availablein = default
|
|
MAC = KMAC128
|
|
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
|
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
|
|
@@ -395,6 +404,7 @@ Output = 47026C7CD793084AA0283C253EF6584
|
|
XOF = 1
|
|
Ctrl = size:32
|
|
|
|
+Availablein = default
|
|
MAC = KMAC256
|
|
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
|
Input = 00010203
|
|
@@ -402,6 +412,7 @@ Custom = "My Tagged Application"
|
|
Output = 1755133F1534752AAD0748F2C706FB5C784512CAB835CD15676B16C0C6647FA96FAA7AF634A0BF8FF6DF39374FA00FAD9A39E322A7C92065A64EB1FB0801EB2B
|
|
XOF = 1
|
|
|
|
+Availablein = default
|
|
MAC = KMAC256
|
|
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
|
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
|
|
@@ -409,6 +420,7 @@ Custom = ""
|
|
Output = FF7B171F1E8A2B24683EED37830EE797538BA8DC563F6DA1E667391A75EDC02CA633079F81CE12A25F45615EC89972031D18337331D24CEB8F8CA8E6A19FD98B
|
|
XOF = 1
|
|
|
|
+Availablein = default
|
|
MAC = KMAC256
|
|
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
|
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
|
|
@@ -419,6 +431,7 @@ XOF = 1
|
|
|
|
Title = KMAC long customisation string (from NIST ACVP)
|
|
|
|
+Availablein = default
|
|
MAC = KMAC256
|
|
Key = 9743DBF93102FAF11227B154B8ACD16CF142671F7AA16C559A393A38B4CEF461ED29A6A328D7379C99718790E38B54CA25E9E831CBEA463EE704D1689F94629AB795DF0C77F756DA743309C0E054596BA2D9CC1768ACF7CD351D9A7EB1ABD0A3
|
|
Input = BA63AC9C711F143CCE7FF92D0322649D1BE437D805FD225C0A2879A008373EC3BCCDB09971FAD2BCE5F4347AF7E5238EF01A90ED34193D6AFC1D
|
|
@@ -429,12 +442,14 @@ XOF = 1
|
|
|
|
Title = KMAC XOF Tests via ctrl (From NIST)
|
|
|
|
+Availablein = default
|
|
MAC = KMAC128
|
|
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
|
Input = 00010203
|
|
Output = CD83740BBD92CCC8CF032B1481A0F4460E7CA9DD12B08A0C4031178BACD6EC35
|
|
Ctrl = xof:1
|
|
|
|
+Availablein = default
|
|
MAC = KMAC128
|
|
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
|
Input = 00010203
|
|
@@ -442,6 +457,7 @@ Custom = "My Tagged Application"
|
|
Output = 31A44527B4ED9F5C6101D11DE6D26F0620AA5C341DEF41299657FE9DF1A3B16C
|
|
Ctrl = xof:1
|
|
|
|
+Availablein = default
|
|
MAC = KMAC128
|
|
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
|
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
|
|
@@ -450,6 +466,7 @@ Output = 47026C7CD793084AA0283C253EF6584
|
|
Ctrl = xof:1
|
|
Ctrl = size:32
|
|
|
|
+Availablein = default
|
|
MAC = KMAC256
|
|
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
|
Input = 00010203
|
|
@@ -457,6 +474,7 @@ Custom = "My Tagged Application"
|
|
Output = 1755133F1534752AAD0748F2C706FB5C784512CAB835CD15676B16C0C6647FA96FAA7AF634A0BF8FF6DF39374FA00FAD9A39E322A7C92065A64EB1FB0801EB2B
|
|
Ctrl = xof:1
|
|
|
|
+Availablein = default
|
|
MAC = KMAC256
|
|
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
|
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
|
|
@@ -464,6 +482,7 @@ Custom = ""
|
|
Output = FF7B171F1E8A2B24683EED37830EE797538BA8DC563F6DA1E667391A75EDC02CA633079F81CE12A25F45615EC89972031D18337331D24CEB8F8CA8E6A19FD98B
|
|
Ctrl = xof:1
|
|
|
|
+Availablein = default
|
|
MAC = KMAC256
|
|
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
|
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
|
|
@@ -474,6 +493,7 @@ Ctrl = xof:1
|
|
|
|
Title = KMAC long customisation string via ctrl (from NIST ACVP)
|
|
|
|
+Availablein = default
|
|
MAC = KMAC256
|
|
Key = 9743DBF93102FAF11227B154B8ACD16CF142671F7AA16C559A393A38B4CEF461ED29A6A328D7379C99718790E38B54CA25E9E831CBEA463EE704D1689F94629AB795DF0C77F756DA743309C0E054596BA2D9CC1768ACF7CD351D9A7EB1ABD0A3
|
|
Input = BA63AC9C711F143CCE7FF92D0322649D1BE437D805FD225C0A2879A008373EC3BCCDB09971FAD2BCE5F4347AF7E5238EF01A90ED34193D6AFC1D
|
|
@@ -484,6 +504,7 @@ Ctrl = xof:1
|
|
|
|
Title = KMAC long customisation string negative test
|
|
|
|
+Availablein = default
|
|
MAC = KMAC128
|
|
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
|
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
|
|
@@ -492,6 +513,7 @@ Result = MAC_INIT_ERROR
|
|
|
|
Title = KMAC output is too large
|
|
|
|
+Availablein = default
|
|
MAC = KMAC256
|
|
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
|
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
|
|
diff -up openssl-3.0.1/test/recipes/80-test_ssl_old.t.fipsmin3 openssl-3.0.1/test/recipes/80-test_ssl_old.t
|
|
--- openssl-3.0.1/test/recipes/80-test_ssl_old.t.fipsmin3 2022-05-05 16:02:59.745500635 +0200
|
|
+++ openssl-3.0.1/test/recipes/80-test_ssl_old.t 2022-05-05 16:10:24.071348890 +0200
|
|
@@ -426,7 +426,7 @@ sub testssl {
|
|
my @exkeys = ();
|
|
my $ciphers = '-PSK:-SRP:@SECLEVEL=0';
|
|
|
|
- if (!$no_dsa) {
|
|
+ if (!$no_dsa && $provider ne "fips") {
|
|
push @exkeys, "-s_cert", "certD.ss", "-s_key", $Dkey;
|
|
}
|
|
|
|
diff -up openssl-3.0.1/test/endecode_test.c.fipsmin3 openssl-3.0.1/test/endecode_test.c
|
|
--- openssl-3.0.1/test/endecode_test.c.fipsmin3 2022-05-06 16:25:57.296926271 +0200
|
|
+++ openssl-3.0.1/test/endecode_test.c 2022-05-06 16:27:42.712850840 +0200
|
|
@@ -1387,6 +1387,7 @@ int setup_tests(void)
|
|
* so no legacy tests.
|
|
*/
|
|
#endif
|
|
+ if (is_fips == 0) {
|
|
#ifndef OPENSSL_NO_DSA
|
|
ADD_TEST_SUITE(DSA);
|
|
ADD_TEST_SUITE_PARAMS(DSA);
|
|
@@ -1397,6 +1398,7 @@ int setup_tests(void)
|
|
ADD_TEST_SUITE_PROTECTED_PVK(DSA);
|
|
# endif
|
|
#endif
|
|
+ }
|
|
#ifndef OPENSSL_NO_EC
|
|
ADD_TEST_SUITE(EC);
|
|
ADD_TEST_SUITE_PARAMS(EC);
|
|
@@ -1411,10 +1413,12 @@ int setup_tests(void)
|
|
ADD_TEST_SUITE(ECExplicitTri2G);
|
|
ADD_TEST_SUITE_LEGACY(ECExplicitTri2G);
|
|
# endif
|
|
+ if (is_fips == 0) {
|
|
ADD_TEST_SUITE(ED25519);
|
|
ADD_TEST_SUITE(ED448);
|
|
ADD_TEST_SUITE(X25519);
|
|
ADD_TEST_SUITE(X448);
|
|
+ }
|
|
/*
|
|
* ED25519, ED448, X25519 and X448 have no support for
|
|
* PEM_write_bio_PrivateKey_traditional(), so no legacy tests.
|
|
diff -up openssl-3.0.1/apps/req.c.dfc openssl-3.0.1/apps/req.c
|
|
--- openssl-3.0.1/apps/req.c.dfc 2022-05-12 13:31:21.957638329 +0200
|
|
+++ openssl-3.0.1/apps/req.c 2022-05-12 13:31:49.587984867 +0200
|
|
@@ -266,7 +266,7 @@ int req_main(int argc, char **argv)
|
|
unsigned long chtype = MBSTRING_ASC, reqflag = 0;
|
|
|
|
#ifndef OPENSSL_NO_DES
|
|
- cipher = (EVP_CIPHER *)EVP_des_ede3_cbc();
|
|
+ cipher = (EVP_CIPHER *)EVP_aes_256_cbc();
|
|
#endif
|
|
|
|
prog = opt_init(argc, argv, req_options);
|
|
diff -up openssl-3.0.1/apps/ecparam.c.fips_list_curves openssl-3.0.1/apps/ecparam.c
|
|
--- openssl-3.0.1/apps/ecparam.c.fips_list_curves 2022-05-19 11:46:22.682519422 +0200
|
|
+++ openssl-3.0.1/apps/ecparam.c 2022-05-19 11:50:44.559828701 +0200
|
|
@@ -79,6 +79,9 @@ static int list_builtin_curves(BIO *out)
|
|
const char *comment = curves[n].comment;
|
|
const char *sname = OBJ_nid2sn(curves[n].nid);
|
|
|
|
+ if ((curves[n].nid == NID_secp256k1) && EVP_default_properties_is_fips_enabled(NULL))
|
|
+ continue;
|
|
+
|
|
if (comment == NULL)
|
|
comment = "CURVE DESCRIPTION NOT AVAILABLE";
|
|
if (sname == NULL)
|
|
diff -up openssl-3.0.1/ssl/ssl_ciph.c.nokrsa openssl-3.0.1/ssl/ssl_ciph.c
|
|
--- openssl-3.0.1/ssl/ssl_ciph.c.nokrsa 2022-05-19 13:32:32.536708638 +0200
|
|
+++ openssl-3.0.1/ssl/ssl_ciph.c 2022-05-19 13:42:29.734002959 +0200
|
|
@@ -356,6 +356,9 @@ int ssl_load_ciphers(SSL_CTX *ctx)
|
|
ctx->disabled_mkey_mask = 0;
|
|
ctx->disabled_auth_mask = 0;
|
|
|
|
+ if (EVP_default_properties_is_fips_enabled(ctx->libctx))
|
|
+ ctx->disabled_mkey_mask |= SSL_kRSA | SSL_kRSAPSK;
|
|
+
|
|
/*
|
|
* We ignore any errors from the fetches below. They are expected to fail
|
|
* if theose algorithms are not available.
|
|
diff -up openssl-3.0.1/providers/implementations/signature/rsa_sig.c.fipskeylen openssl-3.0.1/providers/implementations/signature/rsa_sig.c
|
|
--- openssl-3.0.1/providers/implementations/signature/rsa_sig.c.fipskeylen 2022-05-23 14:58:07.764281242 +0200
|
|
+++ openssl-3.0.1/providers/implementations/signature/rsa_sig.c 2022-05-23 15:10:29.327993616 +0200
|
|
@@ -692,6 +692,19 @@ static int rsa_verify_recover(void *vprs
|
|
{
|
|
PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
|
|
int ret;
|
|
+# ifdef FIPS_MODULE
|
|
+ size_t rsabits = RSA_bits(prsactx->rsa);
|
|
+
|
|
+ if (rsabits < 2048) {
|
|
+ if (rsabits != 1024
|
|
+ && rsabits != 1280
|
|
+ && rsabits != 1536
|
|
+ && rsabits != 1792) {
|
|
+ ERR_raise(ERR_LIB_FIPS, PROV_R_INVALID_KEY_LENGTH);
|
|
+ return 0;
|
|
+ }
|
|
+ }
|
|
+# endif
|
|
|
|
if (!ossl_prov_is_running())
|
|
return 0;
|
|
@@ -770,6 +770,19 @@ static int rsa_verify(void *vprsactx, co
|
|
{
|
|
PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
|
|
size_t rslen;
|
|
+# ifdef FIPS_MODULE
|
|
+ size_t rsabits = RSA_bits(prsactx->rsa);
|
|
+
|
|
+ if (rsabits < 2048) {
|
|
+ if (rsabits != 1024
|
|
+ && rsabits != 1280
|
|
+ && rsabits != 1536
|
|
+ && rsabits != 1792) {
|
|
+ ERR_raise(ERR_LIB_FIPS, PROV_R_INVALID_KEY_LENGTH);
|
|
+ return 0;
|
|
+ }
|
|
+ }
|
|
+# endif
|
|
|
|
if (!ossl_prov_is_running())
|
|
return 0;
|