From ad863e9fc8f3e663b6e59eecd75e374c4f3d69d4 Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Thu, 5 May 2022 17:34:49 +0200 Subject: [PATCH] OpenSSL FIPS module should not build in non-approved algorithms Resolves: rhbz#2081378 --- 0045-FIPS-services-minimize.patch | 577 ++++++++++++++++-- ...t-different-R_BITS-lengths-for-KBKDF.patch | 2 +- 0056-strcasecmp.patch | 2 +- openssl.spec | 6 +- 4 files changed, 540 insertions(+), 47 deletions(-) diff --git a/0045-FIPS-services-minimize.patch b/0045-FIPS-services-minimize.patch index 41b1646..3efbc0f 100644 --- a/0045-FIPS-services-minimize.patch +++ b/0045-FIPS-services-minimize.patch @@ -1,17 +1,29 @@ -diff -up openssl-3.0.0/providers/fips/fipsprov.c.fipsmin openssl-3.0.0/providers/fips/fipsprov.c ---- openssl-3.0.0/providers/fips/fipsprov.c.fipsmin 2022-01-12 17:17:42.574377550 +0100 -+++ openssl-3.0.0/providers/fips/fipsprov.c 2022-01-12 17:19:57.590598279 +0100 -@@ -37,6 +37,9 @@ static OSSL_FUNC_provider_query_operatio +diff -up openssl-3.0.1/providers/common/capabilities.c.fipsmin3 openssl-3.0.1/providers/common/capabilities.c +--- openssl-3.0.1/providers/common/capabilities.c.fipsmin3 2022-05-05 17:11:36.146638536 +0200 ++++ openssl-3.0.1/providers/common/capabilities.c 2022-05-05 17:12:00.138848787 +0200 +@@ -186,9 +186,9 @@ static const OSSL_PARAM param_group_list + TLS_GROUP_ENTRY("brainpoolP256r1", "brainpoolP256r1", "EC", 25), + TLS_GROUP_ENTRY("brainpoolP384r1", "brainpoolP384r1", "EC", 26), + TLS_GROUP_ENTRY("brainpoolP512r1", "brainpoolP512r1", "EC", 27), +-# endif + TLS_GROUP_ENTRY("x25519", "X25519", "X25519", 28), + TLS_GROUP_ENTRY("x448", "X448", "X448", 29), ++# endif + # endif /* OPENSSL_NO_EC */ + # ifndef OPENSSL_NO_DH + /* Security bit values for FFDHE groups are as per RFC 7919 */ +diff -up openssl-3.0.1/providers/fips/fipsprov.c.fipsmin2 openssl-3.0.1/providers/fips/fipsprov.c +--- openssl-3.0.1/providers/fips/fipsprov.c.fipsmin2 2022-05-05 11:42:58.596848856 +0200 ++++ openssl-3.0.1/providers/fips/fipsprov.c 2022-05-05 11:55:42.997562712 +0200 +@@ -54,7 +54,6 @@ static void fips_deinit_casecmp(void); #define ALGC(NAMES, FUNC, CHECK) { { NAMES, FIPS_DEFAULT_PROPERTIES, FUNC }, CHECK } #define ALG(NAMES, FUNC) ALGC(NAMES, FUNC, NULL) -+#define ALGCU(NAMES, FUNC, CHECK) { { NAMES, FIPS_UNAPPROVED_PROPERTIES, FUNC }, CHECK } -+#define ALGU(NAMES, FUNC) ALGCU(NAMES, FUNC, NULL) -+ - +- extern OSSL_FUNC_core_thread_start_fn *c_thread_start; int FIPS_security_check_enabled(OSSL_LIB_CTX *libctx); -@@ -177,13 +177,13 @@ static int fips_get_params(void *provctx + +@@ -191,13 +190,13 @@ static int fips_get_params(void *provctx &fips_prov_ossl_ctx_method); p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_NAME); @@ -28,98 +40,182 @@ diff -up openssl-3.0.0/providers/fips/fipsprov.c.fipsmin openssl-3.0.0/providers return 0; p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_STATUS); if (p != NULL && !OSSL_PARAM_set_int(p, ossl_prov_is_running())) -@@ -264,9 +267,9 @@ static const OSSL_ALGORITHM fips_digests +@@ -281,10 +280,11 @@ static const OSSL_ALGORITHM fips_digests * KECCAK-KMAC-128 and KECCAK-KMAC-256 as hashes are mostly useful for * KMAC128 and KMAC256. */ - { PROV_NAMES_KECCAK_KMAC_128, FIPS_DEFAULT_PROPERTIES, -+ { PROV_NAMES_KECCAK_KMAC_128, FIPS_UNAPPROVED_PROPERTIES, ++ /* We don't certify KECCAK in our FIPS provider */ ++ /* { PROV_NAMES_KECCAK_KMAC_128, FIPS_DEFAULT_PROPERTIES, ossl_keccak_kmac_128_functions }, -- { PROV_NAMES_KECCAK_KMAC_256, FIPS_DEFAULT_PROPERTIES, -+ { PROV_NAMES_KECCAK_KMAC_256, FIPS_UNAPPROVED_PROPERTIES, - ossl_keccak_kmac_256_functions }, + { PROV_NAMES_KECCAK_KMAC_256, FIPS_DEFAULT_PROPERTIES, +- ossl_keccak_kmac_256_functions }, ++ ossl_keccak_kmac_256_functions }, */ { NULL, NULL, NULL } }; -@@ -326,8 +329,8 @@ static const OSSL_ALGORITHM_CAPABLE fips + +@@ -343,8 +343,9 @@ static const OSSL_ALGORITHM_CAPABLE fips ALGC(PROV_NAMES_AES_256_CBC_HMAC_SHA256, ossl_aes256cbc_hmac_sha256_functions, ossl_cipher_capable_aes_cbc_hmac_sha256), #ifndef OPENSSL_NO_DES - ALG(PROV_NAMES_DES_EDE3_ECB, ossl_tdes_ede3_ecb_functions), - ALG(PROV_NAMES_DES_EDE3_CBC, ossl_tdes_ede3_cbc_functions), -+ ALGU(PROV_NAMES_DES_EDE3_ECB, ossl_tdes_ede3_ecb_functions), -+ ALGU(PROV_NAMES_DES_EDE3_CBC, ossl_tdes_ede3_cbc_functions), ++ /* We don't certify 3DES in our FIPS provider */ ++ /* ALG(PROV_NAMES_DES_EDE3_ECB, ossl_tdes_ede3_ecb_functions), ++ ALG(PROV_NAMES_DES_EDE3_CBC, ossl_tdes_ede3_cbc_functions), */ #endif /* OPENSSL_NO_DES */ { { NULL, NULL, NULL }, NULL } }; -@@ -339,8 +342,8 @@ static const OSSL_ALGORITHM fips_macs[] +@@ -356,8 +357,9 @@ static const OSSL_ALGORITHM fips_macs[] #endif { PROV_NAMES_GMAC, FIPS_DEFAULT_PROPERTIES, ossl_gmac_functions }, { PROV_NAMES_HMAC, FIPS_DEFAULT_PROPERTIES, ossl_hmac_functions }, - { PROV_NAMES_KMAC_128, FIPS_DEFAULT_PROPERTIES, ossl_kmac128_functions }, - { PROV_NAMES_KMAC_256, FIPS_DEFAULT_PROPERTIES, ossl_kmac256_functions }, -+ { PROV_NAMES_KMAC_128, FIPS_UNAPPROVED_PROPERTIES, ossl_kmac128_functions }, -+ { PROV_NAMES_KMAC_256, FIPS_UNAPPROVED_PROPERTIES, ossl_kmac256_functions }, ++ /* We don't certify KMAC in our FIPS provider */ ++ /*{ PROV_NAMES_KMAC_128, FIPS_DEFAULT_PROPERTIES, ossl_kmac128_functions }, ++ { PROV_NAMES_KMAC_256, FIPS_DEFAULT_PROPERTIES, ossl_kmac256_functions }, */ { NULL, NULL, NULL } }; -@@ -375,8 +378,8 @@ static const OSSL_ALGORITHM fips_keyexch +@@ -392,8 +394,9 @@ static const OSSL_ALGORITHM fips_keyexch #endif #ifndef OPENSSL_NO_EC { PROV_NAMES_ECDH, FIPS_DEFAULT_PROPERTIES, ossl_ecdh_keyexch_functions }, - { PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keyexch_functions }, - { PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keyexch_functions }, -+ { PROV_NAMES_X25519, FIPS_UNAPPROVED_PROPERTIES, ossl_x25519_keyexch_functions }, -+ { PROV_NAMES_X448, FIPS_UNAPPROVED_PROPERTIES, ossl_x448_keyexch_functions }, ++ /* We don't certify Edwards curves in our FIPS provider */ ++ /*{ PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keyexch_functions }, ++ { PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keyexch_functions },*/ #endif { PROV_NAMES_TLS1_PRF, FIPS_DEFAULT_PROPERTIES, ossl_kdf_tls1_prf_keyexch_functions }, -@@ -386,12 +389,12 @@ static const OSSL_ALGORITHM fips_keyexch +@@ -403,12 +406,14 @@ static const OSSL_ALGORITHM fips_keyexch static const OSSL_ALGORITHM fips_signature[] = { #ifndef OPENSSL_NO_DSA - { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_signature_functions }, -+ { PROV_NAMES_DSA, FIPS_UNAPPROVED_PROPERTIES, ossl_dsa_signature_functions }, ++ /* We don't certify DSA in our FIPS provider */ ++ /* { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_signature_functions }, */ #endif { PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_signature_functions }, #ifndef OPENSSL_NO_EC - { PROV_NAMES_ED25519, FIPS_DEFAULT_PROPERTIES, ossl_ed25519_signature_functions }, - { PROV_NAMES_ED448, FIPS_DEFAULT_PROPERTIES, ossl_ed448_signature_functions }, -+ { PROV_NAMES_ED25519, FIPS_UNAPPROVED_PROPERTIES, ossl_ed25519_signature_functions }, -+ { PROV_NAMES_ED448, FIPS_UNAPPROVED_PROPERTIES, ossl_ed448_signature_functions }, ++ /* We don't certify Edwards curves in our FIPS provider */ ++ /* { PROV_NAMES_ED25519, FIPS_DEFAULT_PROPERTIES, ossl_ed25519_signature_functions }, ++ { PROV_NAMES_ED448, FIPS_DEFAULT_PROPERTIES, ossl_ed448_signature_functions }, */ { PROV_NAMES_ECDSA, FIPS_DEFAULT_PROPERTIES, ossl_ecdsa_signature_functions }, #endif { PROV_NAMES_HMAC, FIPS_DEFAULT_PROPERTIES, -@@ -421,7 +424,7 @@ static const OSSL_ALGORITHM fips_keymgmt +@@ -438,8 +443,9 @@ static const OSSL_ALGORITHM fips_keymgmt PROV_DESCS_DHX }, #endif #ifndef OPENSSL_NO_DSA - { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_keymgmt_functions, -+ { PROV_NAMES_DSA, FIPS_UNAPPROVED_PROPERTIES, ossl_dsa_keymgmt_functions, - PROV_DESCS_DSA }, +- PROV_DESCS_DSA }, ++ /* We don't certify DSA in our FIPS provider */ ++ /* { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_keymgmt_functions, ++ PROV_DESCS_DSA }, */ #endif { PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_keymgmt_functions, -@@ -431,13 +434,13 @@ static const OSSL_ALGORITHM fips_keymgmt + PROV_DESCS_RSA }, +@@ -448,14 +454,15 @@ static const OSSL_ALGORITHM fips_keymgmt #ifndef OPENSSL_NO_EC { PROV_NAMES_EC, FIPS_DEFAULT_PROPERTIES, ossl_ec_keymgmt_functions, PROV_DESCS_EC }, - { PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keymgmt_functions, -+ { PROV_NAMES_X25519, FIPS_UNAPPROVED_PROPERTIES, ossl_x25519_keymgmt_functions, ++ /* We don't certify Edwards curves in our FIPS provider */ ++ /* { PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keymgmt_functions, PROV_DESCS_X25519 }, -- { PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keymgmt_functions, -+ { PROV_NAMES_X448, FIPS_UNAPPROVED_PROPERTIES, ossl_x448_keymgmt_functions, + { PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keymgmt_functions, PROV_DESCS_X448 }, -- { PROV_NAMES_ED25519, FIPS_DEFAULT_PROPERTIES, ossl_ed25519_keymgmt_functions, -+ { PROV_NAMES_ED25519, FIPS_UNAPPROVED_PROPERTIES, ossl_ed25519_keymgmt_functions, + { PROV_NAMES_ED25519, FIPS_DEFAULT_PROPERTIES, ossl_ed25519_keymgmt_functions, PROV_DESCS_ED25519 }, -- { PROV_NAMES_ED448, FIPS_DEFAULT_PROPERTIES, ossl_ed448_keymgmt_functions, -+ { PROV_NAMES_ED448, FIPS_UNAPPROVED_PROPERTIES, ossl_ed448_keymgmt_functions, - PROV_DESCS_ED448 }, + { PROV_NAMES_ED448, FIPS_DEFAULT_PROPERTIES, ossl_ed448_keymgmt_functions, +- PROV_DESCS_ED448 }, ++ PROV_DESCS_ED448 }, */ #endif { PROV_NAMES_TLS1_PRF, FIPS_DEFAULT_PROPERTIES, ossl_kdf_keymgmt_functions, -diff -up openssl-3.0.0/test/acvp_test.c.fipsmin openssl-3.0.0/test/acvp_test.c ---- openssl-3.0.0/test/acvp_test.c.fipsmin 2022-01-12 18:34:17.283654119 +0100 -+++ openssl-3.0.0/test/acvp_test.c 2022-01-12 18:35:46.270430676 +0100 -@@ -1473,6 +1473,7 @@ int setup_tests(void) + PROV_DESCS_TLS1_PRF_SIGN }, +diff -up openssl-3.0.1/providers/fips/self_test_data.inc.fipsmin3 openssl-3.0.1/providers/fips/self_test_data.inc +--- openssl-3.0.1/providers/fips/self_test_data.inc.fipsmin3 2022-05-05 12:36:32.335069046 +0200 ++++ openssl-3.0.1/providers/fips/self_test_data.inc 2022-05-05 12:40:02.427966128 +0200 +@@ -171,6 +171,7 @@ static const ST_KAT_DIGEST st_kat_digest + /*- CIPHER TEST DATA */ + + /* DES3 test data */ ++#if 0 + static const unsigned char des_ede3_cbc_pt[] = { + 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96, + 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A, +@@ -191,7 +192,7 @@ static const unsigned char des_ede3_cbc_ + 0x51, 0x65, 0x70, 0x48, 0x1F, 0x25, 0xB5, 0x0F, + 0x73, 0xC0, 0xBD, 0xA8, 0x5C, 0x8E, 0x0D, 0xA7 + }; +- ++#endif + /* AES-256 GCM test data */ + static const unsigned char aes_256_gcm_key[] = { + 0x92, 0xe1, 0x1d, 0xcd, 0xaa, 0x86, 0x6f, 0x5c, +@@ -235,6 +236,7 @@ static const unsigned char aes_128_ecb_c + }; + + static const ST_KAT_CIPHER st_kat_cipher_tests[] = { ++#if 0 + #ifndef OPENSSL_NO_DES + { + { +@@ -248,6 +250,7 @@ static const ST_KAT_CIPHER st_kat_cipher + ITM(des_ede3_cbc_iv), + }, + #endif ++#endif + { + { + OSSL_SELF_TEST_DESC_CIPHER_AES_GCM, +@@ -1424,8 +1427,9 @@ static const ST_KAT_PARAM ecdsa_bin_key[ + # endif /* OPENSSL_NO_EC2M */ + #endif /* OPENSSL_NO_EC */ + +-#ifndef OPENSSL_NO_DSA + /* dsa 2048 */ ++#if 0 ++#ifndef OPENSSL_NO_DSA + static const unsigned char dsa_p[] = { + 0xa2, 0x9b, 0x88, 0x72, 0xce, 0x8b, 0x84, 0x23, + 0xb7, 0xd5, 0xd2, 0x1d, 0x4b, 0x02, 0xf5, 0x7e, +@@ -1549,8 +1553,8 @@ static const ST_KAT_PARAM dsa_key[] = { + ST_KAT_PARAM_BIGNUM(OSSL_PKEY_PARAM_PRIV_KEY, dsa_priv), + ST_KAT_PARAM_END() + }; +-#endif /* OPENSSL_NO_DSA */ +- ++#endif ++#endif + static const ST_KAT_SIGN st_kat_sign_tests[] = { + { + OSSL_SELF_TEST_DESC_SIGN_RSA, +@@ -1583,6 +1587,7 @@ static const ST_KAT_SIGN st_kat_sign_tes + }, + # endif + #endif /* OPENSSL_NO_EC */ ++#if 0 + #ifndef OPENSSL_NO_DSA + { + OSSL_SELF_TEST_DESC_SIGN_DSA, +@@ -1595,6 +1600,7 @@ static const ST_KAT_SIGN st_kat_sign_tes + */ + }, + #endif /* OPENSSL_NO_DSA */ ++#endif + }; + + static const ST_KAT_ASYM_CIPHER st_kat_asym_cipher_tests[] = { +diff -up openssl-3.0.1/test/acvp_test.c.fipsmin2 openssl-3.0.1/test/acvp_test.c +--- openssl-3.0.1/test/acvp_test.c.fipsmin2 2022-05-05 11:42:58.597848865 +0200 ++++ openssl-3.0.1/test/acvp_test.c 2022-05-05 11:43:30.141126336 +0200 +@@ -1476,6 +1476,7 @@ int setup_tests(void) OSSL_NELEM(dh_safe_prime_keyver_data)); #endif /* OPENSSL_NO_DH */ @@ -127,7 +223,7 @@ diff -up openssl-3.0.0/test/acvp_test.c.fipsmin openssl-3.0.0/test/acvp_test.c #ifndef OPENSSL_NO_DSA ADD_ALL_TESTS(dsa_keygen_test, OSSL_NELEM(dsa_keygen_data)); ADD_ALL_TESTS(dsa_paramgen_test, OSSL_NELEM(dsa_paramgen_data)); -@@ -1480,6 +1481,7 @@ int setup_tests(void) +@@ -1483,6 +1484,7 @@ int setup_tests(void) ADD_ALL_TESTS(dsa_siggen_test, OSSL_NELEM(dsa_siggen_data)); ADD_ALL_TESTS(dsa_sigver_test, OSSL_NELEM(dsa_sigver_data)); #endif /* OPENSSL_NO_DSA */ @@ -135,3 +231,396 @@ diff -up openssl-3.0.0/test/acvp_test.c.fipsmin openssl-3.0.0/test/acvp_test.c #ifndef OPENSSL_NO_EC ADD_ALL_TESTS(ecdsa_keygen_test, OSSL_NELEM(ecdsa_keygen_data)); +diff -up openssl-3.0.1/test/evp_libctx_test.c.fipsmin3 openssl-3.0.1/test/evp_libctx_test.c +--- openssl-3.0.1/test/evp_libctx_test.c.fipsmin3 2022-05-05 14:18:46.370911817 +0200 ++++ openssl-3.0.1/test/evp_libctx_test.c 2022-05-05 14:30:02.117911993 +0200 +@@ -21,6 +21,7 @@ + */ + #include "internal/deprecated.h" + #include ++#include + #include + #include + #include +@@ -725,8 +726,10 @@ int setup_tests(void) + if (!test_get_libctx(&libctx, &nullprov, config_file, &libprov, prov_name)) + return 0; + + #if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_DH) +- ADD_ALL_TESTS(test_dsa_param_keygen, 3 * 3 * 3); ++ if (strcmp(prov_name, "fips") != 0) { ++ ADD_ALL_TESTS(test_dsa_param_keygen, 3 * 3 * 3); ++ } + #endif + #ifndef OPENSSL_NO_DH + ADD_ALL_TESTS(test_dh_safeprime_param_keygen, 3 * 3 * 3); +@@ -746,7 +750,9 @@ int setup_tests(void) + ADD_TEST(kem_invalid_keytype); + #endif + #ifndef OPENSSL_NO_DES +- ADD_TEST(test_cipher_tdes_randkey); ++ if (strcmp(prov_name, "fips") != 0) { ++ ADD_TEST(test_cipher_tdes_randkey); ++ } + #endif + return 1; + } +diff -up openssl-3.0.1/test/recipes/15-test_gendsa.t.fipsmin3 openssl-3.0.1/test/recipes/15-test_gendsa.t +--- openssl-3.0.1/test/recipes/15-test_gendsa.t.fipsmin3 2022-05-05 13:46:00.631590335 +0200 ++++ openssl-3.0.1/test/recipes/15-test_gendsa.t 2022-05-05 13:46:06.999644496 +0200 +@@ -24,7 +24,7 @@ use lib bldtop_dir('.'); + plan skip_all => "This test is unsupported in a no-dsa build" + if disabled("dsa"); + +-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0); ++my $no_fips = 1; + + plan tests => + ($no_fips ? 0 : 2) # FIPS related tests +diff -up openssl-3.0.1/test/recipes/20-test_cli_fips.t.fipsmin3 openssl-3.0.1/test/recipes/20-test_cli_fips.t +--- openssl-3.0.1/test/recipes/20-test_cli_fips.t.fipsmin3 2022-05-05 13:47:55.217564900 +0200 ++++ openssl-3.0.1/test/recipes/20-test_cli_fips.t 2022-05-05 13:48:02.824629600 +0200 +@@ -207,8 +207,7 @@ SKIP: { + } + + SKIP : { +- skip "FIPS DSA tests because of no dsa in this build", 1 +- if disabled("dsa"); ++ skip "FIPS DSA tests because of no dsa in this build", 1; + + subtest DSA => sub { + my $testtext_prefix = 'DSA'; +diff -up openssl-3.0.1/test/recipes/80-test_cms.t.fipsmin3 openssl-3.0.1/test/recipes/80-test_cms.t +--- openssl-3.0.1/test/recipes/80-test_cms.t.fipsmin3 2022-05-05 13:55:05.257292637 +0200 ++++ openssl-3.0.1/test/recipes/80-test_cms.t 2022-05-05 13:58:35.307150750 +0200 +@@ -95,7 +95,7 @@ my @smime_pkcs7_tests = ( + \&final_compare + ], + +- [ "signed content DER format, DSA key", ++ [ "signed content DER format, DSA key, no Red Hat FIPS", + [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", "-nodetach", + "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ], + [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER", +@@ -103,7 +103,7 @@ my @smime_pkcs7_tests = ( + \&final_compare + ], + +- [ "signed detached content DER format, DSA key", ++ [ "signed detached content DER format, DSA key, no Red Hat FIPS", + [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", + "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ], + [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER", +@@ -112,7 +112,7 @@ my @smime_pkcs7_tests = ( + \&final_compare + ], + +- [ "signed detached content DER format, add RSA signer (with DSA existing)", ++ [ "signed detached content DER format, add RSA signer (with DSA existing), no Red Hat FIPS", + [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", + "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ], + [ "{cmd1}", @prov, "-resign", "-in", "{output}.cms", "-inform", "DER", "-outform", "DER", +@@ -123,7 +123,7 @@ my @smime_pkcs7_tests = ( + \&final_compare + ], + +- [ "signed content test streaming BER format, DSA key", ++ [ "signed content test streaming BER format, DSA key, no Red Hat FIPS", + [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", + "-nodetach", "-stream", + "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ], +@@ -132,7 +132,7 @@ my @smime_pkcs7_tests = ( + \&final_compare + ], + +- [ "signed content test streaming BER format, 2 DSA and 2 RSA keys", ++ [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no Red Hat FIPS", + [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", + "-nodetach", "-stream", + "-signer", $smrsa1, +@@ -145,7 +145,7 @@ my @smime_pkcs7_tests = ( + \&final_compare + ], + +- [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes", ++ [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes, no Red Hat FIPS", + [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", + "-noattr", "-nodetach", "-stream", + "-signer", $smrsa1, +@@ -175,7 +175,7 @@ my @smime_pkcs7_tests = ( + \&zero_compare + ], + +- [ "signed content test streaming S/MIME format, 2 DSA and 2 RSA keys", ++ [ "signed content test streaming S/MIME format, 2 DSA and 2 RSA keys, no Red Hat FIPS", + [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-nodetach", + "-signer", $smrsa1, + "-signer", catfile($smdir, "smrsa2.pem"), +@@ -187,7 +187,7 @@ my @smime_pkcs7_tests = ( + \&final_compare + ], + +- [ "signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys", ++ [ "signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys, no Red Hat FIPS", + [ "{cmd1}", @prov, "-sign", "-in", $smcont, + "-signer", $smrsa1, + "-signer", catfile($smdir, "smrsa2.pem"), +@@ -247,7 +247,7 @@ my @smime_pkcs7_tests = ( + + my @smime_cms_tests = ( + +- [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, keyid", ++ [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, keyid, no Red Hat FIPS", + [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", + "-nodetach", "-keyid", + "-signer", $smrsa1, +@@ -260,7 +260,7 @@ my @smime_cms_tests = ( + \&final_compare + ], + +- [ "signed content test streaming PEM format, 2 DSA and 2 RSA keys", ++ [ "signed content test streaming PEM format, 2 DSA and 2 RSA keys, no Red Hat FIPS", + [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach", + "-signer", $smrsa1, + "-signer", catfile($smdir, "smrsa2.pem"), +@@ -370,7 +370,7 @@ my @smime_cms_tests = ( + \&final_compare + ], + +- [ "encrypted content test streaming PEM format, triple DES key", ++ [ "encrypted content test streaming PEM format, triple DES key, no Red Hat FIPS", + [ "{cmd1}", @prov, "-EncryptedData_encrypt", "-in", $smcont, "-outform", "PEM", + "-des3", "-secretkey", "000102030405060708090A0B0C0D0E0F1011121314151617", + "-stream", "-out", "{output}.cms" ], +diff -up openssl-3.0.1/test/recipes/30-test_evp.t.fipsmin3 openssl-3.0.1/test/recipes/30-test_evp.t +--- openssl-3.0.1/test/recipes/30-test_evp.t.fipsmin3 2022-05-05 14:43:04.276857033 +0200 ++++ openssl-3.0.1/test/recipes/30-test_evp.t 2022-05-05 14:43:35.975138234 +0200 +@@ -43,7 +43,6 @@ my @files = qw( + evpciph_aes_cts.txt + evpciph_aes_wrap.txt + evpciph_aes_stitched.txt +- evpciph_des3_common.txt + evpkdf_hkdf.txt + evpkdf_pbkdf1.txt + evpkdf_pbkdf2.txt +@@ -66,12 +65,6 @@ push @files, qw( + evppkey_dh.txt + ) unless $no_dh; + push @files, qw( +- evpkdf_x942_des.txt +- evpmac_cmac_des.txt +- ) unless $no_des; +-push @files, qw(evppkey_dsa.txt) unless $no_dsa; +-push @files, qw(evppkey_ecx.txt) unless $no_ec; +-push @files, qw( + evppkey_ecc.txt + evppkey_ecdh.txt + evppkey_ecdsa.txt +@@ -91,6 +84,7 @@ my @defltfiles = qw( + evpciph_cast5.txt + evpciph_chacha.txt + evpciph_des.txt ++ evpciph_des3_common.txt + evpciph_idea.txt + evpciph_rc2.txt + evpciph_rc4.txt +@@ -117,6 +111,12 @@ my @defltfiles = qw( + evppkey_kdf_tls1_prf.txt + evppkey_rsa.txt + ); ++push @defltfiles, qw(evppkey_dsa.txt) unless $no_dsa; ++push @defltfiles, qw(evppkey_ecx.txt) unless $no_ec; ++push @defltfiles, qw( ++ evpkdf_x942_des.txt ++ evpmac_cmac_des.txt ++ ) unless $no_des; + push @defltfiles, qw(evppkey_sm2.txt) unless $no_sm2; + + plan tests => +diff -up openssl-3.0.1/test/recipes/30-test_evp_data/evpmac_common.txt.fipsmin3 openssl-3.0.1/test/recipes/30-test_evp_data/evpmac_common.txt +--- openssl-3.0.1/test/recipes/30-test_evp_data/evpmac_common.txt.fipsmin3 2022-05-05 14:46:32.721700697 +0200 ++++ openssl-3.0.1/test/recipes/30-test_evp_data/evpmac_common.txt 2022-05-05 14:51:40.205418897 +0200 +@@ -328,6 +328,7 @@ Input = 68F2E77696CE7AE8E2CA4EC588E54100 + Output = 00BDA1B7E87608BCBF470F12157F4C07 + + ++Availablein = default + Title = KMAC Tests (From NIST) + MAC = KMAC128 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F +@@ -338,12 +339,14 @@ Ctrl = xof:0 + OutputSize = 32 + BlockSize = 168 + ++Availablein = default + MAC = KMAC128 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 00010203 + Custom = "My Tagged Application" + Output = 3B1FBA963CD8B0B59E8C1A6D71888B7143651AF8BA0A7070C0979E2811324AA5 + ++Availablein = default + MAC = KMAC128 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 +@@ -351,6 +354,7 @@ Custom = "My Tagged Application" + Output = 1F5B4E6CCA02209E0DCB5CA635B89A15E271ECC760071DFD805FAA38F9729230 + Ctrl = size:32 + ++Availablein = default + MAC = KMAC256 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 00010203 +@@ -359,12 +363,14 @@ Output = 20C570C31346F703C9AC36C61C03CB6 + OutputSize = 64 + BlockSize = 136 + ++Availablein = default + MAC = KMAC256 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 + Custom = "" + Output = 75358CF39E41494E949707927CEE0AF20A3FF553904C86B08F21CC414BCFD691589D27CF5E15369CBBFF8B9A4C2EB17800855D0235FF635DA82533EC6B759B69 + ++Availablein = default + MAC = KMAC256 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 +@@ -374,12 +380,14 @@ Ctrl = size:64 + + Title = KMAC XOF Tests (From NIST) + ++Availablein = default + MAC = KMAC128 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 00010203 + Output = CD83740BBD92CCC8CF032B1481A0F4460E7CA9DD12B08A0C4031178BACD6EC35 + XOF = 1 + ++Availablein = default + MAC = KMAC128 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 00010203 +@@ -387,6 +395,7 @@ Custom = "My Tagged Application" + Output = 31A44527B4ED9F5C6101D11DE6D26F0620AA5C341DEF41299657FE9DF1A3B16C + XOF = 1 + ++Availablein = default + MAC = KMAC128 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 +@@ -395,6 +404,7 @@ Output = 47026C7CD793084AA0283C253EF6584 + XOF = 1 + Ctrl = size:32 + ++Availablein = default + MAC = KMAC256 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 00010203 +@@ -402,6 +412,7 @@ Custom = "My Tagged Application" + Output = 1755133F1534752AAD0748F2C706FB5C784512CAB835CD15676B16C0C6647FA96FAA7AF634A0BF8FF6DF39374FA00FAD9A39E322A7C92065A64EB1FB0801EB2B + XOF = 1 + ++Availablein = default + MAC = KMAC256 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 +@@ -409,6 +420,7 @@ Custom = "" + Output = FF7B171F1E8A2B24683EED37830EE797538BA8DC563F6DA1E667391A75EDC02CA633079F81CE12A25F45615EC89972031D18337331D24CEB8F8CA8E6A19FD98B + XOF = 1 + ++Availablein = default + MAC = KMAC256 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 +@@ -419,6 +431,7 @@ XOF = 1 + + Title = KMAC long customisation string (from NIST ACVP) + ++Availablein = default + MAC = KMAC256 + Key = 9743DBF93102FAF11227B154B8ACD16CF142671F7AA16C559A393A38B4CEF461ED29A6A328D7379C99718790E38B54CA25E9E831CBEA463EE704D1689F94629AB795DF0C77F756DA743309C0E054596BA2D9CC1768ACF7CD351D9A7EB1ABD0A3 + Input = BA63AC9C711F143CCE7FF92D0322649D1BE437D805FD225C0A2879A008373EC3BCCDB09971FAD2BCE5F4347AF7E5238EF01A90ED34193D6AFC1D +@@ -429,12 +442,14 @@ XOF = 1 + + Title = KMAC XOF Tests via ctrl (From NIST) + ++Availablein = default + MAC = KMAC128 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 00010203 + Output = CD83740BBD92CCC8CF032B1481A0F4460E7CA9DD12B08A0C4031178BACD6EC35 + Ctrl = xof:1 + ++Availablein = default + MAC = KMAC128 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 00010203 +@@ -442,6 +457,7 @@ Custom = "My Tagged Application" + Output = 31A44527B4ED9F5C6101D11DE6D26F0620AA5C341DEF41299657FE9DF1A3B16C + Ctrl = xof:1 + ++Availablein = default + MAC = KMAC128 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 +@@ -450,6 +466,7 @@ Output = 47026C7CD793084AA0283C253EF6584 + Ctrl = xof:1 + Ctrl = size:32 + ++Availablein = default + MAC = KMAC256 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 00010203 +@@ -457,6 +474,7 @@ Custom = "My Tagged Application" + Output = 1755133F1534752AAD0748F2C706FB5C784512CAB835CD15676B16C0C6647FA96FAA7AF634A0BF8FF6DF39374FA00FAD9A39E322A7C92065A64EB1FB0801EB2B + Ctrl = xof:1 + ++Availablein = default + MAC = KMAC256 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 +@@ -464,6 +482,7 @@ Custom = "" + Output = FF7B171F1E8A2B24683EED37830EE797538BA8DC563F6DA1E667391A75EDC02CA633079F81CE12A25F45615EC89972031D18337331D24CEB8F8CA8E6A19FD98B + Ctrl = xof:1 + ++Availablein = default + MAC = KMAC256 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 +@@ -474,6 +493,7 @@ Ctrl = xof:1 + + Title = KMAC long customisation string via ctrl (from NIST ACVP) + ++Availablein = default + MAC = KMAC256 + Key = 9743DBF93102FAF11227B154B8ACD16CF142671F7AA16C559A393A38B4CEF461ED29A6A328D7379C99718790E38B54CA25E9E831CBEA463EE704D1689F94629AB795DF0C77F756DA743309C0E054596BA2D9CC1768ACF7CD351D9A7EB1ABD0A3 + Input = BA63AC9C711F143CCE7FF92D0322649D1BE437D805FD225C0A2879A008373EC3BCCDB09971FAD2BCE5F4347AF7E5238EF01A90ED34193D6AFC1D +@@ -484,6 +504,7 @@ Ctrl = xof:1 + + Title = KMAC long customisation string negative test + ++Availablein = default + MAC = KMAC128 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 +@@ -492,6 +513,7 @@ Result = MAC_INIT_ERROR + + Title = KMAC output is too large + ++Availablein = default + MAC = KMAC256 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 +diff -up openssl-3.0.1/test/recipes/80-test_ssl_old.t.fipsmin3 openssl-3.0.1/test/recipes/80-test_ssl_old.t +--- openssl-3.0.1/test/recipes/80-test_ssl_old.t.fipsmin3 2022-05-05 16:02:59.745500635 +0200 ++++ openssl-3.0.1/test/recipes/80-test_ssl_old.t 2022-05-05 16:10:24.071348890 +0200 +@@ -426,7 +426,7 @@ sub testssl { + my @exkeys = (); + my $ciphers = '-PSK:-SRP:@SECLEVEL=0'; + +- if (!$no_dsa) { ++ if (!$no_dsa && $provider ne "fips") { + push @exkeys, "-s_cert", "certD.ss", "-s_key", $Dkey; + } + diff --git a/0051-Support-different-R_BITS-lengths-for-KBKDF.patch b/0051-Support-different-R_BITS-lengths-for-KBKDF.patch index eb8b5e3..c240628 100644 --- a/0051-Support-different-R_BITS-lengths-for-KBKDF.patch +++ b/0051-Support-different-R_BITS-lengths-for-KBKDF.patch @@ -293,8 +293,8 @@ index 7ae546e1d70c..7b976c0a1b5e 100644 --- a/test/recipes/30-test_evp.t +++ b/test/recipes/30-test_evp.t @@ -45,6 +45,7 @@ my @files = qw( + evpciph_aes_wrap.txt evpciph_aes_stitched.txt - evpciph_des3_common.txt evpkdf_hkdf.txt + evpkdf_kbkdf_counter.txt evpkdf_pbkdf1.txt diff --git a/0056-strcasecmp.patch b/0056-strcasecmp.patch index 2bbb995..ed30b2e 100644 --- a/0056-strcasecmp.patch +++ b/0056-strcasecmp.patch @@ -1427,7 +1427,7 @@ index f4605dcd6ce5..fc17a958ce26 100644 + #define ALGC(NAMES, FUNC, CHECK) { { NAMES, FIPS_DEFAULT_PROPERTIES, FUNC }, CHECK } #define ALG(NAMES, FUNC) ALGC(NAMES, FUNC, NULL) - #define ALGCU(NAMES, FUNC, CHECK) { { NAMES, FIPS_UNAPPROVED_PROPERTIES, FUNC }, CHECK } + extern OSSL_FUNC_core_thread_start_fn *c_thread_start; @@ -486,6 +503,23 @@ static const OSSL_ALGORITHM *fips_query(void *provctx, int operation_id, return NULL; } diff --git a/openssl.spec b/openssl.spec index 275a680..723ac94 100644 --- a/openssl.spec +++ b/openssl.spec @@ -15,7 +15,7 @@ Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 3.0.1 -Release: 25%{?dist} +Release: 26%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. @@ -426,6 +426,10 @@ install -m644 %{SOURCE9} \ %ldconfig_scriptlets libs %changelog +* Thu May 05 2022 Dmitry Belyavskiy - 1:3.0.1-26 +- OpenSSL FIPS module should not build in non-approved algorithms +- Resolves: rhbz#2081378 + * Mon May 02 2022 Dmitry Belyavskiy - 1:3.0.1-25 - FIPS provider should block RSA encryption for key transport. - Other RSA encryption options should still be available