For DH parameter and key pair generation/verification, the DSA
procedures specified in FIPS 186-4 are used. With the release of FIPS
186-5 and the removal of DSA, the approved status of these groups is in
peril. Once the transition for DSA ends (this transition will be 1 year
long and start once CMVP has published the guidance), no more
submissions claiming DSA will be allowed. Hence, FIPS 186-type
parameters will also be automatically non-approved.

Previously, we had addressed this by completely disabling the DHX key
type in the OpenSSL FIPS provider, but the default encoding for DHX-type
keys is X9.42 DH, which is used, for example, by Kerberos.

Re-enable DHX-type keys in the FIPS provider, but disable import and
validation of any DH parameters that are not well-known groups, and
remove DH parameter generation completely.

Adjust tests to use well-known groups or larger DH groups where this
change would now cause failures, and skip tests that are expected to
fail due to this change.

Signed-off-by: Clemens Lang <cllang@redhat.com>
Resolves: rhbz#2169757
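The commit above limits the FIPS provider to well-known DH groups and rejects custom parameters. As an added example, not code from this commit or from OpenSSL, the Python script below rebuilds the RFC 3526 MODP and RFC 7919 FFDHE primes for the 2048, 3072 and 4096-bit sizes from their defining formulas (the pi-based and e-based constructions with the additive constants given in those RFCs), checks that each rebuilt value is a safe prime of the stated size, reads and writes PKCS#3 `DH PARAMETERS` PEM, and reports whether a parameter set is one of those groups or custom parameters of the kind the patched provider no longer imports or validates. The group names follow OpenSSL's `-pkeyopt group:<name>` spelling; the DER codec, the helper names and the sample custom parameters (p=23, g=5) are constructed for this example, and which other named groups the provider keeps accepting is not stated in the commit message, so the table covers only these two families.

```python
import base64

def _fixed_pi(prec):  # pi scaled by 2**prec, Machin's formula in integer fixed point
    def arctan_inv(x):
        total = term = (1 << prec) // x
        k, sign = 1, -1
        while term:
            term //= x * x
            total += sign * (term // (2 * k + 1))
            k, sign = k + 1, -sign
        return total
    return 16 * arctan_inv(5) - 4 * arctan_inv(239)

def _fixed_e(prec):  # e scaled by 2**prec, via the series sum(1/k!)
    total = term = 1 << prec
    k = 1
    while term:
        term //= k
        total += term
        k += 1
    return total

# p = 2^n - 2^(n-64) - 1 + 2^64 * (floor(2^(n-130) * const) + c), with c from the RFC.
# Names follow OpenSSL's "-pkeyopt group:<name>" spelling; 6144/8192-bit groups omitted.
_GROUP_SPECS = {
    "modp_2048": (2048, "pi", 124476),
    "modp_3072": (3072, "pi", 1690314),
    "modp_4096": (4096, "pi", 240904),
    "ffdhe2048": (2048, "e", 560316),
    "ffdhe3072": (3072, "e", 2625351),
    "ffdhe4096": (4096, "e", 5736041),
}

def _build_groups():
    prec = 4096 + 64  # bits of pi/e needed for the largest group, plus guard bits
    consts = {"pi": _fixed_pi(prec), "e": _fixed_e(prec)}
    groups = {}
    for name, (n, const, c) in _GROUP_SPECS.items():
        middle = consts[const] >> (prec - (n - 130))  # floor(2^(n-130) * const)
        groups[name] = ((1 << n) - (1 << (n - 64)) - 1 + (1 << 64) * (middle + c), 2)
    return groups  # (p, g); every one of these groups uses generator 2
WELL_KNOWN_GROUPS = _build_groups()

def is_probable_prime(n, bases=(2, 3)):
    """Miller-Rabin with fixed bases, for odd n > 3; enough to sanity-check the table."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def verify_group_table():
    """Names of entries that are not safe primes of the stated size (expected: [])."""
    return [name for name, (p, _g) in WELL_KNOWN_GROUPS.items()
            if p.bit_length() != _GROUP_SPECS[name][0]
            or not (is_probable_prime(p) and is_probable_prime((p - 1) // 2))]

def _der_tlv(tag, body):  # one DER element; long-form length from 128 bytes upward
    n = len(body)
    nb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(nb) if nb else n]) + nb + body

def encode_dh_params(p, g):
    """PKCS#3 'DH PARAMETERS' PEM block: SEQUENCE { INTEGER p, INTEGER g }."""
    ints = b"".join(_der_tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big")) for v in (p, g))
    b64 = base64.b64encode(_der_tlv(0x30, ints)).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN DH PARAMETERS-----\n%s\n-----END DH PARAMETERS-----\n" % lines

def _der_read(buf, pos):
    """Decode one DER element at buf[pos] -> (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    nlen = 0 if first < 0x80 else first & 0x7F
    length = first if nlen == 0 else int.from_bytes(buf[pos + 2:pos + 2 + nlen], "big")
    pos += 2 + nlen
    return tag, buf[pos:pos + length], pos + length

def parse_dh_params(pem):
    """Read (p, g) back from a PKCS#3 'DH PARAMETERS' PEM block."""
    der = base64.b64decode("".join(ln for ln in pem.splitlines() if not ln.startswith("-----")))
    tag, seq, _ = _der_read(der, 0)
    tag_p, p, pos = _der_read(seq, 0)
    tag_g, g, _ = _der_read(seq, pos)
    if (tag, tag_p, tag_g) != (0x30, 0x02, 0x02):
        raise ValueError("expected SEQUENCE { INTEGER p, INTEGER g }")
    return int.from_bytes(p, "big"), int.from_bytes(g, "big")

def classify_dh_params(p, g):
    """Well-known group name for (p, g), or None for custom parameters the FIPS provider now refuses."""
    return next((name for name, grp in WELL_KNOWN_GROUPS.items() if grp == (p, g)), None)
```

Call `verify_group_table()` first: an empty list means every rebuilt prime is a safe prime of its stated size and the table can be trusted. A parameter file whose (p, g) classifies as `None` is exactly what an operator should expect this provider to refuse; regenerating the key with a named group (for example `openssl genpkey -algorithm DH -pkeyopt group:ffdhe2048`) is the fix.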