diff -up openssl-3.0.7/providers/fips/fipsprov.c.nodhx openssl-3.0.7/providers/fips/fipsprov.c
--- openssl-3.0.7/providers/fips/fipsprov.c.nodhx 2023-03-09 13:02:21.621694715 +0100
+++ openssl-3.0.7/providers/fips/fipsprov.c 2023-03-09 13:02:34.001791831 +0100
@@ -486,8 +486,8 @@ static const OSSL_ALGORITHM fips_keymgmt
 #ifndef OPENSSL_NO_DH
 { PROV_NAMES_DH, FIPS_DEFAULT_PROPERTIES, ossl_dh_keymgmt_functions,
 PROV_DESCS_DH },
- { PROV_NAMES_DHX, FIPS_DEFAULT_PROPERTIES, ossl_dhx_keymgmt_functions,
- PROV_DESCS_DHX },
+/* { PROV_NAMES_DHX, FIPS_DEFAULT_PROPERTIES, ossl_dhx_keymgmt_functions,
+ PROV_DESCS_DHX }, */
 #endif
 #ifndef OPENSSL_NO_DSA
 /* We don't certify DSA in our FIPS provider */
diff -up openssl-3.0.7/test/endecode_test.c.nodhx openssl-3.0.7/test/endecode_test.c
--- openssl-3.0.7/test/endecode_test.c.nodhx 2023-03-09 13:39:10.826000162 +0100
+++ openssl-3.0.7/test/endecode_test.c 2023-03-09 13:41:26.533073598 +0100
@@ -1356,7 +1358,9 @@ int setup_tests(void)
 #ifndef OPENSSL_NO_DH
 TEST_info("Generating DH keys...");
 MAKE_DOMAIN_KEYS(DH, "DH", NULL);
+if (is_fips == 0) {
 MAKE_DOMAIN_KEYS(DHX, "X9.42 DH", NULL);
+}
 #endif
 #ifndef OPENSSL_NO_DSA
 TEST_info("Generating DSA keys...");
@@ -1386,8 +1390,10 @@ int setup_tests(void)
 #ifndef OPENSSL_NO_DH
 ADD_TEST_SUITE(DH);
 ADD_TEST_SUITE_PARAMS(DH);
+if (is_fips == 0) {
 ADD_TEST_SUITE(DHX);
 ADD_TEST_SUITE_PARAMS(DHX);
+}
 /*
 * DH has no support for PEM_write_bio_PrivateKey_traditional(),
 * so no legacy tests.
@@ -1465,7 +1471,9 @@ void cleanup_tests(void)
 #ifndef OPENSSL_NO_DH
 FREE_DOMAIN_KEYS(DH);
+if (is_fips == 0) {
 FREE_DOMAIN_KEYS(DHX);
+}
 #endif
 #ifndef OPENSSL_NO_DSA
 FREE_DOMAIN_KEYS(DSA);
diff -up openssl-3.0.7/test/recipes/80-test_cms.t.nodhx openssl-3.0.7/test/recipes/80-test_cms.t
--- openssl-3.0.7/test/recipes/80-test_cms.t.nodhx 2023-03-09 13:31:36.851432859 +0100
+++ openssl-3.0.7/test/recipes/80-test_cms.t 2023-03-09 13:32:35.987888417 +0100
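Review bot: The DHX entry in the fips_keymgmt table is disabled by wrapping it in `/* … */` with no reason given, whereas the DSA block directly below carries `/* We don't certify DSA in our FIPS provider */`. A one-line comment above the commented-out entry, for example `/* DHX (X9.42 DH) keymgmt is not offered by this FIPS provider build */`, would tell whoever next rebases this patch that the omission is deliberate policy and not leftover debugging. The table definition starts and ends outside the hunk.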
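Review bot: The three `if (is_fips == 0)` guards only skip DHX when the FIPS provider is under test, and nothing in these hunks asserts that DHX is actually refused there. They sit at the X9.42 key generation in setup_tests, at `ADD_TEST_SUITE(DHX)` further down, and at `FREE_DOMAIN_KEYS(DHX)` in cleanup_tests. A negative case that attempts X9.42 DH key generation when `is_fips` is set and expects failure would turn the restriction into a tested property, so a later rebase that re-enables the keymgmt entry would be caught. On style, the guards are written at column 0 and the guarded statements appear not to be re-indented, which hides the conditional scope; `is_fips` itself is declared outside the hunks.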
@@ -869,6 +869,8 @@ sub check_availability {
 if ($no_ec2m && $tnam =~ /K-283/);
 return "$tnam: skipped, DH disabled\n"
 if ($no_dh && $tnam =~ /X9\.42/);
+ return "$tnam: skipped, DHX disabled in RHEL\n"
+ if ($provname eq 'fips' && $tnam =~ /X9\.42/);
 return "$tnam: skipped, RC2 disabled\n"
 if ($no_rc2 && $tnam =~ /RC2/);
 return "$tnam: skipped, DES disabled\n"
diff -up openssl-3.0.7/providers/implementations/exchange/dh_exch.c.nodhx openssl-3.0.7/providers/implementations/exchange/dh_exch.c
--- openssl-3.0.7/providers/implementations/exchange/dh_exch.c.nodhx 2023-03-09 16:33:07.092040809 +0100
+++ openssl-3.0.7/providers/implementations/exchange/dh_exch.c 2023-03-09 16:42:30.594837565 +0100
@@ -102,6 +102,11 @@ static int dh_init(void *vpdhctx, void *
 || vdh == NULL
 || !DH_up_ref(vdh))
 return 0;
+#ifdef FIPS_MODULE
+ if (ossl_ffc_numbers_to_dh_named_group(DH_get0_p(vdh),
+ DH_get0_q(vdh), DH_get0_g(vdh)) == NULL)
+ return 0;
+#endif
 DH_free(pdhctx->dh);
 pdhctx->dh = vdh;
 pdhctx->kdf_type = PROV_DH_KDF_NONE;
diff -up openssl-3.0.7/providers/implementations/keymgmt/dh_kmgmt.c.nodhx openssl-3.0.7/providers/implementations/keymgmt/dh_kmgmt.c
--- openssl-3.0.7/providers/implementations/keymgmt/dh_kmgmt.c.nodhx 2023-03-09 15:38:04.024555943 +0100
+++ openssl-3.0.7/providers/implementations/keymgmt/dh_kmgmt.c 2023-03-09 16:32:04.142490068 +0100
@@ -498,6 +499,11 @@ static int dh_gen_set_template(void *gen
 if (!ossl_prov_is_running() || gctx == NULL || dh == NULL)
 return 0;
+#ifdef FIPS_MODULE
+ if (ossl_ffc_numbers_to_dh_named_group(DH_get0_p(dh),
+ DH_get0_q(dh), DH_get0_g(dh)) == NULL)
+ return 0;
+#endif
 gctx->ffc_params = ossl_dh_get0_params(dh);
 return 1;
 }
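Review bot: The skip message added in check_availability says `DHX disabled in RHEL`, but the condition only fires when `$provname eq 'fips'`, so the log line overstates the restriction. Someone reading test output could conclude that X9.42 DH is unavailable in every provider. Wording that matches the condition, such as `"$tnam: skipped, DHX disabled in the FIPS provider\n"`, avoids that. `$provname` is set outside the hunk.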
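Review bot: The new FIPS_MODULE check in dh_init returns 0 after `DH_up_ref(vdh)` in the preceding condition has already succeeded, so a key rejected as not being a named group keeps its raised reference count and is never released on this path. Either run the named-group test before the `if` that takes the reference, or release it when rejecting: `{ DH_free(vdh); return 0; }`. The early return also puts nothing on the error queue, so a caller cannot tell this policy rejection from any other init failure; an `ERR_raise(ERR_LIB_PROV, <reason code>)` before returning would help. The same missing error applies to the identical check added to dh_gen_set_template in dh_kmgmt.c. dh_init begins before the hunk and continues after it.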