diff -up openssl-3.0.0/providers/fips/fipsprov.c.fipsmin openssl-3.0.0/providers/fips/fipsprov.c
--- openssl-3.0.0/providers/fips/fipsprov.c.fipsmin 2022-01-12 17:17:42.574377550 +0100
+++ openssl-3.0.0/providers/fips/fipsprov.c 2022-01-12 17:19:57.590598279 +0100
@@ -37,6 +37,9 @@ static OSSL_FUNC_provider_query_operatio
 #define ALGC(NAMES, FUNC, CHECK) { { NAMES, FIPS_DEFAULT_PROPERTIES, FUNC }, CHECK }
 #define ALG(NAMES, FUNC) ALGC(NAMES, FUNC, NULL)
+#define ALGCU(NAMES, FUNC, CHECK) { { NAMES, FIPS_UNAPPROVED_PROPERTIES, FUNC }, CHECK }
+#define ALGU(NAMES, FUNC) ALGCU(NAMES, FUNC, NULL)
+
 extern OSSL_FUNC_core_thread_start_fn *c_thread_start;
 int FIPS_security_check_enabled(OSSL_LIB_CTX *libctx);
@@ -177,13 +177,13 @@ static int fips_get_params(void *provctx
 &fips_prov_ossl_ctx_method);
 p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_NAME);
- if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "OpenSSL FIPS Provider"))
+ if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "Red Hat Enterprise Linux 9 - OpenSSL FIPS Provider"))
 return 0;
 p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_VERSION);
- if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_VERSION_STR))
+ if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, REDHAT_FIPS_VERSION))
 return 0;
 p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_BUILDINFO);
- if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_FULL_VERSION_STR))
+ if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, REDHAT_FIPS_VERSION))
 return 0;
 p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_STATUS);
 if (p != NULL && !OSSL_PARAM_set_int(p, ossl_prov_is_running()))
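Review bot: The new `ALGCU`/`ALGU` macros in the first hunk carry no comment, and `FIPS_UNAPPROVED_PROPERTIES` is not defined anywhere in this patch, so a reader cannot tell from here which property string the unapproved entries get. I would add above them `/* ALGCU/ALGU: entry stays registered in this provider but is not offered with fips=yes; see FIPS_UNAPPROVED_PROPERTIES */`. This matters when auditing the module: the entries switched in the later hunks (3DES, KMAC, X25519/X448, Ed25519/Ed448, DSA, RSA encryption) presumably remain fetchable by any caller whose property query does not require `fips=yes`, so approved-only operation depends on the application's default properties and not on the provider alone.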
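Review bot: `REDHAT_FIPS_VERSION` now feeds both `OSSL_PROV_PARAM_VERSION` and `OSSL_PROV_PARAM_BUILDINFO` in the second hunk but is not defined in the visible patch, so it presumably arrives as a build flag. A guard near the top of the file, `#ifndef REDHAT_FIPS_VERSION` / `# error "REDHAT_FIPS_VERSION must be set by the build"` / `#endif`, would make that dependency explicit instead of failing at this call site. With both parameters set to the same vendor string, tooling that reads the provider version to map a host to an upstream OpenSSL release no longer sees `OPENSSL_VERSION_STR`; keeping `OPENSSL_FULL_VERSION_STR` in BUILDINFO, or a comment saying where the upstream version can still be read, would preserve that. fips_get_params starts and ends outside the hunk.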
@@ -264,9 +267,9 @@ static const OSSL_ALGORITHM fips_digests
 * KECCAK-KMAC-128 and KECCAK-KMAC-256 as hashes are mostly useful for
 * KMAC128 and KMAC256.
 */
- { PROV_NAMES_KECCAK_KMAC_128, FIPS_DEFAULT_PROPERTIES,
+ { PROV_NAMES_KECCAK_KMAC_128, FIPS_UNAPPROVED_PROPERTIES,
 ossl_keccak_kmac_128_functions },
- { PROV_NAMES_KECCAK_KMAC_256, FIPS_DEFAULT_PROPERTIES,
+ { PROV_NAMES_KECCAK_KMAC_256, FIPS_UNAPPROVED_PROPERTIES,
 ossl_keccak_kmac_256_functions },
 { NULL, NULL, NULL }
 };
@@ -326,8 +329,8 @@ static const OSSL_ALGORITHM_CAPABLE fips
 ALGC(PROV_NAMES_AES_256_CBC_HMAC_SHA256, ossl_aes256cbc_hmac_sha256_functions,
 ossl_cipher_capable_aes_cbc_hmac_sha256),
 #ifndef OPENSSL_NO_DES
- ALG(PROV_NAMES_DES_EDE3_ECB, ossl_tdes_ede3_ecb_functions),
- ALG(PROV_NAMES_DES_EDE3_CBC, ossl_tdes_ede3_cbc_functions),
+ ALGU(PROV_NAMES_DES_EDE3_ECB, ossl_tdes_ede3_ecb_functions),
+ ALGU(PROV_NAMES_DES_EDE3_CBC, ossl_tdes_ede3_cbc_functions),
 #endif /* OPENSSL_NO_DES */
 { { NULL, NULL, NULL }, NULL }
 };
@@ -339,8 +342,8 @@ static const OSSL_ALGORITHM fips_macs[]
 #endif
 { PROV_NAMES_GMAC, FIPS_DEFAULT_PROPERTIES, ossl_gmac_functions },
 { PROV_NAMES_HMAC, FIPS_DEFAULT_PROPERTIES, ossl_hmac_functions },
- { PROV_NAMES_KMAC_128, FIPS_DEFAULT_PROPERTIES, ossl_kmac128_functions },
- { PROV_NAMES_KMAC_256, FIPS_DEFAULT_PROPERTIES, ossl_kmac256_functions },
+ { PROV_NAMES_KMAC_128, FIPS_UNAPPROVED_PROPERTIES, ossl_kmac128_functions },
+ { PROV_NAMES_KMAC_256, FIPS_UNAPPROVED_PROPERTIES, ossl_kmac256_functions },
 { NULL, NULL, NULL }
 };
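Review bot: Nothing ties the KECCAK-KMAC change in `fips_digests` to the matching KMAC-128/256 change in `fips_macs` (the `-339` hunk), although the existing comment says these digests exist mainly for KMAC. I would extend that comment with a line such as `* Registered as unapproved together with KMAC-128/256 in fips_macs; change both tables together.` so a later rebase does not flip one side only. It is also worth confirming that KMAC's own lookup of these digests, which is not visible in this diff, is unaffected by the property change. Both tables start outside their hunks.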
@@ -375,8 +378,8 @@ static const OSSL_ALGORITHM fips_keyexch
 #endif
 #ifndef OPENSSL_NO_EC
 { PROV_NAMES_ECDH, FIPS_DEFAULT_PROPERTIES, ossl_ecdh_keyexch_functions },
- { PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keyexch_functions },
- { PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keyexch_functions },
+ { PROV_NAMES_X25519, FIPS_UNAPPROVED_PROPERTIES, ossl_x25519_keyexch_functions },
+ { PROV_NAMES_X448, FIPS_UNAPPROVED_PROPERTIES, ossl_x448_keyexch_functions },
 #endif
 { PROV_NAMES_TLS1_PRF, FIPS_DEFAULT_PROPERTIES,
 ossl_kdf_tls1_prf_keyexch_functions },
@@ -386,12 +389,12 @@ static const OSSL_ALGORITHM fips_keyexch
 static const OSSL_ALGORITHM fips_signature[] = {
 #ifndef OPENSSL_NO_DSA
- { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_signature_functions },
+ { PROV_NAMES_DSA, FIPS_UNAPPROVED_PROPERTIES, ossl_dsa_signature_functions },
 #endif
 { PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_signature_functions },
 #ifndef OPENSSL_NO_EC
- { PROV_NAMES_ED25519, FIPS_DEFAULT_PROPERTIES, ossl_ed25519_signature_functions },
- { PROV_NAMES_ED448, FIPS_DEFAULT_PROPERTIES, ossl_ed448_signature_functions },
+ { PROV_NAMES_ED25519, FIPS_UNAPPROVED_PROPERTIES, ossl_ed25519_signature_functions },
+ { PROV_NAMES_ED448, FIPS_UNAPPROVED_PROPERTIES, ossl_ed448_signature_functions },
 { PROV_NAMES_ECDSA, FIPS_DEFAULT_PROPERTIES, ossl_ecdsa_signature_functions },
 #endif
 { PROV_NAMES_HMAC, FIPS_DEFAULT_PROPERTIES,
@@ -407,7 +407,7 @@ static const OSSL_ALGORITHM fips_signatu
 };
 static const OSSL_ALGORITHM fips_asym_cipher[] = {
- { PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_asym_cipher_functions },
+ { PROV_NAMES_RSA, FIPS_UNAPPROVED_PROPERTIES, ossl_rsa_asym_cipher_functions },
 { NULL, NULL, NULL }
 };
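Review bot: Switching the single `PROV_NAMES_RSA` entry in `fips_asym_cipher` takes every RSA encryption and decryption padding out of `fips=yes` fetches at once, since the table is keyed by algorithm name and cannot separate one padding mode from another. Callers that request RSA encryption with a `fips=yes` query will now fail at fetch time, which is a visible behaviour change that deserves a comment on this line, e.g. `/* Red Hat: RSA encryption/decryption is not offered with fips=yes (all paddings); RSA signatures in fips_signature are unaffected */`. If the provider also registers an RSA-based KEM table (not shown in this diff), check that it is treated consistently with this entry.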
@@ -421,7 +424,7 @@ static const OSSL_ALGORITHM fips_keymgmt
 PROV_DESCS_DHX },
 #endif
 #ifndef OPENSSL_NO_DSA
- { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_keymgmt_functions,
+ { PROV_NAMES_DSA, FIPS_UNAPPROVED_PROPERTIES, ossl_dsa_keymgmt_functions,
 PROV_DESCS_DSA },
 #endif
 { PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_keymgmt_functions,
@@ -431,13 +434,13 @@ static const OSSL_ALGORITHM fips_keymgmt
 #ifndef OPENSSL_NO_EC
 { PROV_NAMES_EC, FIPS_DEFAULT_PROPERTIES, ossl_ec_keymgmt_functions,
 PROV_DESCS_EC },
- { PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keymgmt_functions,
+ { PROV_NAMES_X25519, FIPS_UNAPPROVED_PROPERTIES, ossl_x25519_keymgmt_functions,
 PROV_DESCS_X25519 },
- { PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keymgmt_functions,
+ { PROV_NAMES_X448, FIPS_UNAPPROVED_PROPERTIES, ossl_x448_keymgmt_functions,
 PROV_DESCS_X448 },
- { PROV_NAMES_ED25519, FIPS_DEFAULT_PROPERTIES, ossl_ed25519_keymgmt_functions,
+ { PROV_NAMES_ED25519, FIPS_UNAPPROVED_PROPERTIES, ossl_ed25519_keymgmt_functions,
 PROV_DESCS_ED25519 },
- { PROV_NAMES_ED448, FIPS_DEFAULT_PROPERTIES, ossl_ed448_keymgmt_functions,
+ { PROV_NAMES_ED448, FIPS_UNAPPROVED_PROPERTIES, ossl_ed448_keymgmt_functions,
 PROV_DESCS_ED448 },
 #endif
 { PROV_NAMES_TLS1_PRF, FIPS_DEFAULT_PROPERTIES, ossl_kdf_keymgmt_functions,
diff -up openssl-3.0.0/test/acvp_test.c.fipsmin openssl-3.0.0/test/acvp_test.c
--- openssl-3.0.0/test/acvp_test.c.fipsmin 2022-01-12 18:34:17.283654119 +0100
+++ openssl-3.0.0/test/acvp_test.c 2022-01-12 18:35:46.270430676 +0100
@@ -1466,8 +1466,9 @@ int setup_tests(void)
 ADD_ALL_TESTS(rsa_keygen_test, OSSL_NELEM(rsa_keygen_data));
 ADD_ALL_TESTS(rsa_siggen_test, OSSL_NELEM(rsa_siggen_data));
 ADD_ALL_TESTS(rsa_sigver_test, OSSL_NELEM(rsa_sigver_data));
- ADD_ALL_TESTS(rsa_decryption_primitive_test,
- OSSL_NELEM(rsa_decrypt_prim_data));
+/* Red Hat FIPS provider doesn't have fips=yes property on RSA encryption */
+/* ADD_ALL_TESTS(rsa_decryption_primitive_test,
+ OSSL_NELEM(rsa_decrypt_prim_data)); */
 #ifndef OPENSSL_NO_DH
 ADD_ALL_TESTS(dh_safe_prime_keygen_test,
@@ -1473,6 +1473,7 @@ int setup_tests(void)
 OSSL_NELEM(dh_safe_prime_keyver_data));
 #endif /* OPENSSL_NO_DH */
+#if 0 /* Red Hat FIPS provider doesn't have fips=yes property on DSA */
 #ifndef OPENSSL_NO_DSA
 ADD_ALL_TESTS(dsa_keygen_test, OSSL_NELEM(dsa_keygen_data));
 ADD_ALL_TESTS(dsa_paramgen_test, OSSL_NELEM(dsa_paramgen_data));
@@ -1480,6 +1481,7 @@ int setup_tests(void)
 ADD_ALL_TESTS(dsa_siggen_test, OSSL_NELEM(dsa_siggen_data));
 ADD_ALL_TESTS(dsa_sigver_test, OSSL_NELEM(dsa_sigver_data));
 #endif /* OPENSSL_NO_DSA */
+#endif
 #ifndef OPENSSL_NO_EC
 ADD_ALL_TESTS(ecdsa_keygen_test, OSSL_NELEM(ecdsa_keygen_data));
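Review bot: The RSA decryption-primitive test is disabled by wrapping the call in a block comment, while the DSA tests in the next two hunks are disabled with `#if 0` … `#endif`; either way, code that still ships in the provider as unapproved loses its ACVP coverage in this build. Prefer one mechanism for all three, and label the closing line in the third hunk as `#endif /* Red Hat: DSA not fips=yes */` so it is not mistaken for the `OPENSSL_NO_DSA` guard directly above it. The added comment says "RSA encryption" although the test being dropped is `rsa_decryption_primitive_test`; `/* ... fips=yes property on RSA encryption/decryption */` would be accurate. If these tests fail only because they fetch with a `fips=yes` query (not visible here), relaxing the query for them would keep the coverage instead of removing it. setup_tests starts and ends outside all three hunks.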