Pedro Monreal Gonzalez
8c598ed63d
* Add openssl-3-disable-hmac-hw-acceleration-with-engine-digest.patch * Add openssl-3-fix-hmac-digest-detection-s390x.patch * Add openssl-3-fix-memleak-s390x_HMAC_CTX_copy.patch - Add hardware acceleration for full AES-XTS jsc#PED-10273 * Add openssl-3-hw-acceleration-aes-xts-s390x.patch - Support MSA 12 SHA3 on s390x jsc#PED-10280 * Add openssl-3-add_EVP_DigestSqueeze_api.patch * Add openssl-3-support-multiple-sha3_squeeze_s390x.patch * Add openssl-3-add-xof-state-handling-s3_absorb.patch * Add openssl-3-fix-state-handling-sha3_absorb_s390x.patch * Add openssl-3-fix-state-handling-sha3_final_s390x.patch * Add openssl-3-fix-state-handling-shake_final_s390x.patch * Add openssl-3-fix-state-handling-keccak_final_s390x.patch * Add openssl-3-support-EVP_DigestSqueeze-in-digest-prov-s390x.patch * Add openssl-3-add-defines-CPACF-funcs.patch * Add openssl-3-add-hw-acceleration-hmac.patch * Add openssl-3-support-CPACF-sha3-shake-perf-improvement.patch * Add openssl-3-fix-s390x_sha3_absorb.patch * Add openssl-3-fix-s390x_shake_squeeze.patch - Update to 3.2.3: * Changes between 3.2.2 and 3.2.3: - Fixed possible denial of service in X.509 name checks. [CVE-2024-6119] - Fixed possible buffer overread in SSL_select_next_proto(). [CVE-2024-5535] * Changes between 3.2.1 and 3.2.2: - Fixed potential use after free after SSL_free_buffers() is called. [CVE-2024-4741] - Fixed an issue where checking excessively long DSA keys or parameters may OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=121
783 lines
35 KiB
Diff
783 lines
35 KiB
Diff
From e25b25227043a2b2cf156527c31d7686a4265bf3 Mon Sep 17 00:00:00 2001
|
|
From: rpm-build <rpm-build>
|
|
Date: Wed, 6 Mar 2024 19:17:15 +0100
|
|
Subject: [PATCH 20/49] 0045-FIPS-services-minimize.patch
|
|
|
|
Patch-name: 0045-FIPS-services-minimize.patch
|
|
Patch-id: 45
|
|
Patch-status: |
|
|
# # Minimize fips services
|
|
From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
|
|
---
|
|
apps/ecparam.c | 7 +++
|
|
apps/req.c | 2 +-
|
|
providers/common/capabilities.c | 2 +-
|
|
providers/fips/fipsprov.c | 44 +++++++++++--------
|
|
providers/fips/self_test_data.inc | 9 +++-
|
|
providers/implementations/signature/rsa_sig.c | 26 +++++++++++
|
|
ssl/ssl_ciph.c | 3 ++
|
|
test/acvp_test.c | 2 +
|
|
test/endecode_test.c | 4 ++
|
|
test/evp_libctx_test.c | 9 +++-
|
|
test/recipes/15-test_gendsa.t | 2 +-
|
|
test/recipes/20-test_cli_fips.t | 3 +-
|
|
test/recipes/30-test_evp.t | 20 ++++-----
|
|
.../30-test_evp_data/evpmac_common.txt | 22 ++++++++++
|
|
test/recipes/80-test_cms.t | 22 +++++-----
|
|
test/recipes/80-test_ssl_old.t | 2 +-
|
|
16 files changed, 128 insertions(+), 51 deletions(-)
|
|
|
|
Index: openssl-3.2.3/apps/ecparam.c
|
|
===================================================================
|
|
--- openssl-3.2.3.orig/apps/ecparam.c
|
|
+++ openssl-3.2.3/apps/ecparam.c
|
|
@@ -79,6 +79,13 @@ static int list_builtin_curves(BIO *out)
|
|
const char *comment = curves[n].comment;
|
|
const char *sname = OBJ_nid2sn(curves[n].nid);
|
|
|
|
+ if (((curves[n].nid == NID_secp256k1) || (curves[n].nid == NID_brainpoolP256r1)
|
|
+ || (curves[n].nid == NID_brainpoolP256t1) || (curves[n].nid == NID_brainpoolP320r1)
|
|
+ || (curves[n].nid == NID_brainpoolP320t1) || (curves[n].nid == NID_brainpoolP384r1)
|
|
+ || (curves[n].nid == NID_brainpoolP384t1) || (curves[n].nid == NID_brainpoolP512r1)
|
|
+ || (curves[n].nid == NID_brainpoolP512t1)) && EVP_default_properties_is_fips_enabled(NULL))
|
|
+ continue;
|
|
+
|
|
if (comment == NULL)
|
|
comment = "CURVE DESCRIPTION NOT AVAILABLE";
|
|
if (sname == NULL)
|
|
Index: openssl-3.2.3/apps/req.c
|
|
===================================================================
|
|
--- openssl-3.2.3.orig/apps/req.c
|
|
+++ openssl-3.2.3/apps/req.c
|
|
@@ -268,7 +268,7 @@ int req_main(int argc, char **argv)
|
|
unsigned long chtype = MBSTRING_ASC, reqflag = 0;
|
|
|
|
#ifndef OPENSSL_NO_DES
|
|
- cipher = (EVP_CIPHER *)EVP_des_ede3_cbc();
|
|
+ cipher = (EVP_CIPHER *)EVP_aes_256_cbc();
|
|
#endif
|
|
|
|
opt_set_unknown_name("digest");
|
|
Index: openssl-3.2.3/providers/common/capabilities.c
|
|
===================================================================
|
|
--- openssl-3.2.3.orig/providers/common/capabilities.c
|
|
+++ openssl-3.2.3/providers/common/capabilities.c
|
|
@@ -189,9 +189,9 @@ static const OSSL_PARAM param_group_list
|
|
TLS_GROUP_ENTRY("brainpoolP256r1", "brainpoolP256r1", "EC", 25),
|
|
TLS_GROUP_ENTRY("brainpoolP384r1", "brainpoolP384r1", "EC", 26),
|
|
TLS_GROUP_ENTRY("brainpoolP512r1", "brainpoolP512r1", "EC", 27),
|
|
-# endif
|
|
TLS_GROUP_ENTRY("x25519", "X25519", "X25519", 28),
|
|
TLS_GROUP_ENTRY("x448", "X448", "X448", 29),
|
|
+# endif
|
|
# ifndef FIPS_MODULE
|
|
TLS_GROUP_ENTRY("brainpoolP256r1tls13", "brainpoolP256r1", "EC", 30),
|
|
TLS_GROUP_ENTRY("brainpoolP384r1tls13", "brainpoolP384r1", "EC", 31),
|
|
Index: openssl-3.2.3/providers/fips/fipsprov.c
|
|
===================================================================
|
|
--- openssl-3.2.3.orig/providers/fips/fipsprov.c
|
|
+++ openssl-3.2.3/providers/fips/fipsprov.c
|
|
@@ -194,18 +194,19 @@ static const OSSL_PARAM *fips_gettable_p
|
|
|
|
static int fips_get_params(void *provctx, OSSL_PARAM params[])
|
|
{
|
|
+#define SUSE_OPENSSL_VERSION_STR OPENSSL_VERSION_STR " SUSE release " SUSE_OPENSSL_RELEASE
|
|
OSSL_PARAM *p;
|
|
FIPS_GLOBAL *fgbl = ossl_lib_ctx_get_data(ossl_prov_ctx_get0_libctx(provctx),
|
|
OSSL_LIB_CTX_FIPS_PROV_INDEX);
|
|
|
|
p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_NAME);
|
|
- if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "OpenSSL FIPS Provider"))
|
|
+ if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "SUSE Linux Enterprise - OpenSSL FIPS Provider"))
|
|
return 0;
|
|
p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_VERSION);
|
|
- if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_VERSION_STR))
|
|
+ if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, SUSE_OPENSSL_VERSION_STR))
|
|
return 0;
|
|
p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_BUILDINFO);
|
|
- if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_FULL_VERSION_STR))
|
|
+ if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, SUSE_OPENSSL_VERSION_STR))
|
|
return 0;
|
|
p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_STATUS);
|
|
if (p != NULL && !OSSL_PARAM_set_int(p, ossl_prov_is_running()))
|
|
@@ -298,10 +299,11 @@ static const OSSL_ALGORITHM fips_digests
|
|
* KECCAK-KMAC-128 and KECCAK-KMAC-256 as hashes are mostly useful for
|
|
* KMAC128 and KMAC256.
|
|
*/
|
|
- { PROV_NAMES_KECCAK_KMAC_128, FIPS_DEFAULT_PROPERTIES,
|
|
+ /* We don't certify KECCAK in our FIPS provider */
|
|
+ /* { PROV_NAMES_KECCAK_KMAC_128, FIPS_DEFAULT_PROPERTIES,
|
|
ossl_keccak_kmac_128_functions },
|
|
{ PROV_NAMES_KECCAK_KMAC_256, FIPS_DEFAULT_PROPERTIES,
|
|
- ossl_keccak_kmac_256_functions },
|
|
+ ossl_keccak_kmac_256_functions }, */
|
|
{ NULL, NULL, NULL }
|
|
};
|
|
|
|
@@ -360,8 +362,9 @@ static const OSSL_ALGORITHM_CAPABLE fips
|
|
ALGC(PROV_NAMES_AES_256_CBC_HMAC_SHA256, ossl_aes256cbc_hmac_sha256_functions,
|
|
ossl_cipher_capable_aes_cbc_hmac_sha256),
|
|
#ifndef OPENSSL_NO_DES
|
|
- UNAPPROVED_ALG(PROV_NAMES_DES_EDE3_ECB, ossl_tdes_ede3_ecb_functions),
|
|
- UNAPPROVED_ALG(PROV_NAMES_DES_EDE3_CBC, ossl_tdes_ede3_cbc_functions),
|
|
+ /* We don't certify 3DES in our FIPS provider */
|
|
+ /* UNAPPROVED_ALG(PROV_NAMES_DES_EDE3_ECB, ossl_tdes_ede3_ecb_functions),
|
|
+ UNAPPROVED_ALG(PROV_NAMES_DES_EDE3_CBC, ossl_tdes_ede3_cbc_functions), */
|
|
#endif /* OPENSSL_NO_DES */
|
|
{ { NULL, NULL, NULL }, NULL }
|
|
};
|
|
@@ -373,8 +376,9 @@ static const OSSL_ALGORITHM fips_macs[]
|
|
#endif
|
|
{ PROV_NAMES_GMAC, FIPS_DEFAULT_PROPERTIES, ossl_gmac_functions },
|
|
{ PROV_NAMES_HMAC, FIPS_DEFAULT_PROPERTIES, ossl_hmac_functions },
|
|
- { PROV_NAMES_KMAC_128, FIPS_DEFAULT_PROPERTIES, ossl_kmac128_functions },
|
|
- { PROV_NAMES_KMAC_256, FIPS_DEFAULT_PROPERTIES, ossl_kmac256_functions },
|
|
+ /* We don't certify KMAC in our FIPS provider */
|
|
+ /*{ PROV_NAMES_KMAC_128, FIPS_DEFAULT_PROPERTIES, ossl_kmac128_functions },
|
|
+ { PROV_NAMES_KMAC_256, FIPS_DEFAULT_PROPERTIES, ossl_kmac256_functions }, */
|
|
{ NULL, NULL, NULL }
|
|
};
|
|
|
|
@@ -410,8 +414,9 @@ static const OSSL_ALGORITHM fips_keyexch
|
|
#ifndef OPENSSL_NO_EC
|
|
{ PROV_NAMES_ECDH, FIPS_DEFAULT_PROPERTIES, ossl_ecdh_keyexch_functions },
|
|
# ifndef OPENSSL_NO_ECX
|
|
- { PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keyexch_functions },
|
|
- { PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keyexch_functions },
|
|
+ /* We don't certify Edwards curves in our FIPS provider */
|
|
+ /*{ PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keyexch_functions },
|
|
+ { PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keyexch_functions },*/
|
|
# endif
|
|
#endif
|
|
{ PROV_NAMES_TLS1_PRF, FIPS_DEFAULT_PROPERTIES,
|
|
@@ -422,14 +427,16 @@ static const OSSL_ALGORITHM fips_keyexch
|
|
|
|
static const OSSL_ALGORITHM fips_signature[] = {
|
|
#ifndef OPENSSL_NO_DSA
|
|
- { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_signature_functions },
|
|
+ /* We don't certify DSA in our FIPS provider */
|
|
+ /* { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_signature_functions },*/
|
|
#endif
|
|
{ PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_signature_functions },
|
|
#ifndef OPENSSL_NO_EC
|
|
# ifndef OPENSSL_NO_ECX
|
|
- { PROV_NAMES_ED25519, FIPS_UNAPPROVED_PROPERTIES,
|
|
+ /* We don't certify Edwards curves in our FIPS provider */
|
|
+ /* { PROV_NAMES_ED25519, FIPS_UNAPPROVED_PROPERTIES,
|
|
ossl_ed25519_signature_functions },
|
|
- { PROV_NAMES_ED448, FIPS_UNAPPROVED_PROPERTIES, ossl_ed448_signature_functions },
|
|
+ { PROV_NAMES_ED448, FIPS_UNAPPROVED_PROPERTIES, ossl_ed448_signature_functions },*/
|
|
# endif
|
|
{ PROV_NAMES_ECDSA, FIPS_DEFAULT_PROPERTIES, ossl_ecdsa_signature_functions },
|
|
#endif
|
|
@@ -460,8 +467,9 @@ static const OSSL_ALGORITHM fips_keymgmt
|
|
PROV_DESCS_DHX },
|
|
#endif
|
|
#ifndef OPENSSL_NO_DSA
|
|
- { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_keymgmt_functions,
|
|
- PROV_DESCS_DSA },
|
|
+ /* We don't certify DSA in our FIPS provider */
|
|
+ /* { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_keymgmt_functions,
|
|
+ PROV_DESCS_DSA }, */
|
|
#endif
|
|
{ PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_keymgmt_functions,
|
|
PROV_DESCS_RSA },
|
|
@@ -471,14 +479,15 @@ static const OSSL_ALGORITHM fips_keymgmt
|
|
{ PROV_NAMES_EC, FIPS_DEFAULT_PROPERTIES, ossl_ec_keymgmt_functions,
|
|
PROV_DESCS_EC },
|
|
# ifndef OPENSSL_NO_ECX
|
|
- { PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keymgmt_functions,
|
|
+ /* We don't certify Edwards curves in our FIPS provider */
|
|
+ /* { PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keymgmt_functions,
|
|
PROV_DESCS_X25519 },
|
|
{ PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keymgmt_functions,
|
|
PROV_DESCS_X448 },
|
|
{ PROV_NAMES_ED25519, FIPS_UNAPPROVED_PROPERTIES, ossl_ed25519_keymgmt_functions,
|
|
PROV_DESCS_ED25519 },
|
|
{ PROV_NAMES_ED448, FIPS_UNAPPROVED_PROPERTIES, ossl_ed448_keymgmt_functions,
|
|
- PROV_DESCS_ED448 },
|
|
+ PROV_DESCS_ED448 }, */
|
|
# endif
|
|
#endif
|
|
{ PROV_NAMES_TLS1_PRF, FIPS_DEFAULT_PROPERTIES, ossl_kdf_keymgmt_functions,
|
|
Index: openssl-3.2.3/providers/fips/self_test_data.inc
|
|
===================================================================
|
|
--- openssl-3.2.3.orig/providers/fips/self_test_data.inc
|
|
+++ openssl-3.2.3/providers/fips/self_test_data.inc
|
|
@@ -177,6 +177,7 @@ static const ST_KAT_DIGEST st_kat_digest
|
|
/*- CIPHER TEST DATA */
|
|
|
|
/* DES3 test data */
|
|
+#if 0
|
|
static const unsigned char des_ede3_cbc_pt[] = {
|
|
0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
|
|
0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
|
|
@@ -197,7 +198,7 @@ static const unsigned char des_ede3_cbc_
|
|
0x51, 0x65, 0x70, 0x48, 0x1F, 0x25, 0xB5, 0x0F,
|
|
0x73, 0xC0, 0xBD, 0xA8, 0x5C, 0x8E, 0x0D, 0xA7
|
|
};
|
|
-
|
|
+#endif
|
|
/* AES-256 GCM test data */
|
|
static const unsigned char aes_256_gcm_key[] = {
|
|
0x92, 0xe1, 0x1d, 0xcd, 0xaa, 0x86, 0x6f, 0x5c,
|
|
@@ -1454,8 +1455,9 @@ static const ST_KAT_PARAM ecdsa_bin_key[
|
|
# endif /* OPENSSL_NO_EC2M */
|
|
#endif /* OPENSSL_NO_EC */
|
|
|
|
-#ifndef OPENSSL_NO_DSA
|
|
/* dsa 2048 */
|
|
+#if 0
|
|
+#ifndef OPENSSL_NO_DSA
|
|
static const unsigned char dsa_p[] = {
|
|
0xa2, 0x9b, 0x88, 0x72, 0xce, 0x8b, 0x84, 0x23,
|
|
0xb7, 0xd5, 0xd2, 0x1d, 0x4b, 0x02, 0xf5, 0x7e,
|
|
@@ -1590,6 +1592,7 @@ static const ST_KAT_PARAM dsa_key[] = {
|
|
ST_KAT_PARAM_END()
|
|
};
|
|
#endif /* OPENSSL_NO_DSA */
|
|
+#endif
|
|
|
|
/* Hash DRBG inputs for signature KATs */
|
|
static const unsigned char sig_kat_entropyin[] = {
|
|
@@ -1642,6 +1645,7 @@ static const ST_KAT_SIGN st_kat_sign_tes
|
|
},
|
|
# endif
|
|
#endif /* OPENSSL_NO_EC */
|
|
+#if 0
|
|
#ifndef OPENSSL_NO_DSA
|
|
{
|
|
OSSL_SELF_TEST_DESC_SIGN_DSA,
|
|
@@ -1654,6 +1658,7 @@ static const ST_KAT_SIGN st_kat_sign_tes
|
|
ITM(dsa_expected_sig)
|
|
},
|
|
#endif /* OPENSSL_NO_DSA */
|
|
+#endif
|
|
};
|
|
|
|
static const ST_KAT_ASYM_CIPHER st_kat_asym_cipher_tests[] = {
|
|
Index: openssl-3.2.3/providers/implementations/signature/rsa_sig.c
|
|
===================================================================
|
|
--- openssl-3.2.3.orig/providers/implementations/signature/rsa_sig.c
|
|
+++ openssl-3.2.3/providers/implementations/signature/rsa_sig.c
|
|
@@ -702,6 +702,19 @@ static int rsa_verify_recover(void *vprs
|
|
{
|
|
PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
|
|
int ret;
|
|
+# ifdef FIPS_MODULE
|
|
+ size_t rsabits = RSA_bits(prsactx->rsa);
|
|
+
|
|
+ if (rsabits < 2048) {
|
|
+ if (rsabits != 1024
|
|
+ && rsabits != 1280
|
|
+ && rsabits != 1536
|
|
+ && rsabits != 1792) {
|
|
+ ERR_raise(ERR_LIB_FIPS, PROV_R_INVALID_KEY_LENGTH);
|
|
+ return 0;
|
|
+ }
|
|
+ }
|
|
+# endif
|
|
|
|
if (!ossl_prov_is_running())
|
|
return 0;
|
|
@@ -790,6 +803,19 @@ static int rsa_verify(void *vprsactx, co
|
|
{
|
|
PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
|
|
size_t rslen;
|
|
+# ifdef FIPS_MODULE
|
|
+ size_t rsabits = RSA_bits(prsactx->rsa);
|
|
+
|
|
+ if (rsabits < 2048) {
|
|
+ if (rsabits != 1024
|
|
+ && rsabits != 1280
|
|
+ && rsabits != 1536
|
|
+ && rsabits != 1792) {
|
|
+ ERR_raise(ERR_LIB_FIPS, PROV_R_INVALID_KEY_LENGTH);
|
|
+ return 0;
|
|
+ }
|
|
+ }
|
|
+# endif
|
|
|
|
if (!ossl_prov_is_running())
|
|
return 0;
|
|
Index: openssl-3.2.3/ssl/ssl_ciph.c
|
|
===================================================================
|
|
--- openssl-3.2.3.orig/ssl/ssl_ciph.c
|
|
+++ openssl-3.2.3/ssl/ssl_ciph.c
|
|
@@ -356,6 +356,9 @@ int ssl_load_ciphers(SSL_CTX *ctx)
|
|
ctx->disabled_mkey_mask = 0;
|
|
ctx->disabled_auth_mask = 0;
|
|
|
|
+ if (EVP_default_properties_is_fips_enabled(ctx->libctx))
|
|
+ ctx->disabled_mkey_mask |= SSL_kRSA | SSL_kRSAPSK;
|
|
+
|
|
/*
|
|
* We ignore any errors from the fetches below. They are expected to fail
|
|
* if these algorithms are not available.
|
|
Index: openssl-3.2.3/test/acvp_test.c
|
|
===================================================================
|
|
--- openssl-3.2.3.orig/test/acvp_test.c
|
|
+++ openssl-3.2.3/test/acvp_test.c
|
|
@@ -1478,6 +1478,7 @@ int setup_tests(void)
|
|
OSSL_NELEM(dh_safe_prime_keyver_data));
|
|
#endif /* OPENSSL_NO_DH */
|
|
|
|
+#if 0 /* SUSE FIPS provider doesn't have fips=yes property on DSA */
|
|
#ifndef OPENSSL_NO_DSA
|
|
ADD_ALL_TESTS(dsa_keygen_test, OSSL_NELEM(dsa_keygen_data));
|
|
ADD_ALL_TESTS(dsa_paramgen_test, OSSL_NELEM(dsa_paramgen_data));
|
|
@@ -1485,6 +1486,7 @@ int setup_tests(void)
|
|
ADD_ALL_TESTS(dsa_siggen_test, OSSL_NELEM(dsa_siggen_data));
|
|
ADD_ALL_TESTS(dsa_sigver_test, OSSL_NELEM(dsa_sigver_data));
|
|
#endif /* OPENSSL_NO_DSA */
|
|
+#endif
|
|
|
|
#ifndef OPENSSL_NO_EC
|
|
ADD_ALL_TESTS(ecdsa_keygen_test, OSSL_NELEM(ecdsa_keygen_data));
|
|
Index: openssl-3.2.3/test/endecode_test.c
|
|
===================================================================
|
|
--- openssl-3.2.3.orig/test/endecode_test.c
|
|
+++ openssl-3.2.3/test/endecode_test.c
|
|
@@ -1424,6 +1424,7 @@ int setup_tests(void)
|
|
* so no legacy tests.
|
|
*/
|
|
#endif
|
|
+ if (is_fips == 0) {
|
|
#ifndef OPENSSL_NO_DSA
|
|
ADD_TEST_SUITE(DSA);
|
|
ADD_TEST_SUITE_PARAMS(DSA);
|
|
@@ -1434,6 +1435,7 @@ int setup_tests(void)
|
|
ADD_TEST_SUITE_PROTECTED_PVK(DSA);
|
|
# endif
|
|
#endif
|
|
+ }
|
|
#ifndef OPENSSL_NO_EC
|
|
ADD_TEST_SUITE(EC);
|
|
ADD_TEST_SUITE_PARAMS(EC);
|
|
@@ -1454,10 +1456,12 @@ int setup_tests(void)
|
|
ADD_TEST_SUITE(SM2);
|
|
}
|
|
# endif
|
|
+ if (is_fips == 0) {
|
|
ADD_TEST_SUITE(ED25519);
|
|
ADD_TEST_SUITE(ED448);
|
|
ADD_TEST_SUITE(X25519);
|
|
ADD_TEST_SUITE(X448);
|
|
+ }
|
|
/*
|
|
* ED25519, ED448, X25519 and X448 have no support for
|
|
* PEM_write_bio_PrivateKey_traditional(), so no legacy tests.
|
|
Index: openssl-3.2.3/test/evp_libctx_test.c
|
|
===================================================================
|
|
--- openssl-3.2.3.orig/test/evp_libctx_test.c
|
|
+++ openssl-3.2.3/test/evp_libctx_test.c
|
|
@@ -21,6 +21,7 @@
|
|
*/
|
|
#include "internal/deprecated.h"
|
|
#include <assert.h>
|
|
+#include <string.h>
|
|
#include <openssl/evp.h>
|
|
#include <openssl/provider.h>
|
|
#include <openssl/dsa.h>
|
|
@@ -726,7 +727,9 @@ int setup_tests(void)
|
|
return 0;
|
|
|
|
#if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_DH)
|
|
- ADD_ALL_TESTS(test_dsa_param_keygen, 3 * 3 * 3);
|
|
+ if (strcmp(prov_name, "fips") != 0) {
|
|
+ ADD_ALL_TESTS(test_dsa_param_keygen, 3 * 3 * 3);
|
|
+ }
|
|
#endif
|
|
#ifndef OPENSSL_NO_DH
|
|
ADD_ALL_TESTS(test_dh_safeprime_param_keygen, 3 * 3 * 3);
|
|
@@ -746,7 +749,9 @@ int setup_tests(void)
|
|
ADD_TEST(kem_invalid_keytype);
|
|
#endif
|
|
#ifndef OPENSSL_NO_DES
|
|
- ADD_TEST(test_cipher_tdes_randkey);
|
|
+ if (strcmp(prov_name, "fips") != 0) {
|
|
+ ADD_TEST(test_cipher_tdes_randkey);
|
|
+ }
|
|
#endif
|
|
return 1;
|
|
}
|
|
Index: openssl-3.2.3/test/recipes/15-test_gendsa.t
|
|
===================================================================
|
|
--- openssl-3.2.3.orig/test/recipes/15-test_gendsa.t
|
|
+++ openssl-3.2.3/test/recipes/15-test_gendsa.t
|
|
@@ -24,7 +24,7 @@ use lib bldtop_dir('.');
|
|
plan skip_all => "This test is unsupported in a no-dsa build"
|
|
if disabled("dsa");
|
|
|
|
-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
|
|
+my $no_fips = 1;
|
|
|
|
plan tests =>
|
|
($no_fips ? 0 : 2) # FIPS related tests
|
|
Index: openssl-3.2.3/test/recipes/20-test_cli_fips.t
|
|
===================================================================
|
|
--- openssl-3.2.3.orig/test/recipes/20-test_cli_fips.t
|
|
+++ openssl-3.2.3/test/recipes/20-test_cli_fips.t
|
|
@@ -278,8 +278,7 @@ SKIP: {
|
|
}
|
|
|
|
SKIP : {
|
|
- skip "FIPS DSA tests because of no dsa in this build", 1
|
|
- if disabled("dsa");
|
|
+ skip "FIPS DSA tests because of no dsa in this build", 1;
|
|
|
|
subtest DSA => sub {
|
|
my $testtext_prefix = 'DSA';
|
|
Index: openssl-3.2.3/test/recipes/30-test_evp.t
|
|
===================================================================
|
|
--- openssl-3.2.3.orig/test/recipes/30-test_evp.t
|
|
+++ openssl-3.2.3/test/recipes/30-test_evp.t
|
|
@@ -46,10 +46,8 @@ my @files = qw(
|
|
evpciph_aes_cts.txt
|
|
evpciph_aes_wrap.txt
|
|
evpciph_aes_stitched.txt
|
|
- evpciph_des3_common.txt
|
|
evpkdf_hkdf.txt
|
|
evpkdf_kbkdf_counter.txt
|
|
- evpkdf_kbkdf_kmac.txt
|
|
evpkdf_pbkdf1.txt
|
|
evpkdf_pbkdf2.txt
|
|
evpkdf_ss.txt
|
|
@@ -70,15 +68,6 @@ push @files, qw(
|
|
evppkey_dh.txt
|
|
) unless $no_dh;
|
|
push @files, qw(
|
|
- evpkdf_x942_des.txt
|
|
- evpmac_cmac_des.txt
|
|
- ) unless $no_des;
|
|
-push @files, qw(evppkey_dsa.txt) unless $no_dsa;
|
|
-push @files, qw(
|
|
- evppkey_ecx.txt
|
|
- evppkey_mismatch_ecx.txt
|
|
- ) unless $no_ecx;
|
|
-push @files, qw(
|
|
evppkey_ecc.txt
|
|
evppkey_ecdh.txt
|
|
evppkey_ecdsa.txt
|
|
@@ -97,6 +86,7 @@ my @defltfiles = qw(
|
|
evpciph_cast5.txt
|
|
evpciph_chacha.txt
|
|
evpciph_des.txt
|
|
+ evpciph_des3_common.txt
|
|
evpciph_idea.txt
|
|
evpciph_rc2.txt
|
|
evpciph_rc4.txt
|
|
@@ -121,13 +111,19 @@ my @defltfiles = qw(
|
|
evpmd_whirlpool.txt
|
|
evppbe_scrypt.txt
|
|
evppbe_pkcs12.txt
|
|
+ evpkdf_kbkdf_kmac.txt
|
|
evppkey_kdf_scrypt.txt
|
|
evppkey_kdf_tls1_prf.txt
|
|
evppkey_rsa.txt
|
|
);
|
|
+push @defltfiles, qw(evppkey_dsa.txt) unless $no_dsa;
|
|
+push @defltfiles, qw(evppkey_ecx.txt) unless $no_ec;
|
|
+push @defltfiles, qw(
|
|
+ evpkdf_x942_des.txt
|
|
+ evpmac_cmac_des.txt
|
|
+ ) unless $no_des;
|
|
push @defltfiles, qw(evppkey_brainpool.txt) unless $no_ec;
|
|
push @defltfiles, qw(evppkey_ecdsa_rfc6979.txt) unless $no_ec;
|
|
-push @defltfiles, qw(evppkey_dsa_rfc6979.txt) unless $no_dsa;
|
|
push @defltfiles, qw(evppkey_sm2.txt) unless $no_sm2;
|
|
push @defltfiles, qw(evpciph_aes_gcm_siv.txt) unless $no_siv;
|
|
push @defltfiles, qw(evpciph_aes_siv.txt) unless $no_siv;
|
|
Index: openssl-3.2.3/test/recipes/30-test_evp_data/evpmac_common.txt
|
|
===================================================================
|
|
--- openssl-3.2.3.orig/test/recipes/30-test_evp_data/evpmac_common.txt
|
|
+++ openssl-3.2.3/test/recipes/30-test_evp_data/evpmac_common.txt
|
|
@@ -363,6 +363,7 @@ IV = 7AE8E2CA4EC500012E58495C
|
|
Input = 68F2E77696CE7AE8E2CA4EC588E541002E58495C08000F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D0007
|
|
Result = MAC_INIT_ERROR
|
|
|
|
+Availablein = default
|
|
Title = KMAC Tests (From NIST)
|
|
MAC = KMAC128
|
|
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
|
@@ -373,12 +374,14 @@ Ctrl = xof:0
|
|
OutputSize = 32
|
|
BlockSize = 168
|
|
|
|
+Availablein = default
|
|
MAC = KMAC128
|
|
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
|
Input = 00010203
|
|
Custom = "My Tagged Application"
|
|
Output = 3B1FBA963CD8B0B59E8C1A6D71888B7143651AF8BA0A7070C0979E2811324AA5
|
|
|
|
+Availablein = default
|
|
MAC = KMAC128
|
|
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
|
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
|
|
@@ -386,6 +389,7 @@ Custom = "My Tagged Application"
|
|
Output = 1F5B4E6CCA02209E0DCB5CA635B89A15E271ECC760071DFD805FAA38F9729230
|
|
Ctrl = size:32
|
|
|
|
+Availablein = default
|
|
MAC = KMAC256
|
|
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
|
Input = 00010203
|
|
@@ -394,12 +398,14 @@ Output = 20C570C31346F703C9AC36C61C03CB6
|
|
OutputSize = 64
|
|
BlockSize = 136
|
|
|
|
+Availablein = default
|
|
MAC = KMAC256
|
|
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
|
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
|
|
Custom = ""
|
|
Output = 75358CF39E41494E949707927CEE0AF20A3FF553904C86B08F21CC414BCFD691589D27CF5E15369CBBFF8B9A4C2EB17800855D0235FF635DA82533EC6B759B69
|
|
|
|
+Availablein = default
|
|
MAC = KMAC256
|
|
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
|
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
|
|
@@ -409,12 +415,14 @@ Ctrl = size:64
|
|
|
|
Title = KMAC XOF Tests (From NIST)
|
|
|
|
+Availablein = default
|
|
MAC = KMAC128
|
|
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
|
Input = 00010203
|
|
Output = CD83740BBD92CCC8CF032B1481A0F4460E7CA9DD12B08A0C4031178BACD6EC35
|
|
XOF = 1
|
|
|
|
+Availablein = default
|
|
MAC = KMAC128
|
|
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
|
Input = 00010203
|
|
@@ -422,6 +430,7 @@ Custom = "My Tagged Application"
|
|
Output = 31A44527B4ED9F5C6101D11DE6D26F0620AA5C341DEF41299657FE9DF1A3B16C
|
|
XOF = 1
|
|
|
|
+Availablein = default
|
|
MAC = KMAC128
|
|
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
|
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
|
|
@@ -430,6 +439,7 @@ Output = 47026C7CD793084AA0283C253EF6584
|
|
XOF = 1
|
|
Ctrl = size:32
|
|
|
|
+Availablein = default
|
|
MAC = KMAC256
|
|
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
|
Input = 00010203
|
|
@@ -437,6 +447,7 @@ Custom = "My Tagged Application"
|
|
Output = 1755133F1534752AAD0748F2C706FB5C784512CAB835CD15676B16C0C6647FA96FAA7AF634A0BF8FF6DF39374FA00FAD9A39E322A7C92065A64EB1FB0801EB2B
|
|
XOF = 1
|
|
|
|
+Availablein = default
|
|
MAC = KMAC256
|
|
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
|
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
|
|
@@ -444,6 +455,7 @@ Custom = ""
|
|
Output = FF7B171F1E8A2B24683EED37830EE797538BA8DC563F6DA1E667391A75EDC02CA633079F81CE12A25F45615EC89972031D18337331D24CEB8F8CA8E6A19FD98B
|
|
XOF = 1
|
|
|
|
+Availablein = default
|
|
MAC = KMAC256
|
|
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
|
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
|
|
@@ -454,6 +466,7 @@ XOF = 1
|
|
|
|
Title = KMAC long customisation string (from NIST ACVP)
|
|
|
|
+Availablein = default
|
|
MAC = KMAC256
|
|
Key = 9743DBF93102FAF11227B154B8ACD16CF142671F7AA16C559A393A38B4CEF461ED29A6A328D7379C99718790E38B54CA25E9E831CBEA463EE704D1689F94629AB795DF0C77F756DA743309C0E054596BA2D9CC1768ACF7CD351D9A7EB1ABD0A3
|
|
Input = BA63AC9C711F143CCE7FF92D0322649D1BE437D805FD225C0A2879A008373EC3BCCDB09971FAD2BCE5F4347AF7E5238EF01A90ED34193D6AFC1D
|
|
@@ -464,12 +477,14 @@ XOF = 1
|
|
|
|
Title = KMAC XOF Tests via ctrl (From NIST)
|
|
|
|
+Availablein = default
|
|
MAC = KMAC128
|
|
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
|
Input = 00010203
|
|
Output = CD83740BBD92CCC8CF032B1481A0F4460E7CA9DD12B08A0C4031178BACD6EC35
|
|
Ctrl = xof:1
|
|
|
|
+Availablein = default
|
|
MAC = KMAC128
|
|
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
|
Input = 00010203
|
|
@@ -477,6 +492,7 @@ Custom = "My Tagged Application"
|
|
Output = 31A44527B4ED9F5C6101D11DE6D26F0620AA5C341DEF41299657FE9DF1A3B16C
|
|
Ctrl = xof:1
|
|
|
|
+Availablein = default
|
|
MAC = KMAC128
|
|
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
|
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
|
|
@@ -485,6 +501,7 @@ Output = 47026C7CD793084AA0283C253EF6584
|
|
Ctrl = xof:1
|
|
Ctrl = size:32
|
|
|
|
+Availablein = default
|
|
MAC = KMAC256
|
|
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
|
Input = 00010203
|
|
@@ -492,6 +509,7 @@ Custom = "My Tagged Application"
|
|
Output = 1755133F1534752AAD0748F2C706FB5C784512CAB835CD15676B16C0C6647FA96FAA7AF634A0BF8FF6DF39374FA00FAD9A39E322A7C92065A64EB1FB0801EB2B
|
|
Ctrl = xof:1
|
|
|
|
+Availablein = default
|
|
MAC = KMAC256
|
|
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
|
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
|
|
@@ -499,6 +517,7 @@ Custom = ""
|
|
Output = FF7B171F1E8A2B24683EED37830EE797538BA8DC563F6DA1E667391A75EDC02CA633079F81CE12A25F45615EC89972031D18337331D24CEB8F8CA8E6A19FD98B
|
|
Ctrl = xof:1
|
|
|
|
+Availablein = default
|
|
MAC = KMAC256
|
|
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
|
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
|
|
@@ -509,6 +528,7 @@ Ctrl = xof:1
|
|
|
|
Title = KMAC long customisation string via ctrl (from NIST ACVP)
|
|
|
|
+Availablein = default
|
|
MAC = KMAC256
|
|
Key = 9743DBF93102FAF11227B154B8ACD16CF142671F7AA16C559A393A38B4CEF461ED29A6A328D7379C99718790E38B54CA25E9E831CBEA463EE704D1689F94629AB795DF0C77F756DA743309C0E054596BA2D9CC1768ACF7CD351D9A7EB1ABD0A3
|
|
Input = BA63AC9C711F143CCE7FF92D0322649D1BE437D805FD225C0A2879A008373EC3BCCDB09971FAD2BCE5F4347AF7E5238EF01A90ED34193D6AFC1D
|
|
@@ -519,6 +539,7 @@ Ctrl = xof:1
|
|
|
|
Title = KMAC long customisation string negative test
|
|
|
|
+Availablein = default
|
|
MAC = KMAC128
|
|
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
|
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
|
|
@@ -527,6 +548,7 @@ Result = MAC_INIT_ERROR
|
|
|
|
Title = KMAC output is too large
|
|
|
|
+Availablein = default
|
|
MAC = KMAC256
|
|
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
|
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
|
|
Index: openssl-3.2.3/test/recipes/80-test_cms.t
|
|
===================================================================
|
|
--- openssl-3.2.3.orig/test/recipes/80-test_cms.t
|
|
+++ openssl-3.2.3/test/recipes/80-test_cms.t
|
|
@@ -96,7 +96,7 @@ my @smime_pkcs7_tests = (
|
|
\&final_compare
|
|
],
|
|
|
|
- [ "signed content DER format, DSA key",
|
|
+ [ "signed content DER format, DSA key, no SUSE FIPS",
|
|
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", "-nodetach",
|
|
"-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
|
|
[ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
|
|
@@ -104,7 +104,7 @@ my @smime_pkcs7_tests = (
|
|
\&final_compare
|
|
],
|
|
|
|
- [ "signed detached content DER format, DSA key",
|
|
+ [ "signed detached content DER format, DSA key, no SUSE FIPS",
|
|
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
|
|
"-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
|
|
[ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
|
|
@@ -113,7 +113,7 @@ my @smime_pkcs7_tests = (
|
|
\&final_compare
|
|
],
|
|
|
|
- [ "signed detached content DER format, add RSA signer (with DSA existing)",
|
|
+ [ "signed detached content DER format, add RSA signer (with DSA existing), no SUSE FIPS",
|
|
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
|
|
"-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
|
|
[ "{cmd1}", @prov, "-resign", "-in", "{output}.cms", "-inform", "DER", "-outform", "DER",
|
|
@@ -124,7 +124,7 @@ my @smime_pkcs7_tests = (
|
|
\&final_compare
|
|
],
|
|
|
|
- [ "signed content test streaming BER format, DSA key",
|
|
+ [ "signed content test streaming BER format, DSA key, no SUSE FIPS",
|
|
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
|
|
"-nodetach", "-stream",
|
|
"-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
|
|
@@ -133,7 +133,7 @@ my @smime_pkcs7_tests = (
|
|
\&final_compare
|
|
],
|
|
|
|
- [ "signed content test streaming BER format, 2 DSA and 2 RSA keys",
|
|
+ [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no SUSE FIPS",
|
|
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
|
|
"-nodetach", "-stream",
|
|
"-signer", $smrsa1,
|
|
@@ -146,7 +146,7 @@ my @smime_pkcs7_tests = (
|
|
\&final_compare
|
|
],
|
|
|
|
- [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes",
|
|
+ [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes, no SUSE FIPS",
|
|
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
|
|
"-noattr", "-nodetach", "-stream",
|
|
"-signer", $smrsa1,
|
|
@@ -176,7 +176,7 @@ my @smime_pkcs7_tests = (
|
|
\&zero_compare
|
|
],
|
|
|
|
- [ "signed content test streaming S/MIME format, 2 DSA and 2 RSA keys",
|
|
+ [ "signed content test streaming S/MIME format, 2 DSA and 2 RSA keys, no SUSE FIPS",
|
|
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-nodetach",
|
|
"-signer", $smrsa1,
|
|
"-signer", catfile($smdir, "smrsa2.pem"),
|
|
@@ -188,7 +188,7 @@ my @smime_pkcs7_tests = (
|
|
\&final_compare
|
|
],
|
|
|
|
- [ "signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys",
|
|
+ [ "signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys, no SUSE FIPS",
|
|
[ "{cmd1}", @prov, "-sign", "-in", $smcont,
|
|
"-signer", $smrsa1,
|
|
"-signer", catfile($smdir, "smrsa2.pem"),
|
|
@@ -250,7 +250,7 @@ my @smime_pkcs7_tests = (
|
|
|
|
my @smime_cms_tests = (
|
|
|
|
- [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, keyid",
|
|
+ [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, keyid, no SUSE FIPS",
|
|
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
|
|
"-nodetach", "-keyid",
|
|
"-signer", $smrsa1,
|
|
@@ -263,7 +263,7 @@ my @smime_cms_tests = (
|
|
\&final_compare
|
|
],
|
|
|
|
- [ "signed content test streaming PEM format, 2 DSA and 2 RSA keys",
|
|
+ [ "signed content test streaming PEM format, 2 DSA and 2 RSA keys, no SUSE FIPS",
|
|
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
|
|
"-signer", $smrsa1,
|
|
"-signer", catfile($smdir, "smrsa2.pem"),
|
|
@@ -373,7 +373,7 @@ my @smime_cms_tests = (
|
|
\&final_compare
|
|
],
|
|
|
|
- [ "encrypted content test streaming PEM format, triple DES key",
|
|
+ [ "encrypted content test streaming PEM format, triple DES key, no SUSE FIPS",
|
|
[ "{cmd1}", @prov, "-EncryptedData_encrypt", "-in", $smcont, "-outform", "PEM",
|
|
"-des3", "-secretkey", "000102030405060708090A0B0C0D0E0F1011121314151617",
|
|
"-stream", "-out", "{output}.cms" ],
|
|
Index: openssl-3.2.3/test/recipes/80-test_ssl_old.t
|
|
===================================================================
|
|
--- openssl-3.2.3.orig/test/recipes/80-test_ssl_old.t
|
|
+++ openssl-3.2.3/test/recipes/80-test_ssl_old.t
|
|
@@ -436,7 +436,7 @@ sub testssl {
|
|
my @exkeys = ();
|
|
my $ciphers = '-PSK:-SRP:@SECLEVEL=0';
|
|
|
|
- if (!$no_dsa) {
|
|
+ if (!$no_dsa && $provider ne "fips") {
|
|
push @exkeys, "-s_cert", "certD.ss", "-s_key", $Dkey;
|
|
}
|
|
|