From 3a1abccdfc3bb78dd472bbb7ff36313959ef0cdf Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Fri, 7 Mar 2025 18:15:13 -0500
Subject: [PATCH 47/53] FIPS: NO DES support

Signed-off-by: Simo Sorce <simo@redhat.com>
---
 providers/fips/fipsprov.c                           |  3 ++-
 providers/fips/self_test_data.inc                   |  5 ++++-
 test/evp_libctx_test.c                              |  4 +++-
 .../30-test_evp_data/evpciph_des3_common.txt        | 13 ++++---------
 test/recipes/80-test_cms.t                          |  2 +-
 5 files changed, 14 insertions(+), 13 deletions(-)

Index: openssl-3.5.2/providers/fips/fipsprov.c
===================================================================
--- openssl-3.5.2.orig/providers/fips/fipsprov.c
+++ openssl-3.5.2/providers/fips/fipsprov.c
@@ -360,7 +360,8 @@ static const OSSL_ALGORITHM_CAPABLE fips
          ossl_cipher_capable_aes_cbc_hmac_sha256),
     ALGC(PROV_NAMES_AES_256_CBC_HMAC_SHA256, ossl_aes256cbc_hmac_sha256_functions,
          ossl_cipher_capable_aes_cbc_hmac_sha256),
-#ifndef OPENSSL_NO_DES
+/* We don't certify 3DES in our FIPS provider */
+#if 0 /* ifndef OPENSSL_NO_DES */
     ALG(PROV_NAMES_DES_EDE3_ECB, ossl_tdes_ede3_ecb_functions),
     ALG(PROV_NAMES_DES_EDE3_CBC, ossl_tdes_ede3_cbc_functions),
 #endif  /* OPENSSL_NO_DES */
Index: openssl-3.5.2/providers/fips/self_test_data.inc
===================================================================
--- openssl-3.5.2.orig/providers/fips/self_test_data.inc
+++ openssl-3.5.2/providers/fips/self_test_data.inc
@@ -293,6 +293,7 @@ static const ST_KAT_CIPHER st_kat_cipher
         CIPHER_MODE_DECRYPT,
         ITM(aes_128_ecb_key)
     },
+#if 0
 #ifndef OPENSSL_NO_DES
     {
         {
@@ -305,6 +306,7 @@ static const ST_KAT_CIPHER st_kat_cipher
         ITM(tdes_key)
     }
 #endif
+#endif
 };
 
 static const char hkdf_digest[] = "SHA256";
Index: openssl-3.5.2/test/evp_libctx_test.c
===================================================================
--- openssl-3.5.2.orig/test/evp_libctx_test.c
+++ openssl-3.5.2/test/evp_libctx_test.c
@@ -831,7 +831,9 @@ int setup_tests(void)
     ADD_TEST(kem_invalid_keytype);
 #endif
 #ifndef OPENSSL_NO_DES
-    ADD_TEST(test_cipher_tdes_randkey);
+    if (strcmp(prov_name, "fips") != 0) {
+        ADD_TEST(test_cipher_tdes_randkey);
+    }
 #endif
     return 1;
 }
Index: openssl-3.5.2/test/recipes/30-test_evp_data/evpciph_des3_common.txt
===================================================================
--- openssl-3.5.2.orig/test/recipes/30-test_evp_data/evpciph_des3_common.txt
+++ openssl-3.5.2/test/recipes/30-test_evp_data/evpciph_des3_common.txt
@@ -14,7 +14,7 @@
 Title = DES3 Tests
 
 # DES EDE3 CBC tests (from destest)
-FIPSversion = <3.4.0
+Availablein = default
 Cipher = DES-EDE3-CBC
 Key = 0123456789abcdeff1e0d3c2b5a49786fedcba9876543210
 IV = fedcba9876543210
@@ -24,8 +24,7 @@ NextIV = 1c673812cfde9675
 
 # DES EDE3 ECB test
 # FIPS(3.0.0): has a bug in the IV length #17591
-FIPSversion = >3.0.0
-FIPSversion = <3.4.0
+Availablein = default
 Cipher = DES-EDE3-ECB
 Key = 0123456789abcdeff1e0d3c2b5a49786fedcba9876543210
 Plaintext = 37363534333231204E6F77206973207468652074696D6520666F722000000000
@@ -42,7 +41,6 @@ Ciphertext = 4d1332e49f380e23d80a0d8b2ba
 
 # Test that DES3 CBC mode encryption fails because it is not FIPS approved
 Availablein = fips
-FIPSversion = >=3.4.0
 Cipher = DES-EDE3-CBC
 Key = 0123456789abcdeff1e0d3c2b5a49786fedcba9876543210
 IV = fedcba9876543210
@@ -52,7 +50,6 @@ Result = CIPHERINIT_ERROR
 
 # Test that DES3 EBC mode encryption fails because it is not FIPS approved
 Availablein = fips
-FIPSversion = >=3.4.0
 Cipher = DES-EDE3-ECB
 Key = 0123456789abcdeff1e0d3c2b5a49786fedcba9876543210
 Plaintext = 37363534333231204E6F77206973207468652074696D6520666F722000000000
@@ -62,8 +59,7 @@ Result = CIPHERINIT_ERROR
 Title = DES3 FIPS Indicator Tests
 
 # Test that DES3 CBC mode encryption is not FIPS approved
-Availablein = fips
-FIPSversion = >=3.4.0
+Availablein = none
 Cipher = DES-EDE3-CBC
 Unapproved = 1
 CtrlInit = encrypt-check:0
@@ -74,8 +70,7 @@ Plaintext = 37363534333231204E6F77206973
 Ciphertext = 3FE301C962AC01D02213763C1CBD4CDC799657C064ECF5D41C673812CFDE9675
 
 # Test that DES3 ECB mode encryption is not FIPS approved
-Availablein = fips
-FIPSversion = >=3.4.0
+Availablein = none
 Cipher = DES-EDE3-ECB
 Operation = ENCRYPT
 Unapproved = 1
Index: openssl-3.5.2/test/recipes/80-test_cms.t
===================================================================
--- openssl-3.5.2.orig/test/recipes/80-test_cms.t
+++ openssl-3.5.2/test/recipes/80-test_cms.t
@@ -398,7 +398,7 @@ my @smime_cms_tests = (
       \&final_compare
     ],
 
-    [ "encrypted content test streaming PEM format, triple DES key",
+    [ "encrypted content test streaming PEM format, triple DES key, no SUSE FIPS",
       [ "{cmd1}", @defaultprov, "-EncryptedData_encrypt", "-in", $smcont, "-outform", "PEM",
         "-des3", "-secretkey", "000102030405060708090A0B0C0D0E0F1011121314151617",
         "-stream", "-out", "{output}.cms" ],