author | Tomas Mraz <tomas@openssl.org> | 2024-04-11 08:57:51 +0200 |
committer | Tomas Mraz <tomas@openssl.org> | 2024-04-19 10:32:27 +0200 |
commit | 52ca56090cb651ffa8ef9b5cd155742ee35117d1 (patch) | |
tree | 8843486beafcc85c5fc0e20e2607d1175f7ce4b4 | |
parent | 4e3c1e6206251c59855362d6d2edab4621c31dec (diff) |
Make X25519 and X448 FIPS unapproved
Partially fixes: #22105
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/24099)
-rw-r--r-- | CHANGES.md | 5 | ||||
-rw-r--r-- | doc/man7/OSSL_PROVIDER-FIPS.pod | 4 | ||||
-rw-r--r-- | providers/fips/fipsprov.c | 8 |
3 files changed, 13 insertions, 4 deletions
diff --git a/CHANGES.md b/CHANGES.md
index a15321dda9..76801ac78c 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -36,6 +36,11 @@ OpenSSL 3.4
 *Stephan Wurm*
+ * The X25519 and X448 key exchange implementation in the FIPS provider
+ is unapproved and has `fips=no` property.
+
+ * Tomas Mraz*
+
 OpenSSL 3.3
 -----------
diff --git a/doc/man7/OSSL_PROVIDER-FIPS.pod b/doc/man7/OSSL_PROVIDER-FIPS.pod
index c1dd603643..6da7a81ea3 100644
--- a/doc/man7/OSSL_PROVIDER-FIPS.pod
+++ b/doc/man7/OSSL_PROVIDER-FIPS.pod
@@ -204,8 +204,12 @@ This is an unapproved algorithm.
 =item X25519, see L<EVP_KEYMGMT-X25519(7)>
+This is an unapproved algorithm.
+
 =item X448, see L<EVP_KEYMGMT-X448(7)>
+This is an unapproved algorithm.
+
 =item ED25519, see L<EVP_KEYMGMT-ED25519(7)>
 This is an unapproved algorithm.
diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c
index 7ec409710b..1f36ce6393 100644
--- a/providers/fips/fipsprov.c
+++ b/providers/fips/fipsprov.c
@@ -410,8 +410,8 @@ static const OSSL_ALGORITHM fips_keyexch[] = {
 #ifndef OPENSSL_NO_EC
 { PROV_NAMES_ECDH, FIPS_DEFAULT_PROPERTIES, ossl_ecdh_keyexch_functions },
 # ifndef OPENSSL_NO_ECX
- { PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keyexch_functions },
- { PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keyexch_functions },
+ { PROV_NAMES_X25519, FIPS_UNAPPROVED_PROPERTIES, ossl_x25519_keyexch_functions },
+ { PROV_NAMES_X448, FIPS_UNAPPROVED_PROPERTIES, ossl_x448_keyexch_functions },
 # endif
 #endif
 { PROV_NAMES_TLS1_PRF, FIPS_DEFAULT_PROPERTIES,
@@ -471,9 +471,9 @@ static const OSSL_ALGORITHM fips_keymgmt[] = {
 { PROV_NAMES_EC, FIPS_DEFAULT_PROPERTIES, ossl_ec_keymgmt_functions,
 PROV_DESCS_EC },
 # ifndef OPENSSL_NO_ECX
- { PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keymgmt_functions,
+ { PROV_NAMES_X25519, FIPS_UNAPPROVED_PROPERTIES, ossl_x25519_keymgmt_functions,
 PROV_DESCS_X25519 },
- { PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keymgmt_functions,
+ { PROV_NAMES_X448, FIPS_UNAPPROVED_PROPERTIES, ossl_x448_keymgmt_functions,
 PROV_DESCS_X448 },
 { PROV_NAMES_ED25519, FIPS_UNAPPROVED_PROPERTIES, ossl_ed25519_keymgmt_functions,
 PROV_DESCS_ED25519 },
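Review bot: The CHANGES.md entry in this commit describes only the X25519/X448 key exchange implementation as unapproved, but this hunk also switches the X25519 and X448 key management entries of fips_keymgmt to FIPS_UNAPPROVED_PROPERTIES, so the release note understates what changed; I would widen it to `The X25519 and X448 key exchange and key management implementations in the FIPS provider are unapproved and have the fips=no property.` Nothing in the table explains why these two entries now differ from the ECDH entry above them, here and in the fips_keyexch hunk, so a comment on the `# ifndef OPENSSL_NO_ECX` line such as `/* X25519/X448 are FIPS-unapproved (#22105); keep in sync with fips_keyexch */` would spare the next reader a git-blame. Since the only effect of the change is the property string, fetches that do not constrain on fips presumably still obtain these algorithms from the FIPS provider, which is worth stating next to the new "This is an unapproved algorithm." lines in OSSL_PROVIDER-FIPS.pod. The fips_keymgmt array continues beyond the end of the hunk.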