Update new FIPS indicator evp_tests to use FIPSversion + Availablein options.

Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25267)
2024-11-21 01:15:20 +08:00 · 2024-08-22 14:11:13 +10:00 · 2024-08-22 14:11:13 +10:00 · 32b43b9160
commit 32b43b9160
parent f2a5c80ca4
17 changed files with 79 additions and 0 deletions
--- a/test/recipes/30-test_evp_data/evpciph_des3_common.txt
+++ b/test/recipes/30-test_evp_data/evpciph_des3_common.txt
@ -41,6 +41,7 @@ Ciphertext = 4d1332e49f380e23d80a0d8b2bae5e4e6a0094171abcfc27df2bfd40da9f4e4d
 # DES EDE3 CBC tests (from destest)

 # Test that DES3 CBC mode encryption fails because it is not FIPS approved
+Availablein = fips
 FIPSversion = >=3.4.0
 Cipher = DES-EDE3-CBC
 Key = 0123456789abcdeff1e0d3c2b5a49786fedcba9876543210
@ -50,6 +51,7 @@ Ciphertext = 3FE301C962AC01D02213763C1CBD4CDC799657C064ECF5D41C673812CFDE9675
 Result = CIPHERINIT_ERROR

 # Test that DES3 EBC mode encryption fails because it is not FIPS approved
+Availablein = fips
 FIPSversion = >=3.4.0
 Cipher = DES-EDE3-ECB
 Key = 0123456789abcdeff1e0d3c2b5a49786fedcba9876543210
@ -60,6 +62,7 @@ Result = CIPHERINIT_ERROR
 Title = DES3 FIPS Indicator Tests

 # Test that DES3 CBC mode encryption is not FIPS approved
+Availablein = fips
 FIPSversion = >=3.4.0
 Cipher = DES-EDE3-CBC
 Unapproved = 1
@ -71,6 +74,7 @@ Plaintext = 37363534333231204E6F77206973207468652074696D6520666F722000000000
 Ciphertext = 3FE301C962AC01D02213763C1CBD4CDC799657C064ECF5D41C673812CFDE9675

 # Test that DES3 ECB mode encryption is not FIPS approved
+Availablein = fipss
 FIPSversion = >=3.4.0
 Cipher = DES-EDE3-ECB
 Operation = ENCRYPT
--- a/test/recipes/30-test_evp_data/evpkdf_hkdf.txt
+++ b/test/recipes/30-test_evp_data/evpkdf_hkdf.txt
@ -237,6 +237,7 @@ Reason = xof digests not allowed
 Title = FIPS indicator tests

 # Test that the key whose length is shorter than 112 bits is rejected
+Availablein = fips
 FIPSversion = >=3.4.0
 KDF = HKDF
 Ctrl.digest = digest:SHA1
@ -248,6 +249,7 @@ Reason = invalid key length

 # Test that the key whose length is shorter than 112 bits is reported as
 # unapproved
+Availablein = fips
 FIPSversion = >=3.4.0
 KDF = HKDF
 Unapproved = 1
--- a/test/recipes/30-test_evp_data/evpkdf_kbkdf_counter.txt
+++ b/test/recipes/30-test_evp_data/evpkdf_kbkdf_counter.txt
@ -1858,6 +1858,7 @@ Output = 6db880daac98b078ee389a2164252ded61322d661e2b49247ea921e544675d8f17af2bf

 Title = Negative tests for FIPS minimum key length

+Availablein = fips
 FIPSversion = >=3.4.0
 KDF = KBKDF
 Ctrl.mode = mode:COUNTER
@ -1871,6 +1872,7 @@ Ctrl.hexinfo = hexinfo:56ec
 Result = KDF_CTRL_ERROR
 Reason = invalid key length

+Availablein = fips
 FIPSversion = >=3.4.0
 KDF = KBKDF
 Ctrl.mode = mode:COUNTER
--- a/test/recipes/30-test_evp_data/evpkdf_pbkdf2.txt
+++ b/test/recipes/30-test_evp_data/evpkdf_pbkdf2.txt
@ -207,6 +207,7 @@ Ctrl.iter = iter:1
 Ctrl.digest = digest:sha512
 Output = 00ef42cdbfc98d29db20976608e455567fdddf14

+Availablein = fips
 FIPSversion = <3.4.0
 KDF = PBKDF2
 Ctrl.pkcs5 = pkcs5:1
@ -216,6 +217,7 @@ Ctrl.iter = iter:1
 Ctrl.digest = digest:shake-128
 Result = KDF_DERIVE_ERROR

+Availablein = fips
 FIPSversion = >=3.4.0
 KDF = PBKDF2
 Ctrl.pkcs5 = pkcs5:1
@ -229,6 +231,7 @@ Reason = xof digests not allowed
 Title = FIPS indicator tests

 # Test that operations with unapproved parameters are rejected
+Availablein = fips
 FIPSversion = >=3.4.0
 KDF = PBKDF2
 Ctrl.pass = pass:password
@ -239,6 +242,7 @@ Result = KDF_CTRL_ERROR
 Reason = invalid salt length

 # Test that operations with unapproved parameters are reported as unapproved
+Availablein = fips
 FIPSversion = >=3.4.0
 KDF = PBKDF2
 Unapproved = 1
@ -251,6 +255,7 @@ Output = 4b007901b765489abead49d926f721d065a429c1

 # Test that the operation with approved parameters and unapproved pkcs5 value is
 # reposted as approved
+Availablein = fips
 FIPSversion = >=3.4.0
 KDF = PBKDF2
 Ctrl.pkcs5 = pkcs5:1
--- a/test/recipes/30-test_evp_data/evpkdf_ss.txt
+++ b/test/recipes/30-test_evp_data/evpkdf_ss.txt
@ -1182,6 +1182,7 @@ Title = Secret length < 112 bits is not allowed in FIPS
 Title = FIPS indicator tests

 # Test that the key whose length is shorter than 112 bits is rejected
+Availablein = fips
 FIPSversion = >=3.4.0
 KDF = SSKDF
 Ctrl.digest = digest:SHA1
@ -1214,6 +1215,7 @@ Title = Secret length < 112 is not approved in FIPS

 # Test that the key whose length is shorter than 112 bits is reported as
 # unapproved
+Availablein = fips
 FIPSversion = >=3.4.0
 KDF = SSKDF
 Unapproved = 1
--- a/test/recipes/30-test_evp_data/evpkdf_ssh.txt
+++ b/test/recipes/30-test_evp_data/evpkdf_ssh.txt
@ -4878,6 +4878,7 @@ Ctrl.type = type:A
 Result = KDF_CTRL_ERROR
 Reason = xof digests not allowed

+Availablein = fips
 FIPSversion = <3.4.0
 KDF = SSHKDF
 Ctrl.digest = digest:SHAKE-256
@ -4890,6 +4891,7 @@ Result = KDF_MISMATCH
 Title = FIPS indicator tests

 # Test that the operation with unapproved digest function is rejected
+Availablein = fips
 FIPSversion = >=3.4.0
 KDF = SSHKDF
 Ctrl.digest = digest:SHA512-256
@ -4902,6 +4904,7 @@ Reason = digest not allowed

 # Test that the operation with unapproved digest function is is reported as
 # unapproved
+Availablein = fips
 FIPSversion = >=3.4.0
 KDF = SSHKDF
 Unapproved = 1
@ -4914,6 +4917,7 @@ Ctrl.type = type:A
 Output = d37ea221cbcc026d95e8c10b7d28a1b41e4ec1b497bae0e4cdbc1446e5bd59e2

 # Test that the key whose length is shorter than 112 bits is rejected
+Availablein = fips
 FIPSversion = >=3.4.0
 KDF = SSHKDF
 Ctrl.digest = digest:SHA1
@ -4926,6 +4930,7 @@ Reason = invalid key length

 # Test that the key whose length is shorter than 112 bits is reported as
 # unapproved
+Availablein = fips
 FIPSversion = >=3.4.0
 KDF = SSHKDF
 Unapproved = 1
--- a/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt
+++ b/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt
@ -61,6 +61,7 @@ Result = KDF_DERIVE_ERROR
 Reason = invalid key length

 # FIPS indicator callback test
+Availablein = fips
 FIPSversion = >=3.4.0
 KDF = TLS1-PRF
 Unapproved = 1
@ -85,6 +86,7 @@ Result = KDF_CTRL_ERROR
 Title = FIPS indicator tests

 # Test that the operation with unapproved digest function is rejected
+Availablein = fips
 FIPSversion = >=3.4.0
 KDF = TLS1-PRF
 Ctrl.digest = digest:SHA512-256
@ -97,6 +99,7 @@ Reason = digest not allowed

 # Test that the operation with unapproved digest function is is reported as
 # unapproved
+Availablein = fips
 FIPSversion = >=3.4.0
 KDF = TLS1-PRF
 Unapproved = 1
@ -110,6 +113,7 @@ Output = 17be20a3b4cc05524d7de353b2f125537c23372144111b0367bda166fcfc09cf1c94909


 # Test that the key whose length is shorter than 112 bits is rejected
+Availablein = fips
 FIPSversion = >=3.4.0
 KDF = TLS1-PRF
 Ctrl.digest = digest:SHA256
@ -122,6 +126,7 @@ Reason = invalid key length

 # Test that the key whose length is shorter than 112 bits is reported as
 # unapproved
+Availablein = fips
 FIPSversion = >=3.4.0
 KDF = TLS1-PRF
 Unapproved = 1
--- a/test/recipes/30-test_evp_data/evpkdf_tls13_kdf.txt
+++ b/test/recipes/30-test_evp_data/evpkdf_tls13_kdf.txt
@ -4937,6 +4937,7 @@ Result = KDF_CTRL_ERROR

 Title = TLS13-KDF unsupported XOF test

+Availablein = fips
 FIPSversion = <3.4.0
 KDF = TLS13-KDF
 Ctrl.mode = mode:EXTRACT_ONLY
@ -4944,6 +4945,7 @@ Ctrl.digest = digest:SHAKE-256
 Ctrl.key = hexkey:f8af6aea2d397baf2948a25b2834200692cff17eee9165e4e27babee9edefd05
 Result = KDF_DERIVE_ERROR

+Availablein = fips
 FIPSversion = >=3.4.0
 KDF = TLS13-KDF
 Ctrl.mode = mode:EXTRACT_ONLY
@ -4955,6 +4957,7 @@ Reason = xof digests not allowed
 Title = FIPS indicator tests

 # Test that the operation with unapproved digest function is rejected
+Availablein = fips
 FIPSversion = >=3.4.0
 KDF = TLS13-KDF
 Ctrl.mode = mode:EXTRACT_ONLY
@ -4964,6 +4967,7 @@ Result = KDF_CTRL_ERROR

 # Test that the operation with unapproved digest function is is reported as
 # unapproved
+Availablein = fips
 FIPSversion = >=3.4.0
 KDF = TLS13-KDF
 Unapproved = 1
@ -4975,6 +4979,7 @@ Output = c8240b43113bb8bd211ee97c5145d389e8074f76eeeaac74eb55691062a436e4
 Reason = digest not allowed

 # Test that the key whose length is shorter than 112 bits is rejected
+Availablein = fips
 FIPSversion = >=3.4.0
 KDF = TLS13-KDF
 Ctrl.mode = mode:EXTRACT_ONLY
@ -4983,6 +4988,7 @@ Ctrl.key = hexkey:0102030405060708090a0b
 Result = KDF_CTRL_ERROR
 Reason = invalid key length

+Availablein = fips
 FIPSversion = >=3.4.0
 KDF = TLS13-KDF
 Ctrl.mode = mode:EXPAND_ONLY
@ -4996,6 +5002,7 @@ Reason = invalid key length

 # Test that the key whose length is shorter than 112 bits is reported as
 # unapproved
+Availablein = fips
 FIPSversion = >=3.4.0
 KDF = TLS13-KDF
 Unapproved = 1
@ -5005,6 +5012,7 @@ Ctrl.digest = digest:SHA2-256
 Ctrl.key = hexkey:0102030405060708090a0b
 Output = ac5ae06e0f6bff82f6256f0fc9fb943554752ba0c93f42ee6499b99c9e5c24a8

+Availablein = fips
 FIPSversion = >=3.4.0
 KDF = TLS13-KDF
 Unapproved = 1
--- a/test/recipes/30-test_evp_data/evpkdf_x942.txt
+++ b/test/recipes/30-test_evp_data/evpkdf_x942.txt
@ -98,6 +98,7 @@ Ctrl.hexukm = hexukm:012345
 Output = C2E6A0978C24AF3932F478583ADBFB5F57D491822592EAD3C538875F46EB057A
 Result = KDF_DERIVE_ERROR

+Availablein = fips
 FIPSversion = <3.4.0
 KDF = X942KDF-ASN1
 Ctrl.digest = digest:SHAKE-128
@ -107,6 +108,7 @@ Ctrl.cekalg = cekalg:id-aes128-wrap
 Ctrl.hexacvp-info = hexacvp-info:a020299D468D60BC6A257E0B6523D691A3FC1602453B35F308C762FBBAC6069A88BCa12080D49BFE5BE01C7D56489AB017663C22B8CBB34C3174D1D71F00CB7505AC759Aa2203C21A5EA5988562C007986E0503D039E7231D9F152FE72A231A1FD98C59BCA6Aa320FD47477542989B51E4A0845DFABD6EEAA465F69B3D75349B2520051782C7F3FC
 Result = KDF_DERIVE_ERROR

+Availablein = fips
 FIPSversion = >=3.4.0
 KDF = X942KDF-ASN1
 Ctrl.digest = digest:SHAKE-128
--- a/test/recipes/30-test_evp_data/evpkdf_x963.txt
+++ b/test/recipes/30-test_evp_data/evpkdf_x963.txt
@ -122,6 +122,7 @@ Ctrl.hexinfo = hexinfo:af42f1ae85477ead645583
 Output = 995d1ab8557dfeafcb347f8182583fa0ac5e6cb3912393592590989f38a0214f6cf7d6fbe23917b0966c6a870876de2a2c13a45fa7aa1715be137ed332e1ffc204ce4dcce33ece6dec7f3da61fa049780040e44142cc8a1e5121cf56b386f65b7c261a192f05e5fefae4221a602bc51c41ef175dc45fb7eab8642421b4f7e3e7

 # Test that unsupported XOF is rejected
+Availablein = fips
 FIPSversion = <3.4.0
 KDF = X963KDF
 Ctrl.digest = digest:SHAKE-256
@ -129,6 +130,7 @@ Ctrl.hexsecret = hexsecret:fd17198b89ab39c4ab5d7cca363b82f9fd7e23c3984dc8a2
 Ctrl.hexinfo = hexinfo:856a53f3e36a26bbc5792879f307cce2
 Result = KDF_DERIVE_ERROR

+Availablein = fips
 FIPSversion = >=3.4.0
 KDF = X963KDF
 Ctrl.digest = digest:SHAKE-256
@ -140,6 +142,7 @@ Reason = xof digests not allowed
 Title = FIPS indicator tests

 # Test that the operation with unapproved digest function is rejected
+Availablein = fips
 FIPSversion = >=3.4.0
 KDF = X963KDF
 Ctrl.digest = digest:SHA1
@ -150,6 +153,7 @@ Reason = digest not allowed

 # Test that the operation with unapproved digest function is is reported as
 # unapproved
+Availablein = fips
 FIPSversion = >=3.4.0
 KDF = X963KDF
 Unapproved = 1
@ -160,6 +164,7 @@ Ctrl.hexinfo = hexinfo:856a53f3e36a26bbc5792879f307cce2
 Output = 6e5fad865cb4a51c95209b16df0cc490bc2c9064405c5bccd4ee4832a531fbe7f10cb79e2eab6ab1149fbd5a23cfdabc41242269c9df22f628c4424333855b64e95e2d4fb8469c669f17176c07d103376b10b384ec5763d8b8c610409f19aca8eb31f9d85cc61a8d6d4a03d03e5a506b78d6847e93d295ee548c65afedd2efec

 # Test that the key whose length is shorter than 112 bits is rejected
+Availablein = fips
 FIPSversion = >=3.4.0
 KDF = X963KDF
 Ctrl.digest = digest:SHA224
@ -170,6 +175,7 @@ Reason = invalid key length

 # Test that the key whose length is shorter than 112 bits is reported as
 # unapproved
+Availablein = fips
 FIPSversion = >=3.4.0
 KDF = X963KDF
 Unapproved = 1
--- a/test/recipes/30-test_evp_data/evpmac_cmac_des.txt
+++ b/test/recipes/30-test_evp_data/evpmac_cmac_des.txt
@ -28,6 +28,7 @@ Key = 89BCD952A8C8AB371AF48AC7D07085D5EFF702E6D62CDC23
 Input = FA620C1BBE97319E9A0CF0492121F7A20EB08A6A709DCBD00AAF38E4F99E754E
 Output = 8F49A1B7D6AA2258

+Availablein = fips
 FIPSversion = >=3.4.0
 MAC = CMAC
 Algorithm = DES-EDE3-CBC
@ -35,6 +36,7 @@ Key = 89BCD952A8C8AB371AF48AC7D07085D5EFF702E6D62CDC23
 Input = FA620C1BBE97319E9A0CF0492121F7A20EB08A6A709DCBD00AAF38E4F99E754E
 Result = MAC_INIT_ERROR

+Availablein = fips
 FIPSversion = >=3.4.0
 MAC = CMAC
 Unapproved = 1
--- a/test/recipes/30-test_evp_data/evpmac_common.txt
+++ b/test/recipes/30-test_evp_data/evpmac_common.txt
@ -574,6 +574,7 @@ Reason = invalid output length

 Title = KMAC output is too small in FIPS

+Availablein = fips
 FIPSversion = >=3.4.0
 MAC = KMAC256
 Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
@ -584,6 +585,7 @@ Unapproved = 1
 Ctrl = size:3
 Ctrl = no-short-mac:0

+Availablein = fips
 FIPSversion = >=3.4.0
 MAC = KMAC256
 Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
@ -594,6 +596,7 @@ Ctrl = size:3
 Result = MAC_INIT_ERROR
 Reason = invalid output length

+Availablein = fips
 FIPSversion = >=3.4.0
 MAC = KMAC256
 Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
--- a/test/recipes/30-test_evp_data/evppkey_ecc.txt
+++ b/test/recipes/30-test_evp_data/evppkey_ecc.txt
@ -4546,6 +4546,7 @@ KeyName = ec1
 Ctrl = group:P-256

 # Test KeyGen with a curve with < 112 bits of security fails.
+Availablein = fips
 FIPSversion = >=3.4.0
 KeyGen = ec
 KeyName = ec2
@ -4553,6 +4554,7 @@ Ctrl = group:P-192
 Result = KEYGEN_GENERATE_ERROR

 # Test KeyGen with a curve with < 112 bits of security is not approved
+Availablein = fips
 FIPSversion = >=3.4.0
 KeyGen = ec
 KeyName = ec3
--- a/test/recipes/30-test_evp_data/evppkey_kdf_hkdf.txt
+++ b/test/recipes/30-test_evp_data/evppkey_kdf_hkdf.txt
@ -209,6 +209,7 @@ Reason = xof digests not allowed
 Title = FIPS indicator tests

 # Test that the key whose length is shorter than 112 bits is rejected
+Availablein = fips
 FIPSversion = >=3.4.0
 PKEYKDF = HKDF
 Ctrl.digest = digest:SHA1
@ -220,6 +221,7 @@ Reason = invalid key length

 # Test that the key whose length is shorter than 112 bits is reported as
 # unapproved
+Availablein = fips
 FIPSversion = >=3.4.0
 PKEYKDF = HKDF
 Unapproved = 1
--- a/test/recipes/30-test_evp_data/evppkey_kdf_tls1_prf.txt
+++ b/test/recipes/30-test_evp_data/evppkey_kdf_tls1_prf.txt
@ -82,6 +82,7 @@ Result = KDF_CTRL_ERROR
 Title = FIPS indicator tests

 # Test that the operation with unapproved digest function is rejected
+Availablein = fips
 FIPSversion = >=3.4.0
 PKEYKDF = TLS1-PRF
 Ctrl.digest = digest:SHA512-256
@ -94,6 +95,7 @@ Reason = digest not allowed

 # Test that the operation with unapproved digest function is is reported as
 # unapproved
+Availablein = fips
 FIPSversion = >=3.4.0
 PKEYKDF = TLS1-PRF
 Unapproved = 1
@ -106,6 +108,7 @@ Ctrl.server_random = hexseed:f6c9575ed7ddd73e1f7d16eca115415812a43c2b747daaaae04
 Output = 17be20a3b4cc05524d7de353b2f125537c23372144111b0367bda166fcfc09cf1c94909a408b986f53afbdc41d93ae09

 # Test that the key whose length is shorter than 112 bits is rejected
+Availablein = fips
 FIPSversion = >=3.4.0
 PKEYKDF = TLS1-PRF
 Ctrl.digest = digest:SHA256
@ -118,6 +121,7 @@ Reason = invalid key length

 # Test that the key whose length is shorter than 112 bits is reported as
 # unapproved
+Availablein = fips
 FIPSversion = >=3.4.0
 PKEYKDF = TLS1-PRF
 Unapproved = 1
--- a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
+++ b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
@ -1938,6 +1938,7 @@ Input = "Hello"
 Output = 80382819f51b197c42f9fc02a85198683d918059afc013ae155992442563dd2897008297fecb3a8d8cf9421d493a99bd427a628f17cc4a7c76d23dfad0619f4068403fa7351f6d5a92a631d670c04407f305a4b5cb492295754e73e9b7ad41459826d3619a61e90d4744bdaf0f24f2393ea9241e973600c2ed62b1a0a37c504e

 # Signing with SHA1 is not allowed in fips mode
+Availablein = fips
 FIPSversion = >=3.4.0
 DigestSign = SHA1
 Securitycheck = 1
@ -1947,6 +1948,7 @@ Result = DIGESTSIGNINIT_ERROR
 Reason = invalid digest

 # Signing with a 1024 bit key is not allowed in fips mode
+Availablein = fips
 FIPSversion = >=3.4.0
 DigestSign = SHA256
 Securitycheck = 1
@ -1956,6 +1958,7 @@ Result = DIGESTSIGNINIT_ERROR
 Reason = invalid key length

 # Verifying with a legacy digest in fips mode is not allowed
+Availablein = fips
 FIPSversion = >=3.4.0
 DigestVerify = MD5
 Securitycheck = 1
@ -1965,6 +1968,7 @@ Result = DIGESTVERIFYINIT_ERROR
 Reason = unsupported

 # Verifying with a key smaller than 1024 bits in fips mode is not allowed
+Availablein = fips
 FIPSversion = >=3.4.0
 DigestVerify = SHA256
 Securitycheck = 1
@ -1974,6 +1978,7 @@ Result = DIGESTVERIFYINIT_ERROR
 Reason = invalid key length

 # RSA Signing with X931 is not approved in FIPS 140-3
+Availablein = fips
 FIPSversion = >=3.4.0
 Sign = RSA-2048
 Ctrl = rsa_padding_mode:x931
@ -1988,6 +1993,7 @@ Reason = illegal or unsupported padding mode
 Title = RSA FIPS Indicator tests

 # Decrypt with small RSA key is not permitted in FIPS mode
+Availablein = fips
 FIPSversion = >=3.4.0
 Decrypt = RSA-512
 Securitycheck = 1
@ -1997,6 +2003,7 @@ Input = 550AF55A2904E7B9762352F8FB7FA235
 Result = KEYOP_MISMATCH

 # Signing with SHA1 is not allowed in fips mode
+Availablein = fips
 FIPSversion = >=3.4.0
 DigestSign = SHA1
 Securitycheck = 1
@ -2006,6 +2013,7 @@ Key = RSA-2048
 Input = "Hello"
 Result = SIGNATURE_MISMATCH

+Availablein = fips
 FIPSversion = >=3.4.0
 DigestSign = SHA256
 Securitycheck = 1
@ -2016,6 +2024,7 @@ Input = "Hello"
 Result = SIGNATURE_MISMATCH

 # Verifying with a key smaller than 1024 bits in fips mode is not allowed
+Availablein = fips
 FIPSversion = >=3.4.0
 DigestVerify = SHA256
 Securitycheck = 1
@ -2026,6 +2035,7 @@ Input = "Hello"
 Result = VERIFY_ERROR

 # RSA Signing with X931 is not approved in FIPS 140-3
+Availablein = fips
 FIPSversion = >=3.4.0
 Sign = RSA-2048
 Unapproved = 1
@ -2036,6 +2046,7 @@ Input = "0123456789ABCDEF123456789ABCDEFG"
 Output = 4b75f521e2e6eeda3f2dcb84ebdacbadeab8ffc1ecdf06c7c4e38727e082a8f5e71be66cdee6d14da1d3a0f18ff20914f71b5308363c81e7471688f4f201e82603ea6a7f31da89cd846b30e2893fd956e76b3d23d40f733e0358e3883526158c74577ba43cc664eaeb909818e75b89fc764cf4575517f87251f8d3cf29b1532f33e6183d454bddd6f255d0ca4415d957eb90dbc55d047f48a01c6e68d5ab46327a158ff7a3383b5b0446b8cd4a91b8859abd3285020a1613ef17d3f8562147828bb36be65505eeec77e968d04e172e2851ff1d7ef523b4022deb72d5fbf78db6738d170098586b904d1c369cedb5e3fe1b909a8dd8ac3beb521af2510d044580

 # RSA signing with PSS salt length >= digest length is unapproved
+Availablein = fips
 FIPSversion = >= 3.4.0
 Sign = RSA-PSS
 Ctrl = digest:SHA384
@ -2046,6 +2057,7 @@ Result = KEYOP_ERROR
 Reason = invalid salt length

 # RSA verifying with PSS salt length >= digest length is unapproved
+Availablein = fips
 FIPSversion = >= 3.4.0
 Verify = RSA-PSS
 Ctrl = digest:SHA384
@ -2056,6 +2068,7 @@ Output = 49BA0CA65076271C0FEB69EB5D03E6989238B8F116FEC934F5A1299762E6FE0B6AA8C2B
 Result = VERIFY_ERROR
 Reason = invalid salt length

+Availablein = fips
 FIPSversion = >= 3.4.0
 Verify = RSA-PSS
 Unapproved = 1
@ -2067,6 +2080,7 @@ Input = "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
 Output = 49BA0CA65076271C0FEB69EB5D03E6989238B8F116FEC934F5A1299762E6FE0B6AA8C2B433CA3B11E36D2844265C6B52CD7393FC62A7C6706747BD9454ADE78DE35417D6F6FCE32F1C1D8F40CEF5715BC981AE4B1C94BF8C11E30BC3F19C71BE0FBDED06ECA5FCAC372688A9E821785B9ABA9705D76A1F74A092ACFEF30B018387771031554C43D3C49317C289EC570C603A6356E2FC1FB824F0505029750BC9028B342C27CD8F01C811C0172EFA807218C4657ACA5AA81A2BB1B0C4D63BE32C08BEF11C6E19C565D03246EE021B9293AB3FE33A8946F8EAAAE353E66FA3BB170FDADB7431FFAD4C92623148395FC6F6601495D6FF83E67B20BDDAD082C149E8

 # RSA verifying with PSS salt length "digest" is approved
+Availablein = fips
 FIPSversion = >= 3.4.0
 Verify = RSA-PSS
 Ctrl = digest:SHA384
@ -2076,6 +2090,7 @@ Input = "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
 Output = C7280C47D9E2E7468157776CA84F52485F771D961674BF88B64FE3476A193494BCCD7139C204C557EA2FD69BC986EA2AA0416B7CA0C95C442EEAEA1AD5E8F8CE8B248AACDBEDAAA0FF2486F2B10F7F310D63969258BDC6E4D1EAEA5F45E5EB00A328BE70424DC2676EE3679D65F5AEA7A7057FDDE1EE24DFF2BEF63206466D9B6BB440C818683797EAF26D9273CC1A9CDCEDB9A90023BCB35A1DA66288741C5728EEFA681AA8384521B6067E9C7502A005814979BAA71074FAF7D08F61B38F2812B4F5DB889BE2CA19B9D9B32E3463544D35F36F5116527A573AE245878F42E3E7AACC99AA5B18A3E89002779DCD3CF15B5942D31D0E0FF2753C58D046F864F5

 # RSA signing with PSS salt length "max" is unapproved
+Availablein = fips
 FIPSversion = >= 3.4.0
 Sign = RSA-PSS
 Ctrl = digest:SHA384
@ -2086,6 +2101,7 @@ Result = KEYOP_ERROR
 Reason = invalid salt length

 # RSA verifying with PSS salt length "max" is unapproved
+Availablein = fips
 FIPSversion = >= 3.4.0
 Verify = RSA-PSS
 Ctrl = digest:SHA384
@ -2097,6 +2113,7 @@ Result = VERIFY_ERROR
 Reason = invalid salt length

 FIPSversion = >= 3.4.0
+Availablein = fips
 Verify = RSA-PSS
 Unapproved = 1
 CtrlInit = rsa-pss-saltlen-check:0
@ -2107,6 +2124,7 @@ Input = "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
 Output = 8424963AB8323443EC617FCB698B583A831303EB97C24C35EFAD6800D32BF74E2E1ACDA367FAD902EE852B1408602A8903E6D90C08F841215C130421E634BCDC798DD12A3E444B4237DE9497D2DD43794D7D04727B4E11C48E6F6BDA03A0117893ABBF3B00EC954AED35904AECA4B6E6020F860C8AE40B17FBBA7E2AB7BFC62E04AC9FBD8CABB03EEA68A12EDB417F13F24084AA5440C206886B86EDA4ADD29CE5DA07701FCC53CE5D77F03E711C8B1DD38763414022A88887813F7F31BA733CCAB124CFA03455C4850514231C9294BC68AD04E917E0F7675B53457A30EC1793D3D117A94D3B9DD60346EEB7027F79BF93AE62A297C261F36969CE2F797BB9B9

 # RSA signing with PSS salt length "auto" is unapproved
+Availablein = fips
 FIPSversion = >= 3.4.0
 Sign = RSA-PSS
 Ctrl = digest:SHA384
@ -2117,6 +2135,7 @@ Result = KEYOP_ERROR
 Reason = invalid salt length

 # RSA verifying with PSS salt length "auto" is unapproved
+Availablein = fips
 FIPSversion = >= 3.4.0
 Verify = RSA-PSS
 Ctrl = digest:SHA384
@ -2127,6 +2146,7 @@ Output = 4B3602F5E515B82573F0A19E244E8D2B6ED6A7E3066891B65E13D1EDAE535ECD0E59830
 Result = VERIFY_ERROR
 Reason = invalid salt length

+Availablein = fips
 FIPSversion = >= 3.4.0
 Verify = RSA-PSS
 Unapproved = 1
@ -2138,6 +2158,7 @@ Input = "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
 Output = 4B3602F5E515B82573F0A19E244E8D2B6ED6A7E3066891B65E13D1EDAE535ECD0E59830B190322D357D6199E29C94DB6FFF2EEDB3B8BA57E81062AF963C9C392DC17343873EE7D572C059BAD5B6E4AD09EE50FC69C6FFE22353B95EA80B420E5C85BA86423ECF610F61887D2F02839B28B271B3FA98420D8630EF94E36015A1383C45EB4CA2CA7FCDCDBCF7722DB84AA303F333DF38ED1C92466CB139F8C7D5D7D7B393574951F2DB071579F7170A72934F29AD3EFB403A57AC8A6449742E240DB32C3505293942CAAF1785F886B561075DACB546BBA76FC4C1D8DD8241BC452A3A8B2510D136A2563B242FBF15D7ED3BA08A2C3F45CDE795C94B891F98A8E4F

 # RSA verifying with PSS salt length "auto-digestmax" and a signature whose salt length is compliant to FIPS standard is approved
+Availablein = fips
 FIPSversion = >= 3.4.0
 Verify = RSA-PSS
 Ctrl = digest:SHA384
@ -2147,6 +2168,7 @@ Input = "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
 Output = A3D8F40E767B72EED6B9DEA1D717F6A2792001B6BFAD28B54989C668FD65010BD07C90CBFDE139AEE41731A58BF2E895754AA61D3BD9AEF3D6307316EE5792075C22E4DC1DF1377242C258557281C089DF6996148342F3D259DF67A7D67D47EE222F0D14AD6292A6C8D4461AB9E24D27D8BDD35CE9CCC755B7BBCD8D3BEE779C97745A577B6B5634DBCB68A573423089BA93407A96CA07A235C90DA233AC76B290B0475812999531A90BC08F6947F15894232125F1EA35070FADCAB94AF11B149A7B76B0D74C0799DABBA027069DFA8AB56BDC1247F25016C631A18322F9F2B071405991A3618B42EBB05CE215DF93ADC3C14DB87466ED9A6B61605B32686DBB

 # RSA verifying with PSS salt length "auto-digestmax" and a signature whose salt length is not compliant to FIPS standard is unapproved
+Availablein = fips
 FIPSversion = >= 3.4.0
 Verify = RSA-PSS
 Ctrl = digest:SHA384
@ -2157,6 +2179,7 @@ Output = 49BA0CA65076271C0FEB69EB5D03E6989238B8F116FEC934F5A1299762E6FE0B6AA8C2B
 Result = VERIFY_ERROR
 Reason = invalid salt length

+Availablein = fips
 FIPSversion = >= 3.4.0
 Verify = RSA-PSS
 Unapproved = 1
--- a/test/recipes/30-test_evp_data/evprand.txt
+++ b/test/recipes/30-test_evp_data/evprand.txt
@ -79807,6 +79807,7 @@ Output.0 = 5af6
 Result = EVP_RAND_CTX_set_params
 Reason = digest not allowed

+Availablein = fips
 FIPSversion = >=3.4.0
 RAND = HASH-DRBG
 Unapproved = 1
@ -79830,6 +79831,7 @@ Output.0 = ee9f
 Result = EVP_RAND_CTX_set_params
 Reason = digest not allowed

+Availablein = fips
 FIPSversion = >=3.4.0
 RAND = HMAC-DRBG
 Unapproved = 1