From 32b43b9160cfcbb2940a0666869a680db827b892 Mon Sep 17 00:00:00 2001 From: slontis Date: Thu, 22 Aug 2024 14:11:13 +1000 Subject: [PATCH] Update new FIPS indicator evp_tests to use FIPSversion + Availablein options. Reviewed-by: Neil Horman Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/25267) --- .../30-test_evp_data/evpciph_des3_common.txt | 4 ++++ test/recipes/30-test_evp_data/evpkdf_hkdf.txt | 2 ++ .../30-test_evp_data/evpkdf_kbkdf_counter.txt | 2 ++ .../30-test_evp_data/evpkdf_pbkdf2.txt | 5 ++++ test/recipes/30-test_evp_data/evpkdf_ss.txt | 2 ++ test/recipes/30-test_evp_data/evpkdf_ssh.txt | 5 ++++ .../30-test_evp_data/evpkdf_tls12_prf.txt | 5 ++++ .../30-test_evp_data/evpkdf_tls13_kdf.txt | 8 +++++++ test/recipes/30-test_evp_data/evpkdf_x942.txt | 2 ++ test/recipes/30-test_evp_data/evpkdf_x963.txt | 6 +++++ .../30-test_evp_data/evpmac_cmac_des.txt | 2 ++ .../30-test_evp_data/evpmac_common.txt | 3 +++ test/recipes/30-test_evp_data/evppkey_ecc.txt | 2 ++ .../30-test_evp_data/evppkey_kdf_hkdf.txt | 2 ++ .../30-test_evp_data/evppkey_kdf_tls1_prf.txt | 4 ++++ .../30-test_evp_data/evppkey_rsa_common.txt | 23 +++++++++++++++++++ test/recipes/30-test_evp_data/evprand.txt | 2 ++ 17 files changed, 79 insertions(+) diff --git a/test/recipes/30-test_evp_data/evpciph_des3_common.txt b/test/recipes/30-test_evp_data/evpciph_des3_common.txt index fa4c4f06a6..326f9a2c9f 100644 --- a/test/recipes/30-test_evp_data/evpciph_des3_common.txt +++ b/test/recipes/30-test_evp_data/evpciph_des3_common.txt @@ -41,6 +41,7 @@ Ciphertext = 4d1332e49f380e23d80a0d8b2bae5e4e6a0094171abcfc27df2bfd40da9f4e4d # DES EDE3 CBC tests (from destest) # Test that DES3 CBC mode encryption fails because it is not FIPS approved +Availablein = fips FIPSversion = >=3.4.0 Cipher = DES-EDE3-CBC Key = 0123456789abcdeff1e0d3c2b5a49786fedcba9876543210 @@ -50,6 +51,7 @@ Ciphertext = 3FE301C962AC01D02213763C1CBD4CDC799657C064ECF5D41C673812CFDE9675 Result = CIPHERINIT_ERROR # Test that DES3 EBC mode encryption fails because it is not FIPS approved +Availablein = fips FIPSversion = >=3.4.0 Cipher = DES-EDE3-ECB Key = 0123456789abcdeff1e0d3c2b5a49786fedcba9876543210 @@ -60,6 +62,7 @@ Result = CIPHERINIT_ERROR Title = DES3 FIPS Indicator Tests # Test that DES3 CBC mode encryption is not FIPS approved +Availablein = fips FIPSversion = >=3.4.0 Cipher = DES-EDE3-CBC Unapproved = 1 @@ -71,6 +74,7 @@ Plaintext = 37363534333231204E6F77206973207468652074696D6520666F722000000000 Ciphertext = 3FE301C962AC01D02213763C1CBD4CDC799657C064ECF5D41C673812CFDE9675 # Test that DES3 ECB mode encryption is not FIPS approved +Availablein = fipss FIPSversion = >=3.4.0 Cipher = DES-EDE3-ECB Operation = ENCRYPT diff --git a/test/recipes/30-test_evp_data/evpkdf_hkdf.txt b/test/recipes/30-test_evp_data/evpkdf_hkdf.txt index 44f7cece04..34ca269934 100644 --- a/test/recipes/30-test_evp_data/evpkdf_hkdf.txt +++ b/test/recipes/30-test_evp_data/evpkdf_hkdf.txt @@ -237,6 +237,7 @@ Reason = xof digests not allowed Title = FIPS indicator tests # Test that the key whose length is shorter than 112 bits is rejected +Availablein = fips FIPSversion = >=3.4.0 KDF = HKDF Ctrl.digest = digest:SHA1 @@ -248,6 +249,7 @@ Reason = invalid key length # Test that the key whose length is shorter than 112 bits is reported as # unapproved +Availablein = fips FIPSversion = >=3.4.0 KDF = HKDF Unapproved = 1 diff --git a/test/recipes/30-test_evp_data/evpkdf_kbkdf_counter.txt b/test/recipes/30-test_evp_data/evpkdf_kbkdf_counter.txt index cc01454c8b..e41c3ca943 100644 --- a/test/recipes/30-test_evp_data/evpkdf_kbkdf_counter.txt +++ b/test/recipes/30-test_evp_data/evpkdf_kbkdf_counter.txt @@ -1858,6 +1858,7 @@ Output = 6db880daac98b078ee389a2164252ded61322d661e2b49247ea921e544675d8f17af2bf Title = Negative tests for FIPS minimum key length +Availablein = fips FIPSversion = >=3.4.0 KDF = KBKDF Ctrl.mode = mode:COUNTER @@ -1871,6 +1872,7 @@ Ctrl.hexinfo = hexinfo:56ec Result = KDF_CTRL_ERROR Reason = invalid key length +Availablein = fips FIPSversion = >=3.4.0 KDF = KBKDF Ctrl.mode = mode:COUNTER diff --git a/test/recipes/30-test_evp_data/evpkdf_pbkdf2.txt b/test/recipes/30-test_evp_data/evpkdf_pbkdf2.txt index e01b47fbaa..bc7d869c84 100644 --- a/test/recipes/30-test_evp_data/evpkdf_pbkdf2.txt +++ b/test/recipes/30-test_evp_data/evpkdf_pbkdf2.txt @@ -207,6 +207,7 @@ Ctrl.iter = iter:1 Ctrl.digest = digest:sha512 Output = 00ef42cdbfc98d29db20976608e455567fdddf14 +Availablein = fips FIPSversion = <3.4.0 KDF = PBKDF2 Ctrl.pkcs5 = pkcs5:1 @@ -216,6 +217,7 @@ Ctrl.iter = iter:1 Ctrl.digest = digest:shake-128 Result = KDF_DERIVE_ERROR +Availablein = fips FIPSversion = >=3.4.0 KDF = PBKDF2 Ctrl.pkcs5 = pkcs5:1 @@ -229,6 +231,7 @@ Reason = xof digests not allowed Title = FIPS indicator tests # Test that operations with unapproved parameters are rejected +Availablein = fips FIPSversion = >=3.4.0 KDF = PBKDF2 Ctrl.pass = pass:password @@ -239,6 +242,7 @@ Result = KDF_CTRL_ERROR Reason = invalid salt length # Test that operations with unapproved parameters are reported as unapproved +Availablein = fips FIPSversion = >=3.4.0 KDF = PBKDF2 Unapproved = 1 @@ -251,6 +255,7 @@ Output = 4b007901b765489abead49d926f721d065a429c1 # Test that the operation with approved parameters and unapproved pkcs5 value is # reposted as approved +Availablein = fips FIPSversion = >=3.4.0 KDF = PBKDF2 Ctrl.pkcs5 = pkcs5:1 diff --git a/test/recipes/30-test_evp_data/evpkdf_ss.txt b/test/recipes/30-test_evp_data/evpkdf_ss.txt index eb94707a8a..1a87f37ad9 100644 --- a/test/recipes/30-test_evp_data/evpkdf_ss.txt +++ b/test/recipes/30-test_evp_data/evpkdf_ss.txt @@ -1182,6 +1182,7 @@ Title = Secret length < 112 bits is not allowed in FIPS Title = FIPS indicator tests # Test that the key whose length is shorter than 112 bits is rejected +Availablein = fips FIPSversion = >=3.4.0 KDF = SSKDF Ctrl.digest = digest:SHA1 @@ -1214,6 +1215,7 @@ Title = Secret length < 112 is not approved in FIPS # Test that the key whose length is shorter than 112 bits is reported as # unapproved +Availablein = fips FIPSversion = >=3.4.0 KDF = SSKDF Unapproved = 1 diff --git a/test/recipes/30-test_evp_data/evpkdf_ssh.txt b/test/recipes/30-test_evp_data/evpkdf_ssh.txt index 71a000df6f..e4bfefc2bf 100644 --- a/test/recipes/30-test_evp_data/evpkdf_ssh.txt +++ b/test/recipes/30-test_evp_data/evpkdf_ssh.txt @@ -4878,6 +4878,7 @@ Ctrl.type = type:A Result = KDF_CTRL_ERROR Reason = xof digests not allowed +Availablein = fips FIPSversion = <3.4.0 KDF = SSHKDF Ctrl.digest = digest:SHAKE-256 @@ -4890,6 +4891,7 @@ Result = KDF_MISMATCH Title = FIPS indicator tests # Test that the operation with unapproved digest function is rejected +Availablein = fips FIPSversion = >=3.4.0 KDF = SSHKDF Ctrl.digest = digest:SHA512-256 @@ -4902,6 +4904,7 @@ Reason = digest not allowed # Test that the operation with unapproved digest function is is reported as # unapproved +Availablein = fips FIPSversion = >=3.4.0 KDF = SSHKDF Unapproved = 1 @@ -4914,6 +4917,7 @@ Ctrl.type = type:A Output = d37ea221cbcc026d95e8c10b7d28a1b41e4ec1b497bae0e4cdbc1446e5bd59e2 # Test that the key whose length is shorter than 112 bits is rejected +Availablein = fips FIPSversion = >=3.4.0 KDF = SSHKDF Ctrl.digest = digest:SHA1 @@ -4926,6 +4930,7 @@ Reason = invalid key length # Test that the key whose length is shorter than 112 bits is reported as # unapproved +Availablein = fips FIPSversion = >=3.4.0 KDF = SSHKDF Unapproved = 1 diff --git a/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt b/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt index fa452ee394..5ddd0e15aa 100644 --- a/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt +++ b/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt @@ -61,6 +61,7 @@ Result = KDF_DERIVE_ERROR Reason = invalid key length # FIPS indicator callback test +Availablein = fips FIPSversion = >=3.4.0 KDF = TLS1-PRF Unapproved = 1 @@ -85,6 +86,7 @@ Result = KDF_CTRL_ERROR Title = FIPS indicator tests # Test that the operation with unapproved digest function is rejected +Availablein = fips FIPSversion = >=3.4.0 KDF = TLS1-PRF Ctrl.digest = digest:SHA512-256 @@ -97,6 +99,7 @@ Reason = digest not allowed # Test that the operation with unapproved digest function is is reported as # unapproved +Availablein = fips FIPSversion = >=3.4.0 KDF = TLS1-PRF Unapproved = 1 @@ -110,6 +113,7 @@ Output = 17be20a3b4cc05524d7de353b2f125537c23372144111b0367bda166fcfc09cf1c94909 # Test that the key whose length is shorter than 112 bits is rejected +Availablein = fips FIPSversion = >=3.4.0 KDF = TLS1-PRF Ctrl.digest = digest:SHA256 @@ -122,6 +126,7 @@ Reason = invalid key length # Test that the key whose length is shorter than 112 bits is reported as # unapproved +Availablein = fips FIPSversion = >=3.4.0 KDF = TLS1-PRF Unapproved = 1 diff --git a/test/recipes/30-test_evp_data/evpkdf_tls13_kdf.txt b/test/recipes/30-test_evp_data/evpkdf_tls13_kdf.txt index e27e478c09..1f144ad549 100644 --- a/test/recipes/30-test_evp_data/evpkdf_tls13_kdf.txt +++ b/test/recipes/30-test_evp_data/evpkdf_tls13_kdf.txt @@ -4937,6 +4937,7 @@ Result = KDF_CTRL_ERROR Title = TLS13-KDF unsupported XOF test +Availablein = fips FIPSversion = <3.4.0 KDF = TLS13-KDF Ctrl.mode = mode:EXTRACT_ONLY @@ -4944,6 +4945,7 @@ Ctrl.digest = digest:SHAKE-256 Ctrl.key = hexkey:f8af6aea2d397baf2948a25b2834200692cff17eee9165e4e27babee9edefd05 Result = KDF_DERIVE_ERROR +Availablein = fips FIPSversion = >=3.4.0 KDF = TLS13-KDF Ctrl.mode = mode:EXTRACT_ONLY @@ -4955,6 +4957,7 @@ Reason = xof digests not allowed Title = FIPS indicator tests # Test that the operation with unapproved digest function is rejected +Availablein = fips FIPSversion = >=3.4.0 KDF = TLS13-KDF Ctrl.mode = mode:EXTRACT_ONLY @@ -4964,6 +4967,7 @@ Result = KDF_CTRL_ERROR # Test that the operation with unapproved digest function is is reported as # unapproved +Availablein = fips FIPSversion = >=3.4.0 KDF = TLS13-KDF Unapproved = 1 @@ -4975,6 +4979,7 @@ Output = c8240b43113bb8bd211ee97c5145d389e8074f76eeeaac74eb55691062a436e4 Reason = digest not allowed # Test that the key whose length is shorter than 112 bits is rejected +Availablein = fips FIPSversion = >=3.4.0 KDF = TLS13-KDF Ctrl.mode = mode:EXTRACT_ONLY @@ -4983,6 +4988,7 @@ Ctrl.key = hexkey:0102030405060708090a0b Result = KDF_CTRL_ERROR Reason = invalid key length +Availablein = fips FIPSversion = >=3.4.0 KDF = TLS13-KDF Ctrl.mode = mode:EXPAND_ONLY @@ -4996,6 +5002,7 @@ Reason = invalid key length # Test that the key whose length is shorter than 112 bits is reported as # unapproved +Availablein = fips FIPSversion = >=3.4.0 KDF = TLS13-KDF Unapproved = 1 @@ -5005,6 +5012,7 @@ Ctrl.digest = digest:SHA2-256 Ctrl.key = hexkey:0102030405060708090a0b Output = ac5ae06e0f6bff82f6256f0fc9fb943554752ba0c93f42ee6499b99c9e5c24a8 +Availablein = fips FIPSversion = >=3.4.0 KDF = TLS13-KDF Unapproved = 1 diff --git a/test/recipes/30-test_evp_data/evpkdf_x942.txt b/test/recipes/30-test_evp_data/evpkdf_x942.txt index aaba52f19f..0d7a34403c 100644 --- a/test/recipes/30-test_evp_data/evpkdf_x942.txt +++ b/test/recipes/30-test_evp_data/evpkdf_x942.txt @@ -98,6 +98,7 @@ Ctrl.hexukm = hexukm:012345 Output = C2E6A0978C24AF3932F478583ADBFB5F57D491822592EAD3C538875F46EB057A Result = KDF_DERIVE_ERROR +Availablein = fips FIPSversion = <3.4.0 KDF = X942KDF-ASN1 Ctrl.digest = digest:SHAKE-128 @@ -107,6 +108,7 @@ Ctrl.cekalg = cekalg:id-aes128-wrap Ctrl.hexacvp-info = hexacvp-info:a020299D468D60BC6A257E0B6523D691A3FC1602453B35F308C762FBBAC6069A88BCa12080D49BFE5BE01C7D56489AB017663C22B8CBB34C3174D1D71F00CB7505AC759Aa2203C21A5EA5988562C007986E0503D039E7231D9F152FE72A231A1FD98C59BCA6Aa320FD47477542989B51E4A0845DFABD6EEAA465F69B3D75349B2520051782C7F3FC Result = KDF_DERIVE_ERROR +Availablein = fips FIPSversion = >=3.4.0 KDF = X942KDF-ASN1 Ctrl.digest = digest:SHAKE-128 diff --git a/test/recipes/30-test_evp_data/evpkdf_x963.txt b/test/recipes/30-test_evp_data/evpkdf_x963.txt index c6e76f3a3e..8ed70e712e 100644 --- a/test/recipes/30-test_evp_data/evpkdf_x963.txt +++ b/test/recipes/30-test_evp_data/evpkdf_x963.txt @@ -122,6 +122,7 @@ Ctrl.hexinfo = hexinfo:af42f1ae85477ead645583 Output = 995d1ab8557dfeafcb347f8182583fa0ac5e6cb3912393592590989f38a0214f6cf7d6fbe23917b0966c6a870876de2a2c13a45fa7aa1715be137ed332e1ffc204ce4dcce33ece6dec7f3da61fa049780040e44142cc8a1e5121cf56b386f65b7c261a192f05e5fefae4221a602bc51c41ef175dc45fb7eab8642421b4f7e3e7 # Test that unsupported XOF is rejected +Availablein = fips FIPSversion = <3.4.0 KDF = X963KDF Ctrl.digest = digest:SHAKE-256 @@ -129,6 +130,7 @@ Ctrl.hexsecret = hexsecret:fd17198b89ab39c4ab5d7cca363b82f9fd7e23c3984dc8a2 Ctrl.hexinfo = hexinfo:856a53f3e36a26bbc5792879f307cce2 Result = KDF_DERIVE_ERROR +Availablein = fips FIPSversion = >=3.4.0 KDF = X963KDF Ctrl.digest = digest:SHAKE-256 @@ -140,6 +142,7 @@ Reason = xof digests not allowed Title = FIPS indicator tests # Test that the operation with unapproved digest function is rejected +Availablein = fips FIPSversion = >=3.4.0 KDF = X963KDF Ctrl.digest = digest:SHA1 @@ -150,6 +153,7 @@ Reason = digest not allowed # Test that the operation with unapproved digest function is is reported as # unapproved +Availablein = fips FIPSversion = >=3.4.0 KDF = X963KDF Unapproved = 1 @@ -160,6 +164,7 @@ Ctrl.hexinfo = hexinfo:856a53f3e36a26bbc5792879f307cce2 Output = 6e5fad865cb4a51c95209b16df0cc490bc2c9064405c5bccd4ee4832a531fbe7f10cb79e2eab6ab1149fbd5a23cfdabc41242269c9df22f628c4424333855b64e95e2d4fb8469c669f17176c07d103376b10b384ec5763d8b8c610409f19aca8eb31f9d85cc61a8d6d4a03d03e5a506b78d6847e93d295ee548c65afedd2efec # Test that the key whose length is shorter than 112 bits is rejected +Availablein = fips FIPSversion = >=3.4.0 KDF = X963KDF Ctrl.digest = digest:SHA224 @@ -170,6 +175,7 @@ Reason = invalid key length # Test that the key whose length is shorter than 112 bits is reported as # unapproved +Availablein = fips FIPSversion = >=3.4.0 KDF = X963KDF Unapproved = 1 diff --git a/test/recipes/30-test_evp_data/evpmac_cmac_des.txt b/test/recipes/30-test_evp_data/evpmac_cmac_des.txt index 14169c45b4..e8b5aaab6b 100644 --- a/test/recipes/30-test_evp_data/evpmac_cmac_des.txt +++ b/test/recipes/30-test_evp_data/evpmac_cmac_des.txt @@ -28,6 +28,7 @@ Key = 89BCD952A8C8AB371AF48AC7D07085D5EFF702E6D62CDC23 Input = FA620C1BBE97319E9A0CF0492121F7A20EB08A6A709DCBD00AAF38E4F99E754E Output = 8F49A1B7D6AA2258 +Availablein = fips FIPSversion = >=3.4.0 MAC = CMAC Algorithm = DES-EDE3-CBC @@ -35,6 +36,7 @@ Key = 89BCD952A8C8AB371AF48AC7D07085D5EFF702E6D62CDC23 Input = FA620C1BBE97319E9A0CF0492121F7A20EB08A6A709DCBD00AAF38E4F99E754E Result = MAC_INIT_ERROR +Availablein = fips FIPSversion = >=3.4.0 MAC = CMAC Unapproved = 1 diff --git a/test/recipes/30-test_evp_data/evpmac_common.txt b/test/recipes/30-test_evp_data/evpmac_common.txt index ff18d2e033..8cd03aa6b5 100644 --- a/test/recipes/30-test_evp_data/evpmac_common.txt +++ b/test/recipes/30-test_evp_data/evpmac_common.txt @@ -574,6 +574,7 @@ Reason = invalid output length Title = KMAC output is too small in FIPS +Availablein = fips FIPSversion = >=3.4.0 MAC = KMAC256 Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F @@ -584,6 +585,7 @@ Unapproved = 1 Ctrl = size:3 Ctrl = no-short-mac:0 +Availablein = fips FIPSversion = >=3.4.0 MAC = KMAC256 Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F @@ -594,6 +596,7 @@ Ctrl = size:3 Result = MAC_INIT_ERROR Reason = invalid output length +Availablein = fips FIPSversion = >=3.4.0 MAC = KMAC256 Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F diff --git a/test/recipes/30-test_evp_data/evppkey_ecc.txt b/test/recipes/30-test_evp_data/evppkey_ecc.txt index b450a974e5..16b9a1b022 100644 --- a/test/recipes/30-test_evp_data/evppkey_ecc.txt +++ b/test/recipes/30-test_evp_data/evppkey_ecc.txt @@ -4546,6 +4546,7 @@ KeyName = ec1 Ctrl = group:P-256 # Test KeyGen with a curve with < 112 bits of security fails. +Availablein = fips FIPSversion = >=3.4.0 KeyGen = ec KeyName = ec2 @@ -4553,6 +4554,7 @@ Ctrl = group:P-192 Result = KEYGEN_GENERATE_ERROR # Test KeyGen with a curve with < 112 bits of security is not approved +Availablein = fips FIPSversion = >=3.4.0 KeyGen = ec KeyName = ec3 diff --git a/test/recipes/30-test_evp_data/evppkey_kdf_hkdf.txt b/test/recipes/30-test_evp_data/evppkey_kdf_hkdf.txt index 2f573c3708..d9d4884515 100644 --- a/test/recipes/30-test_evp_data/evppkey_kdf_hkdf.txt +++ b/test/recipes/30-test_evp_data/evppkey_kdf_hkdf.txt @@ -209,6 +209,7 @@ Reason = xof digests not allowed Title = FIPS indicator tests # Test that the key whose length is shorter than 112 bits is rejected +Availablein = fips FIPSversion = >=3.4.0 PKEYKDF = HKDF Ctrl.digest = digest:SHA1 @@ -220,6 +221,7 @@ Reason = invalid key length # Test that the key whose length is shorter than 112 bits is reported as # unapproved +Availablein = fips FIPSversion = >=3.4.0 PKEYKDF = HKDF Unapproved = 1 diff --git a/test/recipes/30-test_evp_data/evppkey_kdf_tls1_prf.txt b/test/recipes/30-test_evp_data/evppkey_kdf_tls1_prf.txt index 4483bb79b0..958742ec9c 100644 --- a/test/recipes/30-test_evp_data/evppkey_kdf_tls1_prf.txt +++ b/test/recipes/30-test_evp_data/evppkey_kdf_tls1_prf.txt @@ -82,6 +82,7 @@ Result = KDF_CTRL_ERROR Title = FIPS indicator tests # Test that the operation with unapproved digest function is rejected +Availablein = fips FIPSversion = >=3.4.0 PKEYKDF = TLS1-PRF Ctrl.digest = digest:SHA512-256 @@ -94,6 +95,7 @@ Reason = digest not allowed # Test that the operation with unapproved digest function is is reported as # unapproved +Availablein = fips FIPSversion = >=3.4.0 PKEYKDF = TLS1-PRF Unapproved = 1 @@ -106,6 +108,7 @@ Ctrl.server_random = hexseed:f6c9575ed7ddd73e1f7d16eca115415812a43c2b747daaaae04 Output = 17be20a3b4cc05524d7de353b2f125537c23372144111b0367bda166fcfc09cf1c94909a408b986f53afbdc41d93ae09 # Test that the key whose length is shorter than 112 bits is rejected +Availablein = fips FIPSversion = >=3.4.0 PKEYKDF = TLS1-PRF Ctrl.digest = digest:SHA256 @@ -118,6 +121,7 @@ Reason = invalid key length # Test that the key whose length is shorter than 112 bits is reported as # unapproved +Availablein = fips FIPSversion = >=3.4.0 PKEYKDF = TLS1-PRF Unapproved = 1 diff --git a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt index 10a305dd02..bd11517161 100644 --- a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt +++ b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt @@ -1938,6 +1938,7 @@ Input = "Hello" Output = 80382819f51b197c42f9fc02a85198683d918059afc013ae155992442563dd2897008297fecb3a8d8cf9421d493a99bd427a628f17cc4a7c76d23dfad0619f4068403fa7351f6d5a92a631d670c04407f305a4b5cb492295754e73e9b7ad41459826d3619a61e90d4744bdaf0f24f2393ea9241e973600c2ed62b1a0a37c504e # Signing with SHA1 is not allowed in fips mode +Availablein = fips FIPSversion = >=3.4.0 DigestSign = SHA1 Securitycheck = 1 @@ -1947,6 +1948,7 @@ Result = DIGESTSIGNINIT_ERROR Reason = invalid digest # Signing with a 1024 bit key is not allowed in fips mode +Availablein = fips FIPSversion = >=3.4.0 DigestSign = SHA256 Securitycheck = 1 @@ -1956,6 +1958,7 @@ Result = DIGESTSIGNINIT_ERROR Reason = invalid key length # Verifying with a legacy digest in fips mode is not allowed +Availablein = fips FIPSversion = >=3.4.0 DigestVerify = MD5 Securitycheck = 1 @@ -1965,6 +1968,7 @@ Result = DIGESTVERIFYINIT_ERROR Reason = unsupported # Verifying with a key smaller than 1024 bits in fips mode is not allowed +Availablein = fips FIPSversion = >=3.4.0 DigestVerify = SHA256 Securitycheck = 1 @@ -1974,6 +1978,7 @@ Result = DIGESTVERIFYINIT_ERROR Reason = invalid key length # RSA Signing with X931 is not approved in FIPS 140-3 +Availablein = fips FIPSversion = >=3.4.0 Sign = RSA-2048 Ctrl = rsa_padding_mode:x931 @@ -1988,6 +1993,7 @@ Reason = illegal or unsupported padding mode Title = RSA FIPS Indicator tests # Decrypt with small RSA key is not permitted in FIPS mode +Availablein = fips FIPSversion = >=3.4.0 Decrypt = RSA-512 Securitycheck = 1 @@ -1997,6 +2003,7 @@ Input = 550AF55A2904E7B9762352F8FB7FA235 Result = KEYOP_MISMATCH # Signing with SHA1 is not allowed in fips mode +Availablein = fips FIPSversion = >=3.4.0 DigestSign = SHA1 Securitycheck = 1 @@ -2006,6 +2013,7 @@ Key = RSA-2048 Input = "Hello" Result = SIGNATURE_MISMATCH +Availablein = fips FIPSversion = >=3.4.0 DigestSign = SHA256 Securitycheck = 1 @@ -2016,6 +2024,7 @@ Input = "Hello" Result = SIGNATURE_MISMATCH # Verifying with a key smaller than 1024 bits in fips mode is not allowed +Availablein = fips FIPSversion = >=3.4.0 DigestVerify = SHA256 Securitycheck = 1 @@ -2026,6 +2035,7 @@ Input = "Hello" Result = VERIFY_ERROR # RSA Signing with X931 is not approved in FIPS 140-3 +Availablein = fips FIPSversion = >=3.4.0 Sign = RSA-2048 Unapproved = 1 @@ -2036,6 +2046,7 @@ Input = "0123456789ABCDEF123456789ABCDEFG" Output = 4b75f521e2e6eeda3f2dcb84ebdacbadeab8ffc1ecdf06c7c4e38727e082a8f5e71be66cdee6d14da1d3a0f18ff20914f71b5308363c81e7471688f4f201e82603ea6a7f31da89cd846b30e2893fd956e76b3d23d40f733e0358e3883526158c74577ba43cc664eaeb909818e75b89fc764cf4575517f87251f8d3cf29b1532f33e6183d454bddd6f255d0ca4415d957eb90dbc55d047f48a01c6e68d5ab46327a158ff7a3383b5b0446b8cd4a91b8859abd3285020a1613ef17d3f8562147828bb36be65505eeec77e968d04e172e2851ff1d7ef523b4022deb72d5fbf78db6738d170098586b904d1c369cedb5e3fe1b909a8dd8ac3beb521af2510d044580 # RSA signing with PSS salt length >= digest length is unapproved +Availablein = fips FIPSversion = >= 3.4.0 Sign = RSA-PSS Ctrl = digest:SHA384 @@ -2046,6 +2057,7 @@ Result = KEYOP_ERROR Reason = invalid salt length # RSA verifying with PSS salt length >= digest length is unapproved +Availablein = fips FIPSversion = >= 3.4.0 Verify = RSA-PSS Ctrl = digest:SHA384 @@ -2056,6 +2068,7 @@ Output = 49BA0CA65076271C0FEB69EB5D03E6989238B8F116FEC934F5A1299762E6FE0B6AA8C2B Result = VERIFY_ERROR Reason = invalid salt length +Availablein = fips FIPSversion = >= 3.4.0 Verify = RSA-PSS Unapproved = 1 @@ -2067,6 +2080,7 @@ Input = "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF" Output = 49BA0CA65076271C0FEB69EB5D03E6989238B8F116FEC934F5A1299762E6FE0B6AA8C2B433CA3B11E36D2844265C6B52CD7393FC62A7C6706747BD9454ADE78DE35417D6F6FCE32F1C1D8F40CEF5715BC981AE4B1C94BF8C11E30BC3F19C71BE0FBDED06ECA5FCAC372688A9E821785B9ABA9705D76A1F74A092ACFEF30B018387771031554C43D3C49317C289EC570C603A6356E2FC1FB824F0505029750BC9028B342C27CD8F01C811C0172EFA807218C4657ACA5AA81A2BB1B0C4D63BE32C08BEF11C6E19C565D03246EE021B9293AB3FE33A8946F8EAAAE353E66FA3BB170FDADB7431FFAD4C92623148395FC6F6601495D6FF83E67B20BDDAD082C149E8 # RSA verifying with PSS salt length "digest" is approved +Availablein = fips FIPSversion = >= 3.4.0 Verify = RSA-PSS Ctrl = digest:SHA384 @@ -2076,6 +2090,7 @@ Input = "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF" Output = C7280C47D9E2E7468157776CA84F52485F771D961674BF88B64FE3476A193494BCCD7139C204C557EA2FD69BC986EA2AA0416B7CA0C95C442EEAEA1AD5E8F8CE8B248AACDBEDAAA0FF2486F2B10F7F310D63969258BDC6E4D1EAEA5F45E5EB00A328BE70424DC2676EE3679D65F5AEA7A7057FDDE1EE24DFF2BEF63206466D9B6BB440C818683797EAF26D9273CC1A9CDCEDB9A90023BCB35A1DA66288741C5728EEFA681AA8384521B6067E9C7502A005814979BAA71074FAF7D08F61B38F2812B4F5DB889BE2CA19B9D9B32E3463544D35F36F5116527A573AE245878F42E3E7AACC99AA5B18A3E89002779DCD3CF15B5942D31D0E0FF2753C58D046F864F5 # RSA signing with PSS salt length "max" is unapproved +Availablein = fips FIPSversion = >= 3.4.0 Sign = RSA-PSS Ctrl = digest:SHA384 @@ -2086,6 +2101,7 @@ Result = KEYOP_ERROR Reason = invalid salt length # RSA verifying with PSS salt length "max" is unapproved +Availablein = fips FIPSversion = >= 3.4.0 Verify = RSA-PSS Ctrl = digest:SHA384 @@ -2097,6 +2113,7 @@ Result = VERIFY_ERROR Reason = invalid salt length FIPSversion = >= 3.4.0 +Availablein = fips Verify = RSA-PSS Unapproved = 1 CtrlInit = rsa-pss-saltlen-check:0 @@ -2107,6 +2124,7 @@ Input = "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF" Output = 8424963AB8323443EC617FCB698B583A831303EB97C24C35EFAD6800D32BF74E2E1ACDA367FAD902EE852B1408602A8903E6D90C08F841215C130421E634BCDC798DD12A3E444B4237DE9497D2DD43794D7D04727B4E11C48E6F6BDA03A0117893ABBF3B00EC954AED35904AECA4B6E6020F860C8AE40B17FBBA7E2AB7BFC62E04AC9FBD8CABB03EEA68A12EDB417F13F24084AA5440C206886B86EDA4ADD29CE5DA07701FCC53CE5D77F03E711C8B1DD38763414022A88887813F7F31BA733CCAB124CFA03455C4850514231C9294BC68AD04E917E0F7675B53457A30EC1793D3D117A94D3B9DD60346EEB7027F79BF93AE62A297C261F36969CE2F797BB9B9 # RSA signing with PSS salt length "auto" is unapproved +Availablein = fips FIPSversion = >= 3.4.0 Sign = RSA-PSS Ctrl = digest:SHA384 @@ -2117,6 +2135,7 @@ Result = KEYOP_ERROR Reason = invalid salt length # RSA verifying with PSS salt length "auto" is unapproved +Availablein = fips FIPSversion = >= 3.4.0 Verify = RSA-PSS Ctrl = digest:SHA384 @@ -2127,6 +2146,7 @@ Output = 4B3602F5E515B82573F0A19E244E8D2B6ED6A7E3066891B65E13D1EDAE535ECD0E59830 Result = VERIFY_ERROR Reason = invalid salt length +Availablein = fips FIPSversion = >= 3.4.0 Verify = RSA-PSS Unapproved = 1 @@ -2138,6 +2158,7 @@ Input = "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF" Output = 4B3602F5E515B82573F0A19E244E8D2B6ED6A7E3066891B65E13D1EDAE535ECD0E59830B190322D357D6199E29C94DB6FFF2EEDB3B8BA57E81062AF963C9C392DC17343873EE7D572C059BAD5B6E4AD09EE50FC69C6FFE22353B95EA80B420E5C85BA86423ECF610F61887D2F02839B28B271B3FA98420D8630EF94E36015A1383C45EB4CA2CA7FCDCDBCF7722DB84AA303F333DF38ED1C92466CB139F8C7D5D7D7B393574951F2DB071579F7170A72934F29AD3EFB403A57AC8A6449742E240DB32C3505293942CAAF1785F886B561075DACB546BBA76FC4C1D8DD8241BC452A3A8B2510D136A2563B242FBF15D7ED3BA08A2C3F45CDE795C94B891F98A8E4F # RSA verifying with PSS salt length "auto-digestmax" and a signature whose salt length is compliant to FIPS standard is approved +Availablein = fips FIPSversion = >= 3.4.0 Verify = RSA-PSS Ctrl = digest:SHA384 @@ -2147,6 +2168,7 @@ Input = "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF" Output = A3D8F40E767B72EED6B9DEA1D717F6A2792001B6BFAD28B54989C668FD65010BD07C90CBFDE139AEE41731A58BF2E895754AA61D3BD9AEF3D6307316EE5792075C22E4DC1DF1377242C258557281C089DF6996148342F3D259DF67A7D67D47EE222F0D14AD6292A6C8D4461AB9E24D27D8BDD35CE9CCC755B7BBCD8D3BEE779C97745A577B6B5634DBCB68A573423089BA93407A96CA07A235C90DA233AC76B290B0475812999531A90BC08F6947F15894232125F1EA35070FADCAB94AF11B149A7B76B0D74C0799DABBA027069DFA8AB56BDC1247F25016C631A18322F9F2B071405991A3618B42EBB05CE215DF93ADC3C14DB87466ED9A6B61605B32686DBB # RSA verifying with PSS salt length "auto-digestmax" and a signature whose salt length is not compliant to FIPS standard is unapproved +Availablein = fips FIPSversion = >= 3.4.0 Verify = RSA-PSS Ctrl = digest:SHA384 @@ -2157,6 +2179,7 @@ Output = 49BA0CA65076271C0FEB69EB5D03E6989238B8F116FEC934F5A1299762E6FE0B6AA8C2B Result = VERIFY_ERROR Reason = invalid salt length +Availablein = fips FIPSversion = >= 3.4.0 Verify = RSA-PSS Unapproved = 1 diff --git a/test/recipes/30-test_evp_data/evprand.txt b/test/recipes/30-test_evp_data/evprand.txt index 0d09899a7c..439b5a2cdf 100644 --- a/test/recipes/30-test_evp_data/evprand.txt +++ b/test/recipes/30-test_evp_data/evprand.txt @@ -79807,6 +79807,7 @@ Output.0 = 5af6 Result = EVP_RAND_CTX_set_params Reason = digest not allowed +Availablein = fips FIPSversion = >=3.4.0 RAND = HASH-DRBG Unapproved = 1 @@ -79830,6 +79831,7 @@ Output.0 = ee9f Result = EVP_RAND_CTX_set_params Reason = digest not allowed +Availablein = fips FIPSversion = >=3.4.0 RAND = HMAC-DRBG Unapproved = 1