Add SKEYMGMT support to the FIPS provider
authorPavol Žáčik <zacik.pa@gmail.com>
Wed, 20 Aug 2025 12:35:03 +0000 (14:35 +0200)
committerNeil Horman <nhorman@openssl.org>
Fri, 29 Aug 2025 15:21:08 +0000 (11:21 -0400)
And extend the SKEY managers listing test with a FIPS case.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28339)

providers/fips/fipsprov.c
test/recipes/20-test_cli_list.t

index 55aa27cb669174ccf4f81cb3cb168489926b430d..dea863c79f283fe1374ce73f88e5fa8edfff79a2 100644 (file)
@@ -694,6 +694,14 @@ static const OSSL_ALGORITHM fips_keymgmt[] = {
     { NULL, NULL, NULL }
 };
 
+static const OSSL_ALGORITHM fips_skeymgmt[] = {
+    { PROV_NAMES_AES, FIPS_DEFAULT_PROPERTIES, ossl_aes_skeymgmt_functions,
+      PROV_DESCS_AES },
+    { PROV_NAMES_GENERIC, FIPS_DEFAULT_PROPERTIES, ossl_generic_skeymgmt_functions,
+      PROV_DESCS_GENERIC },
+    { NULL, NULL, NULL }
+};
+
 static const OSSL_ALGORITHM *fips_query(void *provctx, int operation_id,
                                         int *no_cache)
 {
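Review bot: The new `fips_skeymgmt` table has no comment, and nothing near it says why the GENERIC manager is registered with `FIPS_DEFAULT_PROPERTIES` alongside AES. Someone auditing what the FIPS provider exposes would want that rationale, since a generic key manager is presumably not tied to one approved algorithm (this is inferred from the name; confirm with the implementation). I would add a header such as `/* Symmetric key managers (OSSL_OP_SKEYMGMT) offered by the FIPS provider */` plus one sentence on why GENERIC carries these properties. The body of `fips_query` continues outside this hunk.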
@@ -723,6 +731,8 @@ static const OSSL_ALGORITHM *fips_query(void *provctx, int operation_id,
         return fips_asym_cipher;
     case OSSL_OP_KEM:
         return fips_asym_kem;
+    case OSSL_OP_SKEYMGMT:
+        return fips_skeymgmt;
     }
     return NULL;
 }
index 2416da476347132e71c9be614555f3812ce9b081..00187f341ddd2d1198f6d9b081d8d687fcc63961 100644 (file)
@@ -13,13 +13,35 @@ use OpenSSL::Test qw/:DEFAULT bldtop_file srctop_file bldtop_dir with/;
 use OpenSSL::Test::Utils;
 
 setup("test_cli_list");
+plan tests => 4;
+my $fipsconf = srctop_file("test", "fips-and-base.cnf");
+my $defaultconf = srctop_file("test", "default.cnf");
 
-plan tests => 2;
+sub check_skey_manager_list {
+    my $provider = $_[0];
+    ok(run(app(["openssl", "list", "-skey-managers"],
+               stdout => "listout.txt")),
+       "List skey managers - $provider provider");
+    open DATA, "listout.txt";
+    my @match = grep /secret key/, <DATA>;
+    close DATA;
+    ok(scalar @match > 1 ? 1 : 0,
+       "Several skey managers are listed - $provider provider");
+}
 
-ok(run(app(["openssl", "list", "-skey-managers"],
-        stdout => "listout.txt")),
-"List skey managers - default configuration");
-open DATA, "listout.txt";
-my @match = grep /secret key/, <DATA>;
-close DATA;
-ok(scalar @match > 1 ? 1 : 0, "Several skey managers are listed - default configuration");
+check_skey_manager_list("default");
+
+SKIP: {
+    my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
+    skip "FIPS provider disabled or not installed", 2
+        if $no_fips;
+
+    run(test(["fips_version_test", "-config", $fipsconf, ">=3.6.0"]),
+             capture => 1, statusvar => \my $exit);
+    skip "FIPS provider version doesn't support skeymgmt", 2
+        if !$exit;
+
+    $ENV{OPENSSL_CONF} = $fipsconf;
+    check_skey_manager_list("fips");
+    $ENV{OPENSSL_CONF} = $defaultconf;
+}
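Review bot: In the fips case, `check_skey_manager_list` only counts lines matching `secret key`, so the assertion does not show that the listed managers come from the FIPS provider. The name `fips-and-base.cnf` suggests a second provider is loaded, and if that provider ever lists skey managers, the test could pass without the FIPS ones. If the listing prints the provider name, the fips call should assert on it as well. Separately, the SKIP block resets `OPENSSL_CONF` to `$defaultconf` rather than to its previous value; `local $ENV{OPENSSL_CONF} = $fipsconf;` inside the block would restore whatever was set before. The helper's unchecked bareword `open DATA, "listout.txt";` could become `open(my $fh, '<', 'listout.txt') or die "listout.txt: $!";` so a missing file is reported directly instead of as an empty match.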