From: Pavol Žáčik <zacik.pa@gmail.com>
Date: Wed, 20 Aug 2025 12:35:03 +0000 (+0200)
Subject: Add SKEYMGMT support to the FIPS provider
X-Git-Tag: openssl-3.6.0-alpha1~46
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f289c45b16a34938f8aebb6fb3afc8bf92f2708b;p=thirdparty%2Fopenssl.git

Add SKEYMGMT support to the FIPS provider

And extend the SKEY managers listing test with a FIPS case.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28339)
---

diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c
index 55aa27cb669..dea863c79f2 100644
--- a/providers/fips/fipsprov.c
+++ b/providers/fips/fipsprov.c
@@ -694,6 +694,14 @@ static const OSSL_ALGORITHM fips_keymgmt[] = {
     { NULL, NULL, NULL }
 };
 
+static const OSSL_ALGORITHM fips_skeymgmt[] = {
+    { PROV_NAMES_AES, FIPS_DEFAULT_PROPERTIES, ossl_aes_skeymgmt_functions,
+      PROV_DESCS_AES },
+    { PROV_NAMES_GENERIC, FIPS_DEFAULT_PROPERTIES, ossl_generic_skeymgmt_functions,
+      PROV_DESCS_GENERIC },
+    { NULL, NULL, NULL }
+};
+
 static const OSSL_ALGORITHM *fips_query(void *provctx, int operation_id,
                                         int *no_cache)
 {
@@ -723,6 +731,8 @@ static const OSSL_ALGORITHM *fips_query(void *provctx, int operation_id,
         return fips_asym_cipher;
     case OSSL_OP_KEM:
         return fips_asym_kem;
+    case OSSL_OP_SKEYMGMT:
+        return fips_skeymgmt;
     }
     return NULL;
 }
diff --git a/test/recipes/20-test_cli_list.t b/test/recipes/20-test_cli_list.t
index 2416da47634..00187f341dd 100644
--- a/test/recipes/20-test_cli_list.t
+++ b/test/recipes/20-test_cli_list.t
@@ -13,13 +13,35 @@ use OpenSSL::Test qw/:DEFAULT bldtop_file srctop_file bldtop_dir with/;
 use OpenSSL::Test::Utils;
 
 setup("test_cli_list");
+plan tests => 4;
+my $fipsconf = srctop_file("test", "fips-and-base.cnf");
+my $defaultconf = srctop_file("test", "default.cnf");
 
-plan tests => 2;
+sub check_skey_manager_list {
+    my $provider = $_[0];
+    ok(run(app(["openssl", "list", "-skey-managers"],
+               stdout => "listout.txt")),
+       "List skey managers - $provider provider");
+    open DATA, "listout.txt";
+    my @match = grep /secret key/, <DATA>;
+    close DATA;
+    ok(scalar @match > 1 ? 1 : 0,
+       "Several skey managers are listed - $provider provider");
+}
 
-ok(run(app(["openssl", "list", "-skey-managers"],
-        stdout => "listout.txt")),
-"List skey managers - default configuration");
-open DATA, "listout.txt";
-my @match = grep /secret key/, <DATA>;
-close DATA;
-ok(scalar @match > 1 ? 1 : 0, "Several skey managers are listed - default configuration");
+check_skey_manager_list("default");
+
+SKIP: {
+    my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
+    skip "FIPS provider disabled or not installed", 2
+        if $no_fips;
+
+    run(test(["fips_version_test", "-config", $fipsconf, ">=3.6.0"]),
+             capture => 1, statusvar => \my $exit);
+    skip "FIPS provider version doesn't support skeymgmt", 2
+        if !$exit;
+
+    $ENV{OPENSSL_CONF} = $fipsconf;
+    check_skey_manager_list("fips");
+    $ENV{OPENSSL_CONF} = $defaultconf;
+}