Make X25519 and X448 FIPS unapproved

author Tomas Mraz <tomas@openssl.org>

Thu, 11 Apr 2024 06:57:51 +0000 (08:57 +0200)

committer Tomas Mraz <tomas@openssl.org>

Fri, 19 Apr 2024 08:32:27 +0000 (10:32 +0200)
author Tomas Mraz <tomas@openssl.org>
Thu, 11 Apr 2024 06:57:51 +0000 (08:57 +0200)
committer Tomas Mraz <tomas@openssl.org>
Fri, 19 Apr 2024 08:32:27 +0000 (10:32 +0200)
diff --git a/CHANGES.md b/CHANGES.md

index a15321dda97147e8c091a67d2e33a6c009995eaf..76801ac78c1c623074d1b440fad7a9d6a4829f76 100644 (file)
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -36,6 +36,11 @@ OpenSSL 3.4
  
     *Stephan Wurm*
  
+ * The X25519 and X448 key exchange implementation in the FIPS provider
+   is unapproved and has `fips=no` property.
+
+   * Tomas Mraz*
+
  OpenSSL 3.3
  -----------
  
diff --git a/doc/man7/OSSL_PROVIDER-FIPS.pod b/doc/man7/OSSL_PROVIDER-FIPS.pod

index c1dd6036435b583c0b94fe79b0646aac802a4413..6da7a81ea3bdb0b1386fb5202add56d8c38a063e 100644 (file)
--- a/doc/man7/OSSL_PROVIDER-FIPS.pod
+++ b/doc/man7/OSSL_PROVIDER-FIPS.pod
@@ -204,8 +204,12 @@ This is an unapproved algorithm.
  
  =item X25519, see L<EVP_KEYMGMT-X25519(7)>
  
+This is an unapproved algorithm.
+
  =item X448, see L<EVP_KEYMGMT-X448(7)>
  
+This is an unapproved algorithm.
+
  =item ED25519, see L<EVP_KEYMGMT-ED25519(7)>
  
  This is an unapproved algorithm.
diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c

index 7ec409710b6cc02835d4d00f83a06d3caad895d0..1f36ce63932b0acca8afcb455d5fcea0a38d7a57 100644 (file)
--- a/providers/fips/fipsprov.c
+++ b/providers/fips/fipsprov.c
@@ -410,8 +410,8 @@ static const OSSL_ALGORITHM fips_keyexch[] = {
  #ifndef OPENSSL_NO_EC
      { PROV_NAMES_ECDH, FIPS_DEFAULT_PROPERTIES, ossl_ecdh_keyexch_functions },
  # ifndef OPENSSL_NO_ECX
-    { PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keyexch_functions },
-    { PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keyexch_functions },
+    { PROV_NAMES_X25519, FIPS_UNAPPROVED_PROPERTIES, ossl_x25519_keyexch_functions },
+    { PROV_NAMES_X448, FIPS_UNAPPROVED_PROPERTIES, ossl_x448_keyexch_functions },
  # endif
  #endif
      { PROV_NAMES_TLS1_PRF, FIPS_DEFAULT_PROPERTIES,
@@ -471,9 +471,9 @@ static const OSSL_ALGORITHM fips_keymgmt[] = {
      { PROV_NAMES_EC, FIPS_DEFAULT_PROPERTIES, ossl_ec_keymgmt_functions,
        PROV_DESCS_EC },
  # ifndef OPENSSL_NO_ECX
-    { PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keymgmt_functions,
+    { PROV_NAMES_X25519, FIPS_UNAPPROVED_PROPERTIES, ossl_x25519_keymgmt_functions,
        PROV_DESCS_X25519 },
-    { PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keymgmt_functions,
+    { PROV_NAMES_X448, FIPS_UNAPPROVED_PROPERTIES, ossl_x448_keymgmt_functions,
        PROV_DESCS_X448 },
      { PROV_NAMES_ED25519, FIPS_UNAPPROVED_PROPERTIES, ossl_ed25519_keymgmt_functions,
        PROV_DESCS_ED25519 },
author	Tomas Mraz <tomas@openssl.org>
	Thu, 11 Apr 2024 06:57:51 +0000 (08:57 +0200)
committer	Tomas Mraz <tomas@openssl.org>
	Fri, 19 Apr 2024 08:32:27 +0000 (10:32 +0200)
CHANGES.md		patch \| blob \| blame \| history
doc/man7/OSSL_PROVIDER-FIPS.pod		patch \| blob \| blame \| history
providers/fips/fipsprov.c		patch \| blob \| blame \| history