Remove 3DES from FIPS approved algorithms.
authorZoltan Fridrich <zfridric@redhat.com>
Wed, 6 Apr 2022 13:33:32 +0000 (15:33 +0200)
committerZoltan Fridrich <zfridric@redhat.com>
Thu, 7 Apr 2022 13:00:55 +0000 (15:00 +0200)
According to section 2 of SP 800-131A Rev. 2, the 3DES (TDEA) algorithm
is disallowed for encryption after December 31, 2023:
https://csrc.nist.gov/publications/detail/sp/800-131a/rev-2/final

Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
32 files changed:
NEWS
lib/crypto-selftests.c
lib/fips.h
tests/dtls1-2-mtu-check.c
tests/key-openssl.c
tests/mini-overhead.c
tests/pkcs11/gnutls_pcert_list_import_x509_file.c
tests/pkcs11/gnutls_x509_crt_list_import_url.c
tests/pkcs11/pkcs11-chainverify.c
tests/pkcs11/pkcs11-combo.c
tests/pkcs11/pkcs11-ec-privkey-test.c
tests/pkcs11/pkcs11-get-issuer.c
tests/pkcs11/pkcs11-import-with-pin.c
tests/pkcs11/pkcs11-is-known.c
tests/pkcs11/pkcs11-obj-import.c
tests/pkcs11/pkcs11-privkey-generate.c
tests/pkcs11/pkcs11-privkey.c
tests/pkcs11/pkcs11-pubkey-import.c
tests/pkcs11/pkcs11-rsa-pss-privkey-test.c
tests/pkcs11/tls-neg-pkcs11-key.c
tests/pkcs11/tls-neg-pkcs11-no-key.c
tests/pkcs12_encode.c
tests/pkcs12_s2k_pem.c
tests/rsa-illegal-import.c
tests/slow/cipher-api-test.c
tests/suite/testcompat-openssl-tls13-cli.sh
tests/suite/tls-fuzzer/tls-fuzzer-nocert-tls13.sh
tests/suite/tls-fuzzer/tls-fuzzer-nocert.sh
tests/tls10-cipher-neg.c
tests/tls11-cipher-neg.c
tests/tls12-cipher-neg.c
tests/tls13/post-handshake-with-cert-pkcs11.c

diff --git a/NEWS b/NEWS
index 32b1e0dd2c1d6866c77d08f3653e6dd424d08f7b..5957286d7d10d5acbf94f158db9b931ae6c4c4ad 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -7,6 +7,11 @@ See the end for copying conditions.
 
 * Version ?.?.? (released ????-??-??)
 
+** libgnutls: Removed 3DES from FIPS approved algorithms (#1353).
+   According to the section 2 of SP800-131A Rev.2, 3DES algorithm
+   will be disallowed for encryption after December 31, 2023:
+   https://csrc.nist.gov/publications/detail/sp/800-131a/rev-2/final
+
 ** The configure arguments for Brotli and Zstandard (zstd) support
    have changed to reflect the previous help text: they are now
    --with-brotli/--with-zstd respectively (#1342).
index 0a49e23b5ec41456b1b0eb0d0642669e6d384e40..57b50ac514a9c7ce8e899fe989735cfcfb8d8d3c 100644 (file)
@@ -2715,7 +2715,7 @@ int gnutls_cipher_self_test(unsigned flags, gnutls_cipher_algorithm_t cipher)
                CASE(GNUTLS_CIPHER_AES_256_CBC, test_cipher,
                     aes256_cbc_vectors);
                FALLTHROUGH;
-               CASE(GNUTLS_CIPHER_3DES_CBC, test_cipher,
+               NON_FIPS_CASE(GNUTLS_CIPHER_3DES_CBC, test_cipher,
                     tdes_cbc_vectors);
                FALLTHROUGH;
                NON_FIPS_CASE(GNUTLS_CIPHER_ARCFOUR_128, test_cipher,
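Review bot: A direct `gnutls_cipher_self_test(0, GNUTLS_CIPHER_3DES_CBC)` call in FIPS mode now depends entirely on how `NON_FIPS_CASE` behaves, and that macro, like the enclosing switch, is defined outside this hunk; if it skips its body and falls through the way the neighbouring ARCFOUR entry suggests, such a call would run the vectors of whichever approved cipher comes next in the chain and report that result under 3DES's name. Worth checking the macro and stating the intended contract next to the case, e.g. `/* 3DES is not FIPS-approved (SP 800-131A Rev. 2); its KAT is skipped in FIPS mode */`. The switch in gnutls_cipher_self_test starts and ends outside the hunk.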
index 2f0a808945a83fc22cc8c06887866ee324bc13f1..49ad1d961187ecc88fe0c8d2de4a3ac72914c45c 100644 (file)
@@ -118,7 +118,6 @@ is_cipher_algo_approved_in_fips(gnutls_cipher_algorithm_t algo)
        case GNUTLS_CIPHER_AES_192_CBC:
        case GNUTLS_CIPHER_AES_128_CCM:
        case GNUTLS_CIPHER_AES_256_CCM:
-       case GNUTLS_CIPHER_3DES_CBC:
        case GNUTLS_CIPHER_AES_128_CCM_8:
        case GNUTLS_CIPHER_AES_256_CCM_8:
        case GNUTLS_CIPHER_AES_128_CFB8:
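Review bot: The reason for dropping `GNUTLS_CIPHER_3DES_CBC` from this list lives only in the commit message, so a one-line comment at the point of removal would stop the entry from being re-added later, e.g. `/* GNUTLS_CIPHER_3DES_CBC deliberately absent: SP 800-131A Rev. 2 sec. 2 disallows 3DES encryption after 2023-12-31 */`. Note also that this predicate is keyed on the algorithm alone, whereas the cited text disallows 3DES for encryption; if decryption of legacy data under FIPS is meant to remain possible, that distinction cannot be expressed here and has to be handled by a caller. is_cipher_algo_approved_in_fips() begins before the hunk and ends after it.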
index 49eead14796133f4c1795fe9ab77476fab7af05f..f27929ba6ed101f4841b04c9114343f8094f6742 100644 (file)
@@ -205,7 +205,8 @@ void doit(void)
        dtls_mtu_try("DTLS 1.2 with AES-128-CBC-HMAC-SHA1 - mtu:1536", "NORMAL:%NO_ETM:-VERS-ALL:+VERS-DTLS1.2:-CIPHER-ALL:+AES-128-CBC:-MAC-ALL:+SHA1", 1536, 1483);
 
        dtls_mtu_try("DTLS 1.2 with AES-128-CBC-HMAC-SHA256", "NORMAL:%NO_ETM:-VERS-ALL:+VERS-DTLS1.2:-CIPHER-ALL:+AES-128-CBC:-MAC-ALL:+SHA256", 1500, 1423);
-       dtls_mtu_try("DTLS 1.2 with 3DES-CBC-HMAC-SHA1", "NORMAL:%NO_ETM:-VERS-ALL:+VERS-DTLS1.2:-CIPHER-ALL:+3DES-CBC:-MAC-ALL:+SHA1", 1500, 1451);
+       if (!gnutls_fips140_mode_enabled())
+               dtls_mtu_try("DTLS 1.2 with 3DES-CBC-HMAC-SHA1", "NORMAL:%NO_ETM:-VERS-ALL:+VERS-DTLS1.2:-CIPHER-ALL:+3DES-CBC:-MAC-ALL:+SHA1", 1500, 1451);
 
        /* check non-CBC ciphers */
        dtls_mtu_try("DTLS 1.2 with AES-128-GCM", "NORMAL:-VERS-ALL:+VERS-DTLS1.2:-CIPHER-ALL:+AES-128-GCM", 1500, 1463);
@@ -234,7 +235,8 @@ void doit(void)
        dtls_mtu_try("DTLS 1.2 with AES-128-CBC-HMAC-SHA1 - mtu:1518", "NORMAL:-VERS-ALL:+VERS-DTLS1.2:-CIPHER-ALL:+AES-128-CBC:-MAC-ALL:+SHA1", 1518, 1455);
 
        dtls_mtu_try("DTLS 1.2/EtM with AES-128-CBC-HMAC-SHA256", "NORMAL:-VERS-ALL:+VERS-DTLS1.2:-CIPHER-ALL:+AES-128-CBC:-MAC-ALL:+SHA256", 1500, 1423);
-       dtls_mtu_try("DTLS 1.2/EtM with 3DES-CBC-HMAC-SHA1", "NORMAL:-VERS-ALL:+VERS-DTLS1.2:-CIPHER-ALL:+3DES-CBC:-MAC-ALL:+SHA1", 1500, 1455);
+       if (!gnutls_fips140_mode_enabled())
+               dtls_mtu_try("DTLS 1.2/EtM with 3DES-CBC-HMAC-SHA1", "NORMAL:-VERS-ALL:+VERS-DTLS1.2:-CIPHER-ALL:+3DES-CBC:-MAC-ALL:+SHA1", 1500, 1455);
 
        gnutls_global_deinit();
 }
index 3903f97c7bcf266808e6e7de34e5129ab09651a2..7800f23be6fa8289ea23f3c1a5459223b6dbd861 100644 (file)
@@ -115,6 +115,9 @@ void doit(void)
        int ret;
        gnutls_datum_t key;
 
+       if (gnutls_fips140_mode_enabled())
+               exit(77);
+
        ret = global_init();
        if (ret < 0)
                fail("global_init: %d\n", ret);
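Review bot: The whole test is skipped in FIPS mode although nothing visible in the hunk needs 3DES; presumably some of the OpenSSL-format key fixtures it loads are 3DES-encrypted, but the key list is outside the hunk. Skipping only those entries would keep the remaining key-import coverage in FIPS runs, and a comment on the guard, e.g. `/* several test keys are 3DES-encrypted and cannot be loaded in FIPS mode */`, would record why it is here. The body of doit() continues past the hunk.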
index 4496491884df2ad724f166ebc49133e5b9251fbd..9836ea51324a36624118ad201b292dfc3b5cf025 100644 (file)
@@ -328,9 +328,11 @@ void doit(void)
             65);
 
        /* 13 + 20(sha1) + 8(iv) + 8(max pad) */
-       start
-           ("NONE:+VERS-DTLS1.0:+3DES-CBC:%NO_ETM:+SHA1:+SIGN-ALL:+COMP-NULL:+RSA",
-            49);
+       if (!gnutls_fips140_mode_enabled())
+               start
+                   ("NONE:+VERS-DTLS1.0:+3DES-CBC:%NO_ETM:+SHA1:+SIGN-ALL:+COMP-NULL:+RSA",
+                    49);
+
        /* 13 + 16(tag) + 4(iv) */
        start
            ("NONE:+VERS-DTLS1.2:+AES-128-GCM:%NO_ETM:+AEAD:+SIGN-ALL:+COMP-NULL:+RSA",
index e553c29317eae74b593159d972ad42313ee80e7c..a4602a4ee958e0f8dda2419a408722bfb1c062a5 100644 (file)
@@ -149,6 +149,9 @@ void doit(void)
        unsigned int pcerts_size;
        char file[TMPNAME_SIZE];
 
+       if (gnutls_fips140_mode_enabled())
+               exit(77);
+
        track_temp_files();
        bin = softhsm_bin();
 
index 869d7034fc30b084aadefe613a8dd5638acb0b4a..e395180a25704c379b6c7c19a1a4390e78241cb7 100644 (file)
@@ -130,6 +130,9 @@ void doit(void)
        gnutls_x509_crt_t *crts;
        unsigned int crts_size, i;
 
+       if (gnutls_fips140_mode_enabled())
+               exit(77);
+
        bin = softhsm_bin();
 
        lib = softhsm_lib();
index e9865b62b9fdd6d83e5e140f99e9018af4bf9ca7..0ad2efe927d45123f088414ba999ec7ddb157e80 100644 (file)
@@ -78,6 +78,9 @@ void doit(void)
        gnutls_typed_vdata_st vdata[2];
        char buf[128];
 
+       if (gnutls_fips140_mode_enabled())
+               exit(77);
+
        /* The overloading of time() seems to work in linux (ELF?)
         * systems only. Disable it on windows.
         */
index f12388c0f3d547a02ddd89f32389cff55b8f4d5c..43189c479bd833d436434804fc20b545129dacae 100644 (file)
@@ -217,6 +217,9 @@ void doit(void)
        unsigned verify_status = 0;
        gnutls_datum_t tmp;
 
+       if (gnutls_fips140_mode_enabled())
+               exit(77);
+
        /* The overloading of time() seems to work in linux (ELF?)
         * systems only. Disable it on windows.
         */
index 1b24c8150fc53d02944ff84b6db1231d7cda7f87..782ba00420cedc0e5b6c81cc75dbe2c2b51e89a8 100644 (file)
@@ -83,6 +83,9 @@ void doit(void)
        gnutls_pubkey_t pubkey4;
        unsigned i;
 
+       if (gnutls_fips140_mode_enabled())
+               exit(77);
+
        bin = softhsm_bin();
 
        lib = softhsm_lib();
index fd65f3d82ba988641c3e52b96d093b493d38c3ba..b4df717ed56f5ef0af706ca10f638f8b5bbcc5a2 100644 (file)
@@ -85,6 +85,9 @@ void doit(void)
        gnutls_datum_t tmp;
        int idx = -1;
 
+       if (gnutls_fips140_mode_enabled())
+               exit(77);
+
        /* The overloading of time() seems to work in linux (ELF?)
         * systems only. Disable it on windows.
         */
index 4a5efd25899892e1c02d5fac876471cb66f3bdfa..79cf187375046be86fca748956ecec7ae64ebb87 100644 (file)
@@ -83,6 +83,9 @@ void doit(void)
        gnutls_privkey_t pkey;
        char file[TMPNAME_SIZE];
 
+       if (gnutls_fips140_mode_enabled())
+               exit(77);
+
        bin = softhsm_bin();
 
        lib = softhsm_lib();
index cc874251e6f192afa17e1bd7050302dd102999f9..95b9c56d0d5f2ff656e3d478235c110506e364a9 100644 (file)
@@ -352,6 +352,9 @@ void doit(void)
        gnutls_x509_crt_t intermediate, same_dn, same_issuer;
        gnutls_datum_t tmp;
 
+       if (gnutls_fips140_mode_enabled())
+               exit(77);
+
        /* The overloading of time() seems to work in linux (ELF?)
         * systems only. Disable it on windows.
         */
index fd17ed066156d443022dce27c71b374b06e4ff15..17c75a7e01e452f2c0c576f262786ddb8ecf6852 100644 (file)
@@ -75,6 +75,9 @@ void doit(void)
        gnutls_datum_t tmp, tmp2;
        size_t buf_size;
 
+       if (gnutls_fips140_mode_enabled())
+               exit(77);
+
        bin = softhsm_bin();
 
        lib = softhsm_lib();
index d3ed905f6f39468364728df0d06f769219b5b714..102cf4b292d240b02b47050d0e4b36ccdfadab47 100644 (file)
@@ -85,6 +85,9 @@ void doit(void)
        unsigned flags;
        gnutls_pkcs11_obj_t obj;
 
+       if (gnutls_fips140_mode_enabled())
+               exit(77);
+
        ret = global_init();
        if (ret != 0) {
                fail("%d: %s\n", ret, gnutls_strerror(ret));
index 714614d9976123637c5f580aa3cbfe0802db3f2c..a4217d4a1269de9346f1aa78f799ba0b00bda4a0 100644 (file)
@@ -129,6 +129,9 @@ void doit(void)
        gnutls_certificate_credentials_t cred;
        gnutls_datum_t tmp;
 
+       if (gnutls_fips140_mode_enabled())
+               exit(77);
+
        /* The overloading of time() seems to work in linux (ELF?)
         * systems only. Disable it on windows.
         */
index 3ec1982c3af8457fdeadea0f09544289b207d500..57d0d59b72f22e3a32be75606fa3c9d123cc3345 100644 (file)
@@ -75,6 +75,9 @@ static void try(int rsa)
        gnutls_pubkey_t pubkey;
        gnutls_pubkey_t pubkey2;
 
+       if (gnutls_fips140_mode_enabled())
+               exit(77);
+
        bin = softhsm_bin();
 
        lib = softhsm_lib();
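Review bot: The guard is placed inside `try(int rsa)` rather than in the test's entry point, so whatever setup precedes the first `try()` call (outside this hunk) runs before the FIPS check, and the check is re-evaluated on every call. Moving the `exit(77)` to the start of doit() would skip once, before any work, and match where the other tests in this commit put it. try() continues past the hunk.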
index fd8afb5ea8cd9b73ad76f10829d9d27544c4ae5f..2d1d0932dc572b50d70c6531a82710f8d405c612 100644 (file)
@@ -96,6 +96,9 @@ void doit(void)
        gnutls_pubkey_t pubkey2;
        unsigned i, sigalgo;
 
+       if (gnutls_fips140_mode_enabled())
+               exit(77);
+
        bin = softhsm_bin();
 
        lib = softhsm_lib();
index 5cc1ae6e2e48acfaca8b3aab74f440072e388272..25f08ac2700d00c4799085422cb4af5e1a6f7d9d 100644 (file)
@@ -422,6 +422,9 @@ void doit(void)
        unsigned int i, have_eddsa;
        int ret;
 
+       if (gnutls_fips140_mode_enabled())
+               exit(77);
+
 #ifdef _WIN32
        exit(77);
 #endif
index ac098ba142aaec6811f9669993fcfab37b557dcd..124378ded68c7f0af8afc5cbd43aa8b7df0ab2c5 100644 (file)
@@ -330,6 +330,9 @@ void doit(void)
        pid_t child;
        int status = 0;
 
+       if (gnutls_fips140_mode_enabled())
+               exit(77);
+
        /* check if softhsm module is loadable */
        (void) softhsm_lib();
 
index 78f6f41b480af4f8bcee2e86415b2dd90f25f642..ea39f3d69e93226d53f22433e27163bb752222c0 100644 (file)
@@ -116,6 +116,9 @@ void doit(void)
                int bag_encrypt_expected;
        } tests[2];
 
+       if (gnutls_fips140_mode_enabled())
+               exit(77);
+
        ret = global_init();
        if (ret < 0) {
                fprintf(stderr, "global_init %d", ret);
index dc5093ccc4424632f31476e0ccc7a81dc08e485d..49715a1b252c95c8e9d1122ef085efdbeeabfd90 100644 (file)
@@ -254,6 +254,9 @@ int main(void)
        size_t i;
        int ret;
 
+       if (gnutls_fips140_mode_enabled())
+               exit(77);
+
        global_init();
 
        for (i = 0; i < sizeof(keys) / sizeof(keys[0]); i++) {
index 6c629168f73deffb4fd6f24cee6644426fc8fe34..dd38aeabbabb7d15feb7c580de2ca9da8155c8d0 100644 (file)
@@ -145,6 +145,9 @@ int check_pkcs8_privkey2(void)
 
 void doit(void)
 {
+       if (gnutls_fips140_mode_enabled())
+               exit(77);
+
 #if NETTLE_VERSION_MAJOR < 3 || (NETTLE_VERSION_MAJOR == 3 && NETTLE_VERSION_MINOR <= 2)
        /* These checks are enforced only on new versions of nettle */
        exit(77);
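Review bot: This skip drops the illegal-RSA-key rejection checks from FIPS runs, which is the configuration where refusing malformed keys matters most, and nothing in the hunk shows why 3DES is involved; presumably the PKCS#8 fixtures are 3DES-encrypted. Re-encrypting those fixtures with an approved cipher, or keeping the unencrypted cases, would preserve the check in FIPS mode; failing that, a comment like `/* fixture keys are PBES/3DES encrypted and cannot be decoded under FIPS */` should document the dependency. doit() continues past the hunk.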
index 0ce85ed86b42d6bb2acebb027339627e095ae81b..fc880bcc9fca776cadb2c306379bb717ecd209e4 100644 (file)
@@ -475,8 +475,8 @@ void doit(void)
        start("aes128-cbc", GNUTLS_CIPHER_AES_128_CBC, 0);
        start("aes192-cbc", GNUTLS_CIPHER_AES_192_CBC, 0);
        start("aes256-cbc", GNUTLS_CIPHER_AES_256_CBC, 0);
-       start("3des-cbc", GNUTLS_CIPHER_3DES_CBC, 0);
        if (!gnutls_fips140_mode_enabled()) {
+               start("3des-cbc", GNUTLS_CIPHER_3DES_CBC, 0);
                start("camellia128-gcm", GNUTLS_CIPHER_CAMELLIA_128_GCM, 1);
                start("camellia256-gcm", GNUTLS_CIPHER_CAMELLIA_256_GCM, 1);
                start("chacha20-poly1305", GNUTLS_CIPHER_CHACHA20_POLY1305, 1);
index 57ffef85333db8752c2a8ea2e6754f935e785da0..ce0d896762385bb70064fb1b7ce3cf77cea31aca 100755 (executable)
 : ${CLI=../../src/gnutls-cli${EXEEXT}}
 unset RETCODE
 
+if test "${GNUTLS_FORCE_FIPS_MODE}" = 1;then
+       echo "Cannot run in FIPS140-2 mode"
+       exit 77
+fi
+
 if ! test -x "${CLI}"; then
        exit 77
 fi
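Review bot: The guard keys only on `GNUTLS_FORCE_FIPS_MODE`, so a run on a host whose FIPS mode is switched on system-wide rather than forced through the environment would still execute and fail; if the library honours a system FIPS indicator, the script should test for it as well, e.g. `if test "${GNUTLS_FORCE_FIPS_MODE}" = 1 || test "$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)" = 1; then`. It is also not evident from the hunk why a TLS 1.3 interop test depends on 3DES, since TLS 1.3 has no 3DES suites, so a short comment naming the dependency (a 3DES-encrypted key file, presumably) would help. The script continues beyond the hunk.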
index 638594bc3ba9d6921249a0f5bae7c9877cfaad1f..bfd34516587549edb2e119c651c9c2521cc3e60f 100755 (executable)
 
 : ${srcdir=.}
 
+if test "${GNUTLS_FORCE_FIPS_MODE}" = 1;then
+       echo "Cannot run in FIPS140-2 mode"
+       exit 77
+fi
+
 tls_fuzzer_prepare() {
 PRIORITY="NORMAL:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2:+VERS-TLS1.1:+AES-128-CCM:+AES-256-CCM:+AES-128-CCM-8"
 
index d068d6d0e65d75f7c9585e624097293cbaec2363..dde5ce6736c0831ea36b52b93339f90e16aae387 100755 (executable)
 
 : ${srcdir=.}
 
+if test "${GNUTLS_FORCE_FIPS_MODE}" = 1;then
+       echo "Cannot run in FIPS140-2 mode"
+       exit 77
+fi
+
 tls_fuzzer_prepare() {
 VERSIONS="-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+VERS-SSL3.0"
 PRIORITY="NORMAL:%VERIFY_ALLOW_SIGN_WITH_SHA1:+ARCFOUR-128:+3DES-CBC:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1:-CURVE-SECP192R1:${VERSIONS}:+SHA256:+SHA384:+AES-128-CCM:+AES-256-CCM:+AES-128-CCM-8:+AES-256-CCM-8"
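Review bot: The PRIORITY string on the last line enables `+ARCFOUR-128`, `+VERS-SSL3.0` and SHA-1 signing alongside `+3DES-CBC`, none of which are FIPS-approved, so this run exercises legacy algorithms well beyond 3DES and the skip message understates that. Saying so makes the guard self-explanatory: `echo "Skipping: exercises legacy algorithms (3DES, RC4, SSL 3.0) unavailable in FIPS140-2 mode"`. The guard also keys only on `GNUTLS_FORCE_FIPS_MODE`; tls_fuzzer_prepare() continues beyond the hunk.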
index f48fb80b4d31686de45705cf713a8edfef458552..c1461306be4a191326e0c4a0a67385d3d49cd53c 100644 (file)
@@ -65,24 +65,28 @@ test_case_st tests[] = {
        {
                .name = "server TLS 1.0: 3DES-CBC (server)",
                .cipher = GNUTLS_CIPHER_3DES_CBC,
+               .not_on_fips = 1,
                .server_prio = "NORMAL:-CIPHER-ALL:+3DES-CBC:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.0:%SERVER_PRECEDENCE",
                .client_prio = "NORMAL:+3DES-CBC"
        },
        {
                .name = "both TLS 1.0: 3DES-CBC (server)",
                .cipher = GNUTLS_CIPHER_3DES_CBC,
+               .not_on_fips = 1,
                .server_prio = "NORMAL:-CIPHER-ALL:+3DES-CBC:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.0:%SERVER_PRECEDENCE",
                .client_prio = "NORMAL:+3DES-CBC:+VERS-TLS1.0"
        },
        {
                .name = "client TLS 1.0: 3DES-CBC (client)",
                .cipher = GNUTLS_CIPHER_3DES_CBC,
+               .not_on_fips = 1,
                .server_prio = "NORMAL:+3DES-CBC",
                .client_prio = "NORMAL:-CIPHER-ALL:+3DES-CBC:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.0"
        },
        {
                .name = "both TLS 1.0: 3DES-CBC (client)",
                .cipher = GNUTLS_CIPHER_3DES_CBC,
+               .not_on_fips = 1,
                .server_prio = "NORMAL:+3DES-CBC:+VERS-TLS1.0",
                .client_prio = "NORMAL:-CIPHER-ALL:+3DES-CBC:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.0"
        },
index f315f103780488cf6c0fcc1ede529fde62b66f4e..b0698da75aceb32bdf0b8377c6474922b7c67f94 100644 (file)
@@ -65,24 +65,28 @@ test_case_st tests[] = {
        {
                .name = "server TLS 1.1: 3DES-CBC (server)",
                .cipher = GNUTLS_CIPHER_3DES_CBC,
+               .not_on_fips = 1,
                .server_prio = "NORMAL:-CIPHER-ALL:+3DES-CBC:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.1:%SERVER_PRECEDENCE",
                .client_prio = "NORMAL:+3DES-CBC"
        },
        {
                .name = "both TLS 1.1: 3DES-CBC (server)",
                .cipher = GNUTLS_CIPHER_3DES_CBC,
+               .not_on_fips = 1,
                .server_prio = "NORMAL:-CIPHER-ALL:+3DES-CBC:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.1:%SERVER_PRECEDENCE",
                .client_prio = "NORMAL:+3DES-CBC:+VERS-TLS1.1"
        },
        {
                .name = "client TLS 1.1: 3DES-CBC (client)",
                .cipher = GNUTLS_CIPHER_3DES_CBC,
+               .not_on_fips = 1,
                .server_prio = "NORMAL:+3DES-CBC",
                .client_prio = "NORMAL:-CIPHER-ALL:+3DES-CBC:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.1"
        },
        {
                .name = "both TLS 1.1: 3DES-CBC (client)",
                .cipher = GNUTLS_CIPHER_3DES_CBC,
+               .not_on_fips = 1,
                .server_prio = "NORMAL:+3DES-CBC:+VERS-TLS1.1",
                .client_prio = "NORMAL:-CIPHER-ALL:+3DES-CBC:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.1"
        },
index af2050df6c39afc1bb0701222fd2236773285a4f..f437be3d15f7b862ac9c37741b8b6ed4460508cc 100644 (file)
@@ -173,6 +173,7 @@ test_case_st tests[] = {
        {
                .name = "server TLS 1.2: 3DES-CBC (server)",
                .cipher = GNUTLS_CIPHER_3DES_CBC,
+               .not_on_fips = 1,
                .server_prio = "NORMAL:-CIPHER-ALL:+3DES-CBC:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.2:%SERVER_PRECEDENCE",
                .client_prio = "NORMAL:+3DES-CBC",
                .desc = "(TLS1.2)-(ECDHE-SECP256R1)-(ECDSA-SHA256)-(3DES-CBC)-(SHA1)"
@@ -180,6 +181,7 @@ test_case_st tests[] = {
        {
                .name = "both TLS 1.2: 3DES-CBC (server)",
                .cipher = GNUTLS_CIPHER_3DES_CBC,
+               .not_on_fips = 1,
                .server_prio = "NORMAL:-CIPHER-ALL:+3DES-CBC:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.2:%SERVER_PRECEDENCE",
                .client_prio = "NORMAL:+3DES-CBC:+VERS-TLS1.2",
                .desc = "(TLS1.2)-(ECDHE-SECP256R1)-(ECDSA-SHA256)-(3DES-CBC)-(SHA1)"
@@ -187,6 +189,7 @@ test_case_st tests[] = {
        {
                .name = "client TLS 1.2: 3DES-CBC (client)",
                .cipher = GNUTLS_CIPHER_3DES_CBC,
+               .not_on_fips = 1,
                .server_prio = "NORMAL:+3DES-CBC",
                .client_prio = "NORMAL:-CIPHER-ALL:+3DES-CBC:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.2",
                .desc = "(TLS1.2)-(ECDHE-SECP256R1)-(ECDSA-SHA256)-(3DES-CBC)-(SHA1)"
@@ -194,6 +197,7 @@ test_case_st tests[] = {
        {
                .name = "both TLS 1.2: 3DES-CBC (client)",
                .cipher = GNUTLS_CIPHER_3DES_CBC,
+               .not_on_fips = 1,
                .server_prio = "NORMAL:+3DES-CBC:+VERS-TLS1.2",
                .client_prio = "NORMAL:-CIPHER-ALL:+3DES-CBC:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.2",
                .desc = "(TLS1.2)-(ECDHE-SECP256R1)-(ECDSA-SHA256)-(3DES-CBC)-(SHA1)"
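Review bot: `.not_on_fips = 1` is interpreted by the shared harness outside this file, so whether the FIPS run now merely skips these four cases or actually asserts that a 3DES-only priority fails to negotiate is not visible here. Skipping alone would leave the new behaviour, 3DES refused under FIPS, untested at the TLS layer; if the harness supports it, an expectation that the `NORMAL:-CIPHER-ALL:+3DES-CBC` handshake fails in FIPS mode is worth adding to one of these entries. The same applies to the tls10 and tls11 variants in this commit. The `tests[]` array starts and ends outside the hunk.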
index faf901dbed5099130fc257d5cdedb719e02e7dce..f5882509737b4daf055159bff7efee30bdb0c71f 100644 (file)
@@ -444,6 +444,9 @@ void doit(void)
        const char *bin;
        char buf[128];
 
+       if (gnutls_fips140_mode_enabled())
+               exit(77);
+
        /* check if softhsm module is loadable */
        (void) softhsm_lib();