[openssl] master update

Matt Caswell matt at openssl.org
Thu Apr 23 09:38:31 UTC 2020 

The branch master has been updated
       via  916b1f83d094fe2e0f7dea1e24f4eac3287a4157 (commit)
      from  555ed96812f7f6cfb6066327aee40244517e2e05 (commit)


- Log -----------------------------------------------------------------
commit 916b1f83d094fe2e0f7dea1e24f4eac3287a4157
Author: Pauli <paul.dale at oracle.com>
Date:   Wed Apr 22 17:08:30 2020 +1000

    FIPS: remove algorithms that are not being validated.
    
    Several MACs and one KDF are included in the FIPS provider with the property
    "fips=yes" set but are not listed as being part of the OpenSSL validation.
    
    This removes them from the FIPS provider.
    
    Reviewed-by: Matt Caswell <matt at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/11602)

-----------------------------------------------------------------------

Summary of changes:
 providers/fips/fipsprov.c | 12 ------------
 1 file changed, 12 deletions(-)

diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c
index 4fe14c2ba3..a9a7703ea2 100644
--- a/providers/fips/fipsprov.c
+++ b/providers/fips/fipsprov.c
@@ -367,12 +367,6 @@ static const OSSL_ALGORITHM fips_digests[] = {
     { "SHA3-256", "provider=fips,fips=yes", sha3_256_functions },
     { "SHA3-384", "provider=fips,fips=yes", sha3_384_functions },
     { "SHA3-512", "provider=fips,fips=yes", sha3_512_functions },
-    /*
-     * KECCAK-KMAC-128 and KECCAK-KMAC-256 as hashes are mostly useful for
-     * KMAC128 and KMAC256.
-     */
-    { "KECCAK-KMAC-128:KECCAK-KMAC128", "provider=fips,fips=yes", keccak_kmac_128_functions },
-    { "KECCAK-KMAC-256:KECCAK-KMAC256", "provider=fips,fips=yes", keccak_kmac_256_functions },
 
     /* Non-FIPS algorithm to support oneshot_hash in the Ed448 code */
     { "SHAKE-256:SHAKE256", "provider=fips,fips=no", shake_256_functions },
@@ -424,13 +418,8 @@ static const OSSL_ALGORITHM_CAPABLE fips_ciphers[] = {
 static OSSL_ALGORITHM exported_fips_ciphers[OSSL_NELEM(fips_ciphers)];
 
 static const OSSL_ALGORITHM fips_macs[] = {
-#ifndef OPENSSL_NO_CMAC
-    { "CMAC", "provider=fips,fips=yes", cmac_functions },
-#endif
     { "GMAC", "provider=fips,fips=yes", gmac_functions },
     { "HMAC", "provider=fips,fips=yes", hmac_functions },
-    { "KMAC-128:KMAC128", "provider=fips,fips=yes", kmac128_functions },
-    { "KMAC-256:KMAC256", "provider=fips,fips=yes", kmac256_functions },
     { NULL, NULL, NULL }
 };
 
@@ -439,7 +428,6 @@ static const OSSL_ALGORITHM fips_kdfs[] = {
     { "SSKDF", "provider=fips,fips=yes", kdf_sskdf_functions },
     { "PBKDF2", "provider=fips,fips=yes", kdf_pbkdf2_functions },
     { "TLS1-PRF", "provider=fips,fips=yes", kdf_tls1_prf_functions },
-    { "KBKDF", "provider=fips,fips=yes", kdf_kbkdf_functions },
     { NULL, NULL, NULL }
 };

More information about the openssl-commits mailing list