
---
 crypto/asn1/ameth_lib.c        |   18 ++++++++++++++++++
 crypto/asn1/standard_methods.h |   29 +++++++++++++++++++++++++++++
 crypto/evp/c_alld.c            |   27 +++++++++++++++++++++++++++
 3 files changed, 74 insertions(+)

--- a/crypto/asn1/ameth_lib.c
+++ b/crypto/asn1/ameth_lib.c
@@ -35,7 +35,11 @@ IMPLEMENT_OBJ_BSEARCH_CMP_FN(const EVP_P
 
 int EVP_PKEY_asn1_get_count(void)
 {
+#ifdef OPENSSL_FIPS
+    int num = FIPS_mode() ? OSSL_NELEM(standard_fips_methods) : OSSL_NELEM(standard_methods);
+#else
     int num = OSSL_NELEM(standard_methods);
+#endif
     if (app_methods)
         num += sk_EVP_PKEY_ASN1_METHOD_num(app_methods);
     return num;
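Review bot: The FIPS/non-FIPS table selection added here is repeated in EVP_PKEY_asn1_get0 (L23-L42) and pkey_asn1_find (L43-L56), and get0 queries FIPS_mode() twice in one call (L28 and L36), so a mode change between the two queries would pair the count of one table with the entries of the other. A single static helper that returns the active table and its length, evaluating FIPS_mode() once per call, removes both the duplication and the double query; the helper and the rewritten body of EVP_PKEY_asn1_get_count are sketched below, and the other two functions would call it the same way. The `#ifdef OPENSSL_FIPS` guard moves into the helper, so the non-FIPS build keeps its current behaviour.
```c
/*
 * Return the built-in method table that applies to the current FIPS state
 * and store its length in *num. FIPS_mode() is evaluated exactly once so a
 * caller cannot combine the length of one table with the entries of the other.
 */
static const EVP_PKEY_ASN1_METHOD **builtin_methods(int *num)
{
#ifdef OPENSSL_FIPS
    if (FIPS_mode()) {
        *num = OSSL_NELEM(standard_fips_methods);
        return standard_fips_methods;
    }
#endif
    *num = OSSL_NELEM(standard_methods);
    return standard_methods;
}

int EVP_PKEY_asn1_get_count(void)
{
    int num;

    (void)builtin_methods(&num);
    if (app_methods)
        num += sk_EVP_PKEY_ASN1_METHOD_num(app_methods);
    return num;
}
```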
@@ -43,11 +47,19 @@ int EVP_PKEY_asn1_get_count(void)
 
 const EVP_PKEY_ASN1_METHOD *EVP_PKEY_asn1_get0(int idx)
 {
+#ifdef OPENSSL_FIPS
+    int num = FIPS_mode() ? OSSL_NELEM(standard_fips_methods) : OSSL_NELEM(standard_methods);
+#else
     int num = OSSL_NELEM(standard_methods);
+#endif
     if (idx < 0)
         return NULL;
     if (idx < num)
+#ifdef OPENSSL_FIPS
+        return FIPS_mode() ? standard_fips_methods[idx] : standard_methods[idx];
+#else
         return standard_methods[idx];
+#endif
     idx -= num;
     return sk_EVP_PKEY_ASN1_METHOD_value(app_methods, idx);
 }
@@ -63,7 +75,13 @@ static const EVP_PKEY_ASN1_METHOD *pkey_
         if (idx >= 0)
             return sk_EVP_PKEY_ASN1_METHOD_value(app_methods, idx);
     }
+#ifdef OPENSSL_FIPS
+    ret = FIPS_mode() ? \
+          OBJ_bsearch_ameth(&t, standard_fips_methods, OSSL_NELEM(standard_fips_methods)) : \
+          OBJ_bsearch_ameth(&t, standard_methods, OSSL_NELEM(standard_methods));
+#else
     ret = OBJ_bsearch_ameth(&t, standard_methods, OSSL_NELEM(standard_methods));
+#endif
     if (!ret || !*ret)
         return NULL;
     return *ret;
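Review bot: The trailing backslashes at the end of L48 and L49 are not needed; this is an ordinary statement rather than a macro definition, and a line-continuation `\` only splices lines and silently breaks if a space ever follows it. Drop the two `\` characters and let the conditional wrap naturally, e.g. `ret = FIPS_mode() ? OBJ_bsearch_ameth(&t, standard_fips_methods, OSSL_NELEM(standard_fips_methods))` followed on the next line by `: OBJ_bsearch_ameth(&t, standard_methods, OSSL_NELEM(standard_methods));`. pkey_asn1_find starts before this hunk.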
--- a/crypto/asn1/standard_methods.h
+++ b/crypto/asn1/standard_methods.h
@@ -59,3 +59,32 @@ static const EVP_PKEY_ASN1_METHOD *stand
 #endif
 };
 
+static const EVP_PKEY_ASN1_METHOD *standard_fips_methods[] = {
+#ifndef OPENSSL_NO_RSA
+    &rsa_asn1_meths[0],
+    &rsa_asn1_meths[1],
+#endif
+#ifndef OPENSSL_NO_DH
+    &dh_asn1_meth,
+#endif
+#ifndef OPENSSL_NO_DSA
+    &dsa_asn1_meths[0],
+    &dsa_asn1_meths[1],
+    &dsa_asn1_meths[2],
+    &dsa_asn1_meths[3],
+    &dsa_asn1_meths[4],
+#endif
+#ifndef OPENSSL_NO_EC
+    &eckey_asn1_meth,
+#endif
+    &hmac_asn1_meth,
+#ifndef OPENSSL_NO_CMAC
+    &cmac_asn1_meth,
+#endif
+#ifndef OPENSSL_NO_RSA
+    &rsa_pss_asn1_meth,
+#endif
+#ifndef OPENSSL_NO_DH
+    &dhx_asn1_meth,
+#endif
+};
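Review bot: standard_fips_methods is searched with OBJ_bsearch_ameth in the ameth_lib.c hunk above, so its entries must stay sorted by pkey_id exactly as standard_methods is, and nothing in this hunk records that constraint; a header comment such as `/* Subset of standard_methods restricted to FIPS-approved key types. Must keep the same pkey_id order as standard_methods: it is searched with OBJ_bsearch_ameth. */` would protect later edits that insert an entry in the wrong place. The array is also defined unconditionally although every reference to it in ameth_lib.c is under `#ifdef OPENSSL_FIPS`, so a non-FIPS build ends up with an unused file-scope static const array, which GCC reports in C via -Wunused-const-variable; wrapping the definition in `#ifdef OPENSSL_FIPS` … `#endif` keeps the header in step with its only user.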
--- a/crypto/evp/c_alld.c
+++ b/crypto/evp/c_alld.c
@@ -16,6 +16,13 @@
 
 void openssl_add_all_digests_int(void)
 {
+#ifdef OPENSSL_FIPS
+    /*
+     * This function is called from FIPS_selftest_ecdsa() before FIPS mode is
+     * turned on. That is the reason why we need to also check fips_in_post().
+     */
+    if (!FIPS_mode() && !fips_in_post()) {
+#endif
 #ifndef OPENSSL_NO_MD4
     EVP_add_digest(EVP_md4());
 #endif
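Review bot: The gate added at L103 fixes the registered digest set at the moment this function runs and is never re-evaluated, which the comment at L99-L102 does not say: if the library is presumably initialised once before FIPS_mode_set(1) is called, the non-approved digests remain registered, and if FIPS mode is turned off afterwards the approved-only set stays. Extending the comment with a sentence such as `The registered set is decided at this call only; changing FIPS mode afterwards does not re-run it, so callers must enable FIPS mode before library initialisation.` makes that ordering assumption explicit. The opening brace at L103 also leaves the existing registrations at the function's indent while the else branch in the next hunk is indented one level deeper; either re-indent the if body or keep both branches at the same level. openssl_add_all_digests_int continues into the next hunk.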
@@ -57,4 +64,24 @@ void openssl_add_all_digests_int(void)
     EVP_add_digest(EVP_sha3_512());
     EVP_add_digest(EVP_shake128());
     EVP_add_digest(EVP_shake256());
+#ifdef OPENSSL_FIPS
+    } else {
+        EVP_add_digest(EVP_md5_sha1());
+        EVP_add_digest(EVP_sha1());
+        EVP_add_digest_alias(SN_sha1, "ssl3-sha1");
+        EVP_add_digest_alias(SN_sha1WithRSAEncryption, SN_sha1WithRSA);
+        EVP_add_digest(EVP_sha224());
+        EVP_add_digest(EVP_sha256());
+        EVP_add_digest(EVP_sha384());
+        EVP_add_digest(EVP_sha512());
+        EVP_add_digest(EVP_sha512_224());
+        EVP_add_digest(EVP_sha512_256());
+        EVP_add_digest(EVP_sha3_224());
+        EVP_add_digest(EVP_sha3_256());
+        EVP_add_digest(EVP_sha3_384());
+        EVP_add_digest(EVP_sha3_512());
+        EVP_add_digest(EVP_shake128());
+        EVP_add_digest(EVP_shake256());
+    }
+#endif
 }
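Review bot: The else branch at L113-L129 re-lists the SHA-1/SHA-2/SHA-3 registrations that the non-FIPS branch already performs (the shake calls at L109-L111 are visible here; the earlier ones lie between the two hunks), so the two lists can drift apart silently. The more robust shape is to keep the approved registrations unconditional and wrap only the non-approved ones (EVP_md4() at L106 and its neighbours) in the `if (!FIPS_mode() && !fips_in_post())` block, which requires touching the middle of the function that this hunk does not show. EVP_md5_sha1() at L114 is registered in FIPS mode although MD5 is not an approved digest; if that is deliberate, presumably for TLS 1.0/1.1 handshake signatures, a comment such as `/* md5-sha1 is kept for TLS < 1.2 handshake signatures */` would stop a reader from treating it as an oversight. openssl_add_all_digests_int begins in the previous hunk.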