From 4f43efcd5a8fbdcf79f12cb98019d98629844091 Mon Sep 17 00:00:00 2001
From: Zoltan Fridrich <zfridric@redhat.com>
Date: Wed, 6 Apr 2022 15:33:32 +0200
Subject: [PATCH] Remove 3DES from FIPS approved algorithms. According to the
section 2 of SP800-131A Rev.2, 3DES algorithm will be disallowed for
encryption after December 31, 2023:
https://csrc.nist.gov/publications/detail/sp/800-131a/rev-2/final
Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
---
NEWS | 5 +++++
lib/crypto-selftests.c | 2 +-
lib/fips.h | 1 -
tests/dtls1-2-mtu-check.c | 6 ++++--
tests/key-openssl.c | 3 +++
tests/mini-overhead.c | 8 +++++---
tests/pkcs11/gnutls_pcert_list_import_x509_file.c | 3 +++
tests/pkcs11/gnutls_x509_crt_list_import_url.c | 3 +++
tests/pkcs11/pkcs11-chainverify.c | 3 +++
tests/pkcs11/pkcs11-combo.c | 3 +++
tests/pkcs11/pkcs11-ec-privkey-test.c | 3 +++
tests/pkcs11/pkcs11-get-issuer.c | 3 +++
tests/pkcs11/pkcs11-import-with-pin.c | 3 +++
tests/pkcs11/pkcs11-is-known.c | 3 +++
tests/pkcs11/pkcs11-obj-import.c | 3 +++
tests/pkcs11/pkcs11-privkey-generate.c | 3 +++
tests/pkcs11/pkcs11-privkey.c | 3 +++
tests/pkcs11/pkcs11-pubkey-import.c | 3 +++
tests/pkcs11/pkcs11-rsa-pss-privkey-test.c | 3 +++
tests/pkcs11/tls-neg-pkcs11-key.c | 3 +++
tests/pkcs11/tls-neg-pkcs11-no-key.c | 3 +++
tests/pkcs12_encode.c | 3 +++
tests/pkcs12_s2k_pem.c | 3 +++
tests/rsa-illegal-import.c | 3 +++
tests/slow/cipher-api-test.c | 2 +-
tests/tls10-cipher-neg.c | 4 ++++
tests/tls11-cipher-neg.c | 4 ++++
tests/tls12-cipher-neg.c | 4 ++++
tests/tls13/post-handshake-with-cert-pkcs11.c | 3 +++
32 files changed, 103 insertions(+), 8 deletions(-)
Index: gnutls-3.7.3/lib/crypto-selftests.c
===================================================================
--- gnutls-3.7.3.orig/lib/crypto-selftests.c
+++ gnutls-3.7.3/lib/crypto-selftests.c
@@ -2715,7 +2715,7 @@ int gnutls_cipher_self_test(unsigned fla
CASE(GNUTLS_CIPHER_AES_256_CBC, test_cipher,
aes256_cbc_vectors);
FALLTHROUGH;
- CASE(GNUTLS_CIPHER_3DES_CBC, test_cipher,
+ NON_FIPS_CASE(GNUTLS_CIPHER_3DES_CBC, test_cipher,
tdes_cbc_vectors);
FALLTHROUGH;
NON_FIPS_CASE(GNUTLS_CIPHER_ARCFOUR_128, test_cipher,
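Review bot: The switch to `NON_FIPS_CASE` for `GNUTLS_CIPHER_3DES_CBC` carries no comment giving the reason, while the AES CBC case directly above stays on `CASE`, so a reader sees one CBC cipher treated differently without explanation. A one-line comment above the case, such as `/* 3DES is no longer FIPS-approved: SP 800-131A Rev. 2, section 2 */`, would record it where the decision is made. `NON_FIPS_CASE` is defined outside this hunk, so it is worth confirming what a caller that requests only the 3DES self-test gets back in FIPS mode, given that the case falls through to the entries below it.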
Index: gnutls-3.7.3/lib/fips.h
===================================================================
--- gnutls-3.7.3.orig/lib/fips.h
+++ gnutls-3.7.3/lib/fips.h
@@ -118,7 +118,6 @@ is_cipher_algo_approved_in_fips(gnutls_c
case GNUTLS_CIPHER_AES_192_CBC:
case GNUTLS_CIPHER_AES_128_CCM:
case GNUTLS_CIPHER_AES_256_CCM:
- case GNUTLS_CIPHER_3DES_CBC:
case GNUTLS_CIPHER_AES_128_CCM_8:
case GNUTLS_CIPHER_AES_256_CCM_8:
case GNUTLS_CIPHER_AES_128_CFB8:
Index: gnutls-3.7.3/tests/dtls1-2-mtu-check.c
===================================================================
--- gnutls-3.7.3.orig/tests/dtls1-2-mtu-check.c
+++ gnutls-3.7.3/tests/dtls1-2-mtu-check.c
@@ -205,7 +205,8 @@ void doit(void)
dtls_mtu_try("DTLS 1.2 with AES-128-CBC-HMAC-SHA1 - mtu:1536", "NORMAL:%NO_ETM:-VERS-ALL:+VERS-DTLS1.2:-CIPHER-ALL:+AES-128-CBC:-MAC-ALL:+SHA1", 1536, 1483);
dtls_mtu_try("DTLS 1.2 with AES-128-CBC-HMAC-SHA256", "NORMAL:%NO_ETM:-VERS-ALL:+VERS-DTLS1.2:-CIPHER-ALL:+AES-128-CBC:-MAC-ALL:+SHA256", 1500, 1423);
- dtls_mtu_try("DTLS 1.2 with 3DES-CBC-HMAC-SHA1", "NORMAL:%NO_ETM:-VERS-ALL:+VERS-DTLS1.2:-CIPHER-ALL:+3DES-CBC:-MAC-ALL:+SHA1", 1500, 1451);
+ if (!gnutls_fips140_mode_enabled())
+ dtls_mtu_try("DTLS 1.2 with 3DES-CBC-HMAC-SHA1", "NORMAL:%NO_ETM:-VERS-ALL:+VERS-DTLS1.2:-CIPHER-ALL:+3DES-CBC:-MAC-ALL:+SHA1", 1500, 1451);
/* check non-CBC ciphers */
dtls_mtu_try("DTLS 1.2 with AES-128-GCM", "NORMAL:-VERS-ALL:+VERS-DTLS1.2:-CIPHER-ALL:+AES-128-GCM", 1500, 1463);
@@ -234,7 +235,8 @@ void doit(void)
dtls_mtu_try("DTLS 1.2 with AES-128-CBC-HMAC-SHA1 - mtu:1518", "NORMAL:-VERS-ALL:+VERS-DTLS1.2:-CIPHER-ALL:+AES-128-CBC:-MAC-ALL:+SHA1", 1518, 1455);
dtls_mtu_try("DTLS 1.2/EtM with AES-128-CBC-HMAC-SHA256", "NORMAL:-VERS-ALL:+VERS-DTLS1.2:-CIPHER-ALL:+AES-128-CBC:-MAC-ALL:+SHA256", 1500, 1423);
- dtls_mtu_try("DTLS 1.2/EtM with 3DES-CBC-HMAC-SHA1", "NORMAL:-VERS-ALL:+VERS-DTLS1.2:-CIPHER-ALL:+3DES-CBC:-MAC-ALL:+SHA1", 1500, 1455);
+ if (!gnutls_fips140_mode_enabled())
+ dtls_mtu_try("DTLS 1.2/EtM with 3DES-CBC-HMAC-SHA1", "NORMAL:-VERS-ALL:+VERS-DTLS1.2:-CIPHER-ALL:+3DES-CBC:-MAC-ALL:+SHA1", 1500, 1455);
gnutls_global_deinit();
}
Index: gnutls-3.7.3/tests/key-openssl.c
===================================================================
--- gnutls-3.7.3.orig/tests/key-openssl.c
+++ gnutls-3.7.3/tests/key-openssl.c
@@ -115,6 +115,9 @@ void doit(void)
int ret;
gnutls_datum_t key;
+ if (gnutls_fips140_mode_enabled())
+ exit(77);
+
ret = global_init();
if (ret < 0)
fail("global_init: %d\n", ret);
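Review bot: The added `exit(77)` skips the whole test in FIPS mode without saying which part depends on 3DES, so a later reader cannot tell whether the rest of the test could still run. A comment above the guard would help, e.g. `/* skipped in FIPS mode: test data relies on 3DES, which is no longer approved */`, with the wording confirmed against the test data, which is outside the hunk. The same unexplained guard is added in the tests/pkcs11/*.c files, tests/pkcs12_encode.c, tests/pkcs12_s2k_pem.c, tests/rsa-illegal-import.c and tests/tls13/post-handshake-with-cert-pkcs11.c. Where only some inputs use 3DES, skipping just those cases would keep the remaining coverage under FIPS. doit() continues outside the hunk.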
Index: gnutls-3.7.3/tests/mini-overhead.c
===================================================================
--- gnutls-3.7.3.orig/tests/mini-overhead.c
+++ gnutls-3.7.3/tests/mini-overhead.c
@@ -328,9 +328,11 @@ void doit(void)
65);
/* 13 + 20(sha1) + 8(iv) + 8(max pad) */
- start
- ("NONE:+VERS-DTLS1.0:+3DES-CBC:%NO_ETM:+SHA1:+SIGN-ALL:+COMP-NULL:+RSA",
- 49);
+ if (!gnutls_fips140_mode_enabled())
+ start
+ ("NONE:+VERS-DTLS1.0:+3DES-CBC:%NO_ETM:+SHA1:+SIGN-ALL:+COMP-NULL:+RSA",
+ 49);
+
/* 13 + 16(tag) + 4(iv) */
start
("NONE:+VERS-DTLS1.2:+AES-128-GCM:%NO_ETM:+AEAD:+SIGN-ALL:+COMP-NULL:+RSA",
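Review bot: The new `if (!gnutls_fips140_mode_enabled())` guards a `start(...)` call that is split over three lines without braces, so it is easy to misread where the conditional body ends, especially with the next `start` call following right after. Writing it as `if (!gnutls_fips140_mode_enabled()) {` ... `}` would make the extent explicit. The same applies, less strongly, to the two one-line guards added in tests/dtls1-2-mtu-check.c. doit() continues outside the hunk.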
Index: gnutls-3.7.3/tests/pkcs11/gnutls_pcert_list_import_x509_file.c
===================================================================
--- gnutls-3.7.3.orig/tests/pkcs11/gnutls_pcert_list_import_x509_file.c
+++ gnutls-3.7.3/tests/pkcs11/gnutls_pcert_list_import_x509_file.c
@@ -149,6 +149,9 @@ void doit(void)
unsigned int pcerts_size;
char file[TMPNAME_SIZE];
+ if (gnutls_fips140_mode_enabled())
+ exit(77);
+
track_temp_files();
bin = softhsm_bin();
Index: gnutls-3.7.3/tests/pkcs11/gnutls_x509_crt_list_import_url.c
===================================================================
--- gnutls-3.7.3.orig/tests/pkcs11/gnutls_x509_crt_list_import_url.c
+++ gnutls-3.7.3/tests/pkcs11/gnutls_x509_crt_list_import_url.c
@@ -130,6 +130,9 @@ void doit(void)
gnutls_x509_crt_t *crts;
unsigned int crts_size, i;
+ if (gnutls_fips140_mode_enabled())
+ exit(77);
+
bin = softhsm_bin();
lib = softhsm_lib();
Index: gnutls-3.7.3/tests/pkcs11/pkcs11-chainverify.c
===================================================================
--- gnutls-3.7.3.orig/tests/pkcs11/pkcs11-chainverify.c
+++ gnutls-3.7.3/tests/pkcs11/pkcs11-chainverify.c
@@ -78,6 +78,9 @@ void doit(void)
gnutls_typed_vdata_st vdata[2];
char buf[128];
+ if (gnutls_fips140_mode_enabled())
+ exit(77);
+
/* The overloading of time() seems to work in linux (ELF?)
* systems only. Disable it on windows.
*/
Index: gnutls-3.7.3/tests/pkcs11/pkcs11-combo.c
===================================================================
--- gnutls-3.7.3.orig/tests/pkcs11/pkcs11-combo.c
+++ gnutls-3.7.3/tests/pkcs11/pkcs11-combo.c
@@ -217,6 +217,9 @@ void doit(void)
unsigned verify_status = 0;
gnutls_datum_t tmp;
+ if (gnutls_fips140_mode_enabled())
+ exit(77);
+
/* The overloading of time() seems to work in linux (ELF?)
* systems only. Disable it on windows.
*/
Index: gnutls-3.7.3/tests/pkcs11/pkcs11-ec-privkey-test.c
===================================================================
--- gnutls-3.7.3.orig/tests/pkcs11/pkcs11-ec-privkey-test.c
+++ gnutls-3.7.3/tests/pkcs11/pkcs11-ec-privkey-test.c
@@ -83,6 +83,9 @@ void doit(void)
gnutls_pubkey_t pubkey4;
unsigned i;
+ if (gnutls_fips140_mode_enabled())
+ exit(77);
+
bin = softhsm_bin();
lib = softhsm_lib();
Index: gnutls-3.7.3/tests/pkcs11/pkcs11-get-issuer.c
===================================================================
--- gnutls-3.7.3.orig/tests/pkcs11/pkcs11-get-issuer.c
+++ gnutls-3.7.3/tests/pkcs11/pkcs11-get-issuer.c
@@ -85,6 +85,9 @@ void doit(void)
gnutls_datum_t tmp;
int idx = -1;
+ if (gnutls_fips140_mode_enabled())
+ exit(77);
+
/* The overloading of time() seems to work in linux (ELF?)
* systems only. Disable it on windows.
*/
Index: gnutls-3.7.3/tests/pkcs11/pkcs11-import-with-pin.c
===================================================================
--- gnutls-3.7.3.orig/tests/pkcs11/pkcs11-import-with-pin.c
+++ gnutls-3.7.3/tests/pkcs11/pkcs11-import-with-pin.c
@@ -83,6 +83,9 @@ void doit(void)
gnutls_privkey_t pkey;
char file[TMPNAME_SIZE];
+ if (gnutls_fips140_mode_enabled())
+ exit(77);
+
bin = softhsm_bin();
lib = softhsm_lib();
Index: gnutls-3.7.3/tests/pkcs11/pkcs11-is-known.c
===================================================================
--- gnutls-3.7.3.orig/tests/pkcs11/pkcs11-is-known.c
+++ gnutls-3.7.3/tests/pkcs11/pkcs11-is-known.c
@@ -352,6 +352,9 @@ void doit(void)
gnutls_x509_crt_t intermediate, same_dn, same_issuer;
gnutls_datum_t tmp;
+ if (gnutls_fips140_mode_enabled())
+ exit(77);
+
/* The overloading of time() seems to work in linux (ELF?)
* systems only. Disable it on windows.
*/
Index: gnutls-3.7.3/tests/pkcs11/pkcs11-obj-import.c
===================================================================
--- gnutls-3.7.3.orig/tests/pkcs11/pkcs11-obj-import.c
+++ gnutls-3.7.3/tests/pkcs11/pkcs11-obj-import.c
@@ -75,6 +75,9 @@ void doit(void)
gnutls_datum_t tmp, tmp2;
size_t buf_size;
+ if (gnutls_fips140_mode_enabled())
+ exit(77);
+
bin = softhsm_bin();
lib = softhsm_lib();
Index: gnutls-3.7.3/tests/pkcs11/pkcs11-privkey-generate.c
===================================================================
--- gnutls-3.7.3.orig/tests/pkcs11/pkcs11-privkey-generate.c
+++ gnutls-3.7.3/tests/pkcs11/pkcs11-privkey-generate.c
@@ -85,6 +85,9 @@ void doit(void)
unsigned flags;
gnutls_pkcs11_obj_t obj;
+ if (gnutls_fips140_mode_enabled())
+ exit(77);
+
ret = global_init();
if (ret != 0) {
fail("%d: %s\n", ret, gnutls_strerror(ret));
Index: gnutls-3.7.3/tests/pkcs11/pkcs11-privkey.c
===================================================================
--- gnutls-3.7.3.orig/tests/pkcs11/pkcs11-privkey.c
+++ gnutls-3.7.3/tests/pkcs11/pkcs11-privkey.c
@@ -129,6 +129,9 @@ void doit(void)
gnutls_certificate_credentials_t cred;
gnutls_datum_t tmp;
+ if (gnutls_fips140_mode_enabled())
+ exit(77);
+
/* The overloading of time() seems to work in linux (ELF?)
* systems only. Disable it on windows.
*/
Index: gnutls-3.7.3/tests/pkcs11/pkcs11-pubkey-import.c
===================================================================
--- gnutls-3.7.3.orig/tests/pkcs11/pkcs11-pubkey-import.c
+++ gnutls-3.7.3/tests/pkcs11/pkcs11-pubkey-import.c
@@ -75,6 +75,9 @@ static void try(int rsa)
gnutls_pubkey_t pubkey;
gnutls_pubkey_t pubkey2;
+ if (gnutls_fips140_mode_enabled())
+ exit(77);
+
bin = softhsm_bin();
lib = softhsm_lib();
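Review bot: Here the FIPS skip is placed inside the helper `try(int rsa)` (per the hunk header) rather than at the top of the test's entry point, unlike the other tests touched by this patch. It works because `exit(77)` ends the process, but whatever the caller does before invoking `try()` runs first, and the skip is harder to find. Moving `if (gnutls_fips140_mode_enabled()) exit(77);` to the start of the entry point (presumably `doit()`, as in the sibling tests) would match the rest. Both functions extend beyond the hunk, so this is based on the visible lines only.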
Index: gnutls-3.7.3/tests/pkcs11/pkcs11-rsa-pss-privkey-test.c
===================================================================
--- gnutls-3.7.3.orig/tests/pkcs11/pkcs11-rsa-pss-privkey-test.c
+++ gnutls-3.7.3/tests/pkcs11/pkcs11-rsa-pss-privkey-test.c
@@ -96,6 +96,9 @@ void doit(void)
gnutls_pubkey_t pubkey2;
unsigned i, sigalgo;
+ if (gnutls_fips140_mode_enabled())
+ exit(77);
+
bin = softhsm_bin();
lib = softhsm_lib();
Index: gnutls-3.7.3/tests/pkcs11/tls-neg-pkcs11-key.c
===================================================================
--- gnutls-3.7.3.orig/tests/pkcs11/tls-neg-pkcs11-key.c
+++ gnutls-3.7.3/tests/pkcs11/tls-neg-pkcs11-key.c
@@ -419,6 +419,9 @@ void doit(void)
unsigned int i, have_eddsa;
int ret;
+ if (gnutls_fips140_mode_enabled())
+ exit(77);
+
#ifdef _WIN32
exit(77);
#endif
Index: gnutls-3.7.3/tests/pkcs11/tls-neg-pkcs11-no-key.c
===================================================================
--- gnutls-3.7.3.orig/tests/pkcs11/tls-neg-pkcs11-no-key.c
+++ gnutls-3.7.3/tests/pkcs11/tls-neg-pkcs11-no-key.c
@@ -330,6 +330,9 @@ void doit(void)
pid_t child;
int status = 0;
+ if (gnutls_fips140_mode_enabled())
+ exit(77);
+
/* check if softhsm module is loadable */
(void) softhsm_lib();
Index: gnutls-3.7.3/tests/pkcs12_encode.c
===================================================================
--- gnutls-3.7.3.orig/tests/pkcs12_encode.c
+++ gnutls-3.7.3/tests/pkcs12_encode.c
@@ -83,6 +83,9 @@ void doit(void)
size_t size;
unsigned tests, i;
+ if (gnutls_fips140_mode_enabled())
+ exit(77);
+
ret = global_init();
if (ret < 0) {
fprintf(stderr, "global_init %d", ret);
Index: gnutls-3.7.3/tests/pkcs12_s2k_pem.c
===================================================================
--- gnutls-3.7.3.orig/tests/pkcs12_s2k_pem.c
+++ gnutls-3.7.3/tests/pkcs12_s2k_pem.c
@@ -254,6 +254,9 @@ int main(void)
size_t i;
int ret;
+ if (gnutls_fips140_mode_enabled())
+ exit(77);
+
global_init();
for (i = 0; i < sizeof(keys) / sizeof(keys[0]); i++) {
Index: gnutls-3.7.3/tests/rsa-illegal-import.c
===================================================================
--- gnutls-3.7.3.orig/tests/rsa-illegal-import.c
+++ gnutls-3.7.3/tests/rsa-illegal-import.c
@@ -145,6 +145,9 @@ int check_pkcs8_privkey2(void)
void doit(void)
{
+ if (gnutls_fips140_mode_enabled())
+ exit(77);
+
#if NETTLE_VERSION_MAJOR < 3 || (NETTLE_VERSION_MAJOR == 3 && NETTLE_VERSION_MINOR <= 2)
/* These checks are enforced only on new versions of nettle */
exit(77);
Index: gnutls-3.7.3/tests/slow/cipher-api-test.c
===================================================================
--- gnutls-3.7.3.orig/tests/slow/cipher-api-test.c
+++ gnutls-3.7.3/tests/slow/cipher-api-test.c
@@ -359,8 +359,8 @@ void doit(void)
start("aes128-cbc", GNUTLS_CIPHER_AES_128_CBC, 0);
start("aes192-cbc", GNUTLS_CIPHER_AES_192_CBC, 0);
start("aes256-cbc", GNUTLS_CIPHER_AES_256_CBC, 0);
- start("3des-cbc", GNUTLS_CIPHER_3DES_CBC, 0);
if (!gnutls_fips140_mode_enabled()) {
+ start("3des-cbc", GNUTLS_CIPHER_3DES_CBC, 0);
start("camellia128-gcm", GNUTLS_CIPHER_CAMELLIA_128_GCM, 1);
start("camellia256-gcm", GNUTLS_CIPHER_CAMELLIA_256_GCM, 1);
start("chacha20-poly1305", GNUTLS_CIPHER_CHACHA20_POLY1305, 1);
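Review bot: After this change nothing in the visible test hunks checks that 3DES is actually refused, or reported as not approved, when FIPS mode is on. Every 3DES case is skipped or disabled under FIPS: here, in tests/dtls1-2-mtu-check.c, in tests/mini-overhead.c, and through the `.not_on_fips = 1` entries in tests/tls10-cipher-neg.c, tests/tls11-cipher-neg.c and tests/tls12-cipher-neg.c. A regression that put `GNUTLS_CIPHER_3DES_CBC` back into `is_cipher_algo_approved_in_fips()` would therefore still pass the suite. A FIPS-only case that asserts the expected failure or not-approved indication for 3DES would pin the new behaviour; the exact call to assert on depends on code outside this patch.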
Index: gnutls-3.7.3/tests/tls10-cipher-neg.c
===================================================================
--- gnutls-3.7.3.orig/tests/tls10-cipher-neg.c
+++ gnutls-3.7.3/tests/tls10-cipher-neg.c
@@ -65,24 +65,28 @@ test_case_st tests[] = {
{
.name = "server TLS 1.0: 3DES-CBC (server)",
.cipher = GNUTLS_CIPHER_3DES_CBC,
+ .not_on_fips = 1,
.server_prio = "NORMAL:-CIPHER-ALL:+3DES-CBC:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.0:%SERVER_PRECEDENCE",
.client_prio = "NORMAL:+3DES-CBC"
},
{
.name = "both TLS 1.0: 3DES-CBC (server)",
.cipher = GNUTLS_CIPHER_3DES_CBC,
+ .not_on_fips = 1,
.server_prio = "NORMAL:-CIPHER-ALL:+3DES-CBC:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.0:%SERVER_PRECEDENCE",
.client_prio = "NORMAL:+3DES-CBC:+VERS-TLS1.0"
},
{
.name = "client TLS 1.0: 3DES-CBC (client)",
.cipher = GNUTLS_CIPHER_3DES_CBC,
+ .not_on_fips = 1,
.server_prio = "NORMAL:+3DES-CBC",
.client_prio = "NORMAL:-CIPHER-ALL:+3DES-CBC:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.0"
},
{
.name = "both TLS 1.0: 3DES-CBC (client)",
.cipher = GNUTLS_CIPHER_3DES_CBC,
+ .not_on_fips = 1,
.server_prio = "NORMAL:+3DES-CBC:+VERS-TLS1.0",
.client_prio = "NORMAL:-CIPHER-ALL:+3DES-CBC:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.0"
},
Index: gnutls-3.7.3/tests/tls11-cipher-neg.c
===================================================================
--- gnutls-3.7.3.orig/tests/tls11-cipher-neg.c
+++ gnutls-3.7.3/tests/tls11-cipher-neg.c
@@ -65,24 +65,28 @@ test_case_st tests[] = {
{
.name = "server TLS 1.1: 3DES-CBC (server)",
.cipher = GNUTLS_CIPHER_3DES_CBC,
+ .not_on_fips = 1,
.server_prio = "NORMAL:-CIPHER-ALL:+3DES-CBC:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.1:%SERVER_PRECEDENCE",
.client_prio = "NORMAL:+3DES-CBC"
},
{
.name = "both TLS 1.1: 3DES-CBC (server)",
.cipher = GNUTLS_CIPHER_3DES_CBC,
+ .not_on_fips = 1,
.server_prio = "NORMAL:-CIPHER-ALL:+3DES-CBC:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.1:%SERVER_PRECEDENCE",
.client_prio = "NORMAL:+3DES-CBC:+VERS-TLS1.1"
},
{
.name = "client TLS 1.1: 3DES-CBC (client)",
.cipher = GNUTLS_CIPHER_3DES_CBC,
+ .not_on_fips = 1,
.server_prio = "NORMAL:+3DES-CBC",
.client_prio = "NORMAL:-CIPHER-ALL:+3DES-CBC:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.1"
},
{
.name = "both TLS 1.1: 3DES-CBC (client)",
.cipher = GNUTLS_CIPHER_3DES_CBC,
+ .not_on_fips = 1,
.server_prio = "NORMAL:+3DES-CBC:+VERS-TLS1.1",
.client_prio = "NORMAL:-CIPHER-ALL:+3DES-CBC:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.1"
},
Index: gnutls-3.7.3/tests/tls12-cipher-neg.c
===================================================================
--- gnutls-3.7.3.orig/tests/tls12-cipher-neg.c
+++ gnutls-3.7.3/tests/tls12-cipher-neg.c
@@ -173,6 +173,7 @@ test_case_st tests[] = {
{
.name = "server TLS 1.2: 3DES-CBC (server)",
.cipher = GNUTLS_CIPHER_3DES_CBC,
+ .not_on_fips = 1,
.server_prio = "NORMAL:-CIPHER-ALL:+3DES-CBC:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.2:%SERVER_PRECEDENCE",
.client_prio = "NORMAL:+3DES-CBC",
.desc = "(TLS1.2)-(ECDHE-SECP256R1)-(ECDSA-SHA256)-(3DES-CBC)-(SHA1)"
@@ -180,6 +181,7 @@ test_case_st tests[] = {
{
.name = "both TLS 1.2: 3DES-CBC (server)",
.cipher = GNUTLS_CIPHER_3DES_CBC,
+ .not_on_fips = 1,
.server_prio = "NORMAL:-CIPHER-ALL:+3DES-CBC:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.2:%SERVER_PRECEDENCE",
.client_prio = "NORMAL:+3DES-CBC:+VERS-TLS1.2",
.desc = "(TLS1.2)-(ECDHE-SECP256R1)-(ECDSA-SHA256)-(3DES-CBC)-(SHA1)"
@@ -187,6 +189,7 @@ test_case_st tests[] = {
{
.name = "client TLS 1.2: 3DES-CBC (client)",
.cipher = GNUTLS_CIPHER_3DES_CBC,
+ .not_on_fips = 1,
.server_prio = "NORMAL:+3DES-CBC",
.client_prio = "NORMAL:-CIPHER-ALL:+3DES-CBC:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.2",
.desc = "(TLS1.2)-(ECDHE-SECP256R1)-(ECDSA-SHA256)-(3DES-CBC)-(SHA1)"
@@ -194,6 +197,7 @@ test_case_st tests[] = {
{
.name = "both TLS 1.2: 3DES-CBC (client)",
.cipher = GNUTLS_CIPHER_3DES_CBC,
+ .not_on_fips = 1,
.server_prio = "NORMAL:+3DES-CBC:+VERS-TLS1.2",
.client_prio = "NORMAL:-CIPHER-ALL:+3DES-CBC:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.2",
.desc = "(TLS1.2)-(ECDHE-SECP256R1)-(ECDSA-SHA256)-(3DES-CBC)-(SHA1)"
Index: gnutls-3.7.3/tests/tls13/post-handshake-with-cert-pkcs11.c
===================================================================
--- gnutls-3.7.3.orig/tests/tls13/post-handshake-with-cert-pkcs11.c
+++ gnutls-3.7.3/tests/tls13/post-handshake-with-cert-pkcs11.c
@@ -444,6 +444,9 @@ void doit(void)
const char *bin;
char buf[128];
+ if (gnutls_fips140_mode_enabled())
+ exit(77);
+
/* check if softhsm module is loadable */
(void) softhsm_lib();