Commit 0c537b55b3 for openssl.org
commit 0c537b55b3df65014b694db385117427db32a31e
Author: slontis <shane.lontis@oracle.com>
Date: Wed Feb 18 16:48:04 2026 +1100
FIPS self tests: fix config options when -no-bulk is used
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Wed Feb 25 11:02:07 2026
(Merged from https://github.com/openssl/openssl/pull/30103)
diff --git a/providers/fips/self_test_data.c b/providers/fips/self_test_data.c
index fe77f1d0ed..8990d6cf8e 100644
--- a/providers/fips/self_test_data.c
+++ b/providers/fips/self_test_data.c
@@ -578,13 +578,13 @@ static const ST_KAT_PARAM kbkdf_kmac_params[] = {
ST_KAT_PARAM_OCTET(OSSL_KDF_PARAM_INFO, kbkdf_kmac_context),
ST_KAT_PARAM_END()
};
-#endif /* OPENSSL_NO_KBKDF */
static const self_test_id_t kbkdf_depends_on[] = {
ST_ID_KDF_KBKDF,
ST_ID_KDF_KBKDF_KMAC,
ST_ID_MAX
};
+#endif /* OPENSSL_NO_KBKDF */
static const char tls13_kdf_digest[] = "SHA256";
static int tls13_kdf_extract_mode = EVP_KDF_HKDF_MODE_EXTRACT_ONLY;
@@ -643,7 +643,9 @@ static const ST_KAT_PARAM tls13_kdf_client_early_secret_params[] = {
* the variants will be used, so we just test them all at once
*/
static const self_test_id_t hkdf_depends_on[] = {
+#ifndef OPENSSL_NO_KBKDF
ST_ID_KDF_KBKDF,
+#endif
ST_ID_KDF_TLS13_EXTRACT,
ST_ID_KDF_TLS13_EXPAND,
ST_ID_MAX
diff --git a/providers/fips/self_test_kats.c b/providers/fips/self_test_kats.c
index 6b9515b24e..cb8e17af3c 100644
--- a/providers/fips/self_test_kats.c
+++ b/providers/fips/self_test_kats.c
@@ -19,6 +19,18 @@
#include "internal/cryptlib.h"
#include "self_test.h"
+#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC)
+#define SELF_TEST_KA_ENABLED 1
+#endif
+
+#if !defined(OPENSSL_NO_ML_DSA) || !defined(OPENSSL_NO_SLH_DSA)
+#define SELF_TEST_ASYM_KEYGEN_ENABLED 1
+#endif
+
+#if !defined(OPENSSL_NO_ML_KEM)
+#define SELF_TEST_KEM_ENABLED 1
+#endif
+
static int set_kat_drbg(OSSL_LIB_CTX *ctx,
const unsigned char *entropy, size_t entropy_len,
const unsigned char *nonce, size_t nonce_len,
@@ -393,7 +405,7 @@ err:
return ret;
}
-#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC)
+#if defined(SELF_TEST_KA_ENABLED)
static int self_test_ka(const ST_DEFINITION *t,
OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
{
@@ -454,7 +466,7 @@ err:
OSSL_SELF_TEST_onend(st, ret);
return ret;
}
-#endif /* !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC) */
+#endif /* defined(SELF_TEST_KA_ENABLED) */
static int digest_signature(const uint8_t *sig, size_t sig_len,
uint8_t *out, size_t *out_len,
@@ -601,7 +613,7 @@ err:
return ret;
}
-#if !defined(OPENSSL_NO_ML_DSA) || !defined(OPENSSL_NO_SLH_DSA)
+#if defined(SELF_TEST_ASYM_KEYGEN_ENABLED)
/*
* Test that a deterministic key generation produces the correct key
*/
@@ -651,9 +663,9 @@ err:
OSSL_SELF_TEST_onend(st, ret);
return ret;
}
-#endif /* OPENSSL_NO_ML_DSA */
+#endif /* defined(SELF_TEST_ASYM_KEYGEN_ENABLED) */
-#ifndef OPENSSL_NO_ML_KEM
+#if defined(SELF_TEST_KEM_ENABLED)
/*
* FIPS 140-3 IG 10.3.A resolution 14 mandates a CAST for ML-KEM
* encapsulation.
@@ -809,7 +821,7 @@ err:
OSSL_PARAM_free(params);
return ret;
}
-#endif
+#endif /* defined(SELF_TEST_KEM_ENABLED) */
/*
* Test an encrypt or decrypt KAT..
@@ -1112,15 +1124,21 @@ static int SELF_TEST_kats_single(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx,
case SELF_TEST_DRBG:
ret = self_test_drbg(&st_all_tests[id], st, libctx);
break;
+#if defined(SELF_TEST_KA_ENABLED)
case SELF_TEST_KAT_KAS:
ret = self_test_ka(&st_all_tests[id], st, libctx);
break;
+#endif
+#if defined(SELF_TEST_ASYM_KEYGEN_ENABLED)
case SELF_TEST_KAT_ASYM_KEYGEN:
ret = self_test_asym_keygen(&st_all_tests[id], st, libctx);
break;
+#endif
+#if defined(SELF_TEST_KEM_ENABLED)
case SELF_TEST_KAT_KEM:
ret = self_test_kem(&st_all_tests[id], st, libctx);
break;
+#endif
case SELF_TEST_KAT_ASYM_CIPHER:
ret = self_test_asym_cipher(&st_all_tests[id], st, libctx);
break;
diff --git a/providers/implementations/kdfs/build.info b/providers/implementations/kdfs/build.info
index 60146804b3..fbf6097dc0 100644
--- a/providers/implementations/kdfs/build.info
+++ b/providers/implementations/kdfs/build.info
@@ -22,7 +22,7 @@ SOURCE[$TLS1_PRF_GOAL]=tls1_prf.c
SOURCE[$HKDF_GOAL]=hkdf.c
-IF[{- !$disable{kbkdf} -}]
+IF[{- !$disabled{kbkdf} -}]
SOURCE[$KBKDF_GOAL]=kbkdf.c
ENDIF