Open paulidale opened 1 year ago
openssl/openssl#22256 adds MAC length enforcement for KMAC. HMAC is problematic because shorter lengths are allowed for legacy verification & we cannot distinguish.
Also there is a tracker for outstanding items from our lab.
@paulidale, could you provide a ballpark estimate for the work detailed here and possibly break it down into separate tickets?
Ha ha ha ha ha. You must be joking.
See also this epic covering the FIPS 186-5 changes: openssl/project#263
At ICMC, @t8m noted these items in a discussion with KeyPair:
X25519 and X448 KEX is not really allowed with FIPS 140-3 modules - it was explicitly mentioned in some presentations (it was and is allowed with 140-2) and it was also affirmed by Steve from KeyPair.
Steve also mentioned that there are some other requirements such as minimum key size for HMAC which we currently do not check and we might be required to with the FIPS 140-3 module.
Steve promised to file issues in our GHE about these things they had to do because of the NIST review of their module.
DSA will no longer be approved except for signature verification from Feb 2024.
What we are doing with chaining trees of DRBGs is not yet approved but it should be with a SP 800-90C update that is in the works.
The reason for making the RSA PKCS#1 1.5 encryption a soft transition is that the queue is already long from these previous hard transitions.
Not noted: