zzy/openssl
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Cleanups for FIPS options..

Browse Source 
The options in fipsprov.c are now generated using macros with fips_indicator_params.inc.
This should keep the naming consistent.

Some FIPS related headers have moved to providers/fips/include so that
they can use fips_indicator_params.inc.
securitycheck.h now includes fipsindicator.h, and fipsindicator.h includes
fipscommon.h.

fipsinstall.c uses OSSL_PROV_PARAM_ for the configurable FIPS options rather than
using OSSL_PROV_FIPS_PARAM_* as this was confusing as to which one should be used.
fips_names.h just uses aliases now for existing public names.

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25162)
This commit is contained in:
slontis 2024-08-12 19:31:10 +10:00 committed by Tomas Mraz
parent accd835f8d
commit f6a296c386
46 changed files with 225 additions and 719 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

50
apps/fipsinstall.c
View File

@ -361,68 +361,68 @@ static int write_config_fips_section(BIO *out, const char *section,
VERSION_VAL) <= 0
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_CONDITIONAL_ERRORS,
opts->conditional_errors ? "1" : "0") <= 0
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_SECURITY_CHECKS,
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_SECURITY_CHECKS,
opts->security_checks ? "1" : "0") <= 0
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_HMAC_KEY_CHECK,
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_HMAC_KEY_CHECK,
opts->hmac_key_check ? "1": "0") <= 0
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_KMAC_KEY_CHECK,
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_KMAC_KEY_CHECK,
opts->kmac_key_check ? "1": "0") <= 0
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_TLS1_PRF_EMS_CHECK,
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_TLS1_PRF_EMS_CHECK,
opts->tls_prf_ems_check ? "1" : "0") <= 0
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_NO_SHORT_MAC,
opts->no_short_mac ? "1" : "0") <= 0
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_DRBG_TRUNC_DIGEST,
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_DRBG_TRUNC_DIGEST,
opts->drgb_no_trunc_dgst ? "1" : "0") <= 0
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_SIGNATURE_DIGEST_CHECK,
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_SIGNATURE_DIGEST_CHECK,
opts->signature_digest_check ? "1" : "0") <= 0
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_HKDF_DIGEST_CHECK,
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_HKDF_DIGEST_CHECK,
opts->hkdf_digest_check ? "1": "0") <= 0
|| BIO_printf(out, "%s = %s\n",
OSSL_PROV_FIPS_PARAM_TLS13_KDF_DIGEST_CHECK,
OSSL_PROV_PARAM_TLS13_KDF_DIGEST_CHECK,
opts->tls13_kdf_digest_check ? "1": "0") <= 0
|| BIO_printf(out, "%s = %s\n",
OSSL_PROV_FIPS_PARAM_TLS1_PRF_DIGEST_CHECK,
OSSL_PROV_PARAM_TLS1_PRF_DIGEST_CHECK,
opts->tls1_prf_digest_check ? "1": "0") <= 0
|| BIO_printf(out, "%s = %s\n",
OSSL_PROV_FIPS_PARAM_SSHKDF_DIGEST_CHECK,
OSSL_PROV_PARAM_SSHKDF_DIGEST_CHECK,
opts->sshkdf_digest_check ? "1": "0") <= 0
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_SSKDF_DIGEST_CHECK,
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_SSKDF_DIGEST_CHECK,
opts->sskdf_digest_check ? "1": "0") <= 0
|| BIO_printf(out, "%s = %s\n",
OSSL_PROV_FIPS_PARAM_X963KDF_DIGEST_CHECK,
OSSL_PROV_PARAM_X963KDF_DIGEST_CHECK,
opts->x963kdf_digest_check ? "1": "0") <= 0
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_DSA_SIGN_DISABLED,
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_DSA_SIGN_DISABLED,
opts->dsa_sign_disabled ? "1" : "0") <= 0
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_TDES_ENCRYPT_DISABLED,
opts->tdes_encrypt_disabled ? "1" : "0") <= 0
|| BIO_printf(out, "%s = %s\n",
OSSL_PROV_FIPS_PARAM_RSA_PKCS15_PADDING_DISABLED,
OSSL_PROV_PARAM_RSA_PKCS15_PAD_DISABLED,
opts->rsa_pkcs15_padding_disabled ? "1" : "0") <= 0
|| BIO_printf(out, "%s = %s\n",
OSSL_PROV_FIPS_PARAM_RSA_PSS_SALTLEN_CHECK,
OSSL_PROV_PARAM_RSA_PSS_SALTLEN_CHECK,
opts->rsa_pss_saltlen_check ? "1" : "0") <= 0
|| BIO_printf(out, "%s = %s\n",
OSSL_PROV_FIPS_PARAM_RSA_SIGN_X931_PAD_DISABLED,
OSSL_PROV_PARAM_RSA_SIGN_X931_PAD_DISABLED,
opts->sign_x931_padding_disabled ? "1" : "0") <= 0
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_HKDF_KEY_CHECK,
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_HKDF_KEY_CHECK,
opts->hkdf_key_check ? "1": "0") <= 0
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_KBKDF_KEY_CHECK,
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_KBKDF_KEY_CHECK,
opts->kbkdf_key_check ? "1": "0") <= 0
|| BIO_printf(out, "%s = %s\n",
OSSL_PROV_FIPS_PARAM_TLS13_KDF_KEY_CHECK,
OSSL_PROV_PARAM_TLS13_KDF_KEY_CHECK,
opts->tls13_kdf_key_check ? "1": "0") <= 0
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_TLS1_PRF_KEY_CHECK,
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_TLS1_PRF_KEY_CHECK,
opts->tls1_prf_key_check ? "1": "0") <= 0
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_SSHKDF_KEY_CHECK,
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_SSHKDF_KEY_CHECK,
opts->sshkdf_key_check ? "1": "0") <= 0
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_SSKDF_KEY_CHECK,
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_SSKDF_KEY_CHECK,
opts->sskdf_key_check ? "1": "0") <= 0
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_X963KDF_KEY_CHECK,
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_X963KDF_KEY_CHECK,
opts->x963kdf_key_check ? "1": "0") <= 0
|| BIO_printf(out, "%s = %s\n",
OSSL_PROV_FIPS_PARAM_PBKDF2_LOWER_BOUND_CHECK,
OSSL_PROV_PARAM_PBKDF2_LOWER_BOUND_CHECK,
opts->pbkdf2_lower_bound_check ? "1" : "0") <= 0
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_ECDH_COFACTOR_CHECK,
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_ECDH_COFACTOR_CHECK,
opts->ecdh_cofactor_check ? "1": "0") <= 0
|| !print_mac(out, OSSL_PROV_FIPS_PARAM_MODULE_MAC, module_mac,
module_mac_len))

243
include/openssl/fips_names.h
View File

@ -17,27 +17,18 @@ extern "C" {
/*
* Parameter names that the FIPS Provider defines
* All parameters are of type: OSSL_PARAM_UTF8_STRING
*/
/*
* The calculated MAC of the module file (Used for FIPS Self Testing)
* Type: OSSL_PARAM_UTF8_STRING
*/
/* The following 4 Parameters are used for FIPS Self Testing */
/* The calculated MAC of the module file */
# define OSSL_PROV_FIPS_PARAM_MODULE_MAC "module-mac"
/*
* A version number for the fips install process (Used for FIPS Self Testing)
* Type: OSSL_PARAM_UTF8_STRING
*/
/* The Version number for the fips install process */
# define OSSL_PROV_FIPS_PARAM_INSTALL_VERSION "install-version"
/*
* The calculated MAC of the install status indicator (Used for FIPS Self Testing)
* Type: OSSL_PARAM_UTF8_STRING
*/
/* The calculated MAC of the install status indicator */
# define OSSL_PROV_FIPS_PARAM_INSTALL_MAC "install-mac"
/*
* The install status indicator (Used for FIPS Self Testing)
* Type: OSSL_PARAM_UTF8_STRING
*/
/* The install status indicator */
# define OSSL_PROV_FIPS_PARAM_INSTALL_STATUS "install-status"
/*
@ -47,222 +38,10 @@ extern "C" {
*/
# define OSSL_PROV_FIPS_PARAM_CONDITIONAL_ERRORS "conditional-errors"
/*
* A boolean that determines if the runtime FIPS security checks are performed.
* This is enabled by default.
* Type: OSSL_PARAM_UTF8_STRING
*/
# define OSSL_PROV_FIPS_PARAM_SECURITY_CHECKS "security-checks"
/*
* A boolean that determines if the runtime FIPS check for TLS1_PRF EMS is performed.
* This is disabled by default.
* Type: OSSL_PARAM_UTF8_STRING
*/
# define OSSL_PROV_FIPS_PARAM_TLS1_PRF_EMS_CHECK "tls1-prf-ems-check"
/*
* A boolean that determines if the runtime FIPS check for undersized MAC output
* is performed.
* This is enabled by default.
* Type: OSSL_PARAM_UTF8_STRING
*/
# define OSSL_PROV_FIPS_PARAM_NO_SHORT_MAC "no-short-mac"
/*
* A boolean that determines if the runtime FIPS key check for HMAC is
* performed.
* This is enabled by default.
* Type: OSSL_PARAM_UTF8_STRING
*/
# define OSSL_PROV_FIPS_PARAM_HMAC_KEY_CHECK "hmac-key-check"
/*
* A boolean that determines if the runtime FIPS key check for KMAC is
* performed.
* This is enabled by default.
* Type: OSSL_PARAM_UTF8_STRING
*/
# define OSSL_PROV_FIPS_PARAM_KMAC_KEY_CHECK "kmac-key-check"
/*
* A boolean that determines if truncated digests can be used with Hash and HMAC
* DRBGs. FIPS 140-3 IG D.R disallows such use for efficiency rather than
* security reasons.
* This is disabled by default.
* Type: OSSL_PARAM_UTF8_STRING
*/
# define OSSL_PROV_FIPS_PARAM_DRBG_TRUNC_DIGEST "drbg-no-trunc-md"
/*
* A boolean that determines if the digest algorithm used as part of a
* signature algorithm is in the approved list.
* This is disabled by default.
* Type: OSSL_PARAM_UTF8_STRING
*/
# define OSSL_PROV_FIPS_PARAM_SIGNATURE_DIGEST_CHECK "signature-digest-check"
/*
* A boolean that determines if the runtime FIPS digest check for HKDF is
* performed.
* This is disabled by default.
* Type: OSSL_PARAM_UTF8_STRING
*/
# define OSSL_PROV_FIPS_PARAM_HKDF_DIGEST_CHECK "hkdf-digest-check"
/*
* A boolean that determines if the runtime FIPS digest check for TLS13 KDF is
* performed.
* This is disabled by default.
* Type: OSSL_PARAM_UTF8_STRING
*/
# define OSSL_PROV_FIPS_PARAM_TLS13_KDF_DIGEST_CHECK "tls13-kdf-digest-check"
/*
* A boolean that determines if the runtime FIPS digest check for TLS1_PRF is
* performed.
* This is disabled by default.
* Type: OSSL_PARAM_UTF8_STRING
*/
# define OSSL_PROV_FIPS_PARAM_TLS1_PRF_DIGEST_CHECK "tls1-prf-digest-check"
/*
* A boolean that determines if the runtime FIPS digest check for SSHKDF is
* performed.
* This is disabled by default.
* Type: OSSL_PARAM_UTF8_STRING
*/
# define OSSL_PROV_FIPS_PARAM_SSHKDF_DIGEST_CHECK "sshkdf-digest-check"
/*
* A boolean that determines if the runtime FIPS digest check for SSKDF is
* performed.
* This is disabled by default.
* Type: OSSL_PARAM_UTF8_STRING
*/
# define OSSL_PROV_FIPS_PARAM_SSKDF_DIGEST_CHECK "sskdf-digest-check"
/*
* A boolean that determines if the runtime FIPS digest check for X963KDF is
* performed.
* This is disabled by default.
* Type: OSSL_PARAM_UTF8_STRING
*/
# define OSSL_PROV_FIPS_PARAM_X963KDF_DIGEST_CHECK "x963kdf-digest-check"
/*
* A boolean that determines if DSA signing operations are allowed.
* This is disabled by default.
* Type: OSSL_PARAM_UTF8_STRING
*/
# define OSSL_PROV_FIPS_PARAM_DSA_SIGN_DISABLED "dsa-sign-disabled"
/*
* A boolean that determines if Triple-DES encryption operations are allowed.
* See SP800-131A r2 for further information.
* This is disabled by default.
* Type: OSSL_PARAM_UTF8_STRING
*/
# define OSSL_PROV_FIPS_PARAM_TDES_ENCRYPT_DISABLED "tdes-encrypt-disabled"
/*
* A boolean that determines if PKCS#1 v1.5 padding is allowed for key
* agreement and transport operations.
* See SP800-131A r2 for further information.
* This is disabled by default.
* Type: OSSL_PARAM_UTF8_STRING
*/
# define OSSL_PROV_FIPS_PARAM_RSA_PKCS15_PADDING_DISABLED \
"rsa-pkcs15-padding-disabled"
/*
* A boolean that determines if the runtime salt length check for RSA-PSS is
* performed.
* This is disabled by default.
* Type: OSSL_PARAM_UTF8_STRING
*/
# define OSSL_PROV_FIPS_PARAM_RSA_PSS_SALTLEN_CHECK "rsa-pss-saltlen-check"
/*
* A boolean that determines if X9.31 padding can be used for RSA signing.
* X9.31 RSA has been removed from FIPS 186-5, and is no longer approved for
* signing. it may still be used for verification for legacy purposes.
* This is disabled by default.
* Type: OSSL_PARAM_UTF8_STRING
*/
# define OSSL_PROV_FIPS_PARAM_RSA_SIGN_X931_PAD_DISABLED "rsa-sign-x931-pad-disabled"
/*
* A boolean that determines if the runtime FIPS key check for HKDF is
* performed.
* This is disabled by default.
* Type: OSSL_PARAM_UTF8_STRING
*/
# define OSSL_PROV_FIPS_PARAM_HKDF_KEY_CHECK "hkdf-key-check"
/*
* A boolean that determines if the runtime FIPS key check for KBKDF is
* performed.
* This is disabled by default.
* Type: OSSL_PARAM_UTF8_STRING
*/
# define OSSL_PROV_FIPS_PARAM_KBKDF_KEY_CHECK "kbkdf-key-check"
/*
* A boolean that determines if the runtime FIPS key check for TLS13 KDF is
* performed.
* This is disabled by default.
* Type: OSSL_PARAM_UTF8_STRING
*/
# define OSSL_PROV_FIPS_PARAM_TLS13_KDF_KEY_CHECK "tls13-kdf-key-check"
/*
* A boolean that determines if the runtime FIPS key check for TLS1_PRF is
* performed.
* This is disabled by default.
* Type: OSSL_PARAM_UTF8_STRING
*/
# define OSSL_PROV_FIPS_PARAM_TLS1_PRF_KEY_CHECK "tls1-prf-key-check"
/*
* A boolean that determines if the runtime FIPS key check for SSHKDF is
* performed.
* This is disabled by default.
* Type: OSSL_PARAM_UTF8_STRING
*/
# define OSSL_PROV_FIPS_PARAM_SSHKDF_KEY_CHECK "sshkdf-key-check"
/*
* A boolean that determines if the runtime FIPS key check for SSKDF is
* performed.
* This is disabled by default.
* Type: OSSL_PARAM_UTF8_STRING
*/
# define OSSL_PROV_FIPS_PARAM_SSKDF_KEY_CHECK "sskdf-key-check"
/*
* A boolean that determines if the runtime FIPS key check for X963KDF is
* performed.
* This is disabled by default.
* Type: OSSL_PARAM_UTF8_STRING
*/
# define OSSL_PROV_FIPS_PARAM_X963KDF_KEY_CHECK "x963kdf-key-check"
/*
* A boolean that determines if the runtime lower bound check for PBKDF2 is
* performed.
* This is enabled by default.
* Type: OSSL_PARAM_UTF8_STRING
*/
# define OSSL_PROV_FIPS_PARAM_PBKDF2_LOWER_BOUND_CHECK "pbkdf2-lower-bound-check"
/*
* A boolean that determines if the runtime cofactor check for ECDH is
* performed.
* This is disabled by default.
* Type: OSSL_PARAM_UTF8_STRING
*/
# define OSSL_PROV_FIPS_PARAM_ECDH_COFACTOR_CHECK "ecdh-cofactor-check"
/* The following are provided for backwards compatibility */
# define OSSL_PROV_FIPS_PARAM_SECURITY_CHECKS OSSL_PROV_PARAM_SECURITY_CHECKS
# define OSSL_PROV_FIPS_PARAM_TLS1_PRF_EMS_CHECK OSSL_PROV_PARAM_TLS1_PRF_EMS_CHECK
# define OSSL_PROV_FIPS_PARAM_DRBG_TRUNC_DIGEST OSSL_PROV_PARAM_DRBG_TRUNC_DIGEST
# ifdef __cplusplus
}

3
providers/build.info
View File

@ -46,7 +46,8 @@ LIBS{noinst}=$LIBDEFAULT $LIBCOMMON
# providers/implementations/include), which includes crypto/*_platform.h
# (present in include), which in turn may include very internal header
# files in crypto/, so let's have a common include list for them all.
$COMMON_INCLUDES=../crypto ../include implementations/include common/include
$COMMON_INCLUDES=../crypto ../include implementations/include common/include \
fips/include
INCLUDE[$LIBCOMMON]=$COMMON_INCLUDES
INCLUDE[$LIBFIPS]=.. $COMMON_INCLUDES

40
providers/common/include/prov/fipscommon.h
View File

@ -1,40 +0,0 @@
/*
* Copyright 2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
#ifdef FIPS_MODULE
# include <openssl/types.h>
int FIPS_security_check_enabled(OSSL_LIB_CTX *libctx);
int FIPS_tls_prf_ems_check(OSSL_LIB_CTX *libctx);
int FIPS_no_short_mac(OSSL_LIB_CTX *libctx);
int FIPS_hmac_key_check(OSSL_LIB_CTX *libctx);
int FIPS_kmac_key_check(OSSL_LIB_CTX *libctx);
int FIPS_restricted_drbg_digests_enabled(OSSL_LIB_CTX *libctx);
int FIPS_fips_signature_digest_check(OSSL_LIB_CTX *libctx);
int FIPS_hkdf_digest_check(OSSL_LIB_CTX *libctx);
int FIPS_tls13_kdf_digest_check(OSSL_LIB_CTX *libctx);
int FIPS_tls1_prf_digest_check(OSSL_LIB_CTX *libctx);
int FIPS_sshkdf_digest_check(OSSL_LIB_CTX *libctx);
int FIPS_sskdf_digest_check(OSSL_LIB_CTX *libctx);
int FIPS_x963kdf_digest_check(OSSL_LIB_CTX *libctx);
int FIPS_dsa_sign_check(OSSL_LIB_CTX *libctx);
int FIPS_tdes_encrypt_check(OSSL_LIB_CTX *libctx);
int FIPS_rsa_pkcs15_padding_disabled(OSSL_LIB_CTX *libctx);
int FIPS_rsa_pss_saltlen_check(OSSL_LIB_CTX *libctx);
int FIPS_rsa_sign_x931_disallowed(OSSL_LIB_CTX *libctx);
int FIPS_hkdf_key_check(OSSL_LIB_CTX *libctx);
int FIPS_kbkdf_key_check(OSSL_LIB_CTX *libctx);
int FIPS_tls13_kdf_key_check(OSSL_LIB_CTX *libctx);
int FIPS_tls1_prf_key_check(OSSL_LIB_CTX *libctx);
int FIPS_sshkdf_key_check(OSSL_LIB_CTX *libctx);
int FIPS_sskdf_key_check(OSSL_LIB_CTX *libctx);
int FIPS_x963kdf_key_check(OSSL_LIB_CTX *libctx);
int FIPS_pbkdf2_lower_bound_check(OSSL_LIB_CTX *libctx);
int FIPS_ecdh_cofactor_check(OSSL_LIB_CTX *libctx);
#endif

6
providers/common/include/prov/securitycheck.h
View File

@ -10,9 +10,7 @@
#include "crypto/types.h"
#include <openssl/ec.h>
#ifdef FIPS_MODULE
# include "fipscommon.h"
#endif
#include "fips/fipsindicator.h"
/* Functions that are common */
int ossl_rsa_key_op_get_protect(const RSA *rsa, int operation, int *outprotect);
@ -38,4 +36,4 @@ int ossl_digest_get_approved_nid(const EVP_MD *md);
/* Functions that have different implementations for the FIPS_MODULE */
int ossl_digest_rsa_sign_get_md_nid(const EVP_MD *md);
int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx);
int ossl_fips_config_securitycheck_enabled(OSSL_LIB_CTX *libctx);

1
providers/common/securitycheck.c
View File

@ -19,7 +19,6 @@
#include <openssl/core_names.h>
#include <openssl/obj_mac.h>
#include "prov/securitycheck.h"
#include "prov/fipsindicator.h"
#define OSSL_FIPS_MIN_SECURITY_STRENGTH_BITS 112

2
providers/common/securitycheck_default.c
View File

@ -17,7 +17,7 @@
#include "internal/nelem.h"
/* Disable the security checks in the default provider */
int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx)
int ossl_fips_config_securitycheck_enabled(OSSL_LIB_CTX *libctx)
{
return 0;
}

12
providers/common/securitycheck_fips.c
View File

@ -18,13 +18,11 @@
#include <openssl/core_names.h>
#include <openssl/obj_mac.h>
#include "prov/securitycheck.h"
#include "prov/fipsindicator.h"
#include "prov/fipscommon.h"
int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx)
int ossl_fips_config_securitycheck_enabled(OSSL_LIB_CTX *libctx)
{
#if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
return FIPS_security_check_enabled(libctx);
return ossl_fips_config_security_checks(libctx);
#else
return 0;
#endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
@ -43,7 +41,7 @@ int ossl_fips_ind_rsa_key_check(OSSL_FIPS_IND *ind, int id,
if (!key_approved) {
if (!ossl_FIPS_IND_on_unapproved(ind, id, libctx, desc, "Key size",
ossl_securitycheck_enabled)) {
ossl_fips_config_securitycheck_enabled)) {
ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH,
"operation: %s", desc);
return 0;
@ -68,7 +66,7 @@ int ossl_fips_ind_ec_key_check(OSSL_FIPS_IND *ind, int id,
if (!strength_allowed || !curve_allowed) {
if (!ossl_FIPS_IND_on_unapproved(ind, id, libctx, desc, "EC Key",
ossl_securitycheck_enabled)) {
ossl_fips_config_securitycheck_enabled)) {
if (!curve_allowed)
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CURVE);
if (!strength_allowed)
@ -88,7 +86,7 @@ int ossl_fips_ind_digest_check(OSSL_FIPS_IND *ind, int id,
if (!approved) {
if (!ossl_FIPS_IND_on_unapproved(ind, id, libctx, desc, "Digest",
ossl_securitycheck_enabled)) {
ossl_fips_config_securitycheck_enabled)) {
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST);
return 0;
}

2
providers/fips/fipsindicator.c
View File

@ -10,8 +10,8 @@
#include <openssl/indicator.h>
#include <openssl/params.h>
#include <openssl/core_names.h>
#include "prov/fipsindicator.h"
#include "internal/common.h" /* for ossl_assert() */
#include "fips/fipsindicator.h"
void ossl_FIPS_IND_init(OSSL_FIPS_IND *ind)
{

395
providers/fips/fipsprov.c
View File

@ -23,10 +23,10 @@
#include "prov/providercommon.h"
#include "prov/provider_util.h"
#include "prov/seeding.h"
#include "prov/fipscommon.h"
#include "internal/nelem.h"
#include "self_test.h"
#include "crypto/context.h"
#include "fipscommon.h"
#include "internal/core.h"
static const char FIPS_DEFAULT_PROPERTIES[] = "provider=fips,fips=yes";
@ -87,33 +87,12 @@ typedef struct {
typedef struct fips_global_st {
const OSSL_CORE_HANDLE *handle;
SELF_TEST_POST_PARAMS selftest_params;
FIPS_OPTION fips_security_checks;
FIPS_OPTION fips_tls1_prf_ems_check;
FIPS_OPTION fips_no_short_mac;
FIPS_OPTION fips_hmac_key_check;
FIPS_OPTION fips_kmac_key_check;
FIPS_OPTION fips_restricted_drgb_digests;
FIPS_OPTION fips_signature_digest_check;
FIPS_OPTION fips_hkdf_digest_check;
FIPS_OPTION fips_tls13_kdf_digest_check;
FIPS_OPTION fips_tls1_prf_digest_check;
FIPS_OPTION fips_sshkdf_digest_check;
FIPS_OPTION fips_sskdf_digest_check;
FIPS_OPTION fips_x963kdf_digest_check;
FIPS_OPTION fips_dsa_sign_disallowed;
FIPS_OPTION fips_tdes_encrypt_disallowed;
FIPS_OPTION fips_rsa_pkcs15_padding_disabled;
FIPS_OPTION fips_rsa_pss_saltlen_check;
FIPS_OPTION fips_rsa_sign_x931_disallowed;
FIPS_OPTION fips_hkdf_key_check;
FIPS_OPTION fips_kbkdf_key_check;
FIPS_OPTION fips_tls13_kdf_key_check;
FIPS_OPTION fips_tls1_prf_key_check;
FIPS_OPTION fips_sshkdf_key_check;
FIPS_OPTION fips_sskdf_key_check;
FIPS_OPTION fips_x963kdf_key_check;
FIPS_OPTION fips_pbkdf2_lower_bound_check;
FIPS_OPTION fips_ecdh_cofactor_check;
#define OSSL_FIPS_PARAM(structname, paramname, initvalue) \
FIPS_OPTION fips_##structname;
#include "fips_indicator_params.inc"
#undef OSSL_FIPS_PARAM
} FIPS_GLOBAL;
static void init_fips_option(FIPS_OPTION *opt, int enabled)
@ -128,33 +107,12 @@ void *ossl_fips_prov_ossl_ctx_new(OSSL_LIB_CTX *libctx)
if (fgbl == NULL)
return NULL;
init_fips_option(&fgbl->fips_security_checks, 1);
init_fips_option(&fgbl->fips_tls1_prf_ems_check, 0); /* Disabled by default */
init_fips_option(&fgbl->fips_no_short_mac, 1);
init_fips_option(&fgbl->fips_hmac_key_check, 0);
init_fips_option(&fgbl->fips_kmac_key_check, 0);
init_fips_option(&fgbl->fips_restricted_drgb_digests, 0);
init_fips_option(&fgbl->fips_signature_digest_check, 0);
init_fips_option(&fgbl->fips_hkdf_digest_check, 0);
init_fips_option(&fgbl->fips_tls13_kdf_digest_check, 0);
init_fips_option(&fgbl->fips_tls1_prf_digest_check, 0);
init_fips_option(&fgbl->fips_sshkdf_digest_check, 0);
init_fips_option(&fgbl->fips_sskdf_digest_check, 0);
init_fips_option(&fgbl->fips_x963kdf_digest_check, 0);
init_fips_option(&fgbl->fips_dsa_sign_disallowed, 0);
init_fips_option(&fgbl->fips_tdes_encrypt_disallowed, 0);
init_fips_option(&fgbl->fips_rsa_pkcs15_padding_disabled, 0);
init_fips_option(&fgbl->fips_rsa_pss_saltlen_check, 0);
init_fips_option(&fgbl->fips_rsa_sign_x931_disallowed, 0);
init_fips_option(&fgbl->fips_hkdf_key_check, 0);
init_fips_option(&fgbl->fips_kbkdf_key_check, 0);
init_fips_option(&fgbl->fips_tls13_kdf_key_check, 0);
init_fips_option(&fgbl->fips_tls1_prf_key_check, 0);
init_fips_option(&fgbl->fips_sshkdf_key_check, 0);
init_fips_option(&fgbl->fips_sskdf_key_check, 0);
init_fips_option(&fgbl->fips_x963kdf_key_check, 0);
init_fips_option(&fgbl->fips_pbkdf2_lower_bound_check, 1);
init_fips_option(&fgbl->fips_ecdh_cofactor_check, 0);
#define OSSL_FIPS_PARAM(structname, paramname, initvalue) \
init_fips_option(&fgbl->fips_##structname, initvalue);
#include "fips_indicator_params.inc"
#undef OSSL_FIPS_PARAM
return fgbl;
}
@ -163,143 +121,32 @@ void ossl_fips_prov_ossl_ctx_free(void *fgbl)
OPENSSL_free(fgbl);
}
/* Parameters we provide to the core */
static const OSSL_PARAM fips_param_types[] = {
OSSL_PARAM_DEFN(OSSL_PROV_PARAM_NAME, OSSL_PARAM_UTF8_PTR, NULL, 0),
OSSL_PARAM_DEFN(OSSL_PROV_PARAM_VERSION, OSSL_PARAM_UTF8_PTR, NULL, 0),
OSSL_PARAM_DEFN(OSSL_PROV_PARAM_BUILDINFO, OSSL_PARAM_UTF8_PTR, NULL, 0),
OSSL_PARAM_DEFN(OSSL_PROV_PARAM_STATUS, OSSL_PARAM_INTEGER, NULL, 0),
OSSL_PARAM_DEFN(OSSL_PROV_PARAM_SECURITY_CHECKS, OSSL_PARAM_INTEGER, NULL, 0),
OSSL_PARAM_DEFN(OSSL_PROV_PARAM_TLS1_PRF_EMS_CHECK, OSSL_PARAM_INTEGER, NULL, 0),
OSSL_PARAM_DEFN(OSSL_PROV_PARAM_NO_SHORT_MAC, OSSL_PARAM_INTEGER, NULL, 0),
OSSL_PARAM_DEFN(OSSL_PROV_PARAM_HMAC_KEY_CHECK, OSSL_PARAM_INTEGER, NULL, 0),
OSSL_PARAM_DEFN(OSSL_PROV_PARAM_DRBG_TRUNC_DIGEST, OSSL_PARAM_INTEGER, NULL, 0),
OSSL_PARAM_DEFN(OSSL_PROV_PARAM_HKDF_DIGEST_CHECK, OSSL_PARAM_INTEGER, NULL,
0),
OSSL_PARAM_DEFN(OSSL_PROV_PARAM_TLS13_KDF_DIGEST_CHECK, OSSL_PARAM_INTEGER,
NULL, 0),
OSSL_PARAM_DEFN(OSSL_PROV_PARAM_TLS1_PRF_DIGEST_CHECK, OSSL_PARAM_INTEGER,
NULL, 0),
OSSL_PARAM_DEFN(OSSL_PROV_PARAM_SSHKDF_DIGEST_CHECK, OSSL_PARAM_INTEGER,
NULL, 0),
OSSL_PARAM_DEFN(OSSL_PROV_PARAM_SSKDF_DIGEST_CHECK, OSSL_PARAM_INTEGER,
NULL, 0),
OSSL_PARAM_DEFN(OSSL_PROV_PARAM_X963KDF_DIGEST_CHECK, OSSL_PARAM_INTEGER,
NULL, 0),
OSSL_PARAM_DEFN(OSSL_PROV_PARAM_DSA_SIGN_DISABLED, OSSL_PARAM_INTEGER,
NULL, 0),
OSSL_PARAM_DEFN(OSSL_PROV_PARAM_TDES_ENCRYPT_DISABLED, OSSL_PARAM_INTEGER,
NULL, 0),
OSSL_PARAM_DEFN(OSSL_PROV_PARAM_RSA_SIGN_X931_PAD_DISABLED,
OSSL_PARAM_INTEGER, NULL, 0),
OSSL_PARAM_DEFN(OSSL_PROV_PARAM_HKDF_KEY_CHECK, OSSL_PARAM_INTEGER, NULL,
0),
OSSL_PARAM_DEFN(OSSL_PROV_PARAM_KMAC_KEY_CHECK, OSSL_PARAM_INTEGER, NULL,
0),
OSSL_PARAM_DEFN(OSSL_PROV_PARAM_TLS13_KDF_KEY_CHECK, OSSL_PARAM_INTEGER,
NULL, 0),
OSSL_PARAM_DEFN(OSSL_PROV_PARAM_TLS1_PRF_KEY_CHECK, OSSL_PARAM_INTEGER,
NULL, 0),
OSSL_PARAM_DEFN(OSSL_PROV_PARAM_SSHKDF_KEY_CHECK, OSSL_PARAM_INTEGER, NULL,
0),
OSSL_PARAM_DEFN(OSSL_PROV_PARAM_SSKDF_KEY_CHECK, OSSL_PARAM_INTEGER, NULL,
0),
OSSL_PARAM_DEFN(OSSL_PROV_PARAM_X963KDF_KEY_CHECK, OSSL_PARAM_INTEGER, NULL,
0),
OSSL_PARAM_DEFN(OSSL_PROV_PARAM_PBKDF2_LOWER_BOUND_CHECK,
OSSL_PARAM_INTEGER, NULL, 0),
OSSL_PARAM_DEFN(OSSL_PROV_PARAM_ECDH_COFACTOR_CHECK, OSSL_PARAM_INTEGER,
NULL, 0),
OSSL_PARAM_END
};
/*
* Parameters to retrieve from the core provider
* NOTE: inside core_get_params() these will be loaded from config items
* stored inside prov->parameters
*/
static int fips_get_params_from_core(FIPS_GLOBAL *fgbl)
{
/*
* Parameters to retrieve from the core provider - required for self testing.
* NOTE: inside core_get_params() these will be loaded from config items
* stored inside prov->parameters (except for
* OSSL_PROV_PARAM_CORE_MODULE_FILENAME).
* OSSL_PROV_FIPS_PARAM_SECURITY_CHECKS and
* OSSL_PROV_FIPS_PARAM_TLS1_PRF_EMS_CHECK are not self test parameters.
*/
OSSL_PARAM core_params[31], *p = core_params;
OSSL_PARAM core_params[32], *p = core_params;
/* FIPS self test params */
#define FIPS_FEATURE_SELF_TEST(fgbl, pname, field) \
*p++ = OSSL_PARAM_construct_utf8_ptr(pname, \
(char **)&fgbl->selftest_params.field,\
sizeof(fgbl->selftest_params.field))
#define OSSL_FIPS_PARAM(structname, paramname) \
*p++ = OSSL_PARAM_construct_utf8_ptr( \
paramname, (char **)&fgbl->selftest_params.structname, \
sizeof(fgbl->selftest_params.structname));
FIPS_FEATURE_SELF_TEST(fgbl, OSSL_PROV_PARAM_CORE_MODULE_FILENAME,
module_filename);
FIPS_FEATURE_SELF_TEST(fgbl, OSSL_PROV_FIPS_PARAM_MODULE_MAC,
module_checksum_data);
FIPS_FEATURE_SELF_TEST(fgbl, OSSL_PROV_FIPS_PARAM_CONDITIONAL_ERRORS,
conditional_error_check);
#undef FIPS_FEATURE_SELF_TEST
/* Parameters required for self testing */
#include "fips_selftest_params.inc"
#undef OSSL_FIPS_PARAM
/* FIPS features can be enabled or disabled independently */
#define FIPS_FEATURE_OPTION(fgbl, pname, field) \
*p++ = OSSL_PARAM_construct_utf8_ptr( \
pname, (char **)&fgbl->field.option, \
sizeof(fgbl->field.option))
FIPS_FEATURE_OPTION(fgbl, OSSL_PROV_FIPS_PARAM_SECURITY_CHECKS,
fips_security_checks);
FIPS_FEATURE_OPTION(fgbl, OSSL_PROV_FIPS_PARAM_TLS1_PRF_EMS_CHECK,
fips_tls1_prf_ems_check);
FIPS_FEATURE_OPTION(fgbl, OSSL_PROV_FIPS_PARAM_NO_SHORT_MAC,
fips_no_short_mac);
FIPS_FEATURE_OPTION(fgbl, OSSL_PROV_FIPS_PARAM_HMAC_KEY_CHECK,
fips_hmac_key_check);
FIPS_FEATURE_OPTION(fgbl, OSSL_PROV_FIPS_PARAM_KMAC_KEY_CHECK,
fips_kmac_key_check);
FIPS_FEATURE_OPTION(fgbl, OSSL_PROV_FIPS_PARAM_DRBG_TRUNC_DIGEST,
fips_restricted_drgb_digests);
FIPS_FEATURE_OPTION(fgbl, OSSL_PROV_FIPS_PARAM_SIGNATURE_DIGEST_CHECK,
fips_signature_digest_check);
FIPS_FEATURE_OPTION(fgbl, OSSL_PROV_FIPS_PARAM_HKDF_DIGEST_CHECK,
fips_hkdf_digest_check);
FIPS_FEATURE_OPTION(fgbl, OSSL_PROV_FIPS_PARAM_TLS13_KDF_DIGEST_CHECK,
fips_tls13_kdf_digest_check);
FIPS_FEATURE_OPTION(fgbl, OSSL_PROV_FIPS_PARAM_TLS1_PRF_DIGEST_CHECK,
fips_tls1_prf_digest_check);
FIPS_FEATURE_OPTION(fgbl, OSSL_PROV_FIPS_PARAM_SSHKDF_DIGEST_CHECK,
fips_sshkdf_digest_check);
FIPS_FEATURE_OPTION(fgbl, OSSL_PROV_FIPS_PARAM_SSKDF_DIGEST_CHECK,
fips_sskdf_digest_check);
FIPS_FEATURE_OPTION(fgbl, OSSL_PROV_FIPS_PARAM_X963KDF_DIGEST_CHECK,
fips_x963kdf_digest_check);
FIPS_FEATURE_OPTION(fgbl, OSSL_PROV_FIPS_PARAM_DSA_SIGN_DISABLED,
fips_dsa_sign_disallowed);
FIPS_FEATURE_OPTION(fgbl, OSSL_PROV_FIPS_PARAM_TDES_ENCRYPT_DISABLED,
fips_tdes_encrypt_disallowed);
FIPS_FEATURE_OPTION(fgbl, OSSL_PROV_FIPS_PARAM_RSA_PKCS15_PADDING_DISABLED,
fips_rsa_pkcs15_padding_disabled);
FIPS_FEATURE_OPTION(fgbl, OSSL_PROV_FIPS_PARAM_RSA_PSS_SALTLEN_CHECK,
fips_rsa_pss_saltlen_check);
FIPS_FEATURE_OPTION(fgbl, OSSL_PROV_FIPS_PARAM_RSA_SIGN_X931_PAD_DISABLED,
fips_rsa_sign_x931_disallowed);
FIPS_FEATURE_OPTION(fgbl, OSSL_PROV_FIPS_PARAM_HKDF_KEY_CHECK,
fips_hkdf_key_check);
FIPS_FEATURE_OPTION(fgbl, OSSL_PROV_FIPS_PARAM_KBKDF_KEY_CHECK,
fips_kbkdf_key_check);
FIPS_FEATURE_OPTION(fgbl, OSSL_PROV_FIPS_PARAM_TLS13_KDF_KEY_CHECK,
fips_tls13_kdf_key_check);
FIPS_FEATURE_OPTION(fgbl, OSSL_PROV_FIPS_PARAM_TLS1_PRF_KEY_CHECK,
fips_tls1_prf_key_check);
FIPS_FEATURE_OPTION(fgbl, OSSL_PROV_FIPS_PARAM_SSHKDF_KEY_CHECK,
fips_sshkdf_key_check);
FIPS_FEATURE_OPTION(fgbl, OSSL_PROV_FIPS_PARAM_SSKDF_KEY_CHECK,
fips_sskdf_key_check);
FIPS_FEATURE_OPTION(fgbl, OSSL_PROV_FIPS_PARAM_X963KDF_KEY_CHECK,
fips_x963kdf_key_check);
FIPS_FEATURE_OPTION(fgbl, OSSL_PROV_FIPS_PARAM_PBKDF2_LOWER_BOUND_CHECK,
fips_pbkdf2_lower_bound_check);
FIPS_FEATURE_OPTION(fgbl, OSSL_PROV_FIPS_PARAM_ECDH_COFACTOR_CHECK,
fips_ecdh_cofactor_check);
#undef FIPS_FEATURE_OPTION
/* FIPS indicator options can be enabled or disabled independently */
#define OSSL_FIPS_PARAM(structname, paramname, initvalue) \
*p++ = OSSL_PARAM_construct_utf8_ptr( \
OSSL_PROV_PARAM_##paramname, \
(char **)&fgbl->fips_##structname.option, \
sizeof(fgbl->fips_##structname.option));
#include "fips_indicator_params.inc"
#undef OSSL_FIPS_PARAM
*p = OSSL_PARAM_construct_end();
@ -313,6 +160,20 @@ static int fips_get_params_from_core(FIPS_GLOBAL *fgbl)
static const OSSL_PARAM *fips_gettable_params(void *provctx)
{
/* Parameters we provide to the core */
static const OSSL_PARAM fips_param_types[] = {
OSSL_PARAM_DEFN(OSSL_PROV_PARAM_NAME, OSSL_PARAM_UTF8_PTR, NULL, 0),
OSSL_PARAM_DEFN(OSSL_PROV_PARAM_VERSION, OSSL_PARAM_UTF8_PTR, NULL, 0),
OSSL_PARAM_DEFN(OSSL_PROV_PARAM_BUILDINFO, OSSL_PARAM_UTF8_PTR, NULL, 0),
OSSL_PARAM_DEFN(OSSL_PROV_PARAM_STATUS, OSSL_PARAM_INTEGER, NULL, 0),
#define OSSL_FIPS_PARAM(structname, paramname, initvalue) \
OSSL_PARAM_DEFN(OSSL_PROV_PARAM_##paramname, OSSL_PARAM_INTEGER, NULL, 0),
#include "fips_indicator_params.inc"
#undef OSSL_FIPS_PARAM
OSSL_PARAM_END
};
return fips_param_types;
}
@ -335,66 +196,13 @@ static int fips_get_params(void *provctx, OSSL_PARAM params[])
if (p != NULL && !OSSL_PARAM_set_int(p, ossl_prov_is_running()))
return 0;
#define FIPS_FEATURE_GET(fgbl, pname, field) \
p = OSSL_PARAM_locate(params, pname); \
if (p != NULL && !OSSL_PARAM_set_int(p, fgbl->field.enabled)) \
return 0
#define OSSL_FIPS_PARAM(structname, paramname, initvalue) \
p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_##paramname); \
if (p != NULL && !OSSL_PARAM_set_int(p, fgbl->fips_##structname.enabled)) \
return 0;
#include "fips_indicator_params.inc"
#undef OSSL_FIPS_PARAM
FIPS_FEATURE_GET(fgbl, OSSL_PROV_PARAM_SECURITY_CHECKS,
fips_security_checks);
FIPS_FEATURE_GET(fgbl, OSSL_PROV_PARAM_TLS1_PRF_EMS_CHECK,
fips_tls1_prf_ems_check);
FIPS_FEATURE_GET(fgbl, OSSL_PROV_PARAM_NO_SHORT_MAC,
fips_no_short_mac);
FIPS_FEATURE_GET(fgbl, OSSL_PROV_PARAM_HMAC_KEY_CHECK,
fips_hmac_key_check);
FIPS_FEATURE_GET(fgbl, OSSL_PROV_PARAM_KMAC_KEY_CHECK,
fips_kmac_key_check);
FIPS_FEATURE_GET(fgbl, OSSL_PROV_PARAM_DRBG_TRUNC_DIGEST,
fips_restricted_drgb_digests);
FIPS_FEATURE_GET(fgbl, OSSL_PROV_FIPS_PARAM_SIGNATURE_DIGEST_CHECK,
fips_signature_digest_check);
FIPS_FEATURE_GET(fgbl, OSSL_PROV_PARAM_HKDF_DIGEST_CHECK,
fips_hkdf_digest_check);
FIPS_FEATURE_GET(fgbl, OSSL_PROV_PARAM_TLS13_KDF_DIGEST_CHECK,
fips_tls13_kdf_digest_check);
FIPS_FEATURE_GET(fgbl, OSSL_PROV_PARAM_TLS1_PRF_DIGEST_CHECK,
fips_tls1_prf_digest_check);
FIPS_FEATURE_GET(fgbl, OSSL_PROV_PARAM_SSHKDF_DIGEST_CHECK,
fips_sshkdf_digest_check);
FIPS_FEATURE_GET(fgbl, OSSL_PROV_PARAM_SSKDF_DIGEST_CHECK,
fips_sskdf_digest_check);
FIPS_FEATURE_GET(fgbl, OSSL_PROV_PARAM_X963KDF_DIGEST_CHECK,
fips_x963kdf_digest_check);
FIPS_FEATURE_GET(fgbl, OSSL_PROV_PARAM_DSA_SIGN_DISABLED,
fips_dsa_sign_disallowed);
FIPS_FEATURE_GET(fgbl, OSSL_PROV_PARAM_TDES_ENCRYPT_DISABLED,
fips_tdes_encrypt_disallowed);
FIPS_FEATURE_GET(fgbl, OSSL_PROV_FIPS_PARAM_RSA_PKCS15_PADDING_DISABLED,
fips_rsa_pkcs15_padding_disabled);
FIPS_FEATURE_GET(fgbl, OSSL_PROV_PARAM_RSA_PSS_SALTLEN_CHECK,
fips_rsa_pss_saltlen_check);
FIPS_FEATURE_GET(fgbl, OSSL_PROV_PARAM_RSA_SIGN_X931_PAD_DISABLED,
fips_rsa_sign_x931_disallowed);
FIPS_FEATURE_GET(fgbl, OSSL_PROV_PARAM_HKDF_KEY_CHECK,
fips_hkdf_key_check);
FIPS_FEATURE_GET(fgbl, OSSL_PROV_PARAM_KBKDF_KEY_CHECK,
fips_kbkdf_key_check);
FIPS_FEATURE_GET(fgbl, OSSL_PROV_PARAM_TLS13_KDF_KEY_CHECK,
fips_tls13_kdf_key_check);
FIPS_FEATURE_GET(fgbl, OSSL_PROV_PARAM_TLS1_PRF_KEY_CHECK,
fips_tls1_prf_key_check);
FIPS_FEATURE_GET(fgbl, OSSL_PROV_PARAM_SSHKDF_KEY_CHECK,
fips_sshkdf_key_check);
FIPS_FEATURE_GET(fgbl, OSSL_PROV_PARAM_SSKDF_KEY_CHECK,
fips_sskdf_key_check);
FIPS_FEATURE_GET(fgbl, OSSL_PROV_PARAM_X963KDF_KEY_CHECK,
fips_x963kdf_key_check);
FIPS_FEATURE_GET(fgbl, OSSL_PROV_PARAM_PBKDF2_LOWER_BOUND_CHECK,
fips_pbkdf2_lower_bound_check);
FIPS_FEATURE_GET(fgbl, OSSL_PROV_PARAM_ECDH_COFACTOR_CHECK,
fips_ecdh_cofactor_check);
#undef FIPS_FEATURE_GET
return 1;
}
@ -959,44 +767,17 @@ int OSSL_provider_init_int(const OSSL_CORE_HANDLE *handle,
SELF_TEST_disable_conditional_error_state();
/* Enable or disable FIPS provider options */
#define FIPS_SET_OPTION(fgbl, field) \
if (fgbl->field.option != NULL) { \
if (strcmp(fgbl->field.option, "1") == 0) \
fgbl->field.enabled = 1; \
else if (strcmp(fgbl->field.option, "0") == 0) \
fgbl->field.enabled = 0; \
else \
goto err; \
#define OSSL_FIPS_PARAM(structname, paramname, unused) \
if (fgbl->fips_##structname.option != NULL) { \
if (strcmp(fgbl->fips_##structname.option, "1") == 0) \
fgbl->fips_##structname.enabled = 1; \
else if (strcmp(fgbl->fips_##structname.option, "0") == 0) \
fgbl->fips_##structname.enabled = 0; \
else \
goto err; \
}
FIPS_SET_OPTION(fgbl, fips_security_checks);
FIPS_SET_OPTION(fgbl, fips_tls1_prf_ems_check);
FIPS_SET_OPTION(fgbl, fips_no_short_mac);
FIPS_SET_OPTION(fgbl, fips_hmac_key_check);
FIPS_SET_OPTION(fgbl, fips_kmac_key_check);
FIPS_SET_OPTION(fgbl, fips_restricted_drgb_digests);
FIPS_SET_OPTION(fgbl, fips_signature_digest_check);
FIPS_SET_OPTION(fgbl, fips_hkdf_digest_check);
FIPS_SET_OPTION(fgbl, fips_tls13_kdf_digest_check);
FIPS_SET_OPTION(fgbl, fips_tls1_prf_digest_check);
FIPS_SET_OPTION(fgbl, fips_sshkdf_digest_check);
FIPS_SET_OPTION(fgbl, fips_sskdf_digest_check);
FIPS_SET_OPTION(fgbl, fips_x963kdf_digest_check);
FIPS_SET_OPTION(fgbl, fips_dsa_sign_disallowed);
FIPS_SET_OPTION(fgbl, fips_tdes_encrypt_disallowed);
FIPS_SET_OPTION(fgbl, fips_rsa_pkcs15_padding_disabled);
FIPS_SET_OPTION(fgbl, fips_rsa_pss_saltlen_check);
FIPS_SET_OPTION(fgbl, fips_rsa_sign_x931_disallowed);
FIPS_SET_OPTION(fgbl, fips_hkdf_key_check);
FIPS_SET_OPTION(fgbl, fips_kbkdf_key_check);
FIPS_SET_OPTION(fgbl, fips_tls13_kdf_key_check);
FIPS_SET_OPTION(fgbl, fips_tls1_prf_key_check);
FIPS_SET_OPTION(fgbl, fips_sshkdf_key_check);
FIPS_SET_OPTION(fgbl, fips_sskdf_key_check);
FIPS_SET_OPTION(fgbl, fips_x963kdf_key_check);
FIPS_SET_OPTION(fgbl, fips_pbkdf2_lower_bound_check);
FIPS_SET_OPTION(fgbl, fips_ecdh_cofactor_check);
#undef FIPS_SET_OPTION
#include "fips_indicator_params.inc"
#undef OSSL_FIPS_PARAM
ossl_prov_cache_exported_algorithms(fips_ciphers, exported_fips_ciphers);
@ -1191,46 +972,16 @@ int BIO_snprintf(char *buf, size_t n, const char *format, ...)
return ret;
}
#define FIPS_FEATURE_CHECK(fname, field) \
int fname(OSSL_LIB_CTX *libctx) \
{ \
FIPS_GLOBAL *fgbl = \
ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_FIPS_PROV_INDEX); \
return fgbl->field.enabled; \
#define OSSL_FIPS_PARAM(structname, paramname, unused) \
int ossl_fips_config_##structname(OSSL_LIB_CTX *libctx) \
{ \
FIPS_GLOBAL *fgbl = \
ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_FIPS_PROV_INDEX); \
\
return fgbl->fips_##structname.enabled; \
}
FIPS_FEATURE_CHECK(FIPS_security_check_enabled, fips_security_checks)
FIPS_FEATURE_CHECK(FIPS_tls_prf_ems_check, fips_tls1_prf_ems_check)
FIPS_FEATURE_CHECK(FIPS_no_short_mac, fips_no_short_mac)
FIPS_FEATURE_CHECK(FIPS_hmac_key_check, fips_hmac_key_check)
FIPS_FEATURE_CHECK(FIPS_kmac_key_check, fips_kmac_key_check)
FIPS_FEATURE_CHECK(FIPS_restricted_drbg_digests_enabled,
fips_restricted_drgb_digests)
FIPS_FEATURE_CHECK(FIPS_fips_signature_digest_check, fips_signature_digest_check)
FIPS_FEATURE_CHECK(FIPS_hkdf_digest_check, fips_hkdf_digest_check)
FIPS_FEATURE_CHECK(FIPS_tls13_kdf_digest_check, fips_tls13_kdf_digest_check)
FIPS_FEATURE_CHECK(FIPS_tls1_prf_digest_check, fips_tls1_prf_digest_check)
FIPS_FEATURE_CHECK(FIPS_sshkdf_digest_check, fips_sshkdf_digest_check)
FIPS_FEATURE_CHECK(FIPS_sskdf_digest_check, fips_sskdf_digest_check)
FIPS_FEATURE_CHECK(FIPS_x963kdf_digest_check, fips_x963kdf_digest_check)
FIPS_FEATURE_CHECK(FIPS_dsa_sign_check, fips_dsa_sign_disallowed)
FIPS_FEATURE_CHECK(FIPS_tdes_encrypt_check, fips_tdes_encrypt_disallowed)
FIPS_FEATURE_CHECK(FIPS_rsa_pkcs15_padding_disabled,
fips_rsa_pkcs15_padding_disabled)
FIPS_FEATURE_CHECK(FIPS_rsa_pss_saltlen_check, fips_rsa_pss_saltlen_check)
FIPS_FEATURE_CHECK(FIPS_rsa_sign_x931_disallowed,
fips_rsa_sign_x931_disallowed)
FIPS_FEATURE_CHECK(FIPS_hkdf_key_check, fips_hkdf_key_check)
FIPS_FEATURE_CHECK(FIPS_kbkdf_key_check, fips_kbkdf_key_check)
FIPS_FEATURE_CHECK(FIPS_tls13_kdf_key_check, fips_tls13_kdf_key_check)
FIPS_FEATURE_CHECK(FIPS_tls1_prf_key_check, fips_tls1_prf_key_check)
FIPS_FEATURE_CHECK(FIPS_sshkdf_key_check, fips_sshkdf_key_check)
FIPS_FEATURE_CHECK(FIPS_sskdf_key_check, fips_sskdf_key_check)
FIPS_FEATURE_CHECK(FIPS_x963kdf_key_check, fips_x963kdf_key_check)
FIPS_FEATURE_CHECK(FIPS_pbkdf2_lower_bound_check, fips_pbkdf2_lower_bound_check)
FIPS_FEATURE_CHECK(FIPS_ecdh_cofactor_check, fips_ecdh_cofactor_check)
#undef FIPS_FEATURE_CHECK
#include "fips_indicator_params.inc"
#undef OSSL_FIPS_PARAM
void OSSL_SELF_TEST_get_callback(OSSL_LIB_CTX *libctx, OSSL_CALLBACK **cb,
void **cbarg)

1
providers/common/include/prov/fipsindicator.h → providers/fips/include/fips/fipsindicator.h
View File

@ -13,6 +13,7 @@
# include <openssl/indicator.h>
# include "crypto/types.h"
# include <openssl/ec.h>
# include "fipscommon.h"
/*
* There may be multiple settables associated with an algorithm that allow

27
providers/fips/include/fips_indicator_params.inc Normal file
View File

@ -0,0 +1,27 @@
OSSL_FIPS_PARAM(security_checks, SECURITY_CHECKS, 1)
OSSL_FIPS_PARAM(tls1_prf_ems_check, TLS1_PRF_EMS_CHECK, 0)
OSSL_FIPS_PARAM(no_short_mac, NO_SHORT_MAC, 1)
OSSL_FIPS_PARAM(hmac_key_check, HMAC_KEY_CHECK, 0)
OSSL_FIPS_PARAM(kmac_key_check, KMAC_KEY_CHECK, 0)
OSSL_FIPS_PARAM(restricted_drbg_digests, DRBG_TRUNC_DIGEST, 0)
OSSL_FIPS_PARAM(signature_digest_check, SIGNATURE_DIGEST_CHECK, 0)
OSSL_FIPS_PARAM(hkdf_digest_check, HKDF_DIGEST_CHECK, 0)
OSSL_FIPS_PARAM(tls13_kdf_digest_check, TLS13_KDF_DIGEST_CHECK, 0)
OSSL_FIPS_PARAM(tls1_prf_digest_check, TLS1_PRF_DIGEST_CHECK, 0)
OSSL_FIPS_PARAM(sshkdf_digest_check, SSHKDF_DIGEST_CHECK, 0)
OSSL_FIPS_PARAM(sskdf_digest_check, SSKDF_DIGEST_CHECK, 0)
OSSL_FIPS_PARAM(x963kdf_digest_check, X963KDF_DIGEST_CHECK, 0)
OSSL_FIPS_PARAM(dsa_sign_disallowed, DSA_SIGN_DISABLED, 0)
OSSL_FIPS_PARAM(tdes_encrypt_disallowed, TDES_ENCRYPT_DISABLED, 0)
OSSL_FIPS_PARAM(rsa_pkcs15_padding_disabled, RSA_PKCS15_PAD_DISABLED, 0)
OSSL_FIPS_PARAM(rsa_pss_saltlen_check, RSA_PSS_SALTLEN_CHECK, 0)
OSSL_FIPS_PARAM(rsa_sign_x931_disallowed, RSA_SIGN_X931_PAD_DISABLED, 0)
OSSL_FIPS_PARAM(hkdf_key_check, HKDF_KEY_CHECK, 0)
OSSL_FIPS_PARAM(kbkdf_key_check, KBKDF_KEY_CHECK, 0)
OSSL_FIPS_PARAM(tls13_kdf_key_check, TLS13_KDF_KEY_CHECK, 0)
OSSL_FIPS_PARAM(tls1_prf_key_check, TLS1_PRF_KEY_CHECK, 0)
OSSL_FIPS_PARAM(sshkdf_key_check, SSHKDF_KEY_CHECK, 0)
OSSL_FIPS_PARAM(sskdf_key_check, SSKDF_KEY_CHECK, 0)
OSSL_FIPS_PARAM(x963kdf_key_check, X963KDF_KEY_CHECK, 0)
OSSL_FIPS_PARAM(pbkdf2_lower_bound_check, PBKDF2_LOWER_BOUND_CHECK, 1)
OSSL_FIPS_PARAM(ecdh_cofactor_check, ECDH_COFACTOR_CHECK, 0)

3
providers/fips/include/fips_selftest_params.inc Normal file
View File

@ -0,0 +1,3 @@
OSSL_FIPS_PARAM(module_filename, OSSL_PROV_PARAM_CORE_MODULE_FILENAME)
OSSL_FIPS_PARAM(module_checksum_data, OSSL_PROV_FIPS_PARAM_MODULE_MAC)
OSSL_FIPS_PARAM(conditional_error_check, OSSL_PROV_FIPS_PARAM_CONDITIONAL_ERRORS)

18
providers/fips/include/fipscommon.h Normal file
View File

@ -0,0 +1,18 @@
/*
* Copyright 2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
#ifdef FIPS_MODULE
# include <openssl/types.h>
# define OSSL_FIPS_PARAM(structname, paramname, unused) \
int ossl_fips_config_##structname(OSSL_LIB_CTX *libctx);
# include "fips_indicator_params.inc"
# undef OSSL_FIPS_PARAM
#endif

12
providers/implementations/asymciphers/rsa_enc.c
View File

@ -30,8 +30,6 @@
#include "prov/implementations.h"
#include "prov/providercommon.h"
#include "prov/securitycheck.h"
#include "prov/fipsindicator.h"
#include <stdlib.h>
static OSSL_FUNC_asym_cipher_newctx_fn rsa_newctx;
@ -164,7 +162,7 @@ static int rsa_encrypt(void *vprsactx, unsigned char *out, size_t *outlen,
&& !OSSL_FIPS_IND_ON_UNAPPROVED(prsactx, OSSL_FIPS_IND_SETTABLE1,
prsactx->libctx, "RSA Encrypt",
"PKCS#1 v1.5 padding",
FIPS_rsa_pkcs15_padding_disabled)) {
ossl_fips_config_rsa_pkcs15_padding_disabled)) {
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE);
return 0;
}
@ -473,10 +471,10 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
if (!OSSL_FIPS_IND_SET_CTX_PARAM(prsactx, OSSL_FIPS_IND_SETTABLE0, params,
OSSL_ASYM_CIPHER_PARAM_FIPS_KEY_CHECK))
return 0;
return 0;
if (!OSSL_FIPS_IND_SET_CTX_PARAM(prsactx, OSSL_FIPS_IND_SETTABLE1, params,
OSSL_ASYM_CIPHER_PARAM_PKCS15_PADDING_DISABLED))
return 0;
OSSL_ASYM_CIPHER_PARAM_FIPS_RSA_PKCS15_PAD_DISABLED))
return 0;
p = OSSL_PARAM_locate_const(params, OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST);
if (p != NULL) {
@ -615,7 +613,7 @@ static const OSSL_PARAM known_settable_ctx_params[] = {
OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION, NULL),
OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION, NULL),
OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_ASYM_CIPHER_PARAM_FIPS_KEY_CHECK)
OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_ASYM_CIPHER_PARAM_PKCS15_PADDING_DISABLED)
OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_ASYM_CIPHER_PARAM_FIPS_RSA_PKCS15_PAD_DISABLED)
OSSL_PARAM_END
};

2
providers/implementations/ciphers/cipher_tdes.h
View File

@ -9,8 +9,8 @@
#include <openssl/des.h>
#include <openssl/core_dispatch.h>
#include "prov/securitycheck.h"
#include "crypto/des_platform.h"
#include "prov/fipsindicator.h"
#define DES_BLOCK_SIZE 8
#define TDES_IVLEN 8

3
providers/implementations/ciphers/cipher_tdes_common.c
View File

@ -19,7 +19,6 @@
#include "cipher_tdes.h"
#include "prov/implementations.h"
#include "prov/providercommon.h"
#include "prov/fipscommon.h"
void *ossl_tdes_newctx(void *provctx, int mode, size_t kbits, size_t blkbits,
size_t ivbits, uint64_t flags, const PROV_CIPHER_HW *hw)
@ -70,7 +69,7 @@ static int tdes_encrypt_check_approved(PROV_TDES_CTX *ctx, int enc)
if (enc && !OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE0,
ctx->base.libctx,
"Triple-DES", "Encryption",
FIPS_tdes_encrypt_check))
ossl_fips_config_tdes_encrypt_disallowed))
return 0;
return 1;
}

3
providers/implementations/exchange/dh_exch.c
View File

@ -25,7 +25,6 @@
#include "prov/implementations.h"
#include "prov/provider_ctx.h"
#include "prov/securitycheck.h"
#include "prov/fipsindicator.h"
#include "crypto/dh.h"
static OSSL_FUNC_keyexch_newctx_fn dh_newctx;
@ -104,7 +103,7 @@ static int dh_check_key(PROV_DH_CTX *ctx)
if (!key_approved) {
if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE0,
ctx->libctx, "DH Init", "DH Key",
ossl_securitycheck_enabled)) {
ossl_fips_config_securitycheck_enabled)) {
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
return 0;
}

3
providers/implementations/exchange/ecdh_exch.c
View File

@ -26,7 +26,6 @@
#include "prov/providercommon.h"
#include "prov/implementations.h"
#include "prov/securitycheck.h"
#include "prov/fipsindicator.h"
#include "crypto/ec.h" /* ossl_ecdh_kdf_X9_63() */
static OSSL_FUNC_keyexch_newctx_fn ecdh_newctx;
@ -550,7 +549,7 @@ int ecdh_plain_derive(void *vpecdhctx, unsigned char *secret,
if (has_cofactor && !cofactor_approved) {
if (!OSSL_FIPS_IND_ON_UNAPPROVED(pecdhctx, OSSL_FIPS_IND_SETTABLE2,
pecdhctx->libctx, "ECDH", "Cofactor",
FIPS_ecdh_cofactor_check)) {
ossl_fips_config_ecdh_cofactor_check)) {
ERR_raise(ERR_LIB_PROV, PROV_R_COFACTOR_REQUIRED);
return 0;
}

3
providers/implementations/exchange/ecx_exch.c
View File

@ -17,8 +17,7 @@
#include "crypto/ecx.h"
#include "prov/implementations.h"
#include "prov/providercommon.h"
#include "prov/fipsindicator.h"
#include "prov/fipscommon.h"
#include "prov/securitycheck.h"
static OSSL_FUNC_keyexch_newctx_fn x25519_newctx;
static OSSL_FUNC_keyexch_newctx_fn x448_newctx;

8
providers/implementations/kdfs/hkdf.c
View File

@ -30,8 +30,6 @@
#include "prov/implementations.h"
#include "prov/provider_util.h"
#include "prov/securitycheck.h"
#include "prov/fipscommon.h"
#include "prov/fipsindicator.h"
#include "internal/e_os.h"
#include "internal/params.h"
@ -203,7 +201,7 @@ static int fips_hkdf_key_check_passed(KDF_HKDF *ctx)
if (!key_approved) {
if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE0,
libctx, "HKDF", "Key size",
FIPS_hkdf_key_check)) {
ossl_fips_config_hkdf_key_check)) {
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
return 0;
}
@ -756,7 +754,7 @@ static int fips_tls1_3_digest_check_passed(KDF_HKDF *ctx, const EVP_MD *md)
if (digest_unapproved) {
if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE0,
libctx, "TLS13 KDF", "Digest",
FIPS_tls13_kdf_digest_check)) {
ossl_fips_config_tls13_kdf_digest_check)) {
ERR_raise(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED);
return 0;
}
@ -792,7 +790,7 @@ static int fips_tls1_3_key_check_passed(KDF_HKDF *ctx)
if (!key_approved) {
if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE1,
libctx, "TLS13 KDF", "Key size",
FIPS_tls13_kdf_key_check)) {
ossl_fips_config_tls13_kdf_key_check)) {
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
return 0;
}

5
providers/implementations/kdfs/kbkdf.c
View File

@ -44,9 +44,6 @@
#include "prov/provider_util.h"
#include "prov/providercommon.h"
#include "prov/securitycheck.h"
#include "prov/fipscommon.h"
#include "prov/fipsindicator.h"
#include "internal/e_os.h"
#include "internal/params.h"
@ -197,7 +194,7 @@ static int fips_kbkdf_key_check_passed(KBKDF *ctx)
if (!key_approved) {
if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE0,
libctx, "KBKDF", "Key size",
FIPS_kbkdf_key_check)) {
ossl_fips_config_kbkdf_key_check)) {
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
return 0;
}

5
providers/implementations/kdfs/pbkdf2.c
View File

@ -28,8 +28,7 @@
#include "prov/providercommon.h"
#include "prov/implementations.h"
#include "prov/provider_util.h"
#include "prov/fipscommon.h"
#include "prov/fipsindicator.h"
#include "prov/securitycheck.h"
#include "pbkdf2.h"
/* Constants specified in SP800-132 */
@ -217,7 +216,7 @@ static int fips_lower_bound_check_passed(KDF_PBKDF2 *ctx, size_t keylen)
if (!approved) {
if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE0, libctx,
"PBKDF2", desc,
FIPS_pbkdf2_lower_bound_check)) {
ossl_fips_config_pbkdf2_lower_bound_check)) {
ERR_raise(ERR_LIB_PROV, error);
return 0;
}

6
providers/implementations/kdfs/sshkdf.c
View File

@ -22,8 +22,6 @@
#include "prov/implementations.h"
#include "prov/provider_util.h"
#include "prov/securitycheck.h"
#include "prov/fipscommon.h"
#include "prov/fipsindicator.h"
/* See RFC 4253, Section 7.2 */
static OSSL_FUNC_kdf_newctx_fn kdf_sshkdf_new;
@ -146,7 +144,7 @@ static int fips_digest_check_passed(KDF_SSHKDF *ctx, const EVP_MD *md)
if (digest_unapproved) {
if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE0,
libctx, "SSHKDF", "Digest",
FIPS_sshkdf_digest_check)) {
ossl_fips_config_sshkdf_digest_check)) {
ERR_raise(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED);
return 0;
}
@ -162,7 +160,7 @@ static int fips_key_check_passed(KDF_SSHKDF *ctx)
if (!key_approved) {
if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE1,
libctx, "SSHKDF", "Key size",
FIPS_sshkdf_key_check)) {
ossl_fips_config_sshkdf_key_check)) {
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
return 0;
}

8
providers/implementations/kdfs/sskdf.c
View File

@ -51,8 +51,6 @@
#include "prov/implementations.h"
#include "prov/provider_util.h"
#include "prov/securitycheck.h"
#include "prov/fipscommon.h"
#include "prov/fipsindicator.h"
#include "internal/params.h"
typedef struct {
@ -403,7 +401,7 @@ static int fips_sskdf_key_check_passed(KDF_SSKDF *ctx)
if (!key_approved) {
if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE0,
libctx, "SSKDF", "Key size",
FIPS_sskdf_key_check)) {
ossl_fips_config_sskdf_key_check)) {
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
return 0;
}
@ -496,7 +494,7 @@ static int fips_x963kdf_digest_check_passed(KDF_SSKDF *ctx, const EVP_MD *md)
if (digest_unapproved) {
if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE0,
libctx, "X963KDF", "Digest",
FIPS_x963kdf_digest_check)) {
ossl_fips_config_x963kdf_digest_check)) {
ERR_raise(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED);
return 0;
}
@ -512,7 +510,7 @@ static int fips_x963kdf_key_check_passed(KDF_SSKDF *ctx)
if (!key_approved) {
if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE1,
libctx, "X963KDF", "Key size",
FIPS_x963kdf_key_check)) {
ossl_fips_config_x963kdf_key_check)) {
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
return 0;
}

8
providers/implementations/kdfs/tls1_prf.c
View File

@ -68,8 +68,6 @@
#include "prov/implementations.h"
#include "prov/provider_util.h"
#include "prov/securitycheck.h"
#include "prov/fipscommon.h"
#include "prov/fipsindicator.h"
#include "internal/e_os.h"
#include "internal/safe_math.h"
@ -196,7 +194,7 @@ static int fips_ems_check_passed(TLS1_PRF *ctx)
if (!ems_approved) {
if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE0,
libctx, "TLS_PRF", "EMS",
FIPS_tls_prf_ems_check)) {
ossl_fips_config_tls1_prf_ems_check)) {
ERR_raise(ERR_LIB_PROV, PROV_R_EMS_NOT_ENABLED);
return 0;
}
@ -221,7 +219,7 @@ static int fips_digest_check_passed(TLS1_PRF *ctx, const EVP_MD *md)
if (digest_unapproved) {
if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE1,
libctx, "TLS_PRF", "Digest",
FIPS_tls1_prf_digest_check)) {
ossl_fips_config_tls1_prf_digest_check)) {
ERR_raise(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED);
return 0;
}
@ -237,7 +235,7 @@ static int fips_key_check_passed(TLS1_PRF *ctx)
if (!key_approved) {
if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE2,
libctx, "TLS_PRF", "Key size",
FIPS_tls1_prf_key_check)) {
ossl_fips_config_tls1_prf_key_check)) {
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
return 0;
}

5
providers/implementations/kem/rsa_kem.c
View File

@ -13,7 +13,6 @@
*/
#include "internal/deprecated.h"
#include "internal/nelem.h"
#include <openssl/crypto.h>
#include <openssl/evp.h>
#include <openssl/core_dispatch.h>
@ -21,13 +20,11 @@
#include <openssl/rsa.h>
#include <openssl/params.h>
#include <openssl/err.h>
#include "crypto/rsa.h"
#include <openssl/proverr.h>
#include "internal/nelem.h"
#include "crypto/rsa.h"
#include "prov/provider_ctx.h"
#include "prov/implementations.h"
#include "prov/securitycheck.h"
#include "prov/fipsindicator.h"
static OSSL_FUNC_kem_newctx_fn rsakem_newctx;
static OSSL_FUNC_kem_encapsulate_init_fn rsakem_encapsulate_init;

5
providers/implementations/keymgmt/dsa_kmgmt.c
View File

@ -17,9 +17,8 @@
#include <openssl/core_names.h>
#include <openssl/bn.h>
#include <openssl/err.h>
#include "prov/securitycheck.h"
#include "prov/providercommon.h"
#include "prov/fipsindicator.h"
#include "prov/fipscommon.h"
#include "prov/implementations.h"
#include "prov/provider_ctx.h"
#include "crypto/dsa.h"
@ -610,7 +609,7 @@ static void *dsa_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg)
*/
if (!OSSL_FIPS_IND_ON_UNAPPROVED(gctx, OSSL_FIPS_IND_SETTABLE0,
gctx->libctx, "DSA", "Keygen",
FIPS_dsa_sign_check))
ossl_fips_config_dsa_sign_disallowed))
return 0;
#endif

3
providers/implementations/keymgmt/ec_kmgmt.c
View File

@ -26,7 +26,6 @@
#include "prov/providercommon.h"
#include "prov/provider_ctx.h"
#include "prov/securitycheck.h"
#include "prov/fipsindicator.h"
#include "internal/param_build_set.h"
#ifndef FIPS_MODULE
@ -1311,7 +1310,7 @@ static void *ec_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg)
if (!ossl_ec_check_security_strength(gctx->gen_group, 1)) {
if (!OSSL_FIPS_IND_ON_UNAPPROVED(gctx, OSSL_FIPS_IND_SETTABLE0,
gctx->libctx, "EC KeyGen", "key size",
ossl_securitycheck_enabled)) {
ossl_fips_config_securitycheck_enabled)) {
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
goto err;
}

3
providers/implementations/keymgmt/ecx_kmgmt.c
View File

@ -24,8 +24,7 @@
#include "prov/providercommon.h"
#include "prov/provider_ctx.h"
#include "prov/ecx.h"
#include "prov/fipsindicator.h"
#include "prov/fipscommon.h"
#include "prov/securitycheck.h"
#ifdef S390X_EC_ASM
# include "s390x_arch.h"
# include <openssl/sha.h> /* For SHA512_DIGEST_LENGTH */

5
providers/implementations/macs/cmac_prov.c
View File

@ -21,12 +21,11 @@
#include <openssl/err.h>
#include <openssl/proverr.h>
#include "prov/securitycheck.h"
#include "prov/implementations.h"
#include "prov/provider_ctx.h"
#include "prov/provider_util.h"
#include "prov/providercommon.h"
#include "prov/fipscommon.h"
#include "prov/fipsindicator.h"
#include "crypto/cmac.h"
/*
@ -138,7 +137,7 @@ static int tdes_check_param(struct cmac_data_st *macctx, OSSL_PARAM *p,
if (EVP_CIPHER_is_a(cipher, "DES-EDE3-CBC")) {
if (!OSSL_FIPS_IND_ON_UNAPPROVED(macctx, OSSL_FIPS_IND_SETTABLE0,
libctx, "CMAC", "Triple-DES",
FIPS_tdes_encrypt_check))
ossl_fips_config_tdes_encrypt_disallowed))
return 0;
OSSL_FIPS_IND_GET_PARAM(macctx, p, state, OSSL_FIPS_IND_SETTABLE0,
OSSL_CIPHER_PARAM_FIPS_ENCRYPT_CHECK)

4
providers/implementations/macs/hmac_prov.c
View File

@ -29,9 +29,7 @@
#include "prov/provider_ctx.h"
#include "prov/provider_util.h"
#include "prov/providercommon.h"
#include "prov/fipsindicator.h"
#include "prov/securitycheck.h"
#include "prov/fipscommon.h"
/*
* Forward declaration of everything implemented here. This is not strictly
@ -171,7 +169,7 @@ static int hmac_setkey(struct hmac_data_st *macctx,
if (!approved) {
if (!OSSL_FIPS_IND_ON_UNAPPROVED(macctx, OSSL_FIPS_IND_SETTABLE0,
libctx, "HMAC", "keysize",
FIPS_hmac_key_check)) {
ossl_fips_config_hmac_key_check)) {
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
return 0;
}

9
providers/implementations/macs/kmac_prov.c
View File

@ -55,14 +55,11 @@
#include <openssl/err.h>
#include <openssl/proverr.h>
#include <openssl/fips_names.h>
#include "prov/securitycheck.h"
#include "prov/implementations.h"
#include "prov/provider_ctx.h"
#include "prov/provider_util.h"
#include "prov/providercommon.h"
#include "prov/fipscommon.h"
#include "prov/fipsindicator.h"
#include "prov/securitycheck.h"
#include "internal/cryptlib.h" /* ossl_assert */
/*
@ -284,7 +281,7 @@ static int kmac_setkey(struct kmac_data_st *kctx, const unsigned char *key,
if (!OSSL_FIPS_IND_ON_UNAPPROVED(kctx, OSSL_FIPS_IND_SETTABLE1,
PROV_LIBCTX_OF(kctx->provctx),
"KMAC", "Key size",
FIPS_kmac_key_check)) {
ossl_fips_config_kmac_key_check)) {
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
return 0;
}
@ -483,7 +480,7 @@ static int kmac_set_ctx_params(void *vmacctx, const OSSL_PARAM *params)
if (!OSSL_FIPS_IND_ON_UNAPPROVED(kctx, OSSL_FIPS_IND_SETTABLE0,
PROV_LIBCTX_OF(kctx->provctx),
"KMAC", "length",
&FIPS_no_short_mac)) {
ossl_fips_config_no_short_mac)) {
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_OUTPUT_LENGTH);
return 0;
}

3
providers/implementations/rands/drbg.c
View File

@ -21,7 +21,6 @@
#include "crypto/rand_pool.h"
#include "prov/provider_ctx.h"
#include "prov/providercommon.h"
#include "prov/fipscommon.h"
#include "crypto/context.h"
/*
@ -1024,7 +1023,7 @@ int ossl_drbg_verify_digest(PROV_DRBG *drbg, OSSL_LIB_CTX *libctx,
if (!approved) {
if (!OSSL_FIPS_IND_ON_UNAPPROVED(drbg, OSSL_FIPS_IND_SETTABLE0,
libctx, "DRBG", "Digest",
FIPS_restricted_drbg_digests_enabled)) {
ossl_fips_config_restricted_drbg_digests)) {
ERR_raise(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED);
return 0;
}

2
providers/implementations/rands/drbg_local.h
View File

@ -18,7 +18,7 @@
# include "internal/nelem.h"
# include "internal/numbers.h"
# include "prov/provider_ctx.h"
# include "prov/fipsindicator.h"
# include "prov/securitycheck.h"
/* How many times to read the TSC as a randomness source. */
# define TSC_READ_COUNT 4

2
providers/implementations/rands/test_rng.c
View File

@ -16,11 +16,11 @@
#include <openssl/evp.h>
#include <openssl/err.h>
#include <openssl/randerr.h>
#include "prov/securitycheck.h"
#include "prov/providercommon.h"
#include "prov/provider_ctx.h"
#include "prov/provider_util.h"
#include "prov/implementations.h"
#include "prov/fipsindicator.h"
static OSSL_FUNC_rand_newctx_fn test_rng_new;
static OSSL_FUNC_rand_freectx_fn test_rng_free;

7
providers/implementations/signature/dsa_sig.c
View File

@ -30,7 +30,6 @@
#include "prov/implementations.h"
#include "prov/provider_ctx.h"
#include "prov/securitycheck.h"
#include "prov/fipsindicator.h"
#include "crypto/dsa.h"
#include "prov/der_dsa.h"
@ -169,7 +168,7 @@ static int dsa_setup_md(PROV_DSA_CTX *ctx,
OSSL_FIPS_IND_SETTABLE1,
ctx->libctx, md_nid, sha1_allowed,
desc,
&FIPS_fips_signature_digest_check))
ossl_fips_config_signature_digest_check))
goto err;
}
#endif
@ -223,7 +222,7 @@ static int dsa_sign_check_approved(PROV_DSA_CTX *ctx, int signing,
if (signing
&& !OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE2,
ctx->libctx, desc, "DSA",
FIPS_dsa_sign_check))
ossl_fips_config_dsa_sign_disallowed))
return 0;
return 1;
}
@ -235,7 +234,7 @@ static int dsa_check_key(PROV_DSA_CTX *ctx, int sign, const char *desc)
if (!approved) {
if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE0,
ctx->libctx, desc, "DSA Key",
FIPS_fips_signature_digest_check)) {
ossl_fips_config_signature_digest_check)) {
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
return 0;
}

3
providers/implementations/signature/ecdsa_sig.c
View File

@ -30,7 +30,6 @@
#include "prov/implementations.h"
#include "prov/provider_ctx.h"
#include "prov/securitycheck.h"
#include "prov/fipsindicator.h"
#include "crypto/ec.h"
#include "prov/der_ec.h"
@ -302,7 +301,7 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx, const char *mdname,
if (!ossl_fips_ind_digest_sign_check(OSSL_FIPS_IND_GET(ctx),
OSSL_FIPS_IND_SETTABLE1, ctx->libctx,
md_nid, sha1_allowed, desc,
&FIPS_fips_signature_digest_check))
ossl_fips_config_signature_digest_check))
goto err;
}
#endif

1
providers/implementations/signature/eddsa_sig.c
View File

@ -18,6 +18,7 @@
#include "internal/sizes.h"
#include "prov/providercommon.h"
#include "prov/implementations.h"
#include "prov/securitycheck.h"
#include "prov/provider_ctx.h"
#include "prov/der_ecx.h"
#include "crypto/ecx.h"

7
providers/implementations/signature/rsa_sig.c
View File

@ -32,7 +32,6 @@
#include "prov/provider_ctx.h"
#include "prov/der_rsa.h"
#include "prov/securitycheck.h"
#include "prov/fipsindicator.h"
#define RSA_DEFAULT_DIGEST_NAME OSSL_DIGEST_NAME_SHA1
@ -413,7 +412,7 @@ static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname,
OSSL_FIPS_IND_SETTABLE1,
ctx->libctx,
md_nid, sha1_allowed, desc,
&FIPS_fips_signature_digest_check))
ossl_fips_config_signature_digest_check))
goto err;
}
#endif
@ -646,7 +645,7 @@ static int rsa_pss_saltlen_check_passed(PROV_RSA_CTX *ctx, const char *algoname,
if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE3,
ctx->libctx,
algoname, "PSS Salt Length",
FIPS_rsa_pss_saltlen_check)) {
ossl_fips_config_rsa_pss_saltlen_check)) {
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH);
return 0;
}
@ -1520,7 +1519,7 @@ static int rsa_x931_padding_allowed(PROV_RSA_CTX *ctx)
if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE2,
ctx->libctx,
"RSA Sign set ctx", "X931 Padding",
FIPS_rsa_sign_x931_disallowed)) {
ossl_fips_config_rsa_sign_x931_disallowed)) {
ERR_raise(ERR_LIB_PROV,
PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
return 0;

3
test/build.info
View File

@ -619,7 +619,8 @@ IF[{- !$disabled{tests} -}]
DEPEND[recordlentest]=../libcrypto ../libssl libtestutil.a
SOURCE[drbgtest]=drbgtest.c
INCLUDE[drbgtest]=../include ../apps/include ../providers/common/include
INCLUDE[drbgtest]=../include ../apps/include ../providers/common/include \
../providers/fips/include
DEPEND[drbgtest]=../libcrypto.a libtestutil.a
SOURCE[rand_status_test]=rand_status_test.c

2
test/recipes/03-test_fipsinstall.t
View File

@ -50,7 +50,7 @@ my @commandline =
( 'x963kdf_digest_check', 'x963kdf-digest-check' ),
( 'dsa_sign_disabled', 'dsa-sign-disabled' ),
( 'tdes_encrypt_disabled', 'tdes-encrypt-disabled' ),
( 'rsa_pkcs15_padding_disabled', 'rsa-pkcs15-padding-disabled' ),
( 'rsa_pkcs15_pad_disabled', 'rsa-pkcs15-pad-disabled' ),
( 'rsa_pss_saltlen_check', 'rsa-pss-saltlen-check' ),
( 'rsa_sign_x931_disabled', 'rsa-sign-x931-pad-disabled' ),
( 'hkdf_key_check', 'hkdf-key-check' ),

2
test/recipes/80-test_ssl_old.t
View File

@ -161,7 +161,7 @@ unless ($no_fips) {
my $fipsmodcfgnew = result_file($fipsmodcfgnew_filename);
$ENV{OPENSSL_CONF_INCLUDE} = result_dir();
ok(replace_kv_file($fipsmodcfg,
'rsa-pkcs15-padding-disabled', '0',
'rsa-pkcs15-pad-disabled', '0',
$fipsmodcfgnew)
&& replace_line_file($provconf,
$fipsmodcfg_filename, $fipsmodcfgnew_filename,

2
test/recipes/90-test_sslapi.t
View File

@ -127,7 +127,7 @@ SKIP: {
'tls1-prf-ems-check', '0',
$fipsmodcfgtmp)
&& replace_kv_file($fipsmodcfgtmp,
'rsa-pkcs15-padding-disabled', '0',
'rsa-pkcs15-pad-disabled', '0',
$fipsmodcfgnew)
&& replace_line_file($provconf,
$fipsmodcfg_filename, $fipsmodcfgnew_filename,

2
util/mk-fipsmodule-cnf.pl
View File

@ -71,7 +71,7 @@ sshkdf-digest-check = $digest_check
sskdf-digest-check = $digest_check
x963kdf-digest-check = $digest_check
tdes-encrypt-disabled = $tdes_encrypt_disabled
rsa-pkcs15-padding-disabled = $pkcs15_pad_disable
rsa-pkcs15-pad-disabled = $pkcs15_pad_disable
rsa-pss-saltlen-check = $rsa_pss_saltlen_check
rsa-sign-x931-pad-disabled = $rsa_sign_x931_pad_disabled
hkdf-key-check = $kdf_key_check

5
util/perl/OpenSSL/paramnames.pm
View File

@ -46,6 +46,7 @@ my %params = (
'PROV_PARAM_TDES_ENCRYPT_DISABLED' => "tdes-encrypt-disabled", # uint
'PROV_PARAM_RSA_PSS_SALTLEN_CHECK' => "rsa-pss-saltlen-check", # uint
'PROV_PARAM_RSA_SIGN_X931_PAD_DISABLED' => "rsa-sign-x931-pad-disabled", # uint
'PROV_PARAM_RSA_PKCS15_PAD_DISABLED' => "rsa-pkcs15-pad-disabled", # uint
'PROV_PARAM_HKDF_KEY_CHECK' => "hkdf-key-check", # uint
'PROV_PARAM_KBKDF_KEY_CHECK' => "kbkdf-key-check", # uint
'PROV_PARAM_TLS13_KDF_KEY_CHECK' => "tls13-kdf-key-check", # uint
@ -55,6 +56,7 @@ my %params = (
'PROV_PARAM_X963KDF_KEY_CHECK' => "x963kdf-key-check", # uint
'PROV_PARAM_PBKDF2_LOWER_BOUND_CHECK' => "pbkdf2-lower-bound-check", # uint
'PROV_PARAM_ECDH_COFACTOR_CHECK' => "ecdh-cofactor-check", # uint
'PROV_PARAM_SIGNATURE_DIGEST_CHECK' => "signature-digest-check", # uint
# Self test callback parameters
'PROV_PARAM_SELF_TEST_PHASE' => "st-phase",# utf8_string
@ -188,6 +190,7 @@ my %params = (
'MAC_PARAM_FIPS_NO_SHORT_MAC' =>'*PROV_PARAM_NO_SHORT_MAC',
'MAC_PARAM_FIPS_KEY_CHECK' => '*PKEY_PARAM_FIPS_KEY_CHECK',
'MAC_PARAM_FIPS_APPROVED_INDICATOR' => '*ALG_PARAM_FIPS_APPROVED_INDICATOR',
'MAC_PARAM_FIPS_NO_SHORT_MAC' => '*PROV_PARAM_NO_SHORT_MAC',
# KDF / PRF parameters
'KDF_PARAM_SECRET' => "secret", # octet string
@ -473,7 +476,7 @@ my %params = (
'ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION' => "tls-client-version",
'ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION' => "tls-negotiated-version",
'ASYM_CIPHER_PARAM_IMPLICIT_REJECTION' => "implicit-rejection",
'ASYM_CIPHER_PARAM_PKCS15_PADDING_DISABLED' => "pkcs15-padding-disabled",
'ASYM_CIPHER_PARAM_FIPS_RSA_PKCS15_PAD_DISABLED' => '*PROV_PARAM_RSA_PKCS15_PAD_DISABLED',
'ASYM_CIPHER_PARAM_FIPS_KEY_CHECK' => '*PKEY_PARAM_FIPS_KEY_CHECK',
'ASYM_CIPHER_PARAM_FIPS_APPROVED_INDICATOR' => '*ALG_PARAM_FIPS_APPROVED_INDICATOR',