run: git submodule update --init --depth 1 fuzz/corpora
- name: localegen
run: sudo locale-gen tr_TR.UTF-8
+ - name: fipsvendor
+ # Make one fips build use a customized FIPS vendor
+ run: echo "FIPS_VENDOR=CI" >> VERSION.dat
- name: config
# enable-quic is on by default, but we leave it here to check we're testing the explicit enable somewhere
run: CC=gcc ./config --banner=Configured enable-demos enable-h3demo enable-fips enable-quic --strict-warnings && perl configdata.pm --dump
./util/opensslwrap.sh version -c
- name: make test
run: .github/workflows/make-test
+ - name: check fipsvendor
+ run: |
+ util/wrap.pl -fips apps/openssl list -providers | grep 'name: CI FIPS Provider for OpenSSL$'
- name: save artifacts
uses: actions/upload-artifact@v3
with:
map { (my $x = $_) =~ tr|[\-a-z]|[_A-Z]|; "OPENSSL_RAND_SEED_$x" }
@seed_sources;
+my $provider_string = $disabled{"fips-post"} ? "non-compliant FIPS Provider" : "FIPS Provider";
+
+$config{FIPS_VENDOR} =
+ (defined $version{FIPS_VENDOR} ? "$version{FIPS_VENDOR} $provider_string for OpenSSL" : "OpenSSL $provider_string");
+
# Backward compatibility?
if ($target =~ m/^CygWin32(-.*)$/) {
$target = "Cygwin".$1;
manual page.
[fips_module(7)]: https://www.openssl.org/docs/manmaster/man7/fips_module.html
+
+3rd-Party Vendor Builds
+=====================================
+
+Some Vendors choose to patch/modify/build their own FIPS provider,
+test it with a Security Laboratory and submit it under their own CMVP
+certificate, instead of using OpenSSL Project submissions. When doing
+so, FIPS provider should uniquely identify its own name and version
+number. The build infrastructure allows to customize FIPS provider
+build information via changes to strings in `VERSION.dat`.
+
+Setting "PRE_RELEASE_TAG" (dashed suffix), "BUILD_METADATA" (plus
+suffix), and "FIPS_VENDOR" allow to control reported FIPS provider
+name and build version as required for CMVP submission.
*/
#define FIPS_KEY_STRING "{- $config{FIPSKEY} -}"
+/*
+ * The FIPS provider vendor name, as a string.
+ */
+#define FIPS_VENDOR "{- $config{FIPS_VENDOR} -}"
+
# ifdef __cplusplus
}
# endif
#include <openssl/core_names.h>
#include <openssl/params.h>
#include <openssl/fips_names.h>
+#include <openssl/fipskey.h>
#include <openssl/rand.h> /* RAND_get0_public() */
#include <openssl/proverr.h>
#include <openssl/indicator.h>
#include "crypto/context.h"
#include "internal/core.h"
-#if defined(OPENSSL_NO_FIPS_POST)
-# define OSSL_FIPS_PROV_NAME "OpenSSL non-compliant FIPS Provider"
-#else
-# define OSSL_FIPS_PROV_NAME "OpenSSL FIPS Provider"
-#endif
-
static const char FIPS_DEFAULT_PROPERTIES[] = "provider=fips,fips=yes";
static const char FIPS_UNAPPROVED_PROPERTIES[] = "provider=fips,fips=no";
OSSL_LIB_CTX_FIPS_PROV_INDEX);
p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_NAME);
- if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OSSL_FIPS_PROV_NAME))
+ if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, FIPS_VENDOR))
return 0;
p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_VERSION);
if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_VERSION_STR))
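Review bot: The replacement at the OSSL_PROV_PARAM_NAME line reads a macro called `FIPS_VENDOR`, but what it holds is the full descriptive provider name ("... FIPS Provider for OpenSSL" or "OpenSSL ... FIPS Provider", per the Configure hunk elsewhere in this change), not the vendor string alone, so a reader of fips_get_params() can no longer tell that from the identifier the way `OSSL_FIPS_PROV_NAME` conveyed it. A one-line comment above the use would keep that clear: `/* FIPS_VENDOR (openssl/fipskey.h) is the full provider name built by Configure, not just the vendor */`; alternatively keep a local `#define OSSL_FIPS_PROV_NAME FIPS_VENDOR` next to the property strings and leave the call site unchanged. Note also that the "non-compliant" wording is now decided by Configure's `fips-post` switch instead of the `OPENSSL_NO_FIPS_POST` preprocessor check this hunk removes; presumably both derive from the same disable option, but that is worth confirming so a build with one but not the other cannot report a misleading name. fips_get_params() starts before this hunk.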
if (!TEST_ptr(prov))
return 0;
name = OSSL_PROVIDER_get0_name(prov);
- return strcmp(name, "OpenSSL FIPS Provider") == 0;
+ return strstr(name, "FIPS Provider") != NULL;
}
/*
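Review bot: The new `strstr(name, "FIPS Provider") != NULL` check accepts any provider name containing that substring, including a "non-compliant FIPS Provider" build, whereas the exact compare it replaces would have rejected anything but the compliant OpenSSL name. Since this change already exports the configured name as `FIPS_VENDOR` from `<openssl/fipskey.h>`, the test can stay exact while still passing for vendor builds: add `#include <openssl/fipskey.h>` and use `return strcmp(name, FIPS_VENDOR) == 0;`. If the substring match is deliberate because the test must also run against a FIPS module built from a different source tree, a comment saying so at this line would prevent the next maintainer from tightening it back. The enclosing function starts before this hunk.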