Cleanups for FIPS options..
authorslontis <shane.lontis@oracle.com>
Mon, 12 Aug 2024 09:31:10 +0000 (19:31 +1000)
committerTomas Mraz <tomas@openssl.org>
Wed, 28 Aug 2024 12:46:16 +0000 (14:46 +0200)
The options in fipsprov.c are now generated using macros with fips_indicator_params.inc.
This should keep the naming consistent.

Some FIPS related headers have moved to providers/fips/include so that
they can use fips_indicator_params.inc.
securitycheck.h now includes fipsindicator.h, and fipsindicator.h includes
fipscommon.h.

fipsinstall.c uses OSSL_PROV_PARAM_* for the configurable FIPS options rather than
OSSL_PROV_FIPS_PARAM_*, as it was confusing which one should be used.
fips_names.h just uses aliases now for existing public names.

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25162)

46 files changed:
apps/fipsinstall.c
include/openssl/fips_names.h
providers/build.info
providers/common/include/prov/fipscommon.h [deleted file]
providers/common/include/prov/securitycheck.h
providers/common/securitycheck.c
providers/common/securitycheck_default.c
providers/common/securitycheck_fips.c
providers/fips/fipsindicator.c
providers/fips/fipsprov.c
providers/fips/include/fips/fipsindicator.h [moved from providers/common/include/prov/fipsindicator.h with 99% similarity]
providers/fips/include/fips_indicator_params.inc [new file with mode: 0644]
providers/fips/include/fips_selftest_params.inc [new file with mode: 0644]
providers/fips/include/fipscommon.h [new file with mode: 0644]
providers/implementations/asymciphers/rsa_enc.c
providers/implementations/ciphers/cipher_tdes.h
providers/implementations/ciphers/cipher_tdes_common.c
providers/implementations/exchange/dh_exch.c
providers/implementations/exchange/ecdh_exch.c
providers/implementations/exchange/ecx_exch.c
providers/implementations/kdfs/hkdf.c
providers/implementations/kdfs/kbkdf.c
providers/implementations/kdfs/pbkdf2.c
providers/implementations/kdfs/sshkdf.c
providers/implementations/kdfs/sskdf.c
providers/implementations/kdfs/tls1_prf.c
providers/implementations/kem/rsa_kem.c
providers/implementations/keymgmt/dsa_kmgmt.c
providers/implementations/keymgmt/ec_kmgmt.c
providers/implementations/keymgmt/ecx_kmgmt.c
providers/implementations/macs/cmac_prov.c
providers/implementations/macs/hmac_prov.c
providers/implementations/macs/kmac_prov.c
providers/implementations/rands/drbg.c
providers/implementations/rands/drbg_local.h
providers/implementations/rands/test_rng.c
providers/implementations/signature/dsa_sig.c
providers/implementations/signature/ecdsa_sig.c
providers/implementations/signature/eddsa_sig.c
providers/implementations/signature/rsa_sig.c
test/build.info
test/recipes/03-test_fipsinstall.t
test/recipes/80-test_ssl_old.t
test/recipes/90-test_sslapi.t
util/mk-fipsmodule-cnf.pl
util/perl/OpenSSL/paramnames.pm

index 32d514bedb555dfd90b1f99bc3467f8648f0c04f..7b3fdbaf534bcf3d2cb170e22eff046e3d4ff434 100644 (file)
@@ -361,68 +361,68 @@ static int write_config_fips_section(BIO *out, const char *section,
                       VERSION_VAL) <= 0
         || BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_CONDITIONAL_ERRORS,
                       opts->conditional_errors ? "1" : "0") <= 0
-        || BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_SECURITY_CHECKS,
+        || BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_SECURITY_CHECKS,
                       opts->security_checks ? "1" : "0") <= 0
-        || BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_HMAC_KEY_CHECK,
+        || BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_HMAC_KEY_CHECK,
                       opts->hmac_key_check ? "1": "0") <= 0
-        || BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_KMAC_KEY_CHECK,
+        || BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_KMAC_KEY_CHECK,
                       opts->kmac_key_check ? "1": "0") <= 0
-        || BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_TLS1_PRF_EMS_CHECK,
+        || BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_TLS1_PRF_EMS_CHECK,
                       opts->tls_prf_ems_check ? "1" : "0") <= 0
         || BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_NO_SHORT_MAC,
                       opts->no_short_mac ? "1" : "0") <= 0
-        || BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_DRBG_TRUNC_DIGEST,
+        || BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_DRBG_TRUNC_DIGEST,
                       opts->drgb_no_trunc_dgst ? "1" : "0") <= 0
-        || BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_SIGNATURE_DIGEST_CHECK,
+        || BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_SIGNATURE_DIGEST_CHECK,
                       opts->signature_digest_check ? "1" : "0") <= 0
-        || BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_HKDF_DIGEST_CHECK,
+        || BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_HKDF_DIGEST_CHECK,
                       opts->hkdf_digest_check ? "1": "0") <= 0
         || BIO_printf(out, "%s = %s\n",
-                      OSSL_PROV_FIPS_PARAM_TLS13_KDF_DIGEST_CHECK,
+                      OSSL_PROV_PARAM_TLS13_KDF_DIGEST_CHECK,
                       opts->tls13_kdf_digest_check ? "1": "0") <= 0
         || BIO_printf(out, "%s = %s\n",
-                      OSSL_PROV_FIPS_PARAM_TLS1_PRF_DIGEST_CHECK,
+                      OSSL_PROV_PARAM_TLS1_PRF_DIGEST_CHECK,
                       opts->tls1_prf_digest_check ? "1": "0") <= 0
         || BIO_printf(out, "%s = %s\n",
-                      OSSL_PROV_FIPS_PARAM_SSHKDF_DIGEST_CHECK,
+                      OSSL_PROV_PARAM_SSHKDF_DIGEST_CHECK,
                       opts->sshkdf_digest_check ? "1": "0") <= 0
-        || BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_SSKDF_DIGEST_CHECK,
+        || BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_SSKDF_DIGEST_CHECK,
                       opts->sskdf_digest_check ? "1": "0") <= 0
         || BIO_printf(out, "%s = %s\n",
-                      OSSL_PROV_FIPS_PARAM_X963KDF_DIGEST_CHECK,
+                      OSSL_PROV_PARAM_X963KDF_DIGEST_CHECK,
                       opts->x963kdf_digest_check ? "1": "0") <= 0
-        || BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_DSA_SIGN_DISABLED,
+        || BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_DSA_SIGN_DISABLED,
                       opts->dsa_sign_disabled ? "1" : "0") <= 0
         || BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_TDES_ENCRYPT_DISABLED,
                       opts->tdes_encrypt_disabled ? "1" : "0") <= 0
         || BIO_printf(out, "%s = %s\n",
-                      OSSL_PROV_FIPS_PARAM_RSA_PKCS15_PADDING_DISABLED,
+                      OSSL_PROV_PARAM_RSA_PKCS15_PAD_DISABLED,
                       opts->rsa_pkcs15_padding_disabled ? "1" : "0") <= 0
         || BIO_printf(out, "%s = %s\n",
-                      OSSL_PROV_FIPS_PARAM_RSA_PSS_SALTLEN_CHECK,
+                      OSSL_PROV_PARAM_RSA_PSS_SALTLEN_CHECK,
                       opts->rsa_pss_saltlen_check ? "1" : "0") <= 0
         || BIO_printf(out, "%s = %s\n",
-                      OSSL_PROV_FIPS_PARAM_RSA_SIGN_X931_PAD_DISABLED,
+                      OSSL_PROV_PARAM_RSA_SIGN_X931_PAD_DISABLED,
                       opts->sign_x931_padding_disabled ? "1" : "0") <= 0
-        || BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_HKDF_KEY_CHECK,
+        || BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_HKDF_KEY_CHECK,
                       opts->hkdf_key_check ? "1": "0") <= 0
-        || BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_KBKDF_KEY_CHECK,
+        || BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_KBKDF_KEY_CHECK,
                       opts->kbkdf_key_check ? "1": "0") <= 0
         || BIO_printf(out, "%s = %s\n",
-                      OSSL_PROV_FIPS_PARAM_TLS13_KDF_KEY_CHECK,
+                      OSSL_PROV_PARAM_TLS13_KDF_KEY_CHECK,
                       opts->tls13_kdf_key_check ? "1": "0") <= 0
-        || BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_TLS1_PRF_KEY_CHECK,
+        || BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_TLS1_PRF_KEY_CHECK,
                       opts->tls1_prf_key_check ? "1": "0") <= 0
-        || BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_SSHKDF_KEY_CHECK,
+        || BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_SSHKDF_KEY_CHECK,
                       opts->sshkdf_key_check ? "1": "0") <= 0
-        || BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_SSKDF_KEY_CHECK,
+        || BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_SSKDF_KEY_CHECK,
                       opts->sskdf_key_check ? "1": "0") <= 0
-        || BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_X963KDF_KEY_CHECK,
+        || BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_X963KDF_KEY_CHECK,
                       opts->x963kdf_key_check ? "1": "0") <= 0
         || BIO_printf(out, "%s = %s\n",
-                      OSSL_PROV_FIPS_PARAM_PBKDF2_LOWER_BOUND_CHECK,
+                      OSSL_PROV_PARAM_PBKDF2_LOWER_BOUND_CHECK,
                       opts->pbkdf2_lower_bound_check ? "1" : "0") <= 0
-        || BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_ECDH_COFACTOR_CHECK,
+        || BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_ECDH_COFACTOR_CHECK,
                       opts->ecdh_cofactor_check ? "1": "0") <= 0
         || !print_mac(out, OSSL_PROV_FIPS_PARAM_MODULE_MAC, module_mac,
                       module_mac_len))
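Review bot: The `rsa_pkcs15_padding_disabled` entry is the only line in this hunk where the macro stem changes as well as the prefix (`..._RSA_PKCS15_PADDING_DISABLED` becomes `OSSL_PROV_PARAM_RSA_PKCS15_PAD_DISABLED`), and the definition removed from fips_names.h mapped the old name to the key "rsa-pkcs15-padding-disabled". The value of the new macro is not visible here; if it expands to a different key string, a config file written by an earlier fipsinstall would carry a key the provider presumably no longer reads, and the option would fall back to its default without any error. It is worth confirming that the string is unchanged, or stating in the commit message that the key was renamed before any release shipped it. write_config_fips_section starts and ends outside the hunk.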
index af13e9acebcb7817e8f5a3b5d51699f45538957a..288ea839353f7e574052236cc81ef9b2a4d9fe27 100644 (file)
@@ -17,27 +17,18 @@ extern "C" {
 
 /*
  * Parameter names that the FIPS Provider defines
+ * All parameters are of type: OSSL_PARAM_UTF8_STRING
  */
 
-/*
- * The calculated MAC of the module file (Used for FIPS Self Testing)
- * Type: OSSL_PARAM_UTF8_STRING
- */
+/* The following 4 Parameters are used for FIPS Self Testing */
+
+/* The calculated MAC of the module file */
 # define OSSL_PROV_FIPS_PARAM_MODULE_MAC      "module-mac"
-/*
- * A version number for the fips install process (Used for FIPS Self Testing)
- * Type: OSSL_PARAM_UTF8_STRING
- */
+/* The Version number for the fips install process */
 # define OSSL_PROV_FIPS_PARAM_INSTALL_VERSION "install-version"
-/*
- * The calculated MAC of the install status indicator (Used for FIPS Self Testing)
- * Type: OSSL_PARAM_UTF8_STRING
- */
+/* The calculated MAC of the install status indicator */
 # define OSSL_PROV_FIPS_PARAM_INSTALL_MAC     "install-mac"
-/*
- * The install status indicator (Used for FIPS Self Testing)
- * Type: OSSL_PARAM_UTF8_STRING
- */
+/* The install status indicator */
 # define OSSL_PROV_FIPS_PARAM_INSTALL_STATUS  "install-status"
 
 /*
@@ -47,222 +38,10 @@ extern "C" {
  */
 # define OSSL_PROV_FIPS_PARAM_CONDITIONAL_ERRORS "conditional-errors"
 
-/*
- * A boolean that determines if the runtime FIPS security checks are performed.
- * This is enabled by default.
- * Type: OSSL_PARAM_UTF8_STRING
- */
-# define OSSL_PROV_FIPS_PARAM_SECURITY_CHECKS "security-checks"
-
-/*
- * A boolean that determines if the runtime FIPS check for TLS1_PRF EMS is performed.
- * This is disabled by default.
- * Type: OSSL_PARAM_UTF8_STRING
- */
-# define OSSL_PROV_FIPS_PARAM_TLS1_PRF_EMS_CHECK "tls1-prf-ems-check"
-
-/*
- * A boolean that determines if the runtime FIPS check for undersized MAC output
- * is performed.
- * This is enabled by default.
- * Type: OSSL_PARAM_UTF8_STRING
- */
-# define OSSL_PROV_FIPS_PARAM_NO_SHORT_MAC "no-short-mac"
-
-/*
- * A boolean that determines if the runtime FIPS key check for HMAC is
- * performed.
- * This is enabled by default.
- * Type: OSSL_PARAM_UTF8_STRING
- */
-# define OSSL_PROV_FIPS_PARAM_HMAC_KEY_CHECK "hmac-key-check"
-
-/*
- * A boolean that determines if the runtime FIPS key check for KMAC is
- * performed.
- * This is enabled by default.
- * Type: OSSL_PARAM_UTF8_STRING
- */
-# define OSSL_PROV_FIPS_PARAM_KMAC_KEY_CHECK "kmac-key-check"
-
-/*
- * A boolean that determines if truncated digests can be used with Hash and HMAC
- * DRBGs.  FIPS 140-3 IG D.R disallows such use for efficiency rather than
- * security reasons.
- * This is disabled by default.
- * Type: OSSL_PARAM_UTF8_STRING
- */
-# define OSSL_PROV_FIPS_PARAM_DRBG_TRUNC_DIGEST "drbg-no-trunc-md"
-
-/*
- * A boolean that determines if the digest algorithm used as part of a
- * signature algorithm is in the approved list.
- * This is disabled by default.
- * Type: OSSL_PARAM_UTF8_STRING
- */
-# define OSSL_PROV_FIPS_PARAM_SIGNATURE_DIGEST_CHECK "signature-digest-check"
-
-/*
- * A boolean that determines if the runtime FIPS digest check for HKDF is
- * performed.
- * This is disabled by default.
- * Type: OSSL_PARAM_UTF8_STRING
- */
-# define OSSL_PROV_FIPS_PARAM_HKDF_DIGEST_CHECK "hkdf-digest-check"
-
-/*
- * A boolean that determines if the runtime FIPS digest check for TLS13 KDF is
- * performed.
- * This is disabled by default.
- * Type: OSSL_PARAM_UTF8_STRING
- */
-# define OSSL_PROV_FIPS_PARAM_TLS13_KDF_DIGEST_CHECK "tls13-kdf-digest-check"
-
-/*
- * A boolean that determines if the runtime FIPS digest check for TLS1_PRF is
- * performed.
- * This is disabled by default.
- * Type: OSSL_PARAM_UTF8_STRING
- */
-# define OSSL_PROV_FIPS_PARAM_TLS1_PRF_DIGEST_CHECK "tls1-prf-digest-check"
-
-/*
- * A boolean that determines if the runtime FIPS digest check for SSHKDF is
- * performed.
- * This is disabled by default.
- * Type: OSSL_PARAM_UTF8_STRING
- */
-# define OSSL_PROV_FIPS_PARAM_SSHKDF_DIGEST_CHECK "sshkdf-digest-check"
-
-/*
- * A boolean that determines if the runtime FIPS digest check for SSKDF is
- * performed.
- * This is disabled by default.
- * Type: OSSL_PARAM_UTF8_STRING
- */
-# define OSSL_PROV_FIPS_PARAM_SSKDF_DIGEST_CHECK "sskdf-digest-check"
-
-/*
- * A boolean that determines if the runtime FIPS digest check for X963KDF is
- * performed.
- * This is disabled by default.
- * Type: OSSL_PARAM_UTF8_STRING
- */
-# define OSSL_PROV_FIPS_PARAM_X963KDF_DIGEST_CHECK "x963kdf-digest-check"
-
-/*
- * A boolean that determines if DSA signing operations are allowed.
- * This is disabled by default.
- * Type: OSSL_PARAM_UTF8_STRING
- */
-# define OSSL_PROV_FIPS_PARAM_DSA_SIGN_DISABLED "dsa-sign-disabled"
-
-/*
- * A boolean that determines if Triple-DES encryption operations are allowed.
- * See SP800-131A r2 for further information.
- * This is disabled by default.
- * Type: OSSL_PARAM_UTF8_STRING
- */
-# define OSSL_PROV_FIPS_PARAM_TDES_ENCRYPT_DISABLED "tdes-encrypt-disabled"
-
-/*
- * A boolean that determines if PKCS#1 v1.5 padding is allowed for key
- * agreement and transport operations.
- * See SP800-131A r2 for further information.
- * This is disabled by default.
- * Type: OSSL_PARAM_UTF8_STRING
- */
-# define OSSL_PROV_FIPS_PARAM_RSA_PKCS15_PADDING_DISABLED \
-            "rsa-pkcs15-padding-disabled"
-
-/*
- * A boolean that determines if the runtime salt length check for RSA-PSS is
- * performed.
- * This is disabled by default.
- * Type: OSSL_PARAM_UTF8_STRING
- */
-# define OSSL_PROV_FIPS_PARAM_RSA_PSS_SALTLEN_CHECK "rsa-pss-saltlen-check"
-
-/*
- * A boolean that determines if X9.31 padding can be used for RSA signing.
- * X9.31 RSA has been removed from FIPS 186-5, and is no longer approved for
- * signing. it may still be used for verification for legacy purposes.
- * This is disabled by default.
- * Type: OSSL_PARAM_UTF8_STRING
- */
-# define OSSL_PROV_FIPS_PARAM_RSA_SIGN_X931_PAD_DISABLED "rsa-sign-x931-pad-disabled"
-
-/*
- * A boolean that determines if the runtime FIPS key check for HKDF is
- * performed.
- * This is disabled by default.
- * Type: OSSL_PARAM_UTF8_STRING
- */
-# define OSSL_PROV_FIPS_PARAM_HKDF_KEY_CHECK "hkdf-key-check"
-
-/*
- * A boolean that determines if the runtime FIPS key check for KBKDF is
- * performed.
- * This is disabled by default.
- * Type: OSSL_PARAM_UTF8_STRING
- */
-# define OSSL_PROV_FIPS_PARAM_KBKDF_KEY_CHECK "kbkdf-key-check"
-
-/*
- * A boolean that determines if the runtime FIPS key check for TLS13 KDF is
- * performed.
- * This is disabled by default.
- * Type: OSSL_PARAM_UTF8_STRING
- */
-# define OSSL_PROV_FIPS_PARAM_TLS13_KDF_KEY_CHECK "tls13-kdf-key-check"
-
-/*
- * A boolean that determines if the runtime FIPS key check for TLS1_PRF is
- * performed.
- * This is disabled by default.
- * Type: OSSL_PARAM_UTF8_STRING
- */
-# define OSSL_PROV_FIPS_PARAM_TLS1_PRF_KEY_CHECK "tls1-prf-key-check"
-
-/*
- * A boolean that determines if the runtime FIPS key check for SSHKDF is
- * performed.
- * This is disabled by default.
- * Type: OSSL_PARAM_UTF8_STRING
- */
-# define OSSL_PROV_FIPS_PARAM_SSHKDF_KEY_CHECK "sshkdf-key-check"
-
-/*
- * A boolean that determines if the runtime FIPS key check for SSKDF is
- * performed.
- * This is disabled by default.
- * Type: OSSL_PARAM_UTF8_STRING
- */
-# define OSSL_PROV_FIPS_PARAM_SSKDF_KEY_CHECK "sskdf-key-check"
-
-/*
- * A boolean that determines if the runtime FIPS key check for X963KDF is
- * performed.
- * This is disabled by default.
- * Type: OSSL_PARAM_UTF8_STRING
- */
-# define OSSL_PROV_FIPS_PARAM_X963KDF_KEY_CHECK "x963kdf-key-check"
-
-/*
- * A boolean that determines if the runtime lower bound check for PBKDF2 is
- * performed.
- * This is enabled by default.
- * Type: OSSL_PARAM_UTF8_STRING
- */
-# define OSSL_PROV_FIPS_PARAM_PBKDF2_LOWER_BOUND_CHECK "pbkdf2-lower-bound-check"
-
-/*
- * A boolean that determines if the runtime cofactor check for ECDH is
- * performed.
- * This is disabled by default.
- * Type: OSSL_PARAM_UTF8_STRING
- */
-# define OSSL_PROV_FIPS_PARAM_ECDH_COFACTOR_CHECK "ecdh-cofactor-check"
+/* The following are provided for backwards compatibility */
+# define OSSL_PROV_FIPS_PARAM_SECURITY_CHECKS OSSL_PROV_PARAM_SECURITY_CHECKS
+# define OSSL_PROV_FIPS_PARAM_TLS1_PRF_EMS_CHECK OSSL_PROV_PARAM_TLS1_PRF_EMS_CHECK
+# define OSSL_PROV_FIPS_PARAM_DRBG_TRUNC_DIGEST OSSL_PROV_PARAM_DRBG_TRUNC_DIGEST
 
 # ifdef __cplusplus
 }
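Review bot: The three compatibility aliases added at the end of this hunk expand to `OSSL_PROV_PARAM_*` names that fips_names.h does not define itself, and the visible part of the header shows no `#include <openssl/core_names.h>`; if there is none, code that includes only fips_names.h gets an undeclared identifier where it used to get a string literal. The other removed `OSSL_PROV_FIPS_PARAM_*` macros get no alias at all, which is only safe if none of them appeared in a released public header. The deleted comments were also the only in-header record of each option's meaning and default (for example that "pbkdf2-lower-bound-check" is enabled by default), so a one-line pointer above the aliases to wherever that is now documented would help.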
index 3b211bbb2fe74fd1dcabf8cde6c7feb6b1d793af..06f27df9c642139d9f0bd764d3e49194b1c1aecf 100644 (file)
@@ -46,7 +46,8 @@ LIBS{noinst}=$LIBDEFAULT $LIBCOMMON
 # providers/implementations/include), which includes crypto/*_platform.h
 # (present in include), which in turn may include very internal header
 # files in crypto/, so let's have a common include list for them all.
-$COMMON_INCLUDES=../crypto ../include implementations/include common/include
+$COMMON_INCLUDES=../crypto ../include implementations/include common/include \
+    fips/include
 
 INCLUDE[$LIBCOMMON]=$COMMON_INCLUDES
 INCLUDE[$LIBFIPS]=.. $COMMON_INCLUDES
diff --git a/providers/common/include/prov/fipscommon.h b/providers/common/include/prov/fipscommon.h
deleted file mode 100644 (file)
index 2fd97ba..0000000
+++ /dev/null
@@ -1,40 +0,0 @@
-/*
- * Copyright 2023 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#ifdef FIPS_MODULE
-# include <openssl/types.h>
-
-int FIPS_security_check_enabled(OSSL_LIB_CTX *libctx);
-int FIPS_tls_prf_ems_check(OSSL_LIB_CTX *libctx);
-int FIPS_no_short_mac(OSSL_LIB_CTX *libctx);
-int FIPS_hmac_key_check(OSSL_LIB_CTX *libctx);
-int FIPS_kmac_key_check(OSSL_LIB_CTX *libctx);
-int FIPS_restricted_drbg_digests_enabled(OSSL_LIB_CTX *libctx);
-int FIPS_fips_signature_digest_check(OSSL_LIB_CTX *libctx);
-int FIPS_hkdf_digest_check(OSSL_LIB_CTX *libctx);
-int FIPS_tls13_kdf_digest_check(OSSL_LIB_CTX *libctx);
-int FIPS_tls1_prf_digest_check(OSSL_LIB_CTX *libctx);
-int FIPS_sshkdf_digest_check(OSSL_LIB_CTX *libctx);
-int FIPS_sskdf_digest_check(OSSL_LIB_CTX *libctx);
-int FIPS_x963kdf_digest_check(OSSL_LIB_CTX *libctx);
-int FIPS_dsa_sign_check(OSSL_LIB_CTX *libctx);
-int FIPS_tdes_encrypt_check(OSSL_LIB_CTX *libctx);
-int FIPS_rsa_pkcs15_padding_disabled(OSSL_LIB_CTX *libctx);
-int FIPS_rsa_pss_saltlen_check(OSSL_LIB_CTX *libctx);
-int FIPS_rsa_sign_x931_disallowed(OSSL_LIB_CTX *libctx);
-int FIPS_hkdf_key_check(OSSL_LIB_CTX *libctx);
-int FIPS_kbkdf_key_check(OSSL_LIB_CTX *libctx);
-int FIPS_tls13_kdf_key_check(OSSL_LIB_CTX *libctx);
-int FIPS_tls1_prf_key_check(OSSL_LIB_CTX *libctx);
-int FIPS_sshkdf_key_check(OSSL_LIB_CTX *libctx);
-int FIPS_sskdf_key_check(OSSL_LIB_CTX *libctx);
-int FIPS_x963kdf_key_check(OSSL_LIB_CTX *libctx);
-int FIPS_pbkdf2_lower_bound_check(OSSL_LIB_CTX *libctx);
-int FIPS_ecdh_cofactor_check(OSSL_LIB_CTX *libctx);
-#endif
index a932c7771de081237c036d63bbf5f40a14f48589..29a2b7fbf81f095eb947f5ef1c4118e214ceba14 100644 (file)
@@ -10,9 +10,7 @@
 #include "crypto/types.h"
 #include <openssl/ec.h>
 
-#ifdef FIPS_MODULE
-# include "fipscommon.h"
-#endif
+#include "fips/fipsindicator.h"
 
 /* Functions that are common */
 int ossl_rsa_key_op_get_protect(const RSA *rsa, int operation, int *outprotect);
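Review bot: `#include "fips/fipsindicator.h"` is now unconditional, whereas the include it replaces was wrapped in `#ifdef FIPS_MODULE`, so every non-FIPS translation unit that includes securitycheck.h now pulls in the FIPS indicator header. That is only safe if fipsindicator.h, and the fipscommon.h it includes according to the commit message, keep their declarations under their own `#ifdef FIPS_MODULE`, as the deleted fipscommon.h did; neither body is visible here. A short comment on the include, e.g. `/* contents are guarded by FIPS_MODULE inside the header */`, would record that dependency.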
@@ -38,4 +36,4 @@ int ossl_digest_get_approved_nid(const EVP_MD *md);
 
 /* Functions that have different implementations for the FIPS_MODULE */
 int ossl_digest_rsa_sign_get_md_nid(const EVP_MD *md);
-int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx);
+int ossl_fips_config_securitycheck_enabled(OSSL_LIB_CTX *libctx);
index fc22d5c3a094a03f6808c8cda4162f7f33898c33..8748d4a5cc67462f091f4d19411b0d610266a3ef 100644 (file)
@@ -19,7 +19,6 @@
 #include <openssl/core_names.h>
 #include <openssl/obj_mac.h>
 #include "prov/securitycheck.h"
-#include "prov/fipsindicator.h"
 
 #define OSSL_FIPS_MIN_SECURITY_STRENGTH_BITS 112
 
index 19916a46ca5fa315435b2c4fe7c53efdb973e9cc..5a8ab8c6df37400e44b534fe33eb4c4af2003d98 100644 (file)
@@ -17,7 +17,7 @@
 #include "internal/nelem.h"
 
 /* Disable the security checks in the default provider */
-int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx)
+int ossl_fips_config_securitycheck_enabled(OSSL_LIB_CTX *libctx)
 {
     return 0;
 }
index 617d3bd2b78f0d54074868d67c1ce08c8d487c4b..0d257adf7c32f2cc00d0370f87ce65dff8a787eb 100644 (file)
 #include <openssl/core_names.h>
 #include <openssl/obj_mac.h>
 #include "prov/securitycheck.h"
-#include "prov/fipsindicator.h"
-#include "prov/fipscommon.h"
 
-int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx)
+int ossl_fips_config_securitycheck_enabled(OSSL_LIB_CTX *libctx)
 {
 #if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
-    return FIPS_security_check_enabled(libctx);
+    return ossl_fips_config_security_checks(libctx);
 #else
     return 0;
 #endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
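Review bot: `ossl_fips_config_securitycheck_enabled` and `ossl_fips_config_security_checks` now differ only in spelling, yet only the former honours `OPENSSL_NO_FIPS_SECURITYCHECKS`. A caller that passes the second name by mistake would get the configured value rather than 0 in a build where the checks are compiled out. A comment above the function would make the distinction explicit, for example `/* Honours OPENSSL_NO_FIPS_SECURITYCHECKS; pass this, not ossl_fips_config_security_checks(), as the indicator callback */`. The same `fips_config` name is also given to the default-provider stub in securitycheck_default.c, which always returns 0.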
@@ -43,7 +41,7 @@ int ossl_fips_ind_rsa_key_check(OSSL_FIPS_IND *ind, int id,
 
     if (!key_approved) {
         if (!ossl_FIPS_IND_on_unapproved(ind, id, libctx, desc, "Key size",
-                                         ossl_securitycheck_enabled)) {
+                                         ossl_fips_config_securitycheck_enabled)) {
                 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH,
                                "operation: %s", desc);
             return 0;
@@ -68,7 +66,7 @@ int ossl_fips_ind_ec_key_check(OSSL_FIPS_IND *ind, int id,
 
     if (!strength_allowed || !curve_allowed) {
         if (!ossl_FIPS_IND_on_unapproved(ind, id, libctx, desc, "EC Key",
-                                         ossl_securitycheck_enabled)) {
+                                         ossl_fips_config_securitycheck_enabled)) {
             if (!curve_allowed)
                 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CURVE);
             if (!strength_allowed)
@@ -88,7 +86,7 @@ int ossl_fips_ind_digest_check(OSSL_FIPS_IND *ind, int id,
 
     if (!approved) {
         if (!ossl_FIPS_IND_on_unapproved(ind, id, libctx, desc, "Digest",
-                                         ossl_securitycheck_enabled)) {
+                                         ossl_fips_config_securitycheck_enabled)) {
             ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST);
             return 0;
         }
index a1deebdd7242edf947531b6668ed52796540928f..d514ca6ecd9701ba816b53b75ebb3444b2272f36 100644 (file)
@@ -10,8 +10,8 @@
 #include <openssl/indicator.h>
 #include <openssl/params.h>
 #include <openssl/core_names.h>
-#include "prov/fipsindicator.h"
 #include "internal/common.h" /* for ossl_assert() */
+#include "fips/fipsindicator.h"
 
 void ossl_FIPS_IND_init(OSSL_FIPS_IND *ind)
 {
index 6de56ddb88faf11bdbff55cdc0efcf517a240fc9..13df65faed3d3343919f016ebe871e0cfab8842d 100644 (file)
 #include "prov/providercommon.h"
 #include "prov/provider_util.h"
 #include "prov/seeding.h"
-#include "prov/fipscommon.h"
 #include "internal/nelem.h"
 #include "self_test.h"
 #include "crypto/context.h"
+#include "fipscommon.h"
 #include "internal/core.h"
 
 static const char FIPS_DEFAULT_PROPERTIES[] = "provider=fips,fips=yes";
@@ -87,33 +87,12 @@ typedef struct {
 typedef struct fips_global_st {
     const OSSL_CORE_HANDLE *handle;
     SELF_TEST_POST_PARAMS selftest_params;
-    FIPS_OPTION fips_security_checks;
-    FIPS_OPTION fips_tls1_prf_ems_check;
-    FIPS_OPTION fips_no_short_mac;
-    FIPS_OPTION fips_hmac_key_check;
-    FIPS_OPTION fips_kmac_key_check;
-    FIPS_OPTION fips_restricted_drgb_digests;
-    FIPS_OPTION fips_signature_digest_check;
-    FIPS_OPTION fips_hkdf_digest_check;
-    FIPS_OPTION fips_tls13_kdf_digest_check;
-    FIPS_OPTION fips_tls1_prf_digest_check;
-    FIPS_OPTION fips_sshkdf_digest_check;
-    FIPS_OPTION fips_sskdf_digest_check;
-    FIPS_OPTION fips_x963kdf_digest_check;
-    FIPS_OPTION fips_dsa_sign_disallowed;
-    FIPS_OPTION fips_tdes_encrypt_disallowed;
-    FIPS_OPTION fips_rsa_pkcs15_padding_disabled;
-    FIPS_OPTION fips_rsa_pss_saltlen_check;
-    FIPS_OPTION fips_rsa_sign_x931_disallowed;
-    FIPS_OPTION fips_hkdf_key_check;
-    FIPS_OPTION fips_kbkdf_key_check;
-    FIPS_OPTION fips_tls13_kdf_key_check;
-    FIPS_OPTION fips_tls1_prf_key_check;
-    FIPS_OPTION fips_sshkdf_key_check;
-    FIPS_OPTION fips_sskdf_key_check;
-    FIPS_OPTION fips_x963kdf_key_check;
-    FIPS_OPTION fips_pbkdf2_lower_bound_check;
-    FIPS_OPTION fips_ecdh_cofactor_check;
+
+#define OSSL_FIPS_PARAM(structname, paramname, initvalue) \
+    FIPS_OPTION fips_##structname;
+#include "fips_indicator_params.inc"
+#undef OSSL_FIPS_PARAM
+
 } FIPS_GLOBAL;
 
 static void init_fips_option(FIPS_OPTION *opt, int enabled)
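Review bot: With the `OSSL_FIPS_PARAM` expansion here and in `ossl_fips_prov_ossl_ctx_new` (next hunk), the set of options and their initial values are no longer visible in fipsprov.c; the removed lines initialised `fips_security_checks`, `fips_no_short_mac` and `fips_pbkdf2_lower_bound_check` to 1 and every other option to 0. fips_indicator_params.inc is not shown, so it is worth checking that its `initvalue` column reproduces exactly those three 1s, since a slip there changes a security default silently. A comment above each include, e.g. `/* One FIPS_OPTION per entry; defaults come from the initvalue column of fips_indicator_params.inc */`, would help the next reader, and a test asserting the defaults of a freshly created context would pin them.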
@@ -128,33 +107,12 @@ void *ossl_fips_prov_ossl_ctx_new(OSSL_LIB_CTX *libctx)
 
     if (fgbl == NULL)
         return NULL;
-    init_fips_option(&fgbl->fips_security_checks, 1);
-    init_fips_option(&fgbl->fips_tls1_prf_ems_check, 0); /* Disabled by default */
-    init_fips_option(&fgbl->fips_no_short_mac, 1);
-    init_fips_option(&fgbl->fips_hmac_key_check, 0);
-    init_fips_option(&fgbl->fips_kmac_key_check, 0);
-    init_fips_option(&fgbl->fips_restricted_drgb_digests, 0);
-    init_fips_option(&fgbl->fips_signature_digest_check, 0);
-    init_fips_option(&fgbl->fips_hkdf_digest_check, 0);
-    init_fips_option(&fgbl->fips_tls13_kdf_digest_check, 0);
-    init_fips_option(&fgbl->fips_tls1_prf_digest_check, 0);
-    init_fips_option(&fgbl->fips_sshkdf_digest_check, 0);
-    init_fips_option(&fgbl->fips_sskdf_digest_check, 0);
-    init_fips_option(&fgbl->fips_x963kdf_digest_check, 0);
-    init_fips_option(&fgbl->fips_dsa_sign_disallowed, 0);
-    init_fips_option(&fgbl->fips_tdes_encrypt_disallowed, 0);
-    init_fips_option(&fgbl->fips_rsa_pkcs15_padding_disabled, 0);
-    init_fips_option(&fgbl->fips_rsa_pss_saltlen_check, 0);
-    init_fips_option(&fgbl->fips_rsa_sign_x931_disallowed, 0);
-    init_fips_option(&fgbl->fips_hkdf_key_check, 0);
-    init_fips_option(&fgbl->fips_kbkdf_key_check, 0);
-    init_fips_option(&fgbl->fips_tls13_kdf_key_check, 0);
-    init_fips_option(&fgbl->fips_tls1_prf_key_check, 0);
-    init_fips_option(&fgbl->fips_sshkdf_key_check, 0);
-    init_fips_option(&fgbl->fips_sskdf_key_check, 0);
-    init_fips_option(&fgbl->fips_x963kdf_key_check, 0);
-    init_fips_option(&fgbl->fips_pbkdf2_lower_bound_check, 1);
-    init_fips_option(&fgbl->fips_ecdh_cofactor_check, 0);
+
+#define OSSL_FIPS_PARAM(structname, paramname, initvalue) \
+    init_fips_option(&fgbl->fips_##structname, initvalue);
+#include "fips_indicator_params.inc"
+#undef OSSL_FIPS_PARAM
+
     return fgbl;
 }
 
@@ -163,143 +121,32 @@ void ossl_fips_prov_ossl_ctx_free(void *fgbl)
     OPENSSL_free(fgbl);
 }
 
-/* Parameters we provide to the core */
-static const OSSL_PARAM fips_param_types[] = {
-    OSSL_PARAM_DEFN(OSSL_PROV_PARAM_NAME, OSSL_PARAM_UTF8_PTR, NULL, 0),
-    OSSL_PARAM_DEFN(OSSL_PROV_PARAM_VERSION, OSSL_PARAM_UTF8_PTR, NULL, 0),
-    OSSL_PARAM_DEFN(OSSL_PROV_PARAM_BUILDINFO, OSSL_PARAM_UTF8_PTR, NULL, 0),
-    OSSL_PARAM_DEFN(OSSL_PROV_PARAM_STATUS, OSSL_PARAM_INTEGER, NULL, 0),
-    OSSL_PARAM_DEFN(OSSL_PROV_PARAM_SECURITY_CHECKS, OSSL_PARAM_INTEGER, NULL, 0),
-    OSSL_PARAM_DEFN(OSSL_PROV_PARAM_TLS1_PRF_EMS_CHECK, OSSL_PARAM_INTEGER, NULL, 0),
-    OSSL_PARAM_DEFN(OSSL_PROV_PARAM_NO_SHORT_MAC, OSSL_PARAM_INTEGER, NULL, 0),
-    OSSL_PARAM_DEFN(OSSL_PROV_PARAM_HMAC_KEY_CHECK, OSSL_PARAM_INTEGER, NULL, 0),
-    OSSL_PARAM_DEFN(OSSL_PROV_PARAM_DRBG_TRUNC_DIGEST, OSSL_PARAM_INTEGER, NULL, 0),
-    OSSL_PARAM_DEFN(OSSL_PROV_PARAM_HKDF_DIGEST_CHECK, OSSL_PARAM_INTEGER, NULL,
-                    0),
-    OSSL_PARAM_DEFN(OSSL_PROV_PARAM_TLS13_KDF_DIGEST_CHECK, OSSL_PARAM_INTEGER,
-                    NULL, 0),
-    OSSL_PARAM_DEFN(OSSL_PROV_PARAM_TLS1_PRF_DIGEST_CHECK, OSSL_PARAM_INTEGER,
-                    NULL, 0),
-    OSSL_PARAM_DEFN(OSSL_PROV_PARAM_SSHKDF_DIGEST_CHECK, OSSL_PARAM_INTEGER,
-                    NULL, 0),
-    OSSL_PARAM_DEFN(OSSL_PROV_PARAM_SSKDF_DIGEST_CHECK, OSSL_PARAM_INTEGER,
-                    NULL, 0),
-    OSSL_PARAM_DEFN(OSSL_PROV_PARAM_X963KDF_DIGEST_CHECK, OSSL_PARAM_INTEGER,
-                    NULL, 0),
-    OSSL_PARAM_DEFN(OSSL_PROV_PARAM_DSA_SIGN_DISABLED, OSSL_PARAM_INTEGER,
-                    NULL, 0),
-    OSSL_PARAM_DEFN(OSSL_PROV_PARAM_TDES_ENCRYPT_DISABLED, OSSL_PARAM_INTEGER,
-                    NULL, 0),
-    OSSL_PARAM_DEFN(OSSL_PROV_PARAM_RSA_SIGN_X931_PAD_DISABLED,
-                    OSSL_PARAM_INTEGER, NULL, 0),
-    OSSL_PARAM_DEFN(OSSL_PROV_PARAM_HKDF_KEY_CHECK, OSSL_PARAM_INTEGER, NULL,
-                    0),
-    OSSL_PARAM_DEFN(OSSL_PROV_PARAM_KMAC_KEY_CHECK, OSSL_PARAM_INTEGER, NULL,
-                    0),
-    OSSL_PARAM_DEFN(OSSL_PROV_PARAM_TLS13_KDF_KEY_CHECK, OSSL_PARAM_INTEGER,
-                    NULL, 0),
-    OSSL_PARAM_DEFN(OSSL_PROV_PARAM_TLS1_PRF_KEY_CHECK, OSSL_PARAM_INTEGER,
-                    NULL, 0),
-    OSSL_PARAM_DEFN(OSSL_PROV_PARAM_SSHKDF_KEY_CHECK, OSSL_PARAM_INTEGER, NULL,
-                    0),
-    OSSL_PARAM_DEFN(OSSL_PROV_PARAM_SSKDF_KEY_CHECK, OSSL_PARAM_INTEGER, NULL,
-                    0),
-    OSSL_PARAM_DEFN(OSSL_PROV_PARAM_X963KDF_KEY_CHECK, OSSL_PARAM_INTEGER, NULL,
-                    0),
-    OSSL_PARAM_DEFN(OSSL_PROV_PARAM_PBKDF2_LOWER_BOUND_CHECK,
-                    OSSL_PARAM_INTEGER, NULL, 0),
-    OSSL_PARAM_DEFN(OSSL_PROV_PARAM_ECDH_COFACTOR_CHECK, OSSL_PARAM_INTEGER,
-                    NULL, 0),
-    OSSL_PARAM_END
-};
-
+/*
+ * Parameters to retrieve from the core provider
+ * NOTE: inside core_get_params() these will be loaded from config items
+ * stored inside prov->parameters
+ */
 static int fips_get_params_from_core(FIPS_GLOBAL *fgbl)
 {
-    /*
-    * Parameters to retrieve from the core provider - required for self testing.
-    * NOTE: inside core_get_params() these will be loaded from config items
-    * stored inside prov->parameters (except for
-    * OSSL_PROV_PARAM_CORE_MODULE_FILENAME).
-    * OSSL_PROV_FIPS_PARAM_SECURITY_CHECKS and
-    * OSSL_PROV_FIPS_PARAM_TLS1_PRF_EMS_CHECK are not self test parameters.
-    */
-    OSSL_PARAM core_params[31], *p = core_params;
-
-/* FIPS self test params */
-#define FIPS_FEATURE_SELF_TEST(fgbl, pname, field)                             \
-    *p++ = OSSL_PARAM_construct_utf8_ptr(pname,                                \
-                                         (char **)&fgbl->selftest_params.field,\
-                                         sizeof(fgbl->selftest_params.field))
-
-    FIPS_FEATURE_SELF_TEST(fgbl, OSSL_PROV_PARAM_CORE_MODULE_FILENAME,
-                           module_filename);
-    FIPS_FEATURE_SELF_TEST(fgbl, OSSL_PROV_FIPS_PARAM_MODULE_MAC,
-                           module_checksum_data);
-    FIPS_FEATURE_SELF_TEST(fgbl, OSSL_PROV_FIPS_PARAM_CONDITIONAL_ERRORS,
-                           conditional_error_check);
-#undef FIPS_FEATURE_SELF_TEST
-
-/* FIPS features can be enabled or disabled independently */
-#define FIPS_FEATURE_OPTION(fgbl, pname, field)                         \
-    *p++ = OSSL_PARAM_construct_utf8_ptr(                               \
-            pname, (char **)&fgbl->field.option,                        \
-            sizeof(fgbl->field.option))
-
-    FIPS_FEATURE_OPTION(fgbl, OSSL_PROV_FIPS_PARAM_SECURITY_CHECKS,
-                        fips_security_checks);
-    FIPS_FEATURE_OPTION(fgbl, OSSL_PROV_FIPS_PARAM_TLS1_PRF_EMS_CHECK,
-                        fips_tls1_prf_ems_check);
-    FIPS_FEATURE_OPTION(fgbl, OSSL_PROV_FIPS_PARAM_NO_SHORT_MAC,
-                        fips_no_short_mac);
-    FIPS_FEATURE_OPTION(fgbl, OSSL_PROV_FIPS_PARAM_HMAC_KEY_CHECK,
-                        fips_hmac_key_check);
-    FIPS_FEATURE_OPTION(fgbl, OSSL_PROV_FIPS_PARAM_KMAC_KEY_CHECK,
-                        fips_kmac_key_check);
-    FIPS_FEATURE_OPTION(fgbl, OSSL_PROV_FIPS_PARAM_DRBG_TRUNC_DIGEST,
-                        fips_restricted_drgb_digests);
-    FIPS_FEATURE_OPTION(fgbl, OSSL_PROV_FIPS_PARAM_SIGNATURE_DIGEST_CHECK,
-                        fips_signature_digest_check);
-    FIPS_FEATURE_OPTION(fgbl, OSSL_PROV_FIPS_PARAM_HKDF_DIGEST_CHECK,
-                        fips_hkdf_digest_check);
-    FIPS_FEATURE_OPTION(fgbl, OSSL_PROV_FIPS_PARAM_TLS13_KDF_DIGEST_CHECK,
-                        fips_tls13_kdf_digest_check);
-    FIPS_FEATURE_OPTION(fgbl, OSSL_PROV_FIPS_PARAM_TLS1_PRF_DIGEST_CHECK,
-                        fips_tls1_prf_digest_check);
-    FIPS_FEATURE_OPTION(fgbl, OSSL_PROV_FIPS_PARAM_SSHKDF_DIGEST_CHECK,
-                        fips_sshkdf_digest_check);
-    FIPS_FEATURE_OPTION(fgbl, OSSL_PROV_FIPS_PARAM_SSKDF_DIGEST_CHECK,
-                        fips_sskdf_digest_check);
-    FIPS_FEATURE_OPTION(fgbl, OSSL_PROV_FIPS_PARAM_X963KDF_DIGEST_CHECK,
-                        fips_x963kdf_digest_check);
-    FIPS_FEATURE_OPTION(fgbl, OSSL_PROV_FIPS_PARAM_DSA_SIGN_DISABLED,
-                        fips_dsa_sign_disallowed);
-    FIPS_FEATURE_OPTION(fgbl, OSSL_PROV_FIPS_PARAM_TDES_ENCRYPT_DISABLED,
-                        fips_tdes_encrypt_disallowed);
-    FIPS_FEATURE_OPTION(fgbl, OSSL_PROV_FIPS_PARAM_RSA_PKCS15_PADDING_DISABLED,
-                        fips_rsa_pkcs15_padding_disabled);
-    FIPS_FEATURE_OPTION(fgbl, OSSL_PROV_FIPS_PARAM_RSA_PSS_SALTLEN_CHECK,
-                        fips_rsa_pss_saltlen_check);
-    FIPS_FEATURE_OPTION(fgbl, OSSL_PROV_FIPS_PARAM_RSA_SIGN_X931_PAD_DISABLED,
-                        fips_rsa_sign_x931_disallowed);
-    FIPS_FEATURE_OPTION(fgbl, OSSL_PROV_FIPS_PARAM_HKDF_KEY_CHECK,
-                        fips_hkdf_key_check);
-    FIPS_FEATURE_OPTION(fgbl, OSSL_PROV_FIPS_PARAM_KBKDF_KEY_CHECK,
-                        fips_kbkdf_key_check);
-    FIPS_FEATURE_OPTION(fgbl, OSSL_PROV_FIPS_PARAM_TLS13_KDF_KEY_CHECK,
-                        fips_tls13_kdf_key_check);
-    FIPS_FEATURE_OPTION(fgbl, OSSL_PROV_FIPS_PARAM_TLS1_PRF_KEY_CHECK,
-                        fips_tls1_prf_key_check);
-    FIPS_FEATURE_OPTION(fgbl, OSSL_PROV_FIPS_PARAM_SSHKDF_KEY_CHECK,
-                        fips_sshkdf_key_check);
-    FIPS_FEATURE_OPTION(fgbl, OSSL_PROV_FIPS_PARAM_SSKDF_KEY_CHECK,
-                        fips_sskdf_key_check);
-    FIPS_FEATURE_OPTION(fgbl, OSSL_PROV_FIPS_PARAM_X963KDF_KEY_CHECK,
-                        fips_x963kdf_key_check);
-    FIPS_FEATURE_OPTION(fgbl, OSSL_PROV_FIPS_PARAM_PBKDF2_LOWER_BOUND_CHECK,
-                        fips_pbkdf2_lower_bound_check);
-    FIPS_FEATURE_OPTION(fgbl, OSSL_PROV_FIPS_PARAM_ECDH_COFACTOR_CHECK,
-                        fips_ecdh_cofactor_check);
-#undef FIPS_FEATURE_OPTION
+    OSSL_PARAM core_params[32], *p = core_params;
+
+#define OSSL_FIPS_PARAM(structname, paramname)                                 \
+    *p++ = OSSL_PARAM_construct_utf8_ptr(                                      \
+            paramname, (char **)&fgbl->selftest_params.structname,             \
+            sizeof(fgbl->selftest_params.structname));
+
+/* Parameters required for self testing */
+#include "fips_selftest_params.inc"
+#undef OSSL_FIPS_PARAM
+
+/* FIPS indicator options can be enabled or disabled independently */
+#define OSSL_FIPS_PARAM(structname, paramname, initvalue)                      \
+    *p++ = OSSL_PARAM_construct_utf8_ptr(                                      \
+            OSSL_PROV_PARAM_##paramname,                                       \
+            (char **)&fgbl->fips_##structname.option,                          \
+            sizeof(fgbl->fips_##structname.option));
+#include "fips_indicator_params.inc"
+#undef OSSL_FIPS_PARAM
 
     *p = OSSL_PARAM_construct_end();
 
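Review bot: `OSSL_PARAM core_params[32]` is a hand-counted bound for an array that is now filled from two `#include`d lists, so `*p++` writes past the end of this stack array once the lists hold more than 31 entries. The two .inc files added in this commit supply 3 + 27 entries plus the end marker, which leaves one spare slot and nothing that fails the build when it is used up. Deriving the size from the same lists, as sketched below, keeps the bound and the writes in step. The function body continues outside the hunk.

```c
static int fips_get_params_from_core(FIPS_GLOBAL *fgbl)
{
    /* One enumerator per list entry, so the count follows the .inc files */
    enum {
#define OSSL_FIPS_PARAM(structname, paramname) FIPS_CORE_IDX_##structname,
#include "fips_selftest_params.inc"
#undef OSSL_FIPS_PARAM
#define OSSL_FIPS_PARAM(structname, paramname, initvalue) \
        FIPS_CORE_IDX_fips_##structname,
#include "fips_indicator_params.inc"
#undef OSSL_FIPS_PARAM
        FIPS_CORE_PARAM_COUNT
    };
    /* +1 for the OSSL_PARAM_construct_end() terminator */
    OSSL_PARAM core_params[FIPS_CORE_PARAM_COUNT + 1], *p = core_params;

    /* … unchanged: the two OSSL_FIPS_PARAM expansions that fill core_params … */
```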
@@ -313,6 +160,20 @@ static int fips_get_params_from_core(FIPS_GLOBAL *fgbl)
 
 static const OSSL_PARAM *fips_gettable_params(void *provctx)
 {
+    /* Parameters we provide to the core */
+    static const OSSL_PARAM fips_param_types[] = {
+        OSSL_PARAM_DEFN(OSSL_PROV_PARAM_NAME, OSSL_PARAM_UTF8_PTR, NULL, 0),
+        OSSL_PARAM_DEFN(OSSL_PROV_PARAM_VERSION, OSSL_PARAM_UTF8_PTR, NULL, 0),
+        OSSL_PARAM_DEFN(OSSL_PROV_PARAM_BUILDINFO, OSSL_PARAM_UTF8_PTR, NULL, 0),
+        OSSL_PARAM_DEFN(OSSL_PROV_PARAM_STATUS, OSSL_PARAM_INTEGER, NULL, 0),
+
+#define OSSL_FIPS_PARAM(structname, paramname, initvalue) \
+        OSSL_PARAM_DEFN(OSSL_PROV_PARAM_##paramname, OSSL_PARAM_INTEGER, NULL, 0),
+#include "fips_indicator_params.inc"
+#undef OSSL_FIPS_PARAM
+
+        OSSL_PARAM_END
+    };
     return fips_param_types;
 }
 
@@ -335,66 +196,13 @@ static int fips_get_params(void *provctx, OSSL_PARAM params[])
     if (p != NULL && !OSSL_PARAM_set_int(p, ossl_prov_is_running()))
         return 0;
 
-#define FIPS_FEATURE_GET(fgbl, pname, field)                            \
-    p = OSSL_PARAM_locate(params, pname);                               \
-    if (p != NULL && !OSSL_PARAM_set_int(p, fgbl->field.enabled))       \
-        return 0
-
-    FIPS_FEATURE_GET(fgbl, OSSL_PROV_PARAM_SECURITY_CHECKS,
-                     fips_security_checks);
-    FIPS_FEATURE_GET(fgbl, OSSL_PROV_PARAM_TLS1_PRF_EMS_CHECK,
-                     fips_tls1_prf_ems_check);
-    FIPS_FEATURE_GET(fgbl, OSSL_PROV_PARAM_NO_SHORT_MAC,
-                     fips_no_short_mac);
-    FIPS_FEATURE_GET(fgbl, OSSL_PROV_PARAM_HMAC_KEY_CHECK,
-                     fips_hmac_key_check);
-    FIPS_FEATURE_GET(fgbl, OSSL_PROV_PARAM_KMAC_KEY_CHECK,
-                     fips_kmac_key_check);
-    FIPS_FEATURE_GET(fgbl, OSSL_PROV_PARAM_DRBG_TRUNC_DIGEST,
-                     fips_restricted_drgb_digests);
-    FIPS_FEATURE_GET(fgbl, OSSL_PROV_FIPS_PARAM_SIGNATURE_DIGEST_CHECK,
-                     fips_signature_digest_check);
-    FIPS_FEATURE_GET(fgbl, OSSL_PROV_PARAM_HKDF_DIGEST_CHECK,
-                     fips_hkdf_digest_check);
-    FIPS_FEATURE_GET(fgbl, OSSL_PROV_PARAM_TLS13_KDF_DIGEST_CHECK,
-                     fips_tls13_kdf_digest_check);
-    FIPS_FEATURE_GET(fgbl, OSSL_PROV_PARAM_TLS1_PRF_DIGEST_CHECK,
-                     fips_tls1_prf_digest_check);
-    FIPS_FEATURE_GET(fgbl, OSSL_PROV_PARAM_SSHKDF_DIGEST_CHECK,
-                     fips_sshkdf_digest_check);
-    FIPS_FEATURE_GET(fgbl, OSSL_PROV_PARAM_SSKDF_DIGEST_CHECK,
-                     fips_sskdf_digest_check);
-    FIPS_FEATURE_GET(fgbl, OSSL_PROV_PARAM_X963KDF_DIGEST_CHECK,
-                     fips_x963kdf_digest_check);
-    FIPS_FEATURE_GET(fgbl, OSSL_PROV_PARAM_DSA_SIGN_DISABLED,
-                     fips_dsa_sign_disallowed);
-    FIPS_FEATURE_GET(fgbl, OSSL_PROV_PARAM_TDES_ENCRYPT_DISABLED,
-                     fips_tdes_encrypt_disallowed);
-    FIPS_FEATURE_GET(fgbl, OSSL_PROV_FIPS_PARAM_RSA_PKCS15_PADDING_DISABLED,
-                     fips_rsa_pkcs15_padding_disabled);
-    FIPS_FEATURE_GET(fgbl, OSSL_PROV_PARAM_RSA_PSS_SALTLEN_CHECK,
-                     fips_rsa_pss_saltlen_check);
-    FIPS_FEATURE_GET(fgbl, OSSL_PROV_PARAM_RSA_SIGN_X931_PAD_DISABLED,
-                     fips_rsa_sign_x931_disallowed);
-    FIPS_FEATURE_GET(fgbl, OSSL_PROV_PARAM_HKDF_KEY_CHECK,
-                     fips_hkdf_key_check);
-    FIPS_FEATURE_GET(fgbl, OSSL_PROV_PARAM_KBKDF_KEY_CHECK,
-                     fips_kbkdf_key_check);
-    FIPS_FEATURE_GET(fgbl, OSSL_PROV_PARAM_TLS13_KDF_KEY_CHECK,
-                     fips_tls13_kdf_key_check);
-    FIPS_FEATURE_GET(fgbl, OSSL_PROV_PARAM_TLS1_PRF_KEY_CHECK,
-                     fips_tls1_prf_key_check);
-    FIPS_FEATURE_GET(fgbl, OSSL_PROV_PARAM_SSHKDF_KEY_CHECK,
-                     fips_sshkdf_key_check);
-    FIPS_FEATURE_GET(fgbl, OSSL_PROV_PARAM_SSKDF_KEY_CHECK,
-                     fips_sskdf_key_check);
-    FIPS_FEATURE_GET(fgbl, OSSL_PROV_PARAM_X963KDF_KEY_CHECK,
-                     fips_x963kdf_key_check);
-    FIPS_FEATURE_GET(fgbl, OSSL_PROV_PARAM_PBKDF2_LOWER_BOUND_CHECK,
-                     fips_pbkdf2_lower_bound_check);
-    FIPS_FEATURE_GET(fgbl, OSSL_PROV_PARAM_ECDH_COFACTOR_CHECK,
-                     fips_ecdh_cofactor_check);
-#undef FIPS_FEATURE_GET
+#define OSSL_FIPS_PARAM(structname, paramname, initvalue)                      \
+    p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_##paramname);                \
+    if (p != NULL && !OSSL_PARAM_set_int(p, fgbl->fips_##structname.enabled))  \
+        return 0;
+#include "fips_indicator_params.inc"
+#undef OSSL_FIPS_PARAM
+
     return 1;
 }
 
@@ -959,44 +767,17 @@ int OSSL_provider_init_int(const OSSL_CORE_HANDLE *handle,
         SELF_TEST_disable_conditional_error_state();
 
     /* Enable or disable FIPS provider options */
-#define FIPS_SET_OPTION(fgbl, field)                                            \
-    if (fgbl->field.option != NULL) {                                       \
-        if (strcmp(fgbl->field.option, "1") == 0)                           \
-            fgbl->field.enabled = 1;                                        \
-        else if (strcmp(fgbl->field.option, "0") == 0)                      \
-            fgbl->field.enabled = 0;                                        \
-        else                                                                \
-            goto err;                                                       \
+#define OSSL_FIPS_PARAM(structname, paramname, unused)                         \
+    if (fgbl->fips_##structname.option != NULL) {                              \
+        if (strcmp(fgbl->fips_##structname.option, "1") == 0)                  \
+            fgbl->fips_##structname.enabled = 1;                               \
+        else if (strcmp(fgbl->fips_##structname.option, "0") == 0)             \
+            fgbl->fips_##structname.enabled = 0;                               \
+        else                                                                   \
+            goto err;                                                          \
     }
-
-    FIPS_SET_OPTION(fgbl, fips_security_checks);
-    FIPS_SET_OPTION(fgbl, fips_tls1_prf_ems_check);
-    FIPS_SET_OPTION(fgbl, fips_no_short_mac);
-    FIPS_SET_OPTION(fgbl, fips_hmac_key_check);
-    FIPS_SET_OPTION(fgbl, fips_kmac_key_check);
-    FIPS_SET_OPTION(fgbl, fips_restricted_drgb_digests);
-    FIPS_SET_OPTION(fgbl, fips_signature_digest_check);
-    FIPS_SET_OPTION(fgbl, fips_hkdf_digest_check);
-    FIPS_SET_OPTION(fgbl, fips_tls13_kdf_digest_check);
-    FIPS_SET_OPTION(fgbl, fips_tls1_prf_digest_check);
-    FIPS_SET_OPTION(fgbl, fips_sshkdf_digest_check);
-    FIPS_SET_OPTION(fgbl, fips_sskdf_digest_check);
-    FIPS_SET_OPTION(fgbl, fips_x963kdf_digest_check);
-    FIPS_SET_OPTION(fgbl, fips_dsa_sign_disallowed);
-    FIPS_SET_OPTION(fgbl, fips_tdes_encrypt_disallowed);
-    FIPS_SET_OPTION(fgbl, fips_rsa_pkcs15_padding_disabled);
-    FIPS_SET_OPTION(fgbl, fips_rsa_pss_saltlen_check);
-    FIPS_SET_OPTION(fgbl, fips_rsa_sign_x931_disallowed);
-    FIPS_SET_OPTION(fgbl, fips_hkdf_key_check);
-    FIPS_SET_OPTION(fgbl, fips_kbkdf_key_check);
-    FIPS_SET_OPTION(fgbl, fips_tls13_kdf_key_check);
-    FIPS_SET_OPTION(fgbl, fips_tls1_prf_key_check);
-    FIPS_SET_OPTION(fgbl, fips_sshkdf_key_check);
-    FIPS_SET_OPTION(fgbl, fips_sskdf_key_check);
-    FIPS_SET_OPTION(fgbl, fips_x963kdf_key_check);
-    FIPS_SET_OPTION(fgbl, fips_pbkdf2_lower_bound_check);
-    FIPS_SET_OPTION(fgbl, fips_ecdh_cofactor_check);
-#undef FIPS_SET_OPTION
+#include "fips_indicator_params.inc"
+#undef OSSL_FIPS_PARAM
 
     ossl_prov_cache_exported_algorithms(fips_ciphers, exported_fips_ciphers);
 
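Review bot: An option string other than "0" or "1" still reaches `goto err` in the macro without recording that a configuration value was rejected. Failing closed is the right outcome, but with the per-option call sites gone the macro is the only place left to make it diagnosable. I would change the last branch to `else { ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CONFIG_DATA); goto err; }`. Whether the `err` path raises anything itself is not visible here, since OSSL_provider_init_int starts and ends outside the hunk.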
@@ -1191,46 +972,16 @@ int BIO_snprintf(char *buf, size_t n, const char *format, ...)
     return ret;
 }
 
-#define FIPS_FEATURE_CHECK(fname, field)                                    \
-    int fname(OSSL_LIB_CTX *libctx)                                         \
-    {                                                                       \
-        FIPS_GLOBAL *fgbl =                                                 \
-            ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_FIPS_PROV_INDEX);    \
-        return fgbl->field.enabled;                                         \
+#define OSSL_FIPS_PARAM(structname, paramname, unused)                         \
+    int ossl_fips_config_##structname(OSSL_LIB_CTX *libctx)                    \
+    {                                                                          \
+        FIPS_GLOBAL *fgbl =                                                    \
+            ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_FIPS_PROV_INDEX);       \
+                                                                               \
+        return fgbl->fips_##structname.enabled;                                \
     }
-
-FIPS_FEATURE_CHECK(FIPS_security_check_enabled, fips_security_checks)
-FIPS_FEATURE_CHECK(FIPS_tls_prf_ems_check, fips_tls1_prf_ems_check)
-FIPS_FEATURE_CHECK(FIPS_no_short_mac, fips_no_short_mac)
-FIPS_FEATURE_CHECK(FIPS_hmac_key_check, fips_hmac_key_check)
-FIPS_FEATURE_CHECK(FIPS_kmac_key_check, fips_kmac_key_check)
-FIPS_FEATURE_CHECK(FIPS_restricted_drbg_digests_enabled,
-                   fips_restricted_drgb_digests)
-FIPS_FEATURE_CHECK(FIPS_fips_signature_digest_check, fips_signature_digest_check)
-FIPS_FEATURE_CHECK(FIPS_hkdf_digest_check, fips_hkdf_digest_check)
-FIPS_FEATURE_CHECK(FIPS_tls13_kdf_digest_check, fips_tls13_kdf_digest_check)
-FIPS_FEATURE_CHECK(FIPS_tls1_prf_digest_check, fips_tls1_prf_digest_check)
-FIPS_FEATURE_CHECK(FIPS_sshkdf_digest_check, fips_sshkdf_digest_check)
-FIPS_FEATURE_CHECK(FIPS_sskdf_digest_check, fips_sskdf_digest_check)
-FIPS_FEATURE_CHECK(FIPS_x963kdf_digest_check, fips_x963kdf_digest_check)
-FIPS_FEATURE_CHECK(FIPS_dsa_sign_check, fips_dsa_sign_disallowed)
-FIPS_FEATURE_CHECK(FIPS_tdes_encrypt_check, fips_tdes_encrypt_disallowed)
-FIPS_FEATURE_CHECK(FIPS_rsa_pkcs15_padding_disabled,
-                   fips_rsa_pkcs15_padding_disabled)
-FIPS_FEATURE_CHECK(FIPS_rsa_pss_saltlen_check, fips_rsa_pss_saltlen_check)
-FIPS_FEATURE_CHECK(FIPS_rsa_sign_x931_disallowed,
-                   fips_rsa_sign_x931_disallowed)
-FIPS_FEATURE_CHECK(FIPS_hkdf_key_check, fips_hkdf_key_check)
-FIPS_FEATURE_CHECK(FIPS_kbkdf_key_check, fips_kbkdf_key_check)
-FIPS_FEATURE_CHECK(FIPS_tls13_kdf_key_check, fips_tls13_kdf_key_check)
-FIPS_FEATURE_CHECK(FIPS_tls1_prf_key_check, fips_tls1_prf_key_check)
-FIPS_FEATURE_CHECK(FIPS_sshkdf_key_check, fips_sshkdf_key_check)
-FIPS_FEATURE_CHECK(FIPS_sskdf_key_check, fips_sskdf_key_check)
-FIPS_FEATURE_CHECK(FIPS_x963kdf_key_check, fips_x963kdf_key_check)
-FIPS_FEATURE_CHECK(FIPS_pbkdf2_lower_bound_check, fips_pbkdf2_lower_bound_check)
-FIPS_FEATURE_CHECK(FIPS_ecdh_cofactor_check, fips_ecdh_cofactor_check)
-
-#undef FIPS_FEATURE_CHECK
+#include "fips_indicator_params.inc"
+#undef OSSL_FIPS_PARAM
 
 void OSSL_SELF_TEST_get_callback(OSSL_LIB_CTX *libctx, OSSL_CALLBACK **cb,
                                  void **cbarg)
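Review bot: The accessor functions are now spelled only as `ossl_fips_config_##structname`, so searching for a name such as `ossl_fips_config_hkdf_key_check` (used in hkdf.c later in this commit) finds callers but no definition. A short comment above the macro would restore that trail: `/* Defines int ossl_fips_config_<structname>(OSSL_LIB_CTX *) for each entry in fips_indicator_params.inc; prototypes are generated in fipscommon.h */`. The third macro argument is named `unused` here and `initvalue` elsewhere in the file; a single name throughout would read more easily.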
similarity index 99%
rename from providers/common/include/prov/fipsindicator.h
rename to providers/fips/include/fips/fipsindicator.h
index 8f97bc35d9060122ab9b4ebacaea521e93633056..405b800dbcfd841f95a9cfdfb22bb3474d5af7d4 100644 (file)
@@ -13,6 +13,7 @@
 # include <openssl/indicator.h>
 # include "crypto/types.h"
 # include <openssl/ec.h>
+# include "fipscommon.h"
 
 /*
  * There may be multiple settables associated with an algorithm that allow
diff --git a/providers/fips/include/fips_indicator_params.inc b/providers/fips/include/fips_indicator_params.inc
new file mode 100644 (file)
index 0000000..c1d12c3
--- /dev/null
@@ -0,0 +1,27 @@
+OSSL_FIPS_PARAM(security_checks, SECURITY_CHECKS, 1)
+OSSL_FIPS_PARAM(tls1_prf_ems_check, TLS1_PRF_EMS_CHECK, 0)
+OSSL_FIPS_PARAM(no_short_mac, NO_SHORT_MAC, 1)
+OSSL_FIPS_PARAM(hmac_key_check, HMAC_KEY_CHECK, 0)
+OSSL_FIPS_PARAM(kmac_key_check, KMAC_KEY_CHECK, 0)
+OSSL_FIPS_PARAM(restricted_drbg_digests, DRBG_TRUNC_DIGEST, 0)
+OSSL_FIPS_PARAM(signature_digest_check, SIGNATURE_DIGEST_CHECK, 0)
+OSSL_FIPS_PARAM(hkdf_digest_check, HKDF_DIGEST_CHECK, 0)
+OSSL_FIPS_PARAM(tls13_kdf_digest_check, TLS13_KDF_DIGEST_CHECK, 0)
+OSSL_FIPS_PARAM(tls1_prf_digest_check, TLS1_PRF_DIGEST_CHECK, 0)
+OSSL_FIPS_PARAM(sshkdf_digest_check, SSHKDF_DIGEST_CHECK, 0)
+OSSL_FIPS_PARAM(sskdf_digest_check, SSKDF_DIGEST_CHECK, 0)
+OSSL_FIPS_PARAM(x963kdf_digest_check, X963KDF_DIGEST_CHECK, 0)
+OSSL_FIPS_PARAM(dsa_sign_disallowed, DSA_SIGN_DISABLED, 0)
+OSSL_FIPS_PARAM(tdes_encrypt_disallowed, TDES_ENCRYPT_DISABLED, 0)
+OSSL_FIPS_PARAM(rsa_pkcs15_padding_disabled, RSA_PKCS15_PAD_DISABLED, 0)
+OSSL_FIPS_PARAM(rsa_pss_saltlen_check, RSA_PSS_SALTLEN_CHECK, 0)
+OSSL_FIPS_PARAM(rsa_sign_x931_disallowed, RSA_SIGN_X931_PAD_DISABLED, 0)
+OSSL_FIPS_PARAM(hkdf_key_check, HKDF_KEY_CHECK, 0)
+OSSL_FIPS_PARAM(kbkdf_key_check, KBKDF_KEY_CHECK, 0)
+OSSL_FIPS_PARAM(tls13_kdf_key_check, TLS13_KDF_KEY_CHECK, 0)
+OSSL_FIPS_PARAM(tls1_prf_key_check, TLS1_PRF_KEY_CHECK, 0)
+OSSL_FIPS_PARAM(sshkdf_key_check, SSHKDF_KEY_CHECK, 0)
+OSSL_FIPS_PARAM(sskdf_key_check, SSKDF_KEY_CHECK, 0)
+OSSL_FIPS_PARAM(x963kdf_key_check, X963KDF_KEY_CHECK, 0)
+OSSL_FIPS_PARAM(pbkdf2_lower_bound_check, PBKDF2_LOWER_BOUND_CHECK, 1)
+OSSL_FIPS_PARAM(ecdh_cofactor_check, ECDH_COFACTOR_CHECK, 0)
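Review bot: The list has no header comment, although its third column is the value passed to `init_fips_option()` in ossl_fips_prov_ossl_ctx_new. As far as these hunks show, that makes it the setting each check keeps when the configuration does not name it. Only `security_checks`, `no_short_mac` and `pbkdf2_lower_bound_check` start at 1, so this file is now the single place where those defaults can be changed. I would document the columns at the top, for example `/* OSSL_FIPS_PARAM(FIPS_GLOBAL field suffix, OSSL_PROV_PARAM_ name suffix, default: 1 = enabled) */`, and add the usual licence header.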
diff --git a/providers/fips/include/fips_selftest_params.inc b/providers/fips/include/fips_selftest_params.inc
new file mode 100644 (file)
index 0000000..df942d9
--- /dev/null
@@ -0,0 +1,3 @@
+OSSL_FIPS_PARAM(module_filename, OSSL_PROV_PARAM_CORE_MODULE_FILENAME)
+OSSL_FIPS_PARAM(module_checksum_data, OSSL_PROV_FIPS_PARAM_MODULE_MAC)
+OSSL_FIPS_PARAM(conditional_error_check, OSSL_PROV_FIPS_PARAM_CONDITIONAL_ERRORS)
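Review bot: This list reuses the macro name `OSSL_FIPS_PARAM` with two arguments and a full parameter name, while fips_indicator_params.inc uses three arguments and a suffix that is pasted onto `OSSL_PROV_PARAM_`. Two lists with different shapes under one macro name are easy to include under the wrong definition, and the only symptom is an arity error at the include site. A distinct name would make the difference explicit, e.g. `OSSL_FIPS_SELFTEST_PARAM(module_filename, OSSL_PROV_PARAM_CORE_MODULE_FILENAME)`, with the matching `#define` in fips_get_params_from_core.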
diff --git a/providers/fips/include/fipscommon.h b/providers/fips/include/fipscommon.h
new file mode 100644 (file)
index 0000000..1a89b4f
--- /dev/null
@@ -0,0 +1,18 @@
+/*
+ * Copyright 2023 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifdef FIPS_MODULE
+# include <openssl/types.h>
+
+# define OSSL_FIPS_PARAM(structname, paramname, unused) \
+    int ossl_fips_config_##structname(OSSL_LIB_CTX *libctx);
+# include "fips_indicator_params.inc"
+# undef OSSL_FIPS_PARAM
+
+#endif
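Review bot: The new header has no include guard; `#ifdef FIPS_MODULE` only selects the build. According to the commit message it is now pulled in through fipsindicator.h and securitycheck.h, so most provider sources include it, possibly more than once. Each inclusion re-expands the prototype list and also `#undef`s any `OSSL_FIPS_PARAM` the including file had defined beforehand. Wrapping the contents in `#ifndef OSSL_PROV_FIPSCOMMON_H` / `# define OSSL_PROV_FIPSCOMMON_H` … `#endif` (guard name to follow the project's convention) avoids both.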
index 9a6c3032fe79dd8be88d0fc0ba2141ed2a3b6265..452210bf089d8437b3e0aaeb3447f7eb0c03a606 100644 (file)
@@ -30,8 +30,6 @@
 #include "prov/implementations.h"
 #include "prov/providercommon.h"
 #include "prov/securitycheck.h"
-#include "prov/fipsindicator.h"
-
 #include <stdlib.h>
 
 static OSSL_FUNC_asym_cipher_newctx_fn rsa_newctx;
@@ -164,7 +162,7 @@ static int rsa_encrypt(void *vprsactx, unsigned char *out, size_t *outlen,
         && !OSSL_FIPS_IND_ON_UNAPPROVED(prsactx, OSSL_FIPS_IND_SETTABLE1,
                                         prsactx->libctx, "RSA Encrypt",
                                         "PKCS#1 v1.5 padding",
-                                        FIPS_rsa_pkcs15_padding_disabled)) {
+                                        ossl_fips_config_rsa_pkcs15_padding_disabled)) {
         ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE);
         return 0;
     }
@@ -473,10 +471,10 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
 
     if (!OSSL_FIPS_IND_SET_CTX_PARAM(prsactx, OSSL_FIPS_IND_SETTABLE0, params,
                                      OSSL_ASYM_CIPHER_PARAM_FIPS_KEY_CHECK))
-        return  0;
+        return 0;
     if (!OSSL_FIPS_IND_SET_CTX_PARAM(prsactx, OSSL_FIPS_IND_SETTABLE1, params,
-                                     OSSL_ASYM_CIPHER_PARAM_PKCS15_PADDING_DISABLED))
-        return  0;
+                                     OSSL_ASYM_CIPHER_PARAM_FIPS_RSA_PKCS15_PAD_DISABLED))
+        return 0;
 
     p = OSSL_PARAM_locate_const(params, OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST);
     if (p != NULL) {
@@ -615,7 +613,7 @@ static const OSSL_PARAM known_settable_ctx_params[] = {
     OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION, NULL),
     OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION, NULL),
     OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_ASYM_CIPHER_PARAM_FIPS_KEY_CHECK)
-    OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_ASYM_CIPHER_PARAM_PKCS15_PADDING_DISABLED)
+    OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_ASYM_CIPHER_PARAM_FIPS_RSA_PKCS15_PAD_DISABLED)
     OSSL_PARAM_END
 };
 
index d0bd79b7118cfe6829d8b4d7c5c4ae9c3311b19c..a8907a7c7024a630706bb848a9dc9394076dcaf2 100644 (file)
@@ -9,8 +9,8 @@
 
 #include <openssl/des.h>
 #include <openssl/core_dispatch.h>
+#include "prov/securitycheck.h"
 #include "crypto/des_platform.h"
-#include "prov/fipsindicator.h"
 
 #define DES_BLOCK_SIZE 8
 #define TDES_IVLEN 8
index 60f0707951d9928882393e705cc3adabf1df60fb..cf8bf936cf196def04a2b45835f99e73bc3aa77f 100644 (file)
@@ -19,7 +19,6 @@
 #include "cipher_tdes.h"
 #include "prov/implementations.h"
 #include "prov/providercommon.h"
-#include "prov/fipscommon.h"
 
 void *ossl_tdes_newctx(void *provctx, int mode, size_t kbits, size_t blkbits,
                        size_t ivbits, uint64_t flags, const PROV_CIPHER_HW *hw)
@@ -70,7 +69,7 @@ static int tdes_encrypt_check_approved(PROV_TDES_CTX *ctx, int enc)
     if (enc && !OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE0,
                                             ctx->base.libctx,
                                             "Triple-DES", "Encryption",
-                                            FIPS_tdes_encrypt_check))
+                                            ossl_fips_config_tdes_encrypt_disallowed))
         return 0;
     return 1;
 }
index 753bc79f83cdcfdc5bddf275f99ed0e65cc08d83..2c054bb992121107e5d21d9e4d399cd8e3b9e277 100644 (file)
@@ -25,7 +25,6 @@
 #include "prov/implementations.h"
 #include "prov/provider_ctx.h"
 #include "prov/securitycheck.h"
-#include "prov/fipsindicator.h"
 #include "crypto/dh.h"
 
 static OSSL_FUNC_keyexch_newctx_fn dh_newctx;
@@ -104,7 +103,7 @@ static int dh_check_key(PROV_DH_CTX *ctx)
     if (!key_approved) {
         if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE0,
                                          ctx->libctx, "DH Init", "DH Key",
-                                         ossl_securitycheck_enabled)) {
+                                         ossl_fips_config_securitycheck_enabled)) {
             ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
             return 0;
         }
index b6ec8d99133e993cc62199520735447f59c4e51c..39307e4e1e913b2dfc450e61bda9c2f8fae76cbc 100644 (file)
@@ -26,7 +26,6 @@
 #include "prov/providercommon.h"
 #include "prov/implementations.h"
 #include "prov/securitycheck.h"
-#include "prov/fipsindicator.h"
 #include "crypto/ec.h" /* ossl_ecdh_kdf_X9_63() */
 
 static OSSL_FUNC_keyexch_newctx_fn ecdh_newctx;
@@ -550,7 +549,7 @@ int ecdh_plain_derive(void *vpecdhctx, unsigned char *secret,
     if (has_cofactor && !cofactor_approved) {
         if (!OSSL_FIPS_IND_ON_UNAPPROVED(pecdhctx, OSSL_FIPS_IND_SETTABLE2,
                                          pecdhctx->libctx, "ECDH", "Cofactor",
-                                         FIPS_ecdh_cofactor_check)) {
+                                         ossl_fips_config_ecdh_cofactor_check)) {
             ERR_raise(ERR_LIB_PROV, PROV_R_COFACTOR_REQUIRED);
             return 0;
         }
index cae2feb5519ee93ca371dd319a41160f917523f3..04bda300ce334e5aa9f9c27ae556cadf837121b5 100644 (file)
@@ -17,8 +17,7 @@
 #include "crypto/ecx.h"
 #include "prov/implementations.h"
 #include "prov/providercommon.h"
-#include "prov/fipsindicator.h"
-#include "prov/fipscommon.h"
+#include "prov/securitycheck.h"
 
 static OSSL_FUNC_keyexch_newctx_fn x25519_newctx;
 static OSSL_FUNC_keyexch_newctx_fn x448_newctx;
index 64a3e8f05e0fd86be264eede8ef0857ac4c12522..587a9f43a87a33d80f992c7dc607d9fe2e16cdd5 100644 (file)
@@ -30,8 +30,6 @@
 #include "prov/implementations.h"
 #include "prov/provider_util.h"
 #include "prov/securitycheck.h"
-#include "prov/fipscommon.h"
-#include "prov/fipsindicator.h"
 #include "internal/e_os.h"
 #include "internal/params.h"
 
@@ -203,7 +201,7 @@ static int fips_hkdf_key_check_passed(KDF_HKDF *ctx)
     if (!key_approved) {
         if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE0,
                                          libctx, "HKDF", "Key size",
-                                         FIPS_hkdf_key_check)) {
+                                         ossl_fips_config_hkdf_key_check)) {
             ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
             return 0;
         }
@@ -756,7 +754,7 @@ static int fips_tls1_3_digest_check_passed(KDF_HKDF *ctx, const EVP_MD *md)
     if (digest_unapproved) {
         if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE0,
                                          libctx, "TLS13 KDF", "Digest",
-                                         FIPS_tls13_kdf_digest_check)) {
+                                         ossl_fips_config_tls13_kdf_digest_check)) {
             ERR_raise(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED);
             return 0;
         }
@@ -792,7 +790,7 @@ static int fips_tls1_3_key_check_passed(KDF_HKDF *ctx)
     if (!key_approved) {
         if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE1,
                                          libctx, "TLS13 KDF", "Key size",
-                                         FIPS_tls13_kdf_key_check)) {
+                                         ossl_fips_config_tls13_kdf_key_check)) {
             ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
             return 0;
         }
index 4dd8fe6f8731d65c711547c172339588062c170a..7f767948b07bcf6137de0f3934b253a0828d7a63 100644 (file)
@@ -44,9 +44,6 @@
 #include "prov/provider_util.h"
 #include "prov/providercommon.h"
 #include "prov/securitycheck.h"
-#include "prov/fipscommon.h"
-#include "prov/fipsindicator.h"
-
 #include "internal/e_os.h"
 #include "internal/params.h"
 
@@ -197,7 +194,7 @@ static int fips_kbkdf_key_check_passed(KBKDF *ctx)
     if (!key_approved) {
         if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE0,
                                          libctx, "KBKDF", "Key size",
-                                         FIPS_kbkdf_key_check)) {
+                                         ossl_fips_config_kbkdf_key_check)) {
             ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
             return 0;
         }
index 2ee637ec4337d2ed11e880f98fceaa8e67059d7a..1c94ece4942459c7a0adc0b0b6cba043da187a30 100644 (file)
@@ -28,8 +28,7 @@
 #include "prov/providercommon.h"
 #include "prov/implementations.h"
 #include "prov/provider_util.h"
-#include "prov/fipscommon.h"
-#include "prov/fipsindicator.h"
+#include "prov/securitycheck.h"
 #include "pbkdf2.h"
 
 /* Constants specified in SP800-132 */
@@ -217,7 +216,7 @@ static int fips_lower_bound_check_passed(KDF_PBKDF2 *ctx, size_t keylen)
     if (!approved) {
         if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE0, libctx,
                                          "PBKDF2", desc,
-                                         FIPS_pbkdf2_lower_bound_check)) {
+                                         ossl_fips_config_pbkdf2_lower_bound_check)) {
             ERR_raise(ERR_LIB_PROV, error);
             return 0;
         }
index fd77dabcb7fa8044c5a0996c1811ecbb91c57622..c1d3066951cbb9cc3e9bfbe1d294d8e4e91a29d1 100644 (file)
@@ -22,8 +22,6 @@
 #include "prov/implementations.h"
 #include "prov/provider_util.h"
 #include "prov/securitycheck.h"
-#include "prov/fipscommon.h"
-#include "prov/fipsindicator.h"
 
 /* See RFC 4253, Section 7.2 */
 static OSSL_FUNC_kdf_newctx_fn kdf_sshkdf_new;
@@ -146,7 +144,7 @@ static int fips_digest_check_passed(KDF_SSHKDF *ctx, const EVP_MD *md)
     if (digest_unapproved) {
         if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE0,
                                          libctx, "SSHKDF", "Digest",
-                                         FIPS_sshkdf_digest_check)) {
+                                         ossl_fips_config_sshkdf_digest_check)) {
             ERR_raise(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED);
             return 0;
         }
@@ -162,7 +160,7 @@ static int fips_key_check_passed(KDF_SSHKDF *ctx)
     if (!key_approved) {
         if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE1,
                                          libctx, "SSHKDF", "Key size",
-                                         FIPS_sshkdf_key_check)) {
+                                         ossl_fips_config_sshkdf_key_check)) {
             ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
             return 0;
         }
index 4bdb4e039c0bba7b92ce974e0543bf07abb44d93..ce9d0a71505038eb3062746ac8a77cbb65243bce 100644 (file)
@@ -51,8 +51,6 @@
 #include "prov/implementations.h"
 #include "prov/provider_util.h"
 #include "prov/securitycheck.h"
-#include "prov/fipscommon.h"
-#include "prov/fipsindicator.h"
 #include "internal/params.h"
 
 typedef struct {
@@ -403,7 +401,7 @@ static int fips_sskdf_key_check_passed(KDF_SSKDF *ctx)
     if (!key_approved) {
         if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE0,
                                          libctx, "SSKDF", "Key size",
-                                         FIPS_sskdf_key_check)) {
+                                         ossl_fips_config_sskdf_key_check)) {
             ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
             return 0;
         }
@@ -496,7 +494,7 @@ static int fips_x963kdf_digest_check_passed(KDF_SSKDF *ctx, const EVP_MD *md)
     if (digest_unapproved) {
         if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE0,
                                          libctx, "X963KDF", "Digest",
-                                         FIPS_x963kdf_digest_check)) {
+                                         ossl_fips_config_x963kdf_digest_check)) {
             ERR_raise(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED);
             return 0;
         }
@@ -512,7 +510,7 @@ static int fips_x963kdf_key_check_passed(KDF_SSKDF *ctx)
     if (!key_approved) {
         if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE1,
                                          libctx, "X963KDF", "Key size",
-                                         FIPS_x963kdf_key_check)) {
+                                         ossl_fips_config_x963kdf_key_check)) {
             ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
             return 0;
         }
index a82e4573d4dfe546365c7a62eac4075415309722..451d8a818f835436a6eb63cbab03bd90f9f22e3d 100644 (file)
@@ -68,8 +68,6 @@
 #include "prov/implementations.h"
 #include "prov/provider_util.h"
 #include "prov/securitycheck.h"
-#include "prov/fipscommon.h"
-#include "prov/fipsindicator.h"
 #include "internal/e_os.h"
 #include "internal/safe_math.h"
 
@@ -196,7 +194,7 @@ static int fips_ems_check_passed(TLS1_PRF *ctx)
     if (!ems_approved) {
         if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE0,
                                          libctx, "TLS_PRF", "EMS",
-                                         FIPS_tls_prf_ems_check)) {
+                                         ossl_fips_config_tls1_prf_ems_check)) {
             ERR_raise(ERR_LIB_PROV, PROV_R_EMS_NOT_ENABLED);
             return 0;
         }
@@ -221,7 +219,7 @@ static int fips_digest_check_passed(TLS1_PRF *ctx, const EVP_MD *md)
     if (digest_unapproved) {
         if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE1,
                                          libctx, "TLS_PRF", "Digest",
-                                         FIPS_tls1_prf_digest_check)) {
+                                         ossl_fips_config_tls1_prf_digest_check)) {
             ERR_raise(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED);
             return 0;
         }
@@ -237,7 +235,7 @@ static int fips_key_check_passed(TLS1_PRF *ctx)
     if (!key_approved) {
         if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE2,
                                          libctx, "TLS_PRF", "Key size",
-                                         FIPS_tls1_prf_key_check)) {
+                                         ossl_fips_config_tls1_prf_key_check)) {
             ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
             return 0;
         }
index 28925b7d1339f13f3da1825ee5c6910287b0bbb4..6dfc9920966f17d21c42595b39d707793a839aec 100644 (file)
@@ -13,7 +13,6 @@
  */
 #include "internal/deprecated.h"
 #include "internal/nelem.h"
-
 #include <openssl/crypto.h>
 #include <openssl/evp.h>
 #include <openssl/core_dispatch.h>
 #include <openssl/rsa.h>
 #include <openssl/params.h>
 #include <openssl/err.h>
-#include "crypto/rsa.h"
 #include <openssl/proverr.h>
-#include "internal/nelem.h"
+#include "crypto/rsa.h"
 #include "prov/provider_ctx.h"
 #include "prov/implementations.h"
 #include "prov/securitycheck.h"
-#include "prov/fipsindicator.h"
 
 static OSSL_FUNC_kem_newctx_fn rsakem_newctx;
 static OSSL_FUNC_kem_encapsulate_init_fn rsakem_encapsulate_init;
index 7e084d62ee20ea6a02a5bdd26cf99601b1ed5fd1..c3dfcee406d1fe3cb22582d6ea883066009c3f7a 100644 (file)
@@ -17,9 +17,8 @@
 #include <openssl/core_names.h>
 #include <openssl/bn.h>
 #include <openssl/err.h>
+#include "prov/securitycheck.h"
 #include "prov/providercommon.h"
-#include "prov/fipsindicator.h"
-#include "prov/fipscommon.h"
 #include "prov/implementations.h"
 #include "prov/provider_ctx.h"
 #include "crypto/dsa.h"
@@ -610,7 +609,7 @@ static void *dsa_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg)
      */
     if (!OSSL_FIPS_IND_ON_UNAPPROVED(gctx, OSSL_FIPS_IND_SETTABLE0,
                                      gctx->libctx, "DSA", "Keygen",
-                                     FIPS_dsa_sign_check))
+                                     ossl_fips_config_dsa_sign_disallowed))
         return 0;
 #endif
 
index 8539b05a62320216cbb4556cb8cbccc6ff778508..693cb9ec20ce2692ff270e93126c24e239dde730 100644 (file)
@@ -26,7 +26,6 @@
 #include "prov/providercommon.h"
 #include "prov/provider_ctx.h"
 #include "prov/securitycheck.h"
-#include "prov/fipsindicator.h"
 #include "internal/param_build_set.h"
 
 #ifndef FIPS_MODULE
@@ -1311,7 +1310,7 @@ static void *ec_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg)
     if (!ossl_ec_check_security_strength(gctx->gen_group, 1)) {
         if (!OSSL_FIPS_IND_ON_UNAPPROVED(gctx, OSSL_FIPS_IND_SETTABLE0,
                                          gctx->libctx, "EC KeyGen", "key size",
-                                         ossl_securitycheck_enabled)) {
+                                         ossl_fips_config_securitycheck_enabled)) {
             ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
             goto err;
         }
index 1f1ab0630110f40422f3fd3962798bf01214e808..958fc37a47f5f6a462618f4284a4bab0dce316ab 100644 (file)
@@ -24,8 +24,7 @@
 #include "prov/providercommon.h"
 #include "prov/provider_ctx.h"
 #include "prov/ecx.h"
-#include "prov/fipsindicator.h"
-#include "prov/fipscommon.h"
+#include "prov/securitycheck.h"
 #ifdef S390X_EC_ASM
 # include "s390x_arch.h"
 # include <openssl/sha.h>   /* For SHA512_DIGEST_LENGTH */
index 39ab09172bb09e8889cf2d8f513ebde1ea7679a4..7dbca4fa6a237fb5a14b5ddb341769b1b1f88dcc 100644 (file)
 #include <openssl/err.h>
 #include <openssl/proverr.h>
 
+#include "prov/securitycheck.h"
 #include "prov/implementations.h"
 #include "prov/provider_ctx.h"
 #include "prov/provider_util.h"
 #include "prov/providercommon.h"
-#include "prov/fipscommon.h"
-#include "prov/fipsindicator.h"
 #include "crypto/cmac.h"
 
 /*
@@ -138,7 +137,7 @@ static int tdes_check_param(struct cmac_data_st *macctx, OSSL_PARAM *p,
     if (EVP_CIPHER_is_a(cipher, "DES-EDE3-CBC")) {
         if (!OSSL_FIPS_IND_ON_UNAPPROVED(macctx, OSSL_FIPS_IND_SETTABLE0,
                                          libctx, "CMAC", "Triple-DES",
-                                         FIPS_tdes_encrypt_check))
+                                         ossl_fips_config_tdes_encrypt_disallowed))
             return 0;
         OSSL_FIPS_IND_GET_PARAM(macctx, p, state, OSSL_FIPS_IND_SETTABLE0,
                                 OSSL_CIPHER_PARAM_FIPS_ENCRYPT_CHECK)
index d871a85033c898526eab6bee21db3a0da7daf180..d05e5b4e6ae4247762736f0c0100229db4c79675 100644 (file)
@@ -29,9 +29,7 @@
 #include "prov/provider_ctx.h"
 #include "prov/provider_util.h"
 #include "prov/providercommon.h"
-#include "prov/fipsindicator.h"
 #include "prov/securitycheck.h"
-#include "prov/fipscommon.h"
 
 /*
  * Forward declaration of everything implemented here.  This is not strictly
@@ -171,7 +169,7 @@ static int hmac_setkey(struct hmac_data_st *macctx,
         if (!approved) {
             if (!OSSL_FIPS_IND_ON_UNAPPROVED(macctx, OSSL_FIPS_IND_SETTABLE0,
                                              libctx, "HMAC", "keysize",
-                                             FIPS_hmac_key_check)) {
+                                             ossl_fips_config_hmac_key_check)) {
                 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
                 return 0;
             }
index 44b7022e652014fdb75e97657e0a571e272581fa..ad6753235aa73b81d68d6779e84ea6dd0d2e8b8d 100644 (file)
 #include <openssl/err.h>
 #include <openssl/proverr.h>
 #include <openssl/fips_names.h>
-
+#include "prov/securitycheck.h"
 #include "prov/implementations.h"
 #include "prov/provider_ctx.h"
 #include "prov/provider_util.h"
 #include "prov/providercommon.h"
-#include "prov/fipscommon.h"
-#include "prov/fipsindicator.h"
-#include "prov/securitycheck.h"
 #include "internal/cryptlib.h" /* ossl_assert */
 
 /*
@@ -284,7 +281,7 @@ static int kmac_setkey(struct kmac_data_st *kctx, const unsigned char *key,
             if (!OSSL_FIPS_IND_ON_UNAPPROVED(kctx, OSSL_FIPS_IND_SETTABLE1,
                                              PROV_LIBCTX_OF(kctx->provctx),
                                              "KMAC", "Key size",
-                                             FIPS_kmac_key_check)) {
+                                             ossl_fips_config_kmac_key_check)) {
                 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
                 return 0;
             }
@@ -483,7 +480,7 @@ static int kmac_set_ctx_params(void *vmacctx, const OSSL_PARAM *params)
             if (!OSSL_FIPS_IND_ON_UNAPPROVED(kctx, OSSL_FIPS_IND_SETTABLE0,
                                              PROV_LIBCTX_OF(kctx->provctx),
                                              "KMAC", "length",
-                                             &FIPS_no_short_mac)) {
+                                             ossl_fips_config_no_short_mac)) {
                 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_OUTPUT_LENGTH);
                 return 0;
             }
index c15c4606e62da84f1df43125384a3f3472e86bfe..825fe30214f01dbb414a7a1e77a8d48109590553 100644 (file)
@@ -21,7 +21,6 @@
 #include "crypto/rand_pool.h"
 #include "prov/provider_ctx.h"
 #include "prov/providercommon.h"
-#include "prov/fipscommon.h"
 #include "crypto/context.h"
 
 /*
@@ -1024,7 +1023,7 @@ int ossl_drbg_verify_digest(PROV_DRBG *drbg, OSSL_LIB_CTX *libctx,
     if (!approved) {
         if (!OSSL_FIPS_IND_ON_UNAPPROVED(drbg, OSSL_FIPS_IND_SETTABLE0,
                                          libctx, "DRBG", "Digest",
-                                         FIPS_restricted_drbg_digests_enabled)) {
+                                         ossl_fips_config_restricted_drbg_digests)) {
             ERR_raise(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED);
             return 0;
         }
index f8907a3193acf619d555233bf8a045173ba6cfa4..b78c7fbf3c927ab9ce3f13f0ef5a65a6f8f82fde 100644 (file)
@@ -18,7 +18,7 @@
 # include "internal/nelem.h"
 # include "internal/numbers.h"
 # include "prov/provider_ctx.h"
-# include "prov/fipsindicator.h"
+# include "prov/securitycheck.h"
 
 /* How many times to read the TSC as a randomness source. */
 # define TSC_READ_COUNT                 4
index 72e815bebf276be9441c351ed54feeee1356c615..948c04cdf65713cdd21930bd69bf17e4c8b8119e 100644 (file)
 #include <openssl/evp.h>
 #include <openssl/err.h>
 #include <openssl/randerr.h>
+#include "prov/securitycheck.h"
 #include "prov/providercommon.h"
 #include "prov/provider_ctx.h"
 #include "prov/provider_util.h"
 #include "prov/implementations.h"
-#include "prov/fipsindicator.h"
 
 static OSSL_FUNC_rand_newctx_fn test_rng_new;
 static OSSL_FUNC_rand_freectx_fn test_rng_free;
index 72b245049ffe0a6c537b403302a91e3e9fc70175..a4b8c21f76fee9bcde4a4447f1811e1855fb50dd 100644 (file)
@@ -30,7 +30,6 @@
 #include "prov/implementations.h"
 #include "prov/provider_ctx.h"
 #include "prov/securitycheck.h"
-#include "prov/fipsindicator.h"
 #include "crypto/dsa.h"
 #include "prov/der_dsa.h"
 
@@ -169,7 +168,7 @@ static int dsa_setup_md(PROV_DSA_CTX *ctx,
                                                  OSSL_FIPS_IND_SETTABLE1,
                                                  ctx->libctx, md_nid, sha1_allowed,
                                                  desc,
-                                                 &FIPS_fips_signature_digest_check))
+                                                 ossl_fips_config_signature_digest_check))
                 goto err;
         }
 #endif
@@ -223,7 +222,7 @@ static int dsa_sign_check_approved(PROV_DSA_CTX *ctx, int signing,
     if (signing
         && !OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE2,
                                         ctx->libctx, desc, "DSA",
-                                        FIPS_dsa_sign_check))
+                                        ossl_fips_config_dsa_sign_disallowed))
         return 0;
     return 1;
 }
@@ -235,7 +234,7 @@ static int dsa_check_key(PROV_DSA_CTX *ctx, int sign, const char *desc)
     if (!approved) {
         if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE0,
                                          ctx->libctx, desc, "DSA Key",
-                                         FIPS_fips_signature_digest_check)) {
+                                         ossl_fips_config_signature_digest_check)) {
             ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
             return 0;
         }
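Review bot: The key check in `dsa_check_key` is gated on `ossl_fips_config_signature_digest_check`, the same option passed by the digest checks in `dsa_setup_md`, `ecdsa_setup_md` and `rsa_setup_md`, although this call reports "DSA Key" and raises `PROV_R_INVALID_KEY_LENGTH`. The rename carries the old pairing over unchanged, so a configuration that relaxes the signature digest check would presumably relax this key check as well. If that coupling is intended, a comment above the call such as `/* key check deliberately shares the signature-digest-check option */` would record it. If it is not, the key-related option should be passed instead, as the `ec_gen` hunk does with `ossl_fips_config_securitycheck_enabled`. The body of `dsa_check_key` continues outside the hunk.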
index c9a23e7bc87e104aeeffc7812e492d6f85539721..1a58850b23f7915d02222dddefd762ef1bc91446 100644 (file)
@@ -30,7 +30,6 @@
 #include "prov/implementations.h"
 #include "prov/provider_ctx.h"
 #include "prov/securitycheck.h"
-#include "prov/fipsindicator.h"
 #include "crypto/ec.h"
 #include "prov/der_ec.h"
 
@@ -302,7 +301,7 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx, const char *mdname,
         if (!ossl_fips_ind_digest_sign_check(OSSL_FIPS_IND_GET(ctx),
                                              OSSL_FIPS_IND_SETTABLE1, ctx->libctx,
                                              md_nid, sha1_allowed, desc,
-                                             &FIPS_fips_signature_digest_check))
+                                             ossl_fips_config_signature_digest_check))
             goto err;
     }
 #endif
index 7aae2afa89bb02aba2c65b9cb07d6966b20139ad..29be3fcd3a6ddb9f61a67ecb20b73f5cb3b5d799 100644 (file)
@@ -18,6 +18,7 @@
 #include "internal/sizes.h"
 #include "prov/providercommon.h"
 #include "prov/implementations.h"
+#include "prov/securitycheck.h"
 #include "prov/provider_ctx.h"
 #include "prov/der_ecx.h"
 #include "crypto/ecx.h"
index f3764ab809ef0170daabefb76a5373481a96464b..2ca9c6589859b0fbb58e075e5ae53992d042606a 100644 (file)
@@ -32,7 +32,6 @@
 #include "prov/provider_ctx.h"
 #include "prov/der_rsa.h"
 #include "prov/securitycheck.h"
-#include "prov/fipsindicator.h"
 
 #define RSA_DEFAULT_DIGEST_NAME OSSL_DIGEST_NAME_SHA1
 
@@ -413,7 +412,7 @@ static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname,
                                                  OSSL_FIPS_IND_SETTABLE1,
                                                  ctx->libctx,
                                                  md_nid, sha1_allowed, desc,
-                                                 &FIPS_fips_signature_digest_check))
+                                                 ossl_fips_config_signature_digest_check))
                 goto err;
         }
 #endif
@@ -646,7 +645,7 @@ static int rsa_pss_saltlen_check_passed(PROV_RSA_CTX *ctx, const char *algoname,
         if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE3,
                                          ctx->libctx,
                                          algoname, "PSS Salt Length",
-                                         FIPS_rsa_pss_saltlen_check)) {
+                                         ossl_fips_config_rsa_pss_saltlen_check)) {
             ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH);
             return 0;
         }
@@ -1520,7 +1519,7 @@ static int rsa_x931_padding_allowed(PROV_RSA_CTX *ctx)
         if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE2,
                                          ctx->libctx,
                                          "RSA Sign set ctx", "X931 Padding",
-                                         FIPS_rsa_sign_x931_disallowed)) {
+                                         ossl_fips_config_rsa_sign_x931_disallowed)) {
             ERR_raise(ERR_LIB_PROV,
                       PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
             return 0;
index 7fd0ab331169dcb2f454da7310123ed2c732deb3..5ec0b93ca066ea273957bbc68f8c48d4c614d37d 100644 (file)
@@ -619,7 +619,8 @@ IF[{- !$disabled{tests} -}]
   DEPEND[recordlentest]=../libcrypto ../libssl libtestutil.a
 
   SOURCE[drbgtest]=drbgtest.c
-  INCLUDE[drbgtest]=../include ../apps/include ../providers/common/include
+  INCLUDE[drbgtest]=../include ../apps/include ../providers/common/include \
+                    ../providers/fips/include
   DEPEND[drbgtest]=../libcrypto.a libtestutil.a
 
   SOURCE[rand_status_test]=rand_status_test.c
index 4dc7da0768a97931e86620cca1fa7c54aceb9197..79b425962c9a2281d02f6fd9a1fd7d80828c84be 100644 (file)
@@ -50,7 +50,7 @@ my @commandline =
         ( 'x963kdf_digest_check',           'x963kdf-digest-check' ),
         ( 'dsa_sign_disabled',              'dsa-sign-disabled' ),
         ( 'tdes_encrypt_disabled',          'tdes-encrypt-disabled' ),
-        ( 'rsa_pkcs15_padding_disabled',    'rsa-pkcs15-padding-disabled' ),
+        ( 'rsa_pkcs15_pad_disabled',        'rsa-pkcs15-pad-disabled' ),
         ( 'rsa_pss_saltlen_check',          'rsa-pss-saltlen-check' ),
         ( 'rsa_sign_x931_disabled',         'rsa-sign-x931-pad-disabled' ),
         ( 'hkdf_key_check',                 'hkdf-key-check' ),
index 71db50c9c2a1f34d9554d4517eb2667683b0c338..95098e0264080d4df846df6471ebe1805a78423e 100644 (file)
@@ -161,7 +161,7 @@ unless ($no_fips) {
     my $fipsmodcfgnew = result_file($fipsmodcfgnew_filename);
     $ENV{OPENSSL_CONF_INCLUDE} = result_dir();
     ok(replace_kv_file($fipsmodcfg,
-                       'rsa-pkcs15-padding-disabled', '0',
+                       'rsa-pkcs15-pad-disabled', '0',
                        $fipsmodcfgnew)
        && replace_line_file($provconf,
                             $fipsmodcfg_filename, $fipsmodcfgnew_filename,
index 932e08530a2e8fb778cc1d5b3bc3220c19064aab..869d78b3fa51b075ad004a139fdb88bae4bb4e5e 100644 (file)
@@ -127,7 +127,7 @@ SKIP: {
                        'tls1-prf-ems-check', '0',
                        $fipsmodcfgtmp)
        && replace_kv_file($fipsmodcfgtmp,
-                          'rsa-pkcs15-padding-disabled', '0',
+                          'rsa-pkcs15-pad-disabled', '0',
                           $fipsmodcfgnew)
        && replace_line_file($provconf,
                             $fipsmodcfg_filename, $fipsmodcfgnew_filename,
index a8d1baf3b521519f63f19e9f16985111ab27192d..a6bc39c7d4669072c6c8172f75abddac4b3ee4af 100644 (file)
@@ -71,7 +71,7 @@ sshkdf-digest-check = $digest_check
 sskdf-digest-check = $digest_check
 x963kdf-digest-check = $digest_check
 tdes-encrypt-disabled = $tdes_encrypt_disabled
-rsa-pkcs15-padding-disabled = $pkcs15_pad_disable
+rsa-pkcs15-pad-disabled = $pkcs15_pad_disable
 rsa-pss-saltlen-check = $rsa_pss_saltlen_check
 rsa-sign-x931-pad-disabled = $rsa_sign_x931_pad_disabled
 hkdf-key-check = $kdf_key_check
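Review bot: The key emitted on this line changes from `rsa-pkcs15-padding-disabled` to `rsa-pkcs15-pad-disabled`, and nothing visible in the diff keeps the old spelling as an alias. If a configuration file with the old key exists outside the tree (the page does not show whether that name was ever released), the setting would presumably no longer match and the option would fall back to its default. Recording the rename outside the template text, e.g. `# rsa-pkcs15-pad-disabled was rsa-pkcs15-padding-disabled before this change`, and in the changelog would make that visible to operators. The template starts and ends outside the hunk.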
index c5d26ab743fdcbf9ea256ec462a7ed0fbcea46a7..0701064ccfcd67a36ae4809f48d7c76ad7caa8a3 100644 (file)
@@ -46,6 +46,7 @@ my %params = (
     'PROV_PARAM_TDES_ENCRYPT_DISABLED' =>  "tdes-encrypt-disabled",  # uint
     'PROV_PARAM_RSA_PSS_SALTLEN_CHECK' =>  "rsa-pss-saltlen-check",  # uint
     'PROV_PARAM_RSA_SIGN_X931_PAD_DISABLED' =>  "rsa-sign-x931-pad-disabled",   # uint
+    'PROV_PARAM_RSA_PKCS15_PAD_DISABLED' => "rsa-pkcs15-pad-disabled", # uint
     'PROV_PARAM_HKDF_KEY_CHECK' =>         "hkdf-key-check",         # uint
     'PROV_PARAM_KBKDF_KEY_CHECK' =>        "kbkdf-key-check",        # uint
     'PROV_PARAM_TLS13_KDF_KEY_CHECK' =>    "tls13-kdf-key-check",    # uint
@@ -55,6 +56,7 @@ my %params = (
     'PROV_PARAM_X963KDF_KEY_CHECK' =>      "x963kdf-key-check",      # uint
     'PROV_PARAM_PBKDF2_LOWER_BOUND_CHECK' => "pbkdf2-lower-bound-check", # uint
     'PROV_PARAM_ECDH_COFACTOR_CHECK' =>    "ecdh-cofactor-check",    # uint
+    'PROV_PARAM_SIGNATURE_DIGEST_CHECK' => "signature-digest-check", # uint
 
 # Self test callback parameters
     'PROV_PARAM_SELF_TEST_PHASE' =>  "st-phase",# utf8_string
@@ -188,6 +190,7 @@ my %params = (
     'MAC_PARAM_FIPS_NO_SHORT_MAC' =>'*PROV_PARAM_NO_SHORT_MAC',
     'MAC_PARAM_FIPS_KEY_CHECK' =>   '*PKEY_PARAM_FIPS_KEY_CHECK',
     'MAC_PARAM_FIPS_APPROVED_INDICATOR' => '*ALG_PARAM_FIPS_APPROVED_INDICATOR',
+    'MAC_PARAM_FIPS_NO_SHORT_MAC' => '*PROV_PARAM_NO_SHORT_MAC',
 
 # KDF / PRF parameters
     'KDF_PARAM_SECRET' =>       "secret",                   # octet string
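Review bot: The added `'MAC_PARAM_FIPS_NO_SHORT_MAC' => '*PROV_PARAM_NO_SHORT_MAC',` entry repeats a key that already appears three lines above it in the same `%params` list, with the same value. Perl keeps the last value for a repeated hash key and does not warn, so the output is unchanged today, but a later edit to only one of the two entries would take effect or be ignored depending on which one was touched. Drop the added line and keep the existing entry. The `%params` list starts and ends outside the hunk.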
@@ -473,7 +476,7 @@ my %params = (
     'ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION' =>       "tls-client-version",
     'ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION' =>   "tls-negotiated-version",
     'ASYM_CIPHER_PARAM_IMPLICIT_REJECTION' =>       "implicit-rejection",
-    'ASYM_CIPHER_PARAM_PKCS15_PADDING_DISABLED' =>  "pkcs15-padding-disabled",
+    'ASYM_CIPHER_PARAM_FIPS_RSA_PKCS15_PAD_DISABLED' => '*PROV_PARAM_RSA_PKCS15_PAD_DISABLED',
     'ASYM_CIPHER_PARAM_FIPS_KEY_CHECK' =>           '*PKEY_PARAM_FIPS_KEY_CHECK',
     'ASYM_CIPHER_PARAM_FIPS_APPROVED_INDICATOR' =>  '*ALG_PARAM_FIPS_APPROVED_INDICATOR',