From: Simo Sorce Date: Fri, 27 Feb 2026 22:44:31 +0000 (-0500) Subject: Generate FIPS parameter handling with Perl X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c6c992b95406d4e597a57219f34db7d29afe6806;p=thirdparty%2Fopenssl.git Generate FIPS parameter handling with Perl Replace the C preprocessor macros used for FIPS indicators and self-test parameters with a Perl-based code generation approach. This introduces `util/perl/OpenSSL/fipsparams.pm` and `providers/fips/fipsparams.inc.in` to generate the boilerplate code, simplifying `fipsprov.c` and reducing macro complexity. Co-authored-by: Gemini Signed-off-by: Simo Sorce Reviewed-by: Paul Dale Reviewed-by: Shane Lontis Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/30213) --- diff --git a/.gitignore b/.gitignore index 25ce225689d..94610e62d62 100644 --- a/.gitignore +++ b/.gitignore @@ -86,6 +86,7 @@ providers/common/include/prov/der_wrap.h providers/common/include/prov/der_sm2.h providers/common/include/prov/der_ml_dsa.h providers/common/include/prov/der_hkdf.h +providers/fips/fipsparams.inc providers/implementations/asymciphers/rsa_enc.inc providers/implementations/asymciphers/sm2_enc.inc providers/implementations/exchange/dh_exch.inc diff --git a/providers/fips/build.info b/providers/fips/build.info index f6f38e9f417..895c5e9d990 100644 --- a/providers/fips/build.info +++ b/providers/fips/build.info @@ -4,3 +4,7 @@ SOURCE[../libfips.a]=fipsprov.c self_test.c self_test_data.c self_test_kats.c fi # It is necessary to have an explicit entry point SOURCE[../fips]=fips_entry.c + +DEPEND[]=fipsparams.inc +DEPEND[fipsparams.inc]=../../util/perl|OpenSSL/fipsparams.pm +GENERATE[fipsparams.inc]=fipsparams.inc.in diff --git a/providers/fips/fipsparams.inc.in b/providers/fips/fipsparams.inc.in new file mode 100644 index 00000000000..9127cd6f6c6 --- /dev/null +++ b/providers/fips/fipsparams.inc.in @@ -0,0 +1,71 @@ +/* + * Copyright 2026 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/* + * Handles the loading of FIPS algorithm conditional options from a config file + * passed from the core using OSSL_PARAM. + * + * The perl function generates code that: + * + * Creates fields in a structure for each item in the list using the first + * parameter as the base name. + * + * Creates a function to properly initialize each field based on the last + * parameter in each line. + * + * Creates a function to retrieve the values from the core. + * + * Creates a function to convert the retrieved string values to integer booleans. + * + * Creates getter functions for each parameter. + */ +{- use OpenSSL::fipsparams qw(produce_fips_indicators); -} +{- produce_fips_indicators( + ['security_checks', 'OSSL_PROV_PARAM_SECURITY_CHECKS', '1'], + ['tls1_prf_ems_check', 'OSSL_PROV_PARAM_TLS1_PRF_EMS_CHECK', '0'], + ['no_short_mac', 'OSSL_PROV_PARAM_NO_SHORT_MAC', '1'], + ['hmac_key_check', 'OSSL_PROV_PARAM_HMAC_KEY_CHECK', '0'], + ['kmac_key_check', 'OSSL_PROV_PARAM_KMAC_KEY_CHECK', '0'], + ['restricted_drbg_digests', 'OSSL_PROV_PARAM_DRBG_TRUNC_DIGEST', '0'], + ['signature_digest_check', 'OSSL_PROV_PARAM_SIGNATURE_DIGEST_CHECK', '0'], + ['hkdf_digest_check', 'OSSL_PROV_PARAM_HKDF_DIGEST_CHECK', '0'], + ['tls13_kdf_digest_check', 'OSSL_PROV_PARAM_TLS13_KDF_DIGEST_CHECK', '0'], + ['tls1_prf_digest_check', 'OSSL_PROV_PARAM_TLS1_PRF_DIGEST_CHECK', '0'], + ['sshkdf_digest_check', 'OSSL_PROV_PARAM_SSHKDF_DIGEST_CHECK', '0'], + ['sskdf_digest_check', 'OSSL_PROV_PARAM_SSKDF_DIGEST_CHECK', '0'], + ['x963kdf_digest_check', 'OSSL_PROV_PARAM_X963KDF_DIGEST_CHECK', '0'], + ['dsa_sign_disallowed', 'OSSL_PROV_PARAM_DSA_SIGN_DISABLED', '0'], + ['tdes_encrypt_disallowed', 'OSSL_PROV_PARAM_TDES_ENCRYPT_DISABLED', '0'], + ['rsa_pkcs15_padding_disabled', 'OSSL_PROV_PARAM_RSA_PKCS15_PAD_DISABLED', '0'], + ['rsa_pss_saltlen_check', 'OSSL_PROV_PARAM_RSA_PSS_SALTLEN_CHECK', '0'], + ['rsa_sign_x931_disallowed', 'OSSL_PROV_PARAM_RSA_SIGN_X931_PAD_DISABLED', '0'], + ['hkdf_key_check', 'OSSL_PROV_PARAM_HKDF_KEY_CHECK', '0'], + ['kbkdf_key_check', 'OSSL_PROV_PARAM_KBKDF_KEY_CHECK', '0'], + ['tls13_kdf_key_check', 'OSSL_PROV_PARAM_TLS13_KDF_KEY_CHECK', '0'], + ['tls1_prf_key_check', 'OSSL_PROV_PARAM_TLS1_PRF_KEY_CHECK', '0'], + ['sshkdf_key_check', 'OSSL_PROV_PARAM_SSHKDF_KEY_CHECK', '0'], + ['sskdf_key_check', 'OSSL_PROV_PARAM_SSKDF_KEY_CHECK', '0'], + ['x963kdf_key_check', 'OSSL_PROV_PARAM_X963KDF_KEY_CHECK', '0'], + ['x942kdf_key_check', 'OSSL_PROV_PARAM_X942KDF_KEY_CHECK', '0'], + ['pbkdf2_lower_bound_check', 'OSSL_PROV_PARAM_PBKDF2_LOWER_BOUND_CHECK', '1'], + ['ecdh_cofactor_check', 'OSSL_PROV_PARAM_ECDH_COFACTOR_CHECK', '0']) -} +/* + * Handles the loading of FIPS self test parameters from the core using + * OSSL_PARAM. + * + * The perl function generates code that: + * + * Creates a function to retrieve the values from the core. + */ +{-use OpenSSL::fipsparams qw(produce_fips_selftest_params); -} +{- produce_fips_selftest_params( + ['module_filename', 'OSSL_PROV_PARAM_CORE_MODULE_FILENAME'], + ['module_checksum_data', 'OSSL_PROV_FIPS_PARAM_MODULE_MAC'], + ['conditional_error_check', 'OSSL_PROV_FIPS_PARAM_CONDITIONAL_ERRORS'], + ['defer_tests', 'OSSL_PROV_FIPS_PARAM_DEFER_TESTS']) -} diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c index 7ee38f837ec..59509da6313 100644 --- a/providers/fips/fipsprov.c +++ b/providers/fips/fipsprov.c @@ -94,24 +94,25 @@ typedef struct { unsigned char enabled; } FIPS_OPTION; +typedef struct fips_global_st FIPS_GLOBAL; +typedef struct fips_indicators_st FIPS_INDICATORS; +static FIPS_INDICATORS *get_fips_indicators(FIPS_GLOBAL *fgbl); +#include "fipsparams.inc" + typedef struct fips_global_st { const OSSL_CORE_HANDLE *handle; SELF_TEST_POST_PARAMS selftest_params; -#define OSSL_FIPS_PARAM(structname, paramname, initvalue) \ - FIPS_OPTION fips_##structname; -#include "fips_indicator_params.inc" -#undef OSSL_FIPS_PARAM + FIPS_INDICATORS fips_indicators; /* Guards access to deferred self-test */ CRYPTO_RWLOCK *deferred_lock; } FIPS_GLOBAL; -static void init_fips_option(FIPS_OPTION *opt, int enabled) +static inline FIPS_INDICATORS *get_fips_indicators(FIPS_GLOBAL *fgbl) { - opt->enabled = enabled; - opt->option = enabled ? "1" : "0"; + return &fgbl->fips_indicators; } void *ossl_fips_prov_ossl_ctx_new(OSSL_LIB_CTX *libctx) @@ -121,10 +122,7 @@ void *ossl_fips_prov_ossl_ctx_new(OSSL_LIB_CTX *libctx) if (fgbl == NULL) return NULL; -#define OSSL_FIPS_PARAM(structname, paramname, initvalue) \ - init_fips_option(&fgbl->fips_##structname, initvalue); -#include "fips_indicator_params.inc" -#undef OSSL_FIPS_PARAM + init_fips_indicators(&fgbl->fips_indicators); return fgbl; } @@ -159,23 +157,11 @@ static int fips_get_params_from_core(FIPS_GLOBAL *fgbl) { OSSL_PARAM core_params[33], *p = core_params; -#define OSSL_FIPS_PARAM(structname, paramname) \ - *p++ = OSSL_PARAM_construct_utf8_ptr( \ - paramname, (char **)&fgbl->selftest_params.structname, \ - sizeof(fgbl->selftest_params.structname)); - -/* Parameters required for self testing */ -#include "fips_selftest_params.inc" -#undef OSSL_FIPS_PARAM + /* Parameters required for self testing */ + p = get_fips_selftest_params_from_core(p, &fgbl->selftest_params); -/* FIPS indicator options can be enabled or disabled independently */ -#define OSSL_FIPS_PARAM(structname, paramname, initvalue) \ - *p++ = OSSL_PARAM_construct_utf8_ptr( \ - OSSL_PROV_PARAM_##paramname, \ - (char **)&fgbl->fips_##structname.option, \ - sizeof(fgbl->fips_##structname.option)); -#include "fips_indicator_params.inc" -#undef OSSL_FIPS_PARAM + /* FIPS indicator options can be enabled or disabled independently */ + p = get_fips_indicator_params_from_core(p, &fgbl->fips_indicators); *p = OSSL_PARAM_construct_end(); @@ -184,7 +170,7 @@ static int fips_get_params_from_core(FIPS_GLOBAL *fgbl) return 0; } - return 1; + return set_fips_indicators_from_core(&fgbl->fips_indicators); } static const OSSL_PARAM *fips_gettable_params(void *provctx) @@ -195,12 +181,7 @@ static const OSSL_PARAM *fips_gettable_params(void *provctx) OSSL_PARAM_DEFN(OSSL_PROV_PARAM_VERSION, OSSL_PARAM_UTF8_PTR, NULL, 0), OSSL_PARAM_DEFN(OSSL_PROV_PARAM_BUILDINFO, OSSL_PARAM_UTF8_PTR, NULL, 0), OSSL_PARAM_DEFN(OSSL_PROV_PARAM_STATUS, OSSL_PARAM_INTEGER, NULL, 0), - -#define OSSL_FIPS_PARAM(structname, paramname, initvalue) \ - OSSL_PARAM_DEFN(OSSL_PROV_PARAM_##paramname, OSSL_PARAM_INTEGER, NULL, 0), -#include "fips_indicator_params.inc" -#undef OSSL_FIPS_PARAM - + OSSL_FIPS_INDICATOR_PARAM_TYPES, OSSL_PARAM_END }; return fips_param_types; @@ -225,14 +206,7 @@ static int fips_get_params(void *provctx, OSSL_PARAM params[]) if (p != NULL && !OSSL_PARAM_set_int(p, ossl_prov_is_running())) return 0; -#define OSSL_FIPS_PARAM(structname, paramname, initvalue) \ - p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_##paramname); \ - if (p != NULL && !OSSL_PARAM_set_int(p, fgbl->fips_##structname.enabled)) \ - return 0; -#include "fips_indicator_params.inc" -#undef OSSL_FIPS_PARAM - - return 1; + return get_fips_indicator_params(params, &fgbl->fips_indicators); } static void set_self_test_cb(FIPS_GLOBAL *fgbl) @@ -1046,19 +1020,6 @@ int OSSL_provider_init_int(const OSSL_CORE_HANDLE *handle, && strcmp(fgbl->selftest_params.conditional_error_check, "0") == 0) SELF_TEST_disable_conditional_error_state(); - /* Enable or disable FIPS provider options */ -#define OSSL_FIPS_PARAM(structname, paramname, unused) \ - if (fgbl->fips_##structname.option != NULL) { \ - if (strcmp(fgbl->fips_##structname.option, "1") == 0) \ - fgbl->fips_##structname.enabled = 1; \ - else if (strcmp(fgbl->fips_##structname.option, "0") == 0) \ - fgbl->fips_##structname.enabled = 0; \ - else \ - goto err; \ - } -#include "fips_indicator_params.inc" -#undef OSSL_FIPS_PARAM - ossl_prov_cache_exported_algorithms(fips_ciphers, exported_fips_ciphers); /* initialize deferred self-test infrastructure */ @@ -1264,16 +1225,6 @@ int BIO_snprintf(char *buf, size_t n, const char *format, ...) return ret; } -#define OSSL_FIPS_PARAM(structname, paramname, unused) \ - int ossl_fips_config_##structname(OSSL_LIB_CTX *libctx) \ - { \ - FIPS_GLOBAL *fgbl = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_FIPS_PROV_INDEX); \ - \ - return fgbl->fips_##structname.enabled; \ - } -#include "fips_indicator_params.inc" -#undef OSSL_FIPS_PARAM - void OSSL_SELF_TEST_get_callback(OSSL_LIB_CTX *libctx, OSSL_CALLBACK **cb, void **cbarg) { diff --git a/providers/fips/include/fips_indicator_params.inc b/providers/fips/include/fips_indicator_params.inc deleted file mode 100644 index 78f9fc06551..00000000000 --- a/providers/fips/include/fips_indicator_params.inc +++ /dev/null @@ -1,28 +0,0 @@ -OSSL_FIPS_PARAM(security_checks, SECURITY_CHECKS, 1) -OSSL_FIPS_PARAM(tls1_prf_ems_check, TLS1_PRF_EMS_CHECK, 0) -OSSL_FIPS_PARAM(no_short_mac, NO_SHORT_MAC, 1) -OSSL_FIPS_PARAM(hmac_key_check, HMAC_KEY_CHECK, 0) -OSSL_FIPS_PARAM(kmac_key_check, KMAC_KEY_CHECK, 0) -OSSL_FIPS_PARAM(restricted_drbg_digests, DRBG_TRUNC_DIGEST, 0) -OSSL_FIPS_PARAM(signature_digest_check, SIGNATURE_DIGEST_CHECK, 0) -OSSL_FIPS_PARAM(hkdf_digest_check, HKDF_DIGEST_CHECK, 0) -OSSL_FIPS_PARAM(tls13_kdf_digest_check, TLS13_KDF_DIGEST_CHECK, 0) -OSSL_FIPS_PARAM(tls1_prf_digest_check, TLS1_PRF_DIGEST_CHECK, 0) -OSSL_FIPS_PARAM(sshkdf_digest_check, SSHKDF_DIGEST_CHECK, 0) -OSSL_FIPS_PARAM(sskdf_digest_check, SSKDF_DIGEST_CHECK, 0) -OSSL_FIPS_PARAM(x963kdf_digest_check, X963KDF_DIGEST_CHECK, 0) -OSSL_FIPS_PARAM(dsa_sign_disallowed, DSA_SIGN_DISABLED, 0) -OSSL_FIPS_PARAM(tdes_encrypt_disallowed, TDES_ENCRYPT_DISABLED, 0) -OSSL_FIPS_PARAM(rsa_pkcs15_padding_disabled, RSA_PKCS15_PAD_DISABLED, 0) -OSSL_FIPS_PARAM(rsa_pss_saltlen_check, RSA_PSS_SALTLEN_CHECK, 0) -OSSL_FIPS_PARAM(rsa_sign_x931_disallowed, RSA_SIGN_X931_PAD_DISABLED, 0) -OSSL_FIPS_PARAM(hkdf_key_check, HKDF_KEY_CHECK, 0) -OSSL_FIPS_PARAM(kbkdf_key_check, KBKDF_KEY_CHECK, 0) -OSSL_FIPS_PARAM(tls13_kdf_key_check, TLS13_KDF_KEY_CHECK, 0) -OSSL_FIPS_PARAM(tls1_prf_key_check, TLS1_PRF_KEY_CHECK, 0) -OSSL_FIPS_PARAM(sshkdf_key_check, SSHKDF_KEY_CHECK, 0) -OSSL_FIPS_PARAM(sskdf_key_check, SSKDF_KEY_CHECK, 0) -OSSL_FIPS_PARAM(x963kdf_key_check, X963KDF_KEY_CHECK, 0) -OSSL_FIPS_PARAM(x942kdf_key_check, X942KDF_KEY_CHECK, 0) -OSSL_FIPS_PARAM(pbkdf2_lower_bound_check, PBKDF2_LOWER_BOUND_CHECK, 1) -OSSL_FIPS_PARAM(ecdh_cofactor_check, ECDH_COFACTOR_CHECK, 0) diff --git a/providers/fips/include/fips_selftest_params.inc b/providers/fips/include/fips_selftest_params.inc deleted file mode 100644 index 170ebc4c71a..00000000000 --- a/providers/fips/include/fips_selftest_params.inc +++ /dev/null @@ -1,4 +0,0 @@ -OSSL_FIPS_PARAM(module_filename, OSSL_PROV_PARAM_CORE_MODULE_FILENAME) -OSSL_FIPS_PARAM(module_checksum_data, OSSL_PROV_FIPS_PARAM_MODULE_MAC) -OSSL_FIPS_PARAM(conditional_error_check, OSSL_PROV_FIPS_PARAM_CONDITIONAL_ERRORS) -OSSL_FIPS_PARAM(defer_tests, OSSL_PROV_FIPS_PARAM_DEFER_TESTS) diff --git a/providers/fips/include/fipscommon.h b/providers/fips/include/fipscommon.h index c8df9a8ac4f..ff73ea6d7dd 100644 --- a/providers/fips/include/fipscommon.h +++ b/providers/fips/include/fipscommon.h @@ -10,9 +10,33 @@ #ifdef FIPS_MODULE #include -#define OSSL_FIPS_PARAM(structname, paramname, unused) \ - int ossl_fips_config_##structname(OSSL_LIB_CTX *libctx); -#include "fips_indicator_params.inc" -#undef OSSL_FIPS_PARAM +int ossl_fips_config_security_checks(OSSL_LIB_CTX *libctx); +int ossl_fips_config_tls1_prf_ems_check(OSSL_LIB_CTX *libctx); +int ossl_fips_config_no_short_mac(OSSL_LIB_CTX *libctx); +int ossl_fips_config_hmac_key_check(OSSL_LIB_CTX *libctx); +int ossl_fips_config_kmac_key_check(OSSL_LIB_CTX *libctx); +int ossl_fips_config_restricted_drbg_digests(OSSL_LIB_CTX *libctx); +int ossl_fips_config_signature_digest_check(OSSL_LIB_CTX *libctx); +int ossl_fips_config_hkdf_digest_check(OSSL_LIB_CTX *libctx); +int ossl_fips_config_tls13_kdf_digest_check(OSSL_LIB_CTX *libctx); +int ossl_fips_config_tls1_prf_digest_check(OSSL_LIB_CTX *libctx); +int ossl_fips_config_sshkdf_digest_check(OSSL_LIB_CTX *libctx); +int ossl_fips_config_sskdf_digest_check(OSSL_LIB_CTX *libctx); +int ossl_fips_config_x963kdf_digest_check(OSSL_LIB_CTX *libctx); +int ossl_fips_config_dsa_sign_disallowed(OSSL_LIB_CTX *libctx); +int ossl_fips_config_tdes_encrypt_disallowed(OSSL_LIB_CTX *libctx); +int ossl_fips_config_rsa_pkcs15_padding_disabled(OSSL_LIB_CTX *libctx); +int ossl_fips_config_rsa_pss_saltlen_check(OSSL_LIB_CTX *libctx); +int ossl_fips_config_rsa_sign_x931_disallowed(OSSL_LIB_CTX *libctx); +int ossl_fips_config_hkdf_key_check(OSSL_LIB_CTX *libctx); +int ossl_fips_config_kbkdf_key_check(OSSL_LIB_CTX *libctx); +int ossl_fips_config_tls13_kdf_key_check(OSSL_LIB_CTX *libctx); +int ossl_fips_config_tls1_prf_key_check(OSSL_LIB_CTX *libctx); +int ossl_fips_config_sshkdf_key_check(OSSL_LIB_CTX *libctx); +int ossl_fips_config_sskdf_key_check(OSSL_LIB_CTX *libctx); +int ossl_fips_config_x963kdf_key_check(OSSL_LIB_CTX *libctx); +int ossl_fips_config_x942kdf_key_check(OSSL_LIB_CTX *libctx); +int ossl_fips_config_pbkdf2_lower_bound_check(OSSL_LIB_CTX *libctx); +int ossl_fips_config_ecdh_cofactor_check(OSSL_LIB_CTX *libctx); #endif diff --git a/util/perl/OpenSSL/fipsparams.pm b/util/perl/OpenSSL/fipsparams.pm new file mode 100644 index 00000000000..b6ea39707ca --- /dev/null +++ b/util/perl/OpenSSL/fipsparams.pm @@ -0,0 +1,135 @@ +#! /usr/bin/env perl +# Copyright 2026 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + +package OpenSSL::fipsparams; + +use strict; +use warnings; +use Exporter; + +our @ISA = qw(Exporter); +our @EXPORT_OK = qw(produce_fips_indicators produce_fips_selftest_params); + +sub produce_fips_indicators { + my @params = @_; + my $s; + open(local *STDOUT, '>', \$s); + + print "/* Machine generated by util/perl/OpenSSL/fipsparams.pm */\n"; + print "\n"; + print "typedef struct fips_indicators_st {\n"; + foreach my $p (@params) { + printf " const char *%s_string;\n", $p->[0]; + printf " unsigned char %s_enabled;\n", $p->[0]; + } + print "} FIPS_INDICATORS;\n"; + + print "\n"; + print "static void init_fips_indicators(FIPS_INDICATORS *indicators)\n"; + print "{\n"; + foreach my $p (@params) { + my $field = $p->[0]; + my $name = $p->[1]; + my $enabled = $p->[2]; + printf " indicators->%s_string = \"%s\";\n", $field, $enabled; + printf " indicators->%s_enabled = %s;\n", $field, $enabled; + } + print "}\n"; + + print "\n"; + print "static OSSL_PARAM *get_fips_indicator_params_from_core(\n"; + print " OSSL_PARAM *op, FIPS_INDICATORS *fi)\n"; + print "{\n"; + foreach my $p (@params) { + my $field = $p->[0]; + my $name = $p->[1]; + print " *op++ = OSSL_PARAM_construct_utf8_ptr(\n"; + printf " $name, (char **)&fi->%s_string,\n", $field; + printf " sizeof(fi->%s_string));\n", $field; + } + print " return op;\n"; + print "}\n"; + + print "\n"; + print "#define OSSL_FIPS_INDICATOR_PARAM_TYPES \\\n"; + my $cnt = 0; + foreach my $p (@params) { + my $name = $p->[1]; + print " OSSL_PARAM_DEFN($name, OSSL_PARAM_INTEGER, NULL, 0)"; + print "," if ($cnt++ < $#params); + print "\\\n"; + } + print "\n"; + + print "\n"; + print "static int get_fips_indicator_params(OSSL_PARAM *params, FIPS_INDICATORS *fi)\n"; + print "{\n"; + print " OSSL_PARAM *p;\n"; + foreach my $p (@params) { + my $field = $p->[0]; + my $name = $p->[1]; + print " p = OSSL_PARAM_locate(params, $name);\n"; + printf " if (p != NULL && !OSSL_PARAM_set_int(p, fi->%s_enabled))\n", $field; + print " return 0;\n"; + } + print " return 1;\n"; + print "}\n"; + + print "\n"; + print "static int set_fips_indicators_from_core(FIPS_INDICATORS *fi)\n"; + print "{\n"; + foreach my $p (@params) { + my $field = $p->[0]; + printf " if (fi->%s_string != NULL) {\n", $field; + printf " if (strcmp(fi->%s_string, \"1\") == 0)\n", $field; + printf " fi->%s_enabled = 1;\n", $field; + printf " else if (strcmp(fi->%s_string, \"0\") == 0)\n", $field; + printf " fi->%s_enabled = 0;\n", $field; + print " else\n"; + print " return 0;\n"; + print " }\n"; + } + print " return 1;\n"; + print "}\n"; + + foreach my $p (@params) { + my $field = $p->[0]; + print "\n"; + printf "int ossl_fips_config_%s(OSSL_LIB_CTX *libctx)\n", $field; + print "{\n"; + print " FIPS_GLOBAL *fgbl = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_FIPS_PROV_INDEX);\n"; + print " FIPS_INDICATORS *indicators = get_fips_indicators(fgbl);\n"; + printf " return indicators->%s_enabled;\n", $field; + print "}\n"; + } + + return $s; +} + +sub produce_fips_selftest_params { + my @params = @_; + my $s; + open(local *STDOUT, '>', \$s); + + print "/* Machine generated by util/perl/OpenSSL/fipsparams.pm */\n"; + + print "static OSSL_PARAM *get_fips_selftest_params_from_core(\n"; + print " OSSL_PARAM *op, SELF_TEST_POST_PARAMS *stpp)\n"; + print "{\n"; + foreach my $p (@params) { + my $field = $p->[0]; + my $name = $p->[1]; + print " *op++ = OSSL_PARAM_construct_utf8_ptr(\n"; + print " $name, (char **)&stpp->$field,\n"; + print " sizeof(stpp->$field));\n"; + } + print " return op;\n"; + print "}\n"; + + return $s; +}