From: slontis Date: Mon, 12 Aug 2024 09:31:10 +0000 (+1000) Subject: Cleanups for FIPS options.. X-Git-Tag: openssl-3.4.0-alpha1~37 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f6a296c3867f53cd005069292d512280835bcdae;p=thirdparty%2Fopenssl.git Cleanups for FIPS options.. The options in fipsprov.c are now generated using macros with fips_indicator_params.inc. This should keep the naming consistent. Some FIPS related headers have moved to providers/fips/include so that they can use fips_indicator_params.inc. securitycheck.h now includes fipsindicator.h, and fipsindicator.h includes fipscommon.h. fipsinstall.c uses OSSL_PROV_PARAM_ for the configurable FIPS options rather than using OSSL_PROV_FIPS_PARAM_* as this was confusing as to which one should be used. fips_names.h just uses aliases now for existing public names. Reviewed-by: Paul Dale Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/25162)
---
diff --git a/apps/fipsinstall.c b/apps/fipsinstall.c
index 32d514bedb5..7b3fdbaf534 100644
--- a/apps/fipsinstall.c
+++ b/apps/fipsinstall.c
@@ -361,68 +361,68 @@ static int write_config_fips_section(BIO *out, const char *section, VERSION_VAL) <= 0 || BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_CONDITIONAL_ERRORS, opts->conditional_errors ? "1" : "0") <= 0 - || BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_SECURITY_CHECKS, + || BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_SECURITY_CHECKS, opts->security_checks ? "1" : "0") <= 0 - || BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_HMAC_KEY_CHECK, + || BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_HMAC_KEY_CHECK, opts->hmac_key_check ? "1": "0") <= 0 - || BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_KMAC_KEY_CHECK, + || BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_KMAC_KEY_CHECK, opts->kmac_key_check ? "1": "0") <= 0 - || BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_TLS1_PRF_EMS_CHECK, + || BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_TLS1_PRF_EMS_CHECK, opts->tls_prf_ems_check ? "1" : "0") <= 0 || BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_NO_SHORT_MAC, opts->no_short_mac ? "1" : "0") <= 0 - || BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_DRBG_TRUNC_DIGEST, + || BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_DRBG_TRUNC_DIGEST, opts->drgb_no_trunc_dgst ? "1" : "0") <= 0 - || BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_SIGNATURE_DIGEST_CHECK, + || BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_SIGNATURE_DIGEST_CHECK, opts->signature_digest_check ? "1" : "0") <= 0 - || BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_HKDF_DIGEST_CHECK, + || BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_HKDF_DIGEST_CHECK, opts->hkdf_digest_check ? "1": "0") <= 0 || BIO_printf(out, "%s = %s\n", - OSSL_PROV_FIPS_PARAM_TLS13_KDF_DIGEST_CHECK, + OSSL_PROV_PARAM_TLS13_KDF_DIGEST_CHECK, opts->tls13_kdf_digest_check ? "1": "0") <= 0 || BIO_printf(out, "%s = %s\n", - OSSL_PROV_FIPS_PARAM_TLS1_PRF_DIGEST_CHECK, + OSSL_PROV_PARAM_TLS1_PRF_DIGEST_CHECK, opts->tls1_prf_digest_check ? 
"1": "0") <= 0 || BIO_printf(out, "%s = %s\n", - OSSL_PROV_FIPS_PARAM_SSHKDF_DIGEST_CHECK, + OSSL_PROV_PARAM_SSHKDF_DIGEST_CHECK, opts->sshkdf_digest_check ? "1": "0") <= 0 - || BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_SSKDF_DIGEST_CHECK, + || BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_SSKDF_DIGEST_CHECK, opts->sskdf_digest_check ? "1": "0") <= 0 || BIO_printf(out, "%s = %s\n", - OSSL_PROV_FIPS_PARAM_X963KDF_DIGEST_CHECK, + OSSL_PROV_PARAM_X963KDF_DIGEST_CHECK, opts->x963kdf_digest_check ? "1": "0") <= 0 - || BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_DSA_SIGN_DISABLED, + || BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_DSA_SIGN_DISABLED, opts->dsa_sign_disabled ? "1" : "0") <= 0 || BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_TDES_ENCRYPT_DISABLED, opts->tdes_encrypt_disabled ? "1" : "0") <= 0 || BIO_printf(out, "%s = %s\n", - OSSL_PROV_FIPS_PARAM_RSA_PKCS15_PADDING_DISABLED, + OSSL_PROV_PARAM_RSA_PKCS15_PAD_DISABLED, opts->rsa_pkcs15_padding_disabled ? "1" : "0") <= 0 || BIO_printf(out, "%s = %s\n", - OSSL_PROV_FIPS_PARAM_RSA_PSS_SALTLEN_CHECK, + OSSL_PROV_PARAM_RSA_PSS_SALTLEN_CHECK, opts->rsa_pss_saltlen_check ? "1" : "0") <= 0 || BIO_printf(out, "%s = %s\n", - OSSL_PROV_FIPS_PARAM_RSA_SIGN_X931_PAD_DISABLED, + OSSL_PROV_PARAM_RSA_SIGN_X931_PAD_DISABLED, opts->sign_x931_padding_disabled ? "1" : "0") <= 0 - || BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_HKDF_KEY_CHECK, + || BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_HKDF_KEY_CHECK, opts->hkdf_key_check ? "1": "0") <= 0 - || BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_KBKDF_KEY_CHECK, + || BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_KBKDF_KEY_CHECK, opts->kbkdf_key_check ? "1": "0") <= 0 || BIO_printf(out, "%s = %s\n", - OSSL_PROV_FIPS_PARAM_TLS13_KDF_KEY_CHECK, + OSSL_PROV_PARAM_TLS13_KDF_KEY_CHECK, opts->tls13_kdf_key_check ? 
"1": "0") <= 0 - || BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_TLS1_PRF_KEY_CHECK, + || BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_TLS1_PRF_KEY_CHECK, opts->tls1_prf_key_check ? "1": "0") <= 0 - || BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_SSHKDF_KEY_CHECK, + || BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_SSHKDF_KEY_CHECK, opts->sshkdf_key_check ? "1": "0") <= 0 - || BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_SSKDF_KEY_CHECK, + || BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_SSKDF_KEY_CHECK, opts->sskdf_key_check ? "1": "0") <= 0 - || BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_X963KDF_KEY_CHECK, + || BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_X963KDF_KEY_CHECK, opts->x963kdf_key_check ? "1": "0") <= 0 || BIO_printf(out, "%s = %s\n", - OSSL_PROV_FIPS_PARAM_PBKDF2_LOWER_BOUND_CHECK, + OSSL_PROV_PARAM_PBKDF2_LOWER_BOUND_CHECK, opts->pbkdf2_lower_bound_check ? "1" : "0") <= 0 - || BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_ECDH_COFACTOR_CHECK, + || BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_ECDH_COFACTOR_CHECK, opts->ecdh_cofactor_check ? "1": "0") <= 0 || !print_mac(out, OSSL_PROV_FIPS_PARAM_MODULE_MAC, module_mac, module_mac_len)) diff --git a/include/openssl/fips_names.h b/include/openssl/fips_names.h index af13e9acebc..288ea839353 100644 --- a/include/openssl/fips_names.h +++ b/include/openssl/fips_names.h 
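Review bot: The PKCS#1 v1.5 padding entry is the one rename in this hunk that is not a plain prefix change, `OSSL_PROV_FIPS_PARAM_RSA_PKCS15_PADDING_DISABLED` to `OSSL_PROV_PARAM_RSA_PKCS15_PAD_DISABLED`, and the string behind the new macro is not visible in this diff. The removed define in fips_names.h shows the old key was "rsa-pkcs15-padding-disabled"; if the new macro expands to a different string, a FIPS config section written by an earlier fipsinstall carries a key that fipsprov.c no longer requests from the core, and the option would presumably stay at its default with no error. I would record that at the line, for example `/* config key was "rsa-pkcs15-padding-disabled" before this change */`, and confirm whether existing configs need to be regenerated. write_config_fips_section begins before this hunk and continues after it.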
@@ -17,27 +17,18 @@ extern "C" { /* * Parameter names that the FIPS Provider defines + * All parameters are of type: OSSL_PARAM_UTF8_STRING */ -/* - * The calculated MAC of the module file (Used for FIPS Self Testing) - * Type: OSSL_PARAM_UTF8_STRING - */ +/* The following 4 Parameters are used for FIPS Self Testing */ + +/* The calculated MAC of the module file */ # define OSSL_PROV_FIPS_PARAM_MODULE_MAC "module-mac" -/* - * A version number for the fips install process (Used for FIPS Self Testing) - * Type: OSSL_PARAM_UTF8_STRING - */ +/* The Version number for the fips install process */ # define OSSL_PROV_FIPS_PARAM_INSTALL_VERSION "install-version" -/* - * The calculated MAC of the install status indicator (Used for FIPS Self Testing) - * Type: OSSL_PARAM_UTF8_STRING - */ +/* The calculated MAC of the install status indicator */ # define OSSL_PROV_FIPS_PARAM_INSTALL_MAC "install-mac" -/* - * The install status indicator (Used for FIPS Self Testing) - * Type: OSSL_PARAM_UTF8_STRING - */ +/* The install status indicator */ # define OSSL_PROV_FIPS_PARAM_INSTALL_STATUS "install-status" /* 
@@ -47,222 +38,10 @@ extern "C" { */ # define OSSL_PROV_FIPS_PARAM_CONDITIONAL_ERRORS "conditional-errors" -/* - * A boolean that determines if the runtime FIPS security checks are performed. - * This is enabled by default. - * Type: OSSL_PARAM_UTF8_STRING - */ -# define OSSL_PROV_FIPS_PARAM_SECURITY_CHECKS "security-checks" - -/* - * A boolean that determines if the runtime FIPS check for TLS1_PRF EMS is performed. - * This is disabled by default. - * Type: OSSL_PARAM_UTF8_STRING - */ -# define OSSL_PROV_FIPS_PARAM_TLS1_PRF_EMS_CHECK "tls1-prf-ems-check" - -/* - * A boolean that determines if the runtime FIPS check for undersized MAC output - * is performed. - * This is enabled by default. - * Type: OSSL_PARAM_UTF8_STRING - */ -# define OSSL_PROV_FIPS_PARAM_NO_SHORT_MAC "no-short-mac" - -/* - * A boolean that determines if the runtime FIPS key check for HMAC is - * performed. - * This is enabled by default. - * Type: OSSL_PARAM_UTF8_STRING - */ -# define OSSL_PROV_FIPS_PARAM_HMAC_KEY_CHECK "hmac-key-check" - -/* - * A boolean that determines if the runtime FIPS key check for KMAC is - * performed. - * This is enabled by default. - * Type: OSSL_PARAM_UTF8_STRING - */ -# define OSSL_PROV_FIPS_PARAM_KMAC_KEY_CHECK "kmac-key-check" - -/* - * A boolean that determines if truncated digests can be used with Hash and HMAC - * DRBGs. FIPS 140-3 IG D.R disallows such use for efficiency rather than - * security reasons. - * This is disabled by default. - * Type: OSSL_PARAM_UTF8_STRING - */ -# define OSSL_PROV_FIPS_PARAM_DRBG_TRUNC_DIGEST "drbg-no-trunc-md" - -/* - * A boolean that determines if the digest algorithm used as part of a - * signature algorithm is in the approved list. - * This is disabled by default. - * Type: OSSL_PARAM_UTF8_STRING - */ -# define OSSL_PROV_FIPS_PARAM_SIGNATURE_DIGEST_CHECK "signature-digest-check" - -/* - * A boolean that determines if the runtime FIPS digest check for HKDF is - * performed. - * This is disabled by default. 
- * Type: OSSL_PARAM_UTF8_STRING - */ -# define OSSL_PROV_FIPS_PARAM_HKDF_DIGEST_CHECK "hkdf-digest-check" - -/* - * A boolean that determines if the runtime FIPS digest check for TLS13 KDF is - * performed. - * This is disabled by default. - * Type: OSSL_PARAM_UTF8_STRING - */ -# define OSSL_PROV_FIPS_PARAM_TLS13_KDF_DIGEST_CHECK "tls13-kdf-digest-check" - -/* - * A boolean that determines if the runtime FIPS digest check for TLS1_PRF is - * performed. - * This is disabled by default. - * Type: OSSL_PARAM_UTF8_STRING - */ -# define OSSL_PROV_FIPS_PARAM_TLS1_PRF_DIGEST_CHECK "tls1-prf-digest-check" - -/* - * A boolean that determines if the runtime FIPS digest check for SSHKDF is - * performed. - * This is disabled by default. - * Type: OSSL_PARAM_UTF8_STRING - */ -# define OSSL_PROV_FIPS_PARAM_SSHKDF_DIGEST_CHECK "sshkdf-digest-check" - -/* - * A boolean that determines if the runtime FIPS digest check for SSKDF is - * performed. - * This is disabled by default. - * Type: OSSL_PARAM_UTF8_STRING - */ -# define OSSL_PROV_FIPS_PARAM_SSKDF_DIGEST_CHECK "sskdf-digest-check" - -/* - * A boolean that determines if the runtime FIPS digest check for X963KDF is - * performed. - * This is disabled by default. - * Type: OSSL_PARAM_UTF8_STRING - */ -# define OSSL_PROV_FIPS_PARAM_X963KDF_DIGEST_CHECK "x963kdf-digest-check" - -/* - * A boolean that determines if DSA signing operations are allowed. - * This is disabled by default. - * Type: OSSL_PARAM_UTF8_STRING - */ -# define OSSL_PROV_FIPS_PARAM_DSA_SIGN_DISABLED "dsa-sign-disabled" - -/* - * A boolean that determines if Triple-DES encryption operations are allowed. - * See SP800-131A r2 for further information. - * This is disabled by default. - * Type: OSSL_PARAM_UTF8_STRING - */ -# define OSSL_PROV_FIPS_PARAM_TDES_ENCRYPT_DISABLED "tdes-encrypt-disabled" - -/* - * A boolean that determines if PKCS#1 v1.5 padding is allowed for key - * agreement and transport operations. - * See SP800-131A r2 for further information. 
- * This is disabled by default. - * Type: OSSL_PARAM_UTF8_STRING - */ -# define OSSL_PROV_FIPS_PARAM_RSA_PKCS15_PADDING_DISABLED \ - "rsa-pkcs15-padding-disabled" - -/* - * A boolean that determines if the runtime salt length check for RSA-PSS is - * performed. - * This is disabled by default. - * Type: OSSL_PARAM_UTF8_STRING - */ -# define OSSL_PROV_FIPS_PARAM_RSA_PSS_SALTLEN_CHECK "rsa-pss-saltlen-check" - -/* - * A boolean that determines if X9.31 padding can be used for RSA signing. - * X9.31 RSA has been removed from FIPS 186-5, and is no longer approved for - * signing. it may still be used for verification for legacy purposes. - * This is disabled by default. - * Type: OSSL_PARAM_UTF8_STRING - */ -# define OSSL_PROV_FIPS_PARAM_RSA_SIGN_X931_PAD_DISABLED "rsa-sign-x931-pad-disabled" - -/* - * A boolean that determines if the runtime FIPS key check for HKDF is - * performed. - * This is disabled by default. - * Type: OSSL_PARAM_UTF8_STRING - */ -# define OSSL_PROV_FIPS_PARAM_HKDF_KEY_CHECK "hkdf-key-check" - -/* - * A boolean that determines if the runtime FIPS key check for KBKDF is - * performed. - * This is disabled by default. - * Type: OSSL_PARAM_UTF8_STRING - */ -# define OSSL_PROV_FIPS_PARAM_KBKDF_KEY_CHECK "kbkdf-key-check" - -/* - * A boolean that determines if the runtime FIPS key check for TLS13 KDF is - * performed. - * This is disabled by default. - * Type: OSSL_PARAM_UTF8_STRING - */ -# define OSSL_PROV_FIPS_PARAM_TLS13_KDF_KEY_CHECK "tls13-kdf-key-check" - -/* - * A boolean that determines if the runtime FIPS key check for TLS1_PRF is - * performed. - * This is disabled by default. - * Type: OSSL_PARAM_UTF8_STRING - */ -# define OSSL_PROV_FIPS_PARAM_TLS1_PRF_KEY_CHECK "tls1-prf-key-check" - -/* - * A boolean that determines if the runtime FIPS key check for SSHKDF is - * performed. - * This is disabled by default. 
- * Type: OSSL_PARAM_UTF8_STRING - */ -# define OSSL_PROV_FIPS_PARAM_SSHKDF_KEY_CHECK "sshkdf-key-check" - -/* - * A boolean that determines if the runtime FIPS key check for SSKDF is - * performed. - * This is disabled by default. - * Type: OSSL_PARAM_UTF8_STRING - */ -# define OSSL_PROV_FIPS_PARAM_SSKDF_KEY_CHECK "sskdf-key-check" - -/* - * A boolean that determines if the runtime FIPS key check for X963KDF is - * performed. - * This is disabled by default. - * Type: OSSL_PARAM_UTF8_STRING - */ -# define OSSL_PROV_FIPS_PARAM_X963KDF_KEY_CHECK "x963kdf-key-check" - -/* - * A boolean that determines if the runtime lower bound check for PBKDF2 is - * performed. - * This is enabled by default. - * Type: OSSL_PARAM_UTF8_STRING - */ -# define OSSL_PROV_FIPS_PARAM_PBKDF2_LOWER_BOUND_CHECK "pbkdf2-lower-bound-check" - -/* - * A boolean that determines if the runtime cofactor check for ECDH is - * performed. - * This is disabled by default. - * Type: OSSL_PARAM_UTF8_STRING - */ -# define OSSL_PROV_FIPS_PARAM_ECDH_COFACTOR_CHECK "ecdh-cofactor-check" +/* The following are provided for backwards compatibility */ +# define OSSL_PROV_FIPS_PARAM_SECURITY_CHECKS OSSL_PROV_PARAM_SECURITY_CHECKS +# define OSSL_PROV_FIPS_PARAM_TLS1_PRF_EMS_CHECK OSSL_PROV_PARAM_TLS1_PRF_EMS_CHECK +# define OSSL_PROV_FIPS_PARAM_DRBG_TRUNC_DIGEST OSSL_PROV_PARAM_DRBG_TRUNC_DIGEST # ifdef __cplusplus } diff --git a/providers/build.info b/providers/build.info index 3b211bbb2fe..06f27df9c64 100644 --- a/providers/build.info +++ b/providers/build.info 
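Review bot: The three compatibility aliases expand to `OSSL_PROV_PARAM_*` names that are not defined in the visible part of this header, and the include lines at the top of fips_names.h are outside the hunk, so a consumer that includes only `<openssl/fips_names.h>` may get undefined identifiers wherever the aliases are used. If the header does not already include the file that defines them (presumably `<openssl/core_names.h>`), that include belongs here. The deleted comment blocks were also the only place in this diff that recorded each check's default and rationale, such as X9.31 signing having been removed from FIPS 186-5, so I would add a line above the aliases saying where that description now lives. Every other `OSSL_PROV_FIPS_PARAM_*` option name leaves a public header without an alias, which is safe only if none of them appeared in a release.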
@@ -46,7 +46,8 @@ LIBS{noinst}=$LIBDEFAULT $LIBCOMMON # providers/implementations/include), which includes crypto/*_platform.h # (present in include), which in turn may include very internal header # files in crypto/, so let's have a common include list for them all. -$COMMON_INCLUDES=../crypto ../include implementations/include common/include +$COMMON_INCLUDES=../crypto ../include implementations/include common/include \ + fips/include INCLUDE[$LIBCOMMON]=$COMMON_INCLUDES INCLUDE[$LIBFIPS]=.. $COMMON_INCLUDES diff --git a/providers/common/include/prov/fipscommon.h b/providers/common/include/prov/fipscommon.h deleted file mode 100644 index 2fd97bade84..00000000000 --- a/providers/common/include/prov/fipscommon.h +++ /dev/null 
@@ -1,40 +0,0 @@
-/*
- * Copyright 2023 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License"). You may not use
- * this file except in compliance with the License. You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#ifdef FIPS_MODULE
-# include
-
-int FIPS_security_check_enabled(OSSL_LIB_CTX *libctx);
-int FIPS_tls_prf_ems_check(OSSL_LIB_CTX *libctx);
-int FIPS_no_short_mac(OSSL_LIB_CTX *libctx);
-int FIPS_hmac_key_check(OSSL_LIB_CTX *libctx);
-int FIPS_kmac_key_check(OSSL_LIB_CTX *libctx);
-int FIPS_restricted_drbg_digests_enabled(OSSL_LIB_CTX *libctx);
-int FIPS_fips_signature_digest_check(OSSL_LIB_CTX *libctx);
-int FIPS_hkdf_digest_check(OSSL_LIB_CTX *libctx);
-int FIPS_tls13_kdf_digest_check(OSSL_LIB_CTX *libctx);
-int FIPS_tls1_prf_digest_check(OSSL_LIB_CTX *libctx);
-int FIPS_sshkdf_digest_check(OSSL_LIB_CTX *libctx);
-int FIPS_sskdf_digest_check(OSSL_LIB_CTX *libctx);
-int FIPS_x963kdf_digest_check(OSSL_LIB_CTX *libctx);
-int FIPS_dsa_sign_check(OSSL_LIB_CTX *libctx);
-int FIPS_tdes_encrypt_check(OSSL_LIB_CTX *libctx);
-int FIPS_rsa_pkcs15_padding_disabled(OSSL_LIB_CTX *libctx);
-int FIPS_rsa_pss_saltlen_check(OSSL_LIB_CTX *libctx);
-int FIPS_rsa_sign_x931_disallowed(OSSL_LIB_CTX *libctx);
-int FIPS_hkdf_key_check(OSSL_LIB_CTX *libctx);
-int FIPS_kbkdf_key_check(OSSL_LIB_CTX *libctx);
-int FIPS_tls13_kdf_key_check(OSSL_LIB_CTX *libctx);
-int FIPS_tls1_prf_key_check(OSSL_LIB_CTX *libctx);
-int FIPS_sshkdf_key_check(OSSL_LIB_CTX *libctx);
-int FIPS_sskdf_key_check(OSSL_LIB_CTX *libctx);
-int FIPS_x963kdf_key_check(OSSL_LIB_CTX *libctx);
-int FIPS_pbkdf2_lower_bound_check(OSSL_LIB_CTX *libctx);
-int FIPS_ecdh_cofactor_check(OSSL_LIB_CTX *libctx);
-#endif
diff --git a/providers/common/include/prov/securitycheck.h b/providers/common/include/prov/securitycheck.h
index a932c7771de..29a2b7fbf81 100644
--- a/providers/common/include/prov/securitycheck.h +++ b/providers/common/include/prov/securitycheck.h @@ -10,9 +10,7 @@ #include "crypto/types.h" #include -#ifdef FIPS_MODULE -# include "fipscommon.h" -#endif +#include "fips/fipsindicator.h" /* Functions that are common */ int ossl_rsa_key_op_get_protect(const RSA *rsa, int operation, int *outprotect); @@ -38,4 +36,4 @@ int ossl_digest_get_approved_nid(const EVP_MD *md); /* Functions that have different implementations for the FIPS_MODULE */ int ossl_digest_rsa_sign_get_md_nid(const EVP_MD *md); -int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx); +int ossl_fips_config_securitycheck_enabled(OSSL_LIB_CTX *libctx); diff --git a/providers/common/securitycheck.c b/providers/common/securitycheck.c index fc22d5c3a09..8748d4a5cc6 100644 --- a/providers/common/securitycheck.c +++ b/providers/common/securitycheck.c @@ -19,7 +19,6 @@ #include #include #include "prov/securitycheck.h" -#include "prov/fipsindicator.h" #define OSSL_FIPS_MIN_SECURITY_STRENGTH_BITS 112 diff --git a/providers/common/securitycheck_default.c b/providers/common/securitycheck_default.c index 19916a46ca5..5a8ab8c6df3 100644 --- a/providers/common/securitycheck_default.c +++ b/providers/common/securitycheck_default.c @@ -17,7 +17,7 @@ #include "internal/nelem.h" /* Disable the security checks in the default provider */ -int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx) +int ossl_fips_config_securitycheck_enabled(OSSL_LIB_CTX *libctx) { return 0; } diff --git a/providers/common/securitycheck_fips.c b/providers/common/securitycheck_fips.c index 617d3bd2b78..0d257adf7c3 100644 --- a/providers/common/securitycheck_fips.c +++ b/providers/common/securitycheck_fips.c 
@@ -18,13 +18,11 @@ #include #include #include "prov/securitycheck.h" -#include "prov/fipsindicator.h" -#include "prov/fipscommon.h" -int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx) +int ossl_fips_config_securitycheck_enabled(OSSL_LIB_CTX *libctx) { #if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS) - return FIPS_security_check_enabled(libctx); + return ossl_fips_config_security_checks(libctx); #else return 0; #endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */ @@ -43,7 +41,7 @@ int ossl_fips_ind_rsa_key_check(OSSL_FIPS_IND *ind, int id, if (!key_approved) { if (!ossl_FIPS_IND_on_unapproved(ind, id, libctx, desc, "Key size", - ossl_securitycheck_enabled)) { + ossl_fips_config_securitycheck_enabled)) { ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH, "operation: %s", desc); return 0; @@ -68,7 +66,7 @@ int ossl_fips_ind_ec_key_check(OSSL_FIPS_IND *ind, int id, if (!strength_allowed || !curve_allowed) { if (!ossl_FIPS_IND_on_unapproved(ind, id, libctx, desc, "EC Key", - ossl_securitycheck_enabled)) { + ossl_fips_config_securitycheck_enabled)) { if (!curve_allowed) ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CURVE); if (!strength_allowed) @@ -88,7 +86,7 @@ int ossl_fips_ind_digest_check(OSSL_FIPS_IND *ind, int id, if (!approved) { if (!ossl_FIPS_IND_on_unapproved(ind, id, libctx, desc, "Digest", - ossl_securitycheck_enabled)) { + ossl_fips_config_securitycheck_enabled)) { ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST); return 0; } diff --git a/providers/fips/fipsindicator.c b/providers/fips/fipsindicator.c index a1deebdd724..d514ca6ecd9 100644 --- a/providers/fips/fipsindicator.c +++ b/providers/fips/fipsindicator.c @@ -10,8 +10,8 @@ #include #include #include -#include "prov/fipsindicator.h" #include "internal/common.h" /* for ossl_assert() */ +#include "fips/fipsindicator.h" void ossl_FIPS_IND_init(OSSL_FIPS_IND *ind) { diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c index 6de56ddb88f..13df65faed3 100644 --- a/providers/fips/fipsprov.c 
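Review bot: After the rename in securitycheck_fips.c, the wrapper `ossl_fips_config_securitycheck_enabled()` and the function it calls, `ossl_fips_config_security_checks()`, differ by only a few characters, yet only the wrapper honours `OPENSSL_NO_FIPS_SECURITYCHECKS`. Both are called with an `OSSL_LIB_CTX *` and used as an int result here, so handing the inner one to `ossl_FIPS_IND_on_unapproved()` as the callback would most likely compile and ignore the build-time switch. A comment above the wrapper would make the distinction explicit: `/* Callers use this, not ossl_fips_config_security_checks(): it returns 0 when OPENSSL_NO_FIPS_SECURITYCHECKS is defined */`. The three call-site hunks that follow in this file all pass the wrapper.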
+++ b/providers/fips/fipsprov.c @@ -23,10 +23,10 @@ #include "prov/providercommon.h" #include "prov/provider_util.h" #include "prov/seeding.h" -#include "prov/fipscommon.h" #include "internal/nelem.h" #include "self_test.h" #include "crypto/context.h" +#include "fipscommon.h" #include "internal/core.h" static const char FIPS_DEFAULT_PROPERTIES[] = "provider=fips,fips=yes"; @@ -87,33 +87,12 @@ typedef struct { typedef struct fips_global_st { const OSSL_CORE_HANDLE *handle; SELF_TEST_POST_PARAMS selftest_params; - FIPS_OPTION fips_security_checks; - FIPS_OPTION fips_tls1_prf_ems_check; - FIPS_OPTION fips_no_short_mac; - FIPS_OPTION fips_hmac_key_check; - FIPS_OPTION fips_kmac_key_check; - FIPS_OPTION fips_restricted_drgb_digests; - FIPS_OPTION fips_signature_digest_check; - FIPS_OPTION fips_hkdf_digest_check; - FIPS_OPTION fips_tls13_kdf_digest_check; - FIPS_OPTION fips_tls1_prf_digest_check; - FIPS_OPTION fips_sshkdf_digest_check; - FIPS_OPTION fips_sskdf_digest_check; - FIPS_OPTION fips_x963kdf_digest_check; - FIPS_OPTION fips_dsa_sign_disallowed; - FIPS_OPTION fips_tdes_encrypt_disallowed; - FIPS_OPTION fips_rsa_pkcs15_padding_disabled; - FIPS_OPTION fips_rsa_pss_saltlen_check; - FIPS_OPTION fips_rsa_sign_x931_disallowed; - FIPS_OPTION fips_hkdf_key_check; - FIPS_OPTION fips_kbkdf_key_check; - FIPS_OPTION fips_tls13_kdf_key_check; - FIPS_OPTION fips_tls1_prf_key_check; - FIPS_OPTION fips_sshkdf_key_check; - FIPS_OPTION fips_sskdf_key_check; - FIPS_OPTION fips_x963kdf_key_check; - FIPS_OPTION fips_pbkdf2_lower_bound_check; - FIPS_OPTION fips_ecdh_cofactor_check; + +#define OSSL_FIPS_PARAM(structname, paramname, initvalue) \ + FIPS_OPTION fips_##structname; +#include "fips_indicator_params.inc" +#undef OSSL_FIPS_PARAM + } FIPS_GLOBAL; static void init_fips_option(FIPS_OPTION *opt, int enabled) 
@@ -128,33 +107,12 @@ void *ossl_fips_prov_ossl_ctx_new(OSSL_LIB_CTX *libctx) if (fgbl == NULL) return NULL; - init_fips_option(&fgbl->fips_security_checks, 1); - init_fips_option(&fgbl->fips_tls1_prf_ems_check, 0); /* Disabled by default */ - init_fips_option(&fgbl->fips_no_short_mac, 1); - init_fips_option(&fgbl->fips_hmac_key_check, 0); - init_fips_option(&fgbl->fips_kmac_key_check, 0); - init_fips_option(&fgbl->fips_restricted_drgb_digests, 0); - init_fips_option(&fgbl->fips_signature_digest_check, 0); - init_fips_option(&fgbl->fips_hkdf_digest_check, 0); - init_fips_option(&fgbl->fips_tls13_kdf_digest_check, 0); - init_fips_option(&fgbl->fips_tls1_prf_digest_check, 0); - init_fips_option(&fgbl->fips_sshkdf_digest_check, 0); - init_fips_option(&fgbl->fips_sskdf_digest_check, 0); - init_fips_option(&fgbl->fips_x963kdf_digest_check, 0); - init_fips_option(&fgbl->fips_dsa_sign_disallowed, 0); - init_fips_option(&fgbl->fips_tdes_encrypt_disallowed, 0); - init_fips_option(&fgbl->fips_rsa_pkcs15_padding_disabled, 0); - init_fips_option(&fgbl->fips_rsa_pss_saltlen_check, 0); - init_fips_option(&fgbl->fips_rsa_sign_x931_disallowed, 0); - init_fips_option(&fgbl->fips_hkdf_key_check, 0); - init_fips_option(&fgbl->fips_kbkdf_key_check, 0); - init_fips_option(&fgbl->fips_tls13_kdf_key_check, 0); - init_fips_option(&fgbl->fips_tls1_prf_key_check, 0); - init_fips_option(&fgbl->fips_sshkdf_key_check, 0); - init_fips_option(&fgbl->fips_sskdf_key_check, 0); - init_fips_option(&fgbl->fips_x963kdf_key_check, 0); - init_fips_option(&fgbl->fips_pbkdf2_lower_bound_check, 1); - init_fips_option(&fgbl->fips_ecdh_cofactor_check, 0); + +#define OSSL_FIPS_PARAM(structname, paramname, initvalue) \ + init_fips_option(&fgbl->fips_##structname, initvalue); +#include "fips_indicator_params.inc" +#undef OSSL_FIPS_PARAM + return fgbl; } 
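Review bot: The per-option defaults are no longer readable at this call site, because `initvalue` now comes from fips_indicator_params.inc, which this part of the diff does not show. The removed lines enabled exactly three options by default (`fips_security_checks`, `fips_no_short_mac` and `fips_pbkdf2_lower_bound_check`) and set every other option to 0, so the .inc needs checking entry by entry against that list; a wrong value there presumably changes enforcement whenever the configuration does not set the option. A comment above the macro would record the meaning of the third argument: `/* initvalue: state of the option when the config does not set it */`. ossl_fips_prov_ossl_ctx_new begins before this hunk.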
@@ -163,143 +121,32 @@ void ossl_fips_prov_ossl_ctx_free(void *fgbl) OPENSSL_free(fgbl); } -/* Parameters we provide to the core */ -static const OSSL_PARAM fips_param_types[] = { - OSSL_PARAM_DEFN(OSSL_PROV_PARAM_NAME, OSSL_PARAM_UTF8_PTR, NULL, 0), - OSSL_PARAM_DEFN(OSSL_PROV_PARAM_VERSION, OSSL_PARAM_UTF8_PTR, NULL, 0), - OSSL_PARAM_DEFN(OSSL_PROV_PARAM_BUILDINFO, OSSL_PARAM_UTF8_PTR, NULL, 0), - OSSL_PARAM_DEFN(OSSL_PROV_PARAM_STATUS, OSSL_PARAM_INTEGER, NULL, 0), - OSSL_PARAM_DEFN(OSSL_PROV_PARAM_SECURITY_CHECKS, OSSL_PARAM_INTEGER, NULL, 0), - OSSL_PARAM_DEFN(OSSL_PROV_PARAM_TLS1_PRF_EMS_CHECK, OSSL_PARAM_INTEGER, NULL, 0), - OSSL_PARAM_DEFN(OSSL_PROV_PARAM_NO_SHORT_MAC, OSSL_PARAM_INTEGER, NULL, 0), - OSSL_PARAM_DEFN(OSSL_PROV_PARAM_HMAC_KEY_CHECK, OSSL_PARAM_INTEGER, NULL, 0), - OSSL_PARAM_DEFN(OSSL_PROV_PARAM_DRBG_TRUNC_DIGEST, OSSL_PARAM_INTEGER, NULL, 0), - OSSL_PARAM_DEFN(OSSL_PROV_PARAM_HKDF_DIGEST_CHECK, OSSL_PARAM_INTEGER, NULL, - 0), - OSSL_PARAM_DEFN(OSSL_PROV_PARAM_TLS13_KDF_DIGEST_CHECK, OSSL_PARAM_INTEGER, - NULL, 0), - OSSL_PARAM_DEFN(OSSL_PROV_PARAM_TLS1_PRF_DIGEST_CHECK, OSSL_PARAM_INTEGER, - NULL, 0), - OSSL_PARAM_DEFN(OSSL_PROV_PARAM_SSHKDF_DIGEST_CHECK, OSSL_PARAM_INTEGER, - NULL, 0), - OSSL_PARAM_DEFN(OSSL_PROV_PARAM_SSKDF_DIGEST_CHECK, OSSL_PARAM_INTEGER, - NULL, 0), - OSSL_PARAM_DEFN(OSSL_PROV_PARAM_X963KDF_DIGEST_CHECK, OSSL_PARAM_INTEGER, - NULL, 0), - OSSL_PARAM_DEFN(OSSL_PROV_PARAM_DSA_SIGN_DISABLED, OSSL_PARAM_INTEGER, - NULL, 0), - OSSL_PARAM_DEFN(OSSL_PROV_PARAM_TDES_ENCRYPT_DISABLED, OSSL_PARAM_INTEGER, - NULL, 0), - OSSL_PARAM_DEFN(OSSL_PROV_PARAM_RSA_SIGN_X931_PAD_DISABLED, - OSSL_PARAM_INTEGER, NULL, 0), - OSSL_PARAM_DEFN(OSSL_PROV_PARAM_HKDF_KEY_CHECK, OSSL_PARAM_INTEGER, NULL, - 0), - OSSL_PARAM_DEFN(OSSL_PROV_PARAM_KMAC_KEY_CHECK, OSSL_PARAM_INTEGER, NULL, - 0), - OSSL_PARAM_DEFN(OSSL_PROV_PARAM_TLS13_KDF_KEY_CHECK, OSSL_PARAM_INTEGER, - NULL, 0), - OSSL_PARAM_DEFN(OSSL_PROV_PARAM_TLS1_PRF_KEY_CHECK, OSSL_PARAM_INTEGER, - 
NULL, 0), - OSSL_PARAM_DEFN(OSSL_PROV_PARAM_SSHKDF_KEY_CHECK, OSSL_PARAM_INTEGER, NULL, - 0), - OSSL_PARAM_DEFN(OSSL_PROV_PARAM_SSKDF_KEY_CHECK, OSSL_PARAM_INTEGER, NULL, - 0), - OSSL_PARAM_DEFN(OSSL_PROV_PARAM_X963KDF_KEY_CHECK, OSSL_PARAM_INTEGER, NULL, - 0), - OSSL_PARAM_DEFN(OSSL_PROV_PARAM_PBKDF2_LOWER_BOUND_CHECK, - OSSL_PARAM_INTEGER, NULL, 0), - OSSL_PARAM_DEFN(OSSL_PROV_PARAM_ECDH_COFACTOR_CHECK, OSSL_PARAM_INTEGER, - NULL, 0), - OSSL_PARAM_END -}; - +/* + * Parameters to retrieve from the core provider + * NOTE: inside core_get_params() these will be loaded from config items + * stored inside prov->parameters + */ static int fips_get_params_from_core(FIPS_GLOBAL *fgbl) { - /* - * Parameters to retrieve from the core provider - required for self testing. - * NOTE: inside core_get_params() these will be loaded from config items - * stored inside prov->parameters (except for - * OSSL_PROV_PARAM_CORE_MODULE_FILENAME). - * OSSL_PROV_FIPS_PARAM_SECURITY_CHECKS and - * OSSL_PROV_FIPS_PARAM_TLS1_PRF_EMS_CHECK are not self test parameters. 
- */ - OSSL_PARAM core_params[31], *p = core_params; - -/* FIPS self test params */ -#define FIPS_FEATURE_SELF_TEST(fgbl, pname, field) \ - *p++ = OSSL_PARAM_construct_utf8_ptr(pname, \ - (char **)&fgbl->selftest_params.field,\ - sizeof(fgbl->selftest_params.field)) - - FIPS_FEATURE_SELF_TEST(fgbl, OSSL_PROV_PARAM_CORE_MODULE_FILENAME, - module_filename); - FIPS_FEATURE_SELF_TEST(fgbl, OSSL_PROV_FIPS_PARAM_MODULE_MAC, - module_checksum_data); - FIPS_FEATURE_SELF_TEST(fgbl, OSSL_PROV_FIPS_PARAM_CONDITIONAL_ERRORS, - conditional_error_check); -#undef FIPS_FEATURE_SELF_TEST - -/* FIPS features can be enabled or disabled independently */ -#define FIPS_FEATURE_OPTION(fgbl, pname, field) \ - *p++ = OSSL_PARAM_construct_utf8_ptr( \ - pname, (char **)&fgbl->field.option, \ - sizeof(fgbl->field.option)) - - FIPS_FEATURE_OPTION(fgbl, OSSL_PROV_FIPS_PARAM_SECURITY_CHECKS, - fips_security_checks); - FIPS_FEATURE_OPTION(fgbl, OSSL_PROV_FIPS_PARAM_TLS1_PRF_EMS_CHECK, - fips_tls1_prf_ems_check); - FIPS_FEATURE_OPTION(fgbl, OSSL_PROV_FIPS_PARAM_NO_SHORT_MAC, - fips_no_short_mac); - FIPS_FEATURE_OPTION(fgbl, OSSL_PROV_FIPS_PARAM_HMAC_KEY_CHECK, - fips_hmac_key_check); - FIPS_FEATURE_OPTION(fgbl, OSSL_PROV_FIPS_PARAM_KMAC_KEY_CHECK, - fips_kmac_key_check); - FIPS_FEATURE_OPTION(fgbl, OSSL_PROV_FIPS_PARAM_DRBG_TRUNC_DIGEST, - fips_restricted_drgb_digests); - FIPS_FEATURE_OPTION(fgbl, OSSL_PROV_FIPS_PARAM_SIGNATURE_DIGEST_CHECK, - fips_signature_digest_check); - FIPS_FEATURE_OPTION(fgbl, OSSL_PROV_FIPS_PARAM_HKDF_DIGEST_CHECK, - fips_hkdf_digest_check); - FIPS_FEATURE_OPTION(fgbl, OSSL_PROV_FIPS_PARAM_TLS13_KDF_DIGEST_CHECK, - fips_tls13_kdf_digest_check); - FIPS_FEATURE_OPTION(fgbl, OSSL_PROV_FIPS_PARAM_TLS1_PRF_DIGEST_CHECK, - fips_tls1_prf_digest_check); - FIPS_FEATURE_OPTION(fgbl, OSSL_PROV_FIPS_PARAM_SSHKDF_DIGEST_CHECK, - fips_sshkdf_digest_check); - FIPS_FEATURE_OPTION(fgbl, OSSL_PROV_FIPS_PARAM_SSKDF_DIGEST_CHECK, - fips_sskdf_digest_check); - FIPS_FEATURE_OPTION(fgbl, 
OSSL_PROV_FIPS_PARAM_X963KDF_DIGEST_CHECK, - fips_x963kdf_digest_check); - FIPS_FEATURE_OPTION(fgbl, OSSL_PROV_FIPS_PARAM_DSA_SIGN_DISABLED, - fips_dsa_sign_disallowed); - FIPS_FEATURE_OPTION(fgbl, OSSL_PROV_FIPS_PARAM_TDES_ENCRYPT_DISABLED, - fips_tdes_encrypt_disallowed); - FIPS_FEATURE_OPTION(fgbl, OSSL_PROV_FIPS_PARAM_RSA_PKCS15_PADDING_DISABLED, - fips_rsa_pkcs15_padding_disabled); - FIPS_FEATURE_OPTION(fgbl, OSSL_PROV_FIPS_PARAM_RSA_PSS_SALTLEN_CHECK, - fips_rsa_pss_saltlen_check); - FIPS_FEATURE_OPTION(fgbl, OSSL_PROV_FIPS_PARAM_RSA_SIGN_X931_PAD_DISABLED, - fips_rsa_sign_x931_disallowed); - FIPS_FEATURE_OPTION(fgbl, OSSL_PROV_FIPS_PARAM_HKDF_KEY_CHECK, - fips_hkdf_key_check); - FIPS_FEATURE_OPTION(fgbl, OSSL_PROV_FIPS_PARAM_KBKDF_KEY_CHECK, - fips_kbkdf_key_check); - FIPS_FEATURE_OPTION(fgbl, OSSL_PROV_FIPS_PARAM_TLS13_KDF_KEY_CHECK, - fips_tls13_kdf_key_check); - FIPS_FEATURE_OPTION(fgbl, OSSL_PROV_FIPS_PARAM_TLS1_PRF_KEY_CHECK, - fips_tls1_prf_key_check); - FIPS_FEATURE_OPTION(fgbl, OSSL_PROV_FIPS_PARAM_SSHKDF_KEY_CHECK, - fips_sshkdf_key_check); - FIPS_FEATURE_OPTION(fgbl, OSSL_PROV_FIPS_PARAM_SSKDF_KEY_CHECK, - fips_sskdf_key_check); - FIPS_FEATURE_OPTION(fgbl, OSSL_PROV_FIPS_PARAM_X963KDF_KEY_CHECK, - fips_x963kdf_key_check); - FIPS_FEATURE_OPTION(fgbl, OSSL_PROV_FIPS_PARAM_PBKDF2_LOWER_BOUND_CHECK, - fips_pbkdf2_lower_bound_check); - FIPS_FEATURE_OPTION(fgbl, OSSL_PROV_FIPS_PARAM_ECDH_COFACTOR_CHECK, - fips_ecdh_cofactor_check); -#undef FIPS_FEATURE_OPTION + OSSL_PARAM core_params[32], *p = core_params; + +#define OSSL_FIPS_PARAM(structname, paramname) \ + *p++ = OSSL_PARAM_construct_utf8_ptr( \ + paramname, (char **)&fgbl->selftest_params.structname, \ + sizeof(fgbl->selftest_params.structname)); + +/* Parameters required for self testing */ +#include "fips_selftest_params.inc" +#undef OSSL_FIPS_PARAM + +/* FIPS indicator options can be enabled or disabled independently */ +#define OSSL_FIPS_PARAM(structname, paramname, initvalue) \ + *p++ = 
OSSL_PARAM_construct_utf8_ptr( \ + OSSL_PROV_PARAM_##paramname, \ + (char **)&fgbl->fips_##structname.option, \ + sizeof(fgbl->fips_##structname.option)); +#include "fips_indicator_params.inc" +#undef OSSL_FIPS_PARAM *p = OSSL_PARAM_construct_end(); @@ -313,6 +160,20 @@ static int fips_get_params_from_core(FIPS_GLOBAL *fgbl) static const OSSL_PARAM *fips_gettable_params(void *provctx) { + /* Parameters we provide to the core */ + static const OSSL_PARAM fips_param_types[] = { + OSSL_PARAM_DEFN(OSSL_PROV_PARAM_NAME, OSSL_PARAM_UTF8_PTR, NULL, 0), + OSSL_PARAM_DEFN(OSSL_PROV_PARAM_VERSION, OSSL_PARAM_UTF8_PTR, NULL, 0), + OSSL_PARAM_DEFN(OSSL_PROV_PARAM_BUILDINFO, OSSL_PARAM_UTF8_PTR, NULL, 0), + OSSL_PARAM_DEFN(OSSL_PROV_PARAM_STATUS, OSSL_PARAM_INTEGER, NULL, 0), + +#define OSSL_FIPS_PARAM(structname, paramname, initvalue) \ + OSSL_PARAM_DEFN(OSSL_PROV_PARAM_##paramname, OSSL_PARAM_INTEGER, NULL, 0), +#include "fips_indicator_params.inc" +#undef OSSL_FIPS_PARAM + + OSSL_PARAM_END + }; return fips_param_types; } 
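Review bot: `core_params[32]` in fips_get_params_from_core is a hand-counted stack array, but its entries are now produced by two X-macro includes with no bound on `p`, so one more line in either .inc writes past the end of the array. The old code was also hand-counted, yet the entries sat next to the size; now the count depends on two files that this diff does not show, and whether 32 is right today cannot be confirmed from here. I would derive the size from the same lists so it cannot drift, as sketched below; this assumes both .inc files contain nothing except `OSSL_FIPS_PARAM(...)` invocations. The function continues past the end of this hunk.

```c
static int fips_get_params_from_core(FIPS_GLOBAL *fgbl)
{
    /* One slot per list entry, plus one for the terminator */
    enum {
        FIPS_CORE_PARAM_SLOTS = 1
#define OSSL_FIPS_PARAM(structname, paramname) + 1
#include "fips_selftest_params.inc"
#undef OSSL_FIPS_PARAM
#define OSSL_FIPS_PARAM(structname, paramname, initvalue) + 1
#include "fips_indicator_params.inc"
#undef OSSL_FIPS_PARAM
    };
    OSSL_PARAM core_params[FIPS_CORE_PARAM_SLOTS], *p = core_params;

    /* … unchanged: the two OSSL_FIPS_PARAM fill passes and OSSL_PARAM_construct_end() … */
```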
@@ -335,66 +196,13 @@ static int fips_get_params(void *provctx, OSSL_PARAM params[]) if (p != NULL && !OSSL_PARAM_set_int(p, ossl_prov_is_running())) return 0; -#define FIPS_FEATURE_GET(fgbl, pname, field) \ - p = OSSL_PARAM_locate(params, pname); \ - if (p != NULL && !OSSL_PARAM_set_int(p, fgbl->field.enabled)) \ - return 0 - - FIPS_FEATURE_GET(fgbl, OSSL_PROV_PARAM_SECURITY_CHECKS, - fips_security_checks); - FIPS_FEATURE_GET(fgbl, OSSL_PROV_PARAM_TLS1_PRF_EMS_CHECK, - fips_tls1_prf_ems_check); - FIPS_FEATURE_GET(fgbl, OSSL_PROV_PARAM_NO_SHORT_MAC, - fips_no_short_mac); - FIPS_FEATURE_GET(fgbl, OSSL_PROV_PARAM_HMAC_KEY_CHECK, - fips_hmac_key_check); - FIPS_FEATURE_GET(fgbl, OSSL_PROV_PARAM_KMAC_KEY_CHECK, - fips_kmac_key_check); - FIPS_FEATURE_GET(fgbl, OSSL_PROV_PARAM_DRBG_TRUNC_DIGEST, - fips_restricted_drgb_digests); - FIPS_FEATURE_GET(fgbl, OSSL_PROV_FIPS_PARAM_SIGNATURE_DIGEST_CHECK, - fips_signature_digest_check); - FIPS_FEATURE_GET(fgbl, OSSL_PROV_PARAM_HKDF_DIGEST_CHECK, - fips_hkdf_digest_check); - FIPS_FEATURE_GET(fgbl, OSSL_PROV_PARAM_TLS13_KDF_DIGEST_CHECK, - fips_tls13_kdf_digest_check); - FIPS_FEATURE_GET(fgbl, OSSL_PROV_PARAM_TLS1_PRF_DIGEST_CHECK, - fips_tls1_prf_digest_check); - FIPS_FEATURE_GET(fgbl, OSSL_PROV_PARAM_SSHKDF_DIGEST_CHECK, - fips_sshkdf_digest_check); - FIPS_FEATURE_GET(fgbl, OSSL_PROV_PARAM_SSKDF_DIGEST_CHECK, - fips_sskdf_digest_check); - FIPS_FEATURE_GET(fgbl, OSSL_PROV_PARAM_X963KDF_DIGEST_CHECK, - fips_x963kdf_digest_check); - FIPS_FEATURE_GET(fgbl, OSSL_PROV_PARAM_DSA_SIGN_DISABLED, - fips_dsa_sign_disallowed); - FIPS_FEATURE_GET(fgbl, OSSL_PROV_PARAM_TDES_ENCRYPT_DISABLED, - fips_tdes_encrypt_disallowed); - FIPS_FEATURE_GET(fgbl, OSSL_PROV_FIPS_PARAM_RSA_PKCS15_PADDING_DISABLED, - fips_rsa_pkcs15_padding_disabled); - FIPS_FEATURE_GET(fgbl, OSSL_PROV_PARAM_RSA_PSS_SALTLEN_CHECK, - fips_rsa_pss_saltlen_check); - FIPS_FEATURE_GET(fgbl, OSSL_PROV_PARAM_RSA_SIGN_X931_PAD_DISABLED, - fips_rsa_sign_x931_disallowed); - 
FIPS_FEATURE_GET(fgbl, OSSL_PROV_PARAM_HKDF_KEY_CHECK, - fips_hkdf_key_check); - FIPS_FEATURE_GET(fgbl, OSSL_PROV_PARAM_KBKDF_KEY_CHECK, - fips_kbkdf_key_check); - FIPS_FEATURE_GET(fgbl, OSSL_PROV_PARAM_TLS13_KDF_KEY_CHECK, - fips_tls13_kdf_key_check); - FIPS_FEATURE_GET(fgbl, OSSL_PROV_PARAM_TLS1_PRF_KEY_CHECK, - fips_tls1_prf_key_check); - FIPS_FEATURE_GET(fgbl, OSSL_PROV_PARAM_SSHKDF_KEY_CHECK, - fips_sshkdf_key_check); - FIPS_FEATURE_GET(fgbl, OSSL_PROV_PARAM_SSKDF_KEY_CHECK, - fips_sskdf_key_check); - FIPS_FEATURE_GET(fgbl, OSSL_PROV_PARAM_X963KDF_KEY_CHECK, - fips_x963kdf_key_check); - FIPS_FEATURE_GET(fgbl, OSSL_PROV_PARAM_PBKDF2_LOWER_BOUND_CHECK, - fips_pbkdf2_lower_bound_check); - FIPS_FEATURE_GET(fgbl, OSSL_PROV_PARAM_ECDH_COFACTOR_CHECK, - fips_ecdh_cofactor_check); -#undef FIPS_FEATURE_GET +#define OSSL_FIPS_PARAM(structname, paramname, initvalue) \ + p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_##paramname); \ + if (p != NULL && !OSSL_PARAM_set_int(p, fgbl->fips_##structname.enabled)) \ + return 0; +#include "fips_indicator_params.inc" +#undef OSSL_FIPS_PARAM + return 1; } 
@@ -959,44 +767,17 @@ int OSSL_provider_init_int(const OSSL_CORE_HANDLE *handle, SELF_TEST_disable_conditional_error_state(); /* Enable or disable FIPS provider options */ -#define FIPS_SET_OPTION(fgbl, field) \ - if (fgbl->field.option != NULL) { \ - if (strcmp(fgbl->field.option, "1") == 0) \ - fgbl->field.enabled = 1; \ - else if (strcmp(fgbl->field.option, "0") == 0) \ - fgbl->field.enabled = 0; \ - else \ - goto err; \ +#define OSSL_FIPS_PARAM(structname, paramname, unused) \ + if (fgbl->fips_##structname.option != NULL) { \ + if (strcmp(fgbl->fips_##structname.option, "1") == 0) \ + fgbl->fips_##structname.enabled = 1; \ + else if (strcmp(fgbl->fips_##structname.option, "0") == 0) \ + fgbl->fips_##structname.enabled = 0; \ + else \ + goto err; \ } - - FIPS_SET_OPTION(fgbl, fips_security_checks); - FIPS_SET_OPTION(fgbl, fips_tls1_prf_ems_check); - FIPS_SET_OPTION(fgbl, fips_no_short_mac); - FIPS_SET_OPTION(fgbl, fips_hmac_key_check); - FIPS_SET_OPTION(fgbl, fips_kmac_key_check); - FIPS_SET_OPTION(fgbl, fips_restricted_drgb_digests); - FIPS_SET_OPTION(fgbl, fips_signature_digest_check); - FIPS_SET_OPTION(fgbl, fips_hkdf_digest_check); - FIPS_SET_OPTION(fgbl, fips_tls13_kdf_digest_check); - FIPS_SET_OPTION(fgbl, fips_tls1_prf_digest_check); - FIPS_SET_OPTION(fgbl, fips_sshkdf_digest_check); - FIPS_SET_OPTION(fgbl, fips_sskdf_digest_check); - FIPS_SET_OPTION(fgbl, fips_x963kdf_digest_check); - FIPS_SET_OPTION(fgbl, fips_dsa_sign_disallowed); - FIPS_SET_OPTION(fgbl, fips_tdes_encrypt_disallowed); - FIPS_SET_OPTION(fgbl, fips_rsa_pkcs15_padding_disabled); - FIPS_SET_OPTION(fgbl, fips_rsa_pss_saltlen_check); - FIPS_SET_OPTION(fgbl, fips_rsa_sign_x931_disallowed); - FIPS_SET_OPTION(fgbl, fips_hkdf_key_check); - FIPS_SET_OPTION(fgbl, fips_kbkdf_key_check); - FIPS_SET_OPTION(fgbl, fips_tls13_kdf_key_check); - FIPS_SET_OPTION(fgbl, fips_tls1_prf_key_check); - FIPS_SET_OPTION(fgbl, fips_sshkdf_key_check); - FIPS_SET_OPTION(fgbl, fips_sskdf_key_check); - 
FIPS_SET_OPTION(fgbl, fips_x963kdf_key_check); - FIPS_SET_OPTION(fgbl, fips_pbkdf2_lower_bound_check); - FIPS_SET_OPTION(fgbl, fips_ecdh_cofactor_check); -#undef FIPS_SET_OPTION +#include "fips_indicator_params.inc" +#undef OSSL_FIPS_PARAM ossl_prov_cache_exported_algorithms(fips_ciphers, exported_fips_ciphers); 
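Review bot: The generated option parser in OSSL_provider_init_int takes `goto err` for any value other than "0" or "1" without recording which option was malformed, so a bad fipsmodule.cnf entry shows up only as a generic provider load failure (as far as the hunk shows; the `err` label is outside it). Failing closed is the right behaviour, but the macro has the parameter name at hand and could report it: `else { ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CONFIG_DATA, "%s", OSSL_PROV_PARAM_##paramname); goto err; }`. A short comment above the `#define` should also say that an option whose key is absent (`option == NULL`) keeps its compiled-in default, since that is what decides whether a check is enforced when the config file omits it.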
@@ -1191,46 +972,16 @@ int BIO_snprintf(char *buf, size_t n, const char *format, ...) return ret; } -#define FIPS_FEATURE_CHECK(fname, field) \ - int fname(OSSL_LIB_CTX *libctx) \ - { \ - FIPS_GLOBAL *fgbl = \ - ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_FIPS_PROV_INDEX); \ - return fgbl->field.enabled; \ +#define OSSL_FIPS_PARAM(structname, paramname, unused) \ + int ossl_fips_config_##structname(OSSL_LIB_CTX *libctx) \ + { \ + FIPS_GLOBAL *fgbl = \ + ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_FIPS_PROV_INDEX); \ + \ + return fgbl->fips_##structname.enabled; \ } - -FIPS_FEATURE_CHECK(FIPS_security_check_enabled, fips_security_checks) -FIPS_FEATURE_CHECK(FIPS_tls_prf_ems_check, fips_tls1_prf_ems_check) -FIPS_FEATURE_CHECK(FIPS_no_short_mac, fips_no_short_mac) -FIPS_FEATURE_CHECK(FIPS_hmac_key_check, fips_hmac_key_check) -FIPS_FEATURE_CHECK(FIPS_kmac_key_check, fips_kmac_key_check) -FIPS_FEATURE_CHECK(FIPS_restricted_drbg_digests_enabled, - fips_restricted_drgb_digests) -FIPS_FEATURE_CHECK(FIPS_fips_signature_digest_check, fips_signature_digest_check) -FIPS_FEATURE_CHECK(FIPS_hkdf_digest_check, fips_hkdf_digest_check) -FIPS_FEATURE_CHECK(FIPS_tls13_kdf_digest_check, fips_tls13_kdf_digest_check) -FIPS_FEATURE_CHECK(FIPS_tls1_prf_digest_check, fips_tls1_prf_digest_check) -FIPS_FEATURE_CHECK(FIPS_sshkdf_digest_check, fips_sshkdf_digest_check) -FIPS_FEATURE_CHECK(FIPS_sskdf_digest_check, fips_sskdf_digest_check) -FIPS_FEATURE_CHECK(FIPS_x963kdf_digest_check, fips_x963kdf_digest_check) -FIPS_FEATURE_CHECK(FIPS_dsa_sign_check, fips_dsa_sign_disallowed) -FIPS_FEATURE_CHECK(FIPS_tdes_encrypt_check, fips_tdes_encrypt_disallowed) -FIPS_FEATURE_CHECK(FIPS_rsa_pkcs15_padding_disabled, - fips_rsa_pkcs15_padding_disabled) -FIPS_FEATURE_CHECK(FIPS_rsa_pss_saltlen_check, fips_rsa_pss_saltlen_check) -FIPS_FEATURE_CHECK(FIPS_rsa_sign_x931_disallowed, - fips_rsa_sign_x931_disallowed) -FIPS_FEATURE_CHECK(FIPS_hkdf_key_check, fips_hkdf_key_check) 
-FIPS_FEATURE_CHECK(FIPS_kbkdf_key_check, fips_kbkdf_key_check) -FIPS_FEATURE_CHECK(FIPS_tls13_kdf_key_check, fips_tls13_kdf_key_check) -FIPS_FEATURE_CHECK(FIPS_tls1_prf_key_check, fips_tls1_prf_key_check) -FIPS_FEATURE_CHECK(FIPS_sshkdf_key_check, fips_sshkdf_key_check) -FIPS_FEATURE_CHECK(FIPS_sskdf_key_check, fips_sskdf_key_check) -FIPS_FEATURE_CHECK(FIPS_x963kdf_key_check, fips_x963kdf_key_check) -FIPS_FEATURE_CHECK(FIPS_pbkdf2_lower_bound_check, fips_pbkdf2_lower_bound_check) -FIPS_FEATURE_CHECK(FIPS_ecdh_cofactor_check, fips_ecdh_cofactor_check) - -#undef FIPS_FEATURE_CHECK +#include "fips_indicator_params.inc" +#undef OSSL_FIPS_PARAM void OSSL_SELF_TEST_get_callback(OSSL_LIB_CTX *libctx, OSSL_CALLBACK **cb, void **cbarg) diff --git a/providers/common/include/prov/fipsindicator.h b/providers/fips/include/fips/fipsindicator.h similarity index 99% rename from providers/common/include/prov/fipsindicator.h rename to providers/fips/include/fips/fipsindicator.h index 8f97bc35d90..405b800dbcf 100644 --- a/providers/common/include/prov/fipsindicator.h +++ b/providers/fips/include/fips/fipsindicator.h @@ -13,6 +13,7 @@ # include # include "crypto/types.h" # include +# include "fipscommon.h" /* * There may be multiple settables associated with an algorithm that allow diff --git a/providers/fips/include/fips_indicator_params.inc b/providers/fips/include/fips_indicator_params.inc new file mode 100644 index 00000000000..c1d12c32a64 --- /dev/null +++ b/providers/fips/include/fips_indicator_params.inc 
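Review bot: The accessors generated here have no comment naming what the macro produces, so a search for a caller's symbol such as `ossl_fips_config_hkdf_key_check` finds uses and the prototype macro in fipscommon.h but no definition. I would add above the `#define`: `/* Defines int ossl_fips_config_<structname>(OSSL_LIB_CTX *) for each entry in fips_indicator_params.inc */`. Each accessor also dereferences the result of ossl_lib_ctx_get_data() unchecked; this matches the removed FIPS_FEATURE_CHECK macro, but if that call can return NULL for a library context without FIPS provider data, the precondition belongs in the same comment.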
@@ -0,0 +1,27 @@
+OSSL_FIPS_PARAM(security_checks, SECURITY_CHECKS, 1)
+OSSL_FIPS_PARAM(tls1_prf_ems_check, TLS1_PRF_EMS_CHECK, 0)
+OSSL_FIPS_PARAM(no_short_mac, NO_SHORT_MAC, 1)
+OSSL_FIPS_PARAM(hmac_key_check, HMAC_KEY_CHECK, 0)
+OSSL_FIPS_PARAM(kmac_key_check, KMAC_KEY_CHECK, 0)
+OSSL_FIPS_PARAM(restricted_drbg_digests, DRBG_TRUNC_DIGEST, 0)
+OSSL_FIPS_PARAM(signature_digest_check, SIGNATURE_DIGEST_CHECK, 0)
+OSSL_FIPS_PARAM(hkdf_digest_check, HKDF_DIGEST_CHECK, 0)
+OSSL_FIPS_PARAM(tls13_kdf_digest_check, TLS13_KDF_DIGEST_CHECK, 0)
+OSSL_FIPS_PARAM(tls1_prf_digest_check, TLS1_PRF_DIGEST_CHECK, 0)
+OSSL_FIPS_PARAM(sshkdf_digest_check, SSHKDF_DIGEST_CHECK, 0)
+OSSL_FIPS_PARAM(sskdf_digest_check, SSKDF_DIGEST_CHECK, 0)
+OSSL_FIPS_PARAM(x963kdf_digest_check, X963KDF_DIGEST_CHECK, 0)
+OSSL_FIPS_PARAM(dsa_sign_disallowed, DSA_SIGN_DISABLED, 0)
+OSSL_FIPS_PARAM(tdes_encrypt_disallowed, TDES_ENCRYPT_DISABLED, 0)
+OSSL_FIPS_PARAM(rsa_pkcs15_padding_disabled, RSA_PKCS15_PAD_DISABLED, 0)
+OSSL_FIPS_PARAM(rsa_pss_saltlen_check, RSA_PSS_SALTLEN_CHECK, 0)
+OSSL_FIPS_PARAM(rsa_sign_x931_disallowed, RSA_SIGN_X931_PAD_DISABLED, 0)
+OSSL_FIPS_PARAM(hkdf_key_check, HKDF_KEY_CHECK, 0)
+OSSL_FIPS_PARAM(kbkdf_key_check, KBKDF_KEY_CHECK, 0)
+OSSL_FIPS_PARAM(tls13_kdf_key_check, TLS13_KDF_KEY_CHECK, 0)
+OSSL_FIPS_PARAM(tls1_prf_key_check, TLS1_PRF_KEY_CHECK, 0)
+OSSL_FIPS_PARAM(sshkdf_key_check, SSHKDF_KEY_CHECK, 0)
+OSSL_FIPS_PARAM(sskdf_key_check, SSKDF_KEY_CHECK, 0)
+OSSL_FIPS_PARAM(x963kdf_key_check, X963KDF_KEY_CHECK, 0)
+OSSL_FIPS_PARAM(pbkdf2_lower_bound_check, PBKDF2_LOWER_BOUND_CHECK, 1)
+OSSL_FIPS_PARAM(ecdh_cofactor_check, ECDH_COFACTOR_CHECK, 0)
diff --git a/providers/fips/include/fips_selftest_params.inc b/providers/fips/include/fips_selftest_params.inc
new file mode 100644
index 00000000000..df942d9cea6
--- /dev/null
+++ b/providers/fips/include/fips_selftest_params.inc
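Review bot: Nothing ties the length of this list to the fixed `OSSL_PARAM core_params[32]` array that fipsprov.c fills from it earlier in this diff. With the 3 entries of fips_selftest_params.inc, these 27 and the end marker, 31 of the 32 slots are used, so the second option added here would write past the array with no compile-time signal. I would open the file with a comment describing the three columns (the struct field suffix pasted after `fips_`, the suffix pasted after `OSSL_PROV_PARAM_`, and the initial value) plus the reminder `/* Each entry consumes one slot of core_params[] in fipsprov.c; grow it when adding options */`. Sizing that array from the lists instead of a literal would remove the hazard altogether.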
@@ -0,0 +1,3 @@ +OSSL_FIPS_PARAM(module_filename, OSSL_PROV_PARAM_CORE_MODULE_FILENAME) +OSSL_FIPS_PARAM(module_checksum_data, OSSL_PROV_FIPS_PARAM_MODULE_MAC) +OSSL_FIPS_PARAM(conditional_error_check, OSSL_PROV_FIPS_PARAM_CONDITIONAL_ERRORS) diff --git a/providers/fips/include/fipscommon.h b/providers/fips/include/fipscommon.h new file mode 100644 index 00000000000..1a89b4fd5e6 --- /dev/null +++ b/providers/fips/include/fipscommon.h @@ -0,0 +1,18 @@ +/* + * Copyright 2023 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#ifdef FIPS_MODULE +# include + +# define OSSL_FIPS_PARAM(structname, paramname, unused) \ + int ossl_fips_config_##structname(OSSL_LIB_CTX *libctx); +# include "fips_indicator_params.inc" +# undef OSSL_FIPS_PARAM + +#endif diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c index 9a6c3032fe7..452210bf089 100644 --- a/providers/implementations/asymciphers/rsa_enc.c +++ b/providers/implementations/asymciphers/rsa_enc.c @@ -30,8 +30,6 @@ #include "prov/implementations.h" #include "prov/providercommon.h" #include "prov/securitycheck.h" -#include "prov/fipsindicator.h" - #include static OSSL_FUNC_asym_cipher_newctx_fn rsa_newctx; @@ -164,7 +162,7 @@ static int rsa_encrypt(void *vprsactx, unsigned char *out, size_t *outlen, && !OSSL_FIPS_IND_ON_UNAPPROVED(prsactx, OSSL_FIPS_IND_SETTABLE1, prsactx->libctx, "RSA Encrypt", "PKCS#1 v1.5 padding", - FIPS_rsa_pkcs15_padding_disabled)) { + ossl_fips_config_rsa_pkcs15_padding_disabled)) { ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE); return 0; } 
@@ -473,10 +471,10 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[]) if (!OSSL_FIPS_IND_SET_CTX_PARAM(prsactx, OSSL_FIPS_IND_SETTABLE0, params, OSSL_ASYM_CIPHER_PARAM_FIPS_KEY_CHECK)) - return 0; + return 0; if (!OSSL_FIPS_IND_SET_CTX_PARAM(prsactx, OSSL_FIPS_IND_SETTABLE1, params, - OSSL_ASYM_CIPHER_PARAM_PKCS15_PADDING_DISABLED)) - return 0; + OSSL_ASYM_CIPHER_PARAM_FIPS_RSA_PKCS15_PAD_DISABLED)) + return 0; p = OSSL_PARAM_locate_const(params, OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST); if (p != NULL) { @@ -615,7 +613,7 @@ static const OSSL_PARAM known_settable_ctx_params[] = { OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION, NULL), OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION, NULL), OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_ASYM_CIPHER_PARAM_FIPS_KEY_CHECK) - OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_ASYM_CIPHER_PARAM_PKCS15_PADDING_DISABLED) + OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_ASYM_CIPHER_PARAM_FIPS_RSA_PKCS15_PAD_DISABLED) OSSL_PARAM_END }; diff --git a/providers/implementations/ciphers/cipher_tdes.h b/providers/implementations/ciphers/cipher_tdes.h index d0bd79b7118..a8907a7c702 100644 --- a/providers/implementations/ciphers/cipher_tdes.h +++ b/providers/implementations/ciphers/cipher_tdes.h @@ -9,8 +9,8 @@ #include #include +#include "prov/securitycheck.h" #include "crypto/des_platform.h" -#include "prov/fipsindicator.h" #define DES_BLOCK_SIZE 8 #define TDES_IVLEN 8 diff --git a/providers/implementations/ciphers/cipher_tdes_common.c b/providers/implementations/ciphers/cipher_tdes_common.c index 60f0707951d..cf8bf936cf1 100644 --- a/providers/implementations/ciphers/cipher_tdes_common.c +++ b/providers/implementations/ciphers/cipher_tdes_common.c @@ -19,7 +19,6 @@ #include "cipher_tdes.h" #include "prov/implementations.h" #include "prov/providercommon.h" -#include "prov/fipscommon.h" void *ossl_tdes_newctx(void *provctx, int mode, size_t kbits, size_t blkbits, size_t ivbits, uint64_t flags, const PROV_CIPHER_HW *hw) 
@@ -70,7 +69,7 @@ static int tdes_encrypt_check_approved(PROV_TDES_CTX *ctx, int enc) if (enc && !OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE0, ctx->base.libctx, "Triple-DES", "Encryption", - FIPS_tdes_encrypt_check)) + ossl_fips_config_tdes_encrypt_disallowed)) return 0; return 1; } diff --git a/providers/implementations/exchange/dh_exch.c b/providers/implementations/exchange/dh_exch.c index 753bc79f83c..2c054bb9921 100644 --- a/providers/implementations/exchange/dh_exch.c +++ b/providers/implementations/exchange/dh_exch.c @@ -25,7 +25,6 @@ #include "prov/implementations.h" #include "prov/provider_ctx.h" #include "prov/securitycheck.h" -#include "prov/fipsindicator.h" #include "crypto/dh.h" static OSSL_FUNC_keyexch_newctx_fn dh_newctx; @@ -104,7 +103,7 @@ static int dh_check_key(PROV_DH_CTX *ctx) if (!key_approved) { if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE0, ctx->libctx, "DH Init", "DH Key", - ossl_securitycheck_enabled)) { + ossl_fips_config_securitycheck_enabled)) { ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); return 0; } diff --git a/providers/implementations/exchange/ecdh_exch.c b/providers/implementations/exchange/ecdh_exch.c index b6ec8d99133..39307e4e1e9 100644 --- a/providers/implementations/exchange/ecdh_exch.c +++ b/providers/implementations/exchange/ecdh_exch.c @@ -26,7 +26,6 @@ #include "prov/providercommon.h" #include "prov/implementations.h" #include "prov/securitycheck.h" -#include "prov/fipsindicator.h" #include "crypto/ec.h" /* ossl_ecdh_kdf_X9_63() */ static OSSL_FUNC_keyexch_newctx_fn ecdh_newctx; @@ -550,7 +549,7 @@ int ecdh_plain_derive(void *vpecdhctx, unsigned char *secret, if (has_cofactor && !cofactor_approved) { if (!OSSL_FIPS_IND_ON_UNAPPROVED(pecdhctx, OSSL_FIPS_IND_SETTABLE2, pecdhctx->libctx, "ECDH", "Cofactor", - FIPS_ecdh_cofactor_check)) { + ossl_fips_config_ecdh_cofactor_check)) { ERR_raise(ERR_LIB_PROV, PROV_R_COFACTOR_REQUIRED); return 0; } 
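Review bot: `ossl_fips_config_securitycheck_enabled`, passed in dh_check_key here and again in ec_gen in ec_kmgmt.c, is not a name the new macro generates: the list entry is `security_checks`, which yields `ossl_fips_config_security_checks`. It is presumably a hand-written wrapper defined outside the visible part of this diff; that should be confirmed, because fipscommon.h only declares the generated names. If the wrapper is intentional, a one-line comment beside the `security_checks` entry saying that callers must go through the wrapper rather than the generated accessor would keep the two from being mixed up. Both function bodies continue outside their hunks.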
diff --git a/providers/implementations/exchange/ecx_exch.c b/providers/implementations/exchange/ecx_exch.c index cae2feb5519..04bda300ce3 100644 --- a/providers/implementations/exchange/ecx_exch.c +++ b/providers/implementations/exchange/ecx_exch.c @@ -17,8 +17,7 @@ #include "crypto/ecx.h" #include "prov/implementations.h" #include "prov/providercommon.h" -#include "prov/fipsindicator.h" -#include "prov/fipscommon.h" +#include "prov/securitycheck.h" static OSSL_FUNC_keyexch_newctx_fn x25519_newctx; static OSSL_FUNC_keyexch_newctx_fn x448_newctx; diff --git a/providers/implementations/kdfs/hkdf.c b/providers/implementations/kdfs/hkdf.c index 64a3e8f05e0..587a9f43a87 100644 --- a/providers/implementations/kdfs/hkdf.c +++ b/providers/implementations/kdfs/hkdf.c @@ -30,8 +30,6 @@ #include "prov/implementations.h" #include "prov/provider_util.h" #include "prov/securitycheck.h" -#include "prov/fipscommon.h" -#include "prov/fipsindicator.h" #include "internal/e_os.h" #include "internal/params.h" @@ -203,7 +201,7 @@ static int fips_hkdf_key_check_passed(KDF_HKDF *ctx) if (!key_approved) { if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE0, libctx, "HKDF", "Key size", - FIPS_hkdf_key_check)) { + ossl_fips_config_hkdf_key_check)) { ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); return 0; } @@ -756,7 +754,7 @@ static int fips_tls1_3_digest_check_passed(KDF_HKDF *ctx, const EVP_MD *md) if (digest_unapproved) { if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE0, libctx, "TLS13 KDF", "Digest", - FIPS_tls13_kdf_digest_check)) { + ossl_fips_config_tls13_kdf_digest_check)) { ERR_raise(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED); return 0; } 
@@ -792,7 +790,7 @@ static int fips_tls1_3_key_check_passed(KDF_HKDF *ctx) if (!key_approved) { if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE1, libctx, "TLS13 KDF", "Key size", - FIPS_tls13_kdf_key_check)) { + ossl_fips_config_tls13_kdf_key_check)) { ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); return 0; } diff --git a/providers/implementations/kdfs/kbkdf.c b/providers/implementations/kdfs/kbkdf.c index 4dd8fe6f873..7f767948b07 100644 --- a/providers/implementations/kdfs/kbkdf.c +++ b/providers/implementations/kdfs/kbkdf.c @@ -44,9 +44,6 @@ #include "prov/provider_util.h" #include "prov/providercommon.h" #include "prov/securitycheck.h" -#include "prov/fipscommon.h" -#include "prov/fipsindicator.h" - #include "internal/e_os.h" #include "internal/params.h" @@ -197,7 +194,7 @@ static int fips_kbkdf_key_check_passed(KBKDF *ctx) if (!key_approved) { if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE0, libctx, "KBKDF", "Key size", - FIPS_kbkdf_key_check)) { + ossl_fips_config_kbkdf_key_check)) { ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); return 0; } diff --git a/providers/implementations/kdfs/pbkdf2.c b/providers/implementations/kdfs/pbkdf2.c index 2ee637ec433..1c94ece4942 100644 --- a/providers/implementations/kdfs/pbkdf2.c +++ b/providers/implementations/kdfs/pbkdf2.c @@ -28,8 +28,7 @@ #include "prov/providercommon.h" #include "prov/implementations.h" #include "prov/provider_util.h" -#include "prov/fipscommon.h" -#include "prov/fipsindicator.h" +#include "prov/securitycheck.h" #include "pbkdf2.h" /* Constants specified in SP800-132 */ @@ -217,7 +216,7 @@ static int fips_lower_bound_check_passed(KDF_PBKDF2 *ctx, size_t keylen) if (!approved) { if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE0, libctx, "PBKDF2", desc, - FIPS_pbkdf2_lower_bound_check)) { + ossl_fips_config_pbkdf2_lower_bound_check)) { ERR_raise(ERR_LIB_PROV, error); return 0; } 
diff --git a/providers/implementations/kdfs/sshkdf.c b/providers/implementations/kdfs/sshkdf.c index fd77dabcb7f..c1d3066951c 100644 --- a/providers/implementations/kdfs/sshkdf.c +++ b/providers/implementations/kdfs/sshkdf.c @@ -22,8 +22,6 @@ #include "prov/implementations.h" #include "prov/provider_util.h" #include "prov/securitycheck.h" -#include "prov/fipscommon.h" -#include "prov/fipsindicator.h" /* See RFC 4253, Section 7.2 */ static OSSL_FUNC_kdf_newctx_fn kdf_sshkdf_new; @@ -146,7 +144,7 @@ static int fips_digest_check_passed(KDF_SSHKDF *ctx, const EVP_MD *md) if (digest_unapproved) { if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE0, libctx, "SSHKDF", "Digest", - FIPS_sshkdf_digest_check)) { + ossl_fips_config_sshkdf_digest_check)) { ERR_raise(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED); return 0; } @@ -162,7 +160,7 @@ static int fips_key_check_passed(KDF_SSHKDF *ctx) if (!key_approved) { if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE1, libctx, "SSHKDF", "Key size", - FIPS_sshkdf_key_check)) { + ossl_fips_config_sshkdf_key_check)) { ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); return 0; } diff --git a/providers/implementations/kdfs/sskdf.c b/providers/implementations/kdfs/sskdf.c index 4bdb4e039c0..ce9d0a71505 100644 --- a/providers/implementations/kdfs/sskdf.c +++ b/providers/implementations/kdfs/sskdf.c @@ -51,8 +51,6 @@ #include "prov/implementations.h" #include "prov/provider_util.h" #include "prov/securitycheck.h" -#include "prov/fipscommon.h" -#include "prov/fipsindicator.h" #include "internal/params.h" typedef struct { @@ -403,7 +401,7 @@ static int fips_sskdf_key_check_passed(KDF_SSKDF *ctx) if (!key_approved) { if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE0, libctx, "SSKDF", "Key size", - FIPS_sskdf_key_check)) { + ossl_fips_config_sskdf_key_check)) { ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); return 0; } 
@@ -496,7 +494,7 @@ static int fips_x963kdf_digest_check_passed(KDF_SSKDF *ctx, const EVP_MD *md) if (digest_unapproved) { if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE0, libctx, "X963KDF", "Digest", - FIPS_x963kdf_digest_check)) { + ossl_fips_config_x963kdf_digest_check)) { ERR_raise(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED); return 0; } @@ -512,7 +510,7 @@ static int fips_x963kdf_key_check_passed(KDF_SSKDF *ctx) if (!key_approved) { if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE1, libctx, "X963KDF", "Key size", - FIPS_x963kdf_key_check)) { + ossl_fips_config_x963kdf_key_check)) { ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); return 0; } diff --git a/providers/implementations/kdfs/tls1_prf.c b/providers/implementations/kdfs/tls1_prf.c index a82e4573d4d..451d8a818f8 100644 --- a/providers/implementations/kdfs/tls1_prf.c +++ b/providers/implementations/kdfs/tls1_prf.c @@ -68,8 +68,6 @@ #include "prov/implementations.h" #include "prov/provider_util.h" #include "prov/securitycheck.h" -#include "prov/fipscommon.h" -#include "prov/fipsindicator.h" #include "internal/e_os.h" #include "internal/safe_math.h" @@ -196,7 +194,7 @@ static int fips_ems_check_passed(TLS1_PRF *ctx) if (!ems_approved) { if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE0, libctx, "TLS_PRF", "EMS", - FIPS_tls_prf_ems_check)) { + ossl_fips_config_tls1_prf_ems_check)) { ERR_raise(ERR_LIB_PROV, PROV_R_EMS_NOT_ENABLED); return 0; } @@ -221,7 +219,7 @@ static int fips_digest_check_passed(TLS1_PRF *ctx, const EVP_MD *md) if (digest_unapproved) { if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE1, libctx, "TLS_PRF", "Digest", - FIPS_tls1_prf_digest_check)) { + ossl_fips_config_tls1_prf_digest_check)) { ERR_raise(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED); return 0; } 
@@ -237,7 +235,7 @@ static int fips_key_check_passed(TLS1_PRF *ctx) if (!key_approved) { if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE2, libctx, "TLS_PRF", "Key size", - FIPS_tls1_prf_key_check)) { + ossl_fips_config_tls1_prf_key_check)) { ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); return 0; } diff --git a/providers/implementations/kem/rsa_kem.c b/providers/implementations/kem/rsa_kem.c index 28925b7d133..6dfc9920966 100644 --- a/providers/implementations/kem/rsa_kem.c +++ b/providers/implementations/kem/rsa_kem.c @@ -13,7 +13,6 @@ */ #include "internal/deprecated.h" #include "internal/nelem.h" - #include #include #include @@ -21,13 +20,11 @@ #include #include #include -#include "crypto/rsa.h" #include -#include "internal/nelem.h" +#include "crypto/rsa.h" #include "prov/provider_ctx.h" #include "prov/implementations.h" #include "prov/securitycheck.h" -#include "prov/fipsindicator.h" static OSSL_FUNC_kem_newctx_fn rsakem_newctx; static OSSL_FUNC_kem_encapsulate_init_fn rsakem_encapsulate_init; diff --git a/providers/implementations/keymgmt/dsa_kmgmt.c b/providers/implementations/keymgmt/dsa_kmgmt.c index 7e084d62ee2..c3dfcee406d 100644 --- a/providers/implementations/keymgmt/dsa_kmgmt.c +++ b/providers/implementations/keymgmt/dsa_kmgmt.c @@ -17,9 +17,8 @@ #include #include #include +#include "prov/securitycheck.h" #include "prov/providercommon.h" -#include "prov/fipsindicator.h" -#include "prov/fipscommon.h" #include "prov/implementations.h" #include "prov/provider_ctx.h" #include "crypto/dsa.h" @@ -610,7 +609,7 @@ static void *dsa_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg) */ if (!OSSL_FIPS_IND_ON_UNAPPROVED(gctx, OSSL_FIPS_IND_SETTABLE0, gctx->libctx, "DSA", "Keygen", - FIPS_dsa_sign_check)) + ossl_fips_config_dsa_sign_disallowed)) return 0; #endif diff --git a/providers/implementations/keymgmt/ec_kmgmt.c b/providers/implementations/keymgmt/ec_kmgmt.c index 8539b05a623..693cb9ec20c 100644 
--- a/providers/implementations/keymgmt/ec_kmgmt.c +++ b/providers/implementations/keymgmt/ec_kmgmt.c @@ -26,7 +26,6 @@ #include "prov/providercommon.h" #include "prov/provider_ctx.h" #include "prov/securitycheck.h" -#include "prov/fipsindicator.h" #include "internal/param_build_set.h" #ifndef FIPS_MODULE @@ -1311,7 +1310,7 @@ static void *ec_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg) if (!ossl_ec_check_security_strength(gctx->gen_group, 1)) { if (!OSSL_FIPS_IND_ON_UNAPPROVED(gctx, OSSL_FIPS_IND_SETTABLE0, gctx->libctx, "EC KeyGen", "key size", - ossl_securitycheck_enabled)) { + ossl_fips_config_securitycheck_enabled)) { ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); goto err; } diff --git a/providers/implementations/keymgmt/ecx_kmgmt.c b/providers/implementations/keymgmt/ecx_kmgmt.c index 1f1ab063011..958fc37a47f 100644 --- a/providers/implementations/keymgmt/ecx_kmgmt.c +++ b/providers/implementations/keymgmt/ecx_kmgmt.c @@ -24,8 +24,7 @@ #include "prov/providercommon.h" #include "prov/provider_ctx.h" #include "prov/ecx.h" -#include "prov/fipsindicator.h" -#include "prov/fipscommon.h" +#include "prov/securitycheck.h" #ifdef S390X_EC_ASM # include "s390x_arch.h" # include /* For SHA512_DIGEST_LENGTH */ diff --git a/providers/implementations/macs/cmac_prov.c b/providers/implementations/macs/cmac_prov.c index 39ab09172bb..7dbca4fa6a2 100644 --- a/providers/implementations/macs/cmac_prov.c +++ b/providers/implementations/macs/cmac_prov.c @@ -21,12 +21,11 @@ #include #include +#include "prov/securitycheck.h" #include "prov/implementations.h" #include "prov/provider_ctx.h" #include "prov/provider_util.h" #include "prov/providercommon.h" -#include "prov/fipscommon.h" -#include "prov/fipsindicator.h" #include "crypto/cmac.h" /* 
@@ -138,7 +137,7 @@ static int tdes_check_param(struct cmac_data_st *macctx, OSSL_PARAM *p, if (EVP_CIPHER_is_a(cipher, "DES-EDE3-CBC")) { if (!OSSL_FIPS_IND_ON_UNAPPROVED(macctx, OSSL_FIPS_IND_SETTABLE0, libctx, "CMAC", "Triple-DES", - FIPS_tdes_encrypt_check)) + ossl_fips_config_tdes_encrypt_disallowed)) return 0; OSSL_FIPS_IND_GET_PARAM(macctx, p, state, OSSL_FIPS_IND_SETTABLE0, OSSL_CIPHER_PARAM_FIPS_ENCRYPT_CHECK) diff --git a/providers/implementations/macs/hmac_prov.c b/providers/implementations/macs/hmac_prov.c index d871a85033c..d05e5b4e6ae 100644 --- a/providers/implementations/macs/hmac_prov.c +++ b/providers/implementations/macs/hmac_prov.c @@ -29,9 +29,7 @@ #include "prov/provider_ctx.h" #include "prov/provider_util.h" #include "prov/providercommon.h" -#include "prov/fipsindicator.h" #include "prov/securitycheck.h" -#include "prov/fipscommon.h" /* * Forward declaration of everything implemented here. This is not strictly @@ -171,7 +169,7 @@ static int hmac_setkey(struct hmac_data_st *macctx, if (!approved) { if (!OSSL_FIPS_IND_ON_UNAPPROVED(macctx, OSSL_FIPS_IND_SETTABLE0, libctx, "HMAC", "keysize", - FIPS_hmac_key_check)) { + ossl_fips_config_hmac_key_check)) { ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); return 0; } diff --git a/providers/implementations/macs/kmac_prov.c b/providers/implementations/macs/kmac_prov.c index 44b7022e652..ad6753235aa 100644 --- a/providers/implementations/macs/kmac_prov.c +++ b/providers/implementations/macs/kmac_prov.c @@ -55,14 +55,11 @@ #include #include #include - +#include "prov/securitycheck.h" #include "prov/implementations.h" #include "prov/provider_ctx.h" #include "prov/provider_util.h" #include "prov/providercommon.h" -#include "prov/fipscommon.h" -#include "prov/fipsindicator.h" -#include "prov/securitycheck.h" #include "internal/cryptlib.h" /* ossl_assert */ /* 
@@ -284,7 +281,7 @@ static int kmac_setkey(struct kmac_data_st *kctx, const unsigned char *key, if (!OSSL_FIPS_IND_ON_UNAPPROVED(kctx, OSSL_FIPS_IND_SETTABLE1, PROV_LIBCTX_OF(kctx->provctx), "KMAC", "Key size", - FIPS_kmac_key_check)) { + ossl_fips_config_kmac_key_check)) { ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); return 0; } @@ -483,7 +480,7 @@ static int kmac_set_ctx_params(void *vmacctx, const OSSL_PARAM *params) if (!OSSL_FIPS_IND_ON_UNAPPROVED(kctx, OSSL_FIPS_IND_SETTABLE0, PROV_LIBCTX_OF(kctx->provctx), "KMAC", "length", - &FIPS_no_short_mac)) { + ossl_fips_config_no_short_mac)) { ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_OUTPUT_LENGTH); return 0; } diff --git a/providers/implementations/rands/drbg.c b/providers/implementations/rands/drbg.c index c15c4606e62..825fe30214f 100644 --- a/providers/implementations/rands/drbg.c +++ b/providers/implementations/rands/drbg.c @@ -21,7 +21,6 @@ #include "crypto/rand_pool.h" #include "prov/provider_ctx.h" #include "prov/providercommon.h" -#include "prov/fipscommon.h" #include "crypto/context.h" /* @@ -1024,7 +1023,7 @@ int ossl_drbg_verify_digest(PROV_DRBG *drbg, OSSL_LIB_CTX *libctx, if (!approved) { if (!OSSL_FIPS_IND_ON_UNAPPROVED(drbg, OSSL_FIPS_IND_SETTABLE0, libctx, "DRBG", "Digest", - FIPS_restricted_drbg_digests_enabled)) { + ossl_fips_config_restricted_drbg_digests)) { ERR_raise(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED); return 0; } diff --git a/providers/implementations/rands/drbg_local.h b/providers/implementations/rands/drbg_local.h index f8907a3193a..b78c7fbf3c9 100644 --- a/providers/implementations/rands/drbg_local.h +++ b/providers/implementations/rands/drbg_local.h @@ -18,7 +18,7 @@ # include "internal/nelem.h" # include "internal/numbers.h" # include "prov/provider_ctx.h" -# include "prov/fipsindicator.h" +# include "prov/securitycheck.h" /* How many times to read the TSC as a randomness source. */ # define TSC_READ_COUNT 4 
diff --git a/providers/implementations/rands/test_rng.c b/providers/implementations/rands/test_rng.c index 72e815bebf2..948c04cdf65 100644 --- a/providers/implementations/rands/test_rng.c +++ b/providers/implementations/rands/test_rng.c @@ -16,11 +16,11 @@ #include #include #include +#include "prov/securitycheck.h" #include "prov/providercommon.h" #include "prov/provider_ctx.h" #include "prov/provider_util.h" #include "prov/implementations.h" -#include "prov/fipsindicator.h" static OSSL_FUNC_rand_newctx_fn test_rng_new; static OSSL_FUNC_rand_freectx_fn test_rng_free; diff --git a/providers/implementations/signature/dsa_sig.c b/providers/implementations/signature/dsa_sig.c index 72b245049ff..a4b8c21f76f 100644 --- a/providers/implementations/signature/dsa_sig.c +++ b/providers/implementations/signature/dsa_sig.c @@ -30,7 +30,6 @@ #include "prov/implementations.h" #include "prov/provider_ctx.h" #include "prov/securitycheck.h" -#include "prov/fipsindicator.h" #include "crypto/dsa.h" #include "prov/der_dsa.h" @@ -169,7 +168,7 @@ static int dsa_setup_md(PROV_DSA_CTX *ctx, OSSL_FIPS_IND_SETTABLE1, ctx->libctx, md_nid, sha1_allowed, desc, - &FIPS_fips_signature_digest_check)) + ossl_fips_config_signature_digest_check)) goto err; } #endif @@ -223,7 +222,7 @@ static int dsa_sign_check_approved(PROV_DSA_CTX *ctx, int signing, if (signing && !OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE2, ctx->libctx, desc, "DSA", - FIPS_dsa_sign_check)) + ossl_fips_config_dsa_sign_disallowed)) return 0; return 1; } @@ -235,7 +234,7 @@ static int dsa_check_key(PROV_DSA_CTX *ctx, int sign, const char *desc) if (!approved) { if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE0, ctx->libctx, desc, "DSA Key", - FIPS_fips_signature_digest_check)) { + ossl_fips_config_signature_digest_check)) { ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); return 0; } 
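Review bot: In dsa_check_key the key-size failure path is gated by `ossl_fips_config_signature_digest_check`, the same option dsa_setup_md passes for the digest check two hunks earlier, although the error raised is PROV_R_INVALID_KEY_LENGTH. The commit carries this over unchanged from `FIPS_fips_signature_digest_check`, so it is not a regression, but it appears to make DSA key-size enforcement follow the digest-check setting in fipsmodule.cnf. If that coupling is not intended, the last argument should probably be `ossl_fips_config_securitycheck_enabled`, which dh_check_key and ec_gen use for their key checks; if it is intended, a comment at this call should say so. The function body extends beyond the hunk.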
diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c index c9a23e7bc87..1a58850b23f 100644 --- a/providers/implementations/signature/ecdsa_sig.c +++ b/providers/implementations/signature/ecdsa_sig.c @@ -30,7 +30,6 @@ #include "prov/implementations.h" #include "prov/provider_ctx.h" #include "prov/securitycheck.h" -#include "prov/fipsindicator.h" #include "crypto/ec.h" #include "prov/der_ec.h" @@ -302,7 +301,7 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx, const char *mdname, if (!ossl_fips_ind_digest_sign_check(OSSL_FIPS_IND_GET(ctx), OSSL_FIPS_IND_SETTABLE1, ctx->libctx, md_nid, sha1_allowed, desc, - &FIPS_fips_signature_digest_check)) + ossl_fips_config_signature_digest_check)) goto err; } #endif diff --git a/providers/implementations/signature/eddsa_sig.c b/providers/implementations/signature/eddsa_sig.c index 7aae2afa89b..29be3fcd3a6 100644 --- a/providers/implementations/signature/eddsa_sig.c +++ b/providers/implementations/signature/eddsa_sig.c @@ -18,6 +18,7 @@ #include "internal/sizes.h" #include "prov/providercommon.h" #include "prov/implementations.h" +#include "prov/securitycheck.h" #include "prov/provider_ctx.h" #include "prov/der_ecx.h" #include "crypto/ecx.h" diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c index f3764ab809e..2ca9c658985 100644 --- a/providers/implementations/signature/rsa_sig.c +++ b/providers/implementations/signature/rsa_sig.c @@ -32,7 +32,6 @@ #include "prov/provider_ctx.h" #include "prov/der_rsa.h" #include "prov/securitycheck.h" -#include "prov/fipsindicator.h" #define RSA_DEFAULT_DIGEST_NAME OSSL_DIGEST_NAME_SHA1 @@ -413,7 +412,7 @@ static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname, OSSL_FIPS_IND_SETTABLE1, ctx->libctx, md_nid, sha1_allowed, desc, - &FIPS_fips_signature_digest_check)) + ossl_fips_config_signature_digest_check)) goto err; } #endif 
@@ -646,7 +645,7 @@ static int rsa_pss_saltlen_check_passed(PROV_RSA_CTX *ctx, const char *algoname, if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE3, ctx->libctx, algoname, "PSS Salt Length", - FIPS_rsa_pss_saltlen_check)) { + ossl_fips_config_rsa_pss_saltlen_check)) { ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH); return 0; } @@ -1520,7 +1519,7 @@ static int rsa_x931_padding_allowed(PROV_RSA_CTX *ctx) if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE2, ctx->libctx, "RSA Sign set ctx", "X931 Padding", - FIPS_rsa_sign_x931_disallowed)) { + ossl_fips_config_rsa_sign_x931_disallowed)) { ERR_raise(ERR_LIB_PROV, PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE); return 0; diff --git a/test/build.info b/test/build.info index 7fd0ab33116..5ec0b93ca06 100644 --- a/test/build.info +++ b/test/build.info @@ -619,7 +619,8 @@ IF[{- !$disabled{tests} -}] DEPEND[recordlentest]=../libcrypto ../libssl libtestutil.a SOURCE[drbgtest]=drbgtest.c - INCLUDE[drbgtest]=../include ../apps/include ../providers/common/include + INCLUDE[drbgtest]=../include ../apps/include ../providers/common/include \ + ../providers/fips/include DEPEND[drbgtest]=../libcrypto.a libtestutil.a SOURCE[rand_status_test]=rand_status_test.c diff --git a/test/recipes/03-test_fipsinstall.t b/test/recipes/03-test_fipsinstall.t index 4dc7da0768a..79b425962c9 100644 --- a/test/recipes/03-test_fipsinstall.t +++ b/test/recipes/03-test_fipsinstall.t @@ -50,7 +50,7 @@ my @commandline = ( 'x963kdf_digest_check', 'x963kdf-digest-check' ), ( 'dsa_sign_disabled', 'dsa-sign-disabled' ), ( 'tdes_encrypt_disabled', 'tdes-encrypt-disabled' ), - ( 'rsa_pkcs15_padding_disabled', 'rsa-pkcs15-padding-disabled' ), + ( 'rsa_pkcs15_pad_disabled', 'rsa-pkcs15-pad-disabled' ), ( 'rsa_pss_saltlen_check', 'rsa-pss-saltlen-check' ), ( 'rsa_sign_x931_disabled', 'rsa-sign-x931-pad-disabled' ), ( 'hkdf_key_check', 'hkdf-key-check' ), 
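Review bot: The entries of `@commandline` are grouped with parentheses, which Perl flattens, so the renamed line `( 'rsa_pkcs15_pad_disabled', 'rsa-pkcs15-pad-disabled' ),` contributes two separate scalars to the array rather than one option/key pair. The code that walks the list is outside this hunk, so I cannot tell whether it steps through it two at a time. If it is meant to see pairs, array references would say so directly, `[ 'rsa_pkcs15_pad_disabled', 'rsa-pkcs15-pad-disabled' ],`, with the neighbouring entries changed the same way. Otherwise a one-line comment above the list, `# flat list: option name, then config key`, would make the layout explicit.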
diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t index 71db50c9c2a..95098e02640 100644 --- a/test/recipes/80-test_ssl_old.t +++ b/test/recipes/80-test_ssl_old.t @@ -161,7 +161,7 @@ unless ($no_fips) { my $fipsmodcfgnew = result_file($fipsmodcfgnew_filename); $ENV{OPENSSL_CONF_INCLUDE} = result_dir(); ok(replace_kv_file($fipsmodcfg, - 'rsa-pkcs15-padding-disabled', '0', + 'rsa-pkcs15-pad-disabled', '0', $fipsmodcfgnew) && replace_line_file($provconf, $fipsmodcfg_filename, $fipsmodcfgnew_filename, diff --git a/test/recipes/90-test_sslapi.t b/test/recipes/90-test_sslapi.t index 932e08530a2..869d78b3fa5 100644 --- a/test/recipes/90-test_sslapi.t +++ b/test/recipes/90-test_sslapi.t @@ -127,7 +127,7 @@ SKIP: { 'tls1-prf-ems-check', '0', $fipsmodcfgtmp) && replace_kv_file($fipsmodcfgtmp, - 'rsa-pkcs15-padding-disabled', '0', + 'rsa-pkcs15-pad-disabled', '0', $fipsmodcfgnew) && replace_line_file($provconf, $fipsmodcfg_filename, $fipsmodcfgnew_filename, diff --git a/util/mk-fipsmodule-cnf.pl b/util/mk-fipsmodule-cnf.pl index a8d1baf3b52..a6bc39c7d46 100644 --- a/util/mk-fipsmodule-cnf.pl +++ b/util/mk-fipsmodule-cnf.pl @@ -71,7 +71,7 @@ sshkdf-digest-check = $digest_check sskdf-digest-check = $digest_check x963kdf-digest-check = $digest_check tdes-encrypt-disabled = $tdes_encrypt_disabled -rsa-pkcs15-padding-disabled = $pkcs15_pad_disable +rsa-pkcs15-pad-disabled = $pkcs15_pad_disable rsa-pss-saltlen-check = $rsa_pss_saltlen_check rsa-sign-x931-pad-disabled = $rsa_sign_x931_pad_disabled hkdf-key-check = $kdf_key_check diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm index c5d26ab743f..0701064ccfc 100644 --- a/util/perl/OpenSSL/paramnames.pm +++ b/util/perl/OpenSSL/paramnames.pm 
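Review bot: The key written into the generated fipsmodule.cnf changes from `rsa-pkcs15-padding-disabled` to `rsa-pkcs15-pad-disabled`, and nothing in the visible hunks keeps the old spelling readable. Unless the old name never reached a release, a configuration file that still carries it would presumably be read without the option taking effect, and this is a setting that restricts RSA PKCS#1 v1.5 padding. The paramnames.pm hunk at -473 does the same at the parameter level, replacing `ASYM_CIPHER_PARAM_PKCS15_PADDING_DISABLED` / "pkcs15-padding-disabled" instead of aliasing it. I would either keep the old names as aliases or add a changelog entry stating that the option was renamed and that fipsmodule.cnf has to be regenerated.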
@@ -46,6 +46,7 @@ my %params = ( 'PROV_PARAM_TDES_ENCRYPT_DISABLED' => "tdes-encrypt-disabled", # uint 'PROV_PARAM_RSA_PSS_SALTLEN_CHECK' => "rsa-pss-saltlen-check", # uint 'PROV_PARAM_RSA_SIGN_X931_PAD_DISABLED' => "rsa-sign-x931-pad-disabled", # uint + 'PROV_PARAM_RSA_PKCS15_PAD_DISABLED' => "rsa-pkcs15-pad-disabled", # uint 'PROV_PARAM_HKDF_KEY_CHECK' => "hkdf-key-check", # uint 'PROV_PARAM_KBKDF_KEY_CHECK' => "kbkdf-key-check", # uint 'PROV_PARAM_TLS13_KDF_KEY_CHECK' => "tls13-kdf-key-check", # uint @@ -55,6 +56,7 @@ my %params = ( 'PROV_PARAM_X963KDF_KEY_CHECK' => "x963kdf-key-check", # uint 'PROV_PARAM_PBKDF2_LOWER_BOUND_CHECK' => "pbkdf2-lower-bound-check", # uint 'PROV_PARAM_ECDH_COFACTOR_CHECK' => "ecdh-cofactor-check", # uint + 'PROV_PARAM_SIGNATURE_DIGEST_CHECK' => "signature-digest-check", # uint # Self test callback parameters 'PROV_PARAM_SELF_TEST_PHASE' => "st-phase",# utf8_string @@ -188,6 +190,7 @@ my %params = ( 'MAC_PARAM_FIPS_NO_SHORT_MAC' =>'*PROV_PARAM_NO_SHORT_MAC', 'MAC_PARAM_FIPS_KEY_CHECK' => '*PKEY_PARAM_FIPS_KEY_CHECK', 'MAC_PARAM_FIPS_APPROVED_INDICATOR' => '*ALG_PARAM_FIPS_APPROVED_INDICATOR', + 'MAC_PARAM_FIPS_NO_SHORT_MAC' => '*PROV_PARAM_NO_SHORT_MAC', # KDF / PRF parameters 'KDF_PARAM_SECRET' => "secret", # octet string @@ -473,7 +476,7 @@ my %params = ( 'ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION' => "tls-client-version", 'ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION' => "tls-negotiated-version", 'ASYM_CIPHER_PARAM_IMPLICIT_REJECTION' => "implicit-rejection", - 'ASYM_CIPHER_PARAM_PKCS15_PADDING_DISABLED' => "pkcs15-padding-disabled", + 'ASYM_CIPHER_PARAM_FIPS_RSA_PKCS15_PAD_DISABLED' => '*PROV_PARAM_RSA_PKCS15_PAD_DISABLED', 'ASYM_CIPHER_PARAM_FIPS_KEY_CHECK' => '*PKEY_PARAM_FIPS_KEY_CHECK', 'ASYM_CIPHER_PARAM_FIPS_APPROVED_INDICATOR' => '*ALG_PARAM_FIPS_APPROVED_INDICATOR',
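Review bot: The line added in the hunk at -188, `'MAC_PARAM_FIPS_NO_SHORT_MAC' => '*PROV_PARAM_NO_SHORT_MAC',`, repeats a key that is already present three lines above it in the same `%params` list (the context line spelled `=>'*PROV_PARAM_NO_SHORT_MAC'`). Perl keeps the last value for a repeated key and gives no warning; the two values are equal today, so the generated names do not change, but a later edit to only one of the lines would either be ignored or win silently. Drop the added line, and if the spacing was the motivation, correct the existing entry in place instead.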