/* Functions that have different implementations for the FIPS_MODULE */
int ossl_digest_rsa_sign_get_md_nid(const EVP_MD *md);
-int ossl_fips_config_securitycheck_enabled(OSSL_LIB_CTX *libctx);
#include "prov/securitycheck.h"
#include "internal/nelem.h"
-/* Disable the security checks in the default provider */
-int ossl_fips_config_securitycheck_enabled(OSSL_LIB_CTX *libctx)
-{
- return 0;
-}
-
int ossl_digest_rsa_sign_get_md_nid(const EVP_MD *md)
{
int mdnid;
#include <openssl/obj_mac.h>
#include "prov/securitycheck.h"
-int ossl_fips_config_securitycheck_enabled(OSSL_LIB_CTX *libctx)
-{
-#if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
- return ossl_fips_config_security_checks(libctx);
-#else
- return 0;
-#endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
-}
-
int ossl_digest_rsa_sign_get_md_nid(const EVP_MD *md)
{
return ossl_digest_get_approved_nid(md);
if (!key_approved) {
if (!ossl_FIPS_IND_on_unapproved(ind, id, libctx, desc, "Key size",
- ossl_fips_config_securitycheck_enabled)) {
+ FIPS_CONFIG_SECURITY_CHECKS)) {
ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH,
"operation: %s", desc);
return 0;
if (!strength_allowed || !curve_allowed) {
if (!ossl_FIPS_IND_on_unapproved(ind, id, libctx, desc, "EC Key",
- ossl_fips_config_securitycheck_enabled)) {
+ FIPS_CONFIG_SECURITY_CHECKS)) {
if (!curve_allowed)
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CURVE);
if (!strength_allowed)
if (!approved) {
if (!ossl_FIPS_IND_on_unapproved(ind, id, libctx, desc, "Digest",
- ossl_fips_config_securitycheck_enabled)) {
+ FIPS_CONFIG_SECURITY_CHECKS)) {
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST);
return 0;
}
int nid, int sha1_allowed,
int sha512_trunc_allowed,
const char *desc,
- OSSL_FIPS_IND_CHECK_CB *config_check_f)
+ enum fips_config_id config_id)
{
int approved;
const char *op = "none";
}
if (!approved) {
- if (!ossl_FIPS_IND_on_unapproved(ind, id, libctx, desc, op,
- config_check_f)) {
+ if (!ossl_FIPS_IND_on_unapproved(ind, id, libctx, desc, op, config_id)) {
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST);
return 0;
}
int ossl_FIPS_IND_on_unapproved(OSSL_FIPS_IND *ind, int id,
OSSL_LIB_CTX *libctx,
const char *algname, const char *opname,
- OSSL_FIPS_IND_CHECK_CB *config_check_fn)
+ enum fips_config_id config_id)
{
/* Set to unapproved. Once unapproved mode is set this will not be reset */
ind->approved = 0;
* assumed to be strict.
*/
if (ossl_FIPS_IND_get_settable(ind, id) == OSSL_FIPS_IND_STATE_TOLERANT
- || (config_check_fn != NULL
- && config_check_fn(libctx) == OSSL_FIPS_IND_STATE_TOLERANT)) {
+ || (ossl_fips_config(libctx, config_id) == OSSL_FIPS_IND_STATE_TOLERANT)) {
return ossl_FIPS_IND_callback(libctx, algname, opname);
}
/* Strict mode gets here: This returns an error */
* Handles the loading of FIPS algorithm conditional options from a config file
* passed from the core using OSSL_PARAM.
*
- * The perl function generates code that:
- *
- * Creates fields in a structure for each item in the list using the first
- * parameter as the base name.
- *
- * Creates a function to properly initialize each field based on the last
- * parameter in each line.
- *
- * Creates a function to retrieve the values from the core.
- *
- * Creates a function to convert the retrieved string values to integer booleans.
- *
- * Creates getter functions for each parameter.
- */
-{- use OpenSSL::fipsparams qw(produce_fips_indicators); -}
-{- produce_fips_indicators(
- ['security_checks', 'OSSL_PROV_PARAM_SECURITY_CHECKS', '1'],
- ['tls1_prf_ems_check', 'OSSL_PROV_PARAM_TLS1_PRF_EMS_CHECK', '0'],
- ['no_short_mac', 'OSSL_PROV_PARAM_NO_SHORT_MAC', '1'],
- ['hmac_key_check', 'OSSL_PROV_PARAM_HMAC_KEY_CHECK', '0'],
- ['kmac_key_check', 'OSSL_PROV_PARAM_KMAC_KEY_CHECK', '0'],
- ['restricted_drbg_digests', 'OSSL_PROV_PARAM_DRBG_TRUNC_DIGEST', '0'],
- ['signature_digest_check', 'OSSL_PROV_PARAM_SIGNATURE_DIGEST_CHECK', '0'],
- ['hkdf_digest_check', 'OSSL_PROV_PARAM_HKDF_DIGEST_CHECK', '0'],
- ['tls13_kdf_digest_check', 'OSSL_PROV_PARAM_TLS13_KDF_DIGEST_CHECK', '0'],
- ['tls1_prf_digest_check', 'OSSL_PROV_PARAM_TLS1_PRF_DIGEST_CHECK', '0'],
- ['sshkdf_digest_check', 'OSSL_PROV_PARAM_SSHKDF_DIGEST_CHECK', '0'],
- ['sskdf_digest_check', 'OSSL_PROV_PARAM_SSKDF_DIGEST_CHECK', '0'],
- ['x963kdf_digest_check', 'OSSL_PROV_PARAM_X963KDF_DIGEST_CHECK', '0'],
- ['dsa_sign_disallowed', 'OSSL_PROV_PARAM_DSA_SIGN_DISABLED', '0'],
- ['tdes_encrypt_disallowed', 'OSSL_PROV_PARAM_TDES_ENCRYPT_DISABLED', '0'],
- ['rsa_pkcs15_padding_disabled', 'OSSL_PROV_PARAM_RSA_PKCS15_PAD_DISABLED', '0'],
- ['rsa_pss_saltlen_check', 'OSSL_PROV_PARAM_RSA_PSS_SALTLEN_CHECK', '0'],
- ['rsa_sign_x931_disallowed', 'OSSL_PROV_PARAM_RSA_SIGN_X931_PAD_DISABLED', '0'],
- ['hkdf_key_check', 'OSSL_PROV_PARAM_HKDF_KEY_CHECK', '0'],
- ['kbkdf_key_check', 'OSSL_PROV_PARAM_KBKDF_KEY_CHECK', '0'],
- ['tls13_kdf_key_check', 'OSSL_PROV_PARAM_TLS13_KDF_KEY_CHECK', '0'],
- ['tls1_prf_key_check', 'OSSL_PROV_PARAM_TLS1_PRF_KEY_CHECK', '0'],
- ['sshkdf_key_check', 'OSSL_PROV_PARAM_SSHKDF_KEY_CHECK', '0'],
- ['sskdf_key_check', 'OSSL_PROV_PARAM_SSKDF_KEY_CHECK', '0'],
- ['x963kdf_key_check', 'OSSL_PROV_PARAM_X963KDF_KEY_CHECK', '0'],
- ['x942kdf_key_check', 'OSSL_PROV_PARAM_X942KDF_KEY_CHECK', '0'],
- ['pbkdf2_lower_bound_check', 'OSSL_PROV_PARAM_PBKDF2_LOWER_BOUND_CHECK', '1'],
- ['ecdh_cofactor_check', 'OSSL_PROV_PARAM_ECDH_COFACTOR_CHECK', '0']) -}
-/*
- * Handles the loading of FIPS self test parameters from the core using
- * OSSL_PARAM.
- *
- * The perl function generates code that:
- *
- * Creates a function to retrieve the values from the core.
+ * The perl function produce_fips_params() generates code that:
+ * - Defines the FIPS_PARAMS structure with fields for each item.
+ * - Creates a function init_fips_params() to initialize the structure with default values.
+ * - Creates a function fips_get_params_from_core() to retrieve values from the core.
+ * - Defines a macro OSSL_FIPS_PARAMS_DEFN_TYPES listing the parameters.
+ * - Creates a function return_fips_params() to return values to the core.
+ * - Creates accessor functions for parameters marked as 'indicator'.
+ *
+ * The fields of the table below are:
+ * 1. field: The name of the field in the FIPS_PARAMS structure.
+ * 2. name: The OSSL_PARAM name used to identify the parameter.
+ * 3. type: The C type of the field (e.g., "unsigned char" or "const char *").
+ * 4. default: The default value for the field.
+ * 5. description: A tag indicating usage. If set to 'indicator', an accessor function
+ * ossl_fips_config_<field>() is generated.
*/
-{-use OpenSSL::fipsparams qw(produce_fips_selftest_params); -}
-{- produce_fips_selftest_params(
- ['module_filename', 'OSSL_PROV_PARAM_CORE_MODULE_FILENAME'],
- ['module_checksum_data', 'OSSL_PROV_FIPS_PARAM_MODULE_MAC'],
- ['conditional_error_check', 'OSSL_PROV_FIPS_PARAM_CONDITIONAL_ERRORS'],
- ['defer_tests', 'OSSL_PROV_FIPS_PARAM_DEFER_TESTS']) -}
+{- use OpenSSL::fipsparams qw(produce_fips_params); -}
+{- produce_fips_params(
+ [ 'security_checks', 'SECURITY_CHECKS', 'unsigned char', '1', 'indicator' ],
+ [ 'tls1_prf_ems_check', 'TLS1_PRF_EMS_CHECK', 'unsigned char', '0', 'indicator' ],
+ [ 'no_short_mac', 'NO_SHORT_MAC', 'unsigned char', '1', 'indicator' ],
+ [ 'hmac_key_check', 'HMAC_KEY_CHECK', 'unsigned char', '0', 'indicator' ],
+ [ 'kmac_key_check', 'KMAC_KEY_CHECK', 'unsigned char', '0', 'indicator' ],
+ [ 'restricted_drbg_digests', 'DRBG_TRUNC_DIGEST', 'unsigned char', '0', 'indicator' ],
+ [ 'signature_digest_check', 'SIGNATURE_DIGEST_CHECK', 'unsigned char', '0', 'indicator' ],
+ [ 'hkdf_digest_check', 'HKDF_DIGEST_CHECK', 'unsigned char', '0', 'indicator' ],
+ [ 'tls13_kdf_digest_check', 'TLS13_KDF_DIGEST_CHECK', 'unsigned char', '0', 'indicator' ],
+ [ 'tls1_prf_digest_check', 'TLS1_PRF_DIGEST_CHECK', 'unsigned char', '0', 'indicator' ],
+ [ 'sshkdf_digest_check', 'SSHKDF_DIGEST_CHECK', 'unsigned char', '0', 'indicator' ],
+ [ 'sskdf_digest_check', 'SSKDF_DIGEST_CHECK', 'unsigned char', '0', 'indicator' ],
+ [ 'x963kdf_digest_check', 'X963KDF_DIGEST_CHECK', 'unsigned char', '0', 'indicator' ],
+ [ 'dsa_sign_disallowed', 'DSA_SIGN_DISABLED', 'unsigned char', '0', 'indicator' ],
+ [ 'tdes_encrypt_disallowed', 'TDES_ENCRYPT_DISABLED', 'unsigned char', '0', 'indicator' ],
+ [ 'rsa_pkcs15_padding_disabled', 'RSA_PKCS15_PAD_DISABLED', 'unsigned char', '0', 'indicator' ],
+ [ 'rsa_pss_saltlen_check', 'RSA_PSS_SALTLEN_CHECK', 'unsigned char', '0', 'indicator' ],
+ [ 'rsa_sign_x931_disallowed', 'RSA_SIGN_X931_PAD_DISABLED', 'unsigned char', '0', 'indicator' ],
+ [ 'hkdf_key_check', 'HKDF_KEY_CHECK', 'unsigned char', '0', 'indicator' ],
+ [ 'kbkdf_key_check', 'KBKDF_KEY_CHECK', 'unsigned char', '0', 'indicator' ],
+ [ 'tls13_kdf_key_check', 'TLS13_KDF_KEY_CHECK', 'unsigned char', '0', 'indicator' ],
+ [ 'tls1_prf_key_check', 'TLS1_PRF_KEY_CHECK', 'unsigned char', '0', 'indicator' ],
+ [ 'sshkdf_key_check', 'SSHKDF_KEY_CHECK', 'unsigned char', '0', 'indicator' ],
+ [ 'sskdf_key_check', 'SSKDF_KEY_CHECK', 'unsigned char', '0', 'indicator' ],
+ [ 'x963kdf_key_check', 'X963KDF_KEY_CHECK', 'unsigned char', '0', 'indicator' ],
+ [ 'x942kdf_key_check', 'X942KDF_KEY_CHECK', 'unsigned char', '0', 'indicator' ],
+ [ 'pbkdf2_lower_bound_check', 'PBKDF2_LOWER_BOUND_CHECK', 'unsigned char', '1', 'indicator' ],
+ [ 'ecdh_cofactor_check', 'ECDH_COFACTOR_CHECK', 'unsigned char', '0', 'indicator' ],
+ [ 'module_filename', 'OSSL_PROV_PARAM_CORE_MODULE_FILENAME', 'const char *', 'NULL', 'selftest' ],
+ [ 'module_checksum_data', 'OSSL_PROV_FIPS_PARAM_MODULE_MAC', 'const char *', 'NULL', 'selftest' ],
+ [ 'conditional_error_check', 'OSSL_PROV_FIPS_PARAM_CONDITIONAL_ERRORS', 'unsigned char', '1', 'selftest' ],
+ [ 'defer_tests', 'OSSL_PROV_FIPS_PARAM_DEFER_TESTS', 'unsigned char', '0', 'selftest' ]) -}
static OSSL_FUNC_indicator_cb_fn *c_indcbfn = NULL;
static OSSL_FUNC_core_get_libctx_fn *c_get_libctx = NULL;
-typedef struct {
- const char *option;
- unsigned char enabled;
-} FIPS_OPTION;
-
-typedef struct fips_global_st FIPS_GLOBAL;
-typedef struct fips_indicators_st FIPS_INDICATORS;
-static FIPS_INDICATORS *get_fips_indicators(FIPS_GLOBAL *fgbl);
-#include "fipsparams.inc"
+#include "providers/fips/fipsparams.inc"
typedef struct fips_global_st {
const OSSL_CORE_HANDLE *handle;
SELF_TEST_POST_PARAMS selftest_params;
- FIPS_INDICATORS fips_indicators;
+ FIPS_PARAMS fips_params;
/* Guards access to deferred self-test */
CRYPTO_RWLOCK *deferred_lock;
} FIPS_GLOBAL;
-static inline FIPS_INDICATORS *get_fips_indicators(FIPS_GLOBAL *fgbl)
+static inline FIPS_PARAMS *get_fips_params(FIPS_GLOBAL *fgbl)
{
- return &fgbl->fips_indicators;
+ return &fgbl->fips_params;
}
void *ossl_fips_prov_ossl_ctx_new(OSSL_LIB_CTX *libctx)
if (fgbl == NULL)
return NULL;
- init_fips_indicators(&fgbl->fips_indicators);
+ init_fips_params(&fgbl->fips_params);
return fgbl;
}
return RAND_bytes_ex(libctx, buf, n, strength);
}
-/*
- * Parameters to retrieve from the core provider
- * NOTE: inside core_get_params() these will be loaded from config items
- * stored inside prov->parameters
- */
-static int fips_get_params_from_core(FIPS_GLOBAL *fgbl)
-{
- OSSL_PARAM core_params[33], *p = core_params;
-
- /* Parameters required for self testing */
- p = get_fips_selftest_params_from_core(p, &fgbl->selftest_params);
-
- /* FIPS indicator options can be enabled or disabled independently */
- p = get_fips_indicator_params_from_core(p, &fgbl->fips_indicators);
-
- *p = OSSL_PARAM_construct_end();
-
- if (!c_get_params(fgbl->handle, core_params)) {
- ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
- return 0;
- }
-
- return set_fips_indicators_from_core(&fgbl->fips_indicators);
-}
-
static const OSSL_PARAM *fips_gettable_params(void *provctx)
{
/* Parameters we provide to the core */
OSSL_PARAM_DEFN(OSSL_PROV_PARAM_VERSION, OSSL_PARAM_UTF8_PTR, NULL, 0),
OSSL_PARAM_DEFN(OSSL_PROV_PARAM_BUILDINFO, OSSL_PARAM_UTF8_PTR, NULL, 0),
OSSL_PARAM_DEFN(OSSL_PROV_PARAM_STATUS, OSSL_PARAM_INTEGER, NULL, 0),
- OSSL_FIPS_INDICATOR_PARAM_TYPES,
+ OSSL_FIPS_PARAMS_DEFN_TYPES,
OSSL_PARAM_END
};
return fips_param_types;
if (p != NULL && !OSSL_PARAM_set_int(p, ossl_prov_is_running()))
return 0;
- return get_fips_indicator_params(params, &fgbl->fips_indicators);
+ return return_fips_params(params, &fgbl->fips_params);
}
static void set_self_test_cb(FIPS_GLOBAL *fgbl)
if (!ossl_provider_activate_fallbacks(libctx))
goto err;
+ /* Retrieve all FIPS parameters from core so they can be used later */
+ if (!fips_get_params_from_core(fgbl->handle, &fgbl->fips_params)) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
+ goto err;
+ }
+
+ /* disable security_checks if needed */
+#ifdef OPENSSL_NO_FIPS_SECURITYCHECKS
+ fgbl->fips_params.security_checks = 0;
+#endif
+
/*
* We did initial set up of selftest_params in a local copy, because we
* could not create fgbl until c_CRYPTO_zalloc was defined in the loop
* above.
*/
fgbl->selftest_params = selftest_params;
-
+ fgbl->selftest_params.module_filename = fgbl->fips_params.module_filename;
+ fgbl->selftest_params.module_checksum_data = fgbl->fips_params.module_checksum_data;
+ fgbl->selftest_params.defer_tests = fgbl->fips_params.defer_tests;
fgbl->selftest_params.libctx = libctx;
set_self_test_cb(fgbl);
-
- if (!fips_get_params_from_core(fgbl)) {
- /* Error already raised */
- goto err;
- }
/*
* Disable the conditional error check if it's disabled in the fips config
* file.
*/
- if (fgbl->selftest_params.conditional_error_check != NULL
- && strcmp(fgbl->selftest_params.conditional_error_check, "0") == 0)
+ if (fgbl->fips_params.conditional_error_check == 0)
SELF_TEST_disable_conditional_error_state();
ossl_prov_cache_exported_algorithms(fips_ciphers, exported_fips_ciphers);
void ossl_FIPS_IND_set_settable(OSSL_FIPS_IND *ind, int id, int enable);
int ossl_FIPS_IND_get_settable(const OSSL_FIPS_IND *ind, int id);
int ossl_FIPS_IND_on_unapproved(OSSL_FIPS_IND *ind, int id, OSSL_LIB_CTX *libctx,
- const char *algname, const char *opname,
- OSSL_FIPS_IND_CHECK_CB *config_check_fn);
+ const char *algname, const char *opname, enum fips_config_id config_id);
int ossl_FIPS_IND_set_ctx_param(OSSL_FIPS_IND *ind, int id, const OSSL_PARAM *p);
int ossl_FIPS_IND_set_ctx_param_locate(OSSL_FIPS_IND *ind, int id,
const OSSL_PARAM params[],
* If there is more than 1 strict check flag per algorithm ctx, the id represents
* the index.
*/
-#define OSSL_FIPS_IND_ON_UNAPPROVED(ctx, id, libctx, algname, opname, config_check_fn) \
- ossl_FIPS_IND_on_unapproved(&ctx->indicator, id, libctx, algname, opname, config_check_fn)
+#define OSSL_FIPS_IND_ON_UNAPPROVED(ctx, id, libctx, algname, opname, config_id) \
+ ossl_FIPS_IND_on_unapproved(&ctx->indicator, id, libctx, algname, opname, config_id)
#define OSSL_FIPS_IND_SETTABLE_CTX_PARAM(name) \
OSSL_PARAM_int(name, NULL),
int nid, int sha1_allowed,
int sha512_trunc_allowed,
const char *desc,
- OSSL_FIPS_IND_CHECK_CB *config_check_f);
+ enum fips_config_id config_id);
#else
#define OSSL_FIPS_IND_DECLARE
#ifdef FIPS_MODULE
#include <openssl/types.h>
-int ossl_fips_config_security_checks(OSSL_LIB_CTX *libctx);
-int ossl_fips_config_tls1_prf_ems_check(OSSL_LIB_CTX *libctx);
-int ossl_fips_config_no_short_mac(OSSL_LIB_CTX *libctx);
-int ossl_fips_config_hmac_key_check(OSSL_LIB_CTX *libctx);
-int ossl_fips_config_kmac_key_check(OSSL_LIB_CTX *libctx);
-int ossl_fips_config_restricted_drbg_digests(OSSL_LIB_CTX *libctx);
-int ossl_fips_config_signature_digest_check(OSSL_LIB_CTX *libctx);
-int ossl_fips_config_hkdf_digest_check(OSSL_LIB_CTX *libctx);
-int ossl_fips_config_tls13_kdf_digest_check(OSSL_LIB_CTX *libctx);
-int ossl_fips_config_tls1_prf_digest_check(OSSL_LIB_CTX *libctx);
-int ossl_fips_config_sshkdf_digest_check(OSSL_LIB_CTX *libctx);
-int ossl_fips_config_sskdf_digest_check(OSSL_LIB_CTX *libctx);
-int ossl_fips_config_x963kdf_digest_check(OSSL_LIB_CTX *libctx);
-int ossl_fips_config_dsa_sign_disallowed(OSSL_LIB_CTX *libctx);
-int ossl_fips_config_tdes_encrypt_disallowed(OSSL_LIB_CTX *libctx);
-int ossl_fips_config_rsa_pkcs15_padding_disabled(OSSL_LIB_CTX *libctx);
-int ossl_fips_config_rsa_pss_saltlen_check(OSSL_LIB_CTX *libctx);
-int ossl_fips_config_rsa_sign_x931_disallowed(OSSL_LIB_CTX *libctx);
-int ossl_fips_config_hkdf_key_check(OSSL_LIB_CTX *libctx);
-int ossl_fips_config_kbkdf_key_check(OSSL_LIB_CTX *libctx);
-int ossl_fips_config_tls13_kdf_key_check(OSSL_LIB_CTX *libctx);
-int ossl_fips_config_tls1_prf_key_check(OSSL_LIB_CTX *libctx);
-int ossl_fips_config_sshkdf_key_check(OSSL_LIB_CTX *libctx);
-int ossl_fips_config_sskdf_key_check(OSSL_LIB_CTX *libctx);
-int ossl_fips_config_x963kdf_key_check(OSSL_LIB_CTX *libctx);
-int ossl_fips_config_x942kdf_key_check(OSSL_LIB_CTX *libctx);
-int ossl_fips_config_pbkdf2_lower_bound_check(OSSL_LIB_CTX *libctx);
-int ossl_fips_config_ecdh_cofactor_check(OSSL_LIB_CTX *libctx);
+#define FIPSPARAMS_AS_HEADER
+#include "providers/fips/fipsparams.inc"
+#undef FIPSPARAMS_AS_HEADER
+
+int ossl_fips_config(OSSL_LIB_CTX *libctx, enum fips_config_id id);
#endif
goto locked_end;
}
- if ((st->defer_tests != NULL)
- && strcmp(st->defer_tests, "1") == 0) {
+ if (st->defer_tests == 1) {
/* Mark all non executed tests as deferred */
for (int i = 0; i < ST_ID_MAX; i++) {
if (st_all_tests[i].state == SELF_TEST_STATE_INIT) {
const char *module_filename; /* Module file to perform MAC on */
const char *module_checksum_data; /* Expected module MAC integrity */
- /* Used for continuous tests */
- const char *conditional_error_check;
-
/* Used to decide whether to defer tests or not */
- const char *defer_tests;
+ unsigned char defer_tests;
/* BIO callbacks supplied to the FIPS provider */
OSSL_FUNC_BIO_new_file_fn *bio_new_file_cb;
&& !OSSL_FIPS_IND_ON_UNAPPROVED(prsactx, OSSL_FIPS_IND_SETTABLE1,
prsactx->libctx, "RSA Encrypt",
"PKCS#1 v1.5 padding",
- ossl_fips_config_rsa_pkcs15_padding_disabled)) {
+ FIPS_CONFIG_RSA_PKCS15_PAD_DISABLED)) {
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE);
return 0;
}
static int tdes_encrypt_check_approved(PROV_TDES_CTX *ctx, int enc)
{
/* Triple-DES encryption is not approved in FIPS 140-3 */
- if (enc && !OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE0, ctx->base.libctx, "Triple-DES", "Encryption", ossl_fips_config_tdes_encrypt_disallowed))
+ if (enc
+ && !OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE0,
+ ctx->base.libctx, "Triple-DES", "Encryption",
+ FIPS_CONFIG_TDES_ENCRYPT_DISABLED))
return 0;
return 1;
}
if (!key_approved) {
if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE0,
ctx->libctx, "DH Init", "DH Key",
- ossl_fips_config_securitycheck_enabled)) {
+ FIPS_CONFIG_SECURITY_CHECKS)) {
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
return 0;
}
if (has_cofactor && !cofactor_approved) {
if (!OSSL_FIPS_IND_ON_UNAPPROVED(pecdhctx, OSSL_FIPS_IND_SETTABLE2,
pecdhctx->libctx, "ECDH", "Cofactor",
- ossl_fips_config_ecdh_cofactor_check)) {
+ FIPS_CONFIG_ECDH_COFACTOR_CHECK)) {
ERR_raise(ERR_LIB_PROV, PROV_R_COFACTOR_REQUIRED);
goto end;
}
if (!key_approved) {
if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE0,
libctx, "HKDF", "Key size",
- ossl_fips_config_hkdf_key_check)) {
+ FIPS_CONFIG_HKDF_KEY_CHECK)) {
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
return 0;
}
if (digest_unapproved) {
if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE0,
libctx, "TLS13 KDF", "Digest",
- ossl_fips_config_tls13_kdf_digest_check)) {
+ FIPS_CONFIG_TLS13_KDF_DIGEST_CHECK)) {
ERR_raise(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED);
return 0;
}
if (!key_approved) {
if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE1,
libctx, "TLS13 KDF", "Key size",
- ossl_fips_config_tls13_kdf_key_check)) {
+ FIPS_CONFIG_TLS13_KDF_KEY_CHECK)) {
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
return 0;
}
if (!key_approved) {
if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE0,
libctx, "KBKDF", "Key size",
- ossl_fips_config_kbkdf_key_check)) {
+ FIPS_CONFIG_KBKDF_KEY_CHECK)) {
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
return 0;
}
if (!approved) {
if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE0, libctx,
"PBKDF2", desc,
- ossl_fips_config_pbkdf2_lower_bound_check)) {
+ FIPS_CONFIG_PBKDF2_LOWER_BOUND_CHECK)) {
ERR_raise(ERR_LIB_PROV, error);
return 0;
}
if (digest_unapproved) {
if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE0,
libctx, "SSHKDF", "Digest",
- ossl_fips_config_sshkdf_digest_check)) {
+ FIPS_CONFIG_SSHKDF_DIGEST_CHECK)) {
ERR_raise(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED);
return 0;
}
if (!key_approved) {
if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE1,
libctx, "SSHKDF", "Key size",
- ossl_fips_config_sshkdf_key_check)) {
+ FIPS_CONFIG_SSHKDF_KEY_CHECK)) {
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
return 0;
}
if (!key_approved) {
if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE0,
libctx, "SSKDF", "Key size",
- ossl_fips_config_sskdf_key_check)) {
+ FIPS_CONFIG_SSKDF_KEY_CHECK)) {
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
return 0;
}
if (digest_unapproved) {
if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE0,
libctx, "X963KDF", "Digest",
- ossl_fips_config_x963kdf_digest_check)) {
+ FIPS_CONFIG_X963KDF_DIGEST_CHECK)) {
ERR_raise(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED);
return 0;
}
if (!key_approved) {
if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE1,
libctx, "X963KDF", "Key size",
- ossl_fips_config_x963kdf_key_check)) {
+ FIPS_CONFIG_X963KDF_KEY_CHECK)) {
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
return 0;
}
if (!ems_approved) {
if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE0,
libctx, "TLS_PRF", "EMS",
- ossl_fips_config_tls1_prf_ems_check)) {
+ FIPS_CONFIG_TLS1_PRF_EMS_CHECK)) {
ERR_raise(ERR_LIB_PROV, PROV_R_EMS_NOT_ENABLED);
return 0;
}
if (digest_unapproved) {
if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE1,
libctx, "TLS_PRF", "Digest",
- ossl_fips_config_tls1_prf_digest_check)) {
+ FIPS_CONFIG_TLS1_PRF_DIGEST_CHECK)) {
ERR_raise(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED);
return 0;
}
if (!key_approved) {
if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE2,
libctx, "TLS_PRF", "Key size",
- ossl_fips_config_tls1_prf_key_check)) {
+ FIPS_CONFIG_TLS1_PRF_KEY_CHECK)) {
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
return 0;
}
if (!key_approved) {
if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE0,
libctx, "X942KDF", "Key size",
- ossl_fips_config_x942kdf_key_check)) {
+ FIPS_CONFIG_X942KDF_KEY_CHECK)) {
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
return 0;
}
*/
if (!OSSL_FIPS_IND_ON_UNAPPROVED(gctx, OSSL_FIPS_IND_SETTABLE0,
gctx->libctx, "DSA", "Keygen",
- ossl_fips_config_dsa_sign_disallowed))
+ FIPS_CONFIG_DSA_SIGN_DISABLED))
return 0;
#endif
if (EVP_CIPHER_is_a(cipher, "DES-EDE3-CBC")) {
if (!OSSL_FIPS_IND_ON_UNAPPROVED(macctx, OSSL_FIPS_IND_SETTABLE0,
libctx, "CMAC", "Triple-DES",
- ossl_fips_config_tdes_encrypt_disallowed))
+ FIPS_CONFIG_TDES_ENCRYPT_DISABLED))
return 0;
OSSL_FIPS_IND_GET_PARAM(macctx, p, state, OSSL_FIPS_IND_SETTABLE0,
OSSL_CIPHER_PARAM_FIPS_ENCRYPT_CHECK)
if (!approved) {
if (!OSSL_FIPS_IND_ON_UNAPPROVED(macctx, OSSL_FIPS_IND_SETTABLE0,
libctx, "HMAC", "keysize",
- ossl_fips_config_hmac_key_check)) {
+ FIPS_CONFIG_HMAC_KEY_CHECK)) {
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
return 0;
}
if (!OSSL_FIPS_IND_ON_UNAPPROVED(kctx, OSSL_FIPS_IND_SETTABLE1,
PROV_LIBCTX_OF(kctx->provctx),
"KMAC", "Key size",
- ossl_fips_config_kmac_key_check)) {
+ FIPS_CONFIG_KMAC_KEY_CHECK)) {
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
return 0;
}
if (!OSSL_FIPS_IND_ON_UNAPPROVED(kctx, OSSL_FIPS_IND_SETTABLE0,
PROV_LIBCTX_OF(kctx->provctx),
"KMAC", "length",
- ossl_fips_config_no_short_mac)) {
+ FIPS_CONFIG_NO_SHORT_MAC)) {
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_OUTPUT_LENGTH);
return 0;
}
if (!approved) {
if (!OSSL_FIPS_IND_ON_UNAPPROVED(drbg, OSSL_FIPS_IND_SETTABLE0,
libctx, "DRBG", "Digest",
- ossl_fips_config_restricted_drbg_digests)) {
+ FIPS_CONFIG_DRBG_TRUNC_DIGEST)) {
ERR_raise(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED);
return 0;
}
OSSL_FIPS_IND_SETTABLE1,
ctx->libctx,
md_nid, sha1_allowed, 0, desc,
- ossl_fips_config_signature_digest_check))
+ FIPS_CONFIG_SIGNATURE_DIGEST_CHECK))
goto err;
}
#endif
if (signing
&& !OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE2,
ctx->libctx, desc, "DSA",
- ossl_fips_config_dsa_sign_disallowed))
+ FIPS_CONFIG_DSA_SIGN_DISABLED))
return 0;
return 1;
}
if (!approved) {
if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE0,
ctx->libctx, desc, "DSA Key",
- ossl_fips_config_signature_digest_check)) {
+ FIPS_CONFIG_SIGNATURE_DIGEST_CHECK)) {
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
return 0;
}
OSSL_FIPS_IND_SETTABLE1,
ctx->libctx,
md_nid, sha1_allowed, 0, desc,
- ossl_fips_config_signature_digest_check))
+ FIPS_CONFIG_SIGNATURE_DIGEST_CHECK))
goto err;
}
#endif
OSSL_FIPS_IND_SETTABLE1,
ctx->libctx,
md_nid, sha1_allowed, 1, desc,
- ossl_fips_config_signature_digest_check))
+ FIPS_CONFIG_SIGNATURE_DIGEST_CHECK))
goto err;
}
#endif
if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE3,
ctx->libctx,
algoname, "PSS Salt Length",
- ossl_fips_config_rsa_pss_saltlen_check)) {
+ FIPS_CONFIG_RSA_PSS_SALTLEN_CHECK)) {
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH);
return 0;
}
if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE2,
ctx->libctx,
"RSA Sign set ctx", "X931 Padding",
- ossl_fips_config_rsa_sign_x931_disallowed)) {
+ FIPS_CONFIG_RSA_SIGN_X931_PAD_DISABLED)) {
ERR_raise(ERR_LIB_PROV,
PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
return 0;
use Exporter;
our @ISA = qw(Exporter);
-our @EXPORT_OK = qw(produce_fips_indicators produce_fips_selftest_params);
+our @EXPORT_OK = qw(produce_fips_params);
-sub produce_fips_indicators {
+sub produce_fips_params {
my @params = @_;
my $s;
open(local *STDOUT, '>', \$s);
print "/* Machine generated by util/perl/OpenSSL/fipsparams.pm */\n";
print "\n";
- print "typedef struct fips_indicators_st {\n";
+
+ print "#ifdef FIPSPARAMS_AS_HEADER\n";
+ print "enum fips_config_id {\n";
+ my $first = " = 1";
foreach my $p (@params) {
- printf " const char *%s_string;\n", $p->[0];
- printf " unsigned char %s_enabled;\n", $p->[0];
+ my $name = $p->[1];
+ my $use = $p->[4];
+ if ($use eq 'indicator') {
+ print " FIPS_CONFIG_$name$first,\n";
+ $first = "";
+ }
}
- print "} FIPS_INDICATORS;\n";
+ print "};\n";
+ print "#else /* FIPSPARAMS_AS_HEADER */\n";
print "\n";
- print "static void init_fips_indicators(FIPS_INDICATORS *indicators)\n";
- print "{\n";
+ print "typedef struct fips_params_st {\n";
foreach my $p (@params) {
my $field = $p->[0];
- my $name = $p->[1];
- my $enabled = $p->[2];
- printf " indicators->%s_string = \"%s\";\n", $field, $enabled;
- printf " indicators->%s_enabled = %s;\n", $field, $enabled;
+ my $type = $p->[2];
+ my $sep = $type =~ /\*$/ ? "" : " ";
+ printf " $type$sep$field;\n";
}
- print "}\n";
+ print "} FIPS_PARAMS;\n";
print "\n";
- print "static OSSL_PARAM *get_fips_indicator_params_from_core(\n";
- print " OSSL_PARAM *op, FIPS_INDICATORS *fi)\n";
+ print "static void init_fips_params(FIPS_PARAMS *fp)\n";
print "{\n";
foreach my $p (@params) {
my $field = $p->[0];
- my $name = $p->[1];
- print " *op++ = OSSL_PARAM_construct_utf8_ptr(\n";
- printf " $name, (char **)&fi->%s_string,\n", $field;
- printf " sizeof(fi->%s_string));\n", $field;
+ my $default = $p->[3];
+ printf " fp->$field = $default;\n";
}
- print " return op;\n";
print "}\n";
print "\n";
- print "#define OSSL_FIPS_INDICATOR_PARAM_TYPES \\\n";
- my $cnt = 0;
+ print "/*\n";
+ print " * Parameters to retrieve from the core provider\n";
+ print " * NOTE: inside core_get_params() these will be loaded from config items\n";
+ print " * stored inside prov->parameters\n";
+ print " */\n";
+ print "static int fips_get_params_from_core(\n";
+ print " const OSSL_CORE_HANDLE *handle, FIPS_PARAMS *fp)\n";
+ print "{\n";
+ foreach my $p (@params) {
+ my $field = $p->[0];
+ print " const char *$field = NULL;\n";
+ }
+ print " OSSL_PARAM core_params[] = {\n";
foreach my $p (@params) {
+ my $field = $p->[0];
my $name = $p->[1];
- print " OSSL_PARAM_DEFN($name, OSSL_PARAM_INTEGER, NULL, 0)";
- print "," if ($cnt++ < $#params);
- print "\\\n";
+ my $type = $p->[2];
+ my $use = $p->[4];
+ if ($use eq 'indicator') {
+ $name = "OSSL_PROV_PARAM_" . $name;
+ }
+ print " OSSL_PARAM_construct_utf8_ptr($name,\n";
+ print " (char **)&$field, 0),\n";
}
+ print " OSSL_PARAM_construct_end()\n";
+ print " };\n";
+ print " OSSL_PARAM *p = core_params;\n";
print "\n";
-
+ print " if (!c_get_params(handle, core_params)) {\n";
+ print " return 0;\n";
+ print " }\n";
print "\n";
- print "static int get_fips_indicator_params(OSSL_PARAM *params, FIPS_INDICATORS *fi)\n";
- print "{\n";
- print " OSSL_PARAM *p;\n";
+ print " for (;p->key != NULL; p++) {\n";
+ print " if (OSSL_PARAM_modified(p)) {\n";
foreach my $p (@params) {
my $field = $p->[0];
my $name = $p->[1];
- print " p = OSSL_PARAM_locate(params, $name);\n";
- printf " if (p != NULL && !OSSL_PARAM_set_int(p, fi->%s_enabled))\n", $field;
- print " return 0;\n";
+ my $type = $p->[2];
+ my $use = $p->[4];
+ if ($use eq 'indicator') {
+ $name = "OSSL_PROV_PARAM_" . $name;
+ }
+ print " if (strcmp($name, p->key) == 0) {\n";
+ if ($type eq 'const char *') {
+ print " fp->$field = $field;\n";
+ } elsif ($type eq 'unsigned char') {
+ print " if ($field != NULL\n";
+ print " && strcmp($field, \"1\") == 0)\n";
+ print " fp->$field = 1;\n";
+ print " else if ($field != NULL\n";
+ print " && strcmp($field, \"0\") == 0)\n";
+ print " fp->$field = 0;\n";
+ print " else\n";
+ print " return 0;\n";
+ }
+ print " }\n";
}
+ print " }\n";
+ print " }\n";
print " return 1;\n";
print "}\n";
print "\n";
- print "static int set_fips_indicators_from_core(FIPS_INDICATORS *fi)\n";
- print "{\n";
+ print "#define OSSL_FIPS_PARAMS_DEFN_TYPES \\\n";
+ my $cnt = 0;
+ my $sep = "";
foreach my $p (@params) {
- my $field = $p->[0];
- printf " if (fi->%s_string != NULL) {\n", $field;
- printf " if (strcmp(fi->%s_string, \"1\") == 0)\n", $field;
- printf " fi->%s_enabled = 1;\n", $field;
- printf " else if (strcmp(fi->%s_string, \"0\") == 0)\n", $field;
- printf " fi->%s_enabled = 0;\n", $field;
- print " else\n";
- print " return 0;\n";
- print " }\n";
+ my $use = $p->[4];
+ if ($use eq 'indicator') {
+ my $name = "OSSL_PROV_PARAM_" . $p->[1];
+ print "$sep OSSL_PARAM_DEFN($name, OSSL_PARAM_INTEGER, NULL, 0)";
+ $sep = ", \\\n";
+ }
}
- print " return 1;\n";
- print "}\n";
+ print "\n";
+ print "\n";
+ print "static int return_fips_params(OSSL_PARAM *params, FIPS_PARAMS *fp)\n";
+ print "{\n";
+ print " OSSL_PARAM *p = params;\n";
+ print "\n";
+ print " for (;p->key != NULL; p++) {\n";
foreach my $p (@params) {
my $field = $p->[0];
- print "\n";
- printf "int ossl_fips_config_%s(OSSL_LIB_CTX *libctx)\n", $field;
- print "{\n";
- print " FIPS_GLOBAL *fgbl = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_FIPS_PROV_INDEX);\n";
- print " FIPS_INDICATORS *indicators = get_fips_indicators(fgbl);\n";
- printf " return indicators->%s_enabled;\n", $field;
- print "}\n";
+ my $use = $p->[4];
+ if ($use eq 'indicator') {
+ my $name = "OSSL_PROV_PARAM_" . $p->[1];
+ print " if (strcmp($name, p->key) == 0)\n";
+ print " if (!OSSL_PARAM_set_int(p, fp->$field))\n";
+ print " return 0;\n";
+ }
}
+ print " }\n";
+ print " return 1;\n";
+ print "}\n";
- return $s;
-}
-
-sub produce_fips_selftest_params {
- my @params = @_;
- my $s;
- open(local *STDOUT, '>', \$s);
-
- print "/* Machine generated by util/perl/OpenSSL/fipsparams.pm */\n";
-
- print "static OSSL_PARAM *get_fips_selftest_params_from_core(\n";
- print " OSSL_PARAM *op, SELF_TEST_POST_PARAMS *stpp)\n";
+ print "\n";
+ print "struct fips_global_st;\n";
+ print "static FIPS_PARAMS *get_fips_params(struct fips_global_st *fgbl);\n";
+ print "int ossl_fips_config(OSSL_LIB_CTX *libctx, enum fips_config_id id)\n";
print "{\n";
+ print " struct fips_global_st *fgbl = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_FIPS_PROV_INDEX);\n";
+ print " FIPS_PARAMS *params = get_fips_params(fgbl);\n";
+ print " switch (id) {\n";
foreach my $p (@params) {
my $field = $p->[0];
- my $name = $p->[1];
- print " *op++ = OSSL_PARAM_construct_utf8_ptr(\n";
- print " $name, (char **)&stpp->$field,\n";
- print " sizeof(stpp->$field));\n";
+ my $use = $p->[4];
+ if ($use eq 'indicator') {
+ my $id = "FIPS_CONFIG_" . $p->[1];
+ print " case $id:\n";
+ print " return params->$field;\n";
+ }
}
- print " return op;\n";
+ print " default:\n";
+ print " return -1;\n";
+ print " }\n";
print "}\n";
+ print "\n";
+ print "#endif /* FIPSPARAMS_AS_HEADER */\n";
+
return $s;
}
projects / thirdparty / openssl.git / commitdiff
