providers/common/include/prov/der_sm2.h
providers/common/include/prov/der_ml_dsa.h
providers/common/include/prov/der_hkdf.h
+providers/fips/fipsparams.inc
providers/implementations/asymciphers/rsa_enc.inc
providers/implementations/asymciphers/sm2_enc.inc
providers/implementations/exchange/dh_exch.inc
# It is necessary to have an explicit entry point
SOURCE[../fips]=fips_entry.c
+
+DEPEND[]=fipsparams.inc
+DEPEND[fipsparams.inc]=../../util/perl|OpenSSL/fipsparams.pm
+GENERATE[fipsparams.inc]=fipsparams.inc.in
--- /dev/null
+/*
+ * Copyright 2026 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/*
+ * Handles the loading of FIPS algorithm conditional options from a config file
+ * passed from the core using OSSL_PARAM.
+ *
+ * The perl function generates code that:
+ *
+ * Creates fields in a structure for each item in the list using the first
+ * parameter as the base name.
+ *
+ * Creates a function to properly initialize each field based on the last
+ * parameter in each line.
+ *
+ * Creates a function to retrieve the values from the core.
+ *
+ * Creates a function to convert the retrieved string values to integer booleans.
+ *
+ * Creates getter functions for each parameter.
+ */
+{- use OpenSSL::fipsparams qw(produce_fips_indicators); -}
+{- produce_fips_indicators(
+ ['security_checks', 'OSSL_PROV_PARAM_SECURITY_CHECKS', '1'],
+ ['tls1_prf_ems_check', 'OSSL_PROV_PARAM_TLS1_PRF_EMS_CHECK', '0'],
+ ['no_short_mac', 'OSSL_PROV_PARAM_NO_SHORT_MAC', '1'],
+ ['hmac_key_check', 'OSSL_PROV_PARAM_HMAC_KEY_CHECK', '0'],
+ ['kmac_key_check', 'OSSL_PROV_PARAM_KMAC_KEY_CHECK', '0'],
+ ['restricted_drbg_digests', 'OSSL_PROV_PARAM_DRBG_TRUNC_DIGEST', '0'],
+ ['signature_digest_check', 'OSSL_PROV_PARAM_SIGNATURE_DIGEST_CHECK', '0'],
+ ['hkdf_digest_check', 'OSSL_PROV_PARAM_HKDF_DIGEST_CHECK', '0'],
+ ['tls13_kdf_digest_check', 'OSSL_PROV_PARAM_TLS13_KDF_DIGEST_CHECK', '0'],
+ ['tls1_prf_digest_check', 'OSSL_PROV_PARAM_TLS1_PRF_DIGEST_CHECK', '0'],
+ ['sshkdf_digest_check', 'OSSL_PROV_PARAM_SSHKDF_DIGEST_CHECK', '0'],
+ ['sskdf_digest_check', 'OSSL_PROV_PARAM_SSKDF_DIGEST_CHECK', '0'],
+ ['x963kdf_digest_check', 'OSSL_PROV_PARAM_X963KDF_DIGEST_CHECK', '0'],
+ ['dsa_sign_disallowed', 'OSSL_PROV_PARAM_DSA_SIGN_DISABLED', '0'],
+ ['tdes_encrypt_disallowed', 'OSSL_PROV_PARAM_TDES_ENCRYPT_DISABLED', '0'],
+ ['rsa_pkcs15_padding_disabled', 'OSSL_PROV_PARAM_RSA_PKCS15_PAD_DISABLED', '0'],
+ ['rsa_pss_saltlen_check', 'OSSL_PROV_PARAM_RSA_PSS_SALTLEN_CHECK', '0'],
+ ['rsa_sign_x931_disallowed', 'OSSL_PROV_PARAM_RSA_SIGN_X931_PAD_DISABLED', '0'],
+ ['hkdf_key_check', 'OSSL_PROV_PARAM_HKDF_KEY_CHECK', '0'],
+ ['kbkdf_key_check', 'OSSL_PROV_PARAM_KBKDF_KEY_CHECK', '0'],
+ ['tls13_kdf_key_check', 'OSSL_PROV_PARAM_TLS13_KDF_KEY_CHECK', '0'],
+ ['tls1_prf_key_check', 'OSSL_PROV_PARAM_TLS1_PRF_KEY_CHECK', '0'],
+ ['sshkdf_key_check', 'OSSL_PROV_PARAM_SSHKDF_KEY_CHECK', '0'],
+ ['sskdf_key_check', 'OSSL_PROV_PARAM_SSKDF_KEY_CHECK', '0'],
+ ['x963kdf_key_check', 'OSSL_PROV_PARAM_X963KDF_KEY_CHECK', '0'],
+ ['x942kdf_key_check', 'OSSL_PROV_PARAM_X942KDF_KEY_CHECK', '0'],
+ ['pbkdf2_lower_bound_check', 'OSSL_PROV_PARAM_PBKDF2_LOWER_BOUND_CHECK', '1'],
+ ['ecdh_cofactor_check', 'OSSL_PROV_PARAM_ECDH_COFACTOR_CHECK', '0']) -}
+/*
+ * Handles the loading of FIPS self test parameters from the core using
+ * OSSL_PARAM.
+ *
+ * The perl function generates code that:
+ *
+ * Creates a function to retrieve the values from the core.
+ */
+{-use OpenSSL::fipsparams qw(produce_fips_selftest_params); -}
+{- produce_fips_selftest_params(
+ ['module_filename', 'OSSL_PROV_PARAM_CORE_MODULE_FILENAME'],
+ ['module_checksum_data', 'OSSL_PROV_FIPS_PARAM_MODULE_MAC'],
+ ['conditional_error_check', 'OSSL_PROV_FIPS_PARAM_CONDITIONAL_ERRORS'],
+ ['defer_tests', 'OSSL_PROV_FIPS_PARAM_DEFER_TESTS']) -}
unsigned char enabled;
} FIPS_OPTION;
+typedef struct fips_global_st FIPS_GLOBAL;
+typedef struct fips_indicators_st FIPS_INDICATORS;
+static FIPS_INDICATORS *get_fips_indicators(FIPS_GLOBAL *fgbl);
+#include "fipsparams.inc"
+
typedef struct fips_global_st {
const OSSL_CORE_HANDLE *handle;
SELF_TEST_POST_PARAMS selftest_params;
-#define OSSL_FIPS_PARAM(structname, paramname, initvalue) \
- FIPS_OPTION fips_##structname;
-#include "fips_indicator_params.inc"
-#undef OSSL_FIPS_PARAM
+ FIPS_INDICATORS fips_indicators;
/* Guards access to deferred self-test */
CRYPTO_RWLOCK *deferred_lock;
} FIPS_GLOBAL;
-static void init_fips_option(FIPS_OPTION *opt, int enabled)
+static inline FIPS_INDICATORS *get_fips_indicators(FIPS_GLOBAL *fgbl)
{
- opt->enabled = enabled;
- opt->option = enabled ? "1" : "0";
+ return &fgbl->fips_indicators;
}
void *ossl_fips_prov_ossl_ctx_new(OSSL_LIB_CTX *libctx)
if (fgbl == NULL)
return NULL;
-#define OSSL_FIPS_PARAM(structname, paramname, initvalue) \
- init_fips_option(&fgbl->fips_##structname, initvalue);
-#include "fips_indicator_params.inc"
-#undef OSSL_FIPS_PARAM
+ init_fips_indicators(&fgbl->fips_indicators);
return fgbl;
}
{
OSSL_PARAM core_params[33], *p = core_params;
-#define OSSL_FIPS_PARAM(structname, paramname) \
- *p++ = OSSL_PARAM_construct_utf8_ptr( \
- paramname, (char **)&fgbl->selftest_params.structname, \
- sizeof(fgbl->selftest_params.structname));
-
-/* Parameters required for self testing */
-#include "fips_selftest_params.inc"
-#undef OSSL_FIPS_PARAM
+ /* Parameters required for self testing */
+ p = get_fips_selftest_params_from_core(p, &fgbl->selftest_params);
-/* FIPS indicator options can be enabled or disabled independently */
-#define OSSL_FIPS_PARAM(structname, paramname, initvalue) \
- *p++ = OSSL_PARAM_construct_utf8_ptr( \
- OSSL_PROV_PARAM_##paramname, \
- (char **)&fgbl->fips_##structname.option, \
- sizeof(fgbl->fips_##structname.option));
-#include "fips_indicator_params.inc"
-#undef OSSL_FIPS_PARAM
+ /* FIPS indicator options can be enabled or disabled independently */
+ p = get_fips_indicator_params_from_core(p, &fgbl->fips_indicators);
*p = OSSL_PARAM_construct_end();
return 0;
}
- return 1;
+ return set_fips_indicators_from_core(&fgbl->fips_indicators);
}
static const OSSL_PARAM *fips_gettable_params(void *provctx)
OSSL_PARAM_DEFN(OSSL_PROV_PARAM_VERSION, OSSL_PARAM_UTF8_PTR, NULL, 0),
OSSL_PARAM_DEFN(OSSL_PROV_PARAM_BUILDINFO, OSSL_PARAM_UTF8_PTR, NULL, 0),
OSSL_PARAM_DEFN(OSSL_PROV_PARAM_STATUS, OSSL_PARAM_INTEGER, NULL, 0),
-
-#define OSSL_FIPS_PARAM(structname, paramname, initvalue) \
- OSSL_PARAM_DEFN(OSSL_PROV_PARAM_##paramname, OSSL_PARAM_INTEGER, NULL, 0),
-#include "fips_indicator_params.inc"
-#undef OSSL_FIPS_PARAM
-
+ OSSL_FIPS_INDICATOR_PARAM_TYPES,
OSSL_PARAM_END
};
return fips_param_types;
if (p != NULL && !OSSL_PARAM_set_int(p, ossl_prov_is_running()))
return 0;
-#define OSSL_FIPS_PARAM(structname, paramname, initvalue) \
- p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_##paramname); \
- if (p != NULL && !OSSL_PARAM_set_int(p, fgbl->fips_##structname.enabled)) \
- return 0;
-#include "fips_indicator_params.inc"
-#undef OSSL_FIPS_PARAM
-
- return 1;
+ return get_fips_indicator_params(params, &fgbl->fips_indicators);
}
static void set_self_test_cb(FIPS_GLOBAL *fgbl)
&& strcmp(fgbl->selftest_params.conditional_error_check, "0") == 0)
SELF_TEST_disable_conditional_error_state();
- /* Enable or disable FIPS provider options */
-#define OSSL_FIPS_PARAM(structname, paramname, unused) \
- if (fgbl->fips_##structname.option != NULL) { \
- if (strcmp(fgbl->fips_##structname.option, "1") == 0) \
- fgbl->fips_##structname.enabled = 1; \
- else if (strcmp(fgbl->fips_##structname.option, "0") == 0) \
- fgbl->fips_##structname.enabled = 0; \
- else \
- goto err; \
- }
-#include "fips_indicator_params.inc"
-#undef OSSL_FIPS_PARAM
-
ossl_prov_cache_exported_algorithms(fips_ciphers, exported_fips_ciphers);
/* initialize deferred self-test infrastructure */
return ret;
}
-#define OSSL_FIPS_PARAM(structname, paramname, unused) \
- int ossl_fips_config_##structname(OSSL_LIB_CTX *libctx) \
- { \
- FIPS_GLOBAL *fgbl = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_FIPS_PROV_INDEX); \
- \
- return fgbl->fips_##structname.enabled; \
- }
-#include "fips_indicator_params.inc"
-#undef OSSL_FIPS_PARAM
-
void OSSL_SELF_TEST_get_callback(OSSL_LIB_CTX *libctx, OSSL_CALLBACK **cb,
void **cbarg)
{
+++ /dev/null
-OSSL_FIPS_PARAM(security_checks, SECURITY_CHECKS, 1)
-OSSL_FIPS_PARAM(tls1_prf_ems_check, TLS1_PRF_EMS_CHECK, 0)
-OSSL_FIPS_PARAM(no_short_mac, NO_SHORT_MAC, 1)
-OSSL_FIPS_PARAM(hmac_key_check, HMAC_KEY_CHECK, 0)
-OSSL_FIPS_PARAM(kmac_key_check, KMAC_KEY_CHECK, 0)
-OSSL_FIPS_PARAM(restricted_drbg_digests, DRBG_TRUNC_DIGEST, 0)
-OSSL_FIPS_PARAM(signature_digest_check, SIGNATURE_DIGEST_CHECK, 0)
-OSSL_FIPS_PARAM(hkdf_digest_check, HKDF_DIGEST_CHECK, 0)
-OSSL_FIPS_PARAM(tls13_kdf_digest_check, TLS13_KDF_DIGEST_CHECK, 0)
-OSSL_FIPS_PARAM(tls1_prf_digest_check, TLS1_PRF_DIGEST_CHECK, 0)
-OSSL_FIPS_PARAM(sshkdf_digest_check, SSHKDF_DIGEST_CHECK, 0)
-OSSL_FIPS_PARAM(sskdf_digest_check, SSKDF_DIGEST_CHECK, 0)
-OSSL_FIPS_PARAM(x963kdf_digest_check, X963KDF_DIGEST_CHECK, 0)
-OSSL_FIPS_PARAM(dsa_sign_disallowed, DSA_SIGN_DISABLED, 0)
-OSSL_FIPS_PARAM(tdes_encrypt_disallowed, TDES_ENCRYPT_DISABLED, 0)
-OSSL_FIPS_PARAM(rsa_pkcs15_padding_disabled, RSA_PKCS15_PAD_DISABLED, 0)
-OSSL_FIPS_PARAM(rsa_pss_saltlen_check, RSA_PSS_SALTLEN_CHECK, 0)
-OSSL_FIPS_PARAM(rsa_sign_x931_disallowed, RSA_SIGN_X931_PAD_DISABLED, 0)
-OSSL_FIPS_PARAM(hkdf_key_check, HKDF_KEY_CHECK, 0)
-OSSL_FIPS_PARAM(kbkdf_key_check, KBKDF_KEY_CHECK, 0)
-OSSL_FIPS_PARAM(tls13_kdf_key_check, TLS13_KDF_KEY_CHECK, 0)
-OSSL_FIPS_PARAM(tls1_prf_key_check, TLS1_PRF_KEY_CHECK, 0)
-OSSL_FIPS_PARAM(sshkdf_key_check, SSHKDF_KEY_CHECK, 0)
-OSSL_FIPS_PARAM(sskdf_key_check, SSKDF_KEY_CHECK, 0)
-OSSL_FIPS_PARAM(x963kdf_key_check, X963KDF_KEY_CHECK, 0)
-OSSL_FIPS_PARAM(x942kdf_key_check, X942KDF_KEY_CHECK, 0)
-OSSL_FIPS_PARAM(pbkdf2_lower_bound_check, PBKDF2_LOWER_BOUND_CHECK, 1)
-OSSL_FIPS_PARAM(ecdh_cofactor_check, ECDH_COFACTOR_CHECK, 0)
+++ /dev/null
-OSSL_FIPS_PARAM(module_filename, OSSL_PROV_PARAM_CORE_MODULE_FILENAME)
-OSSL_FIPS_PARAM(module_checksum_data, OSSL_PROV_FIPS_PARAM_MODULE_MAC)
-OSSL_FIPS_PARAM(conditional_error_check, OSSL_PROV_FIPS_PARAM_CONDITIONAL_ERRORS)
-OSSL_FIPS_PARAM(defer_tests, OSSL_PROV_FIPS_PARAM_DEFER_TESTS)
#ifdef FIPS_MODULE
#include <openssl/types.h>
-#define OSSL_FIPS_PARAM(structname, paramname, unused) \
- int ossl_fips_config_##structname(OSSL_LIB_CTX *libctx);
-#include "fips_indicator_params.inc"
-#undef OSSL_FIPS_PARAM
+int ossl_fips_config_security_checks(OSSL_LIB_CTX *libctx);
+int ossl_fips_config_tls1_prf_ems_check(OSSL_LIB_CTX *libctx);
+int ossl_fips_config_no_short_mac(OSSL_LIB_CTX *libctx);
+int ossl_fips_config_hmac_key_check(OSSL_LIB_CTX *libctx);
+int ossl_fips_config_kmac_key_check(OSSL_LIB_CTX *libctx);
+int ossl_fips_config_restricted_drbg_digests(OSSL_LIB_CTX *libctx);
+int ossl_fips_config_signature_digest_check(OSSL_LIB_CTX *libctx);
+int ossl_fips_config_hkdf_digest_check(OSSL_LIB_CTX *libctx);
+int ossl_fips_config_tls13_kdf_digest_check(OSSL_LIB_CTX *libctx);
+int ossl_fips_config_tls1_prf_digest_check(OSSL_LIB_CTX *libctx);
+int ossl_fips_config_sshkdf_digest_check(OSSL_LIB_CTX *libctx);
+int ossl_fips_config_sskdf_digest_check(OSSL_LIB_CTX *libctx);
+int ossl_fips_config_x963kdf_digest_check(OSSL_LIB_CTX *libctx);
+int ossl_fips_config_dsa_sign_disallowed(OSSL_LIB_CTX *libctx);
+int ossl_fips_config_tdes_encrypt_disallowed(OSSL_LIB_CTX *libctx);
+int ossl_fips_config_rsa_pkcs15_padding_disabled(OSSL_LIB_CTX *libctx);
+int ossl_fips_config_rsa_pss_saltlen_check(OSSL_LIB_CTX *libctx);
+int ossl_fips_config_rsa_sign_x931_disallowed(OSSL_LIB_CTX *libctx);
+int ossl_fips_config_hkdf_key_check(OSSL_LIB_CTX *libctx);
+int ossl_fips_config_kbkdf_key_check(OSSL_LIB_CTX *libctx);
+int ossl_fips_config_tls13_kdf_key_check(OSSL_LIB_CTX *libctx);
+int ossl_fips_config_tls1_prf_key_check(OSSL_LIB_CTX *libctx);
+int ossl_fips_config_sshkdf_key_check(OSSL_LIB_CTX *libctx);
+int ossl_fips_config_sskdf_key_check(OSSL_LIB_CTX *libctx);
+int ossl_fips_config_x963kdf_key_check(OSSL_LIB_CTX *libctx);
+int ossl_fips_config_x942kdf_key_check(OSSL_LIB_CTX *libctx);
+int ossl_fips_config_pbkdf2_lower_bound_check(OSSL_LIB_CTX *libctx);
+int ossl_fips_config_ecdh_cofactor_check(OSSL_LIB_CTX *libctx);
#endif
--- /dev/null
+#! /usr/bin/env perl
+# Copyright 2026 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+package OpenSSL::fipsparams;
+
+use strict;
+use warnings;
+use Exporter;
+
+our @ISA = qw(Exporter);
+our @EXPORT_OK = qw(produce_fips_indicators produce_fips_selftest_params);
+
+sub produce_fips_indicators {
+ my @params = @_;
+ my $s;
+ open(local *STDOUT, '>', \$s);
+
+ print "/* Machine generated by util/perl/OpenSSL/fipsparams.pm */\n";
+ print "\n";
+ print "typedef struct fips_indicators_st {\n";
+ foreach my $p (@params) {
+ printf " const char *%s_string;\n", $p->[0];
+ printf " unsigned char %s_enabled;\n", $p->[0];
+ }
+ print "} FIPS_INDICATORS;\n";
+
+ print "\n";
+ print "static void init_fips_indicators(FIPS_INDICATORS *indicators)\n";
+ print "{\n";
+ foreach my $p (@params) {
+ my $field = $p->[0];
+ my $name = $p->[1];
+ my $enabled = $p->[2];
+ printf " indicators->%s_string = \"%s\";\n", $field, $enabled;
+ printf " indicators->%s_enabled = %s;\n", $field, $enabled;
+ }
+ print "}\n";
+
+ print "\n";
+ print "static OSSL_PARAM *get_fips_indicator_params_from_core(\n";
+ print " OSSL_PARAM *op, FIPS_INDICATORS *fi)\n";
+ print "{\n";
+ foreach my $p (@params) {
+ my $field = $p->[0];
+ my $name = $p->[1];
+ print " *op++ = OSSL_PARAM_construct_utf8_ptr(\n";
+ printf " $name, (char **)&fi->%s_string,\n", $field;
+ printf " sizeof(fi->%s_string));\n", $field;
+ }
+ print " return op;\n";
+ print "}\n";
+
+ print "\n";
+ print "#define OSSL_FIPS_INDICATOR_PARAM_TYPES \\\n";
+ my $cnt = 0;
+ foreach my $p (@params) {
+ my $name = $p->[1];
+ print " OSSL_PARAM_DEFN($name, OSSL_PARAM_INTEGER, NULL, 0)";
+ print "," if ($cnt++ < $#params);
+ print "\\\n";
+ }
+ print "\n";
+
+ print "\n";
+ print "static int get_fips_indicator_params(OSSL_PARAM *params, FIPS_INDICATORS *fi)\n";
+ print "{\n";
+ print " OSSL_PARAM *p;\n";
+ foreach my $p (@params) {
+ my $field = $p->[0];
+ my $name = $p->[1];
+ print " p = OSSL_PARAM_locate(params, $name);\n";
+ printf " if (p != NULL && !OSSL_PARAM_set_int(p, fi->%s_enabled))\n", $field;
+ print " return 0;\n";
+ }
+ print " return 1;\n";
+ print "}\n";
+
+ print "\n";
+ print "static int set_fips_indicators_from_core(FIPS_INDICATORS *fi)\n";
+ print "{\n";
+ foreach my $p (@params) {
+ my $field = $p->[0];
+ printf " if (fi->%s_string != NULL) {\n", $field;
+ printf " if (strcmp(fi->%s_string, \"1\") == 0)\n", $field;
+ printf " fi->%s_enabled = 1;\n", $field;
+ printf " else if (strcmp(fi->%s_string, \"0\") == 0)\n", $field;
+ printf " fi->%s_enabled = 0;\n", $field;
+ print " else\n";
+ print " return 0;\n";
+ print " }\n";
+ }
+ print " return 1;\n";
+ print "}\n";
+
+ foreach my $p (@params) {
+ my $field = $p->[0];
+ print "\n";
+ printf "int ossl_fips_config_%s(OSSL_LIB_CTX *libctx)\n", $field;
+ print "{\n";
+ print " FIPS_GLOBAL *fgbl = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_FIPS_PROV_INDEX);\n";
+ print " FIPS_INDICATORS *indicators = get_fips_indicators(fgbl);\n";
+ printf " return indicators->%s_enabled;\n", $field;
+ print "}\n";
+ }
+
+ return $s;
+}
+
+sub produce_fips_selftest_params {
+ my @params = @_;
+ my $s;
+ open(local *STDOUT, '>', \$s);
+
+ print "/* Machine generated by util/perl/OpenSSL/fipsparams.pm */\n";
+
+ print "static OSSL_PARAM *get_fips_selftest_params_from_core(\n";
+ print " OSSL_PARAM *op, SELF_TEST_POST_PARAMS *stpp)\n";
+ print "{\n";
+ foreach my $p (@params) {
+ my $field = $p->[0];
+ my $name = $p->[1];
+ print " *op++ = OSSL_PARAM_construct_utf8_ptr(\n";
+ print " $name, (char **)&stpp->$field,\n";
+ print " sizeof(stpp->$field));\n";
+ }
+ print " return op;\n";
+ print "}\n";
+
+ return $s;
+}
projects / thirdparty / openssl.git / commitdiff
