summaryrefslogtreecommitdiff
path: root/providers/fips
Commit message (Collapse)AuthorAgeFilesLines
* Replaced '{ 0, NULL }' with OSSL_DISPATCH_END in OSSL_DISPATCH arraysIrak Rigia2023-04-211-2/+2
| | | | | | | | | Fixes #20710 Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20745)
* Declare FIPS option functions in their own headerPauli2023-03-291-1/+1
| | | | | | Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/20521)
* fips: rework the option handling codePauli2023-03-291-49/+74
| | | | | | | | Add option for restricting digests available to DRBGs. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/20521)
* fips: Use salt >= 16 bytes in PBKDF2 selftestClemens Lang2023-03-071-6/+16
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | NIST SP 800-132 [1] section 5.1 says "[t]he length of the randomly-generated portion of the salt shall be at least 128 bits", which implies that the salt for PBKDF2 must be at least 16 bytes long (see also Appendix A.2.1). The FIPS 140-3 IG [2] section 10.3.A requires that "the lengths and the properties of the Password and Salt parameters, as well as the desired length of the Master Key used in a CAST shall be among those supported by the module in the approved mode." As a consequence, the salt length in the self test must be at least 16 bytes long for FIPS 140-3 compliance. Switch the self test to use the only test vector from RFC 6070 that uses salt that is long enough to fulfil this requirement. Since RFC 6070 does not provide expected results for PBKDF2 with HMAC-SHA256, use the output from [3], which was generated with python cryptography, which was tested against the RFC 6070 vectors with HMAC-SHA1. [1]: https://doi.org/10.6028/NIST.SP.800-132 [2]: https://csrc.nist.gov/CSRC/media/Projects/cryptographic-module-validation-program/documents/fips%20140-3/FIPS%20140-3%20IG.pdf [3]: https://github.com/brycx/Test-Vector-Generation/blob/master/PBKDF2/pbkdf2-hmac-sha2-test-vectors.md Signed-off-by: Clemens Lang <cllang@redhat.com> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20429)
* Add option to FIPS module to enforce EMS check during KDF TLS1_PRF.slontis2023-03-071-2/+30
| | | | | | | | Fixes #19989 Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20241)
* Remove AES SIV ciphers from the FIPS providerPauli2023-03-011-5/+0
| | | | | | | Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/20386)
* Revert "Put EdDSA back as approved algorithms."Pauli2023-02-221-4/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This reverts commit 09627a8ceb69e19d2855b36228f44a3660af177a. NIST isn't allowing EdDSA at this stage after all, so flag it as not FIPS approved in the FIPS provider. Guidance for FIPS 140-3 is expected later this month: The use of EdDSA still remains non-approved. Before the FIPS 186-5 and SP 800-186 algorithms / curves can be used in the approved mode, the CMVP will need to do (at least) the following: * Incorporate FIPS 186-5 and SP 800-186 into SP 800-140C/D; * Update IG 10.3.A to incorporate self-test requirements for the new algorithms/curves. * Write a new IG on this transition to clarify the issues raised in this thread and elsewhere and provide a clear transition schedule. The CMVP is working on all three of these items and hope to have drafts public by the end of March. Since security relevant changes are not permitted for new 140-2 submissions, and under the assumption that this transition away from FIPS 186-4 algorithms will be 'soft' and not move modules to the historical list, we do not plan on writing 140-2 guidance for this transition. It seems unlikely that all of these requirements will be completed before we submit. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20343)
* Put EdDSA back as approved algorithms.Pauli2023-02-081-4/+4
| | | | | | | | | With FIPS 186-5 being published, these can again be validated. https://csrc.nist.gov/publications/detail/fips/186/5/final Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/20219)
* Put X25519 and X448 back as approved algorithmsPauli2023-01-241-4/+4
| | | | | | | | | | | | | | | | CMVP's answer when questioned about this being: X448 and X25519 uses Curve448 and Curve25519, respectfully, within an ECDH scheme. Therefore, it is possible for a key agreement scheme that uses Curve448 and Curve25519 to be used in the approved mode and be viewed as an allowed algorithm if requirements of Scenario X2 of IG D.8 and IG A.2 are met (or Scenario 3 of D.F and IG C.A for FIPS 140-3). The use of EdDSA in the approved mode is not permitted until FIPS 186-5 is published and part of CMVP guidance. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20079)
* fips: make EdDSA unapproved for FIPSPauli2023-01-131-8/+9
| | | | | | | | | | Likewise for the related ECX key exchanges. NIST is mandating this until FIPS 186-5 is finalised. Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20020)
* aes: add AES-GCM-SIV modes to the FIPS providerPauli2022-11-301-0/+5
| | | | | | Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/19777)
* Cleanup : directly include of `internal/nelem.h` when required.FdaSilvaYY2022-11-231-0/+1
| | | | | | | | And so clean a few useless includes Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19721)
* Put 3DES back into the FIPS provider as a non-approved algorithmPauli2022-11-101-1/+9
| | | | | | | | | This reverts commit fc0bb3411bd0c6ca264f610303933d0bf4f4682c and changes how 3DES is advertised. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19631)
* fips: verify that the RNG was restored after the self testsPauli2022-11-021-0/+14
| | | | | | | Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/19510)
* Update FIPS KATs for 140-3Pauli2022-11-023-33/+266
| | | | | | | | | | | Co-authored-by: Randall Steck <rsteck@thinqsoft.com> Co-authored-by: Mark J. Minnoch <mark@keypair.us> Co-authored-by: Steve Weymann <steve@keypair.us> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/19510)
* Remove DES cipher from the FIPS providerPauli2022-11-021-4/+0
| | | | | | | | | | | Co-authored-by: Randall Steck <rsteck@thinqsoft.com> Co-authored-by: Mark J. Minnoch <mark@keypair.us> Co-authored-by: Steve Weymann <steve@keypair.us> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/19510)
* Use RSA CRT parameters in FIPS self tests.slontis2022-10-271-5/+5
| | | | | | | | | | | | Fixes #19488 Use the correct OSSL_PKEY_PARAM_RSA CRT names fior the self tests. The invalid names cause CRT parameters to be silently ignored. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19501)
* Updating ifdefs to account for xlclang compiler frontend on AIX.Rob Mc Gee2022-08-011-2/+2
| | | | | | | | | | | The fallback DEP works fine there. XLC should be unaffected. CLA: trivial Reviewed-by: Todd Short <todd.short@me.com> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18892)
* Fix check of EVP_CIPHER_CTX_ctrlPeiwei Hu2022-05-241-4/+4
| | | | | | | Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18368)
* strcasecmp: implement strcasecmp and strncasecmpPauli2022-05-231-3/+0
| | | | | | | | | | | | Rather than relying on the locale code working, instead implement these functions directly. Fixes #18322 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/18344)
* Avoid code duplication for locale initializationTomas Mraz2022-05-131-46/+3
| | | | | | Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18282)
* Fix build on OPENSSL_SYS_TANDEM and older POSIXesTomas Mraz2022-05-131-12/+22
| | | | | | | | | | | It also allows for passing -DOPENSSL_NO_LOCALE as a workaround to ./Configure command. Fixes #18233 Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18282)
* Update copyright yearMatt Caswell2022-05-033-3/+3
| | | | | Reviewed-by: Tomas Mraz <tomas@openssl.org> Release: yes
* Prefer GNU library initialization mechanism over platform oneJon Spillett2022-04-271-6/+7
| | | | | | | | If GNU toolchain is used, use the __attribute__((constructor)) Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18147)
* FIPS provider modificationsDmitry Belyavskiy2022-04-221-0/+37
| | | | | | Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18069)
* Refactor OSSL_LIB_CTX to avoid using CRYPTO_EX_DATAHugo Landau2022-04-011-19/+8
| | | | | | | | | | | | | This refactors OSSL_LIB_CTX to avoid using CRYPTO_EX_DATA. The assorted objects to be managed by OSSL_LIB_CTX are hardcoded and are initialized eagerly rather than lazily, which avoids the need for locking on access in most cases. Fixes #17116. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17881)
* Move e_os.h to include/internalRichard Levitte2022-02-051-1/+1
| | | | | | | | | | | | Including e_os.h with a path from a header file doesn't work well on certain exotic platform. It simply fails to build. Since we don't seem to be able to stop ourselves, the better move is to move e_os.h to an include directory that's part of the inclusion path given to the compiler. Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17641)
* Avoid using a macro expansion in a macro when statically initialisingPauli2022-01-131-3/+9
| | | | | | | | | Circumvents a problem with ancient PA-RISC compilers on HP/UX. Fixes #17477 Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17478)
* Fix a bug in signature self tests in the FIPS moduleMatt Caswell2021-10-221-1/+1
| | | | | | | | When calling EVP_PKEY_sign(), the size of the signature buffer must be passed in *siglen. Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16789)
* Add the self test type OSSL_SELF_TEST_TYPE_PCT_SIGNATUREslontis2021-08-311-1/+5
| | | | | | | | | | | | Fixes #16457 The ECDSA and DSA signature tests use Pairwise tests instead of KATS. Note there is a seperate type used by the keygen for conditional Pairwise Tests. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16461)
* fips: add power up test for TLS 1.3 KDFPauli2021-08-051-0/+64
| | | | | | | | | | The power up known answer test for the TLS 1.3 KDF does just the first step to derive the "client_early_traffic_secret" using the two modes of the KDF. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/16203)
* provider: add TLS13_KDF to the default and FIPS providersPauli2021-08-051-0/+2
| | | | | | | Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/16203)
* Don't leak the OSSL_LIB_CTX in the event of a failure to load the FIPS moduleMatt Caswell2021-07-281-0/+1
| | | | | | | | | | Ensure we free the OSSL_LIB_CTX on the error path. Fixes #16163 Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16168)
* Change self test for AES_CGM to perform both an encrypt and decrypt.Shane Lontis2021-06-221-1/+1
| | | | | | | | | | | This is a request from the lab that changes the AES_GCM test back to perform both a encrypt and decrypt. (This makes no logical sense since this is not an inverse cipher). I have left the AES_ECB decrypt test in (although it may not be needed) since it is actually testing the inverse cipher case. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15844)
* aix64-gcc target: Fix build breakage with enable-fipsTomas Mraz2021-06-181-2/+0
| | | | | | | | | Fixes #15804 Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15807)
* Add self test for ECDSA using curve with a binary fieldShane Lontis2021-06-171-8/+45
| | | | | | Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15794)
* Fix AIX FIPS DEP.Shane Lontis2021-06-081-1/+15
| | | | | | | | | | | The entry point needs the option 'binitfini', but it was not being added since the perl code to detect the match did not work. The entry point for AIX is no longer static - so a wrapper has been added to call the static version. Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15636)
* Rename all getters to use get/get0 in nameTomas Mraz2021-06-011-1/+1
| | | | | | | | | | | | | | For functions that exist in 1.1.1 provide a simple aliases via #define. Fixes #15236 Functions with OSSL_DECODER_, OSSL_ENCODER_, OSSL_STORE_LOADER_, EVP_KEYEXCH_, EVP_KEM_, EVP_ASYM_CIPHER_, EVP_SIGNATURE_, EVP_KEYMGMT_, EVP_RAND_, EVP_MAC_, EVP_KDF_, EVP_PKEY_, EVP_MD_, and EVP_CIPHER_ prefixes are renamed. Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15405)
* fips: set the library context and handle laterPauli2021-05-291-2/+3
| | | | | | | | | | | They need to be set once the provider will definitely be loading. If they are set earlier, a double free results on a failure. Fixes #15452 Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15492)
* Use "" for include internal/xxxRich Salz2021-05-271-2/+2
| | | | | | Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15468)
* Add fipsinstall option to run self test KATS on module loadShane Lontis2021-05-251-1/+5
| | | | | | Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15149)
* fips: default to running self tests when starting the fips providerPauli2021-05-241-27/+30
| | | | | | | | | | Also add a C++ constructor as per note 7 of IG 9.10 if no DEP is available and C++ is being used. Fixes #15322 Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15324)
* PROV: Relegate most of the FIPS provider code to libfips.aRichard Levitte2021-05-213-6/+45
| | | | | | | | | | | | | | | | | | | | provider/fips/fipsprov.c contains a number of symbols that get used by anything that's included in libfips.a, at least on Unix. Unfortunately, there are platforms that do not support resolving symbols to things that are already included in the end product (module in this case) being built; they only support resolving symbols with what comes next in the linking process. The offending symbols in this case are FIPS_security_check_enabled, c_thread_start and ossl_fips_intern_provider_init. We resolve this by placing provider/fips/fipsprov.c in libfips.a along with everything else there. That takes care of the offending symbols. What remains is to ensure that there is an entry point in an object file used directly when linking the module, providers/fips/fips_entry.c Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15370)
* fipsprov: Missing teardown on fips_get_params_from_core() errorTomas Mraz2021-05-131-1/+1
| | | | | Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15229)
* Add the ability for ex_data to have a priorityMatt Caswell2021-05-111-0/+1
| | | | | | | | Where an object has multiple ex_data associated with it, then we free that ex_data in order of priority (high priority first). Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14991)
* Clarify two comments (typos) in fipsprov.cDaniel Bevenius2021-05-061-3/+3
| | | | | | Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15150)
* PROV: Add OIDs we know to all provider applicable algorithmsRichard Levitte2021-04-181-138/+127
| | | | | | | | | | | The OIDs were extracted with the help of libcrypto's ASN1 OID database. While doing this, we move all the names strings to macro definitions, to avoid duplication and conflicting names declarations. Those macros are all in providers/implementations/include/prov/names.h Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14498)
* Fix naming for EVP_RAND_CTX_gettable functions.Pauli2021-04-171-4/+4
| | | | | | | | | | | | | | | Change: EVP_RAND_gettable_ctx_params -> EVP_RAND_CTX_gettable_params EVP_RAND_settable_ctx_params -> EVP_RAND_CTX_settable_params Which brings them in line with the other similar functions for other algorithm types. Fixes #14880 Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14893)
* Sanity check provider up-callsMatt Caswell2021-04-161-28/+43
| | | | | | | | | | | | | When we store references to up-calls for future reference we run a sanity check to make sure we either previously haven't set these values or they are the same as last time. We don't support the scenario where an application is linked against multiple versions of libcrypto but using a shared fips.so file. This would result in different up-calls for different calls to OSSL_provider_init(), which we currently can't handle. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14814)
* Store some FIPS global variables in the FIPS_GLOBAL structureMatt Caswell2021-04-161-72/+119
| | | | | | | | | | | | | We had some FIPS global variables that were based on values from the config file. In theory if two instances of the fips module are loaded they could be based on different config files which would cause this to fail. Instead we store them in the FIPS_GLOBAL structure. Fixes #14364 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14814)
View Lorry Controller Status