2 title: OpenSSL 3.0.0 Design
3 author: OpenSSL Management Committee (OMC)
8 <style type="text/css">
9 ol, ol ol, ol ol ol { list-style-type: decimal; }
15 This document outlines the design of OpenSSL 3.0, the next version of
16 OpenSSL after 1.1.1. It assumes familiarity with the document entitled
17 _OpenSSL Strategic Architecture_ and a working knowledge of OpenSSL
20 The OpenSSL 3.0 release will have minimal impact to the vast majority
21 of existing applications; almost all well-behaved applications will
22 just need to be recompiled.
24 The majority of the changes in OpenSSL 3.0 are internal architectural
25 restructuring to facilitate a long-term supportable cryptographic
26 framework that enables better separation of algorithm implementations
27 from algorithm APIs. These structural changes also support a more
28 maintainable OpenSSL FIPS Cryptographic Module 3.0.
30 No currently marked deprecated APIs will be removed in OpenSSL 3.0.
32 Many additional low-level functions will be marked as deprecated APIs
35 OpenSSL 3.0 will support an application having TLS connections that
36 are in FIPS mode (using the OpenSSL FIPS Cryptographic Module 3.0) and
37 TLS connections that are in non-FIPS mode simultaneously.
39 ## Terms Used in This Document {#terms-used-in-this-document}
41 The following terms, in alphabetical order, are used in this
42 document. A brief (summary) definition is provided.
46 * **Algorithm**, or sometimes **cryptographic algorithm**, is a
47 method to perform a set of operations (such as encryption or
48 decryption). Our use of the term is abstract, and usually
49 represents an algorithm by its name, such as "aes-128-cbc".
50 * **Algorithm implementation**, or sometimes just
51 **implementation**, is a concrete implementation of an algorithm.
52 This is mainly represented in code in the form of a set of
54 * **CAVS** is the Cryptographic Algorithm Validation System. A tool
55 used to test that a cryptographic implementation conforms to FIPS
57 * **CMVP** is the Cryptographic Module Validation Program. A process
58 that validates that cryptographic implementations conform to FIPS
60 * **EVP** is a family of APIs implemented by libcrypto that enables
61 applications to perform cryptographic operations. The
62 implementation of the EVP API uses the Core and Provider
64 * The **Core** is a component in libcrypto that enables applications
65 to access the algorithm implementations offered by providers.
66 * **CSP** is Critical Security Parameters. This includes any information (e.g.
67 private keys, passwords, pin numbers etc) that might compromise the security
68 of a module in the event of their unauthorised disclosure or modification.
69 * **Explicit Fetch** is a method for finding an algorithm
70 implementation where the application makes an explicit call to
71 locate the implementation and supplies search criteria.
72 * **FIPS** is the Federal Information Processing Standards. This is
73 a set of standards defined by the US government. In particular,
74 FIPS standard 140-2 is applicable to cryptographic software.
75 * A **FIPS module** is an implementation of cryptographic algorithms
76 that has been validated by the CMVP as conforming to FIPS
77 standards. In OpenSSL the FIPS module is implemented as a provider
78 and is available in dynamically loadable module form.
79 * **Implicit Fetch** is a method for finding an algorithm
80 implementation where the application does not explicitly make a
81 call to locate the implementation and therefore default search
83 * The **Integrity Check** is a test that is automatically run when
84 the FIPS module is loaded. The module checksums itself and
85 verifies that it hasn't been inadvertently altered.
86 * **KAS** is Key Agreement Scheme. A method by which two communicating parties
87 can agree a shared key between them.
88 * **KAT**s are Known Answer Tests. A set of tests used to perform a
89 health-check of a FIPS module.
90 * **libcrypto** is a shared library implemented by OpenSSL that
91 provides applications with access to various cryptography related
93 * **libssl** is a shared library implemented by OpenSSL that
94 provides applications with the ability to create SSL/TLS
95 connections either as a client or as a server.
96 * A **Library Context** is an opaque structure that holds library
98 * **Operation** is a class of functions to be performed on data,
99 such as calculating a digest, encrypting, decrypting, etc. An
100 algorithm may offer one or more operations. For example RSA
101 provides asymmetric encryption, asymmetric decryption, signing,
103 * **Parameters** are an implementation agnostic set of key-value
104 pairs that are used to communicate object data between the Core
105 and providers. For example they could be used to transfer private
107 * **POST** refers to the FIPS module Power-Up Self-Tests
108 (a.k.a. Power-On Self-Tests) that are run at installation time, at
109 power up (i.e. each time the FIPS module is loaded for an
110 application) or on demand. These tests include the Integrity Check
111 and the KATs. If the KATs were run successfully at installation
112 time then they don't need to be run again at power up, however the
113 Integrity Check is always performed.
114 * **Properties** are used by providers to describe the features of
115 their algorithm implementations. They are also used in application
116 queries to find specific implementations.
117 * **Provider** is a unit that provides one or more algorithm
119 * **Provider module** is a provider in dynamically loadable module
122 ## Architecture {#architecture}
124 The architecture shall have the following features:
126 * Common Services form the building blocks usable by applications
127 and providers. (e.g. BIO, X509, SECMEM, ASN.1, etc).
128 * Providers implement cryptographic algorithms and supporting
129 services. An algorithm may consist of multiple operations (for
130 example RSA may have "encrypt", "decrypt", "sign", "verify"
131 etc). Similarly an operation (for example "sign") can be
132 implemented by multiple algorithms such as RSA and ECDSA. A
133 provider has implementations of the cryptographic primitives for
134 an algorithm. This release will include the following providers:
135 a. Default, which contains the current non-legacy OpenSSL
136 cryptographic algorithms; this will be built-in (i.e., part of
138 b. Legacy, with implementations of older algorithms (e.g, DES,
139 MDC2, MD2, Blowfish, CAST)
140 c. Engines, which include a compatibility layer between engines
141 designed for older versions of OpenSSL, and the new Provider
143 d. FIPS, which implements the OpenSSL FIPS Cryptographic Module
144 3.0; this can be loaded dynamically at runtime.
145 * The Core enables access to the operations offered by providers to
146 applications (and other providers). The Core is the mechanism via
147 which concrete implementations of operations are located.
148 * Protocol implementations. E.g. TLS, DTLS.
150 This document has many references to the "EVP API." This refers to
151 "application-level" operations, such as public-key signing, generating
152 a digest and so on. These functions include `EVP_DigestSign`,
153 `EVP_Digest`, `EVP_MAC_init` and the like. The EVP API also
154 encapsulates the cryptographic objects used to perform those services,
155 such as `EVP_PKEY`, `EVP_CIPHER`, `EVP_MD`, `EVP_MAC` and so
156 forth. Providers implement the backend functionality for the latter
157 set. Instances of these objects can be bound to providers implicitly
158 or explicitly, depending on the application's needs. This is discussed
159 in more detail in the [Provider Design](#core-and-provider-design),
162 The architecture has the following characteristics:
164 * The EVP layer is a thin wrapper for operations implemented in the
165 providers. Most calls are passed straight through with little/no
166 pre- or post-processing.
167 * New EVP APIs will be provided to affect how the Core selects (or
168 finds) the implementation of an operation to be used for any given
170 * Information will be passed between libcrypto and the providers in
171 an implementation agnostic manner.
172 * Legacy APIs (e.g. low level cryptographic APIs that do not go via
173 the EVP layer) will be deprecated. Note that there are legacy APIs
174 to non legacy algorithms (e.g. AES is not a legacy algorithm but
175 `AES_encrypt` is a legacy API).
176 * The OpenSSL FIPS Cryptographic Module will be implemented as a
177 dynamically loaded provider. It will be self-contained (i.e. can
178 only depend on system runtime libraries and services provided by
181 ### Conceptual Component View {#conceptual-component-view}
183 An overview of the conceptual components in the OpenSSL architecture
184 is as shown in the diagram below. Note that the existence of a
185 component in the diagram does not indicate that the component is a
186 public API or intended for end-user direct access or usage.
188 ![](images/ToBeComponent.png)
190 The new components (not present in the previous architecture) shown
193 * Core: This is a fundamental component that connects requests for
194 an operation (such as encryption) to a provider of that
195 operation. It provides the ability to locate an implementation of
196 an algorithm offering specified operations given a set of
197 properties that the implementation must fulfil. For example,
198 properties of an encryption algorithm may include at a minimum
200 * Default Provider: Implements a set of default algorithms.
201 * FIPS Provider: Implements a set of algorithms that are FIPS
202 validated and are made available via the Core. This includes the
203 following supporting services:
204 * POST: Power On Self Test
205 * KAT: Known Answer Tests
207 * Low Level Implementations: This is the set of components that
208 actually implement the cryptographic primitives (to meet the
209 FIPS-mandated self-contained requirement).
210 * Engines Provider: A shim that allows existing engines to work
211 when called via the Core.
212 * Legacy Provider: Provides implementations of older algorithms that
213 will be exposed via EVP-level APIs.
214 * 3rd Party Providers: Eventually, third-parties may provide their
215 own providers. A third-party provider, like any other provider,
216 implements a set of algorithms that will be accessible to
217 applications and other providers via the Core.
219 ### Packaging View {#package-view}
221 The various components described in the conceptual component view
222 above are physically packaged into:
224 * Executable application(s) for use by users
225 * Libraries for use by application(s)
226 * Dynamically loadable module(s) for use by the Core.
228 There will be multiple different packaging options provided with
229 OpenSSL 3.0 (for example a single library libcrypto containing
230 everything except the FIPS Provider, and all providers as separate
231 dynamically loadable modules).
233 Which dynamically loadable modules are registered, used, or available
234 will be able to be configured at runtime.
236 The following figure describes the architecture in terms of physical
239 ![](images/ToBePackaging.png)
241 The physical packages new to this release are:
243 * FIPS module. This contains the FIPS Provider that implements a set
244 of algorithms that are FIPS validated and are available via the
245 Core. The FIPS Provider is the OpenSSL FIPS Cryptographic Module
248 We will not attempt to preclude users from making errors, however
249 we will keep in mind the typical user usage and "safety". By
250 default the FIPS provider will be built and installed.
252 We will be able to perform a safety check that detects if the user
253 has modified the source in a FIPS-impactful manner from the
254 release distribution and block building the FIPS provider (on best
255 effort basis) unless an override option is provided.
257 We need to ensure there is a mechanism that enables the end user
258 to determine whether or not their usage of the FIPS module is
259 within the allowed uses under a formal validation.
261 Versioning of the FIPS module will be aligned with the base
262 OpenSSL version number at the point in time of the
263 validation. Not all OpenSSL releases will need an update to the
264 FIPS module. Therefore when a new FIPS module version is released
265 there may be gaps/jumps in its version number since the previous
268 * Legacy module. This contains implementations of legacy
271 Engines will be built with a provider shim, to allow them to work as
272 usual for cases when an ENGINE pointer is passed to some functions,
273 and as providers when acting as default implementations. Engines
274 compiled for pre-3.0.0 OpenSSL will need to be recompiled to work with
275 OpenSSL 3.0.0. Details in
276 [The ENGINE API](#the-engine-api) further down.
278 ## Core and Provider Design {#core-and-provider-design}
280 The interactions relevant for the Core and provider design are shown
281 in the diagram below. There are four major components: User
282 Application, EVP component, the Core, and a cryptographic
283 Provider. (There may be multiple providers, but that is not relevant
286 ![](images/300ProviderCollab.png)
288 The Core has the following characteristics:
290 * It enables Provider discovery, loading, initialisation and
292 * It enables property-based algorithm queries
293 * It implements caching of algorithm queries and implementation
295 * It operates within a library context that contains data such as
296 global properties, search cache and dispatch tables.
298 Providers have the following characteristics:
300 * They provide for access to specific algorithm implementations
301 * They associate algorithm implementations with a set of well
303 * They support parameter passing in an implementation agnostic
305 * They can be loaded at any point in time
306 * They have a well-known module entry point
308 The subsections that follow describe the flow an application uses to
309 load a provider, fetch an algorithm implementation, and use it. In
310 addition, this section describes in detail how algorithms, properties,
311 and parameters are named; how algorithm queries are handled; how
312 algorithms are registered and initialized; and how providers are
315 In order for an application to be able to use an algorithm it must
316 first "fetch" an implementation of it through an algorithm query. Our
317 design objective is to be able to support both explicit (up front)
318 fetching of algorithms and fetching of algorithms on use. By default
319 we expect to do fetching on use (e.g. using `EVP_sha256()`) so that
320 algorithms are typically fetched during an "init" function and bound
321 to a context object (often named `ctx`). The explicit fetching option
322 will be implemented via new API calls (e.g. `EVP_MD_fetch()`).
324 The diagram above shows the explicit fetch approach. The steps are as
329 1. Every provider needs to be loaded. This will happen implicitly
330 (default provider or specified via configuration) and may also be
331 explicitly requested by the application. Load encompases both
332 dynamic shared object loading (as needed) and initialisation.
333 1. The Core physically loads the module into memory (not required
334 if default provider is already in memory).
335 2. The Core calls the provider's entry point for the provider to
337 1. Within the entry point function, the provider initialises
338 some provider variables using values passed in from the
339 Core. A provider algorithm implementation query callback
340 is returned to the Core if initialization succeeds.
341 2. User application requests algorithm by calling a fetch routine.
342 1. The search by EVP will combine global properties with
343 call-specific ones and an algorithm identity to find the
344 corresponding algorithm implementation, and then create and
345 return a library handle (e.g. `EVP_MD`, `EVP_CIPHER`) to the
347 1. The first search of the implementation dispatch table is
348 made in an internal cache.
349 2. Should the first search fail, a second search is made by
350 asking the providers if they have an implementation of
351 said algorithm with the queried properties. When this
352 search is done, the resulting data is cached unless the
353 provider opts out of caching, to be used in the first
354 search (2.1.1). For example a PKCS#11 provider may opt out
355 of caching because its algorithms may become available and
356 unavailable over time.
357 3. The user application then uses the algorithm via EVP APIs (e.g.,
358 `EVP_DigestInit()`, `EVP_DigestUpdate()`, `EVP_DigestFinal()`,
360 1. The function pointer is invoked and ends up in the provider
361 for the implementation to perform the requested cryptographic
364 For the existing `EVP_{algorithm}()` functions (e.g. `EVP_sha256()`,
365 etc) things remain mostly unchanged. In particular, the fetch call is
366 not performed when the `EVP_{algorithm}()` call returns, but rather it
367 happens implicitly when the context object (e.g. `EVP_MD_CTX`) is
368 bound within the respective EVP init function. Specifically, step 2.1
369 happens just before step 3.1. This is known as "implicit
370 fetch". Implicit fetch always operates within a default library
371 context (see [Library Context](#library-context) below).
373 The method dispatch table is a list of `<function-id,
374 function-pointer>` pairs — where the `function-id`s are publically
375 defined and known by OpenSSL — put together with a set of properties
376 that can be used to identify each particular implementation. The Core
377 can take a property query and find the corresponding dispatch table,
378 to be used for applicable operations. This approach allows providers
379 to flexibly pass references to functions that the OpenSSL code can use
380 to create its method structures dynamically.
382 Providers can be loaded at any point in time. Unload at any point in
383 time can be requested. It is up to the application to ensure that a
384 provider is not currently being used or referenced when it is
385 unloaded. If an attempt is made to use an implementation that is no
386 longer available then an error will be returned.
388 The assumptions an application can currently make about the return
389 from `EVP_{algorithm}()` and not the new fetch approach are:
392 * does not need to be freed by the application
393 * can safely be compared for checking algorithms are the same
394 (i.e. specifically comparing pointers to `EVP_CIPHER`, `EVP_MD`,
397 For a direct use of explicit fetch by the application (rather than
398 using the existing `EVP_{algorithm}()` functions) the semantics will
402 * needs to be freed by the application
403 * pointers can't be safely compared with each other (more on that in
406 There will be new APIs to test the equality of objects that can be
407 used for both explicitly fetched objects and static variant ones
408 These APIs will enable comparison of just the algorithm identity,
409 or of specific algorithm implementations.
411 ### Library Context {#library-context}
413 A library context is an opaque structure that holds library "global"
414 data. OpenSSL will provide such a structure, limited to the global
415 data that the Core has to keep. Future expansion may come to include
416 other existing global data. An application will be able to create and
417 destroy one or more library context(s) within which all subsequent
418 interactions with the Core operate within. If the application does not
419 create and provide its own library context, an internal default one
424 OPENSSL_CTX *OPENSSL_CTX_new();
425 void OPENSSL_CTX_free(OPENSSL_CTX *ctx);
428 A library context can be passed to the explicit fetch functions. If
429 `NULL` is passed to them, the internal default context will be used.
431 More than one library context may be allocated, which implies that any
432 provider module may be initialized more than once. This permits an
433 application to both be directly linked with libcrypto and loading
434 providers it's interested in, as well as being linked with other
435 libraries that use their own provider modules, independently.
439 Names are required for algorithms, parameters, and properties. In
440 order to ensure consistency and to enable external Provider
441 implementers to define new names in a consistent way there will be a
442 registry of recommended or used names. It will be maintained
443 separately from the sources.
445 The ability to define aliases for names is required because there are
446 contexts where there are more than one name for the same thing
447 (e.g. EC curves with general names and NIST names for the same
450 ### Properties for Algorithm Implementation Selection {#properties-for-algorithm-implementation-selection}
452 Algorithm implementations (cryptographic and non-cryptographic) will
453 have some properties which will be used to select an implementation
454 from amongst those available. For 3.0, two properties are defined:
456 * _is this implementation the default implementation?_
457 * _is this implementation FIPS validated_?
459 The valid input and their meaning are:
461 +---------------------+-----------------------------+------------------------+
462 | **Property String** | **Meaning in a definition** | **Meaning in a query** |
463 +=====================+=============================+========================+
464 | `default` | This is the default | Request the default |
465 | | implementation | implementation |
466 +---------------------+-----------------------------+------------------------+
467 | `default=yes` | This is the default | Request the default |
468 | | implementation | implementation |
469 +---------------------+-----------------------------+------------------------+
470 | `default=no` | This is not the default | Request a non-default |
471 | | implementation | implementation |
472 +---------------------+-----------------------------+------------------------+
473 | `fips` | This implementation is FIPS | Request an |
474 | | validated. | implementation that is |
475 | | | FIPS validated |
476 +---------------------+-----------------------------+------------------------+
477 | `fips=yes` | This implementation is FIPS | Request an |
478 | | validated. | implementation that is |
479 | | | FIPS validated |
480 +---------------------+-----------------------------+------------------------+
481 | `fips=no` | This implementation is not | Request an |
482 | | FIPS validated. | implementation that is |
483 | | | not FIPS validated |
485 +---------------------+-----------------------------+------------------------+
487 In all cases property names will be defined as printable ASCII
488 characters and are case insensitive. Property values may be quoted or
489 unquoted. Unquoted values will also always be printable ASCII
490 characters and are case insensitive. Quoted values are tested for
491 equality on a raw byte comparison basis only.
493 Providers will be able to provide their own names or values. The full
494 syntax of property definitions and queries appear in
495 [Appendix 1 - Property Syntax](#appendix-1---property-syntax).
497 OpenSSL reserves all property names that do not have a period;
498 vendor-provided property names must have a period in the name. It is
499 expected (but not enforced) that the part of the property name before
500 the first period is or relates to the provider's name, to provide some
501 level of conflict avoidance via namespacing.
503 It is likely that additional properties will be defined during the
504 development of this release. A likely candidate is `provider` being
505 the name of the provider that is supplying the implementation.
506 Another possibility is `engine`, meaning that this algorithm is
507 implemented by an OpenSSL 1.1.1 dynamically loaded engine masquerading
510 There will be a built in global property query string, which will be
513 #### Property-based Algorithm Selection {#property-based-algorithmselection}
515 Algorithm implementation selection is based on properties.
517 The provider sets properties on the algorithms it offers. The
518 application sets which properties that it wants to see used as a
519 filter during algorithm selection - the query.
521 The desired properties for fetching algorithm implementations can be
522 specified in the following places:
524 1. globally, based on configuration files.
525 2. globally, based on API calls.
526 3. on a per-object basis for specific objects. E.g. SSL_CTX, SSL.
528 Properties will be used during algorithm lookup (parameter
529 specification of property values).
531 The sets of properties will be evaluated in a manner that resolves to
532 a single value of a property for each specified property
533 (keyword). The precedence order for keyword evaluation is:
537 1. The per-object or directly specified API parameter to fetch
538 1. The global (default) properties set by API calls
539 1. The global (default) properties set in configuration files
541 It is possible that additional property setting methods and evaluation
542 approaches will be defined during the development of this release.
544 By default, OpenSSL 3.0 will load a configuration file (which contains
545 global properties and other settings) automatically without explicit
546 application API calls. This will occur in libcrypto. Note that in
547 OpenSSL 1.1.1 the configuration file is automatically loaded only by
548 the default (automatic) initialisation of libssl.
550 ### Parameter Definition {#parameter-definition}
552 The OpenSSL Core and providers have to exchange data while keeping
553 OpenSSL and provider structures opaque. All composite values will be
554 passed as an array of items, using the public data structure defined
556 [Appendix 2 - OpenSSL parameter passing](#appendix-2---parameter-passing).
557 Parameters will be identified using their name (as a string) and each
558 contains its own type and size information.
560 The Core will define an API to pass an array of parameter values or
561 requests for values to a provider or a specific algorithm
562 implementation, and for the latter, an associated object handled by
563 that implementation. In the cases of the basic machine types, macros
564 could be developed to assist in the construction and extraction of
567 ### Operation and Operation Function Definitions {#operation-and-operation-function-definitions}
569 While algorithm and parameter names are essentially controlled and
570 allocated by the providers, the operations and associated functions
571 that are going to be called by libcrypto are essentially controlled
572 and allocated by the Core.
574 For things that are only controlled by the Core, we will use macros to
575 name them, with numbers as values to be used as indexes. Allocation
576 will be incremental, i.e. for any new operation or function, the next
577 number available will be picked.
579 ### Algorithm Query {#algorithm-query}
581 Each algorithm type (e.g. `EVP_MD`, `EVP_CIPHER` etc) with have a
582 "fetch" function available (e.g. `EVP_MD_fetch()`,
583 `EVP_CIPHER_fetch()`). Algorithm implementations are identified using
584 their name and properties
586 Each fetch function will use services provided by the Core to find an
587 appropriate implementation as described in the introduction of
588 [Core and Provider Design](#core-and-provider-design). If an appropriate
589 implementation has been found then it is constructed into a suitable
590 algorithm structure (e.g. `EVP_MD`, `EVP_CIPHER`) and returned to the
593 If multiple implementations are equally good matches for the passed
594 name and properties, one of these will be returned on retrieval but
595 exactly which one is not defined. Furthermore, there is no guarantee
596 that the same match would be returned every time.
598 ### Algorithm Query Caching {#algorithm-query-caching}
601 Algorithm queries will be cached together with their result.
603 The algorithm query cache can be flushed to remove:
605 * All queries returning a specific algorithm implementation
606 * All algorithm implementations from a specific provider
607 * All algorithm implementations
609 ### Multilevel Queries {#multilevel-queries}
611 In order to handle both global properties and properties passed to
612 specific calls (such as fetch calls), the global property query
613 settings will be merged with the passed property settings except where
614 there is a conflict, specifically:
617 +--------------------+---------------------+---------------------+
618 | **Global Setting** | **Passed Settings** | **Resulting Query** |
619 +====================+=====================+=====================+
620 | `fips=yes` | `fips=yes` | `fips=yes` |
621 +--------------------+---------------------+---------------------+
622 | `fips=yes` | `fips=no` | `fips=no` |
623 +--------------------+---------------------+---------------------+
624 | `fips=yes` | `-fips` | *fips is not |
626 +--------------------+---------------------+---------------------+
627 | `fips=yes` | *fips is not | `fips=yes` |
629 +--------------------+---------------------+---------------------+
630 | `fips=no` | `fips=yes` | `fips=yes` |
631 +--------------------+---------------------+---------------------+
632 | `fips=no` | `fips=no` | `fips=no` |
633 +--------------------+---------------------+---------------------+
634 | `fips=no` | `-fips` | *fips is not |
636 +--------------------+---------------------+---------------------+
637 | `fips=no` | *fips is not | `fips=no` |
639 +--------------------+---------------------+---------------------+
640 | *fips is not | `fips=yes` | `fips=yes` |
642 +--------------------+---------------------+---------------------+
643 | *fips is not | `fips=no` | `fips=no` |
645 +--------------------+---------------------+---------------------+
646 | *fips is not | `-fips` | *fips stays not |
647 | specified* | | specified* |
648 +--------------------+---------------------+---------------------+
649 | *fips is not | *fips is not | *fips stays not |
650 | specified* | specified* | specified* |
651 +--------------------+---------------------+---------------------+
654 ### Provider Module Loading {#provider-module-loading}
657 Providers can either be built-in or dynamically loadable modules.
659 All algorithms are implemented by providers. The OpenSSL Core will
660 initially have no providers loaded, and therefore will have no
661 algorithms available. Providers will need to be discovered and
662 loaded. The algorithm implementations contained within them can then
663 be queried by the Core at a later time, with those queries possibly
666 If no provider has been loaded at the time of the first fetch
667 (implicit as well as explicit), the built in default provider will be
668 automatically loaded.
670 Note that a provider may be written against an older version of the
671 Core API than the current version in libcrypto. For example, it will
672 have to be possible for users to run a different FIPS provider module
673 version than the main OpenSSL version. This means the Core API will
674 have to remain stable and backwards compatible (just like any other
677 All of the command line applications supplied as part of the OpenSSL
678 build will gain a `-provider xxx` option which loads a provider. This
679 option can be specified multiple times on the command line (as
680 multiple providers can always be loaded) and it isn't an error if the
681 provider remains unused for any specific operation (e.g. loading a
682 provider that only supplies AES when doing a SHA256 digest).
684 #### Finding and loading dynamic provider modules {#finding-and-loading-dynamic-provider-modules}
686 Dynamic provider modules are `.so` files on UNIX type operating
687 systems, or a `.dll` file on Windows type operating systems, or
688 whatever corresponds on other operating systems. By default, they
689 will be installed in a well known directory.
691 Provider module loading can occur several ways:
693 * **On demand**, the application will have to specify exactly what
694 provider modules should be loaded.
695 * **By configuration**, the set of provider modules to load would be
696 specified in a configuration file.
698 Some of these methods may be combined.
700 A provider module can be specified by full path, and can therefore be
701 loaded even if it isn't located in the well known directory.
703 After the Core loads a provider module, it calls the provider module
706 #### Provider Module Entry Point {#provider-module-entry-point}
708 A provider module _must_ have the following well known entry point:
711 int OSSL_provider_init(const OSSL_PROVIDER *provider,
712 const OSSL_DISPATCH *in,
713 const OSSL_DISPATCH **out
714 void **provider_ctx);
717 If the entry point does not exist in the dynamically loaded object,
718 then it is not a valid module and loading it will fail.
720 `in` is an array of functions that the Core passes to the provider.
722 `out` is an array of provider functions that the provider passes back
725 `provider_ctx` (may be shortened to `provctx` elsewhere in this
726 document) is an object optionally created by the provider for its own
727 use (storing data it needs to keep around safely). This pointer will
728 be passed back to appropriate provider functions.
730 `provider` is a handle to a provider object belonging to the Core.
731 This can serve as a unique provider identity which may be required in
732 some API calls. This object will also be populated with diverse data,
733 such as module path, NCONF configuration structure for the provider
734 (see [CONF / NCONF values as parameters](#conf-nconf-values-as-parameters)
735 below for an idea on how that would be implemented), and these diverse
736 values can then be retrieved by the provider using a params getter
737 callback that the Core provides. The type `OSSL_PROVIDER` is opaque.
739 `OSSL_DISPATCH` is an open structure that implements the `< function-id,
740 function-pointer >` tuple mentioned in the introduction of
741 [Core and Provider Design](#core-and-provider-design):
745 typedef struct ossl_dispatch_st {
752 The `funcion_id` identifies a specific function, and `function` is the
753 pointer to that function. An array of these is terminated with
754 `function_id` set to zero.
756 The provider module may or may not be linked against libcrypto. If it
757 is not then it will have no direct access to any libcrypto
758 functions. All essential communication back to libcrypto will be via
759 callback functions provided by the Core. It is important that memory
760 allocated by specific providers is freed by the same
761 providers. Similarly memory allocated in libcrypto should be freed by
764 The API will specify a well known set of callback function
765 numbers. More function numbers can be added in later releases as
766 required without breaking backwards compatibility.
770 /* Functions provided by the Core to the provider */
771 #define OSSL_FUNC_ERR_PUT_ERROR 1
772 #define OSSL_FUNC_GET_PARAMS 2
773 /* Functions provided by the provider to the Core */
774 #define OSSL_FUNC_PROVIDER_QUERY_OPERATION 3
775 #define OSSL_FUNC_PROVIDER_TEARDOWN 4
779 The Core will set up an array of the well known callback functions:
783 static OSSL_DISPATCH core_callbacks[] = {
784 { OSSL_FUNC_ERR_PUT_ERROR, ERR_put_error },
785 /* int ossl_get_params(OSSL_PROVIDER *prov, OSSL_PARAM params[]); */
786 { OSSL_FUNC_GET_PARAMS, ossl_get_params, }
791 This is only a few of the functions that the Core may see fit to pass
792 to a provider. We may also pass functions to help with logging,
793 testing, instrumentation etc as the need comes up.
795 Once the module is loaded and the well known entry point located, the
796 init entry point can be invoked by the Core:
800 * NOTE: this code is meant as a simple demonstration of what could happen
801 * in the core. This is an area where the OSSL_PROVIDER type is not opaque.
803 OSSL_PROVIDER *provider = OSSL_PROVIDER_new();
804 const OSSL_DISPATCH *provider_callbacks;
806 * The following are diverse parameters that the provider can get the values
807 * of with ossl_get_params.
809 /* reference to the loaded module, or NULL if built in */
810 provider->module = dso;
811 /* reference to the path of the loaded module */
812 provider->module_path = dso_path;
813 /* reference to the NCONF structure used for this provider */
814 provider->conf_module = conf_module;
816 if (!OSSL_provider_init(provider, core_callbacks, &provider_callbacks))
819 /* populate |provider| with functions passed by the provider */
820 while (provider_callbacks->func_num > 0) {
821 switch (provider_callbacks->func_num) {
822 case OSSL_FUNC_PROVIDER_QUERY_OPERATION:
823 provider->query_operation = provider_callbacks->func;
825 case OSSL_FUNC_PROVIDER_TEARDOWN:
826 provider->teardown = provider_callbacks->func;
829 provider_callbacks++;
834 The `OSSL_provider_init` entry point does not register any algorithms
835 that will be needed, but it will return at least these two callbacks
836 to enable this process:
838 1. `OSSL_FUNC_QUERY_OPERATION`, which is used to find out what
839 implementations of an operation are available. This must return
840 an array of `OSSL_ALGORITHM` (see further down), which maps
841 algorithm names and property definition strings to implementation
842 dispatch tables. This function must also be able to indicate if
843 the resulting array may be cached by the Core or not. This is
844 explained in further detail below.
845 2. `OSSL_FUNC_TEARDOWN`, which is used when the provider is unloaded.
847 The provider register callback can only be run after the
848 `OSSL_provider_init()` call succeeds.
850 #### Provider Initialisation and Algorithm Registration {#provider-initialisation-and-algorithm-registration}
853 An algorithm offers a set of operations (capabilities, features,
854 etc). The operations are invoked via functions. For example, the RSA
855 algorithm offers signing and encryption (two operations) which are
856 invoked via the _init_, _update_, _final_ functions for signing and
857 _init_, _update_, _final _ functions for encryption. The set of
858 functions is determined by the implementation of the upper-level EVP
861 Operations are identified by a unique number. For example:
865 #define OSSL_OP_DIGEST 1
866 #define OSSL_OP_SYM_ENCRYPT 2
867 #define OSSL_OP_SEAL 3
868 #define OSSL_OP_DIGEST_SIGN 4
869 #define OSSL_OP_SIGN 5
870 #define OSSL_OP_ASYM_KEYGEN 6
871 #define OSSL_OP_ASYM_PARAMGEN 7
872 #define OSSL_OP_ASYM_ENCRYPT 8
873 #define OSSL_OP_ASYM_SIGN 9
874 #define OSSL_OP_ASYM_DERIVE 10
877 For a provider to make an algorithm usable by libcrypto, it must
878 register an operation querying callback, which returns an array of
879 implementation descriptors, given an operation identity:
882 < algorithm name, property definition string, implementation `OSSL_DISPATCH*` >
884 So for example, this query callback will return the list of all its
885 digests if the given operation is `OSSL_OP_DIGEST`.
887 Algorithms are identified by a string.
889 The Core provides a set of services for the provider to use in the
890 form of a function table.
892 A provider will also offer a service for returning information (in the
893 form of parameters as specified in
894 [Appendix 2 - Parameter Passing](#appendix-2---parameter-passing)) via
895 a callback provided by the provider, such as:
899 * Build strings - as per the current OpenSSL related build
900 information (only at the provider level)
904 An individual operation may require multiple function callbacks to be
905 defined in order to implement the operation. Each function will be
906 identified by a numeric function identity. Each of the identities are
907 unique for the combination of operation and function, i.e. the number
908 assigned to the init function of the digest operation cannot be reused
909 for init functions for other operations, those will have their own
910 unique numbers. For example, for the digest operation, these functions
914 #define OSSL_OP_DIGEST_NEWCTX_FUNC 1
915 #define OSSL_OP_DIGEST_INIT_FUNC 2
916 #define OSSL_OP_DIGEST_UPDATE_FUNC 3
917 #define OSSL_OP_DIGEST_FINAL_FUNC 4
918 #define OSSL_OP_DIGEST_FREECTX_FUNC 5
919 typedef void *(*OSSL_OP_digest_newctx_fn)(void *provctx);
920 typedef int (*OSSL_OP_digest_init_fn)(void *ctx);
921 typedef int (*OSSL_OP_digest_update_fn)(void *ctx, void *data, size_t len);
922 typedef int (*OSSL_OP_digest_final_fn)(void *ctx, void *md, size_t mdsize,
924 typedef void (*OSSL_OP_digest_freectx_fn)(void *ctx);
927 An all in one version is also advisable for devices that cannot handle
928 multi-part operations:
931 #define OSSL_OP_DIGEST_FUNC 6
932 typedef int (*OSSL_OP_digest)(void *provctx,
933 const void *data, size_t len,
934 unsigned char *md, size_t mdsize,
939 A provider then defines arrays containing the set of functions for
940 each algorithm implementation and one array of algorithm descriptors
941 for each operation. The algorithm descriptor was mentioned higher up,
942 and would be publically defined like this:
946 typedef struct ossl_algorithm_st {
948 const char *properties;
953 For example (and it is only an example, providers may arrange these
954 things any way they want, the important thing is what the algorithm
955 querying function such as `fips_query_operation` below returns) the
956 FIPS module may define arrays like this for the SHA1 algorithm:
960 static OSSL_DISPATCH fips_sha1_callbacks[] = {
961 { OSSL_OP_DIGEST_NEWCTX_FUNC, fips_sha1_newctx },
962 { OSSL_OP_DIGEST_INIT_FUNC, fips_sha1_init },
963 { OSSL_OP_DIGEST_UPDATE_FUNC, fips_sha1_update },
964 { OSSL_OP_DIGEST_FINAL_FUNC, fips_sha1_final },
965 { OSSL_OP_DIGEST_FUNC, fips_sha1_digest },
966 { OSSL_OP_DIGEST_FREECTX_FUNC, fips_sha1_freectx },
969 static const char prop_fips[] = "fips";
970 static const OSSL_ALGORITHM fips_digests[] = {
971 { "sha1", prop_fips, fips_sha1_callbacks },
972 { "SHA-1", prop_fips, fips_sha1_callbacks }, /* alias for "sha1" */
977 The FIPS provider init module entry point function might look like
981 static int fips_query_operation(void *provctx, int op_id,
982 const OSSL_ALGORITHM **map)
993 #define param_set_string(o,s) do { \
995 (o)->data_type = OSSL_PARAM_UTF8_STRING_PTR; \
996 if ((o)->result_size != NULL) *(o)->result_size = sizeof(s); \
998 static int fips_get_params(void *provctx, OSSL_PARAM *outparams)
1000 while (outparams->key != NULL) {
1001 if (strcmp(outparams->key, "provider.name") == 0) {
1002 param_set_string(outparams, "OPENSSL_FIPS");
1003 } else if if (strcmp(outparams->key, "provider.build") == 0) {
1004 param_set_string(outparams, OSSL_FIPS_PROV_BUILD_STRING);
1010 OSSL_DISPATCH provider_dispatch[] = {
1011 { OSSL_FUNC_PROVIDER_QUERY_OPERATION, fips_query_operation },
1012 { OSSL_FUNC_PROVIDER_GET_PARAMS, fips_get_params },
1013 { OSSL_FUNC_PROVIDER_STATUS, fips_get_status },
1014 { OSSL_FUNC_PROVIDER_TEARDOWN, fips_teardown },
1017 static core_put_error_fn *core_put_error = NULL;
1018 static core_get_params_fn *core_get_params = NULL;
1020 int OSSL_provider_init(const OSSL_PROVIDER *provider,
1021 const OSSL_DISPATCH *in,
1022 const OSSL_DISPATCH **out
1023 void **provider_ctx)
1028 * Start with collecting the functions provided by the core
1029 * (we could write it more elegantly, but ...)
1031 while (in->func_num > 0) {
1032 switch (in->func_num) {
1033 case OSSL_FUNC_ERR_PUT_ERROR:
1034 core_put_error = in->func;
1036 case OSSL_FUNC_GET_PARAMS:
1037 core_get_params = in->func;
1043 /* Get all parameters required for self tests */
1046 * All these parameters come from a configuration saying this:
1050 * selftest_path = "foo"
1051 * selftest_bool = true
1052 * selftest_name = "bar"
1054 OSSL_PARAM selftest_params[] = {
1055 { "provider.selftest_i", OSSL_PARAM_NUMBER,
1056 &selftest_i, sizeof(selftest_i), NULL },
1057 { "provider.selftest_path", OSSL_PARAM_STRING,
1058 &selftest_path, sizeof(selftest_path), &selftest_path_ln },
1059 { "provider.selftest_bool", OSSL_PARAM_BOOLEAN,
1060 &selftest_bool, sizeof(selftest_bool), NULL },
1061 { "provider.selftest_name", OSSL_PARAM_STRING,
1062 &selftest_name, sizeof(selftest_name), &selftest_name_ln },
1063 { NULL, 0, NULL, 0, NULL }
1065 core_get_params(provider, selftest_params);
1068 /* Perform the FIPS self test - only return params if it succeeds. */
1069 if (OSSL_FIPS_self_test()) {
1070 *out = provider_dispatch;
1077 ### Algorithm Selection {#algorithm-selection}
1080 Multiple providers may be available at any one time. Existing
1081 application code re-compiled for this version should continue to
1082 work. At the same time it should be possible with minor code
1083 adjustments to be able to find and use algorithms using the new
1084 property based algorithm lookup capability.
1086 To illustrate how this might work, the code below is an example of how
1087 a simple AES-CBC-128 encryption might be done using OpenSSL 1.1.1. All
1088 error handling has been stripped out for simplicity.
1091 EVP_CIPHER_CTX *ctx;
1094 ctx = EVP_CIPHER_CTX_new();
1095 ciph = EVP_aes_128_cbc();
1096 EVP_EncryptInit_ex(ctx, ciph, NULL, key, iv);
1097 EVP_EncryptUpdate(ctx, ciphertext, &clen, plaintext, plen);
1098 EVP_EncryptFinal_ex(ctx, ciphertext + clen, &clentmp);
1101 EVP_CIPHER_CTX_free(ctx);
1104 In OpenSSL 3.0, such code would continue to work and would use
1105 algorithms from a provider (assuming nothing else has been configured,
1106 it will be the default provider). It could also be rewritten using
1107 explicit fetching as follows. Explicit fetching also enables the
1108 application to specify a non-default library context if required
1109 (`osslctx` in this example):
1113 EVP_CIPHER_CTX *ctx;
1116 ctx = EVP_CIPHER_CTX_new();
1117 ciph = EVP_CIPHER_fetch(osslctx, "aes-128-cbc", NULL); /* <=== */
1118 EVP_EncryptInit_ex(ctx, ciph, NULL, key, iv);
1119 EVP_EncryptUpdate(ctx, ciphertext, &clen, plaintext, plen);
1120 EVP_EncryptFinal_ex(ctx, ciphertext + clen, &clentmp);
1123 EVP_CIPHER_CTX_free(ctx);
1124 EVP_CIPHER_free(ciph); /* <=== */
1128 An application may wish to use algorithms from a different provider.
1130 For example, consider the scenario where an application wishes to use
1131 some algorithms from the FIPS provider, but still use the default
1132 algorithms in certain cases. This could be implemented in different
1137 1. Only use FIPS algorithms.
1138 2. Default to using FIPS algorithms. Be able to override it on an "as
1139 needed" basis to get access to a non FIPS algorithm.
1140 3. Default to not caring about FIPS algorithms. Be able to override
1141 it on an "as needed" basis to get a FIPS algorithm.
1143 #### Only FIPS {#only-fips}
1145 Compared to code written for pre-3.0.0 OpenSSL, all you need to do to
1146 only get FIPS implementations is something like this:
1151 EVP_set_default_alg_properties(NULL, "fips=yes"); /* <=== */
1156 Then the above encryption code that uses `EVP_aes_128_cbc() `would
1157 continue to work as before. The `EVP_EncryptInit_ex()` call would use
1158 those default algorithm properties, and then look it up via the Core
1159 in order to get a handle to the FIPS implementation. This
1160 implementation would then be associated with the `EVP_CIPHER_CTX`
1161 object. If there isn't a suitable algorithm implementation available
1162 then the the `EVP_Encrypt_init_ex()` call will fail.
1164 The first parameter to `EVP_set_default_alg_properties` is the library
1165 context, NULL being the default internal one.
1167 #### Default to FIPS but allow an override {#default-to-fips-but-allow-an-override}
1169 To default to using FIPS algorithms but override it on an _as needed_
1170 basis to non-FIPS algorithms, the application might instead do this,
1171 compared to code written for pre-3.0.0 OpenSSL:
1176 EVP_set_default_alg_properties(osslctx, "fips=yes"); /* <=== */
1180 EVP_CIPHER_CTX *ctx;
1183 ctx = EVP_CIPHER_CTX_new();
1184 ciph = EVP_CIPHER_fetch(osslctx, "aes-128-cbc", "fips!=yes"); /* <=== */
1185 EVP_EncryptInit_ex(ctx, ciph, NULL, key, iv);
1186 EVP_EncryptUpdate(ctx, ciphertext, &clen, plaintext, plen);
1187 EVP_EncryptFinal_ex(ctx, ciphertext + clen, &clentmp);
1190 EVP_CIPHER_CTX_free(ctx);
1191 EVP_CIPHER_free(ciph); /* <=== */
1194 Here the `EVP_CIPHER_fetch()` call would combine properties from:
1196 1. The default algorithm properties
1197 2. The properties passed in as a parameter (with the passed in
1198 properties taking precedence).
1200 Because the `EVP_CIPHER_fetch()` call overrides the default "fips"
1201 property it will look for an implementation of AES-CBC-128 that is not
1204 In this example, we see a non-default library context being used.
1205 This is only possible with explicitly fetched implementations.
1207 (note for the attentive: `"fips!=yes"` could as well be `"fips=no"`,
1208 but is provided here as an example of the "not equal to" operator)
1210 #### Default to not caring and allow override for FIPS {#default-to-not-caring-and-allow-override-for-fips}
1212 To default to not using FIPS algorithms but override it on an _as
1213 needed_ basis to use FIPS, the application code might look like this,
1214 compared to code written for pre-3.0.0 OpenSSL:
1217 EVP_CIPHER_CTX *ctx;
1220 ctx = EVP_CIPHER_CTX_new();
1221 ciph = EVP_CIPHER_fetch(osslctx, "aes-128-cbc", "fips=yes"); /* <=== */
1222 EVP_EncryptInit_ex(ctx, ciph, NULL, key, iv);
1223 EVP_EncryptUpdate(ctx, ciphertext, &clen, plaintext, plen);
1224 EVP_EncryptFinal_ex(ctx, ciphertext + clen, &clentmp);
1227 EVP_CIPHER_CTX_free(ctx);
1228 EVP_CIPHER_free(ciph); /* <=== */
1231 In this version we have not overridden the default algorithm
1232 properties in "main", and therefore you get the standard
1233 out-of-the-box defaults which are to not mandate the use of
1234 FIPS. However we've explicitly set the "fips" property at the
1235 `EVP_CIPHER_fetch()` level, and so that overrides the default. When
1236 `EVP_CIPHER_fetch()` looks up the algorithm using the Core it will get
1237 a reference to the FIPS one (or fail if no such algorithm is
1240 #### Asymmetric algorithm selection {#asymmetric-algorithm-selection}
1242 Note that for symmetric encryption/decryption and for message digests
1243 there are existing OpenSSL objects that can be used to represent an
1244 algorithm, i.e. `EVP_CIPHER` and `EVP_MD`. For asymmetric algorithms
1245 there is no equivalent object. The algorithm in use is inferred
1246 implicitly from the type of the `EVP_PKEY`.
1248 In order to solve this problem a new asymmetric algorithm object will
1249 be introduced. In the example below an ECDH key derivation is
1250 performed. We lookup a FIPS ECDH implementation (assuming we _know_
1251 that the given private key is an ECC one, of course) using a new
1252 algorithm object, `EVP_ASYM`:
1255 EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new(privkey, NULL);
1256 EVP_ASYM *asym = EVP_ASYM_fetch(osslctx, EVP_PKEY_EC, "fips=yes");
1257 EVP_PKEY_CTX_set_alg(pctx, asym));
1258 EVP_PKEY_derive_init(pctx);
1259 EVP_PKEY_derive_set_peer(pctx, pubkey);
1260 EVP_PKEY_derive(pctx, out, &outlen);
1261 EVP_PKEY_CTX_free(pctx);
1264 ### Example dynamic views of algorithm selection {#example-dynamic-views-of-algorithm-selection}
1266 The sequence diagram below shows an example of how the SHA256
1267 algorithm might be selected and invoked from the default provider.
1269 ![](images/DigestExplicit.png)
1271 Note that each EVP layer call is implemented by thin wrappers in the
1272 EVP layer, which invoke similarly named functions within the provider
1273 on an algorithm by algorithm basis. The specific provider functions to
1274 be used will be looked up in the Core Dispatcher tables via an
1275 explicit `EVP_MD_fetch()` call that specifies the message digest name as a
1276 string and any other relevant properties. The returned "md" object contains
1277 function pointers to the implementation of the algorithm in the selected
1280 The `EVP_MD_CTX` object is not passed through to the provider since we
1281 do not know whether any specific provider module is linked against
1282 libcrypto. Instead we simply pass through a black box handle (`void *`
1283 pointer), which the provider will associate with whatever structure it
1284 requires. This is allocated during an explicit `digestNewCtx()` call
1285 to the provider at the beginning of the operation, and freed at the
1286 end with a `digestFreeCtx()` call.
1288 The next diagram shows a slightly more complex scenario, i.e. an
1289 `EVP_DigestSign*` operation using RSA and SHA256. This diagram is
1290 drawn from the perspective of libcrypto with algorithms being provided
1291 by the FIPS module. A later section will examine this scenario from
1292 the perspective of the FIPS module.
1294 ![](images/DigestSignFIPSExplicit.png)
1296 An `EVP_DigestSign*` operation is more complicated because it involves
1297 two algorithms: a signing algorithm, and a digest algorithm. In
1298 general those two algorithms may come from different providers or the
1299 same one. In the case of the FIPS module the algorithms must both come
1300 from the same FIPS module provider. The operation will fail if an
1301 attempt is made to do otherwise.
1303 In spite of the added complexity of having two algorithms the same
1304 concepts apply as for the simpler `EVP_Digest*` operation shown in the
1305 earlier diagram. There are two contexts produced: an `EVP_MD_CTX` and
1306 an `EVP_PKEY_CTX`. Neither of these are passed through to the
1307 provider. Instead black box (`void *`) handles are created via
1308 explicit "newCtx" provider calls, and then those handles are passed
1309 through during subsequent "init", "update" and "final" operations.
1311 The algorithms are looked up in the Core dispatch tables using
1312 explicit `EVP_MD_fetch()` and `EVP_ASYM_fetch()` calls in advance.
1314 ## FIPS Module {#fips-module}
1317 [FIPS 140-2](https://csrc.nist.gov/publications/detail/fips/140/2/final)
1318 validated cryptographic module. It is a
1319 [provider](#core-and-provider-design) that contains FIPS
1320 validated/approved cryptographic algorithms only. Non FIPS algorithms
1321 will be supplied by the default provider (not the FIPS module).
1323 The module is dynamically loadable - static linking is not supported.
1325 The FIPS Module will itself not have a "FIPS mode". The OpenSSL that
1326 can use the FIPS provider will have a "mode" concept that is
1327 compatible with the FIPS Module 2.0.0.
1329 ### FIPS Module Version Numbering {#fips-module-version-numbering}
1332 The version will be FIPS module 3.0
1334 Any subsequent revisions will be labelled in a similar manner to
1335 previous releases i.e 3.0.x.
1337 For change letters or revalidations the version number of the FIPS
1338 Module will be updated to match the current version of the OpenSSL
1341 ### Detection of Changes inside the FIPS Boundary {#detection-of-changes-inside-the-fips-boundary}
1343 For the sake of validation, we need to detect if any relevant source
1346 This can be done with a script that tokenizes the C sources the same
1347 way a C preprocessor does, but that is also taught to ignore certain
1348 parts of the source:
1352 * System `#include` directives.
1353 * Code that is conditioned away in FIPS mode (as described in
1354 [Conditional Code](#conditional-code) below).
1356 (reminder: a C preprocessor can, but doesn't not have to, collapse all
1357 non-newline whitespace and leave a standard single space between every
1358 token, and comments are considered to be whitespace for this purpose)
1360 The result of the tokenization process can then go through a checksum,
1361 which is stored in a file parallel to the source file and ultimately
1364 The process will be something like this (not exactly, this is a code
1365 example to show the overall process):
1368 for f in $(FIPS_SOURCES); do
1369 perl ./util/fips-tokenize $f | openssl sha256 -r
1370 done | openssl sha256 -hex -out fips.checksum
1373 There will also be some mechanism that alerts us of changes so we can take appropriate action. For example:
1377 git diff --quiet fips.checksum || \
1378 (git rev-parse HEAD > fips.commit; scream)
1382 What `scream` should actually do is still to be determined.
1384 Updating `fips.checksum` should happen as part of a normal `make
1385 update`, which is the usual method to change and check changes on
1386 files that are version controlled. OpenSSL's CIs already run this to
1387 see that nothing was forgotten, and breaks the build if something was
1388 changed by this command. Running `make update` is also part of the
1389 normal OpenSSL release process.
1391 #### How to react to a change of the signed checksum {#how-to-react-to-a-change-of-the-signed-checksum}
1394 In spite of `scream`, a changed checksum in our repo isn't very
1395 dramatic per se, it simply notifies us that we need to pay some extra
1396 attention to the FIPS source.
1400 1. _When it's soon time for a release_ and `fips.checksum` no longer
1401 contains the checksum from the last validated source, send the
1402 FIPS source to the lab and get the update validation process
1404 2. _At the same time as a release is made_ `fips.checksum` no longer
1405 contains the checksum from the last validated source, send the
1406 FIPS source to the lab (including diff files and a change list)
1407 and get the appropriate update validation process started.
1409 The list of validated checksums will be listed _somewhere else_ (to be
1412 #### Compiling {#compiling}
1414 For each FIPS provider source file, we calculate that file's checksum
1415 and check it against the collected checksum in `fips.checksum`, and
1416 refuse to compile if there's a mismatch.
1418 ### FIPS Mode {#fips-mode}
1420 The FIPS module only contains FIPS validated cryptographic
1421 algorithms. Any FIPS mode 'switching logic' will be outside the FIPS
1422 module boundary - this will be handled by the "fips" property.
1424 [Conditional code](#conditional-code) related to FIPS mode is
1425 discussed in a separate section.
1427 The following FIPS API's will continue to be available for application
1428 use (for consistency the same names present in 1.1.1 are used):
1430 * `int FIPS_mode_set(int on)`
1432 Ensures that "fips=yes" is set (for `on != 0`) or "fips" is unset
1433 (for `on == 0`) in the current global property setting. This will
1434 also attempt to fetch the `HMAC-SHA256` algorithm with the
1435 property "fips=yes" and ensure that it successfully returns.
1437 * `int FIPS_mode(void)`
1439 Returns 1 if the current global property string contains the
1440 property "fips=yes" (or "fips"), 0 otherwise.
1442 We could check if there is any provider available that offers a
1443 FIPS algorithm currently and handle this a little differently.
1445 * `int FIPS_self_test(void)`
1447 If the `FIPS_mode()` returns true then this runs the KATs.
1449 The integrity test will not be covered. That will be a separate
1450 function if we decide to provide it.
1452 Returns 1 on success; 0 on failure or there being no OpenSSL FIPS
1455 Note: these functions will only operate in the context of the OpenSSL
1456 FIPS provider - not in the context of any other FIPS provider. These
1457 are legacy, deprecated interfaces. The
1458 `EVP_set_default_alg_properties()` function(s) should be used for
1459 non-legacy configuration.
1461 ### Roles and Authentication {#roles-and-authentication}
1463 There are two implied roles - Cryptographic Officer (CO) and
1464 User. Both roles support all the same services. The only difference is
1465 that the CO installs the software. The module should not support user
1466 authentication (it is not required for level 1). This can all be
1467 explained in the security policy without any specific code.
1469 ### Finite State Model (FIPS 140-2 section 4.4) {#finite-state-model}
1471 A state machine needs to be defined.
1473 We will require the following:
1475 * Self test states - initialisation, running, self test, error,
1476 shutdown, (and potentially post_triggered)
1477 * Error States - If a self test fails the module should return an
1478 error for that operation. It is permissible to try to clear the
1479 error and repeat the operation. If failure persists, the module
1480 should enter an error state. This can either be a hard error
1481 state where all cryptographic operations fail or a reduced
1482 functionality state where the failing components only return error
1485 Failing a self test can be triggered by:
1487 1. Continuous tests (key pair gen pairwise test (sign/verify) and
1488 random number compare test from entropy source to verify
1489 random number inputs into the DRBG are not the same).
1490 2. DRBG health tests - this can be made to cause an error always
1491 just in the RNG (rather than setting a global error
1493 3. POST Integrity test failure either at install, startup, or on
1495 4. POST KAT failure at startup, or on demand.
1497 An internal API will be supplied to set the failure state for the above cases.
1499 #### State Machine {#state-machine}
1501 States which are not present in the state machine are shown dotted.
1502 The edges into and out of the error state are dashed to indicate that
1503 they are not expected to be traversed.
1505 ![](images/300FIPSStateMachine.png){style="float: right"}
1507 The state model consists of these states:
1509 1. **Power Off**: the FIPS module is not loaded into an application
1510 and the shared library is not in memory.
1511 2. **Power On**: the FIPS module has been loaded by an application
1512 and the shared library is in memory. Default Entry Point
1513 Constructors will be initiated.
1514 3. **Initialisation**: `OSSL_provider_init` is called.
1515 4. **Integrity Check (POST Integrity)**: the module checksums itself
1516 and verifies that it hasn't been inadvertently altered.
1518 (This is run during the FIPS providers `OSSL_provider_init()`).
1520 5. **Self Test (POST KAT)**: the FIPS module is performing its POST
1521 during installation or the POST on demand from an API call.
1522 6. **Running**: the FIPS module is in its normal operating state.
1523 All APIs can be used and continuous testing is in force.
1524 7. **Error**: the FIPS module has entered an error state. All
1525 cryptographic APIs will return an error when called.
1526 8. **Shutdown**: the FIPS module is being terminated and unloaded
1527 from the using application.
1529 The edges between states are:
1531 1. **Power Off** to **Power On**: this transition is performed by the
1532 operating system when loading the shared library into an
1534 2. **Power On** to **Initialisation**: this transition occurs when
1535 the shared library constructor is called.
1536 3. **Power On** to **Shutdown**: this transition is triggered if the
1537 constructor cannot be called or if it fails.
1538 4. **Initialisation **to **Integrity Check**: this transition occurs
1539 when the initialisation code has completed. The module integrity
1540 checksum is computed and compared to the expected value.
1541 5. **Initialisation **to **Error**: this transition is triggered if
1542 the initialisation code encounters an error before the self tests
1544 6. **Integrity Check** to **Running**: this transition occurs for all
1545 startup where the integrity checks succeed after initial
1547 7. **Integrity Check** to **Self Test**: this transition occurs
1548 during installation when the integrity checks succeed.
1549 8. **Integrity Check** to **Error**: this transition is triggered if
1550 the integrity check fails.
1551 9. **Running **to **Shutdown**: this transition occurs when the FIPS
1552 module is being finalised.
1553 10. **Running **to **Error**: this transition is triggered if one of
1554 the continuous tests fail.
1555 11. **Running **to **Self Test**: this transition is triggered by the
1556 application when it initiates the self tests manually. The
1557 integrity checks are not rerun.
1558 12. **Self Test** to **Running**: this transition occurs when the
1560 13. **Self Test** to **Error**: this transition is triggered if the
1562 14. **Shutdown **to **Power Off**: this transition occurs when the
1563 FIPS module is unloaded from the memory of the application.
1564 15. **Error **to **Shutdown**: this transition occurs when the FIPS
1565 module is being finalised.
1567 If possible, we should aim to have algorithms registered only in the
1568 running state. Any transition into the running state should allow
1569 registration / caching of cryptographic algorithms and any transition
1570 into the error or shutdown states should flush all cached algorithms
1571 from libcrypto. By taking this approach, we obviate the need to check
1572 the state in all the cryptographic factory functions. This avoids
1573 special case access for the self tests (when started manually) while
1574 denying access to external callers.
1576 ### Services {#services}
1578 The FIPS module provides the following services.
1580 * Show status. This returns 1 if the 'Running' state is active
1581 otherwise it returns 0.
1582 * Cryptographic services such as HMAC, SHS, Encryption. See
1583 [Algorithms](#appendix-3---algorithms).
1584 * Self Test (POST On Demand) - A public API FIPS_self_test() in
1585 libcrypto will be used to access this method. The method used must
1586 be the same one that is triggered during initialization. The
1587 Security Policy will state that this may only be accessed while no
1588 other cryptographic services are running.
1589 * Key Zeroization. See [CSP/Key Zeroization](#csp-key-zeroization).
1591 Services are only operational in the running state. Any attempts to
1592 access services in any other state will result in an error being
1593 returned. If the POST fails then any attempt to access any service
1594 should result in an error being returned.
1596 ### Self Testing {#self-testing}
1598 Self-testing consists of power-on self-tests (POST) and run-time tests
1599 (such as ensuring entropy isn't repeated as input to the RNG).
1601 The POST consists of a module integrity check (which runs each time a
1602 FIPS-using application runs) as well as algorithm KATs (which can be
1603 run once at installation time).
1605 The POST tests run during the call to the FIPS modules
1606 `OSSL_provider_init()` entry point.
1608 In order to implement the Integrity Test and KAT in the proper order,
1609 the module needs access to the following data items:
1611 1. Path to the library;
1612 2. HMAC-SHA256 of the library contents (or path to the file with
1614 3. An indication that the library has been installed and the KAT has
1616 4. HMAC-SHA256 of that indicator.
1618 These values will be part of the parameters that can be retrieved
1619 through the `OSSL_PROVIDER` object and associated `OSSL_PARAM`
1620 getter. A "safer" get-value function that doesn't expand environment
1621 variables, etc. will be used to fetch the values. In addition,
1622 functions to access and return the library contents (probably
1623 BIO-based by having the Core pass a select number of BIO functions in
1624 its dispatch table) will also have to be passed into the module so
1625 that it can generate its own digest of the library.
1627 A new OpenSSL "fips" application will provide install (run the KAT and
1628 output data for the config file) and check (see if the values in the
1629 config file are valid) capabilities.
1631 The module's Default Entry Point (DEP), the ".init" function in Linux
1632 libraries, will set a module variable (probably the state
1633 variable). This variable will be checked in the OSSL_provider_init()
1634 and, if set (which it always will be), will verify the values in the
1635 file. This two-step process meets the FIPS requirement of having the
1636 DEP ensure the tests are run, but allows us to implement the tests
1637 when the rest of the module is being initialized during normal
1640 As part of the build process the integrity checksum of the FIPS module
1641 must be saved to a file. This could be done as a script. It is just a
1642 HMAC_SHA256 of the entire FIPS module file with a known fixed key. If
1643 the library is signed then the checksum would have to be calculated
1644 after the signature is applied.
1646 A fixed key of at least 112 bits will be embedded in the FIPS module
1647 for all HMAC integrity operation(s), this key will also be made
1648 available to the external build script.
1650 For testing purposes all active POST tests run even if one or more of
1653 #### Integrity Checksum Location {#integrity-checksum-location}
1655 The integrity checksum will be saved into a seperate file during
1656 installation. This file will be in the same location as the FIPS module
1657 itself by default, but may be configured to be in a different
1660 #### Known Answer Tests {#known-answer-tests}
1662 The purpose of a KAT is to perform a health-check of the cryptographic
1663 module to identify catastrophic failures or alterations of the module
1664 between power cycles and not that the implementation is correct.
1667 [FIPS 140-2 IG](https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/fips140-2/fips1402ig.pdf)'s
1668 rules that specify that each supported algorithm (not each mode) need
1669 to be tested, and that if an algorithm is tested as a component of
1670 another test then it does not need separate tests. Here is the list of
1671 algorithms that 'need' to be tested.
1673 * Cipher encrypt/decrypt
1678 * _SHA256 is required but tested elsewhere_
1683 * RSA_SHA256 (with PKCS #1 v1.5 padding)
1685 * DRBG Health Tests for any supported DRBG mechanisms
1689 * Derived Tests (Compute Z)
1693 * KBKDF (HKDF for TLS)
1695 Note: HMAC-SHA-256 is used by the integrity test, so there is no need
1696 for a seperate HMAC test.
1698 ##### API access {#api-access}
1700 In order to easily modify and change the self tests that are run - the
1701 self tests should be data driven. The POST tests are run before any
1702 methods are registered but the method tables can still be used
1703 indirectly. Lower level API's will still be required to set up keys
1704 (params, public/private) - the key loading code should be isolated in
1705 a separate function.
1707 An init method that sets up any required dependencies for the high
1708 level functions will be required i.e. `set_cpuid` may need to be
1709 called before doing primitive calls.
1711 API's for different types of self tests should be provided for
1712 digests, ciphers, signatures, DRBGs, KDFs, HMACs.
1714 The parameter passed into each of these tests is KAT data.
1716 ### Security Strength {#security-strength}
1718 [SP 800-131A rev2](https://csrc.nist.gov/publications/detail/sp/800-131a/rev-2/draft)
1719 disallows certain algorithms and key lengths after certain dates.
1720 Security strengths are associated with these items.
1722 Algorithms with at least 112 bits of security strength are allowed.
1724 For signature verification, security strengths of at least 80 and
1725 below 112 are allowed for legacy purposes.
1727 These two values could be defined and enforced in the FIPS module for
1728 keys, or it can be handled more simply in the Security Policy
1731 They could be defined by public API's that allow setting of these
1734 A concept of target security strength should also be added, this value
1735 would be used during key generation algorithms, which have an input
1736 target security strength parameter specified by their standards.
1738 ### SP800-56A & 56B {#sp800-56a-and-56b}
1740 These standards contain Key Agreement protocols. In order to test the
1741 protocols the following low level primitives would need to be in the
1742 cryptographic module.
1744 * Compute key methods - These already exist. (e.g `DH_compute_key()`).
1745 * Key Generation - (RSA
1746 [FIPS 186-4](https://csrc.nist.gov/publications/detail/fips/186/4/final)
1747 Keygen is currently missing).
1748 * Key Validation - (Mostly implemented).
1750 #### FIPS 186-4 RSA Key Generation {#fips-186-4-rsa-key-generation}
1752 * Initial Code for RSA key generation has been written
1753 ([https://github.com/openssl/openssl/pull/6652](https://github.com/openssl/openssl/pull/6652))
1755 Outstanding work is to plumb this into the FIPS module. The
1756 OpenSSL FIPs provider will have the logic that enforces the key size
1758 * A pairwise consistency test (Conditional Self Test) is required
1759 for RSA, DSA & ECDSA key pair generation. As the purpose of keys
1760 is not known during key generation,
1761 [FIPS 140-2 IG](https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/fips140-2/fips1402ig.pdf)
1762 states that the same pairwise tests can be used for both modes
1763 i.e Signatures and Encryption.
1764 * 1024 bit keys are not allowed for RSA key generation.
1765 * The Key generation algorithms have the concept of a
1766 target_security_strength. i.e- the code in key generation needs
1767 the following check for RSA for example
1770 if (target_strength < 112
1771 || target_strength > 256
1772 || BN_security_bits(nbits) < target_strength)
1777 #### DH Key Generation {#dh-key-generation}
1779 * DH Key generation - This could possibly be broken up so that it
1780 matches the standard steps. It is currently a fairly complex
1781 monolithic function that is also used for validation.
1783 #### Key Validation {#key-validation}
1787 [SP 800-56B](https://csrc.nist.gov/publications/detail/sp/800-56b/rev-1/final)
1788 Key validation - public key, private key and key-pair checks that
1789 conform to the standard have been added to
1790 [PR #6652](https://github.com/openssl/openssl/pull/6652).
1791 * DH key validation checks need to be checked that they match the
1793 * EC key validation matches the standards checks.
1794 * AES-XTS mode requires a tweak key check.
1796 For KAS DH Params - two types are supported:
1798 1. Approved Safe Prime groups given by the following:
1800 (where g=2, q=(p-1)/2, priv=[1, q-1], pub=[2, p-2])
1802 TLS: (ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192)
1804 IKE: (modp-2048, modp-3072, modp-4096, modp-6144, modp-8192)
1806 Only the above safe primes can be validated - any others should fail.
1808 Safe primes can be used for security strengths of at least 112
1809 bits. FIPS specific checks to validate the group may be required.
1811 2. [FIPS 186-4](https://csrc.nist.gov/publications/detail/fips/186/4/final)
1812 param sets can be used for backwards compatibility with security
1813 strength of 112 bits only. The groups are
1819 This requires the seed and counter to be saved for validation purposes.
1821 If both types need to be supported then different key validation code
1824 The existing `DH_Check()` will require FIPS specific checks for the
1827 Keygen is the same for both (the security strength and max bitlen of
1828 private key are inputs).
1831 [FIPS 186-4](https://csrc.nist.gov/publications/detail/fips/186/4/final).
1832 The DSA key generation/key validation could be reworked so that it
1833 matches the standard steps better. The key validation would benefit
1834 from this and can possibly be reused for the DH case if required.
1836 ### GCM IV Generation {#gcm-iv-generation}
1838 For the FIPS module AES GCM has requirements related to unique key/IV
1843 * Key/IV pair's must be unique for encryption.
1844 * The IV's must be generated inside the FIPS boundary.
1845 * For TLS the counter portion of the IV must be set by the
1846 module. The module must ensure that when the counter is exhausted
1847 an error is returned.
1848 * For a given key (for any IV length) the total number of
1849 invocations of the authenticated encryption function must be less
1851 * A loss of power to the module should not cause the repetition of IVs.
1853 The Random Construction method for IV generation
1854 (from [SP 800-38D](https://csrc.nist.gov/publications/detail/sp/800-38d/final))
1855 will be used (except for TLS which will behave the same way it
1856 currently does). The Random Construction consists of a free field
1857 (which will be NULL) and a random field which will use a DRBG that can
1858 return at least 96 bits of entropy strength. This DRBG needs to be
1859 seeded by the module.
1861 The existing code needs to be modified so that an IV is generated if
1862 it is not set during the init() phase. The do_cipher() method can then
1863 be used to generate an iv if required..
1867 int aes_gcm_cipher()
1870 /* old code just returned -1 if iv_set was zero */
1871 if (!gctx->iv_set) {
1873 if (!aes_gcm_iv_generate(gctx, 0))
1883 The generate code would look like the following:
1886 #define AES_GCM_IV_GENERATE(gctx, offset) \
1887 if (!gctx->iv_set) { \
1888 int sz = gctx->ivlen - offset; \
1891 /* Must be at least 96 bits */ \
1892 if (gctx->ivlen < 12) \
1894 /* Use DRBG to generate random iv */ \
1895 if (RAND_bytes(gctx->iv + offset, sz) <= 0) \
1901 The generated IV can be retrieved via `EVP_CIPHER_CTX_iv()` so a ctrl
1902 id should not be needed.
1904 Ideally in FIPS mode trying to set the GCM IV parameter would result
1905 in an error. In practice there may be some applications that still
1906 require setting of the IV, so it is recommended that this is
1907 specified as a security policy item.
1909 The security policy would also need to state the following: (See
1910 [FIPS 140-2 IG](https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/fips140-2/fips1402ig.pdf)
1915 * When the power is lost and then restored, a new key for use with
1916 AES GCM encryption shall be established.
1917 * The total number of invocations using the same key must be less
1919 * Scenario 1: IV gen is in compliance with the TLS protocol.
1920 * Scenario 2: IV gen using
1921 [NIST SP 800-38D](https://csrc.nist.gov/publications/detail/sp/800-38d/final)
1924 ### CSP/Key Zeroization {#csp-key-zeroization}
1926 We must set all Critical Security Parameters (CSPs) to zero when they
1927 are no longer needed. This might happen at different times dependent
1930 * Temporary copies of CSPs may be stack or heap allocated, and will
1931 be zeroized within the relevant function for the scope within
1932 which they are used.
1933 * Some CSPs will have a lifetime associated with an OpenSSL object
1934 such as an `EVP_PKEY`, or an `EVP_CIPHER_CTX`. In this case the
1935 CSPs will be zeroized at the point that these objects are
1936 freed. In some cases objects may be reused (e.g. an
1937 `EVP_CIPHER_CTX` can be reused for multiple encryption
1938 operations), in which case any CSPs still present in the object
1939 will be zeroized at the point that it is reinitialized for the new
1941 * Some CSPs (e.g. internal DRBG state) may live for the entire time
1942 that the OpenSSL FIPS Module is loaded. In this case the state
1943 will be encapsulated within OpenSSL objects. All OpenSSL Providers
1944 (including the FIPS Module Provider) will have the ability to
1945 register an "unload" function which is to be called when OpenSSL
1946 is closed down (or the module is unloaded for any other
1947 reason). The objects containing CSPs will be freed (and hence
1948 zeroized) by this unload function.
1950 [FIPS 140-2 IG](https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/fips140-2/fips1402ig.pdf)
1951 4.7: Cryptographic keys used by a cryptographic module ONLY to perform
1952 [FIPS 140-2](https://csrc.nist.gov/publications/detail/fips/140/2/final)
1953 Section 4.9.1 Power-Up Tests are not considered CSPs and therefore
1954 do not need to meet the
1955 [FIPS 140-2](https://csrc.nist.gov/publications/detail/fips/140/2/final)
1956 Section 4.7.6 zeroization requirements.
1958 The OpenSSL FIPS Module will contain its own copy of the standard
1959 `OPENSSL_cleanse()` function to perform the zeroization. This is
1960 implemented using platform specific assembler.
1965 The following API's existed in the old FIPS module and may need to be
1968 * **FIPS_drbg_health_check**: runs the DRBG KAT tests on demand. We
1969 will need this available.
1970 * **FIPS_drbg_set_check_interval**: sets the interval (number of
1971 generate calls) between running the DRBG KATs. This doesn't seem
1972 like it is necessary, these tests are run at power up but are not
1973 required to be run later, however this call is useful for failure
1976 #### Derivation Function {#derivation-function}
1979 [FIPS 140-2 IG 14.5](https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/fips140-2/fips1402ig.pdf),
1980 CTR DRBG will need to support the derivation function unconditionally.
1981 With the derivation function disabled, the current code has issues
1982 reseeding. Moreover, without a derivation function, additional
1983 justification is required from the lab.
1985 #### Test Requirements {#test-requirements}
1987 * The `uninstantiate()` needs to demonstrate that the internal state
1989 * Failure testing requires a function for DRBG's to always produce the same
1992 #### Other Items to Consider {#other-items-to-consider}
1994 In addition to entropy, described below, the following items need to be
1997 * The entropy expansion in
1998 [NIST SP 800-90C](https://csrc.nist.gov/publications/detail/sp/800-90c/draft)
1999 10.1.2 should be considered for implementation.
2000 * A better DRBG selection mechanism to choose between the available
2002 * Support for prediction resistance. I.e. attempt to collect more
2003 entropy from our sources when requested.
2004 * We need to figure out what the DRBG layer is going to look like. A
2005 fair portion of the code will need to sit inside the FIPS
2006 module. This code currently accesses EVP functionality which might
2007 not be exposed inside the module. e.g. `drbg_ctr_init()` resolves
2008 the `EVP_CIPHER` from a NID, and then sets up an `EVP_CIPHER_CTX`.
2010 ### Entropy {#entropy}
2012 For all platforms, the operating system will provide entropy. For
2013 some platforms, built in hardware random number generators can also be
2014 used, although this introduces additional justification needs.
2016 For UNIX-like systems, one of the system calls `getrandom` or
2017 `getentropy` or the random device, `/dev/random`, will be used as
2018 entropy sources. Preference to be given to the system calls. Other
2019 strong random devices that can be used instead of `/dev/random`
2020 include: `/dev/srandom` and `/dev/hwrng`. Note, `/dev/urandom`,
2021 `/dev/prandom`, `/dev/wrandom` and `/dev/arandom` are not useable for
2022 FIPS operations without additional justification.
2024 On Windows, `BCryptGenRandom` or `CryptGenRandom` will be used as
2027 On VMS, various pieces of system status information will be used as
2028 entropy sources. Note, this will require justification and analysis
2029 to attest to the quality of the sources.
2032 [SecRandomCopyBytes](https://developer.apple.com/documentation/security/1399291-secrandomcopybytes)
2034 [cryptographically secure random bytes](https://developer.apple.com/documentation/security/secrandomref).
2036 FIPS only allows one entropy source to be credited so the FIPS module
2037 will rely solely on the aforementioned operating system sources.
2038 Other sources, e.g. egd, hardware devices and the like, will not be
2041 #### Work to do to Complete the Entropy Solution {#work-to-do-to-complete-the-entropy-solution}
2043 The DRBG health tests need to be added to the random framework so that
2044 the seed material being fed into the DRBGs is checked. The check is
2045 for no two sequential blocks of seed material being identical. The
2046 check is made after all entropy sources are coalesced together and if
2047 it fails, reseeding the DRBGs fails forever more. We get to define
2048 the block size used: 64 bits. This is a balance between the
2049 probability of accidentally receiving a duplicate block
2050 (2^-64^) and grabbing too much entropy from the operating
2051 system (since the first block is discarded). Other obvious block
2052 sizes that could be used are 128 and 256 bits.
2054 The initial block of data must be zeroed and discarded after it is
2057 ##### GCM IV {#gcm-iv}
2061 [FIPS 140-2 IG](https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/fips140-2/fips1402ig.pdf)
2062 A.5 states that justification is required if the module claims to
2063 generate a random IV for GCM. We would need to substantiate that the
2064 module can obtain the required 96 bits of entropy from the operating
2065 system. This should not be an insurmountable problem if the blocking
2066 calls to the operating system's randomness source are used and at
2067 least this amount is used as seed material for the DRBGs.
2069 ### FIPS Module Boundary {#fips-module-boundary}
2071 Once in a FIPS module provided algorithm, we must remain within the
2072 FIPS module for any other cryptographic operations. It would be
2073 allowed by the FIPS rules for one FIPS module to use another FIPS
2074 module. However, for the purposes of the 3.0 design we are making the
2075 simplifying assumption that we will not allow this. For example an
2076 `EVP_DigestSign*` implementation uses both a signing algorithm and
2077 digest algorithm. We will not allow one of those algorithms to come
2078 from the FIPS module, and one to come from some other provider.
2080 All providers are assigned a unique `OSSL_PROVIDER` object when they
2081 are initialised. When the FIPS module is asked to use an algorithm it
2082 will verify that the implementation `OSSL_PROVIDER` object for that
2083 algorithm is the same as its own `OSSL_PROVIDER` object (i.e. the one
2084 that was passed to `OSSL_provider_init`). For example consider the
2085 case of an `EVP_DigestSign*` using RSA and SHA256. Both algorithms
2086 will be looked up externally to the FIPS module using the
2087 Core. The RSA signing algorithm is the first entry point and the
2088 "init" call will be passed references to the SHA256 algorithm to be
2089 used. The FIPS module implementation will check that the
2090 `OSSL_PROVIDER` object associated that the SHA256 implementation that
2091 it has been asked to use is also within the FIPS module boundary. If
2092 it is not then the "init" operation will fail. This is illustrated in
2093 the diagram below, which shows this operation from the perspective of
2096 ![](images/DigestSignFIPSModulePerspective.png)
2098 Note that within the FIPS module we are using EVP concepts
2099 (EVP_MD_CTX, EVP_PKEY_CTX, etc) in order to implement this. These are
2100 **copies** of the EVP implementation found in libcrypto. The FIPS
2101 module is **not** linked against libcrypto. This is to ensure that the
2102 complete operation stays within the boundary of the FIPS module
2103 without calling code that is external to it.
2105 ### ASN.1 code {#asn.1-code}
2107 ASN.1 DER (distinguished encoding rules) is used to:
2109 * serialize **keys **and **parameters**
2110 * serialize **DSA and ECDSA signatures**, which consist of two
2112 * encode the signature digest OBJECT IDENTIFIER (OID) that is placed
2113 in **RSA PKCS #1 padding**
2114 * serialize X.509 certificates and CRLs
2115 * other PDUs, such as PKCS #7/CMS, OCSP, PKCS #12, etc.
2117 The FIPS module will not have a copy of the ASN.1 DER encoder/parser
2118 and there will be no requirement for any provider to perform ASN.1
2119 serialization/deserialization for algorithms implemented by OpenSSL.
2121 All ASN.1 serialization/deserialization will be performed in
2122 libcrypto, with composite-value **key, parameter and signature**
2123 structures crossing the Core/provider boundary as an array of items,
2124 using the public data structure defined in
2125 [Appendix 2 - OpenSSL parameter passing](#appendix-2---parameter-passing).
2127 The encoded digest OIDs used for **RSA PKCS #1 padding** will either
2128 be pre-generated (as was done in the old FIPS module using the SHA_DATA macro)
2129 or generated on demand using a simple function that only generates
2130 encoded OIDs for the small set of digests supported by PKCS #1
2131 padding. These digest OIDs occur in the "OID tree" under a common
2132 node. Verifying the padding will include getting the encoded OID for
2133 the expected digest and comparing the bytes with what occurs in the
2134 padding; no DER parsing/decoding is required.
2138 ## Code Maintenance {#code-maintenance}
2140 ### Source code structure/tree clean-up {#source-code-structure-tree-clean-up}
2142 Cryptographic implementations (`crypto/evp/e_*.c` and most of
2143 `crypto/evp/m_*.c`; essentially any code that defines an `EVP_CIPHER`,
2144 `EVP_MD`, `EVP_PKEY_METHOD`, `EVP_MAC`, or `EVP_KDF`) must move out of
2145 the evp directory. They will all end up being part of one or two
2146 providers, so they should end up in a provider specific sub-tree.
2148 There will be a new directory `providers/`, where provider specific
2149 code is moved. `providers/build.info` defines exactly what source is
2150 used in what provider module(s).
2152 ### Shared source code {#shared-source-code}
2154 The FIPS provider module and the default provider will share the same
2155 source, under different conditions, such as different include paths or
2156 different macros being defined (the latter requires added support in
2157 the build system). An example `build.info` that does this:
2160 PROVIDERS=p_fips p_default
2162 SOURCE[p_fips]=foo.c
2163 INCLUDE[p_fips]=include/fips
2165 SOURCE[p_default]=foo.c
2166 INCLUDE[p_default]=include/default
2172 PROVIDERS=p_fips p_default
2174 SOURCE[p_fips]=foo.c
2175 DEFINE[p_fips]=FIPS_MODE
2177 SOURCE[p_default]=foo.c
2180 Note: some keywords aren't yet part of the `build.info` language.
2182 ### Conditional Code {#conditional-code}
2184 We need a consistent approach to the compile-time inclusion of
2185 FIPS-specific code, and in some cases the exclusion of code that FIPS
2188 Compile-time controls will be done via `#ifdef FIPS_MODE`. This
2189 ensures that all relevant files are compiled explicitly for non-FIPS
2190 or for use within the FIPS module. Since every file will be compiled
2191 twice (in the default provider, and in the FIPS module), once with
2192 each setting, there is no benefit to using a run-time if statement
2193 with constant value. (Further, a runtime setting will not always work
2194 (such as when expanding macros like BLOCK_CIPHER_custom, which create
2195 a global variable of function pointers.)
2197 The build system will support this by building FIPS provider object
2198 files with `-DFIPS_MODE` and default provider object files, which come
2199 from the same source, without the command line define.
2201 For runtime checks, a test for a TLS connection being in FIPS mode
2202 will be required. This can be done in a generic way by checking the
2203 property query string that is associated with a specific `SSL_CTX` or
2204 `SSL` object, to see if the "fips" property was set.
2206 ## FIPS Testing {#fips-testing}
2208 The following types of tests are required:
2210 * CAVS testing for CMVP validated algorithms
2211 * FIPS Test Suite that can run all FIPS module algorithms.
2212 * POST failure testing.
2214 Acumen will write applications that use libcrypto to gain access to
2215 the FIPS provider via the EVP layer.
2217 Any special case code needed to return intermediate values (say for
2218 CAVS key generation), to display info (self test states), or change
2219 the normal flow of FIPS module code (e.g - self test failure or
2220 failing a keygen loop that supplies fixed rand values) will be
2221 controlled by embedding callbacks into the FIPS module code.
2223 It is recommended that this callback code would be conditionally
2224 compiled into the module, since some of the values should not be
2225 returned (e.g- intermediate values in keygen are not supposed to be
2226 output by the FIPS module).
2228 rand_bytes() will be overridden for tests that require fixed
2229 rand_bytes to be used.
2231 ### FIPS Test callbacks {#fips-test-callbacks}
2234 The application can optionally supply a single callback function that
2235 can be used to process values received from the FIPS module. (Multiple
2236 callbacks could be registered if this is required).
2238 The optional application callback would be of the form:
2241 static int fips_test_callback(const char *type, void *arg)
2247 The return value can be used to control flow in special cases inside
2248 the FIPS module code.
2250 The type is passed in from the FIPS module hook. Each different hook
2251 in the FIPS module should have a unique type. The type determines
2252 what the arg param contains (either a struct (e.g- intermediate
2253 values), a name, or int.
2255 The callback in the FIPS module will be of the form
2258 MY_STRUCT data; /* values that need to be returned to the application */
2261 if (FIPS_test_cb != NULL)
2262 FIPS_test_cb(FIPS_TEST_CB_RSA_KEYGEN_GET, (void *)&data);
2265 ### POST Failure Testing and Logging. {#post-failure-testing-and-logging.}
2267 In order to support the failure of multiple tests all tests will
2268 always be run without early exiting (the failure is just flagged). A
2269 failure status will be returned after all the tests have completed.
2271 For logging or failure, the args would be:
2277 const char *fail_reason;
2283 * type is one of "post_integrity", "post_cipher", "post_digest",
2284 "post_signature", "post_drbg", ..
2285 * desc is the identifying name: e.g AES_128_CBC
2287 * "start" - indicates the test is starting
2288 * "corrupt" - if this returns 0 then the test will fail
2289 * "pass" - indicates the test passed
2290 * "fail" - indicates the test failed
2291 * fail_reason - is the specific reason for failure (e.g- unable to
2292 read the integrity module file, or integrity checksum file.)
2294 ### CAVS Testing {#cavs-testing}
2296 CAVS testing will be performed by the lab.
2298 However each CAVS tests file could also be sampled and added to the
2299 unit tests. This would mean converting the file data of a single test
2300 into binary data inside a unit test.
2302 (DRBG_ctr is an example that does this already).
2304 This will ensure the following:
2308 * The required interfaces will be available to the CAVS tests (some
2309 CAVS tests require access to internals, that are not normally
2311 * That the algorithm works.
2314 We could skip doing this if there is good communication with the lab,
2315 but there may be some extra callback hooks required in the code if the
2316 labs finds missing accessors for internals.
2320 ### EVP to low level API bridges {#evp-to-low-level-api-bridges}
2322 There are places where low level API structures are assigned to an `EVP_PKEY`
2323 object. The impact on the public `EVP_PKEY` is that it will have to keep a
2324 pointer to a possible low level structure and the type of that low
2325 level structure must be known internally in `libcrypto`. Any time the
2326 `EVP_PKEY` with such a pointer is used for any computation, it must
2327 check if the low level structure has changed and convert its data to
2328 parameters that can be used with the new providers.
2330 The exact mechanism to check if the contents of a low level structure
2331 has changed is to be determined. One possibility would be to have a
2332 dirty counter in the low level structure and a copy in the `EVP_PKEY`
2333 structure. The dirty counter gets incremented any time the low level
2334 structure is changed (functions such as `RSA_set0_key` would have to
2335 do the increment), and any time the `EVP_PKEY` is used for
2336 computations, its copy of the counter get checked against the low
2337 level dirty counter, and if they differ, the `EVP_PKEY` provider
2338 parameters get modified with data from the low level structure.
2340 (yet another idea is to have a callback function placed in the
2341 `EVP_PKEY` by the legacy functions, which does the update of
2342 parameters if it detects that low level changes have been made)
2344 ### EVP method creators {#evp-method-creators}
2346 There is functionality to create diverse EVP method structures in
2347 OpenSSL 1.1.x, easily found like this:
2351 grep EVP_CIPHER_meth util/libcrypto.num
2352 grep EVP_MD_meth util/libcrypto.num
2353 grep EVP_PKEY_meth util/libcrypto.num
2356 ### Associated types {#associated-types}
2358 The low level APIs are fairly standalone, so all low level API types
2359 will remain unchanged apart from an added dirty flag in some of the
2360 types. Associated `EVP_CIPHER`, `EVP_MD`, `EVP_PKEY_METHOD`,
2361 `EVP_MAC`, or `EVP_KDF` instances are handled separately through the
2362 implementation of dispatch tables in the Legacy provider module (see
2367 ## Legacy Provider Module {#legacy-provider-module}
2369 Some algorithms that are considered "legacy" (an example could be
2370 IDEA) and that have current `EVP_CIPHER`, `EVP_MD`, `EVP_PKEY_METHOD`,
2371 `EVP_MAC`, or `EVP_KDF` implementations will move to a Legacy provider
2372 module rather than our default provider module.
2374 The methods for the following algorithms will become dispatch tables
2375 in the Legacy provider module:
2379 3. DES (but not 3DES)
2392 (note: this is not meant to be an exhaustive list, even though fairly
2393 complete _for the moment_)
2395 ## The ENGINE API {#the-engine-api}
2397 The whole ENGINE API will be deprecated and removed in the major
2398 release after this one. By then, people will have to have learned how
2399 to create provider modules instead. In the meantime, it will be
2400 transformed into a tool to help implementers to transition from an
2401 ENGINE module implementation to a provider module implementation.
2403 Because algorithm constructors will be changed to construct dispatch
2404 tables, the ENGINE type will change into a collection of dispatch
2405 tables, and the ENGINE constructor functionality will change to
2406 collect the dispatch tables they get into the given ENGINE.
2408 Dispatch tables registered this way will get the added property
2409 _engine_ with the ENGINE identity as provider name property. That
2410 will make it possible for `ENGINE_by_id` and similar functionality to
2411 find the correct provider.
2413 The ENGINE module entry point `bind_engine` will be replaced with the
2414 provider module entry point, and the macro `IMPLEMENT_DYNAMIC_BIND_FN`
2415 will be changed to construct such an entry point. This entry point
2416 will create a provider style ENGINE structure, call the binding
2417 function which will fill it up with dispatch tables using the same
2418 method creation functions it has always used, then register all those
2419 dispatch tables collected in the ENGINE structure just like any
2420 provider module would, using the same method setting functions as
2423 As with the rest of this release, our goal is source-level
2426 With OpenSSL 1.1.x and older, it's possible to hook in ENGINE provided
2427 methods to be used instead of the functions built into `libcrypto`,
2428 using functions like `ENGINE_get_default_RSA` and `ENGINE_get_RSA`.
2429 The first of the two needs no modification, while the latter will be
2430 changed to create the old-style methods (such as `RSA_METHOD`) from
2431 the corresponding dispatch table attached to the engine.
2433 # Appendix 1 - Property Syntax {#appendix-1---property-syntax}
2435 Property definitions and queries have a well defined syntax. This
2436 section presents this in both eBNF and as railroad diagrams. Okay,
2437 almost eBNF but using regular expression extensions in places.
2439 ![](images/300PropDefinition.png){style="float: right; padding-left: 20px"}
2445 ::= SingleDefinition ( ',' SingleDefinition )*
2448 ::= PropertyName ( '=' Value )?
2455 ![](images/300PropQuery.png){style="float: right; padding-left: 20px"}
2460 Query ::= SingleQuery ( ',' SingleQuery )*
2463 ::= '-'? PropertyName
2464 | PropertyName ( '=' | '!=' ) Value )
2471 ![](images/300PropValue.png){style="float: right; padding-left: 20px"}
2476 Value ::= NumberLiteral
2484 ![](images/300PropStringLiteral.png){style="float: right; padding-left: 20px"}
2498 ![](images/300PropQuotedString.png){style="float: right; padding-left: 20px"}
2500 **QuotedString**[^4]
2512 ![](images/300PropUnquotedString.png){style="float: right; padding-left: 20px"}
2514 **UnquotedString**[^5]
2525 ![](images/300PropNumberLiteral.png){style="float: right; padding-left: 20px"}
2531 ::= '0' ( [0-7]+ | 'x' [0-9A-Fa-f]+ )
2539 ![](images/300PropPropertyName.png){style="float: right; padding-left: 20px"}
2541 **PropertyName**[^6]
2545 ::= [A-Z] [A-Z0-9_]* ( '.' [A-Z] [A-Z0-9_]* )*
2550 # Appendix 2 - Parameter Passing {#appendix-2---parameter-passing}
2552 Core or provider objects are supposed to be opaque to everything
2553 outside, and yet, we will need to be able to get parameters from them,
2554 or to pass parameters to them in a uniform way. We therefore need an
2555 intermediary non-opaque structure to support this.
2557 The types of data passed need to remain simple:
2559 * Numbers (integers of arbitrary size)
2560 * Character strings (assume UTF-8 encoding)
2561 * Octet strings (byte arrays of arbitrary size)
2563 Any parameter that's passing values to a module will need the
2566 * An identifier, to indicate what parameter is being passed
2567 * The type of the value (from the list above)
2568 * The size of the value
2571 Any parameters that are used to request values _from_ a module will
2572 need the following items:
2574 * An identifier to indicate what is being requested
2575 * The type of the value (from the list above)
2576 * The size of the buffer
2577 * A buffer where the values get filled in
2578 * The resultant output size, to be filled in by the function we ask
2581 These two structure are similar enough to be expressed as one and the same:
2584 typedef struct ossl_param_st {
2586 unsigned char data_type; /* declare what kind of content is sent or
2588 void *buffer; /* value being passed in
2590 size_t buffer_size; /* buffer size */
2591 size_t *return_size; /* OPTIONAL: address to
2599 /* passing parameters to a module */
2600 unsigned char *rsa_n = /* memory allocation */
2601 #if __BYTE_ORDER == __LITTLE_ENDIAN
2602 size_t rsa_n_size = BN_bn2lebinpad(N, rsa_n, BN_num_bytes(rsa_n));
2604 size_t rsa_n_size = BN_bn2bin(N, rsa_n);
2606 struct OSSL_PARAM rsa_params[] = {
2607 { RSA_N, OSSL_PARAM_INTEGER, rsa_n, rsa_n_size, NULL },
2611 EVP_set_params(pkey, rsa_params);
2613 /* requesting parameters from a module */
2614 size_t rsa_n_buffer_size = BITS / 2 / 8 + 1;
2615 unsigned char *rsa_n_buffer =
2616 OPENSSL_malloc(rsa_n_size);
2617 size_t rsa_n_size = 0;
2618 OSSL_PARAM rsa_params[] = {
2619 { RSA_N, OSSL_PARAM_INTEGER, rsa_n_buffer, rsa_n_buffer_size,
2624 EVP_get_params(pkey, rsa_params);
2627 * Note: we could also have a ctrl functionality:
2628 * EVP_ctrl(pkey, EVP_CTRL_SET_PARAMS, rsa_params);
2629 * EVP_ctrl(pkey, EVP_CTRL_GET_PARAMS, rsa_params);
2631 * This would allow other controls using the same API.
2632 * For added flexibility, the signature could be something like:
2634 * int EVP_ctrl(EVP_CTX *ctx, int cmd, ...);
2638 ## Data types {#data-types}
2641 This specification supports the following parameter types:
2646 * `UNSIGNED_INTEGER`
2647 * These are arbitrary length and may therefore require an
2648 arbitrarily sized buffer.
2649 * The number is stored in native form, i.e. MSB first on big
2650 endian systems and LSB first on little endian systems. This
2651 means that arbitrary native integers can be stored in the
2652 buffer, just make sure that the buffer size is correct and
2655 * These store C binary floating point values in their native
2656 format and alignment.
2658 * This type of string is expected to be printable as is.
2660 * When printed, this is expected to become a hexdump.
2662 We also support pointer variants of the same types (which means that
2663 the `OSSL_PARAM` `buffer` only has to have space for a `void *`).
2664 This use is _fragile_ unless the pointed at values are constant over
2667 We have macros to declare the type of content in `data_type`:
2670 #define OSSL_PARAM_INTEGER 1
2671 #define OSSL_PARAM_UNSIGNED_INTEGER 2
2672 #define OSSL_PARAM_UTF8_STRING 3
2673 #define OSSL_PARAM_OCTET_STRING 4
2675 * This one is combined with one of the above, i.e. to get a string pointer:
2676 * OSSL_PARAM_POINTER | OSSL_PARAM_UTF8_STRING
2678 #define OSSL_PARAM_POINTER 0x80
2681 ## Implementation details {#implementation-details}
2683 ### Determining the size of the buffer {#determining-the-size-of-the-buffer}
2685 When requesting parameter values, the caller may choose to assign
2686 `NULL` to `buffer` in one or more parameter structures. The called
2687 getter should answer such a request by filling in the size pointed at
2688 by `return_size` and return, at which point the caller can allocate
2689 appropriately sized buffers and make a second call, at which point the
2690 getter can fill in the buffer with no problem.
2692 If the programmer wants, `return_size` could be made to point at
2693 `buffer_size` in the same `OSSL_PARAM`.
2695 ## Uses beyond the immediately obvious {#uses-beyond-the-immediately-obvious}
2697 ### CONF / NCONF values as parameters {#conf-nconf-values-as-parameters}
2699 Configuration values are interesting to providers! And yet, just
2700 passing a CONF pointer between the Core and the provider may not be
2701 feasible, even though it's _currently_ a non-opaque structure.
2703 Another method could be to make the CONF / NCONF values into
2704 parameters, with a bit of inspiration from git config value names.
2706 Let's start with imagining a provider configuration along the same
2707 lines as the what the current ENGINE configuration module supports:
2711 # Configure provider named "foo"
2713 # Configure provider named "bar"
2718 module_path = /usr/lib/openssl/providers/foo.so
2719 selftests = foo_selftest_section
2720 algorithms = RSA, DSA, DH
2722 [foo_selftest_section]
2727 The Core side provider structure for the provider "foo" could then
2728 answer to these requested parameter keys:
2730 * `"provider_id"` (value is `"myfoo"`)
2731 * `"module_path"` (value is `"/usr/lib/openssl/providers/foo.so"`)
2732 * `"selftests.doodah"` (value is `1`)
2733 * `"selftests.cookie"` (value is `0`)
2734 * `"algorithms"` (value is `"RSA, DSA, DH"`)
2736 Note that the section names themselves never appear in the parameter
2737 key, but that the key that lead to the section does instead. This is
2738 suggested because OpenSSL allows arbitrarily named section names.
2740 ## The tooth of time {#the-tooth-of-time}
2742 The parameter structure defined above isn't something that's been
2743 invented on the spot. It's highly inspired from OpenVMS programming
2744 paradigms that have proven stable over time. The actual inspiring
2745 structure is called "item_list_3", which is documented here:
2746 [OpenVMS Programming Concepts Manual, Volume I](https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-c04621447)
2748 # Appendix 3 - Algorithms {#appendix-3---algorithms}
2750 The algorithms which are to be included in the FIPS module are:
2752 <!-- this remains a table in markdown to get colspan and rowspan -->
2755 <td colspan="2" ><strong>Requirement</strong>
2757 <td><strong>Standard</strong>
2759 <td><strong>Notes</strong>
2767 <td><a href="https://csrc.nist.gov/publications/detail/fips/81/archive/1980-12-02">FIPS 81</a>
2769 <td rowspan="2" >Refer also to <a href="https://csrc.nist.gov/publications/detail/sp/800-67/rev-2/final">SP 800-67rev2</a>. \
2771 TDES support being decryption only (from 2020) and banned (from 2025). \
2773 Limits to data length imposed.
2775 Security Policy statement regarding the <a href="https://csrc.nist.gov/publications/detail/sp/800-67/rev-1/archive/2012-01-23">SP 800-67rev1 </a>transition and limitations will be required.
2783 <td><a href="https://csrc.nist.gov/publications/detail/fips/81/archive/1980-12-02">FIPS 81</a>
2791 <td><a href="https://csrc.nist.gov/publications/detail/sp/800-38a/final">SP 800-38A</a>
2793 <td>All AES cipher modes supporting 128, 192 and 256 bits.
2811 <td><a href="https://csrc.nist.gov/publications/detail/sp/800-38c/final">SP 800-38C</a>
2821 <td><a href="https://csrc.nist.gov/publications/detail/sp/800-38a/final">SP 800-38A</a>
2831 <td><a href="https://csrc.nist.gov/publications/detail/sp/800-38a/final">SP 800-38A</a>
2841 <td><a href="https://csrc.nist.gov/publications/detail/sp/800-38a/final">SP 800-38A</a>
2851 <td><a href="https://csrc.nist.gov/publications/detail/sp/800-38d/final">SP 800-38D</a>
2859 <td><a href="https://csrc.nist.gov/publications/detail/sp/800-38d/final">SP 800-38D</a>
2867 <td><a href="https://csrc.nist.gov/publications/detail/sp/800-38a/final">SP 800-38A</a>
2875 <td><a href="https://csrc.nist.gov/publications/detail/sp/800-38e/final">SP 800-38E</a>
2877 <td>See <a href="https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Module-Validation-Program/documents/fips140-2/FIPS1402IG.pdf">FIPS 140-2 I.G.</a> A.9. Needs key check added. This mode does not support 192 bits. Check added by <a href="https://github.com/openssl/openssl/pull/7120">#7120</a>.
2885 <td><a href="https://csrc.nist.gov/publications/detail/sp/800-38f/final">SP 800-38F</a>
2887 <td rowspan="2" >Differences from standard but within it.
2895 <td><a href="https://csrc.nist.gov/publications/detail/sp/800-38f/final">SP 800-38F</a>
2903 <td><a href="http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf">FIPS 180-4</a>
2911 <td><a href="http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf">FIPS 180-4</a>
2913 <td>224, 256, 384, 512.
2921 <td><a href="http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf">FIPS 180-4</a>
2923 <td>512/224, 512/256.
2931 <td><a href="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf">FIPS 202</a>
2933 <td>224, 256, 384, 512.
2941 <td><a href="https://www.nist.gov/publications/keyed-hash-message-authentication-code-hmac-0?pub_id=901614">FIPS 198-1</a>
2949 <td><a href="https://www.nist.gov/publications/keyed-hash-message-authentication-code-hmac-0?pub_id=901614">FIPS 198-1</a>
2951 <td>224, 256, 384, 512.
2959 <td><a href="https://www.nist.gov/publications/keyed-hash-message-authentication-code-hmac-0?pub_id=901614">FIPS 198-1</a>
2979 <td><a href="https://csrc.nist.gov/publications/detail/sp/800-90a/rev-1/final">SP 800-90A</a>
2981 <td rowspan="3" >Issues with <a href="https://csrc.nist.gov/publications/detail/sp/800-90c/draft">SP 800-90C</a>.
2983 All comply with <a href="https://csrc.nist.gov/publications/detail/sp/800-90a/rev-1/final">SP 800-90A</a>.
2991 <td><a href="https://csrc.nist.gov/publications/detail/sp/800-90a/rev-1/final">SP 800-90A</a>
2999 <td><a href="https://csrc.nist.gov/publications/detail/sp/800-90a/rev-1/final">SP 800-90A</a>
3007 <td><a href="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf">FIPS 186-4</a>
3009 <td>Refer also to <a href="https://csrc.nist.gov/publications/detail/sp/800-56b/rev-2/draft">SP 800-56B</a>. PKCS#1.5, PSS, Key pair generation. Modulus size changes.
3015 <td>Key wrap (transport)
3017 <td><a href="https://csrc.nist.gov/publications/detail/sp/800-56b/rev-2/draft">SP 800-56B</a>
3019 <td>OAEP. Update to <a href="https://csrc.nist.gov/publications/detail/sp/800-56b/rev-2/draft">SP 800-56B rev-1</a> standard.
3027 <td><a href="https://csrc.nist.gov/publications/detail/sp/800-56a/rev-3/final">SP 800-56A</a>
3029 <td>Update to <a href="https://csrc.nist.gov/publications/detail/sp/800-56a/rev-3/final">SP 800-56A rev-3</a> standard.
3037 <td><a href="https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Algorithm-Validation-Program/documents/keymgmt/KASVS.pdf">KASVS</a>
3039 <td>Additional testing to meet ZZonly. CVL/KAS.
3047 <td><a href="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf">FIPS 186-4</a>
3049 <td>PQG generation & verification, signature generation & verification, key pair generation.
3057 <td><a href="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf">FIPS 186-4</a>
3059 <td>Key pair generation, public key generation, signature generation & verification.
3067 <td><a href="https://csrc.nist.gov/publications/detail/sp/800-56a/rev-3/final">SP 800-56A</a>
3069 <td>B-233, 283, 409, 571; K-233, 283, 409, 571; P-224, 256, 384, 521. Update to <a href="https://csrc.nist.gov/publications/detail/sp/800-56a/rev-3/final">SP 800-56A rev-3</a> standard.
3077 <td><a href="https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Algorithm-Validation-Program/documents/keymgmt/KASVS.pdf">KASVS</a>
3079 <td>Additional testing to meet ZZonly. CVL/KAS.
3087 <td><a href="https://csrc.nist.gov/publications/detail/sp/800-132/final">SP 800-132</a>
3089 <td>Verify conformance with standards. See <a href="https://github.com/openssl/openssl/pull/6674">#6674</a>.
3141 <td>For TLS 1.2 and 1.3.
3146 <!-- Footnotes themselves at the bottom. -->
3149 [^1]: The output of the DRBGs are not required to be tested because of
3150 [FIPS 140-2 IG](https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/fips140-2/fips1402ig.pdf)
3151 9.8. However, the seed material being fed into the master DRBG
3152 still requires the RCT or stuck bit testing.
3154 [^2]: The draft guidance has changed. The alternatives are: AES_GMAC,
3155 AES_128_CCM, AES_256_GCM and AES_256_CCM. GMAC is arguably the
3156 simplest of the three and thus might be preferable.
3158 [^3]: Using a different digest algorithm for HASH and HMAC DRBGs would
3159 obviate the need to test the digest independently.
3161 [^4]: Quoted strings can contain UTF-8 characters.
3163 [^5]: Unquoted strings are passed through a lower case conversion and
3164 can only contain ASCII characters.
3166 [^6]: Property names are case insensitive even though only upper case