2 * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
12 #include <openssl/core.h>
13 #include <openssl/core_numbers.h>
14 #include <openssl/core_names.h>
15 #include <openssl/params.h>
16 #include <openssl/err.h>
17 #include <openssl/evp.h>
18 #include <openssl/kdf.h>
20 /* TODO(3.0): Needed for dummy_evp_call(). To be removed */
21 #include <openssl/sha.h>
22 #include <openssl/rand_drbg.h>
23 #include <openssl/ec.h>
24 #include <openssl/fips_names.h>
26 #include "internal/cryptlib.h"
27 #include "internal/property.h"
28 #include "internal/nelem.h"
29 #include "openssl/param_build.h"
30 #include "crypto/evp.h"
31 #include "prov/implementations.h"
32 #include "prov/provider_ctx.h"
33 #include "prov/providercommon.h"
34 #include "prov/provider_util.h"
35 #include "self_test.h"
37 #define ALGC(NAMES, FUNC, CHECK) { { NAMES, "provider=fips,fips=yes", FUNC }, CHECK }
38 #define ALG(NAMES, FUNC) ALGC(NAMES, FUNC, NULL)
40 extern OSSL_core_thread_start_fn *c_thread_start;
43 * TODO(3.0): Should these be stored in the provider side provctx? Could they
44 * ever be different from one init to the next? Unfortunately we can't do this
45 * at the moment because c_put_error/c_add_error_vdata do not provide
46 * us with the OPENSSL_CTX as a parameter.
49 static SELF_TEST_POST_PARAMS selftest_params;
51 /* Functions provided by the core */
52 static OSSL_core_gettable_params_fn *c_gettable_params;
53 static OSSL_core_get_params_fn *c_get_params;
54 OSSL_core_thread_start_fn *c_thread_start;
55 static OSSL_core_new_error_fn *c_new_error;
56 static OSSL_core_set_error_debug_fn *c_set_error_debug;
57 static OSSL_core_vset_error_fn *c_vset_error;
58 static OSSL_core_set_error_mark_fn *c_set_error_mark;
59 static OSSL_core_clear_last_error_mark_fn *c_clear_last_error_mark;
60 static OSSL_core_pop_error_to_mark_fn *c_pop_error_to_mark;
61 static OSSL_CRYPTO_malloc_fn *c_CRYPTO_malloc;
62 static OSSL_CRYPTO_zalloc_fn *c_CRYPTO_zalloc;
63 static OSSL_CRYPTO_free_fn *c_CRYPTO_free;
64 static OSSL_CRYPTO_clear_free_fn *c_CRYPTO_clear_free;
65 static OSSL_CRYPTO_realloc_fn *c_CRYPTO_realloc;
66 static OSSL_CRYPTO_clear_realloc_fn *c_CRYPTO_clear_realloc;
67 static OSSL_CRYPTO_secure_malloc_fn *c_CRYPTO_secure_malloc;
68 static OSSL_CRYPTO_secure_zalloc_fn *c_CRYPTO_secure_zalloc;
69 static OSSL_CRYPTO_secure_free_fn *c_CRYPTO_secure_free;
70 static OSSL_CRYPTO_secure_clear_free_fn *c_CRYPTO_secure_clear_free;
71 static OSSL_CRYPTO_secure_allocated_fn *c_CRYPTO_secure_allocated;
72 static OSSL_BIO_vsnprintf_fn *c_BIO_vsnprintf;
74 typedef struct fips_global_st {
75 const OSSL_PROVIDER *prov;
78 static void *fips_prov_ossl_ctx_new(OPENSSL_CTX *libctx)
80 FIPS_GLOBAL *fgbl = OPENSSL_zalloc(sizeof(*fgbl));
85 static void fips_prov_ossl_ctx_free(void *fgbl)
90 static const OPENSSL_CTX_METHOD fips_prov_ossl_ctx_method = {
91 fips_prov_ossl_ctx_new,
92 fips_prov_ossl_ctx_free,
96 /* Parameters we provide to the core */
97 static const OSSL_PARAM fips_param_types[] = {
98 OSSL_PARAM_DEFN(OSSL_PROV_PARAM_NAME, OSSL_PARAM_UTF8_PTR, NULL, 0),
99 OSSL_PARAM_DEFN(OSSL_PROV_PARAM_VERSION, OSSL_PARAM_UTF8_PTR, NULL, 0),
100 OSSL_PARAM_DEFN(OSSL_PROV_PARAM_BUILDINFO, OSSL_PARAM_UTF8_PTR, NULL, 0),
105 * Parameters to retrieve from the core provider - required for self testing.
106 * NOTE: inside core_get_params() these will be loaded from config items
107 * stored inside prov->parameters (except for OSSL_PROV_PARAM_MODULE_FILENAME).
109 static OSSL_PARAM core_params[] =
111 OSSL_PARAM_utf8_ptr(OSSL_PROV_PARAM_MODULE_FILENAME,
112 selftest_params.module_filename,
113 sizeof(selftest_params.module_filename)),
114 OSSL_PARAM_utf8_ptr(OSSL_PROV_FIPS_PARAM_MODULE_MAC,
115 selftest_params.module_checksum_data,
116 sizeof(selftest_params.module_checksum_data)),
117 OSSL_PARAM_utf8_ptr(OSSL_PROV_FIPS_PARAM_INSTALL_MAC,
118 selftest_params.indicator_checksum_data,
119 sizeof(selftest_params.indicator_checksum_data)),
120 OSSL_PARAM_utf8_ptr(OSSL_PROV_FIPS_PARAM_INSTALL_STATUS,
121 selftest_params.indicator_data,
122 sizeof(selftest_params.indicator_data)),
123 OSSL_PARAM_utf8_ptr(OSSL_PROV_FIPS_PARAM_INSTALL_VERSION,
124 selftest_params.indicator_version,
125 sizeof(selftest_params.indicator_version)),
130 * Convert a string into a bignumber.
131 * The array of hex_data is used to get around compilers that dont like
132 * strings longer than 509 bytes,
134 #if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_DSA)
135 static int hextobn(const char *hex_data[], BIGNUM **bn)
141 /* Get the total length of the strings */
142 for (slen = 0, i = 0; hex_data[i] != NULL; ++i)
143 slen += strlen(hex_data[i]);
145 /* Add 1 for the string terminator */
146 str = OPENSSL_zalloc(slen + 1);
150 /* join the strings together into 1 buffer */
151 for (i = 0; hex_data[i] != NULL; ++i)
152 strcat(str, hex_data[i]);
154 if (BN_hex2bn(bn, str) <= 0)
161 #endif /* !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_DSA) */
163 #ifndef OPENSSL_NO_DH
164 static int hextobin(const char *hex_data[], unsigned char **out, size_t *len)
168 unsigned char *buf = NULL;
170 if (!hextobn(hex_data, &bn))
172 sz = BN_num_bytes(bn);
173 buf = OPENSSL_zalloc(sz);
176 if (BN_bn2binpad(bn, buf, sz) <= 0)
181 buf = NULL; /* Set to NULL so it is not freed */
190 #ifndef OPENSSL_NO_DSA
191 static int dsa_key_signature_test(OPENSSL_CTX *libctx)
194 BIGNUM *p = NULL, *q = NULL, *g = NULL;
195 BIGNUM *pub = NULL, *priv = NULL;
196 OSSL_PARAM *params = NULL, *params_sig = NULL;
197 OSSL_PARAM_BLD *bld = NULL;
198 EVP_PKEY_CTX *sctx = NULL, *kctx = NULL;
199 EVP_PKEY *pkey = NULL;
200 unsigned char sig[64];
203 static const unsigned char dgst[SHA256_DIGEST_LENGTH] = {
204 0x7f, 0x83, 0xb1, 0x65, 0x7f, 0xf1, 0xfc, 0x53, 0xb9, 0x2d, 0xc1, 0x81,
205 0x48, 0xa1, 0xd6, 0x5d, 0xfc, 0x2d, 0x4b, 0x1f, 0xa3, 0xd6, 0x77, 0x28,
206 0x4a, 0xdd, 0xd2, 0x00, 0x12, 0x6d, 0x90, 0x69
209 static const char *dsa_p_hex[] = {
210 "a29b8872ce8b8423b7d5d21d4b02f57e03e9e6b8a258dc16611ba098ab543415"
211 "e415f156997a3ee236658fa093260de3ad422e05e046f9ec29161a375f0eb4ef"
212 "fcef58285c5d39ed425d7a62ca12896c4a92cb1946f2952a48133f07da364d1b"
213 "df6b0f7139983e693c80059b0eacd1479ba9f2857754ede75f112b07ebbf3534",
214 "8bbf3e01e02f2d473de39453f99dd2367541caca3ba01166343d7b5b58a37bd1"
215 "b7521db2f13b86707132fe09f4cd09dc1618fa3401ebf9cc7b19fa94aa472088"
216 "133d6cb2d35c1179c8c8ff368758d507d9f9a17d46c110fe3144ce9b022b42e4"
217 "19eb4f5388613bfc3e26241a432e8706bc58ef76117278deab6cf692618291b7",
220 static const char *dsa_q_hex[] = {
221 "a3bfd9ab7884794e383450d5891dc18b65157bdcfcdac51518902867",
224 static const char *dsa_g_hex[] = {
225 "6819278869c7fd3d2d7b77f77e8150d9ad433bea3ba85efc80415aa3545f78f7"
226 "2296f06cb19ceda06c94b0551cfe6e6f863e31d1de6eed7dab8b0c9df231e084"
227 "34d1184f91d033696bb382f8455e9888f5d31d4784ec40120246f4bea61794bb"
228 "a5866f09746463bdf8e9e108cd9529c3d0f6df80316e2e70aaeb1b26cdb8ad97",
229 "bc3d287e0b8d616c42e65b87db20deb7005bc416747a6470147a68a7820388eb"
230 "f44d52e0628af9cf1b7166d03465f35acc31b6110c43dabc7c5d591e671eaf7c"
231 "252c1c145336a1a4ddf13244d55e835680cab2533b82df2efe55ec18c1e6cd00"
232 "7bb089758bb17c2cbe14441bd093ae66e5976d53733f4fa3269701d31d23d467",
235 static const char *dsa_pub_hex[] = {
236 "a012b3b170b307227957b7ca2061a816ac7a2b3d9ae995a5119c385b603bf6f6"
237 "c5de4dc5ecb5dfa4a41c68662eb25b638b7e2620ba898d07da6c4991e76cc0ec"
238 "d1ad3421077067e47c18f58a92a72ad43199ecb7bd84e7d3afb9019f0e9dd0fb"
239 "aa487300b13081e33c902876436f7b03c345528481d362815e24fe59dac5ac34",
240 "660d4c8a76cb99a7c7de93eb956cd6bc88e58d901034944a094b01803a43c672"
241 "b9688c0e01d8f4fc91c62a3f88021f7bd6a651b1a88f43aa4ef27653d12bf8b7"
242 "099fdf6b461082f8e939107bfd2f7210087d326c375200f1f51e7e74a3413190"
243 "1bcd0863521ff8d676c48581868736c5e51b16a4e39215ea0b17c4735974c516",
246 static const char *dsa_priv_hex[] = {
247 "6ccaeef6d73b4e80f11c17b8e9627c036635bac39423505e407e5cb7",
251 if (!hextobn(dsa_p_hex, &p)
252 || !hextobn(dsa_q_hex, &q)
253 || !hextobn(dsa_g_hex, &g)
254 || !hextobn(dsa_pub_hex, &pub)
255 || !hextobn(dsa_priv_hex, &priv))
258 bld = OSSL_PARAM_BLD_new();
260 || !OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_P, p)
261 || !OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_Q, q)
262 || !OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_G, g)
263 || !OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PUB_KEY, pub)
264 || !OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PRIV_KEY, priv))
266 params = OSSL_PARAM_BLD_to_param(bld);
268 /* Create a EVP_PKEY_CTX to load the DSA key into */
269 kctx = EVP_PKEY_CTX_new_from_name(libctx, SN_dsa, "");
270 if (kctx == NULL || params == NULL)
272 if (EVP_PKEY_key_fromdata_init(kctx) <= 0
273 || EVP_PKEY_fromdata(kctx, &pkey, params) <= 0)
276 /* Create a EVP_PKEY_CTX to use for the signing operation */
277 sctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, NULL);
279 || EVP_PKEY_sign_init(sctx) <= 0)
282 /* set signature parameters */
283 if (!OSSL_PARAM_BLD_push_utf8_string(bld, OSSL_SIGNATURE_PARAM_DIGEST,
284 SN_sha256,strlen(SN_sha256) + 1))
286 params_sig = OSSL_PARAM_BLD_to_param(bld);
287 if (EVP_PKEY_CTX_set_params(sctx, params_sig) <= 0)
290 if (EVP_PKEY_sign(sctx, sig, &siglen, dgst, sizeof(dgst)) <= 0
291 || EVP_PKEY_verify_init(sctx) <= 0
292 || EVP_PKEY_verify(sctx, sig, siglen, dgst, sizeof(dgst)) <= 0)
296 OSSL_PARAM_BLD_free_params(params);
297 OSSL_PARAM_BLD_free_params(params_sig);
298 OSSL_PARAM_BLD_free(bld);
305 EVP_PKEY_CTX_free(kctx);
306 EVP_PKEY_CTX_free(sctx);
309 #endif /* OPENSSL_NO_DSA */
311 #ifndef OPENSSL_NO_DH
312 static int dh_key_exchange_test(OPENSSL_CTX *libctx)
315 BIGNUM *p = NULL, *q = NULL, *g = NULL;
316 BIGNUM *pub = NULL, *priv = NULL, *pub_peer = NULL;
317 unsigned char *kat_secret = NULL;
318 EVP_PKEY_CTX *kactx = NULL, *dctx = NULL;
319 EVP_PKEY *pkey = NULL, *peerkey = NULL;
320 OSSL_PARAM *params = NULL;
321 OSSL_PARAM *params_peer = NULL;
322 unsigned char secret[256];
323 size_t secret_len, kat_secret_len = 0;
324 OSSL_PARAM_BLD *bld = NULL;
327 static const char *dh_p_hex[] = {
328 "dcca1511b2313225f52116e1542789e001f0425bccc7f366f7406407f1c9fa8b"
329 "e610f1778bb170be39dbb76f85bf24ce6880adb7629f7c6d015e61d43fa3ee4d"
330 "e185f2cfd041ffde9d418407e15138bb021daeb35f762d1782acc658d32bd4b0"
331 "232c927dd38fa097b3d1859fa8acafb98f066608fc644ec7ddb6f08599f92ac1",
332 "b59825da8432077def695646063c20823c9507ab6f0176d4730d990dbbe6361c"
333 "d8b2b94d3d2f329b82099bd661f42950f403df3ede62a33188b02798ba823f44"
334 "b946fe9df677a0c5a1238eaa97b70f80da8cac88e092b1127060ffbf45579994"
335 "011dc2faa5e7f6c76245e1cc312231c17d1ca6b19007ef0db99f9cb60e1d5f69",
338 static const char *dh_q_hex[] = {
339 "898b226717ef039e603e82e5c7afe48374ac5f625c54f1ea11acb57d",
342 static const char *dh_g_hex[] = {
343 "5ef7b88f2df60139351dfbfe1266805fdf356cdfd13a4da0050c7ede"
344 "246df59f6abf96ade5f2b28ffe88d6bce7f7894a3d535fc82126ddd4"
345 "24872e16b838df8c51e9016f889c7c203e98a8b631f9c72563d38a49"
346 "589a0753d358e783318cefd9677c7b2dbb77d6dce2a1963795ca64b9",
347 "2d1c9aac6d0e8d431de5e50060dff78689c9eca1c1248c16ed09c7ad",
348 "412a17406d2b525aa1cabb237b9734ec7b8ce3fae02f29c5efed30d6"
349 "9187da109c2c9fe2aadbb0c22af54c616655000c431c6b4a379763b0"
350 "a91658efc84e8b06358c8b4f213710fd10172cf39b830c2dd84a0c8a"
351 "b82516ecab995fa4215e023e4ecf8074c39d6c88b70d1ee4e96fdc20",
355 static const char *dh_priv_hex[] = {
356 "1433e0b5a917b60a3023f2f8aa2c2d70d2968aba9aeac81540b8fce6",
359 static const char *dh_pub_hex[] = {
360 "95dd338d29e5710492b918317b72a36936e1951a2ee5a5591699c048"
361 "6d0d4f9bdd6d5a3f6b98890c62b37652d36e712111e68a7355372506"
362 "99efe330537391fbc2c548bc5ac3e5b23386c3eef5eb43c099d70a52"
363 "02687e83964248fca91f40908e8fb3319315f6d2606d7f7cd52cc6e7",
364 "c5843afb22519cf0f0f9d3a0a4e8c88899efede7364351fb6a363ee7"
365 "17e5445adab4c931a6483997b87dad83677e4d1d3a7775e0f6d00fdf"
366 "73c7ad801e665a0e5a796d0a0380a19fa182efc8a04f5e4db90d1a86"
367 "37f95db16436bdc8f3fc096c4ff7f234be8fef479ac4b0dc4b77263e",
368 "07d9959de0f1bf3f0ae3d9d50e4b89c99e3ea1217343dd8c6581acc4"
372 static const char *dh_peer_pub_hex[] = {
373 "1fc1da341d1a846a96b7be24340f877dd010aa0356d5ad58aae9c7b0"
374 "8f749a32235110b5d88eb5dbfa978d27ecc530f02d3114005b64b1c0"
375 "e024cb8ae21698bca9e60d42808622f181c56e1de7a96e6efee9d665"
376 "67e91b977042c7e3d0448f05fb77f522b9bfc8d33cc3c31ed3b31f0f",
377 "ecb6db4f6ea311e77afdbcd47aee1bb150f216873578fb96468e8f9f"
378 "3de8efbfce75624b1df05322a34f1463e839e8984c4ad0a96e1ac842"
379 "e5318cc23c062a8ca171b8d575980dde7fc56f1536523820d43192bf"
380 "d51e8e228978aca5b94472f339caeb9931b42be301268bc99789c9b2",
381 "5571c3c0e4cb3f007f1a511cbb53c8519cdd1302abca6c0f34f96739"
385 static const char *dh_secret_exptd_hex[] = {
386 "08ff33bb2ecff49a7d4a7912aeb1bb6ab511641b4a76770c8cc1bcc2"
387 "33343dfe700d11813d2c9ed23b211ca9e8786921edca283c68b16153"
388 "fa01e91ab82c90ddab4a95816770a98710e14c92ab83b6e46e1e426e"
389 "e852430d6187daa3720a6bcd73235c6b0f941f3364f50420551a4bfe",
390 "afe2bc438505a59a4a40daca7a895a73db575c74c13a23ad8832957d"
391 "582d38f0a6165fb0d7e9b8799e42fd3220e332e98185a0c9429757b2"
392 "d0d02c17dbaa1ff6ed93d7e73e241eaed90caf394d2bc6570f18c81f"
393 "2be5d01a2ca99ff142b5d963f9f500325e7556f95849b3ffc7479486",
394 "be1d4596a3106bd5cb4f61c57ec5f100fb7a0c82a10b82526a97d1d9"
399 if (!hextobn(dh_p_hex, &p)
400 || !hextobn(dh_q_hex, &q)
401 || !hextobn(dh_g_hex, &g)
402 || !hextobn(dh_pub_hex, &pub)
403 || !hextobn(dh_priv_hex, &priv)
404 || !hextobn(dh_peer_pub_hex, &pub_peer)
405 || !hextobin(dh_secret_exptd_hex, &kat_secret, &kat_secret_len))
408 bld = OSSL_PARAM_BLD_new();
410 || !OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_P, p)
411 || !OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_Q, q)
412 || !OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_G, g)
413 || !OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PUB_KEY, pub)
414 || !OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PRIV_KEY, priv))
416 params = OSSL_PARAM_BLD_to_param(bld);
418 if (!OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_P, p)
419 || !OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_Q, q)
420 || !OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_G, g)
421 || !OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PUB_KEY, pub_peer))
424 params_peer = OSSL_PARAM_BLD_to_param(bld);
425 if (params == NULL || params_peer == NULL)
428 /* Create a EVP_PKEY_CTX to load the DH keys into */
429 kactx = EVP_PKEY_CTX_new_from_name(libctx, "DH", "");
432 if (EVP_PKEY_key_fromdata_init(kactx) <= 0
433 || EVP_PKEY_fromdata(kactx, &pkey, params) <= 0)
435 if (EVP_PKEY_key_fromdata_init(kactx) <= 0
436 || EVP_PKEY_fromdata(kactx, &peerkey, params_peer) <= 0)
439 /* Create a EVP_PKEY_CTX to perform key derivation */
440 dctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, NULL);
444 if (EVP_PKEY_derive_init(dctx) <= 0
445 || EVP_PKEY_derive_set_peer(dctx, peerkey) <= 0
446 || EVP_PKEY_derive(dctx, secret, &secret_len) <= 0)
449 if (secret_len != kat_secret_len
450 || memcmp(secret, kat_secret, secret_len) != 0)
454 OSSL_PARAM_BLD_free(bld);
455 OSSL_PARAM_BLD_free_params(params_peer);
456 OSSL_PARAM_BLD_free_params(params);
463 OPENSSL_free(kat_secret);
465 EVP_PKEY_free(peerkey);
466 EVP_PKEY_CTX_free(kactx);
467 EVP_PKEY_CTX_free(dctx);
470 #endif /* OPENSSL_NO_DH */
472 /* TODO(3.0): To be removed */
473 static int dummy_evp_call(void *provctx)
475 OPENSSL_CTX *libctx = PROV_LIBRARY_CONTEXT_OF(provctx);
476 EVP_MD_CTX *ctx = EVP_MD_CTX_new();
477 EVP_MD *sha256 = EVP_MD_fetch(libctx, "SHA256", NULL);
478 EVP_KDF *kdf = EVP_KDF_fetch(libctx, OSSL_KDF_NAME_PBKDF2, NULL);
479 unsigned char dgst[SHA256_DIGEST_LENGTH];
480 unsigned int dgstlen;
482 BN_CTX *bnctx = NULL;
483 BIGNUM *a = NULL, *b = NULL;
484 unsigned char randbuf[128];
485 RAND_DRBG *drbg = OPENSSL_CTX_get0_public_drbg(libctx);
486 #ifndef OPENSSL_NO_EC
490 static const char msg[] = "Hello World!";
491 static const unsigned char exptd[] = {
492 0x7f, 0x83, 0xb1, 0x65, 0x7f, 0xf1, 0xfc, 0x53, 0xb9, 0x2d, 0xc1, 0x81,
493 0x48, 0xa1, 0xd6, 0x5d, 0xfc, 0x2d, 0x4b, 0x1f, 0xa3, 0xd6, 0x77, 0x28,
494 0x4a, 0xdd, 0xd2, 0x00, 0x12, 0x6d, 0x90, 0x69
497 if (ctx == NULL || sha256 == NULL || drbg == NULL || kdf == NULL)
500 if (!EVP_DigestInit_ex(ctx, sha256, NULL))
502 if (!EVP_DigestUpdate(ctx, msg, sizeof(msg) - 1))
504 if (!EVP_DigestFinal(ctx, dgst, &dgstlen))
506 if (dgstlen != sizeof(exptd) || memcmp(dgst, exptd, sizeof(exptd)) != 0)
509 bnctx = BN_CTX_new_ex(libctx);
513 a = BN_CTX_get(bnctx);
514 b = BN_CTX_get(bnctx);
520 || BN_cmp(a, b) != 0)
523 if (RAND_DRBG_bytes(drbg, randbuf, sizeof(randbuf)) <= 0)
526 if (!BN_rand_ex(a, 256, BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY, bnctx))
529 #ifndef OPENSSL_NO_EC
530 /* Do some dummy EC calls */
531 key = EC_KEY_new_by_curve_name_ex(libctx, NID_X9_62_prime256v1);
535 if (!EC_KEY_generate_key(key))
539 #ifndef OPENSSL_NO_DSA
540 if (!dsa_key_signature_test(libctx))
544 #ifndef OPENSSL_NO_DH
545 if (!dh_key_exchange_test(libctx))
547 #endif /* OPENSSL_NO_DH */
555 EVP_MD_CTX_free(ctx);
558 #ifndef OPENSSL_NO_EC
564 static const OSSL_PARAM *fips_gettable_params(const OSSL_PROVIDER *prov)
566 return fips_param_types;
569 static int fips_get_params(const OSSL_PROVIDER *prov, OSSL_PARAM params[])
573 p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_NAME);
574 if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "OpenSSL FIPS Provider"))
576 p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_VERSION);
577 if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_VERSION_STR))
579 p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_BUILDINFO);
580 if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_FULL_VERSION_STR))
586 /* FIPS specific version of the function of the same name in provlib.c */
587 const char *ossl_prov_util_nid_to_name(int nid)
589 /* We don't have OBJ_nid2n() in FIPS_MODE so we have an explicit list */
604 return "SHA-512/224";
606 return "SHA-512/256";
617 case NID_aes_256_ecb:
618 return "AES-256-ECB";
619 case NID_aes_192_ecb:
620 return "AES-192-ECB";
621 case NID_aes_128_ecb:
622 return "AES-128-ECB";
623 case NID_aes_256_cbc:
624 return "AES-256-CBC";
625 case NID_aes_192_cbc:
626 return "AES-192-CBC";
627 case NID_aes_128_cbc:
628 return "AES-128-CBC";
629 case NID_aes_256_ctr:
630 return "AES-256-CTR";
631 case NID_aes_192_ctr:
632 return "AES-192-CTR";
633 case NID_aes_128_ctr:
634 return "AES-128-CTR";
635 case NID_aes_256_xts:
636 return "AES-256-XTS";
637 case NID_aes_128_xts:
638 return "AES-128-XTS";
639 case NID_aes_256_gcm:
640 return "AES-256-GCM";
641 case NID_aes_192_gcm:
642 return "AES-192-GCM";
643 case NID_aes_128_gcm:
644 return "AES-128-GCM";
645 case NID_aes_256_ccm:
646 return "AES-256-CCM";
647 case NID_aes_192_ccm:
648 return "AES-192-CCM";
649 case NID_aes_128_ccm:
650 return "AES-128-CCM";
651 case NID_id_aes256_wrap:
652 return "AES-256-WRAP";
653 case NID_id_aes192_wrap:
654 return "AES-192-WRAP";
655 case NID_id_aes128_wrap:
656 return "AES-128-WRAP";
657 case NID_id_aes256_wrap_pad:
658 return "AES-256-WRAP-PAD";
659 case NID_id_aes192_wrap_pad:
660 return "AES-192-WRAP-PAD";
661 case NID_id_aes128_wrap_pad:
662 return "AES-128-WRAP-PAD";
663 case NID_des_ede3_ecb:
665 case NID_des_ede3_cbc:
666 return "DES-EDE3-CBC";
667 case NID_aes_256_cbc_hmac_sha256:
668 return "AES-256-CBC-HMAC-SHA256";
669 case NID_aes_128_cbc_hmac_sha256:
670 return "AES-128-CBC-HMAC-SHA256";
671 case NID_aes_256_cbc_hmac_sha1:
672 return "AES-256-CBC-HMAC-SHA1";
673 case NID_aes_128_cbc_hmac_sha1:
674 return "AES-128-CBC-HMAC-SHA1";
683 * For the algorithm names, we use the following formula for our primary
686 * ALGNAME[VERSION?][-SUBNAME[VERSION?]?][-SIZE?][-MODE?]
688 * VERSION is only present if there are multiple versions of
689 * an alg (MD2, MD4, MD5). It may be omitted if there is only
690 * one version (if a subsequent version is released in the future,
691 * we can always change the canonical name, and add the old name
694 * SUBNAME may be present where we are combining multiple
695 * algorithms together, e.g. MD5-SHA1.
697 * SIZE is only present if multiple versions of an algorithm exist
698 * with different sizes (e.g. AES-128-CBC, AES-256-CBC)
700 * MODE is only present where applicable.
702 * We add diverse other names where applicable, such as the names that
703 * NIST uses, or that are used for ASN.1 OBJECT IDENTIFIERs, or names
704 * we have used historically.
706 static const OSSL_ALGORITHM fips_digests[] = {
707 /* Our primary name:NiST name[:our older names] */
708 { "SHA1:SHA-1", "provider=fips,fips=yes", sha1_functions },
709 { "SHA2-224:SHA-224:SHA224", "provider=fips,fips=yes", sha224_functions },
710 { "SHA2-256:SHA-256:SHA256", "provider=fips,fips=yes", sha256_functions },
711 { "SHA2-384:SHA-384:SHA384", "provider=fips,fips=yes", sha384_functions },
712 { "SHA2-512:SHA-512:SHA512", "provider=fips,fips=yes", sha512_functions },
713 { "SHA2-512/224:SHA-512/224:SHA512-224", "provider=fips,fips=yes",
714 sha512_224_functions },
715 { "SHA2-512/256:SHA-512/256:SHA512-256", "provider=fips,fips=yes",
716 sha512_256_functions },
718 /* We agree with NIST here, so one name only */
719 { "SHA3-224", "provider=fips,fips=yes", sha3_224_functions },
720 { "SHA3-256", "provider=fips,fips=yes", sha3_256_functions },
721 { "SHA3-384", "provider=fips,fips=yes", sha3_384_functions },
722 { "SHA3-512", "provider=fips,fips=yes", sha3_512_functions },
724 * KECCAK-KMAC-128 and KECCAK-KMAC-256 as hashes are mostly useful for
725 * KMAC128 and KMAC256.
727 { "KECCAK-KMAC-128:KECCAK-KMAC128", "provider=fips,fips=yes", keccak_kmac_128_functions },
728 { "KECCAK-KMAC-256:KECCAK-KMAC256", "provider=fips,fips=yes", keccak_kmac_256_functions },
733 static const OSSL_ALGORITHM_CAPABLE fips_ciphers[] = {
734 /* Our primary name[:ASN.1 OID name][:our older names] */
735 ALG("AES-256-ECB", aes256ecb_functions),
736 ALG("AES-192-ECB", aes192ecb_functions),
737 ALG("AES-128-ECB", aes128ecb_functions),
738 ALG("AES-256-CBC", aes256cbc_functions),
739 ALG("AES-192-CBC", aes192cbc_functions),
740 ALG("AES-128-CBC", aes128cbc_functions),
741 ALG("AES-256-CTR", aes256ctr_functions),
742 ALG("AES-192-CTR", aes192ctr_functions),
743 ALG("AES-128-CTR", aes128ctr_functions),
744 ALG("AES-256-XTS", aes256xts_functions),
745 ALG("AES-128-XTS", aes128xts_functions),
746 ALG("AES-256-GCM:id-aes256-GCM", aes256gcm_functions),
747 ALG("AES-192-GCM:id-aes192-GCM", aes192gcm_functions),
748 ALG("AES-128-GCM:id-aes128-GCM", aes128gcm_functions),
749 ALG("AES-256-CCM:id-aes256-CCM", aes256ccm_functions),
750 ALG("AES-192-CCM:id-aes192-CCM", aes192ccm_functions),
751 ALG("AES-128-CCM:id-aes128-CCM", aes128ccm_functions),
752 ALG("AES-256-WRAP:id-aes256-wrap:AES256-WRAP", aes256wrap_functions),
753 ALG("AES-192-WRAP:id-aes192-wrap:AES192-WRAP", aes192wrap_functions),
754 ALG("AES-128-WRAP:id-aes128-wrap:AES128-WRAP", aes128wrap_functions),
755 ALG("AES-256-WRAP-PAD:id-aes256-wrap-pad:AES256-WRAP-PAD",
756 aes256wrappad_functions),
757 ALG("AES-192-WRAP-PAD:id-aes192-wrap-pad:AES192-WRAP-PAD",
758 aes192wrappad_functions),
759 ALG("AES-128-WRAP-PAD:id-aes128-wrap-pad:AES128-WRAP-PAD",
760 aes128wrappad_functions),
761 ALGC("AES-128-CBC-HMAC-SHA1", aes128cbc_hmac_sha1_functions,
762 cipher_capable_aes_cbc_hmac_sha1),
763 ALGC("AES-256-CBC-HMAC-SHA1", aes256cbc_hmac_sha1_functions,
764 cipher_capable_aes_cbc_hmac_sha1),
765 ALGC("AES-128-CBC-HMAC-SHA256", aes128cbc_hmac_sha256_functions,
766 cipher_capable_aes_cbc_hmac_sha256),
767 ALGC("AES-256-CBC-HMAC-SHA256", aes256cbc_hmac_sha256_functions,
768 cipher_capable_aes_cbc_hmac_sha256),
769 #ifndef OPENSSL_NO_DES
770 ALG("DES-EDE3-ECB:DES-EDE3", tdes_ede3_ecb_functions),
771 ALG("DES-EDE3-CBC:DES3", tdes_ede3_cbc_functions),
772 #endif /* OPENSSL_NO_DES */
773 { { NULL, NULL, NULL }, NULL }
775 static OSSL_ALGORITHM exported_fips_ciphers[OSSL_NELEM(fips_ciphers)];
777 static const OSSL_ALGORITHM fips_macs[] = {
778 #ifndef OPENSSL_NO_CMAC
779 { "CMAC", "provider=fips,fips=yes", cmac_functions },
781 { "GMAC", "provider=fips,fips=yes", gmac_functions },
782 { "HMAC", "provider=fips,fips=yes", hmac_functions },
783 { "KMAC-128:KMAC128", "provider=fips,fips=yes", kmac128_functions },
784 { "KMAC-256:KMAC256", "provider=fips,fips=yes", kmac256_functions },
788 static const OSSL_ALGORITHM fips_kdfs[] = {
789 { "HKDF", "provider=fips,fips=yes", kdf_hkdf_functions },
790 { "SSKDF", "provider=fips,fips=yes", kdf_sskdf_functions },
791 { "PBKDF2", "provider=fips,fips=yes", kdf_pbkdf2_functions },
792 { "TLS1-PRF", "provider=fips,fips=yes", kdf_tls1_prf_functions },
793 { "KBKDF", "provider=fips,fips=yes", kdf_kbkdf_functions },
797 static const OSSL_ALGORITHM fips_keyexch[] = {
798 #ifndef OPENSSL_NO_DH
799 { "DH:dhKeyAgreement", "provider=fips,fips=yes", dh_keyexch_functions },
801 #ifndef OPENSSL_NO_EC
802 { "ECDH", "provider=fips,fips=yes", ecdh_keyexch_functions },
807 static const OSSL_ALGORITHM fips_signature[] = {
808 #ifndef OPENSSL_NO_DSA
809 { "DSA:dsaEncryption", "provider=fips,fips=yes", dsa_signature_functions },
811 { "RSA:rsaEncryption", "provider=fips,fips=yes", rsa_signature_functions },
812 #ifndef OPENSSL_NO_EC
813 { "ECDSA", "provider=fips,fips=yes", ecdsa_signature_functions },
818 static const OSSL_ALGORITHM fips_asym_cipher[] = {
819 { "RSA:rsaEncryption", "provider=fips,fips=yes", rsa_asym_cipher_functions },
823 static const OSSL_ALGORITHM fips_keymgmt[] = {
824 #ifndef OPENSSL_NO_DH
825 { "DH:dhKeyAgreement", "provider=fips,fips=yes", dh_keymgmt_functions },
827 #ifndef OPENSSL_NO_DSA
828 { "DSA", "provider=fips,fips=yes", dsa_keymgmt_functions },
830 { "RSA:rsaEncryption", "provider=fips,fips=yes", rsa_keymgmt_functions },
831 #ifndef OPENSSL_NO_EC
832 { "EC:id-ecPublicKey", "provider=fips,fips=yes", ec_keymgmt_functions },
837 static const OSSL_ALGORITHM *fips_query(OSSL_PROVIDER *prov,
842 switch (operation_id) {
846 ossl_prov_cache_exported_algorithms(fips_ciphers, exported_fips_ciphers);
847 return exported_fips_ciphers;
852 case OSSL_OP_KEYMGMT:
854 case OSSL_OP_KEYEXCH:
856 case OSSL_OP_SIGNATURE:
857 return fips_signature;
858 case OSSL_OP_ASYM_CIPHER:
859 return fips_asym_cipher;
864 /* Functions we provide to the core */
865 static const OSSL_DISPATCH fips_dispatch_table[] = {
867 * To release our resources we just need to free the OPENSSL_CTX so we just
868 * use OPENSSL_CTX_free directly as our teardown function
870 { OSSL_FUNC_PROVIDER_TEARDOWN, (void (*)(void))OPENSSL_CTX_free },
871 { OSSL_FUNC_PROVIDER_GETTABLE_PARAMS, (void (*)(void))fips_gettable_params },
872 { OSSL_FUNC_PROVIDER_GET_PARAMS, (void (*)(void))fips_get_params },
873 { OSSL_FUNC_PROVIDER_QUERY_OPERATION, (void (*)(void))fips_query },
877 /* Functions we provide to ourself */
878 static const OSSL_DISPATCH intern_dispatch_table[] = {
879 { OSSL_FUNC_PROVIDER_QUERY_OPERATION, (void (*)(void))fips_query },
884 int OSSL_provider_init(const OSSL_PROVIDER *provider,
885 const OSSL_DISPATCH *in,
886 const OSSL_DISPATCH **out,
891 OSSL_self_test_cb_fn *stcbfn = NULL;
892 OSSL_core_get_library_context_fn *c_get_libctx = NULL;
894 for (; in->function_id != 0; in++) {
895 switch (in->function_id) {
896 case OSSL_FUNC_CORE_GET_LIBRARY_CONTEXT:
897 c_get_libctx = OSSL_get_core_get_library_context(in);
899 case OSSL_FUNC_CORE_GETTABLE_PARAMS:
900 c_gettable_params = OSSL_get_core_gettable_params(in);
902 case OSSL_FUNC_CORE_GET_PARAMS:
903 c_get_params = OSSL_get_core_get_params(in);
905 case OSSL_FUNC_CORE_THREAD_START:
906 c_thread_start = OSSL_get_core_thread_start(in);
908 case OSSL_FUNC_CORE_NEW_ERROR:
909 c_new_error = OSSL_get_core_new_error(in);
911 case OSSL_FUNC_CORE_SET_ERROR_DEBUG:
912 c_set_error_debug = OSSL_get_core_set_error_debug(in);
914 case OSSL_FUNC_CORE_VSET_ERROR:
915 c_vset_error = OSSL_get_core_vset_error(in);
917 case OSSL_FUNC_CORE_SET_ERROR_MARK:
918 c_set_error_mark = OSSL_get_core_set_error_mark(in);
920 case OSSL_FUNC_CORE_CLEAR_LAST_ERROR_MARK:
921 c_clear_last_error_mark = OSSL_get_core_clear_last_error_mark(in);
923 case OSSL_FUNC_CORE_POP_ERROR_TO_MARK:
924 c_pop_error_to_mark = OSSL_get_core_pop_error_to_mark(in);
926 case OSSL_FUNC_CRYPTO_MALLOC:
927 c_CRYPTO_malloc = OSSL_get_CRYPTO_malloc(in);
929 case OSSL_FUNC_CRYPTO_ZALLOC:
930 c_CRYPTO_zalloc = OSSL_get_CRYPTO_zalloc(in);
932 case OSSL_FUNC_CRYPTO_FREE:
933 c_CRYPTO_free = OSSL_get_CRYPTO_free(in);
935 case OSSL_FUNC_CRYPTO_CLEAR_FREE:
936 c_CRYPTO_clear_free = OSSL_get_CRYPTO_clear_free(in);
938 case OSSL_FUNC_CRYPTO_REALLOC:
939 c_CRYPTO_realloc = OSSL_get_CRYPTO_realloc(in);
941 case OSSL_FUNC_CRYPTO_CLEAR_REALLOC:
942 c_CRYPTO_clear_realloc = OSSL_get_CRYPTO_clear_realloc(in);
944 case OSSL_FUNC_CRYPTO_SECURE_MALLOC:
945 c_CRYPTO_secure_malloc = OSSL_get_CRYPTO_secure_malloc(in);
947 case OSSL_FUNC_CRYPTO_SECURE_ZALLOC:
948 c_CRYPTO_secure_zalloc = OSSL_get_CRYPTO_secure_zalloc(in);
950 case OSSL_FUNC_CRYPTO_SECURE_FREE:
951 c_CRYPTO_secure_free = OSSL_get_CRYPTO_secure_free(in);
953 case OSSL_FUNC_CRYPTO_SECURE_CLEAR_FREE:
954 c_CRYPTO_secure_clear_free = OSSL_get_CRYPTO_secure_clear_free(in);
956 case OSSL_FUNC_CRYPTO_SECURE_ALLOCATED:
957 c_CRYPTO_secure_allocated = OSSL_get_CRYPTO_secure_allocated(in);
959 case OSSL_FUNC_BIO_NEW_FILE:
960 selftest_params.bio_new_file_cb = OSSL_get_BIO_new_file(in);
962 case OSSL_FUNC_BIO_NEW_MEMBUF:
963 selftest_params.bio_new_buffer_cb = OSSL_get_BIO_new_membuf(in);
965 case OSSL_FUNC_BIO_READ_EX:
966 selftest_params.bio_read_ex_cb = OSSL_get_BIO_read_ex(in);
968 case OSSL_FUNC_BIO_FREE:
969 selftest_params.bio_free_cb = OSSL_get_BIO_free(in);
971 case OSSL_FUNC_BIO_VSNPRINTF:
972 c_BIO_vsnprintf = OSSL_get_BIO_vsnprintf(in);
974 case OSSL_FUNC_SELF_TEST_CB: {
975 stcbfn = OSSL_get_self_test_cb(in);
979 /* Just ignore anything we don't understand */
984 if (stcbfn != NULL && c_get_libctx != NULL) {
985 stcbfn(c_get_libctx(provider), &selftest_params.cb,
986 &selftest_params.cb_arg);
989 selftest_params.cb = NULL;
990 selftest_params.cb_arg = NULL;
993 if (!c_get_params(provider, core_params))
996 /* Create a context. */
997 if ((ctx = OPENSSL_CTX_new()) == NULL)
999 if ((fgbl = openssl_ctx_get_data(ctx, OPENSSL_CTX_FIPS_PROV_INDEX,
1000 &fips_prov_ossl_ctx_method)) == NULL) {
1001 OPENSSL_CTX_free(ctx);
1005 fgbl->prov = provider;
1007 selftest_params.libctx = PROV_LIBRARY_CONTEXT_OF(ctx);
1008 if (!SELF_TEST_post(&selftest_params, 0)) {
1009 OPENSSL_CTX_free(ctx);
1014 * TODO(3.0): Remove me. This is just a dummy call to demonstrate making
1015 * EVP calls from within the FIPS module.
1017 if (!dummy_evp_call(ctx)) {
1018 OPENSSL_CTX_free(ctx);
1022 *out = fips_dispatch_table;
1029 * The internal init function used when the FIPS module uses EVP to call
1030 * another algorithm also in the FIPS module. This is a recursive call that has
1031 * been made from within the FIPS module itself. To make this work, we populate
1032 * the provider context of this inner instance with the same library context
1033 * that was used in the EVP call that initiated this recursive call.
1035 OSSL_provider_init_fn fips_intern_provider_init;
1036 int fips_intern_provider_init(const OSSL_PROVIDER *provider,
1037 const OSSL_DISPATCH *in,
1038 const OSSL_DISPATCH **out,
1041 OSSL_core_get_library_context_fn *c_get_libctx = NULL;
1043 for (; in->function_id != 0; in++) {
1044 switch (in->function_id) {
1045 case OSSL_FUNC_CORE_GET_LIBRARY_CONTEXT:
1046 c_get_libctx = OSSL_get_core_get_library_context(in);
1053 if (c_get_libctx == NULL)
1056 *provctx = c_get_libctx(provider);
1059 * Safety measure... we should get the library context that was
1060 * created up in OSSL_provider_init().
1062 if (*provctx == NULL)
1065 *out = intern_dispatch_table;
1074 void ERR_set_debug(const char *file, int line, const char *func)
1076 c_set_error_debug(NULL, file, line, func);
1079 void ERR_set_error(int lib, int reason, const char *fmt, ...)
1083 va_start(args, fmt);
1084 c_vset_error(NULL, ERR_PACK(lib, 0, reason), fmt, args);
1088 void ERR_vset_error(int lib, int reason, const char *fmt, va_list args)
1090 c_vset_error(NULL, ERR_PACK(lib, 0, reason), fmt, args);
1093 int ERR_set_mark(void)
1095 return c_set_error_mark(NULL);
1098 int ERR_clear_last_mark(void)
1100 return c_clear_last_error_mark(NULL);
1103 int ERR_pop_to_mark(void)
1105 return c_pop_error_to_mark(NULL);
1108 const OSSL_PROVIDER *FIPS_get_provider(OPENSSL_CTX *ctx)
1110 FIPS_GLOBAL *fgbl = openssl_ctx_get_data(ctx, OPENSSL_CTX_FIPS_PROV_INDEX,
1111 &fips_prov_ossl_ctx_method);
1119 void *CRYPTO_malloc(size_t num, const char *file, int line)
1121 return c_CRYPTO_malloc(num, file, line);
1124 void *CRYPTO_zalloc(size_t num, const char *file, int line)
1126 return c_CRYPTO_zalloc(num, file, line);
1129 void CRYPTO_free(void *ptr, const char *file, int line)
1131 c_CRYPTO_free(ptr, file, line);
1134 void CRYPTO_clear_free(void *ptr, size_t num, const char *file, int line)
1136 c_CRYPTO_clear_free(ptr, num, file, line);
1139 void *CRYPTO_realloc(void *addr, size_t num, const char *file, int line)
1141 return c_CRYPTO_realloc(addr, num, file, line);
1144 void *CRYPTO_clear_realloc(void *addr, size_t old_num, size_t num,
1145 const char *file, int line)
1147 return c_CRYPTO_clear_realloc(addr, old_num, num, file, line);
1150 void *CRYPTO_secure_malloc(size_t num, const char *file, int line)
1152 return c_CRYPTO_secure_malloc(num, file, line);
1155 void *CRYPTO_secure_zalloc(size_t num, const char *file, int line)
1157 return c_CRYPTO_secure_zalloc(num, file, line);
1160 void CRYPTO_secure_free(void *ptr, const char *file, int line)
1162 c_CRYPTO_secure_free(ptr, file, line);
1165 void CRYPTO_secure_clear_free(void *ptr, size_t num, const char *file, int line)
1167 c_CRYPTO_secure_clear_free(ptr, num, file, line);
1170 int CRYPTO_secure_allocated(const void *ptr)
1172 return c_CRYPTO_secure_allocated(ptr);
1175 int BIO_snprintf(char *buf, size_t n, const char *format, ...)
1180 va_start(args, format);
1181 ret = c_BIO_vsnprintf(buf, n, format, args);