#include <openssl/params.h>
#include <openssl/err.h>
#include <openssl/evp.h>
+#include <openssl/kdf.h>
/* TODO(3.0): Needed for dummy_evp_call(). To be removed */
#include <openssl/sha.h>
#include <openssl/rand_drbg.h>
#include <openssl/ec.h>
+#include <openssl/fips_names.h>
#include "internal/cryptlib.h"
#include "internal/property.h"
#include "internal/provider_algs.h"
#include "internal/provider_ctx.h"
#include "internal/providercommon.h"
+#include "selftest.h"
extern OSSL_core_thread_start_fn *c_thread_start;
* at the moment because c_put_error/c_add_error_vdata do not provide
* us with the OPENSSL_CTX as a parameter.
*/
+
+static SELF_TEST_POST_PARAMS selftest_params;
+
/* Functions provided by the core */
static OSSL_core_gettable_params_fn *c_gettable_params;
static OSSL_core_get_params_fn *c_get_params;
OSSL_PARAM_END
};
+/*
+ * Parameters to retrieve from the core provider - required for self testing.
+ * NOTE: inside core_get_params() these will be loaded from config items
+ * stored inside prov->parameters (except for OSSL_PROV_PARAM_MODULE_FILENAME).
+ */
+static OSSL_PARAM core_params[] =
+{
+ OSSL_PARAM_utf8_ptr(OSSL_PROV_PARAM_MODULE_FILENAME,
+ selftest_params.module_filename,
+ sizeof(selftest_params.module_filename)),
+ OSSL_PARAM_utf8_ptr(OSSL_PROV_FIPS_PARAM_MODULE_MAC,
+ selftest_params.module_checksum_data,
+ sizeof(selftest_params.module_checksum_data)),
+ OSSL_PARAM_utf8_ptr(OSSL_PROV_FIPS_PARAM_INSTALL_MAC,
+ selftest_params.indicator_checksum_data,
+ sizeof(selftest_params.indicator_checksum_data)),
+ OSSL_PARAM_utf8_ptr(OSSL_PROV_FIPS_PARAM_INSTALL_STATUS,
+ selftest_params.indicator_data,
+ sizeof(selftest_params.indicator_data)),
+ OSSL_PARAM_utf8_ptr(OSSL_PROV_FIPS_PARAM_INSTALL_VERSION,
+ selftest_params.indicator_version,
+ sizeof(selftest_params.indicator_version)),
+ OSSL_PARAM_END
+};
+
/* TODO(3.0): To be removed */
static int dummy_evp_call(void *provctx)
{
OPENSSL_CTX *libctx = PROV_LIBRARY_CONTEXT_OF(provctx);
EVP_MD_CTX *ctx = EVP_MD_CTX_new();
EVP_MD *sha256 = EVP_MD_fetch(libctx, "SHA256", NULL);
+ EVP_KDF *kdf = EVP_KDF_fetch(libctx, OSSL_KDF_NAME_PBKDF2, NULL);
char msg[] = "Hello World!";
const unsigned char exptd[] = {
0x7f, 0x83, 0xb1, 0x65, 0x7f, 0xf1, 0xfc, 0x53, 0xb9, 0x2d, 0xc1, 0x81,
EC_KEY *key = NULL;
#endif
- if (ctx == NULL || sha256 == NULL || drbg == NULL)
+ if (ctx == NULL || sha256 == NULL || drbg == NULL || kdf == NULL)
goto err;
if (!EVP_DigestInit_ex(ctx, sha256, NULL))
BN_CTX_end(bnctx);
BN_CTX_free(bnctx);
+ EVP_KDF_free(kdf);
EVP_MD_CTX_free(ctx);
- EVP_MD_meth_free(sha256);
+ EVP_MD_free(sha256);
#ifndef OPENSSL_NO_EC
EC_KEY_free(key);
return "AES-192-CTR";
case NID_aes_128_ctr:
return "AES-128-CTR";
+ /* TODO(3.0) Change these when we have aliases */
+ case NID_aes_256_gcm:
+ return "id-aes256-GCM";
+ case NID_aes_192_gcm:
+ return "id-aes192-GCM";
+ case NID_aes_128_gcm:
+ return "id-aes128-GCM";
+ case NID_aes_256_ccm:
+ return "id-aes256-CCM";
+ case NID_aes_192_ccm:
+ return "id-aes192-CCM";
+ case NID_aes_128_ccm:
+ return "id-aes128-CCM";
+ default:
+ break;
}
return NULL;
{ "SHA3-256", "fips=yes", sha3_256_functions },
{ "SHA3-384", "fips=yes", sha3_384_functions },
{ "SHA3-512", "fips=yes", sha3_512_functions },
- { "KMAC128", "fips=yes", keccak_kmac_128_functions },
- { "KMAC256", "fips=yes", keccak_kmac_256_functions },
+ /*
+ * KECCAK_KMAC128 and KECCAK_KMAC256 as hashes are mostly useful for
+ * the KMAC128 and KMAC256.
+ */
+ { "KECCAK_KMAC128", "fips=yes", keccak_kmac_128_functions },
+ { "KECCAK_KMAC256", "fips=yes", keccak_kmac_256_functions },
{ NULL, NULL, NULL }
};
{ "AES-256-CTR", "fips=yes", aes256ctr_functions },
{ "AES-192-CTR", "fips=yes", aes192ctr_functions },
{ "AES-128-CTR", "fips=yes", aes128ctr_functions },
+ /* TODO(3.0) Add aliases for these ciphers */
{ "id-aes256-GCM", "fips=yes", aes256gcm_functions },
{ "id-aes192-GCM", "fips=yes", aes192gcm_functions },
{ "id-aes128-GCM", "fips=yes", aes128gcm_functions },
+ { "id-aes256-CCM", "fips=yes", aes256ccm_functions },
+ { "id-aes192-CCM", "fips=yes", aes192ccm_functions },
+ { "id-aes128-CCM", "fips=yes", aes128ccm_functions },
+#ifndef OPENSSL_NO_DES
+ { "DES-EDE3", "fips=yes", tdes_ede3_ecb_functions },
+ { "DES-EDE3-CBC", "fips=yes", tdes_ede3_cbc_functions },
+#endif /* OPENSSL_NO_DES */
{ NULL, NULL, NULL }
};
static const OSSL_ALGORITHM fips_macs[] = {
+#ifndef OPENSSL_NO_CMAC
{ "CMAC", "fips=yes", cmac_functions },
+#endif
{ "GMAC", "fips=yes", gmac_functions },
+ { "HMAC", "fips=yes", hmac_functions },
+ { "KMAC128", "fips=yes", kmac128_functions },
+ { "KMAC256", "fips=yes", kmac256_functions },
{ NULL, NULL, NULL }
};
+static const OSSL_ALGORITHM fips_kdfs[] = {
+ { OSSL_KDF_NAME_HKDF, "fips=yes", kdf_hkdf_functions },
+ { OSSL_KDF_NAME_SSKDF, "fips=yes", kdf_sskdf_functions },
+ { OSSL_KDF_NAME_PBKDF2, "fips=yes", kdf_pbkdf2_functions },
+ { OSSL_KDF_NAME_TLS1_PRF, "fips=yes", kdf_tls1_prf_functions },
+ { NULL, NULL, NULL }
+};
+
static const OSSL_ALGORITHM *fips_query(OSSL_PROVIDER *prov,
int operation_id,
int *no_cache)
return fips_ciphers;
case OSSL_OP_MAC:
return fips_macs;
+ case OSSL_OP_KDF:
+ return fips_kdfs;
}
return NULL;
}
case OSSL_FUNC_CRYPTO_SECURE_ALLOCATED:
c_CRYPTO_secure_allocated = OSSL_get_CRYPTO_secure_allocated(in);
break;
+ case OSSL_FUNC_BIO_NEW_FILE:
+ selftest_params.bio_new_file_cb = OSSL_get_BIO_new_file(in);
+ break;
+ case OSSL_FUNC_BIO_NEW_MEMBUF:
+ selftest_params.bio_new_buffer_cb = OSSL_get_BIO_new_membuf(in);
+ break;
+ case OSSL_FUNC_BIO_READ:
+ selftest_params.bio_read_cb = OSSL_get_BIO_read(in);
+ break;
+ case OSSL_FUNC_BIO_FREE:
+ selftest_params.bio_free_cb = OSSL_get_BIO_free(in);
+ break;
default:
/* Just ignore anything we don't understand */
break;
}
}
+ if (!c_get_params(provider, core_params))
+ return 0;
+
/* Create a context. */
if ((ctx = OPENSSL_CTX_new()) == NULL)
return 0;