Register KDF's using their name macros rather than strings

[openssl.git] / providers / fips / fipsprov.c
diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c

index be601c5dacc98d86d75de9dad4efa33f84b16b71..e5bb9b41d6af4aeaf89d2091ba2e0d89a058ecbe 100644 (file)
--- a/providers/fips/fipsprov.c
+++ b/providers/fips/fipsprov.c
@@ -15,11 +15,13 @@
  #include <openssl/params.h>
  #include <openssl/err.h>
  #include <openssl/evp.h>
+#include <openssl/kdf.h>
  
  /* TODO(3.0): Needed for dummy_evp_call(). To be removed */
  #include <openssl/sha.h>
  #include <openssl/rand_drbg.h>
  #include <openssl/ec.h>
+#include <openssl/fips_names.h>
  
  #include "internal/cryptlib.h"
  #include "internal/property.h"
@@ -27,6 +29,7 @@
  #include "internal/provider_algs.h"
  #include "internal/provider_ctx.h"
  #include "internal/providercommon.h"
+#include "selftest.h"
  
  extern OSSL_core_thread_start_fn *c_thread_start;
  
@@ -36,6 +39,9 @@ extern OSSL_core_thread_start_fn *c_thread_start;
   * at the moment because c_put_error/c_add_error_vdata do not provide
   * us with the OPENSSL_CTX as a parameter.
   */
+
+static SELF_TEST_POST_PARAMS selftest_params;
+
  /* Functions provided by the core */
  static OSSL_core_gettable_params_fn *c_gettable_params;
  static OSSL_core_get_params_fn *c_get_params;
@@ -85,12 +91,38 @@ static const OSSL_PARAM fips_param_types[] = {
      OSSL_PARAM_END
  };
  
+/*
+ * Parameters to retrieve from the core provider - required for self testing.
+ * NOTE: inside core_get_params() these will be loaded from config items
+ * stored inside prov->parameters (except for OSSL_PROV_PARAM_MODULE_FILENAME).
+ */
+static OSSL_PARAM core_params[] =
+{
+    OSSL_PARAM_utf8_ptr(OSSL_PROV_PARAM_MODULE_FILENAME,
+                        selftest_params.module_filename,
+                        sizeof(selftest_params.module_filename)),
+    OSSL_PARAM_utf8_ptr(OSSL_PROV_FIPS_PARAM_MODULE_MAC,
+                        selftest_params.module_checksum_data,
+                        sizeof(selftest_params.module_checksum_data)),
+    OSSL_PARAM_utf8_ptr(OSSL_PROV_FIPS_PARAM_INSTALL_MAC,
+                        selftest_params.indicator_checksum_data,
+                        sizeof(selftest_params.indicator_checksum_data)),
+    OSSL_PARAM_utf8_ptr(OSSL_PROV_FIPS_PARAM_INSTALL_STATUS,
+                        selftest_params.indicator_data,
+                        sizeof(selftest_params.indicator_data)),
+    OSSL_PARAM_utf8_ptr(OSSL_PROV_FIPS_PARAM_INSTALL_VERSION,
+                        selftest_params.indicator_version,
+                        sizeof(selftest_params.indicator_version)),
+    OSSL_PARAM_END
+};
+
  /* TODO(3.0): To be removed */
  static int dummy_evp_call(void *provctx)
  {
      OPENSSL_CTX *libctx = PROV_LIBRARY_CONTEXT_OF(provctx);
      EVP_MD_CTX *ctx = EVP_MD_CTX_new();
      EVP_MD *sha256 = EVP_MD_fetch(libctx, "SHA256", NULL);
+    EVP_KDF *kdf = EVP_KDF_fetch(libctx, OSSL_KDF_NAME_PBKDF2, NULL);
      char msg[] = "Hello World!";
      const unsigned char exptd[] = {
          0x7f, 0x83, 0xb1, 0x65, 0x7f, 0xf1, 0xfc, 0x53, 0xb9, 0x2d, 0xc1, 0x81,
@@ -108,7 +140,7 @@ static int dummy_evp_call(void *provctx)
      EC_KEY *key = NULL;
  #endif
  
-    if (ctx == NULL || sha256 == NULL || drbg == NULL)
+    if (ctx == NULL || sha256 == NULL || drbg == NULL || kdf == NULL)
          goto err;
  
      if (!EVP_DigestInit_ex(ctx, sha256, NULL))
@@ -155,8 +187,9 @@ static int dummy_evp_call(void *provctx)
      BN_CTX_end(bnctx);
      BN_CTX_free(bnctx);
  
+    EVP_KDF_free(kdf);
      EVP_MD_CTX_free(ctx);
-    EVP_MD_meth_free(sha256);
+    EVP_MD_free(sha256);
  
  #ifndef OPENSSL_NO_EC
      EC_KEY_free(key);
@@ -235,6 +268,21 @@ const char *ossl_prov_util_nid_to_name(int nid)
          return "AES-192-CTR";
      case NID_aes_128_ctr:
          return "AES-128-CTR";
+    /* TODO(3.0) Change these when we have aliases */
+    case NID_aes_256_gcm:
+        return "id-aes256-GCM";
+    case NID_aes_192_gcm:
+        return "id-aes192-GCM";
+    case NID_aes_128_gcm:
+        return "id-aes128-GCM";
+    case NID_aes_256_ccm:
+        return "id-aes256-CCM";
+    case NID_aes_192_ccm:
+        return "id-aes192-CCM";
+    case NID_aes_128_ccm:
+        return "id-aes128-CCM";
+    default:
+        break;
      }
  
      return NULL;
@@ -252,8 +300,12 @@ static const OSSL_ALGORITHM fips_digests[] = {
      { "SHA3-256", "fips=yes", sha3_256_functions },
      { "SHA3-384", "fips=yes", sha3_384_functions },
      { "SHA3-512", "fips=yes", sha3_512_functions },
-    { "KMAC128", "fips=yes", keccak_kmac_128_functions },
-    { "KMAC256", "fips=yes", keccak_kmac_256_functions },
+    /*
+     * KECCAK_KMAC128 and KECCAK_KMAC256 as hashes are mostly useful for
+     * the KMAC128 and KMAC256.
+     */
+    { "KECCAK_KMAC128", "fips=yes", keccak_kmac_128_functions },
+    { "KECCAK_KMAC256", "fips=yes", keccak_kmac_256_functions },
  
      { NULL, NULL, NULL }
  };
@@ -268,18 +320,39 @@ static const OSSL_ALGORITHM fips_ciphers[] = {
      { "AES-256-CTR", "fips=yes", aes256ctr_functions },
      { "AES-192-CTR", "fips=yes", aes192ctr_functions },
      { "AES-128-CTR", "fips=yes", aes128ctr_functions },
+    /* TODO(3.0) Add aliases for these ciphers */
      { "id-aes256-GCM", "fips=yes", aes256gcm_functions },
      { "id-aes192-GCM", "fips=yes", aes192gcm_functions },
      { "id-aes128-GCM", "fips=yes", aes128gcm_functions },
+    { "id-aes256-CCM", "fips=yes", aes256ccm_functions },
+    { "id-aes192-CCM", "fips=yes", aes192ccm_functions },
+    { "id-aes128-CCM", "fips=yes", aes128ccm_functions },
+#ifndef OPENSSL_NO_DES
+    { "DES-EDE3", "fips=yes", tdes_ede3_ecb_functions },
+    { "DES-EDE3-CBC", "fips=yes", tdes_ede3_cbc_functions },
+#endif  /* OPENSSL_NO_DES */
      { NULL, NULL, NULL }
  };
  
  static const OSSL_ALGORITHM fips_macs[] = {
+#ifndef OPENSSL_NO_CMAC
      { "CMAC", "fips=yes", cmac_functions },
+#endif
      { "GMAC", "fips=yes", gmac_functions },
+    { "HMAC", "fips=yes", hmac_functions },
+    { "KMAC128", "fips=yes", kmac128_functions },
+    { "KMAC256", "fips=yes", kmac256_functions },
      { NULL, NULL, NULL }
  };
  
+static const OSSL_ALGORITHM fips_kdfs[] = {
+    { OSSL_KDF_NAME_HKDF, "fips=yes", kdf_hkdf_functions },
+    { OSSL_KDF_NAME_SSKDF, "fips=yes", kdf_sskdf_functions },
+    { OSSL_KDF_NAME_PBKDF2, "fips=yes", kdf_pbkdf2_functions },
+    { OSSL_KDF_NAME_TLS1_PRF, "fips=yes", kdf_tls1_prf_functions },
+   { NULL, NULL, NULL }
+};
+
  static const OSSL_ALGORITHM *fips_query(OSSL_PROVIDER *prov,
                                           int operation_id,
                                           int *no_cache)
@@ -292,6 +365,8 @@ static const OSSL_ALGORITHM *fips_query(OSSL_PROVIDER *prov,
          return fips_ciphers;
      case OSSL_OP_MAC:
          return fips_macs;
+    case OSSL_OP_KDF:
+        return fips_kdfs;
      }
      return NULL;
  }
@@ -377,12 +452,27 @@ int OSSL_provider_init(const OSSL_PROVIDER *provider,
          case OSSL_FUNC_CRYPTO_SECURE_ALLOCATED:
              c_CRYPTO_secure_allocated = OSSL_get_CRYPTO_secure_allocated(in);
              break;
+        case OSSL_FUNC_BIO_NEW_FILE:
+            selftest_params.bio_new_file_cb = OSSL_get_BIO_new_file(in);
+            break;
+        case OSSL_FUNC_BIO_NEW_MEMBUF:
+            selftest_params.bio_new_buffer_cb = OSSL_get_BIO_new_membuf(in);
+            break;
+        case OSSL_FUNC_BIO_READ:
+            selftest_params.bio_read_cb = OSSL_get_BIO_read(in);
+            break;
+        case OSSL_FUNC_BIO_FREE:
+            selftest_params.bio_free_cb = OSSL_get_BIO_free(in);
+            break;
          default:
              /* Just ignore anything we don't understand */
              break;
          }
      }
  
+    if (!c_get_params(provider, core_params))
+        return 0;
+
      /*  Create a context. */
      if ((ctx = OPENSSL_CTX_new()) == NULL)
          return 0;