2 * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
12 #include <openssl/core.h>
13 #include <openssl/core_numbers.h>
14 #include <openssl/core_names.h>
15 #include <openssl/params.h>
16 #include <openssl/err.h>
17 #include <openssl/evp.h>
18 #include <openssl/kdf.h>
20 /* TODO(3.0): Needed for dummy_evp_call(). To be removed */
21 #include <openssl/sha.h>
22 #include <openssl/rand_drbg.h>
23 #include <openssl/ec.h>
24 #include <openssl/fips_names.h>
26 #include "internal/cryptlib.h"
27 #include "internal/property.h"
28 #include "internal/nelem.h"
29 #include "internal/param_build.h"
30 #include "crypto/evp.h"
31 #include "prov/implementations.h"
32 #include "prov/provider_ctx.h"
33 #include "prov/providercommon.h"
34 #include "prov/provider_util.h"
35 #include "self_test.h"
37 #define ALGC(NAMES, FUNC, CHECK) { { NAMES, "fips=yes", FUNC }, CHECK }
38 #define ALG(NAMES, FUNC) ALGC(NAMES, FUNC, NULL)
40 extern OSSL_core_thread_start_fn *c_thread_start;
43 * TODO(3.0): Should these be stored in the provider side provctx? Could they
44 * ever be different from one init to the next? Unfortunately we can't do this
45 * at the moment because c_put_error/c_add_error_vdata do not provide
46 * us with the OPENSSL_CTX as a parameter.
49 static SELF_TEST_POST_PARAMS selftest_params;
51 /* Functions provided by the core */
52 static OSSL_core_gettable_params_fn *c_gettable_params;
53 static OSSL_core_get_params_fn *c_get_params;
54 OSSL_core_thread_start_fn *c_thread_start;
55 static OSSL_core_new_error_fn *c_new_error;
56 static OSSL_core_set_error_debug_fn *c_set_error_debug;
57 static OSSL_core_vset_error_fn *c_vset_error;
58 static OSSL_core_set_error_mark_fn *c_set_error_mark;
59 static OSSL_core_clear_last_error_mark_fn *c_clear_last_error_mark;
60 static OSSL_core_pop_error_to_mark_fn *c_pop_error_to_mark;
61 static OSSL_CRYPTO_malloc_fn *c_CRYPTO_malloc;
62 static OSSL_CRYPTO_zalloc_fn *c_CRYPTO_zalloc;
63 static OSSL_CRYPTO_free_fn *c_CRYPTO_free;
64 static OSSL_CRYPTO_clear_free_fn *c_CRYPTO_clear_free;
65 static OSSL_CRYPTO_realloc_fn *c_CRYPTO_realloc;
66 static OSSL_CRYPTO_clear_realloc_fn *c_CRYPTO_clear_realloc;
67 static OSSL_CRYPTO_secure_malloc_fn *c_CRYPTO_secure_malloc;
68 static OSSL_CRYPTO_secure_zalloc_fn *c_CRYPTO_secure_zalloc;
69 static OSSL_CRYPTO_secure_free_fn *c_CRYPTO_secure_free;
70 static OSSL_CRYPTO_secure_clear_free_fn *c_CRYPTO_secure_clear_free;
71 static OSSL_CRYPTO_secure_allocated_fn *c_CRYPTO_secure_allocated;
73 typedef struct fips_global_st {
74 const OSSL_PROVIDER *prov;
77 static void *fips_prov_ossl_ctx_new(OPENSSL_CTX *libctx)
79 FIPS_GLOBAL *fgbl = OPENSSL_zalloc(sizeof(*fgbl));
84 static void fips_prov_ossl_ctx_free(void *fgbl)
89 static const OPENSSL_CTX_METHOD fips_prov_ossl_ctx_method = {
90 fips_prov_ossl_ctx_new,
91 fips_prov_ossl_ctx_free,
95 /* Parameters we provide to the core */
96 static const OSSL_PARAM fips_param_types[] = {
97 OSSL_PARAM_DEFN(OSSL_PROV_PARAM_NAME, OSSL_PARAM_UTF8_PTR, NULL, 0),
98 OSSL_PARAM_DEFN(OSSL_PROV_PARAM_VERSION, OSSL_PARAM_UTF8_PTR, NULL, 0),
99 OSSL_PARAM_DEFN(OSSL_PROV_PARAM_BUILDINFO, OSSL_PARAM_UTF8_PTR, NULL, 0),
104 * Parameters to retrieve from the core provider - required for self testing.
105 * NOTE: inside core_get_params() these will be loaded from config items
106 * stored inside prov->parameters (except for OSSL_PROV_PARAM_MODULE_FILENAME).
108 static OSSL_PARAM core_params[] =
110 OSSL_PARAM_utf8_ptr(OSSL_PROV_PARAM_MODULE_FILENAME,
111 selftest_params.module_filename,
112 sizeof(selftest_params.module_filename)),
113 OSSL_PARAM_utf8_ptr(OSSL_PROV_FIPS_PARAM_MODULE_MAC,
114 selftest_params.module_checksum_data,
115 sizeof(selftest_params.module_checksum_data)),
116 OSSL_PARAM_utf8_ptr(OSSL_PROV_FIPS_PARAM_INSTALL_MAC,
117 selftest_params.indicator_checksum_data,
118 sizeof(selftest_params.indicator_checksum_data)),
119 OSSL_PARAM_utf8_ptr(OSSL_PROV_FIPS_PARAM_INSTALL_STATUS,
120 selftest_params.indicator_data,
121 sizeof(selftest_params.indicator_data)),
122 OSSL_PARAM_utf8_ptr(OSSL_PROV_FIPS_PARAM_INSTALL_VERSION,
123 selftest_params.indicator_version,
124 sizeof(selftest_params.indicator_version)),
129 * Convert a string into a bignumber.
130 * The array of hex_data is used to get around compilers that dont like
131 * strings longer than 509 bytes,
133 static int hextobn(const char *hex_data[], BIGNUM **bn)
139 /* Get the total length of the strings */
140 for (slen = 0, i = 0; hex_data[i] != NULL; ++i)
141 slen += strlen(hex_data[i]);
143 /* Add 1 for the string terminator */
144 str = OPENSSL_zalloc(slen + 1);
148 /* join the strings together into 1 buffer */
149 for (i = 0; hex_data[i] != NULL; ++i)
150 strcat(str, hex_data[i]);
152 if (BN_hex2bn(bn, str) <= 0)
160 static int hextobin(const char *hex_data[], unsigned char **out, size_t *len)
164 unsigned char *buf = NULL;
166 if (!hextobn(hex_data, &bn))
168 sz = BN_num_bytes(bn);
169 buf = OPENSSL_zalloc(sz);
172 if (BN_bn2binpad(bn, buf, sz) <= 0)
177 buf = NULL; /* Set to NULL so it is not freed */
185 #ifndef OPENSSL_NO_DSA
186 static int dsa_key_signature_test(OPENSSL_CTX *libctx)
189 BIGNUM *p = NULL, *q = NULL, *g = NULL;
190 BIGNUM *pub = NULL, *priv = NULL;
191 OSSL_PARAM *params = NULL, *params_sig = NULL;
193 EVP_PKEY_CTX *sctx = NULL, *kctx = NULL;
194 EVP_PKEY *pkey = NULL;
195 unsigned char sig[64];
198 static const unsigned char dgst[SHA256_DIGEST_LENGTH] = {
199 0x7f, 0x83, 0xb1, 0x65, 0x7f, 0xf1, 0xfc, 0x53, 0xb9, 0x2d, 0xc1, 0x81,
200 0x48, 0xa1, 0xd6, 0x5d, 0xfc, 0x2d, 0x4b, 0x1f, 0xa3, 0xd6, 0x77, 0x28,
201 0x4a, 0xdd, 0xd2, 0x00, 0x12, 0x6d, 0x90, 0x69
204 static const char *dsa_p_hex[] = {
205 "a29b8872ce8b8423b7d5d21d4b02f57e03e9e6b8a258dc16611ba098ab543415"
206 "e415f156997a3ee236658fa093260de3ad422e05e046f9ec29161a375f0eb4ef"
207 "fcef58285c5d39ed425d7a62ca12896c4a92cb1946f2952a48133f07da364d1b"
208 "df6b0f7139983e693c80059b0eacd1479ba9f2857754ede75f112b07ebbf3534",
209 "8bbf3e01e02f2d473de39453f99dd2367541caca3ba01166343d7b5b58a37bd1"
210 "b7521db2f13b86707132fe09f4cd09dc1618fa3401ebf9cc7b19fa94aa472088"
211 "133d6cb2d35c1179c8c8ff368758d507d9f9a17d46c110fe3144ce9b022b42e4"
212 "19eb4f5388613bfc3e26241a432e8706bc58ef76117278deab6cf692618291b7",
215 static const char *dsa_q_hex[] = {
216 "a3bfd9ab7884794e383450d5891dc18b65157bdcfcdac51518902867",
219 static const char *dsa_g_hex[] = {
220 "6819278869c7fd3d2d7b77f77e8150d9ad433bea3ba85efc80415aa3545f78f7"
221 "2296f06cb19ceda06c94b0551cfe6e6f863e31d1de6eed7dab8b0c9df231e084"
222 "34d1184f91d033696bb382f8455e9888f5d31d4784ec40120246f4bea61794bb"
223 "a5866f09746463bdf8e9e108cd9529c3d0f6df80316e2e70aaeb1b26cdb8ad97",
224 "bc3d287e0b8d616c42e65b87db20deb7005bc416747a6470147a68a7820388eb"
225 "f44d52e0628af9cf1b7166d03465f35acc31b6110c43dabc7c5d591e671eaf7c"
226 "252c1c145336a1a4ddf13244d55e835680cab2533b82df2efe55ec18c1e6cd00"
227 "7bb089758bb17c2cbe14441bd093ae66e5976d53733f4fa3269701d31d23d467",
230 static const char *dsa_pub_hex[] = {
231 "a012b3b170b307227957b7ca2061a816ac7a2b3d9ae995a5119c385b603bf6f6"
232 "c5de4dc5ecb5dfa4a41c68662eb25b638b7e2620ba898d07da6c4991e76cc0ec"
233 "d1ad3421077067e47c18f58a92a72ad43199ecb7bd84e7d3afb9019f0e9dd0fb"
234 "aa487300b13081e33c902876436f7b03c345528481d362815e24fe59dac5ac34",
235 "660d4c8a76cb99a7c7de93eb956cd6bc88e58d901034944a094b01803a43c672"
236 "b9688c0e01d8f4fc91c62a3f88021f7bd6a651b1a88f43aa4ef27653d12bf8b7"
237 "099fdf6b461082f8e939107bfd2f7210087d326c375200f1f51e7e74a3413190"
238 "1bcd0863521ff8d676c48581868736c5e51b16a4e39215ea0b17c4735974c516",
241 static const char *dsa_priv_hex[] = {
242 "6ccaeef6d73b4e80f11c17b8e9627c036635bac39423505e407e5cb7",
246 if (!hextobn(dsa_p_hex, &p)
247 || !hextobn(dsa_q_hex, &q)
248 || !hextobn(dsa_g_hex, &g)
249 || !hextobn(dsa_pub_hex, &pub)
250 || !hextobn(dsa_priv_hex, &priv))
253 ossl_param_bld_init(&bld);
254 if (!ossl_param_bld_push_BN(&bld, OSSL_PKEY_PARAM_FFC_P, p)
255 || !ossl_param_bld_push_BN(&bld, OSSL_PKEY_PARAM_FFC_Q, q)
256 || !ossl_param_bld_push_BN(&bld, OSSL_PKEY_PARAM_FFC_G, g)
257 || !ossl_param_bld_push_BN(&bld, OSSL_PKEY_PARAM_DSA_PUB_KEY, pub)
258 || !ossl_param_bld_push_BN(&bld, OSSL_PKEY_PARAM_DSA_PRIV_KEY, priv))
260 params = ossl_param_bld_to_param(&bld);
262 /* Create a EVP_PKEY_CTX to load the DSA key into */
263 kctx = EVP_PKEY_CTX_new_from_name(libctx, SN_dsa, "");
264 if (kctx == NULL || params == NULL)
266 if (EVP_PKEY_key_fromdata_init(kctx) <= 0
267 || EVP_PKEY_fromdata(kctx, &pkey, params) <= 0)
270 /* Create a EVP_PKEY_CTX to use for the signing operation */
271 sctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey);
273 || EVP_PKEY_sign_init(sctx) <= 0)
276 /* set signature parameters */
277 ossl_param_bld_init(&bld);
278 if (!ossl_param_bld_push_utf8_string(&bld, OSSL_SIGNATURE_PARAM_DIGEST,
279 SN_sha256,strlen(SN_sha256) + 1)
280 || !ossl_param_bld_push_size_t(&bld, OSSL_SIGNATURE_PARAM_DIGEST_SIZE,
281 SHA256_DIGEST_LENGTH))
283 params_sig = ossl_param_bld_to_param(&bld);
284 if (EVP_PKEY_CTX_set_params(sctx, params_sig) <= 0)
287 if (EVP_PKEY_sign(sctx, sig, &siglen, dgst, sizeof(dgst)) <= 0
288 || EVP_PKEY_verify_init(sctx) <= 0
289 || EVP_PKEY_verify(sctx, sig, siglen, dgst, sizeof(dgst)) <= 0)
293 ossl_param_bld_free(params);
294 ossl_param_bld_free(params_sig);
301 EVP_PKEY_CTX_free(kctx);
302 EVP_PKEY_CTX_free(sctx);
305 #endif /* OPENSSL_NO_DSA */
307 #ifndef OPENSSL_NO_DH
308 static int dh_key_exchange_test(OPENSSL_CTX *libctx)
311 BIGNUM *p = NULL, *q = NULL, *g = NULL;
312 BIGNUM *pub = NULL, *priv = NULL, *pub_peer = NULL;
313 unsigned char *kat_secret = NULL;
314 EVP_PKEY_CTX *kactx = NULL, *dctx = NULL;
315 EVP_PKEY *pkey = NULL, *peerkey = NULL;
316 OSSL_PARAM *params = NULL;
317 OSSL_PARAM *params_peer = NULL;
318 unsigned char secret[256];
319 size_t secret_len, kat_secret_len = 0;
323 static const char *dh_p_hex[] = {
324 "dcca1511b2313225f52116e1542789e001f0425bccc7f366f7406407f1c9fa8b"
325 "e610f1778bb170be39dbb76f85bf24ce6880adb7629f7c6d015e61d43fa3ee4d"
326 "e185f2cfd041ffde9d418407e15138bb021daeb35f762d1782acc658d32bd4b0"
327 "232c927dd38fa097b3d1859fa8acafb98f066608fc644ec7ddb6f08599f92ac1",
328 "b59825da8432077def695646063c20823c9507ab6f0176d4730d990dbbe6361c"
329 "d8b2b94d3d2f329b82099bd661f42950f403df3ede62a33188b02798ba823f44"
330 "b946fe9df677a0c5a1238eaa97b70f80da8cac88e092b1127060ffbf45579994"
331 "011dc2faa5e7f6c76245e1cc312231c17d1ca6b19007ef0db99f9cb60e1d5f69",
334 static const char *dh_q_hex[] = {
335 "898b226717ef039e603e82e5c7afe48374ac5f625c54f1ea11acb57d",
338 static const char *dh_g_hex[] = {
339 "5ef7b88f2df60139351dfbfe1266805fdf356cdfd13a4da0050c7ede"
340 "246df59f6abf96ade5f2b28ffe88d6bce7f7894a3d535fc82126ddd4"
341 "24872e16b838df8c51e9016f889c7c203e98a8b631f9c72563d38a49"
342 "589a0753d358e783318cefd9677c7b2dbb77d6dce2a1963795ca64b9",
343 "2d1c9aac6d0e8d431de5e50060dff78689c9eca1c1248c16ed09c7ad",
344 "412a17406d2b525aa1cabb237b9734ec7b8ce3fae02f29c5efed30d6"
345 "9187da109c2c9fe2aadbb0c22af54c616655000c431c6b4a379763b0"
346 "a91658efc84e8b06358c8b4f213710fd10172cf39b830c2dd84a0c8a"
347 "b82516ecab995fa4215e023e4ecf8074c39d6c88b70d1ee4e96fdc20",
351 static const char *dh_priv_hex[] = {
352 "1433e0b5a917b60a3023f2f8aa2c2d70d2968aba9aeac81540b8fce6",
355 static const char *dh_pub_hex[] = {
356 "95dd338d29e5710492b918317b72a36936e1951a2ee5a5591699c048"
357 "6d0d4f9bdd6d5a3f6b98890c62b37652d36e712111e68a7355372506"
358 "99efe330537391fbc2c548bc5ac3e5b23386c3eef5eb43c099d70a52"
359 "02687e83964248fca91f40908e8fb3319315f6d2606d7f7cd52cc6e7",
360 "c5843afb22519cf0f0f9d3a0a4e8c88899efede7364351fb6a363ee7"
361 "17e5445adab4c931a6483997b87dad83677e4d1d3a7775e0f6d00fdf"
362 "73c7ad801e665a0e5a796d0a0380a19fa182efc8a04f5e4db90d1a86"
363 "37f95db16436bdc8f3fc096c4ff7f234be8fef479ac4b0dc4b77263e",
364 "07d9959de0f1bf3f0ae3d9d50e4b89c99e3ea1217343dd8c6581acc4"
368 static const char *dh_peer_pub_hex[] = {
369 "1fc1da341d1a846a96b7be24340f877dd010aa0356d5ad58aae9c7b0"
370 "8f749a32235110b5d88eb5dbfa978d27ecc530f02d3114005b64b1c0"
371 "e024cb8ae21698bca9e60d42808622f181c56e1de7a96e6efee9d665"
372 "67e91b977042c7e3d0448f05fb77f522b9bfc8d33cc3c31ed3b31f0f",
373 "ecb6db4f6ea311e77afdbcd47aee1bb150f216873578fb96468e8f9f"
374 "3de8efbfce75624b1df05322a34f1463e839e8984c4ad0a96e1ac842"
375 "e5318cc23c062a8ca171b8d575980dde7fc56f1536523820d43192bf"
376 "d51e8e228978aca5b94472f339caeb9931b42be301268bc99789c9b2",
377 "5571c3c0e4cb3f007f1a511cbb53c8519cdd1302abca6c0f34f96739"
381 static const char *dh_secret_exptd_hex[] = {
382 "08ff33bb2ecff49a7d4a7912aeb1bb6ab511641b4a76770c8cc1bcc2"
383 "33343dfe700d11813d2c9ed23b211ca9e8786921edca283c68b16153"
384 "fa01e91ab82c90ddab4a95816770a98710e14c92ab83b6e46e1e426e"
385 "e852430d6187daa3720a6bcd73235c6b0f941f3364f50420551a4bfe",
386 "afe2bc438505a59a4a40daca7a895a73db575c74c13a23ad8832957d"
387 "582d38f0a6165fb0d7e9b8799e42fd3220e332e98185a0c9429757b2"
388 "d0d02c17dbaa1ff6ed93d7e73e241eaed90caf394d2bc6570f18c81f"
389 "2be5d01a2ca99ff142b5d963f9f500325e7556f95849b3ffc7479486",
390 "be1d4596a3106bd5cb4f61c57ec5f100fb7a0c82a10b82526a97d1d9"
395 if (!hextobn(dh_p_hex, &p)
396 || !hextobn(dh_q_hex, &q)
397 || !hextobn(dh_g_hex, &g)
398 || !hextobn(dh_pub_hex, &pub)
399 || !hextobn(dh_priv_hex, &priv)
400 || !hextobn(dh_peer_pub_hex, &pub_peer)
401 || !hextobin(dh_secret_exptd_hex, &kat_secret, &kat_secret_len))
404 ossl_param_bld_init(&bld);
405 if (!ossl_param_bld_push_BN(&bld, OSSL_PKEY_PARAM_FFC_P, p)
406 || !ossl_param_bld_push_BN(&bld, OSSL_PKEY_PARAM_FFC_Q, q)
407 || !ossl_param_bld_push_BN(&bld, OSSL_PKEY_PARAM_FFC_G, g)
408 || !ossl_param_bld_push_BN(&bld, OSSL_PKEY_PARAM_DH_PUB_KEY, pub)
409 || !ossl_param_bld_push_BN(&bld, OSSL_PKEY_PARAM_DH_PRIV_KEY, priv))
411 params = ossl_param_bld_to_param(&bld);
413 ossl_param_bld_init(&bld);
414 if (!ossl_param_bld_push_BN(&bld, OSSL_PKEY_PARAM_FFC_P, p)
415 || !ossl_param_bld_push_BN(&bld, OSSL_PKEY_PARAM_FFC_Q, q)
416 || !ossl_param_bld_push_BN(&bld, OSSL_PKEY_PARAM_FFC_G, g)
417 || !ossl_param_bld_push_BN(&bld, OSSL_PKEY_PARAM_DH_PUB_KEY, pub_peer))
420 params_peer = ossl_param_bld_to_param(&bld);
421 if (params == NULL || params_peer == NULL)
424 /* Create a EVP_PKEY_CTX to load the DH keys into */
425 kactx = EVP_PKEY_CTX_new_from_name(libctx, "DH", "");
428 if (EVP_PKEY_key_fromdata_init(kactx) <= 0
429 || EVP_PKEY_fromdata(kactx, &pkey, params) <= 0)
431 if (EVP_PKEY_key_fromdata_init(kactx) <= 0
432 || EVP_PKEY_fromdata(kactx, &peerkey, params_peer) <= 0)
435 /* Create a EVP_PKEY_CTX to perform key derivation */
436 dctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey);
440 if (EVP_PKEY_derive_init(dctx) <= 0
441 || EVP_PKEY_derive_set_peer(dctx, peerkey) <= 0
442 || EVP_PKEY_derive(dctx, secret, &secret_len) <= 0)
445 if (secret_len != kat_secret_len
446 || memcmp(secret, kat_secret, secret_len) != 0)
450 ossl_param_bld_free(params_peer);
451 ossl_param_bld_free(params);
458 OPENSSL_free(kat_secret);
460 EVP_PKEY_free(peerkey);
461 EVP_PKEY_CTX_free(kactx);
462 EVP_PKEY_CTX_free(dctx);
465 #endif /* OPENSSL_NO_DH */
467 /* TODO(3.0): To be removed */
468 static int dummy_evp_call(void *provctx)
470 OPENSSL_CTX *libctx = PROV_LIBRARY_CONTEXT_OF(provctx);
471 EVP_MD_CTX *ctx = EVP_MD_CTX_new();
472 EVP_MD *sha256 = EVP_MD_fetch(libctx, "SHA256", NULL);
473 EVP_KDF *kdf = EVP_KDF_fetch(libctx, OSSL_KDF_NAME_PBKDF2, NULL);
474 unsigned char dgst[SHA256_DIGEST_LENGTH];
475 unsigned int dgstlen;
477 BN_CTX *bnctx = NULL;
478 BIGNUM *a = NULL, *b = NULL;
479 unsigned char randbuf[128];
480 RAND_DRBG *drbg = OPENSSL_CTX_get0_public_drbg(libctx);
481 #ifndef OPENSSL_NO_EC
485 static const char msg[] = "Hello World!";
486 static const unsigned char exptd[] = {
487 0x7f, 0x83, 0xb1, 0x65, 0x7f, 0xf1, 0xfc, 0x53, 0xb9, 0x2d, 0xc1, 0x81,
488 0x48, 0xa1, 0xd6, 0x5d, 0xfc, 0x2d, 0x4b, 0x1f, 0xa3, 0xd6, 0x77, 0x28,
489 0x4a, 0xdd, 0xd2, 0x00, 0x12, 0x6d, 0x90, 0x69
492 if (ctx == NULL || sha256 == NULL || drbg == NULL || kdf == NULL)
495 if (!EVP_DigestInit_ex(ctx, sha256, NULL))
497 if (!EVP_DigestUpdate(ctx, msg, sizeof(msg) - 1))
499 if (!EVP_DigestFinal(ctx, dgst, &dgstlen))
501 if (dgstlen != sizeof(exptd) || memcmp(dgst, exptd, sizeof(exptd)) != 0)
504 bnctx = BN_CTX_new_ex(libctx);
508 a = BN_CTX_get(bnctx);
509 b = BN_CTX_get(bnctx);
515 || BN_cmp(a, b) != 0)
518 if (RAND_DRBG_bytes(drbg, randbuf, sizeof(randbuf)) <= 0)
521 if (!BN_rand_ex(a, 256, BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY, bnctx))
524 #ifndef OPENSSL_NO_EC
525 /* Do some dummy EC calls */
526 key = EC_KEY_new_by_curve_name_ex(libctx, NID_X9_62_prime256v1);
530 if (!EC_KEY_generate_key(key))
534 #ifndef OPENSSL_NO_DSA
535 if (!dsa_key_signature_test(libctx))
539 #ifndef OPENSSL_NO_DH
540 if (!dh_key_exchange_test(libctx))
542 #endif /* OPENSSL_NO_DH */
550 EVP_MD_CTX_free(ctx);
553 #ifndef OPENSSL_NO_EC
559 static const OSSL_PARAM *fips_gettable_params(const OSSL_PROVIDER *prov)
561 return fips_param_types;
564 static int fips_get_params(const OSSL_PROVIDER *prov, OSSL_PARAM params[])
568 p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_NAME);
569 if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "OpenSSL FIPS Provider"))
571 p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_VERSION);
572 if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_VERSION_STR))
574 p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_BUILDINFO);
575 if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_FULL_VERSION_STR))
581 /* FIPS specific version of the function of the same name in provlib.c */
582 const char *ossl_prov_util_nid_to_name(int nid)
584 /* We don't have OBJ_nid2n() in FIPS_MODE so we have an explicit list */
599 return "SHA-512/224";
601 return "SHA-512/256";
612 case NID_aes_256_ecb:
613 return "AES-256-ECB";
614 case NID_aes_192_ecb:
615 return "AES-192-ECB";
616 case NID_aes_128_ecb:
617 return "AES-128-ECB";
618 case NID_aes_256_cbc:
619 return "AES-256-CBC";
620 case NID_aes_192_cbc:
621 return "AES-192-CBC";
622 case NID_aes_128_cbc:
623 return "AES-128-CBC";
624 case NID_aes_256_ctr:
625 return "AES-256-CTR";
626 case NID_aes_192_ctr:
627 return "AES-192-CTR";
628 case NID_aes_128_ctr:
629 return "AES-128-CTR";
630 case NID_aes_256_xts:
631 return "AES-256-XTS";
632 case NID_aes_128_xts:
633 return "AES-128-XTS";
634 case NID_aes_256_gcm:
635 return "AES-256-GCM";
636 case NID_aes_192_gcm:
637 return "AES-192-GCM";
638 case NID_aes_128_gcm:
639 return "AES-128-GCM";
640 case NID_aes_256_ccm:
641 return "AES-256-CCM";
642 case NID_aes_192_ccm:
643 return "AES-192-CCM";
644 case NID_aes_128_ccm:
645 return "AES-128-CCM";
646 case NID_id_aes256_wrap:
647 return "AES-256-WRAP";
648 case NID_id_aes192_wrap:
649 return "AES-192-WRAP";
650 case NID_id_aes128_wrap:
651 return "AES-128-WRAP";
652 case NID_id_aes256_wrap_pad:
653 return "AES-256-WRAP-PAD";
654 case NID_id_aes192_wrap_pad:
655 return "AES-192-WRAP-PAD";
656 case NID_id_aes128_wrap_pad:
657 return "AES-128-WRAP-PAD";
658 case NID_des_ede3_ecb:
660 case NID_des_ede3_cbc:
661 return "DES-EDE3-CBC";
662 case NID_aes_256_cbc_hmac_sha256:
663 return "AES-256-CBC-HMAC-SHA256";
664 case NID_aes_128_cbc_hmac_sha256:
665 return "AES-128-CBC-HMAC-SHA256";
666 case NID_aes_256_cbc_hmac_sha1:
667 return "AES-256-CBC-HMAC-SHA1";
668 case NID_aes_128_cbc_hmac_sha1:
669 return "AES-128-CBC-HMAC-SHA1";
678 * For the algorithm names, we use the following formula for our primary
681 * ALGNAME[VERSION?][-SUBNAME[VERSION?]?][-SIZE?][-MODE?]
683 * VERSION is only present if there are multiple versions of
684 * an alg (MD2, MD4, MD5). It may be omitted if there is only
685 * one version (if a subsequent version is released in the future,
686 * we can always change the canonical name, and add the old name
689 * SUBNAME may be present where we are combining multiple
690 * algorithms together, e.g. MD5-SHA1.
692 * SIZE is only present if multiple versions of an algorithm exist
693 * with different sizes (e.g. AES-128-CBC, AES-256-CBC)
695 * MODE is only present where applicable.
697 * We add diverse other names where applicable, such as the names that
698 * NIST uses, or that are used for ASN.1 OBJECT IDENTIFIERs, or names
699 * we have used historically.
701 static const OSSL_ALGORITHM fips_digests[] = {
702 /* Our primary name:NiST name[:our older names] */
703 { "SHA1:SHA-1", "fips=yes", sha1_functions },
704 { "SHA2-224:SHA-224:SHA224", "fips=yes", sha224_functions },
705 { "SHA2-256:SHA-256:SHA256", "fips=yes", sha256_functions },
706 { "SHA2-384:SHA-384:SHA384", "fips=yes", sha384_functions },
707 { "SHA2-512:SHA-512:SHA512", "fips=yes", sha512_functions },
708 { "SHA2-512/224:SHA-512/224:SHA512-224", "fips=yes",
709 sha512_224_functions },
710 { "SHA2-512/256:SHA-512/256:SHA512-256", "fips=yes",
711 sha512_256_functions },
713 /* We agree with NIST here, so one name only */
714 { "SHA3-224", "fips=yes", sha3_224_functions },
715 { "SHA3-256", "fips=yes", sha3_256_functions },
716 { "SHA3-384", "fips=yes", sha3_384_functions },
717 { "SHA3-512", "fips=yes", sha3_512_functions },
719 * KECCAK-KMAC-128 and KECCAK-KMAC-256 as hashes are mostly useful for
720 * KMAC128 and KMAC256.
722 { "KECCAK-KMAC-128:KECCAK-KMAC128", "fips=yes", keccak_kmac_128_functions },
723 { "KECCAK-KMAC-256:KECCAK-KMAC256", "fips=yes", keccak_kmac_256_functions },
728 static const OSSL_ALGORITHM_CAPABLE fips_ciphers[] = {
729 /* Our primary name[:ASN.1 OID name][:our older names] */
730 ALG("AES-256-ECB", aes256ecb_functions),
731 ALG("AES-192-ECB", aes192ecb_functions),
732 ALG("AES-128-ECB", aes128ecb_functions),
733 ALG("AES-256-CBC", aes256cbc_functions),
734 ALG("AES-192-CBC", aes192cbc_functions),
735 ALG("AES-128-CBC", aes128cbc_functions),
736 ALG("AES-256-CTR", aes256ctr_functions),
737 ALG("AES-192-CTR", aes192ctr_functions),
738 ALG("AES-128-CTR", aes128ctr_functions),
739 ALG("AES-256-XTS", aes256xts_functions),
740 ALG("AES-128-XTS", aes128xts_functions),
741 ALG("AES-256-GCM:id-aes256-GCM", aes256gcm_functions),
742 ALG("AES-192-GCM:id-aes192-GCM", aes192gcm_functions),
743 ALG("AES-128-GCM:id-aes128-GCM", aes128gcm_functions),
744 ALG("AES-256-CCM:id-aes256-CCM", aes256ccm_functions),
745 ALG("AES-192-CCM:id-aes192-CCM", aes192ccm_functions),
746 ALG("AES-128-CCM:id-aes128-CCM", aes128ccm_functions),
747 ALG("AES-256-WRAP:id-aes256-wrap:AES256-WRAP", aes256wrap_functions),
748 ALG("AES-192-WRAP:id-aes192-wrap:AES192-WRAP", aes192wrap_functions),
749 ALG("AES-128-WRAP:id-aes128-wrap:AES128-WRAP", aes128wrap_functions),
750 ALG("AES-256-WRAP-PAD:id-aes256-wrap-pad:AES256-WRAP-PAD",
751 aes256wrappad_functions),
752 ALG("AES-192-WRAP-PAD:id-aes192-wrap-pad:AES192-WRAP-PAD",
753 aes192wrappad_functions),
754 ALG("AES-128-WRAP-PAD:id-aes128-wrap-pad:AES128-WRAP-PAD",
755 aes128wrappad_functions),
756 ALGC("AES-128-CBC-HMAC-SHA1", aes128cbc_hmac_sha1_functions,
757 cipher_capable_aes_cbc_hmac_sha1),
758 ALGC("AES-256-CBC-HMAC-SHA1", aes256cbc_hmac_sha1_functions,
759 cipher_capable_aes_cbc_hmac_sha1),
760 ALGC("AES-128-CBC-HMAC-SHA256", aes128cbc_hmac_sha256_functions,
761 cipher_capable_aes_cbc_hmac_sha256),
762 ALGC("AES-256-CBC-HMAC-SHA256", aes256cbc_hmac_sha256_functions,
763 cipher_capable_aes_cbc_hmac_sha256),
764 #ifndef OPENSSL_NO_DES
765 ALG("DES-EDE3-ECB:DES-EDE3", tdes_ede3_ecb_functions),
766 ALG("DES-EDE3-CBC:DES3", tdes_ede3_cbc_functions),
767 #endif /* OPENSSL_NO_DES */
768 { { NULL, NULL, NULL }, NULL }
770 static OSSL_ALGORITHM exported_fips_ciphers[OSSL_NELEM(fips_ciphers)];
772 static const OSSL_ALGORITHM fips_macs[] = {
773 #ifndef OPENSSL_NO_CMAC
774 { "CMAC", "fips=yes", cmac_functions },
776 { "GMAC", "fips=yes", gmac_functions },
777 { "HMAC", "fips=yes", hmac_functions },
778 { "KMAC-128:KMAC128", "fips=yes", kmac128_functions },
779 { "KMAC-256:KMAC256", "fips=yes", kmac256_functions },
783 static const OSSL_ALGORITHM fips_kdfs[] = {
784 { "HKDF", "fips=yes", kdf_hkdf_functions },
785 { "SSKDF", "fips=yes", kdf_sskdf_functions },
786 { "PBKDF2", "fips=yes", kdf_pbkdf2_functions },
787 { "TLS1-PRF", "fips=yes", kdf_tls1_prf_functions },
788 { "KBKDF", "fips=yes", kdf_kbkdf_functions },
792 static const OSSL_ALGORITHM fips_keyexch[] = {
793 #ifndef OPENSSL_NO_DH
794 { "DH:dhKeyAgreement", "fips=yes", dh_keyexch_functions },
799 static const OSSL_ALGORITHM fips_signature[] = {
800 #ifndef OPENSSL_NO_DSA
801 { "DSA:dsaEncryption", "fips=yes", dsa_signature_functions },
806 static const OSSL_ALGORITHM fips_keymgmt[] = {
807 #ifndef OPENSSL_NO_DH
808 { "DH:dhKeyAgreement", "fips=yes", dh_keymgmt_functions },
810 #ifndef OPENSSL_NO_DSA
811 { "DSA", "fips=yes", dsa_keymgmt_functions },
816 static const OSSL_ALGORITHM *fips_query(OSSL_PROVIDER *prov,
821 switch (operation_id) {
825 ossl_prov_cache_exported_algorithms(fips_ciphers, exported_fips_ciphers);
826 return exported_fips_ciphers;
831 case OSSL_OP_KEYMGMT:
833 case OSSL_OP_KEYEXCH:
835 case OSSL_OP_SIGNATURE:
836 return fips_signature;
841 /* Functions we provide to the core */
842 static const OSSL_DISPATCH fips_dispatch_table[] = {
844 * To release our resources we just need to free the OPENSSL_CTX so we just
845 * use OPENSSL_CTX_free directly as our teardown function
847 { OSSL_FUNC_PROVIDER_TEARDOWN, (void (*)(void))OPENSSL_CTX_free },
848 { OSSL_FUNC_PROVIDER_GETTABLE_PARAMS, (void (*)(void))fips_gettable_params },
849 { OSSL_FUNC_PROVIDER_GET_PARAMS, (void (*)(void))fips_get_params },
850 { OSSL_FUNC_PROVIDER_QUERY_OPERATION, (void (*)(void))fips_query },
854 /* Functions we provide to ourself */
855 static const OSSL_DISPATCH intern_dispatch_table[] = {
856 { OSSL_FUNC_PROVIDER_QUERY_OPERATION, (void (*)(void))fips_query },
861 int OSSL_provider_init(const OSSL_PROVIDER *provider,
862 const OSSL_DISPATCH *in,
863 const OSSL_DISPATCH **out,
868 OSSL_self_test_cb_fn *stcbfn = NULL;
869 OSSL_core_get_library_context_fn *c_get_libctx = NULL;
871 for (; in->function_id != 0; in++) {
872 switch (in->function_id) {
873 case OSSL_FUNC_CORE_GET_LIBRARY_CONTEXT:
874 c_get_libctx = OSSL_get_core_get_library_context(in);
876 case OSSL_FUNC_CORE_GETTABLE_PARAMS:
877 c_gettable_params = OSSL_get_core_gettable_params(in);
879 case OSSL_FUNC_CORE_GET_PARAMS:
880 c_get_params = OSSL_get_core_get_params(in);
882 case OSSL_FUNC_CORE_THREAD_START:
883 c_thread_start = OSSL_get_core_thread_start(in);
885 case OSSL_FUNC_CORE_NEW_ERROR:
886 c_new_error = OSSL_get_core_new_error(in);
888 case OSSL_FUNC_CORE_SET_ERROR_DEBUG:
889 c_set_error_debug = OSSL_get_core_set_error_debug(in);
891 case OSSL_FUNC_CORE_VSET_ERROR:
892 c_vset_error = OSSL_get_core_vset_error(in);
894 case OSSL_FUNC_CORE_SET_ERROR_MARK:
895 c_set_error_mark = OSSL_get_core_set_error_mark(in);
897 case OSSL_FUNC_CORE_CLEAR_LAST_ERROR_MARK:
898 c_clear_last_error_mark = OSSL_get_core_clear_last_error_mark(in);
900 case OSSL_FUNC_CORE_POP_ERROR_TO_MARK:
901 c_pop_error_to_mark = OSSL_get_core_pop_error_to_mark(in);
903 case OSSL_FUNC_CRYPTO_MALLOC:
904 c_CRYPTO_malloc = OSSL_get_CRYPTO_malloc(in);
906 case OSSL_FUNC_CRYPTO_ZALLOC:
907 c_CRYPTO_zalloc = OSSL_get_CRYPTO_zalloc(in);
909 case OSSL_FUNC_CRYPTO_FREE:
910 c_CRYPTO_free = OSSL_get_CRYPTO_free(in);
912 case OSSL_FUNC_CRYPTO_CLEAR_FREE:
913 c_CRYPTO_clear_free = OSSL_get_CRYPTO_clear_free(in);
915 case OSSL_FUNC_CRYPTO_REALLOC:
916 c_CRYPTO_realloc = OSSL_get_CRYPTO_realloc(in);
918 case OSSL_FUNC_CRYPTO_CLEAR_REALLOC:
919 c_CRYPTO_clear_realloc = OSSL_get_CRYPTO_clear_realloc(in);
921 case OSSL_FUNC_CRYPTO_SECURE_MALLOC:
922 c_CRYPTO_secure_malloc = OSSL_get_CRYPTO_secure_malloc(in);
924 case OSSL_FUNC_CRYPTO_SECURE_ZALLOC:
925 c_CRYPTO_secure_zalloc = OSSL_get_CRYPTO_secure_zalloc(in);
927 case OSSL_FUNC_CRYPTO_SECURE_FREE:
928 c_CRYPTO_secure_free = OSSL_get_CRYPTO_secure_free(in);
930 case OSSL_FUNC_CRYPTO_SECURE_CLEAR_FREE:
931 c_CRYPTO_secure_clear_free = OSSL_get_CRYPTO_secure_clear_free(in);
933 case OSSL_FUNC_CRYPTO_SECURE_ALLOCATED:
934 c_CRYPTO_secure_allocated = OSSL_get_CRYPTO_secure_allocated(in);
936 case OSSL_FUNC_BIO_NEW_FILE:
937 selftest_params.bio_new_file_cb = OSSL_get_BIO_new_file(in);
939 case OSSL_FUNC_BIO_NEW_MEMBUF:
940 selftest_params.bio_new_buffer_cb = OSSL_get_BIO_new_membuf(in);
942 case OSSL_FUNC_BIO_READ_EX:
943 selftest_params.bio_read_ex_cb = OSSL_get_BIO_read_ex(in);
945 case OSSL_FUNC_BIO_FREE:
946 selftest_params.bio_free_cb = OSSL_get_BIO_free(in);
948 case OSSL_FUNC_SELF_TEST_CB: {
949 stcbfn = OSSL_get_self_test_cb(in);
953 /* Just ignore anything we don't understand */
958 if (stcbfn != NULL && c_get_libctx != NULL) {
959 stcbfn(c_get_libctx(provider), &selftest_params.event_cb,
960 &selftest_params.event_cb_arg);
963 selftest_params.event_cb = NULL;
964 selftest_params.event_cb_arg = NULL;
967 if (!c_get_params(provider, core_params))
970 /* Create a context. */
971 if ((ctx = OPENSSL_CTX_new()) == NULL)
973 if ((fgbl = openssl_ctx_get_data(ctx, OPENSSL_CTX_FIPS_PROV_INDEX,
974 &fips_prov_ossl_ctx_method)) == NULL) {
975 OPENSSL_CTX_free(ctx);
979 fgbl->prov = provider;
981 selftest_params.libctx = PROV_LIBRARY_CONTEXT_OF(ctx);
982 if (!SELF_TEST_post(&selftest_params, 0)) {
983 OPENSSL_CTX_free(ctx);
988 * TODO(3.0): Remove me. This is just a dummy call to demonstrate making
989 * EVP calls from within the FIPS module.
991 if (!dummy_evp_call(ctx)) {
992 OPENSSL_CTX_free(ctx);
996 *out = fips_dispatch_table;
1003 * The internal init function used when the FIPS module uses EVP to call
1004 * another algorithm also in the FIPS module. This is a recursive call that has
1005 * been made from within the FIPS module itself. To make this work, we populate
1006 * the provider context of this inner instance with the same library context
1007 * that was used in the EVP call that initiated this recursive call.
1009 OSSL_provider_init_fn fips_intern_provider_init;
1010 int fips_intern_provider_init(const OSSL_PROVIDER *provider,
1011 const OSSL_DISPATCH *in,
1012 const OSSL_DISPATCH **out,
1015 OSSL_core_get_library_context_fn *c_get_libctx = NULL;
1017 for (; in->function_id != 0; in++) {
1018 switch (in->function_id) {
1019 case OSSL_FUNC_CORE_GET_LIBRARY_CONTEXT:
1020 c_get_libctx = OSSL_get_core_get_library_context(in);
1027 if (c_get_libctx == NULL)
1030 *provctx = c_get_libctx(provider);
1033 * Safety measure... we should get the library context that was
1034 * created up in OSSL_provider_init().
1036 if (*provctx == NULL)
1039 *out = intern_dispatch_table;
1048 void ERR_set_debug(const char *file, int line, const char *func)
1050 c_set_error_debug(NULL, file, line, func);
1053 void ERR_set_error(int lib, int reason, const char *fmt, ...)
1057 va_start(args, fmt);
1058 c_vset_error(NULL, ERR_PACK(lib, 0, reason), fmt, args);
1062 void ERR_vset_error(int lib, int reason, const char *fmt, va_list args)
1064 c_vset_error(NULL, ERR_PACK(lib, 0, reason), fmt, args);
1067 int ERR_set_mark(void)
1069 return c_set_error_mark(NULL);
1072 int ERR_clear_last_mark(void)
1074 return c_clear_last_error_mark(NULL);
1077 int ERR_pop_to_mark(void)
1079 return c_pop_error_to_mark(NULL);
1082 const OSSL_PROVIDER *FIPS_get_provider(OPENSSL_CTX *ctx)
1084 FIPS_GLOBAL *fgbl = openssl_ctx_get_data(ctx, OPENSSL_CTX_FIPS_PROV_INDEX,
1085 &fips_prov_ossl_ctx_method);
1093 void *CRYPTO_malloc(size_t num, const char *file, int line)
1095 return c_CRYPTO_malloc(num, file, line);
1098 void *CRYPTO_zalloc(size_t num, const char *file, int line)
1100 return c_CRYPTO_zalloc(num, file, line);
1103 void CRYPTO_free(void *ptr, const char *file, int line)
1105 c_CRYPTO_free(ptr, file, line);
1108 void CRYPTO_clear_free(void *ptr, size_t num, const char *file, int line)
1110 c_CRYPTO_clear_free(ptr, num, file, line);
1113 void *CRYPTO_realloc(void *addr, size_t num, const char *file, int line)
1115 return c_CRYPTO_realloc(addr, num, file, line);
1118 void *CRYPTO_clear_realloc(void *addr, size_t old_num, size_t num,
1119 const char *file, int line)
1121 return c_CRYPTO_clear_realloc(addr, old_num, num, file, line);
1124 void *CRYPTO_secure_malloc(size_t num, const char *file, int line)
1126 return c_CRYPTO_secure_malloc(num, file, line);
1129 void *CRYPTO_secure_zalloc(size_t num, const char *file, int line)
1131 return c_CRYPTO_secure_zalloc(num, file, line);
1134 void CRYPTO_secure_free(void *ptr, const char *file, int line)
1136 c_CRYPTO_secure_free(ptr, file, line);
1139 void CRYPTO_secure_clear_free(void *ptr, size_t num, const char *file, int line)
1141 c_CRYPTO_secure_clear_free(ptr, num, file, line);
1144 int CRYPTO_secure_allocated(const void *ptr)
1146 return c_CRYPTO_secure_allocated(ptr);