2 * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
12 #include <openssl/core.h>
13 #include <openssl/core_numbers.h>
14 #include <openssl/core_names.h>
15 #include <openssl/params.h>
16 #include <openssl/err.h>
17 #include <openssl/evp.h>
18 #include <openssl/kdf.h>
20 /* TODO(3.0): Needed for dummy_evp_call(). To be removed */
21 #include <openssl/sha.h>
22 #include <openssl/rand_drbg.h>
23 #include <openssl/ec.h>
24 #include <openssl/fips_names.h>
26 #include "internal/cryptlib.h"
27 #include "internal/property.h"
28 #include "internal/nelem.h"
29 #include "internal/param_build.h"
30 #include "crypto/evp.h"
31 #include "prov/implementations.h"
32 #include "prov/provider_ctx.h"
33 #include "prov/providercommon.h"
34 #include "prov/provider_util.h"
35 #include "self_test.h"
37 #define ALGC(NAMES, FUNC, CHECK) { { NAMES, "fips=yes", FUNC }, CHECK }
38 #define ALG(NAMES, FUNC) ALGC(NAMES, FUNC, NULL)
40 extern OSSL_core_thread_start_fn *c_thread_start;
43 * TODO(3.0): Should these be stored in the provider side provctx? Could they
44 * ever be different from one init to the next? Unfortunately we can't do this
45 * at the moment because c_put_error/c_add_error_vdata do not provide
46 * us with the OPENSSL_CTX as a parameter.
49 static SELF_TEST_POST_PARAMS selftest_params;
51 /* Functions provided by the core */
52 static OSSL_core_gettable_params_fn *c_gettable_params;
53 static OSSL_core_get_params_fn *c_get_params;
54 OSSL_core_thread_start_fn *c_thread_start;
55 static OSSL_core_new_error_fn *c_new_error;
56 static OSSL_core_set_error_debug_fn *c_set_error_debug;
57 static OSSL_core_vset_error_fn *c_vset_error;
58 static OSSL_core_set_error_mark_fn *c_set_error_mark;
59 static OSSL_core_clear_last_error_mark_fn *c_clear_last_error_mark;
60 static OSSL_core_pop_error_to_mark_fn *c_pop_error_to_mark;
61 static OSSL_CRYPTO_malloc_fn *c_CRYPTO_malloc;
62 static OSSL_CRYPTO_zalloc_fn *c_CRYPTO_zalloc;
63 static OSSL_CRYPTO_free_fn *c_CRYPTO_free;
64 static OSSL_CRYPTO_clear_free_fn *c_CRYPTO_clear_free;
65 static OSSL_CRYPTO_realloc_fn *c_CRYPTO_realloc;
66 static OSSL_CRYPTO_clear_realloc_fn *c_CRYPTO_clear_realloc;
67 static OSSL_CRYPTO_secure_malloc_fn *c_CRYPTO_secure_malloc;
68 static OSSL_CRYPTO_secure_zalloc_fn *c_CRYPTO_secure_zalloc;
69 static OSSL_CRYPTO_secure_free_fn *c_CRYPTO_secure_free;
70 static OSSL_CRYPTO_secure_clear_free_fn *c_CRYPTO_secure_clear_free;
71 static OSSL_CRYPTO_secure_allocated_fn *c_CRYPTO_secure_allocated;
73 typedef struct fips_global_st {
74 const OSSL_PROVIDER *prov;
77 static void *fips_prov_ossl_ctx_new(OPENSSL_CTX *libctx)
79 FIPS_GLOBAL *fgbl = OPENSSL_zalloc(sizeof(*fgbl));
84 static void fips_prov_ossl_ctx_free(void *fgbl)
89 static const OPENSSL_CTX_METHOD fips_prov_ossl_ctx_method = {
90 fips_prov_ossl_ctx_new,
91 fips_prov_ossl_ctx_free,
95 /* Parameters we provide to the core */
96 static const OSSL_PARAM fips_param_types[] = {
97 OSSL_PARAM_DEFN(OSSL_PROV_PARAM_NAME, OSSL_PARAM_UTF8_PTR, NULL, 0),
98 OSSL_PARAM_DEFN(OSSL_PROV_PARAM_VERSION, OSSL_PARAM_UTF8_PTR, NULL, 0),
99 OSSL_PARAM_DEFN(OSSL_PROV_PARAM_BUILDINFO, OSSL_PARAM_UTF8_PTR, NULL, 0),
104 * Parameters to retrieve from the core provider - required for self testing.
105 * NOTE: inside core_get_params() these will be loaded from config items
106 * stored inside prov->parameters (except for OSSL_PROV_PARAM_MODULE_FILENAME).
108 static OSSL_PARAM core_params[] =
110 OSSL_PARAM_utf8_ptr(OSSL_PROV_PARAM_MODULE_FILENAME,
111 selftest_params.module_filename,
112 sizeof(selftest_params.module_filename)),
113 OSSL_PARAM_utf8_ptr(OSSL_PROV_FIPS_PARAM_MODULE_MAC,
114 selftest_params.module_checksum_data,
115 sizeof(selftest_params.module_checksum_data)),
116 OSSL_PARAM_utf8_ptr(OSSL_PROV_FIPS_PARAM_INSTALL_MAC,
117 selftest_params.indicator_checksum_data,
118 sizeof(selftest_params.indicator_checksum_data)),
119 OSSL_PARAM_utf8_ptr(OSSL_PROV_FIPS_PARAM_INSTALL_STATUS,
120 selftest_params.indicator_data,
121 sizeof(selftest_params.indicator_data)),
122 OSSL_PARAM_utf8_ptr(OSSL_PROV_FIPS_PARAM_INSTALL_VERSION,
123 selftest_params.indicator_version,
124 sizeof(selftest_params.indicator_version)),
129 * Convert a string into a bignumber.
130 * The array of hex_data is used to get around compilers that dont like
131 * strings longer than 509 bytes,
133 #if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_DSA)
134 static int hextobn(const char *hex_data[], BIGNUM **bn)
140 /* Get the total length of the strings */
141 for (slen = 0, i = 0; hex_data[i] != NULL; ++i)
142 slen += strlen(hex_data[i]);
144 /* Add 1 for the string terminator */
145 str = OPENSSL_zalloc(slen + 1);
149 /* join the strings together into 1 buffer */
150 for (i = 0; hex_data[i] != NULL; ++i)
151 strcat(str, hex_data[i]);
153 if (BN_hex2bn(bn, str) <= 0)
160 #endif /* !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_DSA) */
162 #ifndef OPENSSL_NO_DH
163 static int hextobin(const char *hex_data[], unsigned char **out, size_t *len)
167 unsigned char *buf = NULL;
169 if (!hextobn(hex_data, &bn))
171 sz = BN_num_bytes(bn);
172 buf = OPENSSL_zalloc(sz);
175 if (BN_bn2binpad(bn, buf, sz) <= 0)
180 buf = NULL; /* Set to NULL so it is not freed */
189 #ifndef OPENSSL_NO_DSA
190 static int dsa_key_signature_test(OPENSSL_CTX *libctx)
193 BIGNUM *p = NULL, *q = NULL, *g = NULL;
194 BIGNUM *pub = NULL, *priv = NULL;
195 OSSL_PARAM *params = NULL, *params_sig = NULL;
197 EVP_PKEY_CTX *sctx = NULL, *kctx = NULL;
198 EVP_PKEY *pkey = NULL;
199 unsigned char sig[64];
202 static const unsigned char dgst[SHA256_DIGEST_LENGTH] = {
203 0x7f, 0x83, 0xb1, 0x65, 0x7f, 0xf1, 0xfc, 0x53, 0xb9, 0x2d, 0xc1, 0x81,
204 0x48, 0xa1, 0xd6, 0x5d, 0xfc, 0x2d, 0x4b, 0x1f, 0xa3, 0xd6, 0x77, 0x28,
205 0x4a, 0xdd, 0xd2, 0x00, 0x12, 0x6d, 0x90, 0x69
208 static const char *dsa_p_hex[] = {
209 "a29b8872ce8b8423b7d5d21d4b02f57e03e9e6b8a258dc16611ba098ab543415"
210 "e415f156997a3ee236658fa093260de3ad422e05e046f9ec29161a375f0eb4ef"
211 "fcef58285c5d39ed425d7a62ca12896c4a92cb1946f2952a48133f07da364d1b"
212 "df6b0f7139983e693c80059b0eacd1479ba9f2857754ede75f112b07ebbf3534",
213 "8bbf3e01e02f2d473de39453f99dd2367541caca3ba01166343d7b5b58a37bd1"
214 "b7521db2f13b86707132fe09f4cd09dc1618fa3401ebf9cc7b19fa94aa472088"
215 "133d6cb2d35c1179c8c8ff368758d507d9f9a17d46c110fe3144ce9b022b42e4"
216 "19eb4f5388613bfc3e26241a432e8706bc58ef76117278deab6cf692618291b7",
219 static const char *dsa_q_hex[] = {
220 "a3bfd9ab7884794e383450d5891dc18b65157bdcfcdac51518902867",
223 static const char *dsa_g_hex[] = {
224 "6819278869c7fd3d2d7b77f77e8150d9ad433bea3ba85efc80415aa3545f78f7"
225 "2296f06cb19ceda06c94b0551cfe6e6f863e31d1de6eed7dab8b0c9df231e084"
226 "34d1184f91d033696bb382f8455e9888f5d31d4784ec40120246f4bea61794bb"
227 "a5866f09746463bdf8e9e108cd9529c3d0f6df80316e2e70aaeb1b26cdb8ad97",
228 "bc3d287e0b8d616c42e65b87db20deb7005bc416747a6470147a68a7820388eb"
229 "f44d52e0628af9cf1b7166d03465f35acc31b6110c43dabc7c5d591e671eaf7c"
230 "252c1c145336a1a4ddf13244d55e835680cab2533b82df2efe55ec18c1e6cd00"
231 "7bb089758bb17c2cbe14441bd093ae66e5976d53733f4fa3269701d31d23d467",
234 static const char *dsa_pub_hex[] = {
235 "a012b3b170b307227957b7ca2061a816ac7a2b3d9ae995a5119c385b603bf6f6"
236 "c5de4dc5ecb5dfa4a41c68662eb25b638b7e2620ba898d07da6c4991e76cc0ec"
237 "d1ad3421077067e47c18f58a92a72ad43199ecb7bd84e7d3afb9019f0e9dd0fb"
238 "aa487300b13081e33c902876436f7b03c345528481d362815e24fe59dac5ac34",
239 "660d4c8a76cb99a7c7de93eb956cd6bc88e58d901034944a094b01803a43c672"
240 "b9688c0e01d8f4fc91c62a3f88021f7bd6a651b1a88f43aa4ef27653d12bf8b7"
241 "099fdf6b461082f8e939107bfd2f7210087d326c375200f1f51e7e74a3413190"
242 "1bcd0863521ff8d676c48581868736c5e51b16a4e39215ea0b17c4735974c516",
245 static const char *dsa_priv_hex[] = {
246 "6ccaeef6d73b4e80f11c17b8e9627c036635bac39423505e407e5cb7",
250 if (!hextobn(dsa_p_hex, &p)
251 || !hextobn(dsa_q_hex, &q)
252 || !hextobn(dsa_g_hex, &g)
253 || !hextobn(dsa_pub_hex, &pub)
254 || !hextobn(dsa_priv_hex, &priv))
257 ossl_param_bld_init(&bld);
258 if (!ossl_param_bld_push_BN(&bld, OSSL_PKEY_PARAM_FFC_P, p)
259 || !ossl_param_bld_push_BN(&bld, OSSL_PKEY_PARAM_FFC_Q, q)
260 || !ossl_param_bld_push_BN(&bld, OSSL_PKEY_PARAM_FFC_G, g)
261 || !ossl_param_bld_push_BN(&bld, OSSL_PKEY_PARAM_PUB_KEY, pub)
262 || !ossl_param_bld_push_BN(&bld, OSSL_PKEY_PARAM_PRIV_KEY, priv))
264 params = ossl_param_bld_to_param(&bld);
266 /* Create a EVP_PKEY_CTX to load the DSA key into */
267 kctx = EVP_PKEY_CTX_new_from_name(libctx, SN_dsa, "");
268 if (kctx == NULL || params == NULL)
270 if (EVP_PKEY_key_fromdata_init(kctx) <= 0
271 || EVP_PKEY_fromdata(kctx, &pkey, params) <= 0)
274 /* Create a EVP_PKEY_CTX to use for the signing operation */
275 sctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, NULL);
277 || EVP_PKEY_sign_init(sctx) <= 0)
280 /* set signature parameters */
281 ossl_param_bld_init(&bld);
282 if (!ossl_param_bld_push_utf8_string(&bld, OSSL_SIGNATURE_PARAM_DIGEST,
283 SN_sha256,strlen(SN_sha256) + 1))
285 params_sig = ossl_param_bld_to_param(&bld);
286 if (EVP_PKEY_CTX_set_params(sctx, params_sig) <= 0)
289 if (EVP_PKEY_sign(sctx, sig, &siglen, dgst, sizeof(dgst)) <= 0
290 || EVP_PKEY_verify_init(sctx) <= 0
291 || EVP_PKEY_verify(sctx, sig, siglen, dgst, sizeof(dgst)) <= 0)
295 ossl_param_bld_free(params);
296 ossl_param_bld_free(params_sig);
303 EVP_PKEY_CTX_free(kctx);
304 EVP_PKEY_CTX_free(sctx);
307 #endif /* OPENSSL_NO_DSA */
309 #ifndef OPENSSL_NO_DH
310 static int dh_key_exchange_test(OPENSSL_CTX *libctx)
313 BIGNUM *p = NULL, *q = NULL, *g = NULL;
314 BIGNUM *pub = NULL, *priv = NULL, *pub_peer = NULL;
315 unsigned char *kat_secret = NULL;
316 EVP_PKEY_CTX *kactx = NULL, *dctx = NULL;
317 EVP_PKEY *pkey = NULL, *peerkey = NULL;
318 OSSL_PARAM *params = NULL;
319 OSSL_PARAM *params_peer = NULL;
320 unsigned char secret[256];
321 size_t secret_len, kat_secret_len = 0;
325 static const char *dh_p_hex[] = {
326 "dcca1511b2313225f52116e1542789e001f0425bccc7f366f7406407f1c9fa8b"
327 "e610f1778bb170be39dbb76f85bf24ce6880adb7629f7c6d015e61d43fa3ee4d"
328 "e185f2cfd041ffde9d418407e15138bb021daeb35f762d1782acc658d32bd4b0"
329 "232c927dd38fa097b3d1859fa8acafb98f066608fc644ec7ddb6f08599f92ac1",
330 "b59825da8432077def695646063c20823c9507ab6f0176d4730d990dbbe6361c"
331 "d8b2b94d3d2f329b82099bd661f42950f403df3ede62a33188b02798ba823f44"
332 "b946fe9df677a0c5a1238eaa97b70f80da8cac88e092b1127060ffbf45579994"
333 "011dc2faa5e7f6c76245e1cc312231c17d1ca6b19007ef0db99f9cb60e1d5f69",
336 static const char *dh_q_hex[] = {
337 "898b226717ef039e603e82e5c7afe48374ac5f625c54f1ea11acb57d",
340 static const char *dh_g_hex[] = {
341 "5ef7b88f2df60139351dfbfe1266805fdf356cdfd13a4da0050c7ede"
342 "246df59f6abf96ade5f2b28ffe88d6bce7f7894a3d535fc82126ddd4"
343 "24872e16b838df8c51e9016f889c7c203e98a8b631f9c72563d38a49"
344 "589a0753d358e783318cefd9677c7b2dbb77d6dce2a1963795ca64b9",
345 "2d1c9aac6d0e8d431de5e50060dff78689c9eca1c1248c16ed09c7ad",
346 "412a17406d2b525aa1cabb237b9734ec7b8ce3fae02f29c5efed30d6"
347 "9187da109c2c9fe2aadbb0c22af54c616655000c431c6b4a379763b0"
348 "a91658efc84e8b06358c8b4f213710fd10172cf39b830c2dd84a0c8a"
349 "b82516ecab995fa4215e023e4ecf8074c39d6c88b70d1ee4e96fdc20",
353 static const char *dh_priv_hex[] = {
354 "1433e0b5a917b60a3023f2f8aa2c2d70d2968aba9aeac81540b8fce6",
357 static const char *dh_pub_hex[] = {
358 "95dd338d29e5710492b918317b72a36936e1951a2ee5a5591699c048"
359 "6d0d4f9bdd6d5a3f6b98890c62b37652d36e712111e68a7355372506"
360 "99efe330537391fbc2c548bc5ac3e5b23386c3eef5eb43c099d70a52"
361 "02687e83964248fca91f40908e8fb3319315f6d2606d7f7cd52cc6e7",
362 "c5843afb22519cf0f0f9d3a0a4e8c88899efede7364351fb6a363ee7"
363 "17e5445adab4c931a6483997b87dad83677e4d1d3a7775e0f6d00fdf"
364 "73c7ad801e665a0e5a796d0a0380a19fa182efc8a04f5e4db90d1a86"
365 "37f95db16436bdc8f3fc096c4ff7f234be8fef479ac4b0dc4b77263e",
366 "07d9959de0f1bf3f0ae3d9d50e4b89c99e3ea1217343dd8c6581acc4"
370 static const char *dh_peer_pub_hex[] = {
371 "1fc1da341d1a846a96b7be24340f877dd010aa0356d5ad58aae9c7b0"
372 "8f749a32235110b5d88eb5dbfa978d27ecc530f02d3114005b64b1c0"
373 "e024cb8ae21698bca9e60d42808622f181c56e1de7a96e6efee9d665"
374 "67e91b977042c7e3d0448f05fb77f522b9bfc8d33cc3c31ed3b31f0f",
375 "ecb6db4f6ea311e77afdbcd47aee1bb150f216873578fb96468e8f9f"
376 "3de8efbfce75624b1df05322a34f1463e839e8984c4ad0a96e1ac842"
377 "e5318cc23c062a8ca171b8d575980dde7fc56f1536523820d43192bf"
378 "d51e8e228978aca5b94472f339caeb9931b42be301268bc99789c9b2",
379 "5571c3c0e4cb3f007f1a511cbb53c8519cdd1302abca6c0f34f96739"
383 static const char *dh_secret_exptd_hex[] = {
384 "08ff33bb2ecff49a7d4a7912aeb1bb6ab511641b4a76770c8cc1bcc2"
385 "33343dfe700d11813d2c9ed23b211ca9e8786921edca283c68b16153"
386 "fa01e91ab82c90ddab4a95816770a98710e14c92ab83b6e46e1e426e"
387 "e852430d6187daa3720a6bcd73235c6b0f941f3364f50420551a4bfe",
388 "afe2bc438505a59a4a40daca7a895a73db575c74c13a23ad8832957d"
389 "582d38f0a6165fb0d7e9b8799e42fd3220e332e98185a0c9429757b2"
390 "d0d02c17dbaa1ff6ed93d7e73e241eaed90caf394d2bc6570f18c81f"
391 "2be5d01a2ca99ff142b5d963f9f500325e7556f95849b3ffc7479486",
392 "be1d4596a3106bd5cb4f61c57ec5f100fb7a0c82a10b82526a97d1d9"
397 if (!hextobn(dh_p_hex, &p)
398 || !hextobn(dh_q_hex, &q)
399 || !hextobn(dh_g_hex, &g)
400 || !hextobn(dh_pub_hex, &pub)
401 || !hextobn(dh_priv_hex, &priv)
402 || !hextobn(dh_peer_pub_hex, &pub_peer)
403 || !hextobin(dh_secret_exptd_hex, &kat_secret, &kat_secret_len))
406 ossl_param_bld_init(&bld);
407 if (!ossl_param_bld_push_BN(&bld, OSSL_PKEY_PARAM_FFC_P, p)
408 || !ossl_param_bld_push_BN(&bld, OSSL_PKEY_PARAM_FFC_Q, q)
409 || !ossl_param_bld_push_BN(&bld, OSSL_PKEY_PARAM_FFC_G, g)
410 || !ossl_param_bld_push_BN(&bld, OSSL_PKEY_PARAM_PUB_KEY, pub)
411 || !ossl_param_bld_push_BN(&bld, OSSL_PKEY_PARAM_PRIV_KEY, priv))
413 params = ossl_param_bld_to_param(&bld);
415 ossl_param_bld_init(&bld);
416 if (!ossl_param_bld_push_BN(&bld, OSSL_PKEY_PARAM_FFC_P, p)
417 || !ossl_param_bld_push_BN(&bld, OSSL_PKEY_PARAM_FFC_Q, q)
418 || !ossl_param_bld_push_BN(&bld, OSSL_PKEY_PARAM_FFC_G, g)
419 || !ossl_param_bld_push_BN(&bld, OSSL_PKEY_PARAM_PUB_KEY, pub_peer))
422 params_peer = ossl_param_bld_to_param(&bld);
423 if (params == NULL || params_peer == NULL)
426 /* Create a EVP_PKEY_CTX to load the DH keys into */
427 kactx = EVP_PKEY_CTX_new_from_name(libctx, "DH", "");
430 if (EVP_PKEY_key_fromdata_init(kactx) <= 0
431 || EVP_PKEY_fromdata(kactx, &pkey, params) <= 0)
433 if (EVP_PKEY_key_fromdata_init(kactx) <= 0
434 || EVP_PKEY_fromdata(kactx, &peerkey, params_peer) <= 0)
437 /* Create a EVP_PKEY_CTX to perform key derivation */
438 dctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, NULL);
442 if (EVP_PKEY_derive_init(dctx) <= 0
443 || EVP_PKEY_derive_set_peer(dctx, peerkey) <= 0
444 || EVP_PKEY_derive(dctx, secret, &secret_len) <= 0)
447 if (secret_len != kat_secret_len
448 || memcmp(secret, kat_secret, secret_len) != 0)
452 ossl_param_bld_free(params_peer);
453 ossl_param_bld_free(params);
460 OPENSSL_free(kat_secret);
462 EVP_PKEY_free(peerkey);
463 EVP_PKEY_CTX_free(kactx);
464 EVP_PKEY_CTX_free(dctx);
467 #endif /* OPENSSL_NO_DH */
469 /* TODO(3.0): To be removed */
470 static int dummy_evp_call(void *provctx)
472 OPENSSL_CTX *libctx = PROV_LIBRARY_CONTEXT_OF(provctx);
473 EVP_MD_CTX *ctx = EVP_MD_CTX_new();
474 EVP_MD *sha256 = EVP_MD_fetch(libctx, "SHA256", NULL);
475 EVP_KDF *kdf = EVP_KDF_fetch(libctx, OSSL_KDF_NAME_PBKDF2, NULL);
476 unsigned char dgst[SHA256_DIGEST_LENGTH];
477 unsigned int dgstlen;
479 BN_CTX *bnctx = NULL;
480 BIGNUM *a = NULL, *b = NULL;
481 unsigned char randbuf[128];
482 RAND_DRBG *drbg = OPENSSL_CTX_get0_public_drbg(libctx);
483 #ifndef OPENSSL_NO_EC
487 static const char msg[] = "Hello World!";
488 static const unsigned char exptd[] = {
489 0x7f, 0x83, 0xb1, 0x65, 0x7f, 0xf1, 0xfc, 0x53, 0xb9, 0x2d, 0xc1, 0x81,
490 0x48, 0xa1, 0xd6, 0x5d, 0xfc, 0x2d, 0x4b, 0x1f, 0xa3, 0xd6, 0x77, 0x28,
491 0x4a, 0xdd, 0xd2, 0x00, 0x12, 0x6d, 0x90, 0x69
494 if (ctx == NULL || sha256 == NULL || drbg == NULL || kdf == NULL)
497 if (!EVP_DigestInit_ex(ctx, sha256, NULL))
499 if (!EVP_DigestUpdate(ctx, msg, sizeof(msg) - 1))
501 if (!EVP_DigestFinal(ctx, dgst, &dgstlen))
503 if (dgstlen != sizeof(exptd) || memcmp(dgst, exptd, sizeof(exptd)) != 0)
506 bnctx = BN_CTX_new_ex(libctx);
510 a = BN_CTX_get(bnctx);
511 b = BN_CTX_get(bnctx);
517 || BN_cmp(a, b) != 0)
520 if (RAND_DRBG_bytes(drbg, randbuf, sizeof(randbuf)) <= 0)
523 if (!BN_rand_ex(a, 256, BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY, bnctx))
526 #ifndef OPENSSL_NO_EC
527 /* Do some dummy EC calls */
528 key = EC_KEY_new_by_curve_name_ex(libctx, NID_X9_62_prime256v1);
532 if (!EC_KEY_generate_key(key))
536 #ifndef OPENSSL_NO_DSA
537 if (!dsa_key_signature_test(libctx))
541 #ifndef OPENSSL_NO_DH
542 if (!dh_key_exchange_test(libctx))
544 #endif /* OPENSSL_NO_DH */
552 EVP_MD_CTX_free(ctx);
555 #ifndef OPENSSL_NO_EC
561 static const OSSL_PARAM *fips_gettable_params(const OSSL_PROVIDER *prov)
563 return fips_param_types;
566 static int fips_get_params(const OSSL_PROVIDER *prov, OSSL_PARAM params[])
570 p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_NAME);
571 if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "OpenSSL FIPS Provider"))
573 p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_VERSION);
574 if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_VERSION_STR))
576 p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_BUILDINFO);
577 if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_FULL_VERSION_STR))
583 /* FIPS specific version of the function of the same name in provlib.c */
584 const char *ossl_prov_util_nid_to_name(int nid)
586 /* We don't have OBJ_nid2n() in FIPS_MODE so we have an explicit list */
601 return "SHA-512/224";
603 return "SHA-512/256";
614 case NID_aes_256_ecb:
615 return "AES-256-ECB";
616 case NID_aes_192_ecb:
617 return "AES-192-ECB";
618 case NID_aes_128_ecb:
619 return "AES-128-ECB";
620 case NID_aes_256_cbc:
621 return "AES-256-CBC";
622 case NID_aes_192_cbc:
623 return "AES-192-CBC";
624 case NID_aes_128_cbc:
625 return "AES-128-CBC";
626 case NID_aes_256_ctr:
627 return "AES-256-CTR";
628 case NID_aes_192_ctr:
629 return "AES-192-CTR";
630 case NID_aes_128_ctr:
631 return "AES-128-CTR";
632 case NID_aes_256_xts:
633 return "AES-256-XTS";
634 case NID_aes_128_xts:
635 return "AES-128-XTS";
636 case NID_aes_256_gcm:
637 return "AES-256-GCM";
638 case NID_aes_192_gcm:
639 return "AES-192-GCM";
640 case NID_aes_128_gcm:
641 return "AES-128-GCM";
642 case NID_aes_256_ccm:
643 return "AES-256-CCM";
644 case NID_aes_192_ccm:
645 return "AES-192-CCM";
646 case NID_aes_128_ccm:
647 return "AES-128-CCM";
648 case NID_id_aes256_wrap:
649 return "AES-256-WRAP";
650 case NID_id_aes192_wrap:
651 return "AES-192-WRAP";
652 case NID_id_aes128_wrap:
653 return "AES-128-WRAP";
654 case NID_id_aes256_wrap_pad:
655 return "AES-256-WRAP-PAD";
656 case NID_id_aes192_wrap_pad:
657 return "AES-192-WRAP-PAD";
658 case NID_id_aes128_wrap_pad:
659 return "AES-128-WRAP-PAD";
660 case NID_des_ede3_ecb:
662 case NID_des_ede3_cbc:
663 return "DES-EDE3-CBC";
664 case NID_aes_256_cbc_hmac_sha256:
665 return "AES-256-CBC-HMAC-SHA256";
666 case NID_aes_128_cbc_hmac_sha256:
667 return "AES-128-CBC-HMAC-SHA256";
668 case NID_aes_256_cbc_hmac_sha1:
669 return "AES-256-CBC-HMAC-SHA1";
670 case NID_aes_128_cbc_hmac_sha1:
671 return "AES-128-CBC-HMAC-SHA1";
680 * For the algorithm names, we use the following formula for our primary
683 * ALGNAME[VERSION?][-SUBNAME[VERSION?]?][-SIZE?][-MODE?]
685 * VERSION is only present if there are multiple versions of
686 * an alg (MD2, MD4, MD5). It may be omitted if there is only
687 * one version (if a subsequent version is released in the future,
688 * we can always change the canonical name, and add the old name
691 * SUBNAME may be present where we are combining multiple
692 * algorithms together, e.g. MD5-SHA1.
694 * SIZE is only present if multiple versions of an algorithm exist
695 * with different sizes (e.g. AES-128-CBC, AES-256-CBC)
697 * MODE is only present where applicable.
699 * We add diverse other names where applicable, such as the names that
700 * NIST uses, or that are used for ASN.1 OBJECT IDENTIFIERs, or names
701 * we have used historically.
703 static const OSSL_ALGORITHM fips_digests[] = {
704 /* Our primary name:NiST name[:our older names] */
705 { "SHA1:SHA-1", "fips=yes", sha1_functions },
706 { "SHA2-224:SHA-224:SHA224", "fips=yes", sha224_functions },
707 { "SHA2-256:SHA-256:SHA256", "fips=yes", sha256_functions },
708 { "SHA2-384:SHA-384:SHA384", "fips=yes", sha384_functions },
709 { "SHA2-512:SHA-512:SHA512", "fips=yes", sha512_functions },
710 { "SHA2-512/224:SHA-512/224:SHA512-224", "fips=yes",
711 sha512_224_functions },
712 { "SHA2-512/256:SHA-512/256:SHA512-256", "fips=yes",
713 sha512_256_functions },
715 /* We agree with NIST here, so one name only */
716 { "SHA3-224", "fips=yes", sha3_224_functions },
717 { "SHA3-256", "fips=yes", sha3_256_functions },
718 { "SHA3-384", "fips=yes", sha3_384_functions },
719 { "SHA3-512", "fips=yes", sha3_512_functions },
721 * KECCAK-KMAC-128 and KECCAK-KMAC-256 as hashes are mostly useful for
722 * KMAC128 and KMAC256.
724 { "KECCAK-KMAC-128:KECCAK-KMAC128", "fips=yes", keccak_kmac_128_functions },
725 { "KECCAK-KMAC-256:KECCAK-KMAC256", "fips=yes", keccak_kmac_256_functions },
730 static const OSSL_ALGORITHM_CAPABLE fips_ciphers[] = {
731 /* Our primary name[:ASN.1 OID name][:our older names] */
732 ALG("AES-256-ECB", aes256ecb_functions),
733 ALG("AES-192-ECB", aes192ecb_functions),
734 ALG("AES-128-ECB", aes128ecb_functions),
735 ALG("AES-256-CBC", aes256cbc_functions),
736 ALG("AES-192-CBC", aes192cbc_functions),
737 ALG("AES-128-CBC", aes128cbc_functions),
738 ALG("AES-256-CTR", aes256ctr_functions),
739 ALG("AES-192-CTR", aes192ctr_functions),
740 ALG("AES-128-CTR", aes128ctr_functions),
741 ALG("AES-256-XTS", aes256xts_functions),
742 ALG("AES-128-XTS", aes128xts_functions),
743 ALG("AES-256-GCM:id-aes256-GCM", aes256gcm_functions),
744 ALG("AES-192-GCM:id-aes192-GCM", aes192gcm_functions),
745 ALG("AES-128-GCM:id-aes128-GCM", aes128gcm_functions),
746 ALG("AES-256-CCM:id-aes256-CCM", aes256ccm_functions),
747 ALG("AES-192-CCM:id-aes192-CCM", aes192ccm_functions),
748 ALG("AES-128-CCM:id-aes128-CCM", aes128ccm_functions),
749 ALG("AES-256-WRAP:id-aes256-wrap:AES256-WRAP", aes256wrap_functions),
750 ALG("AES-192-WRAP:id-aes192-wrap:AES192-WRAP", aes192wrap_functions),
751 ALG("AES-128-WRAP:id-aes128-wrap:AES128-WRAP", aes128wrap_functions),
752 ALG("AES-256-WRAP-PAD:id-aes256-wrap-pad:AES256-WRAP-PAD",
753 aes256wrappad_functions),
754 ALG("AES-192-WRAP-PAD:id-aes192-wrap-pad:AES192-WRAP-PAD",
755 aes192wrappad_functions),
756 ALG("AES-128-WRAP-PAD:id-aes128-wrap-pad:AES128-WRAP-PAD",
757 aes128wrappad_functions),
758 ALGC("AES-128-CBC-HMAC-SHA1", aes128cbc_hmac_sha1_functions,
759 cipher_capable_aes_cbc_hmac_sha1),
760 ALGC("AES-256-CBC-HMAC-SHA1", aes256cbc_hmac_sha1_functions,
761 cipher_capable_aes_cbc_hmac_sha1),
762 ALGC("AES-128-CBC-HMAC-SHA256", aes128cbc_hmac_sha256_functions,
763 cipher_capable_aes_cbc_hmac_sha256),
764 ALGC("AES-256-CBC-HMAC-SHA256", aes256cbc_hmac_sha256_functions,
765 cipher_capable_aes_cbc_hmac_sha256),
766 #ifndef OPENSSL_NO_DES
767 ALG("DES-EDE3-ECB:DES-EDE3", tdes_ede3_ecb_functions),
768 ALG("DES-EDE3-CBC:DES3", tdes_ede3_cbc_functions),
769 #endif /* OPENSSL_NO_DES */
770 { { NULL, NULL, NULL }, NULL }
772 static OSSL_ALGORITHM exported_fips_ciphers[OSSL_NELEM(fips_ciphers)];
774 static const OSSL_ALGORITHM fips_macs[] = {
775 #ifndef OPENSSL_NO_CMAC
776 { "CMAC", "fips=yes", cmac_functions },
778 { "GMAC", "fips=yes", gmac_functions },
779 { "HMAC", "fips=yes", hmac_functions },
780 { "KMAC-128:KMAC128", "fips=yes", kmac128_functions },
781 { "KMAC-256:KMAC256", "fips=yes", kmac256_functions },
785 static const OSSL_ALGORITHM fips_kdfs[] = {
786 { "HKDF", "fips=yes", kdf_hkdf_functions },
787 { "SSKDF", "fips=yes", kdf_sskdf_functions },
788 { "PBKDF2", "fips=yes", kdf_pbkdf2_functions },
789 { "TLS1-PRF", "fips=yes", kdf_tls1_prf_functions },
790 { "KBKDF", "fips=yes", kdf_kbkdf_functions },
794 static const OSSL_ALGORITHM fips_keyexch[] = {
795 #ifndef OPENSSL_NO_DH
796 { "DH:dhKeyAgreement", "fips=yes", dh_keyexch_functions },
801 static const OSSL_ALGORITHM fips_signature[] = {
802 #ifndef OPENSSL_NO_DSA
803 { "DSA:dsaEncryption", "fips=yes", dsa_signature_functions },
808 static const OSSL_ALGORITHM fips_keymgmt[] = {
809 #ifndef OPENSSL_NO_DH
810 { "DH:dhKeyAgreement", "fips=yes", dh_keymgmt_functions },
812 #ifndef OPENSSL_NO_DSA
813 { "DSA", "fips=yes", dsa_keymgmt_functions },
818 static const OSSL_ALGORITHM *fips_query(OSSL_PROVIDER *prov,
823 switch (operation_id) {
827 ossl_prov_cache_exported_algorithms(fips_ciphers, exported_fips_ciphers);
828 return exported_fips_ciphers;
833 case OSSL_OP_KEYMGMT:
835 case OSSL_OP_KEYEXCH:
837 case OSSL_OP_SIGNATURE:
838 return fips_signature;
843 /* Functions we provide to the core */
844 static const OSSL_DISPATCH fips_dispatch_table[] = {
846 * To release our resources we just need to free the OPENSSL_CTX so we just
847 * use OPENSSL_CTX_free directly as our teardown function
849 { OSSL_FUNC_PROVIDER_TEARDOWN, (void (*)(void))OPENSSL_CTX_free },
850 { OSSL_FUNC_PROVIDER_GETTABLE_PARAMS, (void (*)(void))fips_gettable_params },
851 { OSSL_FUNC_PROVIDER_GET_PARAMS, (void (*)(void))fips_get_params },
852 { OSSL_FUNC_PROVIDER_QUERY_OPERATION, (void (*)(void))fips_query },
856 /* Functions we provide to ourself */
857 static const OSSL_DISPATCH intern_dispatch_table[] = {
858 { OSSL_FUNC_PROVIDER_QUERY_OPERATION, (void (*)(void))fips_query },
863 int OSSL_provider_init(const OSSL_PROVIDER *provider,
864 const OSSL_DISPATCH *in,
865 const OSSL_DISPATCH **out,
870 OSSL_self_test_cb_fn *stcbfn = NULL;
871 OSSL_core_get_library_context_fn *c_get_libctx = NULL;
873 for (; in->function_id != 0; in++) {
874 switch (in->function_id) {
875 case OSSL_FUNC_CORE_GET_LIBRARY_CONTEXT:
876 c_get_libctx = OSSL_get_core_get_library_context(in);
878 case OSSL_FUNC_CORE_GETTABLE_PARAMS:
879 c_gettable_params = OSSL_get_core_gettable_params(in);
881 case OSSL_FUNC_CORE_GET_PARAMS:
882 c_get_params = OSSL_get_core_get_params(in);
884 case OSSL_FUNC_CORE_THREAD_START:
885 c_thread_start = OSSL_get_core_thread_start(in);
887 case OSSL_FUNC_CORE_NEW_ERROR:
888 c_new_error = OSSL_get_core_new_error(in);
890 case OSSL_FUNC_CORE_SET_ERROR_DEBUG:
891 c_set_error_debug = OSSL_get_core_set_error_debug(in);
893 case OSSL_FUNC_CORE_VSET_ERROR:
894 c_vset_error = OSSL_get_core_vset_error(in);
896 case OSSL_FUNC_CORE_SET_ERROR_MARK:
897 c_set_error_mark = OSSL_get_core_set_error_mark(in);
899 case OSSL_FUNC_CORE_CLEAR_LAST_ERROR_MARK:
900 c_clear_last_error_mark = OSSL_get_core_clear_last_error_mark(in);
902 case OSSL_FUNC_CORE_POP_ERROR_TO_MARK:
903 c_pop_error_to_mark = OSSL_get_core_pop_error_to_mark(in);
905 case OSSL_FUNC_CRYPTO_MALLOC:
906 c_CRYPTO_malloc = OSSL_get_CRYPTO_malloc(in);
908 case OSSL_FUNC_CRYPTO_ZALLOC:
909 c_CRYPTO_zalloc = OSSL_get_CRYPTO_zalloc(in);
911 case OSSL_FUNC_CRYPTO_FREE:
912 c_CRYPTO_free = OSSL_get_CRYPTO_free(in);
914 case OSSL_FUNC_CRYPTO_CLEAR_FREE:
915 c_CRYPTO_clear_free = OSSL_get_CRYPTO_clear_free(in);
917 case OSSL_FUNC_CRYPTO_REALLOC:
918 c_CRYPTO_realloc = OSSL_get_CRYPTO_realloc(in);
920 case OSSL_FUNC_CRYPTO_CLEAR_REALLOC:
921 c_CRYPTO_clear_realloc = OSSL_get_CRYPTO_clear_realloc(in);
923 case OSSL_FUNC_CRYPTO_SECURE_MALLOC:
924 c_CRYPTO_secure_malloc = OSSL_get_CRYPTO_secure_malloc(in);
926 case OSSL_FUNC_CRYPTO_SECURE_ZALLOC:
927 c_CRYPTO_secure_zalloc = OSSL_get_CRYPTO_secure_zalloc(in);
929 case OSSL_FUNC_CRYPTO_SECURE_FREE:
930 c_CRYPTO_secure_free = OSSL_get_CRYPTO_secure_free(in);
932 case OSSL_FUNC_CRYPTO_SECURE_CLEAR_FREE:
933 c_CRYPTO_secure_clear_free = OSSL_get_CRYPTO_secure_clear_free(in);
935 case OSSL_FUNC_CRYPTO_SECURE_ALLOCATED:
936 c_CRYPTO_secure_allocated = OSSL_get_CRYPTO_secure_allocated(in);
938 case OSSL_FUNC_BIO_NEW_FILE:
939 selftest_params.bio_new_file_cb = OSSL_get_BIO_new_file(in);
941 case OSSL_FUNC_BIO_NEW_MEMBUF:
942 selftest_params.bio_new_buffer_cb = OSSL_get_BIO_new_membuf(in);
944 case OSSL_FUNC_BIO_READ_EX:
945 selftest_params.bio_read_ex_cb = OSSL_get_BIO_read_ex(in);
947 case OSSL_FUNC_BIO_FREE:
948 selftest_params.bio_free_cb = OSSL_get_BIO_free(in);
950 case OSSL_FUNC_SELF_TEST_CB: {
951 stcbfn = OSSL_get_self_test_cb(in);
955 /* Just ignore anything we don't understand */
960 if (stcbfn != NULL && c_get_libctx != NULL) {
961 stcbfn(c_get_libctx(provider), &selftest_params.event_cb,
962 &selftest_params.event_cb_arg);
965 selftest_params.event_cb = NULL;
966 selftest_params.event_cb_arg = NULL;
969 if (!c_get_params(provider, core_params))
972 /* Create a context. */
973 if ((ctx = OPENSSL_CTX_new()) == NULL)
975 if ((fgbl = openssl_ctx_get_data(ctx, OPENSSL_CTX_FIPS_PROV_INDEX,
976 &fips_prov_ossl_ctx_method)) == NULL) {
977 OPENSSL_CTX_free(ctx);
981 fgbl->prov = provider;
983 selftest_params.libctx = PROV_LIBRARY_CONTEXT_OF(ctx);
984 if (!SELF_TEST_post(&selftest_params, 0)) {
985 OPENSSL_CTX_free(ctx);
990 * TODO(3.0): Remove me. This is just a dummy call to demonstrate making
991 * EVP calls from within the FIPS module.
993 if (!dummy_evp_call(ctx)) {
994 OPENSSL_CTX_free(ctx);
998 *out = fips_dispatch_table;
1005 * The internal init function used when the FIPS module uses EVP to call
1006 * another algorithm also in the FIPS module. This is a recursive call that has
1007 * been made from within the FIPS module itself. To make this work, we populate
1008 * the provider context of this inner instance with the same library context
1009 * that was used in the EVP call that initiated this recursive call.
1011 OSSL_provider_init_fn fips_intern_provider_init;
1012 int fips_intern_provider_init(const OSSL_PROVIDER *provider,
1013 const OSSL_DISPATCH *in,
1014 const OSSL_DISPATCH **out,
1017 OSSL_core_get_library_context_fn *c_get_libctx = NULL;
1019 for (; in->function_id != 0; in++) {
1020 switch (in->function_id) {
1021 case OSSL_FUNC_CORE_GET_LIBRARY_CONTEXT:
1022 c_get_libctx = OSSL_get_core_get_library_context(in);
1029 if (c_get_libctx == NULL)
1032 *provctx = c_get_libctx(provider);
1035 * Safety measure... we should get the library context that was
1036 * created up in OSSL_provider_init().
1038 if (*provctx == NULL)
1041 *out = intern_dispatch_table;
1050 void ERR_set_debug(const char *file, int line, const char *func)
1052 c_set_error_debug(NULL, file, line, func);
1055 void ERR_set_error(int lib, int reason, const char *fmt, ...)
1059 va_start(args, fmt);
1060 c_vset_error(NULL, ERR_PACK(lib, 0, reason), fmt, args);
1064 void ERR_vset_error(int lib, int reason, const char *fmt, va_list args)
1066 c_vset_error(NULL, ERR_PACK(lib, 0, reason), fmt, args);
1069 int ERR_set_mark(void)
1071 return c_set_error_mark(NULL);
1074 int ERR_clear_last_mark(void)
1076 return c_clear_last_error_mark(NULL);
1079 int ERR_pop_to_mark(void)
1081 return c_pop_error_to_mark(NULL);
1084 const OSSL_PROVIDER *FIPS_get_provider(OPENSSL_CTX *ctx)
1086 FIPS_GLOBAL *fgbl = openssl_ctx_get_data(ctx, OPENSSL_CTX_FIPS_PROV_INDEX,
1087 &fips_prov_ossl_ctx_method);
1095 void *CRYPTO_malloc(size_t num, const char *file, int line)
1097 return c_CRYPTO_malloc(num, file, line);
1100 void *CRYPTO_zalloc(size_t num, const char *file, int line)
1102 return c_CRYPTO_zalloc(num, file, line);
1105 void CRYPTO_free(void *ptr, const char *file, int line)
1107 c_CRYPTO_free(ptr, file, line);
1110 void CRYPTO_clear_free(void *ptr, size_t num, const char *file, int line)
1112 c_CRYPTO_clear_free(ptr, num, file, line);
1115 void *CRYPTO_realloc(void *addr, size_t num, const char *file, int line)
1117 return c_CRYPTO_realloc(addr, num, file, line);
1120 void *CRYPTO_clear_realloc(void *addr, size_t old_num, size_t num,
1121 const char *file, int line)
1123 return c_CRYPTO_clear_realloc(addr, old_num, num, file, line);
1126 void *CRYPTO_secure_malloc(size_t num, const char *file, int line)
1128 return c_CRYPTO_secure_malloc(num, file, line);
1131 void *CRYPTO_secure_zalloc(size_t num, const char *file, int line)
1133 return c_CRYPTO_secure_zalloc(num, file, line);
1136 void CRYPTO_secure_free(void *ptr, const char *file, int line)
1138 c_CRYPTO_secure_free(ptr, file, line);
1141 void CRYPTO_secure_clear_free(void *ptr, size_t num, const char *file, int line)
1143 c_CRYPTO_secure_clear_free(ptr, num, file, line);
1146 int CRYPTO_secure_allocated(const void *ptr)
1148 return c_CRYPTO_secure_allocated(ptr);