Cleanups for FIPS options..

The options in fipsprov.c are now generated using macros with fips_indicator_params.inc.
This should keep the naming consistent.

Some FIPS related he

Cleanups for FIPS options..

The options in fipsprov.c are now generated using macros with fips_indicator_params.inc.
This should keep the naming consistent.

Some FIPS related headers have moved to providers/fips/include so that
they can use fips_indicator_params.inc.
securitycheck.h now includes fipsindicator.h, and fipsindicator.h includes
fipscommon.h.

fipsinstall.c uses OSSL_PROV_PARAM_ for the configurable FIPS options rather than
using OSSL_PROV_FIPS_PARAM_* as this was confusing as to which one should be used.
fips_names.h just uses aliases now for existing public names.

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25162)

show more ...

Amend the design of AlgorithmIdentifier parameter passing

I realised that any application that passes AlgorithmIdentifier parameters
to and from a provider may also be interested in the

Amend the design of AlgorithmIdentifier parameter passing

I realised that any application that passes AlgorithmIdentifier parameters
to and from a provider may also be interested in the full AlgorithmIdentifier
of the implementation invocation.

Likewise, any application that wants to get the full AlgorithmIdentifier
from an implementation invocation may also want to pass AlgorithmIdentifier
parameters to that same implementation invocation.

These amendments should be useful to cover all intended uses of the legacy
ctrls for PKCS7 and CMS:

- EVP_PKEY_CTRL_PKCS7_ENCRYPT
- EVP_PKEY_CTRL_PKCS7_DECRYPT
- EVP_PKEY_CTRL_PKCS7_SIGN
- EVP_PKEY_CTRL_CMS_ENCRYPT
- EVP_PKEY_CTRL_CMS_DECRYPT
- EVP_PKEY_CTRL_CMS_SIGN

It should also cover a number of other cases that were previously implemented
through EVP_PKEY_ASN1_METHOD, as well as all sorts of other cases where the
application has had to assemble a X509_ALGOR on their own.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25000)

show more ...

param: add OSSL_SIGNATURE_PARAM_FIPS_VERIFY_MESSAGE parameter name

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https:

param: add OSSL_SIGNATURE_PARAM_FIPS_VERIFY_MESSAGE parameter name

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/25211)

show more ...

Add FIPS KMAC key check

This adds a FIPS indicator for KMAC key size.
Note that 112 bits keys are still smaller than the
sizes required to reach 128 bits for KMAC128 and
256 bits

Add FIPS KMAC key check

This adds a FIPS indicator for KMAC key size.
Note that 112 bits keys are still smaller than the
sizes required to reach 128 bits for KMAC128 and
256 bits for KMAC256

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25049)

show more ...

Add HMAC FIPS keysize check.

HMAC has been changed to use a FIPS indicator for its key check.

HKDF and Single Step use a salt rather than a key when using HMAC,
so we need a mec

Add HMAC FIPS keysize check.

HMAC has been changed to use a FIPS indicator for its key check.

HKDF and Single Step use a salt rather than a key when using HMAC,
so we need a mechanism to bypass this check in HMAC.

A seperate 'internal' query table has been added to the FIPS provider
for MACS. Giving HMAC a seprate dispatch table allows KDF's to ignore
the key check. If a KDF requires the key check then it must do the
check itself. The normal MAC dipatch table is used if the user fetches
HMAC directly.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25049)

show more ...

Implement functionality for direct use of composite signature algorithms

The following API groups are extended with a new init function, as well
as an update and final function, to allow

Implement functionality for direct use of composite signature algorithms

The following API groups are extended with a new init function, as well
as an update and final function, to allow the use of explicitly fetched
signature implementations for any composite signature algorithm, like
"sha1WithRSAEncryption":

- EVP_PKEY_sign
- EVP_PKEY_verify
- EVP_PKEY_verify_recover

To support this, providers are required to add a few new functions, not
the least one that declares what key types an signature implementation
supports.

While at this, the validity check in evp_signature_from_algorithm() is
also refactored; the SIGNATURE provider functionality is too complex for
counters. It's better, or at least more readable, to check function
combinations.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23416)

show more ...

Add an indicator for AES GCM that returns if the iv has been generated
internally.

This is not using a strict check since there may be applications that
require the IV to be generate

Add an indicator for AES GCM that returns if the iv has been generated
internally.

This is not using a strict check since there may be applications that
require the IV to be generated externally (e.g. java).

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25178)

show more ...

Revert "param: add OSSL_SIGNATURE_PARAM_EDDSA_VERIFY_DIGESTED"

This reverts commit 5abd7e5f796a9564c5f020053833deee1b9f7c6e.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>

Revert "param: add OSSL_SIGNATURE_PARAM_EDDSA_VERIFY_DIGESTED"

This reverts commit 5abd7e5f796a9564c5f020053833deee1b9f7c6e.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25192)

show more ...

Add FIPS Indicator for ECDH cofactor.

FIPS KAS requires use of ECC CDH.

The EC 'B' and 'K' curves have a cofactor that is not 1, and this
MUST be multiplied by the private key w

Add FIPS Indicator for ECDH cofactor.

FIPS KAS requires use of ECC CDH.

The EC 'B' and 'K' curves have a cofactor that is not 1, and this
MUST be multiplied by the private key when deriving the shared secret.

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25139)

show more ...

Restrict salt length for RSA-PSS in the FIPS provider

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/o

Restrict salt length for RSA-PSS in the FIPS provider

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25115)

show more ...

params: add kbkdf key check param

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull

params: add kbkdf key check param

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/25095)

show more ...

param: add ASYM_CIPHER_PARAM_PKCS15_PADDING_DISABLED

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://githu

param: add ASYM_CIPHER_PARAM_PKCS15_PADDING_DISABLED

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25070)

show more ...

param: add OSSL_SIGNATURE_PARAM_EDDSA_VERIFY_DIGESTED

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/

param: add OSSL_SIGNATURE_PARAM_EDDSA_VERIFY_DIGESTED

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/25032)

show more ...

Disallow DSA Keygen in the FIPS provider

This uses a FIPS indicator.
Since DSA KeyGen is only useful for DSA signing,
it reuses the DSA signing FIPS configuration option and settable

Disallow DSA Keygen in the FIPS provider

This uses a FIPS indicator.
Since DSA KeyGen is only useful for DSA signing,
it reuses the DSA signing FIPS configuration option and settable ctx name.

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24978)

show more ...

Add new configurable item `pbkdf2-lower-bound-check`

Since FIPS provider performs lower bound check by default from v3.0, the
default value for new configurable item will be one.

Add new configurable item `pbkdf2-lower-bound-check`

Since FIPS provider performs lower bound check by default from v3.0, the
default value for new configurable item will be one.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24120)

show more ...

ssl_evp_cipher_fetch(): Avoid using 3DES from the FIPS provider

Avoid using a fetched cipher that is decrypt-only
which is the case for 3DES from the fips provider.

Add a decryp

ssl_evp_cipher_fetch(): Avoid using 3DES from the FIPS provider

Avoid using a fetched cipher that is decrypt-only
which is the case for 3DES from the fips provider.

Add a decrypt-only parameter to the EVP_CIPHER and test it
in libssl when fetching.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25028)

show more ...

Restrict the length of key-derivation key used in KDFs

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/o

Restrict the length of key-derivation key used in KDFs

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/23900)

show more ...

Add RSA Signature restrictions for X9.31 padding in the FIPS provider.

In FIPS 140-3, RSA Signing with X9.31 padding is not approved,
but verification is allowed for legacy purposes. An

Add RSA Signature restrictions for X9.31 padding in the FIPS provider.

In FIPS 140-3, RSA Signing with X9.31 padding is not approved,
but verification is allowed for legacy purposes. An indicator has been added
for RSA signing with X9.31 padding.

A strict restriction on the size of the RSA modulus has been added
i.e. It must be 1024 + 256 * s (which is part of the ANSI X9.31 spec).

Added implementation comments to the X9.31 padding code

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/24021)

show more ...

Add FIPS indicator support for Triple-DES encryption.

This leaves 3DES with the FIPS query "FIPS=yes", which allows
Triple-DES to be used for Decryption by default.

Disallow CMA

Add FIPS indicator support for Triple-DES encryption.

This leaves 3DES with the FIPS query "FIPS=yes", which allows
Triple-DES to be used for Decryption by default.

Disallow CMAC using Triple-DES in FIPS.
This does not use a FIPS indicator.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/24960)

show more ...

paramnames: add params for no-short-mac option

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/op

paramnames: add params for no-short-mac option

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/24917)

show more ...

Disable DSA signing in the FIPS provider.

This is a FIPS 140-3 requirement.
This uses a FIP indicator if either the FIPS configurable "dsa_sign_disabled" is set to 0,
OR OSSL_SIGNATU

Disable DSA signing in the FIPS provider.

This is a FIPS 140-3 requirement.
This uses a FIP indicator if either the FIPS configurable "dsa_sign_disabled" is set to 0,
OR OSSL_SIGNATURE_PARAM_FIPS_SIGN_CHECK is set to 0 in the dsa signing context.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24799)

show more ...

Restrict digest algorithm used in KDFs

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/

Restrict digest algorithm used in KDFs

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23889)

show more ...

Add FIPS indicator for TEST-RAND

The indicator is always non-FIPS, since this is used for internal tasks and
hasn't been validated.

Reviewed-by: Shane Lontis <shane.lontis@oracl

Add FIPS indicator for TEST-RAND

The indicator is always non-FIPS, since this is used for internal tasks and
hasn't been validated.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/24851)

show more ...

Change all existing FIPS configurable checks to use FIPS indicators.

This changes the logic to always do the security checks and then decide
what to do based on if this passes or not. Fa

Change all existing FIPS configurable checks to use FIPS indicators.

This changes the logic to always do the security checks and then decide
what to do based on if this passes or not. Failure of a check causes
either a failure OR the FIPS indicator callback to be triggered.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24623)

show more ...

Extend TLSv1.3 record layer padding API calls

Added SSL_set_block_padding_ex() and SSL_CTX_set_block_padding_ex()
to allow separate padding block size values for handshake messages
a

Extend TLSv1.3 record layer padding API calls

Added SSL_set_block_padding_ex() and SSL_CTX_set_block_padding_ex()
to allow separate padding block size values for handshake messages
and application data messages.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24796)

show more ...