FIPS providers need to specify identifiable names and versions. Allow
to customize the fips provider name prefix, via VERSION.dat which
already allows to customize version & buildinfo. With this patch
in-place it removes the need of patching code to set customized
provider name.
E.g. echo FIPS_VENDOR=ACME >> VERSION.dat, results in
```
$ OPENSSL_CONF=fips-and-base.cnf ../util/wrap.pl ../apps/openssl list -providers --verbose
Providers:
base
name: OpenSSL Base Provider
version: 3.4.0
status: active
build info: 3.4.0-dev
gettable provider parameters:
name: pointer to a UTF8 encoded string (arbitrary size)
version: pointer to a UTF8 encoded string (arbitrary size)
buildinfo: pointer to a UTF8 encoded string (arbitrary size)
status: integer (arbitrary size)
fips
name: ACME FIPS Provider for OpenSSL
version: 3.4.0
status: active
build info: 3.4.0-dev
gettable provider parameters:
name: pointer to a UTF8 encoded string (arbitrary size)
version: pointer to a UTF8 encoded string (arbitrary size)
buildinfo: pointer to a UTF8 encoded string (arbitrary size)
status: integer (arbitrary size)
security-checks: integer (arbitrary size)
tls1-prf-ems-check: integer (arbitrary size)
drbg-no-trunc-md: integer (arbitrary size)
```
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24368)
If you are building the latest release source code with enable-fips configured
then the FIPS provider you are using is not likely to be FIPS compliant.
This update demonstrates how to build a FIPS provider that is compliant
and use it with the latest source code.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20907)
This also links back to the new location that lists the cert and
security policy.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19617)
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/19262)
Note that configuration and installation procedure has changed:
- The FIPS provider is now disabled by default and needs to
be enabled by configuring with `enable-fips`.
- If the FIPS provider is enabled, it gets installed automatically.
There is no extra installation step required anymore.
This is more natural and coincides with the expectation of the
user, namely "what's configured, gets installed".
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13684)
The README-FIPS.md file was still the one used from 1.1.1. We update it
with 3.0 specific information.
Fixes#14237
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14575)
