mirror of
https://github.com/openssl/openssl.git
synced 2024-12-27 06:21:43 +08:00
3fed27181a
Fixes #14807 Compliance with IG 9.4 requires that an inverse cipher function be tested if one is implemented. Just running AES_GCM encrypt/decrypt does not meet this requirement (Since only ECB, CBC, XTS, KW, KWP support the inverse function during decryption mode). Added a mode to the cipher test so that the AES_GCM only does an encrypt and AES_ECB only does a decrypt. TDES still does both. Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14825)
404 lines
9.9 KiB
Plaintext
404 lines
9.9 KiB
Plaintext
=pod
|
|
|
|
=head1 NAME
|
|
|
|
OSSL_PROVIDER-FIPS - OpenSSL FIPS provider
|
|
|
|
=head1 DESCRIPTION
|
|
|
|
The OpenSSL FIPS provider is a special provider that conforms to the Federal
|
|
Information Processing Standards (FIPS) specified in FIPS 140-2. This 'module'
|
|
contains an approved set of cryptographic algorithms that is validated by an
|
|
accredited testing laboratory.
|
|
|
|
=head2 Properties
|
|
|
|
The implementations in this provider specifically have these properties
|
|
defined:
|
|
|
|
=over 4
|
|
|
|
=item "provider=default"
|
|
|
|
=item "fips=yes"
|
|
|
|
=back
|
|
|
|
It may be used in a property query string with fetching functions such as
|
|
L<EVP_MD_fetch(3)> or L<EVP_CIPHER_fetch(3)>, as well as with other
|
|
functions that take a property query string, such as
|
|
L<EVP_PKEY_CTX_new_from_name(3)>.
|
|
|
|
It isn't mandatory to query for any of these properties, except to
|
|
make sure to get implementations of this provider and none other.
|
|
|
|
The "fips=yes" property can be use to make sure only FIPS approved
|
|
implementations are used for crypto operations. This may also include
|
|
other non-crypto support operations that are not in the fips provider,
|
|
such as asymmetric key encoders,
|
|
see L<OSSL_PROVIDER-default(7)/Asymmetric Key Management>.
|
|
|
|
=head1 OPERATIONS AND ALGORITHMS
|
|
|
|
The OpenSSL FIPS provider supports these operations and algorithms:
|
|
|
|
=head2 Hashing Algorithms / Message Digests
|
|
|
|
=over 4
|
|
|
|
=item SHA1, see L<EVP_MD-SHA1(7)>
|
|
|
|
=item SHA2, see L<EVP_MD-SHA2(7)>
|
|
|
|
=item SHA3, see L<EVP_MD-SHA3(7)>
|
|
|
|
=item KECCAK-KMAC, see L<EVP_MD-KECCAK-KMAC(7)>
|
|
|
|
=back
|
|
|
|
=head2 Symmetric Ciphers
|
|
|
|
=over 4
|
|
|
|
=item AES, see L<EVP_CIPHER-AES(7)>
|
|
|
|
=item DES-EDE3 (TrippleDES), see L<EVP_CIPHER-DES(7)>
|
|
|
|
=back
|
|
|
|
=head2 Message Authentication Code (MAC)
|
|
|
|
=over 4
|
|
|
|
=item CMAC, see L<EVP_MAC-CMAC(7)>
|
|
|
|
=item GMAC, see L<EVP_MAC-GMAC(7)>
|
|
|
|
=item HMAC, see L<EVP_MAC-HMAC(7)>
|
|
|
|
=item KMAC, see L<EVP_MAC-KMAC(7)>
|
|
|
|
=back
|
|
|
|
=head2 Key Derivation Function (KDF)
|
|
|
|
=over 4
|
|
|
|
=item HKDF, see L<EVP_KDF-HKDF(7)>
|
|
|
|
=item SSKDF, see L<EVP_KDF-SSKDF(7)>
|
|
|
|
=item PBKDF2, see L<EVP_KDF-PBKDF2(7)>
|
|
|
|
=item SSHKDF, see L<EVP_KDF-SSHKDF(7)>
|
|
|
|
=item TLS1-PRF, see L<EVP_KDF-TLS1-PRF(7)>
|
|
|
|
=item KBKDF, see L<EVP_KDF-KBKDF(7)>
|
|
|
|
=item X942KDF-ASN1, see L<EVP_KDF-X942-ASN1(7)>
|
|
|
|
=item X942KDF-CONCAT, see L<EVP_KDF-X942-CONCAT(7)>
|
|
|
|
=item X963KDF, see L<EVP_KDF-X963(7)>
|
|
|
|
=back
|
|
|
|
=head2 Key Exchange
|
|
|
|
=over 4
|
|
|
|
=item DH, see L<EVP_KEYEXCH-DH(7)>
|
|
|
|
=item ECDH, see L<EVP_KEYEXCH-ECDH(7)>
|
|
|
|
=item X25519, see L<EVP_KEYEXCH-X25519(7)>
|
|
|
|
This has the property "provider=fips,fips=no"
|
|
|
|
=item X448, see L<EVP_KEYEXCH-X448(7)>
|
|
|
|
This has the property "provider=fips,fips=no"
|
|
|
|
=back
|
|
|
|
=head2 Asymmetric Signature
|
|
|
|
=over 4
|
|
|
|
=item DSA, see L<EVP_KEYEXCH-DSA(7)>
|
|
|
|
=item RSA, see L<EVP_SIGNATURE-RSA(7)>
|
|
|
|
=item HMAC, see L<EVP_SIGNATURE-HMAC(7)>
|
|
|
|
=item CMAC, see L<EVP_SIGNATURE-CMAC(7)>
|
|
|
|
=back
|
|
|
|
=head2 Asymmetric Cipher
|
|
|
|
=over 4
|
|
|
|
=item RSA, see L<EVP_KEYEXCH-RSA(7)>
|
|
|
|
=back
|
|
|
|
=head2 Asymmetric Key Encapsulation
|
|
|
|
=over 4
|
|
|
|
=item RSA, see L<EVP_KEM-RSA(7)>
|
|
|
|
=back
|
|
|
|
=head2 Asymmetric Key Management
|
|
|
|
=over 4
|
|
|
|
=item DH, see L<EVP_KEYMGMT-DH(7)>
|
|
|
|
=item DSA, see L<EVP_KEYMGMT-DSA(7)>
|
|
|
|
=item RSA, see L<EVP_KEYMGMT-RSA(7)>
|
|
|
|
=back
|
|
|
|
=head1 SELF TESTING
|
|
|
|
One of the requirements for the FIPS module is self testing. An optional callback
|
|
mechanism is available to return information to the user using
|
|
L<OSSL_SELF_TEST_set_callback(3)>.
|
|
|
|
The parameters passed to the callback are described in L<OSSL_SELF_TEST_new(3)>
|
|
|
|
The OpenSSL FIPS module uses the following mechanism to provide information
|
|
about the self tests as they run.
|
|
This is useful for debugging if a self test is failing.
|
|
The callback also allows forcing any self test to fail, in order to check that
|
|
it operates correctly on failure.
|
|
Note that all self tests run even if a self test failure occurs.
|
|
|
|
The FIPS module passes the following type(s) to OSSL_SELF_TEST_onbegin().
|
|
|
|
=over 4
|
|
|
|
=item "Module_Integrity" (B<OSSL_SELF_TEST_TYPE_MODULE_INTEGRITY>)
|
|
|
|
Uses HMAC SHA256 on the module file to validate that the module has not been
|
|
modified. The integrity value is compared to a value written to a configuration
|
|
file during installation.
|
|
|
|
=item "Install_Integrity" (B<OSSL_SELF_TEST_TYPE_INSTALL_INTEGRITY>)
|
|
|
|
Uses HMAC SHA256 on a fixed string to validate that the installation process
|
|
has already been performed and the self test KATS have already been tested,
|
|
The integrity value is compared to a value written to a configuration
|
|
file after successfully running the self tests during installation.
|
|
|
|
=item "KAT_Cipher" (B<OSSL_SELF_TEST_TYPE_KAT_CIPHER>)
|
|
|
|
Known answer test for a symmetric cipher.
|
|
|
|
=item "KAT_AsymmetricCipher" (B<OSSL_SELF_TEST_TYPE_KAT_ASYM_CIPHER>)
|
|
|
|
Known answer test for a asymmetric cipher.
|
|
|
|
=item "KAT_Digest" (B<OSSL_SELF_TEST_TYPE_KAT_DIGEST>)
|
|
|
|
Known answer test for a digest.
|
|
|
|
=item "KAT_Signature" (B<OSSL_SELF_TEST_TYPE_KAT_SIGNATURE>)
|
|
|
|
Known answer test for a signature.
|
|
|
|
=item "KAT_KDF" (B<OSSL_SELF_TEST_TYPE_KAT_KDF>)
|
|
|
|
Known answer test for a key derivation function.
|
|
|
|
=item "KAT_KA" (B<OSSL_SELF_TEST_TYPE_KAT_KA>)
|
|
|
|
Known answer test for key agreement.
|
|
|
|
=item "DRBG" (B<OSSL_SELF_TEST_TYPE_DRBG>)
|
|
|
|
Known answer test for a Deterministic Random Bit Generator.
|
|
|
|
=item "Pairwise_Consistency_Test" (B<OSSL_SELF_TEST_TYPE_PCT>)
|
|
|
|
Conditional test that is run during the generation of key pairs.
|
|
|
|
=item "Continuous_RNG_Test" (B<OSSL_SELF_TEST_TYPE_CRNG>)
|
|
|
|
Continuous random number generator test.
|
|
|
|
=back
|
|
|
|
The "Module_Integrity" self test is always run at startup.
|
|
The "Install_Integrity" self test is used to check if the self tests have
|
|
already been run at installation time. If they have already run then the
|
|
self tests are not run on subsequent startups.
|
|
All other self test categories are run once at installation time, except for the
|
|
"Pairwise_Consistency_Test".
|
|
|
|
There is only one instance of the "Module_Integrity" and "Install_Integrity"
|
|
self tests. All other self tests may have multiple instances.
|
|
|
|
|
|
The FIPS module passes the following descriptions(s) to OSSL_SELF_TEST_onbegin().
|
|
|
|
=over 4
|
|
|
|
=item "HMAC" (B<OSSL_SELF_TEST_DESC_INTEGRITY_HMAC>)
|
|
|
|
"Module_Integrity" and "Install_Integrity" use this.
|
|
|
|
=item "RSA" (B<OSSL_SELF_TEST_DESC_PCT_RSA_PKCS1>)
|
|
|
|
=item "ECDSA" (B<OSSL_SELF_TEST_DESC_PCT_ECDSA>)
|
|
|
|
=item "DSA" (B<OSSL_SELF_TEST_DESC_PCT_DSA>)
|
|
|
|
Key generation tests used with the "Pairwise_Consistency_Test" type.
|
|
|
|
=item "RSA_Encrypt" (B<OSSL_SELF_TEST_DESC_ASYM_RSA_ENC>)
|
|
|
|
=item "RSA_Decrypt" (B<OSSL_SELF_TEST_DESC_ASYM_RSA_DEC>)
|
|
|
|
"KAT_AsymmetricCipher" uses this to indicate an encrypt or decrypt KAT.
|
|
|
|
=item "AES_GCM_Encrypt" (B<OSSL_SELF_TEST_DESC_CIPHER_AES_GCM>)
|
|
|
|
=item "AES_ECB_Decrypt" (B<OSSL_SELF_TEST_DESC_CIPHER_AES_ECB>)
|
|
|
|
=item "TDES" (B<OSSL_SELF_TEST_DESC_CIPHER_TDES>)
|
|
|
|
Symmetric cipher tests used with the "KAT_Cipher" type.
|
|
|
|
=item "SHA1" (B<OSSL_SELF_TEST_DESC_MD_SHA1>)
|
|
|
|
=item "SHA2" (B<OSSL_SELF_TEST_DESC_MD_SHA2>)
|
|
|
|
=item "SHA3" (B<OSSL_SELF_TEST_DESC_MD_SHA3>)
|
|
|
|
Digest tests used with the "KAT_Digest" type.
|
|
|
|
=item "DSA" (B<OSSL_SELF_TEST_DESC_SIGN_DSA>)
|
|
|
|
=item "RSA" (B<OSSL_SELF_TEST_DESC_SIGN_RSA>)
|
|
|
|
=item "ECDSA" (B<OSSL_SELF_TEST_DESC_SIGN_ECDSA>)
|
|
|
|
Signature tests used with the "KAT_Signature" type.
|
|
|
|
=item "ECDH" (B<OSSL_SELF_TEST_DESC_KA_ECDH>)
|
|
|
|
=item "DH" (B<OSSL_SELF_TEST_DESC_KA_DH>)
|
|
|
|
Key agreement tests used with the "KAT_KA" type.
|
|
|
|
=item "HKDF" (B<OSSL_SELF_TEST_DESC_KDF_HKDF>)
|
|
|
|
=item "SSKDF" (B<OSSL_SELF_TEST_DESC_KDF_SSKDF>)
|
|
|
|
=item "X963KDF" (B<OSSL_SELF_TEST_DESC_KDF_X963KDF>)
|
|
|
|
=item "X942KDF" (B<OSSL_SELF_TEST_DESC_KDF_X942KDF>)
|
|
|
|
=item "PBKDF2" (B<OSSL_SELF_TEST_DESC_KDF_PBKDF2>)
|
|
|
|
=item "SSHKDF" (B<OSSL_SELF_TEST_DESC_KDF_SSHKDF>)
|
|
|
|
=item "TLS12_PRF" (B<OSSL_SELF_TEST_DESC_KDF_TLS12_PRF>)
|
|
|
|
=item "KBKDF" (B<OSSL_SELF_TEST_DESC_KDF_KBKDF>)
|
|
|
|
Key Derivation Function tests used with the "KAT_KDF" type.
|
|
|
|
=item "CTR" (B<OSSL_SELF_TEST_DESC_DRBG_CTR>)
|
|
|
|
=item "HASH" (B<OSSL_SELF_TEST_DESC_DRBG_HASH>)
|
|
|
|
=item "HMAC" (B<OSSL_SELF_TEST_DESC_DRBG_HMAC>)
|
|
|
|
DRBG tests used with the "DRBG" type.
|
|
|
|
= item "RNG" (B<OSSL_SELF_TEST_DESC_RNG>)
|
|
|
|
"Continuous_RNG_Test" uses this.
|
|
|
|
=back
|
|
|
|
=head1 EXAMPLES
|
|
|
|
A simple self test callback is shown below for illustrative purposes.
|
|
|
|
#include <openssl/self_test.h>
|
|
|
|
static OSSL_CALLBACK self_test_cb;
|
|
|
|
static int self_test_cb(const OSSL_PARAM params[], void *arg)
|
|
{
|
|
int ret = 0;
|
|
const OSSL_PARAM *p = NULL;
|
|
const char *phase = NULL, *type = NULL, *desc = NULL;
|
|
|
|
p = OSSL_PARAM_locate_const(params, OSSL_PROV_PARAM_SELF_TEST_PHASE);
|
|
if (p == NULL || p->data_type != OSSL_PARAM_UTF8_STRING)
|
|
goto err;
|
|
phase = (const char *)p->data;
|
|
|
|
p = OSSL_PARAM_locate_const(params, OSSL_PROV_PARAM_SELF_TEST_DESC);
|
|
if (p == NULL || p->data_type != OSSL_PARAM_UTF8_STRING)
|
|
goto err;
|
|
desc = (const char *)p->data;
|
|
|
|
p = OSSL_PARAM_locate_const(params, OSSL_PROV_PARAM_SELF_TEST_TYPE);
|
|
if (p == NULL || p->data_type != OSSL_PARAM_UTF8_STRING)
|
|
goto err;
|
|
type = (const char *)p->data;
|
|
|
|
/* Do some logging */
|
|
if (strcmp(phase, OSSL_SELF_TEST_PHASE_START) == 0)
|
|
BIO_printf(bio_out, "%s : (%s) : ", desc, type);
|
|
if (strcmp(phase, OSSL_SELF_TEST_PHASE_PASS) == 0
|
|
|| strcmp(phase, OSSL_SELF_TEST_PHASE_FAIL) == 0)
|
|
BIO_printf(bio_out, "%s\n", phase);
|
|
|
|
/* Corrupt the SHA1 self test during the 'corrupt' phase by returning 0 */
|
|
if (strcmp(phase, OSSL_SELF_TEST_PHASE_CORRUPT) == 0
|
|
&& strcmp(desc, OSSL_SELF_TEST_DESC_MD_SHA1) == 0) {
|
|
BIO_printf(bio_out, "%s %s", phase, desc);
|
|
return 0;
|
|
}
|
|
ret = 1;
|
|
err:
|
|
return ret;
|
|
}
|
|
|
|
=head1 SEE ALSO
|
|
|
|
L<openssl-fipsinstall(1)>,
|
|
L<fips_config(5)>,
|
|
L<OSSL_SELF_TEST_set_callback(3)>,
|
|
L<OSSL_SELF_TEST_new(3)>,
|
|
L<OSSL_PARAM(3)>,
|
|
L<openssl-core.h(7)>,
|
|
L<openssl-core_dispatch.h(7)>,
|
|
L<provider(7)>
|
|
|
|
=head1 HISTORY
|
|
|
|
The type and functions described here were added in OpenSSL 3.0.
|
|
|
|
=head1 COPYRIGHT
|
|
|
|
Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved.
|
|
|
|
Licensed under the Apache License 2.0 (the "License"). You may not use
|
|
this file except in compliance with the License. You can obtain a copy
|
|
in the file LICENSE in the source distribution or at
|
|
L<https://www.openssl.org/source/license.html>.
|
|
|
|
=cut
|