mirror of
https://github.com/openssl/openssl.git
synced 2024-12-27 06:21:43 +08:00
0557d6c62b
Add a FIPS indicator callback that can be set via OSSL_INDICATOR_set_callback(). This callback is intended to be run whenever a non approved algorithm check has occurred and strict checking has been disabled.The callback may be used to log non approved algorithms. The callback is passed a type and description string as well as the cbarg specified in OSSL_INDICATOR_set_callback. The return value can be either 0 or 1. A value of 0 can be used for testing purposes to force an error to occur from the algorithm that called the callback. Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24623)
82 lines
2.4 KiB
Plaintext
82 lines
2.4 KiB
Plaintext
=pod
|
|
|
|
=head1 NAME
|
|
|
|
OSSL_INDICATOR_set_callback,
|
|
OSSL_INDICATOR_get_callback - specify a callback for FIPS indicators
|
|
|
|
=head1 SYNOPSIS
|
|
|
|
#include <openssl/indicator.h>
|
|
|
|
typedef int (OSSL_INDICATOR_CALLBACK)(const char *type, const char *desc,
|
|
const OSSL_PARAM params[]);
|
|
|
|
void OSSL_INDICATOR_set_callback(OSSL_LIB_CTX *libctx,
|
|
OSSL_INDICATOR_CALLBACK *cb);
|
|
void OSSL_INDICATOR_get_callback(OSSL_LIB_CTX *libctx,
|
|
OSSL_INDICATOR_CALLBACK **cb);
|
|
|
|
=head1 DESCRIPTION
|
|
|
|
OSSL_INDICATOR_set_callback() sets a user callback I<cb> associated with a
|
|
I<libctx> that will be called when a non approved FIPS operation is detected.
|
|
|
|
The user's callback may be triggered multiple times during an algorithm operation
|
|
to indicate different approved mode checks have failed.
|
|
|
|
Non approved operations may only occur if the user has deliberately chosen to do
|
|
so (either by setting a global FIPS configuration option or via an option in an
|
|
algorithm's operation context).
|
|
|
|
The user's callback B<OSSL_INDICATOR_CALLBACK> I<type> and I<desc>
|
|
contain the algorithm type and operation that is not approved.
|
|
I<params> is not currently used.
|
|
|
|
If the user callback returns 0, an error will occur in the caller. This can be
|
|
used for testing purposes.
|
|
|
|
=head1 RETURN VALUES
|
|
|
|
OSSL_INDICATOR_get_callback() returns the callback that has been set via
|
|
OSSL_INDICATOR_set_callback() for the given library context I<libctx>, or NULL
|
|
if no callback is currently set.
|
|
|
|
=head1 EXAMPLES
|
|
|
|
A simple indicator callback to log non approved FIPS operations
|
|
|
|
static int indicator_cb(const char *type, const char *desc,
|
|
const OSSL_PARAM params[])
|
|
{
|
|
if (type != NULL && desc != NULL)
|
|
fprintf(stdout, "%s %s is not approved\n", type, desc);
|
|
end:
|
|
/* For Testing purposes you could return 0 here to cause an error */
|
|
return 1;
|
|
}
|
|
|
|
OSSL_INDICATOR_set_callback(libctx, indicator_cb);
|
|
|
|
|
|
=head1 SEE ALSO
|
|
|
|
L<openssl-core.h(7)>,
|
|
L<OSSL_PROVIDER-FIPS(7)>
|
|
L<OSSL_LIB_CTX(3)>
|
|
|
|
=head1 HISTORY
|
|
|
|
The functions described here were added in OpenSSL 3.4.
|
|
|
|
=head1 COPYRIGHT
|
|
|
|
Copyright 2024 The OpenSSL Project Authors. All Rights Reserved.
|
|
|
|
Licensed under the Apache License 2.0 (the "License"). You may not use
|
|
this file except in compliance with the License. You can obtain a copy
|
|
in the file LICENSE in the source distribution or at
|
|
L<https://www.openssl.org/source/license.html>.
|
|
|
|
=cut
|