[openssl/openssl] 0557d6: Add FIPS indicator callback.

Shane noreply at github.com
Wed Jul 10 22:31:59 UTC 2024


  Branch: refs/heads/master
  Home:   https://github.com/openssl/openssl
  Commit: 0557d6c62b7d1f46f6f51e0dca87ad9409236164
      https://github.com/openssl/openssl/commit/0557d6c62b7d1f46f6f51e0dca87ad9409236164
  Author: slontis <shane.lontis at oracle.com>
  Date:   2024-07-11 (Thu, 11 Jul 2024)

  Changed paths:
    M crypto/build.info
    M crypto/context.c
    A crypto/indicator_core.c
    M crypto/provider_core.c
    M doc/build.info
    A doc/man3/OSSL_INDICATOR_set_callback.pod
    M include/crypto/context.h
    M include/internal/cryptlib.h
    M include/openssl/core_dispatch.h
    A include/openssl/indicator.h
    M providers/fips/fipsprov.c

  Log Message:
  -----------
  Add FIPS indicator callback.

Add a FIPS indicator callback that can be set via
OSSL_INDICATOR_set_callback(). This callback is intended to be run
whenever a non-approved algorithm check has occurred and strict checking
has been disabled. The callback may be used to
log non-approved algorithms. The callback is passed a type and
description string as well as the cbarg specified in OSSL_INDICATOR_set_callback.
The return value can be either 0 or 1.
A value of 0 can be used for testing purposes to force an error to occur from the algorithm
that called the callback.

Reviewed-by: Neil Horman <nhorman at openssl.org>
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24623)


  Commit: d4848934a61a668d16078f3118786c9a741b7efd
      https://github.com/openssl/openssl/commit/d4848934a61a668d16078f3118786c9a741b7efd
  Author: slontis <shane.lontis at oracle.com>
  Date:   2024-07-11 (Thu, 11 Jul 2024)

  Changed paths:
    A providers/common/include/prov/fipsindicator.h
    M providers/fips/build.info
    A providers/fips/fipsindicator.c

  Log Message:
  -----------
  Add FIPS indicator helpers

Each provider algorithm context can use these helpers to add indicator
support.

Reviewed-by: Neil Horman <nhorman at openssl.org>
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24623)


  Commit: c13ddf0a6c71efac8ef546f0d3632341afab3f07
      https://github.com/openssl/openssl/commit/c13ddf0a6c71efac8ef546f0d3632341afab3f07
  Author: slontis <shane.lontis at oracle.com>
  Date:   2024-07-11 (Thu, 11 Jul 2024)

  Changed paths:
    M doc/man7/EVP_ASYM_CIPHER-RSA.pod
    M doc/man7/EVP_KDF-TLS1_PRF.pod
    M doc/man7/EVP_KEM-RSA.pod
    M doc/man7/EVP_KEYEXCH-DH.pod
    M doc/man7/EVP_KEYEXCH-ECDH.pod
    M doc/man7/EVP_SIGNATURE-DSA.pod
    M doc/man7/EVP_SIGNATURE-ECDSA.pod
    M doc/man7/EVP_SIGNATURE-RSA.pod
    M doc/man7/provider-asym_cipher.pod
    M doc/man7/provider-kem.pod
    M doc/man7/provider-keyexch.pod
    M doc/man7/provider-rand.pod
    M doc/man7/provider-signature.pod
    M providers/common/include/prov/fipsindicator.h
    M providers/common/include/prov/securitycheck.h
    M providers/common/securitycheck.c
    M providers/common/securitycheck_default.c
    M providers/common/securitycheck_fips.c
    M providers/implementations/asymciphers/rsa_enc.c
    M providers/implementations/exchange/dh_exch.c
    M providers/implementations/exchange/ecdh_exch.c
    M providers/implementations/kdfs/tls1_prf.c
    M providers/implementations/kem/rsa_kem.c
    M providers/implementations/rands/drbg.c
    M providers/implementations/rands/drbg_ctr.c
    M providers/implementations/rands/drbg_hash.c
    M providers/implementations/rands/drbg_hmac.c
    M providers/implementations/rands/drbg_local.h
    M providers/implementations/signature/dsa_sig.c
    M providers/implementations/signature/ecdsa_sig.c
    M providers/implementations/signature/rsa_sig.c
    M util/perl/OpenSSL/paramnames.pm

  Log Message:
  -----------
  Change all existing FIPS configurable checks to use FIPS indicators.

This changes the logic to always do the security checks and then decide
what to do based on if this passes or not. Failure of a check causes
either a failure OR the FIPS indicator callback to be triggered.

Reviewed-by: Neil Horman <nhorman at openssl.org>
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24623)


  Commit: 06da14737369e7c90899aed4bb21cce9a0910d29
      https://github.com/openssl/openssl/commit/06da14737369e7c90899aed4bb21cce9a0910d29
  Author: slontis <shane.lontis at oracle.com>
  Date:   2024-07-11 (Thu, 11 Jul 2024)

  Changed paths:
    M test/evp_test.c
    M test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt
    M test/recipes/30-test_evp_data/evppkey_dsa.txt
    M test/recipes/30-test_evp_data/evppkey_ecc.txt
    M test/recipes/30-test_evp_data/evppkey_ecdh.txt
    M test/recipes/30-test_evp_data/evppkey_ecdsa.txt
    M test/recipes/30-test_evp_data/evppkey_ffdhe.txt
    M test/recipes/30-test_evp_data/evppkey_kas.txt
    M test/recipes/30-test_evp_data/evppkey_rsa.txt
    M test/recipes/30-test_evp_data/evppkey_rsa_common.txt
    M test/recipes/30-test_evp_data/evprand.txt
    M util/libcrypto.num

  Log Message:
  -----------
  Add FIPS indicators to evp_test

evp_test code needed to be modified to defer setting algorithm contexts
until the run phase. The parse functions also defer setting into the context
until the run phase, which allows the context to initialize in a controlled order.
This allows params to be passed into the algorithm init function.

Reviewed-by: Neil Horman <nhorman at openssl.org>
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24623)


Compare: https://github.com/openssl/openssl/compare/45cada1339ba...06da14737369
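
The check-then-decide flow described in the first and third log messages, modelled as a stand-alone example. It is added here and is not code from these commits or from OpenSSL: every name in it (`alg_ctx`, `on_check`, `log_cb`, `veto_cb`, `rsa_sign_init`), the `approved` flag and the 2048-bit rule are assumptions made for the illustration.

```c
/* Stand-alone model; all names are hypothetical, none is OpenSSL API. */
#include <stddef.h>
#include <stdio.h>

typedef int (*indicator_cb)(const char *type, const char *desc, void *cbarg);

struct alg_ctx {
    int strict;       /* 1: a failed check is a hard error */
    int approved;     /* assumed flag: cleared when a failed check is tolerated */
    indicator_cb cb;  /* optional indicator callback */
    void *cbarg;      /* passed back to the callback unchanged */
};

/* Constructed check: RSA keys under 2048 bits count as not approved. */
static int rsa_bits_ok(int bits) { return bits >= 2048; }

/* The check has already run; decide what its result means.
 * Returns 1 if the operation may proceed, 0 if it must fail. */
int on_check(struct alg_ctx *ctx, int passed, const char *type, const char *desc)
{
    if (passed)
        return 1;
    if (ctx->strict)
        return 0;                 /* strict checking: failure is an error */
    ctx->approved = 0;            /* tolerated, but no longer approved */
    if (ctx->cb != NULL)          /* a 0 return from the callback forces an error */
        return ctx->cb(type, desc, ctx->cbarg) != 0;
    return 1;
}

/* Logging callback: counts events in *cbarg and lets the operation continue. */
int log_cb(const char *type, const char *desc, void *cbarg)
{
    fprintf(stderr, "non-approved: %s: %s\n", type, desc);
    ++*(int *)cbarg;
    return 1;
}

/* Test callback: returns 0 so the calling algorithm fails. */
int veto_cb(const char *type, const char *desc, void *cbarg)
{
    (void)type; (void)desc; (void)cbarg;
    return 0;
}

int rsa_sign_init(struct alg_ctx *ctx, int bits)
{
    return on_check(ctx, rsa_bits_ok(bits), "RSA", "Key size");
}
```
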
