Chiebot-Mirror
/
boringssl
8
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Add a function to return a FIPS version.

Browse Source 
We need a function that returns a version that links to a certificate.
Previously we have used the git hash as the version of our modules but
the source cannot contain its own hash. Thus this change defines a new
format for FIPS module versions which will be filled in once we're ready
to define a version.

Change-Id: Ie4641945119106bc47e8da94ed8a45a86abb6f92
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/51986
Reviewed-by: David Benjamin <davidben@google.com>
fips-20220613
Adam Langley 3 years ago committed by Adam Langley
parent 7f4057ec10
commit c6e8f3ed08
3 changed files with 19 additions and 0 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 4
      crypto/fipsmodule/self_check/fips.c
  2. 8
      include/openssl/crypto.h
  3. 7
      util/fipstools/test_fips.c

4
crypto/fipsmodule/self_check/fips.c
Unescape View File

@ -28,6 +28,10 @@ int FIPS_mode(void) {
int FIPS_mode_set(int on) { return on == FIPS_mode(); }
uint32_t FIPS_version(void) {
return 0;
}
int FIPS_query_algorithm_status(const char *algorithm) {
#if defined(BORINGSSL_FIPS)
static const char kApprovedAlgorithms[][13] = {

8
include/openssl/crypto.h
Unescape View File

@ -172,6 +172,14 @@ OPENSSL_EXPORT void OPENSSL_cleanup(void);
// |BORINGSSL_FIPS| and zero otherwise.
OPENSSL_EXPORT int FIPS_mode_set(int on);
// FIPS_version returns the version of the FIPS module, or zero if the build
// isn't exactly at a verified version. The version, expressed in base 10, will
// be a date in the form yyyymmddXX where XX is often "00", but can be
// incremented if multiple versions are defined on a single day.
//
// (This format exceeds a |uint32_t| in the year 4294.)
OPENSSL_EXPORT uint32_t FIPS_version(void);
// FIPS_query_algorithm_status returns one if |algorithm| is FIPS validated in
// the current BoringSSL and zero otherwise.
OPENSSL_EXPORT int FIPS_query_algorithm_status(const char *algorithm);

7
util/fipstools/test_fips.c
Unescape View File

@ -47,6 +47,13 @@ static void hexdump(const void *a, size_t len) {
int main(int argc, char **argv) {
CRYPTO_library_init();
const uint32_t module_version = FIPS_version();
if (module_version == 0) {
printf("No module version set\n");
goto err;
}
printf("Module version: %" PRIu32 "\n", module_version);
static const uint8_t kAESKey[16] = "BoringCrypto Key";
static const uint8_t kPlaintext[64] =
"BoringCryptoModule FIPS KAT Encryption and Decryption Plaintext!";

Write Preview
Loading…
Cancel
Save