From 745fc918e7eeb86b2ac541325a8ae5c6e374ee56 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Fri, 14 Feb 2020 22:49:26 +0000
Subject: Introduce the provider property

Replace the properties default, fips and legacy with a single property
called "provider". So, for example, instead of writing "default=yes" to
get algorithms from the default provider you would instead write
"provider=default". We also have a new "fips" property to indicate that
an algorithm is compatible with FIPS mode. This applies to all the
algorithms in the FIPS provider, as well as any non-cryptographic
algorithms (currently only serializers).

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11097)
---
 providers/defltprov.c | 157 ++++++++++++++++++++++++++------------------------
 1 file changed, 81 insertions(+), 76 deletions(-)

(limited to 'providers/defltprov.c')

diff --git a/providers/defltprov.c b/providers/defltprov.c
index 3819c61..0b2390a 100644
--- a/providers/defltprov.c
+++ b/providers/defltprov.c
@@ -20,7 +20,7 @@
 #include "prov/provider_util.h"
 #include "internal/nelem.h"
 
-#define ALGC(NAMES, FUNC, CHECK) { { NAMES, "default=yes", FUNC }, CHECK }
+#define ALGC(NAMES, FUNC, CHECK) { { NAMES, "provider=default", FUNC }, CHECK }
 #define ALG(NAMES, FUNC) ALGC(NAMES, FUNC, NULL)
 
 /* Functions provided by the core */
@@ -86,32 +86,32 @@ static int deflt_get_params(const OSSL_PROVIDER *prov, OSSL_PARAM params[])
  */
 static const OSSL_ALGORITHM deflt_digests[] = {
     /* Our primary name:NIST name[:our older names] */
-    { "SHA1:SHA-1", "default=yes", sha1_functions },
-    { "SHA2-224:SHA-224:SHA224", "default=yes", sha224_functions },
-    { "SHA2-256:SHA-256:SHA256", "default=yes", sha256_functions },
-    { "SHA2-384:SHA-384:SHA384", "default=yes", sha384_functions },
-    { "SHA2-512:SHA-512:SHA512", "default=yes", sha512_functions },
-    { "SHA2-512/224:SHA-512/224:SHA512-224", "default=yes",
+    { "SHA1:SHA-1", "provider=default", sha1_functions },
+    { "SHA2-224:SHA-224:SHA224", "provider=default", sha224_functions },
+    { "SHA2-256:SHA-256:SHA256", "provider=default", sha256_functions },
+    { "SHA2-384:SHA-384:SHA384", "provider=default", sha384_functions },
+    { "SHA2-512:SHA-512:SHA512", "provider=default", sha512_functions },
+    { "SHA2-512/224:SHA-512/224:SHA512-224", "provider=default",
       sha512_224_functions },
-    { "SHA2-512/256:SHA-512/256:SHA512-256", "default=yes",
+    { "SHA2-512/256:SHA-512/256:SHA512-256", "provider=default",
       sha512_256_functions },
 
     /* We agree with NIST here, so one name only */
-    { "SHA3-224", "default=yes", sha3_224_functions },
-    { "SHA3-256", "default=yes", sha3_256_functions },
-    { "SHA3-384", "default=yes", sha3_384_functions },
-    { "SHA3-512", "default=yes", sha3_512_functions },
+    { "SHA3-224", "provider=default", sha3_224_functions },
+    { "SHA3-256", "provider=default", sha3_256_functions },
+    { "SHA3-384", "provider=default", sha3_384_functions },
+    { "SHA3-512", "provider=default", sha3_512_functions },
 
     /*
      * KECCAK-KMAC-128 and KECCAK-KMAC-256 as hashes are mostly useful for
      * the KMAC-128 and KMAC-256.
      */
-    { "KECCAK-KMAC-128:KECCAK-KMAC128", "default=yes", keccak_kmac_128_functions },
-    { "KECCAK-KMAC-256:KECCAK-KMAC256", "default=yes", keccak_kmac_256_functions },
+    { "KECCAK-KMAC-128:KECCAK-KMAC128", "provider=default", keccak_kmac_128_functions },
+    { "KECCAK-KMAC-256:KECCAK-KMAC256", "provider=default", keccak_kmac_256_functions },
 
     /* Our primary name:NIST name */
-    { "SHAKE-128:SHAKE128", "default=yes", shake_128_functions },
-    { "SHAKE-256:SHAKE256", "default=yes", shake_256_functions },
+    { "SHAKE-128:SHAKE128", "provider=default", shake_128_functions },
+    { "SHAKE-256:SHAKE256", "provider=default", shake_256_functions },
 
 #ifndef OPENSSL_NO_BLAKE2
     /*
@@ -121,17 +121,17 @@ static const OSSL_ALGORITHM deflt_digests[] = {
      * If we assume that "2b" and "2s" are versions, that pattern
      * fits with ours.  We also add our historical names.
      */
-    { "BLAKE2S-256:BLAKE2s256", "default=yes", blake2s256_functions },
-    { "BLAKE2B-512:BLAKE2b512", "default=yes", blake2b512_functions },
+    { "BLAKE2S-256:BLAKE2s256", "provider=default", blake2s256_functions },
+    { "BLAKE2B-512:BLAKE2b512", "provider=default", blake2b512_functions },
 #endif /* OPENSSL_NO_BLAKE2 */
 
 #ifndef OPENSSL_NO_SM3
-    { "SM3", "default=yes", sm3_functions },
+    { "SM3", "provider=default", sm3_functions },
 #endif /* OPENSSL_NO_SM3 */
 
 #ifndef OPENSSL_NO_MD5
-    { "MD5", "default=yes", md5_functions },
-    { "MD5-SHA1", "default=yes", md5_sha1_functions },
+    { "MD5", "provider=default", md5_functions },
+    { "MD5-SHA1", "provider=default", md5_sha1_functions },
 #endif /* OPENSSL_NO_MD5 */
 
     { NULL, NULL, NULL }
@@ -331,136 +331,141 @@ static OSSL_ALGORITHM exported_ciphers[OSSL_NELEM(deflt_ciphers)];
 
 static const OSSL_ALGORITHM deflt_macs[] = {
 #ifndef OPENSSL_NO_BLAKE2
-    { "BLAKE2BMAC", "default=yes", blake2bmac_functions },
-    { "BLAKE2SMAC", "default=yes", blake2smac_functions },
+    { "BLAKE2BMAC", "provider=default", blake2bmac_functions },
+    { "BLAKE2SMAC", "provider=default", blake2smac_functions },
 #endif
 #ifndef OPENSSL_NO_CMAC
-    { "CMAC", "default=yes", cmac_functions },
+    { "CMAC", "provider=default", cmac_functions },
 #endif
-    { "GMAC", "default=yes", gmac_functions },
-    { "HMAC", "default=yes", hmac_functions },
-    { "KMAC-128:KMAC128", "default=yes", kmac128_functions },
-    { "KMAC-256:KMAC256", "default=yes", kmac256_functions },
+    { "GMAC", "provider=default", gmac_functions },
+    { "HMAC", "provider=default", hmac_functions },
+    { "KMAC-128:KMAC128", "provider=default", kmac128_functions },
+    { "KMAC-256:KMAC256", "provider=default", kmac256_functions },
 #ifndef OPENSSL_NO_SIPHASH
-    { "SIPHASH", "default=yes", siphash_functions },
+    { "SIPHASH", "provider=default", siphash_functions },
 #endif
 #ifndef OPENSSL_NO_POLY1305
-    { "POLY1305", "default=yes", poly1305_functions },
+    { "POLY1305", "provider=default", poly1305_functions },
 #endif
     { NULL, NULL, NULL }
 };
 
 static const OSSL_ALGORITHM deflt_kdfs[] = {
-    { "HKDF", "default=yes", kdf_hkdf_functions },
-    { "SSKDF", "default=yes", kdf_sskdf_functions },
-    { "PBKDF2", "default=yes", kdf_pbkdf2_functions },
-    { "SSHKDF", "default=yes", kdf_sshkdf_functions },
-    { "X963KDF", "default=yes", kdf_x963_kdf_functions },
-    { "TLS1-PRF", "default=yes", kdf_tls1_prf_functions },
-    { "KBKDF", "default=yes", kdf_kbkdf_functions },
+    { "HKDF", "provider=default", kdf_hkdf_functions },
+    { "SSKDF", "provider=default", kdf_sskdf_functions },
+    { "PBKDF2", "provider=default", kdf_pbkdf2_functions },
+    { "SSHKDF", "provider=default", kdf_sshkdf_functions },
+    { "X963KDF", "provider=default", kdf_x963_kdf_functions },
+    { "TLS1-PRF", "provider=default", kdf_tls1_prf_functions },
+    { "KBKDF", "provider=default", kdf_kbkdf_functions },
 #ifndef OPENSSL_NO_CMS
-    { "X942KDF", "default=yes", kdf_x942_kdf_functions },
+    { "X942KDF", "provider=default", kdf_x942_kdf_functions },
 #endif
 #ifndef OPENSSL_NO_SCRYPT
-    { "SCRYPT:id-scrypt", "default=yes", kdf_scrypt_functions },
+    { "SCRYPT:id-scrypt", "provider=default", kdf_scrypt_functions },
 #endif
-    { "KRB5KDF", "default=yes", kdf_krb5kdf_functions },
+    { "KRB5KDF", "provider=default", kdf_krb5kdf_functions },
     { NULL, NULL, NULL }
 };
 
 static const OSSL_ALGORITHM deflt_keyexch[] = {
 #ifndef OPENSSL_NO_DH
-    { "DH:dhKeyAgreement", "default=yes", dh_keyexch_functions },
+    { "DH:dhKeyAgreement", "provider=default", dh_keyexch_functions },
 #endif
 #ifndef OPENSSL_NO_EC
-    { "ECDH:id-ecPublicKey", "default=yes", ecdh_keyexch_functions },
-    { "X25519", "default=yes", x25519_keyexch_functions },
-    { "X448", "default=yes", x448_keyexch_functions },
+    { "ECDH:id-ecPublicKey", "provider=default", ecdh_keyexch_functions },
+    { "X25519", "provider=default", x25519_keyexch_functions },
+    { "X448", "provider=default", x448_keyexch_functions },
 #endif
     { NULL, NULL, NULL }
 };
 
 static const OSSL_ALGORITHM deflt_signature[] = {
 #ifndef OPENSSL_NO_DSA
-    { "DSA:dsaEncryption", "default=yes", dsa_signature_functions },
+    { "DSA:dsaEncryption", "provider=default", dsa_signature_functions },
 #endif
     { NULL, NULL, NULL }
 };
 
 static const OSSL_ALGORITHM deflt_asym_cipher[] = {
-    { "RSA:rsaEncryption", "default=yes", rsa_asym_cipher_functions },
+    { "RSA:rsaEncryption", "provider=default", rsa_asym_cipher_functions },
     { NULL, NULL, NULL }
 };
 
 static const OSSL_ALGORITHM deflt_keymgmt[] = {
 #ifndef OPENSSL_NO_DH
-    { "DH:dhKeyAgreement", "default=yes", dh_keymgmt_functions },
+    { "DH:dhKeyAgreement", "provider=default", dh_keymgmt_functions },
 #endif
 #ifndef OPENSSL_NO_DSA
-    { "DSA:dsaEncryption", "default=yes", dsa_keymgmt_functions },
+    { "DSA:dsaEncryption", "provider=default", dsa_keymgmt_functions },
 #endif
-    { "RSA:rsaEncryption", "default=yes", rsa_keymgmt_functions },
+    { "RSA:rsaEncryption", "provider=default", rsa_keymgmt_functions },
 #ifndef OPENSSL_NO_EC
-    { "EC:id-ecPublicKey", "default=yes", ec_keymgmt_functions },
-    { "X25519", "default=yes", x25519_keymgmt_functions },
-    { "X448", "default=yes", x448_keymgmt_functions },
+    { "EC:id-ecPublicKey", "provider=default", ec_keymgmt_functions },
+    { "X25519", "provider=default", x25519_keymgmt_functions },
+    { "X448", "provider=default", x448_keymgmt_functions },
 #endif
     { NULL, NULL, NULL }
 };
 
+/*
+ * Unlike most algorithms in the default provider, the serializers are allowed
+ * for use in FIPS mode because they are not FIPS relevant, and therefore have
+ * the "fips=yes" property.
+ */
 static const OSSL_ALGORITHM deflt_serializer[] = {
-    { "RSA", "default=yes,format=text,type=private",
+    { "RSA", "provider=default,fips=yes,format=text,type=private",
       rsa_priv_text_serializer_functions },
-    { "RSA", "default=yes,format=text,type=public",
+    { "RSA", "provider=default,fips=yes,format=text,type=public",
       rsa_pub_text_serializer_functions },
-    { "RSA", "default=yes,format=der,type=private",
+    { "RSA", "provider=default,fips=yes,format=der,type=private",
       rsa_priv_der_serializer_functions },
-    { "RSA", "default=yes,format=der,type=public",
+    { "RSA", "provider=default,fips=yes,format=der,type=public",
       rsa_pub_der_serializer_functions },
-    { "RSA", "default=yes,format=pem,type=private",
+    { "RSA", "provider=default,fips=yes,format=pem,type=private",
       rsa_priv_pem_serializer_functions },
-    { "RSA", "default=yes,format=pem,type=public",
+    { "RSA", "provider=default,fips=yes,format=pem,type=public",
       rsa_pub_pem_serializer_functions },
 
 #ifndef OPENSSL_NO_DH
-    { "DH", "default=yes,format=text,type=private",
+    { "DH", "provider=default,fips=yes,format=text,type=private",
       dh_priv_text_serializer_functions },
-    { "DH", "default=yes,format=text,type=public",
+    { "DH", "provider=default,fips=yes,format=text,type=public",
       dh_pub_text_serializer_functions },
-    { "DH", "default=yes,format=text,type=parameters",
+    { "DH", "provider=default,fips=yes,format=text,type=parameters",
       dh_param_text_serializer_functions },
-    { "DH", "default=yes,format=der,type=private",
+    { "DH", "provider=default,fips=yes,format=der,type=private",
       dh_priv_der_serializer_functions },
-    { "DH", "default=yes,format=der,type=public",
+    { "DH", "provider=default,fips=yes,format=der,type=public",
       dh_pub_der_serializer_functions },
-    { "DH", "default=yes,format=der,type=parameters",
+    { "DH", "provider=default,fips=yes,format=der,type=parameters",
       dh_param_der_serializer_functions },
-    { "DH", "default=yes,format=pem,type=private",
+    { "DH", "provider=default,fips=yes,format=pem,type=private",
       dh_priv_pem_serializer_functions },
-    { "DH", "default=yes,format=pem,type=public",
+    { "DH", "provider=default,fips=yes,format=pem,type=public",
       dh_pub_pem_serializer_functions },
-    { "DH", "default=yes,format=pem,type=parameters",
+    { "DH", "provider=default,fips=yes,format=pem,type=parameters",
       dh_param_pem_serializer_functions },
 #endif
 
 #ifndef OPENSSL_NO_DSA
-    { "DSA", "default=yes,format=text,type=private",
+    { "DSA", "provider=default,fips=yes,format=text,type=private",
       dsa_priv_text_serializer_functions },
-    { "DSA", "default=yes,format=text,type=public",
+    { "DSA", "provider=default,fips=yes,format=text,type=public",
       dsa_pub_text_serializer_functions },
-    { "DSA", "default=yes,format=text,type=parameters",
+    { "DSA", "provider=default,fips=yes,format=text,type=parameters",
       dsa_param_text_serializer_functions },
-    { "DSA", "default=yes,format=der,type=private",
+    { "DSA", "provider=default,fips=yes,format=der,type=private",
       dsa_priv_der_serializer_functions },
-    { "DSA", "default=yes,format=der,type=public",
+    { "DSA", "provider=default,fips=yes,format=der,type=public",
       dsa_pub_der_serializer_functions },
-    { "DSA", "default=yes,format=der,type=parameters",
+    { "DSA", "provider=default,fips=yes,format=der,type=parameters",
       dsa_param_der_serializer_functions },
-    { "DSA", "default=yes,format=pem,type=private",
+    { "DSA", "provider=default,fips=yes,format=pem,type=private",
       dsa_priv_pem_serializer_functions },
-    { "DSA", "default=yes,format=pem,type=public",
+    { "DSA", "provider=default,fips=yes,format=pem,type=public",
       dsa_pub_pem_serializer_functions },
-    { "DSA", "default=yes,format=pem,type=parameters",
+    { "DSA", "provider=default,fips=yes,format=pem,type=parameters",
       dsa_param_pem_serializer_functions },
 #endif
 
-- 
cgit v1.1