fips: allow to customize provider vendor name

FIPS providers need to specify identifiable names and versions. Allow to customize the fips provider name prefix, via VERSION.dat which already allows to customize version & buildinfo. With this patch in-place it removes the need of patching code to set customized provider name. E.g. echo FIPSVENDOR=ACME >> VERSION.dat, results in ``` $ OPENSSL_CONF=fips-and-base.cnf ../util/wrap.pl ../apps/openssl list -providers --verbose Providers: base name: OpenSSL Base Provider version: 3.4.0 status: active build info: 3.4.0-dev gettable provider parameters: name: pointer to a UTF8 encoded string (arbitrary size) version: pointer to a UTF8 encoded string (arbitrary size) buildinfo: pointer to a UTF8 encoded string (arbitrary size) status: integer (arbitrary size) fips name: ACME OpenSSL FIPS Provider version: 3.4.0 status: active build info: 3.4.0-dev gettable provider parameters: name: pointer to a UTF8 encoded string (arbitrary size) version: pointer to a UTF8 encoded string (arbitrary size) buildinfo: pointer to a UTF8 encoded string (arbitrary size) status: integer (arbitrary size) security-checks: integer (arbitrary size) tls1-prf-ems-check: integer (arbitrary size) drbg-no-trunc-md: integer (arbitrary size) ```
openssl · May 10, 2024 · 5c7c29e · 5c7c29e
1 parent 4a50882
commit 5c7c29e
Show file tree

Hide file tree

Showing 5 changed files with 13 additions and 2 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -81,6 +81,9 @@ jobs:
       run: git submodule update --init --depth 1 fuzz/corpora
     - name: localegen
       run: sudo locale-gen tr_TR.UTF-8
+    - name: fipsvendor
+      # Make one fips build use a customized FIPS vendor
+      run: echo "FIPSVENDOR=CI" >> VERSION.dat
     - name: config
       # enable-quic is on by default, but we leave it here to check we're testing the explicit enable somewhere
       run: CC=gcc ./config --banner=Configured enable-demos enable-h3demo enable-fips enable-quic --strict-warnings && perl configdata.pm --dump

diff --git a/Configure b/Configure
@@ -360,6 +360,8 @@ $config{release_date} = $version{RELEASE_DATE} // 'xx XXX xxxx';
 
 $config{version} = "$config{major}.$config{minor}.$config{patch}";
 $config{full_version} = "$config{version}$config{prerelease}$config{build_metadata}";
+$config{FIPSVENDOR} =
+    (defined $version{FIPSVENDOR} ? "$version{FIPSVENDOR} " : "") . "OpenSSL FIPS Provider";
 
 die "erroneous version information in VERSION.dat: ",
     "$config{version}, $config{shlib_version}\n"

diff --git a/include/openssl/fipskey.h.in b/include/openssl/fipskey.h.in
@@ -28,6 +28,11 @@ extern "C" {
  */
 #define FIPS_KEY_STRING "{- $config{FIPSKEY} -}"
 
+/*
+ * The FIPS provider vendor name, as a string.
+ */
+#define FIPS_VENDOR "{- $config{FIPSVENDOR} -}"
+
 # ifdef  __cplusplus
 }
 # endif

diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c
@@ -12,6 +12,7 @@
 #include <openssl/core_names.h>
 #include <openssl/params.h>
 #include <openssl/fips_names.h>
+#include <openssl/fipskey.h>
 #include <openssl/rand.h> /* RAND_get0_public() */
 #include <openssl/proverr.h>
 #include "internal/cryptlib.h"
@@ -199,7 +200,7 @@ static int fips_get_params(void *provctx, OSSL_PARAM params[])
                                               OSSL_LIB_CTX_FIPS_PROV_INDEX);
 
     p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_NAME);
-    if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "OpenSSL FIPS Provider"))
+    if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, FIPS_VENDOR))
         return 0;
     p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_VERSION);
     if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_VERSION_STR))

diff --git a/test/drbgtest.c b/test/drbgtest.c
@@ -142,7 +142,7 @@ static int using_fips_rng(void)
     if (!TEST_ptr(prov))
         return 0;
     name = OSSL_PROVIDER_get0_name(prov);
-    return strcmp(name, "OpenSSL FIPS Provider") == 0;
+    return strstr(name, "OpenSSL FIPS Provider") != NULL;
 }
 
  /*