wbrawner/openssl
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Make some EVP code available from within the FIPS module

Browse source 
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8728)
This commit is contained in:
Matt Caswell 2019-05-13 06:41:06 +01:00
parent 3593266d1c
commit 319e518a5a
9 changed files with 156 additions and 33 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
crypto/build.info
View file

@ -27,7 +27,8 @@ SOURCE[../libcrypto]=\
# FIPS module
SOURCE[../providers/fips]=\
cryptlib.c mem.c mem_clr.c params.c bsearch.c ex_data.c o_str.c \
threads_pthread.c threads_win.c threads_none.c context.c
ctype.c threads_pthread.c threads_win.c threads_none.c context.c \
sparse_array.c
DEPEND[cversion.o]=buildinf.h

4
crypto/evp/build.info
View file

@ -20,6 +20,10 @@ SOURCE[../../libcrypto]=\
SOURCE[../../libcrypto]=\
evp_fetch.c
# FIPS Module
SOURCE[../../providers/fips]=\
digest.c evp_enc.c evp_lib.c evp_fetch.c cmeth_lib.c
INCLUDE[e_aes.o]=.. ../modes
INCLUDE[e_aes_cbc_hmac_sha1.o]=../modes
INCLUDE[e_aes_cbc_hmac_sha256.o]=../modes

39
crypto/evp/digest.c
View file

@ -55,10 +55,14 @@ int EVP_MD_CTX_reset(EVP_MD_CTX *ctx)
* pctx should be freed by the user of EVP_MD_CTX
* if EVP_MD_CTX_FLAG_KEEP_PKEY_CTX is set
*/
#ifndef FIPS_MODE
/* TODO(3.0): Temporarily no support for EVP_DigestSign* in FIPS module */
if (!EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_KEEP_PKEY_CTX))
EVP_PKEY_CTX_free(ctx->pctx);
#ifndef OPENSSL_NO_ENGINE
# ifndef OPENSSL_NO_ENGINE
ENGINE_finish(ctx->engine);
# endif
#endif
OPENSSL_cleanse(ctx, sizeof(*ctx));
@ -102,8 +106,9 @@ int EVP_DigestInit(EVP_MD_CTX *ctx, const EVP_MD *type)
int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
{
EVP_MD *provmd;
#if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODE)
ENGINE *tmpimpl = NULL;
#endif
EVP_MD_CTX_clear_flags(ctx, EVP_MD_CTX_FLAG_CLEANED);
@ -111,7 +116,7 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
ctx->reqdigest = type;
/* TODO(3.0): Legacy work around code below. Remove this */
#ifndef OPENSSL_NO_ENGINE
#if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODE)
/*
* Whether it's nice or not, "Inits" can be used on "Final"'d contexts so
* this context may already have an ENGINE! Try to avoid releasing the
@ -132,7 +137,9 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
*/
if (ctx->engine != NULL
|| impl != NULL
#if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODE)
|| tmpimpl != NULL
#endif
|| ctx->pctx != NULL
|| (ctx->flags & EVP_MD_CTX_FLAG_NO_INIT) != 0) {
if (ctx->digest == ctx->fetched_digest)
@ -160,7 +167,13 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
/* TODO(3.0): Start of non-legacy code below */
if (type->prov == NULL) {
provmd = EVP_MD_fetch(NULL, OBJ_nid2sn(type->type), "");
#ifdef FIPS_MODE
/* We only do explict fetches inside the FIPS module */
EVPerr(EVP_F_EVP_DIGESTINIT_EX, EVP_R_INITIALIZATION_ERROR);
return 0;
#else
EVP_MD *provmd = EVP_MD_fetch(NULL, OBJ_nid2sn(type->type), "");
if (provmd == NULL) {
EVPerr(EVP_F_EVP_DIGESTINIT_EX, EVP_R_INITIALIZATION_ERROR);
return 0;
@ -168,6 +181,7 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
type = provmd;
EVP_MD_meth_free(ctx->fetched_digest);
ctx->fetched_digest = provmd;
#endif
}
ctx->digest = type;
@ -189,7 +203,7 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
/* TODO(3.0): Remove legacy code below */
legacy:
#ifndef OPENSSL_NO_ENGINE
#if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODE)
if (type) {
/*
* Ensure an ENGINE left lying around from last time is cleared (the
@ -247,16 +261,19 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
}
}
}
#ifndef OPENSSL_NO_ENGINE
#if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODE)
skip_to_init:
#endif
if (ctx->pctx) {
#ifndef FIPS_MODE
/* TODO(3.0): Temporarily no support for EVP_DigestSign* in FIPS module */
if (ctx->pctx != NULL) {
int r;
r = EVP_PKEY_CTX_ctrl(ctx->pctx, -1, EVP_PKEY_OP_TYPE_SIG,
EVP_PKEY_CTRL_DIGESTINIT, 0, ctx);
if (r <= 0 && (r != -2))
return 0;
}
#endif
if (ctx->flags & EVP_MD_CTX_FLAG_NO_INIT)
return 1;
return ctx->digest->init(ctx);
@ -397,6 +414,8 @@ int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in)
/* copied EVP_MD_CTX should free the copied EVP_PKEY_CTX */
EVP_MD_CTX_clear_flags(out, EVP_MD_CTX_FLAG_KEEP_PKEY_CTX);
#ifndef FIPS_MODE
/* TODO(3.0): Temporarily no support for EVP_DigestSign* in FIPS module */
if (in->pctx != NULL) {
out->pctx = EVP_PKEY_CTX_dup(in->pctx);
if (out->pctx == NULL) {
@ -405,12 +424,13 @@ int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in)
return 0;
}
}
#endif
return 1;
/* TODO(3.0): Remove legacy code below */
legacy:
#ifndef OPENSSL_NO_ENGINE
#if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODE)
/* Make sure it's safe to copy a digest context using an ENGINE */
if (in->engine && !ENGINE_init(in->engine)) {
EVPerr(EVP_F_EVP_MD_CTX_COPY_EX, ERR_R_ENGINE_LIB);
@ -451,6 +471,8 @@ int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in)
out->update = in->update;
#ifndef FIPS_MODE
/* TODO(3.0): Temporarily no support for EVP_DigestSign* in FIPS module */
if (in->pctx) {
out->pctx = EVP_PKEY_CTX_dup(in->pctx);
if (!out->pctx) {
@ -458,6 +480,7 @@ int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in)
return 0;
}
}
#endif
if (out->digest->copy)
return out->digest->copy(out, in);

32
crypto/evp/evp_enc.c
View file

@ -51,7 +51,7 @@ int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX *ctx)
OPENSSL_cleanse(ctx->cipher_data, ctx->cipher->ctx_size);
}
OPENSSL_free(ctx->cipher_data);
#ifndef OPENSSL_NO_ENGINE
#if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODE)
ENGINE_finish(ctx->engine);
#endif
memset(ctx, 0, sizeof(*ctx));
@ -81,8 +81,9 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
ENGINE *impl, const unsigned char *key,
const unsigned char *iv, int enc)
{
EVP_CIPHER *provciph = NULL;
#if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODE)
ENGINE *tmpimpl = NULL;
#endif
const EVP_CIPHER *tmpcipher;
/*
@ -105,7 +106,7 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
/* TODO(3.0): Legacy work around code below. Remove this */
#ifndef OPENSSL_NO_ENGINE
#if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODE)
/*
* Whether it's nice or not, "Inits" can be used on "Final"'d contexts so
* this context may already have an ENGINE! Try to avoid releasing the
@ -126,8 +127,10 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
* If there are engines involved then we should use legacy handling for now.
*/
if (ctx->engine != NULL
|| impl != NULL
|| tmpimpl != NULL) {
#if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODE)
|| tmpimpl != NULL
#endif
|| impl != NULL) {
if (ctx->cipher == ctx->fetched_cipher)
ctx->cipher = NULL;
EVP_CIPHER_meth_free(ctx->fetched_cipher);
@ -194,7 +197,14 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
cipher = ctx->cipher;
if (cipher->prov == NULL) {
provciph = EVP_CIPHER_fetch(NULL, OBJ_nid2sn(cipher->nid), "");
#ifdef FIPS_MODE
/* We only do explict fetches inside the FIPS module */
EVPerr(EVP_F_EVP_CIPHERINIT_EX, EVP_R_INITIALIZATION_ERROR);
return 0;
#else
EVP_CIPHER *provciph =
EVP_CIPHER_fetch(NULL, OBJ_nid2sn(cipher->nid), "");
if (provciph == NULL) {
EVPerr(EVP_F_EVP_CIPHERINIT_EX, EVP_R_INITIALIZATION_ERROR);
return 0;
@ -202,6 +212,7 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
cipher = provciph;
EVP_CIPHER_meth_free(ctx->fetched_cipher);
ctx->fetched_cipher = provciph;
#endif
}
ctx->cipher = cipher;
@ -279,7 +290,7 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
ctx->encrypt = enc;
ctx->flags = flags;
}
#ifndef OPENSSL_NO_ENGINE
#if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODE)
if (impl != NULL) {
if (!ENGINE_init(impl)) {
EVPerr(EVP_F_EVP_CIPHERINIT_EX, EVP_R_INITIALIZATION_ERROR);
@ -335,7 +346,7 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
}
}
}
#ifndef OPENSSL_NO_ENGINE
#if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODE)
skip_to_init:
#endif
if (ctx->cipher == NULL)
@ -966,6 +977,8 @@ int EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr)
return ret;
}
#if !defined(FIPS_MODE)
/* TODO(3.0): No support for RAND yet in the FIPS module */
int EVP_CIPHER_CTX_rand_key(EVP_CIPHER_CTX *ctx, unsigned char *key)
{
int kl;
@ -976,6 +989,7 @@ int EVP_CIPHER_CTX_rand_key(EVP_CIPHER_CTX *ctx, unsigned char *key)
return 0;
return 1;
}
#endif
int EVP_CIPHER_CTX_copy(EVP_CIPHER_CTX *out, const EVP_CIPHER_CTX *in)
{
@ -1013,7 +1027,7 @@ int EVP_CIPHER_CTX_copy(EVP_CIPHER_CTX *out, const EVP_CIPHER_CTX *in)
/* TODO(3.0): Remove legacy code below */
legacy:
#ifndef OPENSSL_NO_ENGINE
#if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODE)
/* Make sure it's safe to copy a cipher context using an ENGINE */
if (in->engine && !ENGINE_init(in->engine)) {
EVPerr(EVP_F_EVP_CIPHER_CTX_COPY, ERR_R_ENGINE_LIB);

25
crypto/evp/evp_lib.c
View file

@ -17,6 +17,7 @@
#include "internal/provider.h"
#include "evp_locl.h"
#if !defined(FIPS_MODE)
int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type)
{
int ret;
@ -146,12 +147,12 @@ int EVP_CIPHER_set_asn1_iv(EVP_CIPHER_CTX *c, ASN1_TYPE *type)
}
return i;
}
#endif /* !defined(FIPS_MODE) */
/* Convert the various cipher NIDs and dummies to a proper OID NID */
int EVP_CIPHER_type(const EVP_CIPHER *ctx)
{
int nid;
ASN1_OBJECT *otmp;
nid = EVP_CIPHER_nid(ctx);
switch (nid) {
@ -198,12 +199,19 @@ int EVP_CIPHER_type(const EVP_CIPHER *ctx)
return NID_des_cfb64;
default:
/* Check it has an OID and it is valid */
otmp = OBJ_nid2obj(nid);
if (OBJ_get0_data(otmp) == NULL)
nid = NID_undef;
ASN1_OBJECT_free(otmp);
return nid;
#ifdef FIPS_MODE
return NID_undef;
#else
{
/* Check it has an OID and it is valid */
ASN1_OBJECT *otmp = OBJ_nid2obj(nid);
if (OBJ_get0_data(otmp) == NULL)
nid = NID_undef;
ASN1_OBJECT_free(otmp);
return nid;
}
#endif
}
}
@ -596,6 +604,8 @@ EVP_PKEY_CTX *EVP_MD_CTX_pkey_ctx(const EVP_MD_CTX *ctx)
return ctx->pctx;
}
#if !defined(FIPS_MODE)
/* TODO(3.0): EVP_DigestSign* not yet supported in FIPS module */
void EVP_MD_CTX_set_pkey_ctx(EVP_MD_CTX *ctx, EVP_PKEY_CTX *pctx)
{
/*
@ -614,6 +624,7 @@ void EVP_MD_CTX_set_pkey_ctx(EVP_MD_CTX *ctx, EVP_PKEY_CTX *pctx)
EVP_MD_CTX_clear_flags(ctx, EVP_MD_CTX_FLAG_KEEP_PKEY_CTX);
}
}
#endif /* !defined(FIPS_MODE) */
void *EVP_MD_CTX_md_data(const EVP_MD_CTX *ctx)
{

2
crypto/lhash/build.info
View file

@ -1,3 +1,5 @@
LIBS=../../libcrypto
SOURCE[../../libcrypto]=\
lhash.c lh_stats.c
SOURCE[../../providers/fips]=\
lhash.c

2
crypto/property/build.info
View file

@ -1,3 +1,5 @@
LIBS=../../libcrypto
SOURCE[../../libcrypto]=property_string.c property_parse.c property.c \
property_err.c defn_cache.c
SOURCE[../../providers/fips]=\
property_string.c property_parse.c property.c defn_cache.c

3
crypto/property/property.c
View file

@ -391,6 +391,8 @@ IMPLEMENT_LHASH_DOALL_ARG(QUERY, IMPL_CACHE_FLUSH);
*/
static void impl_cache_flush_cache(QUERY *c, IMPL_CACHE_FLUSH *state)
{
#if !defined(FIPS_MODE)
/* TODO(3.0): No RAND_bytes yet in FIPS module. Add this back when available */
OSSL_METHOD_STORE *store = state->store;
unsigned int n;
@ -404,6 +406,7 @@ static void impl_cache_flush_cache(QUERY *c, IMPL_CACHE_FLUSH *state)
OPENSSL_free(lh_QUERY_delete(state->cache, c));
else
state->nelem++;
#endif /* !defined(FIPS_MODE) */
}
static void impl_cache_flush_one_alg(ossl_uintmax_t idx, ALGORITHM *alg,

79
providers/fips/fipsprov.c
View file

@ -14,7 +14,12 @@
#include <openssl/core_names.h>
#include <openssl/params.h>
#include <openssl/err.h>
#include <openssl/evp.h>
/* TODO(3.0): Needed for dummy_evp_call(). To be removed */
#include <openssl/sha.h>
#include "internal/cryptlib.h"
#include "internal/property.h"
#include "internal/evp_int.h"
/* Functions provided by the core */
static OSSL_core_get_param_types_fn *c_get_param_types = NULL;
@ -30,9 +35,38 @@ static const OSSL_ITEM fips_param_types[] = {
{ 0, NULL }
};
static void fips_teardown(void)
/* TODO(3.0): To be removed */
static int dummy_evp_call(OPENSSL_CTX *libctx)
{
do_default_context_deinit();
EVP_MD_CTX *ctx = EVP_MD_CTX_new();
EVP_MD *sha256 = EVP_MD_fetch(libctx, "SHA256", NULL);
char msg[] = "Hello World!";
const unsigned char exptd[] = {
0x7f, 0x83, 0xb1, 0x65, 0x7f, 0xf1, 0xfc, 0x53, 0xb9, 0x2d, 0xc1, 0x81,
0x48, 0xa1, 0xd6, 0x5d, 0xfc, 0x2d, 0x4b, 0x1f, 0xa3, 0xd6, 0x77, 0x28,
0x4a, 0xdd, 0xd2, 0x00, 0x12, 0x6d, 0x90, 0x69
};
unsigned int dgstlen = 0;
unsigned char dgst[SHA256_DIGEST_LENGTH];
int ret = 0;
if (ctx == NULL || sha256 == NULL)
goto err;
if (!EVP_DigestInit_ex(ctx, sha256, NULL))
goto err;
if (!EVP_DigestUpdate(ctx, msg, sizeof(msg) - 1))
goto err;
if (!EVP_DigestFinal(ctx, dgst, &dgstlen))
goto err;
if (dgstlen != sizeof(exptd) || memcmp(dgst, exptd, sizeof(exptd)) != 0)
goto err;
ret = 1;
err:
EVP_MD_CTX_free(ctx);
EVP_MD_meth_free(sha256);
return ret;
}
static const OSSL_ITEM *fips_get_param_types(const OSSL_PROVIDER *prov)
@ -79,18 +113,31 @@ static const OSSL_ALGORITHM *fips_query(OSSL_PROVIDER *prov,
/* Functions we provide to the core */
static const OSSL_DISPATCH fips_dispatch_table[] = {
{ OSSL_FUNC_PROVIDER_TEARDOWN, (void (*)(void))fips_teardown },
/*
* To release our resources we just need to free the OPENSSL_CTX so we just
* use OPENSSL_CTX_free directly as our teardown function
*/
{ OSSL_FUNC_PROVIDER_TEARDOWN, (void (*)(void))OPENSSL_CTX_free },
{ OSSL_FUNC_PROVIDER_GET_PARAM_TYPES, (void (*)(void))fips_get_param_types },
{ OSSL_FUNC_PROVIDER_GET_PARAMS, (void (*)(void))fips_get_params },
{ OSSL_FUNC_PROVIDER_QUERY_OPERATION, (void (*)(void))fips_query },
{ 0, NULL }
};
/* Functions we provide to ourself */
static const OSSL_DISPATCH intern_dispatch_table[] = {
{ OSSL_FUNC_PROVIDER_QUERY_OPERATION, (void (*)(void))fips_query },
{ 0, NULL }
};
int OSSL_provider_init(const OSSL_PROVIDER *provider,
const OSSL_DISPATCH *in,
const OSSL_DISPATCH **out,
void **provctx)
{
OPENSSL_CTX *ctx;
for (; in->function_id != 0; in++) {
switch (in->function_id) {
case OSSL_FUNC_CORE_GET_PARAM_TYPES:
@ -111,19 +158,35 @@ int OSSL_provider_init(const OSSL_PROVIDER *provider,
}
}
ctx = OPENSSL_CTX_new();
if (ctx == NULL)
return 0;
/*
* TODO(3.0): Remove me. This is just a dummy call to demonstrate making
* EVP calls from within the FIPS module.
*/
if (!dummy_evp_call(ctx)) {
OPENSSL_CTX_free(ctx);
return 0;
}
*out = fips_dispatch_table;
*provctx = ctx;
return 1;
}
/*
* The internal init function used when the FIPS module uses EVP to call
* another algorithm also in the FIPS module.
*/
OSSL_provider_init_fn fips_intern_provider_init;
int fips_intern_provider_init(const OSSL_PROVIDER *provider,
const OSSL_DISPATCH *in,
const OSSL_DISPATCH **out)
const OSSL_DISPATCH **out,
void **provctx)
{
/*
* The internal init function used when the FIPS module uses EVP to call
* another algorithm also in the FIPS module.
*/
*out = intern_dispatch_table;
return 1;
}