Make core code available within the FIPS module
Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8728)
This commit is contained in:
Matt Caswell
parent
ecb0f148a9
commit
3593266d1c
8 changed files with 97 additions and 6 deletions
|
|
@ -12,6 +12,9 @@ LIBS=../libcrypto
|
||||||
SOURCE[../libcrypto]=provider_core.c provider_predefined.c provider_conf.c \
|
SOURCE[../libcrypto]=provider_core.c provider_predefined.c provider_conf.c \
|
||||||
core_fetch.c core_namemap.c
|
core_fetch.c core_namemap.c
|
||||||
|
|
||||||
|
SOURCE[../providers/fips]=provider_core.c provider_predefined.c \
|
||||||
|
core_fetch.c core_namemap.c
|
||||||
|
|
||||||
# Central utilities
|
# Central utilities
|
||||||
SOURCE[../libcrypto]=\
|
SOURCE[../libcrypto]=\
|
||||||
cryptlib.c mem.c mem_dbg.c cversion.c info.c ex_data.c cpt_err.c \
|
cryptlib.c mem.c mem_dbg.c cversion.c info.c ex_data.c cpt_err.c \
|
||||||
|
|
@ -23,7 +26,8 @@ SOURCE[../libcrypto]=\
|
||||||
|
|
||||||
# FIPS module
|
# FIPS module
|
||||||
SOURCE[../providers/fips]=\
|
SOURCE[../providers/fips]=\
|
||||||
cryptlib.c mem.c mem_clr.c params.c bsearch.c
|
cryptlib.c mem.c mem_clr.c params.c bsearch.c ex_data.c o_str.c \
|
||||||
|
threads_pthread.c threads_win.c threads_none.c context.c
|
||||||
|
|
||||||
|
|
||||||
DEPEND[cversion.o]=buildinf.h
|
DEPEND[cversion.o]=buildinf.h
|
||||||
|
|
|
||||||
|
|
@ -36,10 +36,10 @@ struct openssl_ctx_st {
|
||||||
|
|
||||||
#ifndef FIPS_MODE
|
#ifndef FIPS_MODE
|
||||||
static OPENSSL_CTX default_context_int;
|
static OPENSSL_CTX default_context_int;
|
||||||
#endif
|
|
||||||
|
|
||||||
/* Always points at default_context_int if it has been initialised */
|
/* Always points at default_context_int if it has been initialised */
|
||||||
static OPENSSL_CTX *default_context = NULL;
|
static OPENSSL_CTX *default_context = NULL;
|
||||||
|
#endif
|
||||||
|
|
||||||
static int context_init(OPENSSL_CTX *ctx)
|
static int context_init(OPENSSL_CTX *ctx)
|
||||||
{
|
{
|
||||||
|
|
|
||||||
|
|
@ -275,7 +275,9 @@ void ossl_provider_free(OSSL_PROVIDER *prov)
|
||||||
* the store. All we have to do here is clean it out.
|
* the store. All we have to do here is clean it out.
|
||||||
*/
|
*/
|
||||||
if (ref == 0) {
|
if (ref == 0) {
|
||||||
|
#ifndef FIPS_MODE
|
||||||
DSO_free(prov->module);
|
DSO_free(prov->module);
|
||||||
|
#endif
|
||||||
OPENSSL_free(prov->name);
|
OPENSSL_free(prov->name);
|
||||||
OPENSSL_free(prov->path);
|
OPENSSL_free(prov->path);
|
||||||
sk_INFOPAIR_pop_free(prov->parameters, free_infopair);
|
sk_INFOPAIR_pop_free(prov->parameters, free_infopair);
|
||||||
|
|
@ -352,6 +354,9 @@ static int provider_activate(OSSL_PROVIDER *prov)
|
||||||
* a loadable module.
|
* a loadable module.
|
||||||
*/
|
*/
|
||||||
if (prov->init_function == NULL) {
|
if (prov->init_function == NULL) {
|
||||||
|
#ifdef FIPS_MODE
|
||||||
|
return 0;
|
||||||
|
#else
|
||||||
if (prov->module == NULL) {
|
if (prov->module == NULL) {
|
||||||
char *allocated_path = NULL;
|
char *allocated_path = NULL;
|
||||||
const char *module_path = NULL;
|
const char *module_path = NULL;
|
||||||
|
|
@ -389,6 +394,7 @@ static int provider_activate(OSSL_PROVIDER *prov)
|
||||||
if (prov->module != NULL)
|
if (prov->module != NULL)
|
||||||
prov->init_function = (OSSL_provider_init_fn *)
|
prov->init_function = (OSSL_provider_init_fn *)
|
||||||
DSO_bind_func(prov->module, "OSSL_provider_init");
|
DSO_bind_func(prov->module, "OSSL_provider_init");
|
||||||
|
#endif
|
||||||
}
|
}
|
||||||
|
|
||||||
if (prov->init_function == NULL
|
if (prov->init_function == NULL
|
||||||
|
|
@ -396,8 +402,10 @@ static int provider_activate(OSSL_PROVIDER *prov)
|
||||||
&prov->provctx)) {
|
&prov->provctx)) {
|
||||||
CRYPTOerr(CRYPTO_F_PROVIDER_ACTIVATE, ERR_R_INIT_FAIL);
|
CRYPTOerr(CRYPTO_F_PROVIDER_ACTIVATE, ERR_R_INIT_FAIL);
|
||||||
ERR_add_error_data(2, "name=", prov->name);
|
ERR_add_error_data(2, "name=", prov->name);
|
||||||
|
#ifndef FIPS_MODE
|
||||||
DSO_free(prov->module);
|
DSO_free(prov->module);
|
||||||
prov->module = NULL;
|
prov->module = NULL;
|
||||||
|
#endif
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -557,13 +565,21 @@ const DSO *ossl_provider_dso(OSSL_PROVIDER *prov)
|
||||||
|
|
||||||
const char *ossl_provider_module_name(OSSL_PROVIDER *prov)
|
const char *ossl_provider_module_name(OSSL_PROVIDER *prov)
|
||||||
{
|
{
|
||||||
|
#ifdef FIPS_MODE
|
||||||
|
return NULL;
|
||||||
|
#else
|
||||||
return DSO_get_filename(prov->module);
|
return DSO_get_filename(prov->module);
|
||||||
|
#endif
|
||||||
}
|
}
|
||||||
|
|
||||||
const char *ossl_provider_module_path(OSSL_PROVIDER *prov)
|
const char *ossl_provider_module_path(OSSL_PROVIDER *prov)
|
||||||
{
|
{
|
||||||
|
#ifdef FIPS_MODE
|
||||||
|
return NULL;
|
||||||
|
#else
|
||||||
/* FIXME: Ensure it's a full path */
|
/* FIXME: Ensure it's a full path */
|
||||||
return DSO_get_filename(prov->module);
|
return DSO_get_filename(prov->module);
|
||||||
|
#endif
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Wrappers around calls to the provider */
|
/* Wrappers around calls to the provider */
|
||||||
|
|
@ -643,6 +659,8 @@ static int core_get_params(const OSSL_PROVIDER *prov, const OSSL_PARAM params[])
|
||||||
static const OSSL_DISPATCH core_dispatch_[] = {
|
static const OSSL_DISPATCH core_dispatch_[] = {
|
||||||
{ OSSL_FUNC_CORE_GET_PARAM_TYPES, (void (*)(void))core_get_param_types },
|
{ OSSL_FUNC_CORE_GET_PARAM_TYPES, (void (*)(void))core_get_param_types },
|
||||||
{ OSSL_FUNC_CORE_GET_PARAMS, (void (*)(void))core_get_params },
|
{ OSSL_FUNC_CORE_GET_PARAMS, (void (*)(void))core_get_params },
|
||||||
|
{ OSSL_FUNC_CORE_PUT_ERROR, (void (*)(void))ERR_put_error },
|
||||||
|
{ OSSL_FUNC_CORE_ADD_ERROR_VDATA, (void (*)(void))ERR_add_error_vdata },
|
||||||
{ 0, NULL }
|
{ 0, NULL }
|
||||||
};
|
};
|
||||||
static const OSSL_DISPATCH *core_dispatch = core_dispatch_;
|
static const OSSL_DISPATCH *core_dispatch = core_dispatch_;
|
||||||
|
|
|
||||||
|
|
@ -11,8 +11,13 @@
|
||||||
#include "provider_local.h"
|
#include "provider_local.h"
|
||||||
|
|
||||||
OSSL_provider_init_fn ossl_default_provider_init;
|
OSSL_provider_init_fn ossl_default_provider_init;
|
||||||
|
OSSL_provider_init_fn fips_intern_provider_init;
|
||||||
|
|
||||||
const struct predefined_providers_st predefined_providers[] = {
|
const struct predefined_providers_st predefined_providers[] = {
|
||||||
|
#ifdef FIPS_MODE
|
||||||
|
{ "fips", fips_intern_provider_init, 1 },
|
||||||
|
#else
|
||||||
{ "default", ossl_default_provider_init, 1 },
|
{ "default", ossl_default_provider_init, 1 },
|
||||||
|
#endif
|
||||||
{ NULL, NULL, 0 }
|
{ NULL, NULL, 0 }
|
||||||
};
|
};
|
||||||
|
|
|
||||||
|
|
@ -1,2 +1,3 @@
|
||||||
LIBS=../../libcrypto
|
LIBS=../../libcrypto
|
||||||
SOURCE[../../libcrypto]=stack.c
|
SOURCE[../../libcrypto]=stack.c
|
||||||
|
SOURCE[../../providers/fips]=stack.c
|
||||||
|
|
|
||||||
|
|
@ -175,6 +175,9 @@ int CRYPTO_atomic_add(int *val, int amount, int *ret, CRYPTO_RWLOCK *lock)
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# ifndef FIPS_MODE
|
||||||
|
/* TODO(3.0): No fork protection in FIPS module yet! */
|
||||||
|
|
||||||
# ifdef OPENSSL_SYS_UNIX
|
# ifdef OPENSSL_SYS_UNIX
|
||||||
static pthread_once_t fork_once_control = PTHREAD_ONCE_INIT;
|
static pthread_once_t fork_once_control = PTHREAD_ONCE_INIT;
|
||||||
|
|
||||||
|
|
@ -193,4 +196,5 @@ int openssl_init_fork_handlers(void)
|
||||||
# endif
|
# endif
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
# endif /* FIPS_MODE */
|
||||||
#endif
|
#endif
|
||||||
|
|
|
||||||
|
|
@ -10,6 +10,7 @@
|
||||||
#ifndef OSSL_CORE_NUMBERS_H
|
#ifndef OSSL_CORE_NUMBERS_H
|
||||||
# define OSSL_CORE_NUMBERS_H
|
# define OSSL_CORE_NUMBERS_H
|
||||||
|
|
||||||
|
# include <stdarg.h>
|
||||||
# include <openssl/core.h>
|
# include <openssl/core.h>
|
||||||
|
|
||||||
# ifdef __cplusplus
|
# ifdef __cplusplus
|
||||||
|
|
@ -57,6 +58,12 @@ OSSL_CORE_MAKE_FUNC(const OSSL_ITEM *,
|
||||||
# define OSSL_FUNC_CORE_GET_PARAMS 2
|
# define OSSL_FUNC_CORE_GET_PARAMS 2
|
||||||
OSSL_CORE_MAKE_FUNC(int,core_get_params,(const OSSL_PROVIDER *prov,
|
OSSL_CORE_MAKE_FUNC(int,core_get_params,(const OSSL_PROVIDER *prov,
|
||||||
const OSSL_PARAM params[]))
|
const OSSL_PARAM params[]))
|
||||||
|
# define OSSL_FUNC_CORE_PUT_ERROR 3
|
||||||
|
OSSL_CORE_MAKE_FUNC(void,core_put_error,(int lib, int func, int reason,
|
||||||
|
const char *file, int line))
|
||||||
|
# define OSSL_FUNC_CORE_ADD_ERROR_VDATA 4
|
||||||
|
OSSL_CORE_MAKE_FUNC(void,core_add_error_vdata,(int num, va_list args))
|
||||||
|
|
||||||
|
|
||||||
/* Functions provided by the provider to the Core, reserved numbers 1024-1535 */
|
/* Functions provided by the provider to the Core, reserved numbers 1024-1535 */
|
||||||
# define OSSL_FUNC_PROVIDER_TEARDOWN 1024
|
# define OSSL_FUNC_PROVIDER_TEARDOWN 1024
|
||||||
|
|
|
||||||
|
|
@ -13,10 +13,14 @@
|
||||||
#include <openssl/core_numbers.h>
|
#include <openssl/core_numbers.h>
|
||||||
#include <openssl/core_names.h>
|
#include <openssl/core_names.h>
|
||||||
#include <openssl/params.h>
|
#include <openssl/params.h>
|
||||||
|
#include <openssl/err.h>
|
||||||
|
#include "internal/cryptlib.h"
|
||||||
|
|
||||||
/* Functions provided by the core */
|
/* Functions provided by the core */
|
||||||
static OSSL_core_get_param_types_fn *c_get_param_types = NULL;
|
static OSSL_core_get_param_types_fn *c_get_param_types = NULL;
|
||||||
static OSSL_core_get_params_fn *c_get_params = NULL;
|
static OSSL_core_get_params_fn *c_get_params = NULL;
|
||||||
|
static OSSL_core_put_error_fn *c_put_error = NULL;
|
||||||
|
static OSSL_core_add_error_vdata_fn *c_add_error_vdata = NULL;
|
||||||
|
|
||||||
/* Parameters we provide to the core */
|
/* Parameters we provide to the core */
|
||||||
static const OSSL_ITEM fips_param_types[] = {
|
static const OSSL_ITEM fips_param_types[] = {
|
||||||
|
|
@ -26,6 +30,11 @@ static const OSSL_ITEM fips_param_types[] = {
|
||||||
{ 0, NULL }
|
{ 0, NULL }
|
||||||
};
|
};
|
||||||
|
|
||||||
|
static void fips_teardown(void)
|
||||||
|
{
|
||||||
|
do_default_context_deinit();
|
||||||
|
}
|
||||||
|
|
||||||
static const OSSL_ITEM *fips_get_param_types(const OSSL_PROVIDER *prov)
|
static const OSSL_ITEM *fips_get_param_types(const OSSL_PROVIDER *prov)
|
||||||
{
|
{
|
||||||
return fips_param_types;
|
return fips_param_types;
|
||||||
|
|
@ -70,6 +79,7 @@ static const OSSL_ALGORITHM *fips_query(OSSL_PROVIDER *prov,
|
||||||
|
|
||||||
/* Functions we provide to the core */
|
/* Functions we provide to the core */
|
||||||
static const OSSL_DISPATCH fips_dispatch_table[] = {
|
static const OSSL_DISPATCH fips_dispatch_table[] = {
|
||||||
|
{ OSSL_FUNC_PROVIDER_TEARDOWN, (void (*)(void))fips_teardown },
|
||||||
{ OSSL_FUNC_PROVIDER_GET_PARAM_TYPES, (void (*)(void))fips_get_param_types },
|
{ OSSL_FUNC_PROVIDER_GET_PARAM_TYPES, (void (*)(void))fips_get_param_types },
|
||||||
{ OSSL_FUNC_PROVIDER_GET_PARAMS, (void (*)(void))fips_get_params },
|
{ OSSL_FUNC_PROVIDER_GET_PARAMS, (void (*)(void))fips_get_params },
|
||||||
{ OSSL_FUNC_PROVIDER_QUERY_OPERATION, (void (*)(void))fips_query },
|
{ OSSL_FUNC_PROVIDER_QUERY_OPERATION, (void (*)(void))fips_query },
|
||||||
|
|
@ -89,6 +99,12 @@ int OSSL_provider_init(const OSSL_PROVIDER *provider,
|
||||||
case OSSL_FUNC_CORE_GET_PARAMS:
|
case OSSL_FUNC_CORE_GET_PARAMS:
|
||||||
c_get_params = OSSL_get_core_get_params(in);
|
c_get_params = OSSL_get_core_get_params(in);
|
||||||
break;
|
break;
|
||||||
|
case OSSL_FUNC_CORE_PUT_ERROR:
|
||||||
|
c_put_error = OSSL_get_core_put_error(in);
|
||||||
|
break;
|
||||||
|
case OSSL_FUNC_CORE_ADD_ERROR_VDATA:
|
||||||
|
c_add_error_vdata = OSSL_get_core_add_error_vdata(in);
|
||||||
|
break;
|
||||||
/* Just ignore anything we don't understand */
|
/* Just ignore anything we don't understand */
|
||||||
default:
|
default:
|
||||||
break;
|
break;
|
||||||
|
|
@ -98,3 +114,39 @@ int OSSL_provider_init(const OSSL_PROVIDER *provider,
|
||||||
*out = fips_dispatch_table;
|
*out = fips_dispatch_table;
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
OSSL_provider_init_fn fips_intern_provider_init;
|
||||||
|
int fips_intern_provider_init(const OSSL_PROVIDER *provider,
|
||||||
|
const OSSL_DISPATCH *in,
|
||||||
|
const OSSL_DISPATCH **out)
|
||||||
|
{
|
||||||
|
/*
|
||||||
|
* The internal init function used when the FIPS module uses EVP to call
|
||||||
|
* another algorithm also in the FIPS module.
|
||||||
|
*/
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
void ERR_put_error(int lib, int func, int reason, const char *file, int line)
|
||||||
|
{
|
||||||
|
/*
|
||||||
|
* TODO(3.0): This works for the FIPS module because we're going to be
|
||||||
|
* using lib/func/reason codes that libcrypto already knows about. This
|
||||||
|
* won't work for third party providers that have their own error mechanisms,
|
||||||
|
* so we'll need to come up with something else for them.
|
||||||
|
*/
|
||||||
|
c_put_error(lib, func, reason, file, line);
|
||||||
|
}
|
||||||
|
|
||||||
|
void ERR_add_error_data(int num, ...)
|
||||||
|
{
|
||||||
|
va_list args;
|
||||||
|
va_start(args, num);
|
||||||
|
ERR_add_error_vdata(num, args);
|
||||||
|
va_end(args);
|
||||||
|
}
|
||||||
|
|
||||||
|
void ERR_add_error_vdata(int num, va_list args)
|
||||||
|
{
|
||||||
|
c_add_error_vdata(num, args);
|
||||||
|
}
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue