Create a FIPS provider and put SHA256 in it
Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8537)
This commit is contained in:
parent
ecbfaef2aa
commit
9efa0ae0b6
8 changed files with 136 additions and 7 deletions
|
@ -21,6 +21,11 @@ SOURCE[../libcrypto]=\
|
|||
trace.c provider.c params.c \
|
||||
{- $target{cpuid_asm_src} -} {- $target{uplink_aux_src} -}
|
||||
|
||||
# FIPS module
|
||||
SOURCE[../providers/fips]=\
|
||||
cryptlib.c mem.c mem_clr.c params.c
|
||||
|
||||
|
||||
DEPEND[cversion.o]=buildinf.h
|
||||
GENERATE[buildinf.h]=../util/mkbuildinf.pl "$(CC) $(LIB_CFLAGS) $(CPPFLAGS_Q)" "$(PLATFORM)"
|
||||
DEPEND[buildinf.h]=../configdata.pm
|
||||
|
|
12
crypto/mem.c
12
crypto/mem.c
|
@ -14,7 +14,7 @@
|
|||
#include <stdlib.h>
|
||||
#include <limits.h>
|
||||
#include <openssl/crypto.h>
|
||||
#ifndef OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE
|
||||
#if !defined(OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE) && !defined(FIPS_MODE)
|
||||
# include <execinfo.h>
|
||||
#endif
|
||||
|
||||
|
@ -30,7 +30,7 @@ static void *(*realloc_impl)(void *, size_t, const char *, int)
|
|||
static void (*free_impl)(void *, const char *, int)
|
||||
= CRYPTO_free;
|
||||
|
||||
#ifndef OPENSSL_NO_CRYPTO_MDEBUG
|
||||
#if !defined(OPENSSL_NO_CRYPTO_MDEBUG) && !defined(FIPS_MODE)
|
||||
# include "internal/tsan_assist.h"
|
||||
|
||||
static TSAN_QUALIFIER int malloc_count;
|
||||
|
@ -94,7 +94,7 @@ void CRYPTO_get_mem_functions(
|
|||
*f = free_impl;
|
||||
}
|
||||
|
||||
#ifndef OPENSSL_NO_CRYPTO_MDEBUG
|
||||
#if !defined(OPENSSL_NO_CRYPTO_MDEBUG) && !defined(FIPS_MODE)
|
||||
void CRYPTO_get_alloc_counts(int *mcount, int *rcount, int *fcount)
|
||||
{
|
||||
if (mcount != NULL)
|
||||
|
@ -209,7 +209,7 @@ void *CRYPTO_malloc(size_t num, const char *file, int line)
|
|||
*/
|
||||
allow_customize = 0;
|
||||
}
|
||||
#ifndef OPENSSL_NO_CRYPTO_MDEBUG
|
||||
#if !defined(OPENSSL_NO_CRYPTO_MDEBUG) && !defined(FIPS_MODE)
|
||||
if (call_malloc_debug) {
|
||||
CRYPTO_mem_debug_malloc(NULL, num, 0, file, line);
|
||||
ret = malloc(num);
|
||||
|
@ -250,7 +250,7 @@ void *CRYPTO_realloc(void *str, size_t num, const char *file, int line)
|
|||
return NULL;
|
||||
}
|
||||
|
||||
#ifndef OPENSSL_NO_CRYPTO_MDEBUG
|
||||
#if !defined(OPENSSL_NO_CRYPTO_MDEBUG) && !defined(FIPS_MODE)
|
||||
if (call_malloc_debug) {
|
||||
void *ret;
|
||||
CRYPTO_mem_debug_realloc(str, NULL, num, 0, file, line);
|
||||
|
@ -300,7 +300,7 @@ void CRYPTO_free(void *str, const char *file, int line)
|
|||
return;
|
||||
}
|
||||
|
||||
#ifndef OPENSSL_NO_CRYPTO_MDEBUG
|
||||
#if !defined(OPENSSL_NO_CRYPTO_MDEBUG) && !defined(FIPS_MODE)
|
||||
if (call_malloc_debug) {
|
||||
CRYPTO_mem_debug_free(str, 0, file, line);
|
||||
free(str);
|
||||
|
|
|
@ -348,6 +348,13 @@ OSSL_PARAM OSSL_PARAM_construct_size_t(const char *key, size_t *buf,
|
|||
return ossl_param_construct(key, OSSL_PARAM_UNSIGNED_INTEGER, buf,
|
||||
sizeof(size_t), rsize); }
|
||||
|
||||
#ifndef FIPS_MODE
|
||||
/*
|
||||
* TODO(3.0): Make this available in FIPS mode.
|
||||
*
|
||||
* Temporarily we don't include these functions in FIPS mode to avoid pulling
|
||||
* in the entire BN sub-library into the module at this point.
|
||||
*/
|
||||
int OSSL_PARAM_get_BN(const OSSL_PARAM *p, BIGNUM **val)
|
||||
{
|
||||
BIGNUM *b;
|
||||
|
@ -387,6 +394,7 @@ OSSL_PARAM OSSL_PARAM_construct_BN(const char *key, unsigned char *buf,
|
|||
return ossl_param_construct(key, OSSL_PARAM_UNSIGNED_INTEGER,
|
||||
buf, bsize, rsize);
|
||||
}
|
||||
#endif
|
||||
|
||||
int OSSL_PARAM_get_double(const OSSL_PARAM *p, double *val)
|
||||
{
|
||||
|
|
|
@ -3,6 +3,8 @@ SOURCE[../../libcrypto]=\
|
|||
sha1dgst.c sha1_one.c sha256.c sha512.c {- $target{sha1_asm_src} -} \
|
||||
{- $target{keccak1600_asm_src} -}
|
||||
|
||||
SOURCE[../../providers/fips]= sha256.c
|
||||
|
||||
GENERATE[sha1-586.s]=asm/sha1-586.pl \
|
||||
$(PERLASM_SCHEME) $(LIB_CFLAGS) $(LIB_CPPFLAGS) $(PROCESSOR)
|
||||
DEPEND[sha1-586.s]=../perlasm/x86asm.pl
|
||||
|
|
|
@ -1 +1,12 @@
|
|||
SUBDIRS=common default
|
||||
|
||||
IF[{- !$disabled{fips} -}]
|
||||
SUBDIRS=fips
|
||||
MODULES=fips
|
||||
IF[{- defined $target{shared_defflag} -}]
|
||||
SOURCE[fips]=fips.ld
|
||||
GENERATE[fips.ld]=../util/providers.num
|
||||
ENDIF
|
||||
INCLUDE[fips]=.. ../include ../crypto/include
|
||||
DEFINE[fips]=FIPS_MODE
|
||||
ENDIF
|
||||
|
|
|
@ -1,3 +1,5 @@
|
|||
LIBS=../../../libcrypto
|
||||
SOURCE[../../../libcrypto]=\
|
||||
sha2.c
|
||||
|
||||
SOURCE[../../fips]=\
|
||||
sha2.c
|
||||
|
|
2
providers/fips/build.info
Normal file
2
providers/fips/build.info
Normal file
|
@ -0,0 +1,2 @@
|
|||
|
||||
SOURCE[../fips]=fipsprov.c
|
99
providers/fips/fipsprov.c
Normal file
99
providers/fips/fipsprov.c
Normal file
|
@ -0,0 +1,99 @@
|
|||
/*
|
||||
* Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
#include <string.h>
|
||||
#include <stdio.h>
|
||||
#include <openssl/core.h>
|
||||
#include <openssl/core_numbers.h>
|
||||
#include <openssl/core_names.h>
|
||||
#include <openssl/params.h>
|
||||
|
||||
/* Functions provided by the core */
|
||||
static OSSL_core_get_param_types_fn *c_get_param_types = NULL;
|
||||
static OSSL_core_get_params_fn *c_get_params = NULL;
|
||||
|
||||
/* Parameters we provide to the core */
|
||||
static const OSSL_ITEM fips_param_types[] = {
|
||||
{ OSSL_PARAM_UTF8_PTR, OSSL_PROV_PARAM_NAME },
|
||||
{ OSSL_PARAM_UTF8_PTR, OSSL_PROV_PARAM_VERSION },
|
||||
{ OSSL_PARAM_UTF8_PTR, OSSL_PROV_PARAM_BUILDINFO },
|
||||
{ 0, NULL }
|
||||
};
|
||||
|
||||
static const OSSL_ITEM *fips_get_param_types(const OSSL_PROVIDER *prov)
|
||||
{
|
||||
return fips_param_types;
|
||||
}
|
||||
|
||||
static int fips_get_params(const OSSL_PROVIDER *prov,
|
||||
const OSSL_PARAM params[])
|
||||
{
|
||||
const OSSL_PARAM *p;
|
||||
|
||||
p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_NAME);
|
||||
if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "OpenSSL FIPS Provider"))
|
||||
return 0;
|
||||
p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_VERSION);
|
||||
if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_VERSION_STR))
|
||||
return 0;
|
||||
p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_BUILDINFO);
|
||||
if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_FULL_VERSION_STR))
|
||||
return 0;
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
extern const OSSL_DISPATCH sha256_functions[];
|
||||
|
||||
static const OSSL_ALGORITHM fips_digests[] = {
|
||||
{ "SHA256", "fips=yes", sha256_functions },
|
||||
{ NULL, NULL, NULL }
|
||||
};
|
||||
|
||||
static const OSSL_ALGORITHM *fips_query(OSSL_PROVIDER *prov,
|
||||
int operation_id,
|
||||
int *no_cache)
|
||||
{
|
||||
*no_cache = 0;
|
||||
switch (operation_id) {
|
||||
case OSSL_OP_DIGEST:
|
||||
return fips_digests;
|
||||
}
|
||||
return NULL;
|
||||
}
|
||||
|
||||
/* Functions we provide to the core */
|
||||
static const OSSL_DISPATCH fips_dispatch_table[] = {
|
||||
{ OSSL_FUNC_PROVIDER_GET_PARAM_TYPES, (void (*)(void))fips_get_param_types },
|
||||
{ OSSL_FUNC_PROVIDER_GET_PARAMS, (void (*)(void))fips_get_params },
|
||||
{ OSSL_FUNC_PROVIDER_QUERY_OPERATION, (void (*)(void))fips_query },
|
||||
{ 0, NULL }
|
||||
};
|
||||
|
||||
int OSSL_provider_init(const OSSL_PROVIDER *provider,
|
||||
const OSSL_DISPATCH *in,
|
||||
const OSSL_DISPATCH **out)
|
||||
{
|
||||
for (; in->function_id != 0; in++) {
|
||||
switch (in->function_id) {
|
||||
case OSSL_FUNC_CORE_GET_PARAM_TYPES:
|
||||
c_get_param_types = OSSL_get_core_get_param_types(in);
|
||||
break;
|
||||
case OSSL_FUNC_CORE_GET_PARAMS:
|
||||
c_get_params = OSSL_get_core_get_params(in);
|
||||
break;
|
||||
/* Just ignore anything we don't understand */
|
||||
default:
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
*out = fips_dispatch_table;
|
||||
return 1;
|
||||
}
|
Loading…
Reference in a new issue