# FIPS module
SOURCE[../providers/fips]=\
cryptlib.c mem.c mem_clr.c params.c bsearch.c ex_data.c o_str.c \
- threads_pthread.c threads_win.c threads_none.c context.c
+ ctype.c threads_pthread.c threads_win.c threads_none.c context.c \
+ sparse_array.c
DEPEND[cversion.o]=buildinf.h
SOURCE[../../libcrypto]=\
evp_fetch.c
+# FIPS Module
+SOURCE[../../providers/fips]=\
+ digest.c evp_enc.c evp_lib.c evp_fetch.c cmeth_lib.c
+
INCLUDE[e_aes.o]=.. ../modes
INCLUDE[e_aes_cbc_hmac_sha1.o]=../modes
INCLUDE[e_aes_cbc_hmac_sha256.o]=../modes
* pctx should be freed by the user of EVP_MD_CTX
* if EVP_MD_CTX_FLAG_KEEP_PKEY_CTX is set
*/
+#ifndef FIPS_MODE
+ /* TODO(3.0): Temporarily no support for EVP_DigestSign* in FIPS module */
if (!EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_KEEP_PKEY_CTX))
EVP_PKEY_CTX_free(ctx->pctx);
-#ifndef OPENSSL_NO_ENGINE
+
+# ifndef OPENSSL_NO_ENGINE
ENGINE_finish(ctx->engine);
+# endif
#endif
OPENSSL_cleanse(ctx, sizeof(*ctx));
int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
{
- EVP_MD *provmd;
+#if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODE)
ENGINE *tmpimpl = NULL;
+#endif
EVP_MD_CTX_clear_flags(ctx, EVP_MD_CTX_FLAG_CLEANED);
ctx->reqdigest = type;
/* TODO(3.0): Legacy work around code below. Remove this */
-#ifndef OPENSSL_NO_ENGINE
+#if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODE)
/*
* Whether it's nice or not, "Inits" can be used on "Final"'d contexts so
* this context may already have an ENGINE! Try to avoid releasing the
*/
if (ctx->engine != NULL
|| impl != NULL
+#if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODE)
|| tmpimpl != NULL
+#endif
|| ctx->pctx != NULL
|| (ctx->flags & EVP_MD_CTX_FLAG_NO_INIT) != 0) {
if (ctx->digest == ctx->fetched_digest)
/* TODO(3.0): Start of non-legacy code below */
if (type->prov == NULL) {
- provmd = EVP_MD_fetch(NULL, OBJ_nid2sn(type->type), "");
+#ifdef FIPS_MODE
+ /* We only do explict fetches inside the FIPS module */
+ EVPerr(EVP_F_EVP_DIGESTINIT_EX, EVP_R_INITIALIZATION_ERROR);
+ return 0;
+#else
+ EVP_MD *provmd = EVP_MD_fetch(NULL, OBJ_nid2sn(type->type), "");
+
if (provmd == NULL) {
EVPerr(EVP_F_EVP_DIGESTINIT_EX, EVP_R_INITIALIZATION_ERROR);
return 0;
type = provmd;
EVP_MD_meth_free(ctx->fetched_digest);
ctx->fetched_digest = provmd;
+#endif
}
ctx->digest = type;
/* TODO(3.0): Remove legacy code below */
legacy:
-#ifndef OPENSSL_NO_ENGINE
+#if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODE)
if (type) {
/*
* Ensure an ENGINE left lying around from last time is cleared (the
}
}
}
-#ifndef OPENSSL_NO_ENGINE
+#if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODE)
skip_to_init:
#endif
- if (ctx->pctx) {
+#ifndef FIPS_MODE
+ /* TODO(3.0): Temporarily no support for EVP_DigestSign* in FIPS module */
+ if (ctx->pctx != NULL) {
int r;
r = EVP_PKEY_CTX_ctrl(ctx->pctx, -1, EVP_PKEY_OP_TYPE_SIG,
EVP_PKEY_CTRL_DIGESTINIT, 0, ctx);
if (r <= 0 && (r != -2))
return 0;
}
+#endif
if (ctx->flags & EVP_MD_CTX_FLAG_NO_INIT)
return 1;
return ctx->digest->init(ctx);
/* copied EVP_MD_CTX should free the copied EVP_PKEY_CTX */
EVP_MD_CTX_clear_flags(out, EVP_MD_CTX_FLAG_KEEP_PKEY_CTX);
+#ifndef FIPS_MODE
+ /* TODO(3.0): Temporarily no support for EVP_DigestSign* in FIPS module */
if (in->pctx != NULL) {
out->pctx = EVP_PKEY_CTX_dup(in->pctx);
if (out->pctx == NULL) {
return 0;
}
}
+#endif
return 1;
/* TODO(3.0): Remove legacy code below */
legacy:
-#ifndef OPENSSL_NO_ENGINE
+#if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODE)
/* Make sure it's safe to copy a digest context using an ENGINE */
if (in->engine && !ENGINE_init(in->engine)) {
EVPerr(EVP_F_EVP_MD_CTX_COPY_EX, ERR_R_ENGINE_LIB);
out->update = in->update;
+#ifndef FIPS_MODE
+ /* TODO(3.0): Temporarily no support for EVP_DigestSign* in FIPS module */
if (in->pctx) {
out->pctx = EVP_PKEY_CTX_dup(in->pctx);
if (!out->pctx) {
return 0;
}
}
+#endif
if (out->digest->copy)
return out->digest->copy(out, in);
OPENSSL_cleanse(ctx->cipher_data, ctx->cipher->ctx_size);
}
OPENSSL_free(ctx->cipher_data);
-#ifndef OPENSSL_NO_ENGINE
+#if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODE)
ENGINE_finish(ctx->engine);
#endif
memset(ctx, 0, sizeof(*ctx));
ENGINE *impl, const unsigned char *key,
const unsigned char *iv, int enc)
{
- EVP_CIPHER *provciph = NULL;
+#if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODE)
ENGINE *tmpimpl = NULL;
+#endif
const EVP_CIPHER *tmpcipher;
/*
/* TODO(3.0): Legacy work around code below. Remove this */
-#ifndef OPENSSL_NO_ENGINE
+#if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODE)
/*
* Whether it's nice or not, "Inits" can be used on "Final"'d contexts so
* this context may already have an ENGINE! Try to avoid releasing the
* If there are engines involved then we should use legacy handling for now.
*/
if (ctx->engine != NULL
- || impl != NULL
- || tmpimpl != NULL) {
+#if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODE)
+ || tmpimpl != NULL
+#endif
+ || impl != NULL) {
if (ctx->cipher == ctx->fetched_cipher)
ctx->cipher = NULL;
EVP_CIPHER_meth_free(ctx->fetched_cipher);
cipher = ctx->cipher;
if (cipher->prov == NULL) {
- provciph = EVP_CIPHER_fetch(NULL, OBJ_nid2sn(cipher->nid), "");
+#ifdef FIPS_MODE
+ /* We only do explict fetches inside the FIPS module */
+ EVPerr(EVP_F_EVP_CIPHERINIT_EX, EVP_R_INITIALIZATION_ERROR);
+ return 0;
+#else
+ EVP_CIPHER *provciph =
+ EVP_CIPHER_fetch(NULL, OBJ_nid2sn(cipher->nid), "");
+
if (provciph == NULL) {
EVPerr(EVP_F_EVP_CIPHERINIT_EX, EVP_R_INITIALIZATION_ERROR);
return 0;
cipher = provciph;
EVP_CIPHER_meth_free(ctx->fetched_cipher);
ctx->fetched_cipher = provciph;
+#endif
}
ctx->cipher = cipher;
ctx->encrypt = enc;
ctx->flags = flags;
}
-#ifndef OPENSSL_NO_ENGINE
+#if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODE)
if (impl != NULL) {
if (!ENGINE_init(impl)) {
EVPerr(EVP_F_EVP_CIPHERINIT_EX, EVP_R_INITIALIZATION_ERROR);
}
}
}
-#ifndef OPENSSL_NO_ENGINE
+#if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODE)
skip_to_init:
#endif
if (ctx->cipher == NULL)
return ret;
}
+#if !defined(FIPS_MODE)
+/* TODO(3.0): No support for RAND yet in the FIPS module */
int EVP_CIPHER_CTX_rand_key(EVP_CIPHER_CTX *ctx, unsigned char *key)
{
int kl;
return 0;
return 1;
}
+#endif
int EVP_CIPHER_CTX_copy(EVP_CIPHER_CTX *out, const EVP_CIPHER_CTX *in)
{
/* TODO(3.0): Remove legacy code below */
legacy:
-#ifndef OPENSSL_NO_ENGINE
+#if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODE)
/* Make sure it's safe to copy a cipher context using an ENGINE */
if (in->engine && !ENGINE_init(in->engine)) {
EVPerr(EVP_F_EVP_CIPHER_CTX_COPY, ERR_R_ENGINE_LIB);
#include "internal/provider.h"
#include "evp_locl.h"
+#if !defined(FIPS_MODE)
int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type)
{
int ret;
}
return i;
}
+#endif /* !defined(FIPS_MODE) */
/* Convert the various cipher NIDs and dummies to a proper OID NID */
int EVP_CIPHER_type(const EVP_CIPHER *ctx)
{
int nid;
- ASN1_OBJECT *otmp;
nid = EVP_CIPHER_nid(ctx);
switch (nid) {
return NID_des_cfb64;
default:
- /* Check it has an OID and it is valid */
- otmp = OBJ_nid2obj(nid);
- if (OBJ_get0_data(otmp) == NULL)
- nid = NID_undef;
- ASN1_OBJECT_free(otmp);
- return nid;
+#ifdef FIPS_MODE
+ return NID_undef;
+#else
+ {
+ /* Check it has an OID and it is valid */
+ ASN1_OBJECT *otmp = OBJ_nid2obj(nid);
+
+ if (OBJ_get0_data(otmp) == NULL)
+ nid = NID_undef;
+ ASN1_OBJECT_free(otmp);
+ return nid;
+ }
+#endif
}
}
return ctx->pctx;
}
+#if !defined(FIPS_MODE)
+/* TODO(3.0): EVP_DigestSign* not yet supported in FIPS module */
void EVP_MD_CTX_set_pkey_ctx(EVP_MD_CTX *ctx, EVP_PKEY_CTX *pctx)
{
/*
EVP_MD_CTX_clear_flags(ctx, EVP_MD_CTX_FLAG_KEEP_PKEY_CTX);
}
}
+#endif /* !defined(FIPS_MODE) */
void *EVP_MD_CTX_md_data(const EVP_MD_CTX *ctx)
{
LIBS=../../libcrypto
SOURCE[../../libcrypto]=\
lhash.c lh_stats.c
+SOURCE[../../providers/fips]=\
+ lhash.c
LIBS=../../libcrypto
SOURCE[../../libcrypto]=property_string.c property_parse.c property.c \
property_err.c defn_cache.c
+SOURCE[../../providers/fips]=\
+ property_string.c property_parse.c property.c defn_cache.c
*/
static void impl_cache_flush_cache(QUERY *c, IMPL_CACHE_FLUSH *state)
{
+#if !defined(FIPS_MODE)
+/* TODO(3.0): No RAND_bytes yet in FIPS module. Add this back when available */
OSSL_METHOD_STORE *store = state->store;
unsigned int n;
OPENSSL_free(lh_QUERY_delete(state->cache, c));
else
state->nelem++;
+#endif /* !defined(FIPS_MODE) */
}
static void impl_cache_flush_one_alg(ossl_uintmax_t idx, ALGORITHM *alg,
#include <openssl/core_names.h>
#include <openssl/params.h>
#include <openssl/err.h>
+#include <openssl/evp.h>
+/* TODO(3.0): Needed for dummy_evp_call(). To be removed */
+#include <openssl/sha.h>
#include "internal/cryptlib.h"
+#include "internal/property.h"
+#include "internal/evp_int.h"
/* Functions provided by the core */
static OSSL_core_get_param_types_fn *c_get_param_types = NULL;
{ 0, NULL }
};
-static void fips_teardown(void)
+/* TODO(3.0): To be removed */
+static int dummy_evp_call(OPENSSL_CTX *libctx)
{
- do_default_context_deinit();
+ EVP_MD_CTX *ctx = EVP_MD_CTX_new();
+ EVP_MD *sha256 = EVP_MD_fetch(libctx, "SHA256", NULL);
+ char msg[] = "Hello World!";
+ const unsigned char exptd[] = {
+ 0x7f, 0x83, 0xb1, 0x65, 0x7f, 0xf1, 0xfc, 0x53, 0xb9, 0x2d, 0xc1, 0x81,
+ 0x48, 0xa1, 0xd6, 0x5d, 0xfc, 0x2d, 0x4b, 0x1f, 0xa3, 0xd6, 0x77, 0x28,
+ 0x4a, 0xdd, 0xd2, 0x00, 0x12, 0x6d, 0x90, 0x69
+ };
+ unsigned int dgstlen = 0;
+ unsigned char dgst[SHA256_DIGEST_LENGTH];
+ int ret = 0;
+
+ if (ctx == NULL || sha256 == NULL)
+ goto err;
+
+ if (!EVP_DigestInit_ex(ctx, sha256, NULL))
+ goto err;
+ if (!EVP_DigestUpdate(ctx, msg, sizeof(msg) - 1))
+ goto err;
+ if (!EVP_DigestFinal(ctx, dgst, &dgstlen))
+ goto err;
+ if (dgstlen != sizeof(exptd) || memcmp(dgst, exptd, sizeof(exptd)) != 0)
+ goto err;
+
+ ret = 1;
+ err:
+ EVP_MD_CTX_free(ctx);
+ EVP_MD_meth_free(sha256);
+ return ret;
}
static const OSSL_ITEM *fips_get_param_types(const OSSL_PROVIDER *prov)
/* Functions we provide to the core */
static const OSSL_DISPATCH fips_dispatch_table[] = {
- { OSSL_FUNC_PROVIDER_TEARDOWN, (void (*)(void))fips_teardown },
+ /*
+ * To release our resources we just need to free the OPENSSL_CTX so we just
+ * use OPENSSL_CTX_free directly as our teardown function
+ */
+ { OSSL_FUNC_PROVIDER_TEARDOWN, (void (*)(void))OPENSSL_CTX_free },
{ OSSL_FUNC_PROVIDER_GET_PARAM_TYPES, (void (*)(void))fips_get_param_types },
{ OSSL_FUNC_PROVIDER_GET_PARAMS, (void (*)(void))fips_get_params },
{ OSSL_FUNC_PROVIDER_QUERY_OPERATION, (void (*)(void))fips_query },
{ 0, NULL }
};
+/* Functions we provide to ourself */
+static const OSSL_DISPATCH intern_dispatch_table[] = {
+ { OSSL_FUNC_PROVIDER_QUERY_OPERATION, (void (*)(void))fips_query },
+ { 0, NULL }
+};
+
+
int OSSL_provider_init(const OSSL_PROVIDER *provider,
const OSSL_DISPATCH *in,
const OSSL_DISPATCH **out,
void **provctx)
{
+ OPENSSL_CTX *ctx;
+
for (; in->function_id != 0; in++) {
switch (in->function_id) {
case OSSL_FUNC_CORE_GET_PARAM_TYPES:
}
}
+ ctx = OPENSSL_CTX_new();
+ if (ctx == NULL)
+ return 0;
+
+ /*
+ * TODO(3.0): Remove me. This is just a dummy call to demonstrate making
+ * EVP calls from within the FIPS module.
+ */
+ if (!dummy_evp_call(ctx)) {
+ OPENSSL_CTX_free(ctx);
+ return 0;
+ }
+
*out = fips_dispatch_table;
+ *provctx = ctx;
return 1;
}
+/*
+ * The internal init function used when the FIPS module uses EVP to call
+ * another algorithm also in the FIPS module.
+ */
OSSL_provider_init_fn fips_intern_provider_init;
int fips_intern_provider_init(const OSSL_PROVIDER *provider,
const OSSL_DISPATCH *in,
- const OSSL_DISPATCH **out)
+ const OSSL_DISPATCH **out,
+ void **provctx)
{
- /*
- * The internal init function used when the FIPS module uses EVP to call
- * another algorithm also in the FIPS module.
- */
+ *out = intern_dispatch_table;
return 1;
}