Create a FIPS provider and put SHA256 in it

author Matt Caswell <matt@openssl.org>

Wed, 20 Mar 2019 14:27:52 +0000 (14:27 +0000)

committer Matt Caswell <matt@openssl.org>

Thu, 4 Apr 2019 22:09:47 +0000 (23:09 +0100)
author Matt Caswell <matt@openssl.org>
Wed, 20 Mar 2019 14:27:52 +0000 (14:27 +0000)
committer Matt Caswell <matt@openssl.org>
Thu, 4 Apr 2019 22:09:47 +0000 (23:09 +0100)
diff --git a/crypto/build.info b/crypto/build.info

index a6f35245424edac65f9e7a841fe7d3e5981990e2..77dcffb906604e10d4bf17cab83d6a601f716330 100644 (file)
--- a/crypto/build.info
+++ b/crypto/build.info
@@ -21,6 +21,11 @@ SOURCE[../libcrypto]=\
          trace.c provider.c params.c \
          {- $target{cpuid_asm_src} -} {- $target{uplink_aux_src} -}
  
+# FIPS module
+SOURCE[../providers/fips]=\
+        cryptlib.c mem.c mem_clr.c params.c
+
+
  DEPEND[cversion.o]=buildinf.h
  GENERATE[buildinf.h]=../util/mkbuildinf.pl "$(CC) $(LIB_CFLAGS) $(CPPFLAGS_Q)" "$(PLATFORM)"
  DEPEND[buildinf.h]=../configdata.pm
diff --git a/crypto/mem.c b/crypto/mem.c

index 5feece36fb5d49051c12c0321f3652f0712e72bb..562d6b51e2b34511111517036da876ca2545c5b9 100644 (file)
--- a/crypto/mem.c
+++ b/crypto/mem.c
@@ -14,7 +14,7 @@
  #include <stdlib.h>
  #include <limits.h>
  #include <openssl/crypto.h>
-#ifndef OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE
+#if !defined(OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE) && !defined(FIPS_MODE)
  # include <execinfo.h>
  #endif
  
@@ -30,7 +30,7 @@ static void *(*realloc_impl)(void *, size_t, const char *, int)
  static void (*free_impl)(void *, const char *, int)
      = CRYPTO_free;
  
-#ifndef OPENSSL_NO_CRYPTO_MDEBUG
+#if !defined(OPENSSL_NO_CRYPTO_MDEBUG) && !defined(FIPS_MODE)
  # include "internal/tsan_assist.h"
  
  static TSAN_QUALIFIER int malloc_count;
@@ -94,7 +94,7 @@ void CRYPTO_get_mem_functions(
          *f = free_impl;
  }
  
-#ifndef OPENSSL_NO_CRYPTO_MDEBUG
+#if !defined(OPENSSL_NO_CRYPTO_MDEBUG) && !defined(FIPS_MODE)
  void CRYPTO_get_alloc_counts(int *mcount, int *rcount, int *fcount)
  {
      if (mcount != NULL)
@@ -209,7 +209,7 @@ void *CRYPTO_malloc(size_t num, const char *file, int line)
           */
          allow_customize = 0;
      }
-#ifndef OPENSSL_NO_CRYPTO_MDEBUG
+#if !defined(OPENSSL_NO_CRYPTO_MDEBUG) && !defined(FIPS_MODE)
      if (call_malloc_debug) {
          CRYPTO_mem_debug_malloc(NULL, num, 0, file, line);
          ret = malloc(num);
@@ -250,7 +250,7 @@ void *CRYPTO_realloc(void *str, size_t num, const char *file, int line)
          return NULL;
      }
  
-#ifndef OPENSSL_NO_CRYPTO_MDEBUG
+#if !defined(OPENSSL_NO_CRYPTO_MDEBUG) && !defined(FIPS_MODE)
      if (call_malloc_debug) {
          void *ret;
          CRYPTO_mem_debug_realloc(str, NULL, num, 0, file, line);
@@ -300,7 +300,7 @@ void CRYPTO_free(void *str, const char *file, int line)
          return;
      }
  
-#ifndef OPENSSL_NO_CRYPTO_MDEBUG
+#if !defined(OPENSSL_NO_CRYPTO_MDEBUG) && !defined(FIPS_MODE)
      if (call_malloc_debug) {
          CRYPTO_mem_debug_free(str, 0, file, line);
          free(str);
diff --git a/crypto/params.c b/crypto/params.c

index 367b2abd21a02583a773cb6b834165c40cf7bc4d..8eef736ef403d23158010ca382db41557263d483 100644 (file)
--- a/crypto/params.c
+++ b/crypto/params.c
@@ -348,6 +348,13 @@ OSSL_PARAM OSSL_PARAM_construct_size_t(const char *key, size_t *buf,
      return ossl_param_construct(key, OSSL_PARAM_UNSIGNED_INTEGER, buf,
                                  sizeof(size_t), rsize); }
  
+#ifndef FIPS_MODE
+/*
+ * TODO(3.0): Make this available in FIPS mode.
+ *
+ * Temporarily we don't include these functions in FIPS mode to avoid pulling
+ * in the entire BN sub-library into the module at this point.
+ */
  int OSSL_PARAM_get_BN(const OSSL_PARAM *p, BIGNUM **val)
  {
      BIGNUM *b;
@@ -387,6 +394,7 @@ OSSL_PARAM OSSL_PARAM_construct_BN(const char *key, unsigned char *buf,
      return ossl_param_construct(key, OSSL_PARAM_UNSIGNED_INTEGER,
                                  buf, bsize, rsize);
  }
+#endif
  
  int OSSL_PARAM_get_double(const OSSL_PARAM *p, double *val)
  {
diff --git a/crypto/sha/build.info b/crypto/sha/build.info

index 58d15bbb6dc100f0bdc888e0050753dadbcf2ecf..242a08e3fff15dafa38b932d92dd57bfe8dcf749 100644 (file)
--- a/crypto/sha/build.info
+++ b/crypto/sha/build.info
@@ -3,6 +3,8 @@ SOURCE[../../libcrypto]=\
          sha1dgst.c sha1_one.c sha256.c sha512.c {- $target{sha1_asm_src} -} \
          {- $target{keccak1600_asm_src} -}
  
+SOURCE[../../providers/fips]= sha256.c
+
  GENERATE[sha1-586.s]=asm/sha1-586.pl \
          $(PERLASM_SCHEME) $(LIB_CFLAGS) $(LIB_CPPFLAGS) $(PROCESSOR)
  DEPEND[sha1-586.s]=../perlasm/x86asm.pl
diff --git a/providers/build.info b/providers/build.info

index ec4162bdd895d8dce30748df4070eebdc0b1c8b5..b2b53849cb1afb4351b00fee5aba89d6d1c1f72b 100644 (file)
--- a/providers/build.info
+++ b/providers/build.info
@@ -1 +1,12 @@
  SUBDIRS=common default
+
+IF[{- !$disabled{fips} -}]
+  SUBDIRS=fips
+  MODULES=fips
+  IF[{- defined $target{shared_defflag} -}]
+    SOURCE[fips]=fips.ld
+    GENERATE[fips.ld]=../util/providers.num
+  ENDIF
+  INCLUDE[fips]=.. ../include ../crypto/include
+  DEFINE[fips]=FIPS_MODE
+ENDIF
diff --git a/providers/common/digests/build.info b/providers/common/digests/build.info

index a3c2369fb3ced3490190c11a0bc3975482d0cf4f..b98df29fc539d577b57e223a14215016d02e7873 100644 (file)
--- a/providers/common/digests/build.info
+++ b/providers/common/digests/build.info
@@ -1,3 +1,5 @@
-LIBS=../../../libcrypto
  SOURCE[../../../libcrypto]=\
          sha2.c
+
+SOURCE[../../fips]=\
+        sha2.c
diff --git a/providers/fips/build.info b/providers/fips/build.info

new file mode 100644 (file)

index 0000000..9372062
--- /dev/null
+++ b/providers/fips/build.info
@@ -0,0 +1,2 @@
+
+SOURCE[../fips]=fipsprov.c
diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c

new file mode 100644 (file)

index 0000000..d3671b5
--- /dev/null
+++ b/providers/fips/fipsprov.c
@@ -0,0 +1,99 @@
+/*
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <string.h>
+#include <stdio.h>
+#include <openssl/core.h>
+#include <openssl/core_numbers.h>
+#include <openssl/core_names.h>
+#include <openssl/params.h>
+
+/* Functions provided by the core */
+static OSSL_core_get_param_types_fn *c_get_param_types = NULL;
+static OSSL_core_get_params_fn *c_get_params = NULL;
+
+/* Parameters we provide to the core */
+static const OSSL_ITEM fips_param_types[] = {
+    { OSSL_PARAM_UTF8_PTR, OSSL_PROV_PARAM_NAME },
+    { OSSL_PARAM_UTF8_PTR, OSSL_PROV_PARAM_VERSION },
+    { OSSL_PARAM_UTF8_PTR, OSSL_PROV_PARAM_BUILDINFO },
+    { 0, NULL }
+};
+
+static const OSSL_ITEM *fips_get_param_types(const OSSL_PROVIDER *prov)
+{
+    return fips_param_types;
+}
+
+static int fips_get_params(const OSSL_PROVIDER *prov,
+                            const OSSL_PARAM params[])
+{
+    const OSSL_PARAM *p;
+
+    p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_NAME);
+    if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "OpenSSL FIPS Provider"))
+        return 0;
+    p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_VERSION);
+    if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_VERSION_STR))
+        return 0;
+    p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_BUILDINFO);
+    if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_FULL_VERSION_STR))
+        return 0;
+
+    return 1;
+}
+
+extern const OSSL_DISPATCH sha256_functions[];
+
+static const OSSL_ALGORITHM fips_digests[] = {
+    { "SHA256", "fips=yes", sha256_functions },
+    { NULL, NULL, NULL }
+};
+
+static const OSSL_ALGORITHM *fips_query(OSSL_PROVIDER *prov,
+                                         int operation_id,
+                                         int *no_cache)
+{
+    *no_cache = 0;
+    switch (operation_id) {
+    case OSSL_OP_DIGEST:
+        return fips_digests;
+    }
+    return NULL;
+}
+
+/* Functions we provide to the core */
+static const OSSL_DISPATCH fips_dispatch_table[] = {
+    { OSSL_FUNC_PROVIDER_GET_PARAM_TYPES, (void (*)(void))fips_get_param_types },
+    { OSSL_FUNC_PROVIDER_GET_PARAMS, (void (*)(void))fips_get_params },
+    { OSSL_FUNC_PROVIDER_QUERY_OPERATION, (void (*)(void))fips_query },
+    { 0, NULL }
+};
+
+int OSSL_provider_init(const OSSL_PROVIDER *provider,
+                       const OSSL_DISPATCH *in,
+                       const OSSL_DISPATCH **out)
+{
+    for (; in->function_id != 0; in++) {
+        switch (in->function_id) {
+        case OSSL_FUNC_CORE_GET_PARAM_TYPES:
+            c_get_param_types = OSSL_get_core_get_param_types(in);
+            break;
+        case OSSL_FUNC_CORE_GET_PARAMS:
+            c_get_params = OSSL_get_core_get_params(in);
+            break;
+        /* Just ignore anything we don't understand */
+        default:
+            break;
+        }
+    }
+
+    *out = fips_dispatch_table;
+    return 1;
+}
author	Matt Caswell <matt@openssl.org>
	Wed, 20 Mar 2019 14:27:52 +0000 (14:27 +0000)
committer	Matt Caswell <matt@openssl.org>
	Thu, 4 Apr 2019 22:09:47 +0000 (23:09 +0100)
crypto/build.info		patch \| blob \| history
crypto/mem.c		patch \| blob \| history
crypto/params.c		patch \| blob \| history
crypto/sha/build.info		patch \| blob \| history
providers/build.info		patch \| blob \| history
providers/common/digests/build.info		patch \| blob \| history
providers/fips/build.info	[new file with mode: 0644]	patch \| blob
providers/fips/fipsprov.c	[new file with mode: 0644]	patch \| blob