From 7cc684f4f7fbcdc5cf4683eaf025d4f915acbf3c Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Thu, 27 Jan 2011 17:23:43 +0000 Subject: [PATCH] Redirect FIPS memory allocation to FIPS_malloc() routine, remove OpenSSL malloc dependencies. --- Makefile.org | 1 - crypto/bn/bn_blind.c | 6 ++++++ crypto/bn/bn_ctx.c | 6 ++++++ crypto/bn/bn_exp.c | 5 +++++ crypto/bn/bn_lib.c | 5 +++++ crypto/bn/bn_rand.c | 5 +++++ crypto/bn/bn_recp.c | 5 +++++ crypto/buffer/buf_str.c | 5 +++++ crypto/dsa/dsa_sign.c | 5 +++++ crypto/rsa/rsa_gen.c | 2 ++ crypto/rsa/rsa_oaep.c | 4 ++++ crypto/rsa/rsa_pss.c | 4 ++++ fips/dh/fips_dh_lib.c | 3 +++ fips/dsa/fips_dsa_lib.c | 3 +++ fips/fips.h | 5 +++++ fips/fips_utl.h | 3 +++ fips/hmac/fips_hmactest.c | 1 - fips/rand/fips_randtest.c | 2 ++ fips/rsa/fips_rsa_lib.c | 4 +++- fips/rsa/fips_rsa_sign.c | 1 + fips/utl/Makefile | 4 ++-- fips/utl/fips_enc.c | 4 +++- fips/utl/fips_md.c | 3 +++ 23 files changed, 80 insertions(+), 6 deletions(-) diff --git a/Makefile.org b/Makefile.org index 4160f590a8..8e7a77d578 100644 --- a/Makefile.org +++ b/Makefile.org @@ -313,7 +313,6 @@ FIPS_EX_OBJ= ../crypto/aes/aes_cfb.o \ ../crypto/evp/e_des3.o \ ../crypto/evp/m_sha1.o \ ../crypto/hmac/hmac.o \ - ../crypto/mem.o \ ../crypto/modes/cfb128.o \ ../crypto/modes/ctr128.o \ ../crypto/modes/ofb128.o \ diff --git a/crypto/bn/bn_blind.c b/crypto/bn/bn_blind.c index 6e00f43c66..d2bba48b0d 100644 --- a/crypto/bn/bn_blind.c +++ b/crypto/bn/bn_blind.c @@ -113,6 +113,12 @@ #include "cryptlib.h" #include "bn_lcl.h" +#define OPENSSL_FIPSAPI + +#ifdef OPENSSL_FIPS +#include +#endif + #define BN_BLINDING_COUNTER 32 struct bn_blinding_st diff --git a/crypto/bn/bn_ctx.c b/crypto/bn/bn_ctx.c index 3f2256f675..f16fb35f5a 100644 --- a/crypto/bn/bn_ctx.c +++ b/crypto/bn/bn_ctx.c @@ -60,12 +60,18 @@ #endif #endif +#define OPENSSL_FIPSAPI + #include #include #include "cryptlib.h" #include "bn_lcl.h" +#ifdef OPENSSL_FIPS +#include +#endif + /* TODO list * * 1. Check a bunch of "(words+1)" type hacks in various bignum functions and diff --git a/crypto/bn/bn_exp.c b/crypto/bn/bn_exp.c index d9b6c737fc..2267367793 100644 --- a/crypto/bn/bn_exp.c +++ b/crypto/bn/bn_exp.c @@ -113,6 +113,11 @@ #include "cryptlib.h" #include "bn_lcl.h" +#define OPENSSL_FIPSAPI +#ifdef OPENSSL_FIPS +#include +#endif + /* maximum precomputation table size for *variable* sliding windows */ #define TABLE_SIZE 32 diff --git a/crypto/bn/bn_lib.c b/crypto/bn/bn_lib.c index 7a5676de69..503762b31e 100644 --- a/crypto/bn/bn_lib.c +++ b/crypto/bn/bn_lib.c @@ -67,6 +67,11 @@ #include "cryptlib.h" #include "bn_lcl.h" +#define OPENSSL_FIPSAPI +#ifdef OPENSSL_FIPS +#include +#endif + const char BN_version[]="Big Number" OPENSSL_VERSION_PTEXT; /* This stuff appears to be completely unused, so is deprecated */ diff --git a/crypto/bn/bn_rand.c b/crypto/bn/bn_rand.c index b376c28ff3..070b1e4ed2 100644 --- a/crypto/bn/bn_rand.c +++ b/crypto/bn/bn_rand.c @@ -115,6 +115,11 @@ #include "bn_lcl.h" #include +#define OPENSSL_FIPSAPI +#ifdef OPENSSL_FIPS +#include +#endif + static int bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom) { unsigned char *buf=NULL; diff --git a/crypto/bn/bn_recp.c b/crypto/bn/bn_recp.c index 2e8efb8dae..dde27ae71a 100644 --- a/crypto/bn/bn_recp.c +++ b/crypto/bn/bn_recp.c @@ -60,6 +60,11 @@ #include "cryptlib.h" #include "bn_lcl.h" +#define OPENSSL_FIPSAPI +#ifdef OPENSSL_FIPS +#include +#endif + void BN_RECP_CTX_init(BN_RECP_CTX *recp) { BN_init(&(recp->N)); diff --git a/crypto/buffer/buf_str.c b/crypto/buffer/buf_str.c index 151f5ea971..6d94942df8 100644 --- a/crypto/buffer/buf_str.c +++ b/crypto/buffer/buf_str.c @@ -60,6 +60,11 @@ #include "cryptlib.h" #include +#define OPENSSL_FIPSAPI +#ifdef OPENSSL_FIPS +#include +#endif + char *BUF_strdup(const char *str) { if (str == NULL) return(NULL); diff --git a/crypto/dsa/dsa_sign.c b/crypto/dsa/dsa_sign.c index e02365a8b1..3684960203 100644 --- a/crypto/dsa/dsa_sign.c +++ b/crypto/dsa/dsa_sign.c @@ -63,6 +63,11 @@ #include #include +#define OPENSSL_FIPSAPI +#ifdef OPENSSL_FIPS +#include +#endif + DSA_SIG * DSA_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) { return dsa->meth->dsa_do_sign(dgst, dlen, dsa); diff --git a/crypto/rsa/rsa_gen.c b/crypto/rsa/rsa_gen.c index b8676ad020..e82a81b03a 100644 --- a/crypto/rsa/rsa_gen.c +++ b/crypto/rsa/rsa_gen.c @@ -70,6 +70,8 @@ #ifdef OPENSSL_FIPS +#define OPENSSL_FIPSAPI + #include #include diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c index eaae712236..48cd89dd48 100644 --- a/crypto/rsa/rsa_oaep.c +++ b/crypto/rsa/rsa_oaep.c @@ -30,6 +30,10 @@ #include #include +#ifdef OPENSSL_FIPS +#include +#endif + static int MGF1(unsigned char *mask, long len, const unsigned char *seed, long seedlen); diff --git a/crypto/rsa/rsa_pss.c b/crypto/rsa/rsa_pss.c index e8f6798bbd..0d008c33f3 100644 --- a/crypto/rsa/rsa_pss.c +++ b/crypto/rsa/rsa_pss.c @@ -67,6 +67,10 @@ #include #include "rsa_locl.h" +#ifdef OPENSSL_FIPS +#include +#endif + static const unsigned char zeroes[] = {0,0,0,0,0,0,0,0}; #if defined(_MSC_VER) && defined(_ARM_) diff --git a/fips/dh/fips_dh_lib.c b/fips/dh/fips_dh_lib.c index 4a822cf192..747d949389 100644 --- a/fips/dh/fips_dh_lib.c +++ b/fips/dh/fips_dh_lib.c @@ -56,9 +56,12 @@ * */ +#define OPENSSL_FIPSAPI + #include #include #include +#include /* Minimal FIPS versions of FIPS_dh_new() and FIPS_dh_free(): to * reduce external dependencies. diff --git a/fips/dsa/fips_dsa_lib.c b/fips/dsa/fips_dsa_lib.c index 2545966d2a..06f8cabfee 100644 --- a/fips/dsa/fips_dsa_lib.c +++ b/fips/dsa/fips_dsa_lib.c @@ -56,9 +56,12 @@ * */ +#define OPENSSL_FIPSAPI + #include #include #include +#include /* Minimal FIPS versions of FIPS_dsa_new() and FIPS_dsa_free: to * reduce external dependencies. diff --git a/fips/fips.h b/fips/fips.h index 2ef955ab13..5452db9311 100644 --- a/fips/fips.h +++ b/fips/fips.h @@ -113,8 +113,13 @@ void FIPS_lock(int mode, int type,const char *file,int line); void FIPS_set_locking_callback (void (*func)(int mode, int type, const char *file,int line)); +void *FIPS_malloc(int num, const char *file, int line); +void FIPS_free(void *); + #if defined(OPENSSL_FIPSCANISTER) && defined(OPENSSL_FIPSAPI) #define CRYPTO_lock FIPS_lock +#define CRYPTO_malloc FIPS_malloc +#define CRYPTO_free FIPS_free #endif /* BEGIN ERROR CODES */ diff --git a/fips/fips_utl.h b/fips/fips_utl.h index b3162d6863..76ae4f8e38 100644 --- a/fips/fips_utl.h +++ b/fips/fips_utl.h @@ -47,6 +47,9 @@ * */ +#define OPENSSL_FIPSAPI +#include + int hex2bin(const char *in, unsigned char *out); unsigned char *hex2bin_m(const char *in, long *plen); int do_hex2bn(BIGNUM **pr, const char *in); diff --git a/fips/hmac/fips_hmactest.c b/fips/hmac/fips_hmactest.c index 575f6524b7..8c51fe523b 100644 --- a/fips/hmac/fips_hmactest.c +++ b/fips/hmac/fips_hmactest.c @@ -77,7 +77,6 @@ int main(int argc, char *argv[]) #else -#include #include "fips_utl.h" static int hmac_test(const EVP_MD *md, FILE *out, FILE *in); diff --git a/fips/rand/fips_randtest.c b/fips/rand/fips_randtest.c index 88fb86060d..31c51d3392 100644 --- a/fips/rand/fips_randtest.c +++ b/fips/rand/fips_randtest.c @@ -123,6 +123,8 @@ int main(int argc, char *argv[]) #else +#define OPENSSL_FIPSAPI + #include #include "fips_utl.h" diff --git a/fips/rsa/fips_rsa_lib.c b/fips/rsa/fips_rsa_lib.c index a37ad3e540..77c0cb8466 100644 --- a/fips/rsa/fips_rsa_lib.c +++ b/fips/rsa/fips_rsa_lib.c @@ -56,11 +56,14 @@ * */ +#define OPENSSL_FIPSAPI + #include #include #include #include #include +#include /* Minimal FIPS versions of FIPS_rsa_new() and FIPS_rsa_free: to * reduce external dependencies. @@ -95,7 +98,6 @@ void FIPS_rsa_free(RSA *r) if (r->iqmp != NULL) BN_clear_free(r->iqmp); if (r->blinding != NULL) BN_BLINDING_free(r->blinding); if (r->mt_blinding != NULL) BN_BLINDING_free(r->mt_blinding); - if (r->bignum_data != NULL) OPENSSL_free_locked(r->bignum_data); OPENSSL_free(r); } diff --git a/fips/rsa/fips_rsa_sign.c b/fips/rsa/fips_rsa_sign.c index d07111b4be..4e5b4bf1db 100644 --- a/fips/rsa/fips_rsa_sign.c +++ b/fips/rsa/fips_rsa_sign.c @@ -63,6 +63,7 @@ #include #include #include +#include #ifdef OPENSSL_FIPS diff --git a/fips/utl/Makefile b/fips/utl/Makefile index 577578ee70..8542b32156 100644 --- a/fips/utl/Makefile +++ b/fips/utl/Makefile @@ -22,8 +22,8 @@ TEST= APPS= LIB=$(TOP)/libcrypto.a -LIBSRC= fips_err.c fips_md.c fips_enc.c fips_lck.c -LIBOBJ= fips_err.o fips_md.o fips_enc.o fips_lck.o +LIBSRC= fips_err.c fips_md.c fips_enc.c fips_lck.c fips_mem.c +LIBOBJ= fips_err.o fips_md.o fips_enc.o fips_lck.o fips_mem.o SRC= $(LIBSRC) diff --git a/fips/utl/fips_enc.c b/fips/utl/fips_enc.c index 23ba5ddb74..93647a023b 100644 --- a/fips/utl/fips_enc.c +++ b/fips/utl/fips_enc.c @@ -56,11 +56,13 @@ * [including the GNU Public Licence.] */ +#define OPENSSL_FIPSAPI + #include #include #include #include -#include +#include void FIPS_cipher_ctx_init(EVP_CIPHER_CTX *ctx) { diff --git a/fips/utl/fips_md.c b/fips/utl/fips_md.c index 6e33e841a5..0038646f58 100644 --- a/fips/utl/fips_md.c +++ b/fips/utl/fips_md.c @@ -111,11 +111,14 @@ /* Minimal standalone FIPS versions of Digest operations */ +#define OPENSSL_FIPSAPI + #include #include #include #include #include +#include void FIPS_md_ctx_init(EVP_MD_CTX *ctx) { -- 2.25.1