diff options
| author | Matt Caswell <matt@openssl.org> | 2019-05-13 06:41:06 +0100 |
|---|---|---|
| committer | Matt Caswell <matt@openssl.org> | 2019-05-23 11:02:04 +0100 |
| commit | 319e518a5ae17fb8def2bd9209675acbaa6c22c2 (patch) | |
| tree | 34d515cc857f1a4adf37311228925330ad635dd3 /crypto | |
| parent | 3593266d1c924ea595a1074e78381890f964392c (diff) | |
Make some EVP code available from within the FIPS module
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8728)
Diffstat (limited to 'crypto')
| -rw-r--r-- | crypto/build.info | 3 | ||||
| -rw-r--r-- | crypto/evp/build.info | 4 | ||||
| -rw-r--r-- | crypto/evp/digest.c | 39 | ||||
| -rw-r--r-- | crypto/evp/evp_enc.c | 32 | ||||
| -rw-r--r-- | crypto/evp/evp_lib.c | 25 | ||||
| -rw-r--r-- | crypto/lhash/build.info | 2 | ||||
| -rw-r--r-- | crypto/property/build.info | 2 | ||||
| -rw-r--r-- | crypto/property/property.c | 3 |
8 files changed, 85 insertions, 25 deletions
diff --git a/crypto/build.info b/crypto/build.info index 546865bdc9..db6d6afbdc 100644 --- a/crypto/build.info +++ b/crypto/build.info @@ -27,7 +27,8 @@ SOURCE[../libcrypto]=\ # FIPS module SOURCE[../providers/fips]=\ cryptlib.c mem.c mem_clr.c params.c bsearch.c ex_data.c o_str.c \ - threads_pthread.c threads_win.c threads_none.c context.c + ctype.c threads_pthread.c threads_win.c threads_none.c context.c \ + sparse_array.c DEPEND[cversion.o]=buildinf.h diff --git a/crypto/evp/build.info b/crypto/evp/build.info index 23aa733a66..61e8880632 100644 --- a/crypto/evp/build.info +++ b/crypto/evp/build.info @@ -20,6 +20,10 @@ SOURCE[../../libcrypto]=\ SOURCE[../../libcrypto]=\ evp_fetch.c +# FIPS Module +SOURCE[../../providers/fips]=\ + digest.c evp_enc.c evp_lib.c evp_fetch.c cmeth_lib.c + INCLUDE[e_aes.o]=.. ../modes INCLUDE[e_aes_cbc_hmac_sha1.o]=../modes INCLUDE[e_aes_cbc_hmac_sha256.o]=../modes diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c index dc50528607..a1f0154a7f 100644 --- a/crypto/evp/digest.c +++ b/crypto/evp/digest.c @@ -55,10 +55,14 @@ int EVP_MD_CTX_reset(EVP_MD_CTX *ctx) * pctx should be freed by the user of EVP_MD_CTX * if EVP_MD_CTX_FLAG_KEEP_PKEY_CTX is set */ +#ifndef FIPS_MODE + /* TODO(3.0): Temporarily no support for EVP_DigestSign* in FIPS module */ if (!EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_KEEP_PKEY_CTX)) EVP_PKEY_CTX_free(ctx->pctx); -#ifndef OPENSSL_NO_ENGINE + +# ifndef OPENSSL_NO_ENGINE ENGINE_finish(ctx->engine); +# endif #endif OPENSSL_cleanse(ctx, sizeof(*ctx)); @@ -102,8 +106,9 @@ int EVP_DigestInit(EVP_MD_CTX *ctx, const EVP_MD *type) int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl) { - EVP_MD *provmd; +#if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODE) ENGINE *tmpimpl = NULL; +#endif EVP_MD_CTX_clear_flags(ctx, EVP_MD_CTX_FLAG_CLEANED); @@ -111,7 +116,7 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl) ctx->reqdigest = type; /* TODO(3.0): Legacy work around code below. Remove this */ -#ifndef OPENSSL_NO_ENGINE +#if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODE) /* * Whether it's nice or not, "Inits" can be used on "Final"'d contexts so * this context may already have an ENGINE! Try to avoid releasing the @@ -132,7 +137,9 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl) */ if (ctx->engine != NULL || impl != NULL +#if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODE) || tmpimpl != NULL +#endif || ctx->pctx != NULL || (ctx->flags & EVP_MD_CTX_FLAG_NO_INIT) != 0) { if (ctx->digest == ctx->fetched_digest) @@ -160,7 +167,13 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl) /* TODO(3.0): Start of non-legacy code below */ if (type->prov == NULL) { - provmd = EVP_MD_fetch(NULL, OBJ_nid2sn(type->type), ""); +#ifdef FIPS_MODE + /* We only do explict fetches inside the FIPS module */ + EVPerr(EVP_F_EVP_DIGESTINIT_EX, EVP_R_INITIALIZATION_ERROR); + return 0; +#else + EVP_MD *provmd = EVP_MD_fetch(NULL, OBJ_nid2sn(type->type), ""); + if (provmd == NULL) { EVPerr(EVP_F_EVP_DIGESTINIT_EX, EVP_R_INITIALIZATION_ERROR); return 0; @@ -168,6 +181,7 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl) type = provmd; EVP_MD_meth_free(ctx->fetched_digest); ctx->fetched_digest = provmd; +#endif } ctx->digest = type; @@ -189,7 +203,7 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl) /* TODO(3.0): Remove legacy code below */ legacy: -#ifndef OPENSSL_NO_ENGINE +#if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODE) if (type) { /* * Ensure an ENGINE left lying around from last time is cleared (the @@ -247,16 +261,19 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl) } } } -#ifndef OPENSSL_NO_ENGINE +#if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODE) skip_to_init: #endif - if (ctx->pctx) { +#ifndef FIPS_MODE + /* TODO(3.0): Temporarily no support for EVP_DigestSign* in FIPS module */ + if (ctx->pctx != NULL) { int r; r = EVP_PKEY_CTX_ctrl(ctx->pctx, -1, EVP_PKEY_OP_TYPE_SIG, EVP_PKEY_CTRL_DIGESTINIT, 0, ctx); if (r <= 0 && (r != -2)) return 0; } +#endif if (ctx->flags & EVP_MD_CTX_FLAG_NO_INIT) return 1; return ctx->digest->init(ctx); @@ -397,6 +414,8 @@ int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in) /* copied EVP_MD_CTX should free the copied EVP_PKEY_CTX */ EVP_MD_CTX_clear_flags(out, EVP_MD_CTX_FLAG_KEEP_PKEY_CTX); +#ifndef FIPS_MODE + /* TODO(3.0): Temporarily no support for EVP_DigestSign* in FIPS module */ if (in->pctx != NULL) { out->pctx = EVP_PKEY_CTX_dup(in->pctx); if (out->pctx == NULL) { @@ -405,12 +424,13 @@ int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in) return 0; } } +#endif return 1; /* TODO(3.0): Remove legacy code below */ legacy: -#ifndef OPENSSL_NO_ENGINE +#if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODE) /* Make sure it's safe to copy a digest context using an ENGINE */ if (in->engine && !ENGINE_init(in->engine)) { EVPerr(EVP_F_EVP_MD_CTX_COPY_EX, ERR_R_ENGINE_LIB); @@ -451,6 +471,8 @@ int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in) out->update = in->update; +#ifndef FIPS_MODE + /* TODO(3.0): Temporarily no support for EVP_DigestSign* in FIPS module */ if (in->pctx) { out->pctx = EVP_PKEY_CTX_dup(in->pctx); if (!out->pctx) { @@ -458,6 +480,7 @@ int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in) return 0; } } +#endif if (out->digest->copy) return out->digest->copy(out, in); diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c index d0566ad170..b3e97d005d 100644 --- a/crypto/evp/evp_enc.c +++ b/crypto/evp/evp_enc.c @@ -51,7 +51,7 @@ int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX *ctx) OPENSSL_cleanse(ctx->cipher_data, ctx->cipher->ctx_size); } OPENSSL_free(ctx->cipher_data); -#ifndef OPENSSL_NO_ENGINE +#if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODE) ENGINE_finish(ctx->engine); #endif memset(ctx, 0, sizeof(*ctx)); @@ -81,8 +81,9 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *impl, const unsigned char *key, const unsigned char *iv, int enc) { - EVP_CIPHER *provciph = NULL; +#if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODE) ENGINE *tmpimpl = NULL; +#endif const EVP_CIPHER *tmpcipher; /* @@ -105,7 +106,7 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, /* TODO(3.0): Legacy work around code below. Remove this */ -#ifndef OPENSSL_NO_ENGINE +#if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODE) /* * Whether it's nice or not, "Inits" can be used on "Final"'d contexts so * this context may already have an ENGINE! Try to avoid releasing the @@ -126,8 +127,10 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, * If there are engines involved then we should use legacy handling for now. */ if (ctx->engine != NULL - || impl != NULL - || tmpimpl != NULL) { +#if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODE) + || tmpimpl != NULL +#endif + || impl != NULL) { if (ctx->cipher == ctx->fetched_cipher) ctx->cipher = NULL; EVP_CIPHER_meth_free(ctx->fetched_cipher); @@ -194,7 +197,14 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, cipher = ctx->cipher; if (cipher->prov == NULL) { - provciph = EVP_CIPHER_fetch(NULL, OBJ_nid2sn(cipher->nid), ""); +#ifdef FIPS_MODE + /* We only do explict fetches inside the FIPS module */ + EVPerr(EVP_F_EVP_CIPHERINIT_EX, EVP_R_INITIALIZATION_ERROR); + return 0; +#else + EVP_CIPHER *provciph = + EVP_CIPHER_fetch(NULL, OBJ_nid2sn(cipher->nid), ""); + if (provciph == NULL) { EVPerr(EVP_F_EVP_CIPHERINIT_EX, EVP_R_INITIALIZATION_ERROR); return 0; @@ -202,6 +212,7 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, cipher = provciph; EVP_CIPHER_meth_free(ctx->fetched_cipher); ctx->fetched_cipher = provciph; +#endif } ctx->cipher = cipher; @@ -279,7 +290,7 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ctx->encrypt = enc; ctx->flags = flags; } -#ifndef OPENSSL_NO_ENGINE +#if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODE) if (impl != NULL) { if (!ENGINE_init(impl)) { EVPerr(EVP_F_EVP_CIPHERINIT_EX, EVP_R_INITIALIZATION_ERROR); @@ -335,7 +346,7 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, } } } -#ifndef OPENSSL_NO_ENGINE +#if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODE) skip_to_init: #endif if (ctx->cipher == NULL) @@ -966,6 +977,8 @@ int EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr) return ret; } +#if !defined(FIPS_MODE) +/* TODO(3.0): No support for RAND yet in the FIPS module */ int EVP_CIPHER_CTX_rand_key(EVP_CIPHER_CTX *ctx, unsigned char *key) { int kl; @@ -976,6 +989,7 @@ int EVP_CIPHER_CTX_rand_key(EVP_CIPHER_CTX *ctx, unsigned char *key) return 0; return 1; } +#endif int EVP_CIPHER_CTX_copy(EVP_CIPHER_CTX *out, const EVP_CIPHER_CTX *in) { @@ -1013,7 +1027,7 @@ int EVP_CIPHER_CTX_copy(EVP_CIPHER_CTX *out, const EVP_CIPHER_CTX *in) /* TODO(3.0): Remove legacy code below */ legacy: -#ifndef OPENSSL_NO_ENGINE +#if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODE) /* Make sure it's safe to copy a cipher context using an ENGINE */ if (in->engine && !ENGINE_init(in->engine)) { EVPerr(EVP_F_EVP_CIPHER_CTX_COPY, ERR_R_ENGINE_LIB); diff --git a/crypto/evp/evp_lib.c b/crypto/evp/evp_lib.c index 34b938281e..faaa69d338 100644 --- a/crypto/evp/evp_lib.c +++ b/crypto/evp/evp_lib.c @@ -17,6 +17,7 @@ #include "internal/provider.h" #include "evp_locl.h" +#if !defined(FIPS_MODE) int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type) { int ret; @@ -146,12 +147,12 @@ int EVP_CIPHER_set_asn1_iv(EVP_CIPHER_CTX *c, ASN1_TYPE *type) } return i; } +#endif /* !defined(FIPS_MODE) */ /* Convert the various cipher NIDs and dummies to a proper OID NID */ int EVP_CIPHER_type(const EVP_CIPHER *ctx) { int nid; - ASN1_OBJECT *otmp; nid = EVP_CIPHER_nid(ctx); switch (nid) { @@ -198,12 +199,19 @@ int EVP_CIPHER_type(const EVP_CIPHER *ctx) return NID_des_cfb64; default: - /* Check it has an OID and it is valid */ - otmp = OBJ_nid2obj(nid); - if (OBJ_get0_data(otmp) == NULL) - nid = NID_undef; - ASN1_OBJECT_free(otmp); - return nid; +#ifdef FIPS_MODE + return NID_undef; +#else + { + /* Check it has an OID and it is valid */ + ASN1_OBJECT *otmp = OBJ_nid2obj(nid); + + if (OBJ_get0_data(otmp) == NULL) + nid = NID_undef; + ASN1_OBJECT_free(otmp); + return nid; + } +#endif } } @@ -596,6 +604,8 @@ EVP_PKEY_CTX *EVP_MD_CTX_pkey_ctx(const EVP_MD_CTX *ctx) return ctx->pctx; } +#if !defined(FIPS_MODE) +/* TODO(3.0): EVP_DigestSign* not yet supported in FIPS module */ void EVP_MD_CTX_set_pkey_ctx(EVP_MD_CTX *ctx, EVP_PKEY_CTX *pctx) { /* @@ -614,6 +624,7 @@ void EVP_MD_CTX_set_pkey_ctx(EVP_MD_CTX *ctx, EVP_PKEY_CTX *pctx) EVP_MD_CTX_clear_flags(ctx, EVP_MD_CTX_FLAG_KEEP_PKEY_CTX); } } +#endif /* !defined(FIPS_MODE) */ void *EVP_MD_CTX_md_data(const EVP_MD_CTX *ctx) { diff --git a/crypto/lhash/build.info b/crypto/lhash/build.info index 30797f2caf..0aa12a1eb3 100644 --- a/crypto/lhash/build.info +++ b/crypto/lhash/build.info @@ -1,3 +1,5 @@ LIBS=../../libcrypto SOURCE[../../libcrypto]=\ lhash.c lh_stats.c +SOURCE[../../providers/fips]=\ + lhash.c diff --git a/crypto/property/build.info b/crypto/property/build.info index 3a86b6e141..3bdf307c92 100644 --- a/crypto/property/build.info +++ b/crypto/property/build.info @@ -1,3 +1,5 @@ LIBS=../../libcrypto SOURCE[../../libcrypto]=property_string.c property_parse.c property.c \ property_err.c defn_cache.c +SOURCE[../../providers/fips]=\ + property_string.c property_parse.c property.c defn_cache.c diff --git a/crypto/property/property.c b/crypto/property/property.c index 9dd8f6a3ff..4c328ffbd8 100644 --- a/crypto/property/property.c +++ b/crypto/property/property.c @@ -391,6 +391,8 @@ IMPLEMENT_LHASH_DOALL_ARG(QUERY, IMPL_CACHE_FLUSH); */ static void impl_cache_flush_cache(QUERY *c, IMPL_CACHE_FLUSH *state) { +#if !defined(FIPS_MODE) +/* TODO(3.0): No RAND_bytes yet in FIPS module. Add this back when available */ OSSL_METHOD_STORE *store = state->store; unsigned int n; @@ -404,6 +406,7 @@ static void impl_cache_flush_cache(QUERY *c, IMPL_CACHE_FLUSH *state) OPENSSL_free(lh_QUERY_delete(state->cache, c)); else state->nelem++; +#endif /* !defined(FIPS_MODE) */ } static void impl_cache_flush_one_alg(ossl_uintmax_t idx, ALGORITHM *alg, |