diff options
author | Richard Levitte <levitte@openssl.org> | 2019-10-04 01:38:17 +0200 |
---|---|---|
committer | Richard Levitte <levitte@openssl.org> | 2019-10-10 14:12:15 +0200 |
commit | dec95d75897125133380c7ce3c6ce58c93c06f10 (patch) | |
tree | c95ecfb434a58251f6f422d413eda49f1ac53857 /providers/common | |
parent | e805c2d6d36d6be3db8141abc98f3ce5c6fa9776 (diff) |
Rework how our providers are built
We put almost everything in these internal static libraries:
libcommon Block building code that can be used by all
our implementations, legacy and non-legacy
alike.
libimplementations All non-legacy algorithm implementations and
only them. All the code that ends up here is
agnostic to the definitions of FIPS_MODE.
liblegacy All legacy implementations.
libnonfips Support code for the algorithm implementations.
Built with FIPS_MODE undefined. Any code that
checks that FIPS_MODE isn't defined must end
up in this library.
libfips Support code for the algorithm implementations.
Built with FIPS_MODE defined. Any code that
checks that FIPS_MODE is defined must end up
in this library.
The FIPS provider module is built from providers/fips/*.c and linked
with libimplementations, libcommon and libfips.
The Legacy provider module is built from providers/legacy/*.c and
linked with liblegacy, libcommon and libcrypto.
If module building is disabled, the object files from liblegacy and
libcommon are added to libcrypto and the Legacy provider becomes a
built-in provider.
The Default provider module is built-in, so it ends up being linked
with libimplementations, libcommon and libnonfips. For libcrypto in
form of static library, the object files from those other libraries
are simply being added to libcrypto.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10088)
Diffstat (limited to 'providers/common')
-rw-r--r-- | providers/common/build.info | 7 | ||||
-rw-r--r-- | providers/common/ciphers/build.info | 23 | ||||
-rw-r--r-- | providers/common/ciphers/cipher_aes_xts.c | 6 | ||||
-rw-r--r-- | providers/common/ciphers/cipher_aes_xts.h | 6 | ||||
-rw-r--r-- | providers/common/ciphers/cipher_fips.c | 16 | ||||
-rw-r--r-- | providers/common/digests/build.info | 10 | ||||
-rw-r--r-- | providers/common/exchange/build.info | 8 | ||||
-rw-r--r-- | providers/common/kdfs/build.info | 16 | ||||
-rw-r--r-- | providers/common/kdfs/pbkdf2.c | 12 | ||||
-rw-r--r-- | providers/common/kdfs/pbkdf2.h | 14 | ||||
-rw-r--r-- | providers/common/kdfs/pbkdf2_fips.c | 20 | ||||
-rw-r--r-- | providers/common/keymgmt/build.info | 9 | ||||
-rw-r--r-- | providers/common/macs/build.info | 12 | ||||
-rw-r--r-- | providers/common/signature/build.info | 6 |
14 files changed, 99 insertions, 66 deletions
diff --git a/providers/common/build.info b/providers/common/build.info index 916cc3e4ea..95c2fd107e 100644 --- a/providers/common/build.info +++ b/providers/common/build.info @@ -1,5 +1,6 @@ SUBDIRS=digests ciphers macs kdfs exchange keymgmt signature -$COMMON=provider_util.c -SOURCE[../../libcrypto]=$COMMON provider_err.c provlib.c -SOURCE[../fips]=$COMMON +SOURCE[../libcommon.a]=provider_err.c provlib.c +$FIPSCOMMON=provider_util.c +SOURCE[../libnonfips.a]=$FIPSCOMMON +SOURCE[../libfips.a]=$FIPSCOMMON diff --git a/providers/common/ciphers/build.info b/providers/common/ciphers/build.info index 0969e6d378..77376cce1e 100644 --- a/providers/common/ciphers/build.info +++ b/providers/common/ciphers/build.info @@ -1,21 +1,26 @@ -LIBS=../../../libcrypto +# This source is common building blockss for all ciphers in all our providers. +SOURCE[../../libcommon.a]=\ + cipher_common.c cipher_common_hw.c block.c \ + cipher_gcm.c cipher_gcm_hw.c \ + cipher_ccm.c cipher_ccm_hw.c + +# These are our implementations +$GOAL=../../libimplementations.a IF[{- !$disabled{des} -}] $COMMON_DES=cipher_tdes.c cipher_tdes_hw.c ENDIF -$COMMON=cipher_common.c cipher_common_hw.c block.c \ +SOURCE[$GOAL]=\ cipher_aes.c cipher_aes_hw.c \ cipher_aes_xts.c cipher_aes_xts_hw.c \ - cipher_gcm.c cipher_gcm_hw.c \ cipher_aes_gcm.c cipher_aes_gcm_hw.c \ - cipher_ccm.c cipher_ccm_hw.c \ cipher_aes_ccm.c cipher_aes_ccm_hw.c \ cipher_aes_wrp.c \ $COMMON_DES - -SOURCE[../../../libcrypto]=$COMMON -INCLUDE[../../../libcrypto]=. ../../../crypto +# Because some default ciphers need it +INCLUDE[$GOAL]=. -SOURCE[../../fips]=$COMMON -INCLUDE[../../fips]=. ../../../crypto +# Finally, we have a few things that aren't FIPS agnostic +SOURCE[../../libfips.a]=cipher_fips.c +SOURCE[../../libnonfips.a]=cipher_fips.c diff --git a/providers/common/ciphers/cipher_aes_xts.c b/providers/common/ciphers/cipher_aes_xts.c index fdda733d24..d0b999081e 100644 --- a/providers/common/ciphers/cipher_aes_xts.c +++ b/providers/common/ciphers/cipher_aes_xts.c @@ -20,12 +20,6 @@ #define AES_XTS_IV_BITS 128 #define AES_XTS_BLOCK_BITS 8 -#ifdef FIPS_MODE -static const int allow_insecure_decrypt = 0; -#else -static const int allow_insecure_decrypt = 1; -#endif /* FIPS_MODE */ - /* forward declarations */ static OSSL_OP_cipher_encrypt_init_fn aes_xts_einit; static OSSL_OP_cipher_decrypt_init_fn aes_xts_dinit; diff --git a/providers/common/ciphers/cipher_aes_xts.h b/providers/common/ciphers/cipher_aes_xts.h index 4f8a8f874f..16fb8c34cd 100644 --- a/providers/common/ciphers/cipher_aes_xts.h +++ b/providers/common/ciphers/cipher_aes_xts.h @@ -10,6 +10,12 @@ #include <openssl/aes.h> #include "internal/ciphers/ciphercommon.h" +/* + * Available in cipher_fips.c, and compiled with different values depending + * on we're in the FIPS module or not. + */ +extern const int allow_insecure_decrypt; + PROV_CIPHER_FUNC(void, xts_stream, (const unsigned char *in, unsigned char *out, size_t len, const AES_KEY *key1, const AES_KEY *key2, diff --git a/providers/common/ciphers/cipher_fips.c b/providers/common/ciphers/cipher_fips.c new file mode 100644 index 0000000000..c99d6ed2f4 --- /dev/null +++ b/providers/common/ciphers/cipher_fips.c @@ -0,0 +1,16 @@ +/* + * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include "cipher_aes_xts.h" + +#ifdef FIPS_MODE +const int allow_insecure_decrypt = 0; +#else +const int allow_insecure_decrypt = 1; +#endif /* FIPS_MODE */ diff --git a/providers/common/digests/build.info b/providers/common/digests/build.info index fbbce36e87..2a8e8aa397 100644 --- a/providers/common/digests/build.info +++ b/providers/common/digests/build.info @@ -1,5 +1,7 @@ -$COMMON=sha2_prov.c sha3_prov.c digest_common.c +# This source is common for all digests in all our providers. +SOURCE[../../libcommon.a]=digest_common.c -SOURCE[../../../libcrypto]=$COMMON -SOURCE[../../fips]=$COMMON -SOURCE[../../legacy]= digest_common.c +# These are our implementations +$GOAL=../../libimplementations.a + +SOURCE[$GOAL]=sha2_prov.c sha3_prov.c diff --git a/providers/common/exchange/build.info b/providers/common/exchange/build.info index c99c9d81b5..90ea0c9a02 100644 --- a/providers/common/exchange/build.info +++ b/providers/common/exchange/build.info @@ -1,7 +1,5 @@ -LIBS=../../../libcrypto +$GOAL=../../libimplementations.a + IF[{- !$disabled{dh} -}] - SOURCE[../../../libcrypto]=\ - dh_exch.c + SOURCE[$GOAL]=dh_exch.c ENDIF - - diff --git a/providers/common/kdfs/build.info b/providers/common/kdfs/build.info index 8a723d488d..b2b354dc34 100644 --- a/providers/common/kdfs/build.info +++ b/providers/common/kdfs/build.info @@ -1,13 +1,5 @@ -$COMMON=tls1_prf.c hkdf.c kbkdf.c pbkdf2.c sskdf.c +$GOAL=../../libimplementations.a -LIBS=../../../libcrypto -SOURCE[../../../libcrypto]=$COMMON -INCLUDE[../../../libcrypto]=. ../../../crypto - -IF[{- !$disabled{fips} -}] - MODULES=../../fips - SOURCE[../../fips]=$COMMON - INCLUDE[../../fips]=. ../../../crypto -ENDIF - - +SOURCE[$GOAL]=tls1_prf.c hkdf.c kbkdf.c pbkdf2.c sskdf.c +SOURCE[../../libfips.a]=pbkdf2_fips.c +SOURCE[../../libnonfips.a]=pbkdf2_fips.c diff --git a/providers/common/kdfs/pbkdf2.c b/providers/common/kdfs/pbkdf2.c index b98123b872..68aa0aa7c4 100644 --- a/providers/common/kdfs/pbkdf2.c +++ b/providers/common/kdfs/pbkdf2.c @@ -21,21 +21,13 @@ #include "internal/providercommonerr.h" #include "internal/provider_algs.h" #include "internal/provider_util.h" +#include "pbkdf2.h" /* Constants specified in SP800-132 */ #define KDF_PBKDF2_MIN_KEY_LEN_BITS 112 #define KDF_PBKDF2_MAX_KEY_LEN_DIGEST_RATIO 0xFFFFFFFF #define KDF_PBKDF2_MIN_ITERATIONS 1000 #define KDF_PBKDF2_MIN_SALT_LEN (128 / 8) -/* - * For backwards compatibility reasons, - * Extra checks are done by default in fips mode only. - */ -#ifdef FIPS_MODE -# define KDF_PBKDF2_DEFAULT_CHECKS 1 -#else -# define KDF_PBKDF2_DEFAULT_CHECKS 0 -#endif /* FIPS_MODE */ static OSSL_OP_kdf_newctx_fn kdf_pbkdf2_new; static OSSL_OP_kdf_freectx_fn kdf_pbkdf2_free; @@ -111,7 +103,7 @@ static void kdf_pbkdf2_init(KDF_PBKDF2 *ctx) /* This is an error, but there is no way to indicate such directly */ ossl_prov_digest_reset(&ctx->digest); ctx->iter = PKCS5_DEFAULT_ITER; - ctx->lower_bound_checks = KDF_PBKDF2_DEFAULT_CHECKS; + ctx->lower_bound_checks = kdf_pbkdf2_default_checks; } static int pbkdf2_set_membuf(unsigned char **buffer, size_t *buflen, diff --git a/providers/common/kdfs/pbkdf2.h b/providers/common/kdfs/pbkdf2.h new file mode 100644 index 0000000000..c8c2e5b8a7 --- /dev/null +++ b/providers/common/kdfs/pbkdf2.h @@ -0,0 +1,14 @@ +/* + * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/* + * Available in pbkdfe_fips.c, and compiled with different values depending + * on we're in the FIPS module or not. + */ +extern const int kdf_pbkdf2_default_checks; diff --git a/providers/common/kdfs/pbkdf2_fips.c b/providers/common/kdfs/pbkdf2_fips.c new file mode 100644 index 0000000000..d33782b24c --- /dev/null +++ b/providers/common/kdfs/pbkdf2_fips.c @@ -0,0 +1,20 @@ +/* + * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include "pbkdf2.h" + +/* + * For backwards compatibility reasons, + * Extra checks are done by default in fips mode only. + */ +#ifdef FIPS_MODE +const int kdf_pbkdf2_default_checks = 1; +#else +const int kdf_pbkdf2_default_checks = 0; +#endif /* FIPS_MODE */ diff --git a/providers/common/keymgmt/build.info b/providers/common/keymgmt/build.info index e66190c401..533c489077 100644 --- a/providers/common/keymgmt/build.info +++ b/providers/common/keymgmt/build.info @@ -1,9 +1,8 @@ -LIBS=../../../libcrypto +$GOAL=../../libimplementations.a + IF[{- !$disabled{dh} -}] - SOURCE[../../../libcrypto]=\ - dh_kmgmt.c + SOURCE[$GOAL]=dh_kmgmt.c ENDIF IF[{- !$disabled{dsa} -}] - SOURCE[../../../libcrypto]=\ - dsa_kmgmt.c + SOURCE[$GOAL]=dsa_kmgmt.c ENDIF diff --git a/providers/common/macs/build.info b/providers/common/macs/build.info index 832a1e76ec..1eafe70604 100644 --- a/providers/common/macs/build.info +++ b/providers/common/macs/build.info @@ -1,15 +1,9 @@ +$GOAL=../../libimplementations.a + $COMMON=gmac_prov.c hmac_prov.c kmac_prov.c IF[{- !$disabled{cmac} -}] $COMMON=$COMMON cmac_prov.c ENDIF -LIBS=../../../libcrypto -SOURCE[../../../libcrypto]=$COMMON -INCLUDE[../../../libcrypto]=. ../../../crypto - -IF[{- !$disabled{fips} -}] - MODULES=../../fips - SOURCE[../../fips]=$COMMON - INCLUDE[../../fips]=. ../../../crypto -ENDIF +SOURCE[$GOAL]=$COMMON diff --git a/providers/common/signature/build.info b/providers/common/signature/build.info index 5b64229dfc..496fb7d7d8 100644 --- a/providers/common/signature/build.info +++ b/providers/common/signature/build.info @@ -1,7 +1,7 @@ -LIBS=../../../libcrypto +$GOAL=../../libimplementations.a + IF[{- !$disabled{dsa} -}] - SOURCE[../../../libcrypto]=\ - dsa.c + SOURCE[$GOAL]=dsa.c ENDIF |