diff options
author | Pauli <paul.dale@oracle.com> | 2020-10-30 15:54:03 +1000 |
---|---|---|
committer | Pauli <paul.dale@oracle.com> | 2020-11-20 08:24:21 +1000 |
commit | 08edd447c97854d6548c15149de90d6bd3ddd47b (patch) | |
tree | 005070d7bc73f7e588741c01522fb2f500aa711e /providers/common | |
parent | 0d4460d27ea2fef46f02fa94a60717e9d168ed96 (diff) |
prov: move the entropy source out of the FIPS provider
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/13226)
Diffstat (limited to 'providers/common')
-rw-r--r-- | providers/common/build.info | 2 | ||||
-rw-r--r-- | providers/common/include/prov/providercommonerr.h | 2 | ||||
-rw-r--r-- | providers/common/provider_err.c | 4 | ||||
-rw-r--r-- | providers/common/provider_seeding.c | 73 |
4 files changed, 77 insertions, 4 deletions
diff --git a/providers/common/build.info b/providers/common/build.info index b6d56682a9..8de65f3fa8 100644 --- a/providers/common/build.info +++ b/providers/common/build.info @@ -2,6 +2,6 @@ SUBDIRS=der SOURCE[../libcommon.a]=provider_err.c provider_ctx.c $FIPSCOMMON=provider_util.c capabilities.c bio_prov.c digest_to_nid.c\ - securitycheck.c + securitycheck.c provider_seeding.c SOURCE[../libnonfips.a]=$FIPSCOMMON securitycheck_default.c SOURCE[../libfips.a]=$FIPSCOMMON securitycheck_fips.c diff --git a/providers/common/include/prov/providercommonerr.h b/providers/common/include/prov/providercommonerr.h index 05ca8abef0..86a3667641 100644 --- a/providers/common/include/prov/providercommonerr.h +++ b/providers/common/include/prov/providercommonerr.h @@ -141,6 +141,7 @@ int ERR_load_PROV_strings(void); # define PROV_R_NO_PARAMETERS_SET 177 # define PROV_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 178 # define PROV_R_OUTPUT_BUFFER_TOO_SMALL 106 +# define PROV_R_PARENT_CANNOT_GENERATE_RANDOM_NUMBERS 228 # define PROV_R_PARENT_LOCKING_NOT_ENABLED 182 # define PROV_R_PARENT_STRENGTH_TOO_WEAK 194 # define PROV_R_PATH_MUST_BE_ABSOLUTE 219 @@ -158,7 +159,6 @@ int ERR_load_PROV_strings(void); # define PROV_R_UNABLE_TO_FIND_CIPHERS 207 # define PROV_R_UNABLE_TO_GET_ENTROPY 202 # define PROV_R_UNABLE_TO_GET_NONCE 203 -# define PROV_R_UNABLE_TO_GET_PARENT_RESEED_PROP_COUNTER 198 # define PROV_R_UNABLE_TO_GET_PARENT_STRENGTH 199 # define PROV_R_UNABLE_TO_INITIALISE_CIPHERS 208 # define PROV_R_UNABLE_TO_LOAD_SHA1 143 diff --git a/providers/common/provider_err.c b/providers/common/provider_err.c index 2b65903a31..2915330b86 100644 --- a/providers/common/provider_err.c +++ b/providers/common/provider_err.c @@ -152,6 +152,8 @@ static const ERR_STRING_DATA PROV_str_reasons[] = { "operation not supported for this keytype"}, {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_OUTPUT_BUFFER_TOO_SMALL), "output buffer too small"}, + {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_PARENT_CANNOT_GENERATE_RANDOM_NUMBERS), + "parent cannot generate random numbers"}, {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_PARENT_LOCKING_NOT_ENABLED), "parent locking not enabled"}, {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_PARENT_STRENGTH_TOO_WEAK), @@ -182,8 +184,6 @@ static const ERR_STRING_DATA PROV_str_reasons[] = { "unable to get entropy"}, {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_UNABLE_TO_GET_NONCE), "unable to get nonce"}, - {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_UNABLE_TO_GET_PARENT_RESEED_PROP_COUNTER), - "unable to get parent reseed prop counter"}, {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_UNABLE_TO_GET_PARENT_STRENGTH), "unable to get parent strength"}, {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_UNABLE_TO_INITIALISE_CIPHERS), diff --git a/providers/common/provider_seeding.c b/providers/common/provider_seeding.c new file mode 100644 index 0000000000..98704a2cdf --- /dev/null +++ b/providers/common/provider_seeding.c @@ -0,0 +1,73 @@ +/* + * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include <openssl/core_dispatch.h> +#include "prov/seeding.h" + +static OSSL_FUNC_get_entropy_fn *c_get_entropy = NULL; +static OSSL_FUNC_cleanup_entropy_fn *c_cleanup_entropy = NULL; +static OSSL_FUNC_get_nonce_fn *c_get_nonce = NULL; +static OSSL_FUNC_cleanup_nonce_fn *c_cleanup_nonce = NULL; + +int ossl_prov_seeding_from_dispatch(const OSSL_DISPATCH *fns) +{ + for (; fns->function_id != 0; fns++) { + switch (fns->function_id) { + case OSSL_FUNC_GET_ENTROPY: + if (c_get_entropy == NULL) + c_get_entropy = OSSL_FUNC_get_entropy(fns); + break; + case OSSL_FUNC_CLEANUP_ENTROPY: + if (c_cleanup_entropy == NULL) + c_cleanup_entropy = OSSL_FUNC_cleanup_entropy(fns); + break; + case OSSL_FUNC_GET_NONCE: + if (c_get_nonce == NULL) + c_get_nonce = OSSL_FUNC_get_nonce(fns); + break; + case OSSL_FUNC_CLEANUP_NONCE: + if (c_cleanup_nonce == NULL) + c_cleanup_nonce = OSSL_FUNC_cleanup_nonce(fns); + break; + } + } + return 1; +} + +size_t ossl_prov_get_entropy(PROV_CTX *prov_ctx, unsigned char **pout, + int entropy, size_t min_len, size_t max_len) +{ + if (c_get_entropy == NULL) + return 0; + return c_get_entropy(ossl_prov_ctx_get0_handle(prov_ctx), + pout, entropy, min_len, max_len); +} + +void ossl_prov_cleanup_entropy(PROV_CTX *prov_ctx, unsigned char *buf, + size_t len) +{ + if (c_cleanup_entropy != NULL) + c_cleanup_entropy(ossl_prov_ctx_get0_handle(prov_ctx), buf, len); +} + +size_t ossl_prov_get_nonce(PROV_CTX *prov_ctx, unsigned char **pout, + size_t min_len, size_t max_len, + const void *salt,size_t salt_len) +{ + if (c_get_nonce == NULL) + return 0; + return c_get_nonce(ossl_prov_ctx_get0_handle(prov_ctx), pout, + min_len, max_len, salt, salt_len); +} + +void ossl_prov_cleanup_nonce(PROV_CTX *prov_ctx, unsigned char *buf, size_t len) +{ + if (c_cleanup_nonce != NULL) + c_cleanup_nonce(ossl_prov_ctx_get0_handle(prov_ctx), buf, len); +} |