From 9efa0ae0b602c1c0e356009a58410a2e8b80201a Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Wed, 20 Mar 2019 14:27:52 +0000 Subject: Create a FIPS provider and put SHA256 in it Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/8537) --- crypto/build.info | 5 ++ crypto/mem.c | 12 ++--- crypto/params.c | 8 +++ crypto/sha/build.info | 2 + providers/build.info | 11 +++++ providers/common/digests/build.info | 4 +- providers/fips/build.info | 2 + providers/fips/fipsprov.c | 99 +++++++++++++++++++++++++++++++++++++ 8 files changed, 136 insertions(+), 7 deletions(-) create mode 100644 providers/fips/build.info create mode 100644 providers/fips/fipsprov.c diff --git a/crypto/build.info b/crypto/build.info index a6f3524542..77dcffb906 100644 --- a/crypto/build.info +++ b/crypto/build.info @@ -21,6 +21,11 @@ SOURCE[../libcrypto]=\ trace.c provider.c params.c \ {- $target{cpuid_asm_src} -} {- $target{uplink_aux_src} -} +# FIPS module +SOURCE[../providers/fips]=\ + cryptlib.c mem.c mem_clr.c params.c + + DEPEND[cversion.o]=buildinf.h GENERATE[buildinf.h]=../util/mkbuildinf.pl "$(CC) $(LIB_CFLAGS) $(CPPFLAGS_Q)" "$(PLATFORM)" DEPEND[buildinf.h]=../configdata.pm diff --git a/crypto/mem.c b/crypto/mem.c index 5feece36fb..562d6b51e2 100644 --- a/crypto/mem.c +++ b/crypto/mem.c @@ -14,7 +14,7 @@ #include #include #include -#ifndef OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE +#if !defined(OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE) && !defined(FIPS_MODE) # include #endif @@ -30,7 +30,7 @@ static void *(*realloc_impl)(void *, size_t, const char *, int) static void (*free_impl)(void *, const char *, int) = CRYPTO_free; -#ifndef OPENSSL_NO_CRYPTO_MDEBUG +#if !defined(OPENSSL_NO_CRYPTO_MDEBUG) && !defined(FIPS_MODE) # include "internal/tsan_assist.h" static TSAN_QUALIFIER int malloc_count; @@ -94,7 +94,7 @@ void CRYPTO_get_mem_functions( *f = free_impl; } -#ifndef OPENSSL_NO_CRYPTO_MDEBUG +#if !defined(OPENSSL_NO_CRYPTO_MDEBUG) && !defined(FIPS_MODE) void CRYPTO_get_alloc_counts(int *mcount, int *rcount, int *fcount) { if (mcount != NULL) @@ -209,7 +209,7 @@ void *CRYPTO_malloc(size_t num, const char *file, int line) */ allow_customize = 0; } -#ifndef OPENSSL_NO_CRYPTO_MDEBUG +#if !defined(OPENSSL_NO_CRYPTO_MDEBUG) && !defined(FIPS_MODE) if (call_malloc_debug) { CRYPTO_mem_debug_malloc(NULL, num, 0, file, line); ret = malloc(num); @@ -250,7 +250,7 @@ void *CRYPTO_realloc(void *str, size_t num, const char *file, int line) return NULL; } -#ifndef OPENSSL_NO_CRYPTO_MDEBUG +#if !defined(OPENSSL_NO_CRYPTO_MDEBUG) && !defined(FIPS_MODE) if (call_malloc_debug) { void *ret; CRYPTO_mem_debug_realloc(str, NULL, num, 0, file, line); @@ -300,7 +300,7 @@ void CRYPTO_free(void *str, const char *file, int line) return; } -#ifndef OPENSSL_NO_CRYPTO_MDEBUG +#if !defined(OPENSSL_NO_CRYPTO_MDEBUG) && !defined(FIPS_MODE) if (call_malloc_debug) { CRYPTO_mem_debug_free(str, 0, file, line); free(str); diff --git a/crypto/params.c b/crypto/params.c index 367b2abd21..8eef736ef4 100644 --- a/crypto/params.c +++ b/crypto/params.c @@ -348,6 +348,13 @@ OSSL_PARAM OSSL_PARAM_construct_size_t(const char *key, size_t *buf, return ossl_param_construct(key, OSSL_PARAM_UNSIGNED_INTEGER, buf, sizeof(size_t), rsize); } +#ifndef FIPS_MODE +/* + * TODO(3.0): Make this available in FIPS mode. + * + * Temporarily we don't include these functions in FIPS mode to avoid pulling + * in the entire BN sub-library into the module at this point. + */ int OSSL_PARAM_get_BN(const OSSL_PARAM *p, BIGNUM **val) { BIGNUM *b; @@ -387,6 +394,7 @@ OSSL_PARAM OSSL_PARAM_construct_BN(const char *key, unsigned char *buf, return ossl_param_construct(key, OSSL_PARAM_UNSIGNED_INTEGER, buf, bsize, rsize); } +#endif int OSSL_PARAM_get_double(const OSSL_PARAM *p, double *val) { diff --git a/crypto/sha/build.info b/crypto/sha/build.info index 58d15bbb6d..242a08e3ff 100644 --- a/crypto/sha/build.info +++ b/crypto/sha/build.info @@ -3,6 +3,8 @@ SOURCE[../../libcrypto]=\ sha1dgst.c sha1_one.c sha256.c sha512.c {- $target{sha1_asm_src} -} \ {- $target{keccak1600_asm_src} -} +SOURCE[../../providers/fips]= sha256.c + GENERATE[sha1-586.s]=asm/sha1-586.pl \ $(PERLASM_SCHEME) $(LIB_CFLAGS) $(LIB_CPPFLAGS) $(PROCESSOR) DEPEND[sha1-586.s]=../perlasm/x86asm.pl diff --git a/providers/build.info b/providers/build.info index ec4162bdd8..b2b53849cb 100644 --- a/providers/build.info +++ b/providers/build.info @@ -1 +1,12 @@ SUBDIRS=common default + +IF[{- !$disabled{fips} -}] + SUBDIRS=fips + MODULES=fips + IF[{- defined $target{shared_defflag} -}] + SOURCE[fips]=fips.ld + GENERATE[fips.ld]=../util/providers.num + ENDIF + INCLUDE[fips]=.. ../include ../crypto/include + DEFINE[fips]=FIPS_MODE +ENDIF diff --git a/providers/common/digests/build.info b/providers/common/digests/build.info index a3c2369fb3..b98df29fc5 100644 --- a/providers/common/digests/build.info +++ b/providers/common/digests/build.info @@ -1,3 +1,5 @@ -LIBS=../../../libcrypto SOURCE[../../../libcrypto]=\ sha2.c + +SOURCE[../../fips]=\ + sha2.c diff --git a/providers/fips/build.info b/providers/fips/build.info new file mode 100644 index 0000000000..9372062261 --- /dev/null +++ b/providers/fips/build.info @@ -0,0 +1,2 @@ + +SOURCE[../fips]=fipsprov.c diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c new file mode 100644 index 0000000000..d3671b5a36 --- /dev/null +++ b/providers/fips/fipsprov.c @@ -0,0 +1,99 @@ +/* + * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include +#include +#include +#include +#include + +/* Functions provided by the core */ +static OSSL_core_get_param_types_fn *c_get_param_types = NULL; +static OSSL_core_get_params_fn *c_get_params = NULL; + +/* Parameters we provide to the core */ +static const OSSL_ITEM fips_param_types[] = { + { OSSL_PARAM_UTF8_PTR, OSSL_PROV_PARAM_NAME }, + { OSSL_PARAM_UTF8_PTR, OSSL_PROV_PARAM_VERSION }, + { OSSL_PARAM_UTF8_PTR, OSSL_PROV_PARAM_BUILDINFO }, + { 0, NULL } +}; + +static const OSSL_ITEM *fips_get_param_types(const OSSL_PROVIDER *prov) +{ + return fips_param_types; +} + +static int fips_get_params(const OSSL_PROVIDER *prov, + const OSSL_PARAM params[]) +{ + const OSSL_PARAM *p; + + p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_NAME); + if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "OpenSSL FIPS Provider")) + return 0; + p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_VERSION); + if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_VERSION_STR)) + return 0; + p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_BUILDINFO); + if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_FULL_VERSION_STR)) + return 0; + + return 1; +} + +extern const OSSL_DISPATCH sha256_functions[]; + +static const OSSL_ALGORITHM fips_digests[] = { + { "SHA256", "fips=yes", sha256_functions }, + { NULL, NULL, NULL } +}; + +static const OSSL_ALGORITHM *fips_query(OSSL_PROVIDER *prov, + int operation_id, + int *no_cache) +{ + *no_cache = 0; + switch (operation_id) { + case OSSL_OP_DIGEST: + return fips_digests; + } + return NULL; +} + +/* Functions we provide to the core */ +static const OSSL_DISPATCH fips_dispatch_table[] = { + { OSSL_FUNC_PROVIDER_GET_PARAM_TYPES, (void (*)(void))fips_get_param_types }, + { OSSL_FUNC_PROVIDER_GET_PARAMS, (void (*)(void))fips_get_params }, + { OSSL_FUNC_PROVIDER_QUERY_OPERATION, (void (*)(void))fips_query }, + { 0, NULL } +}; + +int OSSL_provider_init(const OSSL_PROVIDER *provider, + const OSSL_DISPATCH *in, + const OSSL_DISPATCH **out) +{ + for (; in->function_id != 0; in++) { + switch (in->function_id) { + case OSSL_FUNC_CORE_GET_PARAM_TYPES: + c_get_param_types = OSSL_get_core_get_param_types(in); + break; + case OSSL_FUNC_CORE_GET_PARAMS: + c_get_params = OSSL_get_core_get_params(in); + break; + /* Just ignore anything we don't understand */ + default: + break; + } + } + + *out = fips_dispatch_table; + return 1; +} -- cgit v1.2.3