[thirdparty/openssl.git] / providers / fips / fipsprov.c

/*
 * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <string.h>
#include <stdio.h>
#include <openssl/core.h>
#include <openssl/core_numbers.h>
#include <openssl/core_names.h>
#include <openssl/params.h>
#include <openssl/err.h>
#include <openssl/evp.h>
/* TODO(3.0): Needed for dummy_evp_call(). To be removed */
#include <openssl/sha.h>
#include "internal/cryptlib.h"
#include "internal/property.h"
#include "internal/evp_int.h"
#include "internal/provider_algs.h"
#include "internal/provider_ctx.h"
#include "internal/providercommon.h"

/*
 * TODO(3.0): Should these be stored in the provider side provctx? Could they
 * ever be different from one init to the next? Unfortunately we can't do this
 * at the moment because c_put_error/c_add_error_vdata do not provide us with
 * the OPENSSL_CTX as a parameter.
 */
/* Functions provided by the core */
static OSSL_core_get_param_types_fn *c_get_param_types = NULL;
static OSSL_core_get_params_fn *c_get_params = NULL;
extern OSSL_core_thread_start_fn *c_thread_start;
OSSL_core_thread_start_fn *c_thread_start = NULL;
static OSSL_core_put_error_fn *c_put_error = NULL;
static OSSL_core_add_error_vdata_fn *c_add_error_vdata = NULL;

typedef struct fips_global_st {
    const OSSL_PROVIDER *prov;
} FIPS_GLOBAL;

static void *fips_prov_ossl_ctx_new(OPENSSL_CTX *libctx)
{
    FIPS_GLOBAL *fgbl = OPENSSL_zalloc(sizeof(*fgbl));

    return fgbl;
}

static void fips_prov_ossl_ctx_free(void *fgbl)
{
    OPENSSL_free(fgbl);
}

static const OPENSSL_CTX_METHOD fips_prov_ossl_ctx_method = {
    fips_prov_ossl_ctx_new,
    fips_prov_ossl_ctx_free,
};


/* Parameters we provide to the core */
static const OSSL_ITEM fips_param_types[] = {
    { OSSL_PARAM_UTF8_PTR, OSSL_PROV_PARAM_NAME },
    { OSSL_PARAM_UTF8_PTR, OSSL_PROV_PARAM_VERSION },
    { OSSL_PARAM_UTF8_PTR, OSSL_PROV_PARAM_BUILDINFO },
    { 0, NULL }
};

/* TODO(3.0): To be removed */
static int dummy_evp_call(void *provctx)
{
    OPENSSL_CTX *libctx = PROV_LIBRARY_CONTEXT_OF(provctx);
    EVP_MD_CTX *ctx = EVP_MD_CTX_new();
    EVP_MD *sha256 = EVP_MD_fetch(libctx, "SHA256", NULL);
    char msg[] = "Hello World!";
    const unsigned char exptd[] = {
        0x7f, 0x83, 0xb1, 0x65, 0x7f, 0xf1, 0xfc, 0x53, 0xb9, 0x2d, 0xc1, 0x81,
        0x48, 0xa1, 0xd6, 0x5d, 0xfc, 0x2d, 0x4b, 0x1f, 0xa3, 0xd6, 0x77, 0x28,
        0x4a, 0xdd, 0xd2, 0x00, 0x12, 0x6d, 0x90, 0x69
    };
    unsigned int dgstlen = 0;
    unsigned char dgst[SHA256_DIGEST_LENGTH];
    int ret = 0;
    BN_CTX *bnctx = NULL;
    BIGNUM *a = NULL, *b = NULL;

    if (ctx == NULL || sha256 == NULL)
        goto err;

    if (!EVP_DigestInit_ex(ctx, sha256, NULL))
        goto err;
    if (!EVP_DigestUpdate(ctx, msg, sizeof(msg) - 1))
        goto err;
    if (!EVP_DigestFinal(ctx, dgst, &dgstlen))
        goto err;
    if (dgstlen != sizeof(exptd) || memcmp(dgst, exptd, sizeof(exptd)) != 0)
        goto err;

    bnctx = BN_CTX_new_ex(libctx);
    if (bnctx == NULL)
        goto err;
    BN_CTX_start(bnctx);
    a = BN_CTX_get(bnctx);
    b = BN_CTX_get(bnctx);
    if (b == NULL)
        goto err;
    BN_zero(a);
    if (!BN_one(b)
        || !BN_add(a, a, b)
        || BN_cmp(a, b) != 0)
        goto err;
    
    ret = 1;
 err:
    BN_CTX_end(bnctx);
    BN_CTX_free(bnctx);
    
    EVP_MD_CTX_free(ctx);
    EVP_MD_meth_free(sha256);
    return ret;
}

static const OSSL_ITEM *fips_get_param_types(const OSSL_PROVIDER *prov)
{
    return fips_param_types;
}

static int fips_get_params(const OSSL_PROVIDER *prov,
                            const OSSL_PARAM params[])
{
    const OSSL_PARAM *p;

    p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_NAME);
    if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "OpenSSL FIPS Provider"))
        return 0;
    p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_VERSION);
    if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_VERSION_STR))
        return 0;
    p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_BUILDINFO);
    if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_FULL_VERSION_STR))
        return 0;

    return 1;
}

static const OSSL_ALGORITHM fips_digests[] = {
    { "SHA1", "fips=yes", sha1_functions },
    { "SHA224", "fips=yes", sha224_functions },
    { "SHA256", "fips=yes", sha256_functions },
    { "SHA384", "fips=yes", sha384_functions },
    { "SHA512", "fips=yes", sha512_functions },
    { "SHA512-224", "fips=yes", sha512_224_functions },
    { "SHA512-256", "fips=yes", sha512_256_functions },
    { "SHA3-224", "fips=yes", sha3_224_functions },
    { "SHA3-256", "fips=yes", sha3_256_functions },
    { "SHA3-384", "fips=yes", sha3_384_functions },
    { "SHA3-512", "fips=yes", sha3_512_functions },
    { "KMAC128", "fips=yes", keccak_kmac_128_functions },
    { "KMAC256", "fips=yes", keccak_kmac_256_functions },

    { NULL, NULL, NULL }
};

static const OSSL_ALGORITHM fips_ciphers[] = {
    { "AES-256-ECB", "fips=yes", aes256ecb_functions },
    { "AES-192-ECB", "fips=yes", aes192ecb_functions },
    { "AES-128-ECB", "fips=yes", aes128ecb_functions },
    { "AES-256-CBC", "fips=yes", aes256cbc_functions },
    { "AES-192-CBC", "fips=yes", aes192cbc_functions },
    { "AES-128-CBC", "fips=yes", aes128cbc_functions },
    { "AES-256-CTR", "fips=yes", aes256ctr_functions },
    { "AES-192-CTR", "fips=yes", aes192ctr_functions },
    { "AES-128-CTR", "fips=yes", aes128ctr_functions },
    { NULL, NULL, NULL }
};

static const OSSL_ALGORITHM *fips_query(OSSL_PROVIDER *prov,
                                         int operation_id,
                                         int *no_cache)
{
    *no_cache = 0;
    switch (operation_id) {
    case OSSL_OP_DIGEST:
        return fips_digests;
    case OSSL_OP_CIPHER:
        return fips_ciphers;
    }
    return NULL;
}

/* Functions we provide to the core */
static const OSSL_DISPATCH fips_dispatch_table[] = {
    /*
     * To release our resources we just need to free the OPENSSL_CTX so we just
     * use OPENSSL_CTX_free directly as our teardown function
     */
    { OSSL_FUNC_PROVIDER_TEARDOWN, (void (*)(void))OPENSSL_CTX_free },
    { OSSL_FUNC_PROVIDER_GET_PARAM_TYPES, (void (*)(void))fips_get_param_types },
    { OSSL_FUNC_PROVIDER_GET_PARAMS, (void (*)(void))fips_get_params },
    { OSSL_FUNC_PROVIDER_QUERY_OPERATION, (void (*)(void))fips_query },
    { 0, NULL }
};

/* Functions we provide to ourself */
static const OSSL_DISPATCH intern_dispatch_table[] = {
    { OSSL_FUNC_PROVIDER_QUERY_OPERATION, (void (*)(void))fips_query },
    { 0, NULL }
};


int OSSL_provider_init(const OSSL_PROVIDER *provider,
                       const OSSL_DISPATCH *in,
                       const OSSL_DISPATCH **out,
                       void **provctx)
{
    FIPS_GLOBAL *fgbl;
    OPENSSL_CTX *ctx;

    for (; in->function_id != 0; in++) {
        switch (in->function_id) {
        case OSSL_FUNC_CORE_GET_PARAM_TYPES:
            c_get_param_types = OSSL_get_core_get_param_types(in);
            break;
        case OSSL_FUNC_CORE_GET_PARAMS:
            c_get_params = OSSL_get_core_get_params(in);
            break;
        case OSSL_FUNC_CORE_THREAD_START:
            c_thread_start = OSSL_get_core_thread_start(in);
            break;
        case OSSL_FUNC_CORE_PUT_ERROR:
            c_put_error = OSSL_get_core_put_error(in);
            break;
        case OSSL_FUNC_CORE_ADD_ERROR_VDATA:
            c_add_error_vdata = OSSL_get_core_add_error_vdata(in);
            break;
        /* Just ignore anything we don't understand */
        default:
            break;
        }
    }

    ctx = OPENSSL_CTX_new();
    if (ctx == NULL)
        return 0;

    fgbl = openssl_ctx_get_data(ctx, OPENSSL_CTX_FIPS_PROV_INDEX,
                                &fips_prov_ossl_ctx_method);

    if (fgbl == NULL)
        goto err;

    fgbl->prov = provider;

    *out = fips_dispatch_table;
    *provctx = ctx;

    /*
     * TODO(3.0): Remove me. This is just a dummy call to demonstrate making
     * EVP calls from within the FIPS module.
     */
    if (!dummy_evp_call(*provctx)) {
        OPENSSL_CTX_free(*provctx);
        *provctx = NULL;
        return 0;
    }

    return 1;

 err:
    OPENSSL_CTX_free(ctx);
    return 0;
}

/*
 * The internal init function used when the FIPS module uses EVP to call
 * another algorithm also in the FIPS module. This is a recursive call that has
 * been made from within the FIPS module itself. To make this work, we populate
 * the provider context of this inner instance with the same library context
 * that was used in the EVP call that initiated this recursive call.
 */
OSSL_provider_init_fn fips_intern_provider_init;
int fips_intern_provider_init(const OSSL_PROVIDER *provider,
                              const OSSL_DISPATCH *in,
                              const OSSL_DISPATCH **out,
                              void **provctx)
{
    OSSL_core_get_library_context_fn *c_get_libctx = NULL;

    for (; in->function_id != 0; in++) {
        switch (in->function_id) {
        case OSSL_FUNC_CORE_GET_LIBRARY_CONTEXT:
            c_get_libctx = OSSL_get_core_get_library_context(in);
            break;
        default:
            break;
        }
    }

    if (c_get_libctx == NULL)
        return 0;

    *provctx = c_get_libctx(provider);

    /*
     * Safety measure...  we should get the library context that was
     * created up in OSSL_provider_init().
     */
    if (*provctx == NULL)
        return 0;

    *out = intern_dispatch_table;
    return 1;
}

void ERR_put_error(int lib, int func, int reason, const char *file, int line)
{
    /*
     * TODO(3.0): This works for the FIPS module because we're going to be
     * using lib/func/reason codes that libcrypto already knows about. This
     * won't work for third party providers that have their own error mechanisms,
     * so we'll need to come up with something else for them.
     */
    c_put_error(lib, func, reason, file, line);
    ERR_add_error_data(1, "(in the FIPS module)");
}

void ERR_add_error_data(int num, ...)
{
    va_list args;

    va_start(args, num);
    ERR_add_error_vdata(num, args);
    va_end(args);
}

void ERR_add_error_vdata(int num, va_list args)
{
    c_add_error_vdata(num, args);
}

const OSSL_PROVIDER *FIPS_get_provider(OPENSSL_CTX *ctx)
{
    FIPS_GLOBAL *fgbl = openssl_ctx_get_data(ctx, OPENSSL_CTX_FIPS_PROV_INDEX,
                                             &fips_prov_ossl_ctx_method);

    if (fgbl == NULL)
        return NULL;

    return fgbl->prov;
}
Commit	Line	Data
9efa0ae0 MC	1	/*
	2	* Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
	3	*
	4	* Licensed under the Apache License 2.0 (the "License"). You may not use
	5	* this file except in compliance with the License. You can obtain a copy
	6	* in the file LICENSE in the source distribution or at
	7	* https://www.openssl.org/source/license.html
	8	*/
	9
	10	#include <string.h>
	11	#include <stdio.h>
	12	#include <openssl/core.h>
	13	#include <openssl/core_numbers.h>
	14	#include <openssl/core_names.h>
	15	#include <openssl/params.h>
3593266d	16	#include <openssl/err.h>
319e518a MC	17	#include <openssl/evp.h>
	18	/* TODO(3.0): Needed for dummy_evp_call(). To be removed */
	19	#include <openssl/sha.h>
3593266d	20	#include "internal/cryptlib.h"
319e518a MC	21	#include "internal/property.h"
319e518a MC	22	#include "internal/evp_int.h"
66ad63e8	23	#include "internal/provider_algs.h"
bb751e11	24	#include "internal/provider_ctx.h"
da747958	25	#include "internal/providercommon.h"
9efa0ae0	26
da747958 MC	27	/*
	28	* TODO(3.0): Should these be stored in the provider side provctx? Could they
	29	* ever be different from one init to the next? Unfortunately we can't do this
	30	* at the moment because c_put_error/c_add_error_vdata do not provide us with
	31	* the OPENSSL_CTX as a parameter.
	32	*/
9efa0ae0 MC	33	/* Functions provided by the core */
	34	static OSSL_core_get_param_types_fn *c_get_param_types = NULL;
	35	static OSSL_core_get_params_fn *c_get_params = NULL;
da747958 MC	36	extern OSSL_core_thread_start_fn *c_thread_start;
da747958 MC	37	OSSL_core_thread_start_fn *c_thread_start = NULL;
3593266d MC	38	static OSSL_core_put_error_fn *c_put_error = NULL;
3593266d MC	39	static OSSL_core_add_error_vdata_fn *c_add_error_vdata = NULL;
9efa0ae0	40
da747958 MC	41	typedef struct fips_global_st {
	42	const OSSL_PROVIDER *prov;
	43	} FIPS_GLOBAL;
	44
	45	static void fips_prov_ossl_ctx_new(OPENSSL_CTX libctx)
	46	{
	47	FIPS_GLOBAL fgbl = OPENSSL_zalloc(sizeof(fgbl));
	48
	49	return fgbl;
	50	}
	51
	52	static void fips_prov_ossl_ctx_free(void *fgbl)
	53	{
	54	OPENSSL_free(fgbl);
	55	}
	56
	57	static const OPENSSL_CTX_METHOD fips_prov_ossl_ctx_method = {
	58	fips_prov_ossl_ctx_new,
	59	fips_prov_ossl_ctx_free,
	60	};
	61
	62
9efa0ae0 MC	63	/* Parameters we provide to the core */
	64	static const OSSL_ITEM fips_param_types[] = {
	65	{ OSSL_PARAM_UTF8_PTR, OSSL_PROV_PARAM_NAME },
	66	{ OSSL_PARAM_UTF8_PTR, OSSL_PROV_PARAM_VERSION },
	67	{ OSSL_PARAM_UTF8_PTR, OSSL_PROV_PARAM_BUILDINFO },
	68	{ 0, NULL }
	69	};
	70
319e518a	71	/* TODO(3.0): To be removed */
bb751e11	72	static int dummy_evp_call(void *provctx)
3593266d	73	{
bb751e11	74	OPENSSL_CTX *libctx = PROV_LIBRARY_CONTEXT_OF(provctx);
319e518a MC	75	EVP_MD_CTX *ctx = EVP_MD_CTX_new();
	76	EVP_MD *sha256 = EVP_MD_fetch(libctx, "SHA256", NULL);
	77	char msg[] = "Hello World!";
	78	const unsigned char exptd[] = {
	79	0x7f, 0x83, 0xb1, 0x65, 0x7f, 0xf1, 0xfc, 0x53, 0xb9, 0x2d, 0xc1, 0x81,
	80	0x48, 0xa1, 0xd6, 0x5d, 0xfc, 0x2d, 0x4b, 0x1f, 0xa3, 0xd6, 0x77, 0x28,
	81	0x4a, 0xdd, 0xd2, 0x00, 0x12, 0x6d, 0x90, 0x69
	82	};
	83	unsigned int dgstlen = 0;
	84	unsigned char dgst[SHA256_DIGEST_LENGTH];
	85	int ret = 0;
444ab3ab MC	86	BN_CTX *bnctx = NULL;
444ab3ab MC	87	BIGNUM a = NULL, b = NULL;
319e518a MC	88
	89	if (ctx == NULL \|\| sha256 == NULL)
	90	goto err;
	91
	92	if (!EVP_DigestInit_ex(ctx, sha256, NULL))
	93	goto err;
	94	if (!EVP_DigestUpdate(ctx, msg, sizeof(msg) - 1))
	95	goto err;
	96	if (!EVP_DigestFinal(ctx, dgst, &dgstlen))
	97	goto err;
	98	if (dgstlen != sizeof(exptd) \|\| memcmp(dgst, exptd, sizeof(exptd)) != 0)
	99	goto err;
	100
444ab3ab MC	101	bnctx = BN_CTX_new_ex(libctx);
	102	if (bnctx == NULL)
	103	goto err;
	104	BN_CTX_start(bnctx);
	105	a = BN_CTX_get(bnctx);
	106	b = BN_CTX_get(bnctx);
	107	if (b == NULL)
	108	goto err;
	109	BN_zero(a);
	110	if (!BN_one(b)
	111	\|\| !BN_add(a, a, b)
	112	\|\| BN_cmp(a, b) != 0)
	113	goto err;
	114
319e518a MC	115	ret = 1;
319e518a MC	116	err:
444ab3ab MC	117	BN_CTX_end(bnctx);
	118	BN_CTX_free(bnctx);
	119
319e518a MC	120	EVP_MD_CTX_free(ctx);
	121	EVP_MD_meth_free(sha256);
	122	return ret;
3593266d MC	123	}
3593266d MC	124
9efa0ae0 MC	125	static const OSSL_ITEM fips_get_param_types(const OSSL_PROVIDER prov)
	126	{
	127	return fips_param_types;
	128	}
	129
	130	static int fips_get_params(const OSSL_PROVIDER *prov,
	131	const OSSL_PARAM params[])
	132	{
	133	const OSSL_PARAM *p;
	134
	135	p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_NAME);
	136	if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "OpenSSL FIPS Provider"))
	137	return 0;
	138	p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_VERSION);
	139	if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_VERSION_STR))
	140	return 0;
	141	p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_BUILDINFO);
	142	if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_FULL_VERSION_STR))
	143	return 0;
	144
	145	return 1;
	146	}
	147
9efa0ae0	148	static const OSSL_ALGORITHM fips_digests[] = {
d5e5e2ff SL	149	{ "SHA1", "fips=yes", sha1_functions },
d5e5e2ff SL	150	{ "SHA224", "fips=yes", sha224_functions },
9efa0ae0	151	{ "SHA256", "fips=yes", sha256_functions },
d5e5e2ff SL	152	{ "SHA384", "fips=yes", sha384_functions },
	153	{ "SHA512", "fips=yes", sha512_functions },
	154	{ "SHA512-224", "fips=yes", sha512_224_functions },
	155	{ "SHA512-256", "fips=yes", sha512_256_functions },
	156	{ "SHA3-224", "fips=yes", sha3_224_functions },
	157	{ "SHA3-256", "fips=yes", sha3_256_functions },
	158	{ "SHA3-384", "fips=yes", sha3_384_functions },
	159	{ "SHA3-512", "fips=yes", sha3_512_functions },
	160	{ "KMAC128", "fips=yes", keccak_kmac_128_functions },
	161	{ "KMAC256", "fips=yes", keccak_kmac_256_functions },
	162
9efa0ae0 MC	163	{ NULL, NULL, NULL }
	164	};
	165
66ad63e8 MC	166	static const OSSL_ALGORITHM fips_ciphers[] = {
	167	{ "AES-256-ECB", "fips=yes", aes256ecb_functions },
	168	{ "AES-192-ECB", "fips=yes", aes192ecb_functions },
	169	{ "AES-128-ECB", "fips=yes", aes128ecb_functions },
	170	{ "AES-256-CBC", "fips=yes", aes256cbc_functions },
	171	{ "AES-192-CBC", "fips=yes", aes192cbc_functions },
	172	{ "AES-128-CBC", "fips=yes", aes128cbc_functions },
	173	{ "AES-256-CTR", "fips=yes", aes256ctr_functions },
	174	{ "AES-192-CTR", "fips=yes", aes192ctr_functions },
	175	{ "AES-128-CTR", "fips=yes", aes128ctr_functions },
	176	{ NULL, NULL, NULL }
	177	};
	178
9efa0ae0 MC	179	static const OSSL_ALGORITHM fips_query(OSSL_PROVIDER prov,
	180	int operation_id,
	181	int *no_cache)
	182	{
	183	*no_cache = 0;
	184	switch (operation_id) {
	185	case OSSL_OP_DIGEST:
	186	return fips_digests;
66ad63e8 MC	187	case OSSL_OP_CIPHER:
66ad63e8 MC	188	return fips_ciphers;
9efa0ae0 MC	189	}
	190	return NULL;
	191	}
	192
	193	/* Functions we provide to the core */
	194	static const OSSL_DISPATCH fips_dispatch_table[] = {
319e518a MC	195	/*
	196	* To release our resources we just need to free the OPENSSL_CTX so we just
	197	* use OPENSSL_CTX_free directly as our teardown function
	198	*/
	199	{ OSSL_FUNC_PROVIDER_TEARDOWN, (void (*)(void))OPENSSL_CTX_free },
9efa0ae0 MC	200	{ OSSL_FUNC_PROVIDER_GET_PARAM_TYPES, (void (*)(void))fips_get_param_types },
	201	{ OSSL_FUNC_PROVIDER_GET_PARAMS, (void (*)(void))fips_get_params },
	202	{ OSSL_FUNC_PROVIDER_QUERY_OPERATION, (void (*)(void))fips_query },
	203	{ 0, NULL }
	204	};
	205
319e518a MC	206	/* Functions we provide to ourself */
	207	static const OSSL_DISPATCH intern_dispatch_table[] = {
	208	{ OSSL_FUNC_PROVIDER_QUERY_OPERATION, (void (*)(void))fips_query },
	209	{ 0, NULL }
	210	};
	211
	212
9efa0ae0 MC	213	int OSSL_provider_init(const OSSL_PROVIDER *provider,
9efa0ae0 MC	214	const OSSL_DISPATCH *in,
a39eb840 RL	215	const OSSL_DISPATCH **out,
a39eb840 RL	216	void **provctx)
9efa0ae0	217	{
da747958	218	FIPS_GLOBAL *fgbl;
03361afb	219	OPENSSL_CTX *ctx;
319e518a	220
9efa0ae0 MC	221	for (; in->function_id != 0; in++) {
	222	switch (in->function_id) {
	223	case OSSL_FUNC_CORE_GET_PARAM_TYPES:
	224	c_get_param_types = OSSL_get_core_get_param_types(in);
	225	break;
	226	case OSSL_FUNC_CORE_GET_PARAMS:
	227	c_get_params = OSSL_get_core_get_params(in);
	228	break;
da747958 MC	229	case OSSL_FUNC_CORE_THREAD_START:
	230	c_thread_start = OSSL_get_core_thread_start(in);
	231	break;
3593266d MC	232	case OSSL_FUNC_CORE_PUT_ERROR:
	233	c_put_error = OSSL_get_core_put_error(in);
	234	break;
	235	case OSSL_FUNC_CORE_ADD_ERROR_VDATA:
	236	c_add_error_vdata = OSSL_get_core_add_error_vdata(in);
	237	break;
9efa0ae0 MC	238	/* Just ignore anything we don't understand */
	239	default:
	240	break;
	241	}
	242	}
	243
319e518a MC	244	ctx = OPENSSL_CTX_new();
	245	if (ctx == NULL)
	246	return 0;
	247
03361afb MC	248	fgbl = openssl_ctx_get_data(ctx, OPENSSL_CTX_FIPS_PROV_INDEX,
	249	&fips_prov_ossl_ctx_method);
	250
	251	if (fgbl == NULL)
	252	goto err;
	253
	254	fgbl->prov = provider;
	255
bb751e11 RL	256	*out = fips_dispatch_table;
	257	*provctx = ctx;
	258
319e518a MC	259	/*
	260	* TODO(3.0): Remove me. This is just a dummy call to demonstrate making
	261	* EVP calls from within the FIPS module.
	262	*/
bb751e11 RL	263	if (!dummy_evp_call(*provctx)) {
	264	OPENSSL_CTX_free(*provctx);
	265	*provctx = NULL;
319e518a MC	266	return 0;
	267	}
	268
9efa0ae0	269	return 1;
da747958 MC	270
	271	err:
	272	OPENSSL_CTX_free(ctx);
	273	return 0;
9efa0ae0	274	}
3593266d	275
319e518a MC	276	/*
319e518a MC	277	* The internal init function used when the FIPS module uses EVP to call
b1eb3fd7	278	* another algorithm also in the FIPS module. This is a recursive call that has
bb751e11 RL	279	* been made from within the FIPS module itself. To make this work, we populate
	280	* the provider context of this inner instance with the same library context
	281	* that was used in the EVP call that initiated this recursive call.
319e518a	282	*/
3593266d MC	283	OSSL_provider_init_fn fips_intern_provider_init;
	284	int fips_intern_provider_init(const OSSL_PROVIDER *provider,
	285	const OSSL_DISPATCH *in,
319e518a MC	286	const OSSL_DISPATCH **out,
319e518a MC	287	void **provctx)
3593266d	288	{
bb751e11 RL	289	OSSL_core_get_library_context_fn *c_get_libctx = NULL;
	290
	291	for (; in->function_id != 0; in++) {
	292	switch (in->function_id) {
	293	case OSSL_FUNC_CORE_GET_LIBRARY_CONTEXT:
	294	c_get_libctx = OSSL_get_core_get_library_context(in);
	295	break;
	296	default:
	297	break;
	298	}
	299	}
	300
	301	if (c_get_libctx == NULL)
	302	return 0;
	303
	304	*provctx = c_get_libctx(provider);
	305
	306	/*
	307	* Safety measure... we should get the library context that was
	308	* created up in OSSL_provider_init().
	309	*/
	310	if (*provctx == NULL)
	311	return 0;
	312
319e518a	313	*out = intern_dispatch_table;
3593266d MC	314	return 1;
	315	}
	316
	317	void ERR_put_error(int lib, int func, int reason, const char *file, int line)
	318	{
	319	/*
	320	* TODO(3.0): This works for the FIPS module because we're going to be
	321	* using lib/func/reason codes that libcrypto already knows about. This
	322	* won't work for third party providers that have their own error mechanisms,
	323	* so we'll need to come up with something else for them.
	324	*/
	325	c_put_error(lib, func, reason, file, line);
8908d18c	326	ERR_add_error_data(1, "(in the FIPS module)");
3593266d MC	327	}
	328
	329	void ERR_add_error_data(int num, ...)
	330	{
	331	va_list args;
8908d18c	332
3593266d MC	333	va_start(args, num);
	334	ERR_add_error_vdata(num, args);
	335	va_end(args);
	336	}
	337
	338	void ERR_add_error_vdata(int num, va_list args)
	339	{
	340	c_add_error_vdata(num, args);
	341	}
da747958 MC	342
	343	const OSSL_PROVIDER FIPS_get_provider(OPENSSL_CTX ctx)
	344	{
	345	FIPS_GLOBAL *fgbl = openssl_ctx_get_data(ctx, OPENSSL_CTX_FIPS_PROV_INDEX,
	346	&fips_prov_ossl_ctx_method);
	347
	348	if (fgbl == NULL)
	349	return NULL;
	350
	351	return fgbl->prov;
	352	}