]>
Commit | Line | Data |
---|---|---|
9efa0ae0 MC |
1 | /* |
2 | * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. | |
3 | * | |
4 | * Licensed under the Apache License 2.0 (the "License"). You may not use | |
5 | * this file except in compliance with the License. You can obtain a copy | |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
8 | */ | |
9 | ||
10 | #include <string.h> | |
11 | #include <stdio.h> | |
12 | #include <openssl/core.h> | |
13 | #include <openssl/core_numbers.h> | |
14 | #include <openssl/core_names.h> | |
15 | #include <openssl/params.h> | |
3593266d | 16 | #include <openssl/err.h> |
319e518a MC |
17 | #include <openssl/evp.h> |
18 | /* TODO(3.0): Needed for dummy_evp_call(). To be removed */ | |
19 | #include <openssl/sha.h> | |
3593266d | 20 | #include "internal/cryptlib.h" |
319e518a MC |
21 | #include "internal/property.h" |
22 | #include "internal/evp_int.h" | |
66ad63e8 | 23 | #include "internal/provider_algs.h" |
bb751e11 | 24 | #include "internal/provider_ctx.h" |
da747958 | 25 | #include "internal/providercommon.h" |
9efa0ae0 | 26 | |
da747958 MC |
27 | /* |
28 | * TODO(3.0): Should these be stored in the provider side provctx? Could they | |
29 | * ever be different from one init to the next? Unfortunately we can't do this | |
30 | * at the moment because c_put_error/c_add_error_vdata do not provide us with | |
31 | * the OPENSSL_CTX as a parameter. | |
32 | */ | |
9efa0ae0 MC |
33 | /* Functions provided by the core */ |
34 | static OSSL_core_get_param_types_fn *c_get_param_types = NULL; | |
35 | static OSSL_core_get_params_fn *c_get_params = NULL; | |
da747958 MC |
36 | extern OSSL_core_thread_start_fn *c_thread_start; |
37 | OSSL_core_thread_start_fn *c_thread_start = NULL; | |
3593266d MC |
38 | static OSSL_core_put_error_fn *c_put_error = NULL; |
39 | static OSSL_core_add_error_vdata_fn *c_add_error_vdata = NULL; | |
9efa0ae0 | 40 | |
da747958 MC |
41 | typedef struct fips_global_st { |
42 | const OSSL_PROVIDER *prov; | |
43 | } FIPS_GLOBAL; | |
44 | ||
45 | static void *fips_prov_ossl_ctx_new(OPENSSL_CTX *libctx) | |
46 | { | |
47 | FIPS_GLOBAL *fgbl = OPENSSL_zalloc(sizeof(*fgbl)); | |
48 | ||
49 | return fgbl; | |
50 | } | |
51 | ||
52 | static void fips_prov_ossl_ctx_free(void *fgbl) | |
53 | { | |
54 | OPENSSL_free(fgbl); | |
55 | } | |
56 | ||
57 | static const OPENSSL_CTX_METHOD fips_prov_ossl_ctx_method = { | |
58 | fips_prov_ossl_ctx_new, | |
59 | fips_prov_ossl_ctx_free, | |
60 | }; | |
61 | ||
62 | ||
9efa0ae0 MC |
63 | /* Parameters we provide to the core */ |
64 | static const OSSL_ITEM fips_param_types[] = { | |
65 | { OSSL_PARAM_UTF8_PTR, OSSL_PROV_PARAM_NAME }, | |
66 | { OSSL_PARAM_UTF8_PTR, OSSL_PROV_PARAM_VERSION }, | |
67 | { OSSL_PARAM_UTF8_PTR, OSSL_PROV_PARAM_BUILDINFO }, | |
68 | { 0, NULL } | |
69 | }; | |
70 | ||
319e518a | 71 | /* TODO(3.0): To be removed */ |
bb751e11 | 72 | static int dummy_evp_call(void *provctx) |
3593266d | 73 | { |
bb751e11 | 74 | OPENSSL_CTX *libctx = PROV_LIBRARY_CONTEXT_OF(provctx); |
319e518a MC |
75 | EVP_MD_CTX *ctx = EVP_MD_CTX_new(); |
76 | EVP_MD *sha256 = EVP_MD_fetch(libctx, "SHA256", NULL); | |
77 | char msg[] = "Hello World!"; | |
78 | const unsigned char exptd[] = { | |
79 | 0x7f, 0x83, 0xb1, 0x65, 0x7f, 0xf1, 0xfc, 0x53, 0xb9, 0x2d, 0xc1, 0x81, | |
80 | 0x48, 0xa1, 0xd6, 0x5d, 0xfc, 0x2d, 0x4b, 0x1f, 0xa3, 0xd6, 0x77, 0x28, | |
81 | 0x4a, 0xdd, 0xd2, 0x00, 0x12, 0x6d, 0x90, 0x69 | |
82 | }; | |
83 | unsigned int dgstlen = 0; | |
84 | unsigned char dgst[SHA256_DIGEST_LENGTH]; | |
85 | int ret = 0; | |
444ab3ab MC |
86 | BN_CTX *bnctx = NULL; |
87 | BIGNUM *a = NULL, *b = NULL; | |
319e518a MC |
88 | |
89 | if (ctx == NULL || sha256 == NULL) | |
90 | goto err; | |
91 | ||
92 | if (!EVP_DigestInit_ex(ctx, sha256, NULL)) | |
93 | goto err; | |
94 | if (!EVP_DigestUpdate(ctx, msg, sizeof(msg) - 1)) | |
95 | goto err; | |
96 | if (!EVP_DigestFinal(ctx, dgst, &dgstlen)) | |
97 | goto err; | |
98 | if (dgstlen != sizeof(exptd) || memcmp(dgst, exptd, sizeof(exptd)) != 0) | |
99 | goto err; | |
100 | ||
444ab3ab MC |
101 | bnctx = BN_CTX_new_ex(libctx); |
102 | if (bnctx == NULL) | |
103 | goto err; | |
104 | BN_CTX_start(bnctx); | |
105 | a = BN_CTX_get(bnctx); | |
106 | b = BN_CTX_get(bnctx); | |
107 | if (b == NULL) | |
108 | goto err; | |
109 | BN_zero(a); | |
110 | if (!BN_one(b) | |
111 | || !BN_add(a, a, b) | |
112 | || BN_cmp(a, b) != 0) | |
113 | goto err; | |
114 | ||
319e518a MC |
115 | ret = 1; |
116 | err: | |
444ab3ab MC |
117 | BN_CTX_end(bnctx); |
118 | BN_CTX_free(bnctx); | |
119 | ||
319e518a MC |
120 | EVP_MD_CTX_free(ctx); |
121 | EVP_MD_meth_free(sha256); | |
122 | return ret; | |
3593266d MC |
123 | } |
124 | ||
9efa0ae0 MC |
125 | static const OSSL_ITEM *fips_get_param_types(const OSSL_PROVIDER *prov) |
126 | { | |
127 | return fips_param_types; | |
128 | } | |
129 | ||
130 | static int fips_get_params(const OSSL_PROVIDER *prov, | |
131 | const OSSL_PARAM params[]) | |
132 | { | |
133 | const OSSL_PARAM *p; | |
134 | ||
135 | p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_NAME); | |
136 | if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "OpenSSL FIPS Provider")) | |
137 | return 0; | |
138 | p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_VERSION); | |
139 | if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_VERSION_STR)) | |
140 | return 0; | |
141 | p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_BUILDINFO); | |
142 | if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_FULL_VERSION_STR)) | |
143 | return 0; | |
144 | ||
145 | return 1; | |
146 | } | |
147 | ||
9efa0ae0 | 148 | static const OSSL_ALGORITHM fips_digests[] = { |
d5e5e2ff SL |
149 | { "SHA1", "fips=yes", sha1_functions }, |
150 | { "SHA224", "fips=yes", sha224_functions }, | |
9efa0ae0 | 151 | { "SHA256", "fips=yes", sha256_functions }, |
d5e5e2ff SL |
152 | { "SHA384", "fips=yes", sha384_functions }, |
153 | { "SHA512", "fips=yes", sha512_functions }, | |
154 | { "SHA512-224", "fips=yes", sha512_224_functions }, | |
155 | { "SHA512-256", "fips=yes", sha512_256_functions }, | |
156 | { "SHA3-224", "fips=yes", sha3_224_functions }, | |
157 | { "SHA3-256", "fips=yes", sha3_256_functions }, | |
158 | { "SHA3-384", "fips=yes", sha3_384_functions }, | |
159 | { "SHA3-512", "fips=yes", sha3_512_functions }, | |
160 | { "KMAC128", "fips=yes", keccak_kmac_128_functions }, | |
161 | { "KMAC256", "fips=yes", keccak_kmac_256_functions }, | |
162 | ||
9efa0ae0 MC |
163 | { NULL, NULL, NULL } |
164 | }; | |
165 | ||
66ad63e8 MC |
166 | static const OSSL_ALGORITHM fips_ciphers[] = { |
167 | { "AES-256-ECB", "fips=yes", aes256ecb_functions }, | |
168 | { "AES-192-ECB", "fips=yes", aes192ecb_functions }, | |
169 | { "AES-128-ECB", "fips=yes", aes128ecb_functions }, | |
170 | { "AES-256-CBC", "fips=yes", aes256cbc_functions }, | |
171 | { "AES-192-CBC", "fips=yes", aes192cbc_functions }, | |
172 | { "AES-128-CBC", "fips=yes", aes128cbc_functions }, | |
173 | { "AES-256-CTR", "fips=yes", aes256ctr_functions }, | |
174 | { "AES-192-CTR", "fips=yes", aes192ctr_functions }, | |
175 | { "AES-128-CTR", "fips=yes", aes128ctr_functions }, | |
176 | { NULL, NULL, NULL } | |
177 | }; | |
178 | ||
9efa0ae0 MC |
179 | static const OSSL_ALGORITHM *fips_query(OSSL_PROVIDER *prov, |
180 | int operation_id, | |
181 | int *no_cache) | |
182 | { | |
183 | *no_cache = 0; | |
184 | switch (operation_id) { | |
185 | case OSSL_OP_DIGEST: | |
186 | return fips_digests; | |
66ad63e8 MC |
187 | case OSSL_OP_CIPHER: |
188 | return fips_ciphers; | |
9efa0ae0 MC |
189 | } |
190 | return NULL; | |
191 | } | |
192 | ||
193 | /* Functions we provide to the core */ | |
194 | static const OSSL_DISPATCH fips_dispatch_table[] = { | |
319e518a MC |
195 | /* |
196 | * To release our resources we just need to free the OPENSSL_CTX so we just | |
197 | * use OPENSSL_CTX_free directly as our teardown function | |
198 | */ | |
199 | { OSSL_FUNC_PROVIDER_TEARDOWN, (void (*)(void))OPENSSL_CTX_free }, | |
9efa0ae0 MC |
200 | { OSSL_FUNC_PROVIDER_GET_PARAM_TYPES, (void (*)(void))fips_get_param_types }, |
201 | { OSSL_FUNC_PROVIDER_GET_PARAMS, (void (*)(void))fips_get_params }, | |
202 | { OSSL_FUNC_PROVIDER_QUERY_OPERATION, (void (*)(void))fips_query }, | |
203 | { 0, NULL } | |
204 | }; | |
205 | ||
319e518a MC |
206 | /* Functions we provide to ourself */ |
207 | static const OSSL_DISPATCH intern_dispatch_table[] = { | |
208 | { OSSL_FUNC_PROVIDER_QUERY_OPERATION, (void (*)(void))fips_query }, | |
209 | { 0, NULL } | |
210 | }; | |
211 | ||
212 | ||
9efa0ae0 MC |
213 | int OSSL_provider_init(const OSSL_PROVIDER *provider, |
214 | const OSSL_DISPATCH *in, | |
a39eb840 RL |
215 | const OSSL_DISPATCH **out, |
216 | void **provctx) | |
9efa0ae0 | 217 | { |
da747958 | 218 | FIPS_GLOBAL *fgbl; |
03361afb | 219 | OPENSSL_CTX *ctx; |
319e518a | 220 | |
9efa0ae0 MC |
221 | for (; in->function_id != 0; in++) { |
222 | switch (in->function_id) { | |
223 | case OSSL_FUNC_CORE_GET_PARAM_TYPES: | |
224 | c_get_param_types = OSSL_get_core_get_param_types(in); | |
225 | break; | |
226 | case OSSL_FUNC_CORE_GET_PARAMS: | |
227 | c_get_params = OSSL_get_core_get_params(in); | |
228 | break; | |
da747958 MC |
229 | case OSSL_FUNC_CORE_THREAD_START: |
230 | c_thread_start = OSSL_get_core_thread_start(in); | |
231 | break; | |
3593266d MC |
232 | case OSSL_FUNC_CORE_PUT_ERROR: |
233 | c_put_error = OSSL_get_core_put_error(in); | |
234 | break; | |
235 | case OSSL_FUNC_CORE_ADD_ERROR_VDATA: | |
236 | c_add_error_vdata = OSSL_get_core_add_error_vdata(in); | |
237 | break; | |
9efa0ae0 MC |
238 | /* Just ignore anything we don't understand */ |
239 | default: | |
240 | break; | |
241 | } | |
242 | } | |
243 | ||
319e518a MC |
244 | ctx = OPENSSL_CTX_new(); |
245 | if (ctx == NULL) | |
246 | return 0; | |
247 | ||
03361afb MC |
248 | fgbl = openssl_ctx_get_data(ctx, OPENSSL_CTX_FIPS_PROV_INDEX, |
249 | &fips_prov_ossl_ctx_method); | |
250 | ||
251 | if (fgbl == NULL) | |
252 | goto err; | |
253 | ||
254 | fgbl->prov = provider; | |
255 | ||
bb751e11 RL |
256 | *out = fips_dispatch_table; |
257 | *provctx = ctx; | |
258 | ||
319e518a MC |
259 | /* |
260 | * TODO(3.0): Remove me. This is just a dummy call to demonstrate making | |
261 | * EVP calls from within the FIPS module. | |
262 | */ | |
bb751e11 RL |
263 | if (!dummy_evp_call(*provctx)) { |
264 | OPENSSL_CTX_free(*provctx); | |
265 | *provctx = NULL; | |
319e518a MC |
266 | return 0; |
267 | } | |
268 | ||
9efa0ae0 | 269 | return 1; |
da747958 MC |
270 | |
271 | err: | |
272 | OPENSSL_CTX_free(ctx); | |
273 | return 0; | |
9efa0ae0 | 274 | } |
3593266d | 275 | |
319e518a MC |
276 | /* |
277 | * The internal init function used when the FIPS module uses EVP to call | |
b1eb3fd7 | 278 | * another algorithm also in the FIPS module. This is a recursive call that has |
bb751e11 RL |
279 | * been made from within the FIPS module itself. To make this work, we populate |
280 | * the provider context of this inner instance with the same library context | |
281 | * that was used in the EVP call that initiated this recursive call. | |
319e518a | 282 | */ |
3593266d MC |
283 | OSSL_provider_init_fn fips_intern_provider_init; |
284 | int fips_intern_provider_init(const OSSL_PROVIDER *provider, | |
285 | const OSSL_DISPATCH *in, | |
319e518a MC |
286 | const OSSL_DISPATCH **out, |
287 | void **provctx) | |
3593266d | 288 | { |
bb751e11 RL |
289 | OSSL_core_get_library_context_fn *c_get_libctx = NULL; |
290 | ||
291 | for (; in->function_id != 0; in++) { | |
292 | switch (in->function_id) { | |
293 | case OSSL_FUNC_CORE_GET_LIBRARY_CONTEXT: | |
294 | c_get_libctx = OSSL_get_core_get_library_context(in); | |
295 | break; | |
296 | default: | |
297 | break; | |
298 | } | |
299 | } | |
300 | ||
301 | if (c_get_libctx == NULL) | |
302 | return 0; | |
303 | ||
304 | *provctx = c_get_libctx(provider); | |
305 | ||
306 | /* | |
307 | * Safety measure... we should get the library context that was | |
308 | * created up in OSSL_provider_init(). | |
309 | */ | |
310 | if (*provctx == NULL) | |
311 | return 0; | |
312 | ||
319e518a | 313 | *out = intern_dispatch_table; |
3593266d MC |
314 | return 1; |
315 | } | |
316 | ||
317 | void ERR_put_error(int lib, int func, int reason, const char *file, int line) | |
318 | { | |
319 | /* | |
320 | * TODO(3.0): This works for the FIPS module because we're going to be | |
321 | * using lib/func/reason codes that libcrypto already knows about. This | |
322 | * won't work for third party providers that have their own error mechanisms, | |
323 | * so we'll need to come up with something else for them. | |
324 | */ | |
325 | c_put_error(lib, func, reason, file, line); | |
8908d18c | 326 | ERR_add_error_data(1, "(in the FIPS module)"); |
3593266d MC |
327 | } |
328 | ||
329 | void ERR_add_error_data(int num, ...) | |
330 | { | |
331 | va_list args; | |
8908d18c | 332 | |
3593266d MC |
333 | va_start(args, num); |
334 | ERR_add_error_vdata(num, args); | |
335 | va_end(args); | |
336 | } | |
337 | ||
338 | void ERR_add_error_vdata(int num, va_list args) | |
339 | { | |
340 | c_add_error_vdata(num, args); | |
341 | } | |
da747958 MC |
342 | |
343 | const OSSL_PROVIDER *FIPS_get_provider(OPENSSL_CTX *ctx) | |
344 | { | |
345 | FIPS_GLOBAL *fgbl = openssl_ctx_get_data(ctx, OPENSSL_CTX_FIPS_PROV_INDEX, | |
346 | &fips_prov_ossl_ctx_method); | |
347 | ||
348 | if (fgbl == NULL) | |
349 | return NULL; | |
350 | ||
351 | return fgbl->prov; | |
352 | } |