]> git.ipfire.org Git - thirdparty/openssl.git/blob - providers/fips/fipsprov.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Make sure we only run the self tests once
[thirdparty/openssl.git] / providers / fips / fipsprov.c
1 /*
2 * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <string.h>
11 #include <stdio.h>
12 #include <openssl/core.h>
13 #include <openssl/core_numbers.h>
14 #include <openssl/core_names.h>
15 #include <openssl/params.h>
16 #include <openssl/err.h>
17 #include <openssl/evp.h>
18 #include <openssl/kdf.h>
19
20 /* TODO(3.0): Needed for dummy_evp_call(). To be removed */
21 #include <openssl/sha.h>
22 #include <openssl/rand_drbg.h>
23 #include <openssl/ec.h>
24 #include <openssl/fips_names.h>
25
26 #include "internal/cryptlib.h"
27 #include "internal/property.h"
28 #include "crypto/evp.h"
29 #include "prov/implementations.h"
30 #include "prov/provider_ctx.h"
31 #include "prov/providercommon.h"
32 #include "selftest.h"
33
34 extern OSSL_core_thread_start_fn *c_thread_start;
35
36 /*
37 * TODO(3.0): Should these be stored in the provider side provctx? Could they
38 * ever be different from one init to the next? Unfortunately we can't do this
39 * at the moment because c_put_error/c_add_error_vdata do not provide
40 * us with the OPENSSL_CTX as a parameter.
41 */
42
43 static SELF_TEST_POST_PARAMS selftest_params;
44
45 /* Functions provided by the core */
46 static OSSL_core_gettable_params_fn *c_gettable_params;
47 static OSSL_core_get_params_fn *c_get_params;
48 OSSL_core_thread_start_fn *c_thread_start;
49 static OSSL_core_new_error_fn *c_new_error;
50 static OSSL_core_set_error_debug_fn *c_set_error_debug;
51 static OSSL_core_vset_error_fn *c_vset_error;
52 static OSSL_CRYPTO_malloc_fn *c_CRYPTO_malloc;
53 static OSSL_CRYPTO_zalloc_fn *c_CRYPTO_zalloc;
54 static OSSL_CRYPTO_free_fn *c_CRYPTO_free;
55 static OSSL_CRYPTO_clear_free_fn *c_CRYPTO_clear_free;
56 static OSSL_CRYPTO_realloc_fn *c_CRYPTO_realloc;
57 static OSSL_CRYPTO_clear_realloc_fn *c_CRYPTO_clear_realloc;
58 static OSSL_CRYPTO_secure_malloc_fn *c_CRYPTO_secure_malloc;
59 static OSSL_CRYPTO_secure_zalloc_fn *c_CRYPTO_secure_zalloc;
60 static OSSL_CRYPTO_secure_free_fn *c_CRYPTO_secure_free;
61 static OSSL_CRYPTO_secure_clear_free_fn *c_CRYPTO_secure_clear_free;
62 static OSSL_CRYPTO_secure_allocated_fn *c_CRYPTO_secure_allocated;
63
64 typedef struct fips_global_st {
65 const OSSL_PROVIDER *prov;
66 } FIPS_GLOBAL;
67
68 static void *fips_prov_ossl_ctx_new(OPENSSL_CTX *libctx)
69 {
70 FIPS_GLOBAL *fgbl = OPENSSL_zalloc(sizeof(*fgbl));
71
72 return fgbl;
73 }
74
75 static void fips_prov_ossl_ctx_free(void *fgbl)
76 {
77 OPENSSL_free(fgbl);
78 }
79
80 static const OPENSSL_CTX_METHOD fips_prov_ossl_ctx_method = {
81 fips_prov_ossl_ctx_new,
82 fips_prov_ossl_ctx_free,
83 };
84
85
86 /* Parameters we provide to the core */
87 static const OSSL_PARAM fips_param_types[] = {
88 OSSL_PARAM_DEFN(OSSL_PROV_PARAM_NAME, OSSL_PARAM_UTF8_PTR, NULL, 0),
89 OSSL_PARAM_DEFN(OSSL_PROV_PARAM_VERSION, OSSL_PARAM_UTF8_PTR, NULL, 0),
90 OSSL_PARAM_DEFN(OSSL_PROV_PARAM_BUILDINFO, OSSL_PARAM_UTF8_PTR, NULL, 0),
91 OSSL_PARAM_END
92 };
93
94 /*
95 * Parameters to retrieve from the core provider - required for self testing.
96 * NOTE: inside core_get_params() these will be loaded from config items
97 * stored inside prov->parameters (except for OSSL_PROV_PARAM_MODULE_FILENAME).
98 */
99 static OSSL_PARAM core_params[] =
100 {
101 OSSL_PARAM_utf8_ptr(OSSL_PROV_PARAM_MODULE_FILENAME,
102 selftest_params.module_filename,
103 sizeof(selftest_params.module_filename)),
104 OSSL_PARAM_utf8_ptr(OSSL_PROV_FIPS_PARAM_MODULE_MAC,
105 selftest_params.module_checksum_data,
106 sizeof(selftest_params.module_checksum_data)),
107 OSSL_PARAM_utf8_ptr(OSSL_PROV_FIPS_PARAM_INSTALL_MAC,
108 selftest_params.indicator_checksum_data,
109 sizeof(selftest_params.indicator_checksum_data)),
110 OSSL_PARAM_utf8_ptr(OSSL_PROV_FIPS_PARAM_INSTALL_STATUS,
111 selftest_params.indicator_data,
112 sizeof(selftest_params.indicator_data)),
113 OSSL_PARAM_utf8_ptr(OSSL_PROV_FIPS_PARAM_INSTALL_VERSION,
114 selftest_params.indicator_version,
115 sizeof(selftest_params.indicator_version)),
116 OSSL_PARAM_END
117 };
118
119 /* TODO(3.0): To be removed */
120 static int dummy_evp_call(void *provctx)
121 {
122 OPENSSL_CTX *libctx = PROV_LIBRARY_CONTEXT_OF(provctx);
123 EVP_MD_CTX *ctx = EVP_MD_CTX_new();
124 EVP_MD *sha256 = EVP_MD_fetch(libctx, "SHA256", NULL);
125 EVP_KDF *kdf = EVP_KDF_fetch(libctx, OSSL_KDF_NAME_PBKDF2, NULL);
126 char msg[] = "Hello World!";
127 const unsigned char exptd[] = {
128 0x7f, 0x83, 0xb1, 0x65, 0x7f, 0xf1, 0xfc, 0x53, 0xb9, 0x2d, 0xc1, 0x81,
129 0x48, 0xa1, 0xd6, 0x5d, 0xfc, 0x2d, 0x4b, 0x1f, 0xa3, 0xd6, 0x77, 0x28,
130 0x4a, 0xdd, 0xd2, 0x00, 0x12, 0x6d, 0x90, 0x69
131 };
132 unsigned int dgstlen = 0;
133 unsigned char dgst[SHA256_DIGEST_LENGTH];
134 int ret = 0;
135 BN_CTX *bnctx = NULL;
136 BIGNUM *a = NULL, *b = NULL;
137 unsigned char randbuf[128];
138 RAND_DRBG *drbg = OPENSSL_CTX_get0_public_drbg(libctx);
139 #ifndef OPENSSL_NO_EC
140 EC_KEY *key = NULL;
141 #endif
142
143 if (ctx == NULL || sha256 == NULL || drbg == NULL || kdf == NULL)
144 goto err;
145
146 if (!EVP_DigestInit_ex(ctx, sha256, NULL))
147 goto err;
148 if (!EVP_DigestUpdate(ctx, msg, sizeof(msg) - 1))
149 goto err;
150 if (!EVP_DigestFinal(ctx, dgst, &dgstlen))
151 goto err;
152 if (dgstlen != sizeof(exptd) || memcmp(dgst, exptd, sizeof(exptd)) != 0)
153 goto err;
154
155 bnctx = BN_CTX_new_ex(libctx);
156 if (bnctx == NULL)
157 goto err;
158 BN_CTX_start(bnctx);
159 a = BN_CTX_get(bnctx);
160 b = BN_CTX_get(bnctx);
161 if (b == NULL)
162 goto err;
163 BN_zero(a);
164 if (!BN_one(b)
165 || !BN_add(a, a, b)
166 || BN_cmp(a, b) != 0)
167 goto err;
168
169 if (RAND_DRBG_bytes(drbg, randbuf, sizeof(randbuf)) <= 0)
170 goto err;
171
172 if (!BN_rand_ex(a, 256, BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY, bnctx))
173 goto err;
174
175 #ifndef OPENSSL_NO_EC
176 /* Do some dummy EC calls */
177 key = EC_KEY_new_by_curve_name_ex(libctx, NID_X9_62_prime256v1);
178 if (key == NULL)
179 goto err;
180
181 if (!EC_KEY_generate_key(key))
182 goto err;
183 #endif
184
185 ret = 1;
186 err:
187 BN_CTX_end(bnctx);
188 BN_CTX_free(bnctx);
189
190 EVP_KDF_free(kdf);
191 EVP_MD_CTX_free(ctx);
192 EVP_MD_free(sha256);
193
194 #ifndef OPENSSL_NO_EC
195 EC_KEY_free(key);
196 #endif
197 return ret;
198 }
199
200 static const OSSL_PARAM *fips_gettable_params(const OSSL_PROVIDER *prov)
201 {
202 return fips_param_types;
203 }
204
205 static int fips_get_params(const OSSL_PROVIDER *prov, OSSL_PARAM params[])
206 {
207 OSSL_PARAM *p;
208
209 p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_NAME);
210 if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "OpenSSL FIPS Provider"))
211 return 0;
212 p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_VERSION);
213 if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_VERSION_STR))
214 return 0;
215 p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_BUILDINFO);
216 if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_FULL_VERSION_STR))
217 return 0;
218
219 return 1;
220 }
221
222 /* FIPS specific version of the function of the same name in provlib.c */
223 const char *ossl_prov_util_nid_to_name(int nid)
224 {
225 /* We don't have OBJ_nid2n() in FIPS_MODE so we have an explicit list */
226
227 switch (nid) {
228 /* Digests */
229 case NID_sha1:
230 return "SHA1";
231 case NID_sha224:
232 return "SHA-224";
233 case NID_sha256:
234 return "SHA-256";
235 case NID_sha384:
236 return "SHA-384";
237 case NID_sha512:
238 return "SHA-512";
239 case NID_sha512_224:
240 return "SHA-512/224";
241 case NID_sha512_256:
242 return "SHA-512/256";
243 case NID_sha3_224:
244 return "SHA3-224";
245 case NID_sha3_256:
246 return "SHA3-256";
247 case NID_sha3_384:
248 return "SHA3-384";
249 case NID_sha3_512:
250 return "SHA3-512";
251
252 /* Ciphers */
253 case NID_aes_256_ecb:
254 return "AES-256-ECB";
255 case NID_aes_192_ecb:
256 return "AES-192-ECB";
257 case NID_aes_128_ecb:
258 return "AES-128-ECB";
259 case NID_aes_256_cbc:
260 return "AES-256-CBC";
261 case NID_aes_192_cbc:
262 return "AES-192-CBC";
263 case NID_aes_128_cbc:
264 return "AES-128-CBC";
265 case NID_aes_256_ctr:
266 return "AES-256-CTR";
267 case NID_aes_192_ctr:
268 return "AES-192-CTR";
269 case NID_aes_128_ctr:
270 return "AES-128-CTR";
271 case NID_aes_256_xts:
272 return "AES-256-XTS";
273 case NID_aes_128_xts:
274 return "AES-128-XTS";
275 case NID_aes_256_gcm:
276 return "AES-256-GCM";
277 case NID_aes_192_gcm:
278 return "AES-192-GCM";
279 case NID_aes_128_gcm:
280 return "AES-128-GCM";
281 case NID_aes_256_ccm:
282 return "AES-256-CCM";
283 case NID_aes_192_ccm:
284 return "AES-192-CCM";
285 case NID_aes_128_ccm:
286 return "AES-128-CCM";
287 case NID_id_aes256_wrap:
288 return "AES-256-WRAP";
289 case NID_id_aes192_wrap:
290 return "AES-192-WRAP";
291 case NID_id_aes128_wrap:
292 return "AES-128-WRAP";
293 case NID_id_aes256_wrap_pad:
294 return "AES-256-WRAP-PAD";
295 case NID_id_aes192_wrap_pad:
296 return "AES-192-WRAP-PAD";
297 case NID_id_aes128_wrap_pad:
298 return "AES-128-WRAP-PAD";
299 case NID_des_ede3_ecb:
300 return "DES-EDE3";
301 case NID_des_ede3_cbc:
302 return "DES-EDE3-CBC";
303 default:
304 break;
305 }
306
307 return NULL;
308 }
309
310 /*
311 * For the algorithm names, we use the following formula for our primary
312 * names:
313 *
314 * ALGNAME[VERSION?][-SUBNAME[VERSION?]?][-SIZE?][-MODE?]
315 *
316 * VERSION is only present if there are multiple versions of
317 * an alg (MD2, MD4, MD5). It may be omitted if there is only
318 * one version (if a subsequent version is released in the future,
319 * we can always change the canonical name, and add the old name
320 * as an alias).
321 *
322 * SUBNAME may be present where we are combining multiple
323 * algorithms together, e.g. MD5-SHA1.
324 *
325 * SIZE is only present if multiple versions of an algorithm exist
326 * with different sizes (e.g. AES-128-CBC, AES-256-CBC)
327 *
328 * MODE is only present where applicable.
329 *
330 * We add diverse other names where applicable, such as the names that
331 * NIST uses, or that are used for ASN.1 OBJECT IDENTIFIERs, or names
332 * we have used historically.
333 */
334 static const OSSL_ALGORITHM fips_digests[] = {
335 /* Our primary name:NiST name[:our older names] */
336 { "SHA1:SHA-1", "fips=yes", sha1_functions },
337 { "SHA2-224:SHA-224:SHA224", "fips=yes", sha224_functions },
338 { "SHA2-256:SHA-256:SHA256", "fips=yes", sha256_functions },
339 { "SHA2-384:SHA-384:SHA384", "fips=yes", sha384_functions },
340 { "SHA2-512:SHA-512:SHA512", "fips=yes", sha512_functions },
341 { "SHA2-512/224:SHA-512/224:SHA512-224", "fips=yes",
342 sha512_224_functions },
343 { "SHA2-512/256:SHA-512/256:SHA512-256", "fips=yes",
344 sha512_256_functions },
345
346 /* We agree with NIST here, so one name only */
347 { "SHA3-224", "fips=yes", sha3_224_functions },
348 { "SHA3-256", "fips=yes", sha3_256_functions },
349 { "SHA3-384", "fips=yes", sha3_384_functions },
350 { "SHA3-512", "fips=yes", sha3_512_functions },
351 /*
352 * KECCAK-KMAC-128 and KECCAK-KMAC-256 as hashes are mostly useful for
353 * KMAC128 and KMAC256.
354 */
355 { "KECCAK-KMAC-128:KECCAK-KMAC128", "fips=yes", keccak_kmac_128_functions },
356 { "KECCAK-KMAC-256:KECCAK-KMAC256", "fips=yes", keccak_kmac_256_functions },
357
358 { NULL, NULL, NULL }
359 };
360
361 static const OSSL_ALGORITHM fips_ciphers[] = {
362 /* Our primary name[:ASN.1 OID name][:our older names] */
363 { "AES-256-ECB", "fips=yes", aes256ecb_functions },
364 { "AES-192-ECB", "fips=yes", aes192ecb_functions },
365 { "AES-128-ECB", "fips=yes", aes128ecb_functions },
366 { "AES-256-CBC", "fips=yes", aes256cbc_functions },
367 { "AES-192-CBC", "fips=yes", aes192cbc_functions },
368 { "AES-128-CBC", "fips=yes", aes128cbc_functions },
369 { "AES-256-CTR", "fips=yes", aes256ctr_functions },
370 { "AES-192-CTR", "fips=yes", aes192ctr_functions },
371 { "AES-128-CTR", "fips=yes", aes128ctr_functions },
372 { "AES-256-XTS", "fips=yes", aes256xts_functions },
373 { "AES-128-XTS", "fips=yes", aes128xts_functions },
374 { "AES-256-GCM:id-aes256-GCM", "fips=yes", aes256gcm_functions },
375 { "AES-192-GCM:id-aes192-GCM", "fips=yes", aes192gcm_functions },
376 { "AES-128-GCM:id-aes128-GCM", "fips=yes", aes128gcm_functions },
377 { "AES-256-CCM:id-aes256-CCM", "fips=yes", aes256ccm_functions },
378 { "AES-192-CCM:id-aes192-CCM", "fips=yes", aes192ccm_functions },
379 { "AES-128-CCM:id-aes128-CCM", "fips=yes", aes128ccm_functions },
380 { "AES-256-WRAP:id-aes256-wrap:AES256-WRAP", "fips=yes",
381 aes256wrap_functions },
382 { "AES-192-WRAP:id-aes192-wrap:AES192-WRAP", "fips=yes",
383 aes192wrap_functions },
384 { "AES-128-WRAP:id-aes128-wrap:AES128-WRAP", "fips=yes",
385 aes128wrap_functions },
386 { "AES-256-WRAP-PAD:id-aes256-wrap-pad:AES256-WRAP-PAD", "fips=yes",
387 aes256wrappad_functions },
388 { "AES-192-WRAP-PAD:id-aes192-wrap-pad:AES192-WRAP-PAD", "fips=yes",
389 aes192wrappad_functions },
390 { "AES-128-WRAP-PAD:id-aes128-wrap-pad:AES128-WRAP-PAD", "fips=yes",
391 aes128wrappad_functions },
392 #ifndef OPENSSL_NO_DES
393 { "DES-EDE3-ECB:DES-EDE3", "fips=yes", tdes_ede3_ecb_functions },
394 { "DES-EDE3-CBC:DES3", "fips=yes", tdes_ede3_cbc_functions },
395 #endif /* OPENSSL_NO_DES */
396 { NULL, NULL, NULL }
397 };
398
399 static const OSSL_ALGORITHM fips_macs[] = {
400 #ifndef OPENSSL_NO_CMAC
401 { "CMAC", "fips=yes", cmac_functions },
402 #endif
403 { "GMAC", "fips=yes", gmac_functions },
404 { "HMAC", "fips=yes", hmac_functions },
405 { "KMAC-128:KMAC128", "fips=yes", kmac128_functions },
406 { "KMAC-256:KMAC256", "fips=yes", kmac256_functions },
407 { NULL, NULL, NULL }
408 };
409
410 static const OSSL_ALGORITHM fips_kdfs[] = {
411 { "HKDF", "fips=yes", kdf_hkdf_functions },
412 { "SSKDF", "fips=yes", kdf_sskdf_functions },
413 { "PBKDF2", "fips=yes", kdf_pbkdf2_functions },
414 { "TLS1-PRF", "fips=yes", kdf_tls1_prf_functions },
415 { "KBKDF", "fips=yes", kdf_kbkdf_functions },
416 { NULL, NULL, NULL }
417 };
418
419 static const OSSL_ALGORITHM *fips_query(OSSL_PROVIDER *prov,
420 int operation_id,
421 int *no_cache)
422 {
423 *no_cache = 0;
424 switch (operation_id) {
425 case OSSL_OP_DIGEST:
426 return fips_digests;
427 case OSSL_OP_CIPHER:
428 return fips_ciphers;
429 case OSSL_OP_MAC:
430 return fips_macs;
431 case OSSL_OP_KDF:
432 return fips_kdfs;
433 }
434 return NULL;
435 }
436
437 /* Functions we provide to the core */
438 static const OSSL_DISPATCH fips_dispatch_table[] = {
439 /*
440 * To release our resources we just need to free the OPENSSL_CTX so we just
441 * use OPENSSL_CTX_free directly as our teardown function
442 */
443 { OSSL_FUNC_PROVIDER_TEARDOWN, (void (*)(void))OPENSSL_CTX_free },
444 { OSSL_FUNC_PROVIDER_GETTABLE_PARAMS, (void (*)(void))fips_gettable_params },
445 { OSSL_FUNC_PROVIDER_GET_PARAMS, (void (*)(void))fips_get_params },
446 { OSSL_FUNC_PROVIDER_QUERY_OPERATION, (void (*)(void))fips_query },
447 { 0, NULL }
448 };
449
450 /* Functions we provide to ourself */
451 static const OSSL_DISPATCH intern_dispatch_table[] = {
452 { OSSL_FUNC_PROVIDER_QUERY_OPERATION, (void (*)(void))fips_query },
453 { 0, NULL }
454 };
455
456
457 int OSSL_provider_init(const OSSL_PROVIDER *provider,
458 const OSSL_DISPATCH *in,
459 const OSSL_DISPATCH **out,
460 void **provctx)
461 {
462 FIPS_GLOBAL *fgbl;
463 OPENSSL_CTX *ctx;
464
465 for (; in->function_id != 0; in++) {
466 switch (in->function_id) {
467 case OSSL_FUNC_CORE_GETTABLE_PARAMS:
468 c_gettable_params = OSSL_get_core_gettable_params(in);
469 break;
470 case OSSL_FUNC_CORE_GET_PARAMS:
471 c_get_params = OSSL_get_core_get_params(in);
472 break;
473 case OSSL_FUNC_CORE_THREAD_START:
474 c_thread_start = OSSL_get_core_thread_start(in);
475 break;
476 case OSSL_FUNC_CORE_NEW_ERROR:
477 c_new_error = OSSL_get_core_new_error(in);
478 break;
479 case OSSL_FUNC_CORE_SET_ERROR_DEBUG:
480 c_set_error_debug = OSSL_get_core_set_error_debug(in);
481 break;
482 case OSSL_FUNC_CORE_VSET_ERROR:
483 c_vset_error = OSSL_get_core_vset_error(in);
484 break;
485 case OSSL_FUNC_CRYPTO_MALLOC:
486 c_CRYPTO_malloc = OSSL_get_CRYPTO_malloc(in);
487 break;
488 case OSSL_FUNC_CRYPTO_ZALLOC:
489 c_CRYPTO_zalloc = OSSL_get_CRYPTO_zalloc(in);
490 break;
491 case OSSL_FUNC_CRYPTO_FREE:
492 c_CRYPTO_free = OSSL_get_CRYPTO_free(in);
493 break;
494 case OSSL_FUNC_CRYPTO_CLEAR_FREE:
495 c_CRYPTO_clear_free = OSSL_get_CRYPTO_clear_free(in);
496 break;
497 case OSSL_FUNC_CRYPTO_REALLOC:
498 c_CRYPTO_realloc = OSSL_get_CRYPTO_realloc(in);
499 break;
500 case OSSL_FUNC_CRYPTO_CLEAR_REALLOC:
501 c_CRYPTO_clear_realloc = OSSL_get_CRYPTO_clear_realloc(in);
502 break;
503 case OSSL_FUNC_CRYPTO_SECURE_MALLOC:
504 c_CRYPTO_secure_malloc = OSSL_get_CRYPTO_secure_malloc(in);
505 break;
506 case OSSL_FUNC_CRYPTO_SECURE_ZALLOC:
507 c_CRYPTO_secure_zalloc = OSSL_get_CRYPTO_secure_zalloc(in);
508 break;
509 case OSSL_FUNC_CRYPTO_SECURE_FREE:
510 c_CRYPTO_secure_free = OSSL_get_CRYPTO_secure_free(in);
511 break;
512 case OSSL_FUNC_CRYPTO_SECURE_CLEAR_FREE:
513 c_CRYPTO_secure_clear_free = OSSL_get_CRYPTO_secure_clear_free(in);
514 break;
515 case OSSL_FUNC_CRYPTO_SECURE_ALLOCATED:
516 c_CRYPTO_secure_allocated = OSSL_get_CRYPTO_secure_allocated(in);
517 break;
518 case OSSL_FUNC_BIO_NEW_FILE:
519 selftest_params.bio_new_file_cb = OSSL_get_BIO_new_file(in);
520 break;
521 case OSSL_FUNC_BIO_NEW_MEMBUF:
522 selftest_params.bio_new_buffer_cb = OSSL_get_BIO_new_membuf(in);
523 break;
524 case OSSL_FUNC_BIO_READ_EX:
525 selftest_params.bio_read_ex_cb = OSSL_get_BIO_read_ex(in);
526 break;
527 case OSSL_FUNC_BIO_FREE:
528 selftest_params.bio_free_cb = OSSL_get_BIO_free(in);
529 break;
530 default:
531 /* Just ignore anything we don't understand */
532 break;
533 }
534 }
535
536 if (!c_get_params(provider, core_params))
537 return 0;
538
539 /* Create a context. */
540 if ((ctx = OPENSSL_CTX_new()) == NULL)
541 return 0;
542 if ((fgbl = openssl_ctx_get_data(ctx, OPENSSL_CTX_FIPS_PROV_INDEX,
543 &fips_prov_ossl_ctx_method)) == NULL) {
544 OPENSSL_CTX_free(ctx);
545 return 0;
546 }
547
548 fgbl->prov = provider;
549
550 selftest_params.libctx = PROV_LIBRARY_CONTEXT_OF(ctx);
551 if (!SELF_TEST_post(&selftest_params, 0)) {
552 OPENSSL_CTX_free(ctx);
553 return 0;
554 }
555
556 *out = fips_dispatch_table;
557 *provctx = ctx;
558
559 /*
560 * TODO(3.0): Remove me. This is just a dummy call to demonstrate making
561 * EVP calls from within the FIPS module.
562 */
563 if (!dummy_evp_call(*provctx)) {
564 OPENSSL_CTX_free(*provctx);
565 *provctx = NULL;
566 return 0;
567 }
568
569 return 1;
570 }
571
572 /*
573 * The internal init function used when the FIPS module uses EVP to call
574 * another algorithm also in the FIPS module. This is a recursive call that has
575 * been made from within the FIPS module itself. To make this work, we populate
576 * the provider context of this inner instance with the same library context
577 * that was used in the EVP call that initiated this recursive call.
578 */
579 OSSL_provider_init_fn fips_intern_provider_init;
580 int fips_intern_provider_init(const OSSL_PROVIDER *provider,
581 const OSSL_DISPATCH *in,
582 const OSSL_DISPATCH **out,
583 void **provctx)
584 {
585 OSSL_core_get_library_context_fn *c_get_libctx = NULL;
586
587 for (; in->function_id != 0; in++) {
588 switch (in->function_id) {
589 case OSSL_FUNC_CORE_GET_LIBRARY_CONTEXT:
590 c_get_libctx = OSSL_get_core_get_library_context(in);
591 break;
592 default:
593 break;
594 }
595 }
596
597 if (c_get_libctx == NULL)
598 return 0;
599
600 *provctx = c_get_libctx(provider);
601
602 /*
603 * Safety measure... we should get the library context that was
604 * created up in OSSL_provider_init().
605 */
606 if (*provctx == NULL)
607 return 0;
608
609 *out = intern_dispatch_table;
610 return 1;
611 }
612
613 void ERR_new(void)
614 {
615 c_new_error(NULL);
616 }
617
618 void ERR_set_debug(const char *file, int line, const char *func)
619 {
620 c_set_error_debug(NULL, file, line, func);
621 }
622
623 void ERR_set_error(int lib, int reason, const char *fmt, ...)
624 {
625 va_list args;
626
627 va_start(args, fmt);
628 c_vset_error(NULL, ERR_PACK(lib, 0, reason), fmt, args);
629 va_end(args);
630 }
631
632 void ERR_vset_error(int lib, int reason, const char *fmt, va_list args)
633 {
634 c_vset_error(NULL, ERR_PACK(lib, 0, reason), fmt, args);
635 }
636
637 const OSSL_PROVIDER *FIPS_get_provider(OPENSSL_CTX *ctx)
638 {
639 FIPS_GLOBAL *fgbl = openssl_ctx_get_data(ctx, OPENSSL_CTX_FIPS_PROV_INDEX,
640 &fips_prov_ossl_ctx_method);
641
642 if (fgbl == NULL)
643 return NULL;
644
645 return fgbl->prov;
646 }
647
648 void *CRYPTO_malloc(size_t num, const char *file, int line)
649 {
650 return c_CRYPTO_malloc(num, file, line);
651 }
652
653 void *CRYPTO_zalloc(size_t num, const char *file, int line)
654 {
655 return c_CRYPTO_zalloc(num, file, line);
656 }
657
658 void CRYPTO_free(void *ptr, const char *file, int line)
659 {
660 c_CRYPTO_free(ptr, file, line);
661 }
662
663 void CRYPTO_clear_free(void *ptr, size_t num, const char *file, int line)
664 {
665 c_CRYPTO_clear_free(ptr, num, file, line);
666 }
667
668 void *CRYPTO_realloc(void *addr, size_t num, const char *file, int line)
669 {
670 return c_CRYPTO_realloc(addr, num, file, line);
671 }
672
673 void *CRYPTO_clear_realloc(void *addr, size_t old_num, size_t num,
674 const char *file, int line)
675 {
676 return c_CRYPTO_clear_realloc(addr, old_num, num, file, line);
677 }
678
679 void *CRYPTO_secure_malloc(size_t num, const char *file, int line)
680 {
681 return c_CRYPTO_secure_malloc(num, file, line);
682 }
683
684 void *CRYPTO_secure_zalloc(size_t num, const char *file, int line)
685 {
686 return c_CRYPTO_secure_zalloc(num, file, line);
687 }
688
689 void CRYPTO_secure_free(void *ptr, const char *file, int line)
690 {
691 c_CRYPTO_secure_free(ptr, file, line);
692 }
693
694 void CRYPTO_secure_clear_free(void *ptr, size_t num, const char *file, int line)
695 {
696 c_CRYPTO_secure_clear_free(ptr, num, file, line);
697 }
698
699 int CRYPTO_secure_allocated(const void *ptr)
700 {
701 return c_CRYPTO_secure_allocated(ptr);
702 }
A mirror of the official openssl repository