]> git.ipfire.org Git - thirdparty/openssl.git/blob - providers/fips/fipsprov.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Update copyright year
[thirdparty/openssl.git] / providers / fips / fipsprov.c
1 /*
2 * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <string.h>
11 #include <stdio.h>
12 #include <openssl/core.h>
13 #include <openssl/core_numbers.h>
14 #include <openssl/core_names.h>
15 #include <openssl/params.h>
16 #include <openssl/err.h>
17 #include <openssl/evp.h>
18 #include <openssl/kdf.h>
19
20 /* TODO(3.0): Needed for dummy_evp_call(). To be removed */
21 #include <openssl/sha.h>
22 #include <openssl/rand_drbg.h>
23 #include <openssl/ec.h>
24 #include <openssl/fips_names.h>
25
26 #include "internal/cryptlib.h"
27 #include "internal/property.h"
28 #include "internal/nelem.h"
29 #include "openssl/param_build.h"
30 #include "crypto/evp.h"
31 #include "prov/implementations.h"
32 #include "prov/provider_ctx.h"
33 #include "prov/providercommon.h"
34 #include "prov/provider_util.h"
35 #include "self_test.h"
36
37 #define ALGC(NAMES, FUNC, CHECK) { { NAMES, "provider=fips,fips=yes", FUNC }, CHECK }
38 #define ALG(NAMES, FUNC) ALGC(NAMES, FUNC, NULL)
39
40 extern OSSL_core_thread_start_fn *c_thread_start;
41
42 /*
43 * TODO(3.0): Should these be stored in the provider side provctx? Could they
44 * ever be different from one init to the next? Unfortunately we can't do this
45 * at the moment because c_put_error/c_add_error_vdata do not provide
46 * us with the OPENSSL_CTX as a parameter.
47 */
48
49 static SELF_TEST_POST_PARAMS selftest_params;
50
51 /* Functions provided by the core */
52 static OSSL_core_gettable_params_fn *c_gettable_params;
53 static OSSL_core_get_params_fn *c_get_params;
54 OSSL_core_thread_start_fn *c_thread_start;
55 static OSSL_core_new_error_fn *c_new_error;
56 static OSSL_core_set_error_debug_fn *c_set_error_debug;
57 static OSSL_core_vset_error_fn *c_vset_error;
58 static OSSL_core_set_error_mark_fn *c_set_error_mark;
59 static OSSL_core_clear_last_error_mark_fn *c_clear_last_error_mark;
60 static OSSL_core_pop_error_to_mark_fn *c_pop_error_to_mark;
61 static OSSL_CRYPTO_malloc_fn *c_CRYPTO_malloc;
62 static OSSL_CRYPTO_zalloc_fn *c_CRYPTO_zalloc;
63 static OSSL_CRYPTO_free_fn *c_CRYPTO_free;
64 static OSSL_CRYPTO_clear_free_fn *c_CRYPTO_clear_free;
65 static OSSL_CRYPTO_realloc_fn *c_CRYPTO_realloc;
66 static OSSL_CRYPTO_clear_realloc_fn *c_CRYPTO_clear_realloc;
67 static OSSL_CRYPTO_secure_malloc_fn *c_CRYPTO_secure_malloc;
68 static OSSL_CRYPTO_secure_zalloc_fn *c_CRYPTO_secure_zalloc;
69 static OSSL_CRYPTO_secure_free_fn *c_CRYPTO_secure_free;
70 static OSSL_CRYPTO_secure_clear_free_fn *c_CRYPTO_secure_clear_free;
71 static OSSL_CRYPTO_secure_allocated_fn *c_CRYPTO_secure_allocated;
72 static OSSL_BIO_vsnprintf_fn *c_BIO_vsnprintf;
73
74 typedef struct fips_global_st {
75 const OSSL_PROVIDER *prov;
76 } FIPS_GLOBAL;
77
78 static void *fips_prov_ossl_ctx_new(OPENSSL_CTX *libctx)
79 {
80 FIPS_GLOBAL *fgbl = OPENSSL_zalloc(sizeof(*fgbl));
81
82 return fgbl;
83 }
84
85 static void fips_prov_ossl_ctx_free(void *fgbl)
86 {
87 OPENSSL_free(fgbl);
88 }
89
90 static const OPENSSL_CTX_METHOD fips_prov_ossl_ctx_method = {
91 fips_prov_ossl_ctx_new,
92 fips_prov_ossl_ctx_free,
93 };
94
95
96 /* Parameters we provide to the core */
97 static const OSSL_PARAM fips_param_types[] = {
98 OSSL_PARAM_DEFN(OSSL_PROV_PARAM_NAME, OSSL_PARAM_UTF8_PTR, NULL, 0),
99 OSSL_PARAM_DEFN(OSSL_PROV_PARAM_VERSION, OSSL_PARAM_UTF8_PTR, NULL, 0),
100 OSSL_PARAM_DEFN(OSSL_PROV_PARAM_BUILDINFO, OSSL_PARAM_UTF8_PTR, NULL, 0),
101 OSSL_PARAM_END
102 };
103
104 /*
105 * Parameters to retrieve from the core provider - required for self testing.
106 * NOTE: inside core_get_params() these will be loaded from config items
107 * stored inside prov->parameters (except for OSSL_PROV_PARAM_MODULE_FILENAME).
108 */
109 static OSSL_PARAM core_params[] =
110 {
111 OSSL_PARAM_utf8_ptr(OSSL_PROV_PARAM_MODULE_FILENAME,
112 selftest_params.module_filename,
113 sizeof(selftest_params.module_filename)),
114 OSSL_PARAM_utf8_ptr(OSSL_PROV_FIPS_PARAM_MODULE_MAC,
115 selftest_params.module_checksum_data,
116 sizeof(selftest_params.module_checksum_data)),
117 OSSL_PARAM_utf8_ptr(OSSL_PROV_FIPS_PARAM_INSTALL_MAC,
118 selftest_params.indicator_checksum_data,
119 sizeof(selftest_params.indicator_checksum_data)),
120 OSSL_PARAM_utf8_ptr(OSSL_PROV_FIPS_PARAM_INSTALL_STATUS,
121 selftest_params.indicator_data,
122 sizeof(selftest_params.indicator_data)),
123 OSSL_PARAM_utf8_ptr(OSSL_PROV_FIPS_PARAM_INSTALL_VERSION,
124 selftest_params.indicator_version,
125 sizeof(selftest_params.indicator_version)),
126 OSSL_PARAM_END
127 };
128
129 /* TODO(3.0): To be removed */
130 static int dummy_evp_call(void *provctx)
131 {
132 OPENSSL_CTX *libctx = PROV_LIBRARY_CONTEXT_OF(provctx);
133 EVP_MD_CTX *ctx = EVP_MD_CTX_new();
134 EVP_MD *sha256 = EVP_MD_fetch(libctx, "SHA256", NULL);
135 EVP_KDF *kdf = EVP_KDF_fetch(libctx, OSSL_KDF_NAME_PBKDF2, NULL);
136 unsigned char dgst[SHA256_DIGEST_LENGTH];
137 unsigned int dgstlen;
138 int ret = 0;
139 BN_CTX *bnctx = NULL;
140 BIGNUM *a = NULL, *b = NULL;
141 unsigned char randbuf[128];
142 RAND_DRBG *drbg = OPENSSL_CTX_get0_public_drbg(libctx);
143 #ifndef OPENSSL_NO_EC
144 EC_KEY *key = NULL;
145 #endif
146
147 static const char msg[] = "Hello World!";
148 static const unsigned char exptd[] = {
149 0x7f, 0x83, 0xb1, 0x65, 0x7f, 0xf1, 0xfc, 0x53, 0xb9, 0x2d, 0xc1, 0x81,
150 0x48, 0xa1, 0xd6, 0x5d, 0xfc, 0x2d, 0x4b, 0x1f, 0xa3, 0xd6, 0x77, 0x28,
151 0x4a, 0xdd, 0xd2, 0x00, 0x12, 0x6d, 0x90, 0x69
152 };
153
154 if (ctx == NULL || sha256 == NULL || drbg == NULL || kdf == NULL)
155 goto err;
156
157 if (!EVP_DigestInit_ex(ctx, sha256, NULL))
158 goto err;
159 if (!EVP_DigestUpdate(ctx, msg, sizeof(msg) - 1))
160 goto err;
161 if (!EVP_DigestFinal(ctx, dgst, &dgstlen))
162 goto err;
163 if (dgstlen != sizeof(exptd) || memcmp(dgst, exptd, sizeof(exptd)) != 0)
164 goto err;
165
166 bnctx = BN_CTX_new_ex(libctx);
167 if (bnctx == NULL)
168 goto err;
169 BN_CTX_start(bnctx);
170 a = BN_CTX_get(bnctx);
171 b = BN_CTX_get(bnctx);
172 if (b == NULL)
173 goto err;
174 BN_zero(a);
175 if (!BN_one(b)
176 || !BN_add(a, a, b)
177 || BN_cmp(a, b) != 0)
178 goto err;
179
180 if (RAND_DRBG_bytes(drbg, randbuf, sizeof(randbuf)) <= 0)
181 goto err;
182
183 if (!BN_rand_ex(a, 256, BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY, bnctx))
184 goto err;
185
186 #ifndef OPENSSL_NO_EC
187 /* Do some dummy EC calls */
188 key = EC_KEY_new_by_curve_name_ex(libctx, NID_X9_62_prime256v1);
189 if (key == NULL)
190 goto err;
191
192 if (!EC_KEY_generate_key(key))
193 goto err;
194 #endif
195
196 ret = 1;
197 err:
198 BN_CTX_end(bnctx);
199 BN_CTX_free(bnctx);
200
201 EVP_KDF_free(kdf);
202 EVP_MD_CTX_free(ctx);
203 EVP_MD_free(sha256);
204
205 #ifndef OPENSSL_NO_EC
206 EC_KEY_free(key);
207 #endif
208 return ret;
209 }
210
211 static const OSSL_PARAM *fips_gettable_params(const OSSL_PROVIDER *prov)
212 {
213 return fips_param_types;
214 }
215
216 static int fips_get_params(const OSSL_PROVIDER *prov, OSSL_PARAM params[])
217 {
218 OSSL_PARAM *p;
219
220 p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_NAME);
221 if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "OpenSSL FIPS Provider"))
222 return 0;
223 p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_VERSION);
224 if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_VERSION_STR))
225 return 0;
226 p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_BUILDINFO);
227 if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_FULL_VERSION_STR))
228 return 0;
229
230 return 1;
231 }
232
233 /* FIPS specific version of the function of the same name in provlib.c */
234 const char *ossl_prov_util_nid_to_name(int nid)
235 {
236 /* We don't have OBJ_nid2n() in FIPS_MODE so we have an explicit list */
237
238 switch (nid) {
239 /* Digests */
240 case NID_sha1:
241 return "SHA1";
242 case NID_sha224:
243 return "SHA-224";
244 case NID_sha256:
245 return "SHA-256";
246 case NID_sha384:
247 return "SHA-384";
248 case NID_sha512:
249 return "SHA-512";
250 case NID_sha512_224:
251 return "SHA-512/224";
252 case NID_sha512_256:
253 return "SHA-512/256";
254 case NID_sha3_224:
255 return "SHA3-224";
256 case NID_sha3_256:
257 return "SHA3-256";
258 case NID_sha3_384:
259 return "SHA3-384";
260 case NID_sha3_512:
261 return "SHA3-512";
262
263 /* Ciphers */
264 case NID_aes_256_ecb:
265 return "AES-256-ECB";
266 case NID_aes_192_ecb:
267 return "AES-192-ECB";
268 case NID_aes_128_ecb:
269 return "AES-128-ECB";
270 case NID_aes_256_cbc:
271 return "AES-256-CBC";
272 case NID_aes_192_cbc:
273 return "AES-192-CBC";
274 case NID_aes_128_cbc:
275 return "AES-128-CBC";
276 case NID_aes_256_ctr:
277 return "AES-256-CTR";
278 case NID_aes_192_ctr:
279 return "AES-192-CTR";
280 case NID_aes_128_ctr:
281 return "AES-128-CTR";
282 case NID_aes_256_xts:
283 return "AES-256-XTS";
284 case NID_aes_128_xts:
285 return "AES-128-XTS";
286 case NID_aes_256_gcm:
287 return "AES-256-GCM";
288 case NID_aes_192_gcm:
289 return "AES-192-GCM";
290 case NID_aes_128_gcm:
291 return "AES-128-GCM";
292 case NID_aes_256_ccm:
293 return "AES-256-CCM";
294 case NID_aes_192_ccm:
295 return "AES-192-CCM";
296 case NID_aes_128_ccm:
297 return "AES-128-CCM";
298 case NID_id_aes256_wrap:
299 return "AES-256-WRAP";
300 case NID_id_aes192_wrap:
301 return "AES-192-WRAP";
302 case NID_id_aes128_wrap:
303 return "AES-128-WRAP";
304 case NID_id_aes256_wrap_pad:
305 return "AES-256-WRAP-PAD";
306 case NID_id_aes192_wrap_pad:
307 return "AES-192-WRAP-PAD";
308 case NID_id_aes128_wrap_pad:
309 return "AES-128-WRAP-PAD";
310 case NID_des_ede3_ecb:
311 return "DES-EDE3";
312 case NID_des_ede3_cbc:
313 return "DES-EDE3-CBC";
314 case NID_aes_256_cbc_hmac_sha256:
315 return "AES-256-CBC-HMAC-SHA256";
316 case NID_aes_128_cbc_hmac_sha256:
317 return "AES-128-CBC-HMAC-SHA256";
318 case NID_aes_256_cbc_hmac_sha1:
319 return "AES-256-CBC-HMAC-SHA1";
320 case NID_aes_128_cbc_hmac_sha1:
321 return "AES-128-CBC-HMAC-SHA1";
322 default:
323 break;
324 }
325
326 return NULL;
327 }
328
329 /*
330 * For the algorithm names, we use the following formula for our primary
331 * names:
332 *
333 * ALGNAME[VERSION?][-SUBNAME[VERSION?]?][-SIZE?][-MODE?]
334 *
335 * VERSION is only present if there are multiple versions of
336 * an alg (MD2, MD4, MD5). It may be omitted if there is only
337 * one version (if a subsequent version is released in the future,
338 * we can always change the canonical name, and add the old name
339 * as an alias).
340 *
341 * SUBNAME may be present where we are combining multiple
342 * algorithms together, e.g. MD5-SHA1.
343 *
344 * SIZE is only present if multiple versions of an algorithm exist
345 * with different sizes (e.g. AES-128-CBC, AES-256-CBC)
346 *
347 * MODE is only present where applicable.
348 *
349 * We add diverse other names where applicable, such as the names that
350 * NIST uses, or that are used for ASN.1 OBJECT IDENTIFIERs, or names
351 * we have used historically.
352 */
353 static const OSSL_ALGORITHM fips_digests[] = {
354 /* Our primary name:NiST name[:our older names] */
355 { "SHA1:SHA-1", "provider=fips,fips=yes", sha1_functions },
356 { "SHA2-224:SHA-224:SHA224", "provider=fips,fips=yes", sha224_functions },
357 { "SHA2-256:SHA-256:SHA256", "provider=fips,fips=yes", sha256_functions },
358 { "SHA2-384:SHA-384:SHA384", "provider=fips,fips=yes", sha384_functions },
359 { "SHA2-512:SHA-512:SHA512", "provider=fips,fips=yes", sha512_functions },
360 { "SHA2-512/224:SHA-512/224:SHA512-224", "provider=fips,fips=yes",
361 sha512_224_functions },
362 { "SHA2-512/256:SHA-512/256:SHA512-256", "provider=fips,fips=yes",
363 sha512_256_functions },
364
365 /* We agree with NIST here, so one name only */
366 { "SHA3-224", "provider=fips,fips=yes", sha3_224_functions },
367 { "SHA3-256", "provider=fips,fips=yes", sha3_256_functions },
368 { "SHA3-384", "provider=fips,fips=yes", sha3_384_functions },
369 { "SHA3-512", "provider=fips,fips=yes", sha3_512_functions },
370
371 /* Non-FIPS algorithm to support oneshot_hash in the Ed448 code */
372 { "SHAKE-256:SHAKE256", "provider=fips,fips=no", shake_256_functions },
373 { NULL, NULL, NULL }
374 };
375
376 static const OSSL_ALGORITHM_CAPABLE fips_ciphers[] = {
377 /* Our primary name[:ASN.1 OID name][:our older names] */
378 ALG("AES-256-ECB", aes256ecb_functions),
379 ALG("AES-192-ECB", aes192ecb_functions),
380 ALG("AES-128-ECB", aes128ecb_functions),
381 ALG("AES-256-CBC", aes256cbc_functions),
382 ALG("AES-192-CBC", aes192cbc_functions),
383 ALG("AES-128-CBC", aes128cbc_functions),
384 ALG("AES-256-CTR", aes256ctr_functions),
385 ALG("AES-192-CTR", aes192ctr_functions),
386 ALG("AES-128-CTR", aes128ctr_functions),
387 ALG("AES-256-XTS", aes256xts_functions),
388 ALG("AES-128-XTS", aes128xts_functions),
389 ALG("AES-256-GCM:id-aes256-GCM", aes256gcm_functions),
390 ALG("AES-192-GCM:id-aes192-GCM", aes192gcm_functions),
391 ALG("AES-128-GCM:id-aes128-GCM", aes128gcm_functions),
392 ALG("AES-256-CCM:id-aes256-CCM", aes256ccm_functions),
393 ALG("AES-192-CCM:id-aes192-CCM", aes192ccm_functions),
394 ALG("AES-128-CCM:id-aes128-CCM", aes128ccm_functions),
395 ALG("AES-256-WRAP:id-aes256-wrap:AES256-WRAP", aes256wrap_functions),
396 ALG("AES-192-WRAP:id-aes192-wrap:AES192-WRAP", aes192wrap_functions),
397 ALG("AES-128-WRAP:id-aes128-wrap:AES128-WRAP", aes128wrap_functions),
398 ALG("AES-256-WRAP-PAD:id-aes256-wrap-pad:AES256-WRAP-PAD",
399 aes256wrappad_functions),
400 ALG("AES-192-WRAP-PAD:id-aes192-wrap-pad:AES192-WRAP-PAD",
401 aes192wrappad_functions),
402 ALG("AES-128-WRAP-PAD:id-aes128-wrap-pad:AES128-WRAP-PAD",
403 aes128wrappad_functions),
404 ALGC("AES-128-CBC-HMAC-SHA1", aes128cbc_hmac_sha1_functions,
405 cipher_capable_aes_cbc_hmac_sha1),
406 ALGC("AES-256-CBC-HMAC-SHA1", aes256cbc_hmac_sha1_functions,
407 cipher_capable_aes_cbc_hmac_sha1),
408 ALGC("AES-128-CBC-HMAC-SHA256", aes128cbc_hmac_sha256_functions,
409 cipher_capable_aes_cbc_hmac_sha256),
410 ALGC("AES-256-CBC-HMAC-SHA256", aes256cbc_hmac_sha256_functions,
411 cipher_capable_aes_cbc_hmac_sha256),
412 #ifndef OPENSSL_NO_DES
413 ALG("DES-EDE3-ECB:DES-EDE3", tdes_ede3_ecb_functions),
414 ALG("DES-EDE3-CBC:DES3", tdes_ede3_cbc_functions),
415 #endif /* OPENSSL_NO_DES */
416 { { NULL, NULL, NULL }, NULL }
417 };
418 static OSSL_ALGORITHM exported_fips_ciphers[OSSL_NELEM(fips_ciphers)];
419
420 static const OSSL_ALGORITHM fips_macs[] = {
421 { "GMAC", "provider=fips,fips=yes", gmac_functions },
422 { "HMAC", "provider=fips,fips=yes", hmac_functions },
423 { NULL, NULL, NULL }
424 };
425
426 static const OSSL_ALGORITHM fips_kdfs[] = {
427 { "HKDF", "provider=fips,fips=yes", kdf_hkdf_functions },
428 { "SSKDF", "provider=fips,fips=yes", kdf_sskdf_functions },
429 { "PBKDF2", "provider=fips,fips=yes", kdf_pbkdf2_functions },
430 { "TLS1-PRF", "provider=fips,fips=yes", kdf_tls1_prf_functions },
431 { NULL, NULL, NULL }
432 };
433
434 static const OSSL_ALGORITHM fips_keyexch[] = {
435 #ifndef OPENSSL_NO_DH
436 { "DH:dhKeyAgreement", "provider=fips,fips=yes", dh_keyexch_functions },
437 #endif
438 #ifndef OPENSSL_NO_EC
439 { "ECDH", "provider=fips,fips=yes", ecdh_keyexch_functions },
440 { "X25519", "provider=fips,fips=no", x25519_keyexch_functions },
441 { "X448", "provider=fips,fips=no", x448_keyexch_functions },
442 #endif
443 { NULL, NULL, NULL }
444 };
445
446 static const OSSL_ALGORITHM fips_signature[] = {
447 #ifndef OPENSSL_NO_DSA
448 { "DSA:dsaEncryption", "provider=fips,fips=yes", dsa_signature_functions },
449 #endif
450 { "RSA:rsaEncryption", "provider=fips,fips=yes", rsa_signature_functions },
451 #ifndef OPENSSL_NO_EC
452 { "ED25519", "provider=fips,fips=no", ed25519_signature_functions },
453 { "ED448", "provider=fips,fips=no", ed448_signature_functions },
454 { "ECDSA", "provider=fips,fips=yes", ecdsa_signature_functions },
455 #endif
456 { NULL, NULL, NULL }
457 };
458
459 static const OSSL_ALGORITHM fips_asym_cipher[] = {
460 { "RSA:rsaEncryption", "provider=fips,fips=yes", rsa_asym_cipher_functions },
461 { NULL, NULL, NULL }
462 };
463
464 static const OSSL_ALGORITHM fips_keymgmt[] = {
465 #ifndef OPENSSL_NO_DH
466 { "DH:dhKeyAgreement", "provider=fips,fips=yes", dh_keymgmt_functions },
467 #endif
468 #ifndef OPENSSL_NO_DSA
469 { "DSA", "provider=fips,fips=yes", dsa_keymgmt_functions },
470 #endif
471 { "RSA:rsaEncryption", "provider=fips,fips=yes", rsa_keymgmt_functions },
472 #ifndef OPENSSL_NO_EC
473 { "EC:id-ecPublicKey", "provider=fips,fips=yes", ec_keymgmt_functions },
474 { "X25519", "provider=fips,fips=no", x25519_keymgmt_functions },
475 { "X448", "provider=fips,fips=no", x448_keymgmt_functions },
476 { "ED25519", "provider=fips,fips=no", ed25519_keymgmt_functions },
477 { "ED448", "provider=fips,fips=no", ed448_keymgmt_functions },
478 #endif
479 { NULL, NULL, NULL }
480 };
481
482 static const OSSL_ALGORITHM *fips_query(OSSL_PROVIDER *prov,
483 int operation_id,
484 int *no_cache)
485 {
486 *no_cache = 0;
487 switch (operation_id) {
488 case OSSL_OP_DIGEST:
489 return fips_digests;
490 case OSSL_OP_CIPHER:
491 ossl_prov_cache_exported_algorithms(fips_ciphers, exported_fips_ciphers);
492 return exported_fips_ciphers;
493 case OSSL_OP_MAC:
494 return fips_macs;
495 case OSSL_OP_KDF:
496 return fips_kdfs;
497 case OSSL_OP_KEYMGMT:
498 return fips_keymgmt;
499 case OSSL_OP_KEYEXCH:
500 return fips_keyexch;
501 case OSSL_OP_SIGNATURE:
502 return fips_signature;
503 case OSSL_OP_ASYM_CIPHER:
504 return fips_asym_cipher;
505 }
506 return NULL;
507 }
508
509 /* Functions we provide to the core */
510 static const OSSL_DISPATCH fips_dispatch_table[] = {
511 /*
512 * To release our resources we just need to free the OPENSSL_CTX so we just
513 * use OPENSSL_CTX_free directly as our teardown function
514 */
515 { OSSL_FUNC_PROVIDER_TEARDOWN, (void (*)(void))OPENSSL_CTX_free },
516 { OSSL_FUNC_PROVIDER_GETTABLE_PARAMS, (void (*)(void))fips_gettable_params },
517 { OSSL_FUNC_PROVIDER_GET_PARAMS, (void (*)(void))fips_get_params },
518 { OSSL_FUNC_PROVIDER_QUERY_OPERATION, (void (*)(void))fips_query },
519 { 0, NULL }
520 };
521
522 /* Functions we provide to ourself */
523 static const OSSL_DISPATCH intern_dispatch_table[] = {
524 { OSSL_FUNC_PROVIDER_QUERY_OPERATION, (void (*)(void))fips_query },
525 { 0, NULL }
526 };
527
528
529 int OSSL_provider_init(const OSSL_PROVIDER *provider,
530 const OSSL_DISPATCH *in,
531 const OSSL_DISPATCH **out,
532 void **provctx)
533 {
534 FIPS_GLOBAL *fgbl;
535 OPENSSL_CTX *ctx;
536 OSSL_self_test_cb_fn *stcbfn = NULL;
537 OSSL_core_get_library_context_fn *c_get_libctx = NULL;
538
539 for (; in->function_id != 0; in++) {
540 switch (in->function_id) {
541 case OSSL_FUNC_CORE_GET_LIBRARY_CONTEXT:
542 c_get_libctx = OSSL_get_core_get_library_context(in);
543 break;
544 case OSSL_FUNC_CORE_GETTABLE_PARAMS:
545 c_gettable_params = OSSL_get_core_gettable_params(in);
546 break;
547 case OSSL_FUNC_CORE_GET_PARAMS:
548 c_get_params = OSSL_get_core_get_params(in);
549 break;
550 case OSSL_FUNC_CORE_THREAD_START:
551 c_thread_start = OSSL_get_core_thread_start(in);
552 break;
553 case OSSL_FUNC_CORE_NEW_ERROR:
554 c_new_error = OSSL_get_core_new_error(in);
555 break;
556 case OSSL_FUNC_CORE_SET_ERROR_DEBUG:
557 c_set_error_debug = OSSL_get_core_set_error_debug(in);
558 break;
559 case OSSL_FUNC_CORE_VSET_ERROR:
560 c_vset_error = OSSL_get_core_vset_error(in);
561 break;
562 case OSSL_FUNC_CORE_SET_ERROR_MARK:
563 c_set_error_mark = OSSL_get_core_set_error_mark(in);
564 break;
565 case OSSL_FUNC_CORE_CLEAR_LAST_ERROR_MARK:
566 c_clear_last_error_mark = OSSL_get_core_clear_last_error_mark(in);
567 break;
568 case OSSL_FUNC_CORE_POP_ERROR_TO_MARK:
569 c_pop_error_to_mark = OSSL_get_core_pop_error_to_mark(in);
570 break;
571 case OSSL_FUNC_CRYPTO_MALLOC:
572 c_CRYPTO_malloc = OSSL_get_CRYPTO_malloc(in);
573 break;
574 case OSSL_FUNC_CRYPTO_ZALLOC:
575 c_CRYPTO_zalloc = OSSL_get_CRYPTO_zalloc(in);
576 break;
577 case OSSL_FUNC_CRYPTO_FREE:
578 c_CRYPTO_free = OSSL_get_CRYPTO_free(in);
579 break;
580 case OSSL_FUNC_CRYPTO_CLEAR_FREE:
581 c_CRYPTO_clear_free = OSSL_get_CRYPTO_clear_free(in);
582 break;
583 case OSSL_FUNC_CRYPTO_REALLOC:
584 c_CRYPTO_realloc = OSSL_get_CRYPTO_realloc(in);
585 break;
586 case OSSL_FUNC_CRYPTO_CLEAR_REALLOC:
587 c_CRYPTO_clear_realloc = OSSL_get_CRYPTO_clear_realloc(in);
588 break;
589 case OSSL_FUNC_CRYPTO_SECURE_MALLOC:
590 c_CRYPTO_secure_malloc = OSSL_get_CRYPTO_secure_malloc(in);
591 break;
592 case OSSL_FUNC_CRYPTO_SECURE_ZALLOC:
593 c_CRYPTO_secure_zalloc = OSSL_get_CRYPTO_secure_zalloc(in);
594 break;
595 case OSSL_FUNC_CRYPTO_SECURE_FREE:
596 c_CRYPTO_secure_free = OSSL_get_CRYPTO_secure_free(in);
597 break;
598 case OSSL_FUNC_CRYPTO_SECURE_CLEAR_FREE:
599 c_CRYPTO_secure_clear_free = OSSL_get_CRYPTO_secure_clear_free(in);
600 break;
601 case OSSL_FUNC_CRYPTO_SECURE_ALLOCATED:
602 c_CRYPTO_secure_allocated = OSSL_get_CRYPTO_secure_allocated(in);
603 break;
604 case OSSL_FUNC_BIO_NEW_FILE:
605 selftest_params.bio_new_file_cb = OSSL_get_BIO_new_file(in);
606 break;
607 case OSSL_FUNC_BIO_NEW_MEMBUF:
608 selftest_params.bio_new_buffer_cb = OSSL_get_BIO_new_membuf(in);
609 break;
610 case OSSL_FUNC_BIO_READ_EX:
611 selftest_params.bio_read_ex_cb = OSSL_get_BIO_read_ex(in);
612 break;
613 case OSSL_FUNC_BIO_FREE:
614 selftest_params.bio_free_cb = OSSL_get_BIO_free(in);
615 break;
616 case OSSL_FUNC_BIO_VSNPRINTF:
617 c_BIO_vsnprintf = OSSL_get_BIO_vsnprintf(in);
618 break;
619 case OSSL_FUNC_SELF_TEST_CB: {
620 stcbfn = OSSL_get_self_test_cb(in);
621 break;
622 }
623 default:
624 /* Just ignore anything we don't understand */
625 break;
626 }
627 }
628
629 if (stcbfn != NULL && c_get_libctx != NULL) {
630 stcbfn(c_get_libctx(provider), &selftest_params.cb,
631 &selftest_params.cb_arg);
632 }
633 else {
634 selftest_params.cb = NULL;
635 selftest_params.cb_arg = NULL;
636 }
637
638 if (!c_get_params(provider, core_params))
639 return 0;
640
641 /* Create a context. */
642 if ((ctx = OPENSSL_CTX_new()) == NULL)
643 return 0;
644 if ((fgbl = openssl_ctx_get_data(ctx, OPENSSL_CTX_FIPS_PROV_INDEX,
645 &fips_prov_ossl_ctx_method)) == NULL) {
646 OPENSSL_CTX_free(ctx);
647 return 0;
648 }
649
650 fgbl->prov = provider;
651
652 selftest_params.libctx = PROV_LIBRARY_CONTEXT_OF(ctx);
653 if (!SELF_TEST_post(&selftest_params, 0)) {
654 OPENSSL_CTX_free(ctx);
655 return 0;
656 }
657
658 /*
659 * TODO(3.0): Remove me. This is just a dummy call to demonstrate making
660 * EVP calls from within the FIPS module.
661 */
662 if (!dummy_evp_call(ctx)) {
663 OPENSSL_CTX_free(ctx);
664 return 0;
665 }
666
667 *out = fips_dispatch_table;
668 *provctx = ctx;
669
670 return 1;
671 }
672
673 /*
674 * The internal init function used when the FIPS module uses EVP to call
675 * another algorithm also in the FIPS module. This is a recursive call that has
676 * been made from within the FIPS module itself. To make this work, we populate
677 * the provider context of this inner instance with the same library context
678 * that was used in the EVP call that initiated this recursive call.
679 */
680 OSSL_provider_init_fn fips_intern_provider_init;
681 int fips_intern_provider_init(const OSSL_PROVIDER *provider,
682 const OSSL_DISPATCH *in,
683 const OSSL_DISPATCH **out,
684 void **provctx)
685 {
686 OSSL_core_get_library_context_fn *c_get_libctx = NULL;
687
688 for (; in->function_id != 0; in++) {
689 switch (in->function_id) {
690 case OSSL_FUNC_CORE_GET_LIBRARY_CONTEXT:
691 c_get_libctx = OSSL_get_core_get_library_context(in);
692 break;
693 default:
694 break;
695 }
696 }
697
698 if (c_get_libctx == NULL)
699 return 0;
700
701 *provctx = c_get_libctx(provider);
702
703 /*
704 * Safety measure... we should get the library context that was
705 * created up in OSSL_provider_init().
706 */
707 if (*provctx == NULL)
708 return 0;
709
710 *out = intern_dispatch_table;
711 return 1;
712 }
713
714 void ERR_new(void)
715 {
716 c_new_error(NULL);
717 }
718
719 void ERR_set_debug(const char *file, int line, const char *func)
720 {
721 c_set_error_debug(NULL, file, line, func);
722 }
723
724 void ERR_set_error(int lib, int reason, const char *fmt, ...)
725 {
726 va_list args;
727
728 va_start(args, fmt);
729 c_vset_error(NULL, ERR_PACK(lib, 0, reason), fmt, args);
730 va_end(args);
731 }
732
733 void ERR_vset_error(int lib, int reason, const char *fmt, va_list args)
734 {
735 c_vset_error(NULL, ERR_PACK(lib, 0, reason), fmt, args);
736 }
737
738 int ERR_set_mark(void)
739 {
740 return c_set_error_mark(NULL);
741 }
742
743 int ERR_clear_last_mark(void)
744 {
745 return c_clear_last_error_mark(NULL);
746 }
747
748 int ERR_pop_to_mark(void)
749 {
750 return c_pop_error_to_mark(NULL);
751 }
752
753 const OSSL_PROVIDER *FIPS_get_provider(OPENSSL_CTX *ctx)
754 {
755 FIPS_GLOBAL *fgbl = openssl_ctx_get_data(ctx, OPENSSL_CTX_FIPS_PROV_INDEX,
756 &fips_prov_ossl_ctx_method);
757
758 if (fgbl == NULL)
759 return NULL;
760
761 return fgbl->prov;
762 }
763
764 void *CRYPTO_malloc(size_t num, const char *file, int line)
765 {
766 return c_CRYPTO_malloc(num, file, line);
767 }
768
769 void *CRYPTO_zalloc(size_t num, const char *file, int line)
770 {
771 return c_CRYPTO_zalloc(num, file, line);
772 }
773
774 void CRYPTO_free(void *ptr, const char *file, int line)
775 {
776 c_CRYPTO_free(ptr, file, line);
777 }
778
779 void CRYPTO_clear_free(void *ptr, size_t num, const char *file, int line)
780 {
781 c_CRYPTO_clear_free(ptr, num, file, line);
782 }
783
784 void *CRYPTO_realloc(void *addr, size_t num, const char *file, int line)
785 {
786 return c_CRYPTO_realloc(addr, num, file, line);
787 }
788
789 void *CRYPTO_clear_realloc(void *addr, size_t old_num, size_t num,
790 const char *file, int line)
791 {
792 return c_CRYPTO_clear_realloc(addr, old_num, num, file, line);
793 }
794
795 void *CRYPTO_secure_malloc(size_t num, const char *file, int line)
796 {
797 return c_CRYPTO_secure_malloc(num, file, line);
798 }
799
800 void *CRYPTO_secure_zalloc(size_t num, const char *file, int line)
801 {
802 return c_CRYPTO_secure_zalloc(num, file, line);
803 }
804
805 void CRYPTO_secure_free(void *ptr, const char *file, int line)
806 {
807 c_CRYPTO_secure_free(ptr, file, line);
808 }
809
810 void CRYPTO_secure_clear_free(void *ptr, size_t num, const char *file, int line)
811 {
812 c_CRYPTO_secure_clear_free(ptr, num, file, line);
813 }
814
815 int CRYPTO_secure_allocated(const void *ptr)
816 {
817 return c_CRYPTO_secure_allocated(ptr);
818 }
819
820 int BIO_snprintf(char *buf, size_t n, const char *format, ...)
821 {
822 va_list args;
823 int ret;
824
825 va_start(args, format);
826 ret = c_BIO_vsnprintf(buf, n, format, args);
827 va_end(args);
828 return ret;
829 }
A mirror of the official openssl repository