From: Shane Lontis <shane.lontis@oracle.com>
Date: Tue, 15 Sep 2020 04:32:40 +0000 (+1000)
Subject: Add a copy of OSSL_SELF_TEST_get_callback() to the fips module.
X-Git-Tag: openssl-3.0.0-alpha7~188
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f8e747471ebb5e6d65264de91e26fbc439841bc4;p=thirdparty%2Fopenssl.git

Add a copy of OSSL_SELF_TEST_get_callback() to the fips module.

The user can set up a self test callback that should be activated when a keygen operation (e.g ec) occurs for the fips module.
The callback information is stored inside the applications library context, but this was not being triggered since the
library context used for the key generation operation was the internal library context used by the fips module (which is not
the same as the application's library context). During the keygen operation the OSSL_SELF_TEST_get_callback() function is used
to retrieve the callback info.
By having a seperate copy of OSSL_SELF_TEST_get_callback() for the fips module we can ensure that the parent library context
is used instead.
The core OSSL_SELF_TEST_get_callback() function pointer is passed across the boundary during the fips modules entry point
such that the fips version of the function can call it after changing the libctx.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12877)
---

diff --git a/crypto/self_test_core.c b/crypto/self_test_core.c
index ca8925abe50..7aa8490ddf4 100644
--- a/crypto/self_test_core.c
+++ b/crypto/self_test_core.c
@@ -31,6 +31,7 @@ struct ossl_self_test_st
     void *cb_arg;
 };
 
+#ifndef FIPS_MODULE
 static void *self_test_set_callback_new(OPENSSL_CTX *ctx)
 {
     SELF_TEST_CB *stcb;
@@ -55,7 +56,6 @@ static SELF_TEST_CB *get_self_test_callback(OPENSSL_CTX *libctx)
                                 &self_test_set_callback_method);
 }
 
-#ifndef FIPS_MODULE
 void OSSL_SELF_TEST_set_callback(OPENSSL_CTX *libctx, OSSL_CALLBACK *cb,
                                  void *cbarg)
 {
@@ -66,7 +66,6 @@ void OSSL_SELF_TEST_set_callback(OPENSSL_CTX *libctx, OSSL_CALLBACK *cb,
         stcb->cbarg = cbarg;
     }
 }
-#endif /* FIPS_MODULE */
 
 void OSSL_SELF_TEST_get_callback(OPENSSL_CTX *libctx, OSSL_CALLBACK **cb,
                                  void **cbarg)
@@ -78,6 +77,7 @@ void OSSL_SELF_TEST_get_callback(OPENSSL_CTX *libctx, OSSL_CALLBACK **cb,
     if (cbarg != NULL)
         *cbarg = (stcb != NULL ? stcb->cbarg : NULL);
 }
+#endif /* FIPS_MODULE */
 
 static void self_test_setparams(OSSL_SELF_TEST *st)
 {
diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c
index 9cf43eb4919..d2ea505230c 100644
--- a/providers/fips/fipsprov.c
+++ b/providers/fips/fipsprov.c
@@ -886,3 +886,20 @@ int FIPS_security_check_enabled(void)
 {
     return fips_security_checks;
 }
+
+void OSSL_SELF_TEST_get_callback(OPENSSL_CTX *libctx, OSSL_CALLBACK **cb,
+                                 void **cbarg)
+{
+    if (libctx == NULL)
+        libctx = selftest_params.libctx;
+
+    if (c_stcbfn != NULL && c_get_libctx != NULL) {
+        /* Get the parent libctx */
+        c_stcbfn(c_get_libctx(FIPS_get_core_handle(libctx)), cb, cbarg);
+    } else {
+        if (cb != NULL)
+            *cb = NULL;
+        if (cbarg != NULL)
+            *cbarg = NULL;
+    }
+}
diff --git a/test/acvp_test.c b/test/acvp_test.c
index b33881d4dbf..3e9631065ad 100644
--- a/test/acvp_test.c
+++ b/test/acvp_test.c
@@ -14,6 +14,7 @@
  * providers/fips/self_test_kats.c
  */
 
+#include <string.h>
 #include <openssl/opensslconf.h> /* To see if OPENSSL_NO_EC is defined */
 #include <openssl/core_names.h>
 #include <openssl/evp.h>
@@ -23,14 +24,12 @@
 #include <openssl/rsa.h>
 #include <openssl/param_build.h>
 #include <openssl/provider.h>
+#include <openssl/self_test.h>
 #include "testutil.h"
 #include "testutil/output.h"
 #include "acvp_test.inc"
 #include "internal/nelem.h"
 
-static OSSL_PROVIDER *prov_null = NULL;
-static OPENSSL_CTX *libctx = NULL;
-
 typedef enum OPTION_choice {
     OPT_ERR = -1,
     OPT_EOF = 0,
@@ -38,6 +37,16 @@ typedef enum OPTION_choice {
     OPT_TEST_ENUM
 } OPTION_CHOICE;
 
+typedef struct st_args {
+    int enable;
+    int called;
+} SELF_TEST_ARGS;
+
+static OSSL_PROVIDER *prov_null = NULL;
+static OPENSSL_CTX *libctx = NULL;
+static SELF_TEST_ARGS self_test_args = { 0 };
+static OSSL_CALLBACK self_test_events;
+
 const OPTIONS *test_get_options(void)
 {
     static const OPTIONS test_options[] = {
@@ -119,10 +128,13 @@ static int ecdsa_keygen_test(int id)
     size_t priv_len = 0, pubx_len = 0, puby_len = 0;
     const struct ecdsa_keygen_st *tst = &ecdsa_keygen_data[id];
 
+    self_test_args.called = 0;
+    self_test_args.enable = 1;
     if (!TEST_ptr(ctx = EVP_PKEY_CTX_new_from_name(libctx, "EC", NULL))
         || !TEST_int_gt(EVP_PKEY_keygen_init(ctx), 0)
         || !TEST_true(EVP_PKEY_CTX_set_group_name(ctx, tst->curve_name))
         || !TEST_int_gt(EVP_PKEY_keygen(ctx, &pkey), 0)
+        || !TEST_int_eq(self_test_args.called, 3)
         || !TEST_true(pkey_get_bn_bytes(pkey, OSSL_PKEY_PARAM_PRIV_KEY, &priv,
                                         &priv_len))
         || !TEST_true(pkey_get_bn_bytes(pkey, OSSL_PKEY_PARAM_EC_PUB_X, &pubx,
@@ -136,6 +148,8 @@ static int ecdsa_keygen_test(int id)
     test_output_memory("d", priv, priv_len);
     ret = 1;
 err:
+    self_test_args.enable = 0;
+    self_test_args.called = 0;
     OPENSSL_clear_free(priv, priv_len);
     OPENSSL_free(pubx);
     OPENSSL_free(puby);
@@ -1292,6 +1306,37 @@ err:
 }
 #endif /* OPENSSL_NO_RSA */
 
+static int self_test_events(const OSSL_PARAM params[], void *varg)
+{
+    SELF_TEST_ARGS *args = varg;
+    const OSSL_PARAM *p = NULL;
+    const char *phase = NULL, *type = NULL, *desc = NULL;
+    int ret = 0;
+
+    if (!args->enable)
+        return 1;
+
+    args->called++;
+    p = OSSL_PARAM_locate_const(params, OSSL_PROV_PARAM_SELF_TEST_PHASE);
+    if (p == NULL || p->data_type != OSSL_PARAM_UTF8_STRING)
+        goto err;
+    phase = (const char *)p->data;
+
+    p = OSSL_PARAM_locate_const(params, OSSL_PROV_PARAM_SELF_TEST_DESC);
+    if (p == NULL || p->data_type != OSSL_PARAM_UTF8_STRING)
+        goto err;
+    desc = (const char *)p->data;
+
+    p = OSSL_PARAM_locate_const(params, OSSL_PROV_PARAM_SELF_TEST_TYPE);
+    if (p == NULL || p->data_type != OSSL_PARAM_UTF8_STRING)
+        goto err;
+    type = (const char *)p->data;
+
+    BIO_printf(bio_out, "%s %s %s\n", phase, desc, type);
+    ret = 1;
+err:
+    return ret;
+}
 
 int setup_tests(void)
 {
@@ -1324,6 +1369,7 @@ int setup_tests(void)
         opt_printf_stderr("Failed to load config\n");
         return 0;
     }
+    OSSL_SELF_TEST_set_callback(libctx, self_test_events, &self_test_args);
 
     ADD_ALL_TESTS(cipher_enc_dec_test, OSSL_NELEM(cipher_enc_data));
     ADD_ALL_TESTS(aes_ccm_enc_dec_test, OSSL_NELEM(aes_ccm_enc_data));
diff --git a/test/evp_libctx_test.c b/test/evp_libctx_test.c
index e42d6683e70..4325cc272fa 100644
--- a/test/evp_libctx_test.c
+++ b/test/evp_libctx_test.c
@@ -644,14 +644,11 @@ int setup_tests(void)
         return 0;
 
     libctx = OPENSSL_CTX_new();
-
     if (!TEST_ptr(libctx))
         return 0;
-
-    if (config_file != NULL) {
-        if (!TEST_true(OPENSSL_CTX_load_config(libctx, config_file)))
-            return 0;
-    }
+    if (config_file != NULL
+        && !TEST_true(OPENSSL_CTX_load_config(libctx, config_file)))
+        return 0;
 
     libprov = OSSL_PROVIDER_load(libctx, prov_name);
     if (!TEST_ptr(libprov))