From: Shane Lontis <shane.lontis@oracle.com>
Date: Tue, 21 Jul 2020 00:51:33 +0000 (+1000)
Subject: Cleanup fips provider init
X-Git-Tag: openssl-3.0.0-alpha6~76
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=dcb71e1c21ad46bc9258d388b98156ae48de0af4;p=thirdparty%2Fopenssl.git

Cleanup fips provider init

Removed dummy evp_test
Changed all algorithm properties to use fips=yes (except for RAND_TEST) (This changes the DRBG and ECX settings)
Removed unused includes.
Added TODO(3.0) for issue(s) that need to be resolved.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12498)
---

diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c
index c91ad1c6d73..77cd75fcdff 100644
--- a/providers/fips/fipsprov.c
+++ b/providers/fips/fipsprov.c
@@ -7,27 +7,13 @@
  * https://www.openssl.org/source/license.html
  */
 
-#include <string.h>
-#include <stdio.h>
-#include <openssl/core.h>
 #include <openssl/core_dispatch.h>
 #include <openssl/core_names.h>
 #include <openssl/params.h>
-#include <openssl/err.h>
-#include <openssl/evp.h>
-#include <openssl/kdf.h>
-
-/* TODO(3.0): Needed for dummy_evp_call(). To be removed */
-#include <openssl/sha.h>
-#include <openssl/rand_drbg.h>
-#include <openssl/ec.h>
+#include <openssl/obj_mac.h> /* NIDs used by ossl_prov_util_nid_to_name() */
 #include <openssl/fips_names.h>
-
+#include <openssl/rand_drbg.h> /* OPENSSL_CTX_get0_public_drbg() */
 #include "internal/cryptlib.h"
-#include "internal/property.h"
-#include "internal/nelem.h"
-#include "openssl/param_build.h"
-#include "crypto/evp.h"
 #include "prov/implementations.h"
 #include "prov/provider_ctx.h"
 #include "prov/providercommon.h"
@@ -35,6 +21,9 @@
 #include "prov/provider_util.h"
 #include "self_test.h"
 
+static const char FIPS_DEFAULT_PROPERTIES[] = "provider=fips,fips=yes";
+static const char FIPS_UNAPPROVED_PROPERTIES[] = "provider=fips,fips=no";
+
 /*
  * Forward declarations to ensure that interface functions are correctly
  * defined.
@@ -44,7 +33,7 @@ static OSSL_FUNC_provider_gettable_params_fn fips_gettable_params;
 static OSSL_FUNC_provider_get_params_fn fips_get_params;
 static OSSL_FUNC_provider_query_operation_fn fips_query;
 
-#define ALGC(NAMES, FUNC, CHECK) { { NAMES, "provider=fips,fips=yes", FUNC }, CHECK }
+#define ALGC(NAMES, FUNC, CHECK) { { NAMES, FIPS_DEFAULT_PROPERTIES, FUNC }, CHECK }
 #define ALG(NAMES, FUNC) ALGC(NAMES, FUNC, NULL)
 
 extern OSSL_FUNC_core_thread_start_fn *c_thread_start;
@@ -137,87 +126,6 @@ static OSSL_PARAM core_params[] =
     OSSL_PARAM_END
 };
 
-/* TODO(3.0): To be removed */
-static int dummy_evp_call(OPENSSL_CTX *libctx)
-{
-    EVP_MD_CTX *ctx = EVP_MD_CTX_new();
-    EVP_MD *sha256 = EVP_MD_fetch(libctx, "SHA256", NULL);
-    EVP_KDF *kdf = EVP_KDF_fetch(libctx, OSSL_KDF_NAME_PBKDF2, NULL);
-    unsigned char dgst[SHA256_DIGEST_LENGTH];
-    unsigned int dgstlen;
-    int ret = 0;
-    BN_CTX *bnctx = NULL;
-    BIGNUM *a = NULL, *b = NULL;
-    unsigned char randbuf[128];
-    RAND_DRBG *drbg = OPENSSL_CTX_get0_public_drbg(libctx);
-#ifndef OPENSSL_NO_EC
-    EC_KEY *key = NULL;
-#endif
-
-    static const char msg[] = "Hello World!";
-    static const unsigned char exptd[] = {
-        0x7f, 0x83, 0xb1, 0x65, 0x7f, 0xf1, 0xfc, 0x53, 0xb9, 0x2d, 0xc1, 0x81,
-        0x48, 0xa1, 0xd6, 0x5d, 0xfc, 0x2d, 0x4b, 0x1f, 0xa3, 0xd6, 0x77, 0x28,
-        0x4a, 0xdd, 0xd2, 0x00, 0x12, 0x6d, 0x90, 0x69
-    };
-
-    if (ctx == NULL || sha256 == NULL || drbg == NULL || kdf == NULL)
-        goto err;
-
-    if (!EVP_DigestInit_ex(ctx, sha256, NULL))
-        goto err;
-    if (!EVP_DigestUpdate(ctx, msg, sizeof(msg) - 1))
-        goto err;
-    if (!EVP_DigestFinal(ctx, dgst, &dgstlen))
-        goto err;
-    if (dgstlen != sizeof(exptd) || memcmp(dgst, exptd, sizeof(exptd)) != 0)
-        goto err;
-
-    bnctx = BN_CTX_new_ex(libctx);
-    if (bnctx == NULL)
-        goto err;
-    BN_CTX_start(bnctx);
-    a = BN_CTX_get(bnctx);
-    b = BN_CTX_get(bnctx);
-    if (b == NULL)
-        goto err;
-    BN_zero(a);
-    if (!BN_one(b)
-        || !BN_add(a, a, b)
-        || BN_cmp(a, b) != 0)
-        goto err;
-
-    if (RAND_DRBG_bytes(drbg, randbuf, sizeof(randbuf)) <= 0)
-        goto err;
-
-    if (!BN_rand_ex(a, 256, BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY, bnctx))
-        goto err;
-
-#ifndef OPENSSL_NO_EC
-    /* Do some dummy EC calls */
-    key = EC_KEY_new_by_curve_name_with_libctx(libctx, NULL, NID_X9_62_prime256v1);
-    if (key == NULL)
-        goto err;
-
-    if (!EC_KEY_generate_key(key))
-        goto err;
-#endif
-
-    ret = 1;
- err:
-    BN_CTX_end(bnctx);
-    BN_CTX_free(bnctx);
-
-    EVP_KDF_free(kdf);
-    EVP_MD_CTX_free(ctx);
-    EVP_MD_free(sha256);
-
-#ifndef OPENSSL_NO_EC
-    EC_KEY_free(key);
-#endif
-    return ret;
-}
-
 static const OSSL_PARAM *fips_gettable_params(void *provctx)
 {
     return fips_param_types;
@@ -241,6 +149,7 @@ static int fips_get_params(void *provctx, OSSL_PARAM params[])
 }
 
 /* FIPS specific version of the function of the same name in provlib.c */
+/* TODO(3.0) - Is this function needed ? */
 const char *ossl_prov_util_nid_to_name(int nid)
 {
     /* We don't have OBJ_nid2n() in FIPS_MODULE so we have an explicit list */
@@ -362,32 +271,32 @@ const char *ossl_prov_util_nid_to_name(int nid)
  */
 static const OSSL_ALGORITHM fips_digests[] = {
     /* Our primary name:NiST name[:our older names] */
-    { "SHA1:SHA-1", "provider=fips,fips=yes", sha1_functions },
-    { "SHA2-224:SHA-224:SHA224", "provider=fips,fips=yes", sha224_functions },
-    { "SHA2-256:SHA-256:SHA256", "provider=fips,fips=yes", sha256_functions },
-    { "SHA2-384:SHA-384:SHA384", "provider=fips,fips=yes", sha384_functions },
-    { "SHA2-512:SHA-512:SHA512", "provider=fips,fips=yes", sha512_functions },
-    { "SHA2-512/224:SHA-512/224:SHA512-224", "provider=fips,fips=yes",
+    { "SHA1:SHA-1", FIPS_DEFAULT_PROPERTIES, sha1_functions },
+    { "SHA2-224:SHA-224:SHA224", FIPS_DEFAULT_PROPERTIES, sha224_functions },
+    { "SHA2-256:SHA-256:SHA256", FIPS_DEFAULT_PROPERTIES, sha256_functions },
+    { "SHA2-384:SHA-384:SHA384", FIPS_DEFAULT_PROPERTIES, sha384_functions },
+    { "SHA2-512:SHA-512:SHA512", FIPS_DEFAULT_PROPERTIES, sha512_functions },
+    { "SHA2-512/224:SHA-512/224:SHA512-224", FIPS_DEFAULT_PROPERTIES,
       sha512_224_functions },
-    { "SHA2-512/256:SHA-512/256:SHA512-256", "provider=fips,fips=yes",
+    { "SHA2-512/256:SHA-512/256:SHA512-256", FIPS_DEFAULT_PROPERTIES,
       sha512_256_functions },
 
     /* We agree with NIST here, so one name only */
-    { "SHA3-224", "provider=fips,fips=yes", sha3_224_functions },
-    { "SHA3-256", "provider=fips,fips=yes", sha3_256_functions },
-    { "SHA3-384", "provider=fips,fips=yes", sha3_384_functions },
-    { "SHA3-512", "provider=fips,fips=yes", sha3_512_functions },
+    { "SHA3-224", FIPS_DEFAULT_PROPERTIES, sha3_224_functions },
+    { "SHA3-256", FIPS_DEFAULT_PROPERTIES, sha3_256_functions },
+    { "SHA3-384", FIPS_DEFAULT_PROPERTIES, sha3_384_functions },
+    { "SHA3-512", FIPS_DEFAULT_PROPERTIES, sha3_512_functions },
 
-    { "SHAKE-128:SHAKE128", "provider=fips,fips=yes", shake_128_functions },
-    { "SHAKE-256:SHAKE256", "provider=fips,fips=yes", shake_256_functions },
+    { "SHAKE-128:SHAKE128", FIPS_DEFAULT_PROPERTIES, shake_128_functions },
+    { "SHAKE-256:SHAKE256", FIPS_DEFAULT_PROPERTIES, shake_256_functions },
 
     /*
      * KECCAK-KMAC-128 and KECCAK-KMAC-256 as hashes are mostly useful for
      * KMAC128 and KMAC256.
      */
-    { "KECCAK-KMAC-128:KECCAK-KMAC128", "provider=fips,fips=yes",
+    { "KECCAK-KMAC-128:KECCAK-KMAC128", FIPS_DEFAULT_PROPERTIES,
       keccak_kmac_128_functions },
-    { "KECCAK-KMAC-256:KECCAK-KMAC256", "provider=fips,fips=yes",
+    { "KECCAK-KMAC-256:KECCAK-KMAC256", FIPS_DEFAULT_PROPERTIES,
       keccak_kmac_256_functions },
     { NULL, NULL, NULL }
 };
@@ -453,80 +362,80 @@ static OSSL_ALGORITHM exported_fips_ciphers[OSSL_NELEM(fips_ciphers)];
 
 static const OSSL_ALGORITHM fips_macs[] = {
 #ifndef OPENSSL_NO_CMAC
-    { "CMAC", "provider=fips,fips=yes", cmac_functions },
+    { "CMAC", FIPS_DEFAULT_PROPERTIES, cmac_functions },
 #endif
-    { "GMAC", "provider=fips,fips=yes", gmac_functions },
-    { "HMAC", "provider=fips,fips=yes", hmac_functions },
-    { "KMAC-128:KMAC128", "provider=fips,fips=yes", kmac128_functions },
-    { "KMAC-256:KMAC256", "provider=fips,fips=yes", kmac256_functions },
+    { "GMAC", FIPS_DEFAULT_PROPERTIES, gmac_functions },
+    { "HMAC", FIPS_DEFAULT_PROPERTIES, hmac_functions },
+    { "KMAC-128:KMAC128", FIPS_DEFAULT_PROPERTIES, kmac128_functions },
+    { "KMAC-256:KMAC256", FIPS_DEFAULT_PROPERTIES, kmac256_functions },
     { NULL, NULL, NULL }
 };
 
 static const OSSL_ALGORITHM fips_kdfs[] = {
-    { "HKDF", "provider=fips,fips=yes", kdf_hkdf_functions },
-    { "SSKDF", "provider=fips,fips=yes", kdf_sskdf_functions },
-    { "PBKDF2", "provider=fips,fips=yes", kdf_pbkdf2_functions },
-    { "SSHKDF", "provider=fips,fips=yes", kdf_sshkdf_functions },
-    { "X963KDF", "provider=fips,fips=yes", kdf_x963_kdf_functions },
-    { "TLS1-PRF", "provider=fips,fips=yes", kdf_tls1_prf_functions },
-    { "KBKDF", "provider=fips,fips=yes", kdf_kbkdf_functions },
+    { "HKDF", FIPS_DEFAULT_PROPERTIES, kdf_hkdf_functions },
+    { "SSKDF", FIPS_DEFAULT_PROPERTIES, kdf_sskdf_functions },
+    { "PBKDF2", FIPS_DEFAULT_PROPERTIES, kdf_pbkdf2_functions },
+    { "SSHKDF", FIPS_DEFAULT_PROPERTIES, kdf_sshkdf_functions },
+    { "X963KDF", FIPS_DEFAULT_PROPERTIES, kdf_x963_kdf_functions },
+    { "TLS1-PRF", FIPS_DEFAULT_PROPERTIES, kdf_tls1_prf_functions },
+    { "KBKDF", FIPS_DEFAULT_PROPERTIES, kdf_kbkdf_functions },
     { NULL, NULL, NULL }
 };
 
 static const OSSL_ALGORITHM fips_rands[] = {
-    { "CTR-DRBG", "provider=fips", drbg_ctr_functions },
-    { "HASH-DRBG", "provider=fips", drbg_hash_functions },
-    { "HMAC-DRBG", "provider=fips", drbg_hmac_functions },
-    { "TEST-RAND", "provider=fips", test_rng_functions },
+    { "CTR-DRBG", FIPS_DEFAULT_PROPERTIES, drbg_ctr_functions },
+    { "HASH-DRBG", FIPS_DEFAULT_PROPERTIES, drbg_hash_functions },
+    { "HMAC-DRBG", FIPS_DEFAULT_PROPERTIES, drbg_hmac_functions },
+    { "TEST-RAND", FIPS_UNAPPROVED_PROPERTIES, test_rng_functions },
     { NULL, NULL, NULL }
 };
 
 static const OSSL_ALGORITHM fips_keyexch[] = {
 #ifndef OPENSSL_NO_DH
-    { "DH:dhKeyAgreement", "provider=fips,fips=yes", dh_keyexch_functions },
+    { "DH:dhKeyAgreement", FIPS_DEFAULT_PROPERTIES, dh_keyexch_functions },
 #endif
 #ifndef OPENSSL_NO_EC
-    { "ECDH", "provider=fips,fips=yes", ecdh_keyexch_functions },
-    { "X25519", "provider=fips,fips=no", x25519_keyexch_functions },
-    { "X448", "provider=fips,fips=no", x448_keyexch_functions },
+    { "ECDH", FIPS_DEFAULT_PROPERTIES, ecdh_keyexch_functions },
+    { "X25519", FIPS_DEFAULT_PROPERTIES, x25519_keyexch_functions },
+    { "X448", FIPS_DEFAULT_PROPERTIES, x448_keyexch_functions },
 #endif
     { NULL, NULL, NULL }
 };
 
 static const OSSL_ALGORITHM fips_signature[] = {
 #ifndef OPENSSL_NO_DSA
-    { "DSA:dsaEncryption", "provider=fips,fips=yes", dsa_signature_functions },
+    { "DSA:dsaEncryption", FIPS_DEFAULT_PROPERTIES, dsa_signature_functions },
 #endif
-    { "RSA:rsaEncryption", "provider=fips,fips=yes", rsa_signature_functions },
+    { "RSA:rsaEncryption", FIPS_DEFAULT_PROPERTIES, rsa_signature_functions },
 #ifndef OPENSSL_NO_EC
-    { "ED25519", "provider=fips,fips=no", ed25519_signature_functions },
-    { "ED448", "provider=fips,fips=no", ed448_signature_functions },
-    { "ECDSA", "provider=fips,fips=yes", ecdsa_signature_functions },
+    { "ED25519", FIPS_DEFAULT_PROPERTIES, ed25519_signature_functions },
+    { "ED448", FIPS_DEFAULT_PROPERTIES, ed448_signature_functions },
+    { "ECDSA", FIPS_DEFAULT_PROPERTIES, ecdsa_signature_functions },
 #endif
     { NULL, NULL, NULL }
 };
 
 static const OSSL_ALGORITHM fips_asym_cipher[] = {
-    { "RSA:rsaEncryption", "provider=fips,fips=yes", rsa_asym_cipher_functions },
+    { "RSA:rsaEncryption", FIPS_DEFAULT_PROPERTIES, rsa_asym_cipher_functions },
     { NULL, NULL, NULL }
 };
 
 static const OSSL_ALGORITHM fips_keymgmt[] = {
 #ifndef OPENSSL_NO_DH
-    { "DH:dhKeyAgreement", "provider=fips,fips=yes", dh_keymgmt_functions },
+    { "DH:dhKeyAgreement", FIPS_DEFAULT_PROPERTIES, dh_keymgmt_functions },
 #endif
 #ifndef OPENSSL_NO_DSA
-    { "DSA", "provider=fips,fips=yes", dsa_keymgmt_functions },
+    { "DSA", FIPS_DEFAULT_PROPERTIES, dsa_keymgmt_functions },
 #endif
-    { "RSA:rsaEncryption", "provider=fips,fips=yes", rsa_keymgmt_functions },
-    { "RSA-PSS:RSASSA-PSS", "provider=fips,fips=yes",
+    { "RSA:rsaEncryption", FIPS_DEFAULT_PROPERTIES, rsa_keymgmt_functions },
+    { "RSA-PSS:RSASSA-PSS", FIPS_DEFAULT_PROPERTIES,
       rsapss_keymgmt_functions },
 #ifndef OPENSSL_NO_EC
-    { "EC:id-ecPublicKey", "provider=fips,fips=yes", ec_keymgmt_functions },
-    { "X25519", "provider=fips,fips=no", x25519_keymgmt_functions },
-    { "X448", "provider=fips,fips=no", x448_keymgmt_functions },
-    { "ED25519", "provider=fips,fips=no", ed25519_keymgmt_functions },
-    { "ED448", "provider=fips,fips=no", ed448_keymgmt_functions },
+    { "EC:id-ecPublicKey", FIPS_DEFAULT_PROPERTIES, ec_keymgmt_functions },
+    { "X25519", FIPS_DEFAULT_PROPERTIES, x25519_keymgmt_functions },
+    { "X448", FIPS_DEFAULT_PROPERTIES, x448_keymgmt_functions },
+    { "ED25519", FIPS_DEFAULT_PROPERTIES, ed25519_keymgmt_functions },
+    { "ED448", FIPS_DEFAULT_PROPERTIES, ed448_keymgmt_functions },
 #endif
     { NULL, NULL, NULL }
 };
@@ -732,12 +641,8 @@ int OSSL_provider_init(const OSSL_CORE_HANDLE *handle,
         goto err;
     }
 
-    /*
-     * TODO(3.0): Remove me. This is just a dummy call to demonstrate making
-     * EVP calls from within the FIPS module.
-     */
-    if (!dummy_evp_call(libctx))
-        goto err;
+    /* TODO(3.0): Tests will hang if this is removed */
+    (void)OPENSSL_CTX_get0_public_drbg(libctx);
 
     *out = fips_dispatch_table;
     return 1;