[openssl] master update

Matt Caswell matt at openssl.org
Thu Apr 4 22:14:58 UTC 2019


The branch master has been updated
       via  0be2cc5eb3faa2c79a705fee5977fa49841c1799 (commit)
       via  1576dfe090c9566737f026b7d66a9dd7657e499a (commit)
       via  e75455173bd0024ce11a83686bc9dad614068455 (commit)
       via  9efa0ae0b602c1c0e356009a58410a2e8b80201a (commit)
      from  ecbfaef2aad61fae0c29c04287913af11981b82e (commit)


- Log -----------------------------------------------------------------
commit 0be2cc5eb3faa2c79a705fee5977fa49841c1799
Author: Matt Caswell <matt at openssl.org>
Date:   Thu Mar 21 16:41:25 2019 +0000

    Complain if there are missing symbols when creating a provider .so file
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/8537)

commit 1576dfe090c9566737f026b7d66a9dd7657e499a
Author: Matt Caswell <matt at openssl.org>
Date:   Thu Mar 21 11:57:35 2019 +0000

    Test that we can use the FIPS provider
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/8537)

commit e75455173bd0024ce11a83686bc9dad614068455
Author: Matt Caswell <matt at openssl.org>
Date:   Wed Mar 20 14:29:05 2019 +0000

    Add a no-fips Configure option
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/8537)

commit 9efa0ae0b602c1c0e356009a58410a2e8b80201a
Author: Matt Caswell <matt at openssl.org>
Date:   Wed Mar 20 14:27:52 2019 +0000

    Create a FIPS provider and put SHA256 in it
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/8537)

-----------------------------------------------------------------------

Summary of changes:
 Configurations/shared-info.pl                      |  1 +
 Configure                                          |  7 +-
 INSTALL                                            |  3 +
 crypto/build.info                                  |  5 ++
 crypto/mem.c                                       | 12 +--
 crypto/params.c                                    |  8 ++
 crypto/sha/build.info                              |  2 +
 providers/build.info                               | 11 +++
 providers/common/digests/build.info                |  4 +-
 providers/fips/build.info                          |  2 +
 providers/{default/defltprov.c => fips/fipsprov.c} | 38 +++++-----
 test/build.info                                    |  3 +
 test/evp_extra_test.c                              | 86 +++++++++++++++++-----
 test/recipes/30-test_evp_extra.t                   |  5 +-
 14 files changed, 139 insertions(+), 48 deletions(-)
 create mode 100644 providers/fips/build.info
 copy providers/{default/defltprov.c => fips/fipsprov.c} (66%)

diff --git a/Configurations/shared-info.pl b/Configurations/shared-info.pl
index 3df12a3..f821ad7 100644
--- a/Configurations/shared-info.pl
+++ b/Configurations/shared-info.pl
@@ -32,6 +32,7 @@ my %shared_info;
         return {
             %{$shared_info{'gnu-shared'}},
             shared_defflag    => '-Wl,--version-script=',
+            dso_ldflags       => '-z defs',
         };
     },
     'bsd-gcc-shared' => sub { return $shared_info{'linux-shared'}; },
diff --git a/Configure b/Configure
index 62f4af5..6702bc6 100755
--- a/Configure
+++ b/Configure
@@ -369,6 +369,7 @@ my @disablables = (
     "err",
     "external-tests",
     "filenames",
+    "fips",
     "fuzz-libfuzzer",
     "fuzz-afl",
     "gost",
@@ -512,6 +513,8 @@ my @disable_cascades = (
     # or modules.
     "pic"               => [ "shared", "module" ],
 
+    "module"            => [ "fips" ],
+
     "engine"            => [ grep /eng$/, @disablables ],
     "hw"                => [ "padlockeng" ],
 
@@ -1221,8 +1224,8 @@ foreach my $what (sort keys %disabled) {
 
     $config{options} .= " no-$what";
 
-    if (!grep { $what eq $_ } ( 'buildtest-c++', 'threads', 'shared', 'module',
-                                'pic', 'dynamic-engine', 'makedepend',
+    if (!grep { $what eq $_ } ( 'buildtest-c++', 'fips', 'threads', 'shared',
+                                'module', 'pic', 'dynamic-engine', 'makedepend',
                                 'zlib-dynamic', 'zlib', 'sse2' )) {
         (my $WHAT = uc $what) =~ s|-|_|g;
         my $skipdir = $what;
diff --git a/INSTALL b/INSTALL
index 5185033..c496e79 100644
--- a/INSTALL
+++ b/INSTALL
@@ -394,6 +394,9 @@
                    Don't compile in filename and line number information (e.g.
                    for errors and memory allocation).
 
+  no-fips
+                   Don't compile the FIPS module
+
   enable-fuzz-libfuzzer, enable-fuzz-afl
                    Build with support for fuzzing using either libfuzzer or AFL.
                    These are developer options only. They may not work on all
diff --git a/crypto/build.info b/crypto/build.info
index a6f3524..77dcffb 100644
--- a/crypto/build.info
+++ b/crypto/build.info
@@ -21,6 +21,11 @@ SOURCE[../libcrypto]=\
         trace.c provider.c params.c \
         {- $target{cpuid_asm_src} -} {- $target{uplink_aux_src} -}
 
+# FIPS module
+SOURCE[../providers/fips]=\
+        cryptlib.c mem.c mem_clr.c params.c
+
+
 DEPEND[cversion.o]=buildinf.h
 GENERATE[buildinf.h]=../util/mkbuildinf.pl "$(CC) $(LIB_CFLAGS) $(CPPFLAGS_Q)" "$(PLATFORM)"
 DEPEND[buildinf.h]=../configdata.pm
diff --git a/crypto/mem.c b/crypto/mem.c
index 5feece3..562d6b5 100644
--- a/crypto/mem.c
+++ b/crypto/mem.c
@@ -14,7 +14,7 @@
 #include <stdlib.h>
 #include <limits.h>
 #include <openssl/crypto.h>
-#ifndef OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE
+#if !defined(OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE) && !defined(FIPS_MODE)
 # include <execinfo.h>
 #endif
 
@@ -30,7 +30,7 @@ static void *(*realloc_impl)(void *, size_t, const char *, int)
 static void (*free_impl)(void *, const char *, int)
     = CRYPTO_free;
 
-#ifndef OPENSSL_NO_CRYPTO_MDEBUG
+#if !defined(OPENSSL_NO_CRYPTO_MDEBUG) && !defined(FIPS_MODE)
 # include "internal/tsan_assist.h"
 
 static TSAN_QUALIFIER int malloc_count;
@@ -94,7 +94,7 @@ void CRYPTO_get_mem_functions(
         *f = free_impl;
 }
 
-#ifndef OPENSSL_NO_CRYPTO_MDEBUG
+#if !defined(OPENSSL_NO_CRYPTO_MDEBUG) && !defined(FIPS_MODE)
 void CRYPTO_get_alloc_counts(int *mcount, int *rcount, int *fcount)
 {
     if (mcount != NULL)
@@ -209,7 +209,7 @@ void *CRYPTO_malloc(size_t num, const char *file, int line)
          */
         allow_customize = 0;
     }
-#ifndef OPENSSL_NO_CRYPTO_MDEBUG
+#if !defined(OPENSSL_NO_CRYPTO_MDEBUG) && !defined(FIPS_MODE)
     if (call_malloc_debug) {
         CRYPTO_mem_debug_malloc(NULL, num, 0, file, line);
         ret = malloc(num);
@@ -250,7 +250,7 @@ void *CRYPTO_realloc(void *str, size_t num, const char *file, int line)
         return NULL;
     }
 
-#ifndef OPENSSL_NO_CRYPTO_MDEBUG
+#if !defined(OPENSSL_NO_CRYPTO_MDEBUG) && !defined(FIPS_MODE)
     if (call_malloc_debug) {
         void *ret;
         CRYPTO_mem_debug_realloc(str, NULL, num, 0, file, line);
@@ -300,7 +300,7 @@ void CRYPTO_free(void *str, const char *file, int line)
         return;
     }
 
-#ifndef OPENSSL_NO_CRYPTO_MDEBUG
+#if !defined(OPENSSL_NO_CRYPTO_MDEBUG) && !defined(FIPS_MODE)
     if (call_malloc_debug) {
         CRYPTO_mem_debug_free(str, 0, file, line);
         free(str);
diff --git a/crypto/params.c b/crypto/params.c
index 367b2ab..8eef736 100644
--- a/crypto/params.c
+++ b/crypto/params.c
@@ -348,6 +348,13 @@ OSSL_PARAM OSSL_PARAM_construct_size_t(const char *key, size_t *buf,
     return ossl_param_construct(key, OSSL_PARAM_UNSIGNED_INTEGER, buf,
                                 sizeof(size_t), rsize); }
 
+#ifndef FIPS_MODE
+/*
+ * TODO(3.0): Make this available in FIPS mode.
+ *
+ * Temporarily we don't include these functions in FIPS mode to avoid pulling
+ * in the entire BN sub-library into the module at this point.
+ */
 int OSSL_PARAM_get_BN(const OSSL_PARAM *p, BIGNUM **val)
 {
     BIGNUM *b;
@@ -387,6 +394,7 @@ OSSL_PARAM OSSL_PARAM_construct_BN(const char *key, unsigned char *buf,
     return ossl_param_construct(key, OSSL_PARAM_UNSIGNED_INTEGER,
                                 buf, bsize, rsize);
 }
+#endif
 
 int OSSL_PARAM_get_double(const OSSL_PARAM *p, double *val)
 {
diff --git a/crypto/sha/build.info b/crypto/sha/build.info
index 58d15bb..242a08e 100644
--- a/crypto/sha/build.info
+++ b/crypto/sha/build.info
@@ -3,6 +3,8 @@ SOURCE[../../libcrypto]=\
         sha1dgst.c sha1_one.c sha256.c sha512.c {- $target{sha1_asm_src} -} \
         {- $target{keccak1600_asm_src} -}
 
+SOURCE[../../providers/fips]= sha256.c
+
 GENERATE[sha1-586.s]=asm/sha1-586.pl \
         $(PERLASM_SCHEME) $(LIB_CFLAGS) $(LIB_CPPFLAGS) $(PROCESSOR)
 DEPEND[sha1-586.s]=../perlasm/x86asm.pl
diff --git a/providers/build.info b/providers/build.info
index ec4162b..b2b5384 100644
--- a/providers/build.info
+++ b/providers/build.info
@@ -1 +1,12 @@
 SUBDIRS=common default
+
+IF[{- !$disabled{fips} -}]
+  SUBDIRS=fips
+  MODULES=fips
+  IF[{- defined $target{shared_defflag} -}]
+    SOURCE[fips]=fips.ld
+    GENERATE[fips.ld]=../util/providers.num
+  ENDIF
+  INCLUDE[fips]=.. ../include ../crypto/include
+  DEFINE[fips]=FIPS_MODE
+ENDIF
diff --git a/providers/common/digests/build.info b/providers/common/digests/build.info
index a3c2369..b98df29 100644
--- a/providers/common/digests/build.info
+++ b/providers/common/digests/build.info
@@ -1,3 +1,5 @@
-LIBS=../../../libcrypto
 SOURCE[../../../libcrypto]=\
         sha2.c
+
+SOURCE[../../fips]=\
+        sha2.c
diff --git a/providers/fips/build.info b/providers/fips/build.info
new file mode 100644
index 0000000..9372062
--- /dev/null
+++ b/providers/fips/build.info
@@ -0,0 +1,2 @@
+
+SOURCE[../fips]=fipsprov.c
diff --git a/providers/default/defltprov.c b/providers/fips/fipsprov.c
similarity index 66%
copy from providers/default/defltprov.c
copy to providers/fips/fipsprov.c
index 9b52429..d3671b5 100644
--- a/providers/default/defltprov.c
+++ b/providers/fips/fipsprov.c
@@ -19,25 +19,25 @@ static OSSL_core_get_param_types_fn *c_get_param_types = NULL;
 static OSSL_core_get_params_fn *c_get_params = NULL;
 
 /* Parameters we provide to the core */
-static const OSSL_ITEM deflt_param_types[] = {
+static const OSSL_ITEM fips_param_types[] = {
     { OSSL_PARAM_UTF8_PTR, OSSL_PROV_PARAM_NAME },
     { OSSL_PARAM_UTF8_PTR, OSSL_PROV_PARAM_VERSION },
     { OSSL_PARAM_UTF8_PTR, OSSL_PROV_PARAM_BUILDINFO },
     { 0, NULL }
 };
 
-static const OSSL_ITEM *deflt_get_param_types(const OSSL_PROVIDER *prov)
+static const OSSL_ITEM *fips_get_param_types(const OSSL_PROVIDER *prov)
 {
-    return deflt_param_types;
+    return fips_param_types;
 }
 
-static int deflt_get_params(const OSSL_PROVIDER *prov,
+static int fips_get_params(const OSSL_PROVIDER *prov,
                             const OSSL_PARAM params[])
 {
     const OSSL_PARAM *p;
 
     p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_NAME);
-    if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "OpenSSL Default Provider"))
+    if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "OpenSSL FIPS Provider"))
         return 0;
     p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_VERSION);
     if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_VERSION_STR))
@@ -51,36 +51,34 @@ static int deflt_get_params(const OSSL_PROVIDER *prov,
 
 extern const OSSL_DISPATCH sha256_functions[];
 
-static const OSSL_ALGORITHM deflt_digests[] = {
-    { "SHA256", "default=yes", sha256_functions },
+static const OSSL_ALGORITHM fips_digests[] = {
+    { "SHA256", "fips=yes", sha256_functions },
     { NULL, NULL, NULL }
 };
 
-static const OSSL_ALGORITHM *deflt_query(OSSL_PROVIDER *prov,
+static const OSSL_ALGORITHM *fips_query(OSSL_PROVIDER *prov,
                                          int operation_id,
                                          int *no_cache)
 {
     *no_cache = 0;
     switch (operation_id) {
     case OSSL_OP_DIGEST:
-        return deflt_digests;
+        return fips_digests;
     }
     return NULL;
 }
 
 /* Functions we provide to the core */
-static const OSSL_DISPATCH deflt_dispatch_table[] = {
-    { OSSL_FUNC_PROVIDER_GET_PARAM_TYPES, (void (*)(void))deflt_get_param_types },
-    { OSSL_FUNC_PROVIDER_GET_PARAMS, (void (*)(void))deflt_get_params },
-    { OSSL_FUNC_PROVIDER_QUERY_OPERATION, (void (*)(void))deflt_query },
+static const OSSL_DISPATCH fips_dispatch_table[] = {
+    { OSSL_FUNC_PROVIDER_GET_PARAM_TYPES, (void (*)(void))fips_get_param_types },
+    { OSSL_FUNC_PROVIDER_GET_PARAMS, (void (*)(void))fips_get_params },
+    { OSSL_FUNC_PROVIDER_QUERY_OPERATION, (void (*)(void))fips_query },
     { 0, NULL }
 };
 
-OSSL_provider_init_fn ossl_default_provider_init;
-
-int ossl_default_provider_init(const OSSL_PROVIDER *provider,
-                               const OSSL_DISPATCH *in,
-                               const OSSL_DISPATCH **out)
+int OSSL_provider_init(const OSSL_PROVIDER *provider,
+                       const OSSL_DISPATCH *in,
+                       const OSSL_DISPATCH **out)
 {
     for (; in->function_id != 0; in++) {
         switch (in->function_id) {
@@ -90,12 +88,12 @@ int ossl_default_provider_init(const OSSL_PROVIDER *provider,
         case OSSL_FUNC_CORE_GET_PARAMS:
             c_get_params = OSSL_get_core_get_params(in);
             break;
+        /* Just ignore anything we don't understand */
         default:
-            /* Just ignore anything we don't understand */
             break;
         }
     }
 
-    *out = deflt_dispatch_table;
+    *out = fips_dispatch_table;
     return 1;
 }
diff --git a/test/build.info b/test/build.info
index 8bf286e..ded3bd7 100644
--- a/test/build.info
+++ b/test/build.info
@@ -186,6 +186,9 @@ IF[{- !$disabled{tests} -}]
   SOURCE[evp_extra_test]=evp_extra_test.c
   INCLUDE[evp_extra_test]=../include ../apps/include ../crypto/include
   DEPEND[evp_extra_test]=../libcrypto libtestutil.a
+  IF[{- $disabled{fips} || !$target{dso_scheme} -}]
+    DEFINE[evp_extra_test]=NO_FIPS_MODULE
+  ENDIF
 
   SOURCE[igetest]=igetest.c
   INCLUDE[igetest]=../include ../apps/include
diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c
index d09eb31..724a144 100644
--- a/test/evp_extra_test.c
+++ b/test/evp_extra_test.c
@@ -1098,12 +1098,14 @@ static int calculate_digest(const EVP_MD *md, const char *msg, size_t len,
  * Test 0: Test with the default OPENSSL_CTX
  * Test 1: Test with an explicit OPENSSL_CTX
  * Test 2: Explicit OPENSSL_CTX with explicit load of default provider
+ * Test 3: Explicit OPENSSL_CTX with explicit load of default and fips provider
+ * Test 4: Explicit OPENSSL_CTX with explicit load of fips provider
  */
 static int test_EVP_MD_fetch(int tst)
 {
     OPENSSL_CTX *ctx = NULL;
     EVP_MD *md = NULL;
-    OSSL_PROVIDER *prov = NULL;
+    OSSL_PROVIDER *defltprov = NULL, *fipsprov = NULL;
     int ret = 0;
     const char testmsg[] = "Hello world";
     const unsigned char exptd[] = {
@@ -1117,9 +1119,14 @@ static int test_EVP_MD_fetch(int tst)
         if (!TEST_ptr(ctx))
             goto err;
 
-        if (tst == 2) {
-            prov = OSSL_PROVIDER_load(ctx, "default");
-            if (!TEST_ptr(prov))
+        if (tst == 2 || tst == 3) {
+            defltprov = OSSL_PROVIDER_load(ctx, "default");
+            if (!TEST_ptr(defltprov))
+                goto err;
+        }
+        if (tst == 3 || tst == 4) {
+            fipsprov = OSSL_PROVIDER_load(ctx, "fips");
+            if (!TEST_ptr(fipsprov))
                 goto err;
         }
     }
@@ -1132,8 +1139,8 @@ static int test_EVP_MD_fetch(int tst)
         goto err;
 
     /*
-     * Test that without loading any providers or specifying any properties we
-     * can get a sha256 md from the default provider.
+     * Test that without specifying any properties we can get a sha256 md from a
+     * provider.
      */
     if (!TEST_ptr(md = EVP_MD_fetch(ctx, "SHA256", NULL))
             || !TEST_ptr(md)
@@ -1152,28 +1159,67 @@ static int test_EVP_MD_fetch(int tst)
     md = NULL;
 
     /*
-     * We've only loaded the default provider so explicitly asking for a
-     * non-default implementation should fail.
+     * In tests 0 - 2 we've only loaded the default provider so explicitly
+     * asking for a non-default implementation should fail. In tests 3 and 4 we
+     * have the FIPS provider loaded so we should succeed in that case.
      */
-    if (!TEST_ptr_null(md = EVP_MD_fetch(ctx, "SHA256", "default=no")))
-        goto err;
+    md = EVP_MD_fetch(ctx, "SHA256", "default=no");
+    if (tst == 3 || tst == 4) {
+        if (!TEST_ptr(md)
+                || !TEST_true(calculate_digest(md, testmsg, sizeof(testmsg),
+                                               exptd)))
+            goto err;
+    } else  {
+        if (!TEST_ptr_null(md))
+            goto err;
+    }
 
-    /* Explicitly asking for the default implementation should succeeed */
-    if (!TEST_ptr(md = EVP_MD_fetch(ctx, "SHA256", "default=yes"))
-            || !TEST_int_eq(EVP_MD_nid(md), NID_sha256)
-            || !TEST_true(calculate_digest(md, testmsg, sizeof(testmsg), exptd))
-            || !TEST_int_eq(EVP_MD_size(md), SHA256_DIGEST_LENGTH)
-            || !TEST_int_eq(EVP_MD_block_size(md), SHA256_CBLOCK))
-        goto err;
+    EVP_MD_meth_free(md);
+    md = NULL;
+
+    /*
+     * Explicitly asking for the default implementation should succeeed except
+     * in test 4 where the default provider is not loaded.
+     */
+    md = EVP_MD_fetch(ctx, "SHA256", "default=yes");
+    if (tst != 4) {
+        if (!TEST_ptr(md)
+                || !TEST_int_eq(EVP_MD_nid(md), NID_sha256)
+                || !TEST_true(calculate_digest(md, testmsg, sizeof(testmsg),
+                                               exptd))
+                || !TEST_int_eq(EVP_MD_size(md), SHA256_DIGEST_LENGTH)
+                || !TEST_int_eq(EVP_MD_block_size(md), SHA256_CBLOCK))
+            goto err;
+    } else {
+        if (!TEST_ptr_null(md))
+            goto err;
+    }
 
     EVP_MD_meth_free(md);
     md = NULL;
 
+    /*
+     * Explicitly asking for a fips implementation should succeed if we have
+     * the FIPS provider loaded and fail otherwise
+     */
+    md = EVP_MD_fetch(ctx, "SHA256", "fips=yes");
+    if (tst == 3 || tst == 4) {
+        if (!TEST_ptr(md)
+                || !TEST_true(calculate_digest(md, testmsg, sizeof(testmsg),
+                                               exptd)))
+            goto err;
+    } else  {
+        if (!TEST_ptr_null(md))
+            goto err;
+    }
+
+
     ret = 1;
 
  err:
     EVP_MD_meth_free(md);
-    OSSL_PROVIDER_unload(prov);
+    OSSL_PROVIDER_unload(defltprov);
+    OSSL_PROVIDER_unload(fipsprov);
     OPENSSL_CTX_free(ctx);
     return ret;
 }
@@ -1207,6 +1253,10 @@ int setup_tests(void)
     ADD_ALL_TESTS(test_invalide_ec_char2_pub_range_decode,
                   OSSL_NELEM(ec_der_pub_keys));
 #endif
+#ifdef NO_FIPS_MODULE
     ADD_ALL_TESTS(test_EVP_MD_fetch, 3);
+#else
+    ADD_ALL_TESTS(test_EVP_MD_fetch, 5);
+#endif
     return 1;
 }
diff --git a/test/recipes/30-test_evp_extra.t b/test/recipes/30-test_evp_extra.t
index 98ecf26..b6fd97a 100644
--- a/test/recipes/30-test_evp_extra.t
+++ b/test/recipes/30-test_evp_extra.t
@@ -10,9 +10,12 @@
 use strict;
 use warnings;
 
-use OpenSSL::Test;
+use OpenSSL::Test qw/:DEFAULT bldtop_dir/;
 
 setup("test_evp_extra");
 
 plan tests => 1;
+
+$ENV{OPENSSL_MODULES} = bldtop_dir("providers");
+
 ok(run(test(["evp_extra_test"])), "running evp_extra_test");


More information about the openssl-commits mailing list