[openssl] master update
shane.lontis at oracle.com
shane.lontis at oracle.com
Sun Aug 18 23:35:01 UTC 2019
The branch master has been updated
via 25e601445ae244ed623b2f5d6b28788488d87663 (commit)
from 5e0d9c861bc44070c61b9b109884dc8aa5e2e8d1 (commit)
- Log -----------------------------------------------------------------
commit 25e601445ae244ed623b2f5d6b28788488d87663
Author: Shane Lontis <shane.lontis at oracle.com>
Date: Mon Aug 19 09:18:33 2019 +1000
Add fips provider code for handling self test data
More PR's related to self test will be derived from this PR.
Note: the code removed in core_get_params() was causing a freeze since the
fips module was being loaded from a config file, which then called core_get_params()
which then tried to init the config fle again...
Reviewed-by: Richard Levitte <levitte at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9596)
-----------------------------------------------------------------------
Summary of changes:
crypto/provider_core.c | 18 ++++++-----
doc/man5/config.pod | 2 +-
doc/man5/fips_config.pod | 71 ++++++++++++++++++++++++++++++++++++++++++
doc/man7/provider-base.pod | 5 +++
include/openssl/core_names.h | 5 +++
include/openssl/core_numbers.h | 12 +++++++
include/openssl/fips_names.h | 46 +++++++++++++++++++++++++++
providers/fips/fipsprov.c | 45 ++++++++++++++++++++++++++
providers/fips/selftest.h | 29 +++++++++++++++++
9 files changed, 225 insertions(+), 8 deletions(-)
create mode 100644 doc/man5/fips_config.pod
create mode 100644 include/openssl/fips_names.h
create mode 100644 providers/fips/selftest.h
diff --git a/crypto/provider_core.c b/crypto/provider_core.c
index 6abada3c4b..541a1e169b 100644
--- a/crypto/provider_core.c
+++ b/crypto/provider_core.c
@@ -9,6 +9,7 @@
#include <openssl/core.h>
#include <openssl/core_numbers.h>
+#include <openssl/core_names.h>
#include <openssl/params.h>
#include <openssl/opensslv.h>
#include "internal/cryptlib_int.h"
@@ -751,7 +752,7 @@ const OSSL_ALGORITHM *ossl_provider_query_operation(const OSSL_PROVIDER *prov,
* never knows.
*/
static const OSSL_PARAM param_types[] = {
- OSSL_PARAM_DEFN("openssl-verstion", OSSL_PARAM_UTF8_PTR, NULL, 0),
+ OSSL_PARAM_DEFN("openssl-version", OSSL_PARAM_UTF8_PTR, NULL, 0),
OSSL_PARAM_DEFN("provider-name", OSSL_PARAM_UTF8_PTR, NULL, 0),
OSSL_PARAM_END
};
@@ -781,16 +782,16 @@ static int core_get_params(const OSSL_PROVIDER *prov, OSSL_PARAM params[])
int i;
OSSL_PARAM *p;
-#ifndef FIPS_MODE
- /* Load config before we attempt to read any provider parameters */
- OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL);
-#endif
-
if ((p = OSSL_PARAM_locate(params, "openssl-version")) != NULL)
OSSL_PARAM_set_utf8_ptr(p, OPENSSL_VERSION_STR);
if ((p = OSSL_PARAM_locate(params, "provider-name")) != NULL)
OSSL_PARAM_set_utf8_ptr(p, prov->name);
+#ifndef FIPS_MODE
+ if ((p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_MODULE_FILENAME)) != NULL)
+ OSSL_PARAM_set_utf8_ptr(p, ossl_provider_module_path(prov));
+#endif
+
if (prov->parameters == NULL)
return 1;
@@ -800,7 +801,6 @@ static int core_get_params(const OSSL_PROVIDER *prov, OSSL_PARAM params[])
if ((p = OSSL_PARAM_locate(params, pair->name)) != NULL)
OSSL_PARAM_set_utf8_ptr(p, pair->value);
}
-
return 1;
}
@@ -868,6 +868,10 @@ static const OSSL_DISPATCH core_dispatch_[] = {
{ OSSL_FUNC_CORE_NEW_ERROR, (void (*)(void))core_new_error },
{ OSSL_FUNC_CORE_SET_ERROR_DEBUG, (void (*)(void))core_set_error_debug },
{ OSSL_FUNC_CORE_VSET_ERROR, (void (*)(void))core_vset_error },
+ { OSSL_FUNC_BIO_NEW_FILE, (void (*)(void))BIO_new_file },
+ { OSSL_FUNC_BIO_NEW_MEMBUF, (void (*)(void))BIO_new_mem_buf },
+ { OSSL_FUNC_BIO_READ, (void (*)(void))BIO_read },
+ { OSSL_FUNC_BIO_FREE, (void (*)(void))BIO_free },
#endif
{ OSSL_FUNC_CRYPTO_MALLOC, (void (*)(void))CRYPTO_malloc },
diff --git a/doc/man5/config.pod b/doc/man5/config.pod
index cac4ef6742..deed6d9e16 100644
--- a/doc/man5/config.pod
+++ b/doc/man5/config.pod
@@ -504,7 +504,7 @@ file.
=head1 SEE ALSO
-L<x509(1)>, L<req(1)>, L<ca(1)>
+L<x509(1)>, L<req(1)>, L<ca(1)>, L<fips_config(5)>
=head1 COPYRIGHT
diff --git a/doc/man5/fips_config.pod b/doc/man5/fips_config.pod
new file mode 100644
index 0000000000..7f08fd06ff
--- /dev/null
+++ b/doc/man5/fips_config.pod
@@ -0,0 +1,71 @@
+=pod
+
+=head1 NAME
+
+OPENSSL FIPS CONFIGURATION
+
+=head1 DESCRIPTION
+
+A separate configuration file containing data related to FIPS 'self tests' is
+written to during installation time.
+This data is used for 2 purposes when the fips module is loaded:
+
+=over 4
+
+=item - Verify the module's checksum each time the fips module loads.
+
+=item - Run the startup FIPS self test KATS (known answer tests).
+This only needs to be run once during installation.
+
+=back
+
+The supported options are:
+
+=over 4
+
+=item B<module-checksum>
+
+The calculated MAC of the module file
+
+=item B<install-version>
+
+A version number for the fips install process. Should be 1.
+
+=item B<install-status>
+
+The install status indicator description that will be verified.
+If this field is not present the FIPS self tests will run when the fips module
+loads.
+This value should only be written to after the FIPS module has
+successfully passed its self tests during installation.
+
+=item B<install-checksum>
+
+The calculated MAC of the install status indicator.
+It is initially empty and is written to at the same time as the install_status.
+
+=back
+
+For example:
+
+ [fips_install]
+
+ install-version = 1
+ module-checksum = 41:D0:FA:C2:5D:41:75:CD:7D:C3:90:55:6F:A4:DC
+ install-checksum = FE:10:13:5A:D3:B4:C7:82:1B:1E:17:4C:AC:84:0C
+ install-status = INSTALL_SELF_TEST_KATS_RUN
+
+=head1 SEE ALSO
+
+L<config(5)>
+
+=head1 COPYRIGHT
+
+Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
diff --git a/doc/man7/provider-base.pod b/doc/man7/provider-base.pod
index 0f28ce718f..6c43cdd59c 100644
--- a/doc/man7/provider-base.pod
+++ b/doc/man7/provider-base.pod
@@ -108,6 +108,10 @@ provider):
CRYPTO_secure_free OSSL_FUNC_CRYPTO_SECURE_FREE
CRYPTO_secure_clear_free OSSL_FUNC_CRYPTO_SECURE_CLEAR_FREE
CRYPTO_secure_allocated OSSL_FUNC_CRYPTO_SECURE_ALLOCATED
+ BIO_new_file OSSL_FUNC_BIO_NEW_FILE
+ BIO_new_mem_buf OSSL_FUNC_BIO_NEW_MEMBUF
+ BIO_read OSSL_FUNC_BIO_READ
+ BIO_free OSSL_FUNC_BIO_FREE
OPENSSL_cleanse OSSL_FUNC_OPENSSL_CLEANSE
OPENSSL_hexstr2buf OSSL_FUNC_OPENSSL_HEXSTR2BUF
@@ -178,6 +182,7 @@ CRYPTO_strndup(), CRYPTO_free(), CRYPTO_clear_free(),
CRYPTO_realloc(), CRYPTO_clear_realloc(), CRYPTO_secure_malloc(),
CRYPTO_secure_zalloc(), CRYPTO_secure_free(),
CRYPTO_secure_clear_free(), CRYPTO_secure_allocated(),
+BIO_new_file(), BIO_new_mem_buf(), BIO_read(), BIO_free(),
OPENSSL_cleanse(), and OPENSSL_hexstr2buf() correspond exactly to the
public functions with the same name.
As a matter of fact, the pointers in the B<OSSL_DISPATCH> array are
diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h
index e2d16be964..c1bc3a7d7b 100644
--- a/include/openssl/core_names.h
+++ b/include/openssl/core_names.h
@@ -34,6 +34,11 @@ extern "C" {
*/
#define OSSL_PROV_PARAM_BUILDINFO "buildinfo"
+/*
+ * The module filename
+ * Type: OSSL_PARAM_OCTET_STRING
+ */
+#define OSSL_PROV_PARAM_MODULE_FILENAME "module-filename"
/* cipher parameters */
#define OSSL_CIPHER_PARAM_PADDING "padding" /* int */
diff --git a/include/openssl/core_numbers.h b/include/openssl/core_numbers.h
index ad8b345f87..95cfe46a2d 100644
--- a/include/openssl/core_numbers.h
+++ b/include/openssl/core_numbers.h
@@ -118,6 +118,18 @@ OSSL_CORE_MAKE_FUNC(int,
OSSL_CORE_MAKE_FUNC(void,
OPENSSL_cleanse, (void *ptr, size_t len))
+/* Bio functions provided by the core */
+#define OSSL_FUNC_BIO_NEW_FILE 22
+#define OSSL_FUNC_BIO_NEW_MEMBUF 23
+#define OSSL_FUNC_BIO_READ 24
+#define OSSL_FUNC_BIO_FREE 25
+
+OSSL_CORE_MAKE_FUNC(BIO *, BIO_new_file, (const char *filename, const char *mode))
+OSSL_CORE_MAKE_FUNC(BIO *, BIO_new_membuf, (const void *buf, int len))
+OSSL_CORE_MAKE_FUNC(int, BIO_read, (BIO *bio, void *data, size_t data_len,
+ size_t *bytes_read))
+OSSL_CORE_MAKE_FUNC(int, BIO_free, (BIO *bio))
+
/* Functions provided by the provider to the Core, reserved numbers 1024-1535 */
# define OSSL_FUNC_PROVIDER_TEARDOWN 1024
OSSL_CORE_MAKE_FUNC(void,provider_teardown,(void *provctx))
diff --git a/include/openssl/fips_names.h b/include/openssl/fips_names.h
new file mode 100644
index 0000000000..28226f5f88
--- /dev/null
+++ b/include/openssl/fips_names.h
@@ -0,0 +1,46 @@
+/*
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef OSSL_FIPS_NAMES_H
+# define OSSL_FIPS_NAMES_H
+
+# ifdef __cplusplus
+extern "C" {
+# endif
+
+/*
+ * Parameter names that the FIPS Provider defines
+ */
+
+/*
+ * The calculated MAC of the module file (Used for FIPS Self Testing)
+ * Type: OSSL_PARAM_UTF8_STRING
+ */
+# define OSSL_PROV_FIPS_PARAM_MODULE_MAC "module-checksum"
+/*
+ * A version number for the fips install process (Used for FIPS Self Testing)
+ * Type: OSSL_PARAM_UTF8_STRING
+ */
+# define OSSL_PROV_FIPS_PARAM_INSTALL_VERSION "install-version"
+/*
+ * The calculated MAC of the install status indicator (Used for FIPS Self Testing)
+ * Type: OSSL_PARAM_UTF8_STRING
+ */
+# define OSSL_PROV_FIPS_PARAM_INSTALL_MAC "install-checksum"
+/*
+ * The install status indicator (Used for FIPS Self Testing)
+ * Type: OSSL_PARAM_UTF8_STRING
+ */
+# define OSSL_PROV_FIPS_PARAM_INSTALL_STATUS "install-status"
+
+# ifdef __cplusplus
+}
+# endif
+
+#endif /* OSSL_FIPS_NAMES_H */
diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c
index d2d3e6044a..7afe4f911a 100644
--- a/providers/fips/fipsprov.c
+++ b/providers/fips/fipsprov.c
@@ -20,6 +20,7 @@
#include <openssl/sha.h>
#include <openssl/rand_drbg.h>
#include <openssl/ec.h>
+#include <openssl/fips_names.h>
#include "internal/cryptlib.h"
#include "internal/property.h"
@@ -27,6 +28,7 @@
#include "internal/provider_algs.h"
#include "internal/provider_ctx.h"
#include "internal/providercommon.h"
+#include "selftest.h"
extern OSSL_core_thread_start_fn *c_thread_start;
@@ -36,6 +38,9 @@ extern OSSL_core_thread_start_fn *c_thread_start;
* at the moment because c_put_error/c_add_error_vdata do not provide
* us with the OPENSSL_CTX as a parameter.
*/
+
+static SELF_TEST_POST_PARAMS selftest_params;
+
/* Functions provided by the core */
static OSSL_core_gettable_params_fn *c_gettable_params;
static OSSL_core_get_params_fn *c_get_params;
@@ -85,6 +90,31 @@ static const OSSL_PARAM fips_param_types[] = {
OSSL_PARAM_END
};
+/*
+ * Parameters to retrieve from the core provider - required for self testing.
+ * NOTE: inside core_get_params() these will be loaded from config items
+ * stored inside prov->parameters (except for OSSL_PROV_PARAM_MODULE_FILENAME).
+ */
+static OSSL_PARAM core_params[] =
+{
+ OSSL_PARAM_utf8_ptr(OSSL_PROV_PARAM_MODULE_FILENAME,
+ selftest_params.module_filename,
+ sizeof(selftest_params.module_filename)),
+ OSSL_PARAM_utf8_ptr(OSSL_PROV_FIPS_PARAM_MODULE_MAC,
+ selftest_params.module_checksum_data,
+ sizeof(selftest_params.module_checksum_data)),
+ OSSL_PARAM_utf8_ptr(OSSL_PROV_FIPS_PARAM_INSTALL_MAC,
+ selftest_params.indicator_checksum_data,
+ sizeof(selftest_params.indicator_checksum_data)),
+ OSSL_PARAM_utf8_ptr(OSSL_PROV_FIPS_PARAM_INSTALL_STATUS,
+ selftest_params.indicator_data,
+ sizeof(selftest_params.indicator_data)),
+ OSSL_PARAM_utf8_ptr(OSSL_PROV_FIPS_PARAM_INSTALL_VERSION,
+ selftest_params.indicator_version,
+ sizeof(selftest_params.indicator_version)),
+ OSSL_PARAM_END
+};
+
/* TODO(3.0): To be removed */
static int dummy_evp_call(void *provctx)
{
@@ -384,12 +414,27 @@ int OSSL_provider_init(const OSSL_PROVIDER *provider,
case OSSL_FUNC_CRYPTO_SECURE_ALLOCATED:
c_CRYPTO_secure_allocated = OSSL_get_CRYPTO_secure_allocated(in);
break;
+ case OSSL_FUNC_BIO_NEW_FILE:
+ selftest_params.bio_new_file_cb = OSSL_get_BIO_new_file(in);
+ break;
+ case OSSL_FUNC_BIO_NEW_MEMBUF:
+ selftest_params.bio_new_buffer_cb = OSSL_get_BIO_new_membuf(in);
+ break;
+ case OSSL_FUNC_BIO_READ:
+ selftest_params.bio_read_cb = OSSL_get_BIO_read(in);
+ break;
+ case OSSL_FUNC_BIO_FREE:
+ selftest_params.bio_free_cb = OSSL_get_BIO_free(in);
+ break;
default:
/* Just ignore anything we don't understand */
break;
}
}
+ if (!c_get_params(provider, core_params))
+ return 0;
+
/* Create a context. */
if ((ctx = OPENSSL_CTX_new()) == NULL)
return 0;
diff --git a/providers/fips/selftest.h b/providers/fips/selftest.h
new file mode 100644
index 0000000000..3a183f4d02
--- /dev/null
+++ b/providers/fips/selftest.h
@@ -0,0 +1,29 @@
+/*
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <openssl/params.h>
+#include <openssl/core_numbers.h>
+
+typedef struct self_test_post_params_st {
+ /* FIPS module integrity check parameters */
+ const char *module_filename; /* Module file to perform MAC on */
+ const char *module_checksum_data; /* Expected module MAC integrity */
+
+ /* Used for KAT install indicator integrity check */
+ const char *indicator_version; /* version - for future proofing */
+ const char *indicator_data; /* data to perform MAC on */
+ const char *indicator_checksum_data; /* Expected MAC integrity value */
+
+ /* BIO callbacks supplied to the FIPS provider */
+ OSSL_BIO_new_file_fn *bio_new_file_cb;
+ OSSL_BIO_new_membuf_fn *bio_new_buffer_cb;
+ OSSL_BIO_read_fn *bio_read_cb;
+ OSSL_BIO_free_fn *bio_free_cb;
+
+} SELF_TEST_POST_PARAMS;
More information about the openssl-commits
mailing list