[openssl] master update
shane.lontis at oracle.com
shane.lontis at oracle.com
Wed Jul 22 11:16:31 UTC 2020
The branch master has been updated
via dcb71e1c21ad46bc9258d388b98156ae48de0af4 (commit)
from 7b9f218838ad93ab6b8dd9cd4545703839ec037a (commit)
- Log -----------------------------------------------------------------
commit dcb71e1c21ad46bc9258d388b98156ae48de0af4
Author: Shane Lontis <shane.lontis at oracle.com>
Date: Tue Jul 21 10:51:33 2020 +1000
Cleanup fips provider init
Removed dummy evp_test
Changed all algorithm properties to use fips=yes (except for RAND_TEST) (This changes the DRBG and ECX settings)
Removed unused includes.
Added TODO(3.0) for issue(s) that need to be resolved.
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12498)
-----------------------------------------------------------------------
Summary of changes:
providers/fips/fipsprov.c | 213 +++++++++++++---------------------------------
1 file changed, 59 insertions(+), 154 deletions(-)
diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c
index c91ad1c6d7..77cd75fcdf 100644
--- a/providers/fips/fipsprov.c
+++ b/providers/fips/fipsprov.c
@@ -7,27 +7,13 @@
* https://www.openssl.org/source/license.html
*/
-#include <string.h>
-#include <stdio.h>
-#include <openssl/core.h>
#include <openssl/core_dispatch.h>
#include <openssl/core_names.h>
#include <openssl/params.h>
-#include <openssl/err.h>
-#include <openssl/evp.h>
-#include <openssl/kdf.h>
-
-/* TODO(3.0): Needed for dummy_evp_call(). To be removed */
-#include <openssl/sha.h>
-#include <openssl/rand_drbg.h>
-#include <openssl/ec.h>
+#include <openssl/obj_mac.h> /* NIDs used by ossl_prov_util_nid_to_name() */
#include <openssl/fips_names.h>
-
+#include <openssl/rand_drbg.h> /* OPENSSL_CTX_get0_public_drbg() */
#include "internal/cryptlib.h"
-#include "internal/property.h"
-#include "internal/nelem.h"
-#include "openssl/param_build.h"
-#include "crypto/evp.h"
#include "prov/implementations.h"
#include "prov/provider_ctx.h"
#include "prov/providercommon.h"
@@ -35,6 +21,9 @@
#include "prov/provider_util.h"
#include "self_test.h"
+static const char FIPS_DEFAULT_PROPERTIES[] = "provider=fips,fips=yes";
+static const char FIPS_UNAPPROVED_PROPERTIES[] = "provider=fips,fips=no";
+
/*
* Forward declarations to ensure that interface functions are correctly
* defined.
@@ -44,7 +33,7 @@ static OSSL_FUNC_provider_gettable_params_fn fips_gettable_params;
static OSSL_FUNC_provider_get_params_fn fips_get_params;
static OSSL_FUNC_provider_query_operation_fn fips_query;
-#define ALGC(NAMES, FUNC, CHECK) { { NAMES, "provider=fips,fips=yes", FUNC }, CHECK }
+#define ALGC(NAMES, FUNC, CHECK) { { NAMES, FIPS_DEFAULT_PROPERTIES, FUNC }, CHECK }
#define ALG(NAMES, FUNC) ALGC(NAMES, FUNC, NULL)
extern OSSL_FUNC_core_thread_start_fn *c_thread_start;
@@ -137,87 +126,6 @@ static OSSL_PARAM core_params[] =
OSSL_PARAM_END
};
-/* TODO(3.0): To be removed */
-static int dummy_evp_call(OPENSSL_CTX *libctx)
-{
- EVP_MD_CTX *ctx = EVP_MD_CTX_new();
- EVP_MD *sha256 = EVP_MD_fetch(libctx, "SHA256", NULL);
- EVP_KDF *kdf = EVP_KDF_fetch(libctx, OSSL_KDF_NAME_PBKDF2, NULL);
- unsigned char dgst[SHA256_DIGEST_LENGTH];
- unsigned int dgstlen;
- int ret = 0;
- BN_CTX *bnctx = NULL;
- BIGNUM *a = NULL, *b = NULL;
- unsigned char randbuf[128];
- RAND_DRBG *drbg = OPENSSL_CTX_get0_public_drbg(libctx);
-#ifndef OPENSSL_NO_EC
- EC_KEY *key = NULL;
-#endif
-
- static const char msg[] = "Hello World!";
- static const unsigned char exptd[] = {
- 0x7f, 0x83, 0xb1, 0x65, 0x7f, 0xf1, 0xfc, 0x53, 0xb9, 0x2d, 0xc1, 0x81,
- 0x48, 0xa1, 0xd6, 0x5d, 0xfc, 0x2d, 0x4b, 0x1f, 0xa3, 0xd6, 0x77, 0x28,
- 0x4a, 0xdd, 0xd2, 0x00, 0x12, 0x6d, 0x90, 0x69
- };
-
- if (ctx == NULL || sha256 == NULL || drbg == NULL || kdf == NULL)
- goto err;
-
- if (!EVP_DigestInit_ex(ctx, sha256, NULL))
- goto err;
- if (!EVP_DigestUpdate(ctx, msg, sizeof(msg) - 1))
- goto err;
- if (!EVP_DigestFinal(ctx, dgst, &dgstlen))
- goto err;
- if (dgstlen != sizeof(exptd) || memcmp(dgst, exptd, sizeof(exptd)) != 0)
- goto err;
-
- bnctx = BN_CTX_new_ex(libctx);
- if (bnctx == NULL)
- goto err;
- BN_CTX_start(bnctx);
- a = BN_CTX_get(bnctx);
- b = BN_CTX_get(bnctx);
- if (b == NULL)
- goto err;
- BN_zero(a);
- if (!BN_one(b)
- || !BN_add(a, a, b)
- || BN_cmp(a, b) != 0)
- goto err;
-
- if (RAND_DRBG_bytes(drbg, randbuf, sizeof(randbuf)) <= 0)
- goto err;
-
- if (!BN_rand_ex(a, 256, BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY, bnctx))
- goto err;
-
-#ifndef OPENSSL_NO_EC
- /* Do some dummy EC calls */
- key = EC_KEY_new_by_curve_name_with_libctx(libctx, NULL, NID_X9_62_prime256v1);
- if (key == NULL)
- goto err;
-
- if (!EC_KEY_generate_key(key))
- goto err;
-#endif
-
- ret = 1;
- err:
- BN_CTX_end(bnctx);
- BN_CTX_free(bnctx);
-
- EVP_KDF_free(kdf);
- EVP_MD_CTX_free(ctx);
- EVP_MD_free(sha256);
-
-#ifndef OPENSSL_NO_EC
- EC_KEY_free(key);
-#endif
- return ret;
-}
-
static const OSSL_PARAM *fips_gettable_params(void *provctx)
{
return fips_param_types;
@@ -241,6 +149,7 @@ static int fips_get_params(void *provctx, OSSL_PARAM params[])
}
/* FIPS specific version of the function of the same name in provlib.c */
+/* TODO(3.0) - Is this function needed ? */
const char *ossl_prov_util_nid_to_name(int nid)
{
/* We don't have OBJ_nid2n() in FIPS_MODULE so we have an explicit list */
@@ -362,32 +271,32 @@ const char *ossl_prov_util_nid_to_name(int nid)
*/
static const OSSL_ALGORITHM fips_digests[] = {
/* Our primary name:NiST name[:our older names] */
- { "SHA1:SHA-1", "provider=fips,fips=yes", sha1_functions },
- { "SHA2-224:SHA-224:SHA224", "provider=fips,fips=yes", sha224_functions },
- { "SHA2-256:SHA-256:SHA256", "provider=fips,fips=yes", sha256_functions },
- { "SHA2-384:SHA-384:SHA384", "provider=fips,fips=yes", sha384_functions },
- { "SHA2-512:SHA-512:SHA512", "provider=fips,fips=yes", sha512_functions },
- { "SHA2-512/224:SHA-512/224:SHA512-224", "provider=fips,fips=yes",
+ { "SHA1:SHA-1", FIPS_DEFAULT_PROPERTIES, sha1_functions },
+ { "SHA2-224:SHA-224:SHA224", FIPS_DEFAULT_PROPERTIES, sha224_functions },
+ { "SHA2-256:SHA-256:SHA256", FIPS_DEFAULT_PROPERTIES, sha256_functions },
+ { "SHA2-384:SHA-384:SHA384", FIPS_DEFAULT_PROPERTIES, sha384_functions },
+ { "SHA2-512:SHA-512:SHA512", FIPS_DEFAULT_PROPERTIES, sha512_functions },
+ { "SHA2-512/224:SHA-512/224:SHA512-224", FIPS_DEFAULT_PROPERTIES,
sha512_224_functions },
- { "SHA2-512/256:SHA-512/256:SHA512-256", "provider=fips,fips=yes",
+ { "SHA2-512/256:SHA-512/256:SHA512-256", FIPS_DEFAULT_PROPERTIES,
sha512_256_functions },
/* We agree with NIST here, so one name only */
- { "SHA3-224", "provider=fips,fips=yes", sha3_224_functions },
- { "SHA3-256", "provider=fips,fips=yes", sha3_256_functions },
- { "SHA3-384", "provider=fips,fips=yes", sha3_384_functions },
- { "SHA3-512", "provider=fips,fips=yes", sha3_512_functions },
+ { "SHA3-224", FIPS_DEFAULT_PROPERTIES, sha3_224_functions },
+ { "SHA3-256", FIPS_DEFAULT_PROPERTIES, sha3_256_functions },
+ { "SHA3-384", FIPS_DEFAULT_PROPERTIES, sha3_384_functions },
+ { "SHA3-512", FIPS_DEFAULT_PROPERTIES, sha3_512_functions },
- { "SHAKE-128:SHAKE128", "provider=fips,fips=yes", shake_128_functions },
- { "SHAKE-256:SHAKE256", "provider=fips,fips=yes", shake_256_functions },
+ { "SHAKE-128:SHAKE128", FIPS_DEFAULT_PROPERTIES, shake_128_functions },
+ { "SHAKE-256:SHAKE256", FIPS_DEFAULT_PROPERTIES, shake_256_functions },
/*
* KECCAK-KMAC-128 and KECCAK-KMAC-256 as hashes are mostly useful for
* KMAC128 and KMAC256.
*/
- { "KECCAK-KMAC-128:KECCAK-KMAC128", "provider=fips,fips=yes",
+ { "KECCAK-KMAC-128:KECCAK-KMAC128", FIPS_DEFAULT_PROPERTIES,
keccak_kmac_128_functions },
- { "KECCAK-KMAC-256:KECCAK-KMAC256", "provider=fips,fips=yes",
+ { "KECCAK-KMAC-256:KECCAK-KMAC256", FIPS_DEFAULT_PROPERTIES,
keccak_kmac_256_functions },
{ NULL, NULL, NULL }
};
@@ -453,80 +362,80 @@ static OSSL_ALGORITHM exported_fips_ciphers[OSSL_NELEM(fips_ciphers)];
static const OSSL_ALGORITHM fips_macs[] = {
#ifndef OPENSSL_NO_CMAC
- { "CMAC", "provider=fips,fips=yes", cmac_functions },
+ { "CMAC", FIPS_DEFAULT_PROPERTIES, cmac_functions },
#endif
- { "GMAC", "provider=fips,fips=yes", gmac_functions },
- { "HMAC", "provider=fips,fips=yes", hmac_functions },
- { "KMAC-128:KMAC128", "provider=fips,fips=yes", kmac128_functions },
- { "KMAC-256:KMAC256", "provider=fips,fips=yes", kmac256_functions },
+ { "GMAC", FIPS_DEFAULT_PROPERTIES, gmac_functions },
+ { "HMAC", FIPS_DEFAULT_PROPERTIES, hmac_functions },
+ { "KMAC-128:KMAC128", FIPS_DEFAULT_PROPERTIES, kmac128_functions },
+ { "KMAC-256:KMAC256", FIPS_DEFAULT_PROPERTIES, kmac256_functions },
{ NULL, NULL, NULL }
};
static const OSSL_ALGORITHM fips_kdfs[] = {
- { "HKDF", "provider=fips,fips=yes", kdf_hkdf_functions },
- { "SSKDF", "provider=fips,fips=yes", kdf_sskdf_functions },
- { "PBKDF2", "provider=fips,fips=yes", kdf_pbkdf2_functions },
- { "SSHKDF", "provider=fips,fips=yes", kdf_sshkdf_functions },
- { "X963KDF", "provider=fips,fips=yes", kdf_x963_kdf_functions },
- { "TLS1-PRF", "provider=fips,fips=yes", kdf_tls1_prf_functions },
- { "KBKDF", "provider=fips,fips=yes", kdf_kbkdf_functions },
+ { "HKDF", FIPS_DEFAULT_PROPERTIES, kdf_hkdf_functions },
+ { "SSKDF", FIPS_DEFAULT_PROPERTIES, kdf_sskdf_functions },
+ { "PBKDF2", FIPS_DEFAULT_PROPERTIES, kdf_pbkdf2_functions },
+ { "SSHKDF", FIPS_DEFAULT_PROPERTIES, kdf_sshkdf_functions },
+ { "X963KDF", FIPS_DEFAULT_PROPERTIES, kdf_x963_kdf_functions },
+ { "TLS1-PRF", FIPS_DEFAULT_PROPERTIES, kdf_tls1_prf_functions },
+ { "KBKDF", FIPS_DEFAULT_PROPERTIES, kdf_kbkdf_functions },
{ NULL, NULL, NULL }
};
static const OSSL_ALGORITHM fips_rands[] = {
- { "CTR-DRBG", "provider=fips", drbg_ctr_functions },
- { "HASH-DRBG", "provider=fips", drbg_hash_functions },
- { "HMAC-DRBG", "provider=fips", drbg_hmac_functions },
- { "TEST-RAND", "provider=fips", test_rng_functions },
+ { "CTR-DRBG", FIPS_DEFAULT_PROPERTIES, drbg_ctr_functions },
+ { "HASH-DRBG", FIPS_DEFAULT_PROPERTIES, drbg_hash_functions },
+ { "HMAC-DRBG", FIPS_DEFAULT_PROPERTIES, drbg_hmac_functions },
+ { "TEST-RAND", FIPS_UNAPPROVED_PROPERTIES, test_rng_functions },
{ NULL, NULL, NULL }
};
static const OSSL_ALGORITHM fips_keyexch[] = {
#ifndef OPENSSL_NO_DH
- { "DH:dhKeyAgreement", "provider=fips,fips=yes", dh_keyexch_functions },
+ { "DH:dhKeyAgreement", FIPS_DEFAULT_PROPERTIES, dh_keyexch_functions },
#endif
#ifndef OPENSSL_NO_EC
- { "ECDH", "provider=fips,fips=yes", ecdh_keyexch_functions },
- { "X25519", "provider=fips,fips=no", x25519_keyexch_functions },
- { "X448", "provider=fips,fips=no", x448_keyexch_functions },
+ { "ECDH", FIPS_DEFAULT_PROPERTIES, ecdh_keyexch_functions },
+ { "X25519", FIPS_DEFAULT_PROPERTIES, x25519_keyexch_functions },
+ { "X448", FIPS_DEFAULT_PROPERTIES, x448_keyexch_functions },
#endif
{ NULL, NULL, NULL }
};
static const OSSL_ALGORITHM fips_signature[] = {
#ifndef OPENSSL_NO_DSA
- { "DSA:dsaEncryption", "provider=fips,fips=yes", dsa_signature_functions },
+ { "DSA:dsaEncryption", FIPS_DEFAULT_PROPERTIES, dsa_signature_functions },
#endif
- { "RSA:rsaEncryption", "provider=fips,fips=yes", rsa_signature_functions },
+ { "RSA:rsaEncryption", FIPS_DEFAULT_PROPERTIES, rsa_signature_functions },
#ifndef OPENSSL_NO_EC
- { "ED25519", "provider=fips,fips=no", ed25519_signature_functions },
- { "ED448", "provider=fips,fips=no", ed448_signature_functions },
- { "ECDSA", "provider=fips,fips=yes", ecdsa_signature_functions },
+ { "ED25519", FIPS_DEFAULT_PROPERTIES, ed25519_signature_functions },
+ { "ED448", FIPS_DEFAULT_PROPERTIES, ed448_signature_functions },
+ { "ECDSA", FIPS_DEFAULT_PROPERTIES, ecdsa_signature_functions },
#endif
{ NULL, NULL, NULL }
};
static const OSSL_ALGORITHM fips_asym_cipher[] = {
- { "RSA:rsaEncryption", "provider=fips,fips=yes", rsa_asym_cipher_functions },
+ { "RSA:rsaEncryption", FIPS_DEFAULT_PROPERTIES, rsa_asym_cipher_functions },
{ NULL, NULL, NULL }
};
static const OSSL_ALGORITHM fips_keymgmt[] = {
#ifndef OPENSSL_NO_DH
- { "DH:dhKeyAgreement", "provider=fips,fips=yes", dh_keymgmt_functions },
+ { "DH:dhKeyAgreement", FIPS_DEFAULT_PROPERTIES, dh_keymgmt_functions },
#endif
#ifndef OPENSSL_NO_DSA
- { "DSA", "provider=fips,fips=yes", dsa_keymgmt_functions },
+ { "DSA", FIPS_DEFAULT_PROPERTIES, dsa_keymgmt_functions },
#endif
- { "RSA:rsaEncryption", "provider=fips,fips=yes", rsa_keymgmt_functions },
- { "RSA-PSS:RSASSA-PSS", "provider=fips,fips=yes",
+ { "RSA:rsaEncryption", FIPS_DEFAULT_PROPERTIES, rsa_keymgmt_functions },
+ { "RSA-PSS:RSASSA-PSS", FIPS_DEFAULT_PROPERTIES,
rsapss_keymgmt_functions },
#ifndef OPENSSL_NO_EC
- { "EC:id-ecPublicKey", "provider=fips,fips=yes", ec_keymgmt_functions },
- { "X25519", "provider=fips,fips=no", x25519_keymgmt_functions },
- { "X448", "provider=fips,fips=no", x448_keymgmt_functions },
- { "ED25519", "provider=fips,fips=no", ed25519_keymgmt_functions },
- { "ED448", "provider=fips,fips=no", ed448_keymgmt_functions },
+ { "EC:id-ecPublicKey", FIPS_DEFAULT_PROPERTIES, ec_keymgmt_functions },
+ { "X25519", FIPS_DEFAULT_PROPERTIES, x25519_keymgmt_functions },
+ { "X448", FIPS_DEFAULT_PROPERTIES, x448_keymgmt_functions },
+ { "ED25519", FIPS_DEFAULT_PROPERTIES, ed25519_keymgmt_functions },
+ { "ED448", FIPS_DEFAULT_PROPERTIES, ed448_keymgmt_functions },
#endif
{ NULL, NULL, NULL }
};
@@ -732,12 +641,8 @@ int OSSL_provider_init(const OSSL_CORE_HANDLE *handle,
goto err;
}
- /*
- * TODO(3.0): Remove me. This is just a dummy call to demonstrate making
- * EVP calls from within the FIPS module.
- */
- if (!dummy_evp_call(libctx))
- goto err;
+ /* TODO(3.0): Tests will hang if this is removed */
+ (void)OPENSSL_CTX_get0_public_drbg(libctx);
*out = fips_dispatch_table;
return 1;
More information about the openssl-commits
mailing list