[openssl] master update
shane.lontis at oracle.com
shane.lontis at oracle.com
Sat Sep 19 08:37:35 UTC 2020
The branch master has been updated
via 7889e7aef821c0c9917188d59f53253645c07928 (commit)
via f8e747471ebb5e6d65264de91e26fbc439841bc4 (commit)
from 80f4fd18f72c0d3faae864da6979b83acc4f89a2 (commit)
- Log -----------------------------------------------------------------
commit 7889e7aef821c0c9917188d59f53253645c07928
Author: Shane Lontis <shane.lontis at oracle.com>
Date: Tue Sep 15 14:45:49 2020 +1000
Fix ec keygen so that it passes the library context to SSL_SELF_TEST_get_callback().
This was written before the ec key contained a library context,
now that it contains a libctx it can be passed correctly to the callback.
Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12877)
commit f8e747471ebb5e6d65264de91e26fbc439841bc4
Author: Shane Lontis <shane.lontis at oracle.com>
Date: Tue Sep 15 14:32:40 2020 +1000
Add a copy of OSSL_SELF_TEST_get_callback() to the fips module.
The user can set up a self test callback that should be activated when a keygen operation (e.g ec) occurs for the fips module.
The callback information is stored inside the applications library context, but this was not being triggered since the
library context used for the key generation operation was the internal library context used by the fips module (which is not
the same as the application's library context). During the keygen operation the OSSL_SELF_TEST_get_callback() function is used
to retrieve the callback info.
By having a seperate copy of OSSL_SELF_TEST_get_callback() for the fips module we can ensure that the parent library context
is used instead.
The core OSSL_SELF_TEST_get_callback() function pointer is passed across the boundary during the fips modules entry point
such that the fips version of the function can call it after changing the libctx.
Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12877)
-----------------------------------------------------------------------
Summary of changes:
crypto/ec/ec_key.c | 6 +++---
crypto/self_test_core.c | 4 ++--
include/crypto/ec.h | 1 -
providers/fips/fipsprov.c | 17 ++++++++++++++++
test/acvp_test.c | 52 ++++++++++++++++++++++++++++++++++++++++++++---
test/evp_libctx_test.c | 9 +++-----
6 files changed, 74 insertions(+), 15 deletions(-)
diff --git a/crypto/ec/ec_key.c b/crypto/ec/ec_key.c
index f1f325237e..75c3588a95 100644
--- a/crypto/ec/ec_key.c
+++ b/crypto/ec/ec_key.c
@@ -256,7 +256,7 @@ int ossl_ec_key_gen(EC_KEY *eckey)
* fails then the keypair is not generated,
* Returns 1 if the keypair was generated or 0 otherwise.
*/
-int ec_generate_key(OPENSSL_CTX *libctx, EC_KEY *eckey, int pairwise_test)
+static int ec_generate_key(EC_KEY *eckey, int pairwise_test)
{
int ok = 0;
BIGNUM *priv_key = NULL;
@@ -325,7 +325,7 @@ int ec_generate_key(OPENSSL_CTX *libctx, EC_KEY *eckey, int pairwise_test)
OSSL_CALLBACK *cb = NULL;
void *cbarg = NULL;
- OSSL_SELF_TEST_get_callback(libctx, &cb, &cbarg);
+ OSSL_SELF_TEST_get_callback(eckey->libctx, &cb, &cbarg);
ok = ecdsa_keygen_pairwise_test(eckey, cb, cbarg);
}
err:
@@ -345,7 +345,7 @@ err:
int ec_key_simple_generate_key(EC_KEY *eckey)
{
- return ec_generate_key(NULL, eckey, 0);
+ return ec_generate_key(eckey, 0);
}
int ec_key_simple_generate_public_key(EC_KEY *eckey)
diff --git a/crypto/self_test_core.c b/crypto/self_test_core.c
index ca8925abe5..7aa8490ddf 100644
--- a/crypto/self_test_core.c
+++ b/crypto/self_test_core.c
@@ -31,6 +31,7 @@ struct ossl_self_test_st
void *cb_arg;
};
+#ifndef FIPS_MODULE
static void *self_test_set_callback_new(OPENSSL_CTX *ctx)
{
SELF_TEST_CB *stcb;
@@ -55,7 +56,6 @@ static SELF_TEST_CB *get_self_test_callback(OPENSSL_CTX *libctx)
&self_test_set_callback_method);
}
-#ifndef FIPS_MODULE
void OSSL_SELF_TEST_set_callback(OPENSSL_CTX *libctx, OSSL_CALLBACK *cb,
void *cbarg)
{
@@ -66,7 +66,6 @@ void OSSL_SELF_TEST_set_callback(OPENSSL_CTX *libctx, OSSL_CALLBACK *cb,
stcb->cbarg = cbarg;
}
}
-#endif /* FIPS_MODULE */
void OSSL_SELF_TEST_get_callback(OPENSSL_CTX *libctx, OSSL_CALLBACK **cb,
void **cbarg)
@@ -78,6 +77,7 @@ void OSSL_SELF_TEST_get_callback(OPENSSL_CTX *libctx, OSSL_CALLBACK **cb,
if (cbarg != NULL)
*cbarg = (stcb != NULL ? stcb->cbarg : NULL);
}
+#endif /* FIPS_MODULE */
static void self_test_setparams(OSSL_SELF_TEST *st)
{
diff --git a/include/crypto/ec.h b/include/crypto/ec.h
index 071fbcad19..8e8fa3d825 100644
--- a/include/crypto/ec.h
+++ b/include/crypto/ec.h
@@ -49,7 +49,6 @@ int ecdh_KDF_X9_63(unsigned char *out, size_t outlen,
const unsigned char *sinfo, size_t sinfolen,
const EVP_MD *md, OPENSSL_CTX *libctx, const char *propq);
-int ec_generate_key(OPENSSL_CTX *libctx, EC_KEY *eckey, int pairwise_test);
int ec_key_public_check(const EC_KEY *eckey, BN_CTX *ctx);
int ec_key_private_check(const EC_KEY *eckey);
int ec_key_pairwise_check(const EC_KEY *eckey, BN_CTX *ctx);
diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c
index 9cf43eb491..d2ea505230 100644
--- a/providers/fips/fipsprov.c
+++ b/providers/fips/fipsprov.c
@@ -886,3 +886,20 @@ int FIPS_security_check_enabled(void)
{
return fips_security_checks;
}
+
+void OSSL_SELF_TEST_get_callback(OPENSSL_CTX *libctx, OSSL_CALLBACK **cb,
+ void **cbarg)
+{
+ if (libctx == NULL)
+ libctx = selftest_params.libctx;
+
+ if (c_stcbfn != NULL && c_get_libctx != NULL) {
+ /* Get the parent libctx */
+ c_stcbfn(c_get_libctx(FIPS_get_core_handle(libctx)), cb, cbarg);
+ } else {
+ if (cb != NULL)
+ *cb = NULL;
+ if (cbarg != NULL)
+ *cbarg = NULL;
+ }
+}
diff --git a/test/acvp_test.c b/test/acvp_test.c
index b33881d4db..3e9631065a 100644
--- a/test/acvp_test.c
+++ b/test/acvp_test.c
@@ -14,6 +14,7 @@
* providers/fips/self_test_kats.c
*/
+#include <string.h>
#include <openssl/opensslconf.h> /* To see if OPENSSL_NO_EC is defined */
#include <openssl/core_names.h>
#include <openssl/evp.h>
@@ -23,14 +24,12 @@
#include <openssl/rsa.h>
#include <openssl/param_build.h>
#include <openssl/provider.h>
+#include <openssl/self_test.h>
#include "testutil.h"
#include "testutil/output.h"
#include "acvp_test.inc"
#include "internal/nelem.h"
-static OSSL_PROVIDER *prov_null = NULL;
-static OPENSSL_CTX *libctx = NULL;
-
typedef enum OPTION_choice {
OPT_ERR = -1,
OPT_EOF = 0,
@@ -38,6 +37,16 @@ typedef enum OPTION_choice {
OPT_TEST_ENUM
} OPTION_CHOICE;
+typedef struct st_args {
+ int enable;
+ int called;
+} SELF_TEST_ARGS;
+
+static OSSL_PROVIDER *prov_null = NULL;
+static OPENSSL_CTX *libctx = NULL;
+static SELF_TEST_ARGS self_test_args = { 0 };
+static OSSL_CALLBACK self_test_events;
+
const OPTIONS *test_get_options(void)
{
static const OPTIONS test_options[] = {
@@ -119,10 +128,13 @@ static int ecdsa_keygen_test(int id)
size_t priv_len = 0, pubx_len = 0, puby_len = 0;
const struct ecdsa_keygen_st *tst = &ecdsa_keygen_data[id];
+ self_test_args.called = 0;
+ self_test_args.enable = 1;
if (!TEST_ptr(ctx = EVP_PKEY_CTX_new_from_name(libctx, "EC", NULL))
|| !TEST_int_gt(EVP_PKEY_keygen_init(ctx), 0)
|| !TEST_true(EVP_PKEY_CTX_set_group_name(ctx, tst->curve_name))
|| !TEST_int_gt(EVP_PKEY_keygen(ctx, &pkey), 0)
+ || !TEST_int_eq(self_test_args.called, 3)
|| !TEST_true(pkey_get_bn_bytes(pkey, OSSL_PKEY_PARAM_PRIV_KEY, &priv,
&priv_len))
|| !TEST_true(pkey_get_bn_bytes(pkey, OSSL_PKEY_PARAM_EC_PUB_X, &pubx,
@@ -136,6 +148,8 @@ static int ecdsa_keygen_test(int id)
test_output_memory("d", priv, priv_len);
ret = 1;
err:
+ self_test_args.enable = 0;
+ self_test_args.called = 0;
OPENSSL_clear_free(priv, priv_len);
OPENSSL_free(pubx);
OPENSSL_free(puby);
@@ -1292,6 +1306,37 @@ err:
}
#endif /* OPENSSL_NO_RSA */
+static int self_test_events(const OSSL_PARAM params[], void *varg)
+{
+ SELF_TEST_ARGS *args = varg;
+ const OSSL_PARAM *p = NULL;
+ const char *phase = NULL, *type = NULL, *desc = NULL;
+ int ret = 0;
+
+ if (!args->enable)
+ return 1;
+
+ args->called++;
+ p = OSSL_PARAM_locate_const(params, OSSL_PROV_PARAM_SELF_TEST_PHASE);
+ if (p == NULL || p->data_type != OSSL_PARAM_UTF8_STRING)
+ goto err;
+ phase = (const char *)p->data;
+
+ p = OSSL_PARAM_locate_const(params, OSSL_PROV_PARAM_SELF_TEST_DESC);
+ if (p == NULL || p->data_type != OSSL_PARAM_UTF8_STRING)
+ goto err;
+ desc = (const char *)p->data;
+
+ p = OSSL_PARAM_locate_const(params, OSSL_PROV_PARAM_SELF_TEST_TYPE);
+ if (p == NULL || p->data_type != OSSL_PARAM_UTF8_STRING)
+ goto err;
+ type = (const char *)p->data;
+
+ BIO_printf(bio_out, "%s %s %s\n", phase, desc, type);
+ ret = 1;
+err:
+ return ret;
+}
int setup_tests(void)
{
@@ -1324,6 +1369,7 @@ int setup_tests(void)
opt_printf_stderr("Failed to load config\n");
return 0;
}
+ OSSL_SELF_TEST_set_callback(libctx, self_test_events, &self_test_args);
ADD_ALL_TESTS(cipher_enc_dec_test, OSSL_NELEM(cipher_enc_data));
ADD_ALL_TESTS(aes_ccm_enc_dec_test, OSSL_NELEM(aes_ccm_enc_data));
diff --git a/test/evp_libctx_test.c b/test/evp_libctx_test.c
index e42d6683e7..4325cc272f 100644
--- a/test/evp_libctx_test.c
+++ b/test/evp_libctx_test.c
@@ -644,14 +644,11 @@ int setup_tests(void)
return 0;
libctx = OPENSSL_CTX_new();
-
if (!TEST_ptr(libctx))
return 0;
-
- if (config_file != NULL) {
- if (!TEST_true(OPENSSL_CTX_load_config(libctx, config_file)))
- return 0;
- }
+ if (config_file != NULL
+ && !TEST_true(OPENSSL_CTX_load_config(libctx, config_file)))
+ return 0;
libprov = OSSL_PROVIDER_load(libctx, prov_name);
if (!TEST_ptr(libprov))
More information about the openssl-commits
mailing list