Make core code available within the FIPS module

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8728)

diff --git a/crypto/build.info b/crypto/build.info
index 63913f40e8de1ef9d960e658862021d327b5623b..546865bdc91869cdc955ca3e9aee419f309188da 100644 (file)
--- a/crypto/build.info
+++ b/crypto/build.info
@@ -12,6 +12,9 @@ LIBS=../libcrypto
 SOURCE[../libcrypto]=provider_core.c provider_predefined.c provider_conf.c \
         core_fetch.c core_namemap.c
 
 SOURCE[../libcrypto]=provider_core.c provider_predefined.c provider_conf.c \
         core_fetch.c core_namemap.c
 

+SOURCE[../providers/fips]=provider_core.c provider_predefined.c \
+        core_fetch.c core_namemap.c
+

 # Central utilities
 SOURCE[../libcrypto]=\
         cryptlib.c mem.c mem_dbg.c cversion.c info.c ex_data.c cpt_err.c \
 # Central utilities
 SOURCE[../libcrypto]=\
         cryptlib.c mem.c mem_dbg.c cversion.c info.c ex_data.c cpt_err.c \


@@ -23,7 +26,8 @@ SOURCE[../libcrypto]=\
 
 # FIPS module
 SOURCE[../providers/fips]=\
 
 # FIPS module
 SOURCE[../providers/fips]=\

-        cryptlib.c mem.c mem_clr.c params.c bsearch.c
+        cryptlib.c mem.c mem_clr.c params.c bsearch.c ex_data.c o_str.c \
+        threads_pthread.c threads_win.c threads_none.c context.c

 
 
 DEPEND[cversion.o]=buildinf.h
 
 
 DEPEND[cversion.o]=buildinf.h

diff --git a/crypto/context.c b/crypto/context.c
index be2d348fec272bcc84799be4985bd56774124c0c..7a976c027057c23060d6ee0d90f224030df95787 100644 (file)
--- a/crypto/context.c
+++ b/crypto/context.c
@@ -36,10 +36,10 @@ struct openssl_ctx_st {
 
 #ifndef FIPS_MODE
 static OPENSSL_CTX default_context_int;
 
 #ifndef FIPS_MODE
 static OPENSSL_CTX default_context_int;

-#endif

 
 /* Always points at default_context_int if it has been initialised */
 static OPENSSL_CTX *default_context = NULL;
 
 /* Always points at default_context_int if it has been initialised */
 static OPENSSL_CTX *default_context = NULL;

+#endif

 
 static int context_init(OPENSSL_CTX *ctx)
 {
 
 static int context_init(OPENSSL_CTX *ctx)
 {

diff --git a/crypto/provider_core.c b/crypto/provider_core.c
index 36af52717fdce42007e5296bf6d79ebeb97452ab..36692b6ce41f34aa4c4d483bbb04cc01cd480385 100644 (file)
--- a/crypto/provider_core.c
+++ b/crypto/provider_core.c
@@ -275,7 +275,9 @@ void ossl_provider_free(OSSL_PROVIDER *prov)
          * the store.  All we have to do here is clean it out.
          */
         if (ref == 0) {
          * the store.  All we have to do here is clean it out.
          */
         if (ref == 0) {

+#ifndef FIPS_MODE

             DSO_free(prov->module);
             DSO_free(prov->module);

+#endif

             OPENSSL_free(prov->name);
             OPENSSL_free(prov->path);
             sk_INFOPAIR_pop_free(prov->parameters, free_infopair);
             OPENSSL_free(prov->name);
             OPENSSL_free(prov->path);
             sk_INFOPAIR_pop_free(prov->parameters, free_infopair);


@@ -352,6 +354,9 @@ static int provider_activate(OSSL_PROVIDER *prov)
      * a loadable module.
      */
     if (prov->init_function == NULL) {
      * a loadable module.
      */
     if (prov->init_function == NULL) {

+#ifdef FIPS_MODE
+        return 0;
+#else

         if (prov->module == NULL) {
             char *allocated_path = NULL;
             const char *module_path = NULL;
         if (prov->module == NULL) {
             char *allocated_path = NULL;
             const char *module_path = NULL;


@@ -389,6 +394,7 @@ static int provider_activate(OSSL_PROVIDER *prov)
         if (prov->module != NULL)
             prov->init_function = (OSSL_provider_init_fn *)
                 DSO_bind_func(prov->module, "OSSL_provider_init");
         if (prov->module != NULL)
             prov->init_function = (OSSL_provider_init_fn *)
                 DSO_bind_func(prov->module, "OSSL_provider_init");

+#endif

     }
 
     if (prov->init_function == NULL
     }
 
     if (prov->init_function == NULL


@@ -396,8 +402,10 @@ static int provider_activate(OSSL_PROVIDER *prov)
                                 &prov->provctx)) {
         CRYPTOerr(CRYPTO_F_PROVIDER_ACTIVATE, ERR_R_INIT_FAIL);
         ERR_add_error_data(2, "name=", prov->name);
                                 &prov->provctx)) {
         CRYPTOerr(CRYPTO_F_PROVIDER_ACTIVATE, ERR_R_INIT_FAIL);
         ERR_add_error_data(2, "name=", prov->name);

+#ifndef FIPS_MODE

         DSO_free(prov->module);
         prov->module = NULL;
         DSO_free(prov->module);
         prov->module = NULL;

+#endif

         return 0;
     }
 
         return 0;
     }
 


@@ -557,13 +565,21 @@ const DSO *ossl_provider_dso(OSSL_PROVIDER *prov)
 
 const char *ossl_provider_module_name(OSSL_PROVIDER *prov)
 {
 
 const char *ossl_provider_module_name(OSSL_PROVIDER *prov)
 {

+#ifdef FIPS_MODE
+    return NULL;
+#else

     return DSO_get_filename(prov->module);
     return DSO_get_filename(prov->module);

+#endif

 }
 
 const char *ossl_provider_module_path(OSSL_PROVIDER *prov)
 {
 }
 
 const char *ossl_provider_module_path(OSSL_PROVIDER *prov)
 {

+#ifdef FIPS_MODE
+    return NULL;
+#else

     /* FIXME: Ensure it's a full path */
     return DSO_get_filename(prov->module);
     /* FIXME: Ensure it's a full path */
     return DSO_get_filename(prov->module);

+#endif

 }
 
 /* Wrappers around calls to the provider */
 }
 
 /* Wrappers around calls to the provider */


@@ -643,6 +659,8 @@ static int core_get_params(const OSSL_PROVIDER *prov, const OSSL_PARAM params[])
 static const OSSL_DISPATCH core_dispatch_[] = {
     { OSSL_FUNC_CORE_GET_PARAM_TYPES, (void (*)(void))core_get_param_types },
     { OSSL_FUNC_CORE_GET_PARAMS, (void (*)(void))core_get_params },
 static const OSSL_DISPATCH core_dispatch_[] = {
     { OSSL_FUNC_CORE_GET_PARAM_TYPES, (void (*)(void))core_get_param_types },
     { OSSL_FUNC_CORE_GET_PARAMS, (void (*)(void))core_get_params },

+    { OSSL_FUNC_CORE_PUT_ERROR, (void (*)(void))ERR_put_error },
+    { OSSL_FUNC_CORE_ADD_ERROR_VDATA, (void (*)(void))ERR_add_error_vdata },

     { 0, NULL }
 };
 static const OSSL_DISPATCH *core_dispatch = core_dispatch_;
     { 0, NULL }
 };
 static const OSSL_DISPATCH *core_dispatch = core_dispatch_;

diff --git a/crypto/provider_predefined.c b/crypto/provider_predefined.c
index d14cd5b96ea9454ddc9933061980901777397851..d1423b1c6ce6d0908ca5f8f43fe9380d9e820118 100644 (file)
--- a/crypto/provider_predefined.c
+++ b/crypto/provider_predefined.c
@@ -11,8 +11,13 @@
 #include "provider_local.h"
 
 OSSL_provider_init_fn ossl_default_provider_init;
 #include "provider_local.h"
 
 OSSL_provider_init_fn ossl_default_provider_init;

+OSSL_provider_init_fn fips_intern_provider_init;

 
 const struct predefined_providers_st predefined_providers[] = {
 
 const struct predefined_providers_st predefined_providers[] = {

+#ifdef FIPS_MODE
+    { "fips", fips_intern_provider_init, 1 },
+#else

     { "default", ossl_default_provider_init, 1 },
     { "default", ossl_default_provider_init, 1 },

+#endif

     { NULL, NULL, 0 }
 };
     { NULL, NULL, 0 }
 };

diff --git a/crypto/stack/build.info b/crypto/stack/build.info
index e5870210ac38744ec24d9452b3ed79178f6e206d..e4183e089c9e142d34dde1895c90d323a0704f70 100644 (file)
--- a/crypto/stack/build.info
+++ b/crypto/stack/build.info
@@ -1,2 +1,3 @@
 LIBS=../../libcrypto
 SOURCE[../../libcrypto]=stack.c
 LIBS=../../libcrypto
 SOURCE[../../libcrypto]=stack.c

+SOURCE[../../providers/fips]=stack.c

diff --git a/crypto/threads_pthread.c b/crypto/threads_pthread.c
index 0a6c903b8bb09dcf2a8804d6dde3c627fc632fe3..0d351ca6fa9ad79526d2b1af0b13a81ad2f9b663 100644 (file)
--- a/crypto/threads_pthread.c
+++ b/crypto/threads_pthread.c
@@ -175,7 +175,10 @@ int CRYPTO_atomic_add(int *val, int amount, int *ret, CRYPTO_RWLOCK *lock)
     return 1;
 }
 
     return 1;
 }
 

-# ifdef OPENSSL_SYS_UNIX
+# ifndef FIPS_MODE
+/* TODO(3.0): No fork protection in FIPS module yet! */
+
+#  ifdef OPENSSL_SYS_UNIX

 static pthread_once_t fork_once_control = PTHREAD_ONCE_INIT;
 
 static void fork_once_func(void)
 static pthread_once_t fork_once_control = PTHREAD_ONCE_INIT;
 
 static void fork_once_func(void)


@@ -183,14 +186,15 @@ static void fork_once_func(void)
     pthread_atfork(OPENSSL_fork_prepare,
                    OPENSSL_fork_parent, OPENSSL_fork_child);
 }
     pthread_atfork(OPENSSL_fork_prepare,
                    OPENSSL_fork_parent, OPENSSL_fork_child);
 }

-# endif
+#  endif

 
 int openssl_init_fork_handlers(void)
 {
 
 int openssl_init_fork_handlers(void)
 {

-# ifdef OPENSSL_SYS_UNIX
+#  ifdef OPENSSL_SYS_UNIX

     if (pthread_once(&fork_once_control, fork_once_func) == 0)
         return 1;
     if (pthread_once(&fork_once_control, fork_once_func) == 0)
         return 1;

-# endif
+#  endif

     return 0;
 }
     return 0;
 }

+# endif /* FIPS_MODE */

 #endif
 #endif

diff --git a/include/openssl/core_numbers.h b/include/openssl/core_numbers.h
index 8ce00c3e6fe3b127bd99e1668c52fa531de9024a..8d026f4a1738b35a47cdf3da2e4b18d1febf68d6 100644 (file)
--- a/include/openssl/core_numbers.h
+++ b/include/openssl/core_numbers.h
@@ -10,6 +10,7 @@
 #ifndef OSSL_CORE_NUMBERS_H
 # define OSSL_CORE_NUMBERS_H
 
 #ifndef OSSL_CORE_NUMBERS_H
 # define OSSL_CORE_NUMBERS_H
 

+# include <stdarg.h>

 # include <openssl/core.h>
 
 # ifdef __cplusplus
 # include <openssl/core.h>
 
 # ifdef __cplusplus


@@ -57,6 +58,12 @@ OSSL_CORE_MAKE_FUNC(const OSSL_ITEM *,
 # define OSSL_FUNC_CORE_GET_PARAMS             2
 OSSL_CORE_MAKE_FUNC(int,core_get_params,(const OSSL_PROVIDER *prov,
                                          const OSSL_PARAM params[]))
 # define OSSL_FUNC_CORE_GET_PARAMS             2
 OSSL_CORE_MAKE_FUNC(int,core_get_params,(const OSSL_PROVIDER *prov,
                                          const OSSL_PARAM params[]))

+# define OSSL_FUNC_CORE_PUT_ERROR              3
+OSSL_CORE_MAKE_FUNC(void,core_put_error,(int lib, int func, int reason,
+                                         const char *file, int line))
+# define OSSL_FUNC_CORE_ADD_ERROR_VDATA        4
+OSSL_CORE_MAKE_FUNC(void,core_add_error_vdata,(int num, va_list args))
+

 
 /* Functions provided by the provider to the Core, reserved numbers 1024-1535 */
 # define OSSL_FUNC_PROVIDER_TEARDOWN         1024
 
 /* Functions provided by the provider to the Core, reserved numbers 1024-1535 */
 # define OSSL_FUNC_PROVIDER_TEARDOWN         1024

diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c
index 1b8316388b31ab422ec8e0c6dba14cc19869613b..026dd2f9a98b3e159bd1f790e4dba7045df0e393 100644 (file)
--- a/providers/fips/fipsprov.c
+++ b/providers/fips/fipsprov.c
@@ -13,10 +13,14 @@
 #include <openssl/core_numbers.h>
 #include <openssl/core_names.h>
 #include <openssl/params.h>
 #include <openssl/core_numbers.h>
 #include <openssl/core_names.h>
 #include <openssl/params.h>

+#include <openssl/err.h>
+#include "internal/cryptlib.h"

 
 /* Functions provided by the core */
 static OSSL_core_get_param_types_fn *c_get_param_types = NULL;
 static OSSL_core_get_params_fn *c_get_params = NULL;
 
 /* Functions provided by the core */
 static OSSL_core_get_param_types_fn *c_get_param_types = NULL;
 static OSSL_core_get_params_fn *c_get_params = NULL;

+static OSSL_core_put_error_fn *c_put_error = NULL;
+static OSSL_core_add_error_vdata_fn *c_add_error_vdata = NULL;

 
 /* Parameters we provide to the core */
 static const OSSL_ITEM fips_param_types[] = {
 
 /* Parameters we provide to the core */
 static const OSSL_ITEM fips_param_types[] = {


@@ -26,6 +30,11 @@ static const OSSL_ITEM fips_param_types[] = {
     { 0, NULL }
 };
 
     { 0, NULL }
 };
 

+static void fips_teardown(void)
+{
+    do_default_context_deinit();
+}
+

 static const OSSL_ITEM *fips_get_param_types(const OSSL_PROVIDER *prov)
 {
     return fips_param_types;
 static const OSSL_ITEM *fips_get_param_types(const OSSL_PROVIDER *prov)
 {
     return fips_param_types;


@@ -70,6 +79,7 @@ static const OSSL_ALGORITHM *fips_query(OSSL_PROVIDER *prov,
 
 /* Functions we provide to the core */
 static const OSSL_DISPATCH fips_dispatch_table[] = {
 
 /* Functions we provide to the core */
 static const OSSL_DISPATCH fips_dispatch_table[] = {

+    { OSSL_FUNC_PROVIDER_TEARDOWN, (void (*)(void))fips_teardown },

     { OSSL_FUNC_PROVIDER_GET_PARAM_TYPES, (void (*)(void))fips_get_param_types },
     { OSSL_FUNC_PROVIDER_GET_PARAMS, (void (*)(void))fips_get_params },
     { OSSL_FUNC_PROVIDER_QUERY_OPERATION, (void (*)(void))fips_query },
     { OSSL_FUNC_PROVIDER_GET_PARAM_TYPES, (void (*)(void))fips_get_param_types },
     { OSSL_FUNC_PROVIDER_GET_PARAMS, (void (*)(void))fips_get_params },
     { OSSL_FUNC_PROVIDER_QUERY_OPERATION, (void (*)(void))fips_query },


@@ -89,6 +99,12 @@ int OSSL_provider_init(const OSSL_PROVIDER *provider,
         case OSSL_FUNC_CORE_GET_PARAMS:
             c_get_params = OSSL_get_core_get_params(in);
             break;
         case OSSL_FUNC_CORE_GET_PARAMS:
             c_get_params = OSSL_get_core_get_params(in);
             break;

+        case OSSL_FUNC_CORE_PUT_ERROR:
+            c_put_error = OSSL_get_core_put_error(in);
+            break;
+        case OSSL_FUNC_CORE_ADD_ERROR_VDATA:
+            c_add_error_vdata = OSSL_get_core_add_error_vdata(in);
+            break;

         /* Just ignore anything we don't understand */
         default:
             break;
         /* Just ignore anything we don't understand */
         default:
             break;


@@ -98,3 +114,39 @@ int OSSL_provider_init(const OSSL_PROVIDER *provider,
     *out = fips_dispatch_table;
     return 1;
 }
     *out = fips_dispatch_table;
     return 1;
 }

+
+OSSL_provider_init_fn fips_intern_provider_init;
+int fips_intern_provider_init(const OSSL_PROVIDER *provider,
+                              const OSSL_DISPATCH *in,
+                              const OSSL_DISPATCH **out)
+{
+    /*
+     * The internal init function used when the FIPS module uses EVP to call
+     * another algorithm also in the FIPS module.
+     */
+    return 1;
+}
+
+void ERR_put_error(int lib, int func, int reason, const char *file, int line)
+{
+    /*
+     * TODO(3.0): This works for the FIPS module because we're going to be
+     * using lib/func/reason codes that libcrypto already knows about. This
+     * won't work for third party providers that have their own error mechanisms,
+     * so we'll need to come up with something else for them.
+     */
+    c_put_error(lib, func, reason, file, line);
+}
+
+void ERR_add_error_data(int num, ...)
+{
+    va_list args;
+    va_start(args, num);
+    ERR_add_error_vdata(num, args);
+    va_end(args);
+}
+
+void ERR_add_error_vdata(int num, va_list args)
+{
+    c_add_error_vdata(num, args);
+}