From 319e518a5ae17fb8def2bd9209675acbaa6c22c2 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Mon, 13 May 2019 06:41:06 +0100 Subject: Make some EVP code available from within the FIPS module Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/8728) --- providers/fips/fipsprov.c | 79 ++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 71 insertions(+), 8 deletions(-) (limited to 'providers') diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c index 026dd2f..801a9fd 100644 --- a/providers/fips/fipsprov.c +++ b/providers/fips/fipsprov.c @@ -14,7 +14,12 @@ #include #include #include +#include +/* TODO(3.0): Needed for dummy_evp_call(). To be removed */ +#include #include "internal/cryptlib.h" +#include "internal/property.h" +#include "internal/evp_int.h" /* Functions provided by the core */ static OSSL_core_get_param_types_fn *c_get_param_types = NULL; @@ -30,9 +35,38 @@ static const OSSL_ITEM fips_param_types[] = { { 0, NULL } }; -static void fips_teardown(void) +/* TODO(3.0): To be removed */ +static int dummy_evp_call(OPENSSL_CTX *libctx) { - do_default_context_deinit(); + EVP_MD_CTX *ctx = EVP_MD_CTX_new(); + EVP_MD *sha256 = EVP_MD_fetch(libctx, "SHA256", NULL); + char msg[] = "Hello World!"; + const unsigned char exptd[] = { + 0x7f, 0x83, 0xb1, 0x65, 0x7f, 0xf1, 0xfc, 0x53, 0xb9, 0x2d, 0xc1, 0x81, + 0x48, 0xa1, 0xd6, 0x5d, 0xfc, 0x2d, 0x4b, 0x1f, 0xa3, 0xd6, 0x77, 0x28, + 0x4a, 0xdd, 0xd2, 0x00, 0x12, 0x6d, 0x90, 0x69 + }; + unsigned int dgstlen = 0; + unsigned char dgst[SHA256_DIGEST_LENGTH]; + int ret = 0; + + if (ctx == NULL || sha256 == NULL) + goto err; + + if (!EVP_DigestInit_ex(ctx, sha256, NULL)) + goto err; + if (!EVP_DigestUpdate(ctx, msg, sizeof(msg) - 1)) + goto err; + if (!EVP_DigestFinal(ctx, dgst, &dgstlen)) + goto err; + if (dgstlen != sizeof(exptd) || memcmp(dgst, exptd, sizeof(exptd)) != 0) + goto err; + + ret = 1; + err: + EVP_MD_CTX_free(ctx); + EVP_MD_meth_free(sha256); + return ret; } static const OSSL_ITEM *fips_get_param_types(const OSSL_PROVIDER *prov) @@ -79,18 +113,31 @@ static const OSSL_ALGORITHM *fips_query(OSSL_PROVIDER *prov, /* Functions we provide to the core */ static const OSSL_DISPATCH fips_dispatch_table[] = { - { OSSL_FUNC_PROVIDER_TEARDOWN, (void (*)(void))fips_teardown }, + /* + * To release our resources we just need to free the OPENSSL_CTX so we just + * use OPENSSL_CTX_free directly as our teardown function + */ + { OSSL_FUNC_PROVIDER_TEARDOWN, (void (*)(void))OPENSSL_CTX_free }, { OSSL_FUNC_PROVIDER_GET_PARAM_TYPES, (void (*)(void))fips_get_param_types }, { OSSL_FUNC_PROVIDER_GET_PARAMS, (void (*)(void))fips_get_params }, { OSSL_FUNC_PROVIDER_QUERY_OPERATION, (void (*)(void))fips_query }, { 0, NULL } }; +/* Functions we provide to ourself */ +static const OSSL_DISPATCH intern_dispatch_table[] = { + { OSSL_FUNC_PROVIDER_QUERY_OPERATION, (void (*)(void))fips_query }, + { 0, NULL } +}; + + int OSSL_provider_init(const OSSL_PROVIDER *provider, const OSSL_DISPATCH *in, const OSSL_DISPATCH **out, void **provctx) { + OPENSSL_CTX *ctx; + for (; in->function_id != 0; in++) { switch (in->function_id) { case OSSL_FUNC_CORE_GET_PARAM_TYPES: @@ -111,19 +158,35 @@ int OSSL_provider_init(const OSSL_PROVIDER *provider, } } + ctx = OPENSSL_CTX_new(); + if (ctx == NULL) + return 0; + + /* + * TODO(3.0): Remove me. This is just a dummy call to demonstrate making + * EVP calls from within the FIPS module. + */ + if (!dummy_evp_call(ctx)) { + OPENSSL_CTX_free(ctx); + return 0; + } + *out = fips_dispatch_table; + *provctx = ctx; return 1; } +/* + * The internal init function used when the FIPS module uses EVP to call + * another algorithm also in the FIPS module. + */ OSSL_provider_init_fn fips_intern_provider_init; int fips_intern_provider_init(const OSSL_PROVIDER *provider, const OSSL_DISPATCH *in, - const OSSL_DISPATCH **out) + const OSSL_DISPATCH **out, + void **provctx) { - /* - * The internal init function used when the FIPS module uses EVP to call - * another algorithm also in the FIPS module. - */ + *out = intern_dispatch_table; return 1; } -- cgit v1.1