mirror of
https://github.com/openssl/openssl.git
synced 2024-11-27 05:21:51 +08:00
Cleanup fips provider init
Removed dummy evp_test.
Changed all algorithm properties to use fips=yes (except for RAND_TEST). (This changes the DRBG and ECX settings.)
Removed unused includes.
Added TODO(3.0) for issue(s) that need to be resolved.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12498)
parent
7b9f218838
commit
dcb71e1c21
@ -7,27 +7,13 @@
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
#include <string.h>
|
||||
#include <stdio.h>
|
||||
#include <openssl/core.h>
|
||||
#include <openssl/core_dispatch.h>
|
||||
#include <openssl/core_names.h>
|
||||
#include <openssl/params.h>
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/kdf.h>
|
||||
|
||||
/* TODO(3.0): Needed for dummy_evp_call(). To be removed */
|
||||
#include <openssl/sha.h>
|
||||
#include <openssl/rand_drbg.h>
|
||||
#include <openssl/ec.h>
|
||||
#include <openssl/obj_mac.h> /* NIDs used by ossl_prov_util_nid_to_name() */
|
||||
#include <openssl/fips_names.h>
|
||||
|
||||
#include <openssl/rand_drbg.h> /* OPENSSL_CTX_get0_public_drbg() */
|
||||
#include "internal/cryptlib.h"
|
||||
#include "internal/property.h"
|
||||
#include "internal/nelem.h"
|
||||
#include "openssl/param_build.h"
|
||||
#include "crypto/evp.h"
|
||||
#include "prov/implementations.h"
|
||||
#include "prov/provider_ctx.h"
|
||||
#include "prov/providercommon.h"
|
||||
@ -35,6 +21,9 @@
|
||||
#include "prov/provider_util.h"
|
||||
#include "self_test.h"
|
||||
|
||||
static const char FIPS_DEFAULT_PROPERTIES[] = "provider=fips,fips=yes";
|
||||
static const char FIPS_UNAPPROVED_PROPERTIES[] = "provider=fips,fips=no";
|
||||
|
||||
/*
|
||||
* Forward declarations to ensure that interface functions are correctly
|
||||
* defined.
|
||||
@ -44,7 +33,7 @@ static OSSL_FUNC_provider_gettable_params_fn fips_gettable_params;
|
||||
static OSSL_FUNC_provider_get_params_fn fips_get_params;
|
||||
static OSSL_FUNC_provider_query_operation_fn fips_query;
|
||||
|
||||
#define ALGC(NAMES, FUNC, CHECK) { { NAMES, "provider=fips,fips=yes", FUNC }, CHECK }
|
||||
#define ALGC(NAMES, FUNC, CHECK) { { NAMES, FIPS_DEFAULT_PROPERTIES, FUNC }, CHECK }
|
||||
#define ALG(NAMES, FUNC) ALGC(NAMES, FUNC, NULL)
|
||||
|
||||
extern OSSL_FUNC_core_thread_start_fn *c_thread_start;
|
||||
@ -137,87 +126,6 @@ static OSSL_PARAM core_params[] =
|
||||
OSSL_PARAM_END
|
||||
};
|
||||
|
||||
/* TODO(3.0): To be removed */
|
||||
static int dummy_evp_call(OPENSSL_CTX *libctx)
|
||||
{
|
||||
EVP_MD_CTX *ctx = EVP_MD_CTX_new();
|
||||
EVP_MD *sha256 = EVP_MD_fetch(libctx, "SHA256", NULL);
|
||||
EVP_KDF *kdf = EVP_KDF_fetch(libctx, OSSL_KDF_NAME_PBKDF2, NULL);
|
||||
unsigned char dgst[SHA256_DIGEST_LENGTH];
|
||||
unsigned int dgstlen;
|
||||
int ret = 0;
|
||||
BN_CTX *bnctx = NULL;
|
||||
BIGNUM *a = NULL, *b = NULL;
|
||||
unsigned char randbuf[128];
|
||||
RAND_DRBG *drbg = OPENSSL_CTX_get0_public_drbg(libctx);
|
||||
#ifndef OPENSSL_NO_EC
|
||||
EC_KEY *key = NULL;
|
||||
#endif
|
||||
|
||||
static const char msg[] = "Hello World!";
|
||||
static const unsigned char exptd[] = {
|
||||
0x7f, 0x83, 0xb1, 0x65, 0x7f, 0xf1, 0xfc, 0x53, 0xb9, 0x2d, 0xc1, 0x81,
|
||||
0x48, 0xa1, 0xd6, 0x5d, 0xfc, 0x2d, 0x4b, 0x1f, 0xa3, 0xd6, 0x77, 0x28,
|
||||
0x4a, 0xdd, 0xd2, 0x00, 0x12, 0x6d, 0x90, 0x69
|
||||
};
|
||||
|
||||
if (ctx == NULL || sha256 == NULL || drbg == NULL || kdf == NULL)
|
||||
goto err;
|
||||
|
||||
if (!EVP_DigestInit_ex(ctx, sha256, NULL))
|
||||
goto err;
|
||||
if (!EVP_DigestUpdate(ctx, msg, sizeof(msg) - 1))
|
||||
goto err;
|
||||
if (!EVP_DigestFinal(ctx, dgst, &dgstlen))
|
||||
goto err;
|
||||
if (dgstlen != sizeof(exptd) || memcmp(dgst, exptd, sizeof(exptd)) != 0)
|
||||
goto err;
|
||||
|
||||
bnctx = BN_CTX_new_ex(libctx);
|
||||
if (bnctx == NULL)
|
||||
goto err;
|
||||
BN_CTX_start(bnctx);
|
||||
a = BN_CTX_get(bnctx);
|
||||
b = BN_CTX_get(bnctx);
|
||||
if (b == NULL)
|
||||
goto err;
|
||||
BN_zero(a);
|
||||
if (!BN_one(b)
|
||||
|| !BN_add(a, a, b)
|
||||
|| BN_cmp(a, b) != 0)
|
||||
goto err;
|
||||
|
||||
if (RAND_DRBG_bytes(drbg, randbuf, sizeof(randbuf)) <= 0)
|
||||
goto err;
|
||||
|
||||
if (!BN_rand_ex(a, 256, BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY, bnctx))
|
||||
goto err;
|
||||
|
||||
#ifndef OPENSSL_NO_EC
|
||||
/* Do some dummy EC calls */
|
||||
key = EC_KEY_new_by_curve_name_with_libctx(libctx, NULL, NID_X9_62_prime256v1);
|
||||
if (key == NULL)
|
||||
goto err;
|
||||
|
||||
if (!EC_KEY_generate_key(key))
|
||||
goto err;
|
||||
#endif
|
||||
|
||||
ret = 1;
|
||||
err:
|
||||
BN_CTX_end(bnctx);
|
||||
BN_CTX_free(bnctx);
|
||||
|
||||
EVP_KDF_free(kdf);
|
||||
EVP_MD_CTX_free(ctx);
|
||||
EVP_MD_free(sha256);
|
||||
|
||||
#ifndef OPENSSL_NO_EC
|
||||
EC_KEY_free(key);
|
||||
#endif
|
||||
return ret;
|
||||
}
|
||||
|
||||
static const OSSL_PARAM *fips_gettable_params(void *provctx)
|
||||
{
|
||||
return fips_param_types;
|
||||
@ -241,6 +149,7 @@ static int fips_get_params(void *provctx, OSSL_PARAM params[])
|
||||
}
|
||||
|
||||
/* FIPS specific version of the function of the same name in provlib.c */
|
||||
/* TODO(3.0) - Is this function needed ? */
|
||||
const char *ossl_prov_util_nid_to_name(int nid)
|
||||
{
|
||||
/* We don't have OBJ_nid2n() in FIPS_MODULE so we have an explicit list */
|
||||
@ -362,32 +271,32 @@ const char *ossl_prov_util_nid_to_name(int nid)
|
||||
*/
|
||||
static const OSSL_ALGORITHM fips_digests[] = {
|
||||
/* Our primary name:NiST name[:our older names] */
|
||||
{ "SHA1:SHA-1", "provider=fips,fips=yes", sha1_functions },
|
||||
{ "SHA2-224:SHA-224:SHA224", "provider=fips,fips=yes", sha224_functions },
|
||||
{ "SHA2-256:SHA-256:SHA256", "provider=fips,fips=yes", sha256_functions },
|
||||
{ "SHA2-384:SHA-384:SHA384", "provider=fips,fips=yes", sha384_functions },
|
||||
{ "SHA2-512:SHA-512:SHA512", "provider=fips,fips=yes", sha512_functions },
|
||||
{ "SHA2-512/224:SHA-512/224:SHA512-224", "provider=fips,fips=yes",
|
||||
{ "SHA1:SHA-1", FIPS_DEFAULT_PROPERTIES, sha1_functions },
|
||||
{ "SHA2-224:SHA-224:SHA224", FIPS_DEFAULT_PROPERTIES, sha224_functions },
|
||||
{ "SHA2-256:SHA-256:SHA256", FIPS_DEFAULT_PROPERTIES, sha256_functions },
|
||||
{ "SHA2-384:SHA-384:SHA384", FIPS_DEFAULT_PROPERTIES, sha384_functions },
|
||||
{ "SHA2-512:SHA-512:SHA512", FIPS_DEFAULT_PROPERTIES, sha512_functions },
|
||||
{ "SHA2-512/224:SHA-512/224:SHA512-224", FIPS_DEFAULT_PROPERTIES,
|
||||
sha512_224_functions },
|
||||
{ "SHA2-512/256:SHA-512/256:SHA512-256", "provider=fips,fips=yes",
|
||||
{ "SHA2-512/256:SHA-512/256:SHA512-256", FIPS_DEFAULT_PROPERTIES,
|
||||
sha512_256_functions },
|
||||
|
||||
/* We agree with NIST here, so one name only */
|
||||
{ "SHA3-224", "provider=fips,fips=yes", sha3_224_functions },
|
||||
{ "SHA3-256", "provider=fips,fips=yes", sha3_256_functions },
|
||||
{ "SHA3-384", "provider=fips,fips=yes", sha3_384_functions },
|
||||
{ "SHA3-512", "provider=fips,fips=yes", sha3_512_functions },
|
||||
{ "SHA3-224", FIPS_DEFAULT_PROPERTIES, sha3_224_functions },
|
||||
{ "SHA3-256", FIPS_DEFAULT_PROPERTIES, sha3_256_functions },
|
||||
{ "SHA3-384", FIPS_DEFAULT_PROPERTIES, sha3_384_functions },
|
||||
{ "SHA3-512", FIPS_DEFAULT_PROPERTIES, sha3_512_functions },
|
||||
|
||||
{ "SHAKE-128:SHAKE128", "provider=fips,fips=yes", shake_128_functions },
|
||||
{ "SHAKE-256:SHAKE256", "provider=fips,fips=yes", shake_256_functions },
|
||||
{ "SHAKE-128:SHAKE128", FIPS_DEFAULT_PROPERTIES, shake_128_functions },
|
||||
{ "SHAKE-256:SHAKE256", FIPS_DEFAULT_PROPERTIES, shake_256_functions },
|
||||
|
||||
/*
|
||||
* KECCAK-KMAC-128 and KECCAK-KMAC-256 as hashes are mostly useful for
|
||||
* KMAC128 and KMAC256.
|
||||
*/
|
||||
{ "KECCAK-KMAC-128:KECCAK-KMAC128", "provider=fips,fips=yes",
|
||||
{ "KECCAK-KMAC-128:KECCAK-KMAC128", FIPS_DEFAULT_PROPERTIES,
|
||||
keccak_kmac_128_functions },
|
||||
{ "KECCAK-KMAC-256:KECCAK-KMAC256", "provider=fips,fips=yes",
|
||||
{ "KECCAK-KMAC-256:KECCAK-KMAC256", FIPS_DEFAULT_PROPERTIES,
|
||||
keccak_kmac_256_functions },
|
||||
{ NULL, NULL, NULL }
|
||||
};
|
||||
@ -453,80 +362,80 @@ static OSSL_ALGORITHM exported_fips_ciphers[OSSL_NELEM(fips_ciphers)];
|
||||
|
||||
static const OSSL_ALGORITHM fips_macs[] = {
|
||||
#ifndef OPENSSL_NO_CMAC
|
||||
{ "CMAC", "provider=fips,fips=yes", cmac_functions },
|
||||
{ "CMAC", FIPS_DEFAULT_PROPERTIES, cmac_functions },
|
||||
#endif
|
||||
{ "GMAC", "provider=fips,fips=yes", gmac_functions },
|
||||
{ "HMAC", "provider=fips,fips=yes", hmac_functions },
|
||||
{ "KMAC-128:KMAC128", "provider=fips,fips=yes", kmac128_functions },
|
||||
{ "KMAC-256:KMAC256", "provider=fips,fips=yes", kmac256_functions },
|
||||
{ "GMAC", FIPS_DEFAULT_PROPERTIES, gmac_functions },
|
||||
{ "HMAC", FIPS_DEFAULT_PROPERTIES, hmac_functions },
|
||||
{ "KMAC-128:KMAC128", FIPS_DEFAULT_PROPERTIES, kmac128_functions },
|
||||
{ "KMAC-256:KMAC256", FIPS_DEFAULT_PROPERTIES, kmac256_functions },
|
||||
{ NULL, NULL, NULL }
|
||||
};
|
||||
|
||||
static const OSSL_ALGORITHM fips_kdfs[] = {
|
||||
{ "HKDF", "provider=fips,fips=yes", kdf_hkdf_functions },
|
||||
{ "SSKDF", "provider=fips,fips=yes", kdf_sskdf_functions },
|
||||
{ "PBKDF2", "provider=fips,fips=yes", kdf_pbkdf2_functions },
|
||||
{ "SSHKDF", "provider=fips,fips=yes", kdf_sshkdf_functions },
|
||||
{ "X963KDF", "provider=fips,fips=yes", kdf_x963_kdf_functions },
|
||||
{ "TLS1-PRF", "provider=fips,fips=yes", kdf_tls1_prf_functions },
|
||||
{ "KBKDF", "provider=fips,fips=yes", kdf_kbkdf_functions },
|
||||
{ "HKDF", FIPS_DEFAULT_PROPERTIES, kdf_hkdf_functions },
|
||||
{ "SSKDF", FIPS_DEFAULT_PROPERTIES, kdf_sskdf_functions },
|
||||
{ "PBKDF2", FIPS_DEFAULT_PROPERTIES, kdf_pbkdf2_functions },
|
||||
{ "SSHKDF", FIPS_DEFAULT_PROPERTIES, kdf_sshkdf_functions },
|
||||
{ "X963KDF", FIPS_DEFAULT_PROPERTIES, kdf_x963_kdf_functions },
|
||||
{ "TLS1-PRF", FIPS_DEFAULT_PROPERTIES, kdf_tls1_prf_functions },
|
||||
{ "KBKDF", FIPS_DEFAULT_PROPERTIES, kdf_kbkdf_functions },
|
||||
{ NULL, NULL, NULL }
|
||||
};
|
||||
|
||||
static const OSSL_ALGORITHM fips_rands[] = {
|
||||
{ "CTR-DRBG", "provider=fips", drbg_ctr_functions },
|
||||
{ "HASH-DRBG", "provider=fips", drbg_hash_functions },
|
||||
{ "HMAC-DRBG", "provider=fips", drbg_hmac_functions },
|
||||
{ "TEST-RAND", "provider=fips", test_rng_functions },
|
||||
{ "CTR-DRBG", FIPS_DEFAULT_PROPERTIES, drbg_ctr_functions },
|
||||
{ "HASH-DRBG", FIPS_DEFAULT_PROPERTIES, drbg_hash_functions },
|
||||
{ "HMAC-DRBG", FIPS_DEFAULT_PROPERTIES, drbg_hmac_functions },
|
||||
{ "TEST-RAND", FIPS_UNAPPROVED_PROPERTIES, test_rng_functions },
|
||||
{ NULL, NULL, NULL }
|
||||
};
|
||||
|
||||
static const OSSL_ALGORITHM fips_keyexch[] = {
|
||||
#ifndef OPENSSL_NO_DH
|
||||
{ "DH:dhKeyAgreement", "provider=fips,fips=yes", dh_keyexch_functions },
|
||||
{ "DH:dhKeyAgreement", FIPS_DEFAULT_PROPERTIES, dh_keyexch_functions },
|
||||
#endif
|
||||
#ifndef OPENSSL_NO_EC
|
||||
{ "ECDH", "provider=fips,fips=yes", ecdh_keyexch_functions },
|
||||
{ "X25519", "provider=fips,fips=no", x25519_keyexch_functions },
|
||||
{ "X448", "provider=fips,fips=no", x448_keyexch_functions },
|
||||
{ "ECDH", FIPS_DEFAULT_PROPERTIES, ecdh_keyexch_functions },
|
||||
{ "X25519", FIPS_DEFAULT_PROPERTIES, x25519_keyexch_functions },
|
||||
{ "X448", FIPS_DEFAULT_PROPERTIES, x448_keyexch_functions },
|
||||
#endif
|
||||
{ NULL, NULL, NULL }
|
||||
};
|
||||
|
||||
static const OSSL_ALGORITHM fips_signature[] = {
|
||||
#ifndef OPENSSL_NO_DSA
|
||||
{ "DSA:dsaEncryption", "provider=fips,fips=yes", dsa_signature_functions },
|
||||
{ "DSA:dsaEncryption", FIPS_DEFAULT_PROPERTIES, dsa_signature_functions },
|
||||
#endif
|
||||
{ "RSA:rsaEncryption", "provider=fips,fips=yes", rsa_signature_functions },
|
||||
{ "RSA:rsaEncryption", FIPS_DEFAULT_PROPERTIES, rsa_signature_functions },
|
||||
#ifndef OPENSSL_NO_EC
|
||||
{ "ED25519", "provider=fips,fips=no", ed25519_signature_functions },
|
||||
{ "ED448", "provider=fips,fips=no", ed448_signature_functions },
|
||||
{ "ECDSA", "provider=fips,fips=yes", ecdsa_signature_functions },
|
||||
{ "ED25519", FIPS_DEFAULT_PROPERTIES, ed25519_signature_functions },
|
||||
{ "ED448", FIPS_DEFAULT_PROPERTIES, ed448_signature_functions },
|
||||
{ "ECDSA", FIPS_DEFAULT_PROPERTIES, ecdsa_signature_functions },
|
||||
#endif
|
||||
{ NULL, NULL, NULL }
|
||||
};
|
||||
|
||||
static const OSSL_ALGORITHM fips_asym_cipher[] = {
|
||||
{ "RSA:rsaEncryption", "provider=fips,fips=yes", rsa_asym_cipher_functions },
|
||||
{ "RSA:rsaEncryption", FIPS_DEFAULT_PROPERTIES, rsa_asym_cipher_functions },
|
||||
{ NULL, NULL, NULL }
|
||||
};
|
||||
|
||||
static const OSSL_ALGORITHM fips_keymgmt[] = {
|
||||
#ifndef OPENSSL_NO_DH
|
||||
{ "DH:dhKeyAgreement", "provider=fips,fips=yes", dh_keymgmt_functions },
|
||||
{ "DH:dhKeyAgreement", FIPS_DEFAULT_PROPERTIES, dh_keymgmt_functions },
|
||||
#endif
|
||||
#ifndef OPENSSL_NO_DSA
|
||||
{ "DSA", "provider=fips,fips=yes", dsa_keymgmt_functions },
|
||||
{ "DSA", FIPS_DEFAULT_PROPERTIES, dsa_keymgmt_functions },
|
||||
#endif
|
||||
{ "RSA:rsaEncryption", "provider=fips,fips=yes", rsa_keymgmt_functions },
|
||||
{ "RSA-PSS:RSASSA-PSS", "provider=fips,fips=yes",
|
||||
{ "RSA:rsaEncryption", FIPS_DEFAULT_PROPERTIES, rsa_keymgmt_functions },
|
||||
{ "RSA-PSS:RSASSA-PSS", FIPS_DEFAULT_PROPERTIES,
|
||||
rsapss_keymgmt_functions },
|
||||
#ifndef OPENSSL_NO_EC
|
||||
{ "EC:id-ecPublicKey", "provider=fips,fips=yes", ec_keymgmt_functions },
|
||||
{ "X25519", "provider=fips,fips=no", x25519_keymgmt_functions },
|
||||
{ "X448", "provider=fips,fips=no", x448_keymgmt_functions },
|
||||
{ "ED25519", "provider=fips,fips=no", ed25519_keymgmt_functions },
|
||||
{ "ED448", "provider=fips,fips=no", ed448_keymgmt_functions },
|
||||
{ "EC:id-ecPublicKey", FIPS_DEFAULT_PROPERTIES, ec_keymgmt_functions },
|
||||
{ "X25519", FIPS_DEFAULT_PROPERTIES, x25519_keymgmt_functions },
|
||||
{ "X448", FIPS_DEFAULT_PROPERTIES, x448_keymgmt_functions },
|
||||
{ "ED25519", FIPS_DEFAULT_PROPERTIES, ed25519_keymgmt_functions },
|
||||
{ "ED448", FIPS_DEFAULT_PROPERTIES, ed448_keymgmt_functions },
|
||||
#endif
|
||||
{ NULL, NULL, NULL }
|
||||
};
|
||||
@ -732,12 +641,8 @@ int OSSL_provider_init(const OSSL_CORE_HANDLE *handle,
|
||||
goto err;
|
||||
}
|
||||
|
||||
/*
|
||||
* TODO(3.0): Remove me. This is just a dummy call to demonstrate making
|
||||
* EVP calls from within the FIPS module.
|
||||
*/
|
||||
if (!dummy_evp_call(libctx))
|
||||
goto err;
|
||||
/* TODO(3.0): Tests will hang if this is removed */
|
||||
(void)OPENSSL_CTX_get0_public_drbg(libctx);
|
||||
|
||||
*out = fips_dispatch_table;
|
||||
return 1;
|
||||
|
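Review bot: The X25519, X448, ED25519 and ED448 entries in fips_keyexch, fips_signature and fips_keymgmt move from `"provider=fips,fips=no"` to `FIPS_DEFAULT_PROPERTIES`, so a fetch with the property query `fips=yes` will now select them, and nothing in the code records why. The description mentions the ECX change only in passing. If these algorithms are outside the approved set for the intended validation (not confirmable from this page), they should use `FIPS_UNAPPROVED_PROPERTIES` as TEST-RAND does, e.g. `{ "X25519", FIPS_UNAPPROVED_PROPERTIES, x25519_keyexch_functions },`; otherwise a comment above the entries stating the approval basis would help. Separately, in the last hunk `(void)OPENSSL_CTX_get0_public_drbg(libctx);` discards the result, whereas the removed dummy_evp_call() failed provider init when the DRBG was NULL; consider `if (OPENSSL_CTX_get0_public_drbg(libctx) == NULL) goto err;`. OSSL_provider_init begins and ends outside that hunk, so the err path is not visible here.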