The branch master has been updated
via 0be2cc5eb3faa2c79a705fee5977fa49841c1799 (commit)
via 1576dfe090c9566737f026b7d66a9dd7657e499a (commit)
via e75455173bd0024ce11a83686bc9dad614068455 (commit)
via 9efa0ae0b602c1c0e356009a58410a2e8b80201a (commit)
from ecbfaef2aad61fae0c29c04287913af11981b82e (commit)
- Log -----------------------------------------------------------------
commit 0be2cc5eb3faa2c79a705fee5977fa49841c1799
Author: Matt Caswell <m...@openssl.org>
Date: Thu Mar 21 16:41:25 2019 +0000
Complain if there are missing symbols when creating a provider .so file
Reviewed-by: Richard Levitte <levi...@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8537)
commit 1576dfe090c9566737f026b7d66a9dd7657e499a
Author: Matt Caswell <m...@openssl.org>
Date: Thu Mar 21 11:57:35 2019 +0000
Test that we can use the FIPS provider
Reviewed-by: Richard Levitte <levi...@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8537)
commit e75455173bd0024ce11a83686bc9dad614068455
Author: Matt Caswell <m...@openssl.org>
Date: Wed Mar 20 14:29:05 2019 +0000
Add a no-fips Configure option
Reviewed-by: Richard Levitte <levi...@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8537)
commit 9efa0ae0b602c1c0e356009a58410a2e8b80201a
Author: Matt Caswell <m...@openssl.org>
Date: Wed Mar 20 14:27:52 2019 +0000
Create a FIPS provider and put SHA256 in it
Reviewed-by: Richard Levitte <levi...@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8537)
-----------------------------------------------------------------------
Summary of changes:
Configurations/shared-info.pl | 1 +
Configure | 7 +-
INSTALL | 3 +
crypto/build.info | 5 ++
crypto/mem.c | 12 +--
crypto/params.c | 8 ++
crypto/sha/build.info | 2 +
providers/build.info | 11 +++
providers/common/digests/build.info | 4 +-
providers/fips/build.info | 2 +
providers/{default/defltprov.c => fips/fipsprov.c} | 38 +++++-----
test/build.info | 3 +
test/evp_extra_test.c | 86 +++++++++++++++++-----
test/recipes/30-test_evp_extra.t | 5 +-
14 files changed, 139 insertions(+), 48 deletions(-)
create mode 100644 providers/fips/build.info
copy providers/{default/defltprov.c => fips/fipsprov.c} (66%)
diff --git a/Configurations/shared-info.pl b/Configurations/shared-info.pl
index 3df12a3..f821ad7 100644
--- a/Configurations/shared-info.pl
+++ b/Configurations/shared-info.pl
@@ -32,6 +32,7 @@ my %shared_info;
return {
%{$shared_info{'gnu-shared'}},
shared_defflag => '-Wl,--version-script=',
+ dso_ldflags => '-z defs',
};
},
'bsd-gcc-shared' => sub { return $shared_info{'linux-shared'}; },
diff --git a/Configure b/Configure
index 62f4af5..6702bc6 100755
--- a/Configure
+++ b/Configure
@@ -369,6 +369,7 @@ my @disablables = (
"err",
"external-tests",
"filenames",
+ "fips",
"fuzz-libfuzzer",
"fuzz-afl",
"gost",
@@ -512,6 +513,8 @@ my @disable_cascades = (
# or modules.
"pic" => [ "shared", "module" ],
+ "module" => [ "fips" ],
+
"engine" => [ grep /eng$/, @disablables ],
"hw" => [ "padlockeng" ],
@@ -1221,8 +1224,8 @@ foreach my $what (sort keys %disabled) {
$config{options} .= " no-$what";
- if (!grep { $what eq $_ } ( 'buildtest-c++', 'threads', 'shared', 'module',
- 'pic', 'dynamic-engine', 'makedepend',
+ if (!grep { $what eq $_ } ( 'buildtest-c++', 'fips', 'threads', 'shared',
+ 'module', 'pic', 'dynamic-engine',
'makedepend',
'zlib-dynamic', 'zlib', 'sse2' )) {
(my $WHAT = uc $what) =~ s|-|_|g;
my $skipdir = $what;
diff --git a/INSTALL b/INSTALL
index 5185033..c496e79 100644
--- a/INSTALL
+++ b/INSTALL
@@ -394,6 +394,9 @@
Don't compile in filename and line number information (e.g.
for errors and memory allocation).
+ no-fips
+ Don't compile the FIPS module
+
enable-fuzz-libfuzzer, enable-fuzz-afl
Build with support for fuzzing using either libfuzzer or
AFL.
These are developer options only. They may not work on all
diff --git a/crypto/build.info b/crypto/build.info
index a6f3524..77dcffb 100644
--- a/crypto/build.info
+++ b/crypto/build.info
@@ -21,6 +21,11 @@ SOURCE[../libcrypto]=\
trace.c provider.c params.c \
{- $target{cpuid_asm_src} -} {- $target{uplink_aux_src} -}
+# FIPS module
+SOURCE[../providers/fips]=\
+ cryptlib.c mem.c mem_clr.c params.c
+
+
DEPEND[cversion.o]=buildinf.h
GENERATE[buildinf.h]=../util/mkbuildinf.pl "$(CC) $(LIB_CFLAGS) $(CPPFLAGS_Q)"
"$(PLATFORM)"
DEPEND[buildinf.h]=../configdata.pm
diff --git a/crypto/mem.c b/crypto/mem.c
index 5feece3..562d6b5 100644
--- a/crypto/mem.c
+++ b/crypto/mem.c
@@ -14,7 +14,7 @@
#include <stdlib.h>
#include <limits.h>
#include <openssl/crypto.h>
-#ifndef OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE
+#if !defined(OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE) && !defined(FIPS_MODE)
# include <execinfo.h>
#endif
@@ -30,7 +30,7 @@ static void *(*realloc_impl)(void *, size_t, const char *,
int)
static void (*free_impl)(void *, const char *, int)
= CRYPTO_free;
-#ifndef OPENSSL_NO_CRYPTO_MDEBUG
+#if !defined(OPENSSL_NO_CRYPTO_MDEBUG) && !defined(FIPS_MODE)
# include "internal/tsan_assist.h"
static TSAN_QUALIFIER int malloc_count;
@@ -94,7 +94,7 @@ void CRYPTO_get_mem_functions(
*f = free_impl;
}
-#ifndef OPENSSL_NO_CRYPTO_MDEBUG
+#if !defined(OPENSSL_NO_CRYPTO_MDEBUG) && !defined(FIPS_MODE)
void CRYPTO_get_alloc_counts(int *mcount, int *rcount, int *fcount)
{
if (mcount != NULL)
@@ -209,7 +209,7 @@ void *CRYPTO_malloc(size_t num, const char *file, int line)
*/
allow_customize = 0;
}
-#ifndef OPENSSL_NO_CRYPTO_MDEBUG
+#if !defined(OPENSSL_NO_CRYPTO_MDEBUG) && !defined(FIPS_MODE)
if (call_malloc_debug) {
CRYPTO_mem_debug_malloc(NULL, num, 0, file, line);
ret = malloc(num);
@@ -250,7 +250,7 @@ void *CRYPTO_realloc(void *str, size_t num, const char
*file, int line)
return NULL;
}
-#ifndef OPENSSL_NO_CRYPTO_MDEBUG
+#if !defined(OPENSSL_NO_CRYPTO_MDEBUG) && !defined(FIPS_MODE)
if (call_malloc_debug) {
void *ret;
CRYPTO_mem_debug_realloc(str, NULL, num, 0, file, line);
@@ -300,7 +300,7 @@ void CRYPTO_free(void *str, const char *file, int line)
return;
}
-#ifndef OPENSSL_NO_CRYPTO_MDEBUG
+#if !defined(OPENSSL_NO_CRYPTO_MDEBUG) && !defined(FIPS_MODE)
if (call_malloc_debug) {
CRYPTO_mem_debug_free(str, 0, file, line);
free(str);
diff --git a/crypto/params.c b/crypto/params.c
index 367b2ab..8eef736 100644
--- a/crypto/params.c
+++ b/crypto/params.c
@@ -348,6 +348,13 @@ OSSL_PARAM OSSL_PARAM_construct_size_t(const char *key,
size_t *buf,
return ossl_param_construct(key, OSSL_PARAM_UNSIGNED_INTEGER, buf,
sizeof(size_t), rsize); }
+#ifndef FIPS_MODE
+/*
+ * TODO(3.0): Make this available in FIPS mode.
+ *
+ * Temporarily we don't include these functions in FIPS mode to avoid pulling
+ * in the entire BN sub-library into the module at this point.
+ */
int OSSL_PARAM_get_BN(const OSSL_PARAM *p, BIGNUM **val)
{
BIGNUM *b;
@@ -387,6 +394,7 @@ OSSL_PARAM OSSL_PARAM_construct_BN(const char *key,
unsigned char *buf,
return ossl_param_construct(key, OSSL_PARAM_UNSIGNED_INTEGER,
buf, bsize, rsize);
}
+#endif
int OSSL_PARAM_get_double(const OSSL_PARAM *p, double *val)
{
diff --git a/crypto/sha/build.info b/crypto/sha/build.info
index 58d15bb..242a08e 100644
--- a/crypto/sha/build.info
+++ b/crypto/sha/build.info
@@ -3,6 +3,8 @@ SOURCE[../../libcrypto]=\
sha1dgst.c sha1_one.c sha256.c sha512.c {- $target{sha1_asm_src} -} \
{- $target{keccak1600_asm_src} -}
+SOURCE[../../providers/fips]= sha256.c
+
GENERATE[sha1-586.s]=asm/sha1-586.pl \
$(PERLASM_SCHEME) $(LIB_CFLAGS) $(LIB_CPPFLAGS) $(PROCESSOR)
DEPEND[sha1-586.s]=../perlasm/x86asm.pl
diff --git a/providers/build.info b/providers/build.info
index ec4162b..b2b5384 100644
--- a/providers/build.info
+++ b/providers/build.info
@@ -1 +1,12 @@
SUBDIRS=common default
+
+IF[{- !$disabled{fips} -}]
+ SUBDIRS=fips
+ MODULES=fips
+ IF[{- defined $target{shared_defflag} -}]
+ SOURCE[fips]=fips.ld
+ GENERATE[fips.ld]=../util/providers.num
+ ENDIF
+ INCLUDE[fips]=.. ../include ../crypto/include
+ DEFINE[fips]=FIPS_MODE
+ENDIF
diff --git a/providers/common/digests/build.info
b/providers/common/digests/build.info
index a3c2369..b98df29 100644
--- a/providers/common/digests/build.info
+++ b/providers/common/digests/build.info
@@ -1,3 +1,5 @@
-LIBS=../../../libcrypto
SOURCE[../../../libcrypto]=\
sha2.c
+
+SOURCE[../../fips]=\
+ sha2.c
diff --git a/providers/fips/build.info b/providers/fips/build.info
new file mode 100644
index 0000000..9372062
--- /dev/null
+++ b/providers/fips/build.info
@@ -0,0 +1,2 @@
+
+SOURCE[../fips]=fipsprov.c
diff --git a/providers/default/defltprov.c b/providers/fips/fipsprov.c
similarity index 66%
copy from providers/default/defltprov.c
copy to providers/fips/fipsprov.c
index 9b52429..d3671b5 100644
--- a/providers/default/defltprov.c
+++ b/providers/fips/fipsprov.c
@@ -19,25 +19,25 @@ static OSSL_core_get_param_types_fn *c_get_param_types =
NULL;
static OSSL_core_get_params_fn *c_get_params = NULL;
/* Parameters we provide to the core */
-static const OSSL_ITEM deflt_param_types[] = {
+static const OSSL_ITEM fips_param_types[] = {
{ OSSL_PARAM_UTF8_PTR, OSSL_PROV_PARAM_NAME },
{ OSSL_PARAM_UTF8_PTR, OSSL_PROV_PARAM_VERSION },
{ OSSL_PARAM_UTF8_PTR, OSSL_PROV_PARAM_BUILDINFO },
{ 0, NULL }
};
-static const OSSL_ITEM *deflt_get_param_types(const OSSL_PROVIDER *prov)
+static const OSSL_ITEM *fips_get_param_types(const OSSL_PROVIDER *prov)
{
- return deflt_param_types;
+ return fips_param_types;
}
-static int deflt_get_params(const OSSL_PROVIDER *prov,
+static int fips_get_params(const OSSL_PROVIDER *prov,
const OSSL_PARAM params[])
{
const OSSL_PARAM *p;
p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_NAME);
- if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "OpenSSL Default Provider"))
+ if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "OpenSSL FIPS Provider"))
return 0;
p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_VERSION);
if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_VERSION_STR))
@@ -51,36 +51,34 @@ static int deflt_get_params(const OSSL_PROVIDER *prov,
extern const OSSL_DISPATCH sha256_functions[];
-static const OSSL_ALGORITHM deflt_digests[] = {
- { "SHA256", "default=yes", sha256_functions },
+static const OSSL_ALGORITHM fips_digests[] = {
+ { "SHA256", "fips=yes", sha256_functions },
{ NULL, NULL, NULL }
};
-static const OSSL_ALGORITHM *deflt_query(OSSL_PROVIDER *prov,
+static const OSSL_ALGORITHM *fips_query(OSSL_PROVIDER *prov,
int operation_id,
int *no_cache)
{
*no_cache = 0;
switch (operation_id) {
case OSSL_OP_DIGEST:
- return deflt_digests;
+ return fips_digests;
}
return NULL;
}
/* Functions we provide to the core */
-static const OSSL_DISPATCH deflt_dispatch_table[] = {
- { OSSL_FUNC_PROVIDER_GET_PARAM_TYPES, (void
(*)(void))deflt_get_param_types },
- { OSSL_FUNC_PROVIDER_GET_PARAMS, (void (*)(void))deflt_get_params },
- { OSSL_FUNC_PROVIDER_QUERY_OPERATION, (void (*)(void))deflt_query },
+static const OSSL_DISPATCH fips_dispatch_table[] = {
+ { OSSL_FUNC_PROVIDER_GET_PARAM_TYPES, (void (*)(void))fips_get_param_types
},
+ { OSSL_FUNC_PROVIDER_GET_PARAMS, (void (*)(void))fips_get_params },
+ { OSSL_FUNC_PROVIDER_QUERY_OPERATION, (void (*)(void))fips_query },
{ 0, NULL }
};
-OSSL_provider_init_fn ossl_default_provider_init;
-
-int ossl_default_provider_init(const OSSL_PROVIDER *provider,
- const OSSL_DISPATCH *in,
- const OSSL_DISPATCH **out)
+int OSSL_provider_init(const OSSL_PROVIDER *provider,
+ const OSSL_DISPATCH *in,
+ const OSSL_DISPATCH **out)
{
for (; in->function_id != 0; in++) {
switch (in->function_id) {
@@ -90,12 +88,12 @@ int ossl_default_provider_init(const OSSL_PROVIDER
*provider,
case OSSL_FUNC_CORE_GET_PARAMS:
c_get_params = OSSL_get_core_get_params(in);
break;
+ /* Just ignore anything we don't understand */
default:
- /* Just ignore anything we don't understand */
break;
}
}
- *out = deflt_dispatch_table;
+ *out = fips_dispatch_table;
return 1;
}
diff --git a/test/build.info b/test/build.info
index 8bf286e..ded3bd7 100644
--- a/test/build.info
+++ b/test/build.info
@@ -186,6 +186,9 @@ IF[{- !$disabled{tests} -}]
SOURCE[evp_extra_test]=evp_extra_test.c
INCLUDE[evp_extra_test]=../include ../apps/include ../crypto/include
DEPEND[evp_extra_test]=../libcrypto libtestutil.a
+ IF[{- $disabled{fips} || !$target{dso_scheme} -}]
+ DEFINE[evp_extra_test]=NO_FIPS_MODULE
+ ENDIF
SOURCE[igetest]=igetest.c
INCLUDE[igetest]=../include ../apps/include
diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c
index d09eb31..724a144 100644
--- a/test/evp_extra_test.c
+++ b/test/evp_extra_test.c
@@ -1098,12 +1098,14 @@ static int calculate_digest(const EVP_MD *md, const
char *msg, size_t len,
* Test 0: Test with the default OPENSSL_CTX
* Test 1: Test with an explicit OPENSSL_CTX
* Test 2: Explicit OPENSSL_CTX with explicit load of default provider
+ * Test 3: Explicit OPENSSL_CTX with explicit load of default and fips provider
+ * Test 4: Explicit OPENSSL_CTX with explicit load of fips provider
*/
static int test_EVP_MD_fetch(int tst)
{
OPENSSL_CTX *ctx = NULL;
EVP_MD *md = NULL;
- OSSL_PROVIDER *prov = NULL;
+ OSSL_PROVIDER *defltprov = NULL, *fipsprov = NULL;
int ret = 0;
const char testmsg[] = "Hello world";
const unsigned char exptd[] = {
@@ -1117,9 +1119,14 @@ static int test_EVP_MD_fetch(int tst)
if (!TEST_ptr(ctx))
goto err;
- if (tst == 2) {
- prov = OSSL_PROVIDER_load(ctx, "default");
- if (!TEST_ptr(prov))
+ if (tst == 2 || tst == 3) {
+ defltprov = OSSL_PROVIDER_load(ctx, "default");
+ if (!TEST_ptr(defltprov))
+ goto err;
+ }
+ if (tst == 3 || tst == 4) {
+ fipsprov = OSSL_PROVIDER_load(ctx, "fips");
+ if (!TEST_ptr(fipsprov))
goto err;
}
}
@@ -1132,8 +1139,8 @@ static int test_EVP_MD_fetch(int tst)
goto err;
/*
- * Test that without loading any providers or specifying any properties we
- * can get a sha256 md from the default provider.
+ * Test that without specifying any properties we can get a sha256 md from
a
+ * provider.
*/
if (!TEST_ptr(md = EVP_MD_fetch(ctx, "SHA256", NULL))
|| !TEST_ptr(md)
@@ -1152,28 +1159,67 @@ static int test_EVP_MD_fetch(int tst)
md = NULL;
/*
- * We've only loaded the default provider so explicitly asking for a
- * non-default implementation should fail.
+ * In tests 0 - 2 we've only loaded the default provider so explicitly
+ * asking for a non-default implementation should fail. In tests 3 and 4 we
+ * have the FIPS provider loaded so we should succeed in that case.
*/
- if (!TEST_ptr_null(md = EVP_MD_fetch(ctx, "SHA256", "default=no")))
- goto err;
+ md = EVP_MD_fetch(ctx, "SHA256", "default=no");
+ if (tst == 3 || tst == 4) {
+ if (!TEST_ptr(md)
+ || !TEST_true(calculate_digest(md, testmsg, sizeof(testmsg),
+ exptd)))
+ goto err;
+ } else {
+ if (!TEST_ptr_null(md))
+ goto err;
+ }
- /* Explicitly asking for the default implementation should succeeed */
- if (!TEST_ptr(md = EVP_MD_fetch(ctx, "SHA256", "default=yes"))
- || !TEST_int_eq(EVP_MD_nid(md), NID_sha256)
- || !TEST_true(calculate_digest(md, testmsg, sizeof(testmsg),
exptd))
- || !TEST_int_eq(EVP_MD_size(md), SHA256_DIGEST_LENGTH)
- || !TEST_int_eq(EVP_MD_block_size(md), SHA256_CBLOCK))
- goto err;
+ EVP_MD_meth_free(md);
+ md = NULL;
+
+ /*
+ * Explicitly asking for the default implementation should succeeed except
+ * in test 4 where the default provider is not loaded.
+ */
+ md = EVP_MD_fetch(ctx, "SHA256", "default=yes");
+ if (tst != 4) {
+ if (!TEST_ptr(md)
+ || !TEST_int_eq(EVP_MD_nid(md), NID_sha256)
+ || !TEST_true(calculate_digest(md, testmsg, sizeof(testmsg),
+ exptd))
+ || !TEST_int_eq(EVP_MD_size(md), SHA256_DIGEST_LENGTH)
+ || !TEST_int_eq(EVP_MD_block_size(md), SHA256_CBLOCK))
+ goto err;
+ } else {
+ if (!TEST_ptr_null(md))
+ goto err;
+ }
EVP_MD_meth_free(md);
md = NULL;
+ /*
+ * Explicitly asking for a fips implementation should succeed if we have
+ * the FIPS provider loaded and fail otherwise
+ */
+ md = EVP_MD_fetch(ctx, "SHA256", "fips=yes");
+ if (tst == 3 || tst == 4) {
+ if (!TEST_ptr(md)
+ || !TEST_true(calculate_digest(md, testmsg, sizeof(testmsg),
+ exptd)))
+ goto err;
+ } else {
+ if (!TEST_ptr_null(md))
+ goto err;
+ }
+
+
ret = 1;
err:
EVP_MD_meth_free(md);
- OSSL_PROVIDER_unload(prov);
+ OSSL_PROVIDER_unload(defltprov);
+ OSSL_PROVIDER_unload(fipsprov);
OPENSSL_CTX_free(ctx);
return ret;
}
@@ -1207,6 +1253,10 @@ int setup_tests(void)
ADD_ALL_TESTS(test_invalide_ec_char2_pub_range_decode,
OSSL_NELEM(ec_der_pub_keys));
#endif
+#ifdef NO_FIPS_MODULE
ADD_ALL_TESTS(test_EVP_MD_fetch, 3);
+#else
+ ADD_ALL_TESTS(test_EVP_MD_fetch, 5);
+#endif
return 1;
}
diff --git a/test/recipes/30-test_evp_extra.t b/test/recipes/30-test_evp_extra.t
index 98ecf26..b6fd97a 100644
--- a/test/recipes/30-test_evp_extra.t
+++ b/test/recipes/30-test_evp_extra.t
@@ -10,9 +10,12 @@
use strict;
use warnings;
-use OpenSSL::Test;
+use OpenSSL::Test qw/:DEFAULT bldtop_dir/;
setup("test_evp_extra");
plan tests => 1;
+
+$ENV{OPENSSL_MODULES} = bldtop_dir("providers");
+
ok(run(test(["evp_extra_test"])), "running evp_extra_test");
