Skip to content

Commit

Permalink
Ensure method flags are compatible with FIPS mode OpenSSL (#46)
Browse files Browse the repository at this point in the history
+ Copy flags from base methods for RSA and EVP methods
+ Specify the normally unused FIPS flags for ciphers and digests
  • Loading branch information
samuel-lee-msft authored May 3, 2022
1 parent 2962228 commit 055d83b
Show file tree
Hide file tree
Showing 4 changed files with 26 additions and 19 deletions.
16 changes: 7 additions & 9 deletions SymCryptEngine/src/scossl.c
Original file line number Diff line number Diff line change
Expand Up @@ -60,8 +60,8 @@ static SCOSSL_STATUS scossl_bind_engine(ENGINE* e)
scossl_module_initialized = 1;
}

scossl_rsa_method = RSA_meth_dup(RSA_PKCS1_OpenSSL());
scossl_eckey_method = EC_KEY_METHOD_new(EC_KEY_OpenSSL());
scossl_rsa_method = RSA_meth_new("SCOSSL (SymCrypt engine for OpenSSL) RSA Method", 0);
// scossl_dsa_method = DSA_meth_dup(DSA_OpenSSL());
scossl_dh_method = DH_meth_dup(DH_OpenSSL());

Expand All @@ -76,6 +76,7 @@ static SCOSSL_STATUS scossl_bind_engine(ENGINE* e)

/* Setup RSA_METHOD */
if( (scossl_rsa_idx = RSA_get_ex_new_index(0, NULL, NULL, NULL, NULL)) == -1
|| !RSA_meth_set1_name(scossl_rsa_method, "SCOSSL (SymCrypt engine for OpenSSL) RSA Method")
|| !RSA_meth_set_pub_enc(scossl_rsa_method, scossl_rsa_pub_enc)
|| !RSA_meth_set_priv_dec(scossl_rsa_method, scossl_rsa_priv_dec)
|| !RSA_meth_set_priv_enc(scossl_rsa_method, scossl_rsa_priv_enc)
Expand All @@ -92,12 +93,12 @@ static SCOSSL_STATUS scossl_bind_engine(ENGINE* e)
goto end;
}

if( (scossl_eckey_idx = EC_KEY_get_ex_new_index(0, NULL, NULL, NULL, NULL)) == -1)
/* Setup EC_METHOD */
if( (scossl_eckey_idx = EC_KEY_get_ex_new_index(0, NULL, NULL, NULL, NULL)) == -1 )
{
goto end;
}

/* Setup EC_METHOD */
EC_KEY_METHOD_set_init(scossl_eckey_method,
NULL, // eckey_init - lazily initialize ex_data only when the engine needs to
scossl_eckey_finish,
Expand Down Expand Up @@ -128,13 +129,10 @@ static SCOSSL_STATUS scossl_bind_engine(ENGINE* e)
// goto end;
// }

if( (scossl_dh_idx = DH_get_ex_new_index(0, NULL, NULL, NULL, NULL)) == -1)
{
goto end;
}

// /* Setup DH METHOD */
if ( !DH_meth_set_generate_key(scossl_dh_method, scossl_dh_generate_key)
if ( (scossl_dh_idx = DH_get_ex_new_index(0, NULL, NULL, NULL, NULL)) == -1
|| !DH_meth_set1_name(scossl_dh_method, "SCOSSL (SymCrypt engine for OpenSSL) DH Method")
|| !DH_meth_set_generate_key(scossl_dh_method, scossl_dh_generate_key)
|| !DH_meth_set_compute_key(scossl_dh_method, scossl_dh_compute_key)
|| !DH_meth_set_finish(scossl_dh_method, scossl_dh_finish)
)
Expand Down
11 changes: 7 additions & 4 deletions SymCryptEngine/src/scossl_ciphers.c
Original file line number Diff line number Diff line change
Expand Up @@ -144,7 +144,7 @@ SCOSSL_STATUS scossl_aes_cbc_cipher(
_Inout_ EVP_CIPHER_CTX *ctx, _Out_ unsigned char *out, _In_reads_bytes_(inl) const unsigned char *in, size_t inl);
static SCOSSL_STATUS scossl_aes_cbc_ctrl(_In_ EVP_CIPHER_CTX *ctx, int type, int arg, _Inout_ void *ptr);
#define AES_CBC_FLAGS (EVP_CIPH_FLAG_DEFAULT_ASN1|EVP_CIPH_CBC_MODE|EVP_CIPH_CUSTOM_COPY \
|EVP_CIPH_ALWAYS_CALL_INIT)
|EVP_CIPH_ALWAYS_CALL_INIT|EVP_CIPH_FLAG_FIPS)

/* AES128 - CBC */
static EVP_CIPHER *_hidden_aes_128_cbc = NULL;
Expand Down Expand Up @@ -205,7 +205,8 @@ SCOSSL_STATUS scossl_aes_ecb_init_key(
SCOSSL_STATUS scossl_aes_ecb_cipher(
_Inout_ EVP_CIPHER_CTX *ctx, _Out_ unsigned char *out, _In_reads_bytes_(inl) const unsigned char *in, size_t inl);
static SCOSSL_STATUS scossl_aes_ecb_ctrl(_In_ EVP_CIPHER_CTX *ctx, int type, int arg, _Inout_ void *ptr);
#define AES_ECB_FLAGS (EVP_CIPH_FLAG_DEFAULT_ASN1|EVP_CIPH_ECB_MODE|EVP_CIPH_CUSTOM_COPY)
#define AES_ECB_FLAGS (EVP_CIPH_FLAG_DEFAULT_ASN1|EVP_CIPH_ECB_MODE|EVP_CIPH_CUSTOM_COPY \
|EVP_CIPH_FLAG_FIPS)

/* AES128 - ecb */
static EVP_CIPHER *_hidden_aes_128_ecb = NULL;
Expand Down Expand Up @@ -313,7 +314,8 @@ SCOSSL_RETURNLENGTH scossl_aes_gcm_cipher(
static _Success_(return > 0) int scossl_aes_gcm_ctrl(_Inout_ EVP_CIPHER_CTX *ctx, int type, int arg, _Inout_ void *ptr);
#define AES_GCM_FLAGS (EVP_CIPH_FLAG_DEFAULT_ASN1|EVP_CIPH_GCM_MODE|EVP_CIPH_CUSTOM_COPY \
|EVP_CIPH_CUSTOM_IV|EVP_CIPH_CUSTOM_IV_LENGTH|EVP_CIPH_FLAG_CUSTOM_CIPHER \
|EVP_CIPH_ALWAYS_CALL_INIT|EVP_CIPH_CTRL_INIT|EVP_CIPH_FLAG_AEAD_CIPHER)
|EVP_CIPH_ALWAYS_CALL_INIT|EVP_CIPH_CTRL_INIT|EVP_CIPH_FLAG_AEAD_CIPHER \
|EVP_CIPH_FLAG_FIPS)

/* AES128 - GCM */
static EVP_CIPHER *_hidden_aes_128_gcm = NULL;
Expand Down Expand Up @@ -373,7 +375,8 @@ SCOSSL_RETURNLENGTH scossl_aes_ccm_cipher(
static _Success_(return > 0) int scossl_aes_ccm_ctrl(_Inout_ EVP_CIPHER_CTX *ctx, int type, int arg, _Inout_ void *ptr);
#define AES_CCM_FLAGS (EVP_CIPH_FLAG_DEFAULT_ASN1|EVP_CIPH_CCM_MODE|EVP_CIPH_CUSTOM_COPY \
|EVP_CIPH_CUSTOM_IV|EVP_CIPH_CUSTOM_IV_LENGTH|EVP_CIPH_FLAG_CUSTOM_CIPHER \
|EVP_CIPH_ALWAYS_CALL_INIT|EVP_CIPH_CTRL_INIT|EVP_CIPH_FLAG_AEAD_CIPHER)
|EVP_CIPH_ALWAYS_CALL_INIT|EVP_CIPH_CTRL_INIT|EVP_CIPH_FLAG_AEAD_CIPHER \
|EVP_CIPH_FLAG_FIPS )

/* AES128 - CCM */
static EVP_CIPHER *_hidden_aes_128_ccm = NULL;
Expand Down
8 changes: 4 additions & 4 deletions SymCryptEngine/src/scossl_digests.c
Original file line number Diff line number Diff line change
Expand Up @@ -53,7 +53,7 @@ static const EVP_MD *scossl_digest_sha1(void)
|| !EVP_MD_meth_set_result_size(_hidden_sha1_md, SHA_DIGEST_LENGTH)
|| !EVP_MD_meth_set_input_blocksize(_hidden_sha1_md, SHA_CBLOCK)
|| !EVP_MD_meth_set_app_datasize(_hidden_sha1_md, sizeof(SYMCRYPT_SHA1_STATE))
|| !EVP_MD_meth_set_flags(_hidden_sha1_md, EVP_MD_FLAG_DIGALGID_ABSENT)
|| !EVP_MD_meth_set_flags(_hidden_sha1_md, EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS)
|| !EVP_MD_meth_set_init(_hidden_sha1_md, scossl_digest_sha1_init)
|| !EVP_MD_meth_set_update(_hidden_sha1_md, scossl_digest_sha1_update)
|| !EVP_MD_meth_set_final(_hidden_sha1_md, scossl_digest_sha1_final)
Expand All @@ -78,7 +78,7 @@ static const EVP_MD *scossl_digest_sha256(void)
|| !EVP_MD_meth_set_result_size(_hidden_sha256_md, SHA256_DIGEST_LENGTH)
|| !EVP_MD_meth_set_input_blocksize(_hidden_sha256_md, SHA256_CBLOCK)
|| !EVP_MD_meth_set_app_datasize(_hidden_sha256_md, sizeof(SYMCRYPT_SHA256_STATE))
|| !EVP_MD_meth_set_flags(_hidden_sha256_md, EVP_MD_FLAG_DIGALGID_ABSENT)
|| !EVP_MD_meth_set_flags(_hidden_sha256_md, EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS)
|| !EVP_MD_meth_set_init(_hidden_sha256_md, scossl_digest_sha256_init)
|| !EVP_MD_meth_set_update(_hidden_sha256_md, scossl_digest_sha256_update)
|| !EVP_MD_meth_set_final(_hidden_sha256_md, scossl_digest_sha256_final)
Expand All @@ -103,7 +103,7 @@ static const EVP_MD *scossl_digest_sha384(void)
|| !EVP_MD_meth_set_result_size(_hidden_sha384_md, SHA384_DIGEST_LENGTH)
|| !EVP_MD_meth_set_input_blocksize(_hidden_sha384_md, SHA512_CBLOCK)
|| !EVP_MD_meth_set_app_datasize(_hidden_sha384_md, sizeof(SYMCRYPT_SHA384_STATE))
|| !EVP_MD_meth_set_flags(_hidden_sha384_md, EVP_MD_FLAG_DIGALGID_ABSENT)
|| !EVP_MD_meth_set_flags(_hidden_sha384_md, EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS)
|| !EVP_MD_meth_set_init(_hidden_sha384_md, scossl_digest_sha384_init)
|| !EVP_MD_meth_set_update(_hidden_sha384_md, scossl_digest_sha384_update)
|| !EVP_MD_meth_set_final(_hidden_sha384_md, scossl_digest_sha384_final)
Expand All @@ -128,7 +128,7 @@ static const EVP_MD *scossl_digest_sha512(void)
|| !EVP_MD_meth_set_result_size(_hidden_sha512_md, SHA512_DIGEST_LENGTH)
|| !EVP_MD_meth_set_input_blocksize(_hidden_sha512_md, SHA512_CBLOCK)
|| !EVP_MD_meth_set_app_datasize(_hidden_sha512_md, sizeof(SYMCRYPT_SHA512_STATE))
|| !EVP_MD_meth_set_flags(_hidden_sha512_md, EVP_MD_FLAG_DIGALGID_ABSENT)
|| !EVP_MD_meth_set_flags(_hidden_sha512_md, EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS)
|| !EVP_MD_meth_set_init(_hidden_sha512_md, scossl_digest_sha512_init)
|| !EVP_MD_meth_set_update(_hidden_sha512_md, scossl_digest_sha512_update)
|| !EVP_MD_meth_set_final(_hidden_sha512_md, scossl_digest_sha512_final)
Expand Down
10 changes: 8 additions & 2 deletions SymCryptEngine/src/scossl_pkey_meths.c
Original file line number Diff line number Diff line change
Expand Up @@ -158,8 +158,11 @@ static EVP_PKEY_METHOD *scossl_pkey_tls1_prf(void)
{
int (*pctrl) (EVP_PKEY_CTX *ctx, int type, int p1, void *p2) = NULL;
int (*pctrl_str) (EVP_PKEY_CTX *ctx, const char *type, const char *value) = NULL;
int flags = 0;

EVP_PKEY_meth_get0_info( NULL, &flags, _openssl_pkey_tls1_prf );

if((_scossl_pkey_tls1_prf = EVP_PKEY_meth_new(EVP_PKEY_TLS1_PRF, 0)) != NULL)
if((_scossl_pkey_tls1_prf = EVP_PKEY_meth_new(EVP_PKEY_TLS1_PRF, flags)) != NULL)
{
// Use the default ctrl_str implementation, internally calls our ctrl method
EVP_PKEY_meth_get_ctrl(_openssl_pkey_tls1_prf, &pctrl, &pctrl_str);
Expand All @@ -180,8 +183,11 @@ static EVP_PKEY_METHOD *scossl_pkey_hkdf(void)
{
int (*pctrl) (EVP_PKEY_CTX *ctx, int type, int p1, void *p2) = NULL;
int (*pctrl_str) (EVP_PKEY_CTX *ctx, const char *type, const char *value) = NULL;
int flags = 0;

EVP_PKEY_meth_get0_info( NULL, &flags, _openssl_pkey_hkdf );

if((_scossl_pkey_hkdf = EVP_PKEY_meth_new(EVP_PKEY_HKDF, 0)) != NULL)
if((_scossl_pkey_hkdf = EVP_PKEY_meth_new(EVP_PKEY_HKDF, flags)) != NULL)
{
// Use the default ctrl_str implementation, internally calls our ctrl method
EVP_PKEY_meth_get_ctrl(_openssl_pkey_hkdf, &pctrl, &pctrl_str);
Expand Down

0 comments on commit 055d83b

Please sign in to comment.