Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fips openssl patch 3 f1 #23

Draft
wants to merge 5 commits into
base: main
Choose a base branch
from
Draft

Fips openssl patch 3 f1 #23

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
86de767
support test for SymCrypt Openssl
xumia Jul 5, 2022
79dbc93
Add evpciph test back
xumia Jul 7, 2022
27dfde2
Move the change to e_ossltest.c to the test patch
xumia Jul 7, 2022
ef21548
Revert the change in test/testutil/main.c
xumia Jul 12, 2022
7eae306
Revert rules/openssl.mk change
xumia Jul 12, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
29 changes: 28 additions & 1 deletion .azure-pipelins/build-template.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -62,8 +62,35 @@ jobs:
set -ex
sudo mkdir -p $HOME
sudo pip3 install -r src/SymCrypt/scripts/requirements.txt
ARCH=${{ parameters.arch }} make symcrypt
sudo dpkg -i target/symcrypt-openssl*.deb
displayName: 'Build and install symcrypt'
- script: |
set -ex
ARCH=${{ parameters.arch }} make openssl
sudo dpkg -i target/libssl*.deb target/openssl*.deb
displayName: 'Build and install openssl'
- script: |
set -ex
sudo mkdir -p /etc/fips
echo 1 | sudo tee /etc/fips/fips_enable
openssl engine -v | grep -i symcrypt
pushd src/openssl
git clean -xdf
git checkout -- .
popd

ARCH=${{ parameters.arch }} TARGET_PATH=target-test make openssl
echo 0 | sudo tee /etc/fips/fips_enable
displayName: 'Test openssl with fips enabled'

- script: |
ARCH=${{ parameters.arch }} make all
displayName: 'Build'
displayName: 'Build others'
- publish: $(System.DefaultWorkingDirectory)/target
artifact: fips-symcrypt-${{ parameters.arch }}
displayName: "Archive packages"
- publish: $(Build.ArtifactStagingDirectory)
condition: failed()
artifact: '$fips-symcrypt-${{ parameters.arch }}-(System.JobAttempt)'
displayName: "Archive failed packages"
2 changes: 1 addition & 1 deletion .gitignore
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1 +1 @@
target
target*
2 changes: 1 addition & 1 deletion Makefile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ SHELL = /bin/bash
ARCH ?= amd64
SRC_PATH = src
RULES_PATH = rules
TARGET_PATH = target
TARGET_PATH ?= target
ROOT := $(shell pwd)
DEST = $(ROOT)/$(TARGET_PATH)

Expand Down
8 changes: 6 additions & 2 deletions src/SymCrypt-OpenSSL-Debian/Makefile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,7 @@ LIB_INSTALL_NAME = arm-linux-gnueabihf
endif

INSTALL_PATH = $(BUILD_ROOT_DIR)/usr/lib/$(LIB_INSTALL_NAME)
ENGINES_PATH = $(INSTALL_PATH)/engines-1.1
DEBIAN_DIR = $(BUILD_ROOT_DIR)/DEBIAN

ROOT_PATH = $(shell realpath $(shell pwd)/../..)
Expand All @@ -46,20 +47,23 @@ $(LIBSYMCRYPT):

$(LIBSYMCRYPTENGINE): $(LIBSYMCRYPT)
cd ../SymCrypt-OpenSSL
cp $(LIBSYMCRYPT) ./
cp -P $(DEST)/libsymcrypt.so* ./
mkdir -p bin
cd bin
cmake .. -DCMAKE_TOOLCHAIN_FILE=../cmake-toolchain/LinuxUserMode-$(CMAKE_ARCH).cmake -DSYMCRYPT_ROOT_DIR=$(ROOT_PATH)/src/SymCrypt -DCMAKE_BUILD_TYPE=$(CMAKE_BUILD_TYPE)
cmake --build .
rm ../libsymcrypt.so
rm ../libsymcrypt.so*
cp SymCryptEngine/dynamic/symcryptengine.so $(LIBSYMCRYPTENGINE)

$(TARGET): $(DEPENDS)
mkdir -p $(INSTALL_PATH)
mkdir -p $(ENGINES_PATH)
mkdir -p $(DEBIAN_DIR)
mkdir -p $(BUILD_ROOT_DIR)/usr/lib/ssl
cp -a $(DEST)/libsymcrypt.so* $(INSTALL_PATH)/
cp $(LIBSYMCRYPTENGINE) $(INSTALL_PATH)
ln -sf $(shell basename $(LIBSYMCRYPTENGINE)) $(INSTALL_PATH)/symcryptengine.so
ln -sf ../$(shell basename $(LIBSYMCRYPTENGINE)) $(ENGINES_PATH)/symcryptengine.so
chmod o+r $(INSTALL_PATH)/*
cp -rf debian/* $(DEBIAN_DIR)/
cp openssl.cnf $(BUILD_ROOT_DIR)/usr/lib/ssl/openssl-fips.cnf
Expand Down
126 changes: 109 additions & 17 deletions src/openssl.patch/10-support-fips-mode.patch
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,8 +1,76 @@
diff --git a/crypto/init.c b/crypto/init.c
index 1b0d523bea..af171bda16 100644
index 1b0d523bea..31fbd42cd2 100644
--- a/crypto/init.c
+++ b/crypto/init.c
@@ -612,6 +612,70 @@ void OPENSSL_cleanup(void)
@@ -404,6 +404,67 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_engine_afalg)
# endif
#endif

+# ifndef OPENSSL_NO_SYMCRYPT_ENGINE
+static CRYPTO_ONCE engine_symcrypt = CRYPTO_ONCE_STATIC_INIT;
+DEFINE_RUN_ONCE_STATIC(ossl_init_engine_symcrypt)
+{
+ int ret = 0;
+
+ // Get the default engine directory from the environment - may be NULL
+ char* load_dir = ossl_safe_getenv("OPENSSL_ENGINES");
+
+ #ifdef ENGINESDIR
+ // Use the default engines directory, if defined
+ if(load_dir == NULL)
+ {
+ load_dir = ENGINESDIR;
+ }
+ #endif
+
+ ENGINE *dynamic = NULL;
+ ENGINE *symcrypt = NULL;
+
+ dynamic = ENGINE_by_id("dynamic");
+ if (!dynamic)
+ goto err;
+
+ // Add the engines directory to the list of directories to load from and specify that loading
+ // from the directory list is mandatory (via DIR_LOAD = 2). Otherwise OpenSSL will try to load
+ // the engine from the default ld search path, fail, and skip loading from the engines dir.
+ if (!ENGINE_ctrl_cmd_string(dynamic, "DIR_ADD", load_dir, 0))
+ goto err;
+ if (!ENGINE_ctrl_cmd_string(dynamic, "DIR_LOAD", "2", 0))
+ goto err;
+ if (!ENGINE_ctrl_cmd_string(dynamic, "SO_PATH", "symcryptengine.so", 0))
+ goto err;
+ if (!ENGINE_ctrl_cmd_string(dynamic, "ID", "symcrypt", 0))
+ goto err;
+ if (!ENGINE_ctrl_cmd_string(dynamic, "LIST_ADD", "2", 0))
+ goto err;
+ if (!ENGINE_ctrl_cmd_string(dynamic, "LOAD", NULL, 0))
+ goto err;
+
+ symcrypt = ENGINE_by_id("symcrypt");
+ if (!symcrypt)
+ goto err;
+
+ // Make SymCrypt the default engine for all algorithms
+ if (!ENGINE_set_default_string(symcrypt, "ALL"))
+ goto err;
+
+err:
+ ENGINE_free(symcrypt);
+ ENGINE_free(dynamic);
+
+# ifdef OPENSSL_INIT_DEBUG
+ fprintf(stderr, "OPENSSL_INIT: ossl_init_engine_symcrypt: %d\n",
+ ret);
+# endif
+
+ return ret;
+}
+# endif
+
#ifndef OPENSSL_NO_COMP
static CRYPTO_ONCE zlib = CRYPTO_ONCE_STATIC_INIT;

@@ -612,6 +673,72 @@ void OPENSSL_cleanup(void)
base_inited = 0;
}

Expand Down Expand Up @@ -54,8 +122,10 @@ index 1b0d523bea..af171bda16 100644
+ return enabled;
+}
+
+// Check if fips is enabled
+int ossl_fips_enabled(){
+// Init fips config
+static CRYPTO_ONCE fips_config = CRYPTO_ONCE_STATIC_INIT;
+DEFINE_RUN_ONCE_STATIC(ossl_init_fips_conf)
+{
+ g_fips_mode_enabled = 0;
+ if (ossl_fips_enabled_by_cmd() > 0){
+ g_fips_mode_enabled = 1;
Expand All @@ -67,26 +137,30 @@ index 1b0d523bea..af171bda16 100644
+ return 1;
+ }
+
+ return 0;
+ return 1;
+}
+
/*
* If this function is called with a non NULL settings value then it must be
* called prior to any threads making calls to any OpenSSL functions,
@@ -625,6 +689,13 @@ int OPENSSL_init_crypto(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings)
@@ -723,9 +850,14 @@ int OPENSSL_init_crypto(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings)
&& !RUN_ONCE(&engine_rdrand, ossl_init_engine_rdrand))
return 0;
}

+ if (g_fips_mode_enabled == -1) {
+ int fips_enabled = ossl_fips_enabled();
+ if (fips_enabled) {
+ setenv("OPENSSL_CONF", FIPS_OPENSSL_CONFIG, 1);
+ }
# endif
- if ((opts & OPENSSL_INIT_ENGINE_DYNAMIC)
- && !RUN_ONCE(&engine_dynamic, ossl_init_engine_dynamic))
- return 0;
+ if (opts & OPENSSL_INIT_ENGINE_DYNAMIC)
+ {
+ if (!RUN_ONCE(&engine_dynamic, ossl_init_engine_dynamic))
+ return 0;
+ RUN_ONCE(&fips_config, ossl_init_fips_conf);
+ if (g_fips_mode_enabled == 1)
+ RUN_ONCE(&engine_symcrypt, ossl_init_engine_symcrypt);
+ }
+
/*
* When the caller specifies OPENSSL_INIT_BASE_ONLY, that should be the
* *only* option specified. With that option we return immediately after
# ifndef OPENSSL_NO_STATIC_ENGINE
# if !defined(OPENSSL_NO_HW) && !defined(OPENSSL_NO_HW_PADLOCK)
if ((opts & OPENSSL_INIT_ENGINE_PADLOCK)
diff --git a/crypto/o_fips.c b/crypto/o_fips.c
index 050ea9c216..6e9ffdb1d9 100644
--- a/crypto/o_fips.c
Expand All @@ -104,3 +178,21 @@ index 050ea9c216..6e9ffdb1d9 100644
/* This version of the library does not support FIPS mode. */
return 0;
}
diff --git a/crypto/engine/eng_all.c b/crypto/engine/eng_all.c
index 474a60c9bf..874744a69b 100644
--- a/crypto/engine/eng_all.c
+++ b/crypto/engine/eng_all.c
@@ -10,6 +10,13 @@
#include "internal/cryptlib.h"
#include "eng_local.h"

+__attribute__((constructor))
+void ENGINE_static_initializer(void)
+{
+ OPENSSL_init_crypto(OPENSSL_INIT_ENGINE_DYNAMIC, NULL);
+}
+
+
void ENGINE_load_builtin_engines(void)
{
OPENSSL_init_crypto(OPENSSL_INIT_ENGINE_ALL_BUILTIN, NULL);
15 changes: 15 additions & 0 deletions src/openssl.patch/debian.patch/20-support-fips-test.patch
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
diff --git a/engines/e_ossltest.c b/engines/e_ossltest.c
index 64376247c3..70c8b62a68 100644
--- a/engines/e_ossltest.c
+++ b/engines/e_ossltest.c
@@ -319,6 +319,10 @@ static int bind_ossltest(ENGINE *e)
return 0;
}

+ ENGINE* scossl = ENGINE_by_id("symcrypt");
+ ENGINE_unregister_pkey_meths(scossl);
+ ENGINE_free(scossl);
+
return 1;
}

Loading