static int pkey_fips_check_ctx(EVP_PKEY_CTX *ctx)
{
RSA_PKEY_CTX *rctx = ctx->data;
RSA *rsa = ctx->pkey->pkey.rsa;
int rv = -1;
if (!FIPS_mode())
return 0;
if (rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
rv = 0;
if (!(rsa->meth->flags & RSA_FLAG_FIPS_METHOD) && rv)
return -1;
if (rctx->md) {
const EVP_MD *fmd;
fmd = FIPS_get_digestbynid(EVP_MD_type(rctx->md));
if (!fmd || !(fmd->flags & EVP_MD_FLAG_FIPS))
return rv;
}
if (rctx->mgf1md && !(rctx->mgf1md->flags & EVP_MD_FLAG_FIPS)) {
const EVP_MD *fmd;
fmd = FIPS_get_digestbynid(EVP_MD_type(rctx->mgf1md));
if (!fmd || !(fmd->flags & EVP_MD_FLAG_FIPS))
return rv;
}
return 1;
}
const EVP_MD *evp_get_fips_md(const EVP_MD *md)
{
int nid = EVP_MD_type(md);
if (nid == NID_dsa)
return FIPS_evp_dss1();
else if (nid == NID_dsaWithSHA)
return FIPS_evp_dss();
else if (nid == NID_ecdsa_with_SHA1)
return FIPS_evp_ecdsa();
else
return FIPS_get_digestbynid(nid);
}
/*
* SHA
*/
jlong Java_org_keysupport_provider_SHA_jniInit(JNIEnv *env, jobject obj, jint jmdid) {
// LOGD("entering SHA_jniInit");
EVP_MD_CTX *ctx = 0;
const EVP_MD *md;
if (!(ctx = (EVP_MD_CTX *) malloc(sizeof(EVP_MD_CTX)))) {
throw_exception(env, "java/lang/RuntimeException", "allocating EVP_MD_CTX");
free(ctx);
return (0);
}
md = FIPS_get_digestbynid(jmdid);
ctx = EVP_MD_CTX_create();
FIPS_digestinit(ctx, md);
// LOGD("leaving SHA_jniInit");
return ((long) ctx);
}
jint Java_org_keysupport_provider_ECDSASignature_jniVerifyFinal(JNIEnv *env,
jobject obj, jbyteArray jmsg, jint jmdid, jbyteArray jsig) {
// LOGD("entering ECDSASignature_jniVerifyFinal");
EC_Ctx *ec;
EVP_MD_CTX *ctx = 0;
const EVP_MD *md;
jsize msgLen = 0;
jsize sigLen = 0;
const unsigned char *sig_ptr = NULL;
if (!(ec = get_ptr(env, obj))) {
LOGE("Failed to obtain key pointer");
return 0;
}
if (!(ctx = (EVP_MD_CTX *) malloc(sizeof(EVP_MD_CTX)))) {
throw_exception(env, "java/lang/RuntimeException",
"allocating EVP_MD_CTX");
destroy_ec_ctx(ec);
FIPS_md_ctx_destroy(ctx);
return 0;
}
md = FIPS_get_digestbynid(jmdid);
ctx = EVP_MD_CTX_create();
msgLen = (*env)->GetArrayLength(env, jmsg);
sigLen = (*env)->GetArrayLength(env, jsig);
jbyte msg[msgLen];
jbyte sig[sigLen];
(*env)->GetByteArrayRegion(env, jmsg, 0, msgLen, msg);
(*env)->GetByteArrayRegion(env, jsig, 0, sigLen, sig);
sig_ptr = sig;
ECDSA_SIG *esig = d2i_ECDSA_SIG(NULL, &sig_ptr, sigLen);
FIPS_digestinit(ctx, md);
int ok = FIPS_ecdsa_verify(ec->ec, msg, msgLen, md, esig);
/*
* This is handled a bit differently than the way OpenSSL
* handles RSA Signatures, so our error handling below is a bit different.
*
* returns
* 1: correct signature
* 0: incorrect signature
* -1: error
*/
// LOGD("FIPS_ecdsa_verify Returned: %d\n", ok);
FIPS_md_ctx_destroy(ctx);
FIPS_ecdsa_sig_free(esig);
if (ok == 0) {
throw_exception(env, "java/security/SignatureException",
"Bad Signature");
return 0;
} else if (ok == -1) {
/*
* TODO: Print any pending errors
* ERR_print_errors_fp(ANDROID_LOG_ERROR);
*/
ERR_load_crypto_strings();
LOGE("%s", ERR_error_string(ERR_peek_error(), NULL));
throw_exception(env, "java/security/SignatureException",
"jniVerifyFinal fail");
ERR_free_strings();
return 0;
}
// LOGD("leaving ECDSASignature_jniVerifyFinal");
return ok;
}
jint Java_org_keysupport_provider_RSASignature_jniVerifyFinal(JNIEnv *env,
jobject obj, jbyteArray jmsg, jint jmdid, jint jpadMode,
jbyteArray jsig) {
// LOGD("entering RSASignature_jniVerifyFinal");
jsize msgLen = 0;
jsize sigLen = 0;
RSA_Ctx *rsa;
EVP_MD_CTX *ctx = 0;
const EVP_MD *md;
const EVP_MD *mdMgf;
int saltLen = 0;
LOGI("FIPS Mode of operation: %d\n", FIPS_mode());
if (!(rsa = get_ptr(env, obj))) {
throw_exception(env,"java/lang/RuntimeException", "obtaining RSA_Ctx");
return 0;
}
if (jpadMode == RSA_PKCS1_PADDING) {
// LOGD("RSA PKCS#1 v1.5 Padding");
} else if (jpadMode == RSA_PKCS1_PSS_PADDING) {
// LOGD("RSA PSS Padding");
mdMgf = FIPS_get_digestbynid(jmdid);
saltLen = EVP_MD_size(mdMgf);
}
if (!(ctx = (EVP_MD_CTX *) malloc(sizeof(EVP_MD_CTX)))) {
throw_exception(env, "java/lang/RuntimeException", "allocating EVP_MD_CTX");
destroy_rsa_ctx(rsa);
FIPS_md_ctx_destroy(ctx);
return 0;
}
md = FIPS_get_digestbynid(jmdid);
ctx = EVP_MD_CTX_create();
msgLen = (*env)->GetArrayLength(env, jmsg);
sigLen = (*env)->GetArrayLength(env, jsig);
jbyte msg[msgLen];
jbyte sig[sigLen];
(*env)->GetByteArrayRegion(env, jmsg, 0, msgLen, msg);
(*env)->GetByteArrayRegion(env, jsig, 0, sigLen, sig);
FIPS_digestinit(ctx, md);
int ok = FIPS_rsa_verify(rsa->rsa, msg, msgLen, md, jpadMode, saltLen,
mdMgf, sig, sigLen);
// LOGD("FIPS_rsa_verify Returned: %d\n", ok);
FIPS_md_ctx_destroy(ctx);
if (ok == 0) {
/*
* TODO: Print any pending errors
* ERR_print_errors_fp(ANDROID_LOG_ERROR);
*/
ERR_load_crypto_strings();
LOGE("%s\n", ERR_error_string(ERR_peek_error(), NULL));
throw_exception(env, "java/security/SignatureException",
"Bad Signature");
ERR_free_strings();
return 0;
}
// LOGD("leaving RSASignature_jniVerifyFinal");
return ok;
}
int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len,
const EVP_MD *md, ENGINE *impl)
{
int i, j, reset = 0;
unsigned char pad[HMAC_MAX_MD_CBLOCK];
#ifdef OPENSSL_FIPS
/* If FIPS mode switch to approved implementation if possible */
if (FIPS_mode()) {
const EVP_MD *fipsmd;
if (md) {
fipsmd = FIPS_get_digestbynid(EVP_MD_type(md));
if (fipsmd)
md = fipsmd;
}
}
if (FIPS_mode()) {
/* If we have an ENGINE need to allow non FIPS */
if ((impl || ctx->i_ctx.engine)
&& !(ctx->i_ctx.flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW)) {
EVPerr(EVP_F_HMAC_INIT_EX, EVP_R_DISABLED_FOR_FIPS);
return 0;
}
/*
* Other algorithm blocking will be done in FIPS_cmac_init, via
* FIPS_hmac_init_ex().
*/
if (!impl && !ctx->i_ctx.engine)
return FIPS_hmac_init_ex(ctx, key, len, md, NULL);
}
#endif
/* If we are changing MD then we must have a key */
if (md != NULL && md != ctx->md && (key == NULL || len < 0))
return 0;
if (md != NULL) {
reset = 1;
ctx->md = md;
} else if (ctx->md) {
md = ctx->md;
} else {
return 0;
}
if (key != NULL) {
reset = 1;
j = EVP_MD_block_size(md);
OPENSSL_assert(j <= (int)sizeof(ctx->key));
if (j < len) {
if (!EVP_DigestInit_ex(&ctx->md_ctx, md, impl))
goto err;
if (!EVP_DigestUpdate(&ctx->md_ctx, key, len))
goto err;
if (!EVP_DigestFinal_ex(&(ctx->md_ctx), ctx->key,
&ctx->key_length))
goto err;
} else {
if (len < 0 || len > (int)sizeof(ctx->key))
return 0;
memcpy(ctx->key, key, len);
ctx->key_length = len;
}
if (ctx->key_length != HMAC_MAX_MD_CBLOCK)
memset(&ctx->key[ctx->key_length], 0,
HMAC_MAX_MD_CBLOCK - ctx->key_length);
}
if (reset) {
for (i = 0; i < HMAC_MAX_MD_CBLOCK; i++)
pad[i] = 0x36 ^ ctx->key[i];
if (!EVP_DigestInit_ex(&ctx->i_ctx, md, impl))
goto err;
if (!EVP_DigestUpdate(&ctx->i_ctx, pad, EVP_MD_block_size(md)))
goto err;
for (i = 0; i < HMAC_MAX_MD_CBLOCK; i++)
pad[i] = 0x5c ^ ctx->key[i];
if (!EVP_DigestInit_ex(&ctx->o_ctx, md, impl))
goto err;
if (!EVP_DigestUpdate(&ctx->o_ctx, pad, EVP_MD_block_size(md)))
goto err;
}
if (!EVP_MD_CTX_copy_ex(&ctx->md_ctx, &ctx->i_ctx))
goto err;
return 1;
err:
return 0;
}