From 29b00cb2fc37c571078ee9ffbea320cecdffdb9c Mon Sep 17 00:00:00 2001 From: Nick Parker Date: Tue, 10 Mar 2015 14:33:43 -0500 Subject: [PATCH] Initial FIPS integration --- Makefile.msc | 7 +++++++ src/crypto.c | 7 +++++++ src/crypto.h | 11 ++++++++--- src/crypto_cc.c | 5 +++++ src/crypto_impl.c | 3 +++ src/crypto_libtomcrypt.c | 5 +++++ src/crypto_openssl.c | 14 +++++++++++++- src/sqlcipher.h | 1 + 8 files changed, 49 insertions(+), 4 deletions(-) diff --git a/Makefile.msc b/Makefile.msc index 3a9fa29..046583c 100644 --- a/Makefile.msc +++ b/Makefile.msc @@ -664,6 +664,13 @@ LIBRESOBJS = # All of the source code files. # SRC = \ + $(TOP)\src\crypto.c \ + $(TOP)\src\crypto_cc.c \ + $(TOP)\src\crypto_impl.c \ + $(TOP)\src\crypto_libtomcrypt.c \ + $(TOP)\src\crypto_openssl.c \ + $(TOP)\src\crypto.h \ + $(TOP)\src\sqlcipher.h \ $(TOP)\src\alter.c \ $(TOP)\src\analyze.c \ $(TOP)\src\attach.c \ diff --git a/src/crypto.c b/src/crypto.c index c0109fb..976e19d 100644 --- a/src/crypto.c +++ b/src/crypto.c @@ -89,6 +89,13 @@ int sqlcipher_codec_pragma(sqlite3* db, int iDb, Parse *pParse, const char *zLef CODEC_TRACE(("sqlcipher_codec_pragma: entered db=%p iDb=%d pParse=%p zLeft=%s zRight=%s ctx=%p\n", db, iDb, pParse, zLeft, zRight, ctx)); + if( sqlite3StrICmp(zLeft, "cipher_fips_status")== 0 && !zRight ){ + if(ctx) { + char *fips_mode_status = sqlite3_mprintf("%d", sqlcipher_codec_fips_status(ctx)); + codec_vdbe_return_static_string(pParse, "cipher_fips_status", fips_mode_status); + sqlite3_free(fips_mode_status); + } + } else if( sqlite3StrICmp(zLeft, "cipher_store_pass")==0 && zRight ) { sqlcipher_codec_set_store_pass(ctx, sqlite3GetBoolean(zRight, 1)); } else diff --git a/src/crypto.h b/src/crypto.h index 8a83a0b..0ce3737 100644 --- a/src/crypto.h +++ b/src/crypto.h @@ -44,8 +44,12 @@ #define FILE_HEADER_SZ 16 #ifndef CIPHER_VERSION +#ifdef SQLCIPHER_FIPS +#define CIPHER_VERSION "3.2.0 FIPS" +#else #define CIPHER_VERSION "3.2.0" #endif +#endif #ifndef CIPHER #define CIPHER "aes-256-cbc" @@ -219,9 +223,10 @@ int sqlcipher_codec_ctx_migrate(codec_ctx *ctx); int sqlcipher_codec_add_random(codec_ctx *ctx, const char *data, int random_sz); int sqlcipher_cipher_profile(sqlite3 *db, const char *destination); static void sqlcipher_profile_callback(void *file, const char *sql, sqlite3_uint64 run_time); -int sqlcipher_codec_get_store_pass(codec_ctx *ctx); -void sqlcipher_codec_get_pass(codec_ctx *ctx, void **zKey, int *nKey); -void sqlcipher_codec_set_store_pass(codec_ctx *ctx, int value); +static int sqlcipher_codec_get_store_pass(codec_ctx *ctx); +static void sqlcipher_codec_get_pass(codec_ctx *ctx, void **zKey, int *nKey); +static void sqlcipher_codec_set_store_pass(codec_ctx *ctx, int value); +int sqlcipher_codec_fips_status(codec_ctx *ctx); #endif #endif diff --git a/src/crypto_cc.c b/src/crypto_cc.c index 1e18dc7..8872424 100644 --- a/src/crypto_cc.c +++ b/src/crypto_cc.c @@ -120,6 +120,10 @@ static int sqlcipher_cc_ctx_free(void **ctx) { return SQLITE_OK; } +static int sqlcipher_cc_fips_status(void *ctx) { + return 0; +} + int sqlcipher_cc_setup(sqlcipher_provider *p) { p->random = sqlcipher_cc_random; p->get_provider_name = sqlcipher_cc_get_provider_name; @@ -137,6 +141,7 @@ int sqlcipher_cc_setup(sqlcipher_provider *p) { p->ctx_init = sqlcipher_cc_ctx_init; p->ctx_free = sqlcipher_cc_ctx_free; p->add_random = sqlcipher_cc_add_random; + p->fips_status = sqlcipher_cc_fips_status; return SQLITE_OK; } diff --git a/src/crypto_impl.c b/src/crypto_impl.c index b4bf052..8c891d5 100644 --- a/src/crypto_impl.c +++ b/src/crypto_impl.c @@ -1227,6 +1227,9 @@ static void sqlcipher_profile_callback(void *file, const char *sql, sqlite3_uint if( f ) fprintf(f, "Elapsed time:%.3f ms - %s\n", elapsed, sql); } +int sqlcipher_codec_fips_status(codec_ctx *ctx) { + return ctx->read_ctx->provider->fips_status(ctx->read_ctx); +} #endif /* END SQLCIPHER */ diff --git a/src/crypto_libtomcrypt.c b/src/crypto_libtomcrypt.c index 22f4efc..02dc845 100644 --- a/src/crypto_libtomcrypt.c +++ b/src/crypto_libtomcrypt.c @@ -227,6 +227,10 @@ static int sqlcipher_ltc_ctx_free(void **ctx) { return SQLITE_OK; } +static int sqlcipher_ltc_fips_status(void *ctx) { + return 0; +} + int sqlcipher_ltc_setup(sqlcipher_provider *p) { p->activate = sqlcipher_ltc_activate; p->deactivate = sqlcipher_ltc_deactivate; @@ -246,6 +250,7 @@ int sqlcipher_ltc_setup(sqlcipher_provider *p) { p->ctx_init = sqlcipher_ltc_ctx_init; p->ctx_free = sqlcipher_ltc_ctx_free; p->add_random = sqlcipher_ltc_add_random; + p->fips_status = sqlcipher_ltc_fips_status; return SQLITE_OK; } diff --git a/src/crypto_openssl.c b/src/crypto_openssl.c index 150ab92..92b3ca3 100644 --- a/src/crypto_openssl.c +++ b/src/crypto_openssl.c @@ -42,7 +42,7 @@ typedef struct { EVP_CIPHER *evp_cipher; } openssl_ctx; - +static int openssl_fips_status = 0; static unsigned int openssl_external_init = 0; static unsigned int openssl_init_count = 0; static sqlite3_mutex* openssl_rand_mutex = NULL; @@ -78,6 +78,13 @@ static int sqlcipher_openssl_activate(void *ctx) { } if(openssl_init_count == 0 && openssl_external_init == 0) { +#ifdef SQLCIPHER_FIPS + openssl_fips_status = FIPS_mode_set(1); + if(!openssl_fips_status){ + ERR_load_crypto_strings(); + ERR_print_errors_fp(stdout); + } +#endif /* if the library was not externally initialized, then should be now */ OpenSSL_add_all_algorithms(); } @@ -224,6 +231,10 @@ static int sqlcipher_openssl_ctx_free(void **ctx) { return SQLITE_OK; } +static int sqlcipher_openssl_fips_status(void *ctx) { + return openssl_fips_status; +} + int sqlcipher_openssl_setup(sqlcipher_provider *p) { p->activate = sqlcipher_openssl_activate; p->deactivate = sqlcipher_openssl_deactivate; @@ -243,6 +254,7 @@ int sqlcipher_openssl_setup(sqlcipher_provider *p) { p->ctx_init = sqlcipher_openssl_ctx_init; p->ctx_free = sqlcipher_openssl_ctx_free; p->add_random = sqlcipher_openssl_add_random; + p->fips_status = sqlcipher_openssl_fips_status; return SQLITE_OK; } diff --git a/src/sqlcipher.h b/src/sqlcipher.h index 37ecf3b..d73a551 100644 --- a/src/sqlcipher.h +++ b/src/sqlcipher.h @@ -55,6 +55,7 @@ typedef struct { int (*ctx_cmp)(void *c1, void *c2); int (*ctx_init)(void **ctx); int (*ctx_free)(void **ctx); + int (*fips_status)(void *ctx); } sqlcipher_provider; /* utility functions */