Minor code changes

Signed-off-by: Robin Dubey <[email protected]>

Author: robindubeyibm

icc/extsig.c

@@ -74,7 +74,6 @@ Equivalent environment variable (none)
 #include "openssl/evp.h"
 #include "openssl/rsa.h"
 
-
 #include "extsig.h"
 #include "iccversion.h"
 #   if !defined(STANDALONE)
@@ -150,7 +149,6 @@ static long HashCore(FILE *fin, long pos, EVP_MD_CTX *md_ctx,
                      const EVP_MD *md) {
   size_t len = 0;
   long amt = 0;
-  int rc = 0;
 
   if (NULL != fin) {
     if (0 == pos) {
@@ -159,10 +157,7 @@ static long HashCore(FILE *fin, long pos, EVP_MD_CTX *md_ctx,
     }
     fseek(fin, 0, SEEK_SET);
     EVP_MD_CTX_cleanup(md_ctx);
-    rc = EVP_DigestInit(md_ctx, md);
-    if (1 != rc) {
-       printf("HashCore:EVP_DigestInit failed %d\n", rc);
-    }
+    EVP_DigestInit(md_ctx, md);
     /* Work out how much to read */
     while (pos > 0) {
       amt = sizeof(fbuf);
@@ -171,14 +166,14 @@ static long HashCore(FILE *fin, long pos, EVP_MD_CTX *md_ctx,
       }
       len = fread(fbuf, 1, amt, fin);
       if (len > 0) {
+        int rc = 0;
         rc = EVP_DigestUpdate(md_ctx, fbuf, len);
-        if (1 != rc) {
-           printf("HashCore:EVP_DigestUpdate failed %d\n", rc);
+        if (rc <= 0) {
+           return -1;
         }
         pos -= (long)len;
       } else {
-         printf("HashCore:fread failed\n");
-         break;
+        break;
       }
     }
   }
@@ -210,14 +205,26 @@ static int GenHash(FILE *fin, unsigned char *hashout, long pos) {
     md = EVP_get_digestbyname("SHA256");
     if (NULL != md_ctx && NULL != md) {
       pos = HashCore(fin, pos, md_ctx, md);
-      /* printf("Unread %ld\n",pos); */
+      if (pos > 0) {
+         printf("Error: GenHash: HashCore: Unread %ld\n", pos);
+         return 0;
+      }
+      else if (pos < 0) {
+         printf("Error: GenHash: HashCore\n");
+         return 0;
+      }
       evpRC = EVP_DigestFinal(md_ctx, hashout, &signL);
       if (1 != evpRC) {
         signL = 0;
+        printf("Error: GenHash: failed: EVP_DigestFinal %d\n", evpRC);
       }
       EVP_MD_CTX_cleanup(md_ctx);
       EVP_MD_CTX_free(md_ctx);
     }
+    else {
+       const char* x = md_ctx ? "md" : "md_ctx";
+       printf("Error: GenHash: failed: EVP_get_digestbyname %s\n", x);
+    }
   }
   return (int)signL;
 }
@@ -626,24 +633,31 @@ static int GenSig(FILE *fin, unsigned char *sigout, EVP_PKEY *key, long pos) {
     md_ctx = EVP_MD_CTX_new();
     md = EVP_get_digestbyname("SHA256");
     if (NULL != md_ctx && NULL != md) {
-      HashCore(fin, pos, md_ctx, md);
+      long unread = HashCore(fin, pos, md_ctx, md);
+      if (unread > 0) {
+         printf("Error: GenSig: HashCore: Unread %ld\n", unread);
+         return 0;
+      }
+      else if (unread < 0) {
+         printf("Error: GenSig: HashCore\n");
+         return 0;
+      }
       evpRC = EVP_SignFinal(md_ctx, sigout, &signL, key);
       if (1 != evpRC) {
-         printf("GenSig: EVP_SignFinal error %d\n", evpRC);
+         printf("failed: GenSig: EVP_SignFinal %d\n", evpRC);
          signL = 0;
       }
       EVP_MD_CTX_free(md_ctx);
     }
     else {
-       printf("GenSig: EVP error\n");
+       const char* x = md_ctx ? "md" : "md_ctx";
+       printf("failed: GenSig: EVP_get_digestbyname %s\n", x);
     }
     fseek(fin, pos, SEEK_SET);
   }
-  else {
-     printf("GenSig: fin error\n");
-  }
   return (int)signL;
 }
+
 static void usage(char *pname, char *str) {
   printf("usage:\t %s sigfile keyfile [-v(erify)] [-SELF] [-FILE file] "
          "[\"X=Y\"] ...[\"Z=K\"]\n",
@@ -701,9 +715,9 @@ int main(int argc, char *argv[]) {
   {
      int rc = 0;
      rc = OPENSSL_init_crypto(
-      OPENSSL_INIT_NO_LOAD_CONFIG | OPENSSL_INIT_LOAD_CRYPTO_STRINGS |
-          OPENSSL_INIT_ADD_ALL_DIGESTS | OPENSSL_INIT_ADD_ALL_CIPHERS,
-      NULL);
+        OPENSSL_INIT_NO_LOAD_CONFIG | OPENSSL_INIT_LOAD_CRYPTO_STRINGS |
+        OPENSSL_INIT_ADD_ALL_DIGESTS | OPENSSL_INIT_ADD_ALL_CIPHERS,
+        NULL);
      if (rc != 1) {
         usage("OpenSSL", "OPENSSL_init_crypto");
         exit(1);
@@ -802,7 +816,7 @@ int main(int argc, char *argv[]) {
     /* At this point, we should have everything, start pushing it out */
     fprintf(sigf, "# IBM Crypto for C.%s", EOL);
     fprintf(sigf, "# ICC Version %d.%d.%d.%d%s", ICC_VERSION_VER,
-            ICC_VERSION_REL, ICC_VERSION_MOD, ICC_VERSION_FIX, EOL);
+       ICC_VERSION_REL, ICC_VERSION_MOD, ICC_VERSION_FIX, EOL);
     fprintf(sigf,
             "#%s# Note the signed library contains a copy of cryptographic "
             "code from OpenSSL (www.openssl.org),%s",
@@ -876,13 +890,13 @@ int main(int argc, char *argv[]) {
     }
     fflush(sigf);
     fprintf(sigf, "%s#Do not edit before this line%s#", EOL, EOL);
+    fprintf(sigf, "%s# Global Settings%s", EOL, EOL);
     if (NULL != tweaks[0]) {
-      fprintf(sigf, "%s# Global Settings%s", EOL, EOL);
       for (i = 0; NULL != tweaks[i]; i++) {
         fprintf(sigf, "%s%s", tweaks[i], EOL);
       }
-      fprintf(sigf, "#%s", EOL);
     }
+    fprintf(sigf, "#%s", EOL);
   }
   fseek(sigf, 0, SEEK_SET);
   fseek(bfile, 0, SEEK_SET);
@@ -906,13 +920,9 @@ int main(int argc, char *argv[]) {
   }
 
   for (i = 0; i < MAXTWEAKS; i++) {
-    if (NULL != tweaks[i]) {
-      free(tweaks[i]);
-    } else {
-      break;
-    }
+     free(tweaks[i]);
   }
-  printf("%d config items found\n", ReadConfigItems(sigf, tweaks, 20));
+  printf("%d config items found\n", ReadConfigItems(sigf, tweaks, MAXTWEAKS));
 
   fclose(sigf);
   fclose(bfile);
@@ -923,11 +933,7 @@ int main(int argc, char *argv[]) {
   }
 
   for (i = 0; i < MAXTWEAKS; i++) {
-    if (NULL != tweaks[i]) {
-      free(tweaks[i]);
-    } else {
-      break;
-    }
+    free(tweaks[i]);
   }
   OPENSSL_cleanup();
   return 0;

icc/fips.c

@@ -1,6 +1,6 @@
 /*************************************************************************
 // Copyright IBM Corp. 2025
-//
+//                                                                             
 // Licensed under the Apache License 2.0 (the "License"). You may not use
 // this file except in compliance with the License. You can obtain a copy
 // in the file LICENSE in the source distribution.
@@ -10,7 +10,7 @@
 // Description:                                                                
 //        The functions contained within implement operations to conform       
 //        to the FIPS 140-3 startup and self test for a cryptographic          
-//        module. 
+//        module.                                                              
 //
 *************************************************************************/
 
@@ -525,21 +525,21 @@ static const unsigned char RSA_key[] =
         0x59, 0x33, 0xA7, 0xE9, 0x72, 0x9D, 0x7E, 0xC1};
 
 static const unsigned char RSA_PKCS_sig[] = {
-    0xAB, 0xBC, 0x2A, 0x22, 0xA1, 0xD1, 0xFC, 0x5D, 0x66, 0xB4, 0x4B, 0x42, 0xC8, 0xE2, 0x63, 0xE6,
-    0xE8, 0x3D, 0x33, 0xB9, 0x0A, 0xDF, 0xA3, 0x38, 0x8B, 0x7C, 0x64, 0x0E, 0x34, 0x41, 0x60, 0xCB,
-    0x37, 0xBC, 0xB0, 0xB4, 0x0D, 0x15, 0x2D, 0x5B, 0x09, 0xEB, 0x7F, 0xD9, 0x6C, 0x70, 0x0B, 0xCE,
-    0x62, 0x13, 0x3A, 0xA0, 0x7C, 0x36, 0x7C, 0x48, 0xC4, 0x64, 0x38, 0xA4, 0x98, 0x83, 0x1B, 0x3C,
-    0xA0, 0x79, 0x11, 0xC4, 0x3A, 0xE1, 0x54, 0xD2, 0xD8, 0xF8, 0xF7, 0x95, 0x2D, 0x29, 0xA8, 0x98,
-    0x1B, 0x56, 0x89, 0x2E, 0xAE, 0x41, 0x06, 0x2C, 0xFD, 0x6F, 0xA0, 0x05, 0xA5, 0xCE, 0xD5, 0xC3,
-    0xCB, 0xC4, 0xA1, 0x4F, 0x85, 0xA8, 0xA9, 0xF3, 0x45, 0x1E, 0x28, 0xCA, 0x1D, 0xCA, 0xFF, 0x81,
-    0xEE, 0x02, 0x2E, 0x82, 0xBD, 0x8F, 0x6E, 0x55, 0x23, 0x04, 0x01, 0x1E, 0xCA, 0x86, 0xC6, 0x55,
-    0x06, 0xEC, 0x44, 0x91, 0x42, 0x35, 0x74, 0xBF, 0x6E, 0x95, 0x25, 0xEF, 0x53, 0xD5, 0x0C, 0x7A,
-    0xC5, 0x92, 0x31, 0xB5, 0xC3, 0x70, 0xF8, 0x55, 0x91, 0x29, 0xA6, 0xBA, 0x83, 0x5B, 0x34, 0x33,
-    0x9E, 0x26, 0x2E, 0x51, 0x15, 0x74, 0x95, 0x2B, 0x5E, 0xBF, 0xDA, 0x86, 0x10, 0xC1, 0xAA, 0x7B,
-    0x8C, 0xBF, 0xFA, 0x63, 0x2D, 0xFA, 0x4D, 0x6C, 0x17, 0x0C, 0x13, 0xCF, 0x08, 0xB8, 0x81, 0x7C,
-    0x7C, 0x5E, 0x96, 0xF1, 0x3D, 0x72, 0x82, 0xD8, 0xB4, 0x30, 0xCA, 0x58, 0x9A, 0x54, 0x48, 0x1E,
-    0x2C, 0x2D, 0x15, 0x1A, 0x4F, 0xB3, 0x22, 0xB3, 0x89, 0xD1, 0xDE, 0x32, 0x97, 0x51, 0xAB, 0x28,
-    0xF7, 0x6E, 0x37, 0xD1, 0xCE, 0x39, 0x53, 0xDA, 0x3D, 0x0E, 0x10, 0x56, 0x05, 0x02, 0x5B, 0xA3,
+  0xAB,0xBC,0x2A,0x22,0xA1,0xD1,0xFC,0x5D,0x66,0xB4,0x4B,0x42,0xC8,0xE2,0x63,0xE6,
+  0xE8,0x3D,0x33,0xB9,0x0A,0xDF,0xA3,0x38,0x8B,0x7C,0x64,0x0E,0x34,0x41,0x60,0xCB,
+  0x37,0xBC,0xB0,0xB4,0x0D,0x15,0x2D,0x5B,0x09,0xEB,0x7F,0xD9,0x6C,0x70,0x0B,0xCE,
+  0x62,0x13,0x3A,0xA0,0x7C,0x36,0x7C,0x48,0xC4,0x64,0x38,0xA4,0x98,0x83,0x1B,0x3C,
+  0xA0,0x79,0x11,0xC4,0x3A,0xE1,0x54,0xD2,0xD8,0xF8,0xF7,0x95,0x2D,0x29,0xA8,0x98,
+  0x1B,0x56,0x89,0x2E,0xAE,0x41,0x06,0x2C,0xFD,0x6F,0xA0,0x05,0xA5,0xCE,0xD5,0xC3,
+  0xCB,0xC4,0xA1,0x4F,0x85,0xA8,0xA9,0xF3,0x45,0x1E,0x28,0xCA,0x1D,0xCA,0xFF,0x81,
+  0xEE,0x02,0x2E,0x82,0xBD,0x8F,0x6E,0x55,0x23,0x04,0x01,0x1E,0xCA,0x86,0xC6,0x55,
+  0x06,0xEC,0x44,0x91,0x42,0x35,0x74,0xBF,0x6E,0x95,0x25,0xEF,0x53,0xD5,0x0C,0x7A,
+  0xC5,0x92,0x31,0xB5,0xC3,0x70,0xF8,0x55,0x91,0x29,0xA6,0xBA,0x83,0x5B,0x34,0x33,
+  0x9E,0x26,0x2E,0x51,0x15,0x74,0x95,0x2B,0x5E,0xBF,0xDA,0x86,0x10,0xC1,0xAA,0x7B,
+  0x8C,0xBF,0xFA,0x63,0x2D,0xFA,0x4D,0x6C,0x17,0x0C,0x13,0xCF,0x08,0xB8,0x81,0x7C,
+  0x7C,0x5E,0x96,0xF1,0x3D,0x72,0x82,0xD8,0xB4,0x30,0xCA,0x58,0x9A,0x54,0x48,0x1E,
+  0x2C,0x2D,0x15,0x1A,0x4F,0xB3,0x22,0xB3,0x89,0xD1,0xDE,0x32,0x97,0x51,0xAB,0x28,
+  0xF7,0x6E,0x37,0xD1,0xCE,0x39,0x53,0xDA,0x3D,0x0E,0x10,0x56,0x05,0x02,0x5B,0xA3,
   0xFE,0xA1,0x0E,0xF7,0x15,0x68,0x28,0x73,0xBB,0x20,0xA0,0xA2,0x33,0x30,0x8F,0x0C,
 };
 static const unsigned char RSA_PSS_sig[] = {
@@ -4148,23 +4148,23 @@ static int DoVeryBrokenTests(ICClib *pcb, ICC_STATUS *stat)
 
 #if defined(KNOWN)
   printf("\nKnown answers with a broken RNG\n\n");
+  printf("RSA PKCS1.5\n");
+  iccGenerateRSASig(stat,RSA_key,sizeof(RSA_key),RSA_PKCS1_PADDING);
+  printf("RSA-PSS\n");
+  iccGenerateRSASig(stat,RSA_key,sizeof(RSA_key),RSA_PKCS1_PSS_PADDING);
   printf("EC_key_P384\n");
   iccGenerateECDSASig(stat,EC_key_P384,sizeof(EC_key_P384),0,"P-384");
   printf("EC_key_B233\n");
   iccGenerateECDSASig(stat,EC_key_B233,sizeof(EC_key_B233),0,"B-233");
   printf("EC_key_K233\n");
   iccGenerateECDSASig(stat,EC_key_K233,sizeof(EC_key_K233),0,"K-233");
-  printf("EC_key_X448\n");
-  iccGenerateECDSASig(stat,EC_key_X448,sizeof(EC_key_X448),0,"X448");
-   printf("EC_key_X25519\n");
-  iccGenerateECDSASig(stat,EC_key_X25519,sizeof(EC_key_X448),0,"X25519");
+  // printf("EC_key_X448\n");
+  // iccGenerateECDSASig(stat,EC_key_X448,sizeof(EC_key_X448),0,"X448");
+  //  printf("EC_key_X25519\n");
+  // iccGenerateECDSASig(stat,EC_key_X25519,sizeof(EC_key_X448),0,"X25519");
 
   printf("DSA_key\n");
   iccGenerateDSASig(stat,DSA_key,sizeof(DSA_key));
-  /*
-  printf("RSA_key, PSS, SHA256\n");
-  iccGenerateRSASig(stat,RSA_key,sizeof(RSA_key),RSA_PKCS1_PSS_PADDING);
-  */
   printf("\nEnd known answers with a broken RNG\n\n");
 #endif
 

icc/functions.txt

@@ -13,9 +13,9 @@
 #;
 #;
 #;
-#Comments start with an # and end with an ;
-#In fact, all statements must end with an ;
-# AND NO TABS ;
+# Comments start with an # and end with an ;
+# In fact, all statements must end with an ;
+# And no tabs ;
 #;
 # Namespacing;
 #;
@@ -795,8 +795,8 @@ OPENSSLPREFIX=;
 #! @param callback Feedback for a progress indicator. See the OpenSSL docs. Typically, set this to NULL.;  
 #! @param cb_arg Information to be passed to the callback method when it is called. Typically, set this to NULL;
 #! @return an pointer to a newly allocated RSA structure containing both the public and private RSA keys or NULL on failure;
-#! @note The callback and cb_arg parameters should be set to NULL for ICC consumers. ;
-#! While in theory these paramaters could be used we can envisage no ICC consumer scenario ;
+#! @note The callback and cb_arg parameters should be set to NULL in IBM applications. ;
+#! While in theory these paramaters could be used we can envisage no IBM application scenario ;
 #! where it would be useful to set these to non-NULL values ;
 
 0abcdEPMC  RSA *  RSA_generate_key(int bits, unsigned long e,void (*callback)(int,int,void *),void *cb_arg);
@@ -2119,24 +2119,24 @@ OPENSSLPREFIX=;
 #! @note All the aad wanted must be supplied before any data is supplied, but both aad and data can;
 #! be supplied in segments;
 
-0abcdE int AES_GCM_EncryptUpdate(AES_GCM_CTX *aes_gcm_ctx,unsigned char *aad, unsigned long aadlen,unsigned char *data,unsigned long datalen,unsigned char *out, unsigned long *outlen);
+0abcdE int AES_GCM_EncryptUpdate(AES_GCM_CTX *aes_gcm_ctx,const unsigned char *aad, unsigned long aadlen, const unsigned char *data, unsigned long datalen, unsigned char *out, unsigned long *outlen);
 
 #;
-#! @brief Update phase of a AES_GCM encrypt operation;
+#! @brief Update phase of a AES_GCM Decrypt operation;
 #! @param aes_gcm_ctx a pointer to a AES_GCM_CTX;
 #! @param aad a pointer to Additional Authentication Data to hash;
 #! @param aadlen the length of the aad 0 <= aadlen <= 2^56 bytes TOTAL - not per call;
-#! @param data a pointer to the data to encrypt and hash ;
+#! @param data a pointer to the ciphertext data to decrypt and authenticate ;
 #! @param datalen the length of the data 0 <= datalen <= 2^56 bytes TOTAL - not per call ;  
-#! @param out a pointer to a place to hold up to one block of residual data from the previous update ;
+#! @param out a pointer to a buffer to receive decrypted plaintext. May contain up to one block of residual data from the previous update ;
 #! @param outlen a place to store the length of any returned data ;
 #! @return ICC_OSSL_SUCCESS on success, ICC_FAILURE on failure;
 #! @note blocked/aligned data will be more efficient, but this will;
 #! survive incorrectly blocked/misaligned aad/data;
 #! @note All the aad wanted must be supplied before any data is supplied, but both aad and data can;
 #! be supplied in segments;
 
-0abcdE int AES_GCM_DecryptUpdate(AES_GCM_CTX *aes_gcm_ctx,unsigned char *aad, unsigned long aadlen,unsigned char *data,unsigned long datalen,unsigned char *out, unsigned long *outlen);
+0abcdE int AES_GCM_DecryptUpdate(AES_GCM_CTX *aes_gcm_ctx, const unsigned char *aad, unsigned long aadlen, const unsigned char *data, unsigned long datalen, unsigned char *out, unsigned long *outlen);
 
 #;
 #! @brief Finish a AES_GCM encrypt operation and return any remaining ciphertext and the auth tag;
@@ -2216,7 +2216,7 @@ OPENSSLPREFIX=;
 #!  @note AES_CCM is (by specification and design) a one shot algorithm;
 #!  you have to feed everything into this one call;
 
-0abcdEP int AES_CCM_Encrypt(unsigned char *nonce,unsigned int nlen, unsigned char *key,unsigned int keylen,unsigned char *aad, unsigned long aadlen,unsigned char *data,unsigned long datalen,unsigned char *out, unsigned long *outlen,unsigned int taglen);
+0abcdEP int AES_CCM_Encrypt(const unsigned char *nonce,unsigned int nlen, const unsigned char *key,unsigned int keylen,const unsigned char *aad, unsigned long aadlen,const unsigned char *data,unsigned long datalen,unsigned char *out, unsigned long *outlen,unsigned int taglen);
 
 #;
 #! @brief Perform an AES CCM Decrypt operation,;
@@ -2246,7 +2246,7 @@ OPENSSLPREFIX=;
 #! @note datalen in this call INCLUDES the length of the tag generated ;
 #! by the corresponding Encrypt call;
 
-0abcdEP int AES_CCM_Decrypt(unsigned char *nonce,unsigned int nlen,unsigned char *key, unsigned int keylen, unsigned char *aad, unsigned long aadlen, unsigned char *data, unsigned long datalen, unsigned char *out, unsigned long *outlen, unsigned int taglen);
+0abcdEP int AES_CCM_Decrypt(const unsigned char *nonce,unsigned int nlen,const unsigned char *key, unsigned int keylen, const unsigned char *aad, unsigned long aadlen, const unsigned char *data, unsigned long datalen, unsigned char *out, unsigned long *outlen, unsigned int taglen);
 
 #;
 #! @brief Get an ICC RNG handle;