Initial FIPS integration

developernotes · developernotes · commit 29b00cb2fc37 · 2015-03-10T14:33:43.000-05:00
diff --git a/Makefile.msc b/Makefile.msc
@@ -664,6 +664,13 @@ LIBRESOBJS =
 # All of the source code files.
 #
 SRC = \
+	$(TOP)\src\crypto.c \
+	$(TOP)\src\crypto_cc.c \
+	$(TOP)\src\crypto_impl.c \
+	$(TOP)\src\crypto_libtomcrypt.c \
+	$(TOP)\src\crypto_openssl.c \
+	$(TOP)\src\crypto.h \
+	$(TOP)\src\sqlcipher.h \
   $(TOP)\src\alter.c \
   $(TOP)\src\analyze.c \
   $(TOP)\src\attach.c \
diff --git a/src/crypto.c b/src/crypto.c
@@ -89,6 +89,13 @@ int sqlcipher_codec_pragma(sqlite3* db, int iDb, Parse *pParse, const char *zLef
 
   CODEC_TRACE(("sqlcipher_codec_pragma: entered db=%p iDb=%d pParse=%p zLeft=%s zRight=%s ctx=%p\n", db, iDb, pParse, zLeft, zRight, ctx));
   
+  if( sqlite3StrICmp(zLeft, "cipher_fips_status")== 0 && !zRight ){
+    if(ctx) {
+      char *fips_mode_status = sqlite3_mprintf("%d", sqlcipher_codec_fips_status(ctx));
+      codec_vdbe_return_static_string(pParse, "cipher_fips_status", fips_mode_status);
+      sqlite3_free(fips_mode_status);
+    }
+  } else
   if( sqlite3StrICmp(zLeft, "cipher_store_pass")==0 && zRight ) {
     sqlcipher_codec_set_store_pass(ctx, sqlite3GetBoolean(zRight, 1));
   } else
diff --git a/src/crypto.h b/src/crypto.h
@@ -44,8 +44,12 @@
 #define FILE_HEADER_SZ 16
 
 #ifndef CIPHER_VERSION
+#ifdef SQLCIPHER_FIPS
+#define CIPHER_VERSION "3.2.0 FIPS"
+#else
 #define CIPHER_VERSION "3.2.0"
 #endif
+#endif
 
 #ifndef CIPHER
 #define CIPHER "aes-256-cbc"
@@ -219,9 +223,10 @@ int sqlcipher_codec_ctx_migrate(codec_ctx *ctx);
 int sqlcipher_codec_add_random(codec_ctx *ctx, const char *data, int random_sz);
 int sqlcipher_cipher_profile(sqlite3 *db, const char *destination);
 static void sqlcipher_profile_callback(void *file, const char *sql, sqlite3_uint64 run_time);
-int sqlcipher_codec_get_store_pass(codec_ctx *ctx);
-void sqlcipher_codec_get_pass(codec_ctx *ctx, void **zKey, int *nKey);
-void sqlcipher_codec_set_store_pass(codec_ctx *ctx, int value);
+static int sqlcipher_codec_get_store_pass(codec_ctx *ctx);
+static void sqlcipher_codec_get_pass(codec_ctx *ctx, void **zKey, int *nKey);
+static void sqlcipher_codec_set_store_pass(codec_ctx *ctx, int value);
+int sqlcipher_codec_fips_status(codec_ctx *ctx);
 
 #endif
 #endif
diff --git a/src/crypto_cc.c b/src/crypto_cc.c
@@ -120,6 +120,10 @@ static int sqlcipher_cc_ctx_free(void **ctx) {
   return SQLITE_OK;
 }
 
+static int sqlcipher_cc_fips_status(void *ctx) {
+  return 0;
+}
+
 int sqlcipher_cc_setup(sqlcipher_provider *p) {
   p->random = sqlcipher_cc_random;
   p->get_provider_name = sqlcipher_cc_get_provider_name;
@@ -137,6 +141,7 @@ int sqlcipher_cc_setup(sqlcipher_provider *p) {
   p->ctx_init = sqlcipher_cc_ctx_init;
   p->ctx_free = sqlcipher_cc_ctx_free;
   p->add_random = sqlcipher_cc_add_random;
+  p->fips_status = sqlcipher_cc_fips_status;
   return SQLITE_OK;
 }
 
diff --git a/src/crypto_impl.c b/src/crypto_impl.c
@@ -1227,6 +1227,9 @@ static void sqlcipher_profile_callback(void *file, const char *sql, sqlite3_uint
   if( f ) fprintf(f, "Elapsed time:%.3f ms - %s\n", elapsed, sql);
 }
 
+int sqlcipher_codec_fips_status(codec_ctx *ctx) {
+  return ctx->read_ctx->provider->fips_status(ctx->read_ctx);
+}
 
 #endif
 /* END SQLCIPHER */
diff --git a/src/crypto_libtomcrypt.c b/src/crypto_libtomcrypt.c
@@ -227,6 +227,10 @@ static int sqlcipher_ltc_ctx_free(void **ctx) {
   return SQLITE_OK;
 }
 
+static int sqlcipher_ltc_fips_status(void *ctx) {
+  return 0;
+}
+
 int sqlcipher_ltc_setup(sqlcipher_provider *p) {
   p->activate = sqlcipher_ltc_activate;
   p->deactivate = sqlcipher_ltc_deactivate;
@@ -246,6 +250,7 @@ int sqlcipher_ltc_setup(sqlcipher_provider *p) {
   p->ctx_init = sqlcipher_ltc_ctx_init;
   p->ctx_free = sqlcipher_ltc_ctx_free;
   p->add_random = sqlcipher_ltc_add_random;
+  p->fips_status = sqlcipher_ltc_fips_status;
   return SQLITE_OK;
 }
 
diff --git a/src/crypto_openssl.c b/src/crypto_openssl.c
@@ -42,7 +42,7 @@ typedef struct {
   EVP_CIPHER *evp_cipher;
 } openssl_ctx;
 
-
+static int openssl_fips_status = 0;
 static unsigned int openssl_external_init = 0;
 static unsigned int openssl_init_count = 0;
 static sqlite3_mutex* openssl_rand_mutex = NULL;
@@ -78,6 +78,13 @@ static int sqlcipher_openssl_activate(void *ctx) {
   }
 
   if(openssl_init_count == 0 && openssl_external_init == 0)  {
+#ifdef SQLCIPHER_FIPS
+    openssl_fips_status = FIPS_mode_set(1);
+    if(!openssl_fips_status){
+      ERR_load_crypto_strings();
+      ERR_print_errors_fp(stdout);
+    }
+#endif
     /* if the library was not externally initialized, then should be now */
     OpenSSL_add_all_algorithms();
   } 
@@ -224,6 +231,10 @@ static int sqlcipher_openssl_ctx_free(void **ctx) {
   return SQLITE_OK;
 }
 
+static int sqlcipher_openssl_fips_status(void *ctx) {
+  return openssl_fips_status;
+}
+
 int sqlcipher_openssl_setup(sqlcipher_provider *p) {
   p->activate = sqlcipher_openssl_activate;  
   p->deactivate = sqlcipher_openssl_deactivate;
@@ -243,6 +254,7 @@ int sqlcipher_openssl_setup(sqlcipher_provider *p) {
   p->ctx_init = sqlcipher_openssl_ctx_init;
   p->ctx_free = sqlcipher_openssl_ctx_free;
   p->add_random = sqlcipher_openssl_add_random;
+  p->fips_status = sqlcipher_openssl_fips_status;
   return SQLITE_OK;
 }
 
diff --git a/src/sqlcipher.h b/src/sqlcipher.h
@@ -55,6 +55,7 @@ typedef struct {
   int (*ctx_cmp)(void *c1, void *c2);
   int (*ctx_init)(void **ctx);
   int (*ctx_free)(void **ctx);
+  int (*fips_status)(void *ctx);
 } sqlcipher_provider;
 
 /* utility functions */

Original file line number	Diff line number	Diff line change
`@@ -1227,6 +1227,9 @@ static void sqlcipher_profile_callback(void file, const char sql, sqlite3_uint`
`1227`	`1227`	`if( f ) fprintf(f, "Elapsed time:%.3f ms - %s\n", elapsed, sql);`
`1228`	`1228`	`}`
`1229`	`1229`
	`1230`	`+int sqlcipher_codec_fips_status(codec_ctx *ctx) {`
	`1231`	`+ return ctx->read_ctx->provider->fips_status(ctx->read_ctx);`
	`1232`	`+}`
`1230`	`1233`
`1231`	`1234`	`#endif`
`1232`	`1235`	`/* END SQLCIPHER */`