Browse Source

kdf: add FIPS error state handling

Check for provider being disabled on new and derive.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12801)
master
Pauli 2 years ago
parent
commit
2b9e4e956b
10 changed files with 91 additions and 10 deletions
  1. +9
    -1
      providers/implementations/kdfs/hkdf.c
  2. +7
    -0
      providers/implementations/kdfs/kbkdf.c
  3. +11
    -2
      providers/implementations/kdfs/krb5kdf.c
  4. +9
    -1
      providers/implementations/kdfs/pbkdf2.c
  5. +9
    -1
      providers/implementations/kdfs/pkcs12kdf.c
  6. +7
    -0
      providers/implementations/kdfs/scrypt.c
  7. +10
    -2
      providers/implementations/kdfs/sshkdf.c
  8. +13
    -2
      providers/implementations/kdfs/sskdf.c
  9. +7
    -0
      providers/implementations/kdfs/tls1_prf.c
  10. +9
    -1
      providers/implementations/kdfs/x942kdf.c

+ 9
- 1
providers/implementations/kdfs/hkdf.c View File

@ -24,6 +24,7 @@
#include "internal/numbers.h"
#include "crypto/evp.h"
#include "prov/provider_ctx.h"
#include "prov/providercommon.h"
#include "prov/providercommonerr.h"
#include "prov/implementations.h"
#include "prov/provider_util.h"
@ -70,6 +71,9 @@ static void *kdf_hkdf_new(void *provctx)
{
KDF_HKDF *ctx;
if (!ossl_prov_is_running())
return NULL;
if ((ctx = OPENSSL_zalloc(sizeof(*ctx))) == NULL)
ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
else
@ -122,8 +126,12 @@ static size_t kdf_hkdf_size(KDF_HKDF *ctx)
static int kdf_hkdf_derive(void *vctx, unsigned char *key, size_t keylen)
{
KDF_HKDF *ctx = (KDF_HKDF *)vctx;
const EVP_MD *md = ossl_prov_digest_md(&ctx->digest);
const EVP_MD *md;
if (!ossl_prov_is_running())
return 0;
md = ossl_prov_digest_md(&ctx->digest);
if (md == NULL) {
ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST);
return 0;


+ 7
- 0
providers/implementations/kdfs/kbkdf.c View File

@ -41,6 +41,7 @@
#include "prov/implementations.h"
#include "prov/provider_ctx.h"
#include "prov/provider_util.h"
#include "prov/providercommon.h"
#include "prov/providercommonerr.h"
#include "e_os.h"
@ -99,6 +100,9 @@ static void *kbkdf_new(void *provctx)
{
KBKDF *ctx;
if (!ossl_prov_is_running())
return NULL;
ctx = OPENSSL_zalloc(sizeof(*ctx));
if (ctx == NULL) {
ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
@ -192,6 +196,9 @@ static int kbkdf_derive(void *vctx, unsigned char *key, size_t keylen)
uint32_t l = be32(keylen * 8);
size_t h = 0;
if (!ossl_prov_is_running())
return 0;
/* label, context, and iv are permitted to be empty. Check everything
* else. */
if (ctx->ctx_init == NULL) {


+ 11
- 2
providers/implementations/kdfs/krb5kdf.c View File

@ -28,6 +28,7 @@
#include "prov/implementations.h"
#include "prov/provider_ctx.h"
#include "prov/provider_util.h"
#include "prov/providercommon.h"
#include "prov/providercommonerr.h"
/* KRB5 KDF defined in RFC 3961, Section 5.1 */
@ -59,6 +60,9 @@ static void *krb5kdf_new(void *provctx)
{
KRB5KDF_CTX *ctx;
if (!ossl_prov_is_running())
return NULL;
if ((ctx = OPENSSL_zalloc(sizeof(*ctx))) == NULL)
ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
ctx->provctx = provctx;
@ -99,9 +103,13 @@ static int krb5kdf_derive(void *vctx, unsigned char *key,
size_t keylen)
{
KRB5KDF_CTX *ctx = (KRB5KDF_CTX *)vctx;
const EVP_CIPHER *cipher = ossl_prov_cipher_cipher(&ctx->cipher);
ENGINE *engine = ossl_prov_cipher_engine(&ctx->cipher);
const EVP_CIPHER *cipher;
ENGINE *engine;
if (!ossl_prov_is_running())
return 0;
cipher = ossl_prov_cipher_cipher(&ctx->cipher);
if (cipher == NULL) {
ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CIPHER);
return 0;
@ -114,6 +122,7 @@ static int krb5kdf_derive(void *vctx, unsigned char *key,
ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CONSTANT);
return 0;
}
engine = ossl_prov_cipher_engine(&ctx->cipher);
return KRB5KDF(cipher, engine, ctx->key, ctx->key_len,
ctx->constant, ctx->constant_len,
key, keylen);


+ 9
- 1
providers/implementations/kdfs/pbkdf2.c View File

@ -24,6 +24,7 @@
#include "internal/numbers.h"
#include "crypto/evp.h"
#include "prov/provider_ctx.h"
#include "prov/providercommon.h"
#include "prov/providercommonerr.h"
#include "prov/implementations.h"
#include "prov/provider_util.h"
@ -66,6 +67,9 @@ static void *kdf_pbkdf2_new(void *provctx)
{
KDF_PBKDF2 *ctx;
if (!ossl_prov_is_running())
return NULL;
ctx = OPENSSL_zalloc(sizeof(*ctx));
if (ctx == NULL) {
ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
@ -139,7 +143,10 @@ static int kdf_pbkdf2_derive(void *vctx, unsigned char *key,
size_t keylen)
{
KDF_PBKDF2 *ctx = (KDF_PBKDF2 *)vctx;
const EVP_MD *md = ossl_prov_digest_md(&ctx->digest);
const EVP_MD *md;
if (!ossl_prov_is_running())
return 0;
if (ctx->pass == NULL) {
ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_PASS);
@ -151,6 +158,7 @@ static int kdf_pbkdf2_derive(void *vctx, unsigned char *key,
return 0;
}
md = ossl_prov_digest_md(&ctx->digest);
return pbkdf2_derive((char *)ctx->pass, ctx->pass_len,
ctx->salt, ctx->salt_len, ctx->iter,
md, key, keylen, ctx->lower_bound_checks);


+ 9
- 1
providers/implementations/kdfs/pkcs12kdf.c View File

@ -18,6 +18,7 @@
#include "internal/numbers.h"
#include "crypto/evp.h"
#include "prov/provider_ctx.h"
#include "prov/providercommon.h"
#include "prov/providercommonerr.h"
#include "prov/implementations.h"
#include "prov/provider_util.h"
@ -138,6 +139,9 @@ static void *kdf_pkcs12_new(void *provctx)
{
KDF_PKCS12 *ctx;
if (!ossl_prov_is_running())
return NULL;
ctx = OPENSSL_zalloc(sizeof(*ctx));
if (ctx == NULL) {
ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
@ -195,7 +199,10 @@ static int kdf_pkcs12_derive(void *vctx, unsigned char *key,
size_t keylen)
{
KDF_PKCS12 *ctx = (KDF_PKCS12 *)vctx;
const EVP_MD *md = ossl_prov_digest_md(&ctx->digest);
const EVP_MD *md;
if (!ossl_prov_is_running())
return 0;
if (ctx->pass == NULL) {
ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_PASS);
@ -207,6 +214,7 @@ static int kdf_pkcs12_derive(void *vctx, unsigned char *key,
return 0;
}
md = ossl_prov_digest_md(&ctx->digest);
return pkcs12kdf_derive(ctx->pass, ctx->pass_len, ctx->salt, ctx->salt_len,
ctx->id, ctx->iter, md, key, keylen);
}


+ 7
- 0
providers/implementations/kdfs/scrypt.c View File

@ -18,6 +18,7 @@
#include "internal/numbers.h"
#include "prov/implementations.h"
#include "prov/provider_ctx.h"
#include "prov/providercommon.h"
#include "prov/providercommonerr.h"
#include "prov/implementations.h"
@ -56,6 +57,9 @@ static void *kdf_scrypt_new(void *provctx)
{
KDF_SCRYPT *ctx;
if (!ossl_prov_is_running())
return NULL;
ctx = OPENSSL_zalloc(sizeof(*ctx));
if (ctx == NULL) {
ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
@ -127,6 +131,9 @@ static int kdf_scrypt_derive(void *vctx, unsigned char *key,
{
KDF_SCRYPT *ctx = (KDF_SCRYPT *)vctx;
if (!ossl_prov_is_running())
return 0;
if (ctx->pass == NULL) {
ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_PASS);
return 0;


+ 10
- 2
providers/implementations/kdfs/sshkdf.c View File

@ -17,9 +17,10 @@
#include "internal/numbers.h"
#include "crypto/evp.h"
#include "prov/provider_ctx.h"
#include "prov/providercommon.h"
#include "prov/providercommonerr.h"
#include "prov/implementations.h"
# include "prov/provider_util.h"
#include "prov/provider_util.h"
/* See RFC 4253, Section 7.2 */
static OSSL_FUNC_kdf_newctx_fn kdf_sshkdf_new;
@ -53,6 +54,9 @@ static void *kdf_sshkdf_new(void *provctx)
{
KDF_SSHKDF *ctx;
if (!ossl_prov_is_running())
return NULL;
if ((ctx = OPENSSL_zalloc(sizeof(*ctx))) == NULL)
ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
ctx->provctx = provctx;
@ -94,8 +98,12 @@ static int kdf_sshkdf_derive(void *vctx, unsigned char *key,
size_t keylen)
{
KDF_SSHKDF *ctx = (KDF_SSHKDF *)vctx;
const EVP_MD *md = ossl_prov_digest_md(&ctx->digest);
const EVP_MD *md;
if (!ossl_prov_is_running())
return 0;
md = ossl_prov_digest_md(&ctx->digest);
if (md == NULL) {
ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST);
return 0;


+ 13
- 2
providers/implementations/kdfs/sskdf.c View File

@ -46,6 +46,7 @@
#include "internal/numbers.h"
#include "crypto/evp.h"
#include "prov/provider_ctx.h"
#include "prov/providercommon.h"
#include "prov/providercommonerr.h"
#include "prov/implementations.h"
#include "prov/provider_util.h"
@ -293,6 +294,9 @@ static void *sskdf_new(void *provctx)
{
KDF_SSKDF *ctx;
if (!ossl_prov_is_running())
return NULL;
if ((ctx = OPENSSL_zalloc(sizeof(*ctx))) == NULL)
ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
ctx->provctx = provctx;
@ -349,12 +353,15 @@ static size_t sskdf_size(KDF_SSKDF *ctx)
static int sskdf_derive(void *vctx, unsigned char *key, size_t keylen)
{
KDF_SSKDF *ctx = (KDF_SSKDF *)vctx;
const EVP_MD *md = ossl_prov_digest_md(&ctx->digest);
const EVP_MD *md;
if (!ossl_prov_is_running())
return 0;
if (ctx->secret == NULL) {
ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_SECRET);
return 0;
}
md = ossl_prov_digest_md(&ctx->digest);
if (ctx->macctx != NULL) {
/* H(x) = KMAC or H(x) = HMAC */
@ -420,7 +427,10 @@ static int sskdf_derive(void *vctx, unsigned char *key, size_t keylen)
static int x963kdf_derive(void *vctx, unsigned char *key, size_t keylen)
{
KDF_SSKDF *ctx = (KDF_SSKDF *)vctx;
const EVP_MD *md = ossl_prov_digest_md(&ctx->digest);
const EVP_MD *md;
if (!ossl_prov_is_running())
return 0;
if (ctx->secret == NULL) {
ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_SECRET);
@ -433,6 +443,7 @@ static int x963kdf_derive(void *vctx, unsigned char *key, size_t keylen)
}
/* H(x) = hash */
md = ossl_prov_digest_md(&ctx->digest);
if (md == NULL) {
ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST);
return 0;


+ 7
- 0
providers/implementations/kdfs/tls1_prf.c View File

@ -56,6 +56,7 @@
#include "internal/numbers.h"
#include "crypto/evp.h"
#include "prov/provider_ctx.h"
#include "prov/providercommon.h"
#include "prov/providercommonerr.h"
#include "prov/implementations.h"
#include "prov/provider_util.h"
@ -98,6 +99,9 @@ static void *kdf_tls1_prf_new(void *provctx)
{
TLS1_PRF *ctx;
if (!ossl_prov_is_running())
return NULL;
if ((ctx = OPENSSL_zalloc(sizeof(*ctx))) == NULL)
ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
ctx->provctx = provctx;
@ -132,6 +136,9 @@ static int kdf_tls1_prf_derive(void *vctx, unsigned char *key,
{
TLS1_PRF *ctx = (TLS1_PRF *)vctx;
if (!ossl_prov_is_running())
return 0;
if (ctx->P_hash == NULL) {
ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST);
return 0;


+ 9
- 1
providers/implementations/kdfs/x942kdf.c View File

@ -17,6 +17,7 @@
#include "internal/packet.h"
#include "internal/der.h"
#include "prov/provider_ctx.h"
#include "prov/providercommon.h"
#include "prov/providercommonerr.h"
#include "prov/implementations.h"
#include "prov/provider_util.h"
@ -276,6 +277,9 @@ static void *x942kdf_new(void *provctx)
{
KDF_X942 *ctx;
if (!ossl_prov_is_running())
return 0;
if ((ctx = OPENSSL_zalloc(sizeof(*ctx))) == NULL)
ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
ctx->provctx = provctx;
@ -331,16 +335,20 @@ static size_t x942kdf_size(KDF_X942 *ctx)
static int x942kdf_derive(void *vctx, unsigned char *key, size_t keylen)
{
KDF_X942 *ctx = (KDF_X942 *)vctx;
const EVP_MD *md = ossl_prov_digest_md(&ctx->digest);
const EVP_MD *md;
int ret = 0;
unsigned char *ctr;
unsigned char *der = NULL;
size_t der_len = 0;
if (!ossl_prov_is_running())
return 0;
if (ctx->secret == NULL) {
ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_SECRET);
return 0;
}
md = ossl_prov_digest_md(&ctx->digest);
if (md == NULL) {
ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST);
return 0;


Loading…
Cancel
Save