leviathan
/
openssl
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Store some FIPS global variables in the FIPS_GLOBAL structure

Browse Source 
We had some FIPS global variables that were based on values from the
config file. In theory if two instances of the fips module are loaded
they could be based on different config files which would cause this to
fail. Instead we store them in the FIPS_GLOBAL structure.

Fixes #14364

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14814)
master
Matt Caswell 2 years ago
parent 81cc5ce1a0
commit 6ce58488bd
12 changed files with 171 additions and 115 deletions
Show Stats Download Patch File Download Diff File

18
providers/common/include/prov/securitycheck.h
Unescape Escape View File

@ -10,18 +10,20 @@
#include "crypto/types.h"
/* Functions that are common */
int ossl_rsa_check_key(const RSA *rsa, int operation);
int ossl_ec_check_key(const EC_KEY *ec, int protect);
int ossl_dsa_check_key(const DSA *dsa, int sign);
int ossl_dh_check_key(const DH *dh);
int ossl_rsa_check_key(OSSL_LIB_CTX *ctx, const RSA *rsa, int operation);
int ossl_ec_check_key(OSSL_LIB_CTX *ctx, const EC_KEY *ec, int protect);
int ossl_dsa_check_key(OSSL_LIB_CTX *ctx, const DSA *dsa, int sign);
int ossl_dh_check_key(OSSL_LIB_CTX *ctx, const DH *dh);
int ossl_digest_is_allowed(const EVP_MD *md);
int ossl_digest_get_approved_nid_with_sha1(const EVP_MD *md, int sha1_allowed);
int ossl_digest_is_allowed(OSSL_LIB_CTX *ctx, const EVP_MD *md);
int ossl_digest_get_approved_nid_with_sha1(OSSL_LIB_CTX *ctx, const EVP_MD *md,
int sha1_allowed);
/* Functions that are common */
int ossl_digest_md_to_nid(const EVP_MD *md, const OSSL_ITEM *it, size_t it_len);
int ossl_digest_get_approved_nid(const EVP_MD *md);
/* Functions that have different implementations for the FIPS_MODULE */
int ossl_digest_rsa_sign_get_md_nid(const EVP_MD *md, int sha1_allowed);
int ossl_securitycheck_enabled(void);
int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX *ctx, const EVP_MD *md,
int sha1_allowed);
int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx);

25
providers/common/securitycheck.c
Unescape Escape View File

@ -26,7 +26,7 @@
* Set protect = 1 for encryption or signing operations, or 0 otherwise. See
* https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf.
*/
int ossl_rsa_check_key(const RSA *rsa, int operation)
int ossl_rsa_check_key(OSSL_LIB_CTX *ctx, const RSA *rsa, int operation)
{
int protect = 0;
@ -58,7 +58,7 @@ int ossl_rsa_check_key(const RSA *rsa, int operation)
}
#if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
if (ossl_securitycheck_enabled()) {
if (ossl_securitycheck_enabled(ctx)) {
int sz = RSA_bits(rsa);
if (protect ? (sz < 2048) : (sz < 1024)) {
@ -89,10 +89,10 @@ int ossl_rsa_check_key(const RSA *rsa, int operation)
* https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf
* "Table 2"
*/
int ossl_ec_check_key(const EC_KEY *ec, int protect)
int ossl_ec_check_key(OSSL_LIB_CTX *ctx, const EC_KEY *ec, int protect)
{
# if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
if (ossl_securitycheck_enabled()) {
if (ossl_securitycheck_enabled(ctx)) {
int nid, strength;
const char *curve_name;
const EC_GROUP *group = EC_KEY_get0_group(ec);
@ -147,10 +147,10 @@ int ossl_ec_check_key(const EC_KEY *ec, int protect)
* https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf
* "Table 2"
*/
int ossl_dsa_check_key(const DSA *dsa, int sign)
int ossl_dsa_check_key(OSSL_LIB_CTX *ctx, const DSA *dsa, int sign)
{
# if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
if (ossl_securitycheck_enabled()) {
if (ossl_securitycheck_enabled(ctx)) {
size_t L, N;
const BIGNUM *p, *q;
@ -191,10 +191,10 @@ int ossl_dsa_check_key(const DSA *dsa, int sign)
* "Section 5.5.1.1FFC Domain Parameter Selection/Generation" and
* "Appendix D" FFC Safe-prime Groups
*/
int ossl_dh_check_key(const DH *dh)
int ossl_dh_check_key(OSSL_LIB_CTX *ctx, const DH *dh)
{
# if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
if (ossl_securitycheck_enabled()) {
if (ossl_securitycheck_enabled(ctx)) {
size_t L, N;
const BIGNUM *p, *q;
@ -224,12 +224,13 @@ int ossl_dh_check_key(const DH *dh)
}
#endif /* OPENSSL_NO_DH */
int ossl_digest_get_approved_nid_with_sha1(const EVP_MD *md, int sha1_allowed)
int ossl_digest_get_approved_nid_with_sha1(OSSL_LIB_CTX *ctx, const EVP_MD *md,
int sha1_allowed)
{
int mdnid = ossl_digest_get_approved_nid(md);
# if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
if (ossl_securitycheck_enabled()) {
if (ossl_securitycheck_enabled(ctx)) {
if (mdnid == NID_sha1 && !sha1_allowed)
mdnid = NID_undef;
}
@ -237,10 +238,10 @@ int ossl_digest_get_approved_nid_with_sha1(const EVP_MD *md, int sha1_allowed)
return mdnid;
}
int ossl_digest_is_allowed(const EVP_MD *md)
int ossl_digest_is_allowed(OSSL_LIB_CTX *ctx, const EVP_MD *md)
{
# if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
if (ossl_securitycheck_enabled())
if (ossl_securitycheck_enabled(ctx))
return ossl_digest_get_approved_nid(md) != NID_undef;
# endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
return 1;

6
providers/common/securitycheck_default.c
Unescape Escape View File

@ -17,12 +17,12 @@
#include "internal/nelem.h"
/* Disable the security checks in the default provider */
int ossl_securitycheck_enabled(void)
int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx)
{
return 0;
}
int ossl_digest_rsa_sign_get_md_nid(const EVP_MD *md,
int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX *ctx, const EVP_MD *md,
ossl_unused int sha1_allowed)
{
int mdnid;
@ -36,7 +36,7 @@ int ossl_digest_rsa_sign_get_md_nid(const EVP_MD *md,
{ NID_ripemd160, OSSL_DIGEST_NAME_RIPEMD160 },
};
mdnid = ossl_digest_get_approved_nid_with_sha1(md, 1);
mdnid = ossl_digest_get_approved_nid_with_sha1(ctx, md, 1);
if (mdnid == NID_undef)
mdnid = ossl_digest_md_to_nid(md, name_to_nid, OSSL_NELEM(name_to_nid));
return mdnid;

13
providers/common/securitycheck_fips.c
Unescape Escape View File

@ -19,22 +19,23 @@
#include <openssl/obj_mac.h>
#include "prov/securitycheck.h"
extern int FIPS_security_check_enabled(void);
int FIPS_security_check_enabled(OSSL_LIB_CTX *libctx);
int ossl_securitycheck_enabled(void)
int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx)
{
#if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
return FIPS_security_check_enabled();
return FIPS_security_check_enabled(libctx);
#else
return 0;
#endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
}
int ossl_digest_rsa_sign_get_md_nid(const EVP_MD *md, int sha1_allowed)
int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX *ctx, const EVP_MD *md,
int sha1_allowed)
{
#if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
if (ossl_securitycheck_enabled())
return ossl_digest_get_approved_nid_with_sha1(md, sha1_allowed);
if (ossl_securitycheck_enabled(ctx))
return ossl_digest_get_approved_nid_with_sha1(ctx, md, sha1_allowed);
#endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
return ossl_digest_get_approved_nid(md);
}

191
providers/fips/fipsprov.c
Unescape Escape View File

@ -7,6 +7,7 @@
* https://www.openssl.org/source/license.html
*/
#include <assert.h>
#include <openssl/core_dispatch.h>
#include <openssl/core_names.h>
#include <openssl/params.h>
@ -37,19 +38,13 @@ static OSSL_FUNC_provider_query_operation_fn fips_query;
#define ALG(NAMES, FUNC) ALGC(NAMES, FUNC, NULL)
extern OSSL_FUNC_core_thread_start_fn *c_thread_start;
int FIPS_security_check_enabled(void);
int FIPS_security_check_enabled(OSSL_LIB_CTX *libctx);
/*
* TODO(3.0): Should these be stored in the provider side provctx? Could they
* ever be different from one init to the next? Unfortunately we can't do this
* at the moment because c_put_error/c_add_error_vdata do not provide
* us with the OSSL_LIB_CTX as a parameter.
* Should these function pointers be stored in the provider side provctx? Could
* they ever be different from one init to the next? We assume not for now.
*/
static SELF_TEST_POST_PARAMS selftest_params;
static int fips_security_checks = 1;
static const char *fips_security_check_option = "1";
/* Functions provided by the core */
static OSSL_FUNC_core_gettable_params_fn *c_gettable_params;
static OSSL_FUNC_core_get_params_fn *c_get_params;
@ -77,12 +72,20 @@ static OSSL_FUNC_core_get_libctx_fn *c_get_libctx = NULL;
typedef struct fips_global_st {
const OSSL_CORE_HANDLE *handle;
SELF_TEST_POST_PARAMS selftest_params;
int fips_security_checks;
const char *fips_security_check_option;
} FIPS_GLOBAL;
static void *fips_prov_ossl_ctx_new(OSSL_LIB_CTX *libctx)
{
FIPS_GLOBAL *fgbl = OPENSSL_zalloc(sizeof(*fgbl));
if (fgbl == NULL)
return NULL;
fgbl->fips_security_checks = 1;
fgbl->fips_security_check_option = "1";
return fgbl;
}
@ -107,38 +110,54 @@ static const OSSL_PARAM fips_param_types[] = {
OSSL_PARAM_END
};
/*
* Parameters to retrieve from the core provider - required for self testing.
* NOTE: inside core_get_params() these will be loaded from config items
* stored inside prov->parameters (except for
* OSSL_PROV_PARAM_CORE_MODULE_FILENAME).
* OSSL_PROV_FIPS_PARAM_SECURITY_CHECKS is not a self test parameter.
*/
static OSSL_PARAM core_params[] =
{
OSSL_PARAM_utf8_ptr(OSSL_PROV_PARAM_CORE_MODULE_FILENAME,
&selftest_params.module_filename,
sizeof(selftest_params.module_filename)),
OSSL_PARAM_utf8_ptr(OSSL_PROV_FIPS_PARAM_MODULE_MAC,
&selftest_params.module_checksum_data,
sizeof(selftest_params.module_checksum_data)),
OSSL_PARAM_utf8_ptr(OSSL_PROV_FIPS_PARAM_INSTALL_MAC,
&selftest_params.indicator_checksum_data,
sizeof(selftest_params.indicator_checksum_data)),
OSSL_PARAM_utf8_ptr(OSSL_PROV_FIPS_PARAM_INSTALL_STATUS,
&selftest_params.indicator_data,
sizeof(selftest_params.indicator_data)),
OSSL_PARAM_utf8_ptr(OSSL_PROV_FIPS_PARAM_INSTALL_VERSION,
&selftest_params.indicator_version,
sizeof(selftest_params.indicator_version)),
OSSL_PARAM_utf8_ptr(OSSL_PROV_FIPS_PARAM_CONDITIONAL_ERRORS,
&selftest_params.conditional_error_check,
sizeof(selftest_params.conditional_error_check)),
OSSL_PARAM_utf8_ptr(OSSL_PROV_FIPS_PARAM_SECURITY_CHECKS,
&fips_security_check_option,
sizeof(fips_security_check_option)),
OSSL_PARAM_END
};
static int fips_get_params_from_core(FIPS_GLOBAL *fgbl)
{
/*
* Parameters to retrieve from the core provider - required for self testing.
* NOTE: inside core_get_params() these will be loaded from config items
* stored inside prov->parameters (except for
* OSSL_PROV_PARAM_CORE_MODULE_FILENAME).
* OSSL_PROV_FIPS_PARAM_SECURITY_CHECKS is not a self test parameter.
*/
OSSL_PARAM core_params[8], *p = core_params;
*p++ = OSSL_PARAM_construct_utf8_ptr(
OSSL_PROV_PARAM_CORE_MODULE_FILENAME,
(char **)&fgbl->selftest_params.module_filename,
sizeof(fgbl->selftest_params.module_filename));
*p++ = OSSL_PARAM_construct_utf8_ptr(
OSSL_PROV_FIPS_PARAM_MODULE_MAC,
(char **)&fgbl->selftest_params.module_checksum_data,
sizeof(fgbl->selftest_params.module_checksum_data));
*p++ = OSSL_PARAM_construct_utf8_ptr(
OSSL_PROV_FIPS_PARAM_INSTALL_MAC,
(char **)&fgbl->selftest_params.indicator_checksum_data,
sizeof(fgbl->selftest_params.indicator_checksum_data));
*p++ = OSSL_PARAM_construct_utf8_ptr(
OSSL_PROV_FIPS_PARAM_INSTALL_STATUS,
(char **)&fgbl->selftest_params.indicator_data,
sizeof(fgbl->selftest_params.indicator_data));
*p++ = OSSL_PARAM_construct_utf8_ptr(
OSSL_PROV_FIPS_PARAM_INSTALL_VERSION,
(char **)&fgbl->selftest_params.indicator_version,
sizeof(fgbl->selftest_params.indicator_version));
*p++ = OSSL_PARAM_construct_utf8_ptr(
OSSL_PROV_FIPS_PARAM_CONDITIONAL_ERRORS,
(char **)&fgbl->selftest_params.conditional_error_check,
sizeof(fgbl->selftest_params.conditional_error_check));
*p++ = OSSL_PARAM_construct_utf8_ptr(
OSSL_PROV_FIPS_PARAM_SECURITY_CHECKS,
(char **)&fgbl->fips_security_check_option,
sizeof(fgbl->fips_security_check_option));
*p = OSSL_PARAM_construct_end();
if (!c_get_params(fgbl->handle, core_params)) {
ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
return 0;
}
return 1;
}
static const OSSL_PARAM *fips_gettable_params(void *provctx)
{
@ -148,6 +167,9 @@ static const OSSL_PARAM *fips_gettable_params(void *provctx)
static int fips_get_params(void *provctx, OSSL_PARAM params[])
{
OSSL_PARAM *p;
FIPS_GLOBAL *fgbl = ossl_lib_ctx_get_data(ossl_prov_ctx_get0_libctx(provctx),
OSSL_LIB_CTX_FIPS_PROV_INDEX,
&fips_prov_ossl_ctx_method);
p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_NAME);
if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "OpenSSL FIPS Provider"))
@ -162,26 +184,33 @@ static int fips_get_params(void *provctx, OSSL_PARAM params[])
if (p != NULL && !OSSL_PARAM_set_int(p, ossl_prov_is_running()))
return 0;
p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_SECURITY_CHECKS);
if (p != NULL && !OSSL_PARAM_set_int(p, fips_security_checks))
if (p != NULL && !OSSL_PARAM_set_int(p, fgbl->fips_security_checks))
return 0;
return 1;
}
static void set_self_test_cb(const OSSL_CORE_HANDLE *handle)
static void set_self_test_cb(FIPS_GLOBAL *fgbl)
{
const OSSL_CORE_HANDLE *handle =
FIPS_get_core_handle(fgbl->selftest_params.libctx);
if (c_stcbfn != NULL && c_get_libctx != NULL) {
c_stcbfn(c_get_libctx(handle), &selftest_params.cb,
&selftest_params.cb_arg);
c_stcbfn(c_get_libctx(handle), &fgbl->selftest_params.cb,
&fgbl->selftest_params.cb_arg);
} else {
selftest_params.cb = NULL;
selftest_params.cb_arg = NULL;
fgbl->selftest_params.cb = NULL;
fgbl->selftest_params.cb_arg = NULL;
}
}
static int fips_self_test(void *provctx)
{
set_self_test_cb(FIPS_get_core_handle(selftest_params.libctx));
return SELF_TEST_post(&selftest_params, 1) ? 1 : 0;
FIPS_GLOBAL *fgbl = ossl_lib_ctx_get_data(ossl_prov_ctx_get0_libctx(provctx),
OSSL_LIB_CTX_FIPS_PROV_INDEX,
&fips_prov_ossl_ctx_method);
set_self_test_cb(fgbl);
return SELF_TEST_post(&fgbl->selftest_params, 1) ? 1 : 0;
}
/*
@ -506,6 +535,9 @@ int OSSL_provider_init(const OSSL_CORE_HANDLE *handle,
{
FIPS_GLOBAL *fgbl;
OSSL_LIB_CTX *libctx = NULL;
SELF_TEST_POST_PARAMS selftest_params;
memset(&selftest_params, 0, sizeof(selftest_params));
if (!ossl_prov_seeding_from_dispatch(in))
return 0;
@ -578,7 +610,8 @@ int OSSL_provider_init(const OSSL_CORE_HANDLE *handle,
selftest_params.bio_new_file_cb = OSSL_FUNC_BIO_new_file(in);
break;
case OSSL_FUNC_BIO_NEW_MEMBUF:
selftest_params.bio_new_buffer_cb = OSSL_FUNC_BIO_new_membuf(in);
selftest_params.bio_new_buffer_cb
= OSSL_FUNC_BIO_new_membuf(in);
break;
case OSSL_FUNC_BIO_READ_EX:
selftest_params.bio_read_ex_cb = OSSL_FUNC_BIO_read_ex(in);
@ -598,22 +631,6 @@ int OSSL_provider_init(const OSSL_CORE_HANDLE *handle,
}
}
set_self_test_cb(handle);
if (!c_get_params(handle, core_params)) {
ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
return 0;
}
/* Disable the conditional error check if is disabled in the fips config file*/
if (selftest_params.conditional_error_check != NULL
&& strcmp(selftest_params.conditional_error_check, "0") == 0)
SELF_TEST_disable_conditional_error_state();
/* Disable the security check if is disabled in the fips config file*/
if (fips_security_check_option != NULL
&& strcmp(fips_security_check_option, "0") == 0)
fips_security_checks = 0;
/* Create a context. */
if ((*provctx = ossl_prov_ctx_new()) == NULL
|| (libctx = OSSL_LIB_CTX_new()) == NULL) {
@ -634,10 +651,37 @@ int OSSL_provider_init(const OSSL_CORE_HANDLE *handle,
fgbl->handle = handle;
/*
* We did initial set up of selftest_params in a local copy, because we
* could not create fgbl until c_CRYPTO_zalloc was defined in the loop
* above.
*/
fgbl->selftest_params = selftest_params;
fgbl->selftest_params.libctx = libctx;
set_self_test_cb(fgbl);
if (!fips_get_params_from_core(fgbl)) {
/* Error already raised */
return 0;
}
/*
* Disable the conditional error check if is disabled in the fips config
* file
*/
if (fgbl->selftest_params.conditional_error_check != NULL
&& strcmp(fgbl->selftest_params.conditional_error_check, "0") == 0)
SELF_TEST_disable_conditional_error_state();
/* Disable the security check if is disabled in the fips config file */
if (fgbl->fips_security_check_option != NULL
&& strcmp(fgbl->fips_security_check_option, "0") == 0)
fgbl->fips_security_checks = 0;
ossl_prov_cache_exported_algorithms(fips_ciphers, exported_fips_ciphers);
selftest_params.libctx = libctx;
if (!SELF_TEST_post(&selftest_params, 0)) {
if (!SELF_TEST_post(&fgbl->selftest_params, 0)) {
ERR_raise(ERR_LIB_PROV, PROV_R_SELF_TEST_POST_FAILURE);
goto err;
}
@ -819,16 +863,19 @@ int BIO_snprintf(char *buf, size_t n, const char *format, ...)
return ret;
}
int FIPS_security_check_enabled(void)
int FIPS_security_check_enabled(OSSL_LIB_CTX *libctx)
{
return fips_security_checks;
FIPS_GLOBAL *fgbl = ossl_lib_ctx_get_data(libctx,
OSSL_LIB_CTX_FIPS_PROV_INDEX,
&fips_prov_ossl_ctx_method);
return fgbl->fips_security_checks;
}
void OSSL_SELF_TEST_get_callback(OSSL_LIB_CTX *libctx, OSSL_CALLBACK **cb,
void **cbarg)
{
if (libctx == NULL)
libctx = selftest_params.libctx;
assert(libctx != NULL);
if (c_stcbfn != NULL && c_get_libctx != NULL) {
/* Get the parent libctx */

2
providers/implementations/asymciphers/rsa_enc.c
Unescape Escape View File

@ -99,7 +99,7 @@ static int rsa_init(void *vprsactx, void *vrsa, const OSSL_PARAM params[],
if (!ossl_prov_is_running() || prsactx == NULL || vrsa == NULL)
return 0;
if (!ossl_rsa_check_key(vrsa, operation))
if (!ossl_rsa_check_key(prsactx->libctx, vrsa, operation))
return 0;
if (!RSA_up_ref(vrsa))

5
providers/implementations/exchange/dh_exch.c
Unescape Escape View File

@ -105,7 +105,8 @@ static int dh_init(void *vpdhctx, void *vdh, const OSSL_PARAM params[])
DH_free(pdhctx->dh);
pdhctx->dh = vdh;
pdhctx->kdf_type = PROV_DH_KDF_NONE;
return dh_set_ctx_params(pdhctx, params) && ossl_dh_check_key(vdh);
return dh_set_ctx_params(pdhctx, params)
&& ossl_dh_check_key(pdhctx->libctx, vdh);
}
/* The 2 parties must share the same domain parameters */
@ -345,7 +346,7 @@ static int dh_set_ctx_params(void *vpdhctx, const OSSL_PARAM params[])
EVP_MD_free(pdhctx->kdf_md);
pdhctx->kdf_md = EVP_MD_fetch(pdhctx->libctx, name, mdprops);
if (!ossl_digest_is_allowed(pdhctx->kdf_md)) {
if (!ossl_digest_is_allowed(pdhctx->libctx, pdhctx->kdf_md)) {
EVP_MD_free(pdhctx->kdf_md);
pdhctx->kdf_md = NULL;
}

6
providers/implementations/exchange/ecdh_exch.c
Unescape Escape View File

@ -113,7 +113,7 @@ int ecdh_init(void *vpecdhctx, void *vecdh, const OSSL_PARAM params[])
pecdhctx->cofactor_mode = -1;
pecdhctx->kdf_type = PROV_ECDH_KDF_NONE;
return ecdh_set_ctx_params(pecdhctx, params)
&& ossl_ec_check_key(vecdh, 1);
&& ossl_ec_check_key(pecdhctx->libctx, vecdh, 1);
}
static
@ -147,7 +147,7 @@ int ecdh_set_peer(void *vpecdhctx, void *vecdh)
|| pecdhctx == NULL
|| vecdh == NULL
|| !ecdh_match_params(pecdhctx->k, vecdh)
|| !ossl_ec_check_key(vecdh, 1)
|| !ossl_ec_check_key(pecdhctx->libctx, vecdh, 1)
|| !EC_KEY_up_ref(vecdh))
return 0;
@ -283,7 +283,7 @@ int ecdh_set_ctx_params(void *vpecdhctx, const OSSL_PARAM params[])
EVP_MD_free(pectx->kdf_md);
pectx->kdf_md = EVP_MD_fetch(pectx->libctx, name, mdprops);
if (!ossl_digest_is_allowed(pectx->kdf_md)) {
if (!ossl_digest_is_allowed(pectx->libctx, pectx->kdf_md)) {
EVP_MD_free(pectx->kdf_md);
pectx->kdf_md = NULL;
}

2
providers/implementations/kem/rsa_kem.c
Unescape Escape View File

@ -125,7 +125,7 @@ static int rsakem_init(void *vprsactx, void *vrsa,
if (prsactx == NULL || vrsa == NULL)
return 0;
if (!ossl_rsa_check_key(vrsa, operation))
if (!ossl_rsa_check_key(prsactx->libctx, vrsa, operation))
return 0;
if (!RSA_up_ref(vrsa))

6
providers/implementations/signature/dsa.c
Unescape Escape View File

@ -127,7 +127,8 @@ static int dsa_setup_md(PROV_DSA_CTX *ctx,
int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
WPACKET pkt;
EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops);
int md_nid = ossl_digest_get_approved_nid_with_sha1(md, sha1_allowed);
int md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md,
sha1_allowed);
size_t mdname_len = strlen(mdname);
if (md == NULL || md_nid == NID_undef) {
@ -188,7 +189,8 @@ static int dsa_signverify_init(void *vpdsactx, void *vdsa,
if (!dsa_set_ctx_params(pdsactx, params))
return 0;
if (!ossl_dsa_check_key(vdsa, operation == EVP_PKEY_OP_SIGN)) {
if (!ossl_dsa_check_key(pdsactx->libctx, vdsa,
operation == EVP_PKEY_OP_SIGN)) {
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
return 0;
}

5
providers/implementations/signature/ecdsa.c
Unescape Escape View File

@ -140,7 +140,7 @@ static int ecdsa_signverify_init(void *vctx, void *ec,
ctx->operation = operation;
if (!ecdsa_set_ctx_params(ctx, params))
return 0;
return ossl_ec_check_key(ec, operation == EVP_PKEY_OP_SIGN);
return ossl_ec_check_key(ctx->libctx, ec, operation == EVP_PKEY_OP_SIGN);
}
static int ecdsa_sign_init(void *vctx, void *ec, const OSSL_PARAM params[])
@ -225,7 +225,8 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx, const char *mdname,
return 0;
}
sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
md_nid = ossl_digest_get_approved_nid_with_sha1(md, sha1_allowed);
md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md,
sha1_allowed);
if (md_nid == NID_undef) {
ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED,
"digest=%s", mdname);

7
providers/implementations/signature/rsa.c
Unescape Escape View File

@ -284,7 +284,8 @@ static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname,
if (mdname != NULL) {
EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops);
int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
int md_nid = ossl_digest_rsa_sign_get_md_nid(md, sha1_allowed);
int md_nid = ossl_digest_rsa_sign_get_md_nid(ctx->libctx, md,
sha1_allowed);
size_t mdname_len = strlen(mdname);
if (md == NULL
@ -343,7 +344,7 @@ static int rsa_setup_mgf1_md(PROV_RSA_CTX *ctx, const char *mdname,
return 0;
}
/* The default for mgf1 is SHA1 - so allow SHA1 */
if ((mdnid = ossl_digest_rsa_sign_get_md_nid(md, 1)) == NID_undef
if ((mdnid = ossl_digest_rsa_sign_get_md_nid(ctx->libctx, md, 1)) == NID_undef
|| !rsa_check_padding(ctx, NULL, mdname, mdnid)) {
if (mdnid == NID_undef)
ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED,
@ -377,7 +378,7 @@ static int rsa_signverify_init(void *vprsactx, void *vrsa,
if (prsactx == NULL || vrsa == NULL)
return 0;
if (!ossl_rsa_check_key(vrsa, operation))
if (!ossl_rsa_check_key(prsactx->libctx, vrsa, operation))
return 0;
if (!RSA_up_ref(vrsa))

Write Preview
Loading…
Cancel
Save