]> git.ipfire.org Git - thirdparty/openssl.git/blob - crypto/evp/digest.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Fix an EVP_MD_CTX leak
[thirdparty/openssl.git] / crypto / evp / digest.c
1 /*
2 * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 /* We need to use some engine deprecated APIs */
11 #define OPENSSL_SUPPRESS_DEPRECATED
12
13 #include <stdio.h>
14 #include <openssl/objects.h>
15 #include <openssl/evp.h>
16 #include <openssl/ec.h>
17 #include <openssl/engine.h>
18 #include <openssl/params.h>
19 #include <openssl/core_names.h>
20 #include "internal/cryptlib.h"
21 #include "crypto/evp.h"
22 #include "internal/provider.h"
23 #include "evp_local.h"
24
25
26 void evp_md_ctx_clear_digest(EVP_MD_CTX *ctx, int force)
27 {
28 EVP_MD_free(ctx->fetched_digest);
29 ctx->fetched_digest = NULL;
30 ctx->reqdigest = NULL;
31
32 if (ctx->provctx != NULL) {
33 if (ctx->digest->freectx != NULL)
34 ctx->digest->freectx(ctx->provctx);
35 ctx->provctx = NULL;
36 EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_CLEANED);
37 }
38
39 /* TODO(3.0): Remove legacy code below */
40
41 /*
42 * Don't assume ctx->md_data was cleaned in EVP_Digest_Final, because
43 * sometimes only copies of the context are ever finalised.
44 */
45 if (ctx->digest && ctx->digest->cleanup
46 && !EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_CLEANED))
47 ctx->digest->cleanup(ctx);
48 if (ctx->digest && ctx->digest->ctx_size && ctx->md_data
49 && (!EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_REUSE) || force))
50 OPENSSL_clear_free(ctx->md_data, ctx->digest->ctx_size);
51 if (force)
52 ctx->digest = NULL;
53
54 #if !defined(FIPS_MODULE) && !defined(OPENSSL_NO_ENGINE)
55 ENGINE_finish(ctx->engine);
56 ctx->engine = NULL;
57 #endif
58 }
59
60 /* This call frees resources associated with the context */
61 int EVP_MD_CTX_reset(EVP_MD_CTX *ctx)
62 {
63 if (ctx == NULL)
64 return 1;
65
66 #ifndef FIPS_MODULE
67 /* TODO(3.0): Temporarily no support for EVP_DigestSign* in FIPS module */
68 /*
69 * pctx should be freed by the user of EVP_MD_CTX
70 * if EVP_MD_CTX_FLAG_KEEP_PKEY_CTX is set
71 */
72 if (!EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_KEEP_PKEY_CTX)) {
73 EVP_PKEY_CTX_free(ctx->pctx);
74 ctx->pctx = NULL;
75 }
76 #endif
77
78 evp_md_ctx_clear_digest(ctx, 0);
79 OPENSSL_cleanse(ctx, sizeof(*ctx));
80
81 return 1;
82 }
83
84 #ifndef FIPS_MODULE
85 EVP_MD_CTX *evp_md_ctx_new_with_libctx(EVP_PKEY *pkey,
86 const ASN1_OCTET_STRING *id,
87 OPENSSL_CTX *libctx, const char *propq)
88 {
89 EVP_MD_CTX *ctx;
90 EVP_PKEY_CTX *pctx = NULL;
91
92 if ((ctx = EVP_MD_CTX_new()) == NULL
93 || (pctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, propq)) == NULL) {
94 ASN1err(0, ERR_R_MALLOC_FAILURE);
95 goto err;
96 }
97
98 # ifndef OPENSSL_NO_EC
99 if (id != NULL && EVP_PKEY_CTX_set1_id(pctx, id->data, id->length) <= 0) {
100 ASN1err(0, ERR_R_MALLOC_FAILURE);
101 goto err;
102 }
103 # endif
104
105 EVP_MD_CTX_set_pkey_ctx(ctx, pctx);
106 return ctx;
107
108 err:
109 EVP_PKEY_CTX_free(pctx);
110 EVP_MD_CTX_free(ctx);
111 return NULL;
112 }
113 #endif
114
115 EVP_MD_CTX *EVP_MD_CTX_new(void)
116 {
117 return OPENSSL_zalloc(sizeof(EVP_MD_CTX));
118 }
119
120 void EVP_MD_CTX_free(EVP_MD_CTX *ctx)
121 {
122 if (ctx == NULL)
123 return;
124
125 EVP_MD_CTX_reset(ctx);
126
127 OPENSSL_free(ctx);
128 return;
129 }
130
131 int EVP_DigestInit(EVP_MD_CTX *ctx, const EVP_MD *type)
132 {
133 EVP_MD_CTX_reset(ctx);
134 return EVP_DigestInit_ex(ctx, type, NULL);
135 }
136
137 int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
138 {
139 #if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE)
140 ENGINE *tmpimpl = NULL;
141 #endif
142
143 EVP_MD_CTX_clear_flags(ctx, EVP_MD_CTX_FLAG_CLEANED);
144
145 if (ctx->provctx != NULL) {
146 if (!ossl_assert(ctx->digest != NULL)) {
147 EVPerr(EVP_F_EVP_DIGESTINIT_EX, EVP_R_INITIALIZATION_ERROR);
148 return 0;
149 }
150 if (ctx->digest->freectx != NULL)
151 ctx->digest->freectx(ctx->provctx);
152 ctx->provctx = NULL;
153 }
154
155 if (type != NULL)
156 ctx->reqdigest = type;
157
158 /* TODO(3.0): Legacy work around code below. Remove this */
159 #if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE)
160 /*
161 * Whether it's nice or not, "Inits" can be used on "Final"'d contexts so
162 * this context may already have an ENGINE! Try to avoid releasing the
163 * previous handle, re-querying for an ENGINE, and having a
164 * reinitialisation, when it may all be unnecessary.
165 */
166 if (ctx->engine && ctx->digest &&
167 (type == NULL || (type->type == ctx->digest->type)))
168 goto skip_to_init;
169
170 if (type != NULL) {
171 /*
172 * Ensure an ENGINE left lying around from last time is cleared (the
173 * previous check attempted to avoid this if the same ENGINE and
174 * EVP_MD could be used).
175 */
176 ENGINE_finish(ctx->engine);
177 ctx->engine = NULL;
178 }
179
180 if (type != NULL && impl == NULL)
181 tmpimpl = ENGINE_get_digest_engine(type->type);
182 #endif
183
184 /*
185 * If there are engines involved or EVP_MD_CTX_FLAG_NO_INIT is set then we
186 * should use legacy handling for now.
187 */
188 if (ctx->engine != NULL
189 || impl != NULL
190 #if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE)
191 || tmpimpl != NULL
192 #endif
193 || (ctx->flags & EVP_MD_CTX_FLAG_NO_INIT) != 0) {
194 if (ctx->digest == ctx->fetched_digest)
195 ctx->digest = NULL;
196 EVP_MD_free(ctx->fetched_digest);
197 ctx->fetched_digest = NULL;
198 goto legacy;
199 }
200
201 if (ctx->digest != NULL && ctx->digest->ctx_size > 0) {
202 OPENSSL_clear_free(ctx->md_data, ctx->digest->ctx_size);
203 ctx->md_data = NULL;
204 }
205
206 /* TODO(3.0): Start of non-legacy code below */
207
208 if (type->prov == NULL) {
209 #ifdef FIPS_MODULE
210 /* We only do explicit fetches inside the FIPS module */
211 EVPerr(EVP_F_EVP_DIGESTINIT_EX, EVP_R_INITIALIZATION_ERROR);
212 return 0;
213 #else
214 EVP_MD *provmd = EVP_MD_fetch(NULL, OBJ_nid2sn(type->type), "");
215
216 if (provmd == NULL) {
217 EVPerr(EVP_F_EVP_DIGESTINIT_EX, EVP_R_INITIALIZATION_ERROR);
218 return 0;
219 }
220 type = provmd;
221 EVP_MD_free(ctx->fetched_digest);
222 ctx->fetched_digest = provmd;
223 #endif
224 }
225
226 if (ctx->provctx != NULL && ctx->digest != NULL && ctx->digest != type) {
227 if (ctx->digest->freectx != NULL)
228 ctx->digest->freectx(ctx->provctx);
229 ctx->provctx = NULL;
230 }
231 ctx->digest = type;
232 if (ctx->provctx == NULL) {
233 ctx->provctx = ctx->digest->newctx(ossl_provider_ctx(type->prov));
234 if (ctx->provctx == NULL) {
235 EVPerr(EVP_F_EVP_DIGESTINIT_EX, EVP_R_INITIALIZATION_ERROR);
236 return 0;
237 }
238 }
239
240 if (ctx->digest->dinit == NULL) {
241 EVPerr(EVP_F_EVP_DIGESTINIT_EX, EVP_R_INITIALIZATION_ERROR);
242 return 0;
243 }
244
245 return ctx->digest->dinit(ctx->provctx);
246
247 /* TODO(3.0): Remove legacy code below */
248 legacy:
249
250 #if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE)
251 if (type) {
252 if (impl != NULL) {
253 if (!ENGINE_init(impl)) {
254 EVPerr(EVP_F_EVP_DIGESTINIT_EX, EVP_R_INITIALIZATION_ERROR);
255 return 0;
256 }
257 } else {
258 /* Ask if an ENGINE is reserved for this job */
259 impl = tmpimpl;
260 }
261 if (impl != NULL) {
262 /* There's an ENGINE for this job ... (apparently) */
263 const EVP_MD *d = ENGINE_get_digest(impl, type->type);
264
265 if (d == NULL) {
266 EVPerr(EVP_F_EVP_DIGESTINIT_EX, EVP_R_INITIALIZATION_ERROR);
267 ENGINE_finish(impl);
268 return 0;
269 }
270 /* We'll use the ENGINE's private digest definition */
271 type = d;
272 /*
273 * Store the ENGINE functional reference so we know 'type' came
274 * from an ENGINE and we need to release it when done.
275 */
276 ctx->engine = impl;
277 } else
278 ctx->engine = NULL;
279 } else {
280 if (!ctx->digest) {
281 EVPerr(EVP_F_EVP_DIGESTINIT_EX, EVP_R_NO_DIGEST_SET);
282 return 0;
283 }
284 type = ctx->digest;
285 }
286 #endif
287 if (ctx->digest != type) {
288 if (ctx->digest && ctx->digest->ctx_size) {
289 OPENSSL_clear_free(ctx->md_data, ctx->digest->ctx_size);
290 ctx->md_data = NULL;
291 }
292 ctx->digest = type;
293 if (!(ctx->flags & EVP_MD_CTX_FLAG_NO_INIT) && type->ctx_size) {
294 ctx->update = type->update;
295 ctx->md_data = OPENSSL_zalloc(type->ctx_size);
296 if (ctx->md_data == NULL) {
297 EVPerr(EVP_F_EVP_DIGESTINIT_EX, ERR_R_MALLOC_FAILURE);
298 return 0;
299 }
300 }
301 }
302 #if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE)
303 skip_to_init:
304 #endif
305 #ifndef FIPS_MODULE
306 /*
307 * TODO(3.0): Temporarily no support for EVP_DigestSign* inside FIPS module
308 * or when using providers.
309 */
310 if (ctx->pctx != NULL
311 && (!EVP_PKEY_CTX_IS_SIGNATURE_OP(ctx->pctx)
312 || ctx->pctx->op.sig.signature == NULL)) {
313 int r;
314 r = EVP_PKEY_CTX_ctrl(ctx->pctx, -1, EVP_PKEY_OP_TYPE_SIG,
315 EVP_PKEY_CTRL_DIGESTINIT, 0, ctx);
316 if (r <= 0 && (r != -2))
317 return 0;
318 }
319 #endif
320 if (ctx->flags & EVP_MD_CTX_FLAG_NO_INIT)
321 return 1;
322 return ctx->digest->init(ctx);
323 }
324
325 int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *data, size_t count)
326 {
327 if (count == 0)
328 return 1;
329
330 if (ctx->pctx != NULL
331 && EVP_PKEY_CTX_IS_SIGNATURE_OP(ctx->pctx)
332 && ctx->pctx->op.sig.sigprovctx != NULL) {
333 /*
334 * Prior to OpenSSL 3.0 EVP_DigestSignUpdate() and
335 * EVP_DigestVerifyUpdate() were just macros for EVP_DigestUpdate().
336 * Some code calls EVP_DigestUpdate() directly even when initialised
337 * with EVP_DigestSignInit_with_libctx() or
338 * EVP_DigestVerifyInit_with_libctx(), so we detect that and redirect to
339 * the correct EVP_Digest*Update() function
340 */
341 if (ctx->pctx->operation == EVP_PKEY_OP_SIGNCTX)
342 return EVP_DigestSignUpdate(ctx, data, count);
343 if (ctx->pctx->operation == EVP_PKEY_OP_VERIFYCTX)
344 return EVP_DigestVerifyUpdate(ctx, data, count);
345 EVPerr(EVP_F_EVP_DIGESTUPDATE, EVP_R_UPDATE_ERROR);
346 return 0;
347 }
348
349 if (ctx->digest == NULL
350 || ctx->digest->prov == NULL
351 || (ctx->flags & EVP_MD_CTX_FLAG_NO_INIT) != 0)
352 goto legacy;
353
354 if (ctx->digest->dupdate == NULL) {
355 EVPerr(EVP_F_EVP_DIGESTUPDATE, EVP_R_UPDATE_ERROR);
356 return 0;
357 }
358 return ctx->digest->dupdate(ctx->provctx, data, count);
359
360 /* TODO(3.0): Remove legacy code below */
361 legacy:
362 return ctx->update(ctx, data, count);
363 }
364
365 /* The caller can assume that this removes any secret data from the context */
366 int EVP_DigestFinal(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size)
367 {
368 int ret;
369 ret = EVP_DigestFinal_ex(ctx, md, size);
370 EVP_MD_CTX_reset(ctx);
371 return ret;
372 }
373
374 /* The caller can assume that this removes any secret data from the context */
375 int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *isize)
376 {
377 int ret, sz;
378 size_t size = 0;
379 size_t mdsize = 0;
380
381 if (ctx->digest == NULL)
382 return 0;
383
384 sz = EVP_MD_size(ctx->digest);
385 if (sz < 0)
386 return 0;
387 mdsize = sz;
388 if (ctx->digest->prov == NULL)
389 goto legacy;
390
391 if (ctx->digest->dfinal == NULL) {
392 EVPerr(EVP_F_EVP_DIGESTFINAL_EX, EVP_R_FINAL_ERROR);
393 return 0;
394 }
395
396 ret = ctx->digest->dfinal(ctx->provctx, md, &size, mdsize);
397
398 if (isize != NULL) {
399 if (size <= UINT_MAX) {
400 *isize = (int)size;
401 } else {
402 EVPerr(EVP_F_EVP_DIGESTFINAL_EX, EVP_R_FINAL_ERROR);
403 ret = 0;
404 }
405 }
406
407 return ret;
408
409 /* TODO(3.0): Remove legacy code below */
410 legacy:
411 OPENSSL_assert(mdsize <= EVP_MAX_MD_SIZE);
412 ret = ctx->digest->final(ctx, md);
413 if (isize != NULL)
414 *isize = mdsize;
415 if (ctx->digest->cleanup) {
416 ctx->digest->cleanup(ctx);
417 EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_CLEANED);
418 }
419 OPENSSL_cleanse(ctx->md_data, ctx->digest->ctx_size);
420 return ret;
421 }
422
423 int EVP_DigestFinalXOF(EVP_MD_CTX *ctx, unsigned char *md, size_t size)
424 {
425 int ret = 0;
426 OSSL_PARAM params[2];
427 size_t i = 0;
428
429 if (ctx->digest == NULL || ctx->digest->prov == NULL)
430 goto legacy;
431
432 if (ctx->digest->dfinal == NULL) {
433 EVPerr(EVP_F_EVP_DIGESTFINALXOF, EVP_R_FINAL_ERROR);
434 return 0;
435 }
436
437 params[i++] = OSSL_PARAM_construct_size_t(OSSL_DIGEST_PARAM_XOFLEN, &size);
438 params[i++] = OSSL_PARAM_construct_end();
439
440 if (EVP_MD_CTX_set_params(ctx, params) > 0)
441 ret = ctx->digest->dfinal(ctx->provctx, md, &size, size);
442 EVP_MD_CTX_reset(ctx);
443 return ret;
444
445 legacy:
446 if (ctx->digest->flags & EVP_MD_FLAG_XOF
447 && size <= INT_MAX
448 && ctx->digest->md_ctrl(ctx, EVP_MD_CTRL_XOF_LEN, (int)size, NULL)) {
449 ret = ctx->digest->final(ctx, md);
450 if (ctx->digest->cleanup != NULL) {
451 ctx->digest->cleanup(ctx);
452 EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_CLEANED);
453 }
454 OPENSSL_cleanse(ctx->md_data, ctx->digest->ctx_size);
455 } else {
456 EVPerr(EVP_F_EVP_DIGESTFINALXOF, EVP_R_NOT_XOF_OR_INVALID_LENGTH);
457 }
458
459 return ret;
460 }
461
462 int EVP_MD_CTX_copy(EVP_MD_CTX *out, const EVP_MD_CTX *in)
463 {
464 EVP_MD_CTX_reset(out);
465 return EVP_MD_CTX_copy_ex(out, in);
466 }
467
468 int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in)
469 {
470 unsigned char *tmp_buf;
471
472 if (in == NULL || in->digest == NULL) {
473 EVPerr(EVP_F_EVP_MD_CTX_COPY_EX, EVP_R_INPUT_NOT_INITIALIZED);
474 return 0;
475 }
476
477 if (in->digest->prov == NULL
478 || (in->flags & EVP_MD_CTX_FLAG_NO_INIT) != 0)
479 goto legacy;
480
481 if (in->digest->dupctx == NULL) {
482 EVPerr(EVP_F_EVP_MD_CTX_COPY_EX, EVP_R_NOT_ABLE_TO_COPY_CTX);
483 return 0;
484 }
485
486 EVP_MD_CTX_reset(out);
487 if (out->fetched_digest != NULL)
488 EVP_MD_free(out->fetched_digest);
489 *out = *in;
490 /* NULL out pointers in case of error */
491 out->pctx = NULL;
492 out->provctx = NULL;
493
494 if (in->fetched_digest != NULL)
495 EVP_MD_up_ref(in->fetched_digest);
496
497 if (in->provctx != NULL) {
498 out->provctx = in->digest->dupctx(in->provctx);
499 if (out->provctx == NULL) {
500 EVPerr(EVP_F_EVP_MD_CTX_COPY_EX, EVP_R_NOT_ABLE_TO_COPY_CTX);
501 return 0;
502 }
503 }
504
505 /* copied EVP_MD_CTX should free the copied EVP_PKEY_CTX */
506 EVP_MD_CTX_clear_flags(out, EVP_MD_CTX_FLAG_KEEP_PKEY_CTX);
507 #ifndef FIPS_MODULE
508 /* TODO(3.0): Temporarily no support for EVP_DigestSign* in FIPS module */
509 if (in->pctx != NULL) {
510 out->pctx = EVP_PKEY_CTX_dup(in->pctx);
511 if (out->pctx == NULL) {
512 EVPerr(EVP_F_EVP_MD_CTX_COPY_EX, EVP_R_NOT_ABLE_TO_COPY_CTX);
513 EVP_MD_CTX_reset(out);
514 return 0;
515 }
516 }
517 #endif
518
519 return 1;
520
521 /* TODO(3.0): Remove legacy code below */
522 legacy:
523 #if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE)
524 /* Make sure it's safe to copy a digest context using an ENGINE */
525 if (in->engine && !ENGINE_init(in->engine)) {
526 EVPerr(EVP_F_EVP_MD_CTX_COPY_EX, ERR_R_ENGINE_LIB);
527 return 0;
528 }
529 #endif
530
531 if (out->digest == in->digest) {
532 tmp_buf = out->md_data;
533 EVP_MD_CTX_set_flags(out, EVP_MD_CTX_FLAG_REUSE);
534 } else
535 tmp_buf = NULL;
536 EVP_MD_CTX_reset(out);
537 memcpy(out, in, sizeof(*out));
538
539 /* copied EVP_MD_CTX should free the copied EVP_PKEY_CTX */
540 EVP_MD_CTX_clear_flags(out, EVP_MD_CTX_FLAG_KEEP_PKEY_CTX);
541
542 /* Null these variables, since they are getting fixed up
543 * properly below. Anything else may cause a memleak and/or
544 * double free if any of the memory allocations below fail
545 */
546 out->md_data = NULL;
547 out->pctx = NULL;
548
549 if (in->md_data && out->digest->ctx_size) {
550 if (tmp_buf)
551 out->md_data = tmp_buf;
552 else {
553 out->md_data = OPENSSL_malloc(out->digest->ctx_size);
554 if (out->md_data == NULL) {
555 EVPerr(EVP_F_EVP_MD_CTX_COPY_EX, ERR_R_MALLOC_FAILURE);
556 return 0;
557 }
558 }
559 memcpy(out->md_data, in->md_data, out->digest->ctx_size);
560 }
561
562 out->update = in->update;
563
564 #ifndef FIPS_MODULE
565 /* TODO(3.0): Temporarily no support for EVP_DigestSign* in FIPS module */
566 if (in->pctx) {
567 out->pctx = EVP_PKEY_CTX_dup(in->pctx);
568 if (!out->pctx) {
569 EVP_MD_CTX_reset(out);
570 return 0;
571 }
572 }
573 #endif
574
575 if (out->digest->copy)
576 return out->digest->copy(out, in);
577
578 return 1;
579 }
580
581 int EVP_Digest(const void *data, size_t count,
582 unsigned char *md, unsigned int *size, const EVP_MD *type,
583 ENGINE *impl)
584 {
585 EVP_MD_CTX *ctx = EVP_MD_CTX_new();
586 int ret;
587
588 if (ctx == NULL)
589 return 0;
590 EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_ONESHOT);
591 ret = EVP_DigestInit_ex(ctx, type, impl)
592 && EVP_DigestUpdate(ctx, data, count)
593 && EVP_DigestFinal_ex(ctx, md, size);
594 EVP_MD_CTX_free(ctx);
595
596 return ret;
597 }
598
599 int EVP_MD_get_params(const EVP_MD *digest, OSSL_PARAM params[])
600 {
601 if (digest != NULL && digest->get_params != NULL)
602 return digest->get_params(params);
603 return 0;
604 }
605
606 const OSSL_PARAM *EVP_MD_gettable_params(const EVP_MD *digest)
607 {
608 if (digest != NULL && digest->gettable_params != NULL)
609 return digest->gettable_params(
610 ossl_provider_ctx(EVP_MD_provider(digest)));
611 return NULL;
612 }
613
614 int EVP_MD_CTX_set_params(EVP_MD_CTX *ctx, const OSSL_PARAM params[])
615 {
616 EVP_PKEY_CTX *pctx = ctx->pctx;
617
618 /* If we have a pctx then we should try that first */
619 if (pctx != NULL
620 && (pctx->operation == EVP_PKEY_OP_VERIFYCTX
621 || pctx->operation == EVP_PKEY_OP_SIGNCTX)
622 && pctx->op.sig.sigprovctx != NULL
623 && pctx->op.sig.signature->set_ctx_md_params != NULL)
624 return pctx->op.sig.signature->set_ctx_md_params(pctx->op.sig.sigprovctx,
625 params);
626
627 if (ctx->digest != NULL && ctx->digest->set_ctx_params != NULL)
628 return ctx->digest->set_ctx_params(ctx->provctx, params);
629
630 return 0;
631 }
632
633 const OSSL_PARAM *EVP_MD_settable_ctx_params(const EVP_MD *md)
634 {
635 if (md != NULL && md->settable_ctx_params != NULL)
636 return md->settable_ctx_params(ossl_provider_ctx(EVP_MD_provider(md)));
637 return NULL;
638 }
639
640 const OSSL_PARAM *EVP_MD_CTX_settable_params(EVP_MD_CTX *ctx)
641 {
642 EVP_PKEY_CTX *pctx;
643
644 if (ctx == NULL)
645 return NULL;
646
647 /* If we have a pctx then we should try that first */
648 pctx = ctx->pctx;
649 if (pctx != NULL
650 && (pctx->operation == EVP_PKEY_OP_VERIFYCTX
651 || pctx->operation == EVP_PKEY_OP_SIGNCTX)
652 && pctx->op.sig.sigprovctx != NULL
653 && pctx->op.sig.signature->settable_ctx_md_params != NULL)
654 return pctx->op.sig.signature->settable_ctx_md_params(
655 pctx->op.sig.sigprovctx);
656
657 if (ctx->digest != NULL && ctx->digest->settable_ctx_params != NULL)
658 return ctx->digest->settable_ctx_params(
659 ossl_provider_ctx(EVP_MD_provider(ctx->digest)));
660
661 return NULL;
662 }
663
664 int EVP_MD_CTX_get_params(EVP_MD_CTX *ctx, OSSL_PARAM params[])
665 {
666 EVP_PKEY_CTX *pctx = ctx->pctx;
667
668 /* If we have a pctx then we should try that first */
669 if (pctx != NULL
670 && (pctx->operation == EVP_PKEY_OP_VERIFYCTX
671 || pctx->operation == EVP_PKEY_OP_SIGNCTX)
672 && pctx->op.sig.sigprovctx != NULL
673 && pctx->op.sig.signature->get_ctx_md_params != NULL)
674 return pctx->op.sig.signature->get_ctx_md_params(pctx->op.sig.sigprovctx,
675 params);
676
677 if (ctx->digest != NULL && ctx->digest->get_params != NULL)
678 return ctx->digest->get_ctx_params(ctx->provctx, params);
679
680 return 0;
681 }
682
683 const OSSL_PARAM *EVP_MD_gettable_ctx_params(const EVP_MD *md)
684 {
685 if (md != NULL && md->gettable_ctx_params != NULL)
686 return md->gettable_ctx_params(ossl_provider_ctx(EVP_MD_provider(md)));
687 return NULL;
688 }
689
690 const OSSL_PARAM *EVP_MD_CTX_gettable_params(EVP_MD_CTX *ctx)
691 {
692 EVP_PKEY_CTX *pctx;
693
694 if (ctx == NULL)
695 return NULL;
696
697 /* If we have a pctx then we should try that first */
698 pctx = ctx->pctx;
699 if (pctx != NULL
700 && (pctx->operation == EVP_PKEY_OP_VERIFYCTX
701 || pctx->operation == EVP_PKEY_OP_SIGNCTX)
702 && pctx->op.sig.sigprovctx != NULL
703 && pctx->op.sig.signature->gettable_ctx_md_params != NULL)
704 return pctx->op.sig.signature->gettable_ctx_md_params(
705 pctx->op.sig.sigprovctx);
706
707 if (ctx->digest != NULL
708 && ctx->digest->gettable_ctx_params != NULL)
709 return ctx->digest->gettable_ctx_params(
710 ossl_provider_ctx(EVP_MD_provider(ctx->digest)));
711
712 return NULL;
713 }
714
715 /* TODO(3.0): Remove legacy code below - only used by engines & DigestSign */
716 int EVP_MD_CTX_ctrl(EVP_MD_CTX *ctx, int cmd, int p1, void *p2)
717 {
718 int ret = EVP_CTRL_RET_UNSUPPORTED;
719 int set_params = 1;
720 size_t sz;
721 OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END };
722
723 if (ctx == NULL) {
724 ERR_raise(ERR_LIB_EVP, ERR_R_PASSED_NULL_PARAMETER);
725 return 0;
726 }
727
728 if (ctx->digest != NULL && ctx->digest->prov == NULL)
729 goto legacy;
730
731 switch (cmd) {
732 case EVP_MD_CTRL_XOF_LEN:
733 sz = (size_t)p1;
734 params[0] = OSSL_PARAM_construct_size_t(OSSL_DIGEST_PARAM_XOFLEN, &sz);
735 break;
736 case EVP_MD_CTRL_MICALG:
737 set_params = 0;
738 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_DIGEST_PARAM_MICALG,
739 p2, p1 ? p1 : 9999);
740 break;
741 case EVP_CTRL_SSL3_MASTER_SECRET:
742 params[0] = OSSL_PARAM_construct_octet_string(OSSL_DIGEST_PARAM_SSL3_MS,
743 p2, p1);
744 break;
745 default:
746 goto conclude;
747 }
748
749 if (set_params)
750 ret = EVP_MD_CTX_set_params(ctx, params);
751 else
752 ret = EVP_MD_CTX_get_params(ctx, params);
753 goto conclude;
754
755
756 /* TODO(3.0): Remove legacy code below */
757 legacy:
758 if (ctx->digest->md_ctrl == NULL) {
759 ERR_raise(ERR_LIB_EVP, EVP_R_CTRL_NOT_IMPLEMENTED);
760 return 0;
761 }
762
763 ret = ctx->digest->md_ctrl(ctx, cmd, p1, p2);
764 conclude:
765 if (ret <= 0)
766 return 0;
767 return ret;
768 }
769
770 EVP_MD *evp_md_new(void)
771 {
772 EVP_MD *md = OPENSSL_zalloc(sizeof(*md));
773
774 if (md != NULL) {
775 md->lock = CRYPTO_THREAD_lock_new();
776 if (md->lock == NULL) {
777 OPENSSL_free(md);
778 return NULL;
779 }
780 md->refcnt = 1;
781 }
782 return md;
783 }
784
785 /*
786 * FIPS module note: since internal fetches will be entirely
787 * provider based, we know that none of its code depends on legacy
788 * NIDs or any functionality that use them.
789 */
790 #ifndef FIPS_MODULE
791 /* TODO(3.x) get rid of the need for legacy NIDs */
792 static void set_legacy_nid(const char *name, void *vlegacy_nid)
793 {
794 int nid;
795 int *legacy_nid = vlegacy_nid;
796 /*
797 * We use lowest level function to get the associated method, because
798 * higher level functions such as EVP_get_digestbyname() have changed
799 * to look at providers too.
800 */
801 const void *legacy_method = OBJ_NAME_get(name, OBJ_NAME_TYPE_MD_METH);
802
803 if (*legacy_nid == -1) /* We found a clash already */
804 return;
805
806 if (legacy_method == NULL)
807 return;
808 nid = EVP_MD_nid(legacy_method);
809 if (*legacy_nid != NID_undef && *legacy_nid != nid) {
810 *legacy_nid = -1;
811 return;
812 }
813 *legacy_nid = nid;
814 }
815 #endif
816
817 static void *evp_md_from_dispatch(int name_id,
818 const OSSL_DISPATCH *fns,
819 OSSL_PROVIDER *prov)
820 {
821 EVP_MD *md = NULL;
822 int fncnt = 0;
823
824 /* EVP_MD_fetch() will set the legacy NID if available */
825 if ((md = evp_md_new()) == NULL) {
826 EVPerr(0, ERR_R_MALLOC_FAILURE);
827 return NULL;
828 }
829
830 #ifndef FIPS_MODULE
831 /* TODO(3.x) get rid of the need for legacy NIDs */
832 md->type = NID_undef;
833 evp_names_do_all(prov, name_id, set_legacy_nid, &md->type);
834 if (md->type == -1) {
835 ERR_raise(ERR_LIB_EVP, ERR_R_INTERNAL_ERROR);
836 EVP_MD_free(md);
837 return NULL;
838 }
839 #endif
840
841 md->name_id = name_id;
842
843 for (; fns->function_id != 0; fns++) {
844 switch (fns->function_id) {
845 case OSSL_FUNC_DIGEST_NEWCTX:
846 if (md->newctx == NULL) {
847 md->newctx = OSSL_FUNC_digest_newctx(fns);
848 fncnt++;
849 }
850 break;
851 case OSSL_FUNC_DIGEST_INIT:
852 if (md->dinit == NULL) {
853 md->dinit = OSSL_FUNC_digest_init(fns);
854 fncnt++;
855 }
856 break;
857 case OSSL_FUNC_DIGEST_UPDATE:
858 if (md->dupdate == NULL) {
859 md->dupdate = OSSL_FUNC_digest_update(fns);
860 fncnt++;
861 }
862 break;
863 case OSSL_FUNC_DIGEST_FINAL:
864 if (md->dfinal == NULL) {
865 md->dfinal = OSSL_FUNC_digest_final(fns);
866 fncnt++;
867 }
868 break;
869 case OSSL_FUNC_DIGEST_DIGEST:
870 if (md->digest == NULL)
871 md->digest = OSSL_FUNC_digest_digest(fns);
872 /* We don't increment fnct for this as it is stand alone */
873 break;
874 case OSSL_FUNC_DIGEST_FREECTX:
875 if (md->freectx == NULL) {
876 md->freectx = OSSL_FUNC_digest_freectx(fns);
877 fncnt++;
878 }
879 break;
880 case OSSL_FUNC_DIGEST_DUPCTX:
881 if (md->dupctx == NULL)
882 md->dupctx = OSSL_FUNC_digest_dupctx(fns);
883 break;
884 case OSSL_FUNC_DIGEST_GET_PARAMS:
885 if (md->get_params == NULL)
886 md->get_params = OSSL_FUNC_digest_get_params(fns);
887 break;
888 case OSSL_FUNC_DIGEST_SET_CTX_PARAMS:
889 if (md->set_ctx_params == NULL)
890 md->set_ctx_params = OSSL_FUNC_digest_set_ctx_params(fns);
891 break;
892 case OSSL_FUNC_DIGEST_GET_CTX_PARAMS:
893 if (md->get_ctx_params == NULL)
894 md->get_ctx_params = OSSL_FUNC_digest_get_ctx_params(fns);
895 break;
896 case OSSL_FUNC_DIGEST_GETTABLE_PARAMS:
897 if (md->gettable_params == NULL)
898 md->gettable_params = OSSL_FUNC_digest_gettable_params(fns);
899 break;
900 case OSSL_FUNC_DIGEST_SETTABLE_CTX_PARAMS:
901 if (md->settable_ctx_params == NULL)
902 md->settable_ctx_params =
903 OSSL_FUNC_digest_settable_ctx_params(fns);
904 break;
905 case OSSL_FUNC_DIGEST_GETTABLE_CTX_PARAMS:
906 if (md->gettable_ctx_params == NULL)
907 md->gettable_ctx_params =
908 OSSL_FUNC_digest_gettable_ctx_params(fns);
909 break;
910 }
911 }
912 if ((fncnt != 0 && fncnt != 5)
913 || (fncnt == 0 && md->digest == NULL)) {
914 /*
915 * In order to be a consistent set of functions we either need the
916 * whole set of init/update/final etc functions or none of them.
917 * The "digest" function can standalone. We at least need one way to
918 * generate digests.
919 */
920 EVP_MD_free(md);
921 ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_PROVIDER_FUNCTIONS);
922 return NULL;
923 }
924 md->prov = prov;
925 if (prov != NULL)
926 ossl_provider_up_ref(prov);
927
928 return md;
929 }
930
931 static int evp_md_up_ref(void *md)
932 {
933 return EVP_MD_up_ref(md);
934 }
935
936 static void evp_md_free(void *md)
937 {
938 EVP_MD_free(md);
939 }
940
941 EVP_MD *EVP_MD_fetch(OPENSSL_CTX *ctx, const char *algorithm,
942 const char *properties)
943 {
944 EVP_MD *md =
945 evp_generic_fetch(ctx, OSSL_OP_DIGEST, algorithm, properties,
946 evp_md_from_dispatch, evp_md_up_ref, evp_md_free);
947
948 return md;
949 }
950
951 int EVP_MD_up_ref(EVP_MD *md)
952 {
953 int ref = 0;
954
955 CRYPTO_UP_REF(&md->refcnt, &ref, md->lock);
956 return 1;
957 }
958
959 void EVP_MD_free(EVP_MD *md)
960 {
961 int i;
962
963 if (md == NULL)
964 return;
965
966 CRYPTO_DOWN_REF(&md->refcnt, &i, md->lock);
967 if (i > 0)
968 return;
969 ossl_provider_free(md->prov);
970 CRYPTO_THREAD_lock_free(md->lock);
971 OPENSSL_free(md);
972 }
973
974 void EVP_MD_do_all_provided(OPENSSL_CTX *libctx,
975 void (*fn)(EVP_MD *mac, void *arg),
976 void *arg)
977 {
978 evp_generic_do_all(libctx, OSSL_OP_DIGEST,
979 (void (*)(void *, void *))fn, arg,
980 evp_md_from_dispatch, evp_md_free);
981 }
A mirror of the official openssl repository