keys and digests.
Partial fix for #12964
This adds ossl_ names for the following symbols:
digest_get_approved_nid, digest_get_approved_nid_with_sha1
digest_is_allowed, digest_md_to_nid, digest_rsa_sign_get_md_nid,
securitycheck_enabled,
dh_check_key, dsa_check_key, ec_check_key,
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14211)
* Internal library code deals with NIDs, so we need to translate from a name.
* We do so using EVP_MD_is_a(), and therefore need a name to NID map.
*/
-int digest_md_to_nid(const EVP_MD *md, const OSSL_ITEM *it, size_t it_len)
+int ossl_digest_md_to_nid(const EVP_MD *md, const OSSL_ITEM *it, size_t it_len)
{
size_t i;
* Retrieve one of the FIPs approved hash algorithms by nid.
* See FIPS 180-4 "Secure Hash Standard" and FIPS 202 - SHA-3.
*/
-int digest_get_approved_nid(const EVP_MD *md)
+int ossl_digest_get_approved_nid(const EVP_MD *md)
{
static const OSSL_ITEM name_to_nid[] = {
{ NID_sha1, OSSL_DIGEST_NAME_SHA1 },
{ NID_sha3_512, OSSL_DIGEST_NAME_SHA3_512 },
};
- return digest_md_to_nid(md, name_to_nid, OSSL_NELEM(name_to_nid));
+ return ossl_digest_md_to_nid(md, name_to_nid, OSSL_NELEM(name_to_nid));
}
/* Functions that are common */
int ossl_rsa_check_key(const RSA *rsa, int protect);
-int ec_check_key(const EC_KEY *ec, int protect);
-int dsa_check_key(const DSA *dsa, int sign);
-int dh_check_key(const DH *dh);
+int ossl_ec_check_key(const EC_KEY *ec, int protect);
+int ossl_dsa_check_key(const DSA *dsa, int sign);
+int ossl_dh_check_key(const DH *dh);
-int digest_is_allowed(const EVP_MD *md);
-int digest_get_approved_nid_with_sha1(const EVP_MD *md, int sha1_allowed);
+int ossl_digest_is_allowed(const EVP_MD *md);
+int ossl_digest_get_approved_nid_with_sha1(const EVP_MD *md, int sha1_allowed);
/* Functions that are common */
-int digest_md_to_nid(const EVP_MD *md, const OSSL_ITEM *it, size_t it_len);
-int digest_get_approved_nid(const EVP_MD *md);
+int ossl_digest_md_to_nid(const EVP_MD *md, const OSSL_ITEM *it, size_t it_len);
+int ossl_digest_get_approved_nid(const EVP_MD *md);
/* Functions that have different implementations for the FIPS_MODULE */
-int digest_rsa_sign_get_md_nid(const EVP_MD *md, int sha1_allowed);
-int securitycheck_enabled(void);
+int ossl_digest_rsa_sign_get_md_nid(const EVP_MD *md, int sha1_allowed);
+int ossl_securitycheck_enabled(void);
int ossl_rsa_check_key(const RSA *rsa, int protect)
{
#if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
- if (securitycheck_enabled()) {
+ if (ossl_securitycheck_enabled()) {
int sz = RSA_bits(rsa);
return protect ? (sz >= 2048) : (sz >= 1024);
* https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf
* "Table 2"
*/
-int ec_check_key(const EC_KEY *ec, int protect)
+int ossl_ec_check_key(const EC_KEY *ec, int protect)
{
# if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
- if (securitycheck_enabled()) {
+ if (ossl_securitycheck_enabled()) {
int nid, strength;
const char *curve_name;
const EC_GROUP *group = EC_KEY_get0_group(ec);
* https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf
* "Table 2"
*/
-int dsa_check_key(const DSA *dsa, int sign)
+int ossl_dsa_check_key(const DSA *dsa, int sign)
{
# if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
- if (securitycheck_enabled()) {
+ if (ossl_securitycheck_enabled()) {
size_t L, N;
const BIGNUM *p, *q;
* "Section 5.5.1.1FFC Domain Parameter Selection/Generation" and
* "Appendix D" FFC Safe-prime Groups
*/
-int dh_check_key(const DH *dh)
+int ossl_dh_check_key(const DH *dh)
{
# if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
- if (securitycheck_enabled()) {
+ if (ossl_securitycheck_enabled()) {
size_t L, N;
const BIGNUM *p, *q;
}
#endif /* OPENSSL_NO_DH */
-int digest_get_approved_nid_with_sha1(const EVP_MD *md, int sha1_allowed)
+int ossl_digest_get_approved_nid_with_sha1(const EVP_MD *md, int sha1_allowed)
{
- int mdnid = digest_get_approved_nid(md);
+ int mdnid = ossl_digest_get_approved_nid(md);
# if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
- if (securitycheck_enabled()) {
+ if (ossl_securitycheck_enabled()) {
if (mdnid == NID_sha1 && !sha1_allowed)
mdnid = NID_undef;
}
return mdnid;
}
-int digest_is_allowed(const EVP_MD *md)
+int ossl_digest_is_allowed(const EVP_MD *md)
{
# if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
- if (securitycheck_enabled())
- return digest_get_approved_nid(md) != NID_undef;
+ if (ossl_securitycheck_enabled())
+ return ossl_digest_get_approved_nid(md) != NID_undef;
# endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
return 1;
}
#include "internal/nelem.h"
/* Disable the security checks in the default provider */
-int securitycheck_enabled(void)
+int ossl_securitycheck_enabled(void)
{
return 0;
}
-int digest_rsa_sign_get_md_nid(const EVP_MD *md, ossl_unused int sha1_allowed)
+int ossl_digest_rsa_sign_get_md_nid(const EVP_MD *md,
+ ossl_unused int sha1_allowed)
{
int mdnid;
{ NID_ripemd160, OSSL_DIGEST_NAME_RIPEMD160 },
};
- mdnid = digest_get_approved_nid_with_sha1(md, 1);
+ mdnid = ossl_digest_get_approved_nid_with_sha1(md, 1);
if (mdnid == NID_undef)
- mdnid = digest_md_to_nid(md, name_to_nid, OSSL_NELEM(name_to_nid));
+ mdnid = ossl_digest_md_to_nid(md, name_to_nid, OSSL_NELEM(name_to_nid));
return mdnid;
}
extern int FIPS_security_check_enabled(void);
-int securitycheck_enabled(void)
+int ossl_securitycheck_enabled(void)
{
#if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
return FIPS_security_check_enabled();
#endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
}
-int digest_rsa_sign_get_md_nid(const EVP_MD *md, int sha1_allowed)
+int ossl_digest_rsa_sign_get_md_nid(const EVP_MD *md, int sha1_allowed)
{
#if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
- if (securitycheck_enabled())
- return digest_get_approved_nid_with_sha1(md, sha1_allowed);
+ if (ossl_securitycheck_enabled())
+ return ossl_digest_get_approved_nid_with_sha1(md, sha1_allowed);
#endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
- return digest_get_approved_nid(md);
+ return ossl_digest_get_approved_nid(md);
}
DH_free(pdhctx->dh);
pdhctx->dh = vdh;
pdhctx->kdf_type = PROV_DH_KDF_NONE;
- return dh_check_key(vdh);
+ return ossl_dh_check_key(vdh);
}
static int dh_set_peer(void *vpdhctx, void *vdh)
EVP_MD_free(pdhctx->kdf_md);
pdhctx->kdf_md = EVP_MD_fetch(pdhctx->libctx, name, mdprops);
- if (!digest_is_allowed(pdhctx->kdf_md)) {
+ if (!ossl_digest_is_allowed(pdhctx->kdf_md)) {
EVP_MD_free(pdhctx->kdf_md);
pdhctx->kdf_md = NULL;
}
pecdhctx->k = vecdh;
pecdhctx->cofactor_mode = -1;
pecdhctx->kdf_type = PROV_ECDH_KDF_NONE;
- return ec_check_key(vecdh, 1);
+ return ossl_ec_check_key(vecdh, 1);
}
static
return 0;
EC_KEY_free(pecdhctx->peerk);
pecdhctx->peerk = vecdh;
- return ec_check_key(vecdh, 1);
+ return ossl_ec_check_key(vecdh, 1);
}
static
EVP_MD_free(pectx->kdf_md);
pectx->kdf_md = EVP_MD_fetch(pectx->libctx, name, mdprops);
- if (!digest_is_allowed(pectx->kdf_md)) {
+ if (!ossl_digest_is_allowed(pectx->kdf_md)) {
EVP_MD_free(pectx->kdf_md);
pectx->kdf_md = NULL;
}
int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
WPACKET pkt;
EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops);
- int md_nid = digest_get_approved_nid_with_sha1(md, sha1_allowed);
+ int md_nid = ossl_digest_get_approved_nid_with_sha1(md, sha1_allowed);
size_t mdname_len = strlen(mdname);
if (md == NULL || md_nid == NID_undef) {
DSA_free(pdsactx->dsa);
pdsactx->dsa = vdsa;
pdsactx->operation = operation;
- if (!dsa_check_key(vdsa, operation == EVP_PKEY_OP_SIGN)) {
+ if (!ossl_dsa_check_key(vdsa, operation == EVP_PKEY_OP_SIGN)) {
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
return 0;
}
EC_KEY_free(ctx->ec);
ctx->ec = ec;
ctx->operation = operation;
- return ec_check_key(ec, operation == EVP_PKEY_OP_SIGN);
+ return ossl_ec_check_key(ec, operation == EVP_PKEY_OP_SIGN);
}
static int ecdsa_sign_init(void *vctx, void *ec)
return 0;
}
sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
- md_nid = digest_get_approved_nid_with_sha1(md, sha1_allowed);
+ md_nid = ossl_digest_get_approved_nid_with_sha1(md, sha1_allowed);
if (md_nid == NID_undef) {
ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED,
"digest=%s", mdname);
if (mdname != NULL) {
EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops);
int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
- int md_nid = digest_rsa_sign_get_md_nid(md, sha1_allowed);
+ int md_nid = ossl_digest_rsa_sign_get_md_nid(md, sha1_allowed);
size_t mdname_len = strlen(mdname);
if (md == NULL
return 0;
}
/* The default for mgf1 is SHA1 - so allow SHA1 */
- if ((mdnid = digest_rsa_sign_get_md_nid(md, 1)) == NID_undef
+ if ((mdnid = ossl_digest_rsa_sign_get_md_nid(md, 1)) == NID_undef
|| !rsa_check_padding(ctx, NULL, mdname, mdnid)) {
if (mdnid == NID_undef)
ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED,