From: Tomas Mraz
Date: Tue, 14 Sep 2021 07:34:32 +0000 (+0200)
Subject: providers: Do not use global EVP_CIPHERs and EVP_MDs
X-Git-Tag: openssl-3.2.0-alpha1~3566
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e59bfbaa2dbd680f77e1121e382502bd522a466c;p=thirdparty%2Fopenssl.git
providers: Do not use global EVP_CIPHERs and EVP_MDs
Reviewed-by: Matt Caswell
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/16600)
---
diff --git a/providers/common/provider_util.c b/providers/common/provider_util.c
index 662175c2f3b..fcfbab632d5 100644
--- a/providers/common/provider_util.c
+++ b/providers/common/provider_util.c
@@ -16,6 +16,7 @@
#include
#ifndef FIPS_MODULE
# include
+# include "crypto/evp.h"
#endif
#include "prov/provider_util.h"
#include "internal/nelem.h"
@@ -90,8 +91,14 @@ int ossl_prov_cipher_load_from_params(PROV_CIPHER *pc,
ERR_set_mark();
pc->cipher = pc->alloc_cipher = EVP_CIPHER_fetch(ctx, p->data, propquery);
#ifndef FIPS_MODULE /* Inside the FIPS module, we don't support legacy ciphers */
- if (pc->cipher == NULL)
- pc->cipher = EVP_get_cipherbyname(p->data);
+ if (pc->cipher == NULL) {
+ const EVP_CIPHER *cipher;
+
+ cipher = EVP_get_cipherbyname(p->data);
+ /* Do not use global EVP_CIPHERs */
+ if (cipher != NULL && cipher->origin != EVP_ORIG_GLOBAL)
+ pc->cipher = cipher;
+ }
#endif
if (pc->cipher != NULL)
ERR_pop_to_mark();
@@ -159,8 +166,14 @@ int ossl_prov_digest_load_from_params(PROV_DIGEST *pd,
ERR_set_mark();
ossl_prov_digest_fetch(pd, ctx, p->data, propquery);
#ifndef FIPS_MODULE /* Inside the FIPS module, we don't support legacy digests */
- if (pd->md == NULL)
- pd->md = EVP_get_digestbyname(p->data);
+ if (pd->md == NULL) {
+ const EVP_MD *md;
+
+ md = EVP_get_digestbyname(p->data);
+ /* Do not use global EVP_MDs */
+ if (md != NULL && md->origin != EVP_ORIG_GLOBAL)
+ pd->md = md;
+ }
#endif
if (pd->md != NULL)
ERR_pop_to_mark();
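Review bot: The new `cipher->origin != EVP_ORIG_GLOBAL` filter still admits a dynamically registered cipher found by `EVP_get_cipherbyname(p->data)` without any check against `propquery`, although the `EVP_CIPHER_fetch` on the line above was constrained by that query, so a caller asking for, say, FIPS-approved implementations can be handed a by-name legacy one that the fetch deliberately did not return; if that fallback is intentional (presumably for ENGINE-registered ciphers), the comment should say so, otherwise the fallback needs to be gated on the query. `/* Do not use global EVP_CIPHERs */` records the what but not the why; I would write `/* Only a dynamically registered cipher is accepted as a by-name fallback: the static global EVP_CIPHERs are looked up outside any library context and, unlike a fetched cipher, are not owned via alloc_cipher, so they must not be stored here. */`, the ownership part being my reading of the `pc->cipher = pc->alloc_cipher = EVP_CIPHER_fetch(...)` line. Note also that the pointer stored on this path is not up-referenced, so it stays valid only as long as the registration does. The rest of ossl_prov_cipher_load_from_params lies outside the hunk.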
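Review bot: The digest hunk duplicates the cipher hunk's fallback logic line for line (temporary, `EVP_get_digestbyname`, origin test, comment), and the two `#ifndef FIPS_MODULE` blocks are the kind of pair that drifts apart on the next change; a one-line static predicate such as `static int legacy_origin_ok(int origin) { return origin != EVP_ORIG_GLOBAL; }` used from both places would keep the policy in one spot. As with the cipher path, the digest accepted here is not checked against `propquery` although `ossl_prov_digest_fetch(pd, ctx, p->data, propquery)` just above was, and `/* Do not use global EVP_MDs */` should state the reason rather than restate the condition. The remainder of ossl_prov_digest_load_from_params is outside the hunk.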
diff --git a/test/evp_kdf_test.c b/test/evp_kdf_test.c
index 4b3df38b5f4..145e64fbdb4 100644
--- a/test/evp_kdf_test.c
+++ b/test/evp_kdf_test.c
@@ -502,7 +502,8 @@ static int test_kdf_pbkdf1(void)
unsigned int iterations = 4096;
OSSL_LIB_CTX *libctx = NULL;
OSSL_PARAM *params = NULL;
- OSSL_PROVIDER *prov = NULL;
+ OSSL_PROVIDER *legacyprov = NULL;
+ OSSL_PROVIDER *defprov = NULL;
const unsigned char expected[sizeof(out)] = {
0xfb, 0x83, 0x4d, 0x36, 0x6d, 0xbc, 0x53, 0x87, 0x35, 0x1b, 0x34, 0x75, 0x95, 0x88, 0x32, 0x4f, 0x3e, 0x82, 0x81, 0x01, 0x21, 0x93, 0x64, 0x00,
@@ -513,12 +514,15 @@ static int test_kdf_pbkdf1(void)
goto err;
/* PBKDF1 only available in the legacy provider */
- prov = OSSL_PROVIDER_load(libctx, "legacy");
- if (prov == NULL) {
+ legacyprov = OSSL_PROVIDER_load(libctx, "legacy");
+ if (legacyprov == NULL) {
OSSL_LIB_CTX_free(libctx);
return TEST_skip("PBKDF1 only available in legacy provider");
}
+ if (!TEST_ptr(defprov = OSSL_PROVIDER_load(libctx, "default")))
+ goto err;
+
params = construct_pbkdf1_params("passwordPASSWORDpassword", "sha256", "saltSALTsaltSALTsaltSALTsaltSALTsalt", &iterations);
@@ -534,7 +538,8 @@ static int test_kdf_pbkdf1(void)
err:
EVP_KDF_CTX_free(kctx);
OPENSSL_free(params);
- OSSL_PROVIDER_unload(prov);
+ OSSL_PROVIDER_unload(defprov);
+ OSSL_PROVIDER_unload(legacyprov);
OSSL_LIB_CTX_free(libctx);
return ret;
}
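Review bot: Nothing near the new `OSSL_PROVIDER_load(libctx, "default")` line says why the test needs a second provider that is otherwise never referenced; the KDF is given "sha256" by name, and with this commit the providers no longer fall back to a global EVP_MD, so the digest must be fetchable from a provider in libctx, which is presumably what the load supplies. A comment above the new line, `/* The KDF's digest must come from a provider in libctx: global EVP_MDs are no longer accepted as a fallback */`, would stop a later cleanup from dropping the apparently unused defprov. The new `goto err` runs the full cleanup with kctx and params still NULL, which is fine only because the free and unload functions tolerate NULL; kctx's declaration and the earlier `goto err` target setup lie outside the hunk, as does the body between the params construction and `err:`.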