From 6ce58488bdce66584a7075e19821add29445d746 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Fri, 9 Apr 2021 17:26:34 +0100 Subject: [PATCH] Store some FIPS global variables in the FIPS_GLOBAL structure We had some FIPS global variables that were based on values from the config file. In theory if two instances of the fips module are loaded they could be based on different config files which would cause this to fail. Instead we store them in the FIPS_GLOBAL structure. Fixes #14364 Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14814) --- providers/common/include/prov/securitycheck.h | 18 +- providers/common/securitycheck.c | 25 +-- providers/common/securitycheck_default.c | 6 +- providers/common/securitycheck_fips.c | 13 +- providers/fips/fipsprov.c | 191 +++++++++++------- .../implementations/asymciphers/rsa_enc.c | 2 +- providers/implementations/exchange/dh_exch.c | 5 +- .../implementations/exchange/ecdh_exch.c | 6 +- providers/implementations/kem/rsa_kem.c | 2 +- providers/implementations/signature/dsa.c | 6 +- providers/implementations/signature/ecdsa.c | 5 +- providers/implementations/signature/rsa.c | 7 +- 12 files changed, 171 insertions(+), 115 deletions(-) diff --git a/providers/common/include/prov/securitycheck.h b/providers/common/include/prov/securitycheck.h index 7d163f70fa..7635c24973 100644 --- a/providers/common/include/prov/securitycheck.h +++ b/providers/common/include/prov/securitycheck.h @@ -10,18 +10,20 @@ #include "crypto/types.h" /* Functions that are common */ -int ossl_rsa_check_key(const RSA *rsa, int operation); -int ossl_ec_check_key(const EC_KEY *ec, int protect); -int ossl_dsa_check_key(const DSA *dsa, int sign); -int ossl_dh_check_key(const DH *dh); +int ossl_rsa_check_key(OSSL_LIB_CTX *ctx, const RSA *rsa, int operation); +int ossl_ec_check_key(OSSL_LIB_CTX *ctx, const EC_KEY *ec, int protect); +int ossl_dsa_check_key(OSSL_LIB_CTX *ctx, const DSA *dsa, int sign); +int ossl_dh_check_key(OSSL_LIB_CTX *ctx, const DH *dh); -int ossl_digest_is_allowed(const EVP_MD *md); -int ossl_digest_get_approved_nid_with_sha1(const EVP_MD *md, int sha1_allowed); +int ossl_digest_is_allowed(OSSL_LIB_CTX *ctx, const EVP_MD *md); +int ossl_digest_get_approved_nid_with_sha1(OSSL_LIB_CTX *ctx, const EVP_MD *md, + int sha1_allowed); /* Functions that are common */ int ossl_digest_md_to_nid(const EVP_MD *md, const OSSL_ITEM *it, size_t it_len); int ossl_digest_get_approved_nid(const EVP_MD *md); /* Functions that have different implementations for the FIPS_MODULE */ -int ossl_digest_rsa_sign_get_md_nid(const EVP_MD *md, int sha1_allowed); -int ossl_securitycheck_enabled(void); +int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX *ctx, const EVP_MD *md, + int sha1_allowed); +int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx); diff --git a/providers/common/securitycheck.c b/providers/common/securitycheck.c index 08582d6346..4f36ce4593 100644 --- a/providers/common/securitycheck.c +++ b/providers/common/securitycheck.c @@ -26,7 +26,7 @@ * Set protect = 1 for encryption or signing operations, or 0 otherwise. See * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf. */ -int ossl_rsa_check_key(const RSA *rsa, int operation) +int ossl_rsa_check_key(OSSL_LIB_CTX *ctx, const RSA *rsa, int operation) { int protect = 0; @@ -58,7 +58,7 @@ int ossl_rsa_check_key(const RSA *rsa, int operation) } #if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS) - if (ossl_securitycheck_enabled()) { + if (ossl_securitycheck_enabled(ctx)) { int sz = RSA_bits(rsa); if (protect ? (sz < 2048) : (sz < 1024)) { @@ -89,10 +89,10 @@ int ossl_rsa_check_key(const RSA *rsa, int operation) * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf * "Table 2" */ -int ossl_ec_check_key(const EC_KEY *ec, int protect) +int ossl_ec_check_key(OSSL_LIB_CTX *ctx, const EC_KEY *ec, int protect) { # if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS) - if (ossl_securitycheck_enabled()) { + if (ossl_securitycheck_enabled(ctx)) { int nid, strength; const char *curve_name; const EC_GROUP *group = EC_KEY_get0_group(ec); @@ -147,10 +147,10 @@ int ossl_ec_check_key(const EC_KEY *ec, int protect) * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf * "Table 2" */ -int ossl_dsa_check_key(const DSA *dsa, int sign) +int ossl_dsa_check_key(OSSL_LIB_CTX *ctx, const DSA *dsa, int sign) { # if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS) - if (ossl_securitycheck_enabled()) { + if (ossl_securitycheck_enabled(ctx)) { size_t L, N; const BIGNUM *p, *q; @@ -191,10 +191,10 @@ int ossl_dsa_check_key(const DSA *dsa, int sign) * "Section 5.5.1.1FFC Domain Parameter Selection/Generation" and * "Appendix D" FFC Safe-prime Groups */ -int ossl_dh_check_key(const DH *dh) +int ossl_dh_check_key(OSSL_LIB_CTX *ctx, const DH *dh) { # if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS) - if (ossl_securitycheck_enabled()) { + if (ossl_securitycheck_enabled(ctx)) { size_t L, N; const BIGNUM *p, *q; @@ -224,12 +224,13 @@ int ossl_dh_check_key(const DH *dh) } #endif /* OPENSSL_NO_DH */ -int ossl_digest_get_approved_nid_with_sha1(const EVP_MD *md, int sha1_allowed) +int ossl_digest_get_approved_nid_with_sha1(OSSL_LIB_CTX *ctx, const EVP_MD *md, + int sha1_allowed) { int mdnid = ossl_digest_get_approved_nid(md); # if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS) - if (ossl_securitycheck_enabled()) { + if (ossl_securitycheck_enabled(ctx)) { if (mdnid == NID_sha1 && !sha1_allowed) mdnid = NID_undef; } @@ -237,10 +238,10 @@ int ossl_digest_get_approved_nid_with_sha1(const EVP_MD *md, int sha1_allowed) return mdnid; } -int ossl_digest_is_allowed(const EVP_MD *md) +int ossl_digest_is_allowed(OSSL_LIB_CTX *ctx, const EVP_MD *md) { # if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS) - if (ossl_securitycheck_enabled()) + if (ossl_securitycheck_enabled(ctx)) return ossl_digest_get_approved_nid(md) != NID_undef; # endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */ return 1; diff --git a/providers/common/securitycheck_default.c b/providers/common/securitycheck_default.c index c3a9325a1f..de7f0d3a0a 100644 --- a/providers/common/securitycheck_default.c +++ b/providers/common/securitycheck_default.c @@ -17,12 +17,12 @@ #include "internal/nelem.h" /* Disable the security checks in the default provider */ -int ossl_securitycheck_enabled(void) +int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx) { return 0; } -int ossl_digest_rsa_sign_get_md_nid(const EVP_MD *md, +int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX *ctx, const EVP_MD *md, ossl_unused int sha1_allowed) { int mdnid; @@ -36,7 +36,7 @@ int ossl_digest_rsa_sign_get_md_nid(const EVP_MD *md, { NID_ripemd160, OSSL_DIGEST_NAME_RIPEMD160 }, }; - mdnid = ossl_digest_get_approved_nid_with_sha1(md, 1); + mdnid = ossl_digest_get_approved_nid_with_sha1(ctx, md, 1); if (mdnid == NID_undef) mdnid = ossl_digest_md_to_nid(md, name_to_nid, OSSL_NELEM(name_to_nid)); return mdnid; diff --git a/providers/common/securitycheck_fips.c b/providers/common/securitycheck_fips.c index 42e5f46009..b7659bd395 100644 --- a/providers/common/securitycheck_fips.c +++ b/providers/common/securitycheck_fips.c @@ -19,22 +19,23 @@ #include #include "prov/securitycheck.h" -extern int FIPS_security_check_enabled(void); +int FIPS_security_check_enabled(OSSL_LIB_CTX *libctx); -int ossl_securitycheck_enabled(void) +int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx) { #if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS) - return FIPS_security_check_enabled(); + return FIPS_security_check_enabled(libctx); #else return 0; #endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */ } -int ossl_digest_rsa_sign_get_md_nid(const EVP_MD *md, int sha1_allowed) +int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX *ctx, const EVP_MD *md, + int sha1_allowed) { #if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS) - if (ossl_securitycheck_enabled()) - return ossl_digest_get_approved_nid_with_sha1(md, sha1_allowed); + if (ossl_securitycheck_enabled(ctx)) + return ossl_digest_get_approved_nid_with_sha1(ctx, md, sha1_allowed); #endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */ return ossl_digest_get_approved_nid(md); } diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c index f6a405d58e..3c22d2a80c 100644 --- a/providers/fips/fipsprov.c +++ b/providers/fips/fipsprov.c @@ -7,6 +7,7 @@ * https://www.openssl.org/source/license.html */ +#include #include #include #include @@ -37,19 +38,13 @@ static OSSL_FUNC_provider_query_operation_fn fips_query; #define ALG(NAMES, FUNC) ALGC(NAMES, FUNC, NULL) extern OSSL_FUNC_core_thread_start_fn *c_thread_start; -int FIPS_security_check_enabled(void); +int FIPS_security_check_enabled(OSSL_LIB_CTX *libctx); /* - * TODO(3.0): Should these be stored in the provider side provctx? Could they - * ever be different from one init to the next? Unfortunately we can't do this - * at the moment because c_put_error/c_add_error_vdata do not provide - * us with the OSSL_LIB_CTX as a parameter. + * Should these function pointers be stored in the provider side provctx? Could + * they ever be different from one init to the next? We assume not for now. */ -static SELF_TEST_POST_PARAMS selftest_params; -static int fips_security_checks = 1; -static const char *fips_security_check_option = "1"; - /* Functions provided by the core */ static OSSL_FUNC_core_gettable_params_fn *c_gettable_params; static OSSL_FUNC_core_get_params_fn *c_get_params; @@ -77,12 +72,20 @@ static OSSL_FUNC_core_get_libctx_fn *c_get_libctx = NULL; typedef struct fips_global_st { const OSSL_CORE_HANDLE *handle; + SELF_TEST_POST_PARAMS selftest_params; + int fips_security_checks; + const char *fips_security_check_option; } FIPS_GLOBAL; static void *fips_prov_ossl_ctx_new(OSSL_LIB_CTX *libctx) { FIPS_GLOBAL *fgbl = OPENSSL_zalloc(sizeof(*fgbl)); + if (fgbl == NULL) + return NULL; + fgbl->fips_security_checks = 1; + fgbl->fips_security_check_option = "1"; + return fgbl; } @@ -107,38 +110,54 @@ static const OSSL_PARAM fips_param_types[] = { OSSL_PARAM_END }; -/* - * Parameters to retrieve from the core provider - required for self testing. - * NOTE: inside core_get_params() these will be loaded from config items - * stored inside prov->parameters (except for - * OSSL_PROV_PARAM_CORE_MODULE_FILENAME). - * OSSL_PROV_FIPS_PARAM_SECURITY_CHECKS is not a self test parameter. - */ -static OSSL_PARAM core_params[] = -{ - OSSL_PARAM_utf8_ptr(OSSL_PROV_PARAM_CORE_MODULE_FILENAME, - &selftest_params.module_filename, - sizeof(selftest_params.module_filename)), - OSSL_PARAM_utf8_ptr(OSSL_PROV_FIPS_PARAM_MODULE_MAC, - &selftest_params.module_checksum_data, - sizeof(selftest_params.module_checksum_data)), - OSSL_PARAM_utf8_ptr(OSSL_PROV_FIPS_PARAM_INSTALL_MAC, - &selftest_params.indicator_checksum_data, - sizeof(selftest_params.indicator_checksum_data)), - OSSL_PARAM_utf8_ptr(OSSL_PROV_FIPS_PARAM_INSTALL_STATUS, - &selftest_params.indicator_data, - sizeof(selftest_params.indicator_data)), - OSSL_PARAM_utf8_ptr(OSSL_PROV_FIPS_PARAM_INSTALL_VERSION, - &selftest_params.indicator_version, - sizeof(selftest_params.indicator_version)), - OSSL_PARAM_utf8_ptr(OSSL_PROV_FIPS_PARAM_CONDITIONAL_ERRORS, - &selftest_params.conditional_error_check, - sizeof(selftest_params.conditional_error_check)), - OSSL_PARAM_utf8_ptr(OSSL_PROV_FIPS_PARAM_SECURITY_CHECKS, - &fips_security_check_option, - sizeof(fips_security_check_option)), - OSSL_PARAM_END -}; +static int fips_get_params_from_core(FIPS_GLOBAL *fgbl) +{ + /* + * Parameters to retrieve from the core provider - required for self testing. + * NOTE: inside core_get_params() these will be loaded from config items + * stored inside prov->parameters (except for + * OSSL_PROV_PARAM_CORE_MODULE_FILENAME). + * OSSL_PROV_FIPS_PARAM_SECURITY_CHECKS is not a self test parameter. + */ + OSSL_PARAM core_params[8], *p = core_params; + + *p++ = OSSL_PARAM_construct_utf8_ptr( + OSSL_PROV_PARAM_CORE_MODULE_FILENAME, + (char **)&fgbl->selftest_params.module_filename, + sizeof(fgbl->selftest_params.module_filename)); + *p++ = OSSL_PARAM_construct_utf8_ptr( + OSSL_PROV_FIPS_PARAM_MODULE_MAC, + (char **)&fgbl->selftest_params.module_checksum_data, + sizeof(fgbl->selftest_params.module_checksum_data)); + *p++ = OSSL_PARAM_construct_utf8_ptr( + OSSL_PROV_FIPS_PARAM_INSTALL_MAC, + (char **)&fgbl->selftest_params.indicator_checksum_data, + sizeof(fgbl->selftest_params.indicator_checksum_data)); + *p++ = OSSL_PARAM_construct_utf8_ptr( + OSSL_PROV_FIPS_PARAM_INSTALL_STATUS, + (char **)&fgbl->selftest_params.indicator_data, + sizeof(fgbl->selftest_params.indicator_data)); + *p++ = OSSL_PARAM_construct_utf8_ptr( + OSSL_PROV_FIPS_PARAM_INSTALL_VERSION, + (char **)&fgbl->selftest_params.indicator_version, + sizeof(fgbl->selftest_params.indicator_version)); + *p++ = OSSL_PARAM_construct_utf8_ptr( + OSSL_PROV_FIPS_PARAM_CONDITIONAL_ERRORS, + (char **)&fgbl->selftest_params.conditional_error_check, + sizeof(fgbl->selftest_params.conditional_error_check)); + *p++ = OSSL_PARAM_construct_utf8_ptr( + OSSL_PROV_FIPS_PARAM_SECURITY_CHECKS, + (char **)&fgbl->fips_security_check_option, + sizeof(fgbl->fips_security_check_option)); + *p = OSSL_PARAM_construct_end(); + + if (!c_get_params(fgbl->handle, core_params)) { + ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER); + return 0; + } + + return 1; +} static const OSSL_PARAM *fips_gettable_params(void *provctx) { @@ -148,6 +167,9 @@ static const OSSL_PARAM *fips_gettable_params(void *provctx) static int fips_get_params(void *provctx, OSSL_PARAM params[]) { OSSL_PARAM *p; + FIPS_GLOBAL *fgbl = ossl_lib_ctx_get_data(ossl_prov_ctx_get0_libctx(provctx), + OSSL_LIB_CTX_FIPS_PROV_INDEX, + &fips_prov_ossl_ctx_method); p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_NAME); if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "OpenSSL FIPS Provider")) @@ -162,26 +184,33 @@ static int fips_get_params(void *provctx, OSSL_PARAM params[]) if (p != NULL && !OSSL_PARAM_set_int(p, ossl_prov_is_running())) return 0; p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_SECURITY_CHECKS); - if (p != NULL && !OSSL_PARAM_set_int(p, fips_security_checks)) + if (p != NULL && !OSSL_PARAM_set_int(p, fgbl->fips_security_checks)) return 0; return 1; } -static void set_self_test_cb(const OSSL_CORE_HANDLE *handle) +static void set_self_test_cb(FIPS_GLOBAL *fgbl) { + const OSSL_CORE_HANDLE *handle = + FIPS_get_core_handle(fgbl->selftest_params.libctx); + if (c_stcbfn != NULL && c_get_libctx != NULL) { - c_stcbfn(c_get_libctx(handle), &selftest_params.cb, - &selftest_params.cb_arg); + c_stcbfn(c_get_libctx(handle), &fgbl->selftest_params.cb, + &fgbl->selftest_params.cb_arg); } else { - selftest_params.cb = NULL; - selftest_params.cb_arg = NULL; + fgbl->selftest_params.cb = NULL; + fgbl->selftest_params.cb_arg = NULL; } } static int fips_self_test(void *provctx) { - set_self_test_cb(FIPS_get_core_handle(selftest_params.libctx)); - return SELF_TEST_post(&selftest_params, 1) ? 1 : 0; + FIPS_GLOBAL *fgbl = ossl_lib_ctx_get_data(ossl_prov_ctx_get0_libctx(provctx), + OSSL_LIB_CTX_FIPS_PROV_INDEX, + &fips_prov_ossl_ctx_method); + + set_self_test_cb(fgbl); + return SELF_TEST_post(&fgbl->selftest_params, 1) ? 1 : 0; } /* @@ -506,6 +535,9 @@ int OSSL_provider_init(const OSSL_CORE_HANDLE *handle, { FIPS_GLOBAL *fgbl; OSSL_LIB_CTX *libctx = NULL; + SELF_TEST_POST_PARAMS selftest_params; + + memset(&selftest_params, 0, sizeof(selftest_params)); if (!ossl_prov_seeding_from_dispatch(in)) return 0; @@ -578,7 +610,8 @@ int OSSL_provider_init(const OSSL_CORE_HANDLE *handle, selftest_params.bio_new_file_cb = OSSL_FUNC_BIO_new_file(in); break; case OSSL_FUNC_BIO_NEW_MEMBUF: - selftest_params.bio_new_buffer_cb = OSSL_FUNC_BIO_new_membuf(in); + selftest_params.bio_new_buffer_cb + = OSSL_FUNC_BIO_new_membuf(in); break; case OSSL_FUNC_BIO_READ_EX: selftest_params.bio_read_ex_cb = OSSL_FUNC_BIO_read_ex(in); @@ -598,22 +631,6 @@ int OSSL_provider_init(const OSSL_CORE_HANDLE *handle, } } - set_self_test_cb(handle); - - if (!c_get_params(handle, core_params)) { - ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER); - return 0; - } - /* Disable the conditional error check if is disabled in the fips config file*/ - if (selftest_params.conditional_error_check != NULL - && strcmp(selftest_params.conditional_error_check, "0") == 0) - SELF_TEST_disable_conditional_error_state(); - - /* Disable the security check if is disabled in the fips config file*/ - if (fips_security_check_option != NULL - && strcmp(fips_security_check_option, "0") == 0) - fips_security_checks = 0; - /* Create a context. */ if ((*provctx = ossl_prov_ctx_new()) == NULL || (libctx = OSSL_LIB_CTX_new()) == NULL) { @@ -634,10 +651,37 @@ int OSSL_provider_init(const OSSL_CORE_HANDLE *handle, fgbl->handle = handle; + /* + * We did initial set up of selftest_params in a local copy, because we + * could not create fgbl until c_CRYPTO_zalloc was defined in the loop + * above. + */ + fgbl->selftest_params = selftest_params; + + fgbl->selftest_params.libctx = libctx; + + set_self_test_cb(fgbl); + + if (!fips_get_params_from_core(fgbl)) { + /* Error already raised */ + return 0; + } + /* + * Disable the conditional error check if is disabled in the fips config + * file + */ + if (fgbl->selftest_params.conditional_error_check != NULL + && strcmp(fgbl->selftest_params.conditional_error_check, "0") == 0) + SELF_TEST_disable_conditional_error_state(); + + /* Disable the security check if is disabled in the fips config file */ + if (fgbl->fips_security_check_option != NULL + && strcmp(fgbl->fips_security_check_option, "0") == 0) + fgbl->fips_security_checks = 0; + ossl_prov_cache_exported_algorithms(fips_ciphers, exported_fips_ciphers); - selftest_params.libctx = libctx; - if (!SELF_TEST_post(&selftest_params, 0)) { + if (!SELF_TEST_post(&fgbl->selftest_params, 0)) { ERR_raise(ERR_LIB_PROV, PROV_R_SELF_TEST_POST_FAILURE); goto err; } @@ -819,16 +863,19 @@ int BIO_snprintf(char *buf, size_t n, const char *format, ...) return ret; } -int FIPS_security_check_enabled(void) +int FIPS_security_check_enabled(OSSL_LIB_CTX *libctx) { - return fips_security_checks; + FIPS_GLOBAL *fgbl = ossl_lib_ctx_get_data(libctx, + OSSL_LIB_CTX_FIPS_PROV_INDEX, + &fips_prov_ossl_ctx_method); + + return fgbl->fips_security_checks; } void OSSL_SELF_TEST_get_callback(OSSL_LIB_CTX *libctx, OSSL_CALLBACK **cb, void **cbarg) { - if (libctx == NULL) - libctx = selftest_params.libctx; + assert(libctx != NULL); if (c_stcbfn != NULL && c_get_libctx != NULL) { /* Get the parent libctx */ diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c index ab84d53512..354c234939 100644 --- a/providers/implementations/asymciphers/rsa_enc.c +++ b/providers/implementations/asymciphers/rsa_enc.c @@ -99,7 +99,7 @@ static int rsa_init(void *vprsactx, void *vrsa, const OSSL_PARAM params[], if (!ossl_prov_is_running() || prsactx == NULL || vrsa == NULL) return 0; - if (!ossl_rsa_check_key(vrsa, operation)) + if (!ossl_rsa_check_key(prsactx->libctx, vrsa, operation)) return 0; if (!RSA_up_ref(vrsa)) diff --git a/providers/implementations/exchange/dh_exch.c b/providers/implementations/exchange/dh_exch.c index 0ecc6c7a4c..67a73d36ef 100644 --- a/providers/implementations/exchange/dh_exch.c +++ b/providers/implementations/exchange/dh_exch.c @@ -105,7 +105,8 @@ static int dh_init(void *vpdhctx, void *vdh, const OSSL_PARAM params[]) DH_free(pdhctx->dh); pdhctx->dh = vdh; pdhctx->kdf_type = PROV_DH_KDF_NONE; - return dh_set_ctx_params(pdhctx, params) && ossl_dh_check_key(vdh); + return dh_set_ctx_params(pdhctx, params) + && ossl_dh_check_key(pdhctx->libctx, vdh); } /* The 2 parties must share the same domain parameters */ @@ -345,7 +346,7 @@ static int dh_set_ctx_params(void *vpdhctx, const OSSL_PARAM params[]) EVP_MD_free(pdhctx->kdf_md); pdhctx->kdf_md = EVP_MD_fetch(pdhctx->libctx, name, mdprops); - if (!ossl_digest_is_allowed(pdhctx->kdf_md)) { + if (!ossl_digest_is_allowed(pdhctx->libctx, pdhctx->kdf_md)) { EVP_MD_free(pdhctx->kdf_md); pdhctx->kdf_md = NULL; } diff --git a/providers/implementations/exchange/ecdh_exch.c b/providers/implementations/exchange/ecdh_exch.c index ba2b493a76..7748340248 100644 --- a/providers/implementations/exchange/ecdh_exch.c +++ b/providers/implementations/exchange/ecdh_exch.c @@ -113,7 +113,7 @@ int ecdh_init(void *vpecdhctx, void *vecdh, const OSSL_PARAM params[]) pecdhctx->cofactor_mode = -1; pecdhctx->kdf_type = PROV_ECDH_KDF_NONE; return ecdh_set_ctx_params(pecdhctx, params) - && ossl_ec_check_key(vecdh, 1); + && ossl_ec_check_key(pecdhctx->libctx, vecdh, 1); } static @@ -147,7 +147,7 @@ int ecdh_set_peer(void *vpecdhctx, void *vecdh) || pecdhctx == NULL || vecdh == NULL || !ecdh_match_params(pecdhctx->k, vecdh) - || !ossl_ec_check_key(vecdh, 1) + || !ossl_ec_check_key(pecdhctx->libctx, vecdh, 1) || !EC_KEY_up_ref(vecdh)) return 0; @@ -283,7 +283,7 @@ int ecdh_set_ctx_params(void *vpecdhctx, const OSSL_PARAM params[]) EVP_MD_free(pectx->kdf_md); pectx->kdf_md = EVP_MD_fetch(pectx->libctx, name, mdprops); - if (!ossl_digest_is_allowed(pectx->kdf_md)) { + if (!ossl_digest_is_allowed(pectx->libctx, pectx->kdf_md)) { EVP_MD_free(pectx->kdf_md); pectx->kdf_md = NULL; } diff --git a/providers/implementations/kem/rsa_kem.c b/providers/implementations/kem/rsa_kem.c index 3809bfb8b1..9aa0a7aaee 100644 --- a/providers/implementations/kem/rsa_kem.c +++ b/providers/implementations/kem/rsa_kem.c @@ -125,7 +125,7 @@ static int rsakem_init(void *vprsactx, void *vrsa, if (prsactx == NULL || vrsa == NULL) return 0; - if (!ossl_rsa_check_key(vrsa, operation)) + if (!ossl_rsa_check_key(prsactx->libctx, vrsa, operation)) return 0; if (!RSA_up_ref(vrsa)) diff --git a/providers/implementations/signature/dsa.c b/providers/implementations/signature/dsa.c index 88a8102cff..dde689903d 100644 --- a/providers/implementations/signature/dsa.c +++ b/providers/implementations/signature/dsa.c @@ -127,7 +127,8 @@ static int dsa_setup_md(PROV_DSA_CTX *ctx, int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN); WPACKET pkt; EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops); - int md_nid = ossl_digest_get_approved_nid_with_sha1(md, sha1_allowed); + int md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md, + sha1_allowed); size_t mdname_len = strlen(mdname); if (md == NULL || md_nid == NID_undef) { @@ -188,7 +189,8 @@ static int dsa_signverify_init(void *vpdsactx, void *vdsa, if (!dsa_set_ctx_params(pdsactx, params)) return 0; - if (!ossl_dsa_check_key(vdsa, operation == EVP_PKEY_OP_SIGN)) { + if (!ossl_dsa_check_key(pdsactx->libctx, vdsa, + operation == EVP_PKEY_OP_SIGN)) { ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); return 0; } diff --git a/providers/implementations/signature/ecdsa.c b/providers/implementations/signature/ecdsa.c index 4f90032af3..8c4648106f 100644 --- a/providers/implementations/signature/ecdsa.c +++ b/providers/implementations/signature/ecdsa.c @@ -140,7 +140,7 @@ static int ecdsa_signverify_init(void *vctx, void *ec, ctx->operation = operation; if (!ecdsa_set_ctx_params(ctx, params)) return 0; - return ossl_ec_check_key(ec, operation == EVP_PKEY_OP_SIGN); + return ossl_ec_check_key(ctx->libctx, ec, operation == EVP_PKEY_OP_SIGN); } static int ecdsa_sign_init(void *vctx, void *ec, const OSSL_PARAM params[]) @@ -225,7 +225,8 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx, const char *mdname, return 0; } sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN); - md_nid = ossl_digest_get_approved_nid_with_sha1(md, sha1_allowed); + md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md, + sha1_allowed); if (md_nid == NID_undef) { ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED, "digest=%s", mdname); diff --git a/providers/implementations/signature/rsa.c b/providers/implementations/signature/rsa.c index 96366a9a6b..16025bffc0 100644 --- a/providers/implementations/signature/rsa.c +++ b/providers/implementations/signature/rsa.c @@ -284,7 +284,8 @@ static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname, if (mdname != NULL) { EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops); int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN); - int md_nid = ossl_digest_rsa_sign_get_md_nid(md, sha1_allowed); + int md_nid = ossl_digest_rsa_sign_get_md_nid(ctx->libctx, md, + sha1_allowed); size_t mdname_len = strlen(mdname); if (md == NULL @@ -343,7 +344,7 @@ static int rsa_setup_mgf1_md(PROV_RSA_CTX *ctx, const char *mdname, return 0; } /* The default for mgf1 is SHA1 - so allow SHA1 */ - if ((mdnid = ossl_digest_rsa_sign_get_md_nid(md, 1)) == NID_undef + if ((mdnid = ossl_digest_rsa_sign_get_md_nid(ctx->libctx, md, 1)) == NID_undef || !rsa_check_padding(ctx, NULL, mdname, mdnid)) { if (mdnid == NID_undef) ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED, @@ -377,7 +378,7 @@ static int rsa_signverify_init(void *vprsactx, void *vrsa, if (prsactx == NULL || vrsa == NULL) return 0; - if (!ossl_rsa_check_key(vrsa, operation)) + if (!ossl_rsa_check_key(prsactx->libctx, vrsa, operation)) return 0; if (!RSA_up_ref(vrsa)) -- 2.39.2