diff options
| author | Shane Lontis <shane.lontis@oracle.com> | 2021-02-17 20:01:34 +1000 |
|---|---|---|
| committer | Pauli <ppzgs1@gmail.com> | 2021-02-18 21:14:32 +1000 |
| commit | 7b676cc8c60823570e283fbe325b263670c6ccc2 (patch) | |
| tree | c38119319f0dff73868b5716a86c643142caed0a | |
| parent | 47c076acfc5debbae386c552bdb423e832042ae7 (diff) | |
Fix external symbols related to provider related security checks for
keys and digests.
Partial fix for #12964
This adds ossl_ names for the following symbols:
digest_get_approved_nid, digest_get_approved_nid_with_sha1
digest_is_allowed, digest_md_to_nid, digest_rsa_sign_get_md_nid,
securitycheck_enabled,
dh_check_key, dsa_check_key, ec_check_key,
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14211)
| -rw-r--r-- | providers/common/digest_to_nid.c | 6 | ||||
| -rw-r--r-- | providers/common/include/prov/securitycheck.h | 18 | ||||
| -rw-r--r-- | providers/common/securitycheck.c | 26 | ||||
| -rw-r--r-- | providers/common/securitycheck_default.c | 9 | ||||
| -rw-r--r-- | providers/common/securitycheck_fips.c | 10 | ||||
| -rw-r--r-- | providers/implementations/exchange/dh_exch.c | 4 | ||||
| -rw-r--r-- | providers/implementations/exchange/ecdh_exch.c | 6 | ||||
| -rw-r--r-- | providers/implementations/signature/dsa.c | 4 | ||||
| -rw-r--r-- | providers/implementations/signature/ecdsa.c | 4 | ||||
| -rw-r--r-- | providers/implementations/signature/rsa.c | 4 |
10 files changed, 46 insertions, 45 deletions
diff --git a/providers/common/digest_to_nid.c b/providers/common/digest_to_nid.c index 496d814173..f66b61b4fa 100644 --- a/providers/common/digest_to_nid.c +++ b/providers/common/digest_to_nid.c @@ -20,7 +20,7 @@ * Internal library code deals with NIDs, so we need to translate from a name. * We do so using EVP_MD_is_a(), and therefore need a name to NID map. */ -int digest_md_to_nid(const EVP_MD *md, const OSSL_ITEM *it, size_t it_len) +int ossl_digest_md_to_nid(const EVP_MD *md, const OSSL_ITEM *it, size_t it_len) { size_t i; @@ -37,7 +37,7 @@ int digest_md_to_nid(const EVP_MD *md, const OSSL_ITEM *it, size_t it_len) * Retrieve one of the FIPs approved hash algorithms by nid. * See FIPS 180-4 "Secure Hash Standard" and FIPS 202 - SHA-3. */ -int digest_get_approved_nid(const EVP_MD *md) +int ossl_digest_get_approved_nid(const EVP_MD *md) { static const OSSL_ITEM name_to_nid[] = { { NID_sha1, OSSL_DIGEST_NAME_SHA1 }, @@ -53,5 +53,5 @@ int digest_get_approved_nid(const EVP_MD *md) { NID_sha3_512, OSSL_DIGEST_NAME_SHA3_512 }, }; - return digest_md_to_nid(md, name_to_nid, OSSL_NELEM(name_to_nid)); + return ossl_digest_md_to_nid(md, name_to_nid, OSSL_NELEM(name_to_nid)); } diff --git a/providers/common/include/prov/securitycheck.h b/providers/common/include/prov/securitycheck.h index a9e69c8a29..2b81092f30 100644 --- a/providers/common/include/prov/securitycheck.h +++ b/providers/common/include/prov/securitycheck.h @@ -11,17 +11,17 @@ /* Functions that are common */ int ossl_rsa_check_key(const RSA *rsa, int protect); -int ec_check_key(const EC_KEY *ec, int protect); -int dsa_check_key(const DSA *dsa, int sign); -int dh_check_key(const DH *dh); +int ossl_ec_check_key(const EC_KEY *ec, int protect); +int ossl_dsa_check_key(const DSA *dsa, int sign); +int ossl_dh_check_key(const DH *dh); -int digest_is_allowed(const EVP_MD *md); -int digest_get_approved_nid_with_sha1(const EVP_MD *md, int sha1_allowed); +int ossl_digest_is_allowed(const EVP_MD *md); +int ossl_digest_get_approved_nid_with_sha1(const EVP_MD *md, int sha1_allowed); /* Functions that are common */ -int digest_md_to_nid(const EVP_MD *md, const OSSL_ITEM *it, size_t it_len); -int digest_get_approved_nid(const EVP_MD *md); +int ossl_digest_md_to_nid(const EVP_MD *md, const OSSL_ITEM *it, size_t it_len); +int ossl_digest_get_approved_nid(const EVP_MD *md); /* Functions that have different implementations for the FIPS_MODULE */ -int digest_rsa_sign_get_md_nid(const EVP_MD *md, int sha1_allowed); -int securitycheck_enabled(void); +int ossl_digest_rsa_sign_get_md_nid(const EVP_MD *md, int sha1_allowed); +int ossl_securitycheck_enabled(void); diff --git a/providers/common/securitycheck.c b/providers/common/securitycheck.c index 9457f4b53a..547b74fe3a 100644 --- a/providers/common/securitycheck.c +++ b/providers/common/securitycheck.c @@ -28,7 +28,7 @@ int ossl_rsa_check_key(const RSA *rsa, int protect) { #if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS) - if (securitycheck_enabled()) { + if (ossl_securitycheck_enabled()) { int sz = RSA_bits(rsa); return protect ? (sz >= 2048) : (sz >= 1024); @@ -52,10 +52,10 @@ int ossl_rsa_check_key(const RSA *rsa, int protect) * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf * "Table 2" */ -int ec_check_key(const EC_KEY *ec, int protect) +int ossl_ec_check_key(const EC_KEY *ec, int protect) { # if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS) - if (securitycheck_enabled()) { + if (ossl_securitycheck_enabled()) { int nid, strength; const char *curve_name; const EC_GROUP *group = EC_KEY_get0_group(ec); @@ -110,10 +110,10 @@ int ec_check_key(const EC_KEY *ec, int protect) * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf * "Table 2" */ -int dsa_check_key(const DSA *dsa, int sign) +int ossl_dsa_check_key(const DSA *dsa, int sign) { # if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS) - if (securitycheck_enabled()) { + if (ossl_securitycheck_enabled()) { size_t L, N; const BIGNUM *p, *q; @@ -154,10 +154,10 @@ int dsa_check_key(const DSA *dsa, int sign) * "Section 5.5.1.1FFC Domain Parameter Selection/Generation" and * "Appendix D" FFC Safe-prime Groups */ -int dh_check_key(const DH *dh) +int ossl_dh_check_key(const DH *dh) { # if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS) - if (securitycheck_enabled()) { + if (ossl_securitycheck_enabled()) { size_t L, N; const BIGNUM *p, *q; @@ -187,12 +187,12 @@ int dh_check_key(const DH *dh) } #endif /* OPENSSL_NO_DH */ -int digest_get_approved_nid_with_sha1(const EVP_MD *md, int sha1_allowed) +int ossl_digest_get_approved_nid_with_sha1(const EVP_MD *md, int sha1_allowed) { - int mdnid = digest_get_approved_nid(md); + int mdnid = ossl_digest_get_approved_nid(md); # if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS) - if (securitycheck_enabled()) { + if (ossl_securitycheck_enabled()) { if (mdnid == NID_sha1 && !sha1_allowed) mdnid = NID_undef; } @@ -200,11 +200,11 @@ int digest_get_approved_nid_with_sha1(const EVP_MD *md, int sha1_allowed) return mdnid; } -int digest_is_allowed(const EVP_MD *md) +int ossl_digest_is_allowed(const EVP_MD *md) { # if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS) - if (securitycheck_enabled()) - return digest_get_approved_nid(md) != NID_undef; + if (ossl_securitycheck_enabled()) + return ossl_digest_get_approved_nid(md) != NID_undef; # endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */ return 1; } diff --git a/providers/common/securitycheck_default.c b/providers/common/securitycheck_default.c index e88b642ae2..7bb5639882 100644 --- a/providers/common/securitycheck_default.c +++ b/providers/common/securitycheck_default.c @@ -17,12 +17,13 @@ #include "internal/nelem.h" /* Disable the security checks in the default provider */ -int securitycheck_enabled(void) +int ossl_securitycheck_enabled(void) { return 0; } -int digest_rsa_sign_get_md_nid(const EVP_MD *md, ossl_unused int sha1_allowed) +int ossl_digest_rsa_sign_get_md_nid(const EVP_MD *md, + ossl_unused int sha1_allowed) { int mdnid; @@ -35,8 +36,8 @@ int digest_rsa_sign_get_md_nid(const EVP_MD *md, ossl_unused int sha1_allowed) { NID_ripemd160, OSSL_DIGEST_NAME_RIPEMD160 }, }; - mdnid = digest_get_approved_nid_with_sha1(md, 1); + mdnid = ossl_digest_get_approved_nid_with_sha1(md, 1); if (mdnid == NID_undef) - mdnid = digest_md_to_nid(md, name_to_nid, OSSL_NELEM(name_to_nid)); + mdnid = ossl_digest_md_to_nid(md, name_to_nid, OSSL_NELEM(name_to_nid)); return mdnid; } diff --git a/providers/common/securitycheck_fips.c b/providers/common/securitycheck_fips.c index 5bf59c9a35..35f82433db 100644 --- a/providers/common/securitycheck_fips.c +++ b/providers/common/securitycheck_fips.c @@ -21,7 +21,7 @@ extern int FIPS_security_check_enabled(void); -int securitycheck_enabled(void) +int ossl_securitycheck_enabled(void) { #if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS) return FIPS_security_check_enabled(); @@ -30,11 +30,11 @@ int securitycheck_enabled(void) #endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */ } -int digest_rsa_sign_get_md_nid(const EVP_MD *md, int sha1_allowed) +int ossl_digest_rsa_sign_get_md_nid(const EVP_MD *md, int sha1_allowed) { #if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS) - if (securitycheck_enabled()) - return digest_get_approved_nid_with_sha1(md, sha1_allowed); + if (ossl_securitycheck_enabled()) + return ossl_digest_get_approved_nid_with_sha1(md, sha1_allowed); #endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */ - return digest_get_approved_nid(md); + return ossl_digest_get_approved_nid(md); } diff --git a/providers/implementations/exchange/dh_exch.c b/providers/implementations/exchange/dh_exch.c index df412ccf73..32ce2ee0ed 100644 --- a/providers/implementations/exchange/dh_exch.c +++ b/providers/implementations/exchange/dh_exch.c @@ -104,7 +104,7 @@ static int dh_init(void *vpdhctx, void *vdh) DH_free(pdhctx->dh); pdhctx->dh = vdh; pdhctx->kdf_type = PROV_DH_KDF_NONE; - return dh_check_key(vdh); + return ossl_dh_check_key(vdh); } static int dh_set_peer(void *vpdhctx, void *vdh) @@ -321,7 +321,7 @@ static int dh_set_ctx_params(void *vpdhctx, const OSSL_PARAM params[]) EVP_MD_free(pdhctx->kdf_md); pdhctx->kdf_md = EVP_MD_fetch(pdhctx->libctx, name, mdprops); - if (!digest_is_allowed(pdhctx->kdf_md)) { + if (!ossl_digest_is_allowed(pdhctx->kdf_md)) { EVP_MD_free(pdhctx->kdf_md); pdhctx->kdf_md = NULL; } diff --git a/providers/implementations/exchange/ecdh_exch.c b/providers/implementations/exchange/ecdh_exch.c index a1b17443ba..8d3f748f9b 100644 --- a/providers/implementations/exchange/ecdh_exch.c +++ b/providers/implementations/exchange/ecdh_exch.c @@ -111,7 +111,7 @@ int ecdh_init(void *vpecdhctx, void *vecdh) pecdhctx->k = vecdh; pecdhctx->cofactor_mode = -1; pecdhctx->kdf_type = PROV_ECDH_KDF_NONE; - return ec_check_key(vecdh, 1); + return ossl_ec_check_key(vecdh, 1); } static @@ -126,7 +126,7 @@ int ecdh_set_peer(void *vpecdhctx, void *vecdh) return 0; EC_KEY_free(pecdhctx->peerk); pecdhctx->peerk = vecdh; - return ec_check_key(vecdh, 1); + return ossl_ec_check_key(vecdh, 1); } static @@ -254,7 +254,7 @@ int ecdh_set_ctx_params(void *vpecdhctx, const OSSL_PARAM params[]) EVP_MD_free(pectx->kdf_md); pectx->kdf_md = EVP_MD_fetch(pectx->libctx, name, mdprops); - if (!digest_is_allowed(pectx->kdf_md)) { + if (!ossl_digest_is_allowed(pectx->kdf_md)) { EVP_MD_free(pectx->kdf_md); pectx->kdf_md = NULL; } diff --git a/providers/implementations/signature/dsa.c b/providers/implementations/signature/dsa.c index be1a8fca3f..e6dd538708 100644 --- a/providers/implementations/signature/dsa.c +++ b/providers/implementations/signature/dsa.c @@ -127,7 +127,7 @@ static int dsa_setup_md(PROV_DSA_CTX *ctx, int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN); WPACKET pkt; EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops); - int md_nid = digest_get_approved_nid_with_sha1(md, sha1_allowed); + int md_nid = ossl_digest_get_approved_nid_with_sha1(md, sha1_allowed); size_t mdname_len = strlen(mdname); if (md == NULL || md_nid == NID_undef) { @@ -183,7 +183,7 @@ static int dsa_signverify_init(void *vpdsactx, void *vdsa, int operation) DSA_free(pdsactx->dsa); pdsactx->dsa = vdsa; pdsactx->operation = operation; - if (!dsa_check_key(vdsa, operation == EVP_PKEY_OP_SIGN)) { + if (!ossl_dsa_check_key(vdsa, operation == EVP_PKEY_OP_SIGN)) { ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); return 0; } diff --git a/providers/implementations/signature/ecdsa.c b/providers/implementations/signature/ecdsa.c index ed21ac79c3..aff3724435 100644 --- a/providers/implementations/signature/ecdsa.c +++ b/providers/implementations/signature/ecdsa.c @@ -137,7 +137,7 @@ static int ecdsa_signverify_init(void *vctx, void *ec, int operation) EC_KEY_free(ctx->ec); ctx->ec = ec; ctx->operation = operation; - return ec_check_key(ec, operation == EVP_PKEY_OP_SIGN); + return ossl_ec_check_key(ec, operation == EVP_PKEY_OP_SIGN); } static int ecdsa_sign_init(void *vctx, void *ec) @@ -222,7 +222,7 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx, const char *mdname, return 0; } sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN); - md_nid = digest_get_approved_nid_with_sha1(md, sha1_allowed); + md_nid = ossl_digest_get_approved_nid_with_sha1(md, sha1_allowed); if (md_nid == NID_undef) { ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED, "digest=%s", mdname); diff --git a/providers/implementations/signature/rsa.c b/providers/implementations/signature/rsa.c index 4cdd90a5c6..a69981a36a 100644 --- a/providers/implementations/signature/rsa.c +++ b/providers/implementations/signature/rsa.c @@ -276,7 +276,7 @@ static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname, if (mdname != NULL) { EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops); int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN); - int md_nid = digest_rsa_sign_get_md_nid(md, sha1_allowed); + int md_nid = ossl_digest_rsa_sign_get_md_nid(md, sha1_allowed); size_t mdname_len = strlen(mdname); if (md == NULL @@ -335,7 +335,7 @@ static int rsa_setup_mgf1_md(PROV_RSA_CTX *ctx, const char *mdname, return 0; } /* The default for mgf1 is SHA1 - so allow SHA1 */ - if ((mdnid = digest_rsa_sign_get_md_nid(md, 1)) == NID_undef + if ((mdnid = ossl_digest_rsa_sign_get_md_nid(md, 1)) == NID_undef || !rsa_check_padding(ctx, NULL, mdname, mdnid)) { if (mdnid == NID_undef) ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED, |