authorPauli <paul.dale@oracle.com>2020-09-07 13:26:20 +1000
committerPauli <paul.dale@oracle.com>2020-09-12 16:46:20 +1000
commitca94057fc3aabdcdd87c6c6cc9b68459bd433fc7 (patch)
tree8f4d4ac5927d7f848b7a09a28558fc25df155a07 /providers/implementations/exchange
parent2b9e4e956b37ee49b29a73c7782f525ac8c58cc5 (diff)
exchange: add FIPS error state handling
The functions that check for the provider being runnable are: newctx, dupctx, init, derive and set peer. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12801)
Diffstat (limited to 'providers/implementations/exchange')
-rw-r--r--providers/implementations/exchange/dh_exch.c23
-rw-r--r--providers/implementations/exchange/ecdh_exch.c20
-rw-r--r--providers/implementations/exchange/ecx_exch.c19
-rw-r--r--providers/implementations/exchange/kdf_exch.c17
4 files changed, 70 insertions, 9 deletions
diff --git a/providers/implementations/exchange/dh_exch.c b/providers/implementations/exchange/dh_exch.c
index 3c3bd4dd38..fad38ec93d 100644
--- a/providers/implementations/exchange/dh_exch.c
+++ b/providers/implementations/exchange/dh_exch.c
@@ -20,6 +20,7 @@
#include <openssl/dh.h>
#include <openssl/err.h>
#include <openssl/params.h>
+#include "prov/providercommon.h"
#include "prov/implementations.h"
#include "prov/provider_ctx.h"
#include "crypto/dh.h"
@@ -77,8 +78,12 @@ typedef struct {
static void *dh_newctx(void *provctx)
{
- PROV_DH_CTX *pdhctx = OPENSSL_zalloc(sizeof(PROV_DH_CTX));
+ PROV_DH_CTX *pdhctx;
+ if (!ossl_prov_is_running())
+ return NULL;
+
+ pdhctx = OPENSSL_zalloc(sizeof(PROV_DH_CTX));
if (pdhctx == NULL)
return NULL;
pdhctx->libctx = PROV_LIBRARY_CONTEXT_OF(provctx);
@@ -90,7 +95,10 @@ static int dh_init(void *vpdhctx, void *vdh)
{
PROV_DH_CTX *pdhctx = (PROV_DH_CTX *)vpdhctx;
- if (pdhctx == NULL || vdh == NULL || !DH_up_ref(vdh))
+ if (!ossl_prov_is_running()
+ || pdhctx == NULL
+ || vdh == NULL
+ || !DH_up_ref(vdh))
return 0;
DH_free(pdhctx->dh);
pdhctx->dh = vdh;
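Review bot: The order of terms in the new dh_init condition is load-bearing and deserves a comment: `ossl_prov_is_running()` has to stay ahead of `DH_up_ref(vdh)` so that short-circuit evaluation takes no reference on the key when the provider is not runnable. I would add `/* Test provider state first: no reference is taken on vdh if it fails */` above the `if`. The same applies to dh_set_peer, ecdh_init, ecdh_set_peer and kdf_init, which use the same four-term condition. dh_init continues past the end of this hunk.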
@@ -102,7 +110,10 @@ static int dh_set_peer(void *vpdhctx, void *vdh)
{
PROV_DH_CTX *pdhctx = (PROV_DH_CTX *)vpdhctx;
- if (pdhctx == NULL || vdh == NULL || !DH_up_ref(vdh))
+ if (!ossl_prov_is_running()
+ || pdhctx == NULL
+ || vdh == NULL
+ || !DH_up_ref(vdh))
return 0;
DH_free(pdhctx->dhpeer);
pdhctx->dhpeer = vdh;
@@ -189,6 +200,9 @@ static int dh_derive(void *vpdhctx, unsigned char *secret,
{
PROV_DH_CTX *pdhctx = (PROV_DH_CTX *)vpdhctx;
+ if (!ossl_prov_is_running())
+ return 0;
+
switch (pdhctx->kdf_type) {
case PROV_DH_KDF_NONE:
return dh_plain_derive(pdhctx, secret, psecretlen, outlen);
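Review bot: dh_derive dereferences `pdhctx` in `switch (pdhctx->kdf_type)` right after the new guard, without the NULL test that dh_init and dh_set_peer apply to the same argument. Folding it into the added check keeps the entry points consistent: `if (!ossl_prov_is_running() || pdhctx == NULL)` followed by `return 0;`. ecx_derive (`ecxctx->key`) and kdf_derive (`pkdfctx->kdfctx`) have the same shape. If the dispatch layer guarantees a non-NULL context, a one-line comment saying so would do instead; that guarantee is not visible here. The switch continues outside the hunk.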
@@ -219,6 +233,9 @@ static void *dh_dupctx(void *vpdhctx)
PROV_DH_CTX *srcctx = (PROV_DH_CTX *)vpdhctx;
PROV_DH_CTX *dstctx;
+ if (!ossl_prov_is_running())
+ return NULL;
+
dstctx = OPENSSL_zalloc(sizeof(*srcctx));
if (dstctx == NULL)
return NULL;
diff --git a/providers/implementations/exchange/ecdh_exch.c b/providers/implementations/exchange/ecdh_exch.c
index 88f9c7c9bf..8e6cf10dc5 100644
--- a/providers/implementations/exchange/ecdh_exch.c
+++ b/providers/implementations/exchange/ecdh_exch.c
@@ -22,6 +22,7 @@
#include <openssl/params.h>
#include <openssl/err.h>
#include "prov/provider_ctx.h"
+#include "prov/providercommon.h"
#include "prov/implementations.h"
#include "crypto/ec.h" /* ecdh_KDF_X9_63() */
@@ -79,8 +80,12 @@ typedef struct {
static
void *ecdh_newctx(void *provctx)
{
- PROV_ECDH_CTX *pectx = OPENSSL_zalloc(sizeof(*pectx));
+ PROV_ECDH_CTX *pectx;
+ if (!ossl_prov_is_running())
+ return NULL;
+
+ pectx = OPENSSL_zalloc(sizeof(*pectx));
if (pectx == NULL)
return NULL;
@@ -96,7 +101,10 @@ int ecdh_init(void *vpecdhctx, void *vecdh)
{
PROV_ECDH_CTX *pecdhctx = (PROV_ECDH_CTX *)vpecdhctx;
- if (pecdhctx == NULL || vecdh == NULL || !EC_KEY_up_ref(vecdh))
+ if (!ossl_prov_is_running()
+ || pecdhctx == NULL
+ || vecdh == NULL
+ || !EC_KEY_up_ref(vecdh))
return 0;
EC_KEY_free(pecdhctx->k);
pecdhctx->k = vecdh;
@@ -110,7 +118,10 @@ int ecdh_set_peer(void *vpecdhctx, void *vecdh)
{
PROV_ECDH_CTX *pecdhctx = (PROV_ECDH_CTX *)vpecdhctx;
- if (pecdhctx == NULL || vecdh == NULL || !EC_KEY_up_ref(vecdh))
+ if (!ossl_prov_is_running()
+ || pecdhctx == NULL
+ || vecdh == NULL
+ || !EC_KEY_up_ref(vecdh))
return 0;
EC_KEY_free(pecdhctx->peerk);
pecdhctx->peerk = vecdh;
@@ -137,6 +148,9 @@ void *ecdh_dupctx(void *vpecdhctx)
PROV_ECDH_CTX *srcctx = (PROV_ECDH_CTX *)vpecdhctx;
PROV_ECDH_CTX *dstctx;
+ if (!ossl_prov_is_running())
+ return NULL;
+
dstctx = OPENSSL_zalloc(sizeof(*srcctx));
if (dstctx == NULL)
return NULL;
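Review bot: No hunk in ecdh_exch.c adds the runnable check to the derive entry point, although the commit message lists derive among the gated functions and dh_exch.c, ecx_exch.c and kdf_exch.c each gain one. The four code hunks here cover newctx, init, set_peer and dupctx, and together with the include they account for all 20 changed lines in the diffstat, so this file's derive path appears to remain callable while the provider is in the FIPS error state. Unless it is guarded somewhere not shown, the derive function in this file should start with `if (!ossl_prov_is_running())` / `return 0;` like dh_derive. ecdh_dupctx itself continues past the end of this hunk.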
diff --git a/providers/implementations/exchange/ecx_exch.c b/providers/implementations/exchange/ecx_exch.c
index 4840b8802f..2a7ea2b8e1 100644
--- a/providers/implementations/exchange/ecx_exch.c
+++ b/providers/implementations/exchange/ecx_exch.c
@@ -15,6 +15,7 @@
#include "internal/cryptlib.h"
#include "crypto/ecx.h"
#include "prov/implementations.h"
+#include "prov/providercommon.h"
#include "prov/providercommonerr.h"
#ifdef S390X_EC_ASM
# include "s390x_arch.h"
@@ -42,8 +43,12 @@ typedef struct {
static void *ecx_newctx(void *provctx, size_t keylen)
{
- PROV_ECX_CTX *ctx = OPENSSL_zalloc(sizeof(PROV_ECX_CTX));
+ PROV_ECX_CTX *ctx;
+ if (!ossl_prov_is_running())
+ return NULL;
+
+ ctx = OPENSSL_zalloc(sizeof(PROV_ECX_CTX));
if (ctx == NULL) {
ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
return NULL;
@@ -69,6 +74,9 @@ static int ecx_init(void *vecxctx, void *vkey)
PROV_ECX_CTX *ecxctx = (PROV_ECX_CTX *)vecxctx;
ECX_KEY *key = vkey;
+ if (!ossl_prov_is_running())
+ return 0;
+
if (ecxctx == NULL
|| key == NULL
|| key->keylen != ecxctx->keylen
@@ -88,6 +96,9 @@ static int ecx_set_peer(void *vecxctx, void *vkey)
PROV_ECX_CTX *ecxctx = (PROV_ECX_CTX *)vecxctx;
ECX_KEY *key = vkey;
+ if (!ossl_prov_is_running())
+ return 0;
+
if (ecxctx == NULL
|| key == NULL
|| key->keylen != ecxctx->keylen
@@ -106,6 +117,9 @@ static int ecx_derive(void *vecxctx, unsigned char *secret, size_t *secretlen,
{
PROV_ECX_CTX *ecxctx = (PROV_ECX_CTX *)vecxctx;
+ if (!ossl_prov_is_running())
+ return 0;
+
if (ecxctx->key == NULL
|| ecxctx->key->privkey == NULL
|| ecxctx->peerkey == NULL) {
@@ -179,6 +193,9 @@ static void *ecx_dupctx(void *vecxctx)
PROV_ECX_CTX *srcctx = (PROV_ECX_CTX *)vecxctx;
PROV_ECX_CTX *dstctx;
+ if (!ossl_prov_is_running())
+ return NULL;
+
dstctx = OPENSSL_zalloc(sizeof(*srcctx));
if (dstctx == NULL) {
ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
diff --git a/providers/implementations/exchange/kdf_exch.c b/providers/implementations/exchange/kdf_exch.c
index 80164e10c6..4d549e832d 100644
--- a/providers/implementations/exchange/kdf_exch.c
+++ b/providers/implementations/exchange/kdf_exch.c
@@ -15,6 +15,7 @@
#include "prov/implementations.h"
#include "prov/provider_ctx.h"
#include "prov/kdfexchange.h"
+#include "prov/providercommon.h"
static OSSL_FUNC_keyexch_newctx_fn kdf_tls1_prf_newctx;
static OSSL_FUNC_keyexch_newctx_fn kdf_hkdf_newctx;
@@ -36,9 +37,13 @@ typedef struct {
static void *kdf_newctx(const char *kdfname, void *provctx)
{
- PROV_KDF_CTX *kdfctx = OPENSSL_zalloc(sizeof(PROV_KDF_CTX));
+ PROV_KDF_CTX *kdfctx;
EVP_KDF *kdf = NULL;
+ if (!ossl_prov_is_running())
+ return NULL;
+
+ kdfctx = OPENSSL_zalloc(sizeof(PROV_KDF_CTX));
if (kdfctx == NULL)
return NULL;
@@ -73,7 +78,10 @@ static int kdf_init(void *vpkdfctx, void *vkdf)
{
PROV_KDF_CTX *pkdfctx = (PROV_KDF_CTX *)vpkdfctx;
- if (pkdfctx == NULL || vkdf == NULL || !kdf_data_up_ref(vkdf))
+ if (!ossl_prov_is_running()
+ || pkdfctx == NULL
+ || vkdf == NULL
+ || !kdf_data_up_ref(vkdf))
return 0;
pkdfctx->kdfdata = vkdf;
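Review bot: kdf_init overwrites `pkdfctx->kdfdata` without releasing a previously stored value in the visible lines, whereas dh_init and ecdh_init free the old key (`DH_free(pdhctx->dh)`, `EC_KEY_free(pecdhctx->k)`) before storing the new one. If init can be called twice on one context, the reference taken by the earlier `kdf_data_up_ref` is leaked. Releasing the old `kdfdata` with the counterpart of `kdf_data_up_ref` ahead of the assignment would bring it in line with the other exchanges; that function's name is not visible on this page. The rest of kdf_init lies outside the hunk.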
@@ -85,6 +93,8 @@ static int kdf_derive(void *vpkdfctx, unsigned char *secret, size_t *secretlen,
{
PROV_KDF_CTX *pkdfctx = (PROV_KDF_CTX *)vpkdfctx;
+ if (!ossl_prov_is_running())
+ return 0;
return EVP_KDF_derive(pkdfctx->kdfctx, secret, *secretlen);
}
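Review bot: The guard added to kdf_derive is the only standalone check in this commit that is not followed by a blank line, so `return 0;` sits directly above `return EVP_KDF_derive(...)` and reads like one statement group. Adding the empty line after `return 0;` matches the guards in the other newctx, derive and dupctx hunks.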
@@ -103,6 +113,9 @@ static void *kdf_dupctx(void *vpkdfctx)
PROV_KDF_CTX *srcctx = (PROV_KDF_CTX *)vpkdfctx;
PROV_KDF_CTX *dstctx;
+ if (!ossl_prov_is_running())
+ return NULL;
+
dstctx = OPENSSL_zalloc(sizeof(*srcctx));
if (dstctx == NULL)
return NULL;