diff options
| author | Pauli <paul.dale@oracle.com> | 2020-09-07 13:13:10 +1000 |
|---|---|---|
| committer | Pauli <paul.dale@oracle.com> | 2020-09-12 16:46:20 +1000 |
| commit | 2b9e4e956b37ee49b29a73c7782f525ac8c58cc5 (patch) | |
| tree | 31c29b78c8c07e474207bf72748385f3086f8191 /providers/implementations | |
| parent | 5b104a81f088ae0da6b0d2d2c746237694ab0a2c (diff) | |
kdf: add FIPS error state handling
Check for provider being disabled on new and derive.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12801)
Diffstat (limited to 'providers/implementations')
| -rw-r--r-- | providers/implementations/kdfs/hkdf.c | 10 | ||||
| -rw-r--r-- | providers/implementations/kdfs/kbkdf.c | 7 | ||||
| -rw-r--r-- | providers/implementations/kdfs/krb5kdf.c | 13 | ||||
| -rw-r--r-- | providers/implementations/kdfs/pbkdf2.c | 10 | ||||
| -rw-r--r-- | providers/implementations/kdfs/pkcs12kdf.c | 10 | ||||
| -rw-r--r-- | providers/implementations/kdfs/scrypt.c | 7 | ||||
| -rw-r--r-- | providers/implementations/kdfs/sshkdf.c | 12 | ||||
| -rw-r--r-- | providers/implementations/kdfs/sskdf.c | 15 | ||||
| -rw-r--r-- | providers/implementations/kdfs/tls1_prf.c | 7 | ||||
| -rw-r--r-- | providers/implementations/kdfs/x942kdf.c | 10 |
10 files changed, 91 insertions, 10 deletions
diff --git a/providers/implementations/kdfs/hkdf.c b/providers/implementations/kdfs/hkdf.c index 32c0fdabef..987f1b28bf 100644 --- a/providers/implementations/kdfs/hkdf.c +++ b/providers/implementations/kdfs/hkdf.c @@ -24,6 +24,7 @@ #include "internal/numbers.h" #include "crypto/evp.h" #include "prov/provider_ctx.h" +#include "prov/providercommon.h" #include "prov/providercommonerr.h" #include "prov/implementations.h" #include "prov/provider_util.h" @@ -70,6 +71,9 @@ static void *kdf_hkdf_new(void *provctx) { KDF_HKDF *ctx; + if (!ossl_prov_is_running()) + return NULL; + if ((ctx = OPENSSL_zalloc(sizeof(*ctx))) == NULL) ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); else @@ -122,8 +126,12 @@ static size_t kdf_hkdf_size(KDF_HKDF *ctx) static int kdf_hkdf_derive(void *vctx, unsigned char *key, size_t keylen) { KDF_HKDF *ctx = (KDF_HKDF *)vctx; - const EVP_MD *md = ossl_prov_digest_md(&ctx->digest); + const EVP_MD *md; + + if (!ossl_prov_is_running()) + return 0; + md = ossl_prov_digest_md(&ctx->digest); if (md == NULL) { ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST); return 0; diff --git a/providers/implementations/kdfs/kbkdf.c b/providers/implementations/kdfs/kbkdf.c index f3122ac1bd..c8b5cdf8c6 100644 --- a/providers/implementations/kdfs/kbkdf.c +++ b/providers/implementations/kdfs/kbkdf.c @@ -41,6 +41,7 @@ #include "prov/implementations.h" #include "prov/provider_ctx.h" #include "prov/provider_util.h" +#include "prov/providercommon.h" #include "prov/providercommonerr.h" #include "e_os.h" @@ -99,6 +100,9 @@ static void *kbkdf_new(void *provctx) { KBKDF *ctx; + if (!ossl_prov_is_running()) + return NULL; + ctx = OPENSSL_zalloc(sizeof(*ctx)); if (ctx == NULL) { ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); @@ -192,6 +196,9 @@ static int kbkdf_derive(void *vctx, unsigned char *key, size_t keylen) uint32_t l = be32(keylen * 8); size_t h = 0; + if (!ossl_prov_is_running()) + return 0; + /* label, context, and iv are permitted to be empty. Check everything * else. */ if (ctx->ctx_init == NULL) { diff --git a/providers/implementations/kdfs/krb5kdf.c b/providers/implementations/kdfs/krb5kdf.c index 9a4cf57bc2..0492b09ccc 100644 --- a/providers/implementations/kdfs/krb5kdf.c +++ b/providers/implementations/kdfs/krb5kdf.c @@ -28,6 +28,7 @@ #include "prov/implementations.h" #include "prov/provider_ctx.h" #include "prov/provider_util.h" +#include "prov/providercommon.h" #include "prov/providercommonerr.h" /* KRB5 KDF defined in RFC 3961, Section 5.1 */ @@ -59,6 +60,9 @@ static void *krb5kdf_new(void *provctx) { KRB5KDF_CTX *ctx; + if (!ossl_prov_is_running()) + return NULL; + if ((ctx = OPENSSL_zalloc(sizeof(*ctx))) == NULL) ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); ctx->provctx = provctx; @@ -99,9 +103,13 @@ static int krb5kdf_derive(void *vctx, unsigned char *key, size_t keylen) { KRB5KDF_CTX *ctx = (KRB5KDF_CTX *)vctx; - const EVP_CIPHER *cipher = ossl_prov_cipher_cipher(&ctx->cipher); - ENGINE *engine = ossl_prov_cipher_engine(&ctx->cipher); + const EVP_CIPHER *cipher; + ENGINE *engine; + if (!ossl_prov_is_running()) + return 0; + + cipher = ossl_prov_cipher_cipher(&ctx->cipher); if (cipher == NULL) { ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CIPHER); return 0; @@ -114,6 +122,7 @@ static int krb5kdf_derive(void *vctx, unsigned char *key, ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CONSTANT); return 0; } + engine = ossl_prov_cipher_engine(&ctx->cipher); return KRB5KDF(cipher, engine, ctx->key, ctx->key_len, ctx->constant, ctx->constant_len, key, keylen); diff --git a/providers/implementations/kdfs/pbkdf2.c b/providers/implementations/kdfs/pbkdf2.c index a71758169a..46c10fa698 100644 --- a/providers/implementations/kdfs/pbkdf2.c +++ b/providers/implementations/kdfs/pbkdf2.c @@ -24,6 +24,7 @@ #include "internal/numbers.h" #include "crypto/evp.h" #include "prov/provider_ctx.h" +#include "prov/providercommon.h" #include "prov/providercommonerr.h" #include "prov/implementations.h" #include "prov/provider_util.h" @@ -66,6 +67,9 @@ static void *kdf_pbkdf2_new(void *provctx) { KDF_PBKDF2 *ctx; + if (!ossl_prov_is_running()) + return NULL; + ctx = OPENSSL_zalloc(sizeof(*ctx)); if (ctx == NULL) { ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); @@ -139,7 +143,10 @@ static int kdf_pbkdf2_derive(void *vctx, unsigned char *key, size_t keylen) { KDF_PBKDF2 *ctx = (KDF_PBKDF2 *)vctx; - const EVP_MD *md = ossl_prov_digest_md(&ctx->digest); + const EVP_MD *md; + + if (!ossl_prov_is_running()) + return 0; if (ctx->pass == NULL) { ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_PASS); @@ -151,6 +158,7 @@ static int kdf_pbkdf2_derive(void *vctx, unsigned char *key, return 0; } + md = ossl_prov_digest_md(&ctx->digest); return pbkdf2_derive((char *)ctx->pass, ctx->pass_len, ctx->salt, ctx->salt_len, ctx->iter, md, key, keylen, ctx->lower_bound_checks); diff --git a/providers/implementations/kdfs/pkcs12kdf.c b/providers/implementations/kdfs/pkcs12kdf.c index 2cebc2d240..52b8305261 100644 --- a/providers/implementations/kdfs/pkcs12kdf.c +++ b/providers/implementations/kdfs/pkcs12kdf.c @@ -18,6 +18,7 @@ #include "internal/numbers.h" #include "crypto/evp.h" #include "prov/provider_ctx.h" +#include "prov/providercommon.h" #include "prov/providercommonerr.h" #include "prov/implementations.h" #include "prov/provider_util.h" @@ -138,6 +139,9 @@ static void *kdf_pkcs12_new(void *provctx) { KDF_PKCS12 *ctx; + if (!ossl_prov_is_running()) + return NULL; + ctx = OPENSSL_zalloc(sizeof(*ctx)); if (ctx == NULL) { ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); @@ -195,7 +199,10 @@ static int kdf_pkcs12_derive(void *vctx, unsigned char *key, size_t keylen) { KDF_PKCS12 *ctx = (KDF_PKCS12 *)vctx; - const EVP_MD *md = ossl_prov_digest_md(&ctx->digest); + const EVP_MD *md; + + if (!ossl_prov_is_running()) + return 0; if (ctx->pass == NULL) { ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_PASS); @@ -207,6 +214,7 @@ static int kdf_pkcs12_derive(void *vctx, unsigned char *key, return 0; } + md = ossl_prov_digest_md(&ctx->digest); return pkcs12kdf_derive(ctx->pass, ctx->pass_len, ctx->salt, ctx->salt_len, ctx->id, ctx->iter, md, key, keylen); } diff --git a/providers/implementations/kdfs/scrypt.c b/providers/implementations/kdfs/scrypt.c index 76b0a58e1f..f412f1f8db 100644 --- a/providers/implementations/kdfs/scrypt.c +++ b/providers/implementations/kdfs/scrypt.c @@ -18,6 +18,7 @@ #include "internal/numbers.h" #include "prov/implementations.h" #include "prov/provider_ctx.h" +#include "prov/providercommon.h" #include "prov/providercommonerr.h" #include "prov/implementations.h" @@ -56,6 +57,9 @@ static void *kdf_scrypt_new(void *provctx) { KDF_SCRYPT *ctx; + if (!ossl_prov_is_running()) + return NULL; + ctx = OPENSSL_zalloc(sizeof(*ctx)); if (ctx == NULL) { ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); @@ -127,6 +131,9 @@ static int kdf_scrypt_derive(void *vctx, unsigned char *key, { KDF_SCRYPT *ctx = (KDF_SCRYPT *)vctx; + if (!ossl_prov_is_running()) + return 0; + if (ctx->pass == NULL) { ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_PASS); return 0; diff --git a/providers/implementations/kdfs/sshkdf.c b/providers/implementations/kdfs/sshkdf.c index 84338e1a1f..aa3b6030b9 100644 --- a/providers/implementations/kdfs/sshkdf.c +++ b/providers/implementations/kdfs/sshkdf.c @@ -17,9 +17,10 @@ #include "internal/numbers.h" #include "crypto/evp.h" #include "prov/provider_ctx.h" +#include "prov/providercommon.h" #include "prov/providercommonerr.h" #include "prov/implementations.h" -# include "prov/provider_util.h" +#include "prov/provider_util.h" /* See RFC 4253, Section 7.2 */ static OSSL_FUNC_kdf_newctx_fn kdf_sshkdf_new; @@ -53,6 +54,9 @@ static void *kdf_sshkdf_new(void *provctx) { KDF_SSHKDF *ctx; + if (!ossl_prov_is_running()) + return NULL; + if ((ctx = OPENSSL_zalloc(sizeof(*ctx))) == NULL) ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); ctx->provctx = provctx; @@ -94,8 +98,12 @@ static int kdf_sshkdf_derive(void *vctx, unsigned char *key, size_t keylen) { KDF_SSHKDF *ctx = (KDF_SSHKDF *)vctx; - const EVP_MD *md = ossl_prov_digest_md(&ctx->digest); + const EVP_MD *md; + + if (!ossl_prov_is_running()) + return 0; + md = ossl_prov_digest_md(&ctx->digest); if (md == NULL) { ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST); return 0; diff --git a/providers/implementations/kdfs/sskdf.c b/providers/implementations/kdfs/sskdf.c index bad372cc5e..22c65d26ba 100644 --- a/providers/implementations/kdfs/sskdf.c +++ b/providers/implementations/kdfs/sskdf.c @@ -46,6 +46,7 @@ #include "internal/numbers.h" #include "crypto/evp.h" #include "prov/provider_ctx.h" +#include "prov/providercommon.h" #include "prov/providercommonerr.h" #include "prov/implementations.h" #include "prov/provider_util.h" @@ -293,6 +294,9 @@ static void *sskdf_new(void *provctx) { KDF_SSKDF *ctx; + if (!ossl_prov_is_running()) + return NULL; + if ((ctx = OPENSSL_zalloc(sizeof(*ctx))) == NULL) ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); ctx->provctx = provctx; @@ -349,12 +353,15 @@ static size_t sskdf_size(KDF_SSKDF *ctx) static int sskdf_derive(void *vctx, unsigned char *key, size_t keylen) { KDF_SSKDF *ctx = (KDF_SSKDF *)vctx; - const EVP_MD *md = ossl_prov_digest_md(&ctx->digest); + const EVP_MD *md; + if (!ossl_prov_is_running()) + return 0; if (ctx->secret == NULL) { ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_SECRET); return 0; } + md = ossl_prov_digest_md(&ctx->digest); if (ctx->macctx != NULL) { /* H(x) = KMAC or H(x) = HMAC */ @@ -420,7 +427,10 @@ static int sskdf_derive(void *vctx, unsigned char *key, size_t keylen) static int x963kdf_derive(void *vctx, unsigned char *key, size_t keylen) { KDF_SSKDF *ctx = (KDF_SSKDF *)vctx; - const EVP_MD *md = ossl_prov_digest_md(&ctx->digest); + const EVP_MD *md; + + if (!ossl_prov_is_running()) + return 0; if (ctx->secret == NULL) { ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_SECRET); @@ -433,6 +443,7 @@ static int x963kdf_derive(void *vctx, unsigned char *key, size_t keylen) } /* H(x) = hash */ + md = ossl_prov_digest_md(&ctx->digest); if (md == NULL) { ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST); return 0; diff --git a/providers/implementations/kdfs/tls1_prf.c b/providers/implementations/kdfs/tls1_prf.c index 191041db5b..ca6c605351 100644 --- a/providers/implementations/kdfs/tls1_prf.c +++ b/providers/implementations/kdfs/tls1_prf.c @@ -56,6 +56,7 @@ #include "internal/numbers.h" #include "crypto/evp.h" #include "prov/provider_ctx.h" +#include "prov/providercommon.h" #include "prov/providercommonerr.h" #include "prov/implementations.h" #include "prov/provider_util.h" @@ -98,6 +99,9 @@ static void *kdf_tls1_prf_new(void *provctx) { TLS1_PRF *ctx; + if (!ossl_prov_is_running()) + return NULL; + if ((ctx = OPENSSL_zalloc(sizeof(*ctx))) == NULL) ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); ctx->provctx = provctx; @@ -132,6 +136,9 @@ static int kdf_tls1_prf_derive(void *vctx, unsigned char *key, { TLS1_PRF *ctx = (TLS1_PRF *)vctx; + if (!ossl_prov_is_running()) + return 0; + if (ctx->P_hash == NULL) { ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST); return 0; diff --git a/providers/implementations/kdfs/x942kdf.c b/providers/implementations/kdfs/x942kdf.c index d1a1ee443c..9dfa8693de 100644 --- a/providers/implementations/kdfs/x942kdf.c +++ b/providers/implementations/kdfs/x942kdf.c @@ -17,6 +17,7 @@ #include "internal/packet.h" #include "internal/der.h" #include "prov/provider_ctx.h" +#include "prov/providercommon.h" #include "prov/providercommonerr.h" #include "prov/implementations.h" #include "prov/provider_util.h" @@ -276,6 +277,9 @@ static void *x942kdf_new(void *provctx) { KDF_X942 *ctx; + if (!ossl_prov_is_running()) + return 0; + if ((ctx = OPENSSL_zalloc(sizeof(*ctx))) == NULL) ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); ctx->provctx = provctx; @@ -331,16 +335,20 @@ static size_t x942kdf_size(KDF_X942 *ctx) static int x942kdf_derive(void *vctx, unsigned char *key, size_t keylen) { KDF_X942 *ctx = (KDF_X942 *)vctx; - const EVP_MD *md = ossl_prov_digest_md(&ctx->digest); + const EVP_MD *md; int ret = 0; unsigned char *ctr; unsigned char *der = NULL; size_t der_len = 0; + if (!ossl_prov_is_running()) + return 0; + if (ctx->secret == NULL) { ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_SECRET); return 0; } + md = ossl_prov_digest_md(&ctx->digest); if (md == NULL) { ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST); return 0; |