diff options
| author | Matt Caswell <matt@openssl.org> | 2021-04-09 17:26:34 +0100 |
|---|---|---|
| committer | Matt Caswell <matt@openssl.org> | 2021-04-16 14:27:28 +0100 |
| commit | 6ce58488bdce66584a7075e19821add29445d746 (patch) | |
| tree | a5b5bde99d963808dabc07b430a48a140036d6e1 /providers/implementations | |
| parent | 81cc5ce1a0f996f88051f031bda1079961ee4a5c (diff) | |
Store some FIPS global variables in the FIPS_GLOBAL structure
We had some FIPS global variables that were based on values from the
config file. In theory if two instances of the fips module are loaded
they could be based on different config files which would cause this to
fail. Instead we store them in the FIPS_GLOBAL structure.
Fixes #14364
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14814)
Diffstat (limited to 'providers/implementations')
| -rw-r--r-- | providers/implementations/asymciphers/rsa_enc.c | 2 | ||||
| -rw-r--r-- | providers/implementations/exchange/dh_exch.c | 5 | ||||
| -rw-r--r-- | providers/implementations/exchange/ecdh_exch.c | 6 | ||||
| -rw-r--r-- | providers/implementations/kem/rsa_kem.c | 2 | ||||
| -rw-r--r-- | providers/implementations/signature/dsa.c | 6 | ||||
| -rw-r--r-- | providers/implementations/signature/ecdsa.c | 5 | ||||
| -rw-r--r-- | providers/implementations/signature/rsa.c | 7 |
7 files changed, 19 insertions, 14 deletions
diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c index ab84d53512..354c234939 100644 --- a/providers/implementations/asymciphers/rsa_enc.c +++ b/providers/implementations/asymciphers/rsa_enc.c @@ -99,7 +99,7 @@ static int rsa_init(void *vprsactx, void *vrsa, const OSSL_PARAM params[], if (!ossl_prov_is_running() || prsactx == NULL || vrsa == NULL) return 0; - if (!ossl_rsa_check_key(vrsa, operation)) + if (!ossl_rsa_check_key(prsactx->libctx, vrsa, operation)) return 0; if (!RSA_up_ref(vrsa)) diff --git a/providers/implementations/exchange/dh_exch.c b/providers/implementations/exchange/dh_exch.c index 0ecc6c7a4c..67a73d36ef 100644 --- a/providers/implementations/exchange/dh_exch.c +++ b/providers/implementations/exchange/dh_exch.c @@ -105,7 +105,8 @@ static int dh_init(void *vpdhctx, void *vdh, const OSSL_PARAM params[]) DH_free(pdhctx->dh); pdhctx->dh = vdh; pdhctx->kdf_type = PROV_DH_KDF_NONE; - return dh_set_ctx_params(pdhctx, params) && ossl_dh_check_key(vdh); + return dh_set_ctx_params(pdhctx, params) + && ossl_dh_check_key(pdhctx->libctx, vdh); } /* The 2 parties must share the same domain parameters */ @@ -345,7 +346,7 @@ static int dh_set_ctx_params(void *vpdhctx, const OSSL_PARAM params[]) EVP_MD_free(pdhctx->kdf_md); pdhctx->kdf_md = EVP_MD_fetch(pdhctx->libctx, name, mdprops); - if (!ossl_digest_is_allowed(pdhctx->kdf_md)) { + if (!ossl_digest_is_allowed(pdhctx->libctx, pdhctx->kdf_md)) { EVP_MD_free(pdhctx->kdf_md); pdhctx->kdf_md = NULL; } diff --git a/providers/implementations/exchange/ecdh_exch.c b/providers/implementations/exchange/ecdh_exch.c index ba2b493a76..7748340248 100644 --- a/providers/implementations/exchange/ecdh_exch.c +++ b/providers/implementations/exchange/ecdh_exch.c @@ -113,7 +113,7 @@ int ecdh_init(void *vpecdhctx, void *vecdh, const OSSL_PARAM params[]) pecdhctx->cofactor_mode = -1; pecdhctx->kdf_type = PROV_ECDH_KDF_NONE; return ecdh_set_ctx_params(pecdhctx, params) - && ossl_ec_check_key(vecdh, 1); + && ossl_ec_check_key(pecdhctx->libctx, vecdh, 1); } static @@ -147,7 +147,7 @@ int ecdh_set_peer(void *vpecdhctx, void *vecdh) || pecdhctx == NULL || vecdh == NULL || !ecdh_match_params(pecdhctx->k, vecdh) - || !ossl_ec_check_key(vecdh, 1) + || !ossl_ec_check_key(pecdhctx->libctx, vecdh, 1) || !EC_KEY_up_ref(vecdh)) return 0; @@ -283,7 +283,7 @@ int ecdh_set_ctx_params(void *vpecdhctx, const OSSL_PARAM params[]) EVP_MD_free(pectx->kdf_md); pectx->kdf_md = EVP_MD_fetch(pectx->libctx, name, mdprops); - if (!ossl_digest_is_allowed(pectx->kdf_md)) { + if (!ossl_digest_is_allowed(pectx->libctx, pectx->kdf_md)) { EVP_MD_free(pectx->kdf_md); pectx->kdf_md = NULL; } diff --git a/providers/implementations/kem/rsa_kem.c b/providers/implementations/kem/rsa_kem.c index 3809bfb8b1..9aa0a7aaee 100644 --- a/providers/implementations/kem/rsa_kem.c +++ b/providers/implementations/kem/rsa_kem.c @@ -125,7 +125,7 @@ static int rsakem_init(void *vprsactx, void *vrsa, if (prsactx == NULL || vrsa == NULL) return 0; - if (!ossl_rsa_check_key(vrsa, operation)) + if (!ossl_rsa_check_key(prsactx->libctx, vrsa, operation)) return 0; if (!RSA_up_ref(vrsa)) diff --git a/providers/implementations/signature/dsa.c b/providers/implementations/signature/dsa.c index 88a8102cff..dde689903d 100644 --- a/providers/implementations/signature/dsa.c +++ b/providers/implementations/signature/dsa.c @@ -127,7 +127,8 @@ static int dsa_setup_md(PROV_DSA_CTX *ctx, int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN); WPACKET pkt; EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops); - int md_nid = ossl_digest_get_approved_nid_with_sha1(md, sha1_allowed); + int md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md, + sha1_allowed); size_t mdname_len = strlen(mdname); if (md == NULL || md_nid == NID_undef) { @@ -188,7 +189,8 @@ static int dsa_signverify_init(void *vpdsactx, void *vdsa, if (!dsa_set_ctx_params(pdsactx, params)) return 0; - if (!ossl_dsa_check_key(vdsa, operation == EVP_PKEY_OP_SIGN)) { + if (!ossl_dsa_check_key(pdsactx->libctx, vdsa, + operation == EVP_PKEY_OP_SIGN)) { ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); return 0; } diff --git a/providers/implementations/signature/ecdsa.c b/providers/implementations/signature/ecdsa.c index 4f90032af3..8c4648106f 100644 --- a/providers/implementations/signature/ecdsa.c +++ b/providers/implementations/signature/ecdsa.c @@ -140,7 +140,7 @@ static int ecdsa_signverify_init(void *vctx, void *ec, ctx->operation = operation; if (!ecdsa_set_ctx_params(ctx, params)) return 0; - return ossl_ec_check_key(ec, operation == EVP_PKEY_OP_SIGN); + return ossl_ec_check_key(ctx->libctx, ec, operation == EVP_PKEY_OP_SIGN); } static int ecdsa_sign_init(void *vctx, void *ec, const OSSL_PARAM params[]) @@ -225,7 +225,8 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx, const char *mdname, return 0; } sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN); - md_nid = ossl_digest_get_approved_nid_with_sha1(md, sha1_allowed); + md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md, + sha1_allowed); if (md_nid == NID_undef) { ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED, "digest=%s", mdname); diff --git a/providers/implementations/signature/rsa.c b/providers/implementations/signature/rsa.c index 96366a9a6b..16025bffc0 100644 --- a/providers/implementations/signature/rsa.c +++ b/providers/implementations/signature/rsa.c @@ -284,7 +284,8 @@ static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname, if (mdname != NULL) { EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops); int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN); - int md_nid = ossl_digest_rsa_sign_get_md_nid(md, sha1_allowed); + int md_nid = ossl_digest_rsa_sign_get_md_nid(ctx->libctx, md, + sha1_allowed); size_t mdname_len = strlen(mdname); if (md == NULL @@ -343,7 +344,7 @@ static int rsa_setup_mgf1_md(PROV_RSA_CTX *ctx, const char *mdname, return 0; } /* The default for mgf1 is SHA1 - so allow SHA1 */ - if ((mdnid = ossl_digest_rsa_sign_get_md_nid(md, 1)) == NID_undef + if ((mdnid = ossl_digest_rsa_sign_get_md_nid(ctx->libctx, md, 1)) == NID_undef || !rsa_check_padding(ctx, NULL, mdname, mdnid)) { if (mdnid == NID_undef) ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED, @@ -377,7 +378,7 @@ static int rsa_signverify_init(void *vprsactx, void *vrsa, if (prsactx == NULL || vrsa == NULL) return 0; - if (!ossl_rsa_check_key(vrsa, operation)) + if (!ossl_rsa_check_key(prsactx->libctx, vrsa, operation)) return 0; if (!RSA_up_ref(vrsa)) |