author | Tomas Mraz <tomas@openssl.org> | 2021-11-04 15:38:51 +0100 |
---|---|---|
committer | Tomas Mraz <tomas@openssl.org> | 2021-11-12 16:41:54 +0100 |
commit | 433c6cab4b4bc187f8120dc2ca0505f81d7b56e6 (patch) | |
tree | cedf7c91e246a34e19d3ef6f69156de29568d40a /providers | |
parent | 2e11cb796e1b46159615625c1df34800a1ebae94 (diff) |
providers: Allow possible reinitialization in all signature algorithms
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16964)
(cherry picked from commit 3ffd23e9529d725903bc97fd45489a77b831876f)
Diffstat (limited to 'providers')
-rw-r--r-- | providers/implementations/signature/dsa_sig.c | 40 | ||||
-rw-r--r-- | providers/implementations/signature/ecdsa_sig.c | 36 | ||||
-rw-r--r-- | providers/implementations/signature/eddsa_sig.c | 9 | ||||
-rw-r--r-- | providers/implementations/signature/mac_legacy_sig.c | 9 | ||||
-rw-r--r-- | providers/implementations/signature/rsa_sig.c | 31 | ||||
-rw-r--r-- | providers/implementations/signature/sm2_sig.c | 33 |
6 files changed, 108 insertions, 50 deletions
diff --git a/providers/implementations/signature/dsa_sig.c b/providers/implementations/signature/dsa_sig.c
index 2acab0b481..28fd7c498e 100644
--- a/providers/implementations/signature/dsa_sig.c
+++ b/providers/implementations/signature/dsa_sig.c
@@ -189,22 +189,31 @@ static int dsa_signverify_init(void *vpdsactx, void *vdsa,
 PROV_DSA_CTX *pdsactx = (PROV_DSA_CTX *)vpdsactx;
 if (!ossl_prov_is_running()
- || pdsactx == NULL
- || vdsa == NULL
- || !DSA_up_ref(vdsa))
+ || pdsactx == NULL)
 return 0;
- DSA_free(pdsactx->dsa);
- pdsactx->dsa = vdsa;
+
+ if (vdsa == NULL && pdsactx->dsa == NULL) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_NO_KEY_SET);
+ return 0;
+ }
+
+ if (vdsa != NULL) {
+ if (!ossl_dsa_check_key(pdsactx->libctx, vdsa,
+ operation == EVP_PKEY_OP_SIGN)) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
+ return 0;
+ }
+ if (!DSA_up_ref(vdsa))
+ return 0;
+ DSA_free(pdsactx->dsa);
+ pdsactx->dsa = vdsa;
+ }
+
 pdsactx->operation = operation;
 if (!dsa_set_ctx_params(pdsactx, params))
 return 0;
- if (!ossl_dsa_check_key(pdsactx->libctx, vdsa,
- operation == EVP_PKEY_OP_SIGN)) {
- ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
- return 0;
- }
 return 1;
 }
@@ -278,9 +287,12 @@ static int dsa_digest_signverify_init(void *vpdsactx, const char *mdname,
 return 0;
 pdsactx->flag_allow_md = 0;
- pdsactx->mdctx = EVP_MD_CTX_new();
- if (pdsactx->mdctx == NULL)
- goto error;
+
+ if (pdsactx->mdctx == NULL) {
+ pdsactx->mdctx = EVP_MD_CTX_new();
+ if (pdsactx->mdctx == NULL)
+ goto error;
+ }
 if (!EVP_DigestInit_ex2(pdsactx->mdctx, pdsactx->md, params))
 goto error;
@@ -289,9 +301,7 @@ static int dsa_digest_signverify_init(void *vpdsactx, const char *mdname,
 error:
 EVP_MD_CTX_free(pdsactx->mdctx);
- EVP_MD_free(pdsactx->md);
 pdsactx->mdctx = NULL;
- pdsactx->md = NULL;
 return 0;
 }
diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c
index 64be0657c3..865d49d100
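Review bot: When `vdsa == NULL` on reinit, `dsa_signverify_init` overwrites `pdsactx->operation` but never re-runs `ossl_dsa_check_key()` on the retained `pdsactx->dsa`, so a key that was only checked with the sign flag clear can end up in a context marked for signing. If a caller can reinitialize with a different operation, add an `else if (operation != pdsactx->operation)` branch that runs the same check on `pdsactx->dsa`; if the EVP layer is relied on to prevent that, a comment saying so belongs here. The same pattern appears in `ecdsa_signverify_init` and `rsa_signverify_init` in this commit. The function's signature and opening brace lie outside the hunk.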
--- a/providers/implementations/signature/ecdsa_sig.c
+++ b/providers/implementations/signature/ecdsa_sig.c
@@ -131,16 +131,29 @@ static int ecdsa_signverify_init(void *vctx, void *ec,
 PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
 if (!ossl_prov_is_running()
- || ctx == NULL
- || ec == NULL
- || !EC_KEY_up_ref(ec))
+ || ctx == NULL)
 return 0;
- EC_KEY_free(ctx->ec);
- ctx->ec = ec;
+
+ if (ec == NULL && ctx->ec == NULL) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_NO_KEY_SET);
+ return 0;
+ }
+
+ if (ec != NULL) {
+ if (!ossl_ec_check_key(ctx->libctx, ec, operation == EVP_PKEY_OP_SIGN))
+ return 0;
+ if (!EC_KEY_up_ref(ec))
+ return 0;
+ EC_KEY_free(ctx->ec);
+ ctx->ec = ec;
+ }
+
 ctx->operation = operation;
+
 if (!ecdsa_set_ctx_params(ctx, params))
 return 0;
- return ossl_ec_check_key(ctx->libctx, ec, operation == EVP_PKEY_OP_SIGN);
+
+ return 1;
 }
 static int ecdsa_sign_init(void *vctx, void *ec, const OSSL_PARAM params[])
@@ -279,18 +292,19 @@ static int ecdsa_digest_signverify_init(void *vctx, const char *mdname,
 return 0;
 ctx->flag_allow_md = 0;
- ctx->mdctx = EVP_MD_CTX_new();
- if (ctx->mdctx == NULL)
- goto error;
+
+ if (ctx->mdctx == NULL) {
+ ctx->mdctx = EVP_MD_CTX_new();
+ if (ctx->mdctx == NULL)
+ goto error;
+ }
 if (!EVP_DigestInit_ex2(ctx->mdctx, ctx->md, params))
 goto error;
 return 1;
 error:
 EVP_MD_CTX_free(ctx->mdctx);
- EVP_MD_free(ctx->md);
 ctx->mdctx = NULL;
- ctx->md = NULL;
 return 0;
 }
diff --git a/providers/implementations/signature/eddsa_sig.c b/providers/implementations/signature/eddsa_sig.c
index 148c143cc0..eb1a769128 100644
--- a/providers/implementations/signature/eddsa_sig.c
+++ b/providers/implementations/signature/eddsa_sig.c
@@ -100,6 +100,14 @@ static int eddsa_digest_signverify_init(void *vpeddsactx, const char *mdname,
 return 0;
 }
+ if (edkey == NULL) {
+ if (peddsactx->key != NULL)
+ /* there is nothing to do on reinit */
+ return 1;
+ ERR_raise(ERR_LIB_PROV, PROV_R_NO_KEY_SET);
+ return 0;
+ }
+
 if (!ossl_ecx_key_up_ref(edkey)) {
 ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);
 return 0;
@@ -124,6 +132,7 @@ static int eddsa_digest_signverify_init(void *vpeddsactx, const char *mdname,
 default:
 /* Should never happen */
 ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);
+ ossl_ecx_key_free(edkey);
 return 0;
 }
 if (ret && WPACKET_finish(&pkt)) {
diff --git a/providers/implementations/signature/mac_legacy_sig.c b/providers/implementations/signature/mac_legacy_sig.c
index 0866e68d9b..6be605c8c6 100644
--- a/providers/implementations/signature/mac_legacy_sig.c
+++ b/providers/implementations/signature/mac_legacy_sig.c
@@ -16,6 +16,7 @@
 #include <openssl/core_names.h>
 #include <openssl/params.h>
 #include <openssl/err.h>
+#include <openssl/proverr.h>
 #ifndef FIPS_MODULE
 # include <openssl/engine.h>
 #endif
@@ -101,10 +102,14 @@ static int mac_digest_sign_init(void *vpmacctx, const char *mdname, void *vkey,
 const char *ciphername = NULL, *engine = NULL;
 if (!ossl_prov_is_running()
- || pmacctx == NULL
- || (pmacctx->key == NULL && vkey == NULL))
+ || pmacctx == NULL)
 return 0;
+ if (pmacctx->key == NULL && vkey == NULL) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_NO_KEY_SET);
+ return 0;
+ }
+
 if (vkey != NULL) {
 if (!ossl_mac_key_up_ref(vkey))
 return 0;
diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
index 298d789b74..7dcdf952a3 100644
--- a/providers/implementations/signature/rsa_sig.c
+++ b/providers/implementations/signature/rsa_sig.c
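Review bot: The first `eddsa_digest_signverify_init` hunk takes a new reference with `ossl_ecx_key_up_ref(edkey)` but does not show the previously held `peddsactx->key` being released when a fresh key is supplied on reinit. The DSA, ECDSA, RSA and SM2 paths in this commit free the old key right before storing the new one. The assignment to `peddsactx->key` is outside the hunk, so this is a question rather than a finding: confirm that `ossl_ecx_key_free(peddsactx->key);` precedes it, otherwise each reinit with a key would appear to leak a reference.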
@@ -386,19 +386,24 @@ static int rsa_signverify_init(void *vprsactx, void *vrsa,
 {
 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
- if (!ossl_prov_is_running())
+ if (!ossl_prov_is_running() || prsactx == NULL)
 return 0;
- if (prsactx == NULL || vrsa == NULL)
+ if (vrsa == NULL && prsactx->rsa == NULL) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_NO_KEY_SET);
 return 0;
+ }
- if (!ossl_rsa_check_key(prsactx->libctx, vrsa, operation))
- return 0;
+ if (vrsa != NULL) {
+ if (!ossl_rsa_check_key(prsactx->libctx, vrsa, operation))
+ return 0;
+
+ if (!RSA_up_ref(vrsa))
+ return 0;
+ RSA_free(prsactx->rsa);
+ prsactx->rsa = vrsa;
+ }
- if (!RSA_up_ref(vrsa))
- return 0;
- RSA_free(prsactx->rsa);
- prsactx->rsa = vrsa;
 prsactx->operation = operation;
 if (!rsa_set_ctx_params(prsactx, params))
@@ -842,6 +847,7 @@ static int rsa_digest_signverify_init(void *vprsactx, const char *mdname,
 if (!rsa_signverify_init(vprsactx, vrsa, params, operation))
 return 0;
+
 if (mdname != NULL
 /* was rsa_setup_md already called in rsa_signverify_init()? */
 && (mdname[0] == '\0' || strcasecmp(prsactx->mdname, mdname) != 0)
@@ -849,10 +855,11 @@ static int rsa_digest_signverify_init(void *vprsactx, const char *mdname,
 return 0;
 prsactx->flag_allow_md = 0;
- prsactx->mdctx = EVP_MD_CTX_new();
+
 if (prsactx->mdctx == NULL) {
- ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
- goto error;
+ prsactx->mdctx = EVP_MD_CTX_new();
+ if (prsactx->mdctx == NULL)
+ goto error;
 }
 if (!EVP_DigestInit_ex2(prsactx->mdctx, prsactx->md, params))
@@ -862,9 +869,7 @@ static int rsa_digest_signverify_init(void *vprsactx, const char *mdname,
 error:
 EVP_MD_CTX_free(prsactx->mdctx);
- EVP_MD_free(prsactx->md);
 prsactx->mdctx = NULL;
- prsactx->md = NULL;
 return 0;
 }
diff --git a/providers/implementations/signature/sm2_sig.c b/providers/implementations/signature/sm2_sig.c
index 10a9496904..3c700ac887 100644
--- a/providers/implementations/signature/sm2_sig.c
+++ b/providers/implementations/signature/sm2_sig.c
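Review bot: In the `@@ -849` hunk of `rsa_digest_signverify_init`, the allocation-failure branch no longer calls `ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE)` before `goto error`. A failed `EVP_MD_CTX_new()` therefore returns 0 without this function putting anything on the error queue. Unless `EVP_MD_CTX_new()` is known to raise on its own, keep `ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);` inside the inner `if (prsactx->mdctx == NULL)` and brace that branch. The function body extends beyond the hunk on both sides.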
@@ -27,6 +27,7 @@
 #include "internal/cryptlib.h"
 #include "internal/sm3.h"
 #include "prov/implementations.h"
+#include "prov/providercommon.h"
 #include "prov/provider_ctx.h"
 #include "crypto/ec.h"
 #include "crypto/sm2.h"
@@ -97,6 +98,9 @@ static int sm2sig_set_mdname(PROV_SM2_CTX *psm2ctx, const char *mdname)
 if (psm2ctx->md == NULL)
 return 0;
+ if (mdname == NULL)
+ return 1;
+
 if (strlen(mdname) >= sizeof(psm2ctx->mdname)
 || !EVP_MD_is_a(psm2ctx->md, mdname)) {
 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, "digest=%s",
@@ -131,10 +135,22 @@ static int sm2sig_signature_init(void *vpsm2ctx, void *ec,
 {
 PROV_SM2_CTX *psm2ctx = (PROV_SM2_CTX *)vpsm2ctx;
- if (psm2ctx == NULL || ec == NULL || !EC_KEY_up_ref(ec))
+ if (!ossl_prov_is_running()
+ || psm2ctx == NULL)
+ return 0;
+
+ if (ec == NULL && psm2ctx->ec == NULL) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_NO_KEY_SET);
 return 0;
- EC_KEY_free(psm2ctx->ec);
- psm2ctx->ec = ec;
+ }
+
+ if (ec != NULL) {
+ if (!EC_KEY_up_ref(ec))
+ return 0;
+ EC_KEY_free(psm2ctx->ec);
+ psm2ctx->ec = ec;
+ }
+
 return sm2sig_set_ctx_params(psm2ctx, params);
 }
@@ -197,10 +213,11 @@ static int sm2sig_digest_signverify_init(void *vpsm2ctx, const char *mdname,
 || !sm2sig_set_mdname(ctx, mdname))
 return ret;
- EVP_MD_CTX_free(ctx->mdctx);
- ctx->mdctx = EVP_MD_CTX_new();
- if (ctx->mdctx == NULL)
- goto error;
+ if (ctx->mdctx == NULL) {
+ ctx->mdctx = EVP_MD_CTX_new();
+ if (ctx->mdctx == NULL)
+ goto error;
+ }
 md_nid = EVP_MD_get_type(ctx->md);
@@ -228,8 +245,6 @@ static int sm2sig_digest_signverify_init(void *vpsm2ctx, const char *mdname,
 ret = 1;
 error:
- if (!ret)
- free_md(ctx);
 return ret;
 } |
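Review bot: After the last two hunks, the `error:` path of `sm2sig_digest_signverify_init` returns without touching `ctx->mdctx`, and the unconditional `EVP_MD_CTX_free(ctx->mdctx)` before allocation is gone. A failed (re)initialization therefore leaves the context holding a digest context that is either freshly allocated or still carries state from the earlier operation. The DSA, ECDSA and RSA error paths in this commit free the digest context and set the pointer to NULL; for the same behaviour here, add `if (!ret) { EVP_MD_CTX_free(ctx->mdctx); ctx->mdctx = NULL; }` under `error:`. The code between the two hunks is not shown, so which steps can jump to `error` is inferred from the label.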