Move digests to providers

Move digest code into the relevant providers (fips, default, legacy). The headers are temporarily moved to be internal, and will be moved into providers after all external references are resolved. The deprecated digest code can not be removed until EVP_PKEY (signing) is supported by providers. EVP_MD data can also not yet be cleaned up for the same reasons. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8763)
author: Shane Lontis <shane.lontis@oracle.com> 2019-04-11 20:27:59 +1000
committer: Shane Lontis <shane.lontis@oracle.com> 2019-06-04 12:09:50 +1000
commit: d5e5e2ffafc7dbc861f7d285508cf129c5e8f5ac (patch)
tree: 3920b0febd6d2716940fb022b57894fe2ebf565d /ssl
parent: bf5b04ea25d6ac7d31e388b4e87d3eb5cd1e1e2b (diff)
3 files changed, 37 insertions, 14 deletions
diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c
index de4e678c93..c666014327 100644
--- a/ssl/s3_enc.c
+++ b/ssl/s3_enc.c
@@ -12,6 +12,7 @@
 #include "ssl_locl.h"
 #include <openssl/evp.h>
 #include <openssl/md5.h>
+#include <openssl/core_names.h>
 #include "internal/cryptlib.h"
 
 static int ssl3_generate_key_block(SSL *s, unsigned char *km, int num)
@@ -410,6 +411,21 @@ int ssl3_digest_cached_records(SSL *s, int keep)
     return 1;
 }
 
+void ssl3_digest_master_key_set_params(const SSL_SESSION *session,
+                                       OSSL_PARAM params[])
+{
+    int n = 0;
+    int cmd = EVP_CTRL_SSL3_MASTER_SECRET;
+
+    params[n++] = OSSL_PARAM_construct_int(OSSL_DIGEST_PARAM_CMD, &cmd,
+                                           NULL);
+    params[n++] = OSSL_PARAM_construct_octet_ptr(OSSL_DIGEST_PARAM_MSG,
+                                                (void **)&session->master_key,
+                                                 session->master_key_length,
+                                                 NULL);
+    params[n++] = OSSL_PARAM_construct_end();
+}
+
 size_t ssl3_final_finish_mac(SSL *s, const char *sender, size_t len,
                              unsigned char *p)
 {
@@ -448,14 +464,17 @@ size_t ssl3_final_finish_mac(SSL *s, const char *sender, size_t len,
         goto err;
     }
 
-    if ((sender != NULL && EVP_DigestUpdate(ctx, sender, len) <= 0)
-        || EVP_MD_CTX_ctrl(ctx, EVP_CTRL_SSL3_MASTER_SECRET,
-                           (int)s->session->master_key_length,
-                           s->session->master_key) <= 0
-        || EVP_DigestFinal_ex(ctx, p, NULL) <= 0) {
-        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_FINAL_FINISH_MAC,
-                 ERR_R_INTERNAL_ERROR);
-        ret = 0;
+    if (sender != NULL) {
+        OSSL_PARAM digest_cmd_params[3];
+
+        ssl3_digest_master_key_set_params(s->session, digest_cmd_params);
+        if (EVP_DigestUpdate(ctx, sender, len) <= 0
+            || EVP_MD_CTX_set_params(ctx, digest_cmd_params) <= 0
+            || EVP_DigestFinal_ex(ctx, p, NULL) <= 0) {
+                SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_FINAL_FINISH_MAC,
+                         ERR_R_INTERNAL_ERROR);
+                ret = 0;
+        }
     }
 
  err:
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 4a72864980..79b78f093d 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -2362,6 +2362,8 @@ __owur int ssl3_num_ciphers(void);
 __owur const SSL_CIPHER *ssl3_get_cipher(unsigned int u);
 int ssl3_renegotiate(SSL *ssl);
 int ssl3_renegotiate_check(SSL *ssl, int initok);
+void ssl3_digest_master_key_set_params(const SSL_SESSION *session,
+                                       OSSL_PARAM params[]);
 __owur int ssl3_dispatch_alert(SSL *s);
 __owur size_t ssl3_final_finish_mac(SSL *s, const char *sender, size_t slen,
                                     unsigned char *p);
diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
index 8c7d5e2a60..e59b49bb3d 100644
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@@ -285,10 +285,11 @@ int tls_construct_cert_verify(SSL *s, WPACKET *pkt)
         }
     }
     if (s->version == SSL3_VERSION) {
+        OSSL_PARAM digest_cmd_params[3];
+
+        ssl3_digest_master_key_set_params(s->session, digest_cmd_params);
         if (EVP_DigestSignUpdate(mctx, hdata, hdatalen) <= 0
-            || !EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
-                                (int)s->session->master_key_length,
-                                s->session->master_key)
+            || EVP_MD_CTX_set_params(mctx, digest_cmd_params) <= 0
             || EVP_DigestSignFinal(mctx, sig, &siglen) <= 0) {
 
             SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
@@ -473,10 +474,11 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt)
         }
     }
     if (s->version == SSL3_VERSION) {
+        OSSL_PARAM digest_cmd_params[3];
+
+        ssl3_digest_master_key_set_params(s->session, digest_cmd_params);
         if (EVP_DigestVerifyUpdate(mctx, hdata, hdatalen) <= 0
-                || !EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
-                                    (int)s->session->master_key_length,
-                                    s->session->master_key)) {
+                || EVP_MD_CTX_set_params(mctx, digest_cmd_params) <= 0) {
             SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
                      ERR_R_EVP_LIB);
             goto err;
author	Shane Lontis <shane.lontis@oracle.com>	2019-04-11 20:27:59 +1000
committer	Shane Lontis <shane.lontis@oracle.com>	2019-06-04 12:09:50 +1000
commit	d5e5e2ffafc7dbc861f7d285508cf129c5e8f5ac (patch)
tree	3920b0febd6d2716940fb022b57894fe2ebf565d /ssl
parent	bf5b04ea25d6ac7d31e388b4e87d3eb5cd1e1e2b (diff)