mirror of https://github.com/openssl/openssl
Fix external symbols related to provider related security checks for
keys and digests. Partial fix for #12964 This adds ossl_ names for the following symbols: digest_get_approved_nid, digest_get_approved_nid_with_sha1 digest_is_allowed, digest_md_to_nid, digest_rsa_sign_get_md_nid, securitycheck_enabled, dh_check_key, dsa_check_key, ec_check_key, Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14211)
This commit is contained in:
parent
47c076acfc
commit
7b676cc8c6
|
@ -20,7 +20,7 @@
|
|||
* Internal library code deals with NIDs, so we need to translate from a name.
|
||||
* We do so using EVP_MD_is_a(), and therefore need a name to NID map.
|
||||
*/
|
||||
int digest_md_to_nid(const EVP_MD *md, const OSSL_ITEM *it, size_t it_len)
|
||||
int ossl_digest_md_to_nid(const EVP_MD *md, const OSSL_ITEM *it, size_t it_len)
|
||||
{
|
||||
size_t i;
|
||||
|
||||
|
@ -37,7 +37,7 @@ int digest_md_to_nid(const EVP_MD *md, const OSSL_ITEM *it, size_t it_len)
|
|||
* Retrieve one of the FIPs approved hash algorithms by nid.
|
||||
* See FIPS 180-4 "Secure Hash Standard" and FIPS 202 - SHA-3.
|
||||
*/
|
||||
int digest_get_approved_nid(const EVP_MD *md)
|
||||
int ossl_digest_get_approved_nid(const EVP_MD *md)
|
||||
{
|
||||
static const OSSL_ITEM name_to_nid[] = {
|
||||
{ NID_sha1, OSSL_DIGEST_NAME_SHA1 },
|
||||
|
@ -53,5 +53,5 @@ int digest_get_approved_nid(const EVP_MD *md)
|
|||
{ NID_sha3_512, OSSL_DIGEST_NAME_SHA3_512 },
|
||||
};
|
||||
|
||||
return digest_md_to_nid(md, name_to_nid, OSSL_NELEM(name_to_nid));
|
||||
return ossl_digest_md_to_nid(md, name_to_nid, OSSL_NELEM(name_to_nid));
|
||||
}
|
||||
|
|
|
@ -11,17 +11,17 @@
|
|||
|
||||
/* Functions that are common */
|
||||
int ossl_rsa_check_key(const RSA *rsa, int protect);
|
||||
int ec_check_key(const EC_KEY *ec, int protect);
|
||||
int dsa_check_key(const DSA *dsa, int sign);
|
||||
int dh_check_key(const DH *dh);
|
||||
int ossl_ec_check_key(const EC_KEY *ec, int protect);
|
||||
int ossl_dsa_check_key(const DSA *dsa, int sign);
|
||||
int ossl_dh_check_key(const DH *dh);
|
||||
|
||||
int digest_is_allowed(const EVP_MD *md);
|
||||
int digest_get_approved_nid_with_sha1(const EVP_MD *md, int sha1_allowed);
|
||||
int ossl_digest_is_allowed(const EVP_MD *md);
|
||||
int ossl_digest_get_approved_nid_with_sha1(const EVP_MD *md, int sha1_allowed);
|
||||
|
||||
/* Functions that are common */
|
||||
int digest_md_to_nid(const EVP_MD *md, const OSSL_ITEM *it, size_t it_len);
|
||||
int digest_get_approved_nid(const EVP_MD *md);
|
||||
int ossl_digest_md_to_nid(const EVP_MD *md, const OSSL_ITEM *it, size_t it_len);
|
||||
int ossl_digest_get_approved_nid(const EVP_MD *md);
|
||||
|
||||
/* Functions that have different implementations for the FIPS_MODULE */
|
||||
int digest_rsa_sign_get_md_nid(const EVP_MD *md, int sha1_allowed);
|
||||
int securitycheck_enabled(void);
|
||||
int ossl_digest_rsa_sign_get_md_nid(const EVP_MD *md, int sha1_allowed);
|
||||
int ossl_securitycheck_enabled(void);
|
||||
|
|
|
@ -28,7 +28,7 @@
|
|||
int ossl_rsa_check_key(const RSA *rsa, int protect)
|
||||
{
|
||||
#if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
|
||||
if (securitycheck_enabled()) {
|
||||
if (ossl_securitycheck_enabled()) {
|
||||
int sz = RSA_bits(rsa);
|
||||
|
||||
return protect ? (sz >= 2048) : (sz >= 1024);
|
||||
|
@ -52,10 +52,10 @@ int ossl_rsa_check_key(const RSA *rsa, int protect)
|
|||
* https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf
|
||||
* "Table 2"
|
||||
*/
|
||||
int ec_check_key(const EC_KEY *ec, int protect)
|
||||
int ossl_ec_check_key(const EC_KEY *ec, int protect)
|
||||
{
|
||||
# if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
|
||||
if (securitycheck_enabled()) {
|
||||
if (ossl_securitycheck_enabled()) {
|
||||
int nid, strength;
|
||||
const char *curve_name;
|
||||
const EC_GROUP *group = EC_KEY_get0_group(ec);
|
||||
|
@ -110,10 +110,10 @@ int ec_check_key(const EC_KEY *ec, int protect)
|
|||
* https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf
|
||||
* "Table 2"
|
||||
*/
|
||||
int dsa_check_key(const DSA *dsa, int sign)
|
||||
int ossl_dsa_check_key(const DSA *dsa, int sign)
|
||||
{
|
||||
# if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
|
||||
if (securitycheck_enabled()) {
|
||||
if (ossl_securitycheck_enabled()) {
|
||||
size_t L, N;
|
||||
const BIGNUM *p, *q;
|
||||
|
||||
|
@ -154,10 +154,10 @@ int dsa_check_key(const DSA *dsa, int sign)
|
|||
* "Section 5.5.1.1FFC Domain Parameter Selection/Generation" and
|
||||
* "Appendix D" FFC Safe-prime Groups
|
||||
*/
|
||||
int dh_check_key(const DH *dh)
|
||||
int ossl_dh_check_key(const DH *dh)
|
||||
{
|
||||
# if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
|
||||
if (securitycheck_enabled()) {
|
||||
if (ossl_securitycheck_enabled()) {
|
||||
size_t L, N;
|
||||
const BIGNUM *p, *q;
|
||||
|
||||
|
@ -187,12 +187,12 @@ int dh_check_key(const DH *dh)
|
|||
}
|
||||
#endif /* OPENSSL_NO_DH */
|
||||
|
||||
int digest_get_approved_nid_with_sha1(const EVP_MD *md, int sha1_allowed)
|
||||
int ossl_digest_get_approved_nid_with_sha1(const EVP_MD *md, int sha1_allowed)
|
||||
{
|
||||
int mdnid = digest_get_approved_nid(md);
|
||||
int mdnid = ossl_digest_get_approved_nid(md);
|
||||
|
||||
# if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
|
||||
if (securitycheck_enabled()) {
|
||||
if (ossl_securitycheck_enabled()) {
|
||||
if (mdnid == NID_sha1 && !sha1_allowed)
|
||||
mdnid = NID_undef;
|
||||
}
|
||||
|
@ -200,11 +200,11 @@ int digest_get_approved_nid_with_sha1(const EVP_MD *md, int sha1_allowed)
|
|||
return mdnid;
|
||||
}
|
||||
|
||||
int digest_is_allowed(const EVP_MD *md)
|
||||
int ossl_digest_is_allowed(const EVP_MD *md)
|
||||
{
|
||||
# if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
|
||||
if (securitycheck_enabled())
|
||||
return digest_get_approved_nid(md) != NID_undef;
|
||||
if (ossl_securitycheck_enabled())
|
||||
return ossl_digest_get_approved_nid(md) != NID_undef;
|
||||
# endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
|
||||
return 1;
|
||||
}
|
||||
|
|
|
@ -17,12 +17,13 @@
|
|||
#include "internal/nelem.h"
|
||||
|
||||
/* Disable the security checks in the default provider */
|
||||
int securitycheck_enabled(void)
|
||||
int ossl_securitycheck_enabled(void)
|
||||
{
|
||||
return 0;
|
||||
}
|
||||
|
||||
int digest_rsa_sign_get_md_nid(const EVP_MD *md, ossl_unused int sha1_allowed)
|
||||
int ossl_digest_rsa_sign_get_md_nid(const EVP_MD *md,
|
||||
ossl_unused int sha1_allowed)
|
||||
{
|
||||
int mdnid;
|
||||
|
||||
|
@ -35,8 +36,8 @@ int digest_rsa_sign_get_md_nid(const EVP_MD *md, ossl_unused int sha1_allowed)
|
|||
{ NID_ripemd160, OSSL_DIGEST_NAME_RIPEMD160 },
|
||||
};
|
||||
|
||||
mdnid = digest_get_approved_nid_with_sha1(md, 1);
|
||||
mdnid = ossl_digest_get_approved_nid_with_sha1(md, 1);
|
||||
if (mdnid == NID_undef)
|
||||
mdnid = digest_md_to_nid(md, name_to_nid, OSSL_NELEM(name_to_nid));
|
||||
mdnid = ossl_digest_md_to_nid(md, name_to_nid, OSSL_NELEM(name_to_nid));
|
||||
return mdnid;
|
||||
}
|
||||
|
|
|
@ -21,7 +21,7 @@
|
|||
|
||||
extern int FIPS_security_check_enabled(void);
|
||||
|
||||
int securitycheck_enabled(void)
|
||||
int ossl_securitycheck_enabled(void)
|
||||
{
|
||||
#if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
|
||||
return FIPS_security_check_enabled();
|
||||
|
@ -30,11 +30,11 @@ int securitycheck_enabled(void)
|
|||
#endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
|
||||
}
|
||||
|
||||
int digest_rsa_sign_get_md_nid(const EVP_MD *md, int sha1_allowed)
|
||||
int ossl_digest_rsa_sign_get_md_nid(const EVP_MD *md, int sha1_allowed)
|
||||
{
|
||||
#if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
|
||||
if (securitycheck_enabled())
|
||||
return digest_get_approved_nid_with_sha1(md, sha1_allowed);
|
||||
if (ossl_securitycheck_enabled())
|
||||
return ossl_digest_get_approved_nid_with_sha1(md, sha1_allowed);
|
||||
#endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
|
||||
return digest_get_approved_nid(md);
|
||||
return ossl_digest_get_approved_nid(md);
|
||||
}
|
||||
|
|
|
@ -104,7 +104,7 @@ static int dh_init(void *vpdhctx, void *vdh)
|
|||
DH_free(pdhctx->dh);
|
||||
pdhctx->dh = vdh;
|
||||
pdhctx->kdf_type = PROV_DH_KDF_NONE;
|
||||
return dh_check_key(vdh);
|
||||
return ossl_dh_check_key(vdh);
|
||||
}
|
||||
|
||||
static int dh_set_peer(void *vpdhctx, void *vdh)
|
||||
|
@ -321,7 +321,7 @@ static int dh_set_ctx_params(void *vpdhctx, const OSSL_PARAM params[])
|
|||
|
||||
EVP_MD_free(pdhctx->kdf_md);
|
||||
pdhctx->kdf_md = EVP_MD_fetch(pdhctx->libctx, name, mdprops);
|
||||
if (!digest_is_allowed(pdhctx->kdf_md)) {
|
||||
if (!ossl_digest_is_allowed(pdhctx->kdf_md)) {
|
||||
EVP_MD_free(pdhctx->kdf_md);
|
||||
pdhctx->kdf_md = NULL;
|
||||
}
|
||||
|
|
|
@ -111,7 +111,7 @@ int ecdh_init(void *vpecdhctx, void *vecdh)
|
|||
pecdhctx->k = vecdh;
|
||||
pecdhctx->cofactor_mode = -1;
|
||||
pecdhctx->kdf_type = PROV_ECDH_KDF_NONE;
|
||||
return ec_check_key(vecdh, 1);
|
||||
return ossl_ec_check_key(vecdh, 1);
|
||||
}
|
||||
|
||||
static
|
||||
|
@ -126,7 +126,7 @@ int ecdh_set_peer(void *vpecdhctx, void *vecdh)
|
|||
return 0;
|
||||
EC_KEY_free(pecdhctx->peerk);
|
||||
pecdhctx->peerk = vecdh;
|
||||
return ec_check_key(vecdh, 1);
|
||||
return ossl_ec_check_key(vecdh, 1);
|
||||
}
|
||||
|
||||
static
|
||||
|
@ -254,7 +254,7 @@ int ecdh_set_ctx_params(void *vpecdhctx, const OSSL_PARAM params[])
|
|||
|
||||
EVP_MD_free(pectx->kdf_md);
|
||||
pectx->kdf_md = EVP_MD_fetch(pectx->libctx, name, mdprops);
|
||||
if (!digest_is_allowed(pectx->kdf_md)) {
|
||||
if (!ossl_digest_is_allowed(pectx->kdf_md)) {
|
||||
EVP_MD_free(pectx->kdf_md);
|
||||
pectx->kdf_md = NULL;
|
||||
}
|
||||
|
|
|
@ -127,7 +127,7 @@ static int dsa_setup_md(PROV_DSA_CTX *ctx,
|
|||
int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
|
||||
WPACKET pkt;
|
||||
EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops);
|
||||
int md_nid = digest_get_approved_nid_with_sha1(md, sha1_allowed);
|
||||
int md_nid = ossl_digest_get_approved_nid_with_sha1(md, sha1_allowed);
|
||||
size_t mdname_len = strlen(mdname);
|
||||
|
||||
if (md == NULL || md_nid == NID_undef) {
|
||||
|
@ -183,7 +183,7 @@ static int dsa_signverify_init(void *vpdsactx, void *vdsa, int operation)
|
|||
DSA_free(pdsactx->dsa);
|
||||
pdsactx->dsa = vdsa;
|
||||
pdsactx->operation = operation;
|
||||
if (!dsa_check_key(vdsa, operation == EVP_PKEY_OP_SIGN)) {
|
||||
if (!ossl_dsa_check_key(vdsa, operation == EVP_PKEY_OP_SIGN)) {
|
||||
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
|
||||
return 0;
|
||||
}
|
||||
|
|
|
@ -137,7 +137,7 @@ static int ecdsa_signverify_init(void *vctx, void *ec, int operation)
|
|||
EC_KEY_free(ctx->ec);
|
||||
ctx->ec = ec;
|
||||
ctx->operation = operation;
|
||||
return ec_check_key(ec, operation == EVP_PKEY_OP_SIGN);
|
||||
return ossl_ec_check_key(ec, operation == EVP_PKEY_OP_SIGN);
|
||||
}
|
||||
|
||||
static int ecdsa_sign_init(void *vctx, void *ec)
|
||||
|
@ -222,7 +222,7 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx, const char *mdname,
|
|||
return 0;
|
||||
}
|
||||
sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
|
||||
md_nid = digest_get_approved_nid_with_sha1(md, sha1_allowed);
|
||||
md_nid = ossl_digest_get_approved_nid_with_sha1(md, sha1_allowed);
|
||||
if (md_nid == NID_undef) {
|
||||
ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED,
|
||||
"digest=%s", mdname);
|
||||
|
|
|
@ -276,7 +276,7 @@ static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname,
|
|||
if (mdname != NULL) {
|
||||
EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops);
|
||||
int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
|
||||
int md_nid = digest_rsa_sign_get_md_nid(md, sha1_allowed);
|
||||
int md_nid = ossl_digest_rsa_sign_get_md_nid(md, sha1_allowed);
|
||||
size_t mdname_len = strlen(mdname);
|
||||
|
||||
if (md == NULL
|
||||
|
@ -335,7 +335,7 @@ static int rsa_setup_mgf1_md(PROV_RSA_CTX *ctx, const char *mdname,
|
|||
return 0;
|
||||
}
|
||||
/* The default for mgf1 is SHA1 - so allow SHA1 */
|
||||
if ((mdnid = digest_rsa_sign_get_md_nid(md, 1)) == NID_undef
|
||||
if ((mdnid = ossl_digest_rsa_sign_get_md_nid(md, 1)) == NID_undef
|
||||
|| !rsa_check_padding(ctx, NULL, mdname, mdnid)) {
|
||||
if (mdnid == NID_undef)
|
||||
ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED,
|
||||
|
|
Loading…
Reference in New Issue