Fix external symbols related to provider related security checks for

keys and digests.

Partial fix for #12964

This adds ossl_ names for the following symbols:

digest_get_approved_nid, digest_get_approved_nid_with_sha1
digest_is_allowed, digest_md_to_nid, digest_rsa_sign_get_md_nid,
securitycheck_enabled,
dh_check_key, dsa_check_key, ec_check_key,

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14211)

providers/common/digest_to_nid.c

@@ -20,7 +20,7 @@
  * Internal library code deals with NIDs, so we need to translate from a name.
  * We do so using EVP_MD_is_a(), and therefore need a name to NID map.
  */
-int digest_md_to_nid(const EVP_MD *md, const OSSL_ITEM *it, size_t it_len)
+int ossl_digest_md_to_nid(const EVP_MD *md, const OSSL_ITEM *it, size_t it_len)
 {
     size_t i;
 
@@ -37,7 +37,7 @@ int digest_md_to_nid(const EVP_MD *md, const OSSL_ITEM *it, size_t it_len)
  * Retrieve one of the FIPs approved hash algorithms by nid.
  * See FIPS 180-4 "Secure Hash Standard" and FIPS 202 - SHA-3.
  */
-int digest_get_approved_nid(const EVP_MD *md)
+int ossl_digest_get_approved_nid(const EVP_MD *md)
 {
     static const OSSL_ITEM name_to_nid[] = {
         { NID_sha1,      OSSL_DIGEST_NAME_SHA1      },
@@ -53,5 +53,5 @@ int digest_get_approved_nid(const EVP_MD *md)
         { NID_sha3_512,  OSSL_DIGEST_NAME_SHA3_512  },
     };
 
-    return digest_md_to_nid(md, name_to_nid, OSSL_NELEM(name_to_nid));
+    return ossl_digest_md_to_nid(md, name_to_nid, OSSL_NELEM(name_to_nid));
 }

providers/common/include/prov/securitycheck.h

@@ -11,17 +11,17 @@
 
 /* Functions that are common */
 int ossl_rsa_check_key(const RSA *rsa, int protect);
-int ec_check_key(const EC_KEY *ec, int protect);
-int dsa_check_key(const DSA *dsa, int sign);
-int dh_check_key(const DH *dh);
+int ossl_ec_check_key(const EC_KEY *ec, int protect);
+int ossl_dsa_check_key(const DSA *dsa, int sign);
+int ossl_dh_check_key(const DH *dh);
 
-int digest_is_allowed(const EVP_MD *md);
-int digest_get_approved_nid_with_sha1(const EVP_MD *md, int sha1_allowed);
+int ossl_digest_is_allowed(const EVP_MD *md);
+int ossl_digest_get_approved_nid_with_sha1(const EVP_MD *md, int sha1_allowed);
 
 /* Functions that are common */
-int digest_md_to_nid(const EVP_MD *md, const OSSL_ITEM *it, size_t it_len);
-int digest_get_approved_nid(const EVP_MD *md);
+int ossl_digest_md_to_nid(const EVP_MD *md, const OSSL_ITEM *it, size_t it_len);
+int ossl_digest_get_approved_nid(const EVP_MD *md);
 
 /* Functions that have different implementations for the FIPS_MODULE */
-int digest_rsa_sign_get_md_nid(const EVP_MD *md, int sha1_allowed);
-int securitycheck_enabled(void);
+int ossl_digest_rsa_sign_get_md_nid(const EVP_MD *md, int sha1_allowed);
+int ossl_securitycheck_enabled(void);

providers/common/securitycheck.c

@@ -28,7 +28,7 @@
 int ossl_rsa_check_key(const RSA *rsa, int protect)
 {
 #if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
-    if (securitycheck_enabled()) {
+    if (ossl_securitycheck_enabled()) {
         int sz = RSA_bits(rsa);
 
         return protect ? (sz >= 2048) : (sz >= 1024);
@@ -52,10 +52,10 @@ int ossl_rsa_check_key(const RSA *rsa, int protect)
  * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf
  * "Table 2"
  */
-int ec_check_key(const EC_KEY *ec, int protect)
+int ossl_ec_check_key(const EC_KEY *ec, int protect)
 {
 # if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
-    if (securitycheck_enabled()) {
+    if (ossl_securitycheck_enabled()) {
         int nid, strength;
         const char *curve_name;
         const EC_GROUP *group = EC_KEY_get0_group(ec);
@@ -110,10 +110,10 @@ int ec_check_key(const EC_KEY *ec, int protect)
  * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf
  * "Table 2"
  */
-int dsa_check_key(const DSA *dsa, int sign)
+int ossl_dsa_check_key(const DSA *dsa, int sign)
 {
 # if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
-    if (securitycheck_enabled()) {
+    if (ossl_securitycheck_enabled()) {
         size_t L, N;
         const BIGNUM *p, *q;
 
@@ -154,10 +154,10 @@ int dsa_check_key(const DSA *dsa, int sign)
  * "Section 5.5.1.1FFC Domain Parameter Selection/Generation" and
  * "Appendix D" FFC Safe-prime Groups
  */
-int dh_check_key(const DH *dh)
+int ossl_dh_check_key(const DH *dh)
 {
 # if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
-    if (securitycheck_enabled()) {
+    if (ossl_securitycheck_enabled()) {
         size_t L, N;
         const BIGNUM *p, *q;
 
@@ -187,12 +187,12 @@ int dh_check_key(const DH *dh)
 }
 #endif /* OPENSSL_NO_DH */
 
-int digest_get_approved_nid_with_sha1(const EVP_MD *md, int sha1_allowed)
+int ossl_digest_get_approved_nid_with_sha1(const EVP_MD *md, int sha1_allowed)
 {
-    int mdnid = digest_get_approved_nid(md);
+    int mdnid = ossl_digest_get_approved_nid(md);
 
 # if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
-    if (securitycheck_enabled()) {
+    if (ossl_securitycheck_enabled()) {
         if (mdnid == NID_sha1 && !sha1_allowed)
             mdnid = NID_undef;
     }
@@ -200,11 +200,11 @@ int digest_get_approved_nid_with_sha1(const EVP_MD *md, int sha1_allowed)
     return mdnid;
 }
 
-int digest_is_allowed(const EVP_MD *md)
+int ossl_digest_is_allowed(const EVP_MD *md)
 {
 # if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
-    if (securitycheck_enabled())
-        return digest_get_approved_nid(md) != NID_undef;
+    if (ossl_securitycheck_enabled())
+        return ossl_digest_get_approved_nid(md) != NID_undef;
 # endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
     return 1;
 }

providers/common/securitycheck_default.c

@@ -17,12 +17,13 @@
 #include "internal/nelem.h"
 
 /* Disable the security checks in the default provider */
-int securitycheck_enabled(void)
+int ossl_securitycheck_enabled(void)
 {
     return 0;
 }
 
-int digest_rsa_sign_get_md_nid(const EVP_MD *md, ossl_unused int sha1_allowed)
+int ossl_digest_rsa_sign_get_md_nid(const EVP_MD *md,
+                                    ossl_unused int sha1_allowed)
 {
     int mdnid;
 
@@ -35,8 +36,8 @@ int digest_rsa_sign_get_md_nid(const EVP_MD *md, ossl_unused int sha1_allowed)
         { NID_ripemd160, OSSL_DIGEST_NAME_RIPEMD160 },
     };
 
-    mdnid = digest_get_approved_nid_with_sha1(md, 1);
+    mdnid = ossl_digest_get_approved_nid_with_sha1(md, 1);
     if (mdnid == NID_undef)
-        mdnid = digest_md_to_nid(md, name_to_nid, OSSL_NELEM(name_to_nid));
+        mdnid = ossl_digest_md_to_nid(md, name_to_nid, OSSL_NELEM(name_to_nid));
     return mdnid;
 }

providers/common/securitycheck_fips.c

@@ -21,7 +21,7 @@
 
 extern int FIPS_security_check_enabled(void);
 
-int securitycheck_enabled(void)
+int ossl_securitycheck_enabled(void)
 {
 #if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
     return FIPS_security_check_enabled();
@@ -30,11 +30,11 @@ int securitycheck_enabled(void)
 #endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
 }
 
-int digest_rsa_sign_get_md_nid(const EVP_MD *md, int sha1_allowed)
+int ossl_digest_rsa_sign_get_md_nid(const EVP_MD *md, int sha1_allowed)
 {
 #if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
-    if (securitycheck_enabled())
-        return digest_get_approved_nid_with_sha1(md, sha1_allowed);
+    if (ossl_securitycheck_enabled())
+        return ossl_digest_get_approved_nid_with_sha1(md, sha1_allowed);
 #endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
-    return digest_get_approved_nid(md);
+    return ossl_digest_get_approved_nid(md);
 }

providers/implementations/exchange/dh_exch.c

@@ -104,7 +104,7 @@ static int dh_init(void *vpdhctx, void *vdh)
     DH_free(pdhctx->dh);
     pdhctx->dh = vdh;
     pdhctx->kdf_type = PROV_DH_KDF_NONE;
-    return dh_check_key(vdh);
+    return ossl_dh_check_key(vdh);
 }
 
 static int dh_set_peer(void *vpdhctx, void *vdh)
@@ -321,7 +321,7 @@ static int dh_set_ctx_params(void *vpdhctx, const OSSL_PARAM params[])
 
         EVP_MD_free(pdhctx->kdf_md);
         pdhctx->kdf_md = EVP_MD_fetch(pdhctx->libctx, name, mdprops);
-        if (!digest_is_allowed(pdhctx->kdf_md)) {
+        if (!ossl_digest_is_allowed(pdhctx->kdf_md)) {
             EVP_MD_free(pdhctx->kdf_md);
             pdhctx->kdf_md = NULL;
         }

providers/implementations/exchange/ecdh_exch.c

@@ -111,7 +111,7 @@ int ecdh_init(void *vpecdhctx, void *vecdh)
     pecdhctx->k = vecdh;
     pecdhctx->cofactor_mode = -1;
     pecdhctx->kdf_type = PROV_ECDH_KDF_NONE;
-    return ec_check_key(vecdh, 1);
+    return ossl_ec_check_key(vecdh, 1);
 }
 
 static
@@ -126,7 +126,7 @@ int ecdh_set_peer(void *vpecdhctx, void *vecdh)
         return 0;
     EC_KEY_free(pecdhctx->peerk);
     pecdhctx->peerk = vecdh;
-    return ec_check_key(vecdh, 1);
+    return ossl_ec_check_key(vecdh, 1);
 }
 
 static
@@ -254,7 +254,7 @@ int ecdh_set_ctx_params(void *vpecdhctx, const OSSL_PARAM params[])
 
         EVP_MD_free(pectx->kdf_md);
         pectx->kdf_md = EVP_MD_fetch(pectx->libctx, name, mdprops);
-        if (!digest_is_allowed(pectx->kdf_md)) {
+        if (!ossl_digest_is_allowed(pectx->kdf_md)) {
             EVP_MD_free(pectx->kdf_md);
             pectx->kdf_md = NULL;
         }

providers/implementations/signature/dsa.c

@@ -127,7 +127,7 @@ static int dsa_setup_md(PROV_DSA_CTX *ctx,
         int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
         WPACKET pkt;
         EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops);
-        int md_nid = digest_get_approved_nid_with_sha1(md, sha1_allowed);
+        int md_nid = ossl_digest_get_approved_nid_with_sha1(md, sha1_allowed);
         size_t mdname_len = strlen(mdname);
 
         if (md == NULL || md_nid == NID_undef) {
@@ -183,7 +183,7 @@ static int dsa_signverify_init(void *vpdsactx, void *vdsa, int operation)
     DSA_free(pdsactx->dsa);
     pdsactx->dsa = vdsa;
     pdsactx->operation = operation;
-    if (!dsa_check_key(vdsa, operation == EVP_PKEY_OP_SIGN)) {
+    if (!ossl_dsa_check_key(vdsa, operation == EVP_PKEY_OP_SIGN)) {
         ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
         return 0;
     }

providers/implementations/signature/ecdsa.c

@@ -137,7 +137,7 @@ static int ecdsa_signverify_init(void *vctx, void *ec, int operation)
     EC_KEY_free(ctx->ec);
     ctx->ec = ec;
     ctx->operation = operation;
-    return ec_check_key(ec, operation == EVP_PKEY_OP_SIGN);
+    return ossl_ec_check_key(ec, operation == EVP_PKEY_OP_SIGN);
 }
 
 static int ecdsa_sign_init(void *vctx, void *ec)
@@ -222,7 +222,7 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx, const char *mdname,
         return 0;
     }
     sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
-    md_nid = digest_get_approved_nid_with_sha1(md, sha1_allowed);
+    md_nid = ossl_digest_get_approved_nid_with_sha1(md, sha1_allowed);
     if (md_nid == NID_undef) {
         ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED,
                        "digest=%s", mdname);

providers/implementations/signature/rsa.c

@@ -276,7 +276,7 @@ static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname,
     if (mdname != NULL) {
         EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops);
         int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
-        int md_nid = digest_rsa_sign_get_md_nid(md, sha1_allowed);
+        int md_nid = ossl_digest_rsa_sign_get_md_nid(md, sha1_allowed);
         size_t mdname_len = strlen(mdname);
 
         if (md == NULL
@@ -335,7 +335,7 @@ static int rsa_setup_mgf1_md(PROV_RSA_CTX *ctx, const char *mdname,
         return 0;
     }
     /* The default for mgf1 is SHA1 - so allow SHA1 */
-    if ((mdnid = digest_rsa_sign_get_md_nid(md, 1)) == NID_undef
+    if ((mdnid = ossl_digest_rsa_sign_get_md_nid(md, 1)) == NID_undef
         || !rsa_check_padding(ctx, NULL, mdname, mdnid)) {
         if (mdnid == NID_undef)
             ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED,