mirror of https://github.com/openssl/openssl
fix provider exchange operations
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12745)
This commit is contained in:
parent
49ed5ba8f6
commit
850a485f25
|
@ -1,12 +1,14 @@
|
|||
# We make separate GOAL variables for each algorithm, to make it easy to
|
||||
# switch each to the Legacy provider when needed.
|
||||
|
||||
$DH_GOAL=../../libimplementations.a
|
||||
$ECDH_GOAL=../../libimplementations.a
|
||||
$ECX_GOAL=../../libimplementations.a
|
||||
$ECDH_GOAL=../../libimplementations.a
|
||||
$KDF_GOAL=../../libimplementations.a
|
||||
|
||||
IF[{- !$disabled{dh} -}]
|
||||
SOURCE[../../libfips.a]=dh_exch.c
|
||||
SOURCE[../../libnonfips.a]=dh_exch.c
|
||||
SOURCE[$DH_GOAL]=dh_exch.c
|
||||
ENDIF
|
||||
|
||||
IF[{- !$disabled{asm} -}]
|
||||
|
@ -22,8 +24,7 @@ ENDIF
|
|||
IF[{- !$disabled{ec} -}]
|
||||
SOURCE[$ECX_GOAL]=ecx_exch.c
|
||||
DEFINE[$ECX_GOAL]=$ECDEF
|
||||
SOURCE[../../libfips.a]=ecdh_exch.c
|
||||
SOURCE[../../libnonfips.a]=ecdh_exch.c
|
||||
SOURCE[$ECDH_GOAL]=ecdh_exch.c
|
||||
ENDIF
|
||||
|
||||
SOURCE[$KDF_GOAL]=kdf_exch.c
|
||||
|
|
|
@ -23,7 +23,7 @@
|
|||
#include "prov/providercommon.h"
|
||||
#include "prov/implementations.h"
|
||||
#include "prov/provider_ctx.h"
|
||||
#include "prov/provider_util.h"
|
||||
#include "prov/check.h"
|
||||
#include "crypto/dh.h"
|
||||
|
||||
static OSSL_FUNC_keyexch_newctx_fn dh_newctx;
|
||||
|
@ -92,43 +92,6 @@ static void *dh_newctx(void *provctx)
|
|||
return pdhctx;
|
||||
}
|
||||
|
||||
/*
|
||||
* For DH key agreement refer to SP800-56A
|
||||
* https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf
|
||||
* "Section 5.5.1.1FFC Domain Parameter Selection/Generation" and
|
||||
* "Appendix D" FFC Safe-prime Groups
|
||||
*/
|
||||
static int dh_check_key(const DH *dh)
|
||||
{
|
||||
#ifdef FIPS_MODULE
|
||||
size_t L, N;
|
||||
const BIGNUM *p, *q;
|
||||
|
||||
if (dh == NULL)
|
||||
return 0;
|
||||
|
||||
p = DH_get0_p(dh);
|
||||
q = DH_get0_q(dh);
|
||||
if (p == NULL || q == NULL)
|
||||
return 0;
|
||||
|
||||
L = BN_num_bits(p);
|
||||
if (L < 2048)
|
||||
return 0;
|
||||
|
||||
/* If it is a safe prime group then it is ok */
|
||||
if (DH_get_nid(dh))
|
||||
return 1;
|
||||
|
||||
/* If not then it must be FFC, which only allows certain sizes. */
|
||||
N = BN_num_bits(q);
|
||||
|
||||
return (L == 2048 && (N == 224 || N == 256));
|
||||
#else
|
||||
return 1;
|
||||
#endif
|
||||
}
|
||||
|
||||
static int dh_init(void *vpdhctx, void *vdh)
|
||||
{
|
||||
PROV_DH_CTX *pdhctx = (PROV_DH_CTX *)vpdhctx;
|
||||
|
@ -358,12 +321,10 @@ static int dh_set_ctx_params(void *vpdhctx, const OSSL_PARAM params[])
|
|||
|
||||
EVP_MD_free(pdhctx->kdf_md);
|
||||
pdhctx->kdf_md = EVP_MD_fetch(pdhctx->libctx, name, mdprops);
|
||||
#ifdef FIPS_MODULE
|
||||
if (!ossl_prov_digest_get_approved_nid(pdhctx->kdf_md, 1)) {
|
||||
if (!digest_is_allowed(pdhctx->kdf_md)) {
|
||||
EVP_MD_free(pdhctx->kdf_md);
|
||||
pdhctx->kdf_md = NULL;
|
||||
}
|
||||
#endif
|
||||
if (pdhctx->kdf_md == NULL)
|
||||
return 0;
|
||||
}
|
||||
|
|
|
@ -24,7 +24,7 @@
|
|||
#include "prov/provider_ctx.h"
|
||||
#include "prov/providercommon.h"
|
||||
#include "prov/implementations.h"
|
||||
#include "prov/provider_util.h"
|
||||
#include "prov/check.h"
|
||||
#include "crypto/ec.h" /* ecdh_KDF_X9_63() */
|
||||
|
||||
static OSSL_FUNC_keyexch_newctx_fn ecdh_newctx;
|
||||
|
@ -111,7 +111,7 @@ int ecdh_init(void *vpecdhctx, void *vecdh)
|
|||
pecdhctx->k = vecdh;
|
||||
pecdhctx->cofactor_mode = -1;
|
||||
pecdhctx->kdf_type = PROV_ECDH_KDF_NONE;
|
||||
return ossl_prov_ec_check(vecdh, 1);
|
||||
return ec_check_key(vecdh, 1);
|
||||
}
|
||||
|
||||
static
|
||||
|
@ -126,7 +126,7 @@ int ecdh_set_peer(void *vpecdhctx, void *vecdh)
|
|||
return 0;
|
||||
EC_KEY_free(pecdhctx->peerk);
|
||||
pecdhctx->peerk = vecdh;
|
||||
return ossl_prov_ec_check(vecdh, 1);
|
||||
return ec_check_key(vecdh, 1);
|
||||
}
|
||||
|
||||
static
|
||||
|
@ -254,12 +254,10 @@ int ecdh_set_ctx_params(void *vpecdhctx, const OSSL_PARAM params[])
|
|||
|
||||
EVP_MD_free(pectx->kdf_md);
|
||||
pectx->kdf_md = EVP_MD_fetch(pectx->libctx, name, mdprops);
|
||||
#ifdef FIPS_MODULE
|
||||
if (!ossl_prov_digest_get_approved_nid(pectx->kdf_md, 1)) {
|
||||
if (!digest_is_allowed(pectx->kdf_md)) {
|
||||
EVP_MD_free(pectx->kdf_md);
|
||||
pectx->kdf_md = NULL;
|
||||
}
|
||||
#endif
|
||||
if (pectx->kdf_md == NULL)
|
||||
return 0;
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue