diff --git a/providers/common/include/prov/securitycheck.h b/providers/common/include/prov/securitycheck.h index 7d163f70fa..7635c24973 100644 --- a/providers/common/include/prov/securitycheck.h +++ b/providers/common/include/prov/securitycheck.h @@ -10,18 +10,20 @@ #include "crypto/types.h" /* Functions that are common */ -int ossl_rsa_check_key(const RSA *rsa, int operation); -int ossl_ec_check_key(const EC_KEY *ec, int protect); -int ossl_dsa_check_key(const DSA *dsa, int sign); -int ossl_dh_check_key(const DH *dh); +int ossl_rsa_check_key(OSSL_LIB_CTX *ctx, const RSA *rsa, int operation); +int ossl_ec_check_key(OSSL_LIB_CTX *ctx, const EC_KEY *ec, int protect); +int ossl_dsa_check_key(OSSL_LIB_CTX *ctx, const DSA *dsa, int sign); +int ossl_dh_check_key(OSSL_LIB_CTX *ctx, const DH *dh); -int ossl_digest_is_allowed(const EVP_MD *md); -int ossl_digest_get_approved_nid_with_sha1(const EVP_MD *md, int sha1_allowed); +int ossl_digest_is_allowed(OSSL_LIB_CTX *ctx, const EVP_MD *md); +int ossl_digest_get_approved_nid_with_sha1(OSSL_LIB_CTX *ctx, const EVP_MD *md, + int sha1_allowed); /* Functions that are common */ int ossl_digest_md_to_nid(const EVP_MD *md, const OSSL_ITEM *it, size_t it_len); int ossl_digest_get_approved_nid(const EVP_MD *md); /* Functions that have different implementations for the FIPS_MODULE */ -int ossl_digest_rsa_sign_get_md_nid(const EVP_MD *md, int sha1_allowed); -int ossl_securitycheck_enabled(void); +int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX *ctx, const EVP_MD *md, + int sha1_allowed); +int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx); diff --git a/providers/common/securitycheck.c b/providers/common/securitycheck.c index 08582d6346..4f36ce4593 100644 --- a/providers/common/securitycheck.c +++ b/providers/common/securitycheck.c @@ -26,7 +26,7 @@ * Set protect = 1 for encryption or signing operations, or 0 otherwise. See * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf. */ -int ossl_rsa_check_key(const RSA *rsa, int operation) +int ossl_rsa_check_key(OSSL_LIB_CTX *ctx, const RSA *rsa, int operation) { int protect = 0; @@ -58,7 +58,7 @@ int ossl_rsa_check_key(const RSA *rsa, int operation) } #if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS) - if (ossl_securitycheck_enabled()) { + if (ossl_securitycheck_enabled(ctx)) { int sz = RSA_bits(rsa); if (protect ? (sz < 2048) : (sz < 1024)) { @@ -89,10 +89,10 @@ int ossl_rsa_check_key(const RSA *rsa, int operation) * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf * "Table 2" */ -int ossl_ec_check_key(const EC_KEY *ec, int protect) +int ossl_ec_check_key(OSSL_LIB_CTX *ctx, const EC_KEY *ec, int protect) { # if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS) - if (ossl_securitycheck_enabled()) { + if (ossl_securitycheck_enabled(ctx)) { int nid, strength; const char *curve_name; const EC_GROUP *group = EC_KEY_get0_group(ec); @@ -147,10 +147,10 @@ int ossl_ec_check_key(const EC_KEY *ec, int protect) * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf * "Table 2" */ -int ossl_dsa_check_key(const DSA *dsa, int sign) +int ossl_dsa_check_key(OSSL_LIB_CTX *ctx, const DSA *dsa, int sign) { # if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS) - if (ossl_securitycheck_enabled()) { + if (ossl_securitycheck_enabled(ctx)) { size_t L, N; const BIGNUM *p, *q; @@ -191,10 +191,10 @@ int ossl_dsa_check_key(const DSA *dsa, int sign) * "Section 5.5.1.1FFC Domain Parameter Selection/Generation" and * "Appendix D" FFC Safe-prime Groups */ -int ossl_dh_check_key(const DH *dh) +int ossl_dh_check_key(OSSL_LIB_CTX *ctx, const DH *dh) { # if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS) - if (ossl_securitycheck_enabled()) { + if (ossl_securitycheck_enabled(ctx)) { size_t L, N; const BIGNUM *p, *q; @@ -224,12 +224,13 @@ int ossl_dh_check_key(const DH *dh) } #endif /* OPENSSL_NO_DH */ -int ossl_digest_get_approved_nid_with_sha1(const EVP_MD *md, int sha1_allowed) +int ossl_digest_get_approved_nid_with_sha1(OSSL_LIB_CTX *ctx, const EVP_MD *md, + int sha1_allowed) { int mdnid = ossl_digest_get_approved_nid(md); # if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS) - if (ossl_securitycheck_enabled()) { + if (ossl_securitycheck_enabled(ctx)) { if (mdnid == NID_sha1 && !sha1_allowed) mdnid = NID_undef; } @@ -237,10 +238,10 @@ int ossl_digest_get_approved_nid_with_sha1(const EVP_MD *md, int sha1_allowed) return mdnid; } -int ossl_digest_is_allowed(const EVP_MD *md) +int ossl_digest_is_allowed(OSSL_LIB_CTX *ctx, const EVP_MD *md) { # if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS) - if (ossl_securitycheck_enabled()) + if (ossl_securitycheck_enabled(ctx)) return ossl_digest_get_approved_nid(md) != NID_undef; # endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */ return 1; diff --git a/providers/common/securitycheck_default.c b/providers/common/securitycheck_default.c index c3a9325a1f..de7f0d3a0a 100644 --- a/providers/common/securitycheck_default.c +++ b/providers/common/securitycheck_default.c @@ -17,12 +17,12 @@ #include "internal/nelem.h" /* Disable the security checks in the default provider */ -int ossl_securitycheck_enabled(void) +int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx) { return 0; } -int ossl_digest_rsa_sign_get_md_nid(const EVP_MD *md, +int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX *ctx, const EVP_MD *md, ossl_unused int sha1_allowed) { int mdnid; @@ -36,7 +36,7 @@ int ossl_digest_rsa_sign_get_md_nid(const EVP_MD *md, { NID_ripemd160, OSSL_DIGEST_NAME_RIPEMD160 }, }; - mdnid = ossl_digest_get_approved_nid_with_sha1(md, 1); + mdnid = ossl_digest_get_approved_nid_with_sha1(ctx, md, 1); if (mdnid == NID_undef) mdnid = ossl_digest_md_to_nid(md, name_to_nid, OSSL_NELEM(name_to_nid)); return mdnid; diff --git a/providers/common/securitycheck_fips.c b/providers/common/securitycheck_fips.c index 42e5f46009..b7659bd395 100644 --- a/providers/common/securitycheck_fips.c +++ b/providers/common/securitycheck_fips.c @@ -19,22 +19,23 @@ #include #include "prov/securitycheck.h" -extern int FIPS_security_check_enabled(void); +int FIPS_security_check_enabled(OSSL_LIB_CTX *libctx); -int ossl_securitycheck_enabled(void) +int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx) { #if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS) - return FIPS_security_check_enabled(); + return FIPS_security_check_enabled(libctx); #else return 0; #endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */ } -int ossl_digest_rsa_sign_get_md_nid(const EVP_MD *md, int sha1_allowed) +int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX *ctx, const EVP_MD *md, + int sha1_allowed) { #if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS) - if (ossl_securitycheck_enabled()) - return ossl_digest_get_approved_nid_with_sha1(md, sha1_allowed); + if (ossl_securitycheck_enabled(ctx)) + return ossl_digest_get_approved_nid_with_sha1(ctx, md, sha1_allowed); #endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */ return ossl_digest_get_approved_nid(md); } diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c index f6a405d58e..3c22d2a80c 100644 --- a/providers/fips/fipsprov.c +++ b/providers/fips/fipsprov.c @@ -7,6 +7,7 @@ * https://www.openssl.org/source/license.html */ +#include #include #include #include @@ -37,19 +38,13 @@ static OSSL_FUNC_provider_query_operation_fn fips_query; #define ALG(NAMES, FUNC) ALGC(NAMES, FUNC, NULL) extern OSSL_FUNC_core_thread_start_fn *c_thread_start; -int FIPS_security_check_enabled(void); +int FIPS_security_check_enabled(OSSL_LIB_CTX *libctx); /* - * TODO(3.0): Should these be stored in the provider side provctx? Could they - * ever be different from one init to the next? Unfortunately we can't do this - * at the moment because c_put_error/c_add_error_vdata do not provide - * us with the OSSL_LIB_CTX as a parameter. + * Should these function pointers be stored in the provider side provctx? Could + * they ever be different from one init to the next? We assume not for now. */ -static SELF_TEST_POST_PARAMS selftest_params; -static int fips_security_checks = 1; -static const char *fips_security_check_option = "1"; - /* Functions provided by the core */ static OSSL_FUNC_core_gettable_params_fn *c_gettable_params; static OSSL_FUNC_core_get_params_fn *c_get_params; @@ -77,12 +72,20 @@ static OSSL_FUNC_core_get_libctx_fn *c_get_libctx = NULL; typedef struct fips_global_st { const OSSL_CORE_HANDLE *handle; + SELF_TEST_POST_PARAMS selftest_params; + int fips_security_checks; + const char *fips_security_check_option; } FIPS_GLOBAL; static void *fips_prov_ossl_ctx_new(OSSL_LIB_CTX *libctx) { FIPS_GLOBAL *fgbl = OPENSSL_zalloc(sizeof(*fgbl)); + if (fgbl == NULL) + return NULL; + fgbl->fips_security_checks = 1; + fgbl->fips_security_check_option = "1"; + return fgbl; } @@ -107,38 +110,54 @@ static const OSSL_PARAM fips_param_types[] = { OSSL_PARAM_END }; -/* - * Parameters to retrieve from the core provider - required for self testing. - * NOTE: inside core_get_params() these will be loaded from config items - * stored inside prov->parameters (except for - * OSSL_PROV_PARAM_CORE_MODULE_FILENAME). - * OSSL_PROV_FIPS_PARAM_SECURITY_CHECKS is not a self test parameter. - */ -static OSSL_PARAM core_params[] = +static int fips_get_params_from_core(FIPS_GLOBAL *fgbl) { - OSSL_PARAM_utf8_ptr(OSSL_PROV_PARAM_CORE_MODULE_FILENAME, - &selftest_params.module_filename, - sizeof(selftest_params.module_filename)), - OSSL_PARAM_utf8_ptr(OSSL_PROV_FIPS_PARAM_MODULE_MAC, - &selftest_params.module_checksum_data, - sizeof(selftest_params.module_checksum_data)), - OSSL_PARAM_utf8_ptr(OSSL_PROV_FIPS_PARAM_INSTALL_MAC, - &selftest_params.indicator_checksum_data, - sizeof(selftest_params.indicator_checksum_data)), - OSSL_PARAM_utf8_ptr(OSSL_PROV_FIPS_PARAM_INSTALL_STATUS, - &selftest_params.indicator_data, - sizeof(selftest_params.indicator_data)), - OSSL_PARAM_utf8_ptr(OSSL_PROV_FIPS_PARAM_INSTALL_VERSION, - &selftest_params.indicator_version, - sizeof(selftest_params.indicator_version)), - OSSL_PARAM_utf8_ptr(OSSL_PROV_FIPS_PARAM_CONDITIONAL_ERRORS, - &selftest_params.conditional_error_check, - sizeof(selftest_params.conditional_error_check)), - OSSL_PARAM_utf8_ptr(OSSL_PROV_FIPS_PARAM_SECURITY_CHECKS, - &fips_security_check_option, - sizeof(fips_security_check_option)), - OSSL_PARAM_END -}; + /* + * Parameters to retrieve from the core provider - required for self testing. + * NOTE: inside core_get_params() these will be loaded from config items + * stored inside prov->parameters (except for + * OSSL_PROV_PARAM_CORE_MODULE_FILENAME). + * OSSL_PROV_FIPS_PARAM_SECURITY_CHECKS is not a self test parameter. + */ + OSSL_PARAM core_params[8], *p = core_params; + + *p++ = OSSL_PARAM_construct_utf8_ptr( + OSSL_PROV_PARAM_CORE_MODULE_FILENAME, + (char **)&fgbl->selftest_params.module_filename, + sizeof(fgbl->selftest_params.module_filename)); + *p++ = OSSL_PARAM_construct_utf8_ptr( + OSSL_PROV_FIPS_PARAM_MODULE_MAC, + (char **)&fgbl->selftest_params.module_checksum_data, + sizeof(fgbl->selftest_params.module_checksum_data)); + *p++ = OSSL_PARAM_construct_utf8_ptr( + OSSL_PROV_FIPS_PARAM_INSTALL_MAC, + (char **)&fgbl->selftest_params.indicator_checksum_data, + sizeof(fgbl->selftest_params.indicator_checksum_data)); + *p++ = OSSL_PARAM_construct_utf8_ptr( + OSSL_PROV_FIPS_PARAM_INSTALL_STATUS, + (char **)&fgbl->selftest_params.indicator_data, + sizeof(fgbl->selftest_params.indicator_data)); + *p++ = OSSL_PARAM_construct_utf8_ptr( + OSSL_PROV_FIPS_PARAM_INSTALL_VERSION, + (char **)&fgbl->selftest_params.indicator_version, + sizeof(fgbl->selftest_params.indicator_version)); + *p++ = OSSL_PARAM_construct_utf8_ptr( + OSSL_PROV_FIPS_PARAM_CONDITIONAL_ERRORS, + (char **)&fgbl->selftest_params.conditional_error_check, + sizeof(fgbl->selftest_params.conditional_error_check)); + *p++ = OSSL_PARAM_construct_utf8_ptr( + OSSL_PROV_FIPS_PARAM_SECURITY_CHECKS, + (char **)&fgbl->fips_security_check_option, + sizeof(fgbl->fips_security_check_option)); + *p = OSSL_PARAM_construct_end(); + + if (!c_get_params(fgbl->handle, core_params)) { + ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER); + return 0; + } + + return 1; +} static const OSSL_PARAM *fips_gettable_params(void *provctx) { @@ -148,6 +167,9 @@ static const OSSL_PARAM *fips_gettable_params(void *provctx) static int fips_get_params(void *provctx, OSSL_PARAM params[]) { OSSL_PARAM *p; + FIPS_GLOBAL *fgbl = ossl_lib_ctx_get_data(ossl_prov_ctx_get0_libctx(provctx), + OSSL_LIB_CTX_FIPS_PROV_INDEX, + &fips_prov_ossl_ctx_method); p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_NAME); if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "OpenSSL FIPS Provider")) @@ -162,26 +184,33 @@ static int fips_get_params(void *provctx, OSSL_PARAM params[]) if (p != NULL && !OSSL_PARAM_set_int(p, ossl_prov_is_running())) return 0; p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_SECURITY_CHECKS); - if (p != NULL && !OSSL_PARAM_set_int(p, fips_security_checks)) + if (p != NULL && !OSSL_PARAM_set_int(p, fgbl->fips_security_checks)) return 0; return 1; } -static void set_self_test_cb(const OSSL_CORE_HANDLE *handle) +static void set_self_test_cb(FIPS_GLOBAL *fgbl) { + const OSSL_CORE_HANDLE *handle = + FIPS_get_core_handle(fgbl->selftest_params.libctx); + if (c_stcbfn != NULL && c_get_libctx != NULL) { - c_stcbfn(c_get_libctx(handle), &selftest_params.cb, - &selftest_params.cb_arg); + c_stcbfn(c_get_libctx(handle), &fgbl->selftest_params.cb, + &fgbl->selftest_params.cb_arg); } else { - selftest_params.cb = NULL; - selftest_params.cb_arg = NULL; + fgbl->selftest_params.cb = NULL; + fgbl->selftest_params.cb_arg = NULL; } } static int fips_self_test(void *provctx) { - set_self_test_cb(FIPS_get_core_handle(selftest_params.libctx)); - return SELF_TEST_post(&selftest_params, 1) ? 1 : 0; + FIPS_GLOBAL *fgbl = ossl_lib_ctx_get_data(ossl_prov_ctx_get0_libctx(provctx), + OSSL_LIB_CTX_FIPS_PROV_INDEX, + &fips_prov_ossl_ctx_method); + + set_self_test_cb(fgbl); + return SELF_TEST_post(&fgbl->selftest_params, 1) ? 1 : 0; } /* @@ -506,6 +535,9 @@ int OSSL_provider_init(const OSSL_CORE_HANDLE *handle, { FIPS_GLOBAL *fgbl; OSSL_LIB_CTX *libctx = NULL; + SELF_TEST_POST_PARAMS selftest_params; + + memset(&selftest_params, 0, sizeof(selftest_params)); if (!ossl_prov_seeding_from_dispatch(in)) return 0; @@ -578,7 +610,8 @@ int OSSL_provider_init(const OSSL_CORE_HANDLE *handle, selftest_params.bio_new_file_cb = OSSL_FUNC_BIO_new_file(in); break; case OSSL_FUNC_BIO_NEW_MEMBUF: - selftest_params.bio_new_buffer_cb = OSSL_FUNC_BIO_new_membuf(in); + selftest_params.bio_new_buffer_cb + = OSSL_FUNC_BIO_new_membuf(in); break; case OSSL_FUNC_BIO_READ_EX: selftest_params.bio_read_ex_cb = OSSL_FUNC_BIO_read_ex(in); @@ -598,22 +631,6 @@ int OSSL_provider_init(const OSSL_CORE_HANDLE *handle, } } - set_self_test_cb(handle); - - if (!c_get_params(handle, core_params)) { - ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER); - return 0; - } - /* Disable the conditional error check if is disabled in the fips config file*/ - if (selftest_params.conditional_error_check != NULL - && strcmp(selftest_params.conditional_error_check, "0") == 0) - SELF_TEST_disable_conditional_error_state(); - - /* Disable the security check if is disabled in the fips config file*/ - if (fips_security_check_option != NULL - && strcmp(fips_security_check_option, "0") == 0) - fips_security_checks = 0; - /* Create a context. */ if ((*provctx = ossl_prov_ctx_new()) == NULL || (libctx = OSSL_LIB_CTX_new()) == NULL) { @@ -634,10 +651,37 @@ int OSSL_provider_init(const OSSL_CORE_HANDLE *handle, fgbl->handle = handle; + /* + * We did initial set up of selftest_params in a local copy, because we + * could not create fgbl until c_CRYPTO_zalloc was defined in the loop + * above. + */ + fgbl->selftest_params = selftest_params; + + fgbl->selftest_params.libctx = libctx; + + set_self_test_cb(fgbl); + + if (!fips_get_params_from_core(fgbl)) { + /* Error already raised */ + return 0; + } + /* + * Disable the conditional error check if is disabled in the fips config + * file + */ + if (fgbl->selftest_params.conditional_error_check != NULL + && strcmp(fgbl->selftest_params.conditional_error_check, "0") == 0) + SELF_TEST_disable_conditional_error_state(); + + /* Disable the security check if is disabled in the fips config file */ + if (fgbl->fips_security_check_option != NULL + && strcmp(fgbl->fips_security_check_option, "0") == 0) + fgbl->fips_security_checks = 0; + ossl_prov_cache_exported_algorithms(fips_ciphers, exported_fips_ciphers); - selftest_params.libctx = libctx; - if (!SELF_TEST_post(&selftest_params, 0)) { + if (!SELF_TEST_post(&fgbl->selftest_params, 0)) { ERR_raise(ERR_LIB_PROV, PROV_R_SELF_TEST_POST_FAILURE); goto err; } @@ -819,16 +863,19 @@ int BIO_snprintf(char *buf, size_t n, const char *format, ...) return ret; } -int FIPS_security_check_enabled(void) +int FIPS_security_check_enabled(OSSL_LIB_CTX *libctx) { - return fips_security_checks; + FIPS_GLOBAL *fgbl = ossl_lib_ctx_get_data(libctx, + OSSL_LIB_CTX_FIPS_PROV_INDEX, + &fips_prov_ossl_ctx_method); + + return fgbl->fips_security_checks; } void OSSL_SELF_TEST_get_callback(OSSL_LIB_CTX *libctx, OSSL_CALLBACK **cb, void **cbarg) { - if (libctx == NULL) - libctx = selftest_params.libctx; + assert(libctx != NULL); if (c_stcbfn != NULL && c_get_libctx != NULL) { /* Get the parent libctx */ diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c index ab84d53512..354c234939 100644 --- a/providers/implementations/asymciphers/rsa_enc.c +++ b/providers/implementations/asymciphers/rsa_enc.c @@ -99,7 +99,7 @@ static int rsa_init(void *vprsactx, void *vrsa, const OSSL_PARAM params[], if (!ossl_prov_is_running() || prsactx == NULL || vrsa == NULL) return 0; - if (!ossl_rsa_check_key(vrsa, operation)) + if (!ossl_rsa_check_key(prsactx->libctx, vrsa, operation)) return 0; if (!RSA_up_ref(vrsa)) diff --git a/providers/implementations/exchange/dh_exch.c b/providers/implementations/exchange/dh_exch.c index 0ecc6c7a4c..67a73d36ef 100644 --- a/providers/implementations/exchange/dh_exch.c +++ b/providers/implementations/exchange/dh_exch.c @@ -105,7 +105,8 @@ static int dh_init(void *vpdhctx, void *vdh, const OSSL_PARAM params[]) DH_free(pdhctx->dh); pdhctx->dh = vdh; pdhctx->kdf_type = PROV_DH_KDF_NONE; - return dh_set_ctx_params(pdhctx, params) && ossl_dh_check_key(vdh); + return dh_set_ctx_params(pdhctx, params) + && ossl_dh_check_key(pdhctx->libctx, vdh); } /* The 2 parties must share the same domain parameters */ @@ -345,7 +346,7 @@ static int dh_set_ctx_params(void *vpdhctx, const OSSL_PARAM params[]) EVP_MD_free(pdhctx->kdf_md); pdhctx->kdf_md = EVP_MD_fetch(pdhctx->libctx, name, mdprops); - if (!ossl_digest_is_allowed(pdhctx->kdf_md)) { + if (!ossl_digest_is_allowed(pdhctx->libctx, pdhctx->kdf_md)) { EVP_MD_free(pdhctx->kdf_md); pdhctx->kdf_md = NULL; } diff --git a/providers/implementations/exchange/ecdh_exch.c b/providers/implementations/exchange/ecdh_exch.c index ba2b493a76..7748340248 100644 --- a/providers/implementations/exchange/ecdh_exch.c +++ b/providers/implementations/exchange/ecdh_exch.c @@ -113,7 +113,7 @@ int ecdh_init(void *vpecdhctx, void *vecdh, const OSSL_PARAM params[]) pecdhctx->cofactor_mode = -1; pecdhctx->kdf_type = PROV_ECDH_KDF_NONE; return ecdh_set_ctx_params(pecdhctx, params) - && ossl_ec_check_key(vecdh, 1); + && ossl_ec_check_key(pecdhctx->libctx, vecdh, 1); } static @@ -147,7 +147,7 @@ int ecdh_set_peer(void *vpecdhctx, void *vecdh) || pecdhctx == NULL || vecdh == NULL || !ecdh_match_params(pecdhctx->k, vecdh) - || !ossl_ec_check_key(vecdh, 1) + || !ossl_ec_check_key(pecdhctx->libctx, vecdh, 1) || !EC_KEY_up_ref(vecdh)) return 0; @@ -283,7 +283,7 @@ int ecdh_set_ctx_params(void *vpecdhctx, const OSSL_PARAM params[]) EVP_MD_free(pectx->kdf_md); pectx->kdf_md = EVP_MD_fetch(pectx->libctx, name, mdprops); - if (!ossl_digest_is_allowed(pectx->kdf_md)) { + if (!ossl_digest_is_allowed(pectx->libctx, pectx->kdf_md)) { EVP_MD_free(pectx->kdf_md); pectx->kdf_md = NULL; } diff --git a/providers/implementations/kem/rsa_kem.c b/providers/implementations/kem/rsa_kem.c index 3809bfb8b1..9aa0a7aaee 100644 --- a/providers/implementations/kem/rsa_kem.c +++ b/providers/implementations/kem/rsa_kem.c @@ -125,7 +125,7 @@ static int rsakem_init(void *vprsactx, void *vrsa, if (prsactx == NULL || vrsa == NULL) return 0; - if (!ossl_rsa_check_key(vrsa, operation)) + if (!ossl_rsa_check_key(prsactx->libctx, vrsa, operation)) return 0; if (!RSA_up_ref(vrsa)) diff --git a/providers/implementations/signature/dsa.c b/providers/implementations/signature/dsa.c index 88a8102cff..dde689903d 100644 --- a/providers/implementations/signature/dsa.c +++ b/providers/implementations/signature/dsa.c @@ -127,7 +127,8 @@ static int dsa_setup_md(PROV_DSA_CTX *ctx, int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN); WPACKET pkt; EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops); - int md_nid = ossl_digest_get_approved_nid_with_sha1(md, sha1_allowed); + int md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md, + sha1_allowed); size_t mdname_len = strlen(mdname); if (md == NULL || md_nid == NID_undef) { @@ -188,7 +189,8 @@ static int dsa_signverify_init(void *vpdsactx, void *vdsa, if (!dsa_set_ctx_params(pdsactx, params)) return 0; - if (!ossl_dsa_check_key(vdsa, operation == EVP_PKEY_OP_SIGN)) { + if (!ossl_dsa_check_key(pdsactx->libctx, vdsa, + operation == EVP_PKEY_OP_SIGN)) { ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); return 0; } diff --git a/providers/implementations/signature/ecdsa.c b/providers/implementations/signature/ecdsa.c index 4f90032af3..8c4648106f 100644 --- a/providers/implementations/signature/ecdsa.c +++ b/providers/implementations/signature/ecdsa.c @@ -140,7 +140,7 @@ static int ecdsa_signverify_init(void *vctx, void *ec, ctx->operation = operation; if (!ecdsa_set_ctx_params(ctx, params)) return 0; - return ossl_ec_check_key(ec, operation == EVP_PKEY_OP_SIGN); + return ossl_ec_check_key(ctx->libctx, ec, operation == EVP_PKEY_OP_SIGN); } static int ecdsa_sign_init(void *vctx, void *ec, const OSSL_PARAM params[]) @@ -225,7 +225,8 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx, const char *mdname, return 0; } sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN); - md_nid = ossl_digest_get_approved_nid_with_sha1(md, sha1_allowed); + md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md, + sha1_allowed); if (md_nid == NID_undef) { ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED, "digest=%s", mdname); diff --git a/providers/implementations/signature/rsa.c b/providers/implementations/signature/rsa.c index 96366a9a6b..16025bffc0 100644 --- a/providers/implementations/signature/rsa.c +++ b/providers/implementations/signature/rsa.c @@ -284,7 +284,8 @@ static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname, if (mdname != NULL) { EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops); int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN); - int md_nid = ossl_digest_rsa_sign_get_md_nid(md, sha1_allowed); + int md_nid = ossl_digest_rsa_sign_get_md_nid(ctx->libctx, md, + sha1_allowed); size_t mdname_len = strlen(mdname); if (md == NULL @@ -343,7 +344,7 @@ static int rsa_setup_mgf1_md(PROV_RSA_CTX *ctx, const char *mdname, return 0; } /* The default for mgf1 is SHA1 - so allow SHA1 */ - if ((mdnid = ossl_digest_rsa_sign_get_md_nid(md, 1)) == NID_undef + if ((mdnid = ossl_digest_rsa_sign_get_md_nid(ctx->libctx, md, 1)) == NID_undef || !rsa_check_padding(ctx, NULL, mdname, mdnid)) { if (mdnid == NID_undef) ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED, @@ -377,7 +378,7 @@ static int rsa_signverify_init(void *vprsactx, void *vrsa, if (prsactx == NULL || vrsa == NULL) return 0; - if (!ossl_rsa_check_key(vrsa, operation)) + if (!ossl_rsa_check_key(prsactx->libctx, vrsa, operation)) return 0; if (!RSA_up_ref(vrsa))