exchange: add FIPS error state handling
The functions that check for the provider being runnable are: newctx, dupctx,
init, derive and set peer.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from #12801)
paulidale committed Sep 12, 2020
1 parent 2b9e4e9 commit ca94057
Showing 4 changed files with 70 additions and 9 deletions.
23 changes: 20 additions & 3 deletions providers/implementations/exchange/dh_exch.c
Expand Up @@ -20,6 +20,7 @@
#include <openssl/dh.h>
#include <openssl/err.h>
#include <openssl/params.h>
#include "prov/providercommon.h"
#include "prov/implementations.h"
#include "prov/provider_ctx.h"
#include "crypto/dh.h"
Expand Down Expand Up @@ -77,8 +78,12 @@ typedef struct {

static void *dh_newctx(void *provctx)
{
PROV_DH_CTX *pdhctx = OPENSSL_zalloc(sizeof(PROV_DH_CTX));
PROV_DH_CTX *pdhctx;

if (!ossl_prov_is_running())
return NULL;

pdhctx = OPENSSL_zalloc(sizeof(PROV_DH_CTX));
if (pdhctx == NULL)
return NULL;
pdhctx->libctx = PROV_LIBRARY_CONTEXT_OF(provctx);
Expand All @@ -90,7 +95,10 @@ static int dh_init(void *vpdhctx, void *vdh)
{
PROV_DH_CTX *pdhctx = (PROV_DH_CTX *)vpdhctx;

if (pdhctx == NULL || vdh == NULL || !DH_up_ref(vdh))
if (!ossl_prov_is_running()
|| pdhctx == NULL
|| vdh == NULL
|| !DH_up_ref(vdh))
return 0;
DH_free(pdhctx->dh);
pdhctx->dh = vdh;
Expand All @@ -102,7 +110,10 @@ static int dh_set_peer(void *vpdhctx, void *vdh)
{
PROV_DH_CTX *pdhctx = (PROV_DH_CTX *)vpdhctx;

if (pdhctx == NULL || vdh == NULL || !DH_up_ref(vdh))
if (!ossl_prov_is_running()
|| pdhctx == NULL
|| vdh == NULL
|| !DH_up_ref(vdh))
return 0;
DH_free(pdhctx->dhpeer);
pdhctx->dhpeer = vdh;
Expand Down Expand Up @@ -189,6 +200,9 @@ static int dh_derive(void *vpdhctx, unsigned char *secret,
{
PROV_DH_CTX *pdhctx = (PROV_DH_CTX *)vpdhctx;

if (!ossl_prov_is_running())
return 0;

switch (pdhctx->kdf_type) {
case PROV_DH_KDF_NONE:
return dh_plain_derive(pdhctx, secret, psecretlen, outlen);
Expand Down Expand Up @@ -219,6 +233,9 @@ static void *dh_dupctx(void *vpdhctx)
PROV_DH_CTX *srcctx = (PROV_DH_CTX *)vpdhctx;
PROV_DH_CTX *dstctx;

if (!ossl_prov_is_running())
return NULL;

dstctx = OPENSSL_zalloc(sizeof(*srcctx));
if (dstctx == NULL)
return NULL;
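Review bot: In dh_init and dh_set_peer the new `!ossl_prov_is_running()` test only keeps `DH_up_ref(vdh)` from running because it is the first operand of the `||` chain, and nothing in the code records that the order matters. If a later edit moves it behind the up-ref, the refusal path would return 0 with a reference already taken and never released. ecx_init and ecx_set_peer in this same commit use a standalone `if (!ossl_prov_is_running()) return 0;` ahead of the argument checks, which makes the ordering explicit. Either use that form here or add a comment such as `/* keep first: must short-circuit before the up-ref */` above the condition. The same applies to ecdh_init, ecdh_set_peer and kdf_init.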
20 changes: 17 additions & 3 deletions providers/implementations/exchange/ecdh_exch.c
Expand Up @@ -22,6 +22,7 @@
#include <openssl/params.h>
#include <openssl/err.h>
#include "prov/provider_ctx.h"
#include "prov/providercommon.h"
#include "prov/implementations.h"
#include "crypto/ec.h" /* ecdh_KDF_X9_63() */

Expand Down Expand Up @@ -79,8 +80,12 @@ typedef struct {
static
void *ecdh_newctx(void *provctx)
{
PROV_ECDH_CTX *pectx = OPENSSL_zalloc(sizeof(*pectx));
PROV_ECDH_CTX *pectx;

if (!ossl_prov_is_running())
return NULL;

pectx = OPENSSL_zalloc(sizeof(*pectx));
if (pectx == NULL)
return NULL;

Expand All @@ -96,7 +101,10 @@ int ecdh_init(void *vpecdhctx, void *vecdh)
{
PROV_ECDH_CTX *pecdhctx = (PROV_ECDH_CTX *)vpecdhctx;

if (pecdhctx == NULL || vecdh == NULL || !EC_KEY_up_ref(vecdh))
if (!ossl_prov_is_running()
|| pecdhctx == NULL
|| vecdh == NULL
|| !EC_KEY_up_ref(vecdh))
return 0;
EC_KEY_free(pecdhctx->k);
pecdhctx->k = vecdh;
Expand All @@ -110,7 +118,10 @@ int ecdh_set_peer(void *vpecdhctx, void *vecdh)
{
PROV_ECDH_CTX *pecdhctx = (PROV_ECDH_CTX *)vpecdhctx;

if (pecdhctx == NULL || vecdh == NULL || !EC_KEY_up_ref(vecdh))
if (!ossl_prov_is_running()
|| pecdhctx == NULL
|| vecdh == NULL
|| !EC_KEY_up_ref(vecdh))
return 0;
EC_KEY_free(pecdhctx->peerk);
pecdhctx->peerk = vecdh;
Expand All @@ -137,6 +148,9 @@ void *ecdh_dupctx(void *vpecdhctx)
PROV_ECDH_CTX *srcctx = (PROV_ECDH_CTX *)vpecdhctx;
PROV_ECDH_CTX *dstctx;

if (!ossl_prov_is_running())
return NULL;

dstctx = OPENSSL_zalloc(sizeof(*srcctx));
if (dstctx == NULL)
return NULL;
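Review bot: No hunk in this file adds the running-state check to the ECDH derive function, although the commit description lists derive among the guarded operations and dh_derive, ecx_derive and kdf_derive each gain one. The 17 additions reported for this file are fully accounted for by the include, ecdh_newctx, ecdh_init, ecdh_set_peer and ecdh_dupctx hunks. Unless the derive entry point was already guarded before this commit (its body is not shown here), shared-secret derivation on an already initialised ECDH context would still proceed after the module enters the error state. Consider adding `if (!ossl_prov_is_running()) return 0;` at the top of the derive function in this file, matching dh_derive.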
19 changes: 18 additions & 1 deletion providers/implementations/exchange/ecx_exch.c
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@
#include "internal/cryptlib.h"
#include "crypto/ecx.h"
#include "prov/implementations.h"
#include "prov/providercommon.h"
#include "prov/providercommonerr.h"
#ifdef S390X_EC_ASM
# include "s390x_arch.h"
Expand Down Expand Up @@ -42,8 +43,12 @@ typedef struct {

static void *ecx_newctx(void *provctx, size_t keylen)
{
PROV_ECX_CTX *ctx = OPENSSL_zalloc(sizeof(PROV_ECX_CTX));
PROV_ECX_CTX *ctx;

if (!ossl_prov_is_running())
return NULL;

ctx = OPENSSL_zalloc(sizeof(PROV_ECX_CTX));
if (ctx == NULL) {
ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
return NULL;
Expand All @@ -69,6 +74,9 @@ static int ecx_init(void *vecxctx, void *vkey)
PROV_ECX_CTX *ecxctx = (PROV_ECX_CTX *)vecxctx;
ECX_KEY *key = vkey;

if (!ossl_prov_is_running())
return 0;

if (ecxctx == NULL
|| key == NULL
|| key->keylen != ecxctx->keylen
Expand All @@ -88,6 +96,9 @@ static int ecx_set_peer(void *vecxctx, void *vkey)
PROV_ECX_CTX *ecxctx = (PROV_ECX_CTX *)vecxctx;
ECX_KEY *key = vkey;

if (!ossl_prov_is_running())
return 0;

if (ecxctx == NULL
|| key == NULL
|| key->keylen != ecxctx->keylen
Expand All @@ -106,6 +117,9 @@ static int ecx_derive(void *vecxctx, unsigned char *secret, size_t *secretlen,
{
PROV_ECX_CTX *ecxctx = (PROV_ECX_CTX *)vecxctx;

if (!ossl_prov_is_running())
return 0;

if (ecxctx->key == NULL
|| ecxctx->key->privkey == NULL
|| ecxctx->peerkey == NULL) {
Expand Down Expand Up @@ -179,6 +193,9 @@ static void *ecx_dupctx(void *vecxctx)
PROV_ECX_CTX *srcctx = (PROV_ECX_CTX *)vecxctx;
PROV_ECX_CTX *dstctx;

if (!ossl_prov_is_running())
return NULL;

dstctx = OPENSSL_zalloc(sizeof(*srcctx));
if (dstctx == NULL) {
ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
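Review bot: ecx_derive reads `ecxctx->key` immediately after the new guard without testing `ecxctx` itself, whereas ecx_init and ecx_set_peer in this file reject `ecxctx == NULL`. The dispatch layer may already guarantee a non-NULL context, but since the commit is hardening the entry of each function, making the checks uniform is cheap, e.g. `if (ecxctx == NULL || ecxctx->key == NULL`. dh_derive (`pdhctx->kdf_type`) and kdf_derive (`pkdfctx->kdfctx`, `*secretlen`) dereference their arguments the same way. The bodies of these functions continue outside the hunks.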
17 changes: 15 additions & 2 deletions providers/implementations/exchange/kdf_exch.c
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@
#include "prov/implementations.h"
#include "prov/provider_ctx.h"
#include "prov/kdfexchange.h"
#include "prov/providercommon.h"

static OSSL_FUNC_keyexch_newctx_fn kdf_tls1_prf_newctx;
static OSSL_FUNC_keyexch_newctx_fn kdf_hkdf_newctx;
Expand All @@ -36,9 +37,13 @@ typedef struct {

static void *kdf_newctx(const char *kdfname, void *provctx)
{
PROV_KDF_CTX *kdfctx = OPENSSL_zalloc(sizeof(PROV_KDF_CTX));
PROV_KDF_CTX *kdfctx;
EVP_KDF *kdf = NULL;

if (!ossl_prov_is_running())
return NULL;

kdfctx = OPENSSL_zalloc(sizeof(PROV_KDF_CTX));
if (kdfctx == NULL)
return NULL;

Expand Down Expand Up @@ -73,7 +78,10 @@ static int kdf_init(void *vpkdfctx, void *vkdf)
{
PROV_KDF_CTX *pkdfctx = (PROV_KDF_CTX *)vpkdfctx;

if (pkdfctx == NULL || vkdf == NULL || !kdf_data_up_ref(vkdf))
if (!ossl_prov_is_running()
|| pkdfctx == NULL
|| vkdf == NULL
|| !kdf_data_up_ref(vkdf))
return 0;
pkdfctx->kdfdata = vkdf;

Expand All @@ -85,6 +93,8 @@ static int kdf_derive(void *vpkdfctx, unsigned char *secret, size_t *secretlen,
{
PROV_KDF_CTX *pkdfctx = (PROV_KDF_CTX *)vpkdfctx;

if (!ossl_prov_is_running())
return 0;
return EVP_KDF_derive(pkdfctx->kdfctx, secret, *secretlen);
}

Expand All @@ -103,6 +113,9 @@ static void *kdf_dupctx(void *vpkdfctx)
PROV_KDF_CTX *srcctx = (PROV_KDF_CTX *)vpkdfctx;
PROV_KDF_CTX *dstctx;

if (!ossl_prov_is_running())
return NULL;

dstctx = OPENSSL_zalloc(sizeof(*srcctx));
if (dstctx == NULL)
return NULL;
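Review bot: kdf_init overwrites `pkdfctx->kdfdata` right after `kdf_data_up_ref(vkdf)` without releasing the value it replaces, so a second init on the same context appears to leak the earlier reference. dh_init and ecdh_init in this commit free the old key first (`DH_free(pdhctx->dh);`, `EC_KEY_free(pecdhctx->k);`). Release the previous data before the assignment using the release counterpart of `kdf_data_up_ref` (presumably `kdf_data_free(pkdfctx->kdfdata);`, to be confirmed against prov/kdfexchange.h). Separately, kdf_derive is the only function in the commit where the new guard is not followed by a blank line.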