/*
- * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
#include <openssl/params.h>
#include <openssl/evp.h>
#include <openssl/err.h>
+#include <openssl/proverr.h>
#include "internal/nelem.h"
#include "internal/sizes.h"
#include "internal/cryptlib.h"
#include "prov/providercommon.h"
#include "prov/implementations.h"
-#include "prov/providercommonerr.h"
#include "prov/provider_ctx.h"
-#include "prov/provider_util.h"
+#include "prov/securitycheck.h"
#include "crypto/dsa.h"
#include "prov/der_dsa.h"
*/
typedef struct {
- OPENSSL_CTX *libctx;
+ OSSL_LIB_CTX *libctx;
char *propq;
DSA *dsa;
/* main digest */
EVP_MD *md;
EVP_MD_CTX *mdctx;
- size_t mdsize;
int operation;
-
} PROV_DSA_CTX;
-/*
- * Check for valid key sizes if fips mode. Refer to
- * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf
- * "Table 2"
- */
-static int dsa_check_key_size(const PROV_DSA_CTX *ctx)
-{
-#ifdef FIPS_MODULE
- size_t L, N;
- const BIGNUM *p, *q;
- DSA *dsa = ctx->dsa;
-
- if (dsa == NULL)
- return 0;
-
- p = DSA_get0_p(dsa);
- q = DSA_get0_q(dsa);
- if (p == NULL || q == NULL)
- return 0;
-
- L = BN_num_bits(p);
- N = BN_num_bits(q);
-
- /*
- * Valid sizes or verification - Note this could be a fips186-2 type
- * key - so we allow 512 also. When this is no longer suppported the
- * lower bound should be increased to 1024.
- */
- if (ctx->operation != EVP_PKEY_OP_SIGN)
- return (L >= 512 && N >= 160);
-
- /* Valid sizes for both sign and verify */
- if (L == 2048 && (N == 224 || N == 256))
- return 1;
- return (L == 3072 && N == 256);
-#else
- return 1;
-#endif
-}
static size_t dsa_get_md_size(const PROV_DSA_CTX *pdsactx)
{
return 0;
}
-static int dsa_get_md_nid(const PROV_DSA_CTX *ctx, const EVP_MD *md)
-{
- int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
-
- return ossl_prov_digest_get_approved_nid(md, sha1_allowed);
-}
-
static void *dsa_newctx(void *provctx, const char *propq)
{
PROV_DSA_CTX *pdsactx;
if (pdsactx == NULL)
return NULL;
- pdsactx->libctx = PROV_LIBRARY_CONTEXT_OF(provctx);
+ pdsactx->libctx = PROV_LIBCTX_OF(provctx);
pdsactx->flag_allow_md = 1;
if (propq != NULL && (pdsactx->propq = OPENSSL_strdup(propq)) == NULL) {
OPENSSL_free(pdsactx);
mdprops = ctx->propq;
if (mdname != NULL) {
+ int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
WPACKET pkt;
EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops);
- int md_nid = dsa_get_md_nid(ctx, md);
+ int md_nid = ossl_digest_get_approved_nid_with_sha1(md, sha1_allowed);
size_t mdname_len = strlen(mdname);
if (md == NULL || md_nid == NID_undef) {
*/
ctx->aid_len = 0;
if (WPACKET_init_der(&pkt, ctx->aid_buf, sizeof(ctx->aid_buf))
- && DER_w_algorithmIdentifier_DSA_with_MD(&pkt, -1, ctx->dsa,
- md_nid)
+ && ossl_DER_w_algorithmIdentifier_DSA_with_MD(&pkt, -1, ctx->dsa,
+ md_nid)
&& WPACKET_finish(&pkt)) {
WPACKET_get_total_written(&pkt, &ctx->aid_len);
ctx->aid = WPACKET_get_curr(&pkt);
DSA_free(pdsactx->dsa);
pdsactx->dsa = vdsa;
pdsactx->operation = operation;
- if (!dsa_check_key_size(pdsactx)) {
+ if (!ossl_dsa_check_key(vdsa, operation == EVP_PKEY_OP_SIGN)) {
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
return 0;
}
if (mdsize != 0 && tbslen != mdsize)
return 0;
- ret = dsa_sign_int(0, tbs, tbslen, sig, &sltmp, pdsactx->dsa);
+ ret = ossl_dsa_sign_int(0, tbs, tbslen, sig, &sltmp, pdsactx->dsa);
if (ret <= 0)
return 0;
ctx->propq = NULL;
ctx->mdctx = NULL;
ctx->md = NULL;
- ctx->mdsize = 0;
DSA_free(ctx->dsa);
OPENSSL_free(ctx);
}
dstctx->dsa = NULL;
dstctx->md = NULL;
dstctx->mdctx = NULL;
+ dstctx->propq = NULL;
if (srcctx->dsa != NULL && !DSA_up_ref(srcctx->dsa))
goto err;
|| !EVP_MD_CTX_copy_ex(dstctx->mdctx, srcctx->mdctx))
goto err;
}
+ if (srcctx->propq != NULL) {
+ dstctx->propq = OPENSSL_strdup(srcctx->propq);
+ if (dstctx->propq == NULL)
+ goto err;
+ }
return dstctx;
err:
return EVP_MD_settable_ctx_params(pdsactx->md);
}
-const OSSL_DISPATCH dsa_signature_functions[] = {
+const OSSL_DISPATCH ossl_dsa_signature_functions[] = {
{ OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))dsa_newctx },
{ OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))dsa_sign_init },
{ OSSL_FUNC_SIGNATURE_SIGN, (void (*)(void))dsa_sign },