seal: make EVP_SealInit() library context aware

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15300)

diff --git a/crypto/evp/p_seal.c b/crypto/evp/p_seal.c
index 9371d110e9a546b403d5a8ad365989c6b2337c58..76d3278b8cb021b5a8327e72ee176c79d33a836a 100644 (file)
--- a/crypto/evp/p_seal.c
+++ b/crypto/evp/p_seal.c
@@ -9,6 +9,7 @@
 
 #include <stdio.h>
 #include "internal/cryptlib.h"
+#include "internal/provider.h"
 #include <openssl/rand.h>
 #include <openssl/rsa.h>
 #include <openssl/evp.h>
@@ -20,6 +21,9 @@ int EVP_SealInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
                  EVP_PKEY **pubk, int npubk)
 {
     unsigned char key[EVP_MAX_KEY_LENGTH];
+    const OSSL_PROVIDER *prov = EVP_CIPHER_provider(type);
+    OSSL_LIB_CTX *libctx = prov != NULL ? ossl_provider_libctx(prov) : NULL;
+    EVP_PKEY_CTX *pctx = NULL;
     int i, len;
     int rv = 0;
 
@@ -35,7 +39,7 @@ int EVP_SealInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
         return 0;
 
     len = EVP_CIPHER_CTX_iv_length(ctx);
-    if (len < 0 || RAND_bytes(iv, len) <= 0)
+    if (len < 0 || RAND_priv_bytes_ex(libctx, iv, len) <= 0)
         goto err;
 
     len = EVP_CIPHER_CTX_key_length(ctx);
@@ -47,9 +51,9 @@ int EVP_SealInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
 
     for (i = 0; i < npubk; i++) {
         size_t keylen = len;
-        EVP_PKEY_CTX *pctx = NULL;
 
-        if ((pctx = EVP_PKEY_CTX_new(pubk[i], NULL)) == NULL) {
+        pctx = EVP_PKEY_CTX_new_from_pkey(libctx, pubk[i], NULL);
+        if (pctx == NULL) {
             ERR_raise(ERR_LIB_EVP, ERR_R_MALLOC_FAILURE);
             goto err;
         }
@@ -60,8 +64,10 @@ int EVP_SealInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
         ekl[i] = (int)keylen;
         EVP_PKEY_CTX_free(pctx);
     }
+    pctx = NULL;
     rv = npubk;
 err:
+    EVP_PKEY_CTX_free(pctx);
     OPENSSL_cleanse(key, sizeof(key));
     return rv;
 }

diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c
index 56522e4af9e71f74666ed337c9daeea098a16800..10ab4bfc9e63f8c71e7ae89ae910db4b9113b4c9 100644 (file)
--- a/test/evp_extra_test.c
+++ b/test/evp_extra_test.c
@@ -818,7 +818,11 @@ static int test_EC_priv_only_legacy(void)
 # endif /* OPENSSL_NO_DEPRECATED_3_0 */
 #endif /* OPENSSL_NO_EC */
 
-static int test_EVP_Enveloped(void)
+/*
+ * n = 0 => test using legacy cipher
+ * n = 1 => test using fetched cipher
+ */
+static int test_EVP_Enveloped(int n)
 {
     int ret = 0;
     EVP_CIPHER_CTX *ctx = NULL;
@@ -828,12 +832,16 @@ static int test_EVP_Enveloped(void)
     static const unsigned char msg[] = { 1, 2, 3, 4, 5, 6, 7, 8 };
     int len, kek_len, ciphertext_len, plaintext_len;
     unsigned char ciphertext[32], plaintext[16];
-    const EVP_CIPHER *type = NULL;
+    EVP_CIPHER *type = NULL;
 
     if (nullprov != NULL)
         return TEST_skip("Test does not support a non-default library context");
 
-    type = EVP_aes_256_cbc();
+    if (n == 0)
+        type = (EVP_CIPHER *)EVP_aes_256_cbc();
+    else if (!TEST_ptr(type = EVP_CIPHER_fetch(testctx, "AES-256-CBC",
+                                               testpropq)))
+        goto err;
 
     if (!TEST_ptr(keypair = load_example_rsa_key())
             || !TEST_ptr(kek = OPENSSL_zalloc(EVP_PKEY_size(keypair)))
@@ -860,6 +868,8 @@ static int test_EVP_Enveloped(void)
 
     ret = 1;
 err:
+    if (n != 0)
+        EVP_CIPHER_free(type);
     OPENSSL_free(kek);
     EVP_PKEY_free(keypair);
     EVP_CIPHER_CTX_free(ctx);
@@ -2925,7 +2935,7 @@ int setup_tests(void)
     ADD_ALL_TESTS(test_EVP_DigestSignInit, 9);
     ADD_TEST(test_EVP_DigestVerifyInit);
     ADD_TEST(test_EVP_Digest);
-    ADD_TEST(test_EVP_Enveloped);
+    ADD_ALL_TESTS(test_EVP_Enveloped, 2);
     ADD_ALL_TESTS(test_d2i_AutoPrivateKey, OSSL_NELEM(keydata));
     ADD_TEST(test_privatekey_to_pkcs8);
     ADD_TEST(test_EVP_PKCS82PKEY_wrong_tag);