[openssl] master update
Dr. Paul Dale
pauli at openssl.org
Sat Sep 12 06:50:06 UTC 2020
The branch master has been updated
via 35e6ea3bdc2741c1818337e75756b45d6a2a6122 (commit)
via 801ed9edbad11b3f0646b396c672dbae33353de2 (commit)
via 5736923f12af58fea158c86291307c41c9f2c859 (commit)
via f99d3eedf7c3e1e2b10aad911f469f1fc783a395 (commit)
via 422cbcee6167faa20f439726a8b7bff0af51edc9 (commit)
via f590a5ea1ad7597c10dacab7c3a8c786cf4a7ea7 (commit)
via ca94057fc3aabdcdd87c6c6cc9b68459bd433fc7 (commit)
via 2b9e4e956b37ee49b29a73c7782f525ac8c58cc5 (commit)
via 5b104a81f088ae0da6b0d2d2c746237694ab0a2c (commit)
via aef30ad0b6811fd6ef1232ec67d24a77c17831ba (commit)
via 87fe138d35035617ed41a203eacbdec4395e3753 (commit)
via 1c1daab94cdec0a26139fd70e3382ab4a076531e (commit)
via 6cf37302677a87539fd017e3466813510ce51023 (commit)
via eab7b4240dc87e27d8b12b5af23d3cf20dd06f55 (commit)
from 5e8cd0a4f48f06df2542e7c74dcbb4310bce7c4c (commit)
- Log -----------------------------------------------------------------
commit 35e6ea3bdc2741c1818337e75756b45d6a2a6122
Author: Shane Lontis <shane.lontis at oracle.com>
Date: Thu Sep 10 14:01:30 2020 +1000
keygen: add FIPS error state management to conditional self tests
Reviewed-by: Matt Caswell <matt at openssl.org>
Reviewed-by: Paul Dale <paul.dale at oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12801)
commit 801ed9edbad11b3f0646b396c672dbae33353de2
Author: Pauli <paul.dale at oracle.com>
Date: Thu Sep 10 07:09:16 2020 +1000
CRNGT: enter FIPS error state if the test fails
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12801)
commit 5736923f12af58fea158c86291307c41c9f2c859
Author: Pauli <paul.dale at oracle.com>
Date: Thu Sep 10 07:08:57 2020 +1000
FIPS: error mode is set from failed self tests and produced a limited number of errors when algorithm accesses are attempted
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12801)
commit f99d3eedf7c3e1e2b10aad911f469f1fc783a395
Author: Pauli <paul.dale at oracle.com>
Date: Tue Sep 8 12:56:34 2020 +1000
ciphers: add FIPS error state handling
The functions that check for the provider being runnable are: new, init, final
and dupctx.
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12801)
commit 422cbcee6167faa20f439726a8b7bff0af51edc9
Author: Pauli <paul.dale at oracle.com>
Date: Tue Sep 8 08:23:46 2020 +1000
keymgmt: add FIPS error state handling
The functions that check for the provider being runnable are: new, gen_init,
gen, gen_set_template, load, has, match, validate, import and export.
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12801)
commit f590a5ea1ad7597c10dacab7c3a8c786cf4a7ea7
Author: Pauli <paul.dale at oracle.com>
Date: Mon Sep 7 13:44:17 2020 +1000
signature: add FIPS error state handling
The functions that check for the provider being runnable are: newctx, dupctx,
sign init, sign, verify init, verify, verify recover init, verify recover,
digest sign init, digest sign final, digest verify init and digest verify final.
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12801)
commit ca94057fc3aabdcdd87c6c6cc9b68459bd433fc7
Author: Pauli <paul.dale at oracle.com>
Date: Mon Sep 7 13:26:20 2020 +1000
exchange: add FIPS error state handling
The functions that check for the provider being runnable are: newctx, dupctx,
init, derive and set peer.
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12801)
commit 2b9e4e956b37ee49b29a73c7782f525ac8c58cc5
Author: Pauli <paul.dale at oracle.com>
Date: Mon Sep 7 13:13:10 2020 +1000
kdf: add FIPS error state handling
Check for provider being disabled on new and derive.
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12801)
commit 5b104a81f088ae0da6b0d2d2c746237694ab0a2c
Author: Pauli <paul.dale at oracle.com>
Date: Mon Sep 7 13:03:07 2020 +1000
mac: add FIPS error state handling
Check for provider being runnable in new, dup, init and final calls.
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12801)
commit aef30ad0b6811fd6ef1232ec67d24a77c17831ba
Author: Pauli <paul.dale at oracle.com>
Date: Mon Sep 7 12:50:57 2020 +1000
rand: add FIPS error state handling
Check for provider being runnable in instantiate, reseed, generate and new calls.
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12801)
commit 87fe138d35035617ed41a203eacbdec4395e3753
Author: Pauli <paul.dale at oracle.com>
Date: Mon Sep 7 12:44:59 2020 +1000
asymciphers: add FIPS error state handling
Check for provider being runnable in newctx, init, encrypt and decrypt.
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12801)
commit 1c1daab94cdec0a26139fd70e3382ab4a076531e
Author: Pauli <paul.dale at oracle.com>
Date: Mon Sep 7 12:41:00 2020 +1000
digests: add FIPS error state handling
Check for providering being runnable in init, final, newctx and dupctx.
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12801)
commit 6cf37302677a87539fd017e3466813510ce51023
Author: Pauli <paul.dale at oracle.com>
Date: Mon Sep 7 11:58:48 2020 +1000
FIPS: rename the status call to is_running.
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12801)
commit eab7b4240dc87e27d8b12b5af23d3cf20dd06f55
Author: Pauli <paul.dale at oracle.com>
Date: Mon Sep 7 11:58:03 2020 +1000
provider: add an 'is_running' call to all providers.
It can be accessed (read only) via the status parameter.
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12801)
-----------------------------------------------------------------------
Summary of changes:
apps/fipsinstall.c | 48 +++++++++-----
crypto/dsa/dsa_key.c | 2 +
crypto/ec/ec_key.c | 2 +
crypto/err/openssl.txt | 5 +-
crypto/rsa/rsa_gen.c | 2 +
doc/man1/openssl-fipsinstall.pod.in | 18 +++++
include/openssl/fips_names.h | 7 ++
include/openssl/self_test.h | 1 +
providers/baseprov.c | 4 ++
providers/build.info | 4 +-
providers/common/include/prov/providercommon.h | 6 ++
providers/common/include/prov/providercommonerr.h | 5 +-
providers/common/provider_err.c | 6 ++
providers/defltprov.c | 3 +-
providers/fips/fipsprov.c | 13 +++-
providers/fips/self_test.c | 45 +++++++++++--
providers/fips/self_test.h | 6 +-
providers/implementations/asymciphers/rsa_enc.c | 20 +++++-
providers/implementations/ciphers/cipher_aes.c | 7 +-
.../ciphers/cipher_aes_cbc_hmac_sha.c | 13 +++-
providers/implementations/ciphers/cipher_aes_ccm.c | 7 +-
providers/implementations/ciphers/cipher_aes_gcm.c | 7 +-
providers/implementations/ciphers/cipher_aes_ocb.c | 76 +++++++++++++---------
providers/implementations/ciphers/cipher_aes_siv.c | 22 ++++++-
providers/implementations/ciphers/cipher_aes_wrp.c | 19 +++++-
providers/implementations/ciphers/cipher_aes_xts.c | 12 +++-
providers/implementations/ciphers/cipher_aria.c | 7 +-
.../implementations/ciphers/cipher_aria_ccm.c | 7 +-
.../implementations/ciphers/cipher_aria_gcm.c | 7 +-
.../implementations/ciphers/cipher_blowfish.c | 7 +-
.../implementations/ciphers/cipher_camellia.c | 7 +-
providers/implementations/ciphers/cipher_cast5.c | 7 +-
.../implementations/ciphers/cipher_chacha20.c | 15 +++--
.../ciphers/cipher_chacha20_poly1305.c | 15 ++++-
providers/implementations/ciphers/cipher_des.c | 16 ++++-
providers/implementations/ciphers/cipher_idea.c | 7 +-
providers/implementations/ciphers/cipher_null.c | 16 +++++
providers/implementations/ciphers/cipher_rc2.c | 12 +++-
providers/implementations/ciphers/cipher_rc4.c | 12 +++-
.../implementations/ciphers/cipher_rc4_hmac_md5.c | 7 +-
providers/implementations/ciphers/cipher_rc5.c | 12 +++-
providers/implementations/ciphers/cipher_seed.c | 7 +-
providers/implementations/ciphers/cipher_sm4.c | 7 +-
.../implementations/ciphers/cipher_tdes_common.c | 16 ++++-
.../implementations/ciphers/cipher_tdes_wrap.c | 4 ++
providers/implementations/ciphers/ciphercommon.c | 13 ++++
.../implementations/ciphers/ciphercommon_ccm.c | 15 ++++-
.../implementations/ciphers/ciphercommon_gcm.c | 14 +++-
providers/implementations/digests/sha3_prov.c | 17 ++++-
providers/implementations/exchange/dh_exch.c | 23 ++++++-
providers/implementations/exchange/ecdh_exch.c | 20 +++++-
providers/implementations/exchange/ecx_exch.c | 19 +++++-
providers/implementations/exchange/kdf_exch.c | 17 ++++-
.../implementations/include/prov/ciphercommon.h | 3 +-
.../implementations/include/prov/digestcommon.h | 16 +++--
providers/implementations/kdfs/hkdf.c | 10 ++-
providers/implementations/kdfs/kbkdf.c | 7 ++
providers/implementations/kdfs/krb5kdf.c | 13 +++-
providers/implementations/kdfs/pbkdf2.c | 10 ++-
providers/implementations/kdfs/pkcs12kdf.c | 10 ++-
providers/implementations/kdfs/scrypt.c | 7 ++
providers/implementations/kdfs/sshkdf.c | 12 +++-
providers/implementations/kdfs/sskdf.c | 15 ++++-
providers/implementations/kdfs/tls1_prf.c | 7 ++
providers/implementations/kdfs/x942kdf.c | 10 ++-
providers/implementations/keymgmt/dh_kmgmt.c | 31 ++++++---
providers/implementations/keymgmt/dsa_kmgmt.c | 22 +++++--
providers/implementations/keymgmt/ec_kmgmt.c | 22 ++++---
providers/implementations/keymgmt/ecx_kmgmt.c | 35 ++++++++--
.../implementations/keymgmt/kdf_legacy_kmgmt.c | 16 ++++-
.../implementations/keymgmt/mac_legacy_kmgmt.c | 40 ++++++++++--
providers/implementations/keymgmt/rsa_kmgmt.c | 31 +++++++--
providers/implementations/macs/blake2_mac_impl.c | 16 ++++-
providers/implementations/macs/cmac_prov.c | 24 +++++--
providers/implementations/macs/gmac_prov.c | 15 ++++-
providers/implementations/macs/hmac_prov.c | 17 ++++-
providers/implementations/macs/kmac_prov.c | 15 ++++-
providers/implementations/macs/poly1305_prov.c | 15 ++++-
providers/implementations/macs/siphash_prov.c | 15 +++--
providers/implementations/rands/crngt.c | 14 +++-
providers/implementations/rands/drbg.c | 16 ++++-
providers/implementations/signature/dsa.c | 28 ++++++--
providers/implementations/signature/ecdsa.c | 27 ++++++--
providers/implementations/signature/eddsa.c | 24 +++++--
providers/implementations/signature/mac_legacy.c | 17 ++++-
providers/implementations/signature/rsa.c | 36 +++++++++-
providers/legacyprov.c | 4 +-
providers/nullprov.c | 8 ++-
.../ciphers/cipher_aes_cts.h => prov_running.c} | 16 +++--
89 files changed, 1096 insertions(+), 214 deletions(-)
copy providers/{implementations/ciphers/cipher_aes_cts.h => prov_running.c} (54%)
diff --git a/apps/fipsinstall.c b/apps/fipsinstall.c
index 104806c1b7..2df7d0f024 100644
--- a/apps/fipsinstall.c
+++ b/apps/fipsinstall.c
@@ -38,7 +38,8 @@ typedef enum OPTION_choice {
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
OPT_IN, OPT_OUT, OPT_MODULE,
OPT_PROV_NAME, OPT_SECTION_NAME, OPT_MAC_NAME, OPT_MACOPT, OPT_VERIFY,
- OPT_NO_LOG, OPT_CORRUPT_DESC, OPT_CORRUPT_TYPE, OPT_QUIET, OPT_CONFIG
+ OPT_NO_LOG, OPT_CORRUPT_DESC, OPT_CORRUPT_TYPE, OPT_QUIET, OPT_CONFIG,
+ OPT_NO_CONDITIONAL_ERRORS
} OPTION_CHOICE;
const OPTIONS fipsinstall_options[] = {
@@ -50,7 +51,9 @@ const OPTIONS fipsinstall_options[] = {
{"provider_name", OPT_PROV_NAME, 's', "FIPS provider name"},
{"section_name", OPT_SECTION_NAME, 's',
"FIPS Provider config section name (optional)"},
-
+ {"no_conditional_errors", OPT_NO_CONDITIONAL_ERRORS, '-',
+ "Disable the ability of the fips module to enter an error state if"
+ " any conditional self tests fail"},
OPT_SECTION("Input"),
{"in", OPT_IN, '<', "Input config file, used when verifying"},
@@ -132,24 +135,28 @@ static int write_config_header(BIO *out, const char *prov_name,
/*
* Outputs a fips related config file that contains entries for the fips
- * module checksum and the installation indicator checksum.
+ * module checksum, installation indicator checksum and the option
+ * conditional_errors.
*
* Returns 1 if the config file is written otherwise it returns 0 on error.
*/
static int write_config_fips_section(BIO *out, const char *section,
unsigned char *module_mac,
size_t module_mac_len,
+ int conditional_errors,
unsigned char *install_mac,
size_t install_mac_len)
{
int ret = 0;
- if (!(BIO_printf(out, "[%s]\n", section) > 0
- && BIO_printf(out, "activate = 1\n") > 0
- && BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_INSTALL_VERSION,
- VERSION_VAL) > 0
- && print_mac(out, OSSL_PROV_FIPS_PARAM_MODULE_MAC, module_mac,
- module_mac_len)))
+ if (BIO_printf(out, "[%s]\n", section) <= 0
+ || BIO_printf(out, "activate = 1\n") <= 0
+ || BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_INSTALL_VERSION,
+ VERSION_VAL) <= 0
+ || BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_CONDITIONAL_ERRORS,
+ conditional_errors ? "1" : "0") <= 0
+ || !print_mac(out, OSSL_PROV_FIPS_PARAM_MODULE_MAC, module_mac,
+ module_mac_len))
goto end;
if (install_mac != NULL) {
@@ -168,7 +175,8 @@ end:
static CONF *generate_config_and_load(const char *prov_name,
const char *section,
unsigned char *module_mac,
- size_t module_mac_len)
+ size_t module_mac_len,
+ int conditional_errors)
{
BIO *mem_bio = NULL;
CONF *conf = NULL;
@@ -177,8 +185,10 @@ static CONF *generate_config_and_load(const char *prov_name,
if (mem_bio == NULL)
return 0;
if (!write_config_header(mem_bio, prov_name, section)
- || !write_config_fips_section(mem_bio, section, module_mac,
- module_mac_len, NULL, 0))
+ || !write_config_fips_section(mem_bio, section,
+ module_mac, module_mac_len,
+ conditional_errors,
+ NULL, 0))
goto end;
conf = app_load_config_bio(mem_bio, NULL);
@@ -272,6 +282,7 @@ end:
int fipsinstall_main(int argc, char **argv)
{
int ret = 1, verify = 0, gotkey = 0, gotdigest = 0;
+ int enable_conditional_errors = 1;
const char *section_name = "fips_sect";
const char *mac_name = "HMAC";
const char *prov_name = "fips";
@@ -311,6 +322,9 @@ opthelp:
case OPT_OUT:
out_fname = opt_arg();
break;
+ case OPT_NO_CONDITIONAL_ERRORS:
+ enable_conditional_errors = 0;
+ break;
case OPT_QUIET:
quiet = 1;
/* FALLTHROUGH */
@@ -457,7 +471,8 @@ opthelp:
} else {
conf = generate_config_and_load(prov_name, section_name, module_mac,
- module_mac_len);
+ module_mac_len,
+ enable_conditional_errors);
if (conf == NULL)
goto end;
if (!load_fips_prov_and_run_self_test(prov_name))
@@ -468,9 +483,10 @@ opthelp:
BIO_printf(bio_err, "Failed to open file\n");
goto end;
}
- if (!write_config_fips_section(fout, section_name, module_mac,
- module_mac_len, install_mac,
- install_mac_len))
+ if (!write_config_fips_section(fout, section_name,
+ module_mac, module_mac_len,
+ enable_conditional_errors,
+ install_mac, install_mac_len))
goto end;
if (!quiet)
BIO_printf(bio_out, "INSTALL PASSED\n");
diff --git a/crypto/dsa/dsa_key.c b/crypto/dsa/dsa_key.c
index b537ec0b3c..bf9d8a269c 100644
--- a/crypto/dsa/dsa_key.c
+++ b/crypto/dsa/dsa_key.c
@@ -18,6 +18,7 @@
#include "internal/cryptlib.h"
#include <openssl/bn.h>
#include <openssl/self_test.h>
+#include "prov/providercommon.h"
#include "crypto/dsa.h"
#include "dsa_local.h"
@@ -113,6 +114,7 @@ static int dsa_keygen(DSA *dsa, int pairwise_test)
OSSL_SELF_TEST_get_callback(dsa->libctx, &cb, &cbarg);
ok = dsa_keygen_pairwise_test(dsa, cb, cbarg);
if (!ok) {
+ ossl_set_error_state(OSSL_SELF_TEST_TYPE_PCT);
BN_free(dsa->pub_key);
BN_clear_free(dsa->priv_key);
dsa->pub_key = NULL;
diff --git a/crypto/ec/ec_key.c b/crypto/ec/ec_key.c
index 84ce095693..84e1b96c48 100644
--- a/crypto/ec/ec_key.c
+++ b/crypto/ec/ec_key.c
@@ -21,6 +21,7 @@
#include <openssl/err.h>
#include <openssl/engine.h>
#include <openssl/self_test.h>
+#include "prov/providercommon.h"
#include "crypto/bn.h"
static int ecdsa_keygen_pairwise_test(EC_KEY *eckey, OSSL_CALLBACK *cb,
@@ -330,6 +331,7 @@ int ec_generate_key(OPENSSL_CTX *libctx, EC_KEY *eckey, int pairwise_test)
err:
/* Step (9): If there is an error return an invalid keypair. */
if (!ok) {
+ ossl_set_error_state(OSSL_SELF_TEST_TYPE_PCT);
BN_clear(eckey->priv_key);
if (eckey->pub_key != NULL)
EC_POINT_set_to_infinity(group, eckey->pub_key);
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
index d0ba9c47be..35c1dd6bdc 100644
--- a/crypto/err/openssl.txt
+++ b/crypto/err/openssl.txt
@@ -2877,6 +2877,9 @@ PROV_R_FAILED_TO_GENERATE_KEY:121:failed to generate key
PROV_R_FAILED_TO_GET_PARAMETER:103:failed to get parameter
PROV_R_FAILED_TO_SET_PARAMETER:104:failed to set parameter
PROV_R_FAILED_TO_SIGN:175:failed to sign
+PROV_R_FIPS_MODULE_CONDITIONAL_ERROR:227:fips module conditional error
+PROV_R_FIPS_MODULE_ENTERING_ERROR_STATE:224:fips module entering error state
+PROV_R_FIPS_MODULE_IN_ERROR_STATE:225:fips module in error state
PROV_R_GENERATE_ERROR:191:generate error
PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE:165:\
illegal or unsupported padding mode
@@ -2934,7 +2937,7 @@ PROV_R_MODULE_INTEGRITY_FAILURE:214:module integrity failure
PROV_R_NOT_A_PRIVATE_KEY:221:not a private key
PROV_R_NOT_A_PUBLIC_KEY:220:not a public key
PROV_R_NOT_INSTANTIATED:193:not instantiated
-PROV_R_NOT_PARAMETERS:224:not parameters
+PROV_R_NOT_PARAMETERS:226:not parameters
PROV_R_NOT_SUPPORTED:136:not supported
PROV_R_NOT_XOF_OR_INVALID_LENGTH:113:not xof or invalid length
PROV_R_NO_KEY_SET:114:no key set
diff --git a/crypto/rsa/rsa_gen.c b/crypto/rsa/rsa_gen.c
index b7a37b77a2..dc4ec0a8d3 100644
--- a/crypto/rsa/rsa_gen.c
+++ b/crypto/rsa/rsa_gen.c
@@ -24,6 +24,7 @@
#include "internal/cryptlib.h"
#include <openssl/bn.h>
#include <openssl/self_test.h>
+#include "prov/providercommon.h"
#include "rsa_local.h"
static int rsa_keygen_pairwise_test(RSA *rsa, OSSL_CALLBACK *cb, void *cbarg);
@@ -444,6 +445,7 @@ static int rsa_keygen(OPENSSL_CTX *libctx, RSA *rsa, int bits, int primes,
OSSL_SELF_TEST_get_callback(libctx, &stcb, &stcbarg);
ok = rsa_keygen_pairwise_test(rsa, stcb, stcbarg);
if (!ok) {
+ ossl_set_error_state(OSSL_SELF_TEST_TYPE_PCT);
/* Clear intermediate results */
BN_clear_free(rsa->d);
BN_clear_free(rsa->p);
diff --git a/doc/man1/openssl-fipsinstall.pod.in b/doc/man1/openssl-fipsinstall.pod.in
index 451e8a775d..7fb6ad5636 100644
--- a/doc/man1/openssl-fipsinstall.pod.in
+++ b/doc/man1/openssl-fipsinstall.pod.in
@@ -19,6 +19,7 @@ B<openssl fipsinstall>
[B<-macopt> I<nm>:I<v>]
[B<-noout>]
[B<-quiet>]
+[B<-no_conditional_errors>]
[B<-corrupt_desc> I<selftest_description>]
[B<-corrupt_type> I<selftest_type>]
[B<-config> I<parent_config>]
@@ -43,6 +44,17 @@ This indicates if the Known Answer Self Tests (KAT's) have successfully run.
=item - A MAC of the status indicator.
+=item - A control for conditional self tests errors.
+
+By default if a continuous test (e.g a key pair test) fails then the FIPS module
+will enter an error state, and no services or cryptographic algorithms will be
+able to be accessed after this point.
+The default value of '1' will cause the fips module error state to be entered.
+If the value is '0' then the module error state will not be entered.
+Regardless of whether the error state is entered or not, the current operation
+(e.g. key generation) will return an error. The user is responsible for retrying
+the operation if the module error state is not entered.
+
=back
This file is described in L<fips_config(5)>.
@@ -133,6 +145,12 @@ The default digest is SHA-256.
Disable logging of the self tests.
+=item B<-no_conditional_errors>
+
+Configure the module to not enter an error state if a conditional self test
+fails as described above.
+
+
=item B<-quiet>
Do not output pass/fail messages. Implies B<-noout>.
diff --git a/include/openssl/fips_names.h b/include/openssl/fips_names.h
index 493ddb046d..7dec75fcea 100644
--- a/include/openssl/fips_names.h
+++ b/include/openssl/fips_names.h
@@ -39,6 +39,13 @@ extern "C" {
*/
# define OSSL_PROV_FIPS_PARAM_INSTALL_STATUS "install-status"
+/*
+ * A boolean that determines if the FIPS conditional test errors result in
+ * the module entering an error state.
+ * Type: OSSL_PARAM_UTF8_STRING
+ */
+# define OSSL_PROV_FIPS_PARAM_CONDITIONAL_ERRORS "conditional-errors"
+
# ifdef __cplusplus
}
# endif
diff --git a/include/openssl/self_test.h b/include/openssl/self_test.h
index ff6e1b8e08..aa153581fa 100644
--- a/include/openssl/self_test.h
+++ b/include/openssl/self_test.h
@@ -27,6 +27,7 @@ extern "C" {
# define OSSL_SELF_TEST_TYPE_NONE "None"
# define OSSL_SELF_TEST_TYPE_MODULE_INTEGRITY "Module_Integrity"
# define OSSL_SELF_TEST_TYPE_INSTALL_INTEGRITY "Install_Integrity"
+# define OSSL_SELF_TEST_TYPE_CRNG "Continuous_RNG_Test"
# define OSSL_SELF_TEST_TYPE_PCT "Pairwise_Consistency_Test"
# define OSSL_SELF_TEST_TYPE_KAT_CIPHER "KAT_Cipher"
# define OSSL_SELF_TEST_TYPE_KAT_DIGEST "KAT_Digest"
diff --git a/providers/baseprov.c b/providers/baseprov.c
index e9502f68cd..0904e46333 100644
--- a/providers/baseprov.c
+++ b/providers/baseprov.c
@@ -38,6 +38,7 @@ static const OSSL_PARAM base_param_types[] = {
OSSL_PARAM_DEFN(OSSL_PROV_PARAM_NAME, OSSL_PARAM_UTF8_PTR, NULL, 0),
OSSL_PARAM_DEFN(OSSL_PROV_PARAM_VERSION, OSSL_PARAM_UTF8_PTR, NULL, 0),
OSSL_PARAM_DEFN(OSSL_PROV_PARAM_BUILDINFO, OSSL_PARAM_UTF8_PTR, NULL, 0),
+ OSSL_PARAM_DEFN(OSSL_PROV_PARAM_STATUS, OSSL_PARAM_INTEGER, NULL, 0),
OSSL_PARAM_END
};
@@ -60,6 +61,9 @@ static int base_get_params(void *provctx, OSSL_PARAM params[])
p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_BUILDINFO);
if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_FULL_VERSION_STR))
return 0;
+ p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_STATUS);
+ if (p != NULL && !OSSL_PARAM_set_int(p, ossl_prov_is_running()))
+ return 0;
return 1;
}
diff --git a/providers/build.info b/providers/build.info
index 8d82d3f911..f2e0d433c9 100644
--- a/providers/build.info
+++ b/providers/build.info
@@ -188,6 +188,6 @@ ENDIF
# Because the null provider is built in, it means that libcrypto must
# include all the object files that are needed.
$NULLGOAL=../libcrypto
-SOURCE[$NULLGOAL]=nullprov.c
-
+SOURCE[$NULLGOAL]=nullprov.c prov_running.c
+SOURCE[$LIBNONFIPS]=prov_running.c
diff --git a/providers/common/include/prov/providercommon.h b/providers/common/include/prov/providercommon.h
index f39d2e313f..44e9c812aa 100644
--- a/providers/common/include/prov/providercommon.h
+++ b/providers/common/include/prov/providercommon.h
@@ -18,3 +18,9 @@ int cipher_capable_aes_cbc_hmac_sha1(void);
int cipher_capable_aes_cbc_hmac_sha256(void);
OSSL_FUNC_provider_get_capabilities_fn provider_get_capabilities;
+
+/* Set the error state if this is a FIPS module */
+void ossl_set_error_state(const char *type);
+
+/* Return true if the module is in a usable condition */
+int ossl_prov_is_running(void);
diff --git a/providers/common/include/prov/providercommonerr.h b/providers/common/include/prov/providercommonerr.h
index 68bcfb4828..d972a819e2 100644
--- a/providers/common/include/prov/providercommonerr.h
+++ b/providers/common/include/prov/providercommonerr.h
@@ -75,6 +75,9 @@ int ERR_load_PROV_strings(void);
# define PROV_R_FAILED_TO_GET_PARAMETER 103
# define PROV_R_FAILED_TO_SET_PARAMETER 104
# define PROV_R_FAILED_TO_SIGN 175
+# define PROV_R_FIPS_MODULE_CONDITIONAL_ERROR 227
+# define PROV_R_FIPS_MODULE_ENTERING_ERROR_STATE 224
+# define PROV_R_FIPS_MODULE_IN_ERROR_STATE 225
# define PROV_R_GENERATE_ERROR 191
# define PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE 165
# define PROV_R_INAVLID_UKM_LENGTH 146
@@ -131,7 +134,7 @@ int ERR_load_PROV_strings(void);
# define PROV_R_NOT_A_PRIVATE_KEY 221
# define PROV_R_NOT_A_PUBLIC_KEY 220
# define PROV_R_NOT_INSTANTIATED 193
-# define PROV_R_NOT_PARAMETERS 224
+# define PROV_R_NOT_PARAMETERS 226
# define PROV_R_NOT_SUPPORTED 136
# define PROV_R_NOT_XOF_OR_INVALID_LENGTH 113
# define PROV_R_NO_KEY_SET 114
diff --git a/providers/common/provider_err.c b/providers/common/provider_err.c
index 75f24f88d7..606d78cc57 100644
--- a/providers/common/provider_err.c
+++ b/providers/common/provider_err.c
@@ -58,6 +58,12 @@ static const ERR_STRING_DATA PROV_str_reasons[] = {
{ERR_PACK(ERR_LIB_PROV, 0, PROV_R_FAILED_TO_SET_PARAMETER),
"failed to set parameter"},
{ERR_PACK(ERR_LIB_PROV, 0, PROV_R_FAILED_TO_SIGN), "failed to sign"},
+ {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_FIPS_MODULE_CONDITIONAL_ERROR),
+ "fips module conditional error"},
+ {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_FIPS_MODULE_ENTERING_ERROR_STATE),
+ "fips module entering error state"},
+ {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_FIPS_MODULE_IN_ERROR_STATE),
+ "fips module in error state"},
{ERR_PACK(ERR_LIB_PROV, 0, PROV_R_GENERATE_ERROR), "generate error"},
{ERR_PACK(ERR_LIB_PROV, 0, PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE),
"illegal or unsupported padding mode"},
diff --git a/providers/defltprov.c b/providers/defltprov.c
index 371d942f4a..d95964539b 100644
--- a/providers/defltprov.c
+++ b/providers/defltprov.c
@@ -41,6 +41,7 @@ static const OSSL_PARAM deflt_param_types[] = {
OSSL_PARAM_DEFN(OSSL_PROV_PARAM_NAME, OSSL_PARAM_UTF8_PTR, NULL, 0),
OSSL_PARAM_DEFN(OSSL_PROV_PARAM_VERSION, OSSL_PARAM_UTF8_PTR, NULL, 0),
OSSL_PARAM_DEFN(OSSL_PROV_PARAM_BUILDINFO, OSSL_PARAM_UTF8_PTR, NULL, 0),
+ OSSL_PARAM_DEFN(OSSL_PROV_PARAM_STATUS, OSSL_PARAM_INTEGER, NULL, 0),
OSSL_PARAM_END
};
@@ -63,7 +64,7 @@ static int deflt_get_params(void *provctx, OSSL_PARAM params[])
if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_FULL_VERSION_STR))
return 0;
p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_STATUS);
- if (p != NULL && !OSSL_PARAM_set_uint(p, 1))
+ if (p != NULL && !OSSL_PARAM_set_int(p, ossl_prov_is_running()))
return 0;
return 1;
}
diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c
index c9867f998c..4290a87e6e 100644
--- a/providers/fips/fipsprov.c
+++ b/providers/fips/fipsprov.c
@@ -99,7 +99,7 @@ static const OSSL_PARAM fips_param_types[] = {
OSSL_PARAM_DEFN(OSSL_PROV_PARAM_NAME, OSSL_PARAM_UTF8_PTR, NULL, 0),
OSSL_PARAM_DEFN(OSSL_PROV_PARAM_VERSION, OSSL_PARAM_UTF8_PTR, NULL, 0),
OSSL_PARAM_DEFN(OSSL_PROV_PARAM_BUILDINFO, OSSL_PARAM_UTF8_PTR, NULL, 0),
- OSSL_PARAM_DEFN(OSSL_PROV_PARAM_STATUS, OSSL_PARAM_UNSIGNED_INTEGER, NULL, 0),
+ OSSL_PARAM_DEFN(OSSL_PROV_PARAM_STATUS, OSSL_PARAM_INTEGER, NULL, 0),
OSSL_PARAM_END
};
@@ -126,6 +126,9 @@ static OSSL_PARAM core_params[] =
OSSL_PARAM_utf8_ptr(OSSL_PROV_FIPS_PARAM_INSTALL_VERSION,
selftest_params.indicator_version,
sizeof(selftest_params.indicator_version)),
+ OSSL_PARAM_utf8_ptr(OSSL_PROV_FIPS_PARAM_CONDITIONAL_ERRORS,
+ selftest_params.conditional_error_check,
+ sizeof(selftest_params.conditional_error_check)),
OSSL_PARAM_END
};
@@ -148,7 +151,7 @@ static int fips_get_params(void *provctx, OSSL_PARAM params[])
if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_FULL_VERSION_STR))
return 0;
p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_STATUS);
- if (p != NULL && !OSSL_PARAM_set_uint(p, FIPS_is_running()))
+ if (p != NULL && !OSSL_PARAM_set_int(p, ossl_prov_is_running()))
return 0;
return 1;
}
@@ -480,7 +483,7 @@ static const OSSL_ALGORITHM *fips_query(void *provctx, int operation_id,
{
*no_cache = 0;
- if (!FIPS_is_running())
+ if (!ossl_prov_is_running())
return NULL;
switch (operation_id) {
@@ -645,6 +648,10 @@ int OSSL_provider_init(const OSSL_CORE_HANDLE *handle,
ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
return 0;
}
+ /* Disable the conditional error check if is disabled in the fips config file*/
+ if (selftest_params.conditional_error_check != NULL
+ && strcmp(selftest_params.conditional_error_check, "0") == 0)
+ SELF_TEST_disable_conditional_error_state();
/* Create a context. */
if ((*provctx = PROV_CTX_new()) == NULL
diff --git a/providers/fips/self_test.c b/providers/fips/self_test.c
index 978440adf1..9d95f0ccf1 100644
--- a/providers/fips/self_test.c
+++ b/providers/fips/self_test.c
@@ -15,6 +15,8 @@
#include <openssl/err.h>
#include "e_os.h"
#include "prov/providercommonerr.h"
+#include "prov/providercommon.h"
+
/*
* We're cheating here. Normally we don't allow RUN_ONCE usage inside the FIPS
* module because all such initialisation should be associated with an
@@ -30,12 +32,19 @@
#define FIPS_STATE_RUNNING 2
#define FIPS_STATE_ERROR 3
+/*
+ * The number of times the module will report it is in the error state
+ * before going quiet.
+ */
+#define FIPS_ERROR_REPORTING_RATE_LIMIT 10
+
/* The size of a temp buffer used to read in data */
#define INTEGRITY_BUF_SIZE (4096)
#define MAX_MD_SIZE 64
#define MAC_NAME "HMAC"
#define DIGEST_NAME "SHA256"
+static int FIPS_conditional_error_check = 1;
static int FIPS_state = FIPS_STATE_INIT;
static CRYPTO_RWLOCK *self_test_lock = NULL;
static unsigned char fixed_key[32] = { FIPS_KEY_ELEMENTS };
@@ -300,15 +309,43 @@ end:
(*st->bio_free_cb)(bio_indicator);
(*st->bio_free_cb)(bio_module);
}
- FIPS_state = ok ? FIPS_STATE_RUNNING : FIPS_STATE_ERROR;
+ if (ok)
+ FIPS_state = FIPS_STATE_RUNNING;
+ else
+ ossl_set_error_state(OSSL_SELF_TEST_TYPE_NONE);
CRYPTO_THREAD_unlock(self_test_lock);
return ok;
}
+void SELF_TEST_disable_conditional_error_state(void)
+{
+ FIPS_conditional_error_check = 0;
+}
+
+void ossl_set_error_state(const char *type)
+{
+ int cond_test = (type != NULL && strcmp(type, OSSL_SELF_TEST_TYPE_PCT) == 0);
+
+ if (!cond_test || (FIPS_conditional_error_check == 1)) {
+ FIPS_state = FIPS_STATE_ERROR;
+ ERR_raise(ERR_LIB_PROV, PROV_R_FIPS_MODULE_ENTERING_ERROR_STATE);
+ } else {
+ ERR_raise(ERR_LIB_PROV, PROV_R_FIPS_MODULE_CONDITIONAL_ERROR);
+ }
+}
-unsigned int FIPS_is_running(void)
+int ossl_prov_is_running(void)
{
- return FIPS_state == FIPS_STATE_RUNNING
- || FIPS_state == FIPS_STATE_SELFTEST;
+ const int res = FIPS_state == FIPS_STATE_RUNNING
+ || FIPS_state == FIPS_STATE_SELFTEST;
+ static unsigned int rate_limit = 0;
+
+ if (res) {
+ rate_limit = 0;
+ } else if (FIPS_state == FIPS_STATE_ERROR) {
+ if (rate_limit++ < FIPS_ERROR_REPORTING_RATE_LIMIT)
+ ERR_raise(ERR_LIB_PROV, PROV_R_FIPS_MODULE_IN_ERROR_STATE);
+ }
+ return res;
}
diff --git a/providers/fips/self_test.h b/providers/fips/self_test.h
index f40788581c..205623cc3d 100644
--- a/providers/fips/self_test.h
+++ b/providers/fips/self_test.h
@@ -21,6 +21,9 @@ typedef struct self_test_post_params_st {
const char *indicator_data; /* data to perform MAC on */
const char *indicator_checksum_data; /* Expected MAC integrity value */
+ /* Used for continuous tests */
+ const char *conditional_error_check;
+
/* BIO callbacks supplied to the FIPS provider */
OSSL_FUNC_BIO_new_file_fn *bio_new_file_cb;
OSSL_FUNC_BIO_new_membuf_fn *bio_new_buffer_cb;
@@ -34,4 +37,5 @@ typedef struct self_test_post_params_st {
int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test);
int SELF_TEST_kats(OSSL_SELF_TEST *event, OPENSSL_CTX *libctx);
-unsigned int FIPS_is_running(void);
+
+void SELF_TEST_disable_conditional_error_state(void);
diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c
index 817f705b53..f53284ca49 100644
--- a/providers/implementations/asymciphers/rsa_enc.c
+++ b/providers/implementations/asymciphers/rsa_enc.c
@@ -28,6 +28,7 @@
#include "prov/providercommonerr.h"
#include "prov/provider_ctx.h"
#include "prov/implementations.h"
+#include "prov/providercommon.h"
#include <stdlib.h>
@@ -77,8 +78,11 @@ typedef struct {
static void *rsa_newctx(void *provctx)
{
- PROV_RSA_CTX *prsactx = OPENSSL_zalloc(sizeof(PROV_RSA_CTX));
+ PROV_RSA_CTX *prsactx;
+ if (!ossl_prov_is_running())
+ return NULL;
+ prsactx = OPENSSL_zalloc(sizeof(PROV_RSA_CTX));
if (prsactx == NULL)
return NULL;
prsactx->libctx = PROV_LIBRARY_CONTEXT_OF(provctx);
@@ -90,7 +94,10 @@ static int rsa_init(void *vprsactx, void *vrsa)
{
PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
- if (prsactx == NULL || vrsa == NULL || !RSA_up_ref(vrsa))
+ if (!ossl_prov_is_running()
+ || prsactx == NULL
+ || vrsa == NULL
+ || !RSA_up_ref(vrsa))
return 0;
RSA_free(prsactx->rsa);
prsactx->rsa = vrsa;
@@ -113,6 +120,9 @@ static int rsa_encrypt(void *vprsactx, unsigned char *out, size_t *outlen,
PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
int ret;
+ if (!ossl_prov_is_running())
+ return 0;
+
if (out == NULL) {
size_t len = RSA_size(prsactx->rsa);
@@ -171,6 +181,9 @@ static int rsa_decrypt(void *vprsactx, unsigned char *out, size_t *outlen,
int ret;
size_t len = RSA_size(prsactx->rsa);
+ if (!ossl_prov_is_running())
+ return 0;
+
if (prsactx->pad_mode == RSA_PKCS1_WITH_TLS_PADDING) {
if (out == NULL) {
*outlen = SSL_MAX_MASTER_KEY_LENGTH;
@@ -269,6 +282,9 @@ static void *rsa_dupctx(void *vprsactx)
PROV_RSA_CTX *srcctx = (PROV_RSA_CTX *)vprsactx;
PROV_RSA_CTX *dstctx;
+ if (!ossl_prov_is_running())
+ return NULL;
+
dstctx = OPENSSL_zalloc(sizeof(*srcctx));
if (dstctx == NULL)
return NULL;
diff --git a/providers/implementations/ciphers/cipher_aes.c b/providers/implementations/ciphers/cipher_aes.c
index b0c716e3b7..4fa197024a 100644
--- a/providers/implementations/ciphers/cipher_aes.c
+++ b/providers/implementations/ciphers/cipher_aes.c
@@ -18,6 +18,7 @@
#include "cipher_aes.h"
#include "prov/implementations.h"
+#include "prov/providercommon.h"
static OSSL_FUNC_cipher_freectx_fn aes_freectx;
static OSSL_FUNC_cipher_dupctx_fn aes_dupctx;
@@ -33,8 +34,12 @@ static void aes_freectx(void *vctx)
static void *aes_dupctx(void *ctx)
{
PROV_AES_CTX *in = (PROV_AES_CTX *)ctx;
- PROV_AES_CTX *ret = OPENSSL_malloc(sizeof(*ret));
+ PROV_AES_CTX *ret;
+ if (!ossl_prov_is_running())
+ return NULL;
+
+ ret = OPENSSL_malloc(sizeof(*ret));
if (ret == NULL) {
ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
return NULL;
diff --git a/providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.c b/providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.c
index 9c927352a2..6f5ecc12fb 100644
--- a/providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.c
+++ b/providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.c
@@ -20,6 +20,7 @@
#include <openssl/ssl.h>
#include "cipher_aes_cbc_hmac_sha.h"
#include "prov/implementations.h"
+#include "prov/providercommon.h"
#ifndef AES_CBC_HMAC_SHA_CAPABLE
# define IMPLEMENT_CIPHER(nm, sub, kbits, blkbits, ivbits, flags) \
@@ -299,8 +300,12 @@ static void *aes_cbc_hmac_sha1_newctx(void *provctx, size_t kbits,
size_t blkbits, size_t ivbits,
uint64_t flags)
{
- PROV_AES_HMAC_SHA1_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx));
+ PROV_AES_HMAC_SHA1_CTX *ctx;
+ if (!ossl_prov_is_running())
+ return NULL;
+
+ ctx = OPENSSL_zalloc(sizeof(*ctx));
if (ctx != NULL)
base_init(provctx, &ctx->base_ctx,
PROV_CIPHER_HW_aes_cbc_hmac_sha1(), kbits, blkbits,
@@ -322,8 +327,12 @@ static void *aes_cbc_hmac_sha256_newctx(void *provctx, size_t kbits,
size_t blkbits, size_t ivbits,
uint64_t flags)
{
- PROV_AES_HMAC_SHA256_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx));
+ PROV_AES_HMAC_SHA256_CTX *ctx;
+
+ if (!ossl_prov_is_running())
+ return NULL;
+ ctx = OPENSSL_zalloc(sizeof(*ctx));
if (ctx != NULL)
base_init(provctx, &ctx->base_ctx,
PROV_CIPHER_HW_aes_cbc_hmac_sha256(), kbits, blkbits,
diff --git a/providers/implementations/ciphers/cipher_aes_ccm.c b/providers/implementations/ciphers/cipher_aes_ccm.c
index ae32e34d25..e45de7bca2 100644
--- a/providers/implementations/ciphers/cipher_aes_ccm.c
+++ b/providers/implementations/ciphers/cipher_aes_ccm.c
@@ -18,11 +18,16 @@
#include "cipher_aes_ccm.h"
#include "prov/implementations.h"
+#include "prov/providercommon.h"
static void *aes_ccm_newctx(void *provctx, size_t keybits)
{
- PROV_AES_CCM_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx));
+ PROV_AES_CCM_CTX *ctx;
+ if (!ossl_prov_is_running())
+ return NULL;
+
+ ctx = OPENSSL_zalloc(sizeof(*ctx));
if (ctx != NULL)
ccm_initctx(&ctx->base, keybits, PROV_AES_HW_ccm(keybits));
return ctx;
diff --git a/providers/implementations/ciphers/cipher_aes_gcm.c b/providers/implementations/ciphers/cipher_aes_gcm.c
index 92a0ad1795..2f22c32067 100644
--- a/providers/implementations/ciphers/cipher_aes_gcm.c
+++ b/providers/implementations/ciphers/cipher_aes_gcm.c
@@ -18,11 +18,16 @@
#include "cipher_aes_gcm.h"
#include "prov/implementations.h"
+#include "prov/providercommon.h"
static void *aes_gcm_newctx(void *provctx, size_t keybits)
{
- PROV_AES_GCM_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx));
+ PROV_AES_GCM_CTX *ctx;
+ if (!ossl_prov_is_running())
+ return NULL;
+
+ ctx = OPENSSL_zalloc(sizeof(*ctx));
if (ctx != NULL)
gcm_initctx(provctx, &ctx->base, keybits, PROV_AES_HW_gcm(keybits), 8);
return ctx;
diff --git a/providers/implementations/ciphers/cipher_aes_ocb.c b/providers/implementations/ciphers/cipher_aes_ocb.c
index d6190695a2..27edd455ed 100644
--- a/providers/implementations/ciphers/cipher_aes_ocb.c
+++ b/providers/implementations/ciphers/cipher_aes_ocb.c
@@ -15,6 +15,7 @@
#include "internal/deprecated.h"
#include "cipher_aes_ocb.h"
+#include "prov/providercommon.h"
#include "prov/providercommonerr.h"
#include "prov/ciphercommon_aead.h"
#include "prov/implementations.h"
@@ -103,33 +104,36 @@ static ossl_inline int aes_generic_ocb_copy_ctx(PROV_AES_OCB_CTX *dst,
static int aes_ocb_init(void *vctx, const unsigned char *key, size_t keylen,
const unsigned char *iv, size_t ivlen, int enc)
{
- PROV_AES_OCB_CTX *ctx = (PROV_AES_OCB_CTX *)vctx;
-
- ctx->aad_buf_len = 0;
- ctx->data_buf_len = 0;
- ctx->base.enc = enc;
-
- if (iv != NULL) {
- if (ivlen != ctx->base.ivlen) {
- /* IV len must be 1 to 15 */
- if (ivlen < OCB_MIN_IV_LEN || ivlen > OCB_MAX_IV_LEN) {
- ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH);
- return 0;
- }
- ctx->base.ivlen = ivlen;
- }
- if (!cipher_generic_initiv(&ctx->base, iv, ivlen))
- return 0;
- ctx->iv_state = IV_STATE_BUFFERED;
- }
- if (key != NULL) {
- if (keylen != ctx->base.keylen) {
- ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
- return 0;
- }
- return ctx->base.hw->init(&ctx->base, key, keylen);
- }
- return 1;
+ PROV_AES_OCB_CTX *ctx = (PROV_AES_OCB_CTX *)vctx;
+
+ if (!ossl_prov_is_running())
+ return 0;
+
+ ctx->aad_buf_len = 0;
+ ctx->data_buf_len = 0;
+ ctx->base.enc = enc;
+
+ if (iv != NULL) {
+ if (ivlen != ctx->base.ivlen) {
+ /* IV len must be 1 to 15 */
+ if (ivlen < OCB_MIN_IV_LEN || ivlen > OCB_MAX_IV_LEN) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH);
+ return 0;
+ }
+ ctx->base.ivlen = ivlen;
+ }
+ if (!cipher_generic_initiv(&ctx->base, iv, ivlen))
+ return 0;
+ ctx->iv_state = IV_STATE_BUFFERED;
+ }
+ if (key != NULL) {
+ if (keylen != ctx->base.keylen) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
+ return 0;
+ }
+ return ctx->base.hw->init(&ctx->base, key, keylen);
+ }
+ return 1;
}
static int aes_ocb_einit(void *vctx, const unsigned char *key, size_t keylen,
@@ -254,6 +258,9 @@ static int aes_ocb_block_final(void *vctx, unsigned char *out, size_t *outl,
{
PROV_AES_OCB_CTX *ctx = (PROV_AES_OCB_CTX *)vctx;
+ if (!ossl_prov_is_running())
+ return 0;
+
/* If no block_update has run then the iv still needs to be set */
if (!ctx->key_set || !update_iv(ctx))
return 0;
@@ -293,8 +300,12 @@ static int aes_ocb_block_final(void *vctx, unsigned char *out, size_t *outl,
static void *aes_ocb_newctx(void *provctx, size_t kbits, size_t blkbits,
size_t ivbits, unsigned int mode, uint64_t flags)
{
- PROV_AES_OCB_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx));
+ PROV_AES_OCB_CTX *ctx;
+ if (!ossl_prov_is_running())
+ return NULL;
+
+ ctx = OPENSSL_zalloc(sizeof(*ctx));
if (ctx != NULL) {
cipher_generic_initkey(ctx, kbits, blkbits, ivbits, mode, flags,
PROV_CIPHER_HW_aes_ocb(kbits), NULL);
@@ -317,8 +328,12 @@ static void aes_ocb_freectx(void *vctx)
static void *aes_ocb_dupctx(void *vctx)
{
PROV_AES_OCB_CTX *in = (PROV_AES_OCB_CTX *)vctx;
- PROV_AES_OCB_CTX *ret = OPENSSL_malloc(sizeof(*ret));
+ PROV_AES_OCB_CTX *ret;
+
+ if (!ossl_prov_is_running())
+ return NULL;
+ ret = OPENSSL_malloc(sizeof(*ret));
if (ret == NULL) {
ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
return NULL;
@@ -473,6 +488,9 @@ static int aes_ocb_cipher(void *vctx, unsigned char *out, size_t *outl,
{
PROV_AES_OCB_CTX *ctx = (PROV_AES_OCB_CTX *)vctx;
+ if (!ossl_prov_is_running())
+ return 0;
+
if (outsize < inl) {
ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
return 0;
diff --git a/providers/implementations/ciphers/cipher_aes_siv.c b/providers/implementations/ciphers/cipher_aes_siv.c
index b2e07bc228..6894567fb2 100644
--- a/providers/implementations/ciphers/cipher_aes_siv.c
+++ b/providers/implementations/ciphers/cipher_aes_siv.c
@@ -17,6 +17,7 @@
#include "cipher_aes_siv.h"
#include "prov/implementations.h"
+#include "prov/providercommon.h"
#include "prov/providercommonerr.h"
#include "prov/ciphercommon_aead.h"
#include "prov/provider_ctx.h"
@@ -27,8 +28,12 @@
static void *aes_siv_newctx(void *provctx, size_t keybits, unsigned int mode,
uint64_t flags)
{
- PROV_AES_SIV_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx));
+ PROV_AES_SIV_CTX *ctx;
+ if (!ossl_prov_is_running())
+ return NULL;
+
+ ctx = OPENSSL_zalloc(sizeof(*ctx));
if (ctx != NULL) {
ctx->taglen = SIV_LEN;
ctx->mode = mode;
@@ -53,8 +58,12 @@ static void aes_siv_freectx(void *vctx)
static void *siv_dupctx(void *vctx)
{
PROV_AES_SIV_CTX *in = (PROV_AES_SIV_CTX *)vctx;
- PROV_AES_SIV_CTX *ret = OPENSSL_malloc(sizeof(*ret));
+ PROV_AES_SIV_CTX *ret;
+ if (!ossl_prov_is_running())
+ return NULL;
+
+ ret = OPENSSL_malloc(sizeof(*ret));
if (ret == NULL) {
ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
return NULL;
@@ -71,6 +80,9 @@ static int siv_init(void *vctx, const unsigned char *key, size_t keylen,
{
PROV_AES_SIV_CTX *ctx = (PROV_AES_SIV_CTX *)vctx;
+ if (!ossl_prov_is_running())
+ return 0;
+
ctx->enc = enc;
if (key != NULL) {
@@ -100,6 +112,9 @@ static int siv_cipher(void *vctx, unsigned char *out, size_t *outl,
{
PROV_AES_SIV_CTX *ctx = (PROV_AES_SIV_CTX *)vctx;
+ if (!ossl_prov_is_running())
+ return 0;
+
if (inl == 0) {
*outl = 0;
return 1;
@@ -123,6 +138,9 @@ static int siv_stream_final(void *vctx, unsigned char *out, size_t *outl,
{
PROV_AES_SIV_CTX *ctx = (PROV_AES_SIV_CTX *)vctx;
+ if (!ossl_prov_is_running())
+ return 0;
+
if (!ctx->hw->cipher(vctx, out, NULL, 0))
return 0;
diff --git a/providers/implementations/ciphers/cipher_aes_wrp.c b/providers/implementations/ciphers/cipher_aes_wrp.c
index 5c2ab1c507..df10a65a87 100644
--- a/providers/implementations/ciphers/cipher_aes_wrp.c
+++ b/providers/implementations/ciphers/cipher_aes_wrp.c
@@ -14,6 +14,7 @@
#include "internal/deprecated.h"
#include "cipher_aes.h"
+#include "prov/providercommon.h"
#include "prov/providercommonerr.h"
#include "prov/implementations.h"
@@ -49,9 +50,14 @@ typedef struct prov_aes_wrap_ctx_st {
static void *aes_wrap_newctx(size_t kbits, size_t blkbits,
size_t ivbits, unsigned int mode, uint64_t flags)
{
- PROV_AES_WRAP_CTX *wctx = OPENSSL_zalloc(sizeof(*wctx));
- PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)wctx;
+ PROV_AES_WRAP_CTX *wctx;
+ PROV_CIPHER_CTX *ctx;
+ if (!ossl_prov_is_running())
+ return NULL;
+
+ wctx = OPENSSL_zalloc(sizeof(*wctx));
+ ctx = (PROV_CIPHER_CTX *)wctx;
if (ctx != NULL) {
cipher_generic_initkey(ctx, kbits, blkbits, ivbits, mode, flags,
NULL, NULL);
@@ -75,6 +81,9 @@ static int aes_wrap_init(void *vctx, const unsigned char *key,
PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx;
PROV_AES_WRAP_CTX *wctx = (PROV_AES_WRAP_CTX *)vctx;
+ if (!ossl_prov_is_running())
+ return 0;
+
ctx->enc = enc;
ctx->block = enc ? (block128_f)AES_encrypt : (block128_f)AES_decrypt;
if (ctx->pad)
@@ -160,6 +169,9 @@ static int aes_wrap_cipher_internal(void *vctx, unsigned char *out,
static int aes_wrap_final(void *vctx, unsigned char *out, size_t *outl,
size_t outsize)
{
+ if (!ossl_prov_is_running())
+ return 0;
+
*outl = 0;
return 1;
}
@@ -171,6 +183,9 @@ static int aes_wrap_cipher(void *vctx,
PROV_AES_WRAP_CTX *ctx = (PROV_AES_WRAP_CTX *)vctx;
size_t len;
+ if (!ossl_prov_is_running())
+ return 0;
+
if (inl == 0) {
*outl = 0;
return 1;
diff --git a/providers/implementations/ciphers/cipher_aes_xts.c b/providers/implementations/ciphers/cipher_aes_xts.c
index 33d8c7fbb5..72ed2334b1 100644
--- a/providers/implementations/ciphers/cipher_aes_xts.c
+++ b/providers/implementations/ciphers/cipher_aes_xts.c
@@ -16,6 +16,7 @@
#include "cipher_aes_xts.h"
#include "prov/implementations.h"
+#include "prov/providercommon.h"
#include "prov/providercommonerr.h"
/* TODO (3.0) Figure out what flags need to be set */
@@ -74,6 +75,9 @@ static int aes_xts_init(void *vctx, const unsigned char *key, size_t keylen,
PROV_AES_XTS_CTX *xctx = (PROV_AES_XTS_CTX *)vctx;
PROV_CIPHER_CTX *ctx = &xctx->base;
+ if (!ossl_prov_is_running())
+ return 0;
+
ctx->enc = enc;
if (iv != NULL) {
@@ -129,6 +133,9 @@ static void *aes_xts_dupctx(void *vctx)
PROV_AES_XTS_CTX *in = (PROV_AES_XTS_CTX *)vctx;
PROV_AES_XTS_CTX *ret = NULL;
+ if (!ossl_prov_is_running())
+ return NULL;
+
if (in->xts.key1 != NULL) {
if (in->xts.key1 != &in->ks1)
return NULL;
@@ -151,7 +158,8 @@ static int aes_xts_cipher(void *vctx, unsigned char *out, size_t *outl,
{
PROV_AES_XTS_CTX *ctx = (PROV_AES_XTS_CTX *)vctx;
- if (ctx->xts.key1 == NULL
+ if (!ossl_prov_is_running()
+ || ctx->xts.key1 == NULL
|| ctx->xts.key2 == NULL
|| !ctx->base.iv_set
|| out == NULL
@@ -202,6 +210,8 @@ static int aes_xts_stream_update(void *vctx, unsigned char *out, size_t *outl,
static int aes_xts_stream_final(void *vctx, unsigned char *out, size_t *outl,
size_t outsize)
{
+ if (!ossl_prov_is_running())
+ return 0;
*outl = 0;
return 1;
}
diff --git a/providers/implementations/ciphers/cipher_aria.c b/providers/implementations/ciphers/cipher_aria.c
index a079617928..9f4c8dda7b 100644
--- a/providers/implementations/ciphers/cipher_aria.c
+++ b/providers/implementations/ciphers/cipher_aria.c
@@ -11,6 +11,7 @@
#include "cipher_aria.h"
#include "prov/implementations.h"
+#include "prov/providercommon.h"
static OSSL_FUNC_cipher_freectx_fn aria_freectx;
static OSSL_FUNC_cipher_dupctx_fn aria_dupctx;
@@ -26,8 +27,12 @@ static void aria_freectx(void *vctx)
static void *aria_dupctx(void *ctx)
{
PROV_ARIA_CTX *in = (PROV_ARIA_CTX *)ctx;
- PROV_ARIA_CTX *ret = OPENSSL_malloc(sizeof(*ret));
+ PROV_ARIA_CTX *ret;
+ if (!ossl_prov_is_running())
+ return NULL;
+
+ ret = OPENSSL_malloc(sizeof(*ret));
if (ret == NULL) {
ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
return NULL;
diff --git a/providers/implementations/ciphers/cipher_aria_ccm.c b/providers/implementations/ciphers/cipher_aria_ccm.c
index ffc8166d68..7f89b223f1 100644
--- a/providers/implementations/ciphers/cipher_aria_ccm.c
+++ b/providers/implementations/ciphers/cipher_aria_ccm.c
@@ -11,13 +11,18 @@
#include "cipher_aria_ccm.h"
#include "prov/implementations.h"
+#include "prov/providercommon.h"
static OSSL_FUNC_cipher_freectx_fn aria_ccm_freectx;
static void *aria_ccm_newctx(void *provctx, size_t keybits)
{
- PROV_ARIA_CCM_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx));
+ PROV_ARIA_CCM_CTX *ctx;
+ if (!ossl_prov_is_running())
+ return NULL;
+
+ ctx = OPENSSL_zalloc(sizeof(*ctx));
if (ctx != NULL)
ccm_initctx(&ctx->base, keybits, PROV_ARIA_HW_ccm(keybits));
return ctx;
diff --git a/providers/implementations/ciphers/cipher_aria_gcm.c b/providers/implementations/ciphers/cipher_aria_gcm.c
index 7205522d7d..de228a0755 100644
--- a/providers/implementations/ciphers/cipher_aria_gcm.c
+++ b/providers/implementations/ciphers/cipher_aria_gcm.c
@@ -11,11 +11,16 @@
#include "cipher_aria_gcm.h"
#include "prov/implementations.h"
+#include "prov/providercommon.h"
static void *aria_gcm_newctx(void *provctx, size_t keybits)
{
- PROV_ARIA_GCM_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx));
+ PROV_ARIA_GCM_CTX *ctx;
+ if (!ossl_prov_is_running())
+ return NULL;
+
+ ctx = OPENSSL_zalloc(sizeof(*ctx));
if (ctx != NULL)
gcm_initctx(provctx, &ctx->base, keybits, PROV_ARIA_HW_gcm(keybits), 4);
return ctx;
diff --git a/providers/implementations/ciphers/cipher_blowfish.c b/providers/implementations/ciphers/cipher_blowfish.c
index 3eb4ebead2..f4ab8f5352 100644
--- a/providers/implementations/ciphers/cipher_blowfish.c
+++ b/providers/implementations/ciphers/cipher_blowfish.c
@@ -17,6 +17,7 @@
#include "cipher_blowfish.h"
#include "prov/implementations.h"
+#include "prov/providercommon.h"
#define BF_FLAGS (EVP_CIPH_VARIABLE_LENGTH)
@@ -34,8 +35,12 @@ static void blowfish_freectx(void *vctx)
static void *blowfish_dupctx(void *ctx)
{
PROV_BLOWFISH_CTX *in = (PROV_BLOWFISH_CTX *)ctx;
- PROV_BLOWFISH_CTX *ret = OPENSSL_malloc(sizeof(*ret));
+ PROV_BLOWFISH_CTX *ret;
+ if (!ossl_prov_is_running())
+ return NULL;
+
+ ret = OPENSSL_malloc(sizeof(*ret));
if (ret == NULL) {
ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
return NULL;
diff --git a/providers/implementations/ciphers/cipher_camellia.c b/providers/implementations/ciphers/cipher_camellia.c
index ffb23b475a..84d5aaaa89 100644
--- a/providers/implementations/ciphers/cipher_camellia.c
+++ b/providers/implementations/ciphers/cipher_camellia.c
@@ -17,6 +17,7 @@
#include "cipher_camellia.h"
#include "prov/implementations.h"
+#include "prov/providercommon.h"
static OSSL_FUNC_cipher_freectx_fn camellia_freectx;
static OSSL_FUNC_cipher_dupctx_fn camellia_dupctx;
@@ -32,8 +33,12 @@ static void camellia_freectx(void *vctx)
static void *camellia_dupctx(void *ctx)
{
PROV_CAMELLIA_CTX *in = (PROV_CAMELLIA_CTX *)ctx;
- PROV_CAMELLIA_CTX *ret = OPENSSL_malloc(sizeof(*ret));
+ PROV_CAMELLIA_CTX *ret;
+ if (!ossl_prov_is_running())
+ return NULL;
+
+ ret = OPENSSL_malloc(sizeof(*ret));
if (ret == NULL) {
ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
return NULL;
diff --git a/providers/implementations/ciphers/cipher_cast5.c b/providers/implementations/ciphers/cipher_cast5.c
index 938b8d2013..bc3088f81b 100644
--- a/providers/implementations/ciphers/cipher_cast5.c
+++ b/providers/implementations/ciphers/cipher_cast5.c
@@ -17,6 +17,7 @@
#include "cipher_cast.h"
#include "prov/implementations.h"
+#include "prov/providercommon.h"
#include "prov/providercommonerr.h"
#define CAST5_FLAGS (EVP_CIPH_VARIABLE_LENGTH)
@@ -35,8 +36,12 @@ static void cast5_freectx(void *vctx)
static void *cast5_dupctx(void *ctx)
{
PROV_CAST_CTX *in = (PROV_CAST_CTX *)ctx;
- PROV_CAST_CTX *ret = OPENSSL_malloc(sizeof(*ret));
+ PROV_CAST_CTX *ret;
+ if (!ossl_prov_is_running())
+ return NULL;
+
+ ret = OPENSSL_malloc(sizeof(*ret));
if (ret == NULL) {
ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
return NULL;
diff --git a/providers/implementations/ciphers/cipher_chacha20.c b/providers/implementations/ciphers/cipher_chacha20.c
index 4e02ce9493..56bc1b95af 100644
--- a/providers/implementations/ciphers/cipher_chacha20.c
+++ b/providers/implementations/ciphers/cipher_chacha20.c
@@ -11,6 +11,7 @@
#include "cipher_chacha20.h"
#include "prov/implementations.h"
+#include "prov/providercommon.h"
#include "prov/providercommonerr.h"
#define CHACHA20_KEYLEN (CHACHA_KEY_SIZE)
@@ -43,11 +44,15 @@ void chacha20_initctx(PROV_CHACHA20_CTX *ctx)
static void *chacha20_newctx(void *provctx)
{
- PROV_CHACHA20_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx));
+ PROV_CHACHA20_CTX *ctx;
- if (ctx != NULL)
- chacha20_initctx(ctx);
- return ctx;
+ if (!ossl_prov_is_running())
+ return NULL;
+
+ ctx = OPENSSL_zalloc(sizeof(*ctx));
+ if (ctx != NULL)
+ chacha20_initctx(ctx);
+ return ctx;
}
static void chacha20_freectx(void *vctx)
@@ -141,6 +146,7 @@ int chacha20_einit(void *vctx, const unsigned char *key, size_t keylen,
{
int ret;
+ /* The generic function checks for ossl_prov_is_running() */
ret= cipher_generic_einit(vctx, key, keylen, iv, ivlen);
if (ret && iv != NULL) {
PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx;
@@ -156,6 +162,7 @@ int chacha20_dinit(void *vctx, const unsigned char *key, size_t keylen,
{
int ret;
+ /* The generic function checks for ossl_prov_is_running() */
ret= cipher_generic_dinit(vctx, key, keylen, iv, ivlen);
if (ret && iv != NULL) {
PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx;
diff --git a/providers/implementations/ciphers/cipher_chacha20_poly1305.c b/providers/implementations/ciphers/cipher_chacha20_poly1305.c
index 90ff4ce1f5..da47e34fdf 100644
--- a/providers/implementations/ciphers/cipher_chacha20_poly1305.c
+++ b/providers/implementations/ciphers/cipher_chacha20_poly1305.c
@@ -11,6 +11,7 @@
#include "cipher_chacha20_poly1305.h"
#include "prov/implementations.h"
+#include "prov/providercommon.h"
#include "prov/providercommonerr.h"
@@ -43,8 +44,12 @@ static OSSL_FUNC_cipher_gettable_ctx_params_fn chacha20_poly1305_gettable_ctx_pa
static void *chacha20_poly1305_newctx(void *provctx)
{
- PROV_CHACHA20_POLY1305_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx));
+ PROV_CHACHA20_POLY1305_CTX *ctx;
+ if (!ossl_prov_is_running())
+ return NULL;
+
+ ctx = OPENSSL_zalloc(sizeof(*ctx));
if (ctx != NULL) {
cipher_generic_initkey(&ctx->base, CHACHA20_POLY1305_KEYLEN * 8,
CHACHA20_POLY1305_BLKLEN * 8,
@@ -229,6 +234,7 @@ static int chacha20_poly1305_einit(void *vctx, const unsigned char *key,
{
int ret;
+ /* The generic function checks for ossl_prov_is_running() */
ret = cipher_generic_einit(vctx, key, keylen, iv, ivlen);
if (ret && iv != NULL) {
PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx;
@@ -246,6 +252,7 @@ static int chacha20_poly1305_dinit(void *vctx, const unsigned char *key,
{
int ret;
+ /* The generic function checks for ossl_prov_is_running() */
ret = cipher_generic_dinit(vctx, key, keylen, iv, ivlen);
if (ret && iv != NULL) {
PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx;
@@ -265,6 +272,9 @@ static int chacha20_poly1305_cipher(void *vctx, unsigned char *out,
PROV_CIPHER_HW_CHACHA20_POLY1305 *hw =
(PROV_CIPHER_HW_CHACHA20_POLY1305 *)ctx->hw;
+ if (!ossl_prov_is_running())
+ return 0;
+
if (inl == 0) {
*outl = 0;
return 1;
@@ -288,6 +298,9 @@ static int chacha20_poly1305_final(void *vctx, unsigned char *out, size_t *outl,
PROV_CIPHER_HW_CHACHA20_POLY1305 *hw =
(PROV_CIPHER_HW_CHACHA20_POLY1305 *)ctx->hw;
+ if (!ossl_prov_is_running())
+ return 0;
+
if (hw->aead_cipher(ctx, out, outl, NULL, 0) <= 0)
return 0;
diff --git a/providers/implementations/ciphers/cipher_des.c b/providers/implementations/ciphers/cipher_des.c
index 4974234efd..269125c63d 100644
--- a/providers/implementations/ciphers/cipher_des.c
+++ b/providers/implementations/ciphers/cipher_des.c
@@ -17,6 +17,7 @@
#include "cipher_des.h"
#include <openssl/rand.h>
#include "prov/implementations.h"
+#include "prov/providercommon.h"
#include "prov/providercommonerr.h"
/* TODO(3.0) Figure out what flags need to be here */
@@ -32,8 +33,12 @@ static void *des_newctx(void *provctx, size_t kbits, size_t blkbits,
size_t ivbits, unsigned int mode, uint64_t flags,
const PROV_CIPHER_HW *hw)
{
- PROV_DES_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx));
+ PROV_DES_CTX *ctx;
+ if (!ossl_prov_is_running())
+ return NULL;
+
+ ctx = OPENSSL_zalloc(sizeof(*ctx));
if (ctx != NULL)
cipher_generic_initkey(ctx, kbits, blkbits, ivbits, mode, flags, hw,
provctx);
@@ -43,8 +48,12 @@ static void *des_newctx(void *provctx, size_t kbits, size_t blkbits,
static void *des_dupctx(void *ctx)
{
PROV_DES_CTX *in = (PROV_DES_CTX *)ctx;
- PROV_DES_CTX *ret = OPENSSL_malloc(sizeof(*ret));
+ PROV_DES_CTX *ret;
+
+ if (!ossl_prov_is_running())
+ return NULL;
+ ret = OPENSSL_malloc(sizeof(*ret));
if (ret == NULL) {
ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
return NULL;
@@ -67,6 +76,9 @@ static int des_init(void *vctx, const unsigned char *key, size_t keylen,
{
PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx;
+ if (!ossl_prov_is_running())
+ return 0;
+
ctx->num = 0;
ctx->bufsz = 0;
ctx->enc = enc;
diff --git a/providers/implementations/ciphers/cipher_idea.c b/providers/implementations/ciphers/cipher_idea.c
index 7fc5d8403d..07a6d4b997 100644
--- a/providers/implementations/ciphers/cipher_idea.c
+++ b/providers/implementations/ciphers/cipher_idea.c
@@ -18,6 +18,7 @@
#include "cipher_idea.h"
#include "prov/implementations.h"
+#include "prov/providercommon.h"
static OSSL_FUNC_cipher_freectx_fn idea_freectx;
static OSSL_FUNC_cipher_dupctx_fn idea_dupctx;
@@ -33,8 +34,12 @@ static void idea_freectx(void *vctx)
static void *idea_dupctx(void *ctx)
{
PROV_IDEA_CTX *in = (PROV_IDEA_CTX *)ctx;
- PROV_IDEA_CTX *ret = OPENSSL_malloc(sizeof(*ret));
+ PROV_IDEA_CTX *ret;
+ if (!ossl_prov_is_running())
+ return NULL;
+
+ ret = OPENSSL_malloc(sizeof(*ret));
if (ret == NULL) {
ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
return NULL;
diff --git a/providers/implementations/ciphers/cipher_null.c b/providers/implementations/ciphers/cipher_null.c
index 3cf64c2271..c29fdd4b32 100644
--- a/providers/implementations/ciphers/cipher_null.c
+++ b/providers/implementations/ciphers/cipher_null.c
@@ -12,6 +12,7 @@
#include <openssl/core_dispatch.h>
#include "prov/implementations.h"
#include "prov/ciphercommon.h"
+#include "prov/providercommon.h"
#include "prov/providercommonerr.h"
typedef struct prov_cipher_null_ctx_st {
@@ -23,6 +24,9 @@ typedef struct prov_cipher_null_ctx_st {
static OSSL_FUNC_cipher_newctx_fn null_newctx;
static void *null_newctx(void *provctx)
{
+ if (!ossl_prov_is_running())
+ return NULL;
+
return OPENSSL_zalloc(sizeof(PROV_CIPHER_NULL_CTX));
}
@@ -38,6 +42,9 @@ static int null_einit(void *vctx, const unsigned char *key, size_t keylen,
{
PROV_CIPHER_NULL_CTX *ctx = (PROV_CIPHER_NULL_CTX *)vctx;
+ if (!ossl_prov_is_running())
+ return 0;
+
ctx->enc = 1;
return 1;
}
@@ -46,6 +53,9 @@ static OSSL_FUNC_cipher_decrypt_init_fn null_dinit;
static int null_dinit(void *vctx, const unsigned char *key, size_t keylen,
const unsigned char *iv, size_t ivlen)
{
+ if (!ossl_prov_is_running())
+ return 0;
+
return 1;
}
@@ -55,6 +65,9 @@ static int null_cipher(void *vctx, unsigned char *out, size_t *outl,
{
PROV_CIPHER_NULL_CTX *ctx = (PROV_CIPHER_NULL_CTX *)vctx;
+ if (!ossl_prov_is_running())
+ return 0;
+
if (!ctx->enc && ctx->tlsmacsize > 0) {
/*
* TLS NULL cipher as per:
@@ -77,6 +90,9 @@ static OSSL_FUNC_cipher_final_fn null_final;
static int null_final(void *vctx, unsigned char *out, size_t *outl,
size_t outsize)
{
+ if (!ossl_prov_is_running())
+ return 0;
+
*outl = 0;
return 1;
}
diff --git a/providers/implementations/ciphers/cipher_rc2.c b/providers/implementations/ciphers/cipher_rc2.c
index d1558be002..85151718ee 100644
--- a/providers/implementations/ciphers/cipher_rc2.c
+++ b/providers/implementations/ciphers/cipher_rc2.c
@@ -17,6 +17,7 @@
#include "cipher_rc2.h"
#include "prov/implementations.h"
+#include "prov/providercommon.h"
#include "prov/providercommonerr.h"
#define RC2_40_MAGIC 0xa0
@@ -39,8 +40,12 @@ static void rc2_freectx(void *vctx)
static void *rc2_dupctx(void *ctx)
{
PROV_RC2_CTX *in = (PROV_RC2_CTX *)ctx;
- PROV_RC2_CTX *ret = OPENSSL_malloc(sizeof(*ret));
+ PROV_RC2_CTX *ret;
+ if (!ossl_prov_is_running())
+ return NULL;
+
+ ret = OPENSSL_malloc(sizeof(*ret));
if (ret == NULL) {
ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
return NULL;
@@ -198,7 +203,10 @@ static int alg##_##kbits##_##lcmode##_get_params(OSSL_PARAM params[]) \
static OSSL_FUNC_cipher_newctx_fn alg##_##kbits##_##lcmode##_newctx; \
static void * alg##_##kbits##_##lcmode##_newctx(void *provctx) \
{ \
- PROV_##UCALG##_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx)); \
+ PROV_##UCALG##_CTX *ctx; \
+ if (!ossl_prov_is_running()) \
+ return NULL; \
+ ctx = OPENSSL_zalloc(sizeof(*ctx)); \
if (ctx != NULL) { \
cipher_generic_initkey(ctx, kbits, blkbits, ivbits, \
EVP_CIPH_##UCMODE##_MODE, flags, \
diff --git a/providers/implementations/ciphers/cipher_rc4.c b/providers/implementations/ciphers/cipher_rc4.c
index 4660185d45..02fff58acd 100644
--- a/providers/implementations/ciphers/cipher_rc4.c
+++ b/providers/implementations/ciphers/cipher_rc4.c
@@ -17,6 +17,7 @@
#include "cipher_rc4.h"
#include "prov/implementations.h"
+#include "prov/providercommon.h"
/* TODO (3.0) Figure out what flags are required */
#define RC4_FLAGS EVP_CIPH_FLAG_DEFAULT_ASN1
@@ -35,8 +36,12 @@ static void rc4_freectx(void *vctx)
static void *rc4_dupctx(void *ctx)
{
PROV_RC4_CTX *in = (PROV_RC4_CTX *)ctx;
- PROV_RC4_CTX *ret = OPENSSL_malloc(sizeof(*ret));
+ PROV_RC4_CTX *ret;
+ if (!ossl_prov_is_running())
+ return NULL;
+
+ ret = OPENSSL_malloc(sizeof(*ret));
if (ret == NULL) {
ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
return NULL;
@@ -56,7 +61,10 @@ static int alg##_##kbits##_get_params(OSSL_PARAM params[]) \
static OSSL_FUNC_cipher_newctx_fn alg##_##kbits##_newctx; \
static void * alg##_##kbits##_newctx(void *provctx) \
{ \
- PROV_##UCALG##_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx)); \
+ PROV_##UCALG##_CTX *ctx; \
+ if (!ossl_prov_is_running()) \
+ return NULL; \
+ ctx = OPENSSL_zalloc(sizeof(*ctx)); \
if (ctx != NULL) { \
cipher_generic_initkey(ctx, kbits, blkbits, ivbits, 0, flags, \
PROV_CIPHER_HW_##alg(kbits), NULL); \
diff --git a/providers/implementations/ciphers/cipher_rc4_hmac_md5.c b/providers/implementations/ciphers/cipher_rc4_hmac_md5.c
index 736857ec13..18886ee16c 100644
--- a/providers/implementations/ciphers/cipher_rc4_hmac_md5.c
+++ b/providers/implementations/ciphers/cipher_rc4_hmac_md5.c
@@ -17,6 +17,7 @@
#include "cipher_rc4_hmac_md5.h"
#include "prov/implementations.h"
+#include "prov/providercommon.h"
#include "prov/providercommonerr.h"
/* TODO(3.0) Figure out what flags are required */
@@ -46,8 +47,12 @@ static OSSL_FUNC_cipher_get_params_fn rc4_hmac_md5_get_params;
static void *rc4_hmac_md5_newctx(void *provctx)
{
- PROV_RC4_HMAC_MD5_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx));
+ PROV_RC4_HMAC_MD5_CTX *ctx;
+ if (!ossl_prov_is_running())
+ return NULL;
+
+ ctx = OPENSSL_zalloc(sizeof(*ctx));
if (ctx != NULL)
cipher_generic_initkey(ctx, RC4_HMAC_MD5_KEY_BITS,
RC4_HMAC_MD5_BLOCK_BITS,
diff --git a/providers/implementations/ciphers/cipher_rc5.c b/providers/implementations/ciphers/cipher_rc5.c
index 68ce6fdd91..848b80d2a7 100644
--- a/providers/implementations/ciphers/cipher_rc5.c
+++ b/providers/implementations/ciphers/cipher_rc5.c
@@ -17,6 +17,7 @@
#include "cipher_rc5.h"
#include "prov/implementations.h"
+#include "prov/providercommon.h"
#include "prov/providercommonerr.h"
static OSSL_FUNC_cipher_freectx_fn rc5_freectx;
@@ -35,8 +36,12 @@ static void rc5_freectx(void *vctx)
static void *rc5_dupctx(void *ctx)
{
PROV_RC5_CTX *in = (PROV_RC5_CTX *)ctx;
- PROV_RC5_CTX *ret = OPENSSL_malloc(sizeof(*ret));
+ PROV_RC5_CTX *ret;
+ if (!ossl_prov_is_running())
+ return NULL;
+
+ ret = OPENSSL_malloc(sizeof(*ret));
if (ret == NULL) {
ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
return NULL;
@@ -109,7 +114,10 @@ static int alg##_##kbits##_##lcmode##_get_params(OSSL_PARAM params[]) \
static OSSL_FUNC_cipher_newctx_fn alg##_##kbits##_##lcmode##_newctx; \
static void * alg##_##kbits##_##lcmode##_newctx(void *provctx) \
{ \
- PROV_##UCALG##_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx)); \
+ PROV_##UCALG##_CTX *ctx; \
+ if (!ossl_prov_is_running()) \
+ return NULL; \
+ ctx = OPENSSL_zalloc(sizeof(*ctx)); \
if (ctx != NULL) { \
cipher_generic_initkey(ctx, kbits, blkbits, ivbits, \
EVP_CIPH_##UCMODE##_MODE, flags, \
diff --git a/providers/implementations/ciphers/cipher_seed.c b/providers/implementations/ciphers/cipher_seed.c
index 53520b3c4d..92cdbf4a43 100644
--- a/providers/implementations/ciphers/cipher_seed.c
+++ b/providers/implementations/ciphers/cipher_seed.c
@@ -17,6 +17,7 @@
#include "cipher_seed.h"
#include "prov/implementations.h"
+#include "prov/providercommon.h"
static OSSL_FUNC_cipher_freectx_fn seed_freectx;
static OSSL_FUNC_cipher_dupctx_fn seed_dupctx;
@@ -32,8 +33,12 @@ static void seed_freectx(void *vctx)
static void *seed_dupctx(void *ctx)
{
PROV_SEED_CTX *in = (PROV_SEED_CTX *)ctx;
- PROV_SEED_CTX *ret = OPENSSL_malloc(sizeof(*ret));
+ PROV_SEED_CTX *ret;
+ if (!ossl_prov_is_running())
+ return NULL;
+
+ ret = OPENSSL_malloc(sizeof(*ret));
if (ret == NULL) {
ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
return NULL;
diff --git a/providers/implementations/ciphers/cipher_sm4.c b/providers/implementations/ciphers/cipher_sm4.c
index a5920562fc..a917e8e29a 100644
--- a/providers/implementations/ciphers/cipher_sm4.c
+++ b/providers/implementations/ciphers/cipher_sm4.c
@@ -11,6 +11,7 @@
#include "cipher_sm4.h"
#include "prov/implementations.h"
+#include "prov/providercommon.h"
static OSSL_FUNC_cipher_freectx_fn sm4_freectx;
static OSSL_FUNC_cipher_dupctx_fn sm4_dupctx;
@@ -26,8 +27,12 @@ static void sm4_freectx(void *vctx)
static void *sm4_dupctx(void *ctx)
{
PROV_SM4_CTX *in = (PROV_SM4_CTX *)ctx;
- PROV_SM4_CTX *ret = OPENSSL_malloc(sizeof(*ret));
+ PROV_SM4_CTX *ret;
+ if (!ossl_prov_is_running())
+ return NULL;
+
+ ret = OPENSSL_malloc(sizeof(*ret));
if (ret == NULL) {
ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
return NULL;
diff --git a/providers/implementations/ciphers/cipher_tdes_common.c b/providers/implementations/ciphers/cipher_tdes_common.c
index a226e2aac4..1340c6034b 100644
--- a/providers/implementations/ciphers/cipher_tdes_common.c
+++ b/providers/implementations/ciphers/cipher_tdes_common.c
@@ -17,13 +17,18 @@
#include "cipher_tdes.h"
#include <openssl/rand.h>
#include "prov/implementations.h"
+#include "prov/providercommon.h"
#include "prov/providercommonerr.h"
void *tdes_newctx(void *provctx, int mode, size_t kbits, size_t blkbits,
size_t ivbits, uint64_t flags, const PROV_CIPHER_HW *hw)
{
- PROV_TDES_CTX *tctx = OPENSSL_zalloc(sizeof(*tctx));
+ PROV_TDES_CTX *tctx;
+ if (!ossl_prov_is_running())
+ return NULL;
+
+ tctx = OPENSSL_zalloc(sizeof(*tctx));
if (tctx != NULL)
cipher_generic_initkey(tctx, kbits, blkbits, ivbits, mode, flags, hw,
provctx);
@@ -33,8 +38,12 @@ void *tdes_newctx(void *provctx, int mode, size_t kbits, size_t blkbits,
void *tdes_dupctx(void *ctx)
{
PROV_TDES_CTX *in = (PROV_TDES_CTX *)ctx;
- PROV_TDES_CTX *ret = OPENSSL_malloc(sizeof(*ret));
+ PROV_TDES_CTX *ret;
+
+ if (!ossl_prov_is_running())
+ return NULL;
+ ret = OPENSSL_malloc(sizeof(*ret));
if (ret == NULL) {
ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
return NULL;
@@ -57,6 +66,9 @@ static int tdes_init(void *vctx, const unsigned char *key, size_t keylen,
{
PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx;
+ if (!ossl_prov_is_running())
+ return 0;
+
ctx->num = 0;
ctx->bufsz = 0;
ctx->enc = enc;
diff --git a/providers/implementations/ciphers/cipher_tdes_wrap.c b/providers/implementations/ciphers/cipher_tdes_wrap.c
index 73d00a58d5..8fc086c343 100644
--- a/providers/implementations/ciphers/cipher_tdes_wrap.c
+++ b/providers/implementations/ciphers/cipher_tdes_wrap.c
@@ -18,6 +18,7 @@
#include "cipher_tdes_default.h"
#include "crypto/evp.h"
#include "prov/implementations.h"
+#include "prov/providercommon.h"
#include "prov/providercommonerr.h"
/* TODO (3.0) Figure out what flags are required */
@@ -133,6 +134,9 @@ static int tdes_wrap_cipher(void *vctx,
int ret;
*outl = 0;
+ if (!ossl_prov_is_running())
+ return 0;
+
if (outsize < inl) {
PROVerr(0, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
return 0;
diff --git a/providers/implementations/ciphers/ciphercommon.c b/providers/implementations/ciphers/ciphercommon.c
index b49f27f29d..08693080bd 100644
--- a/providers/implementations/ciphers/ciphercommon.c
+++ b/providers/implementations/ciphers/ciphercommon.c
@@ -15,6 +15,7 @@
#include <openssl/ssl.h>
#include "ciphercommon_local.h"
#include "prov/provider_ctx.h"
+#include "prov/providercommon.h"
#include "prov/providercommonerr.h"
/*-
@@ -155,6 +156,9 @@ static int cipher_generic_init_internal(PROV_CIPHER_CTX *ctx,
ctx->updated = 0;
ctx->enc = enc ? 1 : 0;
+ if (!ossl_prov_is_running())
+ return 0;
+
if (iv != NULL && ctx->mode != EVP_CIPH_ECB_MODE) {
if (!cipher_generic_initiv(ctx, iv, ivlen))
return 0;
@@ -334,6 +338,9 @@ int cipher_generic_block_final(void *vctx, unsigned char *out, size_t *outl,
PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx;
size_t blksz = ctx->blocksize;
+ if (!ossl_prov_is_running())
+ return 0;
+
if (ctx->tlsversion > 0) {
/* We never finalize TLS, so this is an error */
ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
@@ -433,6 +440,9 @@ int cipher_generic_stream_update(void *vctx, unsigned char *out, size_t *outl,
int cipher_generic_stream_final(void *vctx, unsigned char *out, size_t *outl,
size_t outsize)
{
+ if (!ossl_prov_is_running())
+ return 0;
+
*outl = 0;
return 1;
}
@@ -443,6 +453,9 @@ int cipher_generic_cipher(void *vctx,
{
PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx;
+ if (!ossl_prov_is_running())
+ return 0;
+
if (outsize < inl) {
ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
return 0;
diff --git a/providers/implementations/ciphers/ciphercommon_ccm.c b/providers/implementations/ciphers/ciphercommon_ccm.c
index bdbfa74d40..b7f21b3df6 100644
--- a/providers/implementations/ciphers/ciphercommon_ccm.c
+++ b/providers/implementations/ciphers/ciphercommon_ccm.c
@@ -11,6 +11,7 @@
#include "prov/ciphercommon.h"
#include "prov/ciphercommon_ccm.h"
+#include "prov/providercommon.h"
#include "prov/providercommonerr.h"
static int ccm_cipher_internal(PROV_CCM_CTX *ctx, unsigned char *out,
@@ -21,7 +22,7 @@ static int ccm_tls_init(PROV_CCM_CTX *ctx, unsigned char *aad, size_t alen)
{
size_t len;
- if (alen != EVP_AEAD_TLS1_AAD_LEN)
+ if (!ossl_prov_is_running() || alen != EVP_AEAD_TLS1_AAD_LEN)
return 0;
/* Save the aad for later use. */
@@ -220,6 +221,9 @@ static int ccm_init(void *vctx, const unsigned char *key, size_t keylen,
{
PROV_CCM_CTX *ctx = (PROV_CCM_CTX *)vctx;
+ if (!ossl_prov_is_running())
+ return 0;
+
ctx->enc = enc;
if (iv != NULL) {
@@ -276,6 +280,9 @@ int ccm_stream_final(void *vctx, unsigned char *out, size_t *outl,
PROV_CCM_CTX *ctx = (PROV_CCM_CTX *)vctx;
int i;
+ if (!ossl_prov_is_running())
+ return 0;
+
i = ccm_cipher_internal(ctx, out, outl, NULL, 0);
if (i <= 0)
return 0;
@@ -290,6 +297,9 @@ int ccm_cipher(void *vctx,
{
PROV_CCM_CTX *ctx = (PROV_CCM_CTX *)vctx;
+ if (!ossl_prov_is_running())
+ return 0;
+
if (outsize < inl) {
ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
return 0;
@@ -320,6 +330,9 @@ static int ccm_tls_cipher(PROV_CCM_CTX *ctx,
int rv = 0;
size_t olen = 0;
+ if (!ossl_prov_is_running())
+ goto err;
+
/* Encrypt/decrypt must be performed in place */
if (in == NULL || out != in || len < EVP_CCM_TLS_EXPLICIT_IV_LEN + ctx->m)
goto err;
diff --git a/providers/implementations/ciphers/ciphercommon_gcm.c b/providers/implementations/ciphers/ciphercommon_gcm.c
index 06649b3dc3..abe2e9ace0 100644
--- a/providers/implementations/ciphers/ciphercommon_gcm.c
+++ b/providers/implementations/ciphers/ciphercommon_gcm.c
@@ -11,6 +11,7 @@
#include "prov/ciphercommon.h"
#include "prov/ciphercommon_gcm.h"
+#include "prov/providercommon.h"
#include "prov/providercommonerr.h"
#include <openssl/rand.h>
#include "prov/provider_ctx.h"
@@ -43,6 +44,9 @@ static int gcm_init(void *vctx, const unsigned char *key, size_t keylen,
{
PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx;
+ if (!ossl_prov_is_running())
+ return 0;
+
ctx->enc = enc;
if (iv != NULL) {
@@ -311,6 +315,9 @@ int gcm_stream_final(void *vctx, unsigned char *out, size_t *outl,
PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx;
int i;
+ if (!ossl_prov_is_running())
+ return 0;
+
i = gcm_cipher_internal(ctx, out, outl, NULL, 0);
if (i <= 0)
return 0;
@@ -325,6 +332,9 @@ int gcm_cipher(void *vctx,
{
PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx;
+ if (!ossl_prov_is_running())
+ return 0;
+
if (outsize < inl) {
ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
return 0;
@@ -424,7 +434,7 @@ static int gcm_tls_init(PROV_GCM_CTX *dat, unsigned char *aad, size_t aad_len)
unsigned char *buf;
size_t len;
- if (aad_len != EVP_AEAD_TLS1_AAD_LEN)
+ if (!ossl_prov_is_running() || aad_len != EVP_AEAD_TLS1_AAD_LEN)
return 0;
/* Save the aad for later use. */
@@ -489,7 +499,7 @@ static int gcm_tls_cipher(PROV_GCM_CTX *ctx, unsigned char *out, size_t *padlen,
size_t plen = 0;
unsigned char *tag = NULL;
- if (!ctx->key_set)
+ if (!ossl_prov_is_running() || !ctx->key_set)
goto err;
/* Encrypt/decrypt must be performed in place */
diff --git a/providers/implementations/digests/sha3_prov.c b/providers/implementations/digests/sha3_prov.c
index 8cd9c95ab9..4c22448940 100644
--- a/providers/implementations/digests/sha3_prov.c
+++ b/providers/implementations/digests/sha3_prov.c
@@ -47,6 +47,8 @@ static sha3_final_fn generic_sha3_final;
static int keccak_init(void *vctx)
{
+ if (!ossl_prov_is_running())
+ return 0;
/* The newctx() handles most of the ctx fixed setup. */
sha3_reset((KECCAK1600_CTX *)vctx);
return 1;
@@ -95,6 +97,8 @@ static int keccak_final(void *vctx, unsigned char *out, size_t *outl,
int ret = 1;
KECCAK1600_CTX *ctx = vctx;
+ if (!ossl_prov_is_running())
+ return 0;
if (outsz > 0)
ret = ctx->meth.final(out, ctx);
@@ -145,6 +149,8 @@ static int s390x_sha3_final(unsigned char *md, void *vctx)
{
KECCAK1600_CTX *ctx = vctx;
+ if (!ossl_prov_is_running())
+ return 0;
s390x_klmd(ctx->buf, ctx->bufsz, NULL, 0, ctx->pad, ctx->A);
memcpy(md, ctx->A, ctx->md_size);
return 1;
@@ -154,6 +160,8 @@ static int s390x_shake_final(unsigned char *md, void *vctx)
{
KECCAK1600_CTX *ctx = vctx;
+ if (!ossl_prov_is_running())
+ return 0;
s390x_klmd(ctx->buf, ctx->bufsz, md, ctx->md_size, ctx->pad, ctx->A);
return 1;
}
@@ -185,7 +193,8 @@ static PROV_SHA3_METHOD shake_s390x_md =
static OSSL_FUNC_digest_newctx_fn name##_newctx; \
static void *name##_newctx(void *provctx) \
{ \
- KECCAK1600_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx)); \
+ KECCAK1600_CTX *ctx = ossl_prov_is_running() ? OPENSSL_zalloc(sizeof(*ctx)) \
+ : NULL; \
\
if (ctx == NULL) \
return NULL; \
@@ -198,7 +207,8 @@ static void *name##_newctx(void *provctx) \
static OSSL_FUNC_digest_newctx_fn uname##_newctx; \
static void *uname##_newctx(void *provctx) \
{ \
- KECCAK1600_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx)); \
+ KECCAK1600_CTX *ctx = ossl_prov_is_running() ? OPENSSL_zalloc(sizeof(*ctx)) \
+ : NULL; \
\
if (ctx == NULL) \
return NULL; \
@@ -239,7 +249,8 @@ static void keccak_freectx(void *vctx)
static void *keccak_dupctx(void *ctx)
{
KECCAK1600_CTX *in = (KECCAK1600_CTX *)ctx;
- KECCAK1600_CTX *ret = OPENSSL_malloc(sizeof(*ret));
+ KECCAK1600_CTX *ret = ossl_prov_is_running() ? OPENSSL_malloc(sizeof(*ret))
+ : NULL;
if (ret != NULL)
*ret = *in;
diff --git a/providers/implementations/exchange/dh_exch.c b/providers/implementations/exchange/dh_exch.c
index 3c3bd4dd38..fad38ec93d 100644
--- a/providers/implementations/exchange/dh_exch.c
+++ b/providers/implementations/exchange/dh_exch.c
@@ -20,6 +20,7 @@
#include <openssl/dh.h>
#include <openssl/err.h>
#include <openssl/params.h>
+#include "prov/providercommon.h"
#include "prov/implementations.h"
#include "prov/provider_ctx.h"
#include "crypto/dh.h"
@@ -77,8 +78,12 @@ typedef struct {
static void *dh_newctx(void *provctx)
{
- PROV_DH_CTX *pdhctx = OPENSSL_zalloc(sizeof(PROV_DH_CTX));
+ PROV_DH_CTX *pdhctx;
+ if (!ossl_prov_is_running())
+ return NULL;
+
+ pdhctx = OPENSSL_zalloc(sizeof(PROV_DH_CTX));
if (pdhctx == NULL)
return NULL;
pdhctx->libctx = PROV_LIBRARY_CONTEXT_OF(provctx);
@@ -90,7 +95,10 @@ static int dh_init(void *vpdhctx, void *vdh)
{
PROV_DH_CTX *pdhctx = (PROV_DH_CTX *)vpdhctx;
- if (pdhctx == NULL || vdh == NULL || !DH_up_ref(vdh))
+ if (!ossl_prov_is_running()
+ || pdhctx == NULL
+ || vdh == NULL
+ || !DH_up_ref(vdh))
return 0;
DH_free(pdhctx->dh);
pdhctx->dh = vdh;
@@ -102,7 +110,10 @@ static int dh_set_peer(void *vpdhctx, void *vdh)
{
PROV_DH_CTX *pdhctx = (PROV_DH_CTX *)vpdhctx;
- if (pdhctx == NULL || vdh == NULL || !DH_up_ref(vdh))
+ if (!ossl_prov_is_running()
+ || pdhctx == NULL
+ || vdh == NULL
+ || !DH_up_ref(vdh))
return 0;
DH_free(pdhctx->dhpeer);
pdhctx->dhpeer = vdh;
@@ -189,6 +200,9 @@ static int dh_derive(void *vpdhctx, unsigned char *secret,
{
PROV_DH_CTX *pdhctx = (PROV_DH_CTX *)vpdhctx;
+ if (!ossl_prov_is_running())
+ return 0;
+
switch (pdhctx->kdf_type) {
case PROV_DH_KDF_NONE:
return dh_plain_derive(pdhctx, secret, psecretlen, outlen);
@@ -219,6 +233,9 @@ static void *dh_dupctx(void *vpdhctx)
PROV_DH_CTX *srcctx = (PROV_DH_CTX *)vpdhctx;
PROV_DH_CTX *dstctx;
+ if (!ossl_prov_is_running())
+ return NULL;
+
dstctx = OPENSSL_zalloc(sizeof(*srcctx));
if (dstctx == NULL)
return NULL;
diff --git a/providers/implementations/exchange/ecdh_exch.c b/providers/implementations/exchange/ecdh_exch.c
index 88f9c7c9bf..8e6cf10dc5 100644
--- a/providers/implementations/exchange/ecdh_exch.c
+++ b/providers/implementations/exchange/ecdh_exch.c
@@ -22,6 +22,7 @@
#include <openssl/params.h>
#include <openssl/err.h>
#include "prov/provider_ctx.h"
+#include "prov/providercommon.h"
#include "prov/implementations.h"
#include "crypto/ec.h" /* ecdh_KDF_X9_63() */
@@ -79,8 +80,12 @@ typedef struct {
static
void *ecdh_newctx(void *provctx)
{
- PROV_ECDH_CTX *pectx = OPENSSL_zalloc(sizeof(*pectx));
+ PROV_ECDH_CTX *pectx;
+ if (!ossl_prov_is_running())
+ return NULL;
+
+ pectx = OPENSSL_zalloc(sizeof(*pectx));
if (pectx == NULL)
return NULL;
@@ -96,7 +101,10 @@ int ecdh_init(void *vpecdhctx, void *vecdh)
{
PROV_ECDH_CTX *pecdhctx = (PROV_ECDH_CTX *)vpecdhctx;
- if (pecdhctx == NULL || vecdh == NULL || !EC_KEY_up_ref(vecdh))
+ if (!ossl_prov_is_running()
+ || pecdhctx == NULL
+ || vecdh == NULL
+ || !EC_KEY_up_ref(vecdh))
return 0;
EC_KEY_free(pecdhctx->k);
pecdhctx->k = vecdh;
@@ -110,7 +118,10 @@ int ecdh_set_peer(void *vpecdhctx, void *vecdh)
{
PROV_ECDH_CTX *pecdhctx = (PROV_ECDH_CTX *)vpecdhctx;
- if (pecdhctx == NULL || vecdh == NULL || !EC_KEY_up_ref(vecdh))
+ if (!ossl_prov_is_running()
+ || pecdhctx == NULL
+ || vecdh == NULL
+ || !EC_KEY_up_ref(vecdh))
return 0;
EC_KEY_free(pecdhctx->peerk);
pecdhctx->peerk = vecdh;
@@ -137,6 +148,9 @@ void *ecdh_dupctx(void *vpecdhctx)
PROV_ECDH_CTX *srcctx = (PROV_ECDH_CTX *)vpecdhctx;
PROV_ECDH_CTX *dstctx;
+ if (!ossl_prov_is_running())
+ return NULL;
+
dstctx = OPENSSL_zalloc(sizeof(*srcctx));
if (dstctx == NULL)
return NULL;
diff --git a/providers/implementations/exchange/ecx_exch.c b/providers/implementations/exchange/ecx_exch.c
index 4840b8802f..2a7ea2b8e1 100644
--- a/providers/implementations/exchange/ecx_exch.c
+++ b/providers/implementations/exchange/ecx_exch.c
@@ -15,6 +15,7 @@
#include "internal/cryptlib.h"
#include "crypto/ecx.h"
#include "prov/implementations.h"
+#include "prov/providercommon.h"
#include "prov/providercommonerr.h"
#ifdef S390X_EC_ASM
# include "s390x_arch.h"
@@ -42,8 +43,12 @@ typedef struct {
static void *ecx_newctx(void *provctx, size_t keylen)
{
- PROV_ECX_CTX *ctx = OPENSSL_zalloc(sizeof(PROV_ECX_CTX));
+ PROV_ECX_CTX *ctx;
+ if (!ossl_prov_is_running())
+ return NULL;
+
+ ctx = OPENSSL_zalloc(sizeof(PROV_ECX_CTX));
if (ctx == NULL) {
ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
return NULL;
@@ -69,6 +74,9 @@ static int ecx_init(void *vecxctx, void *vkey)
PROV_ECX_CTX *ecxctx = (PROV_ECX_CTX *)vecxctx;
ECX_KEY *key = vkey;
+ if (!ossl_prov_is_running())
+ return 0;
+
if (ecxctx == NULL
|| key == NULL
|| key->keylen != ecxctx->keylen
@@ -88,6 +96,9 @@ static int ecx_set_peer(void *vecxctx, void *vkey)
PROV_ECX_CTX *ecxctx = (PROV_ECX_CTX *)vecxctx;
ECX_KEY *key = vkey;
+ if (!ossl_prov_is_running())
+ return 0;
+
if (ecxctx == NULL
|| key == NULL
|| key->keylen != ecxctx->keylen
@@ -106,6 +117,9 @@ static int ecx_derive(void *vecxctx, unsigned char *secret, size_t *secretlen,
{
PROV_ECX_CTX *ecxctx = (PROV_ECX_CTX *)vecxctx;
+ if (!ossl_prov_is_running())
+ return 0;
+
if (ecxctx->key == NULL
|| ecxctx->key->privkey == NULL
|| ecxctx->peerkey == NULL) {
@@ -179,6 +193,9 @@ static void *ecx_dupctx(void *vecxctx)
PROV_ECX_CTX *srcctx = (PROV_ECX_CTX *)vecxctx;
PROV_ECX_CTX *dstctx;
+ if (!ossl_prov_is_running())
+ return NULL;
+
dstctx = OPENSSL_zalloc(sizeof(*srcctx));
if (dstctx == NULL) {
ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
diff --git a/providers/implementations/exchange/kdf_exch.c b/providers/implementations/exchange/kdf_exch.c
index 80164e10c6..4d549e832d 100644
--- a/providers/implementations/exchange/kdf_exch.c
+++ b/providers/implementations/exchange/kdf_exch.c
@@ -15,6 +15,7 @@
#include "prov/implementations.h"
#include "prov/provider_ctx.h"
#include "prov/kdfexchange.h"
+#include "prov/providercommon.h"
static OSSL_FUNC_keyexch_newctx_fn kdf_tls1_prf_newctx;
static OSSL_FUNC_keyexch_newctx_fn kdf_hkdf_newctx;
@@ -36,9 +37,13 @@ typedef struct {
static void *kdf_newctx(const char *kdfname, void *provctx)
{
- PROV_KDF_CTX *kdfctx = OPENSSL_zalloc(sizeof(PROV_KDF_CTX));
+ PROV_KDF_CTX *kdfctx;
EVP_KDF *kdf = NULL;
+ if (!ossl_prov_is_running())
+ return NULL;
+
+ kdfctx = OPENSSL_zalloc(sizeof(PROV_KDF_CTX));
if (kdfctx == NULL)
return NULL;
@@ -73,7 +78,10 @@ static int kdf_init(void *vpkdfctx, void *vkdf)
{
PROV_KDF_CTX *pkdfctx = (PROV_KDF_CTX *)vpkdfctx;
- if (pkdfctx == NULL || vkdf == NULL || !kdf_data_up_ref(vkdf))
+ if (!ossl_prov_is_running()
+ || pkdfctx == NULL
+ || vkdf == NULL
+ || !kdf_data_up_ref(vkdf))
return 0;
pkdfctx->kdfdata = vkdf;
@@ -85,6 +93,8 @@ static int kdf_derive(void *vpkdfctx, unsigned char *secret, size_t *secretlen,
{
PROV_KDF_CTX *pkdfctx = (PROV_KDF_CTX *)vpkdfctx;
+ if (!ossl_prov_is_running())
+ return 0;
return EVP_KDF_derive(pkdfctx->kdfctx, secret, *secretlen);
}
@@ -103,6 +113,9 @@ static void *kdf_dupctx(void *vpkdfctx)
PROV_KDF_CTX *srcctx = (PROV_KDF_CTX *)vpkdfctx;
PROV_KDF_CTX *dstctx;
+ if (!ossl_prov_is_running())
+ return NULL;
+
dstctx = OPENSSL_zalloc(sizeof(*srcctx));
if (dstctx == NULL)
return NULL;
diff --git a/providers/implementations/include/prov/ciphercommon.h b/providers/implementations/include/prov/ciphercommon.h
index 90f6d39d39..3789f4c00d 100644
--- a/providers/implementations/include/prov/ciphercommon.h
+++ b/providers/implementations/include/prov/ciphercommon.h
@@ -181,7 +181,8 @@ static int alg##_##kbits##_##lcmode##_get_params(OSSL_PARAM params[]) \
static OSSL_FUNC_cipher_newctx_fn alg##_##kbits##_##lcmode##_newctx; \
static void * alg##_##kbits##_##lcmode##_newctx(void *provctx) \
{ \
- PROV_##UCALG##_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx)); \
+ PROV_##UCALG##_CTX *ctx = ossl_prov_is_running() ? OPENSSL_zalloc(sizeof(*ctx))\
+ : NULL; \
if (ctx != NULL) { \
cipher_generic_initkey(ctx, kbits, blkbits, ivbits, \
EVP_CIPH_##UCMODE##_MODE, flags, \
diff --git a/providers/implementations/include/prov/digestcommon.h b/providers/implementations/include/prov/digestcommon.h
index 7d3d5f1e23..8ca87f9e58 100644
--- a/providers/implementations/include/prov/digestcommon.h
+++ b/providers/implementations/include/prov/digestcommon.h
@@ -13,6 +13,7 @@
# include <openssl/core_dispatch.h>
# include <openssl/core_names.h>
# include <openssl/params.h>
+# include "prov/providercommon.h"
# ifdef __cplusplus
extern "C" {
@@ -37,7 +38,7 @@ static OSSL_FUNC_digest_freectx_fn name##_freectx;
static OSSL_FUNC_digest_dupctx_fn name##_dupctx; \
static void *name##_newctx(void *prov_ctx) \
{ \
- CTX *ctx = OPENSSL_zalloc(sizeof(*ctx)); \
+ CTX *ctx = ossl_prov_is_running() ? OPENSSL_zalloc(sizeof(*ctx)) : NULL; \
return ctx; \
} \
static void name##_freectx(void *vctx) \
@@ -48,16 +49,21 @@ static void name##_freectx(void *vctx) \
static void *name##_dupctx(void *ctx) \
{ \
CTX *in = (CTX *)ctx; \
- CTX *ret = OPENSSL_malloc(sizeof(*ret)); \
+ CTX *ret = ossl_prov_is_running() ? OPENSSL_malloc(sizeof(*ret)) : NULL; \
if (ret != NULL) \
*ret = *in; \
return ret; \
} \
-static OSSL_FUNC_digest_final_fn name##_internal_final; \
+static OSSL_FUNC_digest_init_fn name##_internal_init; \
+static int name##_internal_init(void *ctx) \
+{ \
+ return ossl_prov_is_running() ? init(ctx) : 0; \
+} \
+static OSSL_FUNC_digest_final_fn name##_internal_final; \
static int name##_internal_final(void *ctx, unsigned char *out, size_t *outl, \
size_t outsz) \
{ \
- if (outsz >= dgstsize && fin(out, ctx)) { \
+ if (ossl_prov_is_running() && outsz >= dgstsize && fin(out, ctx)) { \
*outl = dgstsize; \
return 1; \
} \
@@ -66,7 +72,7 @@ static int name##_internal_final(void *ctx, unsigned char *out, size_t *outl, \
PROV_FUNC_DIGEST_GET_PARAM(name, blksize, dgstsize, flags) \
const OSSL_DISPATCH name##_functions[] = { \
{ OSSL_FUNC_DIGEST_NEWCTX, (void (*)(void))name##_newctx }, \
- { OSSL_FUNC_DIGEST_INIT, (void (*)(void))init }, \
+ { OSSL_FUNC_DIGEST_INIT, (void (*)(void))name##_internal_init }, \
{ OSSL_FUNC_DIGEST_UPDATE, (void (*)(void))upd }, \
{ OSSL_FUNC_DIGEST_FINAL, (void (*)(void))name##_internal_final }, \
{ OSSL_FUNC_DIGEST_FREECTX, (void (*)(void))name##_freectx }, \
diff --git a/providers/implementations/kdfs/hkdf.c b/providers/implementations/kdfs/hkdf.c
index 32c0fdabef..987f1b28bf 100644
--- a/providers/implementations/kdfs/hkdf.c
+++ b/providers/implementations/kdfs/hkdf.c
@@ -24,6 +24,7 @@
#include "internal/numbers.h"
#include "crypto/evp.h"
#include "prov/provider_ctx.h"
+#include "prov/providercommon.h"
#include "prov/providercommonerr.h"
#include "prov/implementations.h"
#include "prov/provider_util.h"
@@ -70,6 +71,9 @@ static void *kdf_hkdf_new(void *provctx)
{
KDF_HKDF *ctx;
+ if (!ossl_prov_is_running())
+ return NULL;
+
if ((ctx = OPENSSL_zalloc(sizeof(*ctx))) == NULL)
ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
else
@@ -122,8 +126,12 @@ static size_t kdf_hkdf_size(KDF_HKDF *ctx)
static int kdf_hkdf_derive(void *vctx, unsigned char *key, size_t keylen)
{
KDF_HKDF *ctx = (KDF_HKDF *)vctx;
- const EVP_MD *md = ossl_prov_digest_md(&ctx->digest);
+ const EVP_MD *md;
+
+ if (!ossl_prov_is_running())
+ return 0;
+ md = ossl_prov_digest_md(&ctx->digest);
if (md == NULL) {
ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST);
return 0;
diff --git a/providers/implementations/kdfs/kbkdf.c b/providers/implementations/kdfs/kbkdf.c
index f3122ac1bd..c8b5cdf8c6 100644
--- a/providers/implementations/kdfs/kbkdf.c
+++ b/providers/implementations/kdfs/kbkdf.c
@@ -41,6 +41,7 @@
#include "prov/implementations.h"
#include "prov/provider_ctx.h"
#include "prov/provider_util.h"
+#include "prov/providercommon.h"
#include "prov/providercommonerr.h"
#include "e_os.h"
@@ -99,6 +100,9 @@ static void *kbkdf_new(void *provctx)
{
KBKDF *ctx;
+ if (!ossl_prov_is_running())
+ return NULL;
+
ctx = OPENSSL_zalloc(sizeof(*ctx));
if (ctx == NULL) {
ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
@@ -192,6 +196,9 @@ static int kbkdf_derive(void *vctx, unsigned char *key, size_t keylen)
uint32_t l = be32(keylen * 8);
size_t h = 0;
+ if (!ossl_prov_is_running())
+ return 0;
+
/* label, context, and iv are permitted to be empty. Check everything
* else. */
if (ctx->ctx_init == NULL) {
diff --git a/providers/implementations/kdfs/krb5kdf.c b/providers/implementations/kdfs/krb5kdf.c
index 9a4cf57bc2..0492b09ccc 100644
--- a/providers/implementations/kdfs/krb5kdf.c
+++ b/providers/implementations/kdfs/krb5kdf.c
@@ -28,6 +28,7 @@
#include "prov/implementations.h"
#include "prov/provider_ctx.h"
#include "prov/provider_util.h"
+#include "prov/providercommon.h"
#include "prov/providercommonerr.h"
/* KRB5 KDF defined in RFC 3961, Section 5.1 */
@@ -59,6 +60,9 @@ static void *krb5kdf_new(void *provctx)
{
KRB5KDF_CTX *ctx;
+ if (!ossl_prov_is_running())
+ return NULL;
+
if ((ctx = OPENSSL_zalloc(sizeof(*ctx))) == NULL)
ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
ctx->provctx = provctx;
@@ -99,9 +103,13 @@ static int krb5kdf_derive(void *vctx, unsigned char *key,
size_t keylen)
{
KRB5KDF_CTX *ctx = (KRB5KDF_CTX *)vctx;
- const EVP_CIPHER *cipher = ossl_prov_cipher_cipher(&ctx->cipher);
- ENGINE *engine = ossl_prov_cipher_engine(&ctx->cipher);
+ const EVP_CIPHER *cipher;
+ ENGINE *engine;
+ if (!ossl_prov_is_running())
+ return 0;
+
+ cipher = ossl_prov_cipher_cipher(&ctx->cipher);
if (cipher == NULL) {
ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CIPHER);
return 0;
@@ -114,6 +122,7 @@ static int krb5kdf_derive(void *vctx, unsigned char *key,
ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CONSTANT);
return 0;
}
+ engine = ossl_prov_cipher_engine(&ctx->cipher);
return KRB5KDF(cipher, engine, ctx->key, ctx->key_len,
ctx->constant, ctx->constant_len,
key, keylen);
diff --git a/providers/implementations/kdfs/pbkdf2.c b/providers/implementations/kdfs/pbkdf2.c
index a71758169a..46c10fa698 100644
--- a/providers/implementations/kdfs/pbkdf2.c
+++ b/providers/implementations/kdfs/pbkdf2.c
@@ -24,6 +24,7 @@
#include "internal/numbers.h"
#include "crypto/evp.h"
#include "prov/provider_ctx.h"
+#include "prov/providercommon.h"
#include "prov/providercommonerr.h"
#include "prov/implementations.h"
#include "prov/provider_util.h"
@@ -66,6 +67,9 @@ static void *kdf_pbkdf2_new(void *provctx)
{
KDF_PBKDF2 *ctx;
+ if (!ossl_prov_is_running())
+ return NULL;
+
ctx = OPENSSL_zalloc(sizeof(*ctx));
if (ctx == NULL) {
ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
@@ -139,7 +143,10 @@ static int kdf_pbkdf2_derive(void *vctx, unsigned char *key,
size_t keylen)
{
KDF_PBKDF2 *ctx = (KDF_PBKDF2 *)vctx;
- const EVP_MD *md = ossl_prov_digest_md(&ctx->digest);
+ const EVP_MD *md;
+
+ if (!ossl_prov_is_running())
+ return 0;
if (ctx->pass == NULL) {
ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_PASS);
@@ -151,6 +158,7 @@ static int kdf_pbkdf2_derive(void *vctx, unsigned char *key,
return 0;
}
+ md = ossl_prov_digest_md(&ctx->digest);
return pbkdf2_derive((char *)ctx->pass, ctx->pass_len,
ctx->salt, ctx->salt_len, ctx->iter,
md, key, keylen, ctx->lower_bound_checks);
diff --git a/providers/implementations/kdfs/pkcs12kdf.c b/providers/implementations/kdfs/pkcs12kdf.c
index 2cebc2d240..52b8305261 100644
--- a/providers/implementations/kdfs/pkcs12kdf.c
+++ b/providers/implementations/kdfs/pkcs12kdf.c
@@ -18,6 +18,7 @@
#include "internal/numbers.h"
#include "crypto/evp.h"
#include "prov/provider_ctx.h"
+#include "prov/providercommon.h"
#include "prov/providercommonerr.h"
#include "prov/implementations.h"
#include "prov/provider_util.h"
@@ -138,6 +139,9 @@ static void *kdf_pkcs12_new(void *provctx)
{
KDF_PKCS12 *ctx;
+ if (!ossl_prov_is_running())
+ return NULL;
+
ctx = OPENSSL_zalloc(sizeof(*ctx));
if (ctx == NULL) {
ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
@@ -195,7 +199,10 @@ static int kdf_pkcs12_derive(void *vctx, unsigned char *key,
size_t keylen)
{
KDF_PKCS12 *ctx = (KDF_PKCS12 *)vctx;
- const EVP_MD *md = ossl_prov_digest_md(&ctx->digest);
+ const EVP_MD *md;
+
+ if (!ossl_prov_is_running())
+ return 0;
if (ctx->pass == NULL) {
ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_PASS);
@@ -207,6 +214,7 @@ static int kdf_pkcs12_derive(void *vctx, unsigned char *key,
return 0;
}
+ md = ossl_prov_digest_md(&ctx->digest);
return pkcs12kdf_derive(ctx->pass, ctx->pass_len, ctx->salt, ctx->salt_len,
ctx->id, ctx->iter, md, key, keylen);
}
diff --git a/providers/implementations/kdfs/scrypt.c b/providers/implementations/kdfs/scrypt.c
index 76b0a58e1f..f412f1f8db 100644
--- a/providers/implementations/kdfs/scrypt.c
+++ b/providers/implementations/kdfs/scrypt.c
@@ -18,6 +18,7 @@
#include "internal/numbers.h"
#include "prov/implementations.h"
#include "prov/provider_ctx.h"
+#include "prov/providercommon.h"
#include "prov/providercommonerr.h"
#include "prov/implementations.h"
@@ -56,6 +57,9 @@ static void *kdf_scrypt_new(void *provctx)
{
KDF_SCRYPT *ctx;
+ if (!ossl_prov_is_running())
+ return NULL;
+
ctx = OPENSSL_zalloc(sizeof(*ctx));
if (ctx == NULL) {
ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
@@ -127,6 +131,9 @@ static int kdf_scrypt_derive(void *vctx, unsigned char *key,
{
KDF_SCRYPT *ctx = (KDF_SCRYPT *)vctx;
+ if (!ossl_prov_is_running())
+ return 0;
+
if (ctx->pass == NULL) {
ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_PASS);
return 0;
diff --git a/providers/implementations/kdfs/sshkdf.c b/providers/implementations/kdfs/sshkdf.c
index 84338e1a1f..aa3b6030b9 100644
--- a/providers/implementations/kdfs/sshkdf.c
+++ b/providers/implementations/kdfs/sshkdf.c
@@ -17,9 +17,10 @@
#include "internal/numbers.h"
#include "crypto/evp.h"
#include "prov/provider_ctx.h"
+#include "prov/providercommon.h"
#include "prov/providercommonerr.h"
#include "prov/implementations.h"
-# include "prov/provider_util.h"
+#include "prov/provider_util.h"
/* See RFC 4253, Section 7.2 */
static OSSL_FUNC_kdf_newctx_fn kdf_sshkdf_new;
@@ -53,6 +54,9 @@ static void *kdf_sshkdf_new(void *provctx)
{
KDF_SSHKDF *ctx;
+ if (!ossl_prov_is_running())
+ return NULL;
+
if ((ctx = OPENSSL_zalloc(sizeof(*ctx))) == NULL)
ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
ctx->provctx = provctx;
@@ -94,8 +98,12 @@ static int kdf_sshkdf_derive(void *vctx, unsigned char *key,
size_t keylen)
{
KDF_SSHKDF *ctx = (KDF_SSHKDF *)vctx;
- const EVP_MD *md = ossl_prov_digest_md(&ctx->digest);
+ const EVP_MD *md;
+
+ if (!ossl_prov_is_running())
+ return 0;
+ md = ossl_prov_digest_md(&ctx->digest);
if (md == NULL) {
ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST);
return 0;
diff --git a/providers/implementations/kdfs/sskdf.c b/providers/implementations/kdfs/sskdf.c
index bad372cc5e..22c65d26ba 100644
--- a/providers/implementations/kdfs/sskdf.c
+++ b/providers/implementations/kdfs/sskdf.c
@@ -46,6 +46,7 @@
#include "internal/numbers.h"
#include "crypto/evp.h"
#include "prov/provider_ctx.h"
+#include "prov/providercommon.h"
#include "prov/providercommonerr.h"
#include "prov/implementations.h"
#include "prov/provider_util.h"
@@ -293,6 +294,9 @@ static void *sskdf_new(void *provctx)
{
KDF_SSKDF *ctx;
+ if (!ossl_prov_is_running())
+ return NULL;
+
if ((ctx = OPENSSL_zalloc(sizeof(*ctx))) == NULL)
ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
ctx->provctx = provctx;
@@ -349,12 +353,15 @@ static size_t sskdf_size(KDF_SSKDF *ctx)
static int sskdf_derive(void *vctx, unsigned char *key, size_t keylen)
{
KDF_SSKDF *ctx = (KDF_SSKDF *)vctx;
- const EVP_MD *md = ossl_prov_digest_md(&ctx->digest);
+ const EVP_MD *md;
+ if (!ossl_prov_is_running())
+ return 0;
if (ctx->secret == NULL) {
ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_SECRET);
return 0;
}
+ md = ossl_prov_digest_md(&ctx->digest);
if (ctx->macctx != NULL) {
/* H(x) = KMAC or H(x) = HMAC */
@@ -420,7 +427,10 @@ static int sskdf_derive(void *vctx, unsigned char *key, size_t keylen)
static int x963kdf_derive(void *vctx, unsigned char *key, size_t keylen)
{
KDF_SSKDF *ctx = (KDF_SSKDF *)vctx;
- const EVP_MD *md = ossl_prov_digest_md(&ctx->digest);
+ const EVP_MD *md;
+
+ if (!ossl_prov_is_running())
+ return 0;
if (ctx->secret == NULL) {
ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_SECRET);
@@ -433,6 +443,7 @@ static int x963kdf_derive(void *vctx, unsigned char *key, size_t keylen)
}
/* H(x) = hash */
+ md = ossl_prov_digest_md(&ctx->digest);
if (md == NULL) {
ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST);
return 0;
diff --git a/providers/implementations/kdfs/tls1_prf.c b/providers/implementations/kdfs/tls1_prf.c
index 191041db5b..ca6c605351 100644
--- a/providers/implementations/kdfs/tls1_prf.c
+++ b/providers/implementations/kdfs/tls1_prf.c
@@ -56,6 +56,7 @@
#include "internal/numbers.h"
#include "crypto/evp.h"
#include "prov/provider_ctx.h"
+#include "prov/providercommon.h"
#include "prov/providercommonerr.h"
#include "prov/implementations.h"
#include "prov/provider_util.h"
@@ -98,6 +99,9 @@ static void *kdf_tls1_prf_new(void *provctx)
{
TLS1_PRF *ctx;
+ if (!ossl_prov_is_running())
+ return NULL;
+
if ((ctx = OPENSSL_zalloc(sizeof(*ctx))) == NULL)
ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
ctx->provctx = provctx;
@@ -132,6 +136,9 @@ static int kdf_tls1_prf_derive(void *vctx, unsigned char *key,
{
TLS1_PRF *ctx = (TLS1_PRF *)vctx;
+ if (!ossl_prov_is_running())
+ return 0;
+
if (ctx->P_hash == NULL) {
ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST);
return 0;
diff --git a/providers/implementations/kdfs/x942kdf.c b/providers/implementations/kdfs/x942kdf.c
index d1a1ee443c..9dfa8693de 100644
--- a/providers/implementations/kdfs/x942kdf.c
+++ b/providers/implementations/kdfs/x942kdf.c
@@ -17,6 +17,7 @@
#include "internal/packet.h"
#include "internal/der.h"
#include "prov/provider_ctx.h"
+#include "prov/providercommon.h"
#include "prov/providercommonerr.h"
#include "prov/implementations.h"
#include "prov/provider_util.h"
@@ -276,6 +277,9 @@ static void *x942kdf_new(void *provctx)
{
KDF_X942 *ctx;
+ if (!ossl_prov_is_running())
+ return 0;
+
if ((ctx = OPENSSL_zalloc(sizeof(*ctx))) == NULL)
ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
ctx->provctx = provctx;
@@ -331,16 +335,20 @@ static size_t x942kdf_size(KDF_X942 *ctx)
static int x942kdf_derive(void *vctx, unsigned char *key, size_t keylen)
{
KDF_X942 *ctx = (KDF_X942 *)vctx;
- const EVP_MD *md = ossl_prov_digest_md(&ctx->digest);
+ const EVP_MD *md;
int ret = 0;
unsigned char *ctr;
unsigned char *der = NULL;
size_t der_len = 0;
+ if (!ossl_prov_is_running())
+ return 0;
+
if (ctx->secret == NULL) {
ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_SECRET);
return 0;
}
+ md = ossl_prov_digest_md(&ctx->digest);
if (md == NULL) {
ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST);
return 0;
diff --git a/providers/implementations/keymgmt/dh_kmgmt.c b/providers/implementations/keymgmt/dh_kmgmt.c
index 002cdec1f9..b198f117d1 100644
--- a/providers/implementations/keymgmt/dh_kmgmt.c
+++ b/providers/implementations/keymgmt/dh_kmgmt.c
@@ -135,10 +135,12 @@ static void *dh_newdata(void *provctx)
{
DH *dh = NULL;
- dh = dh_new_with_libctx(PROV_LIBRARY_CONTEXT_OF(provctx));
- if (dh != NULL) {
- DH_clear_flags(dh, DH_FLAG_TYPE_MASK);
- DH_set_flags(dh, DH_FLAG_TYPE_DH);
+ if (ossl_prov_is_running()) {
+ dh = dh_new_with_libctx(PROV_LIBRARY_CONTEXT_OF(provctx));
+ if (dh != NULL) {
+ DH_clear_flags(dh, DH_FLAG_TYPE_MASK);
+ DH_set_flags(dh, DH_FLAG_TYPE_DH);
+ }
}
return dh;
}
@@ -165,7 +167,7 @@ static int dh_has(void *keydata, int selection)
DH *dh = keydata;
int ok = 0;
- if (dh != NULL) {
+ if (ossl_prov_is_running() && dh != NULL) {
if ((selection & DH_POSSIBLE_SELECTIONS) != 0)
ok = 1;
@@ -185,6 +187,9 @@ static int dh_match(const void *keydata1, const void *keydata2, int selection)
const DH *dh2 = keydata2;
int ok = 1;
+ if (!ossl_prov_is_running())
+ return 0;
+
if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0)
ok = ok && BN_cmp(DH_get0_pub_key(dh1), DH_get0_pub_key(dh2)) == 0;
if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0)
@@ -203,7 +208,7 @@ static int dh_import(void *keydata, int selection, const OSSL_PARAM params[])
DH *dh = keydata;
int ok = 1;
- if (dh == NULL)
+ if (!ossl_prov_is_running() || dh == NULL)
return 0;
if ((selection & DH_POSSIBLE_SELECTIONS) == 0)
@@ -226,7 +231,7 @@ static int dh_export(void *keydata, int selection, OSSL_CALLBACK *param_cb,
OSSL_PARAM *params = NULL;
int ok = 1;
- if (dh == NULL)
+ if (!ossl_prov_is_running() || dh == NULL)
return 0;
tmpl = OSSL_PARAM_BLD_new();
@@ -402,6 +407,9 @@ static int dh_validate(void *keydata, int selection)
DH *dh = keydata;
int ok = 0;
+ if (!ossl_prov_is_running())
+ return 0;
+
if ((selection & DH_POSSIBLE_SELECTIONS) != 0)
ok = 1;
@@ -425,6 +433,9 @@ static void *dh_gen_init_base(void *provctx, int selection, int type)
OPENSSL_CTX *libctx = PROV_LIBRARY_CONTEXT_OF(provctx);
struct dh_gen_ctx *gctx = NULL;
+ if (!ossl_prov_is_running())
+ return NULL;
+
if ((selection & (OSSL_KEYMGMT_SELECT_KEYPAIR
| OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS)) == 0)
return NULL;
@@ -460,7 +471,7 @@ static int dh_gen_set_template(void *genctx, void *templ)
struct dh_gen_ctx *gctx = genctx;
DH *dh = templ;
- if (gctx == NULL || dh == NULL)
+ if (!ossl_prov_is_running() || gctx == NULL || dh == NULL)
return 0;
gctx->ffc_params = dh_get0_params(dh);
return 1;
@@ -587,7 +598,7 @@ static void *dh_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg)
BN_GENCB *gencb = NULL;
FFC_PARAMS *ffc;
- if (gctx == NULL)
+ if (!ossl_prov_is_running() || gctx == NULL)
return NULL;
/* For parameter generation - If there is a group name just create it */
@@ -686,7 +697,7 @@ void *dh_load(const void *reference, size_t reference_sz)
{
DH *dh = NULL;
- if (reference_sz == sizeof(dh)) {
+ if (ossl_prov_is_running() && reference_sz == sizeof(dh)) {
/* The contents of the reference is the address to our object */
dh = *(DH **)reference;
/* We grabbed, so we detach it */
diff --git a/providers/implementations/keymgmt/dsa_kmgmt.c b/providers/implementations/keymgmt/dsa_kmgmt.c
index 855fa18c38..8e63d1380d 100644
--- a/providers/implementations/keymgmt/dsa_kmgmt.c
+++ b/providers/implementations/keymgmt/dsa_kmgmt.c
@@ -111,6 +111,8 @@ static int dsa_key_todata(DSA *dsa, OSSL_PARAM_BLD *bld, OSSL_PARAM params[])
static void *dsa_newdata(void *provctx)
{
+ if (!ossl_prov_is_running())
+ return NULL;
return dsa_new_with_ctx(PROV_LIBRARY_CONTEXT_OF(provctx));
}
@@ -124,7 +126,7 @@ static int dsa_has(void *keydata, int selection)
DSA *dsa = keydata;
int ok = 0;
- if (dsa != NULL) {
+ if (ossl_prov_is_running() && dsa != NULL) {
if ((selection & DSA_POSSIBLE_SELECTIONS) != 0)
ok = 1;
@@ -144,6 +146,9 @@ static int dsa_match(const void *keydata1, const void *keydata2, int selection)
const DSA *dsa2 = keydata2;
int ok = 1;
+ if (!ossl_prov_is_running())
+ return 0;
+
if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0)
ok = ok
&& BN_cmp(DSA_get0_pub_key(dsa1), DSA_get0_pub_key(dsa2)) == 0;
@@ -164,7 +169,7 @@ static int dsa_import(void *keydata, int selection, const OSSL_PARAM params[])
DSA *dsa = keydata;
int ok = 1;
- if (dsa == NULL)
+ if (!ossl_prov_is_running() || dsa == NULL)
return 0;
if ((selection & DSA_POSSIBLE_SELECTIONS) == 0)
@@ -186,7 +191,7 @@ static int dsa_export(void *keydata, int selection, OSSL_CALLBACK *param_cb,
OSSL_PARAM *params = NULL;
int ok = 1;
- if (dsa == NULL)
+ if (!ossl_prov_is_running() || dsa == NULL)
goto err;
if ((selection & OSSL_KEYMGMT_SELECT_ALL_PARAMETERS) != 0)
@@ -334,6 +339,9 @@ static int dsa_validate(void *keydata, int selection)
DSA *dsa = keydata;
int ok = 0;
+ if (!ossl_prov_is_running())
+ return 0;
+
if ((selection & DSA_POSSIBLE_SELECTIONS) != 0)
ok = 1;
@@ -358,7 +366,7 @@ static void *dsa_gen_init(void *provctx, int selection)
OPENSSL_CTX *libctx = PROV_LIBRARY_CONTEXT_OF(provctx);
struct dsa_gen_ctx *gctx = NULL;
- if ((selection & DSA_POSSIBLE_SELECTIONS) == 0)
+ if (!ossl_prov_is_running() || (selection & DSA_POSSIBLE_SELECTIONS) == 0)
return NULL;
if ((gctx = OPENSSL_zalloc(sizeof(*gctx))) != NULL) {
@@ -379,7 +387,7 @@ static int dsa_gen_set_template(void *genctx, void *templ)
struct dsa_gen_ctx *gctx = genctx;
DSA *dsa = templ;
- if (gctx == NULL || dsa == NULL)
+ if (!ossl_prov_is_running() || gctx == NULL || dsa == NULL)
return 0;
gctx->ffc_params = dsa_get0_params(dsa);
return 1;
@@ -490,7 +498,7 @@ static void *dsa_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg)
int ret = 0;
FFC_PARAMS *ffc;
- if (gctx == NULL)
+ if (!ossl_prov_is_running() || gctx == NULL)
return NULL;
dsa = dsa_new_with_ctx(gctx->libctx);
if (dsa == NULL)
@@ -564,7 +572,7 @@ void *dsa_load(const void *reference, size_t reference_sz)
{
DSA *dsa = NULL;
- if (reference_sz == sizeof(dsa)) {
+ if (ossl_prov_is_running() && reference_sz == sizeof(dsa)) {
/* The contents of the reference is the address to our object */
dsa = *(DSA **)reference;
/* We grabbed, so we detach it */
diff --git a/providers/implementations/keymgmt/ec_kmgmt.c b/providers/implementations/keymgmt/ec_kmgmt.c
index 9c2e627e37..6e493caa3b 100644
--- a/providers/implementations/keymgmt/ec_kmgmt.c
+++ b/providers/implementations/keymgmt/ec_kmgmt.c
@@ -212,6 +212,8 @@ int otherparams_to_params(const EC_KEY *ec, OSSL_PARAM_BLD *tmpl,
static
void *ec_newdata(void *provctx)
{
+ if (!ossl_prov_is_running())
+ return NULL;
return EC_KEY_new_with_libctx(PROV_LIBRARY_CONTEXT_OF(provctx), NULL);
}
@@ -227,7 +229,7 @@ int ec_has(void *keydata, int selection)
EC_KEY *ec = keydata;
int ok = 0;
- if (ec != NULL) {
+ if (ossl_prov_is_running() && ec != NULL) {
if ((selection & EC_POSSIBLE_SELECTIONS) != 0)
ok = 1;
@@ -255,6 +257,9 @@ static int ec_match(const void *keydata1, const void *keydata2, int selection)
BN_CTX *ctx = BN_CTX_new_ex(ec_key_get_libctx(ec1));
int ok = 1;
+ if (!ossl_prov_is_running())
+ return 0;
+
if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0)
ok = ok && group_a != NULL && group_b != NULL
&& EC_GROUP_cmp(group_a, group_b, ctx) == 0;
@@ -280,7 +285,7 @@ int ec_import(void *keydata, int selection, const OSSL_PARAM params[])
EC_KEY *ec = keydata;
int ok = 1;
- if (ec == NULL)
+ if (!ossl_prov_is_running() || ec == NULL)
return 0;
/*
@@ -327,7 +332,7 @@ int ec_export(void *keydata, int selection, OSSL_CALLBACK *param_cb,
BN_CTX *bnctx = NULL;
int ok = 1;
- if (ec == NULL)
+ if (!ossl_prov_is_running() || ec == NULL)
return 0;
/*
@@ -681,7 +686,7 @@ int ec_validate(void *keydata, int selection)
int ok = 0;
BN_CTX *ctx = BN_CTX_new_ex(ec_key_get_libctx(eck));
- if (ctx == NULL)
+ if (!ossl_prov_is_running() || ctx == NULL)
return 0;
if ((selection & EC_POSSIBLE_SELECTIONS) != 0)
@@ -721,7 +726,7 @@ static void *ec_gen_init(void *provctx, int selection)
OPENSSL_CTX *libctx = PROV_LIBRARY_CONTEXT_OF(provctx);
struct ec_gen_ctx *gctx = NULL;
- if ((selection & (EC_POSSIBLE_SELECTIONS)) == 0)
+ if (!ossl_prov_is_running() || (selection & (EC_POSSIBLE_SELECTIONS)) == 0)
return NULL;
if ((gctx = OPENSSL_zalloc(sizeof(*gctx))) != NULL) {
@@ -753,7 +758,7 @@ static int ec_gen_set_template(void *genctx, void *templ)
EC_KEY *ec = templ;
const EC_GROUP *ec_group;
- if (gctx == NULL || ec == NULL)
+ if (!ossl_prov_is_running() || gctx == NULL || ec == NULL)
return 0;
if ((ec_group = EC_KEY_get0_group(ec)) == NULL)
return 0;
@@ -935,7 +940,8 @@ static void *ec_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg)
EC_KEY *ec = NULL;
int ret = 0;
- if (gctx == NULL
+ if (!ossl_prov_is_running()
+ || gctx == NULL
|| (ec = EC_KEY_new_with_libctx(gctx->libctx, NULL)) == NULL)
return NULL;
@@ -994,7 +1000,7 @@ void *ec_load(const void *reference, size_t reference_sz)
{
EC_KEY *ec = NULL;
- if (reference_sz == sizeof(ec)) {
+ if (ossl_prov_is_running() && reference_sz == sizeof(ec)) {
/* The contents of the reference is the address to our object */
ec = *(EC_KEY **)reference;
/* We grabbed, so we detach it */
diff --git a/providers/implementations/keymgmt/ecx_kmgmt.c b/providers/implementations/keymgmt/ecx_kmgmt.c
index fff50ef0bf..6e1a2c91c8 100644
--- a/providers/implementations/keymgmt/ecx_kmgmt.c
+++ b/providers/implementations/keymgmt/ecx_kmgmt.c
@@ -82,21 +82,29 @@ static void *s390x_ecd_keygen448(struct ecx_gen_ctx *gctx);
static void *x25519_new_key(void *provctx)
{
+ if (!ossl_prov_is_running())
+ return 0;
return ecx_key_new(PROV_LIBRARY_CONTEXT_OF(provctx), ECX_KEY_TYPE_X25519, 0);
}
static void *x448_new_key(void *provctx)
{
+ if (!ossl_prov_is_running())
+ return 0;
return ecx_key_new(PROV_LIBRARY_CONTEXT_OF(provctx), ECX_KEY_TYPE_X448, 0);
}
static void *ed25519_new_key(void *provctx)
{
+ if (!ossl_prov_is_running())
+ return 0;
return ecx_key_new(PROV_LIBRARY_CONTEXT_OF(provctx), ECX_KEY_TYPE_ED25519, 0);
}
static void *ed448_new_key(void *provctx)
{
+ if (!ossl_prov_is_running())
+ return 0;
return ecx_key_new(PROV_LIBRARY_CONTEXT_OF(provctx), ECX_KEY_TYPE_ED448, 0);
}
@@ -105,7 +113,7 @@ static int ecx_has(void *keydata, int selection)
ECX_KEY *key = keydata;
int ok = 0;
- if (key != NULL) {
+ if (ossl_prov_is_running() && key != NULL) {
/*
* ECX keys always have all the parameters they need (i.e. none).
* Therefore we always return with 1, if asked about parameters.
@@ -127,6 +135,9 @@ static int ecx_match(const void *keydata1, const void *keydata2, int selection)
const ECX_KEY *key2 = keydata2;
int ok = 1;
+ if (!ossl_prov_is_running())
+ return 0;
+
if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0)
ok = ok && key1->type == key2->type;
if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) {
@@ -157,7 +168,7 @@ static int ecx_import(void *keydata, int selection, const OSSL_PARAM params[])
int ok = 1;
int include_private = 0;
- if (key == NULL)
+ if (!ossl_prov_is_running() || key == NULL)
return 0;
if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) == 0)
@@ -197,7 +208,7 @@ static int ecx_export(void *keydata, int selection, OSSL_CALLBACK *param_cb,
OSSL_PARAM *params = NULL;
int ret = 0;
- if (key == NULL)
+ if (!ossl_prov_is_running() || key == NULL)
return 0;
tmpl = OSSL_PARAM_BLD_new();
@@ -409,6 +420,9 @@ static void *ecx_gen_init(void *provctx, int selection, ECX_KEY_TYPE type)
OPENSSL_CTX *libctx = PROV_LIBRARY_CONTEXT_OF(provctx);
struct ecx_gen_ctx *gctx = NULL;
+ if (!ossl_prov_is_running())
+ return NULL;
+
if ((gctx = OPENSSL_malloc(sizeof(*gctx))) != NULL) {
gctx->libctx = libctx;
gctx->type = type;
@@ -539,6 +553,9 @@ static void *x25519_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg)
{
struct ecx_gen_ctx *gctx = genctx;
+ if (!ossl_prov_is_running())
+ return 0;
+
#ifdef S390X_EC_ASM
if (OPENSSL_s390xcap_P.pcc[1] & S390X_CAPBIT(S390X_SCALAR_MULTIPLY_X25519))
return s390x_ecx_keygen25519(gctx);
@@ -550,6 +567,9 @@ static void *x448_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg)
{
struct ecx_gen_ctx *gctx = genctx;
+ if (!ossl_prov_is_running())
+ return 0;
+
#ifdef S390X_EC_ASM
if (OPENSSL_s390xcap_P.pcc[1] & S390X_CAPBIT(S390X_SCALAR_MULTIPLY_X448))
return s390x_ecx_keygen448(gctx);
@@ -560,6 +580,10 @@ static void *x448_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg)
static void *ed25519_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg)
{
struct ecx_gen_ctx *gctx = genctx;
+
+ if (!ossl_prov_is_running())
+ return 0;
+
#ifdef S390X_EC_ASM
if (OPENSSL_s390xcap_P.pcc[1] & S390X_CAPBIT(S390X_SCALAR_MULTIPLY_ED25519)
&& OPENSSL_s390xcap_P.kdsa[0] & S390X_CAPBIT(S390X_EDDSA_SIGN_ED25519)
@@ -574,6 +598,9 @@ static void *ed448_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg)
{
struct ecx_gen_ctx *gctx = genctx;
+ if (!ossl_prov_is_running())
+ return 0;
+
#ifdef S390X_EC_ASM
if (OPENSSL_s390xcap_P.pcc[1] & S390X_CAPBIT(S390X_SCALAR_MULTIPLY_ED448)
&& OPENSSL_s390xcap_P.kdsa[0] & S390X_CAPBIT(S390X_EDDSA_SIGN_ED448)
@@ -594,7 +621,7 @@ void *ecx_load(const void *reference, size_t reference_sz)
{
ECX_KEY *key = NULL;
- if (reference_sz == sizeof(key)) {
+ if (ossl_prov_is_running() && reference_sz == sizeof(key)) {
/* The contents of the reference is the address to our object */
key = *(ECX_KEY **)reference;
/* We grabbed, so we detach it */
diff --git a/providers/implementations/keymgmt/kdf_legacy_kmgmt.c b/providers/implementations/keymgmt/kdf_legacy_kmgmt.c
index 33cf87e350..f721184ab4 100644
--- a/providers/implementations/keymgmt/kdf_legacy_kmgmt.c
+++ b/providers/implementations/keymgmt/kdf_legacy_kmgmt.c
@@ -28,8 +28,12 @@ static OSSL_FUNC_keymgmt_has_fn kdf_has;
KDF_DATA *kdf_data_new(void *provctx)
{
- KDF_DATA *kdfdata = OPENSSL_zalloc(sizeof(*kdfdata));
+ KDF_DATA *kdfdata;
+ if (!ossl_prov_is_running())
+ return NULL;
+
+ kdfdata = OPENSSL_zalloc(sizeof(*kdfdata));
if (kdfdata == NULL)
return NULL;
@@ -63,6 +67,16 @@ int kdf_data_up_ref(KDF_DATA *kdfdata)
{
int ref = 0;
+ /* This is effectively doing a new operation on the KDF_DATA and should be
+ * adequately guarded again modules' error states. However, both current
+ * calls here are guarded propery in exchange/kdf_exch.c. Thus, it
+ * could be removed here. The concern is that something in the future
+ * might call this function without adequate guards. It's a cheap call,
+ * it seems best to leave it even though it is currently redundant.
+ */
+ if (!ossl_prov_is_running())
+ return 0;
+
CRYPTO_UP_REF(&kdfdata->refcnt, &ref, kdfdata->lock);
return 1;
}
diff --git a/providers/implementations/keymgmt/mac_legacy_kmgmt.c b/providers/implementations/keymgmt/mac_legacy_kmgmt.c
index dd18eecf12..a0ae3add90 100644
--- a/providers/implementations/keymgmt/mac_legacy_kmgmt.c
+++ b/providers/implementations/keymgmt/mac_legacy_kmgmt.c
@@ -29,6 +29,8 @@ static OSSL_FUNC_keymgmt_free_fn mac_free;
static OSSL_FUNC_keymgmt_gen_init_fn mac_gen_init;
static OSSL_FUNC_keymgmt_gen_fn mac_gen;
static OSSL_FUNC_keymgmt_gen_cleanup_fn mac_gen_cleanup;
+static OSSL_FUNC_keymgmt_gen_set_params_fn mac_gen_set_params;
+static OSSL_FUNC_keymgmt_gen_settable_params_fn mac_gen_settable_params;
static OSSL_FUNC_keymgmt_get_params_fn mac_get_params;
static OSSL_FUNC_keymgmt_gettable_params_fn mac_gettable_params;
static OSSL_FUNC_keymgmt_set_params_fn mac_set_params;
@@ -40,6 +42,13 @@ static OSSL_FUNC_keymgmt_import_types_fn mac_imexport_types;
static OSSL_FUNC_keymgmt_export_fn mac_export;
static OSSL_FUNC_keymgmt_export_types_fn mac_imexport_types;
+static OSSL_FUNC_keymgmt_new_fn mac_new_cmac;
+static OSSL_FUNC_keymgmt_gettable_params_fn cmac_gettable_params;
+static OSSL_FUNC_keymgmt_import_types_fn cmac_imexport_types;
+static OSSL_FUNC_keymgmt_export_types_fn cmac_imexport_types;
+static OSSL_FUNC_keymgmt_gen_set_params_fn cmac_gen_set_params;
+static OSSL_FUNC_keymgmt_gen_settable_params_fn cmac_gen_settable_params;
+
struct mac_gen_ctx {
OPENSSL_CTX *libctx;
int selection;
@@ -50,8 +59,12 @@ struct mac_gen_ctx {
MAC_KEY *mac_key_new(OPENSSL_CTX *libctx, int cmac)
{
- MAC_KEY *mackey = OPENSSL_zalloc(sizeof(*mackey));
+ MAC_KEY *mackey;
+
+ if (!ossl_prov_is_running())
+ return NULL;
+ mackey = OPENSSL_zalloc(sizeof(*mackey));
if (mackey == NULL)
return NULL;
@@ -89,6 +102,16 @@ int mac_key_up_ref(MAC_KEY *mackey)
{
int ref = 0;
+ /* This is effectively doing a new operation on the MAC_KEY and should be
+ * adequately guarded again modules' error states. However, both current
+ * calls here are guarded propery in signature/mac_legacy.c. Thus, it
+ * could be removed here. The concern is that something in the future
+ * might call this function without adequate guards. It's a cheap call,
+ * it seems best to leave it even though it is currently redundant.
+ */
+ if (!ossl_prov_is_running())
+ return 0;
+
CRYPTO_UP_REF(&mackey->refcnt, &ref, mackey->lock);
return 1;
}
@@ -113,7 +136,7 @@ static int mac_has(void *keydata, int selection)
MAC_KEY *key = keydata;
int ok = 0;
- if (key != NULL) {
+ if (ossl_prov_is_running() && key != NULL) {
/*
* MAC keys always have all the parameters they need (i.e. none).
* Therefore we always return with 1, if asked about parameters.
@@ -133,6 +156,9 @@ static int mac_match(const void *keydata1, const void *keydata2, int selection)
const MAC_KEY *key2 = keydata2;
int ok = 1;
+ if (!ossl_prov_is_running())
+ return 0;
+
if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) {
if ((key1->priv_key == NULL && key2->priv_key != NULL)
|| (key1->priv_key != NULL && key2->priv_key == NULL)
@@ -201,7 +227,7 @@ static int mac_import(void *keydata, int selection, const OSSL_PARAM params[])
{
MAC_KEY *key = keydata;
- if (key == NULL)
+ if (!ossl_prov_is_running() || key == NULL)
return 0;
if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) == 0)
@@ -247,7 +273,7 @@ static int mac_export(void *keydata, int selection, OSSL_CALLBACK *param_cb,
OSSL_PARAM *params = NULL;
int ret = 0;
- if (key == NULL)
+ if (!ossl_prov_is_running() || key == NULL)
return 0;
tmpl = OSSL_PARAM_BLD_new();
@@ -349,6 +375,9 @@ static void *mac_gen_init(void *provctx, int selection)
OPENSSL_CTX *libctx = PROV_LIBRARY_CONTEXT_OF(provctx);
struct mac_gen_ctx *gctx = NULL;
+ if (!ossl_prov_is_running())
+ return NULL;
+
if ((gctx = OPENSSL_zalloc(sizeof(*gctx))) != NULL) {
gctx->libctx = libctx;
gctx->selection = selection;
@@ -422,7 +451,7 @@ static void *mac_gen(void *genctx, OSSL_CALLBACK *cb, void *cbarg)
struct mac_gen_ctx *gctx = genctx;
MAC_KEY *key;
- if (gctx == NULL)
+ if (!ossl_prov_is_running() || gctx == NULL)
return NULL;
if ((key = mac_key_new(gctx->libctx, 0)) == NULL) {
@@ -511,3 +540,4 @@ const OSSL_DISPATCH cmac_legacy_keymgmt_functions[] = {
{ OSSL_FUNC_KEYMGMT_GEN_CLEANUP, (void (*)(void))mac_gen_cleanup },
{ 0, NULL }
};
+
diff --git a/providers/implementations/keymgmt/rsa_kmgmt.c b/providers/implementations/keymgmt/rsa_kmgmt.c
index ab2325d4bd..5a8da35d60 100644
--- a/providers/implementations/keymgmt/rsa_kmgmt.c
+++ b/providers/implementations/keymgmt/rsa_kmgmt.c
@@ -74,8 +74,12 @@ static int pss_params_fromdata(RSA_PSS_PARAMS_30 *pss_params,
static void *rsa_newdata(void *provctx)
{
OPENSSL_CTX *libctx = PROV_LIBRARY_CONTEXT_OF(provctx);
- RSA *rsa = rsa_new_with_ctx(libctx);
+ RSA *rsa;
+ if (!ossl_prov_is_running())
+ return NULL;
+
+ rsa = rsa_new_with_ctx(libctx);
if (rsa != NULL) {
RSA_clear_flags(rsa, RSA_FLAG_TYPE_MASK);
RSA_set_flags(rsa, RSA_FLAG_TYPE_RSA);
@@ -86,8 +90,12 @@ static void *rsa_newdata(void *provctx)
static void *rsapss_newdata(void *provctx)
{
OPENSSL_CTX *libctx = PROV_LIBRARY_CONTEXT_OF(provctx);
- RSA *rsa = rsa_new_with_ctx(libctx);
+ RSA *rsa;
+
+ if (!ossl_prov_is_running())
+ return NULL;
+ rsa = rsa_new_with_ctx(libctx);
if (rsa != NULL) {
RSA_clear_flags(rsa, RSA_FLAG_TYPE_MASK);
RSA_set_flags(rsa, RSA_FLAG_TYPE_RSASSAPSS);
@@ -105,7 +113,7 @@ static int rsa_has(void *keydata, int selection)
RSA *rsa = keydata;
int ok = 0;
- if (rsa != NULL) {
+ if (rsa != NULL && ossl_prov_is_running()) {
if ((selection & RSA_POSSIBLE_SELECTIONS) != 0)
ok = 1;
@@ -128,6 +136,9 @@ static int rsa_match(const void *keydata1, const void *keydata2, int selection)
const RSA *rsa2 = keydata2;
int ok = 1;
+ if (!ossl_prov_is_running())
+ return 0;
+
/* There is always an |e| */
ok = ok && BN_cmp(RSA_get0_e(rsa1), RSA_get0_e(rsa2)) == 0;
if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0)
@@ -143,7 +154,7 @@ static int rsa_import(void *keydata, int selection, const OSSL_PARAM params[])
int rsa_type;
int ok = 1;
- if (rsa == NULL)
+ if (!ossl_prov_is_running() || rsa == NULL)
return 0;
if ((selection & RSA_POSSIBLE_SELECTIONS) == 0)
@@ -171,7 +182,7 @@ static int rsa_export(void *keydata, int selection,
OSSL_PARAM *params = NULL;
int ok = 1;
- if (rsa == NULL)
+ if (!ossl_prov_is_running() || rsa == NULL)
return 0;
/* TODO(3.0) OAEP should bring on parameters */
@@ -351,6 +362,9 @@ static int rsa_validate(void *keydata, int selection)
RSA *rsa = keydata;
int ok = 0;
+ if (!ossl_prov_is_running())
+ return 0;
+
if ((selection & RSA_POSSIBLE_SELECTIONS) != 0)
ok = 1;
@@ -404,6 +418,9 @@ static void *gen_init(void *provctx, int selection, int rsa_type)
OPENSSL_CTX *libctx = PROV_LIBRARY_CONTEXT_OF(provctx);
struct rsa_gen_ctx *gctx = NULL;
+ if (!ossl_prov_is_running())
+ return NULL;
+
if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) == 0)
return NULL;
@@ -507,7 +524,7 @@ static void *rsa_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg)
RSA *rsa = NULL, *rsa_tmp = NULL;
BN_GENCB *gencb = NULL;
- if (gctx == NULL)
+ if (!ossl_prov_is_running() || gctx == NULL)
return NULL;
switch (gctx->rsa_type) {
@@ -581,7 +598,7 @@ void *rsa_load(const void *reference, size_t reference_sz)
{
RSA *rsa = NULL;
- if (reference_sz == sizeof(rsa)) {
+ if (ossl_prov_is_running() && reference_sz == sizeof(rsa)) {
/* The contents of the reference is the address to our object */
rsa = *(RSA **)reference;
/* We grabbed, so we detach it */
diff --git a/providers/implementations/macs/blake2_mac_impl.c b/providers/implementations/macs/blake2_mac_impl.c
index c2f292f9bb..f7b6bd3e4f 100644
--- a/providers/implementations/macs/blake2_mac_impl.c
+++ b/providers/implementations/macs/blake2_mac_impl.c
@@ -15,6 +15,7 @@
#include "internal/cryptlib.h"
#include "prov/providercommonerr.h"
#include "prov/implementations.h"
+#include "prov/providercommon.h"
/*
* Forward declaration of everything implemented here. This is not strictly
@@ -42,8 +43,12 @@ static size_t blake2_mac_size(void *vmacctx);
static void *blake2_mac_new(void *unused_provctx)
{
- struct blake2_mac_data_st *macctx = OPENSSL_zalloc(sizeof(*macctx));
+ struct blake2_mac_data_st *macctx;
+ if (!ossl_prov_is_running())
+ return NULL;
+
+ macctx = OPENSSL_zalloc(sizeof(*macctx));
if (macctx != NULL) {
BLAKE2_PARAM_INIT(&macctx->params);
/* ctx initialization is deferred to BLAKE2b_Init() */
@@ -56,6 +61,9 @@ static void *blake2_mac_dup(void *vsrc)
struct blake2_mac_data_st *dst;
struct blake2_mac_data_st *src = vsrc;
+ if (!ossl_prov_is_running())
+ return NULL;
+
dst = OPENSSL_zalloc(sizeof(*dst));
if (dst == NULL)
return NULL;
@@ -78,6 +86,9 @@ static int blake2_mac_init(void *vmacctx)
{
struct blake2_mac_data_st *macctx = vmacctx;
+ if (!ossl_prov_is_running())
+ return 0;
+
/* Check key has been set */
if (macctx->params.key_length == 0) {
ERR_raise(ERR_LIB_PROV, PROV_R_NO_KEY_SET);
@@ -104,6 +115,9 @@ static int blake2_mac_final(void *vmacctx,
{
struct blake2_mac_data_st *macctx = vmacctx;
+ if (!ossl_prov_is_running())
+ return 0;
+
*outl = blake2_mac_size(macctx);
return BLAKE2_FINAL(out, &macctx->ctx);
}
diff --git a/providers/implementations/macs/cmac_prov.c b/providers/implementations/macs/cmac_prov.c
index df73b0c11b..61b58e0177 100644
--- a/providers/implementations/macs/cmac_prov.c
+++ b/providers/implementations/macs/cmac_prov.c
@@ -23,6 +23,7 @@
#include "prov/implementations.h"
#include "prov/provider_ctx.h"
#include "prov/provider_util.h"
+#include "prov/providercommon.h"
/*
* Forward declaration of everything implemented here. This is not strictly
@@ -52,6 +53,9 @@ static void *cmac_new(void *provctx)
{
struct cmac_data_st *macctx;
+ if (!ossl_prov_is_running())
+ return NULL;
+
if ((macctx = OPENSSL_zalloc(sizeof(*macctx))) == NULL
|| (macctx->ctx = CMAC_CTX_new()) == NULL) {
OPENSSL_free(macctx);
@@ -77,8 +81,12 @@ static void cmac_free(void *vmacctx)
static void *cmac_dup(void *vsrc)
{
struct cmac_data_st *src = vsrc;
- struct cmac_data_st *dst = cmac_new(src->provctx);
+ struct cmac_data_st *dst;
+ if (!ossl_prov_is_running())
+ return NULL;
+
+ dst = cmac_new(src->provctx);
if (!CMAC_CTX_copy(dst->ctx, src->ctx)
|| !ossl_prov_cipher_copy(&dst->cipher, &src->cipher)) {
cmac_free(dst);
@@ -97,9 +105,14 @@ static size_t cmac_size(void *vmacctx)
static int cmac_init(void *vmacctx)
{
struct cmac_data_st *macctx = vmacctx;
- int rv = CMAC_Init(macctx->ctx, NULL, 0,
- ossl_prov_cipher_cipher(&macctx->cipher),
- ossl_prov_cipher_engine(&macctx->cipher));
+ int rv;
+
+ if (!ossl_prov_is_running())
+ return 0;
+
+ rv = CMAC_Init(macctx->ctx, NULL, 0,
+ ossl_prov_cipher_cipher(&macctx->cipher),
+ ossl_prov_cipher_engine(&macctx->cipher));
ossl_prov_cipher_reset(&macctx->cipher);
return rv;
@@ -118,6 +131,9 @@ static int cmac_final(void *vmacctx, unsigned char *out, size_t *outl,
{
struct cmac_data_st *macctx = vmacctx;
+ if (!ossl_prov_is_running())
+ return 0;
+
return CMAC_Final(macctx->ctx, out, outl);
}
diff --git a/providers/implementations/macs/gmac_prov.c b/providers/implementations/macs/gmac_prov.c
index c44dea3ec1..1beb7c20b1 100644
--- a/providers/implementations/macs/gmac_prov.c
+++ b/providers/implementations/macs/gmac_prov.c
@@ -19,6 +19,7 @@
#include "prov/implementations.h"
#include "prov/provider_ctx.h"
#include "prov/provider_util.h"
+#include "prov/providercommon.h"
/*
* Forward declaration of everything implemented here. This is not strictly
@@ -61,6 +62,9 @@ static void *gmac_new(void *provctx)
{
struct gmac_data_st *macctx;
+ if (!ossl_prov_is_running())
+ return NULL;
+
if ((macctx = OPENSSL_zalloc(sizeof(*macctx))) == NULL
|| (macctx->ctx = EVP_CIPHER_CTX_new()) == NULL) {
gmac_free(macctx);
@@ -74,8 +78,12 @@ static void *gmac_new(void *provctx)
static void *gmac_dup(void *vsrc)
{
struct gmac_data_st *src = vsrc;
- struct gmac_data_st *dst = gmac_new(src->provctx);
+ struct gmac_data_st *dst;
+
+ if (!ossl_prov_is_running())
+ return NULL;
+ dst = gmac_new(src->provctx);
if (dst == NULL)
return NULL;
@@ -89,7 +97,7 @@ static void *gmac_dup(void *vsrc)
static int gmac_init(void *vmacctx)
{
- return 1;
+ return ossl_prov_is_running();
}
static int gmac_update(void *vmacctx, const unsigned char *data,
@@ -117,6 +125,9 @@ static int gmac_final(void *vmacctx, unsigned char *out, size_t *outl,
struct gmac_data_st *macctx = vmacctx;
int hlen = 0;
+ if (!ossl_prov_is_running())
+ return 0;
+
if (!EVP_EncryptFinal_ex(macctx->ctx, out, &hlen))
return 0;
diff --git a/providers/implementations/macs/hmac_prov.c b/providers/implementations/macs/hmac_prov.c
index f6cb544f64..2f99e75a88 100644
--- a/providers/implementations/macs/hmac_prov.c
+++ b/providers/implementations/macs/hmac_prov.c
@@ -25,6 +25,7 @@
#include "prov/implementations.h"
#include "prov/provider_ctx.h"
#include "prov/provider_util.h"
+#include "prov/providercommon.h"
/*
* Forward declaration of everything implemented here. This is not strictly
@@ -76,6 +77,9 @@ static void *hmac_new(void *provctx)
{
struct hmac_data_st *macctx;
+ if (!ossl_prov_is_running())
+ return NULL;
+
if ((macctx = OPENSSL_zalloc(sizeof(*macctx))) == NULL
|| (macctx->ctx = HMAC_CTX_new()) == NULL) {
OPENSSL_free(macctx);
@@ -102,9 +106,12 @@ static void hmac_free(void *vmacctx)
static void *hmac_dup(void *vsrc)
{
struct hmac_data_st *src = vsrc;
- struct hmac_data_st *dst = hmac_new(src->provctx);
+ struct hmac_data_st *dst;
HMAC_CTX *ctx;
+ if (!ossl_prov_is_running())
+ return NULL;
+ dst = hmac_new(src->provctx);
if (dst == NULL)
return NULL;
@@ -140,9 +147,13 @@ static size_t hmac_size(void *vmacctx)
static int hmac_init(void *vmacctx)
{
struct hmac_data_st *macctx = vmacctx;
- const EVP_MD *digest = ossl_prov_digest_md(&macctx->digest);
+ const EVP_MD *digest;
int rv = 1;
+ if (!ossl_prov_is_running())
+ return 0;
+
+ digest = ossl_prov_digest_md(&macctx->digest);
/* HMAC_Init_ex doesn't tolerate all zero params, so we must be careful */
if (macctx->tls_data_size == 0 && digest != NULL)
rv = HMAC_Init_ex(macctx->ctx, NULL, 0, digest,
@@ -191,6 +202,8 @@ static int hmac_final(void *vmacctx, unsigned char *out, size_t *outl,
unsigned int hlen;
struct hmac_data_st *macctx = vmacctx;
+ if (!ossl_prov_is_running())
+ return 0;
if (macctx->tls_data_size > 0) {
if (macctx->tls_mac_out_size == 0)
return 0;
diff --git a/providers/implementations/macs/kmac_prov.c b/providers/implementations/macs/kmac_prov.c
index ce3247baa2..b8c3419e0a 100644
--- a/providers/implementations/macs/kmac_prov.c
+++ b/providers/implementations/macs/kmac_prov.c
@@ -58,6 +58,7 @@
#include "prov/implementations.h"
#include "prov/provider_ctx.h"
#include "prov/provider_util.h"
+#include "prov/providercommon.h"
/*
* Forward declaration of everything implemented here. This is not strictly
@@ -158,6 +159,9 @@ static struct kmac_data_st *kmac_new(void *provctx)
{
struct kmac_data_st *kctx;
+ if (!ossl_prov_is_running())
+ return NULL;
+
if ((kctx = OPENSSL_zalloc(sizeof(*kctx))) == NULL
|| (kctx->ctx = EVP_MD_CTX_new()) == NULL) {
kmac_free(kctx);
@@ -206,8 +210,12 @@ static void *kmac256_new(void *provctx)
static void *kmac_dup(void *vsrc)
{
struct kmac_data_st *src = vsrc;
- struct kmac_data_st *dst = kmac_new(src->provctx);
+ struct kmac_data_st *dst;
+
+ if (!ossl_prov_is_running())
+ return NULL;
+ dst = kmac_new(src->provctx);
if (dst == NULL)
return NULL;
@@ -239,6 +247,8 @@ static int kmac_init(void *vmacctx)
unsigned char out[KMAC_MAX_BLOCKSIZE];
int out_len, block_len;
+ if (!ossl_prov_is_running())
+ return 0;
/* Check key has been set */
if (kctx->key_len == 0) {
@@ -292,6 +302,9 @@ static int kmac_final(void *vmacctx, unsigned char *out, size_t *outl,
unsigned char encoded_outlen[KMAC_MAX_ENCODED_HEADER_LEN];
int ok;
+ if (!ossl_prov_is_running())
+ return 0;
+
/* KMAC XOF mode sets the encoded length to 0 */
lbits = (kctx->xof_mode ? 0 : (kctx->out_len * 8));
diff --git a/providers/implementations/macs/poly1305_prov.c b/providers/implementations/macs/poly1305_prov.c
index 36546eb95d..57dba2307e 100644
--- a/providers/implementations/macs/poly1305_prov.c
+++ b/providers/implementations/macs/poly1305_prov.c
@@ -17,6 +17,7 @@
#include "prov/providercommonerr.h"
#include "prov/implementations.h"
+#include "prov/providercommon.h"
/*
* Forward declaration of everything implemented here. This is not strictly
@@ -43,8 +44,11 @@ static size_t poly1305_size(void);
static void *poly1305_new(void *provctx)
{
- struct poly1305_data_st *ctx = OPENSSL_zalloc(sizeof(*ctx));
+ struct poly1305_data_st *ctx;
+ if (!ossl_prov_is_running())
+ return NULL;
+ ctx = OPENSSL_zalloc(sizeof(*ctx));
if (ctx != NULL)
ctx->provctx = provctx;
return ctx;
@@ -58,8 +62,11 @@ static void poly1305_free(void *vmacctx)
static void *poly1305_dup(void *vsrc)
{
struct poly1305_data_st *src = vsrc;
- struct poly1305_data_st *dst = poly1305_new(src->provctx);
+ struct poly1305_data_st *dst;
+ if (!ossl_prov_is_running())
+ return NULL;
+ dst = poly1305_new(src->provctx);
if (dst == NULL)
return NULL;
@@ -75,7 +82,7 @@ static size_t poly1305_size(void)
static int poly1305_init(void *vmacctx)
{
/* initialize the context in MAC_ctrl function */
- return 1;
+ return ossl_prov_is_running();
}
static int poly1305_update(void *vmacctx, const unsigned char *data,
@@ -96,6 +103,8 @@ static int poly1305_final(void *vmacctx, unsigned char *out, size_t *outl,
{
struct poly1305_data_st *ctx = vmacctx;
+ if (!ossl_prov_is_running())
+ return 0;
Poly1305_Final(&ctx->poly1305, out);
*outl = poly1305_size();
return 1;
diff --git a/providers/implementations/macs/siphash_prov.c b/providers/implementations/macs/siphash_prov.c
index 1bea7a2787..6567473076 100644
--- a/providers/implementations/macs/siphash_prov.c
+++ b/providers/implementations/macs/siphash_prov.c
@@ -24,6 +24,7 @@
#include "prov/providercommonerr.h"
#include "prov/implementations.h"
+#include "prov/providercommon.h"
/*
* Forward declaration of everything implemented here. This is not strictly
@@ -49,8 +50,11 @@ struct siphash_data_st {
static void *siphash_new(void *provctx)
{
- struct siphash_data_st *ctx = OPENSSL_zalloc(sizeof(*ctx));
+ struct siphash_data_st *ctx;
+ if (!ossl_prov_is_running())
+ return NULL;
+ ctx = OPENSSL_zalloc(sizeof(*ctx));
if (ctx != NULL)
ctx->provctx = provctx;
return ctx;
@@ -64,8 +68,11 @@ static void siphash_free(void *vmacctx)
static void *siphash_dup(void *vsrc)
{
struct siphash_data_st *ssrc = vsrc;
- struct siphash_data_st *sdst = siphash_new(ssrc->provctx);
+ struct siphash_data_st *sdst;
+ if (!ossl_prov_is_running())
+ return NULL;
+ sdst = siphash_new(ssrc->provctx);
if (sdst == NULL)
return NULL;
@@ -83,7 +90,7 @@ static size_t siphash_size(void *vmacctx)
static int siphash_init(void *vmacctx)
{
/* Not much to do here, actual initialization happens through controls */
- return 1;
+ return ossl_prov_is_running();
}
static int siphash_update(void *vmacctx, const unsigned char *data,
@@ -104,7 +111,7 @@ static int siphash_final(void *vmacctx, unsigned char *out, size_t *outl,
struct siphash_data_st *ctx = vmacctx;
size_t hlen = siphash_size(ctx);
- if (outsize < hlen)
+ if (!ossl_prov_is_running() || outsize < hlen)
return 0;
*outl = hlen;
diff --git a/providers/implementations/rands/crngt.c b/providers/implementations/rands/crngt.c
index 538de37468..e23485291b 100644
--- a/providers/implementations/rands/crngt.c
+++ b/providers/implementations/rands/crngt.c
@@ -16,6 +16,7 @@
#include <openssl/evp.h>
#include <openssl/core_dispatch.h>
#include <openssl/params.h>
+#include <openssl/self_test.h>
#include "prov/providercommon.h"
#include "prov/provider_ctx.h"
#include "internal/cryptlib.h"
@@ -92,6 +93,17 @@ static const OPENSSL_CTX_METHOD rand_crng_ossl_ctx_method = {
rand_crng_ossl_ctx_free,
};
+static int prov_crngt_compare_previous(const unsigned char *prev,
+ const unsigned char *cur,
+ size_t sz)
+{
+ const int res = memcmp(prev, cur, sz) != 0;
+
+ if (!res)
+ ossl_set_error_state(OSSL_SELF_TEST_TYPE_CRNG);
+ return res;
+}
+
size_t prov_crngt_get_entropy(PROV_DRBG *drbg,
unsigned char **pout,
int entropy, size_t min_len, size_t max_len,
@@ -117,7 +129,7 @@ size_t prov_crngt_get_entropy(PROV_DRBG *drbg,
s = q > sizeof(buf) ? sizeof(buf) : q;
if (!crngt_get_entropy(libctx, crngt_glob->crngt_pool, buf, md,
&sz)
- || memcmp(crngt_glob->crngt_prev, md, sz) == 0
+ || !prov_crngt_compare_previous(crngt_glob->crngt_prev, md, sz)
|| !rand_pool_add(pool, buf, s, s * 8))
goto err;
memcpy(crngt_glob->crngt_prev, md, sz);
diff --git a/providers/implementations/rands/drbg.c b/providers/implementations/rands/drbg.c
index a4a9b177a3..5d364b1a21 100644
--- a/providers/implementations/rands/drbg.c
+++ b/providers/implementations/rands/drbg.c
@@ -20,6 +20,7 @@
#include "prov/rand_pool.h"
#include "prov/provider_ctx.h"
#include "prov/providercommonerr.h"
+#include "prov/providercommon.h"
/*
* Support framework for NIST SP 800-90A DRBG
@@ -397,6 +398,9 @@ int PROV_DRBG_instantiate(PROV_DRBG *drbg, unsigned int strength,
size_t noncelen = 0, entropylen = 0;
size_t min_entropy, min_entropylen, max_entropylen;
+ if (!ossl_prov_is_running())
+ return 0;
+
if (strength > drbg->strength) {
PROVerr(0, PROV_R_INSUFFICIENT_DRBG_STRENGTH);
goto end;
@@ -536,6 +540,9 @@ int PROV_DRBG_reseed(PROV_DRBG *drbg, int prediction_resistance,
unsigned char *entropy = NULL;
size_t entropylen = 0;
+ if (!ossl_prov_is_running())
+ return 0;
+
if (drbg->state != EVP_RAND_STATE_READY) {
/* try to recover from previous errors */
rand_drbg_restart(drbg);
@@ -647,6 +654,9 @@ int PROV_DRBG_generate(PROV_DRBG *drbg, unsigned char *out, size_t outlen,
int fork_id;
int reseed_required = 0;
+ if (!ossl_prov_is_running())
+ return 0;
+
if (drbg->state != EVP_RAND_STATE_READY) {
/* try to recover from previous errors */
rand_drbg_restart(drbg);
@@ -810,10 +820,14 @@ PROV_DRBG *prov_rand_drbg_new
int (*generate)(PROV_DRBG *, unsigned char *out, size_t outlen,
const unsigned char *adin, size_t adin_len))
{
- PROV_DRBG *drbg = OPENSSL_zalloc(sizeof(*drbg));
+ PROV_DRBG *drbg;
unsigned int p_str;
const OSSL_DISPATCH *pfunc;
+ if (!ossl_prov_is_running())
+ return NULL;
+
+ drbg = OPENSSL_zalloc(sizeof(*drbg));
if (drbg == NULL) {
ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
return NULL;
diff --git a/providers/implementations/signature/dsa.c b/providers/implementations/signature/dsa.c
index 0b29ad6368..f18f90ec63 100644
--- a/providers/implementations/signature/dsa.c
+++ b/providers/implementations/signature/dsa.c
@@ -26,7 +26,7 @@
#include "internal/nelem.h"
#include "internal/sizes.h"
#include "internal/cryptlib.h"
-#include "prov/providercommonerr.h"
+#include "prov/providercommon.h"
#include "prov/implementations.h"
#include "prov/providercommonerr.h"
#include "prov/provider_ctx.h"
@@ -134,8 +134,12 @@ static int dsa_get_md_nid(const EVP_MD *md)
static void *dsa_newctx(void *provctx, const char *propq)
{
- PROV_DSA_CTX *pdsactx = OPENSSL_zalloc(sizeof(PROV_DSA_CTX));
+ PROV_DSA_CTX *pdsactx;
+
+ if (!ossl_prov_is_running())
+ return NULL;
+ pdsactx = OPENSSL_zalloc(sizeof(PROV_DSA_CTX));
if (pdsactx == NULL)
return NULL;
@@ -196,7 +200,10 @@ static int dsa_signature_init(void *vpdsactx, void *vdsa)
{
PROV_DSA_CTX *pdsactx = (PROV_DSA_CTX *)vpdsactx;
- if (pdsactx == NULL || vdsa == NULL || !DSA_up_ref(vdsa))
+ if (!ossl_prov_is_running()
+ || pdsactx == NULL
+ || vdsa == NULL
+ || !DSA_up_ref(vdsa))
return 0;
DSA_free(pdsactx->dsa);
pdsactx->dsa = vdsa;
@@ -212,6 +219,9 @@ static int dsa_sign(void *vpdsactx, unsigned char *sig, size_t *siglen,
size_t dsasize = DSA_size(pdsactx->dsa);
size_t mdsize = dsa_get_md_size(pdsactx);
+ if (!ossl_prov_is_running())
+ return 0;
+
if (sig == NULL) {
*siglen = dsasize;
return 1;
@@ -237,7 +247,7 @@ static int dsa_verify(void *vpdsactx, const unsigned char *sig, size_t siglen,
PROV_DSA_CTX *pdsactx = (PROV_DSA_CTX *)vpdsactx;
size_t mdsize = dsa_get_md_size(pdsactx);
- if (mdsize != 0 && tbslen != mdsize)
+ if (!ossl_prov_is_running() || (mdsize != 0 && tbslen != mdsize))
return 0;
return DSA_verify(0, tbs, tbslen, sig, siglen, pdsactx->dsa);
@@ -248,6 +258,9 @@ static int dsa_digest_signverify_init(void *vpdsactx, const char *mdname,
{
PROV_DSA_CTX *pdsactx = (PROV_DSA_CTX *)vpdsactx;
+ if (!ossl_prov_is_running())
+ return 0;
+
pdsactx->flag_allow_md = 0;
if (!dsa_signature_init(vpdsactx, vdsa))
return 0;
@@ -290,7 +303,7 @@ int dsa_digest_sign_final(void *vpdsactx, unsigned char *sig, size_t *siglen,
unsigned char digest[EVP_MAX_MD_SIZE];
unsigned int dlen = 0;
- if (pdsactx == NULL || pdsactx->mdctx == NULL)
+ if (!ossl_prov_is_running() || pdsactx == NULL || pdsactx->mdctx == NULL)
return 0;
/*
@@ -320,7 +333,7 @@ int dsa_digest_verify_final(void *vpdsactx, const unsigned char *sig,
unsigned char digest[EVP_MAX_MD_SIZE];
unsigned int dlen = 0;
- if (pdsactx == NULL || pdsactx->mdctx == NULL)
+ if (!ossl_prov_is_running() || pdsactx == NULL || pdsactx->mdctx == NULL)
return 0;
/*
@@ -356,6 +369,9 @@ static void *dsa_dupctx(void *vpdsactx)
PROV_DSA_CTX *srcctx = (PROV_DSA_CTX *)vpdsactx;
PROV_DSA_CTX *dstctx;
+ if (!ossl_prov_is_running())
+ return NULL;
+
dstctx = OPENSSL_zalloc(sizeof(*srcctx));
if (dstctx == NULL)
return NULL;
diff --git a/providers/implementations/signature/ecdsa.c b/providers/implementations/signature/ecdsa.c
index d60a996a83..2862fb0e31 100644
--- a/providers/implementations/signature/ecdsa.c
+++ b/providers/implementations/signature/ecdsa.c
@@ -24,6 +24,7 @@
#include "internal/nelem.h"
#include "internal/sizes.h"
#include "internal/cryptlib.h"
+#include "prov/providercommon.h"
#include "prov/providercommonerr.h"
#include "prov/implementations.h"
#include "prov/provider_ctx.h"
@@ -95,8 +96,12 @@ typedef struct {
static void *ecdsa_newctx(void *provctx, const char *propq)
{
- PROV_ECDSA_CTX *ctx = OPENSSL_zalloc(sizeof(PROV_ECDSA_CTX));
+ PROV_ECDSA_CTX *ctx;
+ if (!ossl_prov_is_running())
+ return NULL;
+
+ ctx = OPENSSL_zalloc(sizeof(PROV_ECDSA_CTX));
if (ctx == NULL)
return NULL;
@@ -113,7 +118,10 @@ static int ecdsa_signature_init(void *vctx, void *ec)
{
PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
- if (ctx == NULL || ec == NULL || !EC_KEY_up_ref(ec))
+ if (!ossl_prov_is_running()
+ || ctx == NULL
+ || ec == NULL
+ || !EC_KEY_up_ref(ec))
return 0;
EC_KEY_free(ctx->ec);
ctx->ec = ec;
@@ -128,6 +136,9 @@ static int ecdsa_sign(void *vctx, unsigned char *sig, size_t *siglen,
unsigned int sltmp;
size_t ecsize = ECDSA_size(ctx->ec);
+ if (!ossl_prov_is_running())
+ return 0;
+
if (sig == NULL) {
*siglen = ecsize;
return 1;
@@ -157,7 +168,7 @@ static int ecdsa_verify(void *vctx, const unsigned char *sig, size_t siglen,
{
PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
- if (ctx->mdsize != 0 && tbslen != ctx->mdsize)
+ if (!ossl_prov_is_running() || (ctx->mdsize != 0 && tbslen != ctx->mdsize))
return 0;
return ECDSA_verify(0, tbs, tbslen, sig, siglen, ctx->ec);
@@ -221,6 +232,9 @@ static int ecdsa_digest_signverify_init(void *vctx, const char *mdname,
int md_nid = NID_undef;
WPACKET pkt;
+ if (!ossl_prov_is_running())
+ return 0;
+
free_md(ctx);
if (!ecdsa_signature_init(vctx, ec))
@@ -277,7 +291,7 @@ int ecdsa_digest_sign_final(void *vctx, unsigned char *sig, size_t *siglen,
unsigned char digest[EVP_MAX_MD_SIZE];
unsigned int dlen = 0;
- if (ctx == NULL || ctx->mdctx == NULL)
+ if (!ossl_prov_is_running() || ctx == NULL || ctx->mdctx == NULL)
return 0;
/*
@@ -304,7 +318,7 @@ int ecdsa_digest_verify_final(void *vctx, const unsigned char *sig,
unsigned char digest[EVP_MAX_MD_SIZE];
unsigned int dlen = 0;
- if (ctx == NULL || ctx->mdctx == NULL)
+ if (!ossl_prov_is_running() || ctx == NULL || ctx->mdctx == NULL)
return 0;
/*
@@ -334,6 +348,9 @@ static void *ecdsa_dupctx(void *vctx)
PROV_ECDSA_CTX *srcctx = (PROV_ECDSA_CTX *)vctx;
PROV_ECDSA_CTX *dstctx;
+ if (!ossl_prov_is_running())
+ return NULL;
+
dstctx = OPENSSL_zalloc(sizeof(*srcctx));
if (dstctx == NULL)
return NULL;
diff --git a/providers/implementations/signature/eddsa.c b/providers/implementations/signature/eddsa.c
index c8e6c7cd3c..eda5ae1e60 100644
--- a/providers/implementations/signature/eddsa.c
+++ b/providers/implementations/signature/eddsa.c
@@ -16,7 +16,7 @@
#include <openssl/err.h>
#include "internal/nelem.h"
#include "internal/sizes.h"
-#include "prov/providercommonerr.h"
+#include "prov/providercommon.h"
#include "prov/implementations.h"
#include "prov/providercommonerr.h"
#include "prov/provider_ctx.h"
@@ -38,8 +38,12 @@ typedef struct {
static void *eddsa_newctx(void *provctx, const char *propq_unused)
{
- PROV_EDDSA_CTX *peddsactx = OPENSSL_zalloc(sizeof(PROV_EDDSA_CTX));
+ PROV_EDDSA_CTX *peddsactx;
+
+ if (!ossl_prov_is_running())
+ return NULL;
+ peddsactx = OPENSSL_zalloc(sizeof(PROV_EDDSA_CTX));
if (peddsactx == NULL) {
PROVerr(0, ERR_R_MALLOC_FAILURE);
return NULL;
@@ -56,6 +60,9 @@ static int eddsa_digest_signverify_init(void *vpeddsactx, const char *mdname,
PROV_EDDSA_CTX *peddsactx = (PROV_EDDSA_CTX *)vpeddsactx;
ECX_KEY *edkey = (ECX_KEY *)vedkey;
+ if (!ossl_prov_is_running())
+ return 0;
+
if (mdname != NULL && mdname[0] != '\0') {
PROVerr(0, PROV_R_INVALID_DIGEST);
return 0;
@@ -78,6 +85,9 @@ int ed25519_digest_sign(void *vpeddsactx, unsigned char *sigret,
PROV_EDDSA_CTX *peddsactx = (PROV_EDDSA_CTX *)vpeddsactx;
const ECX_KEY *edkey = peddsactx->key;
+ if (!ossl_prov_is_running())
+ return 0;
+
if (sigret == NULL) {
*siglen = ED25519_SIGSIZE;
return 1;
@@ -103,6 +113,9 @@ int ed448_digest_sign(void *vpeddsactx, unsigned char *sigret,
PROV_EDDSA_CTX *peddsactx = (PROV_EDDSA_CTX *)vpeddsactx;
const ECX_KEY *edkey = peddsactx->key;
+ if (!ossl_prov_is_running())
+ return 0;
+
if (sigret == NULL) {
*siglen = ED448_SIGSIZE;
return 1;
@@ -128,7 +141,7 @@ int ed25519_digest_verify(void *vpeddsactx, const unsigned char *sig,
PROV_EDDSA_CTX *peddsactx = (PROV_EDDSA_CTX *)vpeddsactx;
const ECX_KEY *edkey = peddsactx->key;
- if (siglen != ED25519_SIGSIZE)
+ if (!ossl_prov_is_running() || siglen != ED25519_SIGSIZE)
return 0;
return ED25519_verify(tbs, tbslen, sig, edkey->pubkey, peddsactx->libctx,
@@ -142,7 +155,7 @@ int ed448_digest_verify(void *vpeddsactx, const unsigned char *sig,
PROV_EDDSA_CTX *peddsactx = (PROV_EDDSA_CTX *)vpeddsactx;
const ECX_KEY *edkey = peddsactx->key;
- if (siglen != ED448_SIGSIZE)
+ if (!ossl_prov_is_running() || siglen != ED448_SIGSIZE)
return 0;
return ED448_verify(peddsactx->libctx, tbs, tbslen, sig, edkey->pubkey,
@@ -163,6 +176,9 @@ static void *eddsa_dupctx(void *vpeddsactx)
PROV_EDDSA_CTX *srcctx = (PROV_EDDSA_CTX *)vpeddsactx;
PROV_EDDSA_CTX *dstctx;
+ if (!ossl_prov_is_running())
+ return NULL;
+
dstctx = OPENSSL_zalloc(sizeof(*srcctx));
if (dstctx == NULL)
return NULL;
diff --git a/providers/implementations/signature/mac_legacy.c b/providers/implementations/signature/mac_legacy.c
index 3c6366756d..0b1415a9c9 100644
--- a/providers/implementations/signature/mac_legacy.c
+++ b/providers/implementations/signature/mac_legacy.c
@@ -19,6 +19,7 @@
#include "prov/implementations.h"
#include "prov/provider_ctx.h"
#include "prov/macsignature.h"
+#include "prov/providercommon.h"
static OSSL_FUNC_signature_newctx_fn mac_hmac_newctx;
static OSSL_FUNC_signature_newctx_fn mac_siphash_newctx;
@@ -44,9 +45,13 @@ typedef struct {
static void *mac_newctx(void *provctx, const char *propq, const char *macname)
{
- PROV_MAC_CTX *pmacctx = OPENSSL_zalloc(sizeof(PROV_MAC_CTX));
+ PROV_MAC_CTX *pmacctx;
EVP_MAC *mac = NULL;
+ if (!ossl_prov_is_running())
+ return NULL;
+
+ pmacctx = OPENSSL_zalloc(sizeof(PROV_MAC_CTX));
if (pmacctx == NULL)
return NULL;
@@ -90,7 +95,10 @@ static int mac_digest_sign_init(void *vpmacctx, const char *mdname, void *vkey)
PROV_MAC_CTX *pmacctx = (PROV_MAC_CTX *)vpmacctx;
const char *ciphername = NULL, *engine = NULL;
- if (pmacctx == NULL || vkey == NULL || !mac_key_up_ref(vkey))
+ if (!ossl_prov_is_running()
+ || pmacctx == NULL
+ || vkey == NULL
+ || !mac_key_up_ref(vkey))
return 0;
mac_key_free(pmacctx->key);
@@ -134,7 +142,7 @@ int mac_digest_sign_final(void *vpmacctx, unsigned char *mac, size_t *maclen,
{
PROV_MAC_CTX *pmacctx = (PROV_MAC_CTX *)vpmacctx;
- if (pmacctx == NULL || pmacctx->macctx == NULL)
+ if (!ossl_prov_is_running() || pmacctx == NULL || pmacctx->macctx == NULL)
return 0;
return EVP_MAC_final(pmacctx->macctx, mac, maclen, macsize);
@@ -155,6 +163,9 @@ static void *mac_dupctx(void *vpmacctx)
PROV_MAC_CTX *srcctx = (PROV_MAC_CTX *)vpmacctx;
PROV_MAC_CTX *dstctx;
+ if (!ossl_prov_is_running())
+ return NULL;
+
dstctx = OPENSSL_zalloc(sizeof(*srcctx));
if (dstctx == NULL)
return NULL;
diff --git a/providers/implementations/signature/rsa.c b/providers/implementations/signature/rsa.c
index ca7f6f23b9..678d3e7b66 100644
--- a/providers/implementations/signature/rsa.c
+++ b/providers/implementations/signature/rsa.c
@@ -25,6 +25,7 @@
#include "internal/nelem.h"
#include "internal/sizes.h"
#include "crypto/rsa.h"
+#include "prov/providercommon.h"
#include "prov/providercommonerr.h"
#include "prov/implementations.h"
#include "prov/provider_ctx.h"
@@ -198,6 +199,9 @@ static void *rsa_newctx(void *provctx, const char *propq)
PROV_RSA_CTX *prsactx = NULL;
char *propq_copy = NULL;
+ if (!ossl_prov_is_running())
+ return NULL;
+
if ((prsactx = OPENSSL_zalloc(sizeof(PROV_RSA_CTX))) == NULL
|| (propq != NULL
&& (propq_copy = OPENSSL_strdup(propq)) == NULL)) {
@@ -303,6 +307,9 @@ static int rsa_signature_init(void *vprsactx, void *vrsa, int operation)
{
PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
+ if (!ossl_prov_is_running())
+ return 0;
+
if (prsactx == NULL || vrsa == NULL || !RSA_up_ref(vrsa))
return 0;
@@ -404,6 +411,8 @@ static void free_tbuf(PROV_RSA_CTX *ctx)
static int rsa_sign_init(void *vprsactx, void *vrsa)
{
+ if (!ossl_prov_is_running())
+ return 0;
return rsa_signature_init(vprsactx, vrsa, EVP_PKEY_OP_SIGN);
}
@@ -415,6 +424,9 @@ static int rsa_sign(void *vprsactx, unsigned char *sig, size_t *siglen,
size_t rsasize = RSA_size(prsactx->rsa);
size_t mdsize = rsa_get_md_size(prsactx);
+ if (!ossl_prov_is_running())
+ return 0;
+
if (sig == NULL) {
*siglen = rsasize;
return 1;
@@ -552,6 +564,8 @@ static int rsa_sign(void *vprsactx, unsigned char *sig, size_t *siglen,
static int rsa_verify_recover_init(void *vprsactx, void *vrsa)
{
+ if (!ossl_prov_is_running())
+ return 0;
return rsa_signature_init(vprsactx, vrsa, EVP_PKEY_OP_VERIFYRECOVER);
}
@@ -565,6 +579,9 @@ static int rsa_verify_recover(void *vprsactx,
PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
int ret;
+ if (!ossl_prov_is_running())
+ return 0;
+
if (rout == NULL) {
*routlen = RSA_size(prsactx->rsa);
return 1;
@@ -638,6 +655,8 @@ static int rsa_verify_recover(void *vprsactx,
static int rsa_verify_init(void *vprsactx, void *vrsa)
{
+ if (!ossl_prov_is_running())
+ return 0;
return rsa_signature_init(vprsactx, vrsa, EVP_PKEY_OP_VERIFY);
}
@@ -647,6 +666,8 @@ static int rsa_verify(void *vprsactx, const unsigned char *sig, size_t siglen,
PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
size_t rslen;
+ if (!ossl_prov_is_running())
+ return 0;
if (prsactx->md != NULL) {
switch (prsactx->pad_mode) {
case RSA_PKCS1_PADDING:
@@ -725,6 +746,9 @@ static int rsa_digest_signverify_init(void *vprsactx, const char *mdname,
{
PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
+ if (!ossl_prov_is_running())
+ return 0;
+
if (prsactx != NULL)
prsactx->flag_allow_md = 0;
if (!rsa_signature_init(vprsactx, vrsa, operation)
@@ -765,6 +789,8 @@ static int rsa_digest_signverify_update(void *vprsactx,
static int rsa_digest_sign_init(void *vprsactx, const char *mdname,
void *vrsa)
{
+ if (!ossl_prov_is_running())
+ return 0;
return rsa_digest_signverify_init(vprsactx, mdname, vrsa,
EVP_PKEY_OP_SIGN);
}
@@ -776,7 +802,7 @@ static int rsa_digest_sign_final(void *vprsactx, unsigned char *sig,
unsigned char digest[EVP_MAX_MD_SIZE];
unsigned int dlen = 0;
- if (prsactx == NULL)
+ if (!ossl_prov_is_running() || prsactx == NULL)
return 0;
prsactx->flag_allow_md = 1;
if (prsactx->mdctx == NULL)
@@ -801,6 +827,8 @@ static int rsa_digest_sign_final(void *vprsactx, unsigned char *sig,
static int rsa_digest_verify_init(void *vprsactx, const char *mdname,
void *vrsa)
{
+ if (!ossl_prov_is_running())
+ return 0;
return rsa_digest_signverify_init(vprsactx, mdname, vrsa,
EVP_PKEY_OP_VERIFY);
}
@@ -812,6 +840,9 @@ int rsa_digest_verify_final(void *vprsactx, const unsigned char *sig,
unsigned char digest[EVP_MAX_MD_SIZE];
unsigned int dlen = 0;
+ if (!ossl_prov_is_running())
+ return 0;
+
if (prsactx == NULL)
return 0;
prsactx->flag_allow_md = 1;
@@ -851,6 +882,9 @@ static void *rsa_dupctx(void *vprsactx)
PROV_RSA_CTX *srcctx = (PROV_RSA_CTX *)vprsactx;
PROV_RSA_CTX *dstctx;
+ if (!ossl_prov_is_running())
+ return NULL;
+
dstctx = OPENSSL_zalloc(sizeof(*srcctx));
if (dstctx == NULL) {
ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
diff --git a/providers/legacyprov.c b/providers/legacyprov.c
index 549906a68a..50c4479b38 100644
--- a/providers/legacyprov.c
+++ b/providers/legacyprov.c
@@ -15,6 +15,7 @@
#include <openssl/params.h>
#include "prov/provider_ctx.h"
#include "prov/implementations.h"
+#include "prov/providercommon.h"
/*
* Forward declarations to ensure that interface functions are correctly
@@ -40,6 +41,7 @@ static const OSSL_PARAM legacy_param_types[] = {
OSSL_PARAM_DEFN(OSSL_PROV_PARAM_NAME, OSSL_PARAM_UTF8_PTR, NULL, 0),
OSSL_PARAM_DEFN(OSSL_PROV_PARAM_VERSION, OSSL_PARAM_UTF8_PTR, NULL, 0),
OSSL_PARAM_DEFN(OSSL_PROV_PARAM_BUILDINFO, OSSL_PARAM_UTF8_PTR, NULL, 0),
+ OSSL_PARAM_DEFN(OSSL_PROV_PARAM_STATUS, OSSL_PARAM_INTEGER, NULL, 0),
OSSL_PARAM_END
};
@@ -62,7 +64,7 @@ static int legacy_get_params(void *provctx, OSSL_PARAM params[])
if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_FULL_VERSION_STR))
return 0;
p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_STATUS);
- if (p != NULL && !OSSL_PARAM_set_uint(p, 1))
+ if (p != NULL && !OSSL_PARAM_set_int(p, ossl_prov_is_running()))
return 0;
return 1;
}
diff --git a/providers/nullprov.c b/providers/nullprov.c
index bdad5f15e6..537c90b78f 100644
--- a/providers/nullprov.c
+++ b/providers/nullprov.c
@@ -14,6 +14,7 @@
#include <openssl/core_names.h>
#include <openssl/params.h>
#include "prov/implementations.h"
+#include "prov/providercommon.h"
OSSL_provider_init_fn ossl_null_provider_init;
@@ -22,6 +23,7 @@ static const OSSL_ITEM null_param_types[] = {
{ OSSL_PARAM_UTF8_PTR, OSSL_PROV_PARAM_NAME },
{ OSSL_PARAM_UTF8_PTR, OSSL_PROV_PARAM_VERSION },
{ OSSL_PARAM_UTF8_PTR, OSSL_PROV_PARAM_BUILDINFO },
+ { OSSL_PARAM_INTEGER, OSSL_PROV_PARAM_STATUS },
{ 0, NULL }
};
@@ -30,7 +32,7 @@ static const OSSL_ITEM *null_gettable_params(const OSSL_PROVIDER *prov)
return null_param_types;
}
-static int null_get_params(const OSSL_PROVIDER *prov, OSSL_PARAM params[])
+static int null_get_params(const OSSL_PROVIDER *provctx, OSSL_PARAM params[])
{
OSSL_PARAM *p;
@@ -43,7 +45,9 @@ static int null_get_params(const OSSL_PROVIDER *prov, OSSL_PARAM params[])
p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_BUILDINFO);
if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_FULL_VERSION_STR))
return 0;
-
+ p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_STATUS);
+ if (p != NULL && !OSSL_PARAM_set_int(p, ossl_prov_is_running()))
+ return 0;
return 1;
}
diff --git a/providers/implementations/ciphers/cipher_aes_cts.h b/providers/prov_running.c
similarity index 54%
copy from providers/implementations/ciphers/cipher_aes_cts.h
copy to providers/prov_running.c
index 6b0dfdd2c1..379fd5d25c 100644
--- a/providers/implementations/ciphers/cipher_aes_cts.h
+++ b/providers/prov_running.c
@@ -7,10 +7,16 @@
* https://www.openssl.org/source/license.html
*/
-#include "crypto/evp.h"
+#include <openssl/e_os2.h>
+#include "prov/providercommon.h"
-OSSL_FUNC_cipher_update_fn aes_cbc_cts_block_update;
-OSSL_FUNC_cipher_final_fn aes_cbc_cts_block_final;
+/* By default, our providers don't have an error state */
+void ossl_set_error_state(const char *type)
+{
+}
-const char *aes_cbc_cts_mode_id2name(unsigned int id);
-int aes_cbc_cts_mode_name2id(const char *name);
+/* By default, our providers are always in a happy state */
+int ossl_prov_is_running(void)
+{
+ return 1;
+}
More information about the openssl-commits
mailing list