[openssl] master update
tomas at openssl.org
tomas at openssl.org
Fri Jul 16 09:24:11 UTC 2021
The branch master has been updated
via ca638147c8cdb7c49621f3f0acc628c090989b6a (commit)
via f096691b91413363e8c45a0e093018d1c86de941 (commit)
via 033e987c03e025fa15eeae036578384e65f49af0 (commit)
via 59f66d8cf98a2c11404826bfecd7d6f210ddc048 (commit)
from 09c1db3399d682523443af64158e1862082da23e (commit)
- Log -----------------------------------------------------------------
commit ca638147c8cdb7c49621f3f0acc628c090989b6a
Author: Tomas Mraz <tomas at openssl.org>
Date: Wed Jul 14 15:51:29 2021 +0200
Drop daily run-checker build with just enable-acvp-tests
Having just enable-acvp-tests without enable-fips does not make
much sense as this just builds the test but it is skipped.
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16076)
commit f096691b91413363e8c45a0e093018d1c86de941
Author: Tomas Mraz <tomas at openssl.org>
Date: Wed Jul 14 15:49:31 2021 +0200
CI: have enable-acvp-tests in some CI build
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16076)
commit 033e987c03e025fa15eeae036578384e65f49af0
Author: Tomas Mraz <tomas at openssl.org>
Date: Wed Jul 14 15:41:22 2021 +0200
Signature algos: allow having identical digest in params
The flag_allow_md prevents setting a digest in params however
this is unnecessarily strict. If the digest is the same as the
one already set, we do not return an error.
Fixes #16071
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16076)
commit 59f66d8cf98a2c11404826bfecd7d6f210ddc048
Author: Tomas Mraz <tomas at openssl.org>
Date: Wed Jul 14 15:41:00 2021 +0200
acvp_test: Fix incorrect parenthesis
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16076)
-----------------------------------------------------------------------
Summary of changes:
.github/workflows/ci.yml | 2 +-
.github/workflows/run-checker-daily.yml | 1 -
providers/implementations/signature/dsa_sig.c | 16 +++++++++++----
providers/implementations/signature/ecdsa_sig.c | 27 +++++++++++++++++--------
providers/implementations/signature/rsa_sig.c | 17 +++++++++++-----
test/acvp_test.c | 4 ++--
6 files changed, 46 insertions(+), 21 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 5ff0750681..fa650e4d6c 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -215,7 +215,7 @@ jobs:
mkdir ./build
mkdir ./install
- name: config
- run: ../config --banner=Configured enable-fips --strict-warnings --prefix=$(cd ../install; pwd) && perl configdata.pm --dump
+ run: ../config --banner=Configured enable-fips enable-acvp-tests --strict-warnings --prefix=$(cd ../install; pwd) && perl configdata.pm --dump
working-directory: ./build
- name: make
run: make -s -j4
diff --git a/.github/workflows/run-checker-daily.yml b/.github/workflows/run-checker-daily.yml
index a85ad2cb71..c66241743a 100644
--- a/.github/workflows/run-checker-daily.yml
+++ b/.github/workflows/run-checker-daily.yml
@@ -11,7 +11,6 @@ jobs:
matrix:
opt: [
386,
- enable-acvp-tests,
no-afalgeng,
no-aria,
no-asan,
diff --git a/providers/implementations/signature/dsa_sig.c b/providers/implementations/signature/dsa_sig.c
index 138fbce5e9..2acab0b481 100644
--- a/providers/implementations/signature/dsa_sig.c
+++ b/providers/implementations/signature/dsa_sig.c
@@ -145,6 +145,17 @@ static int dsa_setup_md(PROV_DSA_CTX *ctx,
return 0;
}
+ if (!ctx->flag_allow_md) {
+ if (ctx->mdname[0] != '\0' && !EVP_MD_is_a(md, ctx->mdname)) {
+ ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED,
+ "digest %s != %s", mdname, ctx->mdname);
+ EVP_MD_free(md);
+ return 0;
+ }
+ EVP_MD_free(md);
+ return 1;
+ }
+
EVP_MD_CTX_free(ctx->mdctx);
EVP_MD_free(ctx->md);
@@ -260,13 +271,13 @@ static int dsa_digest_signverify_init(void *vpdsactx, const char *mdname,
if (!ossl_prov_is_running())
return 0;
- pdsactx->flag_allow_md = 0;
if (!dsa_signverify_init(vpdsactx, vdsa, params, operation))
return 0;
if (!dsa_setup_md(pdsactx, mdname, NULL))
return 0;
+ pdsactx->flag_allow_md = 0;
pdsactx->mdctx = EVP_MD_CTX_new();
if (pdsactx->mdctx == NULL)
goto error;
@@ -463,9 +474,6 @@ static int dsa_set_ctx_params(void *vpdsactx, const OSSL_PARAM params[])
return 1;
p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_DIGEST);
- /* Not allowed during certain operations */
- if (p != NULL && !pdsactx->flag_allow_md)
- return 0;
if (p != NULL) {
char mdname[OSSL_MAX_NAME_SIZE] = "", *pmdname = mdname;
char mdprops[OSSL_MAX_PROPQUERY_SIZE] = "", *pmdprops = mdprops;
diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c
index c32641f1eb..64be0657c3 100644
--- a/providers/implementations/signature/ecdsa_sig.c
+++ b/providers/implementations/signature/ecdsa_sig.c
@@ -234,6 +234,17 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx, const char *mdname,
return 0;
}
+ if (!ctx->flag_allow_md) {
+ if (ctx->mdname[0] != '\0' && !EVP_MD_is_a(md, ctx->mdname)) {
+ ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED,
+ "digest %s != %s", mdname, ctx->mdname);
+ EVP_MD_free(md);
+ return 0;
+ }
+ EVP_MD_free(md);
+ return 1;
+ }
+
EVP_MD_CTX_free(ctx->mdctx);
EVP_MD_free(ctx->md);
@@ -263,11 +274,11 @@ static int ecdsa_digest_signverify_init(void *vctx, const char *mdname,
if (!ossl_prov_is_running())
return 0;
- ctx->flag_allow_md = 0;
if (!ecdsa_signverify_init(vctx, ec, params, operation)
|| !ecdsa_setup_md(ctx, mdname, NULL))
return 0;
+ ctx->flag_allow_md = 0;
ctx->mdctx = EVP_MD_CTX_new();
if (ctx->mdctx == NULL)
goto error;
@@ -452,6 +463,7 @@ static int ecdsa_set_ctx_params(void *vctx, const OSSL_PARAM params[])
{
PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
const OSSL_PARAM *p;
+ size_t mdsize = 0;
if (ctx == NULL)
return 0;
@@ -465,9 +477,6 @@ static int ecdsa_set_ctx_params(void *vctx, const OSSL_PARAM params[])
#endif
p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_DIGEST);
- /* Not allowed during certain operations */
- if (p != NULL && !ctx->flag_allow_md)
- return 0;
if (p != NULL) {
char mdname[OSSL_MAX_NAME_SIZE] = "", *pmdname = mdname;
char mdprops[OSSL_MAX_PROPQUERY_SIZE] = "", *pmdprops = mdprops;
@@ -485,10 +494,12 @@ static int ecdsa_set_ctx_params(void *vctx, const OSSL_PARAM params[])
}
p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_DIGEST_SIZE);
- if (p != NULL
- && (!ctx->flag_allow_md
- || !OSSL_PARAM_get_size_t(p, &ctx->mdsize)))
- return 0;
+ if (p != NULL) {
+ if (!OSSL_PARAM_get_size_t(p, &mdsize)
+ || (!ctx->flag_allow_md && mdsize != ctx->mdsize))
+ return 0;
+ ctx->mdsize = mdsize;
+ }
return 1;
}
diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
index 30fd43e0e5..40a97c0165 100644
--- a/providers/implementations/signature/rsa_sig.c
+++ b/providers/implementations/signature/rsa_sig.c
@@ -305,6 +305,17 @@ static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname,
return 0;
}
+ if (!ctx->flag_allow_md) {
+ if (ctx->mdname[0] != '\0' && !EVP_MD_is_a(md, ctx->mdname)) {
+ ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED,
+ "digest %s != %s", mdname, ctx->mdname);
+ EVP_MD_free(md);
+ return 0;
+ }
+ EVP_MD_free(md);
+ return 1;
+ }
+
if (!ctx->mgf1_md_set) {
if (!EVP_MD_up_ref(md)) {
EVP_MD_free(md);
@@ -826,8 +837,6 @@ static int rsa_digest_signverify_init(void *vprsactx, const char *mdname,
if (!ossl_prov_is_running())
return 0;
- if (prsactx != NULL)
- prsactx->flag_allow_md = 0;
if (!rsa_signverify_init(vprsactx, vrsa, params, operation))
return 0;
if (mdname != NULL
@@ -836,6 +845,7 @@ static int rsa_digest_signverify_init(void *vprsactx, const char *mdname,
&& !rsa_setup_md(prsactx, mdname, prsactx->propq))
return 0;
+ prsactx->flag_allow_md = 0;
prsactx->mdctx = EVP_MD_CTX_new();
if (prsactx->mdctx == NULL) {
ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
@@ -1141,9 +1151,6 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
saltlen = prsactx->saltlen;
p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_DIGEST);
- /* Not allowed during certain operations */
- if (p != NULL && !prsactx->flag_allow_md)
- return 0;
if (p != NULL) {
const OSSL_PARAM *propsp =
OSSL_PARAM_locate_const(params,
diff --git a/test/acvp_test.c b/test/acvp_test.c
index 05a328a6ad..ce0ef66b8b 100644
--- a/test/acvp_test.c
+++ b/test/acvp_test.c
@@ -1227,10 +1227,10 @@ static int rsa_sigver_test(int id)
|| !TEST_ptr(md_ctx = EVP_MD_CTX_new())
|| !TEST_true(EVP_DigestVerifyInit_ex(md_ctx, &pkey_ctx,
tst->digest_alg, libctx, NULL,
- pkey, NULL)
+ pkey, NULL))
|| !TEST_true(EVP_PKEY_CTX_set_params(pkey_ctx, params))
|| !TEST_int_eq(EVP_DigestVerify(md_ctx, tst->sig, tst->sig_len,
- tst->msg, tst->msg_len), tst->pass)))
+ tst->msg, tst->msg_len), tst->pass))
goto err;
ret = 1;
err:
More information about the openssl-commits
mailing list