[openssl] openssl-3.0 update
tomas at openssl.org
tomas at openssl.org
Fri Nov 12 15:42:00 UTC 2021
The branch openssl-3.0 has been updated
via 433c6cab4b4bc187f8120dc2ca0505f81d7b56e6 (commit)
from 2e11cb796e1b46159615625c1df34800a1ebae94 (commit)
- Log -----------------------------------------------------------------
commit 433c6cab4b4bc187f8120dc2ca0505f81d7b56e6
Author: Tomas Mraz <tomas at openssl.org>
Date: Thu Nov 4 15:38:51 2021 +0100
providers: Allow possible reinitialization in all signature algorithms
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16964)
(cherry picked from commit 3ffd23e9529d725903bc97fd45489a77b831876f)
-----------------------------------------------------------------------
Summary of changes:
providers/implementations/signature/dsa_sig.c | 40 ++++++++++++++--------
providers/implementations/signature/ecdsa_sig.c | 36 +++++++++++++------
providers/implementations/signature/eddsa_sig.c | 9 +++++
.../implementations/signature/mac_legacy_sig.c | 9 +++--
providers/implementations/signature/rsa_sig.c | 31 ++++++++++-------
providers/implementations/signature/sm2_sig.c | 33 +++++++++++++-----
6 files changed, 108 insertions(+), 50 deletions(-)
diff --git a/providers/implementations/signature/dsa_sig.c b/providers/implementations/signature/dsa_sig.c
index 2acab0b481..28fd7c498e 100644
--- a/providers/implementations/signature/dsa_sig.c
+++ b/providers/implementations/signature/dsa_sig.c
@@ -189,22 +189,31 @@ static int dsa_signverify_init(void *vpdsactx, void *vdsa,
PROV_DSA_CTX *pdsactx = (PROV_DSA_CTX *)vpdsactx;
if (!ossl_prov_is_running()
- || pdsactx == NULL
- || vdsa == NULL
- || !DSA_up_ref(vdsa))
+ || pdsactx == NULL)
return 0;
- DSA_free(pdsactx->dsa);
- pdsactx->dsa = vdsa;
+
+ if (vdsa == NULL && pdsactx->dsa == NULL) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_NO_KEY_SET);
+ return 0;
+ }
+
+ if (vdsa != NULL) {
+ if (!ossl_dsa_check_key(pdsactx->libctx, vdsa,
+ operation == EVP_PKEY_OP_SIGN)) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
+ return 0;
+ }
+ if (!DSA_up_ref(vdsa))
+ return 0;
+ DSA_free(pdsactx->dsa);
+ pdsactx->dsa = vdsa;
+ }
+
pdsactx->operation = operation;
if (!dsa_set_ctx_params(pdsactx, params))
return 0;
- if (!ossl_dsa_check_key(pdsactx->libctx, vdsa,
- operation == EVP_PKEY_OP_SIGN)) {
- ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
- return 0;
- }
return 1;
}
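Review bot: On a reinit with `vdsa == NULL` the retained `pdsactx->dsa` is not passed through `ossl_dsa_check_key()` again, although `pdsactx->operation` is overwritten immediately afterwards and the check takes `operation == EVP_PKEY_OP_SIGN` as an input. If a context first initialised for verification can be re-initialised for signing without a key, the signing-side check is skipped for that key; whether the EVP layer allows that sequence is not visible here. Consider an `else if (operation != pdsactx->operation && !ossl_dsa_check_key(pdsactx->libctx, pdsactx->dsa, operation == EVP_PKEY_OP_SIGN)) return 0;` branch on the `if (vdsa != NULL)` block, or a comment stating that a keyless reinit must keep the operation. The same pattern appears in the `ecdsa_signverify_init` and `rsa_signverify_init` hunks further down. The function's opening lines are outside this hunk.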
@@ -278,9 +287,12 @@ static int dsa_digest_signverify_init(void *vpdsactx, const char *mdname,
return 0;
pdsactx->flag_allow_md = 0;
- pdsactx->mdctx = EVP_MD_CTX_new();
- if (pdsactx->mdctx == NULL)
- goto error;
+
+ if (pdsactx->mdctx == NULL) {
+ pdsactx->mdctx = EVP_MD_CTX_new();
+ if (pdsactx->mdctx == NULL)
+ goto error;
+ }
if (!EVP_DigestInit_ex2(pdsactx->mdctx, pdsactx->md, params))
goto error;
@@ -289,9 +301,7 @@ static int dsa_digest_signverify_init(void *vpdsactx, const char *mdname,
error:
EVP_MD_CTX_free(pdsactx->mdctx);
- EVP_MD_free(pdsactx->md);
pdsactx->mdctx = NULL;
- pdsactx->md = NULL;
return 0;
}
diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c
index 64be0657c3..865d49d100 100644
--- a/providers/implementations/signature/ecdsa_sig.c
+++ b/providers/implementations/signature/ecdsa_sig.c
@@ -131,16 +131,29 @@ static int ecdsa_signverify_init(void *vctx, void *ec,
PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
if (!ossl_prov_is_running()
- || ctx == NULL
- || ec == NULL
- || !EC_KEY_up_ref(ec))
+ || ctx == NULL)
return 0;
- EC_KEY_free(ctx->ec);
- ctx->ec = ec;
+
+ if (ec == NULL && ctx->ec == NULL) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_NO_KEY_SET);
+ return 0;
+ }
+
+ if (ec != NULL) {
+ if (!ossl_ec_check_key(ctx->libctx, ec, operation == EVP_PKEY_OP_SIGN))
+ return 0;
+ if (!EC_KEY_up_ref(ec))
+ return 0;
+ EC_KEY_free(ctx->ec);
+ ctx->ec = ec;
+ }
+
ctx->operation = operation;
+
if (!ecdsa_set_ctx_params(ctx, params))
return 0;
- return ossl_ec_check_key(ctx->libctx, ec, operation == EVP_PKEY_OP_SIGN);
+
+ return 1;
}
static int ecdsa_sign_init(void *vctx, void *ec, const OSSL_PARAM params[])
@@ -279,18 +292,19 @@ static int ecdsa_digest_signverify_init(void *vctx, const char *mdname,
return 0;
ctx->flag_allow_md = 0;
- ctx->mdctx = EVP_MD_CTX_new();
- if (ctx->mdctx == NULL)
- goto error;
+
+ if (ctx->mdctx == NULL) {
+ ctx->mdctx = EVP_MD_CTX_new();
+ if (ctx->mdctx == NULL)
+ goto error;
+ }
if (!EVP_DigestInit_ex2(ctx->mdctx, ctx->md, params))
goto error;
return 1;
error:
EVP_MD_CTX_free(ctx->mdctx);
- EVP_MD_free(ctx->md);
ctx->mdctx = NULL;
- ctx->md = NULL;
return 0;
}
diff --git a/providers/implementations/signature/eddsa_sig.c b/providers/implementations/signature/eddsa_sig.c
index 148c143cc0..eb1a769128 100644
--- a/providers/implementations/signature/eddsa_sig.c
+++ b/providers/implementations/signature/eddsa_sig.c
@@ -100,6 +100,14 @@ static int eddsa_digest_signverify_init(void *vpeddsactx, const char *mdname,
return 0;
}
+ if (edkey == NULL) {
+ if (peddsactx->key != NULL)
+ /* there is nothing to do on reinit */
+ return 1;
+ ERR_raise(ERR_LIB_PROV, PROV_R_NO_KEY_SET);
+ return 0;
+ }
+
if (!ossl_ecx_key_up_ref(edkey)) {
ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);
return 0;
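Review bot: The inner `if (peddsactx->key != NULL)` in the added block has a comment between the condition and its unbraced `return 1;`, so the `ERR_raise` that follows reads as if it belonged to the same branch. Bracing it makes the two exits unambiguous: `if (peddsactx->key != NULL) { /* there is nothing to do on reinit */ return 1; }`. The function starts before and continues after this hunk.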
@@ -124,6 +132,7 @@ static int eddsa_digest_signverify_init(void *vpeddsactx, const char *mdname,
default:
/* Should never happen */
ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);
+ ossl_ecx_key_free(edkey);
return 0;
}
if (ret && WPACKET_finish(&pkt)) {
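Review bot: The added `ossl_ecx_key_free(edkey)` balances the earlier `ossl_ecx_key_up_ref(edkey)` on the default branch, but nothing visible releases a previously stored `peddsactx->key` when a second init supplies a new key. The assignment to `peddsactx->key` is outside this hunk, so this may already be handled; if it is not, each reinit with a key would leak one reference. Worth confirming that `ossl_ecx_key_free(peddsactx->key);` runs before the new key is stored.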
diff --git a/providers/implementations/signature/mac_legacy_sig.c b/providers/implementations/signature/mac_legacy_sig.c
index 0866e68d9b..6be605c8c6 100644
--- a/providers/implementations/signature/mac_legacy_sig.c
+++ b/providers/implementations/signature/mac_legacy_sig.c
@@ -16,6 +16,7 @@
#include <openssl/core_names.h>
#include <openssl/params.h>
#include <openssl/err.h>
+#include <openssl/proverr.h>
#ifndef FIPS_MODULE
# include <openssl/engine.h>
#endif
@@ -101,10 +102,14 @@ static int mac_digest_sign_init(void *vpmacctx, const char *mdname, void *vkey,
const char *ciphername = NULL, *engine = NULL;
if (!ossl_prov_is_running()
- || pmacctx == NULL
- || (pmacctx->key == NULL && vkey == NULL))
+ || pmacctx == NULL)
return 0;
+ if (pmacctx->key == NULL && vkey == NULL) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_NO_KEY_SET);
+ return 0;
+ }
+
if (vkey != NULL) {
if (!ossl_mac_key_up_ref(vkey))
return 0;
diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
index 298d789b74..7dcdf952a3 100644
--- a/providers/implementations/signature/rsa_sig.c
+++ b/providers/implementations/signature/rsa_sig.c
@@ -386,19 +386,24 @@ static int rsa_signverify_init(void *vprsactx, void *vrsa,
{
PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
- if (!ossl_prov_is_running())
+ if (!ossl_prov_is_running() || prsactx == NULL)
return 0;
- if (prsactx == NULL || vrsa == NULL)
+ if (vrsa == NULL && prsactx->rsa == NULL) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_NO_KEY_SET);
return 0;
+ }
- if (!ossl_rsa_check_key(prsactx->libctx, vrsa, operation))
- return 0;
+ if (vrsa != NULL) {
+ if (!ossl_rsa_check_key(prsactx->libctx, vrsa, operation))
+ return 0;
+
+ if (!RSA_up_ref(vrsa))
+ return 0;
+ RSA_free(prsactx->rsa);
+ prsactx->rsa = vrsa;
+ }
- if (!RSA_up_ref(vrsa))
- return 0;
- RSA_free(prsactx->rsa);
- prsactx->rsa = vrsa;
prsactx->operation = operation;
if (!rsa_set_ctx_params(prsactx, params))
@@ -842,6 +847,7 @@ static int rsa_digest_signverify_init(void *vprsactx, const char *mdname,
if (!rsa_signverify_init(vprsactx, vrsa, params, operation))
return 0;
+
if (mdname != NULL
/* was rsa_setup_md already called in rsa_signverify_init()? */
&& (mdname[0] == '\0' || strcasecmp(prsactx->mdname, mdname) != 0)
@@ -849,10 +855,11 @@ static int rsa_digest_signverify_init(void *vprsactx, const char *mdname,
return 0;
prsactx->flag_allow_md = 0;
- prsactx->mdctx = EVP_MD_CTX_new();
+
if (prsactx->mdctx == NULL) {
- ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
- goto error;
+ prsactx->mdctx = EVP_MD_CTX_new();
+ if (prsactx->mdctx == NULL)
+ goto error;
}
if (!EVP_DigestInit_ex2(prsactx->mdctx, prsactx->md, params))
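Review bot: The allocation-failure path for `prsactx->mdctx` no longer records an error, because the `ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);` line was dropped when the allocation moved inside the `if (prsactx->mdctx == NULL)` block. Unless `EVP_MD_CTX_new()` reports the failure itself, the caller now gets a bare 0 with an empty error queue. Keeping `ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);` before the `goto error;` would preserve the diagnostic. The DSA, ECDSA and SM2 variants of this block are silent in the same way. The function begins and ends outside this hunk.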
@@ -862,9 +869,7 @@ static int rsa_digest_signverify_init(void *vprsactx, const char *mdname,
error:
EVP_MD_CTX_free(prsactx->mdctx);
- EVP_MD_free(prsactx->md);
prsactx->mdctx = NULL;
- prsactx->md = NULL;
return 0;
}
diff --git a/providers/implementations/signature/sm2_sig.c b/providers/implementations/signature/sm2_sig.c
index 10a9496904..3c700ac887 100644
--- a/providers/implementations/signature/sm2_sig.c
+++ b/providers/implementations/signature/sm2_sig.c
@@ -27,6 +27,7 @@
#include "internal/cryptlib.h"
#include "internal/sm3.h"
#include "prov/implementations.h"
+#include "prov/providercommon.h"
#include "prov/provider_ctx.h"
#include "crypto/ec.h"
#include "crypto/sm2.h"
@@ -97,6 +98,9 @@ static int sm2sig_set_mdname(PROV_SM2_CTX *psm2ctx, const char *mdname)
if (psm2ctx->md == NULL)
return 0;
+ if (mdname == NULL)
+ return 1;
+
if (strlen(mdname) >= sizeof(psm2ctx->mdname)
|| !EVP_MD_is_a(psm2ctx->md, mdname)) {
ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, "digest=%s",
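Review bot: The new `if (mdname == NULL) return 1;` guard keeps `strlen(mdname)` from being reached with a null pointer, but its meaning for callers is undocumented. A one-line comment above it would help, for example `/* NULL mdname (reinit): keep the digest already set in the context */`. The function starts and ends outside this hunk.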
@@ -131,10 +135,22 @@ static int sm2sig_signature_init(void *vpsm2ctx, void *ec,
{
PROV_SM2_CTX *psm2ctx = (PROV_SM2_CTX *)vpsm2ctx;
- if (psm2ctx == NULL || ec == NULL || !EC_KEY_up_ref(ec))
+ if (!ossl_prov_is_running()
+ || psm2ctx == NULL)
+ return 0;
+
+ if (ec == NULL && psm2ctx->ec == NULL) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_NO_KEY_SET);
return 0;
- EC_KEY_free(psm2ctx->ec);
- psm2ctx->ec = ec;
+ }
+
+ if (ec != NULL) {
+ if (!EC_KEY_up_ref(ec))
+ return 0;
+ EC_KEY_free(psm2ctx->ec);
+ psm2ctx->ec = ec;
+ }
+
return sm2sig_set_ctx_params(psm2ctx, params);
}
@@ -197,10 +213,11 @@ static int sm2sig_digest_signverify_init(void *vpsm2ctx, const char *mdname,
|| !sm2sig_set_mdname(ctx, mdname))
return ret;
- EVP_MD_CTX_free(ctx->mdctx);
- ctx->mdctx = EVP_MD_CTX_new();
- if (ctx->mdctx == NULL)
- goto error;
+ if (ctx->mdctx == NULL) {
+ ctx->mdctx = EVP_MD_CTX_new();
+ if (ctx->mdctx == NULL)
+ goto error;
+ }
md_nid = EVP_MD_get_type(ctx->md);
@@ -228,8 +245,6 @@ static int sm2sig_digest_signverify_init(void *vpsm2ctx, const char *mdname,
ret = 1;
error:
- if (!ret)
- free_md(ctx);
return ret;
}
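Review bot: After this change a failed `sm2sig_digest_signverify_init` leaves `ctx->mdctx` in place, since the `error:` label now only returns `ret`. The DSA, ECDSA and RSA versions in this commit still free the digest context and set it to NULL on failure. On a reinit, a caller that ignores the failure could therefore keep updating a digest context left over from the previous operation instead of hitting a NULL context. Consider `if (!ret) { EVP_MD_CTX_free(ctx->mdctx); ctx->mdctx = NULL; }` at the label to match the siblings, or a comment explaining why SM2 differs. The start of the function is outside this hunk.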