[openssl] master update
tomas at openssl.org
tomas at openssl.org
Wed Sep 15 12:08:07 UTC 2021
The branch master has been updated
via e59bfbaa2dbd680f77e1121e382502bd522a466c (commit)
from 1ed3249f253e4490a813279e2eb253c8e5cfaabb (commit)
- Log -----------------------------------------------------------------
commit e59bfbaa2dbd680f77e1121e382502bd522a466c
Author: Tomas Mraz <tomas at openssl.org>
Date: Tue Sep 14 09:34:32 2021 +0200
providers: Do not use global EVP_CIPHERs and EVP_MDs
Reviewed-by: Matt Caswell <matt at openssl.org>
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16600)
-----------------------------------------------------------------------
Summary of changes:
providers/common/provider_util.c | 21 +++++++++++++++++----
test/evp_kdf_test.c | 13 +++++++++----
2 files changed, 26 insertions(+), 8 deletions(-)
diff --git a/providers/common/provider_util.c b/providers/common/provider_util.c
index 662175c2f3..fcfbab632d 100644
--- a/providers/common/provider_util.c
+++ b/providers/common/provider_util.c
@@ -16,6 +16,7 @@
#include <openssl/proverr.h>
#ifndef FIPS_MODULE
# include <openssl/engine.h>
+# include "crypto/evp.h"
#endif
#include "prov/provider_util.h"
#include "internal/nelem.h"
@@ -90,8 +91,14 @@ int ossl_prov_cipher_load_from_params(PROV_CIPHER *pc,
ERR_set_mark();
pc->cipher = pc->alloc_cipher = EVP_CIPHER_fetch(ctx, p->data, propquery);
#ifndef FIPS_MODULE /* Inside the FIPS module, we don't support legacy ciphers */
- if (pc->cipher == NULL)
- pc->cipher = EVP_get_cipherbyname(p->data);
+ if (pc->cipher == NULL) {
+ const EVP_CIPHER *cipher;
+
+ cipher = EVP_get_cipherbyname(p->data);
+ /* Do not use global EVP_CIPHERs */
+ if (cipher != NULL && cipher->origin != EVP_ORIG_GLOBAL)
+ pc->cipher = cipher;
+ }
#endif
if (pc->cipher != NULL)
ERR_pop_to_mark();
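Review bot: The added comment `/* Do not use global EVP_CIPHERs */` states the rule but not the reason, and the check is a deny-list: any origin other than EVP_ORIG_GLOBAL is still accepted from a by-name lookup that takes neither `ctx` nor `propquery`. I would record the intent in the comment, e.g. `/* Global (built-in legacy) EVP_CIPHERs bypass ctx/propquery; only accept method-created ones, e.g. from an engine */`. If that is the only intended case, consider the allow-list form `cipher->origin == EVP_ORIG_METH`. The same applies to the EVP_MD fallback in ossl_prov_digest_load_from_params. Both function bodies continue outside their hunks, so how a rejected name is reported to the caller is not visible here.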
@@ -159,8 +166,14 @@ int ossl_prov_digest_load_from_params(PROV_DIGEST *pd,
ERR_set_mark();
ossl_prov_digest_fetch(pd, ctx, p->data, propquery);
#ifndef FIPS_MODULE /* Inside the FIPS module, we don't support legacy digests */
- if (pd->md == NULL)
- pd->md = EVP_get_digestbyname(p->data);
+ if (pd->md == NULL) {
+ const EVP_MD *md;
+
+ md = EVP_get_digestbyname(p->data);
+ /* Do not use global EVP_MDs */
+ if (md != NULL && md->origin != EVP_ORIG_GLOBAL)
+ pd->md = md;
+ }
#endif
if (pd->md != NULL)
ERR_pop_to_mark();
diff --git a/test/evp_kdf_test.c b/test/evp_kdf_test.c
index 4b3df38b5f..145e64fbdb 100644
--- a/test/evp_kdf_test.c
+++ b/test/evp_kdf_test.c
@@ -502,7 +502,8 @@ static int test_kdf_pbkdf1(void)
unsigned int iterations = 4096;
OSSL_LIB_CTX *libctx = NULL;
OSSL_PARAM *params = NULL;
- OSSL_PROVIDER *prov = NULL;
+ OSSL_PROVIDER *legacyprov = NULL;
+ OSSL_PROVIDER *defprov = NULL;
const unsigned char expected[sizeof(out)] = {
0xfb, 0x83, 0x4d, 0x36, 0x6d, 0xbc, 0x53, 0x87, 0x35, 0x1b, 0x34, 0x75,
0x95, 0x88, 0x32, 0x4f, 0x3e, 0x82, 0x81, 0x01, 0x21, 0x93, 0x64, 0x00,
@@ -513,12 +514,15 @@ static int test_kdf_pbkdf1(void)
goto err;
/* PBKDF1 only available in the legacy provider */
- prov = OSSL_PROVIDER_load(libctx, "legacy");
- if (prov == NULL) {
+ legacyprov = OSSL_PROVIDER_load(libctx, "legacy");
+ if (legacyprov == NULL) {
OSSL_LIB_CTX_free(libctx);
return TEST_skip("PBKDF1 only available in legacy provider");
}
+ if (!TEST_ptr(defprov = OSSL_PROVIDER_load(libctx, "default")))
+ goto err;
+
params = construct_pbkdf1_params("passwordPASSWORDpassword", "sha256",
"saltSALTsaltSALTsaltSALTsaltSALTsalt",
&iterations);
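Review bot: Nothing in this test asserts the behaviour the commit introduces; it only loads "default" so the existing PBKDF1 case can still resolve "sha256". A negative case would pin the change down: with only the legacy provider loaded in `libctx`, configuring the KDF with "sha256" should now fail (presumably when the params are set or at derive time — those calls are outside this hunk). Without it, a later change that re-enables the global EVP_MD fallback would not be caught here. test_kdf_pbkdf1 starts and ends outside the hunk.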
@@ -534,7 +538,8 @@ static int test_kdf_pbkdf1(void)
err:
EVP_KDF_CTX_free(kctx);
OPENSSL_free(params);
- OSSL_PROVIDER_unload(prov);
+ OSSL_PROVIDER_unload(defprov);
+ OSSL_PROVIDER_unload(legacyprov);
OSSL_LIB_CTX_free(libctx);
return ret;
}