authorMatt Caswell <matt@openssl.org>2021-04-09 17:26:34 +0100
committerMatt Caswell <matt@openssl.org>2021-04-16 14:27:28 +0100
commit6ce58488bdce66584a7075e19821add29445d746 (patch)
treea5b5bde99d963808dabc07b430a48a140036d6e1 /providers/implementations/signature
parent81cc5ce1a0f996f88051f031bda1079961ee4a5c (diff)
Store some FIPS global variables in the FIPS_GLOBAL structure
We had some FIPS global variables that were based on values from the config file. In theory if two instances of the fips module are loaded they could be based on different config files which would cause this to fail. Instead we store them in the FIPS_GLOBAL structure. Fixes #14364 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14814)
Diffstat (limited to 'providers/implementations/signature')
-rw-r--r--providers/implementations/signature/dsa.c6
-rw-r--r--providers/implementations/signature/ecdsa.c5
-rw-r--r--providers/implementations/signature/rsa.c7
3 files changed, 11 insertions, 7 deletions
diff --git a/providers/implementations/signature/dsa.c b/providers/implementations/signature/dsa.c
index 88a8102cff..dde689903d 100644
--- a/providers/implementations/signature/dsa.c
+++ b/providers/implementations/signature/dsa.c
@@ -127,7 +127,8 @@ static int dsa_setup_md(PROV_DSA_CTX *ctx,
int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
WPACKET pkt;
EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops);
- int md_nid = ossl_digest_get_approved_nid_with_sha1(md, sha1_allowed);
+ int md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md,
+ sha1_allowed);
size_t mdname_len = strlen(mdname);
if (md == NULL || md_nid == NID_undef) {
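Review bot: In dsa_setup_md the result of EVP_MD_fetch() is passed to `ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md, sha1_allowed)` before the `md == NULL` test that follows, so a failed fetch reaches the helper as a NULL pointer; the rsa_setup_md hunk has the same ordering with `ossl_digest_rsa_sign_get_md_nid`. Whether those helpers tolerate NULL is not visible in this diff, so I would either compute `md_nid` after the NULL check or, once confirmed, add a comment such as `/* md may be NULL here; the helper returns NID_undef and the check below rejects it */`. Because the approved-digest decision now depends on the library context argument, a short comment stating that `ctx->libctx` is expected to be the context of the provider instance that owns this signature context would document the assumption the fix relies on. The function begins and ends outside the hunk.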
@@ -188,7 +189,8 @@ static int dsa_signverify_init(void *vpdsactx, void *vdsa,
if (!dsa_set_ctx_params(pdsactx, params))
return 0;
- if (!ossl_dsa_check_key(vdsa, operation == EVP_PKEY_OP_SIGN)) {
+ if (!ossl_dsa_check_key(pdsactx->libctx, vdsa,
+ operation == EVP_PKEY_OP_SIGN)) {
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
return 0;
}
diff --git a/providers/implementations/signature/ecdsa.c b/providers/implementations/signature/ecdsa.c
index 4f90032af3..8c4648106f 100644
--- a/providers/implementations/signature/ecdsa.c
+++ b/providers/implementations/signature/ecdsa.c
@@ -140,7 +140,7 @@ static int ecdsa_signverify_init(void *vctx, void *ec,
ctx->operation = operation;
if (!ecdsa_set_ctx_params(ctx, params))
return 0;
- return ossl_ec_check_key(ec, operation == EVP_PKEY_OP_SIGN);
+ return ossl_ec_check_key(ctx->libctx, ec, operation == EVP_PKEY_OP_SIGN);
}
static int ecdsa_sign_init(void *vctx, void *ec, const OSSL_PARAM params[])
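Review bot: When `ossl_ec_check_key(ctx->libctx, ec, operation == EVP_PKEY_OP_SIGN)` rejects a key, ecdsa_signverify_init returns 0 with no ERR_raise in the visible lines, whereas dsa_signverify_init in this same commit raises `PROV_R_INVALID_KEY_LENGTH` after its check fails; the rsa_signverify_init hunk also returns 0 without raising. If the check helpers raise their own reason codes (not visible here), the DSA caller stacks a second reason that may not match the actual cause; if they do not, the ECDSA and RSA paths fail with an empty error queue, which makes a rejection by the security checks hard to diagnose. I would settle on one convention and record it at the call site, for example `/* ossl_ec_check_key() raises the error on failure */`. The start of the function is outside the hunk.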
@@ -225,7 +225,8 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx, const char *mdname,
return 0;
}
sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
- md_nid = ossl_digest_get_approved_nid_with_sha1(md, sha1_allowed);
+ md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md,
+ sha1_allowed);
if (md_nid == NID_undef) {
ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED,
"digest=%s", mdname);
diff --git a/providers/implementations/signature/rsa.c b/providers/implementations/signature/rsa.c
index 96366a9a6b..16025bffc0 100644
--- a/providers/implementations/signature/rsa.c
+++ b/providers/implementations/signature/rsa.c
@@ -284,7 +284,8 @@ static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname,
if (mdname != NULL) {
EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops);
int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
- int md_nid = ossl_digest_rsa_sign_get_md_nid(md, sha1_allowed);
+ int md_nid = ossl_digest_rsa_sign_get_md_nid(ctx->libctx, md,
+ sha1_allowed);
size_t mdname_len = strlen(mdname);
if (md == NULL
@@ -343,7 +344,7 @@ static int rsa_setup_mgf1_md(PROV_RSA_CTX *ctx, const char *mdname,
return 0;
}
/* The default for mgf1 is SHA1 - so allow SHA1 */
- if ((mdnid = ossl_digest_rsa_sign_get_md_nid(md, 1)) == NID_undef
+ if ((mdnid = ossl_digest_rsa_sign_get_md_nid(ctx->libctx, md, 1)) == NID_undef
|| !rsa_check_padding(ctx, NULL, mdname, mdnid)) {
if (mdnid == NID_undef)
ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED,
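Review bot: The rewritten condition `if ((mdnid = ossl_digest_rsa_sign_get_md_nid(ctx->libctx, md, 1)) == NID_undef` in rsa_setup_mgf1_md is already about 78 characters before any indentation (the page has dropped leading whitespace), so in the file it will exceed the 80-column limit that the other call sites in this commit were wrapped to respect. Pulling the assignment out of the condition fixes the length and reads more clearly: `mdnid = ossl_digest_rsa_sign_get_md_nid(ctx->libctx, md, 1);` followed by `if (mdnid == NID_undef` and the existing `|| !rsa_check_padding(ctx, NULL, mdname, mdnid)) {` line. The literal `1` is explained by the comment above it, so no further documentation is needed there. The function body continues outside the hunk.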
@@ -377,7 +378,7 @@ static int rsa_signverify_init(void *vprsactx, void *vrsa,
if (prsactx == NULL || vrsa == NULL)
return 0;
- if (!ossl_rsa_check_key(vrsa, operation))
+ if (!ossl_rsa_check_key(prsactx->libctx, vrsa, operation))
return 0;
if (!RSA_up_ref(vrsa))