summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/evp/digest.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/libcrypto/evp/digest.c')
-rw-r--r--src/lib/libcrypto/evp/digest.c211
1 files changed, 137 insertions, 74 deletions
diff --git a/src/lib/libcrypto/evp/digest.c b/src/lib/libcrypto/evp/digest.c
index 982ba2b136..3bc2d1295c 100644
--- a/src/lib/libcrypto/evp/digest.c
+++ b/src/lib/libcrypto/evp/digest.c
@@ -116,6 +116,7 @@
116#ifndef OPENSSL_NO_ENGINE 116#ifndef OPENSSL_NO_ENGINE
117#include <openssl/engine.h> 117#include <openssl/engine.h>
118#endif 118#endif
119#include "evp_locl.h"
119 120
120void EVP_MD_CTX_init(EVP_MD_CTX *ctx) 121void EVP_MD_CTX_init(EVP_MD_CTX *ctx)
121 { 122 {
@@ -126,8 +127,7 @@ EVP_MD_CTX *EVP_MD_CTX_create(void)
126 { 127 {
127 EVP_MD_CTX *ctx=OPENSSL_malloc(sizeof *ctx); 128 EVP_MD_CTX *ctx=OPENSSL_malloc(sizeof *ctx);
128 129
129 if (ctx) 130 EVP_MD_CTX_init(ctx);
130 EVP_MD_CTX_init(ctx);
131 131
132 return ctx; 132 return ctx;
133 } 133 }
@@ -138,18 +138,77 @@ int EVP_DigestInit(EVP_MD_CTX *ctx, const EVP_MD *type)
138 return EVP_DigestInit_ex(ctx, type, NULL); 138 return EVP_DigestInit_ex(ctx, type, NULL);
139 } 139 }
140 140
141int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl) 141#ifdef OPENSSL_FIPS
142
143/* The purpose of these is to trap programs that attempt to use non FIPS
144 * algorithms in FIPS mode and ignore the errors.
145 */
146
147static int bad_init(EVP_MD_CTX *ctx)
148 { FIPS_ERROR_IGNORED("Digest init"); return 0;}
149
150static int bad_update(EVP_MD_CTX *ctx,const void *data,size_t count)
151 { FIPS_ERROR_IGNORED("Digest update"); return 0;}
152
153static int bad_final(EVP_MD_CTX *ctx,unsigned char *md)
154 { FIPS_ERROR_IGNORED("Digest Final"); return 0;}
155
156static const EVP_MD bad_md =
142 { 157 {
143 EVP_MD_CTX_clear_flags(ctx,EVP_MD_CTX_FLAG_CLEANED); 158 0,
159 0,
160 0,
161 0,
162 bad_init,
163 bad_update,
164 bad_final,
165 NULL,
166 NULL,
167 NULL,
168 0,
169 {0,0,0,0},
170 };
171
172#endif
173
144#ifndef OPENSSL_NO_ENGINE 174#ifndef OPENSSL_NO_ENGINE
145 /* Whether it's nice or not, "Inits" can be used on "Final"'d contexts 175
146 * so this context may already have an ENGINE! Try to avoid releasing 176#ifdef OPENSSL_FIPS
147 * the previous handle, re-querying for an ENGINE, and having a 177
148 * reinitialisation, when it may all be unecessary. */ 178static int do_engine_null(ENGINE *impl) { return 0;}
149 if (ctx->engine && ctx->digest && (!type || 179static int do_evp_md_engine_null(EVP_MD_CTX *ctx,
150 (type && (type->type == ctx->digest->type)))) 180 const EVP_MD **ptype, ENGINE *impl)
151 goto skip_to_init; 181 { return 1; }
152 if (type) 182
183static int (*do_engine_init)(ENGINE *impl)
184 = do_engine_null;
185
186static int (*do_engine_finish)(ENGINE *impl)
187 = do_engine_null;
188
189static int (*do_evp_md_engine)
190 (EVP_MD_CTX *ctx, const EVP_MD **ptype, ENGINE *impl)
191 = do_evp_md_engine_null;
192
193void int_EVP_MD_set_engine_callbacks(
194 int (*eng_md_init)(ENGINE *impl),
195 int (*eng_md_fin)(ENGINE *impl),
196 int (*eng_md_evp)
197 (EVP_MD_CTX *ctx, const EVP_MD **ptype, ENGINE *impl))
198 {
199 do_engine_init = eng_md_init;
200 do_engine_finish = eng_md_fin;
201 do_evp_md_engine = eng_md_evp;
202 }
203
204#else
205
206#define do_engine_init ENGINE_init
207#define do_engine_finish ENGINE_finish
208
209static int do_evp_md_engine(EVP_MD_CTX *ctx, const EVP_MD **ptype, ENGINE *impl)
210 {
211 if (*ptype)
153 { 212 {
154 /* Ensure an ENGINE left lying around from last time is cleared 213 /* Ensure an ENGINE left lying around from last time is cleared
155 * (the previous check attempted to avoid this if the same 214 * (the previous check attempted to avoid this if the same
@@ -160,26 +219,25 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
160 { 219 {
161 if (!ENGINE_init(impl)) 220 if (!ENGINE_init(impl))
162 { 221 {
163 EVPerr(EVP_F_EVP_DIGESTINIT_EX,EVP_R_INITIALIZATION_ERROR); 222 EVPerr(EVP_F_DO_EVP_MD_ENGINE,EVP_R_INITIALIZATION_ERROR);
164 return 0; 223 return 0;
165 } 224 }
166 } 225 }
167 else 226 else
168 /* Ask if an ENGINE is reserved for this job */ 227 /* Ask if an ENGINE is reserved for this job */
169 impl = ENGINE_get_digest_engine(type->type); 228 impl = ENGINE_get_digest_engine((*ptype)->type);
170 if(impl) 229 if(impl)
171 { 230 {
172 /* There's an ENGINE for this job ... (apparently) */ 231 /* There's an ENGINE for this job ... (apparently) */
173 const EVP_MD *d = ENGINE_get_digest(impl, type->type); 232 const EVP_MD *d = ENGINE_get_digest(impl, (*ptype)->type);
174 if(!d) 233 if(!d)
175 { 234 {
176 /* Same comment from evp_enc.c */ 235 /* Same comment from evp_enc.c */
177 EVPerr(EVP_F_EVP_DIGESTINIT_EX,EVP_R_INITIALIZATION_ERROR); 236 EVPerr(EVP_F_DO_EVP_MD_ENGINE,EVP_R_INITIALIZATION_ERROR);
178 ENGINE_finish(impl);
179 return 0; 237 return 0;
180 } 238 }
181 /* We'll use the ENGINE's private digest definition */ 239 /* We'll use the ENGINE's private digest definition */
182 type = d; 240 *ptype = d;
183 /* Store the ENGINE functional reference so we know 241 /* Store the ENGINE functional reference so we know
184 * 'type' came from an ENGINE and we need to release 242 * 'type' came from an ENGINE and we need to release
185 * it when done. */ 243 * it when done. */
@@ -191,46 +249,71 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
191 else 249 else
192 if(!ctx->digest) 250 if(!ctx->digest)
193 { 251 {
194 EVPerr(EVP_F_EVP_DIGESTINIT_EX,EVP_R_NO_DIGEST_SET); 252 EVPerr(EVP_F_DO_EVP_MD_ENGINE,EVP_R_NO_DIGEST_SET);
195 return 0; 253 return 0;
196 } 254 }
255 return 1;
256 }
257
258#endif
259
260#endif
261
262int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
263 {
264 M_EVP_MD_CTX_clear_flags(ctx,EVP_MD_CTX_FLAG_CLEANED);
265#ifdef OPENSSL_FIPS
266 if(FIPS_selftest_failed())
267 {
268 FIPSerr(FIPS_F_EVP_DIGESTINIT_EX,FIPS_R_FIPS_SELFTEST_FAILED);
269 ctx->digest = &bad_md;
270 return 0;
271 }
272#endif
273#ifndef OPENSSL_NO_ENGINE
274 /* Whether it's nice or not, "Inits" can be used on "Final"'d contexts
275 * so this context may already have an ENGINE! Try to avoid releasing
276 * the previous handle, re-querying for an ENGINE, and having a
277 * reinitialisation, when it may all be unecessary. */
278 if (ctx->engine && ctx->digest && (!type ||
279 (type && (type->type == ctx->digest->type))))
280 goto skip_to_init;
281 if (!do_evp_md_engine(ctx, &type, impl))
282 return 0;
197#endif 283#endif
198 if (ctx->digest != type) 284 if (ctx->digest != type)
199 { 285 {
200 if (ctx->digest && ctx->digest->ctx_size) 286#ifdef OPENSSL_FIPS
201 OPENSSL_free(ctx->md_data); 287 if (FIPS_mode())
202 ctx->digest=type;
203 if (!(ctx->flags & EVP_MD_CTX_FLAG_NO_INIT) && type->ctx_size)
204 { 288 {
205 ctx->update = type->update; 289 if (!(type->flags & EVP_MD_FLAG_FIPS)
206 ctx->md_data=OPENSSL_malloc(type->ctx_size); 290 && !(ctx->flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW))
207 if (ctx->md_data == NULL)
208 { 291 {
209 EVPerr(EVP_F_EVP_DIGESTINIT_EX, 292 EVPerr(EVP_F_EVP_DIGESTINIT_EX, EVP_R_DISABLED_FOR_FIPS);
210 ERR_R_MALLOC_FAILURE); 293 ctx->digest = &bad_md;
211 return 0; 294 return 0;
212 } 295 }
213 } 296 }
297#endif
298 if (ctx->digest && ctx->digest->ctx_size)
299 OPENSSL_free(ctx->md_data);
300 ctx->digest=type;
301 if (type->ctx_size)
302 ctx->md_data=OPENSSL_malloc(type->ctx_size);
214 } 303 }
215#ifndef OPENSSL_NO_ENGINE 304#ifndef OPENSSL_NO_ENGINE
216skip_to_init: 305 skip_to_init:
217#endif 306#endif
218 if (ctx->pctx)
219 {
220 int r;
221 r = EVP_PKEY_CTX_ctrl(ctx->pctx, -1, EVP_PKEY_OP_TYPE_SIG,
222 EVP_PKEY_CTRL_DIGESTINIT, 0, ctx);
223 if (r <= 0 && (r != -2))
224 return 0;
225 }
226 if (ctx->flags & EVP_MD_CTX_FLAG_NO_INIT)
227 return 1;
228 return ctx->digest->init(ctx); 307 return ctx->digest->init(ctx);
229 } 308 }
230 309
231int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *data, size_t count) 310int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *data,
311 size_t count)
232 { 312 {
233 return ctx->update(ctx,data,count); 313#ifdef OPENSSL_FIPS
314 FIPS_selftest_check();
315#endif
316 return ctx->digest->update(ctx,data,count);
234 } 317 }
235 318
236/* The caller can assume that this removes any secret data from the context */ 319/* The caller can assume that this removes any secret data from the context */
@@ -246,6 +329,9 @@ int EVP_DigestFinal(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size)
246int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size) 329int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size)
247 { 330 {
248 int ret; 331 int ret;
332#ifdef OPENSSL_FIPS
333 FIPS_selftest_check();
334#endif
249 335
250 OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE); 336 OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE);
251 ret=ctx->digest->final(ctx,md); 337 ret=ctx->digest->final(ctx,md);
@@ -254,7 +340,7 @@ int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size)
254 if (ctx->digest->cleanup) 340 if (ctx->digest->cleanup)
255 { 341 {
256 ctx->digest->cleanup(ctx); 342 ctx->digest->cleanup(ctx);
257 EVP_MD_CTX_set_flags(ctx,EVP_MD_CTX_FLAG_CLEANED); 343 M_EVP_MD_CTX_set_flags(ctx,EVP_MD_CTX_FLAG_CLEANED);
258 } 344 }
259 memset(ctx->md_data,0,ctx->digest->ctx_size); 345 memset(ctx->md_data,0,ctx->digest->ctx_size);
260 return ret; 346 return ret;
@@ -276,7 +362,7 @@ int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in)
276 } 362 }
277#ifndef OPENSSL_NO_ENGINE 363#ifndef OPENSSL_NO_ENGINE
278 /* Make sure it's safe to copy a digest context using an ENGINE */ 364 /* Make sure it's safe to copy a digest context using an ENGINE */
279 if (in->engine && !ENGINE_init(in->engine)) 365 if (in->engine && !do_engine_init(in->engine))
280 { 366 {
281 EVPerr(EVP_F_EVP_MD_CTX_COPY_EX,ERR_R_ENGINE_LIB); 367 EVPerr(EVP_F_EVP_MD_CTX_COPY_EX,ERR_R_ENGINE_LIB);
282 return 0; 368 return 0;
@@ -286,40 +372,19 @@ int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in)
286 if (out->digest == in->digest) 372 if (out->digest == in->digest)
287 { 373 {
288 tmp_buf = out->md_data; 374 tmp_buf = out->md_data;
289 EVP_MD_CTX_set_flags(out,EVP_MD_CTX_FLAG_REUSE); 375 M_EVP_MD_CTX_set_flags(out,EVP_MD_CTX_FLAG_REUSE);
290 } 376 }
291 else tmp_buf = NULL; 377 else tmp_buf = NULL;
292 EVP_MD_CTX_cleanup(out); 378 EVP_MD_CTX_cleanup(out);
293 memcpy(out,in,sizeof *out); 379 memcpy(out,in,sizeof *out);
294 380
295 if (in->md_data && out->digest->ctx_size) 381 if (out->digest->ctx_size)
296 { 382 {
297 if (tmp_buf) 383 if (tmp_buf) out->md_data = tmp_buf;
298 out->md_data = tmp_buf; 384 else out->md_data=OPENSSL_malloc(out->digest->ctx_size);
299 else
300 {
301 out->md_data=OPENSSL_malloc(out->digest->ctx_size);
302 if (!out->md_data)
303 {
304 EVPerr(EVP_F_EVP_MD_CTX_COPY_EX,ERR_R_MALLOC_FAILURE);
305 return 0;
306 }
307 }
308 memcpy(out->md_data,in->md_data,out->digest->ctx_size); 385 memcpy(out->md_data,in->md_data,out->digest->ctx_size);
309 } 386 }
310 387
311 out->update = in->update;
312
313 if (in->pctx)
314 {
315 out->pctx = EVP_PKEY_CTX_dup(in->pctx);
316 if (!out->pctx)
317 {
318 EVP_MD_CTX_cleanup(out);
319 return 0;
320 }
321 }
322
323 if (out->digest->copy) 388 if (out->digest->copy)
324 return out->digest->copy(out,in); 389 return out->digest->copy(out,in);
325 390
@@ -333,7 +398,7 @@ int EVP_Digest(const void *data, size_t count,
333 int ret; 398 int ret;
334 399
335 EVP_MD_CTX_init(&ctx); 400 EVP_MD_CTX_init(&ctx);
336 EVP_MD_CTX_set_flags(&ctx,EVP_MD_CTX_FLAG_ONESHOT); 401 M_EVP_MD_CTX_set_flags(&ctx,EVP_MD_CTX_FLAG_ONESHOT);
337 ret=EVP_DigestInit_ex(&ctx, type, impl) 402 ret=EVP_DigestInit_ex(&ctx, type, impl)
338 && EVP_DigestUpdate(&ctx, data, count) 403 && EVP_DigestUpdate(&ctx, data, count)
339 && EVP_DigestFinal_ex(&ctx, md, size); 404 && EVP_DigestFinal_ex(&ctx, md, size);
@@ -355,21 +420,19 @@ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx)
355 * because sometimes only copies of the context are ever finalised. 420 * because sometimes only copies of the context are ever finalised.
356 */ 421 */
357 if (ctx->digest && ctx->digest->cleanup 422 if (ctx->digest && ctx->digest->cleanup
358 && !EVP_MD_CTX_test_flags(ctx,EVP_MD_CTX_FLAG_CLEANED)) 423 && !M_EVP_MD_CTX_test_flags(ctx,EVP_MD_CTX_FLAG_CLEANED))
359 ctx->digest->cleanup(ctx); 424 ctx->digest->cleanup(ctx);
360 if (ctx->digest && ctx->digest->ctx_size && ctx->md_data 425 if (ctx->digest && ctx->digest->ctx_size && ctx->md_data
361 && !EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_REUSE)) 426 && !M_EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_REUSE))
362 { 427 {
363 OPENSSL_cleanse(ctx->md_data,ctx->digest->ctx_size); 428 OPENSSL_cleanse(ctx->md_data,ctx->digest->ctx_size);
364 OPENSSL_free(ctx->md_data); 429 OPENSSL_free(ctx->md_data);
365 } 430 }
366 if (ctx->pctx)
367 EVP_PKEY_CTX_free(ctx->pctx);
368#ifndef OPENSSL_NO_ENGINE 431#ifndef OPENSSL_NO_ENGINE
369 if(ctx->engine) 432 if(ctx->engine)
370 /* The EVP_MD we used belongs to an ENGINE, release the 433 /* The EVP_MD we used belongs to an ENGINE, release the
371 * functional reference we held for this reason. */ 434 * functional reference we held for this reason. */
372 ENGINE_finish(ctx->engine); 435 do_engine_finish(ctx->engine);
373#endif 436#endif
374 memset(ctx,'\0',sizeof *ctx); 437 memset(ctx,'\0',sizeof *ctx);
375 438