[openssl-commits] [openssl] master update
Dr. Stephen Henson
steve at openssl.org
Mon Dec 14 23:06:40 UTC 2015
The branch master has been updated
via 0c497e96c42c4b466676d495b0c9bd72e27f7bd8 (commit)
via 6745fcf62784005edd5532c009e789440b8d8964 (commit)
via c01ff880d47392b82cce2f93ac4a9bb8c68f8cc7 (commit)
via 2872dbe1c46eceb20c38bc55a5fe2a4c4c52fe9d (commit)
via 2986ecdc08016de978f1134315623778420b51e5 (commit)
from d911097d7c93e4cfeab624b34d73fe51da158b69 (commit)
- Log -----------------------------------------------------------------
commit 0c497e96c42c4b466676d495b0c9bd72e27f7bd8
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Mon Dec 14 18:10:16 2015 +0000
Update EVP_PKEY documentation.
Add EVP_PKEY_up_ref() documentation and fix various typos.
Reviewed-by: Viktor Dukhovni <viktor at openssl.org>
commit 6745fcf62784005edd5532c009e789440b8d8964
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Mon Dec 14 14:15:45 2015 +0000
make update
Reviewed-by: Viktor Dukhovni <viktor at openssl.org>
commit c01ff880d47392b82cce2f93ac4a9bb8c68f8cc7
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Mon Dec 14 13:13:32 2015 +0000
New function X509_get0_pubkey
Reviewed-by: Viktor Dukhovni <viktor at openssl.org>
commit 2872dbe1c46eceb20c38bc55a5fe2a4c4c52fe9d
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Sun Dec 13 17:57:01 2015 +0000
Add EVP_PKEY_get0_* functions.
Reviewed-by: Viktor Dukhovni <viktor at openssl.org>
commit 2986ecdc08016de978f1134315623778420b51e5
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Sun Dec 13 17:28:40 2015 +0000
Extend EVP_PKEY_copy_parameters()
Make EVP_PKEY_copy_parameters() work if the destination has no type
(e.g. if obtained from EVP_PKEY_new()) or the underlying key is NULL.
This is useful where we want to copy the parameters from an existing
key to a new key.
Reviewed-by: Viktor Dukhovni <viktor at openssl.org>
-----------------------------------------------------------------------
Summary of changes:
apps/ca.c | 6 ++--
apps/crl.c | 3 +-
apps/s_cb.c | 3 +-
apps/s_client.c | 3 +-
apps/x509.c | 9 ++----
crypto/asn1/x_pubkey.c | 23 +++++++++------
crypto/async/Makefile | 12 ++++----
crypto/dh/dh_ameth.c | 5 ++++
crypto/dsa/dsa_ameth.c | 6 ++++
crypto/ec/ec_ameth.c | 5 ++++
crypto/evp/evp_err.c | 10 +++----
crypto/evp/p_lib.c | 62 +++++++++++++++++++++++++++++++---------
crypto/x509/t_x509.c | 3 +-
crypto/x509/x509_cmp.c | 18 +++++++-----
crypto/x509/x509_err.c | 2 +-
crypto/x509/x509_vfy.c | 19 ++++--------
doc/crypto/EVP_PKEY_new.pod | 34 ++++++++++++----------
doc/crypto/EVP_PKEY_set1_RSA.pod | 12 ++++++++
doc/crypto/X509_get_pubkey.pod | 11 ++++---
include/openssl/evp.h | 15 ++++++----
include/openssl/x509.h | 4 ++-
util/libeay.num | 7 +++++
22 files changed, 174 insertions(+), 98 deletions(-)
diff --git a/apps/ca.c b/apps/ca.c
index 535526c..6404e48 100644
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -1402,12 +1402,11 @@ static int certify_cert(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
BIO_printf(bio_err, "Check that the request matches the signature\n");
- if ((pktmp = X509_get_pubkey(req)) == NULL) {
+ if ((pktmp = X509_get0_pubkey(req)) == NULL) {
BIO_printf(bio_err, "error unpacking public key\n");
goto end;
}
i = X509_verify(req, pktmp);
- EVP_PKEY_free(pktmp);
if (i < 0) {
ok = 0;
BIO_printf(bio_err, "Signature verification problems....\n");
@@ -1890,11 +1889,10 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
}
}
- pktmp = X509_get_pubkey(ret);
+ pktmp = X509_get0_pubkey(ret);
if (EVP_PKEY_missing_parameters(pktmp) &&
!EVP_PKEY_missing_parameters(pkey))
EVP_PKEY_copy_parameters(pktmp, pkey);
- EVP_PKEY_free(pktmp);
if (!do_X509_sign(ret, pkey, dgst, sigopts))
goto end;
diff --git a/apps/crl.c b/apps/crl.c
index b2a5d7f..3f64cdd 100644
--- a/apps/crl.c
+++ b/apps/crl.c
@@ -253,14 +253,13 @@ int crl_main(int argc, char **argv)
BIO_printf(bio_err, "Error getting CRL issuer certificate\n");
goto end;
}
- pkey = X509_get_pubkey(xobj.data.x509);
+ pkey = X509_get0_pubkey(xobj.data.x509);
X509_OBJECT_free_contents(&xobj);
if (!pkey) {
BIO_printf(bio_err, "Error getting CRL issuer public key\n");
goto end;
}
i = X509_CRL_verify(x, pkey);
- EVP_PKEY_free(pkey);
if (i < 0)
goto end;
if (i == 0)
diff --git a/apps/s_cb.c b/apps/s_cb.c
index 734d57f..7a4bf29 100644
--- a/apps/s_cb.c
+++ b/apps/s_cb.c
@@ -1402,13 +1402,12 @@ static int security_callback_debug(SSL *s, SSL_CTX *ctx,
int sig_nid = X509_get_signature_nid(other);
BIO_puts(sdb->out, OBJ_nid2sn(sig_nid));
} else {
- EVP_PKEY *pkey = X509_get_pubkey(other);
+ EVP_PKEY *pkey = X509_get0_pubkey(other);
const char *algname = "";
EVP_PKEY_asn1_get0_info(NULL, NULL, NULL, NULL,
&algname, EVP_PKEY_get0_asn1(pkey));
BIO_printf(sdb->out, "%s, bits=%d",
algname, EVP_PKEY_bits(pkey));
- EVP_PKEY_free(pkey);
}
break;
}
diff --git a/apps/s_client.c b/apps/s_client.c
index f93ae35..5aa1adc 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -2206,10 +2206,9 @@ static void print_stuff(BIO *bio, SSL *s, int full)
SSL_CIPHER_get_version(c), SSL_CIPHER_get_name(c));
if (peer != NULL) {
EVP_PKEY *pktmp;
- pktmp = X509_get_pubkey(peer);
+ pktmp = X509_get0_pubkey(peer);
BIO_printf(bio, "Server public key is %d bit\n",
EVP_PKEY_bits(pktmp));
- EVP_PKEY_free(pktmp);
}
BIO_printf(bio, "Secure Renegotiation IS%s supported\n",
SSL_get_secure_renegotiation_support(s) ? "" : " NOT");
diff --git a/apps/x509.c b/apps/x509.c
index 7155b33..1677ba5 100644
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -723,7 +723,7 @@ int x509_main(int argc, char **argv)
} else if (modulus == i) {
EVP_PKEY *pkey;
- pkey = X509_get_pubkey(x);
+ pkey = X509_get0_pubkey(x);
if (pkey == NULL) {
BIO_printf(bio_err, "Modulus=unavailable\n");
ERR_print_errors(bio_err);
@@ -742,18 +742,16 @@ int x509_main(int argc, char **argv)
#endif
BIO_printf(out, "Wrong Algorithm type");
BIO_printf(out, "\n");
- EVP_PKEY_free(pkey);
} else if (pubkey == i) {
EVP_PKEY *pkey;
- pkey = X509_get_pubkey(x);
+ pkey = X509_get0_pubkey(x);
if (pkey == NULL) {
BIO_printf(bio_err, "Error getting public key\n");
ERR_print_errors(bio_err);
goto end;
}
PEM_write_bio_PUBKEY(out, pkey);
- EVP_PKEY_free(pkey);
} else if (C == i) {
unsigned char *d;
char *m;
@@ -991,9 +989,8 @@ static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest,
X509_STORE_CTX xsc;
EVP_PKEY *upkey;
- upkey = X509_get_pubkey(xca);
+ upkey = X509_get0_pubkey(xca);
EVP_PKEY_copy_parameters(upkey, pkey);
- EVP_PKEY_free(upkey);
if (!X509_STORE_CTX_init(&xsc, ctx, x, NULL)) {
BIO_printf(bio_err, "Error initialising X509 store\n");
diff --git a/crypto/asn1/x_pubkey.c b/crypto/asn1/x_pubkey.c
index d200190..36a130d 100644
--- a/crypto/asn1/x_pubkey.c
+++ b/crypto/asn1/x_pubkey.c
@@ -121,38 +121,36 @@ int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey)
return 0;
}
-EVP_PKEY *X509_PUBKEY_get(X509_PUBKEY *key)
+EVP_PKEY *X509_PUBKEY_get0(X509_PUBKEY *key)
{
EVP_PKEY *ret = NULL;
if (key == NULL)
goto error;
- if (key->pkey != NULL) {
- CRYPTO_add(&key->pkey->references, 1, CRYPTO_LOCK_EVP_PKEY);
+ if (key->pkey != NULL)
return key->pkey;
- }
if (key->public_key == NULL)
goto error;
if ((ret = EVP_PKEY_new()) == NULL) {
- X509err(X509_F_X509_PUBKEY_GET, ERR_R_MALLOC_FAILURE);
+ X509err(X509_F_X509_PUBKEY_GET0, ERR_R_MALLOC_FAILURE);
goto error;
}
if (!EVP_PKEY_set_type(ret, OBJ_obj2nid(key->algor->algorithm))) {
- X509err(X509_F_X509_PUBKEY_GET, X509_R_UNSUPPORTED_ALGORITHM);
+ X509err(X509_F_X509_PUBKEY_GET0, X509_R_UNSUPPORTED_ALGORITHM);
goto error;
}
if (ret->ameth->pub_decode) {
if (!ret->ameth->pub_decode(ret, key)) {
- X509err(X509_F_X509_PUBKEY_GET, X509_R_PUBLIC_KEY_DECODE_ERROR);
+ X509err(X509_F_X509_PUBKEY_GET0, X509_R_PUBLIC_KEY_DECODE_ERROR);
goto error;
}
} else {
- X509err(X509_F_X509_PUBKEY_GET, X509_R_METHOD_NOT_SUPPORTED);
+ X509err(X509_F_X509_PUBKEY_GET0, X509_R_METHOD_NOT_SUPPORTED);
goto error;
}
@@ -166,7 +164,6 @@ EVP_PKEY *X509_PUBKEY_get(X509_PUBKEY *key)
key->pkey = ret;
CRYPTO_w_unlock(CRYPTO_LOCK_EVP_PKEY);
}
- CRYPTO_add(&ret->references, 1, CRYPTO_LOCK_EVP_PKEY);
return ret;
@@ -175,6 +172,14 @@ EVP_PKEY *X509_PUBKEY_get(X509_PUBKEY *key)
return (NULL);
}
+EVP_PKEY *X509_PUBKEY_get(X509_PUBKEY *key)
+{
+ EVP_PKEY *ret = X509_PUBKEY_get0(key);
+ if (ret != NULL)
+ EVP_PKEY_up_ref(ret);
+ return ret;
+}
+
/*
* Now two pseudo ASN1 routines that take an EVP_PKEY structure and encode or
* decode as X509_PUBKEY
diff --git a/crypto/async/Makefile b/crypto/async/Makefile
index 7b1dd56..44da77f 100644
--- a/crypto/async/Makefile
+++ b/crypto/async/Makefile
@@ -76,8 +76,8 @@ clean:
# DO NOT DELETE THIS LINE -- make depend depends on it.
-arch/async_null.o: ../../include/openssl/async.h ../../include/openssl/crypto.h
-arch/async_null.o: ../../include/openssl/e_os2.h
+arch/async_null.o: ../../e_os.h ../../include/openssl/async.h
+arch/async_null.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
arch/async_null.o: ../../include/openssl/opensslconf.h
arch/async_null.o: ../../include/openssl/opensslv.h
arch/async_null.o: ../../include/openssl/ossl_typ.h
@@ -86,7 +86,7 @@ arch/async_null.o: ../../include/openssl/stack.h
arch/async_null.o: ../../include/openssl/symhacks.h arch/../arch/async_null.h
arch/async_null.o: arch/../arch/async_posix.h arch/../arch/async_win.h
arch/async_null.o: arch/../async_locl.h arch/async_null.c
-arch/async_posix.o: ../../include/openssl/async.h
+arch/async_posix.o: ../../e_os.h ../../include/openssl/async.h
arch/async_posix.o: ../../include/openssl/crypto.h
arch/async_posix.o: ../../include/openssl/e_os2.h
arch/async_posix.o: ../../include/openssl/opensslconf.h
@@ -97,8 +97,8 @@ arch/async_posix.o: ../../include/openssl/stack.h
arch/async_posix.o: ../../include/openssl/symhacks.h arch/../arch/async_null.h
arch/async_posix.o: arch/../arch/async_posix.h arch/../arch/async_win.h
arch/async_posix.o: arch/../async_locl.h arch/async_posix.c
-arch/async_win.o: ../../include/openssl/async.h ../../include/openssl/crypto.h
-arch/async_win.o: ../../include/openssl/e_os2.h
+arch/async_win.o: ../../e_os.h ../../include/openssl/async.h
+arch/async_win.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
arch/async_win.o: ../../include/openssl/opensslconf.h
arch/async_win.o: ../../include/openssl/opensslv.h
arch/async_win.o: ../../include/openssl/ossl_typ.h
@@ -107,7 +107,7 @@ arch/async_win.o: ../../include/openssl/stack.h
arch/async_win.o: ../../include/openssl/symhacks.h arch/../arch/async_null.h
arch/async_win.o: arch/../arch/async_posix.h arch/../arch/async_win.h
arch/async_win.o: arch/../async_locl.h arch/async_win.c
-async.o: ../../include/openssl/async.h ../../include/openssl/bio.h
+async.o: ../../e_os.h ../../include/openssl/async.h ../../include/openssl/bio.h
async.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
async.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
async.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
diff --git a/crypto/dh/dh_ameth.c b/crypto/dh/dh_ameth.c
index 43cba87..7a3d923 100644
--- a/crypto/dh/dh_ameth.c
+++ b/crypto/dh/dh_ameth.c
@@ -507,6 +507,11 @@ DH *DHparams_dup(DH *dh)
static int dh_copy_parameters(EVP_PKEY *to, const EVP_PKEY *from)
{
+ if (to->pkey.dh == NULL) {
+ to->pkey.dh = DH_new();
+ if (to->pkey.dh == NULL)
+ return 0;
+ }
return int_dh_param_copy(to->pkey.dh, from->pkey.dh,
from->ameth == &dhx_asn1_meth);
}
diff --git a/crypto/dsa/dsa_ameth.c b/crypto/dsa/dsa_ameth.c
index d1d32c6..92976bc3 100644
--- a/crypto/dsa/dsa_ameth.c
+++ b/crypto/dsa/dsa_ameth.c
@@ -364,6 +364,12 @@ static int dsa_copy_parameters(EVP_PKEY *to, const EVP_PKEY *from)
{
BIGNUM *a;
+ if (to->pkey.dsa == NULL) {
+ to->pkey.dsa = DSA_new();
+ if (to->pkey.dsa == NULL)
+ return 0;
+ }
+
if ((a = BN_dup(from->pkey.dsa->p)) == NULL)
return 0;
BN_free(to->pkey.dsa->p);
diff --git a/crypto/ec/ec_ameth.c b/crypto/ec/ec_ameth.c
index 19932d5..fb07262 100644
--- a/crypto/ec/ec_ameth.c
+++ b/crypto/ec/ec_ameth.c
@@ -402,6 +402,11 @@ static int ec_copy_parameters(EVP_PKEY *to, const EVP_PKEY *from)
EC_GROUP *group = EC_GROUP_dup(EC_KEY_get0_group(from->pkey.ec));
if (group == NULL)
return 0;
+ if (to->pkey.ec == NULL) {
+ to->pkey.ec = EC_KEY_new();
+ if (to->pkey.ec == NULL)
+ return 0;
+ }
if (EC_KEY_set_group(to->pkey.ec, group) == 0)
return 0;
EC_GROUP_free(group);
diff --git a/crypto/evp/evp_err.c b/crypto/evp/evp_err.c
index 94e32b5..c008d2b 100644
--- a/crypto/evp/evp_err.c
+++ b/crypto/evp/evp_err.c
@@ -118,11 +118,11 @@ static ERR_STRING_DATA EVP_str_functs[] = {
{ERR_FUNC(EVP_F_EVP_PKEY_ENCRYPT), "EVP_PKEY_encrypt"},
{ERR_FUNC(EVP_F_EVP_PKEY_ENCRYPT_INIT), "EVP_PKEY_encrypt_init"},
{ERR_FUNC(EVP_F_EVP_PKEY_ENCRYPT_OLD), "EVP_PKEY_encrypt_old"},
- {ERR_FUNC(EVP_F_EVP_PKEY_GET1_DH), "EVP_PKEY_get1_DH"},
- {ERR_FUNC(EVP_F_EVP_PKEY_GET1_DSA), "EVP_PKEY_get1_DSA"},
- {ERR_FUNC(EVP_F_EVP_PKEY_GET1_ECDSA), "EVP_PKEY_GET1_ECDSA"},
- {ERR_FUNC(EVP_F_EVP_PKEY_GET1_EC_KEY), "EVP_PKEY_get1_EC_KEY"},
- {ERR_FUNC(EVP_F_EVP_PKEY_GET1_RSA), "EVP_PKEY_get1_RSA"},
+ {ERR_FUNC(EVP_F_EVP_PKEY_GET0_DH), "EVP_PKEY_get0_DH"},
+ {ERR_FUNC(EVP_F_EVP_PKEY_GET0_DSA), "EVP_PKEY_get0_DSA"},
+ {ERR_FUNC(EVP_F_EVP_PKEY_GET0_ECDSA), "EVP_PKEY_GET0_ECDSA"},
+ {ERR_FUNC(EVP_F_EVP_PKEY_GET0_EC_KEY), "EVP_PKEY_get0_EC_KEY"},
+ {ERR_FUNC(EVP_F_EVP_PKEY_GET0_RSA), "EVP_PKEY_get0_RSA"},
{ERR_FUNC(EVP_F_EVP_PKEY_KEYGEN), "EVP_PKEY_keygen"},
{ERR_FUNC(EVP_F_EVP_PKEY_KEYGEN_INIT), "EVP_PKEY_keygen_init"},
{ERR_FUNC(EVP_F_EVP_PKEY_NEW), "EVP_PKEY_new"},
diff --git a/crypto/evp/p_lib.c b/crypto/evp/p_lib.c
index f07d7e5..7d255af 100644
--- a/crypto/evp/p_lib.c
+++ b/crypto/evp/p_lib.c
@@ -129,7 +129,10 @@ int EVP_PKEY_save_parameters(EVP_PKEY *pkey, int mode)
int EVP_PKEY_copy_parameters(EVP_PKEY *to, const EVP_PKEY *from)
{
- if (to->type != from->type) {
+ if (to->type == EVP_PKEY_NONE) {
+ if (EVP_PKEY_set_type(to, from->type) == 0)
+ return 0;
+ } else if (to->type != from->type) {
EVPerr(EVP_F_EVP_PKEY_COPY_PARAMETERS, EVP_R_DIFFERENT_KEY_TYPES);
goto err;
}
@@ -201,6 +204,11 @@ EVP_PKEY *EVP_PKEY_new(void)
return (ret);
}
+void EVP_PKEY_up_ref(EVP_PKEY *pkey)
+{
+ CRYPTO_add(&pkey->references, 1, CRYPTO_LOCK_EVP_PKEY);
+}
+
/*
* Setup a public key ASN1 method and ENGINE from a NID or a string. If pkey
* is NULL just return 1 or 0 if the algorithm exists.
@@ -281,15 +289,22 @@ int EVP_PKEY_set1_RSA(EVP_PKEY *pkey, RSA *key)
return ret;
}
-RSA *EVP_PKEY_get1_RSA(EVP_PKEY *pkey)
+RSA *EVP_PKEY_get0_RSA(EVP_PKEY *pkey)
{
if (pkey->type != EVP_PKEY_RSA) {
- EVPerr(EVP_F_EVP_PKEY_GET1_RSA, EVP_R_EXPECTING_AN_RSA_KEY);
+ EVPerr(EVP_F_EVP_PKEY_GET0_RSA, EVP_R_EXPECTING_AN_RSA_KEY);
return NULL;
}
- RSA_up_ref(pkey->pkey.rsa);
return pkey->pkey.rsa;
}
+
+RSA *EVP_PKEY_get1_RSA(EVP_PKEY *pkey)
+{
+ RSA *ret = EVP_PKEY_get0_RSA(pkey);
+ if (ret != NULL)
+ RSA_up_ref(ret);
+ return ret;
+}
#endif
#ifndef OPENSSL_NO_DSA
@@ -301,15 +316,22 @@ int EVP_PKEY_set1_DSA(EVP_PKEY *pkey, DSA *key)
return ret;
}
-DSA *EVP_PKEY_get1_DSA(EVP_PKEY *pkey)
+DSA *EVP_PKEY_get0_DSA(EVP_PKEY *pkey)
{
if (pkey->type != EVP_PKEY_DSA) {
- EVPerr(EVP_F_EVP_PKEY_GET1_DSA, EVP_R_EXPECTING_A_DSA_KEY);
+ EVPerr(EVP_F_EVP_PKEY_GET0_DSA, EVP_R_EXPECTING_A_DSA_KEY);
return NULL;
}
- DSA_up_ref(pkey->pkey.dsa);
return pkey->pkey.dsa;
}
+
+DSA *EVP_PKEY_get1_DSA(EVP_PKEY *pkey)
+{
+ DSA *ret = EVP_PKEY_get0_DSA(pkey);
+ if (ret != NULL)
+ DSA_up_ref(ret);
+ return ret;
+}
#endif
#ifndef OPENSSL_NO_EC
@@ -322,15 +344,22 @@ int EVP_PKEY_set1_EC_KEY(EVP_PKEY *pkey, EC_KEY *key)
return ret;
}
-EC_KEY *EVP_PKEY_get1_EC_KEY(EVP_PKEY *pkey)
+EC_KEY *EVP_PKEY_get0_EC_KEY(EVP_PKEY *pkey)
{
if (pkey->type != EVP_PKEY_EC) {
- EVPerr(EVP_F_EVP_PKEY_GET1_EC_KEY, EVP_R_EXPECTING_A_EC_KEY);
+ EVPerr(EVP_F_EVP_PKEY_GET0_EC_KEY, EVP_R_EXPECTING_A_EC_KEY);
return NULL;
}
- EC_KEY_up_ref(pkey->pkey.ec);
return pkey->pkey.ec;
}
+
+EC_KEY *EVP_PKEY_get1_EC_KEY(EVP_PKEY *pkey)
+{
+ EC_KEY *ret = EVP_PKEY_get0_EC_KEY(pkey);
+ if (ret != NULL)
+ EC_KEY_up_ref(ret);
+ return ret;
+}
#endif
#ifndef OPENSSL_NO_DH
@@ -343,15 +372,22 @@ int EVP_PKEY_set1_DH(EVP_PKEY *pkey, DH *key)
return ret;
}
-DH *EVP_PKEY_get1_DH(EVP_PKEY *pkey)
+DH *EVP_PKEY_get0_DH(EVP_PKEY *pkey)
{
if (pkey->type != EVP_PKEY_DH && pkey->type != EVP_PKEY_DHX) {
- EVPerr(EVP_F_EVP_PKEY_GET1_DH, EVP_R_EXPECTING_A_DH_KEY);
+ EVPerr(EVP_F_EVP_PKEY_GET0_DH, EVP_R_EXPECTING_A_DH_KEY);
return NULL;
}
- DH_up_ref(pkey->pkey.dh);
return pkey->pkey.dh;
}
+
+DH *EVP_PKEY_get1_DH(EVP_PKEY *pkey)
+{
+ DH *ret = EVP_PKEY_get0_DH(pkey);
+ if (ret != NULL)
+ DH_up_ref(ret);
+ return ret;
+}
#endif
int EVP_PKEY_type(int type)
diff --git a/crypto/x509/t_x509.c b/crypto/x509/t_x509.c
index 3a29f40..204aed4 100644
--- a/crypto/x509/t_x509.c
+++ b/crypto/x509/t_x509.c
@@ -209,13 +209,12 @@ int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags,
if (BIO_puts(bp, "\n") <= 0)
goto err;
- pkey = X509_get_pubkey(x);
+ pkey = X509_get0_pubkey(x);
if (pkey == NULL) {
BIO_printf(bp, "%12sUnable to load Public Key\n", "");
ERR_print_errors(bp);
} else {
EVP_PKEY_print_public(bp, pkey, 16, NULL);
- EVP_PKEY_free(pkey);
}
}
diff --git a/crypto/x509/x509_cmp.c b/crypto/x509/x509_cmp.c
index 5c3ac6a..9d9ea4b 100644
--- a/crypto/x509/x509_cmp.c
+++ b/crypto/x509/x509_cmp.c
@@ -305,11 +305,18 @@ X509 *X509_find_by_subject(STACK_OF(X509) *sk, X509_NAME *name)
return (NULL);
}
+EVP_PKEY *X509_get0_pubkey(X509 *x)
+{
+ if (x == NULL)
+ return NULL;
+ return X509_PUBKEY_get0(x->cert_info.key);
+}
+
EVP_PKEY *X509_get_pubkey(X509 *x)
{
if (x == NULL)
- return (NULL);
- return (X509_PUBKEY_get(x->cert_info.key));
+ return NULL;
+ return X509_PUBKEY_get(x->cert_info.key);
}
ASN1_BIT_STRING *X509_get0_pubkey_bitstr(const X509 *x)
@@ -324,7 +331,7 @@ int X509_check_private_key(X509 *x, EVP_PKEY *k)
EVP_PKEY *xk;
int ret;
- xk = X509_get_pubkey(x);
+ xk = X509_get0_pubkey(x);
if (xk)
ret = EVP_PKEY_cmp(xk, k);
@@ -343,7 +350,6 @@ int X509_check_private_key(X509 *x, EVP_PKEY *k)
case -2:
X509err(X509_F_X509_CHECK_PRIVATE_KEY, X509_R_UNKNOWN_KEY_TYPE);
}
- EVP_PKEY_free(xk);
if (ret > 0)
return 1;
return 0;
@@ -411,7 +417,7 @@ int X509_chain_check_suiteb(int *perror_depth, X509 *x, STACK_OF(X509) *chain,
goto end;
}
- pk = X509_get_pubkey(x);
+ pk = X509_get0_pubkey(x);
/* Check EE key only */
rv = check_suite_b(pk, -1, &tflags);
if (rv != X509_V_OK) {
@@ -426,7 +432,6 @@ int X509_chain_check_suiteb(int *perror_depth, X509 *x, STACK_OF(X509) *chain,
rv = X509_V_ERR_SUITE_B_INVALID_VERSION;
goto end;
}
- EVP_PKEY_free(pk);
pk = X509_get_pubkey(x);
rv = check_suite_b(pk, sign_nid, &tflags);
if (rv != X509_V_OK)
@@ -436,7 +441,6 @@ int X509_chain_check_suiteb(int *perror_depth, X509 *x, STACK_OF(X509) *chain,
/* Final check: root CA signature */
rv = check_suite_b(pk, X509_get_signature_nid(x), &tflags);
end:
- EVP_PKEY_free(pk);
if (rv != X509_V_OK) {
/* Invalid signature or LOS errors are for previous cert */
if ((rv == X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM
diff --git a/crypto/x509/x509_err.c b/crypto/x509/x509_err.c
index a6fae61..25f90ea 100644
--- a/crypto/x509/x509_err.c
+++ b/crypto/x509/x509_err.c
@@ -109,7 +109,7 @@ static ERR_STRING_DATA X509_str_functs[] = {
{ERR_FUNC(X509_F_X509_NAME_ONELINE), "X509_NAME_oneline"},
{ERR_FUNC(X509_F_X509_NAME_PRINT), "X509_NAME_print"},
{ERR_FUNC(X509_F_X509_PRINT_EX_FP), "X509_print_ex_fp"},
- {ERR_FUNC(X509_F_X509_PUBKEY_GET), "X509_PUBKEY_get"},
+ {ERR_FUNC(X509_F_X509_PUBKEY_GET0), "X509_PUBKEY_get0"},
{ERR_FUNC(X509_F_X509_PUBKEY_SET), "X509_PUBKEY_set"},
{ERR_FUNC(X509_F_X509_REQ_CHECK_PRIVATE_KEY),
"X509_REQ_check_private_key"},
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 3156e04..3acb374 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -1559,7 +1559,7 @@ static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl)
}
/* Attempt to get issuer certificate public key */
- ikey = X509_get_pubkey(issuer);
+ ikey = X509_get0_pubkey(issuer);
if (!ikey) {
ctx->error = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
@@ -1588,7 +1588,6 @@ static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl)
ok = 1;
err:
- EVP_PKEY_free(ikey);
return ok;
}
@@ -1769,7 +1768,7 @@ static int internal_verify(X509_STORE_CTX *ctx)
if (!xs->valid
&& (xs != xi
|| (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE))) {
- if ((pkey = X509_get_pubkey(xi)) == NULL) {
+ if ((pkey = X509_get0_pubkey(xi)) == NULL) {
ctx->error = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
ctx->current_cert = xi;
ok = (*cb) (0, ctx);
@@ -1779,13 +1778,9 @@ static int internal_verify(X509_STORE_CTX *ctx)
ctx->error = X509_V_ERR_CERT_SIGNATURE_FAILURE;
ctx->current_cert = xs;
ok = (*cb) (0, ctx);
- if (!ok) {
- EVP_PKEY_free(pkey);
+ if (!ok)
goto end;
- }
}
- EVP_PKEY_free(pkey);
- pkey = NULL;
}
xs->valid = 1;
@@ -1973,7 +1968,7 @@ int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain)
return 1;
for (i = 0; i < sk_X509_num(chain); i++) {
- ktmp = X509_get_pubkey(sk_X509_value(chain, i));
+ ktmp = X509_get0_pubkey(sk_X509_value(chain, i));
if (ktmp == NULL) {
X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,
X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY);
@@ -1981,8 +1976,6 @@ int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain)
}
if (!EVP_PKEY_missing_parameters(ktmp))
break;
- EVP_PKEY_free(ktmp);
- ktmp = NULL;
}
if (ktmp == NULL) {
X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,
@@ -1992,14 +1985,12 @@ int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain)
/* first, populate the other certs */
for (j = i - 1; j >= 0; j--) {
- ktmp2 = X509_get_pubkey(sk_X509_value(chain, j));
+ ktmp2 = X509_get0_pubkey(sk_X509_value(chain, j));
EVP_PKEY_copy_parameters(ktmp2, ktmp);
- EVP_PKEY_free(ktmp2);
}
if (pkey != NULL)
EVP_PKEY_copy_parameters(pkey, ktmp);
- EVP_PKEY_free(ktmp);
return 1;
}
diff --git a/doc/crypto/EVP_PKEY_new.pod b/doc/crypto/EVP_PKEY_new.pod
index acdfd00..05ac087 100644
--- a/doc/crypto/EVP_PKEY_new.pod
+++ b/doc/crypto/EVP_PKEY_new.pod
@@ -2,40 +2,42 @@
=head1 NAME
-EVP_PKEY_new, EVP_PKEY_free - private key allocation functions.
+EVP_PKEY_new, EVP_PKEY_up_ref, EVP_PKEY_free - private key allocation functions.
=head1 SYNOPSIS
#include <openssl/evp.h>
EVP_PKEY *EVP_PKEY_new(void);
+ void EVP_PKEY_up_ref(EVP_PKEY *key);
void EVP_PKEY_free(EVP_PKEY *key);
=head1 DESCRIPTION
-The EVP_PKEY_new() function allocates an empty B<EVP_PKEY>
-structure which is used by OpenSSL to store private keys.
+The EVP_PKEY_new() function allocates an empty B<EVP_PKEY> structure which is
+used by OpenSSL to store private keys. The reference count is set to B<1>.
-EVP_PKEY_free() frees up the private key B<key>.
-If B<key> is NULL, nothing is done.
+EVP_PKEY_up_ref() increments the reference count of B<key>.
+
+EVP_PKEY_free() decrements the reference count of B<key> and, if the reference
+count is zero, frees it up. If B<key> is NULL, nothing is done.
=head1 NOTES
-The B<EVP_PKEY> structure is used by various OpenSSL functions
-which require a general private key without reference to any
-particular algorithm.
+The B<EVP_PKEY> structure is used by various OpenSSL functions which require a
+general private key without reference to any particular algorithm.
-The structure returned by EVP_PKEY_new() is empty. To add a
-private key to this empty structure the functions described in
-L<EVP_PKEY_set1_RSA(3)> should be used.
+The structure returned by EVP_PKEY_new() is empty. To add a private key to this
+empty structure the functions described in L<EVP_PKEY_set1_RSA(3)> should be
+used.
=head1 RETURN VALUES
-EVP_PKEY_new() returns either the newly allocated B<EVP_PKEY>
-structure of B<NULL> if an error occurred.
+EVP_PKEY_new() returns either the newly allocated B<EVP_PKEY> structure or
+B<NULL> if an error occurred.
-EVP_PKEY_free() does not return a value.
+EVP_PKEY_up_ref() and EVP_PKEY_free() do not return a value.
=head1 SEE ALSO
@@ -43,6 +45,8 @@ L<EVP_PKEY_set1_RSA(3)>
=head1 HISTORY
-TBA
+EVP_PKEY_new() and EVP_PKEY_free() exist in all versions of OpenSSL.
+
+EVP_PKEY_up_ref() was first added to OpenSSL 1.1.0.
=cut
diff --git a/doc/crypto/EVP_PKEY_set1_RSA.pod b/doc/crypto/EVP_PKEY_set1_RSA.pod
index bb164ed..09b43ba 100644
--- a/doc/crypto/EVP_PKEY_set1_RSA.pod
+++ b/doc/crypto/EVP_PKEY_set1_RSA.pod
@@ -4,6 +4,7 @@
EVP_PKEY_set1_RSA, EVP_PKEY_set1_DSA, EVP_PKEY_set1_DH, EVP_PKEY_set1_EC_KEY,
EVP_PKEY_get1_RSA, EVP_PKEY_get1_DSA, EVP_PKEY_get1_DH, EVP_PKEY_get1_EC_KEY,
+EVP_PKEY_get0_RSA, EVP_PKEY_get0_DSA, EVP_PKEY_get0_DH, EVP_PKEY_get0_EC_KEY,
EVP_PKEY_assign_RSA, EVP_PKEY_assign_DSA, EVP_PKEY_assign_DH, EVP_PKEY_assign_EC_KEY,
EVP_PKEY_type - EVP_PKEY assignment functions.
@@ -21,6 +22,11 @@ EVP_PKEY_type - EVP_PKEY assignment functions.
DH *EVP_PKEY_get1_DH(EVP_PKEY *pkey);
EC_KEY *EVP_PKEY_get1_EC_KEY(EVP_PKEY *pkey);
+ RSA *EVP_PKEY_get0_RSA(EVP_PKEY *pkey);
+ DSA *EVP_PKEY_get0_DSA(EVP_PKEY *pkey);
+ DH *EVP_PKEY_get0_DH(EVP_PKEY *pkey);
+ EC_KEY *EVP_PKEY_get0_EC_KEY(EVP_PKEY *pkey);
+
int EVP_PKEY_assign_RSA(EVP_PKEY *pkey,RSA *key);
int EVP_PKEY_assign_DSA(EVP_PKEY *pkey,DSA *key);
int EVP_PKEY_assign_DH(EVP_PKEY *pkey,DH *key);
@@ -37,6 +43,12 @@ EVP_PKEY_get1_RSA(), EVP_PKEY_get1_DSA(), EVP_PKEY_get1_DH() and
EVP_PKEY_get1_EC_KEY() return the referenced key in B<pkey> or
B<NULL> if the key is not of the correct type.
+EVP_PKEY_get0_RSA(), EVP_PKEY_get0_DSA(), EVP_PKEY_get0_DH() and
+EVP_PKEY_get0_EC_KEY() also return the referenced key in B<pkey> or
+B<NULL> if the key is not of the correct type but the reference
+count of the returned key is B<not> incremented and so must not
+be freed up after use.
+
EVP_PKEY_assign_RSA(), EVP_PKEY_assign_DSA(), EVP_PKEY_assign_DH()
and EVP_PKEY_assign_EC_KEY() also set the referenced key to B<key>
however these use the supplied B<key> internally and so B<key>
diff --git a/doc/crypto/X509_get_pubkey.pod b/doc/crypto/X509_get_pubkey.pod
index c59ce2a..2740f98 100644
--- a/doc/crypto/X509_get_pubkey.pod
+++ b/doc/crypto/X509_get_pubkey.pod
@@ -2,7 +2,7 @@
=head1 NAME
-X509_get_pubkey, X509_set_pubkey, X509_get_X509_PUBKEY,
+X509_get_pubkey, X509_get0_pubkey, X509_set_pubkey, X509_get_X509_PUBKEY,
X509_REQ_get_pubkey, X509_REQ_set_pubkey, X509_REQ_get_X509_PUBKEY - get or
set certificate or certificate request public key.
@@ -11,6 +11,7 @@ set certificate or certificate request public key.
#include <openssl/x509.h>
EVP_PKEY *X509_get_pubkey(X509 *x);
+ EVP_PKEY *X509_get0_pubkey(X509 *x);
int X509_set_pubkey(X509 *x, EVP_PKEY *pkey);
X509_PUBKEY *X509_get_X509_PUBKEY(X509 *x);
@@ -23,6 +24,8 @@ set certificate or certificate request public key.
X509_get_pubkey() attempts to decode the public key for certificate B<x>. If
successful it returns the public key as an B<EVP_PKEY> pointer with its
reference count incremented: this means the returned key must be freed up
+after use. X509_get0_pubkey() is similar except it does B<not> increment
+the reference count of the returned B<EVP_PKEY> so it must not be freed up
after use.
X509_get_X509_PUBKEY() returns an internal pointer to the B<X509_PUBKEY>
@@ -44,9 +47,9 @@ improve performance.
=head1 RETURN VALUES
-X509_get_pubkey(), X509_get_X509_PUBKEY(), X509_REQ_get_pubkey() and
-X509_REQ_get_X509_PUBKEY() return a public key or B<NULL> if an error
-occurred.
+X509_get_pubkey(), X509_get0_pubkey(), X509_get_X509_PUBKEY(),
+X509_REQ_get_pubkey() and X509_REQ_get_X509_PUBKEY() return a public key or
+B<NULL> if an error occurred.
X509_set_pubkey() and X509_REQ_set_pubkey() rerturn 1 for success and 0
for failure.
diff --git a/include/openssl/evp.h b/include/openssl/evp.h
index 40708f2..d93bb1e 100644
--- a/include/openssl/evp.h
+++ b/include/openssl/evp.h
@@ -966,25 +966,30 @@ void *EVP_PKEY_get0(EVP_PKEY *pkey);
# ifndef OPENSSL_NO_RSA
struct rsa_st;
int EVP_PKEY_set1_RSA(EVP_PKEY *pkey, struct rsa_st *key);
+struct rsa_st *EVP_PKEY_get0_RSA(EVP_PKEY *pkey);
struct rsa_st *EVP_PKEY_get1_RSA(EVP_PKEY *pkey);
# endif
# ifndef OPENSSL_NO_DSA
struct dsa_st;
int EVP_PKEY_set1_DSA(EVP_PKEY *pkey, struct dsa_st *key);
+struct dsa_st *EVP_PKEY_get0_DSA(EVP_PKEY *pkey);
struct dsa_st *EVP_PKEY_get1_DSA(EVP_PKEY *pkey);
# endif
# ifndef OPENSSL_NO_DH
struct dh_st;
int EVP_PKEY_set1_DH(EVP_PKEY *pkey, struct dh_st *key);
+struct dh_st *EVP_PKEY_get0_DH(EVP_PKEY *pkey);
struct dh_st *EVP_PKEY_get1_DH(EVP_PKEY *pkey);
# endif
# ifndef OPENSSL_NO_EC
struct ec_key_st;
int EVP_PKEY_set1_EC_KEY(EVP_PKEY *pkey, struct ec_key_st *key);
+struct ec_key_st *EVP_PKEY_get0_EC_KEY(EVP_PKEY *pkey);
struct ec_key_st *EVP_PKEY_get1_EC_KEY(EVP_PKEY *pkey);
# endif
EVP_PKEY *EVP_PKEY_new(void);
+void EVP_PKEY_up_ref(EVP_PKEY *pkey);
void EVP_PKEY_free(EVP_PKEY *pkey);
EVP_PKEY *d2i_PublicKey(int type, EVP_PKEY **a, const unsigned char **pp,
@@ -1543,11 +1548,11 @@ void ERR_load_EVP_strings(void);
# define EVP_F_EVP_PKEY_ENCRYPT 105
# define EVP_F_EVP_PKEY_ENCRYPT_INIT 139
# define EVP_F_EVP_PKEY_ENCRYPT_OLD 152
-# define EVP_F_EVP_PKEY_GET1_DH 119
-# define EVP_F_EVP_PKEY_GET1_DSA 120
-# define EVP_F_EVP_PKEY_GET1_ECDSA 130
-# define EVP_F_EVP_PKEY_GET1_EC_KEY 131
-# define EVP_F_EVP_PKEY_GET1_RSA 121
+# define EVP_F_EVP_PKEY_GET0_DH 119
+# define EVP_F_EVP_PKEY_GET0_DSA 120
+# define EVP_F_EVP_PKEY_GET0_ECDSA 130
+# define EVP_F_EVP_PKEY_GET0_EC_KEY 131
+# define EVP_F_EVP_PKEY_GET0_RSA 121
# define EVP_F_EVP_PKEY_KEYGEN 146
# define EVP_F_EVP_PKEY_KEYGEN_INIT 147
# define EVP_F_EVP_PKEY_NEW 106
diff --git a/include/openssl/x509.h b/include/openssl/x509.h
index d33bcec..167aae8 100644
--- a/include/openssl/x509.h
+++ b/include/openssl/x509.h
@@ -575,6 +575,7 @@ DECLARE_ASN1_FUNCTIONS(X509_VAL)
DECLARE_ASN1_FUNCTIONS(X509_PUBKEY)
int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey);
+EVP_PKEY *X509_PUBKEY_get0(X509_PUBKEY *key);
EVP_PKEY *X509_PUBKEY_get(X509_PUBKEY *key);
int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain);
int i2d_PUBKEY(EVP_PKEY *a, unsigned char **pp);
@@ -708,6 +709,7 @@ STACK_OF(X509_EXTENSION) *X509_get0_extensions(const X509 *x);
void X509_get0_uids(ASN1_BIT_STRING **piuid, ASN1_BIT_STRING **psuid, X509 *x);
X509_ALGOR *X509_get0_tbs_sigalg(X509 *x);
+EVP_PKEY *X509_get0_pubkey(X509 *x);
EVP_PKEY *X509_get_pubkey(X509 *x);
ASN1_BIT_STRING *X509_get0_pubkey_bitstr(const X509 *x);
int X509_certificate_type(X509 *x, EVP_PKEY *pubkey /* optional */ );
@@ -1097,7 +1099,7 @@ void ERR_load_X509_strings(void);
# define X509_F_X509_NAME_ONELINE 116
# define X509_F_X509_NAME_PRINT 117
# define X509_F_X509_PRINT_EX_FP 118
-# define X509_F_X509_PUBKEY_GET 119
+# define X509_F_X509_PUBKEY_GET0 119
# define X509_F_X509_PUBKEY_SET 120
# define X509_F_X509_REQ_CHECK_PRIVATE_KEY 144
# define X509_F_X509_REQ_PRINT_EX 121
diff --git a/util/libeay.num b/util/libeay.num
index 7e0ae75..fb94dc8 100755
--- a/util/libeay.num
+++ b/util/libeay.num
@@ -4732,3 +4732,10 @@ TLS_FEATURE_new 5094 EXIST::FUNCTION:
EVP_ENCODE_CTX_free 5095 EXIST::FUNCTION:
EVP_ENCODE_CTX_num 5096 EXIST::FUNCTION:
EVP_ENCODE_CTX_new 5097 EXIST::FUNCTION:
+EVP_PKEY_up_ref 5098 EXIST::FUNCTION:
+EVP_PKEY_get0_EC_KEY 5099 EXIST::FUNCTION:EC
+EVP_PKEY_get0_DSA 5100 EXIST::FUNCTION:DSA
+EVP_PKEY_get0_DH 5101 EXIST::FUNCTION:DH
+X509_get0_pubkey 5102 EXIST::FUNCTION:
+X509_PUBKEY_get0 5103 EXIST::FUNCTION:
+EVP_PKEY_get0_RSA 5104 EXIST::FUNCTION:RSA
More information about the openssl-commits
mailing list