[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
Dr. Stephen Henson
steve at openssl.org
Thu Oct 12 00:05:00 UTC 2017
The branch OpenSSL_1_1_0-stable has been updated
via aa09c24325b621981f1eab6986dbcbb81c81e065 (commit)
via b30d184aaeab32e9a472429857d6fd262005229e (commit)
via aa4c32ebefacdad250b192b5ebd7560f4015f641 (commit)
via f042e93d82a71c6d996eb765263cda5199a67084 (commit)
via a5d0541b1b07e2be305dadb0d01226ea58ff2994 (commit)
from 0cf65a0f5fdd72b950887e717f1f20d66ba30942 (commit)
- Log -----------------------------------------------------------------
commit aa09c24325b621981f1eab6986dbcbb81c81e065
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Tue Oct 10 13:42:24 2017 +0100
Document EVP_PKEY_set1_engine()
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4503)
(cherry picked from commit 8e826a339f8cda20a4311fa88a1de782972cf40d)
commit b30d184aaeab32e9a472429857d6fd262005229e
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Thu Oct 12 00:11:21 2017 +0100
make update
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4503)
commit aa4c32ebefacdad250b192b5ebd7560f4015f641
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Mon Oct 9 15:21:11 2017 +0100
Add EVP_PKEY_set1_engine() function.
Add an ENGINE to EVP_PKEY structure which can be used for cryptographic
operations: this will typically be used by an HSM key to redirect calls
to a custom EVP_PKEY_METHOD.
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4503)
(cherry picked from commit d19b01ad79f9e2aac5c87496b5ca5f80016daeb7)
commit f042e93d82a71c6d996eb765263cda5199a67084
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Mon Oct 9 23:24:26 2017 +0100
Fix memory leak on lookup failure
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4503)
(cherry picked from commit 918a27facd3558444c69b1edbedb49478e82dff5)
commit a5d0541b1b07e2be305dadb0d01226ea58ff2994
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Mon Oct 9 14:37:21 2017 +0100
Don't ignore passed ENGINE.
If we are passed an ENGINE to use in int_ctx_new e.g. via EVP_PKEY_CTX_new()
use it instead of the default.
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4503)
(cherry picked from commit c2976edf4b22691d8bebb0e3ca2db18b3d0c71c6)
-----------------------------------------------------------------------
Summary of changes:
crypto/evp/evp_err.c | 3 ++-
crypto/evp/p_lib.c | 26 ++++++++++++++++++++++++--
crypto/evp/pmeth_lib.c | 10 +++++++---
crypto/include/internal/evp_int.h | 1 +
doc/crypto/EVP_PKEY_set1_RSA.pod | 19 +++++++++++++++----
include/openssl/evp.h | 4 ++++
util/libcrypto.num | 1 +
7 files changed, 54 insertions(+), 10 deletions(-)
diff --git a/crypto/evp/evp_err.c b/crypto/evp/evp_err.c
index e32a1c0..ab4b614 100644
--- a/crypto/evp/evp_err.c
+++ b/crypto/evp/evp_err.c
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -72,6 +72,7 @@ static ERR_STRING_DATA EVP_str_functs[] = {
{ERR_FUNC(EVP_F_EVP_PKEY_NEW), "EVP_PKEY_new"},
{ERR_FUNC(EVP_F_EVP_PKEY_PARAMGEN), "EVP_PKEY_paramgen"},
{ERR_FUNC(EVP_F_EVP_PKEY_PARAMGEN_INIT), "EVP_PKEY_paramgen_init"},
+ {ERR_FUNC(EVP_F_EVP_PKEY_SET1_ENGINE), "EVP_PKEY_set1_engine"},
{ERR_FUNC(EVP_F_EVP_PKEY_SIGN), "EVP_PKEY_sign"},
{ERR_FUNC(EVP_F_EVP_PKEY_SIGN_INIT), "EVP_PKEY_sign_init"},
{ERR_FUNC(EVP_F_EVP_PKEY_VERIFY), "EVP_PKEY_verify"},
diff --git a/crypto/evp/p_lib.c b/crypto/evp/p_lib.c
index 9828620..d7372aa 100644
--- a/crypto/evp/p_lib.c
+++ b/crypto/evp/p_lib.c
@@ -187,9 +187,11 @@ static int pkey_set_type(EVP_PKEY *pkey, int type, const char *str, int len)
if ((type == pkey->save_type) && pkey->ameth)
return 1;
#ifndef OPENSSL_NO_ENGINE
- /* If we have an ENGINE release it */
+ /* If we have ENGINEs release them */
ENGINE_finish(pkey->engine);
pkey->engine = NULL;
+ ENGINE_finish(pkey->pmeth_engine);
+ pkey->pmeth_engine = NULL;
#endif
}
if (str)
@@ -223,7 +225,25 @@ int EVP_PKEY_set_type_str(EVP_PKEY *pkey, const char *str, int len)
{
return pkey_set_type(pkey, EVP_PKEY_NONE, str, len);
}
-
+#ifndef OPENSSL_NO_ENGINE
+int EVP_PKEY_set1_engine(EVP_PKEY *pkey, ENGINE *e)
+{
+ if (e != NULL) {
+ if (!ENGINE_init(e)) {
+ EVPerr(EVP_F_EVP_PKEY_SET1_ENGINE, ERR_R_ENGINE_LIB);
+ return 0;
+ }
+ if (ENGINE_get_pkey_meth(e, pkey->type) == NULL) {
+ ENGINE_finish(e);
+ EVPerr(EVP_F_EVP_PKEY_SET1_ENGINE, EVP_R_UNSUPPORTED_ALGORITHM);
+ return 0;
+ }
+ }
+ ENGINE_finish(pkey->pmeth_engine);
+ pkey->pmeth_engine = e;
+ return 1;
+}
+#endif
int EVP_PKEY_assign(EVP_PKEY *pkey, int type, void *key)
{
if (pkey == NULL || !EVP_PKEY_set_type(pkey, type))
@@ -413,6 +433,8 @@ static void EVP_PKEY_free_it(EVP_PKEY *x)
#ifndef OPENSSL_NO_ENGINE
ENGINE_finish(x->engine);
x->engine = NULL;
+ ENGINE_finish(x->pmeth_engine);
+ x->pmeth_engine = NULL;
#endif
}
diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c
index b7f06be..5e650a9 100644
--- a/crypto/evp/pmeth_lib.c
+++ b/crypto/evp/pmeth_lib.c
@@ -89,16 +89,17 @@ static EVP_PKEY_CTX *int_ctx_new(EVP_PKEY *pkey, ENGINE *e, int id)
id = pkey->ameth->pkey_id;
}
#ifndef OPENSSL_NO_ENGINE
- if (pkey && pkey->engine)
- e = pkey->engine;
+ if (e == NULL && pkey != NULL)
+ e = pkey->pmeth_engine != NULL ? pkey->pmeth_engine : pkey->engine;
/* Try to find an ENGINE which implements this method */
if (e) {
if (!ENGINE_init(e)) {
EVPerr(EVP_F_INT_CTX_NEW, ERR_R_ENGINE_LIB);
return NULL;
}
- } else
+ } else {
e = ENGINE_get_pkey_meth_engine(id);
+ }
/*
* If an ENGINE handled this method look it up. Otherwise use internal
@@ -112,6 +113,9 @@ static EVP_PKEY_CTX *int_ctx_new(EVP_PKEY *pkey, ENGINE *e, int id)
pmeth = EVP_PKEY_meth_find(id);
if (pmeth == NULL) {
+#ifndef OPENSSL_NO_ENGINE
+ ENGINE_finish(e);
+#endif
EVPerr(EVP_F_INT_CTX_NEW, EVP_R_UNSUPPORTED_ALGORITHM);
return NULL;
}
diff --git a/crypto/include/internal/evp_int.h b/crypto/include/internal/evp_int.h
index c9ef582..6cc2f92 100644
--- a/crypto/include/internal/evp_int.h
+++ b/crypto/include/internal/evp_int.h
@@ -356,6 +356,7 @@ struct evp_pkey_st {
int references;
const EVP_PKEY_ASN1_METHOD *ameth;
ENGINE *engine;
+ ENGINE *pmeth_engine; /* If not NULL public key ENGINE to use */
union {
void *ptr;
# ifndef OPENSSL_NO_RSA
diff --git a/doc/crypto/EVP_PKEY_set1_RSA.pod b/doc/crypto/EVP_PKEY_set1_RSA.pod
index e1b7110..884cf91 100644
--- a/doc/crypto/EVP_PKEY_set1_RSA.pod
+++ b/doc/crypto/EVP_PKEY_set1_RSA.pod
@@ -5,10 +5,9 @@
EVP_PKEY_set1_RSA, EVP_PKEY_set1_DSA, EVP_PKEY_set1_DH, EVP_PKEY_set1_EC_KEY,
EVP_PKEY_get1_RSA, EVP_PKEY_get1_DSA, EVP_PKEY_get1_DH, EVP_PKEY_get1_EC_KEY,
EVP_PKEY_get0_RSA, EVP_PKEY_get0_DSA, EVP_PKEY_get0_DH, EVP_PKEY_get0_EC_KEY,
-EVP_PKEY_assign_RSA, EVP_PKEY_assign_DSA, EVP_PKEY_assign_DH, EVP_PKEY_assign_EC_KEY,
-EVP_PKEY_get0_hmac,
-EVP_PKEY_type, EVP_PKEY_id, EVP_PKEY_base_id
-- EVP_PKEY assignment functions
+EVP_PKEY_assign_RSA, EVP_PKEY_assign_DSA, EVP_PKEY_assign_DH,
+EVP_PKEY_assign_EC_KEY, EVP_PKEY_get0_hmac, EVP_PKEY_type, EVP_PKEY_id,
+EVP_PKEY_base_id, EVP_PKEY_set1_engine - EVP_PKEY assignment functions
=head1 SYNOPSIS
@@ -39,6 +38,8 @@ EVP_PKEY_type, EVP_PKEY_id, EVP_PKEY_base_id
int EVP_PKEY_base_id(const EVP_PKEY *pkey);
int EVP_PKEY_type(int type);
+ int EVP_PKEY_set1_engine(EVP_PKEY *pkey, ENGINE *engine);
+
=head1 DESCRIPTION
EVP_PKEY_set1_RSA(), EVP_PKEY_set1_DSA(), EVP_PKEY_set1_DH() and
@@ -72,6 +73,11 @@ often seen in practice.
EVP_PKEY_type() returns the underlying type of the NID B<type>. For example
EVP_PKEY_type(EVP_PKEY_RSA2) will return B<EVP_PKEY_RSA>.
+EVP_PKEY_set1_engine() sets the ENGINE handling B<pkey> to B<engine>. It
+must be called after the key algorithm and components are set up.
+If B<engine> does not include an B<EVP_PKEY_METHOD> for B<pkey> an
+error occurs.
+
=head1 NOTES
In accordance with the OpenSSL naming convention the key obtained
@@ -89,6 +95,9 @@ Previous versions of this document suggested using EVP_PKEY_type(pkey->type)
to determine the type of a key. Since B<EVP_PKEY> is now opaque this
is no longer possible: the equivalent is EVP_PKEY_base_id(pkey).
+EVP_PKEY_set1_engine() is typically used by an ENGINE returning an HSM
+key as part of its routine to load a private key.
+
=head1 RETURN VALUES
EVP_PKEY_set1_RSA(), EVP_PKEY_set1_DSA(), EVP_PKEY_set1_DH() and
@@ -104,6 +113,8 @@ and EVP_PKEY_assign_EC_KEY() return 1 for success and 0 for failure.
EVP_PKEY_base_id(), EVP_PKEY_id() and EVP_PKEY_type() return a key
type or B<NID_undef> (equivalently B<EVP_PKEY_NONE>) on error.
+EVP_PKEY_set1_engine() returns 1 for success and 0 for failure.
+
=head1 SEE ALSO
L<EVP_PKEY_new(3)>
diff --git a/include/openssl/evp.h b/include/openssl/evp.h
index 01f51b7..41920fa 100644
--- a/include/openssl/evp.h
+++ b/include/openssl/evp.h
@@ -900,6 +900,9 @@ int EVP_PKEY_security_bits(const EVP_PKEY *pkey);
int EVP_PKEY_size(EVP_PKEY *pkey);
int EVP_PKEY_set_type(EVP_PKEY *pkey, int type);
int EVP_PKEY_set_type_str(EVP_PKEY *pkey, const char *str, int len);
+# ifndef OPENSSL_NO_ENGINE
+int EVP_PKEY_set1_engine(EVP_PKEY *pkey, ENGINE *e);
+# endif
int EVP_PKEY_assign(EVP_PKEY *pkey, int type, void *key);
void *EVP_PKEY_get0(const EVP_PKEY *pkey);
const unsigned char *EVP_PKEY_get0_hmac(const EVP_PKEY *pkey, size_t *len);
@@ -1505,6 +1508,7 @@ int ERR_load_EVP_strings(void);
# define EVP_F_EVP_PKEY_NEW 106
# define EVP_F_EVP_PKEY_PARAMGEN 148
# define EVP_F_EVP_PKEY_PARAMGEN_INIT 149
+# define EVP_F_EVP_PKEY_SET1_ENGINE 187
# define EVP_F_EVP_PKEY_SIGN 140
# define EVP_F_EVP_PKEY_SIGN_INIT 141
# define EVP_F_EVP_PKEY_VERIFY 142
diff --git a/util/libcrypto.num b/util/libcrypto.num
index fddb49b..a6d313f 100644
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@@ -4231,3 +4231,4 @@ UINT32_it 4214 1_1_0f EXIST:EXPORT_VAR_AS_FUNCTION
ZINT64_it 4215 1_1_0f EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
ZINT64_it 4215 1_1_0f EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
CRYPTO_secure_clear_free 4315 1_1_0g EXIST::FUNCTION:
+EVP_PKEY_set1_engine 4347 1_1_0g EXIST::FUNCTION:ENGINE
More information about the openssl-commits
mailing list