[openssl-commits] [openssl] master update

Matt Caswell matt at openssl.org
Fri May 18 09:20:07 UTC 2018 

The branch master has been updated
       via  f3021aca4a154c2ff9bd0030f7974eb6a719550d (commit)
      from  8a59c08583424d59ac30c1261eedff40d653f8b0 (commit)


- Log -----------------------------------------------------------------
commit f3021aca4a154c2ff9bd0030f7974eb6a719550d
Author: Matt Caswell <matt at openssl.org>
Date:   Thu May 17 16:24:29 2018 +0100

    Allow the ca application to use EdDSA
    
    Using the ca application to sign certificates with EdDSA failed because it
    is not possible to set the digest to "null". This adds the capability and
    updates the documentation accordingly.
    
    Fixes #6201
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/6286)

-----------------------------------------------------------------------

Summary of changes:
 apps/ca.c            | 22 +++++++++++++---------
 crypto/ec/ecx_meth.c |  2 +-
 doc/man1/ca.pod      |  3 ++-
 3 files changed, 16 insertions(+), 11 deletions(-)

diff --git a/apps/ca.c b/apps/ca.c
index afc5e34..60c8f6c 100644
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -735,17 +735,21 @@ end_of_options:
     if (md == NULL && (md = lookup_conf(conf, section, ENV_DEFAULT_MD)) == NULL)
         goto end;
 
-    if (strcmp(md, "default") == 0) {
-        int def_nid;
-        if (EVP_PKEY_get_default_digest_nid(pkey, &def_nid) <= 0) {
-            BIO_puts(bio_err, "no default digest\n");
-            goto end;
+    if (strcmp(md, "null") == 0) {
+        dgst = EVP_md_null();
+    } else {
+        if (strcmp(md, "default") == 0) {
+            int def_nid;
+            if (EVP_PKEY_get_default_digest_nid(pkey, &def_nid) <= 0) {
+                BIO_puts(bio_err, "no default digest\n");
+                goto end;
+            }
+            md = (char *)OBJ_nid2sn(def_nid);
         }
-        md = (char *)OBJ_nid2sn(def_nid);
-    }
 
-    if (!opt_md(md, &dgst)) {
-        goto end;
+        if (!opt_md(md, &dgst)) {
+            goto end;
+        }
     }
 
     if (req) {
diff --git a/crypto/ec/ecx_meth.c b/crypto/ec/ecx_meth.c
index 501daec..ea56df0 100644
--- a/crypto/ec/ecx_meth.c
+++ b/crypto/ec/ecx_meth.c
@@ -778,7 +778,7 @@ static int pkey_ecd_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
     switch (type) {
     case EVP_PKEY_CTRL_MD:
         /* Only NULL allowed as digest */
-        if (p2 == NULL)
+        if (p2 == NULL || (const EVP_MD *)p2 == EVP_md_null())
             return 1;
         ECerr(EC_F_PKEY_ECD_CTRL, EC_R_INVALID_DIGEST_TYPE);
         return 0;
diff --git a/doc/man1/ca.pod b/doc/man1/ca.pod
index 9b25345..ebd8a43 100644
--- a/doc/man1/ca.pod
+++ b/doc/man1/ca.pod
@@ -184,7 +184,8 @@ The number of days to certify the certificate for.
 =item B<-md alg>
 
 The message digest to use.
-Any digest supported by the OpenSSL B<dgst> command can be used.
+Any digest supported by the OpenSSL B<dgst> command can be used. If the signing
+key is using Ed25519 or Ed448 then you should specify "null" for the digest.
 This option also applies to CRLs.
 
 =item B<-policy arg>

More information about the openssl-commits mailing list