[openssl] master update
shane.lontis at oracle.com
shane.lontis at oracle.com
Thu Apr 8 01:33:25 UTC 2021
The branch master has been updated
via e6c2f96489fc0c006845c8597f8ceed2f01f76ee (commit)
from 09fba0b44032c2f66d5e7e8c732869e031ce74c8 (commit)
- Log -----------------------------------------------------------------
commit e6c2f96489fc0c006845c8597f8ceed2f01f76ee
Author: Shane Lontis <shane.lontis at oracle.com>
Date: Wed Mar 31 15:10:22 2021 +1000
Fix more certificate related lib_ctx settings.
Fixes #13732
Fix a few places that were not using the '_ex' variants of
ASN1_item_sign/verify.
Added X509_CRL_new_ex().
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14752)
-----------------------------------------------------------------------
Summary of changes:
apps/ca.c | 2 +-
apps/ocsp.c | 11 ++++++-----
apps/req.c | 2 +-
crypto/asn1/a_sign.c | 1 +
crypto/ocsp/ocsp_cl.c | 2 +-
crypto/ocsp/ocsp_local.h | 46 +++++++++++++++++++++++++++-------------------
crypto/ocsp/ocsp_srv.c | 7 ++++---
crypto/ocsp/ocsp_vfy.c | 4 ++--
crypto/x509/x509_vfy.c | 2 +-
crypto/x509/x_all.c | 19 +++++++++++--------
crypto/x509/x_crl.c | 17 +++++++++++++++--
doc/man3/X509_dup.pod | 8 +++++---
doc/man3/X509_new.pod | 3 ++-
include/openssl/x509.h.in | 1 +
util/libcrypto.num | 1 +
15 files changed, 79 insertions(+), 47 deletions(-)
diff --git a/apps/ca.c b/apps/ca.c
index 9cec43cf8b..268bd76912 100755
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -1178,7 +1178,7 @@ end_of_options:
if (verbose)
BIO_printf(bio_err, "making CRL\n");
- if ((crl = X509_CRL_new()) == NULL)
+ if ((crl = X509_CRL_new_ex(app_get0_libctx(), app_get0_propq())) == NULL)
goto end;
if (!X509_CRL_set_issuer_name(crl, X509_get_subject_name(x509)))
goto end;
diff --git a/apps/ocsp.c b/apps/ocsp.c
index cd3a3bd695..7d64ee2d02 100644
--- a/apps/ocsp.c
+++ b/apps/ocsp.c
@@ -469,7 +469,8 @@ int ocsp_main(int argc, char **argv)
case OPT_RSIGOPT:
if (rsign_sigopts == NULL)
rsign_sigopts = sk_OPENSSL_STRING_new_null();
- if (rsign_sigopts == NULL || !sk_OPENSSL_STRING_push(rsign_sigopts, opt_arg()))
+ if (rsign_sigopts == NULL
+ || !sk_OPENSSL_STRING_push(rsign_sigopts, opt_arg()))
goto end;
break;
case OPT_HEADER:
@@ -676,8 +677,8 @@ redo_accept:
if (key == NULL)
goto end;
- if (!OCSP_request_sign
- (req, signer, key, NULL, sign_other, sign_flags)) {
+ if (!OCSP_request_sign(req, signer, key, NULL,
+ sign_other, sign_flags)) {
BIO_printf(bio_err, "Error signing OCSP request\n");
goto end;
}
@@ -696,8 +697,8 @@ redo_accept:
if (rdb != NULL) {
make_ocsp_response(bio_err, &resp, req, rdb, rca_cert, rsigner, rkey,
- rsign_md, rsign_sigopts, rother, rflags, nmin, ndays, badsig,
- resp_certid_md);
+ rsign_md, rsign_sigopts, rother, rflags, nmin, ndays,
+ badsig, resp_certid_md);
if (cbio != NULL)
send_ocsp_response(cbio, resp);
} else if (host != NULL) {
diff --git a/apps/req.c b/apps/req.c
index 4056b18f51..04774db399 100644
--- a/apps/req.c
+++ b/apps/req.c
@@ -802,7 +802,7 @@ int req_main(int argc, char **argv)
}
if (req == NULL) {
- req = X509_REQ_new();
+ req = X509_REQ_new_ex(app_get0_libctx(), app_get0_propq());
if (req == NULL) {
goto end;
}
diff --git a/crypto/asn1/a_sign.c b/crypto/asn1/a_sign.c
index 911d61453a..fe55373b34 100644
--- a/crypto/asn1/a_sign.c
+++ b/crypto/asn1/a_sign.c
@@ -136,6 +136,7 @@ int ASN1_item_sign_ex(const ASN1_ITEM *it, X509_ALGOR *algor1,
ERR_raise(ERR_LIB_ASN1, ERR_R_MALLOC_FAILURE);
return 0;
}
+ /* We can use the non _ex variant here since the pkey is already setup */
if (!EVP_DigestSignInit(ctx, NULL, md, NULL, pkey))
goto err;
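Review bot: The added comment above the `EVP_DigestSignInit()` call does not say what makes the non-_ex call sufficient. Presumably `ctx` was created earlier in `ASN1_item_sign_ex()` with the caller's `libctx` and `propq`, but that line is outside the hunk. If so, a more specific wording would help the next reader, for example `/* ctx already carries a pkey ctx created with libctx/propq, so the non _ex init is sufficient */`. It would also be worth stating that `md` is used as passed in and is not re-fetched under `libctx`.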
diff --git a/crypto/ocsp/ocsp_cl.c b/crypto/ocsp/ocsp_cl.c
index cfa85af240..c1dda38414 100644
--- a/crypto/ocsp/ocsp_cl.c
+++ b/crypto/ocsp/ocsp_cl.c
@@ -94,7 +94,7 @@ int OCSP_request_sign(OCSP_REQUEST *req,
OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
goto err;
}
- if (!OCSP_REQUEST_sign(req, key, dgst))
+ if (!OCSP_REQUEST_sign(req, key, dgst, signer->libctx, signer->propq))
goto err;
}
diff --git a/crypto/ocsp/ocsp_local.h b/crypto/ocsp/ocsp_local.h
index 6542febc98..e1633403c6 100644
--- a/crypto/ocsp/ocsp_local.h
+++ b/crypto/ocsp/ocsp_local.h
@@ -217,22 +217,30 @@ struct ocsp_service_locator_st {
STACK_OF(ACCESS_DESCRIPTION) *locator;
};
-# define OCSP_REQUEST_sign(o,pkey,md) \
- ASN1_item_sign(ASN1_ITEM_rptr(OCSP_REQINFO),\
- &(o)->optionalSignature->signatureAlgorithm,NULL,\
- (o)->optionalSignature->signature,&(o)->tbsRequest,pkey,md)
-
-# define OCSP_BASICRESP_sign(o,pkey,md,d) \
- ASN1_item_sign(ASN1_ITEM_rptr(OCSP_RESPDATA),&(o)->signatureAlgorithm,\
- NULL,(o)->signature,&(o)->tbsResponseData,pkey,md)
-
-# define OCSP_BASICRESP_sign_ctx(o,ctx,d) \
- ASN1_item_sign_ctx(ASN1_ITEM_rptr(OCSP_RESPDATA),&(o)->signatureAlgorithm,\
- NULL,(o)->signature,&(o)->tbsResponseData,ctx)
-
-# define OCSP_REQUEST_verify(a,r) ASN1_item_verify(ASN1_ITEM_rptr(OCSP_REQINFO),\
- &(a)->optionalSignature->signatureAlgorithm,\
- (a)->optionalSignature->signature,&(a)->tbsRequest,r)
-
-# define OCSP_BASICRESP_verify(a,r) ASN1_item_verify(ASN1_ITEM_rptr(OCSP_RESPDATA),\
- &(a)->signatureAlgorithm,(a)->signature,&(a)->tbsResponseData,r)
+# define OCSP_REQUEST_sign(o, pkey, md, libctx, propq)\
+ ASN1_item_sign_ex(ASN1_ITEM_rptr(OCSP_REQINFO),\
+ &(o)->optionalSignature->signatureAlgorithm, NULL,\
+ (o)->optionalSignature->signature, &(o)->tbsRequest,\
+ NULL, pkey, md, libctx, propq)
+
+# define OCSP_BASICRESP_sign(o, pkey, md, d, libctx, propq)\
+ ASN1_item_sign_ex(ASN1_ITEM_rptr(OCSP_RESPDATA),\
+ &(o)->signatureAlgorithm, NULL,\
+ (o)->signature, &(o)->tbsResponseData,\
+ NULL, pkey, md, libctx, propq)
+
+# define OCSP_BASICRESP_sign_ctx(o, ctx, d)\
+ ASN1_item_sign_ctx(ASN1_ITEM_rptr(OCSP_RESPDATA),\
+ &(o)->signatureAlgorithm, NULL,\
+ (o)->signature, &(o)->tbsResponseData, ctx)
+
+# define OCSP_REQUEST_verify(a, r, libctx, propq)\
+ ASN1_item_verify_ex(ASN1_ITEM_rptr(OCSP_REQINFO),\
+ &(a)->optionalSignature->signatureAlgorithm,\
+ (a)->optionalSignature->signature, &(a)->tbsRequest,\
+ NULL, r, libctx, propq)
+
+# define OCSP_BASICRESP_verify(a, r, libctx, propq)\
+ ASN1_item_verify_ex(ASN1_ITEM_rptr(OCSP_RESPDATA),\
+ &(a)->signatureAlgorithm, (a)->signature,\
+ &(a)->tbsResponseData, NULL, r, libctx, propq)
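Review bot: `OCSP_BASICRESP_sign` and `OCSP_BASICRESP_sign_ctx` keep a `d` parameter that their expansions never use, and `OCSP_BASICRESP_sign` now takes six arguments. No call site of `OCSP_BASICRESP_sign` is touched in this commit, so the macro may be unused; if so, dropping it or its `d` parameter would be cleaner than extending it. A short comment above the block would also help, for example `/* libctx/propq select the provider used for the signature and digest; pass the signer certificate's values */`. As written, nothing tells a caller which context is expected.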
diff --git a/crypto/ocsp/ocsp_srv.c b/crypto/ocsp/ocsp_srv.c
index af1277942e..4187446e1c 100644
--- a/crypto/ocsp/ocsp_srv.c
+++ b/crypto/ocsp/ocsp_srv.c
@@ -223,7 +223,8 @@ int OCSP_basic_sign(OCSP_BASICRESP *brsp,
if (ctx == NULL)
return 0;
- if (!EVP_DigestSignInit(ctx, &pkctx, dgst, NULL, key)) {
+ if (!EVP_DigestSignInit_ex(ctx, &pkctx, EVP_MD_name(dgst),
+ signer->libctx, signer->propq, key, NULL)) {
EVP_MD_CTX_free(ctx);
return 0;
}
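Review bot: `EVP_MD_name(dgst)` is evaluated before `EVP_DigestSignInit_ex()` is entered, so a NULL `dgst` now reaches `EVP_MD_name()`, whereas the replaced call passed `dgst` straight through as the type argument. Whether callers of `OCSP_basic_sign()` may pass NULL to get the key's default digest is not visible in this hunk; if they may, guard it with `dgst != NULL ? EVP_MD_name(dgst) : NULL`. The digest is also now looked up by name under `signer->libctx`/`signer->propq` instead of using the caller's `EVP_MD` object, which deserves a one-line comment. The function body starts and continues outside the hunk.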
@@ -277,7 +278,7 @@ int OCSP_RESPID_set_by_key_ex(OCSP_RESPID *respid, X509 *cert,
int OCSP_RESPID_set_by_key(OCSP_RESPID *respid, X509 *cert)
{
- return OCSP_RESPID_set_by_key_ex(respid, cert, NULL, NULL);
+ return OCSP_RESPID_set_by_key_ex(respid, cert, cert->libctx, cert->propq);
}
int OCSP_RESPID_match_ex(OCSP_RESPID *respid, X509 *cert, OSSL_LIB_CTX *libctx,
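Review bot: `OCSP_RESPID_set_by_key()` now reads `cert->libctx` and `cert->propq` before calling the `_ex` function, so a NULL `cert` faults in the wrapper itself. Whether `OCSP_RESPID_set_by_key_ex()` rejected a NULL certificate gracefully is not visible here. If it did, keep that behaviour with `if (cert == NULL) return 0;` ahead of the call. The same applies to `OCSP_RESPID_match()` in the next hunk. Both functions would also benefit from a comment stating that the legacy entry points now inherit the certificate's library context rather than the default one.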
@@ -318,5 +319,5 @@ int OCSP_RESPID_match_ex(OCSP_RESPID *respid, X509 *cert, OSSL_LIB_CTX *libctx,
int OCSP_RESPID_match(OCSP_RESPID *respid, X509 *cert)
{
- return OCSP_RESPID_match_ex(respid, cert, NULL, NULL);
+ return OCSP_RESPID_match_ex(respid, cert, cert->libctx, cert->propq);
}
diff --git a/crypto/ocsp/ocsp_vfy.c b/crypto/ocsp/ocsp_vfy.c
index 544748851f..fe878043ca 100644
--- a/crypto/ocsp/ocsp_vfy.c
+++ b/crypto/ocsp/ocsp_vfy.c
@@ -84,9 +84,9 @@ static int ocsp_verify(OCSP_REQUEST *req, OCSP_BASICRESP *bs,
return -1;
}
if (req != NULL)
- ret = OCSP_REQUEST_verify(req, skey);
+ ret = OCSP_REQUEST_verify(req, skey, signer->libctx, signer->propq);
else
- ret = OCSP_BASICRESP_verify(bs, skey);
+ ret = OCSP_BASICRESP_verify(bs, skey, signer->libctx, signer->propq);
if (ret <= 0)
ERR_raise(ERR_LIB_OCSP, OCSP_R_SIGNATURE_FAILURE);
}
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 6c6d5442f2..01871b9090 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -2052,7 +2052,7 @@ X509_CRL *X509_CRL_diff(X509_CRL *base, X509_CRL *newer,
return NULL;
}
/* Create new CRL */
- crl = X509_CRL_new();
+ crl = X509_CRL_new_ex(base->libctx, base->propq);
if (crl == NULL || !X509_CRL_set_version(crl, 1))
goto memerr;
/* Set issuer name */
diff --git a/crypto/x509/x_all.c b/crypto/x509/x_all.c
index 042425456c..9733597d37 100644
--- a/crypto/x509/x_all.c
+++ b/crypto/x509/x_all.c
@@ -59,8 +59,9 @@ int NETSCAPE_SPKI_verify(NETSCAPE_SPKI *a, EVP_PKEY *r)
int X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md)
{
x->cert_info.enc.modified = 1;
- return ASN1_item_sign(ASN1_ITEM_rptr(X509_CINF), &x->cert_info.signature,
- &x->sig_alg, &x->signature, &x->cert_info, pkey, md);
+ return ASN1_item_sign_ex(ASN1_ITEM_rptr(X509_CINF), &x->cert_info.signature,
+ &x->sig_alg, &x->signature, &x->cert_info, NULL,
+ pkey, md, x->libctx, x->propq);
}
int X509_sign_ctx(X509 *x, EVP_MD_CTX *ctx)
@@ -89,8 +90,9 @@ X509 *X509_load_http(const char *url, BIO *bio, BIO *rbio, int timeout)
int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md)
{
- return ASN1_item_sign(ASN1_ITEM_rptr(X509_REQ_INFO), &x->sig_alg, NULL,
- x->signature, &x->req_info, pkey, md);
+ return ASN1_item_sign_ex(ASN1_ITEM_rptr(X509_REQ_INFO), &x->sig_alg, NULL,
+ x->signature, &x->req_info, NULL,
+ pkey, md, x->libctx, x->propq);
}
int X509_REQ_sign_ctx(X509_REQ *x, EVP_MD_CTX *ctx)
@@ -103,8 +105,9 @@ int X509_REQ_sign_ctx(X509_REQ *x, EVP_MD_CTX *ctx)
int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md)
{
x->crl.enc.modified = 1;
- return ASN1_item_sign(ASN1_ITEM_rptr(X509_CRL_INFO), &x->crl.sig_alg,
- &x->sig_alg, &x->signature, &x->crl, pkey, md);
+ return ASN1_item_sign_ex(ASN1_ITEM_rptr(X509_CRL_INFO), &x->crl.sig_alg,
+ &x->sig_alg, &x->signature, &x->crl, NULL,
+ pkey, md, x->libctx, x->propq);
}
int X509_CRL_sign_ctx(X509_CRL *x, EVP_MD_CTX *ctx)
@@ -123,8 +126,8 @@ X509_CRL *X509_CRL_load_http(const char *url, BIO *bio, BIO *rbio, int timeout)
int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *x, EVP_PKEY *pkey, const EVP_MD *md)
{
- return ASN1_item_sign(ASN1_ITEM_rptr(NETSCAPE_SPKAC), &x->sig_algor, NULL,
- x->signature, x->spkac, pkey, md);
+ return ASN1_item_sign_ex(ASN1_ITEM_rptr(NETSCAPE_SPKAC), &x->sig_algor, NULL,
+ x->signature, x->spkac, NULL, pkey, md, NULL, NULL);
}
#ifndef OPENSSL_NO_STDIO
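Review bot: The trailing `NULL, NULL` in `NETSCAPE_SPKI_sign()` passes no library context or property query. Unlike `X509_sign()`, `X509_REQ_sign()` and `X509_CRL_sign()` in the earlier hunks of this file, SPKI signing therefore still resolves its algorithms in the default context. Nothing in the hunk says whether that is deliberate; the structure may simply carry no libctx. If so, say it with a comment such as `/* NETSCAPE_SPKI carries no libctx/propq, so the default library context is used */`. This matters to applications that rely on a non-default context to restrict which providers perform signing.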
diff --git a/crypto/x509/x_crl.c b/crypto/x509/x_crl.c
index dfe3da37eb..4b90e5b756 100644
--- a/crypto/x509/x_crl.c
+++ b/crypto/x509/x_crl.c
@@ -340,6 +340,18 @@ static int X509_REVOKED_cmp(const X509_REVOKED *const *a,
(ASN1_STRING *)&(*b)->serialNumber));
}
+X509_CRL *X509_CRL_new_ex(OSSL_LIB_CTX *libctx, const char *propq)
+{
+ X509_CRL *crl = NULL;
+
+ crl = (X509_CRL *)ASN1_item_new((X509_CRL_it()));
+ if (!ossl_x509_crl_set0_libctx(crl, libctx, propq)) {
+ X509_CRL_free(crl);
+ crl = NULL;
+ }
+ return crl;
+}
+
int X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev)
{
X509_CRL_INFO *inf;
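Review bot: In `X509_CRL_new_ex()` the result of `ASN1_item_new()` is passed to `ossl_x509_crl_set0_libctx()` without a NULL check, so the allocation-failure path relies on that helper accepting a NULL `crl`. The helper's body is not in this diff. Making the check explicit removes the dependency: `if (crl != NULL && !ossl_x509_crl_set0_libctx(crl, libctx, propq)) {`. The doubled parentheses and the cast in `(X509_CRL *)ASN1_item_new((X509_CRL_it()))` can be tidied to `ASN1_item_new(X509_CRL_it())` with a single cast. The `= NULL` initialiser is redundant given the assignment that immediately follows.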
@@ -381,8 +393,9 @@ int X509_CRL_get0_by_cert(X509_CRL *crl, X509_REVOKED **ret, X509 *x)
static int def_crl_verify(X509_CRL *crl, EVP_PKEY *r)
{
- return (ASN1_item_verify(ASN1_ITEM_rptr(X509_CRL_INFO),
- &crl->sig_alg, &crl->signature, &crl->crl, r));
+ return (ASN1_item_verify_ex(ASN1_ITEM_rptr(X509_CRL_INFO),
+ &crl->sig_alg, &crl->signature, &crl->crl, NULL,
+ r, crl->libctx, crl->propq));
}
static int crl_revoked_issuer_match(X509_CRL *crl, const X509_NAME *nm,
diff --git a/doc/man3/X509_dup.pod b/doc/man3/X509_dup.pod
index 66668d0481..9629082310 100644
--- a/doc/man3/X509_dup.pod
+++ b/doc/man3/X509_dup.pod
@@ -274,6 +274,7 @@ X509_CRL_INFO_free,
X509_CRL_INFO_new,
X509_CRL_dup,
X509_CRL_free,
+X509_CRL_new_ex,
X509_CRL_new,
X509_EXTENSION_dup,
X509_EXTENSION_free,
@@ -349,7 +350,8 @@ The object returned must be released by calling B<I<TYPE>_free>().
B<I<TYPE>_new_ex>() is similiar to B<I<TYPE>_new>() but also passes the
library context I<libctx> and the property query I<propq> to use when retrieving
-algorithms from providers.
+algorithms from providers. This created object can then be used when loading
+binary data using B<d2i_I<TYPE>>().
B<I<TYPE>_dup>() copies an existing object, leaving it untouched.
@@ -371,8 +373,8 @@ B<I<TYPE>_print_ctx>() returns 1 on success or zero on failure.
=head1 HISTORY
-The functions PKCS7_new_ex() and CMS_ContentInfo_new_ex() were
-added in OpenSSL 3.0.
+The functions X509_REQ_new_ex(), X509_CRL_new_ex(), PKCS7_new_ex() and
+CMS_ContentInfo_new_ex() were added in OpenSSL 3.0.
The functions DSAparams_dup(), RSAPrivateKey_dup() and RSAPublicKey_dup() were
deprecated in 3.0.
diff --git a/doc/man3/X509_new.pod b/doc/man3/X509_new.pod
index a437b3f264..2514ae34ce 100644
--- a/doc/man3/X509_new.pod
+++ b/doc/man3/X509_new.pod
@@ -25,7 +25,8 @@ X509_new_ex() allocates and initializes a X509 structure with a
library context of I<libctx>, property query of <propq> and a reference
count of B<1>. Many X509 functions such as X509_check_purpose(), and
X509_verify() use this library context to select which providers supply the
-fetched algorithms (SHA1 is used internally).
+fetched algorithms (SHA1 is used internally). This created X509 object can then
+be used when loading binary data using d2i_X509().
X509_new() is similar to X509_new_ex() but sets the library context
and property query to NULL. This results in the default (NULL) library context
diff --git a/include/openssl/x509.h.in b/include/openssl/x509.h.in
index 50d8712e41..0205781e0c 100644
--- a/include/openssl/x509.h.in
+++ b/include/openssl/x509.h.in
@@ -642,6 +642,7 @@ STACK_OF(ASN1_OBJECT) *X509_get0_reject_objects(X509 *x);
DECLARE_ASN1_FUNCTIONS(X509_REVOKED)
DECLARE_ASN1_FUNCTIONS(X509_CRL_INFO)
DECLARE_ASN1_FUNCTIONS(X509_CRL)
+X509_CRL *X509_CRL_new_ex(OSSL_LIB_CTX *libctx, const char *propq);
int X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev);
int X509_CRL_get0_by_serial(X509_CRL *crl,
diff --git a/util/libcrypto.num b/util/libcrypto.num
index 49fc731085..f8f5b58a94 100644
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@@ -5347,3 +5347,4 @@ EVP_ASYM_CIPHER_description ? 3_0_0 EXIST::FUNCTION:
EVP_KEM_description ? 3_0_0 EXIST::FUNCTION:
EVP_KEYEXCH_description ? 3_0_0 EXIST::FUNCTION:
EVP_KDF_description ? 3_0_0 EXIST::FUNCTION:
+X509_CRL_new_ex ? 3_0_0 EXIST::FUNCTION: