[openssl] master update

Dr. Paul Dale pauli at openssl.org
Tue Apr 20 23:29:23 UTC 2021


The branch master has been updated
       via  2ec6491669d1a93a5c4a445715aae6b1582cb2a4 (commit)
       via  c4685815bf7edbc546add24b9fa99b632a2ba366 (commit)
       via  42e7d043f09f7a54005800fb00cb11a0c38e891f (commit)
       via  3f700d4b95f249308e03c0f1fcb3c9620dad94fe (commit)
       via  e27fea4640defe3adc9309a4b573101055228ef3 (commit)
       via  27344bb82a65ce13de4c9f6c78615fa91d93d3eb (commit)
       via  192d50087881c031ee60307c8e0460d8470efaa9 (commit)
      from  6bcbc3698557739da03495920a57be4ffe219fa4 (commit)


- Log -----------------------------------------------------------------
commit 2ec6491669d1a93a5c4a445715aae6b1582cb2a4
Author: Pauli <pauli at openssl.org>
Date:   Thu Apr 15 10:42:01 2021 +1000

    asn1: fix indentation
    
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/14881)

commit c4685815bf7edbc546add24b9fa99b632a2ba366
Author: Pauli <pauli at openssl.org>
Date:   Wed Apr 14 16:38:07 2021 +1000

    dsa: remove unused macro
    
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/14881)

commit 42e7d043f09f7a54005800fb00cb11a0c38e891f
Author: Pauli <pauli at openssl.org>
Date:   Thu Apr 15 10:35:28 2021 +1000

    srp: remove references to EVP_sha1()
    
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/14881)

commit 3f700d4b95f249308e03c0f1fcb3c9620dad94fe
Author: Pauli <pauli at openssl.org>
Date:   Thu Apr 15 10:35:08 2021 +1000

    pem: remove references to EVP_sha1()
    
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/14881)

commit e27fea4640defe3adc9309a4b573101055228ef3
Author: Pauli <pauli at openssl.org>
Date:   Thu Apr 15 10:34:48 2021 +1000

    ocsp: remove references to EVP_sha1()
    
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/14881)

commit 27344bb82a65ce13de4c9f6c78615fa91d93d3eb
Author: Pauli <pauli at openssl.org>
Date:   Thu Apr 15 10:33:59 2021 +1000

    cms: remove most references to EVP_sha1()
    
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/14881)

commit 192d50087881c031ee60307c8e0460d8470efaa9
Author: Pauli <pauli at openssl.org>
Date:   Thu Apr 15 10:31:58 2021 +1000

    x509: remove most references to EVP_sha1()
    
    Fixes #14387
    
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/14881)

-----------------------------------------------------------------------

Summary of changes:
 crypto/asn1/a_digest.c |  4 ++--
 crypto/cms/cms_smime.c |  4 ++++
 crypto/dsa/dsa_depr.c  |  7 -------
 crypto/evp/p5_crpt2.c  | 10 ++++++++--
 crypto/ocsp/ocsp_lib.c |  1 +
 crypto/ocsp/ocsp_vfy.c | 18 ++++++++++++------
 crypto/pem/pvkfmt.c    |  7 +++++--
 crypto/srp/srp_vfy.c   | 13 ++++++++++---
 crypto/x509/t_x509.c   | 13 ++++++++++---
 crypto/x509/v3_skid.c  | 19 +++++++++++++++----
 10 files changed, 67 insertions(+), 29 deletions(-)

diff --git a/crypto/asn1/a_digest.c b/crypto/asn1/a_digest.c
index cac6c327da..9d7efcdb70 100644
--- a/crypto/asn1/a_digest.c
+++ b/crypto/asn1/a_digest.c
@@ -75,8 +75,8 @@ int ossl_asn1_item_digest_ex(const ASN1_ITEM *it, const EVP_MD *md, void *asn,
 #endif
             fetched_md = EVP_MD_fetch(libctx, EVP_MD_name(md), propq);
     }
-     if (fetched_md == NULL)
-         goto err;
+    if (fetched_md == NULL)
+        goto err;
 
     ret = EVP_Digest(str, i, data, len, fetched_md, NULL);
 err:
diff --git a/crypto/cms/cms_smime.c b/crypto/cms/cms_smime.c
index 3ab4cd2e6f..d48bbcb6c7 100644
--- a/crypto/cms/cms_smime.c
+++ b/crypto/cms/cms_smime.c
@@ -169,6 +169,10 @@ CMS_ContentInfo *CMS_digest_create_ex(BIO *in, const EVP_MD *md,
 {
     CMS_ContentInfo *cms;
 
+    /*
+     * Because the EVP_MD is cached and can be a legacy algorithm, we
+     * cannot fetch the algorithm if it isn't supplied.
+     */
     if (md == NULL)
         md = EVP_sha1();
     cms = ossl_cms_DigestedData_create(md, ctx, propq);
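Review bot: The comment added above the `md == NULL` fallback in `CMS_digest_create_ex` explains why the digest is not fetched, but it never states what a caller who passes NULL actually gets: SHA-1, through the non-fetched `EVP_sha1()`. Naming the default makes the weak-hash fallback visible to anyone auditing digest selection, for example `/* md == NULL keeps the historical SHA-1 default; it is not fetched because the EVP_MD is cached and may be a legacy method. */`. Where the EVP_MD is cached is not visible here, and the function body continues outside the hunk.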
diff --git a/crypto/dsa/dsa_depr.c b/crypto/dsa/dsa_depr.c
index 1149c50c8b..57f6ce4faf 100644
--- a/crypto/dsa/dsa_depr.c
+++ b/crypto/dsa/dsa_depr.c
@@ -18,13 +18,6 @@
  */
 #include "internal/deprecated.h"
 
-/*
- * Parameter generation follows the updated Appendix 2.2 for FIPS PUB 186,
- * also Appendix 2.2 of FIPS PUB 186-1 (i.e. use SHA as defined in FIPS PUB
- * 180-1)
- */
-#define xxxHASH    EVP_sha1()
-
 #include <openssl/opensslconf.h>
 
 #include <stdio.h>
diff --git a/crypto/evp/p5_crpt2.c b/crypto/evp/p5_crpt2.c
index d2fe56a87f..b8edf4b5a8 100644
--- a/crypto/evp/p5_crpt2.c
+++ b/crypto/evp/p5_crpt2.c
@@ -92,8 +92,14 @@ int PKCS5_PBKDF2_HMAC_SHA1(const char *pass, int passlen,
                            const unsigned char *salt, int saltlen, int iter,
                            int keylen, unsigned char *out)
 {
-    return PKCS5_PBKDF2_HMAC(pass, passlen, salt, saltlen, iter, EVP_sha1(),
-                             keylen, out);
+    EVP_MD *digest;
+    int r = 0;
+
+    if ((digest = EVP_MD_fetch(NULL, SN_sha1, NULL)) != NULL)
+        r = ossl_pkcs5_pbkdf2_hmac_ex(pass, passlen, salt, saltlen, iter,
+                                      digest, keylen, out, NULL, NULL);
+    EVP_MD_free(digest);
+    return r;
 }
 
 /*
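Review bot: `EVP_MD_fetch(NULL, SN_sha1, NULL)` in `PKCS5_PBKDF2_HMAC_SHA1` pins the digest to the default library context with no property query, and nothing in the code says that this is deliberate. The same call appears in `derive_pvk_key` (crypto/pem/pvkfmt.c) and `SRP_VBASE_get1_by_user` (crypto/srp/srp_vfy.c), whereas the ocsp_vfy, t_x509 and v3_skid hunks take the context from the object they operate on. A short comment at each site would record the choice, for example `/* No libctx/propq reaches this function: SHA-1 is fetched from the default context */`. For the static `derive_pvk_key` it may be worth checking whether its callers hold a library context that could be passed down; they are outside the hunk.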
diff --git a/crypto/ocsp/ocsp_lib.c b/crypto/ocsp/ocsp_lib.c
index c7b7a0a620..776ffdde97 100644
--- a/crypto/ocsp/ocsp_lib.c
+++ b/crypto/ocsp/ocsp_lib.c
@@ -25,6 +25,7 @@ OCSP_CERTID *OCSP_cert_to_id(const EVP_MD *dgst, const X509 *subject,
     const X509_NAME *iname;
     const ASN1_INTEGER *serial;
     ASN1_BIT_STRING *ikey;
+
     if (!dgst)
         dgst = EVP_sha1();
     if (subject) {
diff --git a/crypto/ocsp/ocsp_vfy.c b/crypto/ocsp/ocsp_vfy.c
index fe878043ca..02af58437c 100644
--- a/crypto/ocsp/ocsp_vfy.c
+++ b/crypto/ocsp/ocsp_vfy.c
@@ -187,8 +187,9 @@ static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs,
 
 static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id)
 {
-    int i;
+    int i, r;
     unsigned char tmphash[SHA_DIGEST_LENGTH], *keyhash;
+    EVP_MD *md;
     X509 *x;
 
     /* Easy if lookup by name */
@@ -203,11 +204,16 @@ static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id)
     keyhash = id->value.byKey->data;
     /* Calculate hash of each key and compare */
     for (i = 0; i < sk_X509_num(certs); i++) {
-        x = sk_X509_value(certs, i);
-        if (!X509_pubkey_digest(x, EVP_sha1(), tmphash, NULL))
-            break;
-        if (memcmp(keyhash, tmphash, SHA_DIGEST_LENGTH) == 0)
-            return x;
+        if ((x = sk_X509_value(certs, i)) != NULL) {
+            if ((md = EVP_MD_fetch(x->libctx, SN_sha1, x->propq)) == NULL)
+                break;
+            r = X509_pubkey_digest(x, md, tmphash, NULL);
+            EVP_MD_free(md);
+            if (!r)
+                break;
+            if (memcmp(keyhash, tmphash, SHA_DIGEST_LENGTH) == 0)
+                return x;
+        }
     }
     return NULL;
 }
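Review bot: In the rewritten loop of `ocsp_find_signer_sk`, a failed `EVP_MD_fetch(x->libctx, SN_sha1, x->propq)` leaves the loop with `break`, so one certificate whose context cannot supply SHA-1 ends the search for every certificate after it. Before this change the digest was global, so a failure applied to all entries alike; now it is per certificate, and `continue` on the fetch failure would let the remaining certificates be tried. Either way the function returns NULL when no key hash matches, so the lookup still fails closed; the difference is only whether a usable signer later in the stack can be found. The `memcmp` relies on `keyhash` holding `SHA_DIGEST_LENGTH` bytes, and that length check, if present, lies between the two hunks and is not shown.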
diff --git a/crypto/pem/pvkfmt.c b/crypto/pem/pvkfmt.c
index 432fd34618..51d3ec476b 100644
--- a/crypto/pem/pvkfmt.c
+++ b/crypto/pem/pvkfmt.c
@@ -795,16 +795,19 @@ static int derive_pvk_key(unsigned char *key,
                           const unsigned char *pass, int passlen)
 {
     EVP_MD_CTX *mctx = EVP_MD_CTX_new();
+    EVP_MD *md = EVP_MD_fetch(NULL, SN_sha1, NULL);
     int rv = 1;
 
-    if (mctx == NULL
-        || !EVP_DigestInit_ex(mctx, EVP_sha1(), NULL)
+    if (md == NULL
+        || mctx == NULL
+        || !EVP_DigestInit_ex(mctx, md, NULL)
         || !EVP_DigestUpdate(mctx, salt, saltlen)
         || !EVP_DigestUpdate(mctx, pass, passlen)
         || !EVP_DigestFinal_ex(mctx, key, NULL))
         rv = 0;
 
     EVP_MD_CTX_free(mctx);
+    EVP_MD_free(md);
     return rv;
 }
 #endif
diff --git a/crypto/srp/srp_vfy.c b/crypto/srp/srp_vfy.c
index 2c2ec11cd4..85e2c96e1a 100644
--- a/crypto/srp/srp_vfy.c
+++ b/crypto/srp/srp_vfy.c
@@ -551,6 +551,7 @@ SRP_user_pwd *SRP_VBASE_get1_by_user(SRP_VBASE *vb, char *username)
     unsigned char digv[SHA_DIGEST_LENGTH];
     unsigned char digs[SHA_DIGEST_LENGTH];
     EVP_MD_CTX *ctxt = NULL;
+    EVP_MD *md = NULL;
 
     if (vb == NULL)
         return NULL;
@@ -574,21 +575,27 @@ SRP_user_pwd *SRP_VBASE_get1_by_user(SRP_VBASE *vb, char *username)
 
     if (RAND_priv_bytes(digv, SHA_DIGEST_LENGTH) <= 0)
         goto err;
+    md = EVP_MD_fetch(NULL, SN_sha1, NULL);
+    if (md == NULL)
+        goto err;
     ctxt = EVP_MD_CTX_new();
     if (ctxt == NULL
-        || !EVP_DigestInit_ex(ctxt, EVP_sha1(), NULL)
+        || !EVP_DigestInit_ex(ctxt, md, NULL)
         || !EVP_DigestUpdate(ctxt, vb->seed_key, strlen(vb->seed_key))
         || !EVP_DigestUpdate(ctxt, username, strlen(username))
         || !EVP_DigestFinal_ex(ctxt, digs, NULL))
         goto err;
     EVP_MD_CTX_free(ctxt);
     ctxt = NULL;
+    EVP_MD_free(md);
+    md = NULL;
     if (SRP_user_pwd_set0_sv(user,
-                               BN_bin2bn(digs, SHA_DIGEST_LENGTH, NULL),
-                               BN_bin2bn(digv, SHA_DIGEST_LENGTH, NULL)))
+                             BN_bin2bn(digs, SHA_DIGEST_LENGTH, NULL),
+                             BN_bin2bn(digv, SHA_DIGEST_LENGTH, NULL)))
         return user;
 
  err:
+    EVP_MD_free(md);
     EVP_MD_CTX_free(ctxt);
     SRP_user_pwd_free(user);
     return NULL;
diff --git a/crypto/x509/t_x509.c b/crypto/x509/t_x509.c
index 0c6d5f72fe..78d4452156 100644
--- a/crypto/x509/t_x509.c
+++ b/crypto/x509/t_x509.c
@@ -228,7 +228,10 @@ int X509_ocspid_print(BIO *bp, X509 *x)
     unsigned char SHA1md[SHA_DIGEST_LENGTH];
     ASN1_BIT_STRING *keybstr;
     const X509_NAME *subj;
+    EVP_MD *md = NULL;
 
+    if (x == NULL || bp == NULL)
+        return 0;
     /*
      * display the hash of the subject as it would appear in OCSP requests
      */
@@ -242,7 +245,10 @@ int X509_ocspid_print(BIO *bp, X509 *x)
         goto err;
     i2d_X509_NAME(subj, &dertmp);
 
-    if (!EVP_Digest(der, derlen, SHA1md, NULL, EVP_sha1(), NULL))
+    md = EVP_MD_fetch(x->libctx, SN_sha1, x->propq);
+    if (md == NULL)
+        goto err;
+    if (!EVP_Digest(der, derlen, SHA1md, NULL, md, NULL))
         goto err;
     for (i = 0; i < SHA_DIGEST_LENGTH; i++) {
         if (BIO_printf(bp, "%02X", SHA1md[i]) <= 0)
@@ -263,18 +269,19 @@ int X509_ocspid_print(BIO *bp, X509 *x)
         goto err;
 
     if (!EVP_Digest(ASN1_STRING_get0_data(keybstr),
-                    ASN1_STRING_length(keybstr), SHA1md, NULL, EVP_sha1(),
-                    NULL))
+                    ASN1_STRING_length(keybstr), SHA1md, NULL, md, NULL))
         goto err;
     for (i = 0; i < SHA_DIGEST_LENGTH; i++) {
         if (BIO_printf(bp, "%02X", SHA1md[i]) <= 0)
             goto err;
     }
     BIO_printf(bp, "\n");
+    EVP_MD_free(md);
 
     return 1;
  err:
     OPENSSL_free(der);
+    EVP_MD_free(md);
     return 0;
 }
 
diff --git a/crypto/x509/v3_skid.c b/crypto/x509/v3_skid.c
index 8a8718d77a..bab88898e6 100644
--- a/crypto/x509/v3_skid.c
+++ b/crypto/x509/v3_skid.c
@@ -59,20 +59,31 @@ ASN1_OCTET_STRING *ossl_x509_pubkey_hash(X509_PUBKEY *pubkey)
     int pklen;
     unsigned char pkey_dig[EVP_MAX_MD_SIZE];
     unsigned int diglen;
+    const char *propq;
+    OSSL_LIB_CTX *libctx;
+    EVP_MD *md;
 
     if (pubkey == NULL) {
         ERR_raise(ERR_LIB_X509V3, X509V3_R_NO_PUBLIC_KEY);
         return NULL;
     }
-    if ((oct = ASN1_OCTET_STRING_new()) == NULL)
+    if (!ossl_x509_PUBKEY_get0_libctx(&libctx, &propq, pubkey))
         return NULL;
+    if ((md = EVP_MD_fetch(libctx, SN_sha1, propq)) == NULL)
+        return NULL;
+    if ((oct = ASN1_OCTET_STRING_new()) == NULL) {
+        EVP_MD_free(md);
+        return NULL;
+    }
 
     X509_PUBKEY_get0_param(NULL, &pk, &pklen, NULL, pubkey);
-    /* TODO(3.0) - explicitly fetch the digest */
-    if (EVP_Digest(pk, pklen, pkey_dig, &diglen, EVP_sha1(), NULL)
-            && ASN1_OCTET_STRING_set(oct, pkey_dig, diglen))
+    if (EVP_Digest(pk, pklen, pkey_dig, &diglen, md, NULL)
+            && ASN1_OCTET_STRING_set(oct, pkey_dig, diglen)) {
+        EVP_MD_free(md);
         return oct;
+    }
 
+    EVP_MD_free(md);
     ASN1_OCTET_STRING_free(oct);
     return NULL;
 }
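Review bot: `ossl_x509_pubkey_hash` now calls `EVP_MD_free(md)` on three separate exit paths, so any path added later has to remember the free or it leaks the fetched digest. A single exit that frees `md` once and returns `oct` (set to NULL on failure) keeps the ownership in one place. The sketch below keeps the existing success condition and only restructures the tail; the declarations of `oct` and `pk` are above the hunk and are assumed unchanged.

```c
    /* … unchanged: NULL pubkey check, ossl_x509_PUBKEY_get0_libctx() … */
    if ((md = EVP_MD_fetch(libctx, SN_sha1, propq)) == NULL)
        return NULL;
    if ((oct = ASN1_OCTET_STRING_new()) == NULL)
        goto end;

    X509_PUBKEY_get0_param(NULL, &pk, &pklen, NULL, pubkey);
    if (!EVP_Digest(pk, pklen, pkey_dig, &diglen, md, NULL)
            || !ASN1_OCTET_STRING_set(oct, pkey_dig, diglen)) {
        ASN1_OCTET_STRING_free(oct);
        oct = NULL;
    }

 end:
    EVP_MD_free(md);
    return oct;
}
```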

