[openssl] master update
tomas at openssl.org
tomas at openssl.org
Wed Apr 28 07:38:53 UTC 2021
The branch master has been updated
via 8365652287a27179143ee67b88c607a087f5d6f8 (commit)
via 680dbd16dc35c6f004c551d19090869e70040af1 (commit)
via eaf8a40d97d642ccd2c55fbf8bb8ee3242aec04a (commit)
from c0a79e9836a9aa30912978f69fab3b3bb3a8ddc5 (commit)
- Log -----------------------------------------------------------------
commit 8365652287a27179143ee67b88c607a087f5d6f8
Author: Tomas Mraz <tomas at openssl.org>
Date: Mon Apr 26 15:04:53 2021 +0200
Use "canonical" names when matching the output of the commands
Reviewed-by: Richard Levitte <levitte at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15028)
commit 680dbd16dc35c6f004c551d19090869e70040af1
Author: Tomas Mraz <tomas at openssl.org>
Date: Mon Apr 26 13:12:28 2021 +0200
Skip GOST engine tests in out of tree builds
Reviewed-by: Richard Levitte <levitte at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15028)
commit eaf8a40d97d642ccd2c55fbf8bb8ee3242aec04a
Author: Tomas Mraz <tomas at openssl.org>
Date: Mon Apr 26 12:08:27 2021 +0200
Prefer fetch over legacy get_digestby/get_cipherby
Fixes #14198
Reviewed-by: Richard Levitte <levitte at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15028)
-----------------------------------------------------------------------
Summary of changes:
apps/include/opt.h | 2 +
apps/lib/opt.c | 53 +++++++++++++-----
apps/req.c | 11 ++--
apps/speed.c | 86 +++++++----------------------
crypto/crmf/crmf_lib.c | 19 ++++++-
crypto/ess/ess_lib.c | 50 +++++++++++------
crypto/ocsp/ocsp_vfy.c | 50 +++++++++++------
crypto/ts/ts_rsp_verify.c | 26 +++++++--
test/recipes/20-test_dgst.t | 4 +-
test/recipes/25-test_crl.t | 2 +-
test/recipes/95-test_external_gost_engine.t | 4 +-
11 files changed, 177 insertions(+), 130 deletions(-)
diff --git a/apps/include/opt.h b/apps/include/opt.h
index c8024975b2..f9ac5accae 100644
--- a/apps/include/opt.h
+++ b/apps/include/opt.h
@@ -368,7 +368,9 @@ int opt_umax(const char *arg, uintmax_t *result);
int opt_pair(const char *arg, const OPT_PAIR * pairs, int *result);
int opt_string(const char *name, const char **options);
int opt_cipher(const char *name, EVP_CIPHER **cipherp);
+int opt_cipher_silent(const char *name, EVP_CIPHER **cipherp);
int opt_md(const char *name, EVP_MD **mdp);
+int opt_md_silent(const char *name, EVP_MD **mdp);
char *opt_name(void);
char *opt_arg(void);
char *opt_flag(void);
diff --git a/apps/lib/opt.c b/apps/lib/opt.c
index 0c7405a921..83ae28cdc1 100644
--- a/apps/lib/opt.c
+++ b/apps/lib/opt.c
@@ -22,6 +22,7 @@
#include <errno.h>
#include <ctype.h>
#include <limits.h>
+#include <openssl/err.h>
#include <openssl/bio.h>
#include <openssl/x509v3.h>
@@ -359,34 +360,56 @@ void print_format_error(int format, unsigned long flags)
}
/* Parse a cipher name, put it in *EVP_CIPHER; return 0 on failure, else 1. */
-int opt_cipher(const char *name, EVP_CIPHER **cipherp)
+int opt_cipher_silent(const char *name, EVP_CIPHER **cipherp)
{
- *cipherp = EVP_CIPHER_fetch(NULL, name, NULL);
- if (*cipherp != NULL)
- return 1;
- *cipherp = (EVP_CIPHER *)EVP_get_cipherbyname(name);
- if (*cipherp != NULL)
+ EVP_CIPHER_free(*cipherp);
+
+ ERR_set_mark();
+ if ((*cipherp = EVP_CIPHER_fetch(NULL, name, NULL)) != NULL
+ || (*cipherp = (EVP_CIPHER *)EVP_get_cipherbyname(name)) != NULL) {
+ ERR_pop_to_mark();
return 1;
- opt_printf_stderr("%s: Unknown cipher: %s\n", prog, name);
+ }
+ ERR_clear_last_mark();
return 0;
}
+int opt_cipher(const char *name, EVP_CIPHER **cipherp)
+{
+ int ret;
+
+ if ((ret = opt_cipher_silent(name, cipherp)) == 0)
+ opt_printf_stderr("%s: Unknown cipher: %s\n", prog, name);
+ return ret;
+}
+
/*
* Parse message digest name, put it in *EVP_MD; return 0 on failure, else 1.
*/
-int opt_md(const char *name, EVP_MD **mdp)
+int opt_md_silent(const char *name, EVP_MD **mdp)
{
- *mdp = (EVP_MD *)EVP_get_digestbyname(name);
- if (*mdp != NULL)
- return 1;
- *mdp = EVP_MD_fetch(NULL, name, NULL);
- if (*mdp != NULL)
+ EVP_MD_free(*mdp);
+
+ ERR_set_mark();
+ if ((*mdp = EVP_MD_fetch(NULL, name, NULL)) != NULL
+ || (*mdp = (EVP_MD *)EVP_get_digestbyname(name)) != NULL) {
+ ERR_pop_to_mark();
return 1;
- opt_printf_stderr("%s: Unknown option or message digest: %s\n", prog,
- name != NULL ? name : "\"\"");
+ }
+ ERR_clear_last_mark();
return 0;
}
+int opt_md(const char *name, EVP_MD **mdp)
+{
+ int ret;
+
+ if ((ret = opt_md_silent(name, mdp)) == 0)
+ opt_printf_stderr("%s: Unknown option or message digest: %s\n", prog,
+ name != NULL ? name : "\"\"");
+ return ret;
+}
+
/* Look through a list of name/value pairs. */
int opt_pair(const char *name, const OPT_PAIR* pairs, int *result)
{
diff --git a/apps/req.c b/apps/req.c
index 4e1cae6ba6..89bde55b93 100644
--- a/apps/req.c
+++ b/apps/req.c
@@ -240,7 +240,7 @@ int req_main(int argc, char **argv)
X509 *new_x509 = NULL, *CAcert = NULL;
X509_REQ *req = NULL;
EVP_CIPHER *cipher = NULL;
- EVP_MD *md_alg = NULL, *digest = NULL;
+ EVP_MD *digest = NULL;
int ext_copy = EXT_COPY_UNSET;
BIO *addext_bio = NULL;
char *extensions = NULL;
@@ -482,9 +482,8 @@ int req_main(int argc, char **argv)
goto end;
if (digestname != NULL) {
- if (!opt_md(digestname, &md_alg))
+ if (!opt_md(digestname, &digest))
goto opthelp;
- digest = md_alg;
}
if (!gen_x509) {
@@ -536,14 +535,13 @@ int req_main(int argc, char **argv)
if (!add_oid_section(req_conf))
goto end;
- if (md_alg == NULL) {
+ if (digest == NULL) {
p = NCONF_get_string(req_conf, section, "default_md");
if (p == NULL) {
ERR_clear_error();
} else {
- if (!opt_md(p, &md_alg))
+ if (!opt_md(p, &digest))
goto opthelp;
- digest = md_alg;
}
}
@@ -1058,7 +1056,6 @@ int req_main(int argc, char **argv)
BIO_free(addext_bio);
BIO_free_all(out);
EVP_PKEY_free(pkey);
- EVP_MD_free(md_alg);
EVP_MD_free(digest);
EVP_PKEY_CTX_free(genctx);
sk_OPENSSL_STRING_free(pkeyopts);
diff --git a/apps/speed.c b/apps/speed.c
index 939baf934d..5363b0d7f8 100644
--- a/apps/speed.c
+++ b/apps/speed.c
@@ -502,73 +502,35 @@ static const char *evp_md_name = NULL;
static char *evp_mac_ciphername = "aes-128-cbc";
static char *evp_cmac_name = NULL;
-static EVP_MD *obtain_md(const char *name, int *fetched)
-{
- EVP_MD *md = NULL;
-
- *fetched = 0;
- /* Look through providers' digests */
- ERR_set_mark();
- md = EVP_MD_fetch(NULL, name, NULL);
- ERR_pop_to_mark();
- if (md != NULL) {
- *fetched = 1;
- return md;
- }
-
- return (EVP_MD *)EVP_get_digestbyname(name);
-}
-
static int have_md(const char *name)
{
- int fetched = 0;
int ret = 0;
- EVP_MD *md = obtain_md(name, &fetched);
+ EVP_MD *md = NULL;
- if (md != NULL) {
+ if (opt_md_silent(name, &md)) {
EVP_MD_CTX *ctx = EVP_MD_CTX_new();
if (ctx != NULL && EVP_DigestInit(ctx, md) > 0)
ret = 1;
EVP_MD_CTX_free(ctx);
- if (fetched)
- EVP_MD_free(md);
+ EVP_MD_free(md);
}
return ret;
}
-static EVP_CIPHER *obtain_cipher(const char *name, int *fetched)
-{
- EVP_CIPHER *cipher = NULL;
-
- *fetched = 0;
- /* Look through providers' digests */
- ERR_set_mark();
- cipher = EVP_CIPHER_fetch(NULL, name, NULL);
- ERR_pop_to_mark();
- if (cipher != NULL) {
- *fetched = 1;
- return cipher;
- }
-
- return (EVP_CIPHER *)EVP_get_cipherbyname(name);
-}
-
static int have_cipher(const char *name)
{
- int fetched = 0;
int ret = 0;
- EVP_CIPHER *cipher = obtain_cipher(name, &fetched);
+ EVP_CIPHER *cipher = NULL;
- if (cipher != NULL) {
+ if (opt_cipher_silent(name, &cipher)) {
EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
if (ctx != NULL
&& EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, 1) > 0)
ret = 1;
EVP_CIPHER_CTX_free(ctx);
- if (fetched)
- EVP_CIPHER_free(cipher);
+ EVP_CIPHER_free(cipher);
}
return ret;
}
@@ -578,10 +540,10 @@ static int EVP_Digest_loop(const char *mdname, int algindex, void *args)
loopargs_t *tempargs = *(loopargs_t **) args;
unsigned char *buf = tempargs->buf;
unsigned char digest[EVP_MAX_MD_SIZE];
- int count, fetched = 0;
- EVP_MD *md = obtain_md(mdname, &fetched);
+ int count;
+ EVP_MD *md = NULL;
- if (md == NULL)
+ if (!opt_md_silent(mdname, &md))
return -1;
for (count = 0; COND(c[algindex][testnum]); count++) {
if (!EVP_Digest(buf, (size_t)lengths[testnum], digest, NULL, md,
@@ -590,8 +552,7 @@ static int EVP_Digest_loop(const char *mdname, int algindex, void *args)
break;
}
}
- if (fetched)
- EVP_MD_free(md);
+ EVP_MD_free(md);
return count;
}
@@ -714,10 +675,9 @@ static EVP_CIPHER_CTX *init_evp_cipher_ctx(const char *ciphername,
int keylen)
{
EVP_CIPHER_CTX *ctx = NULL;
- int fetched = 0;
- EVP_CIPHER *cipher = obtain_cipher(ciphername, &fetched);
+ EVP_CIPHER *cipher = NULL;
- if (cipher == NULL)
+ if (!opt_cipher_silent(ciphername, &cipher))
return NULL;
if ((ctx = EVP_CIPHER_CTX_new()) == NULL)
@@ -742,8 +702,7 @@ static EVP_CIPHER_CTX *init_evp_cipher_ctx(const char *ciphername,
}
end:
- if (fetched)
- EVP_CIPHER_free(cipher);
+ EVP_CIPHER_free(cipher);
return ctx;
}
@@ -1388,7 +1347,6 @@ int speed_main(int argc, char **argv)
unsigned int i, k, loopargs_len = 0, async_jobs = 0;
int keylen;
int buflen;
- int fetched_cipher = 0;
BIGNUM *bn = NULL;
EVP_PKEY_CTX *genctx = NULL;
#ifndef NO_FORK
@@ -1533,17 +1491,19 @@ int speed_main(int argc, char **argv)
BIO_printf(bio_err, "%s: -evp option cannot be used more than once\n", prog);
goto opterr;
}
- evp_cipher = obtain_cipher(opt_arg(), &fetched_cipher);
- if (evp_cipher == NULL) {
+ ERR_set_mark();
+ if (!opt_cipher_silent(opt_arg(), &evp_cipher)) {
if (have_md(opt_arg()))
evp_md_name = opt_arg();
}
if (evp_cipher == NULL && evp_md_name == NULL) {
+ ERR_clear_last_mark();
BIO_printf(bio_err,
"%s: %s is an unknown cipher or digest\n",
prog, opt_arg());
goto end;
}
+ ERR_pop_to_mark();
doit[D_EVP] = 1;
break;
case OPT_HMAC:
@@ -2294,17 +2254,15 @@ int speed_main(int argc, char **argv)
if (doit[D_EVP_CMAC]) {
EVP_MAC *mac = EVP_MAC_fetch(NULL, "CMAC", NULL);
OSSL_PARAM params[3];
- EVP_CIPHER *cipher;
- int fetched = 0;
+ EVP_CIPHER *cipher = NULL;
if (mac == NULL || evp_mac_ciphername == NULL)
goto end;
- if ((cipher = obtain_cipher(evp_mac_ciphername, &fetched)) == NULL)
+ if (!opt_cipher(evp_mac_ciphername, &cipher))
goto end;
keylen = EVP_CIPHER_key_length(cipher);
- if (fetched)
- EVP_CIPHER_free(cipher);
+ EVP_CIPHER_free(cipher);
if (keylen <= 0 || keylen > (int)sizeof(key32)) {
BIO_printf(bio_err, "\nRequested CMAC cipher with unsupported key length.\n");
goto end;
@@ -3360,9 +3318,7 @@ int speed_main(int argc, char **argv)
}
OPENSSL_free(loopargs);
release_engine(e);
- if (fetched_cipher) {
- EVP_CIPHER_free(evp_cipher);
- }
+ EVP_CIPHER_free(evp_cipher);
return ret;
}
diff --git a/crypto/crmf/crmf_lib.c b/crypto/crmf/crmf_lib.c
index 6cea644cfc..e26637d0a4 100644
--- a/crypto/crmf/crmf_lib.c
+++ b/crypto/crmf/crmf_lib.c
@@ -30,6 +30,7 @@
#include "crmf_local.h"
#include "internal/constant_time.h"
+#include "internal/sizes.h"
/* explicit #includes not strictly needed since implied by the above: */
#include <openssl/crmf.h>
@@ -589,24 +590,37 @@ X509
EVP_CIPHER_CTX *evp_ctx = NULL; /* context for symmetric encryption */
unsigned char *ek = NULL; /* decrypted symmetric encryption key */
size_t eksize = 0; /* size of decrypted symmetric encryption key */
- const EVP_CIPHER *cipher = NULL; /* used cipher */
+ EVP_CIPHER *cipher = NULL; /* used cipher */
int cikeysize = 0; /* key size from cipher */
unsigned char *iv = NULL; /* initial vector for symmetric encryption */
unsigned char *outbuf = NULL; /* decryption output buffer */
const unsigned char *p = NULL; /* needed for decoding ASN1 */
int n, outlen = 0;
EVP_PKEY_CTX *pkctx = NULL; /* private key context */
+ char name[OSSL_MAX_NAME_SIZE];
if (ecert == NULL || ecert->symmAlg == NULL || ecert->encSymmKey == NULL
|| ecert->encValue == NULL || pkey == NULL) {
ERR_raise(ERR_LIB_CRMF, CRMF_R_NULL_ARGUMENT);
return NULL;
}
+
/* select symmetric cipher based on algorithm given in message */
- if ((cipher = EVP_get_cipherbyobj(ecert->symmAlg->algorithm)) == NULL) {
+ OBJ_obj2txt(name, sizeof(name), ecert->symmAlg->algorithm, 0);
+
+ (void)ERR_set_mark();
+ cipher = EVP_CIPHER_fetch(NULL, name, NULL);
+
+ if (cipher == NULL)
+ cipher = (EVP_CIPHER *)EVP_get_cipherbyname(name);
+
+ if (cipher == NULL) {
+ (void)ERR_clear_last_mark();
ERR_raise(ERR_LIB_CRMF, CRMF_R_UNSUPPORTED_CIPHER);
goto end;
}
+ (void)ERR_pop_to_mark();
+
cikeysize = EVP_CIPHER_key_length(cipher);
/* first the symmetric key needs to be decrypted */
pkctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, propq);
@@ -670,6 +684,7 @@ X509
EVP_PKEY_CTX_free(pkctx);
OPENSSL_free(outbuf);
EVP_CIPHER_CTX_free(evp_ctx);
+ EVP_CIPHER_free(cipher);
OPENSSL_clear_free(ek, eksize);
OPENSSL_free(iv);
return cert;
diff --git a/crypto/ess/ess_lib.c b/crypto/ess/ess_lib.c
index ebfe5b93c7..6ded9f6328 100644
--- a/crypto/ess/ess_lib.c
+++ b/crypto/ess/ess_lib.c
@@ -11,6 +11,7 @@
#include <openssl/x509v3.h>
#include <openssl/err.h>
#include <openssl/ess.h>
+#include "internal/sizes.h"
#include "crypto/ess.h"
#include "crypto/x509.h"
@@ -302,36 +303,48 @@ static int find(const ESS_CERT_ID *cid, const ESS_CERT_ID_V2 *cid_v2,
int index, const STACK_OF(X509) *certs)
{
const X509 *cert;
- const EVP_MD *md;
+ EVP_MD *md = NULL;
+ char name[OSSL_MAX_NAME_SIZE];
unsigned char cert_digest[EVP_MAX_MD_SIZE];
unsigned int len, cid_hash_len;
const ESS_ISSUER_SERIAL *is;
int i;
+ int ret = -1;
if (cid == NULL && cid_v2 == NULL) {
ERR_raise(ERR_LIB_ESS, ERR_R_PASSED_INVALID_ARGUMENT);
return -1;
}
+ if (cid != NULL)
+ strcpy(name, "SHA1");
+ else if (cid_v2->hash_alg == NULL)
+ strcpy(name, "SHA256");
+ else
+ OBJ_obj2txt(name, sizeof(name), cid_v2->hash_alg->algorithm, 0);
+
+ (void)ERR_set_mark();
+ md = EVP_MD_fetch(NULL, name, NULL);
+
+ if (md == NULL)
+ md = (EVP_MD *)EVP_get_digestbyname(name);
+
+ if (md == NULL) {
+ (void)ERR_clear_last_mark();
+ ERR_raise(ERR_LIB_ESS, ESS_R_ESS_DIGEST_ALG_UNKNOWN);
+ goto end;
+ }
+ (void)ERR_pop_to_mark();
+
/* Look for cert with cid in the certs. */
for (i = 0; i < sk_X509_num(certs); ++i) {
cert = sk_X509_value(certs, i);
- if (cid != NULL)
- md = EVP_sha1();
- else
- md = cid_v2->hash_alg == NULL ? EVP_sha256() :
- EVP_get_digestbyobj(cid_v2->hash_alg->algorithm);
- if (md == NULL) {
- ERR_raise(ERR_LIB_ESS, ESS_R_ESS_DIGEST_ALG_UNKNOWN);
- return -1;
- }
-
cid_hash_len = cid != NULL ? cid->hash->length : cid_v2->hash->length;
if (!X509_digest(cert, md, cert_digest, &len)
|| cid_hash_len != len) {
ERR_raise(ERR_LIB_ESS, ESS_R_ESS_CERT_DIGEST_ERROR);
- return -1;
+ goto end;
}
if (memcmp(cid != NULL ? cid->hash->data : cid_v2->hash->data,
@@ -339,16 +352,21 @@ static int find(const ESS_CERT_ID *cid, const ESS_CERT_ID_V2 *cid_v2,
is = cid != NULL ? cid->issuer_serial : cid_v2->issuer_serial;
/* Well, it's not really required to match the serial numbers. */
if (is == NULL || ess_issuer_serial_cmp(is, cert) == 0) {
- if ((i == 0) == (index == 0))
- return i + 1;
+ if ((i == 0) == (index == 0)) {
+ ret = i + 1;
+ goto end;
+ }
ERR_raise(ERR_LIB_ESS, ESS_R_ESS_CERT_ID_WRONG_ORDER);
- return -1;
+ goto end;
}
}
}
+ ret = 0;
ERR_raise(ERR_LIB_ESS, ESS_R_ESS_CERT_ID_NOT_FOUND);
- return 0;
+end:
+ EVP_MD_free(md);
+ return ret;
}
/*
diff --git a/crypto/ocsp/ocsp_vfy.c b/crypto/ocsp/ocsp_vfy.c
index 02af58437c..4231c3f2b2 100644
--- a/crypto/ocsp/ocsp_vfy.c
+++ b/crypto/ocsp/ocsp_vfy.c
@@ -7,10 +7,11 @@
* https://www.openssl.org/source/license.html
*/
+#include <string.h>
#include <openssl/ocsp.h>
-#include "ocsp_local.h"
#include <openssl/err.h>
-#include <string.h>
+#include "internal/sizes.h"
+#include "ocsp_local.h"
static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs,
STACK_OF(X509) *certs, unsigned long flags);
@@ -302,42 +303,56 @@ static int ocsp_check_ids(STACK_OF(OCSP_SINGLERESP) *sresp, OCSP_CERTID **ret)
static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid,
STACK_OF(OCSP_SINGLERESP) *sresp)
{
+ int ret = -1;
+ EVP_MD *dgst = NULL;
+
/* If only one ID to match then do it */
if (cid != NULL) {
- const EVP_MD *dgst = EVP_get_digestbyobj(cid->hashAlgorithm.algorithm);
+ char name[OSSL_MAX_NAME_SIZE];
const X509_NAME *iname;
int mdlen;
unsigned char md[EVP_MAX_MD_SIZE];
+ OBJ_obj2txt(name, sizeof(name), cid->hashAlgorithm.algorithm, 0);
+
+ (void)ERR_set_mark();
+ dgst = EVP_MD_fetch(NULL, name, NULL);
+ if (dgst == NULL)
+ dgst = (EVP_MD *)EVP_get_digestbyname(name);
+
if (dgst == NULL) {
+ (void)ERR_clear_last_mark();
ERR_raise(ERR_LIB_OCSP, OCSP_R_UNKNOWN_MESSAGE_DIGEST);
- return -1;
+ goto end;
}
+ (void)ERR_pop_to_mark();
mdlen = EVP_MD_size(dgst);
if (mdlen < 0) {
ERR_raise(ERR_LIB_OCSP, OCSP_R_DIGEST_SIZE_ERR);
- return -1;
+ goto end;
}
if (cid->issuerNameHash.length != mdlen ||
- cid->issuerKeyHash.length != mdlen)
- return 0;
+ cid->issuerKeyHash.length != mdlen) {
+ ret = 0;
+ goto end;
+ }
iname = X509_get_subject_name(cert);
- if (!X509_NAME_digest(iname, dgst, md, NULL)) {
- ERR_raise(ERR_LIB_OCSP, OCSP_R_DIGEST_NAME_ERR);
- return -1;
+ if (!X509_NAME_digest(iname, dgst, md, NULL))
+ goto end;
+ if (memcmp(md, cid->issuerNameHash.data, mdlen) != 0) {
+ ret = 0;
+ goto end;
}
- if (memcmp(md, cid->issuerNameHash.data, mdlen) != 0)
- return 0;
if (!X509_pubkey_digest(cert, dgst, md, NULL)) {
ERR_raise(ERR_LIB_OCSP, OCSP_R_DIGEST_ERR);
- return -1;
+ goto end;
}
- if (memcmp(md, cid->issuerKeyHash.data, mdlen) != 0)
- return 0;
+ ret = memcmp(md, cid->issuerKeyHash.data, mdlen) == 0;
+ goto end;
} else {
/* We have to match the whole lot */
- int i, ret;
+ int i;
OCSP_CERTID *tmpid;
for (i = 0; i < sk_OCSP_SINGLERESP_num(sresp); i++) {
@@ -348,6 +363,9 @@ static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid,
}
}
return 1;
+end:
+ EVP_MD_free(dgst);
+ return ret;
}
static int ocsp_check_delegated(X509 *x)
diff --git a/crypto/ts/ts_rsp_verify.c b/crypto/ts/ts_rsp_verify.c
index f307e29fda..09daa2a449 100644
--- a/crypto/ts/ts_rsp_verify.c
+++ b/crypto/ts/ts_rsp_verify.c
@@ -8,12 +8,13 @@
*/
#include <stdio.h>
-#include "internal/cryptlib.h"
#include <openssl/objects.h>
#include <openssl/ts.h>
#include <openssl/pkcs7.h>
-#include "ts_local.h"
+#include "internal/cryptlib.h"
+#include "internal/sizes.h"
#include "crypto/ess.h"
+#include "ts_local.h"
static int ts_verify_cert(X509_STORE *store, STACK_OF(X509) *untrusted,
X509 *signer, STACK_OF(X509) **chain);
@@ -395,9 +396,10 @@ static int ts_compute_imprint(BIO *data, TS_TST_INFO *tst_info,
{
TS_MSG_IMPRINT *msg_imprint = tst_info->msg_imprint;
X509_ALGOR *md_alg_resp = msg_imprint->hash_algo;
- const EVP_MD *md;
+ EVP_MD *md = NULL;
EVP_MD_CTX *md_ctx = NULL;
unsigned char buffer[4096];
+ char name[OSSL_MAX_NAME_SIZE];
int length;
*md_alg = NULL;
@@ -405,10 +407,21 @@ static int ts_compute_imprint(BIO *data, TS_TST_INFO *tst_info,
if ((*md_alg = X509_ALGOR_dup(md_alg_resp)) == NULL)
goto err;
- if ((md = EVP_get_digestbyobj((*md_alg)->algorithm)) == NULL) {
- ERR_raise(ERR_LIB_TS, TS_R_UNSUPPORTED_MD_ALGORITHM);
+
+ OBJ_obj2txt(name, sizeof(name), md_alg_resp->algorithm, 0);
+
+ (void)ERR_set_mark();
+ md = EVP_MD_fetch(NULL, name, NULL);
+
+ if (md == NULL)
+ md = (EVP_MD *)EVP_get_digestbyname(name);
+
+ if (md == NULL) {
+ (void)ERR_clear_last_mark();
goto err;
}
+ (void)ERR_pop_to_mark();
+
length = EVP_MD_size(md);
if (length < 0)
goto err;
@@ -425,6 +438,8 @@ static int ts_compute_imprint(BIO *data, TS_TST_INFO *tst_info,
}
if (!EVP_DigestInit(md_ctx, md))
goto err;
+ EVP_MD_free(md);
+ md = NULL;
while ((length = BIO_read(data, buffer, sizeof(buffer))) > 0) {
if (!EVP_DigestUpdate(md_ctx, buffer, length))
goto err;
@@ -436,6 +451,7 @@ static int ts_compute_imprint(BIO *data, TS_TST_INFO *tst_info,
return 1;
err:
EVP_MD_CTX_free(md_ctx);
+ EVP_MD_free(md);
X509_ALGOR_free(*md_alg);
*md_alg = NULL;
OPENSSL_free(*imprint);
diff --git a/test/recipes/20-test_dgst.t b/test/recipes/20-test_dgst.t
index 0c19c029a0..451bcabbb1 100644
--- a/test/recipes/20-test_dgst.t
+++ b/test/recipes/20-test_dgst.t
@@ -111,7 +111,7 @@ subtest "HMAC generation with `dgst` CLI" => sub {
my @hmacdata = run(app(['openssl', 'dgst', '-sha256', '-hmac', '123456',
$testdata, $testdata]), capture => 1);
chomp(@hmacdata);
- my $expected = qr/HMAC-SHA256\(\Q$testdata\E\)= 6f12484129c4a761747f13d8234a1ff0e074adb34e9e9bf3a155c391b97b9a7c/;
+ my $expected = qr/HMAC-SHA2-256\(\Q$testdata\E\)= 6f12484129c4a761747f13d8234a1ff0e074adb34e9e9bf3a155c391b97b9a7c/;
ok($hmacdata[0] =~ $expected, "HMAC: Check HMAC value is as expected ($hmacdata[0]) vs ($expected)");
ok($hmacdata[1] =~ $expected,
"HMAC: Check second HMAC value is consistent with the first ($hmacdata[1]) vs ($expected)");
@@ -125,7 +125,7 @@ subtest "Custom length XOF digest generation with `dgst` CLI" => sub {
my @xofdata = run(app(['openssl', 'dgst', '-shake128', '-xoflen', '64',
$testdata, $testdata]), capture => 1);
chomp(@xofdata);
- my $expected = qr/SHAKE128\(\Q$testdata\E\)= bb565dac72640109e1c926ef441d3fa64ffd0b3e2bf8cd73d5182dfba19b6a8a2eab96d2df854b647b3795ef090582abe41ba4e0717dc4df40bc4e17d88e4677/;
+ my $expected = qr/SHAKE-128\(\Q$testdata\E\)= bb565dac72640109e1c926ef441d3fa64ffd0b3e2bf8cd73d5182dfba19b6a8a2eab96d2df854b647b3795ef090582abe41ba4e0717dc4df40bc4e17d88e4677/;
ok($xofdata[0] =~ $expected, "XOF: Check digest value is as expected ($xofdata[0]) vs ($expected)");
ok($xofdata[1] =~ $expected,
"XOF: Check second digest value is consistent with the first ($xofdata[1]) vs ($expected)");
diff --git a/test/recipes/25-test_crl.t b/test/recipes/25-test_crl.t
index 4b487867f5..128ad116ff 100644
--- a/test/recipes/25-test_crl.t
+++ b/test/recipes/25-test_crl.t
@@ -34,7 +34,7 @@ ok(compare1stline([qw{openssl crl -noout -fingerprint -in},
'SHA1 Fingerprint=BA:F4:1B:AD:7A:9B:2F:09:16:BC:60:A7:0E:CE:79:2E:36:00:E7:B2'));
ok(compare1stline([qw{openssl crl -noout -fingerprint -sha256 -in},
srctop_file('test', 'testcrl.pem')],
- 'SHA256 Fingerprint=B3:A9:FD:A7:2E:8C:3D:DF:D0:F1:C3:1A:96:60:B5:FD:B0:99:7C:7F:0E:E4:34:F5:DB:87:62:36:BC:F1:BC:1B'));
+ 'SHA2-256 Fingerprint=B3:A9:FD:A7:2E:8C:3D:DF:D0:F1:C3:1A:96:60:B5:FD:B0:99:7C:7F:0E:E4:34:F5:DB:87:62:36:BC:F1:BC:1B'));
ok(run(app(["openssl", "crl", "-text", "-in", $pem, "-out", $out,
"-nameopt", "utf8"])));
diff --git a/test/recipes/95-test_external_gost_engine.t b/test/recipes/95-test_external_gost_engine.t
index 643e45fc93..37daaf7eca 100644
--- a/test/recipes/95-test_external_gost_engine.t
+++ b/test/recipes/95-test_external_gost_engine.t
@@ -9,7 +9,7 @@
use OpenSSL::Test;
use OpenSSL::Test::Utils;
-use OpenSSL::Test qw/:DEFAULT bldtop_file data_file srctop_file cmdstr/;
+use OpenSSL::Test qw/:DEFAULT data_file bldtop_dir srctop_dir cmdstr/;
setup("test_external_gost_engine");
@@ -19,6 +19,8 @@ plan skip_all => "GOST engine tests not available on Windows or VMS"
if $^O =~ /^(VMS|MSWin32)$/;
plan skip_all => "GOST engine tests only available in a shared build"
if disabled("shared");
+plan skip_all => "GOST engine tests not supported in out of tree builds"
+ if bldtop_dir() ne srctop_dir();
plan tests => 1;
More information about the openssl-commits
mailing list