[openssl] master update
beldmit at gmail.com
beldmit at gmail.com
Fri Apr 30 19:04:00 UTC 2021
The branch master has been updated
via 91034b68b39e3525f09fb263b9272de410a3ba4c (commit)
from 4489655c23f1f7f412309e25a5b9fd7acf7db3f2 (commit)
- Log -----------------------------------------------------------------
commit 91034b68b39e3525f09fb263b9272de410a3ba4c
Author: Petr Gotthard <petr.gotthard at centrum.cz>
Date: Sat Apr 24 12:40:36 2021 +0200
apps/ca,req,x509: Switch to EVP_DigestSignInit_ex
Switch lib/apps.c do_sign_init() to use EVP_DigestSignInit_ex, so it
works with external providers.
Since EVP_DigestSignInit_ex requires a digest name instead of
an EVP_MD pointer, the apps using do_sign_init() had to be modified
to pass char* instead of EVP_MD*.
Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit at gmail.com>
(Merged from https://github.com/openssl/openssl/pull/15014)
-----------------------------------------------------------------------
Summary of changes:
apps/ca.c | 47 +++++++++++++++++++++--------------------------
apps/include/apps.h | 6 +++---
apps/lib/apps.c | 20 +++++++++++---------
apps/req.c | 19 +++++--------------
apps/x509.c | 32 ++++++++++++++++++--------------
5 files changed, 58 insertions(+), 66 deletions(-)
diff --git a/apps/ca.c b/apps/ca.c
index 2476343fdd..4f125b22a9 100755
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -90,7 +90,7 @@ static char *lookup_conf(const CONF *conf, const char *group, const char *tag);
static int certify(X509 **xret, const char *infile, int informat,
EVP_PKEY *pkey, X509 *x509,
- const EVP_MD *dgst,
+ const char *dgst,
STACK_OF(OPENSSL_STRING) *sigopts,
STACK_OF(OPENSSL_STRING) *vfyopts,
STACK_OF(CONF_VALUE) *policy, CA_DB *db,
@@ -102,7 +102,7 @@ static int certify(X509 **xret, const char *infile, int informat,
int default_op, int ext_copy, int selfsign);
static int certify_cert(X509 **xret, const char *infile, int certformat,
const char *passin, EVP_PKEY *pkey, X509 *x509,
- const EVP_MD *dgst,
+ const char *dgst,
STACK_OF(OPENSSL_STRING) *sigopts,
STACK_OF(OPENSSL_STRING) *vfyopts,
STACK_OF(CONF_VALUE) *policy, CA_DB *db,
@@ -112,7 +112,7 @@ static int certify_cert(X509 **xret, const char *infile, int certformat,
CONF *conf, int verbose, unsigned long certopt,
unsigned long nameopt, int default_op, int ext_copy);
static int certify_spkac(X509 **xret, const char *infile, EVP_PKEY *pkey,
- X509 *x509, const EVP_MD *dgst,
+ X509 *x509, const char *dgst,
STACK_OF(OPENSSL_STRING) *sigopts,
STACK_OF(CONF_VALUE) *policy, CA_DB *db,
BIGNUM *serial, const char *subj, unsigned long chtype,
@@ -121,7 +121,7 @@ static int certify_spkac(X509 **xret, const char *infile, EVP_PKEY *pkey,
int verbose, unsigned long certopt,
unsigned long nameopt, int default_op, int ext_copy);
static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
- const EVP_MD *dgst, STACK_OF(OPENSSL_STRING) *sigopts,
+ const char *dgst, STACK_OF(OPENSSL_STRING) *sigopts,
STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial,
const char *subj, unsigned long chtype, int multirdn,
int email_dn, const char *startdate, const char *enddate, long days,
@@ -270,9 +270,9 @@ int ca_main(int argc, char **argv)
STACK_OF(OPENSSL_STRING) *sigopts = NULL, *vfyopts = NULL;
STACK_OF(X509) *cert_sk = NULL;
X509_CRL *crl = NULL;
- EVP_MD *dgst = NULL;
char *configfile = default_config_file, *section = NULL;
- char *md = NULL, *policy = NULL, *keyfile = NULL;
+ char def_dgst[80] = "";
+ char *dgst = NULL, *policy = NULL, *keyfile = NULL;
char *certfile = NULL, *crl_ext = NULL, *crlnumberfile = NULL;
int certformat = FORMAT_PEM, informat = FORMAT_PEM;
const char *infile = NULL, *spkac_file = NULL, *ss_cert_file = NULL;
@@ -291,7 +291,7 @@ int ca_main(int argc, char **argv)
int batch = 0, default_op = 1, doupdatedb = 0, ext_copy = EXT_COPY_NONE;
int keyformat = FORMAT_PEM, multirdn = 1, notext = 0, output_der = 0;
int ret = 1, email_dn = 1, req = 0, verbose = 0, gencrl = 0, dorevoke = 0;
- int rand_ser = 0, i, j, selfsign = 0, def_nid, def_ret;
+ int rand_ser = 0, i, j, selfsign = 0, def_ret;
char *crl_lastupdate = NULL, *crl_nextupdate = NULL;
long crldays = 0, crlhours = 0, crlsec = 0, days = 0;
unsigned long chtype = MBSTRING_ASC, certopt = 0;
@@ -358,7 +358,7 @@ opthelp:
days = atoi(opt_arg());
break;
case OPT_MD:
- md = opt_arg();
+ dgst = opt_arg();
break;
case OPT_POLICY:
policy = opt_arg();
@@ -788,28 +788,25 @@ end_of_options:
}
}
- def_ret = EVP_PKEY_get_default_digest_nid(pkey, &def_nid);
+ def_ret = EVP_PKEY_get_default_digest_name(pkey, def_dgst, sizeof(def_dgst));
/*
- * EVP_PKEY_get_default_digest_nid() returns 2 if the digest is
+ * EVP_PKEY_get_default_digest_name() returns 2 if the digest is
* mandatory for this algorithm.
*/
- if (def_ret == 2 && def_nid == NID_undef) {
+ if (def_ret == 2 && strcmp(def_dgst, "UNDEF") == 0) {
/* The signing algorithm requires there to be no digest */
- dgst = (EVP_MD *)EVP_md_null();
- } else if (md == NULL
- && (md = lookup_conf(conf, section, ENV_DEFAULT_MD)) == NULL) {
+ dgst = NULL;
+ } else if (dgst == NULL
+ && (dgst = lookup_conf(conf, section, ENV_DEFAULT_MD)) == NULL) {
goto end;
} else {
- if (strcmp(md, "default") == 0) {
+ if (strcmp(dgst, "default") == 0) {
if (def_ret <= 0) {
BIO_puts(bio_err, "no default digest\n");
goto end;
}
- md = (char *)OBJ_nid2sn(def_nid);
+ dgst = def_dgst;
}
-
- if (!opt_md(md, &dgst))
- goto end;
}
if (req) {
@@ -821,8 +818,7 @@ end_of_options:
email_dn = 0;
}
if (verbose)
- BIO_printf(bio_err, "message digest is %s\n",
- EVP_MD_name(dgst));
+ BIO_printf(bio_err, "message digest is %s\n", dgst);
if (policy == NULL
&& (policy = lookup_conf(conf, section, ENV_POLICY)) == NULL)
goto end;
@@ -1330,7 +1326,6 @@ end_of_options:
sk_OPENSSL_STRING_free(sigopts);
sk_OPENSSL_STRING_free(vfyopts);
EVP_PKEY_free(pkey);
- EVP_MD_free(dgst);
X509_free(x509);
X509_CRL_free(crl);
NCONF_free(conf);
@@ -1349,7 +1344,7 @@ static char *lookup_conf(const CONF *conf, const char *section, const char *tag)
static int certify(X509 **xret, const char *infile, int informat,
EVP_PKEY *pkey, X509 *x509,
- const EVP_MD *dgst,
+ const char *dgst,
STACK_OF(OPENSSL_STRING) *sigopts,
STACK_OF(OPENSSL_STRING) *vfyopts,
STACK_OF(CONF_VALUE) *policy, CA_DB *db,
@@ -1407,7 +1402,7 @@ static int certify(X509 **xret, const char *infile, int informat,
static int certify_cert(X509 **xret, const char *infile, int certformat,
const char *passin, EVP_PKEY *pkey, X509 *x509,
- const EVP_MD *dgst,
+ const char *dgst,
STACK_OF(OPENSSL_STRING) *sigopts,
STACK_OF(OPENSSL_STRING) *vfyopts,
STACK_OF(CONF_VALUE) *policy, CA_DB *db,
@@ -1463,7 +1458,7 @@ static int certify_cert(X509 **xret, const char *infile, int certformat,
}
static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
- const EVP_MD *dgst, STACK_OF(OPENSSL_STRING) *sigopts,
+ const char *dgst, STACK_OF(OPENSSL_STRING) *sigopts,
STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial,
const char *subj, unsigned long chtype, int multirdn,
int email_dn, const char *startdate, const char *enddate, long days,
@@ -1964,7 +1959,7 @@ static void write_new_certificate(BIO *bp, X509 *x, int output_der, int notext)
}
static int certify_spkac(X509 **xret, const char *infile, EVP_PKEY *pkey,
- X509 *x509, const EVP_MD *dgst,
+ X509 *x509, const char *dgst,
STACK_OF(OPENSSL_STRING) *sigopts,
STACK_OF(CONF_VALUE) *policy, CA_DB *db,
BIGNUM *serial, const char *subj, unsigned long chtype,
diff --git a/apps/include/apps.h b/apps/include/apps.h
index 9532d396eb..a8556b8132 100644
--- a/apps/include/apps.h
+++ b/apps/include/apps.h
@@ -241,14 +241,14 @@ int x509_req_ctrl_string(X509_REQ *x, const char *value);
int init_gen_str(EVP_PKEY_CTX **pctx,
const char *algname, ENGINE *e, int do_param,
OSSL_LIB_CTX *libctx, const char *propq);
-int do_X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md,
+int do_X509_sign(X509 *x, EVP_PKEY *pkey, const char *md,
STACK_OF(OPENSSL_STRING) *sigopts, X509V3_CTX *ext_ctx);
int do_X509_verify(X509 *x, EVP_PKEY *pkey, STACK_OF(OPENSSL_STRING) *vfyopts);
-int do_X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md,
+int do_X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const char *md,
STACK_OF(OPENSSL_STRING) *sigopts);
int do_X509_REQ_verify(X509_REQ *x, EVP_PKEY *pkey,
STACK_OF(OPENSSL_STRING) *vfyopts);
-int do_X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md,
+int do_X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const char *md,
STACK_OF(OPENSSL_STRING) *sigopts);
extern char *psk_key;
diff --git a/apps/lib/apps.c b/apps/lib/apps.c
index d715e25ff1..bfea59bdc8 100644
--- a/apps/lib/apps.c
+++ b/apps/lib/apps.c
@@ -2152,23 +2152,25 @@ static int do_x509_req_init(X509_REQ *x, STACK_OF(OPENSSL_STRING) *opts)
}
static int do_sign_init(EVP_MD_CTX *ctx, EVP_PKEY *pkey,
- const EVP_MD *md, STACK_OF(OPENSSL_STRING) *sigopts)
+ const char *md, STACK_OF(OPENSSL_STRING) *sigopts)
{
EVP_PKEY_CTX *pkctx = NULL;
- int def_nid;
+ char def_md[80];
if (ctx == NULL)
return 0;
/*
- * EVP_PKEY_get_default_digest_nid() returns 2 if the digest is mandatory
+ * EVP_PKEY_get_default_digest_name() returns 2 if the digest is mandatory
* for this algorithm.
*/
- if (EVP_PKEY_get_default_digest_nid(pkey, &def_nid) == 2
- && def_nid == NID_undef) {
+ if (EVP_PKEY_get_default_digest_name(pkey, def_md, sizeof(def_md)) == 2
+ && strcmp(def_md, "UNDEF") == 0) {
/* The signing algorithm requires there to be no digest */
md = NULL;
}
- return EVP_DigestSignInit(ctx, &pkctx, md, NULL, pkey)
+
+ return EVP_DigestSignInit_ex(ctx, &pkctx, md, app_get0_libctx(),
+ app_get0_propq(), pkey, NULL)
&& do_pkey_ctx_init(pkctx, sigopts);
}
@@ -2201,7 +2203,7 @@ static int adapt_keyid_ext(X509 *cert, X509V3_CTX *ext_ctx,
}
/* Ensure RFC 5280 compliance, adapt keyIDs as needed, and sign the cert info */
-int do_X509_sign(X509 *cert, EVP_PKEY *pkey, const EVP_MD *md,
+int do_X509_sign(X509 *cert, EVP_PKEY *pkey, const char *md,
STACK_OF(OPENSSL_STRING) *sigopts, X509V3_CTX *ext_ctx)
{
const STACK_OF(X509_EXTENSION) *exts = X509_get0_extensions(cert);
@@ -2240,7 +2242,7 @@ int do_X509_sign(X509 *cert, EVP_PKEY *pkey, const EVP_MD *md,
}
/* Sign the certificate request info */
-int do_X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md,
+int do_X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const char *md,
STACK_OF(OPENSSL_STRING) *sigopts)
{
int rv = 0;
@@ -2253,7 +2255,7 @@ int do_X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md,
}
/* Sign the CRL info */
-int do_X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md,
+int do_X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const char *md,
STACK_OF(OPENSSL_STRING) *sigopts)
{
int rv = 0;
diff --git a/apps/req.c b/apps/req.c
index 0a524118f0..5408dc7505 100644
--- a/apps/req.c
+++ b/apps/req.c
@@ -240,12 +240,11 @@ int req_main(int argc, char **argv)
X509 *new_x509 = NULL, *CAcert = NULL;
X509_REQ *req = NULL;
EVP_CIPHER *cipher = NULL;
- EVP_MD *digest = NULL;
int ext_copy = EXT_COPY_UNSET;
BIO *addext_bio = NULL;
char *extensions = NULL;
const char *infile = NULL, *CAfile = NULL, *CAkeyfile = NULL;
- char *outfile = NULL, *keyfile = NULL, *digestname = NULL;
+ char *outfile = NULL, *keyfile = NULL, *digest = NULL;
char *keyalgstr = NULL, *p, *prog, *passargin = NULL, *passargout = NULL;
char *passin = NULL, *passout = NULL;
char *nofree_passin = NULL, *nofree_passout = NULL;
@@ -468,7 +467,7 @@ int req_main(int argc, char **argv)
newreq = precert = 1;
break;
case OPT_MD:
- digestname = opt_unknown();
+ digest = opt_unknown();
break;
}
}
@@ -481,11 +480,6 @@ int req_main(int argc, char **argv)
if (!app_RAND_load())
goto end;
- if (digestname != NULL) {
- if (!opt_md(digestname, &digest))
- goto opthelp;
- }
-
if (!gen_x509) {
if (days != UNSET_DAYS)
BIO_printf(bio_err, "Ignoring -days without -x509; not generating a certificate\n");
@@ -537,12 +531,10 @@ int req_main(int argc, char **argv)
if (digest == NULL) {
p = NCONF_get_string(req_conf, section, "default_md");
- if (p == NULL) {
+ if (p == NULL)
ERR_clear_error();
- } else {
- if (!opt_md(p, &digest))
- goto opthelp;
- }
+ else
+ digest = p;
}
if (extensions == NULL) {
@@ -1056,7 +1048,6 @@ int req_main(int argc, char **argv)
BIO_free(addext_bio);
BIO_free_all(out);
EVP_PKEY_free(pkey);
- EVP_MD_free(digest);
EVP_PKEY_CTX_free(genctx);
sk_OPENSSL_STRING_free(pkeyopts);
sk_OPENSSL_STRING_free(sigopts);
diff --git a/apps/x509.c b/apps/x509.c
index 3c67855e6a..50453c4b7c 100644
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -189,7 +189,7 @@ static void warn_copying(ASN1_OBJECT *excluded, const char *names)
sn);
}
-static X509_REQ *x509_to_req(X509 *cert, EVP_PKEY *pkey, const EVP_MD *digest,
+static X509_REQ *x509_to_req(X509 *cert, EVP_PKEY *pkey, const char *digest,
STACK_OF(OPENSSL_STRING) *sigopts,
int ext_copy, const char *names)
{
@@ -249,7 +249,7 @@ int x509_main(int argc, char **argv)
EVP_PKEY *privkey = NULL, *CAkey = NULL, *pubkey = NULL;
EVP_PKEY *pkey;
int newcert = 0;
- char *subj = NULL, *digestname = NULL;
+ char *subj = NULL, *digest = NULL;
X509_NAME *fsubj = NULL;
const unsigned long chtype = MBSTRING_ASC;
const int multirdn = 1;
@@ -258,7 +258,6 @@ int x509_main(int argc, char **argv)
X509 *x = NULL, *xca = NULL, *issuer_cert;
X509_REQ *req = NULL, *rq = NULL;
X509_STORE *ctx = NULL;
- EVP_MD *digest = NULL;
char *CAkeyfile = NULL, *CAserial = NULL, *pubkeyfile = NULL, *alias = NULL;
char *checkhost = NULL, *checkemail = NULL, *checkip = NULL;
char *ext_names = NULL;
@@ -568,7 +567,7 @@ int x509_main(int argc, char **argv)
preserve_dates = 1;
break;
case OPT_MD:
- digestname = opt_unknown();
+ digest = opt_unknown();
break;
}
}
@@ -581,10 +580,6 @@ int x509_main(int argc, char **argv)
if (!app_RAND_load())
goto end;
- if (digestname != NULL) {
- if (!opt_md(digestname, &digest))
- goto opthelp;
- }
if (preserve_dates && days != UNSET_DAYS) {
BIO_printf(bio_err, "Cannot use -preserve_dates with -days option\n");
goto end;
@@ -971,16 +966,26 @@ int x509_main(int argc, char **argv)
} else if (i == fingerprint) {
unsigned int n;
unsigned char md[EVP_MAX_MD_SIZE];
- const EVP_MD *fdig = digest;
+ const char *fdigname = digest;
+ EVP_MD *fdig;
+ int digres;
- if (fdig == NULL)
- fdig = EVP_sha1();
+ if (fdigname == NULL)
+ fdigname = "SHA1";
- if (!X509_digest(x, fdig, md, &n)) {
+ if ((fdig = EVP_MD_fetch(app_get0_libctx(), fdigname,
+ app_get0_propq())) == NULL) {
+ BIO_printf(bio_err, "Unknown digest\n");
+ goto end;
+ }
+ digres = X509_digest(x, fdig, md, &n);
+ EVP_MD_free(fdig);
+ if (!digres) {
BIO_printf(bio_err, "Out of memory\n");
goto end;
}
- BIO_printf(out, "%s Fingerprint=", EVP_MD_name(fdig));
+
+ BIO_printf(out, "%s Fingerprint=", fdigname);
for (j = 0; j < (int)n; j++)
BIO_printf(out, "%02X%c", md[j], (j + 1 == (int)n) ? '\n' : ':');
} else if (i == ocspid) {
@@ -1038,7 +1043,6 @@ int x509_main(int argc, char **argv)
EVP_PKEY_free(privkey);
EVP_PKEY_free(CAkey);
EVP_PKEY_free(pubkey);
- EVP_MD_free(digest);
sk_OPENSSL_STRING_free(sigopts);
sk_OPENSSL_STRING_free(vfyopts);
X509_REQ_free(rq);
More information about the openssl-commits
mailing list