[openssl] master update

Dr. Paul Dale pauli at openssl.org
Fri Feb 5 00:24:25 UTC 2021


The branch master has been updated
       via  7dc67708c8ae6ec06c7fec34781225ed60b5e68d (commit)
      from  88444854affe31ce08a5daaf4b6afc86e6972c63 (commit)


- Log -----------------------------------------------------------------
commit 7dc67708c8ae6ec06c7fec34781225ed60b5e68d
Author: Petr Gotthard <petr.gotthard at centrum.cz>
Date:   Sat Dec 26 21:32:14 2020 +0100

    apps/openssl: add -propquery command line option
    
    Fixes #13656. Right now all openssl commands use a NULL propq. This
    patch adds a possibility to specify a custom propq.
    
    The implementation follows the example of set_nameopt/get_nameopt.
    
    Various tools had to be modified to call app_get0_propq after it has
    been populated. Otherwise the -propquery has no effect.
    
    The tests then verify the -propquery affects the tool behaviour by
    requesting a non-existing property.
    
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    Reviewed-by: Paul Dale <pauli at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/13707)

-----------------------------------------------------------------------

Summary of changes:
 apps/cms.c                    | 26 ++++++++++++--------------
 apps/genpkey.c                |  5 ++---
 apps/include/apps.h           |  1 +
 apps/include/opt.h            |  8 +++++---
 apps/lib/app_provider.c       |  2 ++
 apps/lib/apps.c               | 11 +++++++++--
 apps/mac.c                    |  2 +-
 apps/pkcs7.c                  |  3 +--
 apps/pkeyutl.c                | 12 ++++++------
 apps/smime.c                  |  7 +++----
 apps/storeutl.c               | 11 +++++------
 doc/man1/openssl.pod          | 20 ++++++++++++++++++++
 doc/perlvars.pm               |  5 ++++-
 test/recipes/15-test_genrsa.t |  5 ++++-
 test/recipes/20-test_mac.t    |  5 +++++
 15 files changed, 80 insertions(+), 43 deletions(-)

diff --git a/apps/cms.c b/apps/cms.c
index e8254cb85c..36fb88e15c 100644
--- a/apps/cms.c
+++ b/apps/cms.c
@@ -28,7 +28,7 @@ static int cms_cb(int ok, X509_STORE_CTX *ctx);
 static void receipt_request_print(CMS_ContentInfo *cms);
 static CMS_ReceiptRequest *make_receipt_request(
     STACK_OF(OPENSSL_STRING) *rr_to, int rr_allorfirst,
-    STACK_OF(OPENSSL_STRING) *rr_from, OSSL_LIB_CTX *libctx, const char *propq);
+    STACK_OF(OPENSSL_STRING) *rr_from, OSSL_LIB_CTX *libctx);
 static int cms_set_pkey_param(EVP_PKEY_CTX *pctx,
                               STACK_OF(OPENSSL_STRING) *param);
 
@@ -303,7 +303,6 @@ int cms_main(int argc, char **argv)
     const char *mime_eol = "\n";
     OPTION_CHOICE o;
     OSSL_LIB_CTX *libctx = app_get0_libctx();
-    const char *propq = app_get0_propq();
 
     if ((vpm = X509_VERIFY_PARAM_new()) == NULL)
         return 1;
@@ -457,7 +456,7 @@ int cms_main(int argc, char **argv)
                     goto opthelp;
             } else {
                 rcms = load_content_info(rctformat, rctin, NULL, "recipient",
-                                         libctx, propq);
+                                         libctx, app_get0_propq());
             }
             break;
         case OPT_CERTFILE:
@@ -870,7 +869,7 @@ int cms_main(int argc, char **argv)
         goto end;
 
     if (operation & SMIME_IP) {
-        cms = load_content_info(informat, in, &indata, "SMIME", libctx, propq);
+        cms = load_content_info(informat, in, &indata, "SMIME", libctx, app_get0_propq());
         if (cms == NULL)
             goto end;
         if (contfile != NULL) {
@@ -901,7 +900,7 @@ int cms_main(int argc, char **argv)
         }
 
         rcms = load_content_info(rctformat, rctin, NULL, "recipient", libctx,
-                                 propq);
+                                 app_get0_propq());
         if (rcms == NULL)
             goto end;
     }
@@ -922,15 +921,15 @@ int cms_main(int argc, char **argv)
     ret = 3;
 
     if (operation == SMIME_DATA_CREATE) {
-        cms = CMS_data_create_ex(in, flags, libctx, propq);
+        cms = CMS_data_create_ex(in, flags, libctx, app_get0_propq());
     } else if (operation == SMIME_DIGEST_CREATE) {
-        cms = CMS_digest_create_ex(in, sign_md, flags, libctx, propq);
+        cms = CMS_digest_create_ex(in, sign_md, flags, libctx, app_get0_propq());
     } else if (operation == SMIME_COMPRESS) {
         cms = CMS_compress(in, -1, flags);
     } else if (operation == SMIME_ENCRYPT) {
         int i;
         flags |= CMS_PARTIAL;
-        cms = CMS_encrypt_ex(NULL, in, cipher, flags, libctx, propq);
+        cms = CMS_encrypt_ex(NULL, in, cipher, flags, libctx, app_get0_propq());
         if (cms == NULL)
             goto end;
         for (i = 0; i < sk_X509_num(encerts); i++) {
@@ -996,7 +995,7 @@ int cms_main(int argc, char **argv)
         }
     } else if (operation == SMIME_ENCRYPTED_ENCRYPT) {
         cms = CMS_EncryptedData_encrypt_ex(in, cipher, secret_key,
-                                           secret_keylen, flags, libctx, propq);
+                                           secret_keylen, flags, libctx, app_get0_propq());
 
     } else if (operation == SMIME_SIGN_RECEIPT) {
         CMS_ContentInfo *srcms = NULL;
@@ -1024,15 +1023,14 @@ int cms_main(int argc, char **argv)
                     flags |= CMS_STREAM;
             }
             flags |= CMS_PARTIAL;
-            cms = CMS_sign_ex(NULL, NULL, other, in, flags, libctx, propq);
+            cms = CMS_sign_ex(NULL, NULL, other, in, flags, libctx, app_get0_propq());
             if (cms == NULL)
                 goto end;
             if (econtent_type != NULL)
                 CMS_set1_eContentType(cms, econtent_type);
 
             if (rr_to != NULL) {
-                rr = make_receipt_request(rr_to, rr_allorfirst, rr_from, libctx,
-                                          propq);
+                rr = make_receipt_request(rr_to, rr_allorfirst, rr_from, libctx);
                 if (rr == NULL) {
                     BIO_puts(bio_err,
                              "Signed Receipt Request Creation Error\n");
@@ -1389,7 +1387,7 @@ static STACK_OF(GENERAL_NAMES) *make_names_stack(STACK_OF(OPENSSL_STRING) *ns)
 static CMS_ReceiptRequest *make_receipt_request(
    STACK_OF(OPENSSL_STRING) *rr_to, int rr_allorfirst,
    STACK_OF(OPENSSL_STRING) *rr_from,
-   OSSL_LIB_CTX *libctx, const char *propq)
+   OSSL_LIB_CTX *libctx)
 {
     STACK_OF(GENERAL_NAMES) *rct_to = NULL, *rct_from = NULL;
     CMS_ReceiptRequest *rr;
@@ -1404,7 +1402,7 @@ static CMS_ReceiptRequest *make_receipt_request(
         rct_from = NULL;
     }
     rr = CMS_ReceiptRequest_create0_ex(NULL, -1, rr_allorfirst, rct_from,
-                                       rct_to, libctx, propq);
+                                       rct_to, libctx, app_get0_propq());
     return rr;
  err:
     sk_GENERAL_NAMES_pop_free(rct_to, GENERAL_NAMES_free);
diff --git a/apps/genpkey.c b/apps/genpkey.c
index 83af5ec88f..bdd8b43e47 100644
--- a/apps/genpkey.c
+++ b/apps/genpkey.c
@@ -68,7 +68,6 @@ int genpkey_main(int argc, char **argv)
     int outformat = FORMAT_PEM, text = 0, ret = 1, rv, do_param = 0;
     int private = 0;
     OSSL_LIB_CTX *libctx = app_get0_libctx();
-    const char *propq = app_get0_propq();
 
     prog = opt_init(argc, argv, genpkey_options);
     while ((o = opt_next()) != OPT_EOF) {
@@ -98,11 +97,11 @@ int genpkey_main(int argc, char **argv)
         case OPT_PARAMFILE:
             if (do_param == 1)
                 goto opthelp;
-            if (!init_keygen_file(&ctx, opt_arg(), e, libctx, propq))
+            if (!init_keygen_file(&ctx, opt_arg(), e, libctx, app_get0_propq()))
                 goto end;
             break;
         case OPT_ALGORITHM:
-            if (!init_gen_str(&ctx, opt_arg(), e, do_param, libctx, propq))
+            if (!init_gen_str(&ctx, opt_arg(), e, do_param, libctx, app_get0_propq()))
                 goto end;
             break;
         case OPT_PKEYOPT:
diff --git a/apps/include/apps.h b/apps/include/apps.h
index c0e351b3b9..d4241fa61e 100644
--- a/apps/include/apps.h
+++ b/apps/include/apps.h
@@ -323,6 +323,7 @@ int app_provider_load(OSSL_LIB_CTX *libctx, const char *provider_name);
 void app_providers_cleanup(void);
 
 OSSL_LIB_CTX *app_get0_libctx(void);
+int app_set_propq(const char *arg);
 const char *app_get0_propq(void);
 
 #endif
diff --git a/apps/include/opt.h b/apps/include/opt.h
index 5f3efe5105..d23bf262fc 100644
--- a/apps/include/opt.h
+++ b/apps/include/opt.h
@@ -270,7 +270,7 @@
  */
 # define OPT_PROV_ENUM \
         OPT_PROV__FIRST=1600, \
-        OPT_PROV_PROVIDER, OPT_PROV_PROVIDER_PATH, \
+        OPT_PROV_PROVIDER, OPT_PROV_PROVIDER_PATH, OPT_PROV_PROPQUERY, \
         OPT_PROV__LAST
 
 # define OPT_CONFIG_OPTION \
@@ -279,12 +279,14 @@
 # define OPT_PROV_OPTIONS \
         OPT_SECTION("Provider"), \
         { "provider-path", OPT_PROV_PROVIDER_PATH, 's', "Provider load path (must be before 'provider' argument if required)" }, \
-        { "provider", OPT_PROV_PROVIDER, 's', "Provider to load (can be specified multiple times)" }
+        { "provider", OPT_PROV_PROVIDER, 's', "Provider to load (can be specified multiple times)" }, \
+        { "propquery", OPT_PROV_PROPQUERY, 's', "Property query used when fetching algorithms" }
 
 # define OPT_PROV_CASES \
         OPT_PROV__FIRST: case OPT_PROV__LAST: break; \
         case OPT_PROV_PROVIDER: \
-        case OPT_PROV_PROVIDER_PATH
+        case OPT_PROV_PROVIDER_PATH: \
+        case OPT_PROV_PROPQUERY
 
 /*
  * Option parsing.
diff --git a/apps/lib/app_provider.c b/apps/lib/app_provider.c
index 490960521c..1a1757a5bd 100644
--- a/apps/lib/app_provider.c
+++ b/apps/lib/app_provider.c
@@ -70,6 +70,8 @@ int opt_provider(int opt)
         return app_provider_load(app_get0_libctx(), opt_arg());
     case OPT_PROV_PROVIDER_PATH:
         return opt_provider_path(opt_arg());
+    case OPT_PROV_PROPQUERY:
+        return app_set_propq(opt_arg());
     }
     return 0;
 }
diff --git a/apps/lib/apps.c b/apps/lib/apps.c
index 51c7c82eae..f53f1b2003 100644
--- a/apps/lib/apps.c
+++ b/apps/lib/apps.c
@@ -331,10 +331,17 @@ OSSL_LIB_CTX *app_get0_libctx(void)
     return app_libctx;
 }
 
-/* TODO(3.0): Make this an environment variable if required */
+static const char *app_propq = NULL;
+
+int app_set_propq(const char *arg)
+{
+    app_propq = arg;
+    return 1;
+}
+
 const char *app_get0_propq(void)
 {
-    return NULL;
+    return app_propq;
 }
 
 OSSL_LIB_CTX *app_create_libctx(void)
diff --git a/apps/mac.c b/apps/mac.c
index ea75b33623..ce00ff92e0 100644
--- a/apps/mac.c
+++ b/apps/mac.c
@@ -105,7 +105,7 @@ opthelp:
     if (argc != 1)
         goto opthelp;
 
-    mac = EVP_MAC_fetch(NULL, argv[0], NULL);
+    mac = EVP_MAC_fetch(app_get0_libctx(), argv[0], app_get0_propq());
     if (mac == NULL) {
         BIO_printf(bio_err, "Invalid MAC name %s\n", argv[0]);
         goto opthelp;
diff --git a/apps/pkcs7.c b/apps/pkcs7.c
index efc58b10c9..d970feb30e 100644
--- a/apps/pkcs7.c
+++ b/apps/pkcs7.c
@@ -61,7 +61,6 @@ int pkcs7_main(int argc, char **argv)
     int i, print_certs = 0, text = 0, noout = 0, p7_print = 0, ret = 1;
     OPTION_CHOICE o;
     OSSL_LIB_CTX *libctx = app_get0_libctx();
-    const char *propq = app_get0_propq();
 
     prog = opt_init(argc, argv, pkcs7_options);
     while ((o = opt_next()) != OPT_EOF) {
@@ -120,7 +119,7 @@ int pkcs7_main(int argc, char **argv)
     if (in == NULL)
         goto end;
 
-    p7 = PKCS7_new_ex(libctx, propq);
+    p7 = PKCS7_new_ex(libctx, app_get0_propq());
     if (p7 == NULL) {
         BIO_printf(bio_err, "unable to allocate PKCS7 object\n");
         ERR_print_errors(bio_err);
diff --git a/apps/pkeyutl.c b/apps/pkeyutl.c
index a88a6ca7a3..4eb15c30f4 100644
--- a/apps/pkeyutl.c
+++ b/apps/pkeyutl.c
@@ -24,7 +24,7 @@ static EVP_PKEY_CTX *init_ctx(const char *kdfalg, int *pkeysize,
                               const char *keyfile, int keyform, int key_type,
                               char *passinarg, int pkey_op, ENGINE *e,
                               const int impl, int rawin, EVP_PKEY **ppkey,
-                              OSSL_LIB_CTX *libctx, const char *propq);
+                              OSSL_LIB_CTX *libctx);
 
 static int setup_peer(EVP_PKEY_CTX *ctx, int peerform, const char *file,
                       ENGINE *e);
@@ -125,7 +125,6 @@ int pkeyutl_main(int argc, char **argv)
     const EVP_MD *md = NULL;
     int filesize = -1;
     OSSL_LIB_CTX *libctx = app_get0_libctx();
-    const char *propq = NULL;
 
     prog = opt_init(argc, argv, pkeyutl_options);
     while ((o = opt_next()) != OPT_EOF) {
@@ -293,7 +292,7 @@ int pkeyutl_main(int argc, char **argv)
     }
     ctx = init_ctx(kdfalg, &keysize, inkey, keyform, key_type,
                    passinarg, pkey_op, e, engine_impl, rawin, &pkey,
-                   libctx, propq);
+                   libctx);
     if (ctx == NULL) {
         BIO_printf(bio_err, "%s: Error initializing context\n", prog);
         ERR_print_errors(bio_err);
@@ -514,7 +513,7 @@ static EVP_PKEY_CTX *init_ctx(const char *kdfalg, int *pkeysize,
                               char *passinarg, int pkey_op, ENGINE *e,
                               const int engine_impl, int rawin,
                               EVP_PKEY **ppkey,
-                              OSSL_LIB_CTX *libctx, const char *propq)
+                              OSSL_LIB_CTX *libctx)
 {
     EVP_PKEY *pkey = NULL;
     EVP_PKEY_CTX *ctx = NULL;
@@ -522,6 +521,7 @@ static EVP_PKEY_CTX *init_ctx(const char *kdfalg, int *pkeysize,
     char *passin = NULL;
     int rv = -1;
     X509 *x;
+
     if (((pkey_op == EVP_PKEY_OP_SIGN) || (pkey_op == EVP_PKEY_OP_DECRYPT)
          || (pkey_op == EVP_PKEY_OP_DERIVE))
         && (key_type != KEY_PRIVKEY && kdfalg == NULL)) {
@@ -573,7 +573,7 @@ static EVP_PKEY_CTX *init_ctx(const char *kdfalg, int *pkeysize,
         if (impl != NULL)
             ctx = EVP_PKEY_CTX_new_id(kdfnid, impl);
         else
-            ctx = EVP_PKEY_CTX_new_from_name(libctx, kdfalg, propq);
+            ctx = EVP_PKEY_CTX_new_from_name(libctx, kdfalg, app_get0_propq());
     } else {
         if (pkey == NULL)
             goto end;
@@ -582,7 +582,7 @@ static EVP_PKEY_CTX *init_ctx(const char *kdfalg, int *pkeysize,
         if (impl != NULL)
             ctx = EVP_PKEY_CTX_new(pkey, impl);
         else
-            ctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, propq);
+            ctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, app_get0_propq());
         if (ppkey != NULL)
             *ppkey = pkey;
         EVP_PKEY_free(pkey);
diff --git a/apps/smime.c b/apps/smime.c
index 2e35009709..2a9ee27a34 100644
--- a/apps/smime.c
+++ b/apps/smime.c
@@ -155,7 +155,6 @@ int smime_main(int argc, char **argv)
     ENGINE *e = NULL;
     const char *mime_eol = "\n";
     OSSL_LIB_CTX *libctx = app_get0_libctx();
-    const char *propq = app_get0_propq();
 
     if ((vpm = X509_VERIFY_PARAM_new()) == NULL)
         return 1;
@@ -487,7 +486,7 @@ int smime_main(int argc, char **argv)
     if (operation & SMIME_IP) {
         PKCS7 *p7_in = NULL;
 
-        p7 = PKCS7_new_ex(libctx, propq);
+        p7 = PKCS7_new_ex(libctx, app_get0_propq());
         if (p7 == NULL) {
             BIO_printf(bio_err, "Error allocating PKCS7 object\n");
             goto end;
@@ -534,7 +533,7 @@ int smime_main(int argc, char **argv)
     if (operation == SMIME_ENCRYPT) {
         if (indef)
             flags |= PKCS7_STREAM;
-        p7 = PKCS7_encrypt_ex(encerts, in, cipher, flags, libctx, propq);
+        p7 = PKCS7_encrypt_ex(encerts, in, cipher, flags, libctx, app_get0_propq());
     } else if (operation & SMIME_SIGNERS) {
         int i;
         /*
@@ -549,7 +548,7 @@ int smime_main(int argc, char **argv)
                 flags |= PKCS7_STREAM;
             }
             flags |= PKCS7_PARTIAL;
-            p7 = PKCS7_sign_ex(NULL, NULL, other, in, flags, libctx, propq);
+            p7 = PKCS7_sign_ex(NULL, NULL, other, in, flags, libctx, app_get0_propq());
             if (p7 == NULL)
                 goto end;
             if (flags & PKCS7_NOCERTS) {
diff --git a/apps/storeutl.c b/apps/storeutl.c
index 0ec65ab047..9333c478f2 100644
--- a/apps/storeutl.c
+++ b/apps/storeutl.c
@@ -19,7 +19,7 @@
 static int process(const char *uri, const UI_METHOD *uimeth, PW_CB_DATA *uidata,
                    int expected, int criterion, OSSL_STORE_SEARCH *search,
                    int text, int noout, int recursive, int indent, BIO *out,
-                   const char *prog, OSSL_LIB_CTX *libctx, const char *propq);
+                   const char *prog, OSSL_LIB_CTX *libctx);
 
 typedef enum OPTION_choice {
     OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, OPT_ENGINE, OPT_OUT, OPT_PASSIN,
@@ -85,7 +85,6 @@ int storeutl_main(int argc, char *argv[])
     OSSL_STORE_SEARCH *search = NULL;
     const EVP_MD *digest = NULL;
     OSSL_LIB_CTX *libctx = app_get0_libctx();
-    const char *propq = app_get0_propq();
 
     while ((o = opt_next()) != OPT_EOF) {
         switch (o) {
@@ -315,7 +314,7 @@ int storeutl_main(int argc, char *argv[])
 
     ret = process(argv[0], get_ui_method(), &pw_cb_data,
                   expected, criterion, search,
-                  text, noout, recursive, 0, out, prog, libctx, propq);
+                  text, noout, recursive, 0, out, prog, libctx);
 
  end:
     OPENSSL_free(fingerprint);
@@ -346,12 +345,12 @@ static int indent_printf(int indent, BIO *bio, const char *format, ...)
 static int process(const char *uri, const UI_METHOD *uimeth, PW_CB_DATA *uidata,
                    int expected, int criterion, OSSL_STORE_SEARCH *search,
                    int text, int noout, int recursive, int indent, BIO *out,
-                   const char *prog, OSSL_LIB_CTX *libctx, const char *propq)
+                   const char *prog, OSSL_LIB_CTX *libctx)
 {
     OSSL_STORE_CTX *store_ctx = NULL;
     int ret = 1, items = 0;
 
-    if ((store_ctx = OSSL_STORE_open_ex(uri, libctx, propq, uimeth, uidata,
+    if ((store_ctx = OSSL_STORE_open_ex(uri, libctx, app_get0_propq(), uimeth, uidata,
                                         NULL, NULL))
         == NULL) {
         BIO_printf(bio_err, "Couldn't open file or uri %s\n", uri);
@@ -436,7 +435,7 @@ static int process(const char *uri, const UI_METHOD *uimeth, PW_CB_DATA *uidata,
                 ret += process(suburi, uimeth, uidata,
                                expected, criterion, search,
                                text, noout, recursive, indent + 2, out, prog,
-                               libctx, propq);
+                               libctx);
             }
             break;
         case OSSL_STORE_INFO_PARAMS:
diff --git a/doc/man1/openssl.pod b/doc/man1/openssl.pod
index 3176c19eee..8e30f81fe9 100644
--- a/doc/man1/openssl.pod
+++ b/doc/man1/openssl.pod
@@ -645,6 +645,26 @@ the PKCS#11 URI as defined in RFC 7512 should be possible to use directly:
 
     -key pkcs11:object=some-private-key;pin-value=1234
 
+=head2 Provider Options
+
+=over 4
+
+=item B<-provider> I<name>
+
+Load and initialize the provider identified by I<name>.
+
+=item B<-provider-path> I<path>
+
+Specifies the search path that is to be used for looking for providers.
+
+=item B<-propquery> I<propq>
+
+Specifies the I<property query clause> to be used when fetching algorithms
+from the loaded providers.
+See L<property(7)> for a more detailed description.
+
+=back
+
 =head1 ENVIRONMENT
 
 The OpenSSL library can be take some configuration parameters from the
diff --git a/doc/perlvars.pm b/doc/perlvars.pm
index d4fbba9a64..47f813d51e 100644
--- a/doc/perlvars.pm
+++ b/doc/perlvars.pm
@@ -93,12 +93,15 @@ $OpenSSL::safe::opt_r_item = ""
 # Provider options
 $OpenSSL::safe::opt_provider_synopsis = ""
 . "[B<-provider> I<name>]\n"
-. "[B<-provider-path> I<path>]";
+. "[B<-provider-path> I<path>]\n"
+. "[B<-propquery> I<propq>]";
 $OpenSSL::safe::opt_provider_item = ""
 . "=item B<-provider> I<name>\n"
 . "\n"
 . "=item B<-provider-path> I<path>\n"
 . "\n"
+. "=item B<-propquery> I<propq>\n"
+. "\n"
 . "See L<openssl(1)/Provider Options>.";
 
 # Configuration option
diff --git a/test/recipes/15-test_genrsa.t b/test/recipes/15-test_genrsa.t
index ffa334f15e..16bad16d65 100644
--- a/test/recipes/15-test_genrsa.t
+++ b/test/recipes/15-test_genrsa.t
@@ -26,7 +26,7 @@ my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
 
 plan tests =>
     ($no_fips ? 0 : 2)          # FIPS install test + fips related test
-    + 12;
+    + 13;
 
 # We want to know that an absurdly small number of bits isn't support
 if (disabled("deprecated-3.0")) {
@@ -101,6 +101,9 @@ ok(!run(app([ 'openssl', 'genpkey', '-algorithm', 'RSA',
              '-pkeyopt', 'e:65538',
              '-out', 'genrsatest.pem' ])),
    "genpkey with a even public exponent should fail");
+ok(!run(app([ 'openssl', 'genpkey', '-propquery', 'unknown',
+             '-algorithm', 'RSA' ])),
+   "genpkey requesting unknown=yes property should fail");
 
 
  SKIP: {
diff --git a/test/recipes/20-test_mac.t b/test/recipes/20-test_mac.t
index e34381c025..61f6161b0c 100644
--- a/test/recipes/20-test_mac.t
+++ b/test/recipes/20-test_mac.t
@@ -78,6 +78,11 @@ my @mac_fail_tests = (
       input => '00',
       err => 'EVP_MAC_Init',
       desc => 'KMAC128 Fail no key' },
+    { cmd => [qw{openssl mac -propquery unknown -macopt hexkey:404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F}],
+      type => 'KMAC128',
+      input => '00',
+      err => 'Invalid MAC name KMAC128',
+      desc => 'KMAC128 Fail unknown property' },
 );
 
 my @siphash_fail_tests = (


More information about the openssl-commits mailing list