[openssl] master update
Dr. Paul Dale
pauli at openssl.org
Thu Feb 11 22:35:56 UTC 2021
The branch master has been updated
via 22040fb790c854cefb04bed98ed38ea6357daf83 (commit)
via 03bbd346f4410c329d472cc043fb6c49f6688eba (commit)
via d0190e11639956677747f6bc7bb5bcd610fd8600 (commit)
via 51e5df0ed01efa47335940425cc8744ecff1b6ae (commit)
via 182717bd8a7a438c110d3a3b28387477833b4edc (commit)
via 50ca7e18954d901ee9215a1a4bb3ecf00b95642a (commit)
from 1baad060f9d440b8043a33ecf3fd4fc87534e075 (commit)
- Log -----------------------------------------------------------------
commit 22040fb790c854cefb04bed98ed38ea6357daf83
Author: Rich Salz <rsalz at akamai.com>
Date: Wed Feb 10 13:33:41 2021 -0500
Allow -rand to be repeated
Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14135)
commit 03bbd346f4410c329d472cc043fb6c49f6688eba
Author: Rich Salz <rsalz at akamai.com>
Date: Mon Feb 8 14:20:01 2021 -0500
Fetch cipher after loading providers
Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14135)
commit d0190e11639956677747f6bc7bb5bcd610fd8600
Author: Rich Salz <rsalz at akamai.com>
Date: Mon Feb 8 14:03:35 2021 -0500
Process digest option after loading providers
Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14135)
commit 51e5df0ed01efa47335940425cc8744ecff1b6ae
Author: Rich Salz <rsalz at akamai.com>
Date: Mon Feb 8 13:45:23 2021 -0500
Load rand state after loading providers
Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14135)
commit 182717bd8a7a438c110d3a3b28387477833b4edc
Author: Rich Salz <rsalz at akamai.com>
Date: Sun Feb 7 10:42:23 2021 -0500
Fetch alg, etc., after loading providers
Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14135)
commit 50ca7e18954d901ee9215a1a4bb3ecf00b95642a
Author: Rich Salz <rsalz at akamai.com>
Date: Fri Feb 5 15:38:07 2021 -0500
Fetch algorithm after loading providers
Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14135)
-----------------------------------------------------------------------
Summary of changes:
apps/ca.c | 3 ++-
apps/cms.c | 20 +++++++++-----
apps/crl.c | 8 ++++--
apps/dgst.c | 13 +++++----
apps/dhparam.c | 1 +
apps/dsa.c | 9 ++++---
apps/dsaparam.c | 1 +
apps/ec.c | 9 ++++---
apps/ecparam.c | 1 +
apps/enc.c | 39 +++++++++++++--------------
apps/gendsa.c | 12 ++++++---
apps/genpkey.c | 76 +++++++++++++++++++++++++++++------------------------
apps/genrsa.c | 10 ++++---
apps/include/apps.h | 1 +
apps/lib/app_rand.c | 24 ++++++++++++++++-
apps/ocsp.c | 10 ++++---
apps/passwd.c | 1 +
apps/pkcs12.c | 26 +++++++++++-------
apps/pkcs8.c | 10 ++++---
apps/pkey.c | 9 ++++---
apps/pkeyutl.c | 11 +++++---
apps/rand.c | 1 +
apps/req.c | 13 ++++++---
apps/rsa.c | 9 ++++---
apps/rsautl.c | 1 +
apps/s_client.c | 5 ++--
apps/s_server.c | 1 +
apps/smime.c | 18 +++++++++----
apps/speed.c | 1 +
apps/srp.c | 1 +
apps/storeutl.c | 11 +++++---
apps/ts.c | 10 ++++---
apps/x509.c | 11 +++++---
33 files changed, 250 insertions(+), 126 deletions(-)
diff --git a/apps/ca.c b/apps/ca.c
index 61e49336d0..29f62f86f2 100755
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -209,7 +209,7 @@ const OPTIONS ca_options[] = {
{"noemailDN", OPT_NOEMAILDN, '-', "Don't add the EMAIL field to the DN"},
OPT_SECTION("Signing"),
- {"md", OPT_MD, 's', "md to use; one of md2, md5, sha or sha1"},
+ {"md", OPT_MD, 's', "Digest to use, such as sha256"},
{"keyfile", OPT_KEYFILE, 's', "The CA private key"},
{"keyform", OPT_KEYFORM, 'f',
"Private key file format (ENGINE, other values ignored)"},
@@ -521,6 +521,7 @@ end_of_options:
goto end;
app_RAND_load_conf(conf, BASE_SECTION);
+ app_RAND_load();
f = NCONF_get_string(conf, section, STRING_MASK);
if (f == NULL)
diff --git a/apps/cms.c b/apps/cms.c
index 36fb88e15c..67cbb9379a 100644
--- a/apps/cms.c
+++ b/apps/cms.c
@@ -286,10 +286,11 @@ int cms_main(int argc, char **argv)
X509_VERIFY_PARAM *vpm = NULL;
char *certfile = NULL, *keyfile = NULL, *contfile = NULL;
const char *CAfile = NULL, *CApath = NULL, *CAstore = NULL;
- char *certsoutfile = NULL;
+ char *certsoutfile = NULL, *digestname = NULL;
int noCAfile = 0, noCApath = 0, noCAstore = 0;
char *infile = NULL, *outfile = NULL, *rctfile = NULL;
- char *passinarg = NULL, *passin = NULL, *signerfile = NULL, *originatorfile = NULL, *recipfile = NULL;
+ char *passinarg = NULL, *passin = NULL, *signerfile = NULL;
+ char *originatorfile = NULL, *recipfile = NULL, *ciphername = NULL;
char *to = NULL, *from = NULL, *subject = NULL, *prog;
cms_key_param *key_first = NULL, *key_param = NULL;
int flags = CMS_DETACHED, noout = 0, print = 0, keyidx = -1, vpmtouched = 0;
@@ -565,8 +566,7 @@ int cms_main(int argc, char **argv)
certsoutfile = opt_arg();
break;
case OPT_MD:
- if (!opt_md(opt_arg(), &sign_md))
- goto end;
+ digestname = opt_arg();
break;
case OPT_SIGNER:
/* If previous -signer argument add signer to list */
@@ -625,8 +625,7 @@ int cms_main(int argc, char **argv)
}
break;
case OPT_CIPHER:
- if (!opt_cipher(opt_unknown(), &cipher))
- goto end;
+ ciphername = opt_unknown();
break;
case OPT_KEYOPT:
keyidx = -1;
@@ -698,6 +697,15 @@ int cms_main(int argc, char **argv)
break;
}
}
+ app_RAND_load();
+ if (digestname != NULL) {
+ if (!opt_md(digestname, &sign_md))
+ goto end;
+ }
+ if (ciphername != NULL) {
+ if (!opt_cipher(ciphername, &cipher))
+ goto end;
+ }
/* Remaining args are files to process. */
argc = opt_num_rest();
diff --git a/apps/crl.c b/apps/crl.c
index ddbf96bfca..dd9d41e8ea 100644
--- a/apps/crl.c
+++ b/apps/crl.c
@@ -84,6 +84,7 @@ int crl_main(int argc, char **argv)
EVP_PKEY *pkey;
const EVP_MD *digest = EVP_sha1();
char *infile = NULL, *outfile = NULL, *crldiff = NULL, *keyfile = NULL;
+ char *digestname = NULL;
const char *CAfile = NULL, *CApath = NULL, *CAstore = NULL, *prog;
OPTION_CHOICE o;
int hash = 0, issuer = 0, lastupdate = 0, nextupdate = 0, noout = 0;
@@ -192,8 +193,7 @@ int crl_main(int argc, char **argv)
goto opthelp;
break;
case OPT_MD:
- if (!opt_md(opt_unknown(), &digest))
- goto opthelp;
+ digestname = opt_unknown();
break;
case OPT_PROV_CASES:
if (!opt_provider(o))
@@ -207,6 +207,10 @@ int crl_main(int argc, char **argv)
if (argc != 0)
goto opthelp;
+ if (digestname != NULL) {
+ if (!opt_md(digestname, &digest))
+ goto opthelp;
+ }
x = load_crl(infile, "CRL");
if (x == NULL)
goto end;
diff --git a/apps/dgst.c b/apps/dgst.c
index 0eb84f5169..891cf79279 100644
--- a/apps/dgst.c
+++ b/apps/dgst.c
@@ -97,9 +97,9 @@ int dgst_main(int argc, char **argv)
EVP_PKEY *sigkey = NULL;
STACK_OF(OPENSSL_STRING) *sigopts = NULL, *macopts = NULL;
char *hmac_key = NULL;
- char *mac_name = NULL;
+ char *mac_name = NULL, *digestname = NULL;
char *passinarg = NULL, *passin = NULL;
- const EVP_MD *md = NULL, *m;
+ const EVP_MD *md = NULL;
const char *outfile = NULL, *keyfile = NULL, *prog = NULL;
const char *sigfile = NULL;
const char *md_name = NULL;
@@ -209,9 +209,7 @@ int dgst_main(int argc, char **argv)
goto opthelp;
break;
case OPT_DIGEST:
- if (!opt_md(opt_unknown(), &m))
- goto opthelp;
- md = m;
+ digestname = opt_unknown();
break;
case OPT_PROV_CASES:
if (!opt_provider(o))
@@ -227,6 +225,11 @@ int dgst_main(int argc, char **argv)
BIO_printf(bio_err, "%s: Can only sign or verify one file.\n", prog);
goto end;
}
+ app_RAND_load();
+ if (digestname != NULL) {
+ if (!opt_md(digestname, &md))
+ goto opthelp;
+ }
if (do_verify && sigfile == NULL) {
BIO_printf(bio_err,
diff --git a/apps/dhparam.c b/apps/dhparam.c
index cfa399e459..30fdfbbf6e 100644
--- a/apps/dhparam.c
+++ b/apps/dhparam.c
@@ -158,6 +158,7 @@ int dhparam_main(int argc, char **argv)
} else if (argc != 0) {
goto opthelp;
}
+ app_RAND_load();
if (g && !num)
diff --git a/apps/dsa.c b/apps/dsa.c
index ebb841fa53..c4baaf7de9 100644
--- a/apps/dsa.c
+++ b/apps/dsa.c
@@ -87,7 +87,7 @@ int dsa_main(int argc, char **argv)
int modulus = 0, pubin = 0, pubout = 0, ret = 1;
int pvk_encr = DEFAULT_PVK_ENCR_STRENGTH;
int private = 0;
- const char *output_type = NULL;
+ const char *output_type = NULL, *ciphername = NULL;
const char *output_structure = NULL;
int selection = 0;
OSSL_ENCODER_CTX *ectx = NULL;
@@ -151,8 +151,7 @@ int dsa_main(int argc, char **argv)
pubout = 1;
break;
case OPT_CIPHER:
- if (!opt_cipher(opt_unknown(), &enc))
- goto end;
+ ciphername = opt_unknown();
break;
case OPT_PROV_CASES:
if (!opt_provider(o))
@@ -166,6 +165,10 @@ int dsa_main(int argc, char **argv)
if (argc != 0)
goto opthelp;
+ if (ciphername != NULL) {
+ if (!opt_cipher(ciphername, &enc))
+ goto end;
+ }
private = pubin || pubout ? 0 : 1;
if (text && !pubin)
private = 1;
diff --git a/apps/dsaparam.c b/apps/dsaparam.c
index f09318f54b..70c698dbec 100644
--- a/apps/dsaparam.c
+++ b/apps/dsaparam.c
@@ -135,6 +135,7 @@ int dsaparam_main(int argc, char **argv)
} else if (argc != 0) {
goto opthelp;
}
+ app_RAND_load();
/* generate a key */
numbits = num;
diff --git a/apps/ec.c b/apps/ec.c
index 495e8e6617..d89c580020 100644
--- a/apps/ec.c
+++ b/apps/ec.c
@@ -70,7 +70,7 @@ int ec_main(int argc, char **argv)
BIO *in = NULL, *out = NULL;
ENGINE *e = NULL;
const EVP_CIPHER *enc = NULL;
- char *infile = NULL, *outfile = NULL, *prog;
+ char *infile = NULL, *outfile = NULL, *ciphername = NULL, *prog;
char *passin = NULL, *passout = NULL, *passinarg = NULL, *passoutarg = NULL;
OPTION_CHOICE o;
int informat = FORMAT_PEM, outformat = FORMAT_PEM, text = 0, noout = 0;
@@ -131,8 +131,7 @@ int ec_main(int argc, char **argv)
e = setup_engine(opt_arg(), 0);
break;
case OPT_CIPHER:
- if (!opt_cipher(opt_unknown(), &enc))
- goto opthelp;
+ ciphername = opt_unknown();
break;
case OPT_CONV_FORM:
point_format = opt_arg();
@@ -162,6 +161,10 @@ int ec_main(int argc, char **argv)
if (argc != 0)
goto opthelp;
+ if (ciphername != NULL) {
+ if (!opt_cipher(ciphername, &enc))
+ goto opthelp;
+ }
private = param_out || pubin || pubout ? 0 : 1;
if (text && !pubin)
private = 1;
diff --git a/apps/ecparam.c b/apps/ecparam.c
index 762da3f2c9..e05a3a495f 100644
--- a/apps/ecparam.c
+++ b/apps/ecparam.c
@@ -190,6 +190,7 @@ int ecparam_main(int argc, char **argv)
if (argc != 0)
goto opthelp;
+ app_RAND_load();
private = genkey ? 1 : 0;
in = bio_open_default(infile, 'r', informat);
diff --git a/apps/enc.c b/apps/enc.c
index 81e52c10ce..9982337c01 100644
--- a/apps/enc.c
+++ b/apps/enc.c
@@ -109,11 +109,13 @@ int enc_main(int argc, char **argv)
BIO *in = NULL, *out = NULL, *b64 = NULL, *benc = NULL, *rbio =
NULL, *wbio = NULL;
EVP_CIPHER_CTX *ctx = NULL;
- const EVP_CIPHER *cipher = NULL, *c;
+ const EVP_CIPHER *cipher = NULL;
const EVP_MD *dgst = NULL;
+ const char *digestname = NULL;
char *hkey = NULL, *hiv = NULL, *hsalt = NULL, *p;
- char *infile = NULL, *outfile = NULL, *prog, *arg0;
+ char *infile = NULL, *outfile = NULL, *prog;
char *str = NULL, *passarg = NULL, *pass = NULL, *strbuf = NULL;
+ const char *ciphername = NULL;
char mbuf[sizeof(magic) - 1];
OPTION_CHOICE o;
int bsize = BSIZE, verbose = 0, debug = 0, olb64 = 0, nosalt = 0;
@@ -132,20 +134,14 @@ int enc_main(int argc, char **argv)
#endif
/* first check the command name */
- arg0 = argv[0];
- if (strcmp(arg0, "base64") == 0) {
+ if (strcmp(argv[0], "base64") == 0)
base64 = 1;
#ifdef ZLIB
- } else if (strcmp(arg0, "zlib") == 0) {
+ else if (strcmp(argv[0], "zlib") == 0)
do_zlib = 1;
#endif
- } else {
- cipher = EVP_get_cipherbyname(arg0);
- if (cipher == NULL && strcmp(arg0, "enc") != 0) {
- BIO_printf(bio_err, "%s is not a known cipher\n", arg0);
- goto end;
- }
- }
+ else if (strcmp(argv[0], "enc") != 0)
+ ciphername = argv[0];
prog = opt_init(argc, argv, enc_options);
while ((o = opt_next()) != OPT_EOF) {
@@ -264,13 +260,10 @@ int enc_main(int argc, char **argv)
hiv = opt_arg();
break;
case OPT_MD:
- if (!opt_md(opt_arg(), &dgst))
- goto opthelp;
+ digestname = opt_arg();
break;
case OPT_CIPHER:
- if (!opt_cipher(opt_unknown(), &c))
- goto opthelp;
- cipher = c;
+ ciphername = opt_unknown();
break;
case OPT_ITER:
if (!opt_int(opt_arg(), &iter))
@@ -300,17 +293,25 @@ int enc_main(int argc, char **argv)
argc = opt_num_rest();
if (argc != 0)
goto opthelp;
+ app_RAND_load();
+ /* Get the cipher name, either from progname (if set) or flag. */
+ if (ciphername != NULL) {
+ if (!opt_cipher(ciphername, &cipher))
+ goto opthelp;
+ }
if (cipher && EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) {
BIO_printf(bio_err, "%s: AEAD ciphers not supported\n", prog);
goto end;
}
-
if (cipher && (EVP_CIPHER_mode(cipher) == EVP_CIPH_XTS_MODE)) {
BIO_printf(bio_err, "%s XTS ciphers not supported\n", prog);
goto end;
}
-
+ if (digestname != NULL) {
+ if (!opt_md(digestname, &dgst))
+ goto opthelp;
+ }
if (dgst == NULL)
dgst = EVP_sha256();
diff --git a/apps/gendsa.c b/apps/gendsa.c
index c90a01d979..c6c84c9a56 100644
--- a/apps/gendsa.c
+++ b/apps/gendsa.c
@@ -57,7 +57,7 @@ int gendsa_main(int argc, char **argv)
EVP_PKEY *pkey = NULL;
EVP_PKEY_CTX *ctx = NULL;
const EVP_CIPHER *enc = NULL;
- char *dsaparams = NULL;
+ char *dsaparams = NULL, *ciphername = NULL;
char *outfile = NULL, *passoutarg = NULL, *passout = NULL, *prog;
OPTION_CHOICE o;
int ret = 1, private = 0, verbose = 0;
@@ -93,8 +93,7 @@ int gendsa_main(int argc, char **argv)
goto end;
break;
case OPT_CIPHER:
- if (!opt_cipher(opt_unknown(), &enc))
- goto end;
+ ciphername = opt_unknown();
break;
case OPT_VERBOSE:
verbose = 1;
@@ -107,8 +106,13 @@ int gendsa_main(int argc, char **argv)
argv = opt_rest();
if (argc != 1)
goto opthelp;
-
dsaparams = argv[0];
+
+ app_RAND_load();
+ if (ciphername != NULL) {
+ if (!opt_cipher(ciphername, &enc))
+ goto end;
+ }
private = 1;
if (!app_passwd(NULL, passoutarg, NULL, &passout)) {
diff --git a/apps/genpkey.c b/apps/genpkey.c
index bdd8b43e47..4d28b4ecc2 100644
--- a/apps/genpkey.c
+++ b/apps/genpkey.c
@@ -62,14 +62,19 @@ int genpkey_main(int argc, char **argv)
ENGINE *e = NULL;
EVP_PKEY *pkey = NULL;
EVP_PKEY_CTX *ctx = NULL;
- char *outfile = NULL, *passarg = NULL, *pass = NULL, *prog;
+ char *outfile = NULL, *passarg = NULL, *pass = NULL, *prog, *p;
+ const char *ciphername = NULL, *paramfile = NULL, *algname = NULL;
const EVP_CIPHER *cipher = NULL;
OPTION_CHOICE o;
int outformat = FORMAT_PEM, text = 0, ret = 1, rv, do_param = 0;
- int private = 0;
+ int private = 0, i, m;
OSSL_LIB_CTX *libctx = app_get0_libctx();
+ STACK_OF(OPENSSL_STRING) *keyopt = NULL;
prog = opt_init(argc, argv, genpkey_options);
+ keyopt = sk_OPENSSL_STRING_new_null();
+ if (keyopt == NULL)
+ goto end;
while ((o = opt_next()) != OPT_EOF) {
switch (o) {
case OPT_EOF:
@@ -97,49 +102,23 @@ int genpkey_main(int argc, char **argv)
case OPT_PARAMFILE:
if (do_param == 1)
goto opthelp;
- if (!init_keygen_file(&ctx, opt_arg(), e, libctx, app_get0_propq()))
- goto end;
+ paramfile = opt_arg();
break;
case OPT_ALGORITHM:
- if (!init_gen_str(&ctx, opt_arg(), e, do_param, libctx, app_get0_propq()))
- goto end;
+ algname = opt_arg();
break;
case OPT_PKEYOPT:
- if (ctx == NULL) {
- BIO_printf(bio_err, "%s: No keytype specified.\n", prog);
- goto opthelp;
- }
- if (pkey_ctrl_string(ctx, opt_arg()) <= 0) {
- BIO_printf(bio_err,
- "%s: Error setting %s parameter:\n",
- prog, opt_arg());
- ERR_print_errors(bio_err);
+ if (!sk_OPENSSL_STRING_push(keyopt, opt_arg()))
goto end;
- }
break;
case OPT_GENPARAM:
- if (ctx != NULL) {
- BIO_printf(bio_err,
- "%s: '-genparam' option must be set before"
- " the '-algorithm' option.\n", prog);
- goto opthelp;
- }
do_param = 1;
break;
case OPT_TEXT:
text = 1;
break;
case OPT_CIPHER:
- if (!opt_cipher(opt_unknown(), &cipher)
- || do_param == 1)
- goto opthelp;
- if (EVP_CIPHER_mode(cipher) == EVP_CIPH_GCM_MODE ||
- EVP_CIPHER_mode(cipher) == EVP_CIPH_CCM_MODE ||
- EVP_CIPHER_mode(cipher) == EVP_CIPH_XTS_MODE ||
- EVP_CIPHER_mode(cipher) == EVP_CIPH_OCB_MODE) {
- BIO_printf(bio_err, "%s: cipher mode not supported\n", prog);
- goto end;
- }
+ ciphername = opt_unknown();
break;
case OPT_CONFIG:
conf = app_load_config_modules(opt_arg());
@@ -158,11 +137,39 @@ int genpkey_main(int argc, char **argv)
if (argc != 0)
goto opthelp;
- private = do_param ? 0 : 1;
-
+ /* Fetch cipher, etc. */
+ if (paramfile != NULL) {
+ if (!init_keygen_file(&ctx, paramfile, e, libctx, app_get0_propq()))
+ goto end;
+ }
+ if (algname != NULL) {
+ if (!init_gen_str(&ctx, algname, e, do_param, libctx, app_get0_propq()))
+ goto end;
+ }
if (ctx == NULL)
goto opthelp;
+ for (i = 0; i < sk_OPENSSL_STRING_num(keyopt); i++) {
+ p = sk_OPENSSL_STRING_value(keyopt, i);
+ if (pkey_ctrl_string(ctx, p) <= 0) {
+ BIO_printf(bio_err, "%s: Error setting %s parameter:\n", prog, p);
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+ }
+ if (ciphername != NULL) {
+ if (!opt_cipher(ciphername, &cipher) || do_param == 1)
+ goto opthelp;
+ m = EVP_CIPHER_mode(cipher);
+ if (m == EVP_CIPH_GCM_MODE || m == EVP_CIPH_CCM_MODE
+ || m == EVP_CIPH_XTS_MODE || m == EVP_CIPH_OCB_MODE) {
+ BIO_printf(bio_err, "%s: cipher mode not supported\n", prog);
+ goto end;
+ }
+ }
+
+ private = do_param ? 0 : 1;
+
if (!app_passwd(passarg, NULL, &pass, NULL)) {
BIO_puts(bio_err, "Error getting password\n");
goto end;
@@ -224,6 +231,7 @@ int genpkey_main(int argc, char **argv)
}
end:
+ sk_OPENSSL_STRING_free(keyopt);
EVP_PKEY_free(pkey);
EVP_PKEY_CTX_free(ctx);
BIO_free_all(out);
diff --git a/apps/genrsa.c b/apps/genrsa.c
index 2cc1abfbe5..cd99b53a3b 100644
--- a/apps/genrsa.c
+++ b/apps/genrsa.c
@@ -86,7 +86,7 @@ int genrsa_main(int argc, char **argv)
int ret = 1, num = DEFBITS, private = 0, primes = DEFPRIMES;
unsigned long f4 = RSA_F4;
char *outfile = NULL, *passoutarg = NULL, *passout = NULL;
- char *prog, *hexe, *dece;
+ char *prog, *hexe, *dece, *ciphername = NULL;
OPTION_CHOICE o;
int traditional = 0;
@@ -131,8 +131,7 @@ opthelp:
passoutarg = opt_arg();
break;
case OPT_CIPHER:
- if (!opt_cipher(opt_unknown(), &enc))
- goto end;
+ ciphername = opt_unknown();
break;
case OPT_PRIMES:
if (!opt_int(opt_arg(), &primes))
@@ -164,7 +163,12 @@ opthelp:
goto opthelp;
}
+ app_RAND_load();
private = 1;
+ if (ciphername != NULL) {
+ if (!opt_cipher(ciphername, &enc))
+ goto end;
+ }
if (!app_passwd(NULL, passoutarg, NULL, &passout)) {
BIO_printf(bio_err, "Error getting password\n");
goto end;
diff --git a/apps/include/apps.h b/apps/include/apps.h
index d4241fa61e..45a9c4e758 100644
--- a/apps/include/apps.h
+++ b/apps/include/apps.h
@@ -47,6 +47,7 @@
void app_RAND_load_conf(CONF *c, const char *section);
void app_RAND_write(void);
+int app_RAND_load(void);
extern char *default_config_file; /* may be "" */
extern BIO *bio_in;
diff --git a/apps/lib/app_rand.c b/apps/lib/app_rand.c
index 1861343a9c..913e66e73f 100644
--- a/apps/lib/app_rand.c
+++ b/apps/lib/app_rand.c
@@ -14,6 +14,7 @@
#include <openssl/conf.h>
static char *save_rand_file;
+static STACK_OF(OPENSSL_STRING) *randfiles;
void app_RAND_load_conf(CONF *c, const char *section)
{
@@ -57,6 +58,23 @@ static int loadfiles(char *name)
return ret;
}
+int app_RAND_load(void)
+{
+ char *p;
+ int i, ret = 1;
+
+ if (randfiles == NULL)
+ return 1;
+
+ for (i = 0; i < sk_OPENSSL_STRING_num(randfiles); i++) {
+ p = sk_OPENSSL_STRING_value(randfiles, i);
+ if (!loadfiles(p))
+ ret = 0;
+ }
+ sk_OPENSSL_STRING_free(randfiles);
+ return ret;
+}
+
void app_RAND_write(void)
{
if (save_rand_file == NULL)
@@ -82,7 +100,11 @@ int opt_rand(int opt)
case OPT_R__LAST:
break;
case OPT_R_RAND:
- return loadfiles(opt_arg());
+ if (randfiles == NULL
+ && (randfiles = sk_OPENSSL_STRING_new_null()) == NULL)
+ return 0;
+ if (!sk_OPENSSL_STRING_push(randfiles, opt_arg()))
+ return 0;
break;
case OPT_R_WRITERAND:
OPENSSL_free(save_rand_file);
diff --git a/apps/ocsp.c b/apps/ocsp.c
index 982423d1ef..dd1677b1c1 100644
--- a/apps/ocsp.c
+++ b/apps/ocsp.c
@@ -223,7 +223,7 @@ int ocsp_main(int argc, char **argv)
X509_STORE *store = NULL;
X509_VERIFY_PARAM *vpm = NULL;
const char *CAfile = NULL, *CApath = NULL, *CAstore = NULL;
- char *header, *value;
+ char *header, *value, *respdigname = NULL;
char *host = NULL, *port = NULL, *path = "/", *outfile = NULL;
char *rca_filename = NULL, *reqin = NULL, *respin = NULL;
char *reqout = NULL, *respout = NULL, *ridx_filename = NULL;
@@ -467,8 +467,7 @@ int ocsp_main(int argc, char **argv)
rcertfile = opt_arg();
break;
case OPT_RMD: /* Response MessageDigest */
- if (!opt_md(opt_arg(), &rsign_md))
- goto end;
+ respdigname = opt_arg();
break;
case OPT_RSIGOPT:
if (rsign_sigopts == NULL)
@@ -526,6 +525,11 @@ int ocsp_main(int argc, char **argv)
goto opthelp;
}
+ if (respdigname != NULL) {
+ if (!opt_md(respdigname, &rsign_md))
+ goto end;
+ }
+
/* Have we anything to do? */
if (req == NULL && reqin == NULL
&& respin == NULL && !(port != NULL && ridx_filename != NULL))
diff --git a/apps/passwd.c b/apps/passwd.c
index f8a0493c4c..08b94622da 100644
--- a/apps/passwd.c
+++ b/apps/passwd.c
@@ -195,6 +195,7 @@ int passwd_main(int argc, char **argv)
passwds = argv;
}
+ app_RAND_load();
if (mode == passwd_unset) {
/* use default */
mode = passwd_md5;
diff --git a/apps/pkcs12.c b/apps/pkcs12.c
index 60e12cf932..e96f9ec4a4 100644
--- a/apps/pkcs12.c
+++ b/apps/pkcs12.c
@@ -145,7 +145,7 @@ const OPTIONS pkcs12_options[] = {
int pkcs12_main(int argc, char **argv)
{
char *infile = NULL, *outfile = NULL, *keyname = NULL, *certfile = NULL;
- char *untrusted = NULL;
+ char *untrusted = NULL, *ciphername = NULL, *enc_flag = NULL;
char *passcertsarg = NULL, *passcerts = NULL;
char *name = NULL, *csp_name = NULL;
char pass[PASSWD_BUF_SIZE] = "", macpass[PASSWD_BUF_SIZE] = "";
@@ -164,7 +164,6 @@ int pkcs12_main(int argc, char **argv)
BIO *in = NULL, *out = NULL;
PKCS12 *p12 = NULL;
STACK_OF(OPENSSL_STRING) *canames = NULL;
- const char *enc_flag = NULL;
const EVP_CIPHER *const default_enc = EVP_aes_256_cbc();
const EVP_CIPHER *enc = default_enc;
OPTION_CHOICE o;
@@ -220,10 +219,19 @@ int pkcs12_main(int argc, char **argv)
case OPT_EXPORT:
export_pkcs12 = 1;
break;
+ case OPT_NODES:
+ case OPT_NOENC:
+ /*
+ * |enc_flag| stores the name of the option used so it
+ * can be printed if an error message is output.
+ */
+ enc_flag = opt_flag() + 1;
+ enc = NULL;
+ ciphername = NULL;
+ break;
case OPT_CIPHER:
+ ciphername = opt_unknown();
enc_flag = opt_unknown();
- if (!opt_cipher(enc_flag, &enc))
- goto opthelp;
break;
case OPT_ITER:
if (!opt_int(opt_arg(), &iter))
@@ -246,11 +254,6 @@ int pkcs12_main(int argc, char **argv)
case OPT_MACALG:
macalg = opt_arg();
break;
- case OPT_NODES:
- case OPT_NOENC:
- enc_flag = opt_flag() + 1;
- enc = NULL;
- break;
case OPT_CERTPBE:
if (!set_pbe(&cert_pbe, opt_arg()))
goto opthelp;
@@ -341,6 +344,11 @@ int pkcs12_main(int argc, char **argv)
if (argc != 0)
goto opthelp;
+ app_RAND_load();
+ if (ciphername != NULL) {
+ if (!opt_cipher(ciphername, &enc))
+ goto opthelp;
+ }
if (export_pkcs12) {
if ((options & INFO) != 0)
WARN_EXPORT("info");
diff --git a/apps/pkcs8.c b/apps/pkcs8.c
index ae0824c6d2..674007498a 100644
--- a/apps/pkcs8.c
+++ b/apps/pkcs8.c
@@ -75,7 +75,7 @@ int pkcs8_main(int argc, char **argv)
PKCS8_PRIV_KEY_INFO *p8inf = NULL;
X509_SIG *p8 = NULL;
const EVP_CIPHER *cipher = NULL;
- char *infile = NULL, *outfile = NULL;
+ char *infile = NULL, *outfile = NULL, *ciphername = NULL;
char *passinarg = NULL, *passoutarg = NULL, *prog;
#ifndef OPENSSL_NO_UI_CONSOLE
char pass[APP_PASS_LEN];
@@ -136,8 +136,7 @@ int pkcs8_main(int argc, char **argv)
traditional = 1;
break;
case OPT_V2:
- if (!opt_cipher(opt_arg(), &cipher))
- goto opthelp;
+ ciphername = opt_arg();
break;
case OPT_V1:
pbe_nid = OBJ_txt2nid(opt_arg());
@@ -200,6 +199,11 @@ int pkcs8_main(int argc, char **argv)
goto opthelp;
private = 1;
+ app_RAND_load();
+ if (ciphername != NULL) {
+ if (!opt_cipher(ciphername, &cipher))
+ goto opthelp;
+ }
if (!app_passwd(passinarg, passoutarg, &passin, &passout)) {
BIO_printf(bio_err, "Error getting passwords\n");
diff --git a/apps/pkey.c b/apps/pkey.c
index a48c9856bf..1a53447401 100644
--- a/apps/pkey.c
+++ b/apps/pkey.c
@@ -73,7 +73,7 @@ int pkey_main(int argc, char **argv)
EVP_PKEY_CTX *ctx = NULL;
const EVP_CIPHER *cipher = NULL;
char *infile = NULL, *outfile = NULL, *passin = NULL, *passout = NULL;
- char *passinarg = NULL, *passoutarg = NULL, *prog;
+ char *passinarg = NULL, *passoutarg = NULL, *ciphername = NULL, *prog;
OPTION_CHOICE o;
int informat = FORMAT_PEM, outformat = FORMAT_PEM;
int pubin = 0, pubout = 0, text_pub = 0, text = 0, noout = 0, ret = 1;
@@ -143,8 +143,7 @@ int pkey_main(int argc, char **argv)
pub_check = 1;
break;
case OPT_CIPHER:
- if (!opt_cipher(opt_unknown(), &cipher))
- goto opthelp;
+ ciphername = opt_unknown();
break;
case OPT_EC_CONV_FORM:
#ifdef OPENSSL_NO_EC
@@ -187,6 +186,10 @@ int pkey_main(int argc, char **argv)
"Warning: The -traditional is ignored since there is no PEM output\n");
private = (!noout && !pubout) || (text && !text_pub);
+ if (ciphername != NULL) {
+ if (!opt_cipher(ciphername, &cipher))
+ goto opthelp;
+ }
if (cipher == NULL) {
if (passoutarg != NULL)
BIO_printf(bio_err,
diff --git a/apps/pkeyutl.c b/apps/pkeyutl.c
index 4eb15c30f4..b70f9935b6 100644
--- a/apps/pkeyutl.c
+++ b/apps/pkeyutl.c
@@ -117,7 +117,7 @@ int pkeyutl_main(int argc, char **argv)
size_t buf_outlen;
const char *inkey = NULL;
const char *peerkey = NULL;
- const char *kdfalg = NULL;
+ const char *kdfalg = NULL, *digestname = NULL;
int kdflen = 0;
STACK_OF(OPENSSL_STRING) *pkeyopts = NULL;
STACK_OF(OPENSSL_STRING) *pkeyopts_passin = NULL;
@@ -244,8 +244,7 @@ int pkeyutl_main(int argc, char **argv)
rawin = 1;
break;
case OPT_DIGEST:
- if (!opt_md(opt_arg(), &md))
- goto end;
+ digestname = opt_arg();
break;
}
}
@@ -255,6 +254,12 @@ int pkeyutl_main(int argc, char **argv)
if (argc != 0)
goto opthelp;
+ app_RAND_load();
+ if (digestname != NULL) {
+ if (!opt_md(digestname, &md))
+ goto end;
+ }
+
if (rawin && pkey_op != EVP_PKEY_OP_SIGN && pkey_op != EVP_PKEY_OP_VERIFY) {
BIO_printf(bio_err,
"%s: -rawin can only be used with -sign or -verify\n",
diff --git a/apps/rand.c b/apps/rand.c
index c78123e161..69a13f975e 100644
--- a/apps/rand.c
+++ b/apps/rand.c
@@ -99,6 +99,7 @@ int rand_main(int argc, char **argv)
goto opthelp;
}
+ app_RAND_load();
out = bio_open_default(outfile, 'w', format);
if (out == NULL)
goto end;
diff --git a/apps/req.c b/apps/req.c
index 75840ae387..881cbb45c7 100644
--- a/apps/req.c
+++ b/apps/req.c
@@ -245,7 +245,7 @@ int req_main(int argc, char **argv)
BIO *addext_bio = NULL;
char *extensions = NULL;
const char *infile = NULL, *CAfile = NULL, *CAkeyfile = NULL;
- char *outfile = NULL, *keyfile = NULL;
+ char *outfile = NULL, *keyfile = NULL, *digestname = NULL;
char *keyalgstr = NULL, *p, *prog, *passargin = NULL, *passargout = NULL;
char *passin = NULL, *passout = NULL;
char *nofree_passin = NULL, *nofree_passout = NULL;
@@ -468,9 +468,7 @@ int req_main(int argc, char **argv)
newreq = precert = 1;
break;
case OPT_MD:
- if (!opt_md(opt_unknown(), &md_alg))
- goto opthelp;
- digest = md_alg;
+ digestname = opt_unknown();
break;
}
}
@@ -480,6 +478,13 @@ int req_main(int argc, char **argv)
if (argc != 0)
goto opthelp;
+ app_RAND_load();
+ if (digestname != NULL) {
+ if (!opt_md(digestname, &md_alg))
+ goto opthelp;
+ digest = md_alg;
+ }
+
if (!gen_x509) {
if (days != UNSET_DAYS)
BIO_printf(bio_err, "Ignoring -days without -x509; not generating a certificate\n");
diff --git a/apps/rsa.c b/apps/rsa.c
index b65c8fc793..1a75681c70 100644
--- a/apps/rsa.c
+++ b/apps/rsa.c
@@ -93,7 +93,7 @@ int rsa_main(int argc, char **argv)
EVP_PKEY *pkey = NULL;
EVP_PKEY_CTX *pctx;
const EVP_CIPHER *enc = NULL;
- char *infile = NULL, *outfile = NULL, *prog;
+ char *infile = NULL, *outfile = NULL, *ciphername = NULL, *prog;
char *passin = NULL, *passout = NULL, *passinarg = NULL, *passoutarg = NULL;
int private = 0;
int informat = FORMAT_PEM, outformat = FORMAT_PEM, text = 0, check = 0;
@@ -171,8 +171,7 @@ int rsa_main(int argc, char **argv)
check = 1;
break;
case OPT_CIPHER:
- if (!opt_cipher(opt_unknown(), &enc))
- goto opthelp;
+ ciphername = opt_unknown();
break;
case OPT_PROV_CASES:
if (!opt_provider(o))
@@ -189,6 +188,10 @@ int rsa_main(int argc, char **argv)
if (argc != 0)
goto opthelp;
+ if (ciphername != NULL) {
+ if (!opt_cipher(ciphername, &enc))
+ goto opthelp;
+ }
private = (text && !pubin) || (!pubout && !noout) ? 1 : 0;
if (!app_passwd(passinarg, passoutarg, &passin, &passout)) {
diff --git a/apps/rsautl.c b/apps/rsautl.c
index 333edb9363..ae4855f8f5 100644
--- a/apps/rsautl.c
+++ b/apps/rsautl.c
@@ -177,6 +177,7 @@ int rsautl_main(int argc, char **argv)
if (argc != 0)
goto opthelp;
+ app_RAND_load();
if (need_priv && (key_type != KEY_PRIVKEY)) {
BIO_printf(bio_err, "A private key is needed for this operation\n");
goto end;
diff --git a/apps/s_client.c b/apps/s_client.c
index 188ce26a8f..90f9411f45 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -1574,9 +1574,7 @@ int s_client_main(int argc, char **argv)
/* Optional argument is connect string if -connect not used. */
argc = opt_num_rest();
if (argc == 1) {
- /*
- * Don't allow -connect and a separate argument.
- */
+ /* Don't allow -connect and a separate argument. */
if (connectstr != NULL) {
BIO_printf(bio_err,
"%s: cannot provide both -connect option and target parameter\n",
@@ -1588,6 +1586,7 @@ int s_client_main(int argc, char **argv)
} else if (argc != 0) {
goto opthelp;
}
+ app_RAND_load();
if (count4or6 >= 2) {
BIO_printf(bio_err, "%s: Can't use both -4 and -6\n", prog);
diff --git a/apps/s_server.c b/apps/s_server.c
index 2f9b469953..498e629dbf 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -1662,6 +1662,7 @@ int s_server_main(int argc, char *argv[])
if (argc != 0)
goto opthelp;
+ app_RAND_load();
#ifndef OPENSSL_NO_NEXTPROTONEG
if (min_version == TLS1_3_VERSION && next_proto_neg_in != NULL) {
BIO_printf(bio_err, "Cannot supply -nextprotoneg with TLSv1.3\n");
diff --git a/apps/smime.c b/apps/smime.c
index 2a9ee27a34..63578f28d5 100644
--- a/apps/smime.c
+++ b/apps/smime.c
@@ -145,7 +145,8 @@ int smime_main(int argc, char **argv)
const char *CAfile = NULL, *CApath = NULL, *CAstore = NULL, *prog = NULL;
char *certfile = NULL, *keyfile = NULL, *contfile = NULL;
char *infile = NULL, *outfile = NULL, *signerfile = NULL, *recipfile = NULL;
- char *passinarg = NULL, *passin = NULL, *to = NULL, *from = NULL, *subject = NULL;
+ char *passinarg = NULL, *passin = NULL, *to = NULL, *from = NULL;
+ char *subject = NULL, *digestname = NULL, *ciphername = NULL;
OPTION_CHOICE o;
int noCApath = 0, noCAfile = 0, noCAstore = 0;
int flags = PKCS7_DETACHED, operation = 0, ret = 0, indef = 0;
@@ -293,12 +294,10 @@ int smime_main(int argc, char **argv)
recipfile = opt_arg();
break;
case OPT_MD:
- if (!opt_md(opt_arg(), &sign_md))
- goto opthelp;
+ digestname = opt_arg();
break;
case OPT_CIPHER:
- if (!opt_cipher(opt_unknown(), &cipher))
- goto opthelp;
+ ciphername = opt_unknown();
break;
case OPT_INKEY:
/* If previous -inkey argument add signer to list */
@@ -360,6 +359,15 @@ int smime_main(int argc, char **argv)
argc = opt_num_rest();
argv = opt_rest();
+ app_RAND_load();
+ if (digestname != NULL) {
+ if (!opt_md(digestname, &sign_md))
+ goto opthelp;
+ }
+ if (ciphername != NULL) {
+ if (!opt_cipher(ciphername, &cipher))
+ goto opthelp;
+ }
if (!(operation & SMIME_SIGNERS) && (skkeys != NULL || sksigners != NULL)) {
BIO_puts(bio_err, "Multiple signers or keys not allowed\n");
goto opthelp;
diff --git a/apps/speed.c b/apps/speed.c
index fd2a8e951a..c41fca483f 100644
--- a/apps/speed.c
+++ b/apps/speed.c
@@ -1854,6 +1854,7 @@ int speed_main(int argc, char **argv)
argc = opt_num_rest();
argv = opt_rest();
+ app_RAND_load();
for (; *argv; argv++) {
const char *algo = *argv;
diff --git a/apps/srp.c b/apps/srp.c
index 764dba2c6b..2edc448c6c 100644
--- a/apps/srp.c
+++ b/apps/srp.c
@@ -306,6 +306,7 @@ int srp_main(int argc, char **argv)
argc = opt_num_rest();
argv = opt_rest();
+ app_RAND_load();
if (srpvfile != NULL && configfile != NULL) {
BIO_printf(bio_err,
"-srpvfile and -configfile cannot be specified together.\n");
diff --git a/apps/storeutl.c b/apps/storeutl.c
index 9333c478f2..7c13092fe5 100644
--- a/apps/storeutl.c
+++ b/apps/storeutl.c
@@ -81,7 +81,7 @@ int storeutl_main(int argc, char *argv[])
ASN1_INTEGER *serial = NULL;
unsigned char *fingerprint = NULL;
size_t fingerprintlen = 0;
- char *alias = NULL;
+ char *alias = NULL, *digestname = NULL;
OSSL_STORE_SEARCH *search = NULL;
const EVP_MD *digest = NULL;
OSSL_LIB_CTX *libctx = app_get0_libctx();
@@ -247,8 +247,8 @@ int storeutl_main(int argc, char *argv[])
e = setup_engine(opt_arg(), 0);
break;
case OPT_MD:
- if (!opt_md(opt_unknown(), &digest))
- goto opthelp;
+ digestname = opt_unknown();
+ break;
case OPT_PROV_CASES:
if (!opt_provider(o))
goto end;
@@ -262,6 +262,11 @@ int storeutl_main(int argc, char *argv[])
if (argc != 1)
goto opthelp;
+ if (digestname != NULL) {
+ if (!opt_md(digestname, &digest))
+ goto opthelp;
+ }
+
if (criterion != 0) {
switch (criterion) {
case OSSL_STORE_SEARCH_BY_NAME:
diff --git a/apps/ts.c b/apps/ts.c
index 5ff80062ef..8500968a0c 100644
--- a/apps/ts.c
+++ b/apps/ts.c
@@ -160,7 +160,7 @@ int ts_main(int argc, char **argv)
CONF *conf = NULL;
const char *CAfile = NULL, *untrusted = NULL, *prog;
const char *configfile = default_config_file, *engine = NULL;
- const char *section = NULL;
+ const char *section = NULL, *digestname = NULL;
char **helpp;
char *password = NULL;
char *data = NULL, *digest = NULL, *policy = NULL;
@@ -276,8 +276,7 @@ int ts_main(int argc, char **argv)
engine = opt_arg();
break;
case OPT_MD:
- if (!opt_md(opt_unknown(), &md))
- goto opthelp;
+ digestname = opt_unknown();
break;
case OPT_V_CASES:
if (!opt_verify(o, vpm))
@@ -292,6 +291,11 @@ int ts_main(int argc, char **argv)
if (argc != 0 || mode == OPT_ERR)
goto opthelp;
+ app_RAND_load();
+ if (digestname != NULL) {
+ if (!opt_md(digestname, &md))
+ goto opthelp;
+ }
if (mode == OPT_REPLY && passin &&
!app_passwd(passin, NULL, &password, NULL)) {
BIO_printf(bio_err, "Error getting password.\n");
diff --git a/apps/x509.c b/apps/x509.c
index 3fdd44f2f3..67895c8169 100644
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -246,7 +246,7 @@ int x509_main(int argc, char **argv)
X509V3_CTX ext_ctx;
EVP_PKEY *signkey = NULL, *CAkey = NULL, *pubkey = NULL;
int newcert = 0;
- char *subj = NULL;
+ char *subj = NULL, *digestname = NULL;
X509_NAME *fsubj = NULL;
const unsigned long chtype = MBSTRING_ASC;
const int multirdn = 1;
@@ -569,8 +569,8 @@ int x509_main(int argc, char **argv)
preserve_dates = 1;
break;
case OPT_MD:
- if (!opt_md(opt_unknown(), &digest))
- goto opthelp;
+ digestname = opt_unknown();
+ break;
}
}
@@ -579,6 +579,11 @@ int x509_main(int argc, char **argv)
if (argc != 0)
goto opthelp;
+ app_RAND_load();
+ if (digestname != NULL) {
+ if (!opt_md(digestname, &digest))
+ goto opthelp;
+ }
if (preserve_dates && days != UNSET_DAYS) {
BIO_printf(bio_err, "Cannot use -preserve_dates with -days option\n");
goto end;
More information about the openssl-commits
mailing list