[openssl] master update

Dr. Paul Dale pauli at openssl.org
Thu Feb 11 22:35:56 UTC 2021


The branch master has been updated
       via  22040fb790c854cefb04bed98ed38ea6357daf83 (commit)
       via  03bbd346f4410c329d472cc043fb6c49f6688eba (commit)
       via  d0190e11639956677747f6bc7bb5bcd610fd8600 (commit)
       via  51e5df0ed01efa47335940425cc8744ecff1b6ae (commit)
       via  182717bd8a7a438c110d3a3b28387477833b4edc (commit)
       via  50ca7e18954d901ee9215a1a4bb3ecf00b95642a (commit)
      from  1baad060f9d440b8043a33ecf3fd4fc87534e075 (commit)


- Log -----------------------------------------------------------------
commit 22040fb790c854cefb04bed98ed38ea6357daf83
Author: Rich Salz <rsalz at akamai.com>
Date:   Wed Feb 10 13:33:41 2021 -0500

    Allow -rand to be repeated
    
    Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    Reviewed-by: Paul Dale <pauli at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/14135)

commit 03bbd346f4410c329d472cc043fb6c49f6688eba
Author: Rich Salz <rsalz at akamai.com>
Date:   Mon Feb 8 14:20:01 2021 -0500

    Fetch cipher after loading providers
    
    Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    Reviewed-by: Paul Dale <pauli at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/14135)

commit d0190e11639956677747f6bc7bb5bcd610fd8600
Author: Rich Salz <rsalz at akamai.com>
Date:   Mon Feb 8 14:03:35 2021 -0500

    Process digest option after loading providers
    
    Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    Reviewed-by: Paul Dale <pauli at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/14135)

commit 51e5df0ed01efa47335940425cc8744ecff1b6ae
Author: Rich Salz <rsalz at akamai.com>
Date:   Mon Feb 8 13:45:23 2021 -0500

    Load rand state after loading providers
    
    Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    Reviewed-by: Paul Dale <pauli at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/14135)

commit 182717bd8a7a438c110d3a3b28387477833b4edc
Author: Rich Salz <rsalz at akamai.com>
Date:   Sun Feb 7 10:42:23 2021 -0500

    Fetch alg, etc., after loading providers
    
    Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    Reviewed-by: Paul Dale <pauli at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/14135)

commit 50ca7e18954d901ee9215a1a4bb3ecf00b95642a
Author: Rich Salz <rsalz at akamai.com>
Date:   Fri Feb 5 15:38:07 2021 -0500

    Fetch algorithm after loading providers
    
    Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    Reviewed-by: Paul Dale <pauli at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/14135)

-----------------------------------------------------------------------

Summary of changes:
 apps/ca.c           |  3 ++-
 apps/cms.c          | 20 +++++++++-----
 apps/crl.c          |  8 ++++--
 apps/dgst.c         | 13 +++++----
 apps/dhparam.c      |  1 +
 apps/dsa.c          |  9 ++++---
 apps/dsaparam.c     |  1 +
 apps/ec.c           |  9 ++++---
 apps/ecparam.c      |  1 +
 apps/enc.c          | 39 +++++++++++++--------------
 apps/gendsa.c       | 12 ++++++---
 apps/genpkey.c      | 76 +++++++++++++++++++++++++++++------------------------
 apps/genrsa.c       | 10 ++++---
 apps/include/apps.h |  1 +
 apps/lib/app_rand.c | 24 ++++++++++++++++-
 apps/ocsp.c         | 10 ++++---
 apps/passwd.c       |  1 +
 apps/pkcs12.c       | 26 +++++++++++-------
 apps/pkcs8.c        | 10 ++++---
 apps/pkey.c         |  9 ++++---
 apps/pkeyutl.c      | 11 +++++---
 apps/rand.c         |  1 +
 apps/req.c          | 13 ++++++---
 apps/rsa.c          |  9 ++++---
 apps/rsautl.c       |  1 +
 apps/s_client.c     |  5 ++--
 apps/s_server.c     |  1 +
 apps/smime.c        | 18 +++++++++----
 apps/speed.c        |  1 +
 apps/srp.c          |  1 +
 apps/storeutl.c     | 11 +++++---
 apps/ts.c           | 10 ++++---
 apps/x509.c         | 11 +++++---
 33 files changed, 250 insertions(+), 126 deletions(-)

diff --git a/apps/ca.c b/apps/ca.c
index 61e49336d0..29f62f86f2 100755
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -209,7 +209,7 @@ const OPTIONS ca_options[] = {
     {"noemailDN", OPT_NOEMAILDN, '-', "Don't add the EMAIL field to the DN"},
 
     OPT_SECTION("Signing"),
-    {"md", OPT_MD, 's', "md to use; one of md2, md5, sha or sha1"},
+    {"md", OPT_MD, 's', "Digest to use, such as sha256"},
     {"keyfile", OPT_KEYFILE, 's', "The CA private key"},
     {"keyform", OPT_KEYFORM, 'f',
      "Private key file format (ENGINE, other values ignored)"},
@@ -521,6 +521,7 @@ end_of_options:
         goto end;
 
     app_RAND_load_conf(conf, BASE_SECTION);
+    app_RAND_load();
 
     f = NCONF_get_string(conf, section, STRING_MASK);
     if (f == NULL)
diff --git a/apps/cms.c b/apps/cms.c
index 36fb88e15c..67cbb9379a 100644
--- a/apps/cms.c
+++ b/apps/cms.c
@@ -286,10 +286,11 @@ int cms_main(int argc, char **argv)
     X509_VERIFY_PARAM *vpm = NULL;
     char *certfile = NULL, *keyfile = NULL, *contfile = NULL;
     const char *CAfile = NULL, *CApath = NULL, *CAstore = NULL;
-    char *certsoutfile = NULL;
+    char *certsoutfile = NULL, *digestname = NULL;
     int noCAfile = 0, noCApath = 0, noCAstore = 0;
     char *infile = NULL, *outfile = NULL, *rctfile = NULL;
-    char *passinarg = NULL, *passin = NULL, *signerfile = NULL, *originatorfile = NULL, *recipfile = NULL;
+    char *passinarg = NULL, *passin = NULL, *signerfile = NULL;
+    char *originatorfile = NULL, *recipfile = NULL, *ciphername = NULL;
     char *to = NULL, *from = NULL, *subject = NULL, *prog;
     cms_key_param *key_first = NULL, *key_param = NULL;
     int flags = CMS_DETACHED, noout = 0, print = 0, keyidx = -1, vpmtouched = 0;
@@ -565,8 +566,7 @@ int cms_main(int argc, char **argv)
             certsoutfile = opt_arg();
             break;
         case OPT_MD:
-            if (!opt_md(opt_arg(), &sign_md))
-                goto end;
+            digestname = opt_arg();
             break;
         case OPT_SIGNER:
             /* If previous -signer argument add signer to list */
@@ -625,8 +625,7 @@ int cms_main(int argc, char **argv)
             }
             break;
         case OPT_CIPHER:
-            if (!opt_cipher(opt_unknown(), &cipher))
-                goto end;
+            ciphername = opt_unknown();
             break;
         case OPT_KEYOPT:
             keyidx = -1;
@@ -698,6 +697,15 @@ int cms_main(int argc, char **argv)
             break;
         }
     }
+    app_RAND_load();
+    if (digestname != NULL) {
+        if (!opt_md(digestname, &sign_md))
+            goto end;
+    }
+    if (ciphername != NULL) {
+        if (!opt_cipher(ciphername, &cipher))
+            goto end;
+    }
 
     /* Remaining args are files to process. */
     argc = opt_num_rest();
diff --git a/apps/crl.c b/apps/crl.c
index ddbf96bfca..dd9d41e8ea 100644
--- a/apps/crl.c
+++ b/apps/crl.c
@@ -84,6 +84,7 @@ int crl_main(int argc, char **argv)
     EVP_PKEY *pkey;
     const EVP_MD *digest = EVP_sha1();
     char *infile = NULL, *outfile = NULL, *crldiff = NULL, *keyfile = NULL;
+    char *digestname = NULL;
     const char *CAfile = NULL, *CApath = NULL, *CAstore = NULL, *prog;
     OPTION_CHOICE o;
     int hash = 0, issuer = 0, lastupdate = 0, nextupdate = 0, noout = 0;
@@ -192,8 +193,7 @@ int crl_main(int argc, char **argv)
                 goto opthelp;
             break;
         case OPT_MD:
-            if (!opt_md(opt_unknown(), &digest))
-                goto opthelp;
+            digestname = opt_unknown();
             break;
         case OPT_PROV_CASES:
             if (!opt_provider(o))
@@ -207,6 +207,10 @@ int crl_main(int argc, char **argv)
     if (argc != 0)
         goto opthelp;
 
+    if (digestname != NULL) {
+        if (!opt_md(digestname, &digest))
+            goto opthelp;
+    }
     x = load_crl(infile, "CRL");
     if (x == NULL)
         goto end;
diff --git a/apps/dgst.c b/apps/dgst.c
index 0eb84f5169..891cf79279 100644
--- a/apps/dgst.c
+++ b/apps/dgst.c
@@ -97,9 +97,9 @@ int dgst_main(int argc, char **argv)
     EVP_PKEY *sigkey = NULL;
     STACK_OF(OPENSSL_STRING) *sigopts = NULL, *macopts = NULL;
     char *hmac_key = NULL;
-    char *mac_name = NULL;
+    char *mac_name = NULL, *digestname = NULL;
     char *passinarg = NULL, *passin = NULL;
-    const EVP_MD *md = NULL, *m;
+    const EVP_MD *md = NULL;
     const char *outfile = NULL, *keyfile = NULL, *prog = NULL;
     const char *sigfile = NULL;
     const char *md_name = NULL;
@@ -209,9 +209,7 @@ int dgst_main(int argc, char **argv)
                 goto opthelp;
             break;
         case OPT_DIGEST:
-            if (!opt_md(opt_unknown(), &m))
-                goto opthelp;
-            md = m;
+            digestname = opt_unknown();
             break;
         case OPT_PROV_CASES:
             if (!opt_provider(o))
@@ -227,6 +225,11 @@ int dgst_main(int argc, char **argv)
         BIO_printf(bio_err, "%s: Can only sign or verify one file.\n", prog);
         goto end;
     }
+    app_RAND_load();
+    if (digestname != NULL) {
+        if (!opt_md(digestname, &md))
+            goto opthelp;
+    }
 
     if (do_verify && sigfile == NULL) {
         BIO_printf(bio_err,
diff --git a/apps/dhparam.c b/apps/dhparam.c
index cfa399e459..30fdfbbf6e 100644
--- a/apps/dhparam.c
+++ b/apps/dhparam.c
@@ -158,6 +158,7 @@ int dhparam_main(int argc, char **argv)
     } else if (argc != 0) {
         goto opthelp;
     }
+    app_RAND_load();
 
 
     if (g && !num)
diff --git a/apps/dsa.c b/apps/dsa.c
index ebb841fa53..c4baaf7de9 100644
--- a/apps/dsa.c
+++ b/apps/dsa.c
@@ -87,7 +87,7 @@ int dsa_main(int argc, char **argv)
     int modulus = 0, pubin = 0, pubout = 0, ret = 1;
     int pvk_encr = DEFAULT_PVK_ENCR_STRENGTH;
     int private = 0;
-    const char *output_type = NULL;
+    const char *output_type = NULL, *ciphername = NULL;
     const char *output_structure = NULL;
     int selection = 0;
     OSSL_ENCODER_CTX *ectx = NULL;
@@ -151,8 +151,7 @@ int dsa_main(int argc, char **argv)
             pubout = 1;
             break;
         case OPT_CIPHER:
-            if (!opt_cipher(opt_unknown(), &enc))
-                goto end;
+            ciphername = opt_unknown();
             break;
         case OPT_PROV_CASES:
             if (!opt_provider(o))
@@ -166,6 +165,10 @@ int dsa_main(int argc, char **argv)
     if (argc != 0)
         goto opthelp;
 
+    if (ciphername != NULL) {
+        if (!opt_cipher(ciphername, &enc))
+            goto end;
+    }
     private = pubin || pubout ? 0 : 1;
     if (text && !pubin)
         private = 1;
diff --git a/apps/dsaparam.c b/apps/dsaparam.c
index f09318f54b..70c698dbec 100644
--- a/apps/dsaparam.c
+++ b/apps/dsaparam.c
@@ -135,6 +135,7 @@ int dsaparam_main(int argc, char **argv)
     } else if (argc != 0) {
         goto opthelp;
     }
+    app_RAND_load();
 
     /* generate a key */
     numbits = num;
diff --git a/apps/ec.c b/apps/ec.c
index 495e8e6617..d89c580020 100644
--- a/apps/ec.c
+++ b/apps/ec.c
@@ -70,7 +70,7 @@ int ec_main(int argc, char **argv)
     BIO *in = NULL, *out = NULL;
     ENGINE *e = NULL;
     const EVP_CIPHER *enc = NULL;
-    char *infile = NULL, *outfile = NULL, *prog;
+    char *infile = NULL, *outfile = NULL, *ciphername = NULL, *prog;
     char *passin = NULL, *passout = NULL, *passinarg = NULL, *passoutarg = NULL;
     OPTION_CHOICE o;
     int informat = FORMAT_PEM, outformat = FORMAT_PEM, text = 0, noout = 0;
@@ -131,8 +131,7 @@ int ec_main(int argc, char **argv)
             e = setup_engine(opt_arg(), 0);
             break;
         case OPT_CIPHER:
-            if (!opt_cipher(opt_unknown(), &enc))
-                goto opthelp;
+            ciphername = opt_unknown();
             break;
         case OPT_CONV_FORM:
             point_format = opt_arg();
@@ -162,6 +161,10 @@ int ec_main(int argc, char **argv)
     if (argc != 0)
         goto opthelp;
 
+    if (ciphername != NULL) {
+        if (!opt_cipher(ciphername, &enc))
+            goto opthelp;
+    }
     private = param_out || pubin || pubout ? 0 : 1;
     if (text && !pubin)
         private = 1;
diff --git a/apps/ecparam.c b/apps/ecparam.c
index 762da3f2c9..e05a3a495f 100644
--- a/apps/ecparam.c
+++ b/apps/ecparam.c
@@ -190,6 +190,7 @@ int ecparam_main(int argc, char **argv)
     if (argc != 0)
         goto opthelp;
 
+    app_RAND_load();
     private = genkey ? 1 : 0;
 
     in = bio_open_default(infile, 'r', informat);
diff --git a/apps/enc.c b/apps/enc.c
index 81e52c10ce..9982337c01 100644
--- a/apps/enc.c
+++ b/apps/enc.c
@@ -109,11 +109,13 @@ int enc_main(int argc, char **argv)
     BIO *in = NULL, *out = NULL, *b64 = NULL, *benc = NULL, *rbio =
         NULL, *wbio = NULL;
     EVP_CIPHER_CTX *ctx = NULL;
-    const EVP_CIPHER *cipher = NULL, *c;
+    const EVP_CIPHER *cipher = NULL;
     const EVP_MD *dgst = NULL;
+    const char *digestname = NULL;
     char *hkey = NULL, *hiv = NULL, *hsalt = NULL, *p;
-    char *infile = NULL, *outfile = NULL, *prog, *arg0;
+    char *infile = NULL, *outfile = NULL, *prog;
     char *str = NULL, *passarg = NULL, *pass = NULL, *strbuf = NULL;
+    const char *ciphername = NULL;
     char mbuf[sizeof(magic) - 1];
     OPTION_CHOICE o;
     int bsize = BSIZE, verbose = 0, debug = 0, olb64 = 0, nosalt = 0;
@@ -132,20 +134,14 @@ int enc_main(int argc, char **argv)
 #endif
 
     /* first check the command name */
-    arg0 = argv[0];
-    if (strcmp(arg0, "base64") == 0) {
+    if (strcmp(argv[0], "base64") == 0)
         base64 = 1;
 #ifdef ZLIB
-    } else if (strcmp(arg0, "zlib") == 0) {
+    else if (strcmp(argv[0], "zlib") == 0)
         do_zlib = 1;
 #endif
-    } else {
-        cipher = EVP_get_cipherbyname(arg0);
-        if (cipher == NULL && strcmp(arg0, "enc") != 0) {
-            BIO_printf(bio_err, "%s is not a known cipher\n", arg0);
-            goto end;
-        }
-    }
+    else if (strcmp(argv[0], "enc") != 0)
+        ciphername = argv[0];
 
     prog = opt_init(argc, argv, enc_options);
     while ((o = opt_next()) != OPT_EOF) {
@@ -264,13 +260,10 @@ int enc_main(int argc, char **argv)
             hiv = opt_arg();
             break;
         case OPT_MD:
-            if (!opt_md(opt_arg(), &dgst))
-                goto opthelp;
+            digestname = opt_arg();
             break;
         case OPT_CIPHER:
-            if (!opt_cipher(opt_unknown(), &c))
-                goto opthelp;
-            cipher = c;
+            ciphername = opt_unknown();
             break;
         case OPT_ITER:
             if (!opt_int(opt_arg(), &iter))
@@ -300,17 +293,25 @@ int enc_main(int argc, char **argv)
     argc = opt_num_rest();
     if (argc != 0)
         goto opthelp;
+    app_RAND_load();
 
+    /* Get the cipher name, either from progname (if set) or flag. */
+    if (ciphername != NULL) {
+        if (!opt_cipher(ciphername, &cipher))
+            goto opthelp;
+    }
     if (cipher && EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) {
         BIO_printf(bio_err, "%s: AEAD ciphers not supported\n", prog);
         goto end;
     }
-
     if (cipher && (EVP_CIPHER_mode(cipher) == EVP_CIPH_XTS_MODE)) {
         BIO_printf(bio_err, "%s XTS ciphers not supported\n", prog);
         goto end;
     }
-
+    if (digestname != NULL) {
+        if (!opt_md(digestname, &dgst))
+            goto opthelp;
+    }
     if (dgst == NULL)
         dgst = EVP_sha256();
 
diff --git a/apps/gendsa.c b/apps/gendsa.c
index c90a01d979..c6c84c9a56 100644
--- a/apps/gendsa.c
+++ b/apps/gendsa.c
@@ -57,7 +57,7 @@ int gendsa_main(int argc, char **argv)
     EVP_PKEY *pkey = NULL;
     EVP_PKEY_CTX *ctx = NULL;
     const EVP_CIPHER *enc = NULL;
-    char *dsaparams = NULL;
+    char *dsaparams = NULL, *ciphername = NULL;
     char *outfile = NULL, *passoutarg = NULL, *passout = NULL, *prog;
     OPTION_CHOICE o;
     int ret = 1, private = 0, verbose = 0;
@@ -93,8 +93,7 @@ int gendsa_main(int argc, char **argv)
                 goto end;
             break;
         case OPT_CIPHER:
-            if (!opt_cipher(opt_unknown(), &enc))
-                goto end;
+            ciphername = opt_unknown();
             break;
         case OPT_VERBOSE:
             verbose = 1;
@@ -107,8 +106,13 @@ int gendsa_main(int argc, char **argv)
     argv = opt_rest();
     if (argc != 1)
         goto opthelp;
-
     dsaparams = argv[0];
+
+    app_RAND_load();
+    if (ciphername != NULL) {
+        if (!opt_cipher(ciphername, &enc))
+            goto end;
+    }
     private = 1;
 
     if (!app_passwd(NULL, passoutarg, NULL, &passout)) {
diff --git a/apps/genpkey.c b/apps/genpkey.c
index bdd8b43e47..4d28b4ecc2 100644
--- a/apps/genpkey.c
+++ b/apps/genpkey.c
@@ -62,14 +62,19 @@ int genpkey_main(int argc, char **argv)
     ENGINE *e = NULL;
     EVP_PKEY *pkey = NULL;
     EVP_PKEY_CTX *ctx = NULL;
-    char *outfile = NULL, *passarg = NULL, *pass = NULL, *prog;
+    char *outfile = NULL, *passarg = NULL, *pass = NULL, *prog, *p;
+    const char *ciphername = NULL, *paramfile = NULL, *algname = NULL;
     const EVP_CIPHER *cipher = NULL;
     OPTION_CHOICE o;
     int outformat = FORMAT_PEM, text = 0, ret = 1, rv, do_param = 0;
-    int private = 0;
+    int private = 0, i, m;
     OSSL_LIB_CTX *libctx = app_get0_libctx();
+    STACK_OF(OPENSSL_STRING) *keyopt = NULL;
 
     prog = opt_init(argc, argv, genpkey_options);
+    keyopt = sk_OPENSSL_STRING_new_null();
+    if (keyopt == NULL)
+        goto end;
     while ((o = opt_next()) != OPT_EOF) {
         switch (o) {
         case OPT_EOF:
@@ -97,49 +102,23 @@ int genpkey_main(int argc, char **argv)
         case OPT_PARAMFILE:
             if (do_param == 1)
                 goto opthelp;
-            if (!init_keygen_file(&ctx, opt_arg(), e, libctx, app_get0_propq()))
-                goto end;
+            paramfile = opt_arg();
             break;
         case OPT_ALGORITHM:
-            if (!init_gen_str(&ctx, opt_arg(), e, do_param, libctx, app_get0_propq()))
-                goto end;
+            algname = opt_arg();
             break;
         case OPT_PKEYOPT:
-            if (ctx == NULL) {
-                BIO_printf(bio_err, "%s: No keytype specified.\n", prog);
-                goto opthelp;
-            }
-            if (pkey_ctrl_string(ctx, opt_arg()) <= 0) {
-                BIO_printf(bio_err,
-                           "%s: Error setting %s parameter:\n",
-                           prog, opt_arg());
-                ERR_print_errors(bio_err);
+            if (!sk_OPENSSL_STRING_push(keyopt, opt_arg()))
                 goto end;
-            }
             break;
         case OPT_GENPARAM:
-            if (ctx != NULL) {
-                BIO_printf(bio_err,
-                           "%s: '-genparam' option must be set before"
-                            " the '-algorithm' option.\n", prog);
-                goto opthelp;
-            }
             do_param = 1;
             break;
         case OPT_TEXT:
             text = 1;
             break;
         case OPT_CIPHER:
-            if (!opt_cipher(opt_unknown(), &cipher)
-                || do_param == 1)
-                goto opthelp;
-            if (EVP_CIPHER_mode(cipher) == EVP_CIPH_GCM_MODE ||
-                EVP_CIPHER_mode(cipher) == EVP_CIPH_CCM_MODE ||
-                EVP_CIPHER_mode(cipher) == EVP_CIPH_XTS_MODE ||
-                EVP_CIPHER_mode(cipher) == EVP_CIPH_OCB_MODE) {
-                BIO_printf(bio_err, "%s: cipher mode not supported\n", prog);
-                goto end;
-            }
+            ciphername = opt_unknown();
             break;
         case OPT_CONFIG:
             conf = app_load_config_modules(opt_arg());
@@ -158,11 +137,39 @@ int genpkey_main(int argc, char **argv)
     if (argc != 0)
         goto opthelp;
 
-    private = do_param ? 0 : 1;
-
+    /* Fetch cipher, etc. */
+    if (paramfile != NULL) {
+        if (!init_keygen_file(&ctx, paramfile, e, libctx, app_get0_propq()))
+            goto end;
+    }
+    if (algname != NULL) {
+        if (!init_gen_str(&ctx, algname, e, do_param, libctx, app_get0_propq()))
+            goto end;
+    }
     if (ctx == NULL)
         goto opthelp;
 
+    for (i = 0; i < sk_OPENSSL_STRING_num(keyopt); i++) {
+        p = sk_OPENSSL_STRING_value(keyopt, i);
+        if (pkey_ctrl_string(ctx, p) <= 0) {
+            BIO_printf(bio_err, "%s: Error setting %s parameter:\n", prog, p);
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+    }
+    if (ciphername != NULL) {
+        if (!opt_cipher(ciphername, &cipher) || do_param == 1)
+            goto opthelp;
+        m = EVP_CIPHER_mode(cipher);
+        if (m == EVP_CIPH_GCM_MODE || m == EVP_CIPH_CCM_MODE
+                || m == EVP_CIPH_XTS_MODE || m == EVP_CIPH_OCB_MODE) {
+            BIO_printf(bio_err, "%s: cipher mode not supported\n", prog);
+            goto end;
+        }
+    }
+
+    private = do_param ? 0 : 1;
+
     if (!app_passwd(passarg, NULL, &pass, NULL)) {
         BIO_puts(bio_err, "Error getting password\n");
         goto end;
@@ -224,6 +231,7 @@ int genpkey_main(int argc, char **argv)
     }
 
  end:
+    sk_OPENSSL_STRING_free(keyopt);
     EVP_PKEY_free(pkey);
     EVP_PKEY_CTX_free(ctx);
     BIO_free_all(out);
diff --git a/apps/genrsa.c b/apps/genrsa.c
index 2cc1abfbe5..cd99b53a3b 100644
--- a/apps/genrsa.c
+++ b/apps/genrsa.c
@@ -86,7 +86,7 @@ int genrsa_main(int argc, char **argv)
     int ret = 1, num = DEFBITS, private = 0, primes = DEFPRIMES;
     unsigned long f4 = RSA_F4;
     char *outfile = NULL, *passoutarg = NULL, *passout = NULL;
-    char *prog, *hexe, *dece;
+    char *prog, *hexe, *dece, *ciphername = NULL;
     OPTION_CHOICE o;
     int traditional = 0;
 
@@ -131,8 +131,7 @@ opthelp:
             passoutarg = opt_arg();
             break;
         case OPT_CIPHER:
-            if (!opt_cipher(opt_unknown(), &enc))
-                goto end;
+            ciphername = opt_unknown();
             break;
         case OPT_PRIMES:
             if (!opt_int(opt_arg(), &primes))
@@ -164,7 +163,12 @@ opthelp:
         goto opthelp;
     }
 
+    app_RAND_load();
     private = 1;
+    if (ciphername != NULL) {
+        if (!opt_cipher(ciphername, &enc))
+            goto end;
+    }
     if (!app_passwd(NULL, passoutarg, NULL, &passout)) {
         BIO_printf(bio_err, "Error getting password\n");
         goto end;
diff --git a/apps/include/apps.h b/apps/include/apps.h
index d4241fa61e..45a9c4e758 100644
--- a/apps/include/apps.h
+++ b/apps/include/apps.h
@@ -47,6 +47,7 @@
 
 void app_RAND_load_conf(CONF *c, const char *section);
 void app_RAND_write(void);
+int app_RAND_load(void);
 
 extern char *default_config_file; /* may be "" */
 extern BIO *bio_in;
diff --git a/apps/lib/app_rand.c b/apps/lib/app_rand.c
index 1861343a9c..913e66e73f 100644
--- a/apps/lib/app_rand.c
+++ b/apps/lib/app_rand.c
@@ -14,6 +14,7 @@
 #include <openssl/conf.h>
 
 static char *save_rand_file;
+static STACK_OF(OPENSSL_STRING) *randfiles;
 
 void app_RAND_load_conf(CONF *c, const char *section)
 {
@@ -57,6 +58,23 @@ static int loadfiles(char *name)
     return ret;
 }
 
+int app_RAND_load(void)
+{
+    char *p;
+    int i, ret = 1;
+
+    if (randfiles == NULL)
+        return 1;
+
+    for (i = 0; i < sk_OPENSSL_STRING_num(randfiles); i++) {
+        p = sk_OPENSSL_STRING_value(randfiles, i);
+        if (!loadfiles(p))
+            ret = 0;
+    }
+    sk_OPENSSL_STRING_free(randfiles);
+    return ret;
+}
+
 void app_RAND_write(void)
 {
     if (save_rand_file == NULL)
@@ -82,7 +100,11 @@ int opt_rand(int opt)
     case OPT_R__LAST:
         break;
     case OPT_R_RAND:
-        return loadfiles(opt_arg());
+        if (randfiles == NULL
+                && (randfiles = sk_OPENSSL_STRING_new_null()) == NULL)
+            return 0;
+        if (!sk_OPENSSL_STRING_push(randfiles, opt_arg()))
+            return 0;
         break;
     case OPT_R_WRITERAND:
         OPENSSL_free(save_rand_file);
diff --git a/apps/ocsp.c b/apps/ocsp.c
index 982423d1ef..dd1677b1c1 100644
--- a/apps/ocsp.c
+++ b/apps/ocsp.c
@@ -223,7 +223,7 @@ int ocsp_main(int argc, char **argv)
     X509_STORE *store = NULL;
     X509_VERIFY_PARAM *vpm = NULL;
     const char *CAfile = NULL, *CApath = NULL, *CAstore = NULL;
-    char *header, *value;
+    char *header, *value, *respdigname = NULL;
     char *host = NULL, *port = NULL, *path = "/", *outfile = NULL;
     char *rca_filename = NULL, *reqin = NULL, *respin = NULL;
     char *reqout = NULL, *respout = NULL, *ridx_filename = NULL;
@@ -467,8 +467,7 @@ int ocsp_main(int argc, char **argv)
             rcertfile = opt_arg();
             break;
         case OPT_RMD:   /* Response MessageDigest */
-            if (!opt_md(opt_arg(), &rsign_md))
-                goto end;
+            respdigname = opt_arg();
             break;
         case OPT_RSIGOPT:
             if (rsign_sigopts == NULL)
@@ -526,6 +525,11 @@ int ocsp_main(int argc, char **argv)
         goto opthelp;
     }
 
+    if (respdigname != NULL) {
+        if (!opt_md(respdigname, &rsign_md))
+            goto end;
+    }
+
     /* Have we anything to do? */
     if (req == NULL && reqin == NULL
         && respin == NULL && !(port != NULL && ridx_filename != NULL))
diff --git a/apps/passwd.c b/apps/passwd.c
index f8a0493c4c..08b94622da 100644
--- a/apps/passwd.c
+++ b/apps/passwd.c
@@ -195,6 +195,7 @@ int passwd_main(int argc, char **argv)
         passwds = argv;
     }
 
+    app_RAND_load();
     if (mode == passwd_unset) {
         /* use default */
         mode = passwd_md5;
diff --git a/apps/pkcs12.c b/apps/pkcs12.c
index 60e12cf932..e96f9ec4a4 100644
--- a/apps/pkcs12.c
+++ b/apps/pkcs12.c
@@ -145,7 +145,7 @@ const OPTIONS pkcs12_options[] = {
 int pkcs12_main(int argc, char **argv)
 {
     char *infile = NULL, *outfile = NULL, *keyname = NULL, *certfile = NULL;
-    char *untrusted = NULL;
+    char *untrusted = NULL, *ciphername = NULL, *enc_flag = NULL;
     char *passcertsarg = NULL, *passcerts = NULL;
     char *name = NULL, *csp_name = NULL;
     char pass[PASSWD_BUF_SIZE] = "", macpass[PASSWD_BUF_SIZE] = "";
@@ -164,7 +164,6 @@ int pkcs12_main(int argc, char **argv)
     BIO *in = NULL, *out = NULL;
     PKCS12 *p12 = NULL;
     STACK_OF(OPENSSL_STRING) *canames = NULL;
-    const char *enc_flag = NULL;
     const EVP_CIPHER *const default_enc = EVP_aes_256_cbc();
     const EVP_CIPHER *enc = default_enc;
     OPTION_CHOICE o;
@@ -220,10 +219,19 @@ int pkcs12_main(int argc, char **argv)
         case OPT_EXPORT:
             export_pkcs12 = 1;
             break;
+        case OPT_NODES:
+        case OPT_NOENC:
+            /*
+             * |enc_flag| stores the name of the option used so it
+             * can be printed if an error message is output.
+             */
+            enc_flag = opt_flag() + 1;
+            enc = NULL;
+            ciphername = NULL;
+            break;
         case OPT_CIPHER:
+            ciphername = opt_unknown();
             enc_flag = opt_unknown();
-            if (!opt_cipher(enc_flag, &enc))
-                goto opthelp;
             break;
         case OPT_ITER:
             if (!opt_int(opt_arg(), &iter))
@@ -246,11 +254,6 @@ int pkcs12_main(int argc, char **argv)
         case OPT_MACALG:
             macalg = opt_arg();
             break;
-        case OPT_NODES:
-        case OPT_NOENC:
-            enc_flag = opt_flag() + 1;
-            enc = NULL;
-            break;
         case OPT_CERTPBE:
             if (!set_pbe(&cert_pbe, opt_arg()))
                 goto opthelp;
@@ -341,6 +344,11 @@ int pkcs12_main(int argc, char **argv)
     if (argc != 0)
         goto opthelp;
 
+    app_RAND_load();
+    if (ciphername != NULL) {
+        if (!opt_cipher(ciphername, &enc))
+            goto opthelp;
+    }
     if (export_pkcs12) {
         if ((options & INFO) != 0)
             WARN_EXPORT("info");
diff --git a/apps/pkcs8.c b/apps/pkcs8.c
index ae0824c6d2..674007498a 100644
--- a/apps/pkcs8.c
+++ b/apps/pkcs8.c
@@ -75,7 +75,7 @@ int pkcs8_main(int argc, char **argv)
     PKCS8_PRIV_KEY_INFO *p8inf = NULL;
     X509_SIG *p8 = NULL;
     const EVP_CIPHER *cipher = NULL;
-    char *infile = NULL, *outfile = NULL;
+    char *infile = NULL, *outfile = NULL, *ciphername = NULL;
     char *passinarg = NULL, *passoutarg = NULL, *prog;
 #ifndef OPENSSL_NO_UI_CONSOLE
     char pass[APP_PASS_LEN];
@@ -136,8 +136,7 @@ int pkcs8_main(int argc, char **argv)
             traditional = 1;
             break;
         case OPT_V2:
-            if (!opt_cipher(opt_arg(), &cipher))
-                goto opthelp;
+            ciphername = opt_arg();
             break;
         case OPT_V1:
             pbe_nid = OBJ_txt2nid(opt_arg());
@@ -200,6 +199,11 @@ int pkcs8_main(int argc, char **argv)
         goto opthelp;
 
     private = 1;
+    app_RAND_load();
+    if (ciphername != NULL) {
+        if (!opt_cipher(ciphername, &cipher))
+            goto opthelp;
+    }
 
     if (!app_passwd(passinarg, passoutarg, &passin, &passout)) {
         BIO_printf(bio_err, "Error getting passwords\n");
diff --git a/apps/pkey.c b/apps/pkey.c
index a48c9856bf..1a53447401 100644
--- a/apps/pkey.c
+++ b/apps/pkey.c
@@ -73,7 +73,7 @@ int pkey_main(int argc, char **argv)
     EVP_PKEY_CTX *ctx = NULL;
     const EVP_CIPHER *cipher = NULL;
     char *infile = NULL, *outfile = NULL, *passin = NULL, *passout = NULL;
-    char *passinarg = NULL, *passoutarg = NULL, *prog;
+    char *passinarg = NULL, *passoutarg = NULL, *ciphername = NULL, *prog;
     OPTION_CHOICE o;
     int informat = FORMAT_PEM, outformat = FORMAT_PEM;
     int pubin = 0, pubout = 0, text_pub = 0, text = 0, noout = 0, ret = 1;
@@ -143,8 +143,7 @@ int pkey_main(int argc, char **argv)
             pub_check = 1;
             break;
         case OPT_CIPHER:
-            if (!opt_cipher(opt_unknown(), &cipher))
-                goto opthelp;
+            ciphername = opt_unknown();
             break;
         case OPT_EC_CONV_FORM:
 #ifdef OPENSSL_NO_EC
@@ -187,6 +186,10 @@ int pkey_main(int argc, char **argv)
                    "Warning: The -traditional is ignored since there is no PEM output\n");
     private = (!noout && !pubout) || (text && !text_pub);
 
+    if (ciphername != NULL) {
+        if (!opt_cipher(ciphername, &cipher))
+            goto opthelp;
+    }
     if (cipher == NULL) {
         if (passoutarg != NULL)
             BIO_printf(bio_err,
diff --git a/apps/pkeyutl.c b/apps/pkeyutl.c
index 4eb15c30f4..b70f9935b6 100644
--- a/apps/pkeyutl.c
+++ b/apps/pkeyutl.c
@@ -117,7 +117,7 @@ int pkeyutl_main(int argc, char **argv)
     size_t buf_outlen;
     const char *inkey = NULL;
     const char *peerkey = NULL;
-    const char *kdfalg = NULL;
+    const char *kdfalg = NULL, *digestname = NULL;
     int kdflen = 0;
     STACK_OF(OPENSSL_STRING) *pkeyopts = NULL;
     STACK_OF(OPENSSL_STRING) *pkeyopts_passin = NULL;
@@ -244,8 +244,7 @@ int pkeyutl_main(int argc, char **argv)
             rawin = 1;
             break;
         case OPT_DIGEST:
-            if (!opt_md(opt_arg(), &md))
-                goto end;
+            digestname = opt_arg();
             break;
         }
     }
@@ -255,6 +254,12 @@ int pkeyutl_main(int argc, char **argv)
     if (argc != 0)
         goto opthelp;
 
+    app_RAND_load();
+    if (digestname != NULL) {
+        if (!opt_md(digestname, &md))
+            goto end;
+    }
+
     if (rawin && pkey_op != EVP_PKEY_OP_SIGN && pkey_op != EVP_PKEY_OP_VERIFY) {
         BIO_printf(bio_err,
                    "%s: -rawin can only be used with -sign or -verify\n",
diff --git a/apps/rand.c b/apps/rand.c
index c78123e161..69a13f975e 100644
--- a/apps/rand.c
+++ b/apps/rand.c
@@ -99,6 +99,7 @@ int rand_main(int argc, char **argv)
         goto opthelp;
     }
 
+    app_RAND_load();
     out = bio_open_default(outfile, 'w', format);
     if (out == NULL)
         goto end;
diff --git a/apps/req.c b/apps/req.c
index 75840ae387..881cbb45c7 100644
--- a/apps/req.c
+++ b/apps/req.c
@@ -245,7 +245,7 @@ int req_main(int argc, char **argv)
     BIO *addext_bio = NULL;
     char *extensions = NULL;
     const char *infile = NULL, *CAfile = NULL, *CAkeyfile = NULL;
-    char *outfile = NULL, *keyfile = NULL;
+    char *outfile = NULL, *keyfile = NULL, *digestname = NULL;
     char *keyalgstr = NULL, *p, *prog, *passargin = NULL, *passargout = NULL;
     char *passin = NULL, *passout = NULL;
     char *nofree_passin = NULL, *nofree_passout = NULL;
@@ -468,9 +468,7 @@ int req_main(int argc, char **argv)
             newreq = precert = 1;
             break;
         case OPT_MD:
-            if (!opt_md(opt_unknown(), &md_alg))
-                goto opthelp;
-            digest = md_alg;
+            digestname = opt_unknown();
             break;
         }
     }
@@ -480,6 +478,13 @@ int req_main(int argc, char **argv)
     if (argc != 0)
         goto opthelp;
 
+    app_RAND_load();
+    if (digestname != NULL) {
+        if (!opt_md(digestname, &md_alg))
+            goto opthelp;
+        digest = md_alg;
+    }
+
     if (!gen_x509) {
         if (days != UNSET_DAYS)
             BIO_printf(bio_err, "Ignoring -days without -x509; not generating a certificate\n");
diff --git a/apps/rsa.c b/apps/rsa.c
index b65c8fc793..1a75681c70 100644
--- a/apps/rsa.c
+++ b/apps/rsa.c
@@ -93,7 +93,7 @@ int rsa_main(int argc, char **argv)
     EVP_PKEY *pkey = NULL;
     EVP_PKEY_CTX *pctx;
     const EVP_CIPHER *enc = NULL;
-    char *infile = NULL, *outfile = NULL, *prog;
+    char *infile = NULL, *outfile = NULL, *ciphername = NULL, *prog;
     char *passin = NULL, *passout = NULL, *passinarg = NULL, *passoutarg = NULL;
     int private = 0;
     int informat = FORMAT_PEM, outformat = FORMAT_PEM, text = 0, check = 0;
@@ -171,8 +171,7 @@ int rsa_main(int argc, char **argv)
             check = 1;
             break;
         case OPT_CIPHER:
-            if (!opt_cipher(opt_unknown(), &enc))
-                goto opthelp;
+            ciphername = opt_unknown();
             break;
         case OPT_PROV_CASES:
             if (!opt_provider(o))
@@ -189,6 +188,10 @@ int rsa_main(int argc, char **argv)
     if (argc != 0)
         goto opthelp;
 
+    if (ciphername != NULL) {
+        if (!opt_cipher(ciphername, &enc))
+            goto opthelp;
+    }
     private = (text && !pubin) || (!pubout && !noout) ? 1 : 0;
 
     if (!app_passwd(passinarg, passoutarg, &passin, &passout)) {
diff --git a/apps/rsautl.c b/apps/rsautl.c
index 333edb9363..ae4855f8f5 100644
--- a/apps/rsautl.c
+++ b/apps/rsautl.c
@@ -177,6 +177,7 @@ int rsautl_main(int argc, char **argv)
     if (argc != 0)
         goto opthelp;
 
+    app_RAND_load();
     if (need_priv && (key_type != KEY_PRIVKEY)) {
         BIO_printf(bio_err, "A private key is needed for this operation\n");
         goto end;
diff --git a/apps/s_client.c b/apps/s_client.c
index 188ce26a8f..90f9411f45 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -1574,9 +1574,7 @@ int s_client_main(int argc, char **argv)
     /* Optional argument is connect string if -connect not used. */
     argc = opt_num_rest();
     if (argc == 1) {
-        /*
-         * Don't allow -connect and a separate argument.
-         */
+        /* Don't allow -connect and a separate argument. */
         if (connectstr != NULL) {
             BIO_printf(bio_err,
                        "%s: cannot provide both -connect option and target parameter\n",
@@ -1588,6 +1586,7 @@ int s_client_main(int argc, char **argv)
     } else if (argc != 0) {
         goto opthelp;
     }
+    app_RAND_load();
 
     if (count4or6 >= 2) {
         BIO_printf(bio_err, "%s: Can't use both -4 and -6\n", prog);
diff --git a/apps/s_server.c b/apps/s_server.c
index 2f9b469953..498e629dbf 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -1662,6 +1662,7 @@ int s_server_main(int argc, char *argv[])
     if (argc != 0)
         goto opthelp;
 
+    app_RAND_load();
 #ifndef OPENSSL_NO_NEXTPROTONEG
     if (min_version == TLS1_3_VERSION && next_proto_neg_in != NULL) {
         BIO_printf(bio_err, "Cannot supply -nextprotoneg with TLSv1.3\n");
diff --git a/apps/smime.c b/apps/smime.c
index 2a9ee27a34..63578f28d5 100644
--- a/apps/smime.c
+++ b/apps/smime.c
@@ -145,7 +145,8 @@ int smime_main(int argc, char **argv)
     const char *CAfile = NULL, *CApath = NULL, *CAstore = NULL, *prog = NULL;
     char *certfile = NULL, *keyfile = NULL, *contfile = NULL;
     char *infile = NULL, *outfile = NULL, *signerfile = NULL, *recipfile = NULL;
-    char *passinarg = NULL, *passin = NULL, *to = NULL, *from = NULL, *subject = NULL;
+    char *passinarg = NULL, *passin = NULL, *to = NULL, *from = NULL;
+    char *subject = NULL, *digestname = NULL, *ciphername = NULL;
     OPTION_CHOICE o;
     int noCApath = 0, noCAfile = 0, noCAstore = 0;
     int flags = PKCS7_DETACHED, operation = 0, ret = 0, indef = 0;
@@ -293,12 +294,10 @@ int smime_main(int argc, char **argv)
             recipfile = opt_arg();
             break;
         case OPT_MD:
-            if (!opt_md(opt_arg(), &sign_md))
-                goto opthelp;
+            digestname = opt_arg();
             break;
         case OPT_CIPHER:
-            if (!opt_cipher(opt_unknown(), &cipher))
-                goto opthelp;
+            ciphername = opt_unknown();
             break;
         case OPT_INKEY:
             /* If previous -inkey argument add signer to list */
@@ -360,6 +359,15 @@ int smime_main(int argc, char **argv)
     argc = opt_num_rest();
     argv = opt_rest();
 
+    app_RAND_load();
+    if (digestname != NULL) {
+        if (!opt_md(digestname, &sign_md))
+            goto opthelp;
+    }
+    if (ciphername != NULL) {
+        if (!opt_cipher(ciphername, &cipher))
+            goto opthelp;
+    }
     if (!(operation & SMIME_SIGNERS) && (skkeys != NULL || sksigners != NULL)) {
         BIO_puts(bio_err, "Multiple signers or keys not allowed\n");
         goto opthelp;
diff --git a/apps/speed.c b/apps/speed.c
index fd2a8e951a..c41fca483f 100644
--- a/apps/speed.c
+++ b/apps/speed.c
@@ -1854,6 +1854,7 @@ int speed_main(int argc, char **argv)
     argc = opt_num_rest();
     argv = opt_rest();
 
+    app_RAND_load();
     for (; *argv; argv++) {
         const char *algo = *argv;
 
diff --git a/apps/srp.c b/apps/srp.c
index 764dba2c6b..2edc448c6c 100644
--- a/apps/srp.c
+++ b/apps/srp.c
@@ -306,6 +306,7 @@ int srp_main(int argc, char **argv)
     argc = opt_num_rest();
     argv = opt_rest();
 
+    app_RAND_load();
     if (srpvfile != NULL && configfile != NULL) {
         BIO_printf(bio_err,
                    "-srpvfile and -configfile cannot be specified together.\n");
diff --git a/apps/storeutl.c b/apps/storeutl.c
index 9333c478f2..7c13092fe5 100644
--- a/apps/storeutl.c
+++ b/apps/storeutl.c
@@ -81,7 +81,7 @@ int storeutl_main(int argc, char *argv[])
     ASN1_INTEGER *serial = NULL;
     unsigned char *fingerprint = NULL;
     size_t fingerprintlen = 0;
-    char *alias = NULL;
+    char *alias = NULL, *digestname = NULL;
     OSSL_STORE_SEARCH *search = NULL;
     const EVP_MD *digest = NULL;
     OSSL_LIB_CTX *libctx = app_get0_libctx();
@@ -247,8 +247,8 @@ int storeutl_main(int argc, char *argv[])
             e = setup_engine(opt_arg(), 0);
             break;
         case OPT_MD:
-            if (!opt_md(opt_unknown(), &digest))
-                goto opthelp;
+            digestname = opt_unknown();
+            break;
         case OPT_PROV_CASES:
             if (!opt_provider(o))
                 goto end;
@@ -262,6 +262,11 @@ int storeutl_main(int argc, char *argv[])
     if (argc != 1)
         goto opthelp;
 
+    if (digestname != NULL) {
+        if (!opt_md(digestname, &digest))
+            goto opthelp;
+    }
+
     if (criterion != 0) {
         switch (criterion) {
         case OSSL_STORE_SEARCH_BY_NAME:
diff --git a/apps/ts.c b/apps/ts.c
index 5ff80062ef..8500968a0c 100644
--- a/apps/ts.c
+++ b/apps/ts.c
@@ -160,7 +160,7 @@ int ts_main(int argc, char **argv)
     CONF *conf = NULL;
     const char *CAfile = NULL, *untrusted = NULL, *prog;
     const char *configfile = default_config_file, *engine = NULL;
-    const char *section = NULL;
+    const char *section = NULL, *digestname = NULL;
     char **helpp;
     char *password = NULL;
     char *data = NULL, *digest = NULL, *policy = NULL;
@@ -276,8 +276,7 @@ int ts_main(int argc, char **argv)
             engine = opt_arg();
             break;
         case OPT_MD:
-            if (!opt_md(opt_unknown(), &md))
-                goto opthelp;
+            digestname = opt_unknown();
             break;
         case OPT_V_CASES:
             if (!opt_verify(o, vpm))
@@ -292,6 +291,11 @@ int ts_main(int argc, char **argv)
     if (argc != 0 || mode == OPT_ERR)
         goto opthelp;
 
+    app_RAND_load();
+    if (digestname != NULL) {
+        if (!opt_md(digestname, &md))
+            goto opthelp;
+    }
     if (mode == OPT_REPLY && passin &&
         !app_passwd(passin, NULL, &password, NULL)) {
         BIO_printf(bio_err, "Error getting password.\n");
diff --git a/apps/x509.c b/apps/x509.c
index 3fdd44f2f3..67895c8169 100644
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -246,7 +246,7 @@ int x509_main(int argc, char **argv)
     X509V3_CTX ext_ctx;
     EVP_PKEY *signkey = NULL, *CAkey = NULL, *pubkey = NULL;
     int newcert = 0;
-    char *subj = NULL;
+    char *subj = NULL, *digestname = NULL;
     X509_NAME *fsubj = NULL;
     const unsigned long chtype = MBSTRING_ASC;
     const int multirdn = 1;
@@ -569,8 +569,8 @@ int x509_main(int argc, char **argv)
             preserve_dates = 1;
             break;
         case OPT_MD:
-            if (!opt_md(opt_unknown(), &digest))
-                goto opthelp;
+            digestname = opt_unknown();
+            break;
         }
     }
 
@@ -579,6 +579,11 @@ int x509_main(int argc, char **argv)
     if (argc != 0)
         goto opthelp;
 
+    app_RAND_load();
+    if (digestname != NULL) {
+        if (!opt_md(digestname, &digest))
+            goto opthelp;
+    }
     if (preserve_dates && days != UNSET_DAYS) {
         BIO_printf(bio_err, "Cannot use -preserve_dates with -days option\n");
         goto end;


More information about the openssl-commits mailing list