[openssl] master update

Dr. Paul Dale pauli at openssl.org
Tue Jun 15 08:32:03 UTC 2021


The branch master has been updated
       via  a1fb5eb920fb156eda474f0e59d268316b6c893d (commit)
       via  c696f4bfc303d9b43a3167f48b3661972495211c (commit)
       via  09495e4301ea5805b51c8128f99587de64a20b6c (commit)
       via  4d574312dbeba89f3bf874aabbbd67a25b1cdf87 (commit)
       via  f147fa3e7def18076d158783d9c566619151878e (commit)
       via  f64851c5b3d8325121eb1b6669f4682ded51901a (commit)
       via  c8dd887d3c415bfeaabf12e719353b00d5d2e700 (commit)
       via  3334e039cf3de72dbb7dd6151db26110afa8c993 (commit)
       via  02288cbb65397841dd0a06ddaa1cb1cdd1b05c10 (commit)
       via  81743ed9d737d415a43aaf0259616dd007a9e3a4 (commit)
       via  e1a77f9cffbd7f8642ff900a3e5b7c81e8c26fb7 (commit)
      from  42e97dde808e6471575696fdec41e2f8d2ef9feb (commit)


- Log -----------------------------------------------------------------
commit a1fb5eb920fb156eda474f0e59d268316b6c893d
Author: Pauli <pauli at openssl.org>
Date:   Thu Jun 10 16:58:12 2021 +1000

    apps: move global libctx and property query into their own file
    
    The header has been split out so the functions should be as well.
    
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/15687)

commit c696f4bfc303d9b43a3167f48b3661972495211c
Author: Pauli <pauli at openssl.org>
Date:   Thu Jun 10 12:05:28 2021 +1000

    speed: make sure to free any allocated EVP_MAC structures
    
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/15687)

commit 09495e4301ea5805b51c8128f99587de64a20b6c
Author: Pauli <pauli at openssl.org>
Date:   Thu Jun 10 11:27:44 2021 +1000

    pkcs12: use the app's libctx and property query when searching for algorithms
    
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/15687)

commit 4d574312dbeba89f3bf874aabbbd67a25b1cdf87
Author: Pauli <pauli at openssl.org>
Date:   Thu Jun 10 11:27:31 2021 +1000

    speed: use the app's libctx and property query when searching for algorithms
    
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/15687)

commit f147fa3e7def18076d158783d9c566619151878e
Author: Pauli <pauli at openssl.org>
Date:   Thu Jun 10 10:26:43 2021 +1000

    list: use the app's libctx and property query when searching for algorithms
    
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/15687)

commit f64851c5b3d8325121eb1b6669f4682ded51901a
Author: Pauli <pauli at openssl.org>
Date:   Thu Jun 10 10:26:43 2021 +1000

    kdf: use the app's libctx and property query when searching for algorithms
    
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/15687)

commit c8dd887d3c415bfeaabf12e719353b00d5d2e700
Author: Pauli <pauli at openssl.org>
Date:   Thu Jun 10 10:26:43 2021 +1000

    fipsinstall: use the app's libctx and property query when searching for algorithms
    
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/15687)

commit 3334e039cf3de72dbb7dd6151db26110afa8c993
Author: Pauli <pauli at openssl.org>
Date:   Thu Jun 10 11:35:26 2021 +1000

    add libctx and property query to fetch functions
    
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/15687)

commit 02288cbb65397841dd0a06ddaa1cb1cdd1b05c10
Author: Pauli <pauli at openssl.org>
Date:   Thu Jun 10 10:48:51 2021 +1000

    test: add SPKAC command test
    
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/15687)

commit 81743ed9d737d415a43aaf0259616dd007a9e3a4
Author: Pauli <pauli at openssl.org>
Date:   Thu Jun 10 10:33:13 2021 +1000

    spkac: document -digest option
    
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/15687)

commit e1a77f9cffbd7f8642ff900a3e5b7c81e8c26fb7
Author: Pauli <pauli at openssl.org>
Date:   Thu Jun 10 10:06:20 2021 +1000

    spkac: allow digests other than MD5 to be used for signing
    
    Fixes #15683
    
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/15687)

-----------------------------------------------------------------------

Summary of changes:
 apps/fipsinstall.c                             |  2 +-
 test/filterprov.h => apps/include/app_libctx.h | 14 +++++---
 apps/include/apps.h                            |  7 +---
 apps/kdf.c                                     |  3 +-
 apps/lib/app_libctx.c                          | 48 ++++++++++++++++++++++++++
 apps/lib/apps.c                                | 43 ++---------------------
 apps/lib/build.info                            |  2 +-
 apps/lib/opt.c                                 |  1 +
 apps/list.c                                    | 38 +++++++++++---------
 apps/pkcs12.c                                  |  3 +-
 apps/speed.c                                   | 27 ++++++++++-----
 apps/spkac.c                                   | 14 ++++++--
 doc/man1/openssl-spkac.pod.in                  |  8 +++++
 test/recipes/20-test_spkac.t                   | 41 ++++++++++++++++++++++
 14 files changed, 169 insertions(+), 82 deletions(-)
 copy test/filterprov.h => apps/include/app_libctx.h (58%)
 create mode 100644 apps/lib/app_libctx.c
 create mode 100644 test/recipes/20-test_spkac.t

diff --git a/apps/fipsinstall.c b/apps/fipsinstall.c
index 4defa0ab81..d0efdf7643 100644
--- a/apps/fipsinstall.c
+++ b/apps/fipsinstall.c
@@ -431,7 +431,7 @@ opthelp:
     if (read_buffer == NULL)
         goto end;
 
-    mac = EVP_MAC_fetch(NULL, mac_name, NULL);
+    mac = EVP_MAC_fetch(app_get0_libctx(), mac_name, app_get0_propq());
     if (mac == NULL) {
         BIO_printf(bio_err, "Unable to get MAC of type %s\n", mac_name);
         goto end;
diff --git a/test/filterprov.h b/apps/include/app_libctx.h
similarity index 58%
copy from test/filterprov.h
copy to apps/include/app_libctx.h
index 3c63071556..17c0afc713 100644
--- a/test/filterprov.h
+++ b/apps/include/app_libctx.h
@@ -7,8 +7,14 @@
  * https://www.openssl.org/source/license.html
  */
 
-#include <openssl/core_dispatch.h>
+#ifndef OSSL_APPS_LIBCTX_H
+# define OSSL_APPS_LIBCTX_H
 
-OSSL_provider_init_fn filter_provider_init;
-int filter_provider_set_filter(int operation, const char *name);
-int filter_provider_check_clean_finish(void);
+# include <openssl/types.h>
+
+OSSL_LIB_CTX *app_create_libctx(void);
+OSSL_LIB_CTX *app_get0_libctx(void);
+int app_set_propq(const char *arg);
+const char *app_get0_propq(void);
+
+#endif
diff --git a/apps/include/apps.h b/apps/include/apps.h
index 4b5c34f2e2..bc8c6359f3 100644
--- a/apps/include/apps.h
+++ b/apps/include/apps.h
@@ -37,6 +37,7 @@
 # include "fmt.h"
 # include "platform.h"
 # include "engine_loader.h"
+# include "app_libctx.h"
 
 /*
  * quick macro when you need to pass an unsigned char instead of a char.
@@ -330,8 +331,6 @@ typedef struct verify_options_st {
 
 extern VERIFY_CB_ARGS verify_args;
 
-OSSL_LIB_CTX *app_create_libctx(void);
-OSSL_LIB_CTX *app_get0_libctx(void);
 OSSL_PARAM *app_params_new_from_opts(STACK_OF(OPENSSL_STRING) *opts,
                                      const OSSL_PARAM *paramdefs);
 void app_params_free(OSSL_PARAM *params);
@@ -341,8 +340,4 @@ void app_providers_cleanup(void);
 EVP_PKEY *app_keygen(EVP_PKEY_CTX *ctx, const char *alg, int bits, int verbose);
 EVP_PKEY *app_paramgen(EVP_PKEY_CTX *ctx, const char *alg);
 
-OSSL_LIB_CTX *app_get0_libctx(void);
-int app_set_propq(const char *arg);
-const char *app_get0_propq(void);
-
 #endif
diff --git a/apps/kdf.c b/apps/kdf.c
index c4892ed20e..89ee1f69c7 100644
--- a/apps/kdf.c
+++ b/apps/kdf.c
@@ -138,7 +138,8 @@ opthelp:
     if (argc != 1)
         goto opthelp;
 
-    if ((kdf = EVP_KDF_fetch(NULL, argv[0], NULL)) == NULL) {
+    if ((kdf = EVP_KDF_fetch(app_get0_libctx(), argv[0],
+                             app_get0_propq())) == NULL) {
         BIO_printf(bio_err, "Invalid KDF name %s\n", argv[0]);
         goto opthelp;
     }
diff --git a/apps/lib/app_libctx.c b/apps/lib/app_libctx.c
new file mode 100644
index 0000000000..4b9ec40e85
--- /dev/null
+++ b/apps/lib/app_libctx.c
@@ -0,0 +1,48 @@
+/*
+ * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+#include "app_libctx.h"
+#include "apps.h"
+
+static OSSL_LIB_CTX *app_libctx = NULL;
+static const char *app_propq = NULL;
+
+int app_set_propq(const char *arg)
+{
+    app_propq = arg;
+    return 1;
+}
+
+const char *app_get0_propq(void)
+{
+    return app_propq;
+}
+
+OSSL_LIB_CTX *app_get0_libctx(void)
+{
+    return app_libctx;
+}
+
+OSSL_LIB_CTX *app_create_libctx(void)
+{
+    /*
+     * Load the NULL provider into the default library context and create a
+     * library context which will then be used for any OPT_PROV options.
+     */
+    if (app_libctx == NULL) {
+        if (!app_provider_load(NULL, "null")) {
+            opt_printf_stderr( "Failed to create null provider\n");
+            return NULL;
+        }
+        app_libctx = OSSL_LIB_CTX_new();
+    }
+    if (app_libctx == NULL)
+        opt_printf_stderr("Failed to create library context\n");
+    return app_libctx;
+}
+
diff --git a/apps/lib/apps.c b/apps/lib/apps.c
index 79fe4f8409..dfbc3ec522 100644
--- a/apps/lib/apps.c
+++ b/apps/lib/apps.c
@@ -69,8 +69,6 @@ typedef struct {
     unsigned long mask;
 } NAME_EX_TBL;
 
-static OSSL_LIB_CTX *app_libctx = NULL;
-
 static int set_table_opts(unsigned long *flags, const char *arg,
                           const NAME_EX_TBL * in_tbl);
 static int set_multi_opts(unsigned long *flags, const char *arg,
@@ -336,50 +334,13 @@ static char *app_get_pass(const char *arg, int keepbio)
     return OPENSSL_strdup(tpass);
 }
 
-OSSL_LIB_CTX *app_get0_libctx(void)
-{
-    return app_libctx;
-}
-
-static const char *app_propq = NULL;
-
-int app_set_propq(const char *arg)
-{
-    app_propq = arg;
-    return 1;
-}
-
-const char *app_get0_propq(void)
-{
-    return app_propq;
-}
-
-OSSL_LIB_CTX *app_create_libctx(void)
-{
-    /*
-     * Load the NULL provider into the default library context and create a
-     * library context which will then be used for any OPT_PROV options.
-     */
-    if (app_libctx == NULL) {
-
-        if (!app_provider_load(NULL, "null")) {
-            BIO_puts(bio_err, "Failed to create null provider\n");
-            return NULL;
-        }
-        app_libctx = OSSL_LIB_CTX_new();
-    }
-    if (app_libctx == NULL)
-        BIO_puts(bio_err, "Failed to create library context\n");
-    return app_libctx;
-}
-
 CONF *app_load_config_bio(BIO *in, const char *filename)
 {
     long errorline = -1;
     CONF *conf;
     int i;
 
-    conf = NCONF_new_ex(app_libctx, NULL);
+    conf = NCONF_new_ex(app_get0_libctx(), NULL);
     i = NCONF_load_bio(conf, in, &errorline);
     if (i > 0)
         return conf;
@@ -422,7 +383,7 @@ CONF *app_load_config_internal(const char *filename, int quiet)
         BIO_free(in);
     } else {
         /* Return empty config if filename is empty string. */
-        conf = NCONF_new_ex(app_libctx, NULL);
+        conf = NCONF_new_ex(app_get0_libctx(), NULL);
     }
     return conf;
 }
diff --git a/apps/lib/build.info b/apps/lib/build.info
index 340ce29b09..923ef5d92b 100644
--- a/apps/lib/build.info
+++ b/apps/lib/build.info
@@ -10,7 +10,7 @@ ENDIF
 # Source for libapps
 $LIBAPPSSRC=apps.c apps_ui.c opt.c fmt.c s_cb.c s_socket.c app_rand.c \
         columns.c app_params.c names.c app_provider.c app_x509.c http_server.c \
-        engine.c engine_loader.c
+        engine.c engine_loader.c app_libctx.c
 
 IF[{- !$disabled{apps} -}]
   LIBS{noinst}=../libapps.a
diff --git a/apps/lib/opt.c b/apps/lib/opt.c
index 0f08da2df4..c6a506480a 100644
--- a/apps/lib/opt.c
+++ b/apps/lib/opt.c
@@ -12,6 +12,7 @@
  */
 #include "opt.h"
 #include "fmt.h"
+#include "app_libctx.h"
 #include "internal/nelem.h"
 #include <string.h>
 #if !defined(OPENSSL_SYS_MSDOS)
diff --git a/apps/list.c b/apps/list.c
index 612f55a311..9732d6625a 100644
--- a/apps/list.c
+++ b/apps/list.c
@@ -36,10 +36,11 @@ static const char *select_name = NULL;
     {                                                           \
         TYPE *impl;                                             \
         const char *propq = app_get0_propq();                   \
+        OSSL_LIB_CTX *libctx = app_get0_libctx();               \
         const char *name = TYPE ## _get0_name(alg);             \
                                                                 \
         ERR_set_mark();                                         \
-        impl = TYPE ## _fetch(NULL, name, propq);               \
+        impl = TYPE ## _fetch(libctx, name, propq);             \
         ERR_pop_to_mark();                                      \
         if (impl == NULL)                                       \
             return 0;                                           \
@@ -118,7 +119,7 @@ static void list_ciphers(void)
 #endif
 
     BIO_printf(bio_out, "Provided:\n");
-    EVP_CIPHER_do_all_provided(NULL, collect_ciphers, ciphers);
+    EVP_CIPHER_do_all_provided(app_get0_libctx(), collect_ciphers, ciphers);
     sk_EVP_CIPHER_sort(ciphers);
     for (i = 0; i < sk_EVP_CIPHER_num(ciphers); i++) {
         const EVP_CIPHER *c = sk_EVP_CIPHER_value(ciphers, i);
@@ -202,7 +203,7 @@ static void list_digests(void)
 #endif
 
     BIO_printf(bio_out, "Provided:\n");
-    EVP_MD_do_all_provided(NULL, collect_digests, digests);
+    EVP_MD_do_all_provided(app_get0_libctx(), collect_digests, digests);
     sk_EVP_MD_sort(digests);
     for (i = 0; i < sk_EVP_MD_num(digests); i++) {
         const EVP_MD *m = sk_EVP_MD_value(digests, i);
@@ -263,7 +264,7 @@ static void list_macs(void)
         return;
     }
     BIO_printf(bio_out, "Provided MACs:\n");
-    EVP_MAC_do_all_provided(NULL, collect_macs, macs);
+    EVP_MAC_do_all_provided(app_get0_libctx(), collect_macs, macs);
     sk_EVP_MAC_sort(macs);
     for (i = 0; i < sk_EVP_MAC_num(macs); i++) {
         const EVP_MAC *m = sk_EVP_MAC_value(macs, i);
@@ -327,7 +328,7 @@ static void list_kdfs(void)
         return;
     }
     BIO_printf(bio_out, "Provided KDFs and PDFs:\n");
-    EVP_KDF_do_all_provided(NULL, collect_kdfs, kdfs);
+    EVP_KDF_do_all_provided(app_get0_libctx(), collect_kdfs, kdfs);
     sk_EVP_KDF_sort(kdfs);
     for (i = 0; i < sk_EVP_KDF_num(kdfs); i++) {
         const EVP_KDF *k = sk_EVP_KDF_value(kdfs, i);
@@ -397,7 +398,7 @@ static void list_random_generators(void)
         return;
     }
     BIO_printf(bio_out, "Provided RNGs and seed sources:\n");
-    EVP_RAND_do_all_provided(NULL, collect_rands, rands);
+    EVP_RAND_do_all_provided(app_get0_libctx(), collect_rands, rands);
     sk_EVP_RAND_sort(rands);
     for (i = 0; i < sk_EVP_RAND_num(rands); i++) {
         const EVP_RAND *m = sk_EVP_RAND_value(rands, i);
@@ -524,7 +525,8 @@ static void list_encoders(void)
         return;
     }
     BIO_printf(bio_out, "Provided ENCODERs:\n");
-    OSSL_ENCODER_do_all_provided(NULL, collect_encoders, encoders);
+    OSSL_ENCODER_do_all_provided(app_get0_libctx(), collect_encoders,
+                                 encoders);
     sk_OSSL_ENCODER_sort(encoders);
 
     for (i = 0; i < sk_OSSL_ENCODER_num(encoders); i++) {
@@ -588,7 +590,7 @@ static void list_decoders(void)
         return;
     }
     BIO_printf(bio_out, "Provided DECODERs:\n");
-    OSSL_DECODER_do_all_provided(NULL, collect_decoders,
+    OSSL_DECODER_do_all_provided(app_get0_libctx(), collect_decoders,
                                  decoders);
     sk_OSSL_DECODER_sort(decoders);
 
@@ -644,7 +646,8 @@ static void list_keymanagers(void)
     int i;
     STACK_OF(EVP_KEYMGMT) *km_stack = sk_EVP_KEYMGMT_new(keymanager_cmp);
 
-    EVP_KEYMGMT_do_all_provided(NULL, collect_keymanagers, km_stack);
+    EVP_KEYMGMT_do_all_provided(app_get0_libctx(), collect_keymanagers,
+                                km_stack);
     sk_EVP_KEYMGMT_sort(km_stack);
 
     for (i = 0; i < sk_EVP_KEYMGMT_num(km_stack); i++) {
@@ -706,7 +709,8 @@ static void list_signatures(void)
     int i, count = 0;
     STACK_OF(EVP_SIGNATURE) *sig_stack = sk_EVP_SIGNATURE_new(signature_cmp);
 
-    EVP_SIGNATURE_do_all_provided(NULL, collect_signatures, sig_stack);
+    EVP_SIGNATURE_do_all_provided(app_get0_libctx(), collect_signatures,
+                                  sig_stack);
     sk_EVP_SIGNATURE_sort(sig_stack);
 
     for (i = 0; i < sk_EVP_SIGNATURE_num(sig_stack); i++) {
@@ -765,7 +769,7 @@ static void list_kems(void)
     int i, count = 0;
     STACK_OF(EVP_KEM) *kem_stack = sk_EVP_KEM_new(kem_cmp);
 
-    EVP_KEM_do_all_provided(NULL, collect_kem, kem_stack);
+    EVP_KEM_do_all_provided(app_get0_libctx(), collect_kem, kem_stack);
     sk_EVP_KEM_sort(kem_stack);
 
     for (i = 0; i < sk_EVP_KEM_num(kem_stack); i++) {
@@ -825,7 +829,8 @@ static void list_asymciphers(void)
     STACK_OF(EVP_ASYM_CIPHER) *asymciph_stack =
         sk_EVP_ASYM_CIPHER_new(asymcipher_cmp);
 
-    EVP_ASYM_CIPHER_do_all_provided(NULL, collect_asymciph, asymciph_stack);
+    EVP_ASYM_CIPHER_do_all_provided(app_get0_libctx(), collect_asymciph,
+                                    asymciph_stack);
     sk_EVP_ASYM_CIPHER_sort(asymciph_stack);
 
     for (i = 0; i < sk_EVP_ASYM_CIPHER_num(asymciph_stack); i++) {
@@ -885,7 +890,7 @@ static void list_keyexchanges(void)
     int i, count = 0;
     STACK_OF(EVP_KEYEXCH) *kex_stack = sk_EVP_KEYEXCH_new(kex_cmp);
 
-    EVP_KEYEXCH_do_all_provided(NULL, collect_kex, kex_stack);
+    EVP_KEYEXCH_do_all_provided(app_get0_libctx(), collect_kex, kex_stack);
     sk_EVP_KEYEXCH_sort(kex_stack);
 
     for (i = 0; i < sk_EVP_KEYEXCH_num(kex_stack); i++) {
@@ -1013,7 +1018,7 @@ static int is_md_available(const char *name)
 
     /* Look through providers' digests */
     ERR_set_mark();
-    md = EVP_MD_fetch(NULL, name, propq);
+    md = EVP_MD_fetch(app_get0_libctx(), name, propq);
     ERR_pop_to_mark();
     if (md != NULL) {
         EVP_MD_free(md);
@@ -1030,7 +1035,7 @@ static int is_cipher_available(const char *name)
 
     /* Look through providers' ciphers */
     ERR_set_mark();
-    cipher = EVP_CIPHER_fetch(NULL, name, propq);
+    cipher = EVP_CIPHER_fetch(app_get0_libctx(), name, propq);
     ERR_pop_to_mark();
     if (cipher != NULL) {
         EVP_CIPHER_free(cipher);
@@ -1170,7 +1175,8 @@ static void list_store_loaders(void)
         return;
     }
     BIO_printf(bio_out, "Provided STORE LOADERs:\n");
-    OSSL_STORE_LOADER_do_all_provided(NULL, collect_store_loaders, stores);
+    OSSL_STORE_LOADER_do_all_provided(app_get0_libctx(), collect_store_loaders,
+                                      stores);
     sk_OSSL_STORE_LOADER_sort(stores);
     for (i = 0; i < sk_OSSL_STORE_LOADER_num(stores); i++) {
         const OSSL_STORE_LOADER *m = sk_OSSL_STORE_LOADER_value(stores, i);
diff --git a/apps/pkcs12.c b/apps/pkcs12.c
index 90550b1f44..5df5cb78ce 100644
--- a/apps/pkcs12.c
+++ b/apps/pkcs12.c
@@ -763,7 +763,8 @@ int pkcs12_main(int argc, char **argv)
     if (macver) {
         EVP_KDF *pkcs12kdf;
 
-        pkcs12kdf = EVP_KDF_fetch(NULL, "PKCS12KDF", NULL);
+        pkcs12kdf = EVP_KDF_fetch(app_get0_libctx(), "PKCS12KDF",
+                                  app_get0_propq());
         if (pkcs12kdf == NULL) {
             BIO_printf(bio_err, "Error verifying PKCS12 MAC; no PKCS12KDF support.\n");
             BIO_printf(bio_err, "Use -nomacver if MAC verification is not required.\n");
diff --git a/apps/speed.c b/apps/speed.c
index 6822b83db6..555e66afbc 100644
--- a/apps/speed.c
+++ b/apps/speed.c
@@ -1337,6 +1337,7 @@ int speed_main(int argc, char **argv)
     const char *prog;
     const char *engine_id = NULL;
     EVP_CIPHER *evp_cipher = NULL;
+    EVP_MAC *mac = NULL;
     double d = 0.0;
     OPTION_CHOICE o;
     int async_init = 0, multiblock = 0, pr_header = 0;
@@ -1791,8 +1792,6 @@ int speed_main(int argc, char **argv)
 
     /* No parameters; turn on everything. */
     if (argc == 0 && !doit[D_EVP] && !doit[D_HMAC] && !doit[D_EVP_CMAC]) {
-        EVP_MAC *mac;
-
         memset(doit, 1, sizeof(doit));
         doit[D_EVP] = doit[D_EVP_CMAC] = 0;
         ERR_set_mark();
@@ -1804,14 +1803,20 @@ int speed_main(int argc, char **argv)
             if (!have_cipher(names[i]))
                 doit[i] = 0;
         }
-        if ((mac = EVP_MAC_fetch(NULL, "GMAC", NULL)) != NULL)
+        if ((mac = EVP_MAC_fetch(app_get0_libctx(), "GMAC",
+                                 app_get0_propq())) != NULL) {
             EVP_MAC_free(mac);
-        else
+            mac = NULL;
+        } else {
             doit[D_GHASH] = 0;
-        if ((mac = EVP_MAC_fetch(NULL, "HMAC", NULL)) != NULL)
+        }
+        if ((mac = EVP_MAC_fetch(app_get0_libctx(), "HMAC",
+                                 app_get0_propq())) != NULL) {
             EVP_MAC_free(mac);
-        else
+            mac = NULL;
+        } else {
             doit[D_HMAC] = 0;
+        }
         ERR_pop_to_mark();
         memset(rsa_doit, 1, sizeof(rsa_doit));
 #ifndef OPENSSL_NO_DH
@@ -1958,9 +1963,9 @@ int speed_main(int argc, char **argv)
     if (doit[D_HMAC]) {
         static const char hmac_key[] = "This is a key...";
         int len = strlen(hmac_key);
-        EVP_MAC *mac = EVP_MAC_fetch(NULL, "HMAC", NULL);
         OSSL_PARAM params[3];
 
+        mac = EVP_MAC_fetch(app_get0_libctx(), "HMAC", app_get0_propq());
         if (mac == NULL || evp_mac_mdname == NULL)
             goto end;
 
@@ -1998,6 +2003,7 @@ int speed_main(int argc, char **argv)
         for (i = 0; i < loopargs_len; i++)
             EVP_MAC_CTX_free(loopargs[i].mctx);
         EVP_MAC_free(mac);
+        mac = NULL;
     }
 
     if (doit[D_CBC_DES]) {
@@ -2121,9 +2127,9 @@ int speed_main(int argc, char **argv)
     }
     if (doit[D_GHASH]) {
         static const char gmac_iv[] = "0123456789ab";
-        EVP_MAC *mac = EVP_MAC_fetch(NULL, "GMAC", NULL);
         OSSL_PARAM params[3];
 
+        mac = EVP_MAC_fetch(app_get0_libctx(), "GMAC", app_get0_propq());
         if (mac == NULL)
             goto end;
 
@@ -2155,6 +2161,7 @@ int speed_main(int argc, char **argv)
         for (i = 0; i < loopargs_len; i++)
             EVP_MAC_CTX_free(loopargs[i].mctx);
         EVP_MAC_free(mac);
+        mac = NULL;
     }
 
     if (doit[D_RAND]) {
@@ -2252,10 +2259,10 @@ int speed_main(int argc, char **argv)
     }
 
     if (doit[D_EVP_CMAC]) {
-        EVP_MAC *mac = EVP_MAC_fetch(NULL, "CMAC", NULL);
         OSSL_PARAM params[3];
         EVP_CIPHER *cipher = NULL;
 
+        mac = EVP_MAC_fetch(app_get0_libctx(), "CMAC", app_get0_propq());
         if (mac == NULL || evp_mac_ciphername == NULL)
             goto end;
         if (!opt_cipher(evp_mac_ciphername, &cipher))
@@ -2300,6 +2307,7 @@ int speed_main(int argc, char **argv)
         for (i = 0; i < loopargs_len; i++)
             EVP_MAC_CTX_free(loopargs[i].mctx);
         EVP_MAC_free(mac);
+        mac = NULL;
     }
 
     for (i = 0; i < loopargs_len; i++)
@@ -3319,6 +3327,7 @@ int speed_main(int argc, char **argv)
     OPENSSL_free(loopargs);
     release_engine(e);
     EVP_CIPHER_free(evp_cipher);
+    EVP_MAC_free(mac);
     return ret;
 }
 
diff --git a/apps/spkac.c b/apps/spkac.c
index 19576e4878..d92be7d645 100644
--- a/apps/spkac.c
+++ b/apps/spkac.c
@@ -24,7 +24,7 @@ typedef enum OPTION_choice {
     OPT_COMMON,
     OPT_NOOUT, OPT_PUBKEY, OPT_VERIFY, OPT_IN, OPT_OUT,
     OPT_ENGINE, OPT_KEY, OPT_CHALLENGE, OPT_PASSIN, OPT_SPKAC,
-    OPT_SPKSECT, OPT_KEYFORM,
+    OPT_SPKSECT, OPT_KEYFORM, OPT_DIGEST,
     OPT_PROV_ENUM
 } OPTION_CHOICE;
 
@@ -46,6 +46,7 @@ const OPTIONS spkac_options[] = {
     {"spkac", OPT_SPKAC, 's', "Alternative SPKAC name"},
 
     OPT_SECTION("Output"),
+    {"digest", OPT_DIGEST, 's', "Sign new SPKAC with the specified digest (default: MD5)" },
     {"out", OPT_OUT, '>', "Output file"},
     {"noout", OPT_NOOUT, '-', "Don't print SPKAC"},
     {"pubkey", OPT_PUBKEY, '-', "Output public key"},
@@ -66,6 +67,8 @@ int spkac_main(int argc, char **argv)
     char *infile = NULL, *outfile = NULL, *passinarg = NULL, *passin = NULL;
     char *spkstr = NULL, *prog;
     const char *spkac = "SPKAC", *spksect = "default";
+    const char *digest = "MD5";
+    EVP_MD *md = NULL;
     int i, ret = 1, verify = 0, noout = 0, pubkey = 0;
     int keyformat = FORMAT_UNDEF;
     OPTION_CHOICE o;
@@ -116,6 +119,9 @@ int spkac_main(int argc, char **argv)
         case OPT_SPKSECT:
             spksect = opt_arg();
             break;
+        case OPT_DIGEST:
+            digest = opt_arg();
+            break;
         case OPT_ENGINE:
             e = setup_engine(opt_arg(), 0);
             break;
@@ -137,6 +143,9 @@ int spkac_main(int argc, char **argv)
     }
 
     if (keyfile != NULL) {
+        if (!opt_md(digest, &md))
+            goto end;
+
         pkey = load_key(strcmp(keyfile, "-") ? keyfile : NULL,
                         keyformat, 1, passin, e, "private key");
         if (pkey == NULL)
@@ -151,7 +160,7 @@ int spkac_main(int argc, char **argv)
             BIO_printf(bio_err, "Error setting public key\n");
             goto end;
         }
-        i = NETSCAPE_SPKI_sign(spki, pkey, EVP_md5());
+        i = NETSCAPE_SPKI_sign(spki, pkey, md);
         if (i <= 0) {
             BIO_printf(bio_err, "Error signing SPKAC\n");
             goto end;
@@ -213,6 +222,7 @@ int spkac_main(int argc, char **argv)
     ret = 0;
 
  end:
+    EVP_MD_free(md);
     NCONF_free(conf);
     NETSCAPE_SPKI_free(spki);
     BIO_free_all(out);
diff --git a/doc/man1/openssl-spkac.pod.in b/doc/man1/openssl-spkac.pod.in
index 5669be13eb..5e55a7498b 100644
--- a/doc/man1/openssl-spkac.pod.in
+++ b/doc/man1/openssl-spkac.pod.in
@@ -15,6 +15,7 @@ B<openssl> B<spkac>
 [B<-help>]
 [B<-in> I<filename>]
 [B<-out> I<filename>]
+[B<-digest> I<digest>]
 [B<-key> I<filename>|I<uri>]
 [B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
 [B<-passin> I<arg>]
@@ -50,6 +51,11 @@ option is not specified. Ignored if the B<-key> option is used.
 Specifies the output filename to write to or standard output by
 default.
 
+=item B<-digest> I<digest>
+
+Use the specified I<digest> to sign a created SPKAC file.
+The default digest algorithm is MD5.
+
 =item B<-key> I<filename>|I<uri>
 
 Create an SPKAC file using the private key specified by I<filename> or I<uri>.
@@ -149,6 +155,8 @@ L<openssl-ca(1)>
 
 The B<-engine> option was deprecated in OpenSSL 3.0.
 
+The B<-digest> option was added in OpenSSL 3.0.
+
 =head1 COPYRIGHT
 
 Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
diff --git a/test/recipes/20-test_spkac.t b/test/recipes/20-test_spkac.t
new file mode 100644
index 0000000000..cc4c71f325
--- /dev/null
+++ b/test/recipes/20-test_spkac.t
@@ -0,0 +1,41 @@
+#! /usr/bin/env perl
+# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License").  You may not use
+# this file except in compliance with the License.  You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+use strict;
+use warnings;
+
+use File::Spec;
+use File::Basename;
+use OpenSSL::Test qw/:DEFAULT srctop_file ok_nofips/;
+use OpenSSL::Test::Utils;
+
+setup("test_spkac");
+
+plan skip_all => "RSA is not supported by this OpenSSL build"
+    if disabled("rsa");
+
+plan tests => 4;
+
+# For the tests below we use the cert itself as the TBS file
+
+SKIP: {
+    skip "MD5 is not supported by this OpenSSL build", 2
+        if disabled("md5");
+
+    ok(run(app([ 'openssl', 'spkac', '-key', srctop_file("test", "testrsa.pem"),
+                 '-out', 'spkac-md5.pem'])),
+               "SPKAC MD5");
+    ok(run(app([ 'openssl', 'spkac', '-in', 'spkac-md5.pem'])),
+               "SPKAC MD5 verify");
+}
+
+ok(run(app([ 'openssl', 'spkac', '-key', srctop_file("test", "testrsa.pem"),
+             '-out', 'spkac-sha256.pem', '-digest', 'sha256'])),
+           "SPKAC SHA256");
+ok(run(app([ 'openssl', 'spkac', '-in', 'spkac-sha256.pem'])),
+           "SPKAC SHA256 verify");


More information about the openssl-commits mailing list