[openssl] master update
Dr. Paul Dale
pauli at openssl.org
Wed Jun 16 08:33:22 UTC 2021
The branch master has been updated
via f7d2427ac3404ce1ed555bf61885eeb0432b5789 (commit)
via a89835f7e0e4f8155f658af486b93956feaae61d (commit)
via fa8ff9e4e8e0937eb04bf16d0159c3aedbd33547 (commit)
via 6920055ec3ead883dfc6b00d650f6ef86f84aa17 (commit)
from 43ba1573ce54777b77c1990973b50731062d45b7 (commit)
- Log -----------------------------------------------------------------
commit f7d2427ac3404ce1ed555bf61885eeb0432b5789
Author: Pauli <pauli at openssl.org>
Date: Tue Jun 15 14:07:51 2021 +1000
apps: remove AEAD/mode checks that are now redundant
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15747)
commit a89835f7e0e4f8155f658af486b93956feaae61d
Author: Pauli <pauli at openssl.org>
Date: Tue Jun 15 14:07:25 2021 +1000
apps: use get_cipher_any() instead of get_cipher() for commands that support these ciphers/modes
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15747)
commit fa8ff9e4e8e0937eb04bf16d0159c3aedbd33547
Author: Pauli <pauli at openssl.org>
Date: Tue Jun 15 14:06:17 2021 +1000
apps: limit get_cipher() to not return AEAD or XTS ciphers
Add a get_cipher_any() function to access these in addition to more normal ciphers
Fixes #7720
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15747)
commit 6920055ec3ead883dfc6b00d650f6ef86f84aa17
Author: Pauli <pauli at openssl.org>
Date: Tue Jun 15 14:05:05 2021 +1000
doc: document the various get_cipher functions in the commands lib.
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15747)
-----------------------------------------------------------------------
Summary of changes:
apps/cms.c | 4 ++--
apps/enc.c | 14 +++-----------
apps/genpkey.c | 11 ++---------
apps/include/opt.h | 1 +
apps/lib/opt.c | 43 +++++++++++++++++++++++++++++++++++++------
apps/pkcs12.c | 2 +-
apps/smime.c | 2 +-
doc/internal/man3/OPTIONS.pod | 17 ++++++++++++-----
8 files changed, 59 insertions(+), 35 deletions(-)
diff --git a/apps/cms.c b/apps/cms.c
index 81112c5a38..58ce54e454 100644
--- a/apps/cms.c
+++ b/apps/cms.c
@@ -725,11 +725,11 @@ int cms_main(int argc, char **argv)
goto end;
}
if (ciphername != NULL) {
- if (!opt_cipher(ciphername, &cipher))
+ if (!opt_cipher_any(ciphername, &cipher))
goto end;
}
if (wrapname != NULL) {
- if (!opt_cipher(wrapname, &wrap_cipher))
+ if (!opt_cipher_any(wrapname, &wrap_cipher))
goto end;
}
diff --git a/apps/enc.c b/apps/enc.c
index f136c3f8df..3dd6098563 100644
--- a/apps/enc.c
+++ b/apps/enc.c
@@ -300,14 +300,6 @@ int enc_main(int argc, char **argv)
if (!opt_cipher(ciphername, &cipher))
goto opthelp;
}
- if (cipher && EVP_CIPHER_get_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) {
- BIO_printf(bio_err, "%s: AEAD ciphers not supported\n", prog);
- goto end;
- }
- if (cipher && (EVP_CIPHER_get_mode(cipher) == EVP_CIPH_XTS_MODE)) {
- BIO_printf(bio_err, "%s XTS ciphers not supported\n", prog);
- goto end;
- }
if (digestname != NULL) {
if (!opt_md(digestname, &dgst))
goto opthelp;
@@ -660,9 +652,9 @@ static void show_ciphers(const OBJ_NAME *name, void *arg)
/* Filter out ciphers that we cannot use */
cipher = EVP_get_cipherbyname(name->name);
- if (cipher == NULL ||
- (EVP_CIPHER_get_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) != 0 ||
- EVP_CIPHER_get_mode(cipher) == EVP_CIPH_XTS_MODE)
+ if (cipher == NULL
+ || (EVP_CIPHER_get_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) != 0
+ || EVP_CIPHER_get_mode(cipher) == EVP_CIPH_XTS_MODE)
return;
BIO_printf(dec->bio, "-%-25s", name->name);
diff --git a/apps/genpkey.c b/apps/genpkey.c
index 5cde41b98b..d327bcab07 100644
--- a/apps/genpkey.c
+++ b/apps/genpkey.c
@@ -70,7 +70,7 @@ int genpkey_main(int argc, char **argv)
EVP_CIPHER *cipher = NULL;
OPTION_CHOICE o;
int outformat = FORMAT_PEM, text = 0, ret = 1, rv, do_param = 0;
- int private = 0, i, m;
+ int private = 0, i;
OSSL_LIB_CTX *libctx = app_get0_libctx();
STACK_OF(OPENSSL_STRING) *keyopt = NULL;
@@ -163,16 +163,9 @@ int genpkey_main(int argc, char **argv)
goto end;
}
}
- if (ciphername != NULL) {
+ if (ciphername != NULL)
if (!opt_cipher(ciphername, &cipher) || do_param == 1)
goto opthelp;
- m = EVP_CIPHER_get_mode(cipher);
- if (m == EVP_CIPH_GCM_MODE || m == EVP_CIPH_CCM_MODE
- || m == EVP_CIPH_XTS_MODE || m == EVP_CIPH_OCB_MODE) {
- BIO_printf(bio_err, "%s: cipher mode not supported\n", prog);
- goto end;
- }
- }
private = do_param ? 0 : 1;
diff --git a/apps/include/opt.h b/apps/include/opt.h
index 96e78e4b79..4a292213fd 100644
--- a/apps/include/opt.h
+++ b/apps/include/opt.h
@@ -366,6 +366,7 @@ char *opt_flag(void);
char *opt_arg(void);
char *opt_unknown(void);
int opt_cipher(const char *name, EVP_CIPHER **cipherp);
+int opt_cipher_any(const char *name, EVP_CIPHER **cipherp);
int opt_cipher_silent(const char *name, EVP_CIPHER **cipherp);
int opt_md(const char *name, EVP_MD **mdp);
int opt_md_silent(const char *name, EVP_MD **mdp);
diff --git a/apps/lib/opt.c b/apps/lib/opt.c
index c6a506480a..c88c99b5e6 100644
--- a/apps/lib/opt.c
+++ b/apps/lib/opt.c
@@ -368,27 +368,58 @@ void print_format_error(int format, unsigned long flags)
(void)opt_format_error(format2str(format), flags);
}
-/* Parse a cipher name, put it in *EVP_CIPHER; return 0 on failure, else 1. */
+/*
+ * Parse a cipher name, put it in *cipherp after freeing what was there, if
+ * cipherp is not NULL. Return 0 on failure, else 1.
+ */
int opt_cipher_silent(const char *name, EVP_CIPHER **cipherp)
{
- EVP_CIPHER_free(*cipherp);
+ EVP_CIPHER *c;
ERR_set_mark();
- if ((*cipherp = EVP_CIPHER_fetch(NULL, name, NULL)) != NULL
- || (*cipherp = (EVP_CIPHER *)EVP_get_cipherbyname(name)) != NULL) {
+ if ((c = EVP_CIPHER_fetch(NULL, name, NULL)) != NULL
+ || (c = (EVP_CIPHER *)EVP_get_cipherbyname(name)) != NULL) {
ERR_pop_to_mark();
+ if (cipherp != NULL) {
+ EVP_CIPHER_free(*cipherp);
+ *cipherp = c;
+ } else {
+ EVP_CIPHER_free(c);
+ }
return 1;
}
ERR_clear_last_mark();
return 0;
}
-int opt_cipher(const char *name, EVP_CIPHER **cipherp)
+int opt_cipher_any(const char *name, EVP_CIPHER **cipherp)
{
int ret;
if ((ret = opt_cipher_silent(name, cipherp)) == 0)
- opt_printf_stderr("%s: Unknown cipher: %s\n", prog, name);
+ opt_printf_stderr("%s: Unknown cipher: %s\n", prog, name);
+ return ret;
+}
+
+int opt_cipher(const char *name, EVP_CIPHER **cipherp)
+{
+ int mode, ret = 0;
+ unsigned long int flags;
+ EVP_CIPHER *c = NULL;
+
+ if (opt_cipher_any(name, &c)) {
+ mode = EVP_CIPHER_get_mode(c);
+ flags = EVP_CIPHER_get_flags(c);
+ if (mode == EVP_CIPH_XTS_MODE) {
+ opt_printf_stderr("%s XTS ciphers not supported\n", prog);
+ } else if ((flags & EVP_CIPH_FLAG_AEAD_CIPHER) != 0) {
+ opt_printf_stderr("%s: AEAD ciphers not supported\n", prog);
+ } else {
+ ret = 1;
+ if (cipherp != NULL)
+ *cipherp = c;
+ }
+ }
return ret;
}
diff --git a/apps/pkcs12.c b/apps/pkcs12.c
index 5df5cb78ce..1234a69892 100644
--- a/apps/pkcs12.c
+++ b/apps/pkcs12.c
@@ -364,7 +364,7 @@ int pkcs12_main(int argc, char **argv)
goto end;
if (ciphername != NULL) {
- if (!opt_cipher(ciphername, &enc))
+ if (!opt_cipher_any(ciphername, &enc))
goto opthelp;
}
if (export_pkcs12) {
diff --git a/apps/smime.c b/apps/smime.c
index ea71121fb4..a2ff0b5be7 100644
--- a/apps/smime.c
+++ b/apps/smime.c
@@ -367,7 +367,7 @@ int smime_main(int argc, char **argv)
goto opthelp;
}
if (ciphername != NULL) {
- if (!opt_cipher(ciphername, &cipher))
+ if (!opt_cipher_any(ciphername, &cipher))
goto opthelp;
}
if (!(operation & SMIME_SIGNERS) && (skkeys != NULL || sksigners != NULL)) {
diff --git a/doc/internal/man3/OPTIONS.pod b/doc/internal/man3/OPTIONS.pod
index 29151b3761..d615aa3c28 100644
--- a/doc/internal/man3/OPTIONS.pod
+++ b/doc/internal/man3/OPTIONS.pod
@@ -4,7 +4,8 @@
OPTIONS, OPT_PAIR, OPT_COMMON, OPT_ERR, OPT_EOF, OPT_HELP,
opt_init, opt_progname, opt_appname, opt_getprog, opt_help,
-opt_begin, opt_next, opt_flag, opt_arg, opt_unknown, opt_cipher, opt_md,
+opt_begin, opt_next, opt_flag, opt_arg, opt_unknown, opt_cipher,
+opt_cipher_any, opt_cipher_silent, opt_md,
opt_int, opt_int_arg, opt_long, opt_ulong, opt_intmax, opt_uintmax,
opt_format, opt_isdir, opt_string, opt_pair,
opt_num_rest, opt_rest
@@ -33,6 +34,8 @@ opt_num_rest, opt_rest
char *opt_arg(void);
char *opt_unknown(void);
int opt_cipher(const char *name, EVP_CIPHER **cipherp);
+ int opt_cipher_any(const char *name, EVP_CIPHER **cipherp);
+ int opt_cipher_silent(const char *name, EVP_CIPHER **cipherp);
int opt_md(const char *name, EVP_MD **mdp);
int opt_int(const char *value, int *result);
@@ -242,10 +245,14 @@ The opt_arg() function returns the option's argument value, if there is one.
The opt_unknown() function returns the unknown option.
In an option list, there can be at most one option with the empty string.
This is a "wildcard" or "unknown" option. For example, it allows an
-option to be be taken as digest algorithm, like C<-sha1>. The
-function opt_cipher() takes the specified I<name> and fills in
-the cipher into I<cipherp>. The function opt_md() does the same
-thing for message digest.
+option to be be taken as digest algorithm, like C<-sha1>. The function
+opt_md() takes the specified I<name> and fills in the digest into I<mdp>.
+The functions opt_cipher(), opt_cipher_any() and opt_cipher_silent()
+each takes the specified I<name> and fills in the cipher into I<cipherp>.
+The function opt_cipher() only accepts ciphers which are not
+AEAD and are not using XTS mode. The functions opt_cipher_any() and
+opt_cipher_silent() accept any cipher, the latter not emitting an error
+if the cipher is not located.
There are a several useful functions for parsing numbers. These are
opt_int(), opt_long(), opt_ulong(), opt_intmax(), and opt_uintmax(). They all
More information about the openssl-commits
mailing list