[openssl] master update
tomas at openssl.org
tomas at openssl.org
Mon Mar 22 14:40:18 UTC 2021
The branch master has been updated
via e72dbd8e13cbf5a16faaa6c911af5507593dd836 (commit)
from c781eb1c63c243cb64dbe3066a43dc172aaab3b8 (commit)
- Log -----------------------------------------------------------------
commit e72dbd8e13cbf5a16faaa6c911af5507593dd836
Author: Shane Lontis <shane.lontis at oracle.com>
Date: Fri Mar 5 08:22:56 2021 +1000
Fix usages of const EVP_MD.
Partially fixes #13837
Reviewed-by: Paul Dale <pauli at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14474)
-----------------------------------------------------------------------
Summary of changes:
crypto/cms/cms_sd.c | 2 +-
crypto/ec/ecx_meth.c | 22 +++++++++++++++++--
crypto/ess/ess_lib.c | 2 +-
crypto/ts/ts_local.h | 2 ++
crypto/ts/ts_rsp_sign.c | 37 ++++++++++++++++++++++++++------
crypto/x509/x509_cmp.c | 8 ++++++-
crypto/x509/x509_req.c | 2 +-
crypto/x509/x_all.c | 45 ++++++++++++++++++++-------------------
crypto/x509/x_req.c | 41 ++++++++++++++++++++++++++++++++++++
doc/build.info | 6 ++++++
doc/man3/TS_RESP_CTX_new.pod | 50 ++++++++++++++++++++++++++++++++++++++++++++
doc/man3/X509_dup.pod | 1 +
include/crypto/x509.h | 4 ++++
include/openssl/ts.h | 1 +
include/openssl/x509.h.in | 1 +
util/libcrypto.num | 2 ++
16 files changed, 192 insertions(+), 34 deletions(-)
create mode 100644 doc/man3/TS_RESP_CTX_new.pod
diff --git a/crypto/cms/cms_sd.c b/crypto/cms/cms_sd.c
index a57943513e..c98d118f4b 100644
--- a/crypto/cms/cms_sd.c
+++ b/crypto/cms/cms_sd.c
@@ -372,7 +372,7 @@ CMS_SignerInfo *CMS_add1_signer(CMS_ContentInfo *cms,
ESS_SIGNING_CERT_V2 *sc2 = NULL;
int add_sc;
- if (md == EVP_sha1() || md == NULL) {
+ if (md == NULL || EVP_MD_is_a(md, SN_sha1)) {
if ((sc = ossl_ess_signing_cert_new_init(signer,
NULL, 1)) == NULL)
goto err;
diff --git a/crypto/ec/ecx_meth.c b/crypto/ec/ecx_meth.c
index d476af0e3c..d68189036b 100644
--- a/crypto/ec/ecx_meth.c
+++ b/crypto/ec/ecx_meth.c
@@ -991,6 +991,8 @@ static int s390x_pkey_ecd_keygen25519(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
ctx->propquery);
unsigned char *privkey = NULL, *pubkey;
unsigned int sz;
+ EVP_MD *md = NULL;
+ int rv;
if (key == NULL) {
ERR_raise(ERR_LIB_EC, ERR_R_MALLOC_FAILURE);
@@ -1008,7 +1010,13 @@ static int s390x_pkey_ecd_keygen25519(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
if (RAND_priv_bytes_ex(ctx->libctx, privkey, ED25519_KEYLEN) <= 0)
goto err;
- if (!EVP_Digest(privkey, 32, buff, &sz, EVP_sha512(), NULL))
+ md = EVP_MD_fetch(ctx->libctx, "SHA512", ctx->propquery);
+ if (md == NULL)
+ goto err;
+
+ rv = EVP_Digest(privkey, 32, buff, &sz, md, NULL);
+ EVP_MD_free(md);
+ if (!rv)
goto err;
buff[0] &= 248;
@@ -1049,6 +1057,8 @@ static int s390x_pkey_ecd_keygen448(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
ctx->propquery);
unsigned char *privkey = NULL, *pubkey;
EVP_MD_CTX *hashctx = NULL;
+ EVP_MD *md = NULL;
+ int rv;
if (key == NULL) {
ERR_raise(ERR_LIB_EC, ERR_R_MALLOC_FAILURE);
@@ -1069,8 +1079,16 @@ static int s390x_pkey_ecd_keygen448(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
hashctx = EVP_MD_CTX_new();
if (hashctx == NULL)
goto err;
- if (EVP_DigestInit_ex(hashctx, EVP_shake256(), NULL) != 1)
+
+ md = EVP_MD_fetch(ctx->libctx, "SHAKE256", ctx->propquery);
+ if (md == NULL)
+ goto err;
+
+ rv = EVP_DigestInit_ex(hashctx, md, NULL);
+ EVP_MD_free(md);
+ if (rv != 1)
goto err;
+
if (EVP_DigestUpdate(hashctx, privkey, 57) != 1)
goto err;
if (EVP_DigestFinalXOF(hashctx, buff, sizeof(buff)) != 1)
diff --git a/crypto/ess/ess_lib.c b/crypto/ess/ess_lib.c
index ebc76cb79c..96cb6d053f 100644
--- a/crypto/ess/ess_lib.c
+++ b/crypto/ess/ess_lib.c
@@ -145,7 +145,7 @@ static ESS_CERT_ID_V2 *ESS_CERT_ID_V2_new_init(const EVP_MD *hash_alg,
if ((cid = ESS_CERT_ID_V2_new()) == NULL)
goto err;
- if (hash_alg != EVP_sha256()) {
+ if (!EVP_MD_is_a(hash_alg, SN_sha256)) {
alg = X509_ALGOR_new();
if (alg == NULL)
goto err;
diff --git a/crypto/ts/ts_local.h b/crypto/ts/ts_local.h
index 320173376a..99a420dddf 100644
--- a/crypto/ts/ts_local.h
+++ b/crypto/ts/ts_local.h
@@ -124,6 +124,8 @@ struct TS_resp_ctx {
TS_REQ *request;
TS_RESP *response;
TS_TST_INFO *tst_info;
+ OSSL_LIB_CTX *libctx;
+ char *propq;
};
struct TS_verify_ctx {
diff --git a/crypto/ts/ts_rsp_sign.c b/crypto/ts/ts_rsp_sign.c
index 0bbe0e2b6c..e29420232f 100644
--- a/crypto/ts/ts_rsp_sign.c
+++ b/crypto/ts/ts_rsp_sign.c
@@ -108,7 +108,7 @@ static int def_extension_cb(struct TS_resp_ctx *ctx, X509_EXTENSION *ext,
/* TS_RESP_CTX management functions. */
-TS_RESP_CTX *TS_RESP_CTX_new(void)
+TS_RESP_CTX *TS_RESP_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq)
{
TS_RESP_CTX *ctx;
@@ -117,8 +117,15 @@ TS_RESP_CTX *TS_RESP_CTX_new(void)
return NULL;
}
- ctx->signer_md = EVP_sha256();
-
+ if (propq != NULL) {
+ ctx->propq = OPENSSL_strdup(propq);
+ if (ctx->propq == NULL) {
+ OPENSSL_free(ctx);
+ ERR_raise(ERR_LIB_TS, ERR_R_MALLOC_FAILURE);
+ return NULL;
+ }
+ }
+ ctx->libctx = libctx;
ctx->serial_cb = def_serial_cb;
ctx->time_cb = def_time_cb;
ctx->extension_cb = def_extension_cb;
@@ -126,11 +133,17 @@ TS_RESP_CTX *TS_RESP_CTX_new(void)
return ctx;
}
+TS_RESP_CTX *TS_RESP_CTX_new(void)
+{
+ return TS_RESP_CTX_new_ex(NULL, NULL);
+}
+
void TS_RESP_CTX_free(TS_RESP_CTX *ctx)
{
if (!ctx)
return;
+ OPENSSL_free(ctx->propq);
X509_free(ctx->signer_cert);
EVP_PKEY_free(ctx->signer_key);
sk_X509_pop_free(ctx->certs, X509_free);
@@ -623,13 +636,14 @@ static int ts_RESP_sign(TS_RESP_CTX *ctx)
ASN1_OBJECT *oid;
BIO *p7bio = NULL;
int i;
+ EVP_MD *signer_md = NULL;
if (!X509_check_private_key(ctx->signer_cert, ctx->signer_key)) {
ERR_raise(ERR_LIB_TS, TS_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
goto err;
}
- if ((p7 = PKCS7_new()) == NULL) {
+ if ((p7 = PKCS7_new_ex(ctx->libctx, ctx->propq)) == NULL) {
ERR_raise(ERR_LIB_TS, ERR_R_MALLOC_FAILURE);
goto err;
}
@@ -648,8 +662,16 @@ static int ts_RESP_sign(TS_RESP_CTX *ctx)
}
}
+ if (ctx->signer_md == NULL)
+ signer_md = EVP_MD_fetch(ctx->libctx, "SHA256", ctx->propq);
+ else if (EVP_MD_provider(ctx->signer_md) == NULL)
+ signer_md = EVP_MD_fetch(ctx->libctx, EVP_MD_name(ctx->signer_md),
+ ctx->propq);
+ else
+ signer_md = (EVP_MD *)ctx->signer_md;
+
if ((si = PKCS7_add_signature(p7, ctx->signer_cert,
- ctx->signer_key, ctx->signer_md)) == NULL) {
+ ctx->signer_key, signer_md)) == NULL) {
ERR_raise(ERR_LIB_TS, TS_R_PKCS7_ADD_SIGNATURE_ERROR);
goto err;
}
@@ -663,7 +685,7 @@ static int ts_RESP_sign(TS_RESP_CTX *ctx)
certs = ctx->flags & TS_ESS_CERT_ID_CHAIN ? ctx->certs : NULL;
if (ctx->ess_cert_id_digest == NULL
- || ctx->ess_cert_id_digest == EVP_sha1()) {
+ || EVP_MD_is_a(ctx->ess_cert_id_digest, SN_sha1)) {
if ((sc = ossl_ess_signing_cert_new_init(ctx->signer_cert,
certs, 0)) == NULL)
goto err;
@@ -704,6 +726,9 @@ static int ts_RESP_sign(TS_RESP_CTX *ctx)
ret = 1;
err:
+ if (signer_md != ctx->signer_md)
+ EVP_MD_free(signer_md);
+
if (!ret)
TS_RESP_CTX_set_status_info_cond(ctx, TS_STATUS_REJECTION,
"Error during signature "
diff --git a/crypto/x509/x509_cmp.c b/crypto/x509/x509_cmp.c
index 3ced70b21f..51dc24b6fb 100644
--- a/crypto/x509/x509_cmp.c
+++ b/crypto/x509/x509_cmp.c
@@ -40,13 +40,18 @@ unsigned long X509_issuer_and_serial_hash(X509 *a)
EVP_MD_CTX *ctx = EVP_MD_CTX_new();
unsigned char md[16];
char *f;
+ EVP_MD *digest = NULL;
if (ctx == NULL)
goto err;
f = X509_NAME_oneline(a->cert_info.issuer, NULL, 0);
if (f == NULL)
goto err;
- if (!EVP_DigestInit_ex(ctx, EVP_md5(), NULL))
+ digest = EVP_MD_fetch(a->libctx, SN_md5, a->propq);
+ if (digest == NULL)
+ goto err;
+
+ if (!EVP_DigestInit_ex(ctx, digest, NULL))
goto err;
if (!EVP_DigestUpdate(ctx, (unsigned char *)f, strlen(f)))
goto err;
@@ -61,6 +66,7 @@ unsigned long X509_issuer_and_serial_hash(X509 *a)
((unsigned long)md[2] << 16L) | ((unsigned long)md[3] << 24L)
) & 0xffffffffL;
err:
+ EVP_MD_free(digest);
EVP_MD_CTX_free(ctx);
return ret;
}
diff --git a/crypto/x509/x509_req.c b/crypto/x509/x509_req.c
index 29dec4e657..e3f5c2add1 100644
--- a/crypto/x509/x509_req.c
+++ b/crypto/x509/x509_req.c
@@ -26,7 +26,7 @@ X509_REQ *X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, const EVP_MD *md)
int i;
EVP_PKEY *pktmp;
- ret = X509_REQ_new();
+ ret = X509_REQ_new_ex(x->libctx, x->propq);
if (ret == NULL) {
ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE);
goto err;
diff --git a/crypto/x509/x_all.c b/crypto/x509/x_all.c
index d21b0799f6..c5e0c0b1ec 100644
--- a/crypto/x509/x_all.c
+++ b/crypto/x509/x_all.c
@@ -52,16 +52,15 @@ int X509_REQ_verify(X509_REQ *a, EVP_PKEY *r)
int NETSCAPE_SPKI_verify(NETSCAPE_SPKI *a, EVP_PKEY *r)
{
- return (ASN1_item_verify(ASN1_ITEM_rptr(NETSCAPE_SPKAC),
- &a->sig_algor, a->signature, a->spkac, r));
+ return ASN1_item_verify(ASN1_ITEM_rptr(NETSCAPE_SPKAC),
+ &a->sig_algor, a->signature, a->spkac, r);
}
int X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md)
{
x->cert_info.enc.modified = 1;
- return (ASN1_item_sign(ASN1_ITEM_rptr(X509_CINF), &x->cert_info.signature,
- &x->sig_alg, &x->signature, &x->cert_info, pkey,
- md));
+ return ASN1_item_sign(ASN1_ITEM_rptr(X509_CINF), &x->cert_info.signature,
+ &x->sig_alg, &x->signature, &x->cert_info, pkey, md);
}
int X509_sign_ctx(X509 *x, EVP_MD_CTX *ctx)
@@ -90,8 +89,8 @@ X509 *X509_load_http(const char *url, BIO *bio, BIO *rbio, int timeout)
int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md)
{
- return (ASN1_item_sign(ASN1_ITEM_rptr(X509_REQ_INFO), &x->sig_alg, NULL,
- x->signature, &x->req_info, pkey, md));
+ return ASN1_item_sign(ASN1_ITEM_rptr(X509_REQ_INFO), &x->sig_alg, NULL,
+ x->signature, &x->req_info, pkey, md);
}
int X509_REQ_sign_ctx(X509_REQ *x, EVP_MD_CTX *ctx)
@@ -104,8 +103,8 @@ int X509_REQ_sign_ctx(X509_REQ *x, EVP_MD_CTX *ctx)
int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md)
{
x->crl.enc.modified = 1;
- return (ASN1_item_sign(ASN1_ITEM_rptr(X509_CRL_INFO), &x->crl.sig_alg,
- &x->sig_alg, &x->signature, &x->crl, pkey, md));
+ return ASN1_item_sign(ASN1_ITEM_rptr(X509_CRL_INFO), &x->crl.sig_alg,
+ &x->sig_alg, &x->signature, &x->crl, pkey, md);
}
int X509_CRL_sign_ctx(X509_CRL *x, EVP_MD_CTX *ctx)
@@ -124,8 +123,8 @@ X509_CRL *X509_CRL_load_http(const char *url, BIO *bio, BIO *rbio, int timeout)
int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *x, EVP_PKEY *pkey, const EVP_MD *md)
{
- return (ASN1_item_sign(ASN1_ITEM_rptr(NETSCAPE_SPKAC), &x->sig_algor, NULL,
- x->signature, x->spkac, pkey, md));
+ return ASN1_item_sign(ASN1_ITEM_rptr(NETSCAPE_SPKAC), &x->sig_algor, NULL,
+ x->signature, x->spkac, pkey, md);
}
#ifndef OPENSSL_NO_STDIO
@@ -399,8 +398,8 @@ int X509_digest(const X509 *cert, const EVP_MD *md, unsigned char *data,
memcpy(data, cert->sha1_hash, sizeof(cert->sha1_hash));
return 1;
}
- return (ossl_asn1_item_digest_ex(ASN1_ITEM_rptr(X509), md, (char *)cert,
- data, len, cert->libctx, cert->propq));
+ return ossl_asn1_item_digest_ex(ASN1_ITEM_rptr(X509), md, (char *)cert,
+ data, len, cert->libctx, cert->propq);
}
/* calculate cert digest using the same hash algorithm as in its signature */
@@ -435,7 +434,9 @@ ASN1_OCTET_STRING *X509_digest_sig(const X509 *cert)
int X509_CRL_digest(const X509_CRL *data, const EVP_MD *type,
unsigned char *md, unsigned int *len)
{
- if (type == EVP_sha1() && (data->flags & EXFLAG_SET) != 0
+ if (type != NULL
+ && EVP_MD_is_a(type, SN_sha1)
+ && (data->flags & EXFLAG_SET) != 0
&& (data->flags & EXFLAG_NO_FINGERPRINT) == 0) {
/* Asking for SHA1; always computed in CRL d2i. */
if (len != NULL)
@@ -443,30 +444,30 @@ int X509_CRL_digest(const X509_CRL *data, const EVP_MD *type,
memcpy(md, data->sha1_hash, sizeof(data->sha1_hash));
return 1;
}
- return (ASN1_item_digest
- (ASN1_ITEM_rptr(X509_CRL), type, (char *)data, md, len));
+ return ossl_asn1_item_digest_ex(ASN1_ITEM_rptr(X509_CRL), type, (char *)data,
+ md, len, data->libctx, data->propq);
}
int X509_REQ_digest(const X509_REQ *data, const EVP_MD *type,
unsigned char *md, unsigned int *len)
{
- return (ASN1_item_digest
- (ASN1_ITEM_rptr(X509_REQ), type, (char *)data, md, len));
+ return ossl_asn1_item_digest_ex(ASN1_ITEM_rptr(X509_REQ), type, (char *)data,
+ md, len, data->libctx, data->propq);
}
int X509_NAME_digest(const X509_NAME *data, const EVP_MD *type,
unsigned char *md, unsigned int *len)
{
- return (ASN1_item_digest
- (ASN1_ITEM_rptr(X509_NAME), type, (char *)data, md, len));
+ return ASN1_item_digest(ASN1_ITEM_rptr(X509_NAME), type, (char *)data,
+ md, len);
}
int PKCS7_ISSUER_AND_SERIAL_digest(PKCS7_ISSUER_AND_SERIAL *data,
const EVP_MD *type, unsigned char *md,
unsigned int *len)
{
- return (ASN1_item_digest(ASN1_ITEM_rptr(PKCS7_ISSUER_AND_SERIAL), type,
- (char *)data, md, len));
+ return ASN1_item_digest(ASN1_ITEM_rptr(PKCS7_ISSUER_AND_SERIAL), type,
+ (char *)data, md, len);
}
#ifndef OPENSSL_NO_STDIO
diff --git a/crypto/x509/x_req.c b/crypto/x509/x_req.c
index e821ffdb78..2a48d8ccd9 100644
--- a/crypto/x509/x_req.c
+++ b/crypto/x509/x_req.c
@@ -61,6 +61,14 @@ static int req_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
case ASN1_OP_FREE_POST:
ASN1_OCTET_STRING_free(ret->distinguishing_id);
break;
+ case ASN1_OP_DUP_POST:
+ {
+ X509_REQ *old = exarg;
+
+ if (!ossl_x509_req_set0_libctx(ret, old->libctx, old->propq))
+ return 0;
+ }
+ break;
}
return 1;
@@ -98,3 +106,36 @@ ASN1_OCTET_STRING *X509_REQ_get0_distinguishing_id(X509_REQ *x)
{
return x->distinguishing_id;
}
+
+/*
+ * This should only be used if the X509_REQ object was embedded inside another
+ * asn1 object and it needs a libctx to operate.
+ * Use X509_REQ_new_ex() instead if possible.
+ */
+int ossl_x509_req_set0_libctx(X509_REQ *x, OSSL_LIB_CTX *libctx,
+ const char *propq)
+{
+ if (x != NULL) {
+ x->libctx = libctx;
+ OPENSSL_free(x->propq);
+ x->propq = NULL;
+ if (propq != NULL) {
+ x->propq = OPENSSL_strdup(propq);
+ if (x->propq == NULL)
+ return 0;
+ }
+ }
+ return 1;
+}
+
+X509_REQ *X509_REQ_new_ex(OSSL_LIB_CTX *libctx, const char *propq)
+{
+ X509_REQ *req = NULL;
+
+ req = (X509_REQ *)ASN1_item_new((X509_REQ_it()));
+ if (!ossl_x509_req_set0_libctx(req, libctx, propq)) {
+ X509_REQ_free(req);
+ req = NULL;
+ }
+ return req;
+}
diff --git a/doc/build.info b/doc/build.info
index 95627bed4d..8294725dd2 100644
--- a/doc/build.info
+++ b/doc/build.info
@@ -2502,6 +2502,10 @@ DEPEND[html/man3/SSL_write.html]=man3/SSL_write.pod
GENERATE[html/man3/SSL_write.html]=man3/SSL_write.pod
DEPEND[man/man3/SSL_write.3]=man3/SSL_write.pod
GENERATE[man/man3/SSL_write.3]=man3/SSL_write.pod
+DEPEND[html/man3/TS_RESP_CTX_new.html]=man3/TS_RESP_CTX_new.pod
+GENERATE[html/man3/TS_RESP_CTX_new.html]=man3/TS_RESP_CTX_new.pod
+DEPEND[man/man3/TS_RESP_CTX_new.3]=man3/TS_RESP_CTX_new.pod
+GENERATE[man/man3/TS_RESP_CTX_new.3]=man3/TS_RESP_CTX_new.pod
DEPEND[html/man3/TS_VERIFY_CTX_set_certs.html]=man3/TS_VERIFY_CTX_set_certs.pod
GENERATE[html/man3/TS_VERIFY_CTX_set_certs.html]=man3/TS_VERIFY_CTX_set_certs.pod
DEPEND[man/man3/TS_VERIFY_CTX_set_certs.3]=man3/TS_VERIFY_CTX_set_certs.pod
@@ -3263,6 +3267,7 @@ html/man3/SSL_shutdown.html \
html/man3/SSL_state_string.html \
html/man3/SSL_want.html \
html/man3/SSL_write.html \
+html/man3/TS_RESP_CTX_new.html \
html/man3/TS_VERIFY_CTX_set_certs.html \
html/man3/UI_STRING.html \
html/man3/UI_UTIL_read_pw.html \
@@ -3835,6 +3840,7 @@ man/man3/SSL_shutdown.3 \
man/man3/SSL_state_string.3 \
man/man3/SSL_want.3 \
man/man3/SSL_write.3 \
+man/man3/TS_RESP_CTX_new.3 \
man/man3/TS_VERIFY_CTX_set_certs.3 \
man/man3/UI_STRING.3 \
man/man3/UI_UTIL_read_pw.3 \
diff --git a/doc/man3/TS_RESP_CTX_new.pod b/doc/man3/TS_RESP_CTX_new.pod
new file mode 100644
index 0000000000..659946bf20
--- /dev/null
+++ b/doc/man3/TS_RESP_CTX_new.pod
@@ -0,0 +1,50 @@
+=pod
+
+=head1 NAME
+
+TS_RESP_CTX_new_ex, TS_RESP_CTX_new,
+TS_RESP_CTX_free - Timestamp response context object creation
+
+
+=head1 SYNOPSIS
+
+ #include <openssl/ts.h>
+
+ TS_RESP_CTX *TS_RESP_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq);
+ TS_RESP_CTX *TS_RESP_CTX_new(void);
+ void TS_RESP_CTX_free(TS_RESP_CTX *ctx);
+
+=head1 DESCRIPTION
+
+Creates a response context that can be used for generating responses.
+
+TS_RESP_CTX_new_ex() allocates and initializes a TS_RESP_CTX structure with a
+library context of I<libctx> and a property query of I<propq>.
+The library context and property query can be used to select which providers
+supply the fetched algorithms.
+
+TS_RESP_CTX_new() is similar to TS_RESP_CTX_new_ex() but sets the library context
+and property query to NULL. This results in the default (NULL) library context
+being used for any operations requiring algorithm fetches.
+
+TS_RESP_CTX_free() frees the B<TS_RESP_CTX> object I<ctx>.
+
+=head1 RETURN VALUES
+
+If the allocation fails, TS_RESP_CTX_new_ex() and TS_RESP_CTX_new() return NULL,
+otherwise it returns a pointer to the newly allocated structure.
+
+=head1 HISTORY
+
+The function TS_RESP_CTX_new_ex() was added in OpenSSL 3.0.
+
+=head1 COPYRIGHT
+
+Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
diff --git a/doc/man3/X509_dup.pod b/doc/man3/X509_dup.pod
index d3e164a6e0..5bf96bb575 100644
--- a/doc/man3/X509_dup.pod
+++ b/doc/man3/X509_dup.pod
@@ -288,6 +288,7 @@ X509_REQ_INFO_new,
X509_REQ_dup,
X509_REQ_free,
X509_REQ_new,
+X509_REQ_new_ex,
X509_REVOKED_dup,
X509_REVOKED_free,
X509_REVOKED_new,
diff --git a/include/crypto/x509.h b/include/crypto/x509.h
index 09b1fb15e3..3ff903541f 100644
--- a/include/crypto/x509.h
+++ b/include/crypto/x509.h
@@ -81,6 +81,8 @@ struct X509_req_st {
/* Set on live certificates for authentication purposes */
ASN1_OCTET_STRING *distinguishing_id;
+ OSSL_LIB_CTX *libctx;
+ char *propq;
};
struct X509_crl_info_st {
@@ -314,6 +316,8 @@ int ossl_x509_init_sig_info(X509 *x);
int ossl_x509_set0_libctx(X509 *x, OSSL_LIB_CTX *libctx, const char *propq);
int ossl_x509_crl_set0_libctx(X509_CRL *x, OSSL_LIB_CTX *libctx,
const char *propq);
+int ossl_x509_req_set0_libctx(X509_REQ *x, OSSL_LIB_CTX *libctx,
+ const char *propq);
int ossl_asn1_item_digest_ex(const ASN1_ITEM *it, const EVP_MD *type,
void *data, unsigned char *md, unsigned int *len,
OSSL_LIB_CTX *libctx, const char *propq);
diff --git a/include/openssl/ts.h b/include/openssl/ts.h
index e88ad44cfd..2269573dcf 100644
--- a/include/openssl/ts.h
+++ b/include/openssl/ts.h
@@ -266,6 +266,7 @@ typedef struct TS_resp_ctx TS_RESP_CTX;
/* Creates a response context that can be used for generating responses. */
TS_RESP_CTX *TS_RESP_CTX_new(void);
+TS_RESP_CTX *TS_RESP_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq);
void TS_RESP_CTX_free(TS_RESP_CTX *ctx);
/* This parameter must be set. */
diff --git a/include/openssl/x509.h.in b/include/openssl/x509.h.in
index 32aea0e0db..50d8712e41 100644
--- a/include/openssl/x509.h.in
+++ b/include/openssl/x509.h.in
@@ -579,6 +579,7 @@ void X509_SIG_getm(X509_SIG *sig, X509_ALGOR **palg,
DECLARE_ASN1_FUNCTIONS(X509_REQ_INFO)
DECLARE_ASN1_FUNCTIONS(X509_REQ)
+X509_REQ *X509_REQ_new_ex(OSSL_LIB_CTX *libctx, const char *propq);
DECLARE_ASN1_FUNCTIONS(X509_ATTRIBUTE)
X509_ATTRIBUTE *X509_ATTRIBUTE_create(int nid, int atrtype, void *value);
diff --git a/util/libcrypto.num b/util/libcrypto.num
index 523971f1f4..3fd52714bc 100644
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@@ -5328,3 +5328,5 @@ EVP_PKEY_derive_init_ex ? 3_0_0 EXIST::FUNCTION:
EVP_PKEY_print_public_fp ? 3_0_0 EXIST::FUNCTION:STDIO
EVP_PKEY_print_private_fp ? 3_0_0 EXIST::FUNCTION:STDIO
EVP_PKEY_print_params_fp ? 3_0_0 EXIST::FUNCTION:STDIO
+TS_RESP_CTX_new_ex ? 3_0_0 EXIST::FUNCTION:TS
+X509_REQ_new_ex ? 3_0_0 EXIST::FUNCTION:
More information about the openssl-commits
mailing list