[openssl] master update

tomas at openssl.org tomas at openssl.org
Mon Mar 22 14:40:18 UTC 2021


The branch master has been updated
       via  e72dbd8e13cbf5a16faaa6c911af5507593dd836 (commit)
      from  c781eb1c63c243cb64dbe3066a43dc172aaab3b8 (commit)


- Log -----------------------------------------------------------------
commit e72dbd8e13cbf5a16faaa6c911af5507593dd836
Author: Shane Lontis <shane.lontis at oracle.com>
Date:   Fri Mar 5 08:22:56 2021 +1000

    Fix usages of const EVP_MD.
    
    Partially fixes #13837
    
    Reviewed-by: Paul Dale <pauli at openssl.org>
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/14474)

-----------------------------------------------------------------------

Summary of changes:
 crypto/cms/cms_sd.c          |  2 +-
 crypto/ec/ecx_meth.c         | 22 +++++++++++++++++--
 crypto/ess/ess_lib.c         |  2 +-
 crypto/ts/ts_local.h         |  2 ++
 crypto/ts/ts_rsp_sign.c      | 37 ++++++++++++++++++++++++++------
 crypto/x509/x509_cmp.c       |  8 ++++++-
 crypto/x509/x509_req.c       |  2 +-
 crypto/x509/x_all.c          | 45 ++++++++++++++++++++-------------------
 crypto/x509/x_req.c          | 41 ++++++++++++++++++++++++++++++++++++
 doc/build.info               |  6 ++++++
 doc/man3/TS_RESP_CTX_new.pod | 50 ++++++++++++++++++++++++++++++++++++++++++++
 doc/man3/X509_dup.pod        |  1 +
 include/crypto/x509.h        |  4 ++++
 include/openssl/ts.h         |  1 +
 include/openssl/x509.h.in    |  1 +
 util/libcrypto.num           |  2 ++
 16 files changed, 192 insertions(+), 34 deletions(-)
 create mode 100644 doc/man3/TS_RESP_CTX_new.pod

diff --git a/crypto/cms/cms_sd.c b/crypto/cms/cms_sd.c
index a57943513e..c98d118f4b 100644
--- a/crypto/cms/cms_sd.c
+++ b/crypto/cms/cms_sd.c
@@ -372,7 +372,7 @@ CMS_SignerInfo *CMS_add1_signer(CMS_ContentInfo *cms,
             ESS_SIGNING_CERT_V2 *sc2 = NULL;
             int add_sc;
 
-            if (md == EVP_sha1() || md == NULL) {
+            if (md == NULL || EVP_MD_is_a(md, SN_sha1)) {
                 if ((sc = ossl_ess_signing_cert_new_init(signer,
                                                          NULL, 1)) == NULL)
                     goto err;
diff --git a/crypto/ec/ecx_meth.c b/crypto/ec/ecx_meth.c
index d476af0e3c..d68189036b 100644
--- a/crypto/ec/ecx_meth.c
+++ b/crypto/ec/ecx_meth.c
@@ -991,6 +991,8 @@ static int s390x_pkey_ecd_keygen25519(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
                                     ctx->propquery);
     unsigned char *privkey = NULL, *pubkey;
     unsigned int sz;
+    EVP_MD *md = NULL;
+    int rv;
 
     if (key == NULL) {
         ERR_raise(ERR_LIB_EC, ERR_R_MALLOC_FAILURE);
@@ -1008,7 +1010,13 @@ static int s390x_pkey_ecd_keygen25519(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
     if (RAND_priv_bytes_ex(ctx->libctx, privkey, ED25519_KEYLEN) <= 0)
         goto err;
 
-    if (!EVP_Digest(privkey, 32, buff, &sz, EVP_sha512(), NULL))
+    md = EVP_MD_fetch(ctx->libctx, "SHA512", ctx->propquery);
+    if (md == NULL)
+        goto err;
+
+    rv = EVP_Digest(privkey, 32, buff, &sz, md, NULL);
+    EVP_MD_free(md);
+    if (!rv)
         goto err;
 
     buff[0] &= 248;
@@ -1049,6 +1057,8 @@ static int s390x_pkey_ecd_keygen448(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
                                     ctx->propquery);
     unsigned char *privkey = NULL, *pubkey;
     EVP_MD_CTX *hashctx = NULL;
+    EVP_MD *md = NULL;
+    int rv;
 
     if (key == NULL) {
         ERR_raise(ERR_LIB_EC, ERR_R_MALLOC_FAILURE);
@@ -1069,8 +1079,16 @@ static int s390x_pkey_ecd_keygen448(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
     hashctx = EVP_MD_CTX_new();
     if (hashctx == NULL)
         goto err;
-    if (EVP_DigestInit_ex(hashctx, EVP_shake256(), NULL) != 1)
+
+    md = EVP_MD_fetch(ctx->libctx, "SHAKE256", ctx->propquery);
+    if (md == NULL)
+        goto err;
+
+    rv = EVP_DigestInit_ex(hashctx, md, NULL);
+    EVP_MD_free(md);
+    if (rv != 1)
         goto err;
+
     if (EVP_DigestUpdate(hashctx, privkey, 57) != 1)
         goto err;
     if (EVP_DigestFinalXOF(hashctx, buff, sizeof(buff)) != 1)
diff --git a/crypto/ess/ess_lib.c b/crypto/ess/ess_lib.c
index ebc76cb79c..96cb6d053f 100644
--- a/crypto/ess/ess_lib.c
+++ b/crypto/ess/ess_lib.c
@@ -145,7 +145,7 @@ static ESS_CERT_ID_V2 *ESS_CERT_ID_V2_new_init(const EVP_MD *hash_alg,
     if ((cid = ESS_CERT_ID_V2_new()) == NULL)
         goto err;
 
-    if (hash_alg != EVP_sha256()) {
+    if (!EVP_MD_is_a(hash_alg, SN_sha256)) {
         alg = X509_ALGOR_new();
         if (alg == NULL)
             goto err;
diff --git a/crypto/ts/ts_local.h b/crypto/ts/ts_local.h
index 320173376a..99a420dddf 100644
--- a/crypto/ts/ts_local.h
+++ b/crypto/ts/ts_local.h
@@ -124,6 +124,8 @@ struct TS_resp_ctx {
     TS_REQ *request;
     TS_RESP *response;
     TS_TST_INFO *tst_info;
+    OSSL_LIB_CTX *libctx;
+    char *propq;
 };
 
 struct TS_verify_ctx {
diff --git a/crypto/ts/ts_rsp_sign.c b/crypto/ts/ts_rsp_sign.c
index 0bbe0e2b6c..e29420232f 100644
--- a/crypto/ts/ts_rsp_sign.c
+++ b/crypto/ts/ts_rsp_sign.c
@@ -108,7 +108,7 @@ static int def_extension_cb(struct TS_resp_ctx *ctx, X509_EXTENSION *ext,
 
 /* TS_RESP_CTX management functions. */
 
-TS_RESP_CTX *TS_RESP_CTX_new(void)
+TS_RESP_CTX *TS_RESP_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq)
 {
     TS_RESP_CTX *ctx;
 
@@ -117,8 +117,15 @@ TS_RESP_CTX *TS_RESP_CTX_new(void)
         return NULL;
     }
 
-    ctx->signer_md = EVP_sha256();
-
+    if (propq != NULL) {
+        ctx->propq = OPENSSL_strdup(propq);
+        if (ctx->propq == NULL) {
+            OPENSSL_free(ctx);
+            ERR_raise(ERR_LIB_TS, ERR_R_MALLOC_FAILURE);
+            return NULL;
+        }
+    }
+    ctx->libctx = libctx;
     ctx->serial_cb = def_serial_cb;
     ctx->time_cb = def_time_cb;
     ctx->extension_cb = def_extension_cb;
@@ -126,11 +133,17 @@ TS_RESP_CTX *TS_RESP_CTX_new(void)
     return ctx;
 }
 
+TS_RESP_CTX *TS_RESP_CTX_new(void)
+{
+    return TS_RESP_CTX_new_ex(NULL, NULL);
+}
+
 void TS_RESP_CTX_free(TS_RESP_CTX *ctx)
 {
     if (!ctx)
         return;
 
+    OPENSSL_free(ctx->propq);
     X509_free(ctx->signer_cert);
     EVP_PKEY_free(ctx->signer_key);
     sk_X509_pop_free(ctx->certs, X509_free);
@@ -623,13 +636,14 @@ static int ts_RESP_sign(TS_RESP_CTX *ctx)
     ASN1_OBJECT *oid;
     BIO *p7bio = NULL;
     int i;
+    EVP_MD *signer_md = NULL;
 
     if (!X509_check_private_key(ctx->signer_cert, ctx->signer_key)) {
         ERR_raise(ERR_LIB_TS, TS_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
         goto err;
     }
 
-    if ((p7 = PKCS7_new()) == NULL) {
+    if ((p7 = PKCS7_new_ex(ctx->libctx, ctx->propq)) == NULL) {
         ERR_raise(ERR_LIB_TS, ERR_R_MALLOC_FAILURE);
         goto err;
     }
@@ -648,8 +662,16 @@ static int ts_RESP_sign(TS_RESP_CTX *ctx)
         }
     }
 
+    if (ctx->signer_md == NULL)
+        signer_md = EVP_MD_fetch(ctx->libctx, "SHA256", ctx->propq);
+    else if (EVP_MD_provider(ctx->signer_md) == NULL)
+        signer_md = EVP_MD_fetch(ctx->libctx, EVP_MD_name(ctx->signer_md),
+                                 ctx->propq);
+    else
+        signer_md = (EVP_MD *)ctx->signer_md;
+
     if ((si = PKCS7_add_signature(p7, ctx->signer_cert,
-                                  ctx->signer_key, ctx->signer_md)) == NULL) {
+                                  ctx->signer_key, signer_md)) == NULL) {
         ERR_raise(ERR_LIB_TS, TS_R_PKCS7_ADD_SIGNATURE_ERROR);
         goto err;
     }
@@ -663,7 +685,7 @@ static int ts_RESP_sign(TS_RESP_CTX *ctx)
 
     certs = ctx->flags & TS_ESS_CERT_ID_CHAIN ? ctx->certs : NULL;
     if (ctx->ess_cert_id_digest == NULL
-        || ctx->ess_cert_id_digest == EVP_sha1()) {
+        || EVP_MD_is_a(ctx->ess_cert_id_digest, SN_sha1)) {
         if ((sc = ossl_ess_signing_cert_new_init(ctx->signer_cert,
                                                  certs, 0)) == NULL)
             goto err;
@@ -704,6 +726,9 @@ static int ts_RESP_sign(TS_RESP_CTX *ctx)
 
     ret = 1;
  err:
+    if (signer_md != ctx->signer_md)
+        EVP_MD_free(signer_md);
+
     if (!ret)
         TS_RESP_CTX_set_status_info_cond(ctx, TS_STATUS_REJECTION,
                                          "Error during signature "
diff --git a/crypto/x509/x509_cmp.c b/crypto/x509/x509_cmp.c
index 3ced70b21f..51dc24b6fb 100644
--- a/crypto/x509/x509_cmp.c
+++ b/crypto/x509/x509_cmp.c
@@ -40,13 +40,18 @@ unsigned long X509_issuer_and_serial_hash(X509 *a)
     EVP_MD_CTX *ctx = EVP_MD_CTX_new();
     unsigned char md[16];
     char *f;
+    EVP_MD *digest = NULL;
 
     if (ctx == NULL)
         goto err;
     f = X509_NAME_oneline(a->cert_info.issuer, NULL, 0);
     if (f == NULL)
         goto err;
-    if (!EVP_DigestInit_ex(ctx, EVP_md5(), NULL))
+    digest = EVP_MD_fetch(a->libctx, SN_md5, a->propq);
+    if (digest == NULL)
+        goto err;
+
+    if (!EVP_DigestInit_ex(ctx, digest, NULL))
         goto err;
     if (!EVP_DigestUpdate(ctx, (unsigned char *)f, strlen(f)))
         goto err;
@@ -61,6 +66,7 @@ unsigned long X509_issuer_and_serial_hash(X509 *a)
            ((unsigned long)md[2] << 16L) | ((unsigned long)md[3] << 24L)
         ) & 0xffffffffL;
  err:
+    EVP_MD_free(digest);
     EVP_MD_CTX_free(ctx);
     return ret;
 }
diff --git a/crypto/x509/x509_req.c b/crypto/x509/x509_req.c
index 29dec4e657..e3f5c2add1 100644
--- a/crypto/x509/x509_req.c
+++ b/crypto/x509/x509_req.c
@@ -26,7 +26,7 @@ X509_REQ *X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, const EVP_MD *md)
     int i;
     EVP_PKEY *pktmp;
 
-    ret = X509_REQ_new();
+    ret = X509_REQ_new_ex(x->libctx, x->propq);
     if (ret == NULL) {
         ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE);
         goto err;
diff --git a/crypto/x509/x_all.c b/crypto/x509/x_all.c
index d21b0799f6..c5e0c0b1ec 100644
--- a/crypto/x509/x_all.c
+++ b/crypto/x509/x_all.c
@@ -52,16 +52,15 @@ int X509_REQ_verify(X509_REQ *a, EVP_PKEY *r)
 
 int NETSCAPE_SPKI_verify(NETSCAPE_SPKI *a, EVP_PKEY *r)
 {
-    return (ASN1_item_verify(ASN1_ITEM_rptr(NETSCAPE_SPKAC),
-                             &a->sig_algor, a->signature, a->spkac, r));
+    return ASN1_item_verify(ASN1_ITEM_rptr(NETSCAPE_SPKAC),
+                            &a->sig_algor, a->signature, a->spkac, r);
 }
 
 int X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md)
 {
     x->cert_info.enc.modified = 1;
-    return (ASN1_item_sign(ASN1_ITEM_rptr(X509_CINF), &x->cert_info.signature,
-                           &x->sig_alg, &x->signature, &x->cert_info, pkey,
-                           md));
+    return ASN1_item_sign(ASN1_ITEM_rptr(X509_CINF), &x->cert_info.signature,
+                          &x->sig_alg, &x->signature, &x->cert_info, pkey, md);
 }
 
 int X509_sign_ctx(X509 *x, EVP_MD_CTX *ctx)
@@ -90,8 +89,8 @@ X509 *X509_load_http(const char *url, BIO *bio, BIO *rbio, int timeout)
 
 int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md)
 {
-    return (ASN1_item_sign(ASN1_ITEM_rptr(X509_REQ_INFO), &x->sig_alg, NULL,
-                           x->signature, &x->req_info, pkey, md));
+    return ASN1_item_sign(ASN1_ITEM_rptr(X509_REQ_INFO), &x->sig_alg, NULL,
+                          x->signature, &x->req_info, pkey, md);
 }
 
 int X509_REQ_sign_ctx(X509_REQ *x, EVP_MD_CTX *ctx)
@@ -104,8 +103,8 @@ int X509_REQ_sign_ctx(X509_REQ *x, EVP_MD_CTX *ctx)
 int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md)
 {
     x->crl.enc.modified = 1;
-    return (ASN1_item_sign(ASN1_ITEM_rptr(X509_CRL_INFO), &x->crl.sig_alg,
-                           &x->sig_alg, &x->signature, &x->crl, pkey, md));
+    return ASN1_item_sign(ASN1_ITEM_rptr(X509_CRL_INFO), &x->crl.sig_alg,
+                          &x->sig_alg, &x->signature, &x->crl, pkey, md);
 }
 
 int X509_CRL_sign_ctx(X509_CRL *x, EVP_MD_CTX *ctx)
@@ -124,8 +123,8 @@ X509_CRL *X509_CRL_load_http(const char *url, BIO *bio, BIO *rbio, int timeout)
 
 int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *x, EVP_PKEY *pkey, const EVP_MD *md)
 {
-    return (ASN1_item_sign(ASN1_ITEM_rptr(NETSCAPE_SPKAC), &x->sig_algor, NULL,
-                           x->signature, x->spkac, pkey, md));
+    return ASN1_item_sign(ASN1_ITEM_rptr(NETSCAPE_SPKAC), &x->sig_algor, NULL,
+                          x->signature, x->spkac, pkey, md);
 }
 
 #ifndef OPENSSL_NO_STDIO
@@ -399,8 +398,8 @@ int X509_digest(const X509 *cert, const EVP_MD *md, unsigned char *data,
         memcpy(data, cert->sha1_hash, sizeof(cert->sha1_hash));
         return 1;
     }
-    return (ossl_asn1_item_digest_ex(ASN1_ITEM_rptr(X509), md, (char *)cert,
-                                     data, len, cert->libctx, cert->propq));
+    return ossl_asn1_item_digest_ex(ASN1_ITEM_rptr(X509), md, (char *)cert,
+                                    data, len, cert->libctx, cert->propq);
 }
 
 /* calculate cert digest using the same hash algorithm as in its signature */
@@ -435,7 +434,9 @@ ASN1_OCTET_STRING *X509_digest_sig(const X509 *cert)
 int X509_CRL_digest(const X509_CRL *data, const EVP_MD *type,
                     unsigned char *md, unsigned int *len)
 {
-    if (type == EVP_sha1() && (data->flags & EXFLAG_SET) != 0
+    if (type != NULL
+            && EVP_MD_is_a(type, SN_sha1)
+            && (data->flags & EXFLAG_SET) != 0
             && (data->flags & EXFLAG_NO_FINGERPRINT) == 0) {
         /* Asking for SHA1; always computed in CRL d2i. */
         if (len != NULL)
@@ -443,30 +444,30 @@ int X509_CRL_digest(const X509_CRL *data, const EVP_MD *type,
         memcpy(md, data->sha1_hash, sizeof(data->sha1_hash));
         return 1;
     }
-    return (ASN1_item_digest
-            (ASN1_ITEM_rptr(X509_CRL), type, (char *)data, md, len));
+    return ossl_asn1_item_digest_ex(ASN1_ITEM_rptr(X509_CRL), type, (char *)data,
+                                    md, len, data->libctx, data->propq);
 }
 
 int X509_REQ_digest(const X509_REQ *data, const EVP_MD *type,
                     unsigned char *md, unsigned int *len)
 {
-    return (ASN1_item_digest
-            (ASN1_ITEM_rptr(X509_REQ), type, (char *)data, md, len));
+    return ossl_asn1_item_digest_ex(ASN1_ITEM_rptr(X509_REQ), type, (char *)data,
+                                    md, len, data->libctx, data->propq);
 }
 
 int X509_NAME_digest(const X509_NAME *data, const EVP_MD *type,
                      unsigned char *md, unsigned int *len)
 {
-    return (ASN1_item_digest
-            (ASN1_ITEM_rptr(X509_NAME), type, (char *)data, md, len));
+    return ASN1_item_digest(ASN1_ITEM_rptr(X509_NAME), type, (char *)data,
+                            md, len);
 }
 
 int PKCS7_ISSUER_AND_SERIAL_digest(PKCS7_ISSUER_AND_SERIAL *data,
                                    const EVP_MD *type, unsigned char *md,
                                    unsigned int *len)
 {
-    return (ASN1_item_digest(ASN1_ITEM_rptr(PKCS7_ISSUER_AND_SERIAL), type,
-                             (char *)data, md, len));
+    return ASN1_item_digest(ASN1_ITEM_rptr(PKCS7_ISSUER_AND_SERIAL), type,
+                            (char *)data, md, len);
 }
 
 #ifndef OPENSSL_NO_STDIO
diff --git a/crypto/x509/x_req.c b/crypto/x509/x_req.c
index e821ffdb78..2a48d8ccd9 100644
--- a/crypto/x509/x_req.c
+++ b/crypto/x509/x_req.c
@@ -61,6 +61,14 @@ static int req_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
     case ASN1_OP_FREE_POST:
         ASN1_OCTET_STRING_free(ret->distinguishing_id);
         break;
+    case ASN1_OP_DUP_POST:
+        {
+            X509_REQ *old = exarg;
+
+            if (!ossl_x509_req_set0_libctx(ret, old->libctx, old->propq))
+                return 0;
+        }
+        break;
     }
 
     return 1;
@@ -98,3 +106,36 @@ ASN1_OCTET_STRING *X509_REQ_get0_distinguishing_id(X509_REQ *x)
 {
     return x->distinguishing_id;
 }
+
+/*
+ * This should only be used if the X509_REQ object was embedded inside another
+ * asn1 object and it needs a libctx to operate.
+ * Use X509_REQ_new_ex() instead if possible.
+ */
+int ossl_x509_req_set0_libctx(X509_REQ *x, OSSL_LIB_CTX *libctx,
+                              const char *propq)
+{
+    if (x != NULL) {
+        x->libctx = libctx;
+        OPENSSL_free(x->propq);
+        x->propq = NULL;
+        if (propq != NULL) {
+            x->propq = OPENSSL_strdup(propq);
+            if (x->propq == NULL)
+                return 0;
+        }
+    }
+    return 1;
+}
+
+X509_REQ *X509_REQ_new_ex(OSSL_LIB_CTX *libctx, const char *propq)
+{
+    X509_REQ *req = NULL;
+
+    req = (X509_REQ *)ASN1_item_new((X509_REQ_it()));
+    if (!ossl_x509_req_set0_libctx(req, libctx, propq)) {
+        X509_REQ_free(req);
+        req = NULL;
+    }
+    return req;
+}
diff --git a/doc/build.info b/doc/build.info
index 95627bed4d..8294725dd2 100644
--- a/doc/build.info
+++ b/doc/build.info
@@ -2502,6 +2502,10 @@ DEPEND[html/man3/SSL_write.html]=man3/SSL_write.pod
 GENERATE[html/man3/SSL_write.html]=man3/SSL_write.pod
 DEPEND[man/man3/SSL_write.3]=man3/SSL_write.pod
 GENERATE[man/man3/SSL_write.3]=man3/SSL_write.pod
+DEPEND[html/man3/TS_RESP_CTX_new.html]=man3/TS_RESP_CTX_new.pod
+GENERATE[html/man3/TS_RESP_CTX_new.html]=man3/TS_RESP_CTX_new.pod
+DEPEND[man/man3/TS_RESP_CTX_new.3]=man3/TS_RESP_CTX_new.pod
+GENERATE[man/man3/TS_RESP_CTX_new.3]=man3/TS_RESP_CTX_new.pod
 DEPEND[html/man3/TS_VERIFY_CTX_set_certs.html]=man3/TS_VERIFY_CTX_set_certs.pod
 GENERATE[html/man3/TS_VERIFY_CTX_set_certs.html]=man3/TS_VERIFY_CTX_set_certs.pod
 DEPEND[man/man3/TS_VERIFY_CTX_set_certs.3]=man3/TS_VERIFY_CTX_set_certs.pod
@@ -3263,6 +3267,7 @@ html/man3/SSL_shutdown.html \
 html/man3/SSL_state_string.html \
 html/man3/SSL_want.html \
 html/man3/SSL_write.html \
+html/man3/TS_RESP_CTX_new.html \
 html/man3/TS_VERIFY_CTX_set_certs.html \
 html/man3/UI_STRING.html \
 html/man3/UI_UTIL_read_pw.html \
@@ -3835,6 +3840,7 @@ man/man3/SSL_shutdown.3 \
 man/man3/SSL_state_string.3 \
 man/man3/SSL_want.3 \
 man/man3/SSL_write.3 \
+man/man3/TS_RESP_CTX_new.3 \
 man/man3/TS_VERIFY_CTX_set_certs.3 \
 man/man3/UI_STRING.3 \
 man/man3/UI_UTIL_read_pw.3 \
diff --git a/doc/man3/TS_RESP_CTX_new.pod b/doc/man3/TS_RESP_CTX_new.pod
new file mode 100644
index 0000000000..659946bf20
--- /dev/null
+++ b/doc/man3/TS_RESP_CTX_new.pod
@@ -0,0 +1,50 @@
+=pod
+
+=head1 NAME
+
+TS_RESP_CTX_new_ex, TS_RESP_CTX_new,
+TS_RESP_CTX_free - Timestamp response context object creation
+
+
+=head1 SYNOPSIS
+
+ #include <openssl/ts.h>
+
+ TS_RESP_CTX *TS_RESP_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq);
+ TS_RESP_CTX *TS_RESP_CTX_new(void);
+ void TS_RESP_CTX_free(TS_RESP_CTX *ctx);
+
+=head1 DESCRIPTION
+
+Creates a response context that can be used for generating responses.
+
+TS_RESP_CTX_new_ex() allocates and initializes a TS_RESP_CTX structure with a
+library context of I<libctx> and a property query of I<propq>.
+The library context and property query can be used to select which providers
+supply the fetched algorithms.
+
+TS_RESP_CTX_new() is similar to TS_RESP_CTX_new_ex() but sets the library context
+and property query to NULL. This results in the default (NULL) library context
+being used for any operations requiring algorithm fetches.
+
+TS_RESP_CTX_free() frees the B<TS_RESP_CTX> object I<ctx>.
+
+=head1 RETURN VALUES
+
+If the allocation fails, TS_RESP_CTX_new_ex() and TS_RESP_CTX_new() return NULL,
+otherwise it returns a pointer to the newly allocated structure.
+
+=head1 HISTORY
+
+The function TS_RESP_CTX_new_ex() was added in OpenSSL 3.0.
+
+=head1 COPYRIGHT
+
+Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License").  You may not use
+this file except in compliance with the License.  You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
diff --git a/doc/man3/X509_dup.pod b/doc/man3/X509_dup.pod
index d3e164a6e0..5bf96bb575 100644
--- a/doc/man3/X509_dup.pod
+++ b/doc/man3/X509_dup.pod
@@ -288,6 +288,7 @@ X509_REQ_INFO_new,
 X509_REQ_dup,
 X509_REQ_free,
 X509_REQ_new,
+X509_REQ_new_ex,
 X509_REVOKED_dup,
 X509_REVOKED_free,
 X509_REVOKED_new,
diff --git a/include/crypto/x509.h b/include/crypto/x509.h
index 09b1fb15e3..3ff903541f 100644
--- a/include/crypto/x509.h
+++ b/include/crypto/x509.h
@@ -81,6 +81,8 @@ struct X509_req_st {
 
     /* Set on live certificates for authentication purposes */
     ASN1_OCTET_STRING *distinguishing_id;
+    OSSL_LIB_CTX *libctx;
+    char *propq;
 };
 
 struct X509_crl_info_st {
@@ -314,6 +316,8 @@ int ossl_x509_init_sig_info(X509 *x);
 int ossl_x509_set0_libctx(X509 *x, OSSL_LIB_CTX *libctx, const char *propq);
 int ossl_x509_crl_set0_libctx(X509_CRL *x, OSSL_LIB_CTX *libctx,
                               const char *propq);
+int ossl_x509_req_set0_libctx(X509_REQ *x, OSSL_LIB_CTX *libctx,
+                              const char *propq);
 int ossl_asn1_item_digest_ex(const ASN1_ITEM *it, const EVP_MD *type,
                              void *data, unsigned char *md, unsigned int *len,
                              OSSL_LIB_CTX *libctx, const char *propq);
diff --git a/include/openssl/ts.h b/include/openssl/ts.h
index e88ad44cfd..2269573dcf 100644
--- a/include/openssl/ts.h
+++ b/include/openssl/ts.h
@@ -266,6 +266,7 @@ typedef struct TS_resp_ctx TS_RESP_CTX;
 
 /* Creates a response context that can be used for generating responses. */
 TS_RESP_CTX *TS_RESP_CTX_new(void);
+TS_RESP_CTX *TS_RESP_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq);
 void TS_RESP_CTX_free(TS_RESP_CTX *ctx);
 
 /* This parameter must be set. */
diff --git a/include/openssl/x509.h.in b/include/openssl/x509.h.in
index 32aea0e0db..50d8712e41 100644
--- a/include/openssl/x509.h.in
+++ b/include/openssl/x509.h.in
@@ -579,6 +579,7 @@ void X509_SIG_getm(X509_SIG *sig, X509_ALGOR **palg,
 
 DECLARE_ASN1_FUNCTIONS(X509_REQ_INFO)
 DECLARE_ASN1_FUNCTIONS(X509_REQ)
+X509_REQ *X509_REQ_new_ex(OSSL_LIB_CTX *libctx, const char *propq);
 
 DECLARE_ASN1_FUNCTIONS(X509_ATTRIBUTE)
 X509_ATTRIBUTE *X509_ATTRIBUTE_create(int nid, int atrtype, void *value);
diff --git a/util/libcrypto.num b/util/libcrypto.num
index 523971f1f4..3fd52714bc 100644
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@@ -5328,3 +5328,5 @@ EVP_PKEY_derive_init_ex                 ?	3_0_0	EXIST::FUNCTION:
 EVP_PKEY_print_public_fp                ?	3_0_0	EXIST::FUNCTION:STDIO
 EVP_PKEY_print_private_fp               ?	3_0_0	EXIST::FUNCTION:STDIO
 EVP_PKEY_print_params_fp                ?	3_0_0	EXIST::FUNCTION:STDIO
+TS_RESP_CTX_new_ex                      ?	3_0_0	EXIST::FUNCTION:TS
+X509_REQ_new_ex                         ?	3_0_0	EXIST::FUNCTION:


More information about the openssl-commits mailing list