[openssl] master update

tomas at openssl.org tomas at openssl.org
Thu May 13 11:19:56 UTC 2021


The branch master has been updated
       via  e9fe0f7e9df7e0909ca52a024b889e48616a29d9 (commit)
       via  3c39bd9b89198c6b3834c369c7da6f582788f645 (commit)
      from  a3c86ce9e8923bb7e5ba3e69eae17aac04dbc76d (commit)


- Log -----------------------------------------------------------------
commit e9fe0f7e9df7e0909ca52a024b889e48616a29d9
Author: Tomas Mraz <tomas at openssl.org>
Date:   Fri May 7 17:44:26 2021 +0200

    Replace EVP_PKEY_supports_digest_nid
    
    The EVP_PKEY_supports_digest_nid() is renamed to
    EVP_PKEY_digestsign_supports_digest() and implemented
    via EVP_DigestSignInit_ex().
    
    Fixes #14343
    
    Reviewed-by: Paul Dale <pauli at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/15198)

commit 3c39bd9b89198c6b3834c369c7da6f582788f645
Author: Tomas Mraz <tomas at openssl.org>
Date:   Fri May 7 16:56:34 2021 +0200

    Drop ASN1_PKEY_CTRL_SUPPORTS_MD_NID
    
    This is a legacy ASN1_PKEY_CTRL that was added after
    1.1.1 and is not needed.
    
    Reviewed-by: Paul Dale <pauli at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/15198)

-----------------------------------------------------------------------

Summary of changes:
 crypto/evp/p_lib.c                               | 28 ++++++-------
 doc/build.info                                   | 12 +++---
 doc/man3/EVP_PKEY_ASN1_METHOD.pod                |  1 -
 doc/man3/EVP_PKEY_digestsign_supports_digest.pod | 44 ++++++++++++++++++++
 doc/man3/EVP_PKEY_get_default_digest_nid.pod     |  2 +-
 doc/man3/EVP_PKEY_supports_digest_nid.pod        | 53 ------------------------
 include/openssl/evp.h                            |  6 +--
 ssl/t1_lib.c                                     | 13 +++---
 util/libcrypto.num                               |  2 +-
 9 files changed, 76 insertions(+), 85 deletions(-)
 create mode 100644 doc/man3/EVP_PKEY_digestsign_supports_digest.pod
 delete mode 100644 doc/man3/EVP_PKEY_supports_digest_nid.pod

diff --git a/crypto/evp/p_lib.c b/crypto/evp/p_lib.c
index 5cfc7405f3..6a8dc9bbbb 100644
--- a/crypto/evp/p_lib.c
+++ b/crypto/evp/p_lib.c
@@ -1335,23 +1335,21 @@ int EVP_PKEY_get_group_name(const EVP_PKEY *pkey, char *gname, size_t gname_sz,
                                           gname, gname_sz, gname_len);
 }
 
-int EVP_PKEY_supports_digest_nid(EVP_PKEY *pkey, int nid)
+int EVP_PKEY_digestsign_supports_digest(EVP_PKEY *pkey, OSSL_LIB_CTX *libctx,
+                                        const char *name, const char *propq)
 {
-    int rv, default_nid;
+    int rv;
+    EVP_MD_CTX *ctx = NULL;
 
-    rv = evp_pkey_asn1_ctrl(pkey, ASN1_PKEY_CTRL_SUPPORTS_MD_NID, nid, NULL);
-    if (rv == -2) {
-        /*
-         * If there is a mandatory default digest and this isn't it, then
-         * the answer is 'no'.
-         */
-        rv = EVP_PKEY_get_default_digest_nid(pkey, &default_nid);
-        if (rv == 2)
-            return (nid == default_nid);
-        /* zero is an error from EVP_PKEY_get_default_digest_nid() */
-        if (rv == 0)
-            return -1;
-    }
+    if ((ctx = EVP_MD_CTX_new()) == NULL)
+        return -1;
+
+    ERR_set_mark();
+    rv = EVP_DigestSignInit_ex(ctx, NULL, name, libctx,
+                               propq, pkey, NULL);
+    ERR_pop_to_mark();
+
+    EVP_MD_CTX_free(ctx);
     return rv;
 }
 
diff --git a/doc/build.info b/doc/build.info
index af0e0e0539..02882af91e 100644
--- a/doc/build.info
+++ b/doc/build.info
@@ -1198,6 +1198,10 @@ DEPEND[html/man3/EVP_PKEY_derive.html]=man3/EVP_PKEY_derive.pod
 GENERATE[html/man3/EVP_PKEY_derive.html]=man3/EVP_PKEY_derive.pod
 DEPEND[man/man3/EVP_PKEY_derive.3]=man3/EVP_PKEY_derive.pod
 GENERATE[man/man3/EVP_PKEY_derive.3]=man3/EVP_PKEY_derive.pod
+DEPEND[html/man3/EVP_PKEY_digestsign_supports_digest.html]=man3/EVP_PKEY_digestsign_supports_digest.pod
+GENERATE[html/man3/EVP_PKEY_digestsign_supports_digest.html]=man3/EVP_PKEY_digestsign_supports_digest.pod
+DEPEND[man/man3/EVP_PKEY_digestsign_supports_digest.3]=man3/EVP_PKEY_digestsign_supports_digest.pod
+GENERATE[man/man3/EVP_PKEY_digestsign_supports_digest.3]=man3/EVP_PKEY_digestsign_supports_digest.pod
 DEPEND[html/man3/EVP_PKEY_encapsulate.html]=man3/EVP_PKEY_encapsulate.pod
 GENERATE[html/man3/EVP_PKEY_encapsulate.html]=man3/EVP_PKEY_encapsulate.pod
 DEPEND[man/man3/EVP_PKEY_encapsulate.3]=man3/EVP_PKEY_encapsulate.pod
@@ -1274,10 +1278,6 @@ DEPEND[html/man3/EVP_PKEY_size.html]=man3/EVP_PKEY_size.pod
 GENERATE[html/man3/EVP_PKEY_size.html]=man3/EVP_PKEY_size.pod
 DEPEND[man/man3/EVP_PKEY_size.3]=man3/EVP_PKEY_size.pod
 GENERATE[man/man3/EVP_PKEY_size.3]=man3/EVP_PKEY_size.pod
-DEPEND[html/man3/EVP_PKEY_supports_digest_nid.html]=man3/EVP_PKEY_supports_digest_nid.pod
-GENERATE[html/man3/EVP_PKEY_supports_digest_nid.html]=man3/EVP_PKEY_supports_digest_nid.pod
-DEPEND[man/man3/EVP_PKEY_supports_digest_nid.3]=man3/EVP_PKEY_supports_digest_nid.pod
-GENERATE[man/man3/EVP_PKEY_supports_digest_nid.3]=man3/EVP_PKEY_supports_digest_nid.pod
 DEPEND[html/man3/EVP_PKEY_todata.html]=man3/EVP_PKEY_todata.pod
 GENERATE[html/man3/EVP_PKEY_todata.html]=man3/EVP_PKEY_todata.pod
 DEPEND[man/man3/EVP_PKEY_todata.3]=man3/EVP_PKEY_todata.pod
@@ -3001,6 +3001,7 @@ html/man3/EVP_PKEY_copy_parameters.html \
 html/man3/EVP_PKEY_decapsulate.html \
 html/man3/EVP_PKEY_decrypt.html \
 html/man3/EVP_PKEY_derive.html \
+html/man3/EVP_PKEY_digestsign_supports_digest.html \
 html/man3/EVP_PKEY_encapsulate.html \
 html/man3/EVP_PKEY_encrypt.html \
 html/man3/EVP_PKEY_fromdata.html \
@@ -3020,7 +3021,6 @@ html/man3/EVP_PKEY_set_type.html \
 html/man3/EVP_PKEY_settable_params.html \
 html/man3/EVP_PKEY_sign.html \
 html/man3/EVP_PKEY_size.html \
-html/man3/EVP_PKEY_supports_digest_nid.html \
 html/man3/EVP_PKEY_todata.html \
 html/man3/EVP_PKEY_verify.html \
 html/man3/EVP_PKEY_verify_recover.html \
@@ -3589,6 +3589,7 @@ man/man3/EVP_PKEY_copy_parameters.3 \
 man/man3/EVP_PKEY_decapsulate.3 \
 man/man3/EVP_PKEY_decrypt.3 \
 man/man3/EVP_PKEY_derive.3 \
+man/man3/EVP_PKEY_digestsign_supports_digest.3 \
 man/man3/EVP_PKEY_encapsulate.3 \
 man/man3/EVP_PKEY_encrypt.3 \
 man/man3/EVP_PKEY_fromdata.3 \
@@ -3608,7 +3609,6 @@ man/man3/EVP_PKEY_set_type.3 \
 man/man3/EVP_PKEY_settable_params.3 \
 man/man3/EVP_PKEY_sign.3 \
 man/man3/EVP_PKEY_size.3 \
-man/man3/EVP_PKEY_supports_digest_nid.3 \
 man/man3/EVP_PKEY_todata.3 \
 man/man3/EVP_PKEY_verify.3 \
 man/man3/EVP_PKEY_verify_recover.3 \
diff --git a/doc/man3/EVP_PKEY_ASN1_METHOD.pod b/doc/man3/EVP_PKEY_ASN1_METHOD.pod
index cbf735d333..4a515590cc 100644
--- a/doc/man3/EVP_PKEY_ASN1_METHOD.pod
+++ b/doc/man3/EVP_PKEY_ASN1_METHOD.pod
@@ -257,7 +257,6 @@ L<EVP_PKEY_set_type_str(3)>, and L<EVP_PKEY_assign(3)>.
 
 The pkey_ctrl() method adds extra algorithm specific control.
 It's called by L<EVP_PKEY_get_default_digest_nid(3)>,
-L<EVP_PKEY_supports_digest_nid(3)>,
 L<EVP_PKEY_set1_encoded_public_key(3)>,
 L<EVP_PKEY_get1_encoded_public_key(3)>, L<PKCS7_SIGNER_INFO_set(3)>,
 L<PKCS7_RECIP_INFO_set(3)>, ...
diff --git a/doc/man3/EVP_PKEY_digestsign_supports_digest.pod b/doc/man3/EVP_PKEY_digestsign_supports_digest.pod
new file mode 100644
index 0000000000..c043ce4e95
--- /dev/null
+++ b/doc/man3/EVP_PKEY_digestsign_supports_digest.pod
@@ -0,0 +1,44 @@
+=pod
+
+=head1 NAME
+
+EVP_PKEY_digestsign_supports_digest - indicate support for signature digest
+
+=head1 SYNOPSIS
+
+ #include <openssl/evp.h>
+ int EVP_PKEY_digestsign_supports_digest(EVP_PKEY *pkey, OSSL_LIB_CTX *libctx,
+                                         const char *name, const char *propq);
+
+=head1 DESCRIPTION
+
+The EVP_PKEY_digestsign_supports_digest() function queries whether the message
+digest I<name> is supported for public key signature operations associated with
+key I<pkey>. The query is done within an optional library context I<libctx> and
+with an optional property query I<propq>.
+
+=head1 RETURN VALUES
+
+The EVP_PKEY_digestsign_supports_digest() function returns 1 if the message
+digest algorithm identified by I<name> can be used for public key signature
+operations associated with key I<pkey> and 0 if it cannot be used. It returns
+a negative value for failure.
+
+=head1 SEE ALSO
+
+L<EVP_DigestSignInit_ex(3)>,
+
+=head1 HISTORY
+
+The EVP_PKEY_digestsign_supports_digest() function was added in OpenSSL 3.0.
+
+=head1 COPYRIGHT
+
+Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License").  You may not use
+this file except in compliance with the License.  You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
diff --git a/doc/man3/EVP_PKEY_get_default_digest_nid.pod b/doc/man3/EVP_PKEY_get_default_digest_nid.pod
index 2213a024c7..d680ffef1a 100644
--- a/doc/man3/EVP_PKEY_get_default_digest_nid.pod
+++ b/doc/man3/EVP_PKEY_get_default_digest_nid.pod
@@ -47,7 +47,7 @@ algorithm.
 
 L<EVP_PKEY_CTX_new(3)>,
 L<EVP_PKEY_sign(3)>,
-L<EVP_PKEY_supports_digest_nid(3)>,
+L<EVP_PKEY_digestsign_supports_digest(3)>,
 L<EVP_PKEY_verify(3)>,
 L<EVP_PKEY_verify_recover(3)>,
 
diff --git a/doc/man3/EVP_PKEY_supports_digest_nid.pod b/doc/man3/EVP_PKEY_supports_digest_nid.pod
deleted file mode 100644
index b3f51346ca..0000000000
--- a/doc/man3/EVP_PKEY_supports_digest_nid.pod
+++ /dev/null
@@ -1,53 +0,0 @@
-=pod
-
-=head1 NAME
-
-EVP_PKEY_supports_digest_nid - indicate support for signature digest
-
-=head1 SYNOPSIS
-
- #include <openssl/evp.h>
- int EVP_PKEY_supports_digest_nid(EVP_PKEY *pkey, int nid);
-
-=head1 DESCRIPTION
-
-The EVP_PKEY_supports_digest_nid() function queries whether the message digest
-NID B<nid> is supported for public key signature operations associated with key
-B<pkey>.
-
-=head1 NOTES
-
-If the EVP_PKEY implementation does not explicitly support this method, but
-L<EVP_PKEY_get_default_digest_nid(3)> returns a mandatory digest result, then
-only that mandatory digest will be supported.
-
-=head1 RETURN VALUES
-
-The EVP_PKEY_supports_digest_nid() function returns 1 if the message digest
-algorithm identified by B<nid> can be used for public key signature operations
-associated with key B<pkey> and 0 if it cannot be used. It returns a negative
-value for failure. In particular a return value of -2 indicates the query
-operation is not supported by the public key algorithm.
-
-=head1 SEE ALSO
-
-L<EVP_PKEY_CTX_new(3)>,
-L<EVP_PKEY_get_default_digest_nid(3)>,
-L<EVP_PKEY_sign(3)>,
-L<EVP_PKEY_verify(3)>,
-L<EVP_PKEY_verify_recover(3)>,
-
-=head1 HISTORY
-
-The EVP_PKEY_supports_digest_nid() function was added in OpenSSL 3.0.
-
-=head1 COPYRIGHT
-
-Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved.
-
-Licensed under the Apache License 2.0 (the "License").  You may not use
-this file except in compliance with the License.  You can obtain a copy
-in the file LICENSE in the source distribution or at
-L<https://www.openssl.org/source/license.html>.
-
-=cut
diff --git a/include/openssl/evp.h b/include/openssl/evp.h
index 9d4867ea99..27e14d07b6 100644
--- a/include/openssl/evp.h
+++ b/include/openssl/evp.h
@@ -1398,7 +1398,8 @@ int EVP_PKEY_print_params_fp(FILE *fp, const EVP_PKEY *pkey,
 int EVP_PKEY_get_default_digest_nid(EVP_PKEY *pkey, int *pnid);
 int EVP_PKEY_get_default_digest_name(EVP_PKEY *pkey,
                                      char *mdname, size_t mdname_sz);
-int EVP_PKEY_supports_digest_nid(EVP_PKEY *pkey, int nid);
+int EVP_PKEY_digestsign_supports_digest(EVP_PKEY *pkey, OSSL_LIB_CTX *libctx,
+                                        const char *name, const char *propq);
 
 # ifndef OPENSSL_NO_DEPRECATED_3_0
 /*
@@ -1513,8 +1514,7 @@ int EVP_PBE_get(int *ptype, int *ppbe_nid, size_t num);
 
 # define ASN1_PKEY_CTRL_SET1_TLS_ENCPT   0x9
 # define ASN1_PKEY_CTRL_GET1_TLS_ENCPT   0xa
-# define ASN1_PKEY_CTRL_SUPPORTS_MD_NID  0xb
-# define ASN1_PKEY_CTRL_CMS_IS_RI_TYPE_SUPPORTED 0xc
+# define ASN1_PKEY_CTRL_CMS_IS_RI_TYPE_SUPPORTED 0xb
 
 int EVP_PKEY_asn1_get_count(void);
 const EVP_PKEY_ASN1_METHOD *EVP_PKEY_asn1_get0(int idx);
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 14c16e355d..1dc57af43a 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -3052,15 +3052,18 @@ static int check_cert_usable(SSL *s, const SIGALG_LOOKUP *sig, X509 *x,
     const SIGALG_LOOKUP *lu;
     int mdnid, pknid, supported;
     size_t i;
+    const char *mdname = NULL;
 
     /*
-     * If the given EVP_PKEY cannot supporting signing with this sigalg,
+     * If the given EVP_PKEY cannot support signing with this digest,
      * the answer is simply 'no'.
      */
-    ERR_set_mark();
-    supported = EVP_PKEY_supports_digest_nid(pkey, sig->hash);
-    ERR_pop_to_mark();
-    if (supported == 0)
+    if (sig->hash != NID_undef)
+        mdname = OBJ_nid2sn(sig->hash);
+    supported = EVP_PKEY_digestsign_supports_digest(pkey, s->ctx->libctx,
+                                                    mdname,
+                                                    s->ctx->propq);
+    if (supported <= 0)
         return 0;
 
     /*
diff --git a/util/libcrypto.num b/util/libcrypto.num
index 69b8f63e32..67bf50af4d 100644
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@@ -4414,7 +4414,7 @@ EVP_MAC_update                          ?	3_0_0	EXIST::FUNCTION:
 EVP_MAC_final                           ?	3_0_0	EXIST::FUNCTION:
 EVP_MAC_finalXOF                        ?	3_0_0	EXIST::FUNCTION:
 OSSL_EC_curve_nid2name                  ?	3_0_0	EXIST::FUNCTION:
-EVP_PKEY_supports_digest_nid            ?	3_0_0	EXIST::FUNCTION:
+EVP_PKEY_digestsign_supports_digest     ?	3_0_0	EXIST::FUNCTION:
 SRP_VBASE_add0_user                     ?	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP
 SRP_user_pwd_new                        ?	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP
 SRP_user_pwd_set_gN                     ?	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP


More information about the openssl-commits mailing list