[openssl] master update
tomas at openssl.org
tomas at openssl.org
Thu May 13 11:19:56 UTC 2021
The branch master has been updated
via e9fe0f7e9df7e0909ca52a024b889e48616a29d9 (commit)
via 3c39bd9b89198c6b3834c369c7da6f582788f645 (commit)
from a3c86ce9e8923bb7e5ba3e69eae17aac04dbc76d (commit)
- Log -----------------------------------------------------------------
commit e9fe0f7e9df7e0909ca52a024b889e48616a29d9
Author: Tomas Mraz <tomas at openssl.org>
Date: Fri May 7 17:44:26 2021 +0200
Replace EVP_PKEY_supports_digest_nid
The EVP_PKEY_supports_digest_nid() is renamed to
EVP_PKEY_digestsign_supports_digest() and implemented
via EVP_DigestSignInit_ex().
Fixes #14343
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15198)
commit 3c39bd9b89198c6b3834c369c7da6f582788f645
Author: Tomas Mraz <tomas at openssl.org>
Date: Fri May 7 16:56:34 2021 +0200
Drop ASN1_PKEY_CTRL_SUPPORTS_MD_NID
This is a legacy ASN1_PKEY_CTRL that was added after
1.1.1 and is not needed.
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15198)
-----------------------------------------------------------------------
Summary of changes:
crypto/evp/p_lib.c | 28 ++++++-------
doc/build.info | 12 +++---
doc/man3/EVP_PKEY_ASN1_METHOD.pod | 1 -
doc/man3/EVP_PKEY_digestsign_supports_digest.pod | 44 ++++++++++++++++++++
doc/man3/EVP_PKEY_get_default_digest_nid.pod | 2 +-
doc/man3/EVP_PKEY_supports_digest_nid.pod | 53 ------------------------
include/openssl/evp.h | 6 +--
ssl/t1_lib.c | 13 +++---
util/libcrypto.num | 2 +-
9 files changed, 76 insertions(+), 85 deletions(-)
create mode 100644 doc/man3/EVP_PKEY_digestsign_supports_digest.pod
delete mode 100644 doc/man3/EVP_PKEY_supports_digest_nid.pod
diff --git a/crypto/evp/p_lib.c b/crypto/evp/p_lib.c
index 5cfc7405f3..6a8dc9bbbb 100644
--- a/crypto/evp/p_lib.c
+++ b/crypto/evp/p_lib.c
@@ -1335,23 +1335,21 @@ int EVP_PKEY_get_group_name(const EVP_PKEY *pkey, char *gname, size_t gname_sz,
gname, gname_sz, gname_len);
}
-int EVP_PKEY_supports_digest_nid(EVP_PKEY *pkey, int nid)
+int EVP_PKEY_digestsign_supports_digest(EVP_PKEY *pkey, OSSL_LIB_CTX *libctx,
+ const char *name, const char *propq)
{
- int rv, default_nid;
+ int rv;
+ EVP_MD_CTX *ctx = NULL;
- rv = evp_pkey_asn1_ctrl(pkey, ASN1_PKEY_CTRL_SUPPORTS_MD_NID, nid, NULL);
- if (rv == -2) {
- /*
- * If there is a mandatory default digest and this isn't it, then
- * the answer is 'no'.
- */
- rv = EVP_PKEY_get_default_digest_nid(pkey, &default_nid);
- if (rv == 2)
- return (nid == default_nid);
- /* zero is an error from EVP_PKEY_get_default_digest_nid() */
- if (rv == 0)
- return -1;
- }
+ if ((ctx = EVP_MD_CTX_new()) == NULL)
+ return -1;
+
+ ERR_set_mark();
+ rv = EVP_DigestSignInit_ex(ctx, NULL, name, libctx,
+ propq, pkey, NULL);
+ ERR_pop_to_mark();
+
+ EVP_MD_CTX_free(ctx);
return rv;
}
diff --git a/doc/build.info b/doc/build.info
index af0e0e0539..02882af91e 100644
--- a/doc/build.info
+++ b/doc/build.info
@@ -1198,6 +1198,10 @@ DEPEND[html/man3/EVP_PKEY_derive.html]=man3/EVP_PKEY_derive.pod
GENERATE[html/man3/EVP_PKEY_derive.html]=man3/EVP_PKEY_derive.pod
DEPEND[man/man3/EVP_PKEY_derive.3]=man3/EVP_PKEY_derive.pod
GENERATE[man/man3/EVP_PKEY_derive.3]=man3/EVP_PKEY_derive.pod
+DEPEND[html/man3/EVP_PKEY_digestsign_supports_digest.html]=man3/EVP_PKEY_digestsign_supports_digest.pod
+GENERATE[html/man3/EVP_PKEY_digestsign_supports_digest.html]=man3/EVP_PKEY_digestsign_supports_digest.pod
+DEPEND[man/man3/EVP_PKEY_digestsign_supports_digest.3]=man3/EVP_PKEY_digestsign_supports_digest.pod
+GENERATE[man/man3/EVP_PKEY_digestsign_supports_digest.3]=man3/EVP_PKEY_digestsign_supports_digest.pod
DEPEND[html/man3/EVP_PKEY_encapsulate.html]=man3/EVP_PKEY_encapsulate.pod
GENERATE[html/man3/EVP_PKEY_encapsulate.html]=man3/EVP_PKEY_encapsulate.pod
DEPEND[man/man3/EVP_PKEY_encapsulate.3]=man3/EVP_PKEY_encapsulate.pod
@@ -1274,10 +1278,6 @@ DEPEND[html/man3/EVP_PKEY_size.html]=man3/EVP_PKEY_size.pod
GENERATE[html/man3/EVP_PKEY_size.html]=man3/EVP_PKEY_size.pod
DEPEND[man/man3/EVP_PKEY_size.3]=man3/EVP_PKEY_size.pod
GENERATE[man/man3/EVP_PKEY_size.3]=man3/EVP_PKEY_size.pod
-DEPEND[html/man3/EVP_PKEY_supports_digest_nid.html]=man3/EVP_PKEY_supports_digest_nid.pod
-GENERATE[html/man3/EVP_PKEY_supports_digest_nid.html]=man3/EVP_PKEY_supports_digest_nid.pod
-DEPEND[man/man3/EVP_PKEY_supports_digest_nid.3]=man3/EVP_PKEY_supports_digest_nid.pod
-GENERATE[man/man3/EVP_PKEY_supports_digest_nid.3]=man3/EVP_PKEY_supports_digest_nid.pod
DEPEND[html/man3/EVP_PKEY_todata.html]=man3/EVP_PKEY_todata.pod
GENERATE[html/man3/EVP_PKEY_todata.html]=man3/EVP_PKEY_todata.pod
DEPEND[man/man3/EVP_PKEY_todata.3]=man3/EVP_PKEY_todata.pod
@@ -3001,6 +3001,7 @@ html/man3/EVP_PKEY_copy_parameters.html \
html/man3/EVP_PKEY_decapsulate.html \
html/man3/EVP_PKEY_decrypt.html \
html/man3/EVP_PKEY_derive.html \
+html/man3/EVP_PKEY_digestsign_supports_digest.html \
html/man3/EVP_PKEY_encapsulate.html \
html/man3/EVP_PKEY_encrypt.html \
html/man3/EVP_PKEY_fromdata.html \
@@ -3020,7 +3021,6 @@ html/man3/EVP_PKEY_set_type.html \
html/man3/EVP_PKEY_settable_params.html \
html/man3/EVP_PKEY_sign.html \
html/man3/EVP_PKEY_size.html \
-html/man3/EVP_PKEY_supports_digest_nid.html \
html/man3/EVP_PKEY_todata.html \
html/man3/EVP_PKEY_verify.html \
html/man3/EVP_PKEY_verify_recover.html \
@@ -3589,6 +3589,7 @@ man/man3/EVP_PKEY_copy_parameters.3 \
man/man3/EVP_PKEY_decapsulate.3 \
man/man3/EVP_PKEY_decrypt.3 \
man/man3/EVP_PKEY_derive.3 \
+man/man3/EVP_PKEY_digestsign_supports_digest.3 \
man/man3/EVP_PKEY_encapsulate.3 \
man/man3/EVP_PKEY_encrypt.3 \
man/man3/EVP_PKEY_fromdata.3 \
@@ -3608,7 +3609,6 @@ man/man3/EVP_PKEY_set_type.3 \
man/man3/EVP_PKEY_settable_params.3 \
man/man3/EVP_PKEY_sign.3 \
man/man3/EVP_PKEY_size.3 \
-man/man3/EVP_PKEY_supports_digest_nid.3 \
man/man3/EVP_PKEY_todata.3 \
man/man3/EVP_PKEY_verify.3 \
man/man3/EVP_PKEY_verify_recover.3 \
diff --git a/doc/man3/EVP_PKEY_ASN1_METHOD.pod b/doc/man3/EVP_PKEY_ASN1_METHOD.pod
index cbf735d333..4a515590cc 100644
--- a/doc/man3/EVP_PKEY_ASN1_METHOD.pod
+++ b/doc/man3/EVP_PKEY_ASN1_METHOD.pod
@@ -257,7 +257,6 @@ L<EVP_PKEY_set_type_str(3)>, and L<EVP_PKEY_assign(3)>.
The pkey_ctrl() method adds extra algorithm specific control.
It's called by L<EVP_PKEY_get_default_digest_nid(3)>,
-L<EVP_PKEY_supports_digest_nid(3)>,
L<EVP_PKEY_set1_encoded_public_key(3)>,
L<EVP_PKEY_get1_encoded_public_key(3)>, L<PKCS7_SIGNER_INFO_set(3)>,
L<PKCS7_RECIP_INFO_set(3)>, ...
diff --git a/doc/man3/EVP_PKEY_digestsign_supports_digest.pod b/doc/man3/EVP_PKEY_digestsign_supports_digest.pod
new file mode 100644
index 0000000000..c043ce4e95
--- /dev/null
+++ b/doc/man3/EVP_PKEY_digestsign_supports_digest.pod
@@ -0,0 +1,44 @@
+=pod
+
+=head1 NAME
+
+EVP_PKEY_digestsign_supports_digest - indicate support for signature digest
+
+=head1 SYNOPSIS
+
+ #include <openssl/evp.h>
+ int EVP_PKEY_digestsign_supports_digest(EVP_PKEY *pkey, OSSL_LIB_CTX *libctx,
+ const char *name, const char *propq);
+
+=head1 DESCRIPTION
+
+The EVP_PKEY_digestsign_supports_digest() function queries whether the message
+digest I<name> is supported for public key signature operations associated with
+key I<pkey>. The query is done within an optional library context I<libctx> and
+with an optional property query I<propq>.
+
+=head1 RETURN VALUES
+
+The EVP_PKEY_digestsign_supports_digest() function returns 1 if the message
+digest algorithm identified by I<name> can be used for public key signature
+operations associated with key I<pkey> and 0 if it cannot be used. It returns
+a negative value for failure.
+
+=head1 SEE ALSO
+
+L<EVP_DigestSignInit_ex(3)>,
+
+=head1 HISTORY
+
+The EVP_PKEY_digestsign_supports_digest() function was added in OpenSSL 3.0.
+
+=head1 COPYRIGHT
+
+Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
diff --git a/doc/man3/EVP_PKEY_get_default_digest_nid.pod b/doc/man3/EVP_PKEY_get_default_digest_nid.pod
index 2213a024c7..d680ffef1a 100644
--- a/doc/man3/EVP_PKEY_get_default_digest_nid.pod
+++ b/doc/man3/EVP_PKEY_get_default_digest_nid.pod
@@ -47,7 +47,7 @@ algorithm.
L<EVP_PKEY_CTX_new(3)>,
L<EVP_PKEY_sign(3)>,
-L<EVP_PKEY_supports_digest_nid(3)>,
+L<EVP_PKEY_digestsign_supports_digest(3)>,
L<EVP_PKEY_verify(3)>,
L<EVP_PKEY_verify_recover(3)>,
diff --git a/doc/man3/EVP_PKEY_supports_digest_nid.pod b/doc/man3/EVP_PKEY_supports_digest_nid.pod
deleted file mode 100644
index b3f51346ca..0000000000
--- a/doc/man3/EVP_PKEY_supports_digest_nid.pod
+++ /dev/null
@@ -1,53 +0,0 @@
-=pod
-
-=head1 NAME
-
-EVP_PKEY_supports_digest_nid - indicate support for signature digest
-
-=head1 SYNOPSIS
-
- #include <openssl/evp.h>
- int EVP_PKEY_supports_digest_nid(EVP_PKEY *pkey, int nid);
-
-=head1 DESCRIPTION
-
-The EVP_PKEY_supports_digest_nid() function queries whether the message digest
-NID B<nid> is supported for public key signature operations associated with key
-B<pkey>.
-
-=head1 NOTES
-
-If the EVP_PKEY implementation does not explicitly support this method, but
-L<EVP_PKEY_get_default_digest_nid(3)> returns a mandatory digest result, then
-only that mandatory digest will be supported.
-
-=head1 RETURN VALUES
-
-The EVP_PKEY_supports_digest_nid() function returns 1 if the message digest
-algorithm identified by B<nid> can be used for public key signature operations
-associated with key B<pkey> and 0 if it cannot be used. It returns a negative
-value for failure. In particular a return value of -2 indicates the query
-operation is not supported by the public key algorithm.
-
-=head1 SEE ALSO
-
-L<EVP_PKEY_CTX_new(3)>,
-L<EVP_PKEY_get_default_digest_nid(3)>,
-L<EVP_PKEY_sign(3)>,
-L<EVP_PKEY_verify(3)>,
-L<EVP_PKEY_verify_recover(3)>,
-
-=head1 HISTORY
-
-The EVP_PKEY_supports_digest_nid() function was added in OpenSSL 3.0.
-
-=head1 COPYRIGHT
-
-Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved.
-
-Licensed under the Apache License 2.0 (the "License"). You may not use
-this file except in compliance with the License. You can obtain a copy
-in the file LICENSE in the source distribution or at
-L<https://www.openssl.org/source/license.html>.
-
-=cut
diff --git a/include/openssl/evp.h b/include/openssl/evp.h
index 9d4867ea99..27e14d07b6 100644
--- a/include/openssl/evp.h
+++ b/include/openssl/evp.h
@@ -1398,7 +1398,8 @@ int EVP_PKEY_print_params_fp(FILE *fp, const EVP_PKEY *pkey,
int EVP_PKEY_get_default_digest_nid(EVP_PKEY *pkey, int *pnid);
int EVP_PKEY_get_default_digest_name(EVP_PKEY *pkey,
char *mdname, size_t mdname_sz);
-int EVP_PKEY_supports_digest_nid(EVP_PKEY *pkey, int nid);
+int EVP_PKEY_digestsign_supports_digest(EVP_PKEY *pkey, OSSL_LIB_CTX *libctx,
+ const char *name, const char *propq);
# ifndef OPENSSL_NO_DEPRECATED_3_0
/*
@@ -1513,8 +1514,7 @@ int EVP_PBE_get(int *ptype, int *ppbe_nid, size_t num);
# define ASN1_PKEY_CTRL_SET1_TLS_ENCPT 0x9
# define ASN1_PKEY_CTRL_GET1_TLS_ENCPT 0xa
-# define ASN1_PKEY_CTRL_SUPPORTS_MD_NID 0xb
-# define ASN1_PKEY_CTRL_CMS_IS_RI_TYPE_SUPPORTED 0xc
+# define ASN1_PKEY_CTRL_CMS_IS_RI_TYPE_SUPPORTED 0xb
int EVP_PKEY_asn1_get_count(void);
const EVP_PKEY_ASN1_METHOD *EVP_PKEY_asn1_get0(int idx);
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 14c16e355d..1dc57af43a 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -3052,15 +3052,18 @@ static int check_cert_usable(SSL *s, const SIGALG_LOOKUP *sig, X509 *x,
const SIGALG_LOOKUP *lu;
int mdnid, pknid, supported;
size_t i;
+ const char *mdname = NULL;
/*
- * If the given EVP_PKEY cannot supporting signing with this sigalg,
+ * If the given EVP_PKEY cannot support signing with this digest,
* the answer is simply 'no'.
*/
- ERR_set_mark();
- supported = EVP_PKEY_supports_digest_nid(pkey, sig->hash);
- ERR_pop_to_mark();
- if (supported == 0)
+ if (sig->hash != NID_undef)
+ mdname = OBJ_nid2sn(sig->hash);
+ supported = EVP_PKEY_digestsign_supports_digest(pkey, s->ctx->libctx,
+ mdname,
+ s->ctx->propq);
+ if (supported <= 0)
return 0;
/*
diff --git a/util/libcrypto.num b/util/libcrypto.num
index 69b8f63e32..67bf50af4d 100644
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@@ -4414,7 +4414,7 @@ EVP_MAC_update ? 3_0_0 EXIST::FUNCTION:
EVP_MAC_final ? 3_0_0 EXIST::FUNCTION:
EVP_MAC_finalXOF ? 3_0_0 EXIST::FUNCTION:
OSSL_EC_curve_nid2name ? 3_0_0 EXIST::FUNCTION:
-EVP_PKEY_supports_digest_nid ? 3_0_0 EXIST::FUNCTION:
+EVP_PKEY_digestsign_supports_digest ? 3_0_0 EXIST::FUNCTION:
SRP_VBASE_add0_user ? 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP
SRP_user_pwd_new ? 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP
SRP_user_pwd_set_gN ? 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP
More information about the openssl-commits
mailing list