QuasarApp/openssl
4
0
Fork 0
mirror of https://github.com/QuasarApp/openssl.git synced 2025-04-26 17:54:37 +00:00
Code Issues Projects Releases Wiki Activity

Fix usages of const EVP_MD.

Browse Source 
Partially fixes #13837

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14474)
This commit is contained in:
Shane Lontis 2021-03-05 08:22:56 +10:00 committed by Tomas Mraz
parent c781eb1c63
commit e72dbd8e13
16 changed files with 192 additions and 34 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
crypto/cms/cms_sd.c
View File

@ -372,7 +372,7 @@ CMS_SignerInfo *CMS_add1_signer(CMS_ContentInfo *cms,
ESS_SIGNING_CERT_V2 *sc2 = NULL;
int add_sc;
if (md == EVP_sha1() || md == NULL) {
if (md == NULL || EVP_MD_is_a(md, SN_sha1)) {
if ((sc = ossl_ess_signing_cert_new_init(signer,
NULL, 1)) == NULL)
goto err;

22
crypto/ec/ecx_meth.c
View File

@ -991,6 +991,8 @@ static int s390x_pkey_ecd_keygen25519(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
ctx->propquery);
unsigned char *privkey = NULL, *pubkey;
unsigned int sz;
EVP_MD *md = NULL;
int rv;
if (key == NULL) {
ERR_raise(ERR_LIB_EC, ERR_R_MALLOC_FAILURE);
@ -1008,7 +1010,13 @@ static int s390x_pkey_ecd_keygen25519(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
if (RAND_priv_bytes_ex(ctx->libctx, privkey, ED25519_KEYLEN) <= 0)
goto err;
if (!EVP_Digest(privkey, 32, buff, &sz, EVP_sha512(), NULL))
md = EVP_MD_fetch(ctx->libctx, "SHA512", ctx->propquery);
if (md == NULL)
goto err;
rv = EVP_Digest(privkey, 32, buff, &sz, md, NULL);
EVP_MD_free(md);
if (!rv)
goto err;
buff[0] &= 248;
@ -1049,6 +1057,8 @@ static int s390x_pkey_ecd_keygen448(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
ctx->propquery);
unsigned char *privkey = NULL, *pubkey;
EVP_MD_CTX *hashctx = NULL;
EVP_MD *md = NULL;
int rv;
if (key == NULL) {
ERR_raise(ERR_LIB_EC, ERR_R_MALLOC_FAILURE);
@ -1069,8 +1079,16 @@ static int s390x_pkey_ecd_keygen448(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
hashctx = EVP_MD_CTX_new();
if (hashctx == NULL)
goto err;
if (EVP_DigestInit_ex(hashctx, EVP_shake256(), NULL) != 1)
md = EVP_MD_fetch(ctx->libctx, "SHAKE256", ctx->propquery);
if (md == NULL)
goto err;
rv = EVP_DigestInit_ex(hashctx, md, NULL);
EVP_MD_free(md);
if (rv != 1)
goto err;
if (EVP_DigestUpdate(hashctx, privkey, 57) != 1)
goto err;
if (EVP_DigestFinalXOF(hashctx, buff, sizeof(buff)) != 1)

2
crypto/ess/ess_lib.c
View File

@ -145,7 +145,7 @@ static ESS_CERT_ID_V2 *ESS_CERT_ID_V2_new_init(const EVP_MD *hash_alg,
if ((cid = ESS_CERT_ID_V2_new()) == NULL)
goto err;
if (hash_alg != EVP_sha256()) {
if (!EVP_MD_is_a(hash_alg, SN_sha256)) {
alg = X509_ALGOR_new();
if (alg == NULL)
goto err;

2
crypto/ts/ts_local.h
View File

@ -124,6 +124,8 @@ struct TS_resp_ctx {
TS_REQ *request;
TS_RESP *response;
TS_TST_INFO *tst_info;
OSSL_LIB_CTX *libctx;
char *propq;
};
struct TS_verify_ctx {

37
crypto/ts/ts_rsp_sign.c
View File

@ -108,7 +108,7 @@ static int def_extension_cb(struct TS_resp_ctx *ctx, X509_EXTENSION *ext,
/* TS_RESP_CTX management functions. */
TS_RESP_CTX *TS_RESP_CTX_new(void)
TS_RESP_CTX *TS_RESP_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq)
{
TS_RESP_CTX *ctx;
@ -117,8 +117,15 @@ TS_RESP_CTX *TS_RESP_CTX_new(void)
return NULL;
}
ctx->signer_md = EVP_sha256();
if (propq != NULL) {
ctx->propq = OPENSSL_strdup(propq);
if (ctx->propq == NULL) {
OPENSSL_free(ctx);
ERR_raise(ERR_LIB_TS, ERR_R_MALLOC_FAILURE);
return NULL;
}
}
ctx->libctx = libctx;
ctx->serial_cb = def_serial_cb;
ctx->time_cb = def_time_cb;
ctx->extension_cb = def_extension_cb;
@ -126,11 +133,17 @@ TS_RESP_CTX *TS_RESP_CTX_new(void)
return ctx;
}
TS_RESP_CTX *TS_RESP_CTX_new(void)
{
return TS_RESP_CTX_new_ex(NULL, NULL);
}
void TS_RESP_CTX_free(TS_RESP_CTX *ctx)
{
if (!ctx)
return;
OPENSSL_free(ctx->propq);
X509_free(ctx->signer_cert);
EVP_PKEY_free(ctx->signer_key);
sk_X509_pop_free(ctx->certs, X509_free);
@ -623,13 +636,14 @@ static int ts_RESP_sign(TS_RESP_CTX *ctx)
ASN1_OBJECT *oid;
BIO *p7bio = NULL;
int i;
EVP_MD *signer_md = NULL;
if (!X509_check_private_key(ctx->signer_cert, ctx->signer_key)) {
ERR_raise(ERR_LIB_TS, TS_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
goto err;
}
if ((p7 = PKCS7_new()) == NULL) {
if ((p7 = PKCS7_new_ex(ctx->libctx, ctx->propq)) == NULL) {
ERR_raise(ERR_LIB_TS, ERR_R_MALLOC_FAILURE);
goto err;
}
@ -648,8 +662,16 @@ static int ts_RESP_sign(TS_RESP_CTX *ctx)
}
}
if (ctx->signer_md == NULL)
signer_md = EVP_MD_fetch(ctx->libctx, "SHA256", ctx->propq);
else if (EVP_MD_provider(ctx->signer_md) == NULL)
signer_md = EVP_MD_fetch(ctx->libctx, EVP_MD_name(ctx->signer_md),
ctx->propq);
else
signer_md = (EVP_MD *)ctx->signer_md;
if ((si = PKCS7_add_signature(p7, ctx->signer_cert,
ctx->signer_key, ctx->signer_md)) == NULL) {
ctx->signer_key, signer_md)) == NULL) {
ERR_raise(ERR_LIB_TS, TS_R_PKCS7_ADD_SIGNATURE_ERROR);
goto err;
}
@ -663,7 +685,7 @@ static int ts_RESP_sign(TS_RESP_CTX *ctx)
certs = ctx->flags & TS_ESS_CERT_ID_CHAIN ? ctx->certs : NULL;
if (ctx->ess_cert_id_digest == NULL
|| ctx->ess_cert_id_digest == EVP_sha1()) {
|| EVP_MD_is_a(ctx->ess_cert_id_digest, SN_sha1)) {
if ((sc = ossl_ess_signing_cert_new_init(ctx->signer_cert,
certs, 0)) == NULL)
goto err;
@ -704,6 +726,9 @@ static int ts_RESP_sign(TS_RESP_CTX *ctx)
ret = 1;
err:
if (signer_md != ctx->signer_md)
EVP_MD_free(signer_md);
if (!ret)
TS_RESP_CTX_set_status_info_cond(ctx, TS_STATUS_REJECTION,
"Error during signature "

8
crypto/x509/x509_cmp.c
View File

@ -40,13 +40,18 @@ unsigned long X509_issuer_and_serial_hash(X509 *a)
EVP_MD_CTX *ctx = EVP_MD_CTX_new();
unsigned char md[16];
char *f;
EVP_MD *digest = NULL;
if (ctx == NULL)
goto err;
f = X509_NAME_oneline(a->cert_info.issuer, NULL, 0);
if (f == NULL)
goto err;
if (!EVP_DigestInit_ex(ctx, EVP_md5(), NULL))
digest = EVP_MD_fetch(a->libctx, SN_md5, a->propq);
if (digest == NULL)
goto err;
if (!EVP_DigestInit_ex(ctx, digest, NULL))
goto err;
if (!EVP_DigestUpdate(ctx, (unsigned char *)f, strlen(f)))
goto err;
@ -61,6 +66,7 @@ unsigned long X509_issuer_and_serial_hash(X509 *a)
((unsigned long)md[2] << 16L) | ((unsigned long)md[3] << 24L)
) & 0xffffffffL;
err:
EVP_MD_free(digest);
EVP_MD_CTX_free(ctx);
return ret;
}

2
crypto/x509/x509_req.c
View File

@ -26,7 +26,7 @@ X509_REQ *X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, const EVP_MD *md)
int i;
EVP_PKEY *pktmp;
ret = X509_REQ_new();
ret = X509_REQ_new_ex(x->libctx, x->propq);
if (ret == NULL) {
ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE);
goto err;

45
crypto/x509/x_all.c
View File

@ -52,16 +52,15 @@ int X509_REQ_verify(X509_REQ *a, EVP_PKEY *r)
int NETSCAPE_SPKI_verify(NETSCAPE_SPKI *a, EVP_PKEY *r)
{
return (ASN1_item_verify(ASN1_ITEM_rptr(NETSCAPE_SPKAC),
&a->sig_algor, a->signature, a->spkac, r));
return ASN1_item_verify(ASN1_ITEM_rptr(NETSCAPE_SPKAC),
&a->sig_algor, a->signature, a->spkac, r);
}
int X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md)
{
x->cert_info.enc.modified = 1;
return (ASN1_item_sign(ASN1_ITEM_rptr(X509_CINF), &x->cert_info.signature,
&x->sig_alg, &x->signature, &x->cert_info, pkey,
md));
return ASN1_item_sign(ASN1_ITEM_rptr(X509_CINF), &x->cert_info.signature,
&x->sig_alg, &x->signature, &x->cert_info, pkey, md);
}
int X509_sign_ctx(X509 *x, EVP_MD_CTX *ctx)
@ -90,8 +89,8 @@ X509 *X509_load_http(const char *url, BIO *bio, BIO *rbio, int timeout)
int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md)
{
return (ASN1_item_sign(ASN1_ITEM_rptr(X509_REQ_INFO), &x->sig_alg, NULL,
x->signature, &x->req_info, pkey, md));
return ASN1_item_sign(ASN1_ITEM_rptr(X509_REQ_INFO), &x->sig_alg, NULL,
x->signature, &x->req_info, pkey, md);
}
int X509_REQ_sign_ctx(X509_REQ *x, EVP_MD_CTX *ctx)
@ -104,8 +103,8 @@ int X509_REQ_sign_ctx(X509_REQ *x, EVP_MD_CTX *ctx)
int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md)
{
x->crl.enc.modified = 1;
return (ASN1_item_sign(ASN1_ITEM_rptr(X509_CRL_INFO), &x->crl.sig_alg,
&x->sig_alg, &x->signature, &x->crl, pkey, md));
return ASN1_item_sign(ASN1_ITEM_rptr(X509_CRL_INFO), &x->crl.sig_alg,
&x->sig_alg, &x->signature, &x->crl, pkey, md);
}
int X509_CRL_sign_ctx(X509_CRL *x, EVP_MD_CTX *ctx)
@ -124,8 +123,8 @@ X509_CRL *X509_CRL_load_http(const char *url, BIO *bio, BIO *rbio, int timeout)
int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *x, EVP_PKEY *pkey, const EVP_MD *md)
{
return (ASN1_item_sign(ASN1_ITEM_rptr(NETSCAPE_SPKAC), &x->sig_algor, NULL,
x->signature, x->spkac, pkey, md));
return ASN1_item_sign(ASN1_ITEM_rptr(NETSCAPE_SPKAC), &x->sig_algor, NULL,
x->signature, x->spkac, pkey, md);
}
#ifndef OPENSSL_NO_STDIO
@ -399,8 +398,8 @@ int X509_digest(const X509 *cert, const EVP_MD *md, unsigned char *data,
memcpy(data, cert->sha1_hash, sizeof(cert->sha1_hash));
return 1;
}
return (ossl_asn1_item_digest_ex(ASN1_ITEM_rptr(X509), md, (char *)cert,
data, len, cert->libctx, cert->propq));
return ossl_asn1_item_digest_ex(ASN1_ITEM_rptr(X509), md, (char *)cert,
data, len, cert->libctx, cert->propq);
}
/* calculate cert digest using the same hash algorithm as in its signature */
@ -435,7 +434,9 @@ ASN1_OCTET_STRING *X509_digest_sig(const X509 *cert)
int X509_CRL_digest(const X509_CRL *data, const EVP_MD *type,
unsigned char *md, unsigned int *len)
{
if (type == EVP_sha1() && (data->flags & EXFLAG_SET) != 0
if (type != NULL
&& EVP_MD_is_a(type, SN_sha1)
&& (data->flags & EXFLAG_SET) != 0
&& (data->flags & EXFLAG_NO_FINGERPRINT) == 0) {
/* Asking for SHA1; always computed in CRL d2i. */
if (len != NULL)
@ -443,30 +444,30 @@ int X509_CRL_digest(const X509_CRL *data, const EVP_MD *type,
memcpy(md, data->sha1_hash, sizeof(data->sha1_hash));
return 1;
}
return (ASN1_item_digest
(ASN1_ITEM_rptr(X509_CRL), type, (char *)data, md, len));
return ossl_asn1_item_digest_ex(ASN1_ITEM_rptr(X509_CRL), type, (char *)data,
md, len, data->libctx, data->propq);
}
int X509_REQ_digest(const X509_REQ *data, const EVP_MD *type,
unsigned char *md, unsigned int *len)
{
return (ASN1_item_digest
(ASN1_ITEM_rptr(X509_REQ), type, (char *)data, md, len));
return ossl_asn1_item_digest_ex(ASN1_ITEM_rptr(X509_REQ), type, (char *)data,
md, len, data->libctx, data->propq);
}
int X509_NAME_digest(const X509_NAME *data, const EVP_MD *type,
unsigned char *md, unsigned int *len)
{
return (ASN1_item_digest
(ASN1_ITEM_rptr(X509_NAME), type, (char *)data, md, len));
return ASN1_item_digest(ASN1_ITEM_rptr(X509_NAME), type, (char *)data,
md, len);
}
int PKCS7_ISSUER_AND_SERIAL_digest(PKCS7_ISSUER_AND_SERIAL *data,
const EVP_MD *type, unsigned char *md,
unsigned int *len)
{
return (ASN1_item_digest(ASN1_ITEM_rptr(PKCS7_ISSUER_AND_SERIAL), type,
(char *)data, md, len));
return ASN1_item_digest(ASN1_ITEM_rptr(PKCS7_ISSUER_AND_SERIAL), type,
(char *)data, md, len);
}
#ifndef OPENSSL_NO_STDIO

41
crypto/x509/x_req.c
View File

@ -61,6 +61,14 @@ static int req_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
case ASN1_OP_FREE_POST:
ASN1_OCTET_STRING_free(ret->distinguishing_id);
break;
case ASN1_OP_DUP_POST:
{
X509_REQ *old = exarg;
if (!ossl_x509_req_set0_libctx(ret, old->libctx, old->propq))
return 0;
}
break;
}
return 1;
@ -98,3 +106,36 @@ ASN1_OCTET_STRING *X509_REQ_get0_distinguishing_id(X509_REQ *x)
{
return x->distinguishing_id;
}
/*
* This should only be used if the X509_REQ object was embedded inside another
* asn1 object and it needs a libctx to operate.
* Use X509_REQ_new_ex() instead if possible.
*/
int ossl_x509_req_set0_libctx(X509_REQ *x, OSSL_LIB_CTX *libctx,
const char *propq)
{
if (x != NULL) {
x->libctx = libctx;
OPENSSL_free(x->propq);
x->propq = NULL;
if (propq != NULL) {
x->propq = OPENSSL_strdup(propq);
if (x->propq == NULL)
return 0;
}
}
return 1;
}
X509_REQ *X509_REQ_new_ex(OSSL_LIB_CTX *libctx, const char *propq)
{
X509_REQ *req = NULL;
req = (X509_REQ *)ASN1_item_new((X509_REQ_it()));
if (!ossl_x509_req_set0_libctx(req, libctx, propq)) {
X509_REQ_free(req);
req = NULL;
}
return req;
}

6
doc/build.info
View File

@ -2502,6 +2502,10 @@ DEPEND[html/man3/SSL_write.html]=man3/SSL_write.pod
GENERATE[html/man3/SSL_write.html]=man3/SSL_write.pod
DEPEND[man/man3/SSL_write.3]=man3/SSL_write.pod
GENERATE[man/man3/SSL_write.3]=man3/SSL_write.pod
DEPEND[html/man3/TS_RESP_CTX_new.html]=man3/TS_RESP_CTX_new.pod
GENERATE[html/man3/TS_RESP_CTX_new.html]=man3/TS_RESP_CTX_new.pod
DEPEND[man/man3/TS_RESP_CTX_new.3]=man3/TS_RESP_CTX_new.pod
GENERATE[man/man3/TS_RESP_CTX_new.3]=man3/TS_RESP_CTX_new.pod
DEPEND[html/man3/TS_VERIFY_CTX_set_certs.html]=man3/TS_VERIFY_CTX_set_certs.pod
GENERATE[html/man3/TS_VERIFY_CTX_set_certs.html]=man3/TS_VERIFY_CTX_set_certs.pod
DEPEND[man/man3/TS_VERIFY_CTX_set_certs.3]=man3/TS_VERIFY_CTX_set_certs.pod
@ -3263,6 +3267,7 @@ html/man3/SSL_shutdown.html \
html/man3/SSL_state_string.html \
html/man3/SSL_want.html \
html/man3/SSL_write.html \
html/man3/TS_RESP_CTX_new.html \
html/man3/TS_VERIFY_CTX_set_certs.html \
html/man3/UI_STRING.html \
html/man3/UI_UTIL_read_pw.html \
@ -3835,6 +3840,7 @@ man/man3/SSL_shutdown.3 \
man/man3/SSL_state_string.3 \
man/man3/SSL_want.3 \
man/man3/SSL_write.3 \
man/man3/TS_RESP_CTX_new.3 \
man/man3/TS_VERIFY_CTX_set_certs.3 \
man/man3/UI_STRING.3 \
man/man3/UI_UTIL_read_pw.3 \

50
doc/man3/TS_RESP_CTX_new.pod Normal file
View File

@ -0,0 +1,50 @@
=pod
=head1 NAME
TS_RESP_CTX_new_ex, TS_RESP_CTX_new,
TS_RESP_CTX_free - Timestamp response context object creation
=head1 SYNOPSIS
#include <openssl/ts.h>
TS_RESP_CTX *TS_RESP_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq);
TS_RESP_CTX *TS_RESP_CTX_new(void);
void TS_RESP_CTX_free(TS_RESP_CTX *ctx);
=head1 DESCRIPTION
Creates a response context that can be used for generating responses.
TS_RESP_CTX_new_ex() allocates and initializes a TS_RESP_CTX structure with a
library context of I<libctx> and a property query of I<propq>.
The library context and property query can be used to select which providers
supply the fetched algorithms.
TS_RESP_CTX_new() is similar to TS_RESP_CTX_new_ex() but sets the library context
and property query to NULL. This results in the default (NULL) library context
being used for any operations requiring algorithm fetches.
TS_RESP_CTX_free() frees the B<TS_RESP_CTX> object I<ctx>.
=head1 RETURN VALUES
If the allocation fails, TS_RESP_CTX_new_ex() and TS_RESP_CTX_new() return NULL,
otherwise it returns a pointer to the newly allocated structure.
=head1 HISTORY
The function TS_RESP_CTX_new_ex() was added in OpenSSL 3.0.
=head1 COPYRIGHT
Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.
=cut

1
doc/man3/X509_dup.pod
View File

@ -288,6 +288,7 @@ X509_REQ_INFO_new,
X509_REQ_dup,
X509_REQ_free,
X509_REQ_new,
X509_REQ_new_ex,
X509_REVOKED_dup,
X509_REVOKED_free,
X509_REVOKED_new,

4
include/crypto/x509.h
View File

@ -81,6 +81,8 @@ struct X509_req_st {
/* Set on live certificates for authentication purposes */
ASN1_OCTET_STRING *distinguishing_id;
OSSL_LIB_CTX *libctx;
char *propq;
};
struct X509_crl_info_st {
@ -314,6 +316,8 @@ int ossl_x509_init_sig_info(X509 *x);
int ossl_x509_set0_libctx(X509 *x, OSSL_LIB_CTX *libctx, const char *propq);
int ossl_x509_crl_set0_libctx(X509_CRL *x, OSSL_LIB_CTX *libctx,
const char *propq);
int ossl_x509_req_set0_libctx(X509_REQ *x, OSSL_LIB_CTX *libctx,
const char *propq);
int ossl_asn1_item_digest_ex(const ASN1_ITEM *it, const EVP_MD *type,
void *data, unsigned char *md, unsigned int *len,
OSSL_LIB_CTX *libctx, const char *propq);

1
include/openssl/ts.h
View File

@ -266,6 +266,7 @@ typedef struct TS_resp_ctx TS_RESP_CTX;
/* Creates a response context that can be used for generating responses. */
TS_RESP_CTX *TS_RESP_CTX_new(void);
TS_RESP_CTX *TS_RESP_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq);
void TS_RESP_CTX_free(TS_RESP_CTX *ctx);
/* This parameter must be set. */

1
include/openssl/x509.h.in
View File

@ -579,6 +579,7 @@ void X509_SIG_getm(X509_SIG *sig, X509_ALGOR **palg,
DECLARE_ASN1_FUNCTIONS(X509_REQ_INFO)
DECLARE_ASN1_FUNCTIONS(X509_REQ)
X509_REQ *X509_REQ_new_ex(OSSL_LIB_CTX *libctx, const char *propq);
DECLARE_ASN1_FUNCTIONS(X509_ATTRIBUTE)
X509_ATTRIBUTE *X509_ATTRIBUTE_create(int nid, int atrtype, void *value);

2
util/libcrypto.num
View File

@ -5328,3 +5328,5 @@ EVP_PKEY_derive_init_ex ? 3_0_0 EXIST::FUNCTION:
EVP_PKEY_print_public_fp ? 3_0_0 EXIST::FUNCTION:STDIO
EVP_PKEY_print_private_fp ? 3_0_0 EXIST::FUNCTION:STDIO
EVP_PKEY_print_params_fp ? 3_0_0 EXIST::FUNCTION:STDIO
TS_RESP_CTX_new_ex ? 3_0_0 EXIST::FUNCTION:TS
X509_REQ_new_ex ? 3_0_0 EXIST::FUNCTION: