authorShane Lontis <shane.lontis@oracle.com>2021-03-31 15:10:22 +1000
committerShane Lontis <shane.lontis@oracle.com>2021-04-08 11:30:44 +1000
commite6c2f96489fc0c006845c8597f8ceed2f01f76ee (patch)
tree87b519bbf7cf1a1966d44fbd70121e1ba77d550d /crypto/ocsp
parent09fba0b44032c2f66d5e7e8c732869e031ce74c8 (diff)
Fix more certificate related lib_ctx settings.
Fixes #13732

Fix a few places that were not using the '_ex' variants of ASN1_item_sign/verify.

Added X509_CRL_new_ex().

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14752)
Diffstat (limited to 'crypto/ocsp')
-rw-r--r--crypto/ocsp/ocsp_cl.c2
-rw-r--r--crypto/ocsp/ocsp_local.h46
-rw-r--r--crypto/ocsp/ocsp_srv.c7
-rw-r--r--crypto/ocsp/ocsp_vfy.c4
4 files changed, 34 insertions, 25 deletions
diff --git a/crypto/ocsp/ocsp_cl.c b/crypto/ocsp/ocsp_cl.c
index cfa85af240..c1dda38414 100644
--- a/crypto/ocsp/ocsp_cl.c
+++ b/crypto/ocsp/ocsp_cl.c
@@ -94,7 +94,7 @@ int OCSP_request_sign(OCSP_REQUEST *req,
OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
goto err;
}
- if (!OCSP_REQUEST_sign(req, key, dgst))
+ if (!OCSP_REQUEST_sign(req, key, dgst, signer->libctx, signer->propq))
goto err;
}
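Review bot: The library context for OCSP_REQUEST_sign on the added line is taken from the signer certificate (`signer->libctx`, `signer->propq`) while the signature itself is produced with `key`, an EVP_PKEY that may have been loaded under a different context; nothing in the hunk shows the two agree. If the certificate's context is the intended source of truth, which is also the convention the ocsp_vfy.c hunk follows for verification, a one-line comment stating it, e.g. `/* algorithms are fetched from the signer cert's library context, not the key's */`, would make the choice reviewable. OCSP_request_sign starts outside the hunk, so the private-key/certificate match check is inferred from the visible OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE error rather than seen.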
diff --git a/crypto/ocsp/ocsp_local.h b/crypto/ocsp/ocsp_local.h
index 6542febc98..e1633403c6 100644
--- a/crypto/ocsp/ocsp_local.h
+++ b/crypto/ocsp/ocsp_local.h
@@ -217,22 +217,30 @@ struct ocsp_service_locator_st {
STACK_OF(ACCESS_DESCRIPTION) *locator;
};
-# define OCSP_REQUEST_sign(o,pkey,md) \
- ASN1_item_sign(ASN1_ITEM_rptr(OCSP_REQINFO),\
- &(o)->optionalSignature->signatureAlgorithm,NULL,\
- (o)->optionalSignature->signature,&(o)->tbsRequest,pkey,md)
-
-# define OCSP_BASICRESP_sign(o,pkey,md,d) \
- ASN1_item_sign(ASN1_ITEM_rptr(OCSP_RESPDATA),&(o)->signatureAlgorithm,\
- NULL,(o)->signature,&(o)->tbsResponseData,pkey,md)
-
-# define OCSP_BASICRESP_sign_ctx(o,ctx,d) \
- ASN1_item_sign_ctx(ASN1_ITEM_rptr(OCSP_RESPDATA),&(o)->signatureAlgorithm,\
- NULL,(o)->signature,&(o)->tbsResponseData,ctx)
-
-# define OCSP_REQUEST_verify(a,r) ASN1_item_verify(ASN1_ITEM_rptr(OCSP_REQINFO),\
- &(a)->optionalSignature->signatureAlgorithm,\
- (a)->optionalSignature->signature,&(a)->tbsRequest,r)
-
-# define OCSP_BASICRESP_verify(a,r) ASN1_item_verify(ASN1_ITEM_rptr(OCSP_RESPDATA),\
- &(a)->signatureAlgorithm,(a)->signature,&(a)->tbsResponseData,r)
+# define OCSP_REQUEST_sign(o, pkey, md, libctx, propq)\
+ ASN1_item_sign_ex(ASN1_ITEM_rptr(OCSP_REQINFO),\
+ &(o)->optionalSignature->signatureAlgorithm, NULL,\
+ (o)->optionalSignature->signature, &(o)->tbsRequest,\
+ NULL, pkey, md, libctx, propq)
+
+# define OCSP_BASICRESP_sign(o, pkey, md, d, libctx, propq)\
+ ASN1_item_sign_ex(ASN1_ITEM_rptr(OCSP_RESPDATA),\
+ &(o)->signatureAlgorithm, NULL,\
+ (o)->signature, &(o)->tbsResponseData,\
+ NULL, pkey, md, libctx, propq)
+
+# define OCSP_BASICRESP_sign_ctx(o, ctx, d)\
+ ASN1_item_sign_ctx(ASN1_ITEM_rptr(OCSP_RESPDATA),\
+ &(o)->signatureAlgorithm, NULL,\
+ (o)->signature, &(o)->tbsResponseData, ctx)
+
+# define OCSP_REQUEST_verify(a, r, libctx, propq)\
+ ASN1_item_verify_ex(ASN1_ITEM_rptr(OCSP_REQINFO),\
+ &(a)->optionalSignature->signatureAlgorithm,\
+ (a)->optionalSignature->signature, &(a)->tbsRequest,\
+ NULL, r, libctx, propq)
+
+# define OCSP_BASICRESP_verify(a, r, libctx, propq)\
+ ASN1_item_verify_ex(ASN1_ITEM_rptr(OCSP_RESPDATA),\
+ &(a)->signatureAlgorithm, (a)->signature,\
+ &(a)->tbsResponseData, NULL, r, libctx, propq)
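Review bot: The rewritten OCSP_BASICRESP_sign and OCSP_BASICRESP_sign_ctx macros still take a `d` argument that appears nowhere in their expansions, so it is silently ignored at every call site; since the parameter lists were being changed anyway, dropping it or marking it, `/* d: unused, kept for source compatibility */`, would stop readers from assuming it is threaded through. The bare `NULL` placed between the tbs pointer and `pkey`/`r` in each new expansion is presumably the optional `id` argument of ASN1_item_sign_ex/ASN1_item_verify_ex; a short comment such as `/* NULL: no signer id */` would save the next reader a trip to the prototype. The hunk header announces 22/30 lines but fewer are visible here, so a trailing context line of this hunk appears to have been lost in rendering.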
diff --git a/crypto/ocsp/ocsp_srv.c b/crypto/ocsp/ocsp_srv.c
index af1277942e..4187446e1c 100644
--- a/crypto/ocsp/ocsp_srv.c
+++ b/crypto/ocsp/ocsp_srv.c
@@ -223,7 +223,8 @@ int OCSP_basic_sign(OCSP_BASICRESP *brsp,
if (ctx == NULL)
return 0;
- if (!EVP_DigestSignInit(ctx, &pkctx, dgst, NULL, key)) {
+ if (!EVP_DigestSignInit_ex(ctx, &pkctx, EVP_MD_name(dgst),
+ signer->libctx, signer->propq, key, NULL)) {
EVP_MD_CTX_free(ctx);
return 0;
}
@@ -277,7 +278,7 @@ int OCSP_RESPID_set_by_key_ex(OCSP_RESPID *respid, X509 *cert,
int OCSP_RESPID_set_by_key(OCSP_RESPID *respid, X509 *cert)
{
- return OCSP_RESPID_set_by_key_ex(respid, cert, NULL, NULL);
+ return OCSP_RESPID_set_by_key_ex(respid, cert, cert->libctx, cert->propq);
}
int OCSP_RESPID_match_ex(OCSP_RESPID *respid, X509 *cert, OSSL_LIB_CTX *libctx,
@@ -318,5 +319,5 @@ int OCSP_RESPID_match_ex(OCSP_RESPID *respid, X509 *cert, OSSL_LIB_CTX *libctx,
int OCSP_RESPID_match(OCSP_RESPID *respid, X509 *cert)
{
- return OCSP_RESPID_match_ex(respid, cert, NULL, NULL);
+ return OCSP_RESPID_match_ex(respid, cert, cert->libctx, cert->propq);
}
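Review bot: The EVP_DigestSignInit_ex call on the added lines passes `EVP_MD_name(dgst)` and lets the digest be re-fetched from `signer->libctx`/`signer->propq`, which discards whatever implementation the caller's `dgst` object was fetched with; a caller that passed an explicitly fetched EVP_MD from another provider or with different properties may get its signature computed by a different implementation than requested. If that is intended, a comment such as `/* dgst is re-fetched by name in the signer's context; the caller's EVP_MD instance is not used directly */` would record it. Whether `dgst == NULL` (default digest) still works now depends on EVP_MD_name() tolerating NULL, which is not visible here. The two one-line wrappers below now dereference `cert` before reaching the _ex functions, so a NULL cert fails in the wrapper rather than inside them; OCSP_basic_sign starts and ends outside the first hunk.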
diff --git a/crypto/ocsp/ocsp_vfy.c b/crypto/ocsp/ocsp_vfy.c
index 544748851f..fe878043ca 100644
--- a/crypto/ocsp/ocsp_vfy.c
+++ b/crypto/ocsp/ocsp_vfy.c
@@ -84,9 +84,9 @@ static int ocsp_verify(OCSP_REQUEST *req, OCSP_BASICRESP *bs,
return -1;
}
if (req != NULL)
- ret = OCSP_REQUEST_verify(req, skey);
+ ret = OCSP_REQUEST_verify(req, skey, signer->libctx, signer->propq);
else
- ret = OCSP_BASICRESP_verify(bs, skey);
+ ret = OCSP_BASICRESP_verify(bs, skey, signer->libctx, signer->propq);
if (ret <= 0)
ERR_raise(ERR_LIB_OCSP, OCSP_R_SIGNATURE_FAILURE);
}