diff options
author | Shane Lontis <shane.lontis@oracle.com> | 2021-03-05 08:22:56 +1000 |
---|---|---|
committer | Tomas Mraz <tomas@openssl.org> | 2021-03-22 15:40:04 +0100 |
commit | e72dbd8e13cbf5a16faaa6c911af5507593dd836 (patch) | |
tree | ec450d9fef6ba2223cfc36ee1865512254f9dd23 /crypto | |
parent | c781eb1c63c243cb64dbe3066a43dc172aaab3b8 (diff) |
Fix usages of const EVP_MD.
Partially fixes #13837
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14474)
Diffstat (limited to 'crypto')
-rw-r--r-- | crypto/cms/cms_sd.c | 2 | ||||
-rw-r--r-- | crypto/ec/ecx_meth.c | 22 | ||||
-rw-r--r-- | crypto/ess/ess_lib.c | 2 | ||||
-rw-r--r-- | crypto/ts/ts_local.h | 2 | ||||
-rw-r--r-- | crypto/ts/ts_rsp_sign.c | 37 | ||||
-rw-r--r-- | crypto/x509/x509_cmp.c | 8 | ||||
-rw-r--r-- | crypto/x509/x509_req.c | 2 | ||||
-rw-r--r-- | crypto/x509/x_all.c | 45 | ||||
-rw-r--r-- | crypto/x509/x_req.c | 41 |
9 files changed, 127 insertions, 34 deletions
diff --git a/crypto/cms/cms_sd.c b/crypto/cms/cms_sd.c index a57943513e..c98d118f4b 100644 --- a/crypto/cms/cms_sd.c +++ b/crypto/cms/cms_sd.c @@ -372,7 +372,7 @@ CMS_SignerInfo *CMS_add1_signer(CMS_ContentInfo *cms, ESS_SIGNING_CERT_V2 *sc2 = NULL; int add_sc; - if (md == EVP_sha1() || md == NULL) { + if (md == NULL || EVP_MD_is_a(md, SN_sha1)) { if ((sc = ossl_ess_signing_cert_new_init(signer, NULL, 1)) == NULL) goto err; diff --git a/crypto/ec/ecx_meth.c b/crypto/ec/ecx_meth.c index d476af0e3c..d68189036b 100644 --- a/crypto/ec/ecx_meth.c +++ b/crypto/ec/ecx_meth.c @@ -991,6 +991,8 @@ static int s390x_pkey_ecd_keygen25519(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) ctx->propquery); unsigned char *privkey = NULL, *pubkey; unsigned int sz; + EVP_MD *md = NULL; + int rv; if (key == NULL) { ERR_raise(ERR_LIB_EC, ERR_R_MALLOC_FAILURE); @@ -1008,7 +1010,13 @@ static int s390x_pkey_ecd_keygen25519(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) if (RAND_priv_bytes_ex(ctx->libctx, privkey, ED25519_KEYLEN) <= 0) goto err; - if (!EVP_Digest(privkey, 32, buff, &sz, EVP_sha512(), NULL)) + md = EVP_MD_fetch(ctx->libctx, "SHA512", ctx->propquery); + if (md == NULL) + goto err; + + rv = EVP_Digest(privkey, 32, buff, &sz, md, NULL); + EVP_MD_free(md); + if (!rv) goto err; buff[0] &= 248; @@ -1049,6 +1057,8 @@ static int s390x_pkey_ecd_keygen448(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) ctx->propquery); unsigned char *privkey = NULL, *pubkey; EVP_MD_CTX *hashctx = NULL; + EVP_MD *md = NULL; + int rv; if (key == NULL) { ERR_raise(ERR_LIB_EC, ERR_R_MALLOC_FAILURE); @@ -1069,8 +1079,16 @@ static int s390x_pkey_ecd_keygen448(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) hashctx = EVP_MD_CTX_new(); if (hashctx == NULL) goto err; - if (EVP_DigestInit_ex(hashctx, EVP_shake256(), NULL) != 1) + + md = EVP_MD_fetch(ctx->libctx, "SHAKE256", ctx->propquery); + if (md == NULL) + goto err; + + rv = EVP_DigestInit_ex(hashctx, md, NULL); + EVP_MD_free(md); + if (rv != 1) goto err; + if (EVP_DigestUpdate(hashctx, privkey, 57) != 1) goto err; if (EVP_DigestFinalXOF(hashctx, buff, sizeof(buff)) != 1) diff --git a/crypto/ess/ess_lib.c b/crypto/ess/ess_lib.c index ebc76cb79c..96cb6d053f 100644 --- a/crypto/ess/ess_lib.c +++ b/crypto/ess/ess_lib.c @@ -145,7 +145,7 @@ static ESS_CERT_ID_V2 *ESS_CERT_ID_V2_new_init(const EVP_MD *hash_alg, if ((cid = ESS_CERT_ID_V2_new()) == NULL) goto err; - if (hash_alg != EVP_sha256()) { + if (!EVP_MD_is_a(hash_alg, SN_sha256)) { alg = X509_ALGOR_new(); if (alg == NULL) goto err; diff --git a/crypto/ts/ts_local.h b/crypto/ts/ts_local.h index 320173376a..99a420dddf 100644 --- a/crypto/ts/ts_local.h +++ b/crypto/ts/ts_local.h @@ -124,6 +124,8 @@ struct TS_resp_ctx { TS_REQ *request; TS_RESP *response; TS_TST_INFO *tst_info; + OSSL_LIB_CTX *libctx; + char *propq; }; struct TS_verify_ctx { diff --git a/crypto/ts/ts_rsp_sign.c b/crypto/ts/ts_rsp_sign.c index 0bbe0e2b6c..e29420232f 100644 --- a/crypto/ts/ts_rsp_sign.c +++ b/crypto/ts/ts_rsp_sign.c @@ -108,7 +108,7 @@ static int def_extension_cb(struct TS_resp_ctx *ctx, X509_EXTENSION *ext, /* TS_RESP_CTX management functions. */ -TS_RESP_CTX *TS_RESP_CTX_new(void) +TS_RESP_CTX *TS_RESP_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq) { TS_RESP_CTX *ctx; @@ -117,8 +117,15 @@ TS_RESP_CTX *TS_RESP_CTX_new(void) return NULL; } - ctx->signer_md = EVP_sha256(); - + if (propq != NULL) { + ctx->propq = OPENSSL_strdup(propq); + if (ctx->propq == NULL) { + OPENSSL_free(ctx); + ERR_raise(ERR_LIB_TS, ERR_R_MALLOC_FAILURE); + return NULL; + } + } + ctx->libctx = libctx; ctx->serial_cb = def_serial_cb; ctx->time_cb = def_time_cb; ctx->extension_cb = def_extension_cb; @@ -126,11 +133,17 @@ TS_RESP_CTX *TS_RESP_CTX_new(void) return ctx; } +TS_RESP_CTX *TS_RESP_CTX_new(void) +{ + return TS_RESP_CTX_new_ex(NULL, NULL); +} + void TS_RESP_CTX_free(TS_RESP_CTX *ctx) { if (!ctx) return; + OPENSSL_free(ctx->propq); X509_free(ctx->signer_cert); EVP_PKEY_free(ctx->signer_key); sk_X509_pop_free(ctx->certs, X509_free); @@ -623,13 +636,14 @@ static int ts_RESP_sign(TS_RESP_CTX *ctx) ASN1_OBJECT *oid; BIO *p7bio = NULL; int i; + EVP_MD *signer_md = NULL; if (!X509_check_private_key(ctx->signer_cert, ctx->signer_key)) { ERR_raise(ERR_LIB_TS, TS_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE); goto err; } - if ((p7 = PKCS7_new()) == NULL) { + if ((p7 = PKCS7_new_ex(ctx->libctx, ctx->propq)) == NULL) { ERR_raise(ERR_LIB_TS, ERR_R_MALLOC_FAILURE); goto err; } @@ -648,8 +662,16 @@ static int ts_RESP_sign(TS_RESP_CTX *ctx) } } + if (ctx->signer_md == NULL) + signer_md = EVP_MD_fetch(ctx->libctx, "SHA256", ctx->propq); + else if (EVP_MD_provider(ctx->signer_md) == NULL) + signer_md = EVP_MD_fetch(ctx->libctx, EVP_MD_name(ctx->signer_md), + ctx->propq); + else + signer_md = (EVP_MD *)ctx->signer_md; + if ((si = PKCS7_add_signature(p7, ctx->signer_cert, - ctx->signer_key, ctx->signer_md)) == NULL) { + ctx->signer_key, signer_md)) == NULL) { ERR_raise(ERR_LIB_TS, TS_R_PKCS7_ADD_SIGNATURE_ERROR); goto err; } @@ -663,7 +685,7 @@ static int ts_RESP_sign(TS_RESP_CTX *ctx) certs = ctx->flags & TS_ESS_CERT_ID_CHAIN ? ctx->certs : NULL; if (ctx->ess_cert_id_digest == NULL - || ctx->ess_cert_id_digest == EVP_sha1()) { + || EVP_MD_is_a(ctx->ess_cert_id_digest, SN_sha1)) { if ((sc = ossl_ess_signing_cert_new_init(ctx->signer_cert, certs, 0)) == NULL) goto err; @@ -704,6 +726,9 @@ static int ts_RESP_sign(TS_RESP_CTX *ctx) ret = 1; err: + if (signer_md != ctx->signer_md) + EVP_MD_free(signer_md); + if (!ret) TS_RESP_CTX_set_status_info_cond(ctx, TS_STATUS_REJECTION, "Error during signature " diff --git a/crypto/x509/x509_cmp.c b/crypto/x509/x509_cmp.c index 3ced70b21f..51dc24b6fb 100644 --- a/crypto/x509/x509_cmp.c +++ b/crypto/x509/x509_cmp.c @@ -40,13 +40,18 @@ unsigned long X509_issuer_and_serial_hash(X509 *a) EVP_MD_CTX *ctx = EVP_MD_CTX_new(); unsigned char md[16]; char *f; + EVP_MD *digest = NULL; if (ctx == NULL) goto err; f = X509_NAME_oneline(a->cert_info.issuer, NULL, 0); if (f == NULL) goto err; - if (!EVP_DigestInit_ex(ctx, EVP_md5(), NULL)) + digest = EVP_MD_fetch(a->libctx, SN_md5, a->propq); + if (digest == NULL) + goto err; + + if (!EVP_DigestInit_ex(ctx, digest, NULL)) goto err; if (!EVP_DigestUpdate(ctx, (unsigned char *)f, strlen(f))) goto err; @@ -61,6 +66,7 @@ unsigned long X509_issuer_and_serial_hash(X509 *a) ((unsigned long)md[2] << 16L) | ((unsigned long)md[3] << 24L) ) & 0xffffffffL; err: + EVP_MD_free(digest); EVP_MD_CTX_free(ctx); return ret; } diff --git a/crypto/x509/x509_req.c b/crypto/x509/x509_req.c index 29dec4e657..e3f5c2add1 100644 --- a/crypto/x509/x509_req.c +++ b/crypto/x509/x509_req.c @@ -26,7 +26,7 @@ X509_REQ *X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, const EVP_MD *md) int i; EVP_PKEY *pktmp; - ret = X509_REQ_new(); + ret = X509_REQ_new_ex(x->libctx, x->propq); if (ret == NULL) { ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE); goto err; diff --git a/crypto/x509/x_all.c b/crypto/x509/x_all.c index d21b0799f6..c5e0c0b1ec 100644 --- a/crypto/x509/x_all.c +++ b/crypto/x509/x_all.c @@ -52,16 +52,15 @@ int X509_REQ_verify(X509_REQ *a, EVP_PKEY *r) int NETSCAPE_SPKI_verify(NETSCAPE_SPKI *a, EVP_PKEY *r) { - return (ASN1_item_verify(ASN1_ITEM_rptr(NETSCAPE_SPKAC), - &a->sig_algor, a->signature, a->spkac, r)); + return ASN1_item_verify(ASN1_ITEM_rptr(NETSCAPE_SPKAC), + &a->sig_algor, a->signature, a->spkac, r); } int X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md) { x->cert_info.enc.modified = 1; - return (ASN1_item_sign(ASN1_ITEM_rptr(X509_CINF), &x->cert_info.signature, - &x->sig_alg, &x->signature, &x->cert_info, pkey, - md)); + return ASN1_item_sign(ASN1_ITEM_rptr(X509_CINF), &x->cert_info.signature, + &x->sig_alg, &x->signature, &x->cert_info, pkey, md); } int X509_sign_ctx(X509 *x, EVP_MD_CTX *ctx) @@ -90,8 +89,8 @@ X509 *X509_load_http(const char *url, BIO *bio, BIO *rbio, int timeout) int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md) { - return (ASN1_item_sign(ASN1_ITEM_rptr(X509_REQ_INFO), &x->sig_alg, NULL, - x->signature, &x->req_info, pkey, md)); + return ASN1_item_sign(ASN1_ITEM_rptr(X509_REQ_INFO), &x->sig_alg, NULL, + x->signature, &x->req_info, pkey, md); } int X509_REQ_sign_ctx(X509_REQ *x, EVP_MD_CTX *ctx) @@ -104,8 +103,8 @@ int X509_REQ_sign_ctx(X509_REQ *x, EVP_MD_CTX *ctx) int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md) { x->crl.enc.modified = 1; - return (ASN1_item_sign(ASN1_ITEM_rptr(X509_CRL_INFO), &x->crl.sig_alg, - &x->sig_alg, &x->signature, &x->crl, pkey, md)); + return ASN1_item_sign(ASN1_ITEM_rptr(X509_CRL_INFO), &x->crl.sig_alg, + &x->sig_alg, &x->signature, &x->crl, pkey, md); } int X509_CRL_sign_ctx(X509_CRL *x, EVP_MD_CTX *ctx) @@ -124,8 +123,8 @@ X509_CRL *X509_CRL_load_http(const char *url, BIO *bio, BIO *rbio, int timeout) int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *x, EVP_PKEY *pkey, const EVP_MD *md) { - return (ASN1_item_sign(ASN1_ITEM_rptr(NETSCAPE_SPKAC), &x->sig_algor, NULL, - x->signature, x->spkac, pkey, md)); + return ASN1_item_sign(ASN1_ITEM_rptr(NETSCAPE_SPKAC), &x->sig_algor, NULL, + x->signature, x->spkac, pkey, md); } #ifndef OPENSSL_NO_STDIO @@ -399,8 +398,8 @@ int X509_digest(const X509 *cert, const EVP_MD *md, unsigned char *data, memcpy(data, cert->sha1_hash, sizeof(cert->sha1_hash)); return 1; } - return (ossl_asn1_item_digest_ex(ASN1_ITEM_rptr(X509), md, (char *)cert, - data, len, cert->libctx, cert->propq)); + return ossl_asn1_item_digest_ex(ASN1_ITEM_rptr(X509), md, (char *)cert, + data, len, cert->libctx, cert->propq); } /* calculate cert digest using the same hash algorithm as in its signature */ @@ -435,7 +434,9 @@ ASN1_OCTET_STRING *X509_digest_sig(const X509 *cert) int X509_CRL_digest(const X509_CRL *data, const EVP_MD *type, unsigned char *md, unsigned int *len) { - if (type == EVP_sha1() && (data->flags & EXFLAG_SET) != 0 + if (type != NULL + && EVP_MD_is_a(type, SN_sha1) + && (data->flags & EXFLAG_SET) != 0 && (data->flags & EXFLAG_NO_FINGERPRINT) == 0) { /* Asking for SHA1; always computed in CRL d2i. */ if (len != NULL) @@ -443,30 +444,30 @@ int X509_CRL_digest(const X509_CRL *data, const EVP_MD *type, memcpy(md, data->sha1_hash, sizeof(data->sha1_hash)); return 1; } - return (ASN1_item_digest - (ASN1_ITEM_rptr(X509_CRL), type, (char *)data, md, len)); + return ossl_asn1_item_digest_ex(ASN1_ITEM_rptr(X509_CRL), type, (char *)data, + md, len, data->libctx, data->propq); } int X509_REQ_digest(const X509_REQ *data, const EVP_MD *type, unsigned char *md, unsigned int *len) { - return (ASN1_item_digest - (ASN1_ITEM_rptr(X509_REQ), type, (char *)data, md, len)); + return ossl_asn1_item_digest_ex(ASN1_ITEM_rptr(X509_REQ), type, (char *)data, + md, len, data->libctx, data->propq); } int X509_NAME_digest(const X509_NAME *data, const EVP_MD *type, unsigned char *md, unsigned int *len) { - return (ASN1_item_digest - (ASN1_ITEM_rptr(X509_NAME), type, (char *)data, md, len)); + return ASN1_item_digest(ASN1_ITEM_rptr(X509_NAME), type, (char *)data, + md, len); } int PKCS7_ISSUER_AND_SERIAL_digest(PKCS7_ISSUER_AND_SERIAL *data, const EVP_MD *type, unsigned char *md, unsigned int *len) { - return (ASN1_item_digest(ASN1_ITEM_rptr(PKCS7_ISSUER_AND_SERIAL), type, - (char *)data, md, len)); + return ASN1_item_digest(ASN1_ITEM_rptr(PKCS7_ISSUER_AND_SERIAL), type, + (char *)data, md, len); } #ifndef OPENSSL_NO_STDIO diff --git a/crypto/x509/x_req.c b/crypto/x509/x_req.c index e821ffdb78..2a48d8ccd9 100644 --- a/crypto/x509/x_req.c +++ b/crypto/x509/x_req.c @@ -61,6 +61,14 @@ static int req_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, case ASN1_OP_FREE_POST: ASN1_OCTET_STRING_free(ret->distinguishing_id); break; + case ASN1_OP_DUP_POST: + { + X509_REQ *old = exarg; + + if (!ossl_x509_req_set0_libctx(ret, old->libctx, old->propq)) + return 0; + } + break; } return 1; @@ -98,3 +106,36 @@ ASN1_OCTET_STRING *X509_REQ_get0_distinguishing_id(X509_REQ *x) { return x->distinguishing_id; } + +/* + * This should only be used if the X509_REQ object was embedded inside another + * asn1 object and it needs a libctx to operate. + * Use X509_REQ_new_ex() instead if possible. + */ +int ossl_x509_req_set0_libctx(X509_REQ *x, OSSL_LIB_CTX *libctx, + const char *propq) +{ + if (x != NULL) { + x->libctx = libctx; + OPENSSL_free(x->propq); + x->propq = NULL; + if (propq != NULL) { + x->propq = OPENSSL_strdup(propq); + if (x->propq == NULL) + return 0; + } + } + return 1; +} + +X509_REQ *X509_REQ_new_ex(OSSL_LIB_CTX *libctx, const char *propq) +{ + X509_REQ *req = NULL; + + req = (X509_REQ *)ASN1_item_new((X509_REQ_it())); + if (!ossl_x509_req_set0_libctx(req, libctx, propq)) { + X509_REQ_free(req); + req = NULL; + } + return req; +} |