The branch master has been updated via 93f99b681ab5a1cf7062053323e09b0cad5ff854 (commit) via 7674e92324648b59786d86d8e9014bbaed4e6d07 (commit) from 5606922c3d2e8c3d3ffda4347cb9fe3992d75f89 (commit)
- Log ----------------------------------------------------------------- commit 93f99b681ab5a1cf7062053323e09b0cad5ff854 Author: Dr. David von Oheimb <david.von.ohe...@siemens.com> Date: Thu May 21 10:37:22 2020 +0200 Fix X509_PUBKEY_cmp(), move to crypto/x509/x_pubkey.c, rename, export, and document it Fixes #11870 Reviewed-by: Tomas Mraz <tm...@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11894) commit 7674e92324648b59786d86d8e9014bbaed4e6d07 Author: Dr. David von Oheimb <david.von.ohe...@siemens.com> Date: Sun May 24 18:28:06 2020 +0200 Constify X509_PUBKEY_get(), X509_PUBKEY_get0(), and X509_PUBKEY_get0_param() Reviewed-by: Tomas Mraz <tm...@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11894) ----------------------------------------------------------------------- Summary of changes: crypto/asn1/ameth_lib.c | 2 +- crypto/crmf/crmf_lib.c | 21 +-------------------- crypto/dh/dh_ameth.c | 2 +- crypto/dsa/dsa_ameth.c | 2 +- crypto/ec/ec_ameth.c | 2 +- crypto/ec/ecx_meth.c | 2 +- crypto/rsa/rsa_ameth.c | 2 +- crypto/x509/x_pubkey.c | 31 ++++++++++++++++++++++++++----- doc/man3/EVP_PKEY_ASN1_METHOD.pod | 2 +- doc/man3/X509_PUBKEY_new.pod | 19 ++++++++++++++----- include/crypto/asn1.h | 2 +- include/openssl/evp.h | 2 +- include/openssl/x509.h | 7 ++++--- util/libcrypto.num | 1 + 14 files changed, 55 insertions(+), 42 deletions(-) diff --git a/crypto/asn1/ameth_lib.c b/crypto/asn1/ameth_lib.c index a006c7624d..8c7df51fe4 100644 --- a/crypto/asn1/ameth_lib.c +++ b/crypto/asn1/ameth_lib.c @@ -277,7 +277,7 @@ void EVP_PKEY_asn1_free(EVP_PKEY_ASN1_METHOD *ameth) void EVP_PKEY_asn1_set_public(EVP_PKEY_ASN1_METHOD *ameth, int (*pub_decode) (EVP_PKEY *pk, - X509_PUBKEY *pub), + const X509_PUBKEY *pub), int (*pub_encode) (X509_PUBKEY *pub, const EVP_PKEY *pk), int (*pub_cmp) (const EVP_PKEY *a, diff --git a/crypto/crmf/crmf_lib.c b/crypto/crmf/crmf_lib.c index 89eb2c3775..c20a6da0f2 100644 --- a/crypto/crmf/crmf_lib.c +++ b/crypto/crmf/crmf_lib.c @@ -461,25 +461,6 @@ int OSSL_CRMF_MSG_create_popo(OSSL_CRMF_MSG *crm, EVP_PKEY *pkey, return 0; } -/* returns 0 for equal, -1 for a < b or error on a, 1 for a > b or error on b */ -static int X509_PUBKEY_cmp(X509_PUBKEY *a, X509_PUBKEY *b) -{ - X509_ALGOR *algA = NULL, *algB = NULL; - int res = 0; - - if (a == b) - return 0; - if (a == NULL || !X509_PUBKEY_get0_param(NULL, NULL, NULL, &algA, a) - || algA == NULL) - return -1; - if (b == NULL || !X509_PUBKEY_get0_param(NULL, NULL, NULL, &algB, b) - || algB == NULL) - return 1; - if ((res = X509_ALGOR_cmp(algA, algB)) != 0) - return res; - return EVP_PKEY_cmp(X509_PUBKEY_get0(a), X509_PUBKEY_get0(b)); -} - /* verifies the Proof-of-Possession of the request with the given rid in reqs */ int OSSL_CRMF_MSGS_verify_popo(const OSSL_CRMF_MSGS *reqs, int rid, int acceptRAVerified) @@ -522,7 +503,7 @@ int OSSL_CRMF_MSGS_verify_popo(const OSSL_CRMF_MSGS *reqs, CRMFerr(0, CRMF_R_POPO_MISSING_PUBLIC_KEY); return 0; } - if (X509_PUBKEY_cmp(pubkey, sig->poposkInput->publicKey) != 0) { + if (X509_PUBKEY_eq(pubkey, sig->poposkInput->publicKey) != 1) { CRMFerr(0, CRMF_R_POPO_INCONSISTENT_PUBLIC_KEY); return 0; } diff --git a/crypto/dh/dh_ameth.c b/crypto/dh/dh_ameth.c index e76b655f40..d93d519444 100644 --- a/crypto/dh/dh_ameth.c +++ b/crypto/dh/dh_ameth.c @@ -52,7 +52,7 @@ static void int_dh_free(EVP_PKEY *pkey) DH_free(pkey->pkey.dh); } -static int dh_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey) +static int dh_pub_decode(EVP_PKEY *pkey, const X509_PUBKEY *pubkey) { const unsigned char *p, *pm; int pklen, pmlen; diff --git a/crypto/dsa/dsa_ameth.c b/crypto/dsa/dsa_ameth.c index f74b50ee9c..651b463235 100644 --- a/crypto/dsa/dsa_ameth.c +++ b/crypto/dsa/dsa_ameth.c @@ -27,7 +27,7 @@ #include "internal/ffc.h" #include "dsa_local.h" -static int dsa_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey) +static int dsa_pub_decode(EVP_PKEY *pkey, const X509_PUBKEY *pubkey) { const unsigned char *p, *pm; int pklen, pmlen; diff --git a/crypto/ec/ec_ameth.c b/crypto/ec/ec_ameth.c index cac0b682f9..6ccaef3815 100644 --- a/crypto/ec/ec_ameth.c +++ b/crypto/ec/ec_ameth.c @@ -141,7 +141,7 @@ static EC_KEY *eckey_type2param(int ptype, const void *pval) return NULL; } -static int eckey_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey) +static int eckey_pub_decode(EVP_PKEY *pkey, const X509_PUBKEY *pubkey) { const unsigned char *p = NULL; const void *pval; diff --git a/crypto/ec/ecx_meth.c b/crypto/ec/ecx_meth.c index eedb1c9259..8b63e6918d 100644 --- a/crypto/ec/ecx_meth.c +++ b/crypto/ec/ecx_meth.c @@ -126,7 +126,7 @@ static int ecx_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey) return 1; } -static int ecx_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey) +static int ecx_pub_decode(EVP_PKEY *pkey, const X509_PUBKEY *pubkey) { const unsigned char *p; int pklen; diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c index e9eddde68e..6628e38342 100644 --- a/crypto/rsa/rsa_ameth.c +++ b/crypto/rsa/rsa_ameth.c @@ -101,7 +101,7 @@ static int rsa_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey) return 0; } -static int rsa_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey) +static int rsa_pub_decode(EVP_PKEY *pkey, const X509_PUBKEY *pubkey) { const unsigned char *p; int pklen; diff --git a/crypto/x509/x_pubkey.c b/crypto/x509/x_pubkey.c index d3e6af2552..14893adb2f 100644 --- a/crypto/x509/x_pubkey.c +++ b/crypto/x509/x_pubkey.c @@ -30,7 +30,7 @@ struct X509_pubkey_st { EVP_PKEY *pkey; }; -static int x509_pubkey_decode(EVP_PKEY **pk, X509_PUBKEY *key); +static int x509_pubkey_decode(EVP_PKEY **pk, const X509_PUBKEY *key); /* Minor tweak to operation: free up EVP_PKEY */ static int pubkey_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, @@ -151,7 +151,7 @@ int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey) */ -static int x509_pubkey_decode(EVP_PKEY **ppkey, X509_PUBKEY *key) +static int x509_pubkey_decode(EVP_PKEY **ppkey, const X509_PUBKEY *key) { EVP_PKEY *pkey = EVP_PKEY_new(); @@ -188,7 +188,7 @@ static int x509_pubkey_decode(EVP_PKEY **ppkey, X509_PUBKEY *key) return 0; } -EVP_PKEY *X509_PUBKEY_get0(X509_PUBKEY *key) +EVP_PKEY *X509_PUBKEY_get0(const X509_PUBKEY *key) { EVP_PKEY *ret = NULL; @@ -216,7 +216,7 @@ EVP_PKEY *X509_PUBKEY_get0(X509_PUBKEY *key) return NULL; } -EVP_PKEY *X509_PUBKEY_get(X509_PUBKEY *key) +EVP_PKEY *X509_PUBKEY_get(const X509_PUBKEY *key) { EVP_PKEY *ret = X509_PUBKEY_get0(key); @@ -453,7 +453,7 @@ int X509_PUBKEY_set0_param(X509_PUBKEY *pub, ASN1_OBJECT *aobj, int X509_PUBKEY_get0_param(ASN1_OBJECT **ppkalg, const unsigned char **pk, int *ppklen, - X509_ALGOR **pa, X509_PUBKEY *pub) + X509_ALGOR **pa, const X509_PUBKEY *pub) { if (ppkalg) *ppkalg = pub->algor->algorithm; @@ -472,3 +472,24 @@ ASN1_BIT_STRING *X509_get0_pubkey_bitstr(const X509 *x) return NULL; return x->cert_info.key->public_key; } + +/* Returns 1 for equal, 0, for non-equal, < 0 on error */ +int X509_PUBKEY_eq(const X509_PUBKEY *a, const X509_PUBKEY *b) +{ + X509_ALGOR *algA, *algB; + EVP_PKEY *pA, *pB; + + if (a == b) + return 1; + if (a == NULL || b == NULL) + return 0; + if (!X509_PUBKEY_get0_param(NULL, NULL, NULL, &algA, a) || algA == NULL + || !X509_PUBKEY_get0_param(NULL, NULL, NULL, &algB, b) || algB == NULL) + return -2; + if (X509_ALGOR_cmp(algA, algB) != 0) + return 0; + if ((pA = X509_PUBKEY_get0(a)) == NULL + || (pB = X509_PUBKEY_get0(b)) == NULL) + return -2; + return EVP_PKEY_cmp(pA, pB); +} diff --git a/doc/man3/EVP_PKEY_ASN1_METHOD.pod b/doc/man3/EVP_PKEY_ASN1_METHOD.pod index ed44749cc2..989008db07 100644 --- a/doc/man3/EVP_PKEY_ASN1_METHOD.pod +++ b/doc/man3/EVP_PKEY_ASN1_METHOD.pod @@ -43,7 +43,7 @@ EVP_PKEY_get0_asn1 void EVP_PKEY_asn1_set_public(EVP_PKEY_ASN1_METHOD *ameth, int (*pub_decode) (EVP_PKEY *pk, - X509_PUBKEY *pub), + const X509_PUBKEY *pub), int (*pub_encode) (X509_PUBKEY *pub, const EVP_PKEY *pk), int (*pub_cmp) (const EVP_PKEY *a, diff --git a/doc/man3/X509_PUBKEY_new.pod b/doc/man3/X509_PUBKEY_new.pod index 551031b82b..60d1cd390e 100644 --- a/doc/man3/X509_PUBKEY_new.pod +++ b/doc/man3/X509_PUBKEY_new.pod @@ -5,8 +5,8 @@ X509_PUBKEY_new, X509_PUBKEY_free, X509_PUBKEY_dup, X509_PUBKEY_set, X509_PUBKEY_get0, X509_PUBKEY_get, d2i_PUBKEY, i2d_PUBKEY, d2i_PUBKEY_bio, d2i_PUBKEY_fp, -i2d_PUBKEY_fp, i2d_PUBKEY_bio, X509_PUBKEY_set0_param, -X509_PUBKEY_get0_param - SubjectPublicKeyInfo public key functions +i2d_PUBKEY_fp, i2d_PUBKEY_bio, X509_PUBKEY_set0_param, X509_PUBKEY_get0_param, +X509_PUBKEY_eq - SubjectPublicKeyInfo public key functions =head1 SYNOPSIS @@ -17,8 +17,8 @@ X509_PUBKEY_get0_param - SubjectPublicKeyInfo public key functions X509_PUBKEY *X509_PUBKEY_dup(const X509_PUBKEY *a); int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey); - EVP_PKEY *X509_PUBKEY_get0(X509_PUBKEY *key); - EVP_PKEY *X509_PUBKEY_get(X509_PUBKEY *key); + EVP_PKEY *X509_PUBKEY_get0(const X509_PUBKEY *key); + EVP_PKEY *X509_PUBKEY_get(const X509_PUBKEY *key); EVP_PKEY *d2i_PUBKEY(EVP_PKEY **a, const unsigned char **pp, long length); int i2d_PUBKEY(const EVP_PKEY *a, unsigned char **pp); @@ -34,7 +34,8 @@ X509_PUBKEY_get0_param - SubjectPublicKeyInfo public key functions unsigned char *penc, int penclen); int X509_PUBKEY_get0_param(ASN1_OBJECT **ppkalg, const unsigned char **pk, int *ppklen, - X509_ALGOR **pa, X509_PUBKEY *pub); + X509_ALGOR **pa, const X509_PUBKEY *pub); + int X509_PUBKEY_eq(X509_PUBKEY *a, X509_PUBKEY *b); =head1 DESCRIPTION @@ -81,6 +82,8 @@ parameters is not required it can be set to B<NULL>. All of the retrieved pointers are internal and must not be freed after the call. +X509_PUBKEY_eq() compares two B<X509_PUBKEY> values. + =head1 NOTES The B<X509_PUBKEY> functions can be used to encode and decode public keys @@ -104,12 +107,18 @@ structure or B<NULL> if an error occurs. X509_PUBKEY_set(), X509_PUBKEY_set0_param() and X509_PUBKEY_get0_param() return 1 for success and 0 if an error occurred. +X509_PUBKEY_eq() returns 1 for equal, 0 for different, and < 0 on error. + =head1 SEE ALSO L<d2i_X509(3)>, L<ERR_get_error(3)>, L<X509_get_pubkey(3)>, +=head1 HISTORY + +The X509_PUBKEY_eq() function was added in OpenSSL 3.0. + =head1 COPYRIGHT Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. diff --git a/include/crypto/asn1.h b/include/crypto/asn1.h index aaf091f8a5..d3683649bc 100644 --- a/include/crypto/asn1.h +++ b/include/crypto/asn1.h @@ -19,7 +19,7 @@ struct evp_pkey_asn1_method_st { unsigned long pkey_flags; char *pem_str; char *info; - int (*pub_decode) (EVP_PKEY *pk, X509_PUBKEY *pub); + int (*pub_decode) (EVP_PKEY *pk, const X509_PUBKEY *pub); int (*pub_encode) (X509_PUBKEY *pub, const EVP_PKEY *pk); int (*pub_cmp) (const EVP_PKEY *a, const EVP_PKEY *b); int (*pub_print) (BIO *out, const EVP_PKEY *pkey, int indent, diff --git a/include/openssl/evp.h b/include/openssl/evp.h index 0d5ce07f31..3d2e161549 100644 --- a/include/openssl/evp.h +++ b/include/openssl/evp.h @@ -1306,7 +1306,7 @@ void EVP_PKEY_asn1_copy(EVP_PKEY_ASN1_METHOD *dst, void EVP_PKEY_asn1_free(EVP_PKEY_ASN1_METHOD *ameth); void EVP_PKEY_asn1_set_public(EVP_PKEY_ASN1_METHOD *ameth, int (*pub_decode) (EVP_PKEY *pk, - X509_PUBKEY *pub), + const X509_PUBKEY *pub), int (*pub_encode) (X509_PUBKEY *pub, const EVP_PKEY *pk), int (*pub_cmp) (const EVP_PKEY *a, diff --git a/include/openssl/x509.h b/include/openssl/x509.h index d709c53ced..b0e33d5286 100644 --- a/include/openssl/x509.h +++ b/include/openssl/x509.h @@ -519,8 +519,8 @@ DECLARE_ASN1_FUNCTIONS(X509_VAL) DECLARE_ASN1_FUNCTIONS(X509_PUBKEY) int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey); -EVP_PKEY *X509_PUBKEY_get0(X509_PUBKEY *key); -EVP_PKEY *X509_PUBKEY_get(X509_PUBKEY *key); +EVP_PKEY *X509_PUBKEY_get0(const X509_PUBKEY *key); +EVP_PKEY *X509_PUBKEY_get(const X509_PUBKEY *key); int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain); long X509_get_pathlen(X509 *x); DECLARE_ASN1_ENCODE_FUNCTIONS_only(EVP_PKEY, PUBKEY) @@ -1052,7 +1052,8 @@ int X509_PUBKEY_set0_param(X509_PUBKEY *pub, ASN1_OBJECT *aobj, unsigned char *penc, int penclen); int X509_PUBKEY_get0_param(ASN1_OBJECT **ppkalg, const unsigned char **pk, int *ppklen, - X509_ALGOR **pa, X509_PUBKEY *pub); + X509_ALGOR **pa, const X509_PUBKEY *pub); +int X509_PUBKEY_eq(const X509_PUBKEY *a, const X509_PUBKEY *b); int X509_check_trust(X509 *x, int id, int flags); int X509_TRUST_get_count(void); diff --git a/util/libcrypto.num b/util/libcrypto.num index aea01e55fa..724d5038de 100644 --- a/util/libcrypto.num +++ b/util/libcrypto.num @@ -5094,3 +5094,4 @@ EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen ? 3_0_0 EXIST::FUNCTION:RSA EVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md ? 3_0_0 EXIST::FUNCTION:RSA EVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md_name ? 3_0_0 EXIST::FUNCTION:RSA OSSL_PROVIDER_do_all ? 3_0_0 EXIST::FUNCTION: +X509_PUBKEY_eq ? 3_0_0 EXIST::FUNCTION: