The branch master has been updated
via 2ec6491669d1a93a5c4a445715aae6b1582cb2a4 (commit)
via c4685815bf7edbc546add24b9fa99b632a2ba366 (commit)
via 42e7d043f09f7a54005800fb00cb11a0c38e891f (commit)
via 3f700d4b95f249308e03c0f1fcb3c9620dad94fe (commit)
via e27fea4640defe3adc9309a4b573101055228ef3 (commit)
via 27344bb82a65ce13de4c9f6c78615fa91d93d3eb (commit)
via 192d50087881c031ee60307c8e0460d8470efaa9 (commit)
from 6bcbc3698557739da03495920a57be4ffe219fa4 (commit)
- Log -----------------------------------------------------------------
commit 2ec6491669d1a93a5c4a445715aae6b1582cb2a4
Author: Pauli <[email protected]>
Date: Thu Apr 15 10:42:01 2021 +1000
asn1: fix indentation
Reviewed-by: Tomas Mraz <[email protected]>
(Merged from https://github.com/openssl/openssl/pull/14881)
commit c4685815bf7edbc546add24b9fa99b632a2ba366
Author: Pauli <[email protected]>
Date: Wed Apr 14 16:38:07 2021 +1000
dsa: remove unused macro
Reviewed-by: Tomas Mraz <[email protected]>
(Merged from https://github.com/openssl/openssl/pull/14881)
commit 42e7d043f09f7a54005800fb00cb11a0c38e891f
Author: Pauli <[email protected]>
Date: Thu Apr 15 10:35:28 2021 +1000
srp: remove references to EVP_sha1()
Reviewed-by: Tomas Mraz <[email protected]>
(Merged from https://github.com/openssl/openssl/pull/14881)
commit 3f700d4b95f249308e03c0f1fcb3c9620dad94fe
Author: Pauli <[email protected]>
Date: Thu Apr 15 10:35:08 2021 +1000
pem: remove references to EVP_sha1()
Reviewed-by: Tomas Mraz <[email protected]>
(Merged from https://github.com/openssl/openssl/pull/14881)
commit e27fea4640defe3adc9309a4b573101055228ef3
Author: Pauli <[email protected]>
Date: Thu Apr 15 10:34:48 2021 +1000
ocsp: remove references to EVP_sha1()
Reviewed-by: Tomas Mraz <[email protected]>
(Merged from https://github.com/openssl/openssl/pull/14881)
commit 27344bb82a65ce13de4c9f6c78615fa91d93d3eb
Author: Pauli <[email protected]>
Date: Thu Apr 15 10:33:59 2021 +1000
cms: remove most references to EVP_sha1()
Reviewed-by: Tomas Mraz <[email protected]>
(Merged from https://github.com/openssl/openssl/pull/14881)
commit 192d50087881c031ee60307c8e0460d8470efaa9
Author: Pauli <[email protected]>
Date: Thu Apr 15 10:31:58 2021 +1000
x509: remove most references to EVP_sha1()
Fixes #14387
Reviewed-by: Tomas Mraz <[email protected]>
(Merged from https://github.com/openssl/openssl/pull/14881)
-----------------------------------------------------------------------
Summary of changes:
crypto/asn1/a_digest.c | 4 ++--
crypto/cms/cms_smime.c | 4 ++++
crypto/dsa/dsa_depr.c | 7 -------
crypto/evp/p5_crpt2.c | 10 ++++++++--
crypto/ocsp/ocsp_lib.c | 1 +
crypto/ocsp/ocsp_vfy.c | 18 ++++++++++++------
crypto/pem/pvkfmt.c | 7 +++++--
crypto/srp/srp_vfy.c | 13 ++++++++++---
crypto/x509/t_x509.c | 13 ++++++++++---
crypto/x509/v3_skid.c | 19 +++++++++++++++----
10 files changed, 67 insertions(+), 29 deletions(-)
diff --git a/crypto/asn1/a_digest.c b/crypto/asn1/a_digest.c
index cac6c327da..9d7efcdb70 100644
--- a/crypto/asn1/a_digest.c
+++ b/crypto/asn1/a_digest.c
@@ -75,8 +75,8 @@ int ossl_asn1_item_digest_ex(const ASN1_ITEM *it, const
EVP_MD *md, void *asn,
#endif
fetched_md = EVP_MD_fetch(libctx, EVP_MD_name(md), propq);
}
- if (fetched_md == NULL)
- goto err;
+ if (fetched_md == NULL)
+ goto err;
ret = EVP_Digest(str, i, data, len, fetched_md, NULL);
err:
diff --git a/crypto/cms/cms_smime.c b/crypto/cms/cms_smime.c
index 3ab4cd2e6f..d48bbcb6c7 100644
--- a/crypto/cms/cms_smime.c
+++ b/crypto/cms/cms_smime.c
@@ -169,6 +169,10 @@ CMS_ContentInfo *CMS_digest_create_ex(BIO *in, const
EVP_MD *md,
{
CMS_ContentInfo *cms;
+ /*
+ * Because the EVP_MD is cached and can be a legacy algorithm, we
+ * cannot fetch the algorithm if it isn't supplied.
+ */
if (md == NULL)
md = EVP_sha1();
cms = ossl_cms_DigestedData_create(md, ctx, propq);
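Review bot: The added comment explains why the digest cannot be fetched here, but not what the caller ends up with: when `md == NULL` the DigestedData is silently created with SHA-1 through `EVP_sha1()`. I would extend the comment by one line, e.g. `* A NULL md therefore falls back to SHA-1; pass an explicit digest to avoid it.` The body of CMS_digest_create_ex continues past this hunk.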
diff --git a/crypto/dsa/dsa_depr.c b/crypto/dsa/dsa_depr.c
index 1149c50c8b..57f6ce4faf 100644
--- a/crypto/dsa/dsa_depr.c
+++ b/crypto/dsa/dsa_depr.c
@@ -18,13 +18,6 @@
*/
#include "internal/deprecated.h"
-/*
- * Parameter generation follows the updated Appendix 2.2 for FIPS PUB 186,
- * also Appendix 2.2 of FIPS PUB 186-1 (i.e. use SHA as defined in FIPS PUB
- * 180-1)
- */
-#define xxxHASH EVP_sha1()
-
#include <openssl/opensslconf.h>
#include <stdio.h>
diff --git a/crypto/evp/p5_crpt2.c b/crypto/evp/p5_crpt2.c
index d2fe56a87f..b8edf4b5a8 100644
--- a/crypto/evp/p5_crpt2.c
+++ b/crypto/evp/p5_crpt2.c
@@ -92,8 +92,14 @@ int PKCS5_PBKDF2_HMAC_SHA1(const char *pass, int passlen,
const unsigned char *salt, int saltlen, int iter,
int keylen, unsigned char *out)
{
- return PKCS5_PBKDF2_HMAC(pass, passlen, salt, saltlen, iter, EVP_sha1(),
- keylen, out);
+ EVP_MD *digest;
+ int r = 0;
+
+ if ((digest = EVP_MD_fetch(NULL, SN_sha1, NULL)) != NULL)
+ r = ossl_pkcs5_pbkdf2_hmac_ex(pass, passlen, salt, saltlen, iter,
+ digest, keylen, out, NULL, NULL);
+ EVP_MD_free(digest);
+ return r;
}
/*
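Review bot: The explicit fetch `EVP_MD_fetch(NULL, SN_sha1, NULL)` binds PKCS5_PBKDF2_HMAC_SHA1 to the default library context with no property query, and nothing in the new body says this is deliberate. Since the signature has no libctx or propq parameter, a short comment such as `/* Legacy API: no libctx/propq available, so SHA-1 comes from the default context */` would document the choice. The same NULL/NULL fetch is added in `derive_pvk_key` (crypto/pem/pvkfmt.c) and `SRP_VBASE_get1_by_user` (crypto/srp/srp_vfy.c), while the ocsp and x509 hunks pass the object's own `libctx` and `propq`, so the comment applies there too. When the fetch fails the function returns 0 with `out` unwritten, so callers have to check the result before using the derived key.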
diff --git a/crypto/ocsp/ocsp_lib.c b/crypto/ocsp/ocsp_lib.c
index c7b7a0a620..776ffdde97 100644
--- a/crypto/ocsp/ocsp_lib.c
+++ b/crypto/ocsp/ocsp_lib.c
@@ -25,6 +25,7 @@ OCSP_CERTID *OCSP_cert_to_id(const EVP_MD *dgst, const X509
*subject,
const X509_NAME *iname;
const ASN1_INTEGER *serial;
ASN1_BIT_STRING *ikey;
+
if (!dgst)
dgst = EVP_sha1();
if (subject) {
diff --git a/crypto/ocsp/ocsp_vfy.c b/crypto/ocsp/ocsp_vfy.c
index fe878043ca..02af58437c 100644
--- a/crypto/ocsp/ocsp_vfy.c
+++ b/crypto/ocsp/ocsp_vfy.c
@@ -187,8 +187,9 @@ static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP
*bs,
static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id)
{
- int i;
+ int i, r;
unsigned char tmphash[SHA_DIGEST_LENGTH], *keyhash;
+ EVP_MD *md;
X509 *x;
/* Easy if lookup by name */
@@ -203,11 +204,16 @@ static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs,
OCSP_RESPID *id)
keyhash = id->value.byKey->data;
/* Calculate hash of each key and compare */
for (i = 0; i < sk_X509_num(certs); i++) {
- x = sk_X509_value(certs, i);
- if (!X509_pubkey_digest(x, EVP_sha1(), tmphash, NULL))
- break;
- if (memcmp(keyhash, tmphash, SHA_DIGEST_LENGTH) == 0)
- return x;
+ if ((x = sk_X509_value(certs, i)) != NULL) {
+ if ((md = EVP_MD_fetch(x->libctx, SN_sha1, x->propq)) == NULL)
+ break;
+ r = X509_pubkey_digest(x, md, tmphash, NULL);
+ EVP_MD_free(md);
+ if (!r)
+ break;
+ if (memcmp(keyhash, tmphash, SHA_DIGEST_LENGTH) == 0)
+ return x;
+ }
}
return NULL;
}
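Review bot: `EVP_MD_fetch(x->libctx, SN_sha1, x->propq)` and `EVP_MD_free(md)` now run inside the loop, so a fetch happens for every candidate certificate. If the certificates in `certs` are expected to share one library context the fetch could be hoisted above the loop; if they may differ, a comment such as `/* fetch per certificate: each X509 carries its own libctx/propq */` would explain the cost. A failed fetch also takes the same `break` and `return NULL` path as "no matching key", so the caller cannot tell a provider problem from an unknown responder; that fails closed, but a comment or a raised error would help diagnosis. The part of ocsp_find_signer_sk between the two ocsp_vfy.c hunks is not shown.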
diff --git a/crypto/pem/pvkfmt.c b/crypto/pem/pvkfmt.c
index 432fd34618..51d3ec476b 100644
--- a/crypto/pem/pvkfmt.c
+++ b/crypto/pem/pvkfmt.c
@@ -795,16 +795,19 @@ static int derive_pvk_key(unsigned char *key,
const unsigned char *pass, int passlen)
{
EVP_MD_CTX *mctx = EVP_MD_CTX_new();
+ EVP_MD *md = EVP_MD_fetch(NULL, SN_sha1, NULL);
int rv = 1;
- if (mctx == NULL
- || !EVP_DigestInit_ex(mctx, EVP_sha1(), NULL)
+ if (md == NULL
+ || mctx == NULL
+ || !EVP_DigestInit_ex(mctx, md, NULL)
|| !EVP_DigestUpdate(mctx, salt, saltlen)
|| !EVP_DigestUpdate(mctx, pass, passlen)
|| !EVP_DigestFinal_ex(mctx, key, NULL))
rv = 0;
EVP_MD_CTX_free(mctx);
+ EVP_MD_free(md);
return rv;
}
#endif
diff --git a/crypto/srp/srp_vfy.c b/crypto/srp/srp_vfy.c
index 2c2ec11cd4..85e2c96e1a 100644
--- a/crypto/srp/srp_vfy.c
+++ b/crypto/srp/srp_vfy.c
@@ -551,6 +551,7 @@ SRP_user_pwd *SRP_VBASE_get1_by_user(SRP_VBASE *vb, char
*username)
unsigned char digv[SHA_DIGEST_LENGTH];
unsigned char digs[SHA_DIGEST_LENGTH];
EVP_MD_CTX *ctxt = NULL;
+ EVP_MD *md = NULL;
if (vb == NULL)
return NULL;
@@ -574,21 +575,27 @@ SRP_user_pwd *SRP_VBASE_get1_by_user(SRP_VBASE *vb, char
*username)
if (RAND_priv_bytes(digv, SHA_DIGEST_LENGTH) <= 0)
goto err;
+ md = EVP_MD_fetch(NULL, SN_sha1, NULL);
+ if (md == NULL)
+ goto err;
ctxt = EVP_MD_CTX_new();
if (ctxt == NULL
- || !EVP_DigestInit_ex(ctxt, EVP_sha1(), NULL)
+ || !EVP_DigestInit_ex(ctxt, md, NULL)
|| !EVP_DigestUpdate(ctxt, vb->seed_key, strlen(vb->seed_key))
|| !EVP_DigestUpdate(ctxt, username, strlen(username))
|| !EVP_DigestFinal_ex(ctxt, digs, NULL))
goto err;
EVP_MD_CTX_free(ctxt);
ctxt = NULL;
+ EVP_MD_free(md);
+ md = NULL;
if (SRP_user_pwd_set0_sv(user,
- BN_bin2bn(digs, SHA_DIGEST_LENGTH, NULL),
- BN_bin2bn(digv, SHA_DIGEST_LENGTH, NULL)))
+ BN_bin2bn(digs, SHA_DIGEST_LENGTH, NULL),
+ BN_bin2bn(digv, SHA_DIGEST_LENGTH, NULL)))
return user;
err:
+ EVP_MD_free(md);
EVP_MD_CTX_free(ctxt);
SRP_user_pwd_free(user);
return NULL;
diff --git a/crypto/x509/t_x509.c b/crypto/x509/t_x509.c
index 0c6d5f72fe..78d4452156 100644
--- a/crypto/x509/t_x509.c
+++ b/crypto/x509/t_x509.c
@@ -228,7 +228,10 @@ int X509_ocspid_print(BIO *bp, X509 *x)
unsigned char SHA1md[SHA_DIGEST_LENGTH];
ASN1_BIT_STRING *keybstr;
const X509_NAME *subj;
+ EVP_MD *md = NULL;
+ if (x == NULL || bp == NULL)
+ return 0;
/*
* display the hash of the subject as it would appear in OCSP requests
*/
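Review bot: The new guard `if (x == NULL || bp == NULL) return 0;` fails without putting anything on the error queue, so the caller sees only a 0 return, the same as for a digest or BIO failure later in the function. Raising an error first, e.g. `ERR_raise(ERR_LIB_X509, ERR_R_PASSED_NULL_PARAMETER);`, would match how `ossl_x509_pubkey_hash` in crypto/x509/v3_skid.c reports its NULL argument. The rest of X509_ocspid_print continues in the following hunks.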
@@ -242,7 +245,10 @@ int X509_ocspid_print(BIO *bp, X509 *x)
goto err;
i2d_X509_NAME(subj, &dertmp);
- if (!EVP_Digest(der, derlen, SHA1md, NULL, EVP_sha1(), NULL))
+ md = EVP_MD_fetch(x->libctx, SN_sha1, x->propq);
+ if (md == NULL)
+ goto err;
+ if (!EVP_Digest(der, derlen, SHA1md, NULL, md, NULL))
goto err;
for (i = 0; i < SHA_DIGEST_LENGTH; i++) {
if (BIO_printf(bp, "%02X", SHA1md[i]) <= 0)
@@ -263,18 +269,19 @@ int X509_ocspid_print(BIO *bp, X509 *x)
goto err;
if (!EVP_Digest(ASN1_STRING_get0_data(keybstr),
- ASN1_STRING_length(keybstr), SHA1md, NULL, EVP_sha1(),
- NULL))
+ ASN1_STRING_length(keybstr), SHA1md, NULL, md, NULL))
goto err;
for (i = 0; i < SHA_DIGEST_LENGTH; i++) {
if (BIO_printf(bp, "%02X", SHA1md[i]) <= 0)
goto err;
}
BIO_printf(bp, "\n");
+ EVP_MD_free(md);
return 1;
err:
OPENSSL_free(der);
+ EVP_MD_free(md);
return 0;
}
diff --git a/crypto/x509/v3_skid.c b/crypto/x509/v3_skid.c
index 8a8718d77a..bab88898e6 100644
--- a/crypto/x509/v3_skid.c
+++ b/crypto/x509/v3_skid.c
@@ -59,20 +59,31 @@ ASN1_OCTET_STRING *ossl_x509_pubkey_hash(X509_PUBKEY
*pubkey)
int pklen;
unsigned char pkey_dig[EVP_MAX_MD_SIZE];
unsigned int diglen;
+ const char *propq;
+ OSSL_LIB_CTX *libctx;
+ EVP_MD *md;
if (pubkey == NULL) {
ERR_raise(ERR_LIB_X509V3, X509V3_R_NO_PUBLIC_KEY);
return NULL;
}
- if ((oct = ASN1_OCTET_STRING_new()) == NULL)
+ if (!ossl_x509_PUBKEY_get0_libctx(&libctx, &propq, pubkey))
return NULL;
+ if ((md = EVP_MD_fetch(libctx, SN_sha1, propq)) == NULL)
+ return NULL;
+ if ((oct = ASN1_OCTET_STRING_new()) == NULL) {
+ EVP_MD_free(md);
+ return NULL;
+ }
X509_PUBKEY_get0_param(NULL, &pk, &pklen, NULL, pubkey);
- /* TODO(3.0) - explicitly fetch the digest */
- if (EVP_Digest(pk, pklen, pkey_dig, &diglen, EVP_sha1(), NULL)
- && ASN1_OCTET_STRING_set(oct, pkey_dig, diglen))
+ if (EVP_Digest(pk, pklen, pkey_dig, &diglen, md, NULL)
+ && ASN1_OCTET_STRING_set(oct, pkey_dig, diglen)) {
+ EVP_MD_free(md);
return oct;
+ }
+ EVP_MD_free(md);
ASN1_OCTET_STRING_free(oct);
return NULL;
}
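Review bot: With the `TODO(3.0)` line removed, nothing in `ossl_x509_pubkey_hash` explains why SHA-1 is still hard-coded through `SN_sha1`. From the visible code this looks like deriving an identifier from the public key bytes rather than a signature digest, so a comment such as `/* SHA-1 is used here only to derive a key identifier */` would keep later readers from flagging or "upgrading" it; confirm against the callers. Separately, `EVP_MD_free(md)` now appears on three exit paths. Freeing `md` right after `EVP_Digest()` returns and testing a saved result would leave a single free and make a future leak less likely.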