[openssl] master update
The branch master has been updated via a2c911c2d069b5c6f9e2a8f20764de83a82b1c99 (commit) from 9293046fb447b1fd0ef1753017d9db4c3c333860 (commit) - Log - commit a2c911c2d069b5c6f9e2a8f20764de83a82b1c99 Author: Dmitry Belyavskiy Date: Fri Mar 5 18:50:37 2021 +0100 Restore GOST macros compatibility with 1.1.1 Fixes #14440 Before IANA assigned the official codes for the GOST signature algorithms in TLS, the values from the Reserved for Private Use range were in use in Russia. The old values were renamed. Reviewed-by: Richard Levitte Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/14448) --- Summary of changes: include/openssl/tls1.h | 5 + 1 file changed, 5 insertions(+) diff --git a/include/openssl/tls1.h b/include/openssl/tls1.h index f8e3e9ca0d..10332997de 100644 --- a/include/openssl/tls1.h +++ b/include/openssl/tls1.h @@ -1121,6 +1121,11 @@ int SSL_CTX_set_tlsext_ticket_key_evp_cb # define TLS_CT_GOST12_LEGACY_SIGN 238 # define TLS_CT_GOST12_LEGACY_512_SIGN 239 +# ifndef OPENSSL_NO_DEPRECATED_3_0 +# define TLS_CT_GOST12_SIGN TLS_CT_GOST12_LEGACY_SIGN +# define TLS_CT_GOST12_512_SIGN TLS_CT_GOST12_LEGACY_512_SIGN +# endif + /* * when correcting this number, correct also SSL3_CT_NUMBER in ssl3.h (see * comment there)
[openssl] master update
The branch master has been updated via 9293046fb447b1fd0ef1753017d9db4c3c333860 (commit) from 2de5d3b87a7980efdb1c1e8350760b60d3d53e1e (commit) - Log - commit 9293046fb447b1fd0ef1753017d9db4c3c333860 Author: Dr. David von Oheimb Date: Wed Jan 6 15:01:46 2021 +0100 apps/x509.c: Rename -signkey to -key for consistency with the req app Also because this better reflects that usually also the public portion is used. Retaining the old -signkey as an alias for backward compatibility. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14007) --- Summary of changes: apps/x509.c | 51 +++- doc/man1/openssl-x509.pod.in | 28 +++- 2 files changed, 45 insertions(+), 34 deletions(-) diff --git a/apps/x509.c b/apps/x509.c index 1108ff7ad4..163c1c8a67 100644 --- a/apps/x509.c +++ b/apps/x509.c @@ -42,7 +42,7 @@ typedef enum OPTION_choice { OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, OPT_INFORM, OPT_OUTFORM, OPT_KEYFORM, OPT_REQ, OPT_CAFORM, OPT_CAKEYFORM, OPT_VFYOPT, OPT_SIGOPT, OPT_DAYS, OPT_PASSIN, OPT_EXTFILE, -OPT_EXTENSIONS, OPT_IN, OPT_OUT, OPT_SIGNKEY, OPT_CA, OPT_CAKEY, +OPT_EXTENSIONS, OPT_IN, OPT_OUT, OPT_KEY, OPT_SIGNKEY, OPT_CA, OPT_CAKEY, OPT_CASERIAL, OPT_SET_SERIAL, OPT_NEW, OPT_FORCE_PUBKEY, OPT_SUBJ, OPT_ADDTRUST, OPT_ADDREJECT, OPT_SETALIAS, OPT_CERTOPT, OPT_NAMEOPT, OPT_EMAIL, OPT_OCSP_URI, OPT_SERIAL, OPT_NEXT_SERIAL, @@ -72,8 +72,10 @@ const OPTIONS x509_options[] = { {"inform", OPT_INFORM, 'f', "CSR input file format (DER or PEM) - default PEM"}, {"vfyopt", OPT_VFYOPT, 's', "CSR verification parameter in n:v form"}, +{"key", OPT_KEY, 's', + "Key to be used in certificate or cert request"}, {"signkey", OPT_SIGNKEY, 's', - "Key used to self-sign certificate or cert request"}, + "Same as -key"}, {"keyform", OPT_KEYFORM, 'E', "Key input format (ENGINE, other values ignored)"}, {"out", OPT_OUT, '>', "Output file - default stdout"}, @@ -149,7 +151,7 @@ const OPTIONS x509_options[] = { OPT_SECTION("Micro-CA"), {"CA", OPT_CA, '<', - "Use the given CA certificate, conflicts with -signkey"}, + "Use the given CA certificate, conflicts with -key"}, {"CAform", OPT_CAFORM, 'F', "CA cert format (PEM/DER/P12); has no effect"}, {"CAkey", OPT_CAKEY, 's', "The corresponding CA key; default is -CA arg"}, {"CAkeyform", OPT_CAKEYFORM, 'E', @@ -244,7 +246,7 @@ int x509_main(int argc, char **argv) CONF *extconf = NULL; int ext_copy = EXT_COPY_UNSET; X509V3_CTX ext_ctx; -EVP_PKEY *signkey = NULL, *CAkey = NULL, *pubkey = NULL; +EVP_PKEY *privkey = NULL, *CAkey = NULL, *pubkey = NULL; EVP_PKEY *pkey; int newcert = 0; char *subj = NULL, *digestname = NULL; @@ -261,7 +263,7 @@ int x509_main(int argc, char **argv) char *checkhost = NULL, *checkemail = NULL, *checkip = NULL; char *ext_names = NULL; char *extsect = NULL, *extfile = NULL, *passin = NULL, *passinarg = NULL; -char *infile = NULL, *outfile = NULL, *signkeyfile = NULL, *CAfile = NULL; +char *infile = NULL, *outfile = NULL, *privkeyfile = NULL, *CAfile = NULL; char *prog; int days = UNSET_DAYS; /* not explicitly set */ int x509toreq = 0, modulus = 0, print_pubkey = 0, pprint = 0; @@ -374,8 +376,9 @@ int x509_main(int argc, char **argv) case OPT_EXTENSIONS: extsect = opt_arg(); break; +case OPT_KEY: case OPT_SIGNKEY: -signkeyfile = opt_arg(); +privkeyfile = opt_arg(); break; case OPT_CA: CAfile = opt_arg(); @@ -605,9 +608,9 @@ int x509_main(int argc, char **argv) "The -req option cannot be used with -new\n"); goto end; } -if (signkeyfile != NULL) { -signkey = load_key(signkeyfile, keyformat, 0, passin, e, "private key"); -if (signkey == NULL) +if (privkeyfile != NULL) { +privkey = load_key(privkeyfile, keyformat, 0, passin, e, "private key"); +if (privkey == NULL) goto end; } if (pubkeyfile != NULL) { @@ -622,9 +625,9 @@ int x509_main(int argc, char **argv) "The -new option requires a subject to be set using -subj\n"); goto end; } -if (signkeyfile == NULL && pubkeyfile == NULL) { +if (privkeyfile == NULL && pubkeyfile == NULL) { BIO_printf(bio_err, - "The -new option without -signkey requires using -force_pubkey\n"); + "The -new option without -key requires using -force_pubkey\n"); goto end; } } @@ -635,8 +638,8 @@ int x509_main(int argc,
Build completed: openssl master.40467
Build openssl master.40467 completed Commit 0ffb165517 by Jon Spillett on 3/5/2021 6:28 AM: Updates after review. Added extra PKCS12 test for PKCS5 PBE Configure your notification preferences
[openssl] master update
The branch master has been updated via 2de5d3b87a7980efdb1c1e8350760b60d3d53e1e (commit) via 676d879cb2650dfb509d8eda256d5b8203acec0f (commit) via 73e6e3e03eaabd7b28b6a727383006c6ee1caaf7 (commit) from 0dca5ede0d7a98bc9061f4a50846732e50ffda0f (commit) - Log - commit 2de5d3b87a7980efdb1c1e8350760b60d3d53e1e Author: Dr. David von Oheimb Date: Mon Mar 1 12:43:05 2021 +0100 HTTP: Fix BIO_mem_d2i() on NULL mem input This fixes also failure behavior of OSSL_HTTP_REQ_CTX_sendreq_d2i(), OCSP_sendreq_nbio(), etc. Fixes #14322 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14356) commit 676d879cb2650dfb509d8eda256d5b8203acec0f Author: Dr. David von Oheimb Date: Mon Mar 1 11:47:18 2021 +0100 http_local.h: Remove unused declaration of HTTP_sendreq_bio() Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14356) commit 73e6e3e03eaabd7b28b6a727383006c6ee1caaf7 Author: Dr. David von Oheimb Date: Mon Mar 1 14:06:32 2021 +0100 Simplify OCSP_sendreq_bio() Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14356) --- Summary of changes: crypto/http/http_client.c | 19 ++- crypto/http/http_local.h | 8 crypto/ocsp/ocsp_http.c | 5 ++--- 3 files changed, 12 insertions(+), 20 deletions(-) diff --git a/crypto/http/http_client.c b/crypto/http/http_client.c index 259bad366b..2f59cb421a 100644 --- a/crypto/http/http_client.c +++ b/crypto/http/http_client.c @@ -736,9 +736,12 @@ static ASN1_VALUE *BIO_mem_d2i(BIO *mem, const ASN1_ITEM *it) { const unsigned char *p; long len = BIO_get_mem_data(mem, ); -ASN1_VALUE *resp = ASN1_item_d2i(NULL, , len, it); +ASN1_VALUE *resp; -if (resp == NULL) +if (mem == NULL) +return NULL; + +if ((resp = ASN1_item_d2i(NULL, , len, it)) == NULL) ERR_raise(ERR_LIB_HTTP, HTTP_R_RESPONSE_PARSE_ERROR); return resp; } @@ -1056,11 +1059,10 @@ ASN1_VALUE *OSSL_HTTP_get_asn1(const char *url, ERR_raise(ERR_LIB_HTTP, ERR_R_PASSED_NULL_PARAMETER); return NULL; } -if ((mem = OSSL_HTTP_get(url, proxy, no_proxy, bio, rbio, bio_update_fn, - arg, headers, maxline, max_resp_len, timeout, - expected_ct, 1 /* expect_asn1 */)) -!= NULL) -resp = BIO_mem_d2i(mem, rsp_it); +mem = OSSL_HTTP_get(url, proxy, no_proxy, bio, rbio, bio_update_fn, +arg, headers, maxline, max_resp_len, timeout, +expected_ct, 1 /* expect_asn1 */); +resp = BIO_mem_d2i(mem /* may be NULL */, rsp_it); BIO_free(mem); return resp; } @@ -1096,8 +1098,7 @@ ASN1_VALUE *OSSL_HTTP_post_asn1(const char *server, const char *port, max_resp_len, timeout, expected_ct, 1 /* expect_asn1 */, NULL); BIO_free(req_mem); -if (res_mem != NULL) -resp = BIO_mem_d2i(res_mem, rsp_it); +resp = BIO_mem_d2i(res_mem /* may be NULL */, rsp_it); BIO_free(res_mem); return resp; } diff --git a/crypto/http/http_local.h b/crypto/http/http_local.h index e6b0735102..3f52e0772f 100644 --- a/crypto/http/http_local.h +++ b/crypto/http/http_local.h @@ -23,14 +23,6 @@ OSSL_HTTP_REQ_CTX *HTTP_REQ_CTX_new(BIO *wbio, BIO *rbio, int use_http_proxy, int timeout, const char *expected_content_type, int expect_asn1); -ASN1_VALUE *HTTP_sendreq_bio(BIO *bio, OSSL_HTTP_bio_cb_t bio_update_fn, - void *arg, const char *server, const char *port, - const char *path, int use_ssl, int use_proxy, - const STACK_OF(CONF_VALUE) *headers, - const char *content_type, - ASN1_VALUE *req, const ASN1_ITEM *req_it, - int maxline, unsigned long max_resp_len, - int timeout, const ASN1_ITEM *rsp_it); int http_use_proxy(const char *no_proxy, const char *server); const char *http_adapt_proxy(const char *proxy, const char *no_proxy, const char *server, int use_ssl); diff --git a/crypto/ocsp/ocsp_http.c b/crypto/ocsp/ocsp_http.c index 4867929424..907720aac1 100644 --- a/crypto/ocsp/ocsp_http.c +++ b/crypto/ocsp/ocsp_http.c @@ -50,17 +50,16 @@ OCSP_RESPONSE *OCSP_sendreq_bio(BIO *b, const char *path, OCSP_REQUEST *req) { OCSP_RESPONSE *resp = NULL; OSSL_HTTP_REQ_CTX *ctx; -int rv; ctx = OCSP_sendreq_new(b, path, req, -1 /* default max resp line length */); if (ctx == NULL) return NULL;
Build failed: openssl master.40466
Build openssl master.40466 failed Commit 7c23e1ee56 by Pauli on 3/5/2021 2:18 AM: fixup! prov: changes to support a distinction between BIO and OSSL_CORE_BIO Configure your notification preferences
[openssl] master update
The branch master has been updated via 0dca5ede0d7a98bc9061f4a50846732e50ffda0f (commit) from 9b9d24f0331f7175137bc60023e7a165ee886551 (commit) - Log - commit 0dca5ede0d7a98bc9061f4a50846732e50ffda0f Author: Dr. David von Oheimb Date: Mon Feb 8 19:13:26 2021 +0100 Make more use of X509_add_certs(); minor related code & comments cleanup This is a follow-up on #12615. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14436) --- Summary of changes: crypto/ocsp/ocsp_cl.c | 38 -- crypto/ocsp/ocsp_srv.c | 13 ++--- crypto/x509/x509_cmp.c | 7 +++ 3 files changed, 13 insertions(+), 45 deletions(-) diff --git a/crypto/ocsp/ocsp_cl.c b/crypto/ocsp/ocsp_cl.c index 421b6ac341..2d544b444e 100644 --- a/crypto/ocsp/ocsp_cl.c +++ b/crypto/ocsp/ocsp_cl.c @@ -27,7 +27,6 @@ * Add an OCSP_CERTID to an OCSP request. Return new OCSP_ONEREQ pointer: * useful if we want to add extensions. */ - OCSP_ONEREQ *OCSP_request_add0_id(OCSP_REQUEST *req, OCSP_CERTID *cid) { OCSP_ONEREQ *one = NULL; @@ -45,7 +44,6 @@ OCSP_ONEREQ *OCSP_request_add0_id(OCSP_REQUEST *req, OCSP_CERTID *cid) } /* Set requestorName from an X509_NAME structure */ - int OCSP_request_set1_name(OCSP_REQUEST *req, const X509_NAME *nm) { GENERAL_NAME *gen = GENERAL_NAME_new(); @@ -63,19 +61,15 @@ int OCSP_request_set1_name(OCSP_REQUEST *req, const X509_NAME *nm) } /* Add a certificate to an OCSP request */ - int OCSP_request_add1_cert(OCSP_REQUEST *req, X509 *cert) { -OCSP_SIGNATURE *sig; - -if (req->optionalSignature == NULL) -req->optionalSignature = OCSP_SIGNATURE_new(); -sig = req->optionalSignature; -if (sig == NULL) +if (req->optionalSignature == NULL +&& (req->optionalSignature = OCSP_SIGNATURE_new()) == NULL) return 0; if (cert == NULL) return 1; -return ossl_x509_add_cert_new(>certs, cert, X509_ADD_FLAG_UP_REF); +return ossl_x509_add_cert_new(>optionalSignature->certs, cert, + X509_ADD_FLAG_UP_REF); } /* @@ -83,16 +77,12 @@ int OCSP_request_add1_cert(OCSP_REQUEST *req, X509 *cert) * optional signers certificate and include one or more optional certificates * in the request. Behaves like PKCS7_sign(). */ - int OCSP_request_sign(OCSP_REQUEST *req, X509 *signer, EVP_PKEY *key, const EVP_MD *dgst, STACK_OF(X509) *certs, unsigned long flags) { -int i; -X509 *x; - if (!OCSP_request_set1_name(req, X509_get_subject_name(signer))) goto err; @@ -109,13 +99,10 @@ int OCSP_request_sign(OCSP_REQUEST *req, } if ((flags & OCSP_NOCERTS) == 0) { -if (!OCSP_request_add1_cert(req, signer)) +if (!OCSP_request_add1_cert(req, signer) +|| !X509_add_certs(req->optionalSignature->certs, certs, + X509_ADD_FLAG_UP_REF)) goto err; -for (i = 0; i < sk_X509_num(certs); i++) { -x = sk_X509_value(certs, i); -if (!OCSP_request_add1_cert(req, x)) -goto err; -} } return 1; @@ -126,7 +113,6 @@ int OCSP_request_sign(OCSP_REQUEST *req, } /* Get response status */ - int OCSP_response_status(OCSP_RESPONSE *resp) { return ASN1_ENUMERATED_get(resp->responseStatus); @@ -136,7 +122,6 @@ int OCSP_response_status(OCSP_RESPONSE *resp) * Extract basic response from OCSP_RESPONSE or NULL if no basic response * present. */ - OCSP_BASICRESP *OCSP_response_get1_basic(OCSP_RESPONSE *resp) { OCSP_RESPBYTES *rb = resp->responseBytes; @@ -168,9 +153,7 @@ const OCSP_RESPDATA *OCSP_resp_get0_respdata(const OCSP_BASICRESP *bs) return >tbsResponseData; } -/* - * Return number of OCSP_SINGLERESP responses present in a basic response. - */ +/* Return number of OCSP_SINGLERESP responses present in a basic response */ int OCSP_resp_count(OCSP_BASICRESP *bs) { @@ -180,7 +163,6 @@ int OCSP_resp_count(OCSP_BASICRESP *bs) } /* Extract an OCSP_SINGLERESP response with a given index */ - OCSP_SINGLERESP *OCSP_resp_get0(OCSP_BASICRESP *bs, int idx) { if (bs == NULL) @@ -237,7 +219,6 @@ int OCSP_resp_get1_id(const OCSP_BASICRESP *bs, } /* Look single response matching a given certificate ID */ - int OCSP_resp_find(OCSP_BASICRESP *bs, OCSP_CERTID *id, int last) { int i; @@ -264,7 +245,6 @@ int OCSP_resp_find(OCSP_BASICRESP *bs, OCSP_CERTID *id, int last) * revtime and reason values are only set if the certificate status is * revoked. Returns numerical value of status. */ - int OCSP_single_get0_status(OCSP_SINGLERESP *single, int *reason, ASN1_GENERALIZEDTIME **revtime,
[openssl] master update
The branch master has been updated via 9b9d24f0331f7175137bc60023e7a165ee886551 (commit) via f477cdfadd9604eef162a98f5f69c7ca61da5a26 (commit) from 29ce1066bc54838ecb835244b03d763b55d7fadb (commit) - Log - commit 9b9d24f0331f7175137bc60023e7a165ee886551 Author: Dr. David von Oheimb Date: Mon Mar 1 08:56:46 2021 +0100 OCSP_resp_find_status.pod: Complete the RETURN VALUES section Supersedes #11877. Also make order in NAME section consistent. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14347) commit f477cdfadd9604eef162a98f5f69c7ca61da5a26 Author: Dr. David von Oheimb Date: Mon Mar 1 08:54:52 2021 +0100 crypto/ocsp/ocsp_cl.c: coding style improvements Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14347) --- Summary of changes: crypto/ocsp/ocsp_cl.c | 46 ++- doc/man3/OCSP_resp_find_status.pod | 65 +++--- 2 files changed, 63 insertions(+), 48 deletions(-) diff --git a/crypto/ocsp/ocsp_cl.c b/crypto/ocsp/ocsp_cl.c index 40d26fb871..421b6ac341 100644 --- a/crypto/ocsp/ocsp_cl.c +++ b/crypto/ocsp/ocsp_cl.c @@ -38,21 +38,18 @@ OCSP_ONEREQ *OCSP_request_add0_id(OCSP_REQUEST *req, OCSP_CERTID *cid) one->reqCert = cid; if (req && !sk_OCSP_ONEREQ_push(req->tbsRequest.requestList, one)) { one->reqCert = NULL; /* do not free on error */ -goto err; +OCSP_ONEREQ_free(one); +return NULL; } return one; - err: -OCSP_ONEREQ_free(one); -return NULL; } /* Set requestorName from an X509_NAME structure */ int OCSP_request_set1_name(OCSP_REQUEST *req, const X509_NAME *nm) { -GENERAL_NAME *gen; +GENERAL_NAME *gen = GENERAL_NAME_new(); -gen = GENERAL_NAME_new(); if (gen == NULL) return 0; if (!X509_NAME_set(>d.directoryName, nm)) { @@ -70,6 +67,7 @@ int OCSP_request_set1_name(OCSP_REQUEST *req, const X509_NAME *nm) int OCSP_request_add1_cert(OCSP_REQUEST *req, X509 *cert) { OCSP_SIGNATURE *sig; + if (req->optionalSignature == NULL) req->optionalSignature = OCSP_SIGNATURE_new(); sig = req->optionalSignature; @@ -100,7 +98,7 @@ int OCSP_request_sign(OCSP_REQUEST *req, if ((req->optionalSignature = OCSP_SIGNATURE_new()) == NULL) goto err; -if (key) { +if (key != NULL) { if (!X509_check_private_key(signer, key)) { ERR_raise(ERR_LIB_OCSP, OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE); @@ -110,7 +108,7 @@ int OCSP_request_sign(OCSP_REQUEST *req, goto err; } -if (!(flags & OCSP_NOCERTS)) { +if ((flags & OCSP_NOCERTS) == 0) { if (!OCSP_request_add1_cert(req, signer)) goto err; for (i = 0; i < sk_X509_num(certs); i++) { @@ -141,9 +139,9 @@ int OCSP_response_status(OCSP_RESPONSE *resp) OCSP_BASICRESP *OCSP_response_get1_basic(OCSP_RESPONSE *resp) { -OCSP_RESPBYTES *rb; -rb = resp->responseBytes; -if (!rb) { +OCSP_RESPBYTES *rb = resp->responseBytes; + +if (rb == NULL) { ERR_raise(ERR_LIB_OCSP, OCSP_R_NO_RESPONSE_DATA); return NULL; } @@ -176,7 +174,7 @@ const OCSP_RESPDATA *OCSP_resp_get0_respdata(const OCSP_BASICRESP *bs) int OCSP_resp_count(OCSP_BASICRESP *bs) { -if (!bs) +if (bs == NULL) return -1; return sk_OCSP_SINGLERESP_num(bs->tbsResponseData.responses); } @@ -185,12 +183,12 @@ int OCSP_resp_count(OCSP_BASICRESP *bs) OCSP_SINGLERESP *OCSP_resp_get0(OCSP_BASICRESP *bs, int idx) { -if (!bs) +if (bs == NULL) return NULL; return sk_OCSP_SINGLERESP_value(bs->tbsResponseData.responses, idx); } -const ASN1_GENERALIZEDTIME *OCSP_resp_get0_produced_at(const OCSP_BASICRESP* bs) +const ASN1_GENERALIZEDTIME *OCSP_resp_get0_produced_at(const OCSP_BASICRESP *bs) { return bs->tbsResponseData.producedAt; } @@ -245,7 +243,8 @@ int OCSP_resp_find(OCSP_BASICRESP *bs, OCSP_CERTID *id, int last) int i; STACK_OF(OCSP_SINGLERESP) *sresp; OCSP_SINGLERESP *single; -if (!bs) + +if (bs == NULL) return -1; if (last < 0) last = 0; @@ -273,12 +272,14 @@ int OCSP_single_get0_status(OCSP_SINGLERESP *single, int *reason, { int ret; OCSP_CERTSTATUS *cst; -if (!single) + +if (single == NULL) return -1; cst = single->certStatus; ret = cst->type; if (ret == V_OCSP_CERTSTATUS_REVOKED) { OCSP_REVOKEDINFO *rev = cst->value.revoked; + if (revtime) *revtime = rev->revocationTime; if (reason) { @@ -288,9 +289,9 @@ int OCSP_single_get0_status(OCSP_SINGLERESP *single, int *reason, *reason = -1; } } -if
[openssl] master update
The branch master has been updated via 29ce1066bc54838ecb835244b03d763b55d7fadb (commit) from a7a041c2301fcb7fc2080ddd22a6076060bbaa69 (commit) - Log - commit 29ce1066bc54838ecb835244b03d763b55d7fadb Author: Paul Nelson Date: Wed Feb 10 16:49:19 2021 -0600 Update the demos/README file because it is really old. New demos should provide best practice for API use. Add demonstration for computing a SHA3-512 digest - digest/EVP_MD_demo Reviewed-by: Paul Dale Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/14150) --- Summary of changes: demos/README.txt| 26 +-- demos/digest/BIO_f_md.c | 122 + demos/digest/EVP_MD_demo.c | 183 demos/digest/EVP_MD_stdin.c | 134 demos/digest/Makefile | 22 ++ 5 files changed, 481 insertions(+), 6 deletions(-) create mode 100755 demos/digest/BIO_f_md.c create mode 100644 demos/digest/EVP_MD_demo.c create mode 100755 demos/digest/EVP_MD_stdin.c create mode 100644 demos/digest/Makefile diff --git a/demos/README.txt b/demos/README.txt index d2155ef973..cfb2b3c82d 100644 --- a/demos/README.txt +++ b/demos/README.txt @@ -1,9 +1,23 @@ -NOTE: Don't expect any of these programs to work with current -OpenSSL releases, or even with later SSLeay releases. +OpenSSL Demonstration Applications -Original README: -= +This folder contains source code that demonstrates the proper use of the OpenSSL +library API. -Some demo programs sent to me by various people +bio: Demonstration of a simple TLS client and server. -eric +certs:Demonstration of creating certs, using OCSP + +ciphers: + +cms: + +digest: +EVP_MD_demo.c Compute a digest from multiple buffers +EVP_MD_stdin.c Compute a digest with data read from stdin +EVP_f_md.c Compute a digest using BIO and EVP_f_md + +smime: + +pkcs12: +pkread.c Print out a description of a PKCS12 file. +pkwrite.c Add a password to an existing PKCS12 file. diff --git a/demos/digest/BIO_f_md.c b/demos/digest/BIO_f_md.c new file mode 100755 index 00..ce1dfcc34a --- /dev/null +++ b/demos/digest/BIO_f_md.c @@ -0,0 +1,122 @@ +/*- + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/*- + * Example of using EVP_MD_fetch and EVP_Digest* methods to calculate + * a digest of static buffers + * You can find SHA3 test vectors from NIST here: + * https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Algorithm-Validation-Program/documents/sha3/sha-3bytetestvectors.zip + * For example, contains these lines: +Len = 80 +Msg = 1ca984dcc913344370cf +MD = 6915ea0eeffb99b9b246a0e34daf3947852684c3d618260119a22835659e4f23d4eb66a15d0affb8e93771578f5e8f25b7a5f2a55f511fb8b96325ba2cd14816 + * use xxd convert the hex message string to binary input for BIO_f_md: + * echo "1ca984dcc913344370cf" | xxd -r -p | ./BIO_f_md + * and then verify the output matches MD above. + */ + +#include +#include +#include +#include +#include + +/*- + * This demonstration will show how to digest data using + * a BIO configured with a message digest + * A message digest name may be passed as an argument. + * The default digest is SHA3-512 + */ + +int main(int argc, char * argv[]) +{ +int result = 1; +OSSL_LIB_CTX *library_context = NULL; +BIO *input = NULL; +BIO *bio_digest = NULL; +EVP_MD *md = NULL; +unsigned char buffer[512]; +size_t readct, writect; +size_t digest_size; +char *digest_value=NULL; +int j; + +input = BIO_new_fd( fileno(stdin), 1 ); +if (input == NULL) { +fprintf(stderr, "BIO_new_fd() for stdin returned NULL\n"); +goto cleanup; +} +library_context = OSSL_LIB_CTX_new(); +if (library_context == NULL) { +fprintf(stderr, "OSSL_LIB_CTX_new() returned NULL\n"); +goto cleanup; +} + +/* + * Fetch a message digest by name + * The algorithm name is case insensitive. + * See providers(7) for details about algorithm fetching + */ +md = EVP_MD_fetch( library_context, "SHA3-512", NULL ); +if (md == NULL) { +fprintf(stderr, "EVP_MD_fetch did not find SHA3-512.\n"); +goto cleanup; +} +digest_size = EVP_MD_size(md); +digest_value = OPENSSL_malloc(digest_size); +if (digest_value == NULL) { +fprintf(stderr, "Can't allocate %lu bytes