From e6c2f96489fc0c006845c8597f8ceed2f01f76ee Mon Sep 17 00:00:00 2001 From: Shane Lontis Date: Wed, 31 Mar 2021 15:10:22 +1000 Subject: [PATCH] Fix more certificate related lib_ctx settings. Fixes #13732 Fix a few places that were not using the '_ex' variants of ASN1_item_sign/verify. Added X509_CRL_new_ex(). Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14752) --- apps/ca.c | 2 +- apps/ocsp.c | 11 +++++----- apps/req.c | 2 +- crypto/asn1/a_sign.c | 1 + crypto/ocsp/ocsp_cl.c | 2 +- crypto/ocsp/ocsp_local.h | 46 +++++++++++++++++++++++---------------- crypto/ocsp/ocsp_srv.c | 7 +++--- crypto/ocsp/ocsp_vfy.c | 4 ++-- crypto/x509/x509_vfy.c | 2 +- crypto/x509/x_all.c | 19 +++++++++------- crypto/x509/x_crl.c | 17 +++++++++++++-- doc/man3/X509_dup.pod | 8 ++++--- doc/man3/X509_new.pod | 3 ++- include/openssl/x509.h.in | 1 + util/libcrypto.num | 1 + 15 files changed, 79 insertions(+), 47 deletions(-) diff --git a/apps/ca.c b/apps/ca.c index 9cec43cf8b..268bd76912 100755 --- a/apps/ca.c +++ b/apps/ca.c @@ -1178,7 +1178,7 @@ end_of_options: if (verbose) BIO_printf(bio_err, "making CRL\n"); - if ((crl = X509_CRL_new()) == NULL) + if ((crl = X509_CRL_new_ex(app_get0_libctx(), app_get0_propq())) == NULL) goto end; if (!X509_CRL_set_issuer_name(crl, X509_get_subject_name(x509))) goto end; diff --git a/apps/ocsp.c b/apps/ocsp.c index cd3a3bd695..7d64ee2d02 100644 --- a/apps/ocsp.c +++ b/apps/ocsp.c @@ -469,7 +469,8 @@ int ocsp_main(int argc, char **argv) case OPT_RSIGOPT: if (rsign_sigopts == NULL) rsign_sigopts = sk_OPENSSL_STRING_new_null(); - if (rsign_sigopts == NULL || !sk_OPENSSL_STRING_push(rsign_sigopts, opt_arg())) + if (rsign_sigopts == NULL + || !sk_OPENSSL_STRING_push(rsign_sigopts, opt_arg())) goto end; break; case OPT_HEADER: @@ -676,8 +677,8 @@ redo_accept: if (key == NULL) goto end; - if (!OCSP_request_sign - (req, signer, key, NULL, sign_other, sign_flags)) { + if (!OCSP_request_sign(req, signer, key, NULL, + sign_other, sign_flags)) { BIO_printf(bio_err, "Error signing OCSP request\n"); goto end; } @@ -696,8 +697,8 @@ redo_accept: if (rdb != NULL) { make_ocsp_response(bio_err, &resp, req, rdb, rca_cert, rsigner, rkey, - rsign_md, rsign_sigopts, rother, rflags, nmin, ndays, badsig, - resp_certid_md); + rsign_md, rsign_sigopts, rother, rflags, nmin, ndays, + badsig, resp_certid_md); if (cbio != NULL) send_ocsp_response(cbio, resp); } else if (host != NULL) { diff --git a/apps/req.c b/apps/req.c index 4056b18f51..04774db399 100644 --- a/apps/req.c +++ b/apps/req.c @@ -802,7 +802,7 @@ int req_main(int argc, char **argv) } if (req == NULL) { - req = X509_REQ_new(); + req = X509_REQ_new_ex(app_get0_libctx(), app_get0_propq()); if (req == NULL) { goto end; } diff --git a/crypto/asn1/a_sign.c b/crypto/asn1/a_sign.c index 911d61453a..fe55373b34 100644 --- a/crypto/asn1/a_sign.c +++ b/crypto/asn1/a_sign.c @@ -136,6 +136,7 @@ int ASN1_item_sign_ex(const ASN1_ITEM *it, X509_ALGOR *algor1, ERR_raise(ERR_LIB_ASN1, ERR_R_MALLOC_FAILURE); return 0; } + /* We can use the non _ex variant here since the pkey is already setup */ if (!EVP_DigestSignInit(ctx, NULL, md, NULL, pkey)) goto err; diff --git a/crypto/ocsp/ocsp_cl.c b/crypto/ocsp/ocsp_cl.c index cfa85af240..c1dda38414 100644 --- a/crypto/ocsp/ocsp_cl.c +++ b/crypto/ocsp/ocsp_cl.c @@ -94,7 +94,7 @@ int OCSP_request_sign(OCSP_REQUEST *req, OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE); goto err; } - if (!OCSP_REQUEST_sign(req, key, dgst)) + if (!OCSP_REQUEST_sign(req, key, dgst, signer->libctx, signer->propq)) goto err; } diff --git a/crypto/ocsp/ocsp_local.h b/crypto/ocsp/ocsp_local.h index 6542febc98..e1633403c6 100644 --- a/crypto/ocsp/ocsp_local.h +++ b/crypto/ocsp/ocsp_local.h @@ -217,22 +217,30 @@ struct ocsp_service_locator_st { STACK_OF(ACCESS_DESCRIPTION) *locator; }; -# define OCSP_REQUEST_sign(o,pkey,md) \ - ASN1_item_sign(ASN1_ITEM_rptr(OCSP_REQINFO),\ - &(o)->optionalSignature->signatureAlgorithm,NULL,\ - (o)->optionalSignature->signature,&(o)->tbsRequest,pkey,md) - -# define OCSP_BASICRESP_sign(o,pkey,md,d) \ - ASN1_item_sign(ASN1_ITEM_rptr(OCSP_RESPDATA),&(o)->signatureAlgorithm,\ - NULL,(o)->signature,&(o)->tbsResponseData,pkey,md) - -# define OCSP_BASICRESP_sign_ctx(o,ctx,d) \ - ASN1_item_sign_ctx(ASN1_ITEM_rptr(OCSP_RESPDATA),&(o)->signatureAlgorithm,\ - NULL,(o)->signature,&(o)->tbsResponseData,ctx) - -# define OCSP_REQUEST_verify(a,r) ASN1_item_verify(ASN1_ITEM_rptr(OCSP_REQINFO),\ - &(a)->optionalSignature->signatureAlgorithm,\ - (a)->optionalSignature->signature,&(a)->tbsRequest,r) - -# define OCSP_BASICRESP_verify(a,r) ASN1_item_verify(ASN1_ITEM_rptr(OCSP_RESPDATA),\ - &(a)->signatureAlgorithm,(a)->signature,&(a)->tbsResponseData,r) +# define OCSP_REQUEST_sign(o, pkey, md, libctx, propq)\ + ASN1_item_sign_ex(ASN1_ITEM_rptr(OCSP_REQINFO),\ + &(o)->optionalSignature->signatureAlgorithm, NULL,\ + (o)->optionalSignature->signature, &(o)->tbsRequest,\ + NULL, pkey, md, libctx, propq) + +# define OCSP_BASICRESP_sign(o, pkey, md, d, libctx, propq)\ + ASN1_item_sign_ex(ASN1_ITEM_rptr(OCSP_RESPDATA),\ + &(o)->signatureAlgorithm, NULL,\ + (o)->signature, &(o)->tbsResponseData,\ + NULL, pkey, md, libctx, propq) + +# define OCSP_BASICRESP_sign_ctx(o, ctx, d)\ + ASN1_item_sign_ctx(ASN1_ITEM_rptr(OCSP_RESPDATA),\ + &(o)->signatureAlgorithm, NULL,\ + (o)->signature, &(o)->tbsResponseData, ctx) + +# define OCSP_REQUEST_verify(a, r, libctx, propq)\ + ASN1_item_verify_ex(ASN1_ITEM_rptr(OCSP_REQINFO),\ + &(a)->optionalSignature->signatureAlgorithm,\ + (a)->optionalSignature->signature, &(a)->tbsRequest,\ + NULL, r, libctx, propq) + +# define OCSP_BASICRESP_verify(a, r, libctx, propq)\ + ASN1_item_verify_ex(ASN1_ITEM_rptr(OCSP_RESPDATA),\ + &(a)->signatureAlgorithm, (a)->signature,\ + &(a)->tbsResponseData, NULL, r, libctx, propq) diff --git a/crypto/ocsp/ocsp_srv.c b/crypto/ocsp/ocsp_srv.c index af1277942e..4187446e1c 100644 --- a/crypto/ocsp/ocsp_srv.c +++ b/crypto/ocsp/ocsp_srv.c @@ -223,7 +223,8 @@ int OCSP_basic_sign(OCSP_BASICRESP *brsp, if (ctx == NULL) return 0; - if (!EVP_DigestSignInit(ctx, &pkctx, dgst, NULL, key)) { + if (!EVP_DigestSignInit_ex(ctx, &pkctx, EVP_MD_name(dgst), + signer->libctx, signer->propq, key, NULL)) { EVP_MD_CTX_free(ctx); return 0; } @@ -277,7 +278,7 @@ int OCSP_RESPID_set_by_key_ex(OCSP_RESPID *respid, X509 *cert, int OCSP_RESPID_set_by_key(OCSP_RESPID *respid, X509 *cert) { - return OCSP_RESPID_set_by_key_ex(respid, cert, NULL, NULL); + return OCSP_RESPID_set_by_key_ex(respid, cert, cert->libctx, cert->propq); } int OCSP_RESPID_match_ex(OCSP_RESPID *respid, X509 *cert, OSSL_LIB_CTX *libctx, @@ -318,5 +319,5 @@ int OCSP_RESPID_match_ex(OCSP_RESPID *respid, X509 *cert, OSSL_LIB_CTX *libctx, int OCSP_RESPID_match(OCSP_RESPID *respid, X509 *cert) { - return OCSP_RESPID_match_ex(respid, cert, NULL, NULL); + return OCSP_RESPID_match_ex(respid, cert, cert->libctx, cert->propq); } diff --git a/crypto/ocsp/ocsp_vfy.c b/crypto/ocsp/ocsp_vfy.c index 544748851f..fe878043ca 100644 --- a/crypto/ocsp/ocsp_vfy.c +++ b/crypto/ocsp/ocsp_vfy.c @@ -84,9 +84,9 @@ static int ocsp_verify(OCSP_REQUEST *req, OCSP_BASICRESP *bs, return -1; } if (req != NULL) - ret = OCSP_REQUEST_verify(req, skey); + ret = OCSP_REQUEST_verify(req, skey, signer->libctx, signer->propq); else - ret = OCSP_BASICRESP_verify(bs, skey); + ret = OCSP_BASICRESP_verify(bs, skey, signer->libctx, signer->propq); if (ret <= 0) ERR_raise(ERR_LIB_OCSP, OCSP_R_SIGNATURE_FAILURE); } diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index 6c6d5442f2..01871b9090 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -2052,7 +2052,7 @@ X509_CRL *X509_CRL_diff(X509_CRL *base, X509_CRL *newer, return NULL; } /* Create new CRL */ - crl = X509_CRL_new(); + crl = X509_CRL_new_ex(base->libctx, base->propq); if (crl == NULL || !X509_CRL_set_version(crl, 1)) goto memerr; /* Set issuer name */ diff --git a/crypto/x509/x_all.c b/crypto/x509/x_all.c index 042425456c..9733597d37 100644 --- a/crypto/x509/x_all.c +++ b/crypto/x509/x_all.c @@ -59,8 +59,9 @@ int NETSCAPE_SPKI_verify(NETSCAPE_SPKI *a, EVP_PKEY *r) int X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md) { x->cert_info.enc.modified = 1; - return ASN1_item_sign(ASN1_ITEM_rptr(X509_CINF), &x->cert_info.signature, - &x->sig_alg, &x->signature, &x->cert_info, pkey, md); + return ASN1_item_sign_ex(ASN1_ITEM_rptr(X509_CINF), &x->cert_info.signature, + &x->sig_alg, &x->signature, &x->cert_info, NULL, + pkey, md, x->libctx, x->propq); } int X509_sign_ctx(X509 *x, EVP_MD_CTX *ctx) @@ -89,8 +90,9 @@ X509 *X509_load_http(const char *url, BIO *bio, BIO *rbio, int timeout) int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md) { - return ASN1_item_sign(ASN1_ITEM_rptr(X509_REQ_INFO), &x->sig_alg, NULL, - x->signature, &x->req_info, pkey, md); + return ASN1_item_sign_ex(ASN1_ITEM_rptr(X509_REQ_INFO), &x->sig_alg, NULL, + x->signature, &x->req_info, NULL, + pkey, md, x->libctx, x->propq); } int X509_REQ_sign_ctx(X509_REQ *x, EVP_MD_CTX *ctx) @@ -103,8 +105,9 @@ int X509_REQ_sign_ctx(X509_REQ *x, EVP_MD_CTX *ctx) int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md) { x->crl.enc.modified = 1; - return ASN1_item_sign(ASN1_ITEM_rptr(X509_CRL_INFO), &x->crl.sig_alg, - &x->sig_alg, &x->signature, &x->crl, pkey, md); + return ASN1_item_sign_ex(ASN1_ITEM_rptr(X509_CRL_INFO), &x->crl.sig_alg, + &x->sig_alg, &x->signature, &x->crl, NULL, + pkey, md, x->libctx, x->propq); } int X509_CRL_sign_ctx(X509_CRL *x, EVP_MD_CTX *ctx) @@ -123,8 +126,8 @@ X509_CRL *X509_CRL_load_http(const char *url, BIO *bio, BIO *rbio, int timeout) int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *x, EVP_PKEY *pkey, const EVP_MD *md) { - return ASN1_item_sign(ASN1_ITEM_rptr(NETSCAPE_SPKAC), &x->sig_algor, NULL, - x->signature, x->spkac, pkey, md); + return ASN1_item_sign_ex(ASN1_ITEM_rptr(NETSCAPE_SPKAC), &x->sig_algor, NULL, + x->signature, x->spkac, NULL, pkey, md, NULL, NULL); } #ifndef OPENSSL_NO_STDIO diff --git a/crypto/x509/x_crl.c b/crypto/x509/x_crl.c index dfe3da37eb..4b90e5b756 100644 --- a/crypto/x509/x_crl.c +++ b/crypto/x509/x_crl.c @@ -340,6 +340,18 @@ static int X509_REVOKED_cmp(const X509_REVOKED *const *a, (ASN1_STRING *)&(*b)->serialNumber)); } +X509_CRL *X509_CRL_new_ex(OSSL_LIB_CTX *libctx, const char *propq) +{ + X509_CRL *crl = NULL; + + crl = (X509_CRL *)ASN1_item_new((X509_CRL_it())); + if (!ossl_x509_crl_set0_libctx(crl, libctx, propq)) { + X509_CRL_free(crl); + crl = NULL; + } + return crl; +} + int X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev) { X509_CRL_INFO *inf; @@ -381,8 +393,9 @@ int X509_CRL_get0_by_cert(X509_CRL *crl, X509_REVOKED **ret, X509 *x) static int def_crl_verify(X509_CRL *crl, EVP_PKEY *r) { - return (ASN1_item_verify(ASN1_ITEM_rptr(X509_CRL_INFO), - &crl->sig_alg, &crl->signature, &crl->crl, r)); + return (ASN1_item_verify_ex(ASN1_ITEM_rptr(X509_CRL_INFO), + &crl->sig_alg, &crl->signature, &crl->crl, NULL, + r, crl->libctx, crl->propq)); } static int crl_revoked_issuer_match(X509_CRL *crl, const X509_NAME *nm, diff --git a/doc/man3/X509_dup.pod b/doc/man3/X509_dup.pod index 66668d0481..9629082310 100644 --- a/doc/man3/X509_dup.pod +++ b/doc/man3/X509_dup.pod @@ -274,6 +274,7 @@ X509_CRL_INFO_free, X509_CRL_INFO_new, X509_CRL_dup, X509_CRL_free, +X509_CRL_new_ex, X509_CRL_new, X509_EXTENSION_dup, X509_EXTENSION_free, @@ -349,7 +350,8 @@ The object returned must be released by calling B_free>(). B_new_ex>() is similiar to B_new>() but also passes the library context I and the property query I to use when retrieving -algorithms from providers. +algorithms from providers. This created object can then be used when loading +binary data using B>(). B_dup>() copies an existing object, leaving it untouched. @@ -371,8 +373,8 @@ B_print_ctx>() returns 1 on success or zero on failure. =head1 HISTORY -The functions PKCS7_new_ex() and CMS_ContentInfo_new_ex() were -added in OpenSSL 3.0. +The functions X509_REQ_new_ex(), X509_CRL_new_ex(), PKCS7_new_ex() and +CMS_ContentInfo_new_ex() were added in OpenSSL 3.0. The functions DSAparams_dup(), RSAPrivateKey_dup() and RSAPublicKey_dup() were deprecated in 3.0. diff --git a/doc/man3/X509_new.pod b/doc/man3/X509_new.pod index a437b3f264..2514ae34ce 100644 --- a/doc/man3/X509_new.pod +++ b/doc/man3/X509_new.pod @@ -25,7 +25,8 @@ X509_new_ex() allocates and initializes a X509 structure with a library context of I, property query of and a reference count of B<1>. Many X509 functions such as X509_check_purpose(), and X509_verify() use this library context to select which providers supply the -fetched algorithms (SHA1 is used internally). +fetched algorithms (SHA1 is used internally). This created X509 object can then +be used when loading binary data using d2i_X509(). X509_new() is similar to X509_new_ex() but sets the library context and property query to NULL. This results in the default (NULL) library context diff --git a/include/openssl/x509.h.in b/include/openssl/x509.h.in index 50d8712e41..0205781e0c 100644 --- a/include/openssl/x509.h.in +++ b/include/openssl/x509.h.in @@ -642,6 +642,7 @@ STACK_OF(ASN1_OBJECT) *X509_get0_reject_objects(X509 *x); DECLARE_ASN1_FUNCTIONS(X509_REVOKED) DECLARE_ASN1_FUNCTIONS(X509_CRL_INFO) DECLARE_ASN1_FUNCTIONS(X509_CRL) +X509_CRL *X509_CRL_new_ex(OSSL_LIB_CTX *libctx, const char *propq); int X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev); int X509_CRL_get0_by_serial(X509_CRL *crl, diff --git a/util/libcrypto.num b/util/libcrypto.num index 49fc731085..f8f5b58a94 100644 --- a/util/libcrypto.num +++ b/util/libcrypto.num @@ -5347,3 +5347,4 @@ EVP_ASYM_CIPHER_description ? 3_0_0 EXIST::FUNCTION: EVP_KEM_description ? 3_0_0 EXIST::FUNCTION: EVP_KEYEXCH_description ? 3_0_0 EXIST::FUNCTION: EVP_KDF_description ? 3_0_0 EXIST::FUNCTION: +X509_CRL_new_ex ? 3_0_0 EXIST::FUNCTION: -- 2.34.1