From: Matt Caswell
Date: Fri, 3 Apr 2020 17:01:04 +0000 (+0100)
Subject: Create a libctx aware X509_verify_ex()
X-Git-Tag: openssl-3.0.0-alpha1~90
X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=0820217441b68724d91b7644f3560e15149a1848

Create a libctx aware X509_verify_ex()

This is the same as X509_verify() except that it takes a libctx and propq parameter and signature verification is done using those.

Reviewed-by: Shane Lontis
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/11507)
---
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 84a4bb2c60..c3eb261b94 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -1763,7 +1763,7 @@ static int internal_verify(X509_STORE_CTX *ctx)
 if (!verify_cb_cert(ctx, xi, xi != xs ? n+1 : n, X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY))
 return 0;
- } else if (X509_verify(xs, pkey) <= 0) {
+ } else if (X509_verify_ex(xs, pkey, ctx->libctx, ctx->propq) <= 0) {
 if (!verify_cb_cert(ctx, xs, n, X509_V_ERR_CERT_SIGNATURE_FAILURE))
 return 0;
@@ -2809,7 +2809,7 @@ static int check_dane_pkeys(X509_STORE_CTX *ctx)
 if (t->usage != DANETLS_USAGE_DANE_TA || t->selector != DANETLS_SELECTOR_SPKI || t->mtype != DANETLS_MATCHING_FULL ||
- X509_verify(cert, t->spki) <= 0)
+ X509_verify_ex(cert, t->spki, ctx->libctx, ctx->propq) <= 0)
 continue;
 /* Clear any PKIX-?? matches that failed to extend to a full chain */
diff --git a/crypto/x509/x_all.c b/crypto/x509/x_all.c
index 0f31c5155f..6d7f341c7f 100644
--- a/crypto/x509/x_all.c
+++ b/crypto/x509/x_all.c
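Review bot: At the new `X509_verify_ex(xs, pkey, ctx->libctx, ctx->propq)` call in internal_verify, a result of 0 now covers two different conditions — a genuinely bad signature, and a failure to set up a verification context for `ctx->libctx`/`ctx->propq` (in x_all.c, make_id_ctx returning NULL leaves rv at 0) — yet both reach the verify callback as X509_V_ERR_CERT_SIGNATURE_FAILURE. A callback that chooses to tolerate signature failures would therefore also mask a provider or property-query misconfiguration; the distinction is only recoverable from the error queue. A comment at the call site would make that explicit, e.g. `/* <= 0 also covers failure to obtain a verifier in ctx->libctx/propq; details are on the error queue */`. The same applies to the check_dane_pkeys hunk at line 2809, where a setup failure silently skips the DANE-TA match with `continue`. internal_verify and check_dane_pkeys both start and end outside their hunks.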
@@ -34,13 +34,14 @@ static void clean_id_ctx(EVP_MD_CTX *ctx)
 EVP_MD_CTX_free(ctx);
 }
-static EVP_MD_CTX *make_id_ctx(EVP_PKEY *r, ASN1_OCTET_STRING *id)
+static EVP_MD_CTX *make_id_ctx(EVP_PKEY *r, ASN1_OCTET_STRING *id,
+ OPENSSL_CTX *libctx, const char *propq)
 {
 EVP_MD_CTX *ctx = NULL;
 EVP_PKEY_CTX *pctx = NULL;
 if ((ctx = EVP_MD_CTX_new()) == NULL
- || (pctx = EVP_PKEY_CTX_new(r, NULL)) == NULL) {
+ || (pctx = EVP_PKEY_CTX_new_from_pkey(libctx, r, propq)) == NULL) {
 X509err(0, ERR_R_MALLOC_FAILURE);
 goto error;
 }
@@ -63,7 +64,7 @@ static EVP_MD_CTX *make_id_ctx(EVP_PKEY *r, ASN1_OCTET_STRING *id)
 return NULL;
 }
-int X509_verify(X509 *a, EVP_PKEY *r)
+int X509_verify_ex(X509 *a, EVP_PKEY *r, OPENSSL_CTX *libctx, const char *propq)
 {
 int rv = 0;
 EVP_MD_CTX *ctx = NULL;
@@ -73,7 +74,7 @@ int X509_verify(X509 *a, EVP_PKEY *r)
 return 0;
 id = a->distinguishing_id;
- if ((ctx = make_id_ctx(r, id)) != NULL) {
+ if ((ctx = make_id_ctx(r, id, libctx, propq)) != NULL) {
 rv = ASN1_item_verify_ctx(ASN1_ITEM_rptr(X509_CINF), &a->sig_alg, &a->signature, &a->cert_info, ctx);
 clean_id_ctx(ctx);
@@ -81,14 +82,20 @@ int X509_verify(X509 *a, EVP_PKEY *r)
 return rv;
 }
-int X509_REQ_verify(X509_REQ *a, EVP_PKEY *r)
+int X509_verify(X509 *a, EVP_PKEY *r)
+{
+ return X509_verify_ex(a, r, NULL, NULL);
+}
+
+int X509_REQ_verify_ex(X509_REQ *a, EVP_PKEY *r, OPENSSL_CTX *libctx,
+ const char *propq)
 {
 int rv = 0;
 EVP_MD_CTX *ctx = NULL;
 ASN1_OCTET_STRING *id = NULL;
 id = a->distinguishing_id;
- if ((ctx = make_id_ctx(r, id)) != NULL) {
+ if ((ctx = make_id_ctx(r, id, libctx, propq)) != NULL) {
 rv = ASN1_item_verify_ctx(ASN1_ITEM_rptr(X509_REQ_INFO), &a->sig_alg, a->signature, &a->req_info, ctx);
 clean_id_ctx(ctx);
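Review bot: In make_id_ctx the new `EVP_PKEY_CTX_new_from_pkey(libctx, r, propq)` call still shares the `X509err(0, ERR_R_MALLOC_FAILURE)` branch with EVP_MD_CTX_new, but with a library context and property query it can fail for reasons that have nothing to do with allocation, such as a property query that no loaded provider satisfies, so the reason code reported for the new failure mode is misleading to anyone debugging a verification failure. Splitting the two checks lets each path raise an accurate reason (ERR_R_EVP_LIB is the conventional reason for a failed EVP call) and keeps the early-exit structure. The remainder of make_id_ctx lies outside this hunk.
```c
static EVP_MD_CTX *make_id_ctx(EVP_PKEY *r, ASN1_OCTET_STRING *id,
                               OPENSSL_CTX *libctx, const char *propq)
{
    /* … unchanged: ctx/pctx declarations … */
    if ((ctx = EVP_MD_CTX_new()) == NULL) {
        X509err(0, ERR_R_MALLOC_FAILURE);
        goto error;
    }
    /* Not only an allocation: can fail when no provider matches propq */
    if ((pctx = EVP_PKEY_CTX_new_from_pkey(libctx, r, propq)) == NULL) {
        X509err(0, ERR_R_EVP_LIB);
        goto error;
    }
    /* … unchanged: remainder of make_id_ctx … */
```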
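Review bot: X509_verify_ex is a new exported function, but the hunk adds no comment describing what `libctx` and `propq` do, and the diff touches no doc/ file, so the public API lands undocumented. A short header comment would cover it: `/* Verify |a|'s signature with |r|. The signature implementation is fetched from |libctx| with property query |propq|; NULL for both selects the defaults, which is what X509_verify() passes. Returns 1 on success, <= 0 otherwise. */` — the NULL fallback is presumably resolved inside EVP_PKEY_CTX_new_from_pkey and should be confirmed before being stated. The same documentation is missing for X509_REQ_verify_ex in the hunk at line 81 and for both prototypes in x509.h.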
@@ -96,6 +103,11 @@ int X509_REQ_verify(X509_REQ *a, EVP_PKEY *r)
 return rv;
 }
+int X509_REQ_verify(X509_REQ *a, EVP_PKEY *r)
+{
+ return X509_REQ_verify_ex(a, r, NULL, NULL);
+}
+
 int NETSCAPE_SPKI_verify(NETSCAPE_SPKI *a, EVP_PKEY *r)
 {
 return (ASN1_item_verify(ASN1_ITEM_rptr(NETSCAPE_SPKAC),
diff --git a/include/openssl/x509.h b/include/openssl/x509.h
index 64156d495b..19ff55f46d 100644
--- a/include/openssl/x509.h
+++ b/include/openssl/x509.h
@@ -355,8 +355,11 @@ void *X509_CRL_get_meth_data(X509_CRL *crl);
 const char *X509_verify_cert_error_string(long n);
+int X509_verify_ex(X509 *a, EVP_PKEY *r, OPENSSL_CTX *libctx, const char *propq);
 int X509_verify(X509 *a, EVP_PKEY *r);
+int X509_REQ_verify_ex(X509_REQ *a, EVP_PKEY *r, OPENSSL_CTX *libctx,
+ const char *propq);
 int X509_REQ_verify(X509_REQ *a, EVP_PKEY *r);
 int X509_CRL_verify(X509_CRL *a, EVP_PKEY *r);
 int NETSCAPE_SPKI_verify(NETSCAPE_SPKI *a, EVP_PKEY *r);
diff --git a/util/libcrypto.num b/util/libcrypto.num
index e14688c8ef..adcf408d34 100644
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@@ -5072,3 +5072,5 @@ EVP_PKEY_CTX_set_dh_paramgen_generator ? 3_0_0 EXIST::FUNCTION:DH
 EVP_PKEY_CTX_set_dh_nid ? 3_0_0 EXIST::FUNCTION:DH
 EVP_PKEY_CTX_set_dh_rfc5114 ? 3_0_0 EXIST::FUNCTION:DH
 EVP_PKEY_CTX_set_dhx_rfc5114 ? 3_0_0 EXIST::FUNCTION:DH
+X509_verify_ex ? 3_0_0 EXIST::FUNCTION:
+X509_REQ_verify_ex ? 3_0_0 EXIST::FUNCTION:
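Review bot: The x509.h hunk adds libctx-aware verification for X509 and X509_REQ only, while the context lines directly below — `int X509_CRL_verify(X509_CRL *a, EVP_PKEY *r);` and `int NETSCAPE_SPKI_verify(NETSCAPE_SPKI *a, EVP_PKEY *r);` — keep their single-context forms, and the NETSCAPE_SPKI_verify body visible in the x_all.c hunk at line 96 still calls ASN1_item_verify with no library context. If CRL signature checks during X509_STORE_CTX verification go through X509_CRL_verify (not visible in this diff), CRLs would continue to be verified with the default library context while certificates now use ctx->libctx, which is an inconsistent trust boundary for a caller that relies on a non-default or restricted provider set. A matching X509_CRL_verify_ex, and ideally a NETSCAPE_SPKI_verify_ex, would close that gap; failing that, a comment in the header should state that the remaining verifiers ignore the caller's libctx and propq.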