diff --git a/crypto/evp/p_lib.c b/crypto/evp/p_lib.c index d997ae80e1..6a8dc9bbbb 100644 --- a/crypto/evp/p_lib.c +++ b/crypto/evp/p_lib.c @@ -1335,22 +1335,21 @@ int EVP_PKEY_get_group_name(const EVP_PKEY *pkey, char *gname, size_t gname_sz, gname, gname_sz, gname_len); } -int EVP_PKEY_supports_digest_nid(EVP_PKEY *pkey, int nid) +int EVP_PKEY_digestsign_supports_digest(EVP_PKEY *pkey, OSSL_LIB_CTX *libctx, + const char *name, const char *propq) { - int rv = -2, default_nid; + int rv; + EVP_MD_CTX *ctx = NULL; - if (rv == -2) { - /* - * If there is a mandatory default digest and this isn't it, then - * the answer is 'no'. - */ - rv = EVP_PKEY_get_default_digest_nid(pkey, &default_nid); - if (rv == 2) - return (nid == default_nid); - /* zero is an error from EVP_PKEY_get_default_digest_nid() */ - if (rv == 0) - return -1; - } + if ((ctx = EVP_MD_CTX_new()) == NULL) + return -1; + + ERR_set_mark(); + rv = EVP_DigestSignInit_ex(ctx, NULL, name, libctx, + propq, pkey, NULL); + ERR_pop_to_mark(); + + EVP_MD_CTX_free(ctx); return rv; } diff --git a/doc/build.info b/doc/build.info index af0e0e0539..02882af91e 100644 --- a/doc/build.info +++ b/doc/build.info @@ -1198,6 +1198,10 @@ DEPEND[html/man3/EVP_PKEY_derive.html]=man3/EVP_PKEY_derive.pod GENERATE[html/man3/EVP_PKEY_derive.html]=man3/EVP_PKEY_derive.pod DEPEND[man/man3/EVP_PKEY_derive.3]=man3/EVP_PKEY_derive.pod GENERATE[man/man3/EVP_PKEY_derive.3]=man3/EVP_PKEY_derive.pod +DEPEND[html/man3/EVP_PKEY_digestsign_supports_digest.html]=man3/EVP_PKEY_digestsign_supports_digest.pod +GENERATE[html/man3/EVP_PKEY_digestsign_supports_digest.html]=man3/EVP_PKEY_digestsign_supports_digest.pod +DEPEND[man/man3/EVP_PKEY_digestsign_supports_digest.3]=man3/EVP_PKEY_digestsign_supports_digest.pod +GENERATE[man/man3/EVP_PKEY_digestsign_supports_digest.3]=man3/EVP_PKEY_digestsign_supports_digest.pod DEPEND[html/man3/EVP_PKEY_encapsulate.html]=man3/EVP_PKEY_encapsulate.pod GENERATE[html/man3/EVP_PKEY_encapsulate.html]=man3/EVP_PKEY_encapsulate.pod DEPEND[man/man3/EVP_PKEY_encapsulate.3]=man3/EVP_PKEY_encapsulate.pod @@ -1274,10 +1278,6 @@ DEPEND[html/man3/EVP_PKEY_size.html]=man3/EVP_PKEY_size.pod GENERATE[html/man3/EVP_PKEY_size.html]=man3/EVP_PKEY_size.pod DEPEND[man/man3/EVP_PKEY_size.3]=man3/EVP_PKEY_size.pod GENERATE[man/man3/EVP_PKEY_size.3]=man3/EVP_PKEY_size.pod -DEPEND[html/man3/EVP_PKEY_supports_digest_nid.html]=man3/EVP_PKEY_supports_digest_nid.pod -GENERATE[html/man3/EVP_PKEY_supports_digest_nid.html]=man3/EVP_PKEY_supports_digest_nid.pod -DEPEND[man/man3/EVP_PKEY_supports_digest_nid.3]=man3/EVP_PKEY_supports_digest_nid.pod -GENERATE[man/man3/EVP_PKEY_supports_digest_nid.3]=man3/EVP_PKEY_supports_digest_nid.pod DEPEND[html/man3/EVP_PKEY_todata.html]=man3/EVP_PKEY_todata.pod GENERATE[html/man3/EVP_PKEY_todata.html]=man3/EVP_PKEY_todata.pod DEPEND[man/man3/EVP_PKEY_todata.3]=man3/EVP_PKEY_todata.pod @@ -3001,6 +3001,7 @@ html/man3/EVP_PKEY_copy_parameters.html \ html/man3/EVP_PKEY_decapsulate.html \ html/man3/EVP_PKEY_decrypt.html \ html/man3/EVP_PKEY_derive.html \ +html/man3/EVP_PKEY_digestsign_supports_digest.html \ html/man3/EVP_PKEY_encapsulate.html \ html/man3/EVP_PKEY_encrypt.html \ html/man3/EVP_PKEY_fromdata.html \ @@ -3020,7 +3021,6 @@ html/man3/EVP_PKEY_set_type.html \ html/man3/EVP_PKEY_settable_params.html \ html/man3/EVP_PKEY_sign.html \ html/man3/EVP_PKEY_size.html \ -html/man3/EVP_PKEY_supports_digest_nid.html \ html/man3/EVP_PKEY_todata.html \ html/man3/EVP_PKEY_verify.html \ html/man3/EVP_PKEY_verify_recover.html \ @@ -3589,6 +3589,7 @@ man/man3/EVP_PKEY_copy_parameters.3 \ man/man3/EVP_PKEY_decapsulate.3 \ man/man3/EVP_PKEY_decrypt.3 \ man/man3/EVP_PKEY_derive.3 \ +man/man3/EVP_PKEY_digestsign_supports_digest.3 \ man/man3/EVP_PKEY_encapsulate.3 \ man/man3/EVP_PKEY_encrypt.3 \ man/man3/EVP_PKEY_fromdata.3 \ @@ -3608,7 +3609,6 @@ man/man3/EVP_PKEY_set_type.3 \ man/man3/EVP_PKEY_settable_params.3 \ man/man3/EVP_PKEY_sign.3 \ man/man3/EVP_PKEY_size.3 \ -man/man3/EVP_PKEY_supports_digest_nid.3 \ man/man3/EVP_PKEY_todata.3 \ man/man3/EVP_PKEY_verify.3 \ man/man3/EVP_PKEY_verify_recover.3 \ diff --git a/doc/man3/EVP_PKEY_ASN1_METHOD.pod b/doc/man3/EVP_PKEY_ASN1_METHOD.pod index cbf735d333..4a515590cc 100644 --- a/doc/man3/EVP_PKEY_ASN1_METHOD.pod +++ b/doc/man3/EVP_PKEY_ASN1_METHOD.pod @@ -257,7 +257,6 @@ L, and L. The pkey_ctrl() method adds extra algorithm specific control. It's called by L, -L, L, L, L, L, ... diff --git a/doc/man3/EVP_PKEY_digestsign_supports_digest.pod b/doc/man3/EVP_PKEY_digestsign_supports_digest.pod new file mode 100644 index 0000000000..c043ce4e95 --- /dev/null +++ b/doc/man3/EVP_PKEY_digestsign_supports_digest.pod @@ -0,0 +1,44 @@ +=pod + +=head1 NAME + +EVP_PKEY_digestsign_supports_digest - indicate support for signature digest + +=head1 SYNOPSIS + + #include + int EVP_PKEY_digestsign_supports_digest(EVP_PKEY *pkey, OSSL_LIB_CTX *libctx, + const char *name, const char *propq); + +=head1 DESCRIPTION + +The EVP_PKEY_digestsign_supports_digest() function queries whether the message +digest I is supported for public key signature operations associated with +key I. The query is done within an optional library context I and +with an optional property query I. + +=head1 RETURN VALUES + +The EVP_PKEY_digestsign_supports_digest() function returns 1 if the message +digest algorithm identified by I can be used for public key signature +operations associated with key I and 0 if it cannot be used. It returns +a negative value for failure. + +=head1 SEE ALSO + +L, + +=head1 HISTORY + +The EVP_PKEY_digestsign_supports_digest() function was added in OpenSSL 3.0. + +=head1 COPYRIGHT + +Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. + +Licensed under the Apache License 2.0 (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +L. + +=cut diff --git a/doc/man3/EVP_PKEY_get_default_digest_nid.pod b/doc/man3/EVP_PKEY_get_default_digest_nid.pod index 2213a024c7..d680ffef1a 100644 --- a/doc/man3/EVP_PKEY_get_default_digest_nid.pod +++ b/doc/man3/EVP_PKEY_get_default_digest_nid.pod @@ -47,7 +47,7 @@ algorithm. L, L, -L, +L, L, L, diff --git a/doc/man3/EVP_PKEY_supports_digest_nid.pod b/doc/man3/EVP_PKEY_supports_digest_nid.pod deleted file mode 100644 index b3f51346ca..0000000000 --- a/doc/man3/EVP_PKEY_supports_digest_nid.pod +++ /dev/null @@ -1,53 +0,0 @@ -=pod - -=head1 NAME - -EVP_PKEY_supports_digest_nid - indicate support for signature digest - -=head1 SYNOPSIS - - #include - int EVP_PKEY_supports_digest_nid(EVP_PKEY *pkey, int nid); - -=head1 DESCRIPTION - -The EVP_PKEY_supports_digest_nid() function queries whether the message digest -NID B is supported for public key signature operations associated with key -B. - -=head1 NOTES - -If the EVP_PKEY implementation does not explicitly support this method, but -L returns a mandatory digest result, then -only that mandatory digest will be supported. - -=head1 RETURN VALUES - -The EVP_PKEY_supports_digest_nid() function returns 1 if the message digest -algorithm identified by B can be used for public key signature operations -associated with key B and 0 if it cannot be used. It returns a negative -value for failure. In particular a return value of -2 indicates the query -operation is not supported by the public key algorithm. - -=head1 SEE ALSO - -L, -L, -L, -L, -L, - -=head1 HISTORY - -The EVP_PKEY_supports_digest_nid() function was added in OpenSSL 3.0. - -=head1 COPYRIGHT - -Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved. - -Licensed under the Apache License 2.0 (the "License"). You may not use -this file except in compliance with the License. You can obtain a copy -in the file LICENSE in the source distribution or at -L. - -=cut diff --git a/include/openssl/evp.h b/include/openssl/evp.h index e17dec8a2c..27e14d07b6 100644 --- a/include/openssl/evp.h +++ b/include/openssl/evp.h @@ -1398,7 +1398,8 @@ int EVP_PKEY_print_params_fp(FILE *fp, const EVP_PKEY *pkey, int EVP_PKEY_get_default_digest_nid(EVP_PKEY *pkey, int *pnid); int EVP_PKEY_get_default_digest_name(EVP_PKEY *pkey, char *mdname, size_t mdname_sz); -int EVP_PKEY_supports_digest_nid(EVP_PKEY *pkey, int nid); +int EVP_PKEY_digestsign_supports_digest(EVP_PKEY *pkey, OSSL_LIB_CTX *libctx, + const char *name, const char *propq); # ifndef OPENSSL_NO_DEPRECATED_3_0 /* diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 14c16e355d..1dc57af43a 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -3052,15 +3052,18 @@ static int check_cert_usable(SSL *s, const SIGALG_LOOKUP *sig, X509 *x, const SIGALG_LOOKUP *lu; int mdnid, pknid, supported; size_t i; + const char *mdname = NULL; /* - * If the given EVP_PKEY cannot supporting signing with this sigalg, + * If the given EVP_PKEY cannot support signing with this digest, * the answer is simply 'no'. */ - ERR_set_mark(); - supported = EVP_PKEY_supports_digest_nid(pkey, sig->hash); - ERR_pop_to_mark(); - if (supported == 0) + if (sig->hash != NID_undef) + mdname = OBJ_nid2sn(sig->hash); + supported = EVP_PKEY_digestsign_supports_digest(pkey, s->ctx->libctx, + mdname, + s->ctx->propq); + if (supported <= 0) return 0; /* diff --git a/util/libcrypto.num b/util/libcrypto.num index 69b8f63e32..67bf50af4d 100644 --- a/util/libcrypto.num +++ b/util/libcrypto.num @@ -4414,7 +4414,7 @@ EVP_MAC_update ? 3_0_0 EXIST::FUNCTION: EVP_MAC_final ? 3_0_0 EXIST::FUNCTION: EVP_MAC_finalXOF ? 3_0_0 EXIST::FUNCTION: OSSL_EC_curve_nid2name ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_supports_digest_nid ? 3_0_0 EXIST::FUNCTION: +EVP_PKEY_digestsign_supports_digest ? 3_0_0 EXIST::FUNCTION: SRP_VBASE_add0_user ? 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP SRP_user_pwd_new ? 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP SRP_user_pwd_set_gN ? 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP