fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup!…

… fixup! fixup! CMP: add documentation
siemens · Jan 24, 2025 · 71d1447 · 71d1447
1 parent 4e2de86
commit 71d1447
Show file tree

Hide file tree

Showing 10 changed files with 40 additions and 30 deletions.
diff --git a/CHANGES.md b/CHANGES.md
@@ -89,7 +89,7 @@ OpenSSL 3.5
 
    This work was sponsored by Siemens AG.
 
-    *Rajeev Ranjan*
+   *Rajeev Ranjan*
 
  * Optionally allow the FIPS provider to use the `JITTER` entropy source.
    Note that using this option will require the resulting FIPS provider

diff --git a/apps/cmp.c b/apps/cmp.c
@@ -3860,21 +3860,26 @@ int cmp_main(int argc, char **argv)
             if (opt_centralkeygen) {
                 const EVP_CIPHER *cipher = NULL;
                 char *pass_string = NULL;
+                BIO *out;
                 EVP_PKEY *new_key = OSSL_CMP_CTX_get0_newPkey(cmp_ctx, 1 /* priv */);
-                BIO *out = bio_open_owner(opt_newkeyout, FORMAT_PEM, 1);
 
-                if (new_key == NULL || out == NULL)
+                if (new_key == NULL)
+                    goto err;
+                if ((out = bio_open_owner(opt_newkeyout, FORMAT_PEM, 1)) == NULL)
                     goto err;
                 if (opt_newkeypass != NULL) {
                     pass_string = get_passwd(opt_newkeypass,
                                              "Centrally generated private key password");
-                    cipher = EVP_aes_256_cbc();
+                    cipher = EVP_CIPHER_fetch(app_get0_libctx(), SN_aes_256_cbc, app_get0_propq());
                 }
 
                 CMP_info1("saving centrally generated key to file '%s'", opt_newkeyout);
                 if (PEM_write_bio_PrivateKey(out, new_key, cipher, NULL, 0, NULL,
-                                             (void *)pass_string) <= 0)
+                                             (void *)pass_string) <= 0) {
+                    BIO_free(out);
+                    clear_free(pass_string);
                     goto err;
+                }
                 BIO_free(out);
                 clear_free(pass_string);
             }

diff --git a/apps/lib/cmp_mock_srv.c b/apps/lib/cmp_mock_srv.c
@@ -376,15 +376,17 @@ static OSSL_CMP_PKISI *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx,
         /* Should return a cert produced from request template, see FR #16054 */
         goto err;
 
-    central_keygen = OSSL_CRMF_MSG_centralKeygen_requested(crm, p10cr);
+    central_keygen = OSSL_CRMF_MSG_centralkeygen_requested(crm, p10cr);
     if (central_keygen < 0)
         goto err;
     if (central_keygen == 1
         && (ctx->keyOut == NULL
             || (keyOut = EVP_PKEY_dup(ctx->keyOut)) == NULL
             || !OSSL_CMP_CTX_set0_newPkey(OSSL_CMP_SRV_CTX_get0_cmp_ctx(srv_ctx),
-                                          1 /* priv */, keyOut)))
+                                          1 /* priv */, keyOut))) {
+        EVP_PKEY_free(keyOut);
         goto err;
+    }
     /*
      * Note that this uses newPkey to return the private key
      * and does not check whether the 'popo' field is absent.

diff --git a/crypto/cmp/cmp_msg.c b/crypto/cmp/cmp_msg.c
@@ -470,8 +470,9 @@ static OSSL_CRMF_ENCRYPTEDKEY *enc_privkey(OSSL_CMP_CTX *ctx, const EVP_PKEY *pk
         goto err;
     ossl_cmp_set_own_chain(ctx);
     envData = ossl_cms_sign_encrypt(privbio, ctx->cert, ctx->chain, ctx->pkey, CMS_BINARY,
-                                    encryption_recips, EVP_aes_256_cbc(), CMS_BINARY,
-                                    ctx->libctx, ctx->propq);
+                                    encryption_recips,
+                                    EVP_CIPHER_fetch(ctx->libctx, SN_aes_256_cbc, ctx->propq),
+                                    CMS_BINARY, ctx->libctx, ctx->propq);
     if (envData == NULL)
         goto err;
     ek = OSSL_CRMF_ENCRYPTEDKEY_init_envdata(envData);

diff --git a/crypto/cmp/cmp_server.c b/crypto/cmp/cmp_server.c
@@ -264,7 +264,7 @@ static OSSL_CMP_MSG *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx,
     }
     srv_ctx->certReqId = certReqId;
 
-    central_keygen = OSSL_CRMF_MSG_centralKeygen_requested(crm, p10cr);
+    central_keygen = OSSL_CRMF_MSG_centralkeygen_requested(crm, p10cr);
     if (central_keygen < 0)
         return NULL;
     if (central_keygen == 0

diff --git a/crypto/crmf/crmf_lib.c b/crypto/crmf/crmf_lib.c
@@ -544,7 +544,7 @@ int OSSL_CRMF_MSGS_verify_popo(const OSSL_CRMF_MSGS *reqs,
     return 1;
 }
 
-int OSSL_CRMF_MSG_centralKeygen_requested(const OSSL_CRMF_MSG *crm, const X509_REQ *p10cr)
+int OSSL_CRMF_MSG_centralkeygen_requested(const OSSL_CRMF_MSG *crm, const X509_REQ *p10cr)
 {
     X509_PUBKEY *pubkey = NULL;
     const unsigned char *pk = NULL;
@@ -774,9 +774,9 @@ unsigned char
     int cikeysize = 0; /* key size from cipher */
     unsigned char *iv = NULL; /* initial vector for symmetric encryption */
     unsigned char *out = NULL; /* decryption output buffer */
-    int symmAlg = 0; /* NIDs for symmetric algorithm */
     int n, ret = 0;
     EVP_PKEY_CTX *pkctx = NULL; /* private key context */
+    char name[OSSL_MAX_NAME_SIZE];
 
     if (outlen == NULL) {
         ERR_raise(ERR_LIB_CRMF, CRMF_R_NULL_ARGUMENT);
@@ -789,16 +789,18 @@ unsigned char
         return NULL;
     }
 
-    if ((symmAlg = OBJ_obj2nid(enc->symmAlg->algorithm)) == 0) {
-        ERR_raise(ERR_LIB_CRMF, CRMF_R_UNSUPPORTED_CIPHER);
-        return NULL;
-    }
-
     /* select symmetric cipher based on algorithm given in message */
-    if ((cipher = EVP_get_cipherbynid(symmAlg)) == NULL) {
+    OBJ_obj2txt(name, sizeof(name), enc->symmAlg->algorithm, 0);
+    (void)ERR_set_mark();
+    cipher = EVP_CIPHER_fetch(libctx, name, propq);
+    if (cipher == NULL)
+        cipher = EVP_get_cipherbyobj(enc->symmAlg->algorithm);
+    if (cipher == NULL) {
+        (void)ERR_clear_last_mark();
         ERR_raise(ERR_LIB_CRMF, CRMF_R_UNSUPPORTED_CIPHER);
         goto end;
     }
+    (void)ERR_pop_to_mark();
 
     cikeysize = EVP_CIPHER_get_key_length(cipher);
     /* first the symmetric key needs to be decrypted */

diff --git a/doc/internal/man3/ossl_cms_sign_encrypt.pod b/doc/internal/man3/ossl_cms_sign_encrypt.pod
@@ -36,9 +36,9 @@ See L<CMS_encrypt_ex(3)> for more information.
 
 =head1 RETURN VALUES
 
-If the allocation fails, ossl_cms_sign_encrypt() return NULL and
-set an error code that can be obtained by L<ERR_get_error(3)>. 
-Otherwise, they return a pointer to the newly allocated structure.
+If the allocation fails, ossl_cms_sign_encrypt() returns NULL and
+sets an error code that can be obtained by L<ERR_get_error(3)>.
+Otherwise, it returns a pointer to the newly allocated structure.
 
 =head1 HISTORY
 

diff --git a/doc/man3/OSSL_CRMF_MSG_get0_tmpl.pod b/doc/man3/OSSL_CRMF_MSG_get0_tmpl.pod
@@ -16,7 +16,7 @@ OSSL_CRMF_ENCRYPTEDKEY_init_envdata,
 OSSL_CRMF_ENCRYPTEDVALUE_decrypt,
 OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert,
 OSSL_CRMF_MSG_get_certReqId,
-OSSL_CRMF_MSG_centralKeygen_requested
+OSSL_CRMF_MSG_centralkeygen_requested
 - functions reading from CRMF CertReqMsg structures
 
 =head1 SYNOPSIS
@@ -61,7 +61,7 @@ OSSL_CRMF_MSG_centralKeygen_requested
                                         EVP_PKEY *pkey);
 
  int OSSL_CRMF_MSG_get_certReqId(const OSSL_CRMF_MSG *crm);
- int OSSL_CRMF_MSG_centralKeygen_requested(const OSSL_CRMF_MSG *crm,
+ int OSSL_CRMF_MSG_centralkeygen_requested(const OSSL_CRMF_MSG *crm,
                                            const X509_REQ *p10cr);
 
 =head1 DESCRIPTION
@@ -97,11 +97,11 @@ The function returns the decrypted certificate as a copy, leaving its ownership
 with the caller, who is responsible for freeing it.
 
 OSSL_CRMF_ENCRYPTEDKEY_get1_pkey() decrypts the private key in I<encryptedKey>.
-If `encryptedKey` is not of type B<OSSL_CRMF_ENCRYPTEDKEY_ENVELOPEDDATA>,
+If I<encryptedKey> is not of type B<OSSL_CRMF_ENCRYPTEDKEY_ENVELOPEDDATA>,
 decryption uses the private key I<pkey>.
 The library context I<libctx> and property query I<propq> are taken into account as usual.
 The rest of this paragraph is relevant only if CMS support not disabled for the OpenSSL build
-and `encryptedKey` is of type case B<OSSL_CRMF_ENCRYPTEDKEY_ENVELOPEDDATA>.
+and I<encryptedKey> is of type case B<OSSL_CRMF_ENCRYPTEDKEY_ENVELOPEDDATA>.
 Decryption uses the I<secret> parameter if not NULL;
 otherwise uses the private key <pkey> and the certificate I<cert> 
 related to I<pkey>, where I<cert> is recommended to be given if available.
@@ -125,7 +125,7 @@ with the caller, who is responsible for freeing it.
 
 OSSL_CRMF_MSG_get_certReqId() retrieves the certReqId of I<crm>.
 
-OSSL_CRMF_MSG_centralKeygen_requested() returns 1 if central key generation
+OSSL_CRMF_MSG_centralkeygen_requested() returns 1 if central key generation
 is requested i.e., the public key in the certificate request (I<crm> is taken if it is non-NULL,
 otherwise I<p10cr>) is NULL or has an empty key value (with length zero).
 In case I<crm> is non-NULL, this is checked for consistency with its B<popo> field
@@ -137,7 +137,7 @@ Otherwise it returns 0, and on error a negative value.
 OSSL_CRMF_MSG_get_certReqId() returns the certificate request ID as a
 nonnegative integer or -1 on error.
 
-OSSL_CRMF_MSG_centralKeygen_requested() returns 1 if central key generation
+OSSL_CRMF_MSG_centralkeygen_requested() returns 1 if central key generation
 is requested, 0 if it is not requested, and a negative value on error.
 
 All other functions return a pointer with the intended result or NULL on error.
@@ -154,7 +154,7 @@ OSSL_CRMF_CERTTEMPLATE_get0_publicKey() was added in OpenSSL 3.2.
 
 OSSL_CRMF_ENCRYPTEDKEY_get1_encCert(), OSSL_CRMF_ENCRYPTEDKEY_get1_pkey(),
 OSSL_CRMF_ENCRYPTEDKEY_init_envdata(), OSSL_CRMF_ENCRYPTEDVALUE_decrypt()
-and OSSL_CRMF_MSG_centralKeygen_requested() were added in OpenSSL 3.5.
+and OSSL_CRMF_MSG_centralkeygen_requested() were added in OpenSSL 3.5.
 
 =head1 COPYRIGHT
 

diff --git a/include/openssl/crmf.h.in b/include/openssl/crmf.h.in
@@ -195,7 +195,7 @@ EVP_PKEY *OSSL_CRMF_ENCRYPTEDKEY_get1_pkey(const OSSL_CRMF_ENCRYPTEDKEY *encrypt
                                            X509_STORE *ts, STACK_OF(X509) *extra, EVP_PKEY *pkey,
                                            X509 *cert, ASN1_OCTET_STRING *secret,
                                            OSSL_LIB_CTX *libctx, const char *propq);
-int OSSL_CRMF_MSG_centralKeygen_requested(const OSSL_CRMF_MSG *crm, const X509_REQ *p10cr);
+int OSSL_CRMF_MSG_centralkeygen_requested(const OSSL_CRMF_MSG *crm, const X509_REQ *p10cr);
 #  ifndef OPENSSL_NO_CMS
 OSSL_CRMF_ENCRYPTEDKEY *OSSL_CRMF_ENCRYPTEDKEY_init_envdata(CMS_EnvelopedData *envdata);
 #  endif

diff --git a/util/libcrypto.num b/util/libcrypto.num
@@ -5743,7 +5743,7 @@ OSSL_CRMF_ENCRYPTEDKEY_it               ?	3_5_0	EXIST::FUNCTION:CRMF
 OSSL_CRMF_ENCRYPTEDKEY_get1_encCert     ?	3_5_0	EXIST::FUNCTION:CRMF
 OSSL_CRMF_ENCRYPTEDVALUE_decrypt        ?	3_5_0	EXIST::FUNCTION:CRMF
 OSSL_CRMF_ENCRYPTEDKEY_get1_pkey        ?	3_5_0	EXIST::FUNCTION:CRMF
-OSSL_CRMF_MSG_centralKeygen_requested   ?	3_5_0	EXIST::FUNCTION:CRMF
+OSSL_CRMF_MSG_centralkeygen_requested   ?	3_5_0	EXIST::FUNCTION:CRMF
 CMS_EnvelopedData_dup                   ?	3_5_0	EXIST::FUNCTION:CMS
 OSSL_CRMF_ENCRYPTEDKEY_init_envdata     ?	3_5_0	EXIST::FUNCTION:CMS,CRMF
 EVP_get1_default_properties             ?	3_5_0	EXIST::FUNCTION: