From: Dr. David von Oheimb
Date: Thu, 5 Mar 2020 08:16:29 +0000 (+0100)
Subject: Move OSSL_CMP_X509_digest() to x_all.c, renaming it to X509_digest_sig()
X-Git-Tag: openssl-3.0.0-alpha1~288
X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=44387c9000197b219e7673d5522517a1a6499af8;p=oweals%2Fopenssl.git

Move OSSL_CMP_X509_digest() to x_all.c, renaming it to X509_digest_sig()

Reviewed-by: Matt Caswell
Reviewed-by: David von Oheimb
(Merged from https://github.com/openssl/openssl/pull/11142)
---
diff --git a/apps/cmp_mock_srv.c b/apps/cmp_mock_srv.c
index 4cdda2417d..2e02104884 100644
--- a/apps/cmp_mock_srv.c
+++ b/apps/cmp_mock_srv.c
@@ -342,7 +342,7 @@ static int process_certConf(OSSL_CMP_SRV_CTX *srv_ctx,
 return 0;
 }
 
- if ((digest = OSSL_CMP_X509_digest(ctx->certOut)) == NULL)
+ if ((digest = X509_digest_sig(ctx->certOut)) == NULL)
 return 0;
 if (ASN1_OCTET_STRING_cmp(certHash, digest) != 0) {
 ASN1_OCTET_STRING_free(digest);
diff --git a/crypto/cmp/cmp_msg.c b/crypto/cmp/cmp_msg.c
index c608568130..714c883a0d 100644
--- a/crypto/cmp/cmp_msg.c
+++ b/crypto/cmp/cmp_msg.c
@@ -713,7 +713,7 @@ OSSL_CMP_MSG *ossl_cmp_certConf_new(OSSL_CMP_CTX *ctx, int fail_info,
 * the hash of the certificate, using the same hash algorithm
 * as is used to create and verify the certificate signature
 */
- if ((certHash = OSSL_CMP_X509_digest(ctx->newCert)) == NULL)
+ if ((certHash = X509_digest_sig(ctx->newCert)) == NULL)
 goto err;
 
 if (!ossl_cmp_certstatus_set0_certHash(certStatus, certHash))
diff --git a/crypto/cmp/cmp_util.c b/crypto/cmp/cmp_util.c
index f53ff889e6..70c060166a 100644
--- a/crypto/cmp/cmp_util.c
+++ b/crypto/cmp/cmp_util.c
@@ -384,39 +384,3 @@ int ossl_cmp_asn1_octet_string_set1_bytes(ASN1_OCTET_STRING **tgt,
 *tgt = new;
 return 1;
 }
-
-/*
- * calculate a digest of the given certificate,
- * using the same hash algorithm as in the certificate signature.
- */
-ASN1_OCTET_STRING *OSSL_CMP_X509_digest(const X509 *cert)
-{
- unsigned int len;
- unsigned char hash[EVP_MAX_MD_SIZE];
- int md_NID;
- const EVP_MD *md = NULL;
- ASN1_OCTET_STRING *new = NULL;
-
- if (!ossl_assert(cert != NULL))
- return NULL;
-
- /*-
- * select hash algorithm, as stated in CMP RFC 4210 Appendix F.
- * Compilable ASN.1 defs:
- * the hash of the certificate, using the same hash algorithm
- * as is used to create and verify the certificate signature
- */
- if (!OBJ_find_sigid_algs(X509_get_signature_nid(cert), &md_NID, NULL)
- || (md = EVP_get_digestbynid(md_NID)) == NULL) {
- CMPerr(0, CMP_R_UNSUPPORTED_ALGORITHM);
- return NULL;
- }
- if (!X509_digest(cert, md, hash, &len)
- || (new = ASN1_OCTET_STRING_new()) == NULL)
- return NULL;
- if (!(ASN1_OCTET_STRING_set(new, hash, len))) {
- ASN1_OCTET_STRING_free(new);
- return NULL;
- }
- return new;
-}
diff --git a/crypto/x509/x_all.c b/crypto/x509/x_all.c
index 6a6748bad4..2d7387b9e0 100644
--- a/crypto/x509/x_all.c
+++ b/crypto/x509/x_all.c
@@ -450,6 +450,35 @@ int X509_digest(const X509 *data, const EVP_MD *type, unsigned char *md,
 (ASN1_ITEM_rptr(X509), type, (char *)data, md, len));
 }
 
+/* calculate cert digest using the same hash algorithm as in its signature */
+ASN1_OCTET_STRING *X509_digest_sig(const X509 *cert)
+{
+ unsigned int len;
+ unsigned char hash[EVP_MAX_MD_SIZE];
+ int md_NID;
+ const EVP_MD *md = NULL;
+ ASN1_OCTET_STRING *new = NULL;
+
+ if (cert == NULL) {
+ X509err(0, ERR_R_PASSED_NULL_PARAMETER);
+ return NULL;
+ }
+
+ if (!OBJ_find_sigid_algs(X509_get_signature_nid(cert), &md_NID, NULL)
+ || (md = EVP_get_digestbynid(md_NID)) == NULL) {
+ CMPerr(0, X509_R_UNSUPPORTED_ALGORITHM);
+ return NULL;
+ }
+ if (!X509_digest(cert, md, hash, &len)
+ || (new = ASN1_OCTET_STRING_new()) == NULL)
+ return NULL;
+ if (!(ASN1_OCTET_STRING_set(new, hash, len))) {
+ ASN1_OCTET_STRING_free(new);
+ return NULL;
+ }
+ return new;
+}
+
 int X509_CRL_digest(const X509_CRL *data, const EVP_MD *type,
 unsigned char *md, unsigned int *len)
 {
diff --git a/doc/man3/OSSL_CMP_X509_digest.pod b/doc/man3/OSSL_CMP_X509_digest.pod
deleted file mode 100644
index 824d3497c3..0000000000
--- a/doc/man3/OSSL_CMP_X509_digest.pod
+++ /dev/null
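Review bot: `CMPerr(0, X509_R_UNSUPPORTED_ALGORITHM);` in the new X509_digest_sig() raises an X509 reason code through the CMP error library, a leftover of the original OSSL_CMP_X509_digest() that does not fit code now living in crypto/x509 and, per the util/libcrypto.num hunk, exported without the CMP guard. It should read `X509err(0, X509_R_UNSUPPORTED_ALGORITHM);`, matching the `X509err(0, ERR_R_PASSED_NULL_PARAMETER)` check a few lines above; as written, the reason string is looked up under the wrong error library and x_all.c depends on the CMP error macros. The two `return NULL` paths after X509_digest() and ASN1_OCTET_STRING_new() queue no error of their own, which is fine only if those callees report failure themselves (they are outside the hunk, so I cannot confirm); a one-line comment such as `/* X509_digest() and ASN1_OCTET_STRING_new() report their own errors */` would make that reliance explicit. The X509_digest.pod hunk would also benefit from stating that the function fails when no digest algorithm can be derived from the certificate's signature algorithm, which is the OBJ_find_sigid_algs()/EVP_get_digestbynid() path here.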
@@ -1,36 +0,0 @@ -=pod - -=head1 NAME - -OSSL_CMP_X509_digest -- CMP certificate utility functions - -=head1 SYNOPSIS - - #include - - ASN1_OCTET_STRING *OSSL_CMP_X509_digest(const X509 *cert); - -=head1 DESCRIPTION - -OSSL_CMP_X509_digest() calculates a digest of the given certificate -using the same hash algorithm as in the certificate signature. - -=head1 RETURN VALUES - -OSSL_CMP_X509_digest() returns an ASN1_OCTET_STRING on success, else NULL. - -=head1 HISTORY - -The OpenSSL CMP support was added in OpenSSL 3.0. - -=head1 COPYRIGHT - -Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved. - -Licensed under the Apache License 2.0 (the "License"). You may not use -this file except in compliance with the License. You can obtain a copy -in the file LICENSE in the source distribution or at -L. - -=cut diff --git a/doc/man3/X509_digest.pod b/doc/man3/X509_digest.pod index 52eb522b36..dfddd12e10 100644 --- a/doc/man3/X509_digest.pod +++ b/doc/man3/X509_digest.pod @@ -2,7 +2,9 @@ =head1 NAME -X509_digest, X509_CRL_digest, +X509_digest, +X509_digest_sig, +X509_CRL_digest, X509_pubkey_digest, X509_NAME_digest, X509_REQ_digest, @@ -15,6 +17,7 @@ PKCS7_ISSUER_AND_SERIAL_digest int X509_digest(const X509 *data, const EVP_MD *type, unsigned char *md, unsigned int *len); + ASN1_OCTET_STRING *X509_digest_sig(const X509 *cert); int X509_CRL_digest(const X509_CRL *data, const EVP_MD *type, unsigned char *md, unsigned int *len); @@ -36,8 +39,12 @@ PKCS7_ISSUER_AND_SERIAL_digest =head1 DESCRIPTION +X509_digest_sig() calculates a digest of the given certificate +using the same hash algorithm as in its signature. + X509_pubkey_digest() returns a digest of the DER representation of the public key in the specified X509 B object. + All other functions described here return a digest of the DER representation of their entire B objects. 
@@ -49,12 +56,18 @@ to a place where the digest size will be stored. =head1 RETURN VALUES -All functions described here return 1 for success and 0 for failure. +X509_digest_sig() returns an ASN1_OCTET_STRING on success, else NULL. + +All other functions described here return 1 for success and 0 for failure. =head1 SEE ALSO L +=head1 HISTORY + +The X509_digest_sig() function was added in OpenSSL 3.0. + =head1 COPYRIGHT Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved. diff --git a/include/openssl/cmp_util.h b/include/openssl/cmp_util.h index 3177893a34..6b6025b6ce 100644 --- a/include/openssl/cmp_util.h +++ b/include/openssl/cmp_util.h @@ -47,8 +47,6 @@ int OSSL_CMP_print_to_bio(BIO *bio, const char *component, const char *file, /* use of the logging callback for outputting error queue */ void OSSL_CMP_print_errors_cb(OSSL_cmp_log_cb_t log_fn); -ASN1_OCTET_STRING *OSSL_CMP_X509_digest(const X509 *cert); - # ifdef __cplusplus } # endif diff --git a/include/openssl/x509.h b/include/openssl/x509.h index a2d6e44e96..80328cb2eb 100644 --- a/include/openssl/x509.h +++ b/include/openssl/x509.h @@ -382,6 +382,7 @@ int X509_pubkey_digest(const X509 *data, const EVP_MD *type, unsigned char *md, unsigned int *len); int X509_digest(const X509 *data, const EVP_MD *type, unsigned char *md, unsigned int *len); +ASN1_OCTET_STRING *X509_digest_sig(const X509 *cert); int X509_CRL_digest(const X509_CRL *data, const EVP_MD *type, unsigned char *md, unsigned int *len); int X509_REQ_digest(const X509_REQ *data, const EVP_MD *type, diff --git a/util/libcrypto.num b/util/libcrypto.num index 76c3832d5f..15dd512a49 100644 --- a/util/libcrypto.num +++ b/util/libcrypto.num 
@@ -4956,6 +4956,7 @@ OSSL_SELF_TEST_onbegin ? 3_0_0 EXIST::FUNCTION:
 OSSL_SELF_TEST_oncorrupt_byte ? 3_0_0 EXIST::FUNCTION:
 OSSL_SELF_TEST_onend ? 3_0_0 EXIST::FUNCTION:
 OSSL_PROVIDER_set_default_search_path ? 3_0_0 EXIST::FUNCTION:
+X509_digest_sig ? 3_0_0 EXIST::FUNCTION:
 OSSL_CMP_MSG_dup ? 3_0_0 EXIST::FUNCTION:CMP
 OSSL_CMP_ITAV_dup ? 3_0_0 EXIST::FUNCTION:CMP
 d2i_OSSL_CMP_PKISI ? 3_0_0 EXIST::FUNCTION:CMP
@@ -4979,4 +4980,3 @@ OSSL_CMP_SRV_CTX_set_send_unprotected_errors ? 3_0_0 EXIST::FUNCTION:CMP
 OSSL_CMP_SRV_CTX_set_accept_unprotected ? 3_0_0 EXIST::FUNCTION:CMP
 OSSL_CMP_SRV_CTX_set_accept_raverified ? 3_0_0 EXIST::FUNCTION:CMP
 OSSL_CMP_SRV_CTX_set_grant_implicit_confirm ? 3_0_0 EXIST::FUNCTION:CMP
-OSSL_CMP_X509_digest ? 3_0_0 EXIST::FUNCTION:CMP