From: Richard Levitte Date: Fri, 24 Jan 2020 17:45:23 +0000 (+0100) Subject: Adapt some 'openssl' commands for SM2 changes. X-Git-Tag: openssl-3.0.0-alpha1~570 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=bac1030ae4f93f22b3a81e3a2d9d3c5db363d96f;p=oweals%2Fopenssl.git Adapt some 'openssl' commands for SM2 changes. There's no longer any need to make an EVP_PKEY type change for SM2 keys, so we trim away that code. Reviewed-by: Matt Caswell Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/10942) --- diff --git a/apps/req.c b/apps/req.c index 87994ceb7c..7140705f09 100644 --- a/apps/req.c +++ b/apps/req.c @@ -1674,41 +1674,16 @@ static int genpkey_cb(EVP_PKEY_CTX *ctx) return 1; } -#ifndef OPENSSL_NO_SM2 -static int ec_pkey_is_sm2(EVP_PKEY *pkey) -{ - EC_KEY *eckey = NULL; - const EC_GROUP *group = NULL; - - if (EVP_PKEY_id(pkey) == EVP_PKEY_SM2) - return 1; - if (EVP_PKEY_id(pkey) == EVP_PKEY_EC - && (eckey = EVP_PKEY_get0_EC_KEY(pkey)) != NULL - && (group = EC_KEY_get0_group(eckey)) != NULL - && EC_GROUP_get_curve_name(group) == NID_sm2) - return 1; - return 0; -} -#endif - static int do_sign_init(EVP_MD_CTX *ctx, EVP_PKEY *pkey, const EVP_MD *md, STACK_OF(OPENSSL_STRING) *sigopts) { EVP_PKEY_CTX *pkctx = NULL; -#ifndef OPENSSL_NO_SM2 EVP_PKEY_CTX *pctx = NULL; -#endif int i, def_nid, ret = 0; if (ctx == NULL) goto err; -#ifndef OPENSSL_NO_SM2 - if (ec_pkey_is_sm2(pkey)) { - /* initialize some SM2-specific code */ - if (!EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2)) { - BIO_printf(bio_err, "Internal error.\n"); - goto err; - } + if (EVP_PKEY_id(pkey) == EVP_PKEY_SM2) { pctx = EVP_PKEY_CTX_new(pkey, NULL); if (pctx == NULL) { BIO_printf(bio_err, "memory allocation failure.\n"); @@ -1725,7 +1700,6 @@ static int do_sign_init(EVP_MD_CTX *ctx, EVP_PKEY *pkey, } EVP_MD_CTX_set_pkey_ctx(ctx, pctx); } -#endif /* * EVP_PKEY_get_default_digest_nid() returns 2 if the digest is mandatory * for this algorithm. 
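Review bot: The new guard `if (EVP_PKEY_id(pkey) == EVP_PKEY_SM2)` in do_sign_init is narrower than the ec_pkey_is_sm2() it replaces, which also accepted an EVP_PKEY_EC key whose curve is NID_sm2; if any loader still hands over such a key, it now falls through to the generic path and gets an ECDSA signature instead of an SM2 one, with no error. The commit message says the type change is no longer needed, so this is presumably unreachable, but a regression test that signs a request with an SM2 key loaded from each supported input format would pin that. If the EC-on-SM2-curve shape is genuinely unsupported now, rejecting it explicitly is cheap: test `EVP_PKEY_id(pkey) == EVP_PKEY_EC` together with `EC_GROUP_get_curve_name(EC_KEY_get0_group(EVP_PKEY_get0_EC_KEY(pkey))) == NID_sm2` and `goto err` with a message naming the mismatch. The branch also deserves a why-comment, e.g. `/* SM2: attach our own EVP_PKEY_CTX to the MD ctx; the MD ctx does not own it, so callers free it via do_sign_cleanup() */`. do_sign_init's body continues past the end of this hunk.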
@@ -1748,90 +1722,63 @@ static int do_sign_init(EVP_MD_CTX *ctx, EVP_PKEY *pkey, ret = 1; err: -#ifndef OPENSSL_NO_SM2 if (!ret) EVP_PKEY_CTX_free(pctx); -#endif return ret; } +static void do_sign_cleanup(EVP_MD_CTX *ctx, EVP_PKEY *pkey) +{ + /* + * With SM2, do_sign_init() attached an EVP_PKEY_CTX to the EVP_MD_CTX, + * and we have to free it explicitly. + */ + if (EVP_PKEY_id(pkey) == EVP_PKEY_SM2) { + EVP_PKEY_CTX *pctx = EVP_MD_CTX_pkey_ctx(ctx); + + EVP_MD_CTX_set_pkey_ctx(ctx, NULL); + EVP_PKEY_CTX_free(pctx); + } +} + int do_X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md, STACK_OF(OPENSSL_STRING) *sigopts) { - int rv; + int rv = 0; EVP_MD_CTX *mctx = EVP_MD_CTX_new(); -#ifndef OPENSSL_NO_SM2 - EVP_PKEY_CTX *pctx = NULL; -#endif - rv = do_sign_init(mctx, pkey, md, sigopts); - if (rv > 0) { - rv = X509_sign_ctx(x, mctx); -#ifndef OPENSSL_NO_SM2 - /* - * only in SM2 case we need to free the pctx explicitly - * if do_sign_init() fails, pctx is already freed in it - */ - if (ec_pkey_is_sm2(pkey)) { - pctx = EVP_MD_CTX_pkey_ctx(mctx); - EVP_PKEY_CTX_free(pctx); - } -#endif + if (do_sign_init(mctx, pkey, md, sigopts) > 0) { + rv = (X509_sign_ctx(x, mctx) > 0); + do_sign_cleanup(mctx, pkey); } EVP_MD_CTX_free(mctx); - return rv > 0 ? 
1 : 0; + return rv; } int do_X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md, STACK_OF(OPENSSL_STRING) *sigopts) { - int rv; + int rv = 0; EVP_MD_CTX *mctx = EVP_MD_CTX_new(); -#ifndef OPENSSL_NO_SM2 - EVP_PKEY_CTX *pctx = NULL; -#endif - rv = do_sign_init(mctx, pkey, md, sigopts); - if (rv > 0) { - rv = X509_REQ_sign_ctx(x, mctx); -#ifndef OPENSSL_NO_SM2 - /* - * only in SM2 case we need to free the pctx explicitly - * if do_sign_init() fails, pctx is already freed in it - */ - if (ec_pkey_is_sm2(pkey)) { - pctx = EVP_MD_CTX_pkey_ctx(mctx); - EVP_PKEY_CTX_free(pctx); - } -#endif + if (do_sign_init(mctx, pkey, md, sigopts) > 0) { + rv = (X509_REQ_sign_ctx(x, mctx) > 0); + do_sign_cleanup(mctx, pkey); } EVP_MD_CTX_free(mctx); - return rv > 0 ? 1 : 0; + return rv; } int do_X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md, STACK_OF(OPENSSL_STRING) *sigopts) { - int rv; + int rv = 0; EVP_MD_CTX *mctx = EVP_MD_CTX_new(); -#ifndef OPENSSL_NO_SM2 - EVP_PKEY_CTX *pctx = NULL; -#endif - rv = do_sign_init(mctx, pkey, md, sigopts); - if (rv > 0) { - rv = X509_CRL_sign_ctx(x, mctx); -#ifndef OPENSSL_NO_SM2 - /* - * only in SM2 case we need to free the pctx explicitly - * if do_sign_init() fails, no need to double free pctx - */ - if (ec_pkey_is_sm2(pkey)) { - pctx = EVP_MD_CTX_pkey_ctx(mctx); - EVP_PKEY_CTX_free(pctx); - } -#endif + if (do_sign_init(mctx, pkey, md, sigopts) > 0) { + rv = (X509_CRL_sign_ctx(x, mctx) > 0); + do_sign_cleanup(mctx, pkey); } EVP_MD_CTX_free(mctx); - return rv > 0 ? 1 : 0; + return rv; } diff --git a/apps/speed.c b/apps/speed.c index a978bdf17a..d2afebb2c6 100644 --- a/apps/speed.c +++ b/apps/speed.c 
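Review bot: In the `err:` path at the top of this hunk, `EVP_PKEY_CTX_free(pctx)` runs while pctx may still be attached to ctx by the EVP_MD_CTX_set_pkey_ctx() call earlier in do_sign_init (that part is outside this hunk), so a failing do_sign_init returns to the caller with an EVP_MD_CTX that holds a dangling EVP_PKEY_CTX. The three callers below free mctx immediately and, as far as I recall, EVP_MD_CTX_set_pkey_ctx() marks the attached ctx as not owned by the MD ctx, so EVP_MD_CTX_free() will not touch it and this is benign today, but it is one refactor away from a use-after-free or double free. Detach before freeing, mirroring do_sign_cleanup(): `if (!ret && pctx != NULL) { EVP_MD_CTX_set_pkey_ctx(ctx, NULL); EVP_PKEY_CTX_free(pctx); }`; the `pctx != NULL` guard keeps the non-SM2 failure path and the `ctx == NULL` early exit untouched. do_sign_init begins outside this hunk.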
@@ -3399,8 +3399,6 @@ int speed_main(int argc, char **argv) /* attach it sooner to rely on main final cleanup */ loopargs[i].sm2_pkey[testnum] = sm2_pkey; loopargs[i].sigsize = ECDSA_size(EVP_PKEY_get0_EC_KEY(sm2_pkey)); - if (!EVP_PKEY_set_alias_type(sm2_pkey, EVP_PKEY_SM2)) - break; sm2_pctx = EVP_PKEY_CTX_new(sm2_pkey, NULL); sm2_vfy_pctx = EVP_PKEY_CTX_new(sm2_pkey, NULL);