Backport forgotten backports [1.1.1]

CHANGES

@@ -9,6 +9,11 @@
 
  Changes between 1.1.1d and 1.1.1e [xx XXX xxxx]
 
+  *) Added newline escaping functionality to a filename when using openssl dgst.
+     This output format is to replicate the output format found in the '*sum'
+     checksum programs. This aims to preserve backward compatibility.
+     [Matt Eaton, Richard Levitte, and Paul Dale]
+
   *) Print all values for a PKCS#12 attribute with 'openssl pkcs12', not just
      the first value.
      [Jon Spillett]

apps/dgst.c

@@ -413,13 +413,52 @@ int dgst_main(int argc, char **argv)
     return ret;
 }
 
+/*
+ * The newline_escape_filename function performs newline escaping for any
+ * filename that contains a newline.  This function also takes a pointer
+ * to backslash. The backslash pointer is a flag to indicating whether a newline
+ * is present in the filename.  If a newline is present, the backslash flag is
+ * set and the output format will contain a backslash at the beginning of the
+ * digest output. This output format is to replicate the output format found
+ * in the '*sum' checksum programs. This aims to preserve backward
+ * compatibility.
+ */
+static const char *newline_escape_filename(const char *file, int * backslash)
+{
+    size_t i, e = 0, length = strlen(file), newline_count = 0, mem_len = 0;
+    char *file_cpy = NULL;
+
+    for (i = 0; i < length; i++)
+        if (file[i] == '\n')
+            newline_count++;
+
+    mem_len = length + newline_count + 1;
+    file_cpy = app_malloc(mem_len, file);
+    i = 0;
+
+    while(e < length) {
+        const char c = file[e];
+        if (c == '\n') {
+            file_cpy[i++] = '\\';
+            file_cpy[i++] = 'n';
+            *backslash = 1;
+        } else {
+            file_cpy[i++] = c;
+        }
+        e++;
+    }
+    file_cpy[i] = '\0';
+    return (const char*)file_cpy;
+}
+
+
 int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
           EVP_PKEY *key, unsigned char *sigin, int siglen,
           const char *sig_name, const char *md_name,
           const char *file)
 {
     size_t len;
-    int i;
+    int i, backslash = 0;
 
     while (BIO_pending(bp) || !BIO_eof(bp)) {
         i = BIO_read(bp, (char *)buf, BUFSIZE);
@@ -467,9 +506,16 @@ int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
     if (binout) {
         BIO_write(out, buf, len);
     } else if (sep == 2) {
+        file = newline_escape_filename(file, &backslash);
+
+        if (backslash == 1)
+            BIO_puts(out, "\\");
+
         for (i = 0; i < (int)len; i++)
             BIO_printf(out, "%02x", buf[i]);
+
         BIO_printf(out, " *%s\n", file);
+        OPENSSL_free((char *)file);
     } else {
         if (sig_name != NULL) {
             BIO_puts(out, sig_name);

crypto/dsa/dsa_pmeth.c

@@ -178,9 +178,7 @@ static int pkey_dsa_ctrl_str(EVP_PKEY_CTX *ctx,
     }
     if (strcmp(type, "dsa_paramgen_q_bits") == 0) {
         int qbits = atoi(value);
-        return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DSA, EVP_PKEY_OP_PARAMGEN,
-                                 EVP_PKEY_CTRL_DSA_PARAMGEN_Q_BITS, qbits,
-                                 NULL);
+        return EVP_PKEY_CTX_set_dsa_paramgen_q_bits(ctx, qbits);
     }
     if (strcmp(type, "dsa_paramgen_md") == 0) {
         const EVP_MD *md = EVP_get_digestbyname(value);
@@ -189,9 +187,7 @@ static int pkey_dsa_ctrl_str(EVP_PKEY_CTX *ctx,
             DSAerr(DSA_F_PKEY_DSA_CTRL_STR, DSA_R_INVALID_DIGEST_TYPE);
             return 0;
         }
-        return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DSA, EVP_PKEY_OP_PARAMGEN,
-                                 EVP_PKEY_CTRL_DSA_PARAMGEN_MD, 0,
-                                 (void *)md);
+        return EVP_PKEY_CTX_set_dsa_paramgen_md(ctx, md);
     }
     return -2;
 }

doc/man1/ca.pod

@@ -51,6 +51,7 @@ B<openssl> B<ca>
 [B<-engine id>]
 [B<-subj arg>]
 [B<-utf8>]
+[B<-sigopt nm:v>]
 [B<-create_serial>]
 [B<-rand_serial>]
 [B<-multivalue-rdn>]
@@ -134,6 +135,11 @@ The private key to sign requests with.
 The format of the data in the private key file.
 The default is PEM.
 
+=item B<-sigopt nm:v>
+
+Pass options to the signature algorithm during sign or verify operations.
+Names and values of these options are algorithm-specific.
+
 =item B<-key password>
 
 The password used to encrypt the private key. Since on some

doc/man1/dgst.pod

@@ -22,6 +22,7 @@ B<openssl dgst>
 [B<-verify filename>]
 [B<-prverify filename>]
 [B<-signature filename>]
+[B<-sigopt nm:v>]
 [B<-hmac key>]
 [B<-fips-fingerprint>]
 [B<-rand file...>]
@@ -78,7 +79,8 @@ Output the digest or signature in binary form.
 
 =item B<-r>
 
-Output the digest in the "coreutils" format used by programs like B<sha1sum>.
+Output the digest in the "coreutils" format, including newlines.
+Used by programs like B<sha1sum>.
 
 =item B<-out filename>
 

doc/man1/req.pod

@@ -46,6 +46,7 @@ B<openssl> B<req>
 [B<-reqopt>]
 [B<-subject>]
 [B<-subj arg>]
+[B<-sigopt nm:v>]
 [B<-batch>]
 [B<-verbose>]
 [B<-engine id>]
@@ -82,6 +83,11 @@ This specifies the input filename to read a request from or standard input
 if this option is not specified. A request is only read if the creation
 options (B<-new> and B<-newkey>) are not specified.
 
+=item B<-sigopt nm:v>
+
+Pass options to the signature algorithm during sign or verify operations.
+Names and values of these options are algorithm-specific.
+
 =item B<-passin arg>
 
 The input file password source. For more information about the format of B<arg>
@@ -689,7 +695,7 @@ L<x509v3_config(5)>
 
 =head1 COPYRIGHT
 
-Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the OpenSSL license (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy

doc/man1/x509.pod

@@ -61,6 +61,7 @@ B<openssl> B<x509>
 [B<-clrext>]
 [B<-extfile filename>]
 [B<-extensions section>]
+[B<-sigopt nm:v>]
 [B<-rand file...>]
 [B<-writerand file>]
 [B<-engine id>]
@@ -366,6 +367,11 @@ If the input is a certificate request then a self signed certificate
 is created using the supplied private key using the subject name in
 the request.
 
+=item B<-sigopt nm:v>
+
+Pass options to the signature algorithm during sign or verify operations.
+Names and values of these options are algorithm-specific.
+
 =item B<-passin arg>
 
 The key password source. For more information about the format of B<arg>

doc/man3/EVP_DigestInit.pod

@@ -2,17 +2,17 @@
 
 =head1 NAME
 
-EVP_MD_CTX_new, EVP_MD_CTX_reset, EVP_MD_CTX_free, EVP_MD_CTX_copy_ex,
-EVP_MD_CTX_ctrl, EVP_MD_CTX_set_flags, EVP_MD_CTX_clear_flags,
-EVP_MD_CTX_test_flags, EVP_DigestInit_ex, EVP_DigestInit, EVP_DigestUpdate,
+EVP_MD_CTX_new, EVP_MD_CTX_reset, EVP_MD_CTX_free, EVP_MD_CTX_copy,
+EVP_MD_CTX_copy_ex, EVP_MD_CTX_ctrl, EVP_MD_CTX_set_flags,
+EVP_MD_CTX_clear_flags, EVP_MD_CTX_test_flags,
+EVP_Digest, EVP_DigestInit_ex, EVP_DigestInit, EVP_DigestUpdate,
 EVP_DigestFinal_ex, EVP_DigestFinalXOF, EVP_DigestFinal,
-EVP_MD_CTX_copy, EVP_MD_type, EVP_MD_pkey_type, EVP_MD_size,
-EVP_MD_block_size, EVP_MD_CTX_md, EVP_MD_CTX_size,
-EVP_MD_CTX_block_size, EVP_MD_CTX_type, EVP_MD_CTX_md_data,
+EVP_MD_type, EVP_MD_pkey_type, EVP_MD_size, EVP_MD_block_size, EVP_MD_flags,
+EVP_MD_CTX_md, EVP_MD_CTX_type, EVP_MD_CTX_size, EVP_MD_CTX_block_size,
+EVP_MD_CTX_md_data, EVP_MD_CTX_update_fn, EVP_MD_CTX_set_update_fn,
 EVP_md_null,
-EVP_get_digestbyname, EVP_get_digestbynid,
-EVP_get_digestbyobj,
-EVP_MD_CTX_set_pkey_ctx - EVP digest routines
+EVP_get_digestbyname, EVP_get_digestbynid, EVP_get_digestbyobj,
+EVP_MD_CTX_pkey_ctx, EVP_MD_CTX_set_pkey_ctx - EVP digest routines
 
 =head1 SYNOPSIS
 
@@ -26,6 +26,8 @@ EVP_MD_CTX_set_pkey_ctx - EVP digest routines
  void EVP_MD_CTX_clear_flags(EVP_MD_CTX *ctx, int flags);
  int EVP_MD_CTX_test_flags(const EVP_MD_CTX *ctx, int flags);
 
+ int EVP_Digest(const void *data, size_t count, unsigned char *md,
+                unsigned int *size, const EVP_MD *type, ENGINE *impl);
  int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl);
  int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *d, size_t cnt);
  int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s);
@@ -42,19 +44,26 @@ EVP_MD_CTX_set_pkey_ctx - EVP digest routines
  int EVP_MD_pkey_type(const EVP_MD *md);
  int EVP_MD_size(const EVP_MD *md);
  int EVP_MD_block_size(const EVP_MD *md);
+ unsigned long EVP_MD_flags(const EVP_MD *md);
 
  const EVP_MD *EVP_MD_CTX_md(const EVP_MD_CTX *ctx);
  int EVP_MD_CTX_size(const EVP_MD_CTX *ctx);
  int EVP_MD_CTX_block_size(const EVP_MD_CTX *ctx);
  int EVP_MD_CTX_type(const EVP_MD_CTX *ctx);
  void *EVP_MD_CTX_md_data(const EVP_MD_CTX *ctx);
+ int (*EVP_MD_CTX_update_fn(EVP_MD_CTX *ctx))(EVP_MD_CTX *ctx,
+                                              const void *data, size_t count);
+ void EVP_MD_CTX_set_update_fn(EVP_MD_CTX *ctx,
+                               int (*update)(EVP_MD_CTX *ctx,
+                                             const void *data, size_t count));
 
  const EVP_MD *EVP_md_null(void);
 
  const EVP_MD *EVP_get_digestbyname(const char *name);
  const EVP_MD *EVP_get_digestbynid(int type);
  const EVP_MD *EVP_get_digestbyobj(const ASN1_OBJECT *o);
 
+ EVP_PKEY_CTX *EVP_MD_CTX_pkey_ctx(const EVP_MD_CTX *ctx);
  void EVP_MD_CTX_set_pkey_ctx(EVP_MD_CTX *ctx, EVP_PKEY_CTX *pctx);
 
 =head1 DESCRIPTION
@@ -79,12 +88,24 @@ Cleans up digest context B<ctx> and frees up the space allocated to it.
 
 =item EVP_MD_CTX_ctrl()
 
-Performs digest-specific control actions on context B<ctx>.
+Performs digest-specific control actions on context B<ctx>. The control command
+is indicated in B<cmd> and any additional arguments in B<p1> and B<p2>.
+EVP_MD_CTX_ctrl() must be called after EVP_DigestInit_ex(). Other restrictions
+may apply depending on the control type and digest implementation.
+See L</CONTROLS> below for more information.
 
 =item EVP_MD_CTX_set_flags(), EVP_MD_CTX_clear_flags(), EVP_MD_CTX_test_flags()
 
 Sets, clears and tests B<ctx> flags.  See L</FLAGS> below for more information.
 
+=item EVP_Digest()
+
+A wrapper around the Digest Init_ex, Update and Final_ex functions.
+Hashes B<count> bytes of data at B<data> using a digest B<type> from ENGINE
+B<impl>. The digest value is placed in B<md> and its length is written at B<size>
+if the pointer is not NULL. At most B<EVP_MAX_MD_SIZE> bytes will be written.
+If B<impl> is NULL the default implementation of digest B<type> is used.
+
 =item EVP_DigestInit_ex()
 
 Sets up digest context B<ctx> to use a digest B<type> from ENGINE B<impl>.
@@ -163,6 +184,21 @@ EVP_MD_meth_set_app_datasize().
 
 Returns the B<EVP_MD> structure corresponding to the passed B<EVP_MD_CTX>.
 
+=item EVP_MD_CTX_set_update_fn()
+
+Sets the update function for B<ctx> to B<update>.
+This is the function that is called by EVP_DigestUpdate. If not set, the
+update function from the B<EVP_MD> type specified at initialization is used.
+
+=item EVP_MD_CTX_update_fn()
+
+Returns the update function for B<ctx>.
+
+=item EVP_MD_flags()
+
+Returns the B<md> flags. Note that these are different from the B<EVP_MD_CTX>
+ones. See L<EVP_MD_meth_set_flags(3)> for more information.
+
 =item EVP_MD_pkey_type()
 
 Returns the NID of the public key signing algorithm associated with this
@@ -182,17 +218,43 @@ EVP_get_digestbyobj()
 Returns an B<EVP_MD> structure when passed a digest name, a digest B<NID> or an
 B<ASN1_OBJECT> structure respectively.
 
+=item EVP_MD_CTX_pkey_ctx()
+
+Returns the B<EVP_PKEY_CTX> assigned to B<ctx>. The returned pointer should not
+be freed by the caller.
+
 =item EVP_MD_CTX_set_pkey_ctx()
 
 Assigns an B<EVP_PKEY_CTX> to B<EVP_MD_CTX>. This is usually used to provide
-a customzied B<EVP_PKEY_CTX> to L<EVP_DigestSignInit(3)> or
+a customized B<EVP_PKEY_CTX> to L<EVP_DigestSignInit(3)> or
 L<EVP_DigestVerifyInit(3)>. The B<pctx> passed to this function should be freed
 by the caller. A NULL B<pctx> pointer is also allowed to clear the B<EVP_PKEY_CTX>
 assigned to B<ctx>. In such case, freeing the cleared B<EVP_PKEY_CTX> or not
 depends on how the B<EVP_PKEY_CTX> is created.
 
 =back
 
+=head1 CONTROLS
+
+EVP_MD_CTX_ctrl() can be used to send the following standard controls:
+
+=over 4
+
+=item EVP_MD_CTRL_MICALG
+
+Gets the digest Message Integrity Check algorithm string. This is used when
+creating S/MIME multipart/signed messages, as specified in RFC 3851.
+The string value is written to B<p2>.
+
+=item EVP_MD_CTRL_XOF_LEN
+
+This control sets the digest length for extendable output functions to B<p1>.
+Sending this control directly should not be necessary, the use of
+C<EVP_DigestFinalXOF()> is preferred.
+Currently used by SHAKE.
+
+=back
+
 =head1 FLAGS
 
 EVP_MD_CTX_set_flags(), EVP_MD_CTX_clear_flags() and EVP_MD_CTX_test_flags()
@@ -245,8 +307,7 @@ Returns 1 if successful or 0 for failure.
 Returns 1 if successful or 0 for failure.
 
 =item EVP_MD_type(),
-EVP_MD_pkey_type(),
-EVP_MD_type()
+EVP_MD_pkey_type()
 
 Returns the NID of the corresponding OBJECT IDENTIFIER or NID_undef if none
 exists.
@@ -350,6 +411,7 @@ digest name passed on the command line.
 
 =head1 SEE ALSO
 
+L<EVP_MD_meth_new(3)>,
 L<dgst(1)>,
 L<evp(7)>