[pull] master from openssl:master

apps/enc.c

@@ -142,15 +142,15 @@ const OPTIONS enc_options[] = {
 };
 
 static EVP_SKEY *skey_from_params(const EVP_CIPHER *cipher, const char *skeymgmt,
-                                  STACK_OF(OPENSSL_STRING) *opts)
+    STACK_OF(OPENSSL_STRING) *opts)
 {
     EVP_SKEY *skey = NULL;
     EVP_SKEYMGMT *mgmt = NULL;
     OSSL_PARAM *params = NULL;
 
     mgmt = EVP_SKEYMGMT_fetch(app_get0_libctx(),
-                              skeymgmt != NULL ? skeymgmt : EVP_CIPHER_name(cipher),
-                              app_get0_propq());
+        skeymgmt != NULL ? skeymgmt : EVP_CIPHER_name(cipher),
+        app_get0_propq());
     if (mgmt == NULL)
         return NULL;
 
@@ -161,7 +161,7 @@ static EVP_SKEY *skey_from_params(const EVP_CIPHER *cipher, const char *skeymgmt
     }
 
     skey = EVP_SKEY_import(app_get0_libctx(), EVP_SKEYMGMT_get0_name(mgmt),
-                           app_get0_propq(), OSSL_SKEYMGMT_SELECT_ALL, params);
+        app_get0_propq(), OSSL_SKEYMGMT_SELECT_ALL, params);
     OSSL_PARAM_free(params);
     EVP_SKEYMGMT_free(mgmt);
 
@@ -749,7 +749,7 @@ int enc_main(int argc, char **argv)
                 skey = skey_from_params(cipher, skeymgmt, skeyopts);
                 if (skey == NULL) {
                     BIO_printf(bio_err, "Error creating opaque key object for skeymgmt %s\n",
-                               skeymgmt ? skeymgmt : EVP_CIPHER_name(cipher));
+                        skeymgmt ? skeymgmt : EVP_CIPHER_name(cipher));
                     goto end;
                 }
             }

apps/genpkey.c

@@ -22,6 +22,7 @@ static int init_keygen_file(EVP_PKEY_CTX **pctx, const char *file,
 typedef enum OPTION_choice {
     OPT_COMMON,
     OPT_OUTFORM,
+    OPT_ENCOPT,
     OPT_OUT,
     OPT_PASS,
     OPT_PARAMFILE,
@@ -53,6 +54,7 @@ const OPTIONS genpkey_options[] = {
     { "out", OPT_OUT, '>', "Output (private key) file" },
     { "outpubkey", OPT_OUTPUBKEY, '>', "Output public key file" },
     { "outform", OPT_OUTFORM, 'F', "output format (DER or PEM)" },
+    { "encopt", OPT_ENCOPT, 's', "Private key encoder parameter" },
     { "pass", OPT_PASS, 's', "Output file pass phrase source" },
     { "genparam", OPT_GENPARAM, '-', "Generate parameters, not key" },
     { "text", OPT_TEXT, '-', "Print the private key in text" },
@@ -130,6 +132,7 @@ int genpkey_main(int argc, char **argv)
     OPTION_CHOICE o;
     int outformat = FORMAT_PEM, text = 0, ret = 1, rv, do_param = 0;
     int private = 0, i;
+    STACK_OF(OPENSSL_STRING) *encopt = NULL;
     OSSL_LIB_CTX *libctx = app_get0_libctx();
     STACK_OF(OPENSSL_STRING) *keyopt = NULL;
 
@@ -154,6 +157,12 @@ int genpkey_main(int argc, char **argv)
             if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &outformat))
                 goto opthelp;
             break;
+        case OPT_ENCOPT:
+            if (encopt == NULL)
+                encopt = sk_OPENSSL_STRING_new_null();
+            if (!sk_OPENSSL_STRING_push(encopt, opt_arg()))
+                goto end;
+            break;
         case OPT_OUT:
             outfile = opt_arg();
             break;
@@ -272,12 +281,12 @@ int genpkey_main(int argc, char **argv)
         rv = PEM_write_bio_Parameters(mem_out, pkey);
     } else if (outformat == FORMAT_PEM) {
         assert(private);
-        rv = PEM_write_bio_PrivateKey(mem_out, pkey, cipher, NULL, 0, NULL, pass);
+        rv = encode_private_key(mem_out, "PEM", pkey, encopt, cipher, pass);
         if (rv > 0 && mem_outpubkey != NULL)
             rv = PEM_write_bio_PUBKEY(mem_outpubkey, pkey);
     } else if (outformat == FORMAT_ASN1) {
         assert(private);
-        rv = i2d_PrivateKey_bio(mem_out, pkey);
+        rv = encode_private_key(mem_out, "DER", pkey, encopt, cipher, pass);
         if (rv > 0 && mem_outpubkey != NULL)
             rv = i2d_PUBKEY_bio(mem_outpubkey, pkey);
     } else {
@@ -322,6 +331,7 @@ int genpkey_main(int argc, char **argv)
                     outfile, strerror(errno));
         }
     }
+    sk_OPENSSL_STRING_free(encopt);
     EVP_PKEY_free(pkey);
     EVP_PKEY_CTX_free(ctx);
     EVP_CIPHER_free(cipher);

apps/include/apps.h

@@ -102,6 +102,10 @@ int wrap_password_callback(char *buf, int bufsiz, int verify, void *cb_data);
 int progress_cb(EVP_PKEY_CTX *ctx);
 
 void dump_cert_text(BIO *out, X509 *x);
+int encode_private_key(
+    BIO *out, const char *output_type, const EVP_PKEY *pkey,
+    const STACK_OF(OPENSSL_STRING) *encopt, const EVP_CIPHER *cipher,
+    const char *pass);
 void print_name(BIO *out, const char *title, const X509_NAME *nm);
 void print_bignum_var(BIO *, const BIGNUM *, const char *,
     int, unsigned char *);

apps/lib/apps.c

@@ -39,6 +39,7 @@
 #include <openssl/bn.h>
 #include <openssl/ssl.h>
 #include <openssl/core_names.h>
+#include <openssl/encoder.h>
 #include "s_apps.h"
 #include "apps.h"
 
@@ -606,12 +607,12 @@ EVP_PKEY *load_keyparams(const char *uri, int format, int maybe_stdin,
 }
 
 EVP_SKEY *load_skey(const char *uri, int format, int may_stdin,
-                    const char *pass, int quiet)
+    const char *pass, int quiet)
 {
     EVP_SKEY *skey = NULL;
 
     (void)load_key_certs_crls(uri, format, may_stdin, pass, NULL, 0,
-                              NULL, NULL, NULL, NULL, NULL, NULL, NULL, &skey);
+        NULL, NULL, NULL, NULL, NULL, NULL, NULL, &skey);
 
     return skey;
 }
@@ -2109,6 +2110,65 @@ int pkey_ctrl_string(EVP_PKEY_CTX *ctx, const char *value)
     return rv;
 }
 
+static int
+encoder_ctrl_string(OSSL_ENCODER_CTX *ctx, const char *value)
+{
+    int rv = 0;
+    char *stmp, *vtmp = NULL;
+
+    stmp = OPENSSL_strdup(value);
+    if (stmp == NULL)
+        return -1;
+    vtmp = strchr(stmp, ':');
+    if (vtmp == NULL) {
+        BIO_printf(bio_err,
+            "Missing encoder option value: %s\n", value);
+        goto end;
+    }
+
+    *vtmp = 0;
+    vtmp++;
+    rv = OSSL_ENCODER_CTX_ctrl_string(ctx, stmp, vtmp);
+
+end:
+    OPENSSL_free(stmp);
+    return rv;
+}
+
+int encode_private_key(BIO *out, const char *output_type, const EVP_PKEY *pkey,
+    const STACK_OF(OPENSSL_STRING) *encopt,
+    const EVP_CIPHER *cipher, const char *pass)
+{
+    int ret = 0;
+    OSSL_ENCODER_CTX *ectx = OSSL_ENCODER_CTX_new_for_pkey(pkey, EVP_PKEY_PRIVATE_KEY,
+        output_type, "PrivateKeyInfo", NULL);
+
+    if (ectx == NULL)
+        return 0;
+
+    if (cipher != NULL)
+        if (!OSSL_ENCODER_CTX_set_cipher(ectx, EVP_CIPHER_get0_name(cipher), NULL)
+            || !OSSL_ENCODER_CTX_set_passphrase(ectx, (const unsigned char *)pass,
+                strlen(pass)))
+            goto end;
+
+    if (encopt != NULL) {
+        int i, n = sk_OPENSSL_STRING_num(encopt);
+
+        for (i = 0; i < n; ++i) {
+            const char *opt = sk_OPENSSL_STRING_value(encopt, i);
+
+            if (encoder_ctrl_string(ectx, opt) <= 0)
+                goto end;
+        }
+    }
+
+    ret = OSSL_ENCODER_to_bio(ectx, out);
+end:
+    OSSL_ENCODER_CTX_free(ectx);
+    return ret;
+}
+
 static void nodes_print(const char *name, STACK_OF(X509_POLICY_NODE) *nodes)
 {
     X509_POLICY_NODE *node;

apps/pkey.c

@@ -14,13 +14,15 @@
 #include "ec_common.h"
 #include <openssl/pem.h>
 #include <openssl/err.h>
+#include <openssl/encoder.h>
 #include <openssl/evp.h>
 #include <openssl/core_names.h>
 
 typedef enum OPTION_choice {
     OPT_COMMON,
     OPT_INFORM,
     OPT_OUTFORM,
+    OPT_ENCOPT,
     OPT_PASSIN,
     OPT_PASSOUT,
     OPT_IN,
@@ -57,6 +59,7 @@ const OPTIONS pkey_options[] = {
     OPT_SECTION("Output"),
     { "out", OPT_OUT, '>', "Output file for encoded and/or text output" },
     { "outform", OPT_OUTFORM, 'F', "Output encoding format (DER or PEM)" },
+    { "encopt", OPT_ENCOPT, 's', "Private key encoder parameter" },
     { "", OPT_CIPHER, '-', "Any supported cipher to be used for encryption" },
     { "passout", OPT_PASSOUT, 's', "Output PEM file pass phrase source" },
     { "traditional", OPT_TRADITIONAL, '-',
@@ -86,6 +89,7 @@ int pkey_main(int argc, char **argv)
     int informat = FORMAT_UNDEF, outformat = FORMAT_PEM;
     int pubin = 0, pubout = 0, text_pub = 0, text = 0, noout = 0, ret = 1;
     int private = 0, traditional = 0, check = 0, pub_check = 0;
+    STACK_OF(OPENSSL_STRING) *encopt = NULL;
 #ifndef OPENSSL_NO_EC
     char *asn1_encoding = NULL;
     char *point_format = NULL;
@@ -112,6 +116,12 @@ int pkey_main(int argc, char **argv)
             if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &outformat))
                 goto opthelp;
             break;
+        case OPT_ENCOPT:
+            if (encopt == NULL)
+                encopt = sk_OPENSSL_STRING_new_null();
+            if (!sk_OPENSSL_STRING_push(encopt, opt_arg()))
+                goto end;
+            break;
         case OPT_PASSIN:
             passinarg = opt_arg();
             break;
@@ -201,10 +211,21 @@ int pkey_main(int argc, char **argv)
         if (passoutarg != NULL)
             BIO_printf(bio_err,
                 "Warning: The -passout option is ignored without a cipher option\n");
+    } else if (noout) {
+        EVP_CIPHER_free(cipher);
+        cipher = NULL;
     } else {
-        if (noout || outformat != FORMAT_PEM) {
+        switch (outformat) {
+        case FORMAT_PEM:
+            break;
+        case FORMAT_ASN1:
+            if (!traditional)
+                break;
+            /* FALLTHROUGH */
+        default:
             BIO_printf(bio_err,
-                "Error: Cipher options are supported only for PEM output\n");
+                "Error: Cipher options are supported only in PEM "
+                "and non-traditional DER output forms\n");
             goto end;
         }
     }
@@ -284,8 +305,7 @@ int pkey_main(int argc, char **argv)
                             passout))
                         goto end;
                 } else {
-                    if (!PEM_write_bio_PrivateKey(out, pkey, cipher,
-                            NULL, 0, NULL, passout))
+                    if (!encode_private_key(out, "PEM", pkey, encopt, cipher, passout))
                         goto end;
                 }
             }
@@ -304,8 +324,7 @@ int pkey_main(int argc, char **argv)
                     if (!i2d_PrivateKey_bio(out, pkey))
                         goto end;
                 } else {
-                    if (!i2d_PKCS8PrivateKey_bio(out, pkey, NULL, NULL, 0,
-                            NULL, NULL))
+                    if (!encode_private_key(out, "DER", pkey, encopt, cipher, passout))
                         goto end;
                 }
             }
@@ -329,6 +348,7 @@ int pkey_main(int argc, char **argv)
 end:
     if (ret != 0)
         ERR_print_errors(bio_err);
+    sk_OPENSSL_STRING_free(encopt);
     EVP_PKEY_CTX_free(ctx);
     EVP_PKEY_free(pkey);
     EVP_CIPHER_free(cipher);

apps/req.c

@@ -719,7 +719,7 @@ int req_main(int argc, char **argv)
             else
                 BIO_printf(bio_err, "'%s'\n", keyout);
         }
-        out = bio_open_owner(keyout, outformat, newreq);
+        out = bio_open_owner(keyout, outformat, 1);
         if (out == NULL)
             goto end;
 

crypto/arm_arch.h

@@ -192,7 +192,9 @@ extern unsigned int OPENSSL_armv8_rsa_neonized;
 #endif
 
 #if GNU_PROPERTY_AARCH64_POINTER_AUTH != 0 || GNU_PROPERTY_AARCH64_BTI != 0
-.pushsection.note.gnu.property, "a";
+/* clang-format off */
+.pushsection .note.gnu.property, "a";
+/* clang-format on */
 .balign 8;
 .long 4;
 .long 0x10;

crypto/asn1/evp_asn1.c

@@ -89,7 +89,7 @@ ASN1_SEQUENCE(asn1_int_oct) = {
     ASN1_SIMPLE(asn1_int_oct, oct, ASN1_OCTET_STRING)
 } static_ASN1_SEQUENCE_END(asn1_int_oct)
 
-    DECLARE_ASN1_ITEM(asn1_int_oct)
+DECLARE_ASN1_ITEM(asn1_int_oct)
 
 int ASN1_TYPE_set_int_octetstring(ASN1_TYPE *a, long num, unsigned char *data,
     int len)
@@ -145,7 +145,7 @@ ASN1_SEQUENCE(asn1_oct_int) = {
     ASN1_EMBED(asn1_oct_int, num, INT32)
 } static_ASN1_SEQUENCE_END(asn1_oct_int)
 
-    DECLARE_ASN1_ITEM(asn1_oct_int)
+DECLARE_ASN1_ITEM(asn1_oct_int)
 
 int ossl_asn1_type_set_octetstring_int(ASN1_TYPE *a, long num,
     unsigned char *data, int len)

crypto/asn1/n_pkey.c

@@ -52,6 +52,6 @@ ASN1_SEQUENCE(NETSCAPE_PKEY) = {
     ASN1_SIMPLE(NETSCAPE_PKEY, private_key, ASN1_OCTET_STRING)
 } static_ASN1_SEQUENCE_END(NETSCAPE_PKEY)
 
-    DECLARE_ASN1_FUNCTIONS(NETSCAPE_PKEY)
+DECLARE_ASN1_FUNCTIONS(NETSCAPE_PKEY)
 DECLARE_ASN1_ENCODE_FUNCTIONS_name(NETSCAPE_PKEY, NETSCAPE_PKEY)
 IMPLEMENT_ASN1_FUNCTIONS(NETSCAPE_PKEY)