[openssl-commits] [openssl] master update
Dr. Stephen Henson
steve at openssl.org
Sat Sep 5 23:18:43 UTC 2015
The branch master has been updated
via 551a2f26aa54f0a9210128f3b4c1c4a7e8a85e41 (commit)
via a8d8e06b0ac06c421fd11cc1772126dcb98f79ae (commit)
via f728254a840bf7fdd2252fe09e11a0e99c7df1d4 (commit)
from fda23e2d93761736b880cdfd7eb393cc623d9b7a (commit)
- Log -----------------------------------------------------------------
commit 551a2f26aa54f0a9210128f3b4c1c4a7e8a85e41
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Thu Sep 3 18:40:19 2015 +0100
make update
Reviewed-by: Tim Hudson <tjh at openssl.org>
commit a8d8e06b0ac06c421fd11cc1772126dcb98f79ae
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Wed Sep 2 22:01:18 2015 +0100
Avoid direct X509 structure access
Reviewed-by: Tim Hudson <tjh at openssl.org>
commit f728254a840bf7fdd2252fe09e11a0e99c7df1d4
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Wed Sep 2 21:46:39 2015 +0100
Replace X509 macros with functions
Reviewed-by: Tim Hudson <tjh at openssl.org>
-----------------------------------------------------------------------
Summary of changes:
apps/ca.c | 23 ++++++-----------------
apps/x509.c | 9 +++++++--
crypto/ocsp/ocsp_vfy.c | 4 ++--
crypto/pkcs7/pk7_doit.c | 6 +++---
crypto/ts/ts_rsp_sign.c | 6 +++---
crypto/ts/ts_rsp_verify.c | 14 +++++++-------
crypto/x509/x509_set.c | 25 +++++++++++++++++++++++++
crypto/x509/x509type.c | 2 +-
crypto/x509v3/pcy_tree.c | 14 +++++++++-----
include/openssl/x509.h | 21 ++++++++++-----------
ssl/ssl_cert.c | 3 +--
ssl/ssl_lib.c | 36 ++++++++++++------------------------
test/ssltest.c | 2 +-
util/libeay.num | 5 +++++
14 files changed, 92 insertions(+), 78 deletions(-)
diff --git a/apps/ca.c b/apps/ca.c
index b93cff5..5cd8002 100644
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -1052,13 +1052,14 @@ end_of_options:
if (verbose)
BIO_printf(bio_err, "writing new certificates\n");
for (i = 0; i < sk_X509_num(cert_sk); i++) {
+ ASN1_INTEGER *serialNumber = X509_get_serialNumber(x);
int k;
char *n;
x = sk_X509_value(cert_sk, i);
- j = x->cert_info->serialNumber->length;
- p = (const char *)x->cert_info->serialNumber->data;
+ j = ASN1_STRING_length(serialNumber);
+ p = (const char *)ASN1_STRING_data(serialNumber);
if (strlen(outdir) >= (size_t)(j ? BSIZE - j * 2 - 6 : BSIZE - 8)) {
BIO_printf(bio_err, "certificate file name too long\n");
@@ -1450,7 +1451,6 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
ASN1_STRING *str, *str2;
ASN1_OBJECT *obj;
X509 *ret = NULL;
- X509_CINF *ci;
X509_NAME_ENTRY *ne;
X509_NAME_ENTRY *tne, *push;
EVP_PKEY *pktmp;
@@ -1546,7 +1546,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
if (selfsign)
CAname = X509_NAME_dup(name);
else
- CAname = X509_NAME_dup(x509->cert_info->subject);
+ CAname = X509_NAME_dup(X509_get_subject_name(x509));
if (CAname == NULL)
goto end;
str = str2 = NULL;
@@ -1755,7 +1755,6 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
if ((ret = X509_new()) == NULL)
goto end;
- ci = ret->cert_info;
#ifdef X509_V3
/* Make it an X509 v3 certificate. */
@@ -1763,7 +1762,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
goto end;
#endif
- if (BN_to_ASN1_INTEGER(serial, ci->serialNumber) == NULL)
+ if (BN_to_ASN1_INTEGER(serial, X509_get_serialNumber(ret)) == NULL)
goto end;
if (selfsign) {
if (!X509_set_issuer_name(ret, subject))
@@ -1799,17 +1798,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
/* Lets add the extensions, if there are any */
if (ext_sect) {
X509V3_CTX ctx;
- if (ci->version == NULL)
- if ((ci->version = ASN1_INTEGER_new()) == NULL)
- goto end;
- ASN1_INTEGER_set(ci->version, 2); /* version 3 certificate */
-
- /*
- * Free the current entries if any, there should not be any I believe
- */
- sk_X509_EXTENSION_pop_free(ci->extensions, X509_EXTENSION_free);
-
- ci->extensions = NULL;
+ X509_set_version(ret, 2);
/* Initialize the context structure */
if (selfsign)
diff --git a/apps/x509.c b/apps/x509.c
index 6b41a75..acce9e9 100644
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -894,8 +894,13 @@ int x509_main(int argc, char **argv)
goto end;
}
- if (badsig)
- x->signature->data[x->signature->length - 1] ^= 0x1;
+ if (badsig) {
+ ASN1_BIT_STRING *signature;
+ unsigned char *s;
+ X509_get0_signature(&signature, NULL, x);
+ s = ASN1_STRING_data(signature);
+ s[ASN1_STRING_length(signature) - 1] ^= 0x1;
+ }
if (outformat == FORMAT_ASN1)
i = i2d_X509_bio(out, x);
diff --git a/crypto/ocsp/ocsp_vfy.c b/crypto/ocsp/ocsp_vfy.c
index d2693c7..9dd3f3a 100644
--- a/crypto/ocsp/ocsp_vfy.c
+++ b/crypto/ocsp/ocsp_vfy.c
@@ -355,8 +355,8 @@ static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid,
static int ocsp_check_delegated(X509 *x, int flags)
{
- X509_check_purpose(x, -1, 0);
- if ((x->ex_flags & EXFLAG_XKUSAGE) && (x->ex_xkusage & XKU_OCSP_SIGN))
+ if ((X509_get_extension_flags(x) & EXFLAG_XKUSAGE)
+ && (X509_get_extended_key_usage(x) & XKU_OCSP_SIGN))
return 1;
OCSPerr(OCSP_F_OCSP_CHECK_DELEGATED, OCSP_R_MISSING_OCSPSIGNING_USAGE);
return 0;
diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c
index cc2f3be..1ac6893 100644
--- a/crypto/pkcs7/pk7_doit.c
+++ b/crypto/pkcs7/pk7_doit.c
@@ -393,11 +393,11 @@ static int pkcs7_cmp_ri(PKCS7_RECIP_INFO *ri, X509 *pcert)
{
int ret;
ret = X509_NAME_cmp(ri->issuer_and_serial->issuer,
- pcert->cert_info->issuer);
+ X509_get_issuer_name(pcert));
if (ret)
return ret;
- return ASN1_INTEGER_cmp(pcert->cert_info->serialNumber,
- ri->issuer_and_serial->serial);
+ return ASN1_INTEGER_cmp(X509_get_serialNumber(pcert),
+ ri->issuer_and_serial->serial);
}
/* int */
diff --git a/crypto/ts/ts_rsp_sign.c b/crypto/ts/ts_rsp_sign.c
index 3343dce..f7fb762 100644
--- a/crypto/ts/ts_rsp_sign.c
+++ b/crypto/ts/ts_rsp_sign.c
@@ -657,7 +657,7 @@ static TS_TST_INFO *ts_RESP_create_tst_info(TS_RESP_CTX *ctx,
goto end;
tsa_name->type = GEN_DIRNAME;
tsa_name->d.dirn =
- X509_NAME_dup(ctx->signer_cert->cert_info->subject);
+ X509_NAME_dup(X509_get_subject_name(ctx->signer_cert));
if (!tsa_name->d.dirn)
goto end;
if (!TS_TST_INFO_set_tsa(tst_info, tsa_name))
@@ -869,7 +869,7 @@ static ESS_CERT_ID *ess_CERT_ID_new_init(X509 *cert, int issuer_needed)
if ((name = GENERAL_NAME_new()) == NULL)
goto err;
name->type = GEN_DIRNAME;
- if ((name->d.dirn = X509_NAME_dup(cert->cert_info->issuer)) == NULL)
+ if ((name->d.dirn = X509_NAME_dup(X509_get_issuer_name(cert))) == NULL)
goto err;
if (!sk_GENERAL_NAME_push(cid->issuer_serial->issuer, name))
goto err;
@@ -877,7 +877,7 @@ static ESS_CERT_ID *ess_CERT_ID_new_init(X509 *cert, int issuer_needed)
/* Setting the serial number. */
ASN1_INTEGER_free(cid->issuer_serial->serial);
if (!(cid->issuer_serial->serial =
- ASN1_INTEGER_dup(cert->cert_info->serialNumber)))
+ ASN1_INTEGER_dup(X509_get_serialNumber(cert))))
goto err;
}
diff --git a/crypto/ts/ts_rsp_verify.c b/crypto/ts/ts_rsp_verify.c
index c01d6a6..93a775e 100644
--- a/crypto/ts/ts_rsp_verify.c
+++ b/crypto/ts/ts_rsp_verify.c
@@ -72,7 +72,7 @@ static int ts_check_signing_certs(PKCS7_SIGNER_INFO *si,
STACK_OF(X509) *chain);
static ESS_SIGNING_CERT *ess_get_signing_cert(PKCS7_SIGNER_INFO *si);
static int ts_find_cert(STACK_OF(ESS_CERT_ID) *cert_ids, X509 *cert);
-static int ts_issuer_serial_cmp(ESS_ISSUER_SERIAL *is, X509_CINF *cinfo);
+static int ts_issuer_serial_cmp(ESS_ISSUER_SERIAL *is, X509 *cert);
static int int_ts_RESP_verify_token(TS_VERIFY_CTX *ctx,
PKCS7 *token, TS_TST_INFO *tst_info);
static int ts_check_status_info(TS_RESP *response);
@@ -328,7 +328,7 @@ static int ts_find_cert(STACK_OF(ESS_CERT_ID) *cert_ids, X509 *cert)
sizeof(cert->sha1_hash))) {
/* Check the issuer/serial as well if specified. */
ESS_ISSUER_SERIAL *is = cid->issuer_serial;
- if (!is || !ts_issuer_serial_cmp(is, cert->cert_info))
+ if (!is || !ts_issuer_serial_cmp(is, cert))
return i;
}
}
@@ -336,21 +336,21 @@ static int ts_find_cert(STACK_OF(ESS_CERT_ID) *cert_ids, X509 *cert)
return -1;
}
-static int ts_issuer_serial_cmp(ESS_ISSUER_SERIAL *is, X509_CINF *cinfo)
+static int ts_issuer_serial_cmp(ESS_ISSUER_SERIAL *is, X509 *cert)
{
GENERAL_NAME *issuer;
- if (!is || !cinfo || sk_GENERAL_NAME_num(is->issuer) != 1)
+ if (!is || !cert || sk_GENERAL_NAME_num(is->issuer) != 1)
return -1;
/* Check the issuer first. It must be a directory name. */
issuer = sk_GENERAL_NAME_value(is->issuer, 0);
if (issuer->type != GEN_DIRNAME
- || X509_NAME_cmp(issuer->d.dirn, cinfo->issuer))
+ || X509_NAME_cmp(issuer->d.dirn, X509_get_issuer_name(cert)))
return -1;
/* Check the serial number, too. */
- if (ASN1_INTEGER_cmp(is->serial, cinfo->serialNumber))
+ if (ASN1_INTEGER_cmp(is->serial, X509_get_serialNumber(cert)))
return -1;
return 0;
@@ -687,7 +687,7 @@ static int ts_check_signer_name(GENERAL_NAME *tsa_name, X509 *signer)
/* Check the subject name first. */
if (tsa_name->type == GEN_DIRNAME
- && X509_name_cmp(tsa_name->d.dirn, signer->cert_info->subject) == 0)
+ && X509_name_cmp(tsa_name->d.dirn, X509_get_subject_name(signer)) == 0)
return 1;
/* Check all the alternative names. */
diff --git a/crypto/x509/x509_set.c b/crypto/x509/x509_set.c
index 1ccfdb9..cfff563 100644
--- a/crypto/x509/x509_set.c
+++ b/crypto/x509/x509_set.c
@@ -155,3 +155,28 @@ void X509_up_ref(X509 *x)
{
CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
}
+
+long X509_get_version(X509 *x)
+{
+ return ASN1_INTEGER_get(x->cert_info->version);
+}
+
+ASN1_TIME * X509_get_notBefore(X509 *x)
+{
+ return x->cert_info->validity->notBefore;
+}
+
+ASN1_TIME *X509_get_notAfter(X509 *x)
+{
+ return x->cert_info->validity->notAfter;
+}
+
+int X509_get_signature_type(const X509 *x)
+{
+ return EVP_PKEY_type(OBJ_obj2nid(x->sig_alg->algorithm));
+}
+
+X509_PUBKEY *X509_get_X509_PUBKEY(const X509 *x)
+{
+ return x->cert_info->key;
+}
diff --git a/crypto/x509/x509type.c b/crypto/x509/x509type.c
index 232ba9b..8332d9e 100644
--- a/crypto/x509/x509type.c
+++ b/crypto/x509/x509type.c
@@ -100,7 +100,7 @@ int X509_certificate_type(X509 *x, EVP_PKEY *pkey)
break;
}
- i = OBJ_obj2nid(x->sig_alg->algorithm);
+ i = X509_get_signature_nid(x);
if (i && OBJ_find_sigid_algs(i, NULL, &i)) {
switch (i) {
diff --git a/crypto/x509v3/pcy_tree.c b/crypto/x509v3/pcy_tree.c
index c6be015..bbc9ada 100644
--- a/crypto/x509v3/pcy_tree.c
+++ b/crypto/x509v3/pcy_tree.c
@@ -184,7 +184,9 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
* explicit_policy value at this point.
*/
for (i = n - 2; i >= 0; i--) {
+ uint32_t ex_flags;
x = sk_X509_value(certs, i);
+ ex_flags = X509_get_extension_flags(x);
X509_check_purpose(x, -1, -1);
cache = policy_cache_set(x);
/* If cache NULL something bad happened: return immediately */
@@ -193,7 +195,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
/*
* If inconsistent extensions keep a note of it but continue
*/
- if (x->ex_flags & EXFLAG_INVALID_POLICY)
+ if (ex_flags & EXFLAG_INVALID_POLICY)
ret = -1;
/*
* Otherwise if we have no data (hence no CertificatePolicies) and
@@ -202,7 +204,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
else if ((ret == 1) && !cache->data)
ret = 2;
if (explicit_policy > 0) {
- if (!(x->ex_flags & EXFLAG_SI))
+ if (!(ex_flags & EXFLAG_SI))
explicit_policy--;
if ((cache->explicit_skip != -1)
&& (cache->explicit_skip < explicit_policy))
@@ -235,8 +237,10 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
goto bad_tree;
for (i = n - 2; i >= 0; i--) {
+ uint32_t ex_flags;
level++;
x = sk_X509_value(certs, i);
+ ex_flags = X509_get_extension_flags(x);
cache = policy_cache_set(x);
X509_up_ref(x);
level->cert = x;
@@ -250,10 +254,10 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
* Any matching allowed if certificate is self issued and not the
* last in the chain.
*/
- if (!(x->ex_flags & EXFLAG_SI) || (i == 0))
+ if (!(ex_flags & EXFLAG_SI) || (i == 0))
level->flags |= X509_V_FLAG_INHIBIT_ANY;
} else {
- if (!(x->ex_flags & EXFLAG_SI))
+ if (!(ex_flags & EXFLAG_SI))
any_skip--;
if ((cache->any_skip >= 0)
&& (cache->any_skip < any_skip))
@@ -263,7 +267,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
if (map_skip == 0)
level->flags |= X509_V_FLAG_INHIBIT_MAP;
else {
- if (!(x->ex_flags & EXFLAG_SI))
+ if (!(ex_flags & EXFLAG_SI))
map_skip--;
if ((cache->map_skip >= 0)
&& (cache->map_skip < map_skip))
diff --git a/include/openssl/x509.h b/include/openssl/x509.h
index 661d81c..751150d 100644
--- a/include/openssl/x509.h
+++ b/include/openssl/x509.h
@@ -445,14 +445,9 @@ extern "C" {
# define X509_EXT_PACK_UNKNOWN 1
# define X509_EXT_PACK_STRING 2
-# define X509_get_version(x) ASN1_INTEGER_get((x)->cert_info->version)
-/* #define X509_get_serialNumber(x) ((x)->cert_info->serialNumber) */
-# define X509_get_notBefore(x) ((x)->cert_info->validity->notBefore)
-# define X509_get_notAfter(x) ((x)->cert_info->validity->notAfter)
# define X509_extract_key(x) X509_get_pubkey(x)/*****/
# define X509_REQ_extract_key(a) X509_REQ_get_pubkey(a)
# define X509_name_cmp(a,b) X509_NAME_cmp((a),(b))
-# define X509_get_signature_type(x) EVP_PKEY_type(OBJ_obj2nid((x)->sig_alg->algorithm))
void X509_CRL_set_default_method(const X509_CRL_METHOD *meth);
X509_CRL_METHOD *X509_CRL_METHOD_new(int (*crl_init) (X509_CRL *crl),
@@ -468,12 +463,6 @@ void X509_CRL_METHOD_free(X509_CRL_METHOD *m);
void X509_CRL_set_meth_data(X509_CRL *crl, void *dat);
void *X509_CRL_get_meth_data(X509_CRL *crl);
-/*
- * This one is only used so that a binary form can output, as in
- * i2d_X509_NAME(X509_get_X509_PUBKEY(x),&buf)
- */
-# define X509_get_X509_PUBKEY(x) ((x)->cert_info->key)
-
const char *X509_verify_cert_error_string(long n);
int X509_verify(X509 *a, EVP_PKEY *r);
@@ -736,6 +725,7 @@ int ASN1_item_sign_ctx(const ASN1_ITEM *it, X509_ALGOR *algor1,
X509_ALGOR *algor2, ASN1_BIT_STRING *signature,
void *asn, EVP_MD_CTX *ctx);
+long X509_get_version(X509 *x);
int X509_set_version(X509 *x, long version);
int X509_set_serialNumber(X509 *x, ASN1_INTEGER *serial);
ASN1_INTEGER *X509_get_serialNumber(X509 *x);
@@ -743,10 +733,19 @@ int X509_set_issuer_name(X509 *x, X509_NAME *name);
X509_NAME *X509_get_issuer_name(X509 *a);
int X509_set_subject_name(X509 *x, X509_NAME *name);
X509_NAME *X509_get_subject_name(X509 *a);
+ASN1_TIME * X509_get_notBefore(X509 *x);
int X509_set_notBefore(X509 *x, const ASN1_TIME *tm);
+ASN1_TIME *X509_get_notAfter(X509 *x);
int X509_set_notAfter(X509 *x, const ASN1_TIME *tm);
int X509_set_pubkey(X509 *x, EVP_PKEY *pkey);
void X509_up_ref(X509 *x);
+int X509_get_signature_type(const X509 *x);
+/*
+ * This one is only used so that a binary form can output, as in
+ * i2d_X509_NAME(X509_get_X509_PUBKEY(x),&buf)
+ */
+X509_PUBKEY *X509_get_X509_PUBKEY(const X509 *x);
+
EVP_PKEY *X509_get_pubkey(X509 *x);
ASN1_BIT_STRING *X509_get0_pubkey_bitstr(const X509 *x);
int X509_certificate_type(X509 *x, EVP_PKEY *pubkey /* optional */ );
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index c3e2c2e..555b1d7 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -1028,8 +1028,7 @@ int ssl_build_cert_chain(SSL *s, SSL_CTX *ctx, int flags)
if (sk_X509_num(chain) > 0) {
/* See if last cert is self signed */
x = sk_X509_value(chain, sk_X509_num(chain) - 1);
- X509_check_purpose(x, -1, 0);
- if (x->ex_flags & EXFLAG_SS) {
+ if (X509_get_extension_flags(x) & EXFLAG_SS) {
x = sk_X509_pop(chain);
X509_free(x);
}
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index fe07d2c..c84ea15 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -1900,7 +1900,7 @@ void ssl_set_masks(SSL *s, const SSL_CIPHER *cipher)
int have_ecdh_tmp, ecdh_ok;
X509 *x = NULL;
EVP_PKEY *ecc_pkey = NULL;
- int signature_nid = 0, pk_nid = 0, md_nid = 0;
+ int pk_nid = 0, md_nid = 0;
#endif
if (c == NULL)
return;
@@ -2004,23 +2004,18 @@ void ssl_set_masks(SSL *s, const SSL_CIPHER *cipher)
*/
#ifndef OPENSSL_NO_EC
if (have_ecc_cert) {
+ uint32_t ex_kusage;
cpk = &c->pkeys[SSL_PKEY_ECC];
x = cpk->x509;
- /* This call populates extension flags (ex_flags) */
- X509_check_purpose(x, -1, 0);
- ecdh_ok = (x->ex_flags & EXFLAG_KUSAGE) ?
- (x->ex_kusage & X509v3_KU_KEY_AGREEMENT) : 1;
- ecdsa_ok = (x->ex_flags & EXFLAG_KUSAGE) ?
- (x->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE) : 1;
+ ex_kusage = X509_get_key_usage(x);
+ ecdh_ok = ex_kusage & X509v3_KU_KEY_AGREEMENT;
+ ecdsa_ok = ex_kusage & X509v3_KU_DIGITAL_SIGNATURE;
if (!(pvalid[SSL_PKEY_ECC] & CERT_PKEY_SIGN))
ecdsa_ok = 0;
ecc_pkey = X509_get_pubkey(x);
ecc_pkey_size = (ecc_pkey != NULL) ? EVP_PKEY_bits(ecc_pkey) : 0;
EVP_PKEY_free(ecc_pkey);
- if ((x->sig_alg) && (x->sig_alg->algorithm)) {
- signature_nid = OBJ_obj2nid(x->sig_alg->algorithm);
- OBJ_find_sigid_algs(signature_nid, &md_nid, &pk_nid);
- }
+ OBJ_find_sigid_algs(X509_get_signature_nid(x), &md_nid, &pk_nid);
if (ecdh_ok) {
if (pk_nid == NID_rsaEncryption || pk_nid == NID_rsa) {
@@ -2074,10 +2069,6 @@ void ssl_set_masks(SSL *s, const SSL_CIPHER *cipher)
s->s3->tmp.export_mask_a = emask_a;
}
-/* This handy macro borrowed from crypto/x509v3/v3_purp.c */
-#define ku_reject(x, usage) \
- (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage)))
-
#ifndef OPENSSL_NO_EC
int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
@@ -2085,8 +2076,9 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
unsigned long alg_k, alg_a;
EVP_PKEY *pkey = NULL;
int keysize = 0;
- int signature_nid = 0, md_nid = 0, pk_nid = 0;
+ int md_nid = 0, pk_nid = 0;
const SSL_CIPHER *cs = s->s3->tmp.new_cipher;
+ uint32_t ex_kusage = X509_get_key_usage(x);
alg_k = cs->algorithm_mkey;
alg_a = cs->algorithm_auth;
@@ -2102,15 +2094,11 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
return 0;
}
- /* This call populates the ex_flags field correctly */
- X509_check_purpose(x, -1, 0);
- if ((x->sig_alg) && (x->sig_alg->algorithm)) {
- signature_nid = OBJ_obj2nid(x->sig_alg->algorithm);
- OBJ_find_sigid_algs(signature_nid, &md_nid, &pk_nid);
- }
+ OBJ_find_sigid_algs(X509_get_signature_nid(x), &md_nid, &pk_nid);
+
if (alg_k & SSL_kECDHe || alg_k & SSL_kECDHr) {
/* key usage, if present, must allow key agreement */
- if (ku_reject(x, X509v3_KU_KEY_AGREEMENT)) {
+ if (!(ex_kusage & X509v3_KU_KEY_AGREEMENT)) {
SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG,
SSL_R_ECC_CERT_NOT_FOR_KEY_AGREEMENT);
return 0;
@@ -2135,7 +2123,7 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
}
if (alg_a & SSL_aECDSA) {
/* key usage, if present, must allow signing */
- if (ku_reject(x, X509v3_KU_DIGITAL_SIGNATURE)) {
+ if (!(ex_kusage & X509v3_KU_DIGITAL_SIGNATURE)) {
SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG,
SSL_R_ECC_CERT_NOT_FOR_SIGNING);
return 0;
diff --git a/test/ssltest.c b/test/ssltest.c
index adf1368..6f9d16c 100644
--- a/test/ssltest.c
+++ b/test/ssltest.c
@@ -2422,7 +2422,7 @@ static int verify_callback(int ok, X509_STORE_CTX *ctx)
if (ok == 1) {
X509 *xs = ctx->current_cert;
- if (xs->ex_flags & EXFLAG_PROXY) {
+ if (X509_get_extension_flags(xs) & EXFLAG_PROXY) {
unsigned int *letters = X509_STORE_CTX_get_ex_data(ctx,
get_proxy_auth_ex_data_idx
());
diff --git a/util/libeay.num b/util/libeay.num
index 39c9020..e5998bc 100755
--- a/util/libeay.num
+++ b/util/libeay.num
@@ -4610,3 +4610,8 @@ X509_CRL_get_REVOKED 4960 EXIST::FUNCTION:
X509_CRL_get_version 4961 EXIST::FUNCTION:
X509_CRL_get_lastUpdate 4962 EXIST::FUNCTION:
EVP_PBE_get 4964 EXIST::FUNCTION:
+X509_get_version 4965 EXIST::FUNCTION:
+X509_get_X509_PUBKEY 4966 EXIST::FUNCTION:
+X509_get_notBefore 4967 EXIST::FUNCTION:
+X509_get_notAfter 4968 EXIST::FUNCTION:
+X509_get_signature_type 4969 EXIST::FUNCTION:
More information about the openssl-commits
mailing list