[openssl-commits] [openssl] master update

Dr. Stephen Henson steve at openssl.org
Sat Sep 5 23:18:43 UTC 2015


The branch master has been updated
       via  551a2f26aa54f0a9210128f3b4c1c4a7e8a85e41 (commit)
       via  a8d8e06b0ac06c421fd11cc1772126dcb98f79ae (commit)
       via  f728254a840bf7fdd2252fe09e11a0e99c7df1d4 (commit)
      from  fda23e2d93761736b880cdfd7eb393cc623d9b7a (commit)


- Log -----------------------------------------------------------------
commit 551a2f26aa54f0a9210128f3b4c1c4a7e8a85e41
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Thu Sep 3 18:40:19 2015 +0100

    make update
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>

commit a8d8e06b0ac06c421fd11cc1772126dcb98f79ae
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Wed Sep 2 22:01:18 2015 +0100

    Avoid direct X509 structure access
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>

commit f728254a840bf7fdd2252fe09e11a0e99c7df1d4
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Wed Sep 2 21:46:39 2015 +0100

    Replace X509 macros with functions
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 apps/ca.c                 | 23 ++++++-----------------
 apps/x509.c               |  9 +++++++--
 crypto/ocsp/ocsp_vfy.c    |  4 ++--
 crypto/pkcs7/pk7_doit.c   |  6 +++---
 crypto/ts/ts_rsp_sign.c   |  6 +++---
 crypto/ts/ts_rsp_verify.c | 14 +++++++-------
 crypto/x509/x509_set.c    | 25 +++++++++++++++++++++++++
 crypto/x509/x509type.c    |  2 +-
 crypto/x509v3/pcy_tree.c  | 14 +++++++++-----
 include/openssl/x509.h    | 21 ++++++++++-----------
 ssl/ssl_cert.c            |  3 +--
 ssl/ssl_lib.c             | 36 ++++++++++++------------------------
 test/ssltest.c            |  2 +-
 util/libeay.num           |  5 +++++
 14 files changed, 92 insertions(+), 78 deletions(-)

diff --git a/apps/ca.c b/apps/ca.c
index b93cff5..5cd8002 100644
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -1052,13 +1052,14 @@ end_of_options:
         if (verbose)
             BIO_printf(bio_err, "writing new certificates\n");
         for (i = 0; i < sk_X509_num(cert_sk); i++) {
+            ASN1_INTEGER *serialNumber = X509_get_serialNumber(x);
             int k;
             char *n;
 
             x = sk_X509_value(cert_sk, i);
 
-            j = x->cert_info->serialNumber->length;
-            p = (const char *)x->cert_info->serialNumber->data;
+            j = ASN1_STRING_length(serialNumber);
+            p = (const char *)ASN1_STRING_data(serialNumber);
 
             if (strlen(outdir) >= (size_t)(j ? BSIZE - j * 2 - 6 : BSIZE - 8)) {
                 BIO_printf(bio_err, "certificate file name too long\n");
@@ -1450,7 +1451,6 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
     ASN1_STRING *str, *str2;
     ASN1_OBJECT *obj;
     X509 *ret = NULL;
-    X509_CINF *ci;
     X509_NAME_ENTRY *ne;
     X509_NAME_ENTRY *tne, *push;
     EVP_PKEY *pktmp;
@@ -1546,7 +1546,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
     if (selfsign)
         CAname = X509_NAME_dup(name);
     else
-        CAname = X509_NAME_dup(x509->cert_info->subject);
+        CAname = X509_NAME_dup(X509_get_subject_name(x509));
     if (CAname == NULL)
         goto end;
     str = str2 = NULL;
@@ -1755,7 +1755,6 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
 
     if ((ret = X509_new()) == NULL)
         goto end;
-    ci = ret->cert_info;
 
 #ifdef X509_V3
     /* Make it an X509 v3 certificate. */
@@ -1763,7 +1762,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
         goto end;
 #endif
 
-    if (BN_to_ASN1_INTEGER(serial, ci->serialNumber) == NULL)
+    if (BN_to_ASN1_INTEGER(serial, X509_get_serialNumber(ret)) == NULL)
         goto end;
     if (selfsign) {
         if (!X509_set_issuer_name(ret, subject))
@@ -1799,17 +1798,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
     /* Lets add the extensions, if there are any */
     if (ext_sect) {
         X509V3_CTX ctx;
-        if (ci->version == NULL)
-            if ((ci->version = ASN1_INTEGER_new()) == NULL)
-                goto end;
-        ASN1_INTEGER_set(ci->version, 2); /* version 3 certificate */
-
-        /*
-         * Free the current entries if any, there should not be any I believe
-         */
-        sk_X509_EXTENSION_pop_free(ci->extensions, X509_EXTENSION_free);
-
-        ci->extensions = NULL;
+        X509_set_version(ret, 2);
 
         /* Initialize the context structure */
         if (selfsign)
diff --git a/apps/x509.c b/apps/x509.c
index 6b41a75..acce9e9 100644
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -894,8 +894,13 @@ int x509_main(int argc, char **argv)
         goto end;
     }
 
-    if (badsig)
-        x->signature->data[x->signature->length - 1] ^= 0x1;
+    if (badsig) {
+        ASN1_BIT_STRING *signature;
+        unsigned char *s;
+        X509_get0_signature(&signature, NULL, x);
+        s = ASN1_STRING_data(signature);
+        s[ASN1_STRING_length(signature) - 1] ^= 0x1;
+    }
 
     if (outformat == FORMAT_ASN1)
         i = i2d_X509_bio(out, x);
diff --git a/crypto/ocsp/ocsp_vfy.c b/crypto/ocsp/ocsp_vfy.c
index d2693c7..9dd3f3a 100644
--- a/crypto/ocsp/ocsp_vfy.c
+++ b/crypto/ocsp/ocsp_vfy.c
@@ -355,8 +355,8 @@ static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid,
 
 static int ocsp_check_delegated(X509 *x, int flags)
 {
-    X509_check_purpose(x, -1, 0);
-    if ((x->ex_flags & EXFLAG_XKUSAGE) && (x->ex_xkusage & XKU_OCSP_SIGN))
+    if ((X509_get_extension_flags(x) & EXFLAG_XKUSAGE)
+        && (X509_get_extended_key_usage(x) & XKU_OCSP_SIGN))
         return 1;
     OCSPerr(OCSP_F_OCSP_CHECK_DELEGATED, OCSP_R_MISSING_OCSPSIGNING_USAGE);
     return 0;
diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c
index cc2f3be..1ac6893 100644
--- a/crypto/pkcs7/pk7_doit.c
+++ b/crypto/pkcs7/pk7_doit.c
@@ -393,11 +393,11 @@ static int pkcs7_cmp_ri(PKCS7_RECIP_INFO *ri, X509 *pcert)
 {
     int ret;
     ret = X509_NAME_cmp(ri->issuer_and_serial->issuer,
-                        pcert->cert_info->issuer);
+                        X509_get_issuer_name(pcert));
     if (ret)
         return ret;
-    return ASN1_INTEGER_cmp(pcert->cert_info->serialNumber,
-                              ri->issuer_and_serial->serial);
+    return ASN1_INTEGER_cmp(X509_get_serialNumber(pcert),
+                            ri->issuer_and_serial->serial);
 }
 
 /* int */
diff --git a/crypto/ts/ts_rsp_sign.c b/crypto/ts/ts_rsp_sign.c
index 3343dce..f7fb762 100644
--- a/crypto/ts/ts_rsp_sign.c
+++ b/crypto/ts/ts_rsp_sign.c
@@ -657,7 +657,7 @@ static TS_TST_INFO *ts_RESP_create_tst_info(TS_RESP_CTX *ctx,
             goto end;
         tsa_name->type = GEN_DIRNAME;
         tsa_name->d.dirn =
-            X509_NAME_dup(ctx->signer_cert->cert_info->subject);
+            X509_NAME_dup(X509_get_subject_name(ctx->signer_cert));
         if (!tsa_name->d.dirn)
             goto end;
         if (!TS_TST_INFO_set_tsa(tst_info, tsa_name))
@@ -869,7 +869,7 @@ static ESS_CERT_ID *ess_CERT_ID_new_init(X509 *cert, int issuer_needed)
         if ((name = GENERAL_NAME_new()) == NULL)
             goto err;
         name->type = GEN_DIRNAME;
-        if ((name->d.dirn = X509_NAME_dup(cert->cert_info->issuer)) == NULL)
+        if ((name->d.dirn = X509_NAME_dup(X509_get_issuer_name(cert))) == NULL)
             goto err;
         if (!sk_GENERAL_NAME_push(cid->issuer_serial->issuer, name))
             goto err;
@@ -877,7 +877,7 @@ static ESS_CERT_ID *ess_CERT_ID_new_init(X509 *cert, int issuer_needed)
         /* Setting the serial number. */
         ASN1_INTEGER_free(cid->issuer_serial->serial);
         if (!(cid->issuer_serial->serial =
-              ASN1_INTEGER_dup(cert->cert_info->serialNumber)))
+              ASN1_INTEGER_dup(X509_get_serialNumber(cert))))
             goto err;
     }
 
diff --git a/crypto/ts/ts_rsp_verify.c b/crypto/ts/ts_rsp_verify.c
index c01d6a6..93a775e 100644
--- a/crypto/ts/ts_rsp_verify.c
+++ b/crypto/ts/ts_rsp_verify.c
@@ -72,7 +72,7 @@ static int ts_check_signing_certs(PKCS7_SIGNER_INFO *si,
                                   STACK_OF(X509) *chain);
 static ESS_SIGNING_CERT *ess_get_signing_cert(PKCS7_SIGNER_INFO *si);
 static int ts_find_cert(STACK_OF(ESS_CERT_ID) *cert_ids, X509 *cert);
-static int ts_issuer_serial_cmp(ESS_ISSUER_SERIAL *is, X509_CINF *cinfo);
+static int ts_issuer_serial_cmp(ESS_ISSUER_SERIAL *is, X509 *cert);
 static int int_ts_RESP_verify_token(TS_VERIFY_CTX *ctx,
                                     PKCS7 *token, TS_TST_INFO *tst_info);
 static int ts_check_status_info(TS_RESP *response);
@@ -328,7 +328,7 @@ static int ts_find_cert(STACK_OF(ESS_CERT_ID) *cert_ids, X509 *cert)
                        sizeof(cert->sha1_hash))) {
             /* Check the issuer/serial as well if specified. */
             ESS_ISSUER_SERIAL *is = cid->issuer_serial;
-            if (!is || !ts_issuer_serial_cmp(is, cert->cert_info))
+            if (!is || !ts_issuer_serial_cmp(is, cert))
                 return i;
         }
     }
@@ -336,21 +336,21 @@ static int ts_find_cert(STACK_OF(ESS_CERT_ID) *cert_ids, X509 *cert)
     return -1;
 }
 
-static int ts_issuer_serial_cmp(ESS_ISSUER_SERIAL *is, X509_CINF *cinfo)
+static int ts_issuer_serial_cmp(ESS_ISSUER_SERIAL *is, X509 *cert)
 {
     GENERAL_NAME *issuer;
 
-    if (!is || !cinfo || sk_GENERAL_NAME_num(is->issuer) != 1)
+    if (!is || !cert || sk_GENERAL_NAME_num(is->issuer) != 1)
         return -1;
 
     /* Check the issuer first. It must be a directory name. */
     issuer = sk_GENERAL_NAME_value(is->issuer, 0);
     if (issuer->type != GEN_DIRNAME
-        || X509_NAME_cmp(issuer->d.dirn, cinfo->issuer))
+        || X509_NAME_cmp(issuer->d.dirn, X509_get_issuer_name(cert)))
         return -1;
 
     /* Check the serial number, too. */
-    if (ASN1_INTEGER_cmp(is->serial, cinfo->serialNumber))
+    if (ASN1_INTEGER_cmp(is->serial, X509_get_serialNumber(cert)))
         return -1;
 
     return 0;
@@ -687,7 +687,7 @@ static int ts_check_signer_name(GENERAL_NAME *tsa_name, X509 *signer)
 
     /* Check the subject name first. */
     if (tsa_name->type == GEN_DIRNAME
-        && X509_name_cmp(tsa_name->d.dirn, signer->cert_info->subject) == 0)
+        && X509_name_cmp(tsa_name->d.dirn, X509_get_subject_name(signer)) == 0)
         return 1;
 
     /* Check all the alternative names. */
diff --git a/crypto/x509/x509_set.c b/crypto/x509/x509_set.c
index 1ccfdb9..cfff563 100644
--- a/crypto/x509/x509_set.c
+++ b/crypto/x509/x509_set.c
@@ -155,3 +155,28 @@ void X509_up_ref(X509 *x)
 {
     CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
 }
+
+long X509_get_version(X509 *x)
+{
+    return ASN1_INTEGER_get(x->cert_info->version);
+}
+
+ASN1_TIME * X509_get_notBefore(X509 *x)
+{
+    return x->cert_info->validity->notBefore;
+}
+
+ASN1_TIME *X509_get_notAfter(X509 *x)
+{
+    return x->cert_info->validity->notAfter;
+}
+
+int X509_get_signature_type(const X509 *x)
+{
+    return EVP_PKEY_type(OBJ_obj2nid(x->sig_alg->algorithm));
+}
+
+X509_PUBKEY *X509_get_X509_PUBKEY(const X509 *x)
+{
+    return x->cert_info->key;
+}
diff --git a/crypto/x509/x509type.c b/crypto/x509/x509type.c
index 232ba9b..8332d9e 100644
--- a/crypto/x509/x509type.c
+++ b/crypto/x509/x509type.c
@@ -100,7 +100,7 @@ int X509_certificate_type(X509 *x, EVP_PKEY *pkey)
         break;
     }
 
-    i = OBJ_obj2nid(x->sig_alg->algorithm);
+    i = X509_get_signature_nid(x);
     if (i && OBJ_find_sigid_algs(i, NULL, &i)) {
 
         switch (i) {
diff --git a/crypto/x509v3/pcy_tree.c b/crypto/x509v3/pcy_tree.c
index c6be015..bbc9ada 100644
--- a/crypto/x509v3/pcy_tree.c
+++ b/crypto/x509v3/pcy_tree.c
@@ -184,7 +184,9 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
      * explicit_policy value at this point.
      */
     for (i = n - 2; i >= 0; i--) {
+        uint32_t ex_flags;
         x = sk_X509_value(certs, i);
+        ex_flags = X509_get_extension_flags(x);
         X509_check_purpose(x, -1, -1);
         cache = policy_cache_set(x);
         /* If cache NULL something bad happened: return immediately */
@@ -193,7 +195,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
         /*
          * If inconsistent extensions keep a note of it but continue
          */
-        if (x->ex_flags & EXFLAG_INVALID_POLICY)
+        if (ex_flags & EXFLAG_INVALID_POLICY)
             ret = -1;
         /*
          * Otherwise if we have no data (hence no CertificatePolicies) and
@@ -202,7 +204,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
         else if ((ret == 1) && !cache->data)
             ret = 2;
         if (explicit_policy > 0) {
-            if (!(x->ex_flags & EXFLAG_SI))
+            if (!(ex_flags & EXFLAG_SI))
                 explicit_policy--;
             if ((cache->explicit_skip != -1)
                 && (cache->explicit_skip < explicit_policy))
@@ -235,8 +237,10 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
         goto bad_tree;
 
     for (i = n - 2; i >= 0; i--) {
+        uint32_t ex_flags;
         level++;
         x = sk_X509_value(certs, i);
+        ex_flags = X509_get_extension_flags(x);
         cache = policy_cache_set(x);
         X509_up_ref(x);
         level->cert = x;
@@ -250,10 +254,10 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
              * Any matching allowed if certificate is self issued and not the
              * last in the chain.
              */
-            if (!(x->ex_flags & EXFLAG_SI) || (i == 0))
+            if (!(ex_flags & EXFLAG_SI) || (i == 0))
                 level->flags |= X509_V_FLAG_INHIBIT_ANY;
         } else {
-            if (!(x->ex_flags & EXFLAG_SI))
+            if (!(ex_flags & EXFLAG_SI))
                 any_skip--;
             if ((cache->any_skip >= 0)
                 && (cache->any_skip < any_skip))
@@ -263,7 +267,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
         if (map_skip == 0)
             level->flags |= X509_V_FLAG_INHIBIT_MAP;
         else {
-            if (!(x->ex_flags & EXFLAG_SI))
+            if (!(ex_flags & EXFLAG_SI))
                 map_skip--;
             if ((cache->map_skip >= 0)
                 && (cache->map_skip < map_skip))
diff --git a/include/openssl/x509.h b/include/openssl/x509.h
index 661d81c..751150d 100644
--- a/include/openssl/x509.h
+++ b/include/openssl/x509.h
@@ -445,14 +445,9 @@ extern "C" {
 # define X509_EXT_PACK_UNKNOWN   1
 # define X509_EXT_PACK_STRING    2
 
-# define         X509_get_version(x) ASN1_INTEGER_get((x)->cert_info->version)
-/* #define      X509_get_serialNumber(x) ((x)->cert_info->serialNumber) */
-# define         X509_get_notBefore(x) ((x)->cert_info->validity->notBefore)
-# define         X509_get_notAfter(x) ((x)->cert_info->validity->notAfter)
 # define         X509_extract_key(x)     X509_get_pubkey(x)/*****/
 # define         X509_REQ_extract_key(a) X509_REQ_get_pubkey(a)
 # define         X509_name_cmp(a,b)      X509_NAME_cmp((a),(b))
-# define         X509_get_signature_type(x) EVP_PKEY_type(OBJ_obj2nid((x)->sig_alg->algorithm))
 
 void X509_CRL_set_default_method(const X509_CRL_METHOD *meth);
 X509_CRL_METHOD *X509_CRL_METHOD_new(int (*crl_init) (X509_CRL *crl),
@@ -468,12 +463,6 @@ void X509_CRL_METHOD_free(X509_CRL_METHOD *m);
 void X509_CRL_set_meth_data(X509_CRL *crl, void *dat);
 void *X509_CRL_get_meth_data(X509_CRL *crl);
 
-/*
- * This one is only used so that a binary form can output, as in
- * i2d_X509_NAME(X509_get_X509_PUBKEY(x),&buf)
- */
-# define         X509_get_X509_PUBKEY(x) ((x)->cert_info->key)
-
 const char *X509_verify_cert_error_string(long n);
 
 int X509_verify(X509 *a, EVP_PKEY *r);
@@ -736,6 +725,7 @@ int ASN1_item_sign_ctx(const ASN1_ITEM *it, X509_ALGOR *algor1,
                        X509_ALGOR *algor2, ASN1_BIT_STRING *signature,
                        void *asn, EVP_MD_CTX *ctx);
 
+long X509_get_version(X509 *x);
 int X509_set_version(X509 *x, long version);
 int X509_set_serialNumber(X509 *x, ASN1_INTEGER *serial);
 ASN1_INTEGER *X509_get_serialNumber(X509 *x);
@@ -743,10 +733,19 @@ int X509_set_issuer_name(X509 *x, X509_NAME *name);
 X509_NAME *X509_get_issuer_name(X509 *a);
 int X509_set_subject_name(X509 *x, X509_NAME *name);
 X509_NAME *X509_get_subject_name(X509 *a);
+ASN1_TIME * X509_get_notBefore(X509 *x);
 int X509_set_notBefore(X509 *x, const ASN1_TIME *tm);
+ASN1_TIME *X509_get_notAfter(X509 *x);
 int X509_set_notAfter(X509 *x, const ASN1_TIME *tm);
 int X509_set_pubkey(X509 *x, EVP_PKEY *pkey);
 void X509_up_ref(X509 *x);
+int X509_get_signature_type(const X509 *x);
+/*
+ * This one is only used so that a binary form can output, as in
+ * i2d_X509_NAME(X509_get_X509_PUBKEY(x),&buf)
+ */
+X509_PUBKEY *X509_get_X509_PUBKEY(const X509 *x);
+
 EVP_PKEY *X509_get_pubkey(X509 *x);
 ASN1_BIT_STRING *X509_get0_pubkey_bitstr(const X509 *x);
 int X509_certificate_type(X509 *x, EVP_PKEY *pubkey /* optional */ );
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index c3e2c2e..555b1d7 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -1028,8 +1028,7 @@ int ssl_build_cert_chain(SSL *s, SSL_CTX *ctx, int flags)
         if (sk_X509_num(chain) > 0) {
             /* See if last cert is self signed */
             x = sk_X509_value(chain, sk_X509_num(chain) - 1);
-            X509_check_purpose(x, -1, 0);
-            if (x->ex_flags & EXFLAG_SS) {
+            if (X509_get_extension_flags(x) & EXFLAG_SS) {
                 x = sk_X509_pop(chain);
                 X509_free(x);
             }
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index fe07d2c..c84ea15 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -1900,7 +1900,7 @@ void ssl_set_masks(SSL *s, const SSL_CIPHER *cipher)
     int have_ecdh_tmp, ecdh_ok;
     X509 *x = NULL;
     EVP_PKEY *ecc_pkey = NULL;
-    int signature_nid = 0, pk_nid = 0, md_nid = 0;
+    int pk_nid = 0, md_nid = 0;
 #endif
     if (c == NULL)
         return;
@@ -2004,23 +2004,18 @@ void ssl_set_masks(SSL *s, const SSL_CIPHER *cipher)
      */
 #ifndef OPENSSL_NO_EC
     if (have_ecc_cert) {
+        uint32_t ex_kusage;
         cpk = &c->pkeys[SSL_PKEY_ECC];
         x = cpk->x509;
-        /* This call populates extension flags (ex_flags) */
-        X509_check_purpose(x, -1, 0);
-        ecdh_ok = (x->ex_flags & EXFLAG_KUSAGE) ?
-            (x->ex_kusage & X509v3_KU_KEY_AGREEMENT) : 1;
-        ecdsa_ok = (x->ex_flags & EXFLAG_KUSAGE) ?
-            (x->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE) : 1;
+        ex_kusage = X509_get_key_usage(x);
+        ecdh_ok = ex_kusage & X509v3_KU_KEY_AGREEMENT;
+        ecdsa_ok = ex_kusage & X509v3_KU_DIGITAL_SIGNATURE;
         if (!(pvalid[SSL_PKEY_ECC] & CERT_PKEY_SIGN))
             ecdsa_ok = 0;
         ecc_pkey = X509_get_pubkey(x);
         ecc_pkey_size = (ecc_pkey != NULL) ? EVP_PKEY_bits(ecc_pkey) : 0;
         EVP_PKEY_free(ecc_pkey);
-        if ((x->sig_alg) && (x->sig_alg->algorithm)) {
-            signature_nid = OBJ_obj2nid(x->sig_alg->algorithm);
-            OBJ_find_sigid_algs(signature_nid, &md_nid, &pk_nid);
-        }
+        OBJ_find_sigid_algs(X509_get_signature_nid(x), &md_nid, &pk_nid);
         if (ecdh_ok) {
 
             if (pk_nid == NID_rsaEncryption || pk_nid == NID_rsa) {
@@ -2074,10 +2069,6 @@ void ssl_set_masks(SSL *s, const SSL_CIPHER *cipher)
     s->s3->tmp.export_mask_a = emask_a;
 }
 
-/* This handy macro borrowed from crypto/x509v3/v3_purp.c */
-#define ku_reject(x, usage) \
-        (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage)))
-
 #ifndef OPENSSL_NO_EC
 
 int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
@@ -2085,8 +2076,9 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
     unsigned long alg_k, alg_a;
     EVP_PKEY *pkey = NULL;
     int keysize = 0;
-    int signature_nid = 0, md_nid = 0, pk_nid = 0;
+    int md_nid = 0, pk_nid = 0;
     const SSL_CIPHER *cs = s->s3->tmp.new_cipher;
+    uint32_t ex_kusage = X509_get_key_usage(x);
 
     alg_k = cs->algorithm_mkey;
     alg_a = cs->algorithm_auth;
@@ -2102,15 +2094,11 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
             return 0;
     }
 
-    /* This call populates the ex_flags field correctly */
-    X509_check_purpose(x, -1, 0);
-    if ((x->sig_alg) && (x->sig_alg->algorithm)) {
-        signature_nid = OBJ_obj2nid(x->sig_alg->algorithm);
-        OBJ_find_sigid_algs(signature_nid, &md_nid, &pk_nid);
-    }
+    OBJ_find_sigid_algs(X509_get_signature_nid(x), &md_nid, &pk_nid);
+
     if (alg_k & SSL_kECDHe || alg_k & SSL_kECDHr) {
         /* key usage, if present, must allow key agreement */
-        if (ku_reject(x, X509v3_KU_KEY_AGREEMENT)) {
+        if (!(ex_kusage & X509v3_KU_KEY_AGREEMENT)) {
             SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG,
                    SSL_R_ECC_CERT_NOT_FOR_KEY_AGREEMENT);
             return 0;
@@ -2135,7 +2123,7 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
     }
     if (alg_a & SSL_aECDSA) {
         /* key usage, if present, must allow signing */
-        if (ku_reject(x, X509v3_KU_DIGITAL_SIGNATURE)) {
+        if (!(ex_kusage & X509v3_KU_DIGITAL_SIGNATURE)) {
             SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG,
                    SSL_R_ECC_CERT_NOT_FOR_SIGNING);
             return 0;
diff --git a/test/ssltest.c b/test/ssltest.c
index adf1368..6f9d16c 100644
--- a/test/ssltest.c
+++ b/test/ssltest.c
@@ -2422,7 +2422,7 @@ static int verify_callback(int ok, X509_STORE_CTX *ctx)
 
     if (ok == 1) {
         X509 *xs = ctx->current_cert;
-        if (xs->ex_flags & EXFLAG_PROXY) {
+        if (X509_get_extension_flags(xs) & EXFLAG_PROXY) {
             unsigned int *letters = X509_STORE_CTX_get_ex_data(ctx,
                                                                get_proxy_auth_ex_data_idx
                                                                ());
diff --git a/util/libeay.num b/util/libeay.num
index 39c9020..e5998bc 100755
--- a/util/libeay.num
+++ b/util/libeay.num
@@ -4610,3 +4610,8 @@ X509_CRL_get_REVOKED                    4960	EXIST::FUNCTION:
 X509_CRL_get_version                    4961	EXIST::FUNCTION:
 X509_CRL_get_lastUpdate                 4962	EXIST::FUNCTION:
 EVP_PBE_get                             4964	EXIST::FUNCTION:
+X509_get_version                        4965	EXIST::FUNCTION:
+X509_get_X509_PUBKEY                    4966	EXIST::FUNCTION:
+X509_get_notBefore                      4967	EXIST::FUNCTION:
+X509_get_notAfter                       4968	EXIST::FUNCTION:
+X509_get_signature_type                 4969	EXIST::FUNCTION:


More information about the openssl-commits mailing list