[openssl-commits] [openssl] master update
Rich Salz
rsalz at openssl.org
Mon Apr 4 19:05:29 UTC 2016
The branch master has been updated
via f6c006ea76304a52cf9212695525e1bcc6cf6c22 (commit)
via c5137473bdc7bcf7c43b4bd5d28827f8ddd70490 (commit)
via 97458daade31c32ea8816b7e065e3bda3be588fa (commit)
via 0517538d1a39bc5eb664928a6c40b4a0afad01da (commit)
from 6c13488c4e75ef839bc07a3ce428289aef4bd267 (commit)
- Log -----------------------------------------------------------------
commit f6c006ea76304a52cf9212695525e1bcc6cf6c22
Author: FdaSilvaYY <fdasilvayy at gmail.com>
Date: Sun Apr 3 23:37:58 2016 +0200
Fix a possible leak on NETSCAPE_SPKI_verify failure.
Reviewed-by: Stephen Henson <steve at openssl.org>
Reviewed-by: Rich Salz <rsalz at openssl.org>
commit c5137473bdc7bcf7c43b4bd5d28827f8ddd70490
Author: FdaSilvaYY <fdasilvayy at gmail.com>
Date: Sun Apr 3 23:37:32 2016 +0200
Use X509_REQ_get0_pubkey
Reviewed-by: Stephen Henson <steve at openssl.org>
Reviewed-by: Rich Salz <rsalz at openssl.org>
commit 97458daade31c32ea8816b7e065e3bda3be588fa
Author: FdaSilvaYY <fdasilvayy at gmail.com>
Date: Sun Apr 3 23:24:51 2016 +0200
Add X509_REQ_get0_pubkey method
Reviewed-by: Stephen Henson <steve at openssl.org>
Reviewed-by: Rich Salz <rsalz at openssl.org>
commit 0517538d1a39bc5eb664928a6c40b4a0afad01da
Author: FdaSilvaYY <fdasilvayy at gmail.com>
Date: Thu Mar 17 00:15:48 2016 +0100
Fix two leaks in X509_REQ_to_X509
Issue #182
Reviewed-by: Stephen Henson <steve at openssl.org>
Reviewed-by: Rich Salz <rsalz at openssl.org>
-----------------------------------------------------------------------
Summary of changes:
apps/ca.c | 6 +++---
apps/req.c | 19 +++++++------------
apps/x509.c | 6 ++----
crypto/x509/x509_r2x.c | 11 +++++++----
crypto/x509/x509_req.c | 7 +++++++
doc/crypto/X509_get_pubkey.pod | 12 +++++++-----
include/openssl/x509.h | 1 +
util/libcrypto.num | 1 +
8 files changed, 35 insertions(+), 28 deletions(-)
diff --git a/apps/ca.c b/apps/ca.c
index 3062d7e..cc74c5b 100644
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -1351,12 +1351,12 @@ static int certify(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
ok = 0;
goto end;
}
- if ((pktmp = X509_REQ_get_pubkey(req)) == NULL) {
+ if ((pktmp = X509_REQ_get0_pubkey(req)) == NULL) {
BIO_printf(bio_err, "error unpacking public key\n");
goto end;
}
i = X509_REQ_verify(req, pktmp);
- EVP_PKEY_free(pktmp);
+ pktmp = NULL;
if (i < 0) {
ok = 0;
BIO_printf(bio_err, "Signature verification problems....\n");
@@ -1790,7 +1790,6 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
pktmp = X509_REQ_get_pubkey(req);
i = X509_set_pubkey(ret, pktmp);
- EVP_PKEY_free(pktmp);
if (!i)
goto end;
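Review bot: Dropping `EVP_PKEY_free(pktmp)` while the line above still calls `X509_REQ_get_pubkey(req)` leaks one EVP_PKEY reference per issued certificate, unless do_body frees pktmp later at its `end:` label (outside the hunk). The get_pubkey form returns a counted reference that the caller owns, as the pod hunk in this same commit states for the non-get0 accessors; only the get0 form returns a borrowed pointer, and every other call site this commit touches switches to it. Either change the call to `pktmp = X509_REQ_get0_pubkey(req);` or keep the free. do_body starts and ends outside this hunk.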
@@ -2072,6 +2071,7 @@ static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey,
j = NETSCAPE_SPKI_verify(spki, pktmp);
if (j <= 0) {
+ EVP_PKEY_free(pktmp);
BIO_printf(bio_err,
"signature verification failed on SPKAC public key\n");
goto end;
diff --git a/apps/req.c b/apps/req.c
index edf998b..561cccc 100644
--- a/apps/req.c
+++ b/apps/req.c
@@ -375,6 +375,7 @@ int req_main(int argc, char **argv)
if (!nmflag_set)
nmflag = XN_FLAG_ONELINE;
+ /* TODO: simplify this as pkey is still always NULL here */
private = newreq && (pkey == NULL) ? 1 : 0;
if (!app_passwd(passargin, passargout, &passin, &passout)) {
@@ -666,10 +667,9 @@ int req_main(int argc, char **argv)
if (!X509_set_subject_name
(x509ss, X509_REQ_get_subject_name(req)))
goto end;
- tmppkey = X509_REQ_get_pubkey(req);
+ tmppkey = X509_REQ_get0_pubkey(req);
if (!tmppkey || !X509_set_pubkey(x509ss, tmppkey))
goto end;
- EVP_PKEY_free(tmppkey);
/* Set up V3 context struct */
@@ -739,20 +739,15 @@ int req_main(int argc, char **argv)
}
if (verify && !x509) {
- int tmp = 0;
+ EVP_PKEY *pubkey = pkey;
- if (pkey == NULL) {
- pkey = X509_REQ_get_pubkey(req);
- tmp = 1;
- if (pkey == NULL)
+ if (pubkey == NULL) {
+ pubkey = X509_REQ_get0_pubkey(req);
+ if (pubkey == NULL)
goto end;
}
- i = X509_REQ_verify(req, pkey);
- if (tmp) {
- EVP_PKEY_free(pkey);
- pkey = NULL;
- }
+ i = X509_REQ_verify(req, pubkey);
if (i < 0) {
goto end;
diff --git a/apps/x509.c b/apps/x509.c
index 00c0d97..bc56233 100644
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -562,12 +562,11 @@ int x509_main(int argc, char **argv)
goto end;
}
- if ((pkey = X509_REQ_get_pubkey(req)) == NULL) {
+ if ((pkey = X509_REQ_get0_pubkey(req)) == NULL) {
BIO_printf(bio_err, "error unpacking public key\n");
goto end;
}
i = X509_REQ_verify(req, pkey);
- EVP_PKEY_free(pkey);
if (i < 0) {
BIO_printf(bio_err, "Signature verification error\n");
ERR_print_errors(bio_err);
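Review bot: pkey now holds a borrowed pointer into req rather than an owned reference, so if x509_main's `end:` cleanup (outside the hunk) still does `EVP_PKEY_free(pkey)`, this change turns a correct free into a free of the request's internal key, which X509_REQ_free will then free again. Worth confirming against the cleanup block; if pkey is freed there, either clear it after the verify call, `pkey = NULL;`, as the apps/ca.c hunk in this commit does with pktmp, or use a separate local for the borrowed key. x509_main begins and ends outside this hunk.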
@@ -607,9 +606,8 @@ int x509_main(int argc, char **argv)
if (fkey)
X509_set_pubkey(x, fkey);
else {
- pkey = X509_REQ_get_pubkey(req);
+ pkey = X509_REQ_get0_pubkey(req);
X509_set_pubkey(x, pkey);
- EVP_PKEY_free(pkey);
}
} else
x = load_cert(infile, informat, "Certificate");
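Review bot: `X509_set_pubkey(x, pkey)` is still called unchecked, and pkey may be NULL here when the request carries no usable key (X509_REQ_get0_pubkey returns NULL on error, just as the call it replaces did), so a malformed request silently yields a certificate with no public key set. The crypto/x509/x509_r2x.c hunk in this same commit guards the identical pattern; the same shape fits here: `if (pkey == NULL || !X509_set_pubkey(x, pkey)) goto end;`. The else-branch is complete within the hunk, but x509_main is not.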
diff --git a/crypto/x509/x509_r2x.c b/crypto/x509/x509_r2x.c
index a6c5941..d082636 100644
--- a/crypto/x509/x509_r2x.c
+++ b/crypto/x509/x509_r2x.c
@@ -70,10 +70,11 @@ X509 *X509_REQ_to_X509(X509_REQ *r, int days, EVP_PKEY *pkey)
X509 *ret = NULL;
X509_CINF *xi = NULL;
X509_NAME *xn;
+ EVP_PKEY *pubkey = NULL;
if ((ret = X509_new()) == NULL) {
X509err(X509_F_X509_REQ_TO_X509, ERR_R_MALLOC_FAILURE);
- goto err;
+ return NULL;
}
/* duplicate the request */
@@ -89,9 +90,9 @@ X509 *X509_REQ_to_X509(X509_REQ *r, int days, EVP_PKEY *pkey)
}
xn = X509_REQ_get_subject_name(r);
- if (X509_set_subject_name(ret, X509_NAME_dup(xn)) == 0)
+ if (X509_set_subject_name(ret, xn) == 0)
goto err;
- if (X509_set_issuer_name(ret, X509_NAME_dup(xn)) == 0)
+ if (X509_set_issuer_name(ret, xn) == 0)
goto err;
if (X509_gmtime_adj(xi->validity.notBefore, 0) == NULL)
@@ -100,7 +101,9 @@ X509 *X509_REQ_to_X509(X509_REQ *r, int days, EVP_PKEY *pkey)
NULL)
goto err;
- X509_set_pubkey(ret, X509_REQ_get_pubkey(r));
+ pubkey = X509_REQ_get0_pubkey(r);
+ if (pubkey == NULL || !X509_set_pubkey(ret, pubkey))
+ goto err;
if (!X509_sign(ret, pkey, EVP_md5()))
goto err;
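Review bot: The new pubkey NULL/failure check is the right shape, but the certificate it feeds is signed on the very next context line with `EVP_md5()` — pre-existing, not introduced by this commit — so X509_REQ_to_X509 hands back a certificate whose signature modern verifiers reject as a weak digest. A follow-up could switch to `EVP_sha256()` or, better, take the digest as a parameter so callers choose. Whether `err:` releases ret on this path cannot be seen from the hunk; X509_REQ_to_X509 continues past it.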
diff --git a/crypto/x509/x509_req.c b/crypto/x509/x509_req.c
index c67f609..2b2cbce 100644
--- a/crypto/x509/x509_req.c
+++ b/crypto/x509/x509_req.c
@@ -115,6 +115,13 @@ EVP_PKEY *X509_REQ_get_pubkey(X509_REQ *req)
return (X509_PUBKEY_get(req->req_info.pubkey));
}
+EVP_PKEY *X509_REQ_get0_pubkey(X509_REQ *req)
+{
+ if (req == NULL)
+ return NULL;
+ return (X509_PUBKEY_get0(req->req_info.pubkey));
+}
+
X509_PUBKEY *X509_REQ_get_X509_PUBKEY(X509_REQ *req)
{
return req->req_info.pubkey;
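Review bot: X509_REQ_get0_pubkey has no comment stating its ownership contract, which is the one thing a reader of a get0 accessor needs; the pod hunk in this commit gives it only by analogy. A comment above the definition such as `/* Borrowed reference: the returned key is owned by req, must not be freed, and is valid only while req is alive. */` would pin it down. The new function also checks `req == NULL` while the two neighbouring accessors visible here (the return at the top of the hunk and X509_REQ_get_X509_PUBKEY below) dereference req unconditionally, so the NULL tolerance is inconsistent across the trio — worth aligning one way or the other. Since the function only reads through req, the signature could take `const X509_REQ *req`, matching `X509_REQ_get_signature_nid` in the include/openssl/x509.h hunk.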
diff --git a/doc/crypto/X509_get_pubkey.pod b/doc/crypto/X509_get_pubkey.pod
index 2740f98..c2fb5c0 100644
--- a/doc/crypto/X509_get_pubkey.pod
+++ b/doc/crypto/X509_get_pubkey.pod
@@ -3,8 +3,9 @@
=head1 NAME
X509_get_pubkey, X509_get0_pubkey, X509_set_pubkey, X509_get_X509_PUBKEY,
-X509_REQ_get_pubkey, X509_REQ_set_pubkey, X509_REQ_get_X509_PUBKEY - get or
-set certificate or certificate request public key.
+X509_REQ_get_pubkey, X509_REQ_get0_pubkey, X509_REQ_set_pubkey,
+X509_REQ_get_X509_PUBKEY - get or set certificate or certificate request
+public key.
=head1 SYNOPSIS
@@ -16,6 +17,7 @@ set certificate or certificate request public key.
X509_PUBKEY *X509_get_X509_PUBKEY(X509 *x);
EVP_PKEY *X509_REQ_get_pubkey(X509_REQ *req);
+ EVP_PKEY *X509_REQ_get0_pubkey(X509_REQ *req);
int X509_REQ_set_pubkey(X509_REQ *x, EVP_PKEY *pkey);
X509_PUBKEY *X509_REQ_get_X509_PUBKEY(X509_REQ *x);
@@ -35,8 +37,8 @@ must not be freed up after use.
X509_set_pubkey() attempts to set the public key for certificate B<x> to
B<pkey>. The key B<pkey> should be freed up after use.
-X509_REQ_get_pubkey(), X509_REQ_set_pubkey() and X509_REQ_get_X509_PUBKEY()
-are similar but operate on certificate request B<req>.
+X509_REQ_get_pubkey(), X509_REQ_get0_pubkey(), X509_REQ_set_pubkey() and
+X509_REQ_get_X509_PUBKEY() are similar but operate on certificate request B<req>.
=head1 NOTES
@@ -51,7 +53,7 @@ X509_get_pubkey(), X509_get0_pubkey(), X509_get_X509_PUBKEY(),
X509_REQ_get_pubkey() and X509_REQ_get_X509_PUBKEY() return a public key or
B<NULL> if an error occurred.
-X509_set_pubkey() and X509_REQ_set_pubkey() rerturn 1 for success and 0
+X509_set_pubkey() and X509_REQ_set_pubkey() return 1 for success and 0
for failure.
=head1 SEE ALSO
diff --git a/include/openssl/x509.h b/include/openssl/x509.h
index 4f22dc3..ae2fb1d 100644
--- a/include/openssl/x509.h
+++ b/include/openssl/x509.h
@@ -696,6 +696,7 @@ int X509_REQ_get_signature_nid(const X509_REQ *req);
int i2d_re_X509_REQ_tbs(X509_REQ *req, unsigned char **pp);
int X509_REQ_set_pubkey(X509_REQ *x, EVP_PKEY *pkey);
EVP_PKEY *X509_REQ_get_pubkey(X509_REQ *req);
+EVP_PKEY *X509_REQ_get0_pubkey(X509_REQ *req);
X509_PUBKEY *X509_REQ_get_X509_PUBKEY(X509_REQ *req);
int X509_REQ_extension_nid(int nid);
int *X509_REQ_get_extension_nids(void);
diff --git a/util/libcrypto.num b/util/libcrypto.num
index e1ca4ef..581a84b 100644
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@@ -4124,3 +4124,4 @@ DSA_meth_get_sign_setup 3989 1_1_0 EXIST::FUNCTION:DSA
DSA_get0_engine 3990 1_1_0 EXIST::FUNCTION:DSA
X509_VERIFY_PARAM_set_auth_level 3991 1_1_0 EXIST::FUNCTION:
X509_VERIFY_PARAM_get_auth_level 3992 1_1_0 EXIST::FUNCTION:
+X509_REQ_get0_pubkey 3993 1_1_0 EXIST::FUNCTION: