[openssl-commits] [openssl] master update

Wed Aug 17 16:49:31 UTC 2016

The branch master has been updated
       via  67a014bfda5f8596e8fa19ab0293343ee0c806ac (commit)
       via  59b4da05b4072df79e85b5f8bbf4cf049431b9b6 (commit)
      from  d6073e27ebdbab63bf0add13fa0f66dcaa6e39e8 (commit)


- Log -----------------------------------------------------------------
commit 67a014bfda5f8596e8fa19ab0293343ee0c806ac
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Wed Aug 17 17:29:18 2016 +0100

    make update
    
    Reviewed-by: Matt Caswell <matt at openssl.org>

commit 59b4da05b4072df79e85b5f8bbf4cf049431b9b6
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Wed Aug 17 17:27:05 2016 +0100

    Constify X509_SIG.
    
    Constify X509_SIG_get0() and order arguments to mactch new standard.
    
    Add X509_SIG_get0_mutable() to support modification or initialisation
    of an X509_SIG structure.
    
    Reviewed-by: Matt Caswell <matt at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 apps/pkcs12.c                | 14 +++++++-------
 crypto/asn1/x_sig.c          | 13 +++++++++++--
 crypto/pkcs12/p12_decr.c     | 10 +++++-----
 crypto/pkcs12/p12_mutl.c     | 22 ++++++++++++----------
 crypto/pkcs12/p12_npas.c     | 12 +++++++-----
 crypto/pkcs12/p12_p8d.c      |  8 ++++----
 doc/crypto/X509_SIG_get0.pod | 12 ++++++++----
 include/openssl/pkcs12.h     | 19 +++++++++++--------
 include/openssl/x509.h       |  6 ++++--
 util/libcrypto.num           |  1 +
 10 files changed, 70 insertions(+), 47 deletions(-)

diff --git a/apps/pkcs12.c b/apps/pkcs12.c
index 1fcd713..7b12221 100644
--- a/apps/pkcs12.c
+++ b/apps/pkcs12.c
@@ -40,7 +40,7 @@ int dump_certs_pkeys_bag(BIO *out, PKCS12_SAFEBAG *bags, char *pass,
 int print_attribs(BIO *out, const STACK_OF(X509_ATTRIBUTE) *attrlst,
                   const char *name);
 void hex_prin(BIO *out, unsigned char *buf, int len);
-static int alg_print(X509_ALGOR *alg);
+static int alg_print(const X509_ALGOR *alg);
 int cert_load(BIO *in, STACK_OF(X509) *sk);
 static int set_pbe(int *ppbe, const char *str);
 
@@ -521,8 +521,8 @@ int pkcs12_main(int argc, char **argv)
         OPENSSL_strlcpy(macpass, pass, sizeof macpass);
 
     if ((options & INFO) && PKCS12_mac_present(p12)) {
-        ASN1_INTEGER *tmaciter;
-        X509_ALGOR *macalgid;
+        const ASN1_INTEGER *tmaciter;
+        const X509_ALGOR *macalgid;
         const ASN1_OBJECT *macobj;
         PKCS12_get0_mac(NULL, &macalgid, NULL, &tmaciter, p12);
         X509_ALGOR_get0(&macobj, NULL, NULL, macalgid);
@@ -650,12 +650,12 @@ int dump_certs_pkeys_bag(BIO *out, PKCS12_SAFEBAG *bag, char *pass,
 
     case NID_pkcs8ShroudedKeyBag:
         if (options & INFO) {
-            X509_SIG *tp8;
-            X509_ALGOR *tp8alg;
+            const X509_SIG *tp8;
+            const X509_ALGOR *tp8alg;
 
             BIO_printf(bio_err, "Shrouded Keybag: ");
             tp8 = PKCS12_SAFEBAG_get0_pkcs8(bag);
-            X509_SIG_get0(&tp8alg, NULL, tp8);
+            X509_SIG_get0(tp8, &tp8alg, NULL);
             alg_print(tp8alg);
         }
         if (options & NOKEYS)
@@ -740,7 +740,7 @@ end:
     return i;
 }
 
-static int alg_print(X509_ALGOR *alg)
+static int alg_print(const X509_ALGOR *alg)
 {
     int pbenid, aparamtype;
     const ASN1_OBJECT *aoid;
diff --git a/crypto/asn1/x_sig.c b/crypto/asn1/x_sig.c
index d5b0b69..1e835cb 100644
--- a/crypto/asn1/x_sig.c
+++ b/crypto/asn1/x_sig.c
@@ -20,8 +20,17 @@ ASN1_SEQUENCE(X509_SIG) = {
 
 IMPLEMENT_ASN1_FUNCTIONS(X509_SIG)
 
-void X509_SIG_get0(X509_ALGOR **palg, ASN1_OCTET_STRING **pdigest,
-                   X509_SIG *sig)
+void X509_SIG_get0(const X509_SIG *sig, const X509_ALGOR **palg,
+                   const ASN1_OCTET_STRING **pdigest)
+{
+    if (palg)
+        *palg = sig->algor;
+    if (pdigest)
+        *pdigest = sig->digest;
+}
+
+void X509_SIG_get0_mutable(X509_SIG *sig, X509_ALGOR **palg,
+                           ASN1_OCTET_STRING **pdigest)
 {
     if (palg)
         *palg = sig->algor;
diff --git a/crypto/pkcs12/p12_decr.c b/crypto/pkcs12/p12_decr.c
index 9ad17d7..3c86058 100644
--- a/crypto/pkcs12/p12_decr.c
+++ b/crypto/pkcs12/p12_decr.c
@@ -20,9 +20,9 @@
  * Encrypt/Decrypt a buffer based on password and algor, result in a
  * OPENSSL_malloc'ed buffer
  */
-
-unsigned char *PKCS12_pbe_crypt(X509_ALGOR *algor, const char *pass,
-                                int passlen, unsigned char *in, int inlen,
+unsigned char *PKCS12_pbe_crypt(const X509_ALGOR *algor,
+                                const char *pass, int passlen,
+                                const unsigned char *in, int inlen,
                                 unsigned char **data, int *datalen, int en_de)
 {
     unsigned char *out = NULL;
@@ -79,9 +79,9 @@ unsigned char *PKCS12_pbe_crypt(X509_ALGOR *algor, const char *pass,
  * after use.
  */
 
-void *PKCS12_item_decrypt_d2i(X509_ALGOR *algor, const ASN1_ITEM *it,
+void *PKCS12_item_decrypt_d2i(const X509_ALGOR *algor, const ASN1_ITEM *it,
                               const char *pass, int passlen,
-                              ASN1_OCTET_STRING *oct, int zbuf)
+                              const ASN1_OCTET_STRING *oct, int zbuf)
 {
     unsigned char *out;
     const unsigned char *p;
diff --git a/crypto/pkcs12/p12_mutl.c b/crypto/pkcs12/p12_mutl.c
index 9ab2659..87c40ee 100644
--- a/crypto/pkcs12/p12_mutl.c
+++ b/crypto/pkcs12/p12_mutl.c
@@ -20,12 +20,14 @@ int PKCS12_mac_present(PKCS12 *p12)
     return p12->mac ? 1 : 0;
 }
 
-void PKCS12_get0_mac(ASN1_OCTET_STRING **pmac, X509_ALGOR **pmacalg,
-                     ASN1_OCTET_STRING **psalt, ASN1_INTEGER **piter,
-                     PKCS12 *p12)
+void PKCS12_get0_mac(const ASN1_OCTET_STRING **pmac,
+                     const X509_ALGOR **pmacalg,
+                     const ASN1_OCTET_STRING **psalt,
+                     const ASN1_INTEGER **piter,
+                     const PKCS12 *p12)
 {
     if (p12->mac) {
-        X509_SIG_get0(pmacalg, pmac, p12->mac->dinfo);
+        X509_SIG_get0(p12->mac->dinfo, pmacalg, pmac);
         if (psalt)
             *psalt = p12->mac->salt;
         if (piter)
@@ -74,7 +76,7 @@ int PKCS12_gen_mac(PKCS12 *p12, const char *pass, int passlen,
     int saltlen, iter;
     int md_size = 0;
     int md_type_nid;
-    X509_ALGOR *macalg;
+    const X509_ALGOR *macalg;
     const ASN1_OBJECT *macoid;
 
     if (!PKCS7_type_is_data(p12->authsafes)) {
@@ -88,7 +90,7 @@ int PKCS12_gen_mac(PKCS12 *p12, const char *pass, int passlen,
         iter = 1;
     else
         iter = ASN1_INTEGER_get(p12->mac->iter);
-    X509_SIG_get0(&macalg, NULL, p12->mac->dinfo);
+    X509_SIG_get0(p12->mac->dinfo, &macalg, NULL);
     X509_ALGOR_get0(&macoid, NULL, NULL, macalg);
     if ((md_type = EVP_get_digestbyobj(macoid)) == NULL) {
         PKCS12err(PKCS12_F_PKCS12_GEN_MAC, PKCS12_R_UNKNOWN_DIGEST_ALGORITHM);
@@ -131,7 +133,7 @@ int PKCS12_verify_mac(PKCS12 *p12, const char *pass, int passlen)
 {
     unsigned char mac[EVP_MAX_MD_SIZE];
     unsigned int maclen;
-    ASN1_OCTET_STRING *macoct;
+    const ASN1_OCTET_STRING *macoct;
 
     if (p12->mac == NULL) {
         PKCS12err(PKCS12_F_PKCS12_VERIFY_MAC, PKCS12_R_MAC_ABSENT);
@@ -141,7 +143,7 @@ int PKCS12_verify_mac(PKCS12 *p12, const char *pass, int passlen)
         PKCS12err(PKCS12_F_PKCS12_VERIFY_MAC, PKCS12_R_MAC_GENERATION_ERROR);
         return 0;
     }
-    X509_SIG_get0(NULL, &macoct, p12->mac->dinfo);
+    X509_SIG_get0(p12->mac->dinfo, NULL, &macoct);
     if ((maclen != (unsigned int)ASN1_STRING_length(macoct))
         || CRYPTO_memcmp(mac, ASN1_STRING_get0_data(macoct), maclen))
         return 0;
@@ -168,7 +170,7 @@ int PKCS12_set_mac(PKCS12 *p12, const char *pass, int passlen,
         PKCS12err(PKCS12_F_PKCS12_SET_MAC, PKCS12_R_MAC_GENERATION_ERROR);
         return 0;
     }
-    X509_SIG_get0(NULL, &macoct, p12->mac->dinfo);
+    X509_SIG_get0_mutable(p12->mac->dinfo, NULL, &macoct);
     if (!ASN1_OCTET_STRING_set(macoct, mac, maclen)) {
         PKCS12err(PKCS12_F_PKCS12_SET_MAC, PKCS12_R_MAC_STRING_SET_ERROR);
         return 0;
@@ -206,7 +208,7 @@ int PKCS12_setup_mac(PKCS12 *p12, int iter, unsigned char *salt, int saltlen,
             return 0;
     } else
         memcpy(p12->mac->salt->data, salt, saltlen);
-    X509_SIG_get0(&macalg, NULL, p12->mac->dinfo);
+    X509_SIG_get0_mutable(p12->mac->dinfo, &macalg, NULL);
     if (!X509_ALGOR_set0(macalg, OBJ_nid2obj(EVP_MD_type(md_type)),
                          V_ASN1_NULL, NULL)) {
         PKCS12err(PKCS12_F_PKCS12_SETUP_MAC, ERR_R_MALLOC_FAILURE);
diff --git a/crypto/pkcs12/p12_npas.c b/crypto/pkcs12/p12_npas.c
index 21bd772..f075bca 100644
--- a/crypto/pkcs12/p12_npas.c
+++ b/crypto/pkcs12/p12_npas.c
@@ -22,7 +22,8 @@ static int newpass_bags(STACK_OF(PKCS12_SAFEBAG) *bags, const char *oldpass,
                         const char *newpass);
 static int newpass_bag(PKCS12_SAFEBAG *bag, const char *oldpass,
                         const char *newpass);
-static int alg_get(X509_ALGOR *alg, int *pnid, int *piter, int *psaltlen);
+static int alg_get(const X509_ALGOR *alg, int *pnid, int *piter,
+                   int *psaltlen);
 
 /*
  * Change the password on a PKCS#12 structure.
@@ -109,7 +110,7 @@ static int newpass_p12(PKCS12 *p12, const char *oldpass, const char *newpass)
 
     if (!PKCS12_gen_mac(p12, newpass, -1, mac, &maclen))
         goto err;
-    X509_SIG_get0(NULL, &macoct, p12->mac->dinfo);
+    X509_SIG_get0_mutable(p12->mac->dinfo, NULL, &macoct);
     if (!ASN1_OCTET_STRING_set(macoct, mac, maclen))
         goto err;
 
@@ -148,14 +149,14 @@ static int newpass_bag(PKCS12_SAFEBAG *bag, const char *oldpass,
     PKCS8_PRIV_KEY_INFO *p8;
     X509_SIG *p8new;
     int p8_nid, p8_saltlen, p8_iter;
-    X509_ALGOR *shalg;
+    const X509_ALGOR *shalg;
 
     if (PKCS12_SAFEBAG_get_nid(bag) != NID_pkcs8ShroudedKeyBag)
         return 1;
 
     if ((p8 = PKCS8_decrypt(bag->value.shkeybag, oldpass, -1)) == NULL)
         return 0;
-    X509_SIG_get0(&shalg, NULL, bag->value.shkeybag);
+    X509_SIG_get0(bag->value.shkeybag, &shalg, NULL);
     if (!alg_get(shalg, &p8_nid, &p8_iter, &p8_saltlen))
         return 0;
     p8new = PKCS8_encrypt(p8_nid, NULL, newpass, -1, NULL, p8_saltlen,
@@ -168,7 +169,8 @@ static int newpass_bag(PKCS12_SAFEBAG *bag, const char *oldpass,
     return 1;
 }
 
-static int alg_get(X509_ALGOR *alg, int *pnid, int *piter, int *psaltlen)
+static int alg_get(const X509_ALGOR *alg, int *pnid, int *piter,
+                   int *psaltlen)
 {
     PBEPARAM *pbe;
     pbe = ASN1_TYPE_unpack_sequence(ASN1_ITEM_rptr(PBEPARAM), alg->parameter);
diff --git a/crypto/pkcs12/p12_p8d.c b/crypto/pkcs12/p12_p8d.c
index 97577da..d926a77 100644
--- a/crypto/pkcs12/p12_p8d.c
+++ b/crypto/pkcs12/p12_p8d.c
@@ -11,12 +11,12 @@
 #include "internal/cryptlib.h"
 #include <openssl/pkcs12.h>
 
-PKCS8_PRIV_KEY_INFO *PKCS8_decrypt(X509_SIG *p8, const char *pass,
+PKCS8_PRIV_KEY_INFO *PKCS8_decrypt(const X509_SIG *p8, const char *pass,
                                    int passlen)
 {
-    X509_ALGOR *dalg;
-    ASN1_OCTET_STRING *doct;
-    X509_SIG_get0(&dalg, &doct, p8);
+    const X509_ALGOR *dalg;
+    const ASN1_OCTET_STRING *doct;
+    X509_SIG_get0(p8, &dalg, &doct);
     return PKCS12_item_decrypt_d2i(dalg,
                                    ASN1_ITEM_rptr(PKCS8_PRIV_KEY_INFO), pass,
                                    passlen, doct, 1);
diff --git a/doc/crypto/X509_SIG_get0.pod b/doc/crypto/X509_SIG_get0.pod
index 1d61497..a47ae44 100644
--- a/doc/crypto/X509_SIG_get0.pod
+++ b/doc/crypto/X509_SIG_get0.pod
@@ -2,19 +2,23 @@
 
 =head1 NAME
 
-X509_SIG_get0 - Get DigestInfo functions
+X509_SIG_get0, X509_SIG_get0_mutable - DigestInfo functions
 
 =head1 SYNOPSIS
 
  #include <openssl/x509.h>
 
- void X509_SIG_get0(X509_ALGOR **palg, ASN1_OCTET_STRING **pdigest,
-                    X509_SIG *sig);
+ void X509_SIG_get0(const X509_SIG *sig, const X509_ALGOR **palg,
+                    const ASN1_OCTET_STRING **pdigest);
+ void X509_SIG_get0_mutable(X509_SIG *sig, X509_ALGOR **palg,
+                            ASN1_OCTET_STRING **pdigest,
 
 =head1 DESCRIPTION
 
 X509_SIG_get0() returns pointers to the algorithm identifier and digest
-value in B<sig>. These values can then be examined or initialised.
+value in B<sig>. X509_SIG_get0_mutable() is identical to X509_SIG_get0()
+except the pointers returned are not constant and can be modified:
+for example to initialise them.
 
 =head1 SEE ALSO
 
diff --git a/include/openssl/pkcs12.h b/include/openssl/pkcs12.h
index 775f20a..663f298 100644
--- a/include/openssl/pkcs12.h
+++ b/include/openssl/pkcs12.h
@@ -84,9 +84,11 @@ typedef struct pkcs12_bag_st PKCS12_BAGS;
 
 ASN1_TYPE *PKCS8_get_attr(PKCS8_PRIV_KEY_INFO *p8, int attr_nid);
 int PKCS12_mac_present(PKCS12 *p12);
-void PKCS12_get0_mac(ASN1_OCTET_STRING **pmac, X509_ALGOR **pmacalg,
-                     ASN1_OCTET_STRING **psalt, ASN1_INTEGER **piter,
-                     PKCS12 *p12);
+void PKCS12_get0_mac(const ASN1_OCTET_STRING **pmac,
+                     const X509_ALGOR **pmacalg,
+                     const ASN1_OCTET_STRING **psalt,
+                     const ASN1_INTEGER **piter,
+                     const PKCS12 *p12);
 
 ASN1_TYPE *PKCS12_SAFEBAG_get0_attr(PKCS12_SAFEBAG *bag, int attr_nid);
 ASN1_OBJECT *PKCS12_SAFEBAG_get0_type(PKCS12_SAFEBAG *bag);
@@ -112,7 +114,7 @@ PKCS12_SAFEBAG *PKCS12_SAFEBAG_create_pkcs8_encrypt(int pbe_nid,
 
 PKCS12_SAFEBAG *PKCS12_item_pack_safebag(void *obj, const ASN1_ITEM *it,
                                          int nid1, int nid2);
-PKCS8_PRIV_KEY_INFO *PKCS8_decrypt(X509_SIG *p8, const char *pass,
+PKCS8_PRIV_KEY_INFO *PKCS8_decrypt(const X509_SIG *p8, const char *pass,
                                    int passlen);
 PKCS8_PRIV_KEY_INFO *PKCS12_decrypt_skey(PKCS12_SAFEBAG *bag,
                                          const char *pass, int passlen);
@@ -145,13 +147,14 @@ ASN1_TYPE *PKCS12_get_attr_gen(const STACK_OF(X509_ATTRIBUTE) *attrs,
                                int attr_nid);
 char *PKCS12_get_friendlyname(PKCS12_SAFEBAG *bag);
 STACK_OF(X509_ATTRIBUTE) *PKCS12_SAFEBAG_get0_attrs(PKCS12_SAFEBAG *bag);
-unsigned char *PKCS12_pbe_crypt(X509_ALGOR *algor, const char *pass,
-                                int passlen, unsigned char *in, int inlen,
+unsigned char *PKCS12_pbe_crypt(const X509_ALGOR *algor,
+                                const char *pass, int passlen,
+                                const unsigned char *in, int inlen,
                                 unsigned char **data, int *datalen,
                                 int en_de);
-void *PKCS12_item_decrypt_d2i(X509_ALGOR *algor, const ASN1_ITEM *it,
+void *PKCS12_item_decrypt_d2i(const X509_ALGOR *algor, const ASN1_ITEM *it,
                               const char *pass, int passlen,
-                              ASN1_OCTET_STRING *oct, int zbuf);
+                              const ASN1_OCTET_STRING *oct, int zbuf);
 ASN1_OCTET_STRING *PKCS12_item_i2d_encrypt(X509_ALGOR *algor,
                                            const ASN1_ITEM *it,
                                            const char *pass, int passlen,
diff --git a/include/openssl/x509.h b/include/openssl/x509.h
index 2238529..1a63ba5 100644
--- a/include/openssl/x509.h
+++ b/include/openssl/x509.h
@@ -516,8 +516,10 @@ EC_KEY *d2i_EC_PUBKEY(EC_KEY **a, const unsigned char **pp, long length);
 # endif
 
 DECLARE_ASN1_FUNCTIONS(X509_SIG)
-void X509_SIG_get0(X509_ALGOR **palg, ASN1_OCTET_STRING **pdigest,
-                   X509_SIG *sig);
+void X509_SIG_get0(const X509_SIG *sig, const X509_ALGOR **palg,
+                   const ASN1_OCTET_STRING **pdigest);
+void X509_SIG_get0_mutable(X509_SIG *sig, X509_ALGOR **palg,
+                           ASN1_OCTET_STRING **pdigest);
 
 DECLARE_ASN1_FUNCTIONS(X509_REQ_INFO)
 DECLARE_ASN1_FUNCTIONS(X509_REQ)
diff --git a/util/libcrypto.num b/util/libcrypto.num
index 7fb02f7..a55fbff 100644
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@@ -4191,3 +4191,4 @@ DSA_bits                                4137	1_1_0	EXIST::FUNCTION:DSA
 EVP_PKEY_set1_tls_encodedpoint          4138	1_1_0	EXIST::FUNCTION:
 EVP_PKEY_get1_tls_encodedpoint          4139	1_1_0	EXIST::FUNCTION:
 ASN1_STRING_get0_data                   4140	1_1_0	EXIST::FUNCTION:
+X509_SIG_get0_mutable                   4141	1_1_0	EXIST::FUNCTION:
