[openssl-commits] [openssl] master update
Dr. Stephen Henson
steve at openssl.org
Fri Mar 11 17:43:21 UTC 2016
The branch master has been updated
via bf8bdbc678caacf5f91b7e669422862c2d0583c9 (commit)
via a6eb1ce6a989d01bb00e9749789b690744be506c (commit)
from bb26842d1c8f99c1267b45361a2fc76822c0f913 (commit)
- Log -----------------------------------------------------------------
commit bf8bdbc678caacf5f91b7e669422862c2d0583c9
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Fri Mar 11 17:41:24 2016 +0000
make update
Reviewed-by: Rich Salz <rsalz at openssl.org>
commit a6eb1ce6a989d01bb00e9749789b690744be506c
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Thu Mar 10 15:04:46 2016 +0000
Make X509_SIG opaque.
Reviewed-by: Rich Salz <rsalz at openssl.org>
-----------------------------------------------------------------------
Summary of changes:
apps/pkcs12.c | 4 +++-
crypto/asn1/x_sig.c | 10 ++++++++++
crypto/include/internal/x509_int.h | 5 +++++
crypto/pkcs12/p12_mutl.c | 31 +++++++++++++++++++------------
crypto/pkcs12/p12_npas.c | 14 ++++++--------
crypto/pkcs12/p12_p8d.c | 7 +++++--
crypto/pkcs12/p12_p8e.c | 7 ++++---
crypto/rsa/rsa_sign.c | 1 +
doc/crypto/d2i_X509_SIG.pod | 12 +++++++++---
include/openssl/x509.h | 8 ++++----
util/libcrypto.num | 1 +
11 files changed, 67 insertions(+), 33 deletions(-)
diff --git a/apps/pkcs12.c b/apps/pkcs12.c
index 5ed2122..1fd1fad 100644
--- a/apps/pkcs12.c
+++ b/apps/pkcs12.c
@@ -668,10 +668,12 @@ int dump_certs_pkeys_bag(BIO *out, PKCS12_SAFEBAG *bag, char *pass,
case NID_pkcs8ShroudedKeyBag:
if (options & INFO) {
X509_SIG *tp8;
+ X509_ALGOR *tp8alg;
BIO_printf(bio_err, "Shrouded Keybag: ");
tp8 = PKCS12_SAFEBAG_get0_pkcs8(bag);
- alg_print(tp8->algor);
+ X509_SIG_get0(&tp8alg, NULL, tp8);
+ alg_print(tp8alg);
}
if (options & NOKEYS)
return 1;
diff --git a/crypto/asn1/x_sig.c b/crypto/asn1/x_sig.c
index 8197d2a..b880e24 100644
--- a/crypto/asn1/x_sig.c
+++ b/crypto/asn1/x_sig.c
@@ -59,6 +59,7 @@
#include "internal/cryptlib.h"
#include <openssl/asn1t.h>
#include <openssl/x509.h>
+#include "internal/x509_int.h"
ASN1_SEQUENCE(X509_SIG) = {
ASN1_SIMPLE(X509_SIG, algor, X509_ALGOR),
@@ -66,3 +67,12 @@ ASN1_SEQUENCE(X509_SIG) = {
} ASN1_SEQUENCE_END(X509_SIG)
IMPLEMENT_ASN1_FUNCTIONS(X509_SIG)
+
+void X509_SIG_get0(X509_ALGOR **palg, ASN1_OCTET_STRING **pdigest,
+ X509_SIG *sig)
+{
+ if (palg)
+ *palg = sig->algor;
+ if (pdigest)
+ *pdigest = sig->digest;
+}
diff --git a/crypto/include/internal/x509_int.h b/crypto/include/internal/x509_int.h
index eec024c..fc032ae 100644
--- a/crypto/include/internal/x509_int.h
+++ b/crypto/include/internal/x509_int.h
@@ -225,3 +225,8 @@ struct pkcs8_priv_key_info_st {
ASN1_OCTET_STRING *pkey;
STACK_OF(X509_ATTRIBUTE) *attributes;
};
+
+struct X509_sig_st {
+ X509_ALGOR *algor;
+ ASN1_OCTET_STRING *digest;
+};
diff --git a/crypto/pkcs12/p12_mutl.c b/crypto/pkcs12/p12_mutl.c
index 230f3e6..0395358 100644
--- a/crypto/pkcs12/p12_mutl.c
+++ b/crypto/pkcs12/p12_mutl.c
@@ -74,10 +74,7 @@ void PKCS12_get0_mac(ASN1_OCTET_STRING **pmac, X509_ALGOR **pmacalg,
PKCS12 *p12)
{
if (p12->mac) {
- if (pmac)
- *pmac = p12->mac->dinfo->digest;
- if (pmacalg)
- *pmacalg = p12->mac->dinfo->algor;
+ X509_SIG_get0(pmacalg, pmac, p12->mac->dinfo);
if (psalt)
*psalt = p12->mac->salt;
if (piter)
@@ -126,6 +123,8 @@ int PKCS12_gen_mac(PKCS12 *p12, const char *pass, int passlen,
int saltlen, iter;
int md_size = 0;
int md_type_nid;
+ X509_ALGOR *macalg;
+ ASN1_OBJECT *macoid;
if (!PKCS7_type_is_data(p12->authsafes)) {
PKCS12err(PKCS12_F_PKCS12_GEN_MAC, PKCS12_R_CONTENT_TYPE_NOT_DATA);
@@ -138,8 +137,9 @@ int PKCS12_gen_mac(PKCS12 *p12, const char *pass, int passlen,
iter = 1;
else
iter = ASN1_INTEGER_get(p12->mac->iter);
- if ((md_type = EVP_get_digestbyobj(p12->mac->dinfo->algor->algorithm))
- == NULL) {
+ X509_SIG_get0(&macalg, NULL, p12->mac->dinfo);
+ X509_ALGOR_get0(&macoid, NULL, NULL, macalg);
+ if ((md_type = EVP_get_digestbyobj(macoid)) == NULL) {
PKCS12err(PKCS12_F_PKCS12_GEN_MAC, PKCS12_R_UNKNOWN_DIGEST_ALGORITHM);
return 0;
}
@@ -180,6 +180,8 @@ int PKCS12_verify_mac(PKCS12 *p12, const char *pass, int passlen)
{
unsigned char mac[EVP_MAX_MD_SIZE];
unsigned int maclen;
+ ASN1_OCTET_STRING *macoct;
+
if (p12->mac == NULL) {
PKCS12err(PKCS12_F_PKCS12_VERIFY_MAC, PKCS12_R_MAC_ABSENT);
return 0;
@@ -188,8 +190,9 @@ int PKCS12_verify_mac(PKCS12 *p12, const char *pass, int passlen)
PKCS12err(PKCS12_F_PKCS12_VERIFY_MAC, PKCS12_R_MAC_GENERATION_ERROR);
return 0;
}
- if ((maclen != (unsigned int)p12->mac->dinfo->digest->length)
- || CRYPTO_memcmp(mac, p12->mac->dinfo->digest->data, maclen))
+ X509_SIG_get0(NULL, &macoct, p12->mac->dinfo);
+ if ((maclen != (unsigned int)ASN1_STRING_length(macoct))
+ || CRYPTO_memcmp(mac, ASN1_STRING_data(macoct), maclen))
return 0;
return 1;
}
@@ -202,6 +205,7 @@ int PKCS12_set_mac(PKCS12 *p12, const char *pass, int passlen,
{
unsigned char mac[EVP_MAX_MD_SIZE];
unsigned int maclen;
+ ASN1_OCTET_STRING *macoct;
if (!md_type)
md_type = EVP_sha1();
@@ -213,7 +217,8 @@ int PKCS12_set_mac(PKCS12 *p12, const char *pass, int passlen,
PKCS12err(PKCS12_F_PKCS12_SET_MAC, PKCS12_R_MAC_GENERATION_ERROR);
return 0;
}
- if (!(ASN1_OCTET_STRING_set(p12->mac->dinfo->digest, mac, maclen))) {
+ X509_SIG_get0(NULL, &macoct, p12->mac->dinfo);
+ if (!ASN1_OCTET_STRING_set(macoct, mac, maclen)) {
PKCS12err(PKCS12_F_PKCS12_SET_MAC, PKCS12_R_MAC_STRING_SET_ERROR);
return 0;
}
@@ -224,6 +229,8 @@ int PKCS12_set_mac(PKCS12 *p12, const char *pass, int passlen,
int PKCS12_setup_mac(PKCS12 *p12, int iter, unsigned char *salt, int saltlen,
const EVP_MD *md_type)
{
+ X509_ALGOR *macalg;
+
if ((p12->mac = PKCS12_MAC_DATA_new()) == NULL)
return PKCS12_ERROR;
if (iter > 1) {
@@ -248,12 +255,12 @@ int PKCS12_setup_mac(PKCS12 *p12, int iter, unsigned char *salt, int saltlen,
return 0;
} else
memcpy(p12->mac->salt->data, salt, saltlen);
- p12->mac->dinfo->algor->algorithm = OBJ_nid2obj(EVP_MD_type(md_type));
- if ((p12->mac->dinfo->algor->parameter = ASN1_TYPE_new()) == NULL) {
+ X509_SIG_get0(&macalg, NULL, p12->mac->dinfo);
+ if (!X509_ALGOR_set0(macalg, OBJ_nid2obj(EVP_MD_type(md_type)),
+ V_ASN1_NULL, NULL)) {
PKCS12err(PKCS12_F_PKCS12_SETUP_MAC, ERR_R_MALLOC_FAILURE);
return 0;
}
- p12->mac->dinfo->algor->parameter->type = V_ASN1_NULL;
return 1;
}
diff --git a/crypto/pkcs12/p12_npas.c b/crypto/pkcs12/p12_npas.c
index f2fc12f..e23d035 100644
--- a/crypto/pkcs12/p12_npas.c
+++ b/crypto/pkcs12/p12_npas.c
@@ -109,7 +109,7 @@ static int newpass_p12(PKCS12 *p12, char *oldpass, char *newpass)
STACK_OF(PKCS12_SAFEBAG) *bags;
int i, bagnid, pbe_nid = 0, pbe_iter = 0, pbe_saltlen = 0;
PKCS7 *p7, *p7new;
- ASN1_OCTET_STRING *p12_data_tmp = NULL, *macnew = NULL;
+ ASN1_OCTET_STRING *p12_data_tmp = NULL, *macoct = NULL;
unsigned char mac[EVP_MAX_MD_SIZE];
unsigned int maclen;
@@ -165,12 +165,9 @@ static int newpass_p12(PKCS12 *p12, char *oldpass, char *newpass)
if (!PKCS12_gen_mac(p12, newpass, -1, mac, &maclen))
goto saferr;
- if ((macnew = ASN1_OCTET_STRING_new()) == NULL)
+ X509_SIG_get0(NULL, &macoct, p12->mac->dinfo);
+ if (!ASN1_OCTET_STRING_set(macoct, mac, maclen))
goto saferr;
- if (!ASN1_OCTET_STRING_set(macnew, mac, maclen))
- goto saferr;
- ASN1_OCTET_STRING_free(p12->mac->dinfo->digest);
- p12->mac->dinfo->digest = macnew;
ASN1_OCTET_STRING_free(p12_data_tmp);
return 1;
@@ -178,7 +175,6 @@ static int newpass_p12(PKCS12 *p12, char *oldpass, char *newpass)
saferr:
/* Restore old safe */
ASN1_OCTET_STRING_free(p12->authsafes->d.data);
- ASN1_OCTET_STRING_free(macnew);
p12->authsafes->d.data = p12_data_tmp;
return 0;
@@ -202,13 +198,15 @@ static int newpass_bag(PKCS12_SAFEBAG *bag, char *oldpass, char *newpass)
PKCS8_PRIV_KEY_INFO *p8;
X509_SIG *p8new;
int p8_nid, p8_saltlen, p8_iter;
+ X509_ALGOR *shalg;
if (PKCS12_SAFEBAG_get_nid(bag) != NID_pkcs8ShroudedKeyBag)
return 1;
if ((p8 = PKCS8_decrypt(bag->value.shkeybag, oldpass, -1)) == NULL)
return 0;
- if (!alg_get(bag->value.shkeybag->algor, &p8_nid, &p8_iter, &p8_saltlen))
+ X509_SIG_get0(&shalg, NULL, bag->value.shkeybag);
+ if (!alg_get(shalg, &p8_nid, &p8_iter, &p8_saltlen))
return 0;
if ((p8new = PKCS8_encrypt(p8_nid, NULL, newpass, -1, NULL, p8_saltlen,
p8_iter, p8)) == NULL)
diff --git a/crypto/pkcs12/p12_p8d.c b/crypto/pkcs12/p12_p8d.c
index 9bdfd3f..8980abe 100644
--- a/crypto/pkcs12/p12_p8d.c
+++ b/crypto/pkcs12/p12_p8d.c
@@ -63,7 +63,10 @@
PKCS8_PRIV_KEY_INFO *PKCS8_decrypt(X509_SIG *p8, const char *pass,
int passlen)
{
- return PKCS12_item_decrypt_d2i(p8->algor,
+ X509_ALGOR *dalg;
+ ASN1_OCTET_STRING *doct;
+ X509_SIG_get0(&dalg, &doct, p8);
+ return PKCS12_item_decrypt_d2i(dalg,
ASN1_ITEM_rptr(PKCS8_PRIV_KEY_INFO), pass,
- passlen, p8->digest, 1);
+ passlen, doct, 1);
}
diff --git a/crypto/pkcs12/p12_p8e.c b/crypto/pkcs12/p12_p8e.c
index a625515..b79ca64 100644
--- a/crypto/pkcs12/p12_p8e.c
+++ b/crypto/pkcs12/p12_p8e.c
@@ -59,6 +59,7 @@
#include <stdio.h>
#include "internal/cryptlib.h"
#include <openssl/pkcs12.h>
+#include "internal/x509_int.h"
X509_SIG *PKCS8_encrypt(int pbe_nid, const EVP_CIPHER *cipher,
const char *pass, int passlen,
@@ -103,13 +104,13 @@ X509_SIG *PKCS8_set0_pbe(const char *pass, int passlen,
return NULL;
}
- if ((p8 = X509_SIG_new()) == NULL) {
+ p8 = OPENSSL_zalloc(sizeof(*p8));
+
+ if (p8 == NULL) {
PKCS12err(PKCS12_F_PKCS8_SET0_PBE, ERR_R_MALLOC_FAILURE);
ASN1_OCTET_STRING_free(enckey);
return NULL;
}
- X509_ALGOR_free(p8->algor);
- ASN1_OCTET_STRING_free(p8->digest);
p8->algor = pbe;
p8->digest = enckey;
diff --git a/crypto/rsa/rsa_sign.c b/crypto/rsa/rsa_sign.c
index 61f91b9..439d699 100644
--- a/crypto/rsa/rsa_sign.c
+++ b/crypto/rsa/rsa_sign.c
@@ -61,6 +61,7 @@
#include <openssl/rsa.h>
#include <openssl/objects.h>
#include <openssl/x509.h>
+#include "internal/x509_int.h"
#include "rsa_locl.h"
/* Size of an SSL signature: MD5+SHA1 */
diff --git a/doc/crypto/d2i_X509_SIG.pod b/doc/crypto/d2i_X509_SIG.pod
index 3efb556..08d0876 100644
--- a/doc/crypto/d2i_X509_SIG.pod
+++ b/doc/crypto/d2i_X509_SIG.pod
@@ -10,15 +10,21 @@ d2i_X509_SIG, i2d_X509_SIG - DigestInfo functions.
X509_SIG *d2i_X509_SIG(X509_SIG **a, unsigned char **pp, long length);
int i2d_X509_SIG(X509_SIG *a, unsigned char **pp);
+ void X509_SIG_get0(X509_ALGOR **palg, ASN1_OCTET_STRING **pdigest,
+ X509_SIG *sig);
=head1 DESCRIPTION
-These functions decode and encode an X509_SIG structure which is
-equivalent to the B<DigestInfo> structure defined in PKCS#1 and PKCS#7.
+The functions d2i_X509_SIG() and i2d_X509_SIG() decode and encode an
+X509_SIG structure which is equivalent to the B<DigestInfo> structure
+defined in PKCS#1 and PKCS#7.
-Otherwise these behave in a similar way to d2i_X509() and i2d_X509()
+Otherwise they behave in a similar way to d2i_X509() and i2d_X509()
described in the L<d2i_X509(3)> manual page.
+X509_SIG_get0() returns pointers to the algorithm identifier and digest
+value in B<sig>. These values can then be examined or initialised.
+
=head1 SEE ALSO
L<d2i_X509(3)>
diff --git a/include/openssl/x509.h b/include/openssl/x509.h
index fe60dc8..5c138ca 100644
--- a/include/openssl/x509.h
+++ b/include/openssl/x509.h
@@ -136,10 +136,7 @@ struct X509_pubkey_st {
CRYPTO_RWLOCK *lock;
};
-typedef struct X509_sig_st {
- X509_ALGOR *algor;
- ASN1_OCTET_STRING *digest;
-} X509_SIG;
+typedef struct X509_sig_st X509_SIG;
typedef struct X509_name_entry_st X509_NAME_ENTRY;
@@ -586,6 +583,9 @@ EC_KEY *d2i_EC_PUBKEY(EC_KEY **a, const unsigned char **pp, long length);
# endif
DECLARE_ASN1_FUNCTIONS(X509_SIG)
+void X509_SIG_get0(X509_ALGOR **palg, ASN1_OCTET_STRING **pdigest,
+ X509_SIG *sig);
+
DECLARE_ASN1_FUNCTIONS(X509_REQ_INFO)
DECLARE_ASN1_FUNCTIONS(X509_REQ)
diff --git a/util/libcrypto.num b/util/libcrypto.num
index 7691769..7a86ac8 100644
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@@ -4059,3 +4059,4 @@ DHparams_it 3925 1_1_0 EXIST:!EXPORT_VAR_AS_FUNCTION
DHparams_it 3925 1_1_0 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:DH
EVP_blake2s256 3926 1_1_0 EXIST::FUNCTION:BLAKE2
EVP_blake2b512 3927 1_1_0 EXIST::FUNCTION:BLAKE2
+X509_SIG_get0 3928 1_1_0 EXIST::FUNCTION:
More information about the openssl-commits
mailing list