[openssl] master update
dev at ddvo.net
dev at ddvo.net
Thu Feb 18 15:50:36 UTC 2021
The branch master has been updated
via c1be4d617cf9435e8326ebba643aa4d7cbcb3645 (commit)
via daf1300b80443b6bf0dec19085056ec407925d89 (commit)
from 937984efc6ed1664e5aeb0e06067d31520066960 (commit)
- Log -----------------------------------------------------------------
commit c1be4d617cf9435e8326ebba643aa4d7cbcb3645
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date: Wed Feb 17 12:29:39 2021 +0100
Rename internal X509_add_cert_new() to ossl_x509_add_cert_new()
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14039)
commit daf1300b80443b6bf0dec19085056ec407925d89
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date: Wed Dec 23 16:06:05 2020 +0100
Add internal X509_add_certs_new(), which simplifies matters
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14039)
-----------------------------------------------------------------------
Summary of changes:
crypto/cmp/cmp_ctx.c | 16 ++++++----------
crypto/cmp/cmp_local.h | 1 +
crypto/cmp/cmp_msg.c | 12 ++++--------
crypto/cmp/cmp_protect.c | 17 ++++++-----------
crypto/cmp/cmp_util.c | 8 +++-----
crypto/cmp/cmp_vfy.c | 1 -
crypto/cms/cms_lib.c | 4 ++--
crypto/cms/cms_sd.c | 6 +++---
crypto/ocsp/ocsp_cl.c | 2 +-
crypto/ocsp/ocsp_local.h | 2 +-
crypto/ocsp/ocsp_srv.c | 2 +-
crypto/ocsp/ocsp_vfy.c | 4 ----
crypto/pkcs12/p12_kiss.c | 4 ++--
crypto/pkcs7/pk7_lib.c | 2 +-
crypto/x509/x509_cmp.c | 23 +++++++++++++++++------
crypto/x509/x509_vfy.c | 2 +-
include/crypto/x509.h | 4 +++-
test/helpers/cmp_testlib.h | 1 -
18 files changed, 52 insertions(+), 59 deletions(-)
diff --git a/crypto/cmp/cmp_ctx.c b/crypto/cmp/cmp_ctx.c
index 26274611a8..e65dabe323 100644
--- a/crypto/cmp/cmp_ctx.c
+++ b/crypto/cmp/cmp_ctx.c
@@ -12,7 +12,6 @@
#include <openssl/trace.h>
#include <openssl/bio.h>
#include <openssl/ocsp.h> /* for OCSP_REVOKED_STATUS_* */
-#include "crypto/x509.h" /* for x509v3_cache_extensions() */
#include "cmp_local.h"
@@ -65,15 +64,14 @@ STACK_OF(X509) *OSSL_CMP_CTX_get0_untrusted(const OSSL_CMP_CTX *ctx)
*/
int OSSL_CMP_CTX_set1_untrusted(OSSL_CMP_CTX *ctx, STACK_OF(X509) *certs)
{
- STACK_OF(X509) *untrusted;
+ STACK_OF(X509) *untrusted = NULL;
+
if (ctx == NULL) {
ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
return 0;
}
- if ((untrusted = sk_X509_new_null()) == NULL)
- return 0;
- if (X509_add_certs(untrusted, certs,
- X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP) != 1)
+ if (!ossl_x509_add_certs_new(&untrusted, certs,
+ X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP))
goto err;
sk_X509_pop_free(ctx->untrusted, X509_free);
ctx->untrusted = untrusted;
@@ -731,10 +729,8 @@ int OSSL_CMP_CTX_build_cert_chain(OSSL_CMP_CTX *ctx, X509_STORE *own_trusted,
return 0;
}
- if (ctx->untrusted != NULL ?
- !X509_add_certs(ctx->untrusted, candidates,
- X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP) :
- !OSSL_CMP_CTX_set1_untrusted(ctx, candidates))
+ if (!ossl_x509_add_certs_new(&ctx->untrusted, candidates,
+ X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP))
return 0;
ossl_cmp_debug(ctx, "trying to build chain for own CMP signer cert");
diff --git a/crypto/cmp/cmp_local.h b/crypto/cmp/cmp_local.h
index c615865864..a4d3cf9ea4 100644
--- a/crypto/cmp/cmp_local.h
+++ b/crypto/cmp/cmp_local.h
@@ -23,6 +23,7 @@
# include <openssl/safestack.h>
# include <openssl/x509.h>
# include <openssl/x509v3.h>
+# include "crypto/x509.h"
/*
* this structure is used to store the context for CMP sessions
diff --git a/crypto/cmp/cmp_msg.c b/crypto/cmp/cmp_msg.c
index 4e94d5c1fd..36256b3d1d 100644
--- a/crypto/cmp/cmp_msg.c
+++ b/crypto/cmp/cmp_msg.c
@@ -19,7 +19,6 @@
#include <openssl/crmf.h>
#include <openssl/err.h>
#include <openssl/x509.h>
-#include "crypto/x509.h" /* for x509_set0_libctx() */
OSSL_CMP_PKIHEADER *OSSL_CMP_MSG_get0_header(const OSSL_CMP_MSG *msg)
{
@@ -466,13 +465,10 @@ OSSL_CMP_MSG *ossl_cmp_certrep_new(OSSL_CMP_CTX *ctx, int bodytype,
if (bodytype == OSSL_CMP_PKIBODY_IP && caPubs != NULL
&& (repMsg->caPubs = X509_chain_up_ref(caPubs)) == NULL)
goto err;
- if (sk_X509_num(chain) > 0) {
- msg->extraCerts = sk_X509_new_reserve(NULL, sk_X509_num(chain));
- if (msg->extraCerts == NULL
- || !X509_add_certs(msg->extraCerts, chain,
- X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP))
- goto err;
- }
+ if (sk_X509_num(chain) > 0
+ && !ossl_x509_add_certs_new(&msg->extraCerts, chain,
+ X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP))
+ goto err;
if (!unprotectedErrors
|| ossl_cmp_pkisi_get_status(si) != OSSL_CMP_PKISTATUS_rejection)
diff --git a/crypto/cmp/cmp_protect.c b/crypto/cmp/cmp_protect.c
index fce2ebc468..dcc0232e01 100644
--- a/crypto/cmp/cmp_protect.c
+++ b/crypto/cmp/cmp_protect.c
@@ -134,14 +134,10 @@ int ossl_cmp_msg_add_extraCerts(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg)
if (!ossl_assert(ctx != NULL && msg != NULL))
return 0;
- if (msg->extraCerts == NULL
- && (msg->extraCerts = sk_X509_new_null()) == NULL)
- return 0;
-
/* Add first ctx->cert and its chain if using signature-based protection */
if (!ctx->unprotectedSend && ctx->secretValue == NULL
&& ctx->cert != NULL && ctx->pkey != NULL) {
- int flags_prepend = X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP
+ int prepend = X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP
| X509_ADD_FLAG_PREPEND | X509_ADD_FLAG_NO_SS;
/* if not yet done try to build chain using available untrusted certs */
@@ -162,20 +158,19 @@ int ossl_cmp_msg_add_extraCerts(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg)
}
}
if (ctx->chain != NULL) {
- if (!X509_add_certs(msg->extraCerts, ctx->chain, flags_prepend))
+ if (!ossl_x509_add_certs_new(&msg->extraCerts, ctx->chain, prepend))
return 0;
} else {
/* make sure that at least our own signer cert is included first */
- if (!X509_add_cert(msg->extraCerts, ctx->cert, flags_prepend))
+ if (!ossl_x509_add_cert_new(&msg->extraCerts, ctx->cert, prepend))
return 0;
- ossl_cmp_debug(ctx,
- "fallback: adding just own CMP signer cert");
+ ossl_cmp_debug(ctx, "fallback: adding just own CMP signer cert");
}
}
/* add any additional certificates from ctx->extraCertsOut */
- if (!X509_add_certs(msg->extraCerts, ctx->extraCertsOut,
- X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP))
+ if (!ossl_x509_add_certs_new(&msg->extraCerts, ctx->extraCertsOut,
+ X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP))
return 0;
/* in case extraCerts are empty list avoid empty ASN.1 sequence */
diff --git a/crypto/cmp/cmp_util.c b/crypto/cmp/cmp_util.c
index 4f9714a64a..d246047943 100644
--- a/crypto/cmp/cmp_util.c
+++ b/crypto/cmp/cmp_util.c
@@ -248,11 +248,9 @@ STACK_OF(X509)
chain = X509_STORE_CTX_get0_chain(csc);
/* result list to store the up_ref'ed not self-signed certificates */
- if ((result = sk_X509_new_null()) == NULL)
- goto err;
- if (!X509_add_certs(result, chain,
- X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP
- | X509_ADD_FLAG_NO_SS)) {
+ if (!ossl_x509_add_certs_new(&result, chain,
+ X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP
+ | X509_ADD_FLAG_NO_SS)) {
sk_X509_free(result);
result = NULL;
}
diff --git a/crypto/cmp/cmp_vfy.c b/crypto/cmp/cmp_vfy.c
index 8b6e856d1a..f525c691de 100644
--- a/crypto/cmp/cmp_vfy.c
+++ b/crypto/cmp/cmp_vfy.c
@@ -20,7 +20,6 @@
#include <openssl/crmf.h>
#include <openssl/err.h>
#include <openssl/x509.h>
-#include "crypto/x509.h"
/* Verify a message protected by signature according to RFC section 5.1.3.3 */
static int verify_signature(const OSSL_CMP_CTX *cmp_ctx,
diff --git a/crypto/cms/cms_lib.c b/crypto/cms/cms_lib.c
index 8c4f252ee8..3e2907fc16 100644
--- a/crypto/cms/cms_lib.c
+++ b/crypto/cms/cms_lib.c
@@ -627,8 +627,8 @@ STACK_OF(X509) *CMS_get1_certs(CMS_ContentInfo *cms)
for (i = 0; i < sk_CMS_CertificateChoices_num(*pcerts); i++) {
cch = sk_CMS_CertificateChoices_value(*pcerts, i);
if (cch->type == 0) {
- if (!X509_add_cert_new(&certs, cch->d.certificate,
- X509_ADD_FLAG_UP_REF)) {
+ if (!ossl_x509_add_cert_new(&certs, cch->d.certificate,
+ X509_ADD_FLAG_UP_REF)) {
sk_X509_pop_free(certs, X509_free);
return NULL;
}
diff --git a/crypto/cms/cms_sd.c b/crypto/cms/cms_sd.c
index 57dd85d561..b0519f3894 100644
--- a/crypto/cms/cms_sd.c
+++ b/crypto/cms/cms_sd.c
@@ -20,7 +20,7 @@
#include "crypto/evp.h"
#include "crypto/cms.h"
#include "crypto/ess.h"
-#include "crypto/x509.h" /* for X509_add_cert_new() */
+#include "crypto/x509.h" /* for ossl_x509_add_cert_new() */
/* CMS SignedData Utilities */
@@ -509,8 +509,8 @@ STACK_OF(X509) *CMS_get0_signers(CMS_ContentInfo *cms)
for (i = 0; i < sk_CMS_SignerInfo_num(sinfos); i++) {
si = sk_CMS_SignerInfo_value(sinfos, i);
if (si->signer != NULL) {
- if (!X509_add_cert_new(&signers, si->signer,
- X509_ADD_FLAG_DEFAULT)) {
+ if (!ossl_x509_add_cert_new(&signers, si->signer,
+ X509_ADD_FLAG_DEFAULT)) {
sk_X509_free(signers);
return NULL;
}
diff --git a/crypto/ocsp/ocsp_cl.c b/crypto/ocsp/ocsp_cl.c
index 2d4bd036ad..40d26fb871 100644
--- a/crypto/ocsp/ocsp_cl.c
+++ b/crypto/ocsp/ocsp_cl.c
@@ -77,7 +77,7 @@ int OCSP_request_add1_cert(OCSP_REQUEST *req, X509 *cert)
return 0;
if (cert == NULL)
return 1;
- return X509_add_cert_new(&sig->certs, cert, X509_ADD_FLAG_UP_REF);
+ return ossl_x509_add_cert_new(&sig->certs, cert, X509_ADD_FLAG_UP_REF);
}
/*
diff --git a/crypto/ocsp/ocsp_local.h b/crypto/ocsp/ocsp_local.h
index 1e7de1384f..a7e6e86685 100644
--- a/crypto/ocsp/ocsp_local.h
+++ b/crypto/ocsp/ocsp_local.h
@@ -7,7 +7,7 @@
* https://www.openssl.org/source/license.html
*/
-#include "crypto/x509.h" /* for X509_add_cert_new() */
+#include "crypto/x509.h" /* for ossl_x509_add_cert_new() */
/*- CertID ::= SEQUENCE {
* hashAlgorithm AlgorithmIdentifier,
diff --git a/crypto/ocsp/ocsp_srv.c b/crypto/ocsp/ocsp_srv.c
index 2c8b38f723..4a864f2d79 100644
--- a/crypto/ocsp/ocsp_srv.c
+++ b/crypto/ocsp/ocsp_srv.c
@@ -158,7 +158,7 @@ OCSP_SINGLERESP *OCSP_basic_add1_status(OCSP_BASICRESP *rsp,
int OCSP_basic_add1_cert(OCSP_BASICRESP *resp, X509 *cert)
{
- return X509_add_cert_new(&resp->certs, cert, X509_ADD_FLAG_UP_REF);
+ return ossl_x509_add_cert_new(&resp->certs, cert, X509_ADD_FLAG_UP_REF);
}
/*
diff --git a/crypto/ocsp/ocsp_vfy.c b/crypto/ocsp/ocsp_vfy.c
index cd9274dd31..544748851f 100644
--- a/crypto/ocsp/ocsp_vfy.c
+++ b/crypto/ocsp/ocsp_vfy.c
@@ -118,10 +118,6 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
goto end;
if (!X509_add_certs(untrusted, certs, X509_ADD_FLAG_DEFAULT))
goto end;
- } else if (certs != NULL) {
- untrusted = certs;
- } else {
- untrusted = bs->certs;
}
ret = ocsp_verify_signer(signer, 1, st, flags, untrusted, &chain);
if (ret <= 0)
diff --git a/crypto/pkcs12/p12_kiss.c b/crypto/pkcs12/p12_kiss.c
index 9b2e8a55c5..140a690cbb 100644
--- a/crypto/pkcs12/p12_kiss.c
+++ b/crypto/pkcs12/p12_kiss.c
@@ -10,7 +10,7 @@
#include <stdio.h>
#include "internal/cryptlib.h"
#include <openssl/pkcs12.h>
-#include "crypto/x509.h" /* for X509_add_cert_new() */
+#include "crypto/x509.h" /* for ossl_x509_add_cert_new() */
/* Simplified PKCS#12 routines */
@@ -104,7 +104,7 @@ int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert,
}
if (ca != NULL) {
- if (!X509_add_cert_new(ca, x, X509_ADD_FLAG_DEFAULT))
+ if (!ossl_x509_add_cert_new(ca, x, X509_ADD_FLAG_DEFAULT))
goto err;
continue;
}
diff --git a/crypto/pkcs7/pk7_lib.c b/crypto/pkcs7/pk7_lib.c
index baecff28fa..95aab3368a 100644
--- a/crypto/pkcs7/pk7_lib.c
+++ b/crypto/pkcs7/pk7_lib.c
@@ -257,7 +257,7 @@ int PKCS7_add_certificate(PKCS7 *p7, X509 *x509)
return 0;
}
- return X509_add_cert_new(sk, x509, X509_ADD_FLAG_UP_REF);
+ return ossl_x509_add_cert_new(sk, x509, X509_ADD_FLAG_UP_REF);
}
int PKCS7_add_crl(PKCS7 *p7, X509_CRL *crl)
diff --git a/crypto/x509/x509_cmp.c b/crypto/x509/x509_cmp.c
index a74311e92d..c29fe3cc5f 100644
--- a/crypto/x509/x509_cmp.c
+++ b/crypto/x509/x509_cmp.c
@@ -175,14 +175,14 @@ int X509_cmp(const X509 *a, const X509 *b)
return rv < 0 ? -1 : rv > 0;
}
-int X509_add_cert_new(STACK_OF(X509) **sk, X509 *cert, int flags)
+int ossl_x509_add_cert_new(STACK_OF(X509) **p_sk, X509 *cert, int flags)
{
- if (*sk == NULL
- && (*sk = sk_X509_new_null()) == NULL) {
+ if (*p_sk == NULL
+ && (*p_sk = sk_X509_new_null()) == NULL) {
ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE);
return 0;
}
- return X509_add_cert(*sk, cert, flags);
+ return X509_add_cert(*p_sk, cert, flags);
}
int X509_add_cert(STACK_OF(X509) *sk, X509 *cert, int flags)
@@ -218,14 +218,25 @@ int X509_add_cert(STACK_OF(X509) *sk, X509 *cert, int flags)
int X509_add_certs(STACK_OF(X509) *sk, STACK_OF(X509) *certs, int flags)
/* compiler would allow 'const' for the list of certs, yet they are up-ref'ed */
{
- int n = sk_X509_num(certs); /* certs may be NULL */
+ if (sk == NULL) {
+ ERR_raise(ERR_LIB_X509, ERR_R_PASSED_NULL_PARAMETER);
+ return 0;
+ }
+ return ossl_x509_add_certs_new(&sk, certs, flags);
+}
+
+int ossl_x509_add_certs_new(STACK_OF(X509) **p_sk, STACK_OF(X509) *certs,
+ int flags)
+/* compiler would allow 'const' for the list of certs, yet they are up-ref'ed */
+{
+ int n = sk_X509_num(certs /* may be NULL */);
int i;
for (i = 0; i < n; i++) {
int j = (flags & X509_ADD_FLAG_PREPEND) == 0 ? i : n - 1 - i;
/* if prepend, add certs in reverse order to keep original order */
- if (!X509_add_cert(sk, sk_X509_value(certs, j), flags))
+ if (!ossl_x509_add_cert_new(p_sk, sk_X509_value(certs, j), flags))
return 0;
}
return 1;
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 83dddeeb3d..f4f78eec9d 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -281,7 +281,7 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
return -1;
}
- if (!X509_add_cert_new(&ctx->chain, ctx->cert, X509_ADD_FLAG_UP_REF)) {
+ if (!ossl_x509_add_cert_new(&ctx->chain, ctx->cert, X509_ADD_FLAG_UP_REF)) {
ctx->error = X509_V_ERR_OUT_OF_MEM;
return -1;
}
diff --git a/include/crypto/x509.h b/include/crypto/x509.h
index 93cb814017..809f6e328e 100644
--- a/include/crypto/x509.h
+++ b/include/crypto/x509.h
@@ -318,7 +318,9 @@ int x509_init_sig_info(X509 *x);
int asn1_item_digest_ex(const ASN1_ITEM *it, const EVP_MD *type, void *data,
unsigned char *md, unsigned int *len,
OSSL_LIB_CTX *libctx, const char *propq);
-int X509_add_cert_new(STACK_OF(X509) **sk, X509 *cert, int flags);
+int ossl_x509_add_cert_new(STACK_OF(X509) **sk, X509 *cert, int flags);
+int ossl_x509_add_certs_new(STACK_OF(X509) **p_sk, STACK_OF(X509) *certs,
+ int flags);
int X509_PUBKEY_get0_libctx(OSSL_LIB_CTX **plibctx, const char **ppropq,
const X509_PUBKEY *key);
diff --git a/test/helpers/cmp_testlib.h b/test/helpers/cmp_testlib.h
index cb881465bc..681b06ae22 100644
--- a/test/helpers/cmp_testlib.h
+++ b/test/helpers/cmp_testlib.h
@@ -15,7 +15,6 @@
# include <openssl/cmp.h>
# include <openssl/pem.h>
# include <openssl/rand.h>
-# include "crypto/x509.h" /* for x509_set0_libctx() and x509_dup_ex() */
# include "../../crypto/cmp/cmp_local.h"
# include "../testutil.h"
More information about the openssl-commits
mailing list