import OpenSSL-1.0.1c

author: djm <> 2012-10-13 21:23:50 +0000
committer: djm <> 2012-10-13 21:23:50 +0000
commit: 228cae30b117c2493f69ad3c195341cd6ec8d430 (patch)
tree: 29ff00b10d52c0978077c4fd83c33b065bade73e /src/lib/libcrypto/asn1/a_verify.c
parent: 731838c66b52c0ae5888333005b74115a620aa96 (diff)
download: openbsd-228cae30b117c2493f69ad3c195341cd6ec8d430.tar.gz
openbsd-228cae30b117c2493f69ad3c195341cd6ec8d430.tar.bz2
openbsd-228cae30b117c2493f69ad3c195341cd6ec8d430.zip
1 files changed, 54 insertions, 23 deletions
diff --git a/src/lib/libcrypto/asn1/a_verify.c b/src/lib/libcrypto/asn1/a_verify.c
index cecdb13c70..432722e409 100644
--- a/src/lib/libcrypto/asn1/a_verify.c
+++ b/src/lib/libcrypto/asn1/a_verify.c
@@ -101,8 +101,13 @@ int ASN1_verify(i2d_of_void *i2d, X509_ALGOR *a, ASN1_BIT_STRING *signature,
        p=buf_in;
        i2d(data,&p);
-        EVP_VerifyInit_ex(&ctx,type, NULL);
+        if (!EVP_VerifyInit_ex(&ctx,type, NULL)
-        EVP_VerifyUpdate(&ctx,(unsigned char *)buf_in,inl);
+                || !EVP_VerifyUpdate(&ctx,(unsigned char *)buf_in,inl))
+                {
+                ASN1err(ASN1_F_ASN1_VERIFY,ERR_R_EVP_LIB);
+                ret=0;
+                goto err;
+                }
        OPENSSL_cleanse(buf_in,(unsigned int)inl);
        OPENSSL_free(buf_in);
@@ -126,11 +131,10 @@ err:
 #endif
-int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a, ASN1_BIT_STRING *signature,
+int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a,
-             void *asn, EVP_PKEY *pkey)
+                ASN1_BIT_STRING *signature, void *asn, EVP_PKEY *pkey)
        {
        EVP_MD_CTX ctx;
-        const EVP_MD *type = NULL;
        unsigned char *buf_in=NULL;
        int ret= -1,inl;
@@ -144,25 +148,47 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a, ASN1_BIT_STRING *signat
                ASN1err(ASN1_F_ASN1_ITEM_VERIFY,ASN1_R_UNKNOWN_SIGNATURE_ALGORITHM);
                goto err;
                }
-        type=EVP_get_digestbynid(mdnid);
+        if (mdnid == NID_undef)
-        if (type == NULL)
                {
-                ASN1err(ASN1_F_ASN1_ITEM_VERIFY,ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM);
+                if (!pkey->ameth || !pkey->ameth->item_verify)
-                goto err;
+                        {
+                        ASN1err(ASN1_F_ASN1_ITEM_VERIFY,ASN1_R_UNKNOWN_SIGNATURE_ALGORITHM);
+                        goto err;
+                        }
+                ret = pkey->ameth->item_verify(&ctx, it, asn, a,
+                                                        signature, pkey);
+                /* Return value of 2 means carry on, anything else means we
+                 * exit straight away: either a fatal error of the underlying
+                 * verification routine handles all verification.
+                 */
+                if (ret != 2)
+                        goto err;
+                ret = -1;
                }
+        else
-        /* Check public key OID matches public key type */
-        if (EVP_PKEY_type(pknid) != pkey->ameth->pkey_id)
                {
-                ASN1err(ASN1_F_ASN1_ITEM_VERIFY,ASN1_R_WRONG_PUBLIC_KEY_TYPE);
+                const EVP_MD *type;
-                goto err;
+                type=EVP_get_digestbynid(mdnid);
-                }
+                if (type == NULL)
+                        {
+                        ASN1err(ASN1_F_ASN1_ITEM_VERIFY,ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM);
+                        goto err;
+                        }
+                /* Check public key OID matches public key type */
+                if (EVP_PKEY_type(pknid) != pkey->ameth->pkey_id)
+                        {
+                        ASN1err(ASN1_F_ASN1_ITEM_VERIFY,ASN1_R_WRONG_PUBLIC_KEY_TYPE);
+                        goto err;
+                        }
+                if (!EVP_DigestVerifyInit(&ctx, NULL, type, NULL, pkey))
+                        {
+                        ASN1err(ASN1_F_ASN1_ITEM_VERIFY,ERR_R_EVP_LIB);
+                        ret=0;
+                        goto err;
+                        }
-        if (!EVP_VerifyInit_ex(&ctx,type, NULL))
-                {
-                ASN1err(ASN1_F_ASN1_ITEM_VERIFY,ERR_R_EVP_LIB);
-                ret=0;
-                goto err;
                }
        inl = ASN1_item_i2d(asn, &buf_in, it);
@@ -173,13 +199,18 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a, ASN1_BIT_STRING *signat
                goto err;
                }
-        EVP_VerifyUpdate(&ctx,(unsigned char *)buf_in,inl);
+        if (!EVP_DigestVerifyUpdate(&ctx,buf_in,inl))
+                {
+                ASN1err(ASN1_F_ASN1_ITEM_VERIFY,ERR_R_EVP_LIB);
+                ret=0;
+                goto err;
+                }
        OPENSSL_cleanse(buf_in,(unsigned int)inl);
        OPENSSL_free(buf_in);
-        if (EVP_VerifyFinal(&ctx,(unsigned char *)signature->data,
+        if (EVP_DigestVerifyFinal(&ctx,signature->data,
-                        (unsigned int)signature->length,pkey) <= 0)
+                        (size_t)signature->length) <= 0)
                {
                ASN1err(ASN1_F_ASN1_ITEM_VERIFY,ERR_R_EVP_LIB);
                ret=0;
author	djm <>	2012-10-13 21:23:50 +0000
committer	djm <>	2012-10-13 21:23:50 +0000
commit	228cae30b117c2493f69ad3c195341cd6ec8d430 (patch)
tree	29ff00b10d52c0978077c4fd83c33b065bade73e /src/lib/libcrypto/asn1/a_verify.c
parent	731838c66b52c0ae5888333005b74115a620aa96 (diff)
download	openbsd-228cae30b117c2493f69ad3c195341cd6ec8d430.tar.gz openbsd-228cae30b117c2493f69ad3c195341cd6ec8d430.tar.bz2 openbsd-228cae30b117c2493f69ad3c195341cd6ec8d430.zip

diff --git a/src/lib/libcrypto/asn1/a_verify.c b/src/lib/libcrypto/asn1/a_verify.c index cecdb13c70..432722e409 100644 --- a/src/lib/libcrypto/asn1/a_verify.c +++ b/src/lib/libcrypto/asn1/a_verify.c
@@ -101,8 +101,13 @@ int ASN1_verify(i2d_of_void i2d, X509_ALGOR a, ASN1_BIT_STRING *signature,
101	p=buf_in;	101	p=buf_in;
102		102
103	i2d(data,&p);	103	i2d(data,&p);
104	EVP_VerifyInit_ex(&ctx,type, NULL);	104	if (!EVP_VerifyInit_ex(&ctx,type, NULL)
105	EVP_VerifyUpdate(&ctx,(unsigned char *)buf_in,inl);	105	\|\| !EVP_VerifyUpdate(&ctx,(unsigned char *)buf_in,inl))
		106	{
		107	ASN1err(ASN1_F_ASN1_VERIFY,ERR_R_EVP_LIB);
		108	ret=0;
		109	goto err;
		110	}
106		111
107	OPENSSL_cleanse(buf_in,(unsigned int)inl);	112	OPENSSL_cleanse(buf_in,(unsigned int)inl);
108	OPENSSL_free(buf_in);	113	OPENSSL_free(buf_in);
@@ -126,11 +131,10 @@ err:
126	#endif	131	#endif
127		132
128		133
129	int ASN1_item_verify(const ASN1_ITEM it, X509_ALGOR a, ASN1_BIT_STRING *signature,	134	int ASN1_item_verify(const ASN1_ITEM it, X509_ALGOR a,
130	void asn, EVP_PKEY pkey)	135	ASN1_BIT_STRING signature, void asn, EVP_PKEY *pkey)
131	{	136	{
132	EVP_MD_CTX ctx;	137	EVP_MD_CTX ctx;
133	const EVP_MD *type = NULL;
134	unsigned char *buf_in=NULL;	138	unsigned char *buf_in=NULL;
135	int ret= -1,inl;	139	int ret= -1,inl;
136		140
@@ -144,25 +148,47 @@ int ASN1_item_verify(const ASN1_ITEM it, X509_ALGOR a, ASN1_BIT_STRING *signat
144	ASN1err(ASN1_F_ASN1_ITEM_VERIFY,ASN1_R_UNKNOWN_SIGNATURE_ALGORITHM);	148	ASN1err(ASN1_F_ASN1_ITEM_VERIFY,ASN1_R_UNKNOWN_SIGNATURE_ALGORITHM);
145	goto err;	149	goto err;
146	}	150	}
147	type=EVP_get_digestbynid(mdnid);	151	if (mdnid == NID_undef)
148	if (type == NULL)
149	{	152	{
150	ASN1err(ASN1_F_ASN1_ITEM_VERIFY,ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM);	153	if (!pkey->ameth \|\| !pkey->ameth->item_verify)
151	goto err;	154	{
		155	ASN1err(ASN1_F_ASN1_ITEM_VERIFY,ASN1_R_UNKNOWN_SIGNATURE_ALGORITHM);
		156	goto err;
		157	}
		158	ret = pkey->ameth->item_verify(&ctx, it, asn, a,
		159	signature, pkey);
		160	/* Return value of 2 means carry on, anything else means we
		161	* exit straight away: either a fatal error of the underlying
		162	* verification routine handles all verification.
		163	*/
		164	if (ret != 2)
		165	goto err;
		166	ret = -1;
152	}	167	}
153		168	else
154	/* Check public key OID matches public key type */
155	if (EVP_PKEY_type(pknid) != pkey->ameth->pkey_id)
156	{	169	{
157	ASN1err(ASN1_F_ASN1_ITEM_VERIFY,ASN1_R_WRONG_PUBLIC_KEY_TYPE);	170	const EVP_MD *type;
158	goto err;	171	type=EVP_get_digestbynid(mdnid);
159	}	172	if (type == NULL)
		173	{
		174	ASN1err(ASN1_F_ASN1_ITEM_VERIFY,ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM);
		175	goto err;
		176	}
		177
		178	/* Check public key OID matches public key type */
		179	if (EVP_PKEY_type(pknid) != pkey->ameth->pkey_id)
		180	{
		181	ASN1err(ASN1_F_ASN1_ITEM_VERIFY,ASN1_R_WRONG_PUBLIC_KEY_TYPE);
		182	goto err;
		183	}
		184
		185	if (!EVP_DigestVerifyInit(&ctx, NULL, type, NULL, pkey))
		186	{
		187	ASN1err(ASN1_F_ASN1_ITEM_VERIFY,ERR_R_EVP_LIB);
		188	ret=0;
		189	goto err;
		190	}
160		191
161	if (!EVP_VerifyInit_ex(&ctx,type, NULL))
162	{
163	ASN1err(ASN1_F_ASN1_ITEM_VERIFY,ERR_R_EVP_LIB);
164	ret=0;
165	goto err;
166	}	192	}
167		193
168	inl = ASN1_item_i2d(asn, &buf_in, it);	194	inl = ASN1_item_i2d(asn, &buf_in, it);
@@ -173,13 +199,18 @@ int ASN1_item_verify(const ASN1_ITEM it, X509_ALGOR a, ASN1_BIT_STRING *signat
173	goto err;	199	goto err;
174	}	200	}
175		201
176	EVP_VerifyUpdate(&ctx,(unsigned char *)buf_in,inl);	202	if (!EVP_DigestVerifyUpdate(&ctx,buf_in,inl))
		203	{
		204	ASN1err(ASN1_F_ASN1_ITEM_VERIFY,ERR_R_EVP_LIB);
		205	ret=0;
		206	goto err;
		207	}
177		208
178	OPENSSL_cleanse(buf_in,(unsigned int)inl);	209	OPENSSL_cleanse(buf_in,(unsigned int)inl);
179	OPENSSL_free(buf_in);	210	OPENSSL_free(buf_in);
180		211
181	if (EVP_VerifyFinal(&ctx,(unsigned char *)signature->data,	212	if (EVP_DigestVerifyFinal(&ctx,signature->data,
182	(unsigned int)signature->length,pkey) <= 0)	213	(size_t)signature->length) <= 0)
183	{	214	{
184	ASN1err(ASN1_F_ASN1_ITEM_VERIFY,ERR_R_EVP_LIB);	215	ASN1err(ASN1_F_ASN1_ITEM_VERIFY,ERR_R_EVP_LIB);
185	ret=0;	216	ret=0;