summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/pkcs7/pk7_doit.c
diff options
context:
space:
mode:
authorjsing <>2014-06-29 17:05:36 +0000
committerjsing <>2014-06-29 17:05:36 +0000
commit27b7b9b8fab110ef186831220c8eda6eee8f63f0 (patch)
treea4b77bc415a0ed73aa4cc548cf42bb540b90de9d /src/lib/libcrypto/pkcs7/pk7_doit.c
parent9d44d3784f281c21a4fc03e18b10241744da5af5 (diff)
downloadopenbsd-27b7b9b8fab110ef186831220c8eda6eee8f63f0.tar.gz
openbsd-27b7b9b8fab110ef186831220c8eda6eee8f63f0.tar.bz2
openbsd-27b7b9b8fab110ef186831220c8eda6eee8f63f0.zip
KNF.
I just spent too long chasing a bug in here and really should have done this first. Gem of the day... is it an if test or a for loop? No, it is a super ifloop! if (!(flags & PKCS7_NOVERIFY)) for (k = 0; k < sk_X509_num(signers); k++) {
Diffstat (limited to 'src/lib/libcrypto/pkcs7/pk7_doit.c')
-rw-r--r--src/lib/libcrypto/pkcs7/pk7_doit.c1186
1 files changed, 565 insertions, 621 deletions
diff --git a/src/lib/libcrypto/pkcs7/pk7_doit.c b/src/lib/libcrypto/pkcs7/pk7_doit.c
index 5d85f6e124..46f9c2b8c6 100644
--- a/src/lib/libcrypto/pkcs7/pk7_doit.c
+++ b/src/lib/libcrypto/pkcs7/pk7_doit.c
@@ -1,25 +1,25 @@
1/* $OpenBSD: pk7_doit.c,v 1.22 2014/06/12 15:49:30 deraadt Exp $ */ 1/* $OpenBSD: pk7_doit.c,v 1.23 2014/06/29 17:05:36 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
5 * This package is an SSL implementation written 5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com). 6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL. 7 * The implementation was written so as to conform with Netscapes SSL.
8 * 8 *
9 * This library is free for commercial and non-commercial use as long as 9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions 10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA, 11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms 13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 * 15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in 16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed. 17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution 18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used. 19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or 20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package. 21 * in documentation (online or textual) provided with the package.
22 * 22 *
23 * Redistribution and use in source and binary forms, with or without 23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions 24 * modification, are permitted provided that the following conditions
25 * are met: 25 * are met:
@@ -34,10 +34,10 @@
34 * Eric Young (eay@cryptsoft.com)" 34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library 35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-). 36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from 37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement: 38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 * 40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -49,7 +49,7 @@
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE. 51 * SUCH DAMAGE.
52 * 52 *
53 * The licence and distribution terms for any publically available version or 53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be 54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence 55 * copied and put under another distribution licence
@@ -65,82 +65,82 @@
65#include <openssl/err.h> 65#include <openssl/err.h>
66 66
67static int add_attribute(STACK_OF(X509_ATTRIBUTE) **sk, int nid, int atrtype, 67static int add_attribute(STACK_OF(X509_ATTRIBUTE) **sk, int nid, int atrtype,
68 void *value); 68 void *value);
69static ASN1_TYPE *get_attribute(STACK_OF(X509_ATTRIBUTE) *sk, int nid); 69static ASN1_TYPE *get_attribute(STACK_OF(X509_ATTRIBUTE) *sk, int nid);
70 70
71static int PKCS7_type_is_other(PKCS7* p7) 71static int
72 { 72PKCS7_type_is_other(PKCS7* p7)
73 int isOther=1; 73{
74 74 int isOther = 1;
75 int nid=OBJ_obj2nid(p7->type); 75
76 int nid = OBJ_obj2nid(p7->type);
76 77
77 switch( nid ) 78 switch (nid ) {
78 {
79 case NID_pkcs7_data: 79 case NID_pkcs7_data:
80 case NID_pkcs7_signed: 80 case NID_pkcs7_signed:
81 case NID_pkcs7_enveloped: 81 case NID_pkcs7_enveloped:
82 case NID_pkcs7_signedAndEnveloped: 82 case NID_pkcs7_signedAndEnveloped:
83 case NID_pkcs7_digest: 83 case NID_pkcs7_digest:
84 case NID_pkcs7_encrypted: 84 case NID_pkcs7_encrypted:
85 isOther=0; 85 isOther = 0;
86 break; 86 break;
87 default: 87 default:
88 isOther=1; 88 isOther = 1;
89 } 89 }
90 90
91 return isOther; 91 return isOther;
92 92
93 } 93}
94 94
95static ASN1_OCTET_STRING *PKCS7_get_octet_string(PKCS7 *p7) 95static ASN1_OCTET_STRING *
96 { 96PKCS7_get_octet_string(PKCS7 *p7)
97 if ( PKCS7_type_is_data(p7)) 97{
98 if (PKCS7_type_is_data(p7))
98 return p7->d.data; 99 return p7->d.data;
99 if ( PKCS7_type_is_other(p7) && p7->d.other 100 if (PKCS7_type_is_other(p7) && p7->d.other &&
100 && (p7->d.other->type == V_ASN1_OCTET_STRING)) 101 (p7->d.other->type == V_ASN1_OCTET_STRING))
101 return p7->d.other->value.octet_string; 102 return p7->d.other->value.octet_string;
102 return NULL; 103 return NULL;
103 } 104}
104 105
105static int PKCS7_bio_add_digest(BIO **pbio, X509_ALGOR *alg) 106static int
106 { 107PKCS7_bio_add_digest(BIO **pbio, X509_ALGOR *alg)
108{
107 BIO *btmp; 109 BIO *btmp;
108 const EVP_MD *md; 110 const EVP_MD *md;
109 if ((btmp=BIO_new(BIO_f_md())) == NULL) 111 if ((btmp = BIO_new(BIO_f_md())) == NULL) {
110 { 112 PKCS7err(PKCS7_F_PKCS7_BIO_ADD_DIGEST, ERR_R_BIO_LIB);
111 PKCS7err(PKCS7_F_PKCS7_BIO_ADD_DIGEST,ERR_R_BIO_LIB);
112 goto err; 113 goto err;
113 } 114 }
114 115
115 md=EVP_get_digestbyobj(alg->algorithm); 116 md = EVP_get_digestbyobj(alg->algorithm);
116 if (md == NULL) 117 if (md == NULL) {
117 { 118 PKCS7err(PKCS7_F_PKCS7_BIO_ADD_DIGEST,
118 PKCS7err(PKCS7_F_PKCS7_BIO_ADD_DIGEST,PKCS7_R_UNKNOWN_DIGEST_TYPE); 119 PKCS7_R_UNKNOWN_DIGEST_TYPE);
119 goto err; 120 goto err;
120 } 121 }
121 122
122 BIO_set_md(btmp,md); 123 BIO_set_md(btmp, md);
123 if (*pbio == NULL) 124 if (*pbio == NULL)
124 *pbio=btmp; 125 *pbio = btmp;
125 else if (!BIO_push(*pbio,btmp)) 126 else if (!BIO_push(*pbio, btmp)) {
126 { 127 PKCS7err(PKCS7_F_PKCS7_BIO_ADD_DIGEST, ERR_R_BIO_LIB);
127 PKCS7err(PKCS7_F_PKCS7_BIO_ADD_DIGEST,ERR_R_BIO_LIB);
128 goto err; 128 goto err;
129 } 129 }
130 btmp=NULL; 130 btmp = NULL;
131 131
132 return 1; 132 return 1;
133 133
134 err: 134err:
135 if (btmp) 135 if (btmp)
136 BIO_free(btmp); 136 BIO_free(btmp);
137 return 0; 137 return 0;
138 138
139 } 139}
140 140
141static int pkcs7_encode_rinfo(PKCS7_RECIP_INFO *ri, 141static int
142 unsigned char *key, int keylen) 142pkcs7_encode_rinfo(PKCS7_RECIP_INFO *ri, unsigned char *key, int keylen)
143 { 143{
144 EVP_PKEY_CTX *pctx = NULL; 144 EVP_PKEY_CTX *pctx = NULL;
145 EVP_PKEY *pkey = NULL; 145 EVP_PKEY *pkey = NULL;
146 unsigned char *ek = NULL; 146 unsigned char *ek = NULL;
@@ -148,7 +148,6 @@ static int pkcs7_encode_rinfo(PKCS7_RECIP_INFO *ri,
148 size_t eklen; 148 size_t eklen;
149 149
150 pkey = X509_get_pubkey(ri->cert); 150 pkey = X509_get_pubkey(ri->cert);
151
152 if (!pkey) 151 if (!pkey)
153 return 0; 152 return 0;
154 153
@@ -160,22 +159,20 @@ static int pkcs7_encode_rinfo(PKCS7_RECIP_INFO *ri,
160 goto err; 159 goto err;
161 160
162 if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_ENCRYPT, 161 if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_ENCRYPT,
163 EVP_PKEY_CTRL_PKCS7_ENCRYPT, 0, ri) <= 0) 162 EVP_PKEY_CTRL_PKCS7_ENCRYPT, 0, ri) <= 0) {
164 {
165 PKCS7err(PKCS7_F_PKCS7_ENCODE_RINFO, PKCS7_R_CTRL_ERROR); 163 PKCS7err(PKCS7_F_PKCS7_ENCODE_RINFO, PKCS7_R_CTRL_ERROR);
166 goto err; 164 goto err;
167 } 165 }
168 166
169 if (EVP_PKEY_encrypt(pctx, NULL, &eklen, key, keylen) <= 0) 167 if (EVP_PKEY_encrypt(pctx, NULL, &eklen, key, keylen) <= 0)
170 goto err; 168 goto err;
171 169
172 ek = malloc(eklen); 170 ek = malloc(eklen);
173 171
174 if (ek == NULL) 172 if (ek == NULL) {
175 {
176 PKCS7err(PKCS7_F_PKCS7_ENCODE_RINFO, ERR_R_MALLOC_FAILURE); 173 PKCS7err(PKCS7_F_PKCS7_ENCODE_RINFO, ERR_R_MALLOC_FAILURE);
177 goto err; 174 goto err;
178 } 175 }
179 176
180 if (EVP_PKEY_encrypt(pctx, ek, &eklen, key, keylen) <= 0) 177 if (EVP_PKEY_encrypt(pctx, ek, &eklen, key, keylen) <= 0)
181 goto err; 178 goto err;
@@ -185,20 +182,20 @@ static int pkcs7_encode_rinfo(PKCS7_RECIP_INFO *ri,
185 182
186 ret = 1; 183 ret = 1;
187 184
188 err: 185err:
189 if (pkey) 186 if (pkey)
190 EVP_PKEY_free(pkey); 187 EVP_PKEY_free(pkey);
191 if (pctx) 188 if (pctx)
192 EVP_PKEY_CTX_free(pctx); 189 EVP_PKEY_CTX_free(pctx);
193 free(ek); 190 free(ek);
194 return ret; 191 return ret;
195 192}
196 }
197 193
198 194
199static int pkcs7_decrypt_rinfo(unsigned char **pek, int *peklen, 195static int
200 PKCS7_RECIP_INFO *ri, EVP_PKEY *pkey) 196pkcs7_decrypt_rinfo(unsigned char **pek, int *peklen, PKCS7_RECIP_INFO *ri,
201 { 197 EVP_PKEY *pkey)
198{
202 EVP_PKEY_CTX *pctx = NULL; 199 EVP_PKEY_CTX *pctx = NULL;
203 unsigned char *ek = NULL; 200 unsigned char *ek = NULL;
204 size_t eklen; 201 size_t eklen;
@@ -213,95 +210,88 @@ static int pkcs7_decrypt_rinfo(unsigned char **pek, int *peklen,
213 goto err; 210 goto err;
214 211
215 if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_DECRYPT, 212 if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_DECRYPT,
216 EVP_PKEY_CTRL_PKCS7_DECRYPT, 0, ri) <= 0) 213 EVP_PKEY_CTRL_PKCS7_DECRYPT, 0, ri) <= 0) {
217 {
218 PKCS7err(PKCS7_F_PKCS7_DECRYPT_RINFO, PKCS7_R_CTRL_ERROR); 214 PKCS7err(PKCS7_F_PKCS7_DECRYPT_RINFO, PKCS7_R_CTRL_ERROR);
219 goto err; 215 goto err;
220 } 216 }
221 217
222 if (EVP_PKEY_decrypt(pctx, NULL, &eklen, 218 if (EVP_PKEY_decrypt(pctx, NULL, &eklen,
223 ri->enc_key->data, ri->enc_key->length) <= 0) 219 ri->enc_key->data, ri->enc_key->length) <= 0)
224 goto err; 220 goto err;
225 221
226 ek = malloc(eklen); 222 ek = malloc(eklen);
227 223 if (ek == NULL) {
228 if (ek == NULL)
229 {
230 PKCS7err(PKCS7_F_PKCS7_DECRYPT_RINFO, ERR_R_MALLOC_FAILURE); 224 PKCS7err(PKCS7_F_PKCS7_DECRYPT_RINFO, ERR_R_MALLOC_FAILURE);
231 goto err; 225 goto err;
232 } 226 }
233 227
234 if (EVP_PKEY_decrypt(pctx, ek, &eklen, 228 if (EVP_PKEY_decrypt(pctx, ek, &eklen,
235 ri->enc_key->data, ri->enc_key->length) <= 0) 229 ri->enc_key->data, ri->enc_key->length) <= 0) {
236 {
237 ret = 0; 230 ret = 0;
238 PKCS7err(PKCS7_F_PKCS7_DECRYPT_RINFO, ERR_R_EVP_LIB); 231 PKCS7err(PKCS7_F_PKCS7_DECRYPT_RINFO, ERR_R_EVP_LIB);
239 goto err; 232 goto err;
240 } 233 }
241 234
242 ret = 1; 235 ret = 1;
243 236
244 if (*pek) 237 if (*pek) {
245 {
246 OPENSSL_cleanse(*pek, *peklen); 238 OPENSSL_cleanse(*pek, *peklen);
247 free(*pek); 239 free(*pek);
248 } 240 }
249 241
250 *pek = ek; 242 *pek = ek;
251 *peklen = eklen; 243 *peklen = eklen;
252 244
253 err: 245err:
254 if (pctx) 246 if (pctx)
255 EVP_PKEY_CTX_free(pctx); 247 EVP_PKEY_CTX_free(pctx);
256 if (!ret && ek) 248 if (!ret && ek)
257 free(ek); 249 free(ek);
258 250
259 return ret; 251 return ret;
260 } 252}
261 253
262BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio) 254BIO *
263 { 255PKCS7_dataInit(PKCS7 *p7, BIO *bio)
256{
264 int i; 257 int i;
265 BIO *out=NULL,*btmp=NULL; 258 BIO *out = NULL, *btmp = NULL;
266 X509_ALGOR *xa = NULL; 259 X509_ALGOR *xa = NULL;
267 const EVP_CIPHER *evp_cipher=NULL; 260 const EVP_CIPHER *evp_cipher = NULL;
268 STACK_OF(X509_ALGOR) *md_sk=NULL; 261 STACK_OF(X509_ALGOR) *md_sk = NULL;
269 STACK_OF(PKCS7_RECIP_INFO) *rsk=NULL; 262 STACK_OF(PKCS7_RECIP_INFO) *rsk = NULL;
270 X509_ALGOR *xalg=NULL; 263 X509_ALGOR *xalg = NULL;
271 PKCS7_RECIP_INFO *ri=NULL; 264 PKCS7_RECIP_INFO *ri = NULL;
272 ASN1_OCTET_STRING *os=NULL; 265 ASN1_OCTET_STRING *os = NULL;
273 266
274 i=OBJ_obj2nid(p7->type); 267 i = OBJ_obj2nid(p7->type);
275 p7->state=PKCS7_S_HEADER; 268 p7->state = PKCS7_S_HEADER;
276 269
277 switch (i) 270 switch (i) {
278 {
279 case NID_pkcs7_signed: 271 case NID_pkcs7_signed:
280 md_sk=p7->d.sign->md_algs; 272 md_sk = p7->d.sign->md_algs;
281 os = PKCS7_get_octet_string(p7->d.sign->contents); 273 os = PKCS7_get_octet_string(p7->d.sign->contents);
282 break; 274 break;
283 case NID_pkcs7_signedAndEnveloped: 275 case NID_pkcs7_signedAndEnveloped:
284 rsk=p7->d.signed_and_enveloped->recipientinfo; 276 rsk = p7->d.signed_and_enveloped->recipientinfo;
285 md_sk=p7->d.signed_and_enveloped->md_algs; 277 md_sk = p7->d.signed_and_enveloped->md_algs;
286 xalg=p7->d.signed_and_enveloped->enc_data->algorithm; 278 xalg = p7->d.signed_and_enveloped->enc_data->algorithm;
287 evp_cipher=p7->d.signed_and_enveloped->enc_data->cipher; 279 evp_cipher = p7->d.signed_and_enveloped->enc_data->cipher;
288 if (evp_cipher == NULL) 280 if (evp_cipher == NULL) {
289 {
290 PKCS7err(PKCS7_F_PKCS7_DATAINIT, 281 PKCS7err(PKCS7_F_PKCS7_DATAINIT,
291 PKCS7_R_CIPHER_NOT_INITIALIZED); 282 PKCS7_R_CIPHER_NOT_INITIALIZED);
292 goto err; 283 goto err;
293 } 284 }
294 break; 285 break;
295 case NID_pkcs7_enveloped: 286 case NID_pkcs7_enveloped:
296 rsk=p7->d.enveloped->recipientinfo; 287 rsk = p7->d.enveloped->recipientinfo;
297 xalg=p7->d.enveloped->enc_data->algorithm; 288 xalg = p7->d.enveloped->enc_data->algorithm;
298 evp_cipher=p7->d.enveloped->enc_data->cipher; 289 evp_cipher = p7->d.enveloped->enc_data->cipher;
299 if (evp_cipher == NULL) 290 if (evp_cipher == NULL) {
300 {
301 PKCS7err(PKCS7_F_PKCS7_DATAINIT, 291 PKCS7err(PKCS7_F_PKCS7_DATAINIT,
302 PKCS7_R_CIPHER_NOT_INITIALIZED); 292 PKCS7_R_CIPHER_NOT_INITIALIZED);
303 goto err; 293 goto err;
304 } 294 }
305 break; 295 break;
306 case NID_pkcs7_digest: 296 case NID_pkcs7_digest:
307 xa = p7->d.digest->md; 297 xa = p7->d.digest->md;
@@ -310,37 +300,37 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio)
310 case NID_pkcs7_data: 300 case NID_pkcs7_data:
311 break; 301 break;
312 default: 302 default:
313 PKCS7err(PKCS7_F_PKCS7_DATAINIT,PKCS7_R_UNSUPPORTED_CONTENT_TYPE); 303 PKCS7err(PKCS7_F_PKCS7_DATAINIT,
314 goto err; 304 PKCS7_R_UNSUPPORTED_CONTENT_TYPE);
315 } 305 goto err;
306 }
316 307
317 for (i=0; i<sk_X509_ALGOR_num(md_sk); i++) 308 for (i = 0; i < sk_X509_ALGOR_num(md_sk); i++)
318 if (!PKCS7_bio_add_digest(&out, sk_X509_ALGOR_value(md_sk, i))) 309 if (!PKCS7_bio_add_digest(&out, sk_X509_ALGOR_value(md_sk, i)))
319 goto err; 310 goto err;
320 311
321 if (xa && !PKCS7_bio_add_digest(&out, xa)) 312 if (xa && !PKCS7_bio_add_digest(&out, xa))
322 goto err; 313 goto err;
323 314
324 if (evp_cipher != NULL) 315 if (evp_cipher != NULL) {
325 {
326 unsigned char key[EVP_MAX_KEY_LENGTH]; 316 unsigned char key[EVP_MAX_KEY_LENGTH];
327 unsigned char iv[EVP_MAX_IV_LENGTH]; 317 unsigned char iv[EVP_MAX_IV_LENGTH];
328 int keylen,ivlen; 318 int keylen, ivlen;
329 EVP_CIPHER_CTX *ctx; 319 EVP_CIPHER_CTX *ctx;
330 320
331 if ((btmp=BIO_new(BIO_f_cipher())) == NULL) 321 if ((btmp = BIO_new(BIO_f_cipher())) == NULL) {
332 { 322 PKCS7err(PKCS7_F_PKCS7_DATAINIT, ERR_R_BIO_LIB);
333 PKCS7err(PKCS7_F_PKCS7_DATAINIT,ERR_R_BIO_LIB);
334 goto err; 323 goto err;
335 } 324 }
336 BIO_get_cipher_ctx(btmp, &ctx); 325 BIO_get_cipher_ctx(btmp, &ctx);
337 keylen=EVP_CIPHER_key_length(evp_cipher); 326 keylen = EVP_CIPHER_key_length(evp_cipher);
338 ivlen=EVP_CIPHER_iv_length(evp_cipher); 327 ivlen = EVP_CIPHER_iv_length(evp_cipher);
339 xalg->algorithm = OBJ_nid2obj(EVP_CIPHER_type(evp_cipher)); 328 xalg->algorithm = OBJ_nid2obj(EVP_CIPHER_type(evp_cipher));
340 if (ivlen > 0) 329 if (ivlen > 0)
341 if (RAND_pseudo_bytes(iv,ivlen) <= 0) 330 if (RAND_pseudo_bytes(iv, ivlen) <= 0)
342 goto err; 331 goto err;
343 if (EVP_CipherInit_ex(ctx, evp_cipher, NULL, NULL, NULL, 1)<=0) 332 if (EVP_CipherInit_ex(ctx, evp_cipher, NULL, NULL,
333 NULL, 1) <= 0)
344 goto err; 334 goto err;
345 if (EVP_CIPHER_CTX_rand_key(ctx, key) <= 0) 335 if (EVP_CIPHER_CTX_rand_key(ctx, key) <= 0)
346 goto err; 336 goto err;
@@ -353,167 +343,162 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio)
353 if (xalg->parameter == NULL) 343 if (xalg->parameter == NULL)
354 goto err; 344 goto err;
355 } 345 }
356 if(EVP_CIPHER_param_to_asn1(ctx, xalg->parameter) < 0) 346 if (EVP_CIPHER_param_to_asn1(ctx, xalg->parameter) < 0)
357 goto err; 347 goto err;
358 } 348 }
359 349
360 /* Lets do the pub key stuff :-) */ 350 /* Lets do the pub key stuff :-) */
361 for (i=0; i<sk_PKCS7_RECIP_INFO_num(rsk); i++) 351 for (i = 0; i < sk_PKCS7_RECIP_INFO_num(rsk); i++) {
362 { 352 ri = sk_PKCS7_RECIP_INFO_value(rsk, i);
363 ri=sk_PKCS7_RECIP_INFO_value(rsk,i);
364 if (pkcs7_encode_rinfo(ri, key, keylen) <= 0) 353 if (pkcs7_encode_rinfo(ri, key, keylen) <= 0)
365 goto err; 354 goto err;
366 } 355 }
367 OPENSSL_cleanse(key, keylen); 356 OPENSSL_cleanse(key, keylen);
368 357
369 if (out == NULL) 358 if (out == NULL)
370 out=btmp; 359 out = btmp;
371 else 360 else
372 BIO_push(out,btmp); 361 BIO_push(out, btmp);
373 btmp=NULL; 362 btmp = NULL;
374 } 363 }
375 364
376 if (bio == NULL) 365 if (bio == NULL) {
377 {
378 if (PKCS7_is_detached(p7)) 366 if (PKCS7_is_detached(p7))
379 bio=BIO_new(BIO_s_null()); 367 bio = BIO_new(BIO_s_null());
380 else if (os && os->length > 0) 368 else if (os && os->length > 0)
381 bio = BIO_new_mem_buf(os->data, os->length); 369 bio = BIO_new_mem_buf(os->data, os->length);
382 if(bio == NULL) 370 if (bio == NULL) {
383 { 371 bio = BIO_new(BIO_s_mem());
384 bio=BIO_new(BIO_s_mem());
385 if (bio == NULL) 372 if (bio == NULL)
386 goto err; 373 goto err;
387 BIO_set_mem_eof_return(bio,0); 374 BIO_set_mem_eof_return(bio, 0);
388 }
389 } 375 }
376 }
390 if (out) 377 if (out)
391 BIO_push(out,bio); 378 BIO_push(out, bio);
392 else 379 else
393 out = bio; 380 out = bio;
394 bio=NULL; 381 bio = NULL;
395 if (0) 382 if (0) {
396 {
397err: 383err:
398 if (out != NULL) 384 if (out != NULL)
399 BIO_free_all(out); 385 BIO_free_all(out);
400 if (btmp != NULL) 386 if (btmp != NULL)
401 BIO_free_all(btmp); 387 BIO_free_all(btmp);
402 out=NULL; 388 out = NULL;
403 }
404 return(out);
405 } 389 }
390 return (out);
391}
406 392
407static int pkcs7_cmp_ri(PKCS7_RECIP_INFO *ri, X509 *pcert) 393static int
408 { 394pkcs7_cmp_ri(PKCS7_RECIP_INFO *ri, X509 *pcert)
395{
409 int ret; 396 int ret;
397
410 ret = X509_NAME_cmp(ri->issuer_and_serial->issuer, 398 ret = X509_NAME_cmp(ri->issuer_and_serial->issuer,
411 pcert->cert_info->issuer); 399 pcert->cert_info->issuer);
412 if (ret) 400 if (ret)
413 return ret; 401 return ret;
414 return M_ASN1_INTEGER_cmp(pcert->cert_info->serialNumber, 402 return M_ASN1_INTEGER_cmp(pcert->cert_info->serialNumber,
415 ri->issuer_and_serial->serial); 403 ri->issuer_and_serial->serial);
416 } 404}
417 405
418/* int */ 406/* int */
419BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert) 407BIO *
420 { 408PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
421 int i,j; 409{
422 BIO *out=NULL,*btmp=NULL,*etmp=NULL,*bio=NULL; 410 int i, j;
411 BIO *out = NULL, *btmp = NULL, *etmp = NULL, *bio = NULL;
423 X509_ALGOR *xa; 412 X509_ALGOR *xa;
424 ASN1_OCTET_STRING *data_body=NULL; 413 ASN1_OCTET_STRING *data_body = NULL;
425 const EVP_MD *evp_md; 414 const EVP_MD *evp_md;
426 const EVP_CIPHER *evp_cipher=NULL; 415 const EVP_CIPHER *evp_cipher = NULL;
427 EVP_CIPHER_CTX *evp_ctx=NULL; 416 EVP_CIPHER_CTX *evp_ctx = NULL;
428 X509_ALGOR *enc_alg=NULL; 417 X509_ALGOR *enc_alg = NULL;
429 STACK_OF(X509_ALGOR) *md_sk=NULL; 418 STACK_OF(X509_ALGOR) *md_sk = NULL;
430 STACK_OF(PKCS7_RECIP_INFO) *rsk=NULL; 419 STACK_OF(PKCS7_RECIP_INFO) *rsk = NULL;
431 PKCS7_RECIP_INFO *ri=NULL; 420 PKCS7_RECIP_INFO *ri = NULL;
432 unsigned char *ek = NULL, *tkey = NULL; 421 unsigned char *ek = NULL, *tkey = NULL;
433 int eklen = 0, tkeylen = 0; 422 int eklen = 0, tkeylen = 0;
434 423
435 i=OBJ_obj2nid(p7->type); 424 i = OBJ_obj2nid(p7->type);
436 p7->state=PKCS7_S_HEADER; 425 p7->state = PKCS7_S_HEADER;
437 426
438 switch (i) 427 switch (i) {
439 {
440 case NID_pkcs7_signed: 428 case NID_pkcs7_signed:
441 data_body=PKCS7_get_octet_string(p7->d.sign->contents); 429 data_body = PKCS7_get_octet_string(p7->d.sign->contents);
442 md_sk=p7->d.sign->md_algs; 430 md_sk = p7->d.sign->md_algs;
443 break; 431 break;
444 case NID_pkcs7_signedAndEnveloped: 432 case NID_pkcs7_signedAndEnveloped:
445 rsk=p7->d.signed_and_enveloped->recipientinfo; 433 rsk = p7->d.signed_and_enveloped->recipientinfo;
446 md_sk=p7->d.signed_and_enveloped->md_algs; 434 md_sk = p7->d.signed_and_enveloped->md_algs;
447 data_body=p7->d.signed_and_enveloped->enc_data->enc_data; 435 data_body = p7->d.signed_and_enveloped->enc_data->enc_data;
448 enc_alg=p7->d.signed_and_enveloped->enc_data->algorithm; 436 enc_alg = p7->d.signed_and_enveloped->enc_data->algorithm;
449 evp_cipher=EVP_get_cipherbyobj(enc_alg->algorithm); 437 evp_cipher = EVP_get_cipherbyobj(enc_alg->algorithm);
450 if (evp_cipher == NULL) 438 if (evp_cipher == NULL) {
451 { 439 PKCS7err(PKCS7_F_PKCS7_DATADECODE,
452 PKCS7err(PKCS7_F_PKCS7_DATADECODE,PKCS7_R_UNSUPPORTED_CIPHER_TYPE); 440 PKCS7_R_UNSUPPORTED_CIPHER_TYPE);
453 goto err; 441 goto err;
454 } 442 }
455 break; 443 break;
456 case NID_pkcs7_enveloped: 444 case NID_pkcs7_enveloped:
457 rsk=p7->d.enveloped->recipientinfo; 445 rsk = p7->d.enveloped->recipientinfo;
458 enc_alg=p7->d.enveloped->enc_data->algorithm; 446 enc_alg = p7->d.enveloped->enc_data->algorithm;
459 data_body=p7->d.enveloped->enc_data->enc_data; 447 data_body = p7->d.enveloped->enc_data->enc_data;
460 evp_cipher=EVP_get_cipherbyobj(enc_alg->algorithm); 448 evp_cipher = EVP_get_cipherbyobj(enc_alg->algorithm);
461 if (evp_cipher == NULL) 449 if (evp_cipher == NULL) {
462 { 450 PKCS7err(PKCS7_F_PKCS7_DATADECODE,
463 PKCS7err(PKCS7_F_PKCS7_DATADECODE,PKCS7_R_UNSUPPORTED_CIPHER_TYPE); 451 PKCS7_R_UNSUPPORTED_CIPHER_TYPE);
464 goto err; 452 goto err;
465 } 453 }
466 break; 454 break;
467 default: 455 default:
468 PKCS7err(PKCS7_F_PKCS7_DATADECODE,PKCS7_R_UNSUPPORTED_CONTENT_TYPE); 456 PKCS7err(PKCS7_F_PKCS7_DATADECODE,
469 goto err; 457 PKCS7_R_UNSUPPORTED_CONTENT_TYPE);
470 } 458 goto err;
459 }
471 460
472 /* We will be checking the signature */ 461 /* We will be checking the signature */
473 if (md_sk != NULL) 462 if (md_sk != NULL) {
474 { 463 for (i = 0; i < sk_X509_ALGOR_num(md_sk); i++) {
475 for (i=0; i<sk_X509_ALGOR_num(md_sk); i++) 464 xa = sk_X509_ALGOR_value(md_sk, i);
476 { 465 if ((btmp = BIO_new(BIO_f_md())) == NULL) {
477 xa=sk_X509_ALGOR_value(md_sk,i); 466 PKCS7err(PKCS7_F_PKCS7_DATADECODE,
478 if ((btmp=BIO_new(BIO_f_md())) == NULL) 467 ERR_R_BIO_LIB);
479 {
480 PKCS7err(PKCS7_F_PKCS7_DATADECODE,ERR_R_BIO_LIB);
481 goto err; 468 goto err;
482 } 469 }
483 470
484 j=OBJ_obj2nid(xa->algorithm); 471 j = OBJ_obj2nid(xa->algorithm);
485 evp_md=EVP_get_digestbynid(j); 472 evp_md = EVP_get_digestbynid(j);
486 if (evp_md == NULL) 473 if (evp_md == NULL) {
487 { 474 PKCS7err(PKCS7_F_PKCS7_DATADECODE,
488 PKCS7err(PKCS7_F_PKCS7_DATADECODE,PKCS7_R_UNKNOWN_DIGEST_TYPE); 475 PKCS7_R_UNKNOWN_DIGEST_TYPE);
489 goto err; 476 goto err;
490 } 477 }
491 478
492 BIO_set_md(btmp,evp_md); 479 BIO_set_md(btmp, evp_md);
493 if (out == NULL) 480 if (out == NULL)
494 out=btmp; 481 out = btmp;
495 else 482 else
496 BIO_push(out,btmp); 483 BIO_push(out, btmp);
497 btmp=NULL; 484 btmp = NULL;
498 }
499 } 485 }
486 }
500 487
501 if (evp_cipher != NULL) 488 if (evp_cipher != NULL) {
502 {
503#if 0 489#if 0
504 unsigned char key[EVP_MAX_KEY_LENGTH]; 490 unsigned char key[EVP_MAX_KEY_LENGTH];
505 unsigned char iv[EVP_MAX_IV_LENGTH]; 491 unsigned char iv[EVP_MAX_IV_LENGTH];
506 unsigned char *p; 492 unsigned char *p;
507 int keylen,ivlen; 493 int keylen, ivlen;
508 int max; 494 int max;
509 X509_OBJECT ret; 495 X509_OBJECT ret;
510#endif 496#endif
511 497
512 if ((etmp=BIO_new(BIO_f_cipher())) == NULL) 498 if ((etmp = BIO_new(BIO_f_cipher())) == NULL) {
513 { 499 PKCS7err(PKCS7_F_PKCS7_DATADECODE, ERR_R_BIO_LIB);
514 PKCS7err(PKCS7_F_PKCS7_DATADECODE,ERR_R_BIO_LIB);
515 goto err; 500 goto err;
516 } 501 }
517 502
518 /* It was encrypted, we need to decrypt the secret key 503 /* It was encrypted, we need to decrypt the secret key
519 * with the private key */ 504 * with the private key */
@@ -521,54 +506,47 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
521 /* Find the recipientInfo which matches the passed certificate 506 /* Find the recipientInfo which matches the passed certificate
522 * (if any) 507 * (if any)
523 */ 508 */
524 509 if (pcert) {
525 if (pcert) 510 for (i = 0; i < sk_PKCS7_RECIP_INFO_num(rsk); i++) {
526 { 511 ri = sk_PKCS7_RECIP_INFO_value(rsk, i);
527 for (i=0; i<sk_PKCS7_RECIP_INFO_num(rsk); i++)
528 {
529 ri=sk_PKCS7_RECIP_INFO_value(rsk,i);
530 if (!pkcs7_cmp_ri(ri, pcert)) 512 if (!pkcs7_cmp_ri(ri, pcert))
531 break; 513 break;
532 ri=NULL; 514 ri = NULL;
533 } 515 }
534 if (ri == NULL) 516 if (ri == NULL) {
535 {
536 PKCS7err(PKCS7_F_PKCS7_DATADECODE, 517 PKCS7err(PKCS7_F_PKCS7_DATADECODE,
537 PKCS7_R_NO_RECIPIENT_MATCHES_CERTIFICATE); 518 PKCS7_R_NO_RECIPIENT_MATCHES_CERTIFICATE);
538 goto err; 519 goto err;
539 }
540 } 520 }
521 }
541 522
542 /* If we haven't got a certificate try each ri in turn */ 523 /* If we haven't got a certificate try each ri in turn */
543 if (pcert == NULL) 524 if (pcert == NULL) {
544 {
545 /* Always attempt to decrypt all rinfo even 525 /* Always attempt to decrypt all rinfo even
546 * after sucess as a defence against MMA timing 526 * after sucess as a defence against MMA timing
547 * attacks. 527 * attacks.
548 */ 528 */
549 for (i=0; i<sk_PKCS7_RECIP_INFO_num(rsk); i++) 529 for (i = 0; i < sk_PKCS7_RECIP_INFO_num(rsk); i++) {
550 { 530 ri = sk_PKCS7_RECIP_INFO_value(rsk, i);
551 ri=sk_PKCS7_RECIP_INFO_value(rsk,i); 531
552
553 if (pkcs7_decrypt_rinfo(&ek, &eklen, 532 if (pkcs7_decrypt_rinfo(&ek, &eklen,
554 ri, pkey) < 0) 533 ri, pkey) < 0)
555 goto err; 534 goto err;
556 ERR_clear_error(); 535 ERR_clear_error();
557 }
558 } 536 }
559 else 537 } else {
560 {
561 /* Only exit on fatal errors, not decrypt failure */ 538 /* Only exit on fatal errors, not decrypt failure */
562 if (pkcs7_decrypt_rinfo(&ek, &eklen, ri, pkey) < 0) 539 if (pkcs7_decrypt_rinfo(&ek, &eklen, ri, pkey) < 0)
563 goto err; 540 goto err;
564 ERR_clear_error(); 541 ERR_clear_error();
565 } 542 }
566 543
567 evp_ctx=NULL; 544 evp_ctx = NULL;
568 BIO_get_cipher_ctx(etmp,&evp_ctx); 545 BIO_get_cipher_ctx(etmp, &evp_ctx);
569 if (EVP_CipherInit_ex(evp_ctx,evp_cipher,NULL,NULL,NULL,0) <= 0) 546 if (EVP_CipherInit_ex(evp_ctx, evp_cipher, NULL, NULL,
547 NULL, 0) <= 0)
570 goto err; 548 goto err;
571 if (EVP_CIPHER_asn1_to_param(evp_ctx,enc_alg->parameter) < 0) 549 if (EVP_CIPHER_asn1_to_param(evp_ctx, enc_alg->parameter) < 0)
572 goto err; 550 goto err;
573 /* Generate random key as MMA defence */ 551 /* Generate random key as MMA defence */
574 tkeylen = EVP_CIPHER_CTX_key_length(evp_ctx); 552 tkeylen = EVP_CIPHER_CTX_key_length(evp_ctx);
@@ -577,257 +555,245 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
577 goto err; 555 goto err;
578 if (EVP_CIPHER_CTX_rand_key(evp_ctx, tkey) <= 0) 556 if (EVP_CIPHER_CTX_rand_key(evp_ctx, tkey) <= 0)
579 goto err; 557 goto err;
580 if (ek == NULL) 558 if (ek == NULL) {
581 {
582 ek = tkey; 559 ek = tkey;
583 eklen = tkeylen; 560 eklen = tkeylen;
584 tkey = NULL; 561 tkey = NULL;
585 } 562 }
586 563
587 if (eklen != EVP_CIPHER_CTX_key_length(evp_ctx)) { 564 if (eklen != EVP_CIPHER_CTX_key_length(evp_ctx)) {
588 /* Some S/MIME clients don't use the same key 565 /* Some S/MIME clients don't use the same key
589 * and effective key length. The key length is 566 * and effective key length. The key length is
590 * determined by the size of the decrypted RSA key. 567 * determined by the size of the decrypted RSA key.
591 */ 568 */
592 if(!EVP_CIPHER_CTX_set_key_length(evp_ctx, eklen)) 569 if (!EVP_CIPHER_CTX_set_key_length(evp_ctx, eklen)) {
593 {
594 /* Use random key as MMA defence */ 570 /* Use random key as MMA defence */
595 OPENSSL_cleanse(ek, eklen); 571 OPENSSL_cleanse(ek, eklen);
596 free(ek); 572 free(ek);
597 ek = tkey; 573 ek = tkey;
598 eklen = tkeylen; 574 eklen = tkeylen;
599 tkey = NULL; 575 tkey = NULL;
600 } 576 }
601 } 577 }
602 /* Clear errors so we don't leak information useful in MMA */ 578 /* Clear errors so we don't leak information useful in MMA */
603 ERR_clear_error(); 579 ERR_clear_error();
604 if (EVP_CipherInit_ex(evp_ctx,NULL,NULL,ek,NULL,0) <= 0) 580 if (EVP_CipherInit_ex(evp_ctx, NULL, NULL, ek, NULL, 0) <= 0)
605 goto err; 581 goto err;
606 582
607 if (ek) 583 if (ek) {
608 { 584 OPENSSL_cleanse(ek, eklen);
609 OPENSSL_cleanse(ek,eklen);
610 free(ek); 585 free(ek);
611 ek = NULL; 586 ek = NULL;
612 } 587 }
613 if (tkey) 588 if (tkey) {
614 { 589 OPENSSL_cleanse(tkey, tkeylen);
615 OPENSSL_cleanse(tkey,tkeylen);
616 free(tkey); 590 free(tkey);
617 tkey = NULL; 591 tkey = NULL;
618 } 592 }
619 593
620 if (out == NULL) 594 if (out == NULL)
621 out=etmp; 595 out = etmp;
622 else 596 else
623 BIO_push(out,etmp); 597 BIO_push(out, etmp);
624 etmp=NULL; 598 etmp = NULL;
625 } 599 }
626 600
627#if 1 601#if 1
628 if (PKCS7_is_detached(p7) || (in_bio != NULL)) 602 if (PKCS7_is_detached(p7) || (in_bio != NULL)) {
629 { 603 bio = in_bio;
630 bio=in_bio; 604 } else {
631 }
632 else
633 {
634#if 0 605#if 0
635 bio=BIO_new(BIO_s_mem()); 606 bio = BIO_new(BIO_s_mem());
636 /* We need to set this so that when we have read all 607 /* We need to set this so that when we have read all
637 * the data, the encrypt BIO, if present, will read 608 * the data, the encrypt BIO, if present, will read
638 * EOF and encode the last few bytes */ 609 * EOF and encode the last few bytes */
639 BIO_set_mem_eof_return(bio,0); 610 BIO_set_mem_eof_return(bio, 0);
640 611
641 if (data_body != NULL && data_body->length > 0) 612 if (data_body != NULL && data_body->length > 0)
642 BIO_write(bio,(char *)data_body->data,data_body->length); 613 BIO_write(bio, (char *)data_body->data, data_body->length);
643#else 614#else
644 if (data_body != NULL && data_body->length > 0) 615 if (data_body != NULL && data_body->length > 0)
645 bio = BIO_new_mem_buf(data_body->data,data_body->length); 616 bio = BIO_new_mem_buf(data_body->data, data_body->length);
646 else { 617 else {
647 bio=BIO_new(BIO_s_mem()); 618 bio = BIO_new(BIO_s_mem());
648 BIO_set_mem_eof_return(bio,0); 619 BIO_set_mem_eof_return(bio, 0);
649 } 620 }
650 if (bio == NULL) 621 if (bio == NULL)
651 goto err; 622 goto err;
652#endif 623#endif
653 } 624 }
654 BIO_push(out,bio); 625 BIO_push(out, bio);
655 bio=NULL; 626 bio = NULL;
656#endif 627#endif
657 if (0) 628 if (0) {
658 {
659err: 629err:
660 if (ek) 630 if (ek) {
661 { 631 OPENSSL_cleanse(ek, eklen);
662 OPENSSL_cleanse(ek,eklen); 632 free(ek);
663 free(ek); 633 }
664 } 634 if (tkey) {
665 if (tkey) 635 OPENSSL_cleanse(tkey, tkeylen);
666 { 636 free(tkey);
667 OPENSSL_cleanse(tkey,tkeylen);
668 free(tkey);
669 }
670 if (out != NULL) BIO_free_all(out);
671 if (btmp != NULL) BIO_free_all(btmp);
672 if (etmp != NULL) BIO_free_all(etmp);
673 if (bio != NULL) BIO_free_all(bio);
674 out=NULL;
675 } 637 }
676 return(out); 638 if (out != NULL)
639 BIO_free_all(out);
640 if (btmp != NULL)
641 BIO_free_all(btmp);
642 if (etmp != NULL)
643 BIO_free_all(etmp);
644 if (bio != NULL)
645 BIO_free_all(bio);
646 out = NULL;
677 } 647 }
648 return (out);
649}
678 650
679static BIO *PKCS7_find_digest(EVP_MD_CTX **pmd, BIO *bio, int nid) 651static BIO *
680 { 652PKCS7_find_digest(EVP_MD_CTX **pmd, BIO *bio, int nid)
681 for (;;) 653{
682 { 654 for (;;) {
683 bio=BIO_find_type(bio,BIO_TYPE_MD); 655 bio = BIO_find_type(bio, BIO_TYPE_MD);
684 if (bio == NULL) 656 if (bio == NULL) {
685 { 657 PKCS7err(PKCS7_F_PKCS7_FIND_DIGEST,
686 PKCS7err(PKCS7_F_PKCS7_FIND_DIGEST,PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST); 658 PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST);
687 return NULL;
688 }
689 BIO_get_md_ctx(bio,pmd);
690 if (*pmd == NULL)
691 {
692 PKCS7err(PKCS7_F_PKCS7_FIND_DIGEST,ERR_R_INTERNAL_ERROR);
693 return NULL; 659 return NULL;
694 } 660 }
661 BIO_get_md_ctx(bio, pmd);
662 if (*pmd == NULL) {
663 PKCS7err(PKCS7_F_PKCS7_FIND_DIGEST,
664 ERR_R_INTERNAL_ERROR);
665 return NULL;
666 }
695 if (EVP_MD_CTX_type(*pmd) == nid) 667 if (EVP_MD_CTX_type(*pmd) == nid)
696 return bio; 668 return bio;
697 bio=BIO_next(bio); 669 bio = BIO_next(bio);
698 }
699 return NULL;
700 } 670 }
671 return NULL;
672}
701 673
702static int do_pkcs7_signed_attrib(PKCS7_SIGNER_INFO *si, EVP_MD_CTX *mctx) 674static int
703 { 675do_pkcs7_signed_attrib(PKCS7_SIGNER_INFO *si, EVP_MD_CTX *mctx)
676{
704 unsigned char md_data[EVP_MAX_MD_SIZE]; 677 unsigned char md_data[EVP_MAX_MD_SIZE];
705 unsigned int md_len; 678 unsigned int md_len;
706 679
707 /* Add signing time if not already present */ 680 /* Add signing time if not already present */
708 if (!PKCS7_get_signed_attribute(si, NID_pkcs9_signingTime)) 681 if (!PKCS7_get_signed_attribute(si, NID_pkcs9_signingTime)) {
709 { 682 if (!PKCS7_add0_attrib_signing_time(si, NULL)) {
710 if (!PKCS7_add0_attrib_signing_time(si, NULL))
711 {
712 PKCS7err(PKCS7_F_DO_PKCS7_SIGNED_ATTRIB, 683 PKCS7err(PKCS7_F_DO_PKCS7_SIGNED_ATTRIB,
713 ERR_R_MALLOC_FAILURE); 684 ERR_R_MALLOC_FAILURE);
714 return 0; 685 return 0;
715 }
716 } 686 }
687 }
717 688
718 /* Add digest */ 689 /* Add digest */
719 if (!EVP_DigestFinal_ex(mctx, md_data,&md_len)) 690 if (!EVP_DigestFinal_ex(mctx, md_data, &md_len)) {
720 {
721 PKCS7err(PKCS7_F_DO_PKCS7_SIGNED_ATTRIB, ERR_R_EVP_LIB); 691 PKCS7err(PKCS7_F_DO_PKCS7_SIGNED_ATTRIB, ERR_R_EVP_LIB);
722 return 0; 692 return 0;
723 } 693 }
724 if (!PKCS7_add1_attrib_digest(si, md_data, md_len)) 694 if (!PKCS7_add1_attrib_digest(si, md_data, md_len)) {
725 {
726 PKCS7err(PKCS7_F_DO_PKCS7_SIGNED_ATTRIB, ERR_R_MALLOC_FAILURE); 695 PKCS7err(PKCS7_F_DO_PKCS7_SIGNED_ATTRIB, ERR_R_MALLOC_FAILURE);
727 return 0; 696 return 0;
728 } 697 }
729 698
730 /* Now sign the attributes */ 699 /* Now sign the attributes */
731 if (!PKCS7_SIGNER_INFO_sign(si)) 700 if (!PKCS7_SIGNER_INFO_sign(si))
732 return 0; 701 return 0;
733 702
734 return 1; 703 return 1;
735 } 704}
736 705
737 706
738int PKCS7_dataFinal(PKCS7 *p7, BIO *bio) 707int
739 { 708PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
740 int ret=0; 709{
741 int i,j; 710 int ret = 0;
711 int i, j;
742 BIO *btmp; 712 BIO *btmp;
743 PKCS7_SIGNER_INFO *si; 713 PKCS7_SIGNER_INFO *si;
744 EVP_MD_CTX *mdc,ctx_tmp; 714 EVP_MD_CTX *mdc, ctx_tmp;
745 STACK_OF(X509_ATTRIBUTE) *sk; 715 STACK_OF(X509_ATTRIBUTE) *sk;
746 STACK_OF(PKCS7_SIGNER_INFO) *si_sk=NULL; 716 STACK_OF(PKCS7_SIGNER_INFO) *si_sk = NULL;
747 ASN1_OCTET_STRING *os=NULL; 717 ASN1_OCTET_STRING *os = NULL;
748 718
749 EVP_MD_CTX_init(&ctx_tmp); 719 EVP_MD_CTX_init(&ctx_tmp);
750 i=OBJ_obj2nid(p7->type); 720 i = OBJ_obj2nid(p7->type);
751 p7->state=PKCS7_S_HEADER; 721 p7->state = PKCS7_S_HEADER;
752 722
753 switch (i) 723 switch (i) {
754 {
755 case NID_pkcs7_data: 724 case NID_pkcs7_data:
756 os = p7->d.data; 725 os = p7->d.data;
757 break; 726 break;
758 case NID_pkcs7_signedAndEnveloped: 727 case NID_pkcs7_signedAndEnveloped:
759 /* XXX */ 728 /* XXX */
760 si_sk=p7->d.signed_and_enveloped->signer_info; 729 si_sk = p7->d.signed_and_enveloped->signer_info;
761 os = p7->d.signed_and_enveloped->enc_data->enc_data; 730 os = p7->d.signed_and_enveloped->enc_data->enc_data;
762 if (!os) 731 if (!os) {
763 { 732 os = M_ASN1_OCTET_STRING_new();
764 os=M_ASN1_OCTET_STRING_new(); 733 if (!os) {
765 if (!os) 734 PKCS7err(PKCS7_F_PKCS7_DATAFINAL,
766 { 735 ERR_R_MALLOC_FAILURE);
767 PKCS7err(PKCS7_F_PKCS7_DATAFINAL,ERR_R_MALLOC_FAILURE);
768 goto err; 736 goto err;
769 }
770 p7->d.signed_and_enveloped->enc_data->enc_data=os;
771 } 737 }
738 p7->d.signed_and_enveloped->enc_data->enc_data = os;
739 }
772 break; 740 break;
773 case NID_pkcs7_enveloped: 741 case NID_pkcs7_enveloped:
774 /* XXX */ 742 /* XXX */
775 os = p7->d.enveloped->enc_data->enc_data; 743 os = p7->d.enveloped->enc_data->enc_data;
776 if (!os) 744 if (!os) {
777 { 745 os = M_ASN1_OCTET_STRING_new();
778 os=M_ASN1_OCTET_STRING_new(); 746 if (!os) {
779 if (!os) 747 PKCS7err(PKCS7_F_PKCS7_DATAFINAL,
780 { 748 ERR_R_MALLOC_FAILURE);
781 PKCS7err(PKCS7_F_PKCS7_DATAFINAL,ERR_R_MALLOC_FAILURE);
782 goto err; 749 goto err;
783 }
784 p7->d.enveloped->enc_data->enc_data=os;
785 } 750 }
751 p7->d.enveloped->enc_data->enc_data = os;
752 }
786 break; 753 break;
787 case NID_pkcs7_signed: 754 case NID_pkcs7_signed:
788 si_sk=p7->d.sign->signer_info; 755 si_sk = p7->d.sign->signer_info;
789 os=PKCS7_get_octet_string(p7->d.sign->contents); 756 os = PKCS7_get_octet_string(p7->d.sign->contents);
790 if (os == NULL) { 757 if (os == NULL) {
791 PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_DECODE_ERROR); 758 PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_DECODE_ERROR);
792 goto err; 759 goto err;
793 } 760 }
794 /* If detached data then the content is excluded */ 761 /* If detached data then the content is excluded */
795 if(PKCS7_type_is_data(p7->d.sign->contents) && p7->detached) { 762 if (PKCS7_type_is_data(p7->d.sign->contents) && p7->detached) {
796 M_ASN1_OCTET_STRING_free(os); 763 M_ASN1_OCTET_STRING_free(os);
797 p7->d.sign->contents->d.data = NULL; 764 p7->d.sign->contents->d.data = NULL;
798 } 765 }
799 break; 766 break;
800 767
801 case NID_pkcs7_digest: 768 case NID_pkcs7_digest:
802 os=PKCS7_get_octet_string(p7->d.digest->contents); 769 os = PKCS7_get_octet_string(p7->d.digest->contents);
803 if (os == NULL) { 770 if (os == NULL) {
804 PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_DECODE_ERROR); 771 PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_DECODE_ERROR);
805 goto err; 772 goto err;
806 } 773 }
807 /* If detached data then the content is excluded */ 774 /* If detached data then the content is excluded */
808 if(PKCS7_type_is_data(p7->d.digest->contents) && p7->detached) 775 if (PKCS7_type_is_data(p7->d.digest->contents) &&
809 { 776 p7->detached) {
810 M_ASN1_OCTET_STRING_free(os); 777 M_ASN1_OCTET_STRING_free(os);
811 p7->d.digest->contents->d.data = NULL; 778 p7->d.digest->contents->d.data = NULL;
812 } 779 }
813 break; 780 break;
814 781
815 default: 782 default:
816 PKCS7err(PKCS7_F_PKCS7_DATAFINAL,PKCS7_R_UNSUPPORTED_CONTENT_TYPE); 783 PKCS7err(PKCS7_F_PKCS7_DATAFINAL,
817 goto err; 784 PKCS7_R_UNSUPPORTED_CONTENT_TYPE);
818 } 785 goto err;
786 }
819 787
820 if (si_sk != NULL) 788 if (si_sk != NULL) {
821 { 789 for (i = 0; i < sk_PKCS7_SIGNER_INFO_num(si_sk); i++) {
822 for (i=0; i<sk_PKCS7_SIGNER_INFO_num(si_sk); i++) 790 si = sk_PKCS7_SIGNER_INFO_value(si_sk, i);
823 {
824 si=sk_PKCS7_SIGNER_INFO_value(si_sk,i);
825 if (si->pkey == NULL) 791 if (si->pkey == NULL)
826 continue; 792 continue;
827 793
828 j = OBJ_obj2nid(si->digest_alg->algorithm); 794 j = OBJ_obj2nid(si->digest_alg->algorithm);
829 795
830 btmp=bio; 796 btmp = bio;
831 797
832 btmp = PKCS7_find_digest(&mdc, btmp, j); 798 btmp = PKCS7_find_digest(&mdc, btmp, j);
833 799
@@ -836,20 +802,17 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
836 802
837 /* We now have the EVP_MD_CTX, lets do the 803 /* We now have the EVP_MD_CTX, lets do the
838 * signing. */ 804 * signing. */
839 if (!EVP_MD_CTX_copy_ex(&ctx_tmp,mdc)) 805 if (!EVP_MD_CTX_copy_ex(&ctx_tmp, mdc))
840 goto err; 806 goto err;
841 807
842 sk=si->auth_attr; 808 sk = si->auth_attr;
843 809
844 /* If there are attributes, we add the digest 810 /* If there are attributes, we add the digest
845 * attribute and only sign the attributes */ 811 * attribute and only sign the attributes */
846 if (sk_X509_ATTRIBUTE_num(sk) > 0) 812 if (sk_X509_ATTRIBUTE_num(sk) > 0) {
847 {
848 if (!do_pkcs7_signed_attrib(si, &ctx_tmp)) 813 if (!do_pkcs7_signed_attrib(si, &ctx_tmp))
849 goto err; 814 goto err;
850 } 815 } else {
851 else
852 {
853 unsigned char *abuf = NULL; 816 unsigned char *abuf = NULL;
854 unsigned int abuflen; 817 unsigned int abuflen;
855 abuflen = EVP_PKEY_size(si->pkey); 818 abuflen = EVP_PKEY_size(si->pkey);
@@ -858,38 +821,34 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
858 goto err; 821 goto err;
859 822
860 if (!EVP_SignFinal(&ctx_tmp, abuf, &abuflen, 823 if (!EVP_SignFinal(&ctx_tmp, abuf, &abuflen,
861 si->pkey)) 824 si->pkey)) {
862 {
863 PKCS7err(PKCS7_F_PKCS7_DATAFINAL, 825 PKCS7err(PKCS7_F_PKCS7_DATAFINAL,
864 ERR_R_EVP_LIB); 826 ERR_R_EVP_LIB);
865 goto err; 827 goto err;
866 }
867 ASN1_STRING_set0(si->enc_digest, abuf, abuflen);
868 } 828 }
829 ASN1_STRING_set0(si->enc_digest, abuf, abuflen);
869 } 830 }
870 } 831 }
871 else if (i == NID_pkcs7_digest) 832 } else if (i == NID_pkcs7_digest) {
872 {
873 unsigned char md_data[EVP_MAX_MD_SIZE]; 833 unsigned char md_data[EVP_MAX_MD_SIZE];
874 unsigned int md_len; 834 unsigned int md_len;
875 if (!PKCS7_find_digest(&mdc, bio, 835 if (!PKCS7_find_digest(&mdc, bio,
876 OBJ_obj2nid(p7->d.digest->md->algorithm))) 836 OBJ_obj2nid(p7->d.digest->md->algorithm)))
877 goto err; 837 goto err;
878 if (!EVP_DigestFinal_ex(mdc,md_data,&md_len)) 838 if (!EVP_DigestFinal_ex(mdc, md_data, &md_len))
879 goto err; 839 goto err;
880 M_ASN1_OCTET_STRING_set(p7->d.digest->digest, md_data, md_len); 840 M_ASN1_OCTET_STRING_set(p7->d.digest->digest, md_data, md_len);
881 } 841 }
882 842
883 if (!PKCS7_is_detached(p7) && !(os->flags & ASN1_STRING_FLAG_NDEF)) 843 if (!PKCS7_is_detached(p7) && !(os->flags & ASN1_STRING_FLAG_NDEF)) {
884 {
885 char *cont; 844 char *cont;
886 long contlen; 845 long contlen;
887 btmp=BIO_find_type(bio,BIO_TYPE_MEM); 846 btmp = BIO_find_type(bio, BIO_TYPE_MEM);
888 if (btmp == NULL) 847 if (btmp == NULL) {
889 { 848 PKCS7err(PKCS7_F_PKCS7_DATAFINAL,
890 PKCS7err(PKCS7_F_PKCS7_DATAFINAL,PKCS7_R_UNABLE_TO_FIND_MEM_BIO); 849 PKCS7_R_UNABLE_TO_FIND_MEM_BIO);
891 goto err; 850 goto err;
892 } 851 }
893 contlen = BIO_get_mem_data(btmp, &cont); 852 contlen = BIO_get_mem_data(btmp, &cont);
894 /* Mark the BIO read only then we can use its copy of the data 853 /* Mark the BIO read only then we can use its copy of the data
895 * instead of making an extra copy. 854 * instead of making an extra copy.
@@ -897,15 +856,16 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
897 BIO_set_flags(btmp, BIO_FLAGS_MEM_RDONLY); 856 BIO_set_flags(btmp, BIO_FLAGS_MEM_RDONLY);
898 BIO_set_mem_eof_return(btmp, 0); 857 BIO_set_mem_eof_return(btmp, 0);
899 ASN1_STRING_set0(os, (unsigned char *)cont, contlen); 858 ASN1_STRING_set0(os, (unsigned char *)cont, contlen);
900 } 859 }
901 ret=1; 860 ret = 1;
902err: 861err:
903 EVP_MD_CTX_cleanup(&ctx_tmp); 862 EVP_MD_CTX_cleanup(&ctx_tmp);
904 return(ret); 863 return (ret);
905 } 864}
906 865
907int PKCS7_SIGNER_INFO_sign(PKCS7_SIGNER_INFO *si) 866int
908 { 867PKCS7_SIGNER_INFO_sign(PKCS7_SIGNER_INFO *si)
868{
909 EVP_MD_CTX mctx; 869 EVP_MD_CTX mctx;
910 EVP_PKEY_CTX *pctx; 870 EVP_PKEY_CTX *pctx;
911 unsigned char *abuf = NULL; 871 unsigned char *abuf = NULL;
@@ -918,38 +878,36 @@ int PKCS7_SIGNER_INFO_sign(PKCS7_SIGNER_INFO *si)
918 return 0; 878 return 0;
919 879
920 EVP_MD_CTX_init(&mctx); 880 EVP_MD_CTX_init(&mctx);
921 if (EVP_DigestSignInit(&mctx, &pctx, md,NULL, si->pkey) <= 0) 881 if (EVP_DigestSignInit(&mctx, &pctx, md, NULL, si->pkey) <= 0)
922 goto err; 882 goto err;
923 883
924 if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_SIGN, 884 if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_SIGN,
925 EVP_PKEY_CTRL_PKCS7_SIGN, 0, si) <= 0) 885 EVP_PKEY_CTRL_PKCS7_SIGN, 0, si) <= 0) {
926 {
927 PKCS7err(PKCS7_F_PKCS7_SIGNER_INFO_SIGN, PKCS7_R_CTRL_ERROR); 886 PKCS7err(PKCS7_F_PKCS7_SIGNER_INFO_SIGN, PKCS7_R_CTRL_ERROR);
928 goto err; 887 goto err;
929 } 888 }
930 889
931 alen = ASN1_item_i2d((ASN1_VALUE *)si->auth_attr,&abuf, 890 alen = ASN1_item_i2d((ASN1_VALUE *)si->auth_attr, &abuf,
932 ASN1_ITEM_rptr(PKCS7_ATTR_SIGN)); 891 ASN1_ITEM_rptr(PKCS7_ATTR_SIGN));
933 if(!abuf) 892 if (!abuf)
934 goto err; 893 goto err;
935 if (EVP_DigestSignUpdate(&mctx,abuf,alen) <= 0) 894 if (EVP_DigestSignUpdate(&mctx, abuf, alen) <= 0)
936 goto err; 895 goto err;
937 free(abuf); 896 free(abuf);
938 abuf = NULL; 897 abuf = NULL;
939 if (EVP_DigestSignFinal(&mctx, NULL, &siglen) <= 0) 898 if (EVP_DigestSignFinal(&mctx, NULL, &siglen) <= 0)
940 goto err; 899 goto err;
941 abuf = malloc(siglen); 900 abuf = malloc(siglen);
942 if(!abuf) 901 if (!abuf)
943 goto err; 902 goto err;
944 if (EVP_DigestSignFinal(&mctx, abuf, &siglen) <= 0) 903 if (EVP_DigestSignFinal(&mctx, abuf, &siglen) <= 0)
945 goto err; 904 goto err;
946 905
947 if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_SIGN, 906 if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_SIGN,
948 EVP_PKEY_CTRL_PKCS7_SIGN, 1, si) <= 0) 907 EVP_PKEY_CTRL_PKCS7_SIGN, 1, si) <= 0) {
949 {
950 PKCS7err(PKCS7_F_PKCS7_SIGNER_INFO_SIGN, PKCS7_R_CTRL_ERROR); 908 PKCS7err(PKCS7_F_PKCS7_SIGNER_INFO_SIGN, PKCS7_R_CTRL_ERROR);
951 goto err; 909 goto err;
952 } 910 }
953 911
954 EVP_MD_CTX_cleanup(&mctx); 912 EVP_MD_CTX_cleanup(&mctx);
955 913
@@ -957,73 +915,66 @@ int PKCS7_SIGNER_INFO_sign(PKCS7_SIGNER_INFO *si)
957 915
958 return 1; 916 return 1;
959 917
960 err: 918err:
961 free(abuf); 919 free(abuf);
962 EVP_MD_CTX_cleanup(&mctx); 920 EVP_MD_CTX_cleanup(&mctx);
963 return 0; 921 return 0;
922}
964 923
965 } 924int
966 925PKCS7_dataVerify(X509_STORE *cert_store, X509_STORE_CTX *ctx, BIO *bio,
967int PKCS7_dataVerify(X509_STORE *cert_store, X509_STORE_CTX *ctx, BIO *bio, 926 PKCS7 *p7, PKCS7_SIGNER_INFO *si)
968 PKCS7 *p7, PKCS7_SIGNER_INFO *si) 927{
969 {
970 PKCS7_ISSUER_AND_SERIAL *ias; 928 PKCS7_ISSUER_AND_SERIAL *ias;
971 int ret=0,i; 929 int ret = 0, i;
972 STACK_OF(X509) *cert; 930 STACK_OF(X509) *cert;
973 X509 *x509; 931 X509 *x509;
974 932
975 if (PKCS7_type_is_signed(p7)) 933 if (PKCS7_type_is_signed(p7)) {
976 { 934 cert = p7->d.sign->cert;
977 cert=p7->d.sign->cert; 935 } else if (PKCS7_type_is_signedAndEnveloped(p7)) {
978 } 936 cert = p7->d.signed_and_enveloped->cert;
979 else if (PKCS7_type_is_signedAndEnveloped(p7)) 937 } else {
980 { 938 PKCS7err(PKCS7_F_PKCS7_DATAVERIFY, PKCS7_R_WRONG_PKCS7_TYPE);
981 cert=p7->d.signed_and_enveloped->cert;
982 }
983 else
984 {
985 PKCS7err(PKCS7_F_PKCS7_DATAVERIFY,PKCS7_R_WRONG_PKCS7_TYPE);
986 goto err; 939 goto err;
987 } 940 }
988 /* XXXX */ 941 /* XXXX */
989 ias=si->issuer_and_serial; 942 ias = si->issuer_and_serial;
990 943
991 x509=X509_find_by_issuer_and_serial(cert,ias->issuer,ias->serial); 944 x509 = X509_find_by_issuer_and_serial(cert, ias->issuer, ias->serial);
992 945
993 /* were we able to find the cert in passed to us */ 946 /* were we able to find the cert in passed to us */
994 if (x509 == NULL) 947 if (x509 == NULL) {
995 { 948 PKCS7err(PKCS7_F_PKCS7_DATAVERIFY,
996 PKCS7err(PKCS7_F_PKCS7_DATAVERIFY,PKCS7_R_UNABLE_TO_FIND_CERTIFICATE); 949 PKCS7_R_UNABLE_TO_FIND_CERTIFICATE);
997 goto err; 950 goto err;
998 } 951 }
999 952
1000 /* Lets verify */ 953 /* Lets verify */
1001 if(!X509_STORE_CTX_init(ctx,cert_store,x509,cert)) 954 if (!X509_STORE_CTX_init(ctx, cert_store, x509, cert)) {
1002 { 955 PKCS7err(PKCS7_F_PKCS7_DATAVERIFY, ERR_R_X509_LIB);
1003 PKCS7err(PKCS7_F_PKCS7_DATAVERIFY,ERR_R_X509_LIB);
1004 goto err; 956 goto err;
1005 } 957 }
1006 X509_STORE_CTX_set_purpose(ctx, X509_PURPOSE_SMIME_SIGN); 958 X509_STORE_CTX_set_purpose(ctx, X509_PURPOSE_SMIME_SIGN);
1007 i=X509_verify_cert(ctx); 959 i = X509_verify_cert(ctx);
1008 if (i <= 0) 960 if (i <= 0) {
1009 { 961 PKCS7err(PKCS7_F_PKCS7_DATAVERIFY, ERR_R_X509_LIB);
1010 PKCS7err(PKCS7_F_PKCS7_DATAVERIFY,ERR_R_X509_LIB);
1011 X509_STORE_CTX_cleanup(ctx); 962 X509_STORE_CTX_cleanup(ctx);
1012 goto err; 963 goto err;
1013 } 964 }
1014 X509_STORE_CTX_cleanup(ctx); 965 X509_STORE_CTX_cleanup(ctx);
1015 966
1016 return PKCS7_signatureVerify(bio, p7, si, x509); 967 return PKCS7_signatureVerify(bio, p7, si, x509);
1017 err: 968err:
1018 return ret; 969 return ret;
1019 } 970}
1020 971
1021int PKCS7_signatureVerify(BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si, 972int
1022 X509 *x509) 973PKCS7_signatureVerify(BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si, X509 *x509)
1023 { 974{
1024 ASN1_OCTET_STRING *os; 975 ASN1_OCTET_STRING *os;
1025 EVP_MD_CTX mdc_tmp,*mdc; 976 EVP_MD_CTX mdc_tmp, *mdc;
1026 int ret=0,i; 977 int ret = 0, i;
1027 int md_type; 978 int md_type;
1028 STACK_OF(X509_ATTRIBUTE) *sk; 979 STACK_OF(X509_ATTRIBUTE) *sk;
1029 BIO *btmp; 980 BIO *btmp;
@@ -1031,32 +982,29 @@ int PKCS7_signatureVerify(BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si,
1031 982
1032 EVP_MD_CTX_init(&mdc_tmp); 983 EVP_MD_CTX_init(&mdc_tmp);
1033 984
1034 if (!PKCS7_type_is_signed(p7) && 985 if (!PKCS7_type_is_signed(p7) &&
1035 !PKCS7_type_is_signedAndEnveloped(p7)) { 986 !PKCS7_type_is_signedAndEnveloped(p7)) {
1036 PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY, 987 PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY,
1037 PKCS7_R_WRONG_PKCS7_TYPE); 988 PKCS7_R_WRONG_PKCS7_TYPE);
1038 goto err; 989 goto err;
1039 } 990 }
1040 991
1041 md_type=OBJ_obj2nid(si->digest_alg->algorithm); 992 md_type = OBJ_obj2nid(si->digest_alg->algorithm);
1042 993
1043 btmp=bio; 994 btmp = bio;
1044 for (;;) 995 for (;;) {
1045 {
1046 if ((btmp == NULL) || 996 if ((btmp == NULL) ||
1047 ((btmp=BIO_find_type(btmp,BIO_TYPE_MD)) == NULL)) 997 ((btmp = BIO_find_type(btmp, BIO_TYPE_MD)) == NULL)) {
1048 {
1049 PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY, 998 PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY,
1050 PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST); 999 PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST);
1051 goto err; 1000 goto err;
1052 } 1001 }
1053 BIO_get_md_ctx(btmp,&mdc); 1002 BIO_get_md_ctx(btmp, &mdc);
1054 if (mdc == NULL) 1003 if (mdc == NULL) {
1055 {
1056 PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY, 1004 PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY,
1057 ERR_R_INTERNAL_ERROR); 1005 ERR_R_INTERNAL_ERROR);
1058 goto err; 1006 goto err;
1059 } 1007 }
1060 if (EVP_MD_CTX_type(mdc) == md_type) 1008 if (EVP_MD_CTX_type(mdc) == md_type)
1061 break; 1009 break;
1062 /* Workaround for some broken clients that put the signature 1010 /* Workaround for some broken clients that put the signature
@@ -1064,243 +1012,239 @@ int PKCS7_signatureVerify(BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si,
1064 */ 1012 */
1065 if (EVP_MD_pkey_type(EVP_MD_CTX_md(mdc)) == md_type) 1013 if (EVP_MD_pkey_type(EVP_MD_CTX_md(mdc)) == md_type)
1066 break; 1014 break;
1067 btmp=BIO_next(btmp); 1015 btmp = BIO_next(btmp);
1068 } 1016 }
1069 1017
1070 /* mdc is the digest ctx that we want, unless there are attributes, 1018 /* mdc is the digest ctx that we want, unless there are attributes,
1071 * in which case the digest is the signed attributes */ 1019 * in which case the digest is the signed attributes */
1072 if (!EVP_MD_CTX_copy_ex(&mdc_tmp,mdc)) 1020 if (!EVP_MD_CTX_copy_ex(&mdc_tmp, mdc))
1073 goto err; 1021 goto err;
1074 1022
1075 sk=si->auth_attr; 1023 sk = si->auth_attr;
1076 if ((sk != NULL) && (sk_X509_ATTRIBUTE_num(sk) != 0)) 1024 if ((sk != NULL) && (sk_X509_ATTRIBUTE_num(sk) != 0)) {
1077 {
1078 unsigned char md_dat[EVP_MAX_MD_SIZE], *abuf = NULL; 1025 unsigned char md_dat[EVP_MAX_MD_SIZE], *abuf = NULL;
1079 unsigned int md_len; 1026 unsigned int md_len;
1080 int alen; 1027 int alen;
1081 ASN1_OCTET_STRING *message_digest; 1028 ASN1_OCTET_STRING *message_digest;
1082 1029
1083 if (!EVP_DigestFinal_ex(&mdc_tmp,md_dat,&md_len)) 1030 if (!EVP_DigestFinal_ex(&mdc_tmp, md_dat, &md_len))
1084 goto err; 1031 goto err;
1085 message_digest=PKCS7_digest_from_attributes(sk); 1032 message_digest = PKCS7_digest_from_attributes(sk);
1086 if (!message_digest) 1033 if (!message_digest) {
1087 {
1088 PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY, 1034 PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY,
1089 PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST); 1035 PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST);
1090 goto err; 1036 goto err;
1091 } 1037 }
1092 if ((message_digest->length != (int)md_len) || 1038 if ((message_digest->length != (int)md_len) ||
1093 (memcmp(message_digest->data,md_dat,md_len))) 1039 (memcmp(message_digest->data, md_dat, md_len))) {
1094 {
1095#if 0 1040#if 0
1096{ 1041 {
1097int ii; 1042 int ii;
1098for (ii=0; ii<message_digest->length; ii++) 1043 for (ii = 0; ii < message_digest->length; ii++)
1099 printf("%02X",message_digest->data[ii]); printf(" sent\n"); 1044 printf("%02X",message_digest->data[ii]); printf(" sent\n");
1100for (ii=0; ii<md_len; ii++) printf("%02X",md_dat[ii]); printf(" calc\n"); 1045 for (ii=0; ii<md_len; ii++) printf("%02X",md_dat[ii]); printf(" calc\n");
1101} 1046 }
1102#endif 1047#endif
1103 PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY, 1048 PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY,
1104 PKCS7_R_DIGEST_FAILURE); 1049 PKCS7_R_DIGEST_FAILURE);
1105 ret= -1; 1050 ret = -1;
1106 goto err; 1051 goto err;
1107 } 1052 }
1108 1053
1109 if (!EVP_VerifyInit_ex(&mdc_tmp,EVP_get_digestbynid(md_type), NULL)) 1054 if (!EVP_VerifyInit_ex(&mdc_tmp, EVP_get_digestbynid(md_type),
1055 NULL))
1110 goto err; 1056 goto err;
1111 1057
1112 alen = ASN1_item_i2d((ASN1_VALUE *)sk, &abuf, 1058 alen = ASN1_item_i2d((ASN1_VALUE *)sk, &abuf,
1113 ASN1_ITEM_rptr(PKCS7_ATTR_VERIFY)); 1059 ASN1_ITEM_rptr(PKCS7_ATTR_VERIFY));
1114 if (alen <= 0) 1060 if (alen <= 0) {
1115 { 1061 PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY, ERR_R_ASN1_LIB);
1116 PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY,ERR_R_ASN1_LIB);
1117 ret = -1; 1062 ret = -1;
1118 goto err; 1063 goto err;
1119 } 1064 }
1120 if (!EVP_VerifyUpdate(&mdc_tmp, abuf, alen)) 1065 if (!EVP_VerifyUpdate(&mdc_tmp, abuf, alen))
1121 goto err; 1066 goto err;
1122 1067
1123 free(abuf); 1068 free(abuf);
1124 } 1069 }
1125 1070
1126 os=si->enc_digest; 1071 os = si->enc_digest;
1127 pkey = X509_get_pubkey(x509); 1072 pkey = X509_get_pubkey(x509);
1128 if (!pkey) 1073 if (!pkey) {
1129 {
1130 ret = -1; 1074 ret = -1;
1131 goto err; 1075 goto err;
1132 } 1076 }
1133 1077
1134 i=EVP_VerifyFinal(&mdc_tmp,os->data,os->length, pkey); 1078 i = EVP_VerifyFinal(&mdc_tmp, os->data, os->length, pkey);
1135 EVP_PKEY_free(pkey); 1079 EVP_PKEY_free(pkey);
1136 if (i <= 0) 1080 if (i <= 0) {
1137 {
1138 PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY, 1081 PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY,
1139 PKCS7_R_SIGNATURE_FAILURE); 1082 PKCS7_R_SIGNATURE_FAILURE);
1140 ret= -1; 1083 ret = -1;
1141 goto err; 1084 goto err;
1142 } 1085 } else
1143 else 1086 ret = 1;
1144 ret=1;
1145err: 1087err:
1146 EVP_MD_CTX_cleanup(&mdc_tmp); 1088 EVP_MD_CTX_cleanup(&mdc_tmp);
1147 return(ret); 1089 return (ret);
1148 } 1090}
1149 1091
1150PKCS7_ISSUER_AND_SERIAL *PKCS7_get_issuer_and_serial(PKCS7 *p7, int idx) 1092PKCS7_ISSUER_AND_SERIAL *
1151 { 1093PKCS7_get_issuer_and_serial(PKCS7 *p7, int idx)
1094{
1152 STACK_OF(PKCS7_RECIP_INFO) *rsk; 1095 STACK_OF(PKCS7_RECIP_INFO) *rsk;
1153 PKCS7_RECIP_INFO *ri; 1096 PKCS7_RECIP_INFO *ri;
1154 int i; 1097 int i;
1155 1098
1156 i=OBJ_obj2nid(p7->type); 1099 i = OBJ_obj2nid(p7->type);
1157 if (i != NID_pkcs7_signedAndEnveloped) 1100 if (i != NID_pkcs7_signedAndEnveloped)
1158 return NULL; 1101 return NULL;
1159 if (p7->d.signed_and_enveloped == NULL) 1102 if (p7->d.signed_and_enveloped == NULL)
1160 return NULL; 1103 return NULL;
1161 rsk=p7->d.signed_and_enveloped->recipientinfo; 1104 rsk = p7->d.signed_and_enveloped->recipientinfo;
1162 if (rsk == NULL) 1105 if (rsk == NULL)
1163 return NULL; 1106 return NULL;
1164 ri=sk_PKCS7_RECIP_INFO_value(rsk,0); 1107 ri = sk_PKCS7_RECIP_INFO_value(rsk, 0);
1165 if (sk_PKCS7_RECIP_INFO_num(rsk) <= idx) return(NULL); 1108 if (sk_PKCS7_RECIP_INFO_num(rsk) <= idx)
1166 ri=sk_PKCS7_RECIP_INFO_value(rsk,idx); 1109 return (NULL);
1167 return(ri->issuer_and_serial); 1110 ri = sk_PKCS7_RECIP_INFO_value(rsk, idx);
1168 } 1111 return (ri->issuer_and_serial);
1112}
1169 1113
1170ASN1_TYPE *PKCS7_get_signed_attribute(PKCS7_SIGNER_INFO *si, int nid) 1114ASN1_TYPE *
1171 { 1115PKCS7_get_signed_attribute(PKCS7_SIGNER_INFO *si, int nid)
1172 return(get_attribute(si->auth_attr,nid)); 1116{
1173 } 1117 return (get_attribute(si->auth_attr, nid));
1118}
1174 1119
1175ASN1_TYPE *PKCS7_get_attribute(PKCS7_SIGNER_INFO *si, int nid) 1120ASN1_TYPE *
1176 { 1121PKCS7_get_attribute(PKCS7_SIGNER_INFO *si, int nid)
1177 return(get_attribute(si->unauth_attr,nid)); 1122{
1178 } 1123 return (get_attribute(si->unauth_attr, nid));
1124}
1179 1125
1180static ASN1_TYPE *get_attribute(STACK_OF(X509_ATTRIBUTE) *sk, int nid) 1126static ASN1_TYPE *
1181 { 1127get_attribute(STACK_OF(X509_ATTRIBUTE) *sk, int nid)
1128{
1182 int i; 1129 int i;
1183 X509_ATTRIBUTE *xa; 1130 X509_ATTRIBUTE *xa;
1184 ASN1_OBJECT *o; 1131 ASN1_OBJECT *o;
1185 1132
1186 o=OBJ_nid2obj(nid); 1133 o = OBJ_nid2obj(nid);
1187 if (!o || !sk) return(NULL); 1134 if (!o || !sk)
1188 for (i=0; i<sk_X509_ATTRIBUTE_num(sk); i++) 1135 return (NULL);
1189 { 1136 for (i = 0; i < sk_X509_ATTRIBUTE_num(sk); i++) {
1190 xa=sk_X509_ATTRIBUTE_value(sk,i); 1137 xa = sk_X509_ATTRIBUTE_value(sk, i);
1191 if (OBJ_cmp(xa->object,o) == 0) 1138 if (OBJ_cmp(xa->object, o) == 0) {
1192 {
1193 if (!xa->single && sk_ASN1_TYPE_num(xa->value.set)) 1139 if (!xa->single && sk_ASN1_TYPE_num(xa->value.set))
1194 return(sk_ASN1_TYPE_value(xa->value.set,0)); 1140 return (sk_ASN1_TYPE_value(xa->value.set, 0));
1195 else 1141 else
1196 return(NULL); 1142 return (NULL);
1197 }
1198 } 1143 }
1199 return(NULL);
1200 } 1144 }
1145 return (NULL);
1146}
1201 1147
1202ASN1_OCTET_STRING *PKCS7_digest_from_attributes(STACK_OF(X509_ATTRIBUTE) *sk) 1148ASN1_OCTET_STRING *
1149PKCS7_digest_from_attributes(STACK_OF(X509_ATTRIBUTE) *sk)
1203{ 1150{
1204 ASN1_TYPE *astype; 1151 ASN1_TYPE *astype;
1205 if(!(astype = get_attribute(sk, NID_pkcs9_messageDigest))) return NULL; 1152
1153 if (!(astype = get_attribute(sk, NID_pkcs9_messageDigest)))
1154 return NULL;
1206 return astype->value.octet_string; 1155 return astype->value.octet_string;
1207} 1156}
1208 1157
1209int PKCS7_set_signed_attributes(PKCS7_SIGNER_INFO *p7si, 1158int
1210 STACK_OF(X509_ATTRIBUTE) *sk) 1159PKCS7_set_signed_attributes(PKCS7_SIGNER_INFO *p7si,
1211 { 1160 STACK_OF(X509_ATTRIBUTE) *sk)
1161{
1212 int i; 1162 int i;
1213 1163
1214 if (p7si->auth_attr != NULL) 1164 if (p7si->auth_attr != NULL)
1215 sk_X509_ATTRIBUTE_pop_free(p7si->auth_attr,X509_ATTRIBUTE_free); 1165 sk_X509_ATTRIBUTE_pop_free(p7si->auth_attr,
1216 p7si->auth_attr=sk_X509_ATTRIBUTE_dup(sk); 1166 X509_ATTRIBUTE_free);
1167 p7si->auth_attr = sk_X509_ATTRIBUTE_dup(sk);
1217 if (p7si->auth_attr == NULL) 1168 if (p7si->auth_attr == NULL)
1218 return 0; 1169 return 0;
1219 for (i=0; i<sk_X509_ATTRIBUTE_num(sk); i++) 1170 for (i = 0; i < sk_X509_ATTRIBUTE_num(sk); i++) {
1220 { 1171 if ((sk_X509_ATTRIBUTE_set(p7si->auth_attr, i,
1221 if ((sk_X509_ATTRIBUTE_set(p7si->auth_attr,i, 1172 X509_ATTRIBUTE_dup(sk_X509_ATTRIBUTE_value(sk, i))))
1222 X509_ATTRIBUTE_dup(sk_X509_ATTRIBUTE_value(sk,i))))
1223 == NULL) 1173 == NULL)
1224 return(0); 1174 return (0);
1225 }
1226 return(1);
1227 } 1175 }
1176 return (1);
1177}
1228 1178
1229int PKCS7_set_attributes(PKCS7_SIGNER_INFO *p7si, STACK_OF(X509_ATTRIBUTE) *sk) 1179int
1230 { 1180PKCS7_set_attributes(PKCS7_SIGNER_INFO *p7si, STACK_OF(X509_ATTRIBUTE) *sk)
1181{
1231 int i; 1182 int i;
1232 1183
1233 if (p7si->unauth_attr != NULL) 1184 if (p7si->unauth_attr != NULL)
1234 sk_X509_ATTRIBUTE_pop_free(p7si->unauth_attr, 1185 sk_X509_ATTRIBUTE_pop_free(p7si->unauth_attr,
1235 X509_ATTRIBUTE_free); 1186 X509_ATTRIBUTE_free);
1236 p7si->unauth_attr=sk_X509_ATTRIBUTE_dup(sk); 1187 p7si->unauth_attr = sk_X509_ATTRIBUTE_dup(sk);
1237 if (p7si->unauth_attr == NULL) 1188 if (p7si->unauth_attr == NULL)
1238 return 0; 1189 return 0;
1239 for (i=0; i<sk_X509_ATTRIBUTE_num(sk); i++) 1190 for (i = 0; i < sk_X509_ATTRIBUTE_num(sk); i++) {
1240 { 1191 if ((sk_X509_ATTRIBUTE_set(p7si->unauth_attr, i,
1241 if ((sk_X509_ATTRIBUTE_set(p7si->unauth_attr,i, 1192 X509_ATTRIBUTE_dup(sk_X509_ATTRIBUTE_value(sk, i))))
1242 X509_ATTRIBUTE_dup(sk_X509_ATTRIBUTE_value(sk,i))))
1243 == NULL) 1193 == NULL)
1244 return(0); 1194 return (0);
1245 }
1246 return(1);
1247 } 1195 }
1196 return (1);
1197}
1248 1198
1249int PKCS7_add_signed_attribute(PKCS7_SIGNER_INFO *p7si, int nid, int atrtype, 1199int
1250 void *value) 1200PKCS7_add_signed_attribute(PKCS7_SIGNER_INFO *p7si, int nid, int atrtype,
1251 { 1201 void *value)
1252 return(add_attribute(&(p7si->auth_attr),nid,atrtype,value)); 1202{
1253 } 1203 return (add_attribute(&(p7si->auth_attr), nid, atrtype, value));
1204}
1254 1205
1255int PKCS7_add_attribute(PKCS7_SIGNER_INFO *p7si, int nid, int atrtype, 1206int
1256 void *value) 1207PKCS7_add_attribute(PKCS7_SIGNER_INFO *p7si, int nid, int atrtype, void *value)
1257 { 1208{
1258 return(add_attribute(&(p7si->unauth_attr),nid,atrtype,value)); 1209 return (add_attribute(&(p7si->unauth_attr), nid, atrtype, value));
1259 } 1210}
1260 1211
1261static int add_attribute(STACK_OF(X509_ATTRIBUTE) **sk, int nid, int atrtype, 1212static int
1262 void *value) 1213add_attribute(STACK_OF(X509_ATTRIBUTE) **sk, int nid, int atrtype, void *value)
1263 { 1214{
1264 X509_ATTRIBUTE *attr=NULL; 1215 X509_ATTRIBUTE *attr = NULL;
1265 1216
1266 if (*sk == NULL) 1217 if (*sk == NULL) {
1267 {
1268 *sk = sk_X509_ATTRIBUTE_new_null(); 1218 *sk = sk_X509_ATTRIBUTE_new_null();
1269 if (*sk == NULL) 1219 if (*sk == NULL)
1270 return 0; 1220 return 0;
1271new_attrib: 1221new_attrib:
1272 if (!(attr=X509_ATTRIBUTE_create(nid,atrtype,value))) 1222 if (!(attr = X509_ATTRIBUTE_create(nid, atrtype, value)))
1273 return 0; 1223 return 0;
1274 if (!sk_X509_ATTRIBUTE_push(*sk,attr)) 1224 if (!sk_X509_ATTRIBUTE_push(*sk, attr)) {
1275 {
1276 X509_ATTRIBUTE_free(attr); 1225 X509_ATTRIBUTE_free(attr);
1277 return 0; 1226 return 0;
1278 }
1279 } 1227 }
1280 else 1228 } else {
1281 {
1282 int i; 1229 int i;
1283 1230
1284 for (i=0; i<sk_X509_ATTRIBUTE_num(*sk); i++) 1231 for (i = 0; i < sk_X509_ATTRIBUTE_num(*sk); i++) {
1285 { 1232 attr = sk_X509_ATTRIBUTE_value(*sk, i);
1286 attr=sk_X509_ATTRIBUTE_value(*sk,i); 1233 if (OBJ_obj2nid(attr->object) == nid) {
1287 if (OBJ_obj2nid(attr->object) == nid)
1288 {
1289 X509_ATTRIBUTE_free(attr); 1234 X509_ATTRIBUTE_free(attr);
1290 attr=X509_ATTRIBUTE_create(nid,atrtype,value); 1235 attr = X509_ATTRIBUTE_create(nid, atrtype,
1236 value);
1291 if (attr == NULL) 1237 if (attr == NULL)
1292 return 0; 1238 return 0;
1293 if (!sk_X509_ATTRIBUTE_set(*sk,i,attr)) 1239 if (!sk_X509_ATTRIBUTE_set(*sk, i, attr)) {
1294 {
1295 X509_ATTRIBUTE_free(attr); 1240 X509_ATTRIBUTE_free(attr);
1296 return 0; 1241 return 0;
1297 }
1298 goto end;
1299 } 1242 }
1243 goto end;
1300 } 1244 }
1301 goto new_attrib;
1302 } 1245 }
1303end: 1246 goto new_attrib;
1304 return(1);
1305 } 1247 }
1306 1248end:
1249 return (1);
1250}
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-08-16 05:16:55 +0000