summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/x509
diff options
context:
space:
mode:
authordjm <>2012-10-13 21:23:50 +0000
committerdjm <>2012-10-13 21:23:50 +0000
commit228cae30b117c2493f69ad3c195341cd6ec8d430 (patch)
tree29ff00b10d52c0978077c4fd83c33b065bade73e /src/lib/libcrypto/x509
parent731838c66b52c0ae5888333005b74115a620aa96 (diff)
downloadopenbsd-228cae30b117c2493f69ad3c195341cd6ec8d430.tar.gz
openbsd-228cae30b117c2493f69ad3c195341cd6ec8d430.tar.bz2
openbsd-228cae30b117c2493f69ad3c195341cd6ec8d430.zip
import OpenSSL-1.0.1c
Diffstat (limited to 'src/lib/libcrypto/x509')
-rw-r--r--src/lib/libcrypto/x509/x509.h11
-rw-r--r--src/lib/libcrypto/x509/x509_cmp.c27
-rw-r--r--src/lib/libcrypto/x509/x509_lu.c2
-rw-r--r--src/lib/libcrypto/x509/x509_vfy.c5
-rw-r--r--src/lib/libcrypto/x509/x509type.c32
-rw-r--r--src/lib/libcrypto/x509/x_all.c19
6 files changed, 70 insertions, 26 deletions
diff --git a/src/lib/libcrypto/x509/x509.h b/src/lib/libcrypto/x509/x509.h
index e6f8a40395..092dd7450d 100644
--- a/src/lib/libcrypto/x509/x509.h
+++ b/src/lib/libcrypto/x509/x509.h
@@ -657,11 +657,15 @@ int NETSCAPE_SPKI_set_pubkey(NETSCAPE_SPKI *x, EVP_PKEY *pkey);
657 657
658int NETSCAPE_SPKI_print(BIO *out, NETSCAPE_SPKI *spki); 658int NETSCAPE_SPKI_print(BIO *out, NETSCAPE_SPKI *spki);
659 659
660int X509_signature_dump(BIO *bp,const ASN1_STRING *sig, int indent);
660int X509_signature_print(BIO *bp,X509_ALGOR *alg, ASN1_STRING *sig); 661int X509_signature_print(BIO *bp,X509_ALGOR *alg, ASN1_STRING *sig);
661 662
662int X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md); 663int X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md);
664int X509_sign_ctx(X509 *x, EVP_MD_CTX *ctx);
663int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md); 665int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md);
666int X509_REQ_sign_ctx(X509_REQ *x, EVP_MD_CTX *ctx);
664int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md); 667int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md);
668int X509_CRL_sign_ctx(X509_CRL *x, EVP_MD_CTX *ctx);
665int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *x, EVP_PKEY *pkey, const EVP_MD *md); 669int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *x, EVP_PKEY *pkey, const EVP_MD *md);
666 670
667int X509_pubkey_digest(const X509 *data,const EVP_MD *type, 671int X509_pubkey_digest(const X509 *data,const EVP_MD *type,
@@ -763,6 +767,7 @@ X509_ALGOR *X509_ALGOR_dup(X509_ALGOR *xn);
763int X509_ALGOR_set0(X509_ALGOR *alg, ASN1_OBJECT *aobj, int ptype, void *pval); 767int X509_ALGOR_set0(X509_ALGOR *alg, ASN1_OBJECT *aobj, int ptype, void *pval);
764void X509_ALGOR_get0(ASN1_OBJECT **paobj, int *pptype, void **ppval, 768void X509_ALGOR_get0(ASN1_OBJECT **paobj, int *pptype, void **ppval,
765 X509_ALGOR *algor); 769 X509_ALGOR *algor);
770void X509_ALGOR_set_md(X509_ALGOR *alg, const EVP_MD *md);
766 771
767X509_NAME *X509_NAME_dup(X509_NAME *xn); 772X509_NAME *X509_NAME_dup(X509_NAME *xn);
768X509_NAME_ENTRY *X509_NAME_ENTRY_dup(X509_NAME_ENTRY *ne); 773X509_NAME_ENTRY *X509_NAME_ENTRY_dup(X509_NAME_ENTRY *ne);
@@ -896,6 +901,9 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *algor1,
896int ASN1_item_sign(const ASN1_ITEM *it, X509_ALGOR *algor1, X509_ALGOR *algor2, 901int ASN1_item_sign(const ASN1_ITEM *it, X509_ALGOR *algor1, X509_ALGOR *algor2,
897 ASN1_BIT_STRING *signature, 902 ASN1_BIT_STRING *signature,
898 void *data, EVP_PKEY *pkey, const EVP_MD *type); 903 void *data, EVP_PKEY *pkey, const EVP_MD *type);
904int ASN1_item_sign_ctx(const ASN1_ITEM *it,
905 X509_ALGOR *algor1, X509_ALGOR *algor2,
906 ASN1_BIT_STRING *signature, void *asn, EVP_MD_CTX *ctx);
899#endif 907#endif
900 908
901int X509_set_version(X509 *x,long version); 909int X509_set_version(X509 *x,long version);
@@ -1161,6 +1169,9 @@ X509_ALGOR *PKCS5_pbe2_set_iv(const EVP_CIPHER *cipher, int iter,
1161 unsigned char *salt, int saltlen, 1169 unsigned char *salt, int saltlen,
1162 unsigned char *aiv, int prf_nid); 1170 unsigned char *aiv, int prf_nid);
1163 1171
1172X509_ALGOR *PKCS5_pbkdf2_set(int iter, unsigned char *salt, int saltlen,
1173 int prf_nid, int keylen);
1174
1164/* PKCS#8 utilities */ 1175/* PKCS#8 utilities */
1165 1176
1166DECLARE_ASN1_FUNCTIONS(PKCS8_PRIV_KEY_INFO) 1177DECLARE_ASN1_FUNCTIONS(PKCS8_PRIV_KEY_INFO)
diff --git a/src/lib/libcrypto/x509/x509_cmp.c b/src/lib/libcrypto/x509/x509_cmp.c
index 4bc9da07e0..7c2aaee2e9 100644
--- a/src/lib/libcrypto/x509/x509_cmp.c
+++ b/src/lib/libcrypto/x509/x509_cmp.c
@@ -87,15 +87,20 @@ unsigned long X509_issuer_and_serial_hash(X509 *a)
87 EVP_MD_CTX_init(&ctx); 87 EVP_MD_CTX_init(&ctx);
88 f=X509_NAME_oneline(a->cert_info->issuer,NULL,0); 88 f=X509_NAME_oneline(a->cert_info->issuer,NULL,0);
89 ret=strlen(f); 89 ret=strlen(f);
90 EVP_DigestInit_ex(&ctx, EVP_md5(), NULL); 90 if (!EVP_DigestInit_ex(&ctx, EVP_md5(), NULL))
91 EVP_DigestUpdate(&ctx,(unsigned char *)f,ret); 91 goto err;
92 if (!EVP_DigestUpdate(&ctx,(unsigned char *)f,ret))
93 goto err;
92 OPENSSL_free(f); 94 OPENSSL_free(f);
93 EVP_DigestUpdate(&ctx,(unsigned char *)a->cert_info->serialNumber->data, 95 if(!EVP_DigestUpdate(&ctx,(unsigned char *)a->cert_info->serialNumber->data,
94 (unsigned long)a->cert_info->serialNumber->length); 96 (unsigned long)a->cert_info->serialNumber->length))
95 EVP_DigestFinal_ex(&ctx,&(md[0]),NULL); 97 goto err;
98 if (!EVP_DigestFinal_ex(&ctx,&(md[0]),NULL))
99 goto err;
96 ret=( ((unsigned long)md[0] )|((unsigned long)md[1]<<8L)| 100 ret=( ((unsigned long)md[0] )|((unsigned long)md[1]<<8L)|
97 ((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L) 101 ((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L)
98 )&0xffffffffL; 102 )&0xffffffffL;
103 err:
99 EVP_MD_CTX_cleanup(&ctx); 104 EVP_MD_CTX_cleanup(&ctx);
100 return(ret); 105 return(ret);
101 } 106 }
@@ -219,7 +224,9 @@ unsigned long X509_NAME_hash(X509_NAME *x)
219 224
220 /* Make sure X509_NAME structure contains valid cached encoding */ 225 /* Make sure X509_NAME structure contains valid cached encoding */
221 i2d_X509_NAME(x,NULL); 226 i2d_X509_NAME(x,NULL);
222 EVP_Digest(x->canon_enc, x->canon_enclen, md, NULL, EVP_sha1(), NULL); 227 if (!EVP_Digest(x->canon_enc, x->canon_enclen, md, NULL, EVP_sha1(),
228 NULL))
229 return 0;
223 230
224 ret=( ((unsigned long)md[0] )|((unsigned long)md[1]<<8L)| 231 ret=( ((unsigned long)md[0] )|((unsigned long)md[1]<<8L)|
225 ((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L) 232 ((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L)
@@ -234,12 +241,18 @@ unsigned long X509_NAME_hash(X509_NAME *x)
234 241
235unsigned long X509_NAME_hash_old(X509_NAME *x) 242unsigned long X509_NAME_hash_old(X509_NAME *x)
236 { 243 {
244 EVP_MD_CTX md_ctx;
237 unsigned long ret=0; 245 unsigned long ret=0;
238 unsigned char md[16]; 246 unsigned char md[16];
239 247
240 /* Make sure X509_NAME structure contains valid cached encoding */ 248 /* Make sure X509_NAME structure contains valid cached encoding */
241 i2d_X509_NAME(x,NULL); 249 i2d_X509_NAME(x,NULL);
242 EVP_Digest(x->bytes->data, x->bytes->length, md, NULL, EVP_md5(), NULL); 250 EVP_MD_CTX_init(&md_ctx);
251 EVP_MD_CTX_set_flags(&md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
252 EVP_DigestInit_ex(&md_ctx, EVP_md5(), NULL);
253 EVP_DigestUpdate(&md_ctx, x->bytes->data, x->bytes->length);
254 EVP_DigestFinal_ex(&md_ctx,md,NULL);
255 EVP_MD_CTX_cleanup(&md_ctx);
243 256
244 ret=( ((unsigned long)md[0] )|((unsigned long)md[1]<<8L)| 257 ret=( ((unsigned long)md[0] )|((unsigned long)md[1]<<8L)|
245 ((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L) 258 ((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L)
diff --git a/src/lib/libcrypto/x509/x509_lu.c b/src/lib/libcrypto/x509/x509_lu.c
index 3a6e04a1de..38525a8cdd 100644
--- a/src/lib/libcrypto/x509/x509_lu.c
+++ b/src/lib/libcrypto/x509/x509_lu.c
@@ -87,7 +87,7 @@ void X509_LOOKUP_free(X509_LOOKUP *ctx)
87 if (ctx == NULL) return; 87 if (ctx == NULL) return;
88 if ( (ctx->method != NULL) && 88 if ( (ctx->method != NULL) &&
89 (ctx->method->free != NULL)) 89 (ctx->method->free != NULL))
90 ctx->method->free(ctx); 90 (*ctx->method->free)(ctx);
91 OPENSSL_free(ctx); 91 OPENSSL_free(ctx);
92 } 92 }
93 93
diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c
index 701ec565e9..b0779db023 100644
--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -153,7 +153,6 @@ static int x509_subject_cmp(X509 **a, X509 **b)
153int X509_verify_cert(X509_STORE_CTX *ctx) 153int X509_verify_cert(X509_STORE_CTX *ctx)
154 { 154 {
155 X509 *x,*xtmp,*chain_ss=NULL; 155 X509 *x,*xtmp,*chain_ss=NULL;
156 X509_NAME *xn;
157 int bad_chain = 0; 156 int bad_chain = 0;
158 X509_VERIFY_PARAM *param = ctx->param; 157 X509_VERIFY_PARAM *param = ctx->param;
159 int depth,i,ok=0; 158 int depth,i,ok=0;
@@ -205,7 +204,6 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
205 */ 204 */
206 205
207 /* If we are self signed, we break */ 206 /* If we are self signed, we break */
208 xn=X509_get_issuer_name(x);
209 if (ctx->check_issued(ctx, x,x)) break; 207 if (ctx->check_issued(ctx, x,x)) break;
210 208
211 /* If we were passed a cert chain, use it first */ 209 /* If we were passed a cert chain, use it first */
@@ -242,7 +240,6 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
242 240
243 i=sk_X509_num(ctx->chain); 241 i=sk_X509_num(ctx->chain);
244 x=sk_X509_value(ctx->chain,i-1); 242 x=sk_X509_value(ctx->chain,i-1);
245 xn = X509_get_subject_name(x);
246 if (ctx->check_issued(ctx, x, x)) 243 if (ctx->check_issued(ctx, x, x))
247 { 244 {
248 /* we have a self signed certificate */ 245 /* we have a self signed certificate */
@@ -291,7 +288,6 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
291 if (depth < num) break; 288 if (depth < num) break;
292 289
293 /* If we are self signed, we break */ 290 /* If we are self signed, we break */
294 xn=X509_get_issuer_name(x);
295 if (ctx->check_issued(ctx,x,x)) break; 291 if (ctx->check_issued(ctx,x,x)) break;
296 292
297 ok = ctx->get_issuer(&xtmp, ctx, x); 293 ok = ctx->get_issuer(&xtmp, ctx, x);
@@ -310,7 +306,6 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
310 } 306 }
311 307
312 /* we now have our chain, lets check it... */ 308 /* we now have our chain, lets check it... */
313 xn=X509_get_issuer_name(x);
314 309
315 /* Is last certificate looked up self signed? */ 310 /* Is last certificate looked up self signed? */
316 if (!ctx->check_issued(ctx,x,x)) 311 if (!ctx->check_issued(ctx,x,x))
diff --git a/src/lib/libcrypto/x509/x509type.c b/src/lib/libcrypto/x509/x509type.c
index 3385ad3f67..9702ec5310 100644
--- a/src/lib/libcrypto/x509/x509type.c
+++ b/src/lib/libcrypto/x509/x509type.c
@@ -100,20 +100,26 @@ int X509_certificate_type(X509 *x, EVP_PKEY *pkey)
100 break; 100 break;
101 } 101 }
102 102
103 i=X509_get_signature_type(x); 103 i=OBJ_obj2nid(x->sig_alg->algorithm);
104 switch (i) 104 if (i && OBJ_find_sigid_algs(i, NULL, &i))
105 { 105 {
106 case EVP_PKEY_RSA: 106
107 ret|=EVP_PKS_RSA; 107 switch (i)
108 break; 108 {
109 case EVP_PKEY_DSA: 109 case NID_rsaEncryption:
110 ret|=EVP_PKS_DSA; 110 case NID_rsa:
111 break; 111 ret|=EVP_PKS_RSA;
112 case EVP_PKEY_EC: 112 break;
113 ret|=EVP_PKS_EC; 113 case NID_dsa:
114 break; 114 case NID_dsa_2:
115 default: 115 ret|=EVP_PKS_DSA;
116 break; 116 break;
117 case NID_X9_62_id_ecPublicKey:
118 ret|=EVP_PKS_EC;
119 break;
120 default:
121 break;
122 }
117 } 123 }
118 124
119 if (EVP_PKEY_size(pk) <= 1024/8)/* /8 because it's 1024 bits we look 125 if (EVP_PKEY_size(pk) <= 1024/8)/* /8 because it's 1024 bits we look
diff --git a/src/lib/libcrypto/x509/x_all.c b/src/lib/libcrypto/x509/x_all.c
index 8ec88c215a..b94aeeb873 100644
--- a/src/lib/libcrypto/x509/x_all.c
+++ b/src/lib/libcrypto/x509/x_all.c
@@ -95,12 +95,25 @@ int X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md)
95 x->sig_alg, x->signature, x->cert_info,pkey,md)); 95 x->sig_alg, x->signature, x->cert_info,pkey,md));
96 } 96 }
97 97
98int X509_sign_ctx(X509 *x, EVP_MD_CTX *ctx)
99 {
100 return ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_CINF),
101 x->cert_info->signature,
102 x->sig_alg, x->signature, x->cert_info, ctx);
103 }
104
98int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md) 105int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md)
99 { 106 {
100 return(ASN1_item_sign(ASN1_ITEM_rptr(X509_REQ_INFO),x->sig_alg, NULL, 107 return(ASN1_item_sign(ASN1_ITEM_rptr(X509_REQ_INFO),x->sig_alg, NULL,
101 x->signature, x->req_info,pkey,md)); 108 x->signature, x->req_info,pkey,md));
102 } 109 }
103 110
111int X509_REQ_sign_ctx(X509_REQ *x, EVP_MD_CTX *ctx)
112 {
113 return ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_REQ_INFO),
114 x->sig_alg, NULL, x->signature, x->req_info, ctx);
115 }
116
104int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md) 117int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md)
105 { 118 {
106 x->crl->enc.modified = 1; 119 x->crl->enc.modified = 1;
@@ -108,6 +121,12 @@ int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md)
108 x->sig_alg, x->signature, x->crl,pkey,md)); 121 x->sig_alg, x->signature, x->crl,pkey,md));
109 } 122 }
110 123
124int X509_CRL_sign_ctx(X509_CRL *x, EVP_MD_CTX *ctx)
125 {
126 return ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_CRL_INFO),
127 x->crl->sig_alg, x->sig_alg, x->signature, x->crl, ctx);
128 }
129
111int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *x, EVP_PKEY *pkey, const EVP_MD *md) 130int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *x, EVP_PKEY *pkey, const EVP_MD *md)
112 { 131 {
113 return(ASN1_item_sign(ASN1_ITEM_rptr(NETSCAPE_SPKAC), x->sig_algor,NULL, 132 return(ASN1_item_sign(ASN1_ITEM_rptr(NETSCAPE_SPKAC), x->sig_algor,NULL,