author | djm <> | 2012-10-13 21:23:50 +0000 |
---|---|---|
committer | djm <> | 2012-10-13 21:23:50 +0000 |
commit | 228cae30b117c2493f69ad3c195341cd6ec8d430 (patch) | |
tree | 29ff00b10d52c0978077c4fd83c33b065bade73e /src/lib/libcrypto/x509 | |
parent | 731838c66b52c0ae5888333005b74115a620aa96 (diff) | |
download | openbsd-228cae30b117c2493f69ad3c195341cd6ec8d430.tar.gz openbsd-228cae30b117c2493f69ad3c195341cd6ec8d430.tar.bz2 openbsd-228cae30b117c2493f69ad3c195341cd6ec8d430.zip |
import OpenSSL-1.0.1c
Diffstat (limited to 'src/lib/libcrypto/x509')
-rw-r--r-- | src/lib/libcrypto/x509/x509.h | 11 | ||||
-rw-r--r-- | src/lib/libcrypto/x509/x509_cmp.c | 27 | ||||
-rw-r--r-- | src/lib/libcrypto/x509/x509_lu.c | 2 | ||||
-rw-r--r-- | src/lib/libcrypto/x509/x509_vfy.c | 5 | ||||
-rw-r--r-- | src/lib/libcrypto/x509/x509type.c | 32 | ||||
-rw-r--r-- | src/lib/libcrypto/x509/x_all.c | 19 |
6 files changed, 70 insertions, 26 deletions
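diff --git a/src/lib/libcrypto/x509/x509.h b/src/lib/libcrypto/x509/x509.h
index e6f8a40395..092dd7450d 100644
--- a/src/lib/libcrypto/x509/x509.h
+++ b/src/lib/libcrypto/x509/x509.h
@@ -657,11 +657,15 @@ int NETSCAPE_SPKI_set_pubkey(NETSCAPE_SPKI *x, EVP_PKEY *pkey);
 
 int NETSCAPE_SPKI_print(BIO *out, NETSCAPE_SPKI *spki);
 
+int X509_signature_dump(BIO *bp,const ASN1_STRING *sig, int indent);
 int X509_signature_print(BIO *bp,X509_ALGOR *alg, ASN1_STRING *sig);
 
 int X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md);
+int X509_sign_ctx(X509 *x, EVP_MD_CTX *ctx);
 int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md);
+int X509_REQ_sign_ctx(X509_REQ *x, EVP_MD_CTX *ctx);
 int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md);
+int X509_CRL_sign_ctx(X509_CRL *x, EVP_MD_CTX *ctx);
 int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *x, EVP_PKEY *pkey, const EVP_MD *md);
 
 int X509_pubkey_digest(const X509 *data,const EVP_MD *type,
@@ -763,6 +767,7 @@ X509_ALGOR *X509_ALGOR_dup(X509_ALGOR *xn);
 int X509_ALGOR_set0(X509_ALGOR *alg, ASN1_OBJECT *aobj, int ptype, void *pval);
 void X509_ALGOR_get0(ASN1_OBJECT **paobj, int *pptype, void **ppval,
 X509_ALGOR *algor);
+void X509_ALGOR_set_md(X509_ALGOR *alg, const EVP_MD *md);
 
 X509_NAME *X509_NAME_dup(X509_NAME *xn);
 X509_NAME_ENTRY *X509_NAME_ENTRY_dup(X509_NAME_ENTRY *ne);
@@ -896,6 +901,9 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *algor1,
 int ASN1_item_sign(const ASN1_ITEM *it, X509_ALGOR *algor1, X509_ALGOR *algor2,
 ASN1_BIT_STRING *signature,
 void *data, EVP_PKEY *pkey, const EVP_MD *type);
+int ASN1_item_sign_ctx(const ASN1_ITEM *it,
+X509_ALGOR *algor1, X509_ALGOR *algor2,
+ASN1_BIT_STRING *signature, void *asn, EVP_MD_CTX *ctx);
 #endif
 
 int X509_set_version(X509 *x,long version);
@@ -1161,6 +1169,9 @@ X509_ALGOR *PKCS5_pbe2_set_iv(const EVP_CIPHER *cipher, int iter,
 unsigned char *salt, int saltlen,
 unsigned char *aiv, int prf_nid);
 
+X509_ALGOR *PKCS5_pbkdf2_set(int iter, unsigned char *salt, int saltlen,
+int prf_nid, int keylen);
+
 /* PKCS#8 utilities */
 
 DECLARE_ASN1_FUNCTIONS(PKCS8_PRIV_KEY_INFO)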
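Review bot: The new `X509_sign_ctx`, `X509_REQ_sign_ctx`, `X509_CRL_sign_ctx` and `ASN1_item_sign_ctx` prototypes (new lines 664, 666, 668 and 904–906) say nothing about what state the `EVP_MD_CTX` argument must be in or who owns it, unlike the `EVP_PKEY`/`EVP_MD` variants whose arguments are self-describing. A one-line comment above `X509_sign_ctx` would help, e.g. `/* *_sign_ctx variants sign with an EVP_MD_CTX the caller has already set up for signing (presumably via EVP_DigestSignInit); the ctx is not freed */`, with the EVP_DigestSignInit part confirmed against ASN1_item_sign_ctx. Separately, the new `X509_signature_dump` at new line 660 takes `const ASN1_STRING *sig` while the adjacent `X509_signature_print` still takes a non-const `ASN1_STRING *sig`; aligning the two would avoid casts at call sites.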
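diff --git a/src/lib/libcrypto/x509/x509_cmp.c b/src/lib/libcrypto/x509/x509_cmp.c
index 4bc9da07e0..7c2aaee2e9 100644
--- a/src/lib/libcrypto/x509/x509_cmp.c
+++ b/src/lib/libcrypto/x509/x509_cmp.c
@@ -87,15 +87,20 @@ unsigned long X509_issuer_and_serial_hash(X509 *a)
 EVP_MD_CTX_init(&ctx);
 f=X509_NAME_oneline(a->cert_info->issuer,NULL,0);
 ret=strlen(f);
-EVP_DigestInit_ex(&ctx, EVP_md5(), NULL);
-EVP_DigestUpdate(&ctx,(unsigned char *)f,ret);
+if (!EVP_DigestInit_ex(&ctx, EVP_md5(), NULL))
+goto err;
+if (!EVP_DigestUpdate(&ctx,(unsigned char *)f,ret))
+goto err;
 OPENSSL_free(f);
-EVP_DigestUpdate(&ctx,(unsigned char *)a->cert_info->serialNumber->data,
-(unsigned long)a->cert_info->serialNumber->length);
-EVP_DigestFinal_ex(&ctx,&(md[0]),NULL);
+if(!EVP_DigestUpdate(&ctx,(unsigned char *)a->cert_info->serialNumber->data,
+(unsigned long)a->cert_info->serialNumber->length))
+goto err;
+if (!EVP_DigestFinal_ex(&ctx,&(md[0]),NULL))
+goto err;
 ret=( ((unsigned long)md[0] )|((unsigned long)md[1]<<8L)|
 ((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L)
 )&0xffffffffL;
+err:
 EVP_MD_CTX_cleanup(&ctx);
 return(ret);
 }
@@ -219,7 +224,9 @@ unsigned long X509_NAME_hash(X509_NAME *x)
 
 /* Make sure X509_NAME structure contains valid cached encoding */
 i2d_X509_NAME(x,NULL);
-EVP_Digest(x->canon_enc, x->canon_enclen, md, NULL, EVP_sha1(), NULL);
+if (!EVP_Digest(x->canon_enc, x->canon_enclen, md, NULL, EVP_sha1(),
+NULL))
+return 0;
 
 ret=( ((unsigned long)md[0] )|((unsigned long)md[1]<<8L)|
 ((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L)
@@ -234,12 +241,18 @@ unsigned long X509_NAME_hash(X509_NAME *x)
 
 unsigned long X509_NAME_hash_old(X509_NAME *x)
 {
+EVP_MD_CTX md_ctx;
 unsigned long ret=0;
 unsigned char md[16];
 
 /* Make sure X509_NAME structure contains valid cached encoding */
 i2d_X509_NAME(x,NULL);
-EVP_Digest(x->bytes->data, x->bytes->length, md, NULL, EVP_md5(), NULL);
+EVP_MD_CTX_init(&md_ctx);
+EVP_MD_CTX_set_flags(&md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+EVP_DigestInit_ex(&md_ctx, EVP_md5(), NULL);
+EVP_DigestUpdate(&md_ctx, x->bytes->data, x->bytes->length);
+EVP_DigestFinal_ex(&md_ctx,md,NULL);
+EVP_MD_CTX_cleanup(&md_ctx);
 
 ret=( ((unsigned long)md[0] )|((unsigned long)md[1]<<8L)|
 ((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L)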
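Review bot: In `X509_issuer_and_serial_hash` the two new `goto err` paths at new lines 90–93 jump past `OPENSSL_free(f)` at line 94 and so leak the string returned by `X509_NAME_oneline`, and every `goto err` returns whatever `ret` held at that point — the `strlen(f)` assigned at line 89 — as though it were a hash, whereas `X509_NAME_hash` in the next hunk returns 0 on failure. Free `f` before leaving the first two checks and return 0 from the error label, as sketched below; the function's declarations and the `err` label's caller-visible contract start above this hunk. `X509_NAME_hash_old` in the last hunk (new lines 252–254) still ignores the return values of `EVP_DigestInit_ex`, `EVP_DigestUpdate` and `EVP_DigestFinal_ex`, so on failure `md` is read uninitialized at line 257; the same checks belong there. Pre-existing and not touched by this change: `f` reaches `strlen` at line 89 without a NULL check although `X509_NAME_oneline` can return NULL on allocation failure.
```c
	ret=strlen(f);
	if (!EVP_DigestInit_ex(&ctx, EVP_md5(), NULL) ||
	    !EVP_DigestUpdate(&ctx,(unsigned char *)f,ret))
		{
		OPENSSL_free(f);
		goto err;
		}
	OPENSSL_free(f);
	/* ... unchanged: serialNumber EVP_DigestUpdate and EVP_DigestFinal_ex, each goto err on failure ... */
	ret=( ((unsigned long)md[0] )|((unsigned long)md[1]<<8L)|
	     ((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L)
	     )&0xffffffffL;
	EVP_MD_CTX_cleanup(&ctx);
	return(ret);
err:
	EVP_MD_CTX_cleanup(&ctx);
	return 0;
```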
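diff --git a/src/lib/libcrypto/x509/x509_lu.c b/src/lib/libcrypto/x509/x509_lu.c
index 3a6e04a1de..38525a8cdd 100644
--- a/src/lib/libcrypto/x509/x509_lu.c
+++ b/src/lib/libcrypto/x509/x509_lu.c
@@ -87,7 +87,7 @@ void X509_LOOKUP_free(X509_LOOKUP *ctx)
 if (ctx == NULL) return;
 if ( (ctx->method != NULL) &&
 (ctx->method->free != NULL))
-ctx->method->free(ctx);
+(*ctx->method->free)(ctx);
 OPENSSL_free(ctx);
 }
 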
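diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c
index 701ec565e9..b0779db023 100644
--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -153,7 +153,6 @@ static int x509_subject_cmp(X509 **a, X509 **b)
 int X509_verify_cert(X509_STORE_CTX *ctx)
 {
 X509 *x,*xtmp,*chain_ss=NULL;
-X509_NAME *xn;
 int bad_chain = 0;
 X509_VERIFY_PARAM *param = ctx->param;
 int depth,i,ok=0;
@@ -205,7 +204,6 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
 */
 
 /* If we are self signed, we break */
-xn=X509_get_issuer_name(x);
 if (ctx->check_issued(ctx, x,x)) break;
 
 /* If we were passed a cert chain, use it first */
@@ -242,7 +240,6 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
 
 i=sk_X509_num(ctx->chain);
 x=sk_X509_value(ctx->chain,i-1);
-xn = X509_get_subject_name(x);
 if (ctx->check_issued(ctx, x, x))
 {
 /* we have a self signed certificate */
@@ -291,7 +288,6 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
 if (depth < num) break;
 
 /* If we are self signed, we break */
-xn=X509_get_issuer_name(x);
 if (ctx->check_issued(ctx,x,x)) break;
 
 ok = ctx->get_issuer(&xtmp, ctx, x);
@@ -310,7 +306,6 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
 }
 
 /* we now have our chain, lets check it... */
-xn=X509_get_issuer_name(x);
 
 /* Is last certificate looked up self signed? */
 if (!ctx->check_issued(ctx,x,x))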
diff --git a/src/lib/libcrypto/x509/x509type.c b/src/lib/libcrypto/x509/x509type.c index 3385ad3f67..9702ec5310 100644 --- a/src/lib/libcrypto/x509/x509type.c +++ b/src/lib/libcrypto/x509/x509type.c | |||
@@ -100,20 +100,26 @@ int X509_certificate_type(X509 *x, EVP_PKEY *pkey) | |||
100 | break; | 100 | break; |
101 | } | 101 | } |
102 | 102 | ||
103 | i=X509_get_signature_type(x); | 103 | i=OBJ_obj2nid(x->sig_alg->algorithm); |
104 | switch (i) | 104 | if (i && OBJ_find_sigid_algs(i, NULL, &i)) |
105 | { | 105 | { |
106 | case EVP_PKEY_RSA: | 106 | |
107 | ret|=EVP_PKS_RSA; | 107 | switch (i) |
108 | break; | 108 | { |
109 | case EVP_PKEY_DSA: | 109 | case NID_rsaEncryption: |
110 | ret|=EVP_PKS_DSA; | 110 | case NID_rsa: |
111 | break; | 111 | ret|=EVP_PKS_RSA; |
112 | case EVP_PKEY_EC: | 112 | break; |
113 | ret|=EVP_PKS_EC; | 113 | case NID_dsa: |
114 | break; | 114 | case NID_dsa_2: |
115 | default: | 115 | ret|=EVP_PKS_DSA; |
116 | break; | 116 | break; |
117 | case NID_X9_62_id_ecPublicKey: | ||
118 | ret|=EVP_PKS_EC; | ||
119 | break; | ||
120 | default: | ||
121 | break; | ||
122 | } | ||
117 | } | 123 | } |
118 | 124 | ||
119 | if (EVP_PKEY_size(pk) <= 1024/8)/* /8 because it's 1024 bits we look | 125 | if (EVP_PKEY_size(pk) <= 1024/8)/* /8 because it's 1024 bits we look |
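Review bot: The new lookup at new lines 103–104 reuses `i` as both the signature-algorithm NID and, via `OBJ_find_sigid_algs(i, NULL, &i)`, the public-key-algorithm NID that the `switch (i)` at line 107 dispatches on, so a reader has to notice the in-place overwrite to see that the cases (`NID_rsaEncryption`, `NID_dsa`, `NID_X9_62_id_ecPublicKey`) are key NIDs rather than signature NIDs. A separate variable makes that explicit: declare `int pknid;` with the other locals at the top of `X509_certificate_type` (outside this hunk), then `if (i && OBJ_find_sigid_algs(i, NULL, &pknid))` and `switch (pknid)`. The empty line at new line 106 inside the `if` block looks accidental and could be dropped. When the signature OID is unknown the new code silently sets no `EVP_PKS_*` bit, which matches the old `default:` behaviour and seems intended. The function begins and ends outside the hunk.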
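diff --git a/src/lib/libcrypto/x509/x_all.c b/src/lib/libcrypto/x509/x_all.c
index 8ec88c215a..b94aeeb873 100644
--- a/src/lib/libcrypto/x509/x_all.c
+++ b/src/lib/libcrypto/x509/x_all.c
@@ -95,12 +95,25 @@ int X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md)
 x->sig_alg, x->signature, x->cert_info,pkey,md));
 }
 
+int X509_sign_ctx(X509 *x, EVP_MD_CTX *ctx)
+{
+return ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_CINF),
+x->cert_info->signature,
+x->sig_alg, x->signature, x->cert_info, ctx);
+}
+
 int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md)
 {
 return(ASN1_item_sign(ASN1_ITEM_rptr(X509_REQ_INFO),x->sig_alg, NULL,
 x->signature, x->req_info,pkey,md));
 }
 
+int X509_REQ_sign_ctx(X509_REQ *x, EVP_MD_CTX *ctx)
+{
+return ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_REQ_INFO),
+x->sig_alg, NULL, x->signature, x->req_info, ctx);
+}
+
 int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md)
 {
 x->crl->enc.modified = 1;
@@ -108,6 +121,12 @@ int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md)
 x->sig_alg, x->signature, x->crl,pkey,md));
 }
 
+int X509_CRL_sign_ctx(X509_CRL *x, EVP_MD_CTX *ctx)
+{
+return ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_CRL_INFO),
+x->crl->sig_alg, x->sig_alg, x->signature, x->crl, ctx);
+}
+
 int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *x, EVP_PKEY *pkey, const EVP_MD *md)
 {
 return(ASN1_item_sign(ASN1_ITEM_rptr(NETSCAPE_SPKAC), x->sig_algor,NULL,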
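Review bot: `X509_CRL_sign_ctx` (new lines 124–128) does not mark the CRL's cached encoding stale before signing, whereas `X509_CRL_sign` directly above it does so with `x->crl->enc.modified = 1;` at new line 119, so a CRL that was modified after its last encoding would, through the ctx variant, be signed over the stale cached bytes. Add `x->crl->enc.modified = 1;` as the first statement of `X509_CRL_sign_ctx`, mirroring `X509_CRL_sign`. The three new `*_sign_ctx` wrappers also carry no comment on what the passed `EVP_MD_CTX` must already contain; a short header above `X509_sign_ctx` such as `/* Like X509_sign() but signs with an EVP_MD_CTX the caller has already initialised for signing; the ctx is not freed here */` would document the contract, assuming that is how `ASN1_item_sign_ctx` treats it.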