summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/x509
diff options
context:
space:
mode:
authordjm <>2008-09-06 12:17:54 +0000
committerdjm <>2008-09-06 12:17:54 +0000
commit38ce604e3cc97706b876b0525ddff0121115456d (patch)
tree7ccc28afe1789ea3dbedf72365f955d5b8e105b5 /src/lib/libcrypto/x509
parent12867252827c8efaa8ddd1fa3b3d6e321e2bcdef (diff)
downloadopenbsd-38ce604e3cc97706b876b0525ddff0121115456d.tar.gz
openbsd-38ce604e3cc97706b876b0525ddff0121115456d.tar.bz2
openbsd-38ce604e3cc97706b876b0525ddff0121115456d.zip
resolve conflicts
Diffstat (limited to 'src/lib/libcrypto/x509')
-rw-r--r--src/lib/libcrypto/x509/by_dir.c10
-rw-r--r--src/lib/libcrypto/x509/x509.h140
-rw-r--r--src/lib/libcrypto/x509/x509_att.c45
-rw-r--r--src/lib/libcrypto/x509/x509_cmp.c59
-rw-r--r--src/lib/libcrypto/x509/x509_err.c19
-rw-r--r--src/lib/libcrypto/x509/x509_lu.c30
-rw-r--r--src/lib/libcrypto/x509/x509_r2x.c6
-rw-r--r--src/lib/libcrypto/x509/x509_req.c49
-rw-r--r--src/lib/libcrypto/x509/x509_trs.c4
-rw-r--r--src/lib/libcrypto/x509/x509_txt.c10
-rw-r--r--src/lib/libcrypto/x509/x509_v3.c10
-rw-r--r--src/lib/libcrypto/x509/x509_vfy.c481
-rw-r--r--src/lib/libcrypto/x509/x509_vfy.h143
-rw-r--r--src/lib/libcrypto/x509/x509spki.c3
-rw-r--r--src/lib/libcrypto/x509/x509type.c6
-rw-r--r--src/lib/libcrypto/x509/x_all.c137
16 files changed, 849 insertions, 303 deletions
diff --git a/src/lib/libcrypto/x509/by_dir.c b/src/lib/libcrypto/x509/by_dir.c
index ea689aed1a..37f9a48206 100644
--- a/src/lib/libcrypto/x509/by_dir.c
+++ b/src/lib/libcrypto/x509/by_dir.c
@@ -189,7 +189,7 @@ static int add_cert_dir(BY_DIR *ctx, const char *dir, int type)
189 189
190 s=dir; 190 s=dir;
191 p=s; 191 p=s;
192 for (;;) 192 for (;;p++)
193 { 193 {
194 if ((*p == LIST_SEPARATOR_CHAR) || (*p == '\0')) 194 if ((*p == LIST_SEPARATOR_CHAR) || (*p == '\0'))
195 { 195 {
@@ -198,8 +198,11 @@ static int add_cert_dir(BY_DIR *ctx, const char *dir, int type)
198 len=(int)(p-ss); 198 len=(int)(p-ss);
199 if (len == 0) continue; 199 if (len == 0) continue;
200 for (j=0; j<ctx->num_dirs; j++) 200 for (j=0; j<ctx->num_dirs; j++)
201 if (strncmp(ctx->dirs[j],ss,(unsigned int)len) == 0) 201 if (strlen(ctx->dirs[j]) == (size_t)len &&
202 continue; 202 strncmp(ctx->dirs[j],ss,(unsigned int)len) == 0)
203 break;
204 if (j<ctx->num_dirs)
205 continue;
203 if (ctx->num_dirs_alloced < (ctx->num_dirs+1)) 206 if (ctx->num_dirs_alloced < (ctx->num_dirs+1))
204 { 207 {
205 ctx->num_dirs_alloced+=10; 208 ctx->num_dirs_alloced+=10;
@@ -231,7 +234,6 @@ static int add_cert_dir(BY_DIR *ctx, const char *dir, int type)
231 ctx->num_dirs++; 234 ctx->num_dirs++;
232 } 235 }
233 if (*p == '\0') break; 236 if (*p == '\0') break;
234 p++;
235 } 237 }
236 return(1); 238 return(1);
237 } 239 }
diff --git a/src/lib/libcrypto/x509/x509.h b/src/lib/libcrypto/x509/x509.h
index e8c1a59cf2..e71b5257e5 100644
--- a/src/lib/libcrypto/x509/x509.h
+++ b/src/lib/libcrypto/x509/x509.h
@@ -55,10 +55,16 @@
55 * copied and put under another distribution licence 55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.] 56 * [including the GNU Public Licence.]
57 */ 57 */
58/* ====================================================================
59 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
60 * ECDH support in OpenSSL originally developed by
61 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
62 */
58 63
59#ifndef HEADER_X509_H 64#ifndef HEADER_X509_H
60#define HEADER_X509_H 65#define HEADER_X509_H
61 66
67#include <openssl/e_os2.h>
62#include <openssl/symhacks.h> 68#include <openssl/symhacks.h>
63#ifndef OPENSSL_NO_BUFFER 69#ifndef OPENSSL_NO_BUFFER
64#include <openssl/buffer.h> 70#include <openssl/buffer.h>
@@ -73,21 +79,33 @@
73#include <openssl/asn1.h> 79#include <openssl/asn1.h>
74#include <openssl/safestack.h> 80#include <openssl/safestack.h>
75 81
82#ifndef OPENSSL_NO_EC
83#include <openssl/ec.h>
84#endif
85
86#ifndef OPENSSL_NO_ECDSA
87#include <openssl/ecdsa.h>
88#endif
89
90#ifndef OPENSSL_NO_ECDH
91#include <openssl/ecdh.h>
92#endif
93
94#ifndef OPENSSL_NO_DEPRECATED
76#ifndef OPENSSL_NO_RSA 95#ifndef OPENSSL_NO_RSA
77#include <openssl/rsa.h> 96#include <openssl/rsa.h>
78#endif 97#endif
79
80#ifndef OPENSSL_NO_DSA 98#ifndef OPENSSL_NO_DSA
81#include <openssl/dsa.h> 99#include <openssl/dsa.h>
82#endif 100#endif
83
84#ifndef OPENSSL_NO_DH 101#ifndef OPENSSL_NO_DH
85#include <openssl/dh.h> 102#include <openssl/dh.h>
86#endif 103#endif
104#endif
105
87#ifndef OPENSSL_NO_SHA 106#ifndef OPENSSL_NO_SHA
88#include <openssl/sha.h> 107#include <openssl/sha.h>
89#endif 108#endif
90#include <openssl/e_os2.h>
91#include <openssl/ossl_typ.h> 109#include <openssl/ossl_typ.h>
92 110
93#ifdef __cplusplus 111#ifdef __cplusplus
@@ -95,8 +113,9 @@ extern "C" {
95#endif 113#endif
96 114
97#ifdef OPENSSL_SYS_WIN32 115#ifdef OPENSSL_SYS_WIN32
98/* Under Win32 this is defined in wincrypt.h */ 116/* Under Win32 these are defined in wincrypt.h */
99#undef X509_NAME 117#undef X509_NAME
118#undef X509_CERT_PAIR
100#endif 119#endif
101 120
102#define X509_FILETYPE_PEM 1 121#define X509_FILETYPE_PEM 1
@@ -117,8 +136,8 @@ extern "C" {
117typedef struct X509_objects_st 136typedef struct X509_objects_st
118 { 137 {
119 int nid; 138 int nid;
120 int (*a2i)(); 139 int (*a2i)(void);
121 int (*i2a)(); 140 int (*i2a)(void);
122 } X509_OBJECTS; 141 } X509_OBJECTS;
123 142
124struct X509_algor_st 143struct X509_algor_st
@@ -127,9 +146,10 @@ struct X509_algor_st
127 ASN1_TYPE *parameter; 146 ASN1_TYPE *parameter;
128 } /* X509_ALGOR */; 147 } /* X509_ALGOR */;
129 148
130DECLARE_STACK_OF(X509_ALGOR)
131DECLARE_ASN1_SET_OF(X509_ALGOR) 149DECLARE_ASN1_SET_OF(X509_ALGOR)
132 150
151typedef STACK_OF(X509_ALGOR) X509_ALGORS;
152
133typedef struct X509_val_st 153typedef struct X509_val_st
134 { 154 {
135 ASN1_TIME *notBefore; 155 ASN1_TIME *notBefore;
@@ -184,6 +204,8 @@ typedef struct X509_extension_st
184 ASN1_OCTET_STRING *value; 204 ASN1_OCTET_STRING *value;
185 } X509_EXTENSION; 205 } X509_EXTENSION;
186 206
207typedef STACK_OF(X509_EXTENSION) X509_EXTENSIONS;
208
187DECLARE_STACK_OF(X509_EXTENSION) 209DECLARE_STACK_OF(X509_EXTENSION)
188DECLARE_ASN1_SET_OF(X509_EXTENSION) 210DECLARE_ASN1_SET_OF(X509_EXTENSION)
189 211
@@ -261,12 +283,18 @@ struct x509_st
261 CRYPTO_EX_DATA ex_data; 283 CRYPTO_EX_DATA ex_data;
262 /* These contain copies of various extension values */ 284 /* These contain copies of various extension values */
263 long ex_pathlen; 285 long ex_pathlen;
286 long ex_pcpathlen;
264 unsigned long ex_flags; 287 unsigned long ex_flags;
265 unsigned long ex_kusage; 288 unsigned long ex_kusage;
266 unsigned long ex_xkusage; 289 unsigned long ex_xkusage;
267 unsigned long ex_nscert; 290 unsigned long ex_nscert;
268 ASN1_OCTET_STRING *skid; 291 ASN1_OCTET_STRING *skid;
269 struct AUTHORITY_KEYID_st *akid; 292 struct AUTHORITY_KEYID_st *akid;
293 X509_POLICY_CACHE *policy_cache;
294#ifndef OPENSSL_NO_RFC3779
295 STACK_OF(IPAddressFamily) *rfc3779_addr;
296 struct ASIdentifiers_st *rfc3779_asid;
297#endif
270#ifndef OPENSSL_NO_SHA 298#ifndef OPENSSL_NO_SHA
271 unsigned char sha1_hash[SHA_DIGEST_LENGTH]; 299 unsigned char sha1_hash[SHA_DIGEST_LENGTH];
272#endif 300#endif
@@ -289,6 +317,11 @@ typedef struct x509_trust_st {
289 317
290DECLARE_STACK_OF(X509_TRUST) 318DECLARE_STACK_OF(X509_TRUST)
291 319
320typedef struct x509_cert_pair_st {
321 X509 *forward;
322 X509 *reverse;
323} X509_CERT_PAIR;
324
292/* standard trust ids */ 325/* standard trust ids */
293 326
294#define X509_TRUST_DEFAULT -1 /* Only valid in purpose settings */ 327#define X509_TRUST_DEFAULT -1 /* Only valid in purpose settings */
@@ -655,6 +688,17 @@ extern "C" {
655#define i2d_DSAPrivateKey_bio(bp,dsa) ASN1_i2d_bio(i2d_DSAPrivateKey,bp, \ 688#define i2d_DSAPrivateKey_bio(bp,dsa) ASN1_i2d_bio(i2d_DSAPrivateKey,bp, \
656 (unsigned char *)dsa) 689 (unsigned char *)dsa)
657 690
691#define d2i_ECPrivateKey_fp(fp,ecdsa) (EC_KEY *)ASN1_d2i_fp((char *(*)())\
692 EC_KEY_new,(char *(*)())d2i_ECPrivateKey, (fp), \
693 (unsigned char **)(ecdsa))
694#define i2d_ECPrivateKey_fp(fp,ecdsa) ASN1_i2d_fp(i2d_ECPrivateKey,fp, \
695 (unsigned char *)ecdsa)
696#define d2i_ECPrivateKey_bio(bp,ecdsa) (EC_KEY *)ASN1_d2i_bio((char *(*)())\
697 EC_KEY_new,(char *(*)())d2i_ECPrivateKey, (bp), \
698 (unsigned char **)(ecdsa))
699#define i2d_ECPrivateKey_bio(bp,ecdsa) ASN1_i2d_bio(i2d_ECPrivateKey,bp, \
700 (unsigned char *)ecdsa)
701
658#define X509_ALGOR_dup(xn) (X509_ALGOR *)ASN1_dup((int (*)())i2d_X509_ALGOR,\ 702#define X509_ALGOR_dup(xn) (X509_ALGOR *)ASN1_dup((int (*)())i2d_X509_ALGOR,\
659 (char *(*)())d2i_X509_ALGOR,(char *)xn) 703 (char *(*)())d2i_X509_ALGOR,(char *)xn)
660 704
@@ -758,6 +802,12 @@ int i2d_DSA_PUBKEY_fp(FILE *fp, DSA *dsa);
758DSA *d2i_DSAPrivateKey_fp(FILE *fp, DSA **dsa); 802DSA *d2i_DSAPrivateKey_fp(FILE *fp, DSA **dsa);
759int i2d_DSAPrivateKey_fp(FILE *fp, DSA *dsa); 803int i2d_DSAPrivateKey_fp(FILE *fp, DSA *dsa);
760#endif 804#endif
805#ifndef OPENSSL_NO_EC
806EC_KEY *d2i_EC_PUBKEY_fp(FILE *fp, EC_KEY **eckey);
807int i2d_EC_PUBKEY_fp(FILE *fp, EC_KEY *eckey);
808EC_KEY *d2i_ECPrivateKey_fp(FILE *fp, EC_KEY **eckey);
809int i2d_ECPrivateKey_fp(FILE *fp, EC_KEY *eckey);
810#endif
761X509_SIG *d2i_PKCS8_fp(FILE *fp,X509_SIG **p8); 811X509_SIG *d2i_PKCS8_fp(FILE *fp,X509_SIG **p8);
762int i2d_PKCS8_fp(FILE *fp,X509_SIG *p8); 812int i2d_PKCS8_fp(FILE *fp,X509_SIG *p8);
763PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_fp(FILE *fp, 813PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_fp(FILE *fp,
@@ -791,6 +841,12 @@ int i2d_DSA_PUBKEY_bio(BIO *bp, DSA *dsa);
791DSA *d2i_DSAPrivateKey_bio(BIO *bp, DSA **dsa); 841DSA *d2i_DSAPrivateKey_bio(BIO *bp, DSA **dsa);
792int i2d_DSAPrivateKey_bio(BIO *bp, DSA *dsa); 842int i2d_DSAPrivateKey_bio(BIO *bp, DSA *dsa);
793#endif 843#endif
844#ifndef OPENSSL_NO_EC
845EC_KEY *d2i_EC_PUBKEY_bio(BIO *bp, EC_KEY **eckey);
846int i2d_EC_PUBKEY_bio(BIO *bp, EC_KEY *eckey);
847EC_KEY *d2i_ECPrivateKey_bio(BIO *bp, EC_KEY **eckey);
848int i2d_ECPrivateKey_bio(BIO *bp, EC_KEY *eckey);
849#endif
794X509_SIG *d2i_PKCS8_bio(BIO *bp,X509_SIG **p8); 850X509_SIG *d2i_PKCS8_bio(BIO *bp,X509_SIG **p8);
795int i2d_PKCS8_bio(BIO *bp,X509_SIG *p8); 851int i2d_PKCS8_bio(BIO *bp,X509_SIG *p8);
796PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_bio(BIO *bp, 852PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_bio(BIO *bp,
@@ -809,6 +865,10 @@ X509_EXTENSION *X509_EXTENSION_dup(X509_EXTENSION *ex);
809X509_CRL *X509_CRL_dup(X509_CRL *crl); 865X509_CRL *X509_CRL_dup(X509_CRL *crl);
810X509_REQ *X509_REQ_dup(X509_REQ *req); 866X509_REQ *X509_REQ_dup(X509_REQ *req);
811X509_ALGOR *X509_ALGOR_dup(X509_ALGOR *xn); 867X509_ALGOR *X509_ALGOR_dup(X509_ALGOR *xn);
868int X509_ALGOR_set0(X509_ALGOR *alg, ASN1_OBJECT *aobj, int ptype, void *pval);
869void X509_ALGOR_get0(ASN1_OBJECT **paobj, int *pptype, void **ppval,
870 X509_ALGOR *algor);
871
812X509_NAME *X509_NAME_dup(X509_NAME *xn); 872X509_NAME *X509_NAME_dup(X509_NAME *xn);
813X509_NAME_ENTRY *X509_NAME_ENTRY_dup(X509_NAME_ENTRY *ne); 873X509_NAME_ENTRY *X509_NAME_ENTRY_dup(X509_NAME_ENTRY *ne);
814 874
@@ -830,6 +890,7 @@ X509_REQ * X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, const EVP_MD *md);
830X509 * X509_REQ_to_X509(X509_REQ *r, int days,EVP_PKEY *pkey); 890X509 * X509_REQ_to_X509(X509_REQ *r, int days,EVP_PKEY *pkey);
831 891
832DECLARE_ASN1_FUNCTIONS(X509_ALGOR) 892DECLARE_ASN1_FUNCTIONS(X509_ALGOR)
893DECLARE_ASN1_ENCODE_FUNCTIONS(X509_ALGORS, X509_ALGORS, X509_ALGORS)
833DECLARE_ASN1_FUNCTIONS(X509_VAL) 894DECLARE_ASN1_FUNCTIONS(X509_VAL)
834 895
835DECLARE_ASN1_FUNCTIONS(X509_PUBKEY) 896DECLARE_ASN1_FUNCTIONS(X509_PUBKEY)
@@ -839,16 +900,21 @@ EVP_PKEY * X509_PUBKEY_get(X509_PUBKEY *key);
839int X509_get_pubkey_parameters(EVP_PKEY *pkey, 900int X509_get_pubkey_parameters(EVP_PKEY *pkey,
840 STACK_OF(X509) *chain); 901 STACK_OF(X509) *chain);
841int i2d_PUBKEY(EVP_PKEY *a,unsigned char **pp); 902int i2d_PUBKEY(EVP_PKEY *a,unsigned char **pp);
842EVP_PKEY * d2i_PUBKEY(EVP_PKEY **a,unsigned char **pp, 903EVP_PKEY * d2i_PUBKEY(EVP_PKEY **a,const unsigned char **pp,
843 long length); 904 long length);
844#ifndef OPENSSL_NO_RSA 905#ifndef OPENSSL_NO_RSA
845int i2d_RSA_PUBKEY(RSA *a,unsigned char **pp); 906int i2d_RSA_PUBKEY(RSA *a,unsigned char **pp);
846RSA * d2i_RSA_PUBKEY(RSA **a,unsigned char **pp, 907RSA * d2i_RSA_PUBKEY(RSA **a,const unsigned char **pp,
847 long length); 908 long length);
848#endif 909#endif
849#ifndef OPENSSL_NO_DSA 910#ifndef OPENSSL_NO_DSA
850int i2d_DSA_PUBKEY(DSA *a,unsigned char **pp); 911int i2d_DSA_PUBKEY(DSA *a,unsigned char **pp);
851DSA * d2i_DSA_PUBKEY(DSA **a,unsigned char **pp, 912DSA * d2i_DSA_PUBKEY(DSA **a,const unsigned char **pp,
913 long length);
914#endif
915#ifndef OPENSSL_NO_EC
916int i2d_EC_PUBKEY(EC_KEY *a, unsigned char **pp);
917EC_KEY *d2i_EC_PUBKEY(EC_KEY **a, const unsigned char **pp,
852 long length); 918 long length);
853#endif 919#endif
854 920
@@ -860,6 +926,7 @@ DECLARE_ASN1_FUNCTIONS(X509_ATTRIBUTE)
860X509_ATTRIBUTE *X509_ATTRIBUTE_create(int nid, int atrtype, void *value); 926X509_ATTRIBUTE *X509_ATTRIBUTE_create(int nid, int atrtype, void *value);
861 927
862DECLARE_ASN1_FUNCTIONS(X509_EXTENSION) 928DECLARE_ASN1_FUNCTIONS(X509_EXTENSION)
929DECLARE_ASN1_ENCODE_FUNCTIONS(X509_EXTENSIONS, X509_EXTENSIONS, X509_EXTENSIONS)
863 930
864DECLARE_ASN1_FUNCTIONS(X509_NAME_ENTRY) 931DECLARE_ASN1_FUNCTIONS(X509_NAME_ENTRY)
865 932
@@ -872,16 +939,19 @@ DECLARE_ASN1_FUNCTIONS(X509_CINF)
872DECLARE_ASN1_FUNCTIONS(X509) 939DECLARE_ASN1_FUNCTIONS(X509)
873DECLARE_ASN1_FUNCTIONS(X509_CERT_AUX) 940DECLARE_ASN1_FUNCTIONS(X509_CERT_AUX)
874 941
942DECLARE_ASN1_FUNCTIONS(X509_CERT_PAIR)
943
875int X509_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, 944int X509_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
876 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func); 945 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
877int X509_set_ex_data(X509 *r, int idx, void *arg); 946int X509_set_ex_data(X509 *r, int idx, void *arg);
878void *X509_get_ex_data(X509 *r, int idx); 947void *X509_get_ex_data(X509 *r, int idx);
879int i2d_X509_AUX(X509 *a,unsigned char **pp); 948int i2d_X509_AUX(X509 *a,unsigned char **pp);
880X509 * d2i_X509_AUX(X509 **a,unsigned char **pp,long length); 949X509 * d2i_X509_AUX(X509 **a,const unsigned char **pp,long length);
881 950
882int X509_alias_set1(X509 *x, unsigned char *name, int len); 951int X509_alias_set1(X509 *x, unsigned char *name, int len);
883int X509_keyid_set1(X509 *x, unsigned char *id, int len); 952int X509_keyid_set1(X509 *x, unsigned char *id, int len);
884unsigned char * X509_alias_get0(X509 *x, int *len); 953unsigned char * X509_alias_get0(X509 *x, int *len);
954unsigned char * X509_keyid_get0(X509 *x, int *len);
885int (*X509_TRUST_set_default(int (*trust)(int , X509 *, int)))(int, X509 *, int); 955int (*X509_TRUST_set_default(int (*trust)(int , X509 *, int)))(int, X509 *, int);
886int X509_TRUST_set(int *t, int trust); 956int X509_TRUST_set(int *t, int trust);
887int X509_add1_trust_object(X509 *x, ASN1_OBJECT *obj); 957int X509_add1_trust_object(X509 *x, ASN1_OBJECT *obj);
@@ -898,7 +968,7 @@ int X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev);
898X509_PKEY * X509_PKEY_new(void ); 968X509_PKEY * X509_PKEY_new(void );
899void X509_PKEY_free(X509_PKEY *a); 969void X509_PKEY_free(X509_PKEY *a);
900int i2d_X509_PKEY(X509_PKEY *a,unsigned char **pp); 970int i2d_X509_PKEY(X509_PKEY *a,unsigned char **pp);
901X509_PKEY * d2i_X509_PKEY(X509_PKEY **a,unsigned char **pp,long length); 971X509_PKEY * d2i_X509_PKEY(X509_PKEY **a,const unsigned char **pp,long length);
902 972
903DECLARE_ASN1_FUNCTIONS(NETSCAPE_SPKI) 973DECLARE_ASN1_FUNCTIONS(NETSCAPE_SPKI)
904DECLARE_ASN1_FUNCTIONS(NETSCAPE_SPKAC) 974DECLARE_ASN1_FUNCTIONS(NETSCAPE_SPKAC)
@@ -909,15 +979,15 @@ X509_INFO * X509_INFO_new(void);
909void X509_INFO_free(X509_INFO *a); 979void X509_INFO_free(X509_INFO *a);
910char * X509_NAME_oneline(X509_NAME *a,char *buf,int size); 980char * X509_NAME_oneline(X509_NAME *a,char *buf,int size);
911 981
912int ASN1_verify(int (*i2d)(), X509_ALGOR *algor1, 982int ASN1_verify(i2d_of_void *i2d, X509_ALGOR *algor1,
913 ASN1_BIT_STRING *signature,char *data,EVP_PKEY *pkey); 983 ASN1_BIT_STRING *signature,char *data,EVP_PKEY *pkey);
914 984
915int ASN1_digest(int (*i2d)(),const EVP_MD *type,char *data, 985int ASN1_digest(i2d_of_void *i2d,const EVP_MD *type,char *data,
916 unsigned char *md,unsigned int *len); 986 unsigned char *md,unsigned int *len);
917 987
918int ASN1_sign(int (*i2d)(), X509_ALGOR *algor1, X509_ALGOR *algor2, 988int ASN1_sign(i2d_of_void *i2d, X509_ALGOR *algor1,
919 ASN1_BIT_STRING *signature, 989 X509_ALGOR *algor2, ASN1_BIT_STRING *signature,
920 char *data,EVP_PKEY *pkey, const EVP_MD *type); 990 char *data,EVP_PKEY *pkey, const EVP_MD *type);
921 991
922int ASN1_item_digest(const ASN1_ITEM *it,const EVP_MD *type,void *data, 992int ASN1_item_digest(const ASN1_ITEM *it,const EVP_MD *type,void *data,
923 unsigned char *md,unsigned int *len); 993 unsigned char *md,unsigned int *len);
@@ -982,6 +1052,8 @@ int X509_CRL_sort(X509_CRL *crl);
982int X509_REVOKED_set_serialNumber(X509_REVOKED *x, ASN1_INTEGER *serial); 1052int X509_REVOKED_set_serialNumber(X509_REVOKED *x, ASN1_INTEGER *serial);
983int X509_REVOKED_set_revocationDate(X509_REVOKED *r, ASN1_TIME *tm); 1053int X509_REVOKED_set_revocationDate(X509_REVOKED *r, ASN1_TIME *tm);
984 1054
1055int X509_REQ_check_private_key(X509_REQ *x509,EVP_PKEY *pkey);
1056
985int X509_check_private_key(X509 *x509,EVP_PKEY *pkey); 1057int X509_check_private_key(X509 *x509,EVP_PKEY *pkey);
986 1058
987int X509_issuer_and_serial_cmp(const X509 *a, const X509 *b); 1059int X509_issuer_and_serial_cmp(const X509 *a, const X509 *b);
@@ -1128,6 +1200,8 @@ STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_NID(STACK_OF(X509_ATTRIBUTE) **x,
1128STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_txt(STACK_OF(X509_ATTRIBUTE) **x, 1200STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_txt(STACK_OF(X509_ATTRIBUTE) **x,
1129 const char *attrname, int type, 1201 const char *attrname, int type,
1130 const unsigned char *bytes, int len); 1202 const unsigned char *bytes, int len);
1203void *X509at_get0_data_by_OBJ(STACK_OF(X509_ATTRIBUTE) *x,
1204 ASN1_OBJECT *obj, int lastpos, int type);
1131X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_NID(X509_ATTRIBUTE **attr, int nid, 1205X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_NID(X509_ATTRIBUTE **attr, int nid,
1132 int atrtype, const void *data, int len); 1206 int atrtype, const void *data, int len);
1133X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_OBJ(X509_ATTRIBUTE **attr, 1207X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_OBJ(X509_ATTRIBUTE **attr,
@@ -1142,6 +1216,24 @@ int X509_ATTRIBUTE_count(X509_ATTRIBUTE *attr);
1142ASN1_OBJECT *X509_ATTRIBUTE_get0_object(X509_ATTRIBUTE *attr); 1216ASN1_OBJECT *X509_ATTRIBUTE_get0_object(X509_ATTRIBUTE *attr);
1143ASN1_TYPE *X509_ATTRIBUTE_get0_type(X509_ATTRIBUTE *attr, int idx); 1217ASN1_TYPE *X509_ATTRIBUTE_get0_type(X509_ATTRIBUTE *attr, int idx);
1144 1218
1219int EVP_PKEY_get_attr_count(const EVP_PKEY *key);
1220int EVP_PKEY_get_attr_by_NID(const EVP_PKEY *key, int nid,
1221 int lastpos);
1222int EVP_PKEY_get_attr_by_OBJ(const EVP_PKEY *key, ASN1_OBJECT *obj,
1223 int lastpos);
1224X509_ATTRIBUTE *EVP_PKEY_get_attr(const EVP_PKEY *key, int loc);
1225X509_ATTRIBUTE *EVP_PKEY_delete_attr(EVP_PKEY *key, int loc);
1226int EVP_PKEY_add1_attr(EVP_PKEY *key, X509_ATTRIBUTE *attr);
1227int EVP_PKEY_add1_attr_by_OBJ(EVP_PKEY *key,
1228 const ASN1_OBJECT *obj, int type,
1229 const unsigned char *bytes, int len);
1230int EVP_PKEY_add1_attr_by_NID(EVP_PKEY *key,
1231 int nid, int type,
1232 const unsigned char *bytes, int len);
1233int EVP_PKEY_add1_attr_by_txt(EVP_PKEY *key,
1234 const char *attrname, int type,
1235 const unsigned char *bytes, int len);
1236
1145int X509_verify_cert(X509_STORE_CTX *ctx); 1237int X509_verify_cert(X509_STORE_CTX *ctx);
1146 1238
1147/* lookup a cert from a X509 STACK */ 1239/* lookup a cert from a X509 STACK */
@@ -1188,18 +1280,20 @@ void ERR_load_X509_strings(void);
1188/* Function codes. */ 1280/* Function codes. */
1189#define X509_F_ADD_CERT_DIR 100 1281#define X509_F_ADD_CERT_DIR 100
1190#define X509_F_BY_FILE_CTRL 101 1282#define X509_F_BY_FILE_CTRL 101
1283#define X509_F_CHECK_POLICY 145
1191#define X509_F_DIR_CTRL 102 1284#define X509_F_DIR_CTRL 102
1192#define X509_F_GET_CERT_BY_SUBJECT 103 1285#define X509_F_GET_CERT_BY_SUBJECT 103
1193#define X509_F_NETSCAPE_SPKI_B64_DECODE 129 1286#define X509_F_NETSCAPE_SPKI_B64_DECODE 129
1194#define X509_F_NETSCAPE_SPKI_B64_ENCODE 130 1287#define X509_F_NETSCAPE_SPKI_B64_ENCODE 130
1288#define X509_F_X509AT_ADD1_ATTR 135
1195#define X509_F_X509V3_ADD_EXT 104 1289#define X509_F_X509V3_ADD_EXT 104
1196#define X509_F_X509_ADD_ATTR 135
1197#define X509_F_X509_ATTRIBUTE_CREATE_BY_NID 136 1290#define X509_F_X509_ATTRIBUTE_CREATE_BY_NID 136
1198#define X509_F_X509_ATTRIBUTE_CREATE_BY_OBJ 137 1291#define X509_F_X509_ATTRIBUTE_CREATE_BY_OBJ 137
1199#define X509_F_X509_ATTRIBUTE_CREATE_BY_TXT 140 1292#define X509_F_X509_ATTRIBUTE_CREATE_BY_TXT 140
1200#define X509_F_X509_ATTRIBUTE_GET0_DATA 139 1293#define X509_F_X509_ATTRIBUTE_GET0_DATA 139
1201#define X509_F_X509_ATTRIBUTE_SET1_DATA 138 1294#define X509_F_X509_ATTRIBUTE_SET1_DATA 138
1202#define X509_F_X509_CHECK_PRIVATE_KEY 128 1295#define X509_F_X509_CHECK_PRIVATE_KEY 128
1296#define X509_F_X509_CRL_PRINT_FP 147
1203#define X509_F_X509_EXTENSION_CREATE_BY_NID 108 1297#define X509_F_X509_EXTENSION_CREATE_BY_NID 108
1204#define X509_F_X509_EXTENSION_CREATE_BY_OBJ 109 1298#define X509_F_X509_EXTENSION_CREATE_BY_OBJ 109
1205#define X509_F_X509_GET_PUBKEY_PARAMETERS 110 1299#define X509_F_X509_GET_PUBKEY_PARAMETERS 110
@@ -1212,14 +1306,16 @@ void ERR_load_X509_strings(void);
1212#define X509_F_X509_NAME_ENTRY_SET_OBJECT 115 1306#define X509_F_X509_NAME_ENTRY_SET_OBJECT 115
1213#define X509_F_X509_NAME_ONELINE 116 1307#define X509_F_X509_NAME_ONELINE 116
1214#define X509_F_X509_NAME_PRINT 117 1308#define X509_F_X509_NAME_PRINT 117
1215#define X509_F_X509_PRINT_FP 118 1309#define X509_F_X509_PRINT_EX_FP 118
1216#define X509_F_X509_PUBKEY_GET 119 1310#define X509_F_X509_PUBKEY_GET 119
1217#define X509_F_X509_PUBKEY_SET 120 1311#define X509_F_X509_PUBKEY_SET 120
1218#define X509_F_X509_REQ_PRINT 121 1312#define X509_F_X509_REQ_CHECK_PRIVATE_KEY 144
1313#define X509_F_X509_REQ_PRINT_EX 121
1219#define X509_F_X509_REQ_PRINT_FP 122 1314#define X509_F_X509_REQ_PRINT_FP 122
1220#define X509_F_X509_REQ_TO_X509 123 1315#define X509_F_X509_REQ_TO_X509 123
1221#define X509_F_X509_STORE_ADD_CERT 124 1316#define X509_F_X509_STORE_ADD_CERT 124
1222#define X509_F_X509_STORE_ADD_CRL 125 1317#define X509_F_X509_STORE_ADD_CRL 125
1318#define X509_F_X509_STORE_CTX_GET1_ISSUER 146
1223#define X509_F_X509_STORE_CTX_INIT 143 1319#define X509_F_X509_STORE_CTX_INIT 143
1224#define X509_F_X509_STORE_CTX_NEW 142 1320#define X509_F_X509_STORE_CTX_NEW 142
1225#define X509_F_X509_STORE_CTX_PURPOSE_INHERIT 134 1321#define X509_F_X509_STORE_CTX_PURPOSE_INHERIT 134
diff --git a/src/lib/libcrypto/x509/x509_att.c b/src/lib/libcrypto/x509/x509_att.c
index 0bae3d32a1..511b49d589 100644
--- a/src/lib/libcrypto/x509/x509_att.c
+++ b/src/lib/libcrypto/x509/x509_att.c
@@ -67,8 +67,7 @@
67 67
68int X509at_get_attr_count(const STACK_OF(X509_ATTRIBUTE) *x) 68int X509at_get_attr_count(const STACK_OF(X509_ATTRIBUTE) *x)
69{ 69{
70 if (!x) return 0; 70 return sk_X509_ATTRIBUTE_num(x);
71 return(sk_X509_ATTRIBUTE_num(x));
72} 71}
73 72
74int X509at_get_attr_by_NID(const STACK_OF(X509_ATTRIBUTE) *x, int nid, 73int X509at_get_attr_by_NID(const STACK_OF(X509_ATTRIBUTE) *x, int nid,
@@ -125,7 +124,13 @@ STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr(STACK_OF(X509_ATTRIBUTE) **x,
125 X509_ATTRIBUTE *new_attr=NULL; 124 X509_ATTRIBUTE *new_attr=NULL;
126 STACK_OF(X509_ATTRIBUTE) *sk=NULL; 125 STACK_OF(X509_ATTRIBUTE) *sk=NULL;
127 126
128 if ((x != NULL) && (*x == NULL)) 127 if (x == NULL)
128 {
129 X509err(X509_F_X509AT_ADD1_ATTR, ERR_R_PASSED_NULL_PARAMETER);
130 goto err2;
131 }
132
133 if (*x == NULL)
129 { 134 {
130 if ((sk=sk_X509_ATTRIBUTE_new_null()) == NULL) 135 if ((sk=sk_X509_ATTRIBUTE_new_null()) == NULL)
131 goto err; 136 goto err;
@@ -137,11 +142,11 @@ STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr(STACK_OF(X509_ATTRIBUTE) **x,
137 goto err2; 142 goto err2;
138 if (!sk_X509_ATTRIBUTE_push(sk,new_attr)) 143 if (!sk_X509_ATTRIBUTE_push(sk,new_attr))
139 goto err; 144 goto err;
140 if ((x != NULL) && (*x == NULL)) 145 if (*x == NULL)
141 *x=sk; 146 *x=sk;
142 return(sk); 147 return(sk);
143err: 148err:
144 X509err(X509_F_X509_ADD_ATTR,ERR_R_MALLOC_FAILURE); 149 X509err(X509_F_X509AT_ADD1_ATTR,ERR_R_MALLOC_FAILURE);
145err2: 150err2:
146 if (new_attr != NULL) X509_ATTRIBUTE_free(new_attr); 151 if (new_attr != NULL) X509_ATTRIBUTE_free(new_attr);
147 if (sk != NULL) sk_X509_ATTRIBUTE_free(sk); 152 if (sk != NULL) sk_X509_ATTRIBUTE_free(sk);
@@ -187,6 +192,22 @@ STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_txt(STACK_OF(X509_ATTRIBUTE) **x,
187 return ret; 192 return ret;
188} 193}
189 194
195void *X509at_get0_data_by_OBJ(STACK_OF(X509_ATTRIBUTE) *x,
196 ASN1_OBJECT *obj, int lastpos, int type)
197{
198 int i;
199 X509_ATTRIBUTE *at;
200 i = X509at_get_attr_by_OBJ(x, obj, lastpos);
201 if (i == -1)
202 return NULL;
203 if ((lastpos <= -2) && (X509at_get_attr_by_OBJ(x, obj, i) != -1))
204 return NULL;
205 at = X509at_get_attr(x, i);
206 if (lastpos <= -3 && (X509_ATTRIBUTE_count(at) != 1))
207 return NULL;
208 return X509_ATTRIBUTE_get0_data(at, 0, type, NULL);
209}
210
190X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_NID(X509_ATTRIBUTE **attr, int nid, 211X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_NID(X509_ATTRIBUTE **attr, int nid,
191 int atrtype, const void *data, int len) 212 int atrtype, const void *data, int len)
192{ 213{
@@ -264,8 +285,8 @@ int X509_ATTRIBUTE_set1_object(X509_ATTRIBUTE *attr, const ASN1_OBJECT *obj)
264int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype, const void *data, int len) 285int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype, const void *data, int len)
265{ 286{
266 ASN1_TYPE *ttmp; 287 ASN1_TYPE *ttmp;
267 ASN1_STRING *stmp; 288 ASN1_STRING *stmp = NULL;
268 int atype; 289 int atype = 0;
269 if (!attr) return 0; 290 if (!attr) return 0;
270 if(attrtype & MBSTRING_FLAG) { 291 if(attrtype & MBSTRING_FLAG) {
271 stmp = ASN1_STRING_set_by_NID(NULL, data, len, attrtype, 292 stmp = ASN1_STRING_set_by_NID(NULL, data, len, attrtype,
@@ -275,16 +296,22 @@ int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype, const void *dat
275 return 0; 296 return 0;
276 } 297 }
277 atype = stmp->type; 298 atype = stmp->type;
278 } else { 299 } else if (len != -1){
279 if(!(stmp = ASN1_STRING_type_new(attrtype))) goto err; 300 if(!(stmp = ASN1_STRING_type_new(attrtype))) goto err;
280 if(!ASN1_STRING_set(stmp, data, len)) goto err; 301 if(!ASN1_STRING_set(stmp, data, len)) goto err;
281 atype = attrtype; 302 atype = attrtype;
282 } 303 }
283 if(!(attr->value.set = sk_ASN1_TYPE_new_null())) goto err; 304 if(!(attr->value.set = sk_ASN1_TYPE_new_null())) goto err;
284 if(!(ttmp = ASN1_TYPE_new())) goto err; 305 if(!(ttmp = ASN1_TYPE_new())) goto err;
306 if (len == -1)
307 {
308 if (!ASN1_TYPE_set1(ttmp, attrtype, data))
309 goto err;
310 }
311 else
312 ASN1_TYPE_set(ttmp, atype, stmp);
285 if(!sk_ASN1_TYPE_push(attr->value.set, ttmp)) goto err; 313 if(!sk_ASN1_TYPE_push(attr->value.set, ttmp)) goto err;
286 attr->single = 0; 314 attr->single = 0;
287 ASN1_TYPE_set(ttmp, atype, stmp);
288 return 1; 315 return 1;
289 err: 316 err:
290 X509err(X509_F_X509_ATTRIBUTE_SET1_DATA, ERR_R_MALLOC_FAILURE); 317 X509err(X509_F_X509_ATTRIBUTE_SET1_DATA, ERR_R_MALLOC_FAILURE);
diff --git a/src/lib/libcrypto/x509/x509_cmp.c b/src/lib/libcrypto/x509/x509_cmp.c
index 030d0966fc..0d6bc653b2 100644
--- a/src/lib/libcrypto/x509/x509_cmp.c
+++ b/src/lib/libcrypto/x509/x509_cmp.c
@@ -322,16 +322,10 @@ unsigned long X509_NAME_hash(X509_NAME *x)
322 { 322 {
323 unsigned long ret=0; 323 unsigned long ret=0;
324 unsigned char md[16]; 324 unsigned char md[16];
325 EVP_MD_CTX md_ctx;
326 325
327 /* Make sure X509_NAME structure contains valid cached encoding */ 326 /* Make sure X509_NAME structure contains valid cached encoding */
328 i2d_X509_NAME(x,NULL); 327 i2d_X509_NAME(x,NULL);
329 EVP_MD_CTX_init(&md_ctx); 328 EVP_Digest(x->bytes->data, x->bytes->length, md, NULL, EVP_md5(), NULL);
330 EVP_MD_CTX_set_flags(&md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
331 EVP_DigestInit_ex(&md_ctx, EVP_md5(), NULL);
332 EVP_DigestUpdate(&md_ctx, x->bytes->data, x->bytes->length);
333 EVP_DigestFinal_ex(&md_ctx,md,NULL);
334 EVP_MD_CTX_cleanup(&md_ctx);
335 329
336 ret=( ((unsigned long)md[0] )|((unsigned long)md[1]<<8L)| 330 ret=( ((unsigned long)md[0] )|((unsigned long)md[1]<<8L)|
337 ((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L) 331 ((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L)
@@ -396,45 +390,36 @@ int X509_check_private_key(X509 *x, EVP_PKEY *k)
396 int ok=0; 390 int ok=0;
397 391
398 xk=X509_get_pubkey(x); 392 xk=X509_get_pubkey(x);
399 if (xk->type != k->type) 393 switch (EVP_PKEY_cmp(xk, k))
400 {
401 X509err(X509_F_X509_CHECK_PRIVATE_KEY,X509_R_KEY_TYPE_MISMATCH);
402 goto err;
403 }
404 switch (k->type)
405 { 394 {
406#ifndef OPENSSL_NO_RSA 395 case 1:
407 case EVP_PKEY_RSA: 396 ok=1;
408 if (BN_cmp(xk->pkey.rsa->n,k->pkey.rsa->n) != 0
409 || BN_cmp(xk->pkey.rsa->e,k->pkey.rsa->e) != 0)
410 {
411 X509err(X509_F_X509_CHECK_PRIVATE_KEY,X509_R_KEY_VALUES_MISMATCH);
412 goto err;
413 }
414 break; 397 break;
415#endif 398 case 0:
416#ifndef OPENSSL_NO_DSA 399 X509err(X509_F_X509_CHECK_PRIVATE_KEY,X509_R_KEY_VALUES_MISMATCH);
417 case EVP_PKEY_DSA: 400 break;
418 if (BN_cmp(xk->pkey.dsa->pub_key,k->pkey.dsa->pub_key) != 0) 401 case -1:
419 { 402 X509err(X509_F_X509_CHECK_PRIVATE_KEY,X509_R_KEY_TYPE_MISMATCH);
420 X509err(X509_F_X509_CHECK_PRIVATE_KEY,X509_R_KEY_VALUES_MISMATCH);
421 goto err;
422 }
423 break; 403 break;
404 case -2:
405#ifndef OPENSSL_NO_EC
406 if (k->type == EVP_PKEY_EC)
407 {
408 X509err(X509_F_X509_CHECK_PRIVATE_KEY, ERR_R_EC_LIB);
409 break;
410 }
424#endif 411#endif
425#ifndef OPENSSL_NO_DH 412#ifndef OPENSSL_NO_DH
426 case EVP_PKEY_DH: 413 if (k->type == EVP_PKEY_DH)
427 /* No idea */ 414 {
428 X509err(X509_F_X509_CHECK_PRIVATE_KEY,X509_R_CANT_CHECK_DH_KEY); 415 /* No idea */
429 goto err; 416 X509err(X509_F_X509_CHECK_PRIVATE_KEY,X509_R_CANT_CHECK_DH_KEY);
417 break;
418 }
430#endif 419#endif
431 default:
432 X509err(X509_F_X509_CHECK_PRIVATE_KEY,X509_R_UNKNOWN_KEY_TYPE); 420 X509err(X509_F_X509_CHECK_PRIVATE_KEY,X509_R_UNKNOWN_KEY_TYPE);
433 goto err;
434 } 421 }
435 422
436 ok=1;
437err:
438 EVP_PKEY_free(xk); 423 EVP_PKEY_free(xk);
439 return(ok); 424 return(ok);
440 } 425 }
diff --git a/src/lib/libcrypto/x509/x509_err.c b/src/lib/libcrypto/x509/x509_err.c
index d44d046027..fb377292da 100644
--- a/src/lib/libcrypto/x509/x509_err.c
+++ b/src/lib/libcrypto/x509/x509_err.c
@@ -72,18 +72,20 @@ static ERR_STRING_DATA X509_str_functs[]=
72 { 72 {
73{ERR_FUNC(X509_F_ADD_CERT_DIR), "ADD_CERT_DIR"}, 73{ERR_FUNC(X509_F_ADD_CERT_DIR), "ADD_CERT_DIR"},
74{ERR_FUNC(X509_F_BY_FILE_CTRL), "BY_FILE_CTRL"}, 74{ERR_FUNC(X509_F_BY_FILE_CTRL), "BY_FILE_CTRL"},
75{ERR_FUNC(X509_F_CHECK_POLICY), "CHECK_POLICY"},
75{ERR_FUNC(X509_F_DIR_CTRL), "DIR_CTRL"}, 76{ERR_FUNC(X509_F_DIR_CTRL), "DIR_CTRL"},
76{ERR_FUNC(X509_F_GET_CERT_BY_SUBJECT), "GET_CERT_BY_SUBJECT"}, 77{ERR_FUNC(X509_F_GET_CERT_BY_SUBJECT), "GET_CERT_BY_SUBJECT"},
77{ERR_FUNC(X509_F_NETSCAPE_SPKI_B64_DECODE), "NETSCAPE_SPKI_b64_decode"}, 78{ERR_FUNC(X509_F_NETSCAPE_SPKI_B64_DECODE), "NETSCAPE_SPKI_b64_decode"},
78{ERR_FUNC(X509_F_NETSCAPE_SPKI_B64_ENCODE), "NETSCAPE_SPKI_b64_encode"}, 79{ERR_FUNC(X509_F_NETSCAPE_SPKI_B64_ENCODE), "NETSCAPE_SPKI_b64_encode"},
80{ERR_FUNC(X509_F_X509AT_ADD1_ATTR), "X509at_add1_attr"},
79{ERR_FUNC(X509_F_X509V3_ADD_EXT), "X509v3_add_ext"}, 81{ERR_FUNC(X509_F_X509V3_ADD_EXT), "X509v3_add_ext"},
80{ERR_FUNC(X509_F_X509_ADD_ATTR), "X509_ADD_ATTR"},
81{ERR_FUNC(X509_F_X509_ATTRIBUTE_CREATE_BY_NID), "X509_ATTRIBUTE_create_by_NID"}, 82{ERR_FUNC(X509_F_X509_ATTRIBUTE_CREATE_BY_NID), "X509_ATTRIBUTE_create_by_NID"},
82{ERR_FUNC(X509_F_X509_ATTRIBUTE_CREATE_BY_OBJ), "X509_ATTRIBUTE_create_by_OBJ"}, 83{ERR_FUNC(X509_F_X509_ATTRIBUTE_CREATE_BY_OBJ), "X509_ATTRIBUTE_create_by_OBJ"},
83{ERR_FUNC(X509_F_X509_ATTRIBUTE_CREATE_BY_TXT), "X509_ATTRIBUTE_create_by_txt"}, 84{ERR_FUNC(X509_F_X509_ATTRIBUTE_CREATE_BY_TXT), "X509_ATTRIBUTE_create_by_txt"},
84{ERR_FUNC(X509_F_X509_ATTRIBUTE_GET0_DATA), "X509_ATTRIBUTE_get0_data"}, 85{ERR_FUNC(X509_F_X509_ATTRIBUTE_GET0_DATA), "X509_ATTRIBUTE_get0_data"},
85{ERR_FUNC(X509_F_X509_ATTRIBUTE_SET1_DATA), "X509_ATTRIBUTE_set1_data"}, 86{ERR_FUNC(X509_F_X509_ATTRIBUTE_SET1_DATA), "X509_ATTRIBUTE_set1_data"},
86{ERR_FUNC(X509_F_X509_CHECK_PRIVATE_KEY), "X509_check_private_key"}, 87{ERR_FUNC(X509_F_X509_CHECK_PRIVATE_KEY), "X509_check_private_key"},
88{ERR_FUNC(X509_F_X509_CRL_PRINT_FP), "X509_CRL_print_fp"},
87{ERR_FUNC(X509_F_X509_EXTENSION_CREATE_BY_NID), "X509_EXTENSION_create_by_NID"}, 89{ERR_FUNC(X509_F_X509_EXTENSION_CREATE_BY_NID), "X509_EXTENSION_create_by_NID"},
88{ERR_FUNC(X509_F_X509_EXTENSION_CREATE_BY_OBJ), "X509_EXTENSION_create_by_OBJ"}, 90{ERR_FUNC(X509_F_X509_EXTENSION_CREATE_BY_OBJ), "X509_EXTENSION_create_by_OBJ"},
89{ERR_FUNC(X509_F_X509_GET_PUBKEY_PARAMETERS), "X509_get_pubkey_parameters"}, 91{ERR_FUNC(X509_F_X509_GET_PUBKEY_PARAMETERS), "X509_get_pubkey_parameters"},
@@ -96,14 +98,16 @@ static ERR_STRING_DATA X509_str_functs[]=
96{ERR_FUNC(X509_F_X509_NAME_ENTRY_SET_OBJECT), "X509_NAME_ENTRY_set_object"}, 98{ERR_FUNC(X509_F_X509_NAME_ENTRY_SET_OBJECT), "X509_NAME_ENTRY_set_object"},
97{ERR_FUNC(X509_F_X509_NAME_ONELINE), "X509_NAME_oneline"}, 99{ERR_FUNC(X509_F_X509_NAME_ONELINE), "X509_NAME_oneline"},
98{ERR_FUNC(X509_F_X509_NAME_PRINT), "X509_NAME_print"}, 100{ERR_FUNC(X509_F_X509_NAME_PRINT), "X509_NAME_print"},
99{ERR_FUNC(X509_F_X509_PRINT_FP), "X509_print_fp"}, 101{ERR_FUNC(X509_F_X509_PRINT_EX_FP), "X509_print_ex_fp"},
100{ERR_FUNC(X509_F_X509_PUBKEY_GET), "X509_PUBKEY_get"}, 102{ERR_FUNC(X509_F_X509_PUBKEY_GET), "X509_PUBKEY_get"},
101{ERR_FUNC(X509_F_X509_PUBKEY_SET), "X509_PUBKEY_set"}, 103{ERR_FUNC(X509_F_X509_PUBKEY_SET), "X509_PUBKEY_set"},
102{ERR_FUNC(X509_F_X509_REQ_PRINT), "X509_REQ_print"}, 104{ERR_FUNC(X509_F_X509_REQ_CHECK_PRIVATE_KEY), "X509_REQ_check_private_key"},
105{ERR_FUNC(X509_F_X509_REQ_PRINT_EX), "X509_REQ_print_ex"},
103{ERR_FUNC(X509_F_X509_REQ_PRINT_FP), "X509_REQ_print_fp"}, 106{ERR_FUNC(X509_F_X509_REQ_PRINT_FP), "X509_REQ_print_fp"},
104{ERR_FUNC(X509_F_X509_REQ_TO_X509), "X509_REQ_to_X509"}, 107{ERR_FUNC(X509_F_X509_REQ_TO_X509), "X509_REQ_to_X509"},
105{ERR_FUNC(X509_F_X509_STORE_ADD_CERT), "X509_STORE_add_cert"}, 108{ERR_FUNC(X509_F_X509_STORE_ADD_CERT), "X509_STORE_add_cert"},
106{ERR_FUNC(X509_F_X509_STORE_ADD_CRL), "X509_STORE_add_crl"}, 109{ERR_FUNC(X509_F_X509_STORE_ADD_CRL), "X509_STORE_add_crl"},
110{ERR_FUNC(X509_F_X509_STORE_CTX_GET1_ISSUER), "X509_STORE_CTX_get1_issuer"},
107{ERR_FUNC(X509_F_X509_STORE_CTX_INIT), "X509_STORE_CTX_init"}, 111{ERR_FUNC(X509_F_X509_STORE_CTX_INIT), "X509_STORE_CTX_init"},
108{ERR_FUNC(X509_F_X509_STORE_CTX_NEW), "X509_STORE_CTX_new"}, 112{ERR_FUNC(X509_F_X509_STORE_CTX_NEW), "X509_STORE_CTX_new"},
109{ERR_FUNC(X509_F_X509_STORE_CTX_PURPOSE_INHERIT), "X509_STORE_CTX_purpose_inherit"}, 113{ERR_FUNC(X509_F_X509_STORE_CTX_PURPOSE_INHERIT), "X509_STORE_CTX_purpose_inherit"},
@@ -146,15 +150,12 @@ static ERR_STRING_DATA X509_str_reasons[]=
146 150
147void ERR_load_X509_strings(void) 151void ERR_load_X509_strings(void)
148 { 152 {
149 static int init=1; 153#ifndef OPENSSL_NO_ERR
150 154
151 if (init) 155 if (ERR_func_error_string(X509_str_functs[0].error) == NULL)
152 { 156 {
153 init=0;
154#ifndef OPENSSL_NO_ERR
155 ERR_load_strings(0,X509_str_functs); 157 ERR_load_strings(0,X509_str_functs);
156 ERR_load_strings(0,X509_str_reasons); 158 ERR_load_strings(0,X509_str_reasons);
157#endif
158
159 } 159 }
160#endif
160 } 161 }
diff --git a/src/lib/libcrypto/x509/x509_lu.c b/src/lib/libcrypto/x509/x509_lu.c
index b780dae5e2..cd2cfb6d85 100644
--- a/src/lib/libcrypto/x509/x509_lu.c
+++ b/src/lib/libcrypto/x509/x509_lu.c
@@ -187,10 +187,8 @@ X509_STORE *X509_STORE_new(void)
187 ret->verify=0; 187 ret->verify=0;
188 ret->verify_cb=0; 188 ret->verify_cb=0;
189 189
190 ret->purpose = 0; 190 if ((ret->param = X509_VERIFY_PARAM_new()) == NULL)
191 ret->trust = 0; 191 return NULL;
192
193 ret->flags = 0;
194 192
195 ret->get_issuer = 0; 193 ret->get_issuer = 0;
196 ret->check_issued = 0; 194 ret->check_issued = 0;
@@ -202,7 +200,6 @@ X509_STORE *X509_STORE_new(void)
202 200
203 CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE, ret, &ret->ex_data); 201 CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE, ret, &ret->ex_data);
204 ret->references=1; 202 ret->references=1;
205 ret->depth=0;
206 return ret; 203 return ret;
207 } 204 }
208 205
@@ -244,6 +241,8 @@ void X509_STORE_free(X509_STORE *vfy)
244 sk_X509_OBJECT_pop_free(vfy->objs, cleanup); 241 sk_X509_OBJECT_pop_free(vfy->objs, cleanup);
245 242
246 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE, vfy, &vfy->ex_data); 243 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE, vfy, &vfy->ex_data);
244 if (vfy->param)
245 X509_VERIFY_PARAM_free(vfy->param);
247 OPENSSL_free(vfy); 246 OPENSSL_free(vfy);
248 } 247 }
249 248
@@ -498,7 +497,7 @@ int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
498 if (ok == X509_LU_RETRY) 497 if (ok == X509_LU_RETRY)
499 { 498 {
500 X509_OBJECT_free_contents(&obj); 499 X509_OBJECT_free_contents(&obj);
501 X509err(X509_F_X509_VERIFY_CERT,X509_R_SHOULD_RETRY); 500 X509err(X509_F_X509_STORE_CTX_GET1_ISSUER,X509_R_SHOULD_RETRY);
502 return -1; 501 return -1;
503 } 502 }
504 else if (ok != X509_LU_FAIL) 503 else if (ok != X509_LU_FAIL)
@@ -538,19 +537,30 @@ int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
538 return 0; 537 return 0;
539} 538}
540 539
541void X509_STORE_set_flags(X509_STORE *ctx, long flags) 540int X509_STORE_set_flags(X509_STORE *ctx, unsigned long flags)
542 { 541 {
543 ctx->flags |= flags; 542 return X509_VERIFY_PARAM_set_flags(ctx->param, flags);
543 }
544
545int X509_STORE_set_depth(X509_STORE *ctx, int depth)
546 {
547 X509_VERIFY_PARAM_set_depth(ctx->param, depth);
548 return 1;
544 } 549 }
545 550
546int X509_STORE_set_purpose(X509_STORE *ctx, int purpose) 551int X509_STORE_set_purpose(X509_STORE *ctx, int purpose)
547 { 552 {
548 return X509_PURPOSE_set(&ctx->purpose, purpose); 553 return X509_VERIFY_PARAM_set_purpose(ctx->param, purpose);
549 } 554 }
550 555
551int X509_STORE_set_trust(X509_STORE *ctx, int trust) 556int X509_STORE_set_trust(X509_STORE *ctx, int trust)
552 { 557 {
553 return X509_TRUST_set(&ctx->trust, trust); 558 return X509_VERIFY_PARAM_set_trust(ctx->param, trust);
559 }
560
561int X509_STORE_set1_param(X509_STORE *ctx, X509_VERIFY_PARAM *param)
562 {
563 return X509_VERIFY_PARAM_set1(ctx->param, param);
554 } 564 }
555 565
556IMPLEMENT_STACK_OF(X509_LOOKUP) 566IMPLEMENT_STACK_OF(X509_LOOKUP)
diff --git a/src/lib/libcrypto/x509/x509_r2x.c b/src/lib/libcrypto/x509/x509_r2x.c
index fb8a78dabe..254a14693d 100644
--- a/src/lib/libcrypto/x509/x509_r2x.c
+++ b/src/lib/libcrypto/x509/x509_r2x.c
@@ -89,8 +89,10 @@ X509 *X509_REQ_to_X509(X509_REQ *r, int days, EVP_PKEY *pkey)
89 } 89 }
90 90
91 xn=X509_REQ_get_subject_name(r); 91 xn=X509_REQ_get_subject_name(r);
92 X509_set_subject_name(ret,X509_NAME_dup(xn)); 92 if (X509_set_subject_name(ret,X509_NAME_dup(xn)) == 0)
93 X509_set_issuer_name(ret,X509_NAME_dup(xn)); 93 goto err;
94 if (X509_set_issuer_name(ret,X509_NAME_dup(xn)) == 0)
95 goto err;
94 96
95 if (X509_gmtime_adj(xi->validity->notBefore,0) == NULL) 97 if (X509_gmtime_adj(xi->validity->notBefore,0) == NULL)
96 goto err; 98 goto err;
diff --git a/src/lib/libcrypto/x509/x509_req.c b/src/lib/libcrypto/x509/x509_req.c
index 59fc6ca548..3872e1fb64 100644
--- a/src/lib/libcrypto/x509/x509_req.c
+++ b/src/lib/libcrypto/x509/x509_req.c
@@ -113,6 +113,46 @@ EVP_PKEY *X509_REQ_get_pubkey(X509_REQ *req)
113 return(X509_PUBKEY_get(req->req_info->pubkey)); 113 return(X509_PUBKEY_get(req->req_info->pubkey));
114 } 114 }
115 115
116int X509_REQ_check_private_key(X509_REQ *x, EVP_PKEY *k)
117 {
118 EVP_PKEY *xk=NULL;
119 int ok=0;
120
121 xk=X509_REQ_get_pubkey(x);
122 switch (EVP_PKEY_cmp(xk, k))
123 {
124 case 1:
125 ok=1;
126 break;
127 case 0:
128 X509err(X509_F_X509_REQ_CHECK_PRIVATE_KEY,X509_R_KEY_VALUES_MISMATCH);
129 break;
130 case -1:
131 X509err(X509_F_X509_REQ_CHECK_PRIVATE_KEY,X509_R_KEY_TYPE_MISMATCH);
132 break;
133 case -2:
134#ifndef OPENSSL_NO_EC
135 if (k->type == EVP_PKEY_EC)
136 {
137 X509err(X509_F_X509_REQ_CHECK_PRIVATE_KEY, ERR_R_EC_LIB);
138 break;
139 }
140#endif
141#ifndef OPENSSL_NO_DH
142 if (k->type == EVP_PKEY_DH)
143 {
144 /* No idea */
145 X509err(X509_F_X509_REQ_CHECK_PRIVATE_KEY,X509_R_CANT_CHECK_DH_KEY);
146 break;
147 }
148#endif
149 X509err(X509_F_X509_REQ_CHECK_PRIVATE_KEY,X509_R_UNKNOWN_KEY_TYPE);
150 }
151
152 EVP_PKEY_free(xk);
153 return(ok);
154 }
155
116/* It seems several organisations had the same idea of including a list of 156/* It seems several organisations had the same idea of including a list of
117 * extensions in a certificate request. There are at least two OIDs that are 157 * extensions in a certificate request. There are at least two OIDs that are
118 * used and there may be more: so the list is configurable. 158 * used and there may be more: so the list is configurable.
@@ -147,7 +187,7 @@ STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req)
147 X509_ATTRIBUTE *attr; 187 X509_ATTRIBUTE *attr;
148 ASN1_TYPE *ext = NULL; 188 ASN1_TYPE *ext = NULL;
149 int idx, *pnid; 189 int idx, *pnid;
150 unsigned char *p; 190 const unsigned char *p;
151 191
152 if ((req == NULL) || (req->req_info == NULL) || !ext_nids) 192 if ((req == NULL) || (req->req_info == NULL) || !ext_nids)
153 return(NULL); 193 return(NULL);
@@ -169,7 +209,7 @@ STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req)
169 ext->value.sequence->length, 209 ext->value.sequence->length,
170 d2i_X509_EXTENSION, X509_EXTENSION_free, 210 d2i_X509_EXTENSION, X509_EXTENSION_free,
171 V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL); 211 V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL);
172 } 212}
173 213
174/* Add a STACK_OF extensions to a certificate request: allow alternative OIDs 214/* Add a STACK_OF extensions to a certificate request: allow alternative OIDs
175 * in case we want to create a non standard one. 215 * in case we want to create a non standard one.
@@ -202,6 +242,11 @@ int X509_REQ_add_extensions_nid(X509_REQ *req, STACK_OF(X509_EXTENSION) *exts,
202 at = NULL; 242 at = NULL;
203 attr->single = 0; 243 attr->single = 0;
204 attr->object = OBJ_nid2obj(nid); 244 attr->object = OBJ_nid2obj(nid);
245 if (!req->req_info->attributes)
246 {
247 if (!(req->req_info->attributes = sk_X509_ATTRIBUTE_new_null()))
248 goto err;
249 }
205 if(!sk_X509_ATTRIBUTE_push(req->req_info->attributes, attr)) goto err; 250 if(!sk_X509_ATTRIBUTE_push(req->req_info->attributes, attr)) goto err;
206 return 1; 251 return 1;
207 err: 252 err:
diff --git a/src/lib/libcrypto/x509/x509_trs.c b/src/lib/libcrypto/x509/x509_trs.c
index 881252608d..9c84a59d52 100644
--- a/src/lib/libcrypto/x509/x509_trs.c
+++ b/src/lib/libcrypto/x509/x509_trs.c
@@ -128,7 +128,7 @@ int X509_TRUST_get_count(void)
128X509_TRUST * X509_TRUST_get0(int idx) 128X509_TRUST * X509_TRUST_get0(int idx)
129{ 129{
130 if(idx < 0) return NULL; 130 if(idx < 0) return NULL;
131 if(idx < X509_TRUST_COUNT) return trstandard + idx; 131 if(idx < (int)X509_TRUST_COUNT) return trstandard + idx;
132 return sk_X509_TRUST_value(trtable, idx - X509_TRUST_COUNT); 132 return sk_X509_TRUST_value(trtable, idx - X509_TRUST_COUNT);
133} 133}
134 134
@@ -219,7 +219,7 @@ static void trtable_free(X509_TRUST *p)
219 219
220void X509_TRUST_cleanup(void) 220void X509_TRUST_cleanup(void)
221{ 221{
222 int i; 222 unsigned int i;
223 for(i = 0; i < X509_TRUST_COUNT; i++) trtable_free(trstandard + i); 223 for(i = 0; i < X509_TRUST_COUNT; i++) trtable_free(trstandard + i);
224 sk_X509_TRUST_pop_free(trtable, trtable_free); 224 sk_X509_TRUST_pop_free(trtable, trtable_free);
225 trtable = NULL; 225 trtable = NULL;
diff --git a/src/lib/libcrypto/x509/x509_txt.c b/src/lib/libcrypto/x509/x509_txt.c
index f19e66a238..73a8ec726f 100644
--- a/src/lib/libcrypto/x509/x509_txt.c
+++ b/src/lib/libcrypto/x509/x509_txt.c
@@ -129,7 +129,7 @@ const char *X509_verify_cert_error_string(long n)
129 case X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED: 129 case X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED:
130 return("proxy path length constraint exceeded"); 130 return("proxy path length constraint exceeded");
131 case X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED: 131 case X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED:
132 return("proxy cerificates not allowed, please set the appropriate flag"); 132 return("proxy certificates not allowed, please set the appropriate flag");
133 case X509_V_ERR_INVALID_PURPOSE: 133 case X509_V_ERR_INVALID_PURPOSE:
134 return ("unsupported certificate purpose"); 134 return ("unsupported certificate purpose");
135 case X509_V_ERR_CERT_UNTRUSTED: 135 case X509_V_ERR_CERT_UNTRUSTED:
@@ -156,6 +156,14 @@ const char *X509_verify_cert_error_string(long n)
156 return("key usage does not include digital signature"); 156 return("key usage does not include digital signature");
157 case X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION: 157 case X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION:
158 return("unhandled critical CRL extension"); 158 return("unhandled critical CRL extension");
159 case X509_V_ERR_INVALID_EXTENSION:
160 return("invalid or inconsistent certificate extension");
161 case X509_V_ERR_INVALID_POLICY_EXTENSION:
162 return("invalid or inconsistent certificate policy extension");
163 case X509_V_ERR_NO_EXPLICIT_POLICY:
164 return("no explicit policy");
165 case X509_V_ERR_UNNESTED_RESOURCE:
166 return("RFC 3779 resource not subset of parent's resources");
159 default: 167 default:
160 BIO_snprintf(buf,sizeof buf,"error number %ld",n); 168 BIO_snprintf(buf,sizeof buf,"error number %ld",n);
161 return(buf); 169 return(buf);
diff --git a/src/lib/libcrypto/x509/x509_v3.c b/src/lib/libcrypto/x509/x509_v3.c
index 67b1796a92..42e6f0ab05 100644
--- a/src/lib/libcrypto/x509/x509_v3.c
+++ b/src/lib/libcrypto/x509/x509_v3.c
@@ -147,7 +147,13 @@ STACK_OF(X509_EXTENSION) *X509v3_add_ext(STACK_OF(X509_EXTENSION) **x,
147 int n; 147 int n;
148 STACK_OF(X509_EXTENSION) *sk=NULL; 148 STACK_OF(X509_EXTENSION) *sk=NULL;
149 149
150 if ((x != NULL) && (*x == NULL)) 150 if (x == NULL)
151 {
152 X509err(X509_F_X509V3_ADD_EXT,ERR_R_PASSED_NULL_PARAMETER);
153 goto err2;
154 }
155
156 if (*x == NULL)
151 { 157 {
152 if ((sk=sk_X509_EXTENSION_new_null()) == NULL) 158 if ((sk=sk_X509_EXTENSION_new_null()) == NULL)
153 goto err; 159 goto err;
@@ -163,7 +169,7 @@ STACK_OF(X509_EXTENSION) *X509v3_add_ext(STACK_OF(X509_EXTENSION) **x,
163 goto err2; 169 goto err2;
164 if (!sk_X509_EXTENSION_insert(sk,new_ex,loc)) 170 if (!sk_X509_EXTENSION_insert(sk,new_ex,loc))
165 goto err; 171 goto err;
166 if ((x != NULL) && (*x == NULL)) 172 if (*x == NULL)
167 *x=sk; 173 *x=sk;
168 return(sk); 174 return(sk);
169err: 175err:
diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c
index 383e082aba..9a62ebcf67 100644
--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -77,8 +77,9 @@ static int check_chain_extensions(X509_STORE_CTX *ctx);
77static int check_trust(X509_STORE_CTX *ctx); 77static int check_trust(X509_STORE_CTX *ctx);
78static int check_revocation(X509_STORE_CTX *ctx); 78static int check_revocation(X509_STORE_CTX *ctx);
79static int check_cert(X509_STORE_CTX *ctx); 79static int check_cert(X509_STORE_CTX *ctx);
80static int check_policy(X509_STORE_CTX *ctx);
80static int internal_verify(X509_STORE_CTX *ctx); 81static int internal_verify(X509_STORE_CTX *ctx);
81const char *X509_version="X.509" OPENSSL_VERSION_PTEXT; 82const char X509_version[]="X.509" OPENSSL_VERSION_PTEXT;
82 83
83 84
84static int null_callback(int ok, X509_STORE_CTX *e) 85static int null_callback(int ok, X509_STORE_CTX *e)
@@ -97,11 +98,12 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
97 { 98 {
98 X509 *x,*xtmp,*chain_ss=NULL; 99 X509 *x,*xtmp,*chain_ss=NULL;
99 X509_NAME *xn; 100 X509_NAME *xn;
101 int bad_chain = 0;
102 X509_VERIFY_PARAM *param = ctx->param;
100 int depth,i,ok=0; 103 int depth,i,ok=0;
101 int num; 104 int num;
102 int (*cb)(); 105 int (*cb)(int xok,X509_STORE_CTX *xctx);
103 STACK_OF(X509) *sktmp=NULL; 106 STACK_OF(X509) *sktmp=NULL;
104
105 if (ctx->cert == NULL) 107 if (ctx->cert == NULL)
106 { 108 {
107 X509err(X509_F_X509_VERIFY_CERT,X509_R_NO_CERT_SET_FOR_US_TO_VERIFY); 109 X509err(X509_F_X509_VERIFY_CERT,X509_R_NO_CERT_SET_FOR_US_TO_VERIFY);
@@ -134,7 +136,7 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
134 136
135 num=sk_X509_num(ctx->chain); 137 num=sk_X509_num(ctx->chain);
136 x=sk_X509_value(ctx->chain,num-1); 138 x=sk_X509_value(ctx->chain,num-1);
137 depth=ctx->depth; 139 depth=param->depth;
138 140
139 141
140 for (;;) 142 for (;;)
@@ -162,7 +164,7 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
162 goto end; 164 goto end;
163 } 165 }
164 CRYPTO_add(&xtmp->references,1,CRYPTO_LOCK_X509); 166 CRYPTO_add(&xtmp->references,1,CRYPTO_LOCK_X509);
165 sk_X509_delete_ptr(sktmp,xtmp); 167 (void)sk_X509_delete_ptr(sktmp,xtmp);
166 ctx->last_untrusted++; 168 ctx->last_untrusted++;
167 x=xtmp; 169 x=xtmp;
168 num++; 170 num++;
@@ -201,6 +203,7 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
201 ctx->current_cert=x; 203 ctx->current_cert=x;
202 ctx->error_depth=i-1; 204 ctx->error_depth=i-1;
203 if (ok == 1) X509_free(xtmp); 205 if (ok == 1) X509_free(xtmp);
206 bad_chain = 1;
204 ok=cb(0,ctx); 207 ok=cb(0,ctx);
205 if (!ok) goto end; 208 if (!ok) goto end;
206 } 209 }
@@ -211,7 +214,7 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
211 */ 214 */
212 X509_free(x); 215 X509_free(x);
213 x = xtmp; 216 x = xtmp;
214 sk_X509_set(ctx->chain, i - 1, x); 217 (void)sk_X509_set(ctx->chain, i - 1, x);
215 ctx->last_untrusted=0; 218 ctx->last_untrusted=0;
216 } 219 }
217 } 220 }
@@ -276,6 +279,7 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
276 } 279 }
277 280
278 ctx->error_depth=num-1; 281 ctx->error_depth=num-1;
282 bad_chain = 1;
279 ok=cb(0,ctx); 283 ok=cb(0,ctx);
280 if (!ok) goto end; 284 if (!ok) goto end;
281 } 285 }
@@ -287,7 +291,7 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
287 291
288 /* The chain extensions are OK: check trust */ 292 /* The chain extensions are OK: check trust */
289 293
290 if (ctx->trust > 0) ok = check_trust(ctx); 294 if (param->trust > 0) ok = check_trust(ctx);
291 295
292 if (!ok) goto end; 296 if (!ok) goto end;
293 297
@@ -301,11 +305,25 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
301 ok = ctx->check_revocation(ctx); 305 ok = ctx->check_revocation(ctx);
302 if(!ok) goto end; 306 if(!ok) goto end;
303 307
304 /* At this point, we have a chain and just need to verify it */ 308 /* At this point, we have a chain and need to verify it */
305 if (ctx->verify != NULL) 309 if (ctx->verify != NULL)
306 ok=ctx->verify(ctx); 310 ok=ctx->verify(ctx);
307 else 311 else
308 ok=internal_verify(ctx); 312 ok=internal_verify(ctx);
313 if(!ok) goto end;
314
315#ifndef OPENSSL_NO_RFC3779
316 /* RFC 3779 path validation, now that CRL check has been done */
317 ok = v3_asid_validate_path(ctx);
318 if (!ok) goto end;
319 ok = v3_addr_validate_path(ctx);
320 if (!ok) goto end;
321#endif
322
323 /* If we get this far evaluate policies */
324 if (!bad_chain && (ctx->param->flags & X509_V_FLAG_POLICY_CHECK))
325 ok = ctx->check_policy(ctx);
326 if(!ok) goto end;
309 if (0) 327 if (0)
310 { 328 {
311end: 329end:
@@ -342,7 +360,7 @@ static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer)
342 if (ret == X509_V_OK) 360 if (ret == X509_V_OK)
343 return 1; 361 return 1;
344 /* If we haven't asked for issuer errors don't set ctx */ 362 /* If we haven't asked for issuer errors don't set ctx */
345 if (!(ctx->flags & X509_V_FLAG_CB_ISSUER_CHECK)) 363 if (!(ctx->param->flags & X509_V_FLAG_CB_ISSUER_CHECK))
346 return 0; 364 return 0;
347 365
348 ctx->error = ret; 366 ctx->error = ret;
@@ -365,7 +383,7 @@ static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
365 else 383 else
366 return 0; 384 return 0;
367} 385}
368 386
369 387
370/* Check a certificate chains extensions for consistency 388/* Check a certificate chains extensions for consistency
371 * with the supplied purpose 389 * with the supplied purpose
@@ -378,9 +396,10 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
378#else 396#else
379 int i, ok=0, must_be_ca; 397 int i, ok=0, must_be_ca;
380 X509 *x; 398 X509 *x;
381 int (*cb)(); 399 int (*cb)(int xok,X509_STORE_CTX *xctx);
382 int proxy_path_length = 0; 400 int proxy_path_length = 0;
383 int allow_proxy_certs = !!(ctx->flags & X509_V_FLAG_ALLOW_PROXY_CERTS); 401 int allow_proxy_certs =
402 !!(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS);
384 cb=ctx->verify_cb; 403 cb=ctx->verify_cb;
385 404
386 /* must_be_ca can have 1 of 3 values: 405 /* must_be_ca can have 1 of 3 values:
@@ -403,7 +422,7 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
403 { 422 {
404 int ret; 423 int ret;
405 x = sk_X509_value(ctx->chain, i); 424 x = sk_X509_value(ctx->chain, i);
406 if (!(ctx->flags & X509_V_FLAG_IGNORE_CRITICAL) 425 if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)
407 && (x->ex_flags & EXFLAG_CRITICAL)) 426 && (x->ex_flags & EXFLAG_CRITICAL))
408 { 427 {
409 ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION; 428 ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION;
@@ -424,7 +443,7 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
424 switch(must_be_ca) 443 switch(must_be_ca)
425 { 444 {
426 case -1: 445 case -1:
427 if ((ctx->flags & X509_V_FLAG_X509_STRICT) 446 if ((ctx->param->flags & X509_V_FLAG_X509_STRICT)
428 && (ret != 1) && (ret != 0)) 447 && (ret != 1) && (ret != 0))
429 { 448 {
430 ret = 0; 449 ret = 0;
@@ -444,7 +463,7 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
444 break; 463 break;
445 default: 464 default:
446 if ((ret == 0) 465 if ((ret == 0)
447 || ((ctx->flags & X509_V_FLAG_X509_STRICT) 466 || ((ctx->param->flags & X509_V_FLAG_X509_STRICT)
448 && (ret != 1))) 467 && (ret != 1)))
449 { 468 {
450 ret = 0; 469 ret = 0;
@@ -461,12 +480,12 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
461 ok=cb(0,ctx); 480 ok=cb(0,ctx);
462 if (!ok) goto end; 481 if (!ok) goto end;
463 } 482 }
464 if (ctx->purpose > 0) 483 if (ctx->param->purpose > 0)
465 { 484 {
466 ret = X509_check_purpose(x, ctx->purpose, 485 ret = X509_check_purpose(x, ctx->param->purpose,
467 must_be_ca > 0); 486 must_be_ca > 0);
468 if ((ret == 0) 487 if ((ret == 0)
469 || ((ctx->flags & X509_V_FLAG_X509_STRICT) 488 || ((ctx->param->flags & X509_V_FLAG_X509_STRICT)
470 && (ret != 1))) 489 && (ret != 1)))
471 { 490 {
472 ctx->error = X509_V_ERR_INVALID_PURPOSE; 491 ctx->error = X509_V_ERR_INVALID_PURPOSE;
@@ -492,21 +511,15 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
492 CA certificate. */ 511 CA certificate. */
493 if (x->ex_flags & EXFLAG_PROXY) 512 if (x->ex_flags & EXFLAG_PROXY)
494 { 513 {
495 PROXY_CERT_INFO_EXTENSION *pci = 514 if (x->ex_pcpathlen != -1 && i > x->ex_pcpathlen)
496 X509_get_ext_d2i(x, NID_proxyCertInfo,
497 NULL, NULL);
498 if (pci->pcPathLengthConstraint &&
499 ASN1_INTEGER_get(pci->pcPathLengthConstraint)
500 < i)
501 { 515 {
502 PROXY_CERT_INFO_EXTENSION_free(pci); 516 ctx->error =
503 ctx->error = X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED; 517 X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED;
504 ctx->error_depth = i; 518 ctx->error_depth = i;
505 ctx->current_cert = x; 519 ctx->current_cert = x;
506 ok=cb(0,ctx); 520 ok=cb(0,ctx);
507 if (!ok) goto end; 521 if (!ok) goto end;
508 } 522 }
509 PROXY_CERT_INFO_EXTENSION_free(pci);
510 proxy_path_length++; 523 proxy_path_length++;
511 must_be_ca = 0; 524 must_be_ca = 0;
512 } 525 }
@@ -526,12 +539,12 @@ static int check_trust(X509_STORE_CTX *ctx)
526#else 539#else
527 int i, ok; 540 int i, ok;
528 X509 *x; 541 X509 *x;
529 int (*cb)(); 542 int (*cb)(int xok,X509_STORE_CTX *xctx);
530 cb=ctx->verify_cb; 543 cb=ctx->verify_cb;
531/* For now just check the last certificate in the chain */ 544/* For now just check the last certificate in the chain */
532 i = sk_X509_num(ctx->chain) - 1; 545 i = sk_X509_num(ctx->chain) - 1;
533 x = sk_X509_value(ctx->chain, i); 546 x = sk_X509_value(ctx->chain, i);
534 ok = X509_check_trust(x, ctx->trust, 0); 547 ok = X509_check_trust(x, ctx->param->trust, 0);
535 if (ok == X509_TRUST_TRUSTED) 548 if (ok == X509_TRUST_TRUSTED)
536 return 1; 549 return 1;
537 ctx->error_depth = i; 550 ctx->error_depth = i;
@@ -548,9 +561,9 @@ static int check_trust(X509_STORE_CTX *ctx)
548static int check_revocation(X509_STORE_CTX *ctx) 561static int check_revocation(X509_STORE_CTX *ctx)
549 { 562 {
550 int i, last, ok; 563 int i, last, ok;
551 if (!(ctx->flags & X509_V_FLAG_CRL_CHECK)) 564 if (!(ctx->param->flags & X509_V_FLAG_CRL_CHECK))
552 return 1; 565 return 1;
553 if (ctx->flags & X509_V_FLAG_CRL_CHECK_ALL) 566 if (ctx->param->flags & X509_V_FLAG_CRL_CHECK_ALL)
554 last = sk_X509_num(ctx->chain) - 1; 567 last = sk_X509_num(ctx->chain) - 1;
555 else 568 else
556 last = 0; 569 last = 0;
@@ -593,17 +606,124 @@ static int check_cert(X509_STORE_CTX *ctx)
593 606
594 } 607 }
595 608
609/* Check CRL times against values in X509_STORE_CTX */
610
611static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)
612 {
613 time_t *ptime;
614 int i;
615 ctx->current_crl = crl;
616 if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
617 ptime = &ctx->param->check_time;
618 else
619 ptime = NULL;
620
621 i=X509_cmp_time(X509_CRL_get_lastUpdate(crl), ptime);
622 if (i == 0)
623 {
624 ctx->error=X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD;
625 if (!notify || !ctx->verify_cb(0, ctx))
626 return 0;
627 }
628
629 if (i > 0)
630 {
631 ctx->error=X509_V_ERR_CRL_NOT_YET_VALID;
632 if (!notify || !ctx->verify_cb(0, ctx))
633 return 0;
634 }
635
636 if(X509_CRL_get_nextUpdate(crl))
637 {
638 i=X509_cmp_time(X509_CRL_get_nextUpdate(crl), ptime);
639
640 if (i == 0)
641 {
642 ctx->error=X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD;
643 if (!notify || !ctx->verify_cb(0, ctx))
644 return 0;
645 }
646
647 if (i < 0)
648 {
649 ctx->error=X509_V_ERR_CRL_HAS_EXPIRED;
650 if (!notify || !ctx->verify_cb(0, ctx))
651 return 0;
652 }
653 }
654
655 ctx->current_crl = NULL;
656
657 return 1;
658 }
659
660/* Lookup CRLs from the supplied list. Look for matching isser name
661 * and validity. If we can't find a valid CRL return the last one
662 * with matching name. This gives more meaningful error codes. Otherwise
663 * we'd get a CRL not found error if a CRL existed with matching name but
664 * was invalid.
665 */
666
667static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl,
668 X509_NAME *nm, STACK_OF(X509_CRL) *crls)
669 {
670 int i;
671 X509_CRL *crl, *best_crl = NULL;
672 for (i = 0; i < sk_X509_CRL_num(crls); i++)
673 {
674 crl = sk_X509_CRL_value(crls, i);
675 if (X509_NAME_cmp(nm, X509_CRL_get_issuer(crl)))
676 continue;
677 if (check_crl_time(ctx, crl, 0))
678 {
679 *pcrl = crl;
680 CRYPTO_add(&crl->references, 1, CRYPTO_LOCK_X509);
681 return 1;
682 }
683 best_crl = crl;
684 }
685 if (best_crl)
686 {
687 *pcrl = best_crl;
688 CRYPTO_add(&best_crl->references, 1, CRYPTO_LOCK_X509);
689 }
690
691 return 0;
692 }
693
596/* Retrieve CRL corresponding to certificate: currently just a 694/* Retrieve CRL corresponding to certificate: currently just a
597 * subject lookup: maybe use AKID later... 695 * subject lookup: maybe use AKID later...
598 * Also might look up any included CRLs too (e.g PKCS#7 signedData).
599 */ 696 */
600static int get_crl(X509_STORE_CTX *ctx, X509_CRL **crl, X509 *x) 697static int get_crl(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509 *x)
601 { 698 {
602 int ok; 699 int ok;
700 X509_CRL *crl = NULL;
603 X509_OBJECT xobj; 701 X509_OBJECT xobj;
604 ok = X509_STORE_get_by_subject(ctx, X509_LU_CRL, X509_get_issuer_name(x), &xobj); 702 X509_NAME *nm;
605 if (!ok) return 0; 703 nm = X509_get_issuer_name(x);
606 *crl = xobj.data.crl; 704 ok = get_crl_sk(ctx, &crl, nm, ctx->crls);
705 if (ok)
706 {
707 *pcrl = crl;
708 return 1;
709 }
710
711 ok = X509_STORE_get_by_subject(ctx, X509_LU_CRL, nm, &xobj);
712
713 if (!ok)
714 {
715 /* If we got a near match from get_crl_sk use that */
716 if (crl)
717 {
718 *pcrl = crl;
719 return 1;
720 }
721 return 0;
722 }
723
724 *pcrl = xobj.data.crl;
725 if (crl)
726 X509_CRL_free(crl);
607 return 1; 727 return 1;
608 } 728 }
609 729
@@ -612,8 +732,7 @@ static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl)
612 { 732 {
613 X509 *issuer = NULL; 733 X509 *issuer = NULL;
614 EVP_PKEY *ikey = NULL; 734 EVP_PKEY *ikey = NULL;
615 int ok = 0, chnum, cnum, i; 735 int ok = 0, chnum, cnum;
616 time_t *ptime;
617 cnum = ctx->error_depth; 736 cnum = ctx->error_depth;
618 chnum = sk_X509_num(ctx->chain) - 1; 737 chnum = sk_X509_num(ctx->chain) - 1;
619 /* Find CRL issuer: if not last certificate then issuer 738 /* Find CRL issuer: if not last certificate then issuer
@@ -665,45 +784,9 @@ static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl)
665 } 784 }
666 } 785 }
667 786
668 /* OK, CRL signature valid check times */ 787 ok = check_crl_time(ctx, crl, 1);
669 if (ctx->flags & X509_V_FLAG_USE_CHECK_TIME) 788 if (!ok)
670 ptime = &ctx->check_time; 789 goto err;
671 else
672 ptime = NULL;
673
674 i=X509_cmp_time(X509_CRL_get_lastUpdate(crl), ptime);
675 if (i == 0)
676 {
677 ctx->error=X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD;
678 ok = ctx->verify_cb(0, ctx);
679 if (!ok) goto err;
680 }
681
682 if (i > 0)
683 {
684 ctx->error=X509_V_ERR_CRL_NOT_YET_VALID;
685 ok = ctx->verify_cb(0, ctx);
686 if (!ok) goto err;
687 }
688
689 if(X509_CRL_get_nextUpdate(crl))
690 {
691 i=X509_cmp_time(X509_CRL_get_nextUpdate(crl), ptime);
692
693 if (i == 0)
694 {
695 ctx->error=X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD;
696 ok = ctx->verify_cb(0, ctx);
697 if (!ok) goto err;
698 }
699
700 if (i < 0)
701 {
702 ctx->error=X509_V_ERR_CRL_HAS_EXPIRED;
703 ok = ctx->verify_cb(0, ctx);
704 if (!ok) goto err;
705 }
706 }
707 790
708 ok = 1; 791 ok = 1;
709 792
@@ -741,7 +824,7 @@ static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
741 if (!ok) return 0; 824 if (!ok) return 0;
742 } 825 }
743 826
744 if (ctx->flags & X509_V_FLAG_IGNORE_CRITICAL) 827 if (ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)
745 return 1; 828 return 1;
746 829
747 /* See if we have any critical CRL extensions: since we 830 /* See if we have any critical CRL extensions: since we
@@ -768,13 +851,106 @@ static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
768 return 1; 851 return 1;
769 } 852 }
770 853
854static int check_policy(X509_STORE_CTX *ctx)
855 {
856 int ret;
857 ret = X509_policy_check(&ctx->tree, &ctx->explicit_policy, ctx->chain,
858 ctx->param->policies, ctx->param->flags);
859 if (ret == 0)
860 {
861 X509err(X509_F_CHECK_POLICY,ERR_R_MALLOC_FAILURE);
862 return 0;
863 }
864 /* Invalid or inconsistent extensions */
865 if (ret == -1)
866 {
867 /* Locate certificates with bad extensions and notify
868 * callback.
869 */
870 X509 *x;
871 int i;
872 for (i = 1; i < sk_X509_num(ctx->chain); i++)
873 {
874 x = sk_X509_value(ctx->chain, i);
875 if (!(x->ex_flags & EXFLAG_INVALID_POLICY))
876 continue;
877 ctx->current_cert = x;
878 ctx->error = X509_V_ERR_INVALID_POLICY_EXTENSION;
879 ret = ctx->verify_cb(0, ctx);
880 }
881 return 1;
882 }
883 if (ret == -2)
884 {
885 ctx->current_cert = NULL;
886 ctx->error = X509_V_ERR_NO_EXPLICIT_POLICY;
887 return ctx->verify_cb(0, ctx);
888 }
889
890 if (ctx->param->flags & X509_V_FLAG_NOTIFY_POLICY)
891 {
892 ctx->current_cert = NULL;
893 ctx->error = X509_V_OK;
894 if (!ctx->verify_cb(2, ctx))
895 return 0;
896 }
897
898 return 1;
899 }
900
901static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)
902 {
903 time_t *ptime;
904 int i;
905
906 if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
907 ptime = &ctx->param->check_time;
908 else
909 ptime = NULL;
910
911 i=X509_cmp_time(X509_get_notBefore(x), ptime);
912 if (i == 0)
913 {
914 ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
915 ctx->current_cert=x;
916 if (!ctx->verify_cb(0, ctx))
917 return 0;
918 }
919
920 if (i > 0)
921 {
922 ctx->error=X509_V_ERR_CERT_NOT_YET_VALID;
923 ctx->current_cert=x;
924 if (!ctx->verify_cb(0, ctx))
925 return 0;
926 }
927
928 i=X509_cmp_time(X509_get_notAfter(x), ptime);
929 if (i == 0)
930 {
931 ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
932 ctx->current_cert=x;
933 if (!ctx->verify_cb(0, ctx))
934 return 0;
935 }
936
937 if (i < 0)
938 {
939 ctx->error=X509_V_ERR_CERT_HAS_EXPIRED;
940 ctx->current_cert=x;
941 if (!ctx->verify_cb(0, ctx))
942 return 0;
943 }
944
945 return 1;
946 }
947
771static int internal_verify(X509_STORE_CTX *ctx) 948static int internal_verify(X509_STORE_CTX *ctx)
772 { 949 {
773 int i,ok=0,n; 950 int ok=0,n;
774 X509 *xs,*xi; 951 X509 *xs,*xi;
775 EVP_PKEY *pkey=NULL; 952 EVP_PKEY *pkey=NULL;
776 time_t *ptime; 953 int (*cb)(int xok,X509_STORE_CTX *xctx);
777 int (*cb)();
778 954
779 cb=ctx->verify_cb; 955 cb=ctx->verify_cb;
780 956
@@ -782,10 +958,7 @@ static int internal_verify(X509_STORE_CTX *ctx)
782 ctx->error_depth=n-1; 958 ctx->error_depth=n-1;
783 n--; 959 n--;
784 xi=sk_X509_value(ctx->chain,n); 960 xi=sk_X509_value(ctx->chain,n);
785 if (ctx->flags & X509_V_FLAG_USE_CHECK_TIME) 961
786 ptime = &ctx->check_time;
787 else
788 ptime = NULL;
789 if (ctx->check_issued(ctx, xi, xi)) 962 if (ctx->check_issued(ctx, xi, xi))
790 xs=xi; 963 xs=xi;
791 else 964 else
@@ -838,41 +1011,13 @@ static int internal_verify(X509_STORE_CTX *ctx)
838 } 1011 }
839 EVP_PKEY_free(pkey); 1012 EVP_PKEY_free(pkey);
840 pkey=NULL; 1013 pkey=NULL;
841
842 i=X509_cmp_time(X509_get_notBefore(xs), ptime);
843 if (i == 0)
844 {
845 ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
846 ctx->current_cert=xs;
847 ok=(*cb)(0,ctx);
848 if (!ok) goto end;
849 }
850 if (i > 0)
851 {
852 ctx->error=X509_V_ERR_CERT_NOT_YET_VALID;
853 ctx->current_cert=xs;
854 ok=(*cb)(0,ctx);
855 if (!ok) goto end;
856 }
857 xs->valid=1;
858 } 1014 }
859 1015
860 i=X509_cmp_time(X509_get_notAfter(xs), ptime); 1016 xs->valid = 1;
861 if (i == 0)
862 {
863 ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
864 ctx->current_cert=xs;
865 ok=(*cb)(0,ctx);
866 if (!ok) goto end;
867 }
868 1017
869 if (i < 0) 1018 ok = check_cert_time(ctx, xs);
870 { 1019 if (!ok)
871 ctx->error=X509_V_ERR_CERT_HAS_EXPIRED; 1020 goto end;
872 ctx->current_cert=xs;
873 ok=(*cb)(0,ctx);
874 if (!ok) goto end;
875 }
876 1021
877 /* The last error (if any) is still in the error value */ 1022 /* The last error (if any) is still in the error value */
878 ctx->current_issuer=xi; 1023 ctx->current_issuer=xi;
@@ -1105,6 +1250,11 @@ void X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
1105 ctx->untrusted=sk; 1250 ctx->untrusted=sk;
1106 } 1251 }
1107 1252
1253void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk)
1254 {
1255 ctx->crls=sk;
1256 }
1257
1108int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose) 1258int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose)
1109 { 1259 {
1110 return X509_STORE_CTX_purpose_inherit(ctx, 0, purpose, 0); 1260 return X509_STORE_CTX_purpose_inherit(ctx, 0, purpose, 0);
@@ -1168,8 +1318,8 @@ int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose,
1168 } 1318 }
1169 } 1319 }
1170 1320
1171 if (purpose && !ctx->purpose) ctx->purpose = purpose; 1321 if (purpose && !ctx->param->purpose) ctx->param->purpose = purpose;
1172 if (trust && !ctx->trust) ctx->trust = trust; 1322 if (trust && !ctx->param->trust) ctx->param->trust = trust;
1173 return 1; 1323 return 1;
1174} 1324}
1175 1325
@@ -1195,20 +1345,30 @@ void X509_STORE_CTX_free(X509_STORE_CTX *ctx)
1195int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, 1345int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
1196 STACK_OF(X509) *chain) 1346 STACK_OF(X509) *chain)
1197 { 1347 {
1348 int ret = 1;
1198 ctx->ctx=store; 1349 ctx->ctx=store;
1199 ctx->current_method=0; 1350 ctx->current_method=0;
1200 ctx->cert=x509; 1351 ctx->cert=x509;
1201 ctx->untrusted=chain; 1352 ctx->untrusted=chain;
1353 ctx->crls = NULL;
1202 ctx->last_untrusted=0; 1354 ctx->last_untrusted=0;
1203 ctx->check_time=0;
1204 ctx->other_ctx=NULL; 1355 ctx->other_ctx=NULL;
1205 ctx->valid=0; 1356 ctx->valid=0;
1206 ctx->chain=NULL; 1357 ctx->chain=NULL;
1207 ctx->depth=9;
1208 ctx->error=0; 1358 ctx->error=0;
1359 ctx->explicit_policy=0;
1209 ctx->error_depth=0; 1360 ctx->error_depth=0;
1210 ctx->current_cert=NULL; 1361 ctx->current_cert=NULL;
1211 ctx->current_issuer=NULL; 1362 ctx->current_issuer=NULL;
1363 ctx->tree = NULL;
1364
1365 ctx->param = X509_VERIFY_PARAM_new();
1366
1367 if (!ctx->param)
1368 {
1369 X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE);
1370 return 0;
1371 }
1212 1372
1213 /* Inherit callbacks and flags from X509_STORE if not set 1373 /* Inherit callbacks and flags from X509_STORE if not set
1214 * use defaults. 1374 * use defaults.
@@ -1216,18 +1376,26 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
1216 1376
1217 1377
1218 if (store) 1378 if (store)
1379 ret = X509_VERIFY_PARAM_inherit(ctx->param, store->param);
1380 else
1381 ctx->param->flags |= X509_VP_FLAG_DEFAULT|X509_VP_FLAG_ONCE;
1382
1383 if (store)
1219 { 1384 {
1220 ctx->purpose=store->purpose; 1385 ctx->verify_cb = store->verify_cb;
1221 ctx->trust=store->trust;
1222 ctx->flags = store->flags;
1223 ctx->cleanup = store->cleanup; 1386 ctx->cleanup = store->cleanup;
1224 } 1387 }
1225 else 1388 else
1226 {
1227 ctx->purpose = 0;
1228 ctx->trust = 0;
1229 ctx->flags = 0;
1230 ctx->cleanup = 0; 1389 ctx->cleanup = 0;
1390
1391 if (ret)
1392 ret = X509_VERIFY_PARAM_inherit(ctx->param,
1393 X509_VERIFY_PARAM_lookup("default"));
1394
1395 if (ret == 0)
1396 {
1397 X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE);
1398 return 0;
1231 } 1399 }
1232 1400
1233 if (store && store->check_issued) 1401 if (store && store->check_issued)
@@ -1270,6 +1438,8 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
1270 else 1438 else
1271 ctx->cert_crl = cert_crl; 1439 ctx->cert_crl = cert_crl;
1272 1440
1441 ctx->check_policy = check_policy;
1442
1273 1443
1274 /* This memset() can't make any sense anyway, so it's removed. As 1444 /* This memset() can't make any sense anyway, so it's removed. As
1275 * X509_STORE_CTX_cleanup does a proper "free" on the ex_data, we put a 1445 * X509_STORE_CTX_cleanup does a proper "free" on the ex_data, we put a
@@ -1298,6 +1468,16 @@ void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
1298void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx) 1468void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx)
1299 { 1469 {
1300 if (ctx->cleanup) ctx->cleanup(ctx); 1470 if (ctx->cleanup) ctx->cleanup(ctx);
1471 if (ctx->param != NULL)
1472 {
1473 X509_VERIFY_PARAM_free(ctx->param);
1474 ctx->param=NULL;
1475 }
1476 if (ctx->tree != NULL)
1477 {
1478 X509_policy_tree_free(ctx->tree);
1479 ctx->tree=NULL;
1480 }
1301 if (ctx->chain != NULL) 1481 if (ctx->chain != NULL)
1302 { 1482 {
1303 sk_X509_pop_free(ctx->chain,X509_free); 1483 sk_X509_pop_free(ctx->chain,X509_free);
@@ -1307,15 +1487,19 @@ void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx)
1307 memset(&ctx->ex_data,0,sizeof(CRYPTO_EX_DATA)); 1487 memset(&ctx->ex_data,0,sizeof(CRYPTO_EX_DATA));
1308 } 1488 }
1309 1489
1310void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, long flags) 1490void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth)
1311 { 1491 {
1312 ctx->flags |= flags; 1492 X509_VERIFY_PARAM_set_depth(ctx->param, depth);
1313 } 1493 }
1314 1494
1315void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, long flags, time_t t) 1495void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, unsigned long flags)
1316 { 1496 {
1317 ctx->check_time = t; 1497 X509_VERIFY_PARAM_set_flags(ctx->param, flags);
1318 ctx->flags |= X509_V_FLAG_USE_CHECK_TIME; 1498 }
1499
1500void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, unsigned long flags, time_t t)
1501 {
1502 X509_VERIFY_PARAM_set_time(ctx->param, t);
1319 } 1503 }
1320 1504
1321void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx, 1505void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx,
@@ -1324,6 +1508,37 @@ void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx,
1324 ctx->verify_cb=verify_cb; 1508 ctx->verify_cb=verify_cb;
1325 } 1509 }
1326 1510
1511X509_POLICY_TREE *X509_STORE_CTX_get0_policy_tree(X509_STORE_CTX *ctx)
1512 {
1513 return ctx->tree;
1514 }
1515
1516int X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx)
1517 {
1518 return ctx->explicit_policy;
1519 }
1520
1521int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name)
1522 {
1523 const X509_VERIFY_PARAM *param;
1524 param = X509_VERIFY_PARAM_lookup(name);
1525 if (!param)
1526 return 0;
1527 return X509_VERIFY_PARAM_inherit(ctx->param, param);
1528 }
1529
1530X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx)
1531 {
1532 return ctx->param;
1533 }
1534
1535void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param)
1536 {
1537 if (ctx->param)
1538 X509_VERIFY_PARAM_free(ctx->param);
1539 ctx->param = param;
1540 }
1541
1327IMPLEMENT_STACK_OF(X509) 1542IMPLEMENT_STACK_OF(X509)
1328IMPLEMENT_ASN1_SET_OF(X509) 1543IMPLEMENT_ASN1_SET_OF(X509)
1329 1544
diff --git a/src/lib/libcrypto/x509/x509_vfy.h b/src/lib/libcrypto/x509/x509_vfy.h
index 7fd1f0bc4d..76c76e1719 100644
--- a/src/lib/libcrypto/x509/x509_vfy.h
+++ b/src/lib/libcrypto/x509/x509_vfy.h
@@ -65,6 +65,7 @@
65#ifndef HEADER_X509_VFY_H 65#ifndef HEADER_X509_VFY_H
66#define HEADER_X509_VFY_H 66#define HEADER_X509_VFY_H
67 67
68#include <openssl/opensslconf.h>
68#ifndef OPENSSL_NO_LHASH 69#ifndef OPENSSL_NO_LHASH
69#include <openssl/lhash.h> 70#include <openssl/lhash.h>
70#endif 71#endif
@@ -155,6 +156,25 @@ typedef struct x509_lookup_method_st
155 X509_OBJECT *ret); 156 X509_OBJECT *ret);
156 } X509_LOOKUP_METHOD; 157 } X509_LOOKUP_METHOD;
157 158
159/* This structure hold all parameters associated with a verify operation
160 * by including an X509_VERIFY_PARAM structure in related structures the
161 * parameters used can be customized
162 */
163
164typedef struct X509_VERIFY_PARAM_st
165 {
166 char *name;
167 time_t check_time; /* Time to use */
168 unsigned long inh_flags; /* Inheritance flags */
169 unsigned long flags; /* Various verify flags */
170 int purpose; /* purpose to check untrusted certificates */
171 int trust; /* trust setting to check */
172 int depth; /* Verify depth */
173 STACK_OF(ASN1_OBJECT) *policies; /* Permissible policies */
174 } X509_VERIFY_PARAM;
175
176DECLARE_STACK_OF(X509_VERIFY_PARAM)
177
158/* This is used to hold everything. It is used for all certificate 178/* This is used to hold everything. It is used for all certificate
159 * validation. Once we have a certificate chain, the 'verify' 179 * validation. Once we have a certificate chain, the 'verify'
160 * function is then called to actually check the cert chain. */ 180 * function is then called to actually check the cert chain. */
@@ -167,13 +187,8 @@ struct x509_store_st
167 /* These are external lookup methods */ 187 /* These are external lookup methods */
168 STACK_OF(X509_LOOKUP) *get_cert_methods; 188 STACK_OF(X509_LOOKUP) *get_cert_methods;
169 189
170 /* The following fields are not used by X509_STORE but are 190 X509_VERIFY_PARAM *param;
171 * inherited by X509_STORE_CTX when it is initialised.
172 */
173 191
174 unsigned long flags; /* Various verify flags */
175 int purpose;
176 int trust;
177 /* Callbacks for various operations */ 192 /* Callbacks for various operations */
178 int (*verify)(X509_STORE_CTX *ctx); /* called to verify a certificate */ 193 int (*verify)(X509_STORE_CTX *ctx); /* called to verify a certificate */
179 int (*verify_cb)(int ok,X509_STORE_CTX *ctx); /* error callback */ 194 int (*verify_cb)(int ok,X509_STORE_CTX *ctx); /* error callback */
@@ -187,10 +202,9 @@ struct x509_store_st
187 202
188 CRYPTO_EX_DATA ex_data; 203 CRYPTO_EX_DATA ex_data;
189 int references; 204 int references;
190 int depth; /* how deep to look (still unused -- X509_STORE_CTX's depth is used) */
191 } /* X509_STORE */; 205 } /* X509_STORE */;
192 206
193#define X509_STORE_set_depth(ctx,d) ((ctx)->depth=(d)) 207int X509_STORE_set_depth(X509_STORE *store, int depth);
194 208
195#define X509_STORE_set_verify_cb_func(ctx,func) ((ctx)->verify_cb=(func)) 209#define X509_STORE_set_verify_cb_func(ctx,func) ((ctx)->verify_cb=(func))
196#define X509_STORE_set_verify_func(ctx,func) ((ctx)->verify=(func)) 210#define X509_STORE_set_verify_func(ctx,func) ((ctx)->verify=(func))
@@ -217,10 +231,9 @@ struct x509_store_ctx_st /* X509_STORE_CTX */
217 /* The following are set by the caller */ 231 /* The following are set by the caller */
218 X509 *cert; /* The cert to check */ 232 X509 *cert; /* The cert to check */
219 STACK_OF(X509) *untrusted; /* chain of X509s - untrusted - passed in */ 233 STACK_OF(X509) *untrusted; /* chain of X509s - untrusted - passed in */
220 int purpose; /* purpose to check untrusted certificates */ 234 STACK_OF(X509_CRL) *crls; /* set of CRLs passed in */
221 int trust; /* trust setting to check */ 235
222 time_t check_time; /* time to make verify at */ 236 X509_VERIFY_PARAM *param;
223 unsigned long flags; /* Various verify flags */
224 void *other_ctx; /* Other info for use with get_issuer() */ 237 void *other_ctx; /* Other info for use with get_issuer() */
225 238
226 /* Callbacks for various operations */ 239 /* Callbacks for various operations */
@@ -232,13 +245,16 @@ struct x509_store_ctx_st /* X509_STORE_CTX */
232 int (*get_crl)(X509_STORE_CTX *ctx, X509_CRL **crl, X509 *x); /* retrieve CRL */ 245 int (*get_crl)(X509_STORE_CTX *ctx, X509_CRL **crl, X509 *x); /* retrieve CRL */
233 int (*check_crl)(X509_STORE_CTX *ctx, X509_CRL *crl); /* Check CRL validity */ 246 int (*check_crl)(X509_STORE_CTX *ctx, X509_CRL *crl); /* Check CRL validity */
234 int (*cert_crl)(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x); /* Check certificate against CRL */ 247 int (*cert_crl)(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x); /* Check certificate against CRL */
248 int (*check_policy)(X509_STORE_CTX *ctx);
235 int (*cleanup)(X509_STORE_CTX *ctx); 249 int (*cleanup)(X509_STORE_CTX *ctx);
236 250
237 /* The following is built up */ 251 /* The following is built up */
238 int depth; /* how far to go looking up certs */
239 int valid; /* if 0, rebuild chain */ 252 int valid; /* if 0, rebuild chain */
240 int last_untrusted; /* index of last untrusted cert */ 253 int last_untrusted; /* index of last untrusted cert */
241 STACK_OF(X509) *chain; /* chain of X509s - built up and trusted */ 254 STACK_OF(X509) *chain; /* chain of X509s - built up and trusted */
255 X509_POLICY_TREE *tree; /* Valid policy tree */
256
257 int explicit_policy; /* Require explicit policy value */
242 258
243 /* When something goes wrong, this is why */ 259 /* When something goes wrong, this is why */
244 int error_depth; 260 int error_depth;
@@ -250,7 +266,7 @@ struct x509_store_ctx_st /* X509_STORE_CTX */
250 CRYPTO_EX_DATA ex_data; 266 CRYPTO_EX_DATA ex_data;
251 } /* X509_STORE_CTX */; 267 } /* X509_STORE_CTX */;
252 268
253#define X509_STORE_CTX_set_depth(ctx,d) ((ctx)->depth=(d)) 269void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
254 270
255#define X509_STORE_CTX_set_app_data(ctx,data) \ 271#define X509_STORE_CTX_set_app_data(ctx,data) \
256 X509_STORE_CTX_set_ex_data(ctx,0,data) 272 X509_STORE_CTX_set_ex_data(ctx,0,data)
@@ -311,6 +327,12 @@ struct x509_store_ctx_st /* X509_STORE_CTX */
311#define X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE 39 327#define X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE 39
312#define X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED 40 328#define X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED 40
313 329
330#define X509_V_ERR_INVALID_EXTENSION 41
331#define X509_V_ERR_INVALID_POLICY_EXTENSION 42
332#define X509_V_ERR_NO_EXPLICIT_POLICY 43
333
334#define X509_V_ERR_UNNESTED_RESOURCE 44
335
314/* The application is not happy */ 336/* The application is not happy */
315#define X509_V_ERR_APPLICATION_VERIFICATION 50 337#define X509_V_ERR_APPLICATION_VERIFICATION 50
316 338
@@ -330,6 +352,28 @@ struct x509_store_ctx_st /* X509_STORE_CTX */
330#define X509_V_FLAG_X509_STRICT 0x20 352#define X509_V_FLAG_X509_STRICT 0x20
331/* Enable proxy certificate validation */ 353/* Enable proxy certificate validation */
332#define X509_V_FLAG_ALLOW_PROXY_CERTS 0x40 354#define X509_V_FLAG_ALLOW_PROXY_CERTS 0x40
355/* Enable policy checking */
356#define X509_V_FLAG_POLICY_CHECK 0x80
357/* Policy variable require-explicit-policy */
358#define X509_V_FLAG_EXPLICIT_POLICY 0x100
359/* Policy variable inhibit-any-policy */
360#define X509_V_FLAG_INHIBIT_ANY 0x200
361/* Policy variable inhibit-policy-mapping */
362#define X509_V_FLAG_INHIBIT_MAP 0x400
363/* Notify callback that policy is OK */
364#define X509_V_FLAG_NOTIFY_POLICY 0x800
365
366#define X509_VP_FLAG_DEFAULT 0x1
367#define X509_VP_FLAG_OVERWRITE 0x2
368#define X509_VP_FLAG_RESET_FLAGS 0x4
369#define X509_VP_FLAG_LOCKED 0x8
370#define X509_VP_FLAG_ONCE 0x10
371
372/* Internal use: mask of policy related options */
373#define X509_V_FLAG_POLICY_MASK (X509_V_FLAG_POLICY_CHECK \
374 | X509_V_FLAG_EXPLICIT_POLICY \
375 | X509_V_FLAG_INHIBIT_ANY \
376 | X509_V_FLAG_INHIBIT_MAP)
333 377
334int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, int type, 378int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, int type,
335 X509_NAME *name); 379 X509_NAME *name);
@@ -340,9 +384,10 @@ void X509_OBJECT_free_contents(X509_OBJECT *a);
340X509_STORE *X509_STORE_new(void ); 384X509_STORE *X509_STORE_new(void );
341void X509_STORE_free(X509_STORE *v); 385void X509_STORE_free(X509_STORE *v);
342 386
343void X509_STORE_set_flags(X509_STORE *ctx, long flags); 387int X509_STORE_set_flags(X509_STORE *ctx, unsigned long flags);
344int X509_STORE_set_purpose(X509_STORE *ctx, int purpose); 388int X509_STORE_set_purpose(X509_STORE *ctx, int purpose);
345int X509_STORE_set_trust(X509_STORE *ctx, int trust); 389int X509_STORE_set_trust(X509_STORE *ctx, int trust);
390int X509_STORE_set1_param(X509_STORE *ctx, X509_VERIFY_PARAM *pm);
346 391
347X509_STORE_CTX *X509_STORE_CTX_new(void); 392X509_STORE_CTX *X509_STORE_CTX_new(void);
348 393
@@ -406,14 +451,78 @@ STACK_OF(X509) *X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx);
406STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx); 451STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx);
407void X509_STORE_CTX_set_cert(X509_STORE_CTX *c,X509 *x); 452void X509_STORE_CTX_set_cert(X509_STORE_CTX *c,X509 *x);
408void X509_STORE_CTX_set_chain(X509_STORE_CTX *c,STACK_OF(X509) *sk); 453void X509_STORE_CTX_set_chain(X509_STORE_CTX *c,STACK_OF(X509) *sk);
454void X509_STORE_CTX_set0_crls(X509_STORE_CTX *c,STACK_OF(X509_CRL) *sk);
409int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose); 455int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose);
410int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust); 456int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust);
411int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose, 457int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose,
412 int purpose, int trust); 458 int purpose, int trust);
413void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, long flags); 459void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, unsigned long flags);
414void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, long flags, time_t t); 460void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, unsigned long flags,
461 time_t t);
415void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx, 462void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx,
416 int (*verify_cb)(int, X509_STORE_CTX *)); 463 int (*verify_cb)(int, X509_STORE_CTX *));
464
465X509_POLICY_TREE *X509_STORE_CTX_get0_policy_tree(X509_STORE_CTX *ctx);
466int X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx);
467
468X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx);
469void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param);
470int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name);
471
472/* X509_VERIFY_PARAM functions */
473
474X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void);
475void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param);
476int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *to,
477 const X509_VERIFY_PARAM *from);
478int X509_VERIFY_PARAM_set1(X509_VERIFY_PARAM *to,
479 const X509_VERIFY_PARAM *from);
480int X509_VERIFY_PARAM_set1_name(X509_VERIFY_PARAM *param, const char *name);
481int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, unsigned long flags);
482int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param,
483 unsigned long flags);
484unsigned long X509_VERIFY_PARAM_get_flags(X509_VERIFY_PARAM *param);
485int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param, int purpose);
486int X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *param, int trust);
487void X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param, int depth);
488void X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param, time_t t);
489int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param,
490 ASN1_OBJECT *policy);
491int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param,
492 STACK_OF(ASN1_OBJECT) *policies);
493int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param);
494
495int X509_VERIFY_PARAM_add0_table(X509_VERIFY_PARAM *param);
496const X509_VERIFY_PARAM *X509_VERIFY_PARAM_lookup(const char *name);
497void X509_VERIFY_PARAM_table_cleanup(void);
498
499int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy,
500 STACK_OF(X509) *certs,
501 STACK_OF(ASN1_OBJECT) *policy_oids,
502 unsigned int flags);
503
504void X509_policy_tree_free(X509_POLICY_TREE *tree);
505
506int X509_policy_tree_level_count(const X509_POLICY_TREE *tree);
507X509_POLICY_LEVEL *
508 X509_policy_tree_get0_level(const X509_POLICY_TREE *tree, int i);
509
510STACK_OF(X509_POLICY_NODE) *
511 X509_policy_tree_get0_policies(const X509_POLICY_TREE *tree);
512
513STACK_OF(X509_POLICY_NODE) *
514 X509_policy_tree_get0_user_policies(const X509_POLICY_TREE *tree);
515
516int X509_policy_level_node_count(X509_POLICY_LEVEL *level);
517
518X509_POLICY_NODE *X509_policy_level_get0_node(X509_POLICY_LEVEL *level, int i);
519
520const ASN1_OBJECT *X509_policy_node_get0_policy(const X509_POLICY_NODE *node);
521
522STACK_OF(POLICYQUALINFO) *
523 X509_policy_node_get0_qualifiers(const X509_POLICY_NODE *node);
524const X509_POLICY_NODE *
525 X509_policy_node_get0_parent(const X509_POLICY_NODE *node);
417 526
418#ifdef __cplusplus 527#ifdef __cplusplus
419} 528}
diff --git a/src/lib/libcrypto/x509/x509spki.c b/src/lib/libcrypto/x509/x509spki.c
index 4c3af946ec..ed868b838e 100644
--- a/src/lib/libcrypto/x509/x509spki.c
+++ b/src/lib/libcrypto/x509/x509spki.c
@@ -77,7 +77,8 @@ EVP_PKEY *NETSCAPE_SPKI_get_pubkey(NETSCAPE_SPKI *x)
77 77
78NETSCAPE_SPKI * NETSCAPE_SPKI_b64_decode(const char *str, int len) 78NETSCAPE_SPKI * NETSCAPE_SPKI_b64_decode(const char *str, int len)
79{ 79{
80 unsigned char *spki_der, *p; 80 unsigned char *spki_der;
81 const unsigned char *p;
81 int spki_len; 82 int spki_len;
82 NETSCAPE_SPKI *spki; 83 NETSCAPE_SPKI *spki;
83 if(len <= 0) len = strlen(str); 84 if(len <= 0) len = strlen(str);
diff --git a/src/lib/libcrypto/x509/x509type.c b/src/lib/libcrypto/x509/x509type.c
index c25959a742..2cd994c5b0 100644
--- a/src/lib/libcrypto/x509/x509type.c
+++ b/src/lib/libcrypto/x509/x509type.c
@@ -86,6 +86,9 @@ int X509_certificate_type(X509 *x, EVP_PKEY *pkey)
86 case EVP_PKEY_DSA: 86 case EVP_PKEY_DSA:
87 ret=EVP_PK_DSA|EVP_PKT_SIGN; 87 ret=EVP_PK_DSA|EVP_PKT_SIGN;
88 break; 88 break;
89 case EVP_PKEY_EC:
90 ret=EVP_PK_EC|EVP_PKT_SIGN|EVP_PKT_EXCH;
91 break;
89 case EVP_PKEY_DH: 92 case EVP_PKEY_DH:
90 ret=EVP_PK_DH|EVP_PKT_EXCH; 93 ret=EVP_PK_DH|EVP_PKT_EXCH;
91 break; 94 break;
@@ -102,6 +105,9 @@ int X509_certificate_type(X509 *x, EVP_PKEY *pkey)
102 case EVP_PKEY_DSA: 105 case EVP_PKEY_DSA:
103 ret|=EVP_PKS_DSA; 106 ret|=EVP_PKS_DSA;
104 break; 107 break;
108 case EVP_PKEY_EC:
109 ret|=EVP_PKS_EC;
110 break;
105 default: 111 default:
106 break; 112 break;
107 } 113 }
diff --git a/src/lib/libcrypto/x509/x_all.c b/src/lib/libcrypto/x509/x_all.c
index ac6dea493a..9039caad60 100644
--- a/src/lib/libcrypto/x509/x_all.c
+++ b/src/lib/libcrypto/x509/x_all.c
@@ -64,6 +64,12 @@
64#include <openssl/asn1.h> 64#include <openssl/asn1.h>
65#include <openssl/evp.h> 65#include <openssl/evp.h>
66#include <openssl/x509.h> 66#include <openssl/x509.h>
67#ifndef OPENSSL_NO_RSA
68#include <openssl/rsa.h>
69#endif
70#ifndef OPENSSL_NO_DSA
71#include <openssl/dsa.h>
72#endif
67 73
68int X509_verify(X509 *a, EVP_PKEY *r) 74int X509_verify(X509 *a, EVP_PKEY *r)
69 { 75 {
@@ -223,9 +229,9 @@ RSA *d2i_RSAPublicKey_fp(FILE *fp, RSA **rsa)
223 229
224RSA *d2i_RSA_PUBKEY_fp(FILE *fp, RSA **rsa) 230RSA *d2i_RSA_PUBKEY_fp(FILE *fp, RSA **rsa)
225 { 231 {
226 return((RSA *)ASN1_d2i_fp((char *(*)()) 232 return ASN1_d2i_fp((void *(*)(void))
227 RSA_new,(char *(*)())d2i_RSA_PUBKEY, (fp), 233 RSA_new,(D2I_OF(void))d2i_RSA_PUBKEY, fp,
228 (unsigned char **)(rsa))); 234 (void **)rsa);
229 } 235 }
230 236
231int i2d_RSAPublicKey_fp(FILE *fp, RSA *rsa) 237int i2d_RSAPublicKey_fp(FILE *fp, RSA *rsa)
@@ -235,7 +241,7 @@ int i2d_RSAPublicKey_fp(FILE *fp, RSA *rsa)
235 241
236int i2d_RSA_PUBKEY_fp(FILE *fp, RSA *rsa) 242int i2d_RSA_PUBKEY_fp(FILE *fp, RSA *rsa)
237 { 243 {
238 return(ASN1_i2d_fp(i2d_RSA_PUBKEY,fp,(unsigned char *)rsa)); 244 return ASN1_i2d_fp((I2D_OF(void))i2d_RSA_PUBKEY,fp,rsa);
239 } 245 }
240#endif 246#endif
241 247
@@ -257,9 +263,7 @@ RSA *d2i_RSAPublicKey_bio(BIO *bp, RSA **rsa)
257 263
258RSA *d2i_RSA_PUBKEY_bio(BIO *bp, RSA **rsa) 264RSA *d2i_RSA_PUBKEY_bio(BIO *bp, RSA **rsa)
259 { 265 {
260 return((RSA *)ASN1_d2i_bio((char *(*)()) 266 return ASN1_d2i_bio_of(RSA,RSA_new,d2i_RSA_PUBKEY,bp,rsa);
261 RSA_new,(char *(*)())d2i_RSA_PUBKEY, (bp),
262 (unsigned char **)(rsa)));
263 } 267 }
264 268
265int i2d_RSAPublicKey_bio(BIO *bp, RSA *rsa) 269int i2d_RSAPublicKey_bio(BIO *bp, RSA *rsa)
@@ -269,7 +273,7 @@ int i2d_RSAPublicKey_bio(BIO *bp, RSA *rsa)
269 273
270int i2d_RSA_PUBKEY_bio(BIO *bp, RSA *rsa) 274int i2d_RSA_PUBKEY_bio(BIO *bp, RSA *rsa)
271 { 275 {
272 return(ASN1_i2d_bio(i2d_RSA_PUBKEY,bp,(unsigned char *)rsa)); 276 return ASN1_i2d_bio_of(RSA,i2d_RSA_PUBKEY,bp,rsa);
273 } 277 }
274#endif 278#endif
275 279
@@ -277,55 +281,92 @@ int i2d_RSA_PUBKEY_bio(BIO *bp, RSA *rsa)
277#ifndef OPENSSL_NO_FP_API 281#ifndef OPENSSL_NO_FP_API
278DSA *d2i_DSAPrivateKey_fp(FILE *fp, DSA **dsa) 282DSA *d2i_DSAPrivateKey_fp(FILE *fp, DSA **dsa)
279 { 283 {
280 return((DSA *)ASN1_d2i_fp((char *(*)()) 284 return ASN1_d2i_fp_of(DSA,DSA_new,d2i_DSAPrivateKey,fp,dsa);
281 DSA_new,(char *(*)())d2i_DSAPrivateKey, (fp),
282 (unsigned char **)(dsa)));
283 } 285 }
284 286
285int i2d_DSAPrivateKey_fp(FILE *fp, DSA *dsa) 287int i2d_DSAPrivateKey_fp(FILE *fp, DSA *dsa)
286 { 288 {
287 return(ASN1_i2d_fp(i2d_DSAPrivateKey,fp,(unsigned char *)dsa)); 289 return ASN1_i2d_fp_of_const(DSA,i2d_DSAPrivateKey,fp,dsa);
288 } 290 }
289 291
290DSA *d2i_DSA_PUBKEY_fp(FILE *fp, DSA **dsa) 292DSA *d2i_DSA_PUBKEY_fp(FILE *fp, DSA **dsa)
291 { 293 {
292 return((DSA *)ASN1_d2i_fp((char *(*)()) 294 return ASN1_d2i_fp_of(DSA,DSA_new,d2i_DSA_PUBKEY,fp,dsa);
293 DSA_new,(char *(*)())d2i_DSA_PUBKEY, (fp),
294 (unsigned char **)(dsa)));
295 } 295 }
296 296
297int i2d_DSA_PUBKEY_fp(FILE *fp, DSA *dsa) 297int i2d_DSA_PUBKEY_fp(FILE *fp, DSA *dsa)
298 { 298 {
299 return(ASN1_i2d_fp(i2d_DSA_PUBKEY,fp,(unsigned char *)dsa)); 299 return ASN1_i2d_fp_of(DSA,i2d_DSA_PUBKEY,fp,dsa);
300 } 300 }
301#endif 301#endif
302 302
303DSA *d2i_DSAPrivateKey_bio(BIO *bp, DSA **dsa) 303DSA *d2i_DSAPrivateKey_bio(BIO *bp, DSA **dsa)
304 { 304 {
305 return((DSA *)ASN1_d2i_bio((char *(*)()) 305 return ASN1_d2i_bio_of(DSA,DSA_new,d2i_DSAPrivateKey,bp,dsa
306 DSA_new,(char *(*)())d2i_DSAPrivateKey, (bp), 306);
307 (unsigned char **)(dsa)));
308 } 307 }
309 308
310int i2d_DSAPrivateKey_bio(BIO *bp, DSA *dsa) 309int i2d_DSAPrivateKey_bio(BIO *bp, DSA *dsa)
311 { 310 {
312 return(ASN1_i2d_bio(i2d_DSAPrivateKey,bp,(unsigned char *)dsa)); 311 return ASN1_i2d_bio_of_const(DSA,i2d_DSAPrivateKey,bp,dsa);
313 } 312 }
314 313
315DSA *d2i_DSA_PUBKEY_bio(BIO *bp, DSA **dsa) 314DSA *d2i_DSA_PUBKEY_bio(BIO *bp, DSA **dsa)
316 { 315 {
317 return((DSA *)ASN1_d2i_bio((char *(*)()) 316 return ASN1_d2i_bio_of(DSA,DSA_new,d2i_DSA_PUBKEY,bp,dsa);
318 DSA_new,(char *(*)())d2i_DSA_PUBKEY, (bp),
319 (unsigned char **)(dsa)));
320 } 317 }
321 318
322int i2d_DSA_PUBKEY_bio(BIO *bp, DSA *dsa) 319int i2d_DSA_PUBKEY_bio(BIO *bp, DSA *dsa)
323 { 320 {
324 return(ASN1_i2d_bio(i2d_DSA_PUBKEY,bp,(unsigned char *)dsa)); 321 return ASN1_i2d_bio_of(DSA,i2d_DSA_PUBKEY,bp,dsa);
325 } 322 }
326 323
327#endif 324#endif
328 325
326#ifndef OPENSSL_NO_EC
327#ifndef OPENSSL_NO_FP_API
328EC_KEY *d2i_EC_PUBKEY_fp(FILE *fp, EC_KEY **eckey)
329 {
330 return ASN1_d2i_fp_of(EC_KEY,EC_KEY_new,d2i_EC_PUBKEY,fp,eckey);
331 }
332
333int i2d_EC_PUBKEY_fp(FILE *fp, EC_KEY *eckey)
334 {
335 return ASN1_i2d_fp_of(EC_KEY,i2d_EC_PUBKEY,fp,eckey);
336 }
337
338EC_KEY *d2i_ECPrivateKey_fp(FILE *fp, EC_KEY **eckey)
339 {
340 return ASN1_d2i_fp_of(EC_KEY,EC_KEY_new,d2i_ECPrivateKey,fp,eckey);
341 }
342
343int i2d_ECPrivateKey_fp(FILE *fp, EC_KEY *eckey)
344 {
345 return ASN1_i2d_fp_of(EC_KEY,i2d_ECPrivateKey,fp,eckey);
346 }
347#endif
348EC_KEY *d2i_EC_PUBKEY_bio(BIO *bp, EC_KEY **eckey)
349 {
350 return ASN1_d2i_bio_of(EC_KEY,EC_KEY_new,d2i_EC_PUBKEY,bp,eckey);
351 }
352
353int i2d_EC_PUBKEY_bio(BIO *bp, EC_KEY *ecdsa)
354 {
355 return ASN1_i2d_bio_of(EC_KEY,i2d_EC_PUBKEY,bp,ecdsa);
356 }
357
358EC_KEY *d2i_ECPrivateKey_bio(BIO *bp, EC_KEY **eckey)
359 {
360 return ASN1_d2i_bio_of(EC_KEY,EC_KEY_new,d2i_ECPrivateKey,bp,eckey);
361 }
362
363int i2d_ECPrivateKey_bio(BIO *bp, EC_KEY *eckey)
364 {
365 return ASN1_i2d_bio_of(EC_KEY,i2d_ECPrivateKey,bp,eckey);
366 }
367#endif
368
369
329int X509_pubkey_digest(const X509 *data, const EVP_MD *type, unsigned char *md, 370int X509_pubkey_digest(const X509 *data, const EVP_MD *type, unsigned char *md,
330 unsigned int *len) 371 unsigned int *len)
331 { 372 {
@@ -370,40 +411,37 @@ int PKCS7_ISSUER_AND_SERIAL_digest(PKCS7_ISSUER_AND_SERIAL *data, const EVP_MD *
370#ifndef OPENSSL_NO_FP_API 411#ifndef OPENSSL_NO_FP_API
371X509_SIG *d2i_PKCS8_fp(FILE *fp, X509_SIG **p8) 412X509_SIG *d2i_PKCS8_fp(FILE *fp, X509_SIG **p8)
372 { 413 {
373 return((X509_SIG *)ASN1_d2i_fp((char *(*)())X509_SIG_new, 414 return ASN1_d2i_fp_of(X509_SIG,X509_SIG_new,d2i_X509_SIG,fp,p8);
374 (char *(*)())d2i_X509_SIG, (fp),(unsigned char **)(p8)));
375 } 415 }
376 416
377int i2d_PKCS8_fp(FILE *fp, X509_SIG *p8) 417int i2d_PKCS8_fp(FILE *fp, X509_SIG *p8)
378 { 418 {
379 return(ASN1_i2d_fp(i2d_X509_SIG,fp,(unsigned char *)p8)); 419 return ASN1_i2d_fp_of(X509_SIG,i2d_X509_SIG,fp,p8);
380 } 420 }
381#endif 421#endif
382 422
383X509_SIG *d2i_PKCS8_bio(BIO *bp, X509_SIG **p8) 423X509_SIG *d2i_PKCS8_bio(BIO *bp, X509_SIG **p8)
384 { 424 {
385 return((X509_SIG *)ASN1_d2i_bio((char *(*)())X509_SIG_new, 425 return ASN1_d2i_bio_of(X509_SIG,X509_SIG_new,d2i_X509_SIG,bp,p8);
386 (char *(*)())d2i_X509_SIG, (bp),(unsigned char **)(p8)));
387 } 426 }
388 427
389int i2d_PKCS8_bio(BIO *bp, X509_SIG *p8) 428int i2d_PKCS8_bio(BIO *bp, X509_SIG *p8)
390 { 429 {
391 return(ASN1_i2d_bio(i2d_X509_SIG,bp,(unsigned char *)p8)); 430 return ASN1_i2d_bio_of(X509_SIG,i2d_X509_SIG,bp,p8);
392 } 431 }
393 432
394#ifndef OPENSSL_NO_FP_API 433#ifndef OPENSSL_NO_FP_API
395PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_fp(FILE *fp, 434PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_fp(FILE *fp,
396 PKCS8_PRIV_KEY_INFO **p8inf) 435 PKCS8_PRIV_KEY_INFO **p8inf)
397 { 436 {
398 return((PKCS8_PRIV_KEY_INFO *)ASN1_d2i_fp( 437 return ASN1_d2i_fp_of(PKCS8_PRIV_KEY_INFO,PKCS8_PRIV_KEY_INFO_new,
399 (char *(*)())PKCS8_PRIV_KEY_INFO_new, 438 d2i_PKCS8_PRIV_KEY_INFO,fp,p8inf);
400 (char *(*)())d2i_PKCS8_PRIV_KEY_INFO, (fp),
401 (unsigned char **)(p8inf)));
402 } 439 }
403 440
404int i2d_PKCS8_PRIV_KEY_INFO_fp(FILE *fp, PKCS8_PRIV_KEY_INFO *p8inf) 441int i2d_PKCS8_PRIV_KEY_INFO_fp(FILE *fp, PKCS8_PRIV_KEY_INFO *p8inf)
405 { 442 {
406 return(ASN1_i2d_fp(i2d_PKCS8_PRIV_KEY_INFO,fp,(unsigned char *)p8inf)); 443 return ASN1_i2d_fp_of(PKCS8_PRIV_KEY_INFO,i2d_PKCS8_PRIV_KEY_INFO,fp,
444 p8inf);
407 } 445 }
408 446
409int i2d_PKCS8PrivateKeyInfo_fp(FILE *fp, EVP_PKEY *key) 447int i2d_PKCS8PrivateKeyInfo_fp(FILE *fp, EVP_PKEY *key)
@@ -419,24 +457,22 @@ int i2d_PKCS8PrivateKeyInfo_fp(FILE *fp, EVP_PKEY *key)
419 457
420int i2d_PrivateKey_fp(FILE *fp, EVP_PKEY *pkey) 458int i2d_PrivateKey_fp(FILE *fp, EVP_PKEY *pkey)
421 { 459 {
422 return(ASN1_i2d_fp(i2d_PrivateKey,fp,(unsigned char *)pkey)); 460 return ASN1_i2d_fp_of(EVP_PKEY,i2d_PrivateKey,fp,pkey);
423 } 461 }
424 462
425EVP_PKEY *d2i_PrivateKey_fp(FILE *fp, EVP_PKEY **a) 463EVP_PKEY *d2i_PrivateKey_fp(FILE *fp, EVP_PKEY **a)
426{ 464{
427 return((EVP_PKEY *)ASN1_d2i_fp((char *(*)())EVP_PKEY_new, 465 return ASN1_d2i_fp_of(EVP_PKEY,EVP_PKEY_new,d2i_AutoPrivateKey,fp,a);
428 (char *(*)())d2i_AutoPrivateKey, (fp),(unsigned char **)(a)));
429} 466}
430 467
431int i2d_PUBKEY_fp(FILE *fp, EVP_PKEY *pkey) 468int i2d_PUBKEY_fp(FILE *fp, EVP_PKEY *pkey)
432 { 469 {
433 return(ASN1_i2d_fp(i2d_PUBKEY,fp,(unsigned char *)pkey)); 470 return ASN1_i2d_fp_of(EVP_PKEY,i2d_PUBKEY,fp,pkey);
434 } 471 }
435 472
436EVP_PKEY *d2i_PUBKEY_fp(FILE *fp, EVP_PKEY **a) 473EVP_PKEY *d2i_PUBKEY_fp(FILE *fp, EVP_PKEY **a)
437{ 474{
438 return((EVP_PKEY *)ASN1_d2i_fp((char *(*)())EVP_PKEY_new, 475 return ASN1_d2i_fp_of(EVP_PKEY,EVP_PKEY_new,d2i_PUBKEY,fp,a);
439 (char *(*)())d2i_PUBKEY, (fp),(unsigned char **)(a)));
440} 476}
441 477
442#endif 478#endif
@@ -444,15 +480,14 @@ EVP_PKEY *d2i_PUBKEY_fp(FILE *fp, EVP_PKEY **a)
444PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_bio(BIO *bp, 480PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_bio(BIO *bp,
445 PKCS8_PRIV_KEY_INFO **p8inf) 481 PKCS8_PRIV_KEY_INFO **p8inf)
446 { 482 {
447 return((PKCS8_PRIV_KEY_INFO *)ASN1_d2i_bio( 483 return ASN1_d2i_bio_of(PKCS8_PRIV_KEY_INFO,PKCS8_PRIV_KEY_INFO_new,
448 (char *(*)())PKCS8_PRIV_KEY_INFO_new, 484 d2i_PKCS8_PRIV_KEY_INFO,bp,p8inf);
449 (char *(*)())d2i_PKCS8_PRIV_KEY_INFO, (bp),
450 (unsigned char **)(p8inf)));
451 } 485 }
452 486
453int i2d_PKCS8_PRIV_KEY_INFO_bio(BIO *bp, PKCS8_PRIV_KEY_INFO *p8inf) 487int i2d_PKCS8_PRIV_KEY_INFO_bio(BIO *bp, PKCS8_PRIV_KEY_INFO *p8inf)
454 { 488 {
455 return(ASN1_i2d_bio(i2d_PKCS8_PRIV_KEY_INFO,bp,(unsigned char *)p8inf)); 489 return ASN1_i2d_bio_of(PKCS8_PRIV_KEY_INFO,i2d_PKCS8_PRIV_KEY_INFO,bp,
490 p8inf);
456 } 491 }
457 492
458int i2d_PKCS8PrivateKeyInfo_bio(BIO *bp, EVP_PKEY *key) 493int i2d_PKCS8PrivateKeyInfo_bio(BIO *bp, EVP_PKEY *key)
@@ -468,22 +503,20 @@ int i2d_PKCS8PrivateKeyInfo_bio(BIO *bp, EVP_PKEY *key)
468 503
469int i2d_PrivateKey_bio(BIO *bp, EVP_PKEY *pkey) 504int i2d_PrivateKey_bio(BIO *bp, EVP_PKEY *pkey)
470 { 505 {
471 return(ASN1_i2d_bio(i2d_PrivateKey,bp,(unsigned char *)pkey)); 506 return ASN1_i2d_bio_of(EVP_PKEY,i2d_PrivateKey,bp,pkey);
472 } 507 }
473 508
474EVP_PKEY *d2i_PrivateKey_bio(BIO *bp, EVP_PKEY **a) 509EVP_PKEY *d2i_PrivateKey_bio(BIO *bp, EVP_PKEY **a)
475 { 510 {
476 return((EVP_PKEY *)ASN1_d2i_bio((char *(*)())EVP_PKEY_new, 511 return ASN1_d2i_bio_of(EVP_PKEY,EVP_PKEY_new,d2i_AutoPrivateKey,bp,a);
477 (char *(*)())d2i_AutoPrivateKey, (bp),(unsigned char **)(a)));
478 } 512 }
479 513
480int i2d_PUBKEY_bio(BIO *bp, EVP_PKEY *pkey) 514int i2d_PUBKEY_bio(BIO *bp, EVP_PKEY *pkey)
481 { 515 {
482 return(ASN1_i2d_bio(i2d_PUBKEY,bp,(unsigned char *)pkey)); 516 return ASN1_i2d_bio_of(EVP_PKEY,i2d_PUBKEY,bp,pkey);
483 } 517 }
484 518
485EVP_PKEY *d2i_PUBKEY_bio(BIO *bp, EVP_PKEY **a) 519EVP_PKEY *d2i_PUBKEY_bio(BIO *bp, EVP_PKEY **a)
486 { 520 {
487 return((EVP_PKEY *)ASN1_d2i_bio((char *(*)())EVP_PKEY_new, 521 return ASN1_d2i_bio_of(EVP_PKEY,EVP_PKEY_new,d2i_PUBKEY,bp,a);
488 (char *(*)())d2i_PUBKEY, (bp),(unsigned char **)(a)));
489 } 522 }
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-12-26 06:49:58 +0000