summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--src/lib/libcrypto/pkcs12/p12_add.c112
-rw-r--r--src/lib/libcrypto/pkcs12/p12_asn.c45
-rw-r--r--src/lib/libcrypto/pkcs12/p12_attr.c62
-rw-r--r--src/lib/libcrypto/pkcs12/p12_crpt.c30
-rw-r--r--src/lib/libcrypto/pkcs12/p12_crt.c191
-rw-r--r--src/lib/libcrypto/pkcs12/p12_decr.c85
-rw-r--r--src/lib/libcrypto/pkcs12/p12_init.c32
-rw-r--r--src/lib/libcrypto/pkcs12/p12_key.c91
-rw-r--r--src/lib/libcrypto/pkcs12/p12_kiss.c150
-rw-r--r--src/lib/libcrypto/pkcs12/p12_mutl.c113
-rw-r--r--src/lib/libcrypto/pkcs12/p12_npas.c114
-rw-r--r--src/lib/libcrypto/pkcs12/p12_p8d.c12
-rw-r--r--src/lib/libcrypto/pkcs12/p12_p8e.c28
-rw-r--r--src/lib/libcrypto/pkcs12/p12_utl.c87
-rw-r--r--src/lib/libcrypto/pkcs12/pk12err.c137
-rw-r--r--src/lib/libcrypto/pkcs12/pkcs12.h124
-rw-r--r--src/lib/libssl/src/crypto/pkcs12/p12_add.c112
-rw-r--r--src/lib/libssl/src/crypto/pkcs12/p12_asn.c45
-rw-r--r--src/lib/libssl/src/crypto/pkcs12/p12_attr.c62
-rw-r--r--src/lib/libssl/src/crypto/pkcs12/p12_crpt.c30
-rw-r--r--src/lib/libssl/src/crypto/pkcs12/p12_crt.c191
-rw-r--r--src/lib/libssl/src/crypto/pkcs12/p12_decr.c85
-rw-r--r--src/lib/libssl/src/crypto/pkcs12/p12_init.c32
-rw-r--r--src/lib/libssl/src/crypto/pkcs12/p12_key.c91
-rw-r--r--src/lib/libssl/src/crypto/pkcs12/p12_kiss.c150
-rw-r--r--src/lib/libssl/src/crypto/pkcs12/p12_mutl.c113
-rw-r--r--src/lib/libssl/src/crypto/pkcs12/p12_npas.c114
-rw-r--r--src/lib/libssl/src/crypto/pkcs12/p12_p8d.c12
-rw-r--r--src/lib/libssl/src/crypto/pkcs12/p12_p8e.c28
-rw-r--r--src/lib/libssl/src/crypto/pkcs12/p12_utl.c87
-rw-r--r--src/lib/libssl/src/crypto/pkcs12/pk12err.c137
-rw-r--r--src/lib/libssl/src/crypto/pkcs12/pkcs12.h124
32 files changed, 1514 insertions, 1312 deletions
diff --git a/src/lib/libcrypto/pkcs12/p12_add.c b/src/lib/libcrypto/pkcs12/p12_add.c
index 57cca926d8..6aa872631e 100644
--- a/src/lib/libcrypto/pkcs12/p12_add.c
+++ b/src/lib/libcrypto/pkcs12/p12_add.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: p12_add.c,v 1.9 2014/06/12 15:49:30 deraadt Exp $ */ 1/* $OpenBSD: p12_add.c,v 1.10 2014/07/08 09:24:53 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999. 3 * project 1999.
4 */ 4 */
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -62,22 +62,26 @@
62 62
63/* Pack an object into an OCTET STRING and turn into a safebag */ 63/* Pack an object into an OCTET STRING and turn into a safebag */
64 64
65PKCS12_SAFEBAG *PKCS12_item_pack_safebag(void *obj, const ASN1_ITEM *it, int nid1, 65PKCS12_SAFEBAG *
66 int nid2) 66PKCS12_item_pack_safebag(void *obj, const ASN1_ITEM *it, int nid1, int nid2)
67{ 67{
68 PKCS12_BAGS *bag; 68 PKCS12_BAGS *bag;
69 PKCS12_SAFEBAG *safebag; 69 PKCS12_SAFEBAG *safebag;
70
70 if (!(bag = PKCS12_BAGS_new())) { 71 if (!(bag = PKCS12_BAGS_new())) {
71 PKCS12err(PKCS12_F_PKCS12_ITEM_PACK_SAFEBAG, ERR_R_MALLOC_FAILURE); 72 PKCS12err(PKCS12_F_PKCS12_ITEM_PACK_SAFEBAG,
73 ERR_R_MALLOC_FAILURE);
72 return NULL; 74 return NULL;
73 } 75 }
74 bag->type = OBJ_nid2obj(nid1); 76 bag->type = OBJ_nid2obj(nid1);
75 if (!ASN1_item_pack(obj, it, &bag->value.octet)) { 77 if (!ASN1_item_pack(obj, it, &bag->value.octet)) {
76 PKCS12err(PKCS12_F_PKCS12_ITEM_PACK_SAFEBAG, ERR_R_MALLOC_FAILURE); 78 PKCS12err(PKCS12_F_PKCS12_ITEM_PACK_SAFEBAG,
79 ERR_R_MALLOC_FAILURE);
77 return NULL; 80 return NULL;
78 } 81 }
79 if (!(safebag = PKCS12_SAFEBAG_new())) { 82 if (!(safebag = PKCS12_SAFEBAG_new())) {
80 PKCS12err(PKCS12_F_PKCS12_ITEM_PACK_SAFEBAG, ERR_R_MALLOC_FAILURE); 83 PKCS12err(PKCS12_F_PKCS12_ITEM_PACK_SAFEBAG,
84 ERR_R_MALLOC_FAILURE);
81 return NULL; 85 return NULL;
82 } 86 }
83 safebag->value.bag = bag; 87 safebag->value.bag = bag;
@@ -87,11 +91,13 @@ PKCS12_SAFEBAG *PKCS12_item_pack_safebag(void *obj, const ASN1_ITEM *it, int nid
87 91
88/* Turn PKCS8 object into a keybag */ 92/* Turn PKCS8 object into a keybag */
89 93
90PKCS12_SAFEBAG *PKCS12_MAKE_KEYBAG(PKCS8_PRIV_KEY_INFO *p8) 94PKCS12_SAFEBAG *
95PKCS12_MAKE_KEYBAG(PKCS8_PRIV_KEY_INFO *p8)
91{ 96{
92 PKCS12_SAFEBAG *bag; 97 PKCS12_SAFEBAG *bag;
98
93 if (!(bag = PKCS12_SAFEBAG_new())) { 99 if (!(bag = PKCS12_SAFEBAG_new())) {
94 PKCS12err(PKCS12_F_PKCS12_MAKE_KEYBAG,ERR_R_MALLOC_FAILURE); 100 PKCS12err(PKCS12_F_PKCS12_MAKE_KEYBAG, ERR_R_MALLOC_FAILURE);
95 return NULL; 101 return NULL;
96 } 102 }
97 bag->type = OBJ_nid2obj(NID_keyBag); 103 bag->type = OBJ_nid2obj(NID_keyBag);
@@ -101,9 +107,9 @@ PKCS12_SAFEBAG *PKCS12_MAKE_KEYBAG(PKCS8_PRIV_KEY_INFO *p8)
101 107
102/* Turn PKCS8 object into a shrouded keybag */ 108/* Turn PKCS8 object into a shrouded keybag */
103 109
104PKCS12_SAFEBAG *PKCS12_MAKE_SHKEYBAG(int pbe_nid, const char *pass, 110PKCS12_SAFEBAG *
105 int passlen, unsigned char *salt, int saltlen, int iter, 111PKCS12_MAKE_SHKEYBAG(int pbe_nid, const char *pass, int passlen,
106 PKCS8_PRIV_KEY_INFO *p8) 112 unsigned char *salt, int saltlen, int iter, PKCS8_PRIV_KEY_INFO *p8)
107{ 113{
108 PKCS12_SAFEBAG *bag; 114 PKCS12_SAFEBAG *bag;
109 const EVP_CIPHER *pbe_ciph; 115 const EVP_CIPHER *pbe_ciph;
@@ -121,9 +127,8 @@ PKCS12_SAFEBAG *PKCS12_MAKE_SHKEYBAG(int pbe_nid, const char *pass,
121 if (pbe_ciph) 127 if (pbe_ciph)
122 pbe_nid = -1; 128 pbe_nid = -1;
123 129
124 if (!(bag->value.shkeybag = 130 if (!(bag->value.shkeybag = PKCS8_encrypt(pbe_nid, pbe_ciph, pass,
125 PKCS8_encrypt(pbe_nid, pbe_ciph, pass, passlen, salt, saltlen, iter, 131 passlen, salt, saltlen, iter, p8))) {
126 p8))) {
127 PKCS12err(PKCS12_F_PKCS12_MAKE_SHKEYBAG, ERR_R_MALLOC_FAILURE); 132 PKCS12err(PKCS12_F_PKCS12_MAKE_SHKEYBAG, ERR_R_MALLOC_FAILURE);
128 return NULL; 133 return NULL;
129 } 134 }
@@ -132,9 +137,11 @@ PKCS12_SAFEBAG *PKCS12_MAKE_SHKEYBAG(int pbe_nid, const char *pass,
132} 137}
133 138
134/* Turn a stack of SAFEBAGS into a PKCS#7 data Contentinfo */ 139/* Turn a stack of SAFEBAGS into a PKCS#7 data Contentinfo */
135PKCS7 *PKCS12_pack_p7data(STACK_OF(PKCS12_SAFEBAG) *sk) 140PKCS7 *
141PKCS12_pack_p7data(STACK_OF(PKCS12_SAFEBAG) *sk)
136{ 142{
137 PKCS7 *p7; 143 PKCS7 *p7;
144
138 if (!(p7 = PKCS7_new())) { 145 if (!(p7 = PKCS7_new())) {
139 PKCS12err(PKCS12_F_PKCS12_PACK_P7DATA, ERR_R_MALLOC_FAILURE); 146 PKCS12err(PKCS12_F_PKCS12_PACK_P7DATA, ERR_R_MALLOC_FAILURE);
140 return NULL; 147 return NULL;
@@ -144,41 +151,44 @@ PKCS7 *PKCS12_pack_p7data(STACK_OF(PKCS12_SAFEBAG) *sk)
144 PKCS12err(PKCS12_F_PKCS12_PACK_P7DATA, ERR_R_MALLOC_FAILURE); 151 PKCS12err(PKCS12_F_PKCS12_PACK_P7DATA, ERR_R_MALLOC_FAILURE);
145 return NULL; 152 return NULL;
146 } 153 }
147 154
148 if (!ASN1_item_pack(sk, ASN1_ITEM_rptr(PKCS12_SAFEBAGS), &p7->d.data)) { 155 if (!ASN1_item_pack(sk, ASN1_ITEM_rptr(PKCS12_SAFEBAGS), &p7->d.data)) {
149 PKCS12err(PKCS12_F_PKCS12_PACK_P7DATA, PKCS12_R_CANT_PACK_STRUCTURE); 156 PKCS12err(PKCS12_F_PKCS12_PACK_P7DATA,
157 PKCS12_R_CANT_PACK_STRUCTURE);
150 return NULL; 158 return NULL;
151 } 159 }
152 return p7; 160 return p7;
153} 161}
154 162
155/* Unpack SAFEBAGS from PKCS#7 data ContentInfo */ 163/* Unpack SAFEBAGS from PKCS#7 data ContentInfo */
156STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7data(PKCS7 *p7) 164STACK_OF(PKCS12_SAFEBAG) *
165PKCS12_unpack_p7data(PKCS7 *p7)
157{ 166{
158 if(!PKCS7_type_is_data(p7)) 167 if (!PKCS7_type_is_data(p7)) {
159 { 168 PKCS12err(PKCS12_F_PKCS12_UNPACK_P7DATA,
160 PKCS12err(PKCS12_F_PKCS12_UNPACK_P7DATA,PKCS12_R_CONTENT_TYPE_NOT_DATA); 169 PKCS12_R_CONTENT_TYPE_NOT_DATA);
161 return NULL; 170 return NULL;
162 } 171 }
163 return ASN1_item_unpack(p7->d.data, ASN1_ITEM_rptr(PKCS12_SAFEBAGS)); 172 return ASN1_item_unpack(p7->d.data, ASN1_ITEM_rptr(PKCS12_SAFEBAGS));
164} 173}
165 174
166/* Turn a stack of SAFEBAGS into a PKCS#7 encrypted data ContentInfo */ 175/* Turn a stack of SAFEBAGS into a PKCS#7 encrypted data ContentInfo */
167 176
168PKCS7 *PKCS12_pack_p7encdata(int pbe_nid, const char *pass, int passlen, 177PKCS7 *
169 unsigned char *salt, int saltlen, int iter, 178PKCS12_pack_p7encdata(int pbe_nid, const char *pass, int passlen,
170 STACK_OF(PKCS12_SAFEBAG) *bags) 179 unsigned char *salt, int saltlen, int iter, STACK_OF(PKCS12_SAFEBAG) *bags)
171{ 180{
172 PKCS7 *p7; 181 PKCS7 *p7;
173 X509_ALGOR *pbe; 182 X509_ALGOR *pbe;
174 const EVP_CIPHER *pbe_ciph; 183 const EVP_CIPHER *pbe_ciph;
184
175 if (!(p7 = PKCS7_new())) { 185 if (!(p7 = PKCS7_new())) {
176 PKCS12err(PKCS12_F_PKCS12_PACK_P7ENCDATA, ERR_R_MALLOC_FAILURE); 186 PKCS12err(PKCS12_F_PKCS12_PACK_P7ENCDATA, ERR_R_MALLOC_FAILURE);
177 return NULL; 187 return NULL;
178 } 188 }
179 if(!PKCS7_set_type(p7, NID_pkcs7_encrypted)) { 189 if (!PKCS7_set_type(p7, NID_pkcs7_encrypted)) {
180 PKCS12err(PKCS12_F_PKCS12_PACK_P7ENCDATA, 190 PKCS12err(PKCS12_F_PKCS12_PACK_P7ENCDATA,
181 PKCS12_R_ERROR_SETTING_ENCRYPTED_DATA_TYPE); 191 PKCS12_R_ERROR_SETTING_ENCRYPTED_DATA_TYPE);
182 return NULL; 192 return NULL;
183 } 193 }
184 194
@@ -196,45 +206,49 @@ PKCS7 *PKCS12_pack_p7encdata(int pbe_nid, const char *pass, int passlen,
196 X509_ALGOR_free(p7->d.encrypted->enc_data->algorithm); 206 X509_ALGOR_free(p7->d.encrypted->enc_data->algorithm);
197 p7->d.encrypted->enc_data->algorithm = pbe; 207 p7->d.encrypted->enc_data->algorithm = pbe;
198 M_ASN1_OCTET_STRING_free(p7->d.encrypted->enc_data->enc_data); 208 M_ASN1_OCTET_STRING_free(p7->d.encrypted->enc_data->enc_data);
199 if (!(p7->d.encrypted->enc_data->enc_data = 209 if (!(p7->d.encrypted->enc_data->enc_data = PKCS12_item_i2d_encrypt(
200 PKCS12_item_i2d_encrypt(pbe, ASN1_ITEM_rptr(PKCS12_SAFEBAGS), pass, passlen, 210 pbe, ASN1_ITEM_rptr(PKCS12_SAFEBAGS), pass, passlen, bags, 1))) {
201 bags, 1))) { 211 PKCS12err(PKCS12_F_PKCS12_PACK_P7ENCDATA,
202 PKCS12err(PKCS12_F_PKCS12_PACK_P7ENCDATA, PKCS12_R_ENCRYPT_ERROR); 212 PKCS12_R_ENCRYPT_ERROR);
203 return NULL; 213 return NULL;
204 } 214 }
205 215
206 return p7; 216 return p7;
207} 217}
208 218
209STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7encdata(PKCS7 *p7, const char *pass, int passlen) 219STACK_OF(PKCS12_SAFEBAG) *
220PKCS12_unpack_p7encdata(PKCS7 *p7, const char *pass, int passlen)
210{ 221{
211 if(!PKCS7_type_is_encrypted(p7)) return NULL; 222 if (!PKCS7_type_is_encrypted(p7))
223 return NULL;
212 return PKCS12_item_decrypt_d2i(p7->d.encrypted->enc_data->algorithm, 224 return PKCS12_item_decrypt_d2i(p7->d.encrypted->enc_data->algorithm,
213 ASN1_ITEM_rptr(PKCS12_SAFEBAGS), 225 ASN1_ITEM_rptr(PKCS12_SAFEBAGS), pass, passlen,
214 pass, passlen, 226 p7->d.encrypted->enc_data->enc_data, 1);
215 p7->d.encrypted->enc_data->enc_data, 1);
216} 227}
217 228
218PKCS8_PRIV_KEY_INFO *PKCS12_decrypt_skey(PKCS12_SAFEBAG *bag, const char *pass, 229PKCS8_PRIV_KEY_INFO *
219 int passlen) 230PKCS12_decrypt_skey(PKCS12_SAFEBAG *bag, const char *pass, int passlen)
220{ 231{
221 return PKCS8_decrypt(bag->value.shkeybag, pass, passlen); 232 return PKCS8_decrypt(bag->value.shkeybag, pass, passlen);
222} 233}
223 234
224int PKCS12_pack_authsafes(PKCS12 *p12, STACK_OF(PKCS7) *safes) 235int
236PKCS12_pack_authsafes(PKCS12 *p12, STACK_OF(PKCS7) *safes)
225{ 237{
226 if(ASN1_item_pack(safes, ASN1_ITEM_rptr(PKCS12_AUTHSAFES), 238 if (ASN1_item_pack(safes, ASN1_ITEM_rptr(PKCS12_AUTHSAFES),
227 &p12->authsafes->d.data)) 239 &p12->authsafes->d.data))
228 return 1; 240 return 1;
229 return 0; 241 return 0;
230} 242}
231 243
232STACK_OF(PKCS7) *PKCS12_unpack_authsafes(PKCS12 *p12) 244STACK_OF(PKCS7) *
245PKCS12_unpack_authsafes(PKCS12 *p12)
233{ 246{
234 if (!PKCS7_type_is_data(p12->authsafes)) 247 if (!PKCS7_type_is_data(p12->authsafes)) {
235 { 248 PKCS12err(PKCS12_F_PKCS12_UNPACK_AUTHSAFES,
236 PKCS12err(PKCS12_F_PKCS12_UNPACK_AUTHSAFES,PKCS12_R_CONTENT_TYPE_NOT_DATA); 249 PKCS12_R_CONTENT_TYPE_NOT_DATA);
237 return NULL; 250 return NULL;
238 } 251 }
239 return ASN1_item_unpack(p12->authsafes->d.data, ASN1_ITEM_rptr(PKCS12_AUTHSAFES)); 252 return ASN1_item_unpack(p12->authsafes->d.data,
253 ASN1_ITEM_rptr(PKCS12_AUTHSAFES));
240} 254}
diff --git a/src/lib/libcrypto/pkcs12/p12_asn.c b/src/lib/libcrypto/pkcs12/p12_asn.c
index e3987752b6..b72db76383 100644
--- a/src/lib/libcrypto/pkcs12/p12_asn.c
+++ b/src/lib/libcrypto/pkcs12/p12_asn.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: p12_asn.c,v 1.4 2014/06/12 15:49:30 deraadt Exp $ */ 1/* $OpenBSD: p12_asn.c,v 1.5 2014/07/08 09:24:53 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999. 3 * project 1999.
4 */ 4 */
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -79,12 +79,16 @@ ASN1_SEQUENCE(PKCS12_MAC_DATA) = {
79 79
80IMPLEMENT_ASN1_FUNCTIONS(PKCS12_MAC_DATA) 80IMPLEMENT_ASN1_FUNCTIONS(PKCS12_MAC_DATA)
81 81
82ASN1_ADB_TEMPLATE(bag_default) = ASN1_EXP(PKCS12_BAGS, value.other, ASN1_ANY, 0); 82ASN1_ADB_TEMPLATE(bag_default) =
83 ASN1_EXP(PKCS12_BAGS, value.other, ASN1_ANY, 0);
83 84
84ASN1_ADB(PKCS12_BAGS) = { 85ASN1_ADB(PKCS12_BAGS) = {
85 ADB_ENTRY(NID_x509Certificate, ASN1_EXP(PKCS12_BAGS, value.x509cert, ASN1_OCTET_STRING, 0)), 86 ADB_ENTRY(NID_x509Certificate,
86 ADB_ENTRY(NID_x509Crl, ASN1_EXP(PKCS12_BAGS, value.x509crl, ASN1_OCTET_STRING, 0)), 87 ASN1_EXP(PKCS12_BAGS, value.x509cert, ASN1_OCTET_STRING, 0)),
87 ADB_ENTRY(NID_sdsiCertificate, ASN1_EXP(PKCS12_BAGS, value.sdsicert, ASN1_IA5STRING, 0)), 88 ADB_ENTRY(NID_x509Crl,
89 ASN1_EXP(PKCS12_BAGS, value.x509crl, ASN1_OCTET_STRING, 0)),
90 ADB_ENTRY(NID_sdsiCertificate,
91 ASN1_EXP(PKCS12_BAGS, value.sdsicert, ASN1_IA5STRING, 0)),
88} ASN1_ADB_END(PKCS12_BAGS, 0, type, 0, &bag_default_tt, NULL); 92} ASN1_ADB_END(PKCS12_BAGS, 0, type, 0, &bag_default_tt, NULL);
89 93
90ASN1_SEQUENCE(PKCS12_BAGS) = { 94ASN1_SEQUENCE(PKCS12_BAGS) = {
@@ -94,15 +98,22 @@ ASN1_SEQUENCE(PKCS12_BAGS) = {
94 98
95IMPLEMENT_ASN1_FUNCTIONS(PKCS12_BAGS) 99IMPLEMENT_ASN1_FUNCTIONS(PKCS12_BAGS)
96 100
97ASN1_ADB_TEMPLATE(safebag_default) = ASN1_EXP(PKCS12_SAFEBAG, value.other, ASN1_ANY, 0); 101ASN1_ADB_TEMPLATE(safebag_default) =
102 ASN1_EXP(PKCS12_SAFEBAG, value.other, ASN1_ANY, 0);
98 103
99ASN1_ADB(PKCS12_SAFEBAG) = { 104ASN1_ADB(PKCS12_SAFEBAG) = {
100 ADB_ENTRY(NID_keyBag, ASN1_EXP(PKCS12_SAFEBAG, value.keybag, PKCS8_PRIV_KEY_INFO, 0)), 105 ADB_ENTRY(NID_keyBag,
101 ADB_ENTRY(NID_pkcs8ShroudedKeyBag, ASN1_EXP(PKCS12_SAFEBAG, value.shkeybag, X509_SIG, 0)), 106 ASN1_EXP(PKCS12_SAFEBAG, value.keybag, PKCS8_PRIV_KEY_INFO, 0)),
102 ADB_ENTRY(NID_safeContentsBag, ASN1_EXP_SET_OF(PKCS12_SAFEBAG, value.safes, PKCS12_SAFEBAG, 0)), 107 ADB_ENTRY(NID_pkcs8ShroudedKeyBag,
103 ADB_ENTRY(NID_certBag, ASN1_EXP(PKCS12_SAFEBAG, value.bag, PKCS12_BAGS, 0)), 108 ASN1_EXP(PKCS12_SAFEBAG, value.shkeybag, X509_SIG, 0)),
104 ADB_ENTRY(NID_crlBag, ASN1_EXP(PKCS12_SAFEBAG, value.bag, PKCS12_BAGS, 0)), 109 ADB_ENTRY(NID_safeContentsBag,
105 ADB_ENTRY(NID_secretBag, ASN1_EXP(PKCS12_SAFEBAG, value.bag, PKCS12_BAGS, 0)) 110 ASN1_EXP_SET_OF(PKCS12_SAFEBAG, value.safes, PKCS12_SAFEBAG, 0)),
111 ADB_ENTRY(NID_certBag,
112 ASN1_EXP(PKCS12_SAFEBAG, value.bag, PKCS12_BAGS, 0)),
113 ADB_ENTRY(NID_crlBag,
114 ASN1_EXP(PKCS12_SAFEBAG, value.bag, PKCS12_BAGS, 0)),
115 ADB_ENTRY(NID_secretBag,
116 ASN1_EXP(PKCS12_SAFEBAG, value.bag, PKCS12_BAGS, 0))
106} ASN1_ADB_END(PKCS12_SAFEBAG, 0, type, 0, &safebag_default_tt, NULL); 117} ASN1_ADB_END(PKCS12_SAFEBAG, 0, type, 0, &safebag_default_tt, NULL);
107 118
108ASN1_SEQUENCE(PKCS12_SAFEBAG) = { 119ASN1_SEQUENCE(PKCS12_SAFEBAG) = {
@@ -114,12 +125,12 @@ ASN1_SEQUENCE(PKCS12_SAFEBAG) = {
114IMPLEMENT_ASN1_FUNCTIONS(PKCS12_SAFEBAG) 125IMPLEMENT_ASN1_FUNCTIONS(PKCS12_SAFEBAG)
115 126
116/* SEQUENCE OF SafeBag */ 127/* SEQUENCE OF SafeBag */
117ASN1_ITEM_TEMPLATE(PKCS12_SAFEBAGS) = 128ASN1_ITEM_TEMPLATE(PKCS12_SAFEBAGS) =
118 ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, PKCS12_SAFEBAGS, PKCS12_SAFEBAG) 129ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, PKCS12_SAFEBAGS, PKCS12_SAFEBAG)
119ASN1_ITEM_TEMPLATE_END(PKCS12_SAFEBAGS) 130ASN1_ITEM_TEMPLATE_END(PKCS12_SAFEBAGS)
120 131
121/* Authsafes: SEQUENCE OF PKCS7 */ 132/* Authsafes: SEQUENCE OF PKCS7 */
122ASN1_ITEM_TEMPLATE(PKCS12_AUTHSAFES) = 133ASN1_ITEM_TEMPLATE(PKCS12_AUTHSAFES) =
123 ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, PKCS12_AUTHSAFES, PKCS7) 134ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, PKCS12_AUTHSAFES, PKCS7)
124ASN1_ITEM_TEMPLATE_END(PKCS12_AUTHSAFES) 135ASN1_ITEM_TEMPLATE_END(PKCS12_AUTHSAFES)
125 136
diff --git a/src/lib/libcrypto/pkcs12/p12_attr.c b/src/lib/libcrypto/pkcs12/p12_attr.c
index 67ffb392ab..05e9b11fd1 100644
--- a/src/lib/libcrypto/pkcs12/p12_attr.c
+++ b/src/lib/libcrypto/pkcs12/p12_attr.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: p12_attr.c,v 1.8 2014/06/12 15:49:30 deraadt Exp $ */ 1/* $OpenBSD: p12_attr.c,v 1.9 2014/07/08 09:24:53 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999. 3 * project 1999.
4 */ 4 */
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -62,24 +62,26 @@
62 62
63/* Add a local keyid to a safebag */ 63/* Add a local keyid to a safebag */
64 64
65int PKCS12_add_localkeyid(PKCS12_SAFEBAG *bag, unsigned char *name, 65int
66 int namelen) 66PKCS12_add_localkeyid(PKCS12_SAFEBAG *bag, unsigned char *name, int namelen)
67{ 67{
68 if (X509at_add1_attr_by_NID(&bag->attrib, NID_localKeyID, 68 if (X509at_add1_attr_by_NID(&bag->attrib, NID_localKeyID,
69 V_ASN1_OCTET_STRING, name, namelen)) 69 V_ASN1_OCTET_STRING, name, namelen))
70 return 1; 70 return 1;
71 else 71 else
72 return 0; 72 return 0;
73} 73}
74 74
75/* Add key usage to PKCS#8 structure */ 75/* Add key usage to PKCS#8 structure */
76 76
77int PKCS8_add_keyusage(PKCS8_PRIV_KEY_INFO *p8, int usage) 77int
78PKCS8_add_keyusage(PKCS8_PRIV_KEY_INFO *p8, int usage)
78{ 79{
79 unsigned char us_val; 80 unsigned char us_val;
81
80 us_val = (unsigned char) usage; 82 us_val = (unsigned char) usage;
81 if (X509at_add1_attr_by_NID(&p8->attributes, NID_key_usage, 83 if (X509at_add1_attr_by_NID(&p8->attributes, NID_key_usage,
82 V_ASN1_BIT_STRING, &us_val, 1)) 84 V_ASN1_BIT_STRING, &us_val, 1))
83 return 1; 85 return 1;
84 else 86 else
85 return 0; 87 return 0;
@@ -87,59 +89,67 @@ int PKCS8_add_keyusage(PKCS8_PRIV_KEY_INFO *p8, int usage)
87 89
88/* Add a friendlyname to a safebag */ 90/* Add a friendlyname to a safebag */
89 91
90int PKCS12_add_friendlyname_asc(PKCS12_SAFEBAG *bag, const char *name, 92int
91 int namelen) 93PKCS12_add_friendlyname_asc(PKCS12_SAFEBAG *bag, const char *name, int namelen)
92{ 94{
93 if (X509at_add1_attr_by_NID(&bag->attrib, NID_friendlyName, 95 if (X509at_add1_attr_by_NID(&bag->attrib, NID_friendlyName,
94 MBSTRING_ASC, (unsigned char *)name, namelen)) 96 MBSTRING_ASC, (unsigned char *)name, namelen))
95 return 1; 97 return 1;
96 else 98 else
97 return 0; 99 return 0;
98} 100}
99 101
100 102
101int PKCS12_add_friendlyname_uni(PKCS12_SAFEBAG *bag, 103int
102 const unsigned char *name, int namelen) 104PKCS12_add_friendlyname_uni(PKCS12_SAFEBAG *bag, const unsigned char *name,
105 int namelen)
103{ 106{
104 if (X509at_add1_attr_by_NID(&bag->attrib, NID_friendlyName, 107 if (X509at_add1_attr_by_NID(&bag->attrib, NID_friendlyName,
105 MBSTRING_BMP, name, namelen)) 108 MBSTRING_BMP, name, namelen))
106 return 1; 109 return 1;
107 else 110 else
108 return 0; 111 return 0;
109} 112}
110 113
111int PKCS12_add_CSPName_asc(PKCS12_SAFEBAG *bag, const char *name, 114int
112 int namelen) 115PKCS12_add_CSPName_asc(PKCS12_SAFEBAG *bag, const char *name, int namelen)
113{ 116{
114 if (X509at_add1_attr_by_NID(&bag->attrib, NID_ms_csp_name, 117 if (X509at_add1_attr_by_NID(&bag->attrib, NID_ms_csp_name,
115 MBSTRING_ASC, (unsigned char *)name, namelen)) 118 MBSTRING_ASC, (unsigned char *)name, namelen))
116 return 1; 119 return 1;
117 else 120 else
118 return 0; 121 return 0;
119} 122}
120 123
121ASN1_TYPE *PKCS12_get_attr_gen(STACK_OF(X509_ATTRIBUTE) *attrs, int attr_nid) 124ASN1_TYPE *
125PKCS12_get_attr_gen(STACK_OF(X509_ATTRIBUTE) *attrs, int attr_nid)
122{ 126{
123 X509_ATTRIBUTE *attrib; 127 X509_ATTRIBUTE *attrib;
124 int i; 128 int i;
125 if (!attrs) return NULL; 129
130 if (!attrs)
131 return NULL;
126 for (i = 0; i < sk_X509_ATTRIBUTE_num (attrs); i++) { 132 for (i = 0; i < sk_X509_ATTRIBUTE_num (attrs); i++) {
127 attrib = sk_X509_ATTRIBUTE_value (attrs, i); 133 attrib = sk_X509_ATTRIBUTE_value (attrs, i);
128 if (OBJ_obj2nid (attrib->object) == attr_nid) { 134 if (OBJ_obj2nid (attrib->object) == attr_nid) {
129 if (sk_ASN1_TYPE_num (attrib->value.set)) 135 if (sk_ASN1_TYPE_num (attrib->value.set))
130 return sk_ASN1_TYPE_value(attrib->value.set, 0); 136 return sk_ASN1_TYPE_value(attrib->value.set, 0);
131 else return NULL; 137 else
138 return NULL;
132 } 139 }
133 } 140 }
134 return NULL; 141 return NULL;
135} 142}
136 143
137char *PKCS12_get_friendlyname(PKCS12_SAFEBAG *bag) 144char *
145PKCS12_get_friendlyname(PKCS12_SAFEBAG *bag)
138{ 146{
139 ASN1_TYPE *atype; 147 ASN1_TYPE *atype;
140 if (!(atype = PKCS12_get_attr(bag, NID_friendlyName))) return NULL; 148
141 if (atype->type != V_ASN1_BMPSTRING) return NULL; 149 if (!(atype = PKCS12_get_attr(bag, NID_friendlyName)))
150 return NULL;
151 if (atype->type != V_ASN1_BMPSTRING)
152 return NULL;
142 return OPENSSL_uni2asc(atype->value.bmpstring->data, 153 return OPENSSL_uni2asc(atype->value.bmpstring->data,
143 atype->value.bmpstring->length); 154 atype->value.bmpstring->length);
144} 155}
145
diff --git a/src/lib/libcrypto/pkcs12/p12_crpt.c b/src/lib/libcrypto/pkcs12/p12_crpt.c
index c0b41f9252..1709b30d5e 100644
--- a/src/lib/libcrypto/pkcs12/p12_crpt.c
+++ b/src/lib/libcrypto/pkcs12/p12_crpt.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: p12_crpt.c,v 1.9 2014/06/12 15:49:30 deraadt Exp $ */ 1/* $OpenBSD: p12_crpt.c,v 1.10 2014/07/08 09:24:53 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999. 3 * project 1999.
4 */ 4 */
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -62,12 +62,14 @@
62 62
63/* PKCS#12 PBE algorithms now in static table */ 63/* PKCS#12 PBE algorithms now in static table */
64 64
65void PKCS12_PBE_add(void) 65void
66PKCS12_PBE_add(void)
66{ 67{
67} 68}
68 69
69int PKCS12_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen, 70int
70 ASN1_TYPE *param, const EVP_CIPHER *cipher, const EVP_MD *md, int en_de) 71PKCS12_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
72 ASN1_TYPE *param, const EVP_CIPHER *cipher, const EVP_MD *md, int en_de)
71{ 73{
72 PBEPARAM *pbe; 74 PBEPARAM *pbe;
73 int saltlen, iter, ret; 75 int saltlen, iter, ret;
@@ -78,29 +80,31 @@ int PKCS12_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
78 /* Extract useful info from parameter */ 80 /* Extract useful info from parameter */
79 if (param == NULL || param->type != V_ASN1_SEQUENCE || 81 if (param == NULL || param->type != V_ASN1_SEQUENCE ||
80 param->value.sequence == NULL) { 82 param->value.sequence == NULL) {
81 PKCS12err(PKCS12_F_PKCS12_PBE_KEYIVGEN,PKCS12_R_DECODE_ERROR); 83 PKCS12err(PKCS12_F_PKCS12_PBE_KEYIVGEN, PKCS12_R_DECODE_ERROR);
82 return 0; 84 return 0;
83 } 85 }
84 86
85 pbuf = param->value.sequence->data; 87 pbuf = param->value.sequence->data;
86 if (!(pbe = d2i_PBEPARAM(NULL, &pbuf, param->value.sequence->length))) { 88 if (!(pbe = d2i_PBEPARAM(NULL, &pbuf, param->value.sequence->length))) {
87 PKCS12err(PKCS12_F_PKCS12_PBE_KEYIVGEN,PKCS12_R_DECODE_ERROR); 89 PKCS12err(PKCS12_F_PKCS12_PBE_KEYIVGEN, PKCS12_R_DECODE_ERROR);
88 return 0; 90 return 0;
89 } 91 }
90 92
91 if (!pbe->iter) iter = 1; 93 if (!pbe->iter)
92 else iter = ASN1_INTEGER_get (pbe->iter); 94 iter = 1;
95 else
96 iter = ASN1_INTEGER_get (pbe->iter);
93 salt = pbe->salt->data; 97 salt = pbe->salt->data;
94 saltlen = pbe->salt->length; 98 saltlen = pbe->salt->length;
95 if (!PKCS12_key_gen (pass, passlen, salt, saltlen, PKCS12_KEY_ID, 99 if (!PKCS12_key_gen (pass, passlen, salt, saltlen, PKCS12_KEY_ID,
96 iter, EVP_CIPHER_key_length(cipher), key, md)) { 100 iter, EVP_CIPHER_key_length(cipher), key, md)) {
97 PKCS12err(PKCS12_F_PKCS12_PBE_KEYIVGEN,PKCS12_R_KEY_GEN_ERROR); 101 PKCS12err(PKCS12_F_PKCS12_PBE_KEYIVGEN, PKCS12_R_KEY_GEN_ERROR);
98 PBEPARAM_free(pbe); 102 PBEPARAM_free(pbe);
99 return 0; 103 return 0;
100 } 104 }
101 if (!PKCS12_key_gen (pass, passlen, salt, saltlen, PKCS12_IV_ID, 105 if (!PKCS12_key_gen (pass, passlen, salt, saltlen, PKCS12_IV_ID,
102 iter, EVP_CIPHER_iv_length(cipher), iv, md)) { 106 iter, EVP_CIPHER_iv_length(cipher), iv, md)) {
103 PKCS12err(PKCS12_F_PKCS12_PBE_KEYIVGEN,PKCS12_R_IV_GEN_ERROR); 107 PKCS12err(PKCS12_F_PKCS12_PBE_KEYIVGEN, PKCS12_R_IV_GEN_ERROR);
104 PBEPARAM_free(pbe); 108 PBEPARAM_free(pbe);
105 return 0; 109 return 0;
106 } 110 }
diff --git a/src/lib/libcrypto/pkcs12/p12_crt.c b/src/lib/libcrypto/pkcs12/p12_crt.c
index a5dffcebd7..538637e78a 100644
--- a/src/lib/libcrypto/pkcs12/p12_crt.c
+++ b/src/lib/libcrypto/pkcs12/p12_crt.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: p12_crt.c,v 1.13 2014/06/12 15:49:30 deraadt Exp $ */ 1/* $OpenBSD: p12_crt.c,v 1.14 2014/07/08 09:24:53 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project. 3 * project.
4 */ 4 */
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -61,12 +61,15 @@
61#include <openssl/pkcs12.h> 61#include <openssl/pkcs12.h>
62 62
63 63
64static int pkcs12_add_bag(STACK_OF(PKCS12_SAFEBAG) **pbags, PKCS12_SAFEBAG *bag); 64static int pkcs12_add_bag(STACK_OF(PKCS12_SAFEBAG) **pbags,
65 PKCS12_SAFEBAG *bag);
65 66
66static int copy_bag_attr(PKCS12_SAFEBAG *bag, EVP_PKEY *pkey, int nid) 67static int
67 { 68copy_bag_attr(PKCS12_SAFEBAG *bag, EVP_PKEY *pkey, int nid)
69{
68 int idx; 70 int idx;
69 X509_ATTRIBUTE *attr; 71 X509_ATTRIBUTE *attr;
72
70 idx = EVP_PKEY_get_attr_by_NID(pkey, nid, -1); 73 idx = EVP_PKEY_get_attr_by_NID(pkey, nid, -1);
71 if (idx < 0) 74 if (idx < 0)
72 return 1; 75 return 1;
@@ -74,11 +77,12 @@ static int copy_bag_attr(PKCS12_SAFEBAG *bag, EVP_PKEY *pkey, int nid)
74 if (!X509at_add1_attr(&bag->attrib, attr)) 77 if (!X509at_add1_attr(&bag->attrib, attr))
75 return 0; 78 return 0;
76 return 1; 79 return 1;
77 } 80}
78 81
79PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert, 82PKCS12 *
80 STACK_OF(X509) *ca, int nid_key, int nid_cert, int iter, int mac_iter, 83PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert,
81 int keytype) 84 STACK_OF(X509) *ca, int nid_key, int nid_cert, int iter, int mac_iter,
85 int keytype)
82{ 86{
83 PKCS12 *p12 = NULL; 87 PKCS12 *p12 = NULL;
84 STACK_OF(PKCS7) *safes = NULL; 88 STACK_OF(PKCS7) *safes = NULL;
@@ -89,10 +93,9 @@ PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert,
89 unsigned int keyidlen = 0; 93 unsigned int keyidlen = 0;
90 94
91 /* Set defaults */ 95 /* Set defaults */
92 if (!nid_cert) 96 if (!nid_cert) {
93 {
94 nid_cert = NID_pbe_WithSHA1And40BitRC2_CBC; 97 nid_cert = NID_pbe_WithSHA1And40BitRC2_CBC;
95 } 98 }
96 if (!nid_key) 99 if (!nid_key)
97 nid_key = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; 100 nid_key = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
98 if (!iter) 101 if (!iter)
@@ -100,43 +103,39 @@ PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert,
100 if (!mac_iter) 103 if (!mac_iter)
101 mac_iter = 1; 104 mac_iter = 1;
102 105
103 if(!pkey && !cert && !ca) 106 if (!pkey && !cert && !ca) {
104 { 107 PKCS12err(PKCS12_F_PKCS12_CREATE,
105 PKCS12err(PKCS12_F_PKCS12_CREATE,PKCS12_R_INVALID_NULL_ARGUMENT); 108 PKCS12_R_INVALID_NULL_ARGUMENT);
106 return NULL; 109 return NULL;
107 } 110 }
108 111
109 if (pkey && cert) 112 if (pkey && cert) {
110 { 113 if (!X509_check_private_key(cert, pkey))
111 if(!X509_check_private_key(cert, pkey))
112 return NULL; 114 return NULL;
113 X509_digest(cert, EVP_sha1(), keyid, &keyidlen); 115 X509_digest(cert, EVP_sha1(), keyid, &keyidlen);
114 } 116 }
115 117
116 if (cert) 118 if (cert) {
117 {
118 bag = PKCS12_add_cert(&bags, cert); 119 bag = PKCS12_add_cert(&bags, cert);
119 if(name && !PKCS12_add_friendlyname(bag, name, -1)) 120 if (name && !PKCS12_add_friendlyname(bag, name, -1))
120 goto err; 121 goto err;
121 if(keyidlen && !PKCS12_add_localkeyid(bag, keyid, keyidlen)) 122 if (keyidlen && !PKCS12_add_localkeyid(bag, keyid, keyidlen))
122 goto err; 123 goto err;
123 } 124 }
124 125
125 /* Add all other certificates */ 126 /* Add all other certificates */
126 for(i = 0; i < sk_X509_num(ca); i++) 127 for (i = 0; i < sk_X509_num(ca); i++) {
127 {
128 if (!PKCS12_add_cert(&bags, sk_X509_value(ca, i))) 128 if (!PKCS12_add_cert(&bags, sk_X509_value(ca, i)))
129 goto err; 129 goto err;
130 } 130 }
131 131
132 if (bags && !PKCS12_add_safe(&safes, bags, nid_cert, iter, pass)) 132 if (bags && !PKCS12_add_safe(&safes, bags, nid_cert, iter, pass))
133 goto err; 133 goto err;
134 134
135 sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free); 135 sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
136 bags = NULL; 136 bags = NULL;
137 137
138 if (pkey) 138 if (pkey) {
139 {
140 bag = PKCS12_add_key(&bags, pkey, keytype, iter, nid_key, pass); 139 bag = PKCS12_add_key(&bags, pkey, keytype, iter, nid_key, pass);
141 140
142 if (!bag) 141 if (!bag)
@@ -147,14 +146,14 @@ PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert,
147 if (!copy_bag_attr(bag, pkey, NID_LocalKeySet)) 146 if (!copy_bag_attr(bag, pkey, NID_LocalKeySet))
148 goto err; 147 goto err;
149 148
150 if(name && !PKCS12_add_friendlyname(bag, name, -1)) 149 if (name && !PKCS12_add_friendlyname(bag, name, -1))
151 goto err; 150 goto err;
152 if(keyidlen && !PKCS12_add_localkeyid(bag, keyid, keyidlen)) 151 if (keyidlen && !PKCS12_add_localkeyid(bag, keyid, keyidlen))
153 goto err; 152 goto err;
154 } 153 }
155 154
156 if (bags && !PKCS12_add_safe(&safes, bags, -1, 0, NULL)) 155 if (bags && !PKCS12_add_safe(&safes, bags, -1, 0, NULL))
157 goto err; 156 goto err;
158 157
159 sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free); 158 sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
160 bags = NULL; 159 bags = NULL;
@@ -169,13 +168,12 @@ PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert,
169 safes = NULL; 168 safes = NULL;
170 169
171 if ((mac_iter != -1) && 170 if ((mac_iter != -1) &&
172 !PKCS12_set_mac(p12, pass, -1, NULL, 0, mac_iter, NULL)) 171 !PKCS12_set_mac(p12, pass, -1, NULL, 0, mac_iter, NULL))
173 goto err; 172 goto err;
174 173
175 return p12; 174 return p12;
176 175
177 err: 176err:
178
179 if (p12) 177 if (p12)
180 PKCS12_free(p12); 178 PKCS12_free(p12);
181 if (safes) 179 if (safes)
@@ -183,11 +181,11 @@ PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert,
183 if (bags) 181 if (bags)
184 sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free); 182 sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
185 return NULL; 183 return NULL;
186
187} 184}
188 185
189PKCS12_SAFEBAG *PKCS12_add_cert(STACK_OF(PKCS12_SAFEBAG) **pbags, X509 *cert) 186PKCS12_SAFEBAG *
190 { 187PKCS12_add_cert(STACK_OF(PKCS12_SAFEBAG) **pbags, X509 *cert)
188{
191 PKCS12_SAFEBAG *bag = NULL; 189 PKCS12_SAFEBAG *bag = NULL;
192 char *name; 190 char *name;
193 int namelen = -1; 191 int namelen = -1;
@@ -195,21 +193,19 @@ PKCS12_SAFEBAG *PKCS12_add_cert(STACK_OF(PKCS12_SAFEBAG) **pbags, X509 *cert)
195 int keyidlen = -1; 193 int keyidlen = -1;
196 194
197 /* Add user certificate */ 195 /* Add user certificate */
198 if(!(bag = PKCS12_x5092certbag(cert))) 196 if (!(bag = PKCS12_x5092certbag(cert)))
199 goto err; 197 goto err;
200 198
201 /* Use friendlyName and localKeyID in certificate. 199 /* Use friendlyName and localKeyID in certificate.
202 * (if present) 200 * (if present)
203 */ 201 */
204
205 name = (char *)X509_alias_get0(cert, &namelen); 202 name = (char *)X509_alias_get0(cert, &namelen);
206 203 if (name && !PKCS12_add_friendlyname(bag, name, namelen))
207 if(name && !PKCS12_add_friendlyname(bag, name, namelen))
208 goto err; 204 goto err;
209 205
210 keyid = X509_keyid_get0(cert, &keyidlen); 206 keyid = X509_keyid_get0(cert, &keyidlen);
211 207
212 if(keyid && !PKCS12_add_localkeyid(bag, keyid, keyidlen)) 208 if (keyid && !PKCS12_add_localkeyid(bag, keyid, keyidlen))
213 goto err; 209 goto err;
214 210
215 if (!pkcs12_add_bag(pbags, bag)) 211 if (!pkcs12_add_bag(pbags, bag))
@@ -217,37 +213,33 @@ PKCS12_SAFEBAG *PKCS12_add_cert(STACK_OF(PKCS12_SAFEBAG) **pbags, X509 *cert)
217 213
218 return bag; 214 return bag;
219 215
220 err: 216err:
221
222 if (bag) 217 if (bag)
223 PKCS12_SAFEBAG_free(bag); 218 PKCS12_SAFEBAG_free(bag);
224 219
225 return NULL; 220 return NULL;
221}
226 222
227 } 223PKCS12_SAFEBAG *
228 224PKCS12_add_key(STACK_OF(PKCS12_SAFEBAG) **pbags, EVP_PKEY *key, int key_usage,
229PKCS12_SAFEBAG *PKCS12_add_key(STACK_OF(PKCS12_SAFEBAG) **pbags, EVP_PKEY *key, 225 int iter, int nid_key, char *pass)
230 int key_usage, int iter, 226{
231 int nid_key, char *pass)
232 {
233
234 PKCS12_SAFEBAG *bag = NULL; 227 PKCS12_SAFEBAG *bag = NULL;
235 PKCS8_PRIV_KEY_INFO *p8 = NULL; 228 PKCS8_PRIV_KEY_INFO *p8 = NULL;
236 229
237 /* Make a PKCS#8 structure */ 230 /* Make a PKCS#8 structure */
238 if(!(p8 = EVP_PKEY2PKCS8(key))) 231 if (!(p8 = EVP_PKEY2PKCS8(key)))
239 goto err; 232 goto err;
240 if(key_usage && !PKCS8_add_keyusage(p8, key_usage)) 233 if (key_usage && !PKCS8_add_keyusage(p8, key_usage))
241 goto err; 234 goto err;
242 if (nid_key != -1) 235 if (nid_key != -1) {
243 { 236 bag = PKCS12_MAKE_SHKEYBAG(nid_key, pass, -1, NULL, 0,
244 bag = PKCS12_MAKE_SHKEYBAG(nid_key, pass, -1, NULL, 0, iter, p8); 237 iter, p8);
245 PKCS8_PRIV_KEY_INFO_free(p8); 238 PKCS8_PRIV_KEY_INFO_free(p8);
246 } 239 } else
247 else
248 bag = PKCS12_MAKE_KEYBAG(p8); 240 bag = PKCS12_MAKE_KEYBAG(p8);
249 241
250 if(!bag) 242 if (!bag)
251 goto err; 243 goto err;
252 244
253 if (!pkcs12_add_bag(pbags, bag)) 245 if (!pkcs12_add_bag(pbags, bag))
@@ -255,29 +247,26 @@ PKCS12_SAFEBAG *PKCS12_add_key(STACK_OF(PKCS12_SAFEBAG) **pbags, EVP_PKEY *key,
255 247
256 return bag; 248 return bag;
257 249
258 err: 250err:
259
260 if (bag) 251 if (bag)
261 PKCS12_SAFEBAG_free(bag); 252 PKCS12_SAFEBAG_free(bag);
262 253
263 return NULL; 254 return NULL;
255}
264 256
265 } 257int
266 258PKCS12_add_safe(STACK_OF(PKCS7) **psafes, STACK_OF(PKCS12_SAFEBAG) *bags,
267int PKCS12_add_safe(STACK_OF(PKCS7) **psafes, STACK_OF(PKCS12_SAFEBAG) *bags, 259 int nid_safe, int iter, char *pass)
268 int nid_safe, int iter, char *pass) 260{
269 {
270 PKCS7 *p7 = NULL; 261 PKCS7 *p7 = NULL;
271 int free_safes = 0; 262 int free_safes = 0;
272 263
273 if (!*psafes) 264 if (!*psafes) {
274 {
275 *psafes = sk_PKCS7_new_null(); 265 *psafes = sk_PKCS7_new_null();
276 if (!*psafes) 266 if (!*psafes)
277 return 0; 267 return 0;
278 free_safes = 1; 268 free_safes = 1;
279 } 269 } else
280 else
281 free_safes = 0; 270 free_safes = 0;
282 271
283 if (nid_safe == 0) 272 if (nid_safe == 0)
@@ -287,7 +276,7 @@ int PKCS12_add_safe(STACK_OF(PKCS7) **psafes, STACK_OF(PKCS12_SAFEBAG) *bags,
287 p7 = PKCS12_pack_p7data(bags); 276 p7 = PKCS12_pack_p7data(bags);
288 else 277 else
289 p7 = PKCS12_pack_p7encdata(nid_safe, pass, -1, NULL, 0, 278 p7 = PKCS12_pack_p7encdata(nid_safe, pass, -1, NULL, 0,
290 iter, bags); 279 iter, bags);
291 if (!p7) 280 if (!p7)
292 goto err; 281 goto err;
293 282
@@ -296,53 +285,49 @@ int PKCS12_add_safe(STACK_OF(PKCS7) **psafes, STACK_OF(PKCS12_SAFEBAG) *bags,
296 285
297 return 1; 286 return 1;
298 287
299 err: 288err:
300 if (free_safes) 289 if (free_safes) {
301 {
302 sk_PKCS7_free(*psafes); 290 sk_PKCS7_free(*psafes);
303 *psafes = NULL; 291 *psafes = NULL;
304 } 292 }
305 293
306 if (p7) 294 if (p7)
307 PKCS7_free(p7); 295 PKCS7_free(p7);
308 296
309 return 0; 297 return 0;
298}
310 299
311 } 300static int
312 301pkcs12_add_bag(STACK_OF(PKCS12_SAFEBAG) **pbags, PKCS12_SAFEBAG *bag)
313static int pkcs12_add_bag(STACK_OF(PKCS12_SAFEBAG) **pbags, PKCS12_SAFEBAG *bag) 302{
314 {
315 int free_bags; 303 int free_bags;
304
316 if (!pbags) 305 if (!pbags)
317 return 1; 306 return 1;
318 if (!*pbags) 307 if (!*pbags) {
319 {
320 *pbags = sk_PKCS12_SAFEBAG_new_null(); 308 *pbags = sk_PKCS12_SAFEBAG_new_null();
321 if (!*pbags) 309 if (!*pbags)
322 return 0; 310 return 0;
323 free_bags = 1; 311 free_bags = 1;
324 } 312 } else
325 else
326 free_bags = 0; 313 free_bags = 0;
327 314
328 if (!sk_PKCS12_SAFEBAG_push(*pbags, bag)) 315 if (!sk_PKCS12_SAFEBAG_push(*pbags, bag)) {
329 { 316 if (free_bags) {
330 if (free_bags)
331 {
332 sk_PKCS12_SAFEBAG_free(*pbags); 317 sk_PKCS12_SAFEBAG_free(*pbags);
333 *pbags = NULL; 318 *pbags = NULL;
334 }
335 return 0;
336 } 319 }
320 return 0;
321 }
337 322
338 return 1; 323 return 1;
324}
339 325
340 } 326PKCS12 *
341 327PKCS12_add_safes(STACK_OF(PKCS7) *safes, int nid_p7)
342 328{
343PKCS12 *PKCS12_add_safes(STACK_OF(PKCS7) *safes, int nid_p7)
344 {
345 PKCS12 *p12; 329 PKCS12 *p12;
330
346 if (nid_p7 <= 0) 331 if (nid_p7 <= 0)
347 nid_p7 = NID_pkcs7_data; 332 nid_p7 = NID_pkcs7_data;
348 p12 = PKCS12_init(nid_p7); 333 p12 = PKCS12_init(nid_p7);
@@ -350,12 +335,10 @@ PKCS12 *PKCS12_add_safes(STACK_OF(PKCS7) *safes, int nid_p7)
350 if (!p12) 335 if (!p12)
351 return NULL; 336 return NULL;
352 337
353 if(!PKCS12_pack_authsafes(p12, safes)) 338 if (!PKCS12_pack_authsafes(p12, safes)) {
354 {
355 PKCS12_free(p12); 339 PKCS12_free(p12);
356 return NULL; 340 return NULL;
357 } 341 }
358 342
359 return p12; 343 return p12;
360 344}
361 }
diff --git a/src/lib/libcrypto/pkcs12/p12_decr.c b/src/lib/libcrypto/pkcs12/p12_decr.c
index 01fe24835f..577bb06f80 100644
--- a/src/lib/libcrypto/pkcs12/p12_decr.c
+++ b/src/lib/libcrypto/pkcs12/p12_decr.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: p12_decr.c,v 1.10 2014/06/12 15:49:30 deraadt Exp $ */ 1/* $OpenBSD: p12_decr.c,v 1.11 2014/07/08 09:24:53 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999. 3 * project 1999.
4 */ 4 */
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -68,9 +68,9 @@
68 * malloc'ed buffer 68 * malloc'ed buffer
69 */ 69 */
70 70
71unsigned char * PKCS12_pbe_crypt(X509_ALGOR *algor, const char *pass, 71unsigned char *
72 int passlen, unsigned char *in, int inlen, unsigned char **data, 72PKCS12_pbe_crypt(X509_ALGOR *algor, const char *pass, int passlen,
73 int *datalen, int en_de) 73 unsigned char *in, int inlen, unsigned char **data, int *datalen, int en_de)
74{ 74{
75 unsigned char *out; 75 unsigned char *out;
76 int outlen, i; 76 int outlen, i;
@@ -78,47 +78,52 @@ unsigned char * PKCS12_pbe_crypt(X509_ALGOR *algor, const char *pass,
78 78
79 EVP_CIPHER_CTX_init(&ctx); 79 EVP_CIPHER_CTX_init(&ctx);
80 /* Decrypt data */ 80 /* Decrypt data */
81 if (!EVP_PBE_CipherInit(algor->algorithm, pass, passlen, 81 if (!EVP_PBE_CipherInit(algor->algorithm, pass, passlen,
82 algor->parameter, &ctx, en_de)) { 82 algor->parameter, &ctx, en_de)) {
83 PKCS12err(PKCS12_F_PKCS12_PBE_CRYPT,PKCS12_R_PKCS12_ALGOR_CIPHERINIT_ERROR); 83 PKCS12err(PKCS12_F_PKCS12_PBE_CRYPT,
84 PKCS12_R_PKCS12_ALGOR_CIPHERINIT_ERROR);
84 return NULL; 85 return NULL;
85 } 86 }
86 87
87 if(!(out = malloc(inlen + EVP_CIPHER_CTX_block_size(&ctx)))) { 88 if (!(out = malloc(inlen + EVP_CIPHER_CTX_block_size(&ctx)))) {
88 PKCS12err(PKCS12_F_PKCS12_PBE_CRYPT,ERR_R_MALLOC_FAILURE); 89 PKCS12err(PKCS12_F_PKCS12_PBE_CRYPT, ERR_R_MALLOC_FAILURE);
89 goto err; 90 goto err;
90 } 91 }
91 92
92 if (!EVP_CipherUpdate(&ctx, out, &i, in, inlen)) 93 if (!EVP_CipherUpdate(&ctx, out, &i, in, inlen)) {
93 {
94 free(out); 94 free(out);
95 out = NULL; 95 out = NULL;
96 PKCS12err(PKCS12_F_PKCS12_PBE_CRYPT,ERR_R_EVP_LIB); 96 PKCS12err(PKCS12_F_PKCS12_PBE_CRYPT, ERR_R_EVP_LIB);
97 goto err; 97 goto err;
98 } 98 }
99 99
100 outlen = i; 100 outlen = i;
101 if(!EVP_CipherFinal_ex(&ctx, out + i, &i)) { 101 if (!EVP_CipherFinal_ex(&ctx, out + i, &i)) {
102 free(out); 102 free(out);
103 out = NULL; 103 out = NULL;
104 PKCS12err(PKCS12_F_PKCS12_PBE_CRYPT,PKCS12_R_PKCS12_CIPHERFINAL_ERROR); 104 PKCS12err(PKCS12_F_PKCS12_PBE_CRYPT,
105 PKCS12_R_PKCS12_CIPHERFINAL_ERROR);
105 goto err; 106 goto err;
106 } 107 }
107 outlen += i; 108 outlen += i;
108 if (datalen) *datalen = outlen; 109 if (datalen)
109 if (data) *data = out; 110 *datalen = outlen;
110 err: 111 if (data)
112 *data = out;
113
114err:
111 EVP_CIPHER_CTX_cleanup(&ctx); 115 EVP_CIPHER_CTX_cleanup(&ctx);
112 return out; 116 return out;
113 117
114} 118}
115 119
116/* Decrypt an OCTET STRING and decode ASN1 structure 120/* Decrypt an OCTET STRING and decode ASN1 structure
117 * if zbuf set zero buffer after use. 121 * if zbuf set zero buffer after use.
118 */ 122 */
119 123
120void * PKCS12_item_decrypt_d2i(X509_ALGOR *algor, const ASN1_ITEM *it, 124void *
121 const char *pass, int passlen, ASN1_OCTET_STRING *oct, int zbuf) 125PKCS12_item_decrypt_d2i(X509_ALGOR *algor, const ASN1_ITEM *it,
126 const char *pass, int passlen, ASN1_OCTET_STRING *oct, int zbuf)
122{ 127{
123 unsigned char *out; 128 unsigned char *out;
124 const unsigned char *p; 129 const unsigned char *p;
@@ -126,8 +131,9 @@ void * PKCS12_item_decrypt_d2i(X509_ALGOR *algor, const ASN1_ITEM *it,
126 int outlen; 131 int outlen;
127 132
128 if (!PKCS12_pbe_crypt(algor, pass, passlen, oct->data, oct->length, 133 if (!PKCS12_pbe_crypt(algor, pass, passlen, oct->data, oct->length,
129 &out, &outlen, 0)) { 134 &out, &outlen, 0)) {
130 PKCS12err(PKCS12_F_PKCS12_ITEM_DECRYPT_D2I,PKCS12_R_PKCS12_PBE_CRYPT_ERROR); 135 PKCS12err(PKCS12_F_PKCS12_ITEM_DECRYPT_D2I,
136 PKCS12_R_PKCS12_PBE_CRYPT_ERROR);
131 return NULL; 137 return NULL;
132 } 138 }
133 p = out; 139 p = out;
@@ -144,39 +150,48 @@ void * PKCS12_item_decrypt_d2i(X509_ALGOR *algor, const ASN1_ITEM *it,
144 } 150 }
145#endif 151#endif
146 ret = ASN1_item_d2i(NULL, &p, outlen, it); 152 ret = ASN1_item_d2i(NULL, &p, outlen, it);
147 if (zbuf) OPENSSL_cleanse(out, outlen); 153 if (zbuf)
148 if(!ret) PKCS12err(PKCS12_F_PKCS12_ITEM_DECRYPT_D2I,PKCS12_R_DECODE_ERROR); 154 OPENSSL_cleanse(out, outlen);
155 if (!ret)
156 PKCS12err(PKCS12_F_PKCS12_ITEM_DECRYPT_D2I,
157 PKCS12_R_DECODE_ERROR);
149 free(out); 158 free(out);
150 return ret; 159 return ret;
151} 160}
152 161
153/* Encode ASN1 structure and encrypt, return OCTET STRING 162/* Encode ASN1 structure and encrypt, return OCTET STRING
154 * if zbuf set zero encoding. 163 * if zbuf set zero encoding.
155 */ 164 */
156 165
157ASN1_OCTET_STRING *PKCS12_item_i2d_encrypt(X509_ALGOR *algor, const ASN1_ITEM *it, 166ASN1_OCTET_STRING *
158 const char *pass, int passlen, 167PKCS12_item_i2d_encrypt(X509_ALGOR *algor, const ASN1_ITEM *it,
159 void *obj, int zbuf) 168 const char *pass, int passlen,
169 void *obj, int zbuf)
160{ 170{
161 ASN1_OCTET_STRING *oct; 171 ASN1_OCTET_STRING *oct;
162 unsigned char *in = NULL; 172 unsigned char *in = NULL;
163 int inlen; 173 int inlen;
174
164 if (!(oct = M_ASN1_OCTET_STRING_new ())) { 175 if (!(oct = M_ASN1_OCTET_STRING_new ())) {
165 PKCS12err(PKCS12_F_PKCS12_ITEM_I2D_ENCRYPT,ERR_R_MALLOC_FAILURE); 176 PKCS12err(PKCS12_F_PKCS12_ITEM_I2D_ENCRYPT,
177 ERR_R_MALLOC_FAILURE);
166 return NULL; 178 return NULL;
167 } 179 }
168 inlen = ASN1_item_i2d(obj, &in, it); 180 inlen = ASN1_item_i2d(obj, &in, it);
169 if (!in) { 181 if (!in) {
170 PKCS12err(PKCS12_F_PKCS12_ITEM_I2D_ENCRYPT,PKCS12_R_ENCODE_ERROR); 182 PKCS12err(PKCS12_F_PKCS12_ITEM_I2D_ENCRYPT,
183 PKCS12_R_ENCODE_ERROR);
171 return NULL; 184 return NULL;
172 } 185 }
173 if (!PKCS12_pbe_crypt(algor, pass, passlen, in, inlen, &oct->data, 186 if (!PKCS12_pbe_crypt(algor, pass, passlen, in, inlen, &oct->data,
174 &oct->length, 1)) { 187 &oct->length, 1)) {
175 PKCS12err(PKCS12_F_PKCS12_ITEM_I2D_ENCRYPT,PKCS12_R_ENCRYPT_ERROR); 188 PKCS12err(PKCS12_F_PKCS12_ITEM_I2D_ENCRYPT,
189 PKCS12_R_ENCRYPT_ERROR);
176 free(in); 190 free(in);
177 return NULL; 191 return NULL;
178 } 192 }
179 if (zbuf) OPENSSL_cleanse(in, inlen); 193 if (zbuf)
194 OPENSSL_cleanse(in, inlen);
180 free(in); 195 free(in);
181 return oct; 196 return oct;
182} 197}
diff --git a/src/lib/libcrypto/pkcs12/p12_init.c b/src/lib/libcrypto/pkcs12/p12_init.c
index e9c55ea265..b4da7be77c 100644
--- a/src/lib/libcrypto/pkcs12/p12_init.c
+++ b/src/lib/libcrypto/pkcs12/p12_init.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: p12_init.c,v 1.7 2014/06/12 15:49:30 deraadt Exp $ */ 1/* $OpenBSD: p12_init.c,v 1.8 2014/07/08 09:24:53 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999. 3 * project 1999.
4 */ 4 */
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -62,31 +62,35 @@
62 62
63/* Initialise a PKCS12 structure to take data */ 63/* Initialise a PKCS12 structure to take data */
64 64
65PKCS12 *PKCS12_init(int mode) 65PKCS12 *
66PKCS12_init(int mode)
66{ 67{
67 PKCS12 *pkcs12; 68 PKCS12 *pkcs12;
69
68 if (!(pkcs12 = PKCS12_new())) { 70 if (!(pkcs12 = PKCS12_new())) {
69 PKCS12err(PKCS12_F_PKCS12_INIT,ERR_R_MALLOC_FAILURE); 71 PKCS12err(PKCS12_F_PKCS12_INIT, ERR_R_MALLOC_FAILURE);
70 return NULL; 72 return NULL;
71 } 73 }
72 ASN1_INTEGER_set(pkcs12->version, 3); 74 ASN1_INTEGER_set(pkcs12->version, 3);
73 pkcs12->authsafes->type = OBJ_nid2obj(mode); 75 pkcs12->authsafes->type = OBJ_nid2obj(mode);
74 switch (mode) { 76 switch (mode) {
75 case NID_pkcs7_data: 77 case NID_pkcs7_data:
76 if (!(pkcs12->authsafes->d.data = 78 if (!(pkcs12->authsafes->d.data =
77 M_ASN1_OCTET_STRING_new())) { 79 M_ASN1_OCTET_STRING_new())) {
78 PKCS12err(PKCS12_F_PKCS12_INIT,ERR_R_MALLOC_FAILURE); 80 PKCS12err(PKCS12_F_PKCS12_INIT, ERR_R_MALLOC_FAILURE);
79 goto err; 81 goto err;
80 } 82 }
81 break; 83 break;
82 default: 84 default:
83 PKCS12err(PKCS12_F_PKCS12_INIT, 85 PKCS12err(PKCS12_F_PKCS12_INIT,
84 PKCS12_R_UNSUPPORTED_PKCS12_MODE); 86 PKCS12_R_UNSUPPORTED_PKCS12_MODE);
85 goto err; 87 goto err;
86 } 88 }
87 89
88 return pkcs12; 90 return pkcs12;
91
89err: 92err:
90 if (pkcs12 != NULL) PKCS12_free(pkcs12); 93 if (pkcs12 != NULL)
94 PKCS12_free(pkcs12);
91 return NULL; 95 return NULL;
92} 96}
diff --git a/src/lib/libcrypto/pkcs12/p12_key.c b/src/lib/libcrypto/pkcs12/p12_key.c
index 24c86b7fc8..ffa736a04f 100644
--- a/src/lib/libcrypto/pkcs12/p12_key.c
+++ b/src/lib/libcrypto/pkcs12/p12_key.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: p12_key.c,v 1.15 2014/06/12 15:49:30 deraadt Exp $ */ 1/* $OpenBSD: p12_key.c,v 1.16 2014/07/08 09:24:53 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999. 3 * project 1999.
4 */ 4 */
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -74,35 +74,37 @@ void h__dump (unsigned char *p, int len);
74#define min(a,b) ((a) < (b) ? (a) : (b)) 74#define min(a,b) ((a) < (b) ? (a) : (b))
75#endif 75#endif
76 76
77int PKCS12_key_gen_asc(const char *pass, int passlen, unsigned char *salt, 77int
78 int saltlen, int id, int iter, int n, unsigned char *out, 78PKCS12_key_gen_asc(const char *pass, int passlen, unsigned char *salt,
79 const EVP_MD *md_type) 79 int saltlen, int id, int iter, int n, unsigned char *out,
80 const EVP_MD *md_type)
80{ 81{
81 int ret; 82 int ret;
82 unsigned char *unipass; 83 unsigned char *unipass;
83 int uniplen; 84 int uniplen;
84 85
85 if(!pass) { 86 if (!pass) {
86 unipass = NULL; 87 unipass = NULL;
87 uniplen = 0; 88 uniplen = 0;
88 } else if (!OPENSSL_asc2uni(pass, passlen, &unipass, &uniplen)) { 89 } else if (!OPENSSL_asc2uni(pass, passlen, &unipass, &uniplen)) {
89 PKCS12err(PKCS12_F_PKCS12_KEY_GEN_ASC,ERR_R_MALLOC_FAILURE); 90 PKCS12err(PKCS12_F_PKCS12_KEY_GEN_ASC, ERR_R_MALLOC_FAILURE);
90 return 0; 91 return 0;
91 } 92 }
92 ret = PKCS12_key_gen_uni(unipass, uniplen, salt, saltlen, 93 ret = PKCS12_key_gen_uni(unipass, uniplen, salt, saltlen,
93 id, iter, n, out, md_type); 94 id, iter, n, out, md_type);
94 if (ret <= 0) 95 if (ret <= 0)
95 return 0; 96 return 0;
96 if(unipass) { 97 if (unipass) {
97 OPENSSL_cleanse(unipass, uniplen); /* Clear password from memory */ 98 OPENSSL_cleanse(unipass, uniplen); /* Clear password from memory */
98 free(unipass); 99 free(unipass);
99 } 100 }
100 return ret; 101 return ret;
101} 102}
102 103
103int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt, 104int
104 int saltlen, int id, int iter, int n, unsigned char *out, 105PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt,
105 const EVP_MD *md_type) 106 int saltlen, int id, int iter, int n, unsigned char *out,
107 const EVP_MD *md_type)
106{ 108{
107 unsigned char *B, *D, *I, *p, *Ai; 109 unsigned char *B, *D, *I, *p, *Ai;
108 int Slen, Plen, Ilen, Ijlen; 110 int Slen, Plen, Ilen, Ijlen;
@@ -117,7 +119,7 @@ int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt,
117 119
118#if 0 120#if 0
119 if (!pass) { 121 if (!pass) {
120 PKCS12err(PKCS12_F_PKCS12_KEY_GEN_UNI,ERR_R_PASSED_NULL_PARAMETER); 122 PKCS12err(PKCS12_F_PKCS12_KEY_GEN_UNI, ERR_R_PASSED_NULL_PARAMETER);
121 return 0; 123 return 0;
122 } 124 }
123#endif 125#endif
@@ -131,37 +133,42 @@ int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt,
131 fprintf(stderr, "Salt (length %d):\n", saltlen); 133 fprintf(stderr, "Salt (length %d):\n", saltlen);
132 h__dump(salt, saltlen); 134 h__dump(salt, saltlen);
133#endif 135#endif
134 v = EVP_MD_block_size (md_type); 136 v = EVP_MD_block_size(md_type);
135 u = EVP_MD_size (md_type); 137 u = EVP_MD_size(md_type);
136 if (u < 0) 138 if (u < 0)
137 return 0; 139 return 0;
138 D = malloc (v); 140 D = malloc(v);
139 Ai = malloc (u); 141 Ai = malloc(u);
140 B = malloc (v + 1); 142 B = malloc(v + 1);
141 Slen = v * ((saltlen+v-1)/v); 143 Slen = v * ((saltlen + v - 1) / v);
142 if(passlen) Plen = v * ((passlen+v-1)/v); 144 if (passlen)
143 else Plen = 0; 145 Plen = v * ((passlen + v - 1)/v);
146 else
147 Plen = 0;
144 Ilen = Slen + Plen; 148 Ilen = Slen + Plen;
145 I = malloc (Ilen); 149 I = malloc(Ilen);
146 Ij = BN_new(); 150 Ij = BN_new();
147 Bpl1 = BN_new(); 151 Bpl1 = BN_new();
148 if (!D || !Ai || !B || !I || !Ij || !Bpl1) 152 if (!D || !Ai || !B || !I || !Ij || !Bpl1)
149 goto err; 153 goto err;
150 for (i = 0; i < v; i++) D[i] = id; 154 for (i = 0; i < v; i++)
155 D[i] = id;
151 p = I; 156 p = I;
152 for (i = 0; i < Slen; i++) *p++ = salt[i % saltlen]; 157 for (i = 0; i < Slen; i++)
153 for (i = 0; i < Plen; i++) *p++ = pass[i % passlen]; 158 *p++ = salt[i % saltlen];
159 for (i = 0; i < Plen; i++)
160 *p++ = pass[i % passlen];
154 for (;;) { 161 for (;;) {
155 if (!EVP_DigestInit_ex(&ctx, md_type, NULL) 162 if (!EVP_DigestInit_ex(&ctx, md_type, NULL) ||
156 || !EVP_DigestUpdate(&ctx, D, v) 163 !EVP_DigestUpdate(&ctx, D, v) ||
157 || !EVP_DigestUpdate(&ctx, I, Ilen) 164 !EVP_DigestUpdate(&ctx, I, Ilen) ||
158 || !EVP_DigestFinal_ex(&ctx, Ai, NULL)) 165 !EVP_DigestFinal_ex(&ctx, Ai, NULL))
159 goto err; 166 goto err;
160 for (j = 1; j < iter; j++) { 167 for (j = 1; j < iter; j++) {
161 if (!EVP_DigestInit_ex(&ctx, md_type, NULL) 168 if (!EVP_DigestInit_ex(&ctx, md_type, NULL) ||
162 || !EVP_DigestUpdate(&ctx, Ai, u) 169 !EVP_DigestUpdate(&ctx, Ai, u) ||
163 || !EVP_DigestFinal_ex(&ctx, Ai, NULL)) 170 !EVP_DigestFinal_ex(&ctx, Ai, NULL))
164 goto err; 171 goto err;
165 } 172 }
166 memcpy (out, Ai, min (n, u)); 173 memcpy (out, Ai, min (n, u));
167 if (u >= n) { 174 if (u >= n) {
@@ -174,13 +181,14 @@ int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt,
174 } 181 }
175 n -= u; 182 n -= u;
176 out += u; 183 out += u;
177 for (j = 0; j < v; j++) B[j] = Ai[j % u]; 184 for (j = 0; j < v; j++)
185 B[j] = Ai[j % u];
178 /* Work out B + 1 first then can use B as tmp space */ 186 /* Work out B + 1 first then can use B as tmp space */
179 if (!BN_bin2bn (B, v, Bpl1)) 187 if (!BN_bin2bn (B, v, Bpl1))
180 goto err; 188 goto err;
181 if (!BN_add_word (Bpl1, 1)) 189 if (!BN_add_word (Bpl1, 1))
182 goto err; 190 goto err;
183 for (j = 0; j < Ilen ; j+=v) { 191 for (j = 0; j < Ilen; j += v) {
184 if (!BN_bin2bn(I + j, v, Ij)) 192 if (!BN_bin2bn(I + j, v, Ij))
185 goto err; 193 goto err;
186 if (!BN_add(Ij, Ij, Bpl1)) 194 if (!BN_add(Ij, Ij, Bpl1))
@@ -194,7 +202,7 @@ int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt,
194 goto err; 202 goto err;
195 memcpy (I + j, B + 1, v); 203 memcpy (I + j, B + 1, v);
196#ifndef PKCS12_BROKEN_KEYGEN 204#ifndef PKCS12_BROKEN_KEYGEN
197 /* If less than v bytes pad with zeroes */ 205 /* If less than v bytes pad with zeroes */
198 } else if (Ijlen < v) { 206 } else if (Ijlen < v) {
199 memset(I + j, 0, v - Ijlen); 207 memset(I + j, 0, v - Ijlen);
200 if (!BN_bn2bin(Ij, I + j + v - Ijlen)) 208 if (!BN_bn2bin(Ij, I + j + v - Ijlen))
@@ -206,7 +214,7 @@ int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt,
206 } 214 }
207 215
208err: 216err:
209 PKCS12err(PKCS12_F_PKCS12_KEY_GEN_UNI,ERR_R_MALLOC_FAILURE); 217 PKCS12err(PKCS12_F_PKCS12_KEY_GEN_UNI, ERR_R_MALLOC_FAILURE);
210 218
211end: 219end:
212 free (Ai); 220 free (Ai);
@@ -221,7 +229,8 @@ end:
221#ifdef DEBUG_KEYGEN 229#ifdef DEBUG_KEYGEN
222void h__dump (unsigned char *p, int len) 230void h__dump (unsigned char *p, int len)
223{ 231{
224 for (; len --; p++) fprintf(stderr, "%02X", *p); 232 for (; len --; p++)
225 fprintf(stderr, "\n"); 233 fprintf(stderr, "%02X", *p);
234 fprintf(stderr, "\n");
226} 235}
227#endif 236#endif
diff --git a/src/lib/libcrypto/pkcs12/p12_kiss.c b/src/lib/libcrypto/pkcs12/p12_kiss.c
index 0772fa65af..4063ba4b82 100644
--- a/src/lib/libcrypto/pkcs12/p12_kiss.c
+++ b/src/lib/libcrypto/pkcs12/p12_kiss.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: p12_kiss.c,v 1.14 2014/06/12 15:49:30 deraadt Exp $ */ 1/* $OpenBSD: p12_kiss.c,v 1.15 2014/07/08 09:24:53 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999. 3 * project 1999.
4 */ 4 */
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -63,13 +63,13 @@
63/* Simplified PKCS#12 routines */ 63/* Simplified PKCS#12 routines */
64 64
65static int parse_pk12( PKCS12 *p12, const char *pass, int passlen, 65static int parse_pk12( PKCS12 *p12, const char *pass, int passlen,
66 EVP_PKEY **pkey, STACK_OF(X509) *ocerts); 66 EVP_PKEY **pkey, STACK_OF(X509) *ocerts);
67 67
68static int parse_bags( STACK_OF(PKCS12_SAFEBAG) *bags, const char *pass, 68static int parse_bags( STACK_OF(PKCS12_SAFEBAG) *bags, const char *pass,
69 int passlen, EVP_PKEY **pkey, STACK_OF(X509) *ocerts); 69 int passlen, EVP_PKEY **pkey, STACK_OF(X509) *ocerts);
70 70
71static int parse_bag( PKCS12_SAFEBAG *bag, const char *pass, int passlen, 71static int parse_bag( PKCS12_SAFEBAG *bag, const char *pass, int passlen,
72 EVP_PKEY **pkey, STACK_OF(X509) *ocerts); 72 EVP_PKEY **pkey, STACK_OF(X509) *ocerts);
73 73
74/* Parse and decrypt a PKCS#12 structure returning user key, user cert 74/* Parse and decrypt a PKCS#12 structure returning user key, user cert
75 * and other (CA) certs. Note either ca should be NULL, *ca should be NULL, 75 * and other (CA) certs. Note either ca should be NULL, *ca should be NULL,
@@ -77,22 +77,23 @@ static int parse_bag( PKCS12_SAFEBAG *bag, const char *pass, int passlen,
77 * passed unitialised. 77 * passed unitialised.
78 */ 78 */
79 79
80int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert, 80int
81 STACK_OF(X509) **ca) 81PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert,
82 STACK_OF(X509) **ca)
82{ 83{
83 STACK_OF(X509) *ocerts = NULL; 84 STACK_OF(X509) *ocerts = NULL;
84 X509 *x = NULL; 85 X509 *x = NULL;
85 /* Check for NULL PKCS12 structure */ 86 /* Check for NULL PKCS12 structure */
86 87
87 if(!p12) 88 if (!p12) {
88 { 89 PKCS12err(PKCS12_F_PKCS12_PARSE,
89 PKCS12err(PKCS12_F_PKCS12_PARSE,PKCS12_R_INVALID_NULL_PKCS12_POINTER); 90 PKCS12_R_INVALID_NULL_PKCS12_POINTER);
90 return 0; 91 return 0;
91 } 92 }
92 93
93 if(pkey) 94 if (pkey)
94 *pkey = NULL; 95 *pkey = NULL;
95 if(cert) 96 if (cert)
96 *cert = NULL; 97 *cert = NULL;
97 98
98 /* Check the mac */ 99 /* Check the mac */
@@ -103,46 +104,42 @@ int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert,
103 * password are two different things... 104 * password are two different things...
104 */ 105 */
105 106
106 if(!pass || !*pass) { 107 if (!pass || !*pass) {
107 if(PKCS12_verify_mac(p12, NULL, 0)) pass = NULL; 108 if (PKCS12_verify_mac(p12, NULL, 0))
108 else if(PKCS12_verify_mac(p12, "", 0)) pass = ""; 109 pass = NULL;
110 else if (PKCS12_verify_mac(p12, "", 0))
111 pass = "";
109 else { 112 else {
110 PKCS12err(PKCS12_F_PKCS12_PARSE,PKCS12_R_MAC_VERIFY_FAILURE); 113 PKCS12err(PKCS12_F_PKCS12_PARSE,
114 PKCS12_R_MAC_VERIFY_FAILURE);
111 goto err; 115 goto err;
112 } 116 }
113 } else if (!PKCS12_verify_mac(p12, pass, -1)) { 117 } else if (!PKCS12_verify_mac(p12, pass, -1)) {
114 PKCS12err(PKCS12_F_PKCS12_PARSE,PKCS12_R_MAC_VERIFY_FAILURE); 118 PKCS12err(PKCS12_F_PKCS12_PARSE, PKCS12_R_MAC_VERIFY_FAILURE);
115 goto err; 119 goto err;
116 } 120 }
117 121
118 /* Allocate stack for other certificates */ 122 /* Allocate stack for other certificates */
119 ocerts = sk_X509_new_null(); 123 ocerts = sk_X509_new_null();
120 124 if (!ocerts) {
121 if (!ocerts) 125 PKCS12err(PKCS12_F_PKCS12_PARSE, ERR_R_MALLOC_FAILURE);
122 {
123 PKCS12err(PKCS12_F_PKCS12_PARSE,ERR_R_MALLOC_FAILURE);
124 return 0; 126 return 0;
125 } 127 }
126 128
127 if (!parse_pk12 (p12, pass, -1, pkey, ocerts)) 129 if (!parse_pk12 (p12, pass, -1, pkey, ocerts)) {
128 { 130 PKCS12err(PKCS12_F_PKCS12_PARSE, PKCS12_R_PARSE_ERROR);
129 PKCS12err(PKCS12_F_PKCS12_PARSE,PKCS12_R_PARSE_ERROR);
130 goto err; 131 goto err;
131 } 132 }
132 133
133 while ((x = sk_X509_pop(ocerts))) 134 while ((x = sk_X509_pop(ocerts))) {
134 { 135 if (pkey && *pkey && cert && !*cert) {
135 if (pkey && *pkey && cert && !*cert) 136 if (X509_check_private_key(x, *pkey)) {
136 {
137 if (X509_check_private_key(x, *pkey))
138 {
139 *cert = x; 137 *cert = x;
140 x = NULL; 138 x = NULL;
141 }
142 } 139 }
140 }
143 141
144 if (ca && x) 142 if (ca && x) {
145 {
146 if (!*ca) 143 if (!*ca)
147 *ca = sk_X509_new_null(); 144 *ca = sk_X509_new_null();
148 if (!*ca) 145 if (!*ca)
@@ -150,18 +147,17 @@ int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert,
150 if (!sk_X509_push(*ca, x)) 147 if (!sk_X509_push(*ca, x))
151 goto err; 148 goto err;
152 x = NULL; 149 x = NULL;
153 } 150 }
154 if (x) 151 if (x)
155 X509_free(x); 152 X509_free(x);
156 } 153 }
157 154
158 if (ocerts) 155 if (ocerts)
159 sk_X509_pop_free(ocerts, X509_free); 156 sk_X509_pop_free(ocerts, X509_free);
160 157
161 return 1; 158 return 1;
162 159
163 err: 160err:
164
165 if (pkey && *pkey) 161 if (pkey && *pkey)
166 EVP_PKEY_free(*pkey); 162 EVP_PKEY_free(*pkey);
167 if (cert && *cert) 163 if (cert && *cert)
@@ -171,20 +167,21 @@ int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert,
171 if (ocerts) 167 if (ocerts)
172 sk_X509_pop_free(ocerts, X509_free); 168 sk_X509_pop_free(ocerts, X509_free);
173 return 0; 169 return 0;
174
175} 170}
176 171
177/* Parse the outer PKCS#12 structure */ 172/* Parse the outer PKCS#12 structure */
178 173
179static int parse_pk12(PKCS12 *p12, const char *pass, int passlen, 174static int
180 EVP_PKEY **pkey, STACK_OF(X509) *ocerts) 175parse_pk12(PKCS12 *p12, const char *pass, int passlen, EVP_PKEY **pkey,
176 STACK_OF(X509) *ocerts)
181{ 177{
182 STACK_OF(PKCS7) *asafes; 178 STACK_OF(PKCS7) *asafes;
183 STACK_OF(PKCS12_SAFEBAG) *bags; 179 STACK_OF(PKCS12_SAFEBAG) *bags;
184 int i, bagnid; 180 int i, bagnid;
185 PKCS7 *p7; 181 PKCS7 *p7;
186 182
187 if (!(asafes = PKCS12_unpack_authsafes (p12))) return 0; 183 if (!(asafes = PKCS12_unpack_authsafes (p12)))
184 return 0;
188 for (i = 0; i < sk_PKCS7_num (asafes); i++) { 185 for (i = 0; i < sk_PKCS7_num (asafes); i++) {
189 p7 = sk_PKCS7_value (asafes, i); 186 p7 = sk_PKCS7_value (asafes, i);
190 bagnid = OBJ_obj2nid (p7->type); 187 bagnid = OBJ_obj2nid (p7->type);
@@ -192,12 +189,13 @@ static int parse_pk12(PKCS12 *p12, const char *pass, int passlen,
192 bags = PKCS12_unpack_p7data(p7); 189 bags = PKCS12_unpack_p7data(p7);
193 } else if (bagnid == NID_pkcs7_encrypted) { 190 } else if (bagnid == NID_pkcs7_encrypted) {
194 bags = PKCS12_unpack_p7encdata(p7, pass, passlen); 191 bags = PKCS12_unpack_p7encdata(p7, pass, passlen);
195 } else continue; 192 } else
193 continue;
196 if (!bags) { 194 if (!bags) {
197 sk_PKCS7_pop_free(asafes, PKCS7_free); 195 sk_PKCS7_pop_free(asafes, PKCS7_free);
198 return 0; 196 return 0;
199 } 197 }
200 if (!parse_bags(bags, pass, passlen, pkey, ocerts)) { 198 if (!parse_bags(bags, pass, passlen, pkey, ocerts)) {
201 sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free); 199 sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
202 sk_PKCS7_pop_free(asafes, PKCS7_free); 200 sk_PKCS7_pop_free(asafes, PKCS7_free);
203 return 0; 201 return 0;
@@ -208,21 +206,23 @@ static int parse_pk12(PKCS12 *p12, const char *pass, int passlen,
208 return 1; 206 return 1;
209} 207}
210 208
211 209static int
212static int parse_bags(STACK_OF(PKCS12_SAFEBAG) *bags, const char *pass, 210parse_bags(STACK_OF(PKCS12_SAFEBAG) *bags, const char *pass, int passlen,
213 int passlen, EVP_PKEY **pkey, STACK_OF(X509) *ocerts) 211 EVP_PKEY **pkey, STACK_OF(X509) *ocerts)
214{ 212{
215 int i; 213 int i;
214
216 for (i = 0; i < sk_PKCS12_SAFEBAG_num(bags); i++) { 215 for (i = 0; i < sk_PKCS12_SAFEBAG_num(bags); i++) {
217 if (!parse_bag(sk_PKCS12_SAFEBAG_value (bags, i), 216 if (!parse_bag(sk_PKCS12_SAFEBAG_value(bags, i), pass, passlen,
218 pass, passlen, pkey, ocerts)) 217 pkey, ocerts))
219 return 0; 218 return 0;
220 } 219 }
221 return 1; 220 return 1;
222} 221}
223 222
224static int parse_bag(PKCS12_SAFEBAG *bag, const char *pass, int passlen, 223static int
225 EVP_PKEY **pkey, STACK_OF(X509) *ocerts) 224parse_bag(PKCS12_SAFEBAG *bag, const char *pass, int passlen, EVP_PKEY **pkey,
225 STACK_OF(X509) *ocerts)
226{ 226{
227 PKCS8_PRIV_KEY_INFO *p8; 227 PKCS8_PRIV_KEY_INFO *p8;
228 X509 *x509; 228 X509 *x509;
@@ -236,67 +236,63 @@ static int parse_bag(PKCS12_SAFEBAG *bag, const char *pass, int passlen,
236 if ((attrib = PKCS12_get_attr (bag, NID_localKeyID))) 236 if ((attrib = PKCS12_get_attr (bag, NID_localKeyID)))
237 lkid = attrib->value.octet_string; 237 lkid = attrib->value.octet_string;
238 238
239 switch (M_PKCS12_bag_type(bag)) 239 switch (M_PKCS12_bag_type(bag)) {
240 {
241 case NID_keyBag: 240 case NID_keyBag:
242 if (!pkey || *pkey) 241 if (!pkey || *pkey)
243 return 1; 242 return 1;
244 if (!(*pkey = EVP_PKCS82PKEY(bag->value.keybag))) 243 if (!(*pkey = EVP_PKCS82PKEY(bag->value.keybag)))
245 return 0; 244 return 0;
246 break; 245 break;
247 246
248 case NID_pkcs8ShroudedKeyBag: 247 case NID_pkcs8ShroudedKeyBag:
249 if (!pkey || *pkey) 248 if (!pkey || *pkey)
250 return 1; 249 return 1;
251 if (!(p8 = PKCS12_decrypt_skey(bag, pass, passlen))) 250 if (!(p8 = PKCS12_decrypt_skey(bag, pass, passlen)))
252 return 0; 251 return 0;
253 *pkey = EVP_PKCS82PKEY(p8); 252 *pkey = EVP_PKCS82PKEY(p8);
254 PKCS8_PRIV_KEY_INFO_free(p8); 253 PKCS8_PRIV_KEY_INFO_free(p8);
255 if (!(*pkey)) return 0; 254 if (!(*pkey))
256 break; 255 return 0;
256 break;
257 257
258 case NID_certBag: 258 case NID_certBag:
259 if (M_PKCS12_cert_bag_type(bag) != NID_x509Certificate ) 259 if (M_PKCS12_cert_bag_type(bag) != NID_x509Certificate )
260 return 1; 260 return 1;
261 if (!(x509 = PKCS12_certbag2x509(bag))) 261 if (!(x509 = PKCS12_certbag2x509(bag)))
262 return 0; 262 return 0;
263 if(lkid && !X509_keyid_set1(x509, lkid->data, lkid->length)) 263 if (lkid && !X509_keyid_set1(x509, lkid->data, lkid->length)) {
264 {
265 X509_free(x509); 264 X509_free(x509);
266 return 0; 265 return 0;
267 } 266 }
268 if(fname) { 267 if (fname) {
269 int len, r; 268 int len, r;
270 unsigned char *data; 269 unsigned char *data;
271 len = ASN1_STRING_to_UTF8(&data, fname); 270 len = ASN1_STRING_to_UTF8(&data, fname);
272 if(len >= 0) { 271 if (len >= 0) {
273 r = X509_alias_set1(x509, data, len); 272 r = X509_alias_set1(x509, data, len);
274 free(data); 273 free(data);
275 if (!r) 274 if (!r) {
276 {
277 X509_free(x509); 275 X509_free(x509);
278 return 0; 276 return 0;
279 } 277 }
280 } 278 }
281 } 279 }
282 280
283 if(!sk_X509_push(ocerts, x509)) 281 if (!sk_X509_push(ocerts, x509)) {
284 {
285 X509_free(x509); 282 X509_free(x509);
286 return 0; 283 return 0;
287 } 284 }
288 285
289 break; 286 break;
290 287
291 case NID_safeContentsBag: 288 case NID_safeContentsBag:
292 return parse_bags(bag->value.safes, pass, passlen, 289 return parse_bags(bag->value.safes, pass, passlen,
293 pkey, ocerts); 290 pkey, ocerts);
294 break; 291 break;
295 292
296 default: 293 default:
297 return 1; 294 return 1;
298 break; 295 break;
299 } 296 }
300 return 1; 297 return 1;
301} 298}
302
diff --git a/src/lib/libcrypto/pkcs12/p12_mutl.c b/src/lib/libcrypto/pkcs12/p12_mutl.c
index 203480fb15..7a2fab1666 100644
--- a/src/lib/libcrypto/pkcs12/p12_mutl.c
+++ b/src/lib/libcrypto/pkcs12/p12_mutl.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: p12_mutl.c,v 1.13 2014/06/12 15:49:30 deraadt Exp $ */ 1/* $OpenBSD: p12_mutl.c,v 1.14 2014/07/08 09:24:53 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999. 3 * project 1999.
4 */ 4 */
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -64,8 +64,9 @@
64#include <openssl/pkcs12.h> 64#include <openssl/pkcs12.h>
65 65
66/* Generate a MAC */ 66/* Generate a MAC */
67int PKCS12_gen_mac(PKCS12 *p12, const char *pass, int passlen, 67int
68 unsigned char *mac, unsigned int *maclen) 68PKCS12_gen_mac(PKCS12 *p12, const char *pass, int passlen,
69 unsigned char *mac, unsigned int *maclen)
69{ 70{
70 const EVP_MD *md_type; 71 const EVP_MD *md_type;
71 HMAC_CTX hmac; 72 HMAC_CTX hmac;
@@ -73,101 +74,115 @@ int PKCS12_gen_mac(PKCS12 *p12, const char *pass, int passlen,
73 int saltlen, iter; 74 int saltlen, iter;
74 int md_size; 75 int md_size;
75 76
76 if (!PKCS7_type_is_data(p12->authsafes)) 77 if (!PKCS7_type_is_data(p12->authsafes)) {
77 { 78 PKCS12err(PKCS12_F_PKCS12_GEN_MAC,
78 PKCS12err(PKCS12_F_PKCS12_GEN_MAC,PKCS12_R_CONTENT_TYPE_NOT_DATA); 79 PKCS12_R_CONTENT_TYPE_NOT_DATA);
79 return 0; 80 return 0;
80 } 81 }
81 82
82 salt = p12->mac->salt->data; 83 salt = p12->mac->salt->data;
83 saltlen = p12->mac->salt->length; 84 saltlen = p12->mac->salt->length;
84 if (!p12->mac->iter) iter = 1; 85 if (!p12->mac->iter)
85 else iter = ASN1_INTEGER_get (p12->mac->iter); 86 iter = 1;
86 if(!(md_type = 87 else
87 EVP_get_digestbyobj (p12->mac->dinfo->algor->algorithm))) { 88 iter = ASN1_INTEGER_get(p12->mac->iter);
88 PKCS12err(PKCS12_F_PKCS12_GEN_MAC,PKCS12_R_UNKNOWN_DIGEST_ALGORITHM); 89 if (!(md_type = EVP_get_digestbyobj(
90 p12->mac->dinfo->algor->algorithm))) {
91 PKCS12err(PKCS12_F_PKCS12_GEN_MAC,
92 PKCS12_R_UNKNOWN_DIGEST_ALGORITHM);
89 return 0; 93 return 0;
90 } 94 }
91 md_size = EVP_MD_size(md_type); 95 md_size = EVP_MD_size(md_type);
92 if (md_size < 0) 96 if (md_size < 0)
93 return 0; 97 return 0;
94 if(!PKCS12_key_gen (pass, passlen, salt, saltlen, PKCS12_MAC_ID, iter, 98 if (!PKCS12_key_gen (pass, passlen, salt, saltlen, PKCS12_MAC_ID, iter,
95 md_size, key, md_type)) { 99 md_size, key, md_type)) {
96 PKCS12err(PKCS12_F_PKCS12_GEN_MAC,PKCS12_R_KEY_GEN_ERROR); 100 PKCS12err(PKCS12_F_PKCS12_GEN_MAC, PKCS12_R_KEY_GEN_ERROR);
97 return 0; 101 return 0;
98 } 102 }
99 HMAC_CTX_init(&hmac); 103 HMAC_CTX_init(&hmac);
100 if (!HMAC_Init_ex(&hmac, key, md_size, md_type, NULL) 104 if (!HMAC_Init_ex(&hmac, key, md_size, md_type, NULL) ||
101 || !HMAC_Update(&hmac, p12->authsafes->d.data->data, 105 !HMAC_Update(&hmac, p12->authsafes->d.data->data,
102 p12->authsafes->d.data->length) 106 p12->authsafes->d.data->length) ||
103 || !HMAC_Final(&hmac, mac, maclen)) 107 !HMAC_Final(&hmac, mac, maclen)) {
104 { 108 HMAC_CTX_cleanup(&hmac);
105 HMAC_CTX_cleanup(&hmac);
106 return 0; 109 return 0;
107 } 110 }
108 HMAC_CTX_cleanup(&hmac); 111 HMAC_CTX_cleanup(&hmac);
109 return 1; 112 return 1;
110} 113}
111 114
112/* Verify the mac */ 115/* Verify the mac */
113int PKCS12_verify_mac(PKCS12 *p12, const char *pass, int passlen) 116int
117PKCS12_verify_mac(PKCS12 *p12, const char *pass, int passlen)
114{ 118{
115 unsigned char mac[EVP_MAX_MD_SIZE]; 119 unsigned char mac[EVP_MAX_MD_SIZE];
116 unsigned int maclen; 120 unsigned int maclen;
117 if(p12->mac == NULL) { 121 if (p12->mac == NULL) {
118 PKCS12err(PKCS12_F_PKCS12_VERIFY_MAC,PKCS12_R_MAC_ABSENT); 122 PKCS12err(PKCS12_F_PKCS12_VERIFY_MAC, PKCS12_R_MAC_ABSENT);
119 return 0; 123 return 0;
120 } 124 }
121 if (!PKCS12_gen_mac (p12, pass, passlen, mac, &maclen)) { 125 if (!PKCS12_gen_mac (p12, pass, passlen, mac, &maclen)) {
122 PKCS12err(PKCS12_F_PKCS12_VERIFY_MAC,PKCS12_R_MAC_GENERATION_ERROR); 126 PKCS12err(PKCS12_F_PKCS12_VERIFY_MAC,
127 PKCS12_R_MAC_GENERATION_ERROR);
123 return 0; 128 return 0;
124 } 129 }
125 if ((maclen != (unsigned int)p12->mac->dinfo->digest->length) 130 if ((maclen != (unsigned int)p12->mac->dinfo->digest->length) ||
126 || memcmp (mac, p12->mac->dinfo->digest->data, maclen)) return 0; 131 memcmp(mac, p12->mac->dinfo->digest->data, maclen))
132 return 0;
127 return 1; 133 return 1;
128} 134}
129 135
130/* Set a mac */ 136/* Set a mac */
131 137
132int PKCS12_set_mac(PKCS12 *p12, const char *pass, int passlen, 138int
133 unsigned char *salt, int saltlen, int iter, const EVP_MD *md_type) 139PKCS12_set_mac(PKCS12 *p12, const char *pass, int passlen, unsigned char *salt,
140 int saltlen, int iter, const EVP_MD *md_type)
134{ 141{
135 unsigned char mac[EVP_MAX_MD_SIZE]; 142 unsigned char mac[EVP_MAX_MD_SIZE];
136 unsigned int maclen; 143 unsigned int maclen;
137 144
138 if (!md_type) md_type = EVP_sha1(); 145 if (!md_type)
146 md_type = EVP_sha1();
139 if (PKCS12_setup_mac (p12, iter, salt, saltlen, md_type) == 147 if (PKCS12_setup_mac (p12, iter, salt, saltlen, md_type) ==
140 PKCS12_ERROR) { 148 PKCS12_ERROR) {
141 PKCS12err(PKCS12_F_PKCS12_SET_MAC,PKCS12_R_MAC_SETUP_ERROR); 149 PKCS12err(PKCS12_F_PKCS12_SET_MAC, PKCS12_R_MAC_SETUP_ERROR);
142 return 0; 150 return 0;
143 } 151 }
144 if (!PKCS12_gen_mac (p12, pass, passlen, mac, &maclen)) { 152 if (!PKCS12_gen_mac (p12, pass, passlen, mac, &maclen)) {
145 PKCS12err(PKCS12_F_PKCS12_SET_MAC,PKCS12_R_MAC_GENERATION_ERROR); 153 PKCS12err(PKCS12_F_PKCS12_SET_MAC,
154 PKCS12_R_MAC_GENERATION_ERROR);
146 return 0; 155 return 0;
147 } 156 }
148 if (!(M_ASN1_OCTET_STRING_set (p12->mac->dinfo->digest, mac, maclen))) { 157 if (!(M_ASN1_OCTET_STRING_set (p12->mac->dinfo->digest, mac, maclen))) {
149 PKCS12err(PKCS12_F_PKCS12_SET_MAC,PKCS12_R_MAC_STRING_SET_ERROR); 158 PKCS12err(PKCS12_F_PKCS12_SET_MAC,
150 return 0; 159 PKCS12_R_MAC_STRING_SET_ERROR);
160 return 0;
151 } 161 }
152 return 1; 162 return 1;
153} 163}
154 164
155/* Set up a mac structure */ 165/* Set up a mac structure */
156int PKCS12_setup_mac(PKCS12 *p12, int iter, unsigned char *salt, int saltlen, 166int
157 const EVP_MD *md_type) 167PKCS12_setup_mac(PKCS12 *p12, int iter, unsigned char *salt, int saltlen,
168 const EVP_MD *md_type)
158{ 169{
159 if (!(p12->mac = PKCS12_MAC_DATA_new())) return PKCS12_ERROR; 170 if (!(p12->mac = PKCS12_MAC_DATA_new()))
171 return PKCS12_ERROR;
160 if (iter > 1) { 172 if (iter > 1) {
161 if(!(p12->mac->iter = M_ASN1_INTEGER_new())) { 173 if (!(p12->mac->iter = M_ASN1_INTEGER_new())) {
162 PKCS12err(PKCS12_F_PKCS12_SETUP_MAC, ERR_R_MALLOC_FAILURE); 174 PKCS12err(PKCS12_F_PKCS12_SETUP_MAC,
175 ERR_R_MALLOC_FAILURE);
163 return 0; 176 return 0;
164 } 177 }
165 if (!ASN1_INTEGER_set(p12->mac->iter, iter)) { 178 if (!ASN1_INTEGER_set(p12->mac->iter, iter)) {
166 PKCS12err(PKCS12_F_PKCS12_SETUP_MAC, ERR_R_MALLOC_FAILURE); 179 PKCS12err(PKCS12_F_PKCS12_SETUP_MAC,
180 ERR_R_MALLOC_FAILURE);
167 return 0; 181 return 0;
168 } 182 }
169 } 183 }
170 if (!saltlen) saltlen = PKCS12_SALT_LEN; 184 if (!saltlen)
185 saltlen = PKCS12_SALT_LEN;
171 p12->mac->salt->length = saltlen; 186 p12->mac->salt->length = saltlen;
172 if (!(p12->mac->salt->data = malloc (saltlen))) { 187 if (!(p12->mac->salt->data = malloc (saltlen))) {
173 PKCS12err(PKCS12_F_PKCS12_SETUP_MAC, ERR_R_MALLOC_FAILURE); 188 PKCS12err(PKCS12_F_PKCS12_SETUP_MAC, ERR_R_MALLOC_FAILURE);
@@ -176,15 +191,15 @@ int PKCS12_setup_mac(PKCS12 *p12, int iter, unsigned char *salt, int saltlen,
176 if (!salt) { 191 if (!salt) {
177 if (RAND_pseudo_bytes (p12->mac->salt->data, saltlen) < 0) 192 if (RAND_pseudo_bytes (p12->mac->salt->data, saltlen) < 0)
178 return 0; 193 return 0;
179 } 194 } else
180 else memcpy (p12->mac->salt->data, salt, saltlen); 195 memcpy (p12->mac->salt->data, salt, saltlen);
181 p12->mac->dinfo->algor->algorithm = OBJ_nid2obj(EVP_MD_type(md_type)); 196 p12->mac->dinfo->algor->algorithm = OBJ_nid2obj(EVP_MD_type(md_type));
182 if (!(p12->mac->dinfo->algor->parameter = ASN1_TYPE_new())) { 197 if (!(p12->mac->dinfo->algor->parameter = ASN1_TYPE_new())) {
183 PKCS12err(PKCS12_F_PKCS12_SETUP_MAC, ERR_R_MALLOC_FAILURE); 198 PKCS12err(PKCS12_F_PKCS12_SETUP_MAC, ERR_R_MALLOC_FAILURE);
184 return 0; 199 return 0;
185 } 200 }
186 p12->mac->dinfo->algor->parameter->type = V_ASN1_NULL; 201 p12->mac->dinfo->algor->parameter->type = V_ASN1_NULL;
187 202
188 return 1; 203 return 1;
189} 204}
190#endif 205#endif
diff --git a/src/lib/libcrypto/pkcs12/p12_npas.c b/src/lib/libcrypto/pkcs12/p12_npas.c
index 9477de4a08..ab7bdc6458 100644
--- a/src/lib/libcrypto/pkcs12/p12_npas.c
+++ b/src/lib/libcrypto/pkcs12/p12_npas.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: p12_npas.c,v 1.8 2014/06/12 15:49:30 deraadt Exp $ */ 1/* $OpenBSD: p12_npas.c,v 1.9 2014/07/08 09:24:53 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999. 3 * project 1999.
4 */ 4 */
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -67,32 +67,34 @@
67 67
68static int newpass_p12(PKCS12 *p12, char *oldpass, char *newpass); 68static int newpass_p12(PKCS12 *p12, char *oldpass, char *newpass);
69static int newpass_bags(STACK_OF(PKCS12_SAFEBAG) *bags, char *oldpass, 69static int newpass_bags(STACK_OF(PKCS12_SAFEBAG) *bags, char *oldpass,
70 char *newpass); 70 char *newpass);
71static int newpass_bag(PKCS12_SAFEBAG *bag, char *oldpass, char *newpass); 71static int newpass_bag(PKCS12_SAFEBAG *bag, char *oldpass, char *newpass);
72static int alg_get(X509_ALGOR *alg, int *pnid, int *piter, int *psaltlen); 72static int alg_get(X509_ALGOR *alg, int *pnid, int *piter, int *psaltlen);
73 73
74/* 74/*
75 * Change the password on a PKCS#12 structure. 75 * Change the password on a PKCS#12 structure.
76 */ 76 */
77 77
78int PKCS12_newpass(PKCS12 *p12, char *oldpass, char *newpass) 78int
79PKCS12_newpass(PKCS12 *p12, char *oldpass, char *newpass)
79{ 80{
80 /* Check for NULL PKCS12 structure */ 81 /* Check for NULL PKCS12 structure */
81 82
82 if(!p12) { 83 if (!p12) {
83 PKCS12err(PKCS12_F_PKCS12_NEWPASS,PKCS12_R_INVALID_NULL_PKCS12_POINTER); 84 PKCS12err(PKCS12_F_PKCS12_NEWPASS,
85 PKCS12_R_INVALID_NULL_PKCS12_POINTER);
84 return 0; 86 return 0;
85 } 87 }
86 88
87 /* Check the mac */ 89 /* Check the mac */
88 90
89 if (!PKCS12_verify_mac(p12, oldpass, -1)) { 91 if (!PKCS12_verify_mac(p12, oldpass, -1)) {
90 PKCS12err(PKCS12_F_PKCS12_NEWPASS,PKCS12_R_MAC_VERIFY_FAILURE); 92 PKCS12err(PKCS12_F_PKCS12_NEWPASS, PKCS12_R_MAC_VERIFY_FAILURE);
91 return 0; 93 return 0;
92 } 94 }
93 95
94 if (!newpass_p12(p12, oldpass, newpass)) { 96 if (!newpass_p12(p12, oldpass, newpass)) {
95 PKCS12err(PKCS12_F_PKCS12_NEWPASS,PKCS12_R_PARSE_ERROR); 97 PKCS12err(PKCS12_F_PKCS12_NEWPASS, PKCS12_R_PARSE_ERROR);
96 return 0; 98 return 0;
97 } 99 }
98 100
@@ -101,7 +103,8 @@ int PKCS12_newpass(PKCS12 *p12, char *oldpass, char *newpass)
101 103
102/* Parse the outer PKCS#12 structure */ 104/* Parse the outer PKCS#12 structure */
103 105
104static int newpass_p12(PKCS12 *p12, char *oldpass, char *newpass) 106static int
107newpass_p12(PKCS12 *p12, char *oldpass, char *newpass)
105{ 108{
106 STACK_OF(PKCS7) *asafes, *newsafes; 109 STACK_OF(PKCS7) *asafes, *newsafes;
107 STACK_OF(PKCS12_SAFEBAG) *bags; 110 STACK_OF(PKCS12_SAFEBAG) *bags;
@@ -111,8 +114,10 @@ static int newpass_p12(PKCS12 *p12, char *oldpass, char *newpass)
111 unsigned char mac[EVP_MAX_MD_SIZE]; 114 unsigned char mac[EVP_MAX_MD_SIZE];
112 unsigned int maclen; 115 unsigned int maclen;
113 116
114 if (!(asafes = PKCS12_unpack_authsafes(p12))) return 0; 117 if (!(asafes = PKCS12_unpack_authsafes(p12)))
115 if(!(newsafes = sk_PKCS7_new_null())) return 0; 118 return 0;
119 if (!(newsafes = sk_PKCS7_new_null()))
120 return 0;
116 for (i = 0; i < sk_PKCS7_num (asafes); i++) { 121 for (i = 0; i < sk_PKCS7_num (asafes); i++) {
117 p7 = sk_PKCS7_value(asafes, i); 122 p7 = sk_PKCS7_value(asafes, i);
118 bagnid = OBJ_obj2nid(p7->type); 123 bagnid = OBJ_obj2nid(p7->type);
@@ -121,28 +126,30 @@ static int newpass_p12(PKCS12 *p12, char *oldpass, char *newpass)
121 } else if (bagnid == NID_pkcs7_encrypted) { 126 } else if (bagnid == NID_pkcs7_encrypted) {
122 bags = PKCS12_unpack_p7encdata(p7, oldpass, -1); 127 bags = PKCS12_unpack_p7encdata(p7, oldpass, -1);
123 if (!alg_get(p7->d.encrypted->enc_data->algorithm, 128 if (!alg_get(p7->d.encrypted->enc_data->algorithm,
124 &pbe_nid, &pbe_iter, &pbe_saltlen)) 129 &pbe_nid, &pbe_iter, &pbe_saltlen)) {
125 {
126 sk_PKCS12_SAFEBAG_pop_free(bags, 130 sk_PKCS12_SAFEBAG_pop_free(bags,
127 PKCS12_SAFEBAG_free); 131 PKCS12_SAFEBAG_free);
128 bags = NULL; 132 bags = NULL;
129 } 133 }
130 } else continue; 134 } else
135 continue;
131 if (!bags) { 136 if (!bags) {
132 sk_PKCS7_pop_free(asafes, PKCS7_free); 137 sk_PKCS7_pop_free(asafes, PKCS7_free);
133 return 0; 138 return 0;
134 } 139 }
135 if (!newpass_bags(bags, oldpass, newpass)) { 140 if (!newpass_bags(bags, oldpass, newpass)) {
136 sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free); 141 sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
137 sk_PKCS7_pop_free(asafes, PKCS7_free); 142 sk_PKCS7_pop_free(asafes, PKCS7_free);
138 return 0; 143 return 0;
139 } 144 }
140 /* Repack bag in same form with new password */ 145 /* Repack bag in same form with new password */
141 if (bagnid == NID_pkcs7_data) p7new = PKCS12_pack_p7data(bags); 146 if (bagnid == NID_pkcs7_data)
142 else p7new = PKCS12_pack_p7encdata(pbe_nid, newpass, -1, NULL, 147 p7new = PKCS12_pack_p7data(bags);
143 pbe_saltlen, pbe_iter, bags); 148 else
149 p7new = PKCS12_pack_p7encdata(pbe_nid, newpass, -1,
150 NULL, pbe_saltlen, pbe_iter, bags);
144 sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free); 151 sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
145 if(!p7new) { 152 if (!p7new) {
146 sk_PKCS7_pop_free(asafes, PKCS7_free); 153 sk_PKCS7_pop_free(asafes, PKCS7_free);
147 return 0; 154 return 0;
148 } 155 }
@@ -153,73 +160,82 @@ static int newpass_p12(PKCS12 *p12, char *oldpass, char *newpass)
153 /* Repack safe: save old safe in case of error */ 160 /* Repack safe: save old safe in case of error */
154 161
155 p12_data_tmp = p12->authsafes->d.data; 162 p12_data_tmp = p12->authsafes->d.data;
156 if(!(p12->authsafes->d.data = ASN1_OCTET_STRING_new())) goto saferr; 163 if (!(p12->authsafes->d.data = ASN1_OCTET_STRING_new()))
157 if(!PKCS12_pack_authsafes(p12, newsafes)) goto saferr; 164 goto saferr;
158 165 if (!PKCS12_pack_authsafes(p12, newsafes))
159 if(!PKCS12_gen_mac(p12, newpass, -1, mac, &maclen)) goto saferr; 166 goto saferr;
160 if(!(macnew = ASN1_OCTET_STRING_new())) goto saferr; 167
161 if(!ASN1_OCTET_STRING_set(macnew, mac, maclen)) goto saferr; 168 if (!PKCS12_gen_mac(p12, newpass, -1, mac, &maclen))
169 goto saferr;
170 if (!(macnew = ASN1_OCTET_STRING_new()))
171 goto saferr;
172 if (!ASN1_OCTET_STRING_set(macnew, mac, maclen))
173 goto saferr;
162 ASN1_OCTET_STRING_free(p12->mac->dinfo->digest); 174 ASN1_OCTET_STRING_free(p12->mac->dinfo->digest);
163 p12->mac->dinfo->digest = macnew; 175 p12->mac->dinfo->digest = macnew;
164 ASN1_OCTET_STRING_free(p12_data_tmp); 176 ASN1_OCTET_STRING_free(p12_data_tmp);
165 177
166 return 1; 178 return 1;
167 179
168 saferr: 180saferr:
169 /* Restore old safe */ 181 /* Restore old safe */
170 ASN1_OCTET_STRING_free(p12->authsafes->d.data); 182 ASN1_OCTET_STRING_free(p12->authsafes->d.data);
171 ASN1_OCTET_STRING_free(macnew); 183 ASN1_OCTET_STRING_free(macnew);
172 p12->authsafes->d.data = p12_data_tmp; 184 p12->authsafes->d.data = p12_data_tmp;
173 return 0; 185 return 0;
174
175} 186}
176 187
177 188
178static int newpass_bags(STACK_OF(PKCS12_SAFEBAG) *bags, char *oldpass, 189static int
179 char *newpass) 190newpass_bags(STACK_OF(PKCS12_SAFEBAG) *bags, char *oldpass, char *newpass)
180{ 191{
181 int i; 192 int i;
193
182 for (i = 0; i < sk_PKCS12_SAFEBAG_num(bags); i++) { 194 for (i = 0; i < sk_PKCS12_SAFEBAG_num(bags); i++) {
183 if (!newpass_bag(sk_PKCS12_SAFEBAG_value(bags, i), 195 if (!newpass_bag(sk_PKCS12_SAFEBAG_value(bags, i),
184 oldpass, newpass)) 196 oldpass, newpass))
185 return 0; 197 return 0;
186 } 198 }
187 return 1; 199 return 1;
188} 200}
189 201
190/* Change password of safebag: only needs handle shrouded keybags */ 202/* Change password of safebag: only needs handle shrouded keybags */
191 203
192static int newpass_bag(PKCS12_SAFEBAG *bag, char *oldpass, char *newpass) 204static int
205newpass_bag(PKCS12_SAFEBAG *bag, char *oldpass, char *newpass)
193{ 206{
194 PKCS8_PRIV_KEY_INFO *p8; 207 PKCS8_PRIV_KEY_INFO *p8;
195 X509_SIG *p8new; 208 X509_SIG *p8new;
196 int p8_nid, p8_saltlen, p8_iter; 209 int p8_nid, p8_saltlen, p8_iter;
197 210
198 if(M_PKCS12_bag_type(bag) != NID_pkcs8ShroudedKeyBag) return 1; 211 if (M_PKCS12_bag_type(bag) != NID_pkcs8ShroudedKeyBag)
212 return 1;
199 213
200 if (!(p8 = PKCS8_decrypt(bag->value.shkeybag, oldpass, -1))) return 0; 214 if (!(p8 = PKCS8_decrypt(bag->value.shkeybag, oldpass, -1)))
215 return 0;
201 if (!alg_get(bag->value.shkeybag->algor, &p8_nid, &p8_iter, 216 if (!alg_get(bag->value.shkeybag->algor, &p8_nid, &p8_iter,
202 &p8_saltlen)) 217 &p8_saltlen))
203 return 0; 218 return 0;
204 if(!(p8new = PKCS8_encrypt(p8_nid, NULL, newpass, -1, NULL, p8_saltlen, 219 if (!(p8new = PKCS8_encrypt(p8_nid, NULL, newpass, -1, NULL, p8_saltlen,
205 p8_iter, p8))) return 0; 220 p8_iter, p8))) return 0;
206 X509_SIG_free(bag->value.shkeybag); 221 X509_SIG_free(bag->value.shkeybag);
207 bag->value.shkeybag = p8new; 222 bag->value.shkeybag = p8new;
208 return 1; 223 return 1;
209} 224}
210 225
211static int alg_get(X509_ALGOR *alg, int *pnid, int *piter, int *psaltlen) 226static int
227alg_get(X509_ALGOR *alg, int *pnid, int *piter, int *psaltlen)
212{ 228{
213 PBEPARAM *pbe; 229 PBEPARAM *pbe;
214 const unsigned char *p; 230 const unsigned char *p;
215 231
216 p = alg->parameter->value.sequence->data; 232 p = alg->parameter->value.sequence->data;
217 pbe = d2i_PBEPARAM(NULL, &p, alg->parameter->value.sequence->length); 233 pbe = d2i_PBEPARAM(NULL, &p, alg->parameter->value.sequence->length);
218 if (!pbe) 234 if (!pbe)
219 return 0; 235 return 0;
220 *pnid = OBJ_obj2nid(alg->algorithm); 236 *pnid = OBJ_obj2nid(alg->algorithm);
221 *piter = ASN1_INTEGER_get(pbe->iter); 237 *piter = ASN1_INTEGER_get(pbe->iter);
222 *psaltlen = pbe->salt->length; 238 *psaltlen = pbe->salt->length;
223 PBEPARAM_free(pbe); 239 PBEPARAM_free(pbe);
224 return 1; 240 return 1;
225} 241}
diff --git a/src/lib/libcrypto/pkcs12/p12_p8d.c b/src/lib/libcrypto/pkcs12/p12_p8d.c
index f6a333baa5..4aceae6a9f 100644
--- a/src/lib/libcrypto/pkcs12/p12_p8d.c
+++ b/src/lib/libcrypto/pkcs12/p12_p8d.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: p12_p8d.c,v 1.3 2014/06/12 15:49:30 deraadt Exp $ */ 1/* $OpenBSD: p12_p8d.c,v 1.4 2014/07/08 09:24:53 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2001. 3 * project 2001.
4 */ 4 */
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -60,9 +60,9 @@
60#include "cryptlib.h" 60#include "cryptlib.h"
61#include <openssl/pkcs12.h> 61#include <openssl/pkcs12.h>
62 62
63PKCS8_PRIV_KEY_INFO *PKCS8_decrypt(X509_SIG *p8, const char *pass, int passlen) 63PKCS8_PRIV_KEY_INFO *
64PKCS8_decrypt(X509_SIG *p8, const char *pass, int passlen)
64{ 65{
65 return PKCS12_item_decrypt_d2i(p8->algor, ASN1_ITEM_rptr(PKCS8_PRIV_KEY_INFO), pass, 66 return PKCS12_item_decrypt_d2i(p8->algor,
66 passlen, p8->digest, 1); 67 ASN1_ITEM_rptr(PKCS8_PRIV_KEY_INFO), pass, passlen, p8->digest, 1);
67} 68}
68
diff --git a/src/lib/libcrypto/pkcs12/p12_p8e.c b/src/lib/libcrypto/pkcs12/p12_p8e.c
index 3d71a02a1c..1ee6a32f6a 100644
--- a/src/lib/libcrypto/pkcs12/p12_p8e.c
+++ b/src/lib/libcrypto/pkcs12/p12_p8e.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: p12_p8e.c,v 1.3 2014/06/12 15:49:30 deraadt Exp $ */ 1/* $OpenBSD: p12_p8e.c,v 1.4 2014/07/08 09:24:53 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2001. 3 * project 2001.
4 */ 4 */
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -60,10 +60,10 @@
60#include "cryptlib.h" 60#include "cryptlib.h"
61#include <openssl/pkcs12.h> 61#include <openssl/pkcs12.h>
62 62
63X509_SIG *PKCS8_encrypt(int pbe_nid, const EVP_CIPHER *cipher, 63X509_SIG *
64 const char *pass, int passlen, 64PKCS8_encrypt(int pbe_nid, const EVP_CIPHER *cipher, const char *pass,
65 unsigned char *salt, int saltlen, int iter, 65 int passlen, unsigned char *salt, int saltlen, int iter,
66 PKCS8_PRIV_KEY_INFO *p8inf) 66 PKCS8_PRIV_KEY_INFO *p8inf)
67{ 67{
68 X509_SIG *p8 = NULL; 68 X509_SIG *p8 = NULL;
69 X509_ALGOR *pbe; 69 X509_ALGOR *pbe;
@@ -73,25 +73,27 @@ X509_SIG *PKCS8_encrypt(int pbe_nid, const EVP_CIPHER *cipher,
73 goto err; 73 goto err;
74 } 74 }
75 75
76 if(pbe_nid == -1) pbe = PKCS5_pbe2_set(cipher, iter, salt, saltlen); 76 if (pbe_nid == -1)
77 else pbe = PKCS5_pbe_set(pbe_nid, iter, salt, saltlen); 77 pbe = PKCS5_pbe2_set(cipher, iter, salt, saltlen);
78 if(!pbe) { 78 else
79 pbe = PKCS5_pbe_set(pbe_nid, iter, salt, saltlen);
80 if (!pbe) {
79 PKCS12err(PKCS12_F_PKCS8_ENCRYPT, ERR_R_ASN1_LIB); 81 PKCS12err(PKCS12_F_PKCS8_ENCRYPT, ERR_R_ASN1_LIB);
80 goto err; 82 goto err;
81 } 83 }
82 X509_ALGOR_free(p8->algor); 84 X509_ALGOR_free(p8->algor);
83 p8->algor = pbe; 85 p8->algor = pbe;
84 M_ASN1_OCTET_STRING_free(p8->digest); 86 M_ASN1_OCTET_STRING_free(p8->digest);
85 p8->digest = PKCS12_item_i2d_encrypt(pbe, ASN1_ITEM_rptr(PKCS8_PRIV_KEY_INFO), 87 p8->digest = PKCS12_item_i2d_encrypt(pbe,
86 pass, passlen, p8inf, 1); 88 ASN1_ITEM_rptr(PKCS8_PRIV_KEY_INFO), pass, passlen, p8inf, 1);
87 if(!p8->digest) { 89 if (!p8->digest) {
88 PKCS12err(PKCS12_F_PKCS8_ENCRYPT, PKCS12_R_ENCRYPT_ERROR); 90 PKCS12err(PKCS12_F_PKCS8_ENCRYPT, PKCS12_R_ENCRYPT_ERROR);
89 goto err; 91 goto err;
90 } 92 }
91 93
92 return p8; 94 return p8;
93 95
94 err: 96err:
95 X509_SIG_free(p8); 97 X509_SIG_free(p8);
96 return NULL; 98 return NULL;
97} 99}
diff --git a/src/lib/libcrypto/pkcs12/p12_utl.c b/src/lib/libcrypto/pkcs12/p12_utl.c
index 372b94e412..618e6c699f 100644
--- a/src/lib/libcrypto/pkcs12/p12_utl.c
+++ b/src/lib/libcrypto/pkcs12/p12_utl.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: p12_utl.c,v 1.9 2014/06/12 15:49:30 deraadt Exp $ */ 1/* $OpenBSD: p12_utl.c,v 1.10 2014/07/08 09:24:53 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999. 3 * project 1999.
4 */ 4 */
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -62,81 +62,106 @@
62 62
63/* Cheap and nasty Unicode stuff */ 63/* Cheap and nasty Unicode stuff */
64 64
65unsigned char *OPENSSL_asc2uni(const char *asc, int asclen, unsigned char **uni, int *unilen) 65unsigned char *
66OPENSSL_asc2uni(const char *asc, int asclen, unsigned char **uni, int *unilen)
66{ 67{
67 int ulen, i; 68 int ulen, i;
68 unsigned char *unitmp; 69 unsigned char *unitmp;
69 if (asclen == -1) asclen = strlen(asc); 70
70 ulen = asclen*2 + 2; 71 if (asclen == -1)
71 if (!(unitmp = malloc(ulen))) return NULL; 72 asclen = strlen(asc);
72 for (i = 0; i < ulen - 2; i+=2) { 73 ulen = asclen * 2 + 2;
74 if (!(unitmp = malloc(ulen)))
75 return NULL;
76 for (i = 0; i < ulen - 2; i += 2) {
73 unitmp[i] = 0; 77 unitmp[i] = 0;
74 unitmp[i + 1] = asc[i>>1]; 78 unitmp[i + 1] = asc[i >> 1];
75 } 79 }
76 /* Make result double null terminated */ 80 /* Make result double null terminated */
77 unitmp[ulen - 2] = 0; 81 unitmp[ulen - 2] = 0;
78 unitmp[ulen - 1] = 0; 82 unitmp[ulen - 1] = 0;
79 if (unilen) *unilen = ulen; 83 if (unilen)
80 if (uni) *uni = unitmp; 84 *unilen = ulen;
85 if (uni)
86 *uni = unitmp;
81 return unitmp; 87 return unitmp;
82} 88}
83 89
84char *OPENSSL_uni2asc(unsigned char *uni, int unilen) 90char *
91OPENSSL_uni2asc(unsigned char *uni, int unilen)
85{ 92{
86 int asclen, i; 93 int asclen, i;
87 char *asctmp; 94 char *asctmp;
95
88 asclen = unilen / 2; 96 asclen = unilen / 2;
89 /* If no terminating zero allow for one */ 97 /* If no terminating zero allow for one */
90 if (!unilen || uni[unilen - 1]) asclen++; 98 if (!unilen || uni[unilen - 1])
99 asclen++;
91 uni++; 100 uni++;
92 if (!(asctmp = malloc(asclen))) return NULL; 101 if (!(asctmp = malloc(asclen)))
93 for (i = 0; i < unilen; i+=2) asctmp[i>>1] = uni[i]; 102 return NULL;
103 for (i = 0; i < unilen; i += 2)
104 asctmp[i >> 1] = uni[i];
94 asctmp[asclen - 1] = 0; 105 asctmp[asclen - 1] = 0;
95 return asctmp; 106 return asctmp;
96} 107}
97 108
98int i2d_PKCS12_bio(BIO *bp, PKCS12 *p12) 109int
110i2d_PKCS12_bio(BIO *bp, PKCS12 *p12)
99{ 111{
100 return ASN1_item_i2d_bio(ASN1_ITEM_rptr(PKCS12), bp, p12); 112 return ASN1_item_i2d_bio(ASN1_ITEM_rptr(PKCS12), bp, p12);
101} 113}
102 114
103int i2d_PKCS12_fp(FILE *fp, PKCS12 *p12) 115int
116i2d_PKCS12_fp(FILE *fp, PKCS12 *p12)
104{ 117{
105 return ASN1_item_i2d_fp(ASN1_ITEM_rptr(PKCS12), fp, p12); 118 return ASN1_item_i2d_fp(ASN1_ITEM_rptr(PKCS12), fp, p12);
106} 119}
107 120
108PKCS12 *d2i_PKCS12_bio(BIO *bp, PKCS12 **p12) 121PKCS12 *
122d2i_PKCS12_bio(BIO *bp, PKCS12 **p12)
109{ 123{
110 return ASN1_item_d2i_bio(ASN1_ITEM_rptr(PKCS12), bp, p12); 124 return ASN1_item_d2i_bio(ASN1_ITEM_rptr(PKCS12), bp, p12);
111} 125}
112PKCS12 *d2i_PKCS12_fp(FILE *fp, PKCS12 **p12) 126
127PKCS12 *
128d2i_PKCS12_fp(FILE *fp, PKCS12 **p12)
113{ 129{
114 return ASN1_item_d2i_fp(ASN1_ITEM_rptr(PKCS12), fp, p12); 130 return ASN1_item_d2i_fp(ASN1_ITEM_rptr(PKCS12), fp, p12);
115} 131}
116 132
117PKCS12_SAFEBAG *PKCS12_x5092certbag(X509 *x509) 133PKCS12_SAFEBAG *
134PKCS12_x5092certbag(X509 *x509)
118{ 135{
119 return PKCS12_item_pack_safebag(x509, ASN1_ITEM_rptr(X509), 136 return PKCS12_item_pack_safebag(x509, ASN1_ITEM_rptr(X509),
120 NID_x509Certificate, NID_certBag); 137 NID_x509Certificate, NID_certBag);
121} 138}
122 139
123PKCS12_SAFEBAG *PKCS12_x509crl2certbag(X509_CRL *crl) 140PKCS12_SAFEBAG *
141PKCS12_x509crl2certbag(X509_CRL *crl)
124{ 142{
125 return PKCS12_item_pack_safebag(crl, ASN1_ITEM_rptr(X509_CRL), 143 return PKCS12_item_pack_safebag(crl, ASN1_ITEM_rptr(X509_CRL),
126 NID_x509Crl, NID_crlBag); 144 NID_x509Crl, NID_crlBag);
127} 145}
128 146
129X509 *PKCS12_certbag2x509(PKCS12_SAFEBAG *bag) 147X509 *
148PKCS12_certbag2x509(PKCS12_SAFEBAG *bag)
130{ 149{
131 if(M_PKCS12_bag_type(bag) != NID_certBag) return NULL; 150 if (M_PKCS12_bag_type(bag) != NID_certBag)
132 if(M_PKCS12_cert_bag_type(bag) != NID_x509Certificate) return NULL; 151 return NULL;
133 return ASN1_item_unpack(bag->value.bag->value.octet, ASN1_ITEM_rptr(X509)); 152 if (M_PKCS12_cert_bag_type(bag) != NID_x509Certificate)
153 return NULL;
154 return ASN1_item_unpack(bag->value.bag->value.octet,
155 ASN1_ITEM_rptr(X509));
134} 156}
135 157
136X509_CRL *PKCS12_certbag2x509crl(PKCS12_SAFEBAG *bag) 158X509_CRL *
159PKCS12_certbag2x509crl(PKCS12_SAFEBAG *bag)
137{ 160{
138 if(M_PKCS12_bag_type(bag) != NID_crlBag) return NULL; 161 if (M_PKCS12_bag_type(bag) != NID_crlBag)
139 if(M_PKCS12_cert_bag_type(bag) != NID_x509Crl) return NULL; 162 return NULL;
163 if (M_PKCS12_cert_bag_type(bag) != NID_x509Crl)
164 return NULL;
140 return ASN1_item_unpack(bag->value.bag->value.octet, 165 return ASN1_item_unpack(bag->value.bag->value.octet,
141 ASN1_ITEM_rptr(X509_CRL)); 166 ASN1_ITEM_rptr(X509_CRL));
142} 167}
diff --git a/src/lib/libcrypto/pkcs12/pk12err.c b/src/lib/libcrypto/pkcs12/pk12err.c
index 5f54a7d062..12f418eb23 100644
--- a/src/lib/libcrypto/pkcs12/pk12err.c
+++ b/src/lib/libcrypto/pkcs12/pk12err.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: pk12err.c,v 1.8 2014/06/12 15:49:30 deraadt Exp $ */ 1/* $OpenBSD: pk12err.c,v 1.9 2014/07/08 09:24:53 jsing Exp $ */
2/* ==================================================================== 2/* ====================================================================
3 * Copyright (c) 1999-2006 The OpenSSL Project. All rights reserved. 3 * Copyright (c) 1999-2006 The OpenSSL Project. All rights reserved.
4 * 4 *
@@ -7,7 +7,7 @@
7 * are met: 7 * are met:
8 * 8 *
9 * 1. Redistributions of source code must retain the above copyright 9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer. 10 * notice, this list of conditions and the following disclaimer.
11 * 11 *
12 * 2. Redistributions in binary form must reproduce the above copyright 12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in 13 * notice, this list of conditions and the following disclaimer in
@@ -68,77 +68,74 @@
68#define ERR_FUNC(func) ERR_PACK(ERR_LIB_PKCS12,func,0) 68#define ERR_FUNC(func) ERR_PACK(ERR_LIB_PKCS12,func,0)
69#define ERR_REASON(reason) ERR_PACK(ERR_LIB_PKCS12,0,reason) 69#define ERR_REASON(reason) ERR_PACK(ERR_LIB_PKCS12,0,reason)
70 70
71static ERR_STRING_DATA PKCS12_str_functs[]= 71static ERR_STRING_DATA PKCS12_str_functs[]= {
72 { 72 {ERR_FUNC(PKCS12_F_PARSE_BAG), "PARSE_BAG"},
73{ERR_FUNC(PKCS12_F_PARSE_BAG), "PARSE_BAG"}, 73 {ERR_FUNC(PKCS12_F_PARSE_BAGS), "PARSE_BAGS"},
74{ERR_FUNC(PKCS12_F_PARSE_BAGS), "PARSE_BAGS"}, 74 {ERR_FUNC(PKCS12_F_PKCS12_ADD_FRIENDLYNAME), "PKCS12_ADD_FRIENDLYNAME"},
75{ERR_FUNC(PKCS12_F_PKCS12_ADD_FRIENDLYNAME), "PKCS12_ADD_FRIENDLYNAME"}, 75 {ERR_FUNC(PKCS12_F_PKCS12_ADD_FRIENDLYNAME_ASC), "PKCS12_add_friendlyname_asc"},
76{ERR_FUNC(PKCS12_F_PKCS12_ADD_FRIENDLYNAME_ASC), "PKCS12_add_friendlyname_asc"}, 76 {ERR_FUNC(PKCS12_F_PKCS12_ADD_FRIENDLYNAME_UNI), "PKCS12_add_friendlyname_uni"},
77{ERR_FUNC(PKCS12_F_PKCS12_ADD_FRIENDLYNAME_UNI), "PKCS12_add_friendlyname_uni"}, 77 {ERR_FUNC(PKCS12_F_PKCS12_ADD_LOCALKEYID), "PKCS12_add_localkeyid"},
78{ERR_FUNC(PKCS12_F_PKCS12_ADD_LOCALKEYID), "PKCS12_add_localkeyid"}, 78 {ERR_FUNC(PKCS12_F_PKCS12_CREATE), "PKCS12_create"},
79{ERR_FUNC(PKCS12_F_PKCS12_CREATE), "PKCS12_create"}, 79 {ERR_FUNC(PKCS12_F_PKCS12_GEN_MAC), "PKCS12_gen_mac"},
80{ERR_FUNC(PKCS12_F_PKCS12_GEN_MAC), "PKCS12_gen_mac"}, 80 {ERR_FUNC(PKCS12_F_PKCS12_INIT), "PKCS12_init"},
81{ERR_FUNC(PKCS12_F_PKCS12_INIT), "PKCS12_init"}, 81 {ERR_FUNC(PKCS12_F_PKCS12_ITEM_DECRYPT_D2I), "PKCS12_item_decrypt_d2i"},
82{ERR_FUNC(PKCS12_F_PKCS12_ITEM_DECRYPT_D2I), "PKCS12_item_decrypt_d2i"}, 82 {ERR_FUNC(PKCS12_F_PKCS12_ITEM_I2D_ENCRYPT), "PKCS12_item_i2d_encrypt"},
83{ERR_FUNC(PKCS12_F_PKCS12_ITEM_I2D_ENCRYPT), "PKCS12_item_i2d_encrypt"}, 83 {ERR_FUNC(PKCS12_F_PKCS12_ITEM_PACK_SAFEBAG), "PKCS12_item_pack_safebag"},
84{ERR_FUNC(PKCS12_F_PKCS12_ITEM_PACK_SAFEBAG), "PKCS12_item_pack_safebag"}, 84 {ERR_FUNC(PKCS12_F_PKCS12_KEY_GEN_ASC), "PKCS12_key_gen_asc"},
85{ERR_FUNC(PKCS12_F_PKCS12_KEY_GEN_ASC), "PKCS12_key_gen_asc"}, 85 {ERR_FUNC(PKCS12_F_PKCS12_KEY_GEN_UNI), "PKCS12_key_gen_uni"},
86{ERR_FUNC(PKCS12_F_PKCS12_KEY_GEN_UNI), "PKCS12_key_gen_uni"}, 86 {ERR_FUNC(PKCS12_F_PKCS12_MAKE_KEYBAG), "PKCS12_MAKE_KEYBAG"},
87{ERR_FUNC(PKCS12_F_PKCS12_MAKE_KEYBAG), "PKCS12_MAKE_KEYBAG"}, 87 {ERR_FUNC(PKCS12_F_PKCS12_MAKE_SHKEYBAG), "PKCS12_MAKE_SHKEYBAG"},
88{ERR_FUNC(PKCS12_F_PKCS12_MAKE_SHKEYBAG), "PKCS12_MAKE_SHKEYBAG"}, 88 {ERR_FUNC(PKCS12_F_PKCS12_NEWPASS), "PKCS12_newpass"},
89{ERR_FUNC(PKCS12_F_PKCS12_NEWPASS), "PKCS12_newpass"}, 89 {ERR_FUNC(PKCS12_F_PKCS12_PACK_P7DATA), "PKCS12_pack_p7data"},
90{ERR_FUNC(PKCS12_F_PKCS12_PACK_P7DATA), "PKCS12_pack_p7data"}, 90 {ERR_FUNC(PKCS12_F_PKCS12_PACK_P7ENCDATA), "PKCS12_pack_p7encdata"},
91{ERR_FUNC(PKCS12_F_PKCS12_PACK_P7ENCDATA), "PKCS12_pack_p7encdata"}, 91 {ERR_FUNC(PKCS12_F_PKCS12_PARSE), "PKCS12_parse"},
92{ERR_FUNC(PKCS12_F_PKCS12_PARSE), "PKCS12_parse"}, 92 {ERR_FUNC(PKCS12_F_PKCS12_PBE_CRYPT), "PKCS12_pbe_crypt"},
93{ERR_FUNC(PKCS12_F_PKCS12_PBE_CRYPT), "PKCS12_pbe_crypt"}, 93 {ERR_FUNC(PKCS12_F_PKCS12_PBE_KEYIVGEN), "PKCS12_PBE_keyivgen"},
94{ERR_FUNC(PKCS12_F_PKCS12_PBE_KEYIVGEN), "PKCS12_PBE_keyivgen"}, 94 {ERR_FUNC(PKCS12_F_PKCS12_SETUP_MAC), "PKCS12_setup_mac"},
95{ERR_FUNC(PKCS12_F_PKCS12_SETUP_MAC), "PKCS12_setup_mac"}, 95 {ERR_FUNC(PKCS12_F_PKCS12_SET_MAC), "PKCS12_set_mac"},
96{ERR_FUNC(PKCS12_F_PKCS12_SET_MAC), "PKCS12_set_mac"}, 96 {ERR_FUNC(PKCS12_F_PKCS12_UNPACK_AUTHSAFES), "PKCS12_unpack_authsafes"},
97{ERR_FUNC(PKCS12_F_PKCS12_UNPACK_AUTHSAFES), "PKCS12_unpack_authsafes"}, 97 {ERR_FUNC(PKCS12_F_PKCS12_UNPACK_P7DATA), "PKCS12_unpack_p7data"},
98{ERR_FUNC(PKCS12_F_PKCS12_UNPACK_P7DATA), "PKCS12_unpack_p7data"}, 98 {ERR_FUNC(PKCS12_F_PKCS12_VERIFY_MAC), "PKCS12_verify_mac"},
99{ERR_FUNC(PKCS12_F_PKCS12_VERIFY_MAC), "PKCS12_verify_mac"}, 99 {ERR_FUNC(PKCS12_F_PKCS8_ADD_KEYUSAGE), "PKCS8_add_keyusage"},
100{ERR_FUNC(PKCS12_F_PKCS8_ADD_KEYUSAGE), "PKCS8_add_keyusage"}, 100 {ERR_FUNC(PKCS12_F_PKCS8_ENCRYPT), "PKCS8_encrypt"},
101{ERR_FUNC(PKCS12_F_PKCS8_ENCRYPT), "PKCS8_encrypt"}, 101 {0, NULL}
102{0,NULL} 102};
103 };
104 103
105static ERR_STRING_DATA PKCS12_str_reasons[]= 104static ERR_STRING_DATA PKCS12_str_reasons[]= {
106 { 105 {ERR_REASON(PKCS12_R_CANT_PACK_STRUCTURE), "cant pack structure"},
107{ERR_REASON(PKCS12_R_CANT_PACK_STRUCTURE),"cant pack structure"}, 106 {ERR_REASON(PKCS12_R_CONTENT_TYPE_NOT_DATA), "content type not data"},
108{ERR_REASON(PKCS12_R_CONTENT_TYPE_NOT_DATA),"content type not data"}, 107 {ERR_REASON(PKCS12_R_DECODE_ERROR) , "decode error"},
109{ERR_REASON(PKCS12_R_DECODE_ERROR) ,"decode error"}, 108 {ERR_REASON(PKCS12_R_ENCODE_ERROR) , "encode error"},
110{ERR_REASON(PKCS12_R_ENCODE_ERROR) ,"encode error"}, 109 {ERR_REASON(PKCS12_R_ENCRYPT_ERROR) , "encrypt error"},
111{ERR_REASON(PKCS12_R_ENCRYPT_ERROR) ,"encrypt error"}, 110 {ERR_REASON(PKCS12_R_ERROR_SETTING_ENCRYPTED_DATA_TYPE), "error setting encrypted data type"},
112{ERR_REASON(PKCS12_R_ERROR_SETTING_ENCRYPTED_DATA_TYPE),"error setting encrypted data type"}, 111 {ERR_REASON(PKCS12_R_INVALID_NULL_ARGUMENT), "invalid null argument"},
113{ERR_REASON(PKCS12_R_INVALID_NULL_ARGUMENT),"invalid null argument"}, 112 {ERR_REASON(PKCS12_R_INVALID_NULL_PKCS12_POINTER), "invalid null pkcs12 pointer"},
114{ERR_REASON(PKCS12_R_INVALID_NULL_PKCS12_POINTER),"invalid null pkcs12 pointer"}, 113 {ERR_REASON(PKCS12_R_IV_GEN_ERROR) , "iv gen error"},
115{ERR_REASON(PKCS12_R_IV_GEN_ERROR) ,"iv gen error"}, 114 {ERR_REASON(PKCS12_R_KEY_GEN_ERROR) , "key gen error"},
116{ERR_REASON(PKCS12_R_KEY_GEN_ERROR) ,"key gen error"}, 115 {ERR_REASON(PKCS12_R_MAC_ABSENT) , "mac absent"},
117{ERR_REASON(PKCS12_R_MAC_ABSENT) ,"mac absent"}, 116 {ERR_REASON(PKCS12_R_MAC_GENERATION_ERROR), "mac generation error"},
118{ERR_REASON(PKCS12_R_MAC_GENERATION_ERROR),"mac generation error"}, 117 {ERR_REASON(PKCS12_R_MAC_SETUP_ERROR) , "mac setup error"},
119{ERR_REASON(PKCS12_R_MAC_SETUP_ERROR) ,"mac setup error"}, 118 {ERR_REASON(PKCS12_R_MAC_STRING_SET_ERROR), "mac string set error"},
120{ERR_REASON(PKCS12_R_MAC_STRING_SET_ERROR),"mac string set error"}, 119 {ERR_REASON(PKCS12_R_MAC_VERIFY_ERROR) , "mac verify error"},
121{ERR_REASON(PKCS12_R_MAC_VERIFY_ERROR) ,"mac verify error"}, 120 {ERR_REASON(PKCS12_R_MAC_VERIFY_FAILURE) , "mac verify failure"},
122{ERR_REASON(PKCS12_R_MAC_VERIFY_FAILURE) ,"mac verify failure"}, 121 {ERR_REASON(PKCS12_R_PARSE_ERROR) , "parse error"},
123{ERR_REASON(PKCS12_R_PARSE_ERROR) ,"parse error"}, 122 {ERR_REASON(PKCS12_R_PKCS12_ALGOR_CIPHERINIT_ERROR), "pkcs12 algor cipherinit error"},
124{ERR_REASON(PKCS12_R_PKCS12_ALGOR_CIPHERINIT_ERROR),"pkcs12 algor cipherinit error"}, 123 {ERR_REASON(PKCS12_R_PKCS12_CIPHERFINAL_ERROR), "pkcs12 cipherfinal error"},
125{ERR_REASON(PKCS12_R_PKCS12_CIPHERFINAL_ERROR),"pkcs12 cipherfinal error"}, 124 {ERR_REASON(PKCS12_R_PKCS12_PBE_CRYPT_ERROR), "pkcs12 pbe crypt error"},
126{ERR_REASON(PKCS12_R_PKCS12_PBE_CRYPT_ERROR),"pkcs12 pbe crypt error"}, 125 {ERR_REASON(PKCS12_R_UNKNOWN_DIGEST_ALGORITHM), "unknown digest algorithm"},
127{ERR_REASON(PKCS12_R_UNKNOWN_DIGEST_ALGORITHM),"unknown digest algorithm"}, 126 {ERR_REASON(PKCS12_R_UNSUPPORTED_PKCS12_MODE), "unsupported pkcs12 mode"},
128{ERR_REASON(PKCS12_R_UNSUPPORTED_PKCS12_MODE),"unsupported pkcs12 mode"}, 127 {0, NULL}
129{0,NULL} 128};
130 };
131 129
132#endif 130#endif
133 131
134void ERR_load_PKCS12_strings(void) 132void
135 { 133ERR_load_PKCS12_strings(void)
134{
136#ifndef OPENSSL_NO_ERR 135#ifndef OPENSSL_NO_ERR
137 136 if (ERR_func_error_string(PKCS12_str_functs[0].error) == NULL) {
138 if (ERR_func_error_string(PKCS12_str_functs[0].error) == NULL) 137 ERR_load_strings(0, PKCS12_str_functs);
139 { 138 ERR_load_strings(0, PKCS12_str_reasons);
140 ERR_load_strings(0,PKCS12_str_functs);
141 ERR_load_strings(0,PKCS12_str_reasons);
142 }
143#endif
144 } 139 }
140#endif
141}
diff --git a/src/lib/libcrypto/pkcs12/pkcs12.h b/src/lib/libcrypto/pkcs12/pkcs12.h
index 5e61e4086c..ead29fd717 100644
--- a/src/lib/libcrypto/pkcs12/pkcs12.h
+++ b/src/lib/libcrypto/pkcs12/pkcs12.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: pkcs12.h,v 1.12 2014/06/12 15:49:30 deraadt Exp $ */ 1/* $OpenBSD: pkcs12.h,v 1.13 2014/07/08 09:27:21 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999. 3 * project 1999.
4 */ 4 */
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -97,27 +97,27 @@ extern "C" {
97#define KEY_SIG 0x80 97#define KEY_SIG 0x80
98 98
99typedef struct { 99typedef struct {
100X509_SIG *dinfo; 100 X509_SIG *dinfo;
101ASN1_OCTET_STRING *salt; 101 ASN1_OCTET_STRING *salt;
102ASN1_INTEGER *iter; /* defaults to 1 */ 102 ASN1_INTEGER *iter; /* defaults to 1 */
103} PKCS12_MAC_DATA; 103} PKCS12_MAC_DATA;
104 104
105typedef struct { 105typedef struct {
106ASN1_INTEGER *version; 106 ASN1_INTEGER *version;
107PKCS12_MAC_DATA *mac; 107 PKCS12_MAC_DATA *mac;
108PKCS7 *authsafes; 108 PKCS7 *authsafes;
109} PKCS12; 109} PKCS12;
110 110
111typedef struct { 111typedef struct {
112ASN1_OBJECT *type; 112 ASN1_OBJECT *type;
113union { 113 union {
114 struct pkcs12_bag_st *bag; /* secret, crl and certbag */ 114 struct pkcs12_bag_st *bag; /* secret, crl and certbag */
115 struct pkcs8_priv_key_info_st *keybag; /* keybag */ 115 struct pkcs8_priv_key_info_st *keybag; /* keybag */
116 X509_SIG *shkeybag; /* shrouded key bag */ 116 X509_SIG *shkeybag; /* shrouded key bag */
117 STACK_OF(PKCS12_SAFEBAG) *safes; 117 STACK_OF(PKCS12_SAFEBAG) *safes;
118 ASN1_TYPE *other; 118 ASN1_TYPE *other;
119}value; 119 } value;
120STACK_OF(X509_ATTRIBUTE) *attrib; 120 STACK_OF(X509_ATTRIBUTE) *attrib;
121} PKCS12_SAFEBAG; 121} PKCS12_SAFEBAG;
122 122
123DECLARE_STACK_OF(PKCS12_SAFEBAG) 123DECLARE_STACK_OF(PKCS12_SAFEBAG)
@@ -125,14 +125,14 @@ DECLARE_ASN1_SET_OF(PKCS12_SAFEBAG)
125DECLARE_PKCS12_STACK_OF(PKCS12_SAFEBAG) 125DECLARE_PKCS12_STACK_OF(PKCS12_SAFEBAG)
126 126
127typedef struct pkcs12_bag_st { 127typedef struct pkcs12_bag_st {
128ASN1_OBJECT *type; 128 ASN1_OBJECT *type;
129union { 129 union {
130 ASN1_OCTET_STRING *x509cert; 130 ASN1_OCTET_STRING *x509cert;
131 ASN1_OCTET_STRING *x509crl; 131 ASN1_OCTET_STRING *x509crl;
132 ASN1_OCTET_STRING *octet; 132 ASN1_OCTET_STRING *octet;
133 ASN1_IA5STRING *sdsicert; 133 ASN1_IA5STRING *sdsicert;
134 ASN1_TYPE *other; /* Secret or other bag */ 134 ASN1_TYPE *other; /* Secret or other bag */
135}value; 135 } value;
136} PKCS12_BAGS; 136} PKCS12_BAGS;
137 137
138#define PKCS12_ERROR 0 138#define PKCS12_ERROR 0
@@ -144,7 +144,7 @@ union {
144#define M_PKCS12_x509crl2certbag PKCS12_x509crl2certbag 144#define M_PKCS12_x509crl2certbag PKCS12_x509crl2certbag
145 145
146#define M_PKCS12_certbag2x509 PKCS12_certbag2x509 146#define M_PKCS12_certbag2x509 PKCS12_certbag2x509
147#define M_PKCS12_certbag2x509crl PKCS12_certbag2x509crl 147#define M_PKCS12_certbag2x509crl PKCS12_certbag2x509crl
148 148
149#define M_PKCS12_unpack_p7data PKCS12_unpack_p7data 149#define M_PKCS12_unpack_p7data PKCS12_unpack_p7data
150#define M_PKCS12_pack_authsafes PKCS12_pack_authsafes 150#define M_PKCS12_pack_authsafes PKCS12_pack_authsafes
@@ -172,65 +172,66 @@ PKCS12_SAFEBAG *PKCS12_x509crl2certbag(X509_CRL *crl);
172X509 *PKCS12_certbag2x509(PKCS12_SAFEBAG *bag); 172X509 *PKCS12_certbag2x509(PKCS12_SAFEBAG *bag);
173X509_CRL *PKCS12_certbag2x509crl(PKCS12_SAFEBAG *bag); 173X509_CRL *PKCS12_certbag2x509crl(PKCS12_SAFEBAG *bag);
174 174
175PKCS12_SAFEBAG *PKCS12_item_pack_safebag(void *obj, const ASN1_ITEM *it, int nid1, 175PKCS12_SAFEBAG *PKCS12_item_pack_safebag(void *obj, const ASN1_ITEM *it,
176 int nid2); 176 int nid1, int nid2);
177PKCS12_SAFEBAG *PKCS12_MAKE_KEYBAG(PKCS8_PRIV_KEY_INFO *p8); 177PKCS12_SAFEBAG *PKCS12_MAKE_KEYBAG(PKCS8_PRIV_KEY_INFO *p8);
178PKCS8_PRIV_KEY_INFO *PKCS8_decrypt(X509_SIG *p8, const char *pass, int passlen); 178PKCS8_PRIV_KEY_INFO *PKCS8_decrypt(X509_SIG *p8, const char *pass, int passlen);
179PKCS8_PRIV_KEY_INFO *PKCS12_decrypt_skey(PKCS12_SAFEBAG *bag, const char *pass, 179PKCS8_PRIV_KEY_INFO *PKCS12_decrypt_skey(PKCS12_SAFEBAG *bag, const char *pass,
180 int passlen); 180 int passlen);
181X509_SIG *PKCS8_encrypt(int pbe_nid, const EVP_CIPHER *cipher, 181X509_SIG *PKCS8_encrypt(int pbe_nid, const EVP_CIPHER *cipher,
182 const char *pass, int passlen, 182 const char *pass, int passlen, unsigned char *salt, int saltlen, int iter,
183 unsigned char *salt, int saltlen, int iter, 183 PKCS8_PRIV_KEY_INFO *p8);
184 PKCS8_PRIV_KEY_INFO *p8);
185PKCS12_SAFEBAG *PKCS12_MAKE_SHKEYBAG(int pbe_nid, const char *pass, 184PKCS12_SAFEBAG *PKCS12_MAKE_SHKEYBAG(int pbe_nid, const char *pass,
186 int passlen, unsigned char *salt, 185 int passlen, unsigned char *salt, int saltlen, int iter,
187 int saltlen, int iter, 186 PKCS8_PRIV_KEY_INFO *p8);
188 PKCS8_PRIV_KEY_INFO *p8);
189PKCS7 *PKCS12_pack_p7data(STACK_OF(PKCS12_SAFEBAG) *sk); 187PKCS7 *PKCS12_pack_p7data(STACK_OF(PKCS12_SAFEBAG) *sk);
190STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7data(PKCS7 *p7); 188STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7data(PKCS7 *p7);
191PKCS7 *PKCS12_pack_p7encdata(int pbe_nid, const char *pass, int passlen, 189PKCS7 *PKCS12_pack_p7encdata(int pbe_nid, const char *pass, int passlen,
192 unsigned char *salt, int saltlen, int iter, 190 unsigned char *salt, int saltlen, int iter, STACK_OF(PKCS12_SAFEBAG) *bags);
193 STACK_OF(PKCS12_SAFEBAG) *bags); 191STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7encdata(PKCS7 *p7, const char *pass,
194STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7encdata(PKCS7 *p7, const char *pass, int passlen); 192 int passlen);
195 193
196int PKCS12_pack_authsafes(PKCS12 *p12, STACK_OF(PKCS7) *safes); 194int PKCS12_pack_authsafes(PKCS12 *p12, STACK_OF(PKCS7) *safes);
197STACK_OF(PKCS7) *PKCS12_unpack_authsafes(PKCS12 *p12); 195STACK_OF(PKCS7) *PKCS12_unpack_authsafes(PKCS12 *p12);
198 196
199int PKCS12_add_localkeyid(PKCS12_SAFEBAG *bag, unsigned char *name, int namelen); 197int PKCS12_add_localkeyid(PKCS12_SAFEBAG *bag, unsigned char *name,
198 int namelen);
200int PKCS12_add_friendlyname_asc(PKCS12_SAFEBAG *bag, const char *name, 199int PKCS12_add_friendlyname_asc(PKCS12_SAFEBAG *bag, const char *name,
201 int namelen); 200 int namelen);
202int PKCS12_add_CSPName_asc(PKCS12_SAFEBAG *bag, const char *name, 201int PKCS12_add_CSPName_asc(PKCS12_SAFEBAG *bag, const char *name,
203 int namelen); 202 int namelen);
204int PKCS12_add_friendlyname_uni(PKCS12_SAFEBAG *bag, const unsigned char *name, 203int PKCS12_add_friendlyname_uni(PKCS12_SAFEBAG *bag, const unsigned char *name,
205 int namelen); 204 int namelen);
206int PKCS8_add_keyusage(PKCS8_PRIV_KEY_INFO *p8, int usage); 205int PKCS8_add_keyusage(PKCS8_PRIV_KEY_INFO *p8, int usage);
207ASN1_TYPE *PKCS12_get_attr_gen(STACK_OF(X509_ATTRIBUTE) *attrs, int attr_nid); 206ASN1_TYPE *PKCS12_get_attr_gen(STACK_OF(X509_ATTRIBUTE) *attrs, int attr_nid);
208char *PKCS12_get_friendlyname(PKCS12_SAFEBAG *bag); 207char *PKCS12_get_friendlyname(PKCS12_SAFEBAG *bag);
209unsigned char *PKCS12_pbe_crypt(X509_ALGOR *algor, const char *pass, 208unsigned char *PKCS12_pbe_crypt(X509_ALGOR *algor, const char *pass,
210 int passlen, unsigned char *in, int inlen, 209 int passlen, unsigned char *in, int inlen, unsigned char **data,
211 unsigned char **data, int *datalen, int en_de); 210 int *datalen, int en_de);
212void * PKCS12_item_decrypt_d2i(X509_ALGOR *algor, const ASN1_ITEM *it, 211void * PKCS12_item_decrypt_d2i(X509_ALGOR *algor, const ASN1_ITEM *it,
213 const char *pass, int passlen, ASN1_OCTET_STRING *oct, int zbuf); 212 const char *pass, int passlen, ASN1_OCTET_STRING *oct, int zbuf);
214ASN1_OCTET_STRING *PKCS12_item_i2d_encrypt(X509_ALGOR *algor, const ASN1_ITEM *it, 213ASN1_OCTET_STRING *PKCS12_item_i2d_encrypt(X509_ALGOR *algor,
215 const char *pass, int passlen, 214 const ASN1_ITEM *it, const char *pass, int passlen, void *obj, int zbuf);
216 void *obj, int zbuf);
217PKCS12 *PKCS12_init(int mode); 215PKCS12 *PKCS12_init(int mode);
218int PKCS12_key_gen_asc(const char *pass, int passlen, unsigned char *salt, 216int PKCS12_key_gen_asc(const char *pass, int passlen, unsigned char *salt,
219 int saltlen, int id, int iter, int n, 217 int saltlen, int id, int iter, int n, unsigned char *out,
220 unsigned char *out, const EVP_MD *md_type); 218 const EVP_MD *md_type);
221int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt, int saltlen, int id, int iter, int n, unsigned char *out, const EVP_MD *md_type); 219int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt,
220 int saltlen, int id, int iter, int n, unsigned char *out,
221 const EVP_MD *md_type);
222int PKCS12_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen, 222int PKCS12_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
223 ASN1_TYPE *param, const EVP_CIPHER *cipher, const EVP_MD *md_type, 223 ASN1_TYPE *param, const EVP_CIPHER *cipher, const EVP_MD *md_type,
224 int en_de); 224 int en_de);
225int PKCS12_gen_mac(PKCS12 *p12, const char *pass, int passlen, 225int PKCS12_gen_mac(PKCS12 *p12, const char *pass, int passlen,
226 unsigned char *mac, unsigned int *maclen); 226 unsigned char *mac, unsigned int *maclen);
227int PKCS12_verify_mac(PKCS12 *p12, const char *pass, int passlen); 227int PKCS12_verify_mac(PKCS12 *p12, const char *pass, int passlen);
228int PKCS12_set_mac(PKCS12 *p12, const char *pass, int passlen, 228int PKCS12_set_mac(PKCS12 *p12, const char *pass, int passlen,
229 unsigned char *salt, int saltlen, int iter, 229 unsigned char *salt, int saltlen, int iter,
230 const EVP_MD *md_type); 230 const EVP_MD *md_type);
231int PKCS12_setup_mac(PKCS12 *p12, int iter, unsigned char *salt, 231int PKCS12_setup_mac(PKCS12 *p12, int iter, unsigned char *salt,
232 int saltlen, const EVP_MD *md_type); 232 int saltlen, const EVP_MD *md_type);
233unsigned char *OPENSSL_asc2uni(const char *asc, int asclen, unsigned char **uni, int *unilen); 233unsigned char *OPENSSL_asc2uni(const char *asc, int asclen,
234 unsigned char **uni, int *unilen);
234char *OPENSSL_uni2asc(unsigned char *uni, int unilen); 235char *OPENSSL_uni2asc(unsigned char *uni, int unilen);
235 236
236DECLARE_ASN1_FUNCTIONS(PKCS12) 237DECLARE_ASN1_FUNCTIONS(PKCS12)
@@ -243,17 +244,16 @@ DECLARE_ASN1_ITEM(PKCS12_AUTHSAFES)
243 244
244void PKCS12_PBE_add(void); 245void PKCS12_PBE_add(void);
245int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert, 246int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert,
246 STACK_OF(X509) **ca); 247 STACK_OF(X509) **ca);
247PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert, 248PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert,
248 STACK_OF(X509) *ca, int nid_key, int nid_cert, int iter, 249 STACK_OF(X509) *ca, int nid_key, int nid_cert, int iter,
249 int mac_iter, int keytype); 250 int mac_iter, int keytype);
250 251
251PKCS12_SAFEBAG *PKCS12_add_cert(STACK_OF(PKCS12_SAFEBAG) **pbags, X509 *cert); 252PKCS12_SAFEBAG *PKCS12_add_cert(STACK_OF(PKCS12_SAFEBAG) **pbags, X509 *cert);
252PKCS12_SAFEBAG *PKCS12_add_key(STACK_OF(PKCS12_SAFEBAG) **pbags, EVP_PKEY *key, 253PKCS12_SAFEBAG *PKCS12_add_key(STACK_OF(PKCS12_SAFEBAG) **pbags, EVP_PKEY *key,
253 int key_usage, int iter, 254 int key_usage, int iter, int key_nid, char *pass);
254 int key_nid, char *pass);
255int PKCS12_add_safe(STACK_OF(PKCS7) **psafes, STACK_OF(PKCS12_SAFEBAG) *bags, 255int PKCS12_add_safe(STACK_OF(PKCS7) **psafes, STACK_OF(PKCS12_SAFEBAG) *bags,
256 int safe_nid, int iter, char *pass); 256 int safe_nid, int iter, char *pass);
257PKCS12 *PKCS12_add_safes(STACK_OF(PKCS7) *safes, int p7_nid); 257PKCS12 *PKCS12_add_safes(STACK_OF(PKCS7) *safes, int p7_nid);
258 258
259int i2d_PKCS12_bio(BIO *bp, PKCS12 *p12); 259int i2d_PKCS12_bio(BIO *bp, PKCS12 *p12);
diff --git a/src/lib/libssl/src/crypto/pkcs12/p12_add.c b/src/lib/libssl/src/crypto/pkcs12/p12_add.c
index 57cca926d8..6aa872631e 100644
--- a/src/lib/libssl/src/crypto/pkcs12/p12_add.c
+++ b/src/lib/libssl/src/crypto/pkcs12/p12_add.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: p12_add.c,v 1.9 2014/06/12 15:49:30 deraadt Exp $ */ 1/* $OpenBSD: p12_add.c,v 1.10 2014/07/08 09:24:53 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999. 3 * project 1999.
4 */ 4 */
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -62,22 +62,26 @@
62 62
63/* Pack an object into an OCTET STRING and turn into a safebag */ 63/* Pack an object into an OCTET STRING and turn into a safebag */
64 64
65PKCS12_SAFEBAG *PKCS12_item_pack_safebag(void *obj, const ASN1_ITEM *it, int nid1, 65PKCS12_SAFEBAG *
66 int nid2) 66PKCS12_item_pack_safebag(void *obj, const ASN1_ITEM *it, int nid1, int nid2)
67{ 67{
68 PKCS12_BAGS *bag; 68 PKCS12_BAGS *bag;
69 PKCS12_SAFEBAG *safebag; 69 PKCS12_SAFEBAG *safebag;
70
70 if (!(bag = PKCS12_BAGS_new())) { 71 if (!(bag = PKCS12_BAGS_new())) {
71 PKCS12err(PKCS12_F_PKCS12_ITEM_PACK_SAFEBAG, ERR_R_MALLOC_FAILURE); 72 PKCS12err(PKCS12_F_PKCS12_ITEM_PACK_SAFEBAG,
73 ERR_R_MALLOC_FAILURE);
72 return NULL; 74 return NULL;
73 } 75 }
74 bag->type = OBJ_nid2obj(nid1); 76 bag->type = OBJ_nid2obj(nid1);
75 if (!ASN1_item_pack(obj, it, &bag->value.octet)) { 77 if (!ASN1_item_pack(obj, it, &bag->value.octet)) {
76 PKCS12err(PKCS12_F_PKCS12_ITEM_PACK_SAFEBAG, ERR_R_MALLOC_FAILURE); 78 PKCS12err(PKCS12_F_PKCS12_ITEM_PACK_SAFEBAG,
79 ERR_R_MALLOC_FAILURE);
77 return NULL; 80 return NULL;
78 } 81 }
79 if (!(safebag = PKCS12_SAFEBAG_new())) { 82 if (!(safebag = PKCS12_SAFEBAG_new())) {
80 PKCS12err(PKCS12_F_PKCS12_ITEM_PACK_SAFEBAG, ERR_R_MALLOC_FAILURE); 83 PKCS12err(PKCS12_F_PKCS12_ITEM_PACK_SAFEBAG,
84 ERR_R_MALLOC_FAILURE);
81 return NULL; 85 return NULL;
82 } 86 }
83 safebag->value.bag = bag; 87 safebag->value.bag = bag;
@@ -87,11 +91,13 @@ PKCS12_SAFEBAG *PKCS12_item_pack_safebag(void *obj, const ASN1_ITEM *it, int nid
87 91
88/* Turn PKCS8 object into a keybag */ 92/* Turn PKCS8 object into a keybag */
89 93
90PKCS12_SAFEBAG *PKCS12_MAKE_KEYBAG(PKCS8_PRIV_KEY_INFO *p8) 94PKCS12_SAFEBAG *
95PKCS12_MAKE_KEYBAG(PKCS8_PRIV_KEY_INFO *p8)
91{ 96{
92 PKCS12_SAFEBAG *bag; 97 PKCS12_SAFEBAG *bag;
98
93 if (!(bag = PKCS12_SAFEBAG_new())) { 99 if (!(bag = PKCS12_SAFEBAG_new())) {
94 PKCS12err(PKCS12_F_PKCS12_MAKE_KEYBAG,ERR_R_MALLOC_FAILURE); 100 PKCS12err(PKCS12_F_PKCS12_MAKE_KEYBAG, ERR_R_MALLOC_FAILURE);
95 return NULL; 101 return NULL;
96 } 102 }
97 bag->type = OBJ_nid2obj(NID_keyBag); 103 bag->type = OBJ_nid2obj(NID_keyBag);
@@ -101,9 +107,9 @@ PKCS12_SAFEBAG *PKCS12_MAKE_KEYBAG(PKCS8_PRIV_KEY_INFO *p8)
101 107
102/* Turn PKCS8 object into a shrouded keybag */ 108/* Turn PKCS8 object into a shrouded keybag */
103 109
104PKCS12_SAFEBAG *PKCS12_MAKE_SHKEYBAG(int pbe_nid, const char *pass, 110PKCS12_SAFEBAG *
105 int passlen, unsigned char *salt, int saltlen, int iter, 111PKCS12_MAKE_SHKEYBAG(int pbe_nid, const char *pass, int passlen,
106 PKCS8_PRIV_KEY_INFO *p8) 112 unsigned char *salt, int saltlen, int iter, PKCS8_PRIV_KEY_INFO *p8)
107{ 113{
108 PKCS12_SAFEBAG *bag; 114 PKCS12_SAFEBAG *bag;
109 const EVP_CIPHER *pbe_ciph; 115 const EVP_CIPHER *pbe_ciph;
@@ -121,9 +127,8 @@ PKCS12_SAFEBAG *PKCS12_MAKE_SHKEYBAG(int pbe_nid, const char *pass,
121 if (pbe_ciph) 127 if (pbe_ciph)
122 pbe_nid = -1; 128 pbe_nid = -1;
123 129
124 if (!(bag->value.shkeybag = 130 if (!(bag->value.shkeybag = PKCS8_encrypt(pbe_nid, pbe_ciph, pass,
125 PKCS8_encrypt(pbe_nid, pbe_ciph, pass, passlen, salt, saltlen, iter, 131 passlen, salt, saltlen, iter, p8))) {
126 p8))) {
127 PKCS12err(PKCS12_F_PKCS12_MAKE_SHKEYBAG, ERR_R_MALLOC_FAILURE); 132 PKCS12err(PKCS12_F_PKCS12_MAKE_SHKEYBAG, ERR_R_MALLOC_FAILURE);
128 return NULL; 133 return NULL;
129 } 134 }
@@ -132,9 +137,11 @@ PKCS12_SAFEBAG *PKCS12_MAKE_SHKEYBAG(int pbe_nid, const char *pass,
132} 137}
133 138
134/* Turn a stack of SAFEBAGS into a PKCS#7 data Contentinfo */ 139/* Turn a stack of SAFEBAGS into a PKCS#7 data Contentinfo */
135PKCS7 *PKCS12_pack_p7data(STACK_OF(PKCS12_SAFEBAG) *sk) 140PKCS7 *
141PKCS12_pack_p7data(STACK_OF(PKCS12_SAFEBAG) *sk)
136{ 142{
137 PKCS7 *p7; 143 PKCS7 *p7;
144
138 if (!(p7 = PKCS7_new())) { 145 if (!(p7 = PKCS7_new())) {
139 PKCS12err(PKCS12_F_PKCS12_PACK_P7DATA, ERR_R_MALLOC_FAILURE); 146 PKCS12err(PKCS12_F_PKCS12_PACK_P7DATA, ERR_R_MALLOC_FAILURE);
140 return NULL; 147 return NULL;
@@ -144,41 +151,44 @@ PKCS7 *PKCS12_pack_p7data(STACK_OF(PKCS12_SAFEBAG) *sk)
144 PKCS12err(PKCS12_F_PKCS12_PACK_P7DATA, ERR_R_MALLOC_FAILURE); 151 PKCS12err(PKCS12_F_PKCS12_PACK_P7DATA, ERR_R_MALLOC_FAILURE);
145 return NULL; 152 return NULL;
146 } 153 }
147 154
148 if (!ASN1_item_pack(sk, ASN1_ITEM_rptr(PKCS12_SAFEBAGS), &p7->d.data)) { 155 if (!ASN1_item_pack(sk, ASN1_ITEM_rptr(PKCS12_SAFEBAGS), &p7->d.data)) {
149 PKCS12err(PKCS12_F_PKCS12_PACK_P7DATA, PKCS12_R_CANT_PACK_STRUCTURE); 156 PKCS12err(PKCS12_F_PKCS12_PACK_P7DATA,
157 PKCS12_R_CANT_PACK_STRUCTURE);
150 return NULL; 158 return NULL;
151 } 159 }
152 return p7; 160 return p7;
153} 161}
154 162
155/* Unpack SAFEBAGS from PKCS#7 data ContentInfo */ 163/* Unpack SAFEBAGS from PKCS#7 data ContentInfo */
156STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7data(PKCS7 *p7) 164STACK_OF(PKCS12_SAFEBAG) *
165PKCS12_unpack_p7data(PKCS7 *p7)
157{ 166{
158 if(!PKCS7_type_is_data(p7)) 167 if (!PKCS7_type_is_data(p7)) {
159 { 168 PKCS12err(PKCS12_F_PKCS12_UNPACK_P7DATA,
160 PKCS12err(PKCS12_F_PKCS12_UNPACK_P7DATA,PKCS12_R_CONTENT_TYPE_NOT_DATA); 169 PKCS12_R_CONTENT_TYPE_NOT_DATA);
161 return NULL; 170 return NULL;
162 } 171 }
163 return ASN1_item_unpack(p7->d.data, ASN1_ITEM_rptr(PKCS12_SAFEBAGS)); 172 return ASN1_item_unpack(p7->d.data, ASN1_ITEM_rptr(PKCS12_SAFEBAGS));
164} 173}
165 174
166/* Turn a stack of SAFEBAGS into a PKCS#7 encrypted data ContentInfo */ 175/* Turn a stack of SAFEBAGS into a PKCS#7 encrypted data ContentInfo */
167 176
168PKCS7 *PKCS12_pack_p7encdata(int pbe_nid, const char *pass, int passlen, 177PKCS7 *
169 unsigned char *salt, int saltlen, int iter, 178PKCS12_pack_p7encdata(int pbe_nid, const char *pass, int passlen,
170 STACK_OF(PKCS12_SAFEBAG) *bags) 179 unsigned char *salt, int saltlen, int iter, STACK_OF(PKCS12_SAFEBAG) *bags)
171{ 180{
172 PKCS7 *p7; 181 PKCS7 *p7;
173 X509_ALGOR *pbe; 182 X509_ALGOR *pbe;
174 const EVP_CIPHER *pbe_ciph; 183 const EVP_CIPHER *pbe_ciph;
184
175 if (!(p7 = PKCS7_new())) { 185 if (!(p7 = PKCS7_new())) {
176 PKCS12err(PKCS12_F_PKCS12_PACK_P7ENCDATA, ERR_R_MALLOC_FAILURE); 186 PKCS12err(PKCS12_F_PKCS12_PACK_P7ENCDATA, ERR_R_MALLOC_FAILURE);
177 return NULL; 187 return NULL;
178 } 188 }
179 if(!PKCS7_set_type(p7, NID_pkcs7_encrypted)) { 189 if (!PKCS7_set_type(p7, NID_pkcs7_encrypted)) {
180 PKCS12err(PKCS12_F_PKCS12_PACK_P7ENCDATA, 190 PKCS12err(PKCS12_F_PKCS12_PACK_P7ENCDATA,
181 PKCS12_R_ERROR_SETTING_ENCRYPTED_DATA_TYPE); 191 PKCS12_R_ERROR_SETTING_ENCRYPTED_DATA_TYPE);
182 return NULL; 192 return NULL;
183 } 193 }
184 194
@@ -196,45 +206,49 @@ PKCS7 *PKCS12_pack_p7encdata(int pbe_nid, const char *pass, int passlen,
196 X509_ALGOR_free(p7->d.encrypted->enc_data->algorithm); 206 X509_ALGOR_free(p7->d.encrypted->enc_data->algorithm);
197 p7->d.encrypted->enc_data->algorithm = pbe; 207 p7->d.encrypted->enc_data->algorithm = pbe;
198 M_ASN1_OCTET_STRING_free(p7->d.encrypted->enc_data->enc_data); 208 M_ASN1_OCTET_STRING_free(p7->d.encrypted->enc_data->enc_data);
199 if (!(p7->d.encrypted->enc_data->enc_data = 209 if (!(p7->d.encrypted->enc_data->enc_data = PKCS12_item_i2d_encrypt(
200 PKCS12_item_i2d_encrypt(pbe, ASN1_ITEM_rptr(PKCS12_SAFEBAGS), pass, passlen, 210 pbe, ASN1_ITEM_rptr(PKCS12_SAFEBAGS), pass, passlen, bags, 1))) {
201 bags, 1))) { 211 PKCS12err(PKCS12_F_PKCS12_PACK_P7ENCDATA,
202 PKCS12err(PKCS12_F_PKCS12_PACK_P7ENCDATA, PKCS12_R_ENCRYPT_ERROR); 212 PKCS12_R_ENCRYPT_ERROR);
203 return NULL; 213 return NULL;
204 } 214 }
205 215
206 return p7; 216 return p7;
207} 217}
208 218
209STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7encdata(PKCS7 *p7, const char *pass, int passlen) 219STACK_OF(PKCS12_SAFEBAG) *
220PKCS12_unpack_p7encdata(PKCS7 *p7, const char *pass, int passlen)
210{ 221{
211 if(!PKCS7_type_is_encrypted(p7)) return NULL; 222 if (!PKCS7_type_is_encrypted(p7))
223 return NULL;
212 return PKCS12_item_decrypt_d2i(p7->d.encrypted->enc_data->algorithm, 224 return PKCS12_item_decrypt_d2i(p7->d.encrypted->enc_data->algorithm,
213 ASN1_ITEM_rptr(PKCS12_SAFEBAGS), 225 ASN1_ITEM_rptr(PKCS12_SAFEBAGS), pass, passlen,
214 pass, passlen, 226 p7->d.encrypted->enc_data->enc_data, 1);
215 p7->d.encrypted->enc_data->enc_data, 1);
216} 227}
217 228
218PKCS8_PRIV_KEY_INFO *PKCS12_decrypt_skey(PKCS12_SAFEBAG *bag, const char *pass, 229PKCS8_PRIV_KEY_INFO *
219 int passlen) 230PKCS12_decrypt_skey(PKCS12_SAFEBAG *bag, const char *pass, int passlen)
220{ 231{
221 return PKCS8_decrypt(bag->value.shkeybag, pass, passlen); 232 return PKCS8_decrypt(bag->value.shkeybag, pass, passlen);
222} 233}
223 234
224int PKCS12_pack_authsafes(PKCS12 *p12, STACK_OF(PKCS7) *safes) 235int
236PKCS12_pack_authsafes(PKCS12 *p12, STACK_OF(PKCS7) *safes)
225{ 237{
226 if(ASN1_item_pack(safes, ASN1_ITEM_rptr(PKCS12_AUTHSAFES), 238 if (ASN1_item_pack(safes, ASN1_ITEM_rptr(PKCS12_AUTHSAFES),
227 &p12->authsafes->d.data)) 239 &p12->authsafes->d.data))
228 return 1; 240 return 1;
229 return 0; 241 return 0;
230} 242}
231 243
232STACK_OF(PKCS7) *PKCS12_unpack_authsafes(PKCS12 *p12) 244STACK_OF(PKCS7) *
245PKCS12_unpack_authsafes(PKCS12 *p12)
233{ 246{
234 if (!PKCS7_type_is_data(p12->authsafes)) 247 if (!PKCS7_type_is_data(p12->authsafes)) {
235 { 248 PKCS12err(PKCS12_F_PKCS12_UNPACK_AUTHSAFES,
236 PKCS12err(PKCS12_F_PKCS12_UNPACK_AUTHSAFES,PKCS12_R_CONTENT_TYPE_NOT_DATA); 249 PKCS12_R_CONTENT_TYPE_NOT_DATA);
237 return NULL; 250 return NULL;
238 } 251 }
239 return ASN1_item_unpack(p12->authsafes->d.data, ASN1_ITEM_rptr(PKCS12_AUTHSAFES)); 252 return ASN1_item_unpack(p12->authsafes->d.data,
253 ASN1_ITEM_rptr(PKCS12_AUTHSAFES));
240} 254}
diff --git a/src/lib/libssl/src/crypto/pkcs12/p12_asn.c b/src/lib/libssl/src/crypto/pkcs12/p12_asn.c
index e3987752b6..b72db76383 100644
--- a/src/lib/libssl/src/crypto/pkcs12/p12_asn.c
+++ b/src/lib/libssl/src/crypto/pkcs12/p12_asn.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: p12_asn.c,v 1.4 2014/06/12 15:49:30 deraadt Exp $ */ 1/* $OpenBSD: p12_asn.c,v 1.5 2014/07/08 09:24:53 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999. 3 * project 1999.
4 */ 4 */
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -79,12 +79,16 @@ ASN1_SEQUENCE(PKCS12_MAC_DATA) = {
79 79
80IMPLEMENT_ASN1_FUNCTIONS(PKCS12_MAC_DATA) 80IMPLEMENT_ASN1_FUNCTIONS(PKCS12_MAC_DATA)
81 81
82ASN1_ADB_TEMPLATE(bag_default) = ASN1_EXP(PKCS12_BAGS, value.other, ASN1_ANY, 0); 82ASN1_ADB_TEMPLATE(bag_default) =
83 ASN1_EXP(PKCS12_BAGS, value.other, ASN1_ANY, 0);
83 84
84ASN1_ADB(PKCS12_BAGS) = { 85ASN1_ADB(PKCS12_BAGS) = {
85 ADB_ENTRY(NID_x509Certificate, ASN1_EXP(PKCS12_BAGS, value.x509cert, ASN1_OCTET_STRING, 0)), 86 ADB_ENTRY(NID_x509Certificate,
86 ADB_ENTRY(NID_x509Crl, ASN1_EXP(PKCS12_BAGS, value.x509crl, ASN1_OCTET_STRING, 0)), 87 ASN1_EXP(PKCS12_BAGS, value.x509cert, ASN1_OCTET_STRING, 0)),
87 ADB_ENTRY(NID_sdsiCertificate, ASN1_EXP(PKCS12_BAGS, value.sdsicert, ASN1_IA5STRING, 0)), 88 ADB_ENTRY(NID_x509Crl,
89 ASN1_EXP(PKCS12_BAGS, value.x509crl, ASN1_OCTET_STRING, 0)),
90 ADB_ENTRY(NID_sdsiCertificate,
91 ASN1_EXP(PKCS12_BAGS, value.sdsicert, ASN1_IA5STRING, 0)),
88} ASN1_ADB_END(PKCS12_BAGS, 0, type, 0, &bag_default_tt, NULL); 92} ASN1_ADB_END(PKCS12_BAGS, 0, type, 0, &bag_default_tt, NULL);
89 93
90ASN1_SEQUENCE(PKCS12_BAGS) = { 94ASN1_SEQUENCE(PKCS12_BAGS) = {
@@ -94,15 +98,22 @@ ASN1_SEQUENCE(PKCS12_BAGS) = {
94 98
95IMPLEMENT_ASN1_FUNCTIONS(PKCS12_BAGS) 99IMPLEMENT_ASN1_FUNCTIONS(PKCS12_BAGS)
96 100
97ASN1_ADB_TEMPLATE(safebag_default) = ASN1_EXP(PKCS12_SAFEBAG, value.other, ASN1_ANY, 0); 101ASN1_ADB_TEMPLATE(safebag_default) =
102 ASN1_EXP(PKCS12_SAFEBAG, value.other, ASN1_ANY, 0);
98 103
99ASN1_ADB(PKCS12_SAFEBAG) = { 104ASN1_ADB(PKCS12_SAFEBAG) = {
100 ADB_ENTRY(NID_keyBag, ASN1_EXP(PKCS12_SAFEBAG, value.keybag, PKCS8_PRIV_KEY_INFO, 0)), 105 ADB_ENTRY(NID_keyBag,
101 ADB_ENTRY(NID_pkcs8ShroudedKeyBag, ASN1_EXP(PKCS12_SAFEBAG, value.shkeybag, X509_SIG, 0)), 106 ASN1_EXP(PKCS12_SAFEBAG, value.keybag, PKCS8_PRIV_KEY_INFO, 0)),
102 ADB_ENTRY(NID_safeContentsBag, ASN1_EXP_SET_OF(PKCS12_SAFEBAG, value.safes, PKCS12_SAFEBAG, 0)), 107 ADB_ENTRY(NID_pkcs8ShroudedKeyBag,
103 ADB_ENTRY(NID_certBag, ASN1_EXP(PKCS12_SAFEBAG, value.bag, PKCS12_BAGS, 0)), 108 ASN1_EXP(PKCS12_SAFEBAG, value.shkeybag, X509_SIG, 0)),
104 ADB_ENTRY(NID_crlBag, ASN1_EXP(PKCS12_SAFEBAG, value.bag, PKCS12_BAGS, 0)), 109 ADB_ENTRY(NID_safeContentsBag,
105 ADB_ENTRY(NID_secretBag, ASN1_EXP(PKCS12_SAFEBAG, value.bag, PKCS12_BAGS, 0)) 110 ASN1_EXP_SET_OF(PKCS12_SAFEBAG, value.safes, PKCS12_SAFEBAG, 0)),
111 ADB_ENTRY(NID_certBag,
112 ASN1_EXP(PKCS12_SAFEBAG, value.bag, PKCS12_BAGS, 0)),
113 ADB_ENTRY(NID_crlBag,
114 ASN1_EXP(PKCS12_SAFEBAG, value.bag, PKCS12_BAGS, 0)),
115 ADB_ENTRY(NID_secretBag,
116 ASN1_EXP(PKCS12_SAFEBAG, value.bag, PKCS12_BAGS, 0))
106} ASN1_ADB_END(PKCS12_SAFEBAG, 0, type, 0, &safebag_default_tt, NULL); 117} ASN1_ADB_END(PKCS12_SAFEBAG, 0, type, 0, &safebag_default_tt, NULL);
107 118
108ASN1_SEQUENCE(PKCS12_SAFEBAG) = { 119ASN1_SEQUENCE(PKCS12_SAFEBAG) = {
@@ -114,12 +125,12 @@ ASN1_SEQUENCE(PKCS12_SAFEBAG) = {
114IMPLEMENT_ASN1_FUNCTIONS(PKCS12_SAFEBAG) 125IMPLEMENT_ASN1_FUNCTIONS(PKCS12_SAFEBAG)
115 126
116/* SEQUENCE OF SafeBag */ 127/* SEQUENCE OF SafeBag */
117ASN1_ITEM_TEMPLATE(PKCS12_SAFEBAGS) = 128ASN1_ITEM_TEMPLATE(PKCS12_SAFEBAGS) =
118 ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, PKCS12_SAFEBAGS, PKCS12_SAFEBAG) 129ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, PKCS12_SAFEBAGS, PKCS12_SAFEBAG)
119ASN1_ITEM_TEMPLATE_END(PKCS12_SAFEBAGS) 130ASN1_ITEM_TEMPLATE_END(PKCS12_SAFEBAGS)
120 131
121/* Authsafes: SEQUENCE OF PKCS7 */ 132/* Authsafes: SEQUENCE OF PKCS7 */
122ASN1_ITEM_TEMPLATE(PKCS12_AUTHSAFES) = 133ASN1_ITEM_TEMPLATE(PKCS12_AUTHSAFES) =
123 ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, PKCS12_AUTHSAFES, PKCS7) 134ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, PKCS12_AUTHSAFES, PKCS7)
124ASN1_ITEM_TEMPLATE_END(PKCS12_AUTHSAFES) 135ASN1_ITEM_TEMPLATE_END(PKCS12_AUTHSAFES)
125 136
diff --git a/src/lib/libssl/src/crypto/pkcs12/p12_attr.c b/src/lib/libssl/src/crypto/pkcs12/p12_attr.c
index 67ffb392ab..05e9b11fd1 100644
--- a/src/lib/libssl/src/crypto/pkcs12/p12_attr.c
+++ b/src/lib/libssl/src/crypto/pkcs12/p12_attr.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: p12_attr.c,v 1.8 2014/06/12 15:49:30 deraadt Exp $ */ 1/* $OpenBSD: p12_attr.c,v 1.9 2014/07/08 09:24:53 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999. 3 * project 1999.
4 */ 4 */
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -62,24 +62,26 @@
62 62
63/* Add a local keyid to a safebag */ 63/* Add a local keyid to a safebag */
64 64
65int PKCS12_add_localkeyid(PKCS12_SAFEBAG *bag, unsigned char *name, 65int
66 int namelen) 66PKCS12_add_localkeyid(PKCS12_SAFEBAG *bag, unsigned char *name, int namelen)
67{ 67{
68 if (X509at_add1_attr_by_NID(&bag->attrib, NID_localKeyID, 68 if (X509at_add1_attr_by_NID(&bag->attrib, NID_localKeyID,
69 V_ASN1_OCTET_STRING, name, namelen)) 69 V_ASN1_OCTET_STRING, name, namelen))
70 return 1; 70 return 1;
71 else 71 else
72 return 0; 72 return 0;
73} 73}
74 74
75/* Add key usage to PKCS#8 structure */ 75/* Add key usage to PKCS#8 structure */
76 76
77int PKCS8_add_keyusage(PKCS8_PRIV_KEY_INFO *p8, int usage) 77int
78PKCS8_add_keyusage(PKCS8_PRIV_KEY_INFO *p8, int usage)
78{ 79{
79 unsigned char us_val; 80 unsigned char us_val;
81
80 us_val = (unsigned char) usage; 82 us_val = (unsigned char) usage;
81 if (X509at_add1_attr_by_NID(&p8->attributes, NID_key_usage, 83 if (X509at_add1_attr_by_NID(&p8->attributes, NID_key_usage,
82 V_ASN1_BIT_STRING, &us_val, 1)) 84 V_ASN1_BIT_STRING, &us_val, 1))
83 return 1; 85 return 1;
84 else 86 else
85 return 0; 87 return 0;
@@ -87,59 +89,67 @@ int PKCS8_add_keyusage(PKCS8_PRIV_KEY_INFO *p8, int usage)
87 89
88/* Add a friendlyname to a safebag */ 90/* Add a friendlyname to a safebag */
89 91
90int PKCS12_add_friendlyname_asc(PKCS12_SAFEBAG *bag, const char *name, 92int
91 int namelen) 93PKCS12_add_friendlyname_asc(PKCS12_SAFEBAG *bag, const char *name, int namelen)
92{ 94{
93 if (X509at_add1_attr_by_NID(&bag->attrib, NID_friendlyName, 95 if (X509at_add1_attr_by_NID(&bag->attrib, NID_friendlyName,
94 MBSTRING_ASC, (unsigned char *)name, namelen)) 96 MBSTRING_ASC, (unsigned char *)name, namelen))
95 return 1; 97 return 1;
96 else 98 else
97 return 0; 99 return 0;
98} 100}
99 101
100 102
101int PKCS12_add_friendlyname_uni(PKCS12_SAFEBAG *bag, 103int
102 const unsigned char *name, int namelen) 104PKCS12_add_friendlyname_uni(PKCS12_SAFEBAG *bag, const unsigned char *name,
105 int namelen)
103{ 106{
104 if (X509at_add1_attr_by_NID(&bag->attrib, NID_friendlyName, 107 if (X509at_add1_attr_by_NID(&bag->attrib, NID_friendlyName,
105 MBSTRING_BMP, name, namelen)) 108 MBSTRING_BMP, name, namelen))
106 return 1; 109 return 1;
107 else 110 else
108 return 0; 111 return 0;
109} 112}
110 113
111int PKCS12_add_CSPName_asc(PKCS12_SAFEBAG *bag, const char *name, 114int
112 int namelen) 115PKCS12_add_CSPName_asc(PKCS12_SAFEBAG *bag, const char *name, int namelen)
113{ 116{
114 if (X509at_add1_attr_by_NID(&bag->attrib, NID_ms_csp_name, 117 if (X509at_add1_attr_by_NID(&bag->attrib, NID_ms_csp_name,
115 MBSTRING_ASC, (unsigned char *)name, namelen)) 118 MBSTRING_ASC, (unsigned char *)name, namelen))
116 return 1; 119 return 1;
117 else 120 else
118 return 0; 121 return 0;
119} 122}
120 123
121ASN1_TYPE *PKCS12_get_attr_gen(STACK_OF(X509_ATTRIBUTE) *attrs, int attr_nid) 124ASN1_TYPE *
125PKCS12_get_attr_gen(STACK_OF(X509_ATTRIBUTE) *attrs, int attr_nid)
122{ 126{
123 X509_ATTRIBUTE *attrib; 127 X509_ATTRIBUTE *attrib;
124 int i; 128 int i;
125 if (!attrs) return NULL; 129
130 if (!attrs)
131 return NULL;
126 for (i = 0; i < sk_X509_ATTRIBUTE_num (attrs); i++) { 132 for (i = 0; i < sk_X509_ATTRIBUTE_num (attrs); i++) {
127 attrib = sk_X509_ATTRIBUTE_value (attrs, i); 133 attrib = sk_X509_ATTRIBUTE_value (attrs, i);
128 if (OBJ_obj2nid (attrib->object) == attr_nid) { 134 if (OBJ_obj2nid (attrib->object) == attr_nid) {
129 if (sk_ASN1_TYPE_num (attrib->value.set)) 135 if (sk_ASN1_TYPE_num (attrib->value.set))
130 return sk_ASN1_TYPE_value(attrib->value.set, 0); 136 return sk_ASN1_TYPE_value(attrib->value.set, 0);
131 else return NULL; 137 else
138 return NULL;
132 } 139 }
133 } 140 }
134 return NULL; 141 return NULL;
135} 142}
136 143
137char *PKCS12_get_friendlyname(PKCS12_SAFEBAG *bag) 144char *
145PKCS12_get_friendlyname(PKCS12_SAFEBAG *bag)
138{ 146{
139 ASN1_TYPE *atype; 147 ASN1_TYPE *atype;
140 if (!(atype = PKCS12_get_attr(bag, NID_friendlyName))) return NULL; 148
141 if (atype->type != V_ASN1_BMPSTRING) return NULL; 149 if (!(atype = PKCS12_get_attr(bag, NID_friendlyName)))
150 return NULL;
151 if (atype->type != V_ASN1_BMPSTRING)
152 return NULL;
142 return OPENSSL_uni2asc(atype->value.bmpstring->data, 153 return OPENSSL_uni2asc(atype->value.bmpstring->data,
143 atype->value.bmpstring->length); 154 atype->value.bmpstring->length);
144} 155}
145
diff --git a/src/lib/libssl/src/crypto/pkcs12/p12_crpt.c b/src/lib/libssl/src/crypto/pkcs12/p12_crpt.c
index c0b41f9252..1709b30d5e 100644
--- a/src/lib/libssl/src/crypto/pkcs12/p12_crpt.c
+++ b/src/lib/libssl/src/crypto/pkcs12/p12_crpt.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: p12_crpt.c,v 1.9 2014/06/12 15:49:30 deraadt Exp $ */ 1/* $OpenBSD: p12_crpt.c,v 1.10 2014/07/08 09:24:53 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999. 3 * project 1999.
4 */ 4 */
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -62,12 +62,14 @@
62 62
63/* PKCS#12 PBE algorithms now in static table */ 63/* PKCS#12 PBE algorithms now in static table */
64 64
65void PKCS12_PBE_add(void) 65void
66PKCS12_PBE_add(void)
66{ 67{
67} 68}
68 69
69int PKCS12_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen, 70int
70 ASN1_TYPE *param, const EVP_CIPHER *cipher, const EVP_MD *md, int en_de) 71PKCS12_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
72 ASN1_TYPE *param, const EVP_CIPHER *cipher, const EVP_MD *md, int en_de)
71{ 73{
72 PBEPARAM *pbe; 74 PBEPARAM *pbe;
73 int saltlen, iter, ret; 75 int saltlen, iter, ret;
@@ -78,29 +80,31 @@ int PKCS12_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
78 /* Extract useful info from parameter */ 80 /* Extract useful info from parameter */
79 if (param == NULL || param->type != V_ASN1_SEQUENCE || 81 if (param == NULL || param->type != V_ASN1_SEQUENCE ||
80 param->value.sequence == NULL) { 82 param->value.sequence == NULL) {
81 PKCS12err(PKCS12_F_PKCS12_PBE_KEYIVGEN,PKCS12_R_DECODE_ERROR); 83 PKCS12err(PKCS12_F_PKCS12_PBE_KEYIVGEN, PKCS12_R_DECODE_ERROR);
82 return 0; 84 return 0;
83 } 85 }
84 86
85 pbuf = param->value.sequence->data; 87 pbuf = param->value.sequence->data;
86 if (!(pbe = d2i_PBEPARAM(NULL, &pbuf, param->value.sequence->length))) { 88 if (!(pbe = d2i_PBEPARAM(NULL, &pbuf, param->value.sequence->length))) {
87 PKCS12err(PKCS12_F_PKCS12_PBE_KEYIVGEN,PKCS12_R_DECODE_ERROR); 89 PKCS12err(PKCS12_F_PKCS12_PBE_KEYIVGEN, PKCS12_R_DECODE_ERROR);
88 return 0; 90 return 0;
89 } 91 }
90 92
91 if (!pbe->iter) iter = 1; 93 if (!pbe->iter)
92 else iter = ASN1_INTEGER_get (pbe->iter); 94 iter = 1;
95 else
96 iter = ASN1_INTEGER_get (pbe->iter);
93 salt = pbe->salt->data; 97 salt = pbe->salt->data;
94 saltlen = pbe->salt->length; 98 saltlen = pbe->salt->length;
95 if (!PKCS12_key_gen (pass, passlen, salt, saltlen, PKCS12_KEY_ID, 99 if (!PKCS12_key_gen (pass, passlen, salt, saltlen, PKCS12_KEY_ID,
96 iter, EVP_CIPHER_key_length(cipher), key, md)) { 100 iter, EVP_CIPHER_key_length(cipher), key, md)) {
97 PKCS12err(PKCS12_F_PKCS12_PBE_KEYIVGEN,PKCS12_R_KEY_GEN_ERROR); 101 PKCS12err(PKCS12_F_PKCS12_PBE_KEYIVGEN, PKCS12_R_KEY_GEN_ERROR);
98 PBEPARAM_free(pbe); 102 PBEPARAM_free(pbe);
99 return 0; 103 return 0;
100 } 104 }
101 if (!PKCS12_key_gen (pass, passlen, salt, saltlen, PKCS12_IV_ID, 105 if (!PKCS12_key_gen (pass, passlen, salt, saltlen, PKCS12_IV_ID,
102 iter, EVP_CIPHER_iv_length(cipher), iv, md)) { 106 iter, EVP_CIPHER_iv_length(cipher), iv, md)) {
103 PKCS12err(PKCS12_F_PKCS12_PBE_KEYIVGEN,PKCS12_R_IV_GEN_ERROR); 107 PKCS12err(PKCS12_F_PKCS12_PBE_KEYIVGEN, PKCS12_R_IV_GEN_ERROR);
104 PBEPARAM_free(pbe); 108 PBEPARAM_free(pbe);
105 return 0; 109 return 0;
106 } 110 }
diff --git a/src/lib/libssl/src/crypto/pkcs12/p12_crt.c b/src/lib/libssl/src/crypto/pkcs12/p12_crt.c
index a5dffcebd7..538637e78a 100644
--- a/src/lib/libssl/src/crypto/pkcs12/p12_crt.c
+++ b/src/lib/libssl/src/crypto/pkcs12/p12_crt.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: p12_crt.c,v 1.13 2014/06/12 15:49:30 deraadt Exp $ */ 1/* $OpenBSD: p12_crt.c,v 1.14 2014/07/08 09:24:53 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project. 3 * project.
4 */ 4 */
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -61,12 +61,15 @@
61#include <openssl/pkcs12.h> 61#include <openssl/pkcs12.h>
62 62
63 63
64static int pkcs12_add_bag(STACK_OF(PKCS12_SAFEBAG) **pbags, PKCS12_SAFEBAG *bag); 64static int pkcs12_add_bag(STACK_OF(PKCS12_SAFEBAG) **pbags,
65 PKCS12_SAFEBAG *bag);
65 66
66static int copy_bag_attr(PKCS12_SAFEBAG *bag, EVP_PKEY *pkey, int nid) 67static int
67 { 68copy_bag_attr(PKCS12_SAFEBAG *bag, EVP_PKEY *pkey, int nid)
69{
68 int idx; 70 int idx;
69 X509_ATTRIBUTE *attr; 71 X509_ATTRIBUTE *attr;
72
70 idx = EVP_PKEY_get_attr_by_NID(pkey, nid, -1); 73 idx = EVP_PKEY_get_attr_by_NID(pkey, nid, -1);
71 if (idx < 0) 74 if (idx < 0)
72 return 1; 75 return 1;
@@ -74,11 +77,12 @@ static int copy_bag_attr(PKCS12_SAFEBAG *bag, EVP_PKEY *pkey, int nid)
74 if (!X509at_add1_attr(&bag->attrib, attr)) 77 if (!X509at_add1_attr(&bag->attrib, attr))
75 return 0; 78 return 0;
76 return 1; 79 return 1;
77 } 80}
78 81
79PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert, 82PKCS12 *
80 STACK_OF(X509) *ca, int nid_key, int nid_cert, int iter, int mac_iter, 83PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert,
81 int keytype) 84 STACK_OF(X509) *ca, int nid_key, int nid_cert, int iter, int mac_iter,
85 int keytype)
82{ 86{
83 PKCS12 *p12 = NULL; 87 PKCS12 *p12 = NULL;
84 STACK_OF(PKCS7) *safes = NULL; 88 STACK_OF(PKCS7) *safes = NULL;
@@ -89,10 +93,9 @@ PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert,
89 unsigned int keyidlen = 0; 93 unsigned int keyidlen = 0;
90 94
91 /* Set defaults */ 95 /* Set defaults */
92 if (!nid_cert) 96 if (!nid_cert) {
93 {
94 nid_cert = NID_pbe_WithSHA1And40BitRC2_CBC; 97 nid_cert = NID_pbe_WithSHA1And40BitRC2_CBC;
95 } 98 }
96 if (!nid_key) 99 if (!nid_key)
97 nid_key = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; 100 nid_key = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
98 if (!iter) 101 if (!iter)
@@ -100,43 +103,39 @@ PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert,
100 if (!mac_iter) 103 if (!mac_iter)
101 mac_iter = 1; 104 mac_iter = 1;
102 105
103 if(!pkey && !cert && !ca) 106 if (!pkey && !cert && !ca) {
104 { 107 PKCS12err(PKCS12_F_PKCS12_CREATE,
105 PKCS12err(PKCS12_F_PKCS12_CREATE,PKCS12_R_INVALID_NULL_ARGUMENT); 108 PKCS12_R_INVALID_NULL_ARGUMENT);
106 return NULL; 109 return NULL;
107 } 110 }
108 111
109 if (pkey && cert) 112 if (pkey && cert) {
110 { 113 if (!X509_check_private_key(cert, pkey))
111 if(!X509_check_private_key(cert, pkey))
112 return NULL; 114 return NULL;
113 X509_digest(cert, EVP_sha1(), keyid, &keyidlen); 115 X509_digest(cert, EVP_sha1(), keyid, &keyidlen);
114 } 116 }
115 117
116 if (cert) 118 if (cert) {
117 {
118 bag = PKCS12_add_cert(&bags, cert); 119 bag = PKCS12_add_cert(&bags, cert);
119 if(name && !PKCS12_add_friendlyname(bag, name, -1)) 120 if (name && !PKCS12_add_friendlyname(bag, name, -1))
120 goto err; 121 goto err;
121 if(keyidlen && !PKCS12_add_localkeyid(bag, keyid, keyidlen)) 122 if (keyidlen && !PKCS12_add_localkeyid(bag, keyid, keyidlen))
122 goto err; 123 goto err;
123 } 124 }
124 125
125 /* Add all other certificates */ 126 /* Add all other certificates */
126 for(i = 0; i < sk_X509_num(ca); i++) 127 for (i = 0; i < sk_X509_num(ca); i++) {
127 {
128 if (!PKCS12_add_cert(&bags, sk_X509_value(ca, i))) 128 if (!PKCS12_add_cert(&bags, sk_X509_value(ca, i)))
129 goto err; 129 goto err;
130 } 130 }
131 131
132 if (bags && !PKCS12_add_safe(&safes, bags, nid_cert, iter, pass)) 132 if (bags && !PKCS12_add_safe(&safes, bags, nid_cert, iter, pass))
133 goto err; 133 goto err;
134 134
135 sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free); 135 sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
136 bags = NULL; 136 bags = NULL;
137 137
138 if (pkey) 138 if (pkey) {
139 {
140 bag = PKCS12_add_key(&bags, pkey, keytype, iter, nid_key, pass); 139 bag = PKCS12_add_key(&bags, pkey, keytype, iter, nid_key, pass);
141 140
142 if (!bag) 141 if (!bag)
@@ -147,14 +146,14 @@ PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert,
147 if (!copy_bag_attr(bag, pkey, NID_LocalKeySet)) 146 if (!copy_bag_attr(bag, pkey, NID_LocalKeySet))
148 goto err; 147 goto err;
149 148
150 if(name && !PKCS12_add_friendlyname(bag, name, -1)) 149 if (name && !PKCS12_add_friendlyname(bag, name, -1))
151 goto err; 150 goto err;
152 if(keyidlen && !PKCS12_add_localkeyid(bag, keyid, keyidlen)) 151 if (keyidlen && !PKCS12_add_localkeyid(bag, keyid, keyidlen))
153 goto err; 152 goto err;
154 } 153 }
155 154
156 if (bags && !PKCS12_add_safe(&safes, bags, -1, 0, NULL)) 155 if (bags && !PKCS12_add_safe(&safes, bags, -1, 0, NULL))
157 goto err; 156 goto err;
158 157
159 sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free); 158 sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
160 bags = NULL; 159 bags = NULL;
@@ -169,13 +168,12 @@ PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert,
169 safes = NULL; 168 safes = NULL;
170 169
171 if ((mac_iter != -1) && 170 if ((mac_iter != -1) &&
172 !PKCS12_set_mac(p12, pass, -1, NULL, 0, mac_iter, NULL)) 171 !PKCS12_set_mac(p12, pass, -1, NULL, 0, mac_iter, NULL))
173 goto err; 172 goto err;
174 173
175 return p12; 174 return p12;
176 175
177 err: 176err:
178
179 if (p12) 177 if (p12)
180 PKCS12_free(p12); 178 PKCS12_free(p12);
181 if (safes) 179 if (safes)
@@ -183,11 +181,11 @@ PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert,
183 if (bags) 181 if (bags)
184 sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free); 182 sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
185 return NULL; 183 return NULL;
186
187} 184}
188 185
189PKCS12_SAFEBAG *PKCS12_add_cert(STACK_OF(PKCS12_SAFEBAG) **pbags, X509 *cert) 186PKCS12_SAFEBAG *
190 { 187PKCS12_add_cert(STACK_OF(PKCS12_SAFEBAG) **pbags, X509 *cert)
188{
191 PKCS12_SAFEBAG *bag = NULL; 189 PKCS12_SAFEBAG *bag = NULL;
192 char *name; 190 char *name;
193 int namelen = -1; 191 int namelen = -1;
@@ -195,21 +193,19 @@ PKCS12_SAFEBAG *PKCS12_add_cert(STACK_OF(PKCS12_SAFEBAG) **pbags, X509 *cert)
195 int keyidlen = -1; 193 int keyidlen = -1;
196 194
197 /* Add user certificate */ 195 /* Add user certificate */
198 if(!(bag = PKCS12_x5092certbag(cert))) 196 if (!(bag = PKCS12_x5092certbag(cert)))
199 goto err; 197 goto err;
200 198
201 /* Use friendlyName and localKeyID in certificate. 199 /* Use friendlyName and localKeyID in certificate.
202 * (if present) 200 * (if present)
203 */ 201 */
204
205 name = (char *)X509_alias_get0(cert, &namelen); 202 name = (char *)X509_alias_get0(cert, &namelen);
206 203 if (name && !PKCS12_add_friendlyname(bag, name, namelen))
207 if(name && !PKCS12_add_friendlyname(bag, name, namelen))
208 goto err; 204 goto err;
209 205
210 keyid = X509_keyid_get0(cert, &keyidlen); 206 keyid = X509_keyid_get0(cert, &keyidlen);
211 207
212 if(keyid && !PKCS12_add_localkeyid(bag, keyid, keyidlen)) 208 if (keyid && !PKCS12_add_localkeyid(bag, keyid, keyidlen))
213 goto err; 209 goto err;
214 210
215 if (!pkcs12_add_bag(pbags, bag)) 211 if (!pkcs12_add_bag(pbags, bag))
@@ -217,37 +213,33 @@ PKCS12_SAFEBAG *PKCS12_add_cert(STACK_OF(PKCS12_SAFEBAG) **pbags, X509 *cert)
217 213
218 return bag; 214 return bag;
219 215
220 err: 216err:
221
222 if (bag) 217 if (bag)
223 PKCS12_SAFEBAG_free(bag); 218 PKCS12_SAFEBAG_free(bag);
224 219
225 return NULL; 220 return NULL;
221}
226 222
227 } 223PKCS12_SAFEBAG *
228 224PKCS12_add_key(STACK_OF(PKCS12_SAFEBAG) **pbags, EVP_PKEY *key, int key_usage,
229PKCS12_SAFEBAG *PKCS12_add_key(STACK_OF(PKCS12_SAFEBAG) **pbags, EVP_PKEY *key, 225 int iter, int nid_key, char *pass)
230 int key_usage, int iter, 226{
231 int nid_key, char *pass)
232 {
233
234 PKCS12_SAFEBAG *bag = NULL; 227 PKCS12_SAFEBAG *bag = NULL;
235 PKCS8_PRIV_KEY_INFO *p8 = NULL; 228 PKCS8_PRIV_KEY_INFO *p8 = NULL;
236 229
237 /* Make a PKCS#8 structure */ 230 /* Make a PKCS#8 structure */
238 if(!(p8 = EVP_PKEY2PKCS8(key))) 231 if (!(p8 = EVP_PKEY2PKCS8(key)))
239 goto err; 232 goto err;
240 if(key_usage && !PKCS8_add_keyusage(p8, key_usage)) 233 if (key_usage && !PKCS8_add_keyusage(p8, key_usage))
241 goto err; 234 goto err;
242 if (nid_key != -1) 235 if (nid_key != -1) {
243 { 236 bag = PKCS12_MAKE_SHKEYBAG(nid_key, pass, -1, NULL, 0,
244 bag = PKCS12_MAKE_SHKEYBAG(nid_key, pass, -1, NULL, 0, iter, p8); 237 iter, p8);
245 PKCS8_PRIV_KEY_INFO_free(p8); 238 PKCS8_PRIV_KEY_INFO_free(p8);
246 } 239 } else
247 else
248 bag = PKCS12_MAKE_KEYBAG(p8); 240 bag = PKCS12_MAKE_KEYBAG(p8);
249 241
250 if(!bag) 242 if (!bag)
251 goto err; 243 goto err;
252 244
253 if (!pkcs12_add_bag(pbags, bag)) 245 if (!pkcs12_add_bag(pbags, bag))
@@ -255,29 +247,26 @@ PKCS12_SAFEBAG *PKCS12_add_key(STACK_OF(PKCS12_SAFEBAG) **pbags, EVP_PKEY *key,
255 247
256 return bag; 248 return bag;
257 249
258 err: 250err:
259
260 if (bag) 251 if (bag)
261 PKCS12_SAFEBAG_free(bag); 252 PKCS12_SAFEBAG_free(bag);
262 253
263 return NULL; 254 return NULL;
255}
264 256
265 } 257int
266 258PKCS12_add_safe(STACK_OF(PKCS7) **psafes, STACK_OF(PKCS12_SAFEBAG) *bags,
267int PKCS12_add_safe(STACK_OF(PKCS7) **psafes, STACK_OF(PKCS12_SAFEBAG) *bags, 259 int nid_safe, int iter, char *pass)
268 int nid_safe, int iter, char *pass) 260{
269 {
270 PKCS7 *p7 = NULL; 261 PKCS7 *p7 = NULL;
271 int free_safes = 0; 262 int free_safes = 0;
272 263
273 if (!*psafes) 264 if (!*psafes) {
274 {
275 *psafes = sk_PKCS7_new_null(); 265 *psafes = sk_PKCS7_new_null();
276 if (!*psafes) 266 if (!*psafes)
277 return 0; 267 return 0;
278 free_safes = 1; 268 free_safes = 1;
279 } 269 } else
280 else
281 free_safes = 0; 270 free_safes = 0;
282 271
283 if (nid_safe == 0) 272 if (nid_safe == 0)
@@ -287,7 +276,7 @@ int PKCS12_add_safe(STACK_OF(PKCS7) **psafes, STACK_OF(PKCS12_SAFEBAG) *bags,
287 p7 = PKCS12_pack_p7data(bags); 276 p7 = PKCS12_pack_p7data(bags);
288 else 277 else
289 p7 = PKCS12_pack_p7encdata(nid_safe, pass, -1, NULL, 0, 278 p7 = PKCS12_pack_p7encdata(nid_safe, pass, -1, NULL, 0,
290 iter, bags); 279 iter, bags);
291 if (!p7) 280 if (!p7)
292 goto err; 281 goto err;
293 282
@@ -296,53 +285,49 @@ int PKCS12_add_safe(STACK_OF(PKCS7) **psafes, STACK_OF(PKCS12_SAFEBAG) *bags,
296 285
297 return 1; 286 return 1;
298 287
299 err: 288err:
300 if (free_safes) 289 if (free_safes) {
301 {
302 sk_PKCS7_free(*psafes); 290 sk_PKCS7_free(*psafes);
303 *psafes = NULL; 291 *psafes = NULL;
304 } 292 }
305 293
306 if (p7) 294 if (p7)
307 PKCS7_free(p7); 295 PKCS7_free(p7);
308 296
309 return 0; 297 return 0;
298}
310 299
311 } 300static int
312 301pkcs12_add_bag(STACK_OF(PKCS12_SAFEBAG) **pbags, PKCS12_SAFEBAG *bag)
313static int pkcs12_add_bag(STACK_OF(PKCS12_SAFEBAG) **pbags, PKCS12_SAFEBAG *bag) 302{
314 {
315 int free_bags; 303 int free_bags;
304
316 if (!pbags) 305 if (!pbags)
317 return 1; 306 return 1;
318 if (!*pbags) 307 if (!*pbags) {
319 {
320 *pbags = sk_PKCS12_SAFEBAG_new_null(); 308 *pbags = sk_PKCS12_SAFEBAG_new_null();
321 if (!*pbags) 309 if (!*pbags)
322 return 0; 310 return 0;
323 free_bags = 1; 311 free_bags = 1;
324 } 312 } else
325 else
326 free_bags = 0; 313 free_bags = 0;
327 314
328 if (!sk_PKCS12_SAFEBAG_push(*pbags, bag)) 315 if (!sk_PKCS12_SAFEBAG_push(*pbags, bag)) {
329 { 316 if (free_bags) {
330 if (free_bags)
331 {
332 sk_PKCS12_SAFEBAG_free(*pbags); 317 sk_PKCS12_SAFEBAG_free(*pbags);
333 *pbags = NULL; 318 *pbags = NULL;
334 }
335 return 0;
336 } 319 }
320 return 0;
321 }
337 322
338 return 1; 323 return 1;
324}
339 325
340 } 326PKCS12 *
341 327PKCS12_add_safes(STACK_OF(PKCS7) *safes, int nid_p7)
342 328{
343PKCS12 *PKCS12_add_safes(STACK_OF(PKCS7) *safes, int nid_p7)
344 {
345 PKCS12 *p12; 329 PKCS12 *p12;
330
346 if (nid_p7 <= 0) 331 if (nid_p7 <= 0)
347 nid_p7 = NID_pkcs7_data; 332 nid_p7 = NID_pkcs7_data;
348 p12 = PKCS12_init(nid_p7); 333 p12 = PKCS12_init(nid_p7);
@@ -350,12 +335,10 @@ PKCS12 *PKCS12_add_safes(STACK_OF(PKCS7) *safes, int nid_p7)
350 if (!p12) 335 if (!p12)
351 return NULL; 336 return NULL;
352 337
353 if(!PKCS12_pack_authsafes(p12, safes)) 338 if (!PKCS12_pack_authsafes(p12, safes)) {
354 {
355 PKCS12_free(p12); 339 PKCS12_free(p12);
356 return NULL; 340 return NULL;
357 } 341 }
358 342
359 return p12; 343 return p12;
360 344}
361 }
diff --git a/src/lib/libssl/src/crypto/pkcs12/p12_decr.c b/src/lib/libssl/src/crypto/pkcs12/p12_decr.c
index 01fe24835f..577bb06f80 100644
--- a/src/lib/libssl/src/crypto/pkcs12/p12_decr.c
+++ b/src/lib/libssl/src/crypto/pkcs12/p12_decr.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: p12_decr.c,v 1.10 2014/06/12 15:49:30 deraadt Exp $ */ 1/* $OpenBSD: p12_decr.c,v 1.11 2014/07/08 09:24:53 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999. 3 * project 1999.
4 */ 4 */
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -68,9 +68,9 @@
68 * malloc'ed buffer 68 * malloc'ed buffer
69 */ 69 */
70 70
71unsigned char * PKCS12_pbe_crypt(X509_ALGOR *algor, const char *pass, 71unsigned char *
72 int passlen, unsigned char *in, int inlen, unsigned char **data, 72PKCS12_pbe_crypt(X509_ALGOR *algor, const char *pass, int passlen,
73 int *datalen, int en_de) 73 unsigned char *in, int inlen, unsigned char **data, int *datalen, int en_de)
74{ 74{
75 unsigned char *out; 75 unsigned char *out;
76 int outlen, i; 76 int outlen, i;
@@ -78,47 +78,52 @@ unsigned char * PKCS12_pbe_crypt(X509_ALGOR *algor, const char *pass,
78 78
79 EVP_CIPHER_CTX_init(&ctx); 79 EVP_CIPHER_CTX_init(&ctx);
80 /* Decrypt data */ 80 /* Decrypt data */
81 if (!EVP_PBE_CipherInit(algor->algorithm, pass, passlen, 81 if (!EVP_PBE_CipherInit(algor->algorithm, pass, passlen,
82 algor->parameter, &ctx, en_de)) { 82 algor->parameter, &ctx, en_de)) {
83 PKCS12err(PKCS12_F_PKCS12_PBE_CRYPT,PKCS12_R_PKCS12_ALGOR_CIPHERINIT_ERROR); 83 PKCS12err(PKCS12_F_PKCS12_PBE_CRYPT,
84 PKCS12_R_PKCS12_ALGOR_CIPHERINIT_ERROR);
84 return NULL; 85 return NULL;
85 } 86 }
86 87
87 if(!(out = malloc(inlen + EVP_CIPHER_CTX_block_size(&ctx)))) { 88 if (!(out = malloc(inlen + EVP_CIPHER_CTX_block_size(&ctx)))) {
88 PKCS12err(PKCS12_F_PKCS12_PBE_CRYPT,ERR_R_MALLOC_FAILURE); 89 PKCS12err(PKCS12_F_PKCS12_PBE_CRYPT, ERR_R_MALLOC_FAILURE);
89 goto err; 90 goto err;
90 } 91 }
91 92
92 if (!EVP_CipherUpdate(&ctx, out, &i, in, inlen)) 93 if (!EVP_CipherUpdate(&ctx, out, &i, in, inlen)) {
93 {
94 free(out); 94 free(out);
95 out = NULL; 95 out = NULL;
96 PKCS12err(PKCS12_F_PKCS12_PBE_CRYPT,ERR_R_EVP_LIB); 96 PKCS12err(PKCS12_F_PKCS12_PBE_CRYPT, ERR_R_EVP_LIB);
97 goto err; 97 goto err;
98 } 98 }
99 99
100 outlen = i; 100 outlen = i;
101 if(!EVP_CipherFinal_ex(&ctx, out + i, &i)) { 101 if (!EVP_CipherFinal_ex(&ctx, out + i, &i)) {
102 free(out); 102 free(out);
103 out = NULL; 103 out = NULL;
104 PKCS12err(PKCS12_F_PKCS12_PBE_CRYPT,PKCS12_R_PKCS12_CIPHERFINAL_ERROR); 104 PKCS12err(PKCS12_F_PKCS12_PBE_CRYPT,
105 PKCS12_R_PKCS12_CIPHERFINAL_ERROR);
105 goto err; 106 goto err;
106 } 107 }
107 outlen += i; 108 outlen += i;
108 if (datalen) *datalen = outlen; 109 if (datalen)
109 if (data) *data = out; 110 *datalen = outlen;
110 err: 111 if (data)
112 *data = out;
113
114err:
111 EVP_CIPHER_CTX_cleanup(&ctx); 115 EVP_CIPHER_CTX_cleanup(&ctx);
112 return out; 116 return out;
113 117
114} 118}
115 119
116/* Decrypt an OCTET STRING and decode ASN1 structure 120/* Decrypt an OCTET STRING and decode ASN1 structure
117 * if zbuf set zero buffer after use. 121 * if zbuf set zero buffer after use.
118 */ 122 */
119 123
120void * PKCS12_item_decrypt_d2i(X509_ALGOR *algor, const ASN1_ITEM *it, 124void *
121 const char *pass, int passlen, ASN1_OCTET_STRING *oct, int zbuf) 125PKCS12_item_decrypt_d2i(X509_ALGOR *algor, const ASN1_ITEM *it,
126 const char *pass, int passlen, ASN1_OCTET_STRING *oct, int zbuf)
122{ 127{
123 unsigned char *out; 128 unsigned char *out;
124 const unsigned char *p; 129 const unsigned char *p;
@@ -126,8 +131,9 @@ void * PKCS12_item_decrypt_d2i(X509_ALGOR *algor, const ASN1_ITEM *it,
126 int outlen; 131 int outlen;
127 132
128 if (!PKCS12_pbe_crypt(algor, pass, passlen, oct->data, oct->length, 133 if (!PKCS12_pbe_crypt(algor, pass, passlen, oct->data, oct->length,
129 &out, &outlen, 0)) { 134 &out, &outlen, 0)) {
130 PKCS12err(PKCS12_F_PKCS12_ITEM_DECRYPT_D2I,PKCS12_R_PKCS12_PBE_CRYPT_ERROR); 135 PKCS12err(PKCS12_F_PKCS12_ITEM_DECRYPT_D2I,
136 PKCS12_R_PKCS12_PBE_CRYPT_ERROR);
131 return NULL; 137 return NULL;
132 } 138 }
133 p = out; 139 p = out;
@@ -144,39 +150,48 @@ void * PKCS12_item_decrypt_d2i(X509_ALGOR *algor, const ASN1_ITEM *it,
144 } 150 }
145#endif 151#endif
146 ret = ASN1_item_d2i(NULL, &p, outlen, it); 152 ret = ASN1_item_d2i(NULL, &p, outlen, it);
147 if (zbuf) OPENSSL_cleanse(out, outlen); 153 if (zbuf)
148 if(!ret) PKCS12err(PKCS12_F_PKCS12_ITEM_DECRYPT_D2I,PKCS12_R_DECODE_ERROR); 154 OPENSSL_cleanse(out, outlen);
155 if (!ret)
156 PKCS12err(PKCS12_F_PKCS12_ITEM_DECRYPT_D2I,
157 PKCS12_R_DECODE_ERROR);
149 free(out); 158 free(out);
150 return ret; 159 return ret;
151} 160}
152 161
153/* Encode ASN1 structure and encrypt, return OCTET STRING 162/* Encode ASN1 structure and encrypt, return OCTET STRING
154 * if zbuf set zero encoding. 163 * if zbuf set zero encoding.
155 */ 164 */
156 165
157ASN1_OCTET_STRING *PKCS12_item_i2d_encrypt(X509_ALGOR *algor, const ASN1_ITEM *it, 166ASN1_OCTET_STRING *
158 const char *pass, int passlen, 167PKCS12_item_i2d_encrypt(X509_ALGOR *algor, const ASN1_ITEM *it,
159 void *obj, int zbuf) 168 const char *pass, int passlen,
169 void *obj, int zbuf)
160{ 170{
161 ASN1_OCTET_STRING *oct; 171 ASN1_OCTET_STRING *oct;
162 unsigned char *in = NULL; 172 unsigned char *in = NULL;
163 int inlen; 173 int inlen;
174
164 if (!(oct = M_ASN1_OCTET_STRING_new ())) { 175 if (!(oct = M_ASN1_OCTET_STRING_new ())) {
165 PKCS12err(PKCS12_F_PKCS12_ITEM_I2D_ENCRYPT,ERR_R_MALLOC_FAILURE); 176 PKCS12err(PKCS12_F_PKCS12_ITEM_I2D_ENCRYPT,
177 ERR_R_MALLOC_FAILURE);
166 return NULL; 178 return NULL;
167 } 179 }
168 inlen = ASN1_item_i2d(obj, &in, it); 180 inlen = ASN1_item_i2d(obj, &in, it);
169 if (!in) { 181 if (!in) {
170 PKCS12err(PKCS12_F_PKCS12_ITEM_I2D_ENCRYPT,PKCS12_R_ENCODE_ERROR); 182 PKCS12err(PKCS12_F_PKCS12_ITEM_I2D_ENCRYPT,
183 PKCS12_R_ENCODE_ERROR);
171 return NULL; 184 return NULL;
172 } 185 }
173 if (!PKCS12_pbe_crypt(algor, pass, passlen, in, inlen, &oct->data, 186 if (!PKCS12_pbe_crypt(algor, pass, passlen, in, inlen, &oct->data,
174 &oct->length, 1)) { 187 &oct->length, 1)) {
175 PKCS12err(PKCS12_F_PKCS12_ITEM_I2D_ENCRYPT,PKCS12_R_ENCRYPT_ERROR); 188 PKCS12err(PKCS12_F_PKCS12_ITEM_I2D_ENCRYPT,
189 PKCS12_R_ENCRYPT_ERROR);
176 free(in); 190 free(in);
177 return NULL; 191 return NULL;
178 } 192 }
179 if (zbuf) OPENSSL_cleanse(in, inlen); 193 if (zbuf)
194 OPENSSL_cleanse(in, inlen);
180 free(in); 195 free(in);
181 return oct; 196 return oct;
182} 197}
diff --git a/src/lib/libssl/src/crypto/pkcs12/p12_init.c b/src/lib/libssl/src/crypto/pkcs12/p12_init.c
index e9c55ea265..b4da7be77c 100644
--- a/src/lib/libssl/src/crypto/pkcs12/p12_init.c
+++ b/src/lib/libssl/src/crypto/pkcs12/p12_init.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: p12_init.c,v 1.7 2014/06/12 15:49:30 deraadt Exp $ */ 1/* $OpenBSD: p12_init.c,v 1.8 2014/07/08 09:24:53 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999. 3 * project 1999.
4 */ 4 */
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -62,31 +62,35 @@
62 62
63/* Initialise a PKCS12 structure to take data */ 63/* Initialise a PKCS12 structure to take data */
64 64
65PKCS12 *PKCS12_init(int mode) 65PKCS12 *
66PKCS12_init(int mode)
66{ 67{
67 PKCS12 *pkcs12; 68 PKCS12 *pkcs12;
69
68 if (!(pkcs12 = PKCS12_new())) { 70 if (!(pkcs12 = PKCS12_new())) {
69 PKCS12err(PKCS12_F_PKCS12_INIT,ERR_R_MALLOC_FAILURE); 71 PKCS12err(PKCS12_F_PKCS12_INIT, ERR_R_MALLOC_FAILURE);
70 return NULL; 72 return NULL;
71 } 73 }
72 ASN1_INTEGER_set(pkcs12->version, 3); 74 ASN1_INTEGER_set(pkcs12->version, 3);
73 pkcs12->authsafes->type = OBJ_nid2obj(mode); 75 pkcs12->authsafes->type = OBJ_nid2obj(mode);
74 switch (mode) { 76 switch (mode) {
75 case NID_pkcs7_data: 77 case NID_pkcs7_data:
76 if (!(pkcs12->authsafes->d.data = 78 if (!(pkcs12->authsafes->d.data =
77 M_ASN1_OCTET_STRING_new())) { 79 M_ASN1_OCTET_STRING_new())) {
78 PKCS12err(PKCS12_F_PKCS12_INIT,ERR_R_MALLOC_FAILURE); 80 PKCS12err(PKCS12_F_PKCS12_INIT, ERR_R_MALLOC_FAILURE);
79 goto err; 81 goto err;
80 } 82 }
81 break; 83 break;
82 default: 84 default:
83 PKCS12err(PKCS12_F_PKCS12_INIT, 85 PKCS12err(PKCS12_F_PKCS12_INIT,
84 PKCS12_R_UNSUPPORTED_PKCS12_MODE); 86 PKCS12_R_UNSUPPORTED_PKCS12_MODE);
85 goto err; 87 goto err;
86 } 88 }
87 89
88 return pkcs12; 90 return pkcs12;
91
89err: 92err:
90 if (pkcs12 != NULL) PKCS12_free(pkcs12); 93 if (pkcs12 != NULL)
94 PKCS12_free(pkcs12);
91 return NULL; 95 return NULL;
92} 96}
diff --git a/src/lib/libssl/src/crypto/pkcs12/p12_key.c b/src/lib/libssl/src/crypto/pkcs12/p12_key.c
index 24c86b7fc8..ffa736a04f 100644
--- a/src/lib/libssl/src/crypto/pkcs12/p12_key.c
+++ b/src/lib/libssl/src/crypto/pkcs12/p12_key.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: p12_key.c,v 1.15 2014/06/12 15:49:30 deraadt Exp $ */ 1/* $OpenBSD: p12_key.c,v 1.16 2014/07/08 09:24:53 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999. 3 * project 1999.
4 */ 4 */
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -74,35 +74,37 @@ void h__dump (unsigned char *p, int len);
74#define min(a,b) ((a) < (b) ? (a) : (b)) 74#define min(a,b) ((a) < (b) ? (a) : (b))
75#endif 75#endif
76 76
77int PKCS12_key_gen_asc(const char *pass, int passlen, unsigned char *salt, 77int
78 int saltlen, int id, int iter, int n, unsigned char *out, 78PKCS12_key_gen_asc(const char *pass, int passlen, unsigned char *salt,
79 const EVP_MD *md_type) 79 int saltlen, int id, int iter, int n, unsigned char *out,
80 const EVP_MD *md_type)
80{ 81{
81 int ret; 82 int ret;
82 unsigned char *unipass; 83 unsigned char *unipass;
83 int uniplen; 84 int uniplen;
84 85
85 if(!pass) { 86 if (!pass) {
86 unipass = NULL; 87 unipass = NULL;
87 uniplen = 0; 88 uniplen = 0;
88 } else if (!OPENSSL_asc2uni(pass, passlen, &unipass, &uniplen)) { 89 } else if (!OPENSSL_asc2uni(pass, passlen, &unipass, &uniplen)) {
89 PKCS12err(PKCS12_F_PKCS12_KEY_GEN_ASC,ERR_R_MALLOC_FAILURE); 90 PKCS12err(PKCS12_F_PKCS12_KEY_GEN_ASC, ERR_R_MALLOC_FAILURE);
90 return 0; 91 return 0;
91 } 92 }
92 ret = PKCS12_key_gen_uni(unipass, uniplen, salt, saltlen, 93 ret = PKCS12_key_gen_uni(unipass, uniplen, salt, saltlen,
93 id, iter, n, out, md_type); 94 id, iter, n, out, md_type);
94 if (ret <= 0) 95 if (ret <= 0)
95 return 0; 96 return 0;
96 if(unipass) { 97 if (unipass) {
97 OPENSSL_cleanse(unipass, uniplen); /* Clear password from memory */ 98 OPENSSL_cleanse(unipass, uniplen); /* Clear password from memory */
98 free(unipass); 99 free(unipass);
99 } 100 }
100 return ret; 101 return ret;
101} 102}
102 103
103int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt, 104int
104 int saltlen, int id, int iter, int n, unsigned char *out, 105PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt,
105 const EVP_MD *md_type) 106 int saltlen, int id, int iter, int n, unsigned char *out,
107 const EVP_MD *md_type)
106{ 108{
107 unsigned char *B, *D, *I, *p, *Ai; 109 unsigned char *B, *D, *I, *p, *Ai;
108 int Slen, Plen, Ilen, Ijlen; 110 int Slen, Plen, Ilen, Ijlen;
@@ -117,7 +119,7 @@ int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt,
117 119
118#if 0 120#if 0
119 if (!pass) { 121 if (!pass) {
120 PKCS12err(PKCS12_F_PKCS12_KEY_GEN_UNI,ERR_R_PASSED_NULL_PARAMETER); 122 PKCS12err(PKCS12_F_PKCS12_KEY_GEN_UNI, ERR_R_PASSED_NULL_PARAMETER);
121 return 0; 123 return 0;
122 } 124 }
123#endif 125#endif
@@ -131,37 +133,42 @@ int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt,
131 fprintf(stderr, "Salt (length %d):\n", saltlen); 133 fprintf(stderr, "Salt (length %d):\n", saltlen);
132 h__dump(salt, saltlen); 134 h__dump(salt, saltlen);
133#endif 135#endif
134 v = EVP_MD_block_size (md_type); 136 v = EVP_MD_block_size(md_type);
135 u = EVP_MD_size (md_type); 137 u = EVP_MD_size(md_type);
136 if (u < 0) 138 if (u < 0)
137 return 0; 139 return 0;
138 D = malloc (v); 140 D = malloc(v);
139 Ai = malloc (u); 141 Ai = malloc(u);
140 B = malloc (v + 1); 142 B = malloc(v + 1);
141 Slen = v * ((saltlen+v-1)/v); 143 Slen = v * ((saltlen + v - 1) / v);
142 if(passlen) Plen = v * ((passlen+v-1)/v); 144 if (passlen)
143 else Plen = 0; 145 Plen = v * ((passlen + v - 1)/v);
146 else
147 Plen = 0;
144 Ilen = Slen + Plen; 148 Ilen = Slen + Plen;
145 I = malloc (Ilen); 149 I = malloc(Ilen);
146 Ij = BN_new(); 150 Ij = BN_new();
147 Bpl1 = BN_new(); 151 Bpl1 = BN_new();
148 if (!D || !Ai || !B || !I || !Ij || !Bpl1) 152 if (!D || !Ai || !B || !I || !Ij || !Bpl1)
149 goto err; 153 goto err;
150 for (i = 0; i < v; i++) D[i] = id; 154 for (i = 0; i < v; i++)
155 D[i] = id;
151 p = I; 156 p = I;
152 for (i = 0; i < Slen; i++) *p++ = salt[i % saltlen]; 157 for (i = 0; i < Slen; i++)
153 for (i = 0; i < Plen; i++) *p++ = pass[i % passlen]; 158 *p++ = salt[i % saltlen];
159 for (i = 0; i < Plen; i++)
160 *p++ = pass[i % passlen];
154 for (;;) { 161 for (;;) {
155 if (!EVP_DigestInit_ex(&ctx, md_type, NULL) 162 if (!EVP_DigestInit_ex(&ctx, md_type, NULL) ||
156 || !EVP_DigestUpdate(&ctx, D, v) 163 !EVP_DigestUpdate(&ctx, D, v) ||
157 || !EVP_DigestUpdate(&ctx, I, Ilen) 164 !EVP_DigestUpdate(&ctx, I, Ilen) ||
158 || !EVP_DigestFinal_ex(&ctx, Ai, NULL)) 165 !EVP_DigestFinal_ex(&ctx, Ai, NULL))
159 goto err; 166 goto err;
160 for (j = 1; j < iter; j++) { 167 for (j = 1; j < iter; j++) {
161 if (!EVP_DigestInit_ex(&ctx, md_type, NULL) 168 if (!EVP_DigestInit_ex(&ctx, md_type, NULL) ||
162 || !EVP_DigestUpdate(&ctx, Ai, u) 169 !EVP_DigestUpdate(&ctx, Ai, u) ||
163 || !EVP_DigestFinal_ex(&ctx, Ai, NULL)) 170 !EVP_DigestFinal_ex(&ctx, Ai, NULL))
164 goto err; 171 goto err;
165 } 172 }
166 memcpy (out, Ai, min (n, u)); 173 memcpy (out, Ai, min (n, u));
167 if (u >= n) { 174 if (u >= n) {
@@ -174,13 +181,14 @@ int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt,
174 } 181 }
175 n -= u; 182 n -= u;
176 out += u; 183 out += u;
177 for (j = 0; j < v; j++) B[j] = Ai[j % u]; 184 for (j = 0; j < v; j++)
185 B[j] = Ai[j % u];
178 /* Work out B + 1 first then can use B as tmp space */ 186 /* Work out B + 1 first then can use B as tmp space */
179 if (!BN_bin2bn (B, v, Bpl1)) 187 if (!BN_bin2bn (B, v, Bpl1))
180 goto err; 188 goto err;
181 if (!BN_add_word (Bpl1, 1)) 189 if (!BN_add_word (Bpl1, 1))
182 goto err; 190 goto err;
183 for (j = 0; j < Ilen ; j+=v) { 191 for (j = 0; j < Ilen; j += v) {
184 if (!BN_bin2bn(I + j, v, Ij)) 192 if (!BN_bin2bn(I + j, v, Ij))
185 goto err; 193 goto err;
186 if (!BN_add(Ij, Ij, Bpl1)) 194 if (!BN_add(Ij, Ij, Bpl1))
@@ -194,7 +202,7 @@ int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt,
194 goto err; 202 goto err;
195 memcpy (I + j, B + 1, v); 203 memcpy (I + j, B + 1, v);
196#ifndef PKCS12_BROKEN_KEYGEN 204#ifndef PKCS12_BROKEN_KEYGEN
197 /* If less than v bytes pad with zeroes */ 205 /* If less than v bytes pad with zeroes */
198 } else if (Ijlen < v) { 206 } else if (Ijlen < v) {
199 memset(I + j, 0, v - Ijlen); 207 memset(I + j, 0, v - Ijlen);
200 if (!BN_bn2bin(Ij, I + j + v - Ijlen)) 208 if (!BN_bn2bin(Ij, I + j + v - Ijlen))
@@ -206,7 +214,7 @@ int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt,
206 } 214 }
207 215
208err: 216err:
209 PKCS12err(PKCS12_F_PKCS12_KEY_GEN_UNI,ERR_R_MALLOC_FAILURE); 217 PKCS12err(PKCS12_F_PKCS12_KEY_GEN_UNI, ERR_R_MALLOC_FAILURE);
210 218
211end: 219end:
212 free (Ai); 220 free (Ai);
@@ -221,7 +229,8 @@ end:
221#ifdef DEBUG_KEYGEN 229#ifdef DEBUG_KEYGEN
222void h__dump (unsigned char *p, int len) 230void h__dump (unsigned char *p, int len)
223{ 231{
224 for (; len --; p++) fprintf(stderr, "%02X", *p); 232 for (; len --; p++)
225 fprintf(stderr, "\n"); 233 fprintf(stderr, "%02X", *p);
234 fprintf(stderr, "\n");
226} 235}
227#endif 236#endif
diff --git a/src/lib/libssl/src/crypto/pkcs12/p12_kiss.c b/src/lib/libssl/src/crypto/pkcs12/p12_kiss.c
index 0772fa65af..4063ba4b82 100644
--- a/src/lib/libssl/src/crypto/pkcs12/p12_kiss.c
+++ b/src/lib/libssl/src/crypto/pkcs12/p12_kiss.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: p12_kiss.c,v 1.14 2014/06/12 15:49:30 deraadt Exp $ */ 1/* $OpenBSD: p12_kiss.c,v 1.15 2014/07/08 09:24:53 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999. 3 * project 1999.
4 */ 4 */
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -63,13 +63,13 @@
63/* Simplified PKCS#12 routines */ 63/* Simplified PKCS#12 routines */
64 64
65static int parse_pk12( PKCS12 *p12, const char *pass, int passlen, 65static int parse_pk12( PKCS12 *p12, const char *pass, int passlen,
66 EVP_PKEY **pkey, STACK_OF(X509) *ocerts); 66 EVP_PKEY **pkey, STACK_OF(X509) *ocerts);
67 67
68static int parse_bags( STACK_OF(PKCS12_SAFEBAG) *bags, const char *pass, 68static int parse_bags( STACK_OF(PKCS12_SAFEBAG) *bags, const char *pass,
69 int passlen, EVP_PKEY **pkey, STACK_OF(X509) *ocerts); 69 int passlen, EVP_PKEY **pkey, STACK_OF(X509) *ocerts);
70 70
71static int parse_bag( PKCS12_SAFEBAG *bag, const char *pass, int passlen, 71static int parse_bag( PKCS12_SAFEBAG *bag, const char *pass, int passlen,
72 EVP_PKEY **pkey, STACK_OF(X509) *ocerts); 72 EVP_PKEY **pkey, STACK_OF(X509) *ocerts);
73 73
74/* Parse and decrypt a PKCS#12 structure returning user key, user cert 74/* Parse and decrypt a PKCS#12 structure returning user key, user cert
75 * and other (CA) certs. Note either ca should be NULL, *ca should be NULL, 75 * and other (CA) certs. Note either ca should be NULL, *ca should be NULL,
@@ -77,22 +77,23 @@ static int parse_bag( PKCS12_SAFEBAG *bag, const char *pass, int passlen,
77 * passed unitialised. 77 * passed unitialised.
78 */ 78 */
79 79
80int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert, 80int
81 STACK_OF(X509) **ca) 81PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert,
82 STACK_OF(X509) **ca)
82{ 83{
83 STACK_OF(X509) *ocerts = NULL; 84 STACK_OF(X509) *ocerts = NULL;
84 X509 *x = NULL; 85 X509 *x = NULL;
85 /* Check for NULL PKCS12 structure */ 86 /* Check for NULL PKCS12 structure */
86 87
87 if(!p12) 88 if (!p12) {
88 { 89 PKCS12err(PKCS12_F_PKCS12_PARSE,
89 PKCS12err(PKCS12_F_PKCS12_PARSE,PKCS12_R_INVALID_NULL_PKCS12_POINTER); 90 PKCS12_R_INVALID_NULL_PKCS12_POINTER);
90 return 0; 91 return 0;
91 } 92 }
92 93
93 if(pkey) 94 if (pkey)
94 *pkey = NULL; 95 *pkey = NULL;
95 if(cert) 96 if (cert)
96 *cert = NULL; 97 *cert = NULL;
97 98
98 /* Check the mac */ 99 /* Check the mac */
@@ -103,46 +104,42 @@ int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert,
103 * password are two different things... 104 * password are two different things...
104 */ 105 */
105 106
106 if(!pass || !*pass) { 107 if (!pass || !*pass) {
107 if(PKCS12_verify_mac(p12, NULL, 0)) pass = NULL; 108 if (PKCS12_verify_mac(p12, NULL, 0))
108 else if(PKCS12_verify_mac(p12, "", 0)) pass = ""; 109 pass = NULL;
110 else if (PKCS12_verify_mac(p12, "", 0))
111 pass = "";
109 else { 112 else {
110 PKCS12err(PKCS12_F_PKCS12_PARSE,PKCS12_R_MAC_VERIFY_FAILURE); 113 PKCS12err(PKCS12_F_PKCS12_PARSE,
114 PKCS12_R_MAC_VERIFY_FAILURE);
111 goto err; 115 goto err;
112 } 116 }
113 } else if (!PKCS12_verify_mac(p12, pass, -1)) { 117 } else if (!PKCS12_verify_mac(p12, pass, -1)) {
114 PKCS12err(PKCS12_F_PKCS12_PARSE,PKCS12_R_MAC_VERIFY_FAILURE); 118 PKCS12err(PKCS12_F_PKCS12_PARSE, PKCS12_R_MAC_VERIFY_FAILURE);
115 goto err; 119 goto err;
116 } 120 }
117 121
118 /* Allocate stack for other certificates */ 122 /* Allocate stack for other certificates */
119 ocerts = sk_X509_new_null(); 123 ocerts = sk_X509_new_null();
120 124 if (!ocerts) {
121 if (!ocerts) 125 PKCS12err(PKCS12_F_PKCS12_PARSE, ERR_R_MALLOC_FAILURE);
122 {
123 PKCS12err(PKCS12_F_PKCS12_PARSE,ERR_R_MALLOC_FAILURE);
124 return 0; 126 return 0;
125 } 127 }
126 128
127 if (!parse_pk12 (p12, pass, -1, pkey, ocerts)) 129 if (!parse_pk12 (p12, pass, -1, pkey, ocerts)) {
128 { 130 PKCS12err(PKCS12_F_PKCS12_PARSE, PKCS12_R_PARSE_ERROR);
129 PKCS12err(PKCS12_F_PKCS12_PARSE,PKCS12_R_PARSE_ERROR);
130 goto err; 131 goto err;
131 } 132 }
132 133
133 while ((x = sk_X509_pop(ocerts))) 134 while ((x = sk_X509_pop(ocerts))) {
134 { 135 if (pkey && *pkey && cert && !*cert) {
135 if (pkey && *pkey && cert && !*cert) 136 if (X509_check_private_key(x, *pkey)) {
136 {
137 if (X509_check_private_key(x, *pkey))
138 {
139 *cert = x; 137 *cert = x;
140 x = NULL; 138 x = NULL;
141 }
142 } 139 }
140 }
143 141
144 if (ca && x) 142 if (ca && x) {
145 {
146 if (!*ca) 143 if (!*ca)
147 *ca = sk_X509_new_null(); 144 *ca = sk_X509_new_null();
148 if (!*ca) 145 if (!*ca)
@@ -150,18 +147,17 @@ int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert,
150 if (!sk_X509_push(*ca, x)) 147 if (!sk_X509_push(*ca, x))
151 goto err; 148 goto err;
152 x = NULL; 149 x = NULL;
153 } 150 }
154 if (x) 151 if (x)
155 X509_free(x); 152 X509_free(x);
156 } 153 }
157 154
158 if (ocerts) 155 if (ocerts)
159 sk_X509_pop_free(ocerts, X509_free); 156 sk_X509_pop_free(ocerts, X509_free);
160 157
161 return 1; 158 return 1;
162 159
163 err: 160err:
164
165 if (pkey && *pkey) 161 if (pkey && *pkey)
166 EVP_PKEY_free(*pkey); 162 EVP_PKEY_free(*pkey);
167 if (cert && *cert) 163 if (cert && *cert)
@@ -171,20 +167,21 @@ int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert,
171 if (ocerts) 167 if (ocerts)
172 sk_X509_pop_free(ocerts, X509_free); 168 sk_X509_pop_free(ocerts, X509_free);
173 return 0; 169 return 0;
174
175} 170}
176 171
177/* Parse the outer PKCS#12 structure */ 172/* Parse the outer PKCS#12 structure */
178 173
179static int parse_pk12(PKCS12 *p12, const char *pass, int passlen, 174static int
180 EVP_PKEY **pkey, STACK_OF(X509) *ocerts) 175parse_pk12(PKCS12 *p12, const char *pass, int passlen, EVP_PKEY **pkey,
176 STACK_OF(X509) *ocerts)
181{ 177{
182 STACK_OF(PKCS7) *asafes; 178 STACK_OF(PKCS7) *asafes;
183 STACK_OF(PKCS12_SAFEBAG) *bags; 179 STACK_OF(PKCS12_SAFEBAG) *bags;
184 int i, bagnid; 180 int i, bagnid;
185 PKCS7 *p7; 181 PKCS7 *p7;
186 182
187 if (!(asafes = PKCS12_unpack_authsafes (p12))) return 0; 183 if (!(asafes = PKCS12_unpack_authsafes (p12)))
184 return 0;
188 for (i = 0; i < sk_PKCS7_num (asafes); i++) { 185 for (i = 0; i < sk_PKCS7_num (asafes); i++) {
189 p7 = sk_PKCS7_value (asafes, i); 186 p7 = sk_PKCS7_value (asafes, i);
190 bagnid = OBJ_obj2nid (p7->type); 187 bagnid = OBJ_obj2nid (p7->type);
@@ -192,12 +189,13 @@ static int parse_pk12(PKCS12 *p12, const char *pass, int passlen,
192 bags = PKCS12_unpack_p7data(p7); 189 bags = PKCS12_unpack_p7data(p7);
193 } else if (bagnid == NID_pkcs7_encrypted) { 190 } else if (bagnid == NID_pkcs7_encrypted) {
194 bags = PKCS12_unpack_p7encdata(p7, pass, passlen); 191 bags = PKCS12_unpack_p7encdata(p7, pass, passlen);
195 } else continue; 192 } else
193 continue;
196 if (!bags) { 194 if (!bags) {
197 sk_PKCS7_pop_free(asafes, PKCS7_free); 195 sk_PKCS7_pop_free(asafes, PKCS7_free);
198 return 0; 196 return 0;
199 } 197 }
200 if (!parse_bags(bags, pass, passlen, pkey, ocerts)) { 198 if (!parse_bags(bags, pass, passlen, pkey, ocerts)) {
201 sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free); 199 sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
202 sk_PKCS7_pop_free(asafes, PKCS7_free); 200 sk_PKCS7_pop_free(asafes, PKCS7_free);
203 return 0; 201 return 0;
@@ -208,21 +206,23 @@ static int parse_pk12(PKCS12 *p12, const char *pass, int passlen,
208 return 1; 206 return 1;
209} 207}
210 208
211 209static int
212static int parse_bags(STACK_OF(PKCS12_SAFEBAG) *bags, const char *pass, 210parse_bags(STACK_OF(PKCS12_SAFEBAG) *bags, const char *pass, int passlen,
213 int passlen, EVP_PKEY **pkey, STACK_OF(X509) *ocerts) 211 EVP_PKEY **pkey, STACK_OF(X509) *ocerts)
214{ 212{
215 int i; 213 int i;
214
216 for (i = 0; i < sk_PKCS12_SAFEBAG_num(bags); i++) { 215 for (i = 0; i < sk_PKCS12_SAFEBAG_num(bags); i++) {
217 if (!parse_bag(sk_PKCS12_SAFEBAG_value (bags, i), 216 if (!parse_bag(sk_PKCS12_SAFEBAG_value(bags, i), pass, passlen,
218 pass, passlen, pkey, ocerts)) 217 pkey, ocerts))
219 return 0; 218 return 0;
220 } 219 }
221 return 1; 220 return 1;
222} 221}
223 222
224static int parse_bag(PKCS12_SAFEBAG *bag, const char *pass, int passlen, 223static int
225 EVP_PKEY **pkey, STACK_OF(X509) *ocerts) 224parse_bag(PKCS12_SAFEBAG *bag, const char *pass, int passlen, EVP_PKEY **pkey,
225 STACK_OF(X509) *ocerts)
226{ 226{
227 PKCS8_PRIV_KEY_INFO *p8; 227 PKCS8_PRIV_KEY_INFO *p8;
228 X509 *x509; 228 X509 *x509;
@@ -236,67 +236,63 @@ static int parse_bag(PKCS12_SAFEBAG *bag, const char *pass, int passlen,
236 if ((attrib = PKCS12_get_attr (bag, NID_localKeyID))) 236 if ((attrib = PKCS12_get_attr (bag, NID_localKeyID)))
237 lkid = attrib->value.octet_string; 237 lkid = attrib->value.octet_string;
238 238
239 switch (M_PKCS12_bag_type(bag)) 239 switch (M_PKCS12_bag_type(bag)) {
240 {
241 case NID_keyBag: 240 case NID_keyBag:
242 if (!pkey || *pkey) 241 if (!pkey || *pkey)
243 return 1; 242 return 1;
244 if (!(*pkey = EVP_PKCS82PKEY(bag->value.keybag))) 243 if (!(*pkey = EVP_PKCS82PKEY(bag->value.keybag)))
245 return 0; 244 return 0;
246 break; 245 break;
247 246
248 case NID_pkcs8ShroudedKeyBag: 247 case NID_pkcs8ShroudedKeyBag:
249 if (!pkey || *pkey) 248 if (!pkey || *pkey)
250 return 1; 249 return 1;
251 if (!(p8 = PKCS12_decrypt_skey(bag, pass, passlen))) 250 if (!(p8 = PKCS12_decrypt_skey(bag, pass, passlen)))
252 return 0; 251 return 0;
253 *pkey = EVP_PKCS82PKEY(p8); 252 *pkey = EVP_PKCS82PKEY(p8);
254 PKCS8_PRIV_KEY_INFO_free(p8); 253 PKCS8_PRIV_KEY_INFO_free(p8);
255 if (!(*pkey)) return 0; 254 if (!(*pkey))
256 break; 255 return 0;
256 break;
257 257
258 case NID_certBag: 258 case NID_certBag:
259 if (M_PKCS12_cert_bag_type(bag) != NID_x509Certificate ) 259 if (M_PKCS12_cert_bag_type(bag) != NID_x509Certificate )
260 return 1; 260 return 1;
261 if (!(x509 = PKCS12_certbag2x509(bag))) 261 if (!(x509 = PKCS12_certbag2x509(bag)))
262 return 0; 262 return 0;
263 if(lkid && !X509_keyid_set1(x509, lkid->data, lkid->length)) 263 if (lkid && !X509_keyid_set1(x509, lkid->data, lkid->length)) {
264 {
265 X509_free(x509); 264 X509_free(x509);
266 return 0; 265 return 0;
267 } 266 }
268 if(fname) { 267 if (fname) {
269 int len, r; 268 int len, r;
270 unsigned char *data; 269 unsigned char *data;
271 len = ASN1_STRING_to_UTF8(&data, fname); 270 len = ASN1_STRING_to_UTF8(&data, fname);
272 if(len >= 0) { 271 if (len >= 0) {
273 r = X509_alias_set1(x509, data, len); 272 r = X509_alias_set1(x509, data, len);
274 free(data); 273 free(data);
275 if (!r) 274 if (!r) {
276 {
277 X509_free(x509); 275 X509_free(x509);
278 return 0; 276 return 0;
279 } 277 }
280 } 278 }
281 } 279 }
282 280
283 if(!sk_X509_push(ocerts, x509)) 281 if (!sk_X509_push(ocerts, x509)) {
284 {
285 X509_free(x509); 282 X509_free(x509);
286 return 0; 283 return 0;
287 } 284 }
288 285
289 break; 286 break;
290 287
291 case NID_safeContentsBag: 288 case NID_safeContentsBag:
292 return parse_bags(bag->value.safes, pass, passlen, 289 return parse_bags(bag->value.safes, pass, passlen,
293 pkey, ocerts); 290 pkey, ocerts);
294 break; 291 break;
295 292
296 default: 293 default:
297 return 1; 294 return 1;
298 break; 295 break;
299 } 296 }
300 return 1; 297 return 1;
301} 298}
302
diff --git a/src/lib/libssl/src/crypto/pkcs12/p12_mutl.c b/src/lib/libssl/src/crypto/pkcs12/p12_mutl.c
index 203480fb15..7a2fab1666 100644
--- a/src/lib/libssl/src/crypto/pkcs12/p12_mutl.c
+++ b/src/lib/libssl/src/crypto/pkcs12/p12_mutl.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: p12_mutl.c,v 1.13 2014/06/12 15:49:30 deraadt Exp $ */ 1/* $OpenBSD: p12_mutl.c,v 1.14 2014/07/08 09:24:53 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999. 3 * project 1999.
4 */ 4 */
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -64,8 +64,9 @@
64#include <openssl/pkcs12.h> 64#include <openssl/pkcs12.h>
65 65
66/* Generate a MAC */ 66/* Generate a MAC */
67int PKCS12_gen_mac(PKCS12 *p12, const char *pass, int passlen, 67int
68 unsigned char *mac, unsigned int *maclen) 68PKCS12_gen_mac(PKCS12 *p12, const char *pass, int passlen,
69 unsigned char *mac, unsigned int *maclen)
69{ 70{
70 const EVP_MD *md_type; 71 const EVP_MD *md_type;
71 HMAC_CTX hmac; 72 HMAC_CTX hmac;
@@ -73,101 +74,115 @@ int PKCS12_gen_mac(PKCS12 *p12, const char *pass, int passlen,
73 int saltlen, iter; 74 int saltlen, iter;
74 int md_size; 75 int md_size;
75 76
76 if (!PKCS7_type_is_data(p12->authsafes)) 77 if (!PKCS7_type_is_data(p12->authsafes)) {
77 { 78 PKCS12err(PKCS12_F_PKCS12_GEN_MAC,
78 PKCS12err(PKCS12_F_PKCS12_GEN_MAC,PKCS12_R_CONTENT_TYPE_NOT_DATA); 79 PKCS12_R_CONTENT_TYPE_NOT_DATA);
79 return 0; 80 return 0;
80 } 81 }
81 82
82 salt = p12->mac->salt->data; 83 salt = p12->mac->salt->data;
83 saltlen = p12->mac->salt->length; 84 saltlen = p12->mac->salt->length;
84 if (!p12->mac->iter) iter = 1; 85 if (!p12->mac->iter)
85 else iter = ASN1_INTEGER_get (p12->mac->iter); 86 iter = 1;
86 if(!(md_type = 87 else
87 EVP_get_digestbyobj (p12->mac->dinfo->algor->algorithm))) { 88 iter = ASN1_INTEGER_get(p12->mac->iter);
88 PKCS12err(PKCS12_F_PKCS12_GEN_MAC,PKCS12_R_UNKNOWN_DIGEST_ALGORITHM); 89 if (!(md_type = EVP_get_digestbyobj(
90 p12->mac->dinfo->algor->algorithm))) {
91 PKCS12err(PKCS12_F_PKCS12_GEN_MAC,
92 PKCS12_R_UNKNOWN_DIGEST_ALGORITHM);
89 return 0; 93 return 0;
90 } 94 }
91 md_size = EVP_MD_size(md_type); 95 md_size = EVP_MD_size(md_type);
92 if (md_size < 0) 96 if (md_size < 0)
93 return 0; 97 return 0;
94 if(!PKCS12_key_gen (pass, passlen, salt, saltlen, PKCS12_MAC_ID, iter, 98 if (!PKCS12_key_gen (pass, passlen, salt, saltlen, PKCS12_MAC_ID, iter,
95 md_size, key, md_type)) { 99 md_size, key, md_type)) {
96 PKCS12err(PKCS12_F_PKCS12_GEN_MAC,PKCS12_R_KEY_GEN_ERROR); 100 PKCS12err(PKCS12_F_PKCS12_GEN_MAC, PKCS12_R_KEY_GEN_ERROR);
97 return 0; 101 return 0;
98 } 102 }
99 HMAC_CTX_init(&hmac); 103 HMAC_CTX_init(&hmac);
100 if (!HMAC_Init_ex(&hmac, key, md_size, md_type, NULL) 104 if (!HMAC_Init_ex(&hmac, key, md_size, md_type, NULL) ||
101 || !HMAC_Update(&hmac, p12->authsafes->d.data->data, 105 !HMAC_Update(&hmac, p12->authsafes->d.data->data,
102 p12->authsafes->d.data->length) 106 p12->authsafes->d.data->length) ||
103 || !HMAC_Final(&hmac, mac, maclen)) 107 !HMAC_Final(&hmac, mac, maclen)) {
104 { 108 HMAC_CTX_cleanup(&hmac);
105 HMAC_CTX_cleanup(&hmac);
106 return 0; 109 return 0;
107 } 110 }
108 HMAC_CTX_cleanup(&hmac); 111 HMAC_CTX_cleanup(&hmac);
109 return 1; 112 return 1;
110} 113}
111 114
112/* Verify the mac */ 115/* Verify the mac */
113int PKCS12_verify_mac(PKCS12 *p12, const char *pass, int passlen) 116int
117PKCS12_verify_mac(PKCS12 *p12, const char *pass, int passlen)
114{ 118{
115 unsigned char mac[EVP_MAX_MD_SIZE]; 119 unsigned char mac[EVP_MAX_MD_SIZE];
116 unsigned int maclen; 120 unsigned int maclen;
117 if(p12->mac == NULL) { 121 if (p12->mac == NULL) {
118 PKCS12err(PKCS12_F_PKCS12_VERIFY_MAC,PKCS12_R_MAC_ABSENT); 122 PKCS12err(PKCS12_F_PKCS12_VERIFY_MAC, PKCS12_R_MAC_ABSENT);
119 return 0; 123 return 0;
120 } 124 }
121 if (!PKCS12_gen_mac (p12, pass, passlen, mac, &maclen)) { 125 if (!PKCS12_gen_mac (p12, pass, passlen, mac, &maclen)) {
122 PKCS12err(PKCS12_F_PKCS12_VERIFY_MAC,PKCS12_R_MAC_GENERATION_ERROR); 126 PKCS12err(PKCS12_F_PKCS12_VERIFY_MAC,
127 PKCS12_R_MAC_GENERATION_ERROR);
123 return 0; 128 return 0;
124 } 129 }
125 if ((maclen != (unsigned int)p12->mac->dinfo->digest->length) 130 if ((maclen != (unsigned int)p12->mac->dinfo->digest->length) ||
126 || memcmp (mac, p12->mac->dinfo->digest->data, maclen)) return 0; 131 memcmp(mac, p12->mac->dinfo->digest->data, maclen))
132 return 0;
127 return 1; 133 return 1;
128} 134}
129 135
130/* Set a mac */ 136/* Set a mac */
131 137
132int PKCS12_set_mac(PKCS12 *p12, const char *pass, int passlen, 138int
133 unsigned char *salt, int saltlen, int iter, const EVP_MD *md_type) 139PKCS12_set_mac(PKCS12 *p12, const char *pass, int passlen, unsigned char *salt,
140 int saltlen, int iter, const EVP_MD *md_type)
134{ 141{
135 unsigned char mac[EVP_MAX_MD_SIZE]; 142 unsigned char mac[EVP_MAX_MD_SIZE];
136 unsigned int maclen; 143 unsigned int maclen;
137 144
138 if (!md_type) md_type = EVP_sha1(); 145 if (!md_type)
146 md_type = EVP_sha1();
139 if (PKCS12_setup_mac (p12, iter, salt, saltlen, md_type) == 147 if (PKCS12_setup_mac (p12, iter, salt, saltlen, md_type) ==
140 PKCS12_ERROR) { 148 PKCS12_ERROR) {
141 PKCS12err(PKCS12_F_PKCS12_SET_MAC,PKCS12_R_MAC_SETUP_ERROR); 149 PKCS12err(PKCS12_F_PKCS12_SET_MAC, PKCS12_R_MAC_SETUP_ERROR);
142 return 0; 150 return 0;
143 } 151 }
144 if (!PKCS12_gen_mac (p12, pass, passlen, mac, &maclen)) { 152 if (!PKCS12_gen_mac (p12, pass, passlen, mac, &maclen)) {
145 PKCS12err(PKCS12_F_PKCS12_SET_MAC,PKCS12_R_MAC_GENERATION_ERROR); 153 PKCS12err(PKCS12_F_PKCS12_SET_MAC,
154 PKCS12_R_MAC_GENERATION_ERROR);
146 return 0; 155 return 0;
147 } 156 }
148 if (!(M_ASN1_OCTET_STRING_set (p12->mac->dinfo->digest, mac, maclen))) { 157 if (!(M_ASN1_OCTET_STRING_set (p12->mac->dinfo->digest, mac, maclen))) {
149 PKCS12err(PKCS12_F_PKCS12_SET_MAC,PKCS12_R_MAC_STRING_SET_ERROR); 158 PKCS12err(PKCS12_F_PKCS12_SET_MAC,
150 return 0; 159 PKCS12_R_MAC_STRING_SET_ERROR);
160 return 0;
151 } 161 }
152 return 1; 162 return 1;
153} 163}
154 164
155/* Set up a mac structure */ 165/* Set up a mac structure */
156int PKCS12_setup_mac(PKCS12 *p12, int iter, unsigned char *salt, int saltlen, 166int
157 const EVP_MD *md_type) 167PKCS12_setup_mac(PKCS12 *p12, int iter, unsigned char *salt, int saltlen,
168 const EVP_MD *md_type)
158{ 169{
159 if (!(p12->mac = PKCS12_MAC_DATA_new())) return PKCS12_ERROR; 170 if (!(p12->mac = PKCS12_MAC_DATA_new()))
171 return PKCS12_ERROR;
160 if (iter > 1) { 172 if (iter > 1) {
161 if(!(p12->mac->iter = M_ASN1_INTEGER_new())) { 173 if (!(p12->mac->iter = M_ASN1_INTEGER_new())) {
162 PKCS12err(PKCS12_F_PKCS12_SETUP_MAC, ERR_R_MALLOC_FAILURE); 174 PKCS12err(PKCS12_F_PKCS12_SETUP_MAC,
175 ERR_R_MALLOC_FAILURE);
163 return 0; 176 return 0;
164 } 177 }
165 if (!ASN1_INTEGER_set(p12->mac->iter, iter)) { 178 if (!ASN1_INTEGER_set(p12->mac->iter, iter)) {
166 PKCS12err(PKCS12_F_PKCS12_SETUP_MAC, ERR_R_MALLOC_FAILURE); 179 PKCS12err(PKCS12_F_PKCS12_SETUP_MAC,
180 ERR_R_MALLOC_FAILURE);
167 return 0; 181 return 0;
168 } 182 }
169 } 183 }
170 if (!saltlen) saltlen = PKCS12_SALT_LEN; 184 if (!saltlen)
185 saltlen = PKCS12_SALT_LEN;
171 p12->mac->salt->length = saltlen; 186 p12->mac->salt->length = saltlen;
172 if (!(p12->mac->salt->data = malloc (saltlen))) { 187 if (!(p12->mac->salt->data = malloc (saltlen))) {
173 PKCS12err(PKCS12_F_PKCS12_SETUP_MAC, ERR_R_MALLOC_FAILURE); 188 PKCS12err(PKCS12_F_PKCS12_SETUP_MAC, ERR_R_MALLOC_FAILURE);
@@ -176,15 +191,15 @@ int PKCS12_setup_mac(PKCS12 *p12, int iter, unsigned char *salt, int saltlen,
176 if (!salt) { 191 if (!salt) {
177 if (RAND_pseudo_bytes (p12->mac->salt->data, saltlen) < 0) 192 if (RAND_pseudo_bytes (p12->mac->salt->data, saltlen) < 0)
178 return 0; 193 return 0;
179 } 194 } else
180 else memcpy (p12->mac->salt->data, salt, saltlen); 195 memcpy (p12->mac->salt->data, salt, saltlen);
181 p12->mac->dinfo->algor->algorithm = OBJ_nid2obj(EVP_MD_type(md_type)); 196 p12->mac->dinfo->algor->algorithm = OBJ_nid2obj(EVP_MD_type(md_type));
182 if (!(p12->mac->dinfo->algor->parameter = ASN1_TYPE_new())) { 197 if (!(p12->mac->dinfo->algor->parameter = ASN1_TYPE_new())) {
183 PKCS12err(PKCS12_F_PKCS12_SETUP_MAC, ERR_R_MALLOC_FAILURE); 198 PKCS12err(PKCS12_F_PKCS12_SETUP_MAC, ERR_R_MALLOC_FAILURE);
184 return 0; 199 return 0;
185 } 200 }
186 p12->mac->dinfo->algor->parameter->type = V_ASN1_NULL; 201 p12->mac->dinfo->algor->parameter->type = V_ASN1_NULL;
187 202
188 return 1; 203 return 1;
189} 204}
190#endif 205#endif
diff --git a/src/lib/libssl/src/crypto/pkcs12/p12_npas.c b/src/lib/libssl/src/crypto/pkcs12/p12_npas.c
index 9477de4a08..ab7bdc6458 100644
--- a/src/lib/libssl/src/crypto/pkcs12/p12_npas.c
+++ b/src/lib/libssl/src/crypto/pkcs12/p12_npas.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: p12_npas.c,v 1.8 2014/06/12 15:49:30 deraadt Exp $ */ 1/* $OpenBSD: p12_npas.c,v 1.9 2014/07/08 09:24:53 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999. 3 * project 1999.
4 */ 4 */
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -67,32 +67,34 @@
67 67
68static int newpass_p12(PKCS12 *p12, char *oldpass, char *newpass); 68static int newpass_p12(PKCS12 *p12, char *oldpass, char *newpass);
69static int newpass_bags(STACK_OF(PKCS12_SAFEBAG) *bags, char *oldpass, 69static int newpass_bags(STACK_OF(PKCS12_SAFEBAG) *bags, char *oldpass,
70 char *newpass); 70 char *newpass);
71static int newpass_bag(PKCS12_SAFEBAG *bag, char *oldpass, char *newpass); 71static int newpass_bag(PKCS12_SAFEBAG *bag, char *oldpass, char *newpass);
72static int alg_get(X509_ALGOR *alg, int *pnid, int *piter, int *psaltlen); 72static int alg_get(X509_ALGOR *alg, int *pnid, int *piter, int *psaltlen);
73 73
74/* 74/*
75 * Change the password on a PKCS#12 structure. 75 * Change the password on a PKCS#12 structure.
76 */ 76 */
77 77
78int PKCS12_newpass(PKCS12 *p12, char *oldpass, char *newpass) 78int
79PKCS12_newpass(PKCS12 *p12, char *oldpass, char *newpass)
79{ 80{
80 /* Check for NULL PKCS12 structure */ 81 /* Check for NULL PKCS12 structure */
81 82
82 if(!p12) { 83 if (!p12) {
83 PKCS12err(PKCS12_F_PKCS12_NEWPASS,PKCS12_R_INVALID_NULL_PKCS12_POINTER); 84 PKCS12err(PKCS12_F_PKCS12_NEWPASS,
85 PKCS12_R_INVALID_NULL_PKCS12_POINTER);
84 return 0; 86 return 0;
85 } 87 }
86 88
87 /* Check the mac */ 89 /* Check the mac */
88 90
89 if (!PKCS12_verify_mac(p12, oldpass, -1)) { 91 if (!PKCS12_verify_mac(p12, oldpass, -1)) {
90 PKCS12err(PKCS12_F_PKCS12_NEWPASS,PKCS12_R_MAC_VERIFY_FAILURE); 92 PKCS12err(PKCS12_F_PKCS12_NEWPASS, PKCS12_R_MAC_VERIFY_FAILURE);
91 return 0; 93 return 0;
92 } 94 }
93 95
94 if (!newpass_p12(p12, oldpass, newpass)) { 96 if (!newpass_p12(p12, oldpass, newpass)) {
95 PKCS12err(PKCS12_F_PKCS12_NEWPASS,PKCS12_R_PARSE_ERROR); 97 PKCS12err(PKCS12_F_PKCS12_NEWPASS, PKCS12_R_PARSE_ERROR);
96 return 0; 98 return 0;
97 } 99 }
98 100
@@ -101,7 +103,8 @@ int PKCS12_newpass(PKCS12 *p12, char *oldpass, char *newpass)
101 103
102/* Parse the outer PKCS#12 structure */ 104/* Parse the outer PKCS#12 structure */
103 105
104static int newpass_p12(PKCS12 *p12, char *oldpass, char *newpass) 106static int
107newpass_p12(PKCS12 *p12, char *oldpass, char *newpass)
105{ 108{
106 STACK_OF(PKCS7) *asafes, *newsafes; 109 STACK_OF(PKCS7) *asafes, *newsafes;
107 STACK_OF(PKCS12_SAFEBAG) *bags; 110 STACK_OF(PKCS12_SAFEBAG) *bags;
@@ -111,8 +114,10 @@ static int newpass_p12(PKCS12 *p12, char *oldpass, char *newpass)
111 unsigned char mac[EVP_MAX_MD_SIZE]; 114 unsigned char mac[EVP_MAX_MD_SIZE];
112 unsigned int maclen; 115 unsigned int maclen;
113 116
114 if (!(asafes = PKCS12_unpack_authsafes(p12))) return 0; 117 if (!(asafes = PKCS12_unpack_authsafes(p12)))
115 if(!(newsafes = sk_PKCS7_new_null())) return 0; 118 return 0;
119 if (!(newsafes = sk_PKCS7_new_null()))
120 return 0;
116 for (i = 0; i < sk_PKCS7_num (asafes); i++) { 121 for (i = 0; i < sk_PKCS7_num (asafes); i++) {
117 p7 = sk_PKCS7_value(asafes, i); 122 p7 = sk_PKCS7_value(asafes, i);
118 bagnid = OBJ_obj2nid(p7->type); 123 bagnid = OBJ_obj2nid(p7->type);
@@ -121,28 +126,30 @@ static int newpass_p12(PKCS12 *p12, char *oldpass, char *newpass)
121 } else if (bagnid == NID_pkcs7_encrypted) { 126 } else if (bagnid == NID_pkcs7_encrypted) {
122 bags = PKCS12_unpack_p7encdata(p7, oldpass, -1); 127 bags = PKCS12_unpack_p7encdata(p7, oldpass, -1);
123 if (!alg_get(p7->d.encrypted->enc_data->algorithm, 128 if (!alg_get(p7->d.encrypted->enc_data->algorithm,
124 &pbe_nid, &pbe_iter, &pbe_saltlen)) 129 &pbe_nid, &pbe_iter, &pbe_saltlen)) {
125 {
126 sk_PKCS12_SAFEBAG_pop_free(bags, 130 sk_PKCS12_SAFEBAG_pop_free(bags,
127 PKCS12_SAFEBAG_free); 131 PKCS12_SAFEBAG_free);
128 bags = NULL; 132 bags = NULL;
129 } 133 }
130 } else continue; 134 } else
135 continue;
131 if (!bags) { 136 if (!bags) {
132 sk_PKCS7_pop_free(asafes, PKCS7_free); 137 sk_PKCS7_pop_free(asafes, PKCS7_free);
133 return 0; 138 return 0;
134 } 139 }
135 if (!newpass_bags(bags, oldpass, newpass)) { 140 if (!newpass_bags(bags, oldpass, newpass)) {
136 sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free); 141 sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
137 sk_PKCS7_pop_free(asafes, PKCS7_free); 142 sk_PKCS7_pop_free(asafes, PKCS7_free);
138 return 0; 143 return 0;
139 } 144 }
140 /* Repack bag in same form with new password */ 145 /* Repack bag in same form with new password */
141 if (bagnid == NID_pkcs7_data) p7new = PKCS12_pack_p7data(bags); 146 if (bagnid == NID_pkcs7_data)
142 else p7new = PKCS12_pack_p7encdata(pbe_nid, newpass, -1, NULL, 147 p7new = PKCS12_pack_p7data(bags);
143 pbe_saltlen, pbe_iter, bags); 148 else
149 p7new = PKCS12_pack_p7encdata(pbe_nid, newpass, -1,
150 NULL, pbe_saltlen, pbe_iter, bags);
144 sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free); 151 sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
145 if(!p7new) { 152 if (!p7new) {
146 sk_PKCS7_pop_free(asafes, PKCS7_free); 153 sk_PKCS7_pop_free(asafes, PKCS7_free);
147 return 0; 154 return 0;
148 } 155 }
@@ -153,73 +160,82 @@ static int newpass_p12(PKCS12 *p12, char *oldpass, char *newpass)
153 /* Repack safe: save old safe in case of error */ 160 /* Repack safe: save old safe in case of error */
154 161
155 p12_data_tmp = p12->authsafes->d.data; 162 p12_data_tmp = p12->authsafes->d.data;
156 if(!(p12->authsafes->d.data = ASN1_OCTET_STRING_new())) goto saferr; 163 if (!(p12->authsafes->d.data = ASN1_OCTET_STRING_new()))
157 if(!PKCS12_pack_authsafes(p12, newsafes)) goto saferr; 164 goto saferr;
158 165 if (!PKCS12_pack_authsafes(p12, newsafes))
159 if(!PKCS12_gen_mac(p12, newpass, -1, mac, &maclen)) goto saferr; 166 goto saferr;
160 if(!(macnew = ASN1_OCTET_STRING_new())) goto saferr; 167
161 if(!ASN1_OCTET_STRING_set(macnew, mac, maclen)) goto saferr; 168 if (!PKCS12_gen_mac(p12, newpass, -1, mac, &maclen))
169 goto saferr;
170 if (!(macnew = ASN1_OCTET_STRING_new()))
171 goto saferr;
172 if (!ASN1_OCTET_STRING_set(macnew, mac, maclen))
173 goto saferr;
162 ASN1_OCTET_STRING_free(p12->mac->dinfo->digest); 174 ASN1_OCTET_STRING_free(p12->mac->dinfo->digest);
163 p12->mac->dinfo->digest = macnew; 175 p12->mac->dinfo->digest = macnew;
164 ASN1_OCTET_STRING_free(p12_data_tmp); 176 ASN1_OCTET_STRING_free(p12_data_tmp);
165 177
166 return 1; 178 return 1;
167 179
168 saferr: 180saferr:
169 /* Restore old safe */ 181 /* Restore old safe */
170 ASN1_OCTET_STRING_free(p12->authsafes->d.data); 182 ASN1_OCTET_STRING_free(p12->authsafes->d.data);
171 ASN1_OCTET_STRING_free(macnew); 183 ASN1_OCTET_STRING_free(macnew);
172 p12->authsafes->d.data = p12_data_tmp; 184 p12->authsafes->d.data = p12_data_tmp;
173 return 0; 185 return 0;
174
175} 186}
176 187
177 188
178static int newpass_bags(STACK_OF(PKCS12_SAFEBAG) *bags, char *oldpass, 189static int
179 char *newpass) 190newpass_bags(STACK_OF(PKCS12_SAFEBAG) *bags, char *oldpass, char *newpass)
180{ 191{
181 int i; 192 int i;
193
182 for (i = 0; i < sk_PKCS12_SAFEBAG_num(bags); i++) { 194 for (i = 0; i < sk_PKCS12_SAFEBAG_num(bags); i++) {
183 if (!newpass_bag(sk_PKCS12_SAFEBAG_value(bags, i), 195 if (!newpass_bag(sk_PKCS12_SAFEBAG_value(bags, i),
184 oldpass, newpass)) 196 oldpass, newpass))
185 return 0; 197 return 0;
186 } 198 }
187 return 1; 199 return 1;
188} 200}
189 201
190/* Change password of safebag: only needs handle shrouded keybags */ 202/* Change password of safebag: only needs handle shrouded keybags */
191 203
192static int newpass_bag(PKCS12_SAFEBAG *bag, char *oldpass, char *newpass) 204static int
205newpass_bag(PKCS12_SAFEBAG *bag, char *oldpass, char *newpass)
193{ 206{
194 PKCS8_PRIV_KEY_INFO *p8; 207 PKCS8_PRIV_KEY_INFO *p8;
195 X509_SIG *p8new; 208 X509_SIG *p8new;
196 int p8_nid, p8_saltlen, p8_iter; 209 int p8_nid, p8_saltlen, p8_iter;
197 210
198 if(M_PKCS12_bag_type(bag) != NID_pkcs8ShroudedKeyBag) return 1; 211 if (M_PKCS12_bag_type(bag) != NID_pkcs8ShroudedKeyBag)
212 return 1;
199 213
200 if (!(p8 = PKCS8_decrypt(bag->value.shkeybag, oldpass, -1))) return 0; 214 if (!(p8 = PKCS8_decrypt(bag->value.shkeybag, oldpass, -1)))
215 return 0;
201 if (!alg_get(bag->value.shkeybag->algor, &p8_nid, &p8_iter, 216 if (!alg_get(bag->value.shkeybag->algor, &p8_nid, &p8_iter,
202 &p8_saltlen)) 217 &p8_saltlen))
203 return 0; 218 return 0;
204 if(!(p8new = PKCS8_encrypt(p8_nid, NULL, newpass, -1, NULL, p8_saltlen, 219 if (!(p8new = PKCS8_encrypt(p8_nid, NULL, newpass, -1, NULL, p8_saltlen,
205 p8_iter, p8))) return 0; 220 p8_iter, p8))) return 0;
206 X509_SIG_free(bag->value.shkeybag); 221 X509_SIG_free(bag->value.shkeybag);
207 bag->value.shkeybag = p8new; 222 bag->value.shkeybag = p8new;
208 return 1; 223 return 1;
209} 224}
210 225
211static int alg_get(X509_ALGOR *alg, int *pnid, int *piter, int *psaltlen) 226static int
227alg_get(X509_ALGOR *alg, int *pnid, int *piter, int *psaltlen)
212{ 228{
213 PBEPARAM *pbe; 229 PBEPARAM *pbe;
214 const unsigned char *p; 230 const unsigned char *p;
215 231
216 p = alg->parameter->value.sequence->data; 232 p = alg->parameter->value.sequence->data;
217 pbe = d2i_PBEPARAM(NULL, &p, alg->parameter->value.sequence->length); 233 pbe = d2i_PBEPARAM(NULL, &p, alg->parameter->value.sequence->length);
218 if (!pbe) 234 if (!pbe)
219 return 0; 235 return 0;
220 *pnid = OBJ_obj2nid(alg->algorithm); 236 *pnid = OBJ_obj2nid(alg->algorithm);
221 *piter = ASN1_INTEGER_get(pbe->iter); 237 *piter = ASN1_INTEGER_get(pbe->iter);
222 *psaltlen = pbe->salt->length; 238 *psaltlen = pbe->salt->length;
223 PBEPARAM_free(pbe); 239 PBEPARAM_free(pbe);
224 return 1; 240 return 1;
225} 241}
diff --git a/src/lib/libssl/src/crypto/pkcs12/p12_p8d.c b/src/lib/libssl/src/crypto/pkcs12/p12_p8d.c
index f6a333baa5..4aceae6a9f 100644
--- a/src/lib/libssl/src/crypto/pkcs12/p12_p8d.c
+++ b/src/lib/libssl/src/crypto/pkcs12/p12_p8d.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: p12_p8d.c,v 1.3 2014/06/12 15:49:30 deraadt Exp $ */ 1/* $OpenBSD: p12_p8d.c,v 1.4 2014/07/08 09:24:53 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2001. 3 * project 2001.
4 */ 4 */
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -60,9 +60,9 @@
60#include "cryptlib.h" 60#include "cryptlib.h"
61#include <openssl/pkcs12.h> 61#include <openssl/pkcs12.h>
62 62
63PKCS8_PRIV_KEY_INFO *PKCS8_decrypt(X509_SIG *p8, const char *pass, int passlen) 63PKCS8_PRIV_KEY_INFO *
64PKCS8_decrypt(X509_SIG *p8, const char *pass, int passlen)
64{ 65{
65 return PKCS12_item_decrypt_d2i(p8->algor, ASN1_ITEM_rptr(PKCS8_PRIV_KEY_INFO), pass, 66 return PKCS12_item_decrypt_d2i(p8->algor,
66 passlen, p8->digest, 1); 67 ASN1_ITEM_rptr(PKCS8_PRIV_KEY_INFO), pass, passlen, p8->digest, 1);
67} 68}
68
diff --git a/src/lib/libssl/src/crypto/pkcs12/p12_p8e.c b/src/lib/libssl/src/crypto/pkcs12/p12_p8e.c
index 3d71a02a1c..1ee6a32f6a 100644
--- a/src/lib/libssl/src/crypto/pkcs12/p12_p8e.c
+++ b/src/lib/libssl/src/crypto/pkcs12/p12_p8e.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: p12_p8e.c,v 1.3 2014/06/12 15:49:30 deraadt Exp $ */ 1/* $OpenBSD: p12_p8e.c,v 1.4 2014/07/08 09:24:53 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2001. 3 * project 2001.
4 */ 4 */
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -60,10 +60,10 @@
60#include "cryptlib.h" 60#include "cryptlib.h"
61#include <openssl/pkcs12.h> 61#include <openssl/pkcs12.h>
62 62
63X509_SIG *PKCS8_encrypt(int pbe_nid, const EVP_CIPHER *cipher, 63X509_SIG *
64 const char *pass, int passlen, 64PKCS8_encrypt(int pbe_nid, const EVP_CIPHER *cipher, const char *pass,
65 unsigned char *salt, int saltlen, int iter, 65 int passlen, unsigned char *salt, int saltlen, int iter,
66 PKCS8_PRIV_KEY_INFO *p8inf) 66 PKCS8_PRIV_KEY_INFO *p8inf)
67{ 67{
68 X509_SIG *p8 = NULL; 68 X509_SIG *p8 = NULL;
69 X509_ALGOR *pbe; 69 X509_ALGOR *pbe;
@@ -73,25 +73,27 @@ X509_SIG *PKCS8_encrypt(int pbe_nid, const EVP_CIPHER *cipher,
73 goto err; 73 goto err;
74 } 74 }
75 75
76 if(pbe_nid == -1) pbe = PKCS5_pbe2_set(cipher, iter, salt, saltlen); 76 if (pbe_nid == -1)
77 else pbe = PKCS5_pbe_set(pbe_nid, iter, salt, saltlen); 77 pbe = PKCS5_pbe2_set(cipher, iter, salt, saltlen);
78 if(!pbe) { 78 else
79 pbe = PKCS5_pbe_set(pbe_nid, iter, salt, saltlen);
80 if (!pbe) {
79 PKCS12err(PKCS12_F_PKCS8_ENCRYPT, ERR_R_ASN1_LIB); 81 PKCS12err(PKCS12_F_PKCS8_ENCRYPT, ERR_R_ASN1_LIB);
80 goto err; 82 goto err;
81 } 83 }
82 X509_ALGOR_free(p8->algor); 84 X509_ALGOR_free(p8->algor);
83 p8->algor = pbe; 85 p8->algor = pbe;
84 M_ASN1_OCTET_STRING_free(p8->digest); 86 M_ASN1_OCTET_STRING_free(p8->digest);
85 p8->digest = PKCS12_item_i2d_encrypt(pbe, ASN1_ITEM_rptr(PKCS8_PRIV_KEY_INFO), 87 p8->digest = PKCS12_item_i2d_encrypt(pbe,
86 pass, passlen, p8inf, 1); 88 ASN1_ITEM_rptr(PKCS8_PRIV_KEY_INFO), pass, passlen, p8inf, 1);
87 if(!p8->digest) { 89 if (!p8->digest) {
88 PKCS12err(PKCS12_F_PKCS8_ENCRYPT, PKCS12_R_ENCRYPT_ERROR); 90 PKCS12err(PKCS12_F_PKCS8_ENCRYPT, PKCS12_R_ENCRYPT_ERROR);
89 goto err; 91 goto err;
90 } 92 }
91 93
92 return p8; 94 return p8;
93 95
94 err: 96err:
95 X509_SIG_free(p8); 97 X509_SIG_free(p8);
96 return NULL; 98 return NULL;
97} 99}
diff --git a/src/lib/libssl/src/crypto/pkcs12/p12_utl.c b/src/lib/libssl/src/crypto/pkcs12/p12_utl.c
index 372b94e412..618e6c699f 100644
--- a/src/lib/libssl/src/crypto/pkcs12/p12_utl.c
+++ b/src/lib/libssl/src/crypto/pkcs12/p12_utl.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: p12_utl.c,v 1.9 2014/06/12 15:49:30 deraadt Exp $ */ 1/* $OpenBSD: p12_utl.c,v 1.10 2014/07/08 09:24:53 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999. 3 * project 1999.
4 */ 4 */
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -62,81 +62,106 @@
62 62
63/* Cheap and nasty Unicode stuff */ 63/* Cheap and nasty Unicode stuff */
64 64
65unsigned char *OPENSSL_asc2uni(const char *asc, int asclen, unsigned char **uni, int *unilen) 65unsigned char *
66OPENSSL_asc2uni(const char *asc, int asclen, unsigned char **uni, int *unilen)
66{ 67{
67 int ulen, i; 68 int ulen, i;
68 unsigned char *unitmp; 69 unsigned char *unitmp;
69 if (asclen == -1) asclen = strlen(asc); 70
70 ulen = asclen*2 + 2; 71 if (asclen == -1)
71 if (!(unitmp = malloc(ulen))) return NULL; 72 asclen = strlen(asc);
72 for (i = 0; i < ulen - 2; i+=2) { 73 ulen = asclen * 2 + 2;
74 if (!(unitmp = malloc(ulen)))
75 return NULL;
76 for (i = 0; i < ulen - 2; i += 2) {
73 unitmp[i] = 0; 77 unitmp[i] = 0;
74 unitmp[i + 1] = asc[i>>1]; 78 unitmp[i + 1] = asc[i >> 1];
75 } 79 }
76 /* Make result double null terminated */ 80 /* Make result double null terminated */
77 unitmp[ulen - 2] = 0; 81 unitmp[ulen - 2] = 0;
78 unitmp[ulen - 1] = 0; 82 unitmp[ulen - 1] = 0;
79 if (unilen) *unilen = ulen; 83 if (unilen)
80 if (uni) *uni = unitmp; 84 *unilen = ulen;
85 if (uni)
86 *uni = unitmp;
81 return unitmp; 87 return unitmp;
82} 88}
83 89
84char *OPENSSL_uni2asc(unsigned char *uni, int unilen) 90char *
91OPENSSL_uni2asc(unsigned char *uni, int unilen)
85{ 92{
86 int asclen, i; 93 int asclen, i;
87 char *asctmp; 94 char *asctmp;
95
88 asclen = unilen / 2; 96 asclen = unilen / 2;
89 /* If no terminating zero allow for one */ 97 /* If no terminating zero allow for one */
90 if (!unilen || uni[unilen - 1]) asclen++; 98 if (!unilen || uni[unilen - 1])
99 asclen++;
91 uni++; 100 uni++;
92 if (!(asctmp = malloc(asclen))) return NULL; 101 if (!(asctmp = malloc(asclen)))
93 for (i = 0; i < unilen; i+=2) asctmp[i>>1] = uni[i]; 102 return NULL;
103 for (i = 0; i < unilen; i += 2)
104 asctmp[i >> 1] = uni[i];
94 asctmp[asclen - 1] = 0; 105 asctmp[asclen - 1] = 0;
95 return asctmp; 106 return asctmp;
96} 107}
97 108
98int i2d_PKCS12_bio(BIO *bp, PKCS12 *p12) 109int
110i2d_PKCS12_bio(BIO *bp, PKCS12 *p12)
99{ 111{
100 return ASN1_item_i2d_bio(ASN1_ITEM_rptr(PKCS12), bp, p12); 112 return ASN1_item_i2d_bio(ASN1_ITEM_rptr(PKCS12), bp, p12);
101} 113}
102 114
103int i2d_PKCS12_fp(FILE *fp, PKCS12 *p12) 115int
116i2d_PKCS12_fp(FILE *fp, PKCS12 *p12)
104{ 117{
105 return ASN1_item_i2d_fp(ASN1_ITEM_rptr(PKCS12), fp, p12); 118 return ASN1_item_i2d_fp(ASN1_ITEM_rptr(PKCS12), fp, p12);
106} 119}
107 120
108PKCS12 *d2i_PKCS12_bio(BIO *bp, PKCS12 **p12) 121PKCS12 *
122d2i_PKCS12_bio(BIO *bp, PKCS12 **p12)
109{ 123{
110 return ASN1_item_d2i_bio(ASN1_ITEM_rptr(PKCS12), bp, p12); 124 return ASN1_item_d2i_bio(ASN1_ITEM_rptr(PKCS12), bp, p12);
111} 125}
112PKCS12 *d2i_PKCS12_fp(FILE *fp, PKCS12 **p12) 126
127PKCS12 *
128d2i_PKCS12_fp(FILE *fp, PKCS12 **p12)
113{ 129{
114 return ASN1_item_d2i_fp(ASN1_ITEM_rptr(PKCS12), fp, p12); 130 return ASN1_item_d2i_fp(ASN1_ITEM_rptr(PKCS12), fp, p12);
115} 131}
116 132
117PKCS12_SAFEBAG *PKCS12_x5092certbag(X509 *x509) 133PKCS12_SAFEBAG *
134PKCS12_x5092certbag(X509 *x509)
118{ 135{
119 return PKCS12_item_pack_safebag(x509, ASN1_ITEM_rptr(X509), 136 return PKCS12_item_pack_safebag(x509, ASN1_ITEM_rptr(X509),
120 NID_x509Certificate, NID_certBag); 137 NID_x509Certificate, NID_certBag);
121} 138}
122 139
123PKCS12_SAFEBAG *PKCS12_x509crl2certbag(X509_CRL *crl) 140PKCS12_SAFEBAG *
141PKCS12_x509crl2certbag(X509_CRL *crl)
124{ 142{
125 return PKCS12_item_pack_safebag(crl, ASN1_ITEM_rptr(X509_CRL), 143 return PKCS12_item_pack_safebag(crl, ASN1_ITEM_rptr(X509_CRL),
126 NID_x509Crl, NID_crlBag); 144 NID_x509Crl, NID_crlBag);
127} 145}
128 146
129X509 *PKCS12_certbag2x509(PKCS12_SAFEBAG *bag) 147X509 *
148PKCS12_certbag2x509(PKCS12_SAFEBAG *bag)
130{ 149{
131 if(M_PKCS12_bag_type(bag) != NID_certBag) return NULL; 150 if (M_PKCS12_bag_type(bag) != NID_certBag)
132 if(M_PKCS12_cert_bag_type(bag) != NID_x509Certificate) return NULL; 151 return NULL;
133 return ASN1_item_unpack(bag->value.bag->value.octet, ASN1_ITEM_rptr(X509)); 152 if (M_PKCS12_cert_bag_type(bag) != NID_x509Certificate)
153 return NULL;
154 return ASN1_item_unpack(bag->value.bag->value.octet,
155 ASN1_ITEM_rptr(X509));
134} 156}
135 157
136X509_CRL *PKCS12_certbag2x509crl(PKCS12_SAFEBAG *bag) 158X509_CRL *
159PKCS12_certbag2x509crl(PKCS12_SAFEBAG *bag)
137{ 160{
138 if(M_PKCS12_bag_type(bag) != NID_crlBag) return NULL; 161 if (M_PKCS12_bag_type(bag) != NID_crlBag)
139 if(M_PKCS12_cert_bag_type(bag) != NID_x509Crl) return NULL; 162 return NULL;
163 if (M_PKCS12_cert_bag_type(bag) != NID_x509Crl)
164 return NULL;
140 return ASN1_item_unpack(bag->value.bag->value.octet, 165 return ASN1_item_unpack(bag->value.bag->value.octet,
141 ASN1_ITEM_rptr(X509_CRL)); 166 ASN1_ITEM_rptr(X509_CRL));
142} 167}
diff --git a/src/lib/libssl/src/crypto/pkcs12/pk12err.c b/src/lib/libssl/src/crypto/pkcs12/pk12err.c
index 5f54a7d062..12f418eb23 100644
--- a/src/lib/libssl/src/crypto/pkcs12/pk12err.c
+++ b/src/lib/libssl/src/crypto/pkcs12/pk12err.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: pk12err.c,v 1.8 2014/06/12 15:49:30 deraadt Exp $ */ 1/* $OpenBSD: pk12err.c,v 1.9 2014/07/08 09:24:53 jsing Exp $ */
2/* ==================================================================== 2/* ====================================================================
3 * Copyright (c) 1999-2006 The OpenSSL Project. All rights reserved. 3 * Copyright (c) 1999-2006 The OpenSSL Project. All rights reserved.
4 * 4 *
@@ -7,7 +7,7 @@
7 * are met: 7 * are met:
8 * 8 *
9 * 1. Redistributions of source code must retain the above copyright 9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer. 10 * notice, this list of conditions and the following disclaimer.
11 * 11 *
12 * 2. Redistributions in binary form must reproduce the above copyright 12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in 13 * notice, this list of conditions and the following disclaimer in
@@ -68,77 +68,74 @@
68#define ERR_FUNC(func) ERR_PACK(ERR_LIB_PKCS12,func,0) 68#define ERR_FUNC(func) ERR_PACK(ERR_LIB_PKCS12,func,0)
69#define ERR_REASON(reason) ERR_PACK(ERR_LIB_PKCS12,0,reason) 69#define ERR_REASON(reason) ERR_PACK(ERR_LIB_PKCS12,0,reason)
70 70
71static ERR_STRING_DATA PKCS12_str_functs[]= 71static ERR_STRING_DATA PKCS12_str_functs[]= {
72 { 72 {ERR_FUNC(PKCS12_F_PARSE_BAG), "PARSE_BAG"},
73{ERR_FUNC(PKCS12_F_PARSE_BAG), "PARSE_BAG"}, 73 {ERR_FUNC(PKCS12_F_PARSE_BAGS), "PARSE_BAGS"},
74{ERR_FUNC(PKCS12_F_PARSE_BAGS), "PARSE_BAGS"}, 74 {ERR_FUNC(PKCS12_F_PKCS12_ADD_FRIENDLYNAME), "PKCS12_ADD_FRIENDLYNAME"},
75{ERR_FUNC(PKCS12_F_PKCS12_ADD_FRIENDLYNAME), "PKCS12_ADD_FRIENDLYNAME"}, 75 {ERR_FUNC(PKCS12_F_PKCS12_ADD_FRIENDLYNAME_ASC), "PKCS12_add_friendlyname_asc"},
76{ERR_FUNC(PKCS12_F_PKCS12_ADD_FRIENDLYNAME_ASC), "PKCS12_add_friendlyname_asc"}, 76 {ERR_FUNC(PKCS12_F_PKCS12_ADD_FRIENDLYNAME_UNI), "PKCS12_add_friendlyname_uni"},
77{ERR_FUNC(PKCS12_F_PKCS12_ADD_FRIENDLYNAME_UNI), "PKCS12_add_friendlyname_uni"}, 77 {ERR_FUNC(PKCS12_F_PKCS12_ADD_LOCALKEYID), "PKCS12_add_localkeyid"},
78{ERR_FUNC(PKCS12_F_PKCS12_ADD_LOCALKEYID), "PKCS12_add_localkeyid"}, 78 {ERR_FUNC(PKCS12_F_PKCS12_CREATE), "PKCS12_create"},
79{ERR_FUNC(PKCS12_F_PKCS12_CREATE), "PKCS12_create"}, 79 {ERR_FUNC(PKCS12_F_PKCS12_GEN_MAC), "PKCS12_gen_mac"},
80{ERR_FUNC(PKCS12_F_PKCS12_GEN_MAC), "PKCS12_gen_mac"}, 80 {ERR_FUNC(PKCS12_F_PKCS12_INIT), "PKCS12_init"},
81{ERR_FUNC(PKCS12_F_PKCS12_INIT), "PKCS12_init"}, 81 {ERR_FUNC(PKCS12_F_PKCS12_ITEM_DECRYPT_D2I), "PKCS12_item_decrypt_d2i"},
82{ERR_FUNC(PKCS12_F_PKCS12_ITEM_DECRYPT_D2I), "PKCS12_item_decrypt_d2i"}, 82 {ERR_FUNC(PKCS12_F_PKCS12_ITEM_I2D_ENCRYPT), "PKCS12_item_i2d_encrypt"},
83{ERR_FUNC(PKCS12_F_PKCS12_ITEM_I2D_ENCRYPT), "PKCS12_item_i2d_encrypt"}, 83 {ERR_FUNC(PKCS12_F_PKCS12_ITEM_PACK_SAFEBAG), "PKCS12_item_pack_safebag"},
84{ERR_FUNC(PKCS12_F_PKCS12_ITEM_PACK_SAFEBAG), "PKCS12_item_pack_safebag"}, 84 {ERR_FUNC(PKCS12_F_PKCS12_KEY_GEN_ASC), "PKCS12_key_gen_asc"},
85{ERR_FUNC(PKCS12_F_PKCS12_KEY_GEN_ASC), "PKCS12_key_gen_asc"}, 85 {ERR_FUNC(PKCS12_F_PKCS12_KEY_GEN_UNI), "PKCS12_key_gen_uni"},
86{ERR_FUNC(PKCS12_F_PKCS12_KEY_GEN_UNI), "PKCS12_key_gen_uni"}, 86 {ERR_FUNC(PKCS12_F_PKCS12_MAKE_KEYBAG), "PKCS12_MAKE_KEYBAG"},
87{ERR_FUNC(PKCS12_F_PKCS12_MAKE_KEYBAG), "PKCS12_MAKE_KEYBAG"}, 87 {ERR_FUNC(PKCS12_F_PKCS12_MAKE_SHKEYBAG), "PKCS12_MAKE_SHKEYBAG"},
88{ERR_FUNC(PKCS12_F_PKCS12_MAKE_SHKEYBAG), "PKCS12_MAKE_SHKEYBAG"}, 88 {ERR_FUNC(PKCS12_F_PKCS12_NEWPASS), "PKCS12_newpass"},
89{ERR_FUNC(PKCS12_F_PKCS12_NEWPASS), "PKCS12_newpass"}, 89 {ERR_FUNC(PKCS12_F_PKCS12_PACK_P7DATA), "PKCS12_pack_p7data"},
90{ERR_FUNC(PKCS12_F_PKCS12_PACK_P7DATA), "PKCS12_pack_p7data"}, 90 {ERR_FUNC(PKCS12_F_PKCS12_PACK_P7ENCDATA), "PKCS12_pack_p7encdata"},
91{ERR_FUNC(PKCS12_F_PKCS12_PACK_P7ENCDATA), "PKCS12_pack_p7encdata"}, 91 {ERR_FUNC(PKCS12_F_PKCS12_PARSE), "PKCS12_parse"},
92{ERR_FUNC(PKCS12_F_PKCS12_PARSE), "PKCS12_parse"}, 92 {ERR_FUNC(PKCS12_F_PKCS12_PBE_CRYPT), "PKCS12_pbe_crypt"},
93{ERR_FUNC(PKCS12_F_PKCS12_PBE_CRYPT), "PKCS12_pbe_crypt"}, 93 {ERR_FUNC(PKCS12_F_PKCS12_PBE_KEYIVGEN), "PKCS12_PBE_keyivgen"},
94{ERR_FUNC(PKCS12_F_PKCS12_PBE_KEYIVGEN), "PKCS12_PBE_keyivgen"}, 94 {ERR_FUNC(PKCS12_F_PKCS12_SETUP_MAC), "PKCS12_setup_mac"},
95{ERR_FUNC(PKCS12_F_PKCS12_SETUP_MAC), "PKCS12_setup_mac"}, 95 {ERR_FUNC(PKCS12_F_PKCS12_SET_MAC), "PKCS12_set_mac"},
96{ERR_FUNC(PKCS12_F_PKCS12_SET_MAC), "PKCS12_set_mac"}, 96 {ERR_FUNC(PKCS12_F_PKCS12_UNPACK_AUTHSAFES), "PKCS12_unpack_authsafes"},
97{ERR_FUNC(PKCS12_F_PKCS12_UNPACK_AUTHSAFES), "PKCS12_unpack_authsafes"}, 97 {ERR_FUNC(PKCS12_F_PKCS12_UNPACK_P7DATA), "PKCS12_unpack_p7data"},
98{ERR_FUNC(PKCS12_F_PKCS12_UNPACK_P7DATA), "PKCS12_unpack_p7data"}, 98 {ERR_FUNC(PKCS12_F_PKCS12_VERIFY_MAC), "PKCS12_verify_mac"},
99{ERR_FUNC(PKCS12_F_PKCS12_VERIFY_MAC), "PKCS12_verify_mac"}, 99 {ERR_FUNC(PKCS12_F_PKCS8_ADD_KEYUSAGE), "PKCS8_add_keyusage"},
100{ERR_FUNC(PKCS12_F_PKCS8_ADD_KEYUSAGE), "PKCS8_add_keyusage"}, 100 {ERR_FUNC(PKCS12_F_PKCS8_ENCRYPT), "PKCS8_encrypt"},
101{ERR_FUNC(PKCS12_F_PKCS8_ENCRYPT), "PKCS8_encrypt"}, 101 {0, NULL}
102{0,NULL} 102};
103 };
104 103
105static ERR_STRING_DATA PKCS12_str_reasons[]= 104static ERR_STRING_DATA PKCS12_str_reasons[]= {
106 { 105 {ERR_REASON(PKCS12_R_CANT_PACK_STRUCTURE), "cant pack structure"},
107{ERR_REASON(PKCS12_R_CANT_PACK_STRUCTURE),"cant pack structure"}, 106 {ERR_REASON(PKCS12_R_CONTENT_TYPE_NOT_DATA), "content type not data"},
108{ERR_REASON(PKCS12_R_CONTENT_TYPE_NOT_DATA),"content type not data"}, 107 {ERR_REASON(PKCS12_R_DECODE_ERROR) , "decode error"},
109{ERR_REASON(PKCS12_R_DECODE_ERROR) ,"decode error"}, 108 {ERR_REASON(PKCS12_R_ENCODE_ERROR) , "encode error"},
110{ERR_REASON(PKCS12_R_ENCODE_ERROR) ,"encode error"}, 109 {ERR_REASON(PKCS12_R_ENCRYPT_ERROR) , "encrypt error"},
111{ERR_REASON(PKCS12_R_ENCRYPT_ERROR) ,"encrypt error"}, 110 {ERR_REASON(PKCS12_R_ERROR_SETTING_ENCRYPTED_DATA_TYPE), "error setting encrypted data type"},
112{ERR_REASON(PKCS12_R_ERROR_SETTING_ENCRYPTED_DATA_TYPE),"error setting encrypted data type"}, 111 {ERR_REASON(PKCS12_R_INVALID_NULL_ARGUMENT), "invalid null argument"},
113{ERR_REASON(PKCS12_R_INVALID_NULL_ARGUMENT),"invalid null argument"}, 112 {ERR_REASON(PKCS12_R_INVALID_NULL_PKCS12_POINTER), "invalid null pkcs12 pointer"},
114{ERR_REASON(PKCS12_R_INVALID_NULL_PKCS12_POINTER),"invalid null pkcs12 pointer"}, 113 {ERR_REASON(PKCS12_R_IV_GEN_ERROR) , "iv gen error"},
115{ERR_REASON(PKCS12_R_IV_GEN_ERROR) ,"iv gen error"}, 114 {ERR_REASON(PKCS12_R_KEY_GEN_ERROR) , "key gen error"},
116{ERR_REASON(PKCS12_R_KEY_GEN_ERROR) ,"key gen error"}, 115 {ERR_REASON(PKCS12_R_MAC_ABSENT) , "mac absent"},
117{ERR_REASON(PKCS12_R_MAC_ABSENT) ,"mac absent"}, 116 {ERR_REASON(PKCS12_R_MAC_GENERATION_ERROR), "mac generation error"},
118{ERR_REASON(PKCS12_R_MAC_GENERATION_ERROR),"mac generation error"}, 117 {ERR_REASON(PKCS12_R_MAC_SETUP_ERROR) , "mac setup error"},
119{ERR_REASON(PKCS12_R_MAC_SETUP_ERROR) ,"mac setup error"}, 118 {ERR_REASON(PKCS12_R_MAC_STRING_SET_ERROR), "mac string set error"},
120{ERR_REASON(PKCS12_R_MAC_STRING_SET_ERROR),"mac string set error"}, 119 {ERR_REASON(PKCS12_R_MAC_VERIFY_ERROR) , "mac verify error"},
121{ERR_REASON(PKCS12_R_MAC_VERIFY_ERROR) ,"mac verify error"}, 120 {ERR_REASON(PKCS12_R_MAC_VERIFY_FAILURE) , "mac verify failure"},
122{ERR_REASON(PKCS12_R_MAC_VERIFY_FAILURE) ,"mac verify failure"}, 121 {ERR_REASON(PKCS12_R_PARSE_ERROR) , "parse error"},
123{ERR_REASON(PKCS12_R_PARSE_ERROR) ,"parse error"}, 122 {ERR_REASON(PKCS12_R_PKCS12_ALGOR_CIPHERINIT_ERROR), "pkcs12 algor cipherinit error"},
124{ERR_REASON(PKCS12_R_PKCS12_ALGOR_CIPHERINIT_ERROR),"pkcs12 algor cipherinit error"}, 123 {ERR_REASON(PKCS12_R_PKCS12_CIPHERFINAL_ERROR), "pkcs12 cipherfinal error"},
125{ERR_REASON(PKCS12_R_PKCS12_CIPHERFINAL_ERROR),"pkcs12 cipherfinal error"}, 124 {ERR_REASON(PKCS12_R_PKCS12_PBE_CRYPT_ERROR), "pkcs12 pbe crypt error"},
126{ERR_REASON(PKCS12_R_PKCS12_PBE_CRYPT_ERROR),"pkcs12 pbe crypt error"}, 125 {ERR_REASON(PKCS12_R_UNKNOWN_DIGEST_ALGORITHM), "unknown digest algorithm"},
127{ERR_REASON(PKCS12_R_UNKNOWN_DIGEST_ALGORITHM),"unknown digest algorithm"}, 126 {ERR_REASON(PKCS12_R_UNSUPPORTED_PKCS12_MODE), "unsupported pkcs12 mode"},
128{ERR_REASON(PKCS12_R_UNSUPPORTED_PKCS12_MODE),"unsupported pkcs12 mode"}, 127 {0, NULL}
129{0,NULL} 128};
130 };
131 129
132#endif 130#endif
133 131
134void ERR_load_PKCS12_strings(void) 132void
135 { 133ERR_load_PKCS12_strings(void)
134{
136#ifndef OPENSSL_NO_ERR 135#ifndef OPENSSL_NO_ERR
137 136 if (ERR_func_error_string(PKCS12_str_functs[0].error) == NULL) {
138 if (ERR_func_error_string(PKCS12_str_functs[0].error) == NULL) 137 ERR_load_strings(0, PKCS12_str_functs);
139 { 138 ERR_load_strings(0, PKCS12_str_reasons);
140 ERR_load_strings(0,PKCS12_str_functs);
141 ERR_load_strings(0,PKCS12_str_reasons);
142 }
143#endif
144 } 139 }
140#endif
141}
diff --git a/src/lib/libssl/src/crypto/pkcs12/pkcs12.h b/src/lib/libssl/src/crypto/pkcs12/pkcs12.h
index 5e61e4086c..ead29fd717 100644
--- a/src/lib/libssl/src/crypto/pkcs12/pkcs12.h
+++ b/src/lib/libssl/src/crypto/pkcs12/pkcs12.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: pkcs12.h,v 1.12 2014/06/12 15:49:30 deraadt Exp $ */ 1/* $OpenBSD: pkcs12.h,v 1.13 2014/07/08 09:27:21 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999. 3 * project 1999.
4 */ 4 */
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -97,27 +97,27 @@ extern "C" {
97#define KEY_SIG 0x80 97#define KEY_SIG 0x80
98 98
99typedef struct { 99typedef struct {
100X509_SIG *dinfo; 100 X509_SIG *dinfo;
101ASN1_OCTET_STRING *salt; 101 ASN1_OCTET_STRING *salt;
102ASN1_INTEGER *iter; /* defaults to 1 */ 102 ASN1_INTEGER *iter; /* defaults to 1 */
103} PKCS12_MAC_DATA; 103} PKCS12_MAC_DATA;
104 104
105typedef struct { 105typedef struct {
106ASN1_INTEGER *version; 106 ASN1_INTEGER *version;
107PKCS12_MAC_DATA *mac; 107 PKCS12_MAC_DATA *mac;
108PKCS7 *authsafes; 108 PKCS7 *authsafes;
109} PKCS12; 109} PKCS12;
110 110
111typedef struct { 111typedef struct {
112ASN1_OBJECT *type; 112 ASN1_OBJECT *type;
113union { 113 union {
114 struct pkcs12_bag_st *bag; /* secret, crl and certbag */ 114 struct pkcs12_bag_st *bag; /* secret, crl and certbag */
115 struct pkcs8_priv_key_info_st *keybag; /* keybag */ 115 struct pkcs8_priv_key_info_st *keybag; /* keybag */
116 X509_SIG *shkeybag; /* shrouded key bag */ 116 X509_SIG *shkeybag; /* shrouded key bag */
117 STACK_OF(PKCS12_SAFEBAG) *safes; 117 STACK_OF(PKCS12_SAFEBAG) *safes;
118 ASN1_TYPE *other; 118 ASN1_TYPE *other;
119}value; 119 } value;
120STACK_OF(X509_ATTRIBUTE) *attrib; 120 STACK_OF(X509_ATTRIBUTE) *attrib;
121} PKCS12_SAFEBAG; 121} PKCS12_SAFEBAG;
122 122
123DECLARE_STACK_OF(PKCS12_SAFEBAG) 123DECLARE_STACK_OF(PKCS12_SAFEBAG)
@@ -125,14 +125,14 @@ DECLARE_ASN1_SET_OF(PKCS12_SAFEBAG)
125DECLARE_PKCS12_STACK_OF(PKCS12_SAFEBAG) 125DECLARE_PKCS12_STACK_OF(PKCS12_SAFEBAG)
126 126
127typedef struct pkcs12_bag_st { 127typedef struct pkcs12_bag_st {
128ASN1_OBJECT *type; 128 ASN1_OBJECT *type;
129union { 129 union {
130 ASN1_OCTET_STRING *x509cert; 130 ASN1_OCTET_STRING *x509cert;
131 ASN1_OCTET_STRING *x509crl; 131 ASN1_OCTET_STRING *x509crl;
132 ASN1_OCTET_STRING *octet; 132 ASN1_OCTET_STRING *octet;
133 ASN1_IA5STRING *sdsicert; 133 ASN1_IA5STRING *sdsicert;
134 ASN1_TYPE *other; /* Secret or other bag */ 134 ASN1_TYPE *other; /* Secret or other bag */
135}value; 135 } value;
136} PKCS12_BAGS; 136} PKCS12_BAGS;
137 137
138#define PKCS12_ERROR 0 138#define PKCS12_ERROR 0
@@ -144,7 +144,7 @@ union {
144#define M_PKCS12_x509crl2certbag PKCS12_x509crl2certbag 144#define M_PKCS12_x509crl2certbag PKCS12_x509crl2certbag
145 145
146#define M_PKCS12_certbag2x509 PKCS12_certbag2x509 146#define M_PKCS12_certbag2x509 PKCS12_certbag2x509
147#define M_PKCS12_certbag2x509crl PKCS12_certbag2x509crl 147#define M_PKCS12_certbag2x509crl PKCS12_certbag2x509crl
148 148
149#define M_PKCS12_unpack_p7data PKCS12_unpack_p7data 149#define M_PKCS12_unpack_p7data PKCS12_unpack_p7data
150#define M_PKCS12_pack_authsafes PKCS12_pack_authsafes 150#define M_PKCS12_pack_authsafes PKCS12_pack_authsafes
@@ -172,65 +172,66 @@ PKCS12_SAFEBAG *PKCS12_x509crl2certbag(X509_CRL *crl);
172X509 *PKCS12_certbag2x509(PKCS12_SAFEBAG *bag); 172X509 *PKCS12_certbag2x509(PKCS12_SAFEBAG *bag);
173X509_CRL *PKCS12_certbag2x509crl(PKCS12_SAFEBAG *bag); 173X509_CRL *PKCS12_certbag2x509crl(PKCS12_SAFEBAG *bag);
174 174
175PKCS12_SAFEBAG *PKCS12_item_pack_safebag(void *obj, const ASN1_ITEM *it, int nid1, 175PKCS12_SAFEBAG *PKCS12_item_pack_safebag(void *obj, const ASN1_ITEM *it,
176 int nid2); 176 int nid1, int nid2);
177PKCS12_SAFEBAG *PKCS12_MAKE_KEYBAG(PKCS8_PRIV_KEY_INFO *p8); 177PKCS12_SAFEBAG *PKCS12_MAKE_KEYBAG(PKCS8_PRIV_KEY_INFO *p8);
178PKCS8_PRIV_KEY_INFO *PKCS8_decrypt(X509_SIG *p8, const char *pass, int passlen); 178PKCS8_PRIV_KEY_INFO *PKCS8_decrypt(X509_SIG *p8, const char *pass, int passlen);
179PKCS8_PRIV_KEY_INFO *PKCS12_decrypt_skey(PKCS12_SAFEBAG *bag, const char *pass, 179PKCS8_PRIV_KEY_INFO *PKCS12_decrypt_skey(PKCS12_SAFEBAG *bag, const char *pass,
180 int passlen); 180 int passlen);
181X509_SIG *PKCS8_encrypt(int pbe_nid, const EVP_CIPHER *cipher, 181X509_SIG *PKCS8_encrypt(int pbe_nid, const EVP_CIPHER *cipher,
182 const char *pass, int passlen, 182 const char *pass, int passlen, unsigned char *salt, int saltlen, int iter,
183 unsigned char *salt, int saltlen, int iter, 183 PKCS8_PRIV_KEY_INFO *p8);
184 PKCS8_PRIV_KEY_INFO *p8);
185PKCS12_SAFEBAG *PKCS12_MAKE_SHKEYBAG(int pbe_nid, const char *pass, 184PKCS12_SAFEBAG *PKCS12_MAKE_SHKEYBAG(int pbe_nid, const char *pass,
186 int passlen, unsigned char *salt, 185 int passlen, unsigned char *salt, int saltlen, int iter,
187 int saltlen, int iter, 186 PKCS8_PRIV_KEY_INFO *p8);
188 PKCS8_PRIV_KEY_INFO *p8);
189PKCS7 *PKCS12_pack_p7data(STACK_OF(PKCS12_SAFEBAG) *sk); 187PKCS7 *PKCS12_pack_p7data(STACK_OF(PKCS12_SAFEBAG) *sk);
190STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7data(PKCS7 *p7); 188STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7data(PKCS7 *p7);
191PKCS7 *PKCS12_pack_p7encdata(int pbe_nid, const char *pass, int passlen, 189PKCS7 *PKCS12_pack_p7encdata(int pbe_nid, const char *pass, int passlen,
192 unsigned char *salt, int saltlen, int iter, 190 unsigned char *salt, int saltlen, int iter, STACK_OF(PKCS12_SAFEBAG) *bags);
193 STACK_OF(PKCS12_SAFEBAG) *bags); 191STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7encdata(PKCS7 *p7, const char *pass,
194STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7encdata(PKCS7 *p7, const char *pass, int passlen); 192 int passlen);
195 193
196int PKCS12_pack_authsafes(PKCS12 *p12, STACK_OF(PKCS7) *safes); 194int PKCS12_pack_authsafes(PKCS12 *p12, STACK_OF(PKCS7) *safes);
197STACK_OF(PKCS7) *PKCS12_unpack_authsafes(PKCS12 *p12); 195STACK_OF(PKCS7) *PKCS12_unpack_authsafes(PKCS12 *p12);
198 196
199int PKCS12_add_localkeyid(PKCS12_SAFEBAG *bag, unsigned char *name, int namelen); 197int PKCS12_add_localkeyid(PKCS12_SAFEBAG *bag, unsigned char *name,
198 int namelen);
200int PKCS12_add_friendlyname_asc(PKCS12_SAFEBAG *bag, const char *name, 199int PKCS12_add_friendlyname_asc(PKCS12_SAFEBAG *bag, const char *name,
201 int namelen); 200 int namelen);
202int PKCS12_add_CSPName_asc(PKCS12_SAFEBAG *bag, const char *name, 201int PKCS12_add_CSPName_asc(PKCS12_SAFEBAG *bag, const char *name,
203 int namelen); 202 int namelen);
204int PKCS12_add_friendlyname_uni(PKCS12_SAFEBAG *bag, const unsigned char *name, 203int PKCS12_add_friendlyname_uni(PKCS12_SAFEBAG *bag, const unsigned char *name,
205 int namelen); 204 int namelen);
206int PKCS8_add_keyusage(PKCS8_PRIV_KEY_INFO *p8, int usage); 205int PKCS8_add_keyusage(PKCS8_PRIV_KEY_INFO *p8, int usage);
207ASN1_TYPE *PKCS12_get_attr_gen(STACK_OF(X509_ATTRIBUTE) *attrs, int attr_nid); 206ASN1_TYPE *PKCS12_get_attr_gen(STACK_OF(X509_ATTRIBUTE) *attrs, int attr_nid);
208char *PKCS12_get_friendlyname(PKCS12_SAFEBAG *bag); 207char *PKCS12_get_friendlyname(PKCS12_SAFEBAG *bag);
209unsigned char *PKCS12_pbe_crypt(X509_ALGOR *algor, const char *pass, 208unsigned char *PKCS12_pbe_crypt(X509_ALGOR *algor, const char *pass,
210 int passlen, unsigned char *in, int inlen, 209 int passlen, unsigned char *in, int inlen, unsigned char **data,
211 unsigned char **data, int *datalen, int en_de); 210 int *datalen, int en_de);
212void * PKCS12_item_decrypt_d2i(X509_ALGOR *algor, const ASN1_ITEM *it, 211void * PKCS12_item_decrypt_d2i(X509_ALGOR *algor, const ASN1_ITEM *it,
213 const char *pass, int passlen, ASN1_OCTET_STRING *oct, int zbuf); 212 const char *pass, int passlen, ASN1_OCTET_STRING *oct, int zbuf);
214ASN1_OCTET_STRING *PKCS12_item_i2d_encrypt(X509_ALGOR *algor, const ASN1_ITEM *it, 213ASN1_OCTET_STRING *PKCS12_item_i2d_encrypt(X509_ALGOR *algor,
215 const char *pass, int passlen, 214 const ASN1_ITEM *it, const char *pass, int passlen, void *obj, int zbuf);
216 void *obj, int zbuf);
217PKCS12 *PKCS12_init(int mode); 215PKCS12 *PKCS12_init(int mode);
218int PKCS12_key_gen_asc(const char *pass, int passlen, unsigned char *salt, 216int PKCS12_key_gen_asc(const char *pass, int passlen, unsigned char *salt,
219 int saltlen, int id, int iter, int n, 217 int saltlen, int id, int iter, int n, unsigned char *out,
220 unsigned char *out, const EVP_MD *md_type); 218 const EVP_MD *md_type);
221int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt, int saltlen, int id, int iter, int n, unsigned char *out, const EVP_MD *md_type); 219int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt,
220 int saltlen, int id, int iter, int n, unsigned char *out,
221 const EVP_MD *md_type);
222int PKCS12_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen, 222int PKCS12_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
223 ASN1_TYPE *param, const EVP_CIPHER *cipher, const EVP_MD *md_type, 223 ASN1_TYPE *param, const EVP_CIPHER *cipher, const EVP_MD *md_type,
224 int en_de); 224 int en_de);
225int PKCS12_gen_mac(PKCS12 *p12, const char *pass, int passlen, 225int PKCS12_gen_mac(PKCS12 *p12, const char *pass, int passlen,
226 unsigned char *mac, unsigned int *maclen); 226 unsigned char *mac, unsigned int *maclen);
227int PKCS12_verify_mac(PKCS12 *p12, const char *pass, int passlen); 227int PKCS12_verify_mac(PKCS12 *p12, const char *pass, int passlen);
228int PKCS12_set_mac(PKCS12 *p12, const char *pass, int passlen, 228int PKCS12_set_mac(PKCS12 *p12, const char *pass, int passlen,
229 unsigned char *salt, int saltlen, int iter, 229 unsigned char *salt, int saltlen, int iter,
230 const EVP_MD *md_type); 230 const EVP_MD *md_type);
231int PKCS12_setup_mac(PKCS12 *p12, int iter, unsigned char *salt, 231int PKCS12_setup_mac(PKCS12 *p12, int iter, unsigned char *salt,
232 int saltlen, const EVP_MD *md_type); 232 int saltlen, const EVP_MD *md_type);
233unsigned char *OPENSSL_asc2uni(const char *asc, int asclen, unsigned char **uni, int *unilen); 233unsigned char *OPENSSL_asc2uni(const char *asc, int asclen,
234 unsigned char **uni, int *unilen);
234char *OPENSSL_uni2asc(unsigned char *uni, int unilen); 235char *OPENSSL_uni2asc(unsigned char *uni, int unilen);
235 236
236DECLARE_ASN1_FUNCTIONS(PKCS12) 237DECLARE_ASN1_FUNCTIONS(PKCS12)
@@ -243,17 +244,16 @@ DECLARE_ASN1_ITEM(PKCS12_AUTHSAFES)
243 244
244void PKCS12_PBE_add(void); 245void PKCS12_PBE_add(void);
245int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert, 246int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert,
246 STACK_OF(X509) **ca); 247 STACK_OF(X509) **ca);
247PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert, 248PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert,
248 STACK_OF(X509) *ca, int nid_key, int nid_cert, int iter, 249 STACK_OF(X509) *ca, int nid_key, int nid_cert, int iter,
249 int mac_iter, int keytype); 250 int mac_iter, int keytype);
250 251
251PKCS12_SAFEBAG *PKCS12_add_cert(STACK_OF(PKCS12_SAFEBAG) **pbags, X509 *cert); 252PKCS12_SAFEBAG *PKCS12_add_cert(STACK_OF(PKCS12_SAFEBAG) **pbags, X509 *cert);
252PKCS12_SAFEBAG *PKCS12_add_key(STACK_OF(PKCS12_SAFEBAG) **pbags, EVP_PKEY *key, 253PKCS12_SAFEBAG *PKCS12_add_key(STACK_OF(PKCS12_SAFEBAG) **pbags, EVP_PKEY *key,
253 int key_usage, int iter, 254 int key_usage, int iter, int key_nid, char *pass);
254 int key_nid, char *pass);
255int PKCS12_add_safe(STACK_OF(PKCS7) **psafes, STACK_OF(PKCS12_SAFEBAG) *bags, 255int PKCS12_add_safe(STACK_OF(PKCS7) **psafes, STACK_OF(PKCS12_SAFEBAG) *bags,
256 int safe_nid, int iter, char *pass); 256 int safe_nid, int iter, char *pass);
257PKCS12 *PKCS12_add_safes(STACK_OF(PKCS7) *safes, int p7_nid); 257PKCS12 *PKCS12_add_safes(STACK_OF(PKCS7) *safes, int p7_nid);
258 258
259int i2d_PKCS12_bio(BIO *bp, PKCS12 *p12); 259int i2d_PKCS12_bio(BIO *bp, PKCS12 *p12);
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-20 12:24:50 +0000