1 files changed, 44 insertions, 179 deletions
diff --git a/src/lib/libcrypto/asn1/x_req.c b/src/lib/libcrypto/asn1/x_req.c
index ff0be13d37..b3f18ebc12 100644
--- a/src/lib/libcrypto/asn1/x_req.c
+++ b/src/lib/libcrypto/asn1/x_req.c
@@ -58,190 +58,55 @@
 #include <stdio.h>
 #include "cryptlib.h"
-#include "asn1_mac.h"
+#include <openssl/asn1t.h>
-#include "x509.h"
+#include <openssl/x509.h>
-/*
+/* X509_REQ_INFO is handled in an unusual way to get round
- * ASN1err(ASN1_F_D2I_X509_REQ,ASN1_R_LENGTH_MISMATCH);
+ * invalid encodings. Some broken certificate requests don't
- * ASN1err(ASN1_F_D2I_X509_REQ_INFO,ASN1_R_LENGTH_MISMATCH);
+ * encode the attributes field if it is empty. This is in
- * ASN1err(ASN1_F_X509_REQ_NEW,ASN1_R_LENGTH_MISMATCH);
+ * violation of PKCS#10 but we need to tolerate it. We do
- * ASN1err(ASN1_F_X509_REQ_INFO_NEW,ASN1_R_LENGTH_MISMATCH);
+ * this by making the attributes field OPTIONAL then using
+ * the callback to initialise it to an empty STACK. 
+ *
+ * This means that the field will be correctly encoded unless
+ * we NULL out the field.
+ *
+ * As a result we no longer need the req_kludge field because
+ * the information is now contained in the attributes field:
+ * 1. If it is NULL then it's the invalid omission.
+ * 2. If it is empty it is the correct encoding.
+ * 3. If it is not empty then some attributes are present.
+ *
 */
-int i2d_X509_REQ_INFO(a,pp)
+static int rinf_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it)
-X509_REQ_INFO *a;
+{
-unsigned char **pp;
+        X509_REQ_INFO *rinf = (X509_REQ_INFO *)*pval;
-        {
-        M_ASN1_I2D_vars(a);
-        M_ASN1_I2D_len(a->version,              i2d_ASN1_INTEGER);
-        M_ASN1_I2D_len(a->subject,              i2d_X509_NAME);
-        M_ASN1_I2D_len(a->pubkey,               i2d_X509_PUBKEY);
-        /* this is a *nasty* hack reported to be required to
-         * allow some CA Software to accept the cert request.
-         * It is not following the PKCS standards ...
-         * PKCS#10 pg 5
-         * attributes [0] IMPLICIT Attibutes
-         * NOTE: no OPTIONAL ... so it *must* be there
-         */
-        if (a->req_kludge) 
-                {
-                M_ASN1_I2D_len_IMP_set_opt(a->attributes,i2d_X509_ATTRIBUTE,0);
-                }
-        else
-                {
-                M_ASN1_I2D_len_IMP_set(a->attributes,   i2d_X509_ATTRIBUTE,0);
-                }
-        
-        M_ASN1_I2D_seq_total();
-        M_ASN1_I2D_put(a->version,              i2d_ASN1_INTEGER);
-        M_ASN1_I2D_put(a->subject,              i2d_X509_NAME);
-        M_ASN1_I2D_put(a->pubkey,               i2d_X509_PUBKEY);
-        /* this is a *nasty* hack reported to be required by some CA's.
-         * It is not following the PKCS standards ...
-         * PKCS#10 pg 5
-         * attributes [0] IMPLICIT Attibutes
-         * NOTE: no OPTIONAL ... so it *must* be there
-         */
-        if (a->req_kludge)
-                {
-                M_ASN1_I2D_put_IMP_set_opt(a->attributes,i2d_X509_ATTRIBUTE,0);
-                }
-        else
-                {
-                M_ASN1_I2D_put_IMP_set(a->attributes,i2d_X509_ATTRIBUTE,0);
-                }
-        M_ASN1_I2D_finish();
+        if(operation == ASN1_OP_NEW_POST) {
+                rinf->attributes = sk_X509_ATTRIBUTE_new_null();
+                if(!rinf->attributes) return 0;
        }
+        return 1;
-X509_REQ_INFO *d2i_X509_REQ_INFO(a,pp,length)
+}
-X509_REQ_INFO **a;
-unsigned char **pp;
+ASN1_SEQUENCE_enc(X509_REQ_INFO, enc, rinf_cb) = {
-long length;
+        ASN1_SIMPLE(X509_REQ_INFO, version, ASN1_INTEGER),
-        {
+        ASN1_SIMPLE(X509_REQ_INFO, subject, X509_NAME),
-        M_ASN1_D2I_vars(a,X509_REQ_INFO *,X509_REQ_INFO_new);
+        ASN1_SIMPLE(X509_REQ_INFO, pubkey, X509_PUBKEY),
+        /* This isn't really OPTIONAL but it gets round invalid
-        M_ASN1_D2I_Init();
+         * encodings
-        M_ASN1_D2I_start_sequence();
-        M_ASN1_D2I_get(ret->version,d2i_ASN1_INTEGER);
-        M_ASN1_D2I_get(ret->subject,d2i_X509_NAME);
-        M_ASN1_D2I_get(ret->pubkey,d2i_X509_PUBKEY);
-        /* this is a *nasty* hack to allow for some CA's that
-         * have been reported as requiring it.
-         * It is not following the PKCS standards ...
-         * PKCS#10 pg 5
-         * attributes [0] IMPLICIT Attibutes
-         * NOTE: no OPTIONAL ... so it *must* be there
         */
-        if (asn1_Finish(&c))
+        ASN1_IMP_SET_OF_OPT(X509_REQ_INFO, attributes, X509_ATTRIBUTE, 0)
-                ret->req_kludge=1;
+} ASN1_SEQUENCE_END_enc(X509_REQ_INFO, X509_REQ_INFO)
-        else
-                {
-                M_ASN1_D2I_get_IMP_set(ret->attributes,d2i_X509_ATTRIBUTE,0);
-                }
-        M_ASN1_D2I_Finish(a,X509_REQ_INFO_free,ASN1_F_D2I_X509_REQ_INFO);
-        }
-X509_REQ_INFO *X509_REQ_INFO_new()
-        {
-        X509_REQ_INFO *ret=NULL;
-        M_ASN1_New_Malloc(ret,X509_REQ_INFO);
+IMPLEMENT_ASN1_FUNCTIONS(X509_REQ_INFO)
-        M_ASN1_New(ret->version,ASN1_INTEGER_new);
-        M_ASN1_New(ret->subject,X509_NAME_new);
-        M_ASN1_New(ret->pubkey,X509_PUBKEY_new);
-        M_ASN1_New(ret->attributes,sk_new_null);
-        ret->req_kludge=0;
-        return(ret);
-        M_ASN1_New_Error(ASN1_F_X509_REQ_INFO_NEW);
-        }
-        
-void X509_REQ_INFO_free(a)
-X509_REQ_INFO *a;
-        {
-        if (a == NULL) return;
-        ASN1_INTEGER_free(a->version);
-        X509_NAME_free(a->subject);
-        X509_PUBKEY_free(a->pubkey);
-        sk_pop_free(a->attributes,X509_ATTRIBUTE_free);
-        Free((char *)a);
-        }
-int i2d_X509_REQ(a,pp)
-X509_REQ *a;
-unsigned char **pp;
-        {
-        M_ASN1_I2D_vars(a);
-        M_ASN1_I2D_len(a->req_info,     i2d_X509_REQ_INFO);
-        M_ASN1_I2D_len(a->sig_alg,      i2d_X509_ALGOR);
-        M_ASN1_I2D_len(a->signature,    i2d_ASN1_BIT_STRING);
-        M_ASN1_I2D_seq_total();
-        M_ASN1_I2D_put(a->req_info,     i2d_X509_REQ_INFO);
-        M_ASN1_I2D_put(a->sig_alg,      i2d_X509_ALGOR);
-        M_ASN1_I2D_put(a->signature,    i2d_ASN1_BIT_STRING);
-        M_ASN1_I2D_finish();
-        }
-X509_REQ *d2i_X509_REQ(a,pp,length)
-X509_REQ **a;
-unsigned char **pp;
-long length;
-        {
-        M_ASN1_D2I_vars(a,X509_REQ *,X509_REQ_new);
-        M_ASN1_D2I_Init();
-        M_ASN1_D2I_start_sequence();
-        M_ASN1_D2I_get(ret->req_info,d2i_X509_REQ_INFO);
-        M_ASN1_D2I_get(ret->sig_alg,d2i_X509_ALGOR);
-        M_ASN1_D2I_get(ret->signature,d2i_ASN1_BIT_STRING);
-        M_ASN1_D2I_Finish(a,X509_REQ_free,ASN1_F_D2I_X509_REQ);
-        }
-X509_REQ *X509_REQ_new()
-        {
-        X509_REQ *ret=NULL;
-        M_ASN1_New_Malloc(ret,X509_REQ);
-        ret->references=1;
-        M_ASN1_New(ret->req_info,X509_REQ_INFO_new);
-        M_ASN1_New(ret->sig_alg,X509_ALGOR_new);
-        M_ASN1_New(ret->signature,ASN1_BIT_STRING_new);
-        return(ret);
-        M_ASN1_New_Error(ASN1_F_X509_REQ_NEW);
-        }
-void X509_REQ_free(a)
-X509_REQ *a;
-        {
-        int i;
-        if (a == NULL) return;
-        i=CRYPTO_add(&a->references,-1,CRYPTO_LOCK_X509_REQ);
-#ifdef REF_PRINT
-        REF_PRINT("X509_REQ",a);
-#endif
-        if (i > 0) return;
-#ifdef REF_CHECK
-        if (i < 0)
-                {
-                fprintf(stderr,"X509_REQ_free, bad reference count\n");
-                abort();
-                }
-#endif
-        X509_REQ_INFO_free(a->req_info);
-        X509_ALGOR_free(a->sig_alg);
-        ASN1_BIT_STRING_free(a->signature);
-        Free((char *)a);
-        }
+ASN1_SEQUENCE_ref(X509_REQ, 0, CRYPTO_LOCK_X509_INFO) = {
+        ASN1_SIMPLE(X509_REQ, req_info, X509_REQ_INFO),
+        ASN1_SIMPLE(X509_REQ, sig_alg, X509_ALGOR),
+        ASN1_SIMPLE(X509_REQ, signature, ASN1_BIT_STRING)
+} ASN1_SEQUENCE_END_ref(X509_REQ, X509_REQ)
+IMPLEMENT_ASN1_FUNCTIONS(X509_REQ)
+IMPLEMENT_ASN1_DUP_FUNCTION(X509_REQ)

diff --git a/src/lib/libcrypto/asn1/x_req.c b/src/lib/libcrypto/asn1/x_req.c index ff0be13d37..b3f18ebc12 100644 --- a/src/lib/libcrypto/asn1/x_req.c +++ b/src/lib/libcrypto/asn1/x_req.c
@@ -58,190 +58,55 @@
58		58
59	#include <stdio.h>	59	#include <stdio.h>
60	#include "cryptlib.h"	60	#include "cryptlib.h"
61	#include "asn1_mac.h"	61	#include <openssl/asn1t.h>
62	#include "x509.h"	62	#include <openssl/x509.h>
63		63
64	/*	64	/* X509_REQ_INFO is handled in an unusual way to get round
65	* ASN1err(ASN1_F_D2I_X509_REQ,ASN1_R_LENGTH_MISMATCH);	65	* invalid encodings. Some broken certificate requests don't
66	* ASN1err(ASN1_F_D2I_X509_REQ_INFO,ASN1_R_LENGTH_MISMATCH);	66	* encode the attributes field if it is empty. This is in
67	* ASN1err(ASN1_F_X509_REQ_NEW,ASN1_R_LENGTH_MISMATCH);	67	* violation of PKCS#10 but we need to tolerate it. We do
68	* ASN1err(ASN1_F_X509_REQ_INFO_NEW,ASN1_R_LENGTH_MISMATCH);	68	* this by making the attributes field OPTIONAL then using
		69	* the callback to initialise it to an empty STACK.
		70	*
		71	* This means that the field will be correctly encoded unless
		72	* we NULL out the field.
		73	*
		74	* As a result we no longer need the req_kludge field because
		75	* the information is now contained in the attributes field:
		76	* 1. If it is NULL then it's the invalid omission.
		77	* 2. If it is empty it is the correct encoding.
		78	* 3. If it is not empty then some attributes are present.
		79	*
69	*/	80	*/
70		81
71	int i2d_X509_REQ_INFO(a,pp)	82	static int rinf_cb(int operation, ASN1_VALUE *pval, const ASN1_ITEM it)
72	X509_REQ_INFO *a;	83	{
73	unsigned char **pp;	84	X509_REQ_INFO rinf = (X509_REQ_INFO )*pval;
74	{
75	M_ASN1_I2D_vars(a);
76
77	M_ASN1_I2D_len(a->version, i2d_ASN1_INTEGER);
78	M_ASN1_I2D_len(a->subject, i2d_X509_NAME);
79	M_ASN1_I2D_len(a->pubkey, i2d_X509_PUBKEY);
80
81	/* this is a nasty hack reported to be required to
82	* allow some CA Software to accept the cert request.
83	* It is not following the PKCS standards ...
84	* PKCS#10 pg 5
85	* attributes [0] IMPLICIT Attibutes
86	* NOTE: no OPTIONAL ... so it must be there
87	*/
88	if (a->req_kludge)
89	{
90	M_ASN1_I2D_len_IMP_set_opt(a->attributes,i2d_X509_ATTRIBUTE,0);
91	}
92	else
93	{
94	M_ASN1_I2D_len_IMP_set(a->attributes, i2d_X509_ATTRIBUTE,0);
95	}
96
97	M_ASN1_I2D_seq_total();
98	M_ASN1_I2D_put(a->version, i2d_ASN1_INTEGER);
99	M_ASN1_I2D_put(a->subject, i2d_X509_NAME);
100	M_ASN1_I2D_put(a->pubkey, i2d_X509_PUBKEY);
101
102	/* this is a nasty hack reported to be required by some CA's.
103	* It is not following the PKCS standards ...
104	* PKCS#10 pg 5
105	* attributes [0] IMPLICIT Attibutes
106	* NOTE: no OPTIONAL ... so it must be there
107	*/
108	if (a->req_kludge)
109	{
110	M_ASN1_I2D_put_IMP_set_opt(a->attributes,i2d_X509_ATTRIBUTE,0);
111	}
112	else
113	{
114	M_ASN1_I2D_put_IMP_set(a->attributes,i2d_X509_ATTRIBUTE,0);
115	}
116		85
117	M_ASN1_I2D_finish();	86	if(operation == ASN1_OP_NEW_POST) {
		87	rinf->attributes = sk_X509_ATTRIBUTE_new_null();
		88	if(!rinf->attributes) return 0;
118	}	89	}
119		90	return 1;
120	X509_REQ_INFO *d2i_X509_REQ_INFO(a,pp,length)	91	}
121	X509_REQ_INFO **a;	92
122	unsigned char **pp;	93	ASN1_SEQUENCE_enc(X509_REQ_INFO, enc, rinf_cb) = {
123	long length;	94	ASN1_SIMPLE(X509_REQ_INFO, version, ASN1_INTEGER),
124	{	95	ASN1_SIMPLE(X509_REQ_INFO, subject, X509_NAME),
125	M_ASN1_D2I_vars(a,X509_REQ_INFO *,X509_REQ_INFO_new);	96	ASN1_SIMPLE(X509_REQ_INFO, pubkey, X509_PUBKEY),
126		97	/* This isn't really OPTIONAL but it gets round invalid
127	M_ASN1_D2I_Init();	98	* encodings
128	M_ASN1_D2I_start_sequence();
129	M_ASN1_D2I_get(ret->version,d2i_ASN1_INTEGER);
130	M_ASN1_D2I_get(ret->subject,d2i_X509_NAME);
131	M_ASN1_D2I_get(ret->pubkey,d2i_X509_PUBKEY);
132
133	/* this is a nasty hack to allow for some CA's that
134	* have been reported as requiring it.
135	* It is not following the PKCS standards ...
136	* PKCS#10 pg 5
137	* attributes [0] IMPLICIT Attibutes
138	* NOTE: no OPTIONAL ... so it must be there
139	*/	99	*/
140	if (asn1_Finish(&c))	100	ASN1_IMP_SET_OF_OPT(X509_REQ_INFO, attributes, X509_ATTRIBUTE, 0)
141	ret->req_kludge=1;	101	} ASN1_SEQUENCE_END_enc(X509_REQ_INFO, X509_REQ_INFO)
142	else
143	{
144	M_ASN1_D2I_get_IMP_set(ret->attributes,d2i_X509_ATTRIBUTE,0);
145	}
146
147	M_ASN1_D2I_Finish(a,X509_REQ_INFO_free,ASN1_F_D2I_X509_REQ_INFO);
148	}
149
150	X509_REQ_INFO *X509_REQ_INFO_new()
151	{
152	X509_REQ_INFO *ret=NULL;
153		102
154	M_ASN1_New_Malloc(ret,X509_REQ_INFO);	103	IMPLEMENT_ASN1_FUNCTIONS(X509_REQ_INFO)
155	M_ASN1_New(ret->version,ASN1_INTEGER_new);
156	M_ASN1_New(ret->subject,X509_NAME_new);
157	M_ASN1_New(ret->pubkey,X509_PUBKEY_new);
158	M_ASN1_New(ret->attributes,sk_new_null);
159	ret->req_kludge=0;
160	return(ret);
161	M_ASN1_New_Error(ASN1_F_X509_REQ_INFO_NEW);
162	}
163
164	void X509_REQ_INFO_free(a)
165	X509_REQ_INFO *a;
166	{
167	if (a == NULL) return;
168	ASN1_INTEGER_free(a->version);
169	X509_NAME_free(a->subject);
170	X509_PUBKEY_free(a->pubkey);
171	sk_pop_free(a->attributes,X509_ATTRIBUTE_free);
172	Free((char *)a);
173	}
174
175	int i2d_X509_REQ(a,pp)
176	X509_REQ *a;
177	unsigned char **pp;
178	{
179	M_ASN1_I2D_vars(a);
180	M_ASN1_I2D_len(a->req_info, i2d_X509_REQ_INFO);
181	M_ASN1_I2D_len(a->sig_alg, i2d_X509_ALGOR);
182	M_ASN1_I2D_len(a->signature, i2d_ASN1_BIT_STRING);
183
184	M_ASN1_I2D_seq_total();
185
186	M_ASN1_I2D_put(a->req_info, i2d_X509_REQ_INFO);
187	M_ASN1_I2D_put(a->sig_alg, i2d_X509_ALGOR);
188	M_ASN1_I2D_put(a->signature, i2d_ASN1_BIT_STRING);
189
190	M_ASN1_I2D_finish();
191	}
192
193	X509_REQ *d2i_X509_REQ(a,pp,length)
194	X509_REQ **a;
195	unsigned char **pp;
196	long length;
197	{
198	M_ASN1_D2I_vars(a,X509_REQ *,X509_REQ_new);
199
200	M_ASN1_D2I_Init();
201	M_ASN1_D2I_start_sequence();
202	M_ASN1_D2I_get(ret->req_info,d2i_X509_REQ_INFO);
203	M_ASN1_D2I_get(ret->sig_alg,d2i_X509_ALGOR);
204	M_ASN1_D2I_get(ret->signature,d2i_ASN1_BIT_STRING);
205	M_ASN1_D2I_Finish(a,X509_REQ_free,ASN1_F_D2I_X509_REQ);
206	}
207
208	X509_REQ *X509_REQ_new()
209	{
210	X509_REQ *ret=NULL;
211
212	M_ASN1_New_Malloc(ret,X509_REQ);
213	ret->references=1;
214	M_ASN1_New(ret->req_info,X509_REQ_INFO_new);
215	M_ASN1_New(ret->sig_alg,X509_ALGOR_new);
216	M_ASN1_New(ret->signature,ASN1_BIT_STRING_new);
217	return(ret);
218	M_ASN1_New_Error(ASN1_F_X509_REQ_NEW);
219	}
220
221	void X509_REQ_free(a)
222	X509_REQ *a;
223	{
224	int i;
225
226	if (a == NULL) return;
227
228	i=CRYPTO_add(&a->references,-1,CRYPTO_LOCK_X509_REQ);
229	#ifdef REF_PRINT
230	REF_PRINT("X509_REQ",a);
231	#endif
232	if (i > 0) return;
233	#ifdef REF_CHECK
234	if (i < 0)
235	{
236	fprintf(stderr,"X509_REQ_free, bad reference count\n");
237	abort();
238	}
239	#endif
240
241	X509_REQ_INFO_free(a->req_info);
242	X509_ALGOR_free(a->sig_alg);
243	ASN1_BIT_STRING_free(a->signature);
244	Free((char *)a);
245	}
246		104
		105	ASN1_SEQUENCE_ref(X509_REQ, 0, CRYPTO_LOCK_X509_INFO) = {
		106	ASN1_SIMPLE(X509_REQ, req_info, X509_REQ_INFO),
		107	ASN1_SIMPLE(X509_REQ, sig_alg, X509_ALGOR),
		108	ASN1_SIMPLE(X509_REQ, signature, ASN1_BIT_STRING)
		109	} ASN1_SEQUENCE_END_ref(X509_REQ, X509_REQ)
247		110
		111	IMPLEMENT_ASN1_FUNCTIONS(X509_REQ)
		112	IMPLEMENT_ASN1_DUP_FUNCTION(X509_REQ)