1 files changed, 43 insertions, 188 deletions
diff --git a/src/lib/libcrypto/asn1/x_req.c b/src/lib/libcrypto/asn1/x_req.c
index 6dddd4f653..b3f18ebc12 100644
--- a/src/lib/libcrypto/asn1/x_req.c
+++ b/src/lib/libcrypto/asn1/x_req.c
@@ -58,200 +58,55 @@
 #include <stdio.h>
 #include "cryptlib.h"
-#include <openssl/asn1_mac.h>
+#include <openssl/asn1t.h>
 #include <openssl/x509.h>
-int i2d_X509_REQ_INFO(X509_REQ_INFO *a, unsigned char **pp)
+/* X509_REQ_INFO is handled in an unusual way to get round
-        {
+ * invalid encodings. Some broken certificate requests don't
-        M_ASN1_I2D_vars(a);
+ * encode the attributes field if it is empty. This is in
+ * violation of PKCS#10 but we need to tolerate it. We do
-        if(a->asn1) {
+ * this by making the attributes field OPTIONAL then using
-                if(pp) {
+ * the callback to initialise it to an empty STACK. 
-                        memcpy(*pp, a->asn1, a->length);
+ *
-                        *pp += a->length;
+ * This means that the field will be correctly encoded unless
-                }
+ * we NULL out the field.
-                return a->length;
+ *
-        }
+ * As a result we no longer need the req_kludge field because
+ * the information is now contained in the attributes field:
-        M_ASN1_I2D_len(a->version,              i2d_ASN1_INTEGER);
+ * 1. If it is NULL then it's the invalid omission.
-        M_ASN1_I2D_len(a->subject,              i2d_X509_NAME);
+ * 2. If it is empty it is the correct encoding.
-        M_ASN1_I2D_len(a->pubkey,               i2d_X509_PUBKEY);
+ * 3. If it is not empty then some attributes are present.
+ *
-        /* this is a *nasty* hack reported to be required to
+ */
-         * allow some CA Software to accept the cert request.
-         * It is not following the PKCS standards ...
-         * PKCS#10 pg 5
-         * attributes [0] IMPLICIT Attributes
-         * NOTE: no OPTIONAL ... so it *must* be there
-         */
-        if (a->req_kludge) 
-                {
-                M_ASN1_I2D_len_IMP_SET_opt_type(X509_ATTRIBUTE,a->attributes,i2d_X509_ATTRIBUTE,0);
-                }
-        else
-                {
-                M_ASN1_I2D_len_IMP_SET_type(X509_ATTRIBUTE,a->attributes,
-                                            i2d_X509_ATTRIBUTE,0);
-                }
-        
-        M_ASN1_I2D_seq_total();
-        M_ASN1_I2D_put(a->version,              i2d_ASN1_INTEGER);
-        M_ASN1_I2D_put(a->subject,              i2d_X509_NAME);
-        M_ASN1_I2D_put(a->pubkey,               i2d_X509_PUBKEY);
-        /* this is a *nasty* hack reported to be required by some CA's.
+static int rinf_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it)
-         * It is not following the PKCS standards ...
+{
-         * PKCS#10 pg 5
+        X509_REQ_INFO *rinf = (X509_REQ_INFO *)*pval;
-         * attributes [0] IMPLICIT Attributes
-         * NOTE: no OPTIONAL ... so it *must* be there
-         */
-        if (a->req_kludge)
-                {
-                M_ASN1_I2D_put_IMP_SET_opt_type(X509_ATTRIBUTE,a->attributes,
-                                                i2d_X509_ATTRIBUTE,0);
-                }
-        else
-                {
-                M_ASN1_I2D_put_IMP_SET_type(X509_ATTRIBUTE,a->attributes,
-                                            i2d_X509_ATTRIBUTE,0);
-                }
-        M_ASN1_I2D_finish();
+        if(operation == ASN1_OP_NEW_POST) {
+                rinf->attributes = sk_X509_ATTRIBUTE_new_null();
+                if(!rinf->attributes) return 0;
        }
+        return 1;
-X509_REQ_INFO *d2i_X509_REQ_INFO(X509_REQ_INFO **a, unsigned char **pp,
+}
-             long length)
-        {
+ASN1_SEQUENCE_enc(X509_REQ_INFO, enc, rinf_cb) = {
-        M_ASN1_D2I_vars(a,X509_REQ_INFO *,X509_REQ_INFO_new);
+        ASN1_SIMPLE(X509_REQ_INFO, version, ASN1_INTEGER),
+        ASN1_SIMPLE(X509_REQ_INFO, subject, X509_NAME),
-        M_ASN1_D2I_Init();
+        ASN1_SIMPLE(X509_REQ_INFO, pubkey, X509_PUBKEY),
-        M_ASN1_D2I_start_sequence();
+        /* This isn't really OPTIONAL but it gets round invalid
-        M_ASN1_D2I_get(ret->version,d2i_ASN1_INTEGER);
+         * encodings
-        M_ASN1_D2I_get(ret->subject,d2i_X509_NAME);
-        M_ASN1_D2I_get(ret->pubkey,d2i_X509_PUBKEY);
-        /* this is a *nasty* hack to allow for some CA's that
-         * have been reported as requiring it.
-         * It is not following the PKCS standards ...
-         * PKCS#10 pg 5
-         * attributes [0] IMPLICIT Attributes
-         * NOTE: no OPTIONAL ... so it *must* be there
         */
-        if (asn1_Finish(&c))
+        ASN1_IMP_SET_OF_OPT(X509_REQ_INFO, attributes, X509_ATTRIBUTE, 0)
-                ret->req_kludge=1;
+} ASN1_SEQUENCE_END_enc(X509_REQ_INFO, X509_REQ_INFO)
-        else
-                {
-                M_ASN1_D2I_get_IMP_set_type(X509_ATTRIBUTE,ret->attributes,
-                                            d2i_X509_ATTRIBUTE,
-                                            X509_ATTRIBUTE_free,0);
-                }
-        M_ASN1_D2I_Finish(a,X509_REQ_INFO_free,ASN1_F_D2I_X509_REQ_INFO);
-        }
-X509_REQ_INFO *X509_REQ_INFO_new(void)
-        {
-        X509_REQ_INFO *ret=NULL;
-        ASN1_CTX c;
-        M_ASN1_New_Malloc(ret,X509_REQ_INFO);
-        M_ASN1_New(ret->version,M_ASN1_INTEGER_new);
-        M_ASN1_New(ret->subject,X509_NAME_new);
-        M_ASN1_New(ret->pubkey,X509_PUBKEY_new);
-        M_ASN1_New(ret->attributes,sk_X509_ATTRIBUTE_new_null);
-        ret->req_kludge=0;
-        ret->asn1 = NULL;
-        return(ret);
-        M_ASN1_New_Error(ASN1_F_X509_REQ_INFO_NEW);
-        }
-        
-void X509_REQ_INFO_free(X509_REQ_INFO *a)
-        {
-        if (a == NULL) return;
-        if(a->asn1) OPENSSL_free(a->asn1);
-        M_ASN1_INTEGER_free(a->version);
-        X509_NAME_free(a->subject);
-        X509_PUBKEY_free(a->pubkey);
-        sk_X509_ATTRIBUTE_pop_free(a->attributes,X509_ATTRIBUTE_free);
-        OPENSSL_free(a);
-        }
-int i2d_X509_REQ(X509_REQ *a, unsigned char **pp)
+IMPLEMENT_ASN1_FUNCTIONS(X509_REQ_INFO)
-        {
-        M_ASN1_I2D_vars(a);
-        M_ASN1_I2D_len(a->req_info,     i2d_X509_REQ_INFO);
-        M_ASN1_I2D_len(a->sig_alg,      i2d_X509_ALGOR);
-        M_ASN1_I2D_len(a->signature,    i2d_ASN1_BIT_STRING);
-        M_ASN1_I2D_seq_total();
-        M_ASN1_I2D_put(a->req_info,     i2d_X509_REQ_INFO);
-        M_ASN1_I2D_put(a->sig_alg,      i2d_X509_ALGOR);
-        M_ASN1_I2D_put(a->signature,    i2d_ASN1_BIT_STRING);
-        M_ASN1_I2D_finish();
-        }
-X509_REQ *d2i_X509_REQ(X509_REQ **a, unsigned char **pp, long length)
-        {
-        M_ASN1_D2I_vars(a,X509_REQ *,X509_REQ_new);
-        M_ASN1_D2I_Init();
-        M_ASN1_D2I_start_sequence();
-        M_ASN1_D2I_get(ret->req_info,d2i_X509_REQ_INFO);
-        /* Keep a copy of the original encoding for signature checking */
-        ret->req_info->length = c.p - c.q;
-        if(!(ret->req_info->asn1 = OPENSSL_malloc(ret->req_info->length))) {
-                c.line=__LINE__;
-                c.error = ERR_R_MALLOC_FAILURE;
-                goto err;
-        }
-        memcpy(ret->req_info->asn1, c.q, ret->req_info->length);
-        M_ASN1_D2I_get(ret->sig_alg,d2i_X509_ALGOR);
-        M_ASN1_D2I_get(ret->signature,d2i_ASN1_BIT_STRING);
-        M_ASN1_D2I_Finish(a,X509_REQ_free,ASN1_F_D2I_X509_REQ);
-        }
-X509_REQ *X509_REQ_new(void)
-        {
-        X509_REQ *ret=NULL;
-        ASN1_CTX c;
-        M_ASN1_New_Malloc(ret,X509_REQ);
-        ret->references=1;
-        M_ASN1_New(ret->req_info,X509_REQ_INFO_new);
-        M_ASN1_New(ret->sig_alg,X509_ALGOR_new);
-        M_ASN1_New(ret->signature,M_ASN1_BIT_STRING_new);
-        return(ret);
-        M_ASN1_New_Error(ASN1_F_X509_REQ_NEW);
-        }
-void X509_REQ_free(X509_REQ *a)
-        {
-        int i;
-        if (a == NULL) return;
-        i=CRYPTO_add(&a->references,-1,CRYPTO_LOCK_X509_REQ);
-#ifdef REF_PRINT
-        REF_PRINT("X509_REQ",a);
-#endif
-        if (i > 0) return;
-#ifdef REF_CHECK
-        if (i < 0)
-                {
-                fprintf(stderr,"X509_REQ_free, bad reference count\n");
-                abort();
-                }
-#endif
-        X509_REQ_INFO_free(a->req_info);
-        X509_ALGOR_free(a->sig_alg);
-        M_ASN1_BIT_STRING_free(a->signature);
-        OPENSSL_free(a);
-        }
+ASN1_SEQUENCE_ref(X509_REQ, 0, CRYPTO_LOCK_X509_INFO) = {
+        ASN1_SIMPLE(X509_REQ, req_info, X509_REQ_INFO),
+        ASN1_SIMPLE(X509_REQ, sig_alg, X509_ALGOR),
+        ASN1_SIMPLE(X509_REQ, signature, ASN1_BIT_STRING)
+} ASN1_SEQUENCE_END_ref(X509_REQ, X509_REQ)
+IMPLEMENT_ASN1_FUNCTIONS(X509_REQ)
+IMPLEMENT_ASN1_DUP_FUNCTION(X509_REQ)

diff --git a/src/lib/libcrypto/asn1/x_req.c b/src/lib/libcrypto/asn1/x_req.c index 6dddd4f653..b3f18ebc12 100644 --- a/src/lib/libcrypto/asn1/x_req.c +++ b/src/lib/libcrypto/asn1/x_req.c
@@ -58,200 +58,55 @@
58		58
59	#include <stdio.h>	59	#include <stdio.h>
60	#include "cryptlib.h"	60	#include "cryptlib.h"
61	#include <openssl/asn1_mac.h>	61	#include <openssl/asn1t.h>
62	#include <openssl/x509.h>	62	#include <openssl/x509.h>
63		63
64	int i2d_X509_REQ_INFO(X509_REQ_INFO a, unsigned char *pp)	64	/* X509_REQ_INFO is handled in an unusual way to get round
65	{	65	* invalid encodings. Some broken certificate requests don't
66	M_ASN1_I2D_vars(a);	66	* encode the attributes field if it is empty. This is in
67		67	* violation of PKCS#10 but we need to tolerate it. We do
68	if(a->asn1) {	68	* this by making the attributes field OPTIONAL then using
69	if(pp) {	69	* the callback to initialise it to an empty STACK.
70	memcpy(*pp, a->asn1, a->length);	70	*
71	*pp += a->length;	71	* This means that the field will be correctly encoded unless
72	}	72	* we NULL out the field.
73	return a->length;	73	*
74	}	74	* As a result we no longer need the req_kludge field because
75		75	* the information is now contained in the attributes field:
76	M_ASN1_I2D_len(a->version, i2d_ASN1_INTEGER);	76	* 1. If it is NULL then it's the invalid omission.
77	M_ASN1_I2D_len(a->subject, i2d_X509_NAME);	77	* 2. If it is empty it is the correct encoding.
78	M_ASN1_I2D_len(a->pubkey, i2d_X509_PUBKEY);	78	* 3. If it is not empty then some attributes are present.
79		79	*
80	/* this is a nasty hack reported to be required to	80	*/
81	* allow some CA Software to accept the cert request.
82	* It is not following the PKCS standards ...
83	* PKCS#10 pg 5
84	* attributes [0] IMPLICIT Attributes
85	* NOTE: no OPTIONAL ... so it must be there
86	*/
87	if (a->req_kludge)
88	{
89	M_ASN1_I2D_len_IMP_SET_opt_type(X509_ATTRIBUTE,a->attributes,i2d_X509_ATTRIBUTE,0);
90	}
91	else
92	{
93	M_ASN1_I2D_len_IMP_SET_type(X509_ATTRIBUTE,a->attributes,
94	i2d_X509_ATTRIBUTE,0);
95	}
96
97	M_ASN1_I2D_seq_total();
98	M_ASN1_I2D_put(a->version, i2d_ASN1_INTEGER);
99	M_ASN1_I2D_put(a->subject, i2d_X509_NAME);
100	M_ASN1_I2D_put(a->pubkey, i2d_X509_PUBKEY);
101		81
102	/* this is a nasty hack reported to be required by some CA's.	82	static int rinf_cb(int operation, ASN1_VALUE *pval, const ASN1_ITEM it)
103	* It is not following the PKCS standards ...	83	{
104	* PKCS#10 pg 5	84	X509_REQ_INFO rinf = (X509_REQ_INFO )*pval;
105	* attributes [0] IMPLICIT Attributes
106	* NOTE: no OPTIONAL ... so it must be there
107	*/
108	if (a->req_kludge)
109	{
110	M_ASN1_I2D_put_IMP_SET_opt_type(X509_ATTRIBUTE,a->attributes,
111	i2d_X509_ATTRIBUTE,0);
112	}
113	else
114	{
115	M_ASN1_I2D_put_IMP_SET_type(X509_ATTRIBUTE,a->attributes,
116	i2d_X509_ATTRIBUTE,0);
117	}
118		85
119	M_ASN1_I2D_finish();	86	if(operation == ASN1_OP_NEW_POST) {
		87	rinf->attributes = sk_X509_ATTRIBUTE_new_null();
		88	if(!rinf->attributes) return 0;
120	}	89	}
121		90	return 1;
122	X509_REQ_INFO d2i_X509_REQ_INFO(X509_REQ_INFO a, unsigned char *pp,	91	}
123	long length)	92
124	{	93	ASN1_SEQUENCE_enc(X509_REQ_INFO, enc, rinf_cb) = {
125	M_ASN1_D2I_vars(a,X509_REQ_INFO *,X509_REQ_INFO_new);	94	ASN1_SIMPLE(X509_REQ_INFO, version, ASN1_INTEGER),
126		95	ASN1_SIMPLE(X509_REQ_INFO, subject, X509_NAME),
127	M_ASN1_D2I_Init();	96	ASN1_SIMPLE(X509_REQ_INFO, pubkey, X509_PUBKEY),
128	M_ASN1_D2I_start_sequence();	97	/* This isn't really OPTIONAL but it gets round invalid
129	M_ASN1_D2I_get(ret->version,d2i_ASN1_INTEGER);	98	* encodings
130	M_ASN1_D2I_get(ret->subject,d2i_X509_NAME);
131	M_ASN1_D2I_get(ret->pubkey,d2i_X509_PUBKEY);
132
133	/* this is a nasty hack to allow for some CA's that
134	* have been reported as requiring it.
135	* It is not following the PKCS standards ...
136	* PKCS#10 pg 5
137	* attributes [0] IMPLICIT Attributes
138	* NOTE: no OPTIONAL ... so it must be there
139	*/	99	*/
140	if (asn1_Finish(&c))	100	ASN1_IMP_SET_OF_OPT(X509_REQ_INFO, attributes, X509_ATTRIBUTE, 0)
141	ret->req_kludge=1;	101	} ASN1_SEQUENCE_END_enc(X509_REQ_INFO, X509_REQ_INFO)
142	else
143	{
144	M_ASN1_D2I_get_IMP_set_type(X509_ATTRIBUTE,ret->attributes,
145	d2i_X509_ATTRIBUTE,
146	X509_ATTRIBUTE_free,0);
147	}
148
149	M_ASN1_D2I_Finish(a,X509_REQ_INFO_free,ASN1_F_D2I_X509_REQ_INFO);
150	}
151
152	X509_REQ_INFO *X509_REQ_INFO_new(void)
153	{
154	X509_REQ_INFO *ret=NULL;
155	ASN1_CTX c;
156
157	M_ASN1_New_Malloc(ret,X509_REQ_INFO);
158	M_ASN1_New(ret->version,M_ASN1_INTEGER_new);
159	M_ASN1_New(ret->subject,X509_NAME_new);
160	M_ASN1_New(ret->pubkey,X509_PUBKEY_new);
161	M_ASN1_New(ret->attributes,sk_X509_ATTRIBUTE_new_null);
162	ret->req_kludge=0;
163	ret->asn1 = NULL;
164	return(ret);
165	M_ASN1_New_Error(ASN1_F_X509_REQ_INFO_NEW);
166	}
167
168	void X509_REQ_INFO_free(X509_REQ_INFO *a)
169	{
170	if (a == NULL) return;
171	if(a->asn1) OPENSSL_free(a->asn1);
172	M_ASN1_INTEGER_free(a->version);
173	X509_NAME_free(a->subject);
174	X509_PUBKEY_free(a->pubkey);
175	sk_X509_ATTRIBUTE_pop_free(a->attributes,X509_ATTRIBUTE_free);
176	OPENSSL_free(a);
177	}
178		102
179	int i2d_X509_REQ(X509_REQ a, unsigned char *pp)	103	IMPLEMENT_ASN1_FUNCTIONS(X509_REQ_INFO)
180	{
181	M_ASN1_I2D_vars(a);
182	M_ASN1_I2D_len(a->req_info, i2d_X509_REQ_INFO);
183	M_ASN1_I2D_len(a->sig_alg, i2d_X509_ALGOR);
184	M_ASN1_I2D_len(a->signature, i2d_ASN1_BIT_STRING);
185
186	M_ASN1_I2D_seq_total();
187
188	M_ASN1_I2D_put(a->req_info, i2d_X509_REQ_INFO);
189	M_ASN1_I2D_put(a->sig_alg, i2d_X509_ALGOR);
190	M_ASN1_I2D_put(a->signature, i2d_ASN1_BIT_STRING);
191
192	M_ASN1_I2D_finish();
193	}
194
195	X509_REQ d2i_X509_REQ(X509_REQ a, unsigned char *pp, long length)
196	{
197	M_ASN1_D2I_vars(a,X509_REQ *,X509_REQ_new);
198
199	M_ASN1_D2I_Init();
200	M_ASN1_D2I_start_sequence();
201	M_ASN1_D2I_get(ret->req_info,d2i_X509_REQ_INFO);
202
203	/* Keep a copy of the original encoding for signature checking */
204	ret->req_info->length = c.p - c.q;
205	if(!(ret->req_info->asn1 = OPENSSL_malloc(ret->req_info->length))) {
206	c.line=__LINE__;
207	c.error = ERR_R_MALLOC_FAILURE;
208	goto err;
209	}
210
211	memcpy(ret->req_info->asn1, c.q, ret->req_info->length);
212
213	M_ASN1_D2I_get(ret->sig_alg,d2i_X509_ALGOR);
214	M_ASN1_D2I_get(ret->signature,d2i_ASN1_BIT_STRING);
215	M_ASN1_D2I_Finish(a,X509_REQ_free,ASN1_F_D2I_X509_REQ);
216	}
217
218	X509_REQ *X509_REQ_new(void)
219	{
220	X509_REQ *ret=NULL;
221	ASN1_CTX c;
222
223	M_ASN1_New_Malloc(ret,X509_REQ);
224	ret->references=1;
225	M_ASN1_New(ret->req_info,X509_REQ_INFO_new);
226	M_ASN1_New(ret->sig_alg,X509_ALGOR_new);
227	M_ASN1_New(ret->signature,M_ASN1_BIT_STRING_new);
228	return(ret);
229	M_ASN1_New_Error(ASN1_F_X509_REQ_NEW);
230	}
231
232	void X509_REQ_free(X509_REQ *a)
233	{
234	int i;
235
236	if (a == NULL) return;
237
238	i=CRYPTO_add(&a->references,-1,CRYPTO_LOCK_X509_REQ);
239	#ifdef REF_PRINT
240	REF_PRINT("X509_REQ",a);
241	#endif
242	if (i > 0) return;
243	#ifdef REF_CHECK
244	if (i < 0)
245	{
246	fprintf(stderr,"X509_REQ_free, bad reference count\n");
247	abort();
248	}
249	#endif
250
251	X509_REQ_INFO_free(a->req_info);
252	X509_ALGOR_free(a->sig_alg);
253	M_ASN1_BIT_STRING_free(a->signature);
254	OPENSSL_free(a);
255	}
256		104
		105	ASN1_SEQUENCE_ref(X509_REQ, 0, CRYPTO_LOCK_X509_INFO) = {
		106	ASN1_SIMPLE(X509_REQ, req_info, X509_REQ_INFO),
		107	ASN1_SIMPLE(X509_REQ, sig_alg, X509_ALGOR),
		108	ASN1_SIMPLE(X509_REQ, signature, ASN1_BIT_STRING)
		109	} ASN1_SEQUENCE_END_ref(X509_REQ, X509_REQ)
257		110
		111	IMPLEMENT_ASN1_FUNCTIONS(X509_REQ)
		112	IMPLEMENT_ASN1_DUP_FUNCTION(X509_REQ)