1 files changed, 112 insertions, 54 deletions
diff --git a/src/lib/libcrypto/pkcs7/pk7_attr.c b/src/lib/libcrypto/pkcs7/pk7_attr.c
index 52463aa3a3..f2e17806db 100644
--- a/src/lib/libcrypto/pkcs7/pk7_attr.c
+++ b/src/lib/libcrypto/pkcs7/pk7_attr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pk7_attr.c,v 1.15 2024/02/19 15:37:44 tb Exp $ */
+/* $OpenBSD: pk7_attr.c,v 1.22 2025/07/31 02:24:21 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2001.
 */
@@ -59,23 +59,48 @@
 #include <stdio.h>
 #include <openssl/asn1.h>
-#include <openssl/err.h>
 #include <openssl/objects.h>
 #include <openssl/pkcs7.h>
 #include <openssl/x509.h>
+#include "asn1_local.h"
+#include "err_local.h"
+#include "x509_local.h"
 int
 PKCS7_add_attrib_smimecap(PKCS7_SIGNER_INFO *si, STACK_OF(X509_ALGOR) *cap)
 {
-        ASN1_STRING *seq;
+        ASN1_STRING *seq = NULL;
-        if (!(seq = ASN1_STRING_new())) {
+        unsigned char *data = NULL;
+        int len = 0;
+        int ret = 0;
+        if ((len = i2d_X509_ALGORS(cap, &data)) <= 0) {
+                len = 0;
+                goto err;
+        }
+        if ((seq = ASN1_STRING_new()) == NULL) {
                PKCS7error(ERR_R_MALLOC_FAILURE);
-                return 0;
+                goto err;
        }
-        seq->length = ASN1_item_i2d((ASN1_VALUE *)cap, &seq->data,
-            &X509_ALGORS_it);
+        ASN1_STRING_set0(seq, data, len);
-        return PKCS7_add_signed_attribute(si, NID_SMIMECapabilities,
+        data = NULL;
-            V_ASN1_SEQUENCE, seq);
+        len = 0;
+        if (!PKCS7_add_signed_attribute(si, NID_SMIMECapabilities,
+            V_ASN1_SEQUENCE, seq))
+                goto err;
+        seq = NULL;
+        ret = 1;
+ err:
+        ASN1_STRING_free(seq);
+        freezero(data, len);
+        return ret;
 }
 LCRYPTO_ALIAS(PKCS7_add_attrib_smimecap);
@@ -84,51 +109,60 @@ PKCS7_get_smimecap(PKCS7_SIGNER_INFO *si)
 {
        ASN1_TYPE *cap;
        const unsigned char *p;
+        int len;
-        cap = PKCS7_get_signed_attribute(si, NID_SMIMECapabilities);
+        if ((cap = PKCS7_get_signed_attribute(si, NID_SMIMECapabilities)) == NULL)
-        if (!cap || (cap->type != V_ASN1_SEQUENCE))
+                return NULL;
+        if (cap->type != V_ASN1_SEQUENCE)
                return NULL;
        p = cap->value.sequence->data;
-        return (STACK_OF(X509_ALGOR) *)
+        len = cap->value.sequence->length;
-        ASN1_item_d2i(NULL, &p, cap->value.sequence->length,
-            &X509_ALGORS_it);
+        return d2i_X509_ALGORS(NULL, &p, len);
 }
 LCRYPTO_ALIAS(PKCS7_get_smimecap);
-/* Basic smime-capabilities OID and optional integer arg */
+/*
+ * Add AlgorithmIdentifier OID of type |nid| to the SMIMECapability attribute
+ * set |sk| (see RFC 3851, section 2.5.2). If keysize > 0, the OID has an
+ * integer parameter of value |keysize|, otherwise parameters are omitted.
+ *
+ * See also CMS_add_simple_smimecap().
+ */
 int
-PKCS7_simple_smimecap(STACK_OF(X509_ALGOR) *sk, int nid, int arg)
+PKCS7_simple_smimecap(STACK_OF(X509_ALGOR) *sk, int nid, int keysize)
 {
-        X509_ALGOR *alg;
+        X509_ALGOR *alg = NULL;
+        ASN1_INTEGER *parameter = NULL;
+        int parameter_type = V_ASN1_UNDEF;
+        int ret = 0;
-        if (!(alg = X509_ALGOR_new())) {
+        if (keysize > 0) {
-                PKCS7error(ERR_R_MALLOC_FAILURE);
+                if ((parameter = ASN1_INTEGER_new()) == NULL)
-                return 0;
-        }
-        ASN1_OBJECT_free(alg->algorithm);
-        alg->algorithm = OBJ_nid2obj(nid);
-        if (arg > 0) {
-                ASN1_INTEGER *nbit;
-                if (!(alg->parameter = ASN1_TYPE_new()))
-                        goto err;
-                if (!(nbit = ASN1_INTEGER_new()))
                        goto err;
-                if (!ASN1_INTEGER_set(nbit, arg)) {
+                if (!ASN1_INTEGER_set(parameter, keysize))
-                        ASN1_INTEGER_free(nbit);
                        goto err;
-                }
+                parameter_type = V_ASN1_INTEGER;
-                alg->parameter->value.integer = nbit;
-                alg->parameter->type = V_ASN1_INTEGER;
        }
-        if (sk_X509_ALGOR_push(sk, alg) == 0)
+        if ((alg = X509_ALGOR_new()) == NULL)
                goto err;
-        return 1;
+        if (!X509_ALGOR_set0_by_nid(alg, nid, parameter_type, parameter))
+                goto err;
+        parameter = NULL;
+        if (sk_X509_ALGOR_push(sk, alg) <= 0)
+                goto err;
+        alg = NULL;
-err:
+        ret = 1;
-        PKCS7error(ERR_R_MALLOC_FAILURE);
+ err:
        X509_ALGOR_free(alg);
-        return 0;
+        ASN1_INTEGER_free(parameter);
+        return ret;
 }
 LCRYPTO_ALIAS(PKCS7_simple_smimecap);
@@ -147,30 +181,54 @@ LCRYPTO_ALIAS(PKCS7_add_attrib_content_type);
 int
 PKCS7_add0_attrib_signing_time(PKCS7_SIGNER_INFO *si, ASN1_TIME *t)
 {
-        if (!t && !(t = X509_gmtime_adj(NULL, 0))) {
+        ASN1_TIME *tm;
+        int ret = 0;
+        if ((tm = t) == NULL)
+                tm = X509_gmtime_adj(NULL, 0);
+        if (tm == NULL) {
                PKCS7error(ERR_R_MALLOC_FAILURE);
-                return 0;
+                goto err;
        }
-        return PKCS7_add_signed_attribute(si, NID_pkcs9_signingTime,
-            V_ASN1_UTCTIME, t);
+        /* RFC 5652, section 11.3 - UTCTime for the years 1950-2049. */
+        if (ASN1_time_parse(tm->data, tm->length, NULL, tm->type) == -1)
+                goto err;
+        if (!PKCS7_add_signed_attribute(si, NID_pkcs9_signingTime, tm->type, tm))
+                goto err;
+        tm = NULL;
+        ret = 1;
+ err:
+        if (tm != t)
+                ASN1_TIME_free(tm);
+        return ret;
 }
 LCRYPTO_ALIAS(PKCS7_add0_attrib_signing_time);
 int
 PKCS7_add1_attrib_digest(PKCS7_SIGNER_INFO *si, const unsigned char *md,
-    int mdlen)
+    int md_len)
 {
        ASN1_OCTET_STRING *os;
+        int ret = 0;
-        os = ASN1_OCTET_STRING_new();
+        if ((os = ASN1_OCTET_STRING_new()) == NULL)
-        if (!os)
+                goto err;
-                return 0;
+        if (!ASN1_STRING_set(os, md, md_len))
-        if (!ASN1_STRING_set(os, md, mdlen) ||
+                goto err;
-            !PKCS7_add_signed_attribute(si, NID_pkcs9_messageDigest,
+        if (!PKCS7_add_signed_attribute(si, NID_pkcs9_messageDigest,
-            V_ASN1_OCTET_STRING, os)) {
+            V_ASN1_OCTET_STRING, os))
-                ASN1_OCTET_STRING_free(os);
+                goto err;
-                return 0;
+        os = NULL;
-        }
-        return 1;
+        ret = 1;
+ err:
+        ASN1_OCTET_STRING_free(os);
+        return ret;
 }
 LCRYPTO_ALIAS(PKCS7_add1_attrib_digest);

diff --git a/src/lib/libcrypto/pkcs7/pk7_attr.c b/src/lib/libcrypto/pkcs7/pk7_attr.c index 52463aa3a3..f2e17806db 100644 --- a/src/lib/libcrypto/pkcs7/pk7_attr.c +++ b/src/lib/libcrypto/pkcs7/pk7_attr.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: pk7_attr.c,v 1.15 2024/02/19 15:37:44 tb Exp $ */	1	/* $OpenBSD: pk7_attr.c,v 1.22 2025/07/31 02:24:21 tb Exp $ */
2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL	2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3	* project 2001.	3	* project 2001.
4	*/	4	*/
@@ -59,23 +59,48 @@
59	#include <stdio.h>	59	#include <stdio.h>
60		60
61	#include <openssl/asn1.h>	61	#include <openssl/asn1.h>
62	#include <openssl/err.h>
63	#include <openssl/objects.h>	62	#include <openssl/objects.h>
64	#include <openssl/pkcs7.h>	63	#include <openssl/pkcs7.h>
65	#include <openssl/x509.h>	64	#include <openssl/x509.h>
66		65
		66	#include "asn1_local.h"
		67	#include "err_local.h"
		68	#include "x509_local.h"
		69
67	int	70	int
68	PKCS7_add_attrib_smimecap(PKCS7_SIGNER_INFO si, STACK_OF(X509_ALGOR) cap)	71	PKCS7_add_attrib_smimecap(PKCS7_SIGNER_INFO si, STACK_OF(X509_ALGOR) cap)
69	{	72	{
70	ASN1_STRING *seq;	73	ASN1_STRING *seq = NULL;
71	if (!(seq = ASN1_STRING_new())) {	74	unsigned char *data = NULL;
		75	int len = 0;
		76	int ret = 0;
		77
		78	if ((len = i2d_X509_ALGORS(cap, &data)) <= 0) {
		79	len = 0;
		80	goto err;
		81	}
		82
		83	if ((seq = ASN1_STRING_new()) == NULL) {
72	PKCS7error(ERR_R_MALLOC_FAILURE);	84	PKCS7error(ERR_R_MALLOC_FAILURE);
73	return 0;	85	goto err;
74	}	86	}
75	seq->length = ASN1_item_i2d((ASN1_VALUE *)cap, &seq->data,	87
76	&X509_ALGORS_it);	88	ASN1_STRING_set0(seq, data, len);
77	return PKCS7_add_signed_attribute(si, NID_SMIMECapabilities,	89	data = NULL;
78	V_ASN1_SEQUENCE, seq);	90	len = 0;
		91
		92	if (!PKCS7_add_signed_attribute(si, NID_SMIMECapabilities,
		93	V_ASN1_SEQUENCE, seq))
		94	goto err;
		95	seq = NULL;
		96
		97	ret = 1;
		98
		99	err:
		100	ASN1_STRING_free(seq);
		101	freezero(data, len);
		102
		103	return ret;
79	}	104	}
80	LCRYPTO_ALIAS(PKCS7_add_attrib_smimecap);	105	LCRYPTO_ALIAS(PKCS7_add_attrib_smimecap);
81		106
@@ -84,51 +109,60 @@ PKCS7_get_smimecap(PKCS7_SIGNER_INFO *si)
84	{	109	{
85	ASN1_TYPE *cap;	110	ASN1_TYPE *cap;
86	const unsigned char *p;	111	const unsigned char *p;
		112	int len;
87		113
88	cap = PKCS7_get_signed_attribute(si, NID_SMIMECapabilities);	114	if ((cap = PKCS7_get_signed_attribute(si, NID_SMIMECapabilities)) == NULL)
89	if (!cap \|\| (cap->type != V_ASN1_SEQUENCE))	115	return NULL;
		116	if (cap->type != V_ASN1_SEQUENCE)
90	return NULL;	117	return NULL;
		118
91	p = cap->value.sequence->data;	119	p = cap->value.sequence->data;
92	return (STACK_OF(X509_ALGOR) *)	120	len = cap->value.sequence->length;
93	ASN1_item_d2i(NULL, &p, cap->value.sequence->length,	121
94	&X509_ALGORS_it);	122	return d2i_X509_ALGORS(NULL, &p, len);
95	}	123	}
96	LCRYPTO_ALIAS(PKCS7_get_smimecap);	124	LCRYPTO_ALIAS(PKCS7_get_smimecap);
97		125
98	/* Basic smime-capabilities OID and optional integer arg */	126	/*
		127	* Add AlgorithmIdentifier OID of type \|nid\| to the SMIMECapability attribute
		128	* set \|sk\| (see RFC 3851, section 2.5.2). If keysize > 0, the OID has an
		129	* integer parameter of value \|keysize\|, otherwise parameters are omitted.
		130	*
		131	* See also CMS_add_simple_smimecap().
		132	*/
99	int	133	int
100	PKCS7_simple_smimecap(STACK_OF(X509_ALGOR) *sk, int nid, int arg)	134	PKCS7_simple_smimecap(STACK_OF(X509_ALGOR) *sk, int nid, int keysize)
101	{	135	{
102	X509_ALGOR *alg;	136	X509_ALGOR *alg = NULL;
		137	ASN1_INTEGER *parameter = NULL;
		138	int parameter_type = V_ASN1_UNDEF;
		139	int ret = 0;
103		140
104	if (!(alg = X509_ALGOR_new())) {	141	if (keysize > 0) {
105	PKCS7error(ERR_R_MALLOC_FAILURE);	142	if ((parameter = ASN1_INTEGER_new()) == NULL)
106	return 0;
107	}
108	ASN1_OBJECT_free(alg->algorithm);
109	alg->algorithm = OBJ_nid2obj(nid);
110	if (arg > 0) {
111	ASN1_INTEGER *nbit;
112
113	if (!(alg->parameter = ASN1_TYPE_new()))
114	goto err;
115	if (!(nbit = ASN1_INTEGER_new()))
116	goto err;	143	goto err;
117	if (!ASN1_INTEGER_set(nbit, arg)) {	144	if (!ASN1_INTEGER_set(parameter, keysize))
118	ASN1_INTEGER_free(nbit);
119	goto err;	145	goto err;
120	}	146	parameter_type = V_ASN1_INTEGER;
121	alg->parameter->value.integer = nbit;
122	alg->parameter->type = V_ASN1_INTEGER;
123	}	147	}
124	if (sk_X509_ALGOR_push(sk, alg) == 0)	148
		149	if ((alg = X509_ALGOR_new()) == NULL)
125	goto err;	150	goto err;
126	return 1;	151	if (!X509_ALGOR_set0_by_nid(alg, nid, parameter_type, parameter))
		152	goto err;
		153	parameter = NULL;
		154
		155	if (sk_X509_ALGOR_push(sk, alg) <= 0)
		156	goto err;
		157	alg = NULL;
127		158
128	err:	159	ret = 1;
129	PKCS7error(ERR_R_MALLOC_FAILURE);	160
		161	err:
130	X509_ALGOR_free(alg);	162	X509_ALGOR_free(alg);
131	return 0;	163	ASN1_INTEGER_free(parameter);
		164
		165	return ret;
132	}	166	}
133	LCRYPTO_ALIAS(PKCS7_simple_smimecap);	167	LCRYPTO_ALIAS(PKCS7_simple_smimecap);
134		168
@@ -147,30 +181,54 @@ LCRYPTO_ALIAS(PKCS7_add_attrib_content_type);
147	int	181	int
148	PKCS7_add0_attrib_signing_time(PKCS7_SIGNER_INFO si, ASN1_TIME t)	182	PKCS7_add0_attrib_signing_time(PKCS7_SIGNER_INFO si, ASN1_TIME t)
149	{	183	{
150	if (!t && !(t = X509_gmtime_adj(NULL, 0))) {	184	ASN1_TIME *tm;
		185	int ret = 0;
		186
		187	if ((tm = t) == NULL)
		188	tm = X509_gmtime_adj(NULL, 0);
		189	if (tm == NULL) {
151	PKCS7error(ERR_R_MALLOC_FAILURE);	190	PKCS7error(ERR_R_MALLOC_FAILURE);
152	return 0;	191	goto err;
153	}	192	}
154	return PKCS7_add_signed_attribute(si, NID_pkcs9_signingTime,	193
155	V_ASN1_UTCTIME, t);	194	/* RFC 5652, section 11.3 - UTCTime for the years 1950-2049. */
		195	if (ASN1_time_parse(tm->data, tm->length, NULL, tm->type) == -1)
		196	goto err;
		197	if (!PKCS7_add_signed_attribute(si, NID_pkcs9_signingTime, tm->type, tm))
		198	goto err;
		199	tm = NULL;
		200
		201	ret = 1;
		202
		203	err:
		204	if (tm != t)
		205	ASN1_TIME_free(tm);
		206
		207	return ret;
156	}	208	}
157	LCRYPTO_ALIAS(PKCS7_add0_attrib_signing_time);	209	LCRYPTO_ALIAS(PKCS7_add0_attrib_signing_time);
158		210
159	int	211	int
160	PKCS7_add1_attrib_digest(PKCS7_SIGNER_INFO si, const unsigned char md,	212	PKCS7_add1_attrib_digest(PKCS7_SIGNER_INFO si, const unsigned char md,
161	int mdlen)	213	int md_len)
162	{	214	{
163	ASN1_OCTET_STRING *os;	215	ASN1_OCTET_STRING *os;
		216	int ret = 0;
164		217
165	os = ASN1_OCTET_STRING_new();	218	if ((os = ASN1_OCTET_STRING_new()) == NULL)
166	if (!os)	219	goto err;
167	return 0;	220	if (!ASN1_STRING_set(os, md, md_len))
168	if (!ASN1_STRING_set(os, md, mdlen) \|\|	221	goto err;
169	!PKCS7_add_signed_attribute(si, NID_pkcs9_messageDigest,	222	if (!PKCS7_add_signed_attribute(si, NID_pkcs9_messageDigest,
170	V_ASN1_OCTET_STRING, os)) {	223	V_ASN1_OCTET_STRING, os))
171	ASN1_OCTET_STRING_free(os);	224	goto err;
172	return 0;	225	os = NULL;
173	}	226
174	return 1;	227	ret = 1;
		228
		229	err:
		230	ASN1_OCTET_STRING_free(os);
		231
		232	return ret;
175	}	233	}
176	LCRYPTO_ALIAS(PKCS7_add1_attrib_digest);	234	LCRYPTO_ALIAS(PKCS7_add1_attrib_digest);