1 files changed, 103 insertions, 14 deletions
diff --git a/src/lib/libcrypto/pkcs7/pk7_lib.c b/src/lib/libcrypto/pkcs7/pk7_lib.c
index ee1817c7af..f2490941a3 100644
--- a/src/lib/libcrypto/pkcs7/pk7_lib.c
+++ b/src/lib/libcrypto/pkcs7/pk7_lib.c
@@ -138,6 +138,10 @@ int PKCS7_set_content(PKCS7 *p7, PKCS7 *p7_data)
                p7->d.sign->contents=p7_data;
                break;
        case NID_pkcs7_digest:
+                if (p7->d.digest->contents != NULL)
+                        PKCS7_free(p7->d.digest->contents);
+                p7->d.digest->contents=p7_data;
+                break;
        case NID_pkcs7_data:
        case NID_pkcs7_enveloped:
        case NID_pkcs7_signedAndEnveloped:
@@ -206,6 +210,12 @@ int PKCS7_set_type(PKCS7 *p7, int type)
                break;
        case NID_pkcs7_digest:
+                p7->type=obj;
+                if ((p7->d.digest=PKCS7_DIGEST_new())
+                        == NULL) goto err;
+                if (!ASN1_INTEGER_set(p7->d.digest->version,0))
+                        goto err;
+                break;
        default:
                PKCS7err(PKCS7_F_PKCS7_SET_TYPE,PKCS7_R_UNSUPPORTED_CONTENT_TYPE);
                goto err;
@@ -215,6 +225,13 @@ err:
        return(0);
        }
+int PKCS7_set0_type_other(PKCS7 *p7, int type, ASN1_TYPE *other)
+        {
+        p7->type = OBJ_nid2obj(type);
+        p7->d.other = other;
+        return 1;
+        }
 int PKCS7_add_signer(PKCS7 *p7, PKCS7_SIGNER_INFO *psi)
        {
        int i,j,nid;
@@ -254,16 +271,23 @@ int PKCS7_add_signer(PKCS7 *p7, PKCS7_SIGNER_INFO *psi)
        if (!j) /* we need to add another algorithm */
                {
                if(!(alg=X509_ALGOR_new())
-                        || !(alg->parameter = ASN1_TYPE_new())) {
+                        || !(alg->parameter = ASN1_TYPE_new()))
+                        {
+                        X509_ALGOR_free(alg);
                        PKCS7err(PKCS7_F_PKCS7_ADD_SIGNER,ERR_R_MALLOC_FAILURE);
                        return(0);
-                }
+                        }
                alg->algorithm=OBJ_nid2obj(nid);
                alg->parameter->type = V_ASN1_NULL;
-                sk_X509_ALGOR_push(md_sk,alg);
+                if (!sk_X509_ALGOR_push(md_sk,alg))
+                        {
+                        X509_ALGOR_free(alg);
+                        return 0;
+                        }
                }
-        sk_PKCS7_SIGNER_INFO_push(signer_sk,psi);
+        if (!sk_PKCS7_SIGNER_INFO_push(signer_sk,psi))
+                return 0;
        return(1);
        }
@@ -288,8 +312,17 @@ int PKCS7_add_certificate(PKCS7 *p7, X509 *x509)
        if (*sk == NULL)
                *sk=sk_X509_new_null();
+        if (*sk == NULL)
+                {
+                PKCS7err(PKCS7_F_PKCS7_ADD_CERTIFICATE,ERR_R_MALLOC_FAILURE);
+                return 0;
+                }
        CRYPTO_add(&x509->references,1,CRYPTO_LOCK_X509);
-        sk_X509_push(*sk,x509);
+        if (!sk_X509_push(*sk,x509))
+                {
+                X509_free(x509);
+                return 0;
+                }
        return(1);
        }
@@ -314,18 +347,31 @@ int PKCS7_add_crl(PKCS7 *p7, X509_CRL *crl)
        if (*sk == NULL)
                *sk=sk_X509_CRL_new_null();
+        if (*sk == NULL)
+                {
+                PKCS7err(PKCS7_F_PKCS7_ADD_CRL,ERR_R_MALLOC_FAILURE);
+                return 0;
+                }
        CRYPTO_add(&crl->references,1,CRYPTO_LOCK_X509_CRL);
-        sk_X509_CRL_push(*sk,crl);
+        if (!sk_X509_CRL_push(*sk,crl))
+                {
+                X509_CRL_free(crl);
+                return 0;
+                }
        return(1);
        }
 int PKCS7_SIGNER_INFO_set(PKCS7_SIGNER_INFO *p7i, X509 *x509, EVP_PKEY *pkey,
             const EVP_MD *dgst)
        {
+        int nid;
        char is_dsa;
-        if (pkey->type == EVP_PKEY_DSA) is_dsa = 1;
-        else is_dsa = 0;
+        if (pkey->type == EVP_PKEY_DSA || pkey->type == EVP_PKEY_EC)
+                is_dsa = 1;
+        else
+                is_dsa = 0;
        /* We now need to add another PKCS7_SIGNER_INFO entry */
        if (!ASN1_INTEGER_set(p7i->version,1))
                goto err;
@@ -355,16 +401,38 @@ int PKCS7_SIGNER_INFO_set(PKCS7_SIGNER_INFO *p7i, X509 *x509, EVP_PKEY *pkey,
                goto err;
        p7i->digest_alg->parameter->type=V_ASN1_NULL;
-        p7i->digest_enc_alg->algorithm=OBJ_nid2obj(EVP_PKEY_type(pkey->type));
        if (p7i->digest_enc_alg->parameter != NULL)
                ASN1_TYPE_free(p7i->digest_enc_alg->parameter);
-        if(is_dsa) p7i->digest_enc_alg->parameter = NULL;
+        nid = EVP_PKEY_type(pkey->type);
-        else {
+        if (nid == EVP_PKEY_RSA)
+                {
+                p7i->digest_enc_alg->algorithm=OBJ_nid2obj(NID_rsaEncryption);
                if (!(p7i->digest_enc_alg->parameter=ASN1_TYPE_new()))
                        goto err;
                p7i->digest_enc_alg->parameter->type=V_ASN1_NULL;
-        }
+                }
+        else if (nid == EVP_PKEY_DSA)
+                {
+#if 1
+                /* use 'dsaEncryption' OID for compatibility with other software
+                 * (PKCS #7 v1.5 does specify how to handle DSA) ... */
+                p7i->digest_enc_alg->algorithm=OBJ_nid2obj(NID_dsa);
+#else
+                /* ... although the 'dsaWithSHA1' OID (as required by RFC 2630 for CMS)
+                 * would make more sense. */
+                p7i->digest_enc_alg->algorithm=OBJ_nid2obj(NID_dsaWithSHA1);
+#endif
+                p7i->digest_enc_alg->parameter = NULL; /* special case for DSA: omit 'parameter'! */
+                }
+        else if (nid == EVP_PKEY_EC)
+                {
+                p7i->digest_enc_alg->algorithm=OBJ_nid2obj(NID_ecdsa_with_SHA1);
+                if (!(p7i->digest_enc_alg->parameter=ASN1_TYPE_new()))
+                        goto err;
+                p7i->digest_enc_alg->parameter->type=V_ASN1_NULL;
+                }
+        else
+                return(0);
        return(1);
 err:
@@ -381,9 +449,28 @@ PKCS7_SIGNER_INFO *PKCS7_add_signature(PKCS7 *p7, X509 *x509, EVP_PKEY *pkey,
        if (!PKCS7_add_signer(p7,si)) goto err;
        return(si);
 err:
+        PKCS7_SIGNER_INFO_free(si);
        return(NULL);
        }
+int PKCS7_set_digest(PKCS7 *p7, const EVP_MD *md)
+        {
+        if (PKCS7_type_is_digest(p7))
+                {
+                if(!(p7->d.digest->md->parameter = ASN1_TYPE_new()))
+                        {
+                        PKCS7err(PKCS7_F_PKCS7_SET_DIGEST,ERR_R_MALLOC_FAILURE);
+                        return 0;
+                        }
+                p7->d.digest->md->parameter->type = V_ASN1_NULL;
+                p7->d.digest->md->algorithm = OBJ_nid2obj(EVP_MD_nid(md));
+                return 1;
+                }
+                
+        PKCS7err(PKCS7_F_PKCS7_SET_DIGEST,PKCS7_R_WRONG_CONTENT_TYPE);
+        return 1;
+        }
 STACK_OF(PKCS7_SIGNER_INFO) *PKCS7_get_signer_info(PKCS7 *p7)
        {
        if (PKCS7_type_is_signed(p7))
@@ -407,6 +494,7 @@ PKCS7_RECIP_INFO *PKCS7_add_recipient(PKCS7 *p7, X509 *x509)
        if (!PKCS7_add_recipient_info(p7,ri)) goto err;
        return(ri);
 err:
+        PKCS7_RECIP_INFO_free(ri);
        return(NULL);
        }
@@ -429,7 +517,8 @@ int PKCS7_add_recipient_info(PKCS7 *p7, PKCS7_RECIP_INFO *ri)
                return(0);
                }
-        sk_PKCS7_RECIP_INFO_push(sk,ri);
+        if (!sk_PKCS7_RECIP_INFO_push(sk,ri))
+                return 0;
        return(1);
        }

diff --git a/src/lib/libcrypto/pkcs7/pk7_lib.c b/src/lib/libcrypto/pkcs7/pk7_lib.c index ee1817c7af..f2490941a3 100644 --- a/src/lib/libcrypto/pkcs7/pk7_lib.c +++ b/src/lib/libcrypto/pkcs7/pk7_lib.c
@@ -138,6 +138,10 @@ int PKCS7_set_content(PKCS7 p7, PKCS7 p7_data)
138	p7->d.sign->contents=p7_data;	138	p7->d.sign->contents=p7_data;
139	break;	139	break;
140	case NID_pkcs7_digest:	140	case NID_pkcs7_digest:
		141	if (p7->d.digest->contents != NULL)
		142	PKCS7_free(p7->d.digest->contents);
		143	p7->d.digest->contents=p7_data;
		144	break;
141	case NID_pkcs7_data:	145	case NID_pkcs7_data:
142	case NID_pkcs7_enveloped:	146	case NID_pkcs7_enveloped:
143	case NID_pkcs7_signedAndEnveloped:	147	case NID_pkcs7_signedAndEnveloped:
@@ -206,6 +210,12 @@ int PKCS7_set_type(PKCS7 *p7, int type)
206	break;	210	break;
207		211
208	case NID_pkcs7_digest:	212	case NID_pkcs7_digest:
		213	p7->type=obj;
		214	if ((p7->d.digest=PKCS7_DIGEST_new())
		215	== NULL) goto err;
		216	if (!ASN1_INTEGER_set(p7->d.digest->version,0))
		217	goto err;
		218	break;
209	default:	219	default:
210	PKCS7err(PKCS7_F_PKCS7_SET_TYPE,PKCS7_R_UNSUPPORTED_CONTENT_TYPE);	220	PKCS7err(PKCS7_F_PKCS7_SET_TYPE,PKCS7_R_UNSUPPORTED_CONTENT_TYPE);
211	goto err;	221	goto err;
@@ -215,6 +225,13 @@ err:
215	return(0);	225	return(0);
216	}	226	}
217		227
		228	int PKCS7_set0_type_other(PKCS7 p7, int type, ASN1_TYPE other)
		229	{
		230	p7->type = OBJ_nid2obj(type);
		231	p7->d.other = other;
		232	return 1;
		233	}
		234
218	int PKCS7_add_signer(PKCS7 p7, PKCS7_SIGNER_INFO psi)	235	int PKCS7_add_signer(PKCS7 p7, PKCS7_SIGNER_INFO psi)
219	{	236	{
220	int i,j,nid;	237	int i,j,nid;
@@ -254,16 +271,23 @@ int PKCS7_add_signer(PKCS7 p7, PKCS7_SIGNER_INFO psi)
254	if (!j) /* we need to add another algorithm */	271	if (!j) /* we need to add another algorithm */
255	{	272	{
256	if(!(alg=X509_ALGOR_new())	273	if(!(alg=X509_ALGOR_new())
257	\|\| !(alg->parameter = ASN1_TYPE_new())) {	274	\|\| !(alg->parameter = ASN1_TYPE_new()))
		275	{
		276	X509_ALGOR_free(alg);
258	PKCS7err(PKCS7_F_PKCS7_ADD_SIGNER,ERR_R_MALLOC_FAILURE);	277	PKCS7err(PKCS7_F_PKCS7_ADD_SIGNER,ERR_R_MALLOC_FAILURE);
259	return(0);	278	return(0);
260	}	279	}
261	alg->algorithm=OBJ_nid2obj(nid);	280	alg->algorithm=OBJ_nid2obj(nid);
262	alg->parameter->type = V_ASN1_NULL;	281	alg->parameter->type = V_ASN1_NULL;
263	sk_X509_ALGOR_push(md_sk,alg);	282	if (!sk_X509_ALGOR_push(md_sk,alg))
		283	{
		284	X509_ALGOR_free(alg);
		285	return 0;
		286	}
264	}	287	}
265		288
266	sk_PKCS7_SIGNER_INFO_push(signer_sk,psi);	289	if (!sk_PKCS7_SIGNER_INFO_push(signer_sk,psi))
		290	return 0;
267	return(1);	291	return(1);
268	}	292	}
269		293
@@ -288,8 +312,17 @@ int PKCS7_add_certificate(PKCS7 p7, X509 x509)
288		312
289	if (*sk == NULL)	313	if (*sk == NULL)
290	*sk=sk_X509_new_null();	314	*sk=sk_X509_new_null();
		315	if (*sk == NULL)
		316	{
		317	PKCS7err(PKCS7_F_PKCS7_ADD_CERTIFICATE,ERR_R_MALLOC_FAILURE);
		318	return 0;
		319	}
291	CRYPTO_add(&x509->references,1,CRYPTO_LOCK_X509);	320	CRYPTO_add(&x509->references,1,CRYPTO_LOCK_X509);
292	sk_X509_push(*sk,x509);	321	if (!sk_X509_push(*sk,x509))
		322	{
		323	X509_free(x509);
		324	return 0;
		325	}
293	return(1);	326	return(1);
294	}	327	}
295		328
@@ -314,18 +347,31 @@ int PKCS7_add_crl(PKCS7 p7, X509_CRL crl)
314		347
315	if (*sk == NULL)	348	if (*sk == NULL)
316	*sk=sk_X509_CRL_new_null();	349	*sk=sk_X509_CRL_new_null();
		350	if (*sk == NULL)
		351	{
		352	PKCS7err(PKCS7_F_PKCS7_ADD_CRL,ERR_R_MALLOC_FAILURE);
		353	return 0;
		354	}
317		355
318	CRYPTO_add(&crl->references,1,CRYPTO_LOCK_X509_CRL);	356	CRYPTO_add(&crl->references,1,CRYPTO_LOCK_X509_CRL);
319	sk_X509_CRL_push(*sk,crl);	357	if (!sk_X509_CRL_push(*sk,crl))
		358	{
		359	X509_CRL_free(crl);
		360	return 0;
		361	}
320	return(1);	362	return(1);
321	}	363	}
322		364
323	int PKCS7_SIGNER_INFO_set(PKCS7_SIGNER_INFO p7i, X509 x509, EVP_PKEY *pkey,	365	int PKCS7_SIGNER_INFO_set(PKCS7_SIGNER_INFO p7i, X509 x509, EVP_PKEY *pkey,
324	const EVP_MD *dgst)	366	const EVP_MD *dgst)
325	{	367	{
		368	int nid;
326	char is_dsa;	369	char is_dsa;
327	if (pkey->type == EVP_PKEY_DSA) is_dsa = 1;	370
328	else is_dsa = 0;	371	if (pkey->type == EVP_PKEY_DSA \|\| pkey->type == EVP_PKEY_EC)
		372	is_dsa = 1;
		373	else
		374	is_dsa = 0;
329	/* We now need to add another PKCS7_SIGNER_INFO entry */	375	/* We now need to add another PKCS7_SIGNER_INFO entry */
330	if (!ASN1_INTEGER_set(p7i->version,1))	376	if (!ASN1_INTEGER_set(p7i->version,1))
331	goto err;	377	goto err;
@@ -355,16 +401,38 @@ int PKCS7_SIGNER_INFO_set(PKCS7_SIGNER_INFO p7i, X509 x509, EVP_PKEY *pkey,
355	goto err;	401	goto err;
356	p7i->digest_alg->parameter->type=V_ASN1_NULL;	402	p7i->digest_alg->parameter->type=V_ASN1_NULL;
357		403
358	p7i->digest_enc_alg->algorithm=OBJ_nid2obj(EVP_PKEY_type(pkey->type));
359
360	if (p7i->digest_enc_alg->parameter != NULL)	404	if (p7i->digest_enc_alg->parameter != NULL)
361	ASN1_TYPE_free(p7i->digest_enc_alg->parameter);	405	ASN1_TYPE_free(p7i->digest_enc_alg->parameter);
362	if(is_dsa) p7i->digest_enc_alg->parameter = NULL;	406	nid = EVP_PKEY_type(pkey->type);
363	else {	407	if (nid == EVP_PKEY_RSA)
		408	{
		409	p7i->digest_enc_alg->algorithm=OBJ_nid2obj(NID_rsaEncryption);
364	if (!(p7i->digest_enc_alg->parameter=ASN1_TYPE_new()))	410	if (!(p7i->digest_enc_alg->parameter=ASN1_TYPE_new()))
365	goto err;	411	goto err;
366	p7i->digest_enc_alg->parameter->type=V_ASN1_NULL;	412	p7i->digest_enc_alg->parameter->type=V_ASN1_NULL;
367	}	413	}
		414	else if (nid == EVP_PKEY_DSA)
		415	{
		416	#if 1
		417	/* use 'dsaEncryption' OID for compatibility with other software
		418	* (PKCS #7 v1.5 does specify how to handle DSA) ... */
		419	p7i->digest_enc_alg->algorithm=OBJ_nid2obj(NID_dsa);
		420	#else
		421	/* ... although the 'dsaWithSHA1' OID (as required by RFC 2630 for CMS)
		422	* would make more sense. */
		423	p7i->digest_enc_alg->algorithm=OBJ_nid2obj(NID_dsaWithSHA1);
		424	#endif
		425	p7i->digest_enc_alg->parameter = NULL; /* special case for DSA: omit 'parameter'! */
		426	}
		427	else if (nid == EVP_PKEY_EC)
		428	{
		429	p7i->digest_enc_alg->algorithm=OBJ_nid2obj(NID_ecdsa_with_SHA1);
		430	if (!(p7i->digest_enc_alg->parameter=ASN1_TYPE_new()))
		431	goto err;
		432	p7i->digest_enc_alg->parameter->type=V_ASN1_NULL;
		433	}
		434	else
		435	return(0);
368		436
369	return(1);	437	return(1);
370	err:	438	err:
@@ -381,9 +449,28 @@ PKCS7_SIGNER_INFO PKCS7_add_signature(PKCS7 p7, X509 x509, EVP_PKEY pkey,
381	if (!PKCS7_add_signer(p7,si)) goto err;	449	if (!PKCS7_add_signer(p7,si)) goto err;
382	return(si);	450	return(si);
383	err:	451	err:
		452	PKCS7_SIGNER_INFO_free(si);
384	return(NULL);	453	return(NULL);
385	}	454	}
386		455
		456	int PKCS7_set_digest(PKCS7 p7, const EVP_MD md)
		457	{
		458	if (PKCS7_type_is_digest(p7))
		459	{
		460	if(!(p7->d.digest->md->parameter = ASN1_TYPE_new()))
		461	{
		462	PKCS7err(PKCS7_F_PKCS7_SET_DIGEST,ERR_R_MALLOC_FAILURE);
		463	return 0;
		464	}
		465	p7->d.digest->md->parameter->type = V_ASN1_NULL;
		466	p7->d.digest->md->algorithm = OBJ_nid2obj(EVP_MD_nid(md));
		467	return 1;
		468	}
		469
		470	PKCS7err(PKCS7_F_PKCS7_SET_DIGEST,PKCS7_R_WRONG_CONTENT_TYPE);
		471	return 1;
		472	}
		473
387	STACK_OF(PKCS7_SIGNER_INFO) PKCS7_get_signer_info(PKCS7 p7)	474	STACK_OF(PKCS7_SIGNER_INFO) PKCS7_get_signer_info(PKCS7 p7)
388	{	475	{
389	if (PKCS7_type_is_signed(p7))	476	if (PKCS7_type_is_signed(p7))
@@ -407,6 +494,7 @@ PKCS7_RECIP_INFO PKCS7_add_recipient(PKCS7 p7, X509 *x509)
407	if (!PKCS7_add_recipient_info(p7,ri)) goto err;	494	if (!PKCS7_add_recipient_info(p7,ri)) goto err;
408	return(ri);	495	return(ri);
409	err:	496	err:
		497	PKCS7_RECIP_INFO_free(ri);
410	return(NULL);	498	return(NULL);
411	}	499	}
412		500
@@ -429,7 +517,8 @@ int PKCS7_add_recipient_info(PKCS7 p7, PKCS7_RECIP_INFO ri)
429	return(0);	517	return(0);
430	}	518	}
431		519
432	sk_PKCS7_RECIP_INFO_push(sk,ri);	520	if (!sk_PKCS7_RECIP_INFO_push(sk,ri))
		521	return 0;
433	return(1);	522	return(1);
434	}	523	}
435		524