1 files changed, 97 insertions, 64 deletions
diff --git a/src/lib/libssl/src/crypto/pkcs7/pk7_doit.c b/src/lib/libssl/src/crypto/pkcs7/pk7_doit.c
index bf43d030ad..4a4ff340ce 100644
--- a/src/lib/libssl/src/crypto/pkcs7/pk7_doit.c
+++ b/src/lib/libssl/src/crypto/pkcs7/pk7_doit.c
@@ -67,6 +67,38 @@ static int add_attribute(STACK_OF(X509_ATTRIBUTE) **sk, int nid, int atrtype,
                         void *value);
 static ASN1_TYPE *get_attribute(STACK_OF(X509_ATTRIBUTE) *sk, int nid);
+static int PKCS7_type_is_other(PKCS7* p7)
+        {
+        int isOther=1;
+        
+        int nid=OBJ_obj2nid(p7->type);
+        switch( nid )
+                {
+        case NID_pkcs7_data:
+        case NID_pkcs7_signed:
+        case NID_pkcs7_enveloped:
+        case NID_pkcs7_signedAndEnveloped:
+        case NID_pkcs7_digest:
+        case NID_pkcs7_encrypted:
+                isOther=0;
+                break;
+        default:
+                isOther=1;
+                }
+        return isOther;
+        }
+static int PKCS7_type_is_octet_string(PKCS7* p7)
+        {
+        if ( 0==PKCS7_type_is_other(p7) )
+                return 0;
+        return (V_ASN1_OCTET_STRING==p7->d.other->type) ? 1 : 0;
+        }
 BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio)
        {
        int i,j;
@@ -165,7 +197,7 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio)
                        goto err;
                xalg->algorithm = OBJ_nid2obj(EVP_CIPHER_type(evp_cipher));
                if (ivlen > 0) RAND_pseudo_bytes(iv,ivlen);
-                EVP_CipherInit(ctx, evp_cipher, key, iv, 1);
+                EVP_CipherInit_ex(ctx, evp_cipher, NULL, key, iv, 1);
                if (ivlen > 0) {
                        if (xalg->parameter == NULL) 
@@ -219,16 +251,23 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio)
                }
        if (bio == NULL) {
-                if (p7->detached)
+                if (PKCS7_is_detached(p7))
                        bio=BIO_new(BIO_s_null());
                else {
-                        if (PKCS7_type_is_signed(p7) &&
+                        if (PKCS7_type_is_signed(p7) ) { 
-                                PKCS7_type_is_data(p7->d.sign->contents)) {
+                                if ( PKCS7_type_is_data(p7->d.sign->contents)) {
-                                ASN1_OCTET_STRING *os;
+                                        ASN1_OCTET_STRING *os;
-                                os=p7->d.sign->contents->d.data;
+                                        os=p7->d.sign->contents->d.data;
-                                if (os->length > 0) bio = 
+                                        if (os->length > 0)
-                                        BIO_new_mem_buf(os->data, os->length);
+                                                bio = BIO_new_mem_buf(os->data, os->length);
-                        } 
+                                }
+                                else if ( PKCS7_type_is_octet_string(p7->d.sign->contents) ) {
+                                        ASN1_OCTET_STRING *os;
+                                        os=p7->d.sign->contents->d.other->value.octet_string;
+                                        if (os->length > 0)
+                                                bio = BIO_new_mem_buf(os->data, os->length);
+                                }
+                        }
                        if(bio == NULL) {
                                bio=BIO_new(BIO_s_mem());
                                BIO_set_mem_eof_return(bio,0);
@@ -391,7 +430,7 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
                evp_ctx=NULL;
                BIO_get_cipher_ctx(etmp,&evp_ctx);
-                EVP_CipherInit(evp_ctx,evp_cipher,NULL,NULL,0);
+                EVP_CipherInit_ex(evp_ctx,evp_cipher,NULL,NULL,NULL,0);
                if (EVP_CIPHER_asn1_to_param(evp_ctx,enc_alg->parameter) < 0)
                        goto err;
@@ -407,7 +446,7 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
                                goto err;
                                }
                } 
-                EVP_CipherInit(evp_ctx,NULL,tmp,NULL,0);
+                EVP_CipherInit_ex(evp_ctx,NULL,NULL,tmp,NULL,0);
                memset(tmp,0,jj);
@@ -419,7 +458,7 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
                }
 #if 1
-        if (p7->detached || (in_bio != NULL))
+        if (PKCS7_is_detached(p7) || (in_bio != NULL))
                {
                bio=in_bio;
                }
@@ -471,10 +510,9 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
        EVP_MD_CTX *mdc,ctx_tmp;
        STACK_OF(X509_ATTRIBUTE) *sk;
        STACK_OF(PKCS7_SIGNER_INFO) *si_sk=NULL;
-        unsigned char *p,*pp=NULL;
-        int x;
        ASN1_OCTET_STRING *os=NULL;
+        EVP_MD_CTX_init(&ctx_tmp);
        i=OBJ_obj2nid(p7->type);
        p7->state=PKCS7_S_HEADER;
@@ -528,7 +566,7 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
                                BIO_get_md_ctx(btmp,&mdc);
                                if (mdc == NULL)
                                        {
-                                        PKCS7err(PKCS7_F_PKCS7_DATASIGN,PKCS7_R_INTERNAL_ERROR);
+                                        PKCS7err(PKCS7_F_PKCS7_DATASIGN,ERR_R_INTERNAL_ERROR);
                                        goto err;
                                        }
                                if (EVP_MD_CTX_type(mdc) == j)
@@ -539,7 +577,7 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
                        
                        /* We now have the EVP_MD_CTX, lets do the
                         * signing. */
-                        memcpy(&ctx_tmp,mdc,sizeof(ctx_tmp));
+                        EVP_MD_CTX_copy_ex(&ctx_tmp,mdc);
                        if (!BUF_MEM_grow(buf,EVP_PKEY_size(si->pkey)))
                                {
                                PKCS7err(PKCS7_F_PKCS7_DATASIGN,ERR_R_BIO_LIB);
@@ -552,43 +590,41 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
                         * attribute and only sign the attributes */
                        if ((sk != NULL) && (sk_X509_ATTRIBUTE_num(sk) != 0))
                                {
-                                unsigned char md_data[EVP_MAX_MD_SIZE];
+                                unsigned char md_data[EVP_MAX_MD_SIZE], *abuf=NULL;
-                                unsigned int md_len;
+                                unsigned int md_len, alen;
                                ASN1_OCTET_STRING *digest;
                                ASN1_UTCTIME *sign_time;
                                const EVP_MD *md_tmp;
-                                /* Add signing time */
+                                /* Add signing time if not already present */
-                                sign_time=X509_gmtime_adj(NULL,0);
+                                if (!PKCS7_get_signed_attribute(si,
-                                PKCS7_add_signed_attribute(si,
+                                                        NID_pkcs9_signingTime))
-                                        NID_pkcs9_signingTime,
+                                        {
-                                        V_ASN1_UTCTIME,sign_time);
+                                        sign_time=X509_gmtime_adj(NULL,0);
+                                        PKCS7_add_signed_attribute(si,
+                                                NID_pkcs9_signingTime,
+                                                V_ASN1_UTCTIME,sign_time);
+                                        }
                                /* Add digest */
                                md_tmp=EVP_MD_CTX_md(&ctx_tmp);
-                                EVP_DigestFinal(&ctx_tmp,md_data,&md_len);
+                                EVP_DigestFinal_ex(&ctx_tmp,md_data,&md_len);
                                digest=M_ASN1_OCTET_STRING_new();
                                M_ASN1_OCTET_STRING_set(digest,md_data,md_len);
                                PKCS7_add_signed_attribute(si,
                                        NID_pkcs9_messageDigest,
                                        V_ASN1_OCTET_STRING,digest);
-                                /* Now sign the mess */
+                                /* Now sign the attributes */
-                                EVP_SignInit(&ctx_tmp,md_tmp);
+                                EVP_SignInit_ex(&ctx_tmp,md_tmp,NULL);
-                                x=i2d_ASN1_SET_OF_X509_ATTRIBUTE(sk,NULL,
+                                alen = ASN1_item_i2d((ASN1_VALUE *)sk,&abuf,
-                                           i2d_X509_ATTRIBUTE,
+                                                        ASN1_ITEM_rptr(PKCS7_ATTR_SIGN));
-                                           V_ASN1_SET,V_ASN1_UNIVERSAL,IS_SET);
+                                if(!abuf) goto err;
-                                pp=(unsigned char *)OPENSSL_malloc(x);
+                                EVP_SignUpdate(&ctx_tmp,abuf,alen);
-                                p=pp;
+                                OPENSSL_free(abuf);
-                                i2d_ASN1_SET_OF_X509_ATTRIBUTE(sk,&p,
-                                           i2d_X509_ATTRIBUTE,
-                                           V_ASN1_SET,V_ASN1_UNIVERSAL,IS_SET);
-                                EVP_SignUpdate(&ctx_tmp,pp,x);
-                                OPENSSL_free(pp);
-                                pp=NULL;
                                }
-#ifndef NO_DSA
+#ifndef OPENSSL_NO_DSA
                        if (si->pkey->type == EVP_PKEY_DSA)
                                ctx_tmp.digest=EVP_dss1();
 #endif
@@ -608,7 +644,7 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
                        }
                }
-        if (!p7->detached)
+        if (!PKCS7_is_detached(p7))
                {
                btmp=BIO_find_type(bio,BIO_TYPE_MEM);
                if (btmp == NULL)
@@ -629,11 +665,9 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
                        (unsigned char *)buf_mem->data,buf_mem->length);
 #endif
                }
-        if (pp != NULL) OPENSSL_free(pp);
-        pp=NULL;
        ret=1;
 err:
+        EVP_MD_CTX_cleanup(&ctx_tmp);
        if (buf != NULL) BUF_MEM_free(buf);
        return(ret);
        }
@@ -672,7 +706,11 @@ int PKCS7_dataVerify(X509_STORE *cert_store, X509_STORE_CTX *ctx, BIO *bio,
                }
        /* Lets verify */
-        X509_STORE_CTX_init(ctx,cert_store,x509,cert);
+        if(!X509_STORE_CTX_init(ctx,cert_store,x509,cert))
+                {
+                PKCS7err(PKCS7_F_PKCS7_DATAVERIFY,ERR_R_X509_LIB);
+                goto err;
+                }
        X509_STORE_CTX_set_purpose(ctx, X509_PURPOSE_SMIME_SIGN);
        i=X509_verify_cert(ctx);
        if (i <= 0) 
@@ -693,13 +731,14 @@ int PKCS7_signatureVerify(BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si,
        {
        ASN1_OCTET_STRING *os;
        EVP_MD_CTX mdc_tmp,*mdc;
-        unsigned char *pp,*p;
        int ret=0,i;
        int md_type;
        STACK_OF(X509_ATTRIBUTE) *sk;
        BIO *btmp;
        EVP_PKEY *pkey;
+        EVP_MD_CTX_init(&mdc_tmp);
        if (!PKCS7_type_is_signed(p7) && 
                                !PKCS7_type_is_signedAndEnveloped(p7)) {
                PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY,
@@ -723,7 +762,7 @@ int PKCS7_signatureVerify(BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si,
                if (mdc == NULL)
                        {
                        PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY,
-                                                        PKCS7_R_INTERNAL_ERROR);
+                                                        ERR_R_INTERNAL_ERROR);
                        goto err;
                        }
                if (EVP_MD_CTX_type(mdc) == md_type)
@@ -733,16 +772,16 @@ int PKCS7_signatureVerify(BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si,
        /* mdc is the digest ctx that we want, unless there are attributes,
         * in which case the digest is the signed attributes */
-        memcpy(&mdc_tmp,mdc,sizeof(mdc_tmp));
+        EVP_MD_CTX_copy_ex(&mdc_tmp,mdc);
        sk=si->auth_attr;
        if ((sk != NULL) && (sk_X509_ATTRIBUTE_num(sk) != 0))
                {
-                unsigned char md_dat[EVP_MAX_MD_SIZE];
+                unsigned char md_dat[EVP_MAX_MD_SIZE], *abuf = NULL;
-                unsigned int md_len;
+                unsigned int md_len, alen;
                ASN1_OCTET_STRING *message_digest;
-                EVP_DigestFinal(&mdc_tmp,md_dat,&md_len);
+                EVP_DigestFinal_ex(&mdc_tmp,md_dat,&md_len);
                message_digest=PKCS7_digest_from_attributes(sk);
                if (!message_digest)
                        {
@@ -767,20 +806,13 @@ for (ii=0; ii<md_len; ii++) printf("%02X",md_dat[ii]); printf(" calc\n");
                        goto err;
                        }
-                EVP_VerifyInit(&mdc_tmp,EVP_get_digestbynid(md_type));
+                EVP_VerifyInit_ex(&mdc_tmp,EVP_get_digestbynid(md_type), NULL);
-                /* Note: when forming the encoding of the attributes we
-                 * shouldn't reorder them or this will break the signature.
+                alen = ASN1_item_i2d((ASN1_VALUE *)sk, &abuf,
-                 * This is done by using the IS_SEQUENCE flag.
+                                                ASN1_ITEM_rptr(PKCS7_ATTR_VERIFY));
-                 */
+                EVP_VerifyUpdate(&mdc_tmp, abuf, alen);
-                i=i2d_ASN1_SET_OF_X509_ATTRIBUTE(sk,NULL,i2d_X509_ATTRIBUTE,
-                        V_ASN1_SET,V_ASN1_UNIVERSAL, IS_SEQUENCE);
-                pp=OPENSSL_malloc(i);
-                p=pp;
-                i2d_ASN1_SET_OF_X509_ATTRIBUTE(sk,&p,i2d_X509_ATTRIBUTE,
-                        V_ASN1_SET,V_ASN1_UNIVERSAL, IS_SEQUENCE);
-                EVP_VerifyUpdate(&mdc_tmp,pp,i);
-                OPENSSL_free(pp);
+                OPENSSL_free(abuf);
                }
        os=si->enc_digest;
@@ -790,7 +822,7 @@ for (ii=0; ii<md_len; ii++) printf("%02X",md_dat[ii]); printf(" calc\n");
                ret = -1;
                goto err;
                }
-#ifndef NO_DSA
+#ifndef OPENSSL_NO_DSA
        if(pkey->type == EVP_PKEY_DSA) mdc_tmp.digest=EVP_dss1();
 #endif
@@ -806,6 +838,7 @@ for (ii=0; ii<md_len; ii++) printf("%02X",md_dat[ii]); printf(" calc\n");
        else
                ret=1;
 err:
+        EVP_MD_CTX_cleanup(&mdc_tmp);
        return(ret);
        }
@@ -847,7 +880,7 @@ static ASN1_TYPE *get_attribute(STACK_OF(X509_ATTRIBUTE) *sk, int nid)
                xa=sk_X509_ATTRIBUTE_value(sk,i);
                if (OBJ_cmp(xa->object,o) == 0)
                        {
-                        if (xa->set && sk_ASN1_TYPE_num(xa->value.set))
+                        if (!xa->single && sk_ASN1_TYPE_num(xa->value.set))
                                return(sk_ASN1_TYPE_value(xa->value.set,0));
                        else
                                return(NULL);

diff --git a/src/lib/libssl/src/crypto/pkcs7/pk7_doit.c b/src/lib/libssl/src/crypto/pkcs7/pk7_doit.c index bf43d030ad..4a4ff340ce 100644 --- a/src/lib/libssl/src/crypto/pkcs7/pk7_doit.c +++ b/src/lib/libssl/src/crypto/pkcs7/pk7_doit.c
@@ -67,6 +67,38 @@ static int add_attribute(STACK_OF(X509_ATTRIBUTE) **sk, int nid, int atrtype,
67	void *value);	67	void *value);
68	static ASN1_TYPE get_attribute(STACK_OF(X509_ATTRIBUTE) sk, int nid);	68	static ASN1_TYPE get_attribute(STACK_OF(X509_ATTRIBUTE) sk, int nid);
69		69
		70	static int PKCS7_type_is_other(PKCS7* p7)
		71	{
		72	int isOther=1;
		73
		74	int nid=OBJ_obj2nid(p7->type);
		75
		76	switch( nid )
		77	{
		78	case NID_pkcs7_data:
		79	case NID_pkcs7_signed:
		80	case NID_pkcs7_enveloped:
		81	case NID_pkcs7_signedAndEnveloped:
		82	case NID_pkcs7_digest:
		83	case NID_pkcs7_encrypted:
		84	isOther=0;
		85	break;
		86	default:
		87	isOther=1;
		88	}
		89
		90	return isOther;
		91
		92	}
		93
		94	static int PKCS7_type_is_octet_string(PKCS7* p7)
		95	{
		96	if ( 0==PKCS7_type_is_other(p7) )
		97	return 0;
		98
		99	return (V_ASN1_OCTET_STRING==p7->d.other->type) ? 1 : 0;
		100	}
		101
70	BIO PKCS7_dataInit(PKCS7 p7, BIO *bio)	102	BIO PKCS7_dataInit(PKCS7 p7, BIO *bio)
71	{	103	{
72	int i,j;	104	int i,j;
@@ -165,7 +197,7 @@ BIO PKCS7_dataInit(PKCS7 p7, BIO *bio)
165	goto err;	197	goto err;
166	xalg->algorithm = OBJ_nid2obj(EVP_CIPHER_type(evp_cipher));	198	xalg->algorithm = OBJ_nid2obj(EVP_CIPHER_type(evp_cipher));
167	if (ivlen > 0) RAND_pseudo_bytes(iv,ivlen);	199	if (ivlen > 0) RAND_pseudo_bytes(iv,ivlen);
168	EVP_CipherInit(ctx, evp_cipher, key, iv, 1);	200	EVP_CipherInit_ex(ctx, evp_cipher, NULL, key, iv, 1);
169		201
170	if (ivlen > 0) {	202	if (ivlen > 0) {
171	if (xalg->parameter == NULL)	203	if (xalg->parameter == NULL)
@@ -219,16 +251,23 @@ BIO PKCS7_dataInit(PKCS7 p7, BIO *bio)
219	}	251	}
220		252
221	if (bio == NULL) {	253	if (bio == NULL) {
222	if (p7->detached)	254	if (PKCS7_is_detached(p7))
223	bio=BIO_new(BIO_s_null());	255	bio=BIO_new(BIO_s_null());
224	else {	256	else {
225	if (PKCS7_type_is_signed(p7) &&	257	if (PKCS7_type_is_signed(p7) ) {
226	PKCS7_type_is_data(p7->d.sign->contents)) {	258	if ( PKCS7_type_is_data(p7->d.sign->contents)) {
227	ASN1_OCTET_STRING *os;	259	ASN1_OCTET_STRING *os;
228	os=p7->d.sign->contents->d.data;	260	os=p7->d.sign->contents->d.data;
229	if (os->length > 0) bio =	261	if (os->length > 0)
230	BIO_new_mem_buf(os->data, os->length);	262	bio = BIO_new_mem_buf(os->data, os->length);
231	}	263	}
		264	else if ( PKCS7_type_is_octet_string(p7->d.sign->contents) ) {
		265	ASN1_OCTET_STRING *os;
		266	os=p7->d.sign->contents->d.other->value.octet_string;
		267	if (os->length > 0)
		268	bio = BIO_new_mem_buf(os->data, os->length);
		269	}
		270	}
232	if(bio == NULL) {	271	if(bio == NULL) {
233	bio=BIO_new(BIO_s_mem());	272	bio=BIO_new(BIO_s_mem());
234	BIO_set_mem_eof_return(bio,0);	273	BIO_set_mem_eof_return(bio,0);
@@ -391,7 +430,7 @@ BIO PKCS7_dataDecode(PKCS7 p7, EVP_PKEY pkey, BIO in_bio, X509 *pcert)
391		430
392	evp_ctx=NULL;	431	evp_ctx=NULL;
393	BIO_get_cipher_ctx(etmp,&evp_ctx);	432	BIO_get_cipher_ctx(etmp,&evp_ctx);
394	EVP_CipherInit(evp_ctx,evp_cipher,NULL,NULL,0);	433	EVP_CipherInit_ex(evp_ctx,evp_cipher,NULL,NULL,NULL,0);
395	if (EVP_CIPHER_asn1_to_param(evp_ctx,enc_alg->parameter) < 0)	434	if (EVP_CIPHER_asn1_to_param(evp_ctx,enc_alg->parameter) < 0)
396	goto err;	435	goto err;
397		436
@@ -407,7 +446,7 @@ BIO PKCS7_dataDecode(PKCS7 p7, EVP_PKEY pkey, BIO in_bio, X509 *pcert)
407	goto err;	446	goto err;
408	}	447	}
409	}	448	}
410	EVP_CipherInit(evp_ctx,NULL,tmp,NULL,0);	449	EVP_CipherInit_ex(evp_ctx,NULL,NULL,tmp,NULL,0);
411		450
412	memset(tmp,0,jj);	451	memset(tmp,0,jj);
413		452
@@ -419,7 +458,7 @@ BIO PKCS7_dataDecode(PKCS7 p7, EVP_PKEY pkey, BIO in_bio, X509 *pcert)
419	}	458	}
420		459
421	#if 1	460	#if 1
422	if (p7->detached \|\| (in_bio != NULL))	461	if (PKCS7_is_detached(p7) \|\| (in_bio != NULL))
423	{	462	{
424	bio=in_bio;	463	bio=in_bio;
425	}	464	}
@@ -471,10 +510,9 @@ int PKCS7_dataFinal(PKCS7 p7, BIO bio)
471	EVP_MD_CTX *mdc,ctx_tmp;	510	EVP_MD_CTX *mdc,ctx_tmp;
472	STACK_OF(X509_ATTRIBUTE) *sk;	511	STACK_OF(X509_ATTRIBUTE) *sk;
473	STACK_OF(PKCS7_SIGNER_INFO) *si_sk=NULL;	512	STACK_OF(PKCS7_SIGNER_INFO) *si_sk=NULL;
474	unsigned char p,pp=NULL;
475	int x;
476	ASN1_OCTET_STRING *os=NULL;	513	ASN1_OCTET_STRING *os=NULL;
477		514
		515	EVP_MD_CTX_init(&ctx_tmp);
478	i=OBJ_obj2nid(p7->type);	516	i=OBJ_obj2nid(p7->type);
479	p7->state=PKCS7_S_HEADER;	517	p7->state=PKCS7_S_HEADER;
480		518
@@ -528,7 +566,7 @@ int PKCS7_dataFinal(PKCS7 p7, BIO bio)
528	BIO_get_md_ctx(btmp,&mdc);	566	BIO_get_md_ctx(btmp,&mdc);
529	if (mdc == NULL)	567	if (mdc == NULL)
530	{	568	{
531	PKCS7err(PKCS7_F_PKCS7_DATASIGN,PKCS7_R_INTERNAL_ERROR);	569	PKCS7err(PKCS7_F_PKCS7_DATASIGN,ERR_R_INTERNAL_ERROR);
532	goto err;	570	goto err;
533	}	571	}
534	if (EVP_MD_CTX_type(mdc) == j)	572	if (EVP_MD_CTX_type(mdc) == j)
@@ -539,7 +577,7 @@ int PKCS7_dataFinal(PKCS7 p7, BIO bio)
539		577
540	/* We now have the EVP_MD_CTX, lets do the	578	/* We now have the EVP_MD_CTX, lets do the
541	* signing. */	579	* signing. */
542	memcpy(&ctx_tmp,mdc,sizeof(ctx_tmp));	580	EVP_MD_CTX_copy_ex(&ctx_tmp,mdc);
543	if (!BUF_MEM_grow(buf,EVP_PKEY_size(si->pkey)))	581	if (!BUF_MEM_grow(buf,EVP_PKEY_size(si->pkey)))
544	{	582	{
545	PKCS7err(PKCS7_F_PKCS7_DATASIGN,ERR_R_BIO_LIB);	583	PKCS7err(PKCS7_F_PKCS7_DATASIGN,ERR_R_BIO_LIB);
@@ -552,43 +590,41 @@ int PKCS7_dataFinal(PKCS7 p7, BIO bio)
552	* attribute and only sign the attributes */	590	* attribute and only sign the attributes */
553	if ((sk != NULL) && (sk_X509_ATTRIBUTE_num(sk) != 0))	591	if ((sk != NULL) && (sk_X509_ATTRIBUTE_num(sk) != 0))
554	{	592	{
555	unsigned char md_data[EVP_MAX_MD_SIZE];	593	unsigned char md_data[EVP_MAX_MD_SIZE], *abuf=NULL;
556	unsigned int md_len;	594	unsigned int md_len, alen;
557	ASN1_OCTET_STRING *digest;	595	ASN1_OCTET_STRING *digest;
558	ASN1_UTCTIME *sign_time;	596	ASN1_UTCTIME *sign_time;
559	const EVP_MD *md_tmp;	597	const EVP_MD *md_tmp;
560		598
561	/* Add signing time */	599	/* Add signing time if not already present */
562	sign_time=X509_gmtime_adj(NULL,0);	600	if (!PKCS7_get_signed_attribute(si,
563	PKCS7_add_signed_attribute(si,	601	NID_pkcs9_signingTime))
564	NID_pkcs9_signingTime,	602	{
565	V_ASN1_UTCTIME,sign_time);	603	sign_time=X509_gmtime_adj(NULL,0);
		604	PKCS7_add_signed_attribute(si,
		605	NID_pkcs9_signingTime,
		606	V_ASN1_UTCTIME,sign_time);
		607	}
566		608
567	/* Add digest */	609	/* Add digest */
568	md_tmp=EVP_MD_CTX_md(&ctx_tmp);	610	md_tmp=EVP_MD_CTX_md(&ctx_tmp);
569	EVP_DigestFinal(&ctx_tmp,md_data,&md_len);	611	EVP_DigestFinal_ex(&ctx_tmp,md_data,&md_len);
570	digest=M_ASN1_OCTET_STRING_new();	612	digest=M_ASN1_OCTET_STRING_new();
571	M_ASN1_OCTET_STRING_set(digest,md_data,md_len);	613	M_ASN1_OCTET_STRING_set(digest,md_data,md_len);
572	PKCS7_add_signed_attribute(si,	614	PKCS7_add_signed_attribute(si,
573	NID_pkcs9_messageDigest,	615	NID_pkcs9_messageDigest,
574	V_ASN1_OCTET_STRING,digest);	616	V_ASN1_OCTET_STRING,digest);
575		617
576	/* Now sign the mess */	618	/* Now sign the attributes */
577	EVP_SignInit(&ctx_tmp,md_tmp);	619	EVP_SignInit_ex(&ctx_tmp,md_tmp,NULL);
578	x=i2d_ASN1_SET_OF_X509_ATTRIBUTE(sk,NULL,	620	alen = ASN1_item_i2d((ASN1_VALUE *)sk,&abuf,
579	i2d_X509_ATTRIBUTE,	621	ASN1_ITEM_rptr(PKCS7_ATTR_SIGN));
580	V_ASN1_SET,V_ASN1_UNIVERSAL,IS_SET);	622	if(!abuf) goto err;
581	pp=(unsigned char *)OPENSSL_malloc(x);	623	EVP_SignUpdate(&ctx_tmp,abuf,alen);
582	p=pp;	624	OPENSSL_free(abuf);
583	i2d_ASN1_SET_OF_X509_ATTRIBUTE(sk,&p,
584	i2d_X509_ATTRIBUTE,
585	V_ASN1_SET,V_ASN1_UNIVERSAL,IS_SET);
586	EVP_SignUpdate(&ctx_tmp,pp,x);
587	OPENSSL_free(pp);
588	pp=NULL;
589	}	625	}
590		626
591	#ifndef NO_DSA	627	#ifndef OPENSSL_NO_DSA
592	if (si->pkey->type == EVP_PKEY_DSA)	628	if (si->pkey->type == EVP_PKEY_DSA)
593	ctx_tmp.digest=EVP_dss1();	629	ctx_tmp.digest=EVP_dss1();
594	#endif	630	#endif
@@ -608,7 +644,7 @@ int PKCS7_dataFinal(PKCS7 p7, BIO bio)
608	}	644	}
609	}	645	}
610		646
611	if (!p7->detached)	647	if (!PKCS7_is_detached(p7))
612	{	648	{
613	btmp=BIO_find_type(bio,BIO_TYPE_MEM);	649	btmp=BIO_find_type(bio,BIO_TYPE_MEM);
614	if (btmp == NULL)	650	if (btmp == NULL)
@@ -629,11 +665,9 @@ int PKCS7_dataFinal(PKCS7 p7, BIO bio)
629	(unsigned char *)buf_mem->data,buf_mem->length);	665	(unsigned char *)buf_mem->data,buf_mem->length);
630	#endif	666	#endif
631	}	667	}
632	if (pp != NULL) OPENSSL_free(pp);
633	pp=NULL;
634
635	ret=1;	668	ret=1;
636	err:	669	err:
		670	EVP_MD_CTX_cleanup(&ctx_tmp);
637	if (buf != NULL) BUF_MEM_free(buf);	671	if (buf != NULL) BUF_MEM_free(buf);
638	return(ret);	672	return(ret);
639	}	673	}
@@ -672,7 +706,11 @@ int PKCS7_dataVerify(X509_STORE cert_store, X509_STORE_CTX ctx, BIO *bio,
672	}	706	}
673		707
674	/* Lets verify */	708	/* Lets verify */
675	X509_STORE_CTX_init(ctx,cert_store,x509,cert);	709	if(!X509_STORE_CTX_init(ctx,cert_store,x509,cert))
		710	{
		711	PKCS7err(PKCS7_F_PKCS7_DATAVERIFY,ERR_R_X509_LIB);
		712	goto err;
		713	}
676	X509_STORE_CTX_set_purpose(ctx, X509_PURPOSE_SMIME_SIGN);	714	X509_STORE_CTX_set_purpose(ctx, X509_PURPOSE_SMIME_SIGN);
677	i=X509_verify_cert(ctx);	715	i=X509_verify_cert(ctx);
678	if (i <= 0)	716	if (i <= 0)
@@ -693,13 +731,14 @@ int PKCS7_signatureVerify(BIO bio, PKCS7 p7, PKCS7_SIGNER_INFO *si,
693	{	731	{
694	ASN1_OCTET_STRING *os;	732	ASN1_OCTET_STRING *os;
695	EVP_MD_CTX mdc_tmp,*mdc;	733	EVP_MD_CTX mdc_tmp,*mdc;
696	unsigned char pp,p;
697	int ret=0,i;	734	int ret=0,i;
698	int md_type;	735	int md_type;
699	STACK_OF(X509_ATTRIBUTE) *sk;	736	STACK_OF(X509_ATTRIBUTE) *sk;
700	BIO *btmp;	737	BIO *btmp;
701	EVP_PKEY *pkey;	738	EVP_PKEY *pkey;
702		739
		740	EVP_MD_CTX_init(&mdc_tmp);
		741
703	if (!PKCS7_type_is_signed(p7) &&	742	if (!PKCS7_type_is_signed(p7) &&
704	!PKCS7_type_is_signedAndEnveloped(p7)) {	743	!PKCS7_type_is_signedAndEnveloped(p7)) {
705	PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY,	744	PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY,
@@ -723,7 +762,7 @@ int PKCS7_signatureVerify(BIO bio, PKCS7 p7, PKCS7_SIGNER_INFO *si,
723	if (mdc == NULL)	762	if (mdc == NULL)
724	{	763	{
725	PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY,	764	PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY,
726	PKCS7_R_INTERNAL_ERROR);	765	ERR_R_INTERNAL_ERROR);
727	goto err;	766	goto err;
728	}	767	}
729	if (EVP_MD_CTX_type(mdc) == md_type)	768	if (EVP_MD_CTX_type(mdc) == md_type)
@@ -733,16 +772,16 @@ int PKCS7_signatureVerify(BIO bio, PKCS7 p7, PKCS7_SIGNER_INFO *si,
733		772
734	/* mdc is the digest ctx that we want, unless there are attributes,	773	/* mdc is the digest ctx that we want, unless there are attributes,
735	* in which case the digest is the signed attributes */	774	* in which case the digest is the signed attributes */
736	memcpy(&mdc_tmp,mdc,sizeof(mdc_tmp));	775	EVP_MD_CTX_copy_ex(&mdc_tmp,mdc);
737		776
738	sk=si->auth_attr;	777	sk=si->auth_attr;
739	if ((sk != NULL) && (sk_X509_ATTRIBUTE_num(sk) != 0))	778	if ((sk != NULL) && (sk_X509_ATTRIBUTE_num(sk) != 0))
740	{	779	{
741	unsigned char md_dat[EVP_MAX_MD_SIZE];	780	unsigned char md_dat[EVP_MAX_MD_SIZE], *abuf = NULL;
742	unsigned int md_len;	781	unsigned int md_len, alen;
743	ASN1_OCTET_STRING *message_digest;	782	ASN1_OCTET_STRING *message_digest;
744		783
745	EVP_DigestFinal(&mdc_tmp,md_dat,&md_len);	784	EVP_DigestFinal_ex(&mdc_tmp,md_dat,&md_len);
746	message_digest=PKCS7_digest_from_attributes(sk);	785	message_digest=PKCS7_digest_from_attributes(sk);
747	if (!message_digest)	786	if (!message_digest)
748	{	787	{
@@ -767,20 +806,13 @@ for (ii=0; ii<md_len; ii++) printf("%02X",md_dat[ii]); printf(" calc\n");
767	goto err;	806	goto err;
768	}	807	}
769		808
770	EVP_VerifyInit(&mdc_tmp,EVP_get_digestbynid(md_type));	809	EVP_VerifyInit_ex(&mdc_tmp,EVP_get_digestbynid(md_type), NULL);
771	/* Note: when forming the encoding of the attributes we	810
772	* shouldn't reorder them or this will break the signature.	811	alen = ASN1_item_i2d((ASN1_VALUE *)sk, &abuf,
773	* This is done by using the IS_SEQUENCE flag.	812	ASN1_ITEM_rptr(PKCS7_ATTR_VERIFY));
774	*/	813	EVP_VerifyUpdate(&mdc_tmp, abuf, alen);
775	i=i2d_ASN1_SET_OF_X509_ATTRIBUTE(sk,NULL,i2d_X509_ATTRIBUTE,
776	V_ASN1_SET,V_ASN1_UNIVERSAL, IS_SEQUENCE);
777	pp=OPENSSL_malloc(i);
778	p=pp;
779	i2d_ASN1_SET_OF_X509_ATTRIBUTE(sk,&p,i2d_X509_ATTRIBUTE,
780	V_ASN1_SET,V_ASN1_UNIVERSAL, IS_SEQUENCE);
781	EVP_VerifyUpdate(&mdc_tmp,pp,i);
782		814
783	OPENSSL_free(pp);	815	OPENSSL_free(abuf);
784	}	816	}
785		817
786	os=si->enc_digest;	818	os=si->enc_digest;
@@ -790,7 +822,7 @@ for (ii=0; ii<md_len; ii++) printf("%02X",md_dat[ii]); printf(" calc\n");
790	ret = -1;	822	ret = -1;
791	goto err;	823	goto err;
792	}	824	}
793	#ifndef NO_DSA	825	#ifndef OPENSSL_NO_DSA
794	if(pkey->type == EVP_PKEY_DSA) mdc_tmp.digest=EVP_dss1();	826	if(pkey->type == EVP_PKEY_DSA) mdc_tmp.digest=EVP_dss1();
795	#endif	827	#endif
796		828
@@ -806,6 +838,7 @@ for (ii=0; ii<md_len; ii++) printf("%02X",md_dat[ii]); printf(" calc\n");
806	else	838	else
807	ret=1;	839	ret=1;
808	err:	840	err:
		841	EVP_MD_CTX_cleanup(&mdc_tmp);
809	return(ret);	842	return(ret);
810	}	843	}
811		844
@@ -847,7 +880,7 @@ static ASN1_TYPE get_attribute(STACK_OF(X509_ATTRIBUTE) sk, int nid)
847	xa=sk_X509_ATTRIBUTE_value(sk,i);	880	xa=sk_X509_ATTRIBUTE_value(sk,i);
848	if (OBJ_cmp(xa->object,o) == 0)	881	if (OBJ_cmp(xa->object,o) == 0)
849	{	882	{
850	if (xa->set && sk_ASN1_TYPE_num(xa->value.set))	883	if (!xa->single && sk_ASN1_TYPE_num(xa->value.set))
851	return(sk_ASN1_TYPE_value(xa->value.set,0));	884	return(sk_ASN1_TYPE_value(xa->value.set,0));
852	else	885	else
853	return(NULL);	886	return(NULL);