From 59b4da05b4072df79e85b5f8bbf4cf049431b9b6 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Wed, 17 Aug 2016 17:27:05 +0100 Subject: [PATCH] Constify X509_SIG. Constify X509_SIG_get0() and order arguments to mactch new standard. Add X509_SIG_get0_mutable() to support modification or initialisation of an X509_SIG structure. Reviewed-by: Matt Caswell --- apps/pkcs12.c | 14 +++++++------- crypto/asn1/x_sig.c | 13 +++++++++++-- crypto/pkcs12/p12_decr.c | 10 +++++----- crypto/pkcs12/p12_mutl.c | 22 ++++++++++++---------- crypto/pkcs12/p12_npas.c | 12 +++++++----- crypto/pkcs12/p12_p8d.c | 8 ++++---- doc/crypto/X509_SIG_get0.pod | 12 ++++++++---- include/openssl/pkcs12.h | 19 +++++++++++-------- include/openssl/x509.h | 6 ++++-- 9 files changed, 69 insertions(+), 47 deletions(-) diff --git a/apps/pkcs12.c b/apps/pkcs12.c index 1fcd713309..7b12221ae1 100644 --- a/apps/pkcs12.c +++ b/apps/pkcs12.c @@ -40,7 +40,7 @@ int dump_certs_pkeys_bag(BIO *out, PKCS12_SAFEBAG *bags, char *pass, int print_attribs(BIO *out, const STACK_OF(X509_ATTRIBUTE) *attrlst, const char *name); void hex_prin(BIO *out, unsigned char *buf, int len); -static int alg_print(X509_ALGOR *alg); +static int alg_print(const X509_ALGOR *alg); int cert_load(BIO *in, STACK_OF(X509) *sk); static int set_pbe(int *ppbe, const char *str); @@ -521,8 +521,8 @@ int pkcs12_main(int argc, char **argv) OPENSSL_strlcpy(macpass, pass, sizeof macpass); if ((options & INFO) && PKCS12_mac_present(p12)) { - ASN1_INTEGER *tmaciter; - X509_ALGOR *macalgid; + const ASN1_INTEGER *tmaciter; + const X509_ALGOR *macalgid; const ASN1_OBJECT *macobj; PKCS12_get0_mac(NULL, &macalgid, NULL, &tmaciter, p12); X509_ALGOR_get0(&macobj, NULL, NULL, macalgid); @@ -650,12 +650,12 @@ int dump_certs_pkeys_bag(BIO *out, PKCS12_SAFEBAG *bag, char *pass, case NID_pkcs8ShroudedKeyBag: if (options & INFO) { - X509_SIG *tp8; - X509_ALGOR *tp8alg; + const X509_SIG *tp8; + const X509_ALGOR *tp8alg; BIO_printf(bio_err, "Shrouded Keybag: "); tp8 = PKCS12_SAFEBAG_get0_pkcs8(bag); - X509_SIG_get0(&tp8alg, NULL, tp8); + X509_SIG_get0(tp8, &tp8alg, NULL); alg_print(tp8alg); } if (options & NOKEYS) @@ -740,7 +740,7 @@ end: return i; } -static int alg_print(X509_ALGOR *alg) +static int alg_print(const X509_ALGOR *alg) { int pbenid, aparamtype; const ASN1_OBJECT *aoid; diff --git a/crypto/asn1/x_sig.c b/crypto/asn1/x_sig.c index d5b0b69dde..1e835cb191 100644 --- a/crypto/asn1/x_sig.c +++ b/crypto/asn1/x_sig.c @@ -20,8 +20,17 @@ ASN1_SEQUENCE(X509_SIG) = { IMPLEMENT_ASN1_FUNCTIONS(X509_SIG) -void X509_SIG_get0(X509_ALGOR **palg, ASN1_OCTET_STRING **pdigest, - X509_SIG *sig) +void X509_SIG_get0(const X509_SIG *sig, const X509_ALGOR **palg, + const ASN1_OCTET_STRING **pdigest) +{ + if (palg) + *palg = sig->algor; + if (pdigest) + *pdigest = sig->digest; +} + +void X509_SIG_get0_mutable(X509_SIG *sig, X509_ALGOR **palg, + ASN1_OCTET_STRING **pdigest) { if (palg) *palg = sig->algor; diff --git a/crypto/pkcs12/p12_decr.c b/crypto/pkcs12/p12_decr.c index 9ad17d7f8a..3c860584e8 100644 --- a/crypto/pkcs12/p12_decr.c +++ b/crypto/pkcs12/p12_decr.c @@ -20,9 +20,9 @@ * Encrypt/Decrypt a buffer based on password and algor, result in a * OPENSSL_malloc'ed buffer */ - -unsigned char *PKCS12_pbe_crypt(X509_ALGOR *algor, const char *pass, - int passlen, unsigned char *in, int inlen, +unsigned char *PKCS12_pbe_crypt(const X509_ALGOR *algor, + const char *pass, int passlen, + const unsigned char *in, int inlen, unsigned char **data, int *datalen, int en_de) { unsigned char *out = NULL; @@ -79,9 +79,9 @@ unsigned char *PKCS12_pbe_crypt(X509_ALGOR *algor, const char *pass, * after use. */ -void *PKCS12_item_decrypt_d2i(X509_ALGOR *algor, const ASN1_ITEM *it, +void *PKCS12_item_decrypt_d2i(const X509_ALGOR *algor, const ASN1_ITEM *it, const char *pass, int passlen, - ASN1_OCTET_STRING *oct, int zbuf) + const ASN1_OCTET_STRING *oct, int zbuf) { unsigned char *out; const unsigned char *p; diff --git a/crypto/pkcs12/p12_mutl.c b/crypto/pkcs12/p12_mutl.c index 9ab2659293..87c40ee46e 100644 --- a/crypto/pkcs12/p12_mutl.c +++ b/crypto/pkcs12/p12_mutl.c @@ -20,12 +20,14 @@ int PKCS12_mac_present(PKCS12 *p12) return p12->mac ? 1 : 0; } -void PKCS12_get0_mac(ASN1_OCTET_STRING **pmac, X509_ALGOR **pmacalg, - ASN1_OCTET_STRING **psalt, ASN1_INTEGER **piter, - PKCS12 *p12) +void PKCS12_get0_mac(const ASN1_OCTET_STRING **pmac, + const X509_ALGOR **pmacalg, + const ASN1_OCTET_STRING **psalt, + const ASN1_INTEGER **piter, + const PKCS12 *p12) { if (p12->mac) { - X509_SIG_get0(pmacalg, pmac, p12->mac->dinfo); + X509_SIG_get0(p12->mac->dinfo, pmacalg, pmac); if (psalt) *psalt = p12->mac->salt; if (piter) @@ -74,7 +76,7 @@ int PKCS12_gen_mac(PKCS12 *p12, const char *pass, int passlen, int saltlen, iter; int md_size = 0; int md_type_nid; - X509_ALGOR *macalg; + const X509_ALGOR *macalg; const ASN1_OBJECT *macoid; if (!PKCS7_type_is_data(p12->authsafes)) { @@ -88,7 +90,7 @@ int PKCS12_gen_mac(PKCS12 *p12, const char *pass, int passlen, iter = 1; else iter = ASN1_INTEGER_get(p12->mac->iter); - X509_SIG_get0(&macalg, NULL, p12->mac->dinfo); + X509_SIG_get0(p12->mac->dinfo, &macalg, NULL); X509_ALGOR_get0(&macoid, NULL, NULL, macalg); if ((md_type = EVP_get_digestbyobj(macoid)) == NULL) { PKCS12err(PKCS12_F_PKCS12_GEN_MAC, PKCS12_R_UNKNOWN_DIGEST_ALGORITHM); @@ -131,7 +133,7 @@ int PKCS12_verify_mac(PKCS12 *p12, const char *pass, int passlen) { unsigned char mac[EVP_MAX_MD_SIZE]; unsigned int maclen; - ASN1_OCTET_STRING *macoct; + const ASN1_OCTET_STRING *macoct; if (p12->mac == NULL) { PKCS12err(PKCS12_F_PKCS12_VERIFY_MAC, PKCS12_R_MAC_ABSENT); @@ -141,7 +143,7 @@ int PKCS12_verify_mac(PKCS12 *p12, const char *pass, int passlen) PKCS12err(PKCS12_F_PKCS12_VERIFY_MAC, PKCS12_R_MAC_GENERATION_ERROR); return 0; } - X509_SIG_get0(NULL, &macoct, p12->mac->dinfo); + X509_SIG_get0(p12->mac->dinfo, NULL, &macoct); if ((maclen != (unsigned int)ASN1_STRING_length(macoct)) || CRYPTO_memcmp(mac, ASN1_STRING_get0_data(macoct), maclen)) return 0; @@ -168,7 +170,7 @@ int PKCS12_set_mac(PKCS12 *p12, const char *pass, int passlen, PKCS12err(PKCS12_F_PKCS12_SET_MAC, PKCS12_R_MAC_GENERATION_ERROR); return 0; } - X509_SIG_get0(NULL, &macoct, p12->mac->dinfo); + X509_SIG_get0_mutable(p12->mac->dinfo, NULL, &macoct); if (!ASN1_OCTET_STRING_set(macoct, mac, maclen)) { PKCS12err(PKCS12_F_PKCS12_SET_MAC, PKCS12_R_MAC_STRING_SET_ERROR); return 0; @@ -206,7 +208,7 @@ int PKCS12_setup_mac(PKCS12 *p12, int iter, unsigned char *salt, int saltlen, return 0; } else memcpy(p12->mac->salt->data, salt, saltlen); - X509_SIG_get0(&macalg, NULL, p12->mac->dinfo); + X509_SIG_get0_mutable(p12->mac->dinfo, &macalg, NULL); if (!X509_ALGOR_set0(macalg, OBJ_nid2obj(EVP_MD_type(md_type)), V_ASN1_NULL, NULL)) { PKCS12err(PKCS12_F_PKCS12_SETUP_MAC, ERR_R_MALLOC_FAILURE); diff --git a/crypto/pkcs12/p12_npas.c b/crypto/pkcs12/p12_npas.c index 21bd772476..f075bcacc3 100644 --- a/crypto/pkcs12/p12_npas.c +++ b/crypto/pkcs12/p12_npas.c @@ -22,7 +22,8 @@ static int newpass_bags(STACK_OF(PKCS12_SAFEBAG) *bags, const char *oldpass, const char *newpass); static int newpass_bag(PKCS12_SAFEBAG *bag, const char *oldpass, const char *newpass); -static int alg_get(X509_ALGOR *alg, int *pnid, int *piter, int *psaltlen); +static int alg_get(const X509_ALGOR *alg, int *pnid, int *piter, + int *psaltlen); /* * Change the password on a PKCS#12 structure. @@ -109,7 +110,7 @@ static int newpass_p12(PKCS12 *p12, const char *oldpass, const char *newpass) if (!PKCS12_gen_mac(p12, newpass, -1, mac, &maclen)) goto err; - X509_SIG_get0(NULL, &macoct, p12->mac->dinfo); + X509_SIG_get0_mutable(p12->mac->dinfo, NULL, &macoct); if (!ASN1_OCTET_STRING_set(macoct, mac, maclen)) goto err; @@ -148,14 +149,14 @@ static int newpass_bag(PKCS12_SAFEBAG *bag, const char *oldpass, PKCS8_PRIV_KEY_INFO *p8; X509_SIG *p8new; int p8_nid, p8_saltlen, p8_iter; - X509_ALGOR *shalg; + const X509_ALGOR *shalg; if (PKCS12_SAFEBAG_get_nid(bag) != NID_pkcs8ShroudedKeyBag) return 1; if ((p8 = PKCS8_decrypt(bag->value.shkeybag, oldpass, -1)) == NULL) return 0; - X509_SIG_get0(&shalg, NULL, bag->value.shkeybag); + X509_SIG_get0(bag->value.shkeybag, &shalg, NULL); if (!alg_get(shalg, &p8_nid, &p8_iter, &p8_saltlen)) return 0; p8new = PKCS8_encrypt(p8_nid, NULL, newpass, -1, NULL, p8_saltlen, @@ -168,7 +169,8 @@ static int newpass_bag(PKCS12_SAFEBAG *bag, const char *oldpass, return 1; } -static int alg_get(X509_ALGOR *alg, int *pnid, int *piter, int *psaltlen) +static int alg_get(const X509_ALGOR *alg, int *pnid, int *piter, + int *psaltlen) { PBEPARAM *pbe; pbe = ASN1_TYPE_unpack_sequence(ASN1_ITEM_rptr(PBEPARAM), alg->parameter); diff --git a/crypto/pkcs12/p12_p8d.c b/crypto/pkcs12/p12_p8d.c index 97577da26e..d926a77df8 100644 --- a/crypto/pkcs12/p12_p8d.c +++ b/crypto/pkcs12/p12_p8d.c @@ -11,12 +11,12 @@ #include "internal/cryptlib.h" #include -PKCS8_PRIV_KEY_INFO *PKCS8_decrypt(X509_SIG *p8, const char *pass, +PKCS8_PRIV_KEY_INFO *PKCS8_decrypt(const X509_SIG *p8, const char *pass, int passlen) { - X509_ALGOR *dalg; - ASN1_OCTET_STRING *doct; - X509_SIG_get0(&dalg, &doct, p8); + const X509_ALGOR *dalg; + const ASN1_OCTET_STRING *doct; + X509_SIG_get0(p8, &dalg, &doct); return PKCS12_item_decrypt_d2i(dalg, ASN1_ITEM_rptr(PKCS8_PRIV_KEY_INFO), pass, passlen, doct, 1); diff --git a/doc/crypto/X509_SIG_get0.pod b/doc/crypto/X509_SIG_get0.pod index 1d61497c1c..a47ae448cc 100644 --- a/doc/crypto/X509_SIG_get0.pod +++ b/doc/crypto/X509_SIG_get0.pod @@ -2,19 +2,23 @@ =head1 NAME -X509_SIG_get0 - Get DigestInfo functions +X509_SIG_get0, X509_SIG_get0_mutable - DigestInfo functions =head1 SYNOPSIS #include - void X509_SIG_get0(X509_ALGOR **palg, ASN1_OCTET_STRING **pdigest, - X509_SIG *sig); + void X509_SIG_get0(const X509_SIG *sig, const X509_ALGOR **palg, + const ASN1_OCTET_STRING **pdigest); + void X509_SIG_get0_mutable(X509_SIG *sig, X509_ALGOR **palg, + ASN1_OCTET_STRING **pdigest, =head1 DESCRIPTION X509_SIG_get0() returns pointers to the algorithm identifier and digest -value in B. These values can then be examined or initialised. +value in B. X509_SIG_get0_mutable() is identical to X509_SIG_get0() +except the pointers returned are not constant and can be modified: +for example to initialise them. =head1 SEE ALSO diff --git a/include/openssl/pkcs12.h b/include/openssl/pkcs12.h index 775f20a4ee..663f298d95 100644 --- a/include/openssl/pkcs12.h +++ b/include/openssl/pkcs12.h @@ -84,9 +84,11 @@ typedef struct pkcs12_bag_st PKCS12_BAGS; ASN1_TYPE *PKCS8_get_attr(PKCS8_PRIV_KEY_INFO *p8, int attr_nid); int PKCS12_mac_present(PKCS12 *p12); -void PKCS12_get0_mac(ASN1_OCTET_STRING **pmac, X509_ALGOR **pmacalg, - ASN1_OCTET_STRING **psalt, ASN1_INTEGER **piter, - PKCS12 *p12); +void PKCS12_get0_mac(const ASN1_OCTET_STRING **pmac, + const X509_ALGOR **pmacalg, + const ASN1_OCTET_STRING **psalt, + const ASN1_INTEGER **piter, + const PKCS12 *p12); ASN1_TYPE *PKCS12_SAFEBAG_get0_attr(PKCS12_SAFEBAG *bag, int attr_nid); ASN1_OBJECT *PKCS12_SAFEBAG_get0_type(PKCS12_SAFEBAG *bag); @@ -112,7 +114,7 @@ PKCS12_SAFEBAG *PKCS12_SAFEBAG_create_pkcs8_encrypt(int pbe_nid, PKCS12_SAFEBAG *PKCS12_item_pack_safebag(void *obj, const ASN1_ITEM *it, int nid1, int nid2); -PKCS8_PRIV_KEY_INFO *PKCS8_decrypt(X509_SIG *p8, const char *pass, +PKCS8_PRIV_KEY_INFO *PKCS8_decrypt(const X509_SIG *p8, const char *pass, int passlen); PKCS8_PRIV_KEY_INFO *PKCS12_decrypt_skey(PKCS12_SAFEBAG *bag, const char *pass, int passlen); @@ -145,13 +147,14 @@ ASN1_TYPE *PKCS12_get_attr_gen(const STACK_OF(X509_ATTRIBUTE) *attrs, int attr_nid); char *PKCS12_get_friendlyname(PKCS12_SAFEBAG *bag); STACK_OF(X509_ATTRIBUTE) *PKCS12_SAFEBAG_get0_attrs(PKCS12_SAFEBAG *bag); -unsigned char *PKCS12_pbe_crypt(X509_ALGOR *algor, const char *pass, - int passlen, unsigned char *in, int inlen, +unsigned char *PKCS12_pbe_crypt(const X509_ALGOR *algor, + const char *pass, int passlen, + const unsigned char *in, int inlen, unsigned char **data, int *datalen, int en_de); -void *PKCS12_item_decrypt_d2i(X509_ALGOR *algor, const ASN1_ITEM *it, +void *PKCS12_item_decrypt_d2i(const X509_ALGOR *algor, const ASN1_ITEM *it, const char *pass, int passlen, - ASN1_OCTET_STRING *oct, int zbuf); + const ASN1_OCTET_STRING *oct, int zbuf); ASN1_OCTET_STRING *PKCS12_item_i2d_encrypt(X509_ALGOR *algor, const ASN1_ITEM *it, const char *pass, int passlen, diff --git a/include/openssl/x509.h b/include/openssl/x509.h index 22385295e3..1a63ba571b 100644 --- a/include/openssl/x509.h +++ b/include/openssl/x509.h @@ -516,8 +516,10 @@ EC_KEY *d2i_EC_PUBKEY(EC_KEY **a, const unsigned char **pp, long length); # endif DECLARE_ASN1_FUNCTIONS(X509_SIG) -void X509_SIG_get0(X509_ALGOR **palg, ASN1_OCTET_STRING **pdigest, - X509_SIG *sig); +void X509_SIG_get0(const X509_SIG *sig, const X509_ALGOR **palg, + const ASN1_OCTET_STRING **pdigest); +void X509_SIG_get0_mutable(X509_SIG *sig, X509_ALGOR **palg, + ASN1_OCTET_STRING **pdigest); DECLARE_ASN1_FUNCTIONS(X509_REQ_INFO) DECLARE_ASN1_FUNCTIONS(X509_REQ) -- 2.25.1