From a6eb1ce6a989d01bb00e9749789b690744be506c Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Thu, 10 Mar 2016 15:04:46 +0000 Subject: [PATCH] Make X509_SIG opaque. Reviewed-by: Rich Salz --- apps/pkcs12.c | 4 +++- crypto/asn1/x_sig.c | 10 ++++++++++ crypto/include/internal/x509_int.h | 5 +++++ crypto/pkcs12/p12_mutl.c | 31 ++++++++++++++++++------------ crypto/pkcs12/p12_npas.c | 14 ++++++-------- crypto/pkcs12/p12_p8d.c | 7 +++++-- crypto/pkcs12/p12_p8e.c | 7 ++++--- crypto/rsa/rsa_sign.c | 1 + doc/crypto/d2i_X509_SIG.pod | 12 +++++++++--- include/openssl/x509.h | 8 ++++---- 10 files changed, 66 insertions(+), 33 deletions(-) diff --git a/apps/pkcs12.c b/apps/pkcs12.c index 5ed2122da6..1fd1fad001 100644 --- a/apps/pkcs12.c +++ b/apps/pkcs12.c @@ -668,10 +668,12 @@ int dump_certs_pkeys_bag(BIO *out, PKCS12_SAFEBAG *bag, char *pass, case NID_pkcs8ShroudedKeyBag: if (options & INFO) { X509_SIG *tp8; + X509_ALGOR *tp8alg; BIO_printf(bio_err, "Shrouded Keybag: "); tp8 = PKCS12_SAFEBAG_get0_pkcs8(bag); - alg_print(tp8->algor); + X509_SIG_get0(&tp8alg, NULL, tp8); + alg_print(tp8alg); } if (options & NOKEYS) return 1; diff --git a/crypto/asn1/x_sig.c b/crypto/asn1/x_sig.c index 8197d2a30a..b880e2420b 100644 --- a/crypto/asn1/x_sig.c +++ b/crypto/asn1/x_sig.c @@ -59,6 +59,7 @@ #include "internal/cryptlib.h" #include #include +#include "internal/x509_int.h" ASN1_SEQUENCE(X509_SIG) = { ASN1_SIMPLE(X509_SIG, algor, X509_ALGOR), @@ -66,3 +67,12 @@ ASN1_SEQUENCE(X509_SIG) = { } ASN1_SEQUENCE_END(X509_SIG) IMPLEMENT_ASN1_FUNCTIONS(X509_SIG) + +void X509_SIG_get0(X509_ALGOR **palg, ASN1_OCTET_STRING **pdigest, + X509_SIG *sig) +{ + if (palg) + *palg = sig->algor; + if (pdigest) + *pdigest = sig->digest; +} diff --git a/crypto/include/internal/x509_int.h b/crypto/include/internal/x509_int.h index eec024c95d..fc032ae07d 100644 --- a/crypto/include/internal/x509_int.h +++ b/crypto/include/internal/x509_int.h 
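Review bot: The new `X509_SIG_get0()` in crypto/asn1/x_sig.c has no comment saying that the pointers it returns alias fields owned by `sig`, and it dereferences `sig` without a NULL check. Every caller converted in this patch (apps/pkcs12.c, p12_mutl.c, p12_npas.c, p12_p8d.c) passes uninitialised locals and relies on that convention, so a later `free` of a returned pointer would be a double free once the X509_SIG is released. I would put `/* Returns internal pointers owned by sig; caller must not free them. sig must not be NULL. */` above the definition and above the prototype added to include/openssl/x509.h. If NULL is meant to be tolerated, `if (sig == NULL) return;` alone is not enough, because callers' out-variables would then stay uninitialised.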
@@ -225,3 +225,8 @@ struct pkcs8_priv_key_info_st { ASN1_OCTET_STRING *pkey; STACK_OF(X509_ATTRIBUTE) *attributes; }; + +struct X509_sig_st { + X509_ALGOR *algor; + ASN1_OCTET_STRING *digest; +}; diff --git a/crypto/pkcs12/p12_mutl.c b/crypto/pkcs12/p12_mutl.c index 230f3e6b30..0395358325 100644 --- a/crypto/pkcs12/p12_mutl.c +++ b/crypto/pkcs12/p12_mutl.c @@ -74,10 +74,7 @@ void PKCS12_get0_mac(ASN1_OCTET_STRING **pmac, X509_ALGOR **pmacalg, PKCS12 *p12) { if (p12->mac) { - if (pmac) - *pmac = p12->mac->dinfo->digest; - if (pmacalg) - *pmacalg = p12->mac->dinfo->algor; + X509_SIG_get0(pmacalg, pmac, p12->mac->dinfo); if (psalt) *psalt = p12->mac->salt; if (piter) @@ -126,6 +123,8 @@ int PKCS12_gen_mac(PKCS12 *p12, const char *pass, int passlen, int saltlen, iter; int md_size = 0; int md_type_nid; + X509_ALGOR *macalg; + ASN1_OBJECT *macoid; if (!PKCS7_type_is_data(p12->authsafes)) { PKCS12err(PKCS12_F_PKCS12_GEN_MAC, PKCS12_R_CONTENT_TYPE_NOT_DATA); @@ -138,8 +137,9 @@ int PKCS12_gen_mac(PKCS12 *p12, const char *pass, int passlen, iter = 1; else iter = ASN1_INTEGER_get(p12->mac->iter); - if ((md_type = EVP_get_digestbyobj(p12->mac->dinfo->algor->algorithm)) - == NULL) { + X509_SIG_get0(&macalg, NULL, p12->mac->dinfo); + X509_ALGOR_get0(&macoid, NULL, NULL, macalg); + if ((md_type = EVP_get_digestbyobj(macoid)) == NULL) { PKCS12err(PKCS12_F_PKCS12_GEN_MAC, PKCS12_R_UNKNOWN_DIGEST_ALGORITHM); return 0; } @@ -180,6 +180,8 @@ int PKCS12_verify_mac(PKCS12 *p12, const char *pass, int passlen) { unsigned char mac[EVP_MAX_MD_SIZE]; unsigned int maclen; + ASN1_OCTET_STRING *macoct; + if (p12->mac == NULL) { PKCS12err(PKCS12_F_PKCS12_VERIFY_MAC, PKCS12_R_MAC_ABSENT); return 0; 
@@ -188,8 +190,9 @@ int PKCS12_verify_mac(PKCS12 *p12, const char *pass, int passlen) PKCS12err(PKCS12_F_PKCS12_VERIFY_MAC, PKCS12_R_MAC_GENERATION_ERROR); return 0; } - if ((maclen != (unsigned int)p12->mac->dinfo->digest->length) - || CRYPTO_memcmp(mac, p12->mac->dinfo->digest->data, maclen)) + X509_SIG_get0(NULL, &macoct, p12->mac->dinfo); + if ((maclen != (unsigned int)ASN1_STRING_length(macoct)) + || CRYPTO_memcmp(mac, ASN1_STRING_data(macoct), maclen)) return 0; return 1; } @@ -202,6 +205,7 @@ int PKCS12_set_mac(PKCS12 *p12, const char *pass, int passlen, { unsigned char mac[EVP_MAX_MD_SIZE]; unsigned int maclen; + ASN1_OCTET_STRING *macoct; if (!md_type) md_type = EVP_sha1(); @@ -213,7 +217,8 @@ int PKCS12_set_mac(PKCS12 *p12, const char *pass, int passlen, PKCS12err(PKCS12_F_PKCS12_SET_MAC, PKCS12_R_MAC_GENERATION_ERROR); return 0; } - if (!(ASN1_OCTET_STRING_set(p12->mac->dinfo->digest, mac, maclen))) { + X509_SIG_get0(NULL, &macoct, p12->mac->dinfo); + if (!ASN1_OCTET_STRING_set(macoct, mac, maclen)) { PKCS12err(PKCS12_F_PKCS12_SET_MAC, PKCS12_R_MAC_STRING_SET_ERROR); return 0; } @@ -224,6 +229,8 @@ int PKCS12_set_mac(PKCS12 *p12, const char *pass, int passlen, int PKCS12_setup_mac(PKCS12 *p12, int iter, unsigned char *salt, int saltlen, const EVP_MD *md_type) { + X509_ALGOR *macalg; + if ((p12->mac = PKCS12_MAC_DATA_new()) == NULL) return PKCS12_ERROR; if (iter > 1) { @@ -248,12 +255,12 @@ int PKCS12_setup_mac(PKCS12 *p12, int iter, unsigned char *salt, int saltlen, return 0; } else memcpy(p12->mac->salt->data, salt, saltlen); - p12->mac->dinfo->algor->algorithm = OBJ_nid2obj(EVP_MD_type(md_type)); - if ((p12->mac->dinfo->algor->parameter = ASN1_TYPE_new()) == NULL) { + X509_SIG_get0(&macalg, NULL, p12->mac->dinfo); + if (!X509_ALGOR_set0(macalg, OBJ_nid2obj(EVP_MD_type(md_type)), + V_ASN1_NULL, NULL)) { PKCS12err(PKCS12_F_PKCS12_SETUP_MAC, ERR_R_MALLOC_FAILURE); return 0; } - p12->mac->dinfo->algor->parameter->type = V_ASN1_NULL; return 1; } 
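Review bot: Nothing at the comparison in PKCS12_verify_mac records that `CRYPTO_memcmp` is deliberate, and now that both operands come from accessor calls a later tidy-up to plain `memcmp` is easier to make by accident. I would add `/* MAC check must stay constant-time: keep CRYPTO_memcmp */` above the `if`. `macoct` is declared in the previous hunk without an initialiser, so this check depends on `X509_SIG_get0` always storing through `pdigest`; `ASN1_OCTET_STRING *macoct = NULL;` would turn any future change to that accessor into a deterministic failure instead of a read through an indeterminate pointer.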
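Review bot: In the last p12_mutl.c hunk (PKCS12_setup_mac) the result of `OBJ_nid2obj(EVP_MD_type(md_type))` goes straight into `X509_ALGOR_set0()` unchecked, and every failure is reported as `ERR_R_MALLOC_FAILURE`. If the digest has no registered OID the lookup can return NULL, and as far as I can tell X509_ALGOR_set0 would store that NULL as the algorithm, so the problem would only surface later when the MAC data is encoded or verified. I would fetch the object into a local first and reject NULL with `PKCS12err(PKCS12_F_PKCS12_SETUP_MAC, PKCS12_R_UNKNOWN_DIGEST_ALGORITHM); return 0;` before calling `X509_ALGOR_set0`. The function starts in the previous hunk and part of its body lies between the two hunks, so I cannot see whether `md_type` is validated earlier.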
diff --git a/crypto/pkcs12/p12_npas.c b/crypto/pkcs12/p12_npas.c index f2fc12f752..e23d0352c7 100644 --- a/crypto/pkcs12/p12_npas.c +++ b/crypto/pkcs12/p12_npas.c @@ -109,7 +109,7 @@ static int newpass_p12(PKCS12 *p12, char *oldpass, char *newpass) STACK_OF(PKCS12_SAFEBAG) *bags; int i, bagnid, pbe_nid = 0, pbe_iter = 0, pbe_saltlen = 0; PKCS7 *p7, *p7new; - ASN1_OCTET_STRING *p12_data_tmp = NULL, *macnew = NULL; + ASN1_OCTET_STRING *p12_data_tmp = NULL, *macoct = NULL; unsigned char mac[EVP_MAX_MD_SIZE]; unsigned int maclen; @@ -165,12 +165,9 @@ static int newpass_p12(PKCS12 *p12, char *oldpass, char *newpass) if (!PKCS12_gen_mac(p12, newpass, -1, mac, &maclen)) goto saferr; - if ((macnew = ASN1_OCTET_STRING_new()) == NULL) + X509_SIG_get0(NULL, &macoct, p12->mac->dinfo); + if (!ASN1_OCTET_STRING_set(macoct, mac, maclen)) goto saferr; - if (!ASN1_OCTET_STRING_set(macnew, mac, maclen)) - goto saferr; - ASN1_OCTET_STRING_free(p12->mac->dinfo->digest); - p12->mac->dinfo->digest = macnew; ASN1_OCTET_STRING_free(p12_data_tmp); return 1; @@ -178,7 +175,6 @@ static int newpass_p12(PKCS12 *p12, char *oldpass, char *newpass) saferr: /* Restore old safe */ ASN1_OCTET_STRING_free(p12->authsafes->d.data); - ASN1_OCTET_STRING_free(macnew); p12->authsafes->d.data = p12_data_tmp; return 0; @@ -202,13 +198,15 @@ static int newpass_bag(PKCS12_SAFEBAG *bag, char *oldpass, char *newpass) PKCS8_PRIV_KEY_INFO *p8; X509_SIG *p8new; int p8_nid, p8_saltlen, p8_iter; + X509_ALGOR *shalg; if (PKCS12_SAFEBAG_get_nid(bag) != NID_pkcs8ShroudedKeyBag) return 1; if ((p8 = PKCS8_decrypt(bag->value.shkeybag, oldpass, -1)) == NULL) return 0; - if (!alg_get(bag->value.shkeybag->algor, &p8_nid, &p8_iter, &p8_saltlen)) + X509_SIG_get0(&shalg, NULL, bag->value.shkeybag); + if (!alg_get(shalg, &p8_nid, &p8_iter, &p8_saltlen)) return 0; if ((p8new = PKCS8_encrypt(p8_nid, NULL, newpass, -1, NULL, p8_saltlen, p8_iter, p8)) == NULL) 
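Review bot: In newpass_p12 the new MAC is now written in place with `ASN1_OCTET_STRING_set(macoct, mac, maclen)` instead of being built in a temporary and swapped in, while the `saferr` path still restores only `authsafes`. The rollback is therefore correct only if a failed `ASN1_OCTET_STRING_set` leaves the old digest untouched, which I believe is the case but is not visible here. A comment on the call such as `/* macoct is owned by p12->mac; on failure the old MAC must remain intact for saferr */` would record that dependency and that `macoct` must not be freed, unlike `p12_data_tmp` declared beside it. The function starts and ends outside these hunks.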
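Review bot: The early `return 0` after `alg_get()` fails in newpass_bag leaves `p8`, the decrypted PKCS8_PRIV_KEY_INFO returned by `PKCS8_decrypt()` two statements earlier, unfreed, so plaintext private-key material stays allocated for the life of the process. The commit rewrites this branch but keeps the leak; I would change it to `if (!alg_get(shalg, &p8_nid, &p8_iter, &p8_saltlen)) { PKCS8_PRIV_KEY_INFO_free(p8); return 0; }`. The function continues past the end of the hunk, so the later exits should be checked for the same release.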
diff --git a/crypto/pkcs12/p12_p8d.c b/crypto/pkcs12/p12_p8d.c index 9bdfd3f77f..8980abe9b9 100644 --- a/crypto/pkcs12/p12_p8d.c +++ b/crypto/pkcs12/p12_p8d.c @@ -63,7 +63,10 @@ PKCS8_PRIV_KEY_INFO *PKCS8_decrypt(X509_SIG *p8, const char *pass, int passlen) { - return PKCS12_item_decrypt_d2i(p8->algor, + X509_ALGOR *dalg; + ASN1_OCTET_STRING *doct; + X509_SIG_get0(&dalg, &doct, p8); + return PKCS12_item_decrypt_d2i(dalg, ASN1_ITEM_rptr(PKCS8_PRIV_KEY_INFO), pass, - passlen, p8->digest, 1); + passlen, doct, 1); } diff --git a/crypto/pkcs12/p12_p8e.c b/crypto/pkcs12/p12_p8e.c index a6255155ba..b79ca64272 100644 --- a/crypto/pkcs12/p12_p8e.c +++ b/crypto/pkcs12/p12_p8e.c @@ -59,6 +59,7 @@ #include #include "internal/cryptlib.h" #include +#include "internal/x509_int.h" X509_SIG *PKCS8_encrypt(int pbe_nid, const EVP_CIPHER *cipher, const char *pass, int passlen, @@ -103,13 +104,13 @@ X509_SIG *PKCS8_set0_pbe(const char *pass, int passlen, return NULL; } - if ((p8 = X509_SIG_new()) == NULL) { + p8 = OPENSSL_zalloc(sizeof(*p8)); + + if (p8 == NULL) { PKCS12err(PKCS12_F_PKCS8_SET0_PBE, ERR_R_MALLOC_FAILURE); ASN1_OCTET_STRING_free(enckey); return NULL; } - X509_ALGOR_free(p8->algor); - ASN1_OCTET_STRING_free(p8->digest); p8->algor = pbe; p8->digest = enckey; diff --git a/crypto/rsa/rsa_sign.c b/crypto/rsa/rsa_sign.c index 61f91b9856..439d699f78 100644 --- a/crypto/rsa/rsa_sign.c +++ b/crypto/rsa/rsa_sign.c @@ -61,6 +61,7 @@ #include #include #include +#include "internal/x509_int.h" #include "rsa_locl.h" /* Size of an SSL signature: MD5+SHA1 */ diff --git a/doc/crypto/d2i_X509_SIG.pod b/doc/crypto/d2i_X509_SIG.pod index 3efb556a06..08d08766ce 100644 --- a/doc/crypto/d2i_X509_SIG.pod +++ b/doc/crypto/d2i_X509_SIG.pod 
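Review bot: In PKCS8_set0_pbe, replacing `X509_SIG_new()` with `OPENSSL_zalloc(sizeof(*p8))` builds an ASN.1 object outside its own allocator, and no comment explains why. Callers will presumably release the result with `X509_SIG_free()`, so this depends on the ASN.1 free code accepting a struct it did not create and on `X509_sig_st` never gaining state that only `X509_SIG_new()` sets up. I would add `/* Allocate the shell directly: both fields are supplied by the caller, so defaults from X509_SIG_new() would only be freed again */` above the allocation, or keep `X509_SIG_new()` and free the two defaults as the old code did. The function begins and ends outside this hunk, so the ownership of `pbe` on the failure path cannot be checked from here.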
@@ -10,15 +10,21 @@ d2i_X509_SIG, i2d_X509_SIG - DigestInfo functions. X509_SIG *d2i_X509_SIG(X509_SIG **a, unsigned char **pp, long length); int i2d_X509_SIG(X509_SIG *a, unsigned char **pp); + void X509_SIG_get0(X509_ALGOR **palg, ASN1_OCTET_STRING **pdigest, + X509_SIG *sig); =head1 DESCRIPTION -These functions decode and encode an X509_SIG structure which is -equivalent to the B structure defined in PKCS#1 and PKCS#7. +The functions d2i_X509_SIG() and i2d_X509_SIG() decode and encode an +X509_SIG structure which is equivalent to the B structure +defined in PKCS#1 and PKCS#7. -Otherwise these behave in a similar way to d2i_X509() and i2d_X509() +Otherwise they behave in a similar way to d2i_X509() and i2d_X509() described in the L manual page. +X509_SIG_get0() returns pointers to the algorithm identifier and digest +value in B. These values can then be examined or initialised. + =head1 SEE ALSO L diff --git a/include/openssl/x509.h b/include/openssl/x509.h index fe60dc82a2..5c138ca971 100644 --- a/include/openssl/x509.h +++ b/include/openssl/x509.h @@ -136,10 +136,7 @@ struct X509_pubkey_st { CRYPTO_RWLOCK *lock; }; -typedef struct X509_sig_st { - X509_ALGOR *algor; - ASN1_OCTET_STRING *digest; -} X509_SIG; +typedef struct X509_sig_st X509_SIG; typedef struct X509_name_entry_st X509_NAME_ENTRY; @@ -586,6 +583,9 @@ EC_KEY *d2i_EC_PUBKEY(EC_KEY **a, const unsigned char **pp, long length); # endif DECLARE_ASN1_FUNCTIONS(X509_SIG) +void X509_SIG_get0(X509_ALGOR **palg, ASN1_OCTET_STRING **pdigest, + X509_SIG *sig); + DECLARE_ASN1_FUNCTIONS(X509_REQ_INFO) DECLARE_ASN1_FUNCTIONS(X509_REQ) -- 2.25.1