summaryrefslogtreecommitdiff
path: root/Cryptlib/OpenSSL/crypto/pkcs7/pk7_doit.c
diff options
context:
space:
mode:
authorSteve Langasek <steve.langasek@canonical.com>2019-02-09 21:28:06 -0800
committerSteve Langasek <steve.langasek@canonical.com>2019-02-09 21:32:44 -0800
commitab4c731c1dd379acd3e95971af57401fb0a650a1 (patch)
tree6a26fb8d0746cbbaa6c2d4b242c73442bcc1df06 /Cryptlib/OpenSSL/crypto/pkcs7/pk7_doit.c
parent0d63079c7da8e86104ce4bbdae2f6cb8d2ea40c6 (diff)
parent9c12130f9cd2ae11a9336813dd1f1669c0b64ad0 (diff)
downloadefi-boot-shim-debian/15+1533136590.3beb971-1.tar.gz
efi-boot-shim-debian/15+1533136590.3beb971-1.zip
* New upstream release.debian/15+1533136590.3beb971-1
- debian/patches/second-stage-path: dropped; the default loader path now includes an arch suffix. - debian/patches/sbsigntool-no-pesign: dropped; no longer needed. * Drop remaining patches that were not being applied. * Sync packaging from Ubuntu: - debian/copyright: Update upstream source location. - debian/control: add a Build-Depends on libelf-dev. - Enable arm64 build. - debian/patches/fixup_git.patch: don't run git in clean; we're not really in a git tree. - debian/rules, debian/shim.install: use the upstream install target as intended, and move files to the target directory using dh_install. - define RELEASE and COMMIT_ID for the snapshot. - Set ENABLE_HTTPBOOT to enable the HTTP Boot feature. - Update dh_auto_build/dh_auto_clean/dh_auto_install for new upstream options: set MAKELEVEL. - Define an EFI_ARCH variable, and use that for paths to shim. This makes it possible to build a shim for other architectures than amd64. - Set EFIDIR=$distro for dh_auto_install; that will let files be installed in the "right" final directories, and makes boot.csv for us. - Set ENABLE_SHIM_CERT, to keep using ephemeral self-signed certs built at compile-time for MokManager and fallback. - Set ENABLE_SBSIGN, to use sbsign instead of pesign for signing fallback and MokManager.
Diffstat (limited to 'Cryptlib/OpenSSL/crypto/pkcs7/pk7_doit.c')
-rw-r--r--Cryptlib/OpenSSL/crypto/pkcs7/pk7_doit.c321
1 files changed, 102 insertions, 219 deletions
diff --git a/Cryptlib/OpenSSL/crypto/pkcs7/pk7_doit.c b/Cryptlib/OpenSSL/crypto/pkcs7/pk7_doit.c
index 946aaa65..bc6bd30f 100644
--- a/Cryptlib/OpenSSL/crypto/pkcs7/pk7_doit.c
+++ b/Cryptlib/OpenSSL/crypto/pkcs7/pk7_doit.c
@@ -1,63 +1,14 @@
-/* crypto/pkcs7/pk7_doit.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
+/*
+ * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
*
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
*/
#include <stdio.h>
-#include "cryptlib.h"
+#include "internal/cryptlib.h"
#include <openssl/rand.h>
#include <openssl/objects.h>
#include <openssl/x509.h>
@@ -128,8 +79,7 @@ static int PKCS7_bio_add_digest(BIO **pbio, X509_ALGOR *alg)
return 1;
err:
- if (btmp)
- BIO_free(btmp);
+ BIO_free(btmp);
return 0;
}
@@ -143,7 +93,7 @@ static int pkcs7_encode_rinfo(PKCS7_RECIP_INFO *ri,
int ret = 0;
size_t eklen;
- pkey = X509_get_pubkey(ri->cert);
+ pkey = X509_get0_pubkey(ri->cert);
if (!pkey)
return 0;
@@ -180,12 +130,8 @@ static int pkcs7_encode_rinfo(PKCS7_RECIP_INFO *ri,
ret = 1;
err:
- if (pkey)
- EVP_PKEY_free(pkey);
- if (pctx)
- EVP_PKEY_CTX_free(pctx);
- if (ek)
- OPENSSL_free(ek);
+ EVP_PKEY_CTX_free(pctx);
+ OPENSSL_free(ek);
return ret;
}
@@ -232,18 +178,13 @@ static int pkcs7_decrypt_rinfo(unsigned char **pek, int *peklen,
ret = 1;
- if (*pek) {
- OPENSSL_cleanse(*pek, *peklen);
- OPENSSL_free(*pek);
- }
-
+ OPENSSL_clear_free(*pek, *peklen);
*pek = ek;
*peklen = eklen;
err:
- if (pctx)
- EVP_PKEY_CTX_free(pctx);
- if (!ret && ek)
+ EVP_PKEY_CTX_free(pctx);
+ if (!ret)
OPENSSL_free(ek);
return ret;
@@ -340,7 +281,7 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio)
ivlen = EVP_CIPHER_iv_length(evp_cipher);
xalg->algorithm = OBJ_nid2obj(EVP_CIPHER_type(evp_cipher));
if (ivlen > 0)
- if (RAND_pseudo_bytes(iv, ivlen) <= 0)
+ if (RAND_bytes(iv, ivlen) <= 0)
goto err;
if (EVP_CipherInit_ex(ctx, evp_cipher, NULL, NULL, NULL, 1) <= 0)
goto err;
@@ -390,27 +331,23 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio)
BIO_push(out, bio);
else
out = bio;
- bio = NULL;
- if (0) {
+ return out;
+
err:
- if (out != NULL)
- BIO_free_all(out);
- if (btmp != NULL)
- BIO_free_all(btmp);
- out = NULL;
- }
- return (out);
+ BIO_free_all(out);
+ BIO_free_all(btmp);
+ return NULL;
}
static int pkcs7_cmp_ri(PKCS7_RECIP_INFO *ri, X509 *pcert)
{
int ret;
ret = X509_NAME_cmp(ri->issuer_and_serial->issuer,
- pcert->cert_info->issuer);
+ X509_get_issuer_name(pcert));
if (ret)
return ret;
- return M_ASN1_INTEGER_cmp(pcert->cert_info->serialNumber,
- ri->issuer_and_serial->serial);
+ return ASN1_INTEGER_cmp(X509_get_serialNumber(pcert),
+ ri->issuer_and_serial->serial);
}
/* int */
@@ -522,15 +459,6 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
}
if (evp_cipher != NULL) {
-#if 0
- unsigned char key[EVP_MAX_KEY_LENGTH];
- unsigned char iv[EVP_MAX_IV_LENGTH];
- unsigned char *p;
- int keylen, ivlen;
- int max;
- X509_OBJECT ret;
-#endif
-
if ((etmp = BIO_new(BIO_f_cipher())) == NULL) {
PKCS7err(PKCS7_F_PKCS7_DATADECODE, ERR_R_BIO_LIB);
goto err;
@@ -563,7 +491,7 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
/* If we haven't got a certificate try each ri in turn */
if (pcert == NULL) {
/*
- * Always attempt to decrypt all rinfo even after sucess as a
+ * Always attempt to decrypt all rinfo even after success as a
* defence against MMA timing attacks.
*/
for (i = 0; i < sk_PKCS7_RECIP_INFO_num(rsk); i++) {
@@ -589,7 +517,7 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
/* Generate random key as MMA defence */
tkeylen = EVP_CIPHER_CTX_key_length(evp_ctx);
tkey = OPENSSL_malloc(tkeylen);
- if (!tkey)
+ if (tkey == NULL)
goto err;
if (EVP_CIPHER_CTX_rand_key(evp_ctx, tkey) <= 0)
goto err;
@@ -607,8 +535,7 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
*/
if (!EVP_CIPHER_CTX_set_key_length(evp_ctx, eklen)) {
/* Use random key as MMA defence */
- OPENSSL_cleanse(ek, eklen);
- OPENSSL_free(ek);
+ OPENSSL_clear_free(ek, eklen);
ek = tkey;
eklen = tkeylen;
tkey = NULL;
@@ -619,16 +546,10 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
if (EVP_CipherInit_ex(evp_ctx, NULL, NULL, ek, NULL, 0) <= 0)
goto err;
- if (ek) {
- OPENSSL_cleanse(ek, eklen);
- OPENSSL_free(ek);
- ek = NULL;
- }
- if (tkey) {
- OPENSSL_cleanse(tkey, tkeylen);
- OPENSSL_free(tkey);
- tkey = NULL;
- }
+ OPENSSL_clear_free(ek, eklen);
+ ek = NULL;
+ OPENSSL_clear_free(tkey, tkeylen);
+ tkey = NULL;
if (out == NULL)
out = etmp;
@@ -636,22 +557,9 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
BIO_push(out, etmp);
etmp = NULL;
}
-#if 1
if (in_bio != NULL) {
bio = in_bio;
} else {
-# if 0
- bio = BIO_new(BIO_s_mem());
- /*
- * We need to set this so that when we have read all the data, the
- * encrypt BIO, if present, will read EOF and encode the last few
- * bytes
- */
- BIO_set_mem_eof_return(bio, 0);
-
- if (data_body->length > 0)
- BIO_write(bio, (char *)data_body->data, data_body->length);
-# else
if (data_body->length > 0)
bio = BIO_new_mem_buf(data_body->data, data_body->length);
else {
@@ -662,32 +570,19 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
}
if (bio == NULL)
goto err;
-# endif
}
BIO_push(out, bio);
bio = NULL;
-#endif
- if (0) {
+ return out;
+
err:
- if (ek) {
- OPENSSL_cleanse(ek, eklen);
- OPENSSL_free(ek);
- }
- if (tkey) {
- OPENSSL_cleanse(tkey, tkeylen);
- OPENSSL_free(tkey);
- }
- if (out != NULL)
- BIO_free_all(out);
- if (btmp != NULL)
- BIO_free_all(btmp);
- if (etmp != NULL)
- BIO_free_all(etmp);
- if (bio != NULL)
- BIO_free_all(bio);
- out = NULL;
- }
- return (out);
+ OPENSSL_clear_free(ek, eklen);
+ OPENSSL_clear_free(tkey, tkeylen);
+ BIO_free_all(out);
+ BIO_free_all(btmp);
+ BIO_free_all(etmp);
+ BIO_free_all(bio);
+ return NULL;
}
static BIO *PKCS7_find_digest(EVP_MD_CTX **pmd, BIO *bio, int nid)
@@ -747,7 +642,7 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
int i, j;
BIO *btmp;
PKCS7_SIGNER_INFO *si;
- EVP_MD_CTX *mdc, ctx_tmp;
+ EVP_MD_CTX *mdc, *ctx_tmp;
STACK_OF(X509_ATTRIBUTE) *sk;
STACK_OF(PKCS7_SIGNER_INFO) *si_sk = NULL;
ASN1_OCTET_STRING *os = NULL;
@@ -762,7 +657,12 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
return 0;
}
- EVP_MD_CTX_init(&ctx_tmp);
+ ctx_tmp = EVP_MD_CTX_new();
+ if (ctx_tmp == NULL) {
+ PKCS7err(PKCS7_F_PKCS7_DATAFINAL, ERR_R_MALLOC_FAILURE);
+ return 0;
+ }
+
i = OBJ_obj2nid(p7->type);
p7->state = PKCS7_S_HEADER;
@@ -774,9 +674,9 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
/* XXXXXXXXXXXXXXXX */
si_sk = p7->d.signed_and_enveloped->signer_info;
os = p7->d.signed_and_enveloped->enc_data->enc_data;
- if (!os) {
- os = M_ASN1_OCTET_STRING_new();
- if (!os) {
+ if (os == NULL) {
+ os = ASN1_OCTET_STRING_new();
+ if (os == NULL) {
PKCS7err(PKCS7_F_PKCS7_DATAFINAL, ERR_R_MALLOC_FAILURE);
goto err;
}
@@ -786,9 +686,9 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
case NID_pkcs7_enveloped:
/* XXXXXXXXXXXXXXXX */
os = p7->d.enveloped->enc_data->enc_data;
- if (!os) {
- os = M_ASN1_OCTET_STRING_new();
- if (!os) {
+ if (os == NULL) {
+ os = ASN1_OCTET_STRING_new();
+ if (os == NULL) {
PKCS7err(PKCS7_F_PKCS7_DATAFINAL, ERR_R_MALLOC_FAILURE);
goto err;
}
@@ -800,7 +700,7 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
os = PKCS7_get_octet_string(p7->d.sign->contents);
/* If detached data then the content is excluded */
if (PKCS7_type_is_data(p7->d.sign->contents) && p7->detached) {
- M_ASN1_OCTET_STRING_free(os);
+ ASN1_OCTET_STRING_free(os);
os = NULL;
p7->d.sign->contents->d.data = NULL;
}
@@ -810,7 +710,7 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
os = PKCS7_get_octet_string(p7->d.digest->contents);
/* If detached data then the content is excluded */
if (PKCS7_type_is_data(p7->d.digest->contents) && p7->detached) {
- M_ASN1_OCTET_STRING_free(os);
+ ASN1_OCTET_STRING_free(os);
os = NULL;
p7->d.digest->contents->d.data = NULL;
}
@@ -839,7 +739,7 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
/*
* We now have the EVP_MD_CTX, lets do the signing.
*/
- if (!EVP_MD_CTX_copy_ex(&ctx_tmp, mdc))
+ if (!EVP_MD_CTX_copy_ex(ctx_tmp, mdc))
goto err;
sk = si->auth_attr;
@@ -849,17 +749,18 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
* sign the attributes
*/
if (sk_X509_ATTRIBUTE_num(sk) > 0) {
- if (!do_pkcs7_signed_attrib(si, &ctx_tmp))
+ if (!do_pkcs7_signed_attrib(si, ctx_tmp))
goto err;
} else {
unsigned char *abuf = NULL;
unsigned int abuflen;
abuflen = EVP_PKEY_size(si->pkey);
abuf = OPENSSL_malloc(abuflen);
- if (!abuf)
+ if (abuf == NULL)
goto err;
- if (!EVP_SignFinal(&ctx_tmp, abuf, &abuflen, si->pkey)) {
+ if (!EVP_SignFinal(ctx_tmp, abuf, &abuflen, si->pkey)) {
+ OPENSSL_free(abuf);
PKCS7err(PKCS7_F_PKCS7_DATAFINAL, ERR_R_EVP_LIB);
goto err;
}
@@ -874,7 +775,8 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
goto err;
if (!EVP_DigestFinal_ex(mdc, md_data, &md_len))
goto err;
- M_ASN1_OCTET_STRING_set(p7->d.digest->digest, md_data, md_len);
+ if (!ASN1_OCTET_STRING_set(p7->d.digest->digest, md_data, md_len))
+ goto err;
}
if (!PKCS7_is_detached(p7)) {
@@ -904,13 +806,13 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
}
ret = 1;
err:
- EVP_MD_CTX_cleanup(&ctx_tmp);
+ EVP_MD_CTX_free(ctx_tmp);
return (ret);
}
int PKCS7_SIGNER_INFO_sign(PKCS7_SIGNER_INFO *si)
{
- EVP_MD_CTX mctx;
+ EVP_MD_CTX *mctx;
EVP_PKEY_CTX *pctx;
unsigned char *abuf = NULL;
int alen;
@@ -921,8 +823,13 @@ int PKCS7_SIGNER_INFO_sign(PKCS7_SIGNER_INFO *si)
if (md == NULL)
return 0;
- EVP_MD_CTX_init(&mctx);
- if (EVP_DigestSignInit(&mctx, &pctx, md, NULL, si->pkey) <= 0)
+ mctx = EVP_MD_CTX_new();
+ if (mctx == NULL) {
+ PKCS7err(PKCS7_F_PKCS7_SIGNER_INFO_SIGN, ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+
+ if (EVP_DigestSignInit(mctx, &pctx, md, NULL, si->pkey) <= 0)
goto err;
if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_SIGN,
@@ -935,16 +842,16 @@ int PKCS7_SIGNER_INFO_sign(PKCS7_SIGNER_INFO *si)
ASN1_ITEM_rptr(PKCS7_ATTR_SIGN));
if (!abuf)
goto err;
- if (EVP_DigestSignUpdate(&mctx, abuf, alen) <= 0)
+ if (EVP_DigestSignUpdate(mctx, abuf, alen) <= 0)
goto err;
OPENSSL_free(abuf);
abuf = NULL;
- if (EVP_DigestSignFinal(&mctx, NULL, &siglen) <= 0)
+ if (EVP_DigestSignFinal(mctx, NULL, &siglen) <= 0)
goto err;
abuf = OPENSSL_malloc(siglen);
- if (!abuf)
+ if (abuf == NULL)
goto err;
- if (EVP_DigestSignFinal(&mctx, abuf, &siglen) <= 0)
+ if (EVP_DigestSignFinal(mctx, abuf, &siglen) <= 0)
goto err;
if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_SIGN,
@@ -953,16 +860,15 @@ int PKCS7_SIGNER_INFO_sign(PKCS7_SIGNER_INFO *si)
goto err;
}
- EVP_MD_CTX_cleanup(&mctx);
+ EVP_MD_CTX_free(mctx);
ASN1_STRING_set0(si->enc_digest, abuf, siglen);
return 1;
err:
- if (abuf)
- OPENSSL_free(abuf);
- EVP_MD_CTX_cleanup(&mctx);
+ OPENSSL_free(abuf);
+ EVP_MD_CTX_free(mctx);
return 0;
}
@@ -1028,14 +934,18 @@ int PKCS7_signatureVerify(BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si,
X509 *x509)
{
ASN1_OCTET_STRING *os;
- EVP_MD_CTX mdc_tmp, *mdc;
+ EVP_MD_CTX *mdc_tmp, *mdc;
int ret = 0, i;
int md_type;
STACK_OF(X509_ATTRIBUTE) *sk;
BIO *btmp;
EVP_PKEY *pkey;
- EVP_MD_CTX_init(&mdc_tmp);
+ mdc_tmp = EVP_MD_CTX_new();
+ if (mdc_tmp == NULL) {
+ PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY, ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
if (!PKCS7_type_is_signed(p7) && !PKCS7_type_is_signedAndEnveloped(p7)) {
PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY, PKCS7_R_WRONG_PKCS7_TYPE);
@@ -1072,7 +982,7 @@ int PKCS7_signatureVerify(BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si,
* mdc is the digest ctx that we want, unless there are attributes, in
* which case the digest is the signed attributes
*/
- if (!EVP_MD_CTX_copy_ex(&mdc_tmp, mdc))
+ if (!EVP_MD_CTX_copy_ex(mdc_tmp, mdc))
goto err;
sk = si->auth_attr;
@@ -1082,7 +992,7 @@ int PKCS7_signatureVerify(BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si,
int alen;
ASN1_OCTET_STRING *message_digest;
- if (!EVP_DigestFinal_ex(&mdc_tmp, md_dat, &md_len))
+ if (!EVP_DigestFinal_ex(mdc_tmp, md_dat, &md_len))
goto err;
message_digest = PKCS7_digest_from_attributes(sk);
if (!message_digest) {
@@ -1092,23 +1002,12 @@ int PKCS7_signatureVerify(BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si,
}
if ((message_digest->length != (int)md_len) ||
(memcmp(message_digest->data, md_dat, md_len))) {
-#if 0
- {
- int ii;
- for (ii = 0; ii < message_digest->length; ii++)
- printf("%02X", message_digest->data[ii]);
- printf(" sent\n");
- for (ii = 0; ii < md_len; ii++)
- printf("%02X", md_dat[ii]);
- printf(" calc\n");
- }
-#endif
PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY, PKCS7_R_DIGEST_FAILURE);
ret = -1;
goto err;
}
- if (!EVP_VerifyInit_ex(&mdc_tmp, EVP_get_digestbynid(md_type), NULL))
+ if (!EVP_VerifyInit_ex(mdc_tmp, EVP_get_digestbynid(md_type), NULL))
goto err;
alen = ASN1_item_i2d((ASN1_VALUE *)sk, &abuf,
@@ -1118,29 +1017,28 @@ int PKCS7_signatureVerify(BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si,
ret = -1;
goto err;
}
- if (!EVP_VerifyUpdate(&mdc_tmp, abuf, alen))
+ if (!EVP_VerifyUpdate(mdc_tmp, abuf, alen))
goto err;
OPENSSL_free(abuf);
}
os = si->enc_digest;
- pkey = X509_get_pubkey(x509);
+ pkey = X509_get0_pubkey(x509);
if (!pkey) {
ret = -1;
goto err;
}
- i = EVP_VerifyFinal(&mdc_tmp, os->data, os->length, pkey);
- EVP_PKEY_free(pkey);
+ i = EVP_VerifyFinal(mdc_tmp, os->data, os->length, pkey);
if (i <= 0) {
PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY, PKCS7_R_SIGNATURE_FAILURE);
ret = -1;
goto err;
- } else
- ret = 1;
+ }
+ ret = 1;
err:
- EVP_MD_CTX_cleanup(&mdc_tmp);
+ EVP_MD_CTX_free(mdc_tmp);
return (ret);
}
@@ -1176,29 +1074,17 @@ ASN1_TYPE *PKCS7_get_attribute(PKCS7_SIGNER_INFO *si, int nid)
static ASN1_TYPE *get_attribute(STACK_OF(X509_ATTRIBUTE) *sk, int nid)
{
- int i;
+ int idx;
X509_ATTRIBUTE *xa;
- ASN1_OBJECT *o;
-
- o = OBJ_nid2obj(nid);
- if (!o || !sk)
- return (NULL);
- for (i = 0; i < sk_X509_ATTRIBUTE_num(sk); i++) {
- xa = sk_X509_ATTRIBUTE_value(sk, i);
- if (OBJ_cmp(xa->object, o) == 0) {
- if (!xa->single && sk_ASN1_TYPE_num(xa->value.set))
- return (sk_ASN1_TYPE_value(xa->value.set, 0));
- else
- return (NULL);
- }
- }
- return (NULL);
+ idx = X509at_get_attr_by_NID(sk, nid, -1);
+ xa = X509at_get_attr(sk, idx);
+ return X509_ATTRIBUTE_get0_type(xa, 0);
}
ASN1_OCTET_STRING *PKCS7_digest_from_attributes(STACK_OF(X509_ATTRIBUTE) *sk)
{
ASN1_TYPE *astype;
- if (!(astype = get_attribute(sk, NID_pkcs9_messageDigest)))
+ if ((astype = get_attribute(sk, NID_pkcs9_messageDigest)) == NULL)
return NULL;
return astype->value.octet_string;
}
@@ -1208,8 +1094,7 @@ int PKCS7_set_signed_attributes(PKCS7_SIGNER_INFO *p7si,
{
int i;
- if (p7si->auth_attr != NULL)
- sk_X509_ATTRIBUTE_pop_free(p7si->auth_attr, X509_ATTRIBUTE_free);
+ sk_X509_ATTRIBUTE_pop_free(p7si->auth_attr, X509_ATTRIBUTE_free);
p7si->auth_attr = sk_X509_ATTRIBUTE_dup(sk);
if (p7si->auth_attr == NULL)
return 0;
@@ -1228,8 +1113,7 @@ int PKCS7_set_attributes(PKCS7_SIGNER_INFO *p7si,
{
int i;
- if (p7si->unauth_attr != NULL)
- sk_X509_ATTRIBUTE_pop_free(p7si->unauth_attr, X509_ATTRIBUTE_free);
+ sk_X509_ATTRIBUTE_pop_free(p7si->unauth_attr, X509_ATTRIBUTE_free);
p7si->unauth_attr = sk_X509_ATTRIBUTE_dup(sk);
if (p7si->unauth_attr == NULL)
return 0;
@@ -1261,11 +1145,10 @@ static int add_attribute(STACK_OF(X509_ATTRIBUTE) **sk, int nid, int atrtype,
X509_ATTRIBUTE *attr = NULL;
if (*sk == NULL) {
- *sk = sk_X509_ATTRIBUTE_new_null();
- if (*sk == NULL)
+ if ((*sk = sk_X509_ATTRIBUTE_new_null()) == NULL)
return 0;
new_attrib:
- if (!(attr = X509_ATTRIBUTE_create(nid, atrtype, value)))
+ if ((attr = X509_ATTRIBUTE_create(nid, atrtype, value)) == NULL)
return 0;
if (!sk_X509_ATTRIBUTE_push(*sk, attr)) {
X509_ATTRIBUTE_free(attr);
@@ -1276,7 +1159,7 @@ static int add_attribute(STACK_OF(X509_ATTRIBUTE) **sk, int nid, int atrtype,
for (i = 0; i < sk_X509_ATTRIBUTE_num(*sk); i++) {
attr = sk_X509_ATTRIBUTE_value(*sk, i);
- if (OBJ_obj2nid(attr->object) == nid) {
+ if (OBJ_obj2nid(X509_ATTRIBUTE_get0_object(attr)) == nid) {
X509_ATTRIBUTE_free(attr);
attr = X509_ATTRIBUTE_create(nid, atrtype, value);
if (attr == NULL)
generated by cgit v1.2.3 (git 2.39.1) at 2025-09-02 09:10:43 +0000