diff options
Diffstat (limited to 'Cryptlib/OpenSSL')
73 files changed, 450 insertions, 5615 deletions
diff --git a/Cryptlib/OpenSSL/Makefile b/Cryptlib/OpenSSL/Makefile index f8055fd3..1b80e02d 100644 --- a/Cryptlib/OpenSSL/Makefile +++ b/Cryptlib/OpenSSL/Makefile @@ -3,22 +3,22 @@ EFI_INCLUDES = -I../Include -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_IN CFLAGS = -ggdb -O0 -I. -I.. -I../Include/ -Icrypto -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar -nostdinc \ -ffreestanding -std=gnu89 -I$(shell $(CC) -print-file-name=include) \ - -Wall $(EFI_INCLUDES) -DOPENSSL_SYSNAME_UWIN -DOPENSSL_SYS_UEFI -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_SOCK -DOPENSSL_NO_CMS -DOPENSSL_NO_JPAKE -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_ERR -DOPENSSL_NO_KRB5 -DOPENSSL_NO_DYNAMIC_ENGINE -DGETPID_IS_MEANINGLESS -DOPENSSL_NO_STDIO -DOPENSSL_NO_POSIX_IO -DOPENSSL_NO_FP_API -DOPENSSL_NO_DGRAM -DOPENSSL_NO_SHA0 -DOPENSSL_NO_LHASH -DOPENSSL_NO_HW -DOPENSSL_NO_OCSP -DOPENSSL_NO_LOCKING -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_RIPEMD -DOPENSSL_NO_RC2 -DOPENSSL_NO_IDEA -DOPENSSL_NO_BF -DOPENSSL_NO_CAST -DOPENSSL_NO_WHIRLPOOL -DOPENSSL_NO_DSA -DOPENSSL_NO_EC -DOPENSSL_NO_ECDH -DOPENSSL_NO_ECDSA -DOPENSSL_NO_SRP -DOPENSSL_NO_ENGINE -DOPENSSL_SMALL_FOOTPRINT -DPEDANTIC + -Wall $(EFI_INCLUDES) -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DOPENSSL_SMALL_FOOTPRINT -DPEDANTIC ifeq ($(ARCH),x86_64) CFLAGS += -mno-mmx -mno-sse -mno-red-zone -maccumulate-outgoing-args \ - -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI -DSIXTY_FOUR_BIT_LONG \ - -DNO_BUILTIN_VA_FUNCS + -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI \ + -UNO_BUILTIN_VA_FUNCS -DMDE_CPU_IA64 endif ifeq ($(ARCH),ia32) CFLAGS += -mno-mmx -mno-sse -mno-red-zone -maccumulate-outgoing-args \ - -m32 -DTHIRTY_TWO_BIT + -m32 -DMDE_CPU_IA32 endif ifeq ($(ARCH),aarch64) - CFLAGS += -O2 -DSIXTY_FOUR_BIT_LONG + CFLAGS += -O2 -DMDE_CPU_AARCH64 endif ifeq ($(ARCH),arm) - CFLAGS += -O2 -DTHIRTY_TWO_BIT + CFLAGS += -O2 -DMDE_CPU_ARM endif LDFLAGS = -nostdlib -znocombreloc @@ -459,18 +459,6 @@ OBJS = crypto/cryptlib.o \ crypto/ui/ui_util.o \ crypto/ui/ui_compat.o \ crypto/krb5/krb5_asn.o \ - crypto/pqueue/pqueue.o \ - crypto/ts/ts_err.o \ - crypto/ts/ts_req_utils.o \ - crypto/ts/ts_req_print.o \ - crypto/ts/ts_rsp_utils.o \ - crypto/ts/ts_rsp_print.o \ - crypto/ts/ts_rsp_sign.o \ - crypto/ts/ts_rsp_verify.o \ - crypto/ts/ts_verify_ctx.o \ - crypto/ts/ts_lib.o \ - crypto/ts/ts_conf.o \ - crypto/ts/ts_asn1.o \ crypto/cmac/cmac.o \ crypto/cmac/cm_ameth.o \ crypto/cmac/cm_pmeth.o \ diff --git a/Cryptlib/OpenSSL/crypto/asn1/asn1_par.c b/Cryptlib/OpenSSL/crypto/asn1/asn1_par.c index a5d2da10..0ca985a2 100644 --- a/Cryptlib/OpenSSL/crypto/asn1/asn1_par.c +++ b/Cryptlib/OpenSSL/crypto/asn1/asn1_par.c @@ -62,6 +62,10 @@ #include <openssl/objects.h> #include <openssl/asn1.h> +#ifndef ASN1_PARSE_MAXDEPTH +#define ASN1_PARSE_MAXDEPTH 128 +#endif + static int asn1_print_info(BIO *bp, int tag, int xclass, int constructed, int indent); static int asn1_parse2(BIO *bp, const unsigned char **pp, long length, @@ -128,6 +132,12 @@ static int asn1_parse2(BIO *bp, const unsigned char **pp, long length, #else dump_indent = 6; /* Because we know BIO_dump_indent() */ #endif + + if (depth > ASN1_PARSE_MAXDEPTH) { + BIO_puts(bp, "BAD RECURSION DEPTH\n"); + return 0; + } + p = *pp; tot = p + length; op = p - 1; diff --git a/Cryptlib/OpenSSL/crypto/asn1/d2i_pr.c b/Cryptlib/OpenSSL/crypto/asn1/d2i_pr.c index c96da091..d21829af 100644 --- a/Cryptlib/OpenSSL/crypto/asn1/d2i_pr.c +++ b/Cryptlib/OpenSSL/crypto/asn1/d2i_pr.c @@ -72,6 +72,7 @@ EVP_PKEY *d2i_PrivateKey(int type, EVP_PKEY **a, const unsigned char **pp, long length) { EVP_PKEY *ret; + const unsigned char *p = *pp; if ((a == NULL) || (*a == NULL)) { if ((ret = EVP_PKEY_new()) == NULL) { @@ -94,21 +95,23 @@ EVP_PKEY *d2i_PrivateKey(int type, EVP_PKEY **a, const unsigned char **pp, } if (!ret->ameth->old_priv_decode || - !ret->ameth->old_priv_decode(ret, pp, length)) { + !ret->ameth->old_priv_decode(ret, &p, length)) { if (ret->ameth->priv_decode) { PKCS8_PRIV_KEY_INFO *p8 = NULL; - p8 = d2i_PKCS8_PRIV_KEY_INFO(NULL, pp, length); + p8 = d2i_PKCS8_PRIV_KEY_INFO(NULL, &p, length); if (!p8) goto err; EVP_PKEY_free(ret); ret = EVP_PKCS82PKEY(p8); PKCS8_PRIV_KEY_INFO_free(p8); - + if (ret == NULL) + goto err; } else { ASN1err(ASN1_F_D2I_PRIVATEKEY, ERR_R_ASN1_LIB); goto err; } } + *pp = p; if (a != NULL) (*a) = ret; return (ret); @@ -136,6 +139,7 @@ EVP_PKEY *d2i_AutoPrivateKey(EVP_PKEY **a, const unsigned char **pp, * input is surrounded by an ASN1 SEQUENCE. */ inkey = d2i_ASN1_SEQUENCE_ANY(NULL, &p, length); + p = *pp; /* * Since we only need to discern "traditional format" RSA and DSA keys we * can just count the elements. @@ -146,7 +150,7 @@ EVP_PKEY *d2i_AutoPrivateKey(EVP_PKEY **a, const unsigned char **pp, keytype = EVP_PKEY_EC; else if (sk_ASN1_TYPE_num(inkey) == 3) { /* This seems to be PKCS8, not * traditional format */ - PKCS8_PRIV_KEY_INFO *p8 = d2i_PKCS8_PRIV_KEY_INFO(NULL, pp, length); + PKCS8_PRIV_KEY_INFO *p8 = d2i_PKCS8_PRIV_KEY_INFO(NULL, &p, length); EVP_PKEY *ret; sk_ASN1_TYPE_pop_free(inkey, ASN1_TYPE_free); @@ -157,6 +161,9 @@ EVP_PKEY *d2i_AutoPrivateKey(EVP_PKEY **a, const unsigned char **pp, } ret = EVP_PKCS82PKEY(p8); PKCS8_PRIV_KEY_INFO_free(p8); + if (ret == NULL) + return NULL; + *pp = p; if (a) { *a = ret; } diff --git a/Cryptlib/OpenSSL/crypto/asn1/tasn_dec.c b/Cryptlib/OpenSSL/crypto/asn1/tasn_dec.c index 7fd336a4..9256049d 100644 --- a/Cryptlib/OpenSSL/crypto/asn1/tasn_dec.c +++ b/Cryptlib/OpenSSL/crypto/asn1/tasn_dec.c @@ -180,6 +180,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, int otag; int ret = 0; ASN1_VALUE **pchptr, *ptmpval; + int combine = aclass & ASN1_TFLG_COMBINE; + aclass &= ~ASN1_TFLG_COMBINE; if (!pval) return 0; if (aux && aux->asn1_cb) @@ -350,9 +352,9 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, } asn1_set_choice_selector(pval, i, it); - *in = p; if (asn1_cb && !asn1_cb(ASN1_OP_D2I_POST, pval, it, NULL)) goto auxerr; + *in = p; return 1; case ASN1_ITYPE_NDEF_SEQUENCE: @@ -489,9 +491,9 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, /* Save encoding */ if (!asn1_enc_save(pval, *in, p - *in, it)) goto auxerr; - *in = p; if (asn1_cb && !asn1_cb(ASN1_OP_D2I_POST, pval, it, NULL)) goto auxerr; + *in = p; return 1; default: @@ -500,7 +502,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, auxerr: ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_AUX_ERROR); err: - ASN1_item_ex_free(pval, it); + if (combine == 0) + ASN1_item_ex_free(pval, it); if (errtt) ERR_add_error_data(4, "Field=", errtt->field_name, ", Type=", it->sname); @@ -689,7 +692,7 @@ static int asn1_template_noexp_d2i(ASN1_VALUE **val, } else { /* Nothing special */ ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item), - -1, 0, opt, ctx); + -1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx); if (!ret) { ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ERR_R_NESTED_ASN1_ERROR); goto err; diff --git a/Cryptlib/OpenSSL/crypto/asn1/x_bignum.c b/Cryptlib/OpenSSL/crypto/asn1/x_bignum.c index a5a403c2..eaf04663 100644 --- a/Cryptlib/OpenSSL/crypto/asn1/x_bignum.c +++ b/Cryptlib/OpenSSL/crypto/asn1/x_bignum.c @@ -141,8 +141,9 @@ static int bn_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, int utype, char *free_cont, const ASN1_ITEM *it) { BIGNUM *bn; - if (!*pval) - bn_new(pval, it); + + if (*pval == NULL && !bn_new(pval, it)) + return 0; bn = (BIGNUM *)*pval; if (!BN_bin2bn(cont, len, bn)) { bn_free(pval, it); diff --git a/Cryptlib/OpenSSL/crypto/asn1/x_pubkey.c b/Cryptlib/OpenSSL/crypto/asn1/x_pubkey.c index 4b682018..6c57a797 100644 --- a/Cryptlib/OpenSSL/crypto/asn1/x_pubkey.c +++ b/Cryptlib/OpenSSL/crypto/asn1/x_pubkey.c @@ -188,13 +188,16 @@ EVP_PKEY *d2i_PUBKEY(EVP_PKEY **a, const unsigned char **pp, long length) { X509_PUBKEY *xpk; EVP_PKEY *pktmp; - xpk = d2i_X509_PUBKEY(NULL, pp, length); + const unsigned char *q; + q = *pp; + xpk = d2i_X509_PUBKEY(NULL, &q, length); if (!xpk) return NULL; pktmp = X509_PUBKEY_get(xpk); X509_PUBKEY_free(xpk); if (!pktmp) return NULL; + *pp = q; if (a) { EVP_PKEY_free(*a); *a = pktmp; diff --git a/Cryptlib/OpenSSL/crypto/asn1/x_x509.c b/Cryptlib/OpenSSL/crypto/asn1/x_x509.c index 5f266a26..e2cac836 100644 --- a/Cryptlib/OpenSSL/crypto/asn1/x_x509.c +++ b/Cryptlib/OpenSSL/crypto/asn1/x_x509.c @@ -180,16 +180,15 @@ X509 *d2i_X509_AUX(X509 **a, const unsigned char **pp, long length) if (!a || *a == NULL) { freeret = 1; } - ret = d2i_X509(a, pp, length); + ret = d2i_X509(a, &q, length); /* If certificate unreadable then forget it */ if (!ret) return NULL; /* update length */ - length -= *pp - q; - if (!length) - return ret; - if (!d2i_X509_CERT_AUX(&ret->aux, pp, length)) + length -= q - *pp; + if (length > 0 && !d2i_X509_CERT_AUX(&ret->aux, &q, length)) goto err; + *pp = q; return ret; err: if (freeret) { diff --git a/Cryptlib/OpenSSL/crypto/asn1/x_x509a.c b/Cryptlib/OpenSSL/crypto/asn1/x_x509a.c index 76bbc137..ad93592a 100644 --- a/Cryptlib/OpenSSL/crypto/asn1/x_x509a.c +++ b/Cryptlib/OpenSSL/crypto/asn1/x_x509a.c @@ -163,10 +163,13 @@ int X509_add1_reject_object(X509 *x, ASN1_OBJECT *obj) if (!(objtmp = OBJ_dup(obj))) return 0; if (!(aux = aux_get(x))) - return 0; + goto err; if (!aux->reject && !(aux->reject = sk_ASN1_OBJECT_new_null())) - return 0; + goto err; return sk_ASN1_OBJECT_push(aux->reject, objtmp); + err: + ASN1_OBJECT_free(objtmp); + return 0; } void X509_trust_clear(X509 *x) diff --git a/Cryptlib/OpenSSL/crypto/bio/b_dump.c b/Cryptlib/OpenSSL/crypto/bio/b_dump.c index ed8e5214..ccf0e287 100644 --- a/Cryptlib/OpenSSL/crypto/bio/b_dump.c +++ b/Cryptlib/OpenSSL/crypto/bio/b_dump.c @@ -104,7 +104,6 @@ int BIO_dump_indent_cb(int (*cb) (const void *data, size_t len, void *u), if ((rows * dump_width) < len) rows++; for (i = 0; i < rows; i++) { - buf[0] = '\0'; /* start with empty string */ BUF_strlcpy(buf, str, sizeof buf); BIO_snprintf(tmp, sizeof tmp, "%04x - ", i * dump_width); BUF_strlcat(buf, tmp, sizeof buf); diff --git a/Cryptlib/OpenSSL/crypto/bio/b_print.c b/Cryptlib/OpenSSL/crypto/bio/b_print.c index 4695827e..9091d56d 100644 --- a/Cryptlib/OpenSSL/crypto/bio/b_print.c +++ b/Cryptlib/OpenSSL/crypto/bio/b_print.c @@ -751,11 +751,7 @@ doapr_outch(char **sbuffer, /***************************************************************************/ -#if defined(OPENSSL_SYS_UEFI) -int EFIAPI BIO_printf(BIO *bio, const char *format, ...) -#else int BIO_printf(BIO *bio, const char *format, ...) -#endif { va_list args; int ret; @@ -799,11 +795,7 @@ int BIO_vprintf(BIO *bio, const char *format, va_list args) * closely related to BIO_printf, and we need *some* name prefix ... (XXX the * function should be renamed, but to what?) */ -#if defined(OPENSSL_SYS_UEFI) -int EFIAPI BIO_snprintf(char *buf, size_t n, const char *format, ...) -#else int BIO_snprintf(char *buf, size_t n, const char *format, ...) -#endif { va_list args; int ret; diff --git a/Cryptlib/OpenSSL/crypto/bio/bss_file.c b/Cryptlib/OpenSSL/crypto/bio/bss_file.c index 153b6fa2..4f13d1b4 100644 --- a/Cryptlib/OpenSSL/crypto/bio/bss_file.c +++ b/Cryptlib/OpenSSL/crypto/bio/bss_file.c @@ -115,9 +115,8 @@ static BIO_METHOD methods_filep = { NULL, }; -BIO *BIO_new_file(const char *filename, const char *mode) +static FILE *file_fopen(const char *filename, const char *mode) { - BIO *ret; FILE *file = NULL; # if defined(_WIN32) && defined(CP_UTF8) @@ -164,6 +163,14 @@ BIO *BIO_new_file(const char *filename, const char *mode) # else file = fopen(filename, mode); # endif + return (file); +} + +BIO *BIO_new_file(const char *filename, const char *mode) +{ + BIO *ret; + FILE *file = file_fopen(filename, mode); + if (file == NULL) { SYSerr(SYS_F_FOPEN, get_last_sys_error()); ERR_add_error_data(5, "fopen('", filename, "','", mode, "')"); @@ -386,7 +393,7 @@ static long MS_CALLBACK file_ctrl(BIO *b, int cmd, long num, void *ptr) else strcat(p, "t"); # endif - fp = fopen(ptr, p); + fp = file_fopen(ptr, p); if (fp == NULL) { SYSerr(SYS_F_FOPEN, get_last_sys_error()); ERR_add_error_data(5, "fopen('", ptr, "','", p, "')"); diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_exp.c b/Cryptlib/OpenSSL/crypto/bn/bn_exp.c index 24afdd60..50cf3231 100644 --- a/Cryptlib/OpenSSL/crypto/bn/bn_exp.c +++ b/Cryptlib/OpenSSL/crypto/bn/bn_exp.c @@ -662,12 +662,13 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, bn_check_top(p); bn_check_top(m); - top = m->top; - - if (!(m->d[0] & 1)) { + if (!BN_is_odd(m)) { BNerr(BN_F_BN_MOD_EXP_MONT_CONSTTIME, BN_R_CALLED_WITH_EVEN_MODULUS); return (0); } + + top = m->top; + bits = BN_num_bits(p); if (bits == 0) { ret = BN_one(rr); diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_gcd.c b/Cryptlib/OpenSSL/crypto/bn/bn_gcd.c index 97c55ab7..ce59fe70 100644 --- a/Cryptlib/OpenSSL/crypto/bn/bn_gcd.c +++ b/Cryptlib/OpenSSL/crypto/bn/bn_gcd.c @@ -583,6 +583,7 @@ static BIGNUM *BN_mod_inverse_no_branch(BIGNUM *in, * BN_div_no_branch will be called eventually. */ pB = &local_B; + local_B.flags = 0; BN_with_flags(pB, B, BN_FLG_CONSTTIME); if (!BN_nnmod(B, pB, A, ctx)) goto err; @@ -610,6 +611,7 @@ static BIGNUM *BN_mod_inverse_no_branch(BIGNUM *in, * BN_div_no_branch will be called eventually. */ pA = &local_A; + local_A.flags = 0; BN_with_flags(pA, A, BN_FLG_CONSTTIME); /* (D, M) := (A/B, A%B) ... */ diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_gf2m.c b/Cryptlib/OpenSSL/crypto/bn/bn_gf2m.c index cfa1c7ce..2c61da11 100644 --- a/Cryptlib/OpenSSL/crypto/bn/bn_gf2m.c +++ b/Cryptlib/OpenSSL/crypto/bn/bn_gf2m.c @@ -575,7 +575,7 @@ int BN_GF2m_mod_sqr_arr(BIGNUM *r, const BIGNUM *a, const int p[], bn_check_top(a); BN_CTX_start(ctx); if ((s = BN_CTX_get(ctx)) == NULL) - return 0; + goto err; if (!bn_wexpand(s, 2 * a->top)) goto err; @@ -699,18 +699,21 @@ int BN_GF2m_mod_inv(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) int top = p->top; BN_ULONG *udp, *bdp, *vdp, *cdp; - bn_wexpand(u, top); + if (!bn_wexpand(u, top)) + goto err; udp = u->d; for (i = u->top; i < top; i++) udp[i] = 0; u->top = top; - bn_wexpand(b, top); + if (!bn_wexpand(b, top)) + goto err; bdp = b->d; bdp[0] = 1; for (i = 1; i < top; i++) bdp[i] = 0; b->top = top; - bn_wexpand(c, top); + if (!bn_wexpand(c, top)) + goto err; cdp = c->d; for (i = 0; i < top; i++) cdp[i] = 0; diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_mont.c b/Cryptlib/OpenSSL/crypto/bn/bn_mont.c index aadd5db1..be95bd55 100644 --- a/Cryptlib/OpenSSL/crypto/bn/bn_mont.c +++ b/Cryptlib/OpenSSL/crypto/bn/bn_mont.c @@ -361,9 +361,9 @@ void BN_MONT_CTX_free(BN_MONT_CTX *mont) if (mont == NULL) return; - BN_free(&(mont->RR)); - BN_free(&(mont->N)); - BN_free(&(mont->Ni)); + BN_clear_free(&(mont->RR)); + BN_clear_free(&(mont->N)); + BN_clear_free(&(mont->Ni)); if (mont->flags & BN_FLG_MALLOCED) OPENSSL_free(mont); } @@ -373,6 +373,9 @@ int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx) int ret = 0; BIGNUM *Ri, *R; + if (BN_is_zero(mod)) + return 0; + BN_CTX_start(ctx); if ((Ri = BN_CTX_get(ctx)) == NULL) goto err; diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_recp.c b/Cryptlib/OpenSSL/crypto/bn/bn_recp.c index 6826f93b..7497ac62 100644 --- a/Cryptlib/OpenSSL/crypto/bn/bn_recp.c +++ b/Cryptlib/OpenSSL/crypto/bn/bn_recp.c @@ -152,8 +152,10 @@ int BN_div_recp(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, if (BN_ucmp(m, &(recp->N)) < 0) { BN_zero(d); - if (!BN_copy(r, m)) + if (!BN_copy(r, m)) { + BN_CTX_end(ctx); return 0; + } BN_CTX_end(ctx); return (1); } diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_x931p.c b/Cryptlib/OpenSSL/crypto/bn/bn_x931p.c index 6d76b128..efa48bdf 100644 --- a/Cryptlib/OpenSSL/crypto/bn/bn_x931p.c +++ b/Cryptlib/OpenSSL/crypto/bn/bn_x931p.c @@ -213,14 +213,14 @@ int BN_X931_generate_Xpq(BIGNUM *Xp, BIGNUM *Xq, int nbits, BN_CTX *ctx) * exceeded. */ if (!BN_rand(Xp, nbits, 1, 0)) - return 0; + goto err; BN_CTX_start(ctx); t = BN_CTX_get(ctx); for (i = 0; i < 1000; i++) { if (!BN_rand(Xq, nbits, 1, 0)) - return 0; + goto err; /* Check that |Xp - Xq| > 2^(nbits - 100) */ BN_sub(t, Xp, Xq); if (BN_num_bits(t) > (nbits - 100)) @@ -234,6 +234,9 @@ int BN_X931_generate_Xpq(BIGNUM *Xp, BIGNUM *Xq, int nbits, BN_CTX *ctx) return 0; + err: + BN_CTX_end(ctx); + return 0; } /* diff --git a/Cryptlib/OpenSSL/crypto/bn/rsaz_exp.h b/Cryptlib/OpenSSL/crypto/bn/rsaz_exp.h index 33361de9..229e181f 100644 --- a/Cryptlib/OpenSSL/crypto/bn/rsaz_exp.h +++ b/Cryptlib/OpenSSL/crypto/bn/rsaz_exp.h @@ -1,32 +1,44 @@ -/****************************************************************************** -* Copyright(c) 2012, Intel Corp. -* Developers and authors: -* Shay Gueron (1, 2), and Vlad Krasnov (1) -* (1) Intel Corporation, Israel Development Center, Haifa, Israel -* (2) University of Haifa, Israel +/***************************************************************************** +* * +* Copyright (c) 2012, Intel Corporation * +* * +* All rights reserved. * +* * +* Redistribution and use in source and binary forms, with or without * +* modification, are permitted provided that the following conditions are * +* met: * +* * +* * Redistributions of source code must retain the above copyright * +* notice, this list of conditions and the following disclaimer. * +* * +* * Redistributions in binary form must reproduce the above copyright * +* notice, this list of conditions and the following disclaimer in the * +* documentation and/or other materials provided with the * +* distribution. * +* * +* * Neither the name of the Intel Corporation nor the names of its * +* contributors may be used to endorse or promote products derived from * +* this software without specific prior written permission. * +* * +* * +* THIS SOFTWARE IS PROVIDED BY INTEL CORPORATION ""AS IS"" AND ANY * +* EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * +* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * +* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL INTEL CORPORATION OR * +* CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, * +* EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, * +* PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR * +* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF * +* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING * +* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS * +* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * +* * ****************************************************************************** -* LICENSE: -* This submission to OpenSSL is to be made available under the OpenSSL -* license, and only to the OpenSSL project, in order to allow integration -* into the publicly distributed code. -* The use of this code, or portions of this code, or concepts embedded in -* this code, or modification of this code and/or algorithm(s) in it, or the -* use of this code for any other purpose than stated above, requires special -* licensing. -****************************************************************************** -* DISCLAIMER: -* THIS SOFTWARE IS PROVIDED BY THE CONTRIBUTORS AND THE COPYRIGHT OWNERS -* ``AS IS''. ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED -* TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE CONTRIBUTORS OR THE COPYRIGHT -* OWNERS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, -* OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF -* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS -* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN -* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE -* POSSIBILITY OF SUCH DAMAGE. -******************************************************************************/ +* Developers and authors: * +* Shay Gueron (1, 2), and Vlad Krasnov (1) * +* (1) Intel Corporation, Israel Development Center, Haifa, Israel * +* (2) University of Haifa, Israel * +*****************************************************************************/ #ifndef RSAZ_EXP_H # define RSAZ_EXP_H diff --git a/Cryptlib/OpenSSL/crypto/buffer/buf_str.c b/Cryptlib/OpenSSL/crypto/buffer/buf_str.c index ebc5ab46..fa0d608e 100644 --- a/Cryptlib/OpenSSL/crypto/buffer/buf_str.c +++ b/Cryptlib/OpenSSL/crypto/buffer/buf_str.c @@ -58,6 +58,7 @@ #include <stdio.h> #include "cryptlib.h" +#include <limits.h> #include <openssl/buffer.h> size_t BUF_strnlen(const char *str, size_t maxlen) @@ -72,7 +73,7 @@ size_t BUF_strnlen(const char *str, size_t maxlen) char *BUF_strdup(const char *str) { if (str == NULL) - return (NULL); + return NULL; return BUF_strndup(str, strlen(str)); } @@ -81,16 +82,22 @@ char *BUF_strndup(const char *str, size_t siz) char *ret; if (str == NULL) - return (NULL); + return NULL; siz = BUF_strnlen(str, siz); + if (siz >= INT_MAX) + return NULL; + ret = OPENSSL_malloc(siz + 1); if (ret == NULL) { BUFerr(BUF_F_BUF_STRNDUP, ERR_R_MALLOC_FAILURE); - return (NULL); + return NULL; } - BUF_strlcpy(ret, str, siz + 1); + + memcpy(ret, str, siz); + ret[siz] = '\0'; + return (ret); } @@ -98,13 +105,13 @@ void *BUF_memdup(const void *data, size_t siz) { void *ret; - if (data == NULL) - return (NULL); + if (data == NULL || siz >= INT_MAX) + return NULL; ret = OPENSSL_malloc(siz); if (ret == NULL) { BUFerr(BUF_F_BUF_MEMDUP, ERR_R_MALLOC_FAILURE); - return (NULL); + return NULL; } return memcpy(ret, data, siz); } diff --git a/Cryptlib/OpenSSL/crypto/comp/c_zlib.c b/Cryptlib/OpenSSL/crypto/comp/c_zlib.c index 6731af8b..9c32614d 100644 --- a/Cryptlib/OpenSSL/crypto/comp/c_zlib.c +++ b/Cryptlib/OpenSSL/crypto/comp/c_zlib.c @@ -404,8 +404,9 @@ COMP_METHOD *COMP_zlib(void) void COMP_zlib_cleanup(void) { #ifdef ZLIB_SHARED - if (zlib_dso) + if (zlib_dso != NULL) DSO_free(zlib_dso); + zlib_dso = NULL; #endif } diff --git a/Cryptlib/OpenSSL/crypto/conf/conf_def.c b/Cryptlib/OpenSSL/crypto/conf/conf_def.c index faca9aeb..68c77cec 100644 --- a/Cryptlib/OpenSSL/crypto/conf/conf_def.c +++ b/Cryptlib/OpenSSL/crypto/conf/conf_def.c @@ -225,12 +225,11 @@ static int def_load_bio(CONF *conf, BIO *in, long *line) goto err; } - section = (char *)OPENSSL_malloc(10); + section = BUF_strdup("default"); if (section == NULL) { CONFerr(CONF_F_DEF_LOAD_BIO, ERR_R_MALLOC_FAILURE); goto err; } - BUF_strlcpy(section, "default", 10); if (_CONF_new_data(conf) == 0) { CONFerr(CONF_F_DEF_LOAD_BIO, ERR_R_MALLOC_FAILURE); diff --git a/Cryptlib/OpenSSL/crypto/conf/conf_sap.c b/Cryptlib/OpenSSL/crypto/conf/conf_sap.c index 544fe973..c042cf22 100644 --- a/Cryptlib/OpenSSL/crypto/conf/conf_sap.c +++ b/Cryptlib/OpenSSL/crypto/conf/conf_sap.c @@ -90,6 +90,7 @@ void OPENSSL_config(const char *config_name) CONF_modules_load_file(NULL, config_name, CONF_MFLAGS_DEFAULT_SECTION | CONF_MFLAGS_IGNORE_MISSING_FILE); + openssl_configured = 1; } void OPENSSL_no_config() diff --git a/Cryptlib/OpenSSL/crypto/cryptlib.c b/Cryptlib/OpenSSL/crypto/cryptlib.c index 0a59342d..c9f674ba 100644 --- a/Cryptlib/OpenSSL/crypto/cryptlib.c +++ b/Cryptlib/OpenSSL/crypto/cryptlib.c @@ -953,20 +953,32 @@ void OPENSSL_showfatal(const char *fmta, ...) # if defined(_WIN32_WINNT) && _WIN32_WINNT>=0x0333 /* this -------------v--- guards NT-specific calls */ if (check_winnt() && OPENSSL_isservice() > 0) { - HANDLE h = RegisterEventSource(0, _T("OPENSSL")); - const TCHAR *pmsg = buf; - ReportEvent(h, EVENTLOG_ERROR_TYPE, 0, 0, 0, 1, 0, &pmsg, 0); - DeregisterEventSource(h); + HANDLE hEventLog = RegisterEventSource(NULL, _T("OpenSSL")); + + if (hEventLog != NULL) { + const TCHAR *pmsg = buf; + + if (!ReportEvent(hEventLog, EVENTLOG_ERROR_TYPE, 0, 0, NULL, + 1, 0, &pmsg, NULL)) { +#if defined(DEBUG) + /* + * We are in a situation where we tried to report a critical + * error and this failed for some reason. As a last resort, + * in debug builds, send output to the debugger or any other + * tool like DebugView which can monitor the output. + */ + OutputDebugString(pmsg); +#endif + } + + (void)DeregisterEventSource(hEventLog); + } } else # endif - MessageBox(NULL, buf, _T("OpenSSL: FATAL"), MB_OK | MB_ICONSTOP); + MessageBox(NULL, buf, _T("OpenSSL: FATAL"), MB_OK | MB_ICONERROR); } #else -# if defined(OPENSSL_SYS_UEFI) -void EFIAPI OPENSSL_showfatal(const char *fmta, ...) -# else void OPENSSL_showfatal(const char *fmta, ...) -# endif { va_list ap; diff --git a/Cryptlib/OpenSSL/crypto/cryptlib.h b/Cryptlib/OpenSSL/crypto/cryptlib.h index 7ca4c99f..fba180a6 100644 --- a/Cryptlib/OpenSSL/crypto/cryptlib.h +++ b/Cryptlib/OpenSSL/crypto/cryptlib.h @@ -100,11 +100,7 @@ extern "C" { void OPENSSL_cpuid_setup(void); extern unsigned int OPENSSL_ia32cap_P[]; -# if defined(OPENSSL_SYS_UEFI) -void EFIAPI OPENSSL_showfatal(const char *fmta, ...); -# else void OPENSSL_showfatal(const char *fmta, ...); -# endif void *OPENSSL_stderr(void); extern int OPENSSL_NONPIC_relocated; diff --git a/Cryptlib/OpenSSL/crypto/err/err.c b/Cryptlib/OpenSSL/crypto/err/err.c index f98cce6a..e77d963b 100644 --- a/Cryptlib/OpenSSL/crypto/err/err.c +++ b/Cryptlib/OpenSSL/crypto/err/err.c @@ -1072,12 +1072,7 @@ void ERR_set_error_data(char *data, int flags) es->err_data_flags[i] = flags; } -/* Add EFIAPI for UEFI version. */ -#if defined(OPENSSL_SYS_UEFI) -void EFIAPI ERR_add_error_data(int num, ...) -#else void ERR_add_error_data(int num, ...) -#endif { va_list args; va_start(args, num); diff --git a/Cryptlib/OpenSSL/crypto/evp/e_aes_cbc_hmac_sha256.c b/Cryptlib/OpenSSL/crypto/evp/e_aes_cbc_hmac_sha256.c index b1c586e6..37800213 100644 --- a/Cryptlib/OpenSSL/crypto/evp/e_aes_cbc_hmac_sha256.c +++ b/Cryptlib/OpenSSL/crypto/evp/e_aes_cbc_hmac_sha256.c @@ -498,7 +498,18 @@ static int aesni_cbc_hmac_sha256_cipher(EVP_CIPHER_CTX *ctx, iv = AES_BLOCK_SIZE; # if defined(STITCHED_CALL) + /* + * Assembly stitch handles AVX-capable processors, but its + * performance is not optimal on AMD Jaguar, ~40% worse, for + * unknown reasons. Incidentally processor in question supports + * AVX, but not AMD-specific XOP extension, which can be used + * to identify it and avoid stitch invocation. So that after we + * establish that current CPU supports AVX, we even see if it's + * either even XOP-capable Bulldozer-based or GenuineIntel one. + */ if (OPENSSL_ia32cap_P[1] & (1 << (60 - 32)) && /* AVX? */ + ((OPENSSL_ia32cap_P[1] & (1 << (43 - 32))) /* XOP? */ + | (OPENSSL_ia32cap_P[0] & (1<<30))) && /* "Intel CPU"? */ plen > (sha_off + iv) && (blocks = (plen - (sha_off + iv)) / SHA256_CBLOCK)) { SHA256_Update(&key->md, in + iv, sha_off); @@ -816,8 +827,6 @@ static int aesni_cbc_hmac_sha256_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, if (arg != EVP_AEAD_TLS1_AAD_LEN) return -1; - len = p[arg - 2] << 8 | p[arg - 1]; - if (ctx->encrypt) { key->payload_length = len; if ((key->aux.tls_ver = diff --git a/Cryptlib/OpenSSL/crypto/evp/e_des3.c b/Cryptlib/OpenSSL/crypto/evp/e_des3.c index 96f272eb..bf6c1d2d 100644 --- a/Cryptlib/OpenSSL/crypto/evp/e_des3.c +++ b/Cryptlib/OpenSSL/crypto/evp/e_des3.c @@ -289,7 +289,7 @@ static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, # endif # ifdef EVP_CHECK_DES_KEY if (DES_set_key_checked(&deskey[0], &dat->ks1) - ! !DES_set_key_checked(&deskey[1], &dat->ks2)) + || DES_set_key_checked(&deskey[1], &dat->ks2)) return 0; # else DES_set_key_unchecked(&deskey[0], &dat->ks1); diff --git a/Cryptlib/OpenSSL/crypto/evp/encode.c b/Cryptlib/OpenSSL/crypto/evp/encode.c index c361d1f0..c6abc4ae 100644 --- a/Cryptlib/OpenSSL/crypto/evp/encode.c +++ b/Cryptlib/OpenSSL/crypto/evp/encode.c @@ -60,9 +60,9 @@ #include "cryptlib.h" #include <openssl/evp.h> +static unsigned char conv_ascii2bin(unsigned char a); #ifndef CHARSET_EBCDIC # define conv_bin2ascii(a) (data_bin2ascii[(a)&0x3f]) -# define conv_ascii2bin(a) (data_ascii2bin[(a)&0x7f]) #else /* * We assume that PEM encoded files are EBCDIC files (i.e., printable text @@ -71,7 +71,6 @@ * as the underlying textstring data_bin2ascii[] is already EBCDIC) */ # define conv_bin2ascii(a) (data_bin2ascii[(a)&0x3f]) -# define conv_ascii2bin(a) (data_ascii2bin[os_toascii[a]&0x7f]) #endif /*- @@ -103,6 +102,7 @@ abcdefghijklmnopqrstuvwxyz0123456789+/"; #define B64_WS 0xE0 #define B64_ERROR 0xFF #define B64_NOT_BASE64(a) (((a)|0x13) == 0xF3) +#define B64_BASE64(a) !B64_NOT_BASE64(a) static const unsigned char data_ascii2bin[128] = { 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, @@ -123,6 +123,23 @@ static const unsigned char data_ascii2bin[128] = { 0x31, 0x32, 0x33, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, }; +#ifndef CHARSET_EBCDIC +static unsigned char conv_ascii2bin(unsigned char a) +{ + if (a & 0x80) + return B64_ERROR; + return data_ascii2bin[a]; +} +#else +static unsigned char conv_ascii2bin(unsigned char a) +{ + a = os_toascii[a]; + if (a & 0x80) + return B64_ERROR; + return data_ascii2bin[a]; +} +#endif + void EVP_EncodeInit(EVP_ENCODE_CTX *ctx) { ctx->length = 48; @@ -218,8 +235,9 @@ int EVP_EncodeBlock(unsigned char *t, const unsigned char *f, int dlen) void EVP_DecodeInit(EVP_ENCODE_CTX *ctx) { - ctx->length = 30; + /* Only ctx->num is used during decoding. */ ctx->num = 0; + ctx->length = 0; ctx->line_num = 0; ctx->expect_nl = 0; } @@ -228,139 +246,123 @@ void EVP_DecodeInit(EVP_ENCODE_CTX *ctx) * -1 for error * 0 for last line * 1 for full line + * + * Note: even though EVP_DecodeUpdate attempts to detect and report end of + * content, the context doesn't currently remember it and will accept more data + * in the next call. Therefore, the caller is responsible for checking and + * rejecting a 0 return value in the middle of content. + * + * Note: even though EVP_DecodeUpdate has historically tried to detect end of + * content based on line length, this has never worked properly. Therefore, + * we now return 0 when one of the following is true: + * - Padding or B64_EOF was detected and the last block is complete. + * - Input has zero-length. + * -1 is returned if: + * - Invalid characters are detected. + * - There is extra trailing padding, or data after padding. + * - B64_EOF is detected after an incomplete base64 block. */ int EVP_DecodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl, const unsigned char *in, int inl) { - int seof = -1, eof = 0, rv = -1, ret = 0, i, v, tmp, n, ln, exp_nl; + int seof = 0, eof = 0, rv = -1, ret = 0, i, v, tmp, n, decoded_len; unsigned char *d; n = ctx->num; d = ctx->enc_data; - ln = ctx->line_num; - exp_nl = ctx->expect_nl; - /* last line of input. */ - if ((inl == 0) || ((n == 0) && (conv_ascii2bin(in[0]) == B64_EOF))) { + if (n > 0 && d[n - 1] == '=') { + eof++; + if (n > 1 && d[n - 2] == '=') + eof++; + } + + /* Legacy behaviour: an empty input chunk signals end of input. */ + if (inl == 0) { rv = 0; goto end; } - /* We parse the input data */ for (i = 0; i < inl; i++) { - /* If the current line is > 80 characters, scream a lot */ - if (ln >= 80) { - rv = -1; - goto end; - } - - /* Get char and put it into the buffer */ tmp = *(in++); v = conv_ascii2bin(tmp); - /* only save the good data :-) */ - if (!B64_NOT_BASE64(v)) { - OPENSSL_assert(n < (int)sizeof(ctx->enc_data)); - d[n++] = tmp; - ln++; - } else if (v == B64_ERROR) { + if (v == B64_ERROR) { rv = -1; goto end; } - /* - * have we seen a '=' which is 'definitly' the last input line. seof - * will point to the character that holds it. and eof will hold how - * many characters to chop off. - */ if (tmp == '=') { - if (seof == -1) - seof = n; eof++; + } else if (eof > 0 && B64_BASE64(v)) { + /* More data after padding. */ + rv = -1; + goto end; } - if (v == B64_CR) { - ln = 0; - if (exp_nl) - continue; + if (eof > 2) { + rv = -1; + goto end; } - /* eoln */ - if (v == B64_EOLN) { - ln = 0; - if (exp_nl) { - exp_nl = 0; - continue; - } - } - exp_nl = 0; - - /* - * If we are at the end of input and it looks like a line, process - * it. - */ - if (((i + 1) == inl) && (((n & 3) == 0) || eof)) { - v = B64_EOF; - /* - * In case things were given us in really small records (so two - * '=' were given in separate updates), eof may contain the - * incorrect number of ending bytes to skip, so let's redo the - * count - */ - eof = 0; - if (d[n - 1] == '=') - eof++; - if (d[n - 2] == '=') - eof++; - /* There will never be more than two '=' */ + if (v == B64_EOF) { + seof = 1; + goto tail; } - if ((v == B64_EOF && (n & 3) == 0) || (n >= 64)) { - /* - * This is needed to work correctly on 64 byte input lines. We - * process the line and then need to accept the '\n' - */ - if ((v != B64_EOF) && (n >= 64)) - exp_nl = 1; - if (n > 0) { - v = EVP_DecodeBlock(out, d, n); - n = 0; - if (v < 0) { - rv = 0; - goto end; - } - if (eof > v) { - rv = -1; - goto end; - } - ret += (v - eof); - } else { - eof = 1; - v = 0; + /* Only save valid base64 characters. */ + if (B64_BASE64(v)) { + if (n >= 64) { + /* + * We increment n once per loop, and empty the buffer as soon as + * we reach 64 characters, so this can only happen if someone's + * manually messed with the ctx. Refuse to write any more data. + */ + rv = -1; + goto end; } + OPENSSL_assert(n < (int)sizeof(ctx->enc_data)); + d[n++] = tmp; + } - /* - * This is the case where we have had a short but valid input - * line - */ - if ((v < ctx->length) && eof) { - rv = 0; + if (n == 64) { + decoded_len = EVP_DecodeBlock(out, d, n); + n = 0; + if (decoded_len < 0 || eof > decoded_len) { + rv = -1; goto end; - } else - ctx->length = v; + } + ret += decoded_len - eof; + out += decoded_len - eof; + } + } - if (seof >= 0) { - rv = 0; + /* + * Legacy behaviour: if the current line is a full base64-block (i.e., has + * 0 mod 4 base64 characters), it is processed immediately. We keep this + * behaviour as applications may not be calling EVP_DecodeFinal properly. + */ +tail: + if (n > 0) { + if ((n & 3) == 0) { + decoded_len = EVP_DecodeBlock(out, d, n); + n = 0; + if (decoded_len < 0 || eof > decoded_len) { + rv = -1; goto end; } - out += v; + ret += (decoded_len - eof); + } else if (seof) { + /* EOF in the middle of a base64 block. */ + rv = -1; + goto end; } } - rv = 1; - end: + + rv = seof || (n == 0 && eof) ? 0 : 1; +end: + /* Legacy behaviour. This should probably rather be zeroed on error. */ *outl = ret; ctx->num = n; - ctx->line_num = ln; - ctx->expect_nl = exp_nl; return (rv); } diff --git a/Cryptlib/OpenSSL/crypto/evp/evp_key.c b/Cryptlib/OpenSSL/crypto/evp/evp_key.c index 71fa627b..5be9e336 100644 --- a/Cryptlib/OpenSSL/crypto/evp/evp_key.c +++ b/Cryptlib/OpenSSL/crypto/evp/evp_key.c @@ -104,6 +104,8 @@ int EVP_read_pw_string_min(char *buf, int min, int len, const char *prompt, if ((prompt == NULL) && (prompt_string[0] != '\0')) prompt = prompt_string; ui = UI_new(); + if (ui == NULL) + return -1; UI_add_input_string(ui, prompt, 0, buf, min, (len >= BUFSIZ) ? BUFSIZ - 1 : len); if (verify) @@ -137,7 +139,7 @@ int EVP_BytesToKey(const EVP_CIPHER *type, const EVP_MD *md, EVP_MD_CTX_init(&c); for (;;) { if (!EVP_DigestInit_ex(&c, md, NULL)) - return 0; + goto err; if (addmd++) if (!EVP_DigestUpdate(&c, &(md_buf[0]), mds)) goto err; @@ -188,6 +190,6 @@ int EVP_BytesToKey(const EVP_CIPHER *type, const EVP_MD *md, rv = type->key_len; err: EVP_MD_CTX_cleanup(&c); - OPENSSL_cleanse(&(md_buf[0]), EVP_MAX_MD_SIZE); + OPENSSL_cleanse(md_buf, sizeof(md_buf)); return rv; } diff --git a/Cryptlib/OpenSSL/crypto/evp/evp_lib.c b/Cryptlib/OpenSSL/crypto/evp/evp_lib.c index a53a27ca..7e0bab90 100644 --- a/Cryptlib/OpenSSL/crypto/evp/evp_lib.c +++ b/Cryptlib/OpenSSL/crypto/evp/evp_lib.c @@ -72,11 +72,22 @@ int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type) if (c->cipher->set_asn1_parameters != NULL) ret = c->cipher->set_asn1_parameters(c, type); else if (c->cipher->flags & EVP_CIPH_FLAG_DEFAULT_ASN1) { - if (EVP_CIPHER_CTX_mode(c) == EVP_CIPH_WRAP_MODE) { - ASN1_TYPE_set(type, V_ASN1_NULL, NULL); + switch (EVP_CIPHER_CTX_mode(c)) { + case EVP_CIPH_WRAP_MODE: + if (EVP_CIPHER_CTX_nid(c) == NID_id_smime_alg_CMS3DESwrap) + ASN1_TYPE_set(type, V_ASN1_NULL, NULL); ret = 1; - } else + break; + + case EVP_CIPH_GCM_MODE: + case EVP_CIPH_CCM_MODE: + case EVP_CIPH_XTS_MODE: + ret = -1; + break; + + default: ret = EVP_CIPHER_set_asn1_iv(c, type); + } } else ret = -1; return (ret); @@ -89,9 +100,22 @@ int EVP_CIPHER_asn1_to_param(EVP_CIPHER_CTX *c, ASN1_TYPE *type) if (c->cipher->get_asn1_parameters != NULL) ret = c->cipher->get_asn1_parameters(c, type); else if (c->cipher->flags & EVP_CIPH_FLAG_DEFAULT_ASN1) { - if (EVP_CIPHER_CTX_mode(c) == EVP_CIPH_WRAP_MODE) - return 1; - ret = EVP_CIPHER_get_asn1_iv(c, type); + switch (EVP_CIPHER_CTX_mode(c)) { + + case EVP_CIPH_WRAP_MODE: + ret = 1; + break; + + case EVP_CIPH_GCM_MODE: + case EVP_CIPH_CCM_MODE: + case EVP_CIPH_XTS_MODE: + ret = -1; + break; + + default: + ret = EVP_CIPHER_get_asn1_iv(c, type); + break; + } } else ret = -1; return (ret); diff --git a/Cryptlib/OpenSSL/crypto/evp/evp_pbe.c b/Cryptlib/OpenSSL/crypto/evp/evp_pbe.c index e3fa95db..7934c95f 100644 --- a/Cryptlib/OpenSSL/crypto/evp/evp_pbe.c +++ b/Cryptlib/OpenSSL/crypto/evp/evp_pbe.c @@ -228,12 +228,16 @@ int EVP_PBE_alg_add_type(int pbe_type, int pbe_nid, int cipher_nid, int md_nid, EVP_PBE_KEYGEN *keygen) { EVP_PBE_CTL *pbe_tmp; - if (!pbe_algs) + + if (pbe_algs == NULL) { pbe_algs = sk_EVP_PBE_CTL_new(pbe_cmp); - if (!(pbe_tmp = (EVP_PBE_CTL *)OPENSSL_malloc(sizeof(EVP_PBE_CTL)))) { - EVPerr(EVP_F_EVP_PBE_ALG_ADD_TYPE, ERR_R_MALLOC_FAILURE); - return 0; + if (pbe_algs == NULL) + goto err; } + + if ((pbe_tmp = OPENSSL_malloc(sizeof(*pbe_tmp))) == NULL) + goto err; + pbe_tmp->pbe_type = pbe_type; pbe_tmp->pbe_nid = pbe_nid; pbe_tmp->cipher_nid = cipher_nid; @@ -242,6 +246,10 @@ int EVP_PBE_alg_add_type(int pbe_type, int pbe_nid, int cipher_nid, sk_EVP_PBE_CTL_push(pbe_algs, pbe_tmp); return 1; + + err: + EVPerr(EVP_F_EVP_PBE_ALG_ADD_TYPE, ERR_R_MALLOC_FAILURE); + return 0; } int EVP_PBE_alg_add(int nid, const EVP_CIPHER *cipher, const EVP_MD *md, diff --git a/Cryptlib/OpenSSL/crypto/evp/p_lib.c b/Cryptlib/OpenSSL/crypto/evp/p_lib.c index 1171d308..c0171244 100644 --- a/Cryptlib/OpenSSL/crypto/evp/p_lib.c +++ b/Cryptlib/OpenSSL/crypto/evp/p_lib.c @@ -253,7 +253,7 @@ int EVP_PKEY_set_type_str(EVP_PKEY *pkey, const char *str, int len) int EVP_PKEY_assign(EVP_PKEY *pkey, int type, void *key) { - if (!EVP_PKEY_set_type(pkey, type)) + if (pkey == NULL || !EVP_PKEY_set_type(pkey, type)) return 0; pkey->pkey.ptr = key; return (key != NULL); diff --git a/Cryptlib/OpenSSL/crypto/evp/pmeth_gn.c b/Cryptlib/OpenSSL/crypto/evp/pmeth_gn.c index 59f81342..6435f1b6 100644 --- a/Cryptlib/OpenSSL/crypto/evp/pmeth_gn.c +++ b/Cryptlib/OpenSSL/crypto/evp/pmeth_gn.c @@ -96,12 +96,17 @@ int EVP_PKEY_paramgen(EVP_PKEY_CTX *ctx, EVP_PKEY **ppkey) return -1; } - if (!ppkey) + if (ppkey == NULL) return -1; - if (!*ppkey) + if (*ppkey == NULL) *ppkey = EVP_PKEY_new(); + if (*ppkey == NULL) { + EVPerr(EVP_F_EVP_PKEY_PARAMGEN, ERR_R_MALLOC_FAILURE); + return -1; + } + ret = ctx->pmeth->paramgen(ctx, *ppkey); if (ret <= 0) { EVP_PKEY_free(*ppkey); diff --git a/Cryptlib/OpenSSL/crypto/hmac/hm_ameth.c b/Cryptlib/OpenSSL/crypto/hmac/hm_ameth.c index 29b2b5df..944c6c85 100644 --- a/Cryptlib/OpenSSL/crypto/hmac/hm_ameth.c +++ b/Cryptlib/OpenSSL/crypto/hmac/hm_ameth.c @@ -108,9 +108,14 @@ static int old_hmac_decode(EVP_PKEY *pkey, ASN1_OCTET_STRING *os; os = ASN1_OCTET_STRING_new(); if (!os || !ASN1_OCTET_STRING_set(os, *pder, derlen)) - return 0; - EVP_PKEY_assign(pkey, EVP_PKEY_HMAC, os); + goto err; + if (!EVP_PKEY_assign(pkey, EVP_PKEY_HMAC, os)) + goto err; return 1; + + err: + ASN1_OCTET_STRING_free(os); + return 0; } static int old_hmac_encode(const EVP_PKEY *pkey, unsigned char **pder) diff --git a/Cryptlib/OpenSSL/crypto/mem_clr.c b/Cryptlib/OpenSSL/crypto/mem_clr.c index 3df1f392..1a06636d 100644 --- a/Cryptlib/OpenSSL/crypto/mem_clr.c +++ b/Cryptlib/OpenSSL/crypto/mem_clr.c @@ -66,6 +66,10 @@ void OPENSSL_cleanse(void *ptr, size_t len) { unsigned char *p = ptr; size_t loop = len, ctr = cleanse_ctr; + + if (ptr == NULL) + return; + while (loop--) { *(p++) = (unsigned char)ctr; ctr += (17 + ((size_t)p & 0xF)); diff --git a/Cryptlib/OpenSSL/crypto/modes/wrap128.c b/Cryptlib/OpenSSL/crypto/modes/wrap128.c index 4dcaf032..38497837 100644 --- a/Cryptlib/OpenSSL/crypto/modes/wrap128.c +++ b/Cryptlib/OpenSSL/crypto/modes/wrap128.c @@ -76,7 +76,7 @@ size_t CRYPTO_128_wrap(void *key, const unsigned char *iv, return 0; A = B; t = 1; - memcpy(out + 8, in, inlen); + memmove(out + 8, in, inlen); if (!iv) iv = default_iv; @@ -113,7 +113,7 @@ size_t CRYPTO_128_unwrap(void *key, const unsigned char *iv, A = B; t = 6 * (inlen >> 3); memcpy(A, in, 8); - memcpy(out, in + 8, inlen); + memmove(out, in + 8, inlen); for (j = 0; j < 6; j++) { R = out + inlen - 8; for (i = 0; i < inlen; i += 8, t--, R -= 8) { diff --git a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_lib.c b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_lib.c index 442a5b63..cabf5393 100644 --- a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_lib.c +++ b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_lib.c @@ -246,12 +246,6 @@ int OCSP_parse_url(const char *url, char **phost, char **pport, char **ppath, if ((p = strchr(p, ':'))) { *p = 0; port = p + 1; - } else { - /* Not found: set default port */ - if (*pssl) - port = "443"; - else - port = "80"; } *pport = BUF_strdup(port); diff --git a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_prn.c b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_prn.c index 1834256a..47d5f83e 100644 --- a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_prn.c +++ b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_prn.c @@ -212,8 +212,7 @@ int OCSP_RESPONSE_print(BIO *bp, OCSP_RESPONSE *o, unsigned long flags) return 1; } - i = ASN1_STRING_length(rb->response); - if (!(br = OCSP_response_get1_basic(o))) + if ((br = OCSP_response_get1_basic(o)) == NULL) goto err; rd = br->tbsResponseData; l = ASN1_INTEGER_get(rd->version); diff --git a/Cryptlib/OpenSSL/crypto/pem/pem_info.c b/Cryptlib/OpenSSL/crypto/pem/pem_info.c index 68747d16..4d736a1d 100644 --- a/Cryptlib/OpenSSL/crypto/pem/pem_info.c +++ b/Cryptlib/OpenSSL/crypto/pem/pem_info.c @@ -172,6 +172,8 @@ STACK_OF(X509_INFO) *PEM_X509_INFO_read_bio(BIO *bp, STACK_OF(X509_INFO) *sk, xi->enc_len = 0; xi->x_pkey = X509_PKEY_new(); + if (xi->x_pkey == NULL) + goto err; ptype = EVP_PKEY_RSA; pp = &xi->x_pkey->dec_pkey; if ((int)strlen(header) > 10) /* assume encrypted */ @@ -193,6 +195,8 @@ STACK_OF(X509_INFO) *PEM_X509_INFO_read_bio(BIO *bp, STACK_OF(X509_INFO) *sk, xi->enc_len = 0; xi->x_pkey = X509_PKEY_new(); + if (xi->x_pkey == NULL) + goto err; ptype = EVP_PKEY_DSA; pp = &xi->x_pkey->dec_pkey; if ((int)strlen(header) > 10) /* assume encrypted */ @@ -214,6 +218,8 @@ STACK_OF(X509_INFO) *PEM_X509_INFO_read_bio(BIO *bp, STACK_OF(X509_INFO) *sk, xi->enc_len = 0; xi->x_pkey = X509_PKEY_new(); + if (xi->x_pkey == NULL) + goto err; ptype = EVP_PKEY_EC; pp = &xi->x_pkey->dec_pkey; if ((int)strlen(header) > 10) /* assume encrypted */ diff --git a/Cryptlib/OpenSSL/crypto/pem/pvkfmt.c b/Cryptlib/OpenSSL/crypto/pem/pvkfmt.c index ee4b6a82..82d45273 100644 --- a/Cryptlib/OpenSSL/crypto/pem/pvkfmt.c +++ b/Cryptlib/OpenSSL/crypto/pem/pvkfmt.c @@ -624,13 +624,11 @@ static int do_PVK_header(const unsigned char **in, unsigned int length, PEMerr(PEM_F_DO_PVK_HEADER, PEM_R_PVK_TOO_SHORT); return 0; } - length -= 20; } else { if (length < 24) { PEMerr(PEM_F_DO_PVK_HEADER, PEM_R_PVK_TOO_SHORT); return 0; } - length -= 24; pvk_magic = read_ledword(&p); if (pvk_magic != MS_PVKMAGIC) { PEMerr(PEM_F_DO_PVK_HEADER, PEM_R_BAD_MAGIC_NUMBER); @@ -692,23 +690,23 @@ static EVP_PKEY *do_PVK_body(const unsigned char **in, inlen = PEM_def_callback(psbuf, PEM_BUFSIZE, 0, u); if (inlen <= 0) { PEMerr(PEM_F_DO_PVK_BODY, PEM_R_BAD_PASSWORD_READ); - return NULL; + goto err; } enctmp = OPENSSL_malloc(keylen + 8); if (!enctmp) { PEMerr(PEM_F_DO_PVK_BODY, ERR_R_MALLOC_FAILURE); - return NULL; + goto err; } if (!derive_pvk_key(keybuf, p, saltlen, (unsigned char *)psbuf, inlen)) - return NULL; + goto err; p += saltlen; /* Copy BLOBHEADER across, decrypt rest */ memcpy(enctmp, p, 8); p += 8; if (keylen < 8) { PEMerr(PEM_F_DO_PVK_BODY, PEM_R_PVK_TOO_SHORT); - return NULL; + goto err; } inlen = keylen - 8; q = enctmp + 8; diff --git a/Cryptlib/OpenSSL/crypto/pkcs12/p12_add.c b/Cryptlib/OpenSSL/crypto/pkcs12/p12_add.c index 982805d9..d9f03a39 100644 --- a/Cryptlib/OpenSSL/crypto/pkcs12/p12_add.c +++ b/Cryptlib/OpenSSL/crypto/pkcs12/p12_add.c @@ -75,15 +75,19 @@ PKCS12_SAFEBAG *PKCS12_item_pack_safebag(void *obj, const ASN1_ITEM *it, bag->type = OBJ_nid2obj(nid1); if (!ASN1_item_pack(obj, it, &bag->value.octet)) { PKCS12err(PKCS12_F_PKCS12_ITEM_PACK_SAFEBAG, ERR_R_MALLOC_FAILURE); - return NULL; + goto err; } if (!(safebag = PKCS12_SAFEBAG_new())) { PKCS12err(PKCS12_F_PKCS12_ITEM_PACK_SAFEBAG, ERR_R_MALLOC_FAILURE); - return NULL; + goto err; } safebag->value.bag = bag; safebag->type = OBJ_nid2obj(nid2); return safebag; + + err: + PKCS12_BAGS_free(bag); + return NULL; } /* Turn PKCS8 object into a keybag */ @@ -127,6 +131,7 @@ PKCS12_SAFEBAG *PKCS12_MAKE_SHKEYBAG(int pbe_nid, const char *pass, PKCS8_encrypt(pbe_nid, pbe_ciph, pass, passlen, salt, saltlen, iter, p8))) { PKCS12err(PKCS12_F_PKCS12_MAKE_SHKEYBAG, ERR_R_MALLOC_FAILURE); + PKCS12_SAFEBAG_free(bag); return NULL; } @@ -144,14 +149,18 @@ PKCS7 *PKCS12_pack_p7data(STACK_OF(PKCS12_SAFEBAG) *sk) p7->type = OBJ_nid2obj(NID_pkcs7_data); if (!(p7->d.data = M_ASN1_OCTET_STRING_new())) { PKCS12err(PKCS12_F_PKCS12_PACK_P7DATA, ERR_R_MALLOC_FAILURE); - return NULL; + goto err; } if (!ASN1_item_pack(sk, ASN1_ITEM_rptr(PKCS12_SAFEBAGS), &p7->d.data)) { PKCS12err(PKCS12_F_PKCS12_PACK_P7DATA, PKCS12_R_CANT_PACK_STRUCTURE); - return NULL; + goto err; } return p7; + + err: + PKCS7_free(p7); + return NULL; } /* Unpack SAFEBAGS from PKCS#7 data ContentInfo */ @@ -181,7 +190,7 @@ PKCS7 *PKCS12_pack_p7encdata(int pbe_nid, const char *pass, int passlen, if (!PKCS7_set_type(p7, NID_pkcs7_encrypted)) { PKCS12err(PKCS12_F_PKCS12_PACK_P7ENCDATA, PKCS12_R_ERROR_SETTING_ENCRYPTED_DATA_TYPE); - return NULL; + goto err; } pbe_ciph = EVP_get_cipherbynid(pbe_nid); @@ -193,7 +202,7 @@ PKCS7 *PKCS12_pack_p7encdata(int pbe_nid, const char *pass, int passlen, if (!pbe) { PKCS12err(PKCS12_F_PKCS12_PACK_P7ENCDATA, ERR_R_MALLOC_FAILURE); - return NULL; + goto err; } X509_ALGOR_free(p7->d.encrypted->enc_data->algorithm); p7->d.encrypted->enc_data->algorithm = pbe; @@ -202,10 +211,14 @@ PKCS7 *PKCS12_pack_p7encdata(int pbe_nid, const char *pass, int passlen, PKCS12_item_i2d_encrypt(pbe, ASN1_ITEM_rptr(PKCS12_SAFEBAGS), pass, passlen, bags, 1))) { PKCS12err(PKCS12_F_PKCS12_PACK_P7ENCDATA, PKCS12_R_ENCRYPT_ERROR); - return NULL; + goto err; } return p7; + + err: + PKCS7_free(p7); + return NULL; } STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7encdata(PKCS7 *p7, const char *pass, diff --git a/Cryptlib/OpenSSL/crypto/pkcs12/p12_crpt.c b/Cryptlib/OpenSSL/crypto/pkcs12/p12_crpt.c index 3a166e61..9c2dcab0 100644 --- a/Cryptlib/OpenSSL/crypto/pkcs12/p12_crpt.c +++ b/Cryptlib/OpenSSL/crypto/pkcs12/p12_crpt.c @@ -77,6 +77,9 @@ int PKCS12_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen, const unsigned char *pbuf; unsigned char key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH]; + if (cipher == NULL) + return 0; + /* Extract useful info from parameter */ if (param == NULL || param->type != V_ASN1_SEQUENCE || param->value.sequence == NULL) { diff --git a/Cryptlib/OpenSSL/crypto/pkcs12/p12_mutl.c b/Cryptlib/OpenSSL/crypto/pkcs12/p12_mutl.c index 5ab4bf29..a9277827 100644 --- a/Cryptlib/OpenSSL/crypto/pkcs12/p12_mutl.c +++ b/Cryptlib/OpenSSL/crypto/pkcs12/p12_mutl.c @@ -173,11 +173,11 @@ int PKCS12_setup_mac(PKCS12 *p12, int iter, unsigned char *salt, int saltlen, } if (!saltlen) saltlen = PKCS12_SALT_LEN; - p12->mac->salt->length = saltlen; - if (!(p12->mac->salt->data = OPENSSL_malloc(saltlen))) { + if ((p12->mac->salt->data = OPENSSL_malloc(saltlen)) == NULL) { PKCS12err(PKCS12_F_PKCS12_SETUP_MAC, ERR_R_MALLOC_FAILURE); return 0; } + p12->mac->salt->length = saltlen; if (!salt) { if (RAND_pseudo_bytes(p12->mac->salt->data, saltlen) < 0) return 0; diff --git a/Cryptlib/OpenSSL/crypto/pkcs7/pk7_doit.c b/Cryptlib/OpenSSL/crypto/pkcs7/pk7_doit.c index c8d7db01..946aaa65 100644 --- a/Cryptlib/OpenSSL/crypto/pkcs7/pk7_doit.c +++ b/Cryptlib/OpenSSL/crypto/pkcs7/pk7_doit.c @@ -656,6 +656,8 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert) bio = BIO_new_mem_buf(data_body->data, data_body->length); else { bio = BIO_new(BIO_s_mem()); + if (bio == NULL) + goto err; BIO_set_mem_eof_return(bio, 0); } if (bio == NULL) @@ -1156,7 +1158,6 @@ PKCS7_ISSUER_AND_SERIAL *PKCS7_get_issuer_and_serial(PKCS7 *p7, int idx) rsk = p7->d.signed_and_enveloped->recipientinfo; if (rsk == NULL) return NULL; - ri = sk_PKCS7_RECIP_INFO_value(rsk, 0); if (sk_PKCS7_RECIP_INFO_num(rsk) <= idx) return (NULL); ri = sk_PKCS7_RECIP_INFO_value(rsk, idx); diff --git a/Cryptlib/OpenSSL/crypto/pkcs7/pk7_smime.c b/Cryptlib/OpenSSL/crypto/pkcs7/pk7_smime.c index 71afa212..75491d12 100644 --- a/Cryptlib/OpenSSL/crypto/pkcs7/pk7_smime.c +++ b/Cryptlib/OpenSSL/crypto/pkcs7/pk7_smime.c @@ -257,8 +257,8 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, char *buf = NULL; int bufsiz; int i, j = 0, k, ret = 0; - BIO *p7bio; - BIO *tmpin, *tmpout; + BIO *p7bio = NULL; + BIO *tmpin = NULL, *tmpout = NULL; if (!p7) { PKCS7err(PKCS7_F_PKCS7_VERIFY, PKCS7_R_INVALID_NULL_POINTER); @@ -275,18 +275,6 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, PKCS7err(PKCS7_F_PKCS7_VERIFY, PKCS7_R_NO_CONTENT); return 0; } -#if 0 - /* - * NB: this test commented out because some versions of Netscape - * illegally include zero length content when signing data. - */ - - /* Check for data and content: two sets of data */ - if (!PKCS7_get_detached(p7) && indata) { - PKCS7err(PKCS7_F_PKCS7_VERIFY, PKCS7_R_CONTENT_AND_DATA_PRESENT); - return 0; - } -#endif sinfos = PKCS7_get_signer_info(p7); @@ -296,7 +284,6 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, } signers = PKCS7_get0_signers(p7, certs, flags); - if (!signers) return 0; @@ -309,14 +296,12 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, if (!X509_STORE_CTX_init(&cert_ctx, store, signer, p7->d.sign->cert)) { PKCS7err(PKCS7_F_PKCS7_VERIFY, ERR_R_X509_LIB); - sk_X509_free(signers); - return 0; + goto err; } X509_STORE_CTX_set_default(&cert_ctx, "smime_sign"); } else if (!X509_STORE_CTX_init(&cert_ctx, store, signer, NULL)) { PKCS7err(PKCS7_F_PKCS7_VERIFY, ERR_R_X509_LIB); - sk_X509_free(signers); - return 0; + goto err; } if (!(flags & PKCS7_NOCRL)) X509_STORE_CTX_set0_crls(&cert_ctx, p7->d.sign->crl); @@ -329,8 +314,7 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, PKCS7_R_CERTIFICATE_VERIFY_ERROR); ERR_add_error_data(2, "Verify error:", X509_verify_cert_error_string(j)); - sk_X509_free(signers); - return 0; + goto err; } /* Check for revocation status here */ } @@ -349,7 +333,7 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, tmpin = BIO_new_mem_buf(ptr, len); if (tmpin == NULL) { PKCS7err(PKCS7_F_PKCS7_VERIFY, ERR_R_MALLOC_FAILURE); - return 0; + goto err; } } else tmpin = indata; @@ -404,19 +388,16 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, ret = 1; err: - if (tmpin == indata) { if (indata) BIO_pop(p7bio); } BIO_free_all(p7bio); - sk_X509_free(signers); if (buf != NULL) { OPENSSL_free(buf); } - return ret; } diff --git a/Cryptlib/OpenSSL/crypto/pqueue/pqueue.c b/Cryptlib/OpenSSL/crypto/pqueue/pqueue.c deleted file mode 100644 index 75f97349..00000000 --- a/Cryptlib/OpenSSL/crypto/pqueue/pqueue.c +++ /dev/null @@ -1,235 +0,0 @@ -/* crypto/pqueue/pqueue.c */ -/* - * DTLS implementation written by Nagendra Modadugu - * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. - */ -/* ==================================================================== - * Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#include "cryptlib.h" -#include <openssl/bn.h> -#include "pqueue.h" - -typedef struct _pqueue { - pitem *items; - int count; -} pqueue_s; - -pitem *pitem_new(unsigned char *prio64be, void *data) -{ - pitem *item = (pitem *)OPENSSL_malloc(sizeof(pitem)); - if (item == NULL) - return NULL; - - memcpy(item->priority, prio64be, sizeof(item->priority)); - - item->data = data; - item->next = NULL; - - return item; -} - -void pitem_free(pitem *item) -{ - if (item == NULL) - return; - - OPENSSL_free(item); -} - -pqueue_s *pqueue_new() -{ - pqueue_s *pq = (pqueue_s *)OPENSSL_malloc(sizeof(pqueue_s)); - if (pq == NULL) - return NULL; - - memset(pq, 0x00, sizeof(pqueue_s)); - return pq; -} - -void pqueue_free(pqueue_s *pq) -{ - if (pq == NULL) - return; - - OPENSSL_free(pq); -} - -pitem *pqueue_insert(pqueue_s *pq, pitem *item) -{ - pitem *curr, *next; - - if (pq->items == NULL) { - pq->items = item; - return item; - } - - for (curr = NULL, next = pq->items; - next != NULL; curr = next, next = next->next) { - /* - * we can compare 64-bit value in big-endian encoding with memcmp:-) - */ - int cmp = memcmp(next->priority, item->priority, 8); - if (cmp > 0) { /* next > item */ - item->next = next; - - if (curr == NULL) - pq->items = item; - else - curr->next = item; - - return item; - } - - else if (cmp == 0) /* duplicates not allowed */ - return NULL; - } - - item->next = NULL; - curr->next = item; - - return item; -} - -pitem *pqueue_peek(pqueue_s *pq) -{ - return pq->items; -} - -pitem *pqueue_pop(pqueue_s *pq) -{ - pitem *item = pq->items; - - if (pq->items != NULL) - pq->items = pq->items->next; - - return item; -} - -pitem *pqueue_find(pqueue_s *pq, unsigned char *prio64be) -{ - pitem *next; - pitem *found = NULL; - - if (pq->items == NULL) - return NULL; - - for (next = pq->items; next->next != NULL; next = next->next) { - if (memcmp(next->priority, prio64be, 8) == 0) { - found = next; - break; - } - } - - /* check the one last node */ - if (memcmp(next->priority, prio64be, 8) == 0) - found = next; - - if (!found) - return NULL; - -#if 0 /* find works in peek mode */ - if (prev == NULL) - pq->items = next->next; - else - prev->next = next->next; -#endif - - return found; -} - -void pqueue_print(pqueue_s *pq) -{ - pitem *item = pq->items; - - while (item != NULL) { - printf("item\t%02x%02x%02x%02x%02x%02x%02x%02x\n", - item->priority[0], item->priority[1], - item->priority[2], item->priority[3], - item->priority[4], item->priority[5], - item->priority[6], item->priority[7]); - item = item->next; - } -} - -pitem *pqueue_iterator(pqueue_s *pq) -{ - return pqueue_peek(pq); -} - -pitem *pqueue_next(pitem **item) -{ - pitem *ret; - - if (item == NULL || *item == NULL) - return NULL; - - /* *item != NULL */ - ret = *item; - *item = (*item)->next; - - return ret; -} - -int pqueue_size(pqueue_s *pq) -{ - pitem *item = pq->items; - int count = 0; - - while (item != NULL) { - count++; - item = item->next; - } - return count; -} diff --git a/Cryptlib/OpenSSL/crypto/pqueue/pqueue.h b/Cryptlib/OpenSSL/crypto/pqueue/pqueue.h deleted file mode 100644 index d40d9c7d..00000000 --- a/Cryptlib/OpenSSL/crypto/pqueue/pqueue.h +++ /dev/null @@ -1,99 +0,0 @@ -/* crypto/pqueue/pqueue.h */ -/* - * DTLS implementation written by Nagendra Modadugu - * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. - */ -/* ==================================================================== - * Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#ifndef HEADER_PQUEUE_H -# define HEADER_PQUEUE_H - -# include <stdio.h> -# include <stdlib.h> -# include <string.h> - -#ifdef __cplusplus -extern "C" { -#endif -typedef struct _pqueue *pqueue; - -typedef struct _pitem { - unsigned char priority[8]; /* 64-bit value in big-endian encoding */ - void *data; - struct _pitem *next; -} pitem; - -typedef struct _pitem *piterator; - -pitem *pitem_new(unsigned char *prio64be, void *data); -void pitem_free(pitem *item); - -pqueue pqueue_new(void); -void pqueue_free(pqueue pq); - -pitem *pqueue_insert(pqueue pq, pitem *item); -pitem *pqueue_peek(pqueue pq); -pitem *pqueue_pop(pqueue pq); -pitem *pqueue_find(pqueue pq, unsigned char *prio64be); -pitem *pqueue_iterator(pqueue pq); -pitem *pqueue_next(piterator *iter); - -void pqueue_print(pqueue pq); -int pqueue_size(pqueue pq); - -#ifdef __cplusplus -} -#endif -#endif /* ! HEADER_PQUEUE_H */ diff --git a/Cryptlib/OpenSSL/crypto/rsa/rsa_ameth.c b/Cryptlib/OpenSSL/crypto/rsa/rsa_ameth.c index cc9c3ce5..f591f0fd 100644 --- a/Cryptlib/OpenSSL/crypto/rsa/rsa_ameth.c +++ b/Cryptlib/OpenSSL/crypto/rsa/rsa_ameth.c @@ -270,7 +270,7 @@ static X509_ALGOR *rsa_mgf1_decode(X509_ALGOR *alg) { const unsigned char *p; int plen; - if (alg == NULL) + if (alg == NULL || alg->parameter == NULL) return NULL; if (OBJ_obj2nid(alg->algorithm) != NID_mgf1) return NULL; diff --git a/Cryptlib/OpenSSL/crypto/rsa/rsa_gen.c b/Cryptlib/OpenSSL/crypto/rsa/rsa_gen.c index 2465fbde..7f7dca39 100644 --- a/Cryptlib/OpenSSL/crypto/rsa/rsa_gen.c +++ b/Cryptlib/OpenSSL/crypto/rsa/rsa_gen.c @@ -69,6 +69,8 @@ #include <openssl/rsa.h> #ifdef OPENSSL_FIPS # include <openssl/fips.h> +extern int FIPS_rsa_x931_generate_key_ex(RSA *rsa, int bits, BIGNUM *e, + BN_GENCB *cb); #endif static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, @@ -94,7 +96,7 @@ int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb) return rsa->meth->rsa_keygen(rsa, bits, e_value, cb); #ifdef OPENSSL_FIPS if (FIPS_mode()) - return FIPS_rsa_generate_key_ex(rsa, bits, e_value, cb); + return FIPS_rsa_x931_generate_key_ex(rsa, bits, e_value, cb); #endif return rsa_builtin_keygen(rsa, bits, e_value, cb); } diff --git a/Cryptlib/OpenSSL/crypto/rsa/rsa_sign.c b/Cryptlib/OpenSSL/crypto/rsa/rsa_sign.c index 19461c63..82ca8324 100644 --- a/Cryptlib/OpenSSL/crypto/rsa/rsa_sign.c +++ b/Cryptlib/OpenSSL/crypto/rsa/rsa_sign.c @@ -218,14 +218,13 @@ int int_rsa_verify(int dtype, const unsigned char *m, memcpy(rm, s + 2, 16); *prm_len = 16; ret = 1; - } else if (memcmp(m, s + 2, 16)) + } else if (memcmp(m, s + 2, 16)) { RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_BAD_SIGNATURE); - else + } else { ret = 1; - } - - /* Special case: SSL signature */ - if (dtype == NID_md5_sha1) { + } + } else if (dtype == NID_md5_sha1) { + /* Special case: SSL signature */ if ((i != SSL_SIG_LENGTH) || memcmp(s, m, SSL_SIG_LENGTH)) RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_BAD_SIGNATURE); else diff --git a/Cryptlib/OpenSSL/crypto/ts/ts.h b/Cryptlib/OpenSSL/crypto/ts/ts.h deleted file mode 100644 index 16eccbb3..00000000 --- a/Cryptlib/OpenSSL/crypto/ts/ts.h +++ /dev/null @@ -1,862 +0,0 @@ -/* crypto/ts/ts.h */ -/* - * Written by Zoltan Glozik (zglozik@opentsa.org) for the OpenSSL project - * 2002, 2003, 2004. - */ -/* ==================================================================== - * Copyright (c) 2006 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#ifndef HEADER_TS_H -# define HEADER_TS_H - -# include <openssl/opensslconf.h> -# include <openssl/symhacks.h> -# ifndef OPENSSL_NO_BUFFER -# include <openssl/buffer.h> -# endif -# ifndef OPENSSL_NO_EVP -# include <openssl/evp.h> -# endif -# ifndef OPENSSL_NO_BIO -# include <openssl/bio.h> -# endif -# include <openssl/stack.h> -# include <openssl/asn1.h> -# include <openssl/safestack.h> - -# ifndef OPENSSL_NO_RSA -# include <openssl/rsa.h> -# endif - -# ifndef OPENSSL_NO_DSA -# include <openssl/dsa.h> -# endif - -# ifndef OPENSSL_NO_DH -# include <openssl/dh.h> -# endif - -#ifdef __cplusplus -extern "C" { -#endif - -# ifdef WIN32 -/* Under Win32 this is defined in wincrypt.h */ -# undef X509_NAME -# endif - -# include <openssl/x509.h> -# include <openssl/x509v3.h> - -/*- -MessageImprint ::= SEQUENCE { - hashAlgorithm AlgorithmIdentifier, - hashedMessage OCTET STRING } -*/ - -typedef struct TS_msg_imprint_st { - X509_ALGOR *hash_algo; - ASN1_OCTET_STRING *hashed_msg; -} TS_MSG_IMPRINT; - -/*- -TimeStampReq ::= SEQUENCE { - version INTEGER { v1(1) }, - messageImprint MessageImprint, - --a hash algorithm OID and the hash value of the data to be - --time-stamped - reqPolicy TSAPolicyId OPTIONAL, - nonce INTEGER OPTIONAL, - certReq BOOLEAN DEFAULT FALSE, - extensions [0] IMPLICIT Extensions OPTIONAL } -*/ - -typedef struct TS_req_st { - ASN1_INTEGER *version; - TS_MSG_IMPRINT *msg_imprint; - ASN1_OBJECT *policy_id; /* OPTIONAL */ - ASN1_INTEGER *nonce; /* OPTIONAL */ - ASN1_BOOLEAN cert_req; /* DEFAULT FALSE */ - STACK_OF(X509_EXTENSION) *extensions; /* [0] OPTIONAL */ -} TS_REQ; - -/*- -Accuracy ::= SEQUENCE { - seconds INTEGER OPTIONAL, - millis [0] INTEGER (1..999) OPTIONAL, - micros [1] INTEGER (1..999) OPTIONAL } -*/ - -typedef struct TS_accuracy_st { - ASN1_INTEGER *seconds; - ASN1_INTEGER *millis; - ASN1_INTEGER *micros; -} TS_ACCURACY; - -/*- -TSTInfo ::= SEQUENCE { - version INTEGER { v1(1) }, - policy TSAPolicyId, - messageImprint MessageImprint, - -- MUST have the same value as the similar field in - -- TimeStampReq - serialNumber INTEGER, - -- Time-Stamping users MUST be ready to accommodate integers - -- up to 160 bits. - genTime GeneralizedTime, - accuracy Accuracy OPTIONAL, - ordering BOOLEAN DEFAULT FALSE, - nonce INTEGER OPTIONAL, - -- MUST be present if the similar field was present - -- in TimeStampReq. In that case it MUST have the same value. - tsa [0] GeneralName OPTIONAL, - extensions [1] IMPLICIT Extensions OPTIONAL } -*/ - -typedef struct TS_tst_info_st { - ASN1_INTEGER *version; - ASN1_OBJECT *policy_id; - TS_MSG_IMPRINT *msg_imprint; - ASN1_INTEGER *serial; - ASN1_GENERALIZEDTIME *time; - TS_ACCURACY *accuracy; - ASN1_BOOLEAN ordering; - ASN1_INTEGER *nonce; - GENERAL_NAME *tsa; - STACK_OF(X509_EXTENSION) *extensions; -} TS_TST_INFO; - -/*- -PKIStatusInfo ::= SEQUENCE { - status PKIStatus, - statusString PKIFreeText OPTIONAL, - failInfo PKIFailureInfo OPTIONAL } - -From RFC 1510 - section 3.1.1: -PKIFreeText ::= SEQUENCE SIZE (1..MAX) OF UTF8String - -- text encoded as UTF-8 String (note: each UTF8String SHOULD - -- include an RFC 1766 language tag to indicate the language - -- of the contained text) -*/ - -/* Possible values for status. See ts_resp_print.c && ts_resp_verify.c. */ - -# define TS_STATUS_GRANTED 0 -# define TS_STATUS_GRANTED_WITH_MODS 1 -# define TS_STATUS_REJECTION 2 -# define TS_STATUS_WAITING 3 -# define TS_STATUS_REVOCATION_WARNING 4 -# define TS_STATUS_REVOCATION_NOTIFICATION 5 - -/* - * Possible values for failure_info. See ts_resp_print.c && ts_resp_verify.c - */ - -# define TS_INFO_BAD_ALG 0 -# define TS_INFO_BAD_REQUEST 2 -# define TS_INFO_BAD_DATA_FORMAT 5 -# define TS_INFO_TIME_NOT_AVAILABLE 14 -# define TS_INFO_UNACCEPTED_POLICY 15 -# define TS_INFO_UNACCEPTED_EXTENSION 16 -# define TS_INFO_ADD_INFO_NOT_AVAILABLE 17 -# define TS_INFO_SYSTEM_FAILURE 25 - -typedef struct TS_status_info_st { - ASN1_INTEGER *status; - STACK_OF(ASN1_UTF8STRING) *text; - ASN1_BIT_STRING *failure_info; -} TS_STATUS_INFO; - -DECLARE_STACK_OF(ASN1_UTF8STRING) -DECLARE_ASN1_SET_OF(ASN1_UTF8STRING) - -/*- -TimeStampResp ::= SEQUENCE { - status PKIStatusInfo, - timeStampToken TimeStampToken OPTIONAL } -*/ - -typedef struct TS_resp_st { - TS_STATUS_INFO *status_info; - PKCS7 *token; - TS_TST_INFO *tst_info; -} TS_RESP; - -/* The structure below would belong to the ESS component. */ - -/*- -IssuerSerial ::= SEQUENCE { - issuer GeneralNames, - serialNumber CertificateSerialNumber - } -*/ - -typedef struct ESS_issuer_serial { - STACK_OF(GENERAL_NAME) *issuer; - ASN1_INTEGER *serial; -} ESS_ISSUER_SERIAL; - -/*- -ESSCertID ::= SEQUENCE { - certHash Hash, - issuerSerial IssuerSerial OPTIONAL -} -*/ - -typedef struct ESS_cert_id { - ASN1_OCTET_STRING *hash; /* Always SHA-1 digest. */ - ESS_ISSUER_SERIAL *issuer_serial; -} ESS_CERT_ID; - -DECLARE_STACK_OF(ESS_CERT_ID) -DECLARE_ASN1_SET_OF(ESS_CERT_ID) - -/*- -SigningCertificate ::= SEQUENCE { - certs SEQUENCE OF ESSCertID, - policies SEQUENCE OF PolicyInformation OPTIONAL -} -*/ - -typedef struct ESS_signing_cert { - STACK_OF(ESS_CERT_ID) *cert_ids; - STACK_OF(POLICYINFO) *policy_info; -} ESS_SIGNING_CERT; - -TS_REQ *TS_REQ_new(void); -void TS_REQ_free(TS_REQ *a); -int i2d_TS_REQ(const TS_REQ *a, unsigned char **pp); -TS_REQ *d2i_TS_REQ(TS_REQ **a, const unsigned char **pp, long length); - -TS_REQ *TS_REQ_dup(TS_REQ *a); - -TS_REQ *d2i_TS_REQ_fp(FILE *fp, TS_REQ **a); -int i2d_TS_REQ_fp(FILE *fp, TS_REQ *a); -TS_REQ *d2i_TS_REQ_bio(BIO *fp, TS_REQ **a); -int i2d_TS_REQ_bio(BIO *fp, TS_REQ *a); - -TS_MSG_IMPRINT *TS_MSG_IMPRINT_new(void); -void TS_MSG_IMPRINT_free(TS_MSG_IMPRINT *a); -int i2d_TS_MSG_IMPRINT(const TS_MSG_IMPRINT *a, unsigned char **pp); -TS_MSG_IMPRINT *d2i_TS_MSG_IMPRINT(TS_MSG_IMPRINT **a, - const unsigned char **pp, long length); - -TS_MSG_IMPRINT *TS_MSG_IMPRINT_dup(TS_MSG_IMPRINT *a); - -TS_MSG_IMPRINT *d2i_TS_MSG_IMPRINT_fp(FILE *fp, TS_MSG_IMPRINT **a); -int i2d_TS_MSG_IMPRINT_fp(FILE *fp, TS_MSG_IMPRINT *a); -TS_MSG_IMPRINT *d2i_TS_MSG_IMPRINT_bio(BIO *fp, TS_MSG_IMPRINT **a); -int i2d_TS_MSG_IMPRINT_bio(BIO *fp, TS_MSG_IMPRINT *a); - -TS_RESP *TS_RESP_new(void); -void TS_RESP_free(TS_RESP *a); -int i2d_TS_RESP(const TS_RESP *a, unsigned char **pp); -TS_RESP *d2i_TS_RESP(TS_RESP **a, const unsigned char **pp, long length); -TS_TST_INFO *PKCS7_to_TS_TST_INFO(PKCS7 *token); -TS_RESP *TS_RESP_dup(TS_RESP *a); - -TS_RESP *d2i_TS_RESP_fp(FILE *fp, TS_RESP **a); -int i2d_TS_RESP_fp(FILE *fp, TS_RESP *a); -TS_RESP *d2i_TS_RESP_bio(BIO *fp, TS_RESP **a); -int i2d_TS_RESP_bio(BIO *fp, TS_RESP *a); - -TS_STATUS_INFO *TS_STATUS_INFO_new(void); -void TS_STATUS_INFO_free(TS_STATUS_INFO *a); -int i2d_TS_STATUS_INFO(const TS_STATUS_INFO *a, unsigned char **pp); -TS_STATUS_INFO *d2i_TS_STATUS_INFO(TS_STATUS_INFO **a, - const unsigned char **pp, long length); -TS_STATUS_INFO *TS_STATUS_INFO_dup(TS_STATUS_INFO *a); - -TS_TST_INFO *TS_TST_INFO_new(void); -void TS_TST_INFO_free(TS_TST_INFO *a); -int i2d_TS_TST_INFO(const TS_TST_INFO *a, unsigned char **pp); -TS_TST_INFO *d2i_TS_TST_INFO(TS_TST_INFO **a, const unsigned char **pp, - long length); -TS_TST_INFO *TS_TST_INFO_dup(TS_TST_INFO *a); - -TS_TST_INFO *d2i_TS_TST_INFO_fp(FILE *fp, TS_TST_INFO **a); -int i2d_TS_TST_INFO_fp(FILE *fp, TS_TST_INFO *a); -TS_TST_INFO *d2i_TS_TST_INFO_bio(BIO *fp, TS_TST_INFO **a); -int i2d_TS_TST_INFO_bio(BIO *fp, TS_TST_INFO *a); - -TS_ACCURACY *TS_ACCURACY_new(void); -void TS_ACCURACY_free(TS_ACCURACY *a); -int i2d_TS_ACCURACY(const TS_ACCURACY *a, unsigned char **pp); -TS_ACCURACY *d2i_TS_ACCURACY(TS_ACCURACY **a, const unsigned char **pp, - long length); -TS_ACCURACY *TS_ACCURACY_dup(TS_ACCURACY *a); - -ESS_ISSUER_SERIAL *ESS_ISSUER_SERIAL_new(void); -void ESS_ISSUER_SERIAL_free(ESS_ISSUER_SERIAL *a); -int i2d_ESS_ISSUER_SERIAL(const ESS_ISSUER_SERIAL *a, unsigned char **pp); -ESS_ISSUER_SERIAL *d2i_ESS_ISSUER_SERIAL(ESS_ISSUER_SERIAL **a, - const unsigned char **pp, - long length); -ESS_ISSUER_SERIAL *ESS_ISSUER_SERIAL_dup(ESS_ISSUER_SERIAL *a); - -ESS_CERT_ID *ESS_CERT_ID_new(void); -void ESS_CERT_ID_free(ESS_CERT_ID *a); -int i2d_ESS_CERT_ID(const ESS_CERT_ID *a, unsigned char **pp); -ESS_CERT_ID *d2i_ESS_CERT_ID(ESS_CERT_ID **a, const unsigned char **pp, - long length); -ESS_CERT_ID *ESS_CERT_ID_dup(ESS_CERT_ID *a); - -ESS_SIGNING_CERT *ESS_SIGNING_CERT_new(void); -void ESS_SIGNING_CERT_free(ESS_SIGNING_CERT *a); -int i2d_ESS_SIGNING_CERT(const ESS_SIGNING_CERT *a, unsigned char **pp); -ESS_SIGNING_CERT *d2i_ESS_SIGNING_CERT(ESS_SIGNING_CERT **a, - const unsigned char **pp, long length); -ESS_SIGNING_CERT *ESS_SIGNING_CERT_dup(ESS_SIGNING_CERT *a); - -void ERR_load_TS_strings(void); - -int TS_REQ_set_version(TS_REQ *a, long version); -long TS_REQ_get_version(const TS_REQ *a); - -int TS_REQ_set_msg_imprint(TS_REQ *a, TS_MSG_IMPRINT *msg_imprint); -TS_MSG_IMPRINT *TS_REQ_get_msg_imprint(TS_REQ *a); - -int TS_MSG_IMPRINT_set_algo(TS_MSG_IMPRINT *a, X509_ALGOR *alg); -X509_ALGOR *TS_MSG_IMPRINT_get_algo(TS_MSG_IMPRINT *a); - -int TS_MSG_IMPRINT_set_msg(TS_MSG_IMPRINT *a, unsigned char *d, int len); -ASN1_OCTET_STRING *TS_MSG_IMPRINT_get_msg(TS_MSG_IMPRINT *a); - -int TS_REQ_set_policy_id(TS_REQ *a, ASN1_OBJECT *policy); -ASN1_OBJECT *TS_REQ_get_policy_id(TS_REQ *a); - -int TS_REQ_set_nonce(TS_REQ *a, const ASN1_INTEGER *nonce); -const ASN1_INTEGER *TS_REQ_get_nonce(const TS_REQ *a); - -int TS_REQ_set_cert_req(TS_REQ *a, int cert_req); -int TS_REQ_get_cert_req(const TS_REQ *a); - -STACK_OF(X509_EXTENSION) *TS_REQ_get_exts(TS_REQ *a); -void TS_REQ_ext_free(TS_REQ *a); -int TS_REQ_get_ext_count(TS_REQ *a); -int TS_REQ_get_ext_by_NID(TS_REQ *a, int nid, int lastpos); -int TS_REQ_get_ext_by_OBJ(TS_REQ *a, ASN1_OBJECT *obj, int lastpos); -int TS_REQ_get_ext_by_critical(TS_REQ *a, int crit, int lastpos); -X509_EXTENSION *TS_REQ_get_ext(TS_REQ *a, int loc); -X509_EXTENSION *TS_REQ_delete_ext(TS_REQ *a, int loc); -int TS_REQ_add_ext(TS_REQ *a, X509_EXTENSION *ex, int loc); -void *TS_REQ_get_ext_d2i(TS_REQ *a, int nid, int *crit, int *idx); - -/* Function declarations for TS_REQ defined in ts/ts_req_print.c */ - -int TS_REQ_print_bio(BIO *bio, TS_REQ *a); - -/* Function declarations for TS_RESP defined in ts/ts_resp_utils.c */ - -int TS_RESP_set_status_info(TS_RESP *a, TS_STATUS_INFO *info); -TS_STATUS_INFO *TS_RESP_get_status_info(TS_RESP *a); - -/* Caller loses ownership of PKCS7 and TS_TST_INFO objects. */ -void TS_RESP_set_tst_info(TS_RESP *a, PKCS7 *p7, TS_TST_INFO *tst_info); -PKCS7 *TS_RESP_get_token(TS_RESP *a); -TS_TST_INFO *TS_RESP_get_tst_info(TS_RESP *a); - -int TS_TST_INFO_set_version(TS_TST_INFO *a, long version); -long TS_TST_INFO_get_version(const TS_TST_INFO *a); - -int TS_TST_INFO_set_policy_id(TS_TST_INFO *a, ASN1_OBJECT *policy_id); -ASN1_OBJECT *TS_TST_INFO_get_policy_id(TS_TST_INFO *a); - -int TS_TST_INFO_set_msg_imprint(TS_TST_INFO *a, TS_MSG_IMPRINT *msg_imprint); -TS_MSG_IMPRINT *TS_TST_INFO_get_msg_imprint(TS_TST_INFO *a); - -int TS_TST_INFO_set_serial(TS_TST_INFO *a, const ASN1_INTEGER *serial); -const ASN1_INTEGER *TS_TST_INFO_get_serial(const TS_TST_INFO *a); - -int TS_TST_INFO_set_time(TS_TST_INFO *a, const ASN1_GENERALIZEDTIME *gtime); -const ASN1_GENERALIZEDTIME *TS_TST_INFO_get_time(const TS_TST_INFO *a); - -int TS_TST_INFO_set_accuracy(TS_TST_INFO *a, TS_ACCURACY *accuracy); -TS_ACCURACY *TS_TST_INFO_get_accuracy(TS_TST_INFO *a); - -int TS_ACCURACY_set_seconds(TS_ACCURACY *a, const ASN1_INTEGER *seconds); -const ASN1_INTEGER *TS_ACCURACY_get_seconds(const TS_ACCURACY *a); - -int TS_ACCURACY_set_millis(TS_ACCURACY *a, const ASN1_INTEGER *millis); -const ASN1_INTEGER *TS_ACCURACY_get_millis(const TS_ACCURACY *a); - -int TS_ACCURACY_set_micros(TS_ACCURACY *a, const ASN1_INTEGER *micros); -const ASN1_INTEGER *TS_ACCURACY_get_micros(const TS_ACCURACY *a); - -int TS_TST_INFO_set_ordering(TS_TST_INFO *a, int ordering); -int TS_TST_INFO_get_ordering(const TS_TST_INFO *a); - -int TS_TST_INFO_set_nonce(TS_TST_INFO *a, const ASN1_INTEGER *nonce); -const ASN1_INTEGER *TS_TST_INFO_get_nonce(const TS_TST_INFO *a); - -int TS_TST_INFO_set_tsa(TS_TST_INFO *a, GENERAL_NAME *tsa); -GENERAL_NAME *TS_TST_INFO_get_tsa(TS_TST_INFO *a); - -STACK_OF(X509_EXTENSION) *TS_TST_INFO_get_exts(TS_TST_INFO *a); -void TS_TST_INFO_ext_free(TS_TST_INFO *a); -int TS_TST_INFO_get_ext_count(TS_TST_INFO *a); -int TS_TST_INFO_get_ext_by_NID(TS_TST_INFO *a, int nid, int lastpos); -int TS_TST_INFO_get_ext_by_OBJ(TS_TST_INFO *a, ASN1_OBJECT *obj, int lastpos); -int TS_TST_INFO_get_ext_by_critical(TS_TST_INFO *a, int crit, int lastpos); -X509_EXTENSION *TS_TST_INFO_get_ext(TS_TST_INFO *a, int loc); -X509_EXTENSION *TS_TST_INFO_delete_ext(TS_TST_INFO *a, int loc); -int TS_TST_INFO_add_ext(TS_TST_INFO *a, X509_EXTENSION *ex, int loc); -void *TS_TST_INFO_get_ext_d2i(TS_TST_INFO *a, int nid, int *crit, int *idx); - -/* - * Declarations related to response generation, defined in ts/ts_resp_sign.c. - */ - -/* Optional flags for response generation. */ - -/* Don't include the TSA name in response. */ -# define TS_TSA_NAME 0x01 - -/* Set ordering to true in response. */ -# define TS_ORDERING 0x02 - -/* - * Include the signer certificate and the other specified certificates in - * the ESS signing certificate attribute beside the PKCS7 signed data. - * Only the signer certificates is included by default. - */ -# define TS_ESS_CERT_ID_CHAIN 0x04 - -/* Forward declaration. */ -struct TS_resp_ctx; - -/* This must return a unique number less than 160 bits long. */ -typedef ASN1_INTEGER *(*TS_serial_cb) (struct TS_resp_ctx *, void *); - -/* - * This must return the seconds and microseconds since Jan 1, 1970 in the sec - * and usec variables allocated by the caller. Return non-zero for success - * and zero for failure. - */ -typedef int (*TS_time_cb) (struct TS_resp_ctx *, void *, long *sec, - long *usec); - -/* - * This must process the given extension. It can modify the TS_TST_INFO - * object of the context. Return values: !0 (processed), 0 (error, it must - * set the status info/failure info of the response). - */ -typedef int (*TS_extension_cb) (struct TS_resp_ctx *, X509_EXTENSION *, - void *); - -typedef struct TS_resp_ctx { - X509 *signer_cert; - EVP_PKEY *signer_key; - STACK_OF(X509) *certs; /* Certs to include in signed data. */ - STACK_OF(ASN1_OBJECT) *policies; /* Acceptable policies. */ - ASN1_OBJECT *default_policy; /* It may appear in policies, too. */ - STACK_OF(EVP_MD) *mds; /* Acceptable message digests. */ - ASN1_INTEGER *seconds; /* accuracy, 0 means not specified. */ - ASN1_INTEGER *millis; /* accuracy, 0 means not specified. */ - ASN1_INTEGER *micros; /* accuracy, 0 means not specified. */ - unsigned clock_precision_digits; /* fraction of seconds in time stamp - * token. */ - unsigned flags; /* Optional info, see values above. */ - /* Callback functions. */ - TS_serial_cb serial_cb; - void *serial_cb_data; /* User data for serial_cb. */ - TS_time_cb time_cb; - void *time_cb_data; /* User data for time_cb. */ - TS_extension_cb extension_cb; - void *extension_cb_data; /* User data for extension_cb. */ - /* These members are used only while creating the response. */ - TS_REQ *request; - TS_RESP *response; - TS_TST_INFO *tst_info; -} TS_RESP_CTX; - -DECLARE_STACK_OF(EVP_MD) -DECLARE_ASN1_SET_OF(EVP_MD) - -/* Creates a response context that can be used for generating responses. */ -TS_RESP_CTX *TS_RESP_CTX_new(void); -void TS_RESP_CTX_free(TS_RESP_CTX *ctx); - -/* This parameter must be set. */ -int TS_RESP_CTX_set_signer_cert(TS_RESP_CTX *ctx, X509 *signer); - -/* This parameter must be set. */ -int TS_RESP_CTX_set_signer_key(TS_RESP_CTX *ctx, EVP_PKEY *key); - -/* This parameter must be set. */ -int TS_RESP_CTX_set_def_policy(TS_RESP_CTX *ctx, ASN1_OBJECT *def_policy); - -/* No additional certs are included in the response by default. */ -int TS_RESP_CTX_set_certs(TS_RESP_CTX *ctx, STACK_OF(X509) *certs); - -/* - * Adds a new acceptable policy, only the default policy is accepted by - * default. - */ -int TS_RESP_CTX_add_policy(TS_RESP_CTX *ctx, ASN1_OBJECT *policy); - -/* - * Adds a new acceptable message digest. Note that no message digests are - * accepted by default. The md argument is shared with the caller. - */ -int TS_RESP_CTX_add_md(TS_RESP_CTX *ctx, const EVP_MD *md); - -/* Accuracy is not included by default. */ -int TS_RESP_CTX_set_accuracy(TS_RESP_CTX *ctx, - int secs, int millis, int micros); - -/* - * Clock precision digits, i.e. the number of decimal digits: '0' means sec, - * '3' msec, '6' usec, and so on. Default is 0. - */ -int TS_RESP_CTX_set_clock_precision_digits(TS_RESP_CTX *ctx, - unsigned clock_precision_digits); -/* At most we accept usec precision. */ -# define TS_MAX_CLOCK_PRECISION_DIGITS 6 - -/* No flags are set by default. */ -void TS_RESP_CTX_add_flags(TS_RESP_CTX *ctx, int flags); - -/* Default callback always returns a constant. */ -void TS_RESP_CTX_set_serial_cb(TS_RESP_CTX *ctx, TS_serial_cb cb, void *data); - -/* Default callback uses the gettimeofday() and gmtime() system calls. */ -void TS_RESP_CTX_set_time_cb(TS_RESP_CTX *ctx, TS_time_cb cb, void *data); - -/* - * Default callback rejects all extensions. The extension callback is called - * when the TS_TST_INFO object is already set up and not signed yet. - */ -/* FIXME: extension handling is not tested yet. */ -void TS_RESP_CTX_set_extension_cb(TS_RESP_CTX *ctx, - TS_extension_cb cb, void *data); - -/* The following methods can be used in the callbacks. */ -int TS_RESP_CTX_set_status_info(TS_RESP_CTX *ctx, - int status, const char *text); - -/* Sets the status info only if it is still TS_STATUS_GRANTED. */ -int TS_RESP_CTX_set_status_info_cond(TS_RESP_CTX *ctx, - int status, const char *text); - -int TS_RESP_CTX_add_failure_info(TS_RESP_CTX *ctx, int failure); - -/* The get methods below can be used in the extension callback. */ -TS_REQ *TS_RESP_CTX_get_request(TS_RESP_CTX *ctx); - -TS_TST_INFO *TS_RESP_CTX_get_tst_info(TS_RESP_CTX *ctx); - -/* - * Creates the signed TS_TST_INFO and puts it in TS_RESP. - * In case of errors it sets the status info properly. - * Returns NULL only in case of memory allocation/fatal error. - */ -TS_RESP *TS_RESP_create_response(TS_RESP_CTX *ctx, BIO *req_bio); - -/* - * Declarations related to response verification, - * they are defined in ts/ts_resp_verify.c. - */ - -int TS_RESP_verify_signature(PKCS7 *token, STACK_OF(X509) *certs, - X509_STORE *store, X509 **signer_out); - -/* Context structure for the generic verify method. */ - -/* Verify the signer's certificate and the signature of the response. */ -# define TS_VFY_SIGNATURE (1u << 0) -/* Verify the version number of the response. */ -# define TS_VFY_VERSION (1u << 1) -/* Verify if the policy supplied by the user matches the policy of the TSA. */ -# define TS_VFY_POLICY (1u << 2) -/* - * Verify the message imprint provided by the user. This flag should not be - * specified with TS_VFY_DATA. - */ -# define TS_VFY_IMPRINT (1u << 3) -/* - * Verify the message imprint computed by the verify method from the user - * provided data and the MD algorithm of the response. This flag should not - * be specified with TS_VFY_IMPRINT. - */ -# define TS_VFY_DATA (1u << 4) -/* Verify the nonce value. */ -# define TS_VFY_NONCE (1u << 5) -/* Verify if the TSA name field matches the signer certificate. */ -# define TS_VFY_SIGNER (1u << 6) -/* Verify if the TSA name field equals to the user provided name. */ -# define TS_VFY_TSA_NAME (1u << 7) - -/* You can use the following convenience constants. */ -# define TS_VFY_ALL_IMPRINT (TS_VFY_SIGNATURE \ - | TS_VFY_VERSION \ - | TS_VFY_POLICY \ - | TS_VFY_IMPRINT \ - | TS_VFY_NONCE \ - | TS_VFY_SIGNER \ - | TS_VFY_TSA_NAME) -# define TS_VFY_ALL_DATA (TS_VFY_SIGNATURE \ - | TS_VFY_VERSION \ - | TS_VFY_POLICY \ - | TS_VFY_DATA \ - | TS_VFY_NONCE \ - | TS_VFY_SIGNER \ - | TS_VFY_TSA_NAME) - -typedef struct TS_verify_ctx { - /* Set this to the union of TS_VFY_... flags you want to carry out. */ - unsigned flags; - /* Must be set only with TS_VFY_SIGNATURE. certs is optional. */ - X509_STORE *store; - STACK_OF(X509) *certs; - /* Must be set only with TS_VFY_POLICY. */ - ASN1_OBJECT *policy; - /* - * Must be set only with TS_VFY_IMPRINT. If md_alg is NULL, the - * algorithm from the response is used. - */ - X509_ALGOR *md_alg; - unsigned char *imprint; - unsigned imprint_len; - /* Must be set only with TS_VFY_DATA. */ - BIO *data; - /* Must be set only with TS_VFY_TSA_NAME. */ - ASN1_INTEGER *nonce; - /* Must be set only with TS_VFY_TSA_NAME. */ - GENERAL_NAME *tsa_name; -} TS_VERIFY_CTX; - -int TS_RESP_verify_response(TS_VERIFY_CTX *ctx, TS_RESP *response); -int TS_RESP_verify_token(TS_VERIFY_CTX *ctx, PKCS7 *token); - -/* - * Declarations related to response verification context, - * they are defined in ts/ts_verify_ctx.c. - */ - -/* Set all fields to zero. */ -TS_VERIFY_CTX *TS_VERIFY_CTX_new(void); -void TS_VERIFY_CTX_init(TS_VERIFY_CTX *ctx); -void TS_VERIFY_CTX_free(TS_VERIFY_CTX *ctx); -void TS_VERIFY_CTX_cleanup(TS_VERIFY_CTX *ctx); - -/*- - * If ctx is NULL, it allocates and returns a new object, otherwise - * it returns ctx. It initialises all the members as follows: - * flags = TS_VFY_ALL_IMPRINT & ~(TS_VFY_TSA_NAME | TS_VFY_SIGNATURE) - * certs = NULL - * store = NULL - * policy = policy from the request or NULL if absent (in this case - * TS_VFY_POLICY is cleared from flags as well) - * md_alg = MD algorithm from request - * imprint, imprint_len = imprint from request - * data = NULL - * nonce, nonce_len = nonce from the request or NULL if absent (in this case - * TS_VFY_NONCE is cleared from flags as well) - * tsa_name = NULL - * Important: after calling this method TS_VFY_SIGNATURE should be added! - */ -TS_VERIFY_CTX *TS_REQ_to_TS_VERIFY_CTX(TS_REQ *req, TS_VERIFY_CTX *ctx); - -/* Function declarations for TS_RESP defined in ts/ts_resp_print.c */ - -int TS_RESP_print_bio(BIO *bio, TS_RESP *a); -int TS_STATUS_INFO_print_bio(BIO *bio, TS_STATUS_INFO *a); -int TS_TST_INFO_print_bio(BIO *bio, TS_TST_INFO *a); - -/* Common utility functions defined in ts/ts_lib.c */ - -int TS_ASN1_INTEGER_print_bio(BIO *bio, const ASN1_INTEGER *num); -int TS_OBJ_print_bio(BIO *bio, const ASN1_OBJECT *obj); -int TS_ext_print_bio(BIO *bio, const STACK_OF(X509_EXTENSION) *extensions); -int TS_X509_ALGOR_print_bio(BIO *bio, const X509_ALGOR *alg); -int TS_MSG_IMPRINT_print_bio(BIO *bio, TS_MSG_IMPRINT *msg); - -/* - * Function declarations for handling configuration options, defined in - * ts/ts_conf.c - */ - -X509 *TS_CONF_load_cert(const char *file); -STACK_OF(X509) *TS_CONF_load_certs(const char *file); -EVP_PKEY *TS_CONF_load_key(const char *file, const char *pass); -const char *TS_CONF_get_tsa_section(CONF *conf, const char *section); -int TS_CONF_set_serial(CONF *conf, const char *section, TS_serial_cb cb, - TS_RESP_CTX *ctx); -int TS_CONF_set_crypto_device(CONF *conf, const char *section, - const char *device); -int TS_CONF_set_default_engine(const char *name); -int TS_CONF_set_signer_cert(CONF *conf, const char *section, - const char *cert, TS_RESP_CTX *ctx); -int TS_CONF_set_certs(CONF *conf, const char *section, const char *certs, - TS_RESP_CTX *ctx); -int TS_CONF_set_signer_key(CONF *conf, const char *section, - const char *key, const char *pass, - TS_RESP_CTX *ctx); -int TS_CONF_set_def_policy(CONF *conf, const char *section, - const char *policy, TS_RESP_CTX *ctx); -int TS_CONF_set_policies(CONF *conf, const char *section, TS_RESP_CTX *ctx); -int TS_CONF_set_digests(CONF *conf, const char *section, TS_RESP_CTX *ctx); -int TS_CONF_set_accuracy(CONF *conf, const char *section, TS_RESP_CTX *ctx); -int TS_CONF_set_clock_precision_digits(CONF *conf, const char *section, - TS_RESP_CTX *ctx); -int TS_CONF_set_ordering(CONF *conf, const char *section, TS_RESP_CTX *ctx); -int TS_CONF_set_tsa_name(CONF *conf, const char *section, TS_RESP_CTX *ctx); -int TS_CONF_set_ess_cert_id_chain(CONF *conf, const char *section, - TS_RESP_CTX *ctx); - -/* -------------------------------------------------- */ -/* BEGIN ERROR CODES */ -/* - * The following lines are auto generated by the script mkerr.pl. Any changes - * made after this point may be overwritten when the script is next run. - */ -void ERR_load_TS_strings(void); - -/* Error codes for the TS functions. */ - -/* Function codes. */ -# define TS_F_D2I_TS_RESP 147 -# define TS_F_DEF_SERIAL_CB 110 -# define TS_F_DEF_TIME_CB 111 -# define TS_F_ESS_ADD_SIGNING_CERT 112 -# define TS_F_ESS_CERT_ID_NEW_INIT 113 -# define TS_F_ESS_SIGNING_CERT_NEW_INIT 114 -# define TS_F_INT_TS_RESP_VERIFY_TOKEN 149 -# define TS_F_PKCS7_TO_TS_TST_INFO 148 -# define TS_F_TS_ACCURACY_SET_MICROS 115 -# define TS_F_TS_ACCURACY_SET_MILLIS 116 -# define TS_F_TS_ACCURACY_SET_SECONDS 117 -# define TS_F_TS_CHECK_IMPRINTS 100 -# define TS_F_TS_CHECK_NONCES 101 -# define TS_F_TS_CHECK_POLICY 102 -# define TS_F_TS_CHECK_SIGNING_CERTS 103 -# define TS_F_TS_CHECK_STATUS_INFO 104 -# define TS_F_TS_COMPUTE_IMPRINT 145 -# define TS_F_TS_CONF_SET_DEFAULT_ENGINE 146 -# define TS_F_TS_GET_STATUS_TEXT 105 -# define TS_F_TS_MSG_IMPRINT_SET_ALGO 118 -# define TS_F_TS_REQ_SET_MSG_IMPRINT 119 -# define TS_F_TS_REQ_SET_NONCE 120 -# define TS_F_TS_REQ_SET_POLICY_ID 121 -# define TS_F_TS_RESP_CREATE_RESPONSE 122 -# define TS_F_TS_RESP_CREATE_TST_INFO 123 -# define TS_F_TS_RESP_CTX_ADD_FAILURE_INFO 124 -# define TS_F_TS_RESP_CTX_ADD_MD 125 -# define TS_F_TS_RESP_CTX_ADD_POLICY 126 -# define TS_F_TS_RESP_CTX_NEW 127 -# define TS_F_TS_RESP_CTX_SET_ACCURACY 128 -# define TS_F_TS_RESP_CTX_SET_CERTS 129 -# define TS_F_TS_RESP_CTX_SET_DEF_POLICY 130 -# define TS_F_TS_RESP_CTX_SET_SIGNER_CERT 131 -# define TS_F_TS_RESP_CTX_SET_STATUS_INFO 132 -# define TS_F_TS_RESP_GET_POLICY 133 -# define TS_F_TS_RESP_SET_GENTIME_WITH_PRECISION 134 -# define TS_F_TS_RESP_SET_STATUS_INFO 135 -# define TS_F_TS_RESP_SET_TST_INFO 150 -# define TS_F_TS_RESP_SIGN 136 -# define TS_F_TS_RESP_VERIFY_SIGNATURE 106 -# define TS_F_TS_RESP_VERIFY_TOKEN 107 -# define TS_F_TS_TST_INFO_SET_ACCURACY 137 -# define TS_F_TS_TST_INFO_SET_MSG_IMPRINT 138 -# define TS_F_TS_TST_INFO_SET_NONCE 139 -# define TS_F_TS_TST_INFO_SET_POLICY_ID 140 -# define TS_F_TS_TST_INFO_SET_SERIAL 141 -# define TS_F_TS_TST_INFO_SET_TIME 142 -# define TS_F_TS_TST_INFO_SET_TSA 143 -# define TS_F_TS_VERIFY 108 -# define TS_F_TS_VERIFY_CERT 109 -# define TS_F_TS_VERIFY_CTX_NEW 144 - -/* Reason codes. */ -# define TS_R_BAD_PKCS7_TYPE 132 -# define TS_R_BAD_TYPE 133 -# define TS_R_CERTIFICATE_VERIFY_ERROR 100 -# define TS_R_COULD_NOT_SET_ENGINE 127 -# define TS_R_COULD_NOT_SET_TIME 115 -# define TS_R_D2I_TS_RESP_INT_FAILED 128 -# define TS_R_DETACHED_CONTENT 134 -# define TS_R_ESS_ADD_SIGNING_CERT_ERROR 116 -# define TS_R_ESS_SIGNING_CERTIFICATE_ERROR 101 -# define TS_R_INVALID_NULL_POINTER 102 -# define TS_R_INVALID_SIGNER_CERTIFICATE_PURPOSE 117 -# define TS_R_MESSAGE_IMPRINT_MISMATCH 103 -# define TS_R_NONCE_MISMATCH 104 -# define TS_R_NONCE_NOT_RETURNED 105 -# define TS_R_NO_CONTENT 106 -# define TS_R_NO_TIME_STAMP_TOKEN 107 -# define TS_R_PKCS7_ADD_SIGNATURE_ERROR 118 -# define TS_R_PKCS7_ADD_SIGNED_ATTR_ERROR 119 -# define TS_R_PKCS7_TO_TS_TST_INFO_FAILED 129 -# define TS_R_POLICY_MISMATCH 108 -# define TS_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE 120 -# define TS_R_RESPONSE_SETUP_ERROR 121 -# define TS_R_SIGNATURE_FAILURE 109 -# define TS_R_THERE_MUST_BE_ONE_SIGNER 110 -# define TS_R_TIME_SYSCALL_ERROR 122 -# define TS_R_TOKEN_NOT_PRESENT 130 -# define TS_R_TOKEN_PRESENT 131 -# define TS_R_TSA_NAME_MISMATCH 111 -# define TS_R_TSA_UNTRUSTED 112 -# define TS_R_TST_INFO_SETUP_ERROR 123 -# define TS_R_TS_DATASIGN 124 -# define TS_R_UNACCEPTABLE_POLICY 125 -# define TS_R_UNSUPPORTED_MD_ALGORITHM 126 -# define TS_R_UNSUPPORTED_VERSION 113 -# define TS_R_WRONG_CONTENT_TYPE 114 - -#ifdef __cplusplus -} -#endif -#endif diff --git a/Cryptlib/OpenSSL/crypto/ts/ts_asn1.c b/Cryptlib/OpenSSL/crypto/ts/ts_asn1.c deleted file mode 100644 index 657dc4ca..00000000 --- a/Cryptlib/OpenSSL/crypto/ts/ts_asn1.c +++ /dev/null @@ -1,326 +0,0 @@ -/* crypto/ts/ts_asn1.c */ -/* - * Written by Nils Larsch for the OpenSSL project 2004. - */ -/* ==================================================================== - * Copyright (c) 2006 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#include <openssl/ts.h> -#include <openssl/err.h> -#include <openssl/asn1t.h> - -ASN1_SEQUENCE(TS_MSG_IMPRINT) = { - ASN1_SIMPLE(TS_MSG_IMPRINT, hash_algo, X509_ALGOR), - ASN1_SIMPLE(TS_MSG_IMPRINT, hashed_msg, ASN1_OCTET_STRING) -} ASN1_SEQUENCE_END(TS_MSG_IMPRINT) - -IMPLEMENT_ASN1_FUNCTIONS_const(TS_MSG_IMPRINT) -IMPLEMENT_ASN1_DUP_FUNCTION(TS_MSG_IMPRINT) -#ifndef OPENSSL_NO_BIO -TS_MSG_IMPRINT *d2i_TS_MSG_IMPRINT_bio(BIO *bp, TS_MSG_IMPRINT **a) -{ - return ASN1_d2i_bio_of(TS_MSG_IMPRINT, TS_MSG_IMPRINT_new, - d2i_TS_MSG_IMPRINT, bp, a); -} - -int i2d_TS_MSG_IMPRINT_bio(BIO *bp, TS_MSG_IMPRINT *a) -{ - return ASN1_i2d_bio_of_const(TS_MSG_IMPRINT, i2d_TS_MSG_IMPRINT, bp, a); -} -#endif -#ifndef OPENSSL_NO_FP_API -TS_MSG_IMPRINT *d2i_TS_MSG_IMPRINT_fp(FILE *fp, TS_MSG_IMPRINT **a) -{ - return ASN1_d2i_fp_of(TS_MSG_IMPRINT, TS_MSG_IMPRINT_new, - d2i_TS_MSG_IMPRINT, fp, a); -} - -int i2d_TS_MSG_IMPRINT_fp(FILE *fp, TS_MSG_IMPRINT *a) -{ - return ASN1_i2d_fp_of_const(TS_MSG_IMPRINT, i2d_TS_MSG_IMPRINT, fp, a); -} -#endif - -ASN1_SEQUENCE(TS_REQ) = { - ASN1_SIMPLE(TS_REQ, version, ASN1_INTEGER), - ASN1_SIMPLE(TS_REQ, msg_imprint, TS_MSG_IMPRINT), - ASN1_OPT(TS_REQ, policy_id, ASN1_OBJECT), - ASN1_OPT(TS_REQ, nonce, ASN1_INTEGER), - ASN1_OPT(TS_REQ, cert_req, ASN1_FBOOLEAN), - ASN1_IMP_SEQUENCE_OF_OPT(TS_REQ, extensions, X509_EXTENSION, 0) -} ASN1_SEQUENCE_END(TS_REQ) - -IMPLEMENT_ASN1_FUNCTIONS_const(TS_REQ) -IMPLEMENT_ASN1_DUP_FUNCTION(TS_REQ) -#ifndef OPENSSL_NO_BIO -TS_REQ *d2i_TS_REQ_bio(BIO *bp, TS_REQ **a) -{ - return ASN1_d2i_bio_of(TS_REQ, TS_REQ_new, d2i_TS_REQ, bp, a); -} - -int i2d_TS_REQ_bio(BIO *bp, TS_REQ *a) -{ - return ASN1_i2d_bio_of_const(TS_REQ, i2d_TS_REQ, bp, a); -} -#endif -#ifndef OPENSSL_NO_FP_API -TS_REQ *d2i_TS_REQ_fp(FILE *fp, TS_REQ **a) -{ - return ASN1_d2i_fp_of(TS_REQ, TS_REQ_new, d2i_TS_REQ, fp, a); -} - -int i2d_TS_REQ_fp(FILE *fp, TS_REQ *a) -{ - return ASN1_i2d_fp_of_const(TS_REQ, i2d_TS_REQ, fp, a); -} -#endif - -ASN1_SEQUENCE(TS_ACCURACY) = { - ASN1_OPT(TS_ACCURACY, seconds, ASN1_INTEGER), - ASN1_IMP_OPT(TS_ACCURACY, millis, ASN1_INTEGER, 0), - ASN1_IMP_OPT(TS_ACCURACY, micros, ASN1_INTEGER, 1) -} ASN1_SEQUENCE_END(TS_ACCURACY) - -IMPLEMENT_ASN1_FUNCTIONS_const(TS_ACCURACY) -IMPLEMENT_ASN1_DUP_FUNCTION(TS_ACCURACY) - -ASN1_SEQUENCE(TS_TST_INFO) = { - ASN1_SIMPLE(TS_TST_INFO, version, ASN1_INTEGER), - ASN1_SIMPLE(TS_TST_INFO, policy_id, ASN1_OBJECT), - ASN1_SIMPLE(TS_TST_INFO, msg_imprint, TS_MSG_IMPRINT), - ASN1_SIMPLE(TS_TST_INFO, serial, ASN1_INTEGER), - ASN1_SIMPLE(TS_TST_INFO, time, ASN1_GENERALIZEDTIME), - ASN1_OPT(TS_TST_INFO, accuracy, TS_ACCURACY), - ASN1_OPT(TS_TST_INFO, ordering, ASN1_FBOOLEAN), - ASN1_OPT(TS_TST_INFO, nonce, ASN1_INTEGER), - ASN1_EXP_OPT(TS_TST_INFO, tsa, GENERAL_NAME, 0), - ASN1_IMP_SEQUENCE_OF_OPT(TS_TST_INFO, extensions, X509_EXTENSION, 1) -} ASN1_SEQUENCE_END(TS_TST_INFO) - -IMPLEMENT_ASN1_FUNCTIONS_const(TS_TST_INFO) -IMPLEMENT_ASN1_DUP_FUNCTION(TS_TST_INFO) -#ifndef OPENSSL_NO_BIO -TS_TST_INFO *d2i_TS_TST_INFO_bio(BIO *bp, TS_TST_INFO **a) -{ - return ASN1_d2i_bio_of(TS_TST_INFO, TS_TST_INFO_new, d2i_TS_TST_INFO, bp, - a); -} - -int i2d_TS_TST_INFO_bio(BIO *bp, TS_TST_INFO *a) -{ - return ASN1_i2d_bio_of_const(TS_TST_INFO, i2d_TS_TST_INFO, bp, a); -} -#endif -#ifndef OPENSSL_NO_FP_API -TS_TST_INFO *d2i_TS_TST_INFO_fp(FILE *fp, TS_TST_INFO **a) -{ - return ASN1_d2i_fp_of(TS_TST_INFO, TS_TST_INFO_new, d2i_TS_TST_INFO, fp, - a); -} - -int i2d_TS_TST_INFO_fp(FILE *fp, TS_TST_INFO *a) -{ - return ASN1_i2d_fp_of_const(TS_TST_INFO, i2d_TS_TST_INFO, fp, a); -} -#endif - -ASN1_SEQUENCE(TS_STATUS_INFO) = { - ASN1_SIMPLE(TS_STATUS_INFO, status, ASN1_INTEGER), - ASN1_SEQUENCE_OF_OPT(TS_STATUS_INFO, text, ASN1_UTF8STRING), - ASN1_OPT(TS_STATUS_INFO, failure_info, ASN1_BIT_STRING) -} ASN1_SEQUENCE_END(TS_STATUS_INFO) - -IMPLEMENT_ASN1_FUNCTIONS_const(TS_STATUS_INFO) -IMPLEMENT_ASN1_DUP_FUNCTION(TS_STATUS_INFO) - -static int ts_resp_set_tst_info(TS_RESP *a) -{ - long status; - - status = ASN1_INTEGER_get(a->status_info->status); - - if (a->token) { - if (status != 0 && status != 1) { - TSerr(TS_F_TS_RESP_SET_TST_INFO, TS_R_TOKEN_PRESENT); - return 0; - } - if (a->tst_info != NULL) - TS_TST_INFO_free(a->tst_info); - a->tst_info = PKCS7_to_TS_TST_INFO(a->token); - if (!a->tst_info) { - TSerr(TS_F_TS_RESP_SET_TST_INFO, - TS_R_PKCS7_TO_TS_TST_INFO_FAILED); - return 0; - } - } else if (status == 0 || status == 1) { - TSerr(TS_F_TS_RESP_SET_TST_INFO, TS_R_TOKEN_NOT_PRESENT); - return 0; - } - - return 1; -} - -static int ts_resp_cb(int op, ASN1_VALUE **pval, const ASN1_ITEM *it, - void *exarg) -{ - TS_RESP *ts_resp = (TS_RESP *)*pval; - if (op == ASN1_OP_NEW_POST) { - ts_resp->tst_info = NULL; - } else if (op == ASN1_OP_FREE_POST) { - if (ts_resp->tst_info != NULL) - TS_TST_INFO_free(ts_resp->tst_info); - } else if (op == ASN1_OP_D2I_POST) { - if (ts_resp_set_tst_info(ts_resp) == 0) - return 0; - } - return 1; -} - -ASN1_SEQUENCE_cb(TS_RESP, ts_resp_cb) = { - ASN1_SIMPLE(TS_RESP, status_info, TS_STATUS_INFO), - ASN1_OPT(TS_RESP, token, PKCS7), -} ASN1_SEQUENCE_END_cb(TS_RESP, TS_RESP) - -IMPLEMENT_ASN1_FUNCTIONS_const(TS_RESP) - -IMPLEMENT_ASN1_DUP_FUNCTION(TS_RESP) - -#ifndef OPENSSL_NO_BIO -TS_RESP *d2i_TS_RESP_bio(BIO *bp, TS_RESP **a) -{ - return ASN1_d2i_bio_of(TS_RESP, TS_RESP_new, d2i_TS_RESP, bp, a); -} - -int i2d_TS_RESP_bio(BIO *bp, TS_RESP *a) -{ - return ASN1_i2d_bio_of_const(TS_RESP, i2d_TS_RESP, bp, a); -} -#endif -#ifndef OPENSSL_NO_FP_API -TS_RESP *d2i_TS_RESP_fp(FILE *fp, TS_RESP **a) -{ - return ASN1_d2i_fp_of(TS_RESP, TS_RESP_new, d2i_TS_RESP, fp, a); -} - -int i2d_TS_RESP_fp(FILE *fp, TS_RESP *a) -{ - return ASN1_i2d_fp_of_const(TS_RESP, i2d_TS_RESP, fp, a); -} -#endif - -ASN1_SEQUENCE(ESS_ISSUER_SERIAL) = { - ASN1_SEQUENCE_OF(ESS_ISSUER_SERIAL, issuer, GENERAL_NAME), - ASN1_SIMPLE(ESS_ISSUER_SERIAL, serial, ASN1_INTEGER) -} ASN1_SEQUENCE_END(ESS_ISSUER_SERIAL) - -IMPLEMENT_ASN1_FUNCTIONS_const(ESS_ISSUER_SERIAL) -IMPLEMENT_ASN1_DUP_FUNCTION(ESS_ISSUER_SERIAL) - -ASN1_SEQUENCE(ESS_CERT_ID) = { - ASN1_SIMPLE(ESS_CERT_ID, hash, ASN1_OCTET_STRING), - ASN1_OPT(ESS_CERT_ID, issuer_serial, ESS_ISSUER_SERIAL) -} ASN1_SEQUENCE_END(ESS_CERT_ID) - -IMPLEMENT_ASN1_FUNCTIONS_const(ESS_CERT_ID) -IMPLEMENT_ASN1_DUP_FUNCTION(ESS_CERT_ID) - -ASN1_SEQUENCE(ESS_SIGNING_CERT) = { - ASN1_SEQUENCE_OF(ESS_SIGNING_CERT, cert_ids, ESS_CERT_ID), - ASN1_SEQUENCE_OF_OPT(ESS_SIGNING_CERT, policy_info, POLICYINFO) -} ASN1_SEQUENCE_END(ESS_SIGNING_CERT) - -IMPLEMENT_ASN1_FUNCTIONS_const(ESS_SIGNING_CERT) -IMPLEMENT_ASN1_DUP_FUNCTION(ESS_SIGNING_CERT) - -/* Getting encapsulated TS_TST_INFO object from PKCS7. */ -TS_TST_INFO *PKCS7_to_TS_TST_INFO(PKCS7 *token) -{ - PKCS7_SIGNED *pkcs7_signed; - PKCS7 *enveloped; - ASN1_TYPE *tst_info_wrapper; - ASN1_OCTET_STRING *tst_info_der; - const unsigned char *p; - - if (!PKCS7_type_is_signed(token)) { - TSerr(TS_F_PKCS7_TO_TS_TST_INFO, TS_R_BAD_PKCS7_TYPE); - return NULL; - } - - /* Content must be present. */ - if (PKCS7_get_detached(token)) { - TSerr(TS_F_PKCS7_TO_TS_TST_INFO, TS_R_DETACHED_CONTENT); - return NULL; - } - - /* We have a signed data with content. */ - pkcs7_signed = token->d.sign; - enveloped = pkcs7_signed->contents; - if (OBJ_obj2nid(enveloped->type) != NID_id_smime_ct_TSTInfo) { - TSerr(TS_F_PKCS7_TO_TS_TST_INFO, TS_R_BAD_PKCS7_TYPE); - return NULL; - } - - /* We have a DER encoded TST_INFO as the signed data. */ - tst_info_wrapper = enveloped->d.other; - if (tst_info_wrapper->type != V_ASN1_OCTET_STRING) { - TSerr(TS_F_PKCS7_TO_TS_TST_INFO, TS_R_BAD_TYPE); - return NULL; - } - - /* We have the correct ASN1_OCTET_STRING type. */ - tst_info_der = tst_info_wrapper->value.octet_string; - /* At last, decode the TST_INFO. */ - p = tst_info_der->data; - return d2i_TS_TST_INFO(NULL, &p, tst_info_der->length); -} diff --git a/Cryptlib/OpenSSL/crypto/ts/ts_conf.c b/Cryptlib/OpenSSL/crypto/ts/ts_conf.c deleted file mode 100644 index 4716b233..00000000 --- a/Cryptlib/OpenSSL/crypto/ts/ts_conf.c +++ /dev/null @@ -1,491 +0,0 @@ -/* crypto/ts/ts_conf.c */ -/* - * Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL project - * 2002. - */ -/* ==================================================================== - * Copyright (c) 2006 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#include <string.h> - -#include <openssl/crypto.h> -#include "cryptlib.h" -#include <openssl/pem.h> -#ifndef OPENSSL_NO_ENGINE -# include <openssl/engine.h> -#endif -#include <openssl/ts.h> - -/* Macro definitions for the configuration file. */ - -#define BASE_SECTION "tsa" -#define ENV_DEFAULT_TSA "default_tsa" -#define ENV_SERIAL "serial" -#define ENV_CRYPTO_DEVICE "crypto_device" -#define ENV_SIGNER_CERT "signer_cert" -#define ENV_CERTS "certs" -#define ENV_SIGNER_KEY "signer_key" -#define ENV_DEFAULT_POLICY "default_policy" -#define ENV_OTHER_POLICIES "other_policies" -#define ENV_DIGESTS "digests" -#define ENV_ACCURACY "accuracy" -#define ENV_ORDERING "ordering" -#define ENV_TSA_NAME "tsa_name" -#define ENV_ESS_CERT_ID_CHAIN "ess_cert_id_chain" -#define ENV_VALUE_SECS "secs" -#define ENV_VALUE_MILLISECS "millisecs" -#define ENV_VALUE_MICROSECS "microsecs" -#define ENV_CLOCK_PRECISION_DIGITS "clock_precision_digits" -#define ENV_VALUE_YES "yes" -#define ENV_VALUE_NO "no" - -/* Function definitions for certificate and key loading. */ - -X509 *TS_CONF_load_cert(const char *file) -{ - BIO *cert = NULL; - X509 *x = NULL; - - if ((cert = BIO_new_file(file, "r")) == NULL) - goto end; - x = PEM_read_bio_X509_AUX(cert, NULL, NULL, NULL); - end: - if (x == NULL) - fprintf(stderr, "unable to load certificate: %s\n", file); - BIO_free(cert); - return x; -} - -STACK_OF(X509) *TS_CONF_load_certs(const char *file) -{ - BIO *certs = NULL; - STACK_OF(X509) *othercerts = NULL; - STACK_OF(X509_INFO) *allcerts = NULL; - int i; - - if (!(certs = BIO_new_file(file, "r"))) - goto end; - - if (!(othercerts = sk_X509_new_null())) - goto end; - allcerts = PEM_X509_INFO_read_bio(certs, NULL, NULL, NULL); - for (i = 0; i < sk_X509_INFO_num(allcerts); i++) { - X509_INFO *xi = sk_X509_INFO_value(allcerts, i); - if (xi->x509) { - sk_X509_push(othercerts, xi->x509); - xi->x509 = NULL; - } - } - end: - if (othercerts == NULL) - fprintf(stderr, "unable to load certificates: %s\n", file); - sk_X509_INFO_pop_free(allcerts, X509_INFO_free); - BIO_free(certs); - return othercerts; -} - -EVP_PKEY *TS_CONF_load_key(const char *file, const char *pass) -{ - BIO *key = NULL; - EVP_PKEY *pkey = NULL; - - if (!(key = BIO_new_file(file, "r"))) - goto end; - pkey = PEM_read_bio_PrivateKey(key, NULL, NULL, (char *)pass); - end: - if (pkey == NULL) - fprintf(stderr, "unable to load private key: %s\n", file); - BIO_free(key); - return pkey; -} - -/* Function definitions for handling configuration options. */ - -static void TS_CONF_lookup_fail(const char *name, const char *tag) -{ - fprintf(stderr, "variable lookup failed for %s::%s\n", name, tag); -} - -static void TS_CONF_invalid(const char *name, const char *tag) -{ - fprintf(stderr, "invalid variable value for %s::%s\n", name, tag); -} - -const char *TS_CONF_get_tsa_section(CONF *conf, const char *section) -{ - if (!section) { - section = NCONF_get_string(conf, BASE_SECTION, ENV_DEFAULT_TSA); - if (!section) - TS_CONF_lookup_fail(BASE_SECTION, ENV_DEFAULT_TSA); - } - return section; -} - -int TS_CONF_set_serial(CONF *conf, const char *section, TS_serial_cb cb, - TS_RESP_CTX *ctx) -{ - int ret = 0; - char *serial = NCONF_get_string(conf, section, ENV_SERIAL); - if (!serial) { - TS_CONF_lookup_fail(section, ENV_SERIAL); - goto err; - } - TS_RESP_CTX_set_serial_cb(ctx, cb, serial); - - ret = 1; - err: - return ret; -} - -#ifndef OPENSSL_NO_ENGINE - -int TS_CONF_set_crypto_device(CONF *conf, const char *section, - const char *device) -{ - int ret = 0; - - if (!device) - device = NCONF_get_string(conf, section, ENV_CRYPTO_DEVICE); - - if (device && !TS_CONF_set_default_engine(device)) { - TS_CONF_invalid(section, ENV_CRYPTO_DEVICE); - goto err; - } - ret = 1; - err: - return ret; -} - -int TS_CONF_set_default_engine(const char *name) -{ - ENGINE *e = NULL; - int ret = 0; - - /* Leave the default if builtin specified. */ - if (strcmp(name, "builtin") == 0) - return 1; - - if (!(e = ENGINE_by_id(name))) - goto err; - /* Enable the use of the NCipher HSM for forked children. */ - if (strcmp(name, "chil") == 0) - ENGINE_ctrl(e, ENGINE_CTRL_CHIL_SET_FORKCHECK, 1, 0, 0); - /* All the operations are going to be carried out by the engine. */ - if (!ENGINE_set_default(e, ENGINE_METHOD_ALL)) - goto err; - ret = 1; - err: - if (!ret) { - TSerr(TS_F_TS_CONF_SET_DEFAULT_ENGINE, TS_R_COULD_NOT_SET_ENGINE); - ERR_add_error_data(2, "engine:", name); - } - if (e) - ENGINE_free(e); - return ret; -} - -#endif - -int TS_CONF_set_signer_cert(CONF *conf, const char *section, - const char *cert, TS_RESP_CTX *ctx) -{ - int ret = 0; - X509 *cert_obj = NULL; - if (!cert) - cert = NCONF_get_string(conf, section, ENV_SIGNER_CERT); - if (!cert) { - TS_CONF_lookup_fail(section, ENV_SIGNER_CERT); - goto err; - } - if (!(cert_obj = TS_CONF_load_cert(cert))) - goto err; - if (!TS_RESP_CTX_set_signer_cert(ctx, cert_obj)) - goto err; - - ret = 1; - err: - X509_free(cert_obj); - return ret; -} - -int TS_CONF_set_certs(CONF *conf, const char *section, const char *certs, - TS_RESP_CTX *ctx) -{ - int ret = 0; - STACK_OF(X509) *certs_obj = NULL; - if (!certs) - certs = NCONF_get_string(conf, section, ENV_CERTS); - /* Certificate chain is optional. */ - if (!certs) - goto end; - if (!(certs_obj = TS_CONF_load_certs(certs))) - goto err; - if (!TS_RESP_CTX_set_certs(ctx, certs_obj)) - goto err; - end: - ret = 1; - err: - sk_X509_pop_free(certs_obj, X509_free); - return ret; -} - -int TS_CONF_set_signer_key(CONF *conf, const char *section, - const char *key, const char *pass, - TS_RESP_CTX *ctx) -{ - int ret = 0; - EVP_PKEY *key_obj = NULL; - if (!key) - key = NCONF_get_string(conf, section, ENV_SIGNER_KEY); - if (!key) { - TS_CONF_lookup_fail(section, ENV_SIGNER_KEY); - goto err; - } - if (!(key_obj = TS_CONF_load_key(key, pass))) - goto err; - if (!TS_RESP_CTX_set_signer_key(ctx, key_obj)) - goto err; - - ret = 1; - err: - EVP_PKEY_free(key_obj); - return ret; -} - -int TS_CONF_set_def_policy(CONF *conf, const char *section, - const char *policy, TS_RESP_CTX *ctx) -{ - int ret = 0; - ASN1_OBJECT *policy_obj = NULL; - if (!policy) - policy = NCONF_get_string(conf, section, ENV_DEFAULT_POLICY); - if (!policy) { - TS_CONF_lookup_fail(section, ENV_DEFAULT_POLICY); - goto err; - } - if (!(policy_obj = OBJ_txt2obj(policy, 0))) { - TS_CONF_invalid(section, ENV_DEFAULT_POLICY); - goto err; - } - if (!TS_RESP_CTX_set_def_policy(ctx, policy_obj)) - goto err; - - ret = 1; - err: - ASN1_OBJECT_free(policy_obj); - return ret; -} - -int TS_CONF_set_policies(CONF *conf, const char *section, TS_RESP_CTX *ctx) -{ - int ret = 0; - int i; - STACK_OF(CONF_VALUE) *list = NULL; - char *policies = NCONF_get_string(conf, section, - ENV_OTHER_POLICIES); - /* If no other policy is specified, that's fine. */ - if (policies && !(list = X509V3_parse_list(policies))) { - TS_CONF_invalid(section, ENV_OTHER_POLICIES); - goto err; - } - for (i = 0; i < sk_CONF_VALUE_num(list); ++i) { - CONF_VALUE *val = sk_CONF_VALUE_value(list, i); - const char *extval = val->value ? val->value : val->name; - ASN1_OBJECT *objtmp; - if (!(objtmp = OBJ_txt2obj(extval, 0))) { - TS_CONF_invalid(section, ENV_OTHER_POLICIES); - goto err; - } - if (!TS_RESP_CTX_add_policy(ctx, objtmp)) - goto err; - ASN1_OBJECT_free(objtmp); - } - - ret = 1; - err: - sk_CONF_VALUE_pop_free(list, X509V3_conf_free); - return ret; -} - -int TS_CONF_set_digests(CONF *conf, const char *section, TS_RESP_CTX *ctx) -{ - int ret = 0; - int i; - STACK_OF(CONF_VALUE) *list = NULL; - char *digests = NCONF_get_string(conf, section, ENV_DIGESTS); - if (!digests) { - TS_CONF_lookup_fail(section, ENV_DIGESTS); - goto err; - } - if (!(list = X509V3_parse_list(digests))) { - TS_CONF_invalid(section, ENV_DIGESTS); - goto err; - } - if (sk_CONF_VALUE_num(list) == 0) { - TS_CONF_invalid(section, ENV_DIGESTS); - goto err; - } - for (i = 0; i < sk_CONF_VALUE_num(list); ++i) { - CONF_VALUE *val = sk_CONF_VALUE_value(list, i); - const char *extval = val->value ? val->value : val->name; - const EVP_MD *md; - if (!(md = EVP_get_digestbyname(extval))) { - TS_CONF_invalid(section, ENV_DIGESTS); - goto err; - } - if (!TS_RESP_CTX_add_md(ctx, md)) - goto err; - } - - ret = 1; - err: - sk_CONF_VALUE_pop_free(list, X509V3_conf_free); - return ret; -} - -int TS_CONF_set_accuracy(CONF *conf, const char *section, TS_RESP_CTX *ctx) -{ - int ret = 0; - int i; - int secs = 0, millis = 0, micros = 0; - STACK_OF(CONF_VALUE) *list = NULL; - char *accuracy = NCONF_get_string(conf, section, ENV_ACCURACY); - - if (accuracy && !(list = X509V3_parse_list(accuracy))) { - TS_CONF_invalid(section, ENV_ACCURACY); - goto err; - } - for (i = 0; i < sk_CONF_VALUE_num(list); ++i) { - CONF_VALUE *val = sk_CONF_VALUE_value(list, i); - if (strcmp(val->name, ENV_VALUE_SECS) == 0) { - if (val->value) - secs = atoi(val->value); - } else if (strcmp(val->name, ENV_VALUE_MILLISECS) == 0) { - if (val->value) - millis = atoi(val->value); - } else if (strcmp(val->name, ENV_VALUE_MICROSECS) == 0) { - if (val->value) - micros = atoi(val->value); - } else { - TS_CONF_invalid(section, ENV_ACCURACY); - goto err; - } - } - if (!TS_RESP_CTX_set_accuracy(ctx, secs, millis, micros)) - goto err; - - ret = 1; - err: - sk_CONF_VALUE_pop_free(list, X509V3_conf_free); - return ret; -} - -int TS_CONF_set_clock_precision_digits(CONF *conf, const char *section, - TS_RESP_CTX *ctx) -{ - int ret = 0; - long digits = 0; - - /* - * If not specified, set the default value to 0, i.e. sec precision - */ - if (!NCONF_get_number_e(conf, section, ENV_CLOCK_PRECISION_DIGITS, - &digits)) - digits = 0; - if (digits < 0 || digits > TS_MAX_CLOCK_PRECISION_DIGITS) { - TS_CONF_invalid(section, ENV_CLOCK_PRECISION_DIGITS); - goto err; - } - - if (!TS_RESP_CTX_set_clock_precision_digits(ctx, digits)) - goto err; - - return 1; - err: - return ret; -} - -static int TS_CONF_add_flag(CONF *conf, const char *section, - const char *field, int flag, TS_RESP_CTX *ctx) -{ - /* Default is false. */ - const char *value = NCONF_get_string(conf, section, field); - if (value) { - if (strcmp(value, ENV_VALUE_YES) == 0) - TS_RESP_CTX_add_flags(ctx, flag); - else if (strcmp(value, ENV_VALUE_NO) != 0) { - TS_CONF_invalid(section, field); - return 0; - } - } - - return 1; -} - -int TS_CONF_set_ordering(CONF *conf, const char *section, TS_RESP_CTX *ctx) -{ - return TS_CONF_add_flag(conf, section, ENV_ORDERING, TS_ORDERING, ctx); -} - -int TS_CONF_set_tsa_name(CONF *conf, const char *section, TS_RESP_CTX *ctx) -{ - return TS_CONF_add_flag(conf, section, ENV_TSA_NAME, TS_TSA_NAME, ctx); -} - -int TS_CONF_set_ess_cert_id_chain(CONF *conf, const char *section, - TS_RESP_CTX *ctx) -{ - return TS_CONF_add_flag(conf, section, ENV_ESS_CERT_ID_CHAIN, - TS_ESS_CERT_ID_CHAIN, ctx); -} diff --git a/Cryptlib/OpenSSL/crypto/ts/ts_err.c b/Cryptlib/OpenSSL/crypto/ts/ts_err.c deleted file mode 100644 index ff1abf45..00000000 --- a/Cryptlib/OpenSSL/crypto/ts/ts_err.c +++ /dev/null @@ -1,188 +0,0 @@ -/* crypto/ts/ts_err.c */ -/* ==================================================================== - * Copyright (c) 1999-2007 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -/* - * NOTE: this file was auto generated by the mkerr.pl script: any changes - * made to it will be overwritten when the script next updates this file, - * only reason strings will be preserved. - */ - -#include <stdio.h> -#include <openssl/err.h> -#include <openssl/ts.h> - -/* BEGIN ERROR CODES */ -#ifndef OPENSSL_NO_ERR - -# define ERR_FUNC(func) ERR_PACK(ERR_LIB_TS,func,0) -# define ERR_REASON(reason) ERR_PACK(ERR_LIB_TS,0,reason) - -static ERR_STRING_DATA TS_str_functs[] = { - {ERR_FUNC(TS_F_D2I_TS_RESP), "d2i_TS_RESP"}, - {ERR_FUNC(TS_F_DEF_SERIAL_CB), "DEF_SERIAL_CB"}, - {ERR_FUNC(TS_F_DEF_TIME_CB), "DEF_TIME_CB"}, - {ERR_FUNC(TS_F_ESS_ADD_SIGNING_CERT), "ESS_ADD_SIGNING_CERT"}, - {ERR_FUNC(TS_F_ESS_CERT_ID_NEW_INIT), "ESS_CERT_ID_NEW_INIT"}, - {ERR_FUNC(TS_F_ESS_SIGNING_CERT_NEW_INIT), "ESS_SIGNING_CERT_NEW_INIT"}, - {ERR_FUNC(TS_F_INT_TS_RESP_VERIFY_TOKEN), "INT_TS_RESP_VERIFY_TOKEN"}, - {ERR_FUNC(TS_F_PKCS7_TO_TS_TST_INFO), "PKCS7_to_TS_TST_INFO"}, - {ERR_FUNC(TS_F_TS_ACCURACY_SET_MICROS), "TS_ACCURACY_set_micros"}, - {ERR_FUNC(TS_F_TS_ACCURACY_SET_MILLIS), "TS_ACCURACY_set_millis"}, - {ERR_FUNC(TS_F_TS_ACCURACY_SET_SECONDS), "TS_ACCURACY_set_seconds"}, - {ERR_FUNC(TS_F_TS_CHECK_IMPRINTS), "TS_CHECK_IMPRINTS"}, - {ERR_FUNC(TS_F_TS_CHECK_NONCES), "TS_CHECK_NONCES"}, - {ERR_FUNC(TS_F_TS_CHECK_POLICY), "TS_CHECK_POLICY"}, - {ERR_FUNC(TS_F_TS_CHECK_SIGNING_CERTS), "TS_CHECK_SIGNING_CERTS"}, - {ERR_FUNC(TS_F_TS_CHECK_STATUS_INFO), "TS_CHECK_STATUS_INFO"}, - {ERR_FUNC(TS_F_TS_COMPUTE_IMPRINT), "TS_COMPUTE_IMPRINT"}, - {ERR_FUNC(TS_F_TS_CONF_SET_DEFAULT_ENGINE), "TS_CONF_set_default_engine"}, - {ERR_FUNC(TS_F_TS_GET_STATUS_TEXT), "TS_GET_STATUS_TEXT"}, - {ERR_FUNC(TS_F_TS_MSG_IMPRINT_SET_ALGO), "TS_MSG_IMPRINT_set_algo"}, - {ERR_FUNC(TS_F_TS_REQ_SET_MSG_IMPRINT), "TS_REQ_set_msg_imprint"}, - {ERR_FUNC(TS_F_TS_REQ_SET_NONCE), "TS_REQ_set_nonce"}, - {ERR_FUNC(TS_F_TS_REQ_SET_POLICY_ID), "TS_REQ_set_policy_id"}, - {ERR_FUNC(TS_F_TS_RESP_CREATE_RESPONSE), "TS_RESP_create_response"}, - {ERR_FUNC(TS_F_TS_RESP_CREATE_TST_INFO), "TS_RESP_CREATE_TST_INFO"}, - {ERR_FUNC(TS_F_TS_RESP_CTX_ADD_FAILURE_INFO), - "TS_RESP_CTX_add_failure_info"}, - {ERR_FUNC(TS_F_TS_RESP_CTX_ADD_MD), "TS_RESP_CTX_add_md"}, - {ERR_FUNC(TS_F_TS_RESP_CTX_ADD_POLICY), "TS_RESP_CTX_add_policy"}, - {ERR_FUNC(TS_F_TS_RESP_CTX_NEW), "TS_RESP_CTX_new"}, - {ERR_FUNC(TS_F_TS_RESP_CTX_SET_ACCURACY), "TS_RESP_CTX_set_accuracy"}, - {ERR_FUNC(TS_F_TS_RESP_CTX_SET_CERTS), "TS_RESP_CTX_set_certs"}, - {ERR_FUNC(TS_F_TS_RESP_CTX_SET_DEF_POLICY), "TS_RESP_CTX_set_def_policy"}, - {ERR_FUNC(TS_F_TS_RESP_CTX_SET_SIGNER_CERT), - "TS_RESP_CTX_set_signer_cert"}, - {ERR_FUNC(TS_F_TS_RESP_CTX_SET_STATUS_INFO), - "TS_RESP_CTX_set_status_info"}, - {ERR_FUNC(TS_F_TS_RESP_GET_POLICY), "TS_RESP_GET_POLICY"}, - {ERR_FUNC(TS_F_TS_RESP_SET_GENTIME_WITH_PRECISION), - "TS_RESP_SET_GENTIME_WITH_PRECISION"}, - {ERR_FUNC(TS_F_TS_RESP_SET_STATUS_INFO), "TS_RESP_set_status_info"}, - {ERR_FUNC(TS_F_TS_RESP_SET_TST_INFO), "TS_RESP_set_tst_info"}, - {ERR_FUNC(TS_F_TS_RESP_SIGN), "TS_RESP_SIGN"}, - {ERR_FUNC(TS_F_TS_RESP_VERIFY_SIGNATURE), "TS_RESP_verify_signature"}, - {ERR_FUNC(TS_F_TS_RESP_VERIFY_TOKEN), "TS_RESP_verify_token"}, - {ERR_FUNC(TS_F_TS_TST_INFO_SET_ACCURACY), "TS_TST_INFO_set_accuracy"}, - {ERR_FUNC(TS_F_TS_TST_INFO_SET_MSG_IMPRINT), - "TS_TST_INFO_set_msg_imprint"}, - {ERR_FUNC(TS_F_TS_TST_INFO_SET_NONCE), "TS_TST_INFO_set_nonce"}, - {ERR_FUNC(TS_F_TS_TST_INFO_SET_POLICY_ID), "TS_TST_INFO_set_policy_id"}, - {ERR_FUNC(TS_F_TS_TST_INFO_SET_SERIAL), "TS_TST_INFO_set_serial"}, - {ERR_FUNC(TS_F_TS_TST_INFO_SET_TIME), "TS_TST_INFO_set_time"}, - {ERR_FUNC(TS_F_TS_TST_INFO_SET_TSA), "TS_TST_INFO_set_tsa"}, - {ERR_FUNC(TS_F_TS_VERIFY), "TS_VERIFY"}, - {ERR_FUNC(TS_F_TS_VERIFY_CERT), "TS_VERIFY_CERT"}, - {ERR_FUNC(TS_F_TS_VERIFY_CTX_NEW), "TS_VERIFY_CTX_new"}, - {0, NULL} -}; - -static ERR_STRING_DATA TS_str_reasons[] = { - {ERR_REASON(TS_R_BAD_PKCS7_TYPE), "bad pkcs7 type"}, - {ERR_REASON(TS_R_BAD_TYPE), "bad type"}, - {ERR_REASON(TS_R_CERTIFICATE_VERIFY_ERROR), "certificate verify error"}, - {ERR_REASON(TS_R_COULD_NOT_SET_ENGINE), "could not set engine"}, - {ERR_REASON(TS_R_COULD_NOT_SET_TIME), "could not set time"}, - {ERR_REASON(TS_R_D2I_TS_RESP_INT_FAILED), "d2i ts resp int failed"}, - {ERR_REASON(TS_R_DETACHED_CONTENT), "detached content"}, - {ERR_REASON(TS_R_ESS_ADD_SIGNING_CERT_ERROR), - "ess add signing cert error"}, - {ERR_REASON(TS_R_ESS_SIGNING_CERTIFICATE_ERROR), - "ess signing certificate error"}, - {ERR_REASON(TS_R_INVALID_NULL_POINTER), "invalid null pointer"}, - {ERR_REASON(TS_R_INVALID_SIGNER_CERTIFICATE_PURPOSE), - "invalid signer certificate purpose"}, - {ERR_REASON(TS_R_MESSAGE_IMPRINT_MISMATCH), "message imprint mismatch"}, - {ERR_REASON(TS_R_NONCE_MISMATCH), "nonce mismatch"}, - {ERR_REASON(TS_R_NONCE_NOT_RETURNED), "nonce not returned"}, - {ERR_REASON(TS_R_NO_CONTENT), "no content"}, - {ERR_REASON(TS_R_NO_TIME_STAMP_TOKEN), "no time stamp token"}, - {ERR_REASON(TS_R_PKCS7_ADD_SIGNATURE_ERROR), "pkcs7 add signature error"}, - {ERR_REASON(TS_R_PKCS7_ADD_SIGNED_ATTR_ERROR), - "pkcs7 add signed attr error"}, - {ERR_REASON(TS_R_PKCS7_TO_TS_TST_INFO_FAILED), - "pkcs7 to ts tst info failed"}, - {ERR_REASON(TS_R_POLICY_MISMATCH), "policy mismatch"}, - {ERR_REASON(TS_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE), - "private key does not match certificate"}, - {ERR_REASON(TS_R_RESPONSE_SETUP_ERROR), "response setup error"}, - {ERR_REASON(TS_R_SIGNATURE_FAILURE), "signature failure"}, - {ERR_REASON(TS_R_THERE_MUST_BE_ONE_SIGNER), "there must be one signer"}, - {ERR_REASON(TS_R_TIME_SYSCALL_ERROR), "time syscall error"}, - {ERR_REASON(TS_R_TOKEN_NOT_PRESENT), "token not present"}, - {ERR_REASON(TS_R_TOKEN_PRESENT), "token present"}, - {ERR_REASON(TS_R_TSA_NAME_MISMATCH), "tsa name mismatch"}, - {ERR_REASON(TS_R_TSA_UNTRUSTED), "tsa untrusted"}, - {ERR_REASON(TS_R_TST_INFO_SETUP_ERROR), "tst info setup error"}, - {ERR_REASON(TS_R_TS_DATASIGN), "ts datasign"}, - {ERR_REASON(TS_R_UNACCEPTABLE_POLICY), "unacceptable policy"}, - {ERR_REASON(TS_R_UNSUPPORTED_MD_ALGORITHM), "unsupported md algorithm"}, - {ERR_REASON(TS_R_UNSUPPORTED_VERSION), "unsupported version"}, - {ERR_REASON(TS_R_WRONG_CONTENT_TYPE), "wrong content type"}, - {0, NULL} -}; - -#endif - -void ERR_load_TS_strings(void) -{ -#ifndef OPENSSL_NO_ERR - - if (ERR_func_error_string(TS_str_functs[0].error) == NULL) { - ERR_load_strings(0, TS_str_functs); - ERR_load_strings(0, TS_str_reasons); - } -#endif -} diff --git a/Cryptlib/OpenSSL/crypto/ts/ts_lib.c b/Cryptlib/OpenSSL/crypto/ts/ts_lib.c deleted file mode 100644 index c51538a1..00000000 --- a/Cryptlib/OpenSSL/crypto/ts/ts_lib.c +++ /dev/null @@ -1,143 +0,0 @@ -/* crypto/ts/ts_lib.c */ -/* - * Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL project - * 2002. - */ -/* ==================================================================== - * Copyright (c) 2006 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#include <stdio.h> -#include "cryptlib.h" -#include <openssl/objects.h> -#include <openssl/bn.h> -#include <openssl/x509v3.h> -#include "ts.h" - -/* Local function declarations. */ - -/* Function definitions. */ - -int TS_ASN1_INTEGER_print_bio(BIO *bio, const ASN1_INTEGER *num) -{ - BIGNUM num_bn; - int result = 0; - char *hex; - - BN_init(&num_bn); - ASN1_INTEGER_to_BN(num, &num_bn); - if ((hex = BN_bn2hex(&num_bn))) { - result = BIO_write(bio, "0x", 2) > 0; - result = result && BIO_write(bio, hex, strlen(hex)) > 0; - OPENSSL_free(hex); - } - BN_free(&num_bn); - - return result; -} - -int TS_OBJ_print_bio(BIO *bio, const ASN1_OBJECT *obj) -{ - char obj_txt[128]; - - int len = OBJ_obj2txt(obj_txt, sizeof(obj_txt), obj, 0); - BIO_write(bio, obj_txt, len); - BIO_write(bio, "\n", 1); - - return 1; -} - -int TS_ext_print_bio(BIO *bio, const STACK_OF(X509_EXTENSION) *extensions) -{ - int i, critical, n; - X509_EXTENSION *ex; - ASN1_OBJECT *obj; - - BIO_printf(bio, "Extensions:\n"); - n = X509v3_get_ext_count(extensions); - for (i = 0; i < n; i++) { - ex = X509v3_get_ext(extensions, i); - obj = X509_EXTENSION_get_object(ex); - i2a_ASN1_OBJECT(bio, obj); - critical = X509_EXTENSION_get_critical(ex); - BIO_printf(bio, ": %s\n", critical ? "critical" : ""); - if (!X509V3_EXT_print(bio, ex, 0, 4)) { - BIO_printf(bio, "%4s", ""); - M_ASN1_OCTET_STRING_print(bio, ex->value); - } - BIO_write(bio, "\n", 1); - } - - return 1; -} - -int TS_X509_ALGOR_print_bio(BIO *bio, const X509_ALGOR *alg) -{ - int i = OBJ_obj2nid(alg->algorithm); - return BIO_printf(bio, "Hash Algorithm: %s\n", - (i == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(i)); -} - -int TS_MSG_IMPRINT_print_bio(BIO *bio, TS_MSG_IMPRINT *a) -{ - const ASN1_OCTET_STRING *msg; - - TS_X509_ALGOR_print_bio(bio, TS_MSG_IMPRINT_get_algo(a)); - - BIO_printf(bio, "Message data:\n"); - msg = TS_MSG_IMPRINT_get_msg(a); - BIO_dump_indent(bio, (const char *)M_ASN1_STRING_data(msg), - M_ASN1_STRING_length(msg), 4); - - return 1; -} diff --git a/Cryptlib/OpenSSL/crypto/ts/ts_req_print.c b/Cryptlib/OpenSSL/crypto/ts/ts_req_print.c deleted file mode 100644 index 31940eef..00000000 --- a/Cryptlib/OpenSSL/crypto/ts/ts_req_print.c +++ /dev/null @@ -1,104 +0,0 @@ -/* crypto/ts/ts_req_print.c */ -/* - * Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL project - * 2002. - */ -/* ==================================================================== - * Copyright (c) 2006 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#include <stdio.h> -#include "cryptlib.h" -#include <openssl/objects.h> -#include <openssl/bn.h> -#include <openssl/x509v3.h> -#include <openssl/ts.h> - -/* Function definitions. */ - -int TS_REQ_print_bio(BIO *bio, TS_REQ *a) -{ - int v; - ASN1_OBJECT *policy_id; - const ASN1_INTEGER *nonce; - - if (a == NULL) - return 0; - - v = TS_REQ_get_version(a); - BIO_printf(bio, "Version: %d\n", v); - - TS_MSG_IMPRINT_print_bio(bio, TS_REQ_get_msg_imprint(a)); - - BIO_printf(bio, "Policy OID: "); - policy_id = TS_REQ_get_policy_id(a); - if (policy_id == NULL) - BIO_printf(bio, "unspecified\n"); - else - TS_OBJ_print_bio(bio, policy_id); - - BIO_printf(bio, "Nonce: "); - nonce = TS_REQ_get_nonce(a); - if (nonce == NULL) - BIO_printf(bio, "unspecified"); - else - TS_ASN1_INTEGER_print_bio(bio, nonce); - BIO_write(bio, "\n", 1); - - BIO_printf(bio, "Certificate required: %s\n", - TS_REQ_get_cert_req(a) ? "yes" : "no"); - - TS_ext_print_bio(bio, TS_REQ_get_exts(a)); - - return 1; -} diff --git a/Cryptlib/OpenSSL/crypto/ts/ts_req_utils.c b/Cryptlib/OpenSSL/crypto/ts/ts_req_utils.c deleted file mode 100644 index 362e5e58..00000000 --- a/Cryptlib/OpenSSL/crypto/ts/ts_req_utils.c +++ /dev/null @@ -1,232 +0,0 @@ -/* crypto/ts/ts_req_utils.c */ -/* - * Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL project - * 2002. - */ -/* ==================================================================== - * Copyright (c) 2006 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#include <stdio.h> -#include "cryptlib.h" -#include <openssl/objects.h> -#include <openssl/x509v3.h> -#include <openssl/ts.h> - -int TS_REQ_set_version(TS_REQ *a, long version) -{ - return ASN1_INTEGER_set(a->version, version); -} - -long TS_REQ_get_version(const TS_REQ *a) -{ - return ASN1_INTEGER_get(a->version); -} - -int TS_REQ_set_msg_imprint(TS_REQ *a, TS_MSG_IMPRINT *msg_imprint) -{ - TS_MSG_IMPRINT *new_msg_imprint; - - if (a->msg_imprint == msg_imprint) - return 1; - new_msg_imprint = TS_MSG_IMPRINT_dup(msg_imprint); - if (new_msg_imprint == NULL) { - TSerr(TS_F_TS_REQ_SET_MSG_IMPRINT, ERR_R_MALLOC_FAILURE); - return 0; - } - TS_MSG_IMPRINT_free(a->msg_imprint); - a->msg_imprint = new_msg_imprint; - return 1; -} - -TS_MSG_IMPRINT *TS_REQ_get_msg_imprint(TS_REQ *a) -{ - return a->msg_imprint; -} - -int TS_MSG_IMPRINT_set_algo(TS_MSG_IMPRINT *a, X509_ALGOR *alg) -{ - X509_ALGOR *new_alg; - - if (a->hash_algo == alg) - return 1; - new_alg = X509_ALGOR_dup(alg); - if (new_alg == NULL) { - TSerr(TS_F_TS_MSG_IMPRINT_SET_ALGO, ERR_R_MALLOC_FAILURE); - return 0; - } - X509_ALGOR_free(a->hash_algo); - a->hash_algo = new_alg; - return 1; -} - -X509_ALGOR *TS_MSG_IMPRINT_get_algo(TS_MSG_IMPRINT *a) -{ - return a->hash_algo; -} - -int TS_MSG_IMPRINT_set_msg(TS_MSG_IMPRINT *a, unsigned char *d, int len) -{ - return ASN1_OCTET_STRING_set(a->hashed_msg, d, len); -} - -ASN1_OCTET_STRING *TS_MSG_IMPRINT_get_msg(TS_MSG_IMPRINT *a) -{ - return a->hashed_msg; -} - -int TS_REQ_set_policy_id(TS_REQ *a, ASN1_OBJECT *policy) -{ - ASN1_OBJECT *new_policy; - - if (a->policy_id == policy) - return 1; - new_policy = OBJ_dup(policy); - if (new_policy == NULL) { - TSerr(TS_F_TS_REQ_SET_POLICY_ID, ERR_R_MALLOC_FAILURE); - return 0; - } - ASN1_OBJECT_free(a->policy_id); - a->policy_id = new_policy; - return 1; -} - -ASN1_OBJECT *TS_REQ_get_policy_id(TS_REQ *a) -{ - return a->policy_id; -} - -int TS_REQ_set_nonce(TS_REQ *a, const ASN1_INTEGER *nonce) -{ - ASN1_INTEGER *new_nonce; - - if (a->nonce == nonce) - return 1; - new_nonce = ASN1_INTEGER_dup(nonce); - if (new_nonce == NULL) { - TSerr(TS_F_TS_REQ_SET_NONCE, ERR_R_MALLOC_FAILURE); - return 0; - } - ASN1_INTEGER_free(a->nonce); - a->nonce = new_nonce; - return 1; -} - -const ASN1_INTEGER *TS_REQ_get_nonce(const TS_REQ *a) -{ - return a->nonce; -} - -int TS_REQ_set_cert_req(TS_REQ *a, int cert_req) -{ - a->cert_req = cert_req ? 0xFF : 0x00; - return 1; -} - -int TS_REQ_get_cert_req(const TS_REQ *a) -{ - return a->cert_req ? 1 : 0; -} - -STACK_OF(X509_EXTENSION) *TS_REQ_get_exts(TS_REQ *a) -{ - return a->extensions; -} - -void TS_REQ_ext_free(TS_REQ *a) -{ - if (!a) - return; - sk_X509_EXTENSION_pop_free(a->extensions, X509_EXTENSION_free); - a->extensions = NULL; -} - -int TS_REQ_get_ext_count(TS_REQ *a) -{ - return X509v3_get_ext_count(a->extensions); -} - -int TS_REQ_get_ext_by_NID(TS_REQ *a, int nid, int lastpos) -{ - return X509v3_get_ext_by_NID(a->extensions, nid, lastpos); -} - -int TS_REQ_get_ext_by_OBJ(TS_REQ *a, ASN1_OBJECT *obj, int lastpos) -{ - return X509v3_get_ext_by_OBJ(a->extensions, obj, lastpos); -} - -int TS_REQ_get_ext_by_critical(TS_REQ *a, int crit, int lastpos) -{ - return X509v3_get_ext_by_critical(a->extensions, crit, lastpos); -} - -X509_EXTENSION *TS_REQ_get_ext(TS_REQ *a, int loc) -{ - return X509v3_get_ext(a->extensions, loc); -} - -X509_EXTENSION *TS_REQ_delete_ext(TS_REQ *a, int loc) -{ - return X509v3_delete_ext(a->extensions, loc); -} - -int TS_REQ_add_ext(TS_REQ *a, X509_EXTENSION *ex, int loc) -{ - return X509v3_add_ext(&a->extensions, ex, loc) != NULL; -} - -void *TS_REQ_get_ext_d2i(TS_REQ *a, int nid, int *crit, int *idx) -{ - return X509V3_get_d2i(a->extensions, nid, crit, idx); -} diff --git a/Cryptlib/OpenSSL/crypto/ts/ts_rsp_print.c b/Cryptlib/OpenSSL/crypto/ts/ts_rsp_print.c deleted file mode 100644 index e706a568..00000000 --- a/Cryptlib/OpenSSL/crypto/ts/ts_rsp_print.c +++ /dev/null @@ -1,281 +0,0 @@ -/* crypto/ts/ts_resp_print.c */ -/* - * Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL project - * 2002. - */ -/* ==================================================================== - * Copyright (c) 2006 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#include <stdio.h> -#include "cryptlib.h" -#include <openssl/objects.h> -#include <openssl/bn.h> -#include <openssl/x509v3.h> -#include "ts.h" - -struct status_map_st { - int bit; - const char *text; -}; - -/* Local function declarations. */ - -static int TS_status_map_print(BIO *bio, struct status_map_st *a, - ASN1_BIT_STRING *v); -static int TS_ACCURACY_print_bio(BIO *bio, const TS_ACCURACY *accuracy); - -/* Function definitions. */ - -int TS_RESP_print_bio(BIO *bio, TS_RESP *a) -{ - TS_TST_INFO *tst_info; - - BIO_printf(bio, "Status info:\n"); - TS_STATUS_INFO_print_bio(bio, TS_RESP_get_status_info(a)); - - BIO_printf(bio, "\nTST info:\n"); - tst_info = TS_RESP_get_tst_info(a); - if (tst_info != NULL) - TS_TST_INFO_print_bio(bio, TS_RESP_get_tst_info(a)); - else - BIO_printf(bio, "Not included.\n"); - - return 1; -} - -int TS_STATUS_INFO_print_bio(BIO *bio, TS_STATUS_INFO *a) -{ - static const char *status_map[] = { - "Granted.", - "Granted with modifications.", - "Rejected.", - "Waiting.", - "Revocation warning.", - "Revoked." - }; - static struct status_map_st failure_map[] = { - {TS_INFO_BAD_ALG, - "unrecognized or unsupported algorithm identifier"}, - {TS_INFO_BAD_REQUEST, - "transaction not permitted or supported"}, - {TS_INFO_BAD_DATA_FORMAT, - "the data submitted has the wrong format"}, - {TS_INFO_TIME_NOT_AVAILABLE, - "the TSA's time source is not available"}, - {TS_INFO_UNACCEPTED_POLICY, - "the requested TSA policy is not supported by the TSA"}, - {TS_INFO_UNACCEPTED_EXTENSION, - "the requested extension is not supported by the TSA"}, - {TS_INFO_ADD_INFO_NOT_AVAILABLE, - "the additional information requested could not be understood " - "or is not available"}, - {TS_INFO_SYSTEM_FAILURE, - "the request cannot be handled due to system failure"}, - {-1, NULL} - }; - long status; - int i, lines = 0; - - /* Printing status code. */ - BIO_printf(bio, "Status: "); - status = ASN1_INTEGER_get(a->status); - if (0 <= status - && status < (long)(sizeof(status_map) / sizeof(status_map[0]))) - BIO_printf(bio, "%s\n", status_map[status]); - else - BIO_printf(bio, "out of bounds\n"); - - /* Printing status description. */ - BIO_printf(bio, "Status description: "); - for (i = 0; i < sk_ASN1_UTF8STRING_num(a->text); ++i) { - if (i > 0) - BIO_puts(bio, "\t"); - ASN1_STRING_print_ex(bio, sk_ASN1_UTF8STRING_value(a->text, i), 0); - BIO_puts(bio, "\n"); - } - if (i == 0) - BIO_printf(bio, "unspecified\n"); - - /* Printing failure information. */ - BIO_printf(bio, "Failure info: "); - if (a->failure_info != NULL) - lines = TS_status_map_print(bio, failure_map, a->failure_info); - if (lines == 0) - BIO_printf(bio, "unspecified"); - BIO_printf(bio, "\n"); - - return 1; -} - -static int TS_status_map_print(BIO *bio, struct status_map_st *a, - ASN1_BIT_STRING *v) -{ - int lines = 0; - - for (; a->bit >= 0; ++a) { - if (ASN1_BIT_STRING_get_bit(v, a->bit)) { - if (++lines > 1) - BIO_printf(bio, ", "); - BIO_printf(bio, "%s", a->text); - } - } - - return lines; -} - -int TS_TST_INFO_print_bio(BIO *bio, TS_TST_INFO *a) -{ - int v; - ASN1_OBJECT *policy_id; - const ASN1_INTEGER *serial; - const ASN1_GENERALIZEDTIME *gtime; - TS_ACCURACY *accuracy; - const ASN1_INTEGER *nonce; - GENERAL_NAME *tsa_name; - - if (a == NULL) - return 0; - - /* Print version. */ - v = TS_TST_INFO_get_version(a); - BIO_printf(bio, "Version: %d\n", v); - - /* Print policy id. */ - BIO_printf(bio, "Policy OID: "); - policy_id = TS_TST_INFO_get_policy_id(a); - TS_OBJ_print_bio(bio, policy_id); - - /* Print message imprint. */ - TS_MSG_IMPRINT_print_bio(bio, TS_TST_INFO_get_msg_imprint(a)); - - /* Print serial number. */ - BIO_printf(bio, "Serial number: "); - serial = TS_TST_INFO_get_serial(a); - if (serial == NULL) - BIO_printf(bio, "unspecified"); - else - TS_ASN1_INTEGER_print_bio(bio, serial); - BIO_write(bio, "\n", 1); - - /* Print time stamp. */ - BIO_printf(bio, "Time stamp: "); - gtime = TS_TST_INFO_get_time(a); - ASN1_GENERALIZEDTIME_print(bio, gtime); - BIO_write(bio, "\n", 1); - - /* Print accuracy. */ - BIO_printf(bio, "Accuracy: "); - accuracy = TS_TST_INFO_get_accuracy(a); - if (accuracy == NULL) - BIO_printf(bio, "unspecified"); - else - TS_ACCURACY_print_bio(bio, accuracy); - BIO_write(bio, "\n", 1); - - /* Print ordering. */ - BIO_printf(bio, "Ordering: %s\n", - TS_TST_INFO_get_ordering(a) ? "yes" : "no"); - - /* Print nonce. */ - BIO_printf(bio, "Nonce: "); - nonce = TS_TST_INFO_get_nonce(a); - if (nonce == NULL) - BIO_printf(bio, "unspecified"); - else - TS_ASN1_INTEGER_print_bio(bio, nonce); - BIO_write(bio, "\n", 1); - - /* Print TSA name. */ - BIO_printf(bio, "TSA: "); - tsa_name = TS_TST_INFO_get_tsa(a); - if (tsa_name == NULL) - BIO_printf(bio, "unspecified"); - else { - STACK_OF(CONF_VALUE) *nval; - if ((nval = i2v_GENERAL_NAME(NULL, tsa_name, NULL))) - X509V3_EXT_val_prn(bio, nval, 0, 0); - sk_CONF_VALUE_pop_free(nval, X509V3_conf_free); - } - BIO_write(bio, "\n", 1); - - /* Print extensions. */ - TS_ext_print_bio(bio, TS_TST_INFO_get_exts(a)); - - return 1; -} - -static int TS_ACCURACY_print_bio(BIO *bio, const TS_ACCURACY *accuracy) -{ - const ASN1_INTEGER *seconds = TS_ACCURACY_get_seconds(accuracy); - const ASN1_INTEGER *millis = TS_ACCURACY_get_millis(accuracy); - const ASN1_INTEGER *micros = TS_ACCURACY_get_micros(accuracy); - - if (seconds != NULL) - TS_ASN1_INTEGER_print_bio(bio, seconds); - else - BIO_printf(bio, "unspecified"); - BIO_printf(bio, " seconds, "); - if (millis != NULL) - TS_ASN1_INTEGER_print_bio(bio, millis); - else - BIO_printf(bio, "unspecified"); - BIO_printf(bio, " millis, "); - if (micros != NULL) - TS_ASN1_INTEGER_print_bio(bio, micros); - else - BIO_printf(bio, "unspecified"); - BIO_printf(bio, " micros"); - - return 1; -} diff --git a/Cryptlib/OpenSSL/crypto/ts/ts_rsp_sign.c b/Cryptlib/OpenSSL/crypto/ts/ts_rsp_sign.c deleted file mode 100644 index db6ce324..00000000 --- a/Cryptlib/OpenSSL/crypto/ts/ts_rsp_sign.c +++ /dev/null @@ -1,1020 +0,0 @@ -/* crypto/ts/ts_resp_sign.c */ -/* - * Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL project - * 2002. - */ -/* ==================================================================== - * Copyright (c) 2006 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#include "cryptlib.h" - -#if defined(OPENSSL_SYS_UNIX) -# include <sys/time.h> -#endif - -#include <openssl/objects.h> -#include <openssl/ts.h> -#include <openssl/pkcs7.h> - -/* Private function declarations. */ - -static ASN1_INTEGER *def_serial_cb(struct TS_resp_ctx *, void *); -static int def_time_cb(struct TS_resp_ctx *, void *, long *sec, long *usec); -static int def_extension_cb(struct TS_resp_ctx *, X509_EXTENSION *, void *); - -static void TS_RESP_CTX_init(TS_RESP_CTX *ctx); -static void TS_RESP_CTX_cleanup(TS_RESP_CTX *ctx); -static int TS_RESP_check_request(TS_RESP_CTX *ctx); -static ASN1_OBJECT *TS_RESP_get_policy(TS_RESP_CTX *ctx); -static TS_TST_INFO *TS_RESP_create_tst_info(TS_RESP_CTX *ctx, - ASN1_OBJECT *policy); -static int TS_RESP_process_extensions(TS_RESP_CTX *ctx); -static int TS_RESP_sign(TS_RESP_CTX *ctx); - -static ESS_SIGNING_CERT *ESS_SIGNING_CERT_new_init(X509 *signcert, - STACK_OF(X509) *certs); -static ESS_CERT_ID *ESS_CERT_ID_new_init(X509 *cert, int issuer_needed); -static int TS_TST_INFO_content_new(PKCS7 *p7); -static int ESS_add_signing_cert(PKCS7_SIGNER_INFO *si, ESS_SIGNING_CERT *sc); - -static ASN1_GENERALIZEDTIME -*TS_RESP_set_genTime_with_precision(ASN1_GENERALIZEDTIME *, long, long, - unsigned); - -/* Default callbacks for response generation. */ - -static ASN1_INTEGER *def_serial_cb(struct TS_resp_ctx *ctx, void *data) -{ - ASN1_INTEGER *serial = ASN1_INTEGER_new(); - if (!serial) - goto err; - if (!ASN1_INTEGER_set(serial, 1)) - goto err; - return serial; - err: - TSerr(TS_F_DEF_SERIAL_CB, ERR_R_MALLOC_FAILURE); - TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION, - "Error during serial number generation."); - return NULL; -} - -#if defined(OPENSSL_SYS_UNIX) - -/* Use the gettimeofday function call. */ -static int def_time_cb(struct TS_resp_ctx *ctx, void *data, - long *sec, long *usec) -{ - struct timeval tv; - if (gettimeofday(&tv, NULL) != 0) { - TSerr(TS_F_DEF_TIME_CB, TS_R_TIME_SYSCALL_ERROR); - TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION, - "Time is not available."); - TS_RESP_CTX_add_failure_info(ctx, TS_INFO_TIME_NOT_AVAILABLE); - return 0; - } - /* Return time to caller. */ - *sec = tv.tv_sec; - *usec = tv.tv_usec; - - return 1; -} - -#else - -/* Use the time function call that provides only seconds precision. */ -static int def_time_cb(struct TS_resp_ctx *ctx, void *data, - long *sec, long *usec) -{ - time_t t; - if (time(&t) == (time_t)-1) { - TSerr(TS_F_DEF_TIME_CB, TS_R_TIME_SYSCALL_ERROR); - TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION, - "Time is not available."); - TS_RESP_CTX_add_failure_info(ctx, TS_INFO_TIME_NOT_AVAILABLE); - return 0; - } - /* Return time to caller, only second precision. */ - *sec = (long)t; - *usec = 0; - - return 1; -} - -#endif - -static int def_extension_cb(struct TS_resp_ctx *ctx, X509_EXTENSION *ext, - void *data) -{ - /* No extensions are processed here. */ - TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION, - "Unsupported extension."); - TS_RESP_CTX_add_failure_info(ctx, TS_INFO_UNACCEPTED_EXTENSION); - return 0; -} - -/* TS_RESP_CTX management functions. */ - -TS_RESP_CTX *TS_RESP_CTX_new() -{ - TS_RESP_CTX *ctx; - - if (!(ctx = (TS_RESP_CTX *)OPENSSL_malloc(sizeof(TS_RESP_CTX)))) { - TSerr(TS_F_TS_RESP_CTX_NEW, ERR_R_MALLOC_FAILURE); - return NULL; - } - memset(ctx, 0, sizeof(TS_RESP_CTX)); - - /* Setting default callbacks. */ - ctx->serial_cb = def_serial_cb; - ctx->time_cb = def_time_cb; - ctx->extension_cb = def_extension_cb; - - return ctx; -} - -void TS_RESP_CTX_free(TS_RESP_CTX *ctx) -{ - if (!ctx) - return; - - X509_free(ctx->signer_cert); - EVP_PKEY_free(ctx->signer_key); - sk_X509_pop_free(ctx->certs, X509_free); - sk_ASN1_OBJECT_pop_free(ctx->policies, ASN1_OBJECT_free); - ASN1_OBJECT_free(ctx->default_policy); - sk_EVP_MD_free(ctx->mds); /* No EVP_MD_free method exists. */ - ASN1_INTEGER_free(ctx->seconds); - ASN1_INTEGER_free(ctx->millis); - ASN1_INTEGER_free(ctx->micros); - OPENSSL_free(ctx); -} - -int TS_RESP_CTX_set_signer_cert(TS_RESP_CTX *ctx, X509 *signer) -{ - if (X509_check_purpose(signer, X509_PURPOSE_TIMESTAMP_SIGN, 0) != 1) { - TSerr(TS_F_TS_RESP_CTX_SET_SIGNER_CERT, - TS_R_INVALID_SIGNER_CERTIFICATE_PURPOSE); - return 0; - } - if (ctx->signer_cert) - X509_free(ctx->signer_cert); - ctx->signer_cert = signer; - CRYPTO_add(&ctx->signer_cert->references, +1, CRYPTO_LOCK_X509); - return 1; -} - -int TS_RESP_CTX_set_signer_key(TS_RESP_CTX *ctx, EVP_PKEY *key) -{ - if (ctx->signer_key) - EVP_PKEY_free(ctx->signer_key); - ctx->signer_key = key; - CRYPTO_add(&ctx->signer_key->references, +1, CRYPTO_LOCK_EVP_PKEY); - - return 1; -} - -int TS_RESP_CTX_set_def_policy(TS_RESP_CTX *ctx, ASN1_OBJECT *def_policy) -{ - if (ctx->default_policy) - ASN1_OBJECT_free(ctx->default_policy); - if (!(ctx->default_policy = OBJ_dup(def_policy))) - goto err; - return 1; - err: - TSerr(TS_F_TS_RESP_CTX_SET_DEF_POLICY, ERR_R_MALLOC_FAILURE); - return 0; -} - -int TS_RESP_CTX_set_certs(TS_RESP_CTX *ctx, STACK_OF(X509) *certs) -{ - - if (ctx->certs) { - sk_X509_pop_free(ctx->certs, X509_free); - ctx->certs = NULL; - } - if (!certs) - return 1; - if (!(ctx->certs = X509_chain_up_ref(certs))) { - TSerr(TS_F_TS_RESP_CTX_SET_CERTS, ERR_R_MALLOC_FAILURE); - return 0; - } - - return 1; -} - -int TS_RESP_CTX_add_policy(TS_RESP_CTX *ctx, ASN1_OBJECT *policy) -{ - ASN1_OBJECT *copy = NULL; - - /* Create new policy stack if necessary. */ - if (!ctx->policies && !(ctx->policies = sk_ASN1_OBJECT_new_null())) - goto err; - if (!(copy = OBJ_dup(policy))) - goto err; - if (!sk_ASN1_OBJECT_push(ctx->policies, copy)) - goto err; - - return 1; - err: - TSerr(TS_F_TS_RESP_CTX_ADD_POLICY, ERR_R_MALLOC_FAILURE); - ASN1_OBJECT_free(copy); - return 0; -} - -int TS_RESP_CTX_add_md(TS_RESP_CTX *ctx, const EVP_MD *md) -{ - /* Create new md stack if necessary. */ - if (!ctx->mds && !(ctx->mds = sk_EVP_MD_new_null())) - goto err; - /* Add the shared md, no copy needed. */ - if (!sk_EVP_MD_push(ctx->mds, (EVP_MD *)md)) - goto err; - - return 1; - err: - TSerr(TS_F_TS_RESP_CTX_ADD_MD, ERR_R_MALLOC_FAILURE); - return 0; -} - -#define TS_RESP_CTX_accuracy_free(ctx) \ - ASN1_INTEGER_free(ctx->seconds); \ - ctx->seconds = NULL; \ - ASN1_INTEGER_free(ctx->millis); \ - ctx->millis = NULL; \ - ASN1_INTEGER_free(ctx->micros); \ - ctx->micros = NULL; - -int TS_RESP_CTX_set_accuracy(TS_RESP_CTX *ctx, - int secs, int millis, int micros) -{ - - TS_RESP_CTX_accuracy_free(ctx); - if (secs && (!(ctx->seconds = ASN1_INTEGER_new()) - || !ASN1_INTEGER_set(ctx->seconds, secs))) - goto err; - if (millis && (!(ctx->millis = ASN1_INTEGER_new()) - || !ASN1_INTEGER_set(ctx->millis, millis))) - goto err; - if (micros && (!(ctx->micros = ASN1_INTEGER_new()) - || !ASN1_INTEGER_set(ctx->micros, micros))) - goto err; - - return 1; - err: - TS_RESP_CTX_accuracy_free(ctx); - TSerr(TS_F_TS_RESP_CTX_SET_ACCURACY, ERR_R_MALLOC_FAILURE); - return 0; -} - -void TS_RESP_CTX_add_flags(TS_RESP_CTX *ctx, int flags) -{ - ctx->flags |= flags; -} - -void TS_RESP_CTX_set_serial_cb(TS_RESP_CTX *ctx, TS_serial_cb cb, void *data) -{ - ctx->serial_cb = cb; - ctx->serial_cb_data = data; -} - -void TS_RESP_CTX_set_time_cb(TS_RESP_CTX *ctx, TS_time_cb cb, void *data) -{ - ctx->time_cb = cb; - ctx->time_cb_data = data; -} - -void TS_RESP_CTX_set_extension_cb(TS_RESP_CTX *ctx, - TS_extension_cb cb, void *data) -{ - ctx->extension_cb = cb; - ctx->extension_cb_data = data; -} - -int TS_RESP_CTX_set_status_info(TS_RESP_CTX *ctx, - int status, const char *text) -{ - TS_STATUS_INFO *si = NULL; - ASN1_UTF8STRING *utf8_text = NULL; - int ret = 0; - - if (!(si = TS_STATUS_INFO_new())) - goto err; - if (!ASN1_INTEGER_set(si->status, status)) - goto err; - if (text) { - if (!(utf8_text = ASN1_UTF8STRING_new()) - || !ASN1_STRING_set(utf8_text, text, strlen(text))) - goto err; - if (!si->text && !(si->text = sk_ASN1_UTF8STRING_new_null())) - goto err; - if (!sk_ASN1_UTF8STRING_push(si->text, utf8_text)) - goto err; - utf8_text = NULL; /* Ownership is lost. */ - } - if (!TS_RESP_set_status_info(ctx->response, si)) - goto err; - ret = 1; - err: - if (!ret) - TSerr(TS_F_TS_RESP_CTX_SET_STATUS_INFO, ERR_R_MALLOC_FAILURE); - TS_STATUS_INFO_free(si); - ASN1_UTF8STRING_free(utf8_text); - return ret; -} - -int TS_RESP_CTX_set_status_info_cond(TS_RESP_CTX *ctx, - int status, const char *text) -{ - int ret = 1; - TS_STATUS_INFO *si = TS_RESP_get_status_info(ctx->response); - - if (ASN1_INTEGER_get(si->status) == TS_STATUS_GRANTED) { - /* Status has not been set, set it now. */ - ret = TS_RESP_CTX_set_status_info(ctx, status, text); - } - return ret; -} - -int TS_RESP_CTX_add_failure_info(TS_RESP_CTX *ctx, int failure) -{ - TS_STATUS_INFO *si = TS_RESP_get_status_info(ctx->response); - if (!si->failure_info && !(si->failure_info = ASN1_BIT_STRING_new())) - goto err; - if (!ASN1_BIT_STRING_set_bit(si->failure_info, failure, 1)) - goto err; - return 1; - err: - TSerr(TS_F_TS_RESP_CTX_ADD_FAILURE_INFO, ERR_R_MALLOC_FAILURE); - return 0; -} - -TS_REQ *TS_RESP_CTX_get_request(TS_RESP_CTX *ctx) -{ - return ctx->request; -} - -TS_TST_INFO *TS_RESP_CTX_get_tst_info(TS_RESP_CTX *ctx) -{ - return ctx->tst_info; -} - -int TS_RESP_CTX_set_clock_precision_digits(TS_RESP_CTX *ctx, - unsigned precision) -{ - if (precision > TS_MAX_CLOCK_PRECISION_DIGITS) - return 0; - ctx->clock_precision_digits = precision; - return 1; -} - -/* Main entry method of the response generation. */ -TS_RESP *TS_RESP_create_response(TS_RESP_CTX *ctx, BIO *req_bio) -{ - ASN1_OBJECT *policy; - TS_RESP *response; - int result = 0; - - TS_RESP_CTX_init(ctx); - - /* Creating the response object. */ - if (!(ctx->response = TS_RESP_new())) { - TSerr(TS_F_TS_RESP_CREATE_RESPONSE, ERR_R_MALLOC_FAILURE); - goto end; - } - - /* Parsing DER request. */ - if (!(ctx->request = d2i_TS_REQ_bio(req_bio, NULL))) { - TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION, - "Bad request format or " "system error."); - TS_RESP_CTX_add_failure_info(ctx, TS_INFO_BAD_DATA_FORMAT); - goto end; - } - - /* Setting default status info. */ - if (!TS_RESP_CTX_set_status_info(ctx, TS_STATUS_GRANTED, NULL)) - goto end; - - /* Checking the request format. */ - if (!TS_RESP_check_request(ctx)) - goto end; - - /* Checking acceptable policies. */ - if (!(policy = TS_RESP_get_policy(ctx))) - goto end; - - /* Creating the TS_TST_INFO object. */ - if (!(ctx->tst_info = TS_RESP_create_tst_info(ctx, policy))) - goto end; - - /* Processing extensions. */ - if (!TS_RESP_process_extensions(ctx)) - goto end; - - /* Generating the signature. */ - if (!TS_RESP_sign(ctx)) - goto end; - - /* Everything was successful. */ - result = 1; - end: - if (!result) { - TSerr(TS_F_TS_RESP_CREATE_RESPONSE, TS_R_RESPONSE_SETUP_ERROR); - if (ctx->response != NULL) { - if (TS_RESP_CTX_set_status_info_cond(ctx, - TS_STATUS_REJECTION, - "Error during response " - "generation.") == 0) { - TS_RESP_free(ctx->response); - ctx->response = NULL; - } - } - } - response = ctx->response; - ctx->response = NULL; /* Ownership will be returned to caller. */ - TS_RESP_CTX_cleanup(ctx); - return response; -} - -/* Initializes the variable part of the context. */ -static void TS_RESP_CTX_init(TS_RESP_CTX *ctx) -{ - ctx->request = NULL; - ctx->response = NULL; - ctx->tst_info = NULL; -} - -/* Cleans up the variable part of the context. */ -static void TS_RESP_CTX_cleanup(TS_RESP_CTX *ctx) -{ - TS_REQ_free(ctx->request); - ctx->request = NULL; - TS_RESP_free(ctx->response); - ctx->response = NULL; - TS_TST_INFO_free(ctx->tst_info); - ctx->tst_info = NULL; -} - -/* Checks the format and content of the request. */ -static int TS_RESP_check_request(TS_RESP_CTX *ctx) -{ - TS_REQ *request = ctx->request; - TS_MSG_IMPRINT *msg_imprint; - X509_ALGOR *md_alg; - int md_alg_id; - const ASN1_OCTET_STRING *digest; - EVP_MD *md = NULL; - int i; - - /* Checking request version. */ - if (TS_REQ_get_version(request) != 1) { - TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION, - "Bad request version."); - TS_RESP_CTX_add_failure_info(ctx, TS_INFO_BAD_REQUEST); - return 0; - } - - /* Checking message digest algorithm. */ - msg_imprint = TS_REQ_get_msg_imprint(request); - md_alg = TS_MSG_IMPRINT_get_algo(msg_imprint); - md_alg_id = OBJ_obj2nid(md_alg->algorithm); - for (i = 0; !md && i < sk_EVP_MD_num(ctx->mds); ++i) { - EVP_MD *current_md = sk_EVP_MD_value(ctx->mds, i); - if (md_alg_id == EVP_MD_type(current_md)) - md = current_md; - } - if (!md) { - TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION, - "Message digest algorithm is " - "not supported."); - TS_RESP_CTX_add_failure_info(ctx, TS_INFO_BAD_ALG); - return 0; - } - - /* No message digest takes parameter. */ - if (md_alg->parameter && ASN1_TYPE_get(md_alg->parameter) != V_ASN1_NULL) { - TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION, - "Superfluous message digest " - "parameter."); - TS_RESP_CTX_add_failure_info(ctx, TS_INFO_BAD_ALG); - return 0; - } - /* Checking message digest size. */ - digest = TS_MSG_IMPRINT_get_msg(msg_imprint); - if (digest->length != EVP_MD_size(md)) { - TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION, - "Bad message digest."); - TS_RESP_CTX_add_failure_info(ctx, TS_INFO_BAD_DATA_FORMAT); - return 0; - } - - return 1; -} - -/* Returns the TSA policy based on the requested and acceptable policies. */ -static ASN1_OBJECT *TS_RESP_get_policy(TS_RESP_CTX *ctx) -{ - ASN1_OBJECT *requested = TS_REQ_get_policy_id(ctx->request); - ASN1_OBJECT *policy = NULL; - int i; - - if (ctx->default_policy == NULL) { - TSerr(TS_F_TS_RESP_GET_POLICY, TS_R_INVALID_NULL_POINTER); - return NULL; - } - /* - * Return the default policy if none is requested or the default is - * requested. - */ - if (!requested || !OBJ_cmp(requested, ctx->default_policy)) - policy = ctx->default_policy; - - /* Check if the policy is acceptable. */ - for (i = 0; !policy && i < sk_ASN1_OBJECT_num(ctx->policies); ++i) { - ASN1_OBJECT *current = sk_ASN1_OBJECT_value(ctx->policies, i); - if (!OBJ_cmp(requested, current)) - policy = current; - } - if (!policy) { - TSerr(TS_F_TS_RESP_GET_POLICY, TS_R_UNACCEPTABLE_POLICY); - TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION, - "Requested policy is not " "supported."); - TS_RESP_CTX_add_failure_info(ctx, TS_INFO_UNACCEPTED_POLICY); - } - return policy; -} - -/* Creates the TS_TST_INFO object based on the settings of the context. */ -static TS_TST_INFO *TS_RESP_create_tst_info(TS_RESP_CTX *ctx, - ASN1_OBJECT *policy) -{ - int result = 0; - TS_TST_INFO *tst_info = NULL; - ASN1_INTEGER *serial = NULL; - ASN1_GENERALIZEDTIME *asn1_time = NULL; - long sec, usec; - TS_ACCURACY *accuracy = NULL; - const ASN1_INTEGER *nonce; - GENERAL_NAME *tsa_name = NULL; - - if (!(tst_info = TS_TST_INFO_new())) - goto end; - if (!TS_TST_INFO_set_version(tst_info, 1)) - goto end; - if (!TS_TST_INFO_set_policy_id(tst_info, policy)) - goto end; - if (!TS_TST_INFO_set_msg_imprint(tst_info, ctx->request->msg_imprint)) - goto end; - if (!(serial = (*ctx->serial_cb) (ctx, ctx->serial_cb_data)) - || !TS_TST_INFO_set_serial(tst_info, serial)) - goto end; - if (!(*ctx->time_cb) (ctx, ctx->time_cb_data, &sec, &usec) - || !(asn1_time = TS_RESP_set_genTime_with_precision(NULL, - sec, usec, - ctx->clock_precision_digits)) - || !TS_TST_INFO_set_time(tst_info, asn1_time)) - goto end; - - /* Setting accuracy if needed. */ - if ((ctx->seconds || ctx->millis || ctx->micros) - && !(accuracy = TS_ACCURACY_new())) - goto end; - - if (ctx->seconds && !TS_ACCURACY_set_seconds(accuracy, ctx->seconds)) - goto end; - if (ctx->millis && !TS_ACCURACY_set_millis(accuracy, ctx->millis)) - goto end; - if (ctx->micros && !TS_ACCURACY_set_micros(accuracy, ctx->micros)) - goto end; - if (accuracy && !TS_TST_INFO_set_accuracy(tst_info, accuracy)) - goto end; - - /* Setting ordering. */ - if ((ctx->flags & TS_ORDERING) - && !TS_TST_INFO_set_ordering(tst_info, 1)) - goto end; - - /* Setting nonce if needed. */ - if ((nonce = TS_REQ_get_nonce(ctx->request)) != NULL - && !TS_TST_INFO_set_nonce(tst_info, nonce)) - goto end; - - /* Setting TSA name to subject of signer certificate. */ - if (ctx->flags & TS_TSA_NAME) { - if (!(tsa_name = GENERAL_NAME_new())) - goto end; - tsa_name->type = GEN_DIRNAME; - tsa_name->d.dirn = - X509_NAME_dup(ctx->signer_cert->cert_info->subject); - if (!tsa_name->d.dirn) - goto end; - if (!TS_TST_INFO_set_tsa(tst_info, tsa_name)) - goto end; - } - - result = 1; - end: - if (!result) { - TS_TST_INFO_free(tst_info); - tst_info = NULL; - TSerr(TS_F_TS_RESP_CREATE_TST_INFO, TS_R_TST_INFO_SETUP_ERROR); - TS_RESP_CTX_set_status_info_cond(ctx, TS_STATUS_REJECTION, - "Error during TSTInfo " - "generation."); - } - GENERAL_NAME_free(tsa_name); - TS_ACCURACY_free(accuracy); - ASN1_GENERALIZEDTIME_free(asn1_time); - ASN1_INTEGER_free(serial); - - return tst_info; -} - -/* Processing the extensions of the request. */ -static int TS_RESP_process_extensions(TS_RESP_CTX *ctx) -{ - STACK_OF(X509_EXTENSION) *exts = TS_REQ_get_exts(ctx->request); - int i; - int ok = 1; - - for (i = 0; ok && i < sk_X509_EXTENSION_num(exts); ++i) { - X509_EXTENSION *ext = sk_X509_EXTENSION_value(exts, i); - /* - * XXXXX The last argument was previously (void *)ctx->extension_cb, - * but ISO C doesn't permit converting a function pointer to void *. - * For lack of better information, I'm placing a NULL there instead. - * The callback can pick its own address out from the ctx anyway... - */ - ok = (*ctx->extension_cb) (ctx, ext, NULL); - } - - return ok; -} - -/* Functions for signing the TS_TST_INFO structure of the context. */ -static int TS_RESP_sign(TS_RESP_CTX *ctx) -{ - int ret = 0; - PKCS7 *p7 = NULL; - PKCS7_SIGNER_INFO *si; - STACK_OF(X509) *certs; /* Certificates to include in sc. */ - ESS_SIGNING_CERT *sc = NULL; - ASN1_OBJECT *oid; - BIO *p7bio = NULL; - int i; - - /* Check if signcert and pkey match. */ - if (!X509_check_private_key(ctx->signer_cert, ctx->signer_key)) { - TSerr(TS_F_TS_RESP_SIGN, TS_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE); - goto err; - } - - /* Create a new PKCS7 signed object. */ - if (!(p7 = PKCS7_new())) { - TSerr(TS_F_TS_RESP_SIGN, ERR_R_MALLOC_FAILURE); - goto err; - } - if (!PKCS7_set_type(p7, NID_pkcs7_signed)) - goto err; - - /* Force SignedData version to be 3 instead of the default 1. */ - if (!ASN1_INTEGER_set(p7->d.sign->version, 3)) - goto err; - - /* Add signer certificate and optional certificate chain. */ - if (TS_REQ_get_cert_req(ctx->request)) { - PKCS7_add_certificate(p7, ctx->signer_cert); - if (ctx->certs) { - for (i = 0; i < sk_X509_num(ctx->certs); ++i) { - X509 *cert = sk_X509_value(ctx->certs, i); - PKCS7_add_certificate(p7, cert); - } - } - } - - /* Add a new signer info. */ - if (!(si = PKCS7_add_signature(p7, ctx->signer_cert, - ctx->signer_key, EVP_sha1()))) { - TSerr(TS_F_TS_RESP_SIGN, TS_R_PKCS7_ADD_SIGNATURE_ERROR); - goto err; - } - - /* Add content type signed attribute to the signer info. */ - oid = OBJ_nid2obj(NID_id_smime_ct_TSTInfo); - if (!PKCS7_add_signed_attribute(si, NID_pkcs9_contentType, - V_ASN1_OBJECT, oid)) { - TSerr(TS_F_TS_RESP_SIGN, TS_R_PKCS7_ADD_SIGNED_ATTR_ERROR); - goto err; - } - - /* - * Create the ESS SigningCertificate attribute which contains the signer - * certificate id and optionally the certificate chain. - */ - certs = ctx->flags & TS_ESS_CERT_ID_CHAIN ? ctx->certs : NULL; - if (!(sc = ESS_SIGNING_CERT_new_init(ctx->signer_cert, certs))) - goto err; - - /* Add SigningCertificate signed attribute to the signer info. */ - if (!ESS_add_signing_cert(si, sc)) { - TSerr(TS_F_TS_RESP_SIGN, TS_R_ESS_ADD_SIGNING_CERT_ERROR); - goto err; - } - - /* Add a new empty NID_id_smime_ct_TSTInfo encapsulated content. */ - if (!TS_TST_INFO_content_new(p7)) - goto err; - - /* Add the DER encoded tst_info to the PKCS7 structure. */ - if (!(p7bio = PKCS7_dataInit(p7, NULL))) { - TSerr(TS_F_TS_RESP_SIGN, ERR_R_MALLOC_FAILURE); - goto err; - } - - /* Convert tst_info to DER. */ - if (!i2d_TS_TST_INFO_bio(p7bio, ctx->tst_info)) { - TSerr(TS_F_TS_RESP_SIGN, TS_R_TS_DATASIGN); - goto err; - } - - /* Create the signature and add it to the signer info. */ - if (!PKCS7_dataFinal(p7, p7bio)) { - TSerr(TS_F_TS_RESP_SIGN, TS_R_TS_DATASIGN); - goto err; - } - - /* Set new PKCS7 and TST_INFO objects. */ - TS_RESP_set_tst_info(ctx->response, p7, ctx->tst_info); - p7 = NULL; /* Ownership is lost. */ - ctx->tst_info = NULL; /* Ownership is lost. */ - - ret = 1; - err: - if (!ret) - TS_RESP_CTX_set_status_info_cond(ctx, TS_STATUS_REJECTION, - "Error during signature " - "generation."); - BIO_free_all(p7bio); - ESS_SIGNING_CERT_free(sc); - PKCS7_free(p7); - return ret; -} - -static ESS_SIGNING_CERT *ESS_SIGNING_CERT_new_init(X509 *signcert, - STACK_OF(X509) *certs) -{ - ESS_CERT_ID *cid; - ESS_SIGNING_CERT *sc = NULL; - int i; - - /* Creating the ESS_CERT_ID stack. */ - if (!(sc = ESS_SIGNING_CERT_new())) - goto err; - if (!sc->cert_ids && !(sc->cert_ids = sk_ESS_CERT_ID_new_null())) - goto err; - - /* Adding the signing certificate id. */ - if (!(cid = ESS_CERT_ID_new_init(signcert, 0)) - || !sk_ESS_CERT_ID_push(sc->cert_ids, cid)) - goto err; - /* Adding the certificate chain ids. */ - for (i = 0; i < sk_X509_num(certs); ++i) { - X509 *cert = sk_X509_value(certs, i); - if (!(cid = ESS_CERT_ID_new_init(cert, 1)) - || !sk_ESS_CERT_ID_push(sc->cert_ids, cid)) - goto err; - } - - return sc; - err: - ESS_SIGNING_CERT_free(sc); - TSerr(TS_F_ESS_SIGNING_CERT_NEW_INIT, ERR_R_MALLOC_FAILURE); - return NULL; -} - -static ESS_CERT_ID *ESS_CERT_ID_new_init(X509 *cert, int issuer_needed) -{ - ESS_CERT_ID *cid = NULL; - GENERAL_NAME *name = NULL; - - /* Recompute SHA1 hash of certificate if necessary (side effect). */ - X509_check_purpose(cert, -1, 0); - - if (!(cid = ESS_CERT_ID_new())) - goto err; - if (!ASN1_OCTET_STRING_set(cid->hash, cert->sha1_hash, - sizeof(cert->sha1_hash))) - goto err; - - /* Setting the issuer/serial if requested. */ - if (issuer_needed) { - /* Creating issuer/serial structure. */ - if (!cid->issuer_serial - && !(cid->issuer_serial = ESS_ISSUER_SERIAL_new())) - goto err; - /* Creating general name from the certificate issuer. */ - if (!(name = GENERAL_NAME_new())) - goto err; - name->type = GEN_DIRNAME; - if (!(name->d.dirn = X509_NAME_dup(cert->cert_info->issuer))) - goto err; - if (!sk_GENERAL_NAME_push(cid->issuer_serial->issuer, name)) - goto err; - name = NULL; /* Ownership is lost. */ - /* Setting the serial number. */ - ASN1_INTEGER_free(cid->issuer_serial->serial); - if (!(cid->issuer_serial->serial = - ASN1_INTEGER_dup(cert->cert_info->serialNumber))) - goto err; - } - - return cid; - err: - GENERAL_NAME_free(name); - ESS_CERT_ID_free(cid); - TSerr(TS_F_ESS_CERT_ID_NEW_INIT, ERR_R_MALLOC_FAILURE); - return NULL; -} - -static int TS_TST_INFO_content_new(PKCS7 *p7) -{ - PKCS7 *ret = NULL; - ASN1_OCTET_STRING *octet_string = NULL; - - /* Create new encapsulated NID_id_smime_ct_TSTInfo content. */ - if (!(ret = PKCS7_new())) - goto err; - if (!(ret->d.other = ASN1_TYPE_new())) - goto err; - ret->type = OBJ_nid2obj(NID_id_smime_ct_TSTInfo); - if (!(octet_string = ASN1_OCTET_STRING_new())) - goto err; - ASN1_TYPE_set(ret->d.other, V_ASN1_OCTET_STRING, octet_string); - octet_string = NULL; - - /* Add encapsulated content to signed PKCS7 structure. */ - if (!PKCS7_set_content(p7, ret)) - goto err; - - return 1; - err: - ASN1_OCTET_STRING_free(octet_string); - PKCS7_free(ret); - return 0; -} - -static int ESS_add_signing_cert(PKCS7_SIGNER_INFO *si, ESS_SIGNING_CERT *sc) -{ - ASN1_STRING *seq = NULL; - unsigned char *p, *pp = NULL; - int len; - - len = i2d_ESS_SIGNING_CERT(sc, NULL); - if (!(pp = (unsigned char *)OPENSSL_malloc(len))) { - TSerr(TS_F_ESS_ADD_SIGNING_CERT, ERR_R_MALLOC_FAILURE); - goto err; - } - p = pp; - i2d_ESS_SIGNING_CERT(sc, &p); - if (!(seq = ASN1_STRING_new()) || !ASN1_STRING_set(seq, pp, len)) { - TSerr(TS_F_ESS_ADD_SIGNING_CERT, ERR_R_MALLOC_FAILURE); - goto err; - } - OPENSSL_free(pp); - pp = NULL; - return PKCS7_add_signed_attribute(si, - NID_id_smime_aa_signingCertificate, - V_ASN1_SEQUENCE, seq); - err: - ASN1_STRING_free(seq); - OPENSSL_free(pp); - - return 0; -} - -static ASN1_GENERALIZEDTIME -*TS_RESP_set_genTime_with_precision(ASN1_GENERALIZEDTIME *asn1_time, - long sec, long usec, unsigned precision) -{ - time_t time_sec = (time_t)sec; - struct tm *tm = NULL; - char genTime_str[17 + TS_MAX_CLOCK_PRECISION_DIGITS]; - char *p = genTime_str; - char *p_end = genTime_str + sizeof(genTime_str); - - if (precision > TS_MAX_CLOCK_PRECISION_DIGITS) - goto err; - - if (!(tm = gmtime(&time_sec))) - goto err; - - /* - * Put "genTime_str" in GeneralizedTime format. We work around the - * restrictions imposed by rfc3280 (i.e. "GeneralizedTime values MUST - * NOT include fractional seconds") and OpenSSL related functions to - * meet the rfc3161 requirement: "GeneralizedTime syntax can include - * fraction-of-second details". - */ - p += BIO_snprintf(p, p_end - p, - "%04d%02d%02d%02d%02d%02d", - tm->tm_year + 1900, tm->tm_mon + 1, tm->tm_mday, - tm->tm_hour, tm->tm_min, tm->tm_sec); - if (precision > 0) { - /* Add fraction of seconds (leave space for dot and null). */ - BIO_snprintf(p, 2 + precision, ".%06ld", usec); - /* - * We cannot use the snprintf return value, because it might have - * been truncated. - */ - p += strlen(p); - - /* - * To make things a bit harder, X.690 | ISO/IEC 8825-1 provides the - * following restrictions for a DER-encoding, which OpenSSL - * (specifically ASN1_GENERALIZEDTIME_check() function) doesn't - * support: "The encoding MUST terminate with a "Z" (which means - * "Zulu" time). The decimal point element, if present, MUST be the - * point option ".". The fractional-seconds elements, if present, - * MUST omit all trailing 0's; if the elements correspond to 0, they - * MUST be wholly omitted, and the decimal point element also MUST be - * omitted." - */ - /* - * Remove trailing zeros. The dot guarantees the exit condition of - * this loop even if all the digits are zero. - */ - while (*--p == '0') - /* - * empty - */ ; - /* p points to either the dot or the last non-zero digit. */ - if (*p != '.') - ++p; - } - /* Add the trailing Z and the terminating null. */ - *p++ = 'Z'; - *p++ = '\0'; - - /* Now call OpenSSL to check and set our genTime value */ - if (!asn1_time && !(asn1_time = M_ASN1_GENERALIZEDTIME_new())) - goto err; - if (!ASN1_GENERALIZEDTIME_set_string(asn1_time, genTime_str)) { - ASN1_GENERALIZEDTIME_free(asn1_time); - goto err; - } - - return asn1_time; - err: - TSerr(TS_F_TS_RESP_SET_GENTIME_WITH_PRECISION, TS_R_COULD_NOT_SET_TIME); - return NULL; -} diff --git a/Cryptlib/OpenSSL/crypto/ts/ts_rsp_utils.c b/Cryptlib/OpenSSL/crypto/ts/ts_rsp_utils.c deleted file mode 100644 index f6f63329..00000000 --- a/Cryptlib/OpenSSL/crypto/ts/ts_rsp_utils.c +++ /dev/null @@ -1,396 +0,0 @@ -/* crypto/ts/ts_resp_utils.c */ -/* - * Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL project - * 2002. - */ -/* ==================================================================== - * Copyright (c) 2006 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#include <stdio.h> -#include "cryptlib.h" -#include <openssl/objects.h> -#include <openssl/ts.h> -#include <openssl/pkcs7.h> - -/* Function definitions. */ - -int TS_RESP_set_status_info(TS_RESP *a, TS_STATUS_INFO *status_info) -{ - TS_STATUS_INFO *new_status_info; - - if (a->status_info == status_info) - return 1; - new_status_info = TS_STATUS_INFO_dup(status_info); - if (new_status_info == NULL) { - TSerr(TS_F_TS_RESP_SET_STATUS_INFO, ERR_R_MALLOC_FAILURE); - return 0; - } - TS_STATUS_INFO_free(a->status_info); - a->status_info = new_status_info; - - return 1; -} - -TS_STATUS_INFO *TS_RESP_get_status_info(TS_RESP *a) -{ - return a->status_info; -} - -/* Caller loses ownership of PKCS7 and TS_TST_INFO objects. */ -void TS_RESP_set_tst_info(TS_RESP *a, PKCS7 *p7, TS_TST_INFO *tst_info) -{ - /* Set new PKCS7 and TST_INFO objects. */ - PKCS7_free(a->token); - a->token = p7; - TS_TST_INFO_free(a->tst_info); - a->tst_info = tst_info; -} - -PKCS7 *TS_RESP_get_token(TS_RESP *a) -{ - return a->token; -} - -TS_TST_INFO *TS_RESP_get_tst_info(TS_RESP *a) -{ - return a->tst_info; -} - -int TS_TST_INFO_set_version(TS_TST_INFO *a, long version) -{ - return ASN1_INTEGER_set(a->version, version); -} - -long TS_TST_INFO_get_version(const TS_TST_INFO *a) -{ - return ASN1_INTEGER_get(a->version); -} - -int TS_TST_INFO_set_policy_id(TS_TST_INFO *a, ASN1_OBJECT *policy) -{ - ASN1_OBJECT *new_policy; - - if (a->policy_id == policy) - return 1; - new_policy = OBJ_dup(policy); - if (new_policy == NULL) { - TSerr(TS_F_TS_TST_INFO_SET_POLICY_ID, ERR_R_MALLOC_FAILURE); - return 0; - } - ASN1_OBJECT_free(a->policy_id); - a->policy_id = new_policy; - return 1; -} - -ASN1_OBJECT *TS_TST_INFO_get_policy_id(TS_TST_INFO *a) -{ - return a->policy_id; -} - -int TS_TST_INFO_set_msg_imprint(TS_TST_INFO *a, TS_MSG_IMPRINT *msg_imprint) -{ - TS_MSG_IMPRINT *new_msg_imprint; - - if (a->msg_imprint == msg_imprint) - return 1; - new_msg_imprint = TS_MSG_IMPRINT_dup(msg_imprint); - if (new_msg_imprint == NULL) { - TSerr(TS_F_TS_TST_INFO_SET_MSG_IMPRINT, ERR_R_MALLOC_FAILURE); - return 0; - } - TS_MSG_IMPRINT_free(a->msg_imprint); - a->msg_imprint = new_msg_imprint; - return 1; -} - -TS_MSG_IMPRINT *TS_TST_INFO_get_msg_imprint(TS_TST_INFO *a) -{ - return a->msg_imprint; -} - -int TS_TST_INFO_set_serial(TS_TST_INFO *a, const ASN1_INTEGER *serial) -{ - ASN1_INTEGER *new_serial; - - if (a->serial == serial) - return 1; - new_serial = ASN1_INTEGER_dup(serial); - if (new_serial == NULL) { - TSerr(TS_F_TS_TST_INFO_SET_SERIAL, ERR_R_MALLOC_FAILURE); - return 0; - } - ASN1_INTEGER_free(a->serial); - a->serial = new_serial; - return 1; -} - -const ASN1_INTEGER *TS_TST_INFO_get_serial(const TS_TST_INFO *a) -{ - return a->serial; -} - -int TS_TST_INFO_set_time(TS_TST_INFO *a, const ASN1_GENERALIZEDTIME *gtime) -{ - ASN1_GENERALIZEDTIME *new_time; - - if (a->time == gtime) - return 1; - new_time = M_ASN1_GENERALIZEDTIME_dup(gtime); - if (new_time == NULL) { - TSerr(TS_F_TS_TST_INFO_SET_TIME, ERR_R_MALLOC_FAILURE); - return 0; - } - ASN1_GENERALIZEDTIME_free(a->time); - a->time = new_time; - return 1; -} - -const ASN1_GENERALIZEDTIME *TS_TST_INFO_get_time(const TS_TST_INFO *a) -{ - return a->time; -} - -int TS_TST_INFO_set_accuracy(TS_TST_INFO *a, TS_ACCURACY *accuracy) -{ - TS_ACCURACY *new_accuracy; - - if (a->accuracy == accuracy) - return 1; - new_accuracy = TS_ACCURACY_dup(accuracy); - if (new_accuracy == NULL) { - TSerr(TS_F_TS_TST_INFO_SET_ACCURACY, ERR_R_MALLOC_FAILURE); - return 0; - } - TS_ACCURACY_free(a->accuracy); - a->accuracy = new_accuracy; - return 1; -} - -TS_ACCURACY *TS_TST_INFO_get_accuracy(TS_TST_INFO *a) -{ - return a->accuracy; -} - -int TS_ACCURACY_set_seconds(TS_ACCURACY *a, const ASN1_INTEGER *seconds) -{ - ASN1_INTEGER *new_seconds; - - if (a->seconds == seconds) - return 1; - new_seconds = ASN1_INTEGER_dup(seconds); - if (new_seconds == NULL) { - TSerr(TS_F_TS_ACCURACY_SET_SECONDS, ERR_R_MALLOC_FAILURE); - return 0; - } - ASN1_INTEGER_free(a->seconds); - a->seconds = new_seconds; - return 1; -} - -const ASN1_INTEGER *TS_ACCURACY_get_seconds(const TS_ACCURACY *a) -{ - return a->seconds; -} - -int TS_ACCURACY_set_millis(TS_ACCURACY *a, const ASN1_INTEGER *millis) -{ - ASN1_INTEGER *new_millis = NULL; - - if (a->millis == millis) - return 1; - if (millis != NULL) { - new_millis = ASN1_INTEGER_dup(millis); - if (new_millis == NULL) { - TSerr(TS_F_TS_ACCURACY_SET_MILLIS, ERR_R_MALLOC_FAILURE); - return 0; - } - } - ASN1_INTEGER_free(a->millis); - a->millis = new_millis; - return 1; -} - -const ASN1_INTEGER *TS_ACCURACY_get_millis(const TS_ACCURACY *a) -{ - return a->millis; -} - -int TS_ACCURACY_set_micros(TS_ACCURACY *a, const ASN1_INTEGER *micros) -{ - ASN1_INTEGER *new_micros = NULL; - - if (a->micros == micros) - return 1; - if (micros != NULL) { - new_micros = ASN1_INTEGER_dup(micros); - if (new_micros == NULL) { - TSerr(TS_F_TS_ACCURACY_SET_MICROS, ERR_R_MALLOC_FAILURE); - return 0; - } - } - ASN1_INTEGER_free(a->micros); - a->micros = new_micros; - return 1; -} - -const ASN1_INTEGER *TS_ACCURACY_get_micros(const TS_ACCURACY *a) -{ - return a->micros; -} - -int TS_TST_INFO_set_ordering(TS_TST_INFO *a, int ordering) -{ - a->ordering = ordering ? 0xFF : 0x00; - return 1; -} - -int TS_TST_INFO_get_ordering(const TS_TST_INFO *a) -{ - return a->ordering ? 1 : 0; -} - -int TS_TST_INFO_set_nonce(TS_TST_INFO *a, const ASN1_INTEGER *nonce) -{ - ASN1_INTEGER *new_nonce; - - if (a->nonce == nonce) - return 1; - new_nonce = ASN1_INTEGER_dup(nonce); - if (new_nonce == NULL) { - TSerr(TS_F_TS_TST_INFO_SET_NONCE, ERR_R_MALLOC_FAILURE); - return 0; - } - ASN1_INTEGER_free(a->nonce); - a->nonce = new_nonce; - return 1; -} - -const ASN1_INTEGER *TS_TST_INFO_get_nonce(const TS_TST_INFO *a) -{ - return a->nonce; -} - -int TS_TST_INFO_set_tsa(TS_TST_INFO *a, GENERAL_NAME *tsa) -{ - GENERAL_NAME *new_tsa; - - if (a->tsa == tsa) - return 1; - new_tsa = GENERAL_NAME_dup(tsa); - if (new_tsa == NULL) { - TSerr(TS_F_TS_TST_INFO_SET_TSA, ERR_R_MALLOC_FAILURE); - return 0; - } - GENERAL_NAME_free(a->tsa); - a->tsa = new_tsa; - return 1; -} - -GENERAL_NAME *TS_TST_INFO_get_tsa(TS_TST_INFO *a) -{ - return a->tsa; -} - -STACK_OF(X509_EXTENSION) *TS_TST_INFO_get_exts(TS_TST_INFO *a) -{ - return a->extensions; -} - -void TS_TST_INFO_ext_free(TS_TST_INFO *a) -{ - if (!a) - return; - sk_X509_EXTENSION_pop_free(a->extensions, X509_EXTENSION_free); - a->extensions = NULL; -} - -int TS_TST_INFO_get_ext_count(TS_TST_INFO *a) -{ - return X509v3_get_ext_count(a->extensions); -} - -int TS_TST_INFO_get_ext_by_NID(TS_TST_INFO *a, int nid, int lastpos) -{ - return X509v3_get_ext_by_NID(a->extensions, nid, lastpos); -} - -int TS_TST_INFO_get_ext_by_OBJ(TS_TST_INFO *a, ASN1_OBJECT *obj, int lastpos) -{ - return X509v3_get_ext_by_OBJ(a->extensions, obj, lastpos); -} - -int TS_TST_INFO_get_ext_by_critical(TS_TST_INFO *a, int crit, int lastpos) -{ - return X509v3_get_ext_by_critical(a->extensions, crit, lastpos); -} - -X509_EXTENSION *TS_TST_INFO_get_ext(TS_TST_INFO *a, int loc) -{ - return X509v3_get_ext(a->extensions, loc); -} - -X509_EXTENSION *TS_TST_INFO_delete_ext(TS_TST_INFO *a, int loc) -{ - return X509v3_delete_ext(a->extensions, loc); -} - -int TS_TST_INFO_add_ext(TS_TST_INFO *a, X509_EXTENSION *ex, int loc) -{ - return X509v3_add_ext(&a->extensions, ex, loc) != NULL; -} - -void *TS_TST_INFO_get_ext_d2i(TS_TST_INFO *a, int nid, int *crit, int *idx) -{ - return X509V3_get_d2i(a->extensions, nid, crit, idx); -} diff --git a/Cryptlib/OpenSSL/crypto/ts/ts_rsp_verify.c b/Cryptlib/OpenSSL/crypto/ts/ts_rsp_verify.c deleted file mode 100644 index 3ce765df..00000000 --- a/Cryptlib/OpenSSL/crypto/ts/ts_rsp_verify.c +++ /dev/null @@ -1,736 +0,0 @@ -/* crypto/ts/ts_resp_verify.c */ -/* - * Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL project - * 2002. - */ -/* ==================================================================== - * Copyright (c) 2006 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#include <stdio.h> -#include "cryptlib.h" -#include <openssl/objects.h> -#include <openssl/ts.h> -#include <openssl/pkcs7.h> - -/* Private function declarations. */ - -static int TS_verify_cert(X509_STORE *store, STACK_OF(X509) *untrusted, - X509 *signer, STACK_OF(X509) **chain); -static int TS_check_signing_certs(PKCS7_SIGNER_INFO *si, - STACK_OF(X509) *chain); -static ESS_SIGNING_CERT *ESS_get_signing_cert(PKCS7_SIGNER_INFO *si); -static int TS_find_cert(STACK_OF(ESS_CERT_ID) *cert_ids, X509 *cert); -static int TS_issuer_serial_cmp(ESS_ISSUER_SERIAL *is, X509_CINF *cinfo); -static int int_TS_RESP_verify_token(TS_VERIFY_CTX *ctx, - PKCS7 *token, TS_TST_INFO *tst_info); -static int TS_check_status_info(TS_RESP *response); -static char *TS_get_status_text(STACK_OF(ASN1_UTF8STRING) *text); -static int TS_check_policy(ASN1_OBJECT *req_oid, TS_TST_INFO *tst_info); -static int TS_compute_imprint(BIO *data, TS_TST_INFO *tst_info, - X509_ALGOR **md_alg, - unsigned char **imprint, unsigned *imprint_len); -static int TS_check_imprints(X509_ALGOR *algor_a, - unsigned char *imprint_a, unsigned len_a, - TS_TST_INFO *tst_info); -static int TS_check_nonces(const ASN1_INTEGER *a, TS_TST_INFO *tst_info); -static int TS_check_signer_name(GENERAL_NAME *tsa_name, X509 *signer); -static int TS_find_name(STACK_OF(GENERAL_NAME) *gen_names, - GENERAL_NAME *name); - -/* - * Local mapping between response codes and descriptions. - * Don't forget to change TS_STATUS_BUF_SIZE when modifying - * the elements of this array. - */ -static const char *TS_status_text[] = { "granted", - "grantedWithMods", - "rejection", - "waiting", - "revocationWarning", - "revocationNotification" -}; - -#define TS_STATUS_TEXT_SIZE (sizeof(TS_status_text)/sizeof(*TS_status_text)) - -/* - * This must be greater or equal to the sum of the strings in TS_status_text - * plus the number of its elements. - */ -#define TS_STATUS_BUF_SIZE 256 - -static struct { - int code; - const char *text; -} TS_failure_info[] = { - { - TS_INFO_BAD_ALG, "badAlg" - }, - { - TS_INFO_BAD_REQUEST, "badRequest" - }, - { - TS_INFO_BAD_DATA_FORMAT, "badDataFormat" - }, - { - TS_INFO_TIME_NOT_AVAILABLE, "timeNotAvailable" - }, - { - TS_INFO_UNACCEPTED_POLICY, "unacceptedPolicy" - }, - { - TS_INFO_UNACCEPTED_EXTENSION, "unacceptedExtension" - }, - { - TS_INFO_ADD_INFO_NOT_AVAILABLE, "addInfoNotAvailable" - }, - { - TS_INFO_SYSTEM_FAILURE, "systemFailure" - } -}; - -#define TS_FAILURE_INFO_SIZE (sizeof(TS_failure_info) / \ - sizeof(*TS_failure_info)) - -/* Functions for verifying a signed TS_TST_INFO structure. */ - -/*- - * This function carries out the following tasks: - * - Checks if there is one and only one signer. - * - Search for the signing certificate in 'certs' and in the response. - * - Check the extended key usage and key usage fields of the signer - * certificate (done by the path validation). - * - Build and validate the certificate path. - * - Check if the certificate path meets the requirements of the - * SigningCertificate ESS signed attribute. - * - Verify the signature value. - * - Returns the signer certificate in 'signer', if 'signer' is not NULL. - */ -int TS_RESP_verify_signature(PKCS7 *token, STACK_OF(X509) *certs, - X509_STORE *store, X509 **signer_out) -{ - STACK_OF(PKCS7_SIGNER_INFO) *sinfos = NULL; - PKCS7_SIGNER_INFO *si; - STACK_OF(X509) *signers = NULL; - X509 *signer; - STACK_OF(X509) *chain = NULL; - char buf[4096]; - int i, j = 0, ret = 0; - BIO *p7bio = NULL; - - /* Some sanity checks first. */ - if (!token) { - TSerr(TS_F_TS_RESP_VERIFY_SIGNATURE, TS_R_INVALID_NULL_POINTER); - goto err; - } - - /* Check for the correct content type */ - if (!PKCS7_type_is_signed(token)) { - TSerr(TS_F_TS_RESP_VERIFY_SIGNATURE, TS_R_WRONG_CONTENT_TYPE); - goto err; - } - - /* Check if there is one and only one signer. */ - sinfos = PKCS7_get_signer_info(token); - if (!sinfos || sk_PKCS7_SIGNER_INFO_num(sinfos) != 1) { - TSerr(TS_F_TS_RESP_VERIFY_SIGNATURE, TS_R_THERE_MUST_BE_ONE_SIGNER); - goto err; - } - si = sk_PKCS7_SIGNER_INFO_value(sinfos, 0); - - /* Check for no content: no data to verify signature. */ - if (PKCS7_get_detached(token)) { - TSerr(TS_F_TS_RESP_VERIFY_SIGNATURE, TS_R_NO_CONTENT); - goto err; - } - - /* - * Get hold of the signer certificate, search only internal certificates - * if it was requested. - */ - signers = PKCS7_get0_signers(token, certs, 0); - if (!signers || sk_X509_num(signers) != 1) - goto err; - signer = sk_X509_value(signers, 0); - - /* Now verify the certificate. */ - if (!TS_verify_cert(store, certs, signer, &chain)) - goto err; - - /* - * Check if the signer certificate is consistent with the ESS extension. - */ - if (!TS_check_signing_certs(si, chain)) - goto err; - - /* Creating the message digest. */ - p7bio = PKCS7_dataInit(token, NULL); - - /* We now have to 'read' from p7bio to calculate digests etc. */ - while ((i = BIO_read(p7bio, buf, sizeof(buf))) > 0) ; - - /* Verifying the signature. */ - j = PKCS7_signatureVerify(p7bio, token, si, signer); - if (j <= 0) { - TSerr(TS_F_TS_RESP_VERIFY_SIGNATURE, TS_R_SIGNATURE_FAILURE); - goto err; - } - - /* Return the signer certificate if needed. */ - if (signer_out) { - *signer_out = signer; - CRYPTO_add(&signer->references, 1, CRYPTO_LOCK_X509); - } - - ret = 1; - - err: - BIO_free_all(p7bio); - sk_X509_pop_free(chain, X509_free); - sk_X509_free(signers); - - return ret; -} - -/* - * The certificate chain is returned in chain. Caller is responsible for - * freeing the vector. - */ -static int TS_verify_cert(X509_STORE *store, STACK_OF(X509) *untrusted, - X509 *signer, STACK_OF(X509) **chain) -{ - X509_STORE_CTX cert_ctx; - int i; - int ret = 1; - - /* chain is an out argument. */ - *chain = NULL; - X509_STORE_CTX_init(&cert_ctx, store, signer, untrusted); - X509_STORE_CTX_set_purpose(&cert_ctx, X509_PURPOSE_TIMESTAMP_SIGN); - i = X509_verify_cert(&cert_ctx); - if (i <= 0) { - int j = X509_STORE_CTX_get_error(&cert_ctx); - TSerr(TS_F_TS_VERIFY_CERT, TS_R_CERTIFICATE_VERIFY_ERROR); - ERR_add_error_data(2, "Verify error:", - X509_verify_cert_error_string(j)); - ret = 0; - } else { - /* Get a copy of the certificate chain. */ - *chain = X509_STORE_CTX_get1_chain(&cert_ctx); - } - - X509_STORE_CTX_cleanup(&cert_ctx); - - return ret; -} - -static int TS_check_signing_certs(PKCS7_SIGNER_INFO *si, - STACK_OF(X509) *chain) -{ - ESS_SIGNING_CERT *ss = ESS_get_signing_cert(si); - STACK_OF(ESS_CERT_ID) *cert_ids = NULL; - X509 *cert; - int i = 0; - int ret = 0; - - if (!ss) - goto err; - cert_ids = ss->cert_ids; - /* The signer certificate must be the first in cert_ids. */ - cert = sk_X509_value(chain, 0); - if (TS_find_cert(cert_ids, cert) != 0) - goto err; - - /* - * Check the other certificates of the chain if there are more than one - * certificate ids in cert_ids. - */ - if (sk_ESS_CERT_ID_num(cert_ids) > 1) { - /* All the certificates of the chain must be in cert_ids. */ - for (i = 1; i < sk_X509_num(chain); ++i) { - cert = sk_X509_value(chain, i); - if (TS_find_cert(cert_ids, cert) < 0) - goto err; - } - } - ret = 1; - err: - if (!ret) - TSerr(TS_F_TS_CHECK_SIGNING_CERTS, - TS_R_ESS_SIGNING_CERTIFICATE_ERROR); - ESS_SIGNING_CERT_free(ss); - return ret; -} - -static ESS_SIGNING_CERT *ESS_get_signing_cert(PKCS7_SIGNER_INFO *si) -{ - ASN1_TYPE *attr; - const unsigned char *p; - attr = PKCS7_get_signed_attribute(si, NID_id_smime_aa_signingCertificate); - if (!attr) - return NULL; - p = attr->value.sequence->data; - return d2i_ESS_SIGNING_CERT(NULL, &p, attr->value.sequence->length); -} - -/* Returns < 0 if certificate is not found, certificate index otherwise. */ -static int TS_find_cert(STACK_OF(ESS_CERT_ID) *cert_ids, X509 *cert) -{ - int i; - - if (!cert_ids || !cert) - return -1; - - /* Recompute SHA1 hash of certificate if necessary (side effect). */ - X509_check_purpose(cert, -1, 0); - - /* Look for cert in the cert_ids vector. */ - for (i = 0; i < sk_ESS_CERT_ID_num(cert_ids); ++i) { - ESS_CERT_ID *cid = sk_ESS_CERT_ID_value(cert_ids, i); - - /* Check the SHA-1 hash first. */ - if (cid->hash->length == sizeof(cert->sha1_hash) - && !memcmp(cid->hash->data, cert->sha1_hash, - sizeof(cert->sha1_hash))) { - /* Check the issuer/serial as well if specified. */ - ESS_ISSUER_SERIAL *is = cid->issuer_serial; - if (!is || !TS_issuer_serial_cmp(is, cert->cert_info)) - return i; - } - } - - return -1; -} - -static int TS_issuer_serial_cmp(ESS_ISSUER_SERIAL *is, X509_CINF *cinfo) -{ - GENERAL_NAME *issuer; - - if (!is || !cinfo || sk_GENERAL_NAME_num(is->issuer) != 1) - return -1; - - /* Check the issuer first. It must be a directory name. */ - issuer = sk_GENERAL_NAME_value(is->issuer, 0); - if (issuer->type != GEN_DIRNAME - || X509_NAME_cmp(issuer->d.dirn, cinfo->issuer)) - return -1; - - /* Check the serial number, too. */ - if (ASN1_INTEGER_cmp(is->serial, cinfo->serialNumber)) - return -1; - - return 0; -} - -/*- - * Verifies whether 'response' contains a valid response with regards - * to the settings of the context: - * - Gives an error message if the TS_TST_INFO is not present. - * - Calls _TS_RESP_verify_token to verify the token content. - */ -int TS_RESP_verify_response(TS_VERIFY_CTX *ctx, TS_RESP *response) -{ - PKCS7 *token = TS_RESP_get_token(response); - TS_TST_INFO *tst_info = TS_RESP_get_tst_info(response); - int ret = 0; - - /* Check if we have a successful TS_TST_INFO object in place. */ - if (!TS_check_status_info(response)) - goto err; - - /* Check the contents of the time stamp token. */ - if (!int_TS_RESP_verify_token(ctx, token, tst_info)) - goto err; - - ret = 1; - err: - return ret; -} - -/* - * Tries to extract a TS_TST_INFO structure from the PKCS7 token and - * calls the internal int_TS_RESP_verify_token function for verifying it. - */ -int TS_RESP_verify_token(TS_VERIFY_CTX *ctx, PKCS7 *token) -{ - TS_TST_INFO *tst_info = PKCS7_to_TS_TST_INFO(token); - int ret = 0; - if (tst_info) { - ret = int_TS_RESP_verify_token(ctx, token, tst_info); - TS_TST_INFO_free(tst_info); - } - return ret; -} - -/*- - * Verifies whether the 'token' contains a valid time stamp token - * with regards to the settings of the context. Only those checks are - * carried out that are specified in the context: - * - Verifies the signature of the TS_TST_INFO. - * - Checks the version number of the response. - * - Check if the requested and returned policies math. - * - Check if the message imprints are the same. - * - Check if the nonces are the same. - * - Check if the TSA name matches the signer. - * - Check if the TSA name is the expected TSA. - */ -static int int_TS_RESP_verify_token(TS_VERIFY_CTX *ctx, - PKCS7 *token, TS_TST_INFO *tst_info) -{ - X509 *signer = NULL; - GENERAL_NAME *tsa_name = TS_TST_INFO_get_tsa(tst_info); - X509_ALGOR *md_alg = NULL; - unsigned char *imprint = NULL; - unsigned imprint_len = 0; - int ret = 0; - - /* Verify the signature. */ - if ((ctx->flags & TS_VFY_SIGNATURE) - && !TS_RESP_verify_signature(token, ctx->certs, ctx->store, &signer)) - goto err; - - /* Check version number of response. */ - if ((ctx->flags & TS_VFY_VERSION) - && TS_TST_INFO_get_version(tst_info) != 1) { - TSerr(TS_F_INT_TS_RESP_VERIFY_TOKEN, TS_R_UNSUPPORTED_VERSION); - goto err; - } - - /* Check policies. */ - if ((ctx->flags & TS_VFY_POLICY) - && !TS_check_policy(ctx->policy, tst_info)) - goto err; - - /* Check message imprints. */ - if ((ctx->flags & TS_VFY_IMPRINT) - && !TS_check_imprints(ctx->md_alg, ctx->imprint, ctx->imprint_len, - tst_info)) - goto err; - - /* Compute and check message imprints. */ - if ((ctx->flags & TS_VFY_DATA) - && (!TS_compute_imprint(ctx->data, tst_info, - &md_alg, &imprint, &imprint_len) - || !TS_check_imprints(md_alg, imprint, imprint_len, tst_info))) - goto err; - - /* Check nonces. */ - if ((ctx->flags & TS_VFY_NONCE) - && !TS_check_nonces(ctx->nonce, tst_info)) - goto err; - - /* Check whether TSA name and signer certificate match. */ - if ((ctx->flags & TS_VFY_SIGNER) - && tsa_name && !TS_check_signer_name(tsa_name, signer)) { - TSerr(TS_F_INT_TS_RESP_VERIFY_TOKEN, TS_R_TSA_NAME_MISMATCH); - goto err; - } - - /* Check whether the TSA is the expected one. */ - if ((ctx->flags & TS_VFY_TSA_NAME) - && !TS_check_signer_name(ctx->tsa_name, signer)) { - TSerr(TS_F_INT_TS_RESP_VERIFY_TOKEN, TS_R_TSA_UNTRUSTED); - goto err; - } - - ret = 1; - err: - X509_free(signer); - X509_ALGOR_free(md_alg); - OPENSSL_free(imprint); - return ret; -} - -static int TS_check_status_info(TS_RESP *response) -{ - TS_STATUS_INFO *info = TS_RESP_get_status_info(response); - long status = ASN1_INTEGER_get(info->status); - const char *status_text = NULL; - char *embedded_status_text = NULL; - char failure_text[TS_STATUS_BUF_SIZE] = ""; - - /* Check if everything went fine. */ - if (status == 0 || status == 1) - return 1; - - /* There was an error, get the description in status_text. */ - if (0 <= status && status < (long)TS_STATUS_TEXT_SIZE) - status_text = TS_status_text[status]; - else - status_text = "unknown code"; - - /* Set the embedded_status_text to the returned description. */ - if (sk_ASN1_UTF8STRING_num(info->text) > 0 - && !(embedded_status_text = TS_get_status_text(info->text))) - return 0; - - /* Filling in failure_text with the failure information. */ - if (info->failure_info) { - int i; - int first = 1; - for (i = 0; i < (int)TS_FAILURE_INFO_SIZE; ++i) { - if (ASN1_BIT_STRING_get_bit(info->failure_info, - TS_failure_info[i].code)) { - if (!first) - strcpy(failure_text, ","); - else - first = 0; - strcat(failure_text, TS_failure_info[i].text); - } - } - } - if (failure_text[0] == '\0') - strcpy(failure_text, "unspecified"); - - /* Making up the error string. */ - TSerr(TS_F_TS_CHECK_STATUS_INFO, TS_R_NO_TIME_STAMP_TOKEN); - ERR_add_error_data(6, - "status code: ", status_text, - ", status text: ", embedded_status_text ? - embedded_status_text : "unspecified", - ", failure codes: ", failure_text); - OPENSSL_free(embedded_status_text); - - return 0; -} - -static char *TS_get_status_text(STACK_OF(ASN1_UTF8STRING) *text) -{ - int i; - unsigned int length = 0; - char *result = NULL; - char *p; - - /* Determine length first. */ - for (i = 0; i < sk_ASN1_UTF8STRING_num(text); ++i) { - ASN1_UTF8STRING *current = sk_ASN1_UTF8STRING_value(text, i); - length += ASN1_STRING_length(current); - length += 1; /* separator character */ - } - /* Allocate memory (closing '\0' included). */ - if (!(result = OPENSSL_malloc(length))) { - TSerr(TS_F_TS_GET_STATUS_TEXT, ERR_R_MALLOC_FAILURE); - return NULL; - } - /* Concatenate the descriptions. */ - for (i = 0, p = result; i < sk_ASN1_UTF8STRING_num(text); ++i) { - ASN1_UTF8STRING *current = sk_ASN1_UTF8STRING_value(text, i); - length = ASN1_STRING_length(current); - if (i > 0) - *p++ = '/'; - strncpy(p, (const char *)ASN1_STRING_data(current), length); - p += length; - } - /* We do have space for this, too. */ - *p = '\0'; - - return result; -} - -static int TS_check_policy(ASN1_OBJECT *req_oid, TS_TST_INFO *tst_info) -{ - ASN1_OBJECT *resp_oid = TS_TST_INFO_get_policy_id(tst_info); - - if (OBJ_cmp(req_oid, resp_oid) != 0) { - TSerr(TS_F_TS_CHECK_POLICY, TS_R_POLICY_MISMATCH); - return 0; - } - - return 1; -} - -static int TS_compute_imprint(BIO *data, TS_TST_INFO *tst_info, - X509_ALGOR **md_alg, - unsigned char **imprint, unsigned *imprint_len) -{ - TS_MSG_IMPRINT *msg_imprint = TS_TST_INFO_get_msg_imprint(tst_info); - X509_ALGOR *md_alg_resp = TS_MSG_IMPRINT_get_algo(msg_imprint); - const EVP_MD *md; - EVP_MD_CTX md_ctx; - unsigned char buffer[4096]; - int length; - - *md_alg = NULL; - *imprint = NULL; - - /* Return the MD algorithm of the response. */ - if (!(*md_alg = X509_ALGOR_dup(md_alg_resp))) - goto err; - - /* Getting the MD object. */ - if (!(md = EVP_get_digestbyobj((*md_alg)->algorithm))) { - TSerr(TS_F_TS_COMPUTE_IMPRINT, TS_R_UNSUPPORTED_MD_ALGORITHM); - goto err; - } - - /* Compute message digest. */ - length = EVP_MD_size(md); - if (length < 0) - goto err; - *imprint_len = length; - if (!(*imprint = OPENSSL_malloc(*imprint_len))) { - TSerr(TS_F_TS_COMPUTE_IMPRINT, ERR_R_MALLOC_FAILURE); - goto err; - } - - if (!EVP_DigestInit(&md_ctx, md)) - goto err; - while ((length = BIO_read(data, buffer, sizeof(buffer))) > 0) { - if (!EVP_DigestUpdate(&md_ctx, buffer, length)) - goto err; - } - if (!EVP_DigestFinal(&md_ctx, *imprint, NULL)) - goto err; - - return 1; - err: - X509_ALGOR_free(*md_alg); - OPENSSL_free(*imprint); - *imprint_len = 0; - *imprint = 0; - return 0; -} - -static int TS_check_imprints(X509_ALGOR *algor_a, - unsigned char *imprint_a, unsigned len_a, - TS_TST_INFO *tst_info) -{ - TS_MSG_IMPRINT *b = TS_TST_INFO_get_msg_imprint(tst_info); - X509_ALGOR *algor_b = TS_MSG_IMPRINT_get_algo(b); - int ret = 0; - - /* algor_a is optional. */ - if (algor_a) { - /* Compare algorithm OIDs. */ - if (OBJ_cmp(algor_a->algorithm, algor_b->algorithm)) - goto err; - - /* The parameter must be NULL in both. */ - if ((algor_a->parameter - && ASN1_TYPE_get(algor_a->parameter) != V_ASN1_NULL) - || (algor_b->parameter - && ASN1_TYPE_get(algor_b->parameter) != V_ASN1_NULL)) - goto err; - } - - /* Compare octet strings. */ - ret = len_a == (unsigned)ASN1_STRING_length(b->hashed_msg) && - memcmp(imprint_a, ASN1_STRING_data(b->hashed_msg), len_a) == 0; - err: - if (!ret) - TSerr(TS_F_TS_CHECK_IMPRINTS, TS_R_MESSAGE_IMPRINT_MISMATCH); - return ret; -} - -static int TS_check_nonces(const ASN1_INTEGER *a, TS_TST_INFO *tst_info) -{ - const ASN1_INTEGER *b = TS_TST_INFO_get_nonce(tst_info); - - /* Error if nonce is missing. */ - if (!b) { - TSerr(TS_F_TS_CHECK_NONCES, TS_R_NONCE_NOT_RETURNED); - return 0; - } - - /* No error if a nonce is returned without being requested. */ - if (ASN1_INTEGER_cmp(a, b) != 0) { - TSerr(TS_F_TS_CHECK_NONCES, TS_R_NONCE_MISMATCH); - return 0; - } - - return 1; -} - -/* - * Check if the specified TSA name matches either the subject or one of the - * subject alternative names of the TSA certificate. - */ -static int TS_check_signer_name(GENERAL_NAME *tsa_name, X509 *signer) -{ - STACK_OF(GENERAL_NAME) *gen_names = NULL; - int idx = -1; - int found = 0; - - /* Check the subject name first. */ - if (tsa_name->type == GEN_DIRNAME - && X509_name_cmp(tsa_name->d.dirn, signer->cert_info->subject) == 0) - return 1; - - /* Check all the alternative names. */ - gen_names = X509_get_ext_d2i(signer, NID_subject_alt_name, NULL, &idx); - while (gen_names != NULL - && !(found = TS_find_name(gen_names, tsa_name) >= 0)) { - /* - * Get the next subject alternative name, although there should be no - * more than one. - */ - GENERAL_NAMES_free(gen_names); - gen_names = X509_get_ext_d2i(signer, NID_subject_alt_name, - NULL, &idx); - } - if (gen_names) - GENERAL_NAMES_free(gen_names); - - return found; -} - -/* Returns 1 if name is in gen_names, 0 otherwise. */ -static int TS_find_name(STACK_OF(GENERAL_NAME) *gen_names, GENERAL_NAME *name) -{ - int i, found; - for (i = 0, found = 0; !found && i < sk_GENERAL_NAME_num(gen_names); ++i) { - GENERAL_NAME *current = sk_GENERAL_NAME_value(gen_names, i); - found = GENERAL_NAME_cmp(current, name) == 0; - } - return found ? i - 1 : -1; -} diff --git a/Cryptlib/OpenSSL/crypto/ts/ts_verify_ctx.c b/Cryptlib/OpenSSL/crypto/ts/ts_verify_ctx.c deleted file mode 100644 index 3e6fcb57..00000000 --- a/Cryptlib/OpenSSL/crypto/ts/ts_verify_ctx.c +++ /dev/null @@ -1,162 +0,0 @@ -/* crypto/ts/ts_verify_ctx.c */ -/* - * Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL project - * 2003. - */ -/* ==================================================================== - * Copyright (c) 2006 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#include "cryptlib.h" -#include <openssl/objects.h> -#include <openssl/ts.h> - -TS_VERIFY_CTX *TS_VERIFY_CTX_new(void) -{ - TS_VERIFY_CTX *ctx = - (TS_VERIFY_CTX *)OPENSSL_malloc(sizeof(TS_VERIFY_CTX)); - if (ctx) - memset(ctx, 0, sizeof(TS_VERIFY_CTX)); - else - TSerr(TS_F_TS_VERIFY_CTX_NEW, ERR_R_MALLOC_FAILURE); - return ctx; -} - -void TS_VERIFY_CTX_init(TS_VERIFY_CTX *ctx) -{ - OPENSSL_assert(ctx != NULL); - memset(ctx, 0, sizeof(TS_VERIFY_CTX)); -} - -void TS_VERIFY_CTX_free(TS_VERIFY_CTX *ctx) -{ - if (!ctx) - return; - - TS_VERIFY_CTX_cleanup(ctx); - OPENSSL_free(ctx); -} - -void TS_VERIFY_CTX_cleanup(TS_VERIFY_CTX *ctx) -{ - if (!ctx) - return; - - X509_STORE_free(ctx->store); - sk_X509_pop_free(ctx->certs, X509_free); - - ASN1_OBJECT_free(ctx->policy); - - X509_ALGOR_free(ctx->md_alg); - OPENSSL_free(ctx->imprint); - - BIO_free_all(ctx->data); - - ASN1_INTEGER_free(ctx->nonce); - - GENERAL_NAME_free(ctx->tsa_name); - - TS_VERIFY_CTX_init(ctx); -} - -TS_VERIFY_CTX *TS_REQ_to_TS_VERIFY_CTX(TS_REQ *req, TS_VERIFY_CTX *ctx) -{ - TS_VERIFY_CTX *ret = ctx; - ASN1_OBJECT *policy; - TS_MSG_IMPRINT *imprint; - X509_ALGOR *md_alg; - ASN1_OCTET_STRING *msg; - const ASN1_INTEGER *nonce; - - OPENSSL_assert(req != NULL); - if (ret) - TS_VERIFY_CTX_cleanup(ret); - else if (!(ret = TS_VERIFY_CTX_new())) - return NULL; - - /* Setting flags. */ - ret->flags = TS_VFY_ALL_IMPRINT & ~(TS_VFY_TSA_NAME | TS_VFY_SIGNATURE); - - /* Setting policy. */ - if ((policy = TS_REQ_get_policy_id(req)) != NULL) { - if (!(ret->policy = OBJ_dup(policy))) - goto err; - } else - ret->flags &= ~TS_VFY_POLICY; - - /* Setting md_alg, imprint and imprint_len. */ - imprint = TS_REQ_get_msg_imprint(req); - md_alg = TS_MSG_IMPRINT_get_algo(imprint); - if (!(ret->md_alg = X509_ALGOR_dup(md_alg))) - goto err; - msg = TS_MSG_IMPRINT_get_msg(imprint); - ret->imprint_len = ASN1_STRING_length(msg); - if (!(ret->imprint = OPENSSL_malloc(ret->imprint_len))) - goto err; - memcpy(ret->imprint, ASN1_STRING_data(msg), ret->imprint_len); - - /* Setting nonce. */ - if ((nonce = TS_REQ_get_nonce(req)) != NULL) { - if (!(ret->nonce = ASN1_INTEGER_dup(nonce))) - goto err; - } else - ret->flags &= ~TS_VFY_NONCE; - - return ret; - err: - if (ctx) - TS_VERIFY_CTX_cleanup(ctx); - else - TS_VERIFY_CTX_free(ret); - return NULL; -} diff --git a/Cryptlib/OpenSSL/crypto/x509/x509_lu.c b/Cryptlib/OpenSSL/crypto/x509/x509_lu.c index b0d65390..50120a4d 100644 --- a/Cryptlib/OpenSSL/crypto/x509/x509_lu.c +++ b/Cryptlib/OpenSSL/crypto/x509/x509_lu.c @@ -536,8 +536,6 @@ STACK_OF(X509_CRL) *X509_STORE_get1_crls(X509_STORE_CTX *ctx, X509_NAME *nm) X509_OBJECT *obj, xobj; sk = sk_X509_CRL_new_null(); CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE); - /* Check cache first */ - idx = x509_object_idx_cnt(ctx->ctx->objs, X509_LU_CRL, nm, &cnt); /* * Always do lookup to possibly add new CRLs to cache diff --git a/Cryptlib/OpenSSL/crypto/x509/x509_vfy.c b/Cryptlib/OpenSSL/crypto/x509/x509_vfy.c index c085c134..259bc065 100644 --- a/Cryptlib/OpenSSL/crypto/x509/x509_vfy.c +++ b/Cryptlib/OpenSSL/crypto/x509/x509_vfy.c @@ -249,7 +249,7 @@ int X509_verify_cert(X509_STORE_CTX *ctx) if (ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST) { ok = ctx->get_issuer(&xtmp, ctx, x); if (ok < 0) - return ok; + goto end; /* * If successful for now free up cert so it will be picked up * again later. @@ -347,14 +347,15 @@ int X509_verify_cert(X509_STORE_CTX *ctx) ok = ctx->get_issuer(&xtmp, ctx, x); if (ok < 0) - return ok; + goto end; if (ok == 0) break; x = xtmp; if (!sk_X509_push(ctx->chain, x)) { X509_free(xtmp); X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE); - return 0; + ok = 0; + goto end; } num++; } @@ -752,6 +753,10 @@ static int check_hosts(X509 *x, X509_VERIFY_PARAM_ID *id) int n = sk_OPENSSL_STRING_num(id->hosts); char *name; + if (id->peername != NULL) { + OPENSSL_free(id->peername); + id->peername = NULL; + } for (i = 0; i < n; ++i) { name = sk_OPENSSL_STRING_value(id->hosts, i); if (X509_check_host(x, name, 0, id->hostflags, &id->peername) > 0) @@ -935,6 +940,8 @@ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify) ctx->current_crl = crl; if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME) ptime = &ctx->param->check_time; + else if (ctx->param->flags & X509_V_FLAG_NO_CHECK_TIME) + return 1; else ptime = NULL; @@ -1653,15 +1660,13 @@ static int check_policy(X509_STORE_CTX *ctx) static int check_cert_time(X509_STORE_CTX *ctx, X509 *x) { -#ifdef OPENSSL_SYS_UEFI - /* Bypass Certificate Time Checking for UEFI version. */ - return 1; -#else time_t *ptime; int i; if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME) ptime = &ctx->param->check_time; + else if (ctx->param->flags & X509_V_FLAG_NO_CHECK_TIME) + return 1; else ptime = NULL; @@ -1696,7 +1701,6 @@ static int check_cert_time(X509_STORE_CTX *ctx, X509 *x) } return 1; -#endif } static int internal_verify(X509_STORE_CTX *ctx) diff --git a/Cryptlib/OpenSSL/crypto/x509/x509_vpm.c b/Cryptlib/OpenSSL/crypto/x509/x509_vpm.c index 1ea0c69f..592a8a5f 100644 --- a/Cryptlib/OpenSSL/crypto/x509/x509_vpm.c +++ b/Cryptlib/OpenSSL/crypto/x509/x509_vpm.c @@ -155,6 +155,7 @@ static void x509_verify_param_zero(X509_VERIFY_PARAM *param) } if (paramid->peername) OPENSSL_free(paramid->peername); + paramid->peername = NULL; if (paramid->email) { OPENSSL_free(paramid->email); paramid->email = NULL; @@ -165,7 +166,6 @@ static void x509_verify_param_zero(X509_VERIFY_PARAM *param) paramid->ip = NULL; paramid->iplen = 0; } - } X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void) @@ -176,13 +176,20 @@ X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void) param = OPENSSL_malloc(sizeof *param); if (!param) return NULL; - paramid = OPENSSL_malloc(sizeof *paramid); + memset(param, 0, sizeof(*param)); + + paramid = OPENSSL_malloc(sizeof(*paramid)); if (!paramid) { OPENSSL_free(param); return NULL; } - memset(param, 0, sizeof *param); - memset(paramid, 0, sizeof *paramid); + memset(paramid, 0, sizeof(*paramid)); + /* Exotic platforms may have non-zero bit representation of NULL */ + paramid->hosts = NULL; + paramid->peername = NULL; + paramid->email = NULL; + paramid->ip = NULL; + param->id = paramid; x509_verify_param_zero(param); return param; diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_cpols.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_cpols.c index 0febc1b3..d97f6226 100644 --- a/Cryptlib/OpenSSL/crypto/x509v3/v3_cpols.c +++ b/Cryptlib/OpenSSL/crypto/x509v3/v3_cpols.c @@ -186,6 +186,10 @@ static STACK_OF(POLICYINFO) *r2i_certpol(X509V3_EXT_METHOD *method, goto err; } pol = POLICYINFO_new(); + if (pol == NULL) { + X509V3err(X509V3_F_R2I_CERTPOL, ERR_R_MALLOC_FAILURE); + goto err; + } pol->policyid = pobj; } if (!sk_POLICYINFO_push(pols, pol)) { diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_ncons.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_ncons.c index b97ed271..28552696 100644 --- a/Cryptlib/OpenSSL/crypto/x509v3/v3_ncons.c +++ b/Cryptlib/OpenSSL/crypto/x509v3/v3_ncons.c @@ -132,6 +132,8 @@ static void *v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method, } tval.value = val->value; sub = GENERAL_SUBTREE_new(); + if (sub == NULL) + goto memerr; if (!v2i_GENERAL_NAME_ex(sub->base, method, ctx, &tval, 1)) goto err; if (!*ptree) diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_pci.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_pci.c index fe0d8063..48ac0959 100644 --- a/Cryptlib/OpenSSL/crypto/x509v3/v3_pci.c +++ b/Cryptlib/OpenSSL/crypto/x509v3/v3_pci.c @@ -3,7 +3,7 @@ * Contributed to the OpenSSL Project 2004 by Richard Levitte * (richard@levitte.org) */ -/* Copyright (c) 2004 Kungliga Tekniska Högskolan +/* Copyright (c) 2004 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_pcia.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_pcia.c index 350b3988..43fd362a 100644 --- a/Cryptlib/OpenSSL/crypto/x509v3/v3_pcia.c +++ b/Cryptlib/OpenSSL/crypto/x509v3/v3_pcia.c @@ -3,7 +3,7 @@ * Contributed to the OpenSSL Project 2004 by Richard Levitte * (richard@levitte.org) */ -/* Copyright (c) 2004 Kungliga Tekniska Högskolan +/* Copyright (c) 2004 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_purp.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_purp.c index 36b0d87a..845be673 100644 --- a/Cryptlib/OpenSSL/crypto/x509v3/v3_purp.c +++ b/Cryptlib/OpenSSL/crypto/x509v3/v3_purp.c @@ -380,6 +380,14 @@ static void setup_crldp(X509 *x) setup_dp(x, sk_DIST_POINT_value(x->crldp, i)); } +#define V1_ROOT (EXFLAG_V1|EXFLAG_SS) +#define ku_reject(x, usage) \ + (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage))) +#define xku_reject(x, usage) \ + (((x)->ex_flags & EXFLAG_XKUSAGE) && !((x)->ex_xkusage & (usage))) +#define ns_reject(x, usage) \ + (((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage))) + static void x509v3_cache_extensions(X509 *x) { BASIC_CONSTRAINTS *bs; @@ -499,7 +507,8 @@ static void x509v3_cache_extensions(X509 *x) if (!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x))) { x->ex_flags |= EXFLAG_SI; /* If SKID matches AKID also indicate self signed */ - if (X509_check_akid(x, x->akid) == X509_V_OK) + if (X509_check_akid(x, x->akid) == X509_V_OK && + !ku_reject(x, KU_KEY_CERT_SIGN)) x->ex_flags |= EXFLAG_SS; } x->altname = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL); @@ -538,14 +547,6 @@ static void x509v3_cache_extensions(X509 *x) * 4 basicConstraints absent but keyUsage present and keyCertSign asserted. */ -#define V1_ROOT (EXFLAG_V1|EXFLAG_SS) -#define ku_reject(x, usage) \ - (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage))) -#define xku_reject(x, usage) \ - (((x)->ex_flags & EXFLAG_XKUSAGE) && !((x)->ex_xkusage & (usage))) -#define ns_reject(x, usage) \ - (((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage))) - static int check_ca(const X509 *x) { /* keyUsage if present should allow cert signing */ diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_utl.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_utl.c index bdd7b95f..4d1ecc58 100644 --- a/Cryptlib/OpenSSL/crypto/x509v3/v3_utl.c +++ b/Cryptlib/OpenSSL/crypto/x509v3/v3_utl.c @@ -926,7 +926,7 @@ static int do_x509_check(X509 *x, const char *chk, size_t chklen, GENERAL_NAMES *gens = NULL; X509_NAME *name = NULL; int i; - int cnid; + int cnid = NID_undef; int alt_type; int san_present = 0; int rv = 0; @@ -949,7 +949,6 @@ static int do_x509_check(X509 *x, const char *chk, size_t chklen, else equal = equal_wildcard; } else { - cnid = 0; alt_type = V_ASN1_OCTET_STRING; equal = equal_case; } @@ -980,11 +979,16 @@ static int do_x509_check(X509 *x, const char *chk, size_t chklen, GENERAL_NAMES_free(gens); if (rv != 0) return rv; - if (!cnid + if (cnid == NID_undef || (san_present && !(flags & X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT))) return 0; } + + /* We're done if CN-ID is not pertinent */ + if (cnid == NID_undef) + return 0; + i = -1; name = X509_get_subject_name(x); while ((i = X509_NAME_get_index_by_NID(name, cnid, i)) >= 0) { diff --git a/Cryptlib/OpenSSL/e_os.h b/Cryptlib/OpenSSL/e_os.h index 45fef691..3e9dae2e 100644 --- a/Cryptlib/OpenSSL/e_os.h +++ b/Cryptlib/OpenSSL/e_os.h @@ -136,7 +136,7 @@ extern "C" { # define MSDOS # endif -# if defined(MSDOS) && !defined(GETPID_IS_MEANINGLESS) +# if (defined(MSDOS) || defined(OPENSSL_SYS_UEFI)) && !defined(GETPID_IS_MEANINGLESS) # define GETPID_IS_MEANINGLESS # endif @@ -619,7 +619,7 @@ struct servent *PASCAL getservbyname(const char *, const char *); # include <sys/select.h> # endif -# if defined(sun) +# if defined(__sun) || defined(sun) # include <sys/filio.h> # else # ifndef VMS @@ -661,7 +661,7 @@ struct servent *PASCAL getservbyname(const char *, const char *); # endif -# if defined(sun) && !defined(__svr4__) && !defined(__SVR4) +# if (defined(__sun) || defined(sun)) && !defined(__svr4__) && !defined(__SVR4) /* include headers first, so our defines don't break it */ # include <stdlib.h> # include <string.h> diff --git a/Cryptlib/OpenSSL/update.sh b/Cryptlib/OpenSSL/update.sh index 03f94593..a40f7338 100755 --- a/Cryptlib/OpenSSL/update.sh +++ b/Cryptlib/OpenSSL/update.sh @@ -1,6 +1,6 @@ #/bin/sh DIR=$1 -version="1.0.2d" +version="1.0.2e" install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/e_os.h e_os.h install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/constant_time_locl.h crypto/constant_time_locl.h @@ -474,20 +474,6 @@ install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ui/ui_lib.c install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ui/ui_util.c crypto/ui/ui_util.c install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ui/ui_compat.c crypto/ui/ui_compat.c install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/krb5/krb5_asn.c crypto/krb5/krb5_asn.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/pqueue/pqueue.h crypto/pqueue/pqueue.h -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/pqueue/pqueue.c crypto/pqueue/pqueue.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ts/ts.h crypto/ts/ts.h -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ts/ts_err.c crypto/ts/ts_err.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ts/ts_req_utils.c crypto/ts/ts_req_utils.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ts/ts_req_print.c crypto/ts/ts_req_print.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ts/ts_rsp_utils.c crypto/ts/ts_rsp_utils.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ts/ts_rsp_print.c crypto/ts/ts_rsp_print.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ts/ts_rsp_sign.c crypto/ts/ts_rsp_sign.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ts/ts_rsp_verify.c crypto/ts/ts_rsp_verify.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ts/ts_verify_ctx.c crypto/ts/ts_verify_ctx.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ts/ts_lib.c crypto/ts/ts_lib.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ts/ts_conf.c crypto/ts/ts_conf.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ts/ts_asn1.c crypto/ts/ts_asn1.c install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/cmac/cmac.c crypto/cmac/cmac.c install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/cmac/cm_ameth.c crypto/cmac/cm_ameth.c install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/cmac/cm_pmeth.c crypto/cmac/cm_pmeth.c |