author | Damien Miller <djm@cvs.openbsd.org> | 2005-04-29 05:39:34 +0000 |
---|---|---|
committer | Damien Miller <djm@cvs.openbsd.org> | 2005-04-29 05:39:34 +0000 |
commit | 96d1d9b6e08bc96e9e2ca66809e78057a7ad7715 (patch) | |
tree | 3c21c706afbaf02026085e88634587633cdae96a /lib/libcrypto/pkcs7 | |
parent | ccd50423df222a7b368ec130192398b49e23114a (diff) |
resolve conflicts
Diffstat (limited to 'lib/libcrypto/pkcs7')
-rw-r--r-- | lib/libcrypto/pkcs7/pk7_attr.c | 9 | ||||
-rw-r--r-- | lib/libcrypto/pkcs7/pk7_doit.c | 42 | ||||
-rw-r--r-- | lib/libcrypto/pkcs7/pk7_lib.c | 44 | ||||
-rw-r--r-- | lib/libcrypto/pkcs7/pk7_smime.c | 46 |
4 files changed, 109 insertions, 32 deletions
diff --git a/lib/libcrypto/pkcs7/pk7_attr.c b/lib/libcrypto/pkcs7/pk7_attr.c index 5ff5a88b5cf..039141027a6 100644 --- a/lib/libcrypto/pkcs7/pk7_attr.c +++ b/lib/libcrypto/pkcs7/pk7_attr.c @@ -3,7 +3,7 @@ * project 2001. */ /* ==================================================================== - * Copyright (c) 2001 The OpenSSL Project. All rights reserved. + * Copyright (c) 2001-2004 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -94,17 +94,18 @@ int PKCS7_add_attrib_smimecap(PKCS7_SIGNER_INFO *si, STACK_OF(X509_ALGOR) *cap) } STACK_OF(X509_ALGOR) *PKCS7_get_smimecap(PKCS7_SIGNER_INFO *si) -{ + { ASN1_TYPE *cap; unsigned char *p; cap = PKCS7_get_signed_attribute(si, NID_SMIMECapabilities); - if (!cap) return NULL; + if (!cap || (cap->type != V_ASN1_SEQUENCE)) + return NULL; p = cap->value.sequence->data; return d2i_ASN1_SET_OF_X509_ALGOR(NULL, &p, cap->value.sequence->length, d2i_X509_ALGOR, X509_ALGOR_free, V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL); -} + } /* Basic smime-capabilities OID and optional integer arg */ int PKCS7_simple_smimecap(STACK_OF(X509_ALGOR) *sk, int nid, int arg) diff --git a/lib/libcrypto/pkcs7/pk7_doit.c b/lib/libcrypto/pkcs7/pk7_doit.c index b78e22819cd..4ac29ae14d6 100644 --- a/lib/libcrypto/pkcs7/pk7_doit.c +++ b/lib/libcrypto/pkcs7/pk7_doit.c @@ -239,7 +239,13 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio) OPENSSL_free(tmp); goto err; } - M_ASN1_OCTET_STRING_set(ri->enc_key,tmp,jj); + if (!M_ASN1_OCTET_STRING_set(ri->enc_key,tmp,jj)) + { + PKCS7err(PKCS7_F_PKCS7_DATAINIT, + ERR_R_MALLOC_FAILURE); + OPENSSL_free(tmp); + goto err; + } } OPENSSL_free(tmp); OPENSSL_cleanse(key, keylen); 
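Review bot: The new `cap->type != V_ASN1_SEQUENCE` test in PKCS7_get_smimecap deserves a comment, because it is what stops `cap->value.sequence` from being read out of an ASN1_TYPE whose union holds a different member. The attribute is taken from the signer info, which for a parsed message is presumably chosen by whoever produced that message. I would add `/* attribute content is sender-controlled: only a SEQUENCE may be read through value.sequence */` above the check.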
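Review bot: The added failure branch in PKCS7_dataInit jumps to `err` before the `OPENSSL_cleanse(key, keylen)` that follows the loop, so on this path what appears to be key material in `key` is wiped only if the `err` label does it. That label and the rest of the function are outside the hunk. If it does not, put `OPENSSL_cleanse(key, keylen);` before the `goto err;`; the older failure branch just above has the same exit and would need it too.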
@@ -520,12 +526,20 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio) case NID_pkcs7_signedAndEnveloped: /* XXXXXXXXXXXXXXXX */ si_sk=p7->d.signed_and_enveloped->signer_info; - os=M_ASN1_OCTET_STRING_new(); + if (!(os=M_ASN1_OCTET_STRING_new())) + { + PKCS7err(PKCS7_F_PKCS7_DATASIGN,ERR_R_MALLOC_FAILURE); + goto err; + } p7->d.signed_and_enveloped->enc_data->enc_data=os; break; case NID_pkcs7_enveloped: /* XXXXXXXXXXXXXXXX */ - os=M_ASN1_OCTET_STRING_new(); + if (!(os=M_ASN1_OCTET_STRING_new())) + { + PKCS7err(PKCS7_F_PKCS7_DATASIGN,ERR_R_MALLOC_FAILURE); + goto err; + } p7->d.enveloped->enc_data->enc_data=os; break; case NID_pkcs7_signed: @@ -599,7 +613,12 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio) if (!PKCS7_get_signed_attribute(si, NID_pkcs9_signingTime)) { - sign_time=X509_gmtime_adj(NULL,0); + if (!(sign_time=X509_gmtime_adj(NULL,0))) + { + PKCS7err(PKCS7_F_PKCS7_DATASIGN, + ERR_R_MALLOC_FAILURE); + goto err; + } PKCS7_add_signed_attribute(si, NID_pkcs9_signingTime, V_ASN1_UTCTIME,sign_time); @@ -608,8 +627,19 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio) /* Add digest */ md_tmp=EVP_MD_CTX_md(&ctx_tmp); EVP_DigestFinal_ex(&ctx_tmp,md_data,&md_len); - digest=M_ASN1_OCTET_STRING_new(); - M_ASN1_OCTET_STRING_set(digest,md_data,md_len); + if (!(digest=M_ASN1_OCTET_STRING_new())) + { + PKCS7err(PKCS7_F_PKCS7_DATASIGN, + ERR_R_MALLOC_FAILURE); + goto err; + } + if (!M_ASN1_OCTET_STRING_set(digest,md_data, + md_len)) + { + PKCS7err(PKCS7_F_PKCS7_DATASIGN, + ERR_R_MALLOC_FAILURE); + goto err; + } PKCS7_add_signed_attribute(si, NID_pkcs9_messageDigest, V_ASN1_OCTET_STRING,digest); diff --git a/lib/libcrypto/pkcs7/pk7_lib.c b/lib/libcrypto/pkcs7/pk7_lib.c index 985b07245cc..ee1817c7af9 100644 --- a/lib/libcrypto/pkcs7/pk7_lib.c +++ b/lib/libcrypto/pkcs7/pk7_lib.c 
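Review bot: In the signing-time hunk of PKCS7_dataFinal the result of `PKCS7_add_signed_attribute(si, NID_pkcs9_signingTime, V_ASN1_UTCTIME,sign_time)` is still ignored, so if it fails signing continues without the attribute and the freshly allocated `sign_time` has no owner. Since the commit is about checking allocations, this call should be tested as well: `if (!PKCS7_add_signed_attribute(si, NID_pkcs9_signingTime, V_ASN1_UTCTIME,sign_time)) goto err;`. Whether `sign_time` must be freed in that branch depends on PKCS7_add_signed_attribute, which is not shown. The messageDigest hunk below has the same unchecked call with `digest`.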
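Review bot: When `M_ASN1_OCTET_STRING_set(digest,md_data,md_len)` fails, the new branch does `goto err` while nothing owns `digest`, so the string allocated two statements earlier is leaked unless the `err` label (outside the hunk) releases it. Freeing it in the branch closes that: `M_ASN1_OCTET_STRING_free(digest);` before the `goto err;`. The return value of `EVP_DigestFinal_ex(&ctx_tmp,md_data,&md_len)` on the context line above is also unchecked, and `md_data`/`md_len` go straight into the signed messageDigest attribute.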
@@ -164,7 +164,12 @@ int PKCS7_set_type(PKCS7 *p7, int type) p7->type=obj; if ((p7->d.sign=PKCS7_SIGNED_new()) == NULL) goto err; - ASN1_INTEGER_set(p7->d.sign->version,1); + if (!ASN1_INTEGER_set(p7->d.sign->version,1)) + { + PKCS7_SIGNED_free(p7->d.sign); + p7->d.sign=NULL; + goto err; + } break; case NID_pkcs7_data: p7->type=obj; @@ -176,6 +181,8 @@ int PKCS7_set_type(PKCS7 *p7, int type) if ((p7->d.signed_and_enveloped=PKCS7_SIGN_ENVELOPE_new()) == NULL) goto err; ASN1_INTEGER_set(p7->d.signed_and_enveloped->version,1); + if (!ASN1_INTEGER_set(p7->d.signed_and_enveloped->version,1)) + goto err; p7->d.signed_and_enveloped->enc_data->content_type = OBJ_nid2obj(NID_pkcs7_data); break; @@ -183,7 +190,8 @@ int PKCS7_set_type(PKCS7 *p7, int type) p7->type=obj; if ((p7->d.enveloped=PKCS7_ENVELOPE_new()) == NULL) goto err; - ASN1_INTEGER_set(p7->d.enveloped->version,0); + if (!ASN1_INTEGER_set(p7->d.enveloped->version,0)) + goto err; p7->d.enveloped->enc_data->content_type = OBJ_nid2obj(NID_pkcs7_data); break; @@ -191,7 +199,8 @@ int PKCS7_set_type(PKCS7 *p7, int type) p7->type=obj; if ((p7->d.encrypted=PKCS7_ENCRYPT_new()) == NULL) goto err; - ASN1_INTEGER_set(p7->d.encrypted->version,0); + if (!ASN1_INTEGER_set(p7->d.encrypted->version,0)) + goto err; p7->d.encrypted->enc_data->content_type = OBJ_nid2obj(NID_pkcs7_data); break; 
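Review bot: In the `NID_pkcs7_signedAndEnveloped` case the unchecked `ASN1_INTEGER_set(p7->d.signed_and_enveloped->version,1);` was left in place as a context line and the checked call was added below it, so the version is set twice and the first result is discarded. This looks like a leftover from the conflict resolution. Drop the bare call so that only `if (!ASN1_INTEGER_set(p7->d.signed_and_enveloped->version,1)) goto err;` remains.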
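Review bot: The failure paths of PKCS7_set_type are inconsistent: the `NID_pkcs7_signed` hunk frees `p7->d.sign` and sets it to NULL before `goto err`, while the signedAndEnveloped, enveloped and encrypted hunks jump straight to `err` with `p7->type` already set and the new structure still attached. Unless the `err` label, which is outside the hunks, handles that, the caller gets a 0 return together with a half-initialised `p7`. Give the three cases the same cleanup, for example `PKCS7_ENVELOPE_free(p7->d.enveloped); p7->d.enveloped=NULL;` before the `goto err;` in the enveloped case.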
@@ -318,15 +327,18 @@ int PKCS7_SIGNER_INFO_set(PKCS7_SIGNER_INFO *p7i, X509 *x509, EVP_PKEY *pkey, if (pkey->type == EVP_PKEY_DSA) is_dsa = 1; else is_dsa = 0; /* We now need to add another PKCS7_SIGNER_INFO entry */ - ASN1_INTEGER_set(p7i->version,1); - X509_NAME_set(&p7i->issuer_and_serial->issuer, - X509_get_issuer_name(x509)); + if (!ASN1_INTEGER_set(p7i->version,1)) + goto err; + if (!X509_NAME_set(&p7i->issuer_and_serial->issuer, + X509_get_issuer_name(x509))) + goto err; /* because ASN1_INTEGER_set is used to set a 'long' we will do * things the ugly way. */ M_ASN1_INTEGER_free(p7i->issuer_and_serial->serial); - p7i->issuer_and_serial->serial= - M_ASN1_INTEGER_dup(X509_get_serialNumber(x509)); + if (!(p7i->issuer_and_serial->serial= + M_ASN1_INTEGER_dup(X509_get_serialNumber(x509)))) + goto err; /* lets keep the pkey around for a while */ CRYPTO_add(&pkey->references,1,CRYPTO_LOCK_EVP_PKEY); @@ -423,16 +435,20 @@ int PKCS7_add_recipient_info(PKCS7 *p7, PKCS7_RECIP_INFO *ri) int PKCS7_RECIP_INFO_set(PKCS7_RECIP_INFO *p7i, X509 *x509) { - ASN1_INTEGER_set(p7i->version,0); - X509_NAME_set(&p7i->issuer_and_serial->issuer, - X509_get_issuer_name(x509)); + if (!ASN1_INTEGER_set(p7i->version,0)) + return 0; + if (!X509_NAME_set(&p7i->issuer_and_serial->issuer, + X509_get_issuer_name(x509))) + return 0; M_ASN1_INTEGER_free(p7i->issuer_and_serial->serial); - p7i->issuer_and_serial->serial= - M_ASN1_INTEGER_dup(X509_get_serialNumber(x509)); + if (!(p7i->issuer_and_serial->serial= + M_ASN1_INTEGER_dup(X509_get_serialNumber(x509)))) + return 0; X509_ALGOR_free(p7i->key_enc_algor); - p7i->key_enc_algor= X509_ALGOR_dup(x509->cert_info->key->algor); + if (!(p7i->key_enc_algor= X509_ALGOR_dup(x509->cert_info->key->algor))) + return 0; CRYPTO_add(&x509->references,1,CRYPTO_LOCK_X509); p7i->cert=x509; diff --git a/lib/libcrypto/pkcs7/pk7_smime.c b/lib/libcrypto/pkcs7/pk7_smime.c index 6e5735de118..a852b492358 100644 --- a/lib/libcrypto/pkcs7/pk7_smime.c 
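Review bot: PKCS7_RECIP_INFO_set now has four early `return 0` exits and its contract is not documented anywhere in the hunk. On failure `p7i` is left partly updated (version and issuer possibly set, `serial` or `key_enc_algor` freed and possibly NULL), and the `CRYPTO_add(&x509->references,1,CRYPTO_LOCK_X509)` is reached only on success. I would put `/* Returns 1 on success, 0 on allocation failure; on failure p7i is partially modified and no reference to x509 is taken. */` above the function, and confirm that callers check the result.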
+++ b/lib/libcrypto/pkcs7/pk7_smime.c @@ -155,7 +155,7 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, char buf[4096]; int i, j=0, k, ret = 0; BIO *p7bio; - BIO *tmpout; + BIO *tmpin, *tmpout; if(!p7) { PKCS7err(PKCS7_F_PKCS7_VERIFY,PKCS7_R_INVALID_NULL_POINTER); @@ -228,7 +228,30 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, /* Check for revocation status here */ } - p7bio=PKCS7_dataInit(p7,indata); + /* Performance optimization: if the content is a memory BIO then + * store its contents in a temporary read only memory BIO. This + * avoids potentially large numbers of slow copies of data which will + * occur when reading from a read write memory BIO when signatures + * are calculated. + */ + + if (indata && (BIO_method_type(indata) == BIO_TYPE_MEM)) + { + char *ptr; + long len; + len = BIO_get_mem_data(indata, &ptr); + tmpin = BIO_new_mem_buf(ptr, len); + if (tmpin == NULL) + { + PKCS7err(PKCS7_F_PKCS7_VERIFY,ERR_R_MALLOC_FAILURE); + return 0; + } + } + else + tmpin = indata; + + + p7bio=PKCS7_dataInit(p7,tmpin); if(flags & PKCS7_TEXT) { if(!(tmpout = BIO_new(BIO_s_mem()))) { @@ -270,9 +293,15 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, ret = 1; err: + + if (tmpin == indata) + { + if(indata) BIO_pop(p7bio); + BIO_free_all(p7bio); + } + else + BIO_free_all(tmpin); - if(indata) BIO_pop(p7bio); - BIO_free_all(p7bio); sk_X509_free(signers); return ret; @@ -296,10 +325,6 @@ STACK_OF(X509) *PKCS7_get0_signers(PKCS7 *p7, STACK_OF(X509) *certs, int flags) PKCS7err(PKCS7_F_PKCS7_GET0_SIGNERS,PKCS7_R_WRONG_CONTENT_TYPE); return NULL; } - if(!(signers = sk_X509_new_null())) { - PKCS7err(PKCS7_F_PKCS7_GET0_SIGNERS,ERR_R_MALLOC_FAILURE); - return NULL; - } /* Collect all the signers together */ 
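Review bot: The `return 0` taken when `BIO_new_mem_buf(ptr, len)` fails skips the `sk_X509_free(signers)` at the `err` label, so the signer stack is leaked on that path, assuming `signers` has been obtained by then as the verification loop above suggests. A plain `goto err` is not safe here because `err` compares `tmpin` and uses `p7bio`, which is not yet assigned, so the branch should do `sk_X509_free(signers); return 0;`. Separately, `len` is a `long` handed to BIO_new_mem_buf, which takes an `int`; a range check before the call would rule out a truncated or negative length for very large memory BIOs.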
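Review bot: In the rewritten cleanup at `err:` the `else` branch frees only `tmpin`, so when the input was a memory BIO the chain returned by `PKCS7_dataInit(p7,tmpin)` is never released. Assuming dataInit links the passed BIO at the end of the chain it returns (the existing `BIO_pop(p7bio)` implies that), freeing from the head covers both cases: `if (tmpin == indata && indata) BIO_pop(p7bio);` followed by an unconditional `BIO_free_all(p7bio);`. `tmpin` is also declared without an initialiser in the first hunk, so any `goto err` reached before it is assigned would compare an indeterminate pointer; the earlier exits are outside the hunks.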
@@ -310,6 +335,11 @@ STACK_OF(X509) *PKCS7_get0_signers(PKCS7 *p7, STACK_OF(X509) *certs, int flags) return 0; } + if(!(signers = sk_X509_new_null())) { + PKCS7err(PKCS7_F_PKCS7_GET0_SIGNERS,ERR_R_MALLOC_FAILURE); + return NULL; + } + for (i = 0; i < sk_PKCS7_SIGNER_INFO_num(sinfos); i++) { si = sk_PKCS7_SIGNER_INFO_value(sinfos, i); |