summaryrefslogtreecommitdiff
path: root/lib/libcrypto/pkcs7
diff options
context:
space:
mode:
authorDamien Miller <djm@cvs.openbsd.org>2005-04-29 05:39:34 +0000
committerDamien Miller <djm@cvs.openbsd.org>2005-04-29 05:39:34 +0000
commit96d1d9b6e08bc96e9e2ca66809e78057a7ad7715 (patch)
tree3c21c706afbaf02026085e88634587633cdae96a /lib/libcrypto/pkcs7
parentccd50423df222a7b368ec130192398b49e23114a (diff)
resolve conflicts
Diffstat (limited to 'lib/libcrypto/pkcs7')
-rw-r--r--lib/libcrypto/pkcs7/pk7_attr.c9
-rw-r--r--lib/libcrypto/pkcs7/pk7_doit.c42
-rw-r--r--lib/libcrypto/pkcs7/pk7_lib.c44
-rw-r--r--lib/libcrypto/pkcs7/pk7_smime.c46
4 files changed, 109 insertions, 32 deletions
diff --git a/lib/libcrypto/pkcs7/pk7_attr.c b/lib/libcrypto/pkcs7/pk7_attr.c
index 5ff5a88b5cf..039141027a6 100644
--- a/lib/libcrypto/pkcs7/pk7_attr.c
+++ b/lib/libcrypto/pkcs7/pk7_attr.c
@@ -3,7 +3,7 @@
* project 2001.
*/
/* ====================================================================
- * Copyright (c) 2001 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 2001-2004 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -94,17 +94,18 @@ int PKCS7_add_attrib_smimecap(PKCS7_SIGNER_INFO *si, STACK_OF(X509_ALGOR) *cap)
}
STACK_OF(X509_ALGOR) *PKCS7_get_smimecap(PKCS7_SIGNER_INFO *si)
-{
+ {
ASN1_TYPE *cap;
unsigned char *p;
cap = PKCS7_get_signed_attribute(si, NID_SMIMECapabilities);
- if (!cap) return NULL;
+ if (!cap || (cap->type != V_ASN1_SEQUENCE))
+ return NULL;
p = cap->value.sequence->data;
return d2i_ASN1_SET_OF_X509_ALGOR(NULL, &p,
cap->value.sequence->length,
d2i_X509_ALGOR, X509_ALGOR_free,
V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL);
-}
+ }
/* Basic smime-capabilities OID and optional integer arg */
int PKCS7_simple_smimecap(STACK_OF(X509_ALGOR) *sk, int nid, int arg)
diff --git a/lib/libcrypto/pkcs7/pk7_doit.c b/lib/libcrypto/pkcs7/pk7_doit.c
index b78e22819cd..4ac29ae14d6 100644
--- a/lib/libcrypto/pkcs7/pk7_doit.c
+++ b/lib/libcrypto/pkcs7/pk7_doit.c
@@ -239,7 +239,13 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio)
OPENSSL_free(tmp);
goto err;
}
- M_ASN1_OCTET_STRING_set(ri->enc_key,tmp,jj);
+ if (!M_ASN1_OCTET_STRING_set(ri->enc_key,tmp,jj))
+ {
+ PKCS7err(PKCS7_F_PKCS7_DATAINIT,
+ ERR_R_MALLOC_FAILURE);
+ OPENSSL_free(tmp);
+ goto err;
+ }
}
OPENSSL_free(tmp);
OPENSSL_cleanse(key, keylen);
@@ -520,12 +526,20 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
case NID_pkcs7_signedAndEnveloped:
/* XXXXXXXXXXXXXXXX */
si_sk=p7->d.signed_and_enveloped->signer_info;
- os=M_ASN1_OCTET_STRING_new();
+ if (!(os=M_ASN1_OCTET_STRING_new()))
+ {
+ PKCS7err(PKCS7_F_PKCS7_DATASIGN,ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
p7->d.signed_and_enveloped->enc_data->enc_data=os;
break;
case NID_pkcs7_enveloped:
/* XXXXXXXXXXXXXXXX */
- os=M_ASN1_OCTET_STRING_new();
+ if (!(os=M_ASN1_OCTET_STRING_new()))
+ {
+ PKCS7err(PKCS7_F_PKCS7_DATASIGN,ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
p7->d.enveloped->enc_data->enc_data=os;
break;
case NID_pkcs7_signed:
@@ -599,7 +613,12 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
if (!PKCS7_get_signed_attribute(si,
NID_pkcs9_signingTime))
{
- sign_time=X509_gmtime_adj(NULL,0);
+ if (!(sign_time=X509_gmtime_adj(NULL,0)))
+ {
+ PKCS7err(PKCS7_F_PKCS7_DATASIGN,
+ ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
PKCS7_add_signed_attribute(si,
NID_pkcs9_signingTime,
V_ASN1_UTCTIME,sign_time);
@@ -608,8 +627,19 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
/* Add digest */
md_tmp=EVP_MD_CTX_md(&ctx_tmp);
EVP_DigestFinal_ex(&ctx_tmp,md_data,&md_len);
- digest=M_ASN1_OCTET_STRING_new();
- M_ASN1_OCTET_STRING_set(digest,md_data,md_len);
+ if (!(digest=M_ASN1_OCTET_STRING_new()))
+ {
+ PKCS7err(PKCS7_F_PKCS7_DATASIGN,
+ ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+ if (!M_ASN1_OCTET_STRING_set(digest,md_data,
+ md_len))
+ {
+ PKCS7err(PKCS7_F_PKCS7_DATASIGN,
+ ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
PKCS7_add_signed_attribute(si,
NID_pkcs9_messageDigest,
V_ASN1_OCTET_STRING,digest);
diff --git a/lib/libcrypto/pkcs7/pk7_lib.c b/lib/libcrypto/pkcs7/pk7_lib.c
index 985b07245cc..ee1817c7af9 100644
--- a/lib/libcrypto/pkcs7/pk7_lib.c
+++ b/lib/libcrypto/pkcs7/pk7_lib.c
@@ -164,7 +164,12 @@ int PKCS7_set_type(PKCS7 *p7, int type)
p7->type=obj;
if ((p7->d.sign=PKCS7_SIGNED_new()) == NULL)
goto err;
- ASN1_INTEGER_set(p7->d.sign->version,1);
+ if (!ASN1_INTEGER_set(p7->d.sign->version,1))
+ {
+ PKCS7_SIGNED_free(p7->d.sign);
+ p7->d.sign=NULL;
+ goto err;
+ }
break;
case NID_pkcs7_data:
p7->type=obj;
@@ -176,6 +181,8 @@ int PKCS7_set_type(PKCS7 *p7, int type)
if ((p7->d.signed_and_enveloped=PKCS7_SIGN_ENVELOPE_new())
== NULL) goto err;
ASN1_INTEGER_set(p7->d.signed_and_enveloped->version,1);
+ if (!ASN1_INTEGER_set(p7->d.signed_and_enveloped->version,1))
+ goto err;
p7->d.signed_and_enveloped->enc_data->content_type
= OBJ_nid2obj(NID_pkcs7_data);
break;
@@ -183,7 +190,8 @@ int PKCS7_set_type(PKCS7 *p7, int type)
p7->type=obj;
if ((p7->d.enveloped=PKCS7_ENVELOPE_new())
== NULL) goto err;
- ASN1_INTEGER_set(p7->d.enveloped->version,0);
+ if (!ASN1_INTEGER_set(p7->d.enveloped->version,0))
+ goto err;
p7->d.enveloped->enc_data->content_type
= OBJ_nid2obj(NID_pkcs7_data);
break;
@@ -191,7 +199,8 @@ int PKCS7_set_type(PKCS7 *p7, int type)
p7->type=obj;
if ((p7->d.encrypted=PKCS7_ENCRYPT_new())
== NULL) goto err;
- ASN1_INTEGER_set(p7->d.encrypted->version,0);
+ if (!ASN1_INTEGER_set(p7->d.encrypted->version,0))
+ goto err;
p7->d.encrypted->enc_data->content_type
= OBJ_nid2obj(NID_pkcs7_data);
break;
@@ -318,15 +327,18 @@ int PKCS7_SIGNER_INFO_set(PKCS7_SIGNER_INFO *p7i, X509 *x509, EVP_PKEY *pkey,
if (pkey->type == EVP_PKEY_DSA) is_dsa = 1;
else is_dsa = 0;
/* We now need to add another PKCS7_SIGNER_INFO entry */
- ASN1_INTEGER_set(p7i->version,1);
- X509_NAME_set(&p7i->issuer_and_serial->issuer,
- X509_get_issuer_name(x509));
+ if (!ASN1_INTEGER_set(p7i->version,1))
+ goto err;
+ if (!X509_NAME_set(&p7i->issuer_and_serial->issuer,
+ X509_get_issuer_name(x509)))
+ goto err;
/* because ASN1_INTEGER_set is used to set a 'long' we will do
* things the ugly way. */
M_ASN1_INTEGER_free(p7i->issuer_and_serial->serial);
- p7i->issuer_and_serial->serial=
- M_ASN1_INTEGER_dup(X509_get_serialNumber(x509));
+ if (!(p7i->issuer_and_serial->serial=
+ M_ASN1_INTEGER_dup(X509_get_serialNumber(x509))))
+ goto err;
/* lets keep the pkey around for a while */
CRYPTO_add(&pkey->references,1,CRYPTO_LOCK_EVP_PKEY);
@@ -423,16 +435,20 @@ int PKCS7_add_recipient_info(PKCS7 *p7, PKCS7_RECIP_INFO *ri)
int PKCS7_RECIP_INFO_set(PKCS7_RECIP_INFO *p7i, X509 *x509)
{
- ASN1_INTEGER_set(p7i->version,0);
- X509_NAME_set(&p7i->issuer_and_serial->issuer,
- X509_get_issuer_name(x509));
+ if (!ASN1_INTEGER_set(p7i->version,0))
+ return 0;
+ if (!X509_NAME_set(&p7i->issuer_and_serial->issuer,
+ X509_get_issuer_name(x509)))
+ return 0;
M_ASN1_INTEGER_free(p7i->issuer_and_serial->serial);
- p7i->issuer_and_serial->serial=
- M_ASN1_INTEGER_dup(X509_get_serialNumber(x509));
+ if (!(p7i->issuer_and_serial->serial=
+ M_ASN1_INTEGER_dup(X509_get_serialNumber(x509))))
+ return 0;
X509_ALGOR_free(p7i->key_enc_algor);
- p7i->key_enc_algor= X509_ALGOR_dup(x509->cert_info->key->algor);
+ if (!(p7i->key_enc_algor= X509_ALGOR_dup(x509->cert_info->key->algor)))
+ return 0;
CRYPTO_add(&x509->references,1,CRYPTO_LOCK_X509);
p7i->cert=x509;
diff --git a/lib/libcrypto/pkcs7/pk7_smime.c b/lib/libcrypto/pkcs7/pk7_smime.c
index 6e5735de118..a852b492358 100644
--- a/lib/libcrypto/pkcs7/pk7_smime.c
+++ b/lib/libcrypto/pkcs7/pk7_smime.c
@@ -155,7 +155,7 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
char buf[4096];
int i, j=0, k, ret = 0;
BIO *p7bio;
- BIO *tmpout;
+ BIO *tmpin, *tmpout;
if(!p7) {
PKCS7err(PKCS7_F_PKCS7_VERIFY,PKCS7_R_INVALID_NULL_POINTER);
@@ -228,7 +228,30 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
/* Check for revocation status here */
}
- p7bio=PKCS7_dataInit(p7,indata);
+ /* Performance optimization: if the content is a memory BIO then
+ * store its contents in a temporary read only memory BIO. This
+ * avoids potentially large numbers of slow copies of data which will
+ * occur when reading from a read write memory BIO when signatures
+ * are calculated.
+ */
+
+ if (indata && (BIO_method_type(indata) == BIO_TYPE_MEM))
+ {
+ char *ptr;
+ long len;
+ len = BIO_get_mem_data(indata, &ptr);
+ tmpin = BIO_new_mem_buf(ptr, len);
+ if (tmpin == NULL)
+ {
+ PKCS7err(PKCS7_F_PKCS7_VERIFY,ERR_R_MALLOC_FAILURE);
+ return 0;
+ }
+ }
+ else
+ tmpin = indata;
+
+
+ p7bio=PKCS7_dataInit(p7,tmpin);
if(flags & PKCS7_TEXT) {
if(!(tmpout = BIO_new(BIO_s_mem()))) {
@@ -270,9 +293,15 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
ret = 1;
err:
+
+ if (tmpin == indata)
+ {
+ if(indata) BIO_pop(p7bio);
+ BIO_free_all(p7bio);
+ }
+ else
+ BIO_free_all(tmpin);
- if(indata) BIO_pop(p7bio);
- BIO_free_all(p7bio);
sk_X509_free(signers);
return ret;
@@ -296,10 +325,6 @@ STACK_OF(X509) *PKCS7_get0_signers(PKCS7 *p7, STACK_OF(X509) *certs, int flags)
PKCS7err(PKCS7_F_PKCS7_GET0_SIGNERS,PKCS7_R_WRONG_CONTENT_TYPE);
return NULL;
}
- if(!(signers = sk_X509_new_null())) {
- PKCS7err(PKCS7_F_PKCS7_GET0_SIGNERS,ERR_R_MALLOC_FAILURE);
- return NULL;
- }
/* Collect all the signers together */
@@ -310,6 +335,11 @@ STACK_OF(X509) *PKCS7_get0_signers(PKCS7 *p7, STACK_OF(X509) *certs, int flags)
return 0;
}
+ if(!(signers = sk_X509_new_null())) {
+ PKCS7err(PKCS7_F_PKCS7_GET0_SIGNERS,ERR_R_MALLOC_FAILURE);
+ return NULL;
+ }
+
for (i = 0; i < sk_PKCS7_SIGNER_INFO_num(sinfos); i++)
{
si = sk_PKCS7_SIGNER_INFO_value(sinfos, i);