summaryrefslogtreecommitdiff
path: root/lib/libcrypto/x509
diff options
context:
space:
mode:
authorDamien Miller <djm@cvs.openbsd.org>2012-10-13 21:25:15 +0000
committerDamien Miller <djm@cvs.openbsd.org>2012-10-13 21:25:15 +0000
commit426a154a830ca2d9bae74612741ff86332f5c66e (patch)
tree7937e26cb4336f7a8bfd41a8238859a89e83e4b3 /lib/libcrypto/x509
parent1ab62f029308adf86f7a805afd722d5170be8c34 (diff)
resolve conflicts
Diffstat (limited to 'lib/libcrypto/x509')
-rw-r--r--lib/libcrypto/x509/x509.h11
-rw-r--r--lib/libcrypto/x509/x509_cmp.c27
-rw-r--r--lib/libcrypto/x509/x509_lu.c2
-rw-r--r--lib/libcrypto/x509/x509_vfy.c5
-rw-r--r--lib/libcrypto/x509/x509type.c32
-rw-r--r--lib/libcrypto/x509/x_all.c19
6 files changed, 70 insertions, 26 deletions
diff --git a/lib/libcrypto/x509/x509.h b/lib/libcrypto/x509/x509.h
index e6f8a40395b..092dd7450d3 100644
--- a/lib/libcrypto/x509/x509.h
+++ b/lib/libcrypto/x509/x509.h
@@ -657,11 +657,15 @@ int NETSCAPE_SPKI_set_pubkey(NETSCAPE_SPKI *x, EVP_PKEY *pkey);
int NETSCAPE_SPKI_print(BIO *out, NETSCAPE_SPKI *spki);
+int X509_signature_dump(BIO *bp,const ASN1_STRING *sig, int indent);
int X509_signature_print(BIO *bp,X509_ALGOR *alg, ASN1_STRING *sig);
int X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md);
+int X509_sign_ctx(X509 *x, EVP_MD_CTX *ctx);
int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md);
+int X509_REQ_sign_ctx(X509_REQ *x, EVP_MD_CTX *ctx);
int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md);
+int X509_CRL_sign_ctx(X509_CRL *x, EVP_MD_CTX *ctx);
int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *x, EVP_PKEY *pkey, const EVP_MD *md);
int X509_pubkey_digest(const X509 *data,const EVP_MD *type,
@@ -763,6 +767,7 @@ X509_ALGOR *X509_ALGOR_dup(X509_ALGOR *xn);
int X509_ALGOR_set0(X509_ALGOR *alg, ASN1_OBJECT *aobj, int ptype, void *pval);
void X509_ALGOR_get0(ASN1_OBJECT **paobj, int *pptype, void **ppval,
X509_ALGOR *algor);
+void X509_ALGOR_set_md(X509_ALGOR *alg, const EVP_MD *md);
X509_NAME *X509_NAME_dup(X509_NAME *xn);
X509_NAME_ENTRY *X509_NAME_ENTRY_dup(X509_NAME_ENTRY *ne);
@@ -896,6 +901,9 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *algor1,
int ASN1_item_sign(const ASN1_ITEM *it, X509_ALGOR *algor1, X509_ALGOR *algor2,
ASN1_BIT_STRING *signature,
void *data, EVP_PKEY *pkey, const EVP_MD *type);
+int ASN1_item_sign_ctx(const ASN1_ITEM *it,
+ X509_ALGOR *algor1, X509_ALGOR *algor2,
+ ASN1_BIT_STRING *signature, void *asn, EVP_MD_CTX *ctx);
#endif
int X509_set_version(X509 *x,long version);
@@ -1161,6 +1169,9 @@ X509_ALGOR *PKCS5_pbe2_set_iv(const EVP_CIPHER *cipher, int iter,
unsigned char *salt, int saltlen,
unsigned char *aiv, int prf_nid);
+X509_ALGOR *PKCS5_pbkdf2_set(int iter, unsigned char *salt, int saltlen,
+ int prf_nid, int keylen);
+
/* PKCS#8 utilities */
DECLARE_ASN1_FUNCTIONS(PKCS8_PRIV_KEY_INFO)
diff --git a/lib/libcrypto/x509/x509_cmp.c b/lib/libcrypto/x509/x509_cmp.c
index 4bc9da07e06..7c2aaee2e9a 100644
--- a/lib/libcrypto/x509/x509_cmp.c
+++ b/lib/libcrypto/x509/x509_cmp.c
@@ -87,15 +87,20 @@ unsigned long X509_issuer_and_serial_hash(X509 *a)
EVP_MD_CTX_init(&ctx);
f=X509_NAME_oneline(a->cert_info->issuer,NULL,0);
ret=strlen(f);
- EVP_DigestInit_ex(&ctx, EVP_md5(), NULL);
- EVP_DigestUpdate(&ctx,(unsigned char *)f,ret);
+ if (!EVP_DigestInit_ex(&ctx, EVP_md5(), NULL))
+ goto err;
+ if (!EVP_DigestUpdate(&ctx,(unsigned char *)f,ret))
+ goto err;
OPENSSL_free(f);
- EVP_DigestUpdate(&ctx,(unsigned char *)a->cert_info->serialNumber->data,
- (unsigned long)a->cert_info->serialNumber->length);
- EVP_DigestFinal_ex(&ctx,&(md[0]),NULL);
+ if(!EVP_DigestUpdate(&ctx,(unsigned char *)a->cert_info->serialNumber->data,
+ (unsigned long)a->cert_info->serialNumber->length))
+ goto err;
+ if (!EVP_DigestFinal_ex(&ctx,&(md[0]),NULL))
+ goto err;
ret=( ((unsigned long)md[0] )|((unsigned long)md[1]<<8L)|
((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L)
)&0xffffffffL;
+ err:
EVP_MD_CTX_cleanup(&ctx);
return(ret);
}
@@ -219,7 +224,9 @@ unsigned long X509_NAME_hash(X509_NAME *x)
/* Make sure X509_NAME structure contains valid cached encoding */
i2d_X509_NAME(x,NULL);
- EVP_Digest(x->canon_enc, x->canon_enclen, md, NULL, EVP_sha1(), NULL);
+ if (!EVP_Digest(x->canon_enc, x->canon_enclen, md, NULL, EVP_sha1(),
+ NULL))
+ return 0;
ret=( ((unsigned long)md[0] )|((unsigned long)md[1]<<8L)|
((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L)
@@ -234,12 +241,18 @@ unsigned long X509_NAME_hash(X509_NAME *x)
unsigned long X509_NAME_hash_old(X509_NAME *x)
{
+ EVP_MD_CTX md_ctx;
unsigned long ret=0;
unsigned char md[16];
/* Make sure X509_NAME structure contains valid cached encoding */
i2d_X509_NAME(x,NULL);
- EVP_Digest(x->bytes->data, x->bytes->length, md, NULL, EVP_md5(), NULL);
+ EVP_MD_CTX_init(&md_ctx);
+ EVP_MD_CTX_set_flags(&md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+ EVP_DigestInit_ex(&md_ctx, EVP_md5(), NULL);
+ EVP_DigestUpdate(&md_ctx, x->bytes->data, x->bytes->length);
+ EVP_DigestFinal_ex(&md_ctx,md,NULL);
+ EVP_MD_CTX_cleanup(&md_ctx);
ret=( ((unsigned long)md[0] )|((unsigned long)md[1]<<8L)|
((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L)
diff --git a/lib/libcrypto/x509/x509_lu.c b/lib/libcrypto/x509/x509_lu.c
index 3a6e04a1dee..38525a8cddb 100644
--- a/lib/libcrypto/x509/x509_lu.c
+++ b/lib/libcrypto/x509/x509_lu.c
@@ -87,7 +87,7 @@ void X509_LOOKUP_free(X509_LOOKUP *ctx)
if (ctx == NULL) return;
if ( (ctx->method != NULL) &&
(ctx->method->free != NULL))
- ctx->method->free(ctx);
+ (*ctx->method->free)(ctx);
OPENSSL_free(ctx);
}
diff --git a/lib/libcrypto/x509/x509_vfy.c b/lib/libcrypto/x509/x509_vfy.c
index 701ec565e93..b0779db0231 100644
--- a/lib/libcrypto/x509/x509_vfy.c
+++ b/lib/libcrypto/x509/x509_vfy.c
@@ -153,7 +153,6 @@ static int x509_subject_cmp(X509 **a, X509 **b)
int X509_verify_cert(X509_STORE_CTX *ctx)
{
X509 *x,*xtmp,*chain_ss=NULL;
- X509_NAME *xn;
int bad_chain = 0;
X509_VERIFY_PARAM *param = ctx->param;
int depth,i,ok=0;
@@ -205,7 +204,6 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
*/
/* If we are self signed, we break */
- xn=X509_get_issuer_name(x);
if (ctx->check_issued(ctx, x,x)) break;
/* If we were passed a cert chain, use it first */
@@ -242,7 +240,6 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
i=sk_X509_num(ctx->chain);
x=sk_X509_value(ctx->chain,i-1);
- xn = X509_get_subject_name(x);
if (ctx->check_issued(ctx, x, x))
{
/* we have a self signed certificate */
@@ -291,7 +288,6 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
if (depth < num) break;
/* If we are self signed, we break */
- xn=X509_get_issuer_name(x);
if (ctx->check_issued(ctx,x,x)) break;
ok = ctx->get_issuer(&xtmp, ctx, x);
@@ -310,7 +306,6 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
}
/* we now have our chain, lets check it... */
- xn=X509_get_issuer_name(x);
/* Is last certificate looked up self signed? */
if (!ctx->check_issued(ctx,x,x))
diff --git a/lib/libcrypto/x509/x509type.c b/lib/libcrypto/x509/x509type.c
index 3385ad3f67c..9702ec53103 100644
--- a/lib/libcrypto/x509/x509type.c
+++ b/lib/libcrypto/x509/x509type.c
@@ -100,20 +100,26 @@ int X509_certificate_type(X509 *x, EVP_PKEY *pkey)
break;
}
- i=X509_get_signature_type(x);
- switch (i)
+ i=OBJ_obj2nid(x->sig_alg->algorithm);
+ if (i && OBJ_find_sigid_algs(i, NULL, &i))
{
- case EVP_PKEY_RSA:
- ret|=EVP_PKS_RSA;
- break;
- case EVP_PKEY_DSA:
- ret|=EVP_PKS_DSA;
- break;
- case EVP_PKEY_EC:
- ret|=EVP_PKS_EC;
- break;
- default:
- break;
+
+ switch (i)
+ {
+ case NID_rsaEncryption:
+ case NID_rsa:
+ ret|=EVP_PKS_RSA;
+ break;
+ case NID_dsa:
+ case NID_dsa_2:
+ ret|=EVP_PKS_DSA;
+ break;
+ case NID_X9_62_id_ecPublicKey:
+ ret|=EVP_PKS_EC;
+ break;
+ default:
+ break;
+ }
}
if (EVP_PKEY_size(pk) <= 1024/8)/* /8 because it's 1024 bits we look
diff --git a/lib/libcrypto/x509/x_all.c b/lib/libcrypto/x509/x_all.c
index 8ec88c215a4..b94aeeb873f 100644
--- a/lib/libcrypto/x509/x_all.c
+++ b/lib/libcrypto/x509/x_all.c
@@ -95,12 +95,25 @@ int X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md)
x->sig_alg, x->signature, x->cert_info,pkey,md));
}
+int X509_sign_ctx(X509 *x, EVP_MD_CTX *ctx)
+ {
+ return ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_CINF),
+ x->cert_info->signature,
+ x->sig_alg, x->signature, x->cert_info, ctx);
+ }
+
int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md)
{
return(ASN1_item_sign(ASN1_ITEM_rptr(X509_REQ_INFO),x->sig_alg, NULL,
x->signature, x->req_info,pkey,md));
}
+int X509_REQ_sign_ctx(X509_REQ *x, EVP_MD_CTX *ctx)
+ {
+ return ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_REQ_INFO),
+ x->sig_alg, NULL, x->signature, x->req_info, ctx);
+ }
+
int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md)
{
x->crl->enc.modified = 1;
@@ -108,6 +121,12 @@ int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md)
x->sig_alg, x->signature, x->crl,pkey,md));
}
+int X509_CRL_sign_ctx(X509_CRL *x, EVP_MD_CTX *ctx)
+ {
+ return ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_CRL_INFO),
+ x->crl->sig_alg, x->sig_alg, x->signature, x->crl, ctx);
+ }
+
int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *x, EVP_PKEY *pkey, const EVP_MD *md)
{
return(ASN1_item_sign(ASN1_ITEM_rptr(NETSCAPE_SPKAC), x->sig_algor,NULL,