The branch master has been updated via f51e5ed6b4b91d12228da873db72aa28109d1797 (commit) via 34a42e1489bf4f45bfad069eceba56315d4713be (commit) via 81e4943843773a04067703e0dc1668ec5d3b4cf1 (commit) via 4392479c08392feb4be2ecb9d1b5decc50e32df0 (commit) via 272d917deb0534a6a9b13e22ff16e4c95406d1ed (commit) via 4002da0f52828dc4a495f7ac163d9e77c2774f3e (commit) from f4f78ff7daf15f609a8bef1179d01cc982e37478 (commit)
- Log ----------------------------------------------------------------- commit f51e5ed6b4b91d12228da873db72aa28109d1797 Author: Dr. Stephen Henson <st...@openssl.org> Date: Wed Aug 5 03:21:40 2015 +0100 Fix self signed handling. Don't mark a certificate as self signed if keyUsage is present and certificate signing not asserted. PR#3979 Reviewed-by: Matt Caswell <m...@openssl.org> commit 34a42e1489bf4f45bfad069eceba56315d4713be Author: Dr. Stephen Henson <st...@openssl.org> Date: Sun Oct 11 21:13:42 2015 +0100 embed CRL serial number and signature fields Reviewed-by: Rich Salz <rs...@openssl.org> commit 81e4943843773a04067703e0dc1668ec5d3b4cf1 Author: Dr. Stephen Henson <st...@openssl.org> Date: Sun Oct 11 21:05:49 2015 +0100 embed certificate serial number and signature fields Reviewed-by: Rich Salz <rs...@openssl.org> commit 4392479c08392feb4be2ecb9d1b5decc50e32df0 Author: Dr. Stephen Henson <st...@openssl.org> Date: Sun Oct 11 20:44:07 2015 +0100 embed value field of X509_EXTENSION Reviewed-by: Rich Salz <rs...@openssl.org> commit 272d917deb0534a6a9b13e22ff16e4c95406d1ed Author: Dr. Stephen Henson <st...@openssl.org> Date: Sun Oct 11 21:20:19 2015 +0100 add CHANGES entry for embed Reviewed-by: Rich Salz <rs...@openssl.org> commit 4002da0f52828dc4a495f7ac163d9e77c2774f3e Author: Dr. Stephen Henson <st...@openssl.org> Date: Sun Oct 11 23:25:08 2015 +0100 Handle embed flag in ASN1_STRING_copy(). Reviewed-by: Rich Salz <rs...@openssl.org> ----------------------------------------------------------------------- Summary of changes: CHANGES | 21 +++++++++++++++++++++ crypto/asn1/asn1_lib.c | 4 +++- crypto/include/internal/x509_int.h | 8 ++++---- crypto/x509/t_x509.c | 2 +- crypto/x509/x509_cmp.c | 10 +++++----- crypto/x509/x509_lcl.h | 2 +- crypto/x509/x509_set.c | 15 +++++---------- crypto/x509/x509_v3.c | 4 ++-- crypto/x509/x509_vfy.c | 2 +- crypto/x509/x509cset.c | 17 ++++++----------- crypto/x509/x_all.c | 11 ++++++----- crypto/x509/x_crl.c | 14 +++++++------- crypto/x509/x_exten.c | 2 +- crypto/x509/x_x509.c | 6 +++--- crypto/x509v3/v3_purp.c | 19 ++++++++++--------- 15 files changed, 76 insertions(+), 61 deletions(-) diff --git a/CHANGES b/CHANGES index 3d9c183..cfbb7a7 100644 --- a/CHANGES +++ b/CHANGES @@ -3,6 +3,27 @@ _______________ Changes between 1.0.2 and 1.1.0 [xx XXX xxxx] + + *) New ASN.1 embed macro. + + New ASN.1 macro ASN1_EMBED. This is the same as ASN1_SIMPLE except the + structure is not allocated: it is part of the parent. That is instead of + + FOO *x; + + it must be: + + FOO x; + + This reduces memory fragmentation and make it impossible to accidentally + set a mandatory field to NULL. + + This currently only works for some fields specifically a SEQUENCE, CHOICE, + or ASN1_STRING type which is part of a parent SEQUENCE. Since it is + equivalent to ASN1_SIMPLE it cannot be tagged, OPTIONAL, SET OF or + SEQUENCE OF. + [Steve Henson] + *) Remove EVP_CHECK_DES_KEY, a compile-time option that never compiled. [Emilia Käsper] diff --git a/crypto/asn1/asn1_lib.c b/crypto/asn1/asn1_lib.c index 12248db..ef9223c 100644 --- a/crypto/asn1/asn1_lib.c +++ b/crypto/asn1/asn1_lib.c @@ -284,7 +284,9 @@ int ASN1_STRING_copy(ASN1_STRING *dst, const ASN1_STRING *str) dst->type = str->type; if (!ASN1_STRING_set(dst, str->data, str->length)) return 0; - dst->flags = str->flags; + /* Copy flags but preserve embed value */ + dst->flags &= ASN1_STRING_FLAG_EMBED; + dst->flags |= str->flags & ~ASN1_STRING_FLAG_EMBED; return 1; } diff --git a/crypto/include/internal/x509_int.h b/crypto/include/internal/x509_int.h index 8fd0bcf..5997a21 100644 --- a/crypto/include/internal/x509_int.h +++ b/crypto/include/internal/x509_int.h @@ -121,7 +121,7 @@ struct X509_crl_info_st { struct X509_crl_st { X509_CRL_INFO crl; /* signed CRL data */ X509_ALGOR sig_alg; /* CRL signature algorithm */ - ASN1_BIT_STRING *signature; /* CRL signature */ + ASN1_BIT_STRING signature; /* CRL signature */ int references; int flags; /* @@ -145,7 +145,7 @@ struct X509_crl_st { }; struct x509_revoked_st { - ASN1_INTEGER *serialNumber; /* revoked entry serial number */ + ASN1_INTEGER serialNumber; /* revoked entry serial number */ ASN1_TIME *revocationDate; /* revocation date */ STACK_OF(X509_EXTENSION) *extensions; /* CRL entry extensions: optional */ /* decoded value of CRLissuer extension: set if indirect CRL */ @@ -176,7 +176,7 @@ struct x509_cert_aux_st { struct x509_cinf_st { ASN1_INTEGER *version; /* [ 0 ] default of v1 */ - ASN1_INTEGER *serialNumber; + ASN1_INTEGER serialNumber; X509_ALGOR signature; X509_NAME *issuer; X509_VAL validity; @@ -191,7 +191,7 @@ struct x509_cinf_st { struct x509_st { X509_CINF cert_info; X509_ALGOR sig_alg; - ASN1_BIT_STRING *signature; + ASN1_BIT_STRING signature; int valid; int references; char *name; diff --git a/crypto/x509/t_x509.c b/crypto/x509/t_x509.c index 4cab108..5a73db1 100644 --- a/crypto/x509/t_x509.c +++ b/crypto/x509/t_x509.c @@ -238,7 +238,7 @@ int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags, ci->extensions, cflag, 8); if (!(cflag & X509_FLAG_NO_SIGDUMP)) { - if (X509_signature_print(bp, &x->sig_alg, x->signature) <= 0) + if (X509_signature_print(bp, &x->sig_alg, &x->signature) <= 0) goto err; } if (!(cflag & X509_FLAG_NO_AUX)) { diff --git a/crypto/x509/x509_cmp.c b/crypto/x509/x509_cmp.c index 1e469f9..4017545 100644 --- a/crypto/x509/x509_cmp.c +++ b/crypto/x509/x509_cmp.c @@ -72,7 +72,7 @@ int X509_issuer_and_serial_cmp(const X509 *a, const X509 *b) ai = &a->cert_info; bi = &b->cert_info; - i = ASN1_INTEGER_cmp(ai->serialNumber, bi->serialNumber); + i = ASN1_INTEGER_cmp(&ai->serialNumber, &bi->serialNumber); if (i) return (i); return (X509_NAME_cmp(ai->issuer, bi->issuer)); @@ -94,8 +94,8 @@ unsigned long X509_issuer_and_serial_hash(X509 *a) goto err; OPENSSL_free(f); if (!EVP_DigestUpdate - (&ctx, (unsigned char *)a->cert_info.serialNumber->data, - (unsigned long)a->cert_info.serialNumber->length)) + (&ctx, (unsigned char *)a->cert_info.serialNumber.data, + (unsigned long)a->cert_info.serialNumber.length)) goto err; if (!EVP_DigestFinal_ex(&ctx, &(md[0]), NULL)) goto err; @@ -152,7 +152,7 @@ X509_NAME *X509_get_subject_name(X509 *a) ASN1_INTEGER *X509_get_serialNumber(X509 *a) { - return (a->cert_info.serialNumber); + return &a->cert_info.serialNumber; } unsigned long X509_subject_name_hash(X509 *x) @@ -278,7 +278,7 @@ X509 *X509_find_by_issuer_and_serial(STACK_OF(X509) *sk, X509_NAME *name, if (!sk) return NULL; - x.cert_info.serialNumber = serial; + x.cert_info.serialNumber = *serial; x.cert_info.issuer = name; for (i = 0; i < sk_X509_num(sk); i++) { diff --git a/crypto/x509/x509_lcl.h b/crypto/x509/x509_lcl.h index 71c8a2a..af04341 100644 --- a/crypto/x509/x509_lcl.h +++ b/crypto/x509/x509_lcl.h @@ -98,7 +98,7 @@ struct x509_attributes_st { struct X509_extension_st { ASN1_OBJECT *object; ASN1_BOOLEAN critical; - ASN1_OCTET_STRING *value; + ASN1_OCTET_STRING value; }; /* diff --git a/crypto/x509/x509_set.c b/crypto/x509/x509_set.c index 7873edf..38ec0db 100644 --- a/crypto/x509/x509_set.c +++ b/crypto/x509/x509_set.c @@ -85,16 +85,11 @@ int X509_set_serialNumber(X509 *x, ASN1_INTEGER *serial) ASN1_INTEGER *in; if (x == NULL) - return (0); - in = x->cert_info.serialNumber; - if (in != serial) { - in = ASN1_INTEGER_dup(serial); - if (in != NULL) { - ASN1_INTEGER_free(x->cert_info.serialNumber); - x->cert_info.serialNumber = in; - } - } - return (in != NULL); + return 0; + in = &x->cert_info.serialNumber; + if (in != serial) + return ASN1_STRING_copy(in, serial); + return 1; } int X509_set_issuer_name(X509 *x, X509_NAME *name) diff --git a/crypto/x509/x509_v3.c b/crypto/x509/x509_v3.c index 4e9c8f5..f192979 100644 --- a/crypto/x509/x509_v3.c +++ b/crypto/x509/x509_v3.c @@ -253,7 +253,7 @@ int X509_EXTENSION_set_data(X509_EXTENSION *ex, ASN1_OCTET_STRING *data) if (ex == NULL) return (0); - i = ASN1_OCTET_STRING_set(ex->value, data->data, data->length); + i = ASN1_OCTET_STRING_set(&ex->value, data->data, data->length); if (!i) return (0); return (1); @@ -270,7 +270,7 @@ ASN1_OCTET_STRING *X509_EXTENSION_get_data(X509_EXTENSION *ex) { if (ex == NULL) return (NULL); - return (ex->value); + return &ex->value; } int X509_EXTENSION_get_critical(X509_EXTENSION *ex) diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index 9cecde7..1ae3675 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -2088,7 +2088,7 @@ X509_CRL *X509_CRL_diff(X509_CRL *base, X509_CRL *newer, * Add only if not also in base. TODO: need something cleverer here * for some more complex CRLs covering multiple CAs. */ - if (!X509_CRL_get0_by_serial(base, &rvtmp, rvn->serialNumber)) { + if (!X509_CRL_get0_by_serial(base, &rvtmp, &rvn->serialNumber)) { rvtmp = X509_REVOKED_dup(rvn); if (!rvtmp) goto memerr; diff --git a/crypto/x509/x509cset.c b/crypto/x509/x509cset.c index a779fd4..899d492 100644 --- a/crypto/x509/x509cset.c +++ b/crypto/x509/x509cset.c @@ -172,7 +172,7 @@ void X509_CRL_get0_signature(ASN1_BIT_STRING **psig, X509_ALGOR **palg, X509_CRL *crl) { if (psig != NULL) - *psig = crl->signature; + *psig = &crl->signature; if (palg != NULL) *palg = &crl->sig_alg; } @@ -206,7 +206,7 @@ int X509_REVOKED_set_revocationDate(X509_REVOKED *x, ASN1_TIME *tm) ASN1_INTEGER *X509_REVOKED_get0_serialNumber(X509_REVOKED *x) { - return x->serialNumber; + return &x->serialNumber; } int X509_REVOKED_set_serialNumber(X509_REVOKED *x, ASN1_INTEGER *serial) @@ -215,15 +215,10 @@ int X509_REVOKED_set_serialNumber(X509_REVOKED *x, ASN1_INTEGER *serial) if (x == NULL) return (0); - in = x->serialNumber; - if (in != serial) { - in = ASN1_INTEGER_dup(serial); - if (in != NULL) { - ASN1_INTEGER_free(x->serialNumber); - x->serialNumber = in; - } - } - return (in != NULL); + in = &x->serialNumber; + if (in != serial) + return ASN1_STRING_copy(in, serial); + return 1; } STACK_OF(X509_EXTENSION) *X509_REVOKED_get0_extensions(X509_REVOKED *r) diff --git a/crypto/x509/x_all.c b/crypto/x509/x_all.c index 1db66f6..5c5f573 100644 --- a/crypto/x509/x_all.c +++ b/crypto/x509/x_all.c @@ -77,7 +77,7 @@ int X509_verify(X509 *a, EVP_PKEY *r) if (X509_ALGOR_cmp(&a->sig_alg, &a->cert_info.signature)) return 0; return (ASN1_item_verify(ASN1_ITEM_rptr(X509_CINF), &a->sig_alg, - a->signature, &a->cert_info, r)); + &a->signature, &a->cert_info, r)); } int X509_REQ_verify(X509_REQ *a, EVP_PKEY *r) @@ -96,7 +96,8 @@ int X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md) { x->cert_info.enc.modified = 1; return (ASN1_item_sign(ASN1_ITEM_rptr(X509_CINF), &x->cert_info.signature, - &x->sig_alg, x->signature, &x->cert_info, pkey, md)); + &x->sig_alg, &x->signature, &x->cert_info, pkey, + md)); } int X509_sign_ctx(X509 *x, EVP_MD_CTX *ctx) @@ -104,7 +105,7 @@ int X509_sign_ctx(X509 *x, EVP_MD_CTX *ctx) x->cert_info.enc.modified = 1; return ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_CINF), &x->cert_info.signature, - &x->sig_alg, x->signature, &x->cert_info, ctx); + &x->sig_alg, &x->signature, &x->cert_info, ctx); } int X509_http_nbio(OCSP_REQ_CTX *rctx, X509 **pcert) @@ -130,14 +131,14 @@ int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md) { x->crl.enc.modified = 1; return (ASN1_item_sign(ASN1_ITEM_rptr(X509_CRL_INFO), &x->crl.sig_alg, - &x->sig_alg, x->signature, &x->crl, pkey, md)); + &x->sig_alg, &x->signature, &x->crl, pkey, md)); } int X509_CRL_sign_ctx(X509_CRL *x, EVP_MD_CTX *ctx) { x->crl.enc.modified = 1; return ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_CRL_INFO), - &x->crl.sig_alg, &x->sig_alg, x->signature, + &x->crl.sig_alg, &x->sig_alg, &x->signature, &x->crl, ctx); } diff --git a/crypto/x509/x_crl.c b/crypto/x509/x_crl.c index c8889d1..79fa5ca 100644 --- a/crypto/x509/x_crl.c +++ b/crypto/x509/x_crl.c @@ -69,7 +69,7 @@ static int X509_REVOKED_cmp(const X509_REVOKED *const *a, static void setup_idp(X509_CRL *crl, ISSUING_DIST_POINT *idp); ASN1_SEQUENCE(X509_REVOKED) = { - ASN1_SIMPLE(X509_REVOKED,serialNumber, ASN1_INTEGER), + ASN1_EMBED(X509_REVOKED,serialNumber, ASN1_INTEGER), ASN1_SIMPLE(X509_REVOKED,revocationDate, ASN1_TIME), ASN1_SEQUENCE_OF_OPT(X509_REVOKED,extensions, X509_EXTENSION) } ASN1_SEQUENCE_END(X509_REVOKED) @@ -333,7 +333,7 @@ static void setup_idp(X509_CRL *crl, ISSUING_DIST_POINT *idp) ASN1_SEQUENCE_ref(X509_CRL, crl_cb, CRYPTO_LOCK_X509_CRL) = { ASN1_EMBED(X509_CRL, crl, X509_CRL_INFO), ASN1_EMBED(X509_CRL, sig_alg, X509_ALGOR), - ASN1_SIMPLE(X509_CRL, signature, ASN1_BIT_STRING) + ASN1_EMBED(X509_CRL, signature, ASN1_BIT_STRING) } ASN1_SEQUENCE_END_ref(X509_CRL, X509_CRL) IMPLEMENT_ASN1_FUNCTIONS(X509_REVOKED) @@ -349,8 +349,8 @@ IMPLEMENT_ASN1_DUP_FUNCTION(X509_CRL) static int X509_REVOKED_cmp(const X509_REVOKED *const *a, const X509_REVOKED *const *b) { - return (ASN1_STRING_cmp((ASN1_STRING *)(*a)->serialNumber, - (ASN1_STRING *)(*b)->serialNumber)); + return (ASN1_STRING_cmp((ASN1_STRING *)&(*a)->serialNumber, + (ASN1_STRING *)&(*b)->serialNumber)); } int X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev) @@ -394,7 +394,7 @@ int X509_CRL_get0_by_cert(X509_CRL *crl, X509_REVOKED **ret, X509 *x) static int def_crl_verify(X509_CRL *crl, EVP_PKEY *r) { return (ASN1_item_verify(ASN1_ITEM_rptr(X509_CRL_INFO), - &crl->sig_alg, crl->signature, &crl->crl, r)); + &crl->sig_alg, &crl->signature, &crl->crl, r)); } static int crl_revoked_issuer_match(X509_CRL *crl, X509_NAME *nm, @@ -430,7 +430,7 @@ static int def_crl_lookup(X509_CRL *crl, { X509_REVOKED rtmp, *rev; int idx; - rtmp.serialNumber = serial; + rtmp.serialNumber = *serial; /* * Sort revoked into serial number order if not already sorted. Do this * under a lock to avoid race condition. @@ -446,7 +446,7 @@ static int def_crl_lookup(X509_CRL *crl, /* Need to look for matching name */ for (; idx < sk_X509_REVOKED_num(crl->crl.revoked); idx++) { rev = sk_X509_REVOKED_value(crl->crl.revoked, idx); - if (ASN1_INTEGER_cmp(rev->serialNumber, serial)) + if (ASN1_INTEGER_cmp(&rev->serialNumber, serial)) return 0; if (crl_revoked_issuer_match(crl, issuer, rev)) { if (ret) diff --git a/crypto/x509/x_exten.c b/crypto/x509/x_exten.c index c0d4c96..c5b391f 100644 --- a/crypto/x509/x_exten.c +++ b/crypto/x509/x_exten.c @@ -66,7 +66,7 @@ ASN1_SEQUENCE(X509_EXTENSION) = { ASN1_SIMPLE(X509_EXTENSION, object, ASN1_OBJECT), ASN1_OPT(X509_EXTENSION, critical, ASN1_BOOLEAN), - ASN1_SIMPLE(X509_EXTENSION, value, ASN1_OCTET_STRING) + ASN1_EMBED(X509_EXTENSION, value, ASN1_OCTET_STRING) } ASN1_SEQUENCE_END(X509_EXTENSION) ASN1_ITEM_TEMPLATE(X509_EXTENSIONS) = diff --git a/crypto/x509/x_x509.c b/crypto/x509/x_x509.c index 92d4fa3..ad2309c 100644 --- a/crypto/x509/x_x509.c +++ b/crypto/x509/x_x509.c @@ -66,7 +66,7 @@ ASN1_SEQUENCE_enc(X509_CINF, enc, 0) = { ASN1_EXP_OPT(X509_CINF, version, ASN1_INTEGER, 0), - ASN1_SIMPLE(X509_CINF, serialNumber, ASN1_INTEGER), + ASN1_EMBED(X509_CINF, serialNumber, ASN1_INTEGER), ASN1_EMBED(X509_CINF, signature, X509_ALGOR), ASN1_SIMPLE(X509_CINF, issuer, X509_NAME), ASN1_EMBED(X509_CINF, validity, X509_VAL), @@ -135,7 +135,7 @@ static int x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, ASN1_SEQUENCE_ref(X509, x509_cb, CRYPTO_LOCK_X509) = { ASN1_EMBED(X509, cert_info, X509_CINF), ASN1_EMBED(X509, sig_alg, X509_ALGOR), - ASN1_SIMPLE(X509, signature, ASN1_BIT_STRING) + ASN1_EMBED(X509, signature, ASN1_BIT_STRING) } ASN1_SEQUENCE_END_ref(X509, X509) IMPLEMENT_ASN1_FUNCTIONS(X509) @@ -215,7 +215,7 @@ int i2d_re_X509_tbs(X509 *x, unsigned char **pp) void X509_get0_signature(ASN1_BIT_STRING **psig, X509_ALGOR **palg, X509 *x) { if (psig) - *psig = x->signature; + *psig = &x->signature; if (palg) *palg = &x->sig_alg; } diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c index 43f3551..90b3abc 100644 --- a/crypto/x509v3/v3_purp.c +++ b/crypto/x509v3/v3_purp.c @@ -380,6 +380,14 @@ static void setup_crldp(X509 *x) setup_dp(x, sk_DIST_POINT_value(x->crldp, i)); } +#define V1_ROOT (EXFLAG_V1|EXFLAG_SS) +#define ku_reject(x, usage) \ + (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage))) +#define xku_reject(x, usage) \ + (((x)->ex_flags & EXFLAG_XKUSAGE) && !((x)->ex_xkusage & (usage))) +#define ns_reject(x, usage) \ + (((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage))) + static void x509v3_cache_extensions(X509 *x) { BASIC_CONSTRAINTS *bs; @@ -497,7 +505,8 @@ static void x509v3_cache_extensions(X509 *x) if (!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x))) { x->ex_flags |= EXFLAG_SI; /* If SKID matches AKID also indicate self signed */ - if (X509_check_akid(x, x->akid) == X509_V_OK) + if (X509_check_akid(x, x->akid) == X509_V_OK && + !ku_reject(x, KU_KEY_CERT_SIGN)) x->ex_flags |= EXFLAG_SS; } x->altname = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL); @@ -536,14 +545,6 @@ static void x509v3_cache_extensions(X509 *x) * 4 basicConstraints absent but keyUsage present and keyCertSign asserted. */ -#define V1_ROOT (EXFLAG_V1|EXFLAG_SS) -#define ku_reject(x, usage) \ - (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage))) -#define xku_reject(x, usage) \ - (((x)->ex_flags & EXFLAG_XKUSAGE) && !((x)->ex_xkusage & (usage))) -#define ns_reject(x, usage) \ - (((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage))) - static int check_ca(const X509 *x) { /* keyUsage if present should allow cert signing */ _____ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits