New function X509_get0_pubkey
authorDr. Stephen Henson <steve@openssl.org>
Mon, 14 Dec 2015 13:13:32 +0000 (13:13 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Mon, 14 Dec 2015 23:06:14 +0000 (23:06 +0000)
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
12 files changed:
apps/ca.c
apps/crl.c
apps/s_cb.c
apps/s_client.c
apps/x509.c
crypto/asn1/x_pubkey.c
crypto/x509/t_x509.c
crypto/x509/x509_cmp.c
crypto/x509/x509_err.c
crypto/x509/x509_vfy.c
doc/crypto/X509_get_pubkey.pod
include/openssl/x509.h

index 535526c..6404e48 100644 (file)
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -1402,12 +1402,11 @@ static int certify_cert(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
 
     BIO_printf(bio_err, "Check that the request matches the signature\n");
 
-    if ((pktmp = X509_get_pubkey(req)) == NULL) {
+    if ((pktmp = X509_get0_pubkey(req)) == NULL) {
         BIO_printf(bio_err, "error unpacking public key\n");
         goto end;
     }
     i = X509_verify(req, pktmp);
-    EVP_PKEY_free(pktmp);
     if (i < 0) {
         ok = 0;
         BIO_printf(bio_err, "Signature verification problems....\n");
@@ -1890,11 +1889,10 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
         }
     }
 
-    pktmp = X509_get_pubkey(ret);
+    pktmp = X509_get0_pubkey(ret);
     if (EVP_PKEY_missing_parameters(pktmp) &&
         !EVP_PKEY_missing_parameters(pkey))
         EVP_PKEY_copy_parameters(pktmp, pkey);
-    EVP_PKEY_free(pktmp);
 
     if (!do_X509_sign(ret, pkey, dgst, sigopts))
         goto end;
index b2a5d7f..3f64cdd 100644 (file)
@@ -253,14 +253,13 @@ int crl_main(int argc, char **argv)
             BIO_printf(bio_err, "Error getting CRL issuer certificate\n");
             goto end;
         }
-        pkey = X509_get_pubkey(xobj.data.x509);
+        pkey = X509_get0_pubkey(xobj.data.x509);
         X509_OBJECT_free_contents(&xobj);
         if (!pkey) {
             BIO_printf(bio_err, "Error getting CRL issuer public key\n");
             goto end;
         }
         i = X509_CRL_verify(x, pkey);
-        EVP_PKEY_free(pkey);
         if (i < 0)
             goto end;
         if (i == 0)
index 734d57f..7a4bf29 100644 (file)
@@ -1402,13 +1402,12 @@ static int security_callback_debug(SSL *s, SSL_CTX *ctx,
                 int sig_nid = X509_get_signature_nid(other);
                 BIO_puts(sdb->out, OBJ_nid2sn(sig_nid));
             } else {
-                EVP_PKEY *pkey = X509_get_pubkey(other);
+                EVP_PKEY *pkey = X509_get0_pubkey(other);
                 const char *algname = "";
                 EVP_PKEY_asn1_get0_info(NULL, NULL, NULL, NULL,
                                         &algname, EVP_PKEY_get0_asn1(pkey));
                 BIO_printf(sdb->out, "%s, bits=%d",
                            algname, EVP_PKEY_bits(pkey));
-                EVP_PKEY_free(pkey);
             }
             break;
         }
index f93ae35..5aa1adc 100644 (file)
@@ -2206,10 +2206,9 @@ static void print_stuff(BIO *bio, SSL *s, int full)
                SSL_CIPHER_get_version(c), SSL_CIPHER_get_name(c));
     if (peer != NULL) {
         EVP_PKEY *pktmp;
-        pktmp = X509_get_pubkey(peer);
+        pktmp = X509_get0_pubkey(peer);
         BIO_printf(bio, "Server public key is %d bit\n",
                    EVP_PKEY_bits(pktmp));
-        EVP_PKEY_free(pktmp);
     }
     BIO_printf(bio, "Secure Renegotiation IS%s supported\n",
                SSL_get_secure_renegotiation_support(s) ? "" : " NOT");
index 7155b33..1677ba5 100644 (file)
@@ -723,7 +723,7 @@ int x509_main(int argc, char **argv)
             } else if (modulus == i) {
                 EVP_PKEY *pkey;
 
-                pkey = X509_get_pubkey(x);
+                pkey = X509_get0_pubkey(x);
                 if (pkey == NULL) {
                     BIO_printf(bio_err, "Modulus=unavailable\n");
                     ERR_print_errors(bio_err);
@@ -742,18 +742,16 @@ int x509_main(int argc, char **argv)
 #endif
                     BIO_printf(out, "Wrong Algorithm type");
                 BIO_printf(out, "\n");
-                EVP_PKEY_free(pkey);
             } else if (pubkey == i) {
                 EVP_PKEY *pkey;
 
-                pkey = X509_get_pubkey(x);
+                pkey = X509_get0_pubkey(x);
                 if (pkey == NULL) {
                     BIO_printf(bio_err, "Error getting public key\n");
                     ERR_print_errors(bio_err);
                     goto end;
                 }
                 PEM_write_bio_PUBKEY(out, pkey);
-                EVP_PKEY_free(pkey);
             } else if (C == i) {
                 unsigned char *d;
                 char *m;
@@ -991,9 +989,8 @@ static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest,
     X509_STORE_CTX xsc;
     EVP_PKEY *upkey;
 
-    upkey = X509_get_pubkey(xca);
+    upkey = X509_get0_pubkey(xca);
     EVP_PKEY_copy_parameters(upkey, pkey);
-    EVP_PKEY_free(upkey);
 
     if (!X509_STORE_CTX_init(&xsc, ctx, x, NULL)) {
         BIO_printf(bio_err, "Error initialising X509 store\n");
index d200190..36a130d 100644 (file)
@@ -121,38 +121,36 @@ int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey)
     return 0;
 }
 
-EVP_PKEY *X509_PUBKEY_get(X509_PUBKEY *key)
+EVP_PKEY *X509_PUBKEY_get0(X509_PUBKEY *key)
 {
     EVP_PKEY *ret = NULL;
 
     if (key == NULL)
         goto error;
 
-    if (key->pkey != NULL) {
-        CRYPTO_add(&key->pkey->references, 1, CRYPTO_LOCK_EVP_PKEY);
+    if (key->pkey != NULL)
         return key->pkey;
-    }
 
     if (key->public_key == NULL)
         goto error;
 
     if ((ret = EVP_PKEY_new()) == NULL) {
-        X509err(X509_F_X509_PUBKEY_GET, ERR_R_MALLOC_FAILURE);
+        X509err(X509_F_X509_PUBKEY_GET0, ERR_R_MALLOC_FAILURE);
         goto error;
     }
 
     if (!EVP_PKEY_set_type(ret, OBJ_obj2nid(key->algor->algorithm))) {
-        X509err(X509_F_X509_PUBKEY_GET, X509_R_UNSUPPORTED_ALGORITHM);
+        X509err(X509_F_X509_PUBKEY_GET0, X509_R_UNSUPPORTED_ALGORITHM);
         goto error;
     }
 
     if (ret->ameth->pub_decode) {
         if (!ret->ameth->pub_decode(ret, key)) {
-            X509err(X509_F_X509_PUBKEY_GET, X509_R_PUBLIC_KEY_DECODE_ERROR);
+            X509err(X509_F_X509_PUBKEY_GET0, X509_R_PUBLIC_KEY_DECODE_ERROR);
             goto error;
         }
     } else {
-        X509err(X509_F_X509_PUBKEY_GET, X509_R_METHOD_NOT_SUPPORTED);
+        X509err(X509_F_X509_PUBKEY_GET0, X509_R_METHOD_NOT_SUPPORTED);
         goto error;
     }
 
@@ -166,7 +164,6 @@ EVP_PKEY *X509_PUBKEY_get(X509_PUBKEY *key)
         key->pkey = ret;
         CRYPTO_w_unlock(CRYPTO_LOCK_EVP_PKEY);
     }
-    CRYPTO_add(&ret->references, 1, CRYPTO_LOCK_EVP_PKEY);
 
     return ret;
 
@@ -175,6 +172,14 @@ EVP_PKEY *X509_PUBKEY_get(X509_PUBKEY *key)
     return (NULL);
 }
 
+EVP_PKEY *X509_PUBKEY_get(X509_PUBKEY *key)
+{
+    EVP_PKEY *ret = X509_PUBKEY_get0(key);
+    if (ret != NULL)
+        EVP_PKEY_up_ref(ret);
+    return ret;
+}
+
 /*
  * Now two pseudo ASN1 routines that take an EVP_PKEY structure and encode or
  * decode as X509_PUBKEY
index 3a29f40..204aed4 100644 (file)
@@ -209,13 +209,12 @@ int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags,
         if (BIO_puts(bp, "\n") <= 0)
             goto err;
 
-        pkey = X509_get_pubkey(x);
+        pkey = X509_get0_pubkey(x);
         if (pkey == NULL) {
             BIO_printf(bp, "%12sUnable to load Public Key\n", "");
             ERR_print_errors(bp);
         } else {
             EVP_PKEY_print_public(bp, pkey, 16, NULL);
-            EVP_PKEY_free(pkey);
         }
     }
 
index 5c3ac6a..9d9ea4b 100644 (file)
@@ -305,11 +305,18 @@ X509 *X509_find_by_subject(STACK_OF(X509) *sk, X509_NAME *name)
     return (NULL);
 }
 
+EVP_PKEY *X509_get0_pubkey(X509 *x)
+{
+    if (x == NULL)
+        return NULL;
+    return X509_PUBKEY_get0(x->cert_info.key);
+}
+
 EVP_PKEY *X509_get_pubkey(X509 *x)
 {
     if (x == NULL)
-        return (NULL);
-    return (X509_PUBKEY_get(x->cert_info.key));
+        return NULL;
+    return X509_PUBKEY_get(x->cert_info.key);
 }
 
 ASN1_BIT_STRING *X509_get0_pubkey_bitstr(const X509 *x)
@@ -324,7 +331,7 @@ int X509_check_private_key(X509 *x, EVP_PKEY *k)
     EVP_PKEY *xk;
     int ret;
 
-    xk = X509_get_pubkey(x);
+    xk = X509_get0_pubkey(x);
 
     if (xk)
         ret = EVP_PKEY_cmp(xk, k);
@@ -343,7 +350,6 @@ int X509_check_private_key(X509 *x, EVP_PKEY *k)
     case -2:
         X509err(X509_F_X509_CHECK_PRIVATE_KEY, X509_R_UNKNOWN_KEY_TYPE);
     }
-    EVP_PKEY_free(xk);
     if (ret > 0)
         return 1;
     return 0;
@@ -411,7 +417,7 @@ int X509_chain_check_suiteb(int *perror_depth, X509 *x, STACK_OF(X509) *chain,
         goto end;
     }
 
-    pk = X509_get_pubkey(x);
+    pk = X509_get0_pubkey(x);
     /* Check EE key only */
     rv = check_suite_b(pk, -1, &tflags);
     if (rv != X509_V_OK) {
@@ -426,7 +432,6 @@ int X509_chain_check_suiteb(int *perror_depth, X509 *x, STACK_OF(X509) *chain,
             rv = X509_V_ERR_SUITE_B_INVALID_VERSION;
             goto end;
         }
-        EVP_PKEY_free(pk);
         pk = X509_get_pubkey(x);
         rv = check_suite_b(pk, sign_nid, &tflags);
         if (rv != X509_V_OK)
@@ -436,7 +441,6 @@ int X509_chain_check_suiteb(int *perror_depth, X509 *x, STACK_OF(X509) *chain,
     /* Final check: root CA signature */
     rv = check_suite_b(pk, X509_get_signature_nid(x), &tflags);
  end:
-    EVP_PKEY_free(pk);
     if (rv != X509_V_OK) {
         /* Invalid signature or LOS errors are for previous cert */
         if ((rv == X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM
index a6fae61..25f90ea 100644 (file)
@@ -109,7 +109,7 @@ static ERR_STRING_DATA X509_str_functs[] = {
     {ERR_FUNC(X509_F_X509_NAME_ONELINE), "X509_NAME_oneline"},
     {ERR_FUNC(X509_F_X509_NAME_PRINT), "X509_NAME_print"},
     {ERR_FUNC(X509_F_X509_PRINT_EX_FP), "X509_print_ex_fp"},
-    {ERR_FUNC(X509_F_X509_PUBKEY_GET), "X509_PUBKEY_get"},
+    {ERR_FUNC(X509_F_X509_PUBKEY_GET0), "X509_PUBKEY_get0"},
     {ERR_FUNC(X509_F_X509_PUBKEY_SET), "X509_PUBKEY_set"},
     {ERR_FUNC(X509_F_X509_REQ_CHECK_PRIVATE_KEY),
      "X509_REQ_check_private_key"},
index 3156e04..3acb374 100644 (file)
@@ -1559,7 +1559,7 @@ static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl)
         }
 
         /* Attempt to get issuer certificate public key */
-        ikey = X509_get_pubkey(issuer);
+        ikey = X509_get0_pubkey(issuer);
 
         if (!ikey) {
             ctx->error = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
@@ -1588,7 +1588,6 @@ static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl)
     ok = 1;
 
  err:
-    EVP_PKEY_free(ikey);
     return ok;
 }
 
@@ -1769,7 +1768,7 @@ static int internal_verify(X509_STORE_CTX *ctx)
         if (!xs->valid
             && (xs != xi
                 || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE))) {
-            if ((pkey = X509_get_pubkey(xi)) == NULL) {
+            if ((pkey = X509_get0_pubkey(xi)) == NULL) {
                 ctx->error = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
                 ctx->current_cert = xi;
                 ok = (*cb) (0, ctx);
@@ -1779,13 +1778,9 @@ static int internal_verify(X509_STORE_CTX *ctx)
                 ctx->error = X509_V_ERR_CERT_SIGNATURE_FAILURE;
                 ctx->current_cert = xs;
                 ok = (*cb) (0, ctx);
-                if (!ok) {
-                    EVP_PKEY_free(pkey);
+                if (!ok)
                     goto end;
-                }
             }
-            EVP_PKEY_free(pkey);
-            pkey = NULL;
         }
 
         xs->valid = 1;
@@ -1973,7 +1968,7 @@ int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain)
         return 1;
 
     for (i = 0; i < sk_X509_num(chain); i++) {
-        ktmp = X509_get_pubkey(sk_X509_value(chain, i));
+        ktmp = X509_get0_pubkey(sk_X509_value(chain, i));
         if (ktmp == NULL) {
             X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,
                     X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY);
@@ -1981,8 +1976,6 @@ int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain)
         }
         if (!EVP_PKEY_missing_parameters(ktmp))
             break;
-        EVP_PKEY_free(ktmp);
-        ktmp = NULL;
     }
     if (ktmp == NULL) {
         X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,
@@ -1992,14 +1985,12 @@ int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain)
 
     /* first, populate the other certs */
     for (j = i - 1; j >= 0; j--) {
-        ktmp2 = X509_get_pubkey(sk_X509_value(chain, j));
+        ktmp2 = X509_get0_pubkey(sk_X509_value(chain, j));
         EVP_PKEY_copy_parameters(ktmp2, ktmp);
-        EVP_PKEY_free(ktmp2);
     }
 
     if (pkey != NULL)
         EVP_PKEY_copy_parameters(pkey, ktmp);
-    EVP_PKEY_free(ktmp);
     return 1;
 }
 
index c59ce2a..2740f98 100644 (file)
@@ -2,7 +2,7 @@
 
 =head1 NAME
 
-X509_get_pubkey, X509_set_pubkey, X509_get_X509_PUBKEY,
+X509_get_pubkey, X509_get0_pubkey, X509_set_pubkey, X509_get_X509_PUBKEY,
 X509_REQ_get_pubkey, X509_REQ_set_pubkey, X509_REQ_get_X509_PUBKEY - get or
 set certificate or certificate request public key.
 
@@ -11,6 +11,7 @@ set certificate or certificate request public key.
  #include <openssl/x509.h>
 
  EVP_PKEY *X509_get_pubkey(X509 *x);
+ EVP_PKEY *X509_get0_pubkey(X509 *x);
  int X509_set_pubkey(X509 *x, EVP_PKEY *pkey);
  X509_PUBKEY *X509_get_X509_PUBKEY(X509 *x);
 
@@ -23,6 +24,8 @@ set certificate or certificate request public key.
 X509_get_pubkey() attempts to decode the public key for certificate B<x>. If
 successful it returns the public key as an B<EVP_PKEY> pointer with its
 reference count incremented: this means the returned key must be freed up
+after use. X509_get0_pubkey() is similar except it does B<not> increment
+the reference count of the returned B<EVP_PKEY> so it must not be freed up
 after use.
 
 X509_get_X509_PUBKEY() returns an internal pointer to the B<X509_PUBKEY>
@@ -44,9 +47,9 @@ improve performance.
 
 =head1 RETURN VALUES
 
-X509_get_pubkey(), X509_get_X509_PUBKEY(), X509_REQ_get_pubkey() and
-X509_REQ_get_X509_PUBKEY() return a public key or B<NULL> if an error
-occurred.
+X509_get_pubkey(), X509_get0_pubkey(), X509_get_X509_PUBKEY(),
+X509_REQ_get_pubkey() and X509_REQ_get_X509_PUBKEY() return a public key or
+B<NULL> if an error occurred.
 
 X509_set_pubkey() and X509_REQ_set_pubkey() rerturn 1 for success and 0
 for failure.
index d33bcec..167aae8 100644 (file)
@@ -575,6 +575,7 @@ DECLARE_ASN1_FUNCTIONS(X509_VAL)
 DECLARE_ASN1_FUNCTIONS(X509_PUBKEY)
 
 int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey);
+EVP_PKEY *X509_PUBKEY_get0(X509_PUBKEY *key);
 EVP_PKEY *X509_PUBKEY_get(X509_PUBKEY *key);
 int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain);
 int i2d_PUBKEY(EVP_PKEY *a, unsigned char **pp);
@@ -708,6 +709,7 @@ STACK_OF(X509_EXTENSION) *X509_get0_extensions(const X509 *x);
 void X509_get0_uids(ASN1_BIT_STRING **piuid, ASN1_BIT_STRING **psuid, X509 *x);
 X509_ALGOR *X509_get0_tbs_sigalg(X509 *x);
 
+EVP_PKEY *X509_get0_pubkey(X509 *x);
 EVP_PKEY *X509_get_pubkey(X509 *x);
 ASN1_BIT_STRING *X509_get0_pubkey_bitstr(const X509 *x);
 int X509_certificate_type(X509 *x, EVP_PKEY *pubkey /* optional */ );
@@ -1097,7 +1099,7 @@ void ERR_load_X509_strings(void);
 # define X509_F_X509_NAME_ONELINE                         116
 # define X509_F_X509_NAME_PRINT                           117
 # define X509_F_X509_PRINT_EX_FP                          118
-# define X509_F_X509_PUBKEY_GET                           119
+# define X509_F_X509_PUBKEY_GET0                          119
 # define X509_F_X509_PUBKEY_SET                           120
 # define X509_F_X509_REQ_CHECK_PRIVATE_KEY                144
 # define X509_F_X509_REQ_PRINT_EX                         121