Also update and slightly extend the respective documentation and simplify some code.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16251)
goto err;
}
- if (pkey->ameth->pkey_flags & ASN1_PKEY_SIGPARAM_NULL)
- paramtype = V_ASN1_NULL;
- else
- paramtype = V_ASN1_UNDEF;
-
- if (algor1)
- X509_ALGOR_set0(algor1, OBJ_nid2obj(signid), paramtype, NULL);
- if (algor2)
- X509_ALGOR_set0(algor2, OBJ_nid2obj(signid), paramtype, NULL);
-
+ paramtype = pkey->ameth->pkey_flags & ASN1_PKEY_SIGPARAM_NULL ?
+ V_ASN1_NULL : V_ASN1_UNDEF;
+ if (algor1 != NULL
+ && !X509_ALGOR_set0(algor1, OBJ_nid2obj(signid), paramtype, NULL))
+ goto err;
+ if (algor2 != NULL
+ && !X509_ALGOR_set0(algor2, OBJ_nid2obj(signid), paramtype, NULL))
+ goto err;
}
buf_len = ASN1_item_i2d(data, &buf_in, it);
if (alg == NULL)
return 0;
- if (ptype != V_ASN1_UNDEF) {
- if (alg->parameter == NULL)
- alg->parameter = ASN1_TYPE_new();
- if (alg->parameter == NULL)
- return 0;
- }
+ if (ptype != V_ASN1_UNDEF && alg->parameter == NULL
+ && (alg->parameter = ASN1_TYPE_new()) == NULL)
+ return 0;
ASN1_OBJECT_free(alg->algorithm);
alg->algorithm = aobj;
err:
X509_ALGOR_free(alg);
- ASN1_OBJECT_free(algo);
+ /* ASN1_OBJECT_free(algo) is not needed due to OBJ_nid2obj() */
return NULL;
}
}
/* Set up an X509_ALGOR DigestAlgorithmIdentifier from an EVP_MD */
-
void X509_ALGOR_set_md(X509_ALGOR *alg, const EVP_MD *md)
{
- int param_type;
-
- if (md->flags & EVP_MD_FLAG_DIGALGID_ABSENT)
- param_type = V_ASN1_UNDEF;
- else
- param_type = V_ASN1_NULL;
-
- X509_ALGOR_set0(alg, OBJ_nid2obj(EVP_MD_get_type(md)), param_type, NULL);
+ int type = md->flags & EVP_MD_FLAG_DIGALGID_ABSENT ? V_ASN1_UNDEF
+ : V_ASN1_NULL;
+ (void)X509_ALGOR_set0(alg, OBJ_nid2obj(EVP_MD_get_type(md)), type, NULL);
}
int X509_ALGOR_cmp(const X509_ALGOR *a, const X509_ALGOR *b)
/* allocate and set algorithm ID from EVP_MD, default SHA1 */
int ossl_x509_algor_new_from_md(X509_ALGOR **palg, const EVP_MD *md)
{
+ X509_ALGOR *alg;
+
/* Default is SHA1 so no need to create it - still success */
if (md == NULL || EVP_MD_is_a(md, "SHA1"))
return 1;
- *palg = X509_ALGOR_new();
- if (*palg == NULL)
+ if ((alg = X509_ALGOR_new()) == NULL)
return 0;
- X509_ALGOR_set_md(*palg, md);
+ X509_ALGOR_set_md(alg, md);
+ *palg = alg;
return 1;
}
cd->version = 0;
- X509_ALGOR_set0(cd->compressionAlgorithm,
- OBJ_nid2obj(NID_zlib_compression), V_ASN1_UNDEF, NULL);
+ (void)X509_ALGOR_set0(cd->compressionAlgorithm,
+ OBJ_nid2obj(NID_zlib_compression),
+ V_ASN1_UNDEF, NULL); /* cannot fail */
cd->encapContentInfo->eContentType = OBJ_nid2obj(NID_pkcs7_data);
pubkey->flags |= ASN1_STRING_FLAG_BITS_LEFT;
penc = NULL;
- X509_ALGOR_set0(talg, OBJ_nid2obj(NID_dhpublicnumber),
- V_ASN1_UNDEF, NULL);
+ (void)X509_ALGOR_set0(talg, OBJ_nid2obj(NID_dhpublicnumber),
+ V_ASN1_UNDEF, NULL); /* cannot fail */
}
/* See if custom parameters set */
goto err;
ASN1_STRING_set0(wrap_str, penc, penclen);
penc = NULL;
- X509_ALGOR_set0(talg, OBJ_nid2obj(NID_id_smime_alg_ESDH),
- V_ASN1_SEQUENCE, wrap_str);
-
- rv = 1;
+ rv = X509_ALGOR_set0(talg, OBJ_nid2obj(NID_id_smime_alg_ESDH),
+ V_ASN1_SEQUENCE, wrap_str);
+ if (!rv)
+ ASN1_STRING_free(wrap_str);
err:
OPENSSL_free(penc);
pubkey->flags |= ASN1_STRING_FLAG_BITS_LEFT;
penc = NULL;
- X509_ALGOR_set0(talg, OBJ_nid2obj(NID_X9_62_id_ecPublicKey),
- V_ASN1_UNDEF, NULL);
+ (void)X509_ALGOR_set0(talg, OBJ_nid2obj(NID_X9_62_id_ecPublicKey),
+ V_ASN1_UNDEF, NULL); /* cannot fail */
}
/* See if custom parameters set */
goto err;
ASN1_STRING_set0(wrap_str, penc, penclen);
penc = NULL;
- X509_ALGOR_set0(talg, OBJ_nid2obj(kdf_nid), V_ASN1_SEQUENCE, wrap_str);
-
- rv = 1;
+ rv = X509_ALGOR_set0(talg, OBJ_nid2obj(kdf_nid), V_ASN1_SEQUENCE, wrap_str);
+ if (!rv)
+ ASN1_STRING_free(wrap_str);
err:
OPENSSL_free(penc);
{
assert(verify == 0 || verify == 1);
- if (verify == 0) {
+ if (!verify) {
int snid, hnid;
X509_ALGOR *alg1, *alg2;
EVP_PKEY *pkey = si->pkey;
return -1;
if (!OBJ_find_sigid_by_algs(&snid, hnid, EVP_PKEY_get_id(pkey)))
return -1;
- X509_ALGOR_set0(alg2, OBJ_nid2obj(snid), V_ASN1_UNDEF, 0);
+ return X509_ALGOR_set0(alg2, OBJ_nid2obj(snid), V_ASN1_UNDEF, NULL);
}
return 1;
}
kekri->kekid->other->keyAttr = otherType;
}
- X509_ALGOR_set0(kekri->keyEncryptionAlgorithm,
- OBJ_nid2obj(nid), V_ASN1_UNDEF, NULL);
+ (void)X509_ALGOR_set0(kekri->keyEncryptionAlgorithm, OBJ_nid2obj(nid),
+ V_ASN1_UNDEF, NULL); /* cannot fail */
return ri;
if (EVP_PKEY_CTX_get_rsa_padding(pkctx, &pad_mode) <= 0)
return 0;
}
- if (pad_mode == RSA_PKCS1_PADDING) {
- X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaEncryption), V_ASN1_NULL, 0);
- return 1;
- }
+ if (pad_mode == RSA_PKCS1_PADDING)
+ return X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaEncryption),
+ V_ASN1_NULL, NULL);
+
/* Not supported */
if (pad_mode != RSA_PKCS1_OAEP_PADDING)
return 0;
}
/* create string with pss parameter encoding. */
if (!ASN1_item_pack(oaep, ASN1_ITEM_rptr(RSA_OAEP_PARAMS), &os))
- goto err;
- X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaesOaep), V_ASN1_SEQUENCE, os);
+ goto err;
+ if (!X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaesOaep), V_ASN1_SEQUENCE, os))
+ goto err;
os = NULL;
rv = 1;
err:
if (EVP_PKEY_CTX_get_rsa_padding(pkctx, &pad_mode) <= 0)
return 0;
}
- if (pad_mode == RSA_PKCS1_PADDING) {
- X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaEncryption), V_ASN1_NULL, 0);
- return 1;
- }
+ if (pad_mode == RSA_PKCS1_PADDING)
+ return X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaEncryption),
+ V_ASN1_NULL, NULL);
+
/* We don't support it */
if (pad_mode != RSA_PKCS1_PSS_PADDING)
return 0;
os = ossl_rsa_ctx_to_pss_string(pkctx);
if (os == NULL)
return 0;
- X509_ALGOR_set0(alg, OBJ_nid2obj(EVP_PKEY_RSA_PSS), V_ASN1_SEQUENCE, os);
- return 1;
+ if (X509_ALGOR_set0(alg, OBJ_nid2obj(EVP_PKEY_RSA_PSS),
+ V_ASN1_SEQUENCE, os))
+ return 1;
+ ASN1_STRING_free(os);
+ return 0;
}
static int rsa_cms_verify(CMS_SignerInfo *si)
if (md == NULL) {
int def_nid;
+
if (EVP_PKEY_get_default_digest_nid(pk, &def_nid) <= 0)
goto err;
md = EVP_get_digestbynid(def_nid);
}
}
- if (!md) {
- ERR_raise(ERR_LIB_CMS, CMS_R_NO_DIGEST_SET);
- goto err;
- }
-
if (md == NULL) {
ERR_raise(ERR_LIB_CMS, CMS_R_NO_DIGEST_SET);
goto err;
}
if (i == sk_X509_ALGOR_num(sd->digestAlgorithms)) {
- alg = X509_ALGOR_new();
- if (alg == NULL)
+ if ((alg = X509_ALGOR_new()) == NULL)
goto merr;
X509_ALGOR_set_md(alg, md);
if (!sk_X509_ALGOR_push(sd->digestAlgorithms, alg)) {
return 2;
}
+static int ecd_item_sign(X509_ALGOR *alg1, X509_ALGOR *alg2, int nid)
+{
+ /* Note that X509_ALGOR_set0(..., ..., V_ASN1_UNDEF, ...) cannot fail */
+ /* Set algorithms identifiers */
+ (void)X509_ALGOR_set0(alg1, OBJ_nid2obj(nid), V_ASN1_UNDEF, NULL);
+ if (alg2 != NULL)
+ (void)X509_ALGOR_set0(alg2, OBJ_nid2obj(nid), V_ASN1_UNDEF, NULL);
+ /* Algorithm identifiers set: carry on as normal */
+ return 3;
+}
+
static int ecd_item_sign25519(EVP_MD_CTX *ctx, const ASN1_ITEM *it,
const void *asn,
X509_ALGOR *alg1, X509_ALGOR *alg2,
ASN1_BIT_STRING *str)
{
- /* Set algorithms identifiers */
- X509_ALGOR_set0(alg1, OBJ_nid2obj(NID_ED25519), V_ASN1_UNDEF, NULL);
- if (alg2)
- X509_ALGOR_set0(alg2, OBJ_nid2obj(NID_ED25519), V_ASN1_UNDEF, NULL);
- /* Algorithm identifiers set: carry on as normal */
- return 3;
+ return ecd_item_sign(alg1, alg2, NID_ED25519);
}
static int ecd_sig_info_set25519(X509_SIG_INFO *siginf, const X509_ALGOR *alg,
X509_ALGOR *alg1, X509_ALGOR *alg2,
ASN1_BIT_STRING *str)
{
- /* Set algorithm identifier */
- X509_ALGOR_set0(alg1, OBJ_nid2obj(NID_ED448), V_ASN1_UNDEF, NULL);
- if (alg2 != NULL)
- X509_ALGOR_set0(alg2, OBJ_nid2obj(NID_ED448), V_ASN1_UNDEF, NULL);
- /* Algorithm identifier set: carry on as normal */
- return 3;
+ return ecd_item_sign(alg1, alg2, NID_ED448);
}
static int ecd_sig_info_set448(X509_SIG_INFO *siginf, const X509_ALGOR *alg,
static int pkcs7_ecdsa_or_dsa_sign_verify_setup(PKCS7_SIGNER_INFO *si,
int verify)
{
- if (verify == 0) {
+ if (!verify) {
int snid, hnid;
X509_ALGOR *alg1, *alg2;
EVP_PKEY *pkey = si->pkey;
return -1;
if (!OBJ_find_sigid_by_algs(&snid, hnid, EVP_PKEY_get_id(pkey)))
return -1;
- X509_ALGOR_set0(alg2, OBJ_nid2obj(snid), V_ASN1_UNDEF, 0);
+ return X509_ALGOR_set0(alg2, OBJ_nid2obj(snid), V_ASN1_UNDEF, NULL);
}
return 1;
}
static int pkcs7_rsa_sign_verify_setup(PKCS7_SIGNER_INFO *si, int verify)
{
- if (verify == 0) {
+ if (!verify) {
X509_ALGOR *alg = NULL;
PKCS7_SIGNER_INFO_get0_algs(si, NULL, NULL, &alg);
if (alg != NULL)
- X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaEncryption), V_ASN1_NULL, 0);
+ return X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaEncryption),
+ V_ASN1_NULL, NULL);
}
return 1;
}
/* We now need to add another PKCS7_SIGNER_INFO entry */
if (!ASN1_INTEGER_set(p7i->version, 1))
- goto err;
+ return 0;
if (!X509_NAME_set(&p7i->issuer_and_serial->issuer,
X509_get_issuer_name(x509)))
- goto err;
+ return 0;
/*
* because ASN1_INTEGER_set is used to set a 'long' we will do things the
ASN1_INTEGER_free(p7i->issuer_and_serial->serial);
if (!(p7i->issuer_and_serial->serial =
ASN1_INTEGER_dup(X509_get0_serialNumber(x509))))
- goto err;
+ return 0;
/* lets keep the pkey around for a while */
EVP_PKEY_up_ref(pkey);
/* Set the algorithms */
- X509_ALGOR_set0(p7i->digest_alg, OBJ_nid2obj(EVP_MD_get_type(dgst)),
- V_ASN1_NULL, NULL);
+ if (!X509_ALGOR_set0(p7i->digest_alg, OBJ_nid2obj(EVP_MD_get_type(dgst)),
+ V_ASN1_NULL, NULL))
+ return 0;
if (EVP_PKEY_is_a(pkey, "EC") || EVP_PKEY_is_a(pkey, "DSA"))
return pkcs7_ecdsa_or_dsa_sign_verify_setup(p7i, 0);
}
}
ERR_raise(ERR_LIB_PKCS7, PKCS7_R_SIGNING_NOT_SUPPORTED_FOR_THIS_KEY_TYPE);
- err:
return 0;
}
{
X509_ALGOR *alg = NULL;
- if (decrypt == 0) {
+ if (!decrypt) {
PKCS7_RECIP_INFO_get0_alg(ri, &alg);
if (alg != NULL)
- X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaEncryption), V_ASN1_NULL, 0);
+ return X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaEncryption),
+ V_ASN1_NULL, NULL);
}
return 1;
}
if (pad_mode == RSA_PKCS1_PADDING)
return 2;
if (pad_mode == RSA_PKCS1_PSS_PADDING) {
- ASN1_STRING *os1 = NULL;
- os1 = ossl_rsa_ctx_to_pss_string(pkctx);
- if (!os1)
+ ASN1_STRING *os1 = ossl_rsa_ctx_to_pss_string(pkctx);
+
+ if (os1 == NULL)
return 0;
/* Duplicate parameters if we have to */
- if (alg2) {
+ if (alg2 != NULL) {
ASN1_STRING *os2 = ASN1_STRING_dup(os1);
- if (!os2) {
- ASN1_STRING_free(os1);
- return 0;
+
+ if (os2 == NULL)
+ goto err;
+ if (!X509_ALGOR_set0(alg2, OBJ_nid2obj(EVP_PKEY_RSA_PSS),
+ V_ASN1_SEQUENCE, os2)) {
+ ASN1_STRING_free(os2);
+ goto err;
}
- X509_ALGOR_set0(alg2, OBJ_nid2obj(EVP_PKEY_RSA_PSS),
- V_ASN1_SEQUENCE, os2);
}
- X509_ALGOR_set0(alg1, OBJ_nid2obj(EVP_PKEY_RSA_PSS),
- V_ASN1_SEQUENCE, os1);
+ if (!X509_ALGOR_set0(alg1, OBJ_nid2obj(EVP_PKEY_RSA_PSS),
+ V_ASN1_SEQUENCE, os1))
+ goto err;
return 3;
+ err:
+ ASN1_STRING_free(os1);
+ return 0;
}
return 2;
}
=head1 NAME
-X509_ALGOR_dup, X509_ALGOR_set0, X509_ALGOR_get0, X509_ALGOR_set_md, X509_ALGOR_cmp, X509_ALGOR_copy - AlgorithmIdentifier functions
+X509_ALGOR_dup,
+X509_ALGOR_set0, X509_ALGOR_get0,
+X509_ALGOR_set_md, X509_ALGOR_cmp,
+X509_ALGOR_copy - AlgorithmIdentifier functions
=head1 SYNOPSIS
=head1 DESCRIPTION
-X509_ALGOR_dup() returns a copy of B<alg>.
+X509_ALGOR_dup() returns a copy of I<alg>.
-X509_ALGOR_set0() sets the algorithm OID of B<alg> to B<aobj> and the
-associated parameter type to B<ptype> with value B<pval>. If B<ptype> is
-B<V_ASN1_UNDEF> the parameter is omitted, otherwise B<ptype> and B<pval> have
-the same meaning as the B<type> and B<value> parameters to ASN1_TYPE_set().
+X509_ALGOR_set0() sets the algorithm OID of I<alg> to I<aobj> and the
+associated parameter type to I<ptype> with value I<pval>. If I<ptype> is
+B<V_ASN1_UNDEF> the parameter is omitted, otherwise I<ptype> and I<pval> have
+the same meaning as the I<type> and I<value> parameters to ASN1_TYPE_set().
All the supplied parameters are used internally so must B<NOT> be freed after
-this call.
+this call succeeded;
+otherwise ownership remains with the caller and I<alg> remains untouched.
X509_ALGOR_get0() is the inverse of X509_ALGOR_set0(): it returns the
-algorithm OID in B<*paobj> and the associated parameter in B<*pptype>
-and B<*ppval> from the B<AlgorithmIdentifier> B<alg>.
+algorithm OID in I<*paobj> and the associated parameter in I<*pptype>
+and I<*ppval> from the B<AlgorithmIdentifier> I<alg>.
-X509_ALGOR_set_md() sets the B<AlgorithmIdentifier> B<alg> to appropriate
-values for the message digest B<md>.
+X509_ALGOR_set_md() sets the B<AlgorithmIdentifier> I<alg> to appropriate
+values for the message digest I<md>.
-X509_ALGOR_cmp() compares B<a> and B<b> and returns 0 if they have identical
+X509_ALGOR_cmp() compares I<a> and I<b> and returns 0 if they have identical
encodings and nonzero otherwise.
X509_ALGOR_copy() copies the source values into the dest structs; making