Reviewed-by: Rich Salz <rsalz@openssl.org>
- pk = X509_get_pubkey(recip);
+ pk = X509_get0_pubkey(recip);
if (!pk) {
CMSerr(CMS_F_CMS_ADD1_RECIPIENT_CERT, CMS_R_ERROR_GETTING_PUBLIC_KEY);
goto err;
if (!pk) {
CMSerr(CMS_F_CMS_ADD1_RECIPIENT_CERT, CMS_R_ERROR_GETTING_PUBLIC_KEY);
goto err;
if (!sk_CMS_RecipientInfo_push(env->recipientInfos, ri))
goto merr;
if (!sk_CMS_RecipientInfo_push(env->recipientInfos, ri))
goto merr;
return ri;
merr:
CMSerr(CMS_F_CMS_ADD1_RECIPIENT_CERT, ERR_R_MALLOC_FAILURE);
err:
M_ASN1_free_of(ri, CMS_RecipientInfo);
return ri;
merr:
CMSerr(CMS_F_CMS_ADD1_RECIPIENT_CERT, ERR_R_MALLOC_FAILURE);
err:
M_ASN1_free_of(ri, CMS_RecipientInfo);
flags |= OCSP_NOVERIFY;
if (!(flags & OCSP_NOSIGS)) {
EVP_PKEY *skey;
flags |= OCSP_NOVERIFY;
if (!(flags & OCSP_NOSIGS)) {
EVP_PKEY *skey;
- skey = X509_get_pubkey(signer);
- if (skey) {
+ skey = X509_get0_pubkey(signer);
+ if (skey)
ret = OCSP_BASICRESP_verify(bs, skey, 0);
ret = OCSP_BASICRESP_verify(bs, skey, 0);
- EVP_PKEY_free(skey);
- }
if (!skey || ret <= 0) {
OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_SIGNATURE_FAILURE);
goto end;
if (!skey || ret <= 0) {
OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_SIGNATURE_FAILURE);
goto end;
flags |= OCSP_NOVERIFY;
if (!(flags & OCSP_NOSIGS)) {
EVP_PKEY *skey;
flags |= OCSP_NOVERIFY;
if (!(flags & OCSP_NOSIGS)) {
EVP_PKEY *skey;
- skey = X509_get_pubkey(signer);
+ skey = X509_get0_pubkey(signer);
ret = OCSP_REQUEST_verify(req, skey);
ret = OCSP_REQUEST_verify(req, skey);
if (ret <= 0) {
OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_SIGNATURE_FAILURE);
return 0;
if (ret <= 0) {
OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_SIGNATURE_FAILURE);
return 0;
int ret = 0;
size_t eklen;
int ret = 0;
size_t eklen;
- pkey = X509_get_pubkey(ri->cert);
+ pkey = X509_get0_pubkey(ri->cert);
EVP_PKEY_CTX_free(pctx);
OPENSSL_free(ek);
return ret;
EVP_PKEY_CTX_free(pctx);
OPENSSL_free(ek);
return ret;
- pkey = X509_get_pubkey(x509);
+ pkey = X509_get0_pubkey(x509);
if (!pkey) {
ret = -1;
goto err;
}
i = EVP_VerifyFinal(mdc_tmp, os->data, os->length, pkey);
if (!pkey) {
ret = -1;
goto err;
}
i = EVP_VerifyFinal(mdc_tmp, os->data, os->length, pkey);
if (i <= 0) {
PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY, PKCS7_R_SIGNATURE_FAILURE);
ret = -1;
if (i <= 0) {
PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY, PKCS7_R_SIGNATURE_FAILURE);
ret = -1;
ASN1_INTEGER_dup(X509_get_serialNumber(x509))))
return 0;
ASN1_INTEGER_dup(X509_get_serialNumber(x509))))
return 0;
- pkey = X509_get_pubkey(x509);
+ pkey = X509_get0_pubkey(x509);
if (!pkey || !pkey->ameth || !pkey->ameth->pkey_ctrl) {
PKCS7err(PKCS7_F_PKCS7_RECIP_INFO_SET,
if (!pkey || !pkey->ameth || !pkey->ameth->pkey_ctrl) {
PKCS7err(PKCS7_F_PKCS7_RECIP_INFO_SET,
X509_up_ref(x509);
p7i->cert = x509;
return 1;
err:
X509_up_ref(x509);
p7i->cert = x509;
return 1;
err:
rv = X509_V_ERR_SUITE_B_INVALID_VERSION;
goto end;
}
rv = X509_V_ERR_SUITE_B_INVALID_VERSION;
goto end;
}
- pk = X509_get_pubkey(x);
+ pk = X509_get0_pubkey(x);
rv = check_suite_b(pk, sign_nid, &tflags);
if (rv != X509_V_OK)
goto end;
rv = check_suite_b(pk, sign_nid, &tflags);
if (rv != X509_V_OK)
goto end;
if (!X509_REQ_set_subject_name(ret, X509_get_subject_name(x)))
goto err;
if (!X509_REQ_set_subject_name(ret, X509_get_subject_name(x)))
goto err;
- pktmp = X509_get_pubkey(x);
+ pktmp = X509_get0_pubkey(x);
if (pktmp == NULL)
goto err;
i = X509_REQ_set_pubkey(ret, pktmp);
if (pktmp == NULL)
goto err;
i = X509_REQ_set_pubkey(ret, pktmp);
return (0);
if (pkey == NULL)
return (0);
if (pkey == NULL)
- pk = X509_get_pubkey(x);
+ pk = X509_get0_pubkey(x);
- if (pkey == NULL)
- EVP_PKEY_free(pk);
if (c->pkeys[i].x509 != NULL) {
EVP_PKEY *pktmp;
if (c->pkeys[i].x509 != NULL) {
EVP_PKEY *pktmp;
- pktmp = X509_get_pubkey(c->pkeys[i].x509);
+ pktmp = X509_get0_pubkey(c->pkeys[i].x509);
if (pktmp == NULL) {
SSLerr(SSL_F_SSL_SET_PKEY, ERR_R_MALLOC_FAILURE);
if (pktmp == NULL) {
SSLerr(SSL_F_SSL_SET_PKEY, ERR_R_MALLOC_FAILURE);
* ignored. Some EVP_PKEY types cannot do this.
*/
EVP_PKEY_copy_parameters(pktmp, pkey);
* ignored. Some EVP_PKEY types cannot do this.
*/
EVP_PKEY_copy_parameters(pktmp, pkey);
ERR_clear_error();
#ifndef OPENSSL_NO_RSA
ERR_clear_error();
#ifndef OPENSSL_NO_RSA
- pkey = X509_get_pubkey(x);
+ pkey = X509_get0_pubkey(x);
if (pkey == NULL) {
SSLerr(SSL_F_SSL_SET_CERT, SSL_R_X509_LIB);
return (0);
if (pkey == NULL) {
SSLerr(SSL_F_SSL_SET_CERT, SSL_R_X509_LIB);
return (0);
i = ssl_cert_type(x, pkey);
if (i < 0) {
SSLerr(SSL_F_SSL_SET_CERT, SSL_R_UNKNOWN_CERTIFICATE_TYPE);
i = ssl_cert_type(x, pkey);
if (i < 0) {
SSLerr(SSL_F_SSL_SET_CERT, SSL_R_UNKNOWN_CERTIFICATE_TYPE);
- EVP_PKEY_free(pkey);
- return (0);
}
if (c->pkeys[i].privatekey != NULL) {
}
if (c->pkeys[i].privatekey != NULL) {
X509_free(c->pkeys[i].x509);
X509_up_ref(x);
c->pkeys[i].x509 = x;
c->key = &(c->pkeys[i]);
X509_free(c->pkeys[i].x509);
X509_up_ref(x);
c->pkeys[i].x509 = x;
c->key = &(c->pkeys[i]);
}
#ifndef OPENSSL_NO_STDIO
}
#ifndef OPENSSL_NO_STDIO
* VRS 19990621: possible memory leak; sk=null ==> !sk_pop_free() @end
*/
* VRS 19990621: possible memory leak; sk=null ==> !sk_pop_free() @end
*/
- pkey = X509_get_pubkey(x);
+ pkey = X509_get0_pubkey(x);
if (pkey == NULL || EVP_PKEY_missing_parameters(pkey)) {
x = NULL;
if (pkey == NULL || EVP_PKEY_missing_parameters(pkey)) {
x = NULL;
err:
ossl_statem_set_error(s);
done:
err:
ossl_statem_set_error(s);
done:
X509_free(x);
sk_X509_pop_free(sk, X509_free);
return ret;
X509_free(x);
sk_X509_pop_free(sk, X509_free);
return ret;
/* We must check if there is a certificate */
if (alg_a & (SSL_aRSA|SSL_aDSS))
/* We must check if there is a certificate */
if (alg_a & (SSL_aRSA|SSL_aDSS))
- pkey = X509_get_pubkey(s->session->peer);
+ pkey = X509_get0_pubkey(s->session->peer);
}
#endif /* !OPENSSL_NO_SRP */
#ifndef OPENSSL_NO_DH
}
#endif /* !OPENSSL_NO_SRP */
#ifndef OPENSSL_NO_DH
goto f_err;
}
if (alg_a & (SSL_aRSA|SSL_aDSS))
goto f_err;
}
if (alg_a & (SSL_aRSA|SSL_aDSS))
- pkey = X509_get_pubkey(s->session->peer);
+ pkey = X509_get0_pubkey(s->session->peer);
/* else anonymous DH, so no certificate or pkey. */
}
#endif /* !OPENSSL_NO_DH */
/* else anonymous DH, so no certificate or pkey. */
}
#endif /* !OPENSSL_NO_DH */
if (0) ;
# ifndef OPENSSL_NO_RSA
else if (alg_a & SSL_aRSA)
if (0) ;
# ifndef OPENSSL_NO_RSA
else if (alg_a & SSL_aRSA)
- pkey = X509_get_pubkey(s->session->peer);
+ pkey = X509_get0_pubkey(s->session->peer);
# endif
# ifndef OPENSSL_NO_EC
else if (alg_a & SSL_aECDSA)
# endif
# ifndef OPENSSL_NO_EC
else if (alg_a & SSL_aECDSA)
- pkey = X509_get_pubkey(s->session->peer);
+ pkey = X509_get0_pubkey(s->session->peer);
# endif
/* else anonymous ECDH, so no certificate or pkey. */
} else if (alg_k) {
# endif
/* else anonymous ECDH, so no certificate or pkey. */
} else if (alg_k) {
EVP_MD_CTX_free(md_ctx);
return MSG_PROCESS_CONTINUE_READING;
f_err:
ssl3_send_alert(s, SSL3_AL_FATAL, al);
err:
EVP_MD_CTX_free(md_ctx);
return MSG_PROCESS_CONTINUE_READING;
f_err:
ssl3_send_alert(s, SSL3_AL_FATAL, al);
err:
#ifndef OPENSSL_NO_RSA
RSA_free(rsa);
#endif
#ifndef OPENSSL_NO_RSA
RSA_free(rsa);
#endif
- pkey = X509_get_pubkey(s->session->peer);
+ pkey = X509_get0_pubkey(s->session->peer);
if ((pkey == NULL) || (pkey->type != EVP_PKEY_RSA)
|| (pkey->pkey.rsa == NULL)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE,
ERR_R_INTERNAL_ERROR);
if ((pkey == NULL) || (pkey->type != EVP_PKEY_RSA)
|| (pkey->pkey.rsa == NULL)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE,
ERR_R_INTERNAL_ERROR);
unsigned int md_len;
unsigned char shared_ukm[32], tmp[256];
EVP_MD_CTX *ukm_hash;
unsigned int md_len;
unsigned char shared_ukm[32], tmp[256];
EVP_MD_CTX *ukm_hash;
int dgst_nid = NID_id_GostR3411_94;
if ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aGOST12) != 0)
dgst_nid = NID_id_GostR3411_2012_256;
int dgst_nid = NID_id_GostR3411_94;
if ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aGOST12) != 0)
dgst_nid = NID_id_GostR3411_2012_256;
- pkey_ctx = EVP_PKEY_CTX_new(pub_key =
- X509_get_pubkey(peer_cert), NULL);
+ pkey_ctx = EVP_PKEY_CTX_new(X509_get0_pubkey(peer_cert), NULL);
if (pkey_ctx == NULL) {
SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE,
ERR_R_MALLOC_FAILURE);
if (pkey_ctx == NULL) {
SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE,
ERR_R_MALLOC_FAILURE);
s->s3->flags |= TLS1_FLAGS_SKIP_CERT_VERIFY;
}
EVP_PKEY_CTX_free(pkey_ctx);
s->s3->flags |= TLS1_FLAGS_SKIP_CERT_VERIFY;
}
EVP_PKEY_CTX_free(pkey_ctx);
- EVP_PKEY_free(pub_key);
- pkey = X509_get_pubkey(s->session->peer);
+ pkey = X509_get0_pubkey(s->session->peer);
i = X509_certificate_type(s->session->peer, pkey);
i = X509_certificate_type(s->session->peer, pkey);
/* Check that we have a certificate if we require one */
if ((alg_a & SSL_aRSA) && !has_bits(i, EVP_PK_RSA | EVP_PKT_SIGN)) {
/* Check that we have a certificate if we require one */
if ((alg_a & SSL_aRSA) && !has_bits(i, EVP_PK_RSA | EVP_PKT_SIGN)) {
* EVP_PKEY_derive_set_peer, because it is completely valid to use a
* client certificate for authorization only.
*/
* EVP_PKEY_derive_set_peer, because it is completely valid to use a
* client certificate for authorization only.
*/
- client_pub_pkey = X509_get_pubkey(s->session->peer);
+ client_pub_pkey = X509_get0_pubkey(s->session->peer);
if (client_pub_pkey) {
if (EVP_PKEY_derive_set_peer(pkey_ctx, client_pub_pkey) <= 0)
ERR_clear_error();
if (client_pub_pkey) {
if (EVP_PKEY_derive_set_peer(pkey_ctx, client_pub_pkey) <= 0)
ERR_clear_error();
(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2, NULL) > 0)
s->statem.no_cert_verify = 1;
(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2, NULL) > 0)
s->statem.no_cert_verify = 1;
- EVP_PKEY_free(client_pub_pkey);
EVP_PKEY_CTX_free(pkey_ctx);
return MSG_PROCESS_CONTINUE_PROCESSING;
gerr:
EVP_PKEY_CTX_free(pkey_ctx);
return MSG_PROCESS_CONTINUE_PROCESSING;
gerr:
- EVP_PKEY_free(client_pub_pkey);
EVP_PKEY_CTX_free(pkey_ctx);
goto f_err;
} else
EVP_PKEY_CTX_free(pkey_ctx);
goto f_err;
} else
}
peer = s->session->peer;
}
peer = s->session->peer;
- pkey = X509_get_pubkey(peer);
+ pkey = X509_get0_pubkey(peer);
type = X509_certificate_type(peer, pkey);
if (!(type & EVP_PKT_SIGN)) {
type = X509_certificate_type(peer, pkey);
if (!(type & EVP_PKT_SIGN)) {
BIO_free(s->s3->handshake_buffer);
s->s3->handshake_buffer = NULL;
EVP_MD_CTX_free(mctx);
BIO_free(s->s3->handshake_buffer);
s->s3->handshake_buffer = NULL;
EVP_MD_CTX_free(mctx);
al = SSL_AD_HANDSHAKE_FAILURE;
goto f_err;
}
al = SSL_AD_HANDSHAKE_FAILURE;
goto f_err;
}
- pkey = X509_get_pubkey(sk_X509_value(sk, 0));
+ pkey = X509_get0_pubkey(sk_X509_value(sk, 0));
if (pkey == NULL) {
al = SSL3_AD_HANDSHAKE_FAILURE;
SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
SSL_R_UNKNOWN_CERTIFICATE_TYPE);
goto f_err;
}
if (pkey == NULL) {
al = SSL3_AD_HANDSHAKE_FAILURE;
SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
SSL_R_UNKNOWN_CERTIFICATE_TYPE);
goto f_err;
}
}
X509_free(s->session->peer);
}
X509_free(s->session->peer);
unsigned char comp_id, curve_id[2];
EVP_PKEY *pkey;
int rv;
unsigned char comp_id, curve_id[2];
EVP_PKEY *pkey;
int rv;
- pkey = X509_get_pubkey(x);
+ pkey = X509_get0_pubkey(x);
if (!pkey)
return 0;
/* If not EC nothing to do */
if (!pkey)
return 0;
/* If not EC nothing to do */
- if (pkey->type != EVP_PKEY_EC) {
- EVP_PKEY_free(pkey);
+ if (pkey->type != EVP_PKEY_EC)
rv = tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec);
rv = tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec);
static int ssl_security_cert_key(SSL *s, SSL_CTX *ctx, X509 *x, int op)
{
int secbits = -1;
static int ssl_security_cert_key(SSL *s, SSL_CTX *ctx, X509 *x, int op)
{
int secbits = -1;
- EVP_PKEY *pkey = X509_get_pubkey(x);
+ EVP_PKEY *pkey = X509_get0_pubkey(x);
if (pkey) {
/*
* If no parameters this will return -1 and fail using the default
if (pkey) {
/*
* If no parameters this will return -1 and fail using the default
* omission of parameters is never (?) done in practice.
*/
secbits = EVP_PKEY_security_bits(pkey);
* omission of parameters is never (?) done in practice.
*/
secbits = EVP_PKEY_security_bits(pkey);
}
if (s)
return ssl_security(s, op, secbits, 0, x);
}
if (s)
return ssl_security(s, op, secbits, 0, x);
projects / openssl.git / commitdiff