diff options
Diffstat (limited to 'crypto/cms')
| -rw-r--r-- | crypto/cms/cms_asn1.c | 30 | ||||
| -rw-r--r-- | crypto/cms/cms_dh.c | 15 | ||||
| -rw-r--r-- | crypto/cms/cms_ec.c | 16 | ||||
| -rw-r--r-- | crypto/cms/cms_local.h | 5 | ||||
| -rw-r--r-- | crypto/cms/cms_rsa.c | 33 | ||||
| -rw-r--r-- | crypto/cms/cms_smime.c | 6 |
6 files changed, 62 insertions, 43 deletions
diff --git a/crypto/cms/cms_asn1.c b/crypto/cms/cms_asn1.c index 580850bc9395..fb87f6c6ad27 100644 --- a/crypto/cms/cms_asn1.c +++ b/crypto/cms/cms_asn1.c @@ -1,5 +1,5 @@ /* - * Copyright 2008-2025 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2008-2026 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -23,7 +23,7 @@ ASN1_SEQUENCE(CMS_OtherCertificateFormat) = { ASN1_OPT(CMS_OtherCertificateFormat, otherCert, ASN1_ANY) } static_ASN1_SEQUENCE_END(CMS_OtherCertificateFormat) - ASN1_CHOICE(CMS_CertificateChoices) +ASN1_CHOICE(CMS_CertificateChoices) = { ASN1_SIMPLE(CMS_CertificateChoices, d.certificate, X509), ASN1_IMP(CMS_CertificateChoices, d.extendedCertificate, ASN1_SEQUENCE, 0), ASN1_IMP(CMS_CertificateChoices, d.v1AttrCert, ASN1_SEQUENCE, 1), ASN1_IMP(CMS_CertificateChoices, d.v2AttrCert, ASN1_SEQUENCE, 2), ASN1_IMP(CMS_CertificateChoices, d.other, CMS_OtherCertificateFormat, 3) } ASN1_CHOICE_END(CMS_CertificateChoices) ASN1_CHOICE(CMS_SignerIdentifier) = { @@ -31,11 +31,11 @@ ASN1_CHOICE(CMS_SignerIdentifier) = { ASN1_IMP(CMS_SignerIdentifier, d.subjectKeyIdentifier, ASN1_OCTET_STRING, 0) } static_ASN1_CHOICE_END(CMS_SignerIdentifier) - ASN1_NDEF_SEQUENCE(CMS_EncapsulatedContentInfo) +ASN1_NDEF_SEQUENCE(CMS_EncapsulatedContentInfo) = { ASN1_SIMPLE(CMS_EncapsulatedContentInfo, eContentType, ASN1_OBJECT), ASN1_NDEF_EXP_OPT(CMS_EncapsulatedContentInfo, eContent, ASN1_OCTET_STRING_NDEF, 0) } static_ASN1_NDEF_SEQUENCE_END(CMS_EncapsulatedContentInfo) - /* Minor tweak to operation: free up signer key, cert */ - static int cms_si_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg) +/* Minor tweak to operation: free up signer key, cert */ +static int cms_si_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg) { if (operation == ASN1_OP_FREE_POST) { CMS_SignerInfo *si = (CMS_SignerInfo *)*pval; @@ -62,7 +62,7 @@ ASN1_SEQUENCE(CMS_OtherRevocationInfoFormat) = { ASN1_OPT(CMS_OtherRevocationInfoFormat, otherRevInfo, ASN1_ANY) } static_ASN1_SEQUENCE_END(CMS_OtherRevocationInfoFormat) - ASN1_CHOICE(CMS_RevocationInfoChoice) +ASN1_CHOICE(CMS_RevocationInfoChoice) = { ASN1_SIMPLE(CMS_RevocationInfoChoice, d.crl, X509_CRL), ASN1_IMP(CMS_RevocationInfoChoice, d.other, CMS_OtherRevocationInfoFormat, 1) } ASN1_CHOICE_END(CMS_RevocationInfoChoice) ASN1_NDEF_SEQUENCE(CMS_SignedData) = { @@ -80,7 +80,7 @@ ASN1_SEQUENCE(CMS_OriginatorInfo) = { ASN1_IMP_SET_OF_OPT(CMS_OriginatorInfo, crls, CMS_RevocationInfoChoice, 1) } static_ASN1_SEQUENCE_END(CMS_OriginatorInfo) - static int cms_ec_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg) +static int cms_ec_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg) { CMS_EncryptedContentInfo *ec = (CMS_EncryptedContentInfo *)*pval; @@ -118,7 +118,7 @@ ASN1_CHOICE(CMS_KeyAgreeRecipientIdentifier) = { ASN1_IMP(CMS_KeyAgreeRecipientIdentifier, d.rKeyId, CMS_RecipientKeyIdentifier, 0) } static_ASN1_CHOICE_END(CMS_KeyAgreeRecipientIdentifier) - static int cms_rek_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg) +static int cms_rek_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg) { CMS_RecipientEncryptedKey *rek = (CMS_RecipientEncryptedKey *)*pval; if (operation == ASN1_OP_FREE_POST) { @@ -143,7 +143,7 @@ ASN1_CHOICE(CMS_OriginatorIdentifierOrKey) = { ASN1_IMP(CMS_OriginatorIdentifierOrKey, d.originatorKey, CMS_OriginatorPublicKey, 1) } static_ASN1_CHOICE_END(CMS_OriginatorIdentifierOrKey) - static int cms_kari_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg) +static int cms_kari_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg) { CMS_KeyAgreeRecipientInfo *kari = (CMS_KeyAgreeRecipientInfo *)*pval; if (operation == ASN1_OP_NEW_POST) { @@ -173,7 +173,7 @@ ASN1_SEQUENCE(CMS_KEKIdentifier) = { ASN1_OPT(CMS_KEKIdentifier, other, CMS_OtherKeyAttribute) } static_ASN1_SEQUENCE_END(CMS_KEKIdentifier) - ASN1_SEQUENCE(CMS_KEKRecipientInfo) +ASN1_SEQUENCE(CMS_KEKRecipientInfo) = { ASN1_EMBED(CMS_KEKRecipientInfo, version, INT32), ASN1_SIMPLE(CMS_KEKRecipientInfo, kekid, CMS_KEKIdentifier), ASN1_SIMPLE(CMS_KEKRecipientInfo, keyEncryptionAlgorithm, X509_ALGOR), ASN1_SIMPLE(CMS_KEKRecipientInfo, encryptedKey, ASN1_OCTET_STRING) } ASN1_SEQUENCE_END(CMS_KEKRecipientInfo) ASN1_SEQUENCE(CMS_PasswordRecipientInfo) = { @@ -188,8 +188,8 @@ ASN1_SEQUENCE(CMS_OtherRecipientInfo) = { ASN1_OPT(CMS_OtherRecipientInfo, oriValue, ASN1_ANY) } static_ASN1_SEQUENCE_END(CMS_OtherRecipientInfo) - /* Free up RecipientInfo additional data */ - static int cms_ri_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg) +/* Free up RecipientInfo additional data */ +static int cms_ri_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg) { if (operation == ASN1_OP_FREE_PRE) { CMS_RecipientInfo *ri = (CMS_RecipientInfo *)*pval; @@ -262,7 +262,7 @@ ASN1_NDEF_SEQUENCE(CMS_AuthenticatedData) = { ASN1_IMP_SET_OF_OPT(CMS_AuthenticatedData, unauthAttrs, X509_ALGOR, 3) } static_ASN1_NDEF_SEQUENCE_END(CMS_AuthenticatedData) - ASN1_NDEF_SEQUENCE(CMS_CompressedData) +ASN1_NDEF_SEQUENCE(CMS_CompressedData) = { ASN1_EMBED(CMS_CompressedData, version, INT32), ASN1_SIMPLE(CMS_CompressedData, compressionAlgorithm, X509_ALGOR), @@ -348,7 +348,7 @@ ASN1_CHOICE(CMS_ReceiptsFrom) = { ASN1_IMP_SEQUENCE_OF(CMS_ReceiptsFrom, d.receiptList, GENERAL_NAMES, 1) } static_ASN1_CHOICE_END(CMS_ReceiptsFrom) - ASN1_SEQUENCE(CMS_ReceiptRequest) +ASN1_SEQUENCE(CMS_ReceiptRequest) = { ASN1_SIMPLE(CMS_ReceiptRequest, signedContentIdentifier, ASN1_OCTET_STRING), ASN1_SIMPLE(CMS_ReceiptRequest, receiptsFrom, CMS_ReceiptsFrom), ASN1_SEQUENCE_OF(CMS_ReceiptRequest, receiptsTo, GENERAL_NAMES) } ASN1_SEQUENCE_END(CMS_ReceiptRequest) ASN1_SEQUENCE(CMS_Receipt) = { @@ -375,7 +375,7 @@ ASN1_SEQUENCE(CMS_SharedInfo) = { ASN1_EXP_OPT(CMS_SharedInfo, suppPubInfo, ASN1_OCTET_STRING, 2), } static_ASN1_SEQUENCE_END(CMS_SharedInfo) - int CMS_SharedInfo_encode(unsigned char **pder, X509_ALGOR *kekalg, ASN1_OCTET_STRING *ukm, int keylen) +int CMS_SharedInfo_encode(unsigned char **pder, X509_ALGOR *kekalg, ASN1_OCTET_STRING *ukm, int keylen) { union { CMS_SharedInfo *pecsi; diff --git a/crypto/cms/cms_dh.c b/crypto/cms/cms_dh.c index ab3453d1c7c1..9c0b3c85e173 100644 --- a/crypto/cms/cms_dh.c +++ b/crypto/cms/cms_dh.c @@ -1,5 +1,5 @@ /* - * Copyright 2006-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2006-2026 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -89,16 +89,21 @@ static int dh_cms_set_shared_info(EVP_PKEY_CTX *pctx, CMS_RecipientInfo *ri) int keylen, plen; EVP_CIPHER *kekcipher = NULL; EVP_CIPHER_CTX *kekctx; + const ASN1_OBJECT *aoid; + const void *parameter = NULL; + int ptype = 0; char name[OSSL_MAX_NAME_SIZE]; if (!CMS_RecipientInfo_kari_get0_alg(ri, &alg, &ukm)) goto err; + X509_ALGOR_get0(&aoid, &ptype, ¶meter, alg); + /* * For DH we only have one OID permissible. If ever any more get defined * we will need something cleverer. */ - if (OBJ_obj2nid(alg->algorithm) != NID_id_smime_alg_ESDH) { + if (OBJ_obj2nid(aoid) != NID_id_smime_alg_ESDH) { ERR_raise(ERR_LIB_CMS, CMS_R_KDF_PARAMETER_ERROR); goto err; } @@ -107,11 +112,11 @@ static int dh_cms_set_shared_info(EVP_PKEY_CTX *pctx, CMS_RecipientInfo *ri) || EVP_PKEY_CTX_set_dh_kdf_md(pctx, EVP_sha1()) <= 0) goto err; - if (alg->parameter->type != V_ASN1_SEQUENCE) + if (ptype != V_ASN1_SEQUENCE) goto err; - p = alg->parameter->value.sequence->data; - plen = alg->parameter->value.sequence->length; + p = ASN1_STRING_get0_data(parameter); + plen = ASN1_STRING_length(parameter); kekalg = d2i_X509_ALGOR(NULL, &p, plen); if (kekalg == NULL) goto err; diff --git a/crypto/cms/cms_ec.c b/crypto/cms/cms_ec.c index ff8adad61668..917bf784daeb 100644 --- a/crypto/cms/cms_ec.c +++ b/crypto/cms/cms_ec.c @@ -1,5 +1,5 @@ /* - * Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2006-2026 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -166,21 +166,27 @@ static int ecdh_cms_set_shared_info(EVP_PKEY_CTX *pctx, CMS_RecipientInfo *ri) int plen, keylen; EVP_CIPHER *kekcipher = NULL; EVP_CIPHER_CTX *kekctx; + const ASN1_OBJECT *aoid = NULL; + int ptype = 0; + const void *parameter = NULL; + char name[OSSL_MAX_NAME_SIZE]; if (!CMS_RecipientInfo_kari_get0_alg(ri, &alg, &ukm)) return 0; - if (!ecdh_cms_set_kdf_param(pctx, OBJ_obj2nid(alg->algorithm))) { + X509_ALGOR_get0(&aoid, &ptype, ¶meter, alg); + + if (!ecdh_cms_set_kdf_param(pctx, OBJ_obj2nid(aoid))) { ERR_raise(ERR_LIB_CMS, CMS_R_KDF_PARAMETER_ERROR); return 0; } - if (alg->parameter->type != V_ASN1_SEQUENCE) + if (ptype != V_ASN1_SEQUENCE) return 0; - p = alg->parameter->value.sequence->data; - plen = alg->parameter->value.sequence->length; + p = ASN1_STRING_get0_data(parameter); + plen = ASN1_STRING_length(parameter); kekalg = d2i_X509_ALGOR(NULL, &p, plen); if (kekalg == NULL) goto err; diff --git a/crypto/cms/cms_local.h b/crypto/cms/cms_local.h index b412a74c7773..94496b3823ef 100644 --- a/crypto/cms/cms_local.h +++ b/crypto/cms/cms_local.h @@ -1,5 +1,5 @@ /* - * Copyright 2008-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2008-2026 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -35,8 +35,7 @@ typedef struct CMS_OriginatorPublicKey_st CMS_OriginatorPublicKey; typedef struct CMS_OriginatorIdentifierOrKey_st CMS_OriginatorIdentifierOrKey; typedef struct CMS_KeyAgreeRecipientInfo_st CMS_KeyAgreeRecipientInfo; typedef struct CMS_RecipientKeyIdentifier_st CMS_RecipientKeyIdentifier; -typedef struct CMS_KeyAgreeRecipientIdentifier_st - CMS_KeyAgreeRecipientIdentifier; +typedef struct CMS_KeyAgreeRecipientIdentifier_st CMS_KeyAgreeRecipientIdentifier; typedef struct CMS_KEKIdentifier_st CMS_KEKIdentifier; typedef struct CMS_KEKRecipientInfo_st CMS_KEKRecipientInfo; typedef struct CMS_PasswordRecipientInfo_st CMS_PasswordRecipientInfo; diff --git a/crypto/cms/cms_rsa.c b/crypto/cms/cms_rsa.c index 6b65842cc14e..9bf8284a8272 100644 --- a/crypto/cms/cms_rsa.c +++ b/crypto/cms/cms_rsa.c @@ -1,5 +1,5 @@ /* - * Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2006-2026 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -42,10 +42,13 @@ static int rsa_cms_decrypt(CMS_RecipientInfo *ri) X509_ALGOR *cmsalg; int nid; int rv = -1; - unsigned char *label = NULL; + const unsigned char *label = NULL; int labellen = 0; const EVP_MD *mgf1md = NULL, *md = NULL; RSA_OAEP_PARAMS *oaep; + const ASN1_OBJECT *aoid; + const void *parameter = NULL; + int ptype = 0; pkctx = CMS_RecipientInfo_get0_pkey_ctx(ri); if (pkctx == NULL) @@ -75,21 +78,19 @@ static int rsa_cms_decrypt(CMS_RecipientInfo *ri) goto err; if (oaep->pSourceFunc != NULL) { - X509_ALGOR *plab = oaep->pSourceFunc; + X509_ALGOR_get0(&aoid, &ptype, ¶meter, oaep->pSourceFunc); - if (OBJ_obj2nid(plab->algorithm) != NID_pSpecified) { + if (OBJ_obj2nid(aoid) != NID_pSpecified) { ERR_raise(ERR_LIB_CMS, CMS_R_UNSUPPORTED_LABEL_SOURCE); goto err; } - if (plab->parameter->type != V_ASN1_OCTET_STRING) { + if (ptype != V_ASN1_OCTET_STRING) { ERR_raise(ERR_LIB_CMS, CMS_R_INVALID_LABEL); goto err; } - label = plab->parameter->value.octet_string->data; - /* Stop label being freed when OAEP parameters are freed */ - plab->parameter->value.octet_string->data = NULL; - labellen = plab->parameter->value.octet_string->length; + label = ASN1_STRING_get0_data(parameter); + labellen = ASN1_STRING_length(parameter); } if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_OAEP_PADDING) <= 0) @@ -98,10 +99,16 @@ static int rsa_cms_decrypt(CMS_RecipientInfo *ri) goto err; if (EVP_PKEY_CTX_set_rsa_mgf1_md(pkctx, mgf1md) <= 0) goto err; - if (label != NULL - && EVP_PKEY_CTX_set0_rsa_oaep_label(pkctx, label, labellen) <= 0) { - OPENSSL_free(label); - goto err; + if (label != NULL) { + unsigned char *dup_label = OPENSSL_memdup(label, labellen); + + if (dup_label == NULL) + goto err; + + if (EVP_PKEY_CTX_set0_rsa_oaep_label(pkctx, dup_label, labellen) <= 0) { + OPENSSL_free(dup_label); + goto err; + } } /* Carry on */ rv = 1; diff --git a/crypto/cms/cms_smime.c b/crypto/cms/cms_smime.c index 920464b3deec..4b5009b9d5bf 100644 --- a/crypto/cms/cms_smime.c +++ b/crypto/cms/cms_smime.c @@ -1,5 +1,5 @@ /* - * Copyright 2008-2025 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2008-2026 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -474,8 +474,10 @@ err: } else { if (dcont && (tmpin == dcont)) do_free_upto(cmsbio, dcont); - else + else if (cmsbio != NULL) BIO_free_all(cmsbio); + else + BIO_free(tmpin); } if (out != tmpout) |