SecBSD/src
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

sync with OpenBSD -current

Browse source
This commit is contained in:
purplerain 2024-01-11 02:33:10 +00:00
parent 46994dfb53
commit caf62be22c
Signed by: purplerain
GPG key ID: F42C07F07E2E35B7
18 changed files with 499 additions and 445 deletions
Download patch file Download diff file Expand all files Collapse all files

14
lib/libcrypto/err/err_prn.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: err_prn.c,v 1.20 2023/07/07 13:54:45 beck Exp $ */
/* $OpenBSD: err_prn.c,v 1.22 2024/01/10 14:23:37 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@ -56,6 +56,7 @@
* [including the GNU Public Licence.]
*/
#include <limits.h>
#include <stdio.h>
#include <string.h>
@ -93,12 +94,9 @@ LCRYPTO_ALIAS(ERR_print_errors_cb);
static int
print_fp(const char *str, size_t len, void *fp)
{
BIO bio;
BIO_set(&bio, BIO_s_file());
BIO_set_fp(&bio, fp, BIO_NOCLOSE);
return BIO_printf(&bio, "%s", str);
if (len > INT_MAX)
return -1;
return fprintf(fp, "%.*s", (int)len, str);
}
void
@ -111,7 +109,7 @@ LCRYPTO_ALIAS(ERR_print_errors_fp);
static int
print_bio(const char *str, size_t len, void *bp)
{
return BIO_write((BIO *)bp, str, len);
return BIO_write(bp, str, len);
}
void

20
lib/libcrypto/rsa/rsa_ameth.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: rsa_ameth.c,v 1.56 2024/01/04 17:01:26 tb Exp $ */
/* $OpenBSD: rsa_ameth.c,v 1.57 2024/01/10 14:59:19 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 2006.
*/
@ -74,10 +74,6 @@
#include "rsa_local.h"
#include "x509_local.h"
/* Macros to test if a pkey or ctx is for a PSS key */
#define pkey_is_pss(pkey) (pkey->ameth->pkey_id == EVP_PKEY_RSA_PSS)
#define pkey_ctx_is_pss(ctx) (ctx->pmeth->pkey_id == EVP_PKEY_RSA_PSS)
#ifndef OPENSSL_NO_CMS
static int rsa_cms_sign(CMS_SignerInfo *si);
static int rsa_cms_verify(CMS_SignerInfo *si);
@ -453,7 +449,8 @@ pkey_rsa_print(BIO *bp, const EVP_PKEY *pkey, int off, int priv)
if (!BIO_indent(bp, off, 128))
goto err;
if (BIO_printf(bp, "%s ", pkey_is_pss(pkey) ? "RSA-PSS" : "RSA") <= 0)
if (BIO_printf(bp, "%s ",
pkey->ameth->pkey_id == EVP_PKEY_RSA_PSS ? "RSA-PSS" : "RSA") <= 0)
goto err;
if (priv && x->d != NULL) {
@ -485,7 +482,8 @@ pkey_rsa_print(BIO *bp, const EVP_PKEY *pkey, int off, int priv)
if (!bn_printf(bp, x->iqmp, off, "coefficient:"))
goto err;
}
if (pkey_is_pss(pkey) && !rsa_pss_param_print(bp, 1, x->pss, off))
if (pkey->ameth->pkey_id == EVP_PKEY_RSA_PSS &&
!rsa_pss_param_print(bp, 1, x->pss, off))
goto err;
ret = 1;
err:
@ -539,7 +537,7 @@ rsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
break;
case ASN1_PKEY_CTRL_PKCS7_ENCRYPT:
if (pkey_is_pss(pkey))
if (pkey->ameth->pkey_id == EVP_PKEY_RSA_PSS)
return -2;
if (arg1 == 0)
PKCS7_RECIP_INFO_get0_alg(arg2, &alg);
@ -553,7 +551,7 @@ rsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
break;
case ASN1_PKEY_CTRL_CMS_ENVELOPE:
if (pkey_is_pss(pkey))
if (pkey->ameth->pkey_id == EVP_PKEY_RSA_PSS)
return -2;
if (arg1 == 0)
return rsa_cms_encrypt(arg2);
@ -562,7 +560,7 @@ rsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
break;
case ASN1_PKEY_CTRL_CMS_RI_TYPE:
if (pkey_is_pss(pkey))
if (pkey->ameth->pkey_id == EVP_PKEY_RSA_PSS)
return -2;
*(int *)arg2 = CMS_RECIPINFO_TRANS;
return 1;
@ -852,7 +850,7 @@ rsa_cms_verify(CMS_SignerInfo *si)
if (nid == EVP_PKEY_RSA_PSS)
return rsa_pss_to_ctx(NULL, pkey_ctx, alg, NULL);
/* Only PSS allowed for PSS keys */
if (pkey_ctx_is_pss(pkey_ctx)) {
if (pkey_ctx->pmeth->pkey_id == EVP_PKEY_RSA_PSS) {
RSAerror(RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
return 0;
}

127
lib/libcrypto/x509/x509_trs.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: x509_trs.c,v 1.35 2024/01/08 03:32:01 tb Exp $ */
/* $OpenBSD: x509_trs.c,v 1.39 2024/01/10 21:34:53 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 1999.
*/
@ -57,19 +57,72 @@
*/
#include <stdio.h>
#include <string.h>
#include <openssl/asn1.h>
#include <openssl/err.h>
#include <openssl/objects.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include "x509_local.h"
static int trust_1oidany(X509_TRUST *trust, X509 *x, int flags);
static int trust_1oid(X509_TRUST *trust, X509 *x, int flags);
static int trust_compat(X509_TRUST *trust, X509 *x, int flags);
static int
obj_trust(int id, X509 *x, int flags)
{
ASN1_OBJECT *obj;
int i, nid;
X509_CERT_AUX *ax;
static int obj_trust(int id, X509 *x, int flags);
static int (*default_trust)(int id, X509 *x, int flags) = obj_trust;
ax = x->aux;
if (!ax)
return X509_TRUST_UNTRUSTED;
if (ax->reject) {
for (i = 0; i < sk_ASN1_OBJECT_num(ax->reject); i++) {
obj = sk_ASN1_OBJECT_value(ax->reject, i);
nid = OBJ_obj2nid(obj);
if (nid == id || nid == NID_anyExtendedKeyUsage)
return X509_TRUST_REJECTED;
}
}
if (ax->trust) {
for (i = 0; i < sk_ASN1_OBJECT_num(ax->trust); i++) {
obj = sk_ASN1_OBJECT_value(ax->trust, i);
nid = OBJ_obj2nid(obj);
if (nid == id || nid == NID_anyExtendedKeyUsage)
return X509_TRUST_TRUSTED;
}
}
return X509_TRUST_UNTRUSTED;
}
static int
trust_compat(X509_TRUST *trust, X509 *x, int flags)
{
X509_check_purpose(x, -1, 0);
if (x->ex_flags & EXFLAG_SS)
return X509_TRUST_TRUSTED;
else
return X509_TRUST_UNTRUSTED;
}
static int
trust_1oidany(X509_TRUST *trust, X509 *x, int flags)
{
if (x->aux && (x->aux->trust || x->aux->reject))
return obj_trust(trust->arg1, x, flags);
/* we don't have any trust settings: for compatibility
* we return trusted if it is self signed
*/
return trust_compat(trust, x, flags);
}
static int
trust_1oid(X509_TRUST *trust, X509 *x, int flags)
{
if (x->aux)
return obj_trust(trust->arg1, x, flags);
return X509_TRUST_UNTRUSTED;
}
/* WARNING: the following table should be kept in order of trust
* and without any gaps so we can just subtract the minimum trust
@ -128,6 +181,8 @@ static X509_TRUST trstandard[] = {
#define X509_TRUST_COUNT (sizeof(trstandard) / sizeof(trstandard[0]))
static int (*default_trust)(int id, X509 *x, int flags) = obj_trust;
int
(*X509_TRUST_set_default(int (*trust)(int , X509 *, int)))(int, X509 *, int)
{
@ -249,61 +304,3 @@ X509_TRUST_get_trust(const X509_TRUST *xp)
return xp->trust;
}
LCRYPTO_ALIAS(X509_TRUST_get_trust);
static int
trust_1oidany(X509_TRUST *trust, X509 *x, int flags)
{
if (x->aux && (x->aux->trust || x->aux->reject))
return obj_trust(trust->arg1, x, flags);
/* we don't have any trust settings: for compatibility
* we return trusted if it is self signed
*/
return trust_compat(trust, x, flags);
}
static int
trust_1oid(X509_TRUST *trust, X509 *x, int flags)
{
if (x->aux)
return obj_trust(trust->arg1, x, flags);
return X509_TRUST_UNTRUSTED;
}
static int
trust_compat(X509_TRUST *trust, X509 *x, int flags)
{
X509_check_purpose(x, -1, 0);
if (x->ex_flags & EXFLAG_SS)
return X509_TRUST_TRUSTED;
else
return X509_TRUST_UNTRUSTED;
}
static int
obj_trust(int id, X509 *x, int flags)
{
ASN1_OBJECT *obj;
int i, nid;
X509_CERT_AUX *ax;
ax = x->aux;
if (!ax)
return X509_TRUST_UNTRUSTED;
if (ax->reject) {
for (i = 0; i < sk_ASN1_OBJECT_num(ax->reject); i++) {
obj = sk_ASN1_OBJECT_value(ax->reject, i);
nid = OBJ_obj2nid(obj);
if (nid == id || nid == NID_anyExtendedKeyUsage)
return X509_TRUST_REJECTED;
}
}
if (ax->trust) {
for (i = 0; i < sk_ASN1_OBJECT_num(ax->trust); i++) {
obj = sk_ASN1_OBJECT_value(ax->trust, i);
nid = OBJ_obj2nid(obj);
if (nid == id || nid == NID_anyExtendedKeyUsage)
return X509_TRUST_TRUSTED;
}
}
return X509_TRUST_UNTRUSTED;
}

71
lib/libcrypto/x509/x509_vfy.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: x509_vfy.c,v 1.138 2024/01/09 07:25:57 tb Exp $ */
/* $OpenBSD: x509_vfy.c,v 1.139 2024/01/10 17:31:28 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@ -2182,54 +2182,53 @@ X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose,
}
LCRYPTO_ALIAS(X509_STORE_CTX_purpose_inherit);
static int
x509_vfy_purpose_inherit(X509_STORE_CTX *ctx, int purpose, int trust)
int
X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose_id)
{
/* If we have a purpose then check it is valid */
if (purpose != 0) {
const X509_PURPOSE *purp;
int purpose_idx;
const X509_PURPOSE *purpose;
int idx;
if (purpose < X509_PURPOSE_MIN || purpose > X509_PURPOSE_MAX) {
X509error(X509_R_UNKNOWN_PURPOSE_ID);
return 0;
}
purpose_idx = purpose - X509_PURPOSE_MIN;
if ((purp = X509_PURPOSE_get0(purpose_idx)) == NULL) {
X509error(X509_R_UNKNOWN_PURPOSE_ID);
return 0;
}
/* XXX - Match wacky/documented behavior. Do we need to keep this? */
if (purpose_id == 0)
return 1;
/* If trust is unset, use the purpose's trust. */
if (trust == 0)
trust = purp->trust;
if (purpose_id < X509_PURPOSE_MIN || purpose_id > X509_PURPOSE_MAX) {
X509error(X509_R_UNKNOWN_PURPOSE_ID);
return 0;
}
if (trust != 0) {
if (trust < X509_TRUST_MIN || trust > X509_TRUST_MAX) {
X509error(X509_R_UNKNOWN_TRUST_ID);
return 0;
}
idx = purpose_id - X509_PURPOSE_MIN;
if ((purpose = X509_PURPOSE_get0(idx)) == NULL) {
X509error(X509_R_UNKNOWN_PURPOSE_ID);
return 0;
}
if (purpose != 0 && ctx->param->purpose == 0)
ctx->param->purpose = purpose;
if (trust != 0 && ctx->param->trust == 0)
ctx->param->trust = trust;
/* XXX - Succeeding while ignoring purpose_id and trust is awful. */
if (ctx->param->purpose == 0)
ctx->param->purpose = purpose_id;
if (ctx->param->trust == 0)
ctx->param->trust = purpose->trust;
return 1;
}
int
X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose)
{
return x509_vfy_purpose_inherit(ctx, purpose, 0);
}
LCRYPTO_ALIAS(X509_STORE_CTX_set_purpose);
int
X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust)
X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust_id)
{
return x509_vfy_purpose_inherit(ctx, 0, trust);
/* XXX - Match wacky/documented behavior. Do we need to keep this? */
if (trust_id == 0)
return 1;
if (trust_id < X509_TRUST_MIN || trust_id > X509_TRUST_MAX) {
X509error(X509_R_UNKNOWN_TRUST_ID);
return 0;
}
/* XXX - Succeeding while ignoring the trust_id is awful. */
if (ctx->param->trust == 0)
ctx->param->trust = trust_id;
return 1;
}
LCRYPTO_ALIAS(X509_STORE_CTX_set_trust);