From f0e0fd51fd8307f6eae64862ad9aaea113f1177a Mon Sep 17 00:00:00 2001 From: Rich Salz Date: Thu, 14 Apr 2016 23:59:26 -0400 Subject: Make many X509_xxx types opaque. Make X509_OBJECT, X509_STORE_CTX, X509_STORE, X509_LOOKUP, and X509_LOOKUP_METHOD opaque. Remove unused X509_CERT_FILE_CTX Reviewed-by: Richard Levitte Reviewed-by: Dr. Stephen Henson --- apps/crl.c | 24 ++++++++++++------------ apps/pkcs12.c | 23 +++++++++++++++-------- apps/s_server.c | 28 ++++++++++++++++------------ apps/verify.c | 2 +- apps/x509.c | 13 +++++++------ 5 files changed, 51 insertions(+), 39 deletions(-) (limited to 'apps') diff --git a/apps/crl.c b/apps/crl.c index c6fc9e6675..915c9ac741 100644 --- a/apps/crl.c +++ b/apps/crl.c @@ -112,9 +112,9 @@ int crl_main(int argc, char **argv) X509_CRL *x = NULL; BIO *out = NULL; X509_STORE *store = NULL; - X509_STORE_CTX ctx; + X509_STORE_CTX *ctx = NULL; X509_LOOKUP *lookup = NULL; - X509_OBJECT xobj; + X509_OBJECT *xobj = NULL; EVP_PKEY *pkey; const EVP_MD *digest = EVP_sha1(); unsigned long nmflag = 0; @@ -243,24 +243,26 @@ int crl_main(int argc, char **argv) lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file()); if (lookup == NULL) goto end; - if (!X509_STORE_CTX_init(&ctx, store, NULL, NULL)) { + ctx = X509_STORE_CTX_new(); + if (!X509_STORE_CTX_init(ctx, store, NULL, NULL)) { BIO_printf(bio_err, "Error initialising X509 store\n"); goto end; } - i = X509_STORE_get_by_subject(&ctx, X509_LU_X509, - X509_CRL_get_issuer(x), &xobj); - if (i <= 0) { + xobj = X509_STORE_get_X509_by_subject(ctx, X509_LU_X509, + X509_CRL_get_issuer(x)); + if (xobj == NULL) { BIO_printf(bio_err, "Error getting CRL issuer certificate\n"); goto end; } - pkey = X509_get0_pubkey(xobj.data.x509); - X509_OBJECT_free_contents(&xobj); + pkey = X509_get_pubkey(X509_OBJECT_get0_X509(xobj)); + X509_OBJECT_free(xobj); if (!pkey) { BIO_printf(bio_err, "Error getting CRL issuer public key\n"); goto end; } i = X509_CRL_verify(x, pkey); + EVP_PKEY_free(pkey); if (i < 0) goto end; if (i == 0) @@ -388,9 +390,7 @@ int crl_main(int argc, char **argv) ERR_print_errors(bio_err); BIO_free_all(out); X509_CRL_free(x); - if (store) { - X509_STORE_CTX_cleanup(&ctx); - X509_STORE_free(store); - } + X509_STORE_CTX_free(ctx); + X509_STORE_free(store); return (ret); } diff --git a/apps/pkcs12.c b/apps/pkcs12.c index ff3cb8845b..406b10328a 100644 --- a/apps/pkcs12.c +++ b/apps/pkcs12.c @@ -758,21 +758,28 @@ int dump_certs_pkeys_bag(BIO *out, PKCS12_SAFEBAG *bag, char *pass, static int get_cert_chain(X509 *cert, X509_STORE *store, STACK_OF(X509) **chain) { - X509_STORE_CTX store_ctx; + X509_STORE_CTX *store_ctx = NULL; STACK_OF(X509) *chn = NULL; int i = 0; - if (!X509_STORE_CTX_init(&store_ctx, store, cert, NULL)) { - *chain = NULL; - return X509_V_ERR_UNSPECIFIED; + store_ctx = X509_STORE_CTX_new(); + if (store_ctx == NULL) { + i = X509_V_ERR_UNSPECIFIED; + goto end; + } + if (!X509_STORE_CTX_init(store_ctx, store, cert, NULL)) { + i = X509_V_ERR_UNSPECIFIED; + goto end; } - if (X509_verify_cert(&store_ctx) > 0) - chn = X509_STORE_CTX_get1_chain(&store_ctx); - else if ((i = X509_STORE_CTX_get_error(&store_ctx)) == 0) + + if (X509_verify_cert(store_ctx) > 0) + chn = X509_STORE_CTX_get1_chain(store_ctx); + else if ((i = X509_STORE_CTX_get_error(store_ctx)) == 0) i = X509_V_ERR_UNSPECIFIED; - X509_STORE_CTX_cleanup(&store_ctx); +end: + X509_STORE_CTX_free(store_ctx); *chain = chn; return i; } diff --git a/apps/s_server.c b/apps/s_server.c index e0aa2ae4f8..6c8541eec9 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -622,8 +622,8 @@ static int cert_status_cb(SSL *s, void *arg) int rspderlen; STACK_OF(OPENSSL_STRING) *aia = NULL; X509 *x = NULL; - X509_STORE_CTX inctx; - X509_OBJECT obj; + X509_STORE_CTX *inctx = NULL; + X509_OBJECT *obj; OCSP_REQUEST *req = NULL; OCSP_RESPONSE *resp = NULL; OCSP_CERTID *id = NULL; @@ -657,22 +657,24 @@ static int cert_status_cb(SSL *s, void *arg) use_ssl = srctx->use_ssl; } - if (!X509_STORE_CTX_init(&inctx, + inctx = X509_STORE_CTX_new(); + if (inctx == NULL) + goto err; + if (!X509_STORE_CTX_init(inctx, SSL_CTX_get_cert_store(SSL_get_SSL_CTX(s)), NULL, NULL)) goto err; - if (X509_STORE_get_by_subject(&inctx, X509_LU_X509, - X509_get_issuer_name(x), &obj) <= 0) { + obj = X509_STORE_get_X509_by_subject(inctx, X509_LU_X509, + X509_get_issuer_name(x)); + if (obj == NULL) { BIO_puts(bio_err, "cert_status: Can't retrieve issuer certificate.\n"); - X509_STORE_CTX_cleanup(&inctx); goto done; } req = OCSP_REQUEST_new(); if (req == NULL) goto err; - id = OCSP_cert_to_id(NULL, x, obj.data.x509); - X509_free(obj.data.x509); - X509_STORE_CTX_cleanup(&inctx); + id = OCSP_cert_to_id(NULL, x, X509_OBJECT_get0_X509(obj)); + X509_OBJECT_free(obj); if (!id) goto err; if (!OCSP_request_add0_id(req, id)) @@ -700,6 +702,10 @@ static int cert_status_cb(SSL *s, void *arg) OCSP_RESPONSE_print(bio_err, resp, 2); } ret = SSL_TLSEXT_ERR_OK; + goto done; + + err: + ret = SSL_TLSEXT_ERR_ALERT_FATAL; done: if (ret != SSL_TLSEXT_ERR_OK) ERR_print_errors(bio_err); @@ -712,10 +718,8 @@ static int cert_status_cb(SSL *s, void *arg) OCSP_CERTID_free(id); OCSP_REQUEST_free(req); OCSP_RESPONSE_free(resp); + X509_STORE_CTX_free(inctx); return ret; - err: - ret = SSL_TLSEXT_ERR_ALERT_FATAL; - goto done; } #endif diff --git a/apps/verify.c b/apps/verify.c index 58a48c7f63..fa517830cf 100644 --- a/apps/verify.c +++ b/apps/verify.c @@ -269,7 +269,7 @@ static int check(X509_STORE *ctx, char *file, goto end; } if (tchain) - X509_STORE_CTX_trusted_stack(csc, tchain); + X509_STORE_CTX_set0_trusted_stack(csc, tchain); if (crls) X509_STORE_CTX_set0_crls(csc, crls); i = X509_verify_cert(csc); diff --git a/apps/x509.c b/apps/x509.c index d8be179d43..6e6ee08ad2 100644 --- a/apps/x509.c +++ b/apps/x509.c @@ -987,13 +987,14 @@ static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest, { int ret = 0; ASN1_INTEGER *bs = NULL; - X509_STORE_CTX xsc; + X509_STORE_CTX *xsc = NULL; EVP_PKEY *upkey; upkey = X509_get0_pubkey(xca); EVP_PKEY_copy_parameters(upkey, pkey); - if (!X509_STORE_CTX_init(&xsc, ctx, x, NULL)) { + xsc = X509_STORE_CTX_new(); + if (xsc == NULL || !X509_STORE_CTX_init(xsc, ctx, x, NULL)) { BIO_printf(bio_err, "Error initialising X509 store\n"); goto end; } @@ -1006,9 +1007,9 @@ static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest, * NOTE: this certificate can/should be self signed, unless it was a * certificate request in which case it is not. */ - X509_STORE_CTX_set_cert(&xsc, x); - X509_STORE_CTX_set_flags(&xsc, X509_V_FLAG_CHECK_SS_SIGNATURE); - if (!reqfile && X509_verify_cert(&xsc) <= 0) + X509_STORE_CTX_set_cert(xsc, x); + X509_STORE_CTX_set_flags(xsc, X509_V_FLAG_CHECK_SS_SIGNATURE); + if (!reqfile && X509_verify_cert(xsc) <= 0) goto end; if (!X509_check_private_key(xca, pkey)) { @@ -1047,7 +1048,7 @@ static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest, goto end; ret = 1; end: - X509_STORE_CTX_cleanup(&xsc); + X509_STORE_CTX_free(xsc); if (!ret) ERR_print_errors(bio_err); if (!sno) -- cgit v1.2.3