From a8d8e06b0ac06c421fd11cc1772126dcb98f79ae Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Wed, 2 Sep 2015 22:01:18 +0100 Subject: Avoid direct X509 structure access Reviewed-by: Tim Hudson --- crypto/ocsp/ocsp_vfy.c | 4 ++-- crypto/pkcs7/pk7_doit.c | 6 +++--- crypto/ts/ts_rsp_sign.c | 6 +++--- crypto/ts/ts_rsp_verify.c | 14 +++++++------- crypto/x509/x509type.c | 2 +- crypto/x509v3/pcy_tree.c | 14 +++++++++----- 6 files changed, 25 insertions(+), 21 deletions(-) (limited to 'crypto') diff --git a/crypto/ocsp/ocsp_vfy.c b/crypto/ocsp/ocsp_vfy.c index d2693c7c54..9dd3f3a20a 100644 --- a/crypto/ocsp/ocsp_vfy.c +++ b/crypto/ocsp/ocsp_vfy.c @@ -355,8 +355,8 @@ static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid, static int ocsp_check_delegated(X509 *x, int flags) { - X509_check_purpose(x, -1, 0); - if ((x->ex_flags & EXFLAG_XKUSAGE) && (x->ex_xkusage & XKU_OCSP_SIGN)) + if ((X509_get_extension_flags(x) & EXFLAG_XKUSAGE) + && (X509_get_extended_key_usage(x) & XKU_OCSP_SIGN)) return 1; OCSPerr(OCSP_F_OCSP_CHECK_DELEGATED, OCSP_R_MISSING_OCSPSIGNING_USAGE); return 0; diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c index cc2f3be554..1ac68937eb 100644 --- a/crypto/pkcs7/pk7_doit.c +++ b/crypto/pkcs7/pk7_doit.c @@ -393,11 +393,11 @@ static int pkcs7_cmp_ri(PKCS7_RECIP_INFO *ri, X509 *pcert) { int ret; ret = X509_NAME_cmp(ri->issuer_and_serial->issuer, - pcert->cert_info->issuer); + X509_get_issuer_name(pcert)); if (ret) return ret; - return ASN1_INTEGER_cmp(pcert->cert_info->serialNumber, - ri->issuer_and_serial->serial); + return ASN1_INTEGER_cmp(X509_get_serialNumber(pcert), + ri->issuer_and_serial->serial); } /* int */ diff --git a/crypto/ts/ts_rsp_sign.c b/crypto/ts/ts_rsp_sign.c index 3343dce275..f7fb762d5b 100644 --- a/crypto/ts/ts_rsp_sign.c +++ b/crypto/ts/ts_rsp_sign.c @@ -657,7 +657,7 @@ static TS_TST_INFO *ts_RESP_create_tst_info(TS_RESP_CTX *ctx, goto end; tsa_name->type = GEN_DIRNAME; tsa_name->d.dirn = - X509_NAME_dup(ctx->signer_cert->cert_info->subject); + X509_NAME_dup(X509_get_subject_name(ctx->signer_cert)); if (!tsa_name->d.dirn) goto end; if (!TS_TST_INFO_set_tsa(tst_info, tsa_name)) @@ -869,7 +869,7 @@ static ESS_CERT_ID *ess_CERT_ID_new_init(X509 *cert, int issuer_needed) if ((name = GENERAL_NAME_new()) == NULL) goto err; name->type = GEN_DIRNAME; - if ((name->d.dirn = X509_NAME_dup(cert->cert_info->issuer)) == NULL) + if ((name->d.dirn = X509_NAME_dup(X509_get_issuer_name(cert))) == NULL) goto err; if (!sk_GENERAL_NAME_push(cid->issuer_serial->issuer, name)) goto err; @@ -877,7 +877,7 @@ static ESS_CERT_ID *ess_CERT_ID_new_init(X509 *cert, int issuer_needed) /* Setting the serial number. */ ASN1_INTEGER_free(cid->issuer_serial->serial); if (!(cid->issuer_serial->serial = - ASN1_INTEGER_dup(cert->cert_info->serialNumber))) + ASN1_INTEGER_dup(X509_get_serialNumber(cert)))) goto err; } diff --git a/crypto/ts/ts_rsp_verify.c b/crypto/ts/ts_rsp_verify.c index c01d6a6565..93a775efec 100644 --- a/crypto/ts/ts_rsp_verify.c +++ b/crypto/ts/ts_rsp_verify.c @@ -72,7 +72,7 @@ static int ts_check_signing_certs(PKCS7_SIGNER_INFO *si, STACK_OF(X509) *chain); static ESS_SIGNING_CERT *ess_get_signing_cert(PKCS7_SIGNER_INFO *si); static int ts_find_cert(STACK_OF(ESS_CERT_ID) *cert_ids, X509 *cert); -static int ts_issuer_serial_cmp(ESS_ISSUER_SERIAL *is, X509_CINF *cinfo); +static int ts_issuer_serial_cmp(ESS_ISSUER_SERIAL *is, X509 *cert); static int int_ts_RESP_verify_token(TS_VERIFY_CTX *ctx, PKCS7 *token, TS_TST_INFO *tst_info); static int ts_check_status_info(TS_RESP *response); @@ -328,7 +328,7 @@ static int ts_find_cert(STACK_OF(ESS_CERT_ID) *cert_ids, X509 *cert) sizeof(cert->sha1_hash))) { /* Check the issuer/serial as well if specified. */ ESS_ISSUER_SERIAL *is = cid->issuer_serial; - if (!is || !ts_issuer_serial_cmp(is, cert->cert_info)) + if (!is || !ts_issuer_serial_cmp(is, cert)) return i; } } @@ -336,21 +336,21 @@ static int ts_find_cert(STACK_OF(ESS_CERT_ID) *cert_ids, X509 *cert) return -1; } -static int ts_issuer_serial_cmp(ESS_ISSUER_SERIAL *is, X509_CINF *cinfo) +static int ts_issuer_serial_cmp(ESS_ISSUER_SERIAL *is, X509 *cert) { GENERAL_NAME *issuer; - if (!is || !cinfo || sk_GENERAL_NAME_num(is->issuer) != 1) + if (!is || !cert || sk_GENERAL_NAME_num(is->issuer) != 1) return -1; /* Check the issuer first. It must be a directory name. */ issuer = sk_GENERAL_NAME_value(is->issuer, 0); if (issuer->type != GEN_DIRNAME - || X509_NAME_cmp(issuer->d.dirn, cinfo->issuer)) + || X509_NAME_cmp(issuer->d.dirn, X509_get_issuer_name(cert))) return -1; /* Check the serial number, too. */ - if (ASN1_INTEGER_cmp(is->serial, cinfo->serialNumber)) + if (ASN1_INTEGER_cmp(is->serial, X509_get_serialNumber(cert))) return -1; return 0; @@ -687,7 +687,7 @@ static int ts_check_signer_name(GENERAL_NAME *tsa_name, X509 *signer) /* Check the subject name first. */ if (tsa_name->type == GEN_DIRNAME - && X509_name_cmp(tsa_name->d.dirn, signer->cert_info->subject) == 0) + && X509_name_cmp(tsa_name->d.dirn, X509_get_subject_name(signer)) == 0) return 1; /* Check all the alternative names. */ diff --git a/crypto/x509/x509type.c b/crypto/x509/x509type.c index 232ba9bc79..8332d9e9d4 100644 --- a/crypto/x509/x509type.c +++ b/crypto/x509/x509type.c @@ -100,7 +100,7 @@ int X509_certificate_type(X509 *x, EVP_PKEY *pkey) break; } - i = OBJ_obj2nid(x->sig_alg->algorithm); + i = X509_get_signature_nid(x); if (i && OBJ_find_sigid_algs(i, NULL, &i)) { switch (i) { diff --git a/crypto/x509v3/pcy_tree.c b/crypto/x509v3/pcy_tree.c index c6be015193..bbc9ada143 100644 --- a/crypto/x509v3/pcy_tree.c +++ b/crypto/x509v3/pcy_tree.c @@ -184,7 +184,9 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, * explicit_policy value at this point. */ for (i = n - 2; i >= 0; i--) { + uint32_t ex_flags; x = sk_X509_value(certs, i); + ex_flags = X509_get_extension_flags(x); X509_check_purpose(x, -1, -1); cache = policy_cache_set(x); /* If cache NULL something bad happened: return immediately */ @@ -193,7 +195,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, /* * If inconsistent extensions keep a note of it but continue */ - if (x->ex_flags & EXFLAG_INVALID_POLICY) + if (ex_flags & EXFLAG_INVALID_POLICY) ret = -1; /* * Otherwise if we have no data (hence no CertificatePolicies) and @@ -202,7 +204,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, else if ((ret == 1) && !cache->data) ret = 2; if (explicit_policy > 0) { - if (!(x->ex_flags & EXFLAG_SI)) + if (!(ex_flags & EXFLAG_SI)) explicit_policy--; if ((cache->explicit_skip != -1) && (cache->explicit_skip < explicit_policy)) @@ -235,8 +237,10 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, goto bad_tree; for (i = n - 2; i >= 0; i--) { + uint32_t ex_flags; level++; x = sk_X509_value(certs, i); + ex_flags = X509_get_extension_flags(x); cache = policy_cache_set(x); X509_up_ref(x); level->cert = x; @@ -250,10 +254,10 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, * Any matching allowed if certificate is self issued and not the * last in the chain. */ - if (!(x->ex_flags & EXFLAG_SI) || (i == 0)) + if (!(ex_flags & EXFLAG_SI) || (i == 0)) level->flags |= X509_V_FLAG_INHIBIT_ANY; } else { - if (!(x->ex_flags & EXFLAG_SI)) + if (!(ex_flags & EXFLAG_SI)) any_skip--; if ((cache->any_skip >= 0) && (cache->any_skip < any_skip)) @@ -263,7 +267,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, if (map_skip == 0) level->flags |= X509_V_FLAG_INHIBIT_MAP; else { - if (!(x->ex_flags & EXFLAG_SI)) + if (!(ex_flags & EXFLAG_SI)) map_skip--; if ((cache->map_skip >= 0) && (cache->map_skip < map_skip)) -- cgit v1.2.3