Commit f0e0fd51 authored Apr 14, 2016 by Rich Salz

Make many X509_xxx types opaque.



Make X509_OBJECT, X509_STORE_CTX, X509_STORE, X509_LOOKUP,
and X509_LOOKUP_METHOD opaque.
Remove unused X509_CERT_FILE_CTX

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>

parent 34da11b3

CHANGES

+5 −0

Original line number	Diff line number	Diff line
		@@ -4,6 +4,11 @@

		Changes between 1.0.2g and 1.1.0 [xx XXX xxxx]

		*) The following datatypes were made opaque: X509_OBJECT, X509_STORE_CTX,
		X509_STORE, X509_LOOKUP, and X509_LOOKUP_METHOD. The unused type
		X509_CERT_FILE_CTX was removed.
		[Rich Salz]

		*) "shared" builds are now the default. To create only static libraries use
		the "no-shared" Configure option.
		[Matt Caswell]

NEWS

+2 −2

Original line number	Diff line number	Diff line
		@@ -15,8 +15,8 @@
		o Support for extended master secret
		o CCM ciphersuites
		o Reworked test suite, now based on perl, Test::Harness and Test::More
		o Various libcrypto structures made opaque including: BIGNUM, EVP_MD,
		EVP_MD_CTX, HMAC_CTX, EVP_CIPHER and EVP_CIPHER_CTX.
		o Most libcrypto and libssl structures were made opaque including:
		<TBA>
		o libssl internal structures made opaque
		o SSLv2 support removed
		o Kerberos ciphersuite support removed

apps/crl.c

+12 −12

Original line number	Diff line number	Diff line
		@@ -112,9 +112,9 @@ int crl_main(int argc, char **argv)
		X509_CRL *x = NULL;
		BIO *out = NULL;
		X509_STORE *store = NULL;
		X509_STORE_CTX ctx;
		X509_STORE_CTX *ctx = NULL;
		X509_LOOKUP *lookup = NULL;
		X509_OBJECT xobj;
		X509_OBJECT *xobj = NULL;
		EVP_PKEY *pkey;
		const EVP_MD *digest = EVP_sha1();
		unsigned long nmflag = 0;
		@@ -243,24 +243,26 @@ int crl_main(int argc, char **argv)
		lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
		if (lookup == NULL)
		goto end;
		if (!X509_STORE_CTX_init(&ctx, store, NULL, NULL)) {
		ctx = X509_STORE_CTX_new();
		if (!X509_STORE_CTX_init(ctx, store, NULL, NULL)) {
		BIO_printf(bio_err, "Error initialising X509 store\n");
		goto end;
		}

		i = X509_STORE_get_by_subject(&ctx, X509_LU_X509,
		X509_CRL_get_issuer(x), &xobj);
		if (i <= 0) {
		xobj = X509_STORE_get_X509_by_subject(ctx, X509_LU_X509,
		X509_CRL_get_issuer(x));
		if (xobj == NULL) {
		BIO_printf(bio_err, "Error getting CRL issuer certificate\n");
		goto end;
		}
		pkey = X509_get0_pubkey(xobj.data.x509);
		X509_OBJECT_free_contents(&xobj);
		pkey = X509_get_pubkey(X509_OBJECT_get0_X509(xobj));
		X509_OBJECT_free(xobj);
		if (!pkey) {
		BIO_printf(bio_err, "Error getting CRL issuer public key\n");
		goto end;
		}
		i = X509_CRL_verify(x, pkey);
		EVP_PKEY_free(pkey);
		if (i < 0)
		goto end;
		if (i == 0)
		@@ -388,9 +390,7 @@ int crl_main(int argc, char **argv)
		ERR_print_errors(bio_err);
		BIO_free_all(out);
		X509_CRL_free(x);
		if (store) {
		X509_STORE_CTX_cleanup(&ctx);
		X509_STORE_CTX_free(ctx);
		X509_STORE_free(store);
		}
		return (ret);
		}

apps/pkcs12.c

+15 −8

Original line number	Diff line number	Diff line
		@@ -758,21 +758,28 @@ int dump_certs_pkeys_bag(BIO out, PKCS12_SAFEBAG bag, char *pass,
		static int get_cert_chain(X509 cert, X509_STORE store,
		STACK_OF(X509) **chain)
		{
		X509_STORE_CTX store_ctx;
		X509_STORE_CTX *store_ctx = NULL;
		STACK_OF(X509) *chn = NULL;
		int i = 0;

		if (!X509_STORE_CTX_init(&store_ctx, store, cert, NULL)) {
		*chain = NULL;
		return X509_V_ERR_UNSPECIFIED;
		store_ctx = X509_STORE_CTX_new();
		if (store_ctx == NULL) {
		i = X509_V_ERR_UNSPECIFIED;
		goto end;
		}
		if (!X509_STORE_CTX_init(store_ctx, store, cert, NULL)) {
		i = X509_V_ERR_UNSPECIFIED;
		goto end;
		}


		if (X509_verify_cert(&store_ctx) > 0)
		chn = X509_STORE_CTX_get1_chain(&store_ctx);
		else if ((i = X509_STORE_CTX_get_error(&store_ctx)) == 0)
		if (X509_verify_cert(store_ctx) > 0)
		chn = X509_STORE_CTX_get1_chain(store_ctx);
		else if ((i = X509_STORE_CTX_get_error(store_ctx)) == 0)
		i = X509_V_ERR_UNSPECIFIED;

		X509_STORE_CTX_cleanup(&store_ctx);
		end:
		X509_STORE_CTX_free(store_ctx);
		*chain = chn;
		return i;
		}

apps/s_server.c

+16 −12

Original line number	Diff line number	Diff line
		@@ -622,8 +622,8 @@ static int cert_status_cb(SSL s, void arg)
		int rspderlen;
		STACK_OF(OPENSSL_STRING) *aia = NULL;
		X509 *x = NULL;
		X509_STORE_CTX inctx;
		X509_OBJECT obj;
		X509_STORE_CTX *inctx = NULL;
		X509_OBJECT *obj;
		OCSP_REQUEST *req = NULL;
		OCSP_RESPONSE *resp = NULL;
		OCSP_CERTID *id = NULL;
		@@ -657,22 +657,24 @@ static int cert_status_cb(SSL s, void arg)
		use_ssl = srctx->use_ssl;
		}

		if (!X509_STORE_CTX_init(&inctx,
		inctx = X509_STORE_CTX_new();
		if (inctx == NULL)
		goto err;
		if (!X509_STORE_CTX_init(inctx,
		SSL_CTX_get_cert_store(SSL_get_SSL_CTX(s)),
		NULL, NULL))
		goto err;
		if (X509_STORE_get_by_subject(&inctx, X509_LU_X509,
		X509_get_issuer_name(x), &obj) <= 0) {
		obj = X509_STORE_get_X509_by_subject(inctx, X509_LU_X509,
		X509_get_issuer_name(x));
		if (obj == NULL) {
		BIO_puts(bio_err, "cert_status: Can't retrieve issuer certificate.\n");
		X509_STORE_CTX_cleanup(&inctx);
		goto done;
		}
		req = OCSP_REQUEST_new();
		if (req == NULL)
		goto err;
		id = OCSP_cert_to_id(NULL, x, obj.data.x509);
		X509_free(obj.data.x509);
		X509_STORE_CTX_cleanup(&inctx);
		id = OCSP_cert_to_id(NULL, x, X509_OBJECT_get0_X509(obj));
		X509_OBJECT_free(obj);
		if (!id)
		goto err;
		if (!OCSP_request_add0_id(req, id))
		@@ -700,6 +702,10 @@ static int cert_status_cb(SSL s, void arg)
		OCSP_RESPONSE_print(bio_err, resp, 2);
		}
		ret = SSL_TLSEXT_ERR_OK;
		goto done;

		err:
		ret = SSL_TLSEXT_ERR_ALERT_FATAL;
		done:
		if (ret != SSL_TLSEXT_ERR_OK)
		ERR_print_errors(bio_err);
		@@ -712,10 +718,8 @@ static int cert_status_cb(SSL s, void arg)
		OCSP_CERTID_free(id);
		OCSP_REQUEST_free(req);
		OCSP_RESPONSE_free(resp);
		X509_STORE_CTX_free(inctx);
		return ret;
		err:
		ret = SSL_TLSEXT_ERR_ALERT_FATAL;
		goto done;
		}
		#endif