diff options
Diffstat (limited to 'content/fetchers/about/certificate.c')
-rw-r--r-- | content/fetchers/about/certificate.c | 331 |
1 files changed, 28 insertions, 303 deletions
diff --git a/content/fetchers/about/certificate.c b/content/fetchers/about/certificate.c index 554f06eb8..6f634d22a 100644 --- a/content/fetchers/about/certificate.c +++ b/content/fetchers/about/certificate.c @@ -134,26 +134,29 @@ static nserror free_ns_cert_info(struct ns_cert_info *cinfo) #include <openssl/ssl.h> #include <openssl/x509v3.h> -/* OpenSSL 1.0.x, 1.0.2, 1.1.0 and 1.1.1 API all changed - * LibreSSL declares its OpenSSL version as 2.1 but only supports 1.0.x API - */ -#if (defined(LIBRESSL_VERSION_NUMBER) || (OPENSSL_VERSION_NUMBER < 0x1010000fL)) -/* 1.0.x */ +#if (OPENSSL_VERSION_NUMBER < 0x30000000L) +/* OpenSSL 1.1.1 or LibreSSL */ + +# if defined(LIBRESSL_VERSION_NUMBER) + /* LibreSSL */ +# if (LIBRESSL_VERSION_NUMBER < 0x3050000fL) + /* LibreSSL <3.5.0 */ -#if (defined(LIBRESSL_VERSION_NUMBER) || (OPENSSL_VERSION_NUMBER < 0x1000200fL)) -/* pre 1.0.2 */ +# if (LIBRESSL_VERSION_NUMBER < 0x2070000fL) + /* LibreSSL <2.7.0 */ static int ns_X509_get_signature_nid(X509 *cert) { return OBJ_obj2nid(cert->cert_info->key->algor->algorithm); } -#else -#define ns_X509_get_signature_nid X509_get_signature_nid -#endif static const unsigned char *ns_ASN1_STRING_get0_data(ASN1_STRING *asn1str) { return (const unsigned char *)ASN1_STRING_data(asn1str); } +# else +# define ns_X509_get_signature_nid X509_get_signature_nid +# define ns_ASN1_STRING_get0_data ASN1_STRING_get0_data +# endif static const BIGNUM *ns_RSA_get0_n(const RSA *d) { @@ -164,298 +167,20 @@ static const BIGNUM *ns_RSA_get0_e(const RSA *d) { return d->e; } - -static int ns_EVP_PKEY_get_bn_param(const EVP_PKEY *pkey, - const char *key_name, BIGNUM **bn) { - RSA *rsa; - BIGNUM *result = NULL; - - /* Check parameters: only support allocation-form *bn */ - if (pkey == NULL || key_name == NULL || bn == NULL || *bn != NULL) - return 0; - - /* Only support RSA keys */ - if (EVP_PKEY_base_id(pkey) != EVP_PKEY_RSA) - return 0; - - rsa = EVP_PKEY_get1_RSA((EVP_PKEY *) pkey); - if (rsa == NULL) - return 0; - - if (strcmp(key_name, "n") == 0) { - const BIGNUM *n = ns_RSA_get0_n(rsa); - if (n != NULL) - result = BN_dup(n); - } else if (strcmp(key_name, "e") == 0) { - const BIGNUM *e = ns_RSA_get0_e(rsa); - if (e != NULL) - result = BN_dup(e); - } - - RSA_free(rsa); - - *bn = result; - - return (result != NULL) ? 1 : 0; -} - -static int ns_EVP_PKEY_get_utf8_string_param(const EVP_PKEY *pkey, - const char *key_name, char *str, size_t max_len, - size_t *out_len) -{ - const EC_GROUP *ecgroup; - const char *group; - EC_KEY *ec; - int ret = 0; - - if (pkey == NULL || key_name == NULL) - return 0; - - /* Only support EC keys */ - if (EVP_PKEY_base_id(pkey) != EVP_PKEY_EC) - return 0; - - /* Only support fetching the group */ - if (strcmp(key_name, "group") != 0) - return 0; - - ec = EVP_PKEY_get1_EC_KEY((EVP_PKEY *) pkey); - - ecgroup = EC_KEY_get0_group(ec); - if (ecgroup == NULL) { - group = ""; - } else { - group = OBJ_nid2ln(EC_GROUP_get_curve_name(ecgroup)); - } - - if (str != NULL && max_len > strlen(group)) { - strcpy(str, group); - str[strlen(group)] = '\0'; - ret = 1; - } - if (out_len != NULL) - *out_len = strlen(group); - - EC_KEY_free(ec); - - return ret; -} - -static int ns_EVP_PKEY_get_octet_string_param(const EVP_PKEY *pkey, - const char *key_name, unsigned char *buf, size_t max_len, - size_t *out_len) -{ - const EC_GROUP *ecgroup; - const EC_POINT *ecpoint; - size_t len; - BN_CTX *bnctx; - EC_KEY *ec; - int ret = 0; - - if (pkey == NULL || key_name == NULL) - return 0; - - /* Only support EC keys */ - if (EVP_PKEY_base_id(pkey) != EVP_PKEY_EC) - return 0; - - if (strcmp(key_name, "encoded-pub-key") != 0) - return 0; - - ec = EVP_PKEY_get1_EC_KEY((EVP_PKEY *) pkey); - if (ec == NULL) - return 0; - - ecgroup = EC_KEY_get0_group(ec); - if (ecgroup != NULL) { - ecpoint = EC_KEY_get0_public_key(ec); - if (ecpoint != NULL) { - bnctx = BN_CTX_new(); - len = EC_POINT_point2oct(ecgroup, - ecpoint, - POINT_CONVERSION_UNCOMPRESSED, - NULL, - 0, - bnctx); - if (len != 0 && len <= max_len) { - if (EC_POINT_point2oct(ecgroup, - ecpoint, - POINT_CONVERSION_UNCOMPRESSED, - buf, - len, - bnctx) == len) - ret = 1; - } - if (out_len != NULL) - *out_len = len; - BN_CTX_free(bnctx); - } - } - - EC_KEY_free(ec); - - return ret; -} -#elif (OPENSSL_VERSION_NUMBER < 0x1010100fL) -/* 1.1.0 */ -#define ns_X509_get_signature_nid X509_get_signature_nid -#define ns_ASN1_STRING_get0_data ASN1_STRING_get0_data - -static const BIGNUM *ns_RSA_get0_n(const RSA *r) -{ - const BIGNUM *n; - const BIGNUM *e; - const BIGNUM *d; - RSA_get0_key(r, &n, &e, &d); - return n; -} - -static const BIGNUM *ns_RSA_get0_e(const RSA *r) -{ - const BIGNUM *n; - const BIGNUM *e; - const BIGNUM *d; - RSA_get0_key(r, &n, &e, &d); - return e; -} - -static int ns_EVP_PKEY_get_bn_param(const EVP_PKEY *pkey, - const char *key_name, BIGNUM **bn) { - RSA *rsa; - BIGNUM *result = NULL; - - /* Check parameters: only support allocation-form *bn */ - if (pkey == NULL || key_name == NULL || bn == NULL || *bn != NULL) - return 0; - - /* Only support RSA keys */ - if (EVP_PKEY_base_id(pkey) != EVP_PKEY_RSA) - return 0; - - rsa = EVP_PKEY_get1_RSA((EVP_PKEY *) pkey); - if (rsa == NULL) - return 0; - - if (strcmp(key_name, "n") == 0) { - const BIGNUM *n = ns_RSA_get0_n(rsa); - if (n != NULL) - result = BN_dup(n); - } else if (strcmp(key_name, "e") == 0) { - const BIGNUM *e = ns_RSA_get0_e(rsa); - if (e != NULL) - result = BN_dup(e); - } - - RSA_free(rsa); - - *bn = result; - - return (result != NULL) ? 1 : 0; -} - -static int ns_EVP_PKEY_get_utf8_string_param(const EVP_PKEY *pkey, - const char *key_name, char *str, size_t max_len, - size_t *out_len) -{ - const EC_GROUP *ecgroup; - const char *group; - EC_KEY *ec; - int ret = 0; - - if (pkey == NULL || key_name == NULL) - return 0; - - /* Only support EC keys */ - if (EVP_PKEY_base_id(pkey) != EVP_PKEY_EC) - return 0; - - /* Only support fetching the group */ - if (strcmp(key_name, "group") != 0) - return 0; - - ec = EVP_PKEY_get1_EC_KEY((EVP_PKEY *) pkey); - - ecgroup = EC_KEY_get0_group(ec); - if (ecgroup == NULL) { - group = ""; - } else { - group = OBJ_nid2ln(EC_GROUP_get_curve_name(ecgroup)); - } - - if (str != NULL && max_len > strlen(group)) { - strcpy(str, group); - str[strlen(group)] = '\0'; - ret = 1; - } - if (out_len != NULL) - *out_len = strlen(group); - - EC_KEY_free(ec); - - return ret; -} - -static int ns_EVP_PKEY_get_octet_string_param(const EVP_PKEY *pkey, - const char *key_name, unsigned char *buf, size_t max_len, - size_t *out_len) -{ - const EC_GROUP *ecgroup; - const EC_POINT *ecpoint; - size_t len; - BN_CTX *bnctx; - EC_KEY *ec; - int ret = 0; - - if (pkey == NULL || key_name == NULL) - return 0; - - /* Only support EC keys */ - if (EVP_PKEY_base_id(pkey) != EVP_PKEY_EC) - return 0; - - if (strcmp(key_name, "encoded-pub-key") != 0) - return 0; - - ec = EVP_PKEY_get1_EC_KEY((EVP_PKEY *) pkey); - if (ec == NULL) - return 0; - - ecgroup = EC_KEY_get0_group(ec); - if (ecgroup != NULL) { - ecpoint = EC_KEY_get0_public_key(ec); - if (ecpoint != NULL) { - bnctx = BN_CTX_new(); - len = EC_POINT_point2oct(ecgroup, - ecpoint, - POINT_CONVERSION_UNCOMPRESSED, - NULL, - 0, - bnctx); - if (len != 0 && len <= max_len) { - if (EC_POINT_point2oct(ecgroup, - ecpoint, - POINT_CONVERSION_UNCOMPRESSED, - buf, - len, - bnctx) == len) - ret = 1; - } - if (out_len != NULL) - *out_len = len; - BN_CTX_free(bnctx); - } - } - - EC_KEY_free(ec); - - return ret; -} -#elif (OPENSSL_VERSION_NUMBER < 0x30000000L) -/* 1.1.1 */ -#define ns_X509_get_signature_nid X509_get_signature_nid -#define ns_ASN1_STRING_get0_data ASN1_STRING_get0_data -#define ns_RSA_get0_n RSA_get0_n -#define ns_RSA_get0_e RSA_get0_e +# else + /* LibreSSL >= 3.5.0 */ +# define ns_X509_get_signature_nid X509_get_signature_nid +# define ns_ASN1_STRING_get0_data ASN1_STRING_get0_data +# define ns_RSA_get0_n RSA_get0_n +# define ns_RSA_get0_e RSA_get0_e +# endif +# else + /* OpenSSL 1.1.1 */ +# define ns_X509_get_signature_nid X509_get_signature_nid +# define ns_ASN1_STRING_get0_data ASN1_STRING_get0_data +# define ns_RSA_get0_n RSA_get0_n +# define ns_RSA_get0_e RSA_get0_e +# endif static int ns_EVP_PKEY_get_bn_param(const EVP_PKEY *pkey, const char *key_name, BIGNUM **bn) { @@ -589,7 +314,7 @@ static int ns_EVP_PKEY_get_octet_string_param(const EVP_PKEY *pkey, return ret; } #else -/* 3.x and later */ +/* OpenSSL 3.x and later */ #define ns_X509_get_signature_nid X509_get_signature_nid #define ns_ASN1_STRING_get0_data ASN1_STRING_get0_data #define ns_RSA_get0_n RSA_get0_n |