From 5199c5b98a264b30a1dae25e582e34e095a2b863 Mon Sep 17 00:00:00 2001 From: Hasebur Sinha Date: Sat, 18 Apr 2026 23:58:07 +0600 Subject: [PATCH] Use accessors for ASN1_STRING internally in PKCS7 To make data structures opaque, replaced direct member access (->data, ->length) with the equivalent ASN1_STRING accessor functions in the PKCS7 module. Fixes #29861 CLA: trivial Reviewed-by: Nikola Pajkovsky Reviewed-by: Frederik Wedel-Heinen MergeDate: Thu Apr 30 07:19:58 2026 (Merged from https://github.com/openssl/openssl/pull/30896) --- crypto/pkcs7/pk7_attr.c | 6 +++--- crypto/pkcs7/pk7_doit.c | 27 +++++++++++++++++---------- crypto/pkcs7/pk7_smime.c | 2 +- 3 files changed, 21 insertions(+), 14 deletions(-) diff --git a/crypto/pkcs7/pk7_attr.c b/crypto/pkcs7/pk7_attr.c index 79ae7281bb0..b865d973565 100644 --- a/crypto/pkcs7/pk7_attr.c +++ b/crypto/pkcs7/pk7_attr.c @@ -30,7 +30,7 @@ int PKCS7_add_attrib_smimecap(PKCS7_SIGNER_INFO *si, } seq->length = ASN1_item_i2d((ASN1_VALUE *)cap, &seq->data, ASN1_ITEM_rptr(X509_ALGORS)); - if (seq->length <= 0 || seq->data == NULL) { + if (ASN1_STRING_length(seq) <= 0 || ASN1_STRING_get0_data(seq) == NULL) { ASN1_STRING_free(seq); return 1; } @@ -50,9 +50,9 @@ STACK_OF(X509_ALGOR) *PKCS7_get_smimecap(PKCS7_SIGNER_INFO *si) cap = PKCS7_get_signed_attribute(si, NID_SMIMECapabilities); if (cap == NULL || (cap->type != V_ASN1_SEQUENCE)) return NULL; - p = cap->value.sequence->data; + p = ASN1_STRING_get0_data(cap->value.sequence); return (STACK_OF(X509_ALGOR) *) - ASN1_item_d2i(NULL, &p, cap->value.sequence->length, + ASN1_item_d2i(NULL, &p, ASN1_STRING_length(cap->value.sequence), ASN1_ITEM_rptr(X509_ALGORS)); } diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c index 28d43dfaf6f..bc8028e1b19 100644 --- a/crypto/pkcs7/pk7_doit.c +++ b/crypto/pkcs7/pk7_doit.c @@ -74,8 +74,8 @@ static ASN1_OCTET_STRING *pkcs7_get1_data(PKCS7 *p7) if (PKCS7_type_is_other(p7) && (p7->d.other != NULL) && (p7->d.other->type == V_ASN1_SEQUENCE) && (p7->d.other->value.sequence != NULL) - && (p7->d.other->value.sequence->length > 0)) { - const unsigned char *data = p7->d.other->value.sequence->data; + && (ASN1_STRING_length(p7->d.other->value.sequence) > 0)) { + const unsigned char *data = ASN1_STRING_get0_data(p7->d.other->value.sequence); long len; int inf, tag, class; @@ -83,7 +83,7 @@ static ASN1_OCTET_STRING *pkcs7_get1_data(PKCS7 *p7) if (os == NULL) return NULL; inf = ASN1_get_object(&data, &len, &tag, &class, - p7->d.other->value.sequence->length); + ASN1_STRING_length(p7->d.other->value.sequence)); if (inf != V_ASN1_CONSTRUCTED || tag != V_ASN1_SEQUENCE || !ASN1_OCTET_STRING_set(os, data, len)) { ASN1_OCTET_STRING_free(os); @@ -205,7 +205,7 @@ static int pkcs7_decrypt_rinfo(unsigned char **pek, int *peklen, EVP_PKEY_CTX_ctrl_str(pctx, "rsa_pkcs1_implicit_rejection", "0"); ret = evp_pkey_decrypt_alloc(pctx, &ek, &eklen, fixlen, - ri->enc_key->data, ri->enc_key->length); + ASN1_STRING_get0_data(ri->enc_key), ASN1_STRING_length(ri->enc_key)); if (ret <= 0) goto err; @@ -378,7 +378,7 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio) if (bio == NULL) { if (PKCS7_is_detached(p7)) { bio = BIO_new(BIO_s_null()); - } else if (os != NULL && os->length > 0) { + } else if (os != NULL && ASN1_STRING_length(os) > 0) { /* * bio needs a copy of os->data instead of a pointer because * the data will be used after os has been freed @@ -386,7 +386,9 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio) bio = BIO_new(BIO_s_mem()); if (bio != NULL) { BIO_set_mem_eof_return(bio, 0); - if (BIO_write(bio, os->data, os->length) != os->length) { + const unsigned char *os_data = ASN1_STRING_get0_data(os); + int os_len = ASN1_STRING_length(os); + if (BIO_write(bio, os_data, os_len) != os_len) { BIO_free_all(bio); bio = NULL; } @@ -661,8 +663,10 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert) if (in_bio != NULL) { bio = in_bio; } else { - if (data_body->length > 0) - bio = BIO_new_mem_buf(data_body->data, data_body->length); + int data_body_len = ASN1_STRING_length(data_body); + if (data_body_len > 0) + bio = BIO_new_mem_buf(ASN1_STRING_get0_data(data_body), + data_body_len); else { bio = BIO_new(BIO_s_mem()); if (bio == NULL) @@ -1113,7 +1117,8 @@ int PKCS7_signatureVerify(BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si, ERR_raise(ERR_LIB_PKCS7, PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST); goto err; } - if ((message_digest->length != (int)md_len) || (memcmp(message_digest->data, md_dat, md_len))) { + if ((ASN1_STRING_length(message_digest) != (int)md_len) + || (memcmp(ASN1_STRING_get0_data(message_digest), md_dat, md_len))) { ERR_raise(ERR_LIB_PKCS7, PKCS7_R_DIGEST_FAILURE); ret = -1; goto err; @@ -1143,7 +1148,9 @@ int PKCS7_signatureVerify(BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si, goto err; } - i = EVP_VerifyFinal_ex(mdc_tmp, os->data, os->length, pkey, libctx, propq); + const unsigned char *sig_data = ASN1_STRING_get0_data(os); + int sig_len = ASN1_STRING_length(os); + i = EVP_VerifyFinal_ex(mdc_tmp, sig_data, sig_len, pkey, libctx, propq); if (i <= 0) { ERR_raise(ERR_LIB_PKCS7, PKCS7_R_SIGNATURE_FAILURE); ret = -1; diff --git a/crypto/pkcs7/pk7_smime.c b/crypto/pkcs7/pk7_smime.c index ccceffd380e..4bf26331c1a 100644 --- a/crypto/pkcs7/pk7_smime.c +++ b/crypto/pkcs7/pk7_smime.c @@ -200,7 +200,7 @@ static int pkcs7_copy_existing_digest(PKCS7 *p7, PKCS7_SIGNER_INFO *si) } if (osdig != NULL) - return PKCS7_add1_attrib_digest(si, osdig->data, osdig->length); + return PKCS7_add1_attrib_digest(si, ASN1_STRING_get0_data(osdig), ASN1_STRING_length(osdig)); ERR_raise(ERR_LIB_PKCS7, PKCS7_R_NO_MATCHING_DIGEST_TYPE_FOUND); return 0; -- 2.47.3