1 /* $OpenBSD: asn1_item.c,v 1.5 2022/05/24 20:20:19 tb Exp $ */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58 /* ====================================================================
59 * Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111
112 #include <limits.h>
113
114 #include <openssl/buffer.h>
115 #include <openssl/err.h>
116 #include <openssl/evp.h>
117 #include <openssl/x509.h>
118
119 #include "asn1_locl.h"
120 #include "evp_locl.h"
121
122 /*
123 * ASN1_ITEM version of dup: this follows the model above except we don't need
124 * to allocate the buffer. At some point this could be rewritten to directly dup
125 * the underlying structure instead of doing and encode and decode.
126 */
127
128 int
ASN1_item_digest(const ASN1_ITEM * it,const EVP_MD * type,void * asn,unsigned char * md,unsigned int * len)129 ASN1_item_digest(const ASN1_ITEM *it, const EVP_MD *type, void *asn,
130 unsigned char *md, unsigned int *len)
131 {
132 int i;
133 unsigned char *str = NULL;
134
135 i = ASN1_item_i2d(asn, &str, it);
136 if (!str)
137 return (0);
138
139 if (!EVP_Digest(str, i, md, len, type, NULL)) {
140 free(str);
141 return (0);
142 }
143
144 free(str);
145 return (1);
146 }
147
148 void *
ASN1_item_dup(const ASN1_ITEM * it,void * x)149 ASN1_item_dup(const ASN1_ITEM *it, void *x)
150 {
151 unsigned char *b = NULL;
152 const unsigned char *p;
153 long i;
154 void *ret;
155
156 if (x == NULL)
157 return (NULL);
158
159 i = ASN1_item_i2d(x, &b, it);
160 if (b == NULL) {
161 ASN1error(ERR_R_MALLOC_FAILURE);
162 return (NULL);
163 }
164 p = b;
165 ret = ASN1_item_d2i(NULL, &p, i, it);
166 free(b);
167 return (ret);
168 }
169
170 /* Pack an ASN1 object into an ASN1_STRING. */
171 ASN1_STRING *
ASN1_item_pack(void * obj,const ASN1_ITEM * it,ASN1_STRING ** oct)172 ASN1_item_pack(void *obj, const ASN1_ITEM *it, ASN1_STRING **oct)
173 {
174 ASN1_STRING *octmp;
175
176 if (!oct || !*oct) {
177 if (!(octmp = ASN1_STRING_new ())) {
178 ASN1error(ERR_R_MALLOC_FAILURE);
179 return NULL;
180 }
181 } else
182 octmp = *oct;
183
184 free(octmp->data);
185 octmp->data = NULL;
186
187 if (!(octmp->length = ASN1_item_i2d(obj, &octmp->data, it))) {
188 ASN1error(ASN1_R_ENCODE_ERROR);
189 goto err;
190 }
191 if (!octmp->data) {
192 ASN1error(ERR_R_MALLOC_FAILURE);
193 goto err;
194 }
195 if (oct)
196 *oct = octmp;
197 return octmp;
198 err:
199 if (!oct || octmp != *oct)
200 ASN1_STRING_free(octmp);
201 return NULL;
202 }
203
204 /* Extract an ASN1 object from an ASN1_STRING. */
205 void *
ASN1_item_unpack(const ASN1_STRING * oct,const ASN1_ITEM * it)206 ASN1_item_unpack(const ASN1_STRING *oct, const ASN1_ITEM *it)
207 {
208 const unsigned char *p;
209 void *ret;
210
211 p = oct->data;
212 if (!(ret = ASN1_item_d2i(NULL, &p, oct->length, it)))
213 ASN1error(ASN1_R_DECODE_ERROR);
214 return ret;
215 }
216
217 int
ASN1_item_sign(const ASN1_ITEM * it,X509_ALGOR * algor1,X509_ALGOR * algor2,ASN1_BIT_STRING * signature,void * asn,EVP_PKEY * pkey,const EVP_MD * type)218 ASN1_item_sign(const ASN1_ITEM *it, X509_ALGOR *algor1, X509_ALGOR *algor2,
219 ASN1_BIT_STRING *signature, void *asn, EVP_PKEY *pkey, const EVP_MD *type)
220 {
221 EVP_MD_CTX ctx;
222 EVP_MD_CTX_init(&ctx);
223 if (!EVP_DigestSignInit(&ctx, NULL, type, NULL, pkey)) {
224 EVP_MD_CTX_cleanup(&ctx);
225 return 0;
226 }
227 return ASN1_item_sign_ctx(it, algor1, algor2, signature, asn, &ctx);
228 }
229
230 int
ASN1_item_sign_ctx(const ASN1_ITEM * it,X509_ALGOR * algor1,X509_ALGOR * algor2,ASN1_BIT_STRING * signature,void * asn,EVP_MD_CTX * ctx)231 ASN1_item_sign_ctx(const ASN1_ITEM *it, X509_ALGOR *algor1, X509_ALGOR *algor2,
232 ASN1_BIT_STRING *signature, void *asn, EVP_MD_CTX *ctx)
233 {
234 const EVP_MD *type;
235 EVP_PKEY *pkey;
236 unsigned char *buf_in = NULL, *buf_out = NULL;
237 size_t buf_out_len = 0;
238 int in_len = 0, out_len = 0;
239 int signid, paramtype;
240 int rv = 2;
241 int ret = 0;
242
243 type = EVP_MD_CTX_md(ctx);
244 pkey = EVP_PKEY_CTX_get0_pkey(ctx->pctx);
245
246 if (!type || !pkey) {
247 ASN1error(ASN1_R_CONTEXT_NOT_INITIALISED);
248 return 0;
249 }
250
251 if (pkey->ameth->item_sign) {
252 rv = pkey->ameth->item_sign(ctx, it, asn, algor1, algor2,
253 signature);
254 if (rv == 1)
255 out_len = signature->length;
256 /* Return value meanings:
257 * <=0: error.
258 * 1: method does everything.
259 * 2: carry on as normal.
260 * 3: ASN1 method sets algorithm identifiers: just sign.
261 */
262 if (rv <= 0)
263 ASN1error(ERR_R_EVP_LIB);
264 if (rv <= 1)
265 goto err;
266 }
267
268 if (rv == 2) {
269 if (!pkey->ameth ||
270 !OBJ_find_sigid_by_algs(&signid, EVP_MD_nid(type),
271 pkey->ameth->pkey_id)) {
272 ASN1error(ASN1_R_DIGEST_AND_KEY_TYPE_NOT_SUPPORTED);
273 return 0;
274 }
275
276 if (pkey->ameth->pkey_flags & ASN1_PKEY_SIGPARAM_NULL)
277 paramtype = V_ASN1_NULL;
278 else
279 paramtype = V_ASN1_UNDEF;
280
281 if (algor1)
282 X509_ALGOR_set0(algor1,
283 OBJ_nid2obj(signid), paramtype, NULL);
284 if (algor2)
285 X509_ALGOR_set0(algor2,
286 OBJ_nid2obj(signid), paramtype, NULL);
287
288 }
289
290 if ((in_len = ASN1_item_i2d(asn, &buf_in, it)) <= 0) {
291 in_len = 0;
292 goto err;
293 }
294
295 if ((out_len = EVP_PKEY_size(pkey)) <= 0) {
296 out_len = 0;
297 goto err;
298 }
299
300 if ((buf_out = malloc(out_len)) == NULL) {
301 ASN1error(ERR_R_MALLOC_FAILURE);
302 goto err;
303 }
304
305 buf_out_len = out_len;
306 if (!EVP_DigestSignUpdate(ctx, buf_in, in_len) ||
307 !EVP_DigestSignFinal(ctx, buf_out, &buf_out_len)) {
308 ASN1error(ERR_R_EVP_LIB);
309 goto err;
310 }
311
312 if (buf_out_len > INT_MAX) {
313 ASN1error(ASN1_R_TOO_LONG);
314 goto err;
315 }
316
317 ASN1_STRING_set0(signature, buf_out, (int)buf_out_len);
318 buf_out = NULL;
319
320 if (!asn1_abs_set_unused_bits(signature, 0)) {
321 ASN1error(ERR_R_ASN1_LIB);
322 goto err;
323 }
324
325 ret = (int)buf_out_len;
326 err:
327 EVP_MD_CTX_cleanup(ctx);
328 freezero(buf_in, in_len);
329 freezero(buf_out, out_len);
330
331 return ret;
332 }
333
334 int
ASN1_item_verify(const ASN1_ITEM * it,X509_ALGOR * a,ASN1_BIT_STRING * signature,void * asn,EVP_PKEY * pkey)335 ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a,
336 ASN1_BIT_STRING *signature, void *asn, EVP_PKEY *pkey)
337 {
338 EVP_MD_CTX ctx;
339 unsigned char *buf_in = NULL;
340 int ret = -1, inl;
341
342 int mdnid, pknid;
343
344 if (!pkey) {
345 ASN1error(ERR_R_PASSED_NULL_PARAMETER);
346 return -1;
347 }
348
349 if (signature->type == V_ASN1_BIT_STRING && signature->flags & 0x7)
350 {
351 ASN1error(ASN1_R_INVALID_BIT_STRING_BITS_LEFT);
352 return -1;
353 }
354
355 EVP_MD_CTX_init(&ctx);
356
357 /* Convert signature OID into digest and public key OIDs */
358 if (!OBJ_find_sigid_algs(OBJ_obj2nid(a->algorithm), &mdnid, &pknid)) {
359 ASN1error(ASN1_R_UNKNOWN_SIGNATURE_ALGORITHM);
360 goto err;
361 }
362 if (mdnid == NID_undef) {
363 if (!pkey->ameth || !pkey->ameth->item_verify) {
364 ASN1error(ASN1_R_UNKNOWN_SIGNATURE_ALGORITHM);
365 goto err;
366 }
367 ret = pkey->ameth->item_verify(&ctx, it, asn, a,
368 signature, pkey);
369 /* Return value of 2 means carry on, anything else means we
370 * exit straight away: either a fatal error of the underlying
371 * verification routine handles all verification.
372 */
373 if (ret != 2)
374 goto err;
375 ret = -1;
376 } else {
377 const EVP_MD *type;
378 type = EVP_get_digestbynid(mdnid);
379 if (type == NULL) {
380 ASN1error(ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM);
381 goto err;
382 }
383
384 /* Check public key OID matches public key type */
385 if (EVP_PKEY_type(pknid) != pkey->ameth->pkey_id) {
386 ASN1error(ASN1_R_WRONG_PUBLIC_KEY_TYPE);
387 goto err;
388 }
389
390 if (!EVP_DigestVerifyInit(&ctx, NULL, type, NULL, pkey)) {
391 ASN1error(ERR_R_EVP_LIB);
392 ret = 0;
393 goto err;
394 }
395
396 }
397
398 inl = ASN1_item_i2d(asn, &buf_in, it);
399
400 if (buf_in == NULL) {
401 ASN1error(ERR_R_MALLOC_FAILURE);
402 goto err;
403 }
404
405 if (!EVP_DigestVerifyUpdate(&ctx, buf_in, inl)) {
406 ASN1error(ERR_R_EVP_LIB);
407 ret = 0;
408 goto err;
409 }
410
411 freezero(buf_in, (unsigned int)inl);
412
413 if (EVP_DigestVerifyFinal(&ctx, signature->data,
414 (size_t)signature->length) <= 0) {
415 ASN1error(ERR_R_EVP_LIB);
416 ret = 0;
417 goto err;
418 }
419 /* we don't need to zero the 'ctx' because we just checked
420 * public information */
421 /* memset(&ctx,0,sizeof(ctx)); */
422 ret = 1;
423
424 err:
425 EVP_MD_CTX_cleanup(&ctx);
426 return (ret);
427 }
428
429 #define HEADER_SIZE 8
430 #define ASN1_CHUNK_INITIAL_SIZE (16 * 1024)
431 int
asn1_d2i_read_bio(BIO * in,BUF_MEM ** pb)432 asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
433 {
434 BUF_MEM *b;
435 unsigned char *p;
436 const unsigned char *q;
437 long slen;
438 int i, inf, tag, xclass;
439 size_t want = HEADER_SIZE;
440 int eos = 0;
441 size_t off = 0;
442 size_t len = 0;
443
444 b = BUF_MEM_new();
445 if (b == NULL) {
446 ASN1error(ERR_R_MALLOC_FAILURE);
447 return -1;
448 }
449
450 ERR_clear_error();
451 for (;;) {
452 if (want >= (len - off)) {
453 want -= (len - off);
454
455 if (len + want < len ||
456 !BUF_MEM_grow_clean(b, len + want)) {
457 ASN1error(ERR_R_MALLOC_FAILURE);
458 goto err;
459 }
460 i = BIO_read(in, &(b->data[len]), want);
461 if ((i < 0) && ((len - off) == 0)) {
462 ASN1error(ASN1_R_NOT_ENOUGH_DATA);
463 goto err;
464 }
465 if (i > 0) {
466 if (len + i < len) {
467 ASN1error(ASN1_R_TOO_LONG);
468 goto err;
469 }
470 len += i;
471 }
472 }
473 /* else data already loaded */
474
475 p = (unsigned char *) & (b->data[off]);
476 q = p;
477 inf = ASN1_get_object(&q, &slen, &tag, &xclass, len - off);
478 if (inf & 0x80) {
479 unsigned long e;
480
481 e = ERR_GET_REASON(ERR_peek_error());
482 if (e != ASN1_R_TOO_LONG)
483 goto err;
484 else
485 ERR_clear_error(); /* clear error */
486 }
487 i = q - p; /* header length */
488 off += i; /* end of data */
489
490 if (inf & 1) {
491 /* no data body so go round again */
492 eos++;
493 if (eos < 0) {
494 ASN1error(ASN1_R_HEADER_TOO_LONG);
495 goto err;
496 }
497 want = HEADER_SIZE;
498 } else if (eos && slen == 0 && tag == V_ASN1_EOC) {
499 /* eos value, so go back and read another header */
500 eos--;
501 if (eos <= 0)
502 break;
503 else
504 want = HEADER_SIZE;
505 } else {
506 /* suck in slen bytes of data */
507 want = slen;
508 if (want > (len - off)) {
509 size_t chunk_max = ASN1_CHUNK_INITIAL_SIZE;
510
511 want -= (len - off);
512 if (want > INT_MAX /* BIO_read takes an int length */ ||
513 len+want < len) {
514 ASN1error(ASN1_R_TOO_LONG);
515 goto err;
516 }
517 while (want > 0) {
518 /*
519 * Read content in chunks of increasing size
520 * so we can return an error for EOF without
521 * having to allocate the entire content length
522 * in one go.
523 */
524 size_t chunk = want > chunk_max ? chunk_max : want;
525
526 if (!BUF_MEM_grow_clean(b, len + chunk)) {
527 ASN1error(ERR_R_MALLOC_FAILURE);
528 goto err;
529 }
530 want -= chunk;
531 while (chunk > 0) {
532 i = BIO_read(in, &(b->data[len]), chunk);
533 if (i <= 0) {
534 ASN1error(ASN1_R_NOT_ENOUGH_DATA);
535 goto err;
536 }
537 /*
538 * This can't overflow because |len+want|
539 * didn't overflow.
540 */
541 len += i;
542 chunk -= i;
543 }
544 if (chunk_max < INT_MAX/2)
545 chunk_max *= 2;
546 }
547 }
548 if (off + slen < off) {
549 ASN1error(ASN1_R_TOO_LONG);
550 goto err;
551 }
552 off += slen;
553 if (eos <= 0) {
554 break;
555 } else
556 want = HEADER_SIZE;
557 }
558 }
559
560 if (off > INT_MAX) {
561 ASN1error(ASN1_R_TOO_LONG);
562 goto err;
563 }
564
565 *pb = b;
566 return off;
567
568 err:
569 if (b != NULL)
570 BUF_MEM_free(b);
571 return -1;
572 }
573
574 void *
ASN1_item_d2i_bio(const ASN1_ITEM * it,BIO * in,void * x)575 ASN1_item_d2i_bio(const ASN1_ITEM *it, BIO *in, void *x)
576 {
577 BUF_MEM *b = NULL;
578 const unsigned char *p;
579 void *ret = NULL;
580 int len;
581
582 len = asn1_d2i_read_bio(in, &b);
583 if (len < 0)
584 goto err;
585
586 p = (const unsigned char *)b->data;
587 ret = ASN1_item_d2i(x, &p, len, it);
588
589 err:
590 if (b != NULL)
591 BUF_MEM_free(b);
592 return (ret);
593 }
594
595 void *
ASN1_item_d2i_fp(const ASN1_ITEM * it,FILE * in,void * x)596 ASN1_item_d2i_fp(const ASN1_ITEM *it, FILE *in, void *x)
597 {
598 BIO *b;
599 char *ret;
600
601 if ((b = BIO_new(BIO_s_file())) == NULL) {
602 ASN1error(ERR_R_BUF_LIB);
603 return (NULL);
604 }
605 BIO_set_fp(b, in, BIO_NOCLOSE);
606 ret = ASN1_item_d2i_bio(it, b, x);
607 BIO_free(b);
608 return (ret);
609 }
610
611 int
ASN1_item_i2d_bio(const ASN1_ITEM * it,BIO * out,void * x)612 ASN1_item_i2d_bio(const ASN1_ITEM *it, BIO *out, void *x)
613 {
614 unsigned char *b = NULL;
615 int i, j = 0, n, ret = 1;
616
617 n = ASN1_item_i2d(x, &b, it);
618 if (b == NULL) {
619 ASN1error(ERR_R_MALLOC_FAILURE);
620 return (0);
621 }
622
623 for (;;) {
624 i = BIO_write(out, &(b[j]), n);
625 if (i == n)
626 break;
627 if (i <= 0) {
628 ret = 0;
629 break;
630 }
631 j += i;
632 n -= i;
633 }
634 free(b);
635 return (ret);
636 }
637
638 int
ASN1_item_i2d_fp(const ASN1_ITEM * it,FILE * out,void * x)639 ASN1_item_i2d_fp(const ASN1_ITEM *it, FILE *out, void *x)
640 {
641 BIO *b;
642 int ret;
643
644 if ((b = BIO_new(BIO_s_file())) == NULL) {
645 ASN1error(ERR_R_BUF_LIB);
646 return (0);
647 }
648 BIO_set_fp(b, out, BIO_NOCLOSE);
649 ret = ASN1_item_i2d_bio(it, b, x);
650 BIO_free(b);
651 return (ret);
652 }
653