mirror of
https://github.com/ossrs/srs.git
synced 2025-03-09 15:49:59 +00:00
AppleM1: Update openssl to v1.1.1l
This commit is contained in:
parent
1fe12b8e8c
commit
b787656eea
990 changed files with 13406 additions and 18710 deletions
|
@ -10,9 +10,9 @@
|
|||
#include "internal/cryptlib.h"
|
||||
#include <openssl/x509.h>
|
||||
#include <openssl/x509v3.h>
|
||||
#include "internal/x509_int.h"
|
||||
#include "crypto/x509.h"
|
||||
|
||||
#include "pcy_int.h"
|
||||
#include "pcy_local.h"
|
||||
|
||||
static int policy_data_cmp(const X509_POLICY_DATA *const *a,
|
||||
const X509_POLICY_DATA *const *b);
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 2004-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2004-2020 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
|
@ -11,7 +11,7 @@
|
|||
#include <openssl/x509.h>
|
||||
#include <openssl/x509v3.h>
|
||||
|
||||
#include "pcy_int.h"
|
||||
#include "pcy_local.h"
|
||||
|
||||
/* Policy Node routines */
|
||||
|
||||
|
@ -52,6 +52,7 @@ X509_POLICY_DATA *policy_data_new(POLICYINFO *policy,
|
|||
ret = OPENSSL_zalloc(sizeof(*ret));
|
||||
if (ret == NULL) {
|
||||
X509V3err(X509V3_F_POLICY_DATA_NEW, ERR_R_MALLOC_FAILURE);
|
||||
ASN1_OBJECT_free(id);
|
||||
return NULL;
|
||||
}
|
||||
ret->expected_policy_set = sk_ASN1_OBJECT_new_null();
|
||||
|
|
|
@ -11,7 +11,7 @@
|
|||
#include <openssl/x509.h>
|
||||
#include <openssl/x509v3.h>
|
||||
|
||||
#include "pcy_int.h"
|
||||
#include "pcy_local.h"
|
||||
|
||||
/* accessor functions */
|
||||
|
||||
|
|
|
@ -10,9 +10,9 @@
|
|||
#include "internal/cryptlib.h"
|
||||
#include <openssl/x509.h>
|
||||
#include <openssl/x509v3.h>
|
||||
#include "internal/x509_int.h"
|
||||
#include "crypto/x509.h"
|
||||
|
||||
#include "pcy_int.h"
|
||||
#include "pcy_local.h"
|
||||
|
||||
/*
|
||||
* Set policy mapping entries in cache. Note: this modifies the passed
|
||||
|
|
|
@ -12,7 +12,7 @@
|
|||
#include <openssl/x509v3.h>
|
||||
#include <openssl/err.h>
|
||||
|
||||
#include "pcy_int.h"
|
||||
#include "pcy_local.h"
|
||||
|
||||
static int node_cmp(const X509_POLICY_NODE *const *a,
|
||||
const X509_POLICY_NODE *const *b)
|
||||
|
|
|
@ -11,7 +11,7 @@
|
|||
#include <openssl/x509.h>
|
||||
#include <openssl/x509v3.h>
|
||||
|
||||
#include "pcy_int.h"
|
||||
#include "pcy_local.h"
|
||||
|
||||
/*
|
||||
* Enable this to print out the complete policy tree at various point during
|
||||
|
|
|
@ -20,7 +20,7 @@
|
|||
#include <openssl/asn1t.h>
|
||||
#include <openssl/buffer.h>
|
||||
#include <openssl/x509v3.h>
|
||||
#include "internal/x509_int.h"
|
||||
#include "crypto/x509.h"
|
||||
#include "ext_dat.h"
|
||||
|
||||
#ifndef OPENSSL_NO_RFC3779
|
||||
|
|
|
@ -7,8 +7,8 @@
|
|||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
#ifndef HEADER_V3_ADMISSION_H
|
||||
# define HEADER_V3_ADMISSION_H
|
||||
#ifndef OSSL_CRYPTO_X509V3_V3_ADMIS_H
|
||||
# define OSSL_CRYPTO_X509V3_V3_ADMIS_H
|
||||
|
||||
struct NamingAuthority_st {
|
||||
ASN1_OBJECT* namingAuthorityId;
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
|
@ -39,20 +39,48 @@ static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
|
|||
STACK_OF(CONF_VALUE)
|
||||
*extlist)
|
||||
{
|
||||
char *tmp;
|
||||
char *tmp = NULL;
|
||||
STACK_OF(CONF_VALUE) *origextlist = extlist, *tmpextlist;
|
||||
|
||||
if (akeyid->keyid) {
|
||||
tmp = OPENSSL_buf2hexstr(akeyid->keyid->data, akeyid->keyid->length);
|
||||
X509V3_add_value("keyid", tmp, &extlist);
|
||||
if (tmp == NULL) {
|
||||
X509V3err(X509V3_F_I2V_AUTHORITY_KEYID, ERR_R_MALLOC_FAILURE);
|
||||
return NULL;
|
||||
}
|
||||
if (!X509V3_add_value("keyid", tmp, &extlist)) {
|
||||
OPENSSL_free(tmp);
|
||||
X509V3err(X509V3_F_I2V_AUTHORITY_KEYID, ERR_R_X509_LIB);
|
||||
goto err;
|
||||
}
|
||||
OPENSSL_free(tmp);
|
||||
}
|
||||
if (akeyid->issuer)
|
||||
extlist = i2v_GENERAL_NAMES(NULL, akeyid->issuer, extlist);
|
||||
if (akeyid->issuer) {
|
||||
tmpextlist = i2v_GENERAL_NAMES(NULL, akeyid->issuer, extlist);
|
||||
if (tmpextlist == NULL) {
|
||||
X509V3err(X509V3_F_I2V_AUTHORITY_KEYID, ERR_R_X509_LIB);
|
||||
goto err;
|
||||
}
|
||||
extlist = tmpextlist;
|
||||
}
|
||||
if (akeyid->serial) {
|
||||
tmp = OPENSSL_buf2hexstr(akeyid->serial->data, akeyid->serial->length);
|
||||
X509V3_add_value("serial", tmp, &extlist);
|
||||
if (tmp == NULL) {
|
||||
X509V3err(X509V3_F_I2V_AUTHORITY_KEYID, ERR_R_MALLOC_FAILURE);
|
||||
goto err;
|
||||
}
|
||||
if (!X509V3_add_value("serial", tmp, &extlist)) {
|
||||
OPENSSL_free(tmp);
|
||||
X509V3err(X509V3_F_I2V_AUTHORITY_KEYID, ERR_R_X509_LIB);
|
||||
goto err;
|
||||
}
|
||||
OPENSSL_free(tmp);
|
||||
}
|
||||
return extlist;
|
||||
err:
|
||||
if (origextlist == NULL)
|
||||
sk_CONF_VALUE_pop_free(extlist, X509V3_conf_free);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
/*-
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 1999-2017 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
|
@ -9,6 +9,7 @@
|
|||
|
||||
#include <stdio.h>
|
||||
#include "internal/cryptlib.h"
|
||||
#include "crypto/x509.h"
|
||||
#include <openssl/conf.h>
|
||||
#include <openssl/x509v3.h>
|
||||
#include "ext_dat.h"
|
||||
|
@ -52,11 +53,24 @@ STACK_OF(CONF_VALUE) *i2v_GENERAL_NAMES(X509V3_EXT_METHOD *method,
|
|||
{
|
||||
int i;
|
||||
GENERAL_NAME *gen;
|
||||
STACK_OF(CONF_VALUE) *tmpret = NULL, *origret = ret;
|
||||
|
||||
for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
|
||||
gen = sk_GENERAL_NAME_value(gens, i);
|
||||
ret = i2v_GENERAL_NAME(method, gen, ret);
|
||||
/*
|
||||
* i2v_GENERAL_NAME allocates ret if it is NULL. If something goes
|
||||
* wrong we need to free the stack - but only if it was empty when we
|
||||
* originally entered this function.
|
||||
*/
|
||||
tmpret = i2v_GENERAL_NAME(method, gen, ret);
|
||||
if (tmpret == NULL) {
|
||||
if (origret == NULL)
|
||||
sk_CONF_VALUE_pop_free(ret, X509V3_conf_free);
|
||||
return NULL;
|
||||
}
|
||||
ret = tmpret;
|
||||
}
|
||||
if (!ret)
|
||||
if (ret == NULL)
|
||||
return sk_CONF_VALUE_new_null();
|
||||
return ret;
|
||||
}
|
||||
|
@ -86,17 +100,20 @@ STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(X509V3_EXT_METHOD *method,
|
|||
break;
|
||||
|
||||
case GEN_EMAIL:
|
||||
if (!X509V3_add_value_uchar("email", gen->d.ia5->data, &ret))
|
||||
if (!x509v3_add_len_value_uchar("email", gen->d.ia5->data,
|
||||
gen->d.ia5->length, &ret))
|
||||
return NULL;
|
||||
break;
|
||||
|
||||
case GEN_DNS:
|
||||
if (!X509V3_add_value_uchar("DNS", gen->d.ia5->data, &ret))
|
||||
if (!x509v3_add_len_value_uchar("DNS", gen->d.ia5->data,
|
||||
gen->d.ia5->length, &ret))
|
||||
return NULL;
|
||||
break;
|
||||
|
||||
case GEN_URI:
|
||||
if (!X509V3_add_value_uchar("URI", gen->d.ia5->data, &ret))
|
||||
if (!x509v3_add_len_value_uchar("URI", gen->d.ia5->data,
|
||||
gen->d.ia5->length, &ret))
|
||||
return NULL;
|
||||
break;
|
||||
|
||||
|
@ -157,15 +174,18 @@ int GENERAL_NAME_print(BIO *out, GENERAL_NAME *gen)
|
|||
break;
|
||||
|
||||
case GEN_EMAIL:
|
||||
BIO_printf(out, "email:%s", gen->d.ia5->data);
|
||||
BIO_printf(out, "email:");
|
||||
ASN1_STRING_print(out, gen->d.ia5);
|
||||
break;
|
||||
|
||||
case GEN_DNS:
|
||||
BIO_printf(out, "DNS:%s", gen->d.ia5->data);
|
||||
BIO_printf(out, "DNS:");
|
||||
ASN1_STRING_print(out, gen->d.ia5);
|
||||
break;
|
||||
|
||||
case GEN_URI:
|
||||
BIO_printf(out, "URI:%s", gen->d.ia5->data);
|
||||
BIO_printf(out, "URI:");
|
||||
ASN1_STRING_print(out, gen->d.ia5);
|
||||
break;
|
||||
|
||||
case GEN_DIRNAME:
|
||||
|
@ -259,6 +279,7 @@ static int copy_issuer(X509V3_CTX *ctx, GENERAL_NAMES *gens)
|
|||
num = sk_GENERAL_NAME_num(ialt);
|
||||
if (!sk_GENERAL_NAME_reserve(gens, num)) {
|
||||
X509V3err(X509V3_F_COPY_ISSUER, ERR_R_MALLOC_FAILURE);
|
||||
sk_GENERAL_NAME_free(ialt);
|
||||
goto err;
|
||||
}
|
||||
|
||||
|
|
|
@ -20,7 +20,7 @@
|
|||
#include <openssl/asn1t.h>
|
||||
#include <openssl/x509v3.h>
|
||||
#include <openssl/x509.h>
|
||||
#include "internal/x509_int.h"
|
||||
#include "crypto/x509.h"
|
||||
#include <openssl/bn.h>
|
||||
#include "ext_dat.h"
|
||||
|
||||
|
@ -256,6 +256,7 @@ static int extract_min_max(ASIdOrRange *aor,
|
|||
static int ASIdentifierChoice_is_canonical(ASIdentifierChoice *choice)
|
||||
{
|
||||
ASN1_INTEGER *a_max_plus_one = NULL;
|
||||
ASN1_INTEGER *orig;
|
||||
BIGNUM *bn = NULL;
|
||||
int i, ret = 0;
|
||||
|
||||
|
@ -298,9 +299,15 @@ static int ASIdentifierChoice_is_canonical(ASIdentifierChoice *choice)
|
|||
*/
|
||||
if ((bn == NULL && (bn = BN_new()) == NULL) ||
|
||||
ASN1_INTEGER_to_BN(a_max, bn) == NULL ||
|
||||
!BN_add_word(bn, 1) ||
|
||||
(a_max_plus_one =
|
||||
BN_to_ASN1_INTEGER(bn, a_max_plus_one)) == NULL) {
|
||||
!BN_add_word(bn, 1)) {
|
||||
X509V3err(X509V3_F_ASIDENTIFIERCHOICE_IS_CANONICAL,
|
||||
ERR_R_MALLOC_FAILURE);
|
||||
goto done;
|
||||
}
|
||||
|
||||
if ((a_max_plus_one =
|
||||
BN_to_ASN1_INTEGER(bn, orig = a_max_plus_one)) == NULL) {
|
||||
a_max_plus_one = orig;
|
||||
X509V3err(X509V3_F_ASIDENTIFIERCHOICE_IS_CANONICAL,
|
||||
ERR_R_MALLOC_FAILURE);
|
||||
goto done;
|
||||
|
@ -351,6 +358,7 @@ int X509v3_asid_is_canonical(ASIdentifiers *asid)
|
|||
static int ASIdentifierChoice_canonize(ASIdentifierChoice *choice)
|
||||
{
|
||||
ASN1_INTEGER *a_max_plus_one = NULL;
|
||||
ASN1_INTEGER *orig;
|
||||
BIGNUM *bn = NULL;
|
||||
int i, ret = 0;
|
||||
|
||||
|
@ -416,9 +424,15 @@ static int ASIdentifierChoice_canonize(ASIdentifierChoice *choice)
|
|||
*/
|
||||
if ((bn == NULL && (bn = BN_new()) == NULL) ||
|
||||
ASN1_INTEGER_to_BN(a_max, bn) == NULL ||
|
||||
!BN_add_word(bn, 1) ||
|
||||
(a_max_plus_one =
|
||||
BN_to_ASN1_INTEGER(bn, a_max_plus_one)) == NULL) {
|
||||
!BN_add_word(bn, 1)) {
|
||||
X509V3err(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE,
|
||||
ERR_R_MALLOC_FAILURE);
|
||||
goto done;
|
||||
}
|
||||
|
||||
if ((a_max_plus_one =
|
||||
BN_to_ASN1_INTEGER(bn, orig = a_max_plus_one)) == NULL) {
|
||||
a_max_plus_one = orig;
|
||||
X509V3err(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE,
|
||||
ERR_R_MALLOC_FAILURE);
|
||||
goto done;
|
||||
|
|
|
@ -10,11 +10,11 @@
|
|||
/* extension creation utilities */
|
||||
|
||||
#include <stdio.h>
|
||||
#include "internal/ctype.h"
|
||||
#include "crypto/ctype.h"
|
||||
#include "internal/cryptlib.h"
|
||||
#include <openssl/conf.h>
|
||||
#include <openssl/x509.h>
|
||||
#include "internal/x509_int.h"
|
||||
#include "crypto/x509.h"
|
||||
#include <openssl/x509v3.h>
|
||||
|
||||
static int v3_check_critical(const char **value);
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 1999-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
|
@ -14,7 +14,7 @@
|
|||
#include <openssl/asn1t.h>
|
||||
#include <openssl/x509v3.h>
|
||||
|
||||
#include "pcy_int.h"
|
||||
#include "pcy_local.h"
|
||||
#include "ext_dat.h"
|
||||
|
||||
/* Certificate policies extension support: this one is a bit complex... */
|
||||
|
@ -422,7 +422,8 @@ static void print_qualifiers(BIO *out, STACK_OF(POLICYQUALINFO) *quals,
|
|||
qualinfo = sk_POLICYQUALINFO_value(quals, i);
|
||||
switch (OBJ_obj2nid(qualinfo->pqualid)) {
|
||||
case NID_id_qt_cps:
|
||||
BIO_printf(out, "%*sCPS: %s\n", indent, "",
|
||||
BIO_printf(out, "%*sCPS: %.*s\n", indent, "",
|
||||
qualinfo->d.cpsuri->length,
|
||||
qualinfo->d.cpsuri->data);
|
||||
break;
|
||||
|
||||
|
@ -447,7 +448,8 @@ static void print_notice(BIO *out, USERNOTICE *notice, int indent)
|
|||
if (notice->noticeref) {
|
||||
NOTICEREF *ref;
|
||||
ref = notice->noticeref;
|
||||
BIO_printf(out, "%*sOrganization: %s\n", indent, "",
|
||||
BIO_printf(out, "%*sOrganization: %.*s\n", indent, "",
|
||||
ref->organization->length,
|
||||
ref->organization->data);
|
||||
BIO_printf(out, "%*sNumber%s: ", indent, "",
|
||||
sk_ASN1_INTEGER_num(ref->noticenos) > 1 ? "s" : "");
|
||||
|
@ -470,7 +472,8 @@ static void print_notice(BIO *out, USERNOTICE *notice, int indent)
|
|||
BIO_puts(out, "\n");
|
||||
}
|
||||
if (notice->exptext)
|
||||
BIO_printf(out, "%*sExplicit Text: %s\n", indent, "",
|
||||
BIO_printf(out, "%*sExplicit Text: %.*s\n", indent, "",
|
||||
notice->exptext->length,
|
||||
notice->exptext->data);
|
||||
}
|
||||
|
||||
|
|
|
@ -14,7 +14,7 @@
|
|||
#include <openssl/asn1t.h>
|
||||
#include <openssl/x509v3.h>
|
||||
|
||||
#include "internal/x509_int.h"
|
||||
#include "crypto/x509.h"
|
||||
#include "ext_dat.h"
|
||||
|
||||
static void *v2i_crld(const X509V3_EXT_METHOD *method,
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1999-2020 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
|
@ -22,8 +22,9 @@ ASN1_SEQUENCE(OTHERNAME) = {
|
|||
IMPLEMENT_ASN1_FUNCTIONS(OTHERNAME)
|
||||
|
||||
ASN1_SEQUENCE(EDIPARTYNAME) = {
|
||||
ASN1_IMP_OPT(EDIPARTYNAME, nameAssigner, DIRECTORYSTRING, 0),
|
||||
ASN1_IMP_OPT(EDIPARTYNAME, partyName, DIRECTORYSTRING, 1)
|
||||
/* DirectoryString is a CHOICE type so use explicit tagging */
|
||||
ASN1_EXP_OPT(EDIPARTYNAME, nameAssigner, DIRECTORYSTRING, 0),
|
||||
ASN1_EXP(EDIPARTYNAME, partyName, DIRECTORYSTRING, 1)
|
||||
} ASN1_SEQUENCE_END(EDIPARTYNAME)
|
||||
|
||||
IMPLEMENT_ASN1_FUNCTIONS(EDIPARTYNAME)
|
||||
|
@ -57,6 +58,37 @@ GENERAL_NAME *GENERAL_NAME_dup(GENERAL_NAME *a)
|
|||
(char *)a);
|
||||
}
|
||||
|
||||
static int edipartyname_cmp(const EDIPARTYNAME *a, const EDIPARTYNAME *b)
|
||||
{
|
||||
int res;
|
||||
|
||||
if (a == NULL || b == NULL) {
|
||||
/*
|
||||
* Shouldn't be possible in a valid GENERAL_NAME, but we handle it
|
||||
* anyway. OTHERNAME_cmp treats NULL != NULL so we do the same here
|
||||
*/
|
||||
return -1;
|
||||
}
|
||||
if (a->nameAssigner == NULL && b->nameAssigner != NULL)
|
||||
return -1;
|
||||
if (a->nameAssigner != NULL && b->nameAssigner == NULL)
|
||||
return 1;
|
||||
/* If we get here then both have nameAssigner set, or both unset */
|
||||
if (a->nameAssigner != NULL) {
|
||||
res = ASN1_STRING_cmp(a->nameAssigner, b->nameAssigner);
|
||||
if (res != 0)
|
||||
return res;
|
||||
}
|
||||
/*
|
||||
* partyName is required, so these should never be NULL. We treat it in
|
||||
* the same way as the a == NULL || b == NULL case above
|
||||
*/
|
||||
if (a->partyName == NULL || b->partyName == NULL)
|
||||
return -1;
|
||||
|
||||
return ASN1_STRING_cmp(a->partyName, b->partyName);
|
||||
}
|
||||
|
||||
/* Returns 0 if they are equal, != 0 otherwise. */
|
||||
int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b)
|
||||
{
|
||||
|
@ -66,8 +98,11 @@ int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b)
|
|||
return -1;
|
||||
switch (a->type) {
|
||||
case GEN_X400:
|
||||
result = ASN1_TYPE_cmp(a->d.x400Address, b->d.x400Address);
|
||||
break;
|
||||
|
||||
case GEN_EDIPARTY:
|
||||
result = ASN1_TYPE_cmp(a->d.other, b->d.other);
|
||||
result = edipartyname_cmp(a->d.ediPartyName, b->d.ediPartyName);
|
||||
break;
|
||||
|
||||
case GEN_OTHERNAME:
|
||||
|
@ -114,8 +149,11 @@ void GENERAL_NAME_set0_value(GENERAL_NAME *a, int type, void *value)
|
|||
{
|
||||
switch (type) {
|
||||
case GEN_X400:
|
||||
a->d.x400Address = value;
|
||||
break;
|
||||
|
||||
case GEN_EDIPARTY:
|
||||
a->d.other = value;
|
||||
a->d.ediPartyName = value;
|
||||
break;
|
||||
|
||||
case GEN_OTHERNAME:
|
||||
|
@ -143,14 +181,16 @@ void GENERAL_NAME_set0_value(GENERAL_NAME *a, int type, void *value)
|
|||
a->type = type;
|
||||
}
|
||||
|
||||
void *GENERAL_NAME_get0_value(GENERAL_NAME *a, int *ptype)
|
||||
void *GENERAL_NAME_get0_value(const GENERAL_NAME *a, int *ptype)
|
||||
{
|
||||
if (ptype)
|
||||
*ptype = a->type;
|
||||
switch (a->type) {
|
||||
case GEN_X400:
|
||||
return a->d.x400Address;
|
||||
|
||||
case GEN_EDIPARTY:
|
||||
return a->d.other;
|
||||
return a->d.ediPartyName;
|
||||
|
||||
case GEN_OTHERNAME:
|
||||
return a->d.otherName;
|
||||
|
@ -188,7 +228,7 @@ int GENERAL_NAME_set0_othername(GENERAL_NAME *gen,
|
|||
return 1;
|
||||
}
|
||||
|
||||
int GENERAL_NAME_get0_otherName(GENERAL_NAME *gen,
|
||||
int GENERAL_NAME_get0_otherName(const GENERAL_NAME *gen,
|
||||
ASN1_OBJECT **poid, ASN1_TYPE **pvalue)
|
||||
{
|
||||
if (gen->type != GEN_OTHERNAME)
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 2003-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2003-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
|
@ -10,12 +10,12 @@
|
|||
#include "internal/cryptlib.h"
|
||||
#include "internal/numbers.h"
|
||||
#include <stdio.h>
|
||||
#include "internal/asn1_int.h"
|
||||
#include "crypto/asn1.h"
|
||||
#include <openssl/asn1t.h>
|
||||
#include <openssl/conf.h>
|
||||
#include <openssl/x509v3.h>
|
||||
|
||||
#include "internal/x509_int.h"
|
||||
#include "crypto/x509.h"
|
||||
#include "ext_dat.h"
|
||||
|
||||
static void *v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method,
|
||||
|
@ -63,8 +63,31 @@ ASN1_SEQUENCE(NAME_CONSTRAINTS) = {
|
|||
IMPLEMENT_ASN1_ALLOC_FUNCTIONS(GENERAL_SUBTREE)
|
||||
IMPLEMENT_ASN1_ALLOC_FUNCTIONS(NAME_CONSTRAINTS)
|
||||
|
||||
|
||||
#define IA5_OFFSET_LEN(ia5base, offset) \
|
||||
((ia5base)->length - ((unsigned char *)(offset) - (ia5base)->data))
|
||||
|
||||
/* Like memchr but for ASN1_IA5STRING. Additionally you can specify the
|
||||
* starting point to search from
|
||||
*/
|
||||
# define ia5memchr(str, start, c) memchr(start, c, IA5_OFFSET_LEN(str, start))
|
||||
|
||||
/* Like memrrchr but for ASN1_IA5STRING */
|
||||
static char *ia5memrchr(ASN1_IA5STRING *str, int c)
|
||||
{
|
||||
int i;
|
||||
|
||||
for (i = str->length; i > 0 && str->data[i - 1] != c; i--);
|
||||
|
||||
if (i == 0)
|
||||
return NULL;
|
||||
|
||||
return (char *)&str->data[i - 1];
|
||||
}
|
||||
|
||||
/*
|
||||
* We cannot use strncasecmp here because that applies locale specific rules.
|
||||
* We cannot use strncasecmp here because that applies locale specific rules. It
|
||||
* also doesn't work with ASN1_STRINGs that may have embedded NUL characters.
|
||||
* For example in Turkish 'I' is not the uppercase character for 'i'. We need to
|
||||
* do a simple ASCII case comparison ignoring the locale (that is why we use
|
||||
* numeric constants below).
|
||||
|
@ -89,20 +112,12 @@ static int ia5ncasecmp(const char *s1, const char *s2, size_t n)
|
|||
|
||||
/* c1 > c2 */
|
||||
return 1;
|
||||
} else if (*s1 == 0) {
|
||||
/* If we get here we know that *s2 == 0 too */
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int ia5casecmp(const char *s1, const char *s2)
|
||||
{
|
||||
return ia5ncasecmp(s1, s2, SIZE_MAX);
|
||||
}
|
||||
|
||||
static void *v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method,
|
||||
X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
|
||||
{
|
||||
|
@ -337,7 +352,7 @@ static int cn2dnsid(ASN1_STRING *cn, unsigned char **dnsid, size_t *idlen)
|
|||
--utf8_length;
|
||||
|
||||
/* Reject *embedded* NULs */
|
||||
if ((size_t)utf8_length != strlen((char *)utf8_value)) {
|
||||
if (memchr(utf8_value, 0, utf8_length) != NULL) {
|
||||
OPENSSL_free(utf8_value);
|
||||
return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
|
||||
}
|
||||
|
@ -536,9 +551,14 @@ static int nc_dns(ASN1_IA5STRING *dns, ASN1_IA5STRING *base)
|
|||
{
|
||||
char *baseptr = (char *)base->data;
|
||||
char *dnsptr = (char *)dns->data;
|
||||
|
||||
/* Empty matches everything */
|
||||
if (!*baseptr)
|
||||
if (base->length == 0)
|
||||
return X509_V_OK;
|
||||
|
||||
if (dns->length < base->length)
|
||||
return X509_V_ERR_PERMITTED_VIOLATION;
|
||||
|
||||
/*
|
||||
* Otherwise can add zero or more components on the left so compare RHS
|
||||
* and if dns is longer and expect '.' as preceding character.
|
||||
|
@ -549,7 +569,7 @@ static int nc_dns(ASN1_IA5STRING *dns, ASN1_IA5STRING *base)
|
|||
return X509_V_ERR_PERMITTED_VIOLATION;
|
||||
}
|
||||
|
||||
if (ia5casecmp(baseptr, dnsptr))
|
||||
if (ia5ncasecmp(baseptr, dnsptr, base->length))
|
||||
return X509_V_ERR_PERMITTED_VIOLATION;
|
||||
|
||||
return X509_V_OK;
|
||||
|
@ -560,16 +580,17 @@ static int nc_email(ASN1_IA5STRING *eml, ASN1_IA5STRING *base)
|
|||
{
|
||||
const char *baseptr = (char *)base->data;
|
||||
const char *emlptr = (char *)eml->data;
|
||||
const char *baseat = ia5memrchr(base, '@');
|
||||
const char *emlat = ia5memrchr(eml, '@');
|
||||
size_t basehostlen, emlhostlen;
|
||||
|
||||
const char *baseat = strchr(baseptr, '@');
|
||||
const char *emlat = strchr(emlptr, '@');
|
||||
if (!emlat)
|
||||
return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
|
||||
/* Special case: initial '.' is RHS match */
|
||||
if (!baseat && (*baseptr == '.')) {
|
||||
if (!baseat && base->length > 0 && (*baseptr == '.')) {
|
||||
if (eml->length > base->length) {
|
||||
emlptr += eml->length - base->length;
|
||||
if (ia5casecmp(baseptr, emlptr) == 0)
|
||||
if (ia5ncasecmp(baseptr, emlptr, base->length) == 0)
|
||||
return X509_V_OK;
|
||||
}
|
||||
return X509_V_ERR_PERMITTED_VIOLATION;
|
||||
|
@ -589,8 +610,10 @@ static int nc_email(ASN1_IA5STRING *eml, ASN1_IA5STRING *base)
|
|||
baseptr = baseat + 1;
|
||||
}
|
||||
emlptr = emlat + 1;
|
||||
basehostlen = IA5_OFFSET_LEN(base, baseptr);
|
||||
emlhostlen = IA5_OFFSET_LEN(eml, emlptr);
|
||||
/* Just have hostname left to match: case insensitive */
|
||||
if (ia5casecmp(baseptr, emlptr))
|
||||
if (basehostlen != emlhostlen || ia5ncasecmp(baseptr, emlptr, emlhostlen))
|
||||
return X509_V_ERR_PERMITTED_VIOLATION;
|
||||
|
||||
return X509_V_OK;
|
||||
|
@ -601,10 +624,14 @@ static int nc_uri(ASN1_IA5STRING *uri, ASN1_IA5STRING *base)
|
|||
{
|
||||
const char *baseptr = (char *)base->data;
|
||||
const char *hostptr = (char *)uri->data;
|
||||
const char *p = strchr(hostptr, ':');
|
||||
const char *p = ia5memchr(uri, (char *)uri->data, ':');
|
||||
int hostlen;
|
||||
|
||||
/* Check for foo:// and skip past it */
|
||||
if (!p || (p[1] != '/') || (p[2] != '/'))
|
||||
if (p == NULL
|
||||
|| IA5_OFFSET_LEN(uri, p) < 3
|
||||
|| p[1] != '/'
|
||||
|| p[2] != '/')
|
||||
return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
|
||||
hostptr = p + 3;
|
||||
|
||||
|
@ -612,13 +639,13 @@ static int nc_uri(ASN1_IA5STRING *uri, ASN1_IA5STRING *base)
|
|||
|
||||
/* Look for a port indicator as end of hostname first */
|
||||
|
||||
p = strchr(hostptr, ':');
|
||||
p = ia5memchr(uri, hostptr, ':');
|
||||
/* Otherwise look for trailing slash */
|
||||
if (!p)
|
||||
p = strchr(hostptr, '/');
|
||||
if (p == NULL)
|
||||
p = ia5memchr(uri, hostptr, '/');
|
||||
|
||||
if (!p)
|
||||
hostlen = strlen(hostptr);
|
||||
if (p == NULL)
|
||||
hostlen = IA5_OFFSET_LEN(uri, hostptr);
|
||||
else
|
||||
hostlen = p - hostptr;
|
||||
|
||||
|
@ -626,7 +653,7 @@ static int nc_uri(ASN1_IA5STRING *uri, ASN1_IA5STRING *base)
|
|||
return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
|
||||
|
||||
/* Special case: initial '.' is RHS match */
|
||||
if (*baseptr == '.') {
|
||||
if (base->length > 0 && *baseptr == '.') {
|
||||
if (hostlen > base->length) {
|
||||
p = hostptr + hostlen - base->length;
|
||||
if (ia5ncasecmp(p, baseptr, base->length) == 0)
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 2004-2016 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
|
@ -77,7 +77,8 @@ static int i2r_pci(X509V3_EXT_METHOD *method, PROXY_CERT_INFO_EXTENSION *pci,
|
|||
i2a_ASN1_OBJECT(out, pci->proxyPolicy->policyLanguage);
|
||||
BIO_puts(out, "\n");
|
||||
if (pci->proxyPolicy->policy && pci->proxyPolicy->policy->data)
|
||||
BIO_printf(out, "%*sPolicy Text: %s\n", indent, "",
|
||||
BIO_printf(out, "%*sPolicy Text: %.*s\n", indent, "",
|
||||
pci->proxyPolicy->policy->length,
|
||||
pci->proxyPolicy->policy->data);
|
||||
return 1;
|
||||
}
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 1999-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
|
@ -12,7 +12,8 @@
|
|||
#include "internal/numbers.h"
|
||||
#include <openssl/x509v3.h>
|
||||
#include <openssl/x509_vfy.h>
|
||||
#include "internal/x509_int.h"
|
||||
#include "crypto/x509.h"
|
||||
#include "../x509/x509_local.h" /* for x509_signing_allowed() */
|
||||
#include "internal/tsan_assist.h"
|
||||
|
||||
static void x509v3_cache_extensions(X509 *x);
|
||||
|
@ -81,6 +82,8 @@ int X509_check_purpose(X509 *x, int id, int ca)
|
|||
const X509_PURPOSE *pt;
|
||||
|
||||
x509v3_cache_extensions(x);
|
||||
if (x->ex_flags & EXFLAG_INVALID)
|
||||
return -1;
|
||||
|
||||
/* Return if side-effect only call */
|
||||
if (id == -1)
|
||||
|
@ -300,10 +303,11 @@ int X509_supported_extension(X509_EXTENSION *ex)
|
|||
return 0;
|
||||
}
|
||||
|
||||
static void setup_dp(X509 *x, DIST_POINT *dp)
|
||||
static int setup_dp(X509 *x, DIST_POINT *dp)
|
||||
{
|
||||
X509_NAME *iname = NULL;
|
||||
int i;
|
||||
|
||||
if (dp->reasons) {
|
||||
if (dp->reasons->length > 0)
|
||||
dp->dp_reasons = dp->reasons->data[0];
|
||||
|
@ -313,7 +317,7 @@ static void setup_dp(X509 *x, DIST_POINT *dp)
|
|||
} else
|
||||
dp->dp_reasons = CRLDP_ALL_REASONS;
|
||||
if (!dp->distpoint || (dp->distpoint->type != 1))
|
||||
return;
|
||||
return 1;
|
||||
for (i = 0; i < sk_GENERAL_NAME_num(dp->CRLissuer); i++) {
|
||||
GENERAL_NAME *gen = sk_GENERAL_NAME_value(dp->CRLissuer, i);
|
||||
if (gen->type == GEN_DIRNAME) {
|
||||
|
@ -324,16 +328,39 @@ static void setup_dp(X509 *x, DIST_POINT *dp)
|
|||
if (!iname)
|
||||
iname = X509_get_issuer_name(x);
|
||||
|
||||
DIST_POINT_set_dpname(dp->distpoint, iname);
|
||||
|
||||
return DIST_POINT_set_dpname(dp->distpoint, iname);
|
||||
}
|
||||
|
||||
static void setup_crldp(X509 *x)
|
||||
static int setup_crldp(X509 *x)
|
||||
{
|
||||
int i;
|
||||
x->crldp = X509_get_ext_d2i(x, NID_crl_distribution_points, NULL, NULL);
|
||||
for (i = 0; i < sk_DIST_POINT_num(x->crldp); i++)
|
||||
setup_dp(x, sk_DIST_POINT_value(x->crldp, i));
|
||||
|
||||
x->crldp = X509_get_ext_d2i(x, NID_crl_distribution_points, &i, NULL);
|
||||
if (x->crldp == NULL && i != -1)
|
||||
return 0;
|
||||
for (i = 0; i < sk_DIST_POINT_num(x->crldp); i++) {
|
||||
if (!setup_dp(x, sk_DIST_POINT_value(x->crldp, i)))
|
||||
return 0;
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
/* Check that issuer public key algorithm matches subject signature algorithm */
|
||||
static int check_sig_alg_match(const EVP_PKEY *pkey, const X509 *subject)
|
||||
{
|
||||
int pkey_sig_nid, subj_sig_nid;
|
||||
|
||||
if (pkey == NULL)
|
||||
return X509_V_ERR_NO_ISSUER_PUBLIC_KEY;
|
||||
if (OBJ_find_sigid_algs(EVP_PKEY_base_id(pkey),
|
||||
NULL, &pkey_sig_nid) == 0)
|
||||
pkey_sig_nid = EVP_PKEY_base_id(pkey);
|
||||
if (OBJ_find_sigid_algs(OBJ_obj2nid(subject->cert_info.signature.algorithm),
|
||||
NULL, &subj_sig_nid) == 0)
|
||||
return X509_V_ERR_UNSUPPORTED_SIGNATURE_ALGORITHM;
|
||||
if (pkey_sig_nid != EVP_PKEY_type(subj_sig_nid))
|
||||
return X509_V_ERR_SIGNATURE_ALGORITHM_MISMATCH;
|
||||
return X509_V_OK;
|
||||
}
|
||||
|
||||
#define V1_ROOT (EXFLAG_V1|EXFLAG_SS)
|
||||
|
@ -366,28 +393,36 @@ static void x509v3_cache_extensions(X509 *x)
|
|||
return;
|
||||
}
|
||||
|
||||
X509_digest(x, EVP_sha1(), x->sha1_hash, NULL);
|
||||
if (!X509_digest(x, EVP_sha1(), x->sha1_hash, NULL))
|
||||
x->ex_flags |= (EXFLAG_NO_FINGERPRINT | EXFLAG_INVALID);
|
||||
|
||||
/* V1 should mean no extensions ... */
|
||||
if (!X509_get_version(x))
|
||||
x->ex_flags |= EXFLAG_V1;
|
||||
/* Handle basic constraints */
|
||||
if ((bs = X509_get_ext_d2i(x, NID_basic_constraints, NULL, NULL))) {
|
||||
if ((bs = X509_get_ext_d2i(x, NID_basic_constraints, &i, NULL))) {
|
||||
if (bs->ca)
|
||||
x->ex_flags |= EXFLAG_CA;
|
||||
if (bs->pathlen) {
|
||||
if ((bs->pathlen->type == V_ASN1_NEG_INTEGER)
|
||||
|| !bs->ca) {
|
||||
if (bs->pathlen->type == V_ASN1_NEG_INTEGER) {
|
||||
x->ex_flags |= EXFLAG_INVALID;
|
||||
x->ex_pathlen = 0;
|
||||
} else
|
||||
} else {
|
||||
x->ex_pathlen = ASN1_INTEGER_get(bs->pathlen);
|
||||
if (!bs->ca && x->ex_pathlen != 0) {
|
||||
x->ex_flags |= EXFLAG_INVALID;
|
||||
x->ex_pathlen = 0;
|
||||
}
|
||||
}
|
||||
} else
|
||||
x->ex_pathlen = -1;
|
||||
BASIC_CONSTRAINTS_free(bs);
|
||||
x->ex_flags |= EXFLAG_BCONS;
|
||||
} else if (i != -1) {
|
||||
x->ex_flags |= EXFLAG_INVALID;
|
||||
}
|
||||
/* Handle proxy certificates */
|
||||
if ((pci = X509_get_ext_d2i(x, NID_proxyCertInfo, NULL, NULL))) {
|
||||
if ((pci = X509_get_ext_d2i(x, NID_proxyCertInfo, &i, NULL))) {
|
||||
if (x->ex_flags & EXFLAG_CA
|
||||
|| X509_get_ext_by_NID(x, NID_subject_alt_name, -1) >= 0
|
||||
|| X509_get_ext_by_NID(x, NID_issuer_alt_name, -1) >= 0) {
|
||||
|
@ -399,9 +434,11 @@ static void x509v3_cache_extensions(X509 *x)
|
|||
x->ex_pcpathlen = -1;
|
||||
PROXY_CERT_INFO_EXTENSION_free(pci);
|
||||
x->ex_flags |= EXFLAG_PROXY;
|
||||
} else if (i != -1) {
|
||||
x->ex_flags |= EXFLAG_INVALID;
|
||||
}
|
||||
/* Handle key usage */
|
||||
if ((usage = X509_get_ext_d2i(x, NID_key_usage, NULL, NULL))) {
|
||||
if ((usage = X509_get_ext_d2i(x, NID_key_usage, &i, NULL))) {
|
||||
if (usage->length > 0) {
|
||||
x->ex_kusage = usage->data[0];
|
||||
if (usage->length > 1)
|
||||
|
@ -410,9 +447,11 @@ static void x509v3_cache_extensions(X509 *x)
|
|||
x->ex_kusage = 0;
|
||||
x->ex_flags |= EXFLAG_KUSAGE;
|
||||
ASN1_BIT_STRING_free(usage);
|
||||
} else if (i != -1) {
|
||||
x->ex_flags |= EXFLAG_INVALID;
|
||||
}
|
||||
x->ex_xkusage = 0;
|
||||
if ((extusage = X509_get_ext_d2i(x, NID_ext_key_usage, NULL, NULL))) {
|
||||
if ((extusage = X509_get_ext_d2i(x, NID_ext_key_usage, &i, NULL))) {
|
||||
x->ex_flags |= EXFLAG_XKUSAGE;
|
||||
for (i = 0; i < sk_ASN1_OBJECT_num(extusage); i++) {
|
||||
switch (OBJ_obj2nid(sk_ASN1_OBJECT_value(extusage, i))) {
|
||||
|
@ -455,36 +494,50 @@ static void x509v3_cache_extensions(X509 *x)
|
|||
}
|
||||
}
|
||||
sk_ASN1_OBJECT_pop_free(extusage, ASN1_OBJECT_free);
|
||||
} else if (i != -1) {
|
||||
x->ex_flags |= EXFLAG_INVALID;
|
||||
}
|
||||
|
||||
if ((ns = X509_get_ext_d2i(x, NID_netscape_cert_type, NULL, NULL))) {
|
||||
if ((ns = X509_get_ext_d2i(x, NID_netscape_cert_type, &i, NULL))) {
|
||||
if (ns->length > 0)
|
||||
x->ex_nscert = ns->data[0];
|
||||
else
|
||||
x->ex_nscert = 0;
|
||||
x->ex_flags |= EXFLAG_NSCERT;
|
||||
ASN1_BIT_STRING_free(ns);
|
||||
} else if (i != -1) {
|
||||
x->ex_flags |= EXFLAG_INVALID;
|
||||
}
|
||||
x->skid = X509_get_ext_d2i(x, NID_subject_key_identifier, NULL, NULL);
|
||||
x->akid = X509_get_ext_d2i(x, NID_authority_key_identifier, NULL, NULL);
|
||||
x->skid = X509_get_ext_d2i(x, NID_subject_key_identifier, &i, NULL);
|
||||
if (x->skid == NULL && i != -1)
|
||||
x->ex_flags |= EXFLAG_INVALID;
|
||||
x->akid = X509_get_ext_d2i(x, NID_authority_key_identifier, &i, NULL);
|
||||
if (x->akid == NULL && i != -1)
|
||||
x->ex_flags |= EXFLAG_INVALID;
|
||||
/* Does subject name match issuer ? */
|
||||
if (!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x))) {
|
||||
x->ex_flags |= EXFLAG_SI;
|
||||
/* If SKID matches AKID also indicate self signed */
|
||||
if (X509_check_akid(x, x->akid) == X509_V_OK &&
|
||||
!ku_reject(x, KU_KEY_CERT_SIGN))
|
||||
x->ex_flags |= EXFLAG_SS;
|
||||
x->ex_flags |= EXFLAG_SI; /* cert is self-issued */
|
||||
if (X509_check_akid(x, x->akid) == X509_V_OK /* SKID matches AKID */
|
||||
/* .. and the signature alg matches the PUBKEY alg: */
|
||||
&& check_sig_alg_match(X509_get0_pubkey(x), x) == X509_V_OK)
|
||||
x->ex_flags |= EXFLAG_SS; /* indicate self-signed */
|
||||
}
|
||||
x->altname = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
|
||||
x->nc = X509_get_ext_d2i(x, NID_name_constraints, &i, NULL);
|
||||
if (!x->nc && (i != -1))
|
||||
x->altname = X509_get_ext_d2i(x, NID_subject_alt_name, &i, NULL);
|
||||
if (x->altname == NULL && i != -1)
|
||||
x->ex_flags |= EXFLAG_INVALID;
|
||||
x->nc = X509_get_ext_d2i(x, NID_name_constraints, &i, NULL);
|
||||
if (x->nc == NULL && i != -1)
|
||||
x->ex_flags |= EXFLAG_INVALID;
|
||||
if (!setup_crldp(x))
|
||||
x->ex_flags |= EXFLAG_INVALID;
|
||||
setup_crldp(x);
|
||||
|
||||
#ifndef OPENSSL_NO_RFC3779
|
||||
x->rfc3779_addr = X509_get_ext_d2i(x, NID_sbgp_ipAddrBlock, NULL, NULL);
|
||||
x->rfc3779_asid = X509_get_ext_d2i(x, NID_sbgp_autonomousSysNum,
|
||||
NULL, NULL);
|
||||
x->rfc3779_addr = X509_get_ext_d2i(x, NID_sbgp_ipAddrBlock, &i, NULL);
|
||||
if (x->rfc3779_addr == NULL && i != -1)
|
||||
x->ex_flags |= EXFLAG_INVALID;
|
||||
x->rfc3779_asid = X509_get_ext_d2i(x, NID_sbgp_autonomousSysNum, &i, NULL);
|
||||
if (x->rfc3779_asid == NULL && i != -1)
|
||||
x->ex_flags |= EXFLAG_INVALID;
|
||||
#endif
|
||||
for (i = 0; i < X509_get_ext_count(x); i++) {
|
||||
ex = X509_get_ext(x, i);
|
||||
|
@ -516,9 +569,11 @@ static void x509v3_cache_extensions(X509 *x)
|
|||
* return codes:
|
||||
* 0 not a CA
|
||||
* 1 is a CA
|
||||
* 2 basicConstraints absent so "maybe" a CA
|
||||
* 2 Only possible in older versions of openSSL when basicConstraints are absent
|
||||
* new versions will not return this value. May be a CA
|
||||
* 3 basicConstraints absent but self signed V1.
|
||||
* 4 basicConstraints absent but keyUsage present and keyCertSign asserted.
|
||||
* 5 Netscape specific CA Flags present
|
||||
*/
|
||||
|
||||
static int check_ca(const X509 *x)
|
||||
|
@ -757,6 +812,23 @@ static int no_check(const X509_PURPOSE *xp, const X509 *x, int ca)
|
|||
return 1;
|
||||
}
|
||||
|
||||
/*-
|
||||
* Check if certificate I<issuer> is allowed to issue certificate I<subject>
|
||||
* according to the B<keyUsage> field of I<issuer> if present
|
||||
* depending on any proxyCertInfo extension of I<subject>.
|
||||
* Returns 0 for OK, or positive for reason for rejection
|
||||
* where reason codes match those for X509_verify_cert().
|
||||
*/
|
||||
int x509_signing_allowed(const X509 *issuer, const X509 *subject)
|
||||
{
|
||||
if (subject->ex_flags & EXFLAG_PROXY) {
|
||||
if (ku_reject(issuer, KU_DIGITAL_SIGNATURE))
|
||||
return X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE;
|
||||
} else if (ku_reject(issuer, KU_KEY_CERT_SIGN))
|
||||
return X509_V_ERR_KEYUSAGE_NO_CERTSIGN;
|
||||
return X509_V_OK;
|
||||
}
|
||||
|
||||
/*-
|
||||
* Various checks to see if one certificate issued the second.
|
||||
* This can be used to prune a set of possible issuer certificates
|
||||
|
@ -765,19 +837,34 @@ static int no_check(const X509_PURPOSE *xp, const X509 *x, int ca)
|
|||
* These are:
|
||||
* 1. Check issuer_name(subject) == subject_name(issuer)
|
||||
* 2. If akid(subject) exists check it matches issuer
|
||||
* 3. If key_usage(issuer) exists check it supports certificate signing
|
||||
* 3. Check that issuer public key algorithm matches subject signature algorithm
|
||||
* 4. If key_usage(issuer) exists check it supports certificate signing
|
||||
* returns 0 for OK, positive for reason for mismatch, reasons match
|
||||
* codes for X509_verify_cert()
|
||||
*/
|
||||
|
||||
int X509_check_issued(X509 *issuer, X509 *subject)
|
||||
{
|
||||
int ret;
|
||||
|
||||
if ((ret = x509_likely_issued(issuer, subject)) != X509_V_OK)
|
||||
return ret;
|
||||
return x509_signing_allowed(issuer, subject);
|
||||
}
|
||||
|
||||
/* do the checks 1., 2., and 3. as described above for X509_check_issued() */
|
||||
int x509_likely_issued(X509 *issuer, X509 *subject)
|
||||
{
|
||||
if (X509_NAME_cmp(X509_get_subject_name(issuer),
|
||||
X509_get_issuer_name(subject)))
|
||||
return X509_V_ERR_SUBJECT_ISSUER_MISMATCH;
|
||||
|
||||
x509v3_cache_extensions(issuer);
|
||||
if (issuer->ex_flags & EXFLAG_INVALID)
|
||||
return X509_V_ERR_UNSPECIFIED;
|
||||
x509v3_cache_extensions(subject);
|
||||
if (subject->ex_flags & EXFLAG_INVALID)
|
||||
return X509_V_ERR_UNSPECIFIED;
|
||||
|
||||
if (subject->akid) {
|
||||
int ret = X509_check_akid(issuer, subject->akid);
|
||||
|
@ -785,12 +872,8 @@ int X509_check_issued(X509 *issuer, X509 *subject)
|
|||
return ret;
|
||||
}
|
||||
|
||||
if (subject->ex_flags & EXFLAG_PROXY) {
|
||||
if (ku_reject(issuer, KU_DIGITAL_SIGNATURE))
|
||||
return X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE;
|
||||
} else if (ku_reject(issuer, KU_KEY_CERT_SIGN))
|
||||
return X509_V_ERR_KEYUSAGE_NO_CERTSIGN;
|
||||
return X509_V_OK;
|
||||
/* check if the subject signature alg matches the issuer's PUBKEY alg */
|
||||
return check_sig_alg_match(X509_get0_pubkey(issuer), subject);
|
||||
}
|
||||
|
||||
int X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid)
|
||||
|
@ -842,7 +925,8 @@ uint32_t X509_get_extension_flags(X509 *x)
|
|||
uint32_t X509_get_key_usage(X509 *x)
|
||||
{
|
||||
/* Call for side-effect of computing hash and caching extensions */
|
||||
X509_check_purpose(x, -1, -1);
|
||||
if (X509_check_purpose(x, -1, -1) != 1)
|
||||
return 0;
|
||||
if (x->ex_flags & EXFLAG_KUSAGE)
|
||||
return x->ex_kusage;
|
||||
return UINT32_MAX;
|
||||
|
@ -851,7 +935,8 @@ uint32_t X509_get_key_usage(X509 *x)
|
|||
uint32_t X509_get_extended_key_usage(X509 *x)
|
||||
{
|
||||
/* Call for side-effect of computing hash and caching extensions */
|
||||
X509_check_purpose(x, -1, -1);
|
||||
if (X509_check_purpose(x, -1, -1) != 1)
|
||||
return 0;
|
||||
if (x->ex_flags & EXFLAG_XKUSAGE)
|
||||
return x->ex_xkusage;
|
||||
return UINT32_MAX;
|
||||
|
@ -860,17 +945,35 @@ uint32_t X509_get_extended_key_usage(X509 *x)
|
|||
const ASN1_OCTET_STRING *X509_get0_subject_key_id(X509 *x)
|
||||
{
|
||||
/* Call for side-effect of computing hash and caching extensions */
|
||||
X509_check_purpose(x, -1, -1);
|
||||
if (X509_check_purpose(x, -1, -1) != 1)
|
||||
return NULL;
|
||||
return x->skid;
|
||||
}
|
||||
|
||||
const ASN1_OCTET_STRING *X509_get0_authority_key_id(X509 *x)
|
||||
{
|
||||
/* Call for side-effect of computing hash and caching extensions */
|
||||
X509_check_purpose(x, -1, -1);
|
||||
if (X509_check_purpose(x, -1, -1) != 1)
|
||||
return NULL;
|
||||
return (x->akid != NULL ? x->akid->keyid : NULL);
|
||||
}
|
||||
|
||||
const GENERAL_NAMES *X509_get0_authority_issuer(X509 *x)
|
||||
{
|
||||
/* Call for side-effect of computing hash and caching extensions */
|
||||
if (X509_check_purpose(x, -1, -1) != 1)
|
||||
return NULL;
|
||||
return (x->akid != NULL ? x->akid->issuer : NULL);
|
||||
}
|
||||
|
||||
const ASN1_INTEGER *X509_get0_authority_serial(X509 *x)
|
||||
{
|
||||
/* Call for side-effect of computing hash and caching extensions */
|
||||
if (X509_check_purpose(x, -1, -1) != 1)
|
||||
return NULL;
|
||||
return (x->akid != NULL ? x->akid->serial : NULL);
|
||||
}
|
||||
|
||||
long X509_get_pathlen(X509 *x)
|
||||
{
|
||||
/* Called for side effect of caching extensions */
|
||||
|
|
|
@ -10,7 +10,7 @@
|
|||
#include <stdio.h>
|
||||
#include "internal/cryptlib.h"
|
||||
#include <openssl/x509v3.h>
|
||||
#include "internal/x509_int.h"
|
||||
#include "crypto/x509.h"
|
||||
#include "ext_dat.h"
|
||||
|
||||
static ASN1_OCTET_STRING *s2i_skey_id(X509V3_EXT_METHOD *method,
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 1999-2017 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
|
@ -12,11 +12,12 @@
|
|||
#include "e_os.h"
|
||||
#include "internal/cryptlib.h"
|
||||
#include <stdio.h>
|
||||
#include "internal/ctype.h"
|
||||
#include <string.h>
|
||||
#include "crypto/ctype.h"
|
||||
#include <openssl/conf.h>
|
||||
#include <openssl/crypto.h>
|
||||
#include <openssl/x509v3.h>
|
||||
#include "internal/x509_int.h"
|
||||
#include "crypto/x509.h"
|
||||
#include <openssl/bn.h>
|
||||
#include "ext_dat.h"
|
||||
|
||||
|
@ -34,17 +35,26 @@ static int ipv6_hex(unsigned char *out, const char *in, int inlen);
|
|||
|
||||
/* Add a CONF_VALUE name value pair to stack */
|
||||
|
||||
int X509V3_add_value(const char *name, const char *value,
|
||||
STACK_OF(CONF_VALUE) **extlist)
|
||||
static int x509v3_add_len_value(const char *name, const char *value,
|
||||
size_t vallen, STACK_OF(CONF_VALUE) **extlist)
|
||||
{
|
||||
CONF_VALUE *vtmp = NULL;
|
||||
char *tname = NULL, *tvalue = NULL;
|
||||
int sk_allocated = (*extlist == NULL);
|
||||
|
||||
if (name && (tname = OPENSSL_strdup(name)) == NULL)
|
||||
goto err;
|
||||
if (value && (tvalue = OPENSSL_strdup(value)) == NULL)
|
||||
if (name != NULL && (tname = OPENSSL_strdup(name)) == NULL)
|
||||
goto err;
|
||||
if (value != NULL && vallen > 0) {
|
||||
/*
|
||||
* We tolerate a single trailing NUL character, but otherwise no
|
||||
* embedded NULs
|
||||
*/
|
||||
if (memchr(value, 0, vallen - 1) != NULL)
|
||||
goto err;
|
||||
tvalue = OPENSSL_strndup(value, vallen);
|
||||
if (tvalue == NULL)
|
||||
goto err;
|
||||
}
|
||||
if ((vtmp = OPENSSL_malloc(sizeof(*vtmp))) == NULL)
|
||||
goto err;
|
||||
if (sk_allocated && (*extlist = sk_CONF_VALUE_new_null()) == NULL)
|
||||
|
@ -56,7 +66,7 @@ int X509V3_add_value(const char *name, const char *value,
|
|||
goto err;
|
||||
return 1;
|
||||
err:
|
||||
X509V3err(X509V3_F_X509V3_ADD_VALUE, ERR_R_MALLOC_FAILURE);
|
||||
X509V3err(X509V3_F_X509V3_ADD_LEN_VALUE, ERR_R_MALLOC_FAILURE);
|
||||
if (sk_allocated) {
|
||||
sk_CONF_VALUE_free(*extlist);
|
||||
*extlist = NULL;
|
||||
|
@ -67,10 +77,26 @@ int X509V3_add_value(const char *name, const char *value,
|
|||
return 0;
|
||||
}
|
||||
|
||||
int X509V3_add_value(const char *name, const char *value,
|
||||
STACK_OF(CONF_VALUE) **extlist)
|
||||
{
|
||||
return x509v3_add_len_value(name, value,
|
||||
value != NULL ? strlen((const char *)value) : 0,
|
||||
extlist);
|
||||
}
|
||||
|
||||
int X509V3_add_value_uchar(const char *name, const unsigned char *value,
|
||||
STACK_OF(CONF_VALUE) **extlist)
|
||||
{
|
||||
return X509V3_add_value(name, (const char *)value, extlist);
|
||||
return x509v3_add_len_value(name, (const char *)value,
|
||||
value != NULL ? strlen((const char *)value) : 0,
|
||||
extlist);
|
||||
}
|
||||
|
||||
int x509v3_add_len_value_uchar(const char *name, const unsigned char *value,
|
||||
size_t vallen, STACK_OF(CONF_VALUE) **extlist)
|
||||
{
|
||||
return x509v3_add_len_value(name, (const char *)value, vallen, extlist);
|
||||
}
|
||||
|
||||
/* Free function for STACK_OF(CONF_VALUE) */
|
||||
|
@ -502,18 +528,26 @@ static int append_ia5(STACK_OF(OPENSSL_STRING) **sk, const ASN1_IA5STRING *email
|
|||
/* First some sanity checks */
|
||||
if (email->type != V_ASN1_IA5STRING)
|
||||
return 1;
|
||||
if (!email->data || !email->length)
|
||||
if (email->data == NULL || email->length == 0)
|
||||
return 1;
|
||||
if (memchr(email->data, 0, email->length) != NULL)
|
||||
return 1;
|
||||
if (*sk == NULL)
|
||||
*sk = sk_OPENSSL_STRING_new(sk_strcmp);
|
||||
if (*sk == NULL)
|
||||
return 0;
|
||||
|
||||
emtmp = OPENSSL_strndup((char *)email->data, email->length);
|
||||
if (emtmp == NULL)
|
||||
return 0;
|
||||
|
||||
/* Don't add duplicates */
|
||||
if (sk_OPENSSL_STRING_find(*sk, (char *)email->data) != -1)
|
||||
if (sk_OPENSSL_STRING_find(*sk, emtmp) != -1) {
|
||||
OPENSSL_free(emtmp);
|
||||
return 1;
|
||||
emtmp = OPENSSL_strdup((char *)email->data);
|
||||
if (emtmp == NULL || !sk_OPENSSL_STRING_push(*sk, emtmp)) {
|
||||
OPENSSL_free(emtmp); /* free on push failure */
|
||||
}
|
||||
if (!sk_OPENSSL_STRING_push(*sk, emtmp)) {
|
||||
OPENSSL_free(emtmp); /* free on push failure */
|
||||
X509_email_free(*sk);
|
||||
*sk = NULL;
|
||||
return 0;
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
/*
|
||||
* Generated by util/mkerr.pl DO NOT EDIT
|
||||
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
|
@ -39,6 +39,8 @@ static const ERR_STRING_DATA X509V3_str_functs[] = {
|
|||
"i2s_ASN1_INTEGER"},
|
||||
{ERR_PACK(ERR_LIB_X509V3, X509V3_F_I2V_AUTHORITY_INFO_ACCESS, 0),
|
||||
"i2v_AUTHORITY_INFO_ACCESS"},
|
||||
{ERR_PACK(ERR_LIB_X509V3, X509V3_F_I2V_AUTHORITY_KEYID, 0),
|
||||
"i2v_AUTHORITY_KEYID"},
|
||||
{ERR_PACK(ERR_LIB_X509V3, X509V3_F_LEVEL_ADD_NODE, 0), "level_add_node"},
|
||||
{ERR_PACK(ERR_LIB_X509V3, X509V3_F_NOTICE_SECTION, 0), "notice_section"},
|
||||
{ERR_PACK(ERR_LIB_X509V3, X509V3_F_NREF_NOS, 0), "nref_nos"},
|
||||
|
@ -104,6 +106,8 @@ static const ERR_STRING_DATA X509V3_str_functs[] = {
|
|||
{ERR_PACK(ERR_LIB_X509V3, X509V3_F_V3_GENERIC_EXTENSION, 0),
|
||||
"v3_generic_extension"},
|
||||
{ERR_PACK(ERR_LIB_X509V3, X509V3_F_X509V3_ADD1_I2D, 0), "X509V3_add1_i2d"},
|
||||
{ERR_PACK(ERR_LIB_X509V3, X509V3_F_X509V3_ADD_LEN_VALUE, 0),
|
||||
"x509v3_add_len_value"},
|
||||
{ERR_PACK(ERR_LIB_X509V3, X509V3_F_X509V3_ADD_VALUE, 0),
|
||||
"X509V3_add_value"},
|
||||
{ERR_PACK(ERR_LIB_X509V3, X509V3_F_X509V3_EXT_ADD, 0), "X509V3_EXT_add"},
|
||||
|
|
Loading…
Add table
Add a link
Reference in a new issue