Collapse the x509v3 directory into x509.

This avoids the need to grep across directories to find functions and prepares for further rototilling and chainsawing. Discussed with tb@ (who also tested the release build)
author: jsing <> 2020-06-04 15:19:32 +0000
committer: jsing <> 2020-06-04 15:19:32 +0000
commit: 9da6320d732214906f0d716131fbd8f1db6422f4 (patch)
tree: 411b4651398530f74e1d80dc3b975b56dc6c9009 /src/lib/libcrypto/x509/x509_lib.c
parent: ccbb438ec06397c1b8d88c61577810aab63bda79 (diff)
download: openbsd-9da6320d732214906f0d716131fbd8f1db6422f4.tar.gz
openbsd-9da6320d732214906f0d716131fbd8f1db6422f4.tar.bz2
openbsd-9da6320d732214906f0d716131fbd8f1db6422f4.zip
1 files changed, 358 insertions, 0 deletions
diff --git a/src/lib/libcrypto/x509/x509_lib.c b/src/lib/libcrypto/x509/x509_lib.c
new file mode 100644
index 0000000000..3af090fde6
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509_lib.c
@@ -0,0 +1,358 @@
+/* $OpenBSD: x509_lib.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+/* X509 v3 extension utilities */
+#include <stdio.h>
+#include <openssl/conf.h>
+#include <openssl/err.h>
+#include <openssl/x509v3.h>
+#include "ext_dat.h"
+static STACK_OF(X509V3_EXT_METHOD) *ext_list = NULL;
+static int ext_cmp(const X509V3_EXT_METHOD * const *a,
+    const X509V3_EXT_METHOD * const *b);
+static void ext_list_free(X509V3_EXT_METHOD *ext);
+int
+X509V3_EXT_add(X509V3_EXT_METHOD *ext)
+{
+        if (!ext_list && !(ext_list = sk_X509V3_EXT_METHOD_new(ext_cmp))) {
+                X509V3error(ERR_R_MALLOC_FAILURE);
+                return 0;
+        }
+        if (!sk_X509V3_EXT_METHOD_push(ext_list, ext)) {
+                X509V3error(ERR_R_MALLOC_FAILURE);
+                return 0;
+        }
+        return 1;
+}
+static int
+ext_cmp(const X509V3_EXT_METHOD * const *a, const X509V3_EXT_METHOD * const *b)
+{
+        return ((*a)->ext_nid - (*b)->ext_nid);
+}
+static int ext_cmp_BSEARCH_CMP_FN(const void *, const void *);
+static int ext_cmp(const X509V3_EXT_METHOD * const *, const X509V3_EXT_METHOD * const *);
+static const X509V3_EXT_METHOD * *OBJ_bsearch_ext(const X509V3_EXT_METHOD * *key, const X509V3_EXT_METHOD * const *base, int num);
+static int
+ext_cmp_BSEARCH_CMP_FN(const void *a_, const void *b_)
+{
+        const X509V3_EXT_METHOD * const *a = a_;
+        const X509V3_EXT_METHOD * const *b = b_;
+        return ext_cmp(a, b);
+}
+static const X509V3_EXT_METHOD **
+OBJ_bsearch_ext(const X509V3_EXT_METHOD **key,
+    const X509V3_EXT_METHOD *const *base, int num)
+{
+        return (const X509V3_EXT_METHOD **)OBJ_bsearch_(key, base, num,
+            sizeof(const X509V3_EXT_METHOD *), ext_cmp_BSEARCH_CMP_FN);
+}
+const X509V3_EXT_METHOD *
+X509V3_EXT_get_nid(int nid)
+{
+        X509V3_EXT_METHOD tmp;
+        const X509V3_EXT_METHOD *t = &tmp, * const *ret;
+        int idx;
+        if (nid < 0)
+                return NULL;
+        tmp.ext_nid = nid;
+        ret = OBJ_bsearch_ext(&t, standard_exts, STANDARD_EXTENSION_COUNT);
+        if (ret)
+                return *ret;
+        if (!ext_list)
+                return NULL;
+        idx = sk_X509V3_EXT_METHOD_find(ext_list, &tmp);
+        if (idx == -1)
+                return NULL;
+        return sk_X509V3_EXT_METHOD_value(ext_list, idx);
+}
+const X509V3_EXT_METHOD *
+X509V3_EXT_get(X509_EXTENSION *ext)
+{
+        int nid;
+        if ((nid = OBJ_obj2nid(ext->object)) == NID_undef)
+                return NULL;
+        return X509V3_EXT_get_nid(nid);
+}
+int
+X509V3_EXT_add_list(X509V3_EXT_METHOD *extlist)
+{
+        for (; extlist->ext_nid!=-1; extlist++)
+                if (!X509V3_EXT_add(extlist))
+                        return 0;
+        return 1;
+}
+int
+X509V3_EXT_add_alias(int nid_to, int nid_from)
+{
+        const X509V3_EXT_METHOD *ext;
+        X509V3_EXT_METHOD *tmpext;
+        if (!(ext = X509V3_EXT_get_nid(nid_from))) {
+                X509V3error(X509V3_R_EXTENSION_NOT_FOUND);
+                return 0;
+        }
+        if (!(tmpext = malloc(sizeof(X509V3_EXT_METHOD)))) {
+                X509V3error(ERR_R_MALLOC_FAILURE);
+                return 0;
+        }
+        *tmpext = *ext;
+        tmpext->ext_nid = nid_to;
+        tmpext->ext_flags |= X509V3_EXT_DYNAMIC;
+        return X509V3_EXT_add(tmpext);
+}
+void
+X509V3_EXT_cleanup(void)
+{
+        sk_X509V3_EXT_METHOD_pop_free(ext_list, ext_list_free);
+        ext_list = NULL;
+}
+static void
+ext_list_free(X509V3_EXT_METHOD *ext)
+{
+        if (ext->ext_flags & X509V3_EXT_DYNAMIC)
+                free(ext);
+}
+/* Legacy function: we don't need to add standard extensions
+ * any more because they are now kept in ext_dat.h.
+ */
+int
+X509V3_add_standard_extensions(void)
+{
+        return 1;
+}
+/* Return an extension internal structure */
+void *
+X509V3_EXT_d2i(X509_EXTENSION *ext)
+{
+        const X509V3_EXT_METHOD *method;
+        const unsigned char *p;
+        if (!(method = X509V3_EXT_get(ext)))
+                return NULL;
+        p = ext->value->data;
+        if (method->it)
+                return ASN1_item_d2i(NULL, &p, ext->value->length,
+                    method->it);
+        return method->d2i(NULL, &p, ext->value->length);
+}
+/* Get critical flag and decoded version of extension from a NID.
+ * The "idx" variable returns the last found extension and can
+ * be used to retrieve multiple extensions of the same NID.
+ * However multiple extensions with the same NID is usually
+ * due to a badly encoded certificate so if idx is NULL we
+ * choke if multiple extensions exist.
+ * The "crit" variable is set to the critical value.
+ * The return value is the decoded extension or NULL on
+ * error. The actual error can have several different causes,
+ * the value of *crit reflects the cause:
+ * >= 0, extension found but not decoded (reflects critical value).
+ * -1 extension not found.
+ * -2 extension occurs more than once.
+ */
+void *
+X509V3_get_d2i(const STACK_OF(X509_EXTENSION) *x, int nid, int *crit, int *idx)
+{
+        int lastpos, i;
+        X509_EXTENSION *ex, *found_ex = NULL;
+        if (!x) {
+                if (idx)
+                        *idx = -1;
+                if (crit)
+                        *crit = -1;
+                return NULL;
+        }
+        if (idx)
+                lastpos = *idx + 1;
+        else
+                lastpos = 0;
+        if (lastpos < 0)
+                lastpos = 0;
+        for (i = lastpos; i < sk_X509_EXTENSION_num(x); i++) {
+                ex = sk_X509_EXTENSION_value(x, i);
+                if (OBJ_obj2nid(ex->object) == nid) {
+                        if (idx) {
+                                *idx = i;
+                                found_ex = ex;
+                                break;
+                        } else if (found_ex) {
+                                /* Found more than one */
+                                if (crit)
+                                        *crit = -2;
+                                return NULL;
+                        }
+                        found_ex = ex;
+                }
+        }
+        if (found_ex) {
+                /* Found it */
+                if (crit)
+                        *crit = X509_EXTENSION_get_critical(found_ex);
+                return X509V3_EXT_d2i(found_ex);
+        }
+        /* Extension not found */
+        if (idx)
+                *idx = -1;
+        if (crit)
+                *crit = -1;
+        return NULL;
+}
+/* This function is a general extension append, replace and delete utility.
+ * The precise operation is governed by the 'flags' value. The 'crit' and
+ * 'value' arguments (if relevant) are the extensions internal structure.
+ */
+int
+X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value,
+    int crit, unsigned long flags)
+{
+        int extidx = -1;
+        int errcode;
+        X509_EXTENSION *ext, *extmp;
+        unsigned long ext_op = flags & X509V3_ADD_OP_MASK;
+        /* If appending we don't care if it exists, otherwise
+         * look for existing extension.
+         */
+        if (ext_op != X509V3_ADD_APPEND)
+                extidx = X509v3_get_ext_by_NID(*x, nid, -1);
+        /* See if extension exists */
+        if (extidx >= 0) {
+                /* If keep existing, nothing to do */
+                if (ext_op == X509V3_ADD_KEEP_EXISTING)
+                        return 1;
+                /* If default then its an error */
+                if (ext_op == X509V3_ADD_DEFAULT) {
+                        errcode = X509V3_R_EXTENSION_EXISTS;
+                        goto err;
+                }
+                /* If delete, just delete it */
+                if (ext_op == X509V3_ADD_DELETE) {
+                        if (!sk_X509_EXTENSION_delete(*x, extidx))
+                                return -1;
+                        return 1;
+                }
+        } else {
+                /* If replace existing or delete, error since
+                 * extension must exist
+                 */
+                if ((ext_op == X509V3_ADD_REPLACE_EXISTING) ||
+                    (ext_op == X509V3_ADD_DELETE)) {
+                        errcode = X509V3_R_EXTENSION_NOT_FOUND;
+                        goto err;
+                }
+        }
+        /* If we get this far then we have to create an extension:
+         * could have some flags for alternative encoding schemes...
+         */
+        ext = X509V3_EXT_i2d(nid, crit, value);
+        if (!ext) {
+                X509V3error(X509V3_R_ERROR_CREATING_EXTENSION);
+                return 0;
+        }
+        /* If extension exists replace it.. */
+        if (extidx >= 0) {
+                extmp = sk_X509_EXTENSION_value(*x, extidx);
+                X509_EXTENSION_free(extmp);
+                if (!sk_X509_EXTENSION_set(*x, extidx, ext))
+                        return -1;
+                return 1;
+        }
+        if (!*x && !(*x = sk_X509_EXTENSION_new_null()))
+                return -1;
+        if (!sk_X509_EXTENSION_push(*x, ext))
+                return -1;
+        return 1;
+err:
+        if (!(flags & X509V3_ADD_SILENT))
+                X509V3error(errcode);
+        return 0;
+}
author	jsing <>	2020-06-04 15:19:32 +0000
committer	jsing <>	2020-06-04 15:19:32 +0000
commit	9da6320d732214906f0d716131fbd8f1db6422f4 (patch)
tree	411b4651398530f74e1d80dc3b975b56dc6c9009 /src/lib/libcrypto/x509/x509_lib.c
parent	ccbb438ec06397c1b8d88c61577810aab63bda79 (diff)
download	openbsd-9da6320d732214906f0d716131fbd8f1db6422f4.tar.gz openbsd-9da6320d732214906f0d716131fbd8f1db6422f4.tar.bz2 openbsd-9da6320d732214906f0d716131fbd8f1db6422f4.zip

diff --git a/src/lib/libcrypto/x509/x509_lib.c b/src/lib/libcrypto/x509/x509_lib.c new file mode 100644 index 0000000000..3af090fde6 --- /dev/null +++ b/src/lib/libcrypto/x509/x509_lib.c
@@ -0,0 +1,358 @@
	1	/* $OpenBSD: x509_lib.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
	2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
	3	* project 1999.
	4	*/
	5	/* ====================================================================
	6	* Copyright (c) 1999 The OpenSSL Project. All rights reserved.
	7	*
	8	* Redistribution and use in source and binary forms, with or without
	9	* modification, are permitted provided that the following conditions
	10	* are met:
	11	*
	12	* 1. Redistributions of source code must retain the above copyright
	13	* notice, this list of conditions and the following disclaimer.
	14	*
	15	* 2. Redistributions in binary form must reproduce the above copyright
	16	* notice, this list of conditions and the following disclaimer in
	17	* the documentation and/or other materials provided with the
	18	* distribution.
	19	*
	20	* 3. All advertising materials mentioning features or use of this
	21	* software must display the following acknowledgment:
	22	* "This product includes software developed by the OpenSSL Project
	23	* for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
	24	*
	25	* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
	26	* endorse or promote products derived from this software without
	27	* prior written permission. For written permission, please contact
	28	* licensing@OpenSSL.org.
	29	*
	30	* 5. Products derived from this software may not be called "OpenSSL"
	31	* nor may "OpenSSL" appear in their names without prior written
	32	* permission of the OpenSSL Project.
	33	*
	34	* 6. Redistributions of any form whatsoever must retain the following
	35	* acknowledgment:
	36	* "This product includes software developed by the OpenSSL Project
	37	* for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
	38	*
	39	* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
	40	* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	41	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
	42	* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
	43	* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
	44	* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
	45	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
	46	* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	47	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
	48	* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
	49	* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
	50	* OF THE POSSIBILITY OF SUCH DAMAGE.
	51	* ====================================================================
	52	*
	53	* This product includes cryptographic software written by Eric Young
	54	* (eay@cryptsoft.com). This product includes software written by Tim
	55	* Hudson (tjh@cryptsoft.com).
	56	*
	57	*/
	58	/* X509 v3 extension utilities */
	59
	60	#include <stdio.h>
	61
	62	#include <openssl/conf.h>
	63	#include <openssl/err.h>
	64	#include <openssl/x509v3.h>
	65
	66	#include "ext_dat.h"
	67
	68	static STACK_OF(X509V3_EXT_METHOD) *ext_list = NULL;
	69
	70	static int ext_cmp(const X509V3_EXT_METHOD * const *a,
	71	const X509V3_EXT_METHOD * const *b);
	72	static void ext_list_free(X509V3_EXT_METHOD *ext);
	73
	74	int
	75	X509V3_EXT_add(X509V3_EXT_METHOD *ext)
	76	{
	77	if (!ext_list && !(ext_list = sk_X509V3_EXT_METHOD_new(ext_cmp))) {
	78	X509V3error(ERR_R_MALLOC_FAILURE);
	79	return 0;
	80	}
	81	if (!sk_X509V3_EXT_METHOD_push(ext_list, ext)) {
	82	X509V3error(ERR_R_MALLOC_FAILURE);
	83	return 0;
	84	}
	85	return 1;
	86	}
	87
	88	static int
	89	ext_cmp(const X509V3_EXT_METHOD * const a, const X509V3_EXT_METHOD const *b)
	90	{
	91	return ((a)->ext_nid - (b)->ext_nid);
	92	}
	93
	94	static int ext_cmp_BSEARCH_CMP_FN(const void , const void );
	95	static int ext_cmp(const X509V3_EXT_METHOD * const , const X509V3_EXT_METHOD const *);
	96	static const X509V3_EXT_METHOD * OBJ_bsearch_ext(const X509V3_EXT_METHOD key, const X509V3_EXT_METHOD const *base, int num);
	97
	98	static int
	99	ext_cmp_BSEARCH_CMP_FN(const void a_, const void b_)
	100	{
	101	const X509V3_EXT_METHOD * const *a = a_;
	102	const X509V3_EXT_METHOD * const *b = b_;
	103	return ext_cmp(a, b);
	104	}
	105
	106	static const X509V3_EXT_METHOD **
	107	OBJ_bsearch_ext(const X509V3_EXT_METHOD **key,
	108	const X509V3_EXT_METHOD const base, int num)
	109	{
	110	return (const X509V3_EXT_METHOD **)OBJ_bsearch_(key, base, num,
	111	sizeof(const X509V3_EXT_METHOD *), ext_cmp_BSEARCH_CMP_FN);
	112	}
	113
	114	const X509V3_EXT_METHOD *
	115	X509V3_EXT_get_nid(int nid)
	116	{
	117	X509V3_EXT_METHOD tmp;
	118	const X509V3_EXT_METHOD t = &tmp, const *ret;
	119	int idx;
	120
	121	if (nid < 0)
	122	return NULL;
	123	tmp.ext_nid = nid;
	124	ret = OBJ_bsearch_ext(&t, standard_exts, STANDARD_EXTENSION_COUNT);
	125	if (ret)
	126	return *ret;
	127	if (!ext_list)
	128	return NULL;
	129	idx = sk_X509V3_EXT_METHOD_find(ext_list, &tmp);
	130	if (idx == -1)
	131	return NULL;
	132	return sk_X509V3_EXT_METHOD_value(ext_list, idx);
	133	}
	134
	135	const X509V3_EXT_METHOD *
	136	X509V3_EXT_get(X509_EXTENSION *ext)
	137	{
	138	int nid;
	139
	140	if ((nid = OBJ_obj2nid(ext->object)) == NID_undef)
	141	return NULL;
	142	return X509V3_EXT_get_nid(nid);
	143	}
	144
	145	int
	146	X509V3_EXT_add_list(X509V3_EXT_METHOD *extlist)
	147	{
	148	for (; extlist->ext_nid!=-1; extlist++)
	149	if (!X509V3_EXT_add(extlist))
	150	return 0;
	151	return 1;
	152	}
	153
	154	int
	155	X509V3_EXT_add_alias(int nid_to, int nid_from)
	156	{
	157	const X509V3_EXT_METHOD *ext;
	158	X509V3_EXT_METHOD *tmpext;
	159
	160	if (!(ext = X509V3_EXT_get_nid(nid_from))) {
	161	X509V3error(X509V3_R_EXTENSION_NOT_FOUND);
	162	return 0;
	163	}
	164	if (!(tmpext = malloc(sizeof(X509V3_EXT_METHOD)))) {
	165	X509V3error(ERR_R_MALLOC_FAILURE);
	166	return 0;
	167	}
	168	tmpext = ext;
	169	tmpext->ext_nid = nid_to;
	170	tmpext->ext_flags \|= X509V3_EXT_DYNAMIC;
	171	return X509V3_EXT_add(tmpext);
	172	}
	173
	174	void
	175	X509V3_EXT_cleanup(void)
	176	{
	177	sk_X509V3_EXT_METHOD_pop_free(ext_list, ext_list_free);
	178	ext_list = NULL;
	179	}
	180
	181	static void
	182	ext_list_free(X509V3_EXT_METHOD *ext)
	183	{
	184	if (ext->ext_flags & X509V3_EXT_DYNAMIC)
	185	free(ext);
	186	}
	187
	188	/* Legacy function: we don't need to add standard extensions
	189	* any more because they are now kept in ext_dat.h.
	190	*/
	191
	192	int
	193	X509V3_add_standard_extensions(void)
	194	{
	195	return 1;
	196	}
	197
	198	/* Return an extension internal structure */
	199
	200	void *
	201	X509V3_EXT_d2i(X509_EXTENSION *ext)
	202	{
	203	const X509V3_EXT_METHOD *method;
	204	const unsigned char *p;
	205
	206	if (!(method = X509V3_EXT_get(ext)))
	207	return NULL;
	208	p = ext->value->data;
	209	if (method->it)
	210	return ASN1_item_d2i(NULL, &p, ext->value->length,
	211	method->it);
	212	return method->d2i(NULL, &p, ext->value->length);
	213	}
	214
	215	/* Get critical flag and decoded version of extension from a NID.
	216	* The "idx" variable returns the last found extension and can
	217	* be used to retrieve multiple extensions of the same NID.
	218	* However multiple extensions with the same NID is usually
	219	* due to a badly encoded certificate so if idx is NULL we
	220	* choke if multiple extensions exist.
	221	* The "crit" variable is set to the critical value.
	222	* The return value is the decoded extension or NULL on
	223	* error. The actual error can have several different causes,
	224	* the value of *crit reflects the cause:
	225	* >= 0, extension found but not decoded (reflects critical value).
	226	* -1 extension not found.
	227	* -2 extension occurs more than once.
	228	*/
	229
	230	void *
	231	X509V3_get_d2i(const STACK_OF(X509_EXTENSION) x, int nid, int crit, int *idx)
	232	{
	233	int lastpos, i;
	234	X509_EXTENSION ex, found_ex = NULL;
	235
	236	if (!x) {
	237	if (idx)
	238	*idx = -1;
	239	if (crit)
	240	*crit = -1;
	241	return NULL;
	242	}
	243	if (idx)
	244	lastpos = *idx + 1;
	245	else
	246	lastpos = 0;
	247	if (lastpos < 0)
	248	lastpos = 0;
	249	for (i = lastpos; i < sk_X509_EXTENSION_num(x); i++) {
	250	ex = sk_X509_EXTENSION_value(x, i);
	251	if (OBJ_obj2nid(ex->object) == nid) {
	252	if (idx) {
	253	*idx = i;
	254	found_ex = ex;
	255	break;
	256	} else if (found_ex) {
	257	/* Found more than one */
	258	if (crit)
	259	*crit = -2;
	260	return NULL;
	261	}
	262	found_ex = ex;
	263	}
	264	}
	265	if (found_ex) {
	266	/* Found it */
	267	if (crit)
	268	*crit = X509_EXTENSION_get_critical(found_ex);
	269	return X509V3_EXT_d2i(found_ex);
	270	}
	271
	272	/* Extension not found */
	273	if (idx)
	274	*idx = -1;
	275	if (crit)
	276	*crit = -1;
	277	return NULL;
	278	}
	279
	280	/* This function is a general extension append, replace and delete utility.
	281	* The precise operation is governed by the 'flags' value. The 'crit' and
	282	* 'value' arguments (if relevant) are the extensions internal structure.
	283	*/
	284
	285	int
	286	X509V3_add1_i2d(STACK_OF(X509_EXTENSION) *x, int nid, void value,
	287	int crit, unsigned long flags)
	288	{
	289	int extidx = -1;
	290	int errcode;
	291	X509_EXTENSION ext, extmp;
	292	unsigned long ext_op = flags & X509V3_ADD_OP_MASK;
	293
	294	/* If appending we don't care if it exists, otherwise
	295	* look for existing extension.
	296	*/
	297	if (ext_op != X509V3_ADD_APPEND)
	298	extidx = X509v3_get_ext_by_NID(*x, nid, -1);
	299
	300	/* See if extension exists */
	301	if (extidx >= 0) {
	302	/* If keep existing, nothing to do */
	303	if (ext_op == X509V3_ADD_KEEP_EXISTING)
	304	return 1;
	305	/* If default then its an error */
	306	if (ext_op == X509V3_ADD_DEFAULT) {
	307	errcode = X509V3_R_EXTENSION_EXISTS;
	308	goto err;
	309	}
	310	/* If delete, just delete it */
	311	if (ext_op == X509V3_ADD_DELETE) {
	312	if (!sk_X509_EXTENSION_delete(*x, extidx))
	313	return -1;
	314	return 1;
	315	}
	316	} else {
	317	/* If replace existing or delete, error since
	318	* extension must exist
	319	*/
	320	if ((ext_op == X509V3_ADD_REPLACE_EXISTING) \|\|
	321	(ext_op == X509V3_ADD_DELETE)) {
	322	errcode = X509V3_R_EXTENSION_NOT_FOUND;
	323	goto err;
	324	}
	325	}
	326
	327	/* If we get this far then we have to create an extension:
	328	* could have some flags for alternative encoding schemes...
	329	*/
	330
	331	ext = X509V3_EXT_i2d(nid, crit, value);
	332
	333	if (!ext) {
	334	X509V3error(X509V3_R_ERROR_CREATING_EXTENSION);
	335	return 0;
	336	}
	337
	338	/* If extension exists replace it.. */
	339	if (extidx >= 0) {
	340	extmp = sk_X509_EXTENSION_value(*x, extidx);
	341	X509_EXTENSION_free(extmp);
	342	if (!sk_X509_EXTENSION_set(*x, extidx, ext))
	343	return -1;
	344	return 1;
	345	}
	346
	347	if (!x && !(x = sk_X509_EXTENSION_new_null()))
	348	return -1;
	349	if (!sk_X509_EXTENSION_push(*x, ext))
	350	return -1;
	351
	352	return 1;
	353
	354	err:
	355	if (!(flags & X509V3_ADD_SILENT))
	356	X509V3error(errcode);
	357	return 0;
	358	}