summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/x509v3
diff options
context:
space:
mode:
authorcvs2svn <admin@example.com>2016-07-23 19:31:36 +0000
committercvs2svn <admin@example.com>2016-07-23 19:31:36 +0000
commit86c49b31af735796dfde37aa29473a30d36367db (patch)
treee9a354a92a348338fe2b361e2eda703cae23cfab /src/lib/libcrypto/x509v3
parent19d5fe348e8926bac4521c5807aa64c45b8f7a41 (diff)
downloadopenbsd-OPENBSD_6_0_BASE.tar.gz
openbsd-OPENBSD_6_0_BASE.tar.bz2
openbsd-OPENBSD_6_0_BASE.zip
This commit was manufactured by cvs2git to create tag 'OPENBSD_6_0_BASE'.OPENBSD_6_0_BASE
Diffstat (limited to 'src/lib/libcrypto/x509v3')
-rw-r--r--src/lib/libcrypto/x509v3/ext_dat.h129
-rw-r--r--src/lib/libcrypto/x509v3/pcy_cache.c271
-rw-r--r--src/lib/libcrypto/x509v3/pcy_data.c129
-rw-r--r--src/lib/libcrypto/x509v3/pcy_int.h206
-rw-r--r--src/lib/libcrypto/x509v3/pcy_lib.c157
-rw-r--r--src/lib/libcrypto/x509v3/pcy_map.c126
-rw-r--r--src/lib/libcrypto/x509v3/pcy_node.c199
-rw-r--r--src/lib/libcrypto/x509v3/pcy_tree.c768
-rw-r--r--src/lib/libcrypto/x509v3/v3_akey.c215
-rw-r--r--src/lib/libcrypto/x509v3/v3_akeya.c124
-rw-r--r--src/lib/libcrypto/x509v3/v3_alt.c671
-rw-r--r--src/lib/libcrypto/x509v3/v3_bcons.c185
-rw-r--r--src/lib/libcrypto/x509v3/v3_bitst.c175
-rw-r--r--src/lib/libcrypto/x509v3/v3_conf.c576
-rw-r--r--src/lib/libcrypto/x509v3/v3_cpols.c775
-rw-r--r--src/lib/libcrypto/x509v3/v3_crld.c816
-rw-r--r--src/lib/libcrypto/x509v3/v3_enum.c107
-rw-r--r--src/lib/libcrypto/x509v3/v3_extku.c205
-rw-r--r--src/lib/libcrypto/x509v3/v3_genn.c474
-rw-r--r--src/lib/libcrypto/x509v3/v3_ia5.c239
-rw-r--r--src/lib/libcrypto/x509v3/v3_info.c307
-rw-r--r--src/lib/libcrypto/x509v3/v3_int.c110
-rw-r--r--src/lib/libcrypto/x509v3/v3_lib.c345
-rw-r--r--src/lib/libcrypto/x509v3/v3_ncons.c560
-rw-r--r--src/lib/libcrypto/x509v3/v3_ocsp.c380
-rw-r--r--src/lib/libcrypto/x509v3/v3_pci.c332
-rw-r--r--src/lib/libcrypto/x509v3/v3_pcia.c145
-rw-r--r--src/lib/libcrypto/x509v3/v3_pcons.c183
-rw-r--r--src/lib/libcrypto/x509v3/v3_pku.c166
-rw-r--r--src/lib/libcrypto/x509v3/v3_pmaps.c218
-rw-r--r--src/lib/libcrypto/x509v3/v3_prn.c225
-rw-r--r--src/lib/libcrypto/x509v3/v3_purp.c861
-rw-r--r--src/lib/libcrypto/x509v3/v3_skey.c160
-rw-r--r--src/lib/libcrypto/x509v3/v3_sxnet.c386
-rw-r--r--src/lib/libcrypto/x509v3/v3_utl.c925
-rw-r--r--src/lib/libcrypto/x509v3/v3err.c226
-rw-r--r--src/lib/libcrypto/x509v3/x509v3.h862
37 files changed, 0 insertions, 12938 deletions
diff --git a/src/lib/libcrypto/x509v3/ext_dat.h b/src/lib/libcrypto/x509v3/ext_dat.h
deleted file mode 100644
index f8bf7916b3..0000000000
--- a/src/lib/libcrypto/x509v3/ext_dat.h
+++ /dev/null
@@ -1,129 +0,0 @@
1/* $OpenBSD: ext_dat.h,v 1.12 2015/02/10 13:28:17 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <openssl/opensslconf.h>
60
61/* This file contains a table of "standard" extensions */
62
63extern X509V3_EXT_METHOD v3_bcons, v3_nscert, v3_key_usage, v3_ext_ku;
64extern X509V3_EXT_METHOD v3_pkey_usage_period, v3_sxnet, v3_info, v3_sinfo;
65extern X509V3_EXT_METHOD v3_ns_ia5_list[], v3_alt[], v3_skey_id, v3_akey_id;
66extern X509V3_EXT_METHOD v3_crl_num, v3_crl_reason, v3_crl_invdate;
67extern X509V3_EXT_METHOD v3_delta_crl, v3_cpols, v3_crld, v3_freshest_crl;
68extern X509V3_EXT_METHOD v3_ocsp_nonce, v3_ocsp_accresp, v3_ocsp_acutoff;
69extern X509V3_EXT_METHOD v3_ocsp_crlid, v3_ocsp_nocheck, v3_ocsp_serviceloc;
70extern X509V3_EXT_METHOD v3_crl_hold, v3_pci;
71extern X509V3_EXT_METHOD v3_policy_mappings, v3_policy_constraints;
72extern X509V3_EXT_METHOD v3_name_constraints, v3_inhibit_anyp, v3_idp;
73extern X509V3_EXT_METHOD v3_addr, v3_asid;
74
75/* This table will be searched using OBJ_bsearch so it *must* kept in
76 * order of the ext_nid values.
77 */
78
79static const X509V3_EXT_METHOD *standard_exts[] = {
80 &v3_nscert,
81 &v3_ns_ia5_list[0],
82 &v3_ns_ia5_list[1],
83 &v3_ns_ia5_list[2],
84 &v3_ns_ia5_list[3],
85 &v3_ns_ia5_list[4],
86 &v3_ns_ia5_list[5],
87 &v3_ns_ia5_list[6],
88 &v3_skey_id,
89 &v3_key_usage,
90 &v3_pkey_usage_period,
91 &v3_alt[0],
92 &v3_alt[1],
93 &v3_bcons,
94 &v3_crl_num,
95 &v3_cpols,
96 &v3_akey_id,
97 &v3_crld,
98 &v3_ext_ku,
99 &v3_delta_crl,
100 &v3_crl_reason,
101#ifndef OPENSSL_NO_OCSP
102 &v3_crl_invdate,
103#endif
104 &v3_sxnet,
105 &v3_info,
106#ifndef OPENSSL_NO_OCSP
107 &v3_ocsp_nonce,
108 &v3_ocsp_crlid,
109 &v3_ocsp_accresp,
110 &v3_ocsp_nocheck,
111 &v3_ocsp_acutoff,
112 &v3_ocsp_serviceloc,
113#endif
114 &v3_sinfo,
115 &v3_policy_constraints,
116#ifndef OPENSSL_NO_OCSP
117 &v3_crl_hold,
118#endif
119 &v3_pci,
120 &v3_name_constraints,
121 &v3_policy_mappings,
122 &v3_inhibit_anyp,
123 &v3_idp,
124 &v3_alt[2],
125 &v3_freshest_crl,
126};
127
128/* Number of standard extensions */
129#define STANDARD_EXTENSION_COUNT (sizeof(standard_exts)/sizeof(X509V3_EXT_METHOD *))
diff --git a/src/lib/libcrypto/x509v3/pcy_cache.c b/src/lib/libcrypto/x509v3/pcy_cache.c
deleted file mode 100644
index 9c8ba8298b..0000000000
--- a/src/lib/libcrypto/x509v3/pcy_cache.c
+++ /dev/null
@@ -1,271 +0,0 @@
1/* $OpenBSD: pcy_cache.c,v 1.5 2014/07/11 08:44:49 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2004.
4 */
5/* ====================================================================
6 * Copyright (c) 2004 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <openssl/x509.h>
60#include <openssl/x509v3.h>
61
62#include "pcy_int.h"
63
64static int policy_data_cmp(const X509_POLICY_DATA * const *a,
65 const X509_POLICY_DATA * const *b);
66static int policy_cache_set_int(long *out, ASN1_INTEGER *value);
67
68/* Set cache entry according to CertificatePolicies extension.
69 * Note: this destroys the passed CERTIFICATEPOLICIES structure.
70 */
71
72static int
73policy_cache_create(X509 *x, CERTIFICATEPOLICIES *policies, int crit)
74{
75 int i;
76 int ret = 0;
77 X509_POLICY_CACHE *cache = x->policy_cache;
78 X509_POLICY_DATA *data = NULL;
79 POLICYINFO *policy;
80
81 if (sk_POLICYINFO_num(policies) == 0)
82 goto bad_policy;
83 cache->data = sk_X509_POLICY_DATA_new(policy_data_cmp);
84 if (!cache->data)
85 goto bad_policy;
86 for (i = 0; i < sk_POLICYINFO_num(policies); i++) {
87 policy = sk_POLICYINFO_value(policies, i);
88 data = policy_data_new(policy, NULL, crit);
89 if (!data)
90 goto bad_policy;
91 /* Duplicate policy OIDs are illegal: reject if matches
92 * found.
93 */
94 if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) {
95 if (cache->anyPolicy) {
96 ret = -1;
97 goto bad_policy;
98 }
99 cache->anyPolicy = data;
100 } else if (sk_X509_POLICY_DATA_find(cache->data, data) != -1) {
101 ret = -1;
102 goto bad_policy;
103 } else if (!sk_X509_POLICY_DATA_push(cache->data, data))
104 goto bad_policy;
105 data = NULL;
106 }
107 ret = 1;
108
109bad_policy:
110 if (ret == -1)
111 x->ex_flags |= EXFLAG_INVALID_POLICY;
112 if (data)
113 policy_data_free(data);
114 sk_POLICYINFO_pop_free(policies, POLICYINFO_free);
115 if (ret <= 0) {
116 sk_X509_POLICY_DATA_pop_free(cache->data, policy_data_free);
117 cache->data = NULL;
118 }
119 return ret;
120}
121
122static int
123policy_cache_new(X509 *x)
124{
125 X509_POLICY_CACHE *cache;
126 ASN1_INTEGER *ext_any = NULL;
127 POLICY_CONSTRAINTS *ext_pcons = NULL;
128 CERTIFICATEPOLICIES *ext_cpols = NULL;
129 POLICY_MAPPINGS *ext_pmaps = NULL;
130 int i;
131
132 cache = malloc(sizeof(X509_POLICY_CACHE));
133 if (!cache)
134 return 0;
135 cache->anyPolicy = NULL;
136 cache->data = NULL;
137 cache->any_skip = -1;
138 cache->explicit_skip = -1;
139 cache->map_skip = -1;
140
141 x->policy_cache = cache;
142
143 /* Handle requireExplicitPolicy *first*. Need to process this
144 * even if we don't have any policies.
145 */
146 ext_pcons = X509_get_ext_d2i(x, NID_policy_constraints, &i, NULL);
147
148 if (!ext_pcons) {
149 if (i != -1)
150 goto bad_cache;
151 } else {
152 if (!ext_pcons->requireExplicitPolicy &&
153 !ext_pcons->inhibitPolicyMapping)
154 goto bad_cache;
155 if (!policy_cache_set_int(&cache->explicit_skip,
156 ext_pcons->requireExplicitPolicy))
157 goto bad_cache;
158 if (!policy_cache_set_int(&cache->map_skip,
159 ext_pcons->inhibitPolicyMapping))
160 goto bad_cache;
161 }
162
163 /* Process CertificatePolicies */
164
165 ext_cpols = X509_get_ext_d2i(x, NID_certificate_policies, &i, NULL);
166 /* If no CertificatePolicies extension or problem decoding then
167 * there is no point continuing because the valid policies will be
168 * NULL.
169 */
170 if (!ext_cpols) {
171 /* If not absent some problem with extension */
172 if (i != -1)
173 goto bad_cache;
174 return 1;
175 }
176
177 i = policy_cache_create(x, ext_cpols, i);
178
179 /* NB: ext_cpols freed by policy_cache_set_policies */
180
181 if (i <= 0)
182 return i;
183
184 ext_pmaps = X509_get_ext_d2i(x, NID_policy_mappings, &i, NULL);
185
186 if (!ext_pmaps) {
187 /* If not absent some problem with extension */
188 if (i != -1)
189 goto bad_cache;
190 } else {
191 i = policy_cache_set_mapping(x, ext_pmaps);
192 if (i <= 0)
193 goto bad_cache;
194 }
195
196 ext_any = X509_get_ext_d2i(x, NID_inhibit_any_policy, &i, NULL);
197
198 if (!ext_any) {
199 if (i != -1)
200 goto bad_cache;
201 } else if (!policy_cache_set_int(&cache->any_skip, ext_any))
202 goto bad_cache;
203
204 if (0) {
205bad_cache:
206 x->ex_flags |= EXFLAG_INVALID_POLICY;
207 }
208
209 if (ext_pcons)
210 POLICY_CONSTRAINTS_free(ext_pcons);
211
212 if (ext_any)
213 ASN1_INTEGER_free(ext_any);
214
215 return 1;
216}
217
218void
219policy_cache_free(X509_POLICY_CACHE *cache)
220{
221 if (!cache)
222 return;
223 if (cache->anyPolicy)
224 policy_data_free(cache->anyPolicy);
225 if (cache->data)
226 sk_X509_POLICY_DATA_pop_free(cache->data, policy_data_free);
227 free(cache);
228}
229
230const X509_POLICY_CACHE *
231policy_cache_set(X509 *x)
232{
233 if (x->policy_cache == NULL) {
234 CRYPTO_w_lock(CRYPTO_LOCK_X509);
235 policy_cache_new(x);
236 CRYPTO_w_unlock(CRYPTO_LOCK_X509);
237 }
238
239 return x->policy_cache;
240}
241
242X509_POLICY_DATA *
243policy_cache_find_data(const X509_POLICY_CACHE *cache, const ASN1_OBJECT *id)
244{
245 int idx;
246 X509_POLICY_DATA tmp;
247
248 tmp.valid_policy = (ASN1_OBJECT *)id;
249 idx = sk_X509_POLICY_DATA_find(cache->data, &tmp);
250 if (idx == -1)
251 return NULL;
252 return sk_X509_POLICY_DATA_value(cache->data, idx);
253}
254
255static int
256policy_data_cmp(const X509_POLICY_DATA * const *a,
257 const X509_POLICY_DATA * const *b)
258{
259 return OBJ_cmp((*a)->valid_policy, (*b)->valid_policy);
260}
261
262static int
263policy_cache_set_int(long *out, ASN1_INTEGER *value)
264{
265 if (value == NULL)
266 return 1;
267 if (value->type == V_ASN1_NEG_INTEGER)
268 return 0;
269 *out = ASN1_INTEGER_get(value);
270 return 1;
271}
diff --git a/src/lib/libcrypto/x509v3/pcy_data.c b/src/lib/libcrypto/x509v3/pcy_data.c
deleted file mode 100644
index b3699b0280..0000000000
--- a/src/lib/libcrypto/x509v3/pcy_data.c
+++ /dev/null
@@ -1,129 +0,0 @@
1/* $OpenBSD: pcy_data.c,v 1.9 2015/07/15 16:53:42 miod Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2004.
4 */
5/* ====================================================================
6 * Copyright (c) 2004 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <openssl/x509.h>
60#include <openssl/x509v3.h>
61
62#include "pcy_int.h"
63
64/* Policy Node routines */
65
66void
67policy_data_free(X509_POLICY_DATA *data)
68{
69 ASN1_OBJECT_free(data->valid_policy);
70 /* Don't free qualifiers if shared */
71 if (!(data->flags & POLICY_DATA_FLAG_SHARED_QUALIFIERS))
72 sk_POLICYQUALINFO_pop_free(data->qualifier_set,
73 POLICYQUALINFO_free);
74 sk_ASN1_OBJECT_pop_free(data->expected_policy_set, ASN1_OBJECT_free);
75 free(data);
76}
77
78/* Create a data based on an existing policy. If 'id' is NULL use the
79 * oid in the policy, otherwise use 'id'. This behaviour covers the two
80 * types of data in RFC3280: data with from a CertificatePolcies extension
81 * and additional data with just the qualifiers of anyPolicy and ID from
82 * another source.
83 */
84
85X509_POLICY_DATA *
86policy_data_new(POLICYINFO *policy, const ASN1_OBJECT *cid, int crit)
87{
88 X509_POLICY_DATA *ret = NULL;
89 ASN1_OBJECT *id = NULL;
90
91 if (policy == NULL && cid == NULL)
92 return NULL;
93 if (cid != NULL) {
94 id = OBJ_dup(cid);
95 if (id == NULL)
96 return NULL;
97 }
98 ret = malloc(sizeof(X509_POLICY_DATA));
99 if (ret == NULL)
100 goto err;
101 ret->expected_policy_set = sk_ASN1_OBJECT_new_null();
102 if (ret->expected_policy_set == NULL)
103 goto err;
104
105 if (crit)
106 ret->flags = POLICY_DATA_FLAG_CRITICAL;
107 else
108 ret->flags = 0;
109
110 if (id != NULL)
111 ret->valid_policy = id;
112 else {
113 ret->valid_policy = policy->policyid;
114 policy->policyid = NULL;
115 }
116
117 if (policy != NULL) {
118 ret->qualifier_set = policy->qualifiers;
119 policy->qualifiers = NULL;
120 } else
121 ret->qualifier_set = NULL;
122
123 return ret;
124
125err:
126 free(ret);
127 ASN1_OBJECT_free(id);
128 return NULL;
129}
diff --git a/src/lib/libcrypto/x509v3/pcy_int.h b/src/lib/libcrypto/x509v3/pcy_int.h
deleted file mode 100644
index 50ed7cbfcf..0000000000
--- a/src/lib/libcrypto/x509v3/pcy_int.h
+++ /dev/null
@@ -1,206 +0,0 @@
1/* $OpenBSD: pcy_int.h,v 1.4 2015/07/18 00:01:05 beck Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2004.
4 */
5/* ====================================================================
6 * Copyright (c) 2004 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59
60typedef struct X509_POLICY_DATA_st X509_POLICY_DATA;
61
62DECLARE_STACK_OF(X509_POLICY_DATA)
63
64/* Internal structures */
65
66/* This structure and the field names correspond to the Policy 'node' of
67 * RFC3280. NB this structure contains no pointers to parent or child
68 * data: X509_POLICY_NODE contains that. This means that the main policy data
69 * can be kept static and cached with the certificate.
70 */
71
72struct X509_POLICY_DATA_st {
73 unsigned int flags;
74 /* Policy OID and qualifiers for this data */
75 ASN1_OBJECT *valid_policy;
76 STACK_OF(POLICYQUALINFO) *qualifier_set;
77 STACK_OF(ASN1_OBJECT) *expected_policy_set;
78};
79
80/* X509_POLICY_DATA flags values */
81
82/* This flag indicates the structure has been mapped using a policy mapping
83 * extension. If policy mapping is not active its references get deleted.
84 */
85
86#define POLICY_DATA_FLAG_MAPPED 0x1
87
88/* This flag indicates the data doesn't correspond to a policy in Certificate
89 * Policies: it has been mapped to any policy.
90 */
91
92#define POLICY_DATA_FLAG_MAPPED_ANY 0x2
93
94/* AND with flags to see if any mapping has occurred */
95
96#define POLICY_DATA_FLAG_MAP_MASK 0x3
97
98/* qualifiers are shared and shouldn't be freed */
99
100#define POLICY_DATA_FLAG_SHARED_QUALIFIERS 0x4
101
102/* Parent node is an extra node and should be freed */
103
104#define POLICY_DATA_FLAG_EXTRA_NODE 0x8
105
106/* Corresponding CertificatePolicies is critical */
107
108#define POLICY_DATA_FLAG_CRITICAL 0x10
109
110/* This structure is cached with a certificate */
111
112struct X509_POLICY_CACHE_st {
113 /* anyPolicy data or NULL if no anyPolicy */
114 X509_POLICY_DATA *anyPolicy;
115 /* other policy data */
116 STACK_OF(X509_POLICY_DATA) *data;
117 /* If InhibitAnyPolicy present this is its value or -1 if absent. */
118 long any_skip;
119 /* If policyConstraints and requireExplicitPolicy present this is its
120 * value or -1 if absent.
121 */
122 long explicit_skip;
123 /* If policyConstraints and policyMapping present this is its
124 * value or -1 if absent.
125 */
126 long map_skip;
127};
128
129/*#define POLICY_CACHE_FLAG_CRITICAL POLICY_DATA_FLAG_CRITICAL*/
130
131/* This structure represents the relationship between nodes */
132
133struct X509_POLICY_NODE_st {
134 /* node data this refers to */
135 const X509_POLICY_DATA *data;
136 /* Parent node */
137 X509_POLICY_NODE *parent;
138 /* Number of child nodes */
139 int nchild;
140};
141
142struct X509_POLICY_LEVEL_st {
143 /* Cert for this level */
144 X509 *cert;
145 /* nodes at this level */
146 STACK_OF(X509_POLICY_NODE) *nodes;
147 /* anyPolicy node */
148 X509_POLICY_NODE *anyPolicy;
149 /* Extra data */
150 /*STACK_OF(X509_POLICY_DATA) *extra_data;*/
151 unsigned int flags;
152};
153
154struct X509_POLICY_TREE_st {
155 /* This is the tree 'level' data */
156 X509_POLICY_LEVEL *levels;
157 int nlevel;
158 /* Extra policy data when additional nodes (not from the certificate)
159 * are required.
160 */
161 STACK_OF(X509_POLICY_DATA) *extra_data;
162 /* This is the authority constained policy set */
163 STACK_OF(X509_POLICY_NODE) *auth_policies;
164 STACK_OF(X509_POLICY_NODE) *user_policies;
165 unsigned int flags;
166};
167
168/* Set if anyPolicy present in user policies */
169#define POLICY_FLAG_ANY_POLICY 0x2
170
171/* Useful macros */
172
173#define node_data_critical(data) (data->flags & POLICY_DATA_FLAG_CRITICAL)
174#define node_critical(node) node_data_critical(node->data)
175
176/* Internal functions */
177
178X509_POLICY_DATA *policy_data_new(POLICYINFO *policy, const ASN1_OBJECT *id,
179 int crit);
180void policy_data_free(X509_POLICY_DATA *data);
181
182X509_POLICY_DATA *policy_cache_find_data(const X509_POLICY_CACHE *cache,
183 const ASN1_OBJECT *id);
184int policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps);
185
186
187STACK_OF(X509_POLICY_NODE) *policy_node_cmp_new(void);
188
189void policy_cache_init(void);
190
191void policy_cache_free(X509_POLICY_CACHE *cache);
192
193X509_POLICY_NODE *level_find_node(const X509_POLICY_LEVEL *level,
194 const X509_POLICY_NODE *parent, const ASN1_OBJECT *id);
195
196X509_POLICY_NODE *tree_find_sk(STACK_OF(X509_POLICY_NODE) *sk,
197 const ASN1_OBJECT *id);
198
199int level_add_node(X509_POLICY_LEVEL *level,
200 const X509_POLICY_DATA *data, X509_POLICY_NODE *parent,
201 X509_POLICY_TREE *tree, X509_POLICY_NODE **nodep);
202void policy_node_free(X509_POLICY_NODE *node);
203int policy_node_match(const X509_POLICY_LEVEL *lvl,
204 const X509_POLICY_NODE *node, const ASN1_OBJECT *oid);
205
206const X509_POLICY_CACHE *policy_cache_set(X509 *x);
diff --git a/src/lib/libcrypto/x509v3/pcy_lib.c b/src/lib/libcrypto/x509v3/pcy_lib.c
deleted file mode 100644
index 6f37064063..0000000000
--- a/src/lib/libcrypto/x509v3/pcy_lib.c
+++ /dev/null
@@ -1,157 +0,0 @@
1/* $OpenBSD: pcy_lib.c,v 1.5 2015/02/07 13:19:15 doug Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2004.
4 */
5/* ====================================================================
6 * Copyright (c) 2004 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <openssl/x509.h>
60#include <openssl/x509v3.h>
61
62#include "pcy_int.h"
63
64/* accessor functions */
65
66/* X509_POLICY_TREE stuff */
67
68int
69X509_policy_tree_level_count(const X509_POLICY_TREE *tree)
70{
71 if (!tree)
72 return 0;
73 return tree->nlevel;
74}
75
76X509_POLICY_LEVEL *
77X509_policy_tree_get0_level(const X509_POLICY_TREE *tree, int i)
78{
79 if (!tree || (i < 0) || (i >= tree->nlevel))
80 return NULL;
81 return tree->levels + i;
82}
83
84STACK_OF(X509_POLICY_NODE) *
85X509_policy_tree_get0_policies(const X509_POLICY_TREE *tree)
86{
87 if (!tree)
88 return NULL;
89 return tree->auth_policies;
90}
91
92STACK_OF(X509_POLICY_NODE) *
93X509_policy_tree_get0_user_policies(const X509_POLICY_TREE *tree)
94{
95 if (!tree)
96 return NULL;
97 if (tree->flags & POLICY_FLAG_ANY_POLICY)
98 return tree->auth_policies;
99 else
100 return tree->user_policies;
101}
102
103/* X509_POLICY_LEVEL stuff */
104
105int
106X509_policy_level_node_count(X509_POLICY_LEVEL *level)
107{
108 int n;
109 if (!level)
110 return 0;
111 if (level->anyPolicy)
112 n = 1;
113 else
114 n = 0;
115 if (level->nodes)
116 n += sk_X509_POLICY_NODE_num(level->nodes);
117 return n;
118}
119
120X509_POLICY_NODE *
121X509_policy_level_get0_node(X509_POLICY_LEVEL *level, int i)
122{
123 if (!level)
124 return NULL;
125 if (level->anyPolicy) {
126 if (i == 0)
127 return level->anyPolicy;
128 i--;
129 }
130 return sk_X509_POLICY_NODE_value(level->nodes, i);
131}
132
133/* X509_POLICY_NODE stuff */
134
135const ASN1_OBJECT *
136X509_policy_node_get0_policy(const X509_POLICY_NODE *node)
137{
138 if (!node)
139 return NULL;
140 return node->data->valid_policy;
141}
142
143STACK_OF(POLICYQUALINFO) *
144X509_policy_node_get0_qualifiers(const X509_POLICY_NODE *node)
145{
146 if (!node)
147 return NULL;
148 return node->data->qualifier_set;
149}
150
151const X509_POLICY_NODE *
152X509_policy_node_get0_parent(const X509_POLICY_NODE *node)
153{
154 if (!node)
155 return NULL;
156 return node->parent;
157}
diff --git a/src/lib/libcrypto/x509v3/pcy_map.c b/src/lib/libcrypto/x509v3/pcy_map.c
deleted file mode 100644
index 6ee1ffe895..0000000000
--- a/src/lib/libcrypto/x509v3/pcy_map.c
+++ /dev/null
@@ -1,126 +0,0 @@
1/* $OpenBSD: pcy_map.c,v 1.4 2014/07/11 08:44:49 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2004.
4 */
5/* ====================================================================
6 * Copyright (c) 2004 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <openssl/x509.h>
60#include <openssl/x509v3.h>
61
62#include "pcy_int.h"
63
64/* Set policy mapping entries in cache.
65 * Note: this modifies the passed POLICY_MAPPINGS structure
66 */
67
68int
69policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps)
70{
71 POLICY_MAPPING *map;
72 X509_POLICY_DATA *data;
73 X509_POLICY_CACHE *cache = x->policy_cache;
74 int i;
75 int ret = 0;
76
77 if (sk_POLICY_MAPPING_num(maps) == 0) {
78 ret = -1;
79 goto bad_mapping;
80 }
81 for (i = 0; i < sk_POLICY_MAPPING_num(maps); i++) {
82 map = sk_POLICY_MAPPING_value(maps, i);
83 /* Reject if map to or from anyPolicy */
84 if ((OBJ_obj2nid(map->subjectDomainPolicy) == NID_any_policy) ||
85 (OBJ_obj2nid(map->issuerDomainPolicy) == NID_any_policy)) {
86 ret = -1;
87 goto bad_mapping;
88 }
89
90 /* Attempt to find matching policy data */
91 data = policy_cache_find_data(cache, map->issuerDomainPolicy);
92 /* If we don't have anyPolicy can't map */
93 if (!data && !cache->anyPolicy)
94 continue;
95
96 /* Create a NODE from anyPolicy */
97 if (!data) {
98 data = policy_data_new(NULL, map->issuerDomainPolicy,
99 cache->anyPolicy->flags &
100 POLICY_DATA_FLAG_CRITICAL);
101 if (!data)
102 goto bad_mapping;
103 data->qualifier_set = cache->anyPolicy->qualifier_set;
104 /*map->issuerDomainPolicy = NULL;*/
105 data->flags |= POLICY_DATA_FLAG_MAPPED_ANY;
106 data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
107 if (!sk_X509_POLICY_DATA_push(cache->data, data)) {
108 policy_data_free(data);
109 goto bad_mapping;
110 }
111 } else
112 data->flags |= POLICY_DATA_FLAG_MAPPED;
113 if (!sk_ASN1_OBJECT_push(data->expected_policy_set,
114 map->subjectDomainPolicy))
115 goto bad_mapping;
116 map->subjectDomainPolicy = NULL;
117 }
118
119 ret = 1;
120
121bad_mapping:
122 if (ret == -1)
123 x->ex_flags |= EXFLAG_INVALID_POLICY;
124 sk_POLICY_MAPPING_pop_free(maps, POLICY_MAPPING_free);
125 return ret;
126}
diff --git a/src/lib/libcrypto/x509v3/pcy_node.c b/src/lib/libcrypto/x509v3/pcy_node.c
deleted file mode 100644
index ba22b267bf..0000000000
--- a/src/lib/libcrypto/x509v3/pcy_node.c
+++ /dev/null
@@ -1,199 +0,0 @@
1/* $OpenBSD: pcy_node.c,v 1.6 2015/07/18 00:01:05 beck Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2004.
4 */
5/* ====================================================================
6 * Copyright (c) 2004 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <openssl/asn1.h>
60#include <openssl/x509.h>
61#include <openssl/x509v3.h>
62
63#include "pcy_int.h"
64
65static int
66node_cmp(const X509_POLICY_NODE * const *a, const X509_POLICY_NODE * const *b)
67{
68 return OBJ_cmp((*a)->data->valid_policy, (*b)->data->valid_policy);
69}
70
71STACK_OF(X509_POLICY_NODE) *policy_node_cmp_new(void)
72{
73 return sk_X509_POLICY_NODE_new(node_cmp);
74}
75
76X509_POLICY_NODE *
77tree_find_sk(STACK_OF(X509_POLICY_NODE) *nodes, const ASN1_OBJECT *id)
78{
79 X509_POLICY_DATA n;
80 X509_POLICY_NODE l;
81 int idx;
82
83 n.valid_policy = (ASN1_OBJECT *)id;
84 l.data = &n;
85
86 idx = sk_X509_POLICY_NODE_find(nodes, &l);
87 if (idx == -1)
88 return NULL;
89
90 return sk_X509_POLICY_NODE_value(nodes, idx);
91}
92
93X509_POLICY_NODE *
94level_find_node(const X509_POLICY_LEVEL *level, const X509_POLICY_NODE *parent,
95 const ASN1_OBJECT *id)
96{
97 X509_POLICY_NODE *node;
98 int i;
99
100 for (i = 0; i < sk_X509_POLICY_NODE_num(level->nodes); i++) {
101 node = sk_X509_POLICY_NODE_value(level->nodes, i);
102 if (node->parent == parent) {
103 if (!OBJ_cmp(node->data->valid_policy, id))
104 return node;
105 }
106 }
107 return NULL;
108}
109
110
111int
112level_add_node(X509_POLICY_LEVEL *level, const X509_POLICY_DATA *data,
113 X509_POLICY_NODE *parent, X509_POLICY_TREE *tree, X509_POLICY_NODE **nodep)
114{
115 X509_POLICY_NODE *node = NULL;
116
117 if (level) {
118 node = malloc(sizeof(X509_POLICY_NODE));
119 if (!node)
120 goto node_error;
121 node->data = data;
122 node->parent = parent;
123 node->nchild = 0;
124 if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) {
125 if (level->anyPolicy)
126 goto node_error;
127 level->anyPolicy = node;
128 if (parent)
129 parent->nchild++;
130 } else {
131
132 if (!level->nodes)
133 level->nodes = policy_node_cmp_new();
134 if (!level->nodes)
135 goto node_error;
136 if (!sk_X509_POLICY_NODE_push(level->nodes, node))
137 goto node_error;
138 if (parent)
139 parent->nchild++;
140 }
141 }
142
143 if (tree) {
144 if (!tree->extra_data)
145 tree->extra_data = sk_X509_POLICY_DATA_new_null();
146 if (!tree->extra_data)
147 goto node_error_cond;
148 if (!sk_X509_POLICY_DATA_push(tree->extra_data, data))
149 goto node_error_cond;
150 }
151
152 if (nodep)
153 *nodep = node;
154
155 return 1;
156
157node_error_cond:
158 if (level)
159 node = NULL;
160node_error:
161 policy_node_free(node);
162 node = NULL;
163 if (nodep)
164 *nodep = node;
165 return 0;
166}
167
168void
169policy_node_free(X509_POLICY_NODE *node)
170{
171 free(node);
172}
173
174/* See if a policy node matches a policy OID. If mapping enabled look through
175 * expected policy set otherwise just valid policy.
176 */
177
178int
179policy_node_match(const X509_POLICY_LEVEL *lvl, const X509_POLICY_NODE *node,
180 const ASN1_OBJECT *oid)
181{
182 int i;
183 ASN1_OBJECT *policy_oid;
184 const X509_POLICY_DATA *x = node->data;
185
186 if ((lvl->flags & X509_V_FLAG_INHIBIT_MAP) ||
187 !(x->flags & POLICY_DATA_FLAG_MAP_MASK)) {
188 if (!OBJ_cmp(x->valid_policy, oid))
189 return 1;
190 return 0;
191 }
192
193 for (i = 0; i < sk_ASN1_OBJECT_num(x->expected_policy_set); i++) {
194 policy_oid = sk_ASN1_OBJECT_value(x->expected_policy_set, i);
195 if (!OBJ_cmp(policy_oid, oid))
196 return 1;
197 }
198 return 0;
199}
diff --git a/src/lib/libcrypto/x509v3/pcy_tree.c b/src/lib/libcrypto/x509v3/pcy_tree.c
deleted file mode 100644
index 7b28acbe1f..0000000000
--- a/src/lib/libcrypto/x509v3/pcy_tree.c
+++ /dev/null
@@ -1,768 +0,0 @@
1/* $OpenBSD: pcy_tree.c,v 1.16 2016/03/11 07:08:45 mmcc Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2004.
4 */
5/* ====================================================================
6 * Copyright (c) 2004 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <openssl/x509.h>
60#include <openssl/x509v3.h>
61
62#include "pcy_int.h"
63
64/* Enable this to print out the complete policy tree at various point during
65 * evaluation.
66 */
67
68/*#define OPENSSL_POLICY_DEBUG*/
69
70#ifdef OPENSSL_POLICY_DEBUG
71
72static void
73expected_print(BIO *err, X509_POLICY_LEVEL *lev, X509_POLICY_NODE *node,
74 int indent)
75{
76 if ((lev->flags & X509_V_FLAG_INHIBIT_MAP) ||
77 !(node->data->flags & POLICY_DATA_FLAG_MAP_MASK))
78 BIO_puts(err, " Not Mapped\n");
79 else {
80 int i;
81 STACK_OF(ASN1_OBJECT) *pset = node->data->expected_policy_set;
82 ASN1_OBJECT *oid;
83 BIO_puts(err, " Expected: ");
84 for (i = 0; i < sk_ASN1_OBJECT_num(pset); i++) {
85 oid = sk_ASN1_OBJECT_value(pset, i);
86 if (i)
87 BIO_puts(err, ", ");
88 i2a_ASN1_OBJECT(err, oid);
89 }
90 BIO_puts(err, "\n");
91 }
92}
93
94static void
95tree_print(char *str, X509_POLICY_TREE *tree, X509_POLICY_LEVEL *curr)
96{
97 X509_POLICY_LEVEL *plev;
98 X509_POLICY_NODE *node;
99 int i;
100 BIO *err;
101
102 err = BIO_new_fp(stderr, BIO_NOCLOSE);
103 if (!curr)
104 curr = tree->levels + tree->nlevel;
105 else
106 curr++;
107 BIO_printf(err, "Level print after %s\n", str);
108 BIO_printf(err, "Printing Up to Level %ld\n", curr - tree->levels);
109 for (plev = tree->levels; plev != curr; plev++) {
110 BIO_printf(err, "Level %ld, flags = %x\n",
111 plev - tree->levels, plev->flags);
112 for (i = 0; i < sk_X509_POLICY_NODE_num(plev->nodes); i++) {
113 node = sk_X509_POLICY_NODE_value(plev->nodes, i);
114 X509_POLICY_NODE_print(err, node, 2);
115 expected_print(err, plev, node, 2);
116 BIO_printf(err, " Flags: %x\n", node->data->flags);
117 }
118 if (plev->anyPolicy)
119 X509_POLICY_NODE_print(err, plev->anyPolicy, 2);
120 }
121
122 BIO_free(err);
123}
124#else
125
126#define tree_print(a,b,c) /* */
127
128#endif
129
130/* Initialize policy tree. Return values:
131 * 0 Some internal error occured.
132 * -1 Inconsistent or invalid extensions in certificates.
133 * 1 Tree initialized OK.
134 * 2 Policy tree is empty.
135 * 5 Tree OK and requireExplicitPolicy true.
136 * 6 Tree empty and requireExplicitPolicy true.
137 */
138
139static int
140tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, unsigned int flags)
141{
142 X509_POLICY_TREE *tree;
143 X509_POLICY_LEVEL *level;
144 const X509_POLICY_CACHE *cache;
145 X509_POLICY_DATA *data = NULL;
146 X509 *x;
147 int ret = 1;
148 int i, n;
149 int explicit_policy;
150 int any_skip;
151 int map_skip;
152
153 *ptree = NULL;
154 n = sk_X509_num(certs);
155
156 if (flags & X509_V_FLAG_EXPLICIT_POLICY)
157 explicit_policy = 0;
158 else
159 explicit_policy = n + 1;
160
161 if (flags & X509_V_FLAG_INHIBIT_ANY)
162 any_skip = 0;
163 else
164 any_skip = n + 1;
165
166 if (flags & X509_V_FLAG_INHIBIT_MAP)
167 map_skip = 0;
168 else
169 map_skip = n + 1;
170
171 /* Can't do anything with just a trust anchor */
172 if (n == 1)
173 return 1;
174 /* First setup policy cache in all certificates apart from the
175 * trust anchor. Note any bad cache results on the way. Also can
176 * calculate explicit_policy value at this point.
177 */
178 for (i = n - 2; i >= 0; i--) {
179 x = sk_X509_value(certs, i);
180 X509_check_purpose(x, -1, -1);
181 cache = policy_cache_set(x);
182 /* If cache NULL something bad happened: return immediately */
183 if (cache == NULL)
184 return 0;
185 /* If inconsistent extensions keep a note of it but continue */
186 if (x->ex_flags & EXFLAG_INVALID_POLICY)
187 ret = -1;
188 /* Otherwise if we have no data (hence no CertificatePolicies)
189 * and haven't already set an inconsistent code note it.
190 */
191 else if ((ret == 1) && !cache->data)
192 ret = 2;
193 if (explicit_policy > 0) {
194 if (!(x->ex_flags & EXFLAG_SI))
195 explicit_policy--;
196 if ((cache->explicit_skip != -1) &&
197 (cache->explicit_skip < explicit_policy))
198 explicit_policy = cache->explicit_skip;
199 }
200 }
201
202 if (ret != 1) {
203 if (ret == 2 && !explicit_policy)
204 return 6;
205 return ret;
206 }
207
208
209 /* If we get this far initialize the tree */
210
211 tree = malloc(sizeof(X509_POLICY_TREE));
212
213 if (!tree)
214 return 0;
215
216 tree->flags = 0;
217 tree->levels = calloc(n, sizeof(X509_POLICY_LEVEL));
218 tree->nlevel = 0;
219 tree->extra_data = NULL;
220 tree->auth_policies = NULL;
221 tree->user_policies = NULL;
222
223 if (!tree->levels) {
224 free(tree);
225 return 0;
226 }
227
228 tree->nlevel = n;
229
230 level = tree->levels;
231
232 /* Root data: initialize to anyPolicy */
233
234 data = policy_data_new(NULL, OBJ_nid2obj(NID_any_policy), 0);
235
236 if (!data || !level_add_node(level, data, NULL, tree, NULL))
237 goto bad_tree;
238
239 for (i = n - 2; i >= 0; i--) {
240 level++;
241 x = sk_X509_value(certs, i);
242 cache = policy_cache_set(x);
243 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
244 level->cert = x;
245
246 if (!cache->anyPolicy)
247 level->flags |= X509_V_FLAG_INHIBIT_ANY;
248
249 /* Determine inhibit any and inhibit map flags */
250 if (any_skip == 0) {
251 /* Any matching allowed if certificate is self
252 * issued and not the last in the chain.
253 */
254 if (!(x->ex_flags & EXFLAG_SI) || (i == 0))
255 level->flags |= X509_V_FLAG_INHIBIT_ANY;
256 } else {
257 if (!(x->ex_flags & EXFLAG_SI))
258 any_skip--;
259 if ((cache->any_skip >= 0) &&
260 (cache->any_skip < any_skip))
261 any_skip = cache->any_skip;
262 }
263
264 if (map_skip == 0)
265 level->flags |= X509_V_FLAG_INHIBIT_MAP;
266 else {
267 if (!(x->ex_flags & EXFLAG_SI))
268 map_skip--;
269 if ((cache->map_skip >= 0) &&
270 (cache->map_skip < map_skip))
271 map_skip = cache->map_skip;
272 }
273
274 }
275
276 *ptree = tree;
277
278 if (explicit_policy)
279 return 1;
280 else
281 return 5;
282
283bad_tree:
284 X509_policy_tree_free(tree);
285
286 return 0;
287}
288
289static int
290tree_link_matching_nodes(X509_POLICY_LEVEL *curr, const X509_POLICY_DATA *data)
291{
292 X509_POLICY_LEVEL *last = curr - 1;
293 X509_POLICY_NODE *node;
294 int i, matched = 0;
295
296 /* Iterate through all in nodes linking matches */
297 for (i = 0; i < sk_X509_POLICY_NODE_num(last->nodes); i++) {
298 node = sk_X509_POLICY_NODE_value(last->nodes, i);
299 if (policy_node_match(last, node, data->valid_policy)) {
300 if (!level_add_node(curr, data, node, NULL, NULL))
301 return 0;
302 matched = 1;
303 }
304 }
305 if (!matched && last->anyPolicy) {
306 if (!level_add_node(curr, data, last->anyPolicy, NULL, NULL))
307 return 0;
308 }
309 return 1;
310}
311
312/* This corresponds to RFC3280 6.1.3(d)(1):
313 * link any data from CertificatePolicies onto matching parent
314 * or anyPolicy if no match.
315 */
316
317static int
318tree_link_nodes(X509_POLICY_LEVEL *curr, const X509_POLICY_CACHE *cache)
319{
320 int i;
321 X509_POLICY_DATA *data;
322
323 for (i = 0; i < sk_X509_POLICY_DATA_num(cache->data); i++) {
324 data = sk_X509_POLICY_DATA_value(cache->data, i);
325 /* Look for matching nodes in previous level */
326 if (!tree_link_matching_nodes(curr, data))
327 return 0;
328 }
329 return 1;
330}
331
332/* This corresponds to RFC3280 6.1.3(d)(2):
333 * Create new data for any unmatched policies in the parent and link
334 * to anyPolicy.
335 */
336
337static int
338tree_add_unmatched(X509_POLICY_LEVEL *curr, const X509_POLICY_CACHE *cache,
339 const ASN1_OBJECT *id, X509_POLICY_NODE *node, X509_POLICY_TREE *tree)
340{
341 X509_POLICY_DATA *data;
342
343 if (id == NULL)
344 id = node->data->valid_policy;
345 /* Create a new node with qualifiers from anyPolicy and
346 * id from unmatched node.
347 */
348 data = policy_data_new(NULL, id, node_critical(node));
349
350 if (data == NULL)
351 return 0;
352 /* Curr may not have anyPolicy */
353 data->qualifier_set = cache->anyPolicy->qualifier_set;
354 data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
355 if (!level_add_node(curr, data, node, tree, NULL)) {
356 policy_data_free(data);
357 return 0;
358 }
359
360 return 1;
361}
362
363static int
364tree_link_unmatched(X509_POLICY_LEVEL *curr, const X509_POLICY_CACHE *cache,
365 X509_POLICY_NODE *node, X509_POLICY_TREE *tree)
366{
367 const X509_POLICY_LEVEL *last = curr - 1;
368 int i;
369
370 if ((last->flags & X509_V_FLAG_INHIBIT_MAP) ||
371 !(node->data->flags & POLICY_DATA_FLAG_MAPPED)) {
372 /* If no policy mapping: matched if one child present */
373 if (node->nchild)
374 return 1;
375 if (!tree_add_unmatched(curr, cache, NULL, node, tree))
376 return 0;
377 /* Add it */
378 } else {
379 /* If mapping: matched if one child per expected policy set */
380 STACK_OF(ASN1_OBJECT) *expset = node->data->expected_policy_set;
381 if (node->nchild == sk_ASN1_OBJECT_num(expset))
382 return 1;
383 /* Locate unmatched nodes */
384 for (i = 0; i < sk_ASN1_OBJECT_num(expset); i++) {
385 ASN1_OBJECT *oid = sk_ASN1_OBJECT_value(expset, i);
386 if (level_find_node(curr, node, oid))
387 continue;
388 if (!tree_add_unmatched(curr, cache, oid, node, tree))
389 return 0;
390 }
391 }
392
393 return 1;
394}
395
396static int
397tree_link_any(X509_POLICY_LEVEL *curr, const X509_POLICY_CACHE *cache,
398 X509_POLICY_TREE *tree)
399{
400 int i;
401 X509_POLICY_NODE *node;
402 X509_POLICY_LEVEL *last = curr - 1;
403
404 for (i = 0; i < sk_X509_POLICY_NODE_num(last->nodes); i++) {
405 node = sk_X509_POLICY_NODE_value(last->nodes, i);
406
407 if (!tree_link_unmatched(curr, cache, node, tree))
408 return 0;
409 }
410 /* Finally add link to anyPolicy */
411 if (last->anyPolicy) {
412 if (!level_add_node(curr, cache->anyPolicy,
413 last->anyPolicy, NULL, NULL))
414 return 0;
415 }
416 return 1;
417}
418
419/* Prune the tree: delete any child mapped child data on the current level
420 * then proceed up the tree deleting any data with no children. If we ever
421 * have no data on a level we can halt because the tree will be empty.
422 */
423
424static int
425tree_prune(X509_POLICY_TREE *tree, X509_POLICY_LEVEL *curr)
426{
427 STACK_OF(X509_POLICY_NODE) *nodes;
428 X509_POLICY_NODE *node;
429 int i;
430
431 nodes = curr->nodes;
432 if (curr->flags & X509_V_FLAG_INHIBIT_MAP) {
433 for (i = sk_X509_POLICY_NODE_num(nodes) - 1; i >= 0; i--) {
434 node = sk_X509_POLICY_NODE_value(nodes, i);
435 /* Delete any mapped data: see RFC3280 XXXX */
436 if (node->data->flags & POLICY_DATA_FLAG_MAP_MASK) {
437 node->parent->nchild--;
438 free(node);
439 (void)sk_X509_POLICY_NODE_delete(nodes, i);
440 }
441 }
442 }
443
444 for (;;) {
445 --curr;
446 nodes = curr->nodes;
447 for (i = sk_X509_POLICY_NODE_num(nodes) - 1; i >= 0; i--) {
448 node = sk_X509_POLICY_NODE_value(nodes, i);
449 if (node->nchild == 0) {
450 node->parent->nchild--;
451 free(node);
452 (void)sk_X509_POLICY_NODE_delete(nodes, i);
453 }
454 }
455 if (curr->anyPolicy && !curr->anyPolicy->nchild) {
456 if (curr->anyPolicy->parent)
457 curr->anyPolicy->parent->nchild--;
458 free(curr->anyPolicy);
459 curr->anyPolicy = NULL;
460 }
461 if (curr == tree->levels) {
462 /* If we zapped anyPolicy at top then tree is empty */
463 if (!curr->anyPolicy)
464 return 2;
465 return 1;
466 }
467 }
468
469 return 1;
470}
471
472static int
473tree_add_auth_node(STACK_OF(X509_POLICY_NODE) **pnodes, X509_POLICY_NODE *pcy)
474{
475 if (!*pnodes) {
476 *pnodes = policy_node_cmp_new();
477 if (!*pnodes)
478 return 0;
479 } else if (sk_X509_POLICY_NODE_find(*pnodes, pcy) != -1)
480 return 1;
481
482 if (!sk_X509_POLICY_NODE_push(*pnodes, pcy))
483 return 0;
484
485 return 1;
486}
487
488/* Calculate the authority set based on policy tree.
489 * The 'pnodes' parameter is used as a store for the set of policy nodes
490 * used to calculate the user set. If the authority set is not anyPolicy
491 * then pnodes will just point to the authority set. If however the authority
492 * set is anyPolicy then the set of valid policies (other than anyPolicy)
493 * is store in pnodes. The return value of '2' is used in this case to indicate
494 * that pnodes should be freed.
495 */
496
497static int
498tree_calculate_authority_set(X509_POLICY_TREE *tree,
499 STACK_OF(X509_POLICY_NODE) **pnodes)
500{
501 X509_POLICY_LEVEL *curr;
502 X509_POLICY_NODE *node, *anyptr;
503 STACK_OF(X509_POLICY_NODE) **addnodes;
504 int i, j;
505
506 curr = tree->levels + tree->nlevel - 1;
507
508 /* If last level contains anyPolicy set is anyPolicy */
509 if (curr->anyPolicy) {
510 if (!tree_add_auth_node(&tree->auth_policies, curr->anyPolicy))
511 return 0;
512 addnodes = pnodes;
513 } else
514 /* Add policies to authority set */
515 addnodes = &tree->auth_policies;
516
517 curr = tree->levels;
518 for (i = 1; i < tree->nlevel; i++) {
519 /* If no anyPolicy node on this this level it can't
520 * appear on lower levels so end search.
521 */
522 if (!(anyptr = curr->anyPolicy))
523 break;
524 curr++;
525 for (j = 0; j < sk_X509_POLICY_NODE_num(curr->nodes); j++) {
526 node = sk_X509_POLICY_NODE_value(curr->nodes, j);
527 if ((node->parent == anyptr) &&
528 !tree_add_auth_node(addnodes, node))
529 return 0;
530 }
531 }
532
533 if (addnodes == pnodes)
534 return 2;
535
536 *pnodes = tree->auth_policies;
537
538 return 1;
539}
540
541static int
542tree_calculate_user_set(X509_POLICY_TREE *tree,
543 STACK_OF(ASN1_OBJECT) *policy_oids, STACK_OF(X509_POLICY_NODE) *auth_nodes)
544{
545 int i;
546 X509_POLICY_NODE *node;
547 ASN1_OBJECT *oid;
548 X509_POLICY_NODE *anyPolicy;
549 X509_POLICY_DATA *extra;
550
551 /* Check if anyPolicy present in authority constrained policy set:
552 * this will happen if it is a leaf node.
553 */
554
555 if (sk_ASN1_OBJECT_num(policy_oids) <= 0)
556 return 1;
557
558 anyPolicy = tree->levels[tree->nlevel - 1].anyPolicy;
559
560 for (i = 0; i < sk_ASN1_OBJECT_num(policy_oids); i++) {
561 oid = sk_ASN1_OBJECT_value(policy_oids, i);
562 if (OBJ_obj2nid(oid) == NID_any_policy) {
563 tree->flags |= POLICY_FLAG_ANY_POLICY;
564 return 1;
565 }
566 }
567
568 for (i = 0; i < sk_ASN1_OBJECT_num(policy_oids); i++) {
569 oid = sk_ASN1_OBJECT_value(policy_oids, i);
570 node = tree_find_sk(auth_nodes, oid);
571 if (!node) {
572 if (!anyPolicy)
573 continue;
574 /* Create a new node with policy ID from user set
575 * and qualifiers from anyPolicy.
576 */
577 extra = policy_data_new(NULL, oid,
578 node_critical(anyPolicy));
579 if (!extra)
580 return 0;
581 extra->qualifier_set = anyPolicy->data->qualifier_set;
582 extra->flags = POLICY_DATA_FLAG_SHARED_QUALIFIERS |
583 POLICY_DATA_FLAG_EXTRA_NODE;
584 (void) level_add_node(NULL, extra, anyPolicy->parent,
585 tree, &node);
586 }
587 if (!tree->user_policies) {
588 tree->user_policies = sk_X509_POLICY_NODE_new_null();
589 if (!tree->user_policies)
590 return 1;
591 }
592 if (!sk_X509_POLICY_NODE_push(tree->user_policies, node))
593 return 0;
594 }
595 return 1;
596}
597
598static int
599tree_evaluate(X509_POLICY_TREE *tree)
600{
601 int ret, i;
602 X509_POLICY_LEVEL *curr = tree->levels + 1;
603 const X509_POLICY_CACHE *cache;
604
605 for (i = 1; i < tree->nlevel; i++, curr++) {
606 cache = policy_cache_set(curr->cert);
607 if (!tree_link_nodes(curr, cache))
608 return 0;
609
610 if (!(curr->flags & X509_V_FLAG_INHIBIT_ANY) &&
611 !tree_link_any(curr, cache, tree))
612 return 0;
613 tree_print("before tree_prune()", tree, curr);
614 ret = tree_prune(tree, curr);
615 if (ret != 1)
616 return ret;
617 }
618
619 return 1;
620}
621
622static void
623exnode_free(X509_POLICY_NODE *node)
624{
625 if (node->data && (node->data->flags & POLICY_DATA_FLAG_EXTRA_NODE))
626 free(node);
627}
628
629void
630X509_policy_tree_free(X509_POLICY_TREE *tree)
631{
632 X509_POLICY_LEVEL *curr;
633 int i;
634
635 if (!tree)
636 return;
637
638 sk_X509_POLICY_NODE_free(tree->auth_policies);
639 sk_X509_POLICY_NODE_pop_free(tree->user_policies, exnode_free);
640
641 for (i = 0, curr = tree->levels; i < tree->nlevel; i++, curr++) {
642 X509_free(curr->cert);
643 if (curr->nodes)
644 sk_X509_POLICY_NODE_pop_free(curr->nodes,
645 policy_node_free);
646 if (curr->anyPolicy)
647 policy_node_free(curr->anyPolicy);
648 }
649
650 if (tree->extra_data)
651 sk_X509_POLICY_DATA_pop_free(tree->extra_data,
652 policy_data_free);
653
654 free(tree->levels);
655 free(tree);
656}
657
658/* Application policy checking function.
659 * Return codes:
660 * 0 Internal Error.
661 * 1 Successful.
662 * -1 One or more certificates contain invalid or inconsistent extensions
663 * -2 User constrained policy set empty and requireExplicit true.
664 */
665
666int
667X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy,
668 STACK_OF(X509) *certs, STACK_OF(ASN1_OBJECT) *policy_oids,
669 unsigned int flags)
670{
671 int ret, ret2;
672 X509_POLICY_TREE *tree = NULL;
673 STACK_OF(X509_POLICY_NODE) *nodes, *auth_nodes = NULL;
674
675 *ptree = NULL;
676 *pexplicit_policy = 0;
677 ret = tree_init(&tree, certs, flags);
678
679 switch (ret) {
680
681 /* Tree empty requireExplicit False: OK */
682 case 2:
683 return 1;
684
685 /* Some internal error */
686 case -1:
687 return -1;
688
689 /* Some internal error */
690 case 0:
691 return 0;
692
693 /* Tree empty requireExplicit True: Error */
694
695 case 6:
696 *pexplicit_policy = 1;
697 return -2;
698
699 /* Tree OK requireExplicit True: OK and continue */
700 case 5:
701 *pexplicit_policy = 1;
702 break;
703
704 /* Tree OK: continue */
705
706 case 1:
707 if (!tree)
708 /*
709 * tree_init() returns success and a null tree
710 * if it's just looking at a trust anchor.
711 * I'm not sure that returning success here is
712 * correct, but I'm sure that reporting this
713 * as an internal error which our caller
714 * interprets as a malloc failure is wrong.
715 */
716 return 1;
717 break;
718 }
719
720 if (!tree)
721 goto error;
722 ret = tree_evaluate(tree);
723
724 tree_print("tree_evaluate()", tree, NULL);
725
726 if (ret <= 0)
727 goto error;
728
729 /* Return value 2 means tree empty */
730 if (ret == 2) {
731 X509_policy_tree_free(tree);
732 if (*pexplicit_policy)
733 return -2;
734 else
735 return 1;
736 }
737
738 /* Tree is not empty: continue */
739
740 ret = tree_calculate_authority_set(tree, &auth_nodes);
741 if (ret == 0)
742 goto error;
743
744 ret2 = tree_calculate_user_set(tree, policy_oids, auth_nodes);
745
746 /* Return value 2 means auth_nodes needs to be freed */
747 if (ret == 2)
748 sk_X509_POLICY_NODE_free(auth_nodes);
749
750 if (ret2 == 0)
751 goto error;
752
753 if (tree)
754 *ptree = tree;
755
756 if (*pexplicit_policy) {
757 nodes = X509_policy_tree_get0_user_policies(tree);
758 if (sk_X509_POLICY_NODE_num(nodes) <= 0)
759 return -2;
760 }
761
762 return 1;
763
764error:
765 X509_policy_tree_free(tree);
766
767 return 0;
768}
diff --git a/src/lib/libcrypto/x509v3/v3_akey.c b/src/lib/libcrypto/x509v3/v3_akey.c
deleted file mode 100644
index 3071baf9ac..0000000000
--- a/src/lib/libcrypto/x509v3/v3_akey.c
+++ /dev/null
@@ -1,215 +0,0 @@
1/* $OpenBSD: v3_akey.c,v 1.17 2015/09/30 18:41:06 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include <string.h>
61
62#include <openssl/asn1.h>
63#include <openssl/asn1t.h>
64#include <openssl/conf.h>
65#include <openssl/err.h>
66#include <openssl/x509v3.h>
67
68static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
69 AUTHORITY_KEYID *akeyid, STACK_OF(CONF_VALUE) *extlist);
70static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
71 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values);
72
73const X509V3_EXT_METHOD v3_akey_id = {
74 .ext_nid = NID_authority_key_identifier,
75 .ext_flags = X509V3_EXT_MULTILINE,
76 .it = ASN1_ITEM_ref(AUTHORITY_KEYID),
77 .ext_new = NULL,
78 .ext_free = NULL,
79 .d2i = NULL,
80 .i2d = NULL,
81 .i2s = NULL,
82 .s2i = NULL,
83 .i2v = (X509V3_EXT_I2V)i2v_AUTHORITY_KEYID,
84 .v2i = (X509V3_EXT_V2I)v2i_AUTHORITY_KEYID,
85 .i2r = NULL,
86 .r2i = NULL,
87 .usr_data = NULL,
88};
89
90static
91STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
92 AUTHORITY_KEYID *akeyid, STACK_OF(CONF_VALUE) *extlist)
93{
94 char *tmp;
95
96 if (akeyid->keyid) {
97 tmp = hex_to_string(akeyid->keyid->data, akeyid->keyid->length);
98 X509V3_add_value("keyid", tmp, &extlist);
99 free(tmp);
100 }
101 if (akeyid->issuer)
102 extlist = i2v_GENERAL_NAMES(NULL, akeyid->issuer, extlist);
103 if (akeyid->serial) {
104 tmp = hex_to_string(akeyid->serial->data,
105 akeyid->serial->length);
106 X509V3_add_value("serial", tmp, &extlist);
107 free(tmp);
108 }
109 return extlist;
110}
111
112/* Currently two options:
113 * keyid: use the issuers subject keyid, the value 'always' means its is
114 * an error if the issuer certificate doesn't have a key id.
115 * issuer: use the issuers cert issuer and serial number. The default is
116 * to only use this if keyid is not present. With the option 'always'
117 * this is always included.
118 */
119
120static AUTHORITY_KEYID *
121v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
122 STACK_OF(CONF_VALUE) *values)
123{
124 char keyid = 0, issuer = 0;
125 int i;
126 CONF_VALUE *cnf;
127 ASN1_OCTET_STRING *ikeyid = NULL;
128 X509_NAME *isname = NULL;
129 STACK_OF(GENERAL_NAME) *gens = NULL;
130 GENERAL_NAME *gen = NULL;
131 ASN1_INTEGER *serial = NULL;
132 X509_EXTENSION *ext;
133 X509 *cert;
134 AUTHORITY_KEYID *akeyid = NULL;
135
136 for (i = 0; i < sk_CONF_VALUE_num(values); i++) {
137 cnf = sk_CONF_VALUE_value(values, i);
138 if (!strcmp(cnf->name, "keyid")) {
139 keyid = 1;
140 if (cnf->value && !strcmp(cnf->value, "always"))
141 keyid = 2;
142 }
143 else if (!strcmp(cnf->name, "issuer")) {
144 issuer = 1;
145 if (cnf->value && !strcmp(cnf->value, "always"))
146 issuer = 2;
147 } else {
148 X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,
149 X509V3_R_UNKNOWN_OPTION);
150 ERR_asprintf_error_data("name=%s", cnf->name);
151 return NULL;
152 }
153 }
154
155 if (!ctx || !ctx->issuer_cert) {
156 if (ctx && (ctx->flags == CTX_TEST))
157 return AUTHORITY_KEYID_new();
158 X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,
159 X509V3_R_NO_ISSUER_CERTIFICATE);
160 return NULL;
161 }
162
163 cert = ctx->issuer_cert;
164
165 if (keyid) {
166 i = X509_get_ext_by_NID(cert, NID_subject_key_identifier, -1);
167 if ((i >= 0) && (ext = X509_get_ext(cert, i)))
168 ikeyid = X509V3_EXT_d2i(ext);
169 if (keyid == 2 && !ikeyid) {
170 X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,
171 X509V3_R_UNABLE_TO_GET_ISSUER_KEYID);
172 return NULL;
173 }
174 }
175
176 if ((issuer && !ikeyid) || (issuer == 2)) {
177 isname = X509_NAME_dup(X509_get_issuer_name(cert));
178 serial = ASN1_INTEGER_dup(X509_get_serialNumber(cert));
179 if (!isname || !serial) {
180 X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,
181 X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS);
182 goto err;
183 }
184 }
185
186 if (!(akeyid = AUTHORITY_KEYID_new()))
187 goto err;
188
189 if (isname) {
190 if (!(gens = sk_GENERAL_NAME_new_null()) ||
191 !(gen = GENERAL_NAME_new()) ||
192 !sk_GENERAL_NAME_push(gens, gen)) {
193 X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,
194 ERR_R_MALLOC_FAILURE);
195 goto err;
196 }
197 gen->type = GEN_DIRNAME;
198 gen->d.dirn = isname;
199 }
200
201 akeyid->issuer = gens;
202 akeyid->serial = serial;
203 akeyid->keyid = ikeyid;
204
205 return akeyid;
206
207err:
208 AUTHORITY_KEYID_free(akeyid);
209 GENERAL_NAME_free(gen);
210 sk_GENERAL_NAME_free(gens);
211 X509_NAME_free(isname);
212 ASN1_INTEGER_free(serial);
213 ASN1_OCTET_STRING_free(ikeyid);
214 return NULL;
215}
diff --git a/src/lib/libcrypto/x509v3/v3_akeya.c b/src/lib/libcrypto/x509v3/v3_akeya.c
deleted file mode 100644
index 83ef1b5838..0000000000
--- a/src/lib/libcrypto/x509v3/v3_akeya.c
+++ /dev/null
@@ -1,124 +0,0 @@
1/* $OpenBSD: v3_akeya.c,v 1.7 2015/07/25 16:00:14 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60
61#include <openssl/asn1.h>
62#include <openssl/asn1t.h>
63#include <openssl/conf.h>
64#include <openssl/x509v3.h>
65
66static const ASN1_TEMPLATE AUTHORITY_KEYID_seq_tt[] = {
67 {
68 .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL,
69 .tag = 0,
70 .offset = offsetof(AUTHORITY_KEYID, keyid),
71 .field_name = "keyid",
72 .item = &ASN1_OCTET_STRING_it,
73 },
74 {
75 .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_OPTIONAL,
76 .tag = 1,
77 .offset = offsetof(AUTHORITY_KEYID, issuer),
78 .field_name = "issuer",
79 .item = &GENERAL_NAME_it,
80 },
81 {
82 .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL,
83 .tag = 2,
84 .offset = offsetof(AUTHORITY_KEYID, serial),
85 .field_name = "serial",
86 .item = &ASN1_INTEGER_it,
87 },
88};
89
90const ASN1_ITEM AUTHORITY_KEYID_it = {
91 .itype = ASN1_ITYPE_SEQUENCE,
92 .utype = V_ASN1_SEQUENCE,
93 .templates = AUTHORITY_KEYID_seq_tt,
94 .tcount = sizeof(AUTHORITY_KEYID_seq_tt) / sizeof(ASN1_TEMPLATE),
95 .funcs = NULL,
96 .size = sizeof(AUTHORITY_KEYID),
97 .sname = "AUTHORITY_KEYID",
98};
99
100
101AUTHORITY_KEYID *
102d2i_AUTHORITY_KEYID(AUTHORITY_KEYID **a, const unsigned char **in, long len)
103{
104 return (AUTHORITY_KEYID *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
105 &AUTHORITY_KEYID_it);
106}
107
108int
109i2d_AUTHORITY_KEYID(AUTHORITY_KEYID *a, unsigned char **out)
110{
111 return ASN1_item_i2d((ASN1_VALUE *)a, out, &AUTHORITY_KEYID_it);
112}
113
114AUTHORITY_KEYID *
115AUTHORITY_KEYID_new(void)
116{
117 return (AUTHORITY_KEYID *)ASN1_item_new(&AUTHORITY_KEYID_it);
118}
119
120void
121AUTHORITY_KEYID_free(AUTHORITY_KEYID *a)
122{
123 ASN1_item_free((ASN1_VALUE *)a, &AUTHORITY_KEYID_it);
124}
diff --git a/src/lib/libcrypto/x509v3/v3_alt.c b/src/lib/libcrypto/x509v3/v3_alt.c
deleted file mode 100644
index 75c68d3cdb..0000000000
--- a/src/lib/libcrypto/x509v3/v3_alt.c
+++ /dev/null
@@ -1,671 +0,0 @@
1/* $OpenBSD: v3_alt.c,v 1.25 2015/09/30 18:21:50 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project.
4 */
5/* ====================================================================
6 * Copyright (c) 1999-2003 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include <string.h>
61
62#include <openssl/conf.h>
63#include <openssl/err.h>
64#include <openssl/x509v3.h>
65
66static GENERAL_NAMES *v2i_subject_alt(X509V3_EXT_METHOD *method,
67 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
68static GENERAL_NAMES *v2i_issuer_alt(X509V3_EXT_METHOD *method,
69 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
70static int copy_email(X509V3_CTX *ctx, GENERAL_NAMES *gens, int move_p);
71static int copy_issuer(X509V3_CTX *ctx, GENERAL_NAMES *gens);
72static int do_othername(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx);
73static int do_dirname(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx);
74
75const X509V3_EXT_METHOD v3_alt[] = {
76 {
77 .ext_nid = NID_subject_alt_name,
78 .ext_flags = 0,
79 .it = ASN1_ITEM_ref(GENERAL_NAMES),
80 .ext_new = NULL,
81 .ext_free = NULL,
82 .d2i = NULL,
83 .i2d = NULL,
84 .i2s = NULL,
85 .s2i = NULL,
86 .i2v = (X509V3_EXT_I2V)i2v_GENERAL_NAMES,
87 .v2i = (X509V3_EXT_V2I)v2i_subject_alt,
88 .i2r = NULL,
89 .r2i = NULL,
90 .usr_data = NULL,
91 },
92 {
93 .ext_nid = NID_issuer_alt_name,
94 .ext_flags = 0,
95 .it = ASN1_ITEM_ref(GENERAL_NAMES),
96 .ext_new = NULL,
97 .ext_free = NULL,
98 .d2i = NULL,
99 .i2d = NULL,
100 .i2s = NULL,
101 .s2i = NULL,
102 .i2v = (X509V3_EXT_I2V)i2v_GENERAL_NAMES,
103 .v2i = (X509V3_EXT_V2I)v2i_issuer_alt,
104 .i2r = NULL,
105 .r2i = NULL,
106 .usr_data = NULL,
107 },
108 {
109 .ext_nid = NID_certificate_issuer,
110 .ext_flags = 0,
111 .it = ASN1_ITEM_ref(GENERAL_NAMES),
112 .ext_new = NULL,
113 .ext_free = NULL,
114 .d2i = NULL,
115 .i2d = NULL,
116 .i2s = NULL,
117 .s2i = NULL,
118 .i2v = (X509V3_EXT_I2V)i2v_GENERAL_NAMES,
119 .v2i = NULL,
120 .i2r = NULL,
121 .r2i = NULL,
122 .usr_data = NULL,
123 },
124};
125
126STACK_OF(CONF_VALUE) *
127i2v_GENERAL_NAMES(X509V3_EXT_METHOD *method, GENERAL_NAMES *gens,
128 STACK_OF(CONF_VALUE) *ret)
129{
130 int i;
131 GENERAL_NAME *gen;
132
133 for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
134 gen = sk_GENERAL_NAME_value(gens, i);
135 ret = i2v_GENERAL_NAME(method, gen, ret);
136 }
137 if (!ret)
138 return sk_CONF_VALUE_new_null();
139 return ret;
140}
141
142STACK_OF(CONF_VALUE) *
143i2v_GENERAL_NAME(X509V3_EXT_METHOD *method, GENERAL_NAME *gen,
144 STACK_OF(CONF_VALUE) *ret)
145{
146 unsigned char *p;
147 char oline[256], htmp[5];
148 int i;
149
150 switch (gen->type) {
151 case GEN_OTHERNAME:
152 X509V3_add_value("othername", "<unsupported>", &ret);
153 break;
154
155 case GEN_X400:
156 X509V3_add_value("X400Name", "<unsupported>", &ret);
157 break;
158
159 case GEN_EDIPARTY:
160 X509V3_add_value("EdiPartyName", "<unsupported>", &ret);
161 break;
162
163 case GEN_EMAIL:
164 X509V3_add_value_uchar("email", gen->d.ia5->data, &ret);
165 break;
166
167 case GEN_DNS:
168 X509V3_add_value_uchar("DNS", gen->d.ia5->data, &ret);
169 break;
170
171 case GEN_URI:
172 X509V3_add_value_uchar("URI", gen->d.ia5->data, &ret);
173 break;
174
175 case GEN_DIRNAME:
176 X509_NAME_oneline(gen->d.dirn, oline, 256);
177 X509V3_add_value("DirName", oline, &ret);
178 break;
179
180 case GEN_IPADD:
181 p = gen->d.ip->data;
182 if (gen->d.ip->length == 4)
183 (void) snprintf(oline, sizeof oline,
184 "%d.%d.%d.%d", p[0], p[1], p[2], p[3]);
185 else if (gen->d.ip->length == 16) {
186 oline[0] = 0;
187 for (i = 0; i < 8; i++) {
188 (void) snprintf(htmp, sizeof htmp,
189 "%X", p[0] << 8 | p[1]);
190 p += 2;
191 strlcat(oline, htmp, sizeof(oline));
192 if (i != 7)
193 strlcat(oline, ":", sizeof(oline));
194 }
195 } else {
196 X509V3_add_value("IP Address", "<invalid>", &ret);
197 break;
198 }
199 X509V3_add_value("IP Address", oline, &ret);
200 break;
201
202 case GEN_RID:
203 i2t_ASN1_OBJECT(oline, 256, gen->d.rid);
204 X509V3_add_value("Registered ID", oline, &ret);
205 break;
206 }
207 return ret;
208}
209
210int
211GENERAL_NAME_print(BIO *out, GENERAL_NAME *gen)
212{
213 unsigned char *p;
214 int i;
215
216 switch (gen->type) {
217 case GEN_OTHERNAME:
218 BIO_printf(out, "othername:<unsupported>");
219 break;
220
221 case GEN_X400:
222 BIO_printf(out, "X400Name:<unsupported>");
223 break;
224
225 case GEN_EDIPARTY:
226 /* Maybe fix this: it is supported now */
227 BIO_printf(out, "EdiPartyName:<unsupported>");
228 break;
229
230 case GEN_EMAIL:
231 BIO_printf(out, "email:%s", gen->d.ia5->data);
232 break;
233
234 case GEN_DNS:
235 BIO_printf(out, "DNS:%s", gen->d.ia5->data);
236 break;
237
238 case GEN_URI:
239 BIO_printf(out, "URI:%s", gen->d.ia5->data);
240 break;
241
242 case GEN_DIRNAME:
243 BIO_printf(out, "DirName: ");
244 X509_NAME_print_ex(out, gen->d.dirn, 0, XN_FLAG_ONELINE);
245 break;
246
247 case GEN_IPADD:
248 p = gen->d.ip->data;
249 if (gen->d.ip->length == 4)
250 BIO_printf(out, "IP Address:%d.%d.%d.%d",
251 p[0], p[1], p[2], p[3]);
252 else if (gen->d.ip->length == 16) {
253 BIO_printf(out, "IP Address");
254 for (i = 0; i < 8; i++) {
255 BIO_printf(out, ":%X", p[0] << 8 | p[1]);
256 p += 2;
257 }
258 BIO_puts(out, "\n");
259 } else {
260 BIO_printf(out, "IP Address:<invalid>");
261 break;
262 }
263 break;
264
265 case GEN_RID:
266 BIO_printf(out, "Registered ID");
267 i2a_ASN1_OBJECT(out, gen->d.rid);
268 break;
269 }
270 return 1;
271}
272
273static GENERAL_NAMES *
274v2i_issuer_alt(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
275 STACK_OF(CONF_VALUE) *nval)
276{
277 GENERAL_NAMES *gens = NULL;
278 CONF_VALUE *cnf;
279 int i;
280
281 if ((gens = sk_GENERAL_NAME_new_null()) == NULL) {
282 X509V3err(X509V3_F_V2I_ISSUER_ALT, ERR_R_MALLOC_FAILURE);
283 return NULL;
284 }
285 for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
286 cnf = sk_CONF_VALUE_value(nval, i);
287 if (name_cmp(cnf->name, "issuer") == 0 && cnf->value != NULL &&
288 strcmp(cnf->value, "copy") == 0) {
289 if (!copy_issuer(ctx, gens))
290 goto err;
291 } else {
292 GENERAL_NAME *gen;
293 if ((gen = v2i_GENERAL_NAME(method, ctx, cnf)) == NULL)
294 goto err;
295 if (sk_GENERAL_NAME_push(gens, gen) == 0) {
296 GENERAL_NAME_free(gen);
297 goto err;
298 }
299 }
300 }
301 return gens;
302
303err:
304 sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
305 return NULL;
306}
307
308/* Append subject altname of issuer to issuer alt name of subject */
309
310static int
311copy_issuer(X509V3_CTX *ctx, GENERAL_NAMES *gens)
312{
313 GENERAL_NAMES *ialt;
314 GENERAL_NAME *gen;
315 X509_EXTENSION *ext;
316 int i;
317
318 if (ctx && (ctx->flags == CTX_TEST))
319 return 1;
320 if (!ctx || !ctx->issuer_cert) {
321 X509V3err(X509V3_F_COPY_ISSUER, X509V3_R_NO_ISSUER_DETAILS);
322 goto err;
323 }
324 i = X509_get_ext_by_NID(ctx->issuer_cert, NID_subject_alt_name, -1);
325 if (i < 0)
326 return 1;
327 if (!(ext = X509_get_ext(ctx->issuer_cert, i)) ||
328 !(ialt = X509V3_EXT_d2i(ext))) {
329 X509V3err(X509V3_F_COPY_ISSUER, X509V3_R_ISSUER_DECODE_ERROR);
330 goto err;
331 }
332
333 for (i = 0; i < sk_GENERAL_NAME_num(ialt); i++) {
334 gen = sk_GENERAL_NAME_value(ialt, i);
335 if (!sk_GENERAL_NAME_push(gens, gen)) {
336 X509V3err(X509V3_F_COPY_ISSUER, ERR_R_MALLOC_FAILURE);
337 goto err;
338 }
339 }
340 sk_GENERAL_NAME_free(ialt);
341
342 return 1;
343
344err:
345 return 0;
346
347}
348
349static GENERAL_NAMES *
350v2i_subject_alt(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
351 STACK_OF(CONF_VALUE) *nval)
352{
353 GENERAL_NAMES *gens = NULL;
354 CONF_VALUE *cnf;
355 int i;
356
357 if (!(gens = sk_GENERAL_NAME_new_null())) {
358 X509V3err(X509V3_F_V2I_SUBJECT_ALT, ERR_R_MALLOC_FAILURE);
359 return NULL;
360 }
361 for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
362 cnf = sk_CONF_VALUE_value(nval, i);
363 if (!name_cmp(cnf->name, "email") && cnf->value &&
364 !strcmp(cnf->value, "copy")) {
365 if (!copy_email(ctx, gens, 0))
366 goto err;
367 } else if (!name_cmp(cnf->name, "email") && cnf->value &&
368 !strcmp(cnf->value, "move")) {
369 if (!copy_email(ctx, gens, 1))
370 goto err;
371 } else {
372 GENERAL_NAME *gen;
373 if (!(gen = v2i_GENERAL_NAME(method, ctx, cnf)))
374 goto err;
375 if (sk_GENERAL_NAME_push(gens, gen) == 0) {
376 GENERAL_NAME_free(gen);
377 goto err;
378 }
379 }
380 }
381 return gens;
382
383err:
384 sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
385 return NULL;
386}
387
388/* Copy any email addresses in a certificate or request to
389 * GENERAL_NAMES
390 */
391
392static int
393copy_email(X509V3_CTX *ctx, GENERAL_NAMES *gens, int move_p)
394{
395 X509_NAME *nm;
396 ASN1_IA5STRING *email = NULL;
397 X509_NAME_ENTRY *ne;
398 GENERAL_NAME *gen = NULL;
399 int i;
400
401 if (ctx != NULL && ctx->flags == CTX_TEST)
402 return 1;
403 if (!ctx || (!ctx->subject_cert && !ctx->subject_req)) {
404 X509V3err(X509V3_F_COPY_EMAIL, X509V3_R_NO_SUBJECT_DETAILS);
405 goto err;
406 }
407 /* Find the subject name */
408 if (ctx->subject_cert)
409 nm = X509_get_subject_name(ctx->subject_cert);
410 else
411 nm = X509_REQ_get_subject_name(ctx->subject_req);
412
413 /* Now add any email address(es) to STACK */
414 i = -1;
415 while ((i = X509_NAME_get_index_by_NID(nm,
416 NID_pkcs9_emailAddress, i)) >= 0) {
417 ne = X509_NAME_get_entry(nm, i);
418 email = ASN1_STRING_dup(X509_NAME_ENTRY_get_data(ne));
419 if (move_p) {
420 X509_NAME_delete_entry(nm, i);
421 X509_NAME_ENTRY_free(ne);
422 i--;
423 }
424 if (!email || !(gen = GENERAL_NAME_new())) {
425 X509V3err(X509V3_F_COPY_EMAIL, ERR_R_MALLOC_FAILURE);
426 goto err;
427 }
428 gen->d.ia5 = email;
429 email = NULL;
430 gen->type = GEN_EMAIL;
431 if (!sk_GENERAL_NAME_push(gens, gen)) {
432 X509V3err(X509V3_F_COPY_EMAIL, ERR_R_MALLOC_FAILURE);
433 goto err;
434 }
435 gen = NULL;
436 }
437
438 return 1;
439
440err:
441 GENERAL_NAME_free(gen);
442 ASN1_IA5STRING_free(email);
443 return 0;
444}
445
446GENERAL_NAMES *
447v2i_GENERAL_NAMES(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
448 STACK_OF(CONF_VALUE) *nval)
449{
450 GENERAL_NAME *gen;
451 GENERAL_NAMES *gens = NULL;
452 CONF_VALUE *cnf;
453 int i;
454
455 if (!(gens = sk_GENERAL_NAME_new_null())) {
456 X509V3err(X509V3_F_V2I_GENERAL_NAMES, ERR_R_MALLOC_FAILURE);
457 return NULL;
458 }
459 for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
460 cnf = sk_CONF_VALUE_value(nval, i);
461 if (!(gen = v2i_GENERAL_NAME(method, ctx, cnf)))
462 goto err;
463 if (sk_GENERAL_NAME_push(gens, gen) == 0) {
464 GENERAL_NAME_free(gen);
465 goto err;
466 }
467 }
468 return gens;
469
470err:
471 sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
472 return NULL;
473}
474
475GENERAL_NAME *
476v2i_GENERAL_NAME(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
477 CONF_VALUE *cnf)
478{
479 return v2i_GENERAL_NAME_ex(NULL, method, ctx, cnf, 0);
480}
481
482GENERAL_NAME *
483a2i_GENERAL_NAME(GENERAL_NAME *out, const X509V3_EXT_METHOD *method,
484 X509V3_CTX *ctx, int gen_type, char *value, int is_nc)
485{
486 char is_string = 0;
487 GENERAL_NAME *gen = NULL;
488
489 if (!value) {
490 X509V3err(X509V3_F_A2I_GENERAL_NAME, X509V3_R_MISSING_VALUE);
491 return NULL;
492 }
493
494 if (out)
495 gen = out;
496 else {
497 gen = GENERAL_NAME_new();
498 if (gen == NULL) {
499 X509V3err(X509V3_F_A2I_GENERAL_NAME,
500 ERR_R_MALLOC_FAILURE);
501 return NULL;
502 }
503 }
504
505 switch (gen_type) {
506 case GEN_URI:
507 case GEN_EMAIL:
508 case GEN_DNS:
509 is_string = 1;
510 break;
511
512 case GEN_RID:
513 {
514 ASN1_OBJECT *obj;
515 if (!(obj = OBJ_txt2obj(value, 0))) {
516 X509V3err(X509V3_F_A2I_GENERAL_NAME,
517 X509V3_R_BAD_OBJECT);
518 ERR_asprintf_error_data("value=%s", value);
519 goto err;
520 }
521 gen->d.rid = obj;
522 }
523 break;
524
525 case GEN_IPADD:
526 if (is_nc)
527 gen->d.ip = a2i_IPADDRESS_NC(value);
528 else
529 gen->d.ip = a2i_IPADDRESS(value);
530 if (gen->d.ip == NULL) {
531 X509V3err(X509V3_F_A2I_GENERAL_NAME,
532 X509V3_R_BAD_IP_ADDRESS);
533 ERR_asprintf_error_data("value=%s", value);
534 goto err;
535 }
536 break;
537
538 case GEN_DIRNAME:
539 if (!do_dirname(gen, value, ctx)) {
540 X509V3err(X509V3_F_A2I_GENERAL_NAME,
541 X509V3_R_DIRNAME_ERROR);
542 goto err;
543 }
544 break;
545
546 case GEN_OTHERNAME:
547 if (!do_othername(gen, value, ctx)) {
548 X509V3err(X509V3_F_A2I_GENERAL_NAME,
549 X509V3_R_OTHERNAME_ERROR);
550 goto err;
551 }
552 break;
553
554 default:
555 X509V3err(X509V3_F_A2I_GENERAL_NAME, X509V3_R_UNSUPPORTED_TYPE);
556 goto err;
557 }
558
559 if (is_string) {
560 if (!(gen->d.ia5 = ASN1_IA5STRING_new()) ||
561 !ASN1_STRING_set(gen->d.ia5, (unsigned char*)value,
562 strlen(value))) {
563 X509V3err(X509V3_F_A2I_GENERAL_NAME,
564 ERR_R_MALLOC_FAILURE);
565 goto err;
566 }
567 }
568
569 gen->type = gen_type;
570
571 return gen;
572
573err:
574 if (out == NULL)
575 GENERAL_NAME_free(gen);
576 return NULL;
577}
578
579GENERAL_NAME *
580v2i_GENERAL_NAME_ex(GENERAL_NAME *out, const X509V3_EXT_METHOD *method,
581 X509V3_CTX *ctx, CONF_VALUE *cnf, int is_nc)
582{
583 int type;
584 char *name, *value;
585
586 name = cnf->name;
587 value = cnf->value;
588
589 if (!value) {
590 X509V3err(X509V3_F_V2I_GENERAL_NAME_EX, X509V3_R_MISSING_VALUE);
591 return NULL;
592 }
593
594 if (!name_cmp(name, "email"))
595 type = GEN_EMAIL;
596 else if (!name_cmp(name, "URI"))
597 type = GEN_URI;
598 else if (!name_cmp(name, "DNS"))
599 type = GEN_DNS;
600 else if (!name_cmp(name, "RID"))
601 type = GEN_RID;
602 else if (!name_cmp(name, "IP"))
603 type = GEN_IPADD;
604 else if (!name_cmp(name, "dirName"))
605 type = GEN_DIRNAME;
606 else if (!name_cmp(name, "otherName"))
607 type = GEN_OTHERNAME;
608 else {
609 X509V3err(X509V3_F_V2I_GENERAL_NAME_EX,
610 X509V3_R_UNSUPPORTED_OPTION);
611 ERR_asprintf_error_data("name=%s", name);
612 return NULL;
613 }
614
615 return a2i_GENERAL_NAME(out, method, ctx, type, value, is_nc);
616}
617
618static int
619do_othername(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx)
620{
621 char *objtmp = NULL, *p;
622 int objlen;
623
624 if (!(p = strchr(value, ';')))
625 return 0;
626 if (!(gen->d.otherName = OTHERNAME_new()))
627 return 0;
628 /* Free this up because we will overwrite it.
629 * no need to free type_id because it is static
630 */
631 ASN1_TYPE_free(gen->d.otherName->value);
632 if (!(gen->d.otherName->value = ASN1_generate_v3(p + 1, ctx)))
633 return 0;
634 objlen = p - value;
635 objtmp = malloc(objlen + 1);
636 if (objtmp) {
637 strlcpy(objtmp, value, objlen + 1);
638 gen->d.otherName->type_id = OBJ_txt2obj(objtmp, 0);
639 free(objtmp);
640 } else
641 gen->d.otherName->type_id = NULL;
642 if (!gen->d.otherName->type_id)
643 return 0;
644 return 1;
645}
646
647static int
648do_dirname(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx)
649{
650 int ret;
651 STACK_OF(CONF_VALUE) *sk;
652 X509_NAME *nm;
653
654 if (!(nm = X509_NAME_new()))
655 return 0;
656 sk = X509V3_get_section(ctx, value);
657 if (!sk) {
658 X509V3err(X509V3_F_DO_DIRNAME, X509V3_R_SECTION_NOT_FOUND);
659 ERR_asprintf_error_data("section=%s", value);
660 X509_NAME_free(nm);
661 return 0;
662 }
663 /* FIXME: should allow other character types... */
664 ret = X509V3_NAME_from_section(nm, sk, MBSTRING_ASC);
665 if (!ret)
666 X509_NAME_free(nm);
667 gen->d.dirn = nm;
668 X509V3_section_free(ctx, sk);
669
670 return ret;
671}
diff --git a/src/lib/libcrypto/x509v3/v3_bcons.c b/src/lib/libcrypto/x509v3/v3_bcons.c
deleted file mode 100644
index 292705a8d6..0000000000
--- a/src/lib/libcrypto/x509v3/v3_bcons.c
+++ /dev/null
@@ -1,185 +0,0 @@
1/* $OpenBSD: v3_bcons.c,v 1.13 2015/07/29 16:13:48 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include <string.h>
61
62#include <openssl/asn1.h>
63#include <openssl/asn1t.h>
64#include <openssl/conf.h>
65#include <openssl/err.h>
66#include <openssl/x509v3.h>
67
68static STACK_OF(CONF_VALUE) *i2v_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method,
69 BASIC_CONSTRAINTS *bcons, STACK_OF(CONF_VALUE) *extlist);
70static BASIC_CONSTRAINTS *v2i_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method,
71 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values);
72
73const X509V3_EXT_METHOD v3_bcons = {
74 .ext_nid = NID_basic_constraints,
75 .ext_flags = 0,
76 .it = ASN1_ITEM_ref(BASIC_CONSTRAINTS),
77 .ext_new = NULL,
78 .ext_free = NULL,
79 .d2i = NULL,
80 .i2d = NULL,
81 .i2s = NULL,
82 .s2i = NULL,
83 .i2v = (X509V3_EXT_I2V)i2v_BASIC_CONSTRAINTS,
84 .v2i = (X509V3_EXT_V2I)v2i_BASIC_CONSTRAINTS,
85 .i2r = NULL,
86 .r2i = NULL,
87 .usr_data = NULL,
88};
89
90static const ASN1_TEMPLATE BASIC_CONSTRAINTS_seq_tt[] = {
91 {
92 .flags = ASN1_TFLG_OPTIONAL,
93 .tag = 0,
94 .offset = offsetof(BASIC_CONSTRAINTS, ca),
95 .field_name = "ca",
96 .item = &ASN1_FBOOLEAN_it,
97 },
98 {
99 .flags = ASN1_TFLG_OPTIONAL,
100 .tag = 0,
101 .offset = offsetof(BASIC_CONSTRAINTS, pathlen),
102 .field_name = "pathlen",
103 .item = &ASN1_INTEGER_it,
104 },
105};
106
107const ASN1_ITEM BASIC_CONSTRAINTS_it = {
108 .itype = ASN1_ITYPE_SEQUENCE,
109 .utype = V_ASN1_SEQUENCE,
110 .templates = BASIC_CONSTRAINTS_seq_tt,
111 .tcount = sizeof(BASIC_CONSTRAINTS_seq_tt) / sizeof(ASN1_TEMPLATE),
112 .funcs = NULL,
113 .size = sizeof(BASIC_CONSTRAINTS),
114 .sname = "BASIC_CONSTRAINTS",
115};
116
117
118BASIC_CONSTRAINTS *
119d2i_BASIC_CONSTRAINTS(BASIC_CONSTRAINTS **a, const unsigned char **in, long len)
120{
121 return (BASIC_CONSTRAINTS *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
122 &BASIC_CONSTRAINTS_it);
123}
124
125int
126i2d_BASIC_CONSTRAINTS(BASIC_CONSTRAINTS *a, unsigned char **out)
127{
128 return ASN1_item_i2d((ASN1_VALUE *)a, out, &BASIC_CONSTRAINTS_it);
129}
130
131BASIC_CONSTRAINTS *
132BASIC_CONSTRAINTS_new(void)
133{
134 return (BASIC_CONSTRAINTS *)ASN1_item_new(&BASIC_CONSTRAINTS_it);
135}
136
137void
138BASIC_CONSTRAINTS_free(BASIC_CONSTRAINTS *a)
139{
140 ASN1_item_free((ASN1_VALUE *)a, &BASIC_CONSTRAINTS_it);
141}
142
143
144static STACK_OF(CONF_VALUE) *
145i2v_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method, BASIC_CONSTRAINTS *bcons,
146 STACK_OF(CONF_VALUE) *extlist)
147{
148 X509V3_add_value_bool("CA", bcons->ca, &extlist);
149 X509V3_add_value_int("pathlen", bcons->pathlen, &extlist);
150 return extlist;
151}
152
153static BASIC_CONSTRAINTS *
154v2i_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
155 STACK_OF(CONF_VALUE) *values)
156{
157 BASIC_CONSTRAINTS *bcons = NULL;
158 CONF_VALUE *val;
159 int i;
160
161 if (!(bcons = BASIC_CONSTRAINTS_new())) {
162 X509V3err(X509V3_F_V2I_BASIC_CONSTRAINTS, ERR_R_MALLOC_FAILURE);
163 return NULL;
164 }
165 for (i = 0; i < sk_CONF_VALUE_num(values); i++) {
166 val = sk_CONF_VALUE_value(values, i);
167 if (!strcmp(val->name, "CA")) {
168 if (!X509V3_get_value_bool(val, &bcons->ca))
169 goto err;
170 } else if (!strcmp(val->name, "pathlen")) {
171 if (!X509V3_get_value_int(val, &bcons->pathlen))
172 goto err;
173 } else {
174 X509V3err(X509V3_F_V2I_BASIC_CONSTRAINTS,
175 X509V3_R_INVALID_NAME);
176 X509V3_conf_err(val);
177 goto err;
178 }
179 }
180 return bcons;
181
182err:
183 BASIC_CONSTRAINTS_free(bcons);
184 return NULL;
185}
diff --git a/src/lib/libcrypto/x509v3/v3_bitst.c b/src/lib/libcrypto/x509v3/v3_bitst.c
deleted file mode 100644
index 0670aa306e..0000000000
--- a/src/lib/libcrypto/x509v3/v3_bitst.c
+++ /dev/null
@@ -1,175 +0,0 @@
1/* $OpenBSD: v3_bitst.c,v 1.12 2015/09/29 13:54:40 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include <string.h>
61
62#include <openssl/conf.h>
63#include <openssl/err.h>
64#include <openssl/x509v3.h>
65
66static BIT_STRING_BITNAME ns_cert_type_table[] = {
67 {0, "SSL Client", "client"},
68 {1, "SSL Server", "server"},
69 {2, "S/MIME", "email"},
70 {3, "Object Signing", "objsign"},
71 {4, "Unused", "reserved"},
72 {5, "SSL CA", "sslCA"},
73 {6, "S/MIME CA", "emailCA"},
74 {7, "Object Signing CA", "objCA"},
75 {-1, NULL, NULL}
76};
77
78static BIT_STRING_BITNAME key_usage_type_table[] = {
79 {0, "Digital Signature", "digitalSignature"},
80 {1, "Non Repudiation", "nonRepudiation"},
81 {2, "Key Encipherment", "keyEncipherment"},
82 {3, "Data Encipherment", "dataEncipherment"},
83 {4, "Key Agreement", "keyAgreement"},
84 {5, "Certificate Sign", "keyCertSign"},
85 {6, "CRL Sign", "cRLSign"},
86 {7, "Encipher Only", "encipherOnly"},
87 {8, "Decipher Only", "decipherOnly"},
88 {-1, NULL, NULL}
89};
90
91const X509V3_EXT_METHOD v3_nscert = {
92 .ext_nid = NID_netscape_cert_type,
93 .ext_flags = 0,
94 .it = ASN1_ITEM_ref(ASN1_BIT_STRING),
95 .ext_new = NULL,
96 .ext_free = NULL,
97 .d2i = NULL,
98 .i2d = NULL,
99 .i2s = NULL,
100 .s2i = NULL,
101 .i2v = (X509V3_EXT_I2V)i2v_ASN1_BIT_STRING,
102 .v2i = (X509V3_EXT_V2I)v2i_ASN1_BIT_STRING,
103 .i2r = NULL,
104 .r2i = NULL,
105 .usr_data = ns_cert_type_table,
106};
107
108const X509V3_EXT_METHOD v3_key_usage = {
109 .ext_nid = NID_key_usage,
110 .ext_flags = 0,
111 .it = ASN1_ITEM_ref(ASN1_BIT_STRING),
112 .ext_new = NULL,
113 .ext_free = NULL,
114 .d2i = NULL,
115 .i2d = NULL,
116 .i2s = NULL,
117 .s2i = NULL,
118 .i2v = (X509V3_EXT_I2V)i2v_ASN1_BIT_STRING,
119 .v2i = (X509V3_EXT_V2I)v2i_ASN1_BIT_STRING,
120 .i2r = NULL,
121 .r2i = NULL,
122 .usr_data = key_usage_type_table,
123};
124
125STACK_OF(CONF_VALUE) *
126i2v_ASN1_BIT_STRING(X509V3_EXT_METHOD *method, ASN1_BIT_STRING *bits,
127 STACK_OF(CONF_VALUE) *ret)
128{
129 BIT_STRING_BITNAME *bnam;
130
131 for (bnam = method->usr_data; bnam->lname; bnam++) {
132 if (ASN1_BIT_STRING_get_bit(bits, bnam->bitnum))
133 X509V3_add_value(bnam->lname, NULL, &ret);
134 }
135 return ret;
136}
137
138ASN1_BIT_STRING *
139v2i_ASN1_BIT_STRING(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
140 STACK_OF(CONF_VALUE) *nval)
141{
142 CONF_VALUE *val;
143 ASN1_BIT_STRING *bs;
144 int i;
145 BIT_STRING_BITNAME *bnam;
146
147 if (!(bs = ASN1_BIT_STRING_new())) {
148 X509V3err(X509V3_F_V2I_ASN1_BIT_STRING, ERR_R_MALLOC_FAILURE);
149 return NULL;
150 }
151 for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
152 val = sk_CONF_VALUE_value(nval, i);
153 for (bnam = method->usr_data; bnam->lname; bnam++) {
154 if (!strcmp(bnam->sname, val->name) ||
155 !strcmp(bnam->lname, val->name) ) {
156 if (!ASN1_BIT_STRING_set_bit(bs,
157 bnam->bitnum, 1)) {
158 X509V3err(X509V3_F_V2I_ASN1_BIT_STRING,
159 ERR_R_MALLOC_FAILURE);
160 ASN1_BIT_STRING_free(bs);
161 return NULL;
162 }
163 break;
164 }
165 }
166 if (!bnam->lname) {
167 X509V3err(X509V3_F_V2I_ASN1_BIT_STRING,
168 X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT);
169 X509V3_conf_err(val);
170 ASN1_BIT_STRING_free(bs);
171 return NULL;
172 }
173 }
174 return bs;
175}
diff --git a/src/lib/libcrypto/x509v3/v3_conf.c b/src/lib/libcrypto/x509v3/v3_conf.c
deleted file mode 100644
index 20e156ce87..0000000000
--- a/src/lib/libcrypto/x509v3/v3_conf.c
+++ /dev/null
@@ -1,576 +0,0 @@
1/* $OpenBSD: v3_conf.c,v 1.19 2015/12/14 03:39:14 beck Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999-2002 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58/* extension creation utilities */
59
60#include <ctype.h>
61#include <stdio.h>
62#include <string.h>
63
64#include <openssl/conf.h>
65#include <openssl/err.h>
66#include <openssl/x509.h>
67#include <openssl/x509v3.h>
68
69static int v3_check_critical(char **value);
70static int v3_check_generic(char **value);
71static X509_EXTENSION *do_ext_nconf(CONF *conf, X509V3_CTX *ctx, int ext_nid,
72 int crit, char *value);
73static X509_EXTENSION *v3_generic_extension(const char *ext, char *value,
74 int crit, int type, X509V3_CTX *ctx);
75static char *conf_lhash_get_string(void *db, char *section, char *value);
76static STACK_OF(CONF_VALUE) *conf_lhash_get_section(void *db, char *section);
77static X509_EXTENSION *do_ext_i2d(const X509V3_EXT_METHOD *method, int ext_nid,
78 int crit, void *ext_struc);
79static unsigned char *generic_asn1(char *value, X509V3_CTX *ctx, long *ext_len);
80
81/* CONF *conf: Config file */
82/* char *name: Name */
83/* char *value: Value */
84X509_EXTENSION *
85X509V3_EXT_nconf(CONF *conf, X509V3_CTX *ctx, char *name, char *value)
86{
87 int crit;
88 int ext_type;
89 X509_EXTENSION *ret;
90
91 crit = v3_check_critical(&value);
92 if ((ext_type = v3_check_generic(&value)))
93 return v3_generic_extension(name, value, crit, ext_type, ctx);
94 ret = do_ext_nconf(conf, ctx, OBJ_sn2nid(name), crit, value);
95 if (!ret) {
96 X509V3err(X509V3_F_X509V3_EXT_NCONF,
97 X509V3_R_ERROR_IN_EXTENSION);
98 ERR_asprintf_error_data("name=%s, value=%s", name, value);
99 }
100 return ret;
101}
102
103/* CONF *conf: Config file */
104/* char *value: Value */
105X509_EXTENSION *
106X509V3_EXT_nconf_nid(CONF *conf, X509V3_CTX *ctx, int ext_nid, char *value)
107{
108 int crit;
109 int ext_type;
110
111 crit = v3_check_critical(&value);
112 if ((ext_type = v3_check_generic(&value)))
113 return v3_generic_extension(OBJ_nid2sn(ext_nid),
114 value, crit, ext_type, ctx);
115 return do_ext_nconf(conf, ctx, ext_nid, crit, value);
116}
117
118/* CONF *conf: Config file */
119/* char *value: Value */
120static X509_EXTENSION *
121do_ext_nconf(CONF *conf, X509V3_CTX *ctx, int ext_nid, int crit, char *value)
122{
123 const X509V3_EXT_METHOD *method;
124 X509_EXTENSION *ext;
125 void *ext_struc;
126
127 if (ext_nid == NID_undef) {
128 X509V3err(X509V3_F_DO_EXT_NCONF,
129 X509V3_R_UNKNOWN_EXTENSION_NAME);
130 return NULL;
131 }
132 if (!(method = X509V3_EXT_get_nid(ext_nid))) {
133 X509V3err(X509V3_F_DO_EXT_NCONF, X509V3_R_UNKNOWN_EXTENSION);
134 return NULL;
135 }
136 /* Now get internal extension representation based on type */
137 if (method->v2i) {
138 STACK_OF(CONF_VALUE) *nval;
139
140 if (*value == '@')
141 nval = NCONF_get_section(conf, value + 1);
142 else
143 nval = X509V3_parse_list(value);
144 if (sk_CONF_VALUE_num(nval) <= 0) {
145 X509V3err(X509V3_F_DO_EXT_NCONF,
146 X509V3_R_INVALID_EXTENSION_STRING);
147 ERR_asprintf_error_data("name=%s,section=%s",
148 OBJ_nid2sn(ext_nid), value);
149 if (*value != '@')
150 sk_CONF_VALUE_pop_free(nval, X509V3_conf_free);
151 return NULL;
152 }
153 ext_struc = method->v2i(method, ctx, nval);
154 if (*value != '@')
155 sk_CONF_VALUE_pop_free(nval, X509V3_conf_free);
156 } else if (method->s2i) {
157 ext_struc = method->s2i(method, ctx, value);
158 } else if (method->r2i) {
159 if (!ctx->db || !ctx->db_meth) {
160 X509V3err(X509V3_F_DO_EXT_NCONF,
161 X509V3_R_NO_CONFIG_DATABASE);
162 return NULL;
163 }
164 ext_struc = method->r2i(method, ctx, value);
165 } else {
166 X509V3err(X509V3_F_DO_EXT_NCONF,
167 X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED);
168 ERR_asprintf_error_data("name=%s", OBJ_nid2sn(ext_nid));
169 return NULL;
170 }
171 if (ext_struc == NULL)
172 return NULL;
173
174 ext = do_ext_i2d(method, ext_nid, crit, ext_struc);
175 if (method->it)
176 ASN1_item_free(ext_struc, ASN1_ITEM_ptr(method->it));
177 else
178 method->ext_free(ext_struc);
179 return ext;
180}
181
182static X509_EXTENSION *
183do_ext_i2d(const X509V3_EXT_METHOD *method, int ext_nid, int crit,
184 void *ext_struc)
185{
186 unsigned char *ext_der;
187 int ext_len;
188 ASN1_OCTET_STRING *ext_oct = NULL;
189 X509_EXTENSION *ext;
190
191 /* Convert internal representation to DER */
192 if (method->it) {
193 ext_der = NULL;
194 ext_len = ASN1_item_i2d(ext_struc, &ext_der,
195 ASN1_ITEM_ptr(method->it));
196 if (ext_len < 0)
197 goto merr;
198 } else {
199 unsigned char *p;
200 ext_len = method->i2d(ext_struc, NULL);
201 if (!(ext_der = malloc(ext_len)))
202 goto merr;
203 p = ext_der;
204 method->i2d(ext_struc, &p);
205 }
206 if (!(ext_oct = ASN1_OCTET_STRING_new()))
207 goto merr;
208 ext_oct->data = ext_der;
209 ext_oct->length = ext_len;
210
211 ext = X509_EXTENSION_create_by_NID(NULL, ext_nid, crit, ext_oct);
212 if (!ext)
213 goto merr;
214 ASN1_OCTET_STRING_free(ext_oct);
215
216 return ext;
217
218merr:
219 ASN1_OCTET_STRING_free(ext_oct);
220 X509V3err(X509V3_F_DO_EXT_I2D, ERR_R_MALLOC_FAILURE);
221 return NULL;
222
223}
224
225/* Given an internal structure, nid and critical flag create an extension */
226
227X509_EXTENSION *
228X509V3_EXT_i2d(int ext_nid, int crit, void *ext_struc)
229{
230 const X509V3_EXT_METHOD *method;
231
232 if (!(method = X509V3_EXT_get_nid(ext_nid))) {
233 X509V3err(X509V3_F_X509V3_EXT_I2D, X509V3_R_UNKNOWN_EXTENSION);
234 return NULL;
235 }
236 return do_ext_i2d(method, ext_nid, crit, ext_struc);
237}
238
239/* Check the extension string for critical flag */
240static int
241v3_check_critical(char **value)
242{
243 char *p = *value;
244
245 if ((strlen(p) < 9) || strncmp(p, "critical,", 9))
246 return 0;
247 p += 9;
248 while (isspace((unsigned char)*p)) p++;
249 *value = p;
250 return 1;
251}
252
253/* Check extension string for generic extension and return the type */
254static int
255v3_check_generic(char **value)
256{
257 int gen_type = 0;
258 char *p = *value;
259
260 if ((strlen(p) >= 4) && !strncmp(p, "DER:", 4)) {
261 p += 4;
262 gen_type = 1;
263 } else if ((strlen(p) >= 5) && !strncmp(p, "ASN1:", 5)) {
264 p += 5;
265 gen_type = 2;
266 } else
267 return 0;
268
269 while (isspace((unsigned char)*p))
270 p++;
271 *value = p;
272 return gen_type;
273}
274
275/* Create a generic extension: for now just handle DER type */
276static X509_EXTENSION *
277v3_generic_extension(const char *ext, char *value, int crit, int gen_type,
278 X509V3_CTX *ctx)
279{
280 unsigned char *ext_der = NULL;
281 long ext_len = 0;
282 ASN1_OBJECT *obj = NULL;
283 ASN1_OCTET_STRING *oct = NULL;
284 X509_EXTENSION *extension = NULL;
285
286 if (!(obj = OBJ_txt2obj(ext, 0))) {
287 X509V3err(X509V3_F_V3_GENERIC_EXTENSION,
288 X509V3_R_EXTENSION_NAME_ERROR);
289 ERR_asprintf_error_data("name=%s", ext);
290 goto err;
291 }
292
293 if (gen_type == 1)
294 ext_der = string_to_hex(value, &ext_len);
295 else if (gen_type == 2)
296 ext_der = generic_asn1(value, ctx, &ext_len);
297 else {
298 ERR_asprintf_error_data("Unexpected generic extension type %d", gen_type);
299 goto err;
300 }
301
302 if (ext_der == NULL) {
303 X509V3err(X509V3_F_V3_GENERIC_EXTENSION,
304 X509V3_R_EXTENSION_VALUE_ERROR);
305 ERR_asprintf_error_data("value=%s", value);
306 goto err;
307 }
308
309 if (!(oct = ASN1_OCTET_STRING_new())) {
310 X509V3err(X509V3_F_V3_GENERIC_EXTENSION, ERR_R_MALLOC_FAILURE);
311 goto err;
312 }
313
314 oct->data = ext_der;
315 oct->length = ext_len;
316 ext_der = NULL;
317
318 extension = X509_EXTENSION_create_by_OBJ(NULL, obj, crit, oct);
319
320err:
321 ASN1_OBJECT_free(obj);
322 ASN1_OCTET_STRING_free(oct);
323 free(ext_der);
324 return extension;
325}
326
327static unsigned char *
328generic_asn1(char *value, X509V3_CTX *ctx, long *ext_len)
329{
330 ASN1_TYPE *typ;
331 unsigned char *ext_der = NULL;
332
333 typ = ASN1_generate_v3(value, ctx);
334 if (typ == NULL)
335 return NULL;
336 *ext_len = i2d_ASN1_TYPE(typ, &ext_der);
337 ASN1_TYPE_free(typ);
338 return ext_der;
339}
340
341/* This is the main function: add a bunch of extensions based on a config file
342 * section to an extension STACK.
343 */
344
345int
346X509V3_EXT_add_nconf_sk(CONF *conf, X509V3_CTX *ctx, char *section,
347 STACK_OF(X509_EXTENSION) **sk)
348{
349 X509_EXTENSION *ext;
350 STACK_OF(CONF_VALUE) *nval;
351 CONF_VALUE *val;
352 int i;
353
354 if (!(nval = NCONF_get_section(conf, section)))
355 return 0;
356 for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
357 val = sk_CONF_VALUE_value(nval, i);
358 if (!(ext = X509V3_EXT_nconf(conf, ctx, val->name, val->value)))
359 return 0;
360 if (sk)
361 X509v3_add_ext(sk, ext, -1);
362 X509_EXTENSION_free(ext);
363 }
364 return 1;
365}
366
367/* Convenience functions to add extensions to a certificate, CRL and request */
368
369int
370X509V3_EXT_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section, X509 *cert)
371{
372 STACK_OF(X509_EXTENSION) **sk = NULL;
373
374 if (cert)
375 sk = &cert->cert_info->extensions;
376 return X509V3_EXT_add_nconf_sk(conf, ctx, section, sk);
377}
378
379/* Same as above but for a CRL */
380
381int
382X509V3_EXT_CRL_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section,
383 X509_CRL *crl)
384{
385 STACK_OF(X509_EXTENSION) **sk = NULL;
386
387 if (crl)
388 sk = &crl->crl->extensions;
389 return X509V3_EXT_add_nconf_sk(conf, ctx, section, sk);
390}
391
392/* Add extensions to certificate request */
393
394int
395X509V3_EXT_REQ_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section,
396 X509_REQ *req)
397{
398 STACK_OF(X509_EXTENSION) *extlist = NULL, **sk = NULL;
399 int i;
400
401 if (req)
402 sk = &extlist;
403 i = X509V3_EXT_add_nconf_sk(conf, ctx, section, sk);
404 if (!i || !sk)
405 return i;
406 i = X509_REQ_add_extensions(req, extlist);
407 sk_X509_EXTENSION_pop_free(extlist, X509_EXTENSION_free);
408 return i;
409}
410
411/* Config database functions */
412
413char *
414X509V3_get_string(X509V3_CTX *ctx, char *name, char *section)
415{
416 if (!ctx->db || !ctx->db_meth || !ctx->db_meth->get_string) {
417 X509V3err(X509V3_F_X509V3_GET_STRING,
418 X509V3_R_OPERATION_NOT_DEFINED);
419 return NULL;
420 }
421 if (ctx->db_meth->get_string)
422 return ctx->db_meth->get_string(ctx->db, name, section);
423 return NULL;
424}
425
426STACK_OF(CONF_VALUE) *
427X509V3_get_section(X509V3_CTX *ctx, char *section)
428{
429 if (!ctx->db || !ctx->db_meth || !ctx->db_meth->get_section) {
430 X509V3err(X509V3_F_X509V3_GET_SECTION,
431 X509V3_R_OPERATION_NOT_DEFINED);
432 return NULL;
433 }
434 if (ctx->db_meth->get_section)
435 return ctx->db_meth->get_section(ctx->db, section);
436 return NULL;
437}
438
439void
440X509V3_string_free(X509V3_CTX *ctx, char *str)
441{
442 if (!str)
443 return;
444 if (ctx->db_meth->free_string)
445 ctx->db_meth->free_string(ctx->db, str);
446}
447
448void
449X509V3_section_free(X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *section)
450{
451 if (!section)
452 return;
453 if (ctx->db_meth->free_section)
454 ctx->db_meth->free_section(ctx->db, section);
455}
456
457static char *
458nconf_get_string(void *db, char *section, char *value)
459{
460 return NCONF_get_string(db, section, value);
461}
462
463static
464STACK_OF(CONF_VALUE) *nconf_get_section(void *db, char *section)
465{
466 return NCONF_get_section(db, section);
467}
468
469static X509V3_CONF_METHOD nconf_method = {
470 nconf_get_string,
471 nconf_get_section,
472 NULL,
473 NULL
474};
475
476void
477X509V3_set_nconf(X509V3_CTX *ctx, CONF *conf)
478{
479 ctx->db_meth = &nconf_method;
480 ctx->db = conf;
481}
482
483void
484X509V3_set_ctx(X509V3_CTX *ctx, X509 *issuer, X509 *subj, X509_REQ *req,
485 X509_CRL *crl, int flags)
486{
487 ctx->issuer_cert = issuer;
488 ctx->subject_cert = subj;
489 ctx->crl = crl;
490 ctx->subject_req = req;
491 ctx->flags = flags;
492}
493
494/* Old conf compatibility functions */
495
496X509_EXTENSION *
497X509V3_EXT_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx, char *name,
498 char *value)
499{
500 CONF ctmp;
501
502 CONF_set_nconf(&ctmp, conf);
503 return X509V3_EXT_nconf(&ctmp, ctx, name, value);
504}
505
506/* LHASH *conf: Config file */
507/* char *value: Value */
508X509_EXTENSION *
509X509V3_EXT_conf_nid(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx, int ext_nid,
510 char *value)
511{
512 CONF ctmp;
513
514 CONF_set_nconf(&ctmp, conf);
515 return X509V3_EXT_nconf_nid(&ctmp, ctx, ext_nid, value);
516}
517
518static char *
519conf_lhash_get_string(void *db, char *section, char *value)
520{
521 return CONF_get_string(db, section, value);
522}
523
524static STACK_OF(CONF_VALUE) *
525conf_lhash_get_section(void *db, char *section)
526{
527 return CONF_get_section(db, section);
528}
529
530static X509V3_CONF_METHOD conf_lhash_method = {
531 conf_lhash_get_string,
532 conf_lhash_get_section,
533 NULL,
534 NULL
535};
536
537void
538X509V3_set_conf_lhash(X509V3_CTX *ctx, LHASH_OF(CONF_VALUE) *lhash)
539{
540 ctx->db_meth = &conf_lhash_method;
541 ctx->db = lhash;
542}
543
544int
545X509V3_EXT_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx, char *section,
546 X509 *cert)
547{
548 CONF ctmp;
549
550 CONF_set_nconf(&ctmp, conf);
551 return X509V3_EXT_add_nconf(&ctmp, ctx, section, cert);
552}
553
554/* Same as above but for a CRL */
555
556int
557X509V3_EXT_CRL_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
558 char *section, X509_CRL *crl)
559{
560 CONF ctmp;
561
562 CONF_set_nconf(&ctmp, conf);
563 return X509V3_EXT_CRL_add_nconf(&ctmp, ctx, section, crl);
564}
565
566/* Add extensions to certificate request */
567
568int
569X509V3_EXT_REQ_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
570 char *section, X509_REQ *req)
571{
572 CONF ctmp;
573
574 CONF_set_nconf(&ctmp, conf);
575 return X509V3_EXT_REQ_add_nconf(&ctmp, ctx, section, req);
576}
diff --git a/src/lib/libcrypto/x509v3/v3_cpols.c b/src/lib/libcrypto/x509v3/v3_cpols.c
deleted file mode 100644
index 5ca001ad55..0000000000
--- a/src/lib/libcrypto/x509v3/v3_cpols.c
+++ /dev/null
@@ -1,775 +0,0 @@
1/* $OpenBSD: v3_cpols.c,v 1.23 2015/09/30 18:21:50 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include <string.h>
61
62#include <openssl/asn1.h>
63#include <openssl/asn1t.h>
64#include <openssl/conf.h>
65#include <openssl/err.h>
66#include <openssl/x509v3.h>
67
68#include "pcy_int.h"
69
70/* Certificate policies extension support: this one is a bit complex... */
71
72static int i2r_certpol(X509V3_EXT_METHOD *method, STACK_OF(POLICYINFO) *pol,
73 BIO *out, int indent);
74static STACK_OF(POLICYINFO) *r2i_certpol(X509V3_EXT_METHOD *method,
75 X509V3_CTX *ctx, char *value);
76static void print_qualifiers(BIO *out, STACK_OF(POLICYQUALINFO) *quals,
77 int indent);
78static void print_notice(BIO *out, USERNOTICE *notice, int indent);
79static POLICYINFO *policy_section(X509V3_CTX *ctx,
80 STACK_OF(CONF_VALUE) *polstrs, int ia5org);
81static POLICYQUALINFO *notice_section(X509V3_CTX *ctx,
82 STACK_OF(CONF_VALUE) *unot, int ia5org);
83static int nref_nos(STACK_OF(ASN1_INTEGER) *nnums, STACK_OF(CONF_VALUE) *nos);
84
85const X509V3_EXT_METHOD v3_cpols = {
86 .ext_nid = NID_certificate_policies,
87 .ext_flags = 0,
88 .it = ASN1_ITEM_ref(CERTIFICATEPOLICIES),
89 .ext_new = NULL,
90 .ext_free = NULL,
91 .d2i = NULL,
92 .i2d = NULL,
93 .i2s = NULL,
94 .s2i = NULL,
95 .i2v = NULL,
96 .v2i = NULL,
97 .i2r = (X509V3_EXT_I2R)i2r_certpol,
98 .r2i = (X509V3_EXT_R2I)r2i_certpol,
99 .usr_data = NULL,
100};
101
102static const ASN1_TEMPLATE CERTIFICATEPOLICIES_item_tt = {
103 .flags = ASN1_TFLG_SEQUENCE_OF,
104 .tag = 0,
105 .offset = 0,
106 .field_name = "CERTIFICATEPOLICIES",
107 .item = &POLICYINFO_it,
108};
109
110const ASN1_ITEM CERTIFICATEPOLICIES_it = {
111 .itype = ASN1_ITYPE_PRIMITIVE,
112 .utype = -1,
113 .templates = &CERTIFICATEPOLICIES_item_tt,
114 .tcount = 0,
115 .funcs = NULL,
116 .size = 0,
117 .sname = "CERTIFICATEPOLICIES",
118};
119
120
121CERTIFICATEPOLICIES *
122d2i_CERTIFICATEPOLICIES(CERTIFICATEPOLICIES **a, const unsigned char **in, long len)
123{
124 return (CERTIFICATEPOLICIES *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
125 &CERTIFICATEPOLICIES_it);
126}
127
128int
129i2d_CERTIFICATEPOLICIES(CERTIFICATEPOLICIES *a, unsigned char **out)
130{
131 return ASN1_item_i2d((ASN1_VALUE *)a, out, &CERTIFICATEPOLICIES_it);
132}
133
134CERTIFICATEPOLICIES *
135CERTIFICATEPOLICIES_new(void)
136{
137 return (CERTIFICATEPOLICIES *)ASN1_item_new(&CERTIFICATEPOLICIES_it);
138}
139
140void
141CERTIFICATEPOLICIES_free(CERTIFICATEPOLICIES *a)
142{
143 ASN1_item_free((ASN1_VALUE *)a, &CERTIFICATEPOLICIES_it);
144}
145
146static const ASN1_TEMPLATE POLICYINFO_seq_tt[] = {
147 {
148 .flags = 0,
149 .tag = 0,
150 .offset = offsetof(POLICYINFO, policyid),
151 .field_name = "policyid",
152 .item = &ASN1_OBJECT_it,
153 },
154 {
155 .flags = ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_OPTIONAL,
156 .tag = 0,
157 .offset = offsetof(POLICYINFO, qualifiers),
158 .field_name = "qualifiers",
159 .item = &POLICYQUALINFO_it,
160 },
161};
162
163const ASN1_ITEM POLICYINFO_it = {
164 .itype = ASN1_ITYPE_SEQUENCE,
165 .utype = V_ASN1_SEQUENCE,
166 .templates = POLICYINFO_seq_tt,
167 .tcount = sizeof(POLICYINFO_seq_tt) / sizeof(ASN1_TEMPLATE),
168 .funcs = NULL,
169 .size = sizeof(POLICYINFO),
170 .sname = "POLICYINFO",
171};
172
173
174POLICYINFO *
175d2i_POLICYINFO(POLICYINFO **a, const unsigned char **in, long len)
176{
177 return (POLICYINFO *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
178 &POLICYINFO_it);
179}
180
181int
182i2d_POLICYINFO(POLICYINFO *a, unsigned char **out)
183{
184 return ASN1_item_i2d((ASN1_VALUE *)a, out, &POLICYINFO_it);
185}
186
187POLICYINFO *
188POLICYINFO_new(void)
189{
190 return (POLICYINFO *)ASN1_item_new(&POLICYINFO_it);
191}
192
193void
194POLICYINFO_free(POLICYINFO *a)
195{
196 ASN1_item_free((ASN1_VALUE *)a, &POLICYINFO_it);
197}
198
199static const ASN1_TEMPLATE policydefault_tt = {
200 .flags = 0,
201 .tag = 0,
202 .offset = offsetof(POLICYQUALINFO, d.other),
203 .field_name = "d.other",
204 .item = &ASN1_ANY_it,
205};
206
207static const ASN1_ADB_TABLE POLICYQUALINFO_adbtbl[] = {
208 {
209 .value = NID_id_qt_cps,
210 .tt = {
211 .flags = 0,
212 .tag = 0,
213 .offset = offsetof(POLICYQUALINFO, d.cpsuri),
214 .field_name = "d.cpsuri",
215 .item = &ASN1_IA5STRING_it,
216 },
217
218 },
219 {
220 .value = NID_id_qt_unotice,
221 .tt = {
222 .flags = 0,
223 .tag = 0,
224 .offset = offsetof(POLICYQUALINFO, d.usernotice),
225 .field_name = "d.usernotice",
226 .item = &USERNOTICE_it,
227 },
228
229 },
230};
231
232static const ASN1_ADB POLICYQUALINFO_adb = {
233 .flags = 0,
234 .offset = offsetof(POLICYQUALINFO, pqualid),
235 .app_items = 0,
236 .tbl = POLICYQUALINFO_adbtbl,
237 .tblcount = sizeof(POLICYQUALINFO_adbtbl) / sizeof(ASN1_ADB_TABLE),
238 .default_tt = &policydefault_tt,
239 .null_tt = NULL,
240};
241
242static const ASN1_TEMPLATE POLICYQUALINFO_seq_tt[] = {
243 {
244 .flags = 0,
245 .tag = 0,
246 .offset = offsetof(POLICYQUALINFO, pqualid),
247 .field_name = "pqualid",
248 .item = &ASN1_OBJECT_it,
249 },
250 {
251 .flags = ASN1_TFLG_ADB_OID,
252 .tag = -1,
253 .offset = 0,
254 .field_name = "POLICYQUALINFO",
255 .item = (const ASN1_ITEM *)&POLICYQUALINFO_adb,
256 },
257};
258
259const ASN1_ITEM POLICYQUALINFO_it = {
260 .itype = ASN1_ITYPE_SEQUENCE,
261 .utype = V_ASN1_SEQUENCE,
262 .templates = POLICYQUALINFO_seq_tt,
263 .tcount = sizeof(POLICYQUALINFO_seq_tt) / sizeof(ASN1_TEMPLATE),
264 .funcs = NULL,
265 .size = sizeof(POLICYQUALINFO),
266 .sname = "POLICYQUALINFO",
267};
268
269
270POLICYQUALINFO *
271d2i_POLICYQUALINFO(POLICYQUALINFO **a, const unsigned char **in, long len)
272{
273 return (POLICYQUALINFO *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
274 &POLICYQUALINFO_it);
275}
276
277int
278i2d_POLICYQUALINFO(POLICYQUALINFO *a, unsigned char **out)
279{
280 return ASN1_item_i2d((ASN1_VALUE *)a, out, &POLICYQUALINFO_it);
281}
282
283POLICYQUALINFO *
284POLICYQUALINFO_new(void)
285{
286 return (POLICYQUALINFO *)ASN1_item_new(&POLICYQUALINFO_it);
287}
288
289void
290POLICYQUALINFO_free(POLICYQUALINFO *a)
291{
292 ASN1_item_free((ASN1_VALUE *)a, &POLICYQUALINFO_it);
293}
294
295static const ASN1_TEMPLATE USERNOTICE_seq_tt[] = {
296 {
297 .flags = ASN1_TFLG_OPTIONAL,
298 .tag = 0,
299 .offset = offsetof(USERNOTICE, noticeref),
300 .field_name = "noticeref",
301 .item = &NOTICEREF_it,
302 },
303 {
304 .flags = ASN1_TFLG_OPTIONAL,
305 .tag = 0,
306 .offset = offsetof(USERNOTICE, exptext),
307 .field_name = "exptext",
308 .item = &DISPLAYTEXT_it,
309 },
310};
311
312const ASN1_ITEM USERNOTICE_it = {
313 .itype = ASN1_ITYPE_SEQUENCE,
314 .utype = V_ASN1_SEQUENCE,
315 .templates = USERNOTICE_seq_tt,
316 .tcount = sizeof(USERNOTICE_seq_tt) / sizeof(ASN1_TEMPLATE),
317 .funcs = NULL,
318 .size = sizeof(USERNOTICE),
319 .sname = "USERNOTICE",
320};
321
322
323USERNOTICE *
324d2i_USERNOTICE(USERNOTICE **a, const unsigned char **in, long len)
325{
326 return (USERNOTICE *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
327 &USERNOTICE_it);
328}
329
330int
331i2d_USERNOTICE(USERNOTICE *a, unsigned char **out)
332{
333 return ASN1_item_i2d((ASN1_VALUE *)a, out, &USERNOTICE_it);
334}
335
336USERNOTICE *
337USERNOTICE_new(void)
338{
339 return (USERNOTICE *)ASN1_item_new(&USERNOTICE_it);
340}
341
342void
343USERNOTICE_free(USERNOTICE *a)
344{
345 ASN1_item_free((ASN1_VALUE *)a, &USERNOTICE_it);
346}
347
348static const ASN1_TEMPLATE NOTICEREF_seq_tt[] = {
349 {
350 .flags = 0,
351 .tag = 0,
352 .offset = offsetof(NOTICEREF, organization),
353 .field_name = "organization",
354 .item = &DISPLAYTEXT_it,
355 },
356 {
357 .flags = ASN1_TFLG_SEQUENCE_OF,
358 .tag = 0,
359 .offset = offsetof(NOTICEREF, noticenos),
360 .field_name = "noticenos",
361 .item = &ASN1_INTEGER_it,
362 },
363};
364
365const ASN1_ITEM NOTICEREF_it = {
366 .itype = ASN1_ITYPE_SEQUENCE,
367 .utype = V_ASN1_SEQUENCE,
368 .templates = NOTICEREF_seq_tt,
369 .tcount = sizeof(NOTICEREF_seq_tt) / sizeof(ASN1_TEMPLATE),
370 .funcs = NULL,
371 .size = sizeof(NOTICEREF),
372 .sname = "NOTICEREF",
373};
374
375
376NOTICEREF *
377d2i_NOTICEREF(NOTICEREF **a, const unsigned char **in, long len)
378{
379 return (NOTICEREF *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
380 &NOTICEREF_it);
381}
382
383int
384i2d_NOTICEREF(NOTICEREF *a, unsigned char **out)
385{
386 return ASN1_item_i2d((ASN1_VALUE *)a, out, &NOTICEREF_it);
387}
388
389NOTICEREF *
390NOTICEREF_new(void)
391{
392 return (NOTICEREF *)ASN1_item_new(&NOTICEREF_it);
393}
394
395void
396NOTICEREF_free(NOTICEREF *a)
397{
398 ASN1_item_free((ASN1_VALUE *)a, &NOTICEREF_it);
399}
400
401static
402STACK_OF(POLICYINFO) *r2i_certpol(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
403 char *value)
404{
405 STACK_OF(POLICYINFO) *pols = NULL;
406 char *pstr;
407 POLICYINFO *pol;
408 ASN1_OBJECT *pobj;
409 STACK_OF(CONF_VALUE) *vals;
410 CONF_VALUE *cnf;
411 int i, ia5org;
412
413 pols = sk_POLICYINFO_new_null();
414 if (pols == NULL) {
415 X509V3err(X509V3_F_R2I_CERTPOL, ERR_R_MALLOC_FAILURE);
416 return NULL;
417 }
418 vals = X509V3_parse_list(value);
419 if (vals == NULL) {
420 X509V3err(X509V3_F_R2I_CERTPOL, ERR_R_X509V3_LIB);
421 goto err;
422 }
423 ia5org = 0;
424 for (i = 0; i < sk_CONF_VALUE_num(vals); i++) {
425 cnf = sk_CONF_VALUE_value(vals, i);
426 if (cnf->value || !cnf->name) {
427 X509V3err(X509V3_F_R2I_CERTPOL,
428 X509V3_R_INVALID_POLICY_IDENTIFIER);
429 X509V3_conf_err(cnf);
430 goto err;
431 }
432 pstr = cnf->name;
433 if (!strcmp(pstr, "ia5org")) {
434 ia5org = 1;
435 continue;
436 } else if (*pstr == '@') {
437 STACK_OF(CONF_VALUE) *polsect;
438 polsect = X509V3_get_section(ctx, pstr + 1);
439 if (!polsect) {
440 X509V3err(X509V3_F_R2I_CERTPOL,
441 X509V3_R_INVALID_SECTION);
442 X509V3_conf_err(cnf);
443 goto err;
444 }
445 pol = policy_section(ctx, polsect, ia5org);
446 X509V3_section_free(ctx, polsect);
447 if (!pol)
448 goto err;
449 } else {
450 if (!(pobj = OBJ_txt2obj(cnf->name, 0))) {
451 X509V3err(X509V3_F_R2I_CERTPOL,
452 X509V3_R_INVALID_OBJECT_IDENTIFIER);
453 X509V3_conf_err(cnf);
454 goto err;
455 }
456 pol = POLICYINFO_new();
457 pol->policyid = pobj;
458 }
459 if (!sk_POLICYINFO_push(pols, pol)){
460 POLICYINFO_free(pol);
461 X509V3err(X509V3_F_R2I_CERTPOL, ERR_R_MALLOC_FAILURE);
462 goto err;
463 }
464 }
465 sk_CONF_VALUE_pop_free(vals, X509V3_conf_free);
466 return pols;
467
468err:
469 sk_CONF_VALUE_pop_free(vals, X509V3_conf_free);
470 sk_POLICYINFO_pop_free(pols, POLICYINFO_free);
471 return NULL;
472}
473
474static POLICYINFO *
475policy_section(X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *polstrs, int ia5org)
476{
477 int i;
478 CONF_VALUE *cnf;
479 POLICYINFO *pol;
480 POLICYQUALINFO *nqual = NULL;
481
482 if ((pol = POLICYINFO_new()) == NULL)
483 goto merr;
484 for (i = 0; i < sk_CONF_VALUE_num(polstrs); i++) {
485 cnf = sk_CONF_VALUE_value(polstrs, i);
486 if (strcmp(cnf->name, "policyIdentifier") == 0) {
487 ASN1_OBJECT *pobj;
488
489 if ((pobj = OBJ_txt2obj(cnf->value, 0)) == NULL) {
490 X509V3err(X509V3_F_POLICY_SECTION,
491 X509V3_R_INVALID_OBJECT_IDENTIFIER);
492 X509V3_conf_err(cnf);
493 goto err;
494 }
495 pol->policyid = pobj;
496 } else if (name_cmp(cnf->name, "CPS") == 0) {
497 if ((nqual = POLICYQUALINFO_new()) == NULL)
498 goto merr;
499 nqual->pqualid = OBJ_nid2obj(NID_id_qt_cps);
500 nqual->d.cpsuri = ASN1_IA5STRING_new();
501 if (nqual->d.cpsuri == NULL)
502 goto merr;
503 if (ASN1_STRING_set(nqual->d.cpsuri, cnf->value,
504 strlen(cnf->value)) == 0)
505 goto merr;
506
507 if (pol->qualifiers == NULL) {
508 pol->qualifiers = sk_POLICYQUALINFO_new_null();
509 if (pol->qualifiers == NULL)
510 goto merr;
511 }
512 if (sk_POLICYQUALINFO_push(pol->qualifiers, nqual) == 0)
513 goto merr;
514 nqual = NULL;
515 } else if (name_cmp(cnf->name, "userNotice") == 0) {
516 STACK_OF(CONF_VALUE) *unot;
517 POLICYQUALINFO *qual;
518
519 if (*cnf->value != '@') {
520 X509V3err(X509V3_F_POLICY_SECTION,
521 X509V3_R_EXPECTED_A_SECTION_NAME);
522 X509V3_conf_err(cnf);
523 goto err;
524 }
525 unot = X509V3_get_section(ctx, cnf->value + 1);
526 if (unot == NULL) {
527 X509V3err(X509V3_F_POLICY_SECTION,
528 X509V3_R_INVALID_SECTION);
529 X509V3_conf_err(cnf);
530 goto err;
531 }
532 qual = notice_section(ctx, unot, ia5org);
533 X509V3_section_free(ctx, unot);
534 if (qual == NULL)
535 goto err;
536
537 if (pol->qualifiers == NULL) {
538 pol->qualifiers = sk_POLICYQUALINFO_new_null();
539 if (pol->qualifiers == NULL)
540 goto merr;
541 }
542 if (sk_POLICYQUALINFO_push(pol->qualifiers, qual) == 0)
543 goto merr;
544 } else {
545 X509V3err(X509V3_F_POLICY_SECTION,
546 X509V3_R_INVALID_OPTION);
547 X509V3_conf_err(cnf);
548 goto err;
549 }
550 }
551 if (pol->policyid == NULL) {
552 X509V3err(X509V3_F_POLICY_SECTION,
553 X509V3_R_NO_POLICY_IDENTIFIER);
554 goto err;
555 }
556
557 return pol;
558
559merr:
560 X509V3err(X509V3_F_POLICY_SECTION, ERR_R_MALLOC_FAILURE);
561
562err:
563 POLICYQUALINFO_free(nqual);
564 POLICYINFO_free(pol);
565 return NULL;
566}
567
568static POLICYQUALINFO *
569notice_section(X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *unot, int ia5org)
570{
571 int i, ret;
572 CONF_VALUE *cnf;
573 USERNOTICE *not;
574 POLICYQUALINFO *qual;
575
576 if (!(qual = POLICYQUALINFO_new()))
577 goto merr;
578 qual->pqualid = OBJ_nid2obj(NID_id_qt_unotice);
579 if (!(not = USERNOTICE_new()))
580 goto merr;
581 qual->d.usernotice = not;
582 for (i = 0; i < sk_CONF_VALUE_num(unot); i++) {
583 cnf = sk_CONF_VALUE_value(unot, i);
584 if (!strcmp(cnf->name, "explicitText")) {
585 if (not->exptext == NULL) {
586 not->exptext = ASN1_VISIBLESTRING_new();
587 if (not->exptext == NULL)
588 goto merr;
589 }
590 if (!ASN1_STRING_set(not->exptext, cnf->value,
591 strlen(cnf->value)))
592 goto merr;
593 } else if (!strcmp(cnf->name, "organization")) {
594 NOTICEREF *nref;
595 if (!not->noticeref) {
596 if (!(nref = NOTICEREF_new()))
597 goto merr;
598 not->noticeref = nref;
599 } else
600 nref = not->noticeref;
601 if (ia5org)
602 nref->organization->type = V_ASN1_IA5STRING;
603 else
604 nref->organization->type = V_ASN1_VISIBLESTRING;
605 if (!ASN1_STRING_set(nref->organization, cnf->value,
606 strlen(cnf->value)))
607 goto merr;
608 } else if (!strcmp(cnf->name, "noticeNumbers")) {
609 NOTICEREF *nref;
610 STACK_OF(CONF_VALUE) *nos;
611 if (!not->noticeref) {
612 if (!(nref = NOTICEREF_new()))
613 goto merr;
614 not->noticeref = nref;
615 } else
616 nref = not->noticeref;
617 nos = X509V3_parse_list(cnf->value);
618 if (!nos || !sk_CONF_VALUE_num(nos)) {
619 X509V3err(X509V3_F_NOTICE_SECTION,
620 X509V3_R_INVALID_NUMBERS);
621 X509V3_conf_err(cnf);
622 if (nos != NULL)
623 sk_CONF_VALUE_pop_free(nos,
624 X509V3_conf_free);
625 goto err;
626 }
627 ret = nref_nos(nref->noticenos, nos);
628 sk_CONF_VALUE_pop_free(nos, X509V3_conf_free);
629 if (!ret)
630 goto err;
631 } else {
632 X509V3err(X509V3_F_NOTICE_SECTION,
633 X509V3_R_INVALID_OPTION);
634 X509V3_conf_err(cnf);
635 goto err;
636 }
637 }
638
639 if (not->noticeref &&
640 (!not->noticeref->noticenos || !not->noticeref->organization)) {
641 X509V3err(X509V3_F_NOTICE_SECTION,
642 X509V3_R_NEED_ORGANIZATION_AND_NUMBERS);
643 goto err;
644 }
645
646 return qual;
647
648merr:
649 X509V3err(X509V3_F_NOTICE_SECTION, ERR_R_MALLOC_FAILURE);
650
651err:
652 POLICYQUALINFO_free(qual);
653 return NULL;
654}
655
656static int
657nref_nos(STACK_OF(ASN1_INTEGER) *nnums, STACK_OF(CONF_VALUE) *nos)
658{
659 CONF_VALUE *cnf;
660 ASN1_INTEGER *aint;
661 int i;
662
663 for (i = 0; i < sk_CONF_VALUE_num(nos); i++) {
664 cnf = sk_CONF_VALUE_value(nos, i);
665 if (!(aint = s2i_ASN1_INTEGER(NULL, cnf->name))) {
666 X509V3err(X509V3_F_NREF_NOS, X509V3_R_INVALID_NUMBER);
667 goto err;
668 }
669 if (!sk_ASN1_INTEGER_push(nnums, aint))
670 goto merr;
671 }
672 return 1;
673
674merr:
675 X509V3err(X509V3_F_NREF_NOS, ERR_R_MALLOC_FAILURE);
676
677err:
678 sk_ASN1_INTEGER_pop_free(nnums, ASN1_STRING_free);
679 return 0;
680}
681
682static int
683i2r_certpol(X509V3_EXT_METHOD *method, STACK_OF(POLICYINFO) *pol, BIO *out,
684 int indent)
685{
686 int i;
687 POLICYINFO *pinfo;
688
689 /* First print out the policy OIDs */
690 for (i = 0; i < sk_POLICYINFO_num(pol); i++) {
691 pinfo = sk_POLICYINFO_value(pol, i);
692 BIO_printf(out, "%*sPolicy: ", indent, "");
693 i2a_ASN1_OBJECT(out, pinfo->policyid);
694 BIO_puts(out, "\n");
695 if (pinfo->qualifiers)
696 print_qualifiers(out, pinfo->qualifiers, indent + 2);
697 }
698 return 1;
699}
700
701static void
702print_qualifiers(BIO *out, STACK_OF(POLICYQUALINFO) *quals, int indent)
703{
704 POLICYQUALINFO *qualinfo;
705 int i;
706
707 for (i = 0; i < sk_POLICYQUALINFO_num(quals); i++) {
708 qualinfo = sk_POLICYQUALINFO_value(quals, i);
709 switch (OBJ_obj2nid(qualinfo->pqualid)) {
710 case NID_id_qt_cps:
711 BIO_printf(out, "%*sCPS: %s\n", indent, "",
712 qualinfo->d.cpsuri->data);
713 break;
714
715 case NID_id_qt_unotice:
716 BIO_printf(out, "%*sUser Notice:\n", indent, "");
717 print_notice(out, qualinfo->d.usernotice, indent + 2);
718 break;
719
720 default:
721 BIO_printf(out, "%*sUnknown Qualifier: ",
722 indent + 2, "");
723
724 i2a_ASN1_OBJECT(out, qualinfo->pqualid);
725 BIO_puts(out, "\n");
726 break;
727 }
728 }
729}
730
731static void
732print_notice(BIO *out, USERNOTICE *notice, int indent)
733{
734 int i;
735
736 if (notice->noticeref) {
737 NOTICEREF *ref;
738 ref = notice->noticeref;
739 BIO_printf(out, "%*sOrganization: %s\n", indent, "",
740 ref->organization->data);
741 BIO_printf(out, "%*sNumber%s: ", indent, "",
742 sk_ASN1_INTEGER_num(ref->noticenos) > 1 ? "s" : "");
743 for (i = 0; i < sk_ASN1_INTEGER_num(ref->noticenos); i++) {
744 ASN1_INTEGER *num;
745 char *tmp;
746 num = sk_ASN1_INTEGER_value(ref->noticenos, i);
747 if (i)
748 BIO_puts(out, ", ");
749 tmp = i2s_ASN1_INTEGER(NULL, num);
750 BIO_puts(out, tmp);
751 free(tmp);
752 }
753 BIO_puts(out, "\n");
754 }
755 if (notice->exptext)
756 BIO_printf(out, "%*sExplicit Text: %s\n", indent, "",
757 notice->exptext->data);
758}
759
760void
761X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent)
762{
763 const X509_POLICY_DATA *dat = node->data;
764
765 BIO_printf(out, "%*sPolicy: ", indent, "");
766
767 i2a_ASN1_OBJECT(out, dat->valid_policy);
768 BIO_puts(out, "\n");
769 BIO_printf(out, "%*s%s\n", indent + 2, "",
770 node_data_critical(dat) ? "Critical" : "Non Critical");
771 if (dat->qualifier_set)
772 print_qualifiers(out, dat->qualifier_set, indent + 2);
773 else
774 BIO_printf(out, "%*sNo Qualifiers\n", indent + 2, "");
775}
diff --git a/src/lib/libcrypto/x509v3/v3_crld.c b/src/lib/libcrypto/x509v3/v3_crld.c
deleted file mode 100644
index a72d0ab500..0000000000
--- a/src/lib/libcrypto/x509v3/v3_crld.c
+++ /dev/null
@@ -1,816 +0,0 @@
1/* $OpenBSD: v3_crld.c,v 1.19 2015/07/29 16:13:48 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999-2008 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include <string.h>
61
62#include <openssl/asn1.h>
63#include <openssl/asn1t.h>
64#include <openssl/conf.h>
65#include <openssl/err.h>
66#include <openssl/x509v3.h>
67
68static void *v2i_crld(const X509V3_EXT_METHOD *method,
69 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
70static int i2r_crldp(const X509V3_EXT_METHOD *method, void *pcrldp, BIO *out,
71 int indent);
72
73const X509V3_EXT_METHOD v3_crld = {
74 .ext_nid = NID_crl_distribution_points,
75 .ext_flags = 0,
76 .it = ASN1_ITEM_ref(CRL_DIST_POINTS),
77 .ext_new = NULL,
78 .ext_free = NULL,
79 .d2i = NULL,
80 .i2d = NULL,
81 .i2s = NULL,
82 .s2i = NULL,
83 .i2v = NULL,
84 .v2i = v2i_crld,
85 .i2r = i2r_crldp,
86 .r2i = NULL,
87 .usr_data = NULL,
88};
89
90const X509V3_EXT_METHOD v3_freshest_crl = {
91 .ext_nid = NID_freshest_crl,
92 .ext_flags = 0,
93 .it = ASN1_ITEM_ref(CRL_DIST_POINTS),
94 .ext_new = NULL,
95 .ext_free = NULL,
96 .d2i = NULL,
97 .i2d = NULL,
98 .i2s = NULL,
99 .s2i = NULL,
100 .i2v = NULL,
101 .v2i = v2i_crld,
102 .i2r = i2r_crldp,
103 .r2i = NULL,
104 .usr_data = NULL,
105};
106
107static
108STACK_OF(GENERAL_NAME) *gnames_from_sectname(X509V3_CTX *ctx, char *sect)
109{
110 STACK_OF(CONF_VALUE) *gnsect;
111 STACK_OF(GENERAL_NAME) *gens;
112
113 if (*sect == '@')
114 gnsect = X509V3_get_section(ctx, sect + 1);
115 else
116 gnsect = X509V3_parse_list(sect);
117 if (!gnsect) {
118 X509V3err(X509V3_F_GNAMES_FROM_SECTNAME,
119 X509V3_R_SECTION_NOT_FOUND);
120 return NULL;
121 }
122 gens = v2i_GENERAL_NAMES(NULL, ctx, gnsect);
123 if (*sect == '@')
124 X509V3_section_free(ctx, gnsect);
125 else
126 sk_CONF_VALUE_pop_free(gnsect, X509V3_conf_free);
127 return gens;
128}
129
130static int
131set_dist_point_name(DIST_POINT_NAME **pdp, X509V3_CTX *ctx, CONF_VALUE *cnf)
132{
133 STACK_OF(GENERAL_NAME) *fnm = NULL;
134 STACK_OF(X509_NAME_ENTRY) *rnm = NULL;
135
136 if (!strncmp(cnf->name, "fullname", 9)) {
137 fnm = gnames_from_sectname(ctx, cnf->value);
138 if (!fnm)
139 goto err;
140 } else if (!strcmp(cnf->name, "relativename")) {
141 int ret;
142 STACK_OF(CONF_VALUE) *dnsect;
143 X509_NAME *nm;
144 nm = X509_NAME_new();
145 if (!nm)
146 return -1;
147 dnsect = X509V3_get_section(ctx, cnf->value);
148 if (!dnsect) {
149 X509V3err(X509V3_F_SET_DIST_POINT_NAME,
150 X509V3_R_SECTION_NOT_FOUND);
151 X509_NAME_free(nm);
152 return -1;
153 }
154 ret = X509V3_NAME_from_section(nm, dnsect, MBSTRING_ASC);
155 X509V3_section_free(ctx, dnsect);
156 rnm = nm->entries;
157 nm->entries = NULL;
158 X509_NAME_free(nm);
159 if (!ret || sk_X509_NAME_ENTRY_num(rnm) <= 0)
160 goto err;
161 /* Since its a name fragment can't have more than one
162 * RDNSequence
163 */
164 if (sk_X509_NAME_ENTRY_value(rnm,
165 sk_X509_NAME_ENTRY_num(rnm) - 1)->set) {
166 X509V3err(X509V3_F_SET_DIST_POINT_NAME,
167 X509V3_R_INVALID_MULTIPLE_RDNS);
168 goto err;
169 }
170 } else
171 return 0;
172
173 if (*pdp) {
174 X509V3err(X509V3_F_SET_DIST_POINT_NAME,
175 X509V3_R_DISTPOINT_ALREADY_SET);
176 goto err;
177 }
178
179 *pdp = DIST_POINT_NAME_new();
180 if (!*pdp)
181 goto err;
182 if (fnm) {
183 (*pdp)->type = 0;
184 (*pdp)->name.fullname = fnm;
185 } else {
186 (*pdp)->type = 1;
187 (*pdp)->name.relativename = rnm;
188 }
189
190 return 1;
191
192err:
193 if (fnm)
194 sk_GENERAL_NAME_pop_free(fnm, GENERAL_NAME_free);
195 if (rnm)
196 sk_X509_NAME_ENTRY_pop_free(rnm, X509_NAME_ENTRY_free);
197 return -1;
198}
199
200static const BIT_STRING_BITNAME reason_flags[] = {
201 {0, "Unused", "unused"},
202 {1, "Key Compromise", "keyCompromise"},
203 {2, "CA Compromise", "CACompromise"},
204 {3, "Affiliation Changed", "affiliationChanged"},
205 {4, "Superseded", "superseded"},
206 {5, "Cessation Of Operation", "cessationOfOperation"},
207 {6, "Certificate Hold", "certificateHold"},
208 {7, "Privilege Withdrawn", "privilegeWithdrawn"},
209 {8, "AA Compromise", "AACompromise"},
210 {-1, NULL, NULL}
211};
212
213static int
214set_reasons(ASN1_BIT_STRING **preas, char *value)
215{
216 STACK_OF(CONF_VALUE) *rsk = NULL;
217 const BIT_STRING_BITNAME *pbn;
218 const char *bnam;
219 int i, ret = 0;
220
221 if (*preas != NULL)
222 return 0;
223 rsk = X509V3_parse_list(value);
224 if (rsk == NULL)
225 return 0;
226 for (i = 0; i < sk_CONF_VALUE_num(rsk); i++) {
227 bnam = sk_CONF_VALUE_value(rsk, i)->name;
228 if (!*preas) {
229 *preas = ASN1_BIT_STRING_new();
230 if (!*preas)
231 goto err;
232 }
233 for (pbn = reason_flags; pbn->lname; pbn++) {
234 if (!strcmp(pbn->sname, bnam)) {
235 if (!ASN1_BIT_STRING_set_bit(*preas,
236 pbn->bitnum, 1))
237 goto err;
238 break;
239 }
240 }
241 if (!pbn->lname)
242 goto err;
243 }
244 ret = 1;
245
246err:
247 sk_CONF_VALUE_pop_free(rsk, X509V3_conf_free);
248 return ret;
249}
250
251static int
252print_reasons(BIO *out, const char *rname, ASN1_BIT_STRING *rflags, int indent)
253{
254 int first = 1;
255 const BIT_STRING_BITNAME *pbn;
256
257 BIO_printf(out, "%*s%s:\n%*s", indent, "", rname, indent + 2, "");
258 for (pbn = reason_flags; pbn->lname; pbn++) {
259 if (ASN1_BIT_STRING_get_bit(rflags, pbn->bitnum)) {
260 if (first)
261 first = 0;
262 else
263 BIO_puts(out, ", ");
264 BIO_puts(out, pbn->lname);
265 }
266 }
267 if (first)
268 BIO_puts(out, "<EMPTY>\n");
269 else
270 BIO_puts(out, "\n");
271 return 1;
272}
273
274static DIST_POINT *
275crldp_from_section(X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
276{
277 int i;
278 CONF_VALUE *cnf;
279 DIST_POINT *point = NULL;
280
281 point = DIST_POINT_new();
282 if (!point)
283 goto err;
284 for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
285 int ret;
286 cnf = sk_CONF_VALUE_value(nval, i);
287 ret = set_dist_point_name(&point->distpoint, ctx, cnf);
288 if (ret > 0)
289 continue;
290 if (ret < 0)
291 goto err;
292 if (!strcmp(cnf->name, "reasons")) {
293 if (!set_reasons(&point->reasons, cnf->value))
294 goto err;
295 }
296 else if (!strcmp(cnf->name, "CRLissuer")) {
297 point->CRLissuer =
298 gnames_from_sectname(ctx, cnf->value);
299 if (!point->CRLissuer)
300 goto err;
301 }
302 }
303
304 return point;
305
306err:
307 if (point)
308 DIST_POINT_free(point);
309 return NULL;
310}
311
312static void *
313v2i_crld(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
314 STACK_OF(CONF_VALUE) *nval)
315{
316 STACK_OF(DIST_POINT) *crld = NULL;
317 GENERAL_NAMES *gens = NULL;
318 GENERAL_NAME *gen = NULL;
319 CONF_VALUE *cnf;
320 int i;
321
322 if (!(crld = sk_DIST_POINT_new_null()))
323 goto merr;
324 for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
325 DIST_POINT *point;
326 cnf = sk_CONF_VALUE_value(nval, i);
327 if (!cnf->value) {
328 STACK_OF(CONF_VALUE) *dpsect;
329 dpsect = X509V3_get_section(ctx, cnf->name);
330 if (!dpsect)
331 goto err;
332 point = crldp_from_section(ctx, dpsect);
333 X509V3_section_free(ctx, dpsect);
334 if (!point)
335 goto err;
336 if (!sk_DIST_POINT_push(crld, point)) {
337 DIST_POINT_free(point);
338 goto merr;
339 }
340 } else {
341 if (!(gen = v2i_GENERAL_NAME(method, ctx, cnf)))
342 goto err;
343 if (!(gens = GENERAL_NAMES_new()))
344 goto merr;
345 if (!sk_GENERAL_NAME_push(gens, gen))
346 goto merr;
347 gen = NULL;
348 if (!(point = DIST_POINT_new()))
349 goto merr;
350 if (!sk_DIST_POINT_push(crld, point)) {
351 DIST_POINT_free(point);
352 goto merr;
353 }
354 if (!(point->distpoint = DIST_POINT_NAME_new()))
355 goto merr;
356 point->distpoint->name.fullname = gens;
357 point->distpoint->type = 0;
358 gens = NULL;
359 }
360 }
361 return crld;
362
363merr:
364 X509V3err(X509V3_F_V2I_CRLD, ERR_R_MALLOC_FAILURE);
365err:
366 GENERAL_NAME_free(gen);
367 GENERAL_NAMES_free(gens);
368 sk_DIST_POINT_pop_free(crld, DIST_POINT_free);
369 return NULL;
370}
371
372static int
373dpn_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg)
374{
375 DIST_POINT_NAME *dpn = (DIST_POINT_NAME *)*pval;
376
377 switch (operation) {
378 case ASN1_OP_NEW_POST:
379 dpn->dpname = NULL;
380 break;
381
382 case ASN1_OP_FREE_POST:
383 if (dpn->dpname)
384 X509_NAME_free(dpn->dpname);
385 break;
386 }
387 return 1;
388}
389
390
391static const ASN1_AUX DIST_POINT_NAME_aux = {
392 .app_data = NULL,
393 .flags = 0,
394 .ref_offset = 0,
395 .ref_lock = 0,
396 .asn1_cb = dpn_cb,
397 .enc_offset = 0,
398};
399static const ASN1_TEMPLATE DIST_POINT_NAME_ch_tt[] = {
400 {
401 .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_SEQUENCE_OF,
402 .tag = 0,
403 .offset = offsetof(DIST_POINT_NAME, name.fullname),
404 .field_name = "name.fullname",
405 .item = &GENERAL_NAME_it,
406 },
407 {
408 .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_SET_OF,
409 .tag = 1,
410 .offset = offsetof(DIST_POINT_NAME, name.relativename),
411 .field_name = "name.relativename",
412 .item = &X509_NAME_ENTRY_it,
413 },
414};
415
416const ASN1_ITEM DIST_POINT_NAME_it = {
417 .itype = ASN1_ITYPE_CHOICE,
418 .utype = offsetof(DIST_POINT_NAME, type),
419 .templates = DIST_POINT_NAME_ch_tt,
420 .tcount = sizeof(DIST_POINT_NAME_ch_tt) / sizeof(ASN1_TEMPLATE),
421 .funcs = &DIST_POINT_NAME_aux,
422 .size = sizeof(DIST_POINT_NAME),
423 .sname = "DIST_POINT_NAME",
424};
425
426
427
428DIST_POINT_NAME *
429d2i_DIST_POINT_NAME(DIST_POINT_NAME **a, const unsigned char **in, long len)
430{
431 return (DIST_POINT_NAME *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
432 &DIST_POINT_NAME_it);
433}
434
435int
436i2d_DIST_POINT_NAME(DIST_POINT_NAME *a, unsigned char **out)
437{
438 return ASN1_item_i2d((ASN1_VALUE *)a, out, &DIST_POINT_NAME_it);
439}
440
441DIST_POINT_NAME *
442DIST_POINT_NAME_new(void)
443{
444 return (DIST_POINT_NAME *)ASN1_item_new(&DIST_POINT_NAME_it);
445}
446
447void
448DIST_POINT_NAME_free(DIST_POINT_NAME *a)
449{
450 ASN1_item_free((ASN1_VALUE *)a, &DIST_POINT_NAME_it);
451}
452
453static const ASN1_TEMPLATE DIST_POINT_seq_tt[] = {
454 {
455 .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL,
456 .tag = 0,
457 .offset = offsetof(DIST_POINT, distpoint),
458 .field_name = "distpoint",
459 .item = &DIST_POINT_NAME_it,
460 },
461 {
462 .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL,
463 .tag = 1,
464 .offset = offsetof(DIST_POINT, reasons),
465 .field_name = "reasons",
466 .item = &ASN1_BIT_STRING_it,
467 },
468 {
469 .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_OPTIONAL,
470 .tag = 2,
471 .offset = offsetof(DIST_POINT, CRLissuer),
472 .field_name = "CRLissuer",
473 .item = &GENERAL_NAME_it,
474 },
475};
476
477const ASN1_ITEM DIST_POINT_it = {
478 .itype = ASN1_ITYPE_SEQUENCE,
479 .utype = V_ASN1_SEQUENCE,
480 .templates = DIST_POINT_seq_tt,
481 .tcount = sizeof(DIST_POINT_seq_tt) / sizeof(ASN1_TEMPLATE),
482 .funcs = NULL,
483 .size = sizeof(DIST_POINT),
484 .sname = "DIST_POINT",
485};
486
487
488DIST_POINT *
489d2i_DIST_POINT(DIST_POINT **a, const unsigned char **in, long len)
490{
491 return (DIST_POINT *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
492 &DIST_POINT_it);
493}
494
495int
496i2d_DIST_POINT(DIST_POINT *a, unsigned char **out)
497{
498 return ASN1_item_i2d((ASN1_VALUE *)a, out, &DIST_POINT_it);
499}
500
501DIST_POINT *
502DIST_POINT_new(void)
503{
504 return (DIST_POINT *)ASN1_item_new(&DIST_POINT_it);
505}
506
507void
508DIST_POINT_free(DIST_POINT *a)
509{
510 ASN1_item_free((ASN1_VALUE *)a, &DIST_POINT_it);
511}
512
513static const ASN1_TEMPLATE CRL_DIST_POINTS_item_tt = {
514 .flags = ASN1_TFLG_SEQUENCE_OF,
515 .tag = 0,
516 .offset = 0,
517 .field_name = "CRLDistributionPoints",
518 .item = &DIST_POINT_it,
519};
520
521const ASN1_ITEM CRL_DIST_POINTS_it = {
522 .itype = ASN1_ITYPE_PRIMITIVE,
523 .utype = -1,
524 .templates = &CRL_DIST_POINTS_item_tt,
525 .tcount = 0,
526 .funcs = NULL,
527 .size = 0,
528 .sname = "CRL_DIST_POINTS",
529};
530
531
532CRL_DIST_POINTS *
533d2i_CRL_DIST_POINTS(CRL_DIST_POINTS **a, const unsigned char **in, long len)
534{
535 return (CRL_DIST_POINTS *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
536 &CRL_DIST_POINTS_it);
537}
538
539int
540i2d_CRL_DIST_POINTS(CRL_DIST_POINTS *a, unsigned char **out)
541{
542 return ASN1_item_i2d((ASN1_VALUE *)a, out, &CRL_DIST_POINTS_it);
543}
544
545CRL_DIST_POINTS *
546CRL_DIST_POINTS_new(void)
547{
548 return (CRL_DIST_POINTS *)ASN1_item_new(&CRL_DIST_POINTS_it);
549}
550
551void
552CRL_DIST_POINTS_free(CRL_DIST_POINTS *a)
553{
554 ASN1_item_free((ASN1_VALUE *)a, &CRL_DIST_POINTS_it);
555}
556
557static const ASN1_TEMPLATE ISSUING_DIST_POINT_seq_tt[] = {
558 {
559 .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL,
560 .tag = 0,
561 .offset = offsetof(ISSUING_DIST_POINT, distpoint),
562 .field_name = "distpoint",
563 .item = &DIST_POINT_NAME_it,
564 },
565 {
566 .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL,
567 .tag = 1,
568 .offset = offsetof(ISSUING_DIST_POINT, onlyuser),
569 .field_name = "onlyuser",
570 .item = &ASN1_FBOOLEAN_it,
571 },
572 {
573 .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL,
574 .tag = 2,
575 .offset = offsetof(ISSUING_DIST_POINT, onlyCA),
576 .field_name = "onlyCA",
577 .item = &ASN1_FBOOLEAN_it,
578 },
579 {
580 .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL,
581 .tag = 3,
582 .offset = offsetof(ISSUING_DIST_POINT, onlysomereasons),
583 .field_name = "onlysomereasons",
584 .item = &ASN1_BIT_STRING_it,
585 },
586 {
587 .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL,
588 .tag = 4,
589 .offset = offsetof(ISSUING_DIST_POINT, indirectCRL),
590 .field_name = "indirectCRL",
591 .item = &ASN1_FBOOLEAN_it,
592 },
593 {
594 .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL,
595 .tag = 5,
596 .offset = offsetof(ISSUING_DIST_POINT, onlyattr),
597 .field_name = "onlyattr",
598 .item = &ASN1_FBOOLEAN_it,
599 },
600};
601
602const ASN1_ITEM ISSUING_DIST_POINT_it = {
603 .itype = ASN1_ITYPE_SEQUENCE,
604 .utype = V_ASN1_SEQUENCE,
605 .templates = ISSUING_DIST_POINT_seq_tt,
606 .tcount = sizeof(ISSUING_DIST_POINT_seq_tt) / sizeof(ASN1_TEMPLATE),
607 .funcs = NULL,
608 .size = sizeof(ISSUING_DIST_POINT),
609 .sname = "ISSUING_DIST_POINT",
610};
611
612
613ISSUING_DIST_POINT *
614d2i_ISSUING_DIST_POINT(ISSUING_DIST_POINT **a, const unsigned char **in, long len)
615{
616 return (ISSUING_DIST_POINT *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
617 &ISSUING_DIST_POINT_it);
618}
619
620int
621i2d_ISSUING_DIST_POINT(ISSUING_DIST_POINT *a, unsigned char **out)
622{
623 return ASN1_item_i2d((ASN1_VALUE *)a, out, &ISSUING_DIST_POINT_it);
624}
625
626ISSUING_DIST_POINT *
627ISSUING_DIST_POINT_new(void)
628{
629 return (ISSUING_DIST_POINT *)ASN1_item_new(&ISSUING_DIST_POINT_it);
630}
631
632void
633ISSUING_DIST_POINT_free(ISSUING_DIST_POINT *a)
634{
635 ASN1_item_free((ASN1_VALUE *)a, &ISSUING_DIST_POINT_it);
636}
637
638static int i2r_idp(const X509V3_EXT_METHOD *method, void *pidp, BIO *out,
639 int indent);
640static void *v2i_idp(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
641 STACK_OF(CONF_VALUE) *nval);
642
643const X509V3_EXT_METHOD v3_idp = {
644 NID_issuing_distribution_point, X509V3_EXT_MULTILINE,
645 ASN1_ITEM_ref(ISSUING_DIST_POINT),
646 0, 0, 0, 0,
647 0, 0,
648 0,
649 v2i_idp,
650 i2r_idp, 0,
651 NULL
652};
653
654static void *
655v2i_idp(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
656 STACK_OF(CONF_VALUE) *nval)
657{
658 ISSUING_DIST_POINT *idp = NULL;
659 CONF_VALUE *cnf;
660 char *name, *val;
661 int i, ret;
662
663 idp = ISSUING_DIST_POINT_new();
664 if (!idp)
665 goto merr;
666 for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
667 cnf = sk_CONF_VALUE_value(nval, i);
668 name = cnf->name;
669 val = cnf->value;
670 ret = set_dist_point_name(&idp->distpoint, ctx, cnf);
671 if (ret > 0)
672 continue;
673 if (ret < 0)
674 goto err;
675 if (!strcmp(name, "onlyuser")) {
676 if (!X509V3_get_value_bool(cnf, &idp->onlyuser))
677 goto err;
678 }
679 else if (!strcmp(name, "onlyCA")) {
680 if (!X509V3_get_value_bool(cnf, &idp->onlyCA))
681 goto err;
682 }
683 else if (!strcmp(name, "onlyAA")) {
684 if (!X509V3_get_value_bool(cnf, &idp->onlyattr))
685 goto err;
686 }
687 else if (!strcmp(name, "indirectCRL")) {
688 if (!X509V3_get_value_bool(cnf, &idp->indirectCRL))
689 goto err;
690 }
691 else if (!strcmp(name, "onlysomereasons")) {
692 if (!set_reasons(&idp->onlysomereasons, val))
693 goto err;
694 } else {
695 X509V3err(X509V3_F_V2I_IDP, X509V3_R_INVALID_NAME);
696 X509V3_conf_err(cnf);
697 goto err;
698 }
699 }
700 return idp;
701
702merr:
703 X509V3err(X509V3_F_V2I_IDP, ERR_R_MALLOC_FAILURE);
704err:
705 ISSUING_DIST_POINT_free(idp);
706 return NULL;
707}
708
709static int
710print_gens(BIO *out, STACK_OF(GENERAL_NAME) *gens, int indent)
711{
712 int i;
713
714 for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
715 BIO_printf(out, "%*s", indent + 2, "");
716 GENERAL_NAME_print(out, sk_GENERAL_NAME_value(gens, i));
717 BIO_puts(out, "\n");
718 }
719 return 1;
720}
721
722static int
723print_distpoint(BIO *out, DIST_POINT_NAME *dpn, int indent)
724{
725 if (dpn->type == 0) {
726 BIO_printf(out, "%*sFull Name:\n", indent, "");
727 print_gens(out, dpn->name.fullname, indent);
728 } else {
729 X509_NAME ntmp;
730 ntmp.entries = dpn->name.relativename;
731 BIO_printf(out, "%*sRelative Name:\n%*s",
732 indent, "", indent + 2, "");
733 X509_NAME_print_ex(out, &ntmp, 0, XN_FLAG_ONELINE);
734 BIO_puts(out, "\n");
735 }
736 return 1;
737}
738
739static int
740i2r_idp(const X509V3_EXT_METHOD *method, void *pidp, BIO *out, int indent)
741{
742 ISSUING_DIST_POINT *idp = pidp;
743
744 if (idp->distpoint)
745 print_distpoint(out, idp->distpoint, indent);
746 if (idp->onlyuser > 0)
747 BIO_printf(out, "%*sOnly User Certificates\n", indent, "");
748 if (idp->onlyCA > 0)
749 BIO_printf(out, "%*sOnly CA Certificates\n", indent, "");
750 if (idp->indirectCRL > 0)
751 BIO_printf(out, "%*sIndirect CRL\n", indent, "");
752 if (idp->onlysomereasons)
753 print_reasons(out, "Only Some Reasons",
754 idp->onlysomereasons, indent);
755 if (idp->onlyattr > 0)
756 BIO_printf(out, "%*sOnly Attribute Certificates\n", indent, "");
757 if (!idp->distpoint && (idp->onlyuser <= 0) && (idp->onlyCA <= 0) &&
758 (idp->indirectCRL <= 0) && !idp->onlysomereasons &&
759 (idp->onlyattr <= 0))
760 BIO_printf(out, "%*s<EMPTY>\n", indent, "");
761
762 return 1;
763}
764
765static int
766i2r_crldp(const X509V3_EXT_METHOD *method, void *pcrldp, BIO *out, int indent)
767{
768 STACK_OF(DIST_POINT) *crld = pcrldp;
769 DIST_POINT *point;
770 int i;
771
772 for (i = 0; i < sk_DIST_POINT_num(crld); i++) {
773 BIO_puts(out, "\n");
774 point = sk_DIST_POINT_value(crld, i);
775 if (point->distpoint)
776 print_distpoint(out, point->distpoint, indent);
777 if (point->reasons)
778 print_reasons(out, "Reasons", point->reasons,
779 indent);
780 if (point->CRLissuer) {
781 BIO_printf(out, "%*sCRL Issuer:\n", indent, "");
782 print_gens(out, point->CRLissuer, indent);
783 }
784 }
785 return 1;
786}
787
788int
789DIST_POINT_set_dpname(DIST_POINT_NAME *dpn, X509_NAME *iname)
790{
791 int i;
792 STACK_OF(X509_NAME_ENTRY) *frag;
793 X509_NAME_ENTRY *ne;
794
795 if (!dpn || (dpn->type != 1))
796 return 1;
797 frag = dpn->name.relativename;
798 dpn->dpname = X509_NAME_dup(iname);
799 if (!dpn->dpname)
800 return 0;
801 for (i = 0; i < sk_X509_NAME_ENTRY_num(frag); i++) {
802 ne = sk_X509_NAME_ENTRY_value(frag, i);
803 if (!X509_NAME_add_entry(dpn->dpname, ne, -1, i ? 0 : 1)) {
804 X509_NAME_free(dpn->dpname);
805 dpn->dpname = NULL;
806 return 0;
807 }
808 }
809 /* generate cached encoding of name */
810 if (i2d_X509_NAME(dpn->dpname, NULL) < 0) {
811 X509_NAME_free(dpn->dpname);
812 dpn->dpname = NULL;
813 return 0;
814 }
815 return 1;
816}
diff --git a/src/lib/libcrypto/x509v3/v3_enum.c b/src/lib/libcrypto/x509v3/v3_enum.c
deleted file mode 100644
index 7f35a57012..0000000000
--- a/src/lib/libcrypto/x509v3/v3_enum.c
+++ /dev/null
@@ -1,107 +0,0 @@
1/* $OpenBSD: v3_enum.c,v 1.11 2015/07/29 16:13:48 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include <string.h>
61#include <openssl/x509v3.h>
62
63static ENUMERATED_NAMES crl_reasons[] = {
64 {CRL_REASON_UNSPECIFIED, "Unspecified", "unspecified"},
65 {CRL_REASON_KEY_COMPROMISE, "Key Compromise", "keyCompromise"},
66 {CRL_REASON_CA_COMPROMISE, "CA Compromise", "CACompromise"},
67 {CRL_REASON_AFFILIATION_CHANGED, "Affiliation Changed", "affiliationChanged"},
68 {CRL_REASON_SUPERSEDED, "Superseded", "superseded"},
69 {CRL_REASON_CESSATION_OF_OPERATION,
70 "Cessation Of Operation", "cessationOfOperation"},
71 {CRL_REASON_CERTIFICATE_HOLD, "Certificate Hold", "certificateHold"},
72 {CRL_REASON_REMOVE_FROM_CRL, "Remove From CRL", "removeFromCRL"},
73 {CRL_REASON_PRIVILEGE_WITHDRAWN, "Privilege Withdrawn", "privilegeWithdrawn"},
74 {CRL_REASON_AA_COMPROMISE, "AA Compromise", "AACompromise"},
75 {-1, NULL, NULL}
76};
77
78const X509V3_EXT_METHOD v3_crl_reason = {
79 .ext_nid = NID_crl_reason,
80 .ext_flags = 0,
81 .it = ASN1_ITEM_ref(ASN1_ENUMERATED),
82 .ext_new = NULL,
83 .ext_free = NULL,
84 .d2i = NULL,
85 .i2d = NULL,
86 .i2s = (X509V3_EXT_I2S)i2s_ASN1_ENUMERATED_TABLE,
87 .s2i = NULL,
88 .i2v = NULL,
89 .v2i = NULL,
90 .i2r = NULL,
91 .r2i = NULL,
92 .usr_data = crl_reasons,
93};
94
95char *
96i2s_ASN1_ENUMERATED_TABLE(X509V3_EXT_METHOD *method, ASN1_ENUMERATED *e)
97{
98 ENUMERATED_NAMES *enam;
99 long strval;
100
101 strval = ASN1_ENUMERATED_get(e);
102 for (enam = method->usr_data; enam->lname; enam++) {
103 if (strval == enam->bitnum)
104 return strdup(enam->lname);
105 }
106 return i2s_ASN1_ENUMERATED(method, e);
107}
diff --git a/src/lib/libcrypto/x509v3/v3_extku.c b/src/lib/libcrypto/x509v3/v3_extku.c
deleted file mode 100644
index d502175593..0000000000
--- a/src/lib/libcrypto/x509v3/v3_extku.c
+++ /dev/null
@@ -1,205 +0,0 @@
1/* $OpenBSD: v3_extku.c,v 1.13 2015/07/29 16:13:48 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60
61#include <openssl/asn1t.h>
62#include <openssl/conf.h>
63#include <openssl/err.h>
64#include <openssl/x509v3.h>
65
66static void *v2i_EXTENDED_KEY_USAGE(const X509V3_EXT_METHOD *method,
67 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
68static STACK_OF(CONF_VALUE) *i2v_EXTENDED_KEY_USAGE(
69 const X509V3_EXT_METHOD *method, void *eku, STACK_OF(CONF_VALUE) *extlist);
70
71const X509V3_EXT_METHOD v3_ext_ku = {
72 .ext_nid = NID_ext_key_usage,
73 .ext_flags = 0,
74 .it = ASN1_ITEM_ref(EXTENDED_KEY_USAGE),
75 .ext_new = NULL,
76 .ext_free = NULL,
77 .d2i = NULL,
78 .i2d = NULL,
79 .i2s = NULL,
80 .s2i = NULL,
81 .i2v = i2v_EXTENDED_KEY_USAGE,
82 .v2i = v2i_EXTENDED_KEY_USAGE,
83 .i2r = NULL,
84 .r2i = NULL,
85 .usr_data = NULL,
86};
87
88/* NB OCSP acceptable responses also is a SEQUENCE OF OBJECT */
89const X509V3_EXT_METHOD v3_ocsp_accresp = {
90 .ext_nid = NID_id_pkix_OCSP_acceptableResponses,
91 .ext_flags = 0,
92 .it = ASN1_ITEM_ref(EXTENDED_KEY_USAGE),
93 .ext_new = NULL,
94 .ext_free = NULL,
95 .d2i = NULL,
96 .i2d = NULL,
97 .i2s = NULL,
98 .s2i = NULL,
99 .i2v = i2v_EXTENDED_KEY_USAGE,
100 .v2i = v2i_EXTENDED_KEY_USAGE,
101 .i2r = NULL,
102 .r2i = NULL,
103 .usr_data = NULL,
104};
105
106static const ASN1_TEMPLATE EXTENDED_KEY_USAGE_item_tt = {
107 .flags = ASN1_TFLG_SEQUENCE_OF,
108 .tag = 0,
109 .offset = 0,
110 .field_name = "EXTENDED_KEY_USAGE",
111 .item = &ASN1_OBJECT_it,
112};
113
114const ASN1_ITEM EXTENDED_KEY_USAGE_it = {
115 .itype = ASN1_ITYPE_PRIMITIVE,
116 .utype = -1,
117 .templates = &EXTENDED_KEY_USAGE_item_tt,
118 .tcount = 0,
119 .funcs = NULL,
120 .size = 0,
121 .sname = "EXTENDED_KEY_USAGE",
122};
123
124
125EXTENDED_KEY_USAGE *
126d2i_EXTENDED_KEY_USAGE(EXTENDED_KEY_USAGE **a, const unsigned char **in, long len)
127{
128 return (EXTENDED_KEY_USAGE *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
129 &EXTENDED_KEY_USAGE_it);
130}
131
132int
133i2d_EXTENDED_KEY_USAGE(EXTENDED_KEY_USAGE *a, unsigned char **out)
134{
135 return ASN1_item_i2d((ASN1_VALUE *)a, out, &EXTENDED_KEY_USAGE_it);
136}
137
138EXTENDED_KEY_USAGE *
139EXTENDED_KEY_USAGE_new(void)
140{
141 return (EXTENDED_KEY_USAGE *)ASN1_item_new(&EXTENDED_KEY_USAGE_it);
142}
143
144void
145EXTENDED_KEY_USAGE_free(EXTENDED_KEY_USAGE *a)
146{
147 ASN1_item_free((ASN1_VALUE *)a, &EXTENDED_KEY_USAGE_it);
148}
149
150static STACK_OF(CONF_VALUE) *
151i2v_EXTENDED_KEY_USAGE(const X509V3_EXT_METHOD *method, void *a,
152 STACK_OF(CONF_VALUE) *ext_list)
153{
154 EXTENDED_KEY_USAGE *eku = a;
155 int i;
156 ASN1_OBJECT *obj;
157 char obj_tmp[80];
158
159 for (i = 0; i < sk_ASN1_OBJECT_num(eku); i++) {
160 obj = sk_ASN1_OBJECT_value(eku, i);
161 i2t_ASN1_OBJECT(obj_tmp, 80, obj);
162 X509V3_add_value(NULL, obj_tmp, &ext_list);
163 }
164 return ext_list;
165}
166
167static void *
168v2i_EXTENDED_KEY_USAGE(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
169 STACK_OF(CONF_VALUE) *nval)
170{
171 EXTENDED_KEY_USAGE *extku;
172 char *extval;
173 ASN1_OBJECT *objtmp;
174 CONF_VALUE *val;
175 int i;
176
177 if (!(extku = sk_ASN1_OBJECT_new_null())) {
178 X509V3err(X509V3_F_V2I_EXTENDED_KEY_USAGE,
179 ERR_R_MALLOC_FAILURE);
180 return NULL;
181 }
182
183 for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
184 val = sk_CONF_VALUE_value(nval, i);
185 if (val->value)
186 extval = val->value;
187 else
188 extval = val->name;
189 if (!(objtmp = OBJ_txt2obj(extval, 0))) {
190 sk_ASN1_OBJECT_pop_free(extku, ASN1_OBJECT_free);
191 X509V3err(X509V3_F_V2I_EXTENDED_KEY_USAGE,
192 X509V3_R_INVALID_OBJECT_IDENTIFIER);
193 X509V3_conf_err(val);
194 return NULL;
195 }
196 if (sk_ASN1_OBJECT_push(extku, objtmp) == 0) {
197 ASN1_OBJECT_free(objtmp);
198 sk_ASN1_OBJECT_pop_free(extku, ASN1_OBJECT_free);
199 X509V3err(X509V3_F_V2I_EXTENDED_KEY_USAGE,
200 ERR_R_MALLOC_FAILURE);
201 return NULL;
202 }
203 }
204 return extku;
205}
diff --git a/src/lib/libcrypto/x509v3/v3_genn.c b/src/lib/libcrypto/x509v3/v3_genn.c
deleted file mode 100644
index a6b7a18b17..0000000000
--- a/src/lib/libcrypto/x509v3/v3_genn.c
+++ /dev/null
@@ -1,474 +0,0 @@
1/* $OpenBSD: v3_genn.c,v 1.12 2015/09/26 17:38:41 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999-2008 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59
60#include <stdio.h>
61
62#include <openssl/asn1t.h>
63#include <openssl/conf.h>
64#include <openssl/x509v3.h>
65
66static const ASN1_TEMPLATE OTHERNAME_seq_tt[] = {
67 {
68 .flags = 0,
69 .tag = 0,
70 .offset = offsetof(OTHERNAME, type_id),
71 .field_name = "type_id",
72 .item = &ASN1_OBJECT_it,
73 },
74 /* Maybe have a true ANY DEFINED BY later */
75 {
76 .flags = ASN1_TFLG_EXPLICIT,
77 .tag = 0,
78 .offset = offsetof(OTHERNAME, value),
79 .field_name = "value",
80 .item = &ASN1_ANY_it,
81 },
82};
83
84const ASN1_ITEM OTHERNAME_it = {
85 .itype = ASN1_ITYPE_SEQUENCE,
86 .utype = V_ASN1_SEQUENCE,
87 .templates = OTHERNAME_seq_tt,
88 .tcount = sizeof(OTHERNAME_seq_tt) / sizeof(ASN1_TEMPLATE),
89 .funcs = NULL,
90 .size = sizeof(OTHERNAME),
91 .sname = "OTHERNAME",
92};
93
94
95OTHERNAME *
96d2i_OTHERNAME(OTHERNAME **a, const unsigned char **in, long len)
97{
98 return (OTHERNAME *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
99 &OTHERNAME_it);
100}
101
102int
103i2d_OTHERNAME(OTHERNAME *a, unsigned char **out)
104{
105 return ASN1_item_i2d((ASN1_VALUE *)a, out, &OTHERNAME_it);
106}
107
108OTHERNAME *
109OTHERNAME_new(void)
110{
111 return (OTHERNAME *)ASN1_item_new(&OTHERNAME_it);
112}
113
114void
115OTHERNAME_free(OTHERNAME *a)
116{
117 ASN1_item_free((ASN1_VALUE *)a, &OTHERNAME_it);
118}
119
120static const ASN1_TEMPLATE EDIPARTYNAME_seq_tt[] = {
121 {
122 .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL,
123 .tag = 0,
124 .offset = offsetof(EDIPARTYNAME, nameAssigner),
125 .field_name = "nameAssigner",
126 .item = &DIRECTORYSTRING_it,
127 },
128 {
129 .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL,
130 .tag = 1,
131 .offset = offsetof(EDIPARTYNAME, partyName),
132 .field_name = "partyName",
133 .item = &DIRECTORYSTRING_it,
134 },
135};
136
137const ASN1_ITEM EDIPARTYNAME_it = {
138 .itype = ASN1_ITYPE_SEQUENCE,
139 .utype = V_ASN1_SEQUENCE,
140 .templates = EDIPARTYNAME_seq_tt,
141 .tcount = sizeof(EDIPARTYNAME_seq_tt) / sizeof(ASN1_TEMPLATE),
142 .funcs = NULL,
143 .size = sizeof(EDIPARTYNAME),
144 .sname = "EDIPARTYNAME",
145};
146
147
148EDIPARTYNAME *
149d2i_EDIPARTYNAME(EDIPARTYNAME **a, const unsigned char **in, long len)
150{
151 return (EDIPARTYNAME *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
152 &EDIPARTYNAME_it);
153}
154
155int
156i2d_EDIPARTYNAME(EDIPARTYNAME *a, unsigned char **out)
157{
158 return ASN1_item_i2d((ASN1_VALUE *)a, out, &EDIPARTYNAME_it);
159}
160
161EDIPARTYNAME *
162EDIPARTYNAME_new(void)
163{
164 return (EDIPARTYNAME *)ASN1_item_new(&EDIPARTYNAME_it);
165}
166
167void
168EDIPARTYNAME_free(EDIPARTYNAME *a)
169{
170 ASN1_item_free((ASN1_VALUE *)a, &EDIPARTYNAME_it);
171}
172
173static const ASN1_TEMPLATE GENERAL_NAME_ch_tt[] = {
174 {
175 .flags = ASN1_TFLG_IMPLICIT,
176 .tag = GEN_OTHERNAME,
177 .offset = offsetof(GENERAL_NAME, d.otherName),
178 .field_name = "d.otherName",
179 .item = &OTHERNAME_it,
180 },
181 {
182 .flags = ASN1_TFLG_IMPLICIT,
183 .tag = GEN_EMAIL,
184 .offset = offsetof(GENERAL_NAME, d.rfc822Name),
185 .field_name = "d.rfc822Name",
186 .item = &ASN1_IA5STRING_it,
187 },
188 {
189 .flags = ASN1_TFLG_IMPLICIT,
190 .tag = GEN_DNS,
191 .offset = offsetof(GENERAL_NAME, d.dNSName),
192 .field_name = "d.dNSName",
193 .item = &ASN1_IA5STRING_it,
194 },
195 /* Don't decode this */
196 {
197 .flags = ASN1_TFLG_IMPLICIT,
198 .tag = GEN_X400,
199 .offset = offsetof(GENERAL_NAME, d.x400Address),
200 .field_name = "d.x400Address",
201 .item = &ASN1_SEQUENCE_it,
202 },
203 /* X509_NAME is a CHOICE type so use EXPLICIT */
204 {
205 .flags = ASN1_TFLG_EXPLICIT,
206 .tag = GEN_DIRNAME,
207 .offset = offsetof(GENERAL_NAME, d.directoryName),
208 .field_name = "d.directoryName",
209 .item = &X509_NAME_it,
210 },
211 {
212 .flags = ASN1_TFLG_IMPLICIT,
213 .tag = GEN_EDIPARTY,
214 .offset = offsetof(GENERAL_NAME, d.ediPartyName),
215 .field_name = "d.ediPartyName",
216 .item = &EDIPARTYNAME_it,
217 },
218 {
219 .flags = ASN1_TFLG_IMPLICIT,
220 .tag = GEN_URI,
221 .offset = offsetof(GENERAL_NAME, d.uniformResourceIdentifier),
222 .field_name = "d.uniformResourceIdentifier",
223 .item = &ASN1_IA5STRING_it,
224 },
225 {
226 .flags = ASN1_TFLG_IMPLICIT,
227 .tag = GEN_IPADD,
228 .offset = offsetof(GENERAL_NAME, d.iPAddress),
229 .field_name = "d.iPAddress",
230 .item = &ASN1_OCTET_STRING_it,
231 },
232 {
233 .flags = ASN1_TFLG_IMPLICIT,
234 .tag = GEN_RID,
235 .offset = offsetof(GENERAL_NAME, d.registeredID),
236 .field_name = "d.registeredID",
237 .item = &ASN1_OBJECT_it,
238 },
239};
240
241const ASN1_ITEM GENERAL_NAME_it = {
242 .itype = ASN1_ITYPE_CHOICE,
243 .utype = offsetof(GENERAL_NAME, type),
244 .templates = GENERAL_NAME_ch_tt,
245 .tcount = sizeof(GENERAL_NAME_ch_tt) / sizeof(ASN1_TEMPLATE),
246 .funcs = NULL,
247 .size = sizeof(GENERAL_NAME),
248 .sname = "GENERAL_NAME",
249};
250
251
252GENERAL_NAME *
253d2i_GENERAL_NAME(GENERAL_NAME **a, const unsigned char **in, long len)
254{
255 return (GENERAL_NAME *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
256 &GENERAL_NAME_it);
257}
258
259int
260i2d_GENERAL_NAME(GENERAL_NAME *a, unsigned char **out)
261{
262 return ASN1_item_i2d((ASN1_VALUE *)a, out, &GENERAL_NAME_it);
263}
264
265GENERAL_NAME *
266GENERAL_NAME_new(void)
267{
268 return (GENERAL_NAME *)ASN1_item_new(&GENERAL_NAME_it);
269}
270
271void
272GENERAL_NAME_free(GENERAL_NAME *a)
273{
274 ASN1_item_free((ASN1_VALUE *)a, &GENERAL_NAME_it);
275}
276
277static const ASN1_TEMPLATE GENERAL_NAMES_item_tt = {
278 .flags = ASN1_TFLG_SEQUENCE_OF,
279 .tag = 0,
280 .offset = 0,
281 .field_name = "GeneralNames",
282 .item = &GENERAL_NAME_it,
283};
284
285const ASN1_ITEM GENERAL_NAMES_it = {
286 .itype = ASN1_ITYPE_PRIMITIVE,
287 .utype = -1,
288 .templates = &GENERAL_NAMES_item_tt,
289 .tcount = 0,
290 .funcs = NULL,
291 .size = 0,
292 .sname = "GENERAL_NAMES",
293};
294
295
296GENERAL_NAMES *
297d2i_GENERAL_NAMES(GENERAL_NAMES **a, const unsigned char **in, long len)
298{
299 return (GENERAL_NAMES *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
300 &GENERAL_NAMES_it);
301}
302
303int
304i2d_GENERAL_NAMES(GENERAL_NAMES *a, unsigned char **out)
305{
306 return ASN1_item_i2d((ASN1_VALUE *)a, out, &GENERAL_NAMES_it);
307}
308
309GENERAL_NAMES *
310GENERAL_NAMES_new(void)
311{
312 return (GENERAL_NAMES *)ASN1_item_new(&GENERAL_NAMES_it);
313}
314
315void
316GENERAL_NAMES_free(GENERAL_NAMES *a)
317{
318 ASN1_item_free((ASN1_VALUE *)a, &GENERAL_NAMES_it);
319}
320
321GENERAL_NAME *
322GENERAL_NAME_dup(GENERAL_NAME *a)
323{
324 return ASN1_item_dup(&GENERAL_NAME_it, a);
325}
326
327/* Returns 0 if they are equal, != 0 otherwise. */
328int
329GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b)
330{
331 int result = -1;
332
333 if (!a || !b || a->type != b->type)
334 return -1;
335 switch (a->type) {
336 case GEN_X400:
337 case GEN_EDIPARTY:
338 result = ASN1_TYPE_cmp(a->d.other, b->d.other);
339 break;
340
341 case GEN_OTHERNAME:
342 result = OTHERNAME_cmp(a->d.otherName, b->d.otherName);
343 break;
344
345 case GEN_EMAIL:
346 case GEN_DNS:
347 case GEN_URI:
348 result = ASN1_STRING_cmp(a->d.ia5, b->d.ia5);
349 break;
350
351 case GEN_DIRNAME:
352 result = X509_NAME_cmp(a->d.dirn, b->d.dirn);
353 break;
354
355 case GEN_IPADD:
356 result = ASN1_OCTET_STRING_cmp(a->d.ip, b->d.ip);
357 break;
358
359 case GEN_RID:
360 result = OBJ_cmp(a->d.rid, b->d.rid);
361 break;
362 }
363 return result;
364}
365
366/* Returns 0 if they are equal, != 0 otherwise. */
367int
368OTHERNAME_cmp(OTHERNAME *a, OTHERNAME *b)
369{
370 int result = -1;
371
372 if (!a || !b)
373 return -1;
374 /* Check their type first. */
375 if ((result = OBJ_cmp(a->type_id, b->type_id)) != 0)
376 return result;
377 /* Check the value. */
378 result = ASN1_TYPE_cmp(a->value, b->value);
379 return result;
380}
381
382void
383GENERAL_NAME_set0_value(GENERAL_NAME *a, int type, void *value)
384{
385 switch (type) {
386 case GEN_X400:
387 case GEN_EDIPARTY:
388 a->d.other = value;
389 break;
390
391 case GEN_OTHERNAME:
392 a->d.otherName = value;
393 break;
394
395 case GEN_EMAIL:
396 case GEN_DNS:
397 case GEN_URI:
398 a->d.ia5 = value;
399 break;
400
401 case GEN_DIRNAME:
402 a->d.dirn = value;
403 break;
404
405 case GEN_IPADD:
406 a->d.ip = value;
407 break;
408
409 case GEN_RID:
410 a->d.rid = value;
411 break;
412 }
413 a->type = type;
414}
415
416void *
417GENERAL_NAME_get0_value(GENERAL_NAME *a, int *ptype)
418{
419 if (ptype)
420 *ptype = a->type;
421 switch (a->type) {
422 case GEN_X400:
423 case GEN_EDIPARTY:
424 return a->d.other;
425
426 case GEN_OTHERNAME:
427 return a->d.otherName;
428
429 case GEN_EMAIL:
430 case GEN_DNS:
431 case GEN_URI:
432 return a->d.ia5;
433
434 case GEN_DIRNAME:
435 return a->d.dirn;
436
437 case GEN_IPADD:
438 return a->d.ip;
439
440 case GEN_RID:
441 return a->d.rid;
442
443 default:
444 return NULL;
445 }
446}
447
448int
449GENERAL_NAME_set0_othername(GENERAL_NAME *gen, ASN1_OBJECT *oid,
450 ASN1_TYPE *value)
451{
452 OTHERNAME *oth;
453
454 oth = OTHERNAME_new();
455 if (!oth)
456 return 0;
457 oth->type_id = oid;
458 oth->value = value;
459 GENERAL_NAME_set0_value(gen, GEN_OTHERNAME, oth);
460 return 1;
461}
462
463int
464GENERAL_NAME_get0_otherName(GENERAL_NAME *gen, ASN1_OBJECT **poid,
465 ASN1_TYPE **pvalue)
466{
467 if (gen->type != GEN_OTHERNAME)
468 return 0;
469 if (poid)
470 *poid = gen->d.otherName->type_id;
471 if (pvalue)
472 *pvalue = gen->d.otherName->value;
473 return 1;
474}
diff --git a/src/lib/libcrypto/x509v3/v3_ia5.c b/src/lib/libcrypto/x509v3/v3_ia5.c
deleted file mode 100644
index 20e44ec2b1..0000000000
--- a/src/lib/libcrypto/x509v3/v3_ia5.c
+++ /dev/null
@@ -1,239 +0,0 @@
1/* $OpenBSD: v3_ia5.c,v 1.15 2015/09/30 18:21:50 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include <string.h>
61
62#include <openssl/asn1.h>
63#include <openssl/conf.h>
64#include <openssl/err.h>
65#include <openssl/x509v3.h>
66
67static char *i2s_ASN1_IA5STRING(X509V3_EXT_METHOD *method, ASN1_IA5STRING *ia5);
68static ASN1_IA5STRING *s2i_ASN1_IA5STRING(X509V3_EXT_METHOD *method,
69 X509V3_CTX *ctx, char *str);
70
71const X509V3_EXT_METHOD v3_ns_ia5_list[] = {
72 {
73 .ext_nid = NID_netscape_base_url,
74 .ext_flags = 0,
75 .it = ASN1_ITEM_ref(ASN1_IA5STRING),
76 .ext_new = NULL,
77 .ext_free = NULL,
78 .d2i = NULL,
79 .i2d = NULL,
80 .i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING,
81 .s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING,
82 .i2v = NULL,
83 .v2i = NULL,
84 .i2r = NULL,
85 .r2i = NULL,
86 .usr_data = NULL,
87 },
88 {
89 .ext_nid = NID_netscape_revocation_url,
90 .ext_flags = 0,
91 .it = ASN1_ITEM_ref(ASN1_IA5STRING),
92 .ext_new = NULL,
93 .ext_free = NULL,
94 .d2i = NULL,
95 .i2d = NULL,
96 .i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING,
97 .s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING,
98 .i2v = NULL,
99 .v2i = NULL,
100 .i2r = NULL,
101 .r2i = NULL,
102 .usr_data = NULL,
103 },
104 {
105 .ext_nid = NID_netscape_ca_revocation_url,
106 .ext_flags = 0,
107 .it = ASN1_ITEM_ref(ASN1_IA5STRING),
108 .ext_new = NULL,
109 .ext_free = NULL,
110 .d2i = NULL,
111 .i2d = NULL,
112 .i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING,
113 .s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING,
114 .i2v = NULL,
115 .v2i = NULL,
116 .i2r = NULL,
117 .r2i = NULL,
118 .usr_data = NULL,
119 },
120 {
121 .ext_nid = NID_netscape_renewal_url,
122 .ext_flags = 0,
123 .it = ASN1_ITEM_ref(ASN1_IA5STRING),
124 .ext_new = NULL,
125 .ext_free = NULL,
126 .d2i = NULL,
127 .i2d = NULL,
128 .i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING,
129 .s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING,
130 .i2v = NULL,
131 .v2i = NULL,
132 .i2r = NULL,
133 .r2i = NULL,
134 .usr_data = NULL,
135 },
136 {
137 .ext_nid = NID_netscape_ca_policy_url,
138 .ext_flags = 0,
139 .it = ASN1_ITEM_ref(ASN1_IA5STRING),
140 .ext_new = NULL,
141 .ext_free = NULL,
142 .d2i = NULL,
143 .i2d = NULL,
144 .i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING,
145 .s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING,
146 .i2v = NULL,
147 .v2i = NULL,
148 .i2r = NULL,
149 .r2i = NULL,
150 .usr_data = NULL,
151 },
152 {
153 .ext_nid = NID_netscape_ssl_server_name,
154 .ext_flags = 0,
155 .it = ASN1_ITEM_ref(ASN1_IA5STRING),
156 .ext_new = NULL,
157 .ext_free = NULL,
158 .d2i = NULL,
159 .i2d = NULL,
160 .i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING,
161 .s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING,
162 .i2v = NULL,
163 .v2i = NULL,
164 .i2r = NULL,
165 .r2i = NULL,
166 .usr_data = NULL,
167 },
168 {
169 .ext_nid = NID_netscape_comment,
170 .ext_flags = 0,
171 .it = ASN1_ITEM_ref(ASN1_IA5STRING),
172 .ext_new = NULL,
173 .ext_free = NULL,
174 .d2i = NULL,
175 .i2d = NULL,
176 .i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING,
177 .s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING,
178 .i2v = NULL,
179 .v2i = NULL,
180 .i2r = NULL,
181 .r2i = NULL,
182 .usr_data = NULL,
183 },
184 {
185 .ext_nid = -1,
186 .ext_flags = 0,
187 .it = NULL,
188 .ext_new = NULL,
189 .ext_free = NULL,
190 .d2i = NULL,
191 .i2d = NULL,
192 .i2s = NULL,
193 .s2i = NULL,
194 .i2v = NULL,
195 .v2i = NULL,
196 .i2r = NULL,
197 .r2i = NULL,
198 .usr_data = NULL,
199 },
200};
201
202static char *
203i2s_ASN1_IA5STRING(X509V3_EXT_METHOD *method, ASN1_IA5STRING *ia5)
204{
205 char *tmp;
206
207 if (!ia5 || !ia5->length)
208 return NULL;
209 if (!(tmp = malloc(ia5->length + 1))) {
210 X509V3err(X509V3_F_I2S_ASN1_IA5STRING, ERR_R_MALLOC_FAILURE);
211 return NULL;
212 }
213 memcpy(tmp, ia5->data, ia5->length);
214 tmp[ia5->length] = 0;
215 return tmp;
216}
217
218static ASN1_IA5STRING *
219s2i_ASN1_IA5STRING(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *str)
220{
221 ASN1_IA5STRING *ia5;
222 if (!str) {
223 X509V3err(X509V3_F_S2I_ASN1_IA5STRING,
224 X509V3_R_INVALID_NULL_ARGUMENT);
225 return NULL;
226 }
227 if (!(ia5 = ASN1_IA5STRING_new()))
228 goto err;
229 if (!ASN1_STRING_set((ASN1_STRING *)ia5, (unsigned char*)str,
230 strlen(str))) {
231 ASN1_IA5STRING_free(ia5);
232 goto err;
233 }
234 return ia5;
235
236err:
237 X509V3err(X509V3_F_S2I_ASN1_IA5STRING, ERR_R_MALLOC_FAILURE);
238 return NULL;
239}
diff --git a/src/lib/libcrypto/x509v3/v3_info.c b/src/lib/libcrypto/x509v3/v3_info.c
deleted file mode 100644
index 3b96222187..0000000000
--- a/src/lib/libcrypto/x509v3/v3_info.c
+++ /dev/null
@@ -1,307 +0,0 @@
1/* $OpenBSD: v3_info.c,v 1.23 2015/07/29 16:13:48 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include <string.h>
61
62#include <openssl/asn1.h>
63#include <openssl/asn1t.h>
64#include <openssl/conf.h>
65#include <openssl/err.h>
66#include <openssl/x509v3.h>
67
68static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_INFO_ACCESS(
69 X509V3_EXT_METHOD *method, AUTHORITY_INFO_ACCESS *ainfo,
70 STACK_OF(CONF_VALUE) *ret);
71static AUTHORITY_INFO_ACCESS *v2i_AUTHORITY_INFO_ACCESS(
72 X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
73
74const X509V3_EXT_METHOD v3_info = {
75 .ext_nid = NID_info_access,
76 .ext_flags = X509V3_EXT_MULTILINE,
77 .it = ASN1_ITEM_ref(AUTHORITY_INFO_ACCESS),
78 .ext_new = NULL,
79 .ext_free = NULL,
80 .d2i = NULL,
81 .i2d = NULL,
82 .i2s = NULL,
83 .s2i = NULL,
84 .i2v = (X509V3_EXT_I2V)i2v_AUTHORITY_INFO_ACCESS,
85 .v2i = (X509V3_EXT_V2I)v2i_AUTHORITY_INFO_ACCESS,
86 .i2r = NULL,
87 .r2i = NULL,
88 .usr_data = NULL,
89};
90
91const X509V3_EXT_METHOD v3_sinfo = {
92 .ext_nid = NID_sinfo_access,
93 .ext_flags = X509V3_EXT_MULTILINE,
94 .it = ASN1_ITEM_ref(AUTHORITY_INFO_ACCESS),
95 .ext_new = NULL,
96 .ext_free = NULL,
97 .d2i = NULL,
98 .i2d = NULL,
99 .i2s = NULL,
100 .s2i = NULL,
101 .i2v = (X509V3_EXT_I2V)i2v_AUTHORITY_INFO_ACCESS,
102 .v2i = (X509V3_EXT_V2I)v2i_AUTHORITY_INFO_ACCESS,
103 .i2r = NULL,
104 .r2i = NULL,
105 .usr_data = NULL,
106};
107
108static const ASN1_TEMPLATE ACCESS_DESCRIPTION_seq_tt[] = {
109 {
110 .flags = 0,
111 .tag = 0,
112 .offset = offsetof(ACCESS_DESCRIPTION, method),
113 .field_name = "method",
114 .item = &ASN1_OBJECT_it,
115 },
116 {
117 .flags = 0,
118 .tag = 0,
119 .offset = offsetof(ACCESS_DESCRIPTION, location),
120 .field_name = "location",
121 .item = &GENERAL_NAME_it,
122 },
123};
124
125const ASN1_ITEM ACCESS_DESCRIPTION_it = {
126 .itype = ASN1_ITYPE_SEQUENCE,
127 .utype = V_ASN1_SEQUENCE,
128 .templates = ACCESS_DESCRIPTION_seq_tt,
129 .tcount = sizeof(ACCESS_DESCRIPTION_seq_tt) / sizeof(ASN1_TEMPLATE),
130 .funcs = NULL,
131 .size = sizeof(ACCESS_DESCRIPTION),
132 .sname = "ACCESS_DESCRIPTION",
133};
134
135
136ACCESS_DESCRIPTION *
137d2i_ACCESS_DESCRIPTION(ACCESS_DESCRIPTION **a, const unsigned char **in, long len)
138{
139 return (ACCESS_DESCRIPTION *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
140 &ACCESS_DESCRIPTION_it);
141}
142
143int
144i2d_ACCESS_DESCRIPTION(ACCESS_DESCRIPTION *a, unsigned char **out)
145{
146 return ASN1_item_i2d((ASN1_VALUE *)a, out, &ACCESS_DESCRIPTION_it);
147}
148
149ACCESS_DESCRIPTION *
150ACCESS_DESCRIPTION_new(void)
151{
152 return (ACCESS_DESCRIPTION *)ASN1_item_new(&ACCESS_DESCRIPTION_it);
153}
154
155void
156ACCESS_DESCRIPTION_free(ACCESS_DESCRIPTION *a)
157{
158 ASN1_item_free((ASN1_VALUE *)a, &ACCESS_DESCRIPTION_it);
159}
160
161static const ASN1_TEMPLATE AUTHORITY_INFO_ACCESS_item_tt = {
162 .flags = ASN1_TFLG_SEQUENCE_OF,
163 .tag = 0,
164 .offset = 0,
165 .field_name = "GeneralNames",
166 .item = &ACCESS_DESCRIPTION_it,
167};
168
169const ASN1_ITEM AUTHORITY_INFO_ACCESS_it = {
170 .itype = ASN1_ITYPE_PRIMITIVE,
171 .utype = -1,
172 .templates = &AUTHORITY_INFO_ACCESS_item_tt,
173 .tcount = 0,
174 .funcs = NULL,
175 .size = 0,
176 .sname = "AUTHORITY_INFO_ACCESS",
177};
178
179
180AUTHORITY_INFO_ACCESS *
181d2i_AUTHORITY_INFO_ACCESS(AUTHORITY_INFO_ACCESS **a, const unsigned char **in, long len)
182{
183 return (AUTHORITY_INFO_ACCESS *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
184 &AUTHORITY_INFO_ACCESS_it);
185}
186
187int
188i2d_AUTHORITY_INFO_ACCESS(AUTHORITY_INFO_ACCESS *a, unsigned char **out)
189{
190 return ASN1_item_i2d((ASN1_VALUE *)a, out, &AUTHORITY_INFO_ACCESS_it);
191}
192
193AUTHORITY_INFO_ACCESS *
194AUTHORITY_INFO_ACCESS_new(void)
195{
196 return (AUTHORITY_INFO_ACCESS *)ASN1_item_new(&AUTHORITY_INFO_ACCESS_it);
197}
198
199void
200AUTHORITY_INFO_ACCESS_free(AUTHORITY_INFO_ACCESS *a)
201{
202 ASN1_item_free((ASN1_VALUE *)a, &AUTHORITY_INFO_ACCESS_it);
203}
204
205static STACK_OF(CONF_VALUE) *
206i2v_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD *method,
207 AUTHORITY_INFO_ACCESS *ainfo, STACK_OF(CONF_VALUE) *ret)
208{
209 ACCESS_DESCRIPTION *desc;
210 int i, nlen;
211 char objtmp[80], *ntmp;
212 CONF_VALUE *vtmp;
213
214 for (i = 0; i < sk_ACCESS_DESCRIPTION_num(ainfo); i++) {
215 desc = sk_ACCESS_DESCRIPTION_value(ainfo, i);
216 ret = i2v_GENERAL_NAME(method, desc->location, ret);
217 if (!ret)
218 break;
219 vtmp = sk_CONF_VALUE_value(ret, i);
220 i2t_ASN1_OBJECT(objtmp, sizeof objtmp, desc->method);
221 nlen = strlen(objtmp) + strlen(vtmp->name) + 5;
222 ntmp = malloc(nlen);
223 if (!ntmp) {
224 X509V3err(X509V3_F_I2V_AUTHORITY_INFO_ACCESS,
225 ERR_R_MALLOC_FAILURE);
226 return NULL;
227 }
228 strlcpy(ntmp, objtmp, nlen);
229 strlcat(ntmp, " - ", nlen);
230 strlcat(ntmp, vtmp->name, nlen);
231 free(vtmp->name);
232 vtmp->name = ntmp;
233
234 }
235 if (!ret)
236 return sk_CONF_VALUE_new_null();
237 return ret;
238}
239
240static AUTHORITY_INFO_ACCESS *
241v2i_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
242 STACK_OF(CONF_VALUE) *nval)
243{
244 AUTHORITY_INFO_ACCESS *ainfo = NULL;
245 CONF_VALUE *cnf, ctmp;
246 ACCESS_DESCRIPTION *acc;
247 int i, objlen;
248 char *objtmp, *ptmp;
249
250 if (!(ainfo = sk_ACCESS_DESCRIPTION_new_null())) {
251 X509V3err(X509V3_F_V2I_AUTHORITY_INFO_ACCESS,
252 ERR_R_MALLOC_FAILURE);
253 return NULL;
254 }
255 for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
256 cnf = sk_CONF_VALUE_value(nval, i);
257 if ((acc = ACCESS_DESCRIPTION_new()) == NULL) {
258 X509V3err(X509V3_F_V2I_AUTHORITY_INFO_ACCESS,
259 ERR_R_MALLOC_FAILURE);
260 goto err;
261 }
262 if (sk_ACCESS_DESCRIPTION_push(ainfo, acc) == 0) {
263 ACCESS_DESCRIPTION_free(acc);
264 X509V3err(X509V3_F_V2I_AUTHORITY_INFO_ACCESS,
265 ERR_R_MALLOC_FAILURE);
266 goto err;
267 }
268 ptmp = strchr(cnf->name, ';');
269 if (!ptmp) {
270 X509V3err(X509V3_F_V2I_AUTHORITY_INFO_ACCESS,
271 X509V3_R_INVALID_SYNTAX);
272 goto err;
273 }
274 objlen = ptmp - cnf->name;
275 ctmp.name = ptmp + 1;
276 ctmp.value = cnf->value;
277 if (!v2i_GENERAL_NAME_ex(acc->location, method, ctx, &ctmp, 0))
278 goto err;
279 if (!(objtmp = malloc(objlen + 1))) {
280 X509V3err(X509V3_F_V2I_AUTHORITY_INFO_ACCESS,
281 ERR_R_MALLOC_FAILURE);
282 goto err;
283 }
284 strlcpy(objtmp, cnf->name, objlen + 1);
285 acc->method = OBJ_txt2obj(objtmp, 0);
286 if (!acc->method) {
287 X509V3err(X509V3_F_V2I_AUTHORITY_INFO_ACCESS,
288 X509V3_R_BAD_OBJECT);
289 ERR_asprintf_error_data("value=%s", objtmp);
290 free(objtmp);
291 goto err;
292 }
293 free(objtmp);
294 }
295 return ainfo;
296
297err:
298 sk_ACCESS_DESCRIPTION_pop_free(ainfo, ACCESS_DESCRIPTION_free);
299 return NULL;
300}
301
302int
303i2a_ACCESS_DESCRIPTION(BIO *bp, ACCESS_DESCRIPTION* a)
304{
305 i2a_ASN1_OBJECT(bp, a->method);
306 return 2;
307}
diff --git a/src/lib/libcrypto/x509v3/v3_int.c b/src/lib/libcrypto/x509v3/v3_int.c
deleted file mode 100644
index bd059b7269..0000000000
--- a/src/lib/libcrypto/x509v3/v3_int.c
+++ /dev/null
@@ -1,110 +0,0 @@
1/* $OpenBSD: v3_int.c,v 1.10 2015/07/29 16:13:48 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60
61#include <openssl/x509v3.h>
62
63const X509V3_EXT_METHOD v3_crl_num = {
64 .ext_nid = NID_crl_number,
65 .ext_flags = 0,
66 .it = ASN1_ITEM_ref(ASN1_INTEGER),
67 .ext_new = NULL,
68 .ext_free = NULL,
69 .d2i = NULL,
70 .i2d = NULL,
71 .i2s = (X509V3_EXT_I2S)i2s_ASN1_INTEGER,
72 .s2i = NULL,
73 .i2v = NULL,
74 .v2i = NULL,
75 .i2r = NULL,
76 .r2i = NULL,
77 .usr_data = NULL,
78};
79
80const X509V3_EXT_METHOD v3_delta_crl = {
81 .ext_nid = NID_delta_crl,
82 .ext_flags = 0,
83 .it = ASN1_ITEM_ref(ASN1_INTEGER),
84 .ext_new = NULL,
85 .ext_free = NULL,
86 .d2i = NULL,
87 .i2d = NULL,
88 .i2s = (X509V3_EXT_I2S)i2s_ASN1_INTEGER,
89 .s2i = NULL,
90 .i2v = NULL,
91 .v2i = NULL,
92 .i2r = NULL,
93 .r2i = NULL,
94 .usr_data = NULL,
95};
96
97static void *
98s2i_asn1_int(X509V3_EXT_METHOD *meth, X509V3_CTX *ctx, char *value)
99{
100 return s2i_ASN1_INTEGER(meth, value);
101}
102
103const X509V3_EXT_METHOD v3_inhibit_anyp = {
104 NID_inhibit_any_policy, 0, ASN1_ITEM_ref(ASN1_INTEGER),
105 0, 0, 0, 0,
106 (X509V3_EXT_I2S)i2s_ASN1_INTEGER,
107 (X509V3_EXT_S2I)s2i_asn1_int,
108 0, 0, 0, 0,
109 NULL
110};
diff --git a/src/lib/libcrypto/x509v3/v3_lib.c b/src/lib/libcrypto/x509v3/v3_lib.c
deleted file mode 100644
index 7731c7c544..0000000000
--- a/src/lib/libcrypto/x509v3/v3_lib.c
+++ /dev/null
@@ -1,345 +0,0 @@
1/* $OpenBSD: v3_lib.c,v 1.14 2015/02/10 11:22:22 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58/* X509 v3 extension utilities */
59
60#include <stdio.h>
61
62#include <openssl/conf.h>
63#include <openssl/err.h>
64#include <openssl/x509v3.h>
65
66#include "ext_dat.h"
67
68static STACK_OF(X509V3_EXT_METHOD) *ext_list = NULL;
69
70static int ext_cmp(const X509V3_EXT_METHOD * const *a,
71 const X509V3_EXT_METHOD * const *b);
72static void ext_list_free(X509V3_EXT_METHOD *ext);
73
74int
75X509V3_EXT_add(X509V3_EXT_METHOD *ext)
76{
77 if (!ext_list && !(ext_list = sk_X509V3_EXT_METHOD_new(ext_cmp))) {
78 X509V3err(X509V3_F_X509V3_EXT_ADD, ERR_R_MALLOC_FAILURE);
79 return 0;
80 }
81 if (!sk_X509V3_EXT_METHOD_push(ext_list, ext)) {
82 X509V3err(X509V3_F_X509V3_EXT_ADD, ERR_R_MALLOC_FAILURE);
83 return 0;
84 }
85 return 1;
86}
87
88static int
89ext_cmp(const X509V3_EXT_METHOD * const *a, const X509V3_EXT_METHOD * const *b)
90{
91 return ((*a)->ext_nid - (*b)->ext_nid);
92}
93
94DECLARE_OBJ_BSEARCH_CMP_FN(const X509V3_EXT_METHOD *,
95 const X509V3_EXT_METHOD *, ext);
96IMPLEMENT_OBJ_BSEARCH_CMP_FN(const X509V3_EXT_METHOD *,
97 const X509V3_EXT_METHOD *, ext);
98
99const X509V3_EXT_METHOD *
100X509V3_EXT_get_nid(int nid)
101{
102 X509V3_EXT_METHOD tmp;
103 const X509V3_EXT_METHOD *t = &tmp, * const *ret;
104 int idx;
105
106 if (nid < 0)
107 return NULL;
108 tmp.ext_nid = nid;
109 ret = OBJ_bsearch_ext(&t, standard_exts, STANDARD_EXTENSION_COUNT);
110 if (ret)
111 return *ret;
112 if (!ext_list)
113 return NULL;
114 idx = sk_X509V3_EXT_METHOD_find(ext_list, &tmp);
115 if (idx == -1)
116 return NULL;
117 return sk_X509V3_EXT_METHOD_value(ext_list, idx);
118}
119
120const X509V3_EXT_METHOD *
121X509V3_EXT_get(X509_EXTENSION *ext)
122{
123 int nid;
124
125 if ((nid = OBJ_obj2nid(ext->object)) == NID_undef)
126 return NULL;
127 return X509V3_EXT_get_nid(nid);
128}
129
130int
131X509V3_EXT_add_list(X509V3_EXT_METHOD *extlist)
132{
133 for (; extlist->ext_nid!=-1; extlist++)
134 if (!X509V3_EXT_add(extlist))
135 return 0;
136 return 1;
137}
138
139int
140X509V3_EXT_add_alias(int nid_to, int nid_from)
141{
142 const X509V3_EXT_METHOD *ext;
143 X509V3_EXT_METHOD *tmpext;
144
145 if (!(ext = X509V3_EXT_get_nid(nid_from))) {
146 X509V3err(X509V3_F_X509V3_EXT_ADD_ALIAS,
147 X509V3_R_EXTENSION_NOT_FOUND);
148 return 0;
149 }
150 if (!(tmpext = malloc(sizeof(X509V3_EXT_METHOD)))) {
151 X509V3err(X509V3_F_X509V3_EXT_ADD_ALIAS, ERR_R_MALLOC_FAILURE);
152 return 0;
153 }
154 *tmpext = *ext;
155 tmpext->ext_nid = nid_to;
156 tmpext->ext_flags |= X509V3_EXT_DYNAMIC;
157 return X509V3_EXT_add(tmpext);
158}
159
160void
161X509V3_EXT_cleanup(void)
162{
163 sk_X509V3_EXT_METHOD_pop_free(ext_list, ext_list_free);
164 ext_list = NULL;
165}
166
167static void
168ext_list_free(X509V3_EXT_METHOD *ext)
169{
170 if (ext->ext_flags & X509V3_EXT_DYNAMIC)
171 free(ext);
172}
173
174/* Legacy function: we don't need to add standard extensions
175 * any more because they are now kept in ext_dat.h.
176 */
177
178int
179X509V3_add_standard_extensions(void)
180{
181 return 1;
182}
183
184/* Return an extension internal structure */
185
186void *
187X509V3_EXT_d2i(X509_EXTENSION *ext)
188{
189 const X509V3_EXT_METHOD *method;
190 const unsigned char *p;
191
192 if (!(method = X509V3_EXT_get(ext)))
193 return NULL;
194 p = ext->value->data;
195 if (method->it)
196 return ASN1_item_d2i(NULL, &p, ext->value->length,
197 ASN1_ITEM_ptr(method->it));
198 return method->d2i(NULL, &p, ext->value->length);
199}
200
201/* Get critical flag and decoded version of extension from a NID.
202 * The "idx" variable returns the last found extension and can
203 * be used to retrieve multiple extensions of the same NID.
204 * However multiple extensions with the same NID is usually
205 * due to a badly encoded certificate so if idx is NULL we
206 * choke if multiple extensions exist.
207 * The "crit" variable is set to the critical value.
208 * The return value is the decoded extension or NULL on
209 * error. The actual error can have several different causes,
210 * the value of *crit reflects the cause:
211 * >= 0, extension found but not decoded (reflects critical value).
212 * -1 extension not found.
213 * -2 extension occurs more than once.
214 */
215
216void *
217X509V3_get_d2i(STACK_OF(X509_EXTENSION) *x, int nid, int *crit, int *idx)
218{
219 int lastpos, i;
220 X509_EXTENSION *ex, *found_ex = NULL;
221
222 if (!x) {
223 if (idx)
224 *idx = -1;
225 if (crit)
226 *crit = -1;
227 return NULL;
228 }
229 if (idx)
230 lastpos = *idx + 1;
231 else
232 lastpos = 0;
233 if (lastpos < 0)
234 lastpos = 0;
235 for (i = lastpos; i < sk_X509_EXTENSION_num(x); i++) {
236 ex = sk_X509_EXTENSION_value(x, i);
237 if (OBJ_obj2nid(ex->object) == nid) {
238 if (idx) {
239 *idx = i;
240 found_ex = ex;
241 break;
242 } else if (found_ex) {
243 /* Found more than one */
244 if (crit)
245 *crit = -2;
246 return NULL;
247 }
248 found_ex = ex;
249 }
250 }
251 if (found_ex) {
252 /* Found it */
253 if (crit)
254 *crit = X509_EXTENSION_get_critical(found_ex);
255 return X509V3_EXT_d2i(found_ex);
256 }
257
258 /* Extension not found */
259 if (idx)
260 *idx = -1;
261 if (crit)
262 *crit = -1;
263 return NULL;
264}
265
266/* This function is a general extension append, replace and delete utility.
267 * The precise operation is governed by the 'flags' value. The 'crit' and
268 * 'value' arguments (if relevant) are the extensions internal structure.
269 */
270
271int
272X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value,
273 int crit, unsigned long flags)
274{
275 int extidx = -1;
276 int errcode;
277 X509_EXTENSION *ext, *extmp;
278 unsigned long ext_op = flags & X509V3_ADD_OP_MASK;
279
280 /* If appending we don't care if it exists, otherwise
281 * look for existing extension.
282 */
283 if (ext_op != X509V3_ADD_APPEND)
284 extidx = X509v3_get_ext_by_NID(*x, nid, -1);
285
286 /* See if extension exists */
287 if (extidx >= 0) {
288 /* If keep existing, nothing to do */
289 if (ext_op == X509V3_ADD_KEEP_EXISTING)
290 return 1;
291 /* If default then its an error */
292 if (ext_op == X509V3_ADD_DEFAULT) {
293 errcode = X509V3_R_EXTENSION_EXISTS;
294 goto err;
295 }
296 /* If delete, just delete it */
297 if (ext_op == X509V3_ADD_DELETE) {
298 if (!sk_X509_EXTENSION_delete(*x, extidx))
299 return -1;
300 return 1;
301 }
302 } else {
303 /* If replace existing or delete, error since
304 * extension must exist
305 */
306 if ((ext_op == X509V3_ADD_REPLACE_EXISTING) ||
307 (ext_op == X509V3_ADD_DELETE)) {
308 errcode = X509V3_R_EXTENSION_NOT_FOUND;
309 goto err;
310 }
311 }
312
313 /* If we get this far then we have to create an extension:
314 * could have some flags for alternative encoding schemes...
315 */
316
317 ext = X509V3_EXT_i2d(nid, crit, value);
318
319 if (!ext) {
320 X509V3err(X509V3_F_X509V3_ADD1_I2D,
321 X509V3_R_ERROR_CREATING_EXTENSION);
322 return 0;
323 }
324
325 /* If extension exists replace it.. */
326 if (extidx >= 0) {
327 extmp = sk_X509_EXTENSION_value(*x, extidx);
328 X509_EXTENSION_free(extmp);
329 if (!sk_X509_EXTENSION_set(*x, extidx, ext))
330 return -1;
331 return 1;
332 }
333
334 if (!*x && !(*x = sk_X509_EXTENSION_new_null()))
335 return -1;
336 if (!sk_X509_EXTENSION_push(*x, ext))
337 return -1;
338
339 return 1;
340
341err:
342 if (!(flags & X509V3_ADD_SILENT))
343 X509V3err(X509V3_F_X509V3_ADD1_I2D, errcode);
344 return 0;
345}
diff --git a/src/lib/libcrypto/x509v3/v3_ncons.c b/src/lib/libcrypto/x509v3/v3_ncons.c
deleted file mode 100644
index 2af15726a8..0000000000
--- a/src/lib/libcrypto/x509v3/v3_ncons.c
+++ /dev/null
@@ -1,560 +0,0 @@
1/* $OpenBSD: v3_ncons.c,v 1.9 2015/07/29 16:13:48 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project.
4 */
5/* ====================================================================
6 * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include <string.h>
61
62#include <openssl/asn1t.h>
63#include <openssl/conf.h>
64#include <openssl/err.h>
65#include <openssl/x509v3.h>
66
67static void *v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method,
68 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
69static int i2r_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method,
70 void *a, BIO *bp, int ind);
71static int do_i2r_name_constraints(const X509V3_EXT_METHOD *method,
72 STACK_OF(GENERAL_SUBTREE) *trees, BIO *bp, int ind, char *name);
73static int print_nc_ipadd(BIO *bp, ASN1_OCTET_STRING *ip);
74
75static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc);
76static int nc_match_single(GENERAL_NAME *sub, GENERAL_NAME *gen);
77static int nc_dn(X509_NAME *sub, X509_NAME *nm);
78static int nc_dns(ASN1_IA5STRING *sub, ASN1_IA5STRING *dns);
79static int nc_email(ASN1_IA5STRING *sub, ASN1_IA5STRING *eml);
80static int nc_uri(ASN1_IA5STRING *uri, ASN1_IA5STRING *base);
81
82const X509V3_EXT_METHOD v3_name_constraints = {
83 .ext_nid = NID_name_constraints,
84 .ext_flags = 0,
85 .it = ASN1_ITEM_ref(NAME_CONSTRAINTS),
86 .ext_new = NULL,
87 .ext_free = NULL,
88 .d2i = NULL,
89 .i2d = NULL,
90 .i2s = NULL,
91 .s2i = NULL,
92 .i2v = NULL,
93 .v2i = v2i_NAME_CONSTRAINTS,
94 .i2r = i2r_NAME_CONSTRAINTS,
95 .r2i = NULL,
96 .usr_data = NULL,
97};
98
99static const ASN1_TEMPLATE GENERAL_SUBTREE_seq_tt[] = {
100 {
101 .flags = 0,
102 .tag = 0,
103 .offset = offsetof(GENERAL_SUBTREE, base),
104 .field_name = "base",
105 .item = &GENERAL_NAME_it,
106 },
107 {
108 .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL,
109 .tag = 0,
110 .offset = offsetof(GENERAL_SUBTREE, minimum),
111 .field_name = "minimum",
112 .item = &ASN1_INTEGER_it,
113 },
114 {
115 .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL,
116 .tag = 1,
117 .offset = offsetof(GENERAL_SUBTREE, maximum),
118 .field_name = "maximum",
119 .item = &ASN1_INTEGER_it,
120 },
121};
122
123const ASN1_ITEM GENERAL_SUBTREE_it = {
124 .itype = ASN1_ITYPE_SEQUENCE,
125 .utype = V_ASN1_SEQUENCE,
126 .templates = GENERAL_SUBTREE_seq_tt,
127 .tcount = sizeof(GENERAL_SUBTREE_seq_tt) / sizeof(ASN1_TEMPLATE),
128 .funcs = NULL,
129 .size = sizeof(GENERAL_SUBTREE),
130 .sname = "GENERAL_SUBTREE",
131};
132
133static const ASN1_TEMPLATE NAME_CONSTRAINTS_seq_tt[] = {
134 {
135 .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_OPTIONAL,
136 .tag = 0,
137 .offset = offsetof(NAME_CONSTRAINTS, permittedSubtrees),
138 .field_name = "permittedSubtrees",
139 .item = &GENERAL_SUBTREE_it,
140 },
141 {
142 .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_OPTIONAL,
143 .tag = 1,
144 .offset = offsetof(NAME_CONSTRAINTS, excludedSubtrees),
145 .field_name = "excludedSubtrees",
146 .item = &GENERAL_SUBTREE_it,
147 },
148};
149
150const ASN1_ITEM NAME_CONSTRAINTS_it = {
151 .itype = ASN1_ITYPE_SEQUENCE,
152 .utype = V_ASN1_SEQUENCE,
153 .templates = NAME_CONSTRAINTS_seq_tt,
154 .tcount = sizeof(NAME_CONSTRAINTS_seq_tt) / sizeof(ASN1_TEMPLATE),
155 .funcs = NULL,
156 .size = sizeof(NAME_CONSTRAINTS),
157 .sname = "NAME_CONSTRAINTS",
158};
159
160
161GENERAL_SUBTREE *
162GENERAL_SUBTREE_new(void)
163{
164 return (GENERAL_SUBTREE*)ASN1_item_new(&GENERAL_SUBTREE_it);
165}
166
167void
168GENERAL_SUBTREE_free(GENERAL_SUBTREE *a)
169{
170 ASN1_item_free((ASN1_VALUE *)a, &GENERAL_SUBTREE_it);
171}
172
173NAME_CONSTRAINTS *
174NAME_CONSTRAINTS_new(void)
175{
176 return (NAME_CONSTRAINTS*)ASN1_item_new(&NAME_CONSTRAINTS_it);
177}
178
179void
180NAME_CONSTRAINTS_free(NAME_CONSTRAINTS *a)
181{
182 ASN1_item_free((ASN1_VALUE *)a, &NAME_CONSTRAINTS_it);
183}
184
185static void *
186v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
187 STACK_OF(CONF_VALUE) *nval)
188{
189 int i;
190 CONF_VALUE tval, *val;
191 STACK_OF(GENERAL_SUBTREE) **ptree = NULL;
192 NAME_CONSTRAINTS *ncons = NULL;
193 GENERAL_SUBTREE *sub = NULL;
194
195 ncons = NAME_CONSTRAINTS_new();
196 if (!ncons)
197 goto memerr;
198 for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
199 val = sk_CONF_VALUE_value(nval, i);
200 if (!strncmp(val->name, "permitted", 9) && val->name[9]) {
201 ptree = &ncons->permittedSubtrees;
202 tval.name = val->name + 10;
203 } else if (!strncmp(val->name, "excluded", 8) && val->name[8]) {
204 ptree = &ncons->excludedSubtrees;
205 tval.name = val->name + 9;
206 } else {
207 X509V3err(X509V3_F_V2I_NAME_CONSTRAINTS,
208 X509V3_R_INVALID_SYNTAX);
209 goto err;
210 }
211 tval.value = val->value;
212 sub = GENERAL_SUBTREE_new();
213 if (!v2i_GENERAL_NAME_ex(sub->base, method, ctx, &tval, 1))
214 goto err;
215 if (!*ptree)
216 *ptree = sk_GENERAL_SUBTREE_new_null();
217 if (!*ptree || !sk_GENERAL_SUBTREE_push(*ptree, sub))
218 goto memerr;
219 sub = NULL;
220 }
221
222 return ncons;
223
224memerr:
225 X509V3err(X509V3_F_V2I_NAME_CONSTRAINTS, ERR_R_MALLOC_FAILURE);
226err:
227 if (ncons)
228 NAME_CONSTRAINTS_free(ncons);
229 if (sub)
230 GENERAL_SUBTREE_free(sub);
231
232 return NULL;
233}
234
235static int
236i2r_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method, void *a, BIO *bp, int ind)
237{
238 NAME_CONSTRAINTS *ncons = a;
239
240 do_i2r_name_constraints(method, ncons->permittedSubtrees,
241 bp, ind, "Permitted");
242 do_i2r_name_constraints(method, ncons->excludedSubtrees,
243 bp, ind, "Excluded");
244 return 1;
245}
246
247static int
248do_i2r_name_constraints(const X509V3_EXT_METHOD *method,
249 STACK_OF(GENERAL_SUBTREE) *trees, BIO *bp, int ind, char *name)
250{
251 GENERAL_SUBTREE *tree;
252 int i;
253
254 if (sk_GENERAL_SUBTREE_num(trees) > 0)
255 BIO_printf(bp, "%*s%s:\n", ind, "", name);
256 for (i = 0; i < sk_GENERAL_SUBTREE_num(trees); i++) {
257 tree = sk_GENERAL_SUBTREE_value(trees, i);
258 BIO_printf(bp, "%*s", ind + 2, "");
259 if (tree->base->type == GEN_IPADD)
260 print_nc_ipadd(bp, tree->base->d.ip);
261 else
262 GENERAL_NAME_print(bp, tree->base);
263 BIO_puts(bp, "\n");
264 }
265 return 1;
266}
267
268static int
269print_nc_ipadd(BIO *bp, ASN1_OCTET_STRING *ip)
270{
271 int i, len;
272 unsigned char *p;
273
274 p = ip->data;
275 len = ip->length;
276 BIO_puts(bp, "IP:");
277 if (len == 8) {
278 BIO_printf(bp, "%d.%d.%d.%d/%d.%d.%d.%d",
279 p[0], p[1], p[2], p[3], p[4], p[5], p[6], p[7]);
280 } else if (len == 32) {
281 for (i = 0; i < 16; i++) {
282 BIO_printf(bp, "%X", p[0] << 8 | p[1]);
283 p += 2;
284 if (i == 7)
285 BIO_puts(bp, "/");
286 else if (i != 15)
287 BIO_puts(bp, ":");
288 }
289 } else
290 BIO_printf(bp, "IP Address:<invalid>");
291 return 1;
292}
293
294/* Check a certificate conforms to a specified set of constraints.
295 * Return values:
296 * X509_V_OK: All constraints obeyed.
297 * X509_V_ERR_PERMITTED_VIOLATION: Permitted subtree violation.
298 * X509_V_ERR_EXCLUDED_VIOLATION: Excluded subtree violation.
299 * X509_V_ERR_SUBTREE_MINMAX: Min or max values present and matching type.
300 * X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE: Unsupported constraint type.
301 * X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX: bad unsupported constraint syntax.
302 * X509_V_ERR_UNSUPPORTED_NAME_SYNTAX: bad or unsupported syntax of name
303 */
304
305int
306NAME_CONSTRAINTS_check(X509 *x, NAME_CONSTRAINTS *nc)
307{
308 int r, i;
309 X509_NAME *nm;
310
311 nm = X509_get_subject_name(x);
312
313 if (X509_NAME_entry_count(nm) > 0) {
314 GENERAL_NAME gntmp;
315 gntmp.type = GEN_DIRNAME;
316 gntmp.d.directoryName = nm;
317
318 r = nc_match(&gntmp, nc);
319
320 if (r != X509_V_OK)
321 return r;
322
323 gntmp.type = GEN_EMAIL;
324
325 /* Process any email address attributes in subject name */
326
327 for (i = -1;;) {
328 X509_NAME_ENTRY *ne;
329 i = X509_NAME_get_index_by_NID(nm,
330 NID_pkcs9_emailAddress, i);
331 if (i == -1)
332 break;
333 ne = X509_NAME_get_entry(nm, i);
334 gntmp.d.rfc822Name = X509_NAME_ENTRY_get_data(ne);
335 if (gntmp.d.rfc822Name->type != V_ASN1_IA5STRING)
336 return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
337
338 r = nc_match(&gntmp, nc);
339
340 if (r != X509_V_OK)
341 return r;
342 }
343
344 }
345
346 for (i = 0; i < sk_GENERAL_NAME_num(x->altname); i++) {
347 GENERAL_NAME *gen = sk_GENERAL_NAME_value(x->altname, i);
348 r = nc_match(gen, nc);
349 if (r != X509_V_OK)
350 return r;
351 }
352
353 return X509_V_OK;
354}
355
356static int
357nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc)
358{
359 GENERAL_SUBTREE *sub;
360 int i, r, match = 0;
361
362 /* Permitted subtrees: if any subtrees exist of matching the type
363 * at least one subtree must match.
364 */
365
366 for (i = 0; i < sk_GENERAL_SUBTREE_num(nc->permittedSubtrees); i++) {
367 sub = sk_GENERAL_SUBTREE_value(nc->permittedSubtrees, i);
368 if (gen->type != sub->base->type)
369 continue;
370 if (sub->minimum || sub->maximum)
371 return X509_V_ERR_SUBTREE_MINMAX;
372 /* If we already have a match don't bother trying any more */
373 if (match == 2)
374 continue;
375 if (match == 0)
376 match = 1;
377 r = nc_match_single(gen, sub->base);
378 if (r == X509_V_OK)
379 match = 2;
380 else if (r != X509_V_ERR_PERMITTED_VIOLATION)
381 return r;
382 }
383
384 if (match == 1)
385 return X509_V_ERR_PERMITTED_VIOLATION;
386
387 /* Excluded subtrees: must not match any of these */
388
389 for (i = 0; i < sk_GENERAL_SUBTREE_num(nc->excludedSubtrees); i++) {
390 sub = sk_GENERAL_SUBTREE_value(nc->excludedSubtrees, i);
391 if (gen->type != sub->base->type)
392 continue;
393 if (sub->minimum || sub->maximum)
394 return X509_V_ERR_SUBTREE_MINMAX;
395
396 r = nc_match_single(gen, sub->base);
397 if (r == X509_V_OK)
398 return X509_V_ERR_EXCLUDED_VIOLATION;
399 else if (r != X509_V_ERR_PERMITTED_VIOLATION)
400 return r;
401
402 }
403
404 return X509_V_OK;
405}
406
407static int
408nc_match_single(GENERAL_NAME *gen, GENERAL_NAME *base)
409{
410 switch (base->type) {
411 case GEN_DIRNAME:
412 return nc_dn(gen->d.directoryName, base->d.directoryName);
413
414 case GEN_DNS:
415 return nc_dns(gen->d.dNSName, base->d.dNSName);
416
417 case GEN_EMAIL:
418 return nc_email(gen->d.rfc822Name, base->d.rfc822Name);
419
420 case GEN_URI:
421 return nc_uri(gen->d.uniformResourceIdentifier,
422 base->d.uniformResourceIdentifier);
423
424 default:
425 return X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE;
426 }
427}
428
429/* directoryName name constraint matching.
430 * The canonical encoding of X509_NAME makes this comparison easy. It is
431 * matched if the subtree is a subset of the name.
432 */
433
434static int
435nc_dn(X509_NAME *nm, X509_NAME *base)
436{
437 /* Ensure canonical encodings are up to date. */
438 if (nm->modified && i2d_X509_NAME(nm, NULL) < 0)
439 return X509_V_ERR_OUT_OF_MEM;
440 if (base->modified && i2d_X509_NAME(base, NULL) < 0)
441 return X509_V_ERR_OUT_OF_MEM;
442 if (base->canon_enclen > nm->canon_enclen)
443 return X509_V_ERR_PERMITTED_VIOLATION;
444 if (memcmp(base->canon_enc, nm->canon_enc, base->canon_enclen))
445 return X509_V_ERR_PERMITTED_VIOLATION;
446 return X509_V_OK;
447}
448
449static int
450nc_dns(ASN1_IA5STRING *dns, ASN1_IA5STRING *base)
451{
452 char *baseptr = (char *)base->data;
453 char *dnsptr = (char *)dns->data;
454
455 /* Empty matches everything */
456 if (!*baseptr)
457 return X509_V_OK;
458 /* Otherwise can add zero or more components on the left so
459 * compare RHS and if dns is longer and expect '.' as preceding
460 * character.
461 */
462 if (dns->length > base->length) {
463 dnsptr += dns->length - base->length;
464 if (dnsptr[-1] != '.')
465 return X509_V_ERR_PERMITTED_VIOLATION;
466 }
467
468 if (strcasecmp(baseptr, dnsptr))
469 return X509_V_ERR_PERMITTED_VIOLATION;
470
471 return X509_V_OK;
472}
473
474static int
475nc_email(ASN1_IA5STRING *eml, ASN1_IA5STRING *base)
476{
477 const char *baseptr = (char *)base->data;
478 const char *emlptr = (char *)eml->data;
479 const char *baseat = strchr(baseptr, '@');
480 const char *emlat = strchr(emlptr, '@');
481
482 if (!emlat)
483 return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
484 /* Special case: inital '.' is RHS match */
485 if (!baseat && (*baseptr == '.')) {
486 if (eml->length > base->length) {
487 emlptr += eml->length - base->length;
488 if (!strcasecmp(baseptr, emlptr))
489 return X509_V_OK;
490 }
491 return X509_V_ERR_PERMITTED_VIOLATION;
492 }
493
494 /* If we have anything before '@' match local part */
495
496 if (baseat) {
497 if (baseat != baseptr) {
498 if ((baseat - baseptr) != (emlat - emlptr))
499 return X509_V_ERR_PERMITTED_VIOLATION;
500 /* Case sensitive match of local part */
501 if (strncmp(baseptr, emlptr, emlat - emlptr))
502 return X509_V_ERR_PERMITTED_VIOLATION;
503 }
504 /* Position base after '@' */
505 baseptr = baseat + 1;
506 }
507 emlptr = emlat + 1;
508 /* Just have hostname left to match: case insensitive */
509 if (strcasecmp(baseptr, emlptr))
510 return X509_V_ERR_PERMITTED_VIOLATION;
511
512 return X509_V_OK;
513}
514
515static int
516nc_uri(ASN1_IA5STRING *uri, ASN1_IA5STRING *base)
517{
518 const char *baseptr = (char *)base->data;
519 const char *hostptr = (char *)uri->data;
520 const char *p = strchr(hostptr, ':');
521 int hostlen;
522
523 /* Check for foo:// and skip past it */
524 if (!p || (p[1] != '/') || (p[2] != '/'))
525 return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
526 hostptr = p + 3;
527
528 /* Determine length of hostname part of URI */
529
530 /* Look for a port indicator as end of hostname first */
531
532 p = strchr(hostptr, ':');
533 /* Otherwise look for trailing slash */
534 if (!p)
535 p = strchr(hostptr, '/');
536
537 if (!p)
538 hostlen = strlen(hostptr);
539 else
540 hostlen = p - hostptr;
541
542 if (hostlen == 0)
543 return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
544
545 /* Special case: inital '.' is RHS match */
546 if (*baseptr == '.') {
547 if (hostlen > base->length) {
548 p = hostptr + hostlen - base->length;
549 if (!strncasecmp(p, baseptr, base->length))
550 return X509_V_OK;
551 }
552 return X509_V_ERR_PERMITTED_VIOLATION;
553 }
554
555 if ((base->length != (int)hostlen) ||
556 strncasecmp(hostptr, baseptr, hostlen))
557 return X509_V_ERR_PERMITTED_VIOLATION;
558
559 return X509_V_OK;
560}
diff --git a/src/lib/libcrypto/x509v3/v3_ocsp.c b/src/lib/libcrypto/x509v3/v3_ocsp.c
deleted file mode 100644
index 696eee5adc..0000000000
--- a/src/lib/libcrypto/x509v3/v3_ocsp.c
+++ /dev/null
@@ -1,380 +0,0 @@
1/* $OpenBSD: v3_ocsp.c,v 1.13 2015/09/30 18:41:06 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include <string.h>
61
62#include <openssl/opensslconf.h>
63
64#ifndef OPENSSL_NO_OCSP
65
66#include <openssl/asn1.h>
67#include <openssl/conf.h>
68#include <openssl/err.h>
69#include <openssl/ocsp.h>
70#include <openssl/x509v3.h>
71
72/* OCSP extensions and a couple of CRL entry extensions
73 */
74
75static int i2r_ocsp_crlid(const X509V3_EXT_METHOD *method, void *nonce,
76 BIO *out, int indent);
77static int i2r_ocsp_acutoff(const X509V3_EXT_METHOD *method, void *nonce,
78 BIO *out, int indent);
79static int i2r_object(const X509V3_EXT_METHOD *method, void *obj, BIO *out,
80 int indent);
81
82static void *ocsp_nonce_new(void);
83static int i2d_ocsp_nonce(void *a, unsigned char **pp);
84static void *d2i_ocsp_nonce(void *a, const unsigned char **pp, long length);
85static void ocsp_nonce_free(void *a);
86static int i2r_ocsp_nonce(const X509V3_EXT_METHOD *method, void *nonce,
87 BIO *out, int indent);
88
89static int i2r_ocsp_nocheck(const X509V3_EXT_METHOD *method,
90 void *nocheck, BIO *out, int indent);
91static void *s2i_ocsp_nocheck(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
92 const char *str);
93static int i2r_ocsp_serviceloc(const X509V3_EXT_METHOD *method, void *in,
94 BIO *bp, int ind);
95
96const X509V3_EXT_METHOD v3_ocsp_crlid = {
97 .ext_nid = NID_id_pkix_OCSP_CrlID,
98 .ext_flags = 0,
99 .it = ASN1_ITEM_ref(OCSP_CRLID),
100 .ext_new = NULL,
101 .ext_free = NULL,
102 .d2i = NULL,
103 .i2d = NULL,
104 .i2s = NULL,
105 .s2i = NULL,
106 .i2v = NULL,
107 .v2i = NULL,
108 .i2r = i2r_ocsp_crlid,
109 .r2i = NULL,
110 .usr_data = NULL,
111};
112
113const X509V3_EXT_METHOD v3_ocsp_acutoff = {
114 .ext_nid = NID_id_pkix_OCSP_archiveCutoff,
115 .ext_flags = 0,
116 .it = ASN1_ITEM_ref(ASN1_GENERALIZEDTIME),
117 .ext_new = NULL,
118 .ext_free = NULL,
119 .d2i = NULL,
120 .i2d = NULL,
121 .i2s = NULL,
122 .s2i = NULL,
123 .i2v = NULL,
124 .v2i = NULL,
125 .i2r = i2r_ocsp_acutoff,
126 .r2i = NULL,
127 .usr_data = NULL,
128};
129
130const X509V3_EXT_METHOD v3_crl_invdate = {
131 .ext_nid = NID_invalidity_date,
132 .ext_flags = 0,
133 .it = ASN1_ITEM_ref(ASN1_GENERALIZEDTIME),
134 .ext_new = NULL,
135 .ext_free = NULL,
136 .d2i = NULL,
137 .i2d = NULL,
138 .i2s = NULL,
139 .s2i = NULL,
140 .i2v = NULL,
141 .v2i = NULL,
142 .i2r = i2r_ocsp_acutoff,
143 .r2i = NULL,
144 .usr_data = NULL,
145};
146
147const X509V3_EXT_METHOD v3_crl_hold = {
148 .ext_nid = NID_hold_instruction_code,
149 .ext_flags = 0,
150 .it = ASN1_ITEM_ref(ASN1_OBJECT),
151 .ext_new = NULL,
152 .ext_free = NULL,
153 .d2i = NULL,
154 .i2d = NULL,
155 .i2s = NULL,
156 .s2i = NULL,
157 .i2v = NULL,
158 .v2i = NULL,
159 .i2r = i2r_object,
160 .r2i = NULL,
161 .usr_data = NULL,
162};
163
164const X509V3_EXT_METHOD v3_ocsp_nonce = {
165 .ext_nid = NID_id_pkix_OCSP_Nonce,
166 .ext_flags = 0,
167 .it = NULL,
168 .ext_new = ocsp_nonce_new,
169 .ext_free = ocsp_nonce_free,
170 .d2i = d2i_ocsp_nonce,
171 .i2d = i2d_ocsp_nonce,
172 .i2s = NULL,
173 .s2i = NULL,
174 .i2v = NULL,
175 .v2i = NULL,
176 .i2r = i2r_ocsp_nonce,
177 .r2i = NULL,
178 .usr_data = NULL,
179};
180
181const X509V3_EXT_METHOD v3_ocsp_nocheck = {
182 .ext_nid = NID_id_pkix_OCSP_noCheck,
183 .ext_flags = 0,
184 .it = ASN1_ITEM_ref(ASN1_NULL),
185 .ext_new = NULL,
186 .ext_free = NULL,
187 .d2i = NULL,
188 .i2d = NULL,
189 .i2s = NULL,
190 .s2i = s2i_ocsp_nocheck,
191 .i2v = NULL,
192 .v2i = NULL,
193 .i2r = i2r_ocsp_nocheck,
194 .r2i = NULL,
195 .usr_data = NULL,
196};
197
198const X509V3_EXT_METHOD v3_ocsp_serviceloc = {
199 .ext_nid = NID_id_pkix_OCSP_serviceLocator,
200 .ext_flags = 0,
201 .it = ASN1_ITEM_ref(OCSP_SERVICELOC),
202 .ext_new = NULL,
203 .ext_free = NULL,
204 .d2i = NULL,
205 .i2d = NULL,
206 .i2s = NULL,
207 .s2i = NULL,
208 .i2v = NULL,
209 .v2i = NULL,
210 .i2r = i2r_ocsp_serviceloc,
211 .r2i = NULL,
212 .usr_data = NULL,
213};
214
215static int
216i2r_ocsp_crlid(const X509V3_EXT_METHOD *method, void *in, BIO *bp, int ind)
217{
218 OCSP_CRLID *a = in;
219 if (a->crlUrl) {
220 if (BIO_printf(bp, "%*scrlUrl: ", ind, "") <= 0)
221 goto err;
222 if (!ASN1_STRING_print(bp, (ASN1_STRING*)a->crlUrl))
223 goto err;
224 if (BIO_write(bp, "\n", 1) <= 0)
225 goto err;
226 }
227 if (a->crlNum) {
228 if (BIO_printf(bp, "%*scrlNum: ", ind, "") <= 0)
229 goto err;
230 if (i2a_ASN1_INTEGER(bp, a->crlNum) <= 0)
231 goto err;
232 if (BIO_write(bp, "\n", 1) <= 0)
233 goto err;
234 }
235 if (a->crlTime) {
236 if (BIO_printf(bp, "%*scrlTime: ", ind, "") <= 0)
237 goto err;
238 if (!ASN1_GENERALIZEDTIME_print(bp, a->crlTime))
239 goto err;
240 if (BIO_write(bp, "\n", 1) <= 0)
241 goto err;
242 }
243 return 1;
244
245err:
246 return 0;
247}
248
249static int
250i2r_ocsp_acutoff(const X509V3_EXT_METHOD *method, void *cutoff, BIO *bp,
251 int ind)
252{
253 if (BIO_printf(bp, "%*s", ind, "") <= 0)
254 return 0;
255 if (!ASN1_GENERALIZEDTIME_print(bp, cutoff))
256 return 0;
257 return 1;
258}
259
260static int
261i2r_object(const X509V3_EXT_METHOD *method, void *oid, BIO *bp, int ind)
262{
263 if (BIO_printf(bp, "%*s", ind, "") <= 0)
264 return 0;
265 if (i2a_ASN1_OBJECT(bp, oid) <= 0)
266 return 0;
267 return 1;
268}
269
270/* OCSP nonce. This is needs special treatment because it doesn't have
271 * an ASN1 encoding at all: it just contains arbitrary data.
272 */
273
274static void *
275ocsp_nonce_new(void)
276{
277 return ASN1_OCTET_STRING_new();
278}
279
280static int
281i2d_ocsp_nonce(void *a, unsigned char **pp)
282{
283 ASN1_OCTET_STRING *os = a;
284
285 if (pp) {
286 memcpy(*pp, os->data, os->length);
287 *pp += os->length;
288 }
289 return os->length;
290}
291
292static void *
293d2i_ocsp_nonce(void *a, const unsigned char **pp, long length)
294{
295 ASN1_OCTET_STRING *os, **pos;
296
297 pos = a;
298 if (pos == NULL || *pos == NULL) {
299 os = ASN1_OCTET_STRING_new();
300 if (os == NULL)
301 goto err;
302 } else
303 os = *pos;
304 if (ASN1_OCTET_STRING_set(os, *pp, length) == 0)
305 goto err;
306
307 *pp += length;
308
309 if (pos != NULL)
310 *pos = os;
311 return os;
312
313err:
314 if (pos == NULL || *pos != os)
315 ASN1_OCTET_STRING_free(os);
316 OCSPerr(OCSP_F_D2I_OCSP_NONCE, ERR_R_MALLOC_FAILURE);
317 return NULL;
318}
319
320static void
321ocsp_nonce_free(void *a)
322{
323 ASN1_OCTET_STRING_free(a);
324}
325
326static int
327i2r_ocsp_nonce(const X509V3_EXT_METHOD *method, void *nonce, BIO *out,
328 int indent)
329{
330 if (BIO_printf(out, "%*s", indent, "") <= 0)
331 return 0;
332 if (i2a_ASN1_STRING(out, nonce, V_ASN1_OCTET_STRING) <= 0)
333 return 0;
334 return 1;
335}
336
337/* Nocheck is just a single NULL. Don't print anything and always set it */
338
339static int
340i2r_ocsp_nocheck(const X509V3_EXT_METHOD *method, void *nocheck, BIO *out,
341 int indent)
342{
343 return 1;
344}
345
346static void *
347s2i_ocsp_nocheck(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
348 const char *str)
349{
350 return ASN1_NULL_new();
351}
352
353static int
354i2r_ocsp_serviceloc(const X509V3_EXT_METHOD *method, void *in, BIO *bp, int ind)
355{
356 int i;
357 OCSP_SERVICELOC *a = in;
358 ACCESS_DESCRIPTION *ad;
359
360 if (BIO_printf(bp, "%*sIssuer: ", ind, "") <= 0)
361 goto err;
362 if (X509_NAME_print_ex(bp, a->issuer, 0, XN_FLAG_ONELINE) <= 0)
363 goto err;
364 for (i = 0; i < sk_ACCESS_DESCRIPTION_num(a->locator); i++) {
365 ad = sk_ACCESS_DESCRIPTION_value(a->locator, i);
366 if (BIO_printf(bp, "\n%*s", (2 * ind), "") <= 0)
367 goto err;
368 if (i2a_ASN1_OBJECT(bp, ad->method) <= 0)
369 goto err;
370 if (BIO_puts(bp, " - ") <= 0)
371 goto err;
372 if (GENERAL_NAME_print(bp, ad->location) <= 0)
373 goto err;
374 }
375 return 1;
376
377err:
378 return 0;
379}
380#endif
diff --git a/src/lib/libcrypto/x509v3/v3_pci.c b/src/lib/libcrypto/x509v3/v3_pci.c
deleted file mode 100644
index ff1d087667..0000000000
--- a/src/lib/libcrypto/x509v3/v3_pci.c
+++ /dev/null
@@ -1,332 +0,0 @@
1/* $OpenBSD: v3_pci.c,v 1.10 2015/07/29 16:13:49 jsing Exp $ */
2/* Contributed to the OpenSSL Project 2004
3 * by Richard Levitte (richard@levitte.org)
4 */
5/* Copyright (c) 2004 Kungliga Tekniska Högskolan
6 * (Royal Institute of Technology, Stockholm, Sweden).
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 *
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 *
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in the
18 * documentation and/or other materials provided with the distribution.
19 *
20 * 3. Neither the name of the Institute nor the names of its contributors
21 * may be used to endorse or promote products derived from this software
22 * without specific prior written permission.
23 *
24 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
25 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
26 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
27 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
28 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
29 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
30 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
31 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
32 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
33 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 * SUCH DAMAGE.
35 */
36
37#include <stdio.h>
38#include <string.h>
39
40#include <openssl/conf.h>
41#include <openssl/err.h>
42#include <openssl/x509v3.h>
43
44static int i2r_pci(X509V3_EXT_METHOD *method, PROXY_CERT_INFO_EXTENSION *ext,
45 BIO *out, int indent);
46static PROXY_CERT_INFO_EXTENSION *r2i_pci(X509V3_EXT_METHOD *method,
47 X509V3_CTX *ctx, char *str);
48
49const X509V3_EXT_METHOD v3_pci = {
50 .ext_nid = NID_proxyCertInfo,
51 .ext_flags = 0,
52 .it = ASN1_ITEM_ref(PROXY_CERT_INFO_EXTENSION),
53 .ext_new = NULL,
54 .ext_free = NULL,
55 .d2i = NULL,
56 .i2d = NULL,
57 .i2s = NULL,
58 .s2i = NULL,
59 .i2v = NULL,
60 .v2i = NULL,
61 .i2r = (X509V3_EXT_I2R)i2r_pci,
62 .r2i = (X509V3_EXT_R2I)r2i_pci,
63 .usr_data = NULL,
64};
65
66static int
67i2r_pci(X509V3_EXT_METHOD *method, PROXY_CERT_INFO_EXTENSION *pci, BIO *out,
68 int indent)
69{
70 BIO_printf(out, "%*sPath Length Constraint: ", indent, "");
71 if (pci->pcPathLengthConstraint)
72 i2a_ASN1_INTEGER(out, pci->pcPathLengthConstraint);
73 else
74 BIO_printf(out, "infinite");
75 BIO_puts(out, "\n");
76 BIO_printf(out, "%*sPolicy Language: ", indent, "");
77 i2a_ASN1_OBJECT(out, pci->proxyPolicy->policyLanguage);
78 BIO_puts(out, "\n");
79 if (pci->proxyPolicy->policy && pci->proxyPolicy->policy->data)
80 BIO_printf(out, "%*sPolicy Text: %s\n", indent, "",
81 pci->proxyPolicy->policy->data);
82 return 1;
83}
84
85static int
86process_pci_value(CONF_VALUE *val, ASN1_OBJECT **language,
87 ASN1_INTEGER **pathlen, ASN1_OCTET_STRING **policy)
88{
89 int free_policy = 0;
90
91 if (strcmp(val->name, "language") == 0) {
92 if (*language) {
93 X509V3err(X509V3_F_PROCESS_PCI_VALUE,
94 X509V3_R_POLICY_LANGUAGE_ALREADY_DEFINED);
95 X509V3_conf_err(val);
96 return 0;
97 }
98 if (!(*language = OBJ_txt2obj(val->value, 0))) {
99 X509V3err(X509V3_F_PROCESS_PCI_VALUE,
100 X509V3_R_INVALID_OBJECT_IDENTIFIER);
101 X509V3_conf_err(val);
102 return 0;
103 }
104 }
105 else if (strcmp(val->name, "pathlen") == 0) {
106 if (*pathlen) {
107 X509V3err(X509V3_F_PROCESS_PCI_VALUE,
108 X509V3_R_POLICY_PATH_LENGTH_ALREADY_DEFINED);
109 X509V3_conf_err(val);
110 return 0;
111 }
112 if (!X509V3_get_value_int(val, pathlen)) {
113 X509V3err(X509V3_F_PROCESS_PCI_VALUE,
114 X509V3_R_POLICY_PATH_LENGTH);
115 X509V3_conf_err(val);
116 return 0;
117 }
118 }
119 else if (strcmp(val->name, "policy") == 0) {
120 unsigned char *tmp_data = NULL;
121 long val_len;
122 if (!*policy) {
123 *policy = ASN1_OCTET_STRING_new();
124 if (!*policy) {
125 X509V3err(X509V3_F_PROCESS_PCI_VALUE,
126 ERR_R_MALLOC_FAILURE);
127 X509V3_conf_err(val);
128 return 0;
129 }
130 free_policy = 1;
131 }
132 if (strncmp(val->value, "hex:", 4) == 0) {
133 unsigned char *tmp_data2 =
134 string_to_hex(val->value + 4, &val_len);
135
136 if (!tmp_data2) {
137 X509V3err(X509V3_F_PROCESS_PCI_VALUE,
138 X509V3_R_ILLEGAL_HEX_DIGIT);
139 X509V3_conf_err(val);
140 goto err;
141 }
142
143 tmp_data = realloc((*policy)->data,
144 (*policy)->length + val_len + 1);
145 if (tmp_data) {
146 (*policy)->data = tmp_data;
147 memcpy(&(*policy)->data[(*policy)->length],
148 tmp_data2, val_len);
149 (*policy)->length += val_len;
150 (*policy)->data[(*policy)->length] = '\0';
151 } else {
152 free(tmp_data2);
153 free((*policy)->data);
154 (*policy)->data = NULL;
155 (*policy)->length = 0;
156 X509V3err(X509V3_F_PROCESS_PCI_VALUE,
157 ERR_R_MALLOC_FAILURE);
158 X509V3_conf_err(val);
159 goto err;
160 }
161 free(tmp_data2);
162 }
163 else if (strncmp(val->value, "file:", 5) == 0) {
164 unsigned char buf[2048];
165 int n;
166 BIO *b = BIO_new_file(val->value + 5, "r");
167 if (!b) {
168 X509V3err(X509V3_F_PROCESS_PCI_VALUE,
169 ERR_R_BIO_LIB);
170 X509V3_conf_err(val);
171 goto err;
172 }
173 while ((n = BIO_read(b, buf, sizeof(buf))) > 0 ||
174 (n == 0 && BIO_should_retry(b))) {
175 if (!n)
176 continue;
177
178 tmp_data = realloc((*policy)->data,
179 (*policy)->length + n + 1);
180
181 if (!tmp_data)
182 break;
183
184 (*policy)->data = tmp_data;
185 memcpy(&(*policy)->data[(*policy)->length],
186 buf, n);
187 (*policy)->length += n;
188 (*policy)->data[(*policy)->length] = '\0';
189 }
190 BIO_free_all(b);
191
192 if (n < 0) {
193 X509V3err(X509V3_F_PROCESS_PCI_VALUE,
194 ERR_R_BIO_LIB);
195 X509V3_conf_err(val);
196 goto err;
197 }
198 }
199 else if (strncmp(val->value, "text:", 5) == 0) {
200 val_len = strlen(val->value + 5);
201 tmp_data = realloc((*policy)->data,
202 (*policy)->length + val_len + 1);
203 if (tmp_data) {
204 (*policy)->data = tmp_data;
205 memcpy(&(*policy)->data[(*policy)->length],
206 val->value + 5, val_len);
207 (*policy)->length += val_len;
208 (*policy)->data[(*policy)->length] = '\0';
209 } else {
210 free((*policy)->data);
211 (*policy)->data = NULL;
212 (*policy)->length = 0;
213 X509V3err(X509V3_F_PROCESS_PCI_VALUE,
214 ERR_R_MALLOC_FAILURE);
215 X509V3_conf_err(val);
216 goto err;
217 }
218 } else {
219 X509V3err(X509V3_F_PROCESS_PCI_VALUE,
220 X509V3_R_INCORRECT_POLICY_SYNTAX_TAG);
221 X509V3_conf_err(val);
222 goto err;
223 }
224 if (!tmp_data) {
225 X509V3err(X509V3_F_PROCESS_PCI_VALUE,
226 ERR_R_MALLOC_FAILURE);
227 X509V3_conf_err(val);
228 goto err;
229 }
230 }
231 return 1;
232
233err:
234 if (free_policy) {
235 ASN1_OCTET_STRING_free(*policy);
236 *policy = NULL;
237 }
238 return 0;
239}
240
241static PROXY_CERT_INFO_EXTENSION *
242r2i_pci(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *value)
243{
244 PROXY_CERT_INFO_EXTENSION *pci = NULL;
245 STACK_OF(CONF_VALUE) *vals;
246 ASN1_OBJECT *language = NULL;
247 ASN1_INTEGER *pathlen = NULL;
248 ASN1_OCTET_STRING *policy = NULL;
249 int i, j;
250
251 vals = X509V3_parse_list(value);
252 for (i = 0; i < sk_CONF_VALUE_num(vals); i++) {
253 CONF_VALUE *cnf = sk_CONF_VALUE_value(vals, i);
254 if (!cnf->name || (*cnf->name != '@' && !cnf->value)) {
255 X509V3err(X509V3_F_R2I_PCI,
256 X509V3_R_INVALID_PROXY_POLICY_SETTING);
257 X509V3_conf_err(cnf);
258 goto err;
259 }
260 if (*cnf->name == '@') {
261 STACK_OF(CONF_VALUE) *sect;
262 int success_p = 1;
263
264 sect = X509V3_get_section(ctx, cnf->name + 1);
265 if (!sect) {
266 X509V3err(X509V3_F_R2I_PCI,
267 X509V3_R_INVALID_SECTION);
268 X509V3_conf_err(cnf);
269 goto err;
270 }
271 for (j = 0; success_p &&
272 j < sk_CONF_VALUE_num(sect); j++) {
273 success_p = process_pci_value(
274 sk_CONF_VALUE_value(sect, j),
275 &language, &pathlen, &policy);
276 }
277 X509V3_section_free(ctx, sect);
278 if (!success_p)
279 goto err;
280 } else {
281 if (!process_pci_value(cnf,
282 &language, &pathlen, &policy)) {
283 X509V3_conf_err(cnf);
284 goto err;
285 }
286 }
287 }
288
289 /* Language is mandatory */
290 if (!language) {
291 X509V3err(X509V3_F_R2I_PCI,
292 X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED);
293 goto err;
294 }
295 i = OBJ_obj2nid(language);
296 if ((i == NID_Independent || i == NID_id_ppl_inheritAll) && policy) {
297 X509V3err(X509V3_F_R2I_PCI,
298 X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY);
299 goto err;
300 }
301
302 pci = PROXY_CERT_INFO_EXTENSION_new();
303 if (!pci) {
304 X509V3err(X509V3_F_R2I_PCI, ERR_R_MALLOC_FAILURE);
305 goto err;
306 }
307
308 pci->proxyPolicy->policyLanguage = language;
309 language = NULL;
310 pci->proxyPolicy->policy = policy;
311 policy = NULL;
312 pci->pcPathLengthConstraint = pathlen;
313 pathlen = NULL;
314 goto end;
315
316err:
317 if (language) {
318 ASN1_OBJECT_free(language);
319 language = NULL;
320 }
321 if (pathlen) {
322 ASN1_INTEGER_free(pathlen);
323 pathlen = NULL;
324 }
325 if (policy) {
326 ASN1_OCTET_STRING_free(policy);
327 policy = NULL;
328 }
329end:
330 sk_CONF_VALUE_pop_free(vals, X509V3_conf_free);
331 return pci;
332}
diff --git a/src/lib/libcrypto/x509v3/v3_pcia.c b/src/lib/libcrypto/x509v3/v3_pcia.c
deleted file mode 100644
index f9ec02c00a..0000000000
--- a/src/lib/libcrypto/x509v3/v3_pcia.c
+++ /dev/null
@@ -1,145 +0,0 @@
1/* $OpenBSD: v3_pcia.c,v 1.6 2015/07/25 16:00:14 jsing Exp $ */
2/* Contributed to the OpenSSL Project 2004
3 * by Richard Levitte (richard@levitte.org)
4 */
5/* Copyright (c) 2004 Kungliga Tekniska Högskolan
6 * (Royal Institute of Technology, Stockholm, Sweden).
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 *
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 *
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in the
18 * documentation and/or other materials provided with the distribution.
19 *
20 * 3. Neither the name of the Institute nor the names of its contributors
21 * may be used to endorse or promote products derived from this software
22 * without specific prior written permission.
23 *
24 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
25 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
26 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
27 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
28 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
29 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
30 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
31 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
32 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
33 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 * SUCH DAMAGE.
35 */
36
37#include <openssl/asn1.h>
38#include <openssl/asn1t.h>
39#include <openssl/x509v3.h>
40
41static const ASN1_TEMPLATE PROXY_POLICY_seq_tt[] = {
42 {
43 .flags = 0,
44 .tag = 0,
45 .offset = offsetof(PROXY_POLICY, policyLanguage),
46 .field_name = "policyLanguage",
47 .item = &ASN1_OBJECT_it,
48 },
49 {
50 .flags = ASN1_TFLG_OPTIONAL,
51 .tag = 0,
52 .offset = offsetof(PROXY_POLICY, policy),
53 .field_name = "policy",
54 .item = &ASN1_OCTET_STRING_it,
55 },
56};
57
58const ASN1_ITEM PROXY_POLICY_it = {
59 .itype = ASN1_ITYPE_SEQUENCE,
60 .utype = V_ASN1_SEQUENCE,
61 .templates = PROXY_POLICY_seq_tt,
62 .tcount = sizeof(PROXY_POLICY_seq_tt) / sizeof(ASN1_TEMPLATE),
63 .funcs = NULL,
64 .size = sizeof(PROXY_POLICY),
65 .sname = "PROXY_POLICY",
66};
67
68
69PROXY_POLICY *
70d2i_PROXY_POLICY(PROXY_POLICY **a, const unsigned char **in, long len)
71{
72 return (PROXY_POLICY *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
73 &PROXY_POLICY_it);
74}
75
76int
77i2d_PROXY_POLICY(PROXY_POLICY *a, unsigned char **out)
78{
79 return ASN1_item_i2d((ASN1_VALUE *)a, out, &PROXY_POLICY_it);
80}
81
82PROXY_POLICY *
83PROXY_POLICY_new(void)
84{
85 return (PROXY_POLICY *)ASN1_item_new(&PROXY_POLICY_it);
86}
87
88void
89PROXY_POLICY_free(PROXY_POLICY *a)
90{
91 ASN1_item_free((ASN1_VALUE *)a, &PROXY_POLICY_it);
92}
93
94static const ASN1_TEMPLATE PROXY_CERT_INFO_EXTENSION_seq_tt[] = {
95 {
96 .flags = ASN1_TFLG_OPTIONAL,
97 .tag = 0,
98 .offset = offsetof(PROXY_CERT_INFO_EXTENSION, pcPathLengthConstraint),
99 .field_name = "pcPathLengthConstraint",
100 .item = &ASN1_INTEGER_it,
101 },
102 {
103 .flags = 0,
104 .tag = 0,
105 .offset = offsetof(PROXY_CERT_INFO_EXTENSION, proxyPolicy),
106 .field_name = "proxyPolicy",
107 .item = &PROXY_POLICY_it,
108 },
109};
110
111const ASN1_ITEM PROXY_CERT_INFO_EXTENSION_it = {
112 .itype = ASN1_ITYPE_SEQUENCE,
113 .utype = V_ASN1_SEQUENCE,
114 .templates = PROXY_CERT_INFO_EXTENSION_seq_tt,
115 .tcount = sizeof(PROXY_CERT_INFO_EXTENSION_seq_tt) / sizeof(ASN1_TEMPLATE),
116 .funcs = NULL,
117 .size = sizeof(PROXY_CERT_INFO_EXTENSION),
118 .sname = "PROXY_CERT_INFO_EXTENSION",
119};
120
121
122PROXY_CERT_INFO_EXTENSION *
123d2i_PROXY_CERT_INFO_EXTENSION(PROXY_CERT_INFO_EXTENSION **a, const unsigned char **in, long len)
124{
125 return (PROXY_CERT_INFO_EXTENSION *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
126 &PROXY_CERT_INFO_EXTENSION_it);
127}
128
129int
130i2d_PROXY_CERT_INFO_EXTENSION(PROXY_CERT_INFO_EXTENSION *a, unsigned char **out)
131{
132 return ASN1_item_i2d((ASN1_VALUE *)a, out, &PROXY_CERT_INFO_EXTENSION_it);
133}
134
135PROXY_CERT_INFO_EXTENSION *
136PROXY_CERT_INFO_EXTENSION_new(void)
137{
138 return (PROXY_CERT_INFO_EXTENSION *)ASN1_item_new(&PROXY_CERT_INFO_EXTENSION_it);
139}
140
141void
142PROXY_CERT_INFO_EXTENSION_free(PROXY_CERT_INFO_EXTENSION *a)
143{
144 ASN1_item_free((ASN1_VALUE *)a, &PROXY_CERT_INFO_EXTENSION_it);
145}
diff --git a/src/lib/libcrypto/x509v3/v3_pcons.c b/src/lib/libcrypto/x509v3/v3_pcons.c
deleted file mode 100644
index a5a8d8a025..0000000000
--- a/src/lib/libcrypto/x509v3/v3_pcons.c
+++ /dev/null
@@ -1,183 +0,0 @@
1/* $OpenBSD: v3_pcons.c,v 1.9 2015/07/29 16:13:49 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project.
4 */
5/* ====================================================================
6 * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include <string.h>
61
62#include <openssl/asn1.h>
63#include <openssl/asn1t.h>
64#include <openssl/conf.h>
65#include <openssl/err.h>
66#include <openssl/x509v3.h>
67
68static STACK_OF(CONF_VALUE) *
69i2v_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD *method, void *bcons,
70 STACK_OF(CONF_VALUE) *extlist);
71static void *v2i_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD *method,
72 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values);
73
74const X509V3_EXT_METHOD v3_policy_constraints = {
75 .ext_nid = NID_policy_constraints,
76 .ext_flags = 0,
77 .it = ASN1_ITEM_ref(POLICY_CONSTRAINTS),
78 .ext_new = NULL,
79 .ext_free = NULL,
80 .d2i = NULL,
81 .i2d = NULL,
82 .i2s = NULL,
83 .s2i = NULL,
84 .i2v = i2v_POLICY_CONSTRAINTS,
85 .v2i = v2i_POLICY_CONSTRAINTS,
86 .i2r = NULL,
87 .r2i = NULL,
88 .usr_data = NULL,
89};
90
91static const ASN1_TEMPLATE POLICY_CONSTRAINTS_seq_tt[] = {
92 {
93 .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL,
94 .tag = 0,
95 .offset = offsetof(POLICY_CONSTRAINTS, requireExplicitPolicy),
96 .field_name = "requireExplicitPolicy",
97 .item = &ASN1_INTEGER_it,
98 },
99 {
100 .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL,
101 .tag = 1,
102 .offset = offsetof(POLICY_CONSTRAINTS, inhibitPolicyMapping),
103 .field_name = "inhibitPolicyMapping",
104 .item = &ASN1_INTEGER_it,
105 },
106};
107
108const ASN1_ITEM POLICY_CONSTRAINTS_it = {
109 .itype = ASN1_ITYPE_SEQUENCE,
110 .utype = V_ASN1_SEQUENCE,
111 .templates = POLICY_CONSTRAINTS_seq_tt,
112 .tcount = sizeof(POLICY_CONSTRAINTS_seq_tt) / sizeof(ASN1_TEMPLATE),
113 .funcs = NULL,
114 .size = sizeof(POLICY_CONSTRAINTS),
115 .sname = "POLICY_CONSTRAINTS",
116};
117
118
119POLICY_CONSTRAINTS *
120POLICY_CONSTRAINTS_new(void)
121{
122 return (POLICY_CONSTRAINTS*)ASN1_item_new(&POLICY_CONSTRAINTS_it);
123}
124
125void
126POLICY_CONSTRAINTS_free(POLICY_CONSTRAINTS *a)
127{
128 ASN1_item_free((ASN1_VALUE *)a, &POLICY_CONSTRAINTS_it);
129}
130
131static STACK_OF(CONF_VALUE) *
132i2v_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD *method, void *a,
133 STACK_OF(CONF_VALUE) *extlist)
134{
135 POLICY_CONSTRAINTS *pcons = a;
136
137 X509V3_add_value_int("Require Explicit Policy",
138 pcons->requireExplicitPolicy, &extlist);
139 X509V3_add_value_int("Inhibit Policy Mapping",
140 pcons->inhibitPolicyMapping, &extlist);
141 return extlist;
142}
143
144static void *
145v2i_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
146 STACK_OF(CONF_VALUE) *values)
147{
148 POLICY_CONSTRAINTS *pcons = NULL;
149 CONF_VALUE *val;
150 int i;
151
152 if (!(pcons = POLICY_CONSTRAINTS_new())) {
153 X509V3err(X509V3_F_V2I_POLICY_CONSTRAINTS,
154 ERR_R_MALLOC_FAILURE);
155 return NULL;
156 }
157 for (i = 0; i < sk_CONF_VALUE_num(values); i++) {
158 val = sk_CONF_VALUE_value(values, i);
159 if (!strcmp(val->name, "requireExplicitPolicy")) {
160 if (!X509V3_get_value_int(val,
161 &pcons->requireExplicitPolicy)) goto err;
162 } else if (!strcmp(val->name, "inhibitPolicyMapping")) {
163 if (!X509V3_get_value_int(val,
164 &pcons->inhibitPolicyMapping)) goto err;
165 } else {
166 X509V3err(X509V3_F_V2I_POLICY_CONSTRAINTS,
167 X509V3_R_INVALID_NAME);
168 X509V3_conf_err(val);
169 goto err;
170 }
171 }
172 if (!pcons->inhibitPolicyMapping && !pcons->requireExplicitPolicy) {
173 X509V3err(X509V3_F_V2I_POLICY_CONSTRAINTS,
174 X509V3_R_ILLEGAL_EMPTY_EXTENSION);
175 goto err;
176 }
177
178 return pcons;
179
180err:
181 POLICY_CONSTRAINTS_free(pcons);
182 return NULL;
183}
diff --git a/src/lib/libcrypto/x509v3/v3_pku.c b/src/lib/libcrypto/x509v3/v3_pku.c
deleted file mode 100644
index caa3608859..0000000000
--- a/src/lib/libcrypto/x509v3/v3_pku.c
+++ /dev/null
@@ -1,166 +0,0 @@
1/* $OpenBSD: v3_pku.c,v 1.12 2015/07/29 16:13:49 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60
61#include <openssl/asn1.h>
62#include <openssl/asn1t.h>
63#include <openssl/x509v3.h>
64
65static int i2r_PKEY_USAGE_PERIOD(X509V3_EXT_METHOD *method,
66 PKEY_USAGE_PERIOD *usage, BIO *out, int indent);
67/*
68static PKEY_USAGE_PERIOD *v2i_PKEY_USAGE_PERIOD(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values);
69*/
70const X509V3_EXT_METHOD v3_pkey_usage_period = {
71 .ext_nid = NID_private_key_usage_period,
72 .ext_flags = 0,
73 .it = ASN1_ITEM_ref(PKEY_USAGE_PERIOD),
74 .ext_new = NULL,
75 .ext_free = NULL,
76 .d2i = NULL,
77 .i2d = NULL,
78 .i2s = NULL,
79 .s2i = NULL,
80 .i2v = NULL,
81 .v2i = NULL,
82 .i2r = (X509V3_EXT_I2R)i2r_PKEY_USAGE_PERIOD,
83 .r2i = NULL,
84 .usr_data = NULL,
85};
86
87static const ASN1_TEMPLATE PKEY_USAGE_PERIOD_seq_tt[] = {
88 {
89 .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL,
90 .tag = 0,
91 .offset = offsetof(PKEY_USAGE_PERIOD, notBefore),
92 .field_name = "notBefore",
93 .item = &ASN1_GENERALIZEDTIME_it,
94 },
95 {
96 .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL,
97 .tag = 1,
98 .offset = offsetof(PKEY_USAGE_PERIOD, notAfter),
99 .field_name = "notAfter",
100 .item = &ASN1_GENERALIZEDTIME_it,
101 },
102};
103
104const ASN1_ITEM PKEY_USAGE_PERIOD_it = {
105 .itype = ASN1_ITYPE_SEQUENCE,
106 .utype = V_ASN1_SEQUENCE,
107 .templates = PKEY_USAGE_PERIOD_seq_tt,
108 .tcount = sizeof(PKEY_USAGE_PERIOD_seq_tt) / sizeof(ASN1_TEMPLATE),
109 .funcs = NULL,
110 .size = sizeof(PKEY_USAGE_PERIOD),
111 .sname = "PKEY_USAGE_PERIOD",
112};
113
114
115PKEY_USAGE_PERIOD *
116d2i_PKEY_USAGE_PERIOD(PKEY_USAGE_PERIOD **a, const unsigned char **in, long len)
117{
118 return (PKEY_USAGE_PERIOD *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
119 &PKEY_USAGE_PERIOD_it);
120}
121
122int
123i2d_PKEY_USAGE_PERIOD(PKEY_USAGE_PERIOD *a, unsigned char **out)
124{
125 return ASN1_item_i2d((ASN1_VALUE *)a, out, &PKEY_USAGE_PERIOD_it);
126}
127
128PKEY_USAGE_PERIOD *
129PKEY_USAGE_PERIOD_new(void)
130{
131 return (PKEY_USAGE_PERIOD *)ASN1_item_new(&PKEY_USAGE_PERIOD_it);
132}
133
134void
135PKEY_USAGE_PERIOD_free(PKEY_USAGE_PERIOD *a)
136{
137 ASN1_item_free((ASN1_VALUE *)a, &PKEY_USAGE_PERIOD_it);
138}
139
140static int
141i2r_PKEY_USAGE_PERIOD(X509V3_EXT_METHOD *method, PKEY_USAGE_PERIOD *usage,
142 BIO *out, int indent)
143{
144 BIO_printf(out, "%*s", indent, "");
145 if (usage->notBefore) {
146 BIO_write(out, "Not Before: ", 12);
147 ASN1_GENERALIZEDTIME_print(out, usage->notBefore);
148 if (usage->notAfter)
149 BIO_write(out, ", ", 2);
150 }
151 if (usage->notAfter) {
152 BIO_write(out, "Not After: ", 11);
153 ASN1_GENERALIZEDTIME_print(out, usage->notAfter);
154 }
155 return 1;
156}
157
158/*
159static PKEY_USAGE_PERIOD *v2i_PKEY_USAGE_PERIOD(method, ctx, values)
160X509V3_EXT_METHOD *method;
161X509V3_CTX *ctx;
162STACK_OF(CONF_VALUE) *values;
163{
164return NULL;
165}
166*/
diff --git a/src/lib/libcrypto/x509v3/v3_pmaps.c b/src/lib/libcrypto/x509v3/v3_pmaps.c
deleted file mode 100644
index f2d9090157..0000000000
--- a/src/lib/libcrypto/x509v3/v3_pmaps.c
+++ /dev/null
@@ -1,218 +0,0 @@
1/* $OpenBSD: v3_pmaps.c,v 1.9 2015/07/29 16:13:49 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project.
4 */
5/* ====================================================================
6 * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59
60#include <stdio.h>
61
62#include <openssl/asn1t.h>
63#include <openssl/conf.h>
64#include <openssl/err.h>
65#include <openssl/x509v3.h>
66
67static void *v2i_POLICY_MAPPINGS(const X509V3_EXT_METHOD *method,
68 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
69static STACK_OF(CONF_VALUE) *i2v_POLICY_MAPPINGS(
70 const X509V3_EXT_METHOD *method, void *pmps, STACK_OF(CONF_VALUE) *extlist);
71
72const X509V3_EXT_METHOD v3_policy_mappings = {
73 .ext_nid = NID_policy_mappings,
74 .ext_flags = 0,
75 .it = ASN1_ITEM_ref(POLICY_MAPPINGS),
76 .ext_new = NULL,
77 .ext_free = NULL,
78 .d2i = NULL,
79 .i2d = NULL,
80 .i2s = NULL,
81 .s2i = NULL,
82 .i2v = i2v_POLICY_MAPPINGS,
83 .v2i = v2i_POLICY_MAPPINGS,
84 .i2r = NULL,
85 .r2i = NULL,
86 .usr_data = NULL,
87};
88
89static const ASN1_TEMPLATE POLICY_MAPPING_seq_tt[] = {
90 {
91 .flags = 0,
92 .tag = 0,
93 .offset = offsetof(POLICY_MAPPING, issuerDomainPolicy),
94 .field_name = "issuerDomainPolicy",
95 .item = &ASN1_OBJECT_it,
96 },
97 {
98 .flags = 0,
99 .tag = 0,
100 .offset = offsetof(POLICY_MAPPING, subjectDomainPolicy),
101 .field_name = "subjectDomainPolicy",
102 .item = &ASN1_OBJECT_it,
103 },
104};
105
106const ASN1_ITEM POLICY_MAPPING_it = {
107 .itype = ASN1_ITYPE_SEQUENCE,
108 .utype = V_ASN1_SEQUENCE,
109 .templates = POLICY_MAPPING_seq_tt,
110 .tcount = sizeof(POLICY_MAPPING_seq_tt) / sizeof(ASN1_TEMPLATE),
111 .funcs = NULL,
112 .size = sizeof(POLICY_MAPPING),
113 .sname = "POLICY_MAPPING",
114};
115
116static const ASN1_TEMPLATE POLICY_MAPPINGS_item_tt = {
117 .flags = ASN1_TFLG_SEQUENCE_OF,
118 .tag = 0,
119 .offset = 0,
120 .field_name = "POLICY_MAPPINGS",
121 .item = &POLICY_MAPPING_it,
122};
123
124const ASN1_ITEM POLICY_MAPPINGS_it = {
125 .itype = ASN1_ITYPE_PRIMITIVE,
126 .utype = -1,
127 .templates = &POLICY_MAPPINGS_item_tt,
128 .tcount = 0,
129 .funcs = NULL,
130 .size = 0,
131 .sname = "POLICY_MAPPINGS",
132};
133
134
135POLICY_MAPPING *
136POLICY_MAPPING_new(void)
137{
138 return (POLICY_MAPPING*)ASN1_item_new(&POLICY_MAPPING_it);
139}
140
141void
142POLICY_MAPPING_free(POLICY_MAPPING *a)
143{
144 ASN1_item_free((ASN1_VALUE *)a, &POLICY_MAPPING_it);
145}
146
147static STACK_OF(CONF_VALUE) *
148i2v_POLICY_MAPPINGS(const X509V3_EXT_METHOD *method, void *a,
149 STACK_OF(CONF_VALUE) *ext_list)
150{
151 POLICY_MAPPINGS *pmaps = a;
152 POLICY_MAPPING *pmap;
153 int i;
154 char obj_tmp1[80];
155 char obj_tmp2[80];
156
157 for (i = 0; i < sk_POLICY_MAPPING_num(pmaps); i++) {
158 pmap = sk_POLICY_MAPPING_value(pmaps, i);
159 i2t_ASN1_OBJECT(obj_tmp1, 80, pmap->issuerDomainPolicy);
160 i2t_ASN1_OBJECT(obj_tmp2, 80, pmap->subjectDomainPolicy);
161 X509V3_add_value(obj_tmp1, obj_tmp2, &ext_list);
162 }
163 return ext_list;
164}
165
166static void *
167v2i_POLICY_MAPPINGS(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
168 STACK_OF(CONF_VALUE) *nval)
169{
170 POLICY_MAPPINGS *pmaps = NULL;
171 POLICY_MAPPING *pmap = NULL;
172 ASN1_OBJECT *obj1 = NULL, *obj2 = NULL;
173 CONF_VALUE *val;
174 int i, rc;
175
176 if (!(pmaps = sk_POLICY_MAPPING_new_null())) {
177 X509V3err(X509V3_F_V2I_POLICY_MAPPINGS, ERR_R_MALLOC_FAILURE);
178 return NULL;
179 }
180
181 for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
182 val = sk_CONF_VALUE_value(nval, i);
183 if (!val->value || !val->name) {
184 rc = X509V3_R_INVALID_OBJECT_IDENTIFIER;
185 goto err;
186 }
187 obj1 = OBJ_txt2obj(val->name, 0);
188 obj2 = OBJ_txt2obj(val->value, 0);
189 if (!obj1 || !obj2) {
190 rc = X509V3_R_INVALID_OBJECT_IDENTIFIER;
191 goto err;
192 }
193 pmap = POLICY_MAPPING_new();
194 if (!pmap) {
195 rc = ERR_R_MALLOC_FAILURE;
196 goto err;
197 }
198 pmap->issuerDomainPolicy = obj1;
199 pmap->subjectDomainPolicy = obj2;
200 obj1 = obj2 = NULL;
201 if (sk_POLICY_MAPPING_push(pmaps, pmap) == 0) {
202 rc = ERR_R_MALLOC_FAILURE;
203 goto err;
204 }
205 pmap = NULL;
206 }
207 return pmaps;
208
209err:
210 sk_POLICY_MAPPING_pop_free(pmaps, POLICY_MAPPING_free);
211 X509V3err(X509V3_F_V2I_POLICY_MAPPINGS, rc);
212 if (rc == X509V3_R_INVALID_OBJECT_IDENTIFIER)
213 X509V3_conf_err(val);
214 ASN1_OBJECT_free(obj1);
215 ASN1_OBJECT_free(obj2);
216 POLICY_MAPPING_free(pmap);
217 return NULL;
218}
diff --git a/src/lib/libcrypto/x509v3/v3_prn.c b/src/lib/libcrypto/x509v3/v3_prn.c
deleted file mode 100644
index e2d8dd8c87..0000000000
--- a/src/lib/libcrypto/x509v3/v3_prn.c
+++ /dev/null
@@ -1,225 +0,0 @@
1/* $OpenBSD: v3_prn.c,v 1.18 2015/07/29 14:58:34 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58/* X509 v3 extension utilities */
59
60#include <stdio.h>
61
62#include <openssl/conf.h>
63#include <openssl/x509v3.h>
64
65/* Extension printing routines */
66
67static int unknown_ext_print(BIO *out, X509_EXTENSION *ext, unsigned long flag,
68 int indent, int supported);
69
70/* Print out a name+value stack */
71
72void
73X509V3_EXT_val_prn(BIO *out, STACK_OF(CONF_VALUE) *val, int indent, int ml)
74{
75 int i;
76 CONF_VALUE *nval;
77
78 if (!val)
79 return;
80 if (!ml || !sk_CONF_VALUE_num(val)) {
81 BIO_printf(out, "%*s", indent, "");
82 if (!sk_CONF_VALUE_num(val))
83 BIO_puts(out, "<EMPTY>\n");
84 }
85 for (i = 0; i < sk_CONF_VALUE_num(val); i++) {
86 if (ml)
87 BIO_printf(out, "%*s", indent, "");
88 else if (i > 0) BIO_printf(out, ", ");
89 nval = sk_CONF_VALUE_value(val, i);
90 if (!nval->name)
91 BIO_puts(out, nval->value);
92 else if (!nval->value)
93 BIO_puts(out, nval->name);
94 else
95 BIO_printf(out, "%s:%s", nval->name, nval->value);
96 if (ml)
97 BIO_puts(out, "\n");
98 }
99}
100
101/* Main routine: print out a general extension */
102
103int
104X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, unsigned long flag, int indent)
105{
106 void *ext_str = NULL;
107 char *value = NULL;
108 const unsigned char *p;
109 const X509V3_EXT_METHOD *method;
110 STACK_OF(CONF_VALUE) *nval = NULL;
111 int ok = 1;
112
113 if (!(method = X509V3_EXT_get(ext)))
114 return unknown_ext_print(out, ext, flag, indent, 0);
115 p = ext->value->data;
116 if (method->it)
117 ext_str = ASN1_item_d2i(NULL, &p, ext->value->length,
118 ASN1_ITEM_ptr(method->it));
119 else
120 ext_str = method->d2i(NULL, &p, ext->value->length);
121
122 if (!ext_str)
123 return unknown_ext_print(out, ext, flag, indent, 1);
124
125 if (method->i2s) {
126 if (!(value = method->i2s(method, ext_str))) {
127 ok = 0;
128 goto err;
129 }
130 BIO_printf(out, "%*s%s", indent, "", value);
131 } else if (method->i2v) {
132 if (!(nval = method->i2v(method, ext_str, NULL))) {
133 ok = 0;
134 goto err;
135 }
136 X509V3_EXT_val_prn(out, nval, indent,
137 method->ext_flags & X509V3_EXT_MULTILINE);
138 } else if (method->i2r) {
139 if (!method->i2r(method, ext_str, out, indent))
140 ok = 0;
141 } else
142 ok = 0;
143
144err:
145 sk_CONF_VALUE_pop_free(nval, X509V3_conf_free);
146 free(value);
147 if (method->it)
148 ASN1_item_free(ext_str, ASN1_ITEM_ptr(method->it));
149 else
150 method->ext_free(ext_str);
151 return ok;
152}
153
154int
155X509V3_extensions_print(BIO *bp, char *title, STACK_OF(X509_EXTENSION) *exts,
156 unsigned long flag, int indent)
157{
158 int i, j;
159
160 if (sk_X509_EXTENSION_num(exts) <= 0)
161 return 1;
162
163 if (title) {
164 BIO_printf(bp, "%*s%s:\n",indent, "", title);
165 indent += 4;
166 }
167
168 for (i = 0; i < sk_X509_EXTENSION_num(exts); i++) {
169 ASN1_OBJECT *obj;
170 X509_EXTENSION *ex;
171 ex = sk_X509_EXTENSION_value(exts, i);
172 if (indent && BIO_printf(bp, "%*s",indent, "") <= 0)
173 return 0;
174 obj = X509_EXTENSION_get_object(ex);
175 i2a_ASN1_OBJECT(bp, obj);
176 j = X509_EXTENSION_get_critical(ex);
177 if (BIO_printf(bp, ": %s\n",j?"critical":"") <= 0)
178 return 0;
179 if (!X509V3_EXT_print(bp, ex, flag, indent + 4)) {
180 BIO_printf(bp, "%*s", indent + 4, "");
181 ASN1_STRING_print(bp, ex->value);
182 }
183 if (BIO_write(bp, "\n",1) <= 0)
184 return 0;
185 }
186 return 1;
187}
188
189static int
190unknown_ext_print(BIO *out, X509_EXTENSION *ext, unsigned long flag,
191 int indent, int supported)
192{
193 switch (flag & X509V3_EXT_UNKNOWN_MASK) {
194 case X509V3_EXT_DEFAULT:
195 return 0;
196 case X509V3_EXT_ERROR_UNKNOWN:
197 if (supported)
198 BIO_printf(out, "%*s<Parse Error>", indent, "");
199 else
200 BIO_printf(out, "%*s<Not Supported>", indent, "");
201 return 1;
202 case X509V3_EXT_PARSE_UNKNOWN:
203 return ASN1_parse_dump(out,
204 ext->value->data, ext->value->length, indent, -1);
205 case X509V3_EXT_DUMP_UNKNOWN:
206 return BIO_dump_indent(out, (char *)ext->value->data,
207 ext->value->length, indent);
208 default:
209 return 1;
210 }
211}
212
213
214int
215X509V3_EXT_print_fp(FILE *fp, X509_EXTENSION *ext, int flag, int indent)
216{
217 BIO *bio_tmp;
218 int ret;
219
220 if (!(bio_tmp = BIO_new_fp(fp, BIO_NOCLOSE)))
221 return 0;
222 ret = X509V3_EXT_print(bio_tmp, ext, flag, indent);
223 BIO_free(bio_tmp);
224 return ret;
225}
diff --git a/src/lib/libcrypto/x509v3/v3_purp.c b/src/lib/libcrypto/x509v3/v3_purp.c
deleted file mode 100644
index 69a8d05f26..0000000000
--- a/src/lib/libcrypto/x509v3/v3_purp.c
+++ /dev/null
@@ -1,861 +0,0 @@
1/* $OpenBSD: v3_purp.c,v 1.26 2015/02/10 13:28:17 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2001.
4 */
5/* ====================================================================
6 * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include <string.h>
61
62#include <openssl/opensslconf.h>
63
64#include <openssl/err.h>
65#include <openssl/x509v3.h>
66#include <openssl/x509_vfy.h>
67
68static void x509v3_cache_extensions(X509 *x);
69
70static int check_ssl_ca(const X509 *x);
71static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x,
72 int ca);
73static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x,
74 int ca);
75static int check_purpose_ns_ssl_server(const X509_PURPOSE *xp, const X509 *x,
76 int ca);
77static int purpose_smime(const X509 *x, int ca);
78static int check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x,
79 int ca);
80static int check_purpose_smime_encrypt(const X509_PURPOSE *xp, const X509 *x,
81 int ca);
82static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x,
83 int ca);
84static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x,
85 int ca);
86static int no_check(const X509_PURPOSE *xp, const X509 *x, int ca);
87static int ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca);
88
89static int xp_cmp(const X509_PURPOSE * const *a, const X509_PURPOSE * const *b);
90static void xptable_free(X509_PURPOSE *p);
91
92static X509_PURPOSE xstandard[] = {
93 {X509_PURPOSE_SSL_CLIENT, X509_TRUST_SSL_CLIENT, 0, check_purpose_ssl_client, "SSL client", "sslclient", NULL},
94 {X509_PURPOSE_SSL_SERVER, X509_TRUST_SSL_SERVER, 0, check_purpose_ssl_server, "SSL server", "sslserver", NULL},
95 {X509_PURPOSE_NS_SSL_SERVER, X509_TRUST_SSL_SERVER, 0, check_purpose_ns_ssl_server, "Netscape SSL server", "nssslserver", NULL},
96 {X509_PURPOSE_SMIME_SIGN, X509_TRUST_EMAIL, 0, check_purpose_smime_sign, "S/MIME signing", "smimesign", NULL},
97 {X509_PURPOSE_SMIME_ENCRYPT, X509_TRUST_EMAIL, 0, check_purpose_smime_encrypt, "S/MIME encryption", "smimeencrypt", NULL},
98 {X509_PURPOSE_CRL_SIGN, X509_TRUST_COMPAT, 0, check_purpose_crl_sign, "CRL signing", "crlsign", NULL},
99 {X509_PURPOSE_ANY, X509_TRUST_DEFAULT, 0, no_check, "Any Purpose", "any", NULL},
100 {X509_PURPOSE_OCSP_HELPER, X509_TRUST_COMPAT, 0, ocsp_helper, "OCSP helper", "ocsphelper", NULL},
101 {X509_PURPOSE_TIMESTAMP_SIGN, X509_TRUST_TSA, 0, check_purpose_timestamp_sign, "Time Stamp signing", "timestampsign", NULL},
102};
103
104#define X509_PURPOSE_COUNT (sizeof(xstandard)/sizeof(X509_PURPOSE))
105
106static STACK_OF(X509_PURPOSE) *xptable = NULL;
107
108static int
109xp_cmp(const X509_PURPOSE * const *a, const X509_PURPOSE * const *b)
110{
111 return (*a)->purpose - (*b)->purpose;
112}
113
114/* As much as I'd like to make X509_check_purpose use a "const" X509*
115 * I really can't because it does recalculate hashes and do other non-const
116 * things. */
117int
118X509_check_purpose(X509 *x, int id, int ca)
119{
120 int idx;
121 const X509_PURPOSE *pt;
122
123 if (!(x->ex_flags & EXFLAG_SET)) {
124 CRYPTO_w_lock(CRYPTO_LOCK_X509);
125 x509v3_cache_extensions(x);
126 CRYPTO_w_unlock(CRYPTO_LOCK_X509);
127 }
128 if (id == -1)
129 return 1;
130 idx = X509_PURPOSE_get_by_id(id);
131 if (idx == -1)
132 return -1;
133 pt = X509_PURPOSE_get0(idx);
134 return pt->check_purpose(pt, x, ca);
135}
136
137int
138X509_PURPOSE_set(int *p, int purpose)
139{
140 if (X509_PURPOSE_get_by_id(purpose) == -1) {
141 X509V3err(X509V3_F_X509_PURPOSE_SET, X509V3_R_INVALID_PURPOSE);
142 return 0;
143 }
144 *p = purpose;
145 return 1;
146}
147
148int
149X509_PURPOSE_get_count(void)
150{
151 if (!xptable)
152 return X509_PURPOSE_COUNT;
153 return sk_X509_PURPOSE_num(xptable) + X509_PURPOSE_COUNT;
154}
155
156X509_PURPOSE *
157X509_PURPOSE_get0(int idx)
158{
159 if (idx < 0)
160 return NULL;
161 if (idx < (int)X509_PURPOSE_COUNT)
162 return xstandard + idx;
163 return sk_X509_PURPOSE_value(xptable, idx - X509_PURPOSE_COUNT);
164}
165
166int
167X509_PURPOSE_get_by_sname(char *sname)
168{
169 int i;
170 X509_PURPOSE *xptmp;
171
172 for (i = 0; i < X509_PURPOSE_get_count(); i++) {
173 xptmp = X509_PURPOSE_get0(i);
174 if (!strcmp(xptmp->sname, sname))
175 return i;
176 }
177 return -1;
178}
179
180int
181X509_PURPOSE_get_by_id(int purpose)
182{
183 X509_PURPOSE tmp;
184 int idx;
185
186 if ((purpose >= X509_PURPOSE_MIN) && (purpose <= X509_PURPOSE_MAX))
187 return purpose - X509_PURPOSE_MIN;
188 tmp.purpose = purpose;
189 if (!xptable)
190 return -1;
191 idx = sk_X509_PURPOSE_find(xptable, &tmp);
192 if (idx == -1)
193 return -1;
194 return idx + X509_PURPOSE_COUNT;
195}
196
197int
198X509_PURPOSE_add(int id, int trust, int flags,
199 int (*ck)(const X509_PURPOSE *, const X509 *, int), char *name,
200 char *sname, void *arg)
201{
202 int idx;
203 X509_PURPOSE *ptmp;
204 char *name_dup, *sname_dup;
205
206 name_dup = sname_dup = NULL;
207
208 if (name == NULL || sname == NULL) {
209 X509V3err(X509V3_F_X509_PURPOSE_ADD,
210 X509V3_R_INVALID_NULL_ARGUMENT);
211 return 0;
212 }
213
214 /* This is set according to what we change: application can't set it */
215 flags &= ~X509_PURPOSE_DYNAMIC;
216 /* This will always be set for application modified trust entries */
217 flags |= X509_PURPOSE_DYNAMIC_NAME;
218 /* Get existing entry if any */
219 idx = X509_PURPOSE_get_by_id(id);
220 /* Need a new entry */
221 if (idx == -1) {
222 if ((ptmp = malloc(sizeof(X509_PURPOSE))) == NULL) {
223 X509V3err(X509V3_F_X509_PURPOSE_ADD,
224 ERR_R_MALLOC_FAILURE);
225 return 0;
226 }
227 ptmp->flags = X509_PURPOSE_DYNAMIC;
228 } else
229 ptmp = X509_PURPOSE_get0(idx);
230
231 if ((name_dup = strdup(name)) == NULL)
232 goto err;
233 if ((sname_dup = strdup(sname)) == NULL)
234 goto err;
235
236 /* free existing name if dynamic */
237 if (ptmp->flags & X509_PURPOSE_DYNAMIC_NAME) {
238 free(ptmp->name);
239 free(ptmp->sname);
240 }
241 /* dup supplied name */
242 ptmp->name = name_dup;
243 ptmp->sname = sname_dup;
244 /* Keep the dynamic flag of existing entry */
245 ptmp->flags &= X509_PURPOSE_DYNAMIC;
246 /* Set all other flags */
247 ptmp->flags |= flags;
248
249 ptmp->purpose = id;
250 ptmp->trust = trust;
251 ptmp->check_purpose = ck;
252 ptmp->usr_data = arg;
253
254 /* If its a new entry manage the dynamic table */
255 if (idx == -1) {
256 if (xptable == NULL &&
257 (xptable = sk_X509_PURPOSE_new(xp_cmp)) == NULL)
258 goto err;
259 if (sk_X509_PURPOSE_push(xptable, ptmp) == 0)
260 goto err;
261 }
262 return 1;
263
264err:
265 free(name_dup);
266 free(sname_dup);
267 if (idx == -1)
268 free(ptmp);
269 X509V3err(X509V3_F_X509_PURPOSE_ADD, ERR_R_MALLOC_FAILURE);
270 return 0;
271}
272
273static void
274xptable_free(X509_PURPOSE *p)
275{
276 if (!p)
277 return;
278 if (p->flags & X509_PURPOSE_DYNAMIC) {
279 if (p->flags & X509_PURPOSE_DYNAMIC_NAME) {
280 free(p->name);
281 free(p->sname);
282 }
283 free(p);
284 }
285}
286
287void
288X509_PURPOSE_cleanup(void)
289{
290 unsigned int i;
291
292 sk_X509_PURPOSE_pop_free(xptable, xptable_free);
293 for(i = 0; i < X509_PURPOSE_COUNT; i++)
294 xptable_free(xstandard + i);
295 xptable = NULL;
296}
297
298int
299X509_PURPOSE_get_id(X509_PURPOSE *xp)
300{
301 return xp->purpose;
302}
303
304char *
305X509_PURPOSE_get0_name(X509_PURPOSE *xp)
306{
307 return xp->name;
308}
309
310char *
311X509_PURPOSE_get0_sname(X509_PURPOSE *xp)
312{
313 return xp->sname;
314}
315
316int
317X509_PURPOSE_get_trust(X509_PURPOSE *xp)
318{
319 return xp->trust;
320}
321
322static int
323nid_cmp(const int *a, const int *b)
324{
325 return *a - *b;
326}
327
328DECLARE_OBJ_BSEARCH_CMP_FN(int, int, nid);
329IMPLEMENT_OBJ_BSEARCH_CMP_FN(int, int, nid);
330
331int
332X509_supported_extension(X509_EXTENSION *ex)
333{
334 /* This table is a list of the NIDs of supported extensions:
335 * that is those which are used by the verify process. If
336 * an extension is critical and doesn't appear in this list
337 * then the verify process will normally reject the certificate.
338 * The list must be kept in numerical order because it will be
339 * searched using bsearch.
340 */
341
342 static const int supported_nids[] = {
343 NID_netscape_cert_type, /* 71 */
344 NID_key_usage, /* 83 */
345 NID_subject_alt_name, /* 85 */
346 NID_basic_constraints, /* 87 */
347 NID_certificate_policies, /* 89 */
348 NID_ext_key_usage, /* 126 */
349 NID_policy_constraints, /* 401 */
350 NID_proxyCertInfo, /* 663 */
351 NID_name_constraints, /* 666 */
352 NID_policy_mappings, /* 747 */
353 NID_inhibit_any_policy /* 748 */
354 };
355
356 int ex_nid = OBJ_obj2nid(X509_EXTENSION_get_object(ex));
357
358 if (ex_nid == NID_undef)
359 return 0;
360
361 if (OBJ_bsearch_nid(&ex_nid, supported_nids,
362 sizeof(supported_nids) / sizeof(int)))
363 return 1;
364 return 0;
365}
366
367static void
368setup_dp(X509 *x, DIST_POINT *dp)
369{
370 X509_NAME *iname = NULL;
371 int i;
372
373 if (dp->reasons) {
374 if (dp->reasons->length > 0)
375 dp->dp_reasons = dp->reasons->data[0];
376 if (dp->reasons->length > 1)
377 dp->dp_reasons |= (dp->reasons->data[1] << 8);
378 dp->dp_reasons &= CRLDP_ALL_REASONS;
379 } else
380 dp->dp_reasons = CRLDP_ALL_REASONS;
381 if (!dp->distpoint || (dp->distpoint->type != 1))
382 return;
383 for (i = 0; i < sk_GENERAL_NAME_num(dp->CRLissuer); i++) {
384 GENERAL_NAME *gen = sk_GENERAL_NAME_value(dp->CRLissuer, i);
385 if (gen->type == GEN_DIRNAME) {
386 iname = gen->d.directoryName;
387 break;
388 }
389 }
390 if (!iname)
391 iname = X509_get_issuer_name(x);
392
393 DIST_POINT_set_dpname(dp->distpoint, iname);
394
395}
396
397static void
398setup_crldp(X509 *x)
399{
400 int i;
401
402 x->crldp = X509_get_ext_d2i(x, NID_crl_distribution_points, NULL, NULL);
403 for (i = 0; i < sk_DIST_POINT_num(x->crldp); i++)
404 setup_dp(x, sk_DIST_POINT_value(x->crldp, i));
405}
406
407static void
408x509v3_cache_extensions(X509 *x)
409{
410 BASIC_CONSTRAINTS *bs;
411 PROXY_CERT_INFO_EXTENSION *pci;
412 ASN1_BIT_STRING *usage;
413 ASN1_BIT_STRING *ns;
414 EXTENDED_KEY_USAGE *extusage;
415 X509_EXTENSION *ex;
416
417 int i;
418 if (x->ex_flags & EXFLAG_SET)
419 return;
420#ifndef OPENSSL_NO_SHA
421 X509_digest(x, EVP_sha1(), x->sha1_hash, NULL);
422#endif
423 /* Does subject name match issuer ? */
424 if (!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x)))
425 x->ex_flags |= EXFLAG_SI;
426 /* V1 should mean no extensions ... */
427 if (!X509_get_version(x))
428 x->ex_flags |= EXFLAG_V1;
429 /* Handle basic constraints */
430 if ((bs = X509_get_ext_d2i(x, NID_basic_constraints, NULL, NULL))) {
431 if (bs->ca)
432 x->ex_flags |= EXFLAG_CA;
433 if (bs->pathlen) {
434 if ((bs->pathlen->type == V_ASN1_NEG_INTEGER) ||
435 !bs->ca) {
436 x->ex_flags |= EXFLAG_INVALID;
437 x->ex_pathlen = 0;
438 } else
439 x->ex_pathlen = ASN1_INTEGER_get(bs->pathlen);
440 } else
441 x->ex_pathlen = -1;
442 BASIC_CONSTRAINTS_free(bs);
443 x->ex_flags |= EXFLAG_BCONS;
444 }
445 /* Handle proxy certificates */
446 if ((pci = X509_get_ext_d2i(x, NID_proxyCertInfo, NULL, NULL))) {
447 if (x->ex_flags & EXFLAG_CA ||
448 X509_get_ext_by_NID(x, NID_subject_alt_name, -1) >= 0 ||
449 X509_get_ext_by_NID(x, NID_issuer_alt_name, -1) >= 0) {
450 x->ex_flags |= EXFLAG_INVALID;
451 }
452 if (pci->pcPathLengthConstraint) {
453 x->ex_pcpathlen =
454 ASN1_INTEGER_get(pci->pcPathLengthConstraint);
455 } else
456 x->ex_pcpathlen = -1;
457 PROXY_CERT_INFO_EXTENSION_free(pci);
458 x->ex_flags |= EXFLAG_PROXY;
459 }
460 /* Handle key usage */
461 if ((usage = X509_get_ext_d2i(x, NID_key_usage, NULL, NULL))) {
462 if (usage->length > 0) {
463 x->ex_kusage = usage->data[0];
464 if (usage->length > 1)
465 x->ex_kusage |= usage->data[1] << 8;
466 } else
467 x->ex_kusage = 0;
468 x->ex_flags |= EXFLAG_KUSAGE;
469 ASN1_BIT_STRING_free(usage);
470 }
471 x->ex_xkusage = 0;
472 if ((extusage = X509_get_ext_d2i(x, NID_ext_key_usage, NULL, NULL))) {
473 x->ex_flags |= EXFLAG_XKUSAGE;
474 for (i = 0; i < sk_ASN1_OBJECT_num(extusage); i++) {
475 switch (OBJ_obj2nid(sk_ASN1_OBJECT_value(extusage, i))) {
476 case NID_server_auth:
477 x->ex_xkusage |= XKU_SSL_SERVER;
478 break;
479
480 case NID_client_auth:
481 x->ex_xkusage |= XKU_SSL_CLIENT;
482 break;
483
484 case NID_email_protect:
485 x->ex_xkusage |= XKU_SMIME;
486 break;
487
488 case NID_code_sign:
489 x->ex_xkusage |= XKU_CODE_SIGN;
490 break;
491
492 case NID_ms_sgc:
493 case NID_ns_sgc:
494 x->ex_xkusage |= XKU_SGC;
495 break;
496
497 case NID_OCSP_sign:
498 x->ex_xkusage |= XKU_OCSP_SIGN;
499 break;
500
501 case NID_time_stamp:
502 x->ex_xkusage |= XKU_TIMESTAMP;
503 break;
504
505 case NID_dvcs:
506 x->ex_xkusage |= XKU_DVCS;
507 break;
508 }
509 }
510 sk_ASN1_OBJECT_pop_free(extusage, ASN1_OBJECT_free);
511 }
512
513 if ((ns = X509_get_ext_d2i(x, NID_netscape_cert_type, NULL, NULL))) {
514 if (ns->length > 0)
515 x->ex_nscert = ns->data[0];
516 else
517 x->ex_nscert = 0;
518 x->ex_flags |= EXFLAG_NSCERT;
519 ASN1_BIT_STRING_free(ns);
520 }
521
522 x->skid = X509_get_ext_d2i(x, NID_subject_key_identifier, NULL, NULL);
523 x->akid = X509_get_ext_d2i(x, NID_authority_key_identifier, NULL, NULL);
524 x->altname = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
525 x->nc = X509_get_ext_d2i(x, NID_name_constraints, &i, NULL);
526 if (!x->nc && (i != -1))
527 x->ex_flags |= EXFLAG_INVALID;
528 setup_crldp(x);
529
530 for (i = 0; i < X509_get_ext_count(x); i++) {
531 ex = X509_get_ext(x, i);
532 if (OBJ_obj2nid(X509_EXTENSION_get_object(ex)) ==
533 NID_freshest_crl)
534 x->ex_flags |= EXFLAG_FRESHEST;
535 if (!X509_EXTENSION_get_critical(ex))
536 continue;
537 if (!X509_supported_extension(ex)) {
538 x->ex_flags |= EXFLAG_CRITICAL;
539 break;
540 }
541 }
542 x->ex_flags |= EXFLAG_SET;
543}
544
545/* CA checks common to all purposes
546 * return codes:
547 * 0 not a CA
548 * 1 is a CA
549 * 2 basicConstraints absent so "maybe" a CA
550 * 3 basicConstraints absent but self signed V1.
551 * 4 basicConstraints absent but keyUsage present and keyCertSign asserted.
552 */
553
554#define V1_ROOT (EXFLAG_V1|EXFLAG_SS)
555#define ku_reject(x, usage) \
556 (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage)))
557#define xku_reject(x, usage) \
558 (((x)->ex_flags & EXFLAG_XKUSAGE) && !((x)->ex_xkusage & (usage)))
559#define ns_reject(x, usage) \
560 (((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage)))
561
562static int
563check_ca(const X509 *x)
564{
565 /* keyUsage if present should allow cert signing */
566 if (ku_reject(x, KU_KEY_CERT_SIGN))
567 return 0;
568 if (x->ex_flags & EXFLAG_BCONS) {
569 if (x->ex_flags & EXFLAG_CA)
570 return 1;
571 /* If basicConstraints says not a CA then say so */
572 else
573 return 0;
574 } else {
575 /* we support V1 roots for... uh, I don't really know why. */
576 if ((x->ex_flags & V1_ROOT) == V1_ROOT)
577 return 3;
578 /* If key usage present it must have certSign so tolerate it */
579 else if (x->ex_flags & EXFLAG_KUSAGE)
580 return 4;
581 /* Older certificates could have Netscape-specific CA types */
582 else if (x->ex_flags & EXFLAG_NSCERT &&
583 x->ex_nscert & NS_ANY_CA)
584 return 5;
585 /* can this still be regarded a CA certificate? I doubt it */
586 return 0;
587 }
588}
589
590int
591X509_check_ca(X509 *x)
592{
593 if (!(x->ex_flags & EXFLAG_SET)) {
594 CRYPTO_w_lock(CRYPTO_LOCK_X509);
595 x509v3_cache_extensions(x);
596 CRYPTO_w_unlock(CRYPTO_LOCK_X509);
597 }
598
599 return check_ca(x);
600}
601
602/* Check SSL CA: common checks for SSL client and server */
603static int
604check_ssl_ca(const X509 *x)
605{
606 int ca_ret;
607
608 ca_ret = check_ca(x);
609 if (!ca_ret)
610 return 0;
611 /* check nsCertType if present */
612 if (ca_ret != 5 || x->ex_nscert & NS_SSL_CA)
613 return ca_ret;
614 else
615 return 0;
616}
617
618static int
619check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, int ca)
620{
621 if (xku_reject(x, XKU_SSL_CLIENT))
622 return 0;
623 if (ca)
624 return check_ssl_ca(x);
625 /* We need to do digital signatures with it */
626 if (ku_reject(x, KU_DIGITAL_SIGNATURE))
627 return 0;
628 /* nsCertType if present should allow SSL client use */
629 if (ns_reject(x, NS_SSL_CLIENT))
630 return 0;
631 return 1;
632}
633
634static int
635check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca)
636{
637 if (xku_reject(x, XKU_SSL_SERVER|XKU_SGC))
638 return 0;
639 if (ca)
640 return check_ssl_ca(x);
641
642 if (ns_reject(x, NS_SSL_SERVER))
643 return 0;
644 /* Now as for keyUsage: we'll at least need to sign OR encipher */
645 if (ku_reject(x, KU_DIGITAL_SIGNATURE|KU_KEY_ENCIPHERMENT))
646 return 0;
647
648 return 1;
649}
650
651static int
652check_purpose_ns_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca)
653{
654 int ret;
655
656 ret = check_purpose_ssl_server(xp, x, ca);
657 if (!ret || ca)
658 return ret;
659 /* We need to encipher or Netscape complains */
660 if (ku_reject(x, KU_KEY_ENCIPHERMENT))
661 return 0;
662 return ret;
663}
664
665/* common S/MIME checks */
666static int
667purpose_smime(const X509 *x, int ca)
668{
669 if (xku_reject(x, XKU_SMIME))
670 return 0;
671 if (ca) {
672 int ca_ret;
673 ca_ret = check_ca(x);
674 if (!ca_ret)
675 return 0;
676 /* check nsCertType if present */
677 if (ca_ret != 5 || x->ex_nscert & NS_SMIME_CA)
678 return ca_ret;
679 else
680 return 0;
681 }
682 if (x->ex_flags & EXFLAG_NSCERT) {
683 if (x->ex_nscert & NS_SMIME)
684 return 1;
685 /* Workaround for some buggy certificates */
686 if (x->ex_nscert & NS_SSL_CLIENT)
687 return 2;
688 return 0;
689 }
690 return 1;
691}
692
693static int
694check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x, int ca)
695{
696 int ret;
697
698 ret = purpose_smime(x, ca);
699 if (!ret || ca)
700 return ret;
701 if (ku_reject(x, KU_DIGITAL_SIGNATURE|KU_NON_REPUDIATION))
702 return 0;
703 return ret;
704}
705
706static int
707check_purpose_smime_encrypt(const X509_PURPOSE *xp, const X509 *x, int ca)
708{
709 int ret;
710
711 ret = purpose_smime(x, ca);
712 if (!ret || ca)
713 return ret;
714 if (ku_reject(x, KU_KEY_ENCIPHERMENT))
715 return 0;
716 return ret;
717}
718
719static int
720check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x, int ca)
721{
722 if (ca) {
723 int ca_ret;
724 if ((ca_ret = check_ca(x)) != 2)
725 return ca_ret;
726 else
727 return 0;
728 }
729 if (ku_reject(x, KU_CRL_SIGN))
730 return 0;
731 return 1;
732}
733
734/* OCSP helper: this is *not* a full OCSP check. It just checks that
735 * each CA is valid. Additional checks must be made on the chain.
736 */
737static int
738ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca)
739{
740 /* Must be a valid CA. Should we really support the "I don't know"
741 value (2)? */
742 if (ca)
743 return check_ca(x);
744 /* leaf certificate is checked in OCSP_verify() */
745 return 1;
746}
747
748static int
749check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x, int ca)
750{
751 int i_ext;
752
753 /* If ca is true we must return if this is a valid CA certificate. */
754 if (ca)
755 return check_ca(x);
756
757 /*
758 * Check the optional key usage field:
759 * if Key Usage is present, it must be one of digitalSignature
760 * and/or nonRepudiation (other values are not consistent and shall
761 * be rejected).
762 */
763 if ((x->ex_flags & EXFLAG_KUSAGE) &&
764 ((x->ex_kusage & ~(KU_NON_REPUDIATION | KU_DIGITAL_SIGNATURE)) ||
765 !(x->ex_kusage & (KU_NON_REPUDIATION | KU_DIGITAL_SIGNATURE))))
766 return 0;
767
768 /* Only time stamp key usage is permitted and it's required. */
769 if (!(x->ex_flags & EXFLAG_XKUSAGE) || x->ex_xkusage != XKU_TIMESTAMP)
770 return 0;
771
772 /* Extended Key Usage MUST be critical */
773 i_ext = X509_get_ext_by_NID((X509 *) x, NID_ext_key_usage, -1);
774 if (i_ext >= 0) {
775 X509_EXTENSION *ext = X509_get_ext((X509 *) x, i_ext);
776 if (!X509_EXTENSION_get_critical(ext))
777 return 0;
778 }
779
780 return 1;
781}
782
783static int
784no_check(const X509_PURPOSE *xp, const X509 *x, int ca)
785{
786 return 1;
787}
788
789/* Various checks to see if one certificate issued the second.
790 * This can be used to prune a set of possible issuer certificates
791 * which have been looked up using some simple method such as by
792 * subject name.
793 * These are:
794 * 1. Check issuer_name(subject) == subject_name(issuer)
795 * 2. If akid(subject) exists check it matches issuer
796 * 3. If key_usage(issuer) exists check it supports certificate signing
797 * returns 0 for OK, positive for reason for mismatch, reasons match
798 * codes for X509_verify_cert()
799 */
800
801int
802X509_check_issued(X509 *issuer, X509 *subject)
803{
804 if (X509_NAME_cmp(X509_get_subject_name(issuer),
805 X509_get_issuer_name(subject)))
806 return X509_V_ERR_SUBJECT_ISSUER_MISMATCH;
807 x509v3_cache_extensions(issuer);
808 x509v3_cache_extensions(subject);
809
810 if (subject->akid) {
811 int ret = X509_check_akid(issuer, subject->akid);
812 if (ret != X509_V_OK)
813 return ret;
814 }
815
816 if (subject->ex_flags & EXFLAG_PROXY) {
817 if (ku_reject(issuer, KU_DIGITAL_SIGNATURE))
818 return X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE;
819 } else if (ku_reject(issuer, KU_KEY_CERT_SIGN))
820 return X509_V_ERR_KEYUSAGE_NO_CERTSIGN;
821 return X509_V_OK;
822}
823
824int
825X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid)
826{
827 if (!akid)
828 return X509_V_OK;
829
830 /* Check key ids (if present) */
831 if (akid->keyid && issuer->skid &&
832 ASN1_OCTET_STRING_cmp(akid->keyid, issuer->skid) )
833 return X509_V_ERR_AKID_SKID_MISMATCH;
834 /* Check serial number */
835 if (akid->serial &&
836 ASN1_INTEGER_cmp(X509_get_serialNumber(issuer), akid->serial))
837 return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
838 /* Check issuer name */
839 if (akid->issuer) {
840 /* Ugh, for some peculiar reason AKID includes
841 * SEQUENCE OF GeneralName. So look for a DirName.
842 * There may be more than one but we only take any
843 * notice of the first.
844 */
845 GENERAL_NAMES *gens;
846 GENERAL_NAME *gen;
847 X509_NAME *nm = NULL;
848 int i;
849 gens = akid->issuer;
850 for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
851 gen = sk_GENERAL_NAME_value(gens, i);
852 if (gen->type == GEN_DIRNAME) {
853 nm = gen->d.dirn;
854 break;
855 }
856 }
857 if (nm && X509_NAME_cmp(nm, X509_get_issuer_name(issuer)))
858 return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
859 }
860 return X509_V_OK;
861}
diff --git a/src/lib/libcrypto/x509v3/v3_skey.c b/src/lib/libcrypto/x509v3/v3_skey.c
deleted file mode 100644
index f742b67b33..0000000000
--- a/src/lib/libcrypto/x509v3/v3_skey.c
+++ /dev/null
@@ -1,160 +0,0 @@
1/* $OpenBSD: v3_skey.c,v 1.13 2015/09/30 18:41:06 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include <string.h>
61
62#include <openssl/err.h>
63#include <openssl/x509v3.h>
64
65static ASN1_OCTET_STRING *s2i_skey_id(X509V3_EXT_METHOD *method,
66 X509V3_CTX *ctx, char *str);
67
68const X509V3_EXT_METHOD v3_skey_id = {
69 .ext_nid = NID_subject_key_identifier,
70 .ext_flags = 0,
71 .it = ASN1_ITEM_ref(ASN1_OCTET_STRING),
72 .ext_new = NULL,
73 .ext_free = NULL,
74 .d2i = NULL,
75 .i2d = NULL,
76 .i2s = (X509V3_EXT_I2S)i2s_ASN1_OCTET_STRING,
77 .s2i = (X509V3_EXT_S2I)s2i_skey_id,
78 .i2v = NULL,
79 .v2i = NULL,
80 .i2r = NULL,
81 .r2i = NULL,
82 .usr_data = NULL,
83};
84
85char *
86i2s_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method, ASN1_OCTET_STRING *oct)
87{
88 return hex_to_string(oct->data, oct->length);
89}
90
91ASN1_OCTET_STRING *
92s2i_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *str)
93{
94 ASN1_OCTET_STRING *oct;
95 long length;
96
97 if (!(oct = ASN1_OCTET_STRING_new())) {
98 X509V3err(X509V3_F_S2I_ASN1_OCTET_STRING, ERR_R_MALLOC_FAILURE);
99 return NULL;
100 }
101
102 if (!(oct->data = string_to_hex(str, &length))) {
103 ASN1_OCTET_STRING_free(oct);
104 return NULL;
105 }
106
107 oct->length = length;
108
109 return oct;
110}
111
112static ASN1_OCTET_STRING *
113s2i_skey_id(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *str)
114{
115 ASN1_OCTET_STRING *oct;
116 ASN1_BIT_STRING *pk;
117 unsigned char pkey_dig[EVP_MAX_MD_SIZE];
118 unsigned int diglen;
119
120 if (strcmp(str, "hash"))
121 return s2i_ASN1_OCTET_STRING(method, ctx, str);
122
123 if (!(oct = ASN1_OCTET_STRING_new())) {
124 X509V3err(X509V3_F_S2I_SKEY_ID, ERR_R_MALLOC_FAILURE);
125 return NULL;
126 }
127
128 if (ctx && (ctx->flags == CTX_TEST))
129 return oct;
130
131 if (!ctx || (!ctx->subject_req && !ctx->subject_cert)) {
132 X509V3err(X509V3_F_S2I_SKEY_ID, X509V3_R_NO_PUBLIC_KEY);
133 goto err;
134 }
135
136 if (ctx->subject_req)
137 pk = ctx->subject_req->req_info->pubkey->public_key;
138 else
139 pk = ctx->subject_cert->cert_info->key->public_key;
140
141 if (!pk) {
142 X509V3err(X509V3_F_S2I_SKEY_ID, X509V3_R_NO_PUBLIC_KEY);
143 goto err;
144 }
145
146 if (!EVP_Digest(pk->data, pk->length, pkey_dig, &diglen,
147 EVP_sha1(), NULL))
148 goto err;
149
150 if (!ASN1_STRING_set(oct, pkey_dig, diglen)) {
151 X509V3err(X509V3_F_S2I_SKEY_ID, ERR_R_MALLOC_FAILURE);
152 goto err;
153 }
154
155 return oct;
156
157err:
158 ASN1_OCTET_STRING_free(oct);
159 return NULL;
160}
diff --git a/src/lib/libcrypto/x509v3/v3_sxnet.c b/src/lib/libcrypto/x509v3/v3_sxnet.c
deleted file mode 100644
index 29976b1d68..0000000000
--- a/src/lib/libcrypto/x509v3/v3_sxnet.c
+++ /dev/null
@@ -1,386 +0,0 @@
1/* $OpenBSD: v3_sxnet.c,v 1.17 2015/09/30 17:30:16 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include <string.h>
61
62#include <openssl/asn1.h>
63#include <openssl/asn1t.h>
64#include <openssl/conf.h>
65#include <openssl/err.h>
66#include <openssl/x509v3.h>
67
68/* Support for Thawte strong extranet extension */
69
70#define SXNET_TEST
71
72static int sxnet_i2r(X509V3_EXT_METHOD *method, SXNET *sx, BIO *out,
73 int indent);
74#ifdef SXNET_TEST
75static SXNET * sxnet_v2i(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
76 STACK_OF(CONF_VALUE) *nval);
77#endif
78
79const X509V3_EXT_METHOD v3_sxnet = {
80 .ext_nid = NID_sxnet,
81 .ext_flags = X509V3_EXT_MULTILINE,
82 .it = ASN1_ITEM_ref(SXNET),
83 .ext_new = NULL,
84 .ext_free = NULL,
85 .d2i = NULL,
86 .i2d = NULL,
87 .i2s = NULL,
88 .s2i = NULL,
89 .i2v = NULL,
90#ifdef SXNET_TEST
91 .v2i = (X509V3_EXT_V2I)sxnet_v2i,
92#else
93 .v2i = NULL,
94#endif
95 .i2r = (X509V3_EXT_I2R)sxnet_i2r,
96 .r2i = NULL,
97 .usr_data = NULL,
98};
99
100static const ASN1_TEMPLATE SXNETID_seq_tt[] = {
101 {
102 .flags = 0,
103 .tag = 0,
104 .offset = offsetof(SXNETID, zone),
105 .field_name = "zone",
106 .item = &ASN1_INTEGER_it,
107 },
108 {
109 .flags = 0,
110 .tag = 0,
111 .offset = offsetof(SXNETID, user),
112 .field_name = "user",
113 .item = &ASN1_OCTET_STRING_it,
114 },
115};
116
117const ASN1_ITEM SXNETID_it = {
118 .itype = ASN1_ITYPE_SEQUENCE,
119 .utype = V_ASN1_SEQUENCE,
120 .templates = SXNETID_seq_tt,
121 .tcount = sizeof(SXNETID_seq_tt) / sizeof(ASN1_TEMPLATE),
122 .funcs = NULL,
123 .size = sizeof(SXNETID),
124 .sname = "SXNETID",
125};
126
127
128SXNETID *
129d2i_SXNETID(SXNETID **a, const unsigned char **in, long len)
130{
131 return (SXNETID *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
132 &SXNETID_it);
133}
134
135int
136i2d_SXNETID(SXNETID *a, unsigned char **out)
137{
138 return ASN1_item_i2d((ASN1_VALUE *)a, out, &SXNETID_it);
139}
140
141SXNETID *
142SXNETID_new(void)
143{
144 return (SXNETID *)ASN1_item_new(&SXNETID_it);
145}
146
147void
148SXNETID_free(SXNETID *a)
149{
150 ASN1_item_free((ASN1_VALUE *)a, &SXNETID_it);
151}
152
153static const ASN1_TEMPLATE SXNET_seq_tt[] = {
154 {
155 .flags = 0,
156 .tag = 0,
157 .offset = offsetof(SXNET, version),
158 .field_name = "version",
159 .item = &ASN1_INTEGER_it,
160 },
161 {
162 .flags = ASN1_TFLG_SEQUENCE_OF,
163 .tag = 0,
164 .offset = offsetof(SXNET, ids),
165 .field_name = "ids",
166 .item = &SXNETID_it,
167 },
168};
169
170const ASN1_ITEM SXNET_it = {
171 .itype = ASN1_ITYPE_SEQUENCE,
172 .utype = V_ASN1_SEQUENCE,
173 .templates = SXNET_seq_tt,
174 .tcount = sizeof(SXNET_seq_tt) / sizeof(ASN1_TEMPLATE),
175 .funcs = NULL,
176 .size = sizeof(SXNET),
177 .sname = "SXNET",
178};
179
180
181SXNET *
182d2i_SXNET(SXNET **a, const unsigned char **in, long len)
183{
184 return (SXNET *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
185 &SXNET_it);
186}
187
188int
189i2d_SXNET(SXNET *a, unsigned char **out)
190{
191 return ASN1_item_i2d((ASN1_VALUE *)a, out, &SXNET_it);
192}
193
194SXNET *
195SXNET_new(void)
196{
197 return (SXNET *)ASN1_item_new(&SXNET_it);
198}
199
200void
201SXNET_free(SXNET *a)
202{
203 ASN1_item_free((ASN1_VALUE *)a, &SXNET_it);
204}
205
206static int
207sxnet_i2r(X509V3_EXT_METHOD *method, SXNET *sx, BIO *out, int indent)
208{
209 long v;
210 char *tmp;
211 SXNETID *id;
212 int i;
213
214 v = ASN1_INTEGER_get(sx->version);
215 BIO_printf(out, "%*sVersion: %ld (0x%lX)", indent, "", v + 1, v);
216 for (i = 0; i < sk_SXNETID_num(sx->ids); i++) {
217 id = sk_SXNETID_value(sx->ids, i);
218 tmp = i2s_ASN1_INTEGER(NULL, id->zone);
219 BIO_printf(out, "\n%*sZone: %s, User: ", indent, "", tmp);
220 free(tmp);
221 ASN1_STRING_print(out, id->user);
222 }
223 return 1;
224}
225
226#ifdef SXNET_TEST
227
228/* NBB: this is used for testing only. It should *not* be used for anything
229 * else because it will just take static IDs from the configuration file and
230 * they should really be separate values for each user.
231 */
232
233static SXNET *
234sxnet_v2i(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
235 STACK_OF(CONF_VALUE) *nval)
236{
237 CONF_VALUE *cnf;
238 SXNET *sx = NULL;
239 int i;
240
241 for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
242 cnf = sk_CONF_VALUE_value(nval, i);
243 if (!SXNET_add_id_asc(&sx, cnf->name, cnf->value, -1))
244 return NULL;
245 }
246 return sx;
247}
248
249#endif
250
251/* Strong Extranet utility functions */
252
253/* Add an id given the zone as an ASCII number */
254
255int
256SXNET_add_id_asc(SXNET **psx, char *zone, char *user, int userlen)
257{
258 ASN1_INTEGER *izone = NULL;
259
260 if (!(izone = s2i_ASN1_INTEGER(NULL, zone))) {
261 X509V3err(X509V3_F_SXNET_ADD_ID_ASC,
262 X509V3_R_ERROR_CONVERTING_ZONE);
263 return 0;
264 }
265 return SXNET_add_id_INTEGER(psx, izone, user, userlen);
266}
267
268/* Add an id given the zone as an unsigned long */
269
270int
271SXNET_add_id_ulong(SXNET **psx, unsigned long lzone, char *user, int userlen)
272{
273 ASN1_INTEGER *izone = NULL;
274
275 if (!(izone = ASN1_INTEGER_new()) ||
276 !ASN1_INTEGER_set(izone, lzone)) {
277 X509V3err(X509V3_F_SXNET_ADD_ID_ULONG, ERR_R_MALLOC_FAILURE);
278 ASN1_INTEGER_free(izone);
279 return 0;
280 }
281 return SXNET_add_id_INTEGER(psx, izone, user, userlen);
282}
283
284/* Add an id given the zone as an ASN1_INTEGER.
285 * Note this version uses the passed integer and doesn't make a copy so don't
286 * free it up afterwards.
287 */
288
289int
290SXNET_add_id_INTEGER(SXNET **psx, ASN1_INTEGER *zone, char *user, int userlen)
291{
292 SXNET *sx = NULL;
293 SXNETID *id = NULL;
294
295 if (!psx || !zone || !user) {
296 X509V3err(X509V3_F_SXNET_ADD_ID_INTEGER,
297 X509V3_R_INVALID_NULL_ARGUMENT);
298 return 0;
299 }
300 if (userlen == -1)
301 userlen = strlen(user);
302 if (userlen > 64) {
303 X509V3err(X509V3_F_SXNET_ADD_ID_INTEGER,
304 X509V3_R_USER_TOO_LONG);
305 return 0;
306 }
307 if (!*psx) {
308 if (!(sx = SXNET_new()))
309 goto err;
310 if (!ASN1_INTEGER_set(sx->version, 0))
311 goto err;
312 *psx = sx;
313 } else
314 sx = *psx;
315 if (SXNET_get_id_INTEGER(sx, zone)) {
316 X509V3err(X509V3_F_SXNET_ADD_ID_INTEGER,
317 X509V3_R_DUPLICATE_ZONE_ID);
318 return 0;
319 }
320
321 if (!(id = SXNETID_new()))
322 goto err;
323 if (userlen == -1)
324 userlen = strlen(user);
325
326 if (!ASN1_STRING_set(id->user, user, userlen))
327 goto err;
328 if (!sk_SXNETID_push(sx->ids, id))
329 goto err;
330 id->zone = zone;
331 return 1;
332
333err:
334 X509V3err(X509V3_F_SXNET_ADD_ID_INTEGER, ERR_R_MALLOC_FAILURE);
335 SXNETID_free(id);
336 SXNET_free(sx);
337 *psx = NULL;
338 return 0;
339}
340
341ASN1_OCTET_STRING *
342SXNET_get_id_asc(SXNET *sx, char *zone)
343{
344 ASN1_INTEGER *izone = NULL;
345 ASN1_OCTET_STRING *oct;
346
347 if (!(izone = s2i_ASN1_INTEGER(NULL, zone))) {
348 X509V3err(X509V3_F_SXNET_GET_ID_ASC,
349 X509V3_R_ERROR_CONVERTING_ZONE);
350 return NULL;
351 }
352 oct = SXNET_get_id_INTEGER(sx, izone);
353 ASN1_INTEGER_free(izone);
354 return oct;
355}
356
357ASN1_OCTET_STRING *
358SXNET_get_id_ulong(SXNET *sx, unsigned long lzone)
359{
360 ASN1_INTEGER *izone = NULL;
361 ASN1_OCTET_STRING *oct;
362
363 if (!(izone = ASN1_INTEGER_new()) ||
364 !ASN1_INTEGER_set(izone, lzone)) {
365 X509V3err(X509V3_F_SXNET_GET_ID_ULONG, ERR_R_MALLOC_FAILURE);
366 ASN1_INTEGER_free(izone);
367 return NULL;
368 }
369 oct = SXNET_get_id_INTEGER(sx, izone);
370 ASN1_INTEGER_free(izone);
371 return oct;
372}
373
374ASN1_OCTET_STRING *
375SXNET_get_id_INTEGER(SXNET *sx, ASN1_INTEGER *zone)
376{
377 SXNETID *id;
378 int i;
379
380 for (i = 0; i < sk_SXNETID_num(sx->ids); i++) {
381 id = sk_SXNETID_value(sx->ids, i);
382 if (!ASN1_STRING_cmp(id->zone, zone))
383 return id->user;
384 }
385 return NULL;
386}
diff --git a/src/lib/libcrypto/x509v3/v3_utl.c b/src/lib/libcrypto/x509v3/v3_utl.c
deleted file mode 100644
index ee135a0b52..0000000000
--- a/src/lib/libcrypto/x509v3/v3_utl.c
+++ /dev/null
@@ -1,925 +0,0 @@
1/* $OpenBSD: v3_utl.c,v 1.24 2015/02/07 13:19:15 doug Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project.
4 */
5/* ====================================================================
6 * Copyright (c) 1999-2003 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58/* X509 v3 extension utilities */
59
60#include <ctype.h>
61#include <stdio.h>
62#include <string.h>
63
64#include <openssl/bn.h>
65#include <openssl/conf.h>
66#include <openssl/err.h>
67#include <openssl/x509v3.h>
68
69static char *strip_spaces(char *name);
70static int sk_strcmp(const char * const *a, const char * const *b);
71static STACK_OF(OPENSSL_STRING) *get_email(X509_NAME *name,
72 GENERAL_NAMES *gens);
73static void str_free(OPENSSL_STRING str);
74static int append_ia5(STACK_OF(OPENSSL_STRING) **sk, ASN1_IA5STRING *email);
75
76static int ipv4_from_asc(unsigned char *v4, const char *in);
77static int ipv6_from_asc(unsigned char *v6, const char *in);
78static int ipv6_cb(const char *elem, int len, void *usr);
79static int ipv6_hex(unsigned char *out, const char *in, int inlen);
80
81/* Add a CONF_VALUE name value pair to stack */
82
83int
84X509V3_add_value(const char *name, const char *value,
85 STACK_OF(CONF_VALUE) **extlist)
86{
87 CONF_VALUE *vtmp = NULL;
88 char *tname = NULL, *tvalue = NULL;
89
90 if (name && !(tname = strdup(name)))
91 goto err;
92 if (value && !(tvalue = strdup(value)))
93 goto err;
94 if (!(vtmp = malloc(sizeof(CONF_VALUE))))
95 goto err;
96 if (!*extlist && !(*extlist = sk_CONF_VALUE_new_null()))
97 goto err;
98 vtmp->section = NULL;
99 vtmp->name = tname;
100 vtmp->value = tvalue;
101 if (!sk_CONF_VALUE_push(*extlist, vtmp))
102 goto err;
103 return 1;
104
105err:
106 X509V3err(X509V3_F_X509V3_ADD_VALUE, ERR_R_MALLOC_FAILURE);
107 free(vtmp);
108 free(tname);
109 free(tvalue);
110 return 0;
111}
112
113int
114X509V3_add_value_uchar(const char *name, const unsigned char *value,
115 STACK_OF(CONF_VALUE) **extlist)
116{
117 return X509V3_add_value(name, (const char *)value, extlist);
118}
119
120/* Free function for STACK_OF(CONF_VALUE) */
121
122void
123X509V3_conf_free(CONF_VALUE *conf)
124{
125 if (!conf)
126 return;
127 free(conf->name);
128 free(conf->value);
129 free(conf->section);
130 free(conf);
131}
132
133int
134X509V3_add_value_bool(const char *name, int asn1_bool,
135 STACK_OF(CONF_VALUE) **extlist)
136{
137 if (asn1_bool)
138 return X509V3_add_value(name, "TRUE", extlist);
139 return X509V3_add_value(name, "FALSE", extlist);
140}
141
142int
143X509V3_add_value_bool_nf(char *name, int asn1_bool,
144 STACK_OF(CONF_VALUE) **extlist)
145{
146 if (asn1_bool)
147 return X509V3_add_value(name, "TRUE", extlist);
148 return 1;
149}
150
151
152char *
153i2s_ASN1_ENUMERATED(X509V3_EXT_METHOD *method, ASN1_ENUMERATED *a)
154{
155 BIGNUM *bntmp = NULL;
156 char *strtmp = NULL;
157
158 if (!a)
159 return NULL;
160 if (!(bntmp = ASN1_ENUMERATED_to_BN(a, NULL)) ||
161 !(strtmp = BN_bn2dec(bntmp)))
162 X509V3err(X509V3_F_I2S_ASN1_ENUMERATED, ERR_R_MALLOC_FAILURE);
163 BN_free(bntmp);
164 return strtmp;
165}
166
167char *
168i2s_ASN1_INTEGER(X509V3_EXT_METHOD *method, ASN1_INTEGER *a)
169{
170 BIGNUM *bntmp = NULL;
171 char *strtmp = NULL;
172
173 if (!a)
174 return NULL;
175 if (!(bntmp = ASN1_INTEGER_to_BN(a, NULL)) ||
176 !(strtmp = BN_bn2dec(bntmp)))
177 X509V3err(X509V3_F_I2S_ASN1_INTEGER, ERR_R_MALLOC_FAILURE);
178 BN_free(bntmp);
179 return strtmp;
180}
181
182ASN1_INTEGER *
183s2i_ASN1_INTEGER(X509V3_EXT_METHOD *method, char *value)
184{
185 BIGNUM *bn = NULL;
186 ASN1_INTEGER *aint;
187 int isneg, ishex;
188 int ret;
189
190 if (!value) {
191 X509V3err(X509V3_F_S2I_ASN1_INTEGER,
192 X509V3_R_INVALID_NULL_VALUE);
193 return 0;
194 }
195 bn = BN_new();
196 if (value[0] == '-') {
197 value++;
198 isneg = 1;
199 } else
200 isneg = 0;
201
202 if (value[0] == '0' && ((value[1] == 'x') || (value[1] == 'X'))) {
203 value += 2;
204 ishex = 1;
205 } else
206 ishex = 0;
207
208 if (ishex)
209 ret = BN_hex2bn(&bn, value);
210 else
211 ret = BN_dec2bn(&bn, value);
212
213 if (!ret || value[ret]) {
214 BN_free(bn);
215 X509V3err(X509V3_F_S2I_ASN1_INTEGER, X509V3_R_BN_DEC2BN_ERROR);
216 return 0;
217 }
218
219 if (isneg && BN_is_zero(bn))
220 isneg = 0;
221
222 aint = BN_to_ASN1_INTEGER(bn, NULL);
223 BN_free(bn);
224 if (!aint) {
225 X509V3err(X509V3_F_S2I_ASN1_INTEGER,
226 X509V3_R_BN_TO_ASN1_INTEGER_ERROR);
227 return 0;
228 }
229 if (isneg)
230 aint->type |= V_ASN1_NEG;
231 return aint;
232}
233
234int
235X509V3_add_value_int(const char *name, ASN1_INTEGER *aint,
236 STACK_OF(CONF_VALUE) **extlist)
237{
238 char *strtmp;
239 int ret;
240
241 if (!aint)
242 return 1;
243 if (!(strtmp = i2s_ASN1_INTEGER(NULL, aint)))
244 return 0;
245 ret = X509V3_add_value(name, strtmp, extlist);
246 free(strtmp);
247 return ret;
248}
249
250int
251X509V3_get_value_bool(CONF_VALUE *value, int *asn1_bool)
252{
253 char *btmp;
254
255 if (!(btmp = value->value))
256 goto err;
257 if (!strcmp(btmp, "TRUE") || !strcmp(btmp, "true") ||
258 !strcmp(btmp, "Y") || !strcmp(btmp, "y") ||
259 !strcmp(btmp, "YES") || !strcmp(btmp, "yes")) {
260 *asn1_bool = 0xff;
261 return 1;
262 } else if (!strcmp(btmp, "FALSE") || !strcmp(btmp, "false") ||
263 !strcmp(btmp, "N") || !strcmp(btmp, "n") ||
264 !strcmp(btmp, "NO") || !strcmp(btmp, "no")) {
265 *asn1_bool = 0;
266 return 1;
267 }
268
269err:
270 X509V3err(X509V3_F_X509V3_GET_VALUE_BOOL,
271 X509V3_R_INVALID_BOOLEAN_STRING);
272 X509V3_conf_err(value);
273 return 0;
274}
275
276int
277X509V3_get_value_int(CONF_VALUE *value, ASN1_INTEGER **aint)
278{
279 ASN1_INTEGER *itmp;
280
281 if (!(itmp = s2i_ASN1_INTEGER(NULL, value->value))) {
282 X509V3_conf_err(value);
283 return 0;
284 }
285 *aint = itmp;
286 return 1;
287}
288
289#define HDR_NAME 1
290#define HDR_VALUE 2
291
292/*#define DEBUG*/
293
294STACK_OF(CONF_VALUE) *
295X509V3_parse_list(const char *line)
296{
297 char *p, *q, c;
298 char *ntmp, *vtmp;
299 STACK_OF(CONF_VALUE) *values = NULL;
300 char *linebuf;
301 int state;
302
303 /* We are going to modify the line so copy it first */
304 if ((linebuf = strdup(line)) == NULL) {
305 X509V3err(X509V3_F_X509V3_PARSE_LIST, ERR_R_MALLOC_FAILURE);
306 goto err;
307 }
308 state = HDR_NAME;
309 ntmp = NULL;
310
311 /* Go through all characters */
312 for (p = linebuf, q = linebuf; (c = *p) && (c != '\r') &&
313 (c != '\n'); p++) {
314
315 switch (state) {
316 case HDR_NAME:
317 if (c == ':') {
318 state = HDR_VALUE;
319 *p = 0;
320 ntmp = strip_spaces(q);
321 if (!ntmp) {
322 X509V3err(X509V3_F_X509V3_PARSE_LIST,
323 X509V3_R_INVALID_NULL_NAME);
324 goto err;
325 }
326 q = p + 1;
327 } else if (c == ',') {
328 *p = 0;
329 ntmp = strip_spaces(q);
330 q = p + 1;
331 if (!ntmp) {
332 X509V3err(X509V3_F_X509V3_PARSE_LIST,
333 X509V3_R_INVALID_NULL_NAME);
334 goto err;
335 }
336 X509V3_add_value(ntmp, NULL, &values);
337 }
338 break;
339
340 case HDR_VALUE:
341 if (c == ',') {
342 state = HDR_NAME;
343 *p = 0;
344 vtmp = strip_spaces(q);
345 if (!vtmp) {
346 X509V3err(X509V3_F_X509V3_PARSE_LIST,
347 X509V3_R_INVALID_NULL_VALUE);
348 goto err;
349 }
350 X509V3_add_value(ntmp, vtmp, &values);
351 ntmp = NULL;
352 q = p + 1;
353 }
354
355 }
356 }
357
358 if (state == HDR_VALUE) {
359 vtmp = strip_spaces(q);
360 if (!vtmp) {
361 X509V3err(X509V3_F_X509V3_PARSE_LIST,
362 X509V3_R_INVALID_NULL_VALUE);
363 goto err;
364 }
365 X509V3_add_value(ntmp, vtmp, &values);
366 } else {
367 ntmp = strip_spaces(q);
368 if (!ntmp) {
369 X509V3err(X509V3_F_X509V3_PARSE_LIST,
370 X509V3_R_INVALID_NULL_NAME);
371 goto err;
372 }
373 X509V3_add_value(ntmp, NULL, &values);
374 }
375 free(linebuf);
376 return values;
377
378err:
379 free(linebuf);
380 sk_CONF_VALUE_pop_free(values, X509V3_conf_free);
381 return NULL;
382
383}
384
385/* Delete leading and trailing spaces from a string */
386static char *
387strip_spaces(char *name)
388{
389 char *p, *q;
390
391 /* Skip over leading spaces */
392 p = name;
393 while (*p && isspace((unsigned char)*p))
394 p++;
395 if (!*p)
396 return NULL;
397 q = p + strlen(p) - 1;
398 while ((q != p) && isspace((unsigned char)*q))
399 q--;
400 if (p != q)
401 q[1] = 0;
402 if (!*p)
403 return NULL;
404 return p;
405}
406
407/* hex string utilities */
408
409/* Given a buffer of length 'len' return a malloc'ed string with its
410 * hex representation
411 */
412char *
413hex_to_string(const unsigned char *buffer, long len)
414{
415 char *tmp, *q;
416 const unsigned char *p;
417 int i;
418 static const char hexdig[] = "0123456789ABCDEF";
419
420 if (!buffer || !len)
421 return NULL;
422 if (!(tmp = malloc(len * 3 + 1))) {
423 X509V3err(X509V3_F_HEX_TO_STRING, ERR_R_MALLOC_FAILURE);
424 return NULL;
425 }
426 q = tmp;
427 for (i = 0, p = buffer; i < len; i++, p++) {
428 *q++ = hexdig[(*p >> 4) & 0xf];
429 *q++ = hexdig[*p & 0xf];
430 *q++ = ':';
431 }
432 q[-1] = 0;
433 return tmp;
434}
435
436/* Give a string of hex digits convert to
437 * a buffer
438 */
439
440unsigned char *
441string_to_hex(const char *str, long *len)
442{
443 unsigned char *hexbuf, *q;
444 unsigned char ch, cl, *p;
445 if (!str) {
446 X509V3err(X509V3_F_STRING_TO_HEX,
447 X509V3_R_INVALID_NULL_ARGUMENT);
448 return NULL;
449 }
450 if (!(hexbuf = malloc(strlen(str) >> 1)))
451 goto err;
452 for (p = (unsigned char *)str, q = hexbuf; *p; ) {
453 ch = *p++;
454 if (ch == ':')
455 continue;
456 cl = *p++;
457 if (!cl) {
458 X509V3err(X509V3_F_STRING_TO_HEX,
459 X509V3_R_ODD_NUMBER_OF_DIGITS);
460 free(hexbuf);
461 return NULL;
462 }
463 ch = tolower(ch);
464 cl = tolower(cl);
465
466 if ((ch >= '0') && (ch <= '9'))
467 ch -= '0';
468 else if ((ch >= 'a') && (ch <= 'f'))
469 ch -= 'a' - 10;
470 else
471 goto badhex;
472
473 if ((cl >= '0') && (cl <= '9'))
474 cl -= '0';
475 else if ((cl >= 'a') && (cl <= 'f'))
476 cl -= 'a' - 10;
477 else
478 goto badhex;
479
480 *q++ = (ch << 4) | cl;
481 }
482
483 if (len)
484 *len = q - hexbuf;
485
486 return hexbuf;
487
488err:
489 free(hexbuf);
490 X509V3err(X509V3_F_STRING_TO_HEX, ERR_R_MALLOC_FAILURE);
491 return NULL;
492
493badhex:
494 free(hexbuf);
495 X509V3err(X509V3_F_STRING_TO_HEX, X509V3_R_ILLEGAL_HEX_DIGIT);
496 return NULL;
497}
498
499/* V2I name comparison function: returns zero if 'name' matches
500 * cmp or cmp.*
501 */
502
503int
504name_cmp(const char *name, const char *cmp)
505{
506 int len, ret;
507 char c;
508
509 len = strlen(cmp);
510 if ((ret = strncmp(name, cmp, len)))
511 return ret;
512 c = name[len];
513 if (!c || (c=='.'))
514 return 0;
515 return 1;
516}
517
518static int
519sk_strcmp(const char * const *a, const char * const *b)
520{
521 return strcmp(*a, *b);
522}
523
524STACK_OF(OPENSSL_STRING) *X509_get1_email(X509 *x)
525{
526 GENERAL_NAMES *gens;
527 STACK_OF(OPENSSL_STRING) *ret;
528
529 gens = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
530 ret = get_email(X509_get_subject_name(x), gens);
531 sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
532 return ret;
533}
534
535STACK_OF(OPENSSL_STRING) *X509_get1_ocsp(X509 *x)
536{
537 AUTHORITY_INFO_ACCESS *info;
538 STACK_OF(OPENSSL_STRING) *ret = NULL;
539 int i;
540
541 info = X509_get_ext_d2i(x, NID_info_access, NULL, NULL);
542 if (!info)
543 return NULL;
544 for (i = 0; i < sk_ACCESS_DESCRIPTION_num(info); i++) {
545 ACCESS_DESCRIPTION *ad = sk_ACCESS_DESCRIPTION_value(info, i);
546 if (OBJ_obj2nid(ad->method) == NID_ad_OCSP) {
547 if (ad->location->type == GEN_URI) {
548 if (!append_ia5(&ret,
549 ad->location->d.uniformResourceIdentifier))
550 break;
551 }
552 }
553 }
554 AUTHORITY_INFO_ACCESS_free(info);
555 return ret;
556}
557
558STACK_OF(OPENSSL_STRING) *X509_REQ_get1_email(X509_REQ *x)
559{
560 GENERAL_NAMES *gens;
561 STACK_OF(X509_EXTENSION) *exts;
562 STACK_OF(OPENSSL_STRING) *ret;
563
564 exts = X509_REQ_get_extensions(x);
565 gens = X509V3_get_d2i(exts, NID_subject_alt_name, NULL, NULL);
566 ret = get_email(X509_REQ_get_subject_name(x), gens);
567 sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
568 sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
569 return ret;
570}
571
572
573static
574STACK_OF(OPENSSL_STRING) *get_email(X509_NAME *name, GENERAL_NAMES *gens)
575{
576 STACK_OF(OPENSSL_STRING) *ret = NULL;
577 X509_NAME_ENTRY *ne;
578 ASN1_IA5STRING *email;
579 GENERAL_NAME *gen;
580 int i;
581
582 /* Now add any email address(es) to STACK */
583 i = -1;
584
585 /* First supplied X509_NAME */
586 while ((i = X509_NAME_get_index_by_NID(name,
587 NID_pkcs9_emailAddress, i)) >= 0) {
588 ne = X509_NAME_get_entry(name, i);
589 email = X509_NAME_ENTRY_get_data(ne);
590 if (!append_ia5(&ret, email))
591 return NULL;
592 }
593 for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
594 gen = sk_GENERAL_NAME_value(gens, i);
595 if (gen->type != GEN_EMAIL)
596 continue;
597 if (!append_ia5(&ret, gen->d.ia5))
598 return NULL;
599 }
600 return ret;
601}
602
603static void
604str_free(OPENSSL_STRING str)
605{
606 free(str);
607}
608
609static int
610append_ia5(STACK_OF(OPENSSL_STRING) **sk, ASN1_IA5STRING *email)
611{
612 char *emtmp;
613
614 /* First some sanity checks */
615 if (email->type != V_ASN1_IA5STRING)
616 return 1;
617 if (!email->data || !email->length)
618 return 1;
619 if (!*sk)
620 *sk = sk_OPENSSL_STRING_new(sk_strcmp);
621 if (!*sk)
622 return 0;
623 /* Don't add duplicates */
624 if (sk_OPENSSL_STRING_find(*sk, (char *)email->data) != -1)
625 return 1;
626 emtmp = strdup((char *)email->data);
627 if (!emtmp || !sk_OPENSSL_STRING_push(*sk, emtmp)) {
628 X509_email_free(*sk);
629 *sk = NULL;
630 return 0;
631 }
632 return 1;
633}
634
635void
636X509_email_free(STACK_OF(OPENSSL_STRING) *sk)
637{
638 sk_OPENSSL_STRING_pop_free(sk, str_free);
639}
640
641/* Convert IP addresses both IPv4 and IPv6 into an
642 * OCTET STRING compatible with RFC3280.
643 */
644
645ASN1_OCTET_STRING *
646a2i_IPADDRESS(const char *ipasc)
647{
648 unsigned char ipout[16];
649 ASN1_OCTET_STRING *ret;
650 int iplen;
651
652 /* If string contains a ':' assume IPv6 */
653
654 iplen = a2i_ipadd(ipout, ipasc);
655
656 if (!iplen)
657 return NULL;
658
659 ret = ASN1_OCTET_STRING_new();
660 if (!ret)
661 return NULL;
662 if (!ASN1_OCTET_STRING_set(ret, ipout, iplen)) {
663 ASN1_OCTET_STRING_free(ret);
664 return NULL;
665 }
666 return ret;
667}
668
669ASN1_OCTET_STRING *
670a2i_IPADDRESS_NC(const char *ipasc)
671{
672 ASN1_OCTET_STRING *ret = NULL;
673 unsigned char ipout[32];
674 char *iptmp = NULL, *p;
675 int iplen1, iplen2;
676
677 p = strchr(ipasc, '/');
678 if (!p)
679 return NULL;
680 iptmp = strdup(ipasc);
681 if (!iptmp)
682 return NULL;
683 p = iptmp + (p - ipasc);
684 *p++ = 0;
685
686 iplen1 = a2i_ipadd(ipout, iptmp);
687
688 if (!iplen1)
689 goto err;
690
691 iplen2 = a2i_ipadd(ipout + iplen1, p);
692
693 free(iptmp);
694 iptmp = NULL;
695
696 if (!iplen2 || (iplen1 != iplen2))
697 goto err;
698
699 ret = ASN1_OCTET_STRING_new();
700 if (!ret)
701 goto err;
702 if (!ASN1_OCTET_STRING_set(ret, ipout, iplen1 + iplen2))
703 goto err;
704
705 return ret;
706
707err:
708 free(iptmp);
709 if (ret)
710 ASN1_OCTET_STRING_free(ret);
711 return NULL;
712}
713
714
715int
716a2i_ipadd(unsigned char *ipout, const char *ipasc)
717{
718 /* If string contains a ':' assume IPv6 */
719
720 if (strchr(ipasc, ':')) {
721 if (!ipv6_from_asc(ipout, ipasc))
722 return 0;
723 return 16;
724 } else {
725 if (!ipv4_from_asc(ipout, ipasc))
726 return 0;
727 return 4;
728 }
729}
730
731static int
732ipv4_from_asc(unsigned char *v4, const char *in)
733{
734 int a0, a1, a2, a3;
735 if (sscanf(in, "%d.%d.%d.%d", &a0, &a1, &a2, &a3) != 4)
736 return 0;
737 if ((a0 < 0) || (a0 > 255) || (a1 < 0) || (a1 > 255) ||
738 (a2 < 0) || (a2 > 255) || (a3 < 0) || (a3 > 255))
739 return 0;
740 v4[0] = a0;
741 v4[1] = a1;
742 v4[2] = a2;
743 v4[3] = a3;
744 return 1;
745}
746
747typedef struct {
748 /* Temporary store for IPV6 output */
749 unsigned char tmp[16];
750 /* Total number of bytes in tmp */
751 int total;
752 /* The position of a zero (corresponding to '::') */
753 int zero_pos;
754 /* Number of zeroes */
755 int zero_cnt;
756} IPV6_STAT;
757
758
759static int
760ipv6_from_asc(unsigned char *v6, const char *in)
761{
762 IPV6_STAT v6stat;
763
764 v6stat.total = 0;
765 v6stat.zero_pos = -1;
766 v6stat.zero_cnt = 0;
767
768 /* Treat the IPv6 representation as a list of values
769 * separated by ':'. The presence of a '::' will parse
770 * as one, two or three zero length elements.
771 */
772 if (!CONF_parse_list(in, ':', 0, ipv6_cb, &v6stat))
773 return 0;
774
775 /* Now for some sanity checks */
776
777 if (v6stat.zero_pos == -1) {
778 /* If no '::' must have exactly 16 bytes */
779 if (v6stat.total != 16)
780 return 0;
781 } else {
782 /* If '::' must have less than 16 bytes */
783 if (v6stat.total == 16)
784 return 0;
785 /* More than three zeroes is an error */
786 if (v6stat.zero_cnt > 3)
787 return 0;
788 /* Can only have three zeroes if nothing else present */
789 else if (v6stat.zero_cnt == 3) {
790 if (v6stat.total > 0)
791 return 0;
792 }
793 /* Can only have two zeroes if at start or end */
794 else if (v6stat.zero_cnt == 2) {
795 if ((v6stat.zero_pos != 0) &&
796 (v6stat.zero_pos != v6stat.total))
797 return 0;
798 } else
799 /* Can only have one zero if *not* start or end */
800 {
801 if ((v6stat.zero_pos == 0) ||
802 (v6stat.zero_pos == v6stat.total))
803 return 0;
804 }
805 }
806
807 /* Format result */
808
809 if (v6stat.zero_pos >= 0) {
810 /* Copy initial part */
811 memcpy(v6, v6stat.tmp, v6stat.zero_pos);
812 /* Zero middle */
813 memset(v6 + v6stat.zero_pos, 0, 16 - v6stat.total);
814 /* Copy final part */
815 if (v6stat.total != v6stat.zero_pos)
816 memcpy(v6 + v6stat.zero_pos + 16 - v6stat.total,
817 v6stat.tmp + v6stat.zero_pos,
818 v6stat.total - v6stat.zero_pos);
819 } else
820 memcpy(v6, v6stat.tmp, 16);
821
822 return 1;
823}
824
825static int
826ipv6_cb(const char *elem, int len, void *usr)
827{
828 IPV6_STAT *s = usr;
829
830 /* Error if 16 bytes written */
831 if (s->total == 16)
832 return 0;
833 if (len == 0) {
834 /* Zero length element, corresponds to '::' */
835 if (s->zero_pos == -1)
836 s->zero_pos = s->total;
837 /* If we've already got a :: its an error */
838 else if (s->zero_pos != s->total)
839 return 0;
840 s->zero_cnt++;
841 } else {
842 /* If more than 4 characters could be final a.b.c.d form */
843 if (len > 4) {
844 /* Need at least 4 bytes left */
845 if (s->total > 12)
846 return 0;
847 /* Must be end of string */
848 if (elem[len])
849 return 0;
850 if (!ipv4_from_asc(s->tmp + s->total, elem))
851 return 0;
852 s->total += 4;
853 } else {
854 if (!ipv6_hex(s->tmp + s->total, elem, len))
855 return 0;
856 s->total += 2;
857 }
858 }
859 return 1;
860}
861
862/* Convert a string of up to 4 hex digits into the corresponding
863 * IPv6 form.
864 */
865
866static int
867ipv6_hex(unsigned char *out, const char *in, int inlen)
868{
869 unsigned char c;
870 unsigned int num = 0;
871
872 if (inlen > 4)
873 return 0;
874 while (inlen--) {
875 c = *in++;
876 num <<= 4;
877 if ((c >= '0') && (c <= '9'))
878 num |= c - '0';
879 else if ((c >= 'A') && (c <= 'F'))
880 num |= c - 'A' + 10;
881 else if ((c >= 'a') && (c <= 'f'))
882 num |= c - 'a' + 10;
883 else
884 return 0;
885 }
886 out[0] = num >> 8;
887 out[1] = num & 0xff;
888 return 1;
889}
890
891int
892X509V3_NAME_from_section(X509_NAME *nm, STACK_OF(CONF_VALUE)*dn_sk,
893 unsigned long chtype)
894{
895 CONF_VALUE *v;
896 int i, mval;
897 char *p, *type;
898
899 if (!nm)
900 return 0;
901
902 for (i = 0; i < sk_CONF_VALUE_num(dn_sk); i++) {
903 v = sk_CONF_VALUE_value(dn_sk, i);
904 type = v->name;
905 /* Skip past any leading X. X: X, etc to allow for
906 * multiple instances
907 */
908 for (p = type; *p; p++)
909 if ((*p == ':') || (*p == ',') || (*p == '.')) {
910 p++;
911 if (*p)
912 type = p;
913 break;
914 }
915 if (*type == '+') {
916 mval = -1;
917 type++;
918 } else
919 mval = 0;
920 if (!X509_NAME_add_entry_by_txt(nm, type, chtype,
921 (unsigned char *) v->value, -1, -1, mval))
922 return 0;
923 }
924 return 1;
925}
diff --git a/src/lib/libcrypto/x509v3/v3err.c b/src/lib/libcrypto/x509v3/v3err.c
deleted file mode 100644
index a49632a069..0000000000
--- a/src/lib/libcrypto/x509v3/v3err.c
+++ /dev/null
@@ -1,226 +0,0 @@
1/* $OpenBSD: v3err.c,v 1.11 2014/07/10 22:45:58 jsing Exp $ */
2/* ====================================================================
3 * Copyright (c) 1999-2007 The OpenSSL Project. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 *
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 *
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in
14 * the documentation and/or other materials provided with the
15 * distribution.
16 *
17 * 3. All advertising materials mentioning features or use of this
18 * software must display the following acknowledgment:
19 * "This product includes software developed by the OpenSSL Project
20 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
21 *
22 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
23 * endorse or promote products derived from this software without
24 * prior written permission. For written permission, please contact
25 * openssl-core@OpenSSL.org.
26 *
27 * 5. Products derived from this software may not be called "OpenSSL"
28 * nor may "OpenSSL" appear in their names without prior written
29 * permission of the OpenSSL Project.
30 *
31 * 6. Redistributions of any form whatsoever must retain the following
32 * acknowledgment:
33 * "This product includes software developed by the OpenSSL Project
34 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
35 *
36 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
37 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
38 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
39 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
40 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
41 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
42 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
43 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
44 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
45 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
46 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
47 * OF THE POSSIBILITY OF SUCH DAMAGE.
48 * ====================================================================
49 *
50 * This product includes cryptographic software written by Eric Young
51 * (eay@cryptsoft.com). This product includes software written by Tim
52 * Hudson (tjh@cryptsoft.com).
53 *
54 */
55
56/* NOTE: this file was auto generated by the mkerr.pl script: any changes
57 * made to it will be overwritten when the script next updates this file,
58 * only reason strings will be preserved.
59 */
60
61#include <stdio.h>
62
63#include <openssl/opensslconf.h>
64
65#include <openssl/err.h>
66#include <openssl/x509v3.h>
67
68/* BEGIN ERROR CODES */
69#ifndef OPENSSL_NO_ERR
70
71#define ERR_FUNC(func) ERR_PACK(ERR_LIB_X509V3,func,0)
72#define ERR_REASON(reason) ERR_PACK(ERR_LIB_X509V3,0,reason)
73
74static ERR_STRING_DATA X509V3_str_functs[] = {
75 {ERR_FUNC(X509V3_F_A2I_GENERAL_NAME), "A2I_GENERAL_NAME"},
76 {ERR_FUNC(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE), "ASIDENTIFIERCHOICE_CANONIZE"},
77 {ERR_FUNC(X509V3_F_ASIDENTIFIERCHOICE_IS_CANONICAL), "ASIDENTIFIERCHOICE_IS_CANONICAL"},
78 {ERR_FUNC(X509V3_F_COPY_EMAIL), "COPY_EMAIL"},
79 {ERR_FUNC(X509V3_F_COPY_ISSUER), "COPY_ISSUER"},
80 {ERR_FUNC(X509V3_F_DO_DIRNAME), "DO_DIRNAME"},
81 {ERR_FUNC(X509V3_F_DO_EXT_CONF), "DO_EXT_CONF"},
82 {ERR_FUNC(X509V3_F_DO_EXT_I2D), "DO_EXT_I2D"},
83 {ERR_FUNC(X509V3_F_DO_EXT_NCONF), "DO_EXT_NCONF"},
84 {ERR_FUNC(X509V3_F_DO_I2V_NAME_CONSTRAINTS), "DO_I2V_NAME_CONSTRAINTS"},
85 {ERR_FUNC(X509V3_F_GNAMES_FROM_SECTNAME), "GNAMES_FROM_SECTNAME"},
86 {ERR_FUNC(X509V3_F_HEX_TO_STRING), "hex_to_string"},
87 {ERR_FUNC(X509V3_F_I2S_ASN1_ENUMERATED), "i2s_ASN1_ENUMERATED"},
88 {ERR_FUNC(X509V3_F_I2S_ASN1_IA5STRING), "I2S_ASN1_IA5STRING"},
89 {ERR_FUNC(X509V3_F_I2S_ASN1_INTEGER), "i2s_ASN1_INTEGER"},
90 {ERR_FUNC(X509V3_F_I2V_AUTHORITY_INFO_ACCESS), "I2V_AUTHORITY_INFO_ACCESS"},
91 {ERR_FUNC(X509V3_F_NOTICE_SECTION), "NOTICE_SECTION"},
92 {ERR_FUNC(X509V3_F_NREF_NOS), "NREF_NOS"},
93 {ERR_FUNC(X509V3_F_POLICY_SECTION), "POLICY_SECTION"},
94 {ERR_FUNC(X509V3_F_PROCESS_PCI_VALUE), "PROCESS_PCI_VALUE"},
95 {ERR_FUNC(X509V3_F_R2I_CERTPOL), "R2I_CERTPOL"},
96 {ERR_FUNC(X509V3_F_R2I_PCI), "R2I_PCI"},
97 {ERR_FUNC(X509V3_F_S2I_ASN1_IA5STRING), "S2I_ASN1_IA5STRING"},
98 {ERR_FUNC(X509V3_F_S2I_ASN1_INTEGER), "s2i_ASN1_INTEGER"},
99 {ERR_FUNC(X509V3_F_S2I_ASN1_OCTET_STRING), "s2i_ASN1_OCTET_STRING"},
100 {ERR_FUNC(X509V3_F_S2I_ASN1_SKEY_ID), "S2I_ASN1_SKEY_ID"},
101 {ERR_FUNC(X509V3_F_S2I_SKEY_ID), "S2I_SKEY_ID"},
102 {ERR_FUNC(X509V3_F_SET_DIST_POINT_NAME), "SET_DIST_POINT_NAME"},
103 {ERR_FUNC(X509V3_F_STRING_TO_HEX), "string_to_hex"},
104 {ERR_FUNC(X509V3_F_SXNET_ADD_ID_ASC), "SXNET_add_id_asc"},
105 {ERR_FUNC(X509V3_F_SXNET_ADD_ID_INTEGER), "SXNET_add_id_INTEGER"},
106 {ERR_FUNC(X509V3_F_SXNET_ADD_ID_ULONG), "SXNET_add_id_ulong"},
107 {ERR_FUNC(X509V3_F_SXNET_GET_ID_ASC), "SXNET_get_id_asc"},
108 {ERR_FUNC(X509V3_F_SXNET_GET_ID_ULONG), "SXNET_get_id_ulong"},
109 {ERR_FUNC(X509V3_F_V2I_ASIDENTIFIERS), "V2I_ASIDENTIFIERS"},
110 {ERR_FUNC(X509V3_F_V2I_ASN1_BIT_STRING), "v2i_ASN1_BIT_STRING"},
111 {ERR_FUNC(X509V3_F_V2I_AUTHORITY_INFO_ACCESS), "V2I_AUTHORITY_INFO_ACCESS"},
112 {ERR_FUNC(X509V3_F_V2I_AUTHORITY_KEYID), "V2I_AUTHORITY_KEYID"},
113 {ERR_FUNC(X509V3_F_V2I_BASIC_CONSTRAINTS), "V2I_BASIC_CONSTRAINTS"},
114 {ERR_FUNC(X509V3_F_V2I_CRLD), "V2I_CRLD"},
115 {ERR_FUNC(X509V3_F_V2I_EXTENDED_KEY_USAGE), "V2I_EXTENDED_KEY_USAGE"},
116 {ERR_FUNC(X509V3_F_V2I_GENERAL_NAMES), "v2i_GENERAL_NAMES"},
117 {ERR_FUNC(X509V3_F_V2I_GENERAL_NAME_EX), "v2i_GENERAL_NAME_ex"},
118 {ERR_FUNC(X509V3_F_V2I_IDP), "V2I_IDP"},
119 {ERR_FUNC(X509V3_F_V2I_IPADDRBLOCKS), "V2I_IPADDRBLOCKS"},
120 {ERR_FUNC(X509V3_F_V2I_ISSUER_ALT), "V2I_ISSUER_ALT"},
121 {ERR_FUNC(X509V3_F_V2I_NAME_CONSTRAINTS), "V2I_NAME_CONSTRAINTS"},
122 {ERR_FUNC(X509V3_F_V2I_POLICY_CONSTRAINTS), "V2I_POLICY_CONSTRAINTS"},
123 {ERR_FUNC(X509V3_F_V2I_POLICY_MAPPINGS), "V2I_POLICY_MAPPINGS"},
124 {ERR_FUNC(X509V3_F_V2I_SUBJECT_ALT), "V2I_SUBJECT_ALT"},
125 {ERR_FUNC(X509V3_F_V3_ADDR_VALIDATE_PATH_INTERNAL), "V3_ADDR_VALIDATE_PATH_INTERNAL"},
126 {ERR_FUNC(X509V3_F_V3_GENERIC_EXTENSION), "V3_GENERIC_EXTENSION"},
127 {ERR_FUNC(X509V3_F_X509V3_ADD1_I2D), "X509V3_add1_i2d"},
128 {ERR_FUNC(X509V3_F_X509V3_ADD_VALUE), "X509V3_add_value"},
129 {ERR_FUNC(X509V3_F_X509V3_EXT_ADD), "X509V3_EXT_add"},
130 {ERR_FUNC(X509V3_F_X509V3_EXT_ADD_ALIAS), "X509V3_EXT_add_alias"},
131 {ERR_FUNC(X509V3_F_X509V3_EXT_CONF), "X509V3_EXT_conf"},
132 {ERR_FUNC(X509V3_F_X509V3_EXT_I2D), "X509V3_EXT_i2d"},
133 {ERR_FUNC(X509V3_F_X509V3_EXT_NCONF), "X509V3_EXT_nconf"},
134 {ERR_FUNC(X509V3_F_X509V3_GET_SECTION), "X509V3_get_section"},
135 {ERR_FUNC(X509V3_F_X509V3_GET_STRING), "X509V3_get_string"},
136 {ERR_FUNC(X509V3_F_X509V3_GET_VALUE_BOOL), "X509V3_get_value_bool"},
137 {ERR_FUNC(X509V3_F_X509V3_PARSE_LIST), "X509V3_parse_list"},
138 {ERR_FUNC(X509V3_F_X509_PURPOSE_ADD), "X509_PURPOSE_add"},
139 {ERR_FUNC(X509V3_F_X509_PURPOSE_SET), "X509_PURPOSE_set"},
140 {0, NULL}
141};
142
143static ERR_STRING_DATA X509V3_str_reasons[] = {
144 {ERR_REASON(X509V3_R_BAD_IP_ADDRESS) , "bad ip address"},
145 {ERR_REASON(X509V3_R_BAD_OBJECT) , "bad object"},
146 {ERR_REASON(X509V3_R_BN_DEC2BN_ERROR) , "bn dec2bn error"},
147 {ERR_REASON(X509V3_R_BN_TO_ASN1_INTEGER_ERROR), "bn to asn1 integer error"},
148 {ERR_REASON(X509V3_R_DIRNAME_ERROR) , "dirname error"},
149 {ERR_REASON(X509V3_R_DISTPOINT_ALREADY_SET), "distpoint already set"},
150 {ERR_REASON(X509V3_R_DUPLICATE_ZONE_ID) , "duplicate zone id"},
151 {ERR_REASON(X509V3_R_ERROR_CONVERTING_ZONE), "error converting zone"},
152 {ERR_REASON(X509V3_R_ERROR_CREATING_EXTENSION), "error creating extension"},
153 {ERR_REASON(X509V3_R_ERROR_IN_EXTENSION) , "error in extension"},
154 {ERR_REASON(X509V3_R_EXPECTED_A_SECTION_NAME), "expected a section name"},
155 {ERR_REASON(X509V3_R_EXTENSION_EXISTS) , "extension exists"},
156 {ERR_REASON(X509V3_R_EXTENSION_NAME_ERROR), "extension name error"},
157 {ERR_REASON(X509V3_R_EXTENSION_NOT_FOUND), "extension not found"},
158 {ERR_REASON(X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED), "extension setting not supported"},
159 {ERR_REASON(X509V3_R_EXTENSION_VALUE_ERROR), "extension value error"},
160 {ERR_REASON(X509V3_R_ILLEGAL_EMPTY_EXTENSION), "illegal empty extension"},
161 {ERR_REASON(X509V3_R_ILLEGAL_HEX_DIGIT) , "illegal hex digit"},
162 {ERR_REASON(X509V3_R_INCORRECT_POLICY_SYNTAX_TAG), "incorrect policy syntax tag"},
163 {ERR_REASON(X509V3_R_INVALID_MULTIPLE_RDNS), "invalid multiple rdns"},
164 {ERR_REASON(X509V3_R_INVALID_ASNUMBER) , "invalid asnumber"},
165 {ERR_REASON(X509V3_R_INVALID_ASRANGE) , "invalid asrange"},
166 {ERR_REASON(X509V3_R_INVALID_BOOLEAN_STRING), "invalid boolean string"},
167 {ERR_REASON(X509V3_R_INVALID_EXTENSION_STRING), "invalid extension string"},
168 {ERR_REASON(X509V3_R_INVALID_INHERITANCE), "invalid inheritance"},
169 {ERR_REASON(X509V3_R_INVALID_IPADDRESS) , "invalid ipaddress"},
170 {ERR_REASON(X509V3_R_INVALID_NAME) , "invalid name"},
171 {ERR_REASON(X509V3_R_INVALID_NULL_ARGUMENT), "invalid null argument"},
172 {ERR_REASON(X509V3_R_INVALID_NULL_NAME) , "invalid null name"},
173 {ERR_REASON(X509V3_R_INVALID_NULL_VALUE) , "invalid null value"},
174 {ERR_REASON(X509V3_R_INVALID_NUMBER) , "invalid number"},
175 {ERR_REASON(X509V3_R_INVALID_NUMBERS) , "invalid numbers"},
176 {ERR_REASON(X509V3_R_INVALID_OBJECT_IDENTIFIER), "invalid object identifier"},
177 {ERR_REASON(X509V3_R_INVALID_OPTION) , "invalid option"},
178 {ERR_REASON(X509V3_R_INVALID_POLICY_IDENTIFIER), "invalid policy identifier"},
179 {ERR_REASON(X509V3_R_INVALID_PROXY_POLICY_SETTING), "invalid proxy policy setting"},
180 {ERR_REASON(X509V3_R_INVALID_PURPOSE) , "invalid purpose"},
181 {ERR_REASON(X509V3_R_INVALID_SAFI) , "invalid safi"},
182 {ERR_REASON(X509V3_R_INVALID_SECTION) , "invalid section"},
183 {ERR_REASON(X509V3_R_INVALID_SYNTAX) , "invalid syntax"},
184 {ERR_REASON(X509V3_R_ISSUER_DECODE_ERROR), "issuer decode error"},
185 {ERR_REASON(X509V3_R_MISSING_VALUE) , "missing value"},
186 {ERR_REASON(X509V3_R_NEED_ORGANIZATION_AND_NUMBERS), "need organization and numbers"},
187 {ERR_REASON(X509V3_R_NO_CONFIG_DATABASE) , "no config database"},
188 {ERR_REASON(X509V3_R_NO_ISSUER_CERTIFICATE), "no issuer certificate"},
189 {ERR_REASON(X509V3_R_NO_ISSUER_DETAILS) , "no issuer details"},
190 {ERR_REASON(X509V3_R_NO_POLICY_IDENTIFIER), "no policy identifier"},
191 {ERR_REASON(X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED), "no proxy cert policy language defined"},
192 {ERR_REASON(X509V3_R_NO_PUBLIC_KEY) , "no public key"},
193 {ERR_REASON(X509V3_R_NO_SUBJECT_DETAILS) , "no subject details"},
194 {ERR_REASON(X509V3_R_ODD_NUMBER_OF_DIGITS), "odd number of digits"},
195 {ERR_REASON(X509V3_R_OPERATION_NOT_DEFINED), "operation not defined"},
196 {ERR_REASON(X509V3_R_OTHERNAME_ERROR) , "othername error"},
197 {ERR_REASON(X509V3_R_POLICY_LANGUAGE_ALREADY_DEFINED), "policy language already defined"},
198 {ERR_REASON(X509V3_R_POLICY_PATH_LENGTH) , "policy path length"},
199 {ERR_REASON(X509V3_R_POLICY_PATH_LENGTH_ALREADY_DEFINED), "policy path length already defined"},
200 {ERR_REASON(X509V3_R_POLICY_SYNTAX_NOT_CURRENTLY_SUPPORTED), "policy syntax not currently supported"},
201 {ERR_REASON(X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY), "policy when proxy language requires no policy"},
202 {ERR_REASON(X509V3_R_SECTION_NOT_FOUND) , "section not found"},
203 {ERR_REASON(X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS), "unable to get issuer details"},
204 {ERR_REASON(X509V3_R_UNABLE_TO_GET_ISSUER_KEYID), "unable to get issuer keyid"},
205 {ERR_REASON(X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT), "unknown bit string argument"},
206 {ERR_REASON(X509V3_R_UNKNOWN_EXTENSION) , "unknown extension"},
207 {ERR_REASON(X509V3_R_UNKNOWN_EXTENSION_NAME), "unknown extension name"},
208 {ERR_REASON(X509V3_R_UNKNOWN_OPTION) , "unknown option"},
209 {ERR_REASON(X509V3_R_UNSUPPORTED_OPTION) , "unsupported option"},
210 {ERR_REASON(X509V3_R_UNSUPPORTED_TYPE) , "unsupported type"},
211 {ERR_REASON(X509V3_R_USER_TOO_LONG) , "user too long"},
212 {0, NULL}
213};
214
215#endif
216
217void
218ERR_load_X509V3_strings(void)
219{
220#ifndef OPENSSL_NO_ERR
221 if (ERR_func_error_string(X509V3_str_functs[0].error) == NULL) {
222 ERR_load_strings(0, X509V3_str_functs);
223 ERR_load_strings(0, X509V3_str_reasons);
224 }
225#endif
226}
diff --git a/src/lib/libcrypto/x509v3/x509v3.h b/src/lib/libcrypto/x509v3/x509v3.h
deleted file mode 100644
index b45626a885..0000000000
--- a/src/lib/libcrypto/x509v3/x509v3.h
+++ /dev/null
@@ -1,862 +0,0 @@
1/* $OpenBSD: x509v3.h,v 1.16 2015/02/10 13:28:17 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58#ifndef HEADER_X509V3_H
59#define HEADER_X509V3_H
60
61#include <openssl/opensslconf.h>
62
63#include <openssl/bio.h>
64#include <openssl/x509.h>
65#include <openssl/conf.h>
66
67#ifdef __cplusplus
68extern "C" {
69#endif
70
71/* Forward reference */
72struct v3_ext_method;
73struct v3_ext_ctx;
74
75/* Useful typedefs */
76
77typedef void * (*X509V3_EXT_NEW)(void);
78typedef void (*X509V3_EXT_FREE)(void *);
79typedef void * (*X509V3_EXT_D2I)(void *, const unsigned char ** , long);
80typedef int (*X509V3_EXT_I2D)(void *, unsigned char **);
81typedef STACK_OF(CONF_VALUE) *
82 (*X509V3_EXT_I2V)(const struct v3_ext_method *method, void *ext,
83 STACK_OF(CONF_VALUE) *extlist);
84typedef void * (*X509V3_EXT_V2I)(const struct v3_ext_method *method,
85 struct v3_ext_ctx *ctx,
86 STACK_OF(CONF_VALUE) *values);
87typedef char * (*X509V3_EXT_I2S)(const struct v3_ext_method *method, void *ext);
88typedef void * (*X509V3_EXT_S2I)(const struct v3_ext_method *method,
89 struct v3_ext_ctx *ctx, const char *str);
90typedef int (*X509V3_EXT_I2R)(const struct v3_ext_method *method, void *ext,
91 BIO *out, int indent);
92typedef void * (*X509V3_EXT_R2I)(const struct v3_ext_method *method,
93 struct v3_ext_ctx *ctx, const char *str);
94
95/* V3 extension structure */
96
97struct v3_ext_method {
98int ext_nid;
99int ext_flags;
100/* If this is set the following four fields are ignored */
101ASN1_ITEM_EXP *it;
102/* Old style ASN1 calls */
103X509V3_EXT_NEW ext_new;
104X509V3_EXT_FREE ext_free;
105X509V3_EXT_D2I d2i;
106X509V3_EXT_I2D i2d;
107
108/* The following pair is used for string extensions */
109X509V3_EXT_I2S i2s;
110X509V3_EXT_S2I s2i;
111
112/* The following pair is used for multi-valued extensions */
113X509V3_EXT_I2V i2v;
114X509V3_EXT_V2I v2i;
115
116/* The following are used for raw extensions */
117X509V3_EXT_I2R i2r;
118X509V3_EXT_R2I r2i;
119
120void *usr_data; /* Any extension specific data */
121};
122
123typedef struct X509V3_CONF_METHOD_st {
124char * (*get_string)(void *db, char *section, char *value);
125STACK_OF(CONF_VALUE) * (*get_section)(void *db, char *section);
126void (*free_string)(void *db, char * string);
127void (*free_section)(void *db, STACK_OF(CONF_VALUE) *section);
128} X509V3_CONF_METHOD;
129
130/* Context specific info */
131struct v3_ext_ctx {
132#define CTX_TEST 0x1
133int flags;
134X509 *issuer_cert;
135X509 *subject_cert;
136X509_REQ *subject_req;
137X509_CRL *crl;
138X509V3_CONF_METHOD *db_meth;
139void *db;
140/* Maybe more here */
141};
142
143typedef struct v3_ext_method X509V3_EXT_METHOD;
144
145DECLARE_STACK_OF(X509V3_EXT_METHOD)
146
147/* ext_flags values */
148#define X509V3_EXT_DYNAMIC 0x1
149#define X509V3_EXT_CTX_DEP 0x2
150#define X509V3_EXT_MULTILINE 0x4
151
152typedef BIT_STRING_BITNAME ENUMERATED_NAMES;
153
154typedef struct BASIC_CONSTRAINTS_st {
155int ca;
156ASN1_INTEGER *pathlen;
157} BASIC_CONSTRAINTS;
158
159
160typedef struct PKEY_USAGE_PERIOD_st {
161ASN1_GENERALIZEDTIME *notBefore;
162ASN1_GENERALIZEDTIME *notAfter;
163} PKEY_USAGE_PERIOD;
164
165typedef struct otherName_st {
166ASN1_OBJECT *type_id;
167ASN1_TYPE *value;
168} OTHERNAME;
169
170typedef struct EDIPartyName_st {
171 ASN1_STRING *nameAssigner;
172 ASN1_STRING *partyName;
173} EDIPARTYNAME;
174
175typedef struct GENERAL_NAME_st {
176
177#define GEN_OTHERNAME 0
178#define GEN_EMAIL 1
179#define GEN_DNS 2
180#define GEN_X400 3
181#define GEN_DIRNAME 4
182#define GEN_EDIPARTY 5
183#define GEN_URI 6
184#define GEN_IPADD 7
185#define GEN_RID 8
186
187int type;
188union {
189 char *ptr;
190 OTHERNAME *otherName; /* otherName */
191 ASN1_IA5STRING *rfc822Name;
192 ASN1_IA5STRING *dNSName;
193 ASN1_TYPE *x400Address;
194 X509_NAME *directoryName;
195 EDIPARTYNAME *ediPartyName;
196 ASN1_IA5STRING *uniformResourceIdentifier;
197 ASN1_OCTET_STRING *iPAddress;
198 ASN1_OBJECT *registeredID;
199
200 /* Old names */
201 ASN1_OCTET_STRING *ip; /* iPAddress */
202 X509_NAME *dirn; /* dirn */
203 ASN1_IA5STRING *ia5;/* rfc822Name, dNSName, uniformResourceIdentifier */
204 ASN1_OBJECT *rid; /* registeredID */
205 ASN1_TYPE *other; /* x400Address */
206} d;
207} GENERAL_NAME;
208
209typedef STACK_OF(GENERAL_NAME) GENERAL_NAMES;
210
211typedef struct ACCESS_DESCRIPTION_st {
212 ASN1_OBJECT *method;
213 GENERAL_NAME *location;
214} ACCESS_DESCRIPTION;
215
216typedef STACK_OF(ACCESS_DESCRIPTION) AUTHORITY_INFO_ACCESS;
217
218typedef STACK_OF(ASN1_OBJECT) EXTENDED_KEY_USAGE;
219
220DECLARE_STACK_OF(GENERAL_NAME)
221DECLARE_ASN1_SET_OF(GENERAL_NAME)
222
223DECLARE_STACK_OF(ACCESS_DESCRIPTION)
224DECLARE_ASN1_SET_OF(ACCESS_DESCRIPTION)
225
226typedef struct DIST_POINT_NAME_st {
227int type;
228union {
229 GENERAL_NAMES *fullname;
230 STACK_OF(X509_NAME_ENTRY) *relativename;
231} name;
232/* If relativename then this contains the full distribution point name */
233X509_NAME *dpname;
234} DIST_POINT_NAME;
235/* All existing reasons */
236#define CRLDP_ALL_REASONS 0x807f
237
238#define CRL_REASON_NONE -1
239#define CRL_REASON_UNSPECIFIED 0
240#define CRL_REASON_KEY_COMPROMISE 1
241#define CRL_REASON_CA_COMPROMISE 2
242#define CRL_REASON_AFFILIATION_CHANGED 3
243#define CRL_REASON_SUPERSEDED 4
244#define CRL_REASON_CESSATION_OF_OPERATION 5
245#define CRL_REASON_CERTIFICATE_HOLD 6
246#define CRL_REASON_REMOVE_FROM_CRL 8
247#define CRL_REASON_PRIVILEGE_WITHDRAWN 9
248#define CRL_REASON_AA_COMPROMISE 10
249
250struct DIST_POINT_st {
251DIST_POINT_NAME *distpoint;
252ASN1_BIT_STRING *reasons;
253GENERAL_NAMES *CRLissuer;
254int dp_reasons;
255};
256
257typedef STACK_OF(DIST_POINT) CRL_DIST_POINTS;
258
259DECLARE_STACK_OF(DIST_POINT)
260DECLARE_ASN1_SET_OF(DIST_POINT)
261
262struct AUTHORITY_KEYID_st {
263ASN1_OCTET_STRING *keyid;
264GENERAL_NAMES *issuer;
265ASN1_INTEGER *serial;
266};
267
268/* Strong extranet structures */
269
270typedef struct SXNET_ID_st {
271 ASN1_INTEGER *zone;
272 ASN1_OCTET_STRING *user;
273} SXNETID;
274
275DECLARE_STACK_OF(SXNETID)
276DECLARE_ASN1_SET_OF(SXNETID)
277
278typedef struct SXNET_st {
279 ASN1_INTEGER *version;
280 STACK_OF(SXNETID) *ids;
281} SXNET;
282
283typedef struct NOTICEREF_st {
284 ASN1_STRING *organization;
285 STACK_OF(ASN1_INTEGER) *noticenos;
286} NOTICEREF;
287
288typedef struct USERNOTICE_st {
289 NOTICEREF *noticeref;
290 ASN1_STRING *exptext;
291} USERNOTICE;
292
293typedef struct POLICYQUALINFO_st {
294 ASN1_OBJECT *pqualid;
295 union {
296 ASN1_IA5STRING *cpsuri;
297 USERNOTICE *usernotice;
298 ASN1_TYPE *other;
299 } d;
300} POLICYQUALINFO;
301
302DECLARE_STACK_OF(POLICYQUALINFO)
303DECLARE_ASN1_SET_OF(POLICYQUALINFO)
304
305typedef struct POLICYINFO_st {
306 ASN1_OBJECT *policyid;
307 STACK_OF(POLICYQUALINFO) *qualifiers;
308} POLICYINFO;
309
310typedef STACK_OF(POLICYINFO) CERTIFICATEPOLICIES;
311
312DECLARE_STACK_OF(POLICYINFO)
313DECLARE_ASN1_SET_OF(POLICYINFO)
314
315typedef struct POLICY_MAPPING_st {
316 ASN1_OBJECT *issuerDomainPolicy;
317 ASN1_OBJECT *subjectDomainPolicy;
318} POLICY_MAPPING;
319
320DECLARE_STACK_OF(POLICY_MAPPING)
321
322typedef STACK_OF(POLICY_MAPPING) POLICY_MAPPINGS;
323
324typedef struct GENERAL_SUBTREE_st {
325 GENERAL_NAME *base;
326 ASN1_INTEGER *minimum;
327 ASN1_INTEGER *maximum;
328} GENERAL_SUBTREE;
329
330DECLARE_STACK_OF(GENERAL_SUBTREE)
331
332struct NAME_CONSTRAINTS_st {
333 STACK_OF(GENERAL_SUBTREE) *permittedSubtrees;
334 STACK_OF(GENERAL_SUBTREE) *excludedSubtrees;
335};
336
337typedef struct POLICY_CONSTRAINTS_st {
338 ASN1_INTEGER *requireExplicitPolicy;
339 ASN1_INTEGER *inhibitPolicyMapping;
340} POLICY_CONSTRAINTS;
341
342/* Proxy certificate structures, see RFC 3820 */
343typedef struct PROXY_POLICY_st
344 {
345 ASN1_OBJECT *policyLanguage;
346 ASN1_OCTET_STRING *policy;
347 } PROXY_POLICY;
348
349typedef struct PROXY_CERT_INFO_EXTENSION_st
350 {
351 ASN1_INTEGER *pcPathLengthConstraint;
352 PROXY_POLICY *proxyPolicy;
353 } PROXY_CERT_INFO_EXTENSION;
354
355DECLARE_ASN1_FUNCTIONS(PROXY_POLICY)
356DECLARE_ASN1_FUNCTIONS(PROXY_CERT_INFO_EXTENSION)
357
358struct ISSUING_DIST_POINT_st
359 {
360 DIST_POINT_NAME *distpoint;
361 int onlyuser;
362 int onlyCA;
363 ASN1_BIT_STRING *onlysomereasons;
364 int indirectCRL;
365 int onlyattr;
366 };
367
368/* Values in idp_flags field */
369/* IDP present */
370#define IDP_PRESENT 0x1
371/* IDP values inconsistent */
372#define IDP_INVALID 0x2
373/* onlyuser true */
374#define IDP_ONLYUSER 0x4
375/* onlyCA true */
376#define IDP_ONLYCA 0x8
377/* onlyattr true */
378#define IDP_ONLYATTR 0x10
379/* indirectCRL true */
380#define IDP_INDIRECT 0x20
381/* onlysomereasons present */
382#define IDP_REASONS 0x40
383
384#define X509V3_conf_err(val) ERR_asprintf_error_data( \
385 "section:%s,name:%s,value:%s", val->section, \
386 val->name, val->value);
387
388#define X509V3_set_ctx_test(ctx) \
389 X509V3_set_ctx(ctx, NULL, NULL, NULL, NULL, CTX_TEST)
390#define X509V3_set_ctx_nodb(ctx) (ctx)->db = NULL;
391
392#define EXT_BITSTRING(nid, table) { nid, 0, ASN1_ITEM_ref(ASN1_BIT_STRING), \
393 0,0,0,0, \
394 0,0, \
395 (X509V3_EXT_I2V)i2v_ASN1_BIT_STRING, \
396 (X509V3_EXT_V2I)v2i_ASN1_BIT_STRING, \
397 NULL, NULL, \
398 table}
399
400#define EXT_IA5STRING(nid) { nid, 0, ASN1_ITEM_ref(ASN1_IA5STRING), \
401 0,0,0,0, \
402 (X509V3_EXT_I2S)i2s_ASN1_IA5STRING, \
403 (X509V3_EXT_S2I)s2i_ASN1_IA5STRING, \
404 0,0,0,0, \
405 NULL}
406
407#define EXT_END { -1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}
408
409
410/* X509_PURPOSE stuff */
411
412#define EXFLAG_BCONS 0x1
413#define EXFLAG_KUSAGE 0x2
414#define EXFLAG_XKUSAGE 0x4
415#define EXFLAG_NSCERT 0x8
416
417#define EXFLAG_CA 0x10
418/* Really self issued not necessarily self signed */
419#define EXFLAG_SI 0x20
420#define EXFLAG_SS 0x20
421#define EXFLAG_V1 0x40
422#define EXFLAG_INVALID 0x80
423#define EXFLAG_SET 0x100
424#define EXFLAG_CRITICAL 0x200
425#define EXFLAG_PROXY 0x400
426
427#define EXFLAG_INVALID_POLICY 0x800
428#define EXFLAG_FRESHEST 0x1000
429
430#define KU_DIGITAL_SIGNATURE 0x0080
431#define KU_NON_REPUDIATION 0x0040
432#define KU_KEY_ENCIPHERMENT 0x0020
433#define KU_DATA_ENCIPHERMENT 0x0010
434#define KU_KEY_AGREEMENT 0x0008
435#define KU_KEY_CERT_SIGN 0x0004
436#define KU_CRL_SIGN 0x0002
437#define KU_ENCIPHER_ONLY 0x0001
438#define KU_DECIPHER_ONLY 0x8000
439
440#define NS_SSL_CLIENT 0x80
441#define NS_SSL_SERVER 0x40
442#define NS_SMIME 0x20
443#define NS_OBJSIGN 0x10
444#define NS_SSL_CA 0x04
445#define NS_SMIME_CA 0x02
446#define NS_OBJSIGN_CA 0x01
447#define NS_ANY_CA (NS_SSL_CA|NS_SMIME_CA|NS_OBJSIGN_CA)
448
449#define XKU_SSL_SERVER 0x1
450#define XKU_SSL_CLIENT 0x2
451#define XKU_SMIME 0x4
452#define XKU_CODE_SIGN 0x8
453#define XKU_SGC 0x10
454#define XKU_OCSP_SIGN 0x20
455#define XKU_TIMESTAMP 0x40
456#define XKU_DVCS 0x80
457
458#define X509_PURPOSE_DYNAMIC 0x1
459#define X509_PURPOSE_DYNAMIC_NAME 0x2
460
461typedef struct x509_purpose_st {
462 int purpose;
463 int trust; /* Default trust ID */
464 int flags;
465 int (*check_purpose)(const struct x509_purpose_st *,
466 const X509 *, int);
467 char *name;
468 char *sname;
469 void *usr_data;
470} X509_PURPOSE;
471
472#define X509_PURPOSE_SSL_CLIENT 1
473#define X509_PURPOSE_SSL_SERVER 2
474#define X509_PURPOSE_NS_SSL_SERVER 3
475#define X509_PURPOSE_SMIME_SIGN 4
476#define X509_PURPOSE_SMIME_ENCRYPT 5
477#define X509_PURPOSE_CRL_SIGN 6
478#define X509_PURPOSE_ANY 7
479#define X509_PURPOSE_OCSP_HELPER 8
480#define X509_PURPOSE_TIMESTAMP_SIGN 9
481
482#define X509_PURPOSE_MIN 1
483#define X509_PURPOSE_MAX 9
484
485/* Flags for X509V3_EXT_print() */
486
487#define X509V3_EXT_UNKNOWN_MASK (0xfL << 16)
488/* Return error for unknown extensions */
489#define X509V3_EXT_DEFAULT 0
490/* Print error for unknown extensions */
491#define X509V3_EXT_ERROR_UNKNOWN (1L << 16)
492/* ASN1 parse unknown extensions */
493#define X509V3_EXT_PARSE_UNKNOWN (2L << 16)
494/* BIO_dump unknown extensions */
495#define X509V3_EXT_DUMP_UNKNOWN (3L << 16)
496
497/* Flags for X509V3_add1_i2d */
498
499#define X509V3_ADD_OP_MASK 0xfL
500#define X509V3_ADD_DEFAULT 0L
501#define X509V3_ADD_APPEND 1L
502#define X509V3_ADD_REPLACE 2L
503#define X509V3_ADD_REPLACE_EXISTING 3L
504#define X509V3_ADD_KEEP_EXISTING 4L
505#define X509V3_ADD_DELETE 5L
506#define X509V3_ADD_SILENT 0x10
507
508DECLARE_STACK_OF(X509_PURPOSE)
509
510DECLARE_ASN1_FUNCTIONS(BASIC_CONSTRAINTS)
511
512DECLARE_ASN1_FUNCTIONS(SXNET)
513DECLARE_ASN1_FUNCTIONS(SXNETID)
514
515int SXNET_add_id_asc(SXNET **psx, char *zone, char *user, int userlen);
516int SXNET_add_id_ulong(SXNET **psx, unsigned long lzone, char *user, int userlen);
517int SXNET_add_id_INTEGER(SXNET **psx, ASN1_INTEGER *izone, char *user, int userlen);
518
519ASN1_OCTET_STRING *SXNET_get_id_asc(SXNET *sx, char *zone);
520ASN1_OCTET_STRING *SXNET_get_id_ulong(SXNET *sx, unsigned long lzone);
521ASN1_OCTET_STRING *SXNET_get_id_INTEGER(SXNET *sx, ASN1_INTEGER *zone);
522
523DECLARE_ASN1_FUNCTIONS(AUTHORITY_KEYID)
524
525DECLARE_ASN1_FUNCTIONS(PKEY_USAGE_PERIOD)
526
527DECLARE_ASN1_FUNCTIONS(GENERAL_NAME)
528GENERAL_NAME *GENERAL_NAME_dup(GENERAL_NAME *a);
529int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b);
530
531
532
533ASN1_BIT_STRING *v2i_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
534 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
535STACK_OF(CONF_VALUE) *i2v_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
536 ASN1_BIT_STRING *bits,
537 STACK_OF(CONF_VALUE) *extlist);
538
539STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(X509V3_EXT_METHOD *method, GENERAL_NAME *gen, STACK_OF(CONF_VALUE) *ret);
540int GENERAL_NAME_print(BIO *out, GENERAL_NAME *gen);
541
542DECLARE_ASN1_FUNCTIONS(GENERAL_NAMES)
543
544STACK_OF(CONF_VALUE) *i2v_GENERAL_NAMES(X509V3_EXT_METHOD *method,
545 GENERAL_NAMES *gen, STACK_OF(CONF_VALUE) *extlist);
546GENERAL_NAMES *v2i_GENERAL_NAMES(const X509V3_EXT_METHOD *method,
547 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
548
549DECLARE_ASN1_FUNCTIONS(OTHERNAME)
550DECLARE_ASN1_FUNCTIONS(EDIPARTYNAME)
551int OTHERNAME_cmp(OTHERNAME *a, OTHERNAME *b);
552void GENERAL_NAME_set0_value(GENERAL_NAME *a, int type, void *value);
553void *GENERAL_NAME_get0_value(GENERAL_NAME *a, int *ptype);
554int GENERAL_NAME_set0_othername(GENERAL_NAME *gen,
555 ASN1_OBJECT *oid, ASN1_TYPE *value);
556int GENERAL_NAME_get0_otherName(GENERAL_NAME *gen,
557 ASN1_OBJECT **poid, ASN1_TYPE **pvalue);
558
559char *i2s_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method, ASN1_OCTET_STRING *ia5);
560ASN1_OCTET_STRING *s2i_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *str);
561
562DECLARE_ASN1_FUNCTIONS(EXTENDED_KEY_USAGE)
563int i2a_ACCESS_DESCRIPTION(BIO *bp, ACCESS_DESCRIPTION* a);
564
565DECLARE_ASN1_FUNCTIONS(CERTIFICATEPOLICIES)
566DECLARE_ASN1_FUNCTIONS(POLICYINFO)
567DECLARE_ASN1_FUNCTIONS(POLICYQUALINFO)
568DECLARE_ASN1_FUNCTIONS(USERNOTICE)
569DECLARE_ASN1_FUNCTIONS(NOTICEREF)
570
571DECLARE_ASN1_FUNCTIONS(CRL_DIST_POINTS)
572DECLARE_ASN1_FUNCTIONS(DIST_POINT)
573DECLARE_ASN1_FUNCTIONS(DIST_POINT_NAME)
574DECLARE_ASN1_FUNCTIONS(ISSUING_DIST_POINT)
575
576int DIST_POINT_set_dpname(DIST_POINT_NAME *dpn, X509_NAME *iname);
577
578int NAME_CONSTRAINTS_check(X509 *x, NAME_CONSTRAINTS *nc);
579
580DECLARE_ASN1_FUNCTIONS(ACCESS_DESCRIPTION)
581DECLARE_ASN1_FUNCTIONS(AUTHORITY_INFO_ACCESS)
582
583DECLARE_ASN1_ITEM(POLICY_MAPPING)
584DECLARE_ASN1_ALLOC_FUNCTIONS(POLICY_MAPPING)
585DECLARE_ASN1_ITEM(POLICY_MAPPINGS)
586
587DECLARE_ASN1_ITEM(GENERAL_SUBTREE)
588DECLARE_ASN1_ALLOC_FUNCTIONS(GENERAL_SUBTREE)
589
590DECLARE_ASN1_ITEM(NAME_CONSTRAINTS)
591DECLARE_ASN1_ALLOC_FUNCTIONS(NAME_CONSTRAINTS)
592
593DECLARE_ASN1_ALLOC_FUNCTIONS(POLICY_CONSTRAINTS)
594DECLARE_ASN1_ITEM(POLICY_CONSTRAINTS)
595
596GENERAL_NAME *a2i_GENERAL_NAME(GENERAL_NAME *out,
597 const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
598 int gen_type, char *value, int is_nc);
599
600#ifdef HEADER_CONF_H
601GENERAL_NAME *v2i_GENERAL_NAME(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
602 CONF_VALUE *cnf);
603GENERAL_NAME *v2i_GENERAL_NAME_ex(GENERAL_NAME *out,
604 const X509V3_EXT_METHOD *method,
605 X509V3_CTX *ctx, CONF_VALUE *cnf, int is_nc);
606void X509V3_conf_free(CONF_VALUE *val);
607
608X509_EXTENSION *X509V3_EXT_nconf_nid(CONF *conf, X509V3_CTX *ctx, int ext_nid, char *value);
609X509_EXTENSION *X509V3_EXT_nconf(CONF *conf, X509V3_CTX *ctx, char *name, char *value);
610int X509V3_EXT_add_nconf_sk(CONF *conf, X509V3_CTX *ctx, char *section, STACK_OF(X509_EXTENSION) **sk);
611int X509V3_EXT_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section, X509 *cert);
612int X509V3_EXT_REQ_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section, X509_REQ *req);
613int X509V3_EXT_CRL_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section, X509_CRL *crl);
614
615X509_EXTENSION *X509V3_EXT_conf_nid(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
616 int ext_nid, char *value);
617X509_EXTENSION *X509V3_EXT_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
618 char *name, char *value);
619int X509V3_EXT_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
620 char *section, X509 *cert);
621int X509V3_EXT_REQ_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
622 char *section, X509_REQ *req);
623int X509V3_EXT_CRL_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
624 char *section, X509_CRL *crl);
625
626int X509V3_add_value_bool_nf(char *name, int asn1_bool,
627 STACK_OF(CONF_VALUE) **extlist);
628int X509V3_get_value_bool(CONF_VALUE *value, int *asn1_bool);
629int X509V3_get_value_int(CONF_VALUE *value, ASN1_INTEGER **aint);
630void X509V3_set_nconf(X509V3_CTX *ctx, CONF *conf);
631void X509V3_set_conf_lhash(X509V3_CTX *ctx, LHASH_OF(CONF_VALUE) *lhash);
632#endif
633
634char * X509V3_get_string(X509V3_CTX *ctx, char *name, char *section);
635STACK_OF(CONF_VALUE) * X509V3_get_section(X509V3_CTX *ctx, char *section);
636void X509V3_string_free(X509V3_CTX *ctx, char *str);
637void X509V3_section_free( X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *section);
638void X509V3_set_ctx(X509V3_CTX *ctx, X509 *issuer, X509 *subject,
639 X509_REQ *req, X509_CRL *crl, int flags);
640
641int X509V3_add_value(const char *name, const char *value,
642 STACK_OF(CONF_VALUE) **extlist);
643int X509V3_add_value_uchar(const char *name, const unsigned char *value,
644 STACK_OF(CONF_VALUE) **extlist);
645int X509V3_add_value_bool(const char *name, int asn1_bool,
646 STACK_OF(CONF_VALUE) **extlist);
647int X509V3_add_value_int(const char *name, ASN1_INTEGER *aint,
648 STACK_OF(CONF_VALUE) **extlist);
649char * i2s_ASN1_INTEGER(X509V3_EXT_METHOD *meth, ASN1_INTEGER *aint);
650ASN1_INTEGER * s2i_ASN1_INTEGER(X509V3_EXT_METHOD *meth, char *value);
651char * i2s_ASN1_ENUMERATED(X509V3_EXT_METHOD *meth, ASN1_ENUMERATED *aint);
652char * i2s_ASN1_ENUMERATED_TABLE(X509V3_EXT_METHOD *meth, ASN1_ENUMERATED *aint);
653int X509V3_EXT_add(X509V3_EXT_METHOD *ext);
654int X509V3_EXT_add_list(X509V3_EXT_METHOD *extlist);
655int X509V3_EXT_add_alias(int nid_to, int nid_from);
656void X509V3_EXT_cleanup(void);
657
658const X509V3_EXT_METHOD *X509V3_EXT_get(X509_EXTENSION *ext);
659const X509V3_EXT_METHOD *X509V3_EXT_get_nid(int nid);
660int X509V3_add_standard_extensions(void);
661STACK_OF(CONF_VALUE) *X509V3_parse_list(const char *line);
662void *X509V3_EXT_d2i(X509_EXTENSION *ext);
663void *X509V3_get_d2i(STACK_OF(X509_EXTENSION) *x, int nid, int *crit, int *idx);
664
665
666X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, void *ext_struc);
667int X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value, int crit, unsigned long flags);
668
669char *hex_to_string(const unsigned char *buffer, long len);
670unsigned char *string_to_hex(const char *str, long *len);
671int name_cmp(const char *name, const char *cmp);
672
673void X509V3_EXT_val_prn(BIO *out, STACK_OF(CONF_VALUE) *val, int indent,
674 int ml);
675int X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, unsigned long flag, int indent);
676int X509V3_EXT_print_fp(FILE *out, X509_EXTENSION *ext, int flag, int indent);
677
678int X509V3_extensions_print(BIO *out, char *title, STACK_OF(X509_EXTENSION) *exts, unsigned long flag, int indent);
679
680int X509_check_ca(X509 *x);
681int X509_check_purpose(X509 *x, int id, int ca);
682int X509_supported_extension(X509_EXTENSION *ex);
683int X509_PURPOSE_set(int *p, int purpose);
684int X509_check_issued(X509 *issuer, X509 *subject);
685int X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid);
686int X509_PURPOSE_get_count(void);
687X509_PURPOSE * X509_PURPOSE_get0(int idx);
688int X509_PURPOSE_get_by_sname(char *sname);
689int X509_PURPOSE_get_by_id(int id);
690int X509_PURPOSE_add(int id, int trust, int flags,
691 int (*ck)(const X509_PURPOSE *, const X509 *, int),
692 char *name, char *sname, void *arg);
693char *X509_PURPOSE_get0_name(X509_PURPOSE *xp);
694char *X509_PURPOSE_get0_sname(X509_PURPOSE *xp);
695int X509_PURPOSE_get_trust(X509_PURPOSE *xp);
696void X509_PURPOSE_cleanup(void);
697int X509_PURPOSE_get_id(X509_PURPOSE *);
698
699STACK_OF(OPENSSL_STRING) *X509_get1_email(X509 *x);
700STACK_OF(OPENSSL_STRING) *X509_REQ_get1_email(X509_REQ *x);
701void X509_email_free(STACK_OF(OPENSSL_STRING) *sk);
702STACK_OF(OPENSSL_STRING) *X509_get1_ocsp(X509 *x);
703
704ASN1_OCTET_STRING *a2i_IPADDRESS(const char *ipasc);
705ASN1_OCTET_STRING *a2i_IPADDRESS_NC(const char *ipasc);
706int a2i_ipadd(unsigned char *ipout, const char *ipasc);
707int X509V3_NAME_from_section(X509_NAME *nm, STACK_OF(CONF_VALUE)*dn_sk,
708 unsigned long chtype);
709
710void X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent);
711DECLARE_STACK_OF(X509_POLICY_NODE)
712
713
714/* BEGIN ERROR CODES */
715/* The following lines are auto generated by the script mkerr.pl. Any changes
716 * made after this point may be overwritten when the script is next run.
717 */
718void ERR_load_X509V3_strings(void);
719
720/* Error codes for the X509V3 functions. */
721
722/* Function codes. */
723#define X509V3_F_A2I_GENERAL_NAME 164
724#define X509V3_F_ASIDENTIFIERCHOICE_CANONIZE 161
725#define X509V3_F_ASIDENTIFIERCHOICE_IS_CANONICAL 162
726#define X509V3_F_COPY_EMAIL 122
727#define X509V3_F_COPY_ISSUER 123
728#define X509V3_F_DO_DIRNAME 144
729#define X509V3_F_DO_EXT_CONF 124
730#define X509V3_F_DO_EXT_I2D 135
731#define X509V3_F_DO_EXT_NCONF 151
732#define X509V3_F_DO_I2V_NAME_CONSTRAINTS 148
733#define X509V3_F_GNAMES_FROM_SECTNAME 156
734#define X509V3_F_HEX_TO_STRING 111
735#define X509V3_F_I2S_ASN1_ENUMERATED 121
736#define X509V3_F_I2S_ASN1_IA5STRING 149
737#define X509V3_F_I2S_ASN1_INTEGER 120
738#define X509V3_F_I2V_AUTHORITY_INFO_ACCESS 138
739#define X509V3_F_NOTICE_SECTION 132
740#define X509V3_F_NREF_NOS 133
741#define X509V3_F_POLICY_SECTION 131
742#define X509V3_F_PROCESS_PCI_VALUE 150
743#define X509V3_F_R2I_CERTPOL 130
744#define X509V3_F_R2I_PCI 155
745#define X509V3_F_S2I_ASN1_IA5STRING 100
746#define X509V3_F_S2I_ASN1_INTEGER 108
747#define X509V3_F_S2I_ASN1_OCTET_STRING 112
748#define X509V3_F_S2I_ASN1_SKEY_ID 114
749#define X509V3_F_S2I_SKEY_ID 115
750#define X509V3_F_SET_DIST_POINT_NAME 158
751#define X509V3_F_STRING_TO_HEX 113
752#define X509V3_F_SXNET_ADD_ID_ASC 125
753#define X509V3_F_SXNET_ADD_ID_INTEGER 126
754#define X509V3_F_SXNET_ADD_ID_ULONG 127
755#define X509V3_F_SXNET_GET_ID_ASC 128
756#define X509V3_F_SXNET_GET_ID_ULONG 129
757#define X509V3_F_V2I_ASIDENTIFIERS 163
758#define X509V3_F_V2I_ASN1_BIT_STRING 101
759#define X509V3_F_V2I_AUTHORITY_INFO_ACCESS 139
760#define X509V3_F_V2I_AUTHORITY_KEYID 119
761#define X509V3_F_V2I_BASIC_CONSTRAINTS 102
762#define X509V3_F_V2I_CRLD 134
763#define X509V3_F_V2I_EXTENDED_KEY_USAGE 103
764#define X509V3_F_V2I_GENERAL_NAMES 118
765#define X509V3_F_V2I_GENERAL_NAME_EX 117
766#define X509V3_F_V2I_IDP 157
767#define X509V3_F_V2I_IPADDRBLOCKS 159
768#define X509V3_F_V2I_ISSUER_ALT 153
769#define X509V3_F_V2I_NAME_CONSTRAINTS 147
770#define X509V3_F_V2I_POLICY_CONSTRAINTS 146
771#define X509V3_F_V2I_POLICY_MAPPINGS 145
772#define X509V3_F_V2I_SUBJECT_ALT 154
773#define X509V3_F_V3_ADDR_VALIDATE_PATH_INTERNAL 160
774#define X509V3_F_V3_GENERIC_EXTENSION 116
775#define X509V3_F_X509V3_ADD1_I2D 140
776#define X509V3_F_X509V3_ADD_VALUE 105
777#define X509V3_F_X509V3_EXT_ADD 104
778#define X509V3_F_X509V3_EXT_ADD_ALIAS 106
779#define X509V3_F_X509V3_EXT_CONF 107
780#define X509V3_F_X509V3_EXT_I2D 136
781#define X509V3_F_X509V3_EXT_NCONF 152
782#define X509V3_F_X509V3_GET_SECTION 142
783#define X509V3_F_X509V3_GET_STRING 143
784#define X509V3_F_X509V3_GET_VALUE_BOOL 110
785#define X509V3_F_X509V3_PARSE_LIST 109
786#define X509V3_F_X509_PURPOSE_ADD 137
787#define X509V3_F_X509_PURPOSE_SET 141
788
789/* Reason codes. */
790#define X509V3_R_BAD_IP_ADDRESS 118
791#define X509V3_R_BAD_OBJECT 119
792#define X509V3_R_BN_DEC2BN_ERROR 100
793#define X509V3_R_BN_TO_ASN1_INTEGER_ERROR 101
794#define X509V3_R_DIRNAME_ERROR 149
795#define X509V3_R_DISTPOINT_ALREADY_SET 160
796#define X509V3_R_DUPLICATE_ZONE_ID 133
797#define X509V3_R_ERROR_CONVERTING_ZONE 131
798#define X509V3_R_ERROR_CREATING_EXTENSION 144
799#define X509V3_R_ERROR_IN_EXTENSION 128
800#define X509V3_R_EXPECTED_A_SECTION_NAME 137
801#define X509V3_R_EXTENSION_EXISTS 145
802#define X509V3_R_EXTENSION_NAME_ERROR 115
803#define X509V3_R_EXTENSION_NOT_FOUND 102
804#define X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED 103
805#define X509V3_R_EXTENSION_VALUE_ERROR 116
806#define X509V3_R_ILLEGAL_EMPTY_EXTENSION 151
807#define X509V3_R_ILLEGAL_HEX_DIGIT 113
808#define X509V3_R_INCORRECT_POLICY_SYNTAX_TAG 152
809#define X509V3_R_INVALID_MULTIPLE_RDNS 161
810#define X509V3_R_INVALID_ASNUMBER 162
811#define X509V3_R_INVALID_ASRANGE 163
812#define X509V3_R_INVALID_BOOLEAN_STRING 104
813#define X509V3_R_INVALID_EXTENSION_STRING 105
814#define X509V3_R_INVALID_INHERITANCE 165
815#define X509V3_R_INVALID_IPADDRESS 166
816#define X509V3_R_INVALID_NAME 106
817#define X509V3_R_INVALID_NULL_ARGUMENT 107
818#define X509V3_R_INVALID_NULL_NAME 108
819#define X509V3_R_INVALID_NULL_VALUE 109
820#define X509V3_R_INVALID_NUMBER 140
821#define X509V3_R_INVALID_NUMBERS 141
822#define X509V3_R_INVALID_OBJECT_IDENTIFIER 110
823#define X509V3_R_INVALID_OPTION 138
824#define X509V3_R_INVALID_POLICY_IDENTIFIER 134
825#define X509V3_R_INVALID_PROXY_POLICY_SETTING 153
826#define X509V3_R_INVALID_PURPOSE 146
827#define X509V3_R_INVALID_SAFI 164
828#define X509V3_R_INVALID_SECTION 135
829#define X509V3_R_INVALID_SYNTAX 143
830#define X509V3_R_ISSUER_DECODE_ERROR 126
831#define X509V3_R_MISSING_VALUE 124
832#define X509V3_R_NEED_ORGANIZATION_AND_NUMBERS 142
833#define X509V3_R_NO_CONFIG_DATABASE 136
834#define X509V3_R_NO_ISSUER_CERTIFICATE 121
835#define X509V3_R_NO_ISSUER_DETAILS 127
836#define X509V3_R_NO_POLICY_IDENTIFIER 139
837#define X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED 154
838#define X509V3_R_NO_PUBLIC_KEY 114
839#define X509V3_R_NO_SUBJECT_DETAILS 125
840#define X509V3_R_ODD_NUMBER_OF_DIGITS 112
841#define X509V3_R_OPERATION_NOT_DEFINED 148
842#define X509V3_R_OTHERNAME_ERROR 147
843#define X509V3_R_POLICY_LANGUAGE_ALREADY_DEFINED 155
844#define X509V3_R_POLICY_PATH_LENGTH 156
845#define X509V3_R_POLICY_PATH_LENGTH_ALREADY_DEFINED 157
846#define X509V3_R_POLICY_SYNTAX_NOT_CURRENTLY_SUPPORTED 158
847#define X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY 159
848#define X509V3_R_SECTION_NOT_FOUND 150
849#define X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS 122
850#define X509V3_R_UNABLE_TO_GET_ISSUER_KEYID 123
851#define X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT 111
852#define X509V3_R_UNKNOWN_EXTENSION 129
853#define X509V3_R_UNKNOWN_EXTENSION_NAME 130
854#define X509V3_R_UNKNOWN_OPTION 120
855#define X509V3_R_UNSUPPORTED_OPTION 117
856#define X509V3_R_UNSUPPORTED_TYPE 167
857#define X509V3_R_USER_TOO_LONG 132
858
859#ifdef __cplusplus
860}
861#endif
862#endif
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-05-09 13:08:58 +0000