update to openssl-0.9.8i; tested by several, especially krw@

author: djm <> 2009-01-05 21:36:39 +0000
committer: djm <> 2009-01-05 21:36:39 +0000
commit: 3be551b5922b665fd4e18cd65b857b9f92a0b6c8 (patch)
tree: e0d2d687fbd4e4e9eb6bc4b178ea069817f0aba4 /src/lib/libcrypto/x509v3
parent: 822633f8798a6b4646a8b092e7c67f511cdbdba2 (diff)
download: openbsd-3be551b5922b665fd4e18cd65b857b9f92a0b6c8.tar.gz
openbsd-3be551b5922b665fd4e18cd65b857b9f92a0b6c8.tar.bz2
openbsd-3be551b5922b665fd4e18cd65b857b9f92a0b6c8.zip
6 files changed, 32 insertions, 18 deletions
diff --git a/src/lib/libcrypto/x509v3/pcy_data.c b/src/lib/libcrypto/x509v3/pcy_data.c
index 614d2b4935..4711b1ee92 100644
--- a/src/lib/libcrypto/x509v3/pcy_data.c
+++ b/src/lib/libcrypto/x509v3/pcy_data.c
@@ -87,6 +87,12 @@ X509_POLICY_DATA *policy_data_new(POLICYINFO *policy, ASN1_OBJECT *id, int crit)
        X509_POLICY_DATA *ret;
        if (!policy && !id)
                return NULL;
+        if (id)
+                {
+                id = OBJ_dup(id);
+                if (!id)
+                        return NULL;
+                }
        ret = OPENSSL_malloc(sizeof(X509_POLICY_DATA));
        if (!ret)
                return NULL;
@@ -94,6 +100,8 @@ X509_POLICY_DATA *policy_data_new(POLICYINFO *policy, ASN1_OBJECT *id, int crit)
        if (!ret->expected_policy_set)
                {
                OPENSSL_free(ret);
+                if (id)
+                        ASN1_OBJECT_free(id);
                return NULL;
                }
diff --git a/src/lib/libcrypto/x509v3/pcy_tree.c b/src/lib/libcrypto/x509v3/pcy_tree.c
index 4fda1d419a..b1ce77b9af 100644
--- a/src/lib/libcrypto/x509v3/pcy_tree.c
+++ b/src/lib/libcrypto/x509v3/pcy_tree.c
@@ -130,9 +130,9 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
                        ret = 2;
                if (explicit_policy > 0)
                        {
-                        explicit_policy--;
+                        if (!(x->ex_flags & EXFLAG_SI))
-                        if (!(x->ex_flags & EXFLAG_SS)
+                                explicit_policy--;
-                                && (cache->explicit_skip != -1)
+                        if ((cache->explicit_skip != -1)
                                && (cache->explicit_skip < explicit_policy))
                                explicit_policy = cache->explicit_skip;
                        }
@@ -197,13 +197,14 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
                        /* Any matching allowed if certificate is self
                         * issued and not the last in the chain.
                         */
-                        if (!(x->ex_flags & EXFLAG_SS) || (i == 0))
+                        if (!(x->ex_flags & EXFLAG_SI) || (i == 0))
                                level->flags |= X509_V_FLAG_INHIBIT_ANY;
                        }
                else
                        {
-                        any_skip--;
+                        if (!(x->ex_flags & EXFLAG_SI))
-                        if ((cache->any_skip > 0)
+                                any_skip--;
+                        if ((cache->any_skip >= 0)
                                && (cache->any_skip < any_skip))
                                any_skip = cache->any_skip;
                        }
@@ -213,7 +214,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
                else
                        {
                        map_skip--;
-                        if ((cache->map_skip > 0)
+                        if ((cache->map_skip >= 0)
                                && (cache->map_skip < map_skip))
                                map_skip = cache->map_skip;
                        }
@@ -310,7 +311,8 @@ static int tree_link_any(X509_POLICY_LEVEL *curr,
                if (data == NULL)
                        return 0;
-                data->qualifier_set = curr->anyPolicy->data->qualifier_set;
+                /* Curr may not have anyPolicy */
+                data->qualifier_set = cache->anyPolicy->qualifier_set;
                data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
                if (!level_add_node(curr, data, node, tree))
                        {
diff --git a/src/lib/libcrypto/x509v3/v3_addr.c b/src/lib/libcrypto/x509v3/v3_addr.c
index ed9847b307..c6730ab3fd 100644
--- a/src/lib/libcrypto/x509v3/v3_addr.c
+++ b/src/lib/libcrypto/x509v3/v3_addr.c
@@ -594,10 +594,10 @@ static IPAddressOrRanges *make_prefix_or_range(IPAddrBlocks *addr,
    return NULL;
  switch (afi) {
  case IANA_AFI_IPV4:
-    sk_IPAddressOrRange_set_cmp_func(aors, v4IPAddressOrRange_cmp);
+    (void)sk_IPAddressOrRange_set_cmp_func(aors, v4IPAddressOrRange_cmp);
    break;
  case IANA_AFI_IPV6:
-    sk_IPAddressOrRange_set_cmp_func(aors, v6IPAddressOrRange_cmp);
+    (void)sk_IPAddressOrRange_set_cmp_func(aors, v6IPAddressOrRange_cmp);
    break;
  }
  f->ipAddressChoice->type = IPAddressChoice_addressesOrRanges;
@@ -854,7 +854,7 @@ static int IPAddressOrRanges_canonize(IPAddressOrRanges *aors,
      if (!make_addressRange(&merged, a_min, b_max, length))
        return 0;
      sk_IPAddressOrRange_set(aors, i, merged);
-      sk_IPAddressOrRange_delete(aors, i + 1);
+      (void)sk_IPAddressOrRange_delete(aors, i + 1);
      IPAddressOrRange_free(a);
      IPAddressOrRange_free(b);
      --i;
@@ -1122,7 +1122,7 @@ int v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b)
    return 1;
  if (b == NULL || v3_addr_inherits(a) || v3_addr_inherits(b))
    return 0;
-  sk_IPAddressFamily_set_cmp_func(b, IPAddressFamily_cmp);
+  (void)sk_IPAddressFamily_set_cmp_func(b, IPAddressFamily_cmp);
  for (i = 0; i < sk_IPAddressFamily_num(a); i++) {
    IPAddressFamily *fa = sk_IPAddressFamily_value(a, i);
    int j = sk_IPAddressFamily_find(b, fa);
@@ -1183,7 +1183,7 @@ static int v3_addr_validate_path_internal(X509_STORE_CTX *ctx,
  }
  if (!v3_addr_is_canonical(ext))
    validation_err(X509_V_ERR_INVALID_EXTENSION);
-  sk_IPAddressFamily_set_cmp_func(ext, IPAddressFamily_cmp);
+  (void)sk_IPAddressFamily_set_cmp_func(ext, IPAddressFamily_cmp);
  if ((child = sk_IPAddressFamily_dup(ext)) == NULL) {
    X509V3err(X509V3_F_V3_ADDR_VALIDATE_PATH_INTERNAL, ERR_R_MALLOC_FAILURE);
    ret = 0;
@@ -1209,7 +1209,7 @@ static int v3_addr_validate_path_internal(X509_STORE_CTX *ctx,
      }
      continue;
    }
-    sk_IPAddressFamily_set_cmp_func(x->rfc3779_addr, IPAddressFamily_cmp);
+    (void)sk_IPAddressFamily_set_cmp_func(x->rfc3779_addr, IPAddressFamily_cmp);
    for (j = 0; j < sk_IPAddressFamily_num(child); j++) {
      IPAddressFamily *fc = sk_IPAddressFamily_value(child, j);
      int k = sk_IPAddressFamily_find(x->rfc3779_addr, fc);
diff --git a/src/lib/libcrypto/x509v3/v3_asid.c b/src/lib/libcrypto/x509v3/v3_asid.c
index 271930f967..abd497ed1f 100644
--- a/src/lib/libcrypto/x509v3/v3_asid.c
+++ b/src/lib/libcrypto/x509v3/v3_asid.c
@@ -466,7 +466,7 @@ static int ASIdentifierChoice_canonize(ASIdentifierChoice *choice)
        break;
      }
      ASIdOrRange_free(b);
-      sk_ASIdOrRange_delete(choice->u.asIdsOrRanges, i + 1);
+      (void)sk_ASIdOrRange_delete(choice->u.asIdsOrRanges, i + 1);
      i--;
      continue;
    }
diff --git a/src/lib/libcrypto/x509v3/v3_purp.c b/src/lib/libcrypto/x509v3/v3_purp.c
index b2f5cdfa05..c54e7887c7 100644
--- a/src/lib/libcrypto/x509v3/v3_purp.c
+++ b/src/lib/libcrypto/x509v3/v3_purp.c
@@ -291,7 +291,9 @@ int X509_supported_extension(X509_EXTENSION *ex)
                NID_sbgp_ipAddrBlock,   /* 290 */
                NID_sbgp_autonomousSysNum, /* 291 */
 #endif
-                NID_proxyCertInfo       /* 661 */
+                NID_policy_constraints, /* 401 */
+                NID_proxyCertInfo,      /* 661 */
+                NID_inhibit_any_policy  /* 748 */
        };
        int ex_nid;
@@ -325,7 +327,7 @@ static void x509v3_cache_extensions(X509 *x)
 #endif
        /* Does subject name match issuer ? */
        if(!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x)))
-                         x->ex_flags |= EXFLAG_SS;
+                         x->ex_flags |= EXFLAG_SI;
        /* V1 should mean no extensions ... */
        if(!X509_get_version(x)) x->ex_flags |= EXFLAG_V1;
        /* Handle basic constraints */
diff --git a/src/lib/libcrypto/x509v3/x509v3.h b/src/lib/libcrypto/x509v3/x509v3.h
index db2b0482c1..5ba59f71c9 100644
--- a/src/lib/libcrypto/x509v3/x509v3.h
+++ b/src/lib/libcrypto/x509v3/x509v3.h
@@ -363,6 +363,8 @@ DECLARE_ASN1_FUNCTIONS(PROXY_CERT_INFO_EXTENSION)
 #define EXFLAG_NSCERT           0x8
 #define EXFLAG_CA               0x10
+/* Really self issued not necessarily self signed */
+#define EXFLAG_SI               0x20
 #define EXFLAG_SS               0x20
 #define EXFLAG_V1               0x40
 #define EXFLAG_INVALID          0x80
@@ -370,7 +372,7 @@ DECLARE_ASN1_FUNCTIONS(PROXY_CERT_INFO_EXTENSION)
 #define EXFLAG_CRITICAL         0x200
 #define EXFLAG_PROXY            0x400
-#define EXFLAG_INVALID_POLICY   0x400
+#define EXFLAG_INVALID_POLICY   0x800
 #define KU_DIGITAL_SIGNATURE    0x0080
 #define KU_NON_REPUDIATION      0x0040
author	djm <>	2009-01-05 21:36:39 +0000
committer	djm <>	2009-01-05 21:36:39 +0000
commit	3be551b5922b665fd4e18cd65b857b9f92a0b6c8 (patch)
tree	e0d2d687fbd4e4e9eb6bc4b178ea069817f0aba4 /src/lib/libcrypto/x509v3
parent	822633f8798a6b4646a8b092e7c67f511cdbdba2 (diff)
download	openbsd-3be551b5922b665fd4e18cd65b857b9f92a0b6c8.tar.gz openbsd-3be551b5922b665fd4e18cd65b857b9f92a0b6c8.tar.bz2 openbsd-3be551b5922b665fd4e18cd65b857b9f92a0b6c8.zip