summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/x509v3
diff options
context:
space:
mode:
authordjm <>2010-10-01 22:54:21 +0000
committerdjm <>2010-10-01 22:54:21 +0000
commit829fd51d4f8dde4a7f3bf54754f3c1d1a502f5e2 (patch)
treee03b9f1bd051e844b971936729e9df549a209130 /src/lib/libcrypto/x509v3
parente6b755d2a53d3cac7a344dfdd6bf7c951cac754c (diff)
downloadopenbsd-829fd51d4f8dde4a7f3bf54754f3c1d1a502f5e2.tar.gz
openbsd-829fd51d4f8dde4a7f3bf54754f3c1d1a502f5e2.tar.bz2
openbsd-829fd51d4f8dde4a7f3bf54754f3c1d1a502f5e2.zip
import OpenSSL-1.0.0a
Diffstat (limited to 'src/lib/libcrypto/x509v3')
-rw-r--r--src/lib/libcrypto/x509v3/ext_dat.h13
-rw-r--r--src/lib/libcrypto/x509v3/pcy_cache.c1
-rw-r--r--src/lib/libcrypto/x509v3/pcy_data.c12
-rw-r--r--src/lib/libcrypto/x509v3/pcy_int.h25
-rw-r--r--src/lib/libcrypto/x509v3/pcy_map.c56
-rw-r--r--src/lib/libcrypto/x509v3/pcy_node.c43
-rw-r--r--src/lib/libcrypto/x509v3/pcy_tree.c235
-rw-r--r--src/lib/libcrypto/x509v3/v3_alt.c136
-rw-r--r--src/lib/libcrypto/x509v3/v3_conf.c51
-rw-r--r--src/lib/libcrypto/x509v3/v3_cpols.c5
-rw-r--r--src/lib/libcrypto/x509v3/v3_crld.c552
-rw-r--r--src/lib/libcrypto/x509v3/v3_enum.c19
-rw-r--r--src/lib/libcrypto/x509v3/v3_extku.c16
-rw-r--r--src/lib/libcrypto/x509v3/v3_genn.c153
-rw-r--r--src/lib/libcrypto/x509v3/v3_lib.c24
-rw-r--r--src/lib/libcrypto/x509v3/v3_ncons.c312
-rw-r--r--src/lib/libcrypto/x509v3/v3_ocsp.c62
-rw-r--r--src/lib/libcrypto/x509v3/v3_pci.c32
-rw-r--r--src/lib/libcrypto/x509v3/v3_pcons.c20
-rw-r--r--src/lib/libcrypto/x509v3/v3_pmaps.c18
-rw-r--r--src/lib/libcrypto/x509v3/v3_prn.c2
-rw-r--r--src/lib/libcrypto/x509v3/v3_purp.c194
-rw-r--r--src/lib/libcrypto/x509v3/v3_utl.c45
-rw-r--r--src/lib/libcrypto/x509v3/v3err.c13
-rw-r--r--src/lib/libcrypto/x509v3/x509v3.h173
25 files changed, 1776 insertions, 436 deletions
diff --git a/src/lib/libcrypto/x509v3/ext_dat.h b/src/lib/libcrypto/x509v3/ext_dat.h
index 3eaec46f8a..76daee6fcd 100644
--- a/src/lib/libcrypto/x509v3/ext_dat.h
+++ b/src/lib/libcrypto/x509v3/ext_dat.h
@@ -61,21 +61,19 @@ extern X509V3_EXT_METHOD v3_bcons, v3_nscert, v3_key_usage, v3_ext_ku;
61extern X509V3_EXT_METHOD v3_pkey_usage_period, v3_sxnet, v3_info, v3_sinfo; 61extern X509V3_EXT_METHOD v3_pkey_usage_period, v3_sxnet, v3_info, v3_sinfo;
62extern X509V3_EXT_METHOD v3_ns_ia5_list[], v3_alt[], v3_skey_id, v3_akey_id; 62extern X509V3_EXT_METHOD v3_ns_ia5_list[], v3_alt[], v3_skey_id, v3_akey_id;
63extern X509V3_EXT_METHOD v3_crl_num, v3_crl_reason, v3_crl_invdate; 63extern X509V3_EXT_METHOD v3_crl_num, v3_crl_reason, v3_crl_invdate;
64extern X509V3_EXT_METHOD v3_delta_crl, v3_cpols, v3_crld; 64extern X509V3_EXT_METHOD v3_delta_crl, v3_cpols, v3_crld, v3_freshest_crl;
65extern X509V3_EXT_METHOD v3_ocsp_nonce, v3_ocsp_accresp, v3_ocsp_acutoff; 65extern X509V3_EXT_METHOD v3_ocsp_nonce, v3_ocsp_accresp, v3_ocsp_acutoff;
66extern X509V3_EXT_METHOD v3_ocsp_crlid, v3_ocsp_nocheck, v3_ocsp_serviceloc; 66extern X509V3_EXT_METHOD v3_ocsp_crlid, v3_ocsp_nocheck, v3_ocsp_serviceloc;
67extern X509V3_EXT_METHOD v3_crl_hold, v3_pci; 67extern X509V3_EXT_METHOD v3_crl_hold, v3_pci;
68extern X509V3_EXT_METHOD v3_policy_mappings, v3_policy_constraints; 68extern X509V3_EXT_METHOD v3_policy_mappings, v3_policy_constraints;
69extern X509V3_EXT_METHOD v3_name_constraints, v3_inhibit_anyp; 69extern X509V3_EXT_METHOD v3_name_constraints, v3_inhibit_anyp, v3_idp;
70#ifndef OPENSSL_NO_RFC3779
71extern X509V3_EXT_METHOD v3_addr, v3_asid; 70extern X509V3_EXT_METHOD v3_addr, v3_asid;
72#endif
73 71
74/* This table will be searched using OBJ_bsearch so it *must* kept in 72/* This table will be searched using OBJ_bsearch so it *must* kept in
75 * order of the ext_nid values. 73 * order of the ext_nid values.
76 */ 74 */
77 75
78static X509V3_EXT_METHOD *standard_exts[] = { 76static const X509V3_EXT_METHOD *standard_exts[] = {
79&v3_nscert, 77&v3_nscert,
80&v3_ns_ia5_list[0], 78&v3_ns_ia5_list[0],
81&v3_ns_ia5_list[1], 79&v3_ns_ia5_list[1],
@@ -122,7 +120,10 @@ static X509V3_EXT_METHOD *standard_exts[] = {
122&v3_pci, 120&v3_pci,
123&v3_name_constraints, 121&v3_name_constraints,
124&v3_policy_mappings, 122&v3_policy_mappings,
125&v3_inhibit_anyp 123&v3_inhibit_anyp,
124&v3_idp,
125&v3_alt[2],
126&v3_freshest_crl,
126}; 127};
127 128
128/* Number of standard extensions */ 129/* Number of standard extensions */
diff --git a/src/lib/libcrypto/x509v3/pcy_cache.c b/src/lib/libcrypto/x509v3/pcy_cache.c
index 1030931b71..172b7e7ee4 100644
--- a/src/lib/libcrypto/x509v3/pcy_cache.c
+++ b/src/lib/libcrypto/x509v3/pcy_cache.c
@@ -139,7 +139,6 @@ static int policy_cache_new(X509 *x)
139 return 0; 139 return 0;
140 cache->anyPolicy = NULL; 140 cache->anyPolicy = NULL;
141 cache->data = NULL; 141 cache->data = NULL;
142 cache->maps = NULL;
143 cache->any_skip = -1; 142 cache->any_skip = -1;
144 cache->explicit_skip = -1; 143 cache->explicit_skip = -1;
145 cache->map_skip = -1; 144 cache->map_skip = -1;
diff --git a/src/lib/libcrypto/x509v3/pcy_data.c b/src/lib/libcrypto/x509v3/pcy_data.c
index fb392b901f..3444b03195 100644
--- a/src/lib/libcrypto/x509v3/pcy_data.c
+++ b/src/lib/libcrypto/x509v3/pcy_data.c
@@ -82,17 +82,21 @@ void policy_data_free(X509_POLICY_DATA *data)
82 * another source. 82 * another source.
83 */ 83 */
84 84
85X509_POLICY_DATA *policy_data_new(POLICYINFO *policy, ASN1_OBJECT *id, int crit) 85X509_POLICY_DATA *policy_data_new(POLICYINFO *policy,
86 const ASN1_OBJECT *cid, int crit)
86 { 87 {
87 X509_POLICY_DATA *ret; 88 X509_POLICY_DATA *ret;
88 if (!policy && !id) 89 ASN1_OBJECT *id;
90 if (!policy && !cid)
89 return NULL; 91 return NULL;
90 if (id) 92 if (cid)
91 { 93 {
92 id = OBJ_dup(id); 94 id = OBJ_dup(cid);
93 if (!id) 95 if (!id)
94 return NULL; 96 return NULL;
95 } 97 }
98 else
99 id = NULL;
96 ret = OPENSSL_malloc(sizeof(X509_POLICY_DATA)); 100 ret = OPENSSL_malloc(sizeof(X509_POLICY_DATA));
97 if (!ret) 101 if (!ret)
98 return NULL; 102 return NULL;
diff --git a/src/lib/libcrypto/x509v3/pcy_int.h b/src/lib/libcrypto/x509v3/pcy_int.h
index 3780de4fcd..ccff92846e 100644
--- a/src/lib/libcrypto/x509v3/pcy_int.h
+++ b/src/lib/libcrypto/x509v3/pcy_int.h
@@ -56,12 +56,10 @@
56 * 56 *
57 */ 57 */
58 58
59DECLARE_STACK_OF(X509_POLICY_DATA)
60DECLARE_STACK_OF(X509_POLICY_REF)
61DECLARE_STACK_OF(X509_POLICY_NODE)
62 59
63typedef struct X509_POLICY_DATA_st X509_POLICY_DATA; 60typedef struct X509_POLICY_DATA_st X509_POLICY_DATA;
64typedef struct X509_POLICY_REF_st X509_POLICY_REF; 61
62DECLARE_STACK_OF(X509_POLICY_DATA)
65 63
66/* Internal structures */ 64/* Internal structures */
67 65
@@ -110,16 +108,6 @@ struct X509_POLICY_DATA_st
110 108
111#define POLICY_DATA_FLAG_CRITICAL 0x10 109#define POLICY_DATA_FLAG_CRITICAL 0x10
112 110
113/* This structure is an entry from a table of mapped policies which
114 * cross reference the policy it refers to.
115 */
116
117struct X509_POLICY_REF_st
118 {
119 ASN1_OBJECT *subjectDomainPolicy;
120 const X509_POLICY_DATA *data;
121 };
122
123/* This structure is cached with a certificate */ 111/* This structure is cached with a certificate */
124 112
125struct X509_POLICY_CACHE_st { 113struct X509_POLICY_CACHE_st {
@@ -127,8 +115,6 @@ struct X509_POLICY_CACHE_st {
127 X509_POLICY_DATA *anyPolicy; 115 X509_POLICY_DATA *anyPolicy;
128 /* other policy data */ 116 /* other policy data */
129 STACK_OF(X509_POLICY_DATA) *data; 117 STACK_OF(X509_POLICY_DATA) *data;
130 /* If policyMappings extension present a table of mapped policies */
131 STACK_OF(X509_POLICY_REF) *maps;
132 /* If InhibitAnyPolicy present this is its value or -1 if absent. */ 118 /* If InhibitAnyPolicy present this is its value or -1 if absent. */
133 long any_skip; 119 long any_skip;
134 /* If policyConstraints and requireExplicitPolicy present this is its 120 /* If policyConstraints and requireExplicitPolicy present this is its
@@ -193,7 +179,7 @@ struct X509_POLICY_TREE_st
193 179
194/* Internal functions */ 180/* Internal functions */
195 181
196X509_POLICY_DATA *policy_data_new(POLICYINFO *policy, ASN1_OBJECT *id, 182X509_POLICY_DATA *policy_data_new(POLICYINFO *policy, const ASN1_OBJECT *id,
197 int crit); 183 int crit);
198void policy_data_free(X509_POLICY_DATA *data); 184void policy_data_free(X509_POLICY_DATA *data);
199 185
@@ -209,15 +195,18 @@ void policy_cache_init(void);
209void policy_cache_free(X509_POLICY_CACHE *cache); 195void policy_cache_free(X509_POLICY_CACHE *cache);
210 196
211X509_POLICY_NODE *level_find_node(const X509_POLICY_LEVEL *level, 197X509_POLICY_NODE *level_find_node(const X509_POLICY_LEVEL *level,
198 const X509_POLICY_NODE *parent,
212 const ASN1_OBJECT *id); 199 const ASN1_OBJECT *id);
213 200
214X509_POLICY_NODE *tree_find_sk(STACK_OF(X509_POLICY_NODE) *sk, 201X509_POLICY_NODE *tree_find_sk(STACK_OF(X509_POLICY_NODE) *sk,
215 const ASN1_OBJECT *id); 202 const ASN1_OBJECT *id);
216 203
217X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level, 204X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
218 X509_POLICY_DATA *data, 205 const X509_POLICY_DATA *data,
219 X509_POLICY_NODE *parent, 206 X509_POLICY_NODE *parent,
220 X509_POLICY_TREE *tree); 207 X509_POLICY_TREE *tree);
221void policy_node_free(X509_POLICY_NODE *node); 208void policy_node_free(X509_POLICY_NODE *node);
209int policy_node_match(const X509_POLICY_LEVEL *lvl,
210 const X509_POLICY_NODE *node, const ASN1_OBJECT *oid);
222 211
223const X509_POLICY_CACHE *policy_cache_set(X509 *x); 212const X509_POLICY_CACHE *policy_cache_set(X509 *x);
diff --git a/src/lib/libcrypto/x509v3/pcy_map.c b/src/lib/libcrypto/x509v3/pcy_map.c
index f28796e6d4..21163b529d 100644
--- a/src/lib/libcrypto/x509v3/pcy_map.c
+++ b/src/lib/libcrypto/x509v3/pcy_map.c
@@ -62,31 +62,6 @@
62 62
63#include "pcy_int.h" 63#include "pcy_int.h"
64 64
65static int ref_cmp(const X509_POLICY_REF * const *a,
66 const X509_POLICY_REF * const *b)
67 {
68 return OBJ_cmp((*a)->subjectDomainPolicy, (*b)->subjectDomainPolicy);
69 }
70
71static void policy_map_free(X509_POLICY_REF *map)
72 {
73 if (map->subjectDomainPolicy)
74 ASN1_OBJECT_free(map->subjectDomainPolicy);
75 OPENSSL_free(map);
76 }
77
78static X509_POLICY_REF *policy_map_find(X509_POLICY_CACHE *cache, ASN1_OBJECT *id)
79 {
80 X509_POLICY_REF tmp;
81 int idx;
82 tmp.subjectDomainPolicy = id;
83
84 idx = sk_X509_POLICY_REF_find(cache->maps, &tmp);
85 if (idx == -1)
86 return NULL;
87 return sk_X509_POLICY_REF_value(cache->maps, idx);
88 }
89
90/* Set policy mapping entries in cache. 65/* Set policy mapping entries in cache.
91 * Note: this modifies the passed POLICY_MAPPINGS structure 66 * Note: this modifies the passed POLICY_MAPPINGS structure
92 */ 67 */
@@ -94,7 +69,6 @@ static X509_POLICY_REF *policy_map_find(X509_POLICY_CACHE *cache, ASN1_OBJECT *i
94int policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps) 69int policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps)
95 { 70 {
96 POLICY_MAPPING *map; 71 POLICY_MAPPING *map;
97 X509_POLICY_REF *ref = NULL;
98 X509_POLICY_DATA *data; 72 X509_POLICY_DATA *data;
99 X509_POLICY_CACHE *cache = x->policy_cache; 73 X509_POLICY_CACHE *cache = x->policy_cache;
100 int i; 74 int i;
@@ -104,7 +78,6 @@ int policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps)
104 ret = -1; 78 ret = -1;
105 goto bad_mapping; 79 goto bad_mapping;
106 } 80 }
107 cache->maps = sk_X509_POLICY_REF_new(ref_cmp);
108 for (i = 0; i < sk_POLICY_MAPPING_num(maps); i++) 81 for (i = 0; i < sk_POLICY_MAPPING_num(maps); i++)
109 { 82 {
110 map = sk_POLICY_MAPPING_value(maps, i); 83 map = sk_POLICY_MAPPING_value(maps, i);
@@ -116,13 +89,6 @@ int policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps)
116 goto bad_mapping; 89 goto bad_mapping;
117 } 90 }
118 91
119 /* If we've already mapped from this OID bad mapping */
120 if (policy_map_find(cache, map->subjectDomainPolicy) != NULL)
121 {
122 ret = -1;
123 goto bad_mapping;
124 }
125
126 /* Attempt to find matching policy data */ 92 /* Attempt to find matching policy data */
127 data = policy_cache_find_data(cache, map->issuerDomainPolicy); 93 data = policy_cache_find_data(cache, map->issuerDomainPolicy);
128 /* If we don't have anyPolicy can't map */ 94 /* If we don't have anyPolicy can't map */
@@ -138,7 +104,7 @@ int policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps)
138 if (!data) 104 if (!data)
139 goto bad_mapping; 105 goto bad_mapping;
140 data->qualifier_set = cache->anyPolicy->qualifier_set; 106 data->qualifier_set = cache->anyPolicy->qualifier_set;
141 map->issuerDomainPolicy = NULL; 107 /*map->issuerDomainPolicy = NULL;*/
142 data->flags |= POLICY_DATA_FLAG_MAPPED_ANY; 108 data->flags |= POLICY_DATA_FLAG_MAPPED_ANY;
143 data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS; 109 data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
144 if (!sk_X509_POLICY_DATA_push(cache->data, data)) 110 if (!sk_X509_POLICY_DATA_push(cache->data, data))
@@ -149,23 +115,10 @@ int policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps)
149 } 115 }
150 else 116 else
151 data->flags |= POLICY_DATA_FLAG_MAPPED; 117 data->flags |= POLICY_DATA_FLAG_MAPPED;
152
153 if (!sk_ASN1_OBJECT_push(data->expected_policy_set, 118 if (!sk_ASN1_OBJECT_push(data->expected_policy_set,
154 map->subjectDomainPolicy)) 119 map->subjectDomainPolicy))
155 goto bad_mapping; 120 goto bad_mapping;
156
157 ref = OPENSSL_malloc(sizeof(X509_POLICY_REF));
158 if (!ref)
159 goto bad_mapping;
160
161 ref->subjectDomainPolicy = map->subjectDomainPolicy;
162 map->subjectDomainPolicy = NULL; 121 map->subjectDomainPolicy = NULL;
163 ref->data = data;
164
165 if (!sk_X509_POLICY_REF_push(cache->maps, ref))
166 goto bad_mapping;
167
168 ref = NULL;
169 122
170 } 123 }
171 124
@@ -173,13 +126,6 @@ int policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps)
173 bad_mapping: 126 bad_mapping:
174 if (ret == -1) 127 if (ret == -1)
175 x->ex_flags |= EXFLAG_INVALID_POLICY; 128 x->ex_flags |= EXFLAG_INVALID_POLICY;
176 if (ref)
177 policy_map_free(ref);
178 if (ret <= 0)
179 {
180 sk_X509_POLICY_REF_pop_free(cache->maps, policy_map_free);
181 cache->maps = NULL;
182 }
183 sk_POLICY_MAPPING_pop_free(maps, POLICY_MAPPING_free); 129 sk_POLICY_MAPPING_pop_free(maps, POLICY_MAPPING_free);
184 return ret; 130 return ret;
185 131
diff --git a/src/lib/libcrypto/x509v3/pcy_node.c b/src/lib/libcrypto/x509v3/pcy_node.c
index 6587cb05ab..bd1e7f1ae8 100644
--- a/src/lib/libcrypto/x509v3/pcy_node.c
+++ b/src/lib/libcrypto/x509v3/pcy_node.c
@@ -92,13 +92,25 @@ X509_POLICY_NODE *tree_find_sk(STACK_OF(X509_POLICY_NODE) *nodes,
92 } 92 }
93 93
94X509_POLICY_NODE *level_find_node(const X509_POLICY_LEVEL *level, 94X509_POLICY_NODE *level_find_node(const X509_POLICY_LEVEL *level,
95 const X509_POLICY_NODE *parent,
95 const ASN1_OBJECT *id) 96 const ASN1_OBJECT *id)
96 { 97 {
97 return tree_find_sk(level->nodes, id); 98 X509_POLICY_NODE *node;
99 int i;
100 for (i = 0; i < sk_X509_POLICY_NODE_num(level->nodes); i++)
101 {
102 node = sk_X509_POLICY_NODE_value(level->nodes, i);
103 if (node->parent == parent)
104 {
105 if (!OBJ_cmp(node->data->valid_policy, id))
106 return node;
107 }
108 }
109 return NULL;
98 } 110 }
99 111
100X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level, 112X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
101 X509_POLICY_DATA *data, 113 const X509_POLICY_DATA *data,
102 X509_POLICY_NODE *parent, 114 X509_POLICY_NODE *parent,
103 X509_POLICY_TREE *tree) 115 X509_POLICY_TREE *tree)
104 { 116 {
@@ -155,4 +167,31 @@ void policy_node_free(X509_POLICY_NODE *node)
155 OPENSSL_free(node); 167 OPENSSL_free(node);
156 } 168 }
157 169
170/* See if a policy node matches a policy OID. If mapping enabled look through
171 * expected policy set otherwise just valid policy.
172 */
173
174int policy_node_match(const X509_POLICY_LEVEL *lvl,
175 const X509_POLICY_NODE *node, const ASN1_OBJECT *oid)
176 {
177 int i;
178 ASN1_OBJECT *policy_oid;
179 const X509_POLICY_DATA *x = node->data;
180
181 if ( (lvl->flags & X509_V_FLAG_INHIBIT_MAP)
182 || !(x->flags & POLICY_DATA_FLAG_MAP_MASK))
183 {
184 if (!OBJ_cmp(x->valid_policy, oid))
185 return 1;
186 return 0;
187 }
188
189 for (i = 0; i < sk_ASN1_OBJECT_num(x->expected_policy_set); i++)
190 {
191 policy_oid = sk_ASN1_OBJECT_value(x->expected_policy_set, i);
192 if (!OBJ_cmp(policy_oid, oid))
193 return 1;
194 }
195 return 0;
158 196
197 }
diff --git a/src/lib/libcrypto/x509v3/pcy_tree.c b/src/lib/libcrypto/x509v3/pcy_tree.c
index 6c87a7f506..92f6b24556 100644
--- a/src/lib/libcrypto/x509v3/pcy_tree.c
+++ b/src/lib/libcrypto/x509v3/pcy_tree.c
@@ -62,6 +62,75 @@
62 62
63#include "pcy_int.h" 63#include "pcy_int.h"
64 64
65/* Enable this to print out the complete policy tree at various point during
66 * evaluation.
67 */
68
69/*#define OPENSSL_POLICY_DEBUG*/
70
71#ifdef OPENSSL_POLICY_DEBUG
72
73static void expected_print(BIO *err, X509_POLICY_LEVEL *lev,
74 X509_POLICY_NODE *node, int indent)
75 {
76 if ( (lev->flags & X509_V_FLAG_INHIBIT_MAP)
77 || !(node->data->flags & POLICY_DATA_FLAG_MAP_MASK))
78 BIO_puts(err, " Not Mapped\n");
79 else
80 {
81 int i;
82 STACK_OF(ASN1_OBJECT) *pset = node->data->expected_policy_set;
83 ASN1_OBJECT *oid;
84 BIO_puts(err, " Expected: ");
85 for (i = 0; i < sk_ASN1_OBJECT_num(pset); i++)
86 {
87 oid = sk_ASN1_OBJECT_value(pset, i);
88 if (i)
89 BIO_puts(err, ", ");
90 i2a_ASN1_OBJECT(err, oid);
91 }
92 BIO_puts(err, "\n");
93 }
94 }
95
96static void tree_print(char *str, X509_POLICY_TREE *tree,
97 X509_POLICY_LEVEL *curr)
98 {
99 X509_POLICY_LEVEL *plev;
100 X509_POLICY_NODE *node;
101 int i;
102 BIO *err;
103 err = BIO_new_fp(stderr, BIO_NOCLOSE);
104 if (!curr)
105 curr = tree->levels + tree->nlevel;
106 else
107 curr++;
108 BIO_printf(err, "Level print after %s\n", str);
109 BIO_printf(err, "Printing Up to Level %ld\n", curr - tree->levels);
110 for (plev = tree->levels; plev != curr; plev++)
111 {
112 BIO_printf(err, "Level %ld, flags = %x\n",
113 plev - tree->levels, plev->flags);
114 for (i = 0; i < sk_X509_POLICY_NODE_num(plev->nodes); i++)
115 {
116 node = sk_X509_POLICY_NODE_value(plev->nodes, i);
117 X509_POLICY_NODE_print(err, node, 2);
118 expected_print(err, plev, node, 2);
119 BIO_printf(err, " Flags: %x\n", node->data->flags);
120 }
121 if (plev->anyPolicy)
122 X509_POLICY_NODE_print(err, plev->anyPolicy, 2);
123 }
124
125 BIO_free(err);
126
127 }
128#else
129
130#define tree_print(a,b,c) /* */
131
132#endif
133
65/* Initialize policy tree. Return values: 134/* Initialize policy tree. Return values:
66 * 0 Some internal error occured. 135 * 0 Some internal error occured.
67 * -1 Inconsistent or invalid extensions in certificates. 136 * -1 Inconsistent or invalid extensions in certificates.
@@ -87,8 +156,10 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
87 *ptree = NULL; 156 *ptree = NULL;
88 n = sk_X509_num(certs); 157 n = sk_X509_num(certs);
89 158
159#if 0
90 /* Disable policy mapping for now... */ 160 /* Disable policy mapping for now... */
91 flags |= X509_V_FLAG_INHIBIT_MAP; 161 flags |= X509_V_FLAG_INHIBIT_MAP;
162#endif
92 163
93 if (flags & X509_V_FLAG_EXPLICIT_POLICY) 164 if (flags & X509_V_FLAG_EXPLICIT_POLICY)
94 explicit_policy = 0; 165 explicit_policy = 0;
@@ -160,7 +231,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
160 tree->auth_policies = NULL; 231 tree->auth_policies = NULL;
161 tree->user_policies = NULL; 232 tree->user_policies = NULL;
162 233
163 if (!tree) 234 if (!tree->levels)
164 { 235 {
165 OPENSSL_free(tree); 236 OPENSSL_free(tree);
166 return 0; 237 return 0;
@@ -184,7 +255,6 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
184 level++; 255 level++;
185 x = sk_X509_value(certs, i); 256 x = sk_X509_value(certs, i);
186 cache = policy_cache_set(x); 257 cache = policy_cache_set(x);
187
188 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509); 258 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
189 level->cert = x; 259 level->cert = x;
190 260
@@ -213,13 +283,13 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
213 level->flags |= X509_V_FLAG_INHIBIT_MAP; 283 level->flags |= X509_V_FLAG_INHIBIT_MAP;
214 else 284 else
215 { 285 {
216 map_skip--; 286 if (!(x->ex_flags & EXFLAG_SI))
287 map_skip--;
217 if ((cache->map_skip >= 0) 288 if ((cache->map_skip >= 0)
218 && (cache->map_skip < map_skip)) 289 && (cache->map_skip < map_skip))
219 map_skip = cache->map_skip; 290 map_skip = cache->map_skip;
220 } 291 }
221 292
222
223 } 293 }
224 294
225 *ptree = tree; 295 *ptree = tree;
@@ -237,7 +307,32 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
237 307
238 } 308 }
239 309
240/* This corresponds to RFC3280 XXXX XXXXX: 310static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
311 const X509_POLICY_DATA *data)
312 {
313 X509_POLICY_LEVEL *last = curr - 1;
314 X509_POLICY_NODE *node;
315 int i, matched = 0;
316 /* Iterate through all in nodes linking matches */
317 for (i = 0; i < sk_X509_POLICY_NODE_num(last->nodes); i++)
318 {
319 node = sk_X509_POLICY_NODE_value(last->nodes, i);
320 if (policy_node_match(last, node, data->valid_policy))
321 {
322 if (!level_add_node(curr, data, node, NULL))
323 return 0;
324 matched = 1;
325 }
326 }
327 if (!matched && last->anyPolicy)
328 {
329 if (!level_add_node(curr, data, last->anyPolicy, NULL))
330 return 0;
331 }
332 return 1;
333 }
334
335/* This corresponds to RFC3280 6.1.3(d)(1):
241 * link any data from CertificatePolicies onto matching parent 336 * link any data from CertificatePolicies onto matching parent
242 * or anyPolicy if no match. 337 * or anyPolicy if no match.
243 */ 338 */
@@ -248,7 +343,6 @@ static int tree_link_nodes(X509_POLICY_LEVEL *curr,
248 int i; 343 int i;
249 X509_POLICY_LEVEL *last; 344 X509_POLICY_LEVEL *last;
250 X509_POLICY_DATA *data; 345 X509_POLICY_DATA *data;
251 X509_POLICY_NODE *parent;
252 last = curr - 1; 346 last = curr - 1;
253 for (i = 0; i < sk_X509_POLICY_DATA_num(cache->data); i++) 347 for (i = 0; i < sk_X509_POLICY_DATA_num(cache->data); i++)
254 { 348 {
@@ -261,40 +355,109 @@ static int tree_link_nodes(X509_POLICY_LEVEL *curr,
261 * link because then it will have the mapping flags 355 * link because then it will have the mapping flags
262 * right and we can prune it later. 356 * right and we can prune it later.
263 */ 357 */
358#if 0
264 if ((data->flags & POLICY_DATA_FLAG_MAPPED_ANY) 359 if ((data->flags & POLICY_DATA_FLAG_MAPPED_ANY)
265 && !(curr->flags & X509_V_FLAG_INHIBIT_ANY)) 360 && !(curr->flags & X509_V_FLAG_INHIBIT_ANY))
266 continue; 361 continue;
267 /* Look for matching node in parent */ 362#endif
268 parent = level_find_node(last, data->valid_policy); 363 /* Look for matching nodes in previous level */
269 /* If no match link to anyPolicy */ 364 if (!tree_link_matching_nodes(curr, data))
270 if (!parent)
271 parent = last->anyPolicy;
272 if (parent && !level_add_node(curr, data, parent, NULL))
273 return 0; 365 return 0;
274 } 366 }
275 return 1; 367 return 1;
276 } 368 }
277 369
278/* This corresponds to RFC3280 XXXX XXXXX: 370/* This corresponds to RFC3280 6.1.3(d)(2):
279 * Create new data for any unmatched policies in the parent and link 371 * Create new data for any unmatched policies in the parent and link
280 * to anyPolicy. 372 * to anyPolicy.
281 */ 373 */
282 374
375static int tree_add_unmatched(X509_POLICY_LEVEL *curr,
376 const X509_POLICY_CACHE *cache,
377 const ASN1_OBJECT *id,
378 X509_POLICY_NODE *node,
379 X509_POLICY_TREE *tree)
380 {
381 X509_POLICY_DATA *data;
382 if (id == NULL)
383 id = node->data->valid_policy;
384 /* Create a new node with qualifiers from anyPolicy and
385 * id from unmatched node.
386 */
387 data = policy_data_new(NULL, id, node_critical(node));
388
389 if (data == NULL)
390 return 0;
391 /* Curr may not have anyPolicy */
392 data->qualifier_set = cache->anyPolicy->qualifier_set;
393 data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
394 if (!level_add_node(curr, data, node, tree))
395 {
396 policy_data_free(data);
397 return 0;
398 }
399
400 return 1;
401 }
402
403static int tree_link_unmatched(X509_POLICY_LEVEL *curr,
404 const X509_POLICY_CACHE *cache,
405 X509_POLICY_NODE *node,
406 X509_POLICY_TREE *tree)
407 {
408 const X509_POLICY_LEVEL *last = curr - 1;
409 int i;
410
411 if ( (last->flags & X509_V_FLAG_INHIBIT_MAP)
412 || !(node->data->flags & POLICY_DATA_FLAG_MAPPED))
413 {
414 /* If no policy mapping: matched if one child present */
415 if (node->nchild)
416 return 1;
417 if (!tree_add_unmatched(curr, cache, NULL, node, tree))
418 return 0;
419 /* Add it */
420 }
421 else
422 {
423 /* If mapping: matched if one child per expected policy set */
424 STACK_OF(ASN1_OBJECT) *expset = node->data->expected_policy_set;
425 if (node->nchild == sk_ASN1_OBJECT_num(expset))
426 return 1;
427 /* Locate unmatched nodes */
428 for (i = 0; i < sk_ASN1_OBJECT_num(expset); i++)
429 {
430 ASN1_OBJECT *oid = sk_ASN1_OBJECT_value(expset, i);
431 if (level_find_node(curr, node, oid))
432 continue;
433 if (!tree_add_unmatched(curr, cache, oid, node, tree))
434 return 0;
435 }
436
437 }
438
439 return 1;
440
441 }
442
283static int tree_link_any(X509_POLICY_LEVEL *curr, 443static int tree_link_any(X509_POLICY_LEVEL *curr,
284 const X509_POLICY_CACHE *cache, 444 const X509_POLICY_CACHE *cache,
285 X509_POLICY_TREE *tree) 445 X509_POLICY_TREE *tree)
286 { 446 {
287 int i; 447 int i;
288 X509_POLICY_DATA *data; 448 /*X509_POLICY_DATA *data;*/
289 X509_POLICY_NODE *node; 449 X509_POLICY_NODE *node;
290 X509_POLICY_LEVEL *last; 450 X509_POLICY_LEVEL *last = curr - 1;
291
292 last = curr - 1;
293 451
294 for (i = 0; i < sk_X509_POLICY_NODE_num(last->nodes); i++) 452 for (i = 0; i < sk_X509_POLICY_NODE_num(last->nodes); i++)
295 { 453 {
296 node = sk_X509_POLICY_NODE_value(last->nodes, i); 454 node = sk_X509_POLICY_NODE_value(last->nodes, i);
297 455
456 if (!tree_link_unmatched(curr, cache, node, tree))
457 return 0;
458
459#if 0
460
298 /* Skip any node with any children: we only want unmathced 461 /* Skip any node with any children: we only want unmathced
299 * nodes. 462 * nodes.
300 * 463 *
@@ -303,6 +466,7 @@ static int tree_link_any(X509_POLICY_LEVEL *curr,
303 */ 466 */
304 if (node->nchild) 467 if (node->nchild)
305 continue; 468 continue;
469
306 /* Create a new node with qualifiers from anyPolicy and 470 /* Create a new node with qualifiers from anyPolicy and
307 * id from unmatched node. 471 * id from unmatched node.
308 */ 472 */
@@ -319,6 +483,9 @@ static int tree_link_any(X509_POLICY_LEVEL *curr,
319 policy_data_free(data); 483 policy_data_free(data);
320 return 0; 484 return 0;
321 } 485 }
486
487#endif
488
322 } 489 }
323 /* Finally add link to anyPolicy */ 490 /* Finally add link to anyPolicy */
324 if (last->anyPolicy) 491 if (last->anyPolicy)
@@ -337,30 +504,36 @@ static int tree_link_any(X509_POLICY_LEVEL *curr,
337 504
338static int tree_prune(X509_POLICY_TREE *tree, X509_POLICY_LEVEL *curr) 505static int tree_prune(X509_POLICY_TREE *tree, X509_POLICY_LEVEL *curr)
339 { 506 {
507 STACK_OF(X509_POLICY_NODE) *nodes;
340 X509_POLICY_NODE *node; 508 X509_POLICY_NODE *node;
341 int i; 509 int i;
342 for (i = sk_X509_POLICY_NODE_num(curr->nodes) - 1; i >= 0; i--) 510 nodes = curr->nodes;
511 if (curr->flags & X509_V_FLAG_INHIBIT_MAP)
343 { 512 {
344 node = sk_X509_POLICY_NODE_value(curr->nodes, i); 513 for (i = sk_X509_POLICY_NODE_num(nodes) - 1; i >= 0; i--)
345 /* Delete any mapped data: see RFC3280 XXXX */
346 if (node->data->flags & POLICY_DATA_FLAG_MAP_MASK)
347 { 514 {
348 node->parent->nchild--; 515 node = sk_X509_POLICY_NODE_value(nodes, i);
349 OPENSSL_free(node); 516 /* Delete any mapped data: see RFC3280 XXXX */
350 (void)sk_X509_POLICY_NODE_delete(curr->nodes, i); 517 if (node->data->flags & POLICY_DATA_FLAG_MAP_MASK)
518 {
519 node->parent->nchild--;
520 OPENSSL_free(node);
521 (void)sk_X509_POLICY_NODE_delete(nodes,i);
522 }
351 } 523 }
352 } 524 }
353 525
354 for(;;) { 526 for(;;) {
355 --curr; 527 --curr;
356 for (i = sk_X509_POLICY_NODE_num(curr->nodes) - 1; i >= 0; i--) 528 nodes = curr->nodes;
529 for (i = sk_X509_POLICY_NODE_num(nodes) - 1; i >= 0; i--)
357 { 530 {
358 node = sk_X509_POLICY_NODE_value(curr->nodes, i); 531 node = sk_X509_POLICY_NODE_value(nodes, i);
359 if (node->nchild == 0) 532 if (node->nchild == 0)
360 { 533 {
361 node->parent->nchild--; 534 node->parent->nchild--;
362 OPENSSL_free(node); 535 OPENSSL_free(node);
363 (void)sk_X509_POLICY_NODE_delete(curr->nodes, i); 536 (void)sk_X509_POLICY_NODE_delete(nodes, i);
364 } 537 }
365 } 538 }
366 if (curr->anyPolicy && !curr->anyPolicy->nchild) 539 if (curr->anyPolicy && !curr->anyPolicy->nchild)
@@ -536,6 +709,7 @@ static int tree_evaluate(X509_POLICY_TREE *tree)
536 if (!(curr->flags & X509_V_FLAG_INHIBIT_ANY) 709 if (!(curr->flags & X509_V_FLAG_INHIBIT_ANY)
537 && !tree_link_any(curr, cache, tree)) 710 && !tree_link_any(curr, cache, tree))
538 return 0; 711 return 0;
712 tree_print("before tree_prune()", tree, curr);
539 ret = tree_prune(tree, curr); 713 ret = tree_prune(tree, curr);
540 if (ret != 1) 714 if (ret != 1)
541 return ret; 715 return ret;
@@ -604,7 +778,6 @@ int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy,
604 *pexplicit_policy = 0; 778 *pexplicit_policy = 0;
605 ret = tree_init(&tree, certs, flags); 779 ret = tree_init(&tree, certs, flags);
606 780
607
608 switch (ret) 781 switch (ret)
609 { 782 {
610 783
@@ -613,6 +786,10 @@ int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy,
613 return 1; 786 return 1;
614 787
615 /* Some internal error */ 788 /* Some internal error */
789 case -1:
790 return -1;
791
792 /* Some internal error */
616 case 0: 793 case 0:
617 return 0; 794 return 0;
618 795
@@ -646,6 +823,8 @@ int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy,
646 if (!tree) goto error; 823 if (!tree) goto error;
647 ret = tree_evaluate(tree); 824 ret = tree_evaluate(tree);
648 825
826 tree_print("tree_evaluate()", tree, NULL);
827
649 if (ret <= 0) 828 if (ret <= 0)
650 goto error; 829 goto error;
651 830
diff --git a/src/lib/libcrypto/x509v3/v3_alt.c b/src/lib/libcrypto/x509v3/v3_alt.c
index 58b2952478..d29d94338e 100644
--- a/src/lib/libcrypto/x509v3/v3_alt.c
+++ b/src/lib/libcrypto/x509v3/v3_alt.c
@@ -82,6 +82,12 @@ NULL, NULL, NULL},
82(X509V3_EXT_I2V)i2v_GENERAL_NAMES, 82(X509V3_EXT_I2V)i2v_GENERAL_NAMES,
83(X509V3_EXT_V2I)v2i_issuer_alt, 83(X509V3_EXT_V2I)v2i_issuer_alt,
84NULL, NULL, NULL}, 84NULL, NULL, NULL},
85
86{ NID_certificate_issuer, 0, ASN1_ITEM_ref(GENERAL_NAMES),
870,0,0,0,
880,0,
89(X509V3_EXT_I2V)i2v_GENERAL_NAMES,
90NULL, NULL, NULL, NULL},
85}; 91};
86 92
87STACK_OF(CONF_VALUE) *i2v_GENERAL_NAMES(X509V3_EXT_METHOD *method, 93STACK_OF(CONF_VALUE) *i2v_GENERAL_NAMES(X509V3_EXT_METHOD *method,
@@ -360,6 +366,7 @@ static int copy_email(X509V3_CTX *ctx, GENERAL_NAMES *gens, int move_p)
360 if (move_p) 366 if (move_p)
361 { 367 {
362 X509_NAME_delete_entry(nm, i); 368 X509_NAME_delete_entry(nm, i);
369 X509_NAME_ENTRY_free(ne);
363 i--; 370 i--;
364 } 371 }
365 if(!email || !(gen = GENERAL_NAME_new())) { 372 if(!email || !(gen = GENERAL_NAME_new())) {
@@ -386,8 +393,8 @@ static int copy_email(X509V3_CTX *ctx, GENERAL_NAMES *gens, int move_p)
386 393
387} 394}
388 395
389GENERAL_NAMES *v2i_GENERAL_NAMES(X509V3_EXT_METHOD *method, 396GENERAL_NAMES *v2i_GENERAL_NAMES(const X509V3_EXT_METHOD *method,
390 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval) 397 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
391{ 398{
392 GENERAL_NAME *gen; 399 GENERAL_NAME *gen;
393 GENERAL_NAMES *gens = NULL; 400 GENERAL_NAMES *gens = NULL;
@@ -408,28 +415,22 @@ GENERAL_NAMES *v2i_GENERAL_NAMES(X509V3_EXT_METHOD *method,
408 return NULL; 415 return NULL;
409} 416}
410 417
411GENERAL_NAME *v2i_GENERAL_NAME(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, 418GENERAL_NAME *v2i_GENERAL_NAME(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
412 CONF_VALUE *cnf) 419 CONF_VALUE *cnf)
413 { 420 {
414 return v2i_GENERAL_NAME_ex(NULL, method, ctx, cnf, 0); 421 return v2i_GENERAL_NAME_ex(NULL, method, ctx, cnf, 0);
415 } 422 }
416 423
417GENERAL_NAME *v2i_GENERAL_NAME_ex(GENERAL_NAME *out, 424GENERAL_NAME *a2i_GENERAL_NAME(GENERAL_NAME *out,
418 X509V3_EXT_METHOD *method, X509V3_CTX *ctx, 425 const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
419 CONF_VALUE *cnf, int is_nc) 426 int gen_type, char *value, int is_nc)
420 { 427 {
421 char is_string = 0; 428 char is_string = 0;
422 int type;
423 GENERAL_NAME *gen = NULL; 429 GENERAL_NAME *gen = NULL;
424 430
425 char *name, *value;
426
427 name = cnf->name;
428 value = cnf->value;
429
430 if(!value) 431 if(!value)
431 { 432 {
432 X509V3err(X509V3_F_V2I_GENERAL_NAME_EX,X509V3_R_MISSING_VALUE); 433 X509V3err(X509V3_F_A2I_GENERAL_NAME,X509V3_R_MISSING_VALUE);
433 return NULL; 434 return NULL;
434 } 435 }
435 436
@@ -440,74 +441,62 @@ GENERAL_NAME *v2i_GENERAL_NAME_ex(GENERAL_NAME *out,
440 gen = GENERAL_NAME_new(); 441 gen = GENERAL_NAME_new();
441 if(gen == NULL) 442 if(gen == NULL)
442 { 443 {
443 X509V3err(X509V3_F_V2I_GENERAL_NAME_EX,ERR_R_MALLOC_FAILURE); 444 X509V3err(X509V3_F_A2I_GENERAL_NAME,ERR_R_MALLOC_FAILURE);
444 return NULL; 445 return NULL;
445 } 446 }
446 } 447 }
447 448
448 if(!name_cmp(name, "email")) 449 switch (gen_type)
449 {
450 is_string = 1;
451 type = GEN_EMAIL;
452 }
453 else if(!name_cmp(name, "URI"))
454 {
455 is_string = 1;
456 type = GEN_URI;
457 }
458 else if(!name_cmp(name, "DNS"))
459 { 450 {
451 case GEN_URI:
452 case GEN_EMAIL:
453 case GEN_DNS:
460 is_string = 1; 454 is_string = 1;
461 type = GEN_DNS; 455 break;
462 } 456
463 else if(!name_cmp(name, "RID")) 457 case GEN_RID:
464 { 458 {
465 ASN1_OBJECT *obj; 459 ASN1_OBJECT *obj;
466 if(!(obj = OBJ_txt2obj(value,0))) 460 if(!(obj = OBJ_txt2obj(value,0)))
467 { 461 {
468 X509V3err(X509V3_F_V2I_GENERAL_NAME_EX,X509V3_R_BAD_OBJECT); 462 X509V3err(X509V3_F_A2I_GENERAL_NAME,X509V3_R_BAD_OBJECT);
469 ERR_add_error_data(2, "value=", value); 463 ERR_add_error_data(2, "value=", value);
470 goto err; 464 goto err;
471 } 465 }
472 gen->d.rid = obj; 466 gen->d.rid = obj;
473 type = GEN_RID;
474 } 467 }
475 else if(!name_cmp(name, "IP")) 468 break;
476 { 469
470 case GEN_IPADD:
477 if (is_nc) 471 if (is_nc)
478 gen->d.ip = a2i_IPADDRESS_NC(value); 472 gen->d.ip = a2i_IPADDRESS_NC(value);
479 else 473 else
480 gen->d.ip = a2i_IPADDRESS(value); 474 gen->d.ip = a2i_IPADDRESS(value);
481 if(gen->d.ip == NULL) 475 if(gen->d.ip == NULL)
482 { 476 {
483 X509V3err(X509V3_F_V2I_GENERAL_NAME_EX,X509V3_R_BAD_IP_ADDRESS); 477 X509V3err(X509V3_F_A2I_GENERAL_NAME,X509V3_R_BAD_IP_ADDRESS);
484 ERR_add_error_data(2, "value=", value); 478 ERR_add_error_data(2, "value=", value);
485 goto err; 479 goto err;
486 } 480 }
487 type = GEN_IPADD; 481 break;
488 } 482
489 else if(!name_cmp(name, "dirName")) 483 case GEN_DIRNAME:
490 {
491 type = GEN_DIRNAME;
492 if (!do_dirname(gen, value, ctx)) 484 if (!do_dirname(gen, value, ctx))
493 { 485 {
494 X509V3err(X509V3_F_V2I_GENERAL_NAME_EX,X509V3_R_DIRNAME_ERROR); 486 X509V3err(X509V3_F_A2I_GENERAL_NAME,X509V3_R_DIRNAME_ERROR);
495 goto err; 487 goto err;
496 } 488 }
497 } 489 break;
498 else if(!name_cmp(name, "otherName")) 490
499 { 491 case GEN_OTHERNAME:
500 if (!do_othername(gen, value, ctx)) 492 if (!do_othername(gen, value, ctx))
501 { 493 {
502 X509V3err(X509V3_F_V2I_GENERAL_NAME_EX,X509V3_R_OTHERNAME_ERROR); 494 X509V3err(X509V3_F_A2I_GENERAL_NAME,X509V3_R_OTHERNAME_ERROR);
503 goto err; 495 goto err;
504 } 496 }
505 type = GEN_OTHERNAME; 497 break;
506 } 498 default:
507 else 499 X509V3err(X509V3_F_A2I_GENERAL_NAME,X509V3_R_UNSUPPORTED_TYPE);
508 {
509 X509V3err(X509V3_F_V2I_GENERAL_NAME_EX,X509V3_R_UNSUPPORTED_OPTION);
510 ERR_add_error_data(2, "name=", name);
511 goto err; 500 goto err;
512 } 501 }
513 502
@@ -517,12 +506,12 @@ GENERAL_NAME *v2i_GENERAL_NAME_ex(GENERAL_NAME *out,
517 !ASN1_STRING_set(gen->d.ia5, (unsigned char*)value, 506 !ASN1_STRING_set(gen->d.ia5, (unsigned char*)value,
518 strlen(value))) 507 strlen(value)))
519 { 508 {
520 X509V3err(X509V3_F_V2I_GENERAL_NAME_EX,ERR_R_MALLOC_FAILURE); 509 X509V3err(X509V3_F_A2I_GENERAL_NAME,ERR_R_MALLOC_FAILURE);
521 goto err; 510 goto err;
522 } 511 }
523 } 512 }
524 513
525 gen->type = type; 514 gen->type = gen_type;
526 515
527 return gen; 516 return gen;
528 517
@@ -532,6 +521,48 @@ GENERAL_NAME *v2i_GENERAL_NAME_ex(GENERAL_NAME *out,
532 return NULL; 521 return NULL;
533 } 522 }
534 523
524GENERAL_NAME *v2i_GENERAL_NAME_ex(GENERAL_NAME *out,
525 const X509V3_EXT_METHOD *method,
526 X509V3_CTX *ctx, CONF_VALUE *cnf, int is_nc)
527 {
528 int type;
529
530 char *name, *value;
531
532 name = cnf->name;
533 value = cnf->value;
534
535 if(!value)
536 {
537 X509V3err(X509V3_F_V2I_GENERAL_NAME_EX,X509V3_R_MISSING_VALUE);
538 return NULL;
539 }
540
541 if(!name_cmp(name, "email"))
542 type = GEN_EMAIL;
543 else if(!name_cmp(name, "URI"))
544 type = GEN_URI;
545 else if(!name_cmp(name, "DNS"))
546 type = GEN_DNS;
547 else if(!name_cmp(name, "RID"))
548 type = GEN_RID;
549 else if(!name_cmp(name, "IP"))
550 type = GEN_IPADD;
551 else if(!name_cmp(name, "dirName"))
552 type = GEN_DIRNAME;
553 else if(!name_cmp(name, "otherName"))
554 type = GEN_OTHERNAME;
555 else
556 {
557 X509V3err(X509V3_F_V2I_GENERAL_NAME_EX,X509V3_R_UNSUPPORTED_OPTION);
558 ERR_add_error_data(2, "name=", name);
559 return NULL;
560 }
561
562 return a2i_GENERAL_NAME(out, method, ctx, type, value, is_nc);
563
564 }
565
535static int do_othername(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx) 566static int do_othername(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx)
536 { 567 {
537 char *objtmp = NULL, *p; 568 char *objtmp = NULL, *p;
@@ -577,6 +608,7 @@ static int do_dirname(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx)
577 if (!ret) 608 if (!ret)
578 X509_NAME_free(nm); 609 X509_NAME_free(nm);
579 gen->d.dirn = nm; 610 gen->d.dirn = nm;
611 X509V3_section_free(ctx, sk);
580 612
581 return ret; 613 return ret;
582 } 614 }
diff --git a/src/lib/libcrypto/x509v3/v3_conf.c b/src/lib/libcrypto/x509v3/v3_conf.c
index 11eb6b7fd5..6730f9a6ee 100644
--- a/src/lib/libcrypto/x509v3/v3_conf.c
+++ b/src/lib/libcrypto/x509v3/v3_conf.c
@@ -72,14 +72,14 @@ static X509_EXTENSION *do_ext_nconf(CONF *conf, X509V3_CTX *ctx, int ext_nid, in
72static X509_EXTENSION *v3_generic_extension(const char *ext, char *value, int crit, int type, X509V3_CTX *ctx); 72static X509_EXTENSION *v3_generic_extension(const char *ext, char *value, int crit, int type, X509V3_CTX *ctx);
73static char *conf_lhash_get_string(void *db, char *section, char *value); 73static char *conf_lhash_get_string(void *db, char *section, char *value);
74static STACK_OF(CONF_VALUE) *conf_lhash_get_section(void *db, char *section); 74static STACK_OF(CONF_VALUE) *conf_lhash_get_section(void *db, char *section);
75static X509_EXTENSION *do_ext_i2d(X509V3_EXT_METHOD *method, int ext_nid, 75static X509_EXTENSION *do_ext_i2d(const X509V3_EXT_METHOD *method, int ext_nid,
76 int crit, void *ext_struc); 76 int crit, void *ext_struc);
77static unsigned char *generic_asn1(char *value, X509V3_CTX *ctx, long *ext_len); 77static unsigned char *generic_asn1(char *value, X509V3_CTX *ctx, long *ext_len);
78/* CONF *conf: Config file */ 78/* CONF *conf: Config file */
79/* char *name: Name */ 79/* char *name: Name */
80/* char *value: Value */ 80/* char *value: Value */
81X509_EXTENSION *X509V3_EXT_nconf(CONF *conf, X509V3_CTX *ctx, char *name, 81X509_EXTENSION *X509V3_EXT_nconf(CONF *conf, X509V3_CTX *ctx, char *name,
82 char *value) 82 char *value)
83 { 83 {
84 int crit; 84 int crit;
85 int ext_type; 85 int ext_type;
@@ -99,7 +99,7 @@ X509_EXTENSION *X509V3_EXT_nconf(CONF *conf, X509V3_CTX *ctx, char *name,
99/* CONF *conf: Config file */ 99/* CONF *conf: Config file */
100/* char *value: Value */ 100/* char *value: Value */
101X509_EXTENSION *X509V3_EXT_nconf_nid(CONF *conf, X509V3_CTX *ctx, int ext_nid, 101X509_EXTENSION *X509V3_EXT_nconf_nid(CONF *conf, X509V3_CTX *ctx, int ext_nid,
102 char *value) 102 char *value)
103 { 103 {
104 int crit; 104 int crit;
105 int ext_type; 105 int ext_type;
@@ -113,9 +113,9 @@ X509_EXTENSION *X509V3_EXT_nconf_nid(CONF *conf, X509V3_CTX *ctx, int ext_nid,
113/* CONF *conf: Config file */ 113/* CONF *conf: Config file */
114/* char *value: Value */ 114/* char *value: Value */
115static X509_EXTENSION *do_ext_nconf(CONF *conf, X509V3_CTX *ctx, int ext_nid, 115static X509_EXTENSION *do_ext_nconf(CONF *conf, X509V3_CTX *ctx, int ext_nid,
116 int crit, char *value) 116 int crit, char *value)
117 { 117 {
118 X509V3_EXT_METHOD *method; 118 const X509V3_EXT_METHOD *method;
119 X509_EXTENSION *ext; 119 X509_EXTENSION *ext;
120 STACK_OF(CONF_VALUE) *nval; 120 STACK_OF(CONF_VALUE) *nval;
121 void *ext_struc; 121 void *ext_struc;
@@ -172,8 +172,8 @@ static X509_EXTENSION *do_ext_nconf(CONF *conf, X509V3_CTX *ctx, int ext_nid,
172 172
173 } 173 }
174 174
175static X509_EXTENSION *do_ext_i2d(X509V3_EXT_METHOD *method, int ext_nid, 175static X509_EXTENSION *do_ext_i2d(const X509V3_EXT_METHOD *method, int ext_nid,
176 int crit, void *ext_struc) 176 int crit, void *ext_struc)
177 { 177 {
178 unsigned char *ext_der; 178 unsigned char *ext_der;
179 int ext_len; 179 int ext_len;
@@ -214,7 +214,7 @@ static X509_EXTENSION *do_ext_i2d(X509V3_EXT_METHOD *method, int ext_nid,
214 214
215X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, void *ext_struc) 215X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, void *ext_struc)
216 { 216 {
217 X509V3_EXT_METHOD *method; 217 const X509V3_EXT_METHOD *method;
218 if (!(method = X509V3_EXT_get_nid(ext_nid))) { 218 if (!(method = X509V3_EXT_get_nid(ext_nid))) {
219 X509V3err(X509V3_F_X509V3_EXT_I2D,X509V3_R_UNKNOWN_EXTENSION); 219 X509V3err(X509V3_F_X509V3_EXT_I2D,X509V3_R_UNKNOWN_EXTENSION);
220 return NULL; 220 return NULL;
@@ -258,7 +258,8 @@ static int v3_check_generic(char **value)
258 258
259/* Create a generic extension: for now just handle DER type */ 259/* Create a generic extension: for now just handle DER type */
260static X509_EXTENSION *v3_generic_extension(const char *ext, char *value, 260static X509_EXTENSION *v3_generic_extension(const char *ext, char *value,
261 int crit, int gen_type, X509V3_CTX *ctx) 261 int crit, int gen_type,
262 X509V3_CTX *ctx)
262 { 263 {
263 unsigned char *ext_der=NULL; 264 unsigned char *ext_der=NULL;
264 long ext_len; 265 long ext_len;
@@ -322,7 +323,7 @@ static unsigned char *generic_asn1(char *value, X509V3_CTX *ctx, long *ext_len)
322 323
323 324
324int X509V3_EXT_add_nconf_sk(CONF *conf, X509V3_CTX *ctx, char *section, 325int X509V3_EXT_add_nconf_sk(CONF *conf, X509V3_CTX *ctx, char *section,
325 STACK_OF(X509_EXTENSION) **sk) 326 STACK_OF(X509_EXTENSION) **sk)
326 { 327 {
327 X509_EXTENSION *ext; 328 X509_EXTENSION *ext;
328 STACK_OF(CONF_VALUE) *nval; 329 STACK_OF(CONF_VALUE) *nval;
@@ -343,7 +344,7 @@ int X509V3_EXT_add_nconf_sk(CONF *conf, X509V3_CTX *ctx, char *section,
343/* Convenience functions to add extensions to a certificate, CRL and request */ 344/* Convenience functions to add extensions to a certificate, CRL and request */
344 345
345int X509V3_EXT_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section, 346int X509V3_EXT_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section,
346 X509 *cert) 347 X509 *cert)
347 { 348 {
348 STACK_OF(X509_EXTENSION) **sk = NULL; 349 STACK_OF(X509_EXTENSION) **sk = NULL;
349 if (cert) 350 if (cert)
@@ -354,7 +355,7 @@ int X509V3_EXT_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section,
354/* Same as above but for a CRL */ 355/* Same as above but for a CRL */
355 356
356int X509V3_EXT_CRL_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section, 357int X509V3_EXT_CRL_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section,
357 X509_CRL *crl) 358 X509_CRL *crl)
358 { 359 {
359 STACK_OF(X509_EXTENSION) **sk = NULL; 360 STACK_OF(X509_EXTENSION) **sk = NULL;
360 if (crl) 361 if (crl)
@@ -443,7 +444,7 @@ void X509V3_set_nconf(X509V3_CTX *ctx, CONF *conf)
443 } 444 }
444 445
445void X509V3_set_ctx(X509V3_CTX *ctx, X509 *issuer, X509 *subj, X509_REQ *req, 446void X509V3_set_ctx(X509V3_CTX *ctx, X509 *issuer, X509 *subj, X509_REQ *req,
446 X509_CRL *crl, int flags) 447 X509_CRL *crl, int flags)
447 { 448 {
448 ctx->issuer_cert = issuer; 449 ctx->issuer_cert = issuer;
449 ctx->subject_cert = subj; 450 ctx->subject_cert = subj;
@@ -454,8 +455,8 @@ void X509V3_set_ctx(X509V3_CTX *ctx, X509 *issuer, X509 *subj, X509_REQ *req,
454 455
455/* Old conf compatibility functions */ 456/* Old conf compatibility functions */
456 457
457X509_EXTENSION *X509V3_EXT_conf(LHASH *conf, X509V3_CTX *ctx, char *name, 458X509_EXTENSION *X509V3_EXT_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
458 char *value) 459 char *name, char *value)
459 { 460 {
460 CONF ctmp; 461 CONF ctmp;
461 CONF_set_nconf(&ctmp, conf); 462 CONF_set_nconf(&ctmp, conf);
@@ -464,8 +465,8 @@ X509_EXTENSION *X509V3_EXT_conf(LHASH *conf, X509V3_CTX *ctx, char *name,
464 465
465/* LHASH *conf: Config file */ 466/* LHASH *conf: Config file */
466/* char *value: Value */ 467/* char *value: Value */
467X509_EXTENSION *X509V3_EXT_conf_nid(LHASH *conf, X509V3_CTX *ctx, int ext_nid, 468X509_EXTENSION *X509V3_EXT_conf_nid(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
468 char *value) 469 int ext_nid, char *value)
469 { 470 {
470 CONF ctmp; 471 CONF ctmp;
471 CONF_set_nconf(&ctmp, conf); 472 CONF_set_nconf(&ctmp, conf);
@@ -489,14 +490,14 @@ NULL,
489NULL 490NULL
490}; 491};
491 492
492void X509V3_set_conf_lhash(X509V3_CTX *ctx, LHASH *lhash) 493void X509V3_set_conf_lhash(X509V3_CTX *ctx, LHASH_OF(CONF_VALUE) *lhash)
493 { 494 {
494 ctx->db_meth = &conf_lhash_method; 495 ctx->db_meth = &conf_lhash_method;
495 ctx->db = lhash; 496 ctx->db = lhash;
496 } 497 }
497 498
498int X509V3_EXT_add_conf(LHASH *conf, X509V3_CTX *ctx, char *section, 499int X509V3_EXT_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
499 X509 *cert) 500 char *section, X509 *cert)
500 { 501 {
501 CONF ctmp; 502 CONF ctmp;
502 CONF_set_nconf(&ctmp, conf); 503 CONF_set_nconf(&ctmp, conf);
@@ -505,8 +506,8 @@ int X509V3_EXT_add_conf(LHASH *conf, X509V3_CTX *ctx, char *section,
505 506
506/* Same as above but for a CRL */ 507/* Same as above but for a CRL */
507 508
508int X509V3_EXT_CRL_add_conf(LHASH *conf, X509V3_CTX *ctx, char *section, 509int X509V3_EXT_CRL_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
509 X509_CRL *crl) 510 char *section, X509_CRL *crl)
510 { 511 {
511 CONF ctmp; 512 CONF ctmp;
512 CONF_set_nconf(&ctmp, conf); 513 CONF_set_nconf(&ctmp, conf);
@@ -515,8 +516,8 @@ int X509V3_EXT_CRL_add_conf(LHASH *conf, X509V3_CTX *ctx, char *section,
515 516
516/* Add extensions to certificate request */ 517/* Add extensions to certificate request */
517 518
518int X509V3_EXT_REQ_add_conf(LHASH *conf, X509V3_CTX *ctx, char *section, 519int X509V3_EXT_REQ_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
519 X509_REQ *req) 520 char *section, X509_REQ *req)
520 { 521 {
521 CONF ctmp; 522 CONF ctmp;
522 CONF_set_nconf(&ctmp, conf); 523 CONF_set_nconf(&ctmp, conf);
diff --git a/src/lib/libcrypto/x509v3/v3_cpols.c b/src/lib/libcrypto/x509v3/v3_cpols.c
index ad0506d75c..1f0798b946 100644
--- a/src/lib/libcrypto/x509v3/v3_cpols.c
+++ b/src/lib/libcrypto/x509v3/v3_cpols.c
@@ -450,5 +450,8 @@ void X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent)
450 else 450 else
451 BIO_printf(out, "%*sNo Qualifiers\n", indent + 2, ""); 451 BIO_printf(out, "%*sNo Qualifiers\n", indent + 2, "");
452 } 452 }
453 453
454
454IMPLEMENT_STACK_OF(X509_POLICY_NODE) 455IMPLEMENT_STACK_OF(X509_POLICY_NODE)
456IMPLEMENT_STACK_OF(X509_POLICY_DATA)
457
diff --git a/src/lib/libcrypto/x509v3/v3_crld.c b/src/lib/libcrypto/x509v3/v3_crld.c
index 181a8977b1..790a6dd032 100644
--- a/src/lib/libcrypto/x509v3/v3_crld.c
+++ b/src/lib/libcrypto/x509v3/v3_crld.c
@@ -3,7 +3,7 @@
3 * project 1999. 3 * project 1999.
4 */ 4 */
5/* ==================================================================== 5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved. 6 * Copyright (c) 1999-2008 The OpenSSL Project. All rights reserved.
7 * 7 *
8 * Redistribution and use in source and binary forms, with or without 8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions 9 * modification, are permitted provided that the following conditions
@@ -63,45 +63,254 @@
63#include <openssl/asn1t.h> 63#include <openssl/asn1t.h>
64#include <openssl/x509v3.h> 64#include <openssl/x509v3.h>
65 65
66static STACK_OF(CONF_VALUE) *i2v_crld(X509V3_EXT_METHOD *method, 66static void *v2i_crld(const X509V3_EXT_METHOD *method,
67 STACK_OF(DIST_POINT) *crld, STACK_OF(CONF_VALUE) *extlist); 67 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
68static STACK_OF(DIST_POINT) *v2i_crld(X509V3_EXT_METHOD *method, 68static int i2r_crldp(const X509V3_EXT_METHOD *method, void *pcrldp, BIO *out,
69 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval); 69 int indent);
70 70
71const X509V3_EXT_METHOD v3_crld = { 71const X509V3_EXT_METHOD v3_crld =
72NID_crl_distribution_points, X509V3_EXT_MULTILINE, ASN1_ITEM_ref(CRL_DIST_POINTS), 72 {
730,0,0,0, 73 NID_crl_distribution_points, 0, ASN1_ITEM_ref(CRL_DIST_POINTS),
740,0, 74 0,0,0,0,
75(X509V3_EXT_I2V)i2v_crld, 75 0,0,
76(X509V3_EXT_V2I)v2i_crld, 76 0,
770,0, 77 v2i_crld,
78NULL 78 i2r_crldp,0,
79 NULL
80 };
81
82const X509V3_EXT_METHOD v3_freshest_crl =
83 {
84 NID_freshest_crl, 0, ASN1_ITEM_ref(CRL_DIST_POINTS),
85 0,0,0,0,
86 0,0,
87 0,
88 v2i_crld,
89 i2r_crldp,0,
90 NULL
91 };
92
93static STACK_OF(GENERAL_NAME) *gnames_from_sectname(X509V3_CTX *ctx, char *sect)
94 {
95 STACK_OF(CONF_VALUE) *gnsect;
96 STACK_OF(GENERAL_NAME) *gens;
97 if (*sect == '@')
98 gnsect = X509V3_get_section(ctx, sect + 1);
99 else
100 gnsect = X509V3_parse_list(sect);
101 if (!gnsect)
102 {
103 X509V3err(X509V3_F_GNAMES_FROM_SECTNAME,
104 X509V3_R_SECTION_NOT_FOUND);
105 return NULL;
106 }
107 gens = v2i_GENERAL_NAMES(NULL, ctx, gnsect);
108 if (*sect == '@')
109 X509V3_section_free(ctx, gnsect);
110 else
111 sk_CONF_VALUE_pop_free(gnsect, X509V3_conf_free);
112 return gens;
113 }
114
115static int set_dist_point_name(DIST_POINT_NAME **pdp, X509V3_CTX *ctx,
116 CONF_VALUE *cnf)
117 {
118 STACK_OF(GENERAL_NAME) *fnm = NULL;
119 STACK_OF(X509_NAME_ENTRY) *rnm = NULL;
120 if (!strncmp(cnf->name, "fullname", 9))
121 {
122 fnm = gnames_from_sectname(ctx, cnf->value);
123 if (!fnm)
124 goto err;
125 }
126 else if (!strcmp(cnf->name, "relativename"))
127 {
128 int ret;
129 STACK_OF(CONF_VALUE) *dnsect;
130 X509_NAME *nm;
131 nm = X509_NAME_new();
132 if (!nm)
133 return -1;
134 dnsect = X509V3_get_section(ctx, cnf->value);
135 if (!dnsect)
136 {
137 X509V3err(X509V3_F_SET_DIST_POINT_NAME,
138 X509V3_R_SECTION_NOT_FOUND);
139 return -1;
140 }
141 ret = X509V3_NAME_from_section(nm, dnsect, MBSTRING_ASC);
142 X509V3_section_free(ctx, dnsect);
143 rnm = nm->entries;
144 nm->entries = NULL;
145 X509_NAME_free(nm);
146 if (!ret || sk_X509_NAME_ENTRY_num(rnm) <= 0)
147 goto err;
148 /* Since its a name fragment can't have more than one
149 * RDNSequence
150 */
151 if (sk_X509_NAME_ENTRY_value(rnm,
152 sk_X509_NAME_ENTRY_num(rnm) - 1)->set)
153 {
154 X509V3err(X509V3_F_SET_DIST_POINT_NAME,
155 X509V3_R_INVALID_MULTIPLE_RDNS);
156 goto err;
157 }
158 }
159 else
160 return 0;
161
162 if (*pdp)
163 {
164 X509V3err(X509V3_F_SET_DIST_POINT_NAME,
165 X509V3_R_DISTPOINT_ALREADY_SET);
166 goto err;
167 }
168
169 *pdp = DIST_POINT_NAME_new();
170 if (!*pdp)
171 goto err;
172 if (fnm)
173 {
174 (*pdp)->type = 0;
175 (*pdp)->name.fullname = fnm;
176 }
177 else
178 {
179 (*pdp)->type = 1;
180 (*pdp)->name.relativename = rnm;
181 }
182
183 return 1;
184
185 err:
186 if (fnm)
187 sk_GENERAL_NAME_pop_free(fnm, GENERAL_NAME_free);
188 if (rnm)
189 sk_X509_NAME_ENTRY_pop_free(rnm, X509_NAME_ENTRY_free);
190 return -1;
191 }
192
193static const BIT_STRING_BITNAME reason_flags[] = {
194{0, "Unused", "unused"},
195{1, "Key Compromise", "keyCompromise"},
196{2, "CA Compromise", "CACompromise"},
197{3, "Affiliation Changed", "affiliationChanged"},
198{4, "Superseded", "superseded"},
199{5, "Cessation Of Operation", "cessationOfOperation"},
200{6, "Certificate Hold", "certificateHold"},
201{7, "Privilege Withdrawn", "privilegeWithdrawn"},
202{8, "AA Compromise", "AACompromise"},
203{-1, NULL, NULL}
79}; 204};
80 205
81static STACK_OF(CONF_VALUE) *i2v_crld(X509V3_EXT_METHOD *method, 206static int set_reasons(ASN1_BIT_STRING **preas, char *value)
82 STACK_OF(DIST_POINT) *crld, STACK_OF(CONF_VALUE) *exts) 207 {
83{ 208 STACK_OF(CONF_VALUE) *rsk = NULL;
84 DIST_POINT *point; 209 const BIT_STRING_BITNAME *pbn;
210 const char *bnam;
211 int i, ret = 0;
212 rsk = X509V3_parse_list(value);
213 if (!rsk)
214 return 0;
215 if (*preas)
216 return 0;
217 for (i = 0; i < sk_CONF_VALUE_num(rsk); i++)
218 {
219 bnam = sk_CONF_VALUE_value(rsk, i)->name;
220 if (!*preas)
221 {
222 *preas = ASN1_BIT_STRING_new();
223 if (!*preas)
224 goto err;
225 }
226 for (pbn = reason_flags; pbn->lname; pbn++)
227 {
228 if (!strcmp(pbn->sname, bnam))
229 {
230 if (!ASN1_BIT_STRING_set_bit(*preas,
231 pbn->bitnum, 1))
232 goto err;
233 break;
234 }
235 }
236 if (!pbn->lname)
237 goto err;
238 }
239 ret = 1;
240
241 err:
242 sk_CONF_VALUE_pop_free(rsk, X509V3_conf_free);
243 return ret;
244 }
245
246static int print_reasons(BIO *out, const char *rname,
247 ASN1_BIT_STRING *rflags, int indent)
248 {
249 int first = 1;
250 const BIT_STRING_BITNAME *pbn;
251 BIO_printf(out, "%*s%s:\n%*s", indent, "", rname, indent + 2, "");
252 for (pbn = reason_flags; pbn->lname; pbn++)
253 {
254 if (ASN1_BIT_STRING_get_bit(rflags, pbn->bitnum))
255 {
256 if (first)
257 first = 0;
258 else
259 BIO_puts(out, ", ");
260 BIO_puts(out, pbn->lname);
261 }
262 }
263 if (first)
264 BIO_puts(out, "<EMPTY>\n");
265 else
266 BIO_puts(out, "\n");
267 return 1;
268 }
269
270static DIST_POINT *crldp_from_section(X509V3_CTX *ctx,
271 STACK_OF(CONF_VALUE) *nval)
272 {
85 int i; 273 int i;
86 for(i = 0; i < sk_DIST_POINT_num(crld); i++) { 274 CONF_VALUE *cnf;
87 point = sk_DIST_POINT_value(crld, i); 275 DIST_POINT *point = NULL;
88 if(point->distpoint) { 276 point = DIST_POINT_new();
89 if(point->distpoint->type == 0) 277 if (!point)
90 exts = i2v_GENERAL_NAMES(NULL, 278 goto err;
91 point->distpoint->name.fullname, exts); 279 for(i = 0; i < sk_CONF_VALUE_num(nval); i++)
92 else X509V3_add_value("RelativeName","<UNSUPPORTED>", &exts); 280 {
281 int ret;
282 cnf = sk_CONF_VALUE_value(nval, i);
283 ret = set_dist_point_name(&point->distpoint, ctx, cnf);
284 if (ret > 0)
285 continue;
286 if (ret < 0)
287 goto err;
288 if (!strcmp(cnf->name, "reasons"))
289 {
290 if (!set_reasons(&point->reasons, cnf->value))
291 goto err;
292 }
293 else if (!strcmp(cnf->name, "CRLissuer"))
294 {
295 point->CRLissuer =
296 gnames_from_sectname(ctx, cnf->value);
297 if (!point->CRLissuer)
298 goto err;
299 }
93 } 300 }
94 if(point->reasons) 301
95 X509V3_add_value("reasons","<UNSUPPORTED>", &exts); 302 return point;
96 if(point->CRLissuer) 303
97 X509V3_add_value("CRLissuer","<UNSUPPORTED>", &exts); 304
305 err:
306 if (point)
307 DIST_POINT_free(point);
308 return NULL;
98 } 309 }
99 return exts;
100}
101 310
102static STACK_OF(DIST_POINT) *v2i_crld(X509V3_EXT_METHOD *method, 311static void *v2i_crld(const X509V3_EXT_METHOD *method,
103 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval) 312 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
104{ 313 {
105 STACK_OF(DIST_POINT) *crld = NULL; 314 STACK_OF(DIST_POINT) *crld = NULL;
106 GENERAL_NAMES *gens = NULL; 315 GENERAL_NAMES *gens = NULL;
107 GENERAL_NAME *gen = NULL; 316 GENERAL_NAME *gen = NULL;
@@ -111,19 +320,44 @@ static STACK_OF(DIST_POINT) *v2i_crld(X509V3_EXT_METHOD *method,
111 for(i = 0; i < sk_CONF_VALUE_num(nval); i++) { 320 for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
112 DIST_POINT *point; 321 DIST_POINT *point;
113 cnf = sk_CONF_VALUE_value(nval, i); 322 cnf = sk_CONF_VALUE_value(nval, i);
114 if(!(gen = v2i_GENERAL_NAME(method, ctx, cnf))) goto err; 323 if (!cnf->value)
115 if(!(gens = GENERAL_NAMES_new())) goto merr; 324 {
116 if(!sk_GENERAL_NAME_push(gens, gen)) goto merr; 325 STACK_OF(CONF_VALUE) *dpsect;
117 gen = NULL; 326 dpsect = X509V3_get_section(ctx, cnf->name);
118 if(!(point = DIST_POINT_new())) goto merr; 327 if (!dpsect)
119 if(!sk_DIST_POINT_push(crld, point)) { 328 goto err;
120 DIST_POINT_free(point); 329 point = crldp_from_section(ctx, dpsect);
121 goto merr; 330 X509V3_section_free(ctx, dpsect);
122 } 331 if (!point)
123 if(!(point->distpoint = DIST_POINT_NAME_new())) goto merr; 332 goto err;
124 point->distpoint->name.fullname = gens; 333 if(!sk_DIST_POINT_push(crld, point))
125 point->distpoint->type = 0; 334 {
126 gens = NULL; 335 DIST_POINT_free(point);
336 goto merr;
337 }
338 }
339 else
340 {
341 if(!(gen = v2i_GENERAL_NAME(method, ctx, cnf)))
342 goto err;
343 if(!(gens = GENERAL_NAMES_new()))
344 goto merr;
345 if(!sk_GENERAL_NAME_push(gens, gen))
346 goto merr;
347 gen = NULL;
348 if(!(point = DIST_POINT_new()))
349 goto merr;
350 if(!sk_DIST_POINT_push(crld, point))
351 {
352 DIST_POINT_free(point);
353 goto merr;
354 }
355 if(!(point->distpoint = DIST_POINT_NAME_new()))
356 goto merr;
357 point->distpoint->name.fullname = gens;
358 point->distpoint->type = 0;
359 gens = NULL;
360 }
127 } 361 }
128 return crld; 362 return crld;
129 363
@@ -139,11 +373,31 @@ static STACK_OF(DIST_POINT) *v2i_crld(X509V3_EXT_METHOD *method,
139IMPLEMENT_STACK_OF(DIST_POINT) 373IMPLEMENT_STACK_OF(DIST_POINT)
140IMPLEMENT_ASN1_SET_OF(DIST_POINT) 374IMPLEMENT_ASN1_SET_OF(DIST_POINT)
141 375
376static int dpn_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
377 void *exarg)
378 {
379 DIST_POINT_NAME *dpn = (DIST_POINT_NAME *)*pval;
380
381 switch(operation)
382 {
383 case ASN1_OP_NEW_POST:
384 dpn->dpname = NULL;
385 break;
386
387 case ASN1_OP_FREE_POST:
388 if (dpn->dpname)
389 X509_NAME_free(dpn->dpname);
390 break;
391 }
392 return 1;
393 }
394
142 395
143ASN1_CHOICE(DIST_POINT_NAME) = { 396ASN1_CHOICE_cb(DIST_POINT_NAME, dpn_cb) = {
144 ASN1_IMP_SEQUENCE_OF(DIST_POINT_NAME, name.fullname, GENERAL_NAME, 0), 397 ASN1_IMP_SEQUENCE_OF(DIST_POINT_NAME, name.fullname, GENERAL_NAME, 0),
145 ASN1_IMP_SET_OF(DIST_POINT_NAME, name.relativename, X509_NAME_ENTRY, 1) 398 ASN1_IMP_SET_OF(DIST_POINT_NAME, name.relativename, X509_NAME_ENTRY, 1)
146} ASN1_CHOICE_END(DIST_POINT_NAME) 399} ASN1_CHOICE_END_cb(DIST_POINT_NAME, DIST_POINT_NAME, type)
400
147 401
148IMPLEMENT_ASN1_FUNCTIONS(DIST_POINT_NAME) 402IMPLEMENT_ASN1_FUNCTIONS(DIST_POINT_NAME)
149 403
@@ -160,3 +414,203 @@ ASN1_ITEM_TEMPLATE(CRL_DIST_POINTS) =
160ASN1_ITEM_TEMPLATE_END(CRL_DIST_POINTS) 414ASN1_ITEM_TEMPLATE_END(CRL_DIST_POINTS)
161 415
162IMPLEMENT_ASN1_FUNCTIONS(CRL_DIST_POINTS) 416IMPLEMENT_ASN1_FUNCTIONS(CRL_DIST_POINTS)
417
418ASN1_SEQUENCE(ISSUING_DIST_POINT) = {
419 ASN1_EXP_OPT(ISSUING_DIST_POINT, distpoint, DIST_POINT_NAME, 0),
420 ASN1_IMP_OPT(ISSUING_DIST_POINT, onlyuser, ASN1_FBOOLEAN, 1),
421 ASN1_IMP_OPT(ISSUING_DIST_POINT, onlyCA, ASN1_FBOOLEAN, 2),
422 ASN1_IMP_OPT(ISSUING_DIST_POINT, onlysomereasons, ASN1_BIT_STRING, 3),
423 ASN1_IMP_OPT(ISSUING_DIST_POINT, indirectCRL, ASN1_FBOOLEAN, 4),
424 ASN1_IMP_OPT(ISSUING_DIST_POINT, onlyattr, ASN1_FBOOLEAN, 5)
425} ASN1_SEQUENCE_END(ISSUING_DIST_POINT)
426
427IMPLEMENT_ASN1_FUNCTIONS(ISSUING_DIST_POINT)
428
429static int i2r_idp(const X509V3_EXT_METHOD *method, void *pidp, BIO *out,
430 int indent);
431static void *v2i_idp(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
432 STACK_OF(CONF_VALUE) *nval);
433
434const X509V3_EXT_METHOD v3_idp =
435 {
436 NID_issuing_distribution_point, X509V3_EXT_MULTILINE,
437 ASN1_ITEM_ref(ISSUING_DIST_POINT),
438 0,0,0,0,
439 0,0,
440 0,
441 v2i_idp,
442 i2r_idp,0,
443 NULL
444 };
445
446static void *v2i_idp(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
447 STACK_OF(CONF_VALUE) *nval)
448 {
449 ISSUING_DIST_POINT *idp = NULL;
450 CONF_VALUE *cnf;
451 char *name, *val;
452 int i, ret;
453 idp = ISSUING_DIST_POINT_new();
454 if (!idp)
455 goto merr;
456 for(i = 0; i < sk_CONF_VALUE_num(nval); i++)
457 {
458 cnf = sk_CONF_VALUE_value(nval, i);
459 name = cnf->name;
460 val = cnf->value;
461 ret = set_dist_point_name(&idp->distpoint, ctx, cnf);
462 if (ret > 0)
463 continue;
464 if (ret < 0)
465 goto err;
466 if (!strcmp(name, "onlyuser"))
467 {
468 if (!X509V3_get_value_bool(cnf, &idp->onlyuser))
469 goto err;
470 }
471 else if (!strcmp(name, "onlyCA"))
472 {
473 if (!X509V3_get_value_bool(cnf, &idp->onlyCA))
474 goto err;
475 }
476 else if (!strcmp(name, "onlyAA"))
477 {
478 if (!X509V3_get_value_bool(cnf, &idp->onlyattr))
479 goto err;
480 }
481 else if (!strcmp(name, "indirectCRL"))
482 {
483 if (!X509V3_get_value_bool(cnf, &idp->indirectCRL))
484 goto err;
485 }
486 else if (!strcmp(name, "onlysomereasons"))
487 {
488 if (!set_reasons(&idp->onlysomereasons, val))
489 goto err;
490 }
491 else
492 {
493 X509V3err(X509V3_F_V2I_IDP, X509V3_R_INVALID_NAME);
494 X509V3_conf_err(cnf);
495 goto err;
496 }
497 }
498 return idp;
499
500 merr:
501 X509V3err(X509V3_F_V2I_IDP,ERR_R_MALLOC_FAILURE);
502 err:
503 ISSUING_DIST_POINT_free(idp);
504 return NULL;
505 }
506
507static int print_gens(BIO *out, STACK_OF(GENERAL_NAME) *gens, int indent)
508 {
509 int i;
510 for (i = 0; i < sk_GENERAL_NAME_num(gens); i++)
511 {
512 BIO_printf(out, "%*s", indent + 2, "");
513 GENERAL_NAME_print(out, sk_GENERAL_NAME_value(gens, i));
514 BIO_puts(out, "\n");
515 }
516 return 1;
517 }
518
519static int print_distpoint(BIO *out, DIST_POINT_NAME *dpn, int indent)
520 {
521 if (dpn->type == 0)
522 {
523 BIO_printf(out, "%*sFull Name:\n", indent, "");
524 print_gens(out, dpn->name.fullname, indent);
525 }
526 else
527 {
528 X509_NAME ntmp;
529 ntmp.entries = dpn->name.relativename;
530 BIO_printf(out, "%*sRelative Name:\n%*s",
531 indent, "", indent + 2, "");
532 X509_NAME_print_ex(out, &ntmp, 0, XN_FLAG_ONELINE);
533 BIO_puts(out, "\n");
534 }
535 return 1;
536 }
537
538static int i2r_idp(const X509V3_EXT_METHOD *method, void *pidp, BIO *out,
539 int indent)
540 {
541 ISSUING_DIST_POINT *idp = pidp;
542 if (idp->distpoint)
543 print_distpoint(out, idp->distpoint, indent);
544 if (idp->onlyuser > 0)
545 BIO_printf(out, "%*sOnly User Certificates\n", indent, "");
546 if (idp->onlyCA > 0)
547 BIO_printf(out, "%*sOnly CA Certificates\n", indent, "");
548 if (idp->indirectCRL > 0)
549 BIO_printf(out, "%*sIndirect CRL\n", indent, "");
550 if (idp->onlysomereasons)
551 print_reasons(out, "Only Some Reasons",
552 idp->onlysomereasons, indent);
553 if (idp->onlyattr > 0)
554 BIO_printf(out, "%*sOnly Attribute Certificates\n", indent, "");
555 if (!idp->distpoint && (idp->onlyuser <= 0) && (idp->onlyCA <= 0)
556 && (idp->indirectCRL <= 0) && !idp->onlysomereasons
557 && (idp->onlyattr <= 0))
558 BIO_printf(out, "%*s<EMPTY>\n", indent, "");
559
560 return 1;
561 }
562
563static int i2r_crldp(const X509V3_EXT_METHOD *method, void *pcrldp, BIO *out,
564 int indent)
565 {
566 STACK_OF(DIST_POINT) *crld = pcrldp;
567 DIST_POINT *point;
568 int i;
569 for(i = 0; i < sk_DIST_POINT_num(crld); i++)
570 {
571 BIO_puts(out, "\n");
572 point = sk_DIST_POINT_value(crld, i);
573 if(point->distpoint)
574 print_distpoint(out, point->distpoint, indent);
575 if(point->reasons)
576 print_reasons(out, "Reasons", point->reasons,
577 indent);
578 if(point->CRLissuer)
579 {
580 BIO_printf(out, "%*sCRL Issuer:\n", indent, "");
581 print_gens(out, point->CRLissuer, indent);
582 }
583 }
584 return 1;
585 }
586
587int DIST_POINT_set_dpname(DIST_POINT_NAME *dpn, X509_NAME *iname)
588 {
589 int i;
590 STACK_OF(X509_NAME_ENTRY) *frag;
591 X509_NAME_ENTRY *ne;
592 if (!dpn || (dpn->type != 1))
593 return 1;
594 frag = dpn->name.relativename;
595 dpn->dpname = X509_NAME_dup(iname);
596 if (!dpn->dpname)
597 return 0;
598 for (i = 0; i < sk_X509_NAME_ENTRY_num(frag); i++)
599 {
600 ne = sk_X509_NAME_ENTRY_value(frag, i);
601 if (!X509_NAME_add_entry(dpn->dpname, ne, -1, i ? 0 : 1))
602 {
603 X509_NAME_free(dpn->dpname);
604 dpn->dpname = NULL;
605 return 0;
606 }
607 }
608 /* generate cached encoding of name */
609 if (i2d_X509_NAME(dpn->dpname, NULL) < 0)
610 {
611 X509_NAME_free(dpn->dpname);
612 dpn->dpname = NULL;
613 return 0;
614 }
615 return 1;
616 }
diff --git a/src/lib/libcrypto/x509v3/v3_enum.c b/src/lib/libcrypto/x509v3/v3_enum.c
index 36576eaa4d..c0575e368d 100644
--- a/src/lib/libcrypto/x509v3/v3_enum.c
+++ b/src/lib/libcrypto/x509v3/v3_enum.c
@@ -61,14 +61,17 @@
61#include <openssl/x509v3.h> 61#include <openssl/x509v3.h>
62 62
63static ENUMERATED_NAMES crl_reasons[] = { 63static ENUMERATED_NAMES crl_reasons[] = {
64{0, "Unspecified", "unspecified"}, 64{CRL_REASON_UNSPECIFIED, "Unspecified", "unspecified"},
65{1, "Key Compromise", "keyCompromise"}, 65{CRL_REASON_KEY_COMPROMISE, "Key Compromise", "keyCompromise"},
66{2, "CA Compromise", "CACompromise"}, 66{CRL_REASON_CA_COMPROMISE, "CA Compromise", "CACompromise"},
67{3, "Affiliation Changed", "affiliationChanged"}, 67{CRL_REASON_AFFILIATION_CHANGED, "Affiliation Changed", "affiliationChanged"},
68{4, "Superseded", "superseded"}, 68{CRL_REASON_SUPERSEDED, "Superseded", "superseded"},
69{5, "Cessation Of Operation", "cessationOfOperation"}, 69{CRL_REASON_CESSATION_OF_OPERATION,
70{6, "Certificate Hold", "certificateHold"}, 70 "Cessation Of Operation", "cessationOfOperation"},
71{8, "Remove From CRL", "removeFromCRL"}, 71{CRL_REASON_CERTIFICATE_HOLD, "Certificate Hold", "certificateHold"},
72{CRL_REASON_REMOVE_FROM_CRL, "Remove From CRL", "removeFromCRL"},
73{CRL_REASON_PRIVILEGE_WITHDRAWN, "Privilege Withdrawn", "privilegeWithdrawn"},
74{CRL_REASON_AA_COMPROMISE, "AA Compromise", "AACompromise"},
72{-1, NULL, NULL} 75{-1, NULL, NULL}
73}; 76};
74 77
diff --git a/src/lib/libcrypto/x509v3/v3_extku.c b/src/lib/libcrypto/x509v3/v3_extku.c
index c0d14500ed..1c66532757 100644
--- a/src/lib/libcrypto/x509v3/v3_extku.c
+++ b/src/lib/libcrypto/x509v3/v3_extku.c
@@ -63,9 +63,10 @@
63#include <openssl/conf.h> 63#include <openssl/conf.h>
64#include <openssl/x509v3.h> 64#include <openssl/x509v3.h>
65 65
66static void *v2i_EXTENDED_KEY_USAGE(X509V3_EXT_METHOD *method, 66static void *v2i_EXTENDED_KEY_USAGE(const X509V3_EXT_METHOD *method,
67 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval); 67 X509V3_CTX *ctx,
68static STACK_OF(CONF_VALUE) *i2v_EXTENDED_KEY_USAGE(X509V3_EXT_METHOD *method, 68 STACK_OF(CONF_VALUE) *nval);
69static STACK_OF(CONF_VALUE) *i2v_EXTENDED_KEY_USAGE(const X509V3_EXT_METHOD *method,
69 void *eku, STACK_OF(CONF_VALUE) *extlist); 70 void *eku, STACK_OF(CONF_VALUE) *extlist);
70 71
71const X509V3_EXT_METHOD v3_ext_ku = { 72const X509V3_EXT_METHOD v3_ext_ku = {
@@ -97,8 +98,9 @@ ASN1_ITEM_TEMPLATE_END(EXTENDED_KEY_USAGE)
97 98
98IMPLEMENT_ASN1_FUNCTIONS(EXTENDED_KEY_USAGE) 99IMPLEMENT_ASN1_FUNCTIONS(EXTENDED_KEY_USAGE)
99 100
100static STACK_OF(CONF_VALUE) *i2v_EXTENDED_KEY_USAGE(X509V3_EXT_METHOD *method, 101static STACK_OF(CONF_VALUE) *
101 void *a, STACK_OF(CONF_VALUE) *ext_list) 102 i2v_EXTENDED_KEY_USAGE(const X509V3_EXT_METHOD *method, void *a,
103 STACK_OF(CONF_VALUE) *ext_list)
102{ 104{
103 EXTENDED_KEY_USAGE *eku = a; 105 EXTENDED_KEY_USAGE *eku = a;
104 int i; 106 int i;
@@ -112,8 +114,8 @@ static STACK_OF(CONF_VALUE) *i2v_EXTENDED_KEY_USAGE(X509V3_EXT_METHOD *method,
112 return ext_list; 114 return ext_list;
113} 115}
114 116
115static void *v2i_EXTENDED_KEY_USAGE(X509V3_EXT_METHOD *method, 117static void *v2i_EXTENDED_KEY_USAGE(const X509V3_EXT_METHOD *method,
116 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval) 118 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
117{ 119{
118 EXTENDED_KEY_USAGE *extku; 120 EXTENDED_KEY_USAGE *extku;
119 char *extval; 121 char *extval;
diff --git a/src/lib/libcrypto/x509v3/v3_genn.c b/src/lib/libcrypto/x509v3/v3_genn.c
index 84b4b1c881..b628357301 100644
--- a/src/lib/libcrypto/x509v3/v3_genn.c
+++ b/src/lib/libcrypto/x509v3/v3_genn.c
@@ -3,7 +3,7 @@
3 * project 1999. 3 * project 1999.
4 */ 4 */
5/* ==================================================================== 5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved. 6 * Copyright (c) 1999-2008 The OpenSSL Project. All rights reserved.
7 * 7 *
8 * Redistribution and use in source and binary forms, with or without 8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions 9 * modification, are permitted provided that the following conditions
@@ -99,3 +99,154 @@ ASN1_ITEM_TEMPLATE(GENERAL_NAMES) =
99ASN1_ITEM_TEMPLATE_END(GENERAL_NAMES) 99ASN1_ITEM_TEMPLATE_END(GENERAL_NAMES)
100 100
101IMPLEMENT_ASN1_FUNCTIONS(GENERAL_NAMES) 101IMPLEMENT_ASN1_FUNCTIONS(GENERAL_NAMES)
102
103GENERAL_NAME *GENERAL_NAME_dup(GENERAL_NAME *a)
104 {
105 return (GENERAL_NAME *) ASN1_dup((i2d_of_void *) i2d_GENERAL_NAME,
106 (d2i_of_void *) d2i_GENERAL_NAME,
107 (char *) a);
108 }
109
110/* Returns 0 if they are equal, != 0 otherwise. */
111int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b)
112 {
113 int result = -1;
114
115 if (!a || !b || a->type != b->type) return -1;
116 switch(a->type)
117 {
118 case GEN_X400:
119 case GEN_EDIPARTY:
120 result = ASN1_TYPE_cmp(a->d.other, b->d.other);
121 break;
122
123 case GEN_OTHERNAME:
124 result = OTHERNAME_cmp(a->d.otherName, b->d.otherName);
125 break;
126
127 case GEN_EMAIL:
128 case GEN_DNS:
129 case GEN_URI:
130 result = ASN1_STRING_cmp(a->d.ia5, b->d.ia5);
131 break;
132
133 case GEN_DIRNAME:
134 result = X509_NAME_cmp(a->d.dirn, b->d.dirn);
135 break;
136
137 case GEN_IPADD:
138 result = ASN1_OCTET_STRING_cmp(a->d.ip, b->d.ip);
139 break;
140
141 case GEN_RID:
142 result = OBJ_cmp(a->d.rid, b->d.rid);
143 break;
144 }
145 return result;
146 }
147
148/* Returns 0 if they are equal, != 0 otherwise. */
149int OTHERNAME_cmp(OTHERNAME *a, OTHERNAME *b)
150 {
151 int result = -1;
152
153 if (!a || !b) return -1;
154 /* Check their type first. */
155 if ((result = OBJ_cmp(a->type_id, b->type_id)) != 0)
156 return result;
157 /* Check the value. */
158 result = ASN1_TYPE_cmp(a->value, b->value);
159 return result;
160 }
161
162void GENERAL_NAME_set0_value(GENERAL_NAME *a, int type, void *value)
163 {
164 switch(type)
165 {
166 case GEN_X400:
167 case GEN_EDIPARTY:
168 a->d.other = value;
169 break;
170
171 case GEN_OTHERNAME:
172 a->d.otherName = value;
173 break;
174
175 case GEN_EMAIL:
176 case GEN_DNS:
177 case GEN_URI:
178 a->d.ia5 = value;
179 break;
180
181 case GEN_DIRNAME:
182 a->d.dirn = value;
183 break;
184
185 case GEN_IPADD:
186 a->d.ip = value;
187 break;
188
189 case GEN_RID:
190 a->d.rid = value;
191 break;
192 }
193 a->type = type;
194 }
195
196void *GENERAL_NAME_get0_value(GENERAL_NAME *a, int *ptype)
197 {
198 if (ptype)
199 *ptype = a->type;
200 switch(a->type)
201 {
202 case GEN_X400:
203 case GEN_EDIPARTY:
204 return a->d.other;
205
206 case GEN_OTHERNAME:
207 return a->d.otherName;
208
209 case GEN_EMAIL:
210 case GEN_DNS:
211 case GEN_URI:
212 return a->d.ia5;
213
214 case GEN_DIRNAME:
215 return a->d.dirn;
216
217 case GEN_IPADD:
218 return a->d.ip;
219
220 case GEN_RID:
221 return a->d.rid;
222
223 default:
224 return NULL;
225 }
226 }
227
228int GENERAL_NAME_set0_othername(GENERAL_NAME *gen,
229 ASN1_OBJECT *oid, ASN1_TYPE *value)
230 {
231 OTHERNAME *oth;
232 oth = OTHERNAME_new();
233 if (!oth)
234 return 0;
235 oth->type_id = oid;
236 oth->value = value;
237 GENERAL_NAME_set0_value(gen, GEN_OTHERNAME, oth);
238 return 1;
239 }
240
241int GENERAL_NAME_get0_otherName(GENERAL_NAME *gen,
242 ASN1_OBJECT **poid, ASN1_TYPE **pvalue)
243 {
244 if (gen->type != GEN_OTHERNAME)
245 return 0;
246 if (poid)
247 *poid = gen->d.otherName->type_id;
248 if (pvalue)
249 *pvalue = gen->d.otherName->value;
250 return 1;
251 }
252
diff --git a/src/lib/libcrypto/x509v3/v3_lib.c b/src/lib/libcrypto/x509v3/v3_lib.c
index df3a48f43e..0f1e1d4422 100644
--- a/src/lib/libcrypto/x509v3/v3_lib.c
+++ b/src/lib/libcrypto/x509v3/v3_lib.c
@@ -84,20 +84,24 @@ int X509V3_EXT_add(X509V3_EXT_METHOD *ext)
84} 84}
85 85
86static int ext_cmp(const X509V3_EXT_METHOD * const *a, 86static int ext_cmp(const X509V3_EXT_METHOD * const *a,
87 const X509V3_EXT_METHOD * const *b) 87 const X509V3_EXT_METHOD * const *b)
88{ 88{
89 return ((*a)->ext_nid - (*b)->ext_nid); 89 return ((*a)->ext_nid - (*b)->ext_nid);
90} 90}
91 91
92X509V3_EXT_METHOD *X509V3_EXT_get_nid(int nid) 92DECLARE_OBJ_BSEARCH_CMP_FN(const X509V3_EXT_METHOD *, const X509V3_EXT_METHOD *,
93 ext);
94IMPLEMENT_OBJ_BSEARCH_CMP_FN(const X509V3_EXT_METHOD *,
95 const X509V3_EXT_METHOD *, ext);
96
97const X509V3_EXT_METHOD *X509V3_EXT_get_nid(int nid)
93{ 98{
94 X509V3_EXT_METHOD tmp, *t = &tmp, **ret; 99 X509V3_EXT_METHOD tmp;
100 const X509V3_EXT_METHOD *t = &tmp, * const *ret;
95 int idx; 101 int idx;
96 if(nid < 0) return NULL; 102 if(nid < 0) return NULL;
97 tmp.ext_nid = nid; 103 tmp.ext_nid = nid;
98 ret = (X509V3_EXT_METHOD **) OBJ_bsearch((char *)&t, 104 ret = OBJ_bsearch_ext(&t, standard_exts, STANDARD_EXTENSION_COUNT);
99 (char *)standard_exts, STANDARD_EXTENSION_COUNT,
100 sizeof(X509V3_EXT_METHOD *), (int (*)(const void *, const void *))ext_cmp);
101 if(ret) return *ret; 105 if(ret) return *ret;
102 if(!ext_list) return NULL; 106 if(!ext_list) return NULL;
103 idx = sk_X509V3_EXT_METHOD_find(ext_list, &tmp); 107 idx = sk_X509V3_EXT_METHOD_find(ext_list, &tmp);
@@ -105,7 +109,7 @@ X509V3_EXT_METHOD *X509V3_EXT_get_nid(int nid)
105 return sk_X509V3_EXT_METHOD_value(ext_list, idx); 109 return sk_X509V3_EXT_METHOD_value(ext_list, idx);
106} 110}
107 111
108X509V3_EXT_METHOD *X509V3_EXT_get(X509_EXTENSION *ext) 112const X509V3_EXT_METHOD *X509V3_EXT_get(X509_EXTENSION *ext)
109{ 113{
110 int nid; 114 int nid;
111 if((nid = OBJ_obj2nid(ext->object)) == NID_undef) return NULL; 115 if((nid = OBJ_obj2nid(ext->object)) == NID_undef) return NULL;
@@ -122,7 +126,9 @@ int X509V3_EXT_add_list(X509V3_EXT_METHOD *extlist)
122 126
123int X509V3_EXT_add_alias(int nid_to, int nid_from) 127int X509V3_EXT_add_alias(int nid_to, int nid_from)
124{ 128{
125 X509V3_EXT_METHOD *ext, *tmpext; 129 const X509V3_EXT_METHOD *ext;
130 X509V3_EXT_METHOD *tmpext;
131
126 if(!(ext = X509V3_EXT_get_nid(nid_from))) { 132 if(!(ext = X509V3_EXT_get_nid(nid_from))) {
127 X509V3err(X509V3_F_X509V3_EXT_ADD_ALIAS,X509V3_R_EXTENSION_NOT_FOUND); 133 X509V3err(X509V3_F_X509V3_EXT_ADD_ALIAS,X509V3_R_EXTENSION_NOT_FOUND);
128 return 0; 134 return 0;
@@ -161,7 +167,7 @@ int X509V3_add_standard_extensions(void)
161 167
162void *X509V3_EXT_d2i(X509_EXTENSION *ext) 168void *X509V3_EXT_d2i(X509_EXTENSION *ext)
163{ 169{
164 X509V3_EXT_METHOD *method; 170 const X509V3_EXT_METHOD *method;
165 const unsigned char *p; 171 const unsigned char *p;
166 172
167 if(!(method = X509V3_EXT_get(ext))) return NULL; 173 if(!(method = X509V3_EXT_get(ext))) return NULL;
diff --git a/src/lib/libcrypto/x509v3/v3_ncons.c b/src/lib/libcrypto/x509v3/v3_ncons.c
index 4e706be3e1..689df46acd 100644
--- a/src/lib/libcrypto/x509v3/v3_ncons.c
+++ b/src/lib/libcrypto/x509v3/v3_ncons.c
@@ -63,15 +63,22 @@
63#include <openssl/conf.h> 63#include <openssl/conf.h>
64#include <openssl/x509v3.h> 64#include <openssl/x509v3.h>
65 65
66static void *v2i_NAME_CONSTRAINTS(X509V3_EXT_METHOD *method, 66static void *v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method,
67 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval); 67 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
68static int i2r_NAME_CONSTRAINTS(X509V3_EXT_METHOD *method, 68static int i2r_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method,
69 void *a, BIO *bp, int ind); 69 void *a, BIO *bp, int ind);
70static int do_i2r_name_constraints(X509V3_EXT_METHOD *method, 70static int do_i2r_name_constraints(const X509V3_EXT_METHOD *method,
71 STACK_OF(GENERAL_SUBTREE) *trees, 71 STACK_OF(GENERAL_SUBTREE) *trees,
72 BIO *bp, int ind, char *name); 72 BIO *bp, int ind, char *name);
73static int print_nc_ipadd(BIO *bp, ASN1_OCTET_STRING *ip); 73static int print_nc_ipadd(BIO *bp, ASN1_OCTET_STRING *ip);
74 74
75static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc);
76static int nc_match_single(GENERAL_NAME *sub, GENERAL_NAME *gen);
77static int nc_dn(X509_NAME *sub, X509_NAME *nm);
78static int nc_dns(ASN1_IA5STRING *sub, ASN1_IA5STRING *dns);
79static int nc_email(ASN1_IA5STRING *sub, ASN1_IA5STRING *eml);
80static int nc_uri(ASN1_IA5STRING *uri, ASN1_IA5STRING *base);
81
75const X509V3_EXT_METHOD v3_name_constraints = { 82const X509V3_EXT_METHOD v3_name_constraints = {
76 NID_name_constraints, 0, 83 NID_name_constraints, 0,
77 ASN1_ITEM_ref(NAME_CONSTRAINTS), 84 ASN1_ITEM_ref(NAME_CONSTRAINTS),
@@ -99,8 +106,8 @@ ASN1_SEQUENCE(NAME_CONSTRAINTS) = {
99IMPLEMENT_ASN1_ALLOC_FUNCTIONS(GENERAL_SUBTREE) 106IMPLEMENT_ASN1_ALLOC_FUNCTIONS(GENERAL_SUBTREE)
100IMPLEMENT_ASN1_ALLOC_FUNCTIONS(NAME_CONSTRAINTS) 107IMPLEMENT_ASN1_ALLOC_FUNCTIONS(NAME_CONSTRAINTS)
101 108
102static void *v2i_NAME_CONSTRAINTS(X509V3_EXT_METHOD *method, 109static void *v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method,
103 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval) 110 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
104 { 111 {
105 int i; 112 int i;
106 CONF_VALUE tval, *val; 113 CONF_VALUE tval, *val;
@@ -155,8 +162,8 @@ static void *v2i_NAME_CONSTRAINTS(X509V3_EXT_METHOD *method,
155 162
156 163
157 164
158static int i2r_NAME_CONSTRAINTS(X509V3_EXT_METHOD *method, 165static int i2r_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method, void *a,
159 void *a, BIO *bp, int ind) 166 BIO *bp, int ind)
160 { 167 {
161 NAME_CONSTRAINTS *ncons = a; 168 NAME_CONSTRAINTS *ncons = a;
162 do_i2r_name_constraints(method, ncons->permittedSubtrees, 169 do_i2r_name_constraints(method, ncons->permittedSubtrees,
@@ -166,9 +173,9 @@ static int i2r_NAME_CONSTRAINTS(X509V3_EXT_METHOD *method,
166 return 1; 173 return 1;
167 } 174 }
168 175
169static int do_i2r_name_constraints(X509V3_EXT_METHOD *method, 176static int do_i2r_name_constraints(const X509V3_EXT_METHOD *method,
170 STACK_OF(GENERAL_SUBTREE) *trees, 177 STACK_OF(GENERAL_SUBTREE) *trees,
171 BIO *bp, int ind, char *name) 178 BIO *bp, int ind, char *name)
172 { 179 {
173 GENERAL_SUBTREE *tree; 180 GENERAL_SUBTREE *tree;
174 int i; 181 int i;
@@ -218,3 +225,282 @@ static int print_nc_ipadd(BIO *bp, ASN1_OCTET_STRING *ip)
218 return 1; 225 return 1;
219 } 226 }
220 227
228/* Check a certificate conforms to a specified set of constraints.
229 * Return values:
230 * X509_V_OK: All constraints obeyed.
231 * X509_V_ERR_PERMITTED_VIOLATION: Permitted subtree violation.
232 * X509_V_ERR_EXCLUDED_VIOLATION: Excluded subtree violation.
233 * X509_V_ERR_SUBTREE_MINMAX: Min or max values present and matching type.
234 * X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE: Unsupported constraint type.
235 * X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX: bad unsupported constraint syntax.
236 * X509_V_ERR_UNSUPPORTED_NAME_SYNTAX: bad or unsupported syntax of name
237
238 */
239
240int NAME_CONSTRAINTS_check(X509 *x, NAME_CONSTRAINTS *nc)
241 {
242 int r, i;
243 X509_NAME *nm;
244
245 nm = X509_get_subject_name(x);
246
247 if (X509_NAME_entry_count(nm) > 0)
248 {
249 GENERAL_NAME gntmp;
250 gntmp.type = GEN_DIRNAME;
251 gntmp.d.directoryName = nm;
252
253 r = nc_match(&gntmp, nc);
254
255 if (r != X509_V_OK)
256 return r;
257
258 gntmp.type = GEN_EMAIL;
259
260
261 /* Process any email address attributes in subject name */
262
263 for (i = -1;;)
264 {
265 X509_NAME_ENTRY *ne;
266 i = X509_NAME_get_index_by_NID(nm,
267 NID_pkcs9_emailAddress,
268 i);
269 if (i == -1)
270 break;
271 ne = X509_NAME_get_entry(nm, i);
272 gntmp.d.rfc822Name = X509_NAME_ENTRY_get_data(ne);
273 if (gntmp.d.rfc822Name->type != V_ASN1_IA5STRING)
274 return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
275
276 r = nc_match(&gntmp, nc);
277
278 if (r != X509_V_OK)
279 return r;
280 }
281
282 }
283
284 for (i = 0; i < sk_GENERAL_NAME_num(x->altname); i++)
285 {
286 GENERAL_NAME *gen = sk_GENERAL_NAME_value(x->altname, i);
287 r = nc_match(gen, nc);
288 if (r != X509_V_OK)
289 return r;
290 }
291
292 return X509_V_OK;
293
294 }
295
296static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc)
297 {
298 GENERAL_SUBTREE *sub;
299 int i, r, match = 0;
300
301 /* Permitted subtrees: if any subtrees exist of matching the type
302 * at least one subtree must match.
303 */
304
305 for (i = 0; i < sk_GENERAL_SUBTREE_num(nc->permittedSubtrees); i++)
306 {
307 sub = sk_GENERAL_SUBTREE_value(nc->permittedSubtrees, i);
308 if (gen->type != sub->base->type)
309 continue;
310 if (sub->minimum || sub->maximum)
311 return X509_V_ERR_SUBTREE_MINMAX;
312 /* If we already have a match don't bother trying any more */
313 if (match == 2)
314 continue;
315 if (match == 0)
316 match = 1;
317 r = nc_match_single(gen, sub->base);
318 if (r == X509_V_OK)
319 match = 2;
320 else if (r != X509_V_ERR_PERMITTED_VIOLATION)
321 return r;
322 }
323
324 if (match == 1)
325 return X509_V_ERR_PERMITTED_VIOLATION;
326
327 /* Excluded subtrees: must not match any of these */
328
329 for (i = 0; i < sk_GENERAL_SUBTREE_num(nc->excludedSubtrees); i++)
330 {
331 sub = sk_GENERAL_SUBTREE_value(nc->excludedSubtrees, i);
332 if (gen->type != sub->base->type)
333 continue;
334 if (sub->minimum || sub->maximum)
335 return X509_V_ERR_SUBTREE_MINMAX;
336
337 r = nc_match_single(gen, sub->base);
338 if (r == X509_V_OK)
339 return X509_V_ERR_EXCLUDED_VIOLATION;
340 else if (r != X509_V_ERR_PERMITTED_VIOLATION)
341 return r;
342
343 }
344
345 return X509_V_OK;
346
347 }
348
349static int nc_match_single(GENERAL_NAME *gen, GENERAL_NAME *base)
350 {
351 switch(base->type)
352 {
353 case GEN_DIRNAME:
354 return nc_dn(gen->d.directoryName, base->d.directoryName);
355
356 case GEN_DNS:
357 return nc_dns(gen->d.dNSName, base->d.dNSName);
358
359 case GEN_EMAIL:
360 return nc_email(gen->d.rfc822Name, base->d.rfc822Name);
361
362 case GEN_URI:
363 return nc_uri(gen->d.uniformResourceIdentifier,
364 base->d.uniformResourceIdentifier);
365
366 default:
367 return X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE;
368 }
369
370 }
371
372/* directoryName name constraint matching.
373 * The canonical encoding of X509_NAME makes this comparison easy. It is
374 * matched if the subtree is a subset of the name.
375 */
376
377static int nc_dn(X509_NAME *nm, X509_NAME *base)
378 {
379 /* Ensure canonical encodings are up to date. */
380 if (nm->modified && i2d_X509_NAME(nm, NULL) < 0)
381 return X509_V_ERR_OUT_OF_MEM;
382 if (base->modified && i2d_X509_NAME(base, NULL) < 0)
383 return X509_V_ERR_OUT_OF_MEM;
384 if (base->canon_enclen > nm->canon_enclen)
385 return X509_V_ERR_PERMITTED_VIOLATION;
386 if (memcmp(base->canon_enc, nm->canon_enc, base->canon_enclen))
387 return X509_V_ERR_PERMITTED_VIOLATION;
388 return X509_V_OK;
389 }
390
391static int nc_dns(ASN1_IA5STRING *dns, ASN1_IA5STRING *base)
392 {
393 char *baseptr = (char *)base->data;
394 char *dnsptr = (char *)dns->data;
395 /* Empty matches everything */
396 if (!*baseptr)
397 return X509_V_OK;
398 /* Otherwise can add zero or more components on the left so
399 * compare RHS and if dns is longer and expect '.' as preceding
400 * character.
401 */
402 if (dns->length > base->length)
403 {
404 dnsptr += dns->length - base->length;
405 if (dnsptr[-1] != '.')
406 return X509_V_ERR_PERMITTED_VIOLATION;
407 }
408
409 if (strcasecmp(baseptr, dnsptr))
410 return X509_V_ERR_PERMITTED_VIOLATION;
411
412 return X509_V_OK;
413
414 }
415
416static int nc_email(ASN1_IA5STRING *eml, ASN1_IA5STRING *base)
417 {
418 const char *baseptr = (char *)base->data;
419 const char *emlptr = (char *)eml->data;
420
421 const char *baseat = strchr(baseptr, '@');
422 const char *emlat = strchr(emlptr, '@');
423 if (!emlat)
424 return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
425 /* Special case: inital '.' is RHS match */
426 if (!baseat && (*baseptr == '.'))
427 {
428 if (eml->length > base->length)
429 {
430 emlptr += eml->length - base->length;
431 if (!strcasecmp(baseptr, emlptr))
432 return X509_V_OK;
433 }
434 return X509_V_ERR_PERMITTED_VIOLATION;
435 }
436
437 /* If we have anything before '@' match local part */
438
439 if (baseat)
440 {
441 if (baseat != baseptr)
442 {
443 if ((baseat - baseptr) != (emlat - emlptr))
444 return X509_V_ERR_PERMITTED_VIOLATION;
445 /* Case sensitive match of local part */
446 if (strncmp(baseptr, emlptr, emlat - emlptr))
447 return X509_V_ERR_PERMITTED_VIOLATION;
448 }
449 /* Position base after '@' */
450 baseptr = baseat + 1;
451 }
452 emlptr = emlat + 1;
453 /* Just have hostname left to match: case insensitive */
454 if (strcasecmp(baseptr, emlptr))
455 return X509_V_ERR_PERMITTED_VIOLATION;
456
457 return X509_V_OK;
458
459 }
460
461static int nc_uri(ASN1_IA5STRING *uri, ASN1_IA5STRING *base)
462 {
463 const char *baseptr = (char *)base->data;
464 const char *hostptr = (char *)uri->data;
465 const char *p = strchr(hostptr, ':');
466 int hostlen;
467 /* Check for foo:// and skip past it */
468 if (!p || (p[1] != '/') || (p[2] != '/'))
469 return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
470 hostptr = p + 3;
471
472 /* Determine length of hostname part of URI */
473
474 /* Look for a port indicator as end of hostname first */
475
476 p = strchr(hostptr, ':');
477 /* Otherwise look for trailing slash */
478 if (!p)
479 p = strchr(hostptr, '/');
480
481 if (!p)
482 hostlen = strlen(hostptr);
483 else
484 hostlen = p - hostptr;
485
486 if (hostlen == 0)
487 return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
488
489 /* Special case: inital '.' is RHS match */
490 if (*baseptr == '.')
491 {
492 if (hostlen > base->length)
493 {
494 p = hostptr + hostlen - base->length;
495 if (!strncasecmp(p, baseptr, base->length))
496 return X509_V_OK;
497 }
498 return X509_V_ERR_PERMITTED_VIOLATION;
499 }
500
501 if ((base->length != (int)hostlen) || strncasecmp(hostptr, baseptr, hostlen))
502 return X509_V_ERR_PERMITTED_VIOLATION;
503
504 return X509_V_OK;
505
506 }
diff --git a/src/lib/libcrypto/x509v3/v3_ocsp.c b/src/lib/libcrypto/x509v3/v3_ocsp.c
index e426ea930c..0c165af314 100644
--- a/src/lib/libcrypto/x509v3/v3_ocsp.c
+++ b/src/lib/libcrypto/x509v3/v3_ocsp.c
@@ -68,19 +68,26 @@
68/* OCSP extensions and a couple of CRL entry extensions 68/* OCSP extensions and a couple of CRL entry extensions
69 */ 69 */
70 70
71static int i2r_ocsp_crlid(X509V3_EXT_METHOD *method, void *nonce, BIO *out, int indent); 71static int i2r_ocsp_crlid(const X509V3_EXT_METHOD *method, void *nonce,
72static int i2r_ocsp_acutoff(X509V3_EXT_METHOD *method, void *nonce, BIO *out, int indent); 72 BIO *out, int indent);
73static int i2r_object(X509V3_EXT_METHOD *method, void *obj, BIO *out, int indent); 73static int i2r_ocsp_acutoff(const X509V3_EXT_METHOD *method, void *nonce,
74 BIO *out, int indent);
75static int i2r_object(const X509V3_EXT_METHOD *method, void *obj, BIO *out,
76 int indent);
74 77
75static void *ocsp_nonce_new(void); 78static void *ocsp_nonce_new(void);
76static int i2d_ocsp_nonce(void *a, unsigned char **pp); 79static int i2d_ocsp_nonce(void *a, unsigned char **pp);
77static void *d2i_ocsp_nonce(void *a, const unsigned char **pp, long length); 80static void *d2i_ocsp_nonce(void *a, const unsigned char **pp, long length);
78static void ocsp_nonce_free(void *a); 81static void ocsp_nonce_free(void *a);
79static int i2r_ocsp_nonce(X509V3_EXT_METHOD *method, void *nonce, BIO *out, int indent); 82static int i2r_ocsp_nonce(const X509V3_EXT_METHOD *method, void *nonce,
83 BIO *out, int indent);
80 84
81static int i2r_ocsp_nocheck(X509V3_EXT_METHOD *method, void *nocheck, BIO *out, int indent); 85static int i2r_ocsp_nocheck(const X509V3_EXT_METHOD *method,
82static void *s2i_ocsp_nocheck(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, const char *str); 86 void *nocheck, BIO *out, int indent);
83static int i2r_ocsp_serviceloc(X509V3_EXT_METHOD *method, void *in, BIO *bp, int ind); 87static void *s2i_ocsp_nocheck(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
88 const char *str);
89static int i2r_ocsp_serviceloc(const X509V3_EXT_METHOD *method, void *in,
90 BIO *bp, int ind);
84 91
85const X509V3_EXT_METHOD v3_ocsp_crlid = { 92const X509V3_EXT_METHOD v3_ocsp_crlid = {
86 NID_id_pkix_OCSP_CrlID, 0, ASN1_ITEM_ref(OCSP_CRLID), 93 NID_id_pkix_OCSP_CrlID, 0, ASN1_ITEM_ref(OCSP_CRLID),
@@ -148,44 +155,47 @@ const X509V3_EXT_METHOD v3_ocsp_serviceloc = {
148 NULL 155 NULL
149}; 156};
150 157
151static int i2r_ocsp_crlid(X509V3_EXT_METHOD *method, void *in, BIO *bp, int ind) 158static int i2r_ocsp_crlid(const X509V3_EXT_METHOD *method, void *in, BIO *bp,
159 int ind)
152{ 160{
153 OCSP_CRLID *a = in; 161 OCSP_CRLID *a = in;
154 if (a->crlUrl) 162 if (a->crlUrl)
155 { 163 {
156 if (!BIO_printf(bp, "%*scrlUrl: ", ind, "")) goto err; 164 if (BIO_printf(bp, "%*scrlUrl: ", ind, "") <= 0) goto err;
157 if (!ASN1_STRING_print(bp, (ASN1_STRING*)a->crlUrl)) goto err; 165 if (!ASN1_STRING_print(bp, (ASN1_STRING*)a->crlUrl)) goto err;
158 if (!BIO_write(bp, "\n", 1)) goto err; 166 if (BIO_write(bp, "\n", 1) <= 0) goto err;
159 } 167 }
160 if (a->crlNum) 168 if (a->crlNum)
161 { 169 {
162 if (!BIO_printf(bp, "%*scrlNum: ", ind, "")) goto err; 170 if (BIO_printf(bp, "%*scrlNum: ", ind, "") <= 0) goto err;
163 if (!i2a_ASN1_INTEGER(bp, a->crlNum)) goto err; 171 if (i2a_ASN1_INTEGER(bp, a->crlNum) <= 0) goto err;
164 if (!BIO_write(bp, "\n", 1)) goto err; 172 if (BIO_write(bp, "\n", 1) <= 0) goto err;
165 } 173 }
166 if (a->crlTime) 174 if (a->crlTime)
167 { 175 {
168 if (!BIO_printf(bp, "%*scrlTime: ", ind, "")) goto err; 176 if (BIO_printf(bp, "%*scrlTime: ", ind, "") <= 0) goto err;
169 if (!ASN1_GENERALIZEDTIME_print(bp, a->crlTime)) goto err; 177 if (!ASN1_GENERALIZEDTIME_print(bp, a->crlTime)) goto err;
170 if (!BIO_write(bp, "\n", 1)) goto err; 178 if (BIO_write(bp, "\n", 1) <= 0) goto err;
171 } 179 }
172 return 1; 180 return 1;
173 err: 181 err:
174 return 0; 182 return 0;
175} 183}
176 184
177static int i2r_ocsp_acutoff(X509V3_EXT_METHOD *method, void *cutoff, BIO *bp, int ind) 185static int i2r_ocsp_acutoff(const X509V3_EXT_METHOD *method, void *cutoff,
186 BIO *bp, int ind)
178{ 187{
179 if (!BIO_printf(bp, "%*s", ind, "")) return 0; 188 if (BIO_printf(bp, "%*s", ind, "") <= 0) return 0;
180 if(!ASN1_GENERALIZEDTIME_print(bp, cutoff)) return 0; 189 if(!ASN1_GENERALIZEDTIME_print(bp, cutoff)) return 0;
181 return 1; 190 return 1;
182} 191}
183 192
184 193
185static int i2r_object(X509V3_EXT_METHOD *method, void *oid, BIO *bp, int ind) 194static int i2r_object(const X509V3_EXT_METHOD *method, void *oid, BIO *bp,
195 int ind)
186{ 196{
187 if (!BIO_printf(bp, "%*s", ind, "")) return 0; 197 if (BIO_printf(bp, "%*s", ind, "") <= 0) return 0;
188 if(!i2a_ASN1_OBJECT(bp, oid)) return 0; 198 if(i2a_ASN1_OBJECT(bp, oid) <= 0) return 0;
189 return 1; 199 return 1;
190} 200}
191 201
@@ -232,7 +242,8 @@ static void ocsp_nonce_free(void *a)
232 M_ASN1_OCTET_STRING_free(a); 242 M_ASN1_OCTET_STRING_free(a);
233} 243}
234 244
235static int i2r_ocsp_nonce(X509V3_EXT_METHOD *method, void *nonce, BIO *out, int indent) 245static int i2r_ocsp_nonce(const X509V3_EXT_METHOD *method, void *nonce,
246 BIO *out, int indent)
236{ 247{
237 if(BIO_printf(out, "%*s", indent, "") <= 0) return 0; 248 if(BIO_printf(out, "%*s", indent, "") <= 0) return 0;
238 if(i2a_ASN1_STRING(out, nonce, V_ASN1_OCTET_STRING) <= 0) return 0; 249 if(i2a_ASN1_STRING(out, nonce, V_ASN1_OCTET_STRING) <= 0) return 0;
@@ -241,17 +252,20 @@ static int i2r_ocsp_nonce(X509V3_EXT_METHOD *method, void *nonce, BIO *out, int
241 252
242/* Nocheck is just a single NULL. Don't print anything and always set it */ 253/* Nocheck is just a single NULL. Don't print anything and always set it */
243 254
244static int i2r_ocsp_nocheck(X509V3_EXT_METHOD *method, void *nocheck, BIO *out, int indent) 255static int i2r_ocsp_nocheck(const X509V3_EXT_METHOD *method, void *nocheck,
256 BIO *out, int indent)
245{ 257{
246 return 1; 258 return 1;
247} 259}
248 260
249static void *s2i_ocsp_nocheck(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, const char *str) 261static void *s2i_ocsp_nocheck(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
262 const char *str)
250{ 263{
251 return ASN1_NULL_new(); 264 return ASN1_NULL_new();
252} 265}
253 266
254static int i2r_ocsp_serviceloc(X509V3_EXT_METHOD *method, void *in, BIO *bp, int ind) 267static int i2r_ocsp_serviceloc(const X509V3_EXT_METHOD *method, void *in,
268 BIO *bp, int ind)
255 { 269 {
256 int i; 270 int i;
257 OCSP_SERVICELOC *a = in; 271 OCSP_SERVICELOC *a = in;
diff --git a/src/lib/libcrypto/x509v3/v3_pci.c b/src/lib/libcrypto/x509v3/v3_pci.c
index 601211f416..0dcfa004fe 100644
--- a/src/lib/libcrypto/x509v3/v3_pci.c
+++ b/src/lib/libcrypto/x509v3/v3_pci.c
@@ -82,7 +82,7 @@ static int process_pci_value(CONF_VALUE *val,
82 { 82 {
83 if (*language) 83 if (*language)
84 { 84 {
85 X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_POLICY_LANGUAGE_ALREADTY_DEFINED); 85 X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_POLICY_LANGUAGE_ALREADY_DEFINED);
86 X509V3_conf_err(val); 86 X509V3_conf_err(val);
87 return 0; 87 return 0;
88 } 88 }
@@ -97,7 +97,7 @@ static int process_pci_value(CONF_VALUE *val,
97 { 97 {
98 if (*pathlen) 98 if (*pathlen)
99 { 99 {
100 X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_POLICY_PATH_LENGTH_ALREADTY_DEFINED); 100 X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_POLICY_PATH_LENGTH_ALREADY_DEFINED);
101 X509V3_conf_err(val); 101 X509V3_conf_err(val);
102 return 0; 102 return 0;
103 } 103 }
@@ -128,7 +128,12 @@ static int process_pci_value(CONF_VALUE *val,
128 unsigned char *tmp_data2 = 128 unsigned char *tmp_data2 =
129 string_to_hex(val->value + 4, &val_len); 129 string_to_hex(val->value + 4, &val_len);
130 130
131 if (!tmp_data2) goto err; 131 if (!tmp_data2)
132 {
133 X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_ILLEGAL_HEX_DIGIT);
134 X509V3_conf_err(val);
135 goto err;
136 }
132 137
133 tmp_data = OPENSSL_realloc((*policy)->data, 138 tmp_data = OPENSSL_realloc((*policy)->data,
134 (*policy)->length + val_len + 1); 139 (*policy)->length + val_len + 1);
@@ -140,6 +145,17 @@ static int process_pci_value(CONF_VALUE *val,
140 (*policy)->length += val_len; 145 (*policy)->length += val_len;
141 (*policy)->data[(*policy)->length] = '\0'; 146 (*policy)->data[(*policy)->length] = '\0';
142 } 147 }
148 else
149 {
150 OPENSSL_free(tmp_data2);
151 /* realloc failure implies the original data space is b0rked too! */
152 (*policy)->data = NULL;
153 (*policy)->length = 0;
154 X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_MALLOC_FAILURE);
155 X509V3_conf_err(val);
156 goto err;
157 }
158 OPENSSL_free(tmp_data2);
143 } 159 }
144 else if (strncmp(val->value, "file:", 5) == 0) 160 else if (strncmp(val->value, "file:", 5) == 0)
145 { 161 {
@@ -169,6 +185,7 @@ static int process_pci_value(CONF_VALUE *val,
169 (*policy)->length += n; 185 (*policy)->length += n;
170 (*policy)->data[(*policy)->length] = '\0'; 186 (*policy)->data[(*policy)->length] = '\0';
171 } 187 }
188 BIO_free_all(b);
172 189
173 if (n < 0) 190 if (n < 0)
174 { 191 {
@@ -190,6 +207,15 @@ static int process_pci_value(CONF_VALUE *val,
190 (*policy)->length += val_len; 207 (*policy)->length += val_len;
191 (*policy)->data[(*policy)->length] = '\0'; 208 (*policy)->data[(*policy)->length] = '\0';
192 } 209 }
210 else
211 {
212 /* realloc failure implies the original data space is b0rked too! */
213 (*policy)->data = NULL;
214 (*policy)->length = 0;
215 X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_MALLOC_FAILURE);
216 X509V3_conf_err(val);
217 goto err;
218 }
193 } 219 }
194 else 220 else
195 { 221 {
diff --git a/src/lib/libcrypto/x509v3/v3_pcons.c b/src/lib/libcrypto/x509v3/v3_pcons.c
index 86c0ff70e6..30ca652351 100644
--- a/src/lib/libcrypto/x509v3/v3_pcons.c
+++ b/src/lib/libcrypto/x509v3/v3_pcons.c
@@ -64,10 +64,12 @@
64#include <openssl/conf.h> 64#include <openssl/conf.h>
65#include <openssl/x509v3.h> 65#include <openssl/x509v3.h>
66 66
67static STACK_OF(CONF_VALUE) *i2v_POLICY_CONSTRAINTS(X509V3_EXT_METHOD *method, 67static STACK_OF(CONF_VALUE) *
68 void *bcons, STACK_OF(CONF_VALUE) *extlist); 68i2v_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD *method, void *bcons,
69static void *v2i_POLICY_CONSTRAINTS(X509V3_EXT_METHOD *method, 69 STACK_OF(CONF_VALUE) *extlist);
70 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values); 70static void *v2i_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD *method,
71 X509V3_CTX *ctx,
72 STACK_OF(CONF_VALUE) *values);
71 73
72const X509V3_EXT_METHOD v3_policy_constraints = { 74const X509V3_EXT_METHOD v3_policy_constraints = {
73NID_policy_constraints, 0, 75NID_policy_constraints, 0,
@@ -88,8 +90,9 @@ ASN1_SEQUENCE(POLICY_CONSTRAINTS) = {
88IMPLEMENT_ASN1_ALLOC_FUNCTIONS(POLICY_CONSTRAINTS) 90IMPLEMENT_ASN1_ALLOC_FUNCTIONS(POLICY_CONSTRAINTS)
89 91
90 92
91static STACK_OF(CONF_VALUE) *i2v_POLICY_CONSTRAINTS(X509V3_EXT_METHOD *method, 93static STACK_OF(CONF_VALUE) *
92 void *a, STACK_OF(CONF_VALUE) *extlist) 94i2v_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD *method, void *a,
95 STACK_OF(CONF_VALUE) *extlist)
93{ 96{
94 POLICY_CONSTRAINTS *pcons = a; 97 POLICY_CONSTRAINTS *pcons = a;
95 X509V3_add_value_int("Require Explicit Policy", 98 X509V3_add_value_int("Require Explicit Policy",
@@ -99,8 +102,9 @@ static STACK_OF(CONF_VALUE) *i2v_POLICY_CONSTRAINTS(X509V3_EXT_METHOD *method,
99 return extlist; 102 return extlist;
100} 103}
101 104
102static void *v2i_POLICY_CONSTRAINTS(X509V3_EXT_METHOD *method, 105static void *v2i_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD *method,
103 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values) 106 X509V3_CTX *ctx,
107 STACK_OF(CONF_VALUE) *values)
104{ 108{
105 POLICY_CONSTRAINTS *pcons=NULL; 109 POLICY_CONSTRAINTS *pcons=NULL;
106 CONF_VALUE *val; 110 CONF_VALUE *val;
diff --git a/src/lib/libcrypto/x509v3/v3_pmaps.c b/src/lib/libcrypto/x509v3/v3_pmaps.c
index da03bbc35d..865bcd3980 100644
--- a/src/lib/libcrypto/x509v3/v3_pmaps.c
+++ b/src/lib/libcrypto/x509v3/v3_pmaps.c
@@ -63,10 +63,11 @@
63#include <openssl/conf.h> 63#include <openssl/conf.h>
64#include <openssl/x509v3.h> 64#include <openssl/x509v3.h>
65 65
66static void *v2i_POLICY_MAPPINGS(X509V3_EXT_METHOD *method, 66static void *v2i_POLICY_MAPPINGS(const X509V3_EXT_METHOD *method,
67 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval); 67 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
68static STACK_OF(CONF_VALUE) *i2v_POLICY_MAPPINGS(X509V3_EXT_METHOD *method, 68static STACK_OF(CONF_VALUE) *
69 void *pmps, STACK_OF(CONF_VALUE) *extlist); 69i2v_POLICY_MAPPINGS(const X509V3_EXT_METHOD *method, void *pmps,
70 STACK_OF(CONF_VALUE) *extlist);
70 71
71const X509V3_EXT_METHOD v3_policy_mappings = { 72const X509V3_EXT_METHOD v3_policy_mappings = {
72 NID_policy_mappings, 0, 73 NID_policy_mappings, 0,
@@ -92,8 +93,9 @@ ASN1_ITEM_TEMPLATE_END(POLICY_MAPPINGS)
92IMPLEMENT_ASN1_ALLOC_FUNCTIONS(POLICY_MAPPING) 93IMPLEMENT_ASN1_ALLOC_FUNCTIONS(POLICY_MAPPING)
93 94
94 95
95static STACK_OF(CONF_VALUE) *i2v_POLICY_MAPPINGS(X509V3_EXT_METHOD *method, 96static STACK_OF(CONF_VALUE) *
96 void *a, STACK_OF(CONF_VALUE) *ext_list) 97i2v_POLICY_MAPPINGS(const X509V3_EXT_METHOD *method, void *a,
98 STACK_OF(CONF_VALUE) *ext_list)
97{ 99{
98 POLICY_MAPPINGS *pmaps = a; 100 POLICY_MAPPINGS *pmaps = a;
99 POLICY_MAPPING *pmap; 101 POLICY_MAPPING *pmap;
@@ -109,8 +111,8 @@ static STACK_OF(CONF_VALUE) *i2v_POLICY_MAPPINGS(X509V3_EXT_METHOD *method,
109 return ext_list; 111 return ext_list;
110} 112}
111 113
112static void *v2i_POLICY_MAPPINGS(X509V3_EXT_METHOD *method, 114static void *v2i_POLICY_MAPPINGS(const X509V3_EXT_METHOD *method,
113 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval) 115 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
114{ 116{
115 POLICY_MAPPINGS *pmaps; 117 POLICY_MAPPINGS *pmaps;
116 POLICY_MAPPING *pmap; 118 POLICY_MAPPING *pmap;
diff --git a/src/lib/libcrypto/x509v3/v3_prn.c b/src/lib/libcrypto/x509v3/v3_prn.c
index c1bb17f105..3146218708 100644
--- a/src/lib/libcrypto/x509v3/v3_prn.c
+++ b/src/lib/libcrypto/x509v3/v3_prn.c
@@ -110,7 +110,7 @@ int X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, unsigned long flag, int inde
110 void *ext_str = NULL; 110 void *ext_str = NULL;
111 char *value = NULL; 111 char *value = NULL;
112 const unsigned char *p; 112 const unsigned char *p;
113 X509V3_EXT_METHOD *method; 113 const X509V3_EXT_METHOD *method;
114 STACK_OF(CONF_VALUE) *nval = NULL; 114 STACK_OF(CONF_VALUE) *nval = NULL;
115 int ok = 1; 115 int ok = 1;
116 116
diff --git a/src/lib/libcrypto/x509v3/v3_purp.c b/src/lib/libcrypto/x509v3/v3_purp.c
index e18751e01c..181bd34979 100644
--- a/src/lib/libcrypto/x509v3/v3_purp.c
+++ b/src/lib/libcrypto/x509v3/v3_purp.c
@@ -71,6 +71,7 @@ static int purpose_smime(const X509 *x, int ca);
71static int check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x, int ca); 71static int check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x, int ca);
72static int check_purpose_smime_encrypt(const X509_PURPOSE *xp, const X509 *x, int ca); 72static int check_purpose_smime_encrypt(const X509_PURPOSE *xp, const X509 *x, int ca);
73static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x, int ca); 73static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x, int ca);
74static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x, int ca);
74static int no_check(const X509_PURPOSE *xp, const X509 *x, int ca); 75static int no_check(const X509_PURPOSE *xp, const X509 *x, int ca);
75static int ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca); 76static int ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca);
76 77
@@ -87,6 +88,7 @@ static X509_PURPOSE xstandard[] = {
87 {X509_PURPOSE_CRL_SIGN, X509_TRUST_COMPAT, 0, check_purpose_crl_sign, "CRL signing", "crlsign", NULL}, 88 {X509_PURPOSE_CRL_SIGN, X509_TRUST_COMPAT, 0, check_purpose_crl_sign, "CRL signing", "crlsign", NULL},
88 {X509_PURPOSE_ANY, X509_TRUST_DEFAULT, 0, no_check, "Any Purpose", "any", NULL}, 89 {X509_PURPOSE_ANY, X509_TRUST_DEFAULT, 0, no_check, "Any Purpose", "any", NULL},
89 {X509_PURPOSE_OCSP_HELPER, X509_TRUST_COMPAT, 0, ocsp_helper, "OCSP helper", "ocsphelper", NULL}, 90 {X509_PURPOSE_OCSP_HELPER, X509_TRUST_COMPAT, 0, ocsp_helper, "OCSP helper", "ocsphelper", NULL},
91 {X509_PURPOSE_TIMESTAMP_SIGN, X509_TRUST_TSA, 0, check_purpose_timestamp_sign, "Time Stamp signing", "timestampsign", NULL},
90}; 92};
91 93
92#define X509_PURPOSE_COUNT (sizeof(xstandard)/sizeof(X509_PURPOSE)) 94#define X509_PURPOSE_COUNT (sizeof(xstandard)/sizeof(X509_PURPOSE))
@@ -265,11 +267,14 @@ int X509_PURPOSE_get_trust(X509_PURPOSE *xp)
265 return xp->trust; 267 return xp->trust;
266} 268}
267 269
268static int nid_cmp(int *a, int *b) 270static int nid_cmp(const int *a, const int *b)
269 { 271 {
270 return *a - *b; 272 return *a - *b;
271 } 273 }
272 274
275DECLARE_OBJ_BSEARCH_CMP_FN(int, int, nid);
276IMPLEMENT_OBJ_BSEARCH_CMP_FN(int, int, nid);
277
273int X509_supported_extension(X509_EXTENSION *ex) 278int X509_supported_extension(X509_EXTENSION *ex)
274 { 279 {
275 /* This table is a list of the NIDs of supported extensions: 280 /* This table is a list of the NIDs of supported extensions:
@@ -280,7 +285,7 @@ int X509_supported_extension(X509_EXTENSION *ex)
280 * searched using bsearch. 285 * searched using bsearch.
281 */ 286 */
282 287
283 static int supported_nids[] = { 288 static const int supported_nids[] = {
284 NID_netscape_cert_type, /* 71 */ 289 NID_netscape_cert_type, /* 71 */
285 NID_key_usage, /* 83 */ 290 NID_key_usage, /* 83 */
286 NID_subject_alt_name, /* 85 */ 291 NID_subject_alt_name, /* 85 */
@@ -292,24 +297,62 @@ int X509_supported_extension(X509_EXTENSION *ex)
292 NID_sbgp_autonomousSysNum, /* 291 */ 297 NID_sbgp_autonomousSysNum, /* 291 */
293#endif 298#endif
294 NID_policy_constraints, /* 401 */ 299 NID_policy_constraints, /* 401 */
295 NID_proxyCertInfo, /* 661 */ 300 NID_proxyCertInfo, /* 663 */
301 NID_name_constraints, /* 666 */
302 NID_policy_mappings, /* 747 */
296 NID_inhibit_any_policy /* 748 */ 303 NID_inhibit_any_policy /* 748 */
297 }; 304 };
298 305
299 int ex_nid; 306 int ex_nid = OBJ_obj2nid(X509_EXTENSION_get_object(ex));
300
301 ex_nid = OBJ_obj2nid(X509_EXTENSION_get_object(ex));
302 307
303 if (ex_nid == NID_undef) 308 if (ex_nid == NID_undef)
304 return 0; 309 return 0;
305 310
306 if (OBJ_bsearch((char *)&ex_nid, (char *)supported_nids, 311 if (OBJ_bsearch_nid(&ex_nid, supported_nids,
307 sizeof(supported_nids)/sizeof(int), sizeof(int), 312 sizeof(supported_nids)/sizeof(int)))
308 (int (*)(const void *, const void *))nid_cmp))
309 return 1; 313 return 1;
310 return 0; 314 return 0;
311 } 315 }
312 316
317static void setup_dp(X509 *x, DIST_POINT *dp)
318 {
319 X509_NAME *iname = NULL;
320 int i;
321 if (dp->reasons)
322 {
323 if (dp->reasons->length > 0)
324 dp->dp_reasons = dp->reasons->data[0];
325 if (dp->reasons->length > 1)
326 dp->dp_reasons |= (dp->reasons->data[1] << 8);
327 dp->dp_reasons &= CRLDP_ALL_REASONS;
328 }
329 else
330 dp->dp_reasons = CRLDP_ALL_REASONS;
331 if (!dp->distpoint || (dp->distpoint->type != 1))
332 return;
333 for (i = 0; i < sk_GENERAL_NAME_num(dp->CRLissuer); i++)
334 {
335 GENERAL_NAME *gen = sk_GENERAL_NAME_value(dp->CRLissuer, i);
336 if (gen->type == GEN_DIRNAME)
337 {
338 iname = gen->d.directoryName;
339 break;
340 }
341 }
342 if (!iname)
343 iname = X509_get_issuer_name(x);
344
345 DIST_POINT_set_dpname(dp->distpoint, iname);
346
347 }
348
349static void setup_crldp(X509 *x)
350 {
351 int i;
352 x->crldp = X509_get_ext_d2i(x, NID_crl_distribution_points, NULL, NULL);
353 for (i = 0; i < sk_DIST_POINT_num(x->crldp); i++)
354 setup_dp(x, sk_DIST_POINT_value(x->crldp, i));
355 }
313 356
314static void x509v3_cache_extensions(X509 *x) 357static void x509v3_cache_extensions(X509 *x)
315{ 358{
@@ -417,16 +460,25 @@ static void x509v3_cache_extensions(X509 *x)
417 } 460 }
418 x->skid =X509_get_ext_d2i(x, NID_subject_key_identifier, NULL, NULL); 461 x->skid =X509_get_ext_d2i(x, NID_subject_key_identifier, NULL, NULL);
419 x->akid =X509_get_ext_d2i(x, NID_authority_key_identifier, NULL, NULL); 462 x->akid =X509_get_ext_d2i(x, NID_authority_key_identifier, NULL, NULL);
463 x->altname = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
464 x->nc = X509_get_ext_d2i(x, NID_name_constraints, &i, NULL);
465 if (!x->nc && (i != -1))
466 x->ex_flags |= EXFLAG_INVALID;
467 setup_crldp(x);
468
420#ifndef OPENSSL_NO_RFC3779 469#ifndef OPENSSL_NO_RFC3779
421 x->rfc3779_addr =X509_get_ext_d2i(x, NID_sbgp_ipAddrBlock, NULL, NULL); 470 x->rfc3779_addr =X509_get_ext_d2i(x, NID_sbgp_ipAddrBlock, NULL, NULL);
422 x->rfc3779_asid =X509_get_ext_d2i(x, NID_sbgp_autonomousSysNum, 471 x->rfc3779_asid =X509_get_ext_d2i(x, NID_sbgp_autonomousSysNum,
423 NULL, NULL); 472 NULL, NULL);
424#endif 473#endif
425 for (i = 0; i < X509_get_ext_count(x); i++) 474 for (i = 0; i < X509_get_ext_count(x); i++)
426 { 475 {
427 ex = X509_get_ext(x, i); 476 ex = X509_get_ext(x, i);
428 if (!X509_EXTENSION_get_critical(ex)) 477 if (!X509_EXTENSION_get_critical(ex))
429 continue; 478 continue;
479 if (OBJ_obj2nid(X509_EXTENSION_get_object(ex))
480 == NID_freshest_crl)
481 x->ex_flags |= EXFLAG_FRESHEST;
430 if (!X509_supported_extension(ex)) 482 if (!X509_supported_extension(ex))
431 { 483 {
432 x->ex_flags |= EXFLAG_CRITICAL; 484 x->ex_flags |= EXFLAG_CRITICAL;
@@ -594,6 +646,41 @@ static int ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca)
594 return 1; 646 return 1;
595} 647}
596 648
649static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x,
650 int ca)
651{
652 int i_ext;
653
654 /* If ca is true we must return if this is a valid CA certificate. */
655 if (ca) return check_ca(x);
656
657 /*
658 * Check the optional key usage field:
659 * if Key Usage is present, it must be one of digitalSignature
660 * and/or nonRepudiation (other values are not consistent and shall
661 * be rejected).
662 */
663 if ((x->ex_flags & EXFLAG_KUSAGE)
664 && ((x->ex_kusage & ~(KU_NON_REPUDIATION | KU_DIGITAL_SIGNATURE)) ||
665 !(x->ex_kusage & (KU_NON_REPUDIATION | KU_DIGITAL_SIGNATURE))))
666 return 0;
667
668 /* Only time stamp key usage is permitted and it's required. */
669 if (!(x->ex_flags & EXFLAG_XKUSAGE) || x->ex_xkusage != XKU_TIMESTAMP)
670 return 0;
671
672 /* Extended Key Usage MUST be critical */
673 i_ext = X509_get_ext_by_NID((X509 *) x, NID_ext_key_usage, 0);
674 if (i_ext >= 0)
675 {
676 X509_EXTENSION *ext = X509_get_ext((X509 *) x, i_ext);
677 if (!X509_EXTENSION_get_critical(ext))
678 return 0;
679 }
680
681 return 1;
682}
683
597static int no_check(const X509_PURPOSE *xp, const X509 *x, int ca) 684static int no_check(const X509_PURPOSE *xp, const X509 *x, int ca)
598{ 685{
599 return 1; 686 return 1;
@@ -618,39 +705,14 @@ int X509_check_issued(X509 *issuer, X509 *subject)
618 return X509_V_ERR_SUBJECT_ISSUER_MISMATCH; 705 return X509_V_ERR_SUBJECT_ISSUER_MISMATCH;
619 x509v3_cache_extensions(issuer); 706 x509v3_cache_extensions(issuer);
620 x509v3_cache_extensions(subject); 707 x509v3_cache_extensions(subject);
621 if(subject->akid) { 708
622 /* Check key ids (if present) */ 709 if(subject->akid)
623 if(subject->akid->keyid && issuer->skid && 710 {
624 ASN1_OCTET_STRING_cmp(subject->akid->keyid, issuer->skid) ) 711 int ret = X509_check_akid(issuer, subject->akid);
625 return X509_V_ERR_AKID_SKID_MISMATCH; 712 if (ret != X509_V_OK)
626 /* Check serial number */ 713 return ret;
627 if(subject->akid->serial &&
628 ASN1_INTEGER_cmp(X509_get_serialNumber(issuer),
629 subject->akid->serial))
630 return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
631 /* Check issuer name */
632 if(subject->akid->issuer) {
633 /* Ugh, for some peculiar reason AKID includes
634 * SEQUENCE OF GeneralName. So look for a DirName.
635 * There may be more than one but we only take any
636 * notice of the first.
637 */
638 GENERAL_NAMES *gens;
639 GENERAL_NAME *gen;
640 X509_NAME *nm = NULL;
641 int i;
642 gens = subject->akid->issuer;
643 for(i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
644 gen = sk_GENERAL_NAME_value(gens, i);
645 if(gen->type == GEN_DIRNAME) {
646 nm = gen->d.dirn;
647 break;
648 }
649 }
650 if(nm && X509_NAME_cmp(nm, X509_get_issuer_name(issuer)))
651 return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
652 } 714 }
653 } 715
654 if(subject->ex_flags & EXFLAG_PROXY) 716 if(subject->ex_flags & EXFLAG_PROXY)
655 { 717 {
656 if(ku_reject(issuer, KU_DIGITAL_SIGNATURE)) 718 if(ku_reject(issuer, KU_DIGITAL_SIGNATURE))
@@ -661,3 +723,45 @@ int X509_check_issued(X509 *issuer, X509 *subject)
661 return X509_V_OK; 723 return X509_V_OK;
662} 724}
663 725
726int X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid)
727 {
728
729 if(!akid)
730 return X509_V_OK;
731
732 /* Check key ids (if present) */
733 if(akid->keyid && issuer->skid &&
734 ASN1_OCTET_STRING_cmp(akid->keyid, issuer->skid) )
735 return X509_V_ERR_AKID_SKID_MISMATCH;
736 /* Check serial number */
737 if(akid->serial &&
738 ASN1_INTEGER_cmp(X509_get_serialNumber(issuer), akid->serial))
739 return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
740 /* Check issuer name */
741 if(akid->issuer)
742 {
743 /* Ugh, for some peculiar reason AKID includes
744 * SEQUENCE OF GeneralName. So look for a DirName.
745 * There may be more than one but we only take any
746 * notice of the first.
747 */
748 GENERAL_NAMES *gens;
749 GENERAL_NAME *gen;
750 X509_NAME *nm = NULL;
751 int i;
752 gens = akid->issuer;
753 for(i = 0; i < sk_GENERAL_NAME_num(gens); i++)
754 {
755 gen = sk_GENERAL_NAME_value(gens, i);
756 if(gen->type == GEN_DIRNAME)
757 {
758 nm = gen->d.dirn;
759 break;
760 }
761 }
762 if(nm && X509_NAME_cmp(nm, X509_get_issuer_name(issuer)))
763 return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
764 }
765 return X509_V_OK;
766 }
767
diff --git a/src/lib/libcrypto/x509v3/v3_utl.c b/src/lib/libcrypto/x509v3/v3_utl.c
index 7a45216c00..e030234540 100644
--- a/src/lib/libcrypto/x509v3/v3_utl.c
+++ b/src/lib/libcrypto/x509v3/v3_utl.c
@@ -67,9 +67,9 @@
67 67
68static char *strip_spaces(char *name); 68static char *strip_spaces(char *name);
69static int sk_strcmp(const char * const *a, const char * const *b); 69static int sk_strcmp(const char * const *a, const char * const *b);
70static STACK *get_email(X509_NAME *name, GENERAL_NAMES *gens); 70static STACK_OF(OPENSSL_STRING) *get_email(X509_NAME *name, GENERAL_NAMES *gens);
71static void str_free(void *str); 71static void str_free(OPENSSL_STRING str);
72static int append_ia5(STACK **sk, ASN1_IA5STRING *email); 72static int append_ia5(STACK_OF(OPENSSL_STRING) **sk, ASN1_IA5STRING *email);
73 73
74static int ipv4_from_asc(unsigned char *v4, const char *in); 74static int ipv4_from_asc(unsigned char *v4, const char *in);
75static int ipv6_from_asc(unsigned char *v6, const char *in); 75static int ipv6_from_asc(unsigned char *v6, const char *in);
@@ -360,10 +360,10 @@ static char *strip_spaces(char *name)
360 * @@@ (Contents of buffer are always kept in ASCII, also on EBCDIC machines) 360 * @@@ (Contents of buffer are always kept in ASCII, also on EBCDIC machines)
361 */ 361 */
362 362
363char *hex_to_string(unsigned char *buffer, long len) 363char *hex_to_string(const unsigned char *buffer, long len)
364{ 364{
365 char *tmp, *q; 365 char *tmp, *q;
366 unsigned char *p; 366 const unsigned char *p;
367 int i; 367 int i;
368 const static char hexdig[] = "0123456789ABCDEF"; 368 const static char hexdig[] = "0123456789ABCDEF";
369 if(!buffer || !len) return NULL; 369 if(!buffer || !len) return NULL;
@@ -389,7 +389,7 @@ char *hex_to_string(unsigned char *buffer, long len)
389 * a buffer 389 * a buffer
390 */ 390 */
391 391
392unsigned char *string_to_hex(char *str, long *len) 392unsigned char *string_to_hex(const char *str, long *len)
393{ 393{
394 unsigned char *hexbuf, *q; 394 unsigned char *hexbuf, *q;
395 unsigned char ch, cl, *p; 395 unsigned char ch, cl, *p;
@@ -463,21 +463,23 @@ static int sk_strcmp(const char * const *a, const char * const *b)
463 return strcmp(*a, *b); 463 return strcmp(*a, *b);
464} 464}
465 465
466STACK *X509_get1_email(X509 *x) 466STACK_OF(OPENSSL_STRING) *X509_get1_email(X509 *x)
467{ 467{
468 GENERAL_NAMES *gens; 468 GENERAL_NAMES *gens;
469 STACK *ret; 469 STACK_OF(OPENSSL_STRING) *ret;
470
470 gens = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL); 471 gens = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
471 ret = get_email(X509_get_subject_name(x), gens); 472 ret = get_email(X509_get_subject_name(x), gens);
472 sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free); 473 sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
473 return ret; 474 return ret;
474} 475}
475 476
476STACK *X509_get1_ocsp(X509 *x) 477STACK_OF(OPENSSL_STRING) *X509_get1_ocsp(X509 *x)
477{ 478{
478 AUTHORITY_INFO_ACCESS *info; 479 AUTHORITY_INFO_ACCESS *info;
479 STACK *ret = NULL; 480 STACK_OF(OPENSSL_STRING) *ret = NULL;
480 int i; 481 int i;
482
481 info = X509_get_ext_d2i(x, NID_info_access, NULL, NULL); 483 info = X509_get_ext_d2i(x, NID_info_access, NULL, NULL);
482 if (!info) 484 if (!info)
483 return NULL; 485 return NULL;
@@ -497,11 +499,12 @@ STACK *X509_get1_ocsp(X509 *x)
497 return ret; 499 return ret;
498} 500}
499 501
500STACK *X509_REQ_get1_email(X509_REQ *x) 502STACK_OF(OPENSSL_STRING) *X509_REQ_get1_email(X509_REQ *x)
501{ 503{
502 GENERAL_NAMES *gens; 504 GENERAL_NAMES *gens;
503 STACK_OF(X509_EXTENSION) *exts; 505 STACK_OF(X509_EXTENSION) *exts;
504 STACK *ret; 506 STACK_OF(OPENSSL_STRING) *ret;
507
505 exts = X509_REQ_get_extensions(x); 508 exts = X509_REQ_get_extensions(x);
506 gens = X509V3_get_d2i(exts, NID_subject_alt_name, NULL, NULL); 509 gens = X509V3_get_d2i(exts, NID_subject_alt_name, NULL, NULL);
507 ret = get_email(X509_REQ_get_subject_name(x), gens); 510 ret = get_email(X509_REQ_get_subject_name(x), gens);
@@ -511,9 +514,9 @@ STACK *X509_REQ_get1_email(X509_REQ *x)
511} 514}
512 515
513 516
514static STACK *get_email(X509_NAME *name, GENERAL_NAMES *gens) 517static STACK_OF(OPENSSL_STRING) *get_email(X509_NAME *name, GENERAL_NAMES *gens)
515{ 518{
516 STACK *ret = NULL; 519 STACK_OF(OPENSSL_STRING) *ret = NULL;
517 X509_NAME_ENTRY *ne; 520 X509_NAME_ENTRY *ne;
518 ASN1_IA5STRING *email; 521 ASN1_IA5STRING *email;
519 GENERAL_NAME *gen; 522 GENERAL_NAME *gen;
@@ -536,23 +539,23 @@ static STACK *get_email(X509_NAME *name, GENERAL_NAMES *gens)
536 return ret; 539 return ret;
537} 540}
538 541
539static void str_free(void *str) 542static void str_free(OPENSSL_STRING str)
540{ 543{
541 OPENSSL_free(str); 544 OPENSSL_free(str);
542} 545}
543 546
544static int append_ia5(STACK **sk, ASN1_IA5STRING *email) 547static int append_ia5(STACK_OF(OPENSSL_STRING) **sk, ASN1_IA5STRING *email)
545{ 548{
546 char *emtmp; 549 char *emtmp;
547 /* First some sanity checks */ 550 /* First some sanity checks */
548 if(email->type != V_ASN1_IA5STRING) return 1; 551 if(email->type != V_ASN1_IA5STRING) return 1;
549 if(!email->data || !email->length) return 1; 552 if(!email->data || !email->length) return 1;
550 if(!*sk) *sk = sk_new(sk_strcmp); 553 if(!*sk) *sk = sk_OPENSSL_STRING_new(sk_strcmp);
551 if(!*sk) return 0; 554 if(!*sk) return 0;
552 /* Don't add duplicates */ 555 /* Don't add duplicates */
553 if(sk_find(*sk, (char *)email->data) != -1) return 1; 556 if(sk_OPENSSL_STRING_find(*sk, (char *)email->data) != -1) return 1;
554 emtmp = BUF_strdup((char *)email->data); 557 emtmp = BUF_strdup((char *)email->data);
555 if(!emtmp || !sk_push(*sk, emtmp)) { 558 if(!emtmp || !sk_OPENSSL_STRING_push(*sk, emtmp)) {
556 X509_email_free(*sk); 559 X509_email_free(*sk);
557 *sk = NULL; 560 *sk = NULL;
558 return 0; 561 return 0;
@@ -560,9 +563,9 @@ static int append_ia5(STACK **sk, ASN1_IA5STRING *email)
560 return 1; 563 return 1;
561} 564}
562 565
563void X509_email_free(STACK *sk) 566void X509_email_free(STACK_OF(OPENSSL_STRING) *sk)
564{ 567{
565 sk_pop_free(sk, str_free); 568 sk_OPENSSL_STRING_pop_free(sk, str_free);
566} 569}
567 570
568/* Convert IP addresses both IPv4 and IPv6 into an 571/* Convert IP addresses both IPv4 and IPv6 into an
diff --git a/src/lib/libcrypto/x509v3/v3err.c b/src/lib/libcrypto/x509v3/v3err.c
index d538ad8b80..f9f6f1f91f 100644
--- a/src/lib/libcrypto/x509v3/v3err.c
+++ b/src/lib/libcrypto/x509v3/v3err.c
@@ -1,6 +1,6 @@
1/* crypto/x509v3/v3err.c */ 1/* crypto/x509v3/v3err.c */
2/* ==================================================================== 2/* ====================================================================
3 * Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved. 3 * Copyright (c) 1999-2007 The OpenSSL Project. All rights reserved.
4 * 4 *
5 * Redistribution and use in source and binary forms, with or without 5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions 6 * modification, are permitted provided that the following conditions
@@ -70,6 +70,7 @@
70 70
71static ERR_STRING_DATA X509V3_str_functs[]= 71static ERR_STRING_DATA X509V3_str_functs[]=
72 { 72 {
73{ERR_FUNC(X509V3_F_A2I_GENERAL_NAME), "A2I_GENERAL_NAME"},
73{ERR_FUNC(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE), "ASIDENTIFIERCHOICE_CANONIZE"}, 74{ERR_FUNC(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE), "ASIDENTIFIERCHOICE_CANONIZE"},
74{ERR_FUNC(X509V3_F_ASIDENTIFIERCHOICE_IS_CANONICAL), "ASIDENTIFIERCHOICE_IS_CANONICAL"}, 75{ERR_FUNC(X509V3_F_ASIDENTIFIERCHOICE_IS_CANONICAL), "ASIDENTIFIERCHOICE_IS_CANONICAL"},
75{ERR_FUNC(X509V3_F_COPY_EMAIL), "COPY_EMAIL"}, 76{ERR_FUNC(X509V3_F_COPY_EMAIL), "COPY_EMAIL"},
@@ -79,6 +80,7 @@ static ERR_STRING_DATA X509V3_str_functs[]=
79{ERR_FUNC(X509V3_F_DO_EXT_I2D), "DO_EXT_I2D"}, 80{ERR_FUNC(X509V3_F_DO_EXT_I2D), "DO_EXT_I2D"},
80{ERR_FUNC(X509V3_F_DO_EXT_NCONF), "DO_EXT_NCONF"}, 81{ERR_FUNC(X509V3_F_DO_EXT_NCONF), "DO_EXT_NCONF"},
81{ERR_FUNC(X509V3_F_DO_I2V_NAME_CONSTRAINTS), "DO_I2V_NAME_CONSTRAINTS"}, 82{ERR_FUNC(X509V3_F_DO_I2V_NAME_CONSTRAINTS), "DO_I2V_NAME_CONSTRAINTS"},
83{ERR_FUNC(X509V3_F_GNAMES_FROM_SECTNAME), "GNAMES_FROM_SECTNAME"},
82{ERR_FUNC(X509V3_F_HEX_TO_STRING), "hex_to_string"}, 84{ERR_FUNC(X509V3_F_HEX_TO_STRING), "hex_to_string"},
83{ERR_FUNC(X509V3_F_I2S_ASN1_ENUMERATED), "i2s_ASN1_ENUMERATED"}, 85{ERR_FUNC(X509V3_F_I2S_ASN1_ENUMERATED), "i2s_ASN1_ENUMERATED"},
84{ERR_FUNC(X509V3_F_I2S_ASN1_IA5STRING), "I2S_ASN1_IA5STRING"}, 86{ERR_FUNC(X509V3_F_I2S_ASN1_IA5STRING), "I2S_ASN1_IA5STRING"},
@@ -95,6 +97,7 @@ static ERR_STRING_DATA X509V3_str_functs[]=
95{ERR_FUNC(X509V3_F_S2I_ASN1_OCTET_STRING), "s2i_ASN1_OCTET_STRING"}, 97{ERR_FUNC(X509V3_F_S2I_ASN1_OCTET_STRING), "s2i_ASN1_OCTET_STRING"},
96{ERR_FUNC(X509V3_F_S2I_ASN1_SKEY_ID), "S2I_ASN1_SKEY_ID"}, 98{ERR_FUNC(X509V3_F_S2I_ASN1_SKEY_ID), "S2I_ASN1_SKEY_ID"},
97{ERR_FUNC(X509V3_F_S2I_SKEY_ID), "S2I_SKEY_ID"}, 99{ERR_FUNC(X509V3_F_S2I_SKEY_ID), "S2I_SKEY_ID"},
100{ERR_FUNC(X509V3_F_SET_DIST_POINT_NAME), "SET_DIST_POINT_NAME"},
98{ERR_FUNC(X509V3_F_STRING_TO_HEX), "string_to_hex"}, 101{ERR_FUNC(X509V3_F_STRING_TO_HEX), "string_to_hex"},
99{ERR_FUNC(X509V3_F_SXNET_ADD_ID_ASC), "SXNET_add_id_asc"}, 102{ERR_FUNC(X509V3_F_SXNET_ADD_ID_ASC), "SXNET_add_id_asc"},
100{ERR_FUNC(X509V3_F_SXNET_ADD_ID_INTEGER), "SXNET_add_id_INTEGER"}, 103{ERR_FUNC(X509V3_F_SXNET_ADD_ID_INTEGER), "SXNET_add_id_INTEGER"},
@@ -110,6 +113,7 @@ static ERR_STRING_DATA X509V3_str_functs[]=
110{ERR_FUNC(X509V3_F_V2I_EXTENDED_KEY_USAGE), "V2I_EXTENDED_KEY_USAGE"}, 113{ERR_FUNC(X509V3_F_V2I_EXTENDED_KEY_USAGE), "V2I_EXTENDED_KEY_USAGE"},
111{ERR_FUNC(X509V3_F_V2I_GENERAL_NAMES), "v2i_GENERAL_NAMES"}, 114{ERR_FUNC(X509V3_F_V2I_GENERAL_NAMES), "v2i_GENERAL_NAMES"},
112{ERR_FUNC(X509V3_F_V2I_GENERAL_NAME_EX), "v2i_GENERAL_NAME_ex"}, 115{ERR_FUNC(X509V3_F_V2I_GENERAL_NAME_EX), "v2i_GENERAL_NAME_ex"},
116{ERR_FUNC(X509V3_F_V2I_IDP), "V2I_IDP"},
113{ERR_FUNC(X509V3_F_V2I_IPADDRBLOCKS), "V2I_IPADDRBLOCKS"}, 117{ERR_FUNC(X509V3_F_V2I_IPADDRBLOCKS), "V2I_IPADDRBLOCKS"},
114{ERR_FUNC(X509V3_F_V2I_ISSUER_ALT), "V2I_ISSUER_ALT"}, 118{ERR_FUNC(X509V3_F_V2I_ISSUER_ALT), "V2I_ISSUER_ALT"},
115{ERR_FUNC(X509V3_F_V2I_NAME_CONSTRAINTS), "V2I_NAME_CONSTRAINTS"}, 119{ERR_FUNC(X509V3_F_V2I_NAME_CONSTRAINTS), "V2I_NAME_CONSTRAINTS"},
@@ -141,6 +145,7 @@ static ERR_STRING_DATA X509V3_str_reasons[]=
141{ERR_REASON(X509V3_R_BN_DEC2BN_ERROR) ,"bn dec2bn error"}, 145{ERR_REASON(X509V3_R_BN_DEC2BN_ERROR) ,"bn dec2bn error"},
142{ERR_REASON(X509V3_R_BN_TO_ASN1_INTEGER_ERROR),"bn to asn1 integer error"}, 146{ERR_REASON(X509V3_R_BN_TO_ASN1_INTEGER_ERROR),"bn to asn1 integer error"},
143{ERR_REASON(X509V3_R_DIRNAME_ERROR) ,"dirname error"}, 147{ERR_REASON(X509V3_R_DIRNAME_ERROR) ,"dirname error"},
148{ERR_REASON(X509V3_R_DISTPOINT_ALREADY_SET),"distpoint already set"},
144{ERR_REASON(X509V3_R_DUPLICATE_ZONE_ID) ,"duplicate zone id"}, 149{ERR_REASON(X509V3_R_DUPLICATE_ZONE_ID) ,"duplicate zone id"},
145{ERR_REASON(X509V3_R_ERROR_CONVERTING_ZONE),"error converting zone"}, 150{ERR_REASON(X509V3_R_ERROR_CONVERTING_ZONE),"error converting zone"},
146{ERR_REASON(X509V3_R_ERROR_CREATING_EXTENSION),"error creating extension"}, 151{ERR_REASON(X509V3_R_ERROR_CREATING_EXTENSION),"error creating extension"},
@@ -154,6 +159,7 @@ static ERR_STRING_DATA X509V3_str_reasons[]=
154{ERR_REASON(X509V3_R_ILLEGAL_EMPTY_EXTENSION),"illegal empty extension"}, 159{ERR_REASON(X509V3_R_ILLEGAL_EMPTY_EXTENSION),"illegal empty extension"},
155{ERR_REASON(X509V3_R_ILLEGAL_HEX_DIGIT) ,"illegal hex digit"}, 160{ERR_REASON(X509V3_R_ILLEGAL_HEX_DIGIT) ,"illegal hex digit"},
156{ERR_REASON(X509V3_R_INCORRECT_POLICY_SYNTAX_TAG),"incorrect policy syntax tag"}, 161{ERR_REASON(X509V3_R_INCORRECT_POLICY_SYNTAX_TAG),"incorrect policy syntax tag"},
162{ERR_REASON(X509V3_R_INVALID_MULTIPLE_RDNS),"invalid multiple rdns"},
157{ERR_REASON(X509V3_R_INVALID_ASNUMBER) ,"invalid asnumber"}, 163{ERR_REASON(X509V3_R_INVALID_ASNUMBER) ,"invalid asnumber"},
158{ERR_REASON(X509V3_R_INVALID_ASRANGE) ,"invalid asrange"}, 164{ERR_REASON(X509V3_R_INVALID_ASRANGE) ,"invalid asrange"},
159{ERR_REASON(X509V3_R_INVALID_BOOLEAN_STRING),"invalid boolean string"}, 165{ERR_REASON(X509V3_R_INVALID_BOOLEAN_STRING),"invalid boolean string"},
@@ -187,9 +193,9 @@ static ERR_STRING_DATA X509V3_str_reasons[]=
187{ERR_REASON(X509V3_R_ODD_NUMBER_OF_DIGITS),"odd number of digits"}, 193{ERR_REASON(X509V3_R_ODD_NUMBER_OF_DIGITS),"odd number of digits"},
188{ERR_REASON(X509V3_R_OPERATION_NOT_DEFINED),"operation not defined"}, 194{ERR_REASON(X509V3_R_OPERATION_NOT_DEFINED),"operation not defined"},
189{ERR_REASON(X509V3_R_OTHERNAME_ERROR) ,"othername error"}, 195{ERR_REASON(X509V3_R_OTHERNAME_ERROR) ,"othername error"},
190{ERR_REASON(X509V3_R_POLICY_LANGUAGE_ALREADTY_DEFINED),"policy language alreadty defined"}, 196{ERR_REASON(X509V3_R_POLICY_LANGUAGE_ALREADY_DEFINED),"policy language already defined"},
191{ERR_REASON(X509V3_R_POLICY_PATH_LENGTH) ,"policy path length"}, 197{ERR_REASON(X509V3_R_POLICY_PATH_LENGTH) ,"policy path length"},
192{ERR_REASON(X509V3_R_POLICY_PATH_LENGTH_ALREADTY_DEFINED),"policy path length alreadty defined"}, 198{ERR_REASON(X509V3_R_POLICY_PATH_LENGTH_ALREADY_DEFINED),"policy path length already defined"},
193{ERR_REASON(X509V3_R_POLICY_SYNTAX_NOT_CURRENTLY_SUPPORTED),"policy syntax not currently supported"}, 199{ERR_REASON(X509V3_R_POLICY_SYNTAX_NOT_CURRENTLY_SUPPORTED),"policy syntax not currently supported"},
194{ERR_REASON(X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY),"policy when proxy language requires no policy"}, 200{ERR_REASON(X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY),"policy when proxy language requires no policy"},
195{ERR_REASON(X509V3_R_SECTION_NOT_FOUND) ,"section not found"}, 201{ERR_REASON(X509V3_R_SECTION_NOT_FOUND) ,"section not found"},
@@ -200,6 +206,7 @@ static ERR_STRING_DATA X509V3_str_reasons[]=
200{ERR_REASON(X509V3_R_UNKNOWN_EXTENSION_NAME),"unknown extension name"}, 206{ERR_REASON(X509V3_R_UNKNOWN_EXTENSION_NAME),"unknown extension name"},
201{ERR_REASON(X509V3_R_UNKNOWN_OPTION) ,"unknown option"}, 207{ERR_REASON(X509V3_R_UNKNOWN_OPTION) ,"unknown option"},
202{ERR_REASON(X509V3_R_UNSUPPORTED_OPTION) ,"unsupported option"}, 208{ERR_REASON(X509V3_R_UNSUPPORTED_OPTION) ,"unsupported option"},
209{ERR_REASON(X509V3_R_UNSUPPORTED_TYPE) ,"unsupported type"},
203{ERR_REASON(X509V3_R_USER_TOO_LONG) ,"user too long"}, 210{ERR_REASON(X509V3_R_USER_TOO_LONG) ,"user too long"},
204{0,NULL} 211{0,NULL}
205 }; 212 };
diff --git a/src/lib/libcrypto/x509v3/x509v3.h b/src/lib/libcrypto/x509v3/x509v3.h
index 9ef83da755..b308abe7cd 100644
--- a/src/lib/libcrypto/x509v3/x509v3.h
+++ b/src/lib/libcrypto/x509v3/x509v3.h
@@ -76,12 +76,19 @@ typedef void * (*X509V3_EXT_NEW)(void);
76typedef void (*X509V3_EXT_FREE)(void *); 76typedef void (*X509V3_EXT_FREE)(void *);
77typedef void * (*X509V3_EXT_D2I)(void *, const unsigned char ** , long); 77typedef void * (*X509V3_EXT_D2I)(void *, const unsigned char ** , long);
78typedef int (*X509V3_EXT_I2D)(void *, unsigned char **); 78typedef int (*X509V3_EXT_I2D)(void *, unsigned char **);
79typedef STACK_OF(CONF_VALUE) * (*X509V3_EXT_I2V)(struct v3_ext_method *method, void *ext, STACK_OF(CONF_VALUE) *extlist); 79typedef STACK_OF(CONF_VALUE) *
80typedef void * (*X509V3_EXT_V2I)(struct v3_ext_method *method, struct v3_ext_ctx *ctx, STACK_OF(CONF_VALUE) *values); 80 (*X509V3_EXT_I2V)(const struct v3_ext_method *method, void *ext,
81typedef char * (*X509V3_EXT_I2S)(struct v3_ext_method *method, void *ext); 81 STACK_OF(CONF_VALUE) *extlist);
82typedef void * (*X509V3_EXT_S2I)(struct v3_ext_method *method, struct v3_ext_ctx *ctx, const char *str); 82typedef void * (*X509V3_EXT_V2I)(const struct v3_ext_method *method,
83typedef int (*X509V3_EXT_I2R)(struct v3_ext_method *method, void *ext, BIO *out, int indent); 83 struct v3_ext_ctx *ctx,
84typedef void * (*X509V3_EXT_R2I)(struct v3_ext_method *method, struct v3_ext_ctx *ctx, const char *str); 84 STACK_OF(CONF_VALUE) *values);
85typedef char * (*X509V3_EXT_I2S)(const struct v3_ext_method *method, void *ext);
86typedef void * (*X509V3_EXT_S2I)(const struct v3_ext_method *method,
87 struct v3_ext_ctx *ctx, const char *str);
88typedef int (*X509V3_EXT_I2R)(const struct v3_ext_method *method, void *ext,
89 BIO *out, int indent);
90typedef void * (*X509V3_EXT_R2I)(const struct v3_ext_method *method,
91 struct v3_ext_ctx *ctx, const char *str);
85 92
86/* V3 extension structure */ 93/* V3 extension structure */
87 94
@@ -220,24 +227,41 @@ union {
220 GENERAL_NAMES *fullname; 227 GENERAL_NAMES *fullname;
221 STACK_OF(X509_NAME_ENTRY) *relativename; 228 STACK_OF(X509_NAME_ENTRY) *relativename;
222} name; 229} name;
230/* If relativename then this contains the full distribution point name */
231X509_NAME *dpname;
223} DIST_POINT_NAME; 232} DIST_POINT_NAME;
224 233/* All existing reasons */
225typedef struct DIST_POINT_st { 234#define CRLDP_ALL_REASONS 0x807f
235
236#define CRL_REASON_NONE -1
237#define CRL_REASON_UNSPECIFIED 0
238#define CRL_REASON_KEY_COMPROMISE 1
239#define CRL_REASON_CA_COMPROMISE 2
240#define CRL_REASON_AFFILIATION_CHANGED 3
241#define CRL_REASON_SUPERSEDED 4
242#define CRL_REASON_CESSATION_OF_OPERATION 5
243#define CRL_REASON_CERTIFICATE_HOLD 6
244#define CRL_REASON_REMOVE_FROM_CRL 8
245#define CRL_REASON_PRIVILEGE_WITHDRAWN 9
246#define CRL_REASON_AA_COMPROMISE 10
247
248struct DIST_POINT_st {
226DIST_POINT_NAME *distpoint; 249DIST_POINT_NAME *distpoint;
227ASN1_BIT_STRING *reasons; 250ASN1_BIT_STRING *reasons;
228GENERAL_NAMES *CRLissuer; 251GENERAL_NAMES *CRLissuer;
229} DIST_POINT; 252int dp_reasons;
253};
230 254
231typedef STACK_OF(DIST_POINT) CRL_DIST_POINTS; 255typedef STACK_OF(DIST_POINT) CRL_DIST_POINTS;
232 256
233DECLARE_STACK_OF(DIST_POINT) 257DECLARE_STACK_OF(DIST_POINT)
234DECLARE_ASN1_SET_OF(DIST_POINT) 258DECLARE_ASN1_SET_OF(DIST_POINT)
235 259
236typedef struct AUTHORITY_KEYID_st { 260struct AUTHORITY_KEYID_st {
237ASN1_OCTET_STRING *keyid; 261ASN1_OCTET_STRING *keyid;
238GENERAL_NAMES *issuer; 262GENERAL_NAMES *issuer;
239ASN1_INTEGER *serial; 263ASN1_INTEGER *serial;
240} AUTHORITY_KEYID; 264};
241 265
242/* Strong extranet structures */ 266/* Strong extranet structures */
243 267
@@ -303,10 +327,10 @@ typedef struct GENERAL_SUBTREE_st {
303 327
304DECLARE_STACK_OF(GENERAL_SUBTREE) 328DECLARE_STACK_OF(GENERAL_SUBTREE)
305 329
306typedef struct NAME_CONSTRAINTS_st { 330struct NAME_CONSTRAINTS_st {
307 STACK_OF(GENERAL_SUBTREE) *permittedSubtrees; 331 STACK_OF(GENERAL_SUBTREE) *permittedSubtrees;
308 STACK_OF(GENERAL_SUBTREE) *excludedSubtrees; 332 STACK_OF(GENERAL_SUBTREE) *excludedSubtrees;
309} NAME_CONSTRAINTS; 333};
310 334
311typedef struct POLICY_CONSTRAINTS_st { 335typedef struct POLICY_CONSTRAINTS_st {
312 ASN1_INTEGER *requireExplicitPolicy; 336 ASN1_INTEGER *requireExplicitPolicy;
@@ -329,6 +353,31 @@ typedef struct PROXY_CERT_INFO_EXTENSION_st
329DECLARE_ASN1_FUNCTIONS(PROXY_POLICY) 353DECLARE_ASN1_FUNCTIONS(PROXY_POLICY)
330DECLARE_ASN1_FUNCTIONS(PROXY_CERT_INFO_EXTENSION) 354DECLARE_ASN1_FUNCTIONS(PROXY_CERT_INFO_EXTENSION)
331 355
356struct ISSUING_DIST_POINT_st
357 {
358 DIST_POINT_NAME *distpoint;
359 int onlyuser;
360 int onlyCA;
361 ASN1_BIT_STRING *onlysomereasons;
362 int indirectCRL;
363 int onlyattr;
364 };
365
366/* Values in idp_flags field */
367/* IDP present */
368#define IDP_PRESENT 0x1
369/* IDP values inconsistent */
370#define IDP_INVALID 0x2
371/* onlyuser true */
372#define IDP_ONLYUSER 0x4
373/* onlyCA true */
374#define IDP_ONLYCA 0x8
375/* onlyattr true */
376#define IDP_ONLYATTR 0x10
377/* indirectCRL true */
378#define IDP_INDIRECT 0x20
379/* onlysomereasons present */
380#define IDP_REASONS 0x40
332 381
333#define X509V3_conf_err(val) ERR_add_error_data(6, "section:", val->section, \ 382#define X509V3_conf_err(val) ERR_add_error_data(6, "section:", val->section, \
334",name:", val->name, ",value:", val->value); 383",name:", val->name, ",value:", val->value);
@@ -373,6 +422,7 @@ DECLARE_ASN1_FUNCTIONS(PROXY_CERT_INFO_EXTENSION)
373#define EXFLAG_PROXY 0x400 422#define EXFLAG_PROXY 0x400
374 423
375#define EXFLAG_INVALID_POLICY 0x800 424#define EXFLAG_INVALID_POLICY 0x800
425#define EXFLAG_FRESHEST 0x1000
376 426
377#define KU_DIGITAL_SIGNATURE 0x0080 427#define KU_DIGITAL_SIGNATURE 0x0080
378#define KU_NON_REPUDIATION 0x0040 428#define KU_NON_REPUDIATION 0x0040
@@ -424,9 +474,10 @@ typedef struct x509_purpose_st {
424#define X509_PURPOSE_CRL_SIGN 6 474#define X509_PURPOSE_CRL_SIGN 6
425#define X509_PURPOSE_ANY 7 475#define X509_PURPOSE_ANY 7
426#define X509_PURPOSE_OCSP_HELPER 8 476#define X509_PURPOSE_OCSP_HELPER 8
477#define X509_PURPOSE_TIMESTAMP_SIGN 9
427 478
428#define X509_PURPOSE_MIN 1 479#define X509_PURPOSE_MIN 1
429#define X509_PURPOSE_MAX 8 480#define X509_PURPOSE_MAX 9
430 481
431/* Flags for X509V3_EXT_print() */ 482/* Flags for X509V3_EXT_print() */
432 483
@@ -471,6 +522,9 @@ DECLARE_ASN1_FUNCTIONS(AUTHORITY_KEYID)
471DECLARE_ASN1_FUNCTIONS(PKEY_USAGE_PERIOD) 522DECLARE_ASN1_FUNCTIONS(PKEY_USAGE_PERIOD)
472 523
473DECLARE_ASN1_FUNCTIONS(GENERAL_NAME) 524DECLARE_ASN1_FUNCTIONS(GENERAL_NAME)
525GENERAL_NAME *GENERAL_NAME_dup(GENERAL_NAME *a);
526int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b);
527
474 528
475 529
476ASN1_BIT_STRING *v2i_ASN1_BIT_STRING(X509V3_EXT_METHOD *method, 530ASN1_BIT_STRING *v2i_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
@@ -486,11 +540,18 @@ DECLARE_ASN1_FUNCTIONS(GENERAL_NAMES)
486 540
487STACK_OF(CONF_VALUE) *i2v_GENERAL_NAMES(X509V3_EXT_METHOD *method, 541STACK_OF(CONF_VALUE) *i2v_GENERAL_NAMES(X509V3_EXT_METHOD *method,
488 GENERAL_NAMES *gen, STACK_OF(CONF_VALUE) *extlist); 542 GENERAL_NAMES *gen, STACK_OF(CONF_VALUE) *extlist);
489GENERAL_NAMES *v2i_GENERAL_NAMES(X509V3_EXT_METHOD *method, 543GENERAL_NAMES *v2i_GENERAL_NAMES(const X509V3_EXT_METHOD *method,
490 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval); 544 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
491 545
492DECLARE_ASN1_FUNCTIONS(OTHERNAME) 546DECLARE_ASN1_FUNCTIONS(OTHERNAME)
493DECLARE_ASN1_FUNCTIONS(EDIPARTYNAME) 547DECLARE_ASN1_FUNCTIONS(EDIPARTYNAME)
548int OTHERNAME_cmp(OTHERNAME *a, OTHERNAME *b);
549void GENERAL_NAME_set0_value(GENERAL_NAME *a, int type, void *value);
550void *GENERAL_NAME_get0_value(GENERAL_NAME *a, int *ptype);
551int GENERAL_NAME_set0_othername(GENERAL_NAME *gen,
552 ASN1_OBJECT *oid, ASN1_TYPE *value);
553int GENERAL_NAME_get0_otherName(GENERAL_NAME *gen,
554 ASN1_OBJECT **poid, ASN1_TYPE **pvalue);
494 555
495char *i2s_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method, ASN1_OCTET_STRING *ia5); 556char *i2s_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method, ASN1_OCTET_STRING *ia5);
496ASN1_OCTET_STRING *s2i_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *str); 557ASN1_OCTET_STRING *s2i_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *str);
@@ -507,6 +568,11 @@ DECLARE_ASN1_FUNCTIONS(NOTICEREF)
507DECLARE_ASN1_FUNCTIONS(CRL_DIST_POINTS) 568DECLARE_ASN1_FUNCTIONS(CRL_DIST_POINTS)
508DECLARE_ASN1_FUNCTIONS(DIST_POINT) 569DECLARE_ASN1_FUNCTIONS(DIST_POINT)
509DECLARE_ASN1_FUNCTIONS(DIST_POINT_NAME) 570DECLARE_ASN1_FUNCTIONS(DIST_POINT_NAME)
571DECLARE_ASN1_FUNCTIONS(ISSUING_DIST_POINT)
572
573int DIST_POINT_set_dpname(DIST_POINT_NAME *dpn, X509_NAME *iname);
574
575int NAME_CONSTRAINTS_check(X509 *x, NAME_CONSTRAINTS *nc);
510 576
511DECLARE_ASN1_FUNCTIONS(ACCESS_DESCRIPTION) 577DECLARE_ASN1_FUNCTIONS(ACCESS_DESCRIPTION)
512DECLARE_ASN1_FUNCTIONS(AUTHORITY_INFO_ACCESS) 578DECLARE_ASN1_FUNCTIONS(AUTHORITY_INFO_ACCESS)
@@ -524,11 +590,16 @@ DECLARE_ASN1_ALLOC_FUNCTIONS(NAME_CONSTRAINTS)
524DECLARE_ASN1_ALLOC_FUNCTIONS(POLICY_CONSTRAINTS) 590DECLARE_ASN1_ALLOC_FUNCTIONS(POLICY_CONSTRAINTS)
525DECLARE_ASN1_ITEM(POLICY_CONSTRAINTS) 591DECLARE_ASN1_ITEM(POLICY_CONSTRAINTS)
526 592
593GENERAL_NAME *a2i_GENERAL_NAME(GENERAL_NAME *out,
594 const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
595 int gen_type, char *value, int is_nc);
596
527#ifdef HEADER_CONF_H 597#ifdef HEADER_CONF_H
528GENERAL_NAME *v2i_GENERAL_NAME(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, 598GENERAL_NAME *v2i_GENERAL_NAME(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
529 CONF_VALUE *cnf); 599 CONF_VALUE *cnf);
530GENERAL_NAME *v2i_GENERAL_NAME_ex(GENERAL_NAME *out, X509V3_EXT_METHOD *method, 600GENERAL_NAME *v2i_GENERAL_NAME_ex(GENERAL_NAME *out,
531 X509V3_CTX *ctx, CONF_VALUE *cnf, int is_nc); 601 const X509V3_EXT_METHOD *method,
602 X509V3_CTX *ctx, CONF_VALUE *cnf, int is_nc);
532void X509V3_conf_free(CONF_VALUE *val); 603void X509V3_conf_free(CONF_VALUE *val);
533 604
534X509_EXTENSION *X509V3_EXT_nconf_nid(CONF *conf, X509V3_CTX *ctx, int ext_nid, char *value); 605X509_EXTENSION *X509V3_EXT_nconf_nid(CONF *conf, X509V3_CTX *ctx, int ext_nid, char *value);
@@ -538,18 +609,23 @@ int X509V3_EXT_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section, X509 *cert)
538int X509V3_EXT_REQ_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section, X509_REQ *req); 609int X509V3_EXT_REQ_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section, X509_REQ *req);
539int X509V3_EXT_CRL_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section, X509_CRL *crl); 610int X509V3_EXT_CRL_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section, X509_CRL *crl);
540 611
541X509_EXTENSION *X509V3_EXT_conf_nid(LHASH *conf, X509V3_CTX *ctx, int ext_nid, char *value); 612X509_EXTENSION *X509V3_EXT_conf_nid(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
542X509_EXTENSION *X509V3_EXT_conf(LHASH *conf, X509V3_CTX *ctx, char *name, char *value); 613 int ext_nid, char *value);
543int X509V3_EXT_add_conf(LHASH *conf, X509V3_CTX *ctx, char *section, X509 *cert); 614X509_EXTENSION *X509V3_EXT_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
544int X509V3_EXT_REQ_add_conf(LHASH *conf, X509V3_CTX *ctx, char *section, X509_REQ *req); 615 char *name, char *value);
545int X509V3_EXT_CRL_add_conf(LHASH *conf, X509V3_CTX *ctx, char *section, X509_CRL *crl); 616int X509V3_EXT_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
617 char *section, X509 *cert);
618int X509V3_EXT_REQ_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
619 char *section, X509_REQ *req);
620int X509V3_EXT_CRL_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
621 char *section, X509_CRL *crl);
546 622
547int X509V3_add_value_bool_nf(char *name, int asn1_bool, 623int X509V3_add_value_bool_nf(char *name, int asn1_bool,
548 STACK_OF(CONF_VALUE) **extlist); 624 STACK_OF(CONF_VALUE) **extlist);
549int X509V3_get_value_bool(CONF_VALUE *value, int *asn1_bool); 625int X509V3_get_value_bool(CONF_VALUE *value, int *asn1_bool);
550int X509V3_get_value_int(CONF_VALUE *value, ASN1_INTEGER **aint); 626int X509V3_get_value_int(CONF_VALUE *value, ASN1_INTEGER **aint);
551void X509V3_set_nconf(X509V3_CTX *ctx, CONF *conf); 627void X509V3_set_nconf(X509V3_CTX *ctx, CONF *conf);
552void X509V3_set_conf_lhash(X509V3_CTX *ctx, LHASH *lhash); 628void X509V3_set_conf_lhash(X509V3_CTX *ctx, LHASH_OF(CONF_VALUE) *lhash);
553#endif 629#endif
554 630
555char * X509V3_get_string(X509V3_CTX *ctx, char *name, char *section); 631char * X509V3_get_string(X509V3_CTX *ctx, char *name, char *section);
@@ -576,8 +652,8 @@ int X509V3_EXT_add_list(X509V3_EXT_METHOD *extlist);
576int X509V3_EXT_add_alias(int nid_to, int nid_from); 652int X509V3_EXT_add_alias(int nid_to, int nid_from);
577void X509V3_EXT_cleanup(void); 653void X509V3_EXT_cleanup(void);
578 654
579X509V3_EXT_METHOD *X509V3_EXT_get(X509_EXTENSION *ext); 655const X509V3_EXT_METHOD *X509V3_EXT_get(X509_EXTENSION *ext);
580X509V3_EXT_METHOD *X509V3_EXT_get_nid(int nid); 656const X509V3_EXT_METHOD *X509V3_EXT_get_nid(int nid);
581int X509V3_add_standard_extensions(void); 657int X509V3_add_standard_extensions(void);
582STACK_OF(CONF_VALUE) *X509V3_parse_list(const char *line); 658STACK_OF(CONF_VALUE) *X509V3_parse_list(const char *line);
583void *X509V3_EXT_d2i(X509_EXTENSION *ext); 659void *X509V3_EXT_d2i(X509_EXTENSION *ext);
@@ -587,8 +663,8 @@ void *X509V3_get_d2i(STACK_OF(X509_EXTENSION) *x, int nid, int *crit, int *idx);
587X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, void *ext_struc); 663X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, void *ext_struc);
588int X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value, int crit, unsigned long flags); 664int X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value, int crit, unsigned long flags);
589 665
590char *hex_to_string(unsigned char *buffer, long len); 666char *hex_to_string(const unsigned char *buffer, long len);
591unsigned char *string_to_hex(char *str, long *len); 667unsigned char *string_to_hex(const char *str, long *len);
592int name_cmp(const char *name, const char *cmp); 668int name_cmp(const char *name, const char *cmp);
593 669
594void X509V3_EXT_val_prn(BIO *out, STACK_OF(CONF_VALUE) *val, int indent, 670void X509V3_EXT_val_prn(BIO *out, STACK_OF(CONF_VALUE) *val, int indent,
@@ -603,6 +679,7 @@ int X509_check_purpose(X509 *x, int id, int ca);
603int X509_supported_extension(X509_EXTENSION *ex); 679int X509_supported_extension(X509_EXTENSION *ex);
604int X509_PURPOSE_set(int *p, int purpose); 680int X509_PURPOSE_set(int *p, int purpose);
605int X509_check_issued(X509 *issuer, X509 *subject); 681int X509_check_issued(X509 *issuer, X509 *subject);
682int X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid);
606int X509_PURPOSE_get_count(void); 683int X509_PURPOSE_get_count(void);
607X509_PURPOSE * X509_PURPOSE_get0(int idx); 684X509_PURPOSE * X509_PURPOSE_get0(int idx);
608int X509_PURPOSE_get_by_sname(char *sname); 685int X509_PURPOSE_get_by_sname(char *sname);
@@ -616,10 +693,10 @@ int X509_PURPOSE_get_trust(X509_PURPOSE *xp);
616void X509_PURPOSE_cleanup(void); 693void X509_PURPOSE_cleanup(void);
617int X509_PURPOSE_get_id(X509_PURPOSE *); 694int X509_PURPOSE_get_id(X509_PURPOSE *);
618 695
619STACK *X509_get1_email(X509 *x); 696STACK_OF(OPENSSL_STRING) *X509_get1_email(X509 *x);
620STACK *X509_REQ_get1_email(X509_REQ *x); 697STACK_OF(OPENSSL_STRING) *X509_REQ_get1_email(X509_REQ *x);
621void X509_email_free(STACK *sk); 698void X509_email_free(STACK_OF(OPENSSL_STRING) *sk);
622STACK *X509_get1_ocsp(X509 *x); 699STACK_OF(OPENSSL_STRING) *X509_get1_ocsp(X509 *x);
623 700
624ASN1_OCTET_STRING *a2i_IPADDRESS(const char *ipasc); 701ASN1_OCTET_STRING *a2i_IPADDRESS(const char *ipasc);
625ASN1_OCTET_STRING *a2i_IPADDRESS_NC(const char *ipasc); 702ASN1_OCTET_STRING *a2i_IPADDRESS_NC(const char *ipasc);
@@ -628,6 +705,7 @@ int X509V3_NAME_from_section(X509_NAME *nm, STACK_OF(CONF_VALUE)*dn_sk,
628 unsigned long chtype); 705 unsigned long chtype);
629 706
630void X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent); 707void X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent);
708DECLARE_STACK_OF(X509_POLICY_NODE)
631 709
632#ifndef OPENSSL_NO_RFC3779 710#ifndef OPENSSL_NO_RFC3779
633 711
@@ -787,8 +865,9 @@ void ERR_load_X509V3_strings(void);
787/* Error codes for the X509V3 functions. */ 865/* Error codes for the X509V3 functions. */
788 866
789/* Function codes. */ 867/* Function codes. */
790#define X509V3_F_ASIDENTIFIERCHOICE_CANONIZE 156 868#define X509V3_F_A2I_GENERAL_NAME 164
791#define X509V3_F_ASIDENTIFIERCHOICE_IS_CANONICAL 157 869#define X509V3_F_ASIDENTIFIERCHOICE_CANONIZE 161
870#define X509V3_F_ASIDENTIFIERCHOICE_IS_CANONICAL 162
792#define X509V3_F_COPY_EMAIL 122 871#define X509V3_F_COPY_EMAIL 122
793#define X509V3_F_COPY_ISSUER 123 872#define X509V3_F_COPY_ISSUER 123
794#define X509V3_F_DO_DIRNAME 144 873#define X509V3_F_DO_DIRNAME 144
@@ -796,6 +875,7 @@ void ERR_load_X509V3_strings(void);
796#define X509V3_F_DO_EXT_I2D 135 875#define X509V3_F_DO_EXT_I2D 135
797#define X509V3_F_DO_EXT_NCONF 151 876#define X509V3_F_DO_EXT_NCONF 151
798#define X509V3_F_DO_I2V_NAME_CONSTRAINTS 148 877#define X509V3_F_DO_I2V_NAME_CONSTRAINTS 148
878#define X509V3_F_GNAMES_FROM_SECTNAME 156
799#define X509V3_F_HEX_TO_STRING 111 879#define X509V3_F_HEX_TO_STRING 111
800#define X509V3_F_I2S_ASN1_ENUMERATED 121 880#define X509V3_F_I2S_ASN1_ENUMERATED 121
801#define X509V3_F_I2S_ASN1_IA5STRING 149 881#define X509V3_F_I2S_ASN1_IA5STRING 149
@@ -812,13 +892,14 @@ void ERR_load_X509V3_strings(void);
812#define X509V3_F_S2I_ASN1_OCTET_STRING 112 892#define X509V3_F_S2I_ASN1_OCTET_STRING 112
813#define X509V3_F_S2I_ASN1_SKEY_ID 114 893#define X509V3_F_S2I_ASN1_SKEY_ID 114
814#define X509V3_F_S2I_SKEY_ID 115 894#define X509V3_F_S2I_SKEY_ID 115
895#define X509V3_F_SET_DIST_POINT_NAME 158
815#define X509V3_F_STRING_TO_HEX 113 896#define X509V3_F_STRING_TO_HEX 113
816#define X509V3_F_SXNET_ADD_ID_ASC 125 897#define X509V3_F_SXNET_ADD_ID_ASC 125
817#define X509V3_F_SXNET_ADD_ID_INTEGER 126 898#define X509V3_F_SXNET_ADD_ID_INTEGER 126
818#define X509V3_F_SXNET_ADD_ID_ULONG 127 899#define X509V3_F_SXNET_ADD_ID_ULONG 127
819#define X509V3_F_SXNET_GET_ID_ASC 128 900#define X509V3_F_SXNET_GET_ID_ASC 128
820#define X509V3_F_SXNET_GET_ID_ULONG 129 901#define X509V3_F_SXNET_GET_ID_ULONG 129
821#define X509V3_F_V2I_ASIDENTIFIERS 158 902#define X509V3_F_V2I_ASIDENTIFIERS 163
822#define X509V3_F_V2I_ASN1_BIT_STRING 101 903#define X509V3_F_V2I_ASN1_BIT_STRING 101
823#define X509V3_F_V2I_AUTHORITY_INFO_ACCESS 139 904#define X509V3_F_V2I_AUTHORITY_INFO_ACCESS 139
824#define X509V3_F_V2I_AUTHORITY_KEYID 119 905#define X509V3_F_V2I_AUTHORITY_KEYID 119
@@ -827,6 +908,7 @@ void ERR_load_X509V3_strings(void);
827#define X509V3_F_V2I_EXTENDED_KEY_USAGE 103 908#define X509V3_F_V2I_EXTENDED_KEY_USAGE 103
828#define X509V3_F_V2I_GENERAL_NAMES 118 909#define X509V3_F_V2I_GENERAL_NAMES 118
829#define X509V3_F_V2I_GENERAL_NAME_EX 117 910#define X509V3_F_V2I_GENERAL_NAME_EX 117
911#define X509V3_F_V2I_IDP 157
830#define X509V3_F_V2I_IPADDRBLOCKS 159 912#define X509V3_F_V2I_IPADDRBLOCKS 159
831#define X509V3_F_V2I_ISSUER_ALT 153 913#define X509V3_F_V2I_ISSUER_ALT 153
832#define X509V3_F_V2I_NAME_CONSTRAINTS 147 914#define X509V3_F_V2I_NAME_CONSTRAINTS 147
@@ -855,6 +937,7 @@ void ERR_load_X509V3_strings(void);
855#define X509V3_R_BN_DEC2BN_ERROR 100 937#define X509V3_R_BN_DEC2BN_ERROR 100
856#define X509V3_R_BN_TO_ASN1_INTEGER_ERROR 101 938#define X509V3_R_BN_TO_ASN1_INTEGER_ERROR 101
857#define X509V3_R_DIRNAME_ERROR 149 939#define X509V3_R_DIRNAME_ERROR 149
940#define X509V3_R_DISTPOINT_ALREADY_SET 160
858#define X509V3_R_DUPLICATE_ZONE_ID 133 941#define X509V3_R_DUPLICATE_ZONE_ID 133
859#define X509V3_R_ERROR_CONVERTING_ZONE 131 942#define X509V3_R_ERROR_CONVERTING_ZONE 131
860#define X509V3_R_ERROR_CREATING_EXTENSION 144 943#define X509V3_R_ERROR_CREATING_EXTENSION 144
@@ -868,12 +951,13 @@ void ERR_load_X509V3_strings(void);
868#define X509V3_R_ILLEGAL_EMPTY_EXTENSION 151 951#define X509V3_R_ILLEGAL_EMPTY_EXTENSION 151
869#define X509V3_R_ILLEGAL_HEX_DIGIT 113 952#define X509V3_R_ILLEGAL_HEX_DIGIT 113
870#define X509V3_R_INCORRECT_POLICY_SYNTAX_TAG 152 953#define X509V3_R_INCORRECT_POLICY_SYNTAX_TAG 152
871#define X509V3_R_INVALID_ASNUMBER 160 954#define X509V3_R_INVALID_MULTIPLE_RDNS 161
872#define X509V3_R_INVALID_ASRANGE 161 955#define X509V3_R_INVALID_ASNUMBER 162
956#define X509V3_R_INVALID_ASRANGE 163
873#define X509V3_R_INVALID_BOOLEAN_STRING 104 957#define X509V3_R_INVALID_BOOLEAN_STRING 104
874#define X509V3_R_INVALID_EXTENSION_STRING 105 958#define X509V3_R_INVALID_EXTENSION_STRING 105
875#define X509V3_R_INVALID_INHERITANCE 162 959#define X509V3_R_INVALID_INHERITANCE 165
876#define X509V3_R_INVALID_IPADDRESS 163 960#define X509V3_R_INVALID_IPADDRESS 166
877#define X509V3_R_INVALID_NAME 106 961#define X509V3_R_INVALID_NAME 106
878#define X509V3_R_INVALID_NULL_ARGUMENT 107 962#define X509V3_R_INVALID_NULL_ARGUMENT 107
879#define X509V3_R_INVALID_NULL_NAME 108 963#define X509V3_R_INVALID_NULL_NAME 108
@@ -901,9 +985,9 @@ void ERR_load_X509V3_strings(void);
901#define X509V3_R_ODD_NUMBER_OF_DIGITS 112 985#define X509V3_R_ODD_NUMBER_OF_DIGITS 112
902#define X509V3_R_OPERATION_NOT_DEFINED 148 986#define X509V3_R_OPERATION_NOT_DEFINED 148
903#define X509V3_R_OTHERNAME_ERROR 147 987#define X509V3_R_OTHERNAME_ERROR 147
904#define X509V3_R_POLICY_LANGUAGE_ALREADTY_DEFINED 155 988#define X509V3_R_POLICY_LANGUAGE_ALREADY_DEFINED 155
905#define X509V3_R_POLICY_PATH_LENGTH 156 989#define X509V3_R_POLICY_PATH_LENGTH 156
906#define X509V3_R_POLICY_PATH_LENGTH_ALREADTY_DEFINED 157 990#define X509V3_R_POLICY_PATH_LENGTH_ALREADY_DEFINED 157
907#define X509V3_R_POLICY_SYNTAX_NOT_CURRENTLY_SUPPORTED 158 991#define X509V3_R_POLICY_SYNTAX_NOT_CURRENTLY_SUPPORTED 158
908#define X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY 159 992#define X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY 159
909#define X509V3_R_SECTION_NOT_FOUND 150 993#define X509V3_R_SECTION_NOT_FOUND 150
@@ -914,6 +998,7 @@ void ERR_load_X509V3_strings(void);
914#define X509V3_R_UNKNOWN_EXTENSION_NAME 130 998#define X509V3_R_UNKNOWN_EXTENSION_NAME 130
915#define X509V3_R_UNKNOWN_OPTION 120 999#define X509V3_R_UNKNOWN_OPTION 120
916#define X509V3_R_UNSUPPORTED_OPTION 117 1000#define X509V3_R_UNSUPPORTED_OPTION 117
1001#define X509V3_R_UNSUPPORTED_TYPE 167
917#define X509V3_R_USER_TOO_LONG 132 1002#define X509V3_R_USER_TOO_LONG 132
918 1003
919#ifdef __cplusplus 1004#ifdef __cplusplus
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2026-02-19 20:27:47 +0000