summaryrefslogtreecommitdiff
path: root/src/lib/libssl/src
diff options
context:
space:
mode:
authorjsing <>2014-05-26 12:10:11 +0000
committerjsing <>2014-05-26 12:10:11 +0000
commit33d783c1622ba04dd4fa76702755414fdb7ab824 (patch)
tree1adbb75e5e24e4d93c2bd12fb748f9eb26f2d739 /src/lib/libssl/src
parent91d87cc338cea3fa53756c9f6b9121893ac9ca27 (diff)
downloadopenbsd-33d783c1622ba04dd4fa76702755414fdb7ab824.tar.gz
openbsd-33d783c1622ba04dd4fa76702755414fdb7ab824.tar.bz2
openbsd-33d783c1622ba04dd4fa76702755414fdb7ab824.zip
KNF.
Diffstat (limited to 'src/lib/libssl/src')
-rw-r--r--src/lib/libssl/src/crypto/x509v3/v3_pci.c309
-rw-r--r--src/lib/libssl/src/crypto/x509v3/v3_pcia.c15
-rw-r--r--src/lib/libssl/src/crypto/x509v3/v3_pcons.c74
-rw-r--r--src/lib/libssl/src/crypto/x509v3/v3_pku.c27
-rw-r--r--src/lib/libssl/src/crypto/x509v3/v3_pmaps.c51
-rw-r--r--src/lib/libssl/src/crypto/x509v3/v3_prn.c168
-rw-r--r--src/lib/libssl/src/crypto/x509v3/v3_purp.c550
7 files changed, 656 insertions, 538 deletions
diff --git a/src/lib/libssl/src/crypto/x509v3/v3_pci.c b/src/lib/libssl/src/crypto/x509v3/v3_pci.c
index 9cef94258c..ab09a36436 100644
--- a/src/lib/libssl/src/crypto/x509v3/v3_pci.c
+++ b/src/lib/libssl/src/crypto/x509v3/v3_pci.c
@@ -40,209 +40,196 @@
40#include <openssl/x509v3.h> 40#include <openssl/x509v3.h>
41 41
42static int i2r_pci(X509V3_EXT_METHOD *method, PROXY_CERT_INFO_EXTENSION *ext, 42static int i2r_pci(X509V3_EXT_METHOD *method, PROXY_CERT_INFO_EXTENSION *ext,
43 BIO *out, int indent); 43 BIO *out, int indent);
44static PROXY_CERT_INFO_EXTENSION *r2i_pci(X509V3_EXT_METHOD *method, 44static PROXY_CERT_INFO_EXTENSION *r2i_pci(X509V3_EXT_METHOD *method,
45 X509V3_CTX *ctx, char *str); 45 X509V3_CTX *ctx, char *str);
46 46
47const X509V3_EXT_METHOD v3_pci = 47const X509V3_EXT_METHOD v3_pci = {
48 { NID_proxyCertInfo, 0, ASN1_ITEM_ref(PROXY_CERT_INFO_EXTENSION), 48 NID_proxyCertInfo, 0, ASN1_ITEM_ref(PROXY_CERT_INFO_EXTENSION),
49 0,0,0,0, 49 0, 0, 0, 0, 0, 0, NULL, NULL,
50 0,0, 50 (X509V3_EXT_I2R)i2r_pci,
51 NULL, NULL, 51 (X509V3_EXT_R2I)r2i_pci,
52 (X509V3_EXT_I2R)i2r_pci, 52 NULL,
53 (X509V3_EXT_R2I)r2i_pci, 53};
54 NULL,
55 };
56 54
57static int i2r_pci(X509V3_EXT_METHOD *method, PROXY_CERT_INFO_EXTENSION *pci, 55static int
58 BIO *out, int indent) 56i2r_pci(X509V3_EXT_METHOD *method, PROXY_CERT_INFO_EXTENSION *pci, BIO *out,
59 { 57 int indent)
58{
60 BIO_printf(out, "%*sPath Length Constraint: ", indent, ""); 59 BIO_printf(out, "%*sPath Length Constraint: ", indent, "");
61 if (pci->pcPathLengthConstraint) 60 if (pci->pcPathLengthConstraint)
62 i2a_ASN1_INTEGER(out, pci->pcPathLengthConstraint); 61 i2a_ASN1_INTEGER(out, pci->pcPathLengthConstraint);
63 else 62 else
64 BIO_printf(out, "infinite"); 63 BIO_printf(out, "infinite");
65 BIO_puts(out, "\n"); 64 BIO_puts(out, "\n");
66 BIO_printf(out, "%*sPolicy Language: ", indent, ""); 65 BIO_printf(out, "%*sPolicy Language: ", indent, "");
67 i2a_ASN1_OBJECT(out, pci->proxyPolicy->policyLanguage); 66 i2a_ASN1_OBJECT(out, pci->proxyPolicy->policyLanguage);
68 BIO_puts(out, "\n"); 67 BIO_puts(out, "\n");
69 if (pci->proxyPolicy->policy && pci->proxyPolicy->policy->data) 68 if (pci->proxyPolicy->policy && pci->proxyPolicy->policy->data)
70 BIO_printf(out, "%*sPolicy Text: %s\n", indent, "", 69 BIO_printf(out, "%*sPolicy Text: %s\n", indent, "",
71 pci->proxyPolicy->policy->data); 70 pci->proxyPolicy->policy->data);
72 return 1; 71 return 1;
73 } 72}
74 73
75static int process_pci_value(CONF_VALUE *val, 74static int
76 ASN1_OBJECT **language, ASN1_INTEGER **pathlen, 75process_pci_value(CONF_VALUE *val, ASN1_OBJECT **language,
77 ASN1_OCTET_STRING **policy) 76 ASN1_INTEGER **pathlen, ASN1_OCTET_STRING **policy)
78 { 77{
79 int free_policy = 0; 78 int free_policy = 0;
80 79
81 if (strcmp(val->name, "language") == 0) 80 if (strcmp(val->name, "language") == 0) {
82 { 81 if (*language) {
83 if (*language) 82 X509V3err(X509V3_F_PROCESS_PCI_VALUE,
84 { 83 X509V3_R_POLICY_LANGUAGE_ALREADY_DEFINED);
85 X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_POLICY_LANGUAGE_ALREADY_DEFINED);
86 X509V3_conf_err(val); 84 X509V3_conf_err(val);
87 return 0; 85 return 0;
88 } 86 }
89 if (!(*language = OBJ_txt2obj(val->value, 0))) 87 if (!(*language = OBJ_txt2obj(val->value, 0))) {
90 { 88 X509V3err(X509V3_F_PROCESS_PCI_VALUE,
91 X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_INVALID_OBJECT_IDENTIFIER); 89 X509V3_R_INVALID_OBJECT_IDENTIFIER);
92 X509V3_conf_err(val); 90 X509V3_conf_err(val);
93 return 0; 91 return 0;
94 }
95 } 92 }
96 else if (strcmp(val->name, "pathlen") == 0) 93 }
97 { 94 else if (strcmp(val->name, "pathlen") == 0) {
98 if (*pathlen) 95 if (*pathlen) {
99 { 96 X509V3err(X509V3_F_PROCESS_PCI_VALUE,
100 X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_POLICY_PATH_LENGTH_ALREADY_DEFINED); 97 X509V3_R_POLICY_PATH_LENGTH_ALREADY_DEFINED);
101 X509V3_conf_err(val); 98 X509V3_conf_err(val);
102 return 0; 99 return 0;
103 } 100 }
104 if (!X509V3_get_value_int(val, pathlen)) 101 if (!X509V3_get_value_int(val, pathlen)) {
105 { 102 X509V3err(X509V3_F_PROCESS_PCI_VALUE,
106 X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_POLICY_PATH_LENGTH); 103 X509V3_R_POLICY_PATH_LENGTH);
107 X509V3_conf_err(val); 104 X509V3_conf_err(val);
108 return 0; 105 return 0;
109 }
110 } 106 }
111 else if (strcmp(val->name, "policy") == 0) 107 }
112 { 108 else if (strcmp(val->name, "policy") == 0) {
113 unsigned char *tmp_data = NULL; 109 unsigned char *tmp_data = NULL;
114 long val_len; 110 long val_len;
115 if (!*policy) 111 if (!*policy) {
116 {
117 *policy = ASN1_OCTET_STRING_new(); 112 *policy = ASN1_OCTET_STRING_new();
118 if (!*policy) 113 if (!*policy) {
119 { 114 X509V3err(X509V3_F_PROCESS_PCI_VALUE,
120 X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_MALLOC_FAILURE); 115 ERR_R_MALLOC_FAILURE);
121 X509V3_conf_err(val); 116 X509V3_conf_err(val);
122 return 0; 117 return 0;
123 }
124 free_policy = 1;
125 } 118 }
126 if (strncmp(val->value, "hex:", 4) == 0) 119 free_policy = 1;
127 { 120 }
121 if (strncmp(val->value, "hex:", 4) == 0) {
128 unsigned char *tmp_data2 = 122 unsigned char *tmp_data2 =
129 string_to_hex(val->value + 4, &val_len); 123 string_to_hex(val->value + 4, &val_len);
130 124
131 if (!tmp_data2) 125 if (!tmp_data2) {
132 { 126 X509V3err(X509V3_F_PROCESS_PCI_VALUE,
133 X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_ILLEGAL_HEX_DIGIT); 127 X509V3_R_ILLEGAL_HEX_DIGIT);
134 X509V3_conf_err(val); 128 X509V3_conf_err(val);
135 goto err; 129 goto err;
136 } 130 }
137 131
138 tmp_data = realloc((*policy)->data, 132 tmp_data = realloc((*policy)->data,
139 (*policy)->length + val_len + 1); 133 (*policy)->length + val_len + 1);
140 if (tmp_data) 134 if (tmp_data) {
141 {
142 (*policy)->data = tmp_data; 135 (*policy)->data = tmp_data;
143 memcpy(&(*policy)->data[(*policy)->length], 136 memcpy(&(*policy)->data[(*policy)->length],
144 tmp_data2, val_len); 137 tmp_data2, val_len);
145 (*policy)->length += val_len; 138 (*policy)->length += val_len;
146 (*policy)->data[(*policy)->length] = '\0'; 139 (*policy)->data[(*policy)->length] = '\0';
147 } 140 } else {
148 else
149 {
150 free(tmp_data2); 141 free(tmp_data2);
151 /* realloc failure implies the original data space is b0rked too! */ 142 /* realloc failure implies the original data space is b0rked too! */
152 (*policy)->data = NULL; 143 (*policy)->data = NULL;
153 (*policy)->length = 0; 144 (*policy)->length = 0;
154 X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_MALLOC_FAILURE); 145 X509V3err(X509V3_F_PROCESS_PCI_VALUE,
146 ERR_R_MALLOC_FAILURE);
155 X509V3_conf_err(val); 147 X509V3_conf_err(val);
156 goto err; 148 goto err;
157 }
158 free(tmp_data2);
159 } 149 }
160 else if (strncmp(val->value, "file:", 5) == 0) 150 free(tmp_data2);
161 { 151 }
152 else if (strncmp(val->value, "file:", 5) == 0) {
162 unsigned char buf[2048]; 153 unsigned char buf[2048];
163 int n; 154 int n;
164 BIO *b = BIO_new_file(val->value + 5, "r"); 155 BIO *b = BIO_new_file(val->value + 5, "r");
165 if (!b) 156 if (!b) {
166 { 157 X509V3err(X509V3_F_PROCESS_PCI_VALUE,
167 X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_BIO_LIB); 158 ERR_R_BIO_LIB);
168 X509V3_conf_err(val); 159 X509V3_conf_err(val);
169 goto err; 160 goto err;
170 } 161 }
171 while((n = BIO_read(b, buf, sizeof(buf))) > 0 162 while ((n = BIO_read(b, buf, sizeof(buf))) > 0 ||
172 || (n == 0 && BIO_should_retry(b))) 163 (n == 0 && BIO_should_retry(b))) {
173 { 164 if (!n)
174 if (!n) continue; 165 continue;
175 166
176 tmp_data = realloc((*policy)->data, 167 tmp_data = realloc((*policy)->data,
177 (*policy)->length + n + 1); 168 (*policy)->length + n + 1);
178 169
179 if (!tmp_data) 170 if (!tmp_data)
180 break; 171 break;
181 172
182 (*policy)->data = tmp_data; 173 (*policy)->data = tmp_data;
183 memcpy(&(*policy)->data[(*policy)->length], 174 memcpy(&(*policy)->data[(*policy)->length],
184 buf, n); 175 buf, n);
185 (*policy)->length += n; 176 (*policy)->length += n;
186 (*policy)->data[(*policy)->length] = '\0'; 177 (*policy)->data[(*policy)->length] = '\0';
187 } 178 }
188 BIO_free_all(b); 179 BIO_free_all(b);
189 180
190 if (n < 0) 181 if (n < 0) {
191 { 182 X509V3err(X509V3_F_PROCESS_PCI_VALUE,
192 X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_BIO_LIB); 183 ERR_R_BIO_LIB);
193 X509V3_conf_err(val); 184 X509V3_conf_err(val);
194 goto err; 185 goto err;
195 }
196 } 186 }
197 else if (strncmp(val->value, "text:", 5) == 0) 187 }
198 { 188 else if (strncmp(val->value, "text:", 5) == 0) {
199 val_len = strlen(val->value + 5); 189 val_len = strlen(val->value + 5);
200 tmp_data = realloc((*policy)->data, 190 tmp_data = realloc((*policy)->data,
201 (*policy)->length + val_len + 1); 191 (*policy)->length + val_len + 1);
202 if (tmp_data) 192 if (tmp_data) {
203 {
204 (*policy)->data = tmp_data; 193 (*policy)->data = tmp_data;
205 memcpy(&(*policy)->data[(*policy)->length], 194 memcpy(&(*policy)->data[(*policy)->length],
206 val->value + 5, val_len); 195 val->value + 5, val_len);
207 (*policy)->length += val_len; 196 (*policy)->length += val_len;
208 (*policy)->data[(*policy)->length] = '\0'; 197 (*policy)->data[(*policy)->length] = '\0';
209 } 198 } else {
210 else
211 {
212 /* realloc failure implies the original data space is b0rked too! */ 199 /* realloc failure implies the original data space is b0rked too! */
213 (*policy)->data = NULL; 200 (*policy)->data = NULL;
214 (*policy)->length = 0; 201 (*policy)->length = 0;
215 X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_MALLOC_FAILURE); 202 X509V3err(X509V3_F_PROCESS_PCI_VALUE,
203 ERR_R_MALLOC_FAILURE);
216 X509V3_conf_err(val); 204 X509V3_conf_err(val);
217 goto err; 205 goto err;
218 }
219 } 206 }
220 else 207 } else {
221 { 208 X509V3err(X509V3_F_PROCESS_PCI_VALUE,
222 X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_INCORRECT_POLICY_SYNTAX_TAG); 209 X509V3_R_INCORRECT_POLICY_SYNTAX_TAG);
223 X509V3_conf_err(val); 210 X509V3_conf_err(val);
224 goto err; 211 goto err;
225 } 212 }
226 if (!tmp_data) 213 if (!tmp_data) {
227 { 214 X509V3err(X509V3_F_PROCESS_PCI_VALUE,
228 X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_MALLOC_FAILURE); 215 ERR_R_MALLOC_FAILURE);
229 X509V3_conf_err(val); 216 X509V3_conf_err(val);
230 goto err; 217 goto err;
231 }
232 } 218 }
219 }
233 return 1; 220 return 1;
221
234err: 222err:
235 if (free_policy) 223 if (free_policy) {
236 {
237 ASN1_OCTET_STRING_free(*policy); 224 ASN1_OCTET_STRING_free(*policy);
238 *policy = NULL; 225 *policy = NULL;
239 }
240 return 0;
241 } 226 }
227 return 0;
228}
242 229
243static PROXY_CERT_INFO_EXTENSION *r2i_pci(X509V3_EXT_METHOD *method, 230static PROXY_CERT_INFO_EXTENSION *
244 X509V3_CTX *ctx, char *value) 231r2i_pci(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *value)
245 { 232{
246 PROXY_CERT_INFO_EXTENSION *pci = NULL; 233 PROXY_CERT_INFO_EXTENSION *pci = NULL;
247 STACK_OF(CONF_VALUE) *vals; 234 STACK_OF(CONF_VALUE) *vals;
248 ASN1_OBJECT *language = NULL; 235 ASN1_OBJECT *language = NULL;
@@ -251,78 +238,88 @@ static PROXY_CERT_INFO_EXTENSION *r2i_pci(X509V3_EXT_METHOD *method,
251 int i, j; 238 int i, j;
252 239
253 vals = X509V3_parse_list(value); 240 vals = X509V3_parse_list(value);
254 for (i = 0; i < sk_CONF_VALUE_num(vals); i++) 241 for (i = 0; i < sk_CONF_VALUE_num(vals); i++) {
255 {
256 CONF_VALUE *cnf = sk_CONF_VALUE_value(vals, i); 242 CONF_VALUE *cnf = sk_CONF_VALUE_value(vals, i);
257 if (!cnf->name || (*cnf->name != '@' && !cnf->value)) 243 if (!cnf->name || (*cnf->name != '@' && !cnf->value)) {
258 { 244 X509V3err(X509V3_F_R2I_PCI,
259 X509V3err(X509V3_F_R2I_PCI,X509V3_R_INVALID_PROXY_POLICY_SETTING); 245 X509V3_R_INVALID_PROXY_POLICY_SETTING);
260 X509V3_conf_err(cnf); 246 X509V3_conf_err(cnf);
261 goto err; 247 goto err;
262 } 248 }
263 if (*cnf->name == '@') 249 if (*cnf->name == '@') {
264 {
265 STACK_OF(CONF_VALUE) *sect; 250 STACK_OF(CONF_VALUE) *sect;
266 int success_p = 1; 251 int success_p = 1;
267 252
268 sect = X509V3_get_section(ctx, cnf->name + 1); 253 sect = X509V3_get_section(ctx, cnf->name + 1);
269 if (!sect) 254 if (!sect) {
270 { 255 X509V3err(X509V3_F_R2I_PCI,
271 X509V3err(X509V3_F_R2I_PCI,X509V3_R_INVALID_SECTION); 256 X509V3_R_INVALID_SECTION);
272 X509V3_conf_err(cnf); 257 X509V3_conf_err(cnf);
273 goto err; 258 goto err;
274 } 259 }
275 for (j = 0; success_p && j < sk_CONF_VALUE_num(sect); j++) 260 for (j = 0; success_p &&
276 { 261 j < sk_CONF_VALUE_num(sect); j++) {
277 success_p = 262 success_p = process_pci_value(
278 process_pci_value(sk_CONF_VALUE_value(sect, j), 263 sk_CONF_VALUE_value(sect, j),
279 &language, &pathlen, &policy); 264 &language, &pathlen, &policy);
280 } 265 }
281 X509V3_section_free(ctx, sect); 266 X509V3_section_free(ctx, sect);
282 if (!success_p) 267 if (!success_p)
283 goto err; 268 goto err;
284 } 269 } else {
285 else
286 {
287 if (!process_pci_value(cnf, 270 if (!process_pci_value(cnf,
288 &language, &pathlen, &policy)) 271 &language, &pathlen, &policy)) {
289 {
290 X509V3_conf_err(cnf); 272 X509V3_conf_err(cnf);
291 goto err; 273 goto err;
292 }
293 } 274 }
294 } 275 }
276 }
295 277
296 /* Language is mandatory */ 278 /* Language is mandatory */
297 if (!language) 279 if (!language) {
298 { 280 X509V3err(X509V3_F_R2I_PCI,
299 X509V3err(X509V3_F_R2I_PCI,X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED); 281 X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED);
300 goto err; 282 goto err;
301 } 283 }
302 i = OBJ_obj2nid(language); 284 i = OBJ_obj2nid(language);
303 if ((i == NID_Independent || i == NID_id_ppl_inheritAll) && policy) 285 if ((i == NID_Independent || i == NID_id_ppl_inheritAll) && policy) {
304 { 286 X509V3err(X509V3_F_R2I_PCI,
305 X509V3err(X509V3_F_R2I_PCI,X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY); 287 X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY);
306 goto err; 288 goto err;
307 } 289 }
308 290
309 pci = PROXY_CERT_INFO_EXTENSION_new(); 291 pci = PROXY_CERT_INFO_EXTENSION_new();
310 if (!pci) 292 if (!pci) {
311 { 293 X509V3err(X509V3_F_R2I_PCI, ERR_R_MALLOC_FAILURE);
312 X509V3err(X509V3_F_R2I_PCI,ERR_R_MALLOC_FAILURE);
313 goto err; 294 goto err;
314 } 295 }
315 296
316 pci->proxyPolicy->policyLanguage = language; language = NULL; 297 pci->proxyPolicy->policyLanguage = language;
317 pci->proxyPolicy->policy = policy; policy = NULL; 298 language = NULL;
318 pci->pcPathLengthConstraint = pathlen; pathlen = NULL; 299 pci->proxyPolicy->policy = policy;
300 policy = NULL;
301 pci->pcPathLengthConstraint = pathlen;
302 pathlen = NULL;
319 goto end; 303 goto end;
304
320err: 305err:
321 if (language) { ASN1_OBJECT_free(language); language = NULL; } 306 if (language) {
322 if (pathlen) { ASN1_INTEGER_free(pathlen); pathlen = NULL; } 307 ASN1_OBJECT_free(language);
323 if (policy) { ASN1_OCTET_STRING_free(policy); policy = NULL; } 308 language = NULL;
324 if (pci) { PROXY_CERT_INFO_EXTENSION_free(pci); pci = NULL; } 309 }
310 if (pathlen) {
311 ASN1_INTEGER_free(pathlen);
312 pathlen = NULL;
313 }
314 if (policy) {
315 ASN1_OCTET_STRING_free(policy);
316 policy = NULL;
317 }
318 if (pci) {
319 PROXY_CERT_INFO_EXTENSION_free(pci);
320 pci = NULL;
321 }
325end: 322end:
326 sk_CONF_VALUE_pop_free(vals, X509V3_conf_free); 323 sk_CONF_VALUE_pop_free(vals, X509V3_conf_free);
327 return pci; 324 return pci;
328 } 325}
diff --git a/src/lib/libssl/src/crypto/x509v3/v3_pcia.c b/src/lib/libssl/src/crypto/x509v3/v3_pcia.c
index bb362e0e5a..ae5d58a009 100644
--- a/src/lib/libssl/src/crypto/x509v3/v3_pcia.c
+++ b/src/lib/libssl/src/crypto/x509v3/v3_pcia.c
@@ -38,18 +38,17 @@
38#include <openssl/asn1t.h> 38#include <openssl/asn1t.h>
39#include <openssl/x509v3.h> 39#include <openssl/x509v3.h>
40 40
41ASN1_SEQUENCE(PROXY_POLICY) = 41ASN1_SEQUENCE(PROXY_POLICY) = {
42 { 42 ASN1_SIMPLE(PROXY_POLICY, policyLanguage, ASN1_OBJECT),
43 ASN1_SIMPLE(PROXY_POLICY,policyLanguage,ASN1_OBJECT), 43 ASN1_OPT(PROXY_POLICY, policy, ASN1_OCTET_STRING)
44 ASN1_OPT(PROXY_POLICY,policy,ASN1_OCTET_STRING)
45} ASN1_SEQUENCE_END(PROXY_POLICY) 44} ASN1_SEQUENCE_END(PROXY_POLICY)
46 45
47IMPLEMENT_ASN1_FUNCTIONS(PROXY_POLICY) 46IMPLEMENT_ASN1_FUNCTIONS(PROXY_POLICY)
48 47
49ASN1_SEQUENCE(PROXY_CERT_INFO_EXTENSION) = 48ASN1_SEQUENCE(PROXY_CERT_INFO_EXTENSION) = {
50 { 49 ASN1_OPT(PROXY_CERT_INFO_EXTENSION, pcPathLengthConstraint,
51 ASN1_OPT(PROXY_CERT_INFO_EXTENSION,pcPathLengthConstraint,ASN1_INTEGER), 50 ASN1_INTEGER),
52 ASN1_SIMPLE(PROXY_CERT_INFO_EXTENSION,proxyPolicy,PROXY_POLICY) 51 ASN1_SIMPLE(PROXY_CERT_INFO_EXTENSION, proxyPolicy, PROXY_POLICY)
53} ASN1_SEQUENCE_END(PROXY_CERT_INFO_EXTENSION) 52} ASN1_SEQUENCE_END(PROXY_CERT_INFO_EXTENSION)
54 53
55IMPLEMENT_ASN1_FUNCTIONS(PROXY_CERT_INFO_EXTENSION) 54IMPLEMENT_ASN1_FUNCTIONS(PROXY_CERT_INFO_EXTENSION)
diff --git a/src/lib/libssl/src/crypto/x509v3/v3_pcons.c b/src/lib/libssl/src/crypto/x509v3/v3_pcons.c
index 30ca652351..c622cae85a 100644
--- a/src/lib/libssl/src/crypto/x509v3/v3_pcons.c
+++ b/src/lib/libssl/src/crypto/x509v3/v3_pcons.c
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -66,75 +66,79 @@
66 66
67static STACK_OF(CONF_VALUE) * 67static STACK_OF(CONF_VALUE) *
68i2v_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD *method, void *bcons, 68i2v_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD *method, void *bcons,
69 STACK_OF(CONF_VALUE) *extlist); 69 STACK_OF(CONF_VALUE) *extlist);
70static void *v2i_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD *method, 70static void *v2i_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD *method,
71 X509V3_CTX *ctx, 71 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values);
72 STACK_OF(CONF_VALUE) *values);
73 72
74const X509V3_EXT_METHOD v3_policy_constraints = { 73const X509V3_EXT_METHOD v3_policy_constraints = {
75NID_policy_constraints, 0, 74 NID_policy_constraints, 0,
76ASN1_ITEM_ref(POLICY_CONSTRAINTS), 75 ASN1_ITEM_ref(POLICY_CONSTRAINTS),
770,0,0,0, 76 0, 0, 0, 0,
780,0, 77 0, 0,
79i2v_POLICY_CONSTRAINTS, 78 i2v_POLICY_CONSTRAINTS,
80v2i_POLICY_CONSTRAINTS, 79 v2i_POLICY_CONSTRAINTS,
81NULL,NULL, 80 NULL, NULL,
82NULL 81 NULL
83}; 82};
84 83
85ASN1_SEQUENCE(POLICY_CONSTRAINTS) = { 84ASN1_SEQUENCE(POLICY_CONSTRAINTS) = {
86 ASN1_IMP_OPT(POLICY_CONSTRAINTS, requireExplicitPolicy, ASN1_INTEGER,0), 85 ASN1_IMP_OPT(POLICY_CONSTRAINTS, requireExplicitPolicy,
87 ASN1_IMP_OPT(POLICY_CONSTRAINTS, inhibitPolicyMapping, ASN1_INTEGER,1) 86 ASN1_INTEGER, 0),
87 ASN1_IMP_OPT(POLICY_CONSTRAINTS, inhibitPolicyMapping, ASN1_INTEGER, 1)
88} ASN1_SEQUENCE_END(POLICY_CONSTRAINTS) 88} ASN1_SEQUENCE_END(POLICY_CONSTRAINTS)
89 89
90IMPLEMENT_ASN1_ALLOC_FUNCTIONS(POLICY_CONSTRAINTS) 90IMPLEMENT_ASN1_ALLOC_FUNCTIONS(POLICY_CONSTRAINTS)
91 91
92
93static STACK_OF(CONF_VALUE) * 92static STACK_OF(CONF_VALUE) *
94i2v_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD *method, void *a, 93i2v_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD *method, void *a,
95 STACK_OF(CONF_VALUE) *extlist) 94 STACK_OF(CONF_VALUE) *extlist)
96{ 95{
97 POLICY_CONSTRAINTS *pcons = a; 96 POLICY_CONSTRAINTS *pcons = a;
97
98 X509V3_add_value_int("Require Explicit Policy", 98 X509V3_add_value_int("Require Explicit Policy",
99 pcons->requireExplicitPolicy, &extlist); 99 pcons->requireExplicitPolicy, &extlist);
100 X509V3_add_value_int("Inhibit Policy Mapping", 100 X509V3_add_value_int("Inhibit Policy Mapping",
101 pcons->inhibitPolicyMapping, &extlist); 101 pcons->inhibitPolicyMapping, &extlist);
102 return extlist; 102 return extlist;
103} 103}
104 104
105static void *v2i_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD *method, 105static void *
106 X509V3_CTX *ctx, 106v2i_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
107 STACK_OF(CONF_VALUE) *values) 107 STACK_OF(CONF_VALUE) *values)
108{ 108{
109 POLICY_CONSTRAINTS *pcons=NULL; 109 POLICY_CONSTRAINTS *pcons = NULL;
110 CONF_VALUE *val; 110 CONF_VALUE *val;
111 int i; 111 int i;
112 if(!(pcons = POLICY_CONSTRAINTS_new())) { 112
113 X509V3err(X509V3_F_V2I_POLICY_CONSTRAINTS, ERR_R_MALLOC_FAILURE); 113 if (!(pcons = POLICY_CONSTRAINTS_new())) {
114 X509V3err(X509V3_F_V2I_POLICY_CONSTRAINTS,
115 ERR_R_MALLOC_FAILURE);
114 return NULL; 116 return NULL;
115 } 117 }
116 for(i = 0; i < sk_CONF_VALUE_num(values); i++) { 118 for (i = 0; i < sk_CONF_VALUE_num(values); i++) {
117 val = sk_CONF_VALUE_value(values, i); 119 val = sk_CONF_VALUE_value(values, i);
118 if(!strcmp(val->name, "requireExplicitPolicy")) { 120 if (!strcmp(val->name, "requireExplicitPolicy")) {
119 if(!X509V3_get_value_int(val, 121 if (!X509V3_get_value_int(val,
120 &pcons->requireExplicitPolicy)) goto err; 122 &pcons->requireExplicitPolicy)) goto err;
121 } else if(!strcmp(val->name, "inhibitPolicyMapping")) { 123 } else if (!strcmp(val->name, "inhibitPolicyMapping")) {
122 if(!X509V3_get_value_int(val, 124 if (!X509V3_get_value_int(val,
123 &pcons->inhibitPolicyMapping)) goto err; 125 &pcons->inhibitPolicyMapping)) goto err;
124 } else { 126 } else {
125 X509V3err(X509V3_F_V2I_POLICY_CONSTRAINTS, X509V3_R_INVALID_NAME); 127 X509V3err(X509V3_F_V2I_POLICY_CONSTRAINTS,
128 X509V3_R_INVALID_NAME);
126 X509V3_conf_err(val); 129 X509V3_conf_err(val);
127 goto err; 130 goto err;
128 } 131 }
129 } 132 }
130 if (!pcons->inhibitPolicyMapping && !pcons->requireExplicitPolicy) { 133 if (!pcons->inhibitPolicyMapping && !pcons->requireExplicitPolicy) {
131 X509V3err(X509V3_F_V2I_POLICY_CONSTRAINTS, X509V3_R_ILLEGAL_EMPTY_EXTENSION); 134 X509V3err(X509V3_F_V2I_POLICY_CONSTRAINTS,
135 X509V3_R_ILLEGAL_EMPTY_EXTENSION);
132 goto err; 136 goto err;
133 } 137 }
134 138
135 return pcons; 139 return pcons;
136 err: 140
141err:
137 POLICY_CONSTRAINTS_free(pcons); 142 POLICY_CONSTRAINTS_free(pcons);
138 return NULL; 143 return NULL;
139} 144}
140
diff --git a/src/lib/libssl/src/crypto/x509v3/v3_pku.c b/src/lib/libssl/src/crypto/x509v3/v3_pku.c
index 076f3ff48e..860b247159 100644
--- a/src/lib/libssl/src/crypto/x509v3/v3_pku.c
+++ b/src/lib/libssl/src/crypto/x509v3/v3_pku.c
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -62,16 +62,17 @@
62#include <openssl/asn1t.h> 62#include <openssl/asn1t.h>
63#include <openssl/x509v3.h> 63#include <openssl/x509v3.h>
64 64
65static int i2r_PKEY_USAGE_PERIOD(X509V3_EXT_METHOD *method, PKEY_USAGE_PERIOD *usage, BIO *out, int indent); 65static int i2r_PKEY_USAGE_PERIOD(X509V3_EXT_METHOD *method,
66 PKEY_USAGE_PERIOD *usage, BIO *out, int indent);
66/* 67/*
67static PKEY_USAGE_PERIOD *v2i_PKEY_USAGE_PERIOD(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values); 68static PKEY_USAGE_PERIOD *v2i_PKEY_USAGE_PERIOD(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values);
68*/ 69*/
69const X509V3_EXT_METHOD v3_pkey_usage_period = { 70const X509V3_EXT_METHOD v3_pkey_usage_period = {
70NID_private_key_usage_period, 0, ASN1_ITEM_ref(PKEY_USAGE_PERIOD), 71 NID_private_key_usage_period, 0, ASN1_ITEM_ref(PKEY_USAGE_PERIOD),
710,0,0,0, 72 0, 0, 0, 0,
720,0,0,0, 73 0, 0, 0, 0,
73(X509V3_EXT_I2R)i2r_PKEY_USAGE_PERIOD, NULL, 74 (X509V3_EXT_I2R)i2r_PKEY_USAGE_PERIOD, NULL,
74NULL 75 NULL
75}; 76};
76 77
77ASN1_SEQUENCE(PKEY_USAGE_PERIOD) = { 78ASN1_SEQUENCE(PKEY_USAGE_PERIOD) = {
@@ -81,16 +82,18 @@ ASN1_SEQUENCE(PKEY_USAGE_PERIOD) = {
81 82
82IMPLEMENT_ASN1_FUNCTIONS(PKEY_USAGE_PERIOD) 83IMPLEMENT_ASN1_FUNCTIONS(PKEY_USAGE_PERIOD)
83 84
84static int i2r_PKEY_USAGE_PERIOD(X509V3_EXT_METHOD *method, 85static int
85 PKEY_USAGE_PERIOD *usage, BIO *out, int indent) 86i2r_PKEY_USAGE_PERIOD(X509V3_EXT_METHOD *method, PKEY_USAGE_PERIOD *usage,
87 BIO *out, int indent)
86{ 88{
87 BIO_printf(out, "%*s", indent, ""); 89 BIO_printf(out, "%*s", indent, "");
88 if(usage->notBefore) { 90 if (usage->notBefore) {
89 BIO_write(out, "Not Before: ", 12); 91 BIO_write(out, "Not Before: ", 12);
90 ASN1_GENERALIZEDTIME_print(out, usage->notBefore); 92 ASN1_GENERALIZEDTIME_print(out, usage->notBefore);
91 if(usage->notAfter) BIO_write(out, ", ", 2); 93 if (usage->notAfter)
94 BIO_write(out, ", ", 2);
92 } 95 }
93 if(usage->notAfter) { 96 if (usage->notAfter) {
94 BIO_write(out, "Not After: ", 11); 97 BIO_write(out, "Not After: ", 11);
95 ASN1_GENERALIZEDTIME_print(out, usage->notAfter); 98 ASN1_GENERALIZEDTIME_print(out, usage->notAfter);
96 } 99 }
diff --git a/src/lib/libssl/src/crypto/x509v3/v3_pmaps.c b/src/lib/libssl/src/crypto/x509v3/v3_pmaps.c
index 865bcd3980..bf5f291877 100644
--- a/src/lib/libssl/src/crypto/x509v3/v3_pmaps.c
+++ b/src/lib/libssl/src/crypto/x509v3/v3_pmaps.c
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -64,19 +64,18 @@
64#include <openssl/x509v3.h> 64#include <openssl/x509v3.h>
65 65
66static void *v2i_POLICY_MAPPINGS(const X509V3_EXT_METHOD *method, 66static void *v2i_POLICY_MAPPINGS(const X509V3_EXT_METHOD *method,
67 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval); 67 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
68static STACK_OF(CONF_VALUE) * 68static STACK_OF(CONF_VALUE) *i2v_POLICY_MAPPINGS(
69i2v_POLICY_MAPPINGS(const X509V3_EXT_METHOD *method, void *pmps, 69 const X509V3_EXT_METHOD *method, void *pmps, STACK_OF(CONF_VALUE) *extlist);
70 STACK_OF(CONF_VALUE) *extlist);
71 70
72const X509V3_EXT_METHOD v3_policy_mappings = { 71const X509V3_EXT_METHOD v3_policy_mappings = {
73 NID_policy_mappings, 0, 72 NID_policy_mappings, 0,
74 ASN1_ITEM_ref(POLICY_MAPPINGS), 73 ASN1_ITEM_ref(POLICY_MAPPINGS),
75 0,0,0,0, 74 0, 0, 0, 0,
76 0,0, 75 0, 0,
77 i2v_POLICY_MAPPINGS, 76 i2v_POLICY_MAPPINGS,
78 v2i_POLICY_MAPPINGS, 77 v2i_POLICY_MAPPINGS,
79 0,0, 78 0, 0,
80 NULL 79 NULL
81}; 80};
82 81
@@ -85,24 +84,24 @@ ASN1_SEQUENCE(POLICY_MAPPING) = {
85 ASN1_SIMPLE(POLICY_MAPPING, subjectDomainPolicy, ASN1_OBJECT) 84 ASN1_SIMPLE(POLICY_MAPPING, subjectDomainPolicy, ASN1_OBJECT)
86} ASN1_SEQUENCE_END(POLICY_MAPPING) 85} ASN1_SEQUENCE_END(POLICY_MAPPING)
87 86
88ASN1_ITEM_TEMPLATE(POLICY_MAPPINGS) = 87ASN1_ITEM_TEMPLATE(POLICY_MAPPINGS) =
89 ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, POLICY_MAPPINGS, 88ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, POLICY_MAPPINGS,
90 POLICY_MAPPING) 89 POLICY_MAPPING)
91ASN1_ITEM_TEMPLATE_END(POLICY_MAPPINGS) 90ASN1_ITEM_TEMPLATE_END(POLICY_MAPPINGS)
92 91
93IMPLEMENT_ASN1_ALLOC_FUNCTIONS(POLICY_MAPPING) 92IMPLEMENT_ASN1_ALLOC_FUNCTIONS(POLICY_MAPPING)
94 93
95
96static STACK_OF(CONF_VALUE) * 94static STACK_OF(CONF_VALUE) *
97i2v_POLICY_MAPPINGS(const X509V3_EXT_METHOD *method, void *a, 95i2v_POLICY_MAPPINGS(const X509V3_EXT_METHOD *method, void *a,
98 STACK_OF(CONF_VALUE) *ext_list) 96 STACK_OF(CONF_VALUE) *ext_list)
99{ 97{
100 POLICY_MAPPINGS *pmaps = a; 98 POLICY_MAPPINGS *pmaps = a;
101 POLICY_MAPPING *pmap; 99 POLICY_MAPPING *pmap;
102 int i; 100 int i;
103 char obj_tmp1[80]; 101 char obj_tmp1[80];
104 char obj_tmp2[80]; 102 char obj_tmp2[80];
105 for(i = 0; i < sk_POLICY_MAPPING_num(pmaps); i++) { 103
104 for (i = 0; i < sk_POLICY_MAPPING_num(pmaps); i++) {
106 pmap = sk_POLICY_MAPPING_value(pmaps, i); 105 pmap = sk_POLICY_MAPPING_value(pmaps, i);
107 i2t_ASN1_OBJECT(obj_tmp1, 80, pmap->issuerDomainPolicy); 106 i2t_ASN1_OBJECT(obj_tmp1, 80, pmap->issuerDomainPolicy);
108 i2t_ASN1_OBJECT(obj_tmp2, 80, pmap->subjectDomainPolicy); 107 i2t_ASN1_OBJECT(obj_tmp2, 80, pmap->subjectDomainPolicy);
@@ -111,8 +110,9 @@ i2v_POLICY_MAPPINGS(const X509V3_EXT_METHOD *method, void *a,
111 return ext_list; 110 return ext_list;
112} 111}
113 112
114static void *v2i_POLICY_MAPPINGS(const X509V3_EXT_METHOD *method, 113static void *
115 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval) 114v2i_POLICY_MAPPINGS(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
115 STACK_OF(CONF_VALUE) *nval)
116{ 116{
117 POLICY_MAPPINGS *pmaps; 117 POLICY_MAPPINGS *pmaps;
118 POLICY_MAPPING *pmap; 118 POLICY_MAPPING *pmap;
@@ -120,31 +120,34 @@ static void *v2i_POLICY_MAPPINGS(const X509V3_EXT_METHOD *method,
120 CONF_VALUE *val; 120 CONF_VALUE *val;
121 int i; 121 int i;
122 122
123 if(!(pmaps = sk_POLICY_MAPPING_new_null())) { 123 if (!(pmaps = sk_POLICY_MAPPING_new_null())) {
124 X509V3err(X509V3_F_V2I_POLICY_MAPPINGS,ERR_R_MALLOC_FAILURE); 124 X509V3err(X509V3_F_V2I_POLICY_MAPPINGS, ERR_R_MALLOC_FAILURE);
125 return NULL; 125 return NULL;
126 } 126 }
127 127
128 for(i = 0; i < sk_CONF_VALUE_num(nval); i++) { 128 for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
129 val = sk_CONF_VALUE_value(nval, i); 129 val = sk_CONF_VALUE_value(nval, i);
130 if(!val->value || !val->name) { 130 if (!val->value || !val->name) {
131 sk_POLICY_MAPPING_pop_free(pmaps, POLICY_MAPPING_free); 131 sk_POLICY_MAPPING_pop_free(pmaps, POLICY_MAPPING_free);
132 X509V3err(X509V3_F_V2I_POLICY_MAPPINGS,X509V3_R_INVALID_OBJECT_IDENTIFIER); 132 X509V3err(X509V3_F_V2I_POLICY_MAPPINGS,
133 X509V3_R_INVALID_OBJECT_IDENTIFIER);
133 X509V3_conf_err(val); 134 X509V3_conf_err(val);
134 return NULL; 135 return NULL;
135 } 136 }
136 obj1 = OBJ_txt2obj(val->name, 0); 137 obj1 = OBJ_txt2obj(val->name, 0);
137 obj2 = OBJ_txt2obj(val->value, 0); 138 obj2 = OBJ_txt2obj(val->value, 0);
138 if(!obj1 || !obj2) { 139 if (!obj1 || !obj2) {
139 sk_POLICY_MAPPING_pop_free(pmaps, POLICY_MAPPING_free); 140 sk_POLICY_MAPPING_pop_free(pmaps, POLICY_MAPPING_free);
140 X509V3err(X509V3_F_V2I_POLICY_MAPPINGS,X509V3_R_INVALID_OBJECT_IDENTIFIER); 141 X509V3err(X509V3_F_V2I_POLICY_MAPPINGS,
142 X509V3_R_INVALID_OBJECT_IDENTIFIER);
141 X509V3_conf_err(val); 143 X509V3_conf_err(val);
142 return NULL; 144 return NULL;
143 } 145 }
144 pmap = POLICY_MAPPING_new(); 146 pmap = POLICY_MAPPING_new();
145 if (!pmap) { 147 if (!pmap) {
146 sk_POLICY_MAPPING_pop_free(pmaps, POLICY_MAPPING_free); 148 sk_POLICY_MAPPING_pop_free(pmaps, POLICY_MAPPING_free);
147 X509V3err(X509V3_F_V2I_POLICY_MAPPINGS,ERR_R_MALLOC_FAILURE); 149 X509V3err(X509V3_F_V2I_POLICY_MAPPINGS,
150 ERR_R_MALLOC_FAILURE);
148 return NULL; 151 return NULL;
149 } 152 }
150 pmap->issuerDomainPolicy = obj1; 153 pmap->issuerDomainPolicy = obj1;
diff --git a/src/lib/libssl/src/crypto/x509v3/v3_prn.c b/src/lib/libssl/src/crypto/x509v3/v3_prn.c
index 565937af47..3874ded51c 100644
--- a/src/lib/libssl/src/crypto/x509v3/v3_prn.c
+++ b/src/lib/libssl/src/crypto/x509v3/v3_prn.c
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -64,139 +64,163 @@
64 64
65/* Extension printing routines */ 65/* Extension printing routines */
66 66
67static int unknown_ext_print(BIO *out, X509_EXTENSION *ext, unsigned long flag, int indent, int supported); 67static int unknown_ext_print(BIO *out, X509_EXTENSION *ext, unsigned long flag,
68 int indent, int supported);
68 69
69/* Print out a name+value stack */ 70/* Print out a name+value stack */
70 71
71void X509V3_EXT_val_prn(BIO *out, STACK_OF(CONF_VALUE) *val, int indent, int ml) 72void
73X509V3_EXT_val_prn(BIO *out, STACK_OF(CONF_VALUE) *val, int indent, int ml)
72{ 74{
73 int i; 75 int i;
74 CONF_VALUE *nval; 76 CONF_VALUE *nval;
75 if(!val) return; 77
76 if(!ml || !sk_CONF_VALUE_num(val)) { 78 if (!val)
79 return;
80 if (!ml || !sk_CONF_VALUE_num(val)) {
77 BIO_printf(out, "%*s", indent, ""); 81 BIO_printf(out, "%*s", indent, "");
78 if(!sk_CONF_VALUE_num(val)) BIO_puts(out, "<EMPTY>\n"); 82 if (!sk_CONF_VALUE_num(val))
83 BIO_puts(out, "<EMPTY>\n");
79 } 84 }
80 for(i = 0; i < sk_CONF_VALUE_num(val); i++) { 85 for (i = 0; i < sk_CONF_VALUE_num(val); i++) {
81 if(ml) BIO_printf(out, "%*s", indent, ""); 86 if (ml)
82 else if(i > 0) BIO_printf(out, ", "); 87 BIO_printf(out, "%*s", indent, "");
83 nval = sk_CONF_VALUE_value(val, i); 88 else if (i > 0) BIO_printf(out, ", ");
84 if(!nval->name) BIO_puts(out, nval->value); 89 nval = sk_CONF_VALUE_value(val, i);
85 else if(!nval->value) BIO_puts(out, nval->name); 90 if (!nval->name)
86 else BIO_printf(out, "%s:%s", nval->name, nval->value); 91 BIO_puts(out, nval->value);
87 if(ml) BIO_puts(out, "\n"); 92 else if (!nval->value)
93 BIO_puts(out, nval->name);
94 else
95 BIO_printf(out, "%s:%s", nval->name, nval->value);
96 if (ml)
97 BIO_puts(out, "\n");
88 } 98 }
89} 99}
90 100
91/* Main routine: print out a general extension */ 101/* Main routine: print out a general extension */
92 102
93int X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, unsigned long flag, int indent) 103int
104X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, unsigned long flag, int indent)
94{ 105{
95 void *ext_str = NULL; 106 void *ext_str = NULL;
96 char *value = NULL; 107 char *value = NULL;
97 const unsigned char *p; 108 const unsigned char *p;
98 const X509V3_EXT_METHOD *method; 109 const X509V3_EXT_METHOD *method;
99 STACK_OF(CONF_VALUE) *nval = NULL; 110 STACK_OF(CONF_VALUE) *nval = NULL;
100 int ok = 1; 111 int ok = 1;
101 112
102 if(!(method = X509V3_EXT_get(ext))) 113 if (!(method = X509V3_EXT_get(ext)))
103 return unknown_ext_print(out, ext, flag, indent, 0); 114 return unknown_ext_print(out, ext, flag, indent, 0);
104 p = ext->value->data; 115 p = ext->value->data;
105 if(method->it) ext_str = ASN1_item_d2i(NULL, &p, ext->value->length, ASN1_ITEM_ptr(method->it)); 116 if (method->it)
106 else ext_str = method->d2i(NULL, &p, ext->value->length); 117 ext_str = ASN1_item_d2i(NULL, &p, ext->value->length,
118 ASN1_ITEM_ptr(method->it));
119 else
120 ext_str = method->d2i(NULL, &p, ext->value->length);
107 121
108 if(!ext_str) return unknown_ext_print(out, ext, flag, indent, 1); 122 if (!ext_str)
123 return unknown_ext_print(out, ext, flag, indent, 1);
109 124
110 if(method->i2s) { 125 if (method->i2s) {
111 if(!(value = method->i2s(method, ext_str))) { 126 if (!(value = method->i2s(method, ext_str))) {
112 ok = 0; 127 ok = 0;
113 goto err; 128 goto err;
114 } 129 }
115 BIO_printf(out, "%*s%s", indent, "", value); 130 BIO_printf(out, "%*s%s", indent, "", value);
116 } else if(method->i2v) { 131 } else if (method->i2v) {
117 if(!(nval = method->i2v(method, ext_str, NULL))) { 132 if (!(nval = method->i2v(method, ext_str, NULL))) {
118 ok = 0; 133 ok = 0;
119 goto err; 134 goto err;
120 } 135 }
121 X509V3_EXT_val_prn(out, nval, indent, 136 X509V3_EXT_val_prn(out, nval, indent,
122 method->ext_flags & X509V3_EXT_MULTILINE); 137 method->ext_flags & X509V3_EXT_MULTILINE);
123 } else if(method->i2r) { 138 } else if (method->i2r) {
124 if(!method->i2r(method, ext_str, out, indent)) ok = 0; 139 if (!method->i2r(method, ext_str, out, indent))
125 } else ok = 0; 140 ok = 0;
126 141 } else
127 err: 142 ok = 0;
128 sk_CONF_VALUE_pop_free(nval, X509V3_conf_free); 143
129 if(value) free(value); 144err:
130 if(method->it) ASN1_item_free(ext_str, ASN1_ITEM_ptr(method->it)); 145 sk_CONF_VALUE_pop_free(nval, X509V3_conf_free);
131 else method->ext_free(ext_str); 146 if (value)
132 return ok; 147 free(value);
148 if (method->it)
149 ASN1_item_free(ext_str, ASN1_ITEM_ptr(method->it));
150 else
151 method->ext_free(ext_str);
152 return ok;
133} 153}
134 154
135int X509V3_extensions_print(BIO *bp, char *title, STACK_OF(X509_EXTENSION) *exts, unsigned long flag, int indent) 155int
156X509V3_extensions_print(BIO *bp, char *title, STACK_OF(X509_EXTENSION) *exts,
157 unsigned long flag, int indent)
136{ 158{
137 int i, j; 159 int i, j;
138 160
139 if(sk_X509_EXTENSION_num(exts) <= 0) return 1; 161 if (sk_X509_EXTENSION_num(exts) <= 0)
162 return 1;
140 163
141 if(title) 164 if (title) {
142 { 165 BIO_printf(bp, "%*s%s:\n",indent, "", title);
143 BIO_printf(bp,"%*s%s:\n",indent, "", title);
144 indent += 4; 166 indent += 4;
145 } 167 }
146 168
147 for (i=0; i<sk_X509_EXTENSION_num(exts); i++) 169 for (i = 0; i < sk_X509_EXTENSION_num(exts); i++) {
148 {
149 ASN1_OBJECT *obj; 170 ASN1_OBJECT *obj;
150 X509_EXTENSION *ex; 171 X509_EXTENSION *ex;
151 ex=sk_X509_EXTENSION_value(exts, i); 172 ex = sk_X509_EXTENSION_value(exts, i);
152 if (indent && BIO_printf(bp,"%*s",indent, "") <= 0) return 0; 173 if (indent && BIO_printf(bp, "%*s",indent, "") <= 0)
153 obj=X509_EXTENSION_get_object(ex);
154 i2a_ASN1_OBJECT(bp,obj);
155 j=X509_EXTENSION_get_critical(ex);
156 if (BIO_printf(bp,": %s\n",j?"critical":"") <= 0)
157 return 0; 174 return 0;
158 if(!X509V3_EXT_print(bp, ex, flag, indent + 4)) 175 obj = X509_EXTENSION_get_object(ex);
159 { 176 i2a_ASN1_OBJECT(bp, obj);
177 j = X509_EXTENSION_get_critical(ex);
178 if (BIO_printf(bp, ": %s\n",j?"critical":"") <= 0)
179 return 0;
180 if (!X509V3_EXT_print(bp, ex, flag, indent + 4)) {
160 BIO_printf(bp, "%*s", indent + 4, ""); 181 BIO_printf(bp, "%*s", indent + 4, "");
161 M_ASN1_OCTET_STRING_print(bp,ex->value); 182 M_ASN1_OCTET_STRING_print(bp, ex->value);
162 }
163 if (BIO_write(bp,"\n",1) <= 0) return 0;
164 } 183 }
184 if (BIO_write(bp, "\n",1) <= 0)
185 return 0;
186 }
165 return 1; 187 return 1;
166} 188}
167 189
168static int unknown_ext_print(BIO *out, X509_EXTENSION *ext, unsigned long flag, int indent, int supported) 190static int
191unknown_ext_print(BIO *out, X509_EXTENSION *ext, unsigned long flag,
192 int indent, int supported)
169{ 193{
170 switch(flag & X509V3_EXT_UNKNOWN_MASK) { 194 switch (flag & X509V3_EXT_UNKNOWN_MASK) {
171 195 case X509V3_EXT_DEFAULT:
172 case X509V3_EXT_DEFAULT:
173 return 0; 196 return 0;
174 197 case X509V3_EXT_ERROR_UNKNOWN:
175 case X509V3_EXT_ERROR_UNKNOWN: 198 if (supported)
176 if(supported)
177 BIO_printf(out, "%*s<Parse Error>", indent, ""); 199 BIO_printf(out, "%*s<Parse Error>", indent, "");
178 else 200 else
179 BIO_printf(out, "%*s<Not Supported>", indent, ""); 201 BIO_printf(out, "%*s<Not Supported>", indent, "");
180 return 1; 202 return 1;
181 203 case X509V3_EXT_PARSE_UNKNOWN:
182 case X509V3_EXT_PARSE_UNKNOWN: 204 return ASN1_parse_dump(out,
183 return ASN1_parse_dump(out, 205 ext->value->data, ext->value->length, indent, -1);
184 ext->value->data, ext->value->length, indent, -1); 206 case X509V3_EXT_DUMP_UNKNOWN:
185 case X509V3_EXT_DUMP_UNKNOWN: 207 return BIO_dump_indent(out, (char *)ext->value->data,
186 return BIO_dump_indent(out, (char *)ext->value->data, ext->value->length, indent); 208 ext->value->length, indent);
187 209 default:
188 default:
189 return 1; 210 return 1;
190 } 211 }
191} 212}
192 213
193 214
194#ifndef OPENSSL_NO_FP_API 215#ifndef OPENSSL_NO_FP_API
195int X509V3_EXT_print_fp(FILE *fp, X509_EXTENSION *ext, int flag, int indent) 216int
217X509V3_EXT_print_fp(FILE *fp, X509_EXTENSION *ext, int flag, int indent)
196{ 218{
197 BIO *bio_tmp; 219 BIO *bio_tmp;
198 int ret; 220 int ret;
199 if(!(bio_tmp = BIO_new_fp(fp, BIO_NOCLOSE))) return 0; 221
222 if (!(bio_tmp = BIO_new_fp(fp, BIO_NOCLOSE)))
223 return 0;
200 ret = X509V3_EXT_print(bio_tmp, ext, flag, indent); 224 ret = X509V3_EXT_print(bio_tmp, ext, flag, indent);
201 BIO_free(bio_tmp); 225 BIO_free(bio_tmp);
202 return ret; 226 return ret;
diff --git a/src/lib/libssl/src/crypto/x509v3/v3_purp.c b/src/lib/libssl/src/crypto/x509v3/v3_purp.c
index 45d7251c29..2bf110c179 100644
--- a/src/lib/libssl/src/crypto/x509v3/v3_purp.c
+++ b/src/lib/libssl/src/crypto/x509v3/v3_purp.c
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -64,19 +64,25 @@
64static void x509v3_cache_extensions(X509 *x); 64static void x509v3_cache_extensions(X509 *x);
65 65
66static int check_ssl_ca(const X509 *x); 66static int check_ssl_ca(const X509 *x);
67static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, int ca); 67static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x,
68static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca); 68 int ca);
69static int check_purpose_ns_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca); 69static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x,
70 int ca);
71static int check_purpose_ns_ssl_server(const X509_PURPOSE *xp, const X509 *x,
72 int ca);
70static int purpose_smime(const X509 *x, int ca); 73static int purpose_smime(const X509 *x, int ca);
71static int check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x, int ca); 74static int check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x,
72static int check_purpose_smime_encrypt(const X509_PURPOSE *xp, const X509 *x, int ca); 75 int ca);
73static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x, int ca); 76static int check_purpose_smime_encrypt(const X509_PURPOSE *xp, const X509 *x,
74static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x, int ca); 77 int ca);
78static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x,
79 int ca);
80static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x,
81 int ca);
75static int no_check(const X509_PURPOSE *xp, const X509 *x, int ca); 82static int no_check(const X509_PURPOSE *xp, const X509 *x, int ca);
76static int ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca); 83static int ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca);
77 84
78static int xp_cmp(const X509_PURPOSE * const *a, 85static int xp_cmp(const X509_PURPOSE * const *a, const X509_PURPOSE * const *b);
79 const X509_PURPOSE * const *b);
80static void xptable_free(X509_PURPOSE *p); 86static void xptable_free(X509_PURPOSE *p);
81 87
82static X509_PURPOSE xstandard[] = { 88static X509_PURPOSE xstandard[] = {
@@ -97,8 +103,8 @@ IMPLEMENT_STACK_OF(X509_PURPOSE)
97 103
98static STACK_OF(X509_PURPOSE) *xptable = NULL; 104static STACK_OF(X509_PURPOSE) *xptable = NULL;
99 105
100static int xp_cmp(const X509_PURPOSE * const *a, 106static int
101 const X509_PURPOSE * const *b) 107xp_cmp(const X509_PURPOSE * const *a, const X509_PURPOSE * const *b)
102{ 108{
103 return (*a)->purpose - (*b)->purpose; 109 return (*a)->purpose - (*b)->purpose;
104} 110}
@@ -106,25 +112,30 @@ static int xp_cmp(const X509_PURPOSE * const *a,
106/* As much as I'd like to make X509_check_purpose use a "const" X509* 112/* As much as I'd like to make X509_check_purpose use a "const" X509*
107 * I really can't because it does recalculate hashes and do other non-const 113 * I really can't because it does recalculate hashes and do other non-const
108 * things. */ 114 * things. */
109int X509_check_purpose(X509 *x, int id, int ca) 115int
116X509_check_purpose(X509 *x, int id, int ca)
110{ 117{
111 int idx; 118 int idx;
112 const X509_PURPOSE *pt; 119 const X509_PURPOSE *pt;
113 if(!(x->ex_flags & EXFLAG_SET)) { 120
121 if (!(x->ex_flags & EXFLAG_SET)) {
114 CRYPTO_w_lock(CRYPTO_LOCK_X509); 122 CRYPTO_w_lock(CRYPTO_LOCK_X509);
115 x509v3_cache_extensions(x); 123 x509v3_cache_extensions(x);
116 CRYPTO_w_unlock(CRYPTO_LOCK_X509); 124 CRYPTO_w_unlock(CRYPTO_LOCK_X509);
117 } 125 }
118 if(id == -1) return 1; 126 if (id == -1)
127 return 1;
119 idx = X509_PURPOSE_get_by_id(id); 128 idx = X509_PURPOSE_get_by_id(id);
120 if(idx == -1) return -1; 129 if (idx == -1)
130 return -1;
121 pt = X509_PURPOSE_get0(idx); 131 pt = X509_PURPOSE_get0(idx);
122 return pt->check_purpose(pt, x, ca); 132 return pt->check_purpose(pt, x, ca);
123} 133}
124 134
125int X509_PURPOSE_set(int *p, int purpose) 135int
136X509_PURPOSE_set(int *p, int purpose)
126{ 137{
127 if(X509_PURPOSE_get_by_id(purpose) == -1) { 138 if (X509_PURPOSE_get_by_id(purpose) == -1) {
128 X509V3err(X509V3_F_X509_PURPOSE_SET, X509V3_R_INVALID_PURPOSE); 139 X509V3err(X509V3_F_X509_PURPOSE_SET, X509V3_R_INVALID_PURPOSE);
129 return 0; 140 return 0;
130 } 141 }
@@ -132,49 +143,63 @@ int X509_PURPOSE_set(int *p, int purpose)
132 return 1; 143 return 1;
133} 144}
134 145
135int X509_PURPOSE_get_count(void) 146int
147X509_PURPOSE_get_count(void)
136{ 148{
137 if(!xptable) return X509_PURPOSE_COUNT; 149 if (!xptable)
150 return X509_PURPOSE_COUNT;
138 return sk_X509_PURPOSE_num(xptable) + X509_PURPOSE_COUNT; 151 return sk_X509_PURPOSE_num(xptable) + X509_PURPOSE_COUNT;
139} 152}
140 153
141X509_PURPOSE * X509_PURPOSE_get0(int idx) 154X509_PURPOSE *
155X509_PURPOSE_get0(int idx)
142{ 156{
143 if(idx < 0) return NULL; 157 if (idx < 0)
144 if(idx < (int)X509_PURPOSE_COUNT) return xstandard + idx; 158 return NULL;
159 if (idx < (int)X509_PURPOSE_COUNT)
160 return xstandard + idx;
145 return sk_X509_PURPOSE_value(xptable, idx - X509_PURPOSE_COUNT); 161 return sk_X509_PURPOSE_value(xptable, idx - X509_PURPOSE_COUNT);
146} 162}
147 163
148int X509_PURPOSE_get_by_sname(char *sname) 164int
165X509_PURPOSE_get_by_sname(char *sname)
149{ 166{
150 int i; 167 int i;
151 X509_PURPOSE *xptmp; 168 X509_PURPOSE *xptmp;
152 for(i = 0; i < X509_PURPOSE_get_count(); i++) { 169
170 for (i = 0; i < X509_PURPOSE_get_count(); i++) {
153 xptmp = X509_PURPOSE_get0(i); 171 xptmp = X509_PURPOSE_get0(i);
154 if(!strcmp(xptmp->sname, sname)) return i; 172 if (!strcmp(xptmp->sname, sname))
173 return i;
155 } 174 }
156 return -1; 175 return -1;
157} 176}
158 177
159int X509_PURPOSE_get_by_id(int purpose) 178int
179X509_PURPOSE_get_by_id(int purpose)
160{ 180{
161 X509_PURPOSE tmp; 181 X509_PURPOSE tmp;
162 int idx; 182 int idx;
163 if((purpose >= X509_PURPOSE_MIN) && (purpose <= X509_PURPOSE_MAX)) 183
184 if ((purpose >= X509_PURPOSE_MIN) && (purpose <= X509_PURPOSE_MAX))
164 return purpose - X509_PURPOSE_MIN; 185 return purpose - X509_PURPOSE_MIN;
165 tmp.purpose = purpose; 186 tmp.purpose = purpose;
166 if(!xptable) return -1; 187 if (!xptable)
188 return -1;
167 idx = sk_X509_PURPOSE_find(xptable, &tmp); 189 idx = sk_X509_PURPOSE_find(xptable, &tmp);
168 if(idx == -1) return -1; 190 if (idx == -1)
191 return -1;
169 return idx + X509_PURPOSE_COUNT; 192 return idx + X509_PURPOSE_COUNT;
170} 193}
171 194
172int X509_PURPOSE_add(int id, int trust, int flags, 195int
173 int (*ck)(const X509_PURPOSE *, const X509 *, int), 196X509_PURPOSE_add(int id, int trust, int flags,
174 char *name, char *sname, void *arg) 197 int (*ck)(const X509_PURPOSE *, const X509 *, int), char *name,
198 char *sname, void *arg)
175{ 199{
176 int idx; 200 int idx;
177 X509_PURPOSE *ptmp; 201 X509_PURPOSE *ptmp;
202
178 /* This is set according to what we change: application can't set it */ 203 /* This is set according to what we change: application can't set it */
179 flags &= ~X509_PURPOSE_DYNAMIC; 204 flags &= ~X509_PURPOSE_DYNAMIC;
180 /* This will always be set for application modified trust entries */ 205 /* This will always be set for application modified trust entries */
@@ -182,24 +207,26 @@ int X509_PURPOSE_add(int id, int trust, int flags,
182 /* Get existing entry if any */ 207 /* Get existing entry if any */
183 idx = X509_PURPOSE_get_by_id(id); 208 idx = X509_PURPOSE_get_by_id(id);
184 /* Need a new entry */ 209 /* Need a new entry */
185 if(idx == -1) { 210 if (idx == -1) {
186 if(!(ptmp = malloc(sizeof(X509_PURPOSE)))) { 211 if (!(ptmp = malloc(sizeof(X509_PURPOSE)))) {
187 X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE); 212 X509V3err(X509V3_F_X509_PURPOSE_ADD,
213 ERR_R_MALLOC_FAILURE);
188 return 0; 214 return 0;
189 } 215 }
190 ptmp->flags = X509_PURPOSE_DYNAMIC; 216 ptmp->flags = X509_PURPOSE_DYNAMIC;
191 } else ptmp = X509_PURPOSE_get0(idx); 217 } else
218 ptmp = X509_PURPOSE_get0(idx);
192 219
193 /* free existing name if dynamic */ 220 /* free existing name if dynamic */
194 if(ptmp->flags & X509_PURPOSE_DYNAMIC_NAME) { 221 if (ptmp->flags & X509_PURPOSE_DYNAMIC_NAME) {
195 free(ptmp->name); 222 free(ptmp->name);
196 free(ptmp->sname); 223 free(ptmp->sname);
197 } 224 }
198 /* dup supplied name */ 225 /* dup supplied name */
199 ptmp->name = BUF_strdup(name); 226 ptmp->name = BUF_strdup(name);
200 ptmp->sname = BUF_strdup(sname); 227 ptmp->sname = BUF_strdup(sname);
201 if(!ptmp->name || !ptmp->sname) { 228 if (!ptmp->name || !ptmp->sname) {
202 X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE); 229 X509V3err(X509V3_F_X509_PURPOSE_ADD, ERR_R_MALLOC_FAILURE);
203 return 0; 230 return 0;
204 } 231 }
205 /* Keep the dynamic flag of existing entry */ 232 /* Keep the dynamic flag of existing entry */
@@ -213,70 +240,82 @@ int X509_PURPOSE_add(int id, int trust, int flags,
213 ptmp->usr_data = arg; 240 ptmp->usr_data = arg;
214 241
215 /* If its a new entry manage the dynamic table */ 242 /* If its a new entry manage the dynamic table */
216 if(idx == -1) { 243 if (idx == -1) {
217 if(!xptable && !(xptable = sk_X509_PURPOSE_new(xp_cmp))) { 244 if (!xptable && !(xptable = sk_X509_PURPOSE_new(xp_cmp))) {
218 X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE); 245 X509V3err(X509V3_F_X509_PURPOSE_ADD,
246 ERR_R_MALLOC_FAILURE);
219 return 0; 247 return 0;
220 } 248 }
221 if (!sk_X509_PURPOSE_push(xptable, ptmp)) { 249 if (!sk_X509_PURPOSE_push(xptable, ptmp)) {
222 X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE); 250 X509V3err(X509V3_F_X509_PURPOSE_ADD,
251 ERR_R_MALLOC_FAILURE);
223 return 0; 252 return 0;
224 } 253 }
225 } 254 }
226 return 1; 255 return 1;
227} 256}
228 257
229static void xptable_free(X509_PURPOSE *p) 258static void
230 { 259xptable_free(X509_PURPOSE *p)
231 if(!p) return; 260{
232 if (p->flags & X509_PURPOSE_DYNAMIC) 261 if (!p)
233 { 262 return;
263 if (p->flags & X509_PURPOSE_DYNAMIC) {
234 if (p->flags & X509_PURPOSE_DYNAMIC_NAME) { 264 if (p->flags & X509_PURPOSE_DYNAMIC_NAME) {
235 free(p->name); 265 free(p->name);
236 free(p->sname); 266 free(p->sname);
237 } 267 }
238 free(p); 268 free(p);
239 }
240 } 269 }
270}
241 271
242void X509_PURPOSE_cleanup(void) 272void
273X509_PURPOSE_cleanup(void)
243{ 274{
244 unsigned int i; 275 unsigned int i;
276
245 sk_X509_PURPOSE_pop_free(xptable, xptable_free); 277 sk_X509_PURPOSE_pop_free(xptable, xptable_free);
246 for(i = 0; i < X509_PURPOSE_COUNT; i++) xptable_free(xstandard + i); 278 for(i = 0; i < X509_PURPOSE_COUNT; i++)
279 xptable_free(xstandard + i);
247 xptable = NULL; 280 xptable = NULL;
248} 281}
249 282
250int X509_PURPOSE_get_id(X509_PURPOSE *xp) 283int
284X509_PURPOSE_get_id(X509_PURPOSE *xp)
251{ 285{
252 return xp->purpose; 286 return xp->purpose;
253} 287}
254 288
255char *X509_PURPOSE_get0_name(X509_PURPOSE *xp) 289char *
290X509_PURPOSE_get0_name(X509_PURPOSE *xp)
256{ 291{
257 return xp->name; 292 return xp->name;
258} 293}
259 294
260char *X509_PURPOSE_get0_sname(X509_PURPOSE *xp) 295char *
296X509_PURPOSE_get0_sname(X509_PURPOSE *xp)
261{ 297{
262 return xp->sname; 298 return xp->sname;
263} 299}
264 300
265int X509_PURPOSE_get_trust(X509_PURPOSE *xp) 301int
302X509_PURPOSE_get_trust(X509_PURPOSE *xp)
266{ 303{
267 return xp->trust; 304 return xp->trust;
268} 305}
269 306
270static int nid_cmp(const int *a, const int *b) 307static int
271 { 308nid_cmp(const int *a, const int *b)
309{
272 return *a - *b; 310 return *a - *b;
273 } 311}
274 312
275DECLARE_OBJ_BSEARCH_CMP_FN(int, int, nid); 313DECLARE_OBJ_BSEARCH_CMP_FN(int, int, nid);
276IMPLEMENT_OBJ_BSEARCH_CMP_FN(int, int, nid); 314IMPLEMENT_OBJ_BSEARCH_CMP_FN(int, int, nid);
277 315
278int X509_supported_extension(X509_EXTENSION *ex) 316int
279 { 317X509_supported_extension(X509_EXTENSION *ex)
318{
280 /* This table is a list of the NIDs of supported extensions: 319 /* This table is a list of the NIDs of supported extensions:
281 * that is those which are used by the verify process. If 320 * that is those which are used by the verify process. If
282 * an extension is critical and doesn't appear in this list 321 * an extension is critical and doesn't appear in this list
@@ -287,11 +326,11 @@ int X509_supported_extension(X509_EXTENSION *ex)
287 326
288 static const int supported_nids[] = { 327 static const int supported_nids[] = {
289 NID_netscape_cert_type, /* 71 */ 328 NID_netscape_cert_type, /* 71 */
290 NID_key_usage, /* 83 */ 329 NID_key_usage, /* 83 */
291 NID_subject_alt_name, /* 85 */ 330 NID_subject_alt_name, /* 85 */
292 NID_basic_constraints, /* 87 */ 331 NID_basic_constraints, /* 87 */
293 NID_certificate_policies, /* 89 */ 332 NID_certificate_policies, /* 89 */
294 NID_ext_key_usage, /* 126 */ 333 NID_ext_key_usage, /* 126 */
295#ifndef OPENSSL_NO_RFC3779 334#ifndef OPENSSL_NO_RFC3779
296 NID_sbgp_ipAddrBlock, /* 290 */ 335 NID_sbgp_ipAddrBlock, /* 290 */
297 NID_sbgp_autonomousSysNum, /* 291 */ 336 NID_sbgp_autonomousSysNum, /* 291 */
@@ -305,56 +344,57 @@ int X509_supported_extension(X509_EXTENSION *ex)
305 344
306 int ex_nid = OBJ_obj2nid(X509_EXTENSION_get_object(ex)); 345 int ex_nid = OBJ_obj2nid(X509_EXTENSION_get_object(ex));
307 346
308 if (ex_nid == NID_undef) 347 if (ex_nid == NID_undef)
309 return 0; 348 return 0;
310 349
311 if (OBJ_bsearch_nid(&ex_nid, supported_nids, 350 if (OBJ_bsearch_nid(&ex_nid, supported_nids,
312 sizeof(supported_nids)/sizeof(int))) 351 sizeof(supported_nids) / sizeof(int)))
313 return 1; 352 return 1;
314 return 0; 353 return 0;
315 } 354}
316 355
317static void setup_dp(X509 *x, DIST_POINT *dp) 356static void
318 { 357setup_dp(X509 *x, DIST_POINT *dp)
358{
319 X509_NAME *iname = NULL; 359 X509_NAME *iname = NULL;
320 int i; 360 int i;
321 if (dp->reasons) 361
322 { 362 if (dp->reasons) {
323 if (dp->reasons->length > 0) 363 if (dp->reasons->length > 0)
324 dp->dp_reasons = dp->reasons->data[0]; 364 dp->dp_reasons = dp->reasons->data[0];
325 if (dp->reasons->length > 1) 365 if (dp->reasons->length > 1)
326 dp->dp_reasons |= (dp->reasons->data[1] << 8); 366 dp->dp_reasons |= (dp->reasons->data[1] << 8);
327 dp->dp_reasons &= CRLDP_ALL_REASONS; 367 dp->dp_reasons &= CRLDP_ALL_REASONS;
328 } 368 } else
329 else
330 dp->dp_reasons = CRLDP_ALL_REASONS; 369 dp->dp_reasons = CRLDP_ALL_REASONS;
331 if (!dp->distpoint || (dp->distpoint->type != 1)) 370 if (!dp->distpoint || (dp->distpoint->type != 1))
332 return; 371 return;
333 for (i = 0; i < sk_GENERAL_NAME_num(dp->CRLissuer); i++) 372 for (i = 0; i < sk_GENERAL_NAME_num(dp->CRLissuer); i++) {
334 {
335 GENERAL_NAME *gen = sk_GENERAL_NAME_value(dp->CRLissuer, i); 373 GENERAL_NAME *gen = sk_GENERAL_NAME_value(dp->CRLissuer, i);
336 if (gen->type == GEN_DIRNAME) 374 if (gen->type == GEN_DIRNAME) {
337 {
338 iname = gen->d.directoryName; 375 iname = gen->d.directoryName;
339 break; 376 break;
340 }
341 } 377 }
378 }
342 if (!iname) 379 if (!iname)
343 iname = X509_get_issuer_name(x); 380 iname = X509_get_issuer_name(x);
344 381
345 DIST_POINT_set_dpname(dp->distpoint, iname); 382 DIST_POINT_set_dpname(dp->distpoint, iname);
346 383
347 } 384}
348 385
349static void setup_crldp(X509 *x) 386static void
350 { 387setup_crldp(X509 *x)
388{
351 int i; 389 int i;
390
352 x->crldp = X509_get_ext_d2i(x, NID_crl_distribution_points, NULL, NULL); 391 x->crldp = X509_get_ext_d2i(x, NID_crl_distribution_points, NULL, NULL);
353 for (i = 0; i < sk_DIST_POINT_num(x->crldp); i++) 392 for (i = 0; i < sk_DIST_POINT_num(x->crldp); i++)
354 setup_dp(x, sk_DIST_POINT_value(x->crldp, i)); 393 setup_dp(x, sk_DIST_POINT_value(x->crldp, i));
355 } 394}
356 395
357static void x509v3_cache_extensions(X509 *x) 396static void
397x509v3_cache_extensions(X509 *x)
358{ 398{
359 BASIC_CONSTRAINTS *bs; 399 BASIC_CONSTRAINTS *bs;
360 PROXY_CERT_INFO_EXTENSION *pci; 400 PROXY_CERT_INFO_EXTENSION *pci;
@@ -362,89 +402,96 @@ static void x509v3_cache_extensions(X509 *x)
362 ASN1_BIT_STRING *ns; 402 ASN1_BIT_STRING *ns;
363 EXTENDED_KEY_USAGE *extusage; 403 EXTENDED_KEY_USAGE *extusage;
364 X509_EXTENSION *ex; 404 X509_EXTENSION *ex;
365 405
366 int i; 406 int i;
367 if(x->ex_flags & EXFLAG_SET) return; 407 if (x->ex_flags & EXFLAG_SET)
408 return;
368#ifndef OPENSSL_NO_SHA 409#ifndef OPENSSL_NO_SHA
369 X509_digest(x, EVP_sha1(), x->sha1_hash, NULL); 410 X509_digest(x, EVP_sha1(), x->sha1_hash, NULL);
370#endif 411#endif
371 /* Does subject name match issuer ? */ 412 /* Does subject name match issuer ? */
372 if(!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x))) 413 if (!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x)))
373 x->ex_flags |= EXFLAG_SI; 414 x->ex_flags |= EXFLAG_SI;
374 /* V1 should mean no extensions ... */ 415 /* V1 should mean no extensions ... */
375 if(!X509_get_version(x)) x->ex_flags |= EXFLAG_V1; 416 if (!X509_get_version(x))
417 x->ex_flags |= EXFLAG_V1;
376 /* Handle basic constraints */ 418 /* Handle basic constraints */
377 if((bs=X509_get_ext_d2i(x, NID_basic_constraints, NULL, NULL))) { 419 if ((bs = X509_get_ext_d2i(x, NID_basic_constraints, NULL, NULL))) {
378 if(bs->ca) x->ex_flags |= EXFLAG_CA; 420 if (bs->ca)
379 if(bs->pathlen) { 421 x->ex_flags |= EXFLAG_CA;
380 if((bs->pathlen->type == V_ASN1_NEG_INTEGER) 422 if (bs->pathlen) {
381 || !bs->ca) { 423 if ((bs->pathlen->type == V_ASN1_NEG_INTEGER) ||
424 !bs->ca) {
382 x->ex_flags |= EXFLAG_INVALID; 425 x->ex_flags |= EXFLAG_INVALID;
383 x->ex_pathlen = 0; 426 x->ex_pathlen = 0;
384 } else x->ex_pathlen = ASN1_INTEGER_get(bs->pathlen); 427 } else
385 } else x->ex_pathlen = -1; 428 x->ex_pathlen = ASN1_INTEGER_get(bs->pathlen);
429 } else
430 x->ex_pathlen = -1;
386 BASIC_CONSTRAINTS_free(bs); 431 BASIC_CONSTRAINTS_free(bs);
387 x->ex_flags |= EXFLAG_BCONS; 432 x->ex_flags |= EXFLAG_BCONS;
388 } 433 }
389 /* Handle proxy certificates */ 434 /* Handle proxy certificates */
390 if((pci=X509_get_ext_d2i(x, NID_proxyCertInfo, NULL, NULL))) { 435 if ((pci = X509_get_ext_d2i(x, NID_proxyCertInfo, NULL, NULL))) {
391 if (x->ex_flags & EXFLAG_CA 436 if (x->ex_flags & EXFLAG_CA ||
392 || X509_get_ext_by_NID(x, NID_subject_alt_name, -1) >= 0 437 X509_get_ext_by_NID(x, NID_subject_alt_name, -1) >= 0 ||
393 || X509_get_ext_by_NID(x, NID_issuer_alt_name, -1) >= 0) { 438 X509_get_ext_by_NID(x, NID_issuer_alt_name, -1) >= 0) {
394 x->ex_flags |= EXFLAG_INVALID; 439 x->ex_flags |= EXFLAG_INVALID;
395 } 440 }
396 if (pci->pcPathLengthConstraint) { 441 if (pci->pcPathLengthConstraint) {
397 x->ex_pcpathlen = 442 x->ex_pcpathlen =
398 ASN1_INTEGER_get(pci->pcPathLengthConstraint); 443 ASN1_INTEGER_get(pci->pcPathLengthConstraint);
399 } else x->ex_pcpathlen = -1; 444 } else
445 x->ex_pcpathlen = -1;
400 PROXY_CERT_INFO_EXTENSION_free(pci); 446 PROXY_CERT_INFO_EXTENSION_free(pci);
401 x->ex_flags |= EXFLAG_PROXY; 447 x->ex_flags |= EXFLAG_PROXY;
402 } 448 }
403 /* Handle key usage */ 449 /* Handle key usage */
404 if((usage=X509_get_ext_d2i(x, NID_key_usage, NULL, NULL))) { 450 if ((usage = X509_get_ext_d2i(x, NID_key_usage, NULL, NULL))) {
405 if(usage->length > 0) { 451 if (usage->length > 0) {
406 x->ex_kusage = usage->data[0]; 452 x->ex_kusage = usage->data[0];
407 if(usage->length > 1) 453 if (usage->length > 1)
408 x->ex_kusage |= usage->data[1] << 8; 454 x->ex_kusage |= usage->data[1] << 8;
409 } else x->ex_kusage = 0; 455 } else
456 x->ex_kusage = 0;
410 x->ex_flags |= EXFLAG_KUSAGE; 457 x->ex_flags |= EXFLAG_KUSAGE;
411 ASN1_BIT_STRING_free(usage); 458 ASN1_BIT_STRING_free(usage);
412 } 459 }
413 x->ex_xkusage = 0; 460 x->ex_xkusage = 0;
414 if((extusage=X509_get_ext_d2i(x, NID_ext_key_usage, NULL, NULL))) { 461 if ((extusage = X509_get_ext_d2i(x, NID_ext_key_usage, NULL, NULL))) {
415 x->ex_flags |= EXFLAG_XKUSAGE; 462 x->ex_flags |= EXFLAG_XKUSAGE;
416 for(i = 0; i < sk_ASN1_OBJECT_num(extusage); i++) { 463 for (i = 0; i < sk_ASN1_OBJECT_num(extusage); i++) {
417 switch(OBJ_obj2nid(sk_ASN1_OBJECT_value(extusage,i))) { 464 switch (OBJ_obj2nid(sk_ASN1_OBJECT_value(extusage, i))) {
418 case NID_server_auth: 465 case NID_server_auth:
419 x->ex_xkusage |= XKU_SSL_SERVER; 466 x->ex_xkusage |= XKU_SSL_SERVER;
420 break; 467 break;
421 468
422 case NID_client_auth: 469 case NID_client_auth:
423 x->ex_xkusage |= XKU_SSL_CLIENT; 470 x->ex_xkusage |= XKU_SSL_CLIENT;
424 break; 471 break;
425 472
426 case NID_email_protect: 473 case NID_email_protect:
427 x->ex_xkusage |= XKU_SMIME; 474 x->ex_xkusage |= XKU_SMIME;
428 break; 475 break;
429 476
430 case NID_code_sign: 477 case NID_code_sign:
431 x->ex_xkusage |= XKU_CODE_SIGN; 478 x->ex_xkusage |= XKU_CODE_SIGN;
432 break; 479 break;
433 480
434 case NID_ms_sgc: 481 case NID_ms_sgc:
435 case NID_ns_sgc: 482 case NID_ns_sgc:
436 x->ex_xkusage |= XKU_SGC; 483 x->ex_xkusage |= XKU_SGC;
437 break; 484 break;
438 485
439 case NID_OCSP_sign: 486 case NID_OCSP_sign:
440 x->ex_xkusage |= XKU_OCSP_SIGN; 487 x->ex_xkusage |= XKU_OCSP_SIGN;
441 break; 488 break;
442 489
443 case NID_time_stamp: 490 case NID_time_stamp:
444 x->ex_xkusage |= XKU_TIMESTAMP; 491 x->ex_xkusage |= XKU_TIMESTAMP;
445 break; 492 break;
446 493
447 case NID_dvcs: 494 case NID_dvcs:
448 x->ex_xkusage |= XKU_DVCS; 495 x->ex_xkusage |= XKU_DVCS;
449 break; 496 break;
450 } 497 }
@@ -452,14 +499,17 @@ static void x509v3_cache_extensions(X509 *x)
452 sk_ASN1_OBJECT_pop_free(extusage, ASN1_OBJECT_free); 499 sk_ASN1_OBJECT_pop_free(extusage, ASN1_OBJECT_free);
453 } 500 }
454 501
455 if((ns=X509_get_ext_d2i(x, NID_netscape_cert_type, NULL, NULL))) { 502 if ((ns = X509_get_ext_d2i(x, NID_netscape_cert_type, NULL, NULL))) {
456 if(ns->length > 0) x->ex_nscert = ns->data[0]; 503 if (ns->length > 0)
457 else x->ex_nscert = 0; 504 x->ex_nscert = ns->data[0];
505 else
506 x->ex_nscert = 0;
458 x->ex_flags |= EXFLAG_NSCERT; 507 x->ex_flags |= EXFLAG_NSCERT;
459 ASN1_BIT_STRING_free(ns); 508 ASN1_BIT_STRING_free(ns);
460 } 509 }
461 x->skid =X509_get_ext_d2i(x, NID_subject_key_identifier, NULL, NULL); 510
462 x->akid =X509_get_ext_d2i(x, NID_authority_key_identifier, NULL, NULL); 511 x->skid = X509_get_ext_d2i(x, NID_subject_key_identifier, NULL, NULL);
512 x->akid = X509_get_ext_d2i(x, NID_authority_key_identifier, NULL, NULL);
463 x->altname = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL); 513 x->altname = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
464 x->nc = X509_get_ext_d2i(x, NID_name_constraints, &i, NULL); 514 x->nc = X509_get_ext_d2i(x, NID_name_constraints, &i, NULL);
465 if (!x->nc && (i != -1)) 515 if (!x->nc && (i != -1))
@@ -467,24 +517,22 @@ static void x509v3_cache_extensions(X509 *x)
467 setup_crldp(x); 517 setup_crldp(x);
468 518
469#ifndef OPENSSL_NO_RFC3779 519#ifndef OPENSSL_NO_RFC3779
470 x->rfc3779_addr =X509_get_ext_d2i(x, NID_sbgp_ipAddrBlock, NULL, NULL); 520 x->rfc3779_addr = X509_get_ext_d2i(x, NID_sbgp_ipAddrBlock, NULL, NULL);
471 x->rfc3779_asid =X509_get_ext_d2i(x, NID_sbgp_autonomousSysNum, 521 x->rfc3779_asid = X509_get_ext_d2i(x, NID_sbgp_autonomousSysNum,
472 NULL, NULL); 522 NULL, NULL);
473#endif 523#endif
474 for (i = 0; i < X509_get_ext_count(x); i++) 524 for (i = 0; i < X509_get_ext_count(x); i++) {
475 {
476 ex = X509_get_ext(x, i); 525 ex = X509_get_ext(x, i);
477 if (OBJ_obj2nid(X509_EXTENSION_get_object(ex)) 526 if (OBJ_obj2nid(X509_EXTENSION_get_object(ex)) ==
478 == NID_freshest_crl) 527 NID_freshest_crl)
479 x->ex_flags |= EXFLAG_FRESHEST; 528 x->ex_flags |= EXFLAG_FRESHEST;
480 if (!X509_EXTENSION_get_critical(ex)) 529 if (!X509_EXTENSION_get_critical(ex))
481 continue; 530 continue;
482 if (!X509_supported_extension(ex)) 531 if (!X509_supported_extension(ex)) {
483 {
484 x->ex_flags |= EXFLAG_CRITICAL; 532 x->ex_flags |= EXFLAG_CRITICAL;
485 break; 533 break;
486 }
487 } 534 }
535 }
488 x->ex_flags |= EXFLAG_SET; 536 x->ex_flags |= EXFLAG_SET;
489} 537}
490 538
@@ -505,30 +553,38 @@ static void x509v3_cache_extensions(X509 *x)
505#define ns_reject(x, usage) \ 553#define ns_reject(x, usage) \
506 (((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage))) 554 (((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage)))
507 555
508static int check_ca(const X509 *x) 556static int
557check_ca(const X509 *x)
509{ 558{
510 /* keyUsage if present should allow cert signing */ 559 /* keyUsage if present should allow cert signing */
511 if(ku_reject(x, KU_KEY_CERT_SIGN)) return 0; 560 if (ku_reject(x, KU_KEY_CERT_SIGN))
512 if(x->ex_flags & EXFLAG_BCONS) { 561 return 0;
513 if(x->ex_flags & EXFLAG_CA) return 1; 562 if (x->ex_flags & EXFLAG_BCONS) {
563 if (x->ex_flags & EXFLAG_CA)
564 return 1;
514 /* If basicConstraints says not a CA then say so */ 565 /* If basicConstraints says not a CA then say so */
515 else return 0; 566 else
567 return 0;
516 } else { 568 } else {
517 /* we support V1 roots for... uh, I don't really know why. */ 569 /* we support V1 roots for... uh, I don't really know why. */
518 if((x->ex_flags & V1_ROOT) == V1_ROOT) return 3; 570 if ((x->ex_flags & V1_ROOT) == V1_ROOT)
571 return 3;
519 /* If key usage present it must have certSign so tolerate it */ 572 /* If key usage present it must have certSign so tolerate it */
520 else if (x->ex_flags & EXFLAG_KUSAGE) return 4; 573 else if (x->ex_flags & EXFLAG_KUSAGE)
574 return 4;
521 /* Older certificates could have Netscape-specific CA types */ 575 /* Older certificates could have Netscape-specific CA types */
522 else if (x->ex_flags & EXFLAG_NSCERT 576 else if (x->ex_flags & EXFLAG_NSCERT &&
523 && x->ex_nscert & NS_ANY_CA) return 5; 577 x->ex_nscert & NS_ANY_CA)
578 return 5;
524 /* can this still be regarded a CA certificate? I doubt it */ 579 /* can this still be regarded a CA certificate? I doubt it */
525 return 0; 580 return 0;
526 } 581 }
527} 582}
528 583
529int X509_check_ca(X509 *x) 584int
585X509_check_ca(X509 *x)
530{ 586{
531 if(!(x->ex_flags & EXFLAG_SET)) { 587 if (!(x->ex_flags & EXFLAG_SET)) {
532 CRYPTO_w_lock(CRYPTO_LOCK_X509); 588 CRYPTO_w_lock(CRYPTO_LOCK_X509);
533 x509v3_cache_extensions(x); 589 x509v3_cache_extensions(x);
534 CRYPTO_w_unlock(CRYPTO_LOCK_X509); 590 CRYPTO_w_unlock(CRYPTO_LOCK_X509);
@@ -538,131 +594,169 @@ int X509_check_ca(X509 *x)
538} 594}
539 595
540/* Check SSL CA: common checks for SSL client and server */ 596/* Check SSL CA: common checks for SSL client and server */
541static int check_ssl_ca(const X509 *x) 597static int
598check_ssl_ca(const X509 *x)
542{ 599{
543 int ca_ret; 600 int ca_ret;
601
544 ca_ret = check_ca(x); 602 ca_ret = check_ca(x);
545 if(!ca_ret) return 0; 603 if (!ca_ret)
604 return 0;
546 /* check nsCertType if present */ 605 /* check nsCertType if present */
547 if(ca_ret != 5 || x->ex_nscert & NS_SSL_CA) return ca_ret; 606 if (ca_ret != 5 || x->ex_nscert & NS_SSL_CA)
548 else return 0; 607 return ca_ret;
608 else
609 return 0;
549} 610}
550 611
551 612static int
552static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, int ca) 613check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, int ca)
553{ 614{
554 if(xku_reject(x,XKU_SSL_CLIENT)) return 0; 615 if (xku_reject(x, XKU_SSL_CLIENT))
555 if(ca) return check_ssl_ca(x); 616 return 0;
617 if (ca)
618 return check_ssl_ca(x);
556 /* We need to do digital signatures with it */ 619 /* We need to do digital signatures with it */
557 if(ku_reject(x,KU_DIGITAL_SIGNATURE)) return 0; 620 if (ku_reject(x, KU_DIGITAL_SIGNATURE))
558 /* nsCertType if present should allow SSL client use */ 621 return 0;
559 if(ns_reject(x, NS_SSL_CLIENT)) return 0; 622 /* nsCertType if present should allow SSL client use */
623 if (ns_reject(x, NS_SSL_CLIENT))
624 return 0;
560 return 1; 625 return 1;
561} 626}
562 627
563static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca) 628static int
629check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca)
564{ 630{
565 if(xku_reject(x,XKU_SSL_SERVER|XKU_SGC)) return 0; 631 if (xku_reject(x, XKU_SSL_SERVER|XKU_SGC))
566 if(ca) return check_ssl_ca(x); 632 return 0;
633 if (ca)
634 return check_ssl_ca(x);
567 635
568 if(ns_reject(x, NS_SSL_SERVER)) return 0; 636 if (ns_reject(x, NS_SSL_SERVER))
637 return 0;
569 /* Now as for keyUsage: we'll at least need to sign OR encipher */ 638 /* Now as for keyUsage: we'll at least need to sign OR encipher */
570 if(ku_reject(x, KU_DIGITAL_SIGNATURE|KU_KEY_ENCIPHERMENT)) return 0; 639 if (ku_reject(x, KU_DIGITAL_SIGNATURE|KU_KEY_ENCIPHERMENT))
571 640 return 0;
572 return 1;
573 641
642 return 1;
574} 643}
575 644
576static int check_purpose_ns_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca) 645static int
646check_purpose_ns_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca)
577{ 647{
578 int ret; 648 int ret;
649
579 ret = check_purpose_ssl_server(xp, x, ca); 650 ret = check_purpose_ssl_server(xp, x, ca);
580 if(!ret || ca) return ret; 651 if (!ret || ca)
652 return ret;
581 /* We need to encipher or Netscape complains */ 653 /* We need to encipher or Netscape complains */
582 if(ku_reject(x, KU_KEY_ENCIPHERMENT)) return 0; 654 if (ku_reject(x, KU_KEY_ENCIPHERMENT))
655 return 0;
583 return ret; 656 return ret;
584} 657}
585 658
586/* common S/MIME checks */ 659/* common S/MIME checks */
587static int purpose_smime(const X509 *x, int ca) 660static int
661purpose_smime(const X509 *x, int ca)
588{ 662{
589 if(xku_reject(x,XKU_SMIME)) return 0; 663 if (xku_reject(x, XKU_SMIME))
590 if(ca) { 664 return 0;
665 if (ca) {
591 int ca_ret; 666 int ca_ret;
592 ca_ret = check_ca(x); 667 ca_ret = check_ca(x);
593 if(!ca_ret) return 0; 668 if (!ca_ret)
669 return 0;
594 /* check nsCertType if present */ 670 /* check nsCertType if present */
595 if(ca_ret != 5 || x->ex_nscert & NS_SMIME_CA) return ca_ret; 671 if (ca_ret != 5 || x->ex_nscert & NS_SMIME_CA)
596 else return 0; 672 return ca_ret;
673 else
674 return 0;
597 } 675 }
598 if(x->ex_flags & EXFLAG_NSCERT) { 676 if (x->ex_flags & EXFLAG_NSCERT) {
599 if(x->ex_nscert & NS_SMIME) return 1; 677 if (x->ex_nscert & NS_SMIME)
678 return 1;
600 /* Workaround for some buggy certificates */ 679 /* Workaround for some buggy certificates */
601 if(x->ex_nscert & NS_SSL_CLIENT) return 2; 680 if (x->ex_nscert & NS_SSL_CLIENT)
681 return 2;
602 return 0; 682 return 0;
603 } 683 }
604 return 1; 684 return 1;
605} 685}
606 686
607static int check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x, int ca) 687static int
688check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x, int ca)
608{ 689{
609 int ret; 690 int ret;
691
610 ret = purpose_smime(x, ca); 692 ret = purpose_smime(x, ca);
611 if(!ret || ca) return ret; 693 if (!ret || ca)
612 if(ku_reject(x, KU_DIGITAL_SIGNATURE|KU_NON_REPUDIATION)) return 0; 694 return ret;
695 if (ku_reject(x, KU_DIGITAL_SIGNATURE|KU_NON_REPUDIATION))
696 return 0;
613 return ret; 697 return ret;
614} 698}
615 699
616static int check_purpose_smime_encrypt(const X509_PURPOSE *xp, const X509 *x, int ca) 700static int
701check_purpose_smime_encrypt(const X509_PURPOSE *xp, const X509 *x, int ca)
617{ 702{
618 int ret; 703 int ret;
704
619 ret = purpose_smime(x, ca); 705 ret = purpose_smime(x, ca);
620 if(!ret || ca) return ret; 706 if (!ret || ca)
621 if(ku_reject(x, KU_KEY_ENCIPHERMENT)) return 0; 707 return ret;
708 if (ku_reject(x, KU_KEY_ENCIPHERMENT))
709 return 0;
622 return ret; 710 return ret;
623} 711}
624 712
625static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x, int ca) 713static int
714check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x, int ca)
626{ 715{
627 if(ca) { 716 if (ca) {
628 int ca_ret; 717 int ca_ret;
629 if((ca_ret = check_ca(x)) != 2) return ca_ret; 718 if ((ca_ret = check_ca(x)) != 2)
630 else return 0; 719 return ca_ret;
720 else
721 return 0;
631 } 722 }
632 if(ku_reject(x, KU_CRL_SIGN)) return 0; 723 if (ku_reject(x, KU_CRL_SIGN))
724 return 0;
633 return 1; 725 return 1;
634} 726}
635 727
636/* OCSP helper: this is *not* a full OCSP check. It just checks that 728/* OCSP helper: this is *not* a full OCSP check. It just checks that
637 * each CA is valid. Additional checks must be made on the chain. 729 * each CA is valid. Additional checks must be made on the chain.
638 */ 730 */
639 731static int
640static int ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca) 732ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca)
641{ 733{
642 /* Must be a valid CA. Should we really support the "I don't know" 734 /* Must be a valid CA. Should we really support the "I don't know"
643 value (2)? */ 735 value (2)? */
644 if(ca) return check_ca(x); 736 if (ca)
737 return check_ca(x);
645 /* leaf certificate is checked in OCSP_verify() */ 738 /* leaf certificate is checked in OCSP_verify() */
646 return 1; 739 return 1;
647} 740}
648 741
649static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x, 742static int
650 int ca) 743check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x, int ca)
651{ 744{
652 int i_ext; 745 int i_ext;
653 746
654 /* If ca is true we must return if this is a valid CA certificate. */ 747 /* If ca is true we must return if this is a valid CA certificate. */
655 if (ca) return check_ca(x); 748 if (ca)
749 return check_ca(x);
656 750
657 /* 751 /*
658 * Check the optional key usage field: 752 * Check the optional key usage field:
659 * if Key Usage is present, it must be one of digitalSignature 753 * if Key Usage is present, it must be one of digitalSignature
660 * and/or nonRepudiation (other values are not consistent and shall 754 * and/or nonRepudiation (other values are not consistent and shall
661 * be rejected). 755 * be rejected).
662 */ 756 */
663 if ((x->ex_flags & EXFLAG_KUSAGE) 757 if ((x->ex_flags & EXFLAG_KUSAGE) &&
664 && ((x->ex_kusage & ~(KU_NON_REPUDIATION | KU_DIGITAL_SIGNATURE)) || 758 ((x->ex_kusage & ~(KU_NON_REPUDIATION | KU_DIGITAL_SIGNATURE)) ||
665 !(x->ex_kusage & (KU_NON_REPUDIATION | KU_DIGITAL_SIGNATURE)))) 759 !(x->ex_kusage & (KU_NON_REPUDIATION | KU_DIGITAL_SIGNATURE))))
666 return 0; 760 return 0;
667 761
668 /* Only time stamp key usage is permitted and it's required. */ 762 /* Only time stamp key usage is permitted and it's required. */
@@ -671,17 +765,17 @@ static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x,
671 765
672 /* Extended Key Usage MUST be critical */ 766 /* Extended Key Usage MUST be critical */
673 i_ext = X509_get_ext_by_NID((X509 *) x, NID_ext_key_usage, -1); 767 i_ext = X509_get_ext_by_NID((X509 *) x, NID_ext_key_usage, -1);
674 if (i_ext >= 0) 768 if (i_ext >= 0) {
675 {
676 X509_EXTENSION *ext = X509_get_ext((X509 *) x, i_ext); 769 X509_EXTENSION *ext = X509_get_ext((X509 *) x, i_ext);
677 if (!X509_EXTENSION_get_critical(ext)) 770 if (!X509_EXTENSION_get_critical(ext))
678 return 0; 771 return 0;
679 } 772 }
680 773
681 return 1; 774 return 1;
682} 775}
683 776
684static int no_check(const X509_PURPOSE *xp, const X509 *x, int ca) 777static int
778no_check(const X509_PURPOSE *xp, const X509 *x, int ca)
685{ 779{
686 return 1; 780 return 1;
687} 781}
@@ -698,48 +792,45 @@ static int no_check(const X509_PURPOSE *xp, const X509 *x, int ca)
698 * codes for X509_verify_cert() 792 * codes for X509_verify_cert()
699 */ 793 */
700 794
701int X509_check_issued(X509 *issuer, X509 *subject) 795int
796X509_check_issued(X509 *issuer, X509 *subject)
702{ 797{
703 if(X509_NAME_cmp(X509_get_subject_name(issuer), 798 if (X509_NAME_cmp(X509_get_subject_name(issuer),
704 X509_get_issuer_name(subject))) 799 X509_get_issuer_name(subject)))
705 return X509_V_ERR_SUBJECT_ISSUER_MISMATCH; 800 return X509_V_ERR_SUBJECT_ISSUER_MISMATCH;
706 x509v3_cache_extensions(issuer); 801 x509v3_cache_extensions(issuer);
707 x509v3_cache_extensions(subject); 802 x509v3_cache_extensions(subject);
708 803
709 if(subject->akid) 804 if (subject->akid) {
710 {
711 int ret = X509_check_akid(issuer, subject->akid); 805 int ret = X509_check_akid(issuer, subject->akid);
712 if (ret != X509_V_OK) 806 if (ret != X509_V_OK)
713 return ret; 807 return ret;
714 } 808 }
715 809
716 if(subject->ex_flags & EXFLAG_PROXY) 810 if (subject->ex_flags & EXFLAG_PROXY) {
717 { 811 if (ku_reject(issuer, KU_DIGITAL_SIGNATURE))
718 if(ku_reject(issuer, KU_DIGITAL_SIGNATURE))
719 return X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE; 812 return X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE;
720 } 813 } else if (ku_reject(issuer, KU_KEY_CERT_SIGN))
721 else if(ku_reject(issuer, KU_KEY_CERT_SIGN))
722 return X509_V_ERR_KEYUSAGE_NO_CERTSIGN; 814 return X509_V_ERR_KEYUSAGE_NO_CERTSIGN;
723 return X509_V_OK; 815 return X509_V_OK;
724} 816}
725 817
726int X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid) 818int
727 { 819X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid)
728 820{
729 if(!akid) 821 if (!akid)
730 return X509_V_OK; 822 return X509_V_OK;
731 823
732 /* Check key ids (if present) */ 824 /* Check key ids (if present) */
733 if(akid->keyid && issuer->skid && 825 if (akid->keyid && issuer->skid &&
734 ASN1_OCTET_STRING_cmp(akid->keyid, issuer->skid) ) 826 ASN1_OCTET_STRING_cmp(akid->keyid, issuer->skid) )
735 return X509_V_ERR_AKID_SKID_MISMATCH; 827 return X509_V_ERR_AKID_SKID_MISMATCH;
736 /* Check serial number */ 828 /* Check serial number */
737 if(akid->serial && 829 if (akid->serial &&
738 ASN1_INTEGER_cmp(X509_get_serialNumber(issuer), akid->serial)) 830 ASN1_INTEGER_cmp(X509_get_serialNumber(issuer), akid->serial))
739 return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH; 831 return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
740 /* Check issuer name */ 832 /* Check issuer name */
741 if(akid->issuer) 833 if (akid->issuer) {
742 {
743 /* Ugh, for some peculiar reason AKID includes 834 /* Ugh, for some peculiar reason AKID includes
744 * SEQUENCE OF GeneralName. So look for a DirName. 835 * SEQUENCE OF GeneralName. So look for a DirName.
745 * There may be more than one but we only take any 836 * There may be more than one but we only take any
@@ -750,18 +841,15 @@ int X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid)
750 X509_NAME *nm = NULL; 841 X509_NAME *nm = NULL;
751 int i; 842 int i;
752 gens = akid->issuer; 843 gens = akid->issuer;
753 for(i = 0; i < sk_GENERAL_NAME_num(gens); i++) 844 for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
754 {
755 gen = sk_GENERAL_NAME_value(gens, i); 845 gen = sk_GENERAL_NAME_value(gens, i);
756 if(gen->type == GEN_DIRNAME) 846 if (gen->type == GEN_DIRNAME) {
757 {
758 nm = gen->d.dirn; 847 nm = gen->d.dirn;
759 break; 848 break;
760 }
761 } 849 }
762 if(nm && X509_NAME_cmp(nm, X509_get_issuer_name(issuer)))
763 return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
764 } 850 }
765 return X509_V_OK; 851 if (nm && X509_NAME_cmp(nm, X509_get_issuer_name(issuer)))
852 return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
766 } 853 }
767 854 return X509_V_OK;
855}
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-11-20 11:36:53 +0000