1 files changed, 527 insertions, 0 deletions
diff --git a/src/lib/libcrypto/asn1/x_crl.c b/src/lib/libcrypto/asn1/x_crl.c
new file mode 100644
index 0000000000..c51c690ba9
--- /dev/null
+++ b/src/lib/libcrypto/asn1/x_crl.c
@@ -0,0 +1,527 @@
+/* crypto/asn1/x_crl.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+#include <stdio.h>
+#include "cryptlib.h"
+#include "asn1_locl.h"
+#include <openssl/asn1t.h>
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+static int X509_REVOKED_cmp(const X509_REVOKED * const *a,
+                                const X509_REVOKED * const *b);
+static void setup_idp(X509_CRL *crl, ISSUING_DIST_POINT *idp);
+ASN1_SEQUENCE(X509_REVOKED) = {
+        ASN1_SIMPLE(X509_REVOKED,serialNumber, ASN1_INTEGER),
+        ASN1_SIMPLE(X509_REVOKED,revocationDate, ASN1_TIME),
+        ASN1_SEQUENCE_OF_OPT(X509_REVOKED,extensions, X509_EXTENSION)
+} ASN1_SEQUENCE_END(X509_REVOKED)
+static int def_crl_verify(X509_CRL *crl, EVP_PKEY *r);
+static int def_crl_lookup(X509_CRL *crl,
+                X509_REVOKED **ret, ASN1_INTEGER *serial, X509_NAME *issuer);
+static X509_CRL_METHOD int_crl_meth =
+        {
+        0,
+        0,0,
+        def_crl_lookup,
+        def_crl_verify
+        };
+static const X509_CRL_METHOD *default_crl_method = &int_crl_meth;
+/* The X509_CRL_INFO structure needs a bit of customisation.
+ * Since we cache the original encoding the signature wont be affected by
+ * reordering of the revoked field.
+ */
+static int crl_inf_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
+                                                                void *exarg)
+{
+        X509_CRL_INFO *a = (X509_CRL_INFO *)*pval;
+        if(!a || !a->revoked) return 1;
+        switch(operation) {
+                /* Just set cmp function here. We don't sort because that
+                 * would affect the output of X509_CRL_print().
+                 */
+                case ASN1_OP_D2I_POST:
+                (void)sk_X509_REVOKED_set_cmp_func(a->revoked,X509_REVOKED_cmp);
+                break;
+        }
+        return 1;
+}
+ASN1_SEQUENCE_enc(X509_CRL_INFO, enc, crl_inf_cb) = {
+        ASN1_OPT(X509_CRL_INFO, version, ASN1_INTEGER),
+        ASN1_SIMPLE(X509_CRL_INFO, sig_alg, X509_ALGOR),
+        ASN1_SIMPLE(X509_CRL_INFO, issuer, X509_NAME),
+        ASN1_SIMPLE(X509_CRL_INFO, lastUpdate, ASN1_TIME),
+        ASN1_OPT(X509_CRL_INFO, nextUpdate, ASN1_TIME),
+        ASN1_SEQUENCE_OF_OPT(X509_CRL_INFO, revoked, X509_REVOKED),
+        ASN1_EXP_SEQUENCE_OF_OPT(X509_CRL_INFO, extensions, X509_EXTENSION, 0)
+} ASN1_SEQUENCE_END_enc(X509_CRL_INFO, X509_CRL_INFO)
+/* Set CRL entry issuer according to CRL certificate issuer extension.
+ * Check for unhandled critical CRL entry extensions.
+ */
+static int crl_set_issuers(X509_CRL *crl)
+        {
+        int i, j;
+        GENERAL_NAMES *gens, *gtmp;
+        STACK_OF(X509_REVOKED) *revoked;
+        revoked = X509_CRL_get_REVOKED(crl);
+        gens = NULL;
+        for (i = 0; i < sk_X509_REVOKED_num(revoked); i++)
+                {
+                X509_REVOKED *rev = sk_X509_REVOKED_value(revoked, i);
+                STACK_OF(X509_EXTENSION) *exts;
+                ASN1_ENUMERATED *reason;
+                X509_EXTENSION *ext;
+                gtmp = X509_REVOKED_get_ext_d2i(rev, 
+                                                NID_certificate_issuer,
+                                                &j, NULL);
+                if (!gtmp && (j != -1))
+                        {
+                        crl->flags |= EXFLAG_INVALID;
+                        return 1;
+                        }
+                if (gtmp)
+                        {
+                        gens = gtmp;
+                        if (!crl->issuers)
+                                {
+                                crl->issuers = sk_GENERAL_NAMES_new_null();
+                                if (!crl->issuers)
+                                        return 0;
+                                }
+                        if (!sk_GENERAL_NAMES_push(crl->issuers, gtmp))
+                                return 0;
+                        }
+                rev->issuer = gens;
+                reason = X509_REVOKED_get_ext_d2i(rev, NID_crl_reason,
+                                                                &j, NULL);
+                if (!reason && (j != -1))
+                        {
+                        crl->flags |= EXFLAG_INVALID;
+                        return 1;
+                        }
+                if (reason)
+                        {
+                        rev->reason = ASN1_ENUMERATED_get(reason);
+                        ASN1_ENUMERATED_free(reason);
+                        }
+                else
+                        rev->reason = CRL_REASON_NONE;  
+                /* Check for critical CRL entry extensions */
+                exts = rev->extensions;
+                for (j = 0; j < sk_X509_EXTENSION_num(exts); j++)
+                        {
+                        ext = sk_X509_EXTENSION_value(exts, j);
+                        if (ext->critical > 0)
+                                {
+                                if (OBJ_obj2nid(ext->object) ==
+                                        NID_certificate_issuer)
+                                        continue;
+                                crl->flags |= EXFLAG_CRITICAL;
+                                break;
+                                }
+                        }
+                }
+        return 1;
+        }
+/* The X509_CRL structure needs a bit of customisation. Cache some extensions
+ * and hash of the whole CRL.
+ */
+static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
+                                                                void *exarg)
+        {
+        X509_CRL *crl = (X509_CRL *)*pval;
+        STACK_OF(X509_EXTENSION) *exts;
+        X509_EXTENSION *ext;
+        int idx;
+        switch(operation)
+                {
+                case ASN1_OP_NEW_POST:
+                crl->idp = NULL;
+                crl->akid = NULL;
+                crl->flags = 0;
+                crl->idp_flags = 0;
+                crl->idp_reasons = CRLDP_ALL_REASONS;
+                crl->meth = default_crl_method;
+                crl->meth_data = NULL;
+                crl->issuers = NULL;
+                crl->crl_number = NULL;
+                crl->base_crl_number = NULL;
+                break;
+                case ASN1_OP_D2I_POST:
+#ifndef OPENSSL_NO_SHA
+                X509_CRL_digest(crl, EVP_sha1(), crl->sha1_hash, NULL);
+#endif
+                crl->idp = X509_CRL_get_ext_d2i(crl,
+                                NID_issuing_distribution_point, NULL, NULL);
+                if (crl->idp)
+                        setup_idp(crl, crl->idp);
+                crl->akid = X509_CRL_get_ext_d2i(crl,
+                                NID_authority_key_identifier, NULL, NULL);      
+                crl->crl_number = X509_CRL_get_ext_d2i(crl,
+                                NID_crl_number, NULL, NULL);    
+                crl->base_crl_number = X509_CRL_get_ext_d2i(crl,
+                                NID_delta_crl, NULL, NULL);     
+                /* Delta CRLs must have CRL number */
+                if (crl->base_crl_number && !crl->crl_number)
+                        crl->flags |= EXFLAG_INVALID;
+                /* See if we have any unhandled critical CRL extensions and 
+                 * indicate this in a flag. We only currently handle IDP so
+                 * anything else critical sets the flag.
+                 *
+                 * This code accesses the X509_CRL structure directly:
+                 * applications shouldn't do this.
+                 */
+                exts = crl->crl->extensions;
+                for (idx = 0; idx < sk_X509_EXTENSION_num(exts); idx++)
+                        {
+                        int nid;
+                        ext = sk_X509_EXTENSION_value(exts, idx);
+                        nid = OBJ_obj2nid(ext->object);
+                        if (nid == NID_freshest_crl)
+                                crl->flags |= EXFLAG_FRESHEST;
+                        if (ext->critical > 0)
+                                {
+                                /* We handle IDP and deltas */
+                                if ((nid == NID_issuing_distribution_point)
+                                        || (nid == NID_delta_crl))
+                                        break;;
+                                crl->flags |= EXFLAG_CRITICAL;
+                                break;
+                                }
+                        }
+                if (!crl_set_issuers(crl))
+                        return 0;
+                if (crl->meth->crl_init)
+                        {
+                        if (crl->meth->crl_init(crl) == 0)
+                                return 0;
+                        }
+                break;
+                case ASN1_OP_FREE_POST:
+                if (crl->meth->crl_free)
+                        {
+                        if (!crl->meth->crl_free(crl))
+                                return 0;
+                        }
+                if (crl->akid)
+                        AUTHORITY_KEYID_free(crl->akid);
+                if (crl->idp)
+                        ISSUING_DIST_POINT_free(crl->idp);
+                ASN1_INTEGER_free(crl->crl_number);
+                ASN1_INTEGER_free(crl->base_crl_number);
+                sk_GENERAL_NAMES_pop_free(crl->issuers, GENERAL_NAMES_free);
+                break;
+                }
+        return 1;
+        }
+/* Convert IDP into a more convenient form */
+static void setup_idp(X509_CRL *crl, ISSUING_DIST_POINT *idp)
+        {
+        int idp_only = 0;
+        /* Set various flags according to IDP */
+        crl->idp_flags |= IDP_PRESENT;
+        if (idp->onlyuser > 0)
+                {
+                idp_only++;
+                crl->idp_flags |= IDP_ONLYUSER;
+                }
+        if (idp->onlyCA > 0)
+                {
+                idp_only++;
+                crl->idp_flags |= IDP_ONLYCA;
+                }
+        if (idp->onlyattr > 0)
+                {
+                idp_only++;
+                crl->idp_flags |= IDP_ONLYATTR;
+                }
+        if (idp_only > 1)
+                crl->idp_flags |= IDP_INVALID;
+        if (idp->indirectCRL > 0)
+                crl->idp_flags |= IDP_INDIRECT;
+        if (idp->onlysomereasons)
+                {
+                crl->idp_flags |= IDP_REASONS;
+                if (idp->onlysomereasons->length > 0)
+                        crl->idp_reasons = idp->onlysomereasons->data[0];
+                if (idp->onlysomereasons->length > 1)
+                        crl->idp_reasons |=
+                                (idp->onlysomereasons->data[1] << 8);
+                crl->idp_reasons &= CRLDP_ALL_REASONS;
+                }
+        DIST_POINT_set_dpname(idp->distpoint, X509_CRL_get_issuer(crl));
+        }
+ASN1_SEQUENCE_ref(X509_CRL, crl_cb, CRYPTO_LOCK_X509_CRL) = {
+        ASN1_SIMPLE(X509_CRL, crl, X509_CRL_INFO),
+        ASN1_SIMPLE(X509_CRL, sig_alg, X509_ALGOR),
+        ASN1_SIMPLE(X509_CRL, signature, ASN1_BIT_STRING)
+} ASN1_SEQUENCE_END_ref(X509_CRL, X509_CRL)
+IMPLEMENT_ASN1_FUNCTIONS(X509_REVOKED)
+IMPLEMENT_ASN1_FUNCTIONS(X509_CRL_INFO)
+IMPLEMENT_ASN1_FUNCTIONS(X509_CRL)
+IMPLEMENT_ASN1_DUP_FUNCTION(X509_CRL)
+static int X509_REVOKED_cmp(const X509_REVOKED * const *a,
+                        const X509_REVOKED * const *b)
+        {
+        return(ASN1_STRING_cmp(
+                (ASN1_STRING *)(*a)->serialNumber,
+                (ASN1_STRING *)(*b)->serialNumber));
+        }
+int X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev)
+{
+        X509_CRL_INFO *inf;
+        inf = crl->crl;
+        if(!inf->revoked)
+                inf->revoked = sk_X509_REVOKED_new(X509_REVOKED_cmp);
+        if(!inf->revoked || !sk_X509_REVOKED_push(inf->revoked, rev)) {
+                ASN1err(ASN1_F_X509_CRL_ADD0_REVOKED, ERR_R_MALLOC_FAILURE);
+                return 0;
+        }
+        inf->enc.modified = 1;
+        return 1;
+}
+int X509_CRL_verify(X509_CRL *crl, EVP_PKEY *r)
+        {
+        if (crl->meth->crl_verify)
+                return crl->meth->crl_verify(crl, r);
+        return 0;
+        }
+int X509_CRL_get0_by_serial(X509_CRL *crl,
+                X509_REVOKED **ret, ASN1_INTEGER *serial)
+        {
+        if (crl->meth->crl_lookup)
+                return crl->meth->crl_lookup(crl, ret, serial, NULL);
+        return 0;
+        }
+int X509_CRL_get0_by_cert(X509_CRL *crl, X509_REVOKED **ret, X509 *x)
+        {
+        if (crl->meth->crl_lookup)
+                return crl->meth->crl_lookup(crl, ret,
+                                                X509_get_serialNumber(x),
+                                                X509_get_issuer_name(x));
+        return 0;
+        }
+static int def_crl_verify(X509_CRL *crl, EVP_PKEY *r)
+        {
+        return(ASN1_item_verify(ASN1_ITEM_rptr(X509_CRL_INFO),
+                crl->sig_alg, crl->signature,crl->crl,r));
+        }
+static int crl_revoked_issuer_match(X509_CRL *crl, X509_NAME *nm,
+                                                X509_REVOKED *rev)
+        {
+        int i;
+        if (!rev->issuer)
+                {
+                if (!nm)
+                        return 1;
+                if (!X509_NAME_cmp(nm, X509_CRL_get_issuer(crl)))
+                        return 1;
+                return 0;
+                }
+        if (!nm)
+                nm = X509_CRL_get_issuer(crl);
+        for (i = 0; i < sk_GENERAL_NAME_num(rev->issuer); i++)
+                {
+                GENERAL_NAME *gen = sk_GENERAL_NAME_value(rev->issuer, i);
+                if (gen->type != GEN_DIRNAME)
+                        continue;
+                if (!X509_NAME_cmp(nm, gen->d.directoryName))
+                        return 1;
+                }
+        return 0;
+        }
+static int def_crl_lookup(X509_CRL *crl,
+                X509_REVOKED **ret, ASN1_INTEGER *serial, X509_NAME *issuer)
+        {
+        X509_REVOKED rtmp, *rev;
+        int idx;
+        rtmp.serialNumber = serial;
+        /* Sort revoked into serial number order if not already sorted.
+         * Do this under a lock to avoid race condition.
+         */
+        if (!sk_X509_REVOKED_is_sorted(crl->crl->revoked))
+                {
+                CRYPTO_w_lock(CRYPTO_LOCK_X509_CRL);
+                sk_X509_REVOKED_sort(crl->crl->revoked);
+                CRYPTO_w_unlock(CRYPTO_LOCK_X509_CRL);
+                }
+        idx = sk_X509_REVOKED_find(crl->crl->revoked, &rtmp);
+        if(idx < 0)
+                return 0;
+        /* Need to look for matching name */
+        for(;idx < sk_X509_REVOKED_num(crl->crl->revoked); idx++)
+                {
+                rev = sk_X509_REVOKED_value(crl->crl->revoked, idx);
+                if (ASN1_INTEGER_cmp(rev->serialNumber, serial))
+                        return 0;
+                if (crl_revoked_issuer_match(crl, issuer, rev))
+                        {
+                        if (ret)
+                                *ret = rev;
+                        if (rev->reason == CRL_REASON_REMOVE_FROM_CRL)
+                                return 2;
+                        return 1;
+                        }
+                }
+        return 0;
+        }
+void X509_CRL_set_default_method(const X509_CRL_METHOD *meth)
+        {
+        if (meth == NULL)
+                default_crl_method = &int_crl_meth;
+        else 
+                default_crl_method = meth;
+        }
+X509_CRL_METHOD *X509_CRL_METHOD_new(
+        int (*crl_init)(X509_CRL *crl),
+        int (*crl_free)(X509_CRL *crl),
+        int (*crl_lookup)(X509_CRL *crl, X509_REVOKED **ret,
+                                ASN1_INTEGER *ser, X509_NAME *issuer),
+        int (*crl_verify)(X509_CRL *crl, EVP_PKEY *pk))
+        {
+        X509_CRL_METHOD *m;
+        m = OPENSSL_malloc(sizeof(X509_CRL_METHOD));
+        if (!m)
+                return NULL;
+        m->crl_init = crl_init;
+        m->crl_free = crl_free;
+        m->crl_lookup = crl_lookup;
+        m->crl_verify = crl_verify;
+        m->flags = X509_CRL_METHOD_DYNAMIC;
+        return m;
+        }
+void X509_CRL_METHOD_free(X509_CRL_METHOD *m)
+        {
+        if (!(m->flags & X509_CRL_METHOD_DYNAMIC))
+                return;
+        OPENSSL_free(m);
+        }
+void X509_CRL_set_meth_data(X509_CRL *crl, void *dat)
+        {
+        crl->meth_data = dat;
+        }
+void *X509_CRL_get_meth_data(X509_CRL *crl)
+        {
+        return crl->meth_data;
+        }
+IMPLEMENT_STACK_OF(X509_REVOKED)
+IMPLEMENT_ASN1_SET_OF(X509_REVOKED)
+IMPLEMENT_STACK_OF(X509_CRL)
+IMPLEMENT_ASN1_SET_OF(X509_CRL)

diff --git a/src/lib/libcrypto/asn1/x_crl.c b/src/lib/libcrypto/asn1/x_crl.c new file mode 100644 index 0000000000..c51c690ba9 --- /dev/null +++ b/src/lib/libcrypto/asn1/x_crl.c
@@ -0,0 +1,527 @@
	1	/* crypto/asn1/x_crl.c */
	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
	3	* All rights reserved.
	4	*
	5	* This package is an SSL implementation written
	6	* by Eric Young (eay@cryptsoft.com).
	7	* The implementation was written so as to conform with Netscapes SSL.
	8	*
	9	* This library is free for commercial and non-commercial use as long as
	10	* the following conditions are aheared to. The following conditions
	11	* apply to all code found in this distribution, be it the RC4, RSA,
	12	* lhash, DES, etc., code; not just the SSL code. The SSL documentation
	13	* included with this distribution is covered by the same copyright terms
	14	* except that the holder is Tim Hudson (tjh@cryptsoft.com).
	15	*
	16	* Copyright remains Eric Young's, and as such any Copyright notices in
	17	* the code are not to be removed.
	18	* If this package is used in a product, Eric Young should be given attribution
	19	* as the author of the parts of the library used.
	20	* This can be in the form of a textual message at program startup or
	21	* in documentation (online or textual) provided with the package.
	22	*
	23	* Redistribution and use in source and binary forms, with or without
	24	* modification, are permitted provided that the following conditions
	25	* are met:
	26	* 1. Redistributions of source code must retain the copyright
	27	* notice, this list of conditions and the following disclaimer.
	28	* 2. Redistributions in binary form must reproduce the above copyright
	29	* notice, this list of conditions and the following disclaimer in the
	30	* documentation and/or other materials provided with the distribution.
	31	* 3. All advertising materials mentioning features or use of this software
	32	* must display the following acknowledgement:
	33	* "This product includes cryptographic software written by
	34	* Eric Young (eay@cryptsoft.com)"
	35	* The word 'cryptographic' can be left out if the rouines from the library
	36	* being used are not cryptographic related :-).
	37	* 4. If you include any Windows specific code (or a derivative thereof) from
	38	* the apps directory (application code) you must include an acknowledgement:
	39	* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
	40	*
	41	* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
	42	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	43	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
	44	* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
	45	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
	46	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
	47	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	48	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
	49	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
	50	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
	51	* SUCH DAMAGE.
	52	*
	53	* The licence and distribution terms for any publically available version or
	54	* derivative of this code cannot be changed. i.e. this code cannot simply be
	55	* copied and put under another distribution licence
	56	* [including the GNU Public Licence.]
	57	*/
	58
	59	#include <stdio.h>
	60	#include "cryptlib.h"
	61	#include "asn1_locl.h"
	62	#include <openssl/asn1t.h>
	63	#include <openssl/x509.h>
	64	#include <openssl/x509v3.h>
	65
	66	static int X509_REVOKED_cmp(const X509_REVOKED * const *a,
	67	const X509_REVOKED * const *b);
	68	static void setup_idp(X509_CRL crl, ISSUING_DIST_POINT idp);
	69
	70	ASN1_SEQUENCE(X509_REVOKED) = {
	71	ASN1_SIMPLE(X509_REVOKED,serialNumber, ASN1_INTEGER),
	72	ASN1_SIMPLE(X509_REVOKED,revocationDate, ASN1_TIME),
	73	ASN1_SEQUENCE_OF_OPT(X509_REVOKED,extensions, X509_EXTENSION)
	74	} ASN1_SEQUENCE_END(X509_REVOKED)
	75
	76	static int def_crl_verify(X509_CRL crl, EVP_PKEY r);
	77	static int def_crl_lookup(X509_CRL *crl,
	78	X509_REVOKED *ret, ASN1_INTEGER serial, X509_NAME *issuer);
	79
	80	static X509_CRL_METHOD int_crl_meth =
	81	{
	82	0,
	83	0,0,
	84	def_crl_lookup,
	85	def_crl_verify
	86	};
	87
	88	static const X509_CRL_METHOD *default_crl_method = &int_crl_meth;
	89
	90	/* The X509_CRL_INFO structure needs a bit of customisation.
	91	* Since we cache the original encoding the signature wont be affected by
	92	* reordering of the revoked field.
	93	*/
	94	static int crl_inf_cb(int operation, ASN1_VALUE *pval, const ASN1_ITEM it,
	95	void *exarg)
	96	{
	97	X509_CRL_INFO a = (X509_CRL_INFO )*pval;
	98
	99	if(!a \|\| !a->revoked) return 1;
	100	switch(operation) {
	101	/* Just set cmp function here. We don't sort because that
	102	* would affect the output of X509_CRL_print().
	103	*/
	104	case ASN1_OP_D2I_POST:
	105	(void)sk_X509_REVOKED_set_cmp_func(a->revoked,X509_REVOKED_cmp);
	106	break;
	107	}
	108	return 1;
	109	}
	110
	111
	112	ASN1_SEQUENCE_enc(X509_CRL_INFO, enc, crl_inf_cb) = {
	113	ASN1_OPT(X509_CRL_INFO, version, ASN1_INTEGER),
	114	ASN1_SIMPLE(X509_CRL_INFO, sig_alg, X509_ALGOR),
	115	ASN1_SIMPLE(X509_CRL_INFO, issuer, X509_NAME),
	116	ASN1_SIMPLE(X509_CRL_INFO, lastUpdate, ASN1_TIME),
	117	ASN1_OPT(X509_CRL_INFO, nextUpdate, ASN1_TIME),
	118	ASN1_SEQUENCE_OF_OPT(X509_CRL_INFO, revoked, X509_REVOKED),
	119	ASN1_EXP_SEQUENCE_OF_OPT(X509_CRL_INFO, extensions, X509_EXTENSION, 0)
	120	} ASN1_SEQUENCE_END_enc(X509_CRL_INFO, X509_CRL_INFO)
	121
	122	/* Set CRL entry issuer according to CRL certificate issuer extension.
	123	* Check for unhandled critical CRL entry extensions.
	124	*/
	125
	126	static int crl_set_issuers(X509_CRL *crl)
	127	{
	128
	129	int i, j;
	130	GENERAL_NAMES gens, gtmp;
	131	STACK_OF(X509_REVOKED) *revoked;
	132
	133	revoked = X509_CRL_get_REVOKED(crl);
	134
	135	gens = NULL;
	136	for (i = 0; i < sk_X509_REVOKED_num(revoked); i++)
	137	{
	138	X509_REVOKED *rev = sk_X509_REVOKED_value(revoked, i);
	139	STACK_OF(X509_EXTENSION) *exts;
	140	ASN1_ENUMERATED *reason;
	141	X509_EXTENSION *ext;
	142	gtmp = X509_REVOKED_get_ext_d2i(rev,
	143	NID_certificate_issuer,
	144	&j, NULL);
	145	if (!gtmp && (j != -1))
	146	{
	147	crl->flags \|= EXFLAG_INVALID;
	148	return 1;
	149	}
	150
	151	if (gtmp)
	152	{
	153	gens = gtmp;
	154	if (!crl->issuers)
	155	{
	156	crl->issuers = sk_GENERAL_NAMES_new_null();
	157	if (!crl->issuers)
	158	return 0;
	159	}
	160	if (!sk_GENERAL_NAMES_push(crl->issuers, gtmp))
	161	return 0;
	162	}
	163	rev->issuer = gens;
	164
	165	reason = X509_REVOKED_get_ext_d2i(rev, NID_crl_reason,
	166	&j, NULL);
	167	if (!reason && (j != -1))
	168	{
	169	crl->flags \|= EXFLAG_INVALID;
	170	return 1;
	171	}
	172
	173	if (reason)
	174	{
	175	rev->reason = ASN1_ENUMERATED_get(reason);
	176	ASN1_ENUMERATED_free(reason);
	177	}
	178	else
	179	rev->reason = CRL_REASON_NONE;
	180
	181	/* Check for critical CRL entry extensions */
	182
	183	exts = rev->extensions;
	184
	185	for (j = 0; j < sk_X509_EXTENSION_num(exts); j++)
	186	{
	187	ext = sk_X509_EXTENSION_value(exts, j);
	188	if (ext->critical > 0)
	189	{
	190	if (OBJ_obj2nid(ext->object) ==
	191	NID_certificate_issuer)
	192	continue;
	193	crl->flags \|= EXFLAG_CRITICAL;
	194	break;
	195	}
	196	}
	197
	198
	199	}
	200
	201	return 1;
	202
	203	}
	204
	205	/* The X509_CRL structure needs a bit of customisation. Cache some extensions
	206	* and hash of the whole CRL.
	207	*/
	208	static int crl_cb(int operation, ASN1_VALUE *pval, const ASN1_ITEM it,
	209	void *exarg)
	210	{
	211	X509_CRL crl = (X509_CRL )*pval;
	212	STACK_OF(X509_EXTENSION) *exts;
	213	X509_EXTENSION *ext;
	214	int idx;
	215
	216	switch(operation)
	217	{
	218	case ASN1_OP_NEW_POST:
	219	crl->idp = NULL;
	220	crl->akid = NULL;
	221	crl->flags = 0;
	222	crl->idp_flags = 0;
	223	crl->idp_reasons = CRLDP_ALL_REASONS;
	224	crl->meth = default_crl_method;
	225	crl->meth_data = NULL;
	226	crl->issuers = NULL;
	227	crl->crl_number = NULL;
	228	crl->base_crl_number = NULL;
	229	break;
	230
	231	case ASN1_OP_D2I_POST:
	232	#ifndef OPENSSL_NO_SHA
	233	X509_CRL_digest(crl, EVP_sha1(), crl->sha1_hash, NULL);
	234	#endif
	235	crl->idp = X509_CRL_get_ext_d2i(crl,
	236	NID_issuing_distribution_point, NULL, NULL);
	237	if (crl->idp)
	238	setup_idp(crl, crl->idp);
	239
	240	crl->akid = X509_CRL_get_ext_d2i(crl,
	241	NID_authority_key_identifier, NULL, NULL);
	242
	243	crl->crl_number = X509_CRL_get_ext_d2i(crl,
	244	NID_crl_number, NULL, NULL);
	245
	246	crl->base_crl_number = X509_CRL_get_ext_d2i(crl,
	247	NID_delta_crl, NULL, NULL);
	248	/* Delta CRLs must have CRL number */
	249	if (crl->base_crl_number && !crl->crl_number)
	250	crl->flags \|= EXFLAG_INVALID;
	251
	252	/* See if we have any unhandled critical CRL extensions and
	253	* indicate this in a flag. We only currently handle IDP so
	254	* anything else critical sets the flag.
	255	*
	256	* This code accesses the X509_CRL structure directly:
	257	* applications shouldn't do this.
	258	*/
	259
	260	exts = crl->crl->extensions;
	261
	262	for (idx = 0; idx < sk_X509_EXTENSION_num(exts); idx++)
	263	{
	264	int nid;
	265	ext = sk_X509_EXTENSION_value(exts, idx);
	266	nid = OBJ_obj2nid(ext->object);
	267	if (nid == NID_freshest_crl)
	268	crl->flags \|= EXFLAG_FRESHEST;
	269	if (ext->critical > 0)
	270	{
	271	/* We handle IDP and deltas */
	272	if ((nid == NID_issuing_distribution_point)
	273	\|\| (nid == NID_delta_crl))
	274	break;;
	275	crl->flags \|= EXFLAG_CRITICAL;
	276	break;
	277	}
	278	}
	279
	280
	281	if (!crl_set_issuers(crl))
	282	return 0;
	283
	284	if (crl->meth->crl_init)
	285	{
	286	if (crl->meth->crl_init(crl) == 0)
	287	return 0;
	288	}
	289	break;
	290
	291	case ASN1_OP_FREE_POST:
	292	if (crl->meth->crl_free)
	293	{
	294	if (!crl->meth->crl_free(crl))
	295	return 0;
	296	}
	297	if (crl->akid)
	298	AUTHORITY_KEYID_free(crl->akid);
	299	if (crl->idp)
	300	ISSUING_DIST_POINT_free(crl->idp);
	301	ASN1_INTEGER_free(crl->crl_number);
	302	ASN1_INTEGER_free(crl->base_crl_number);
	303	sk_GENERAL_NAMES_pop_free(crl->issuers, GENERAL_NAMES_free);
	304	break;
	305	}
	306	return 1;
	307	}
	308
	309	/* Convert IDP into a more convenient form */
	310
	311	static void setup_idp(X509_CRL crl, ISSUING_DIST_POINT idp)
	312	{
	313	int idp_only = 0;
	314	/* Set various flags according to IDP */
	315	crl->idp_flags \|= IDP_PRESENT;
	316	if (idp->onlyuser > 0)
	317	{
	318	idp_only++;
	319	crl->idp_flags \|= IDP_ONLYUSER;
	320	}
	321	if (idp->onlyCA > 0)
	322	{
	323	idp_only++;
	324	crl->idp_flags \|= IDP_ONLYCA;
	325	}
	326	if (idp->onlyattr > 0)
	327	{
	328	idp_only++;
	329	crl->idp_flags \|= IDP_ONLYATTR;
	330	}
	331
	332	if (idp_only > 1)
	333	crl->idp_flags \|= IDP_INVALID;
	334
	335	if (idp->indirectCRL > 0)
	336	crl->idp_flags \|= IDP_INDIRECT;
	337
	338	if (idp->onlysomereasons)
	339	{
	340	crl->idp_flags \|= IDP_REASONS;
	341	if (idp->onlysomereasons->length > 0)
	342	crl->idp_reasons = idp->onlysomereasons->data[0];
	343	if (idp->onlysomereasons->length > 1)
	344	crl->idp_reasons \|=
	345	(idp->onlysomereasons->data[1] << 8);
	346	crl->idp_reasons &= CRLDP_ALL_REASONS;
	347	}
	348
	349	DIST_POINT_set_dpname(idp->distpoint, X509_CRL_get_issuer(crl));
	350	}
	351
	352	ASN1_SEQUENCE_ref(X509_CRL, crl_cb, CRYPTO_LOCK_X509_CRL) = {
	353	ASN1_SIMPLE(X509_CRL, crl, X509_CRL_INFO),
	354	ASN1_SIMPLE(X509_CRL, sig_alg, X509_ALGOR),
	355	ASN1_SIMPLE(X509_CRL, signature, ASN1_BIT_STRING)
	356	} ASN1_SEQUENCE_END_ref(X509_CRL, X509_CRL)
	357
	358	IMPLEMENT_ASN1_FUNCTIONS(X509_REVOKED)
	359	IMPLEMENT_ASN1_FUNCTIONS(X509_CRL_INFO)
	360	IMPLEMENT_ASN1_FUNCTIONS(X509_CRL)
	361	IMPLEMENT_ASN1_DUP_FUNCTION(X509_CRL)
	362
	363	static int X509_REVOKED_cmp(const X509_REVOKED * const *a,
	364	const X509_REVOKED * const *b)
	365	{
	366	return(ASN1_STRING_cmp(
	367	(ASN1_STRING )(a)->serialNumber,
	368	(ASN1_STRING )(b)->serialNumber));
	369	}
	370
	371	int X509_CRL_add0_revoked(X509_CRL crl, X509_REVOKED rev)
	372	{
	373	X509_CRL_INFO *inf;
	374	inf = crl->crl;
	375	if(!inf->revoked)
	376	inf->revoked = sk_X509_REVOKED_new(X509_REVOKED_cmp);
	377	if(!inf->revoked \|\| !sk_X509_REVOKED_push(inf->revoked, rev)) {
	378	ASN1err(ASN1_F_X509_CRL_ADD0_REVOKED, ERR_R_MALLOC_FAILURE);
	379	return 0;
	380	}
	381	inf->enc.modified = 1;
	382	return 1;
	383	}
	384
	385	int X509_CRL_verify(X509_CRL crl, EVP_PKEY r)
	386	{
	387	if (crl->meth->crl_verify)
	388	return crl->meth->crl_verify(crl, r);
	389	return 0;
	390	}
	391
	392	int X509_CRL_get0_by_serial(X509_CRL *crl,
	393	X509_REVOKED *ret, ASN1_INTEGER serial)
	394	{
	395	if (crl->meth->crl_lookup)
	396	return crl->meth->crl_lookup(crl, ret, serial, NULL);
	397	return 0;
	398	}
	399
	400	int X509_CRL_get0_by_cert(X509_CRL crl, X509_REVOKED ret, X509 x)
	401	{
	402	if (crl->meth->crl_lookup)
	403	return crl->meth->crl_lookup(crl, ret,
	404	X509_get_serialNumber(x),
	405	X509_get_issuer_name(x));
	406	return 0;
	407	}
	408
	409	static int def_crl_verify(X509_CRL crl, EVP_PKEY r)
	410	{
	411	return(ASN1_item_verify(ASN1_ITEM_rptr(X509_CRL_INFO),
	412	crl->sig_alg, crl->signature,crl->crl,r));
	413	}
	414
	415	static int crl_revoked_issuer_match(X509_CRL crl, X509_NAME nm,
	416	X509_REVOKED *rev)
	417	{
	418	int i;
	419
	420	if (!rev->issuer)
	421	{
	422	if (!nm)
	423	return 1;
	424	if (!X509_NAME_cmp(nm, X509_CRL_get_issuer(crl)))
	425	return 1;
	426	return 0;
	427	}
	428
	429	if (!nm)
	430	nm = X509_CRL_get_issuer(crl);
	431
	432	for (i = 0; i < sk_GENERAL_NAME_num(rev->issuer); i++)
	433	{
	434	GENERAL_NAME *gen = sk_GENERAL_NAME_value(rev->issuer, i);
	435	if (gen->type != GEN_DIRNAME)
	436	continue;
	437	if (!X509_NAME_cmp(nm, gen->d.directoryName))
	438	return 1;
	439	}
	440	return 0;
	441
	442	}
	443
	444	static int def_crl_lookup(X509_CRL *crl,
	445	X509_REVOKED *ret, ASN1_INTEGER serial, X509_NAME *issuer)
	446	{
	447	X509_REVOKED rtmp, *rev;
	448	int idx;
	449	rtmp.serialNumber = serial;
	450	/* Sort revoked into serial number order if not already sorted.
	451	* Do this under a lock to avoid race condition.
	452	*/
	453	if (!sk_X509_REVOKED_is_sorted(crl->crl->revoked))
	454	{
	455	CRYPTO_w_lock(CRYPTO_LOCK_X509_CRL);
	456	sk_X509_REVOKED_sort(crl->crl->revoked);
	457	CRYPTO_w_unlock(CRYPTO_LOCK_X509_CRL);
	458	}
	459	idx = sk_X509_REVOKED_find(crl->crl->revoked, &rtmp);
	460	if(idx < 0)
	461	return 0;
	462	/* Need to look for matching name */
	463	for(;idx < sk_X509_REVOKED_num(crl->crl->revoked); idx++)
	464	{
	465	rev = sk_X509_REVOKED_value(crl->crl->revoked, idx);
	466	if (ASN1_INTEGER_cmp(rev->serialNumber, serial))
	467	return 0;
	468	if (crl_revoked_issuer_match(crl, issuer, rev))
	469	{
	470	if (ret)
	471	*ret = rev;
	472	if (rev->reason == CRL_REASON_REMOVE_FROM_CRL)
	473	return 2;
	474	return 1;
	475	}
	476	}
	477	return 0;
	478	}
	479
	480	void X509_CRL_set_default_method(const X509_CRL_METHOD *meth)
	481	{
	482	if (meth == NULL)
	483	default_crl_method = &int_crl_meth;
	484	else
	485	default_crl_method = meth;
	486	}
	487
	488	X509_CRL_METHOD *X509_CRL_METHOD_new(
	489	int (crl_init)(X509_CRL crl),
	490	int (crl_free)(X509_CRL crl),
	491	int (crl_lookup)(X509_CRL crl, X509_REVOKED **ret,
	492	ASN1_INTEGER ser, X509_NAME issuer),
	493	int (crl_verify)(X509_CRL crl, EVP_PKEY *pk))
	494	{
	495	X509_CRL_METHOD *m;
	496	m = OPENSSL_malloc(sizeof(X509_CRL_METHOD));
	497	if (!m)
	498	return NULL;
	499	m->crl_init = crl_init;
	500	m->crl_free = crl_free;
	501	m->crl_lookup = crl_lookup;
	502	m->crl_verify = crl_verify;
	503	m->flags = X509_CRL_METHOD_DYNAMIC;
	504	return m;
	505	}
	506
	507	void X509_CRL_METHOD_free(X509_CRL_METHOD *m)
	508	{
	509	if (!(m->flags & X509_CRL_METHOD_DYNAMIC))
	510	return;
	511	OPENSSL_free(m);
	512	}
	513
	514	void X509_CRL_set_meth_data(X509_CRL crl, void dat)
	515	{
	516	crl->meth_data = dat;
	517	}
	518
	519	void X509_CRL_get_meth_data(X509_CRL crl)
	520	{
	521	return crl->meth_data;
	522	}
	523
	524	IMPLEMENT_STACK_OF(X509_REVOKED)
	525	IMPLEMENT_ASN1_SET_OF(X509_REVOKED)
	526	IMPLEMENT_STACK_OF(X509_CRL)
	527	IMPLEMENT_ASN1_SET_OF(X509_CRL)