summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/x509/x509_constraints.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/libcrypto/x509/x509_constraints.c')
-rw-r--r--src/lib/libcrypto/x509/x509_constraints.c72
1 files changed, 42 insertions, 30 deletions
diff --git a/src/lib/libcrypto/x509/x509_constraints.c b/src/lib/libcrypto/x509/x509_constraints.c
index 27d87d4c11..6e88a94189 100644
--- a/src/lib/libcrypto/x509/x509_constraints.c
+++ b/src/lib/libcrypto/x509/x509_constraints.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: x509_constraints.c,v 1.23 2022/03/13 17:23:02 tb Exp $ */ 1/* $OpenBSD: x509_constraints.c,v 1.24 2022/03/14 21:15:49 tb Exp $ */
2/* 2/*
3 * Copyright (c) 2020 Bob Beck <beck@openbsd.org> 3 * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
4 * 4 *
@@ -896,21 +896,34 @@ x509_constraints_extract_names(struct x509_constraints_names *names,
896 */ 896 */
897int 897int
898x509_constraints_validate(GENERAL_NAME *constraint, 898x509_constraints_validate(GENERAL_NAME *constraint,
899 struct x509_constraints_name *name, int *error) 899 struct x509_constraints_name **out_name, int *out_error)
900{ 900{
901 uint8_t *bytes = NULL; 901 uint8_t *bytes = NULL;
902 size_t len = 0; 902 size_t len = 0;
903 struct x509_constraints_name *name;
904 int error = X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX;
903 int name_type; 905 int name_type;
904 906
907 if (out_name == NULL || *out_name != NULL)
908 return 0;
909
910 if (out_error != NULL)
911 *out_error = 0;
912
913 if ((name = x509_constraints_name_new()) == NULL) {
914 error = X509_V_ERR_OUT_OF_MEM;
915 goto err;
916 }
917
905 name_type = x509_constraints_general_to_bytes(constraint, &bytes, &len); 918 name_type = x509_constraints_general_to_bytes(constraint, &bytes, &len);
906 switch (name_type) { 919 switch (name_type) {
907 case GEN_DIRNAME: 920 case GEN_DIRNAME:
908 if (bytes == NULL || (name->der = malloc(len)) == NULL) {
909 *error = X509_V_ERR_OUT_OF_MEM;
910 return 0;
911 }
912 if (len == 0) 921 if (len == 0)
913 goto err; /* XXX The RFCs are delightfully vague */ 922 goto err; /* XXX The RFCs are delightfully vague */
923 if (bytes == NULL || (name->der = malloc(len)) == NULL) {
924 error = X509_V_ERR_OUT_OF_MEM;
925 goto err;
926 }
914 memcpy(name->der, bytes, len); 927 memcpy(name->der, bytes, len);
915 name->der_len = len; 928 name->der_len = len;
916 name->type = GEN_DIRNAME; 929 name->type = GEN_DIRNAME;
@@ -919,8 +932,8 @@ x509_constraints_validate(GENERAL_NAME *constraint,
919 if (!x509_constraints_valid_domain_constraint(bytes, len)) 932 if (!x509_constraints_valid_domain_constraint(bytes, len))
920 goto err; 933 goto err;
921 if ((name->name = strdup(bytes)) == NULL) { 934 if ((name->name = strdup(bytes)) == NULL) {
922 *error = X509_V_ERR_OUT_OF_MEM; 935 error = X509_V_ERR_OUT_OF_MEM;
923 return 0; 936 goto err;
924 } 937 }
925 name->type = GEN_DNS; 938 name->type = GEN_DNS;
926 break; 939 break;
@@ -933,8 +946,8 @@ x509_constraints_validate(GENERAL_NAME *constraint,
933 len)) 946 len))
934 goto err; 947 goto err;
935 if ((name->name = strdup(bytes)) == NULL) { 948 if ((name->name = strdup(bytes)) == NULL) {
936 *error = X509_V_ERR_OUT_OF_MEM; 949 error = X509_V_ERR_OUT_OF_MEM;
937 return 0; 950 goto err;
938 } 951 }
939 } 952 }
940 name->type = GEN_EMAIL; 953 name->type = GEN_EMAIL;
@@ -954,17 +967,24 @@ x509_constraints_validate(GENERAL_NAME *constraint,
954 if (!x509_constraints_valid_domain_constraint(bytes, len)) 967 if (!x509_constraints_valid_domain_constraint(bytes, len))
955 goto err; 968 goto err;
956 if ((name->name = strdup(bytes)) == NULL) { 969 if ((name->name = strdup(bytes)) == NULL) {
957 *error = X509_V_ERR_OUT_OF_MEM; 970 error = X509_V_ERR_OUT_OF_MEM;
958 return 0; 971 goto err;
959 } 972 }
960 name->type = GEN_URI; 973 name->type = GEN_URI;
961 break; 974 break;
962 default: 975 default:
963 break; 976 break;
964 } 977 }
978
979 *out_name = name;
980
965 return 1; 981 return 1;
982
966 err: 983 err:
967 *error = X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX; 984 x509_constraints_name_free(name);
985 if (out_error != NULL)
986 *out_error = error;
987
968 return 0; 988 return 0;
969} 989}
970 990
@@ -974,7 +994,7 @@ x509_constraints_extract_constraints(X509 *cert,
974 struct x509_constraints_names *excluded, 994 struct x509_constraints_names *excluded,
975 int *error) 995 int *error)
976{ 996{
977 struct x509_constraints_name *vname; 997 struct x509_constraints_name *vname = NULL;
978 NAME_CONSTRAINTS *nc = cert->nc; 998 NAME_CONSTRAINTS *nc = cert->nc;
979 GENERAL_SUBTREE *subtree; 999 GENERAL_SUBTREE *subtree;
980 int i; 1000 int i;
@@ -989,24 +1009,20 @@ x509_constraints_extract_constraints(X509 *cert,
989 *error = X509_V_ERR_SUBTREE_MINMAX; 1009 *error = X509_V_ERR_SUBTREE_MINMAX;
990 return 0; 1010 return 0;
991 } 1011 }
992 if ((vname = x509_constraints_name_new()) == NULL) { 1012 if (!x509_constraints_validate(subtree->base, &vname, error))
993 *error = X509_V_ERR_OUT_OF_MEM;
994 return 0;
995 }
996 if (x509_constraints_validate(subtree->base, vname, error) ==
997 0) {
998 x509_constraints_name_free(vname);
999 return 0; 1013 return 0;
1000 }
1001 if (vname->type == 0) { 1014 if (vname->type == 0) {
1002 x509_constraints_name_free(vname); 1015 x509_constraints_name_free(vname);
1016 vname = NULL;
1003 continue; 1017 continue;
1004 } 1018 }
1005 if (!x509_constraints_names_add(permitted, vname)) { 1019 if (!x509_constraints_names_add(permitted, vname)) {
1006 x509_constraints_name_free(vname); 1020 x509_constraints_name_free(vname);
1021 vname = NULL;
1007 *error = X509_V_ERR_OUT_OF_MEM; 1022 *error = X509_V_ERR_OUT_OF_MEM;
1008 return 0; 1023 return 0;
1009 } 1024 }
1025 vname = NULL;
1010 } 1026 }
1011 1027
1012 for (i = 0; i < sk_GENERAL_SUBTREE_num(nc->excludedSubtrees); i++) { 1028 for (i = 0; i < sk_GENERAL_SUBTREE_num(nc->excludedSubtrees); i++) {
@@ -1015,24 +1031,20 @@ x509_constraints_extract_constraints(X509 *cert,
1015 *error = X509_V_ERR_SUBTREE_MINMAX; 1031 *error = X509_V_ERR_SUBTREE_MINMAX;
1016 return 0; 1032 return 0;
1017 } 1033 }
1018 if ((vname = x509_constraints_name_new()) == NULL) { 1034 if (!x509_constraints_validate(subtree->base, &vname, error))
1019 *error = X509_V_ERR_OUT_OF_MEM;
1020 return 0; 1035 return 0;
1021 }
1022 if (x509_constraints_validate(subtree->base, vname, error) ==
1023 0) {
1024 x509_constraints_name_free(vname);
1025 return 0;
1026 }
1027 if (vname->type == 0) { 1036 if (vname->type == 0) {
1028 x509_constraints_name_free(vname); 1037 x509_constraints_name_free(vname);
1038 vname = NULL;
1029 continue; 1039 continue;
1030 } 1040 }
1031 if (!x509_constraints_names_add(excluded, vname)) { 1041 if (!x509_constraints_names_add(excluded, vname)) {
1032 x509_constraints_name_free(vname); 1042 x509_constraints_name_free(vname);
1043 vname = NULL;
1033 *error = X509_V_ERR_OUT_OF_MEM; 1044 *error = X509_V_ERR_OUT_OF_MEM;
1034 return 0; 1045 return 0;
1035 } 1046 }
1047 vname = NULL;
1036 } 1048 }
1037 1049
1038 return 1; 1050 return 1;
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-11-11 08:06:25 +0000