summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/x509
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--src/lib/libcrypto/x509/Makefile407
-rw-r--r--src/lib/libcrypto/x509/by_dir.c482
-rw-r--r--src/lib/libcrypto/x509/by_file.c300
-rw-r--r--src/lib/libcrypto/x509/x509.h1286
-rw-r--r--src/lib/libcrypto/x509/x509_att.c359
-rw-r--r--src/lib/libcrypto/x509/x509_cmp.c331
-rw-r--r--src/lib/libcrypto/x509/x509_d2.c107
-rw-r--r--src/lib/libcrypto/x509/x509_def.c81
-rw-r--r--src/lib/libcrypto/x509/x509_err.c164
-rw-r--r--src/lib/libcrypto/x509/x509_ext.c210
-rw-r--r--src/lib/libcrypto/x509/x509_lu.c716
-rw-r--r--src/lib/libcrypto/x509/x509_obj.c226
-rw-r--r--src/lib/libcrypto/x509/x509_r2x.c114
-rw-r--r--src/lib/libcrypto/x509/x509_req.c316
-rw-r--r--src/lib/libcrypto/x509/x509_set.c150
-rw-r--r--src/lib/libcrypto/x509/x509_trs.c288
-rw-r--r--src/lib/libcrypto/x509/x509_txt.c193
-rw-r--r--src/lib/libcrypto/x509/x509_v3.c274
-rw-r--r--src/lib/libcrypto/x509/x509_vfy.c2219
-rw-r--r--src/lib/libcrypto/x509/x509_vfy.h567
-rw-r--r--src/lib/libcrypto/x509/x509_vpm.c438
-rw-r--r--src/lib/libcrypto/x509/x509cset.c170
-rw-r--r--src/lib/libcrypto/x509/x509name.c383
-rw-r--r--src/lib/libcrypto/x509/x509rset.c83
-rw-r--r--src/lib/libcrypto/x509/x509spki.c121
-rw-r--r--src/lib/libcrypto/x509/x509type.c125
-rw-r--r--src/lib/libcrypto/x509/x_all.c516
-rw-r--r--src/lib/libcrypto/x509v3/Makefile591
-rw-r--r--src/lib/libcrypto/x509v3/ext_dat.h132
-rw-r--r--src/lib/libcrypto/x509v3/pcy_cache.c286
-rw-r--r--src/lib/libcrypto/x509v3/pcy_data.c135
-rw-r--r--src/lib/libcrypto/x509v3/pcy_int.h212
-rw-r--r--src/lib/libcrypto/x509v3/pcy_lib.c167
-rw-r--r--src/lib/libcrypto/x509v3/pcy_map.c132
-rw-r--r--src/lib/libcrypto/x509v3/pcy_node.c197
-rw-r--r--src/lib/libcrypto/x509v3/pcy_tree.c872
-rw-r--r--src/lib/libcrypto/x509v3/tabtest.c88
-rw-r--r--src/lib/libcrypto/x509v3/v3_addr.c1338
-rw-r--r--src/lib/libcrypto/x509v3/v3_akey.c208
-rw-r--r--src/lib/libcrypto/x509v3/v3_akeya.c72
-rw-r--r--src/lib/libcrypto/x509v3/v3_alt.c614
-rw-r--r--src/lib/libcrypto/x509v3/v3_asid.c843
-rw-r--r--src/lib/libcrypto/x509v3/v3_bcons.c124
-rw-r--r--src/lib/libcrypto/x509v3/v3_bitst.c141
-rw-r--r--src/lib/libcrypto/x509v3/v3_conf.c525
-rw-r--r--src/lib/libcrypto/x509v3/v3_cpols.c457
-rw-r--r--src/lib/libcrypto/x509v3/v3_crld.c616
-rw-r--r--src/lib/libcrypto/x509v3/v3_enum.c97
-rw-r--r--src/lib/libcrypto/x509v3/v3_extku.c144
-rw-r--r--src/lib/libcrypto/x509v3/v3_genn.c252
-rw-r--r--src/lib/libcrypto/x509v3/v3_ia5.c116
-rw-r--r--src/lib/libcrypto/x509v3/v3_info.c193
-rw-r--r--src/lib/libcrypto/x509v3/v3_int.c89
-rw-r--r--src/lib/libcrypto/x509v3/v3_lib.c309
-rw-r--r--src/lib/libcrypto/x509v3/v3_ncons.c505
-rw-r--r--src/lib/libcrypto/x509v3/v3_ocsp.c289
-rw-r--r--src/lib/libcrypto/x509v3/v3_pci.c328
-rw-r--r--src/lib/libcrypto/x509v3/v3_pcia.c55
-rw-r--r--src/lib/libcrypto/x509v3/v3_pcons.c140
-rw-r--r--src/lib/libcrypto/x509v3/v3_pku.c108
-rw-r--r--src/lib/libcrypto/x509v3/v3_pmaps.c155
-rw-r--r--src/lib/libcrypto/x509v3/v3_prn.c234
-rw-r--r--src/lib/libcrypto/x509v3/v3_purp.c767
-rw-r--r--src/lib/libcrypto/x509v3/v3_skey.c144
-rw-r--r--src/lib/libcrypto/x509v3/v3_sxnet.c262
-rw-r--r--src/lib/libcrypto/x509v3/v3_utl.c874
-rw-r--r--src/lib/libcrypto/x509v3/v3conf.c127
-rw-r--r--src/lib/libcrypto/x509v3/v3err.c226
-rw-r--r--src/lib/libcrypto/x509v3/v3prin.c99
-rw-r--r--src/lib/libcrypto/x509v3/x509v3.h1007
70 files changed, 0 insertions, 24896 deletions
diff --git a/src/lib/libcrypto/x509/Makefile b/src/lib/libcrypto/x509/Makefile
deleted file mode 100644
index 72c82278f4..0000000000
--- a/src/lib/libcrypto/x509/Makefile
+++ /dev/null
@@ -1,407 +0,0 @@
1#
2# OpenSSL/crypto/x509/Makefile
3#
4
5DIR= x509
6TOP= ../..
7CC= cc
8INCLUDES= -I.. -I$(TOP) -I../../include
9CFLAG=-g
10MAKEFILE= Makefile
11AR= ar r
12
13CFLAGS= $(INCLUDES) $(CFLAG)
14
15GENERAL=Makefile README
16TEST=
17APPS=
18
19LIB=$(TOP)/libcrypto.a
20LIBSRC= x509_def.c x509_d2.c x509_r2x.c x509_cmp.c \
21 x509_obj.c x509_req.c x509spki.c x509_vfy.c \
22 x509_set.c x509cset.c x509rset.c x509_err.c \
23 x509name.c x509_v3.c x509_ext.c x509_att.c \
24 x509type.c x509_lu.c x_all.c x509_txt.c \
25 x509_trs.c by_file.c by_dir.c x509_vpm.c
26LIBOBJ= x509_def.o x509_d2.o x509_r2x.o x509_cmp.o \
27 x509_obj.o x509_req.o x509spki.o x509_vfy.o \
28 x509_set.o x509cset.o x509rset.o x509_err.o \
29 x509name.o x509_v3.o x509_ext.o x509_att.o \
30 x509type.o x509_lu.o x_all.o x509_txt.o \
31 x509_trs.o by_file.o by_dir.o x509_vpm.o
32
33SRC= $(LIBSRC)
34
35EXHEADER= x509.h x509_vfy.h
36HEADER= $(EXHEADER)
37
38ALL= $(GENERAL) $(SRC) $(HEADER)
39
40top:
41 (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
42
43all: lib
44
45lib: $(LIBOBJ)
46 $(AR) $(LIB) $(LIBOBJ)
47 $(RANLIB) $(LIB) || echo Never mind.
48 @touch lib
49
50files:
51 $(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
52
53links:
54 @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
55 @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
56 @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
57
58install:
59 @[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
60 @headerlist="$(EXHEADER)"; for i in $$headerlist ; \
61 do \
62 (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
63 chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
64 done;
65
66tags:
67 ctags $(SRC)
68
69tests:
70
71lint:
72 lint -DLINT $(INCLUDES) $(SRC)>fluff
73
74depend:
75 @[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
76 $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
77
78dclean:
79 $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
80 mv -f Makefile.new $(MAKEFILE)
81
82clean:
83 rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
84
85# DO NOT DELETE THIS LINE -- make depend depends on it.
86
87by_dir.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
88by_dir.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
89by_dir.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
90by_dir.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
91by_dir.o: ../../include/openssl/err.h ../../include/openssl/evp.h
92by_dir.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
93by_dir.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
94by_dir.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
95by_dir.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
96by_dir.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
97by_dir.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
98by_dir.o: ../../include/openssl/x509_vfy.h ../cryptlib.h by_dir.c
99by_file.o: ../../e_os.h ../../include/openssl/asn1.h
100by_file.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
101by_file.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
102by_file.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
103by_file.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
104by_file.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
105by_file.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
106by_file.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
107by_file.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pem.h
108by_file.o: ../../include/openssl/pem2.h ../../include/openssl/pkcs7.h
109by_file.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
110by_file.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
111by_file.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
112by_file.o: ../cryptlib.h by_file.c
113x509_att.o: ../../e_os.h ../../include/openssl/asn1.h
114x509_att.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
115x509_att.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
116x509_att.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
117x509_att.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
118x509_att.o: ../../include/openssl/err.h ../../include/openssl/evp.h
119x509_att.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
120x509_att.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
121x509_att.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
122x509_att.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
123x509_att.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
124x509_att.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
125x509_att.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
126x509_att.o: ../cryptlib.h x509_att.c
127x509_cmp.o: ../../e_os.h ../../include/openssl/asn1.h
128x509_cmp.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
129x509_cmp.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
130x509_cmp.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
131x509_cmp.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
132x509_cmp.o: ../../include/openssl/err.h ../../include/openssl/evp.h
133x509_cmp.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
134x509_cmp.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
135x509_cmp.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
136x509_cmp.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
137x509_cmp.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
138x509_cmp.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
139x509_cmp.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
140x509_cmp.o: ../cryptlib.h x509_cmp.c
141x509_d2.o: ../../e_os.h ../../include/openssl/asn1.h
142x509_d2.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
143x509_d2.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
144x509_d2.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
145x509_d2.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
146x509_d2.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
147x509_d2.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
148x509_d2.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
149x509_d2.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
150x509_d2.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
151x509_d2.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
152x509_d2.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
153x509_d2.o: ../cryptlib.h x509_d2.c
154x509_def.o: ../../e_os.h ../../include/openssl/asn1.h
155x509_def.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
156x509_def.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
157x509_def.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
158x509_def.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
159x509_def.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
160x509_def.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
161x509_def.o: ../../include/openssl/opensslconf.h
162x509_def.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
163x509_def.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
164x509_def.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
165x509_def.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
166x509_def.o: ../../include/openssl/x509_vfy.h ../cryptlib.h x509_def.c
167x509_err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
168x509_err.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
169x509_err.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
170x509_err.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
171x509_err.o: ../../include/openssl/err.h ../../include/openssl/evp.h
172x509_err.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
173x509_err.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
174x509_err.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
175x509_err.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
176x509_err.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
177x509_err.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
178x509_err.o: ../../include/openssl/x509_vfy.h x509_err.c
179x509_ext.o: ../../e_os.h ../../include/openssl/asn1.h
180x509_ext.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
181x509_ext.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
182x509_ext.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
183x509_ext.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
184x509_ext.o: ../../include/openssl/err.h ../../include/openssl/evp.h
185x509_ext.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
186x509_ext.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
187x509_ext.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
188x509_ext.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
189x509_ext.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
190x509_ext.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
191x509_ext.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
192x509_ext.o: ../cryptlib.h x509_ext.c
193x509_lu.o: ../../e_os.h ../../include/openssl/asn1.h
194x509_lu.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
195x509_lu.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
196x509_lu.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
197x509_lu.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
198x509_lu.o: ../../include/openssl/err.h ../../include/openssl/evp.h
199x509_lu.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
200x509_lu.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
201x509_lu.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
202x509_lu.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
203x509_lu.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
204x509_lu.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
205x509_lu.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
206x509_lu.o: ../cryptlib.h x509_lu.c
207x509_obj.o: ../../e_os.h ../../include/openssl/asn1.h
208x509_obj.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
209x509_obj.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
210x509_obj.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
211x509_obj.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
212x509_obj.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
213x509_obj.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
214x509_obj.o: ../../include/openssl/opensslconf.h
215x509_obj.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
216x509_obj.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
217x509_obj.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
218x509_obj.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
219x509_obj.o: ../../include/openssl/x509_vfy.h ../cryptlib.h x509_obj.c
220x509_r2x.o: ../../e_os.h ../../include/openssl/asn1.h
221x509_r2x.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
222x509_r2x.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
223x509_r2x.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
224x509_r2x.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
225x509_r2x.o: ../../include/openssl/err.h ../../include/openssl/evp.h
226x509_r2x.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
227x509_r2x.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
228x509_r2x.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
229x509_r2x.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
230x509_r2x.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
231x509_r2x.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
232x509_r2x.o: ../../include/openssl/x509_vfy.h ../cryptlib.h x509_r2x.c
233x509_req.o: ../../e_os.h ../../include/openssl/asn1.h
234x509_req.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
235x509_req.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
236x509_req.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
237x509_req.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
238x509_req.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
239x509_req.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
240x509_req.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
241x509_req.o: ../../include/openssl/opensslconf.h
242x509_req.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
243x509_req.o: ../../include/openssl/pem.h ../../include/openssl/pem2.h
244x509_req.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
245x509_req.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
246x509_req.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
247x509_req.o: ../../include/openssl/x509_vfy.h ../cryptlib.h x509_req.c
248x509_set.o: ../../e_os.h ../../include/openssl/asn1.h
249x509_set.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
250x509_set.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
251x509_set.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
252x509_set.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
253x509_set.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
254x509_set.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
255x509_set.o: ../../include/openssl/opensslconf.h
256x509_set.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
257x509_set.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
258x509_set.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
259x509_set.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
260x509_set.o: ../../include/openssl/x509_vfy.h ../cryptlib.h x509_set.c
261x509_trs.o: ../../e_os.h ../../include/openssl/asn1.h
262x509_trs.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
263x509_trs.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
264x509_trs.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
265x509_trs.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
266x509_trs.o: ../../include/openssl/err.h ../../include/openssl/evp.h
267x509_trs.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
268x509_trs.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
269x509_trs.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
270x509_trs.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
271x509_trs.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
272x509_trs.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
273x509_trs.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
274x509_trs.o: ../cryptlib.h x509_trs.c
275x509_txt.o: ../../e_os.h ../../include/openssl/asn1.h
276x509_txt.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
277x509_txt.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
278x509_txt.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
279x509_txt.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
280x509_txt.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
281x509_txt.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
282x509_txt.o: ../../include/openssl/opensslconf.h
283x509_txt.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
284x509_txt.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
285x509_txt.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
286x509_txt.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
287x509_txt.o: ../../include/openssl/x509_vfy.h ../cryptlib.h x509_txt.c
288x509_v3.o: ../../e_os.h ../../include/openssl/asn1.h
289x509_v3.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
290x509_v3.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
291x509_v3.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
292x509_v3.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
293x509_v3.o: ../../include/openssl/err.h ../../include/openssl/evp.h
294x509_v3.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
295x509_v3.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
296x509_v3.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
297x509_v3.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
298x509_v3.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
299x509_v3.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
300x509_v3.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
301x509_v3.o: ../cryptlib.h x509_v3.c
302x509_vfy.o: ../../e_os.h ../../include/openssl/asn1.h
303x509_vfy.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
304x509_vfy.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
305x509_vfy.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
306x509_vfy.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
307x509_vfy.o: ../../include/openssl/err.h ../../include/openssl/evp.h
308x509_vfy.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
309x509_vfy.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
310x509_vfy.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
311x509_vfy.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
312x509_vfy.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
313x509_vfy.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
314x509_vfy.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
315x509_vfy.o: ../cryptlib.h x509_vfy.c
316x509_vpm.o: ../../e_os.h ../../include/openssl/asn1.h
317x509_vpm.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
318x509_vpm.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
319x509_vpm.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
320x509_vpm.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
321x509_vpm.o: ../../include/openssl/err.h ../../include/openssl/evp.h
322x509_vpm.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
323x509_vpm.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
324x509_vpm.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
325x509_vpm.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
326x509_vpm.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
327x509_vpm.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
328x509_vpm.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
329x509_vpm.o: ../cryptlib.h x509_vpm.c
330x509cset.o: ../../e_os.h ../../include/openssl/asn1.h
331x509cset.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
332x509cset.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
333x509cset.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
334x509cset.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
335x509cset.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
336x509cset.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
337x509cset.o: ../../include/openssl/opensslconf.h
338x509cset.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
339x509cset.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
340x509cset.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
341x509cset.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
342x509cset.o: ../../include/openssl/x509_vfy.h ../cryptlib.h x509cset.c
343x509name.o: ../../e_os.h ../../include/openssl/asn1.h
344x509name.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
345x509name.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
346x509name.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
347x509name.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
348x509name.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
349x509name.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
350x509name.o: ../../include/openssl/opensslconf.h
351x509name.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
352x509name.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
353x509name.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
354x509name.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
355x509name.o: ../../include/openssl/x509_vfy.h ../cryptlib.h x509name.c
356x509rset.o: ../../e_os.h ../../include/openssl/asn1.h
357x509rset.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
358x509rset.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
359x509rset.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
360x509rset.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
361x509rset.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
362x509rset.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
363x509rset.o: ../../include/openssl/opensslconf.h
364x509rset.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
365x509rset.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
366x509rset.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
367x509rset.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
368x509rset.o: ../../include/openssl/x509_vfy.h ../cryptlib.h x509rset.c
369x509spki.o: ../../e_os.h ../../include/openssl/asn1.h
370x509spki.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
371x509spki.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
372x509spki.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
373x509spki.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
374x509spki.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
375x509spki.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
376x509spki.o: ../../include/openssl/opensslconf.h
377x509spki.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
378x509spki.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
379x509spki.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
380x509spki.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
381x509spki.o: ../../include/openssl/x509_vfy.h ../cryptlib.h x509spki.c
382x509type.o: ../../e_os.h ../../include/openssl/asn1.h
383x509type.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
384x509type.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
385x509type.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
386x509type.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
387x509type.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
388x509type.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
389x509type.o: ../../include/openssl/opensslconf.h
390x509type.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
391x509type.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
392x509type.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
393x509type.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
394x509type.o: ../../include/openssl/x509_vfy.h ../cryptlib.h x509type.c
395x_all.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
396x_all.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
397x_all.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
398x_all.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
399x_all.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
400x_all.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
401x_all.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
402x_all.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
403x_all.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
404x_all.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
405x_all.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
406x_all.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
407x_all.o: ../../include/openssl/x509_vfy.h ../cryptlib.h x_all.c
diff --git a/src/lib/libcrypto/x509/by_dir.c b/src/lib/libcrypto/x509/by_dir.c
deleted file mode 100644
index 27ca5150c1..0000000000
--- a/src/lib/libcrypto/x509/by_dir.c
+++ /dev/null
@@ -1,482 +0,0 @@
1/* crypto/x509/by_dir.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include <time.h>
61#include <errno.h>
62
63#include "cryptlib.h"
64
65#ifndef NO_SYS_TYPES_H
66# include <sys/types.h>
67#endif
68#ifndef OPENSSL_NO_POSIX_IO
69# include <sys/stat.h>
70#endif
71
72#include <openssl/lhash.h>
73#include <openssl/x509.h>
74
75
76typedef struct lookup_dir_hashes_st
77 {
78 unsigned long hash;
79 int suffix;
80 } BY_DIR_HASH;
81
82typedef struct lookup_dir_entry_st
83 {
84 char *dir;
85 int dir_type;
86 STACK_OF(BY_DIR_HASH) *hashes;
87 } BY_DIR_ENTRY;
88
89typedef struct lookup_dir_st
90 {
91 BUF_MEM *buffer;
92 STACK_OF(BY_DIR_ENTRY) *dirs;
93 } BY_DIR;
94
95DECLARE_STACK_OF(BY_DIR_HASH)
96DECLARE_STACK_OF(BY_DIR_ENTRY)
97
98static int dir_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp, long argl,
99 char **ret);
100static int new_dir(X509_LOOKUP *lu);
101static void free_dir(X509_LOOKUP *lu);
102static int add_cert_dir(BY_DIR *ctx,const char *dir,int type);
103static int get_cert_by_subject(X509_LOOKUP *xl,int type,X509_NAME *name,
104 X509_OBJECT *ret);
105X509_LOOKUP_METHOD x509_dir_lookup=
106 {
107 "Load certs from files in a directory",
108 new_dir, /* new */
109 free_dir, /* free */
110 NULL, /* init */
111 NULL, /* shutdown */
112 dir_ctrl, /* ctrl */
113 get_cert_by_subject, /* get_by_subject */
114 NULL, /* get_by_issuer_serial */
115 NULL, /* get_by_fingerprint */
116 NULL, /* get_by_alias */
117 };
118
119X509_LOOKUP_METHOD *X509_LOOKUP_hash_dir(void)
120 {
121 return(&x509_dir_lookup);
122 }
123
124static int dir_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp, long argl,
125 char **retp)
126 {
127 int ret=0;
128 BY_DIR *ld;
129 char *dir = NULL;
130
131 ld=(BY_DIR *)ctx->method_data;
132
133 switch (cmd)
134 {
135 case X509_L_ADD_DIR:
136 if (argl == X509_FILETYPE_DEFAULT)
137 {
138 dir=(char *)getenv(X509_get_default_cert_dir_env());
139 if (dir)
140 ret=add_cert_dir(ld,dir,X509_FILETYPE_PEM);
141 else
142 ret=add_cert_dir(ld,X509_get_default_cert_dir(),
143 X509_FILETYPE_PEM);
144 if (!ret)
145 {
146 X509err(X509_F_DIR_CTRL,X509_R_LOADING_CERT_DIR);
147 }
148 }
149 else
150 ret=add_cert_dir(ld,argp,(int)argl);
151 break;
152 }
153 return(ret);
154 }
155
156static int new_dir(X509_LOOKUP *lu)
157 {
158 BY_DIR *a;
159
160 if ((a=(BY_DIR *)OPENSSL_malloc(sizeof(BY_DIR))) == NULL)
161 return(0);
162 if ((a->buffer=BUF_MEM_new()) == NULL)
163 {
164 OPENSSL_free(a);
165 return(0);
166 }
167 a->dirs=NULL;
168 lu->method_data=(char *)a;
169 return(1);
170 }
171
172static void by_dir_hash_free(BY_DIR_HASH *hash)
173 {
174 OPENSSL_free(hash);
175 }
176
177static int by_dir_hash_cmp(const BY_DIR_HASH * const *a,
178 const BY_DIR_HASH * const *b)
179 {
180 if ((*a)->hash > (*b)->hash)
181 return 1;
182 if ((*a)->hash < (*b)->hash)
183 return -1;
184 return 0;
185 }
186
187static void by_dir_entry_free(BY_DIR_ENTRY *ent)
188 {
189 if (ent->dir)
190 OPENSSL_free(ent->dir);
191 if (ent->hashes)
192 sk_BY_DIR_HASH_pop_free(ent->hashes, by_dir_hash_free);
193 OPENSSL_free(ent);
194 }
195
196static void free_dir(X509_LOOKUP *lu)
197 {
198 BY_DIR *a;
199
200 a=(BY_DIR *)lu->method_data;
201 if (a->dirs != NULL)
202 sk_BY_DIR_ENTRY_pop_free(a->dirs, by_dir_entry_free);
203 if (a->buffer != NULL)
204 BUF_MEM_free(a->buffer);
205 OPENSSL_free(a);
206 }
207
208static int add_cert_dir(BY_DIR *ctx, const char *dir, int type)
209 {
210 int j,len;
211 const char *s,*ss,*p;
212
213 if (dir == NULL || !*dir)
214 {
215 X509err(X509_F_ADD_CERT_DIR,X509_R_INVALID_DIRECTORY);
216 return 0;
217 }
218
219 s=dir;
220 p=s;
221 for (;;p++)
222 {
223 if ((*p == LIST_SEPARATOR_CHAR) || (*p == '\0'))
224 {
225 BY_DIR_ENTRY *ent;
226 ss=s;
227 s=p+1;
228 len=(int)(p-ss);
229 if (len == 0) continue;
230 for (j=0; j < sk_BY_DIR_ENTRY_num(ctx->dirs); j++)
231 {
232 ent = sk_BY_DIR_ENTRY_value(ctx->dirs, j);
233 if (strlen(ent->dir) == (size_t)len &&
234 strncmp(ent->dir,ss,(unsigned int)len) == 0)
235 break;
236 }
237 if (j < sk_BY_DIR_ENTRY_num(ctx->dirs))
238 continue;
239 if (ctx->dirs == NULL)
240 {
241 ctx->dirs = sk_BY_DIR_ENTRY_new_null();
242 if (!ctx->dirs)
243 {
244 X509err(X509_F_ADD_CERT_DIR,ERR_R_MALLOC_FAILURE);
245 return 0;
246 }
247 }
248 ent = OPENSSL_malloc(sizeof(BY_DIR_ENTRY));
249 if (!ent)
250 return 0;
251 ent->dir_type = type;
252 ent->hashes = sk_BY_DIR_HASH_new(by_dir_hash_cmp);
253 ent->dir = OPENSSL_malloc((unsigned int)len+1);
254 if (!ent->dir || !ent->hashes)
255 {
256 by_dir_entry_free(ent);
257 return 0;
258 }
259 strncpy(ent->dir,ss,(unsigned int)len);
260 ent->dir[len] = '\0';
261 if (!sk_BY_DIR_ENTRY_push(ctx->dirs, ent))
262 {
263 by_dir_entry_free(ent);
264 return 0;
265 }
266 }
267 if (*p == '\0')
268 break;
269 }
270 return 1;
271 }
272
273static int get_cert_by_subject(X509_LOOKUP *xl, int type, X509_NAME *name,
274 X509_OBJECT *ret)
275 {
276 BY_DIR *ctx;
277 union {
278 struct {
279 X509 st_x509;
280 X509_CINF st_x509_cinf;
281 } x509;
282 struct {
283 X509_CRL st_crl;
284 X509_CRL_INFO st_crl_info;
285 } crl;
286 } data;
287 int ok=0;
288 int i,j,k;
289 unsigned long h;
290 BUF_MEM *b=NULL;
291 X509_OBJECT stmp,*tmp;
292 const char *postfix="";
293
294 if (name == NULL) return(0);
295
296 stmp.type=type;
297 if (type == X509_LU_X509)
298 {
299 data.x509.st_x509.cert_info= &data.x509.st_x509_cinf;
300 data.x509.st_x509_cinf.subject=name;
301 stmp.data.x509= &data.x509.st_x509;
302 postfix="";
303 }
304 else if (type == X509_LU_CRL)
305 {
306 data.crl.st_crl.crl= &data.crl.st_crl_info;
307 data.crl.st_crl_info.issuer=name;
308 stmp.data.crl= &data.crl.st_crl;
309 postfix="r";
310 }
311 else
312 {
313 X509err(X509_F_GET_CERT_BY_SUBJECT,X509_R_WRONG_LOOKUP_TYPE);
314 goto finish;
315 }
316
317 if ((b=BUF_MEM_new()) == NULL)
318 {
319 X509err(X509_F_GET_CERT_BY_SUBJECT,ERR_R_BUF_LIB);
320 goto finish;
321 }
322
323 ctx=(BY_DIR *)xl->method_data;
324
325 h=X509_NAME_hash(name);
326 for (i=0; i < sk_BY_DIR_ENTRY_num(ctx->dirs); i++)
327 {
328 BY_DIR_ENTRY *ent;
329 int idx;
330 BY_DIR_HASH htmp, *hent;
331 ent = sk_BY_DIR_ENTRY_value(ctx->dirs, i);
332 j=strlen(ent->dir)+1+8+6+1+1;
333 if (!BUF_MEM_grow(b,j))
334 {
335 X509err(X509_F_GET_CERT_BY_SUBJECT,ERR_R_MALLOC_FAILURE);
336 goto finish;
337 }
338 if (type == X509_LU_CRL && ent->hashes)
339 {
340 htmp.hash = h;
341 CRYPTO_r_lock(CRYPTO_LOCK_X509_STORE);
342 idx = sk_BY_DIR_HASH_find(ent->hashes, &htmp);
343 if (idx >= 0)
344 {
345 hent = sk_BY_DIR_HASH_value(ent->hashes, idx);
346 k = hent->suffix;
347 }
348 else
349 {
350 hent = NULL;
351 k=0;
352 }
353 CRYPTO_r_unlock(CRYPTO_LOCK_X509_STORE);
354 }
355 else
356 {
357 k = 0;
358 hent = NULL;
359 }
360 for (;;)
361 {
362 char c = '/';
363#ifdef OPENSSL_SYS_VMS
364 c = ent->dir[strlen(ent->dir)-1];
365 if (c != ':' && c != '>' && c != ']')
366 {
367 /* If no separator is present, we assume the
368 directory specifier is a logical name, and
369 add a colon. We really should use better
370 VMS routines for merging things like this,
371 but this will do for now...
372 -- Richard Levitte */
373 c = ':';
374 }
375 else
376 {
377 c = '\0';
378 }
379#endif
380 if (c == '\0')
381 {
382 /* This is special. When c == '\0', no
383 directory separator should be added. */
384 BIO_snprintf(b->data,b->max,
385 "%s%08lx.%s%d",ent->dir,h,
386 postfix,k);
387 }
388 else
389 {
390 BIO_snprintf(b->data,b->max,
391 "%s%c%08lx.%s%d",ent->dir,c,h,
392 postfix,k);
393 }
394#ifndef OPENSSL_NO_POSIX_IO
395#ifdef _WIN32
396#define stat _stat
397#endif
398 {
399 struct stat st;
400 if (stat(b->data,&st) < 0)
401 break;
402 }
403#endif
404 /* found one. */
405 if (type == X509_LU_X509)
406 {
407 if ((X509_load_cert_file(xl,b->data,
408 ent->dir_type)) == 0)
409 break;
410 }
411 else if (type == X509_LU_CRL)
412 {
413 if ((X509_load_crl_file(xl,b->data,
414 ent->dir_type)) == 0)
415 break;
416 }
417 /* else case will caught higher up */
418 k++;
419 }
420
421 /* we have added it to the cache so now pull
422 * it out again */
423 CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
424 j = sk_X509_OBJECT_find(xl->store_ctx->objs,&stmp);
425 if(j != -1) tmp=sk_X509_OBJECT_value(xl->store_ctx->objs,j);
426 else tmp = NULL;
427 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
428
429
430 /* If a CRL, update the last file suffix added for this */
431
432 if (type == X509_LU_CRL)
433 {
434 CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
435 /* Look for entry again in case another thread added
436 * an entry first.
437 */
438 if (!hent)
439 {
440 htmp.hash = h;
441 idx = sk_BY_DIR_HASH_find(ent->hashes, &htmp);
442 if (idx >= 0)
443 hent =
444 sk_BY_DIR_HASH_value(ent->hashes, idx);
445 }
446 if (!hent)
447 {
448 hent = OPENSSL_malloc(sizeof(BY_DIR_HASH));
449 hent->hash = h;
450 hent->suffix = k;
451 if (!sk_BY_DIR_HASH_push(ent->hashes, hent))
452 {
453 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
454 OPENSSL_free(hent);
455 ok = 0;
456 goto finish;
457 }
458 }
459 else if (hent->suffix < k)
460 hent->suffix = k;
461
462 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
463
464 }
465
466 if (tmp != NULL)
467 {
468 ok=1;
469 ret->type=tmp->type;
470 memcpy(&ret->data,&tmp->data,sizeof(ret->data));
471 /* If we were going to up the reference count,
472 * we would need to do it on a perl 'type'
473 * basis */
474 /* CRYPTO_add(&tmp->data.x509->references,1,
475 CRYPTO_LOCK_X509);*/
476 goto finish;
477 }
478 }
479finish:
480 if (b != NULL) BUF_MEM_free(b);
481 return(ok);
482 }
diff --git a/src/lib/libcrypto/x509/by_file.c b/src/lib/libcrypto/x509/by_file.c
deleted file mode 100644
index 57b08ee094..0000000000
--- a/src/lib/libcrypto/x509/by_file.c
+++ /dev/null
@@ -1,300 +0,0 @@
1/* crypto/x509/by_file.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include <time.h>
61#include <errno.h>
62
63#include "cryptlib.h"
64#include <openssl/lhash.h>
65#include <openssl/buffer.h>
66#include <openssl/x509.h>
67#include <openssl/pem.h>
68
69#ifndef OPENSSL_NO_STDIO
70
71static int by_file_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc,
72 long argl, char **ret);
73X509_LOOKUP_METHOD x509_file_lookup=
74 {
75 "Load file into cache",
76 NULL, /* new */
77 NULL, /* free */
78 NULL, /* init */
79 NULL, /* shutdown */
80 by_file_ctrl, /* ctrl */
81 NULL, /* get_by_subject */
82 NULL, /* get_by_issuer_serial */
83 NULL, /* get_by_fingerprint */
84 NULL, /* get_by_alias */
85 };
86
87X509_LOOKUP_METHOD *X509_LOOKUP_file(void)
88 {
89 return(&x509_file_lookup);
90 }
91
92static int by_file_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp, long argl,
93 char **ret)
94 {
95 int ok=0;
96 char *file;
97
98 switch (cmd)
99 {
100 case X509_L_FILE_LOAD:
101 if (argl == X509_FILETYPE_DEFAULT)
102 {
103 file = (char *)getenv(X509_get_default_cert_file_env());
104 if (file)
105 ok = (X509_load_cert_crl_file(ctx,file,
106 X509_FILETYPE_PEM) != 0);
107
108 else
109 ok = (X509_load_cert_crl_file(ctx,X509_get_default_cert_file(),
110 X509_FILETYPE_PEM) != 0);
111
112 if (!ok)
113 {
114 X509err(X509_F_BY_FILE_CTRL,X509_R_LOADING_DEFAULTS);
115 }
116 }
117 else
118 {
119 if(argl == X509_FILETYPE_PEM)
120 ok = (X509_load_cert_crl_file(ctx,argp,
121 X509_FILETYPE_PEM) != 0);
122 else
123 ok = (X509_load_cert_file(ctx,argp,(int)argl) != 0);
124 }
125 break;
126 }
127 return(ok);
128 }
129
130int X509_load_cert_file(X509_LOOKUP *ctx, const char *file, int type)
131 {
132 int ret=0;
133 BIO *in=NULL;
134 int i,count=0;
135 X509 *x=NULL;
136
137 if (file == NULL) return(1);
138 in=BIO_new(BIO_s_file_internal());
139
140 if ((in == NULL) || (BIO_read_filename(in,file) <= 0))
141 {
142 X509err(X509_F_X509_LOAD_CERT_FILE,ERR_R_SYS_LIB);
143 goto err;
144 }
145
146 if (type == X509_FILETYPE_PEM)
147 {
148 for (;;)
149 {
150 x=PEM_read_bio_X509_AUX(in,NULL,NULL,NULL);
151 if (x == NULL)
152 {
153 if ((ERR_GET_REASON(ERR_peek_last_error()) ==
154 PEM_R_NO_START_LINE) && (count > 0))
155 {
156 ERR_clear_error();
157 break;
158 }
159 else
160 {
161 X509err(X509_F_X509_LOAD_CERT_FILE,
162 ERR_R_PEM_LIB);
163 goto err;
164 }
165 }
166 i=X509_STORE_add_cert(ctx->store_ctx,x);
167 if (!i) goto err;
168 count++;
169 X509_free(x);
170 x=NULL;
171 }
172 ret=count;
173 }
174 else if (type == X509_FILETYPE_ASN1)
175 {
176 x=d2i_X509_bio(in,NULL);
177 if (x == NULL)
178 {
179 X509err(X509_F_X509_LOAD_CERT_FILE,ERR_R_ASN1_LIB);
180 goto err;
181 }
182 i=X509_STORE_add_cert(ctx->store_ctx,x);
183 if (!i) goto err;
184 ret=i;
185 }
186 else
187 {
188 X509err(X509_F_X509_LOAD_CERT_FILE,X509_R_BAD_X509_FILETYPE);
189 goto err;
190 }
191err:
192 if (x != NULL) X509_free(x);
193 if (in != NULL) BIO_free(in);
194 return(ret);
195 }
196
197int X509_load_crl_file(X509_LOOKUP *ctx, const char *file, int type)
198 {
199 int ret=0;
200 BIO *in=NULL;
201 int i,count=0;
202 X509_CRL *x=NULL;
203
204 if (file == NULL) return(1);
205 in=BIO_new(BIO_s_file_internal());
206
207 if ((in == NULL) || (BIO_read_filename(in,file) <= 0))
208 {
209 X509err(X509_F_X509_LOAD_CRL_FILE,ERR_R_SYS_LIB);
210 goto err;
211 }
212
213 if (type == X509_FILETYPE_PEM)
214 {
215 for (;;)
216 {
217 x=PEM_read_bio_X509_CRL(in,NULL,NULL,NULL);
218 if (x == NULL)
219 {
220 if ((ERR_GET_REASON(ERR_peek_last_error()) ==
221 PEM_R_NO_START_LINE) && (count > 0))
222 {
223 ERR_clear_error();
224 break;
225 }
226 else
227 {
228 X509err(X509_F_X509_LOAD_CRL_FILE,
229 ERR_R_PEM_LIB);
230 goto err;
231 }
232 }
233 i=X509_STORE_add_crl(ctx->store_ctx,x);
234 if (!i) goto err;
235 count++;
236 X509_CRL_free(x);
237 x=NULL;
238 }
239 ret=count;
240 }
241 else if (type == X509_FILETYPE_ASN1)
242 {
243 x=d2i_X509_CRL_bio(in,NULL);
244 if (x == NULL)
245 {
246 X509err(X509_F_X509_LOAD_CRL_FILE,ERR_R_ASN1_LIB);
247 goto err;
248 }
249 i=X509_STORE_add_crl(ctx->store_ctx,x);
250 if (!i) goto err;
251 ret=i;
252 }
253 else
254 {
255 X509err(X509_F_X509_LOAD_CRL_FILE,X509_R_BAD_X509_FILETYPE);
256 goto err;
257 }
258err:
259 if (x != NULL) X509_CRL_free(x);
260 if (in != NULL) BIO_free(in);
261 return(ret);
262 }
263
264int X509_load_cert_crl_file(X509_LOOKUP *ctx, const char *file, int type)
265{
266 STACK_OF(X509_INFO) *inf;
267 X509_INFO *itmp;
268 BIO *in;
269 int i, count = 0;
270 if(type != X509_FILETYPE_PEM)
271 return X509_load_cert_file(ctx, file, type);
272 in = BIO_new_file(file, "r");
273 if(!in) {
274 X509err(X509_F_X509_LOAD_CERT_CRL_FILE,ERR_R_SYS_LIB);
275 return 0;
276 }
277 inf = PEM_X509_INFO_read_bio(in, NULL, NULL, NULL);
278 BIO_free(in);
279 if(!inf) {
280 X509err(X509_F_X509_LOAD_CERT_CRL_FILE,ERR_R_PEM_LIB);
281 return 0;
282 }
283 for(i = 0; i < sk_X509_INFO_num(inf); i++) {
284 itmp = sk_X509_INFO_value(inf, i);
285 if(itmp->x509) {
286 X509_STORE_add_cert(ctx->store_ctx, itmp->x509);
287 count++;
288 }
289 if(itmp->crl) {
290 X509_STORE_add_crl(ctx->store_ctx, itmp->crl);
291 count++;
292 }
293 }
294 sk_X509_INFO_pop_free(inf, X509_INFO_free);
295 return count;
296}
297
298
299#endif /* OPENSSL_NO_STDIO */
300
diff --git a/src/lib/libcrypto/x509/x509.h b/src/lib/libcrypto/x509/x509.h
deleted file mode 100644
index e6f8a40395..0000000000
--- a/src/lib/libcrypto/x509/x509.h
+++ /dev/null
@@ -1,1286 +0,0 @@
1/* crypto/x509/x509.h */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
60 * ECDH support in OpenSSL originally developed by
61 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
62 */
63
64#ifndef HEADER_X509_H
65#define HEADER_X509_H
66
67#include <openssl/e_os2.h>
68#include <openssl/symhacks.h>
69#ifndef OPENSSL_NO_BUFFER
70#include <openssl/buffer.h>
71#endif
72#ifndef OPENSSL_NO_EVP
73#include <openssl/evp.h>
74#endif
75#ifndef OPENSSL_NO_BIO
76#include <openssl/bio.h>
77#endif
78#include <openssl/stack.h>
79#include <openssl/asn1.h>
80#include <openssl/safestack.h>
81
82#ifndef OPENSSL_NO_EC
83#include <openssl/ec.h>
84#endif
85
86#ifndef OPENSSL_NO_ECDSA
87#include <openssl/ecdsa.h>
88#endif
89
90#ifndef OPENSSL_NO_ECDH
91#include <openssl/ecdh.h>
92#endif
93
94#ifndef OPENSSL_NO_DEPRECATED
95#ifndef OPENSSL_NO_RSA
96#include <openssl/rsa.h>
97#endif
98#ifndef OPENSSL_NO_DSA
99#include <openssl/dsa.h>
100#endif
101#ifndef OPENSSL_NO_DH
102#include <openssl/dh.h>
103#endif
104#endif
105
106#ifndef OPENSSL_NO_SHA
107#include <openssl/sha.h>
108#endif
109#include <openssl/ossl_typ.h>
110
111#ifdef __cplusplus
112extern "C" {
113#endif
114
115#ifdef OPENSSL_SYS_WIN32
116/* Under Win32 these are defined in wincrypt.h */
117#undef X509_NAME
118#undef X509_CERT_PAIR
119#undef X509_EXTENSIONS
120#endif
121
122#define X509_FILETYPE_PEM 1
123#define X509_FILETYPE_ASN1 2
124#define X509_FILETYPE_DEFAULT 3
125
126#define X509v3_KU_DIGITAL_SIGNATURE 0x0080
127#define X509v3_KU_NON_REPUDIATION 0x0040
128#define X509v3_KU_KEY_ENCIPHERMENT 0x0020
129#define X509v3_KU_DATA_ENCIPHERMENT 0x0010
130#define X509v3_KU_KEY_AGREEMENT 0x0008
131#define X509v3_KU_KEY_CERT_SIGN 0x0004
132#define X509v3_KU_CRL_SIGN 0x0002
133#define X509v3_KU_ENCIPHER_ONLY 0x0001
134#define X509v3_KU_DECIPHER_ONLY 0x8000
135#define X509v3_KU_UNDEF 0xffff
136
137typedef struct X509_objects_st
138 {
139 int nid;
140 int (*a2i)(void);
141 int (*i2a)(void);
142 } X509_OBJECTS;
143
144struct X509_algor_st
145 {
146 ASN1_OBJECT *algorithm;
147 ASN1_TYPE *parameter;
148 } /* X509_ALGOR */;
149
150DECLARE_ASN1_SET_OF(X509_ALGOR)
151
152typedef STACK_OF(X509_ALGOR) X509_ALGORS;
153
154typedef struct X509_val_st
155 {
156 ASN1_TIME *notBefore;
157 ASN1_TIME *notAfter;
158 } X509_VAL;
159
160struct X509_pubkey_st
161 {
162 X509_ALGOR *algor;
163 ASN1_BIT_STRING *public_key;
164 EVP_PKEY *pkey;
165 };
166
167typedef struct X509_sig_st
168 {
169 X509_ALGOR *algor;
170 ASN1_OCTET_STRING *digest;
171 } X509_SIG;
172
173typedef struct X509_name_entry_st
174 {
175 ASN1_OBJECT *object;
176 ASN1_STRING *value;
177 int set;
178 int size; /* temp variable */
179 } X509_NAME_ENTRY;
180
181DECLARE_STACK_OF(X509_NAME_ENTRY)
182DECLARE_ASN1_SET_OF(X509_NAME_ENTRY)
183
184/* we always keep X509_NAMEs in 2 forms. */
185struct X509_name_st
186 {
187 STACK_OF(X509_NAME_ENTRY) *entries;
188 int modified; /* true if 'bytes' needs to be built */
189#ifndef OPENSSL_NO_BUFFER
190 BUF_MEM *bytes;
191#else
192 char *bytes;
193#endif
194/* unsigned long hash; Keep the hash around for lookups */
195 unsigned char *canon_enc;
196 int canon_enclen;
197 } /* X509_NAME */;
198
199DECLARE_STACK_OF(X509_NAME)
200
201#define X509_EX_V_NETSCAPE_HACK 0x8000
202#define X509_EX_V_INIT 0x0001
203typedef struct X509_extension_st
204 {
205 ASN1_OBJECT *object;
206 ASN1_BOOLEAN critical;
207 ASN1_OCTET_STRING *value;
208 } X509_EXTENSION;
209
210typedef STACK_OF(X509_EXTENSION) X509_EXTENSIONS;
211
212DECLARE_STACK_OF(X509_EXTENSION)
213DECLARE_ASN1_SET_OF(X509_EXTENSION)
214
215/* a sequence of these are used */
216typedef struct x509_attributes_st
217 {
218 ASN1_OBJECT *object;
219 int single; /* 0 for a set, 1 for a single item (which is wrong) */
220 union {
221 char *ptr;
222/* 0 */ STACK_OF(ASN1_TYPE) *set;
223/* 1 */ ASN1_TYPE *single;
224 } value;
225 } X509_ATTRIBUTE;
226
227DECLARE_STACK_OF(X509_ATTRIBUTE)
228DECLARE_ASN1_SET_OF(X509_ATTRIBUTE)
229
230
231typedef struct X509_req_info_st
232 {
233 ASN1_ENCODING enc;
234 ASN1_INTEGER *version;
235 X509_NAME *subject;
236 X509_PUBKEY *pubkey;
237 /* d=2 hl=2 l= 0 cons: cont: 00 */
238 STACK_OF(X509_ATTRIBUTE) *attributes; /* [ 0 ] */
239 } X509_REQ_INFO;
240
241typedef struct X509_req_st
242 {
243 X509_REQ_INFO *req_info;
244 X509_ALGOR *sig_alg;
245 ASN1_BIT_STRING *signature;
246 int references;
247 } X509_REQ;
248
249typedef struct x509_cinf_st
250 {
251 ASN1_INTEGER *version; /* [ 0 ] default of v1 */
252 ASN1_INTEGER *serialNumber;
253 X509_ALGOR *signature;
254 X509_NAME *issuer;
255 X509_VAL *validity;
256 X509_NAME *subject;
257 X509_PUBKEY *key;
258 ASN1_BIT_STRING *issuerUID; /* [ 1 ] optional in v2 */
259 ASN1_BIT_STRING *subjectUID; /* [ 2 ] optional in v2 */
260 STACK_OF(X509_EXTENSION) *extensions; /* [ 3 ] optional in v3 */
261 ASN1_ENCODING enc;
262 } X509_CINF;
263
264/* This stuff is certificate "auxiliary info"
265 * it contains details which are useful in certificate
266 * stores and databases. When used this is tagged onto
267 * the end of the certificate itself
268 */
269
270typedef struct x509_cert_aux_st
271 {
272 STACK_OF(ASN1_OBJECT) *trust; /* trusted uses */
273 STACK_OF(ASN1_OBJECT) *reject; /* rejected uses */
274 ASN1_UTF8STRING *alias; /* "friendly name" */
275 ASN1_OCTET_STRING *keyid; /* key id of private key */
276 STACK_OF(X509_ALGOR) *other; /* other unspecified info */
277 } X509_CERT_AUX;
278
279struct x509_st
280 {
281 X509_CINF *cert_info;
282 X509_ALGOR *sig_alg;
283 ASN1_BIT_STRING *signature;
284 int valid;
285 int references;
286 char *name;
287 CRYPTO_EX_DATA ex_data;
288 /* These contain copies of various extension values */
289 long ex_pathlen;
290 long ex_pcpathlen;
291 unsigned long ex_flags;
292 unsigned long ex_kusage;
293 unsigned long ex_xkusage;
294 unsigned long ex_nscert;
295 ASN1_OCTET_STRING *skid;
296 AUTHORITY_KEYID *akid;
297 X509_POLICY_CACHE *policy_cache;
298 STACK_OF(DIST_POINT) *crldp;
299 STACK_OF(GENERAL_NAME) *altname;
300 NAME_CONSTRAINTS *nc;
301#ifndef OPENSSL_NO_RFC3779
302 STACK_OF(IPAddressFamily) *rfc3779_addr;
303 struct ASIdentifiers_st *rfc3779_asid;
304#endif
305#ifndef OPENSSL_NO_SHA
306 unsigned char sha1_hash[SHA_DIGEST_LENGTH];
307#endif
308 X509_CERT_AUX *aux;
309 } /* X509 */;
310
311DECLARE_STACK_OF(X509)
312DECLARE_ASN1_SET_OF(X509)
313
314/* This is used for a table of trust checking functions */
315
316typedef struct x509_trust_st {
317 int trust;
318 int flags;
319 int (*check_trust)(struct x509_trust_st *, X509 *, int);
320 char *name;
321 int arg1;
322 void *arg2;
323} X509_TRUST;
324
325DECLARE_STACK_OF(X509_TRUST)
326
327typedef struct x509_cert_pair_st {
328 X509 *forward;
329 X509 *reverse;
330} X509_CERT_PAIR;
331
332/* standard trust ids */
333
334#define X509_TRUST_DEFAULT -1 /* Only valid in purpose settings */
335
336#define X509_TRUST_COMPAT 1
337#define X509_TRUST_SSL_CLIENT 2
338#define X509_TRUST_SSL_SERVER 3
339#define X509_TRUST_EMAIL 4
340#define X509_TRUST_OBJECT_SIGN 5
341#define X509_TRUST_OCSP_SIGN 6
342#define X509_TRUST_OCSP_REQUEST 7
343#define X509_TRUST_TSA 8
344
345/* Keep these up to date! */
346#define X509_TRUST_MIN 1
347#define X509_TRUST_MAX 8
348
349
350/* trust_flags values */
351#define X509_TRUST_DYNAMIC 1
352#define X509_TRUST_DYNAMIC_NAME 2
353
354/* check_trust return codes */
355
356#define X509_TRUST_TRUSTED 1
357#define X509_TRUST_REJECTED 2
358#define X509_TRUST_UNTRUSTED 3
359
360/* Flags for X509_print_ex() */
361
362#define X509_FLAG_COMPAT 0
363#define X509_FLAG_NO_HEADER 1L
364#define X509_FLAG_NO_VERSION (1L << 1)
365#define X509_FLAG_NO_SERIAL (1L << 2)
366#define X509_FLAG_NO_SIGNAME (1L << 3)
367#define X509_FLAG_NO_ISSUER (1L << 4)
368#define X509_FLAG_NO_VALIDITY (1L << 5)
369#define X509_FLAG_NO_SUBJECT (1L << 6)
370#define X509_FLAG_NO_PUBKEY (1L << 7)
371#define X509_FLAG_NO_EXTENSIONS (1L << 8)
372#define X509_FLAG_NO_SIGDUMP (1L << 9)
373#define X509_FLAG_NO_AUX (1L << 10)
374#define X509_FLAG_NO_ATTRIBUTES (1L << 11)
375
376/* Flags specific to X509_NAME_print_ex() */
377
378/* The field separator information */
379
380#define XN_FLAG_SEP_MASK (0xf << 16)
381
382#define XN_FLAG_COMPAT 0 /* Traditional SSLeay: use old X509_NAME_print */
383#define XN_FLAG_SEP_COMMA_PLUS (1 << 16) /* RFC2253 ,+ */
384#define XN_FLAG_SEP_CPLUS_SPC (2 << 16) /* ,+ spaced: more readable */
385#define XN_FLAG_SEP_SPLUS_SPC (3 << 16) /* ;+ spaced */
386#define XN_FLAG_SEP_MULTILINE (4 << 16) /* One line per field */
387
388#define XN_FLAG_DN_REV (1 << 20) /* Reverse DN order */
389
390/* How the field name is shown */
391
392#define XN_FLAG_FN_MASK (0x3 << 21)
393
394#define XN_FLAG_FN_SN 0 /* Object short name */
395#define XN_FLAG_FN_LN (1 << 21) /* Object long name */
396#define XN_FLAG_FN_OID (2 << 21) /* Always use OIDs */
397#define XN_FLAG_FN_NONE (3 << 21) /* No field names */
398
399#define XN_FLAG_SPC_EQ (1 << 23) /* Put spaces round '=' */
400
401/* This determines if we dump fields we don't recognise:
402 * RFC2253 requires this.
403 */
404
405#define XN_FLAG_DUMP_UNKNOWN_FIELDS (1 << 24)
406
407#define XN_FLAG_FN_ALIGN (1 << 25) /* Align field names to 20 characters */
408
409/* Complete set of RFC2253 flags */
410
411#define XN_FLAG_RFC2253 (ASN1_STRFLGS_RFC2253 | \
412 XN_FLAG_SEP_COMMA_PLUS | \
413 XN_FLAG_DN_REV | \
414 XN_FLAG_FN_SN | \
415 XN_FLAG_DUMP_UNKNOWN_FIELDS)
416
417/* readable oneline form */
418
419#define XN_FLAG_ONELINE (ASN1_STRFLGS_RFC2253 | \
420 ASN1_STRFLGS_ESC_QUOTE | \
421 XN_FLAG_SEP_CPLUS_SPC | \
422 XN_FLAG_SPC_EQ | \
423 XN_FLAG_FN_SN)
424
425/* readable multiline form */
426
427#define XN_FLAG_MULTILINE (ASN1_STRFLGS_ESC_CTRL | \
428 ASN1_STRFLGS_ESC_MSB | \
429 XN_FLAG_SEP_MULTILINE | \
430 XN_FLAG_SPC_EQ | \
431 XN_FLAG_FN_LN | \
432 XN_FLAG_FN_ALIGN)
433
434struct x509_revoked_st
435 {
436 ASN1_INTEGER *serialNumber;
437 ASN1_TIME *revocationDate;
438 STACK_OF(X509_EXTENSION) /* optional */ *extensions;
439 /* Set up if indirect CRL */
440 STACK_OF(GENERAL_NAME) *issuer;
441 /* Revocation reason */
442 int reason;
443 int sequence; /* load sequence */
444 };
445
446DECLARE_STACK_OF(X509_REVOKED)
447DECLARE_ASN1_SET_OF(X509_REVOKED)
448
449typedef struct X509_crl_info_st
450 {
451 ASN1_INTEGER *version;
452 X509_ALGOR *sig_alg;
453 X509_NAME *issuer;
454 ASN1_TIME *lastUpdate;
455 ASN1_TIME *nextUpdate;
456 STACK_OF(X509_REVOKED) *revoked;
457 STACK_OF(X509_EXTENSION) /* [0] */ *extensions;
458 ASN1_ENCODING enc;
459 } X509_CRL_INFO;
460
461struct X509_crl_st
462 {
463 /* actual signature */
464 X509_CRL_INFO *crl;
465 X509_ALGOR *sig_alg;
466 ASN1_BIT_STRING *signature;
467 int references;
468 int flags;
469 /* Copies of various extensions */
470 AUTHORITY_KEYID *akid;
471 ISSUING_DIST_POINT *idp;
472 /* Convenient breakdown of IDP */
473 int idp_flags;
474 int idp_reasons;
475 /* CRL and base CRL numbers for delta processing */
476 ASN1_INTEGER *crl_number;
477 ASN1_INTEGER *base_crl_number;
478#ifndef OPENSSL_NO_SHA
479 unsigned char sha1_hash[SHA_DIGEST_LENGTH];
480#endif
481 STACK_OF(GENERAL_NAMES) *issuers;
482 const X509_CRL_METHOD *meth;
483 void *meth_data;
484 } /* X509_CRL */;
485
486DECLARE_STACK_OF(X509_CRL)
487DECLARE_ASN1_SET_OF(X509_CRL)
488
489typedef struct private_key_st
490 {
491 int version;
492 /* The PKCS#8 data types */
493 X509_ALGOR *enc_algor;
494 ASN1_OCTET_STRING *enc_pkey; /* encrypted pub key */
495
496 /* When decrypted, the following will not be NULL */
497 EVP_PKEY *dec_pkey;
498
499 /* used to encrypt and decrypt */
500 int key_length;
501 char *key_data;
502 int key_free; /* true if we should auto free key_data */
503
504 /* expanded version of 'enc_algor' */
505 EVP_CIPHER_INFO cipher;
506
507 int references;
508 } X509_PKEY;
509
510#ifndef OPENSSL_NO_EVP
511typedef struct X509_info_st
512 {
513 X509 *x509;
514 X509_CRL *crl;
515 X509_PKEY *x_pkey;
516
517 EVP_CIPHER_INFO enc_cipher;
518 int enc_len;
519 char *enc_data;
520
521 int references;
522 } X509_INFO;
523
524DECLARE_STACK_OF(X509_INFO)
525#endif
526
527/* The next 2 structures and their 8 routines were sent to me by
528 * Pat Richard <patr@x509.com> and are used to manipulate
529 * Netscapes spki structures - useful if you are writing a CA web page
530 */
531typedef struct Netscape_spkac_st
532 {
533 X509_PUBKEY *pubkey;
534 ASN1_IA5STRING *challenge; /* challenge sent in atlas >= PR2 */
535 } NETSCAPE_SPKAC;
536
537typedef struct Netscape_spki_st
538 {
539 NETSCAPE_SPKAC *spkac; /* signed public key and challenge */
540 X509_ALGOR *sig_algor;
541 ASN1_BIT_STRING *signature;
542 } NETSCAPE_SPKI;
543
544/* Netscape certificate sequence structure */
545typedef struct Netscape_certificate_sequence
546 {
547 ASN1_OBJECT *type;
548 STACK_OF(X509) *certs;
549 } NETSCAPE_CERT_SEQUENCE;
550
551/* Unused (and iv length is wrong)
552typedef struct CBCParameter_st
553 {
554 unsigned char iv[8];
555 } CBC_PARAM;
556*/
557
558/* Password based encryption structure */
559
560typedef struct PBEPARAM_st {
561ASN1_OCTET_STRING *salt;
562ASN1_INTEGER *iter;
563} PBEPARAM;
564
565/* Password based encryption V2 structures */
566
567typedef struct PBE2PARAM_st {
568X509_ALGOR *keyfunc;
569X509_ALGOR *encryption;
570} PBE2PARAM;
571
572typedef struct PBKDF2PARAM_st {
573ASN1_TYPE *salt; /* Usually OCTET STRING but could be anything */
574ASN1_INTEGER *iter;
575ASN1_INTEGER *keylength;
576X509_ALGOR *prf;
577} PBKDF2PARAM;
578
579
580/* PKCS#8 private key info structure */
581
582struct pkcs8_priv_key_info_st
583 {
584 int broken; /* Flag for various broken formats */
585#define PKCS8_OK 0
586#define PKCS8_NO_OCTET 1
587#define PKCS8_EMBEDDED_PARAM 2
588#define PKCS8_NS_DB 3
589#define PKCS8_NEG_PRIVKEY 4
590 ASN1_INTEGER *version;
591 X509_ALGOR *pkeyalg;
592 ASN1_TYPE *pkey; /* Should be OCTET STRING but some are broken */
593 STACK_OF(X509_ATTRIBUTE) *attributes;
594 };
595
596#ifdef __cplusplus
597}
598#endif
599
600#include <openssl/x509_vfy.h>
601#include <openssl/pkcs7.h>
602
603#ifdef __cplusplus
604extern "C" {
605#endif
606
607#define X509_EXT_PACK_UNKNOWN 1
608#define X509_EXT_PACK_STRING 2
609
610#define X509_get_version(x) ASN1_INTEGER_get((x)->cert_info->version)
611/* #define X509_get_serialNumber(x) ((x)->cert_info->serialNumber) */
612#define X509_get_notBefore(x) ((x)->cert_info->validity->notBefore)
613#define X509_get_notAfter(x) ((x)->cert_info->validity->notAfter)
614#define X509_extract_key(x) X509_get_pubkey(x) /*****/
615#define X509_REQ_get_version(x) ASN1_INTEGER_get((x)->req_info->version)
616#define X509_REQ_get_subject_name(x) ((x)->req_info->subject)
617#define X509_REQ_extract_key(a) X509_REQ_get_pubkey(a)
618#define X509_name_cmp(a,b) X509_NAME_cmp((a),(b))
619#define X509_get_signature_type(x) EVP_PKEY_type(OBJ_obj2nid((x)->sig_alg->algorithm))
620
621#define X509_CRL_get_version(x) ASN1_INTEGER_get((x)->crl->version)
622#define X509_CRL_get_lastUpdate(x) ((x)->crl->lastUpdate)
623#define X509_CRL_get_nextUpdate(x) ((x)->crl->nextUpdate)
624#define X509_CRL_get_issuer(x) ((x)->crl->issuer)
625#define X509_CRL_get_REVOKED(x) ((x)->crl->revoked)
626
627void X509_CRL_set_default_method(const X509_CRL_METHOD *meth);
628X509_CRL_METHOD *X509_CRL_METHOD_new(
629 int (*crl_init)(X509_CRL *crl),
630 int (*crl_free)(X509_CRL *crl),
631 int (*crl_lookup)(X509_CRL *crl, X509_REVOKED **ret,
632 ASN1_INTEGER *ser, X509_NAME *issuer),
633 int (*crl_verify)(X509_CRL *crl, EVP_PKEY *pk));
634void X509_CRL_METHOD_free(X509_CRL_METHOD *m);
635
636void X509_CRL_set_meth_data(X509_CRL *crl, void *dat);
637void *X509_CRL_get_meth_data(X509_CRL *crl);
638
639/* This one is only used so that a binary form can output, as in
640 * i2d_X509_NAME(X509_get_X509_PUBKEY(x),&buf) */
641#define X509_get_X509_PUBKEY(x) ((x)->cert_info->key)
642
643
644const char *X509_verify_cert_error_string(long n);
645
646#ifndef OPENSSL_NO_EVP
647int X509_verify(X509 *a, EVP_PKEY *r);
648
649int X509_REQ_verify(X509_REQ *a, EVP_PKEY *r);
650int X509_CRL_verify(X509_CRL *a, EVP_PKEY *r);
651int NETSCAPE_SPKI_verify(NETSCAPE_SPKI *a, EVP_PKEY *r);
652
653NETSCAPE_SPKI * NETSCAPE_SPKI_b64_decode(const char *str, int len);
654char * NETSCAPE_SPKI_b64_encode(NETSCAPE_SPKI *x);
655EVP_PKEY *NETSCAPE_SPKI_get_pubkey(NETSCAPE_SPKI *x);
656int NETSCAPE_SPKI_set_pubkey(NETSCAPE_SPKI *x, EVP_PKEY *pkey);
657
658int NETSCAPE_SPKI_print(BIO *out, NETSCAPE_SPKI *spki);
659
660int X509_signature_print(BIO *bp,X509_ALGOR *alg, ASN1_STRING *sig);
661
662int X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md);
663int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md);
664int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md);
665int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *x, EVP_PKEY *pkey, const EVP_MD *md);
666
667int X509_pubkey_digest(const X509 *data,const EVP_MD *type,
668 unsigned char *md, unsigned int *len);
669int X509_digest(const X509 *data,const EVP_MD *type,
670 unsigned char *md, unsigned int *len);
671int X509_CRL_digest(const X509_CRL *data,const EVP_MD *type,
672 unsigned char *md, unsigned int *len);
673int X509_REQ_digest(const X509_REQ *data,const EVP_MD *type,
674 unsigned char *md, unsigned int *len);
675int X509_NAME_digest(const X509_NAME *data,const EVP_MD *type,
676 unsigned char *md, unsigned int *len);
677#endif
678
679#ifndef OPENSSL_NO_FP_API
680X509 *d2i_X509_fp(FILE *fp, X509 **x509);
681int i2d_X509_fp(FILE *fp,X509 *x509);
682X509_CRL *d2i_X509_CRL_fp(FILE *fp,X509_CRL **crl);
683int i2d_X509_CRL_fp(FILE *fp,X509_CRL *crl);
684X509_REQ *d2i_X509_REQ_fp(FILE *fp,X509_REQ **req);
685int i2d_X509_REQ_fp(FILE *fp,X509_REQ *req);
686#ifndef OPENSSL_NO_RSA
687RSA *d2i_RSAPrivateKey_fp(FILE *fp,RSA **rsa);
688int i2d_RSAPrivateKey_fp(FILE *fp,RSA *rsa);
689RSA *d2i_RSAPublicKey_fp(FILE *fp,RSA **rsa);
690int i2d_RSAPublicKey_fp(FILE *fp,RSA *rsa);
691RSA *d2i_RSA_PUBKEY_fp(FILE *fp,RSA **rsa);
692int i2d_RSA_PUBKEY_fp(FILE *fp,RSA *rsa);
693#endif
694#ifndef OPENSSL_NO_DSA
695DSA *d2i_DSA_PUBKEY_fp(FILE *fp, DSA **dsa);
696int i2d_DSA_PUBKEY_fp(FILE *fp, DSA *dsa);
697DSA *d2i_DSAPrivateKey_fp(FILE *fp, DSA **dsa);
698int i2d_DSAPrivateKey_fp(FILE *fp, DSA *dsa);
699#endif
700#ifndef OPENSSL_NO_EC
701EC_KEY *d2i_EC_PUBKEY_fp(FILE *fp, EC_KEY **eckey);
702int i2d_EC_PUBKEY_fp(FILE *fp, EC_KEY *eckey);
703EC_KEY *d2i_ECPrivateKey_fp(FILE *fp, EC_KEY **eckey);
704int i2d_ECPrivateKey_fp(FILE *fp, EC_KEY *eckey);
705#endif
706X509_SIG *d2i_PKCS8_fp(FILE *fp,X509_SIG **p8);
707int i2d_PKCS8_fp(FILE *fp,X509_SIG *p8);
708PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_fp(FILE *fp,
709 PKCS8_PRIV_KEY_INFO **p8inf);
710int i2d_PKCS8_PRIV_KEY_INFO_fp(FILE *fp,PKCS8_PRIV_KEY_INFO *p8inf);
711int i2d_PKCS8PrivateKeyInfo_fp(FILE *fp, EVP_PKEY *key);
712int i2d_PrivateKey_fp(FILE *fp, EVP_PKEY *pkey);
713EVP_PKEY *d2i_PrivateKey_fp(FILE *fp, EVP_PKEY **a);
714int i2d_PUBKEY_fp(FILE *fp, EVP_PKEY *pkey);
715EVP_PKEY *d2i_PUBKEY_fp(FILE *fp, EVP_PKEY **a);
716#endif
717
718#ifndef OPENSSL_NO_BIO
719X509 *d2i_X509_bio(BIO *bp,X509 **x509);
720int i2d_X509_bio(BIO *bp,X509 *x509);
721X509_CRL *d2i_X509_CRL_bio(BIO *bp,X509_CRL **crl);
722int i2d_X509_CRL_bio(BIO *bp,X509_CRL *crl);
723X509_REQ *d2i_X509_REQ_bio(BIO *bp,X509_REQ **req);
724int i2d_X509_REQ_bio(BIO *bp,X509_REQ *req);
725#ifndef OPENSSL_NO_RSA
726RSA *d2i_RSAPrivateKey_bio(BIO *bp,RSA **rsa);
727int i2d_RSAPrivateKey_bio(BIO *bp,RSA *rsa);
728RSA *d2i_RSAPublicKey_bio(BIO *bp,RSA **rsa);
729int i2d_RSAPublicKey_bio(BIO *bp,RSA *rsa);
730RSA *d2i_RSA_PUBKEY_bio(BIO *bp,RSA **rsa);
731int i2d_RSA_PUBKEY_bio(BIO *bp,RSA *rsa);
732#endif
733#ifndef OPENSSL_NO_DSA
734DSA *d2i_DSA_PUBKEY_bio(BIO *bp, DSA **dsa);
735int i2d_DSA_PUBKEY_bio(BIO *bp, DSA *dsa);
736DSA *d2i_DSAPrivateKey_bio(BIO *bp, DSA **dsa);
737int i2d_DSAPrivateKey_bio(BIO *bp, DSA *dsa);
738#endif
739#ifndef OPENSSL_NO_EC
740EC_KEY *d2i_EC_PUBKEY_bio(BIO *bp, EC_KEY **eckey);
741int i2d_EC_PUBKEY_bio(BIO *bp, EC_KEY *eckey);
742EC_KEY *d2i_ECPrivateKey_bio(BIO *bp, EC_KEY **eckey);
743int i2d_ECPrivateKey_bio(BIO *bp, EC_KEY *eckey);
744#endif
745X509_SIG *d2i_PKCS8_bio(BIO *bp,X509_SIG **p8);
746int i2d_PKCS8_bio(BIO *bp,X509_SIG *p8);
747PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_bio(BIO *bp,
748 PKCS8_PRIV_KEY_INFO **p8inf);
749int i2d_PKCS8_PRIV_KEY_INFO_bio(BIO *bp,PKCS8_PRIV_KEY_INFO *p8inf);
750int i2d_PKCS8PrivateKeyInfo_bio(BIO *bp, EVP_PKEY *key);
751int i2d_PrivateKey_bio(BIO *bp, EVP_PKEY *pkey);
752EVP_PKEY *d2i_PrivateKey_bio(BIO *bp, EVP_PKEY **a);
753int i2d_PUBKEY_bio(BIO *bp, EVP_PKEY *pkey);
754EVP_PKEY *d2i_PUBKEY_bio(BIO *bp, EVP_PKEY **a);
755#endif
756
757X509 *X509_dup(X509 *x509);
758X509_ATTRIBUTE *X509_ATTRIBUTE_dup(X509_ATTRIBUTE *xa);
759X509_EXTENSION *X509_EXTENSION_dup(X509_EXTENSION *ex);
760X509_CRL *X509_CRL_dup(X509_CRL *crl);
761X509_REQ *X509_REQ_dup(X509_REQ *req);
762X509_ALGOR *X509_ALGOR_dup(X509_ALGOR *xn);
763int X509_ALGOR_set0(X509_ALGOR *alg, ASN1_OBJECT *aobj, int ptype, void *pval);
764void X509_ALGOR_get0(ASN1_OBJECT **paobj, int *pptype, void **ppval,
765 X509_ALGOR *algor);
766
767X509_NAME *X509_NAME_dup(X509_NAME *xn);
768X509_NAME_ENTRY *X509_NAME_ENTRY_dup(X509_NAME_ENTRY *ne);
769
770int X509_cmp_time(const ASN1_TIME *s, time_t *t);
771int X509_cmp_current_time(const ASN1_TIME *s);
772ASN1_TIME * X509_time_adj(ASN1_TIME *s, long adj, time_t *t);
773ASN1_TIME * X509_time_adj_ex(ASN1_TIME *s,
774 int offset_day, long offset_sec, time_t *t);
775ASN1_TIME * X509_gmtime_adj(ASN1_TIME *s, long adj);
776
777const char * X509_get_default_cert_area(void );
778const char * X509_get_default_cert_dir(void );
779const char * X509_get_default_cert_file(void );
780const char * X509_get_default_cert_dir_env(void );
781const char * X509_get_default_cert_file_env(void );
782const char * X509_get_default_private_dir(void );
783
784X509_REQ * X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, const EVP_MD *md);
785X509 * X509_REQ_to_X509(X509_REQ *r, int days,EVP_PKEY *pkey);
786
787DECLARE_ASN1_FUNCTIONS(X509_ALGOR)
788DECLARE_ASN1_ENCODE_FUNCTIONS(X509_ALGORS, X509_ALGORS, X509_ALGORS)
789DECLARE_ASN1_FUNCTIONS(X509_VAL)
790
791DECLARE_ASN1_FUNCTIONS(X509_PUBKEY)
792
793int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey);
794EVP_PKEY * X509_PUBKEY_get(X509_PUBKEY *key);
795int X509_get_pubkey_parameters(EVP_PKEY *pkey,
796 STACK_OF(X509) *chain);
797int i2d_PUBKEY(EVP_PKEY *a,unsigned char **pp);
798EVP_PKEY * d2i_PUBKEY(EVP_PKEY **a,const unsigned char **pp,
799 long length);
800#ifndef OPENSSL_NO_RSA
801int i2d_RSA_PUBKEY(RSA *a,unsigned char **pp);
802RSA * d2i_RSA_PUBKEY(RSA **a,const unsigned char **pp,
803 long length);
804#endif
805#ifndef OPENSSL_NO_DSA
806int i2d_DSA_PUBKEY(DSA *a,unsigned char **pp);
807DSA * d2i_DSA_PUBKEY(DSA **a,const unsigned char **pp,
808 long length);
809#endif
810#ifndef OPENSSL_NO_EC
811int i2d_EC_PUBKEY(EC_KEY *a, unsigned char **pp);
812EC_KEY *d2i_EC_PUBKEY(EC_KEY **a, const unsigned char **pp,
813 long length);
814#endif
815
816DECLARE_ASN1_FUNCTIONS(X509_SIG)
817DECLARE_ASN1_FUNCTIONS(X509_REQ_INFO)
818DECLARE_ASN1_FUNCTIONS(X509_REQ)
819
820DECLARE_ASN1_FUNCTIONS(X509_ATTRIBUTE)
821X509_ATTRIBUTE *X509_ATTRIBUTE_create(int nid, int atrtype, void *value);
822
823DECLARE_ASN1_FUNCTIONS(X509_EXTENSION)
824DECLARE_ASN1_ENCODE_FUNCTIONS(X509_EXTENSIONS, X509_EXTENSIONS, X509_EXTENSIONS)
825
826DECLARE_ASN1_FUNCTIONS(X509_NAME_ENTRY)
827
828DECLARE_ASN1_FUNCTIONS(X509_NAME)
829
830int X509_NAME_set(X509_NAME **xn, X509_NAME *name);
831
832DECLARE_ASN1_FUNCTIONS(X509_CINF)
833
834DECLARE_ASN1_FUNCTIONS(X509)
835DECLARE_ASN1_FUNCTIONS(X509_CERT_AUX)
836
837DECLARE_ASN1_FUNCTIONS(X509_CERT_PAIR)
838
839int X509_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
840 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
841int X509_set_ex_data(X509 *r, int idx, void *arg);
842void *X509_get_ex_data(X509 *r, int idx);
843int i2d_X509_AUX(X509 *a,unsigned char **pp);
844X509 * d2i_X509_AUX(X509 **a,const unsigned char **pp,long length);
845
846int X509_alias_set1(X509 *x, unsigned char *name, int len);
847int X509_keyid_set1(X509 *x, unsigned char *id, int len);
848unsigned char * X509_alias_get0(X509 *x, int *len);
849unsigned char * X509_keyid_get0(X509 *x, int *len);
850int (*X509_TRUST_set_default(int (*trust)(int , X509 *, int)))(int, X509 *, int);
851int X509_TRUST_set(int *t, int trust);
852int X509_add1_trust_object(X509 *x, ASN1_OBJECT *obj);
853int X509_add1_reject_object(X509 *x, ASN1_OBJECT *obj);
854void X509_trust_clear(X509 *x);
855void X509_reject_clear(X509 *x);
856
857DECLARE_ASN1_FUNCTIONS(X509_REVOKED)
858DECLARE_ASN1_FUNCTIONS(X509_CRL_INFO)
859DECLARE_ASN1_FUNCTIONS(X509_CRL)
860
861int X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev);
862int X509_CRL_get0_by_serial(X509_CRL *crl,
863 X509_REVOKED **ret, ASN1_INTEGER *serial);
864int X509_CRL_get0_by_cert(X509_CRL *crl, X509_REVOKED **ret, X509 *x);
865
866X509_PKEY * X509_PKEY_new(void );
867void X509_PKEY_free(X509_PKEY *a);
868int i2d_X509_PKEY(X509_PKEY *a,unsigned char **pp);
869X509_PKEY * d2i_X509_PKEY(X509_PKEY **a,const unsigned char **pp,long length);
870
871DECLARE_ASN1_FUNCTIONS(NETSCAPE_SPKI)
872DECLARE_ASN1_FUNCTIONS(NETSCAPE_SPKAC)
873DECLARE_ASN1_FUNCTIONS(NETSCAPE_CERT_SEQUENCE)
874
875#ifndef OPENSSL_NO_EVP
876X509_INFO * X509_INFO_new(void);
877void X509_INFO_free(X509_INFO *a);
878char * X509_NAME_oneline(X509_NAME *a,char *buf,int size);
879
880int ASN1_verify(i2d_of_void *i2d, X509_ALGOR *algor1,
881 ASN1_BIT_STRING *signature,char *data,EVP_PKEY *pkey);
882
883int ASN1_digest(i2d_of_void *i2d,const EVP_MD *type,char *data,
884 unsigned char *md,unsigned int *len);
885
886int ASN1_sign(i2d_of_void *i2d, X509_ALGOR *algor1,
887 X509_ALGOR *algor2, ASN1_BIT_STRING *signature,
888 char *data,EVP_PKEY *pkey, const EVP_MD *type);
889
890int ASN1_item_digest(const ASN1_ITEM *it,const EVP_MD *type,void *data,
891 unsigned char *md,unsigned int *len);
892
893int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *algor1,
894 ASN1_BIT_STRING *signature,void *data,EVP_PKEY *pkey);
895
896int ASN1_item_sign(const ASN1_ITEM *it, X509_ALGOR *algor1, X509_ALGOR *algor2,
897 ASN1_BIT_STRING *signature,
898 void *data, EVP_PKEY *pkey, const EVP_MD *type);
899#endif
900
901int X509_set_version(X509 *x,long version);
902int X509_set_serialNumber(X509 *x, ASN1_INTEGER *serial);
903ASN1_INTEGER * X509_get_serialNumber(X509 *x);
904int X509_set_issuer_name(X509 *x, X509_NAME *name);
905X509_NAME * X509_get_issuer_name(X509 *a);
906int X509_set_subject_name(X509 *x, X509_NAME *name);
907X509_NAME * X509_get_subject_name(X509 *a);
908int X509_set_notBefore(X509 *x, const ASN1_TIME *tm);
909int X509_set_notAfter(X509 *x, const ASN1_TIME *tm);
910int X509_set_pubkey(X509 *x, EVP_PKEY *pkey);
911EVP_PKEY * X509_get_pubkey(X509 *x);
912ASN1_BIT_STRING * X509_get0_pubkey_bitstr(const X509 *x);
913int X509_certificate_type(X509 *x,EVP_PKEY *pubkey /* optional */);
914
915int X509_REQ_set_version(X509_REQ *x,long version);
916int X509_REQ_set_subject_name(X509_REQ *req,X509_NAME *name);
917int X509_REQ_set_pubkey(X509_REQ *x, EVP_PKEY *pkey);
918EVP_PKEY * X509_REQ_get_pubkey(X509_REQ *req);
919int X509_REQ_extension_nid(int nid);
920int * X509_REQ_get_extension_nids(void);
921void X509_REQ_set_extension_nids(int *nids);
922STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req);
923int X509_REQ_add_extensions_nid(X509_REQ *req, STACK_OF(X509_EXTENSION) *exts,
924 int nid);
925int X509_REQ_add_extensions(X509_REQ *req, STACK_OF(X509_EXTENSION) *exts);
926int X509_REQ_get_attr_count(const X509_REQ *req);
927int X509_REQ_get_attr_by_NID(const X509_REQ *req, int nid,
928 int lastpos);
929int X509_REQ_get_attr_by_OBJ(const X509_REQ *req, ASN1_OBJECT *obj,
930 int lastpos);
931X509_ATTRIBUTE *X509_REQ_get_attr(const X509_REQ *req, int loc);
932X509_ATTRIBUTE *X509_REQ_delete_attr(X509_REQ *req, int loc);
933int X509_REQ_add1_attr(X509_REQ *req, X509_ATTRIBUTE *attr);
934int X509_REQ_add1_attr_by_OBJ(X509_REQ *req,
935 const ASN1_OBJECT *obj, int type,
936 const unsigned char *bytes, int len);
937int X509_REQ_add1_attr_by_NID(X509_REQ *req,
938 int nid, int type,
939 const unsigned char *bytes, int len);
940int X509_REQ_add1_attr_by_txt(X509_REQ *req,
941 const char *attrname, int type,
942 const unsigned char *bytes, int len);
943
944int X509_CRL_set_version(X509_CRL *x, long version);
945int X509_CRL_set_issuer_name(X509_CRL *x, X509_NAME *name);
946int X509_CRL_set_lastUpdate(X509_CRL *x, const ASN1_TIME *tm);
947int X509_CRL_set_nextUpdate(X509_CRL *x, const ASN1_TIME *tm);
948int X509_CRL_sort(X509_CRL *crl);
949
950int X509_REVOKED_set_serialNumber(X509_REVOKED *x, ASN1_INTEGER *serial);
951int X509_REVOKED_set_revocationDate(X509_REVOKED *r, ASN1_TIME *tm);
952
953int X509_REQ_check_private_key(X509_REQ *x509,EVP_PKEY *pkey);
954
955int X509_check_private_key(X509 *x509,EVP_PKEY *pkey);
956
957int X509_issuer_and_serial_cmp(const X509 *a, const X509 *b);
958unsigned long X509_issuer_and_serial_hash(X509 *a);
959
960int X509_issuer_name_cmp(const X509 *a, const X509 *b);
961unsigned long X509_issuer_name_hash(X509 *a);
962
963int X509_subject_name_cmp(const X509 *a, const X509 *b);
964unsigned long X509_subject_name_hash(X509 *x);
965
966#ifndef OPENSSL_NO_MD5
967unsigned long X509_issuer_name_hash_old(X509 *a);
968unsigned long X509_subject_name_hash_old(X509 *x);
969#endif
970
971int X509_cmp(const X509 *a, const X509 *b);
972int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b);
973unsigned long X509_NAME_hash(X509_NAME *x);
974unsigned long X509_NAME_hash_old(X509_NAME *x);
975
976int X509_CRL_cmp(const X509_CRL *a, const X509_CRL *b);
977int X509_CRL_match(const X509_CRL *a, const X509_CRL *b);
978#ifndef OPENSSL_NO_FP_API
979int X509_print_ex_fp(FILE *bp,X509 *x, unsigned long nmflag, unsigned long cflag);
980int X509_print_fp(FILE *bp,X509 *x);
981int X509_CRL_print_fp(FILE *bp,X509_CRL *x);
982int X509_REQ_print_fp(FILE *bp,X509_REQ *req);
983int X509_NAME_print_ex_fp(FILE *fp, X509_NAME *nm, int indent, unsigned long flags);
984#endif
985
986#ifndef OPENSSL_NO_BIO
987int X509_NAME_print(BIO *bp, X509_NAME *name, int obase);
988int X509_NAME_print_ex(BIO *out, X509_NAME *nm, int indent, unsigned long flags);
989int X509_print_ex(BIO *bp,X509 *x, unsigned long nmflag, unsigned long cflag);
990int X509_print(BIO *bp,X509 *x);
991int X509_ocspid_print(BIO *bp,X509 *x);
992int X509_CERT_AUX_print(BIO *bp,X509_CERT_AUX *x, int indent);
993int X509_CRL_print(BIO *bp,X509_CRL *x);
994int X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflag, unsigned long cflag);
995int X509_REQ_print(BIO *bp,X509_REQ *req);
996#endif
997
998int X509_NAME_entry_count(X509_NAME *name);
999int X509_NAME_get_text_by_NID(X509_NAME *name, int nid,
1000 char *buf,int len);
1001int X509_NAME_get_text_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj,
1002 char *buf,int len);
1003
1004/* NOTE: you should be passsing -1, not 0 as lastpos. The functions that use
1005 * lastpos, search after that position on. */
1006int X509_NAME_get_index_by_NID(X509_NAME *name,int nid,int lastpos);
1007int X509_NAME_get_index_by_OBJ(X509_NAME *name,ASN1_OBJECT *obj,
1008 int lastpos);
1009X509_NAME_ENTRY *X509_NAME_get_entry(X509_NAME *name, int loc);
1010X509_NAME_ENTRY *X509_NAME_delete_entry(X509_NAME *name, int loc);
1011int X509_NAME_add_entry(X509_NAME *name,X509_NAME_ENTRY *ne,
1012 int loc, int set);
1013int X509_NAME_add_entry_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, int type,
1014 unsigned char *bytes, int len, int loc, int set);
1015int X509_NAME_add_entry_by_NID(X509_NAME *name, int nid, int type,
1016 unsigned char *bytes, int len, int loc, int set);
1017X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_txt(X509_NAME_ENTRY **ne,
1018 const char *field, int type, const unsigned char *bytes, int len);
1019X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_NID(X509_NAME_ENTRY **ne, int nid,
1020 int type,unsigned char *bytes, int len);
1021int X509_NAME_add_entry_by_txt(X509_NAME *name, const char *field, int type,
1022 const unsigned char *bytes, int len, int loc, int set);
1023X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_OBJ(X509_NAME_ENTRY **ne,
1024 ASN1_OBJECT *obj, int type,const unsigned char *bytes,
1025 int len);
1026int X509_NAME_ENTRY_set_object(X509_NAME_ENTRY *ne,
1027 ASN1_OBJECT *obj);
1028int X509_NAME_ENTRY_set_data(X509_NAME_ENTRY *ne, int type,
1029 const unsigned char *bytes, int len);
1030ASN1_OBJECT * X509_NAME_ENTRY_get_object(X509_NAME_ENTRY *ne);
1031ASN1_STRING * X509_NAME_ENTRY_get_data(X509_NAME_ENTRY *ne);
1032
1033int X509v3_get_ext_count(const STACK_OF(X509_EXTENSION) *x);
1034int X509v3_get_ext_by_NID(const STACK_OF(X509_EXTENSION) *x,
1035 int nid, int lastpos);
1036int X509v3_get_ext_by_OBJ(const STACK_OF(X509_EXTENSION) *x,
1037 ASN1_OBJECT *obj,int lastpos);
1038int X509v3_get_ext_by_critical(const STACK_OF(X509_EXTENSION) *x,
1039 int crit, int lastpos);
1040X509_EXTENSION *X509v3_get_ext(const STACK_OF(X509_EXTENSION) *x, int loc);
1041X509_EXTENSION *X509v3_delete_ext(STACK_OF(X509_EXTENSION) *x, int loc);
1042STACK_OF(X509_EXTENSION) *X509v3_add_ext(STACK_OF(X509_EXTENSION) **x,
1043 X509_EXTENSION *ex, int loc);
1044
1045int X509_get_ext_count(X509 *x);
1046int X509_get_ext_by_NID(X509 *x, int nid, int lastpos);
1047int X509_get_ext_by_OBJ(X509 *x,ASN1_OBJECT *obj,int lastpos);
1048int X509_get_ext_by_critical(X509 *x, int crit, int lastpos);
1049X509_EXTENSION *X509_get_ext(X509 *x, int loc);
1050X509_EXTENSION *X509_delete_ext(X509 *x, int loc);
1051int X509_add_ext(X509 *x, X509_EXTENSION *ex, int loc);
1052void * X509_get_ext_d2i(X509 *x, int nid, int *crit, int *idx);
1053int X509_add1_ext_i2d(X509 *x, int nid, void *value, int crit,
1054 unsigned long flags);
1055
1056int X509_CRL_get_ext_count(X509_CRL *x);
1057int X509_CRL_get_ext_by_NID(X509_CRL *x, int nid, int lastpos);
1058int X509_CRL_get_ext_by_OBJ(X509_CRL *x,ASN1_OBJECT *obj,int lastpos);
1059int X509_CRL_get_ext_by_critical(X509_CRL *x, int crit, int lastpos);
1060X509_EXTENSION *X509_CRL_get_ext(X509_CRL *x, int loc);
1061X509_EXTENSION *X509_CRL_delete_ext(X509_CRL *x, int loc);
1062int X509_CRL_add_ext(X509_CRL *x, X509_EXTENSION *ex, int loc);
1063void * X509_CRL_get_ext_d2i(X509_CRL *x, int nid, int *crit, int *idx);
1064int X509_CRL_add1_ext_i2d(X509_CRL *x, int nid, void *value, int crit,
1065 unsigned long flags);
1066
1067int X509_REVOKED_get_ext_count(X509_REVOKED *x);
1068int X509_REVOKED_get_ext_by_NID(X509_REVOKED *x, int nid, int lastpos);
1069int X509_REVOKED_get_ext_by_OBJ(X509_REVOKED *x,ASN1_OBJECT *obj,int lastpos);
1070int X509_REVOKED_get_ext_by_critical(X509_REVOKED *x, int crit, int lastpos);
1071X509_EXTENSION *X509_REVOKED_get_ext(X509_REVOKED *x, int loc);
1072X509_EXTENSION *X509_REVOKED_delete_ext(X509_REVOKED *x, int loc);
1073int X509_REVOKED_add_ext(X509_REVOKED *x, X509_EXTENSION *ex, int loc);
1074void * X509_REVOKED_get_ext_d2i(X509_REVOKED *x, int nid, int *crit, int *idx);
1075int X509_REVOKED_add1_ext_i2d(X509_REVOKED *x, int nid, void *value, int crit,
1076 unsigned long flags);
1077
1078X509_EXTENSION *X509_EXTENSION_create_by_NID(X509_EXTENSION **ex,
1079 int nid, int crit, ASN1_OCTET_STRING *data);
1080X509_EXTENSION *X509_EXTENSION_create_by_OBJ(X509_EXTENSION **ex,
1081 ASN1_OBJECT *obj,int crit,ASN1_OCTET_STRING *data);
1082int X509_EXTENSION_set_object(X509_EXTENSION *ex,ASN1_OBJECT *obj);
1083int X509_EXTENSION_set_critical(X509_EXTENSION *ex, int crit);
1084int X509_EXTENSION_set_data(X509_EXTENSION *ex,
1085 ASN1_OCTET_STRING *data);
1086ASN1_OBJECT * X509_EXTENSION_get_object(X509_EXTENSION *ex);
1087ASN1_OCTET_STRING *X509_EXTENSION_get_data(X509_EXTENSION *ne);
1088int X509_EXTENSION_get_critical(X509_EXTENSION *ex);
1089
1090int X509at_get_attr_count(const STACK_OF(X509_ATTRIBUTE) *x);
1091int X509at_get_attr_by_NID(const STACK_OF(X509_ATTRIBUTE) *x, int nid,
1092 int lastpos);
1093int X509at_get_attr_by_OBJ(const STACK_OF(X509_ATTRIBUTE) *sk, ASN1_OBJECT *obj,
1094 int lastpos);
1095X509_ATTRIBUTE *X509at_get_attr(const STACK_OF(X509_ATTRIBUTE) *x, int loc);
1096X509_ATTRIBUTE *X509at_delete_attr(STACK_OF(X509_ATTRIBUTE) *x, int loc);
1097STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr(STACK_OF(X509_ATTRIBUTE) **x,
1098 X509_ATTRIBUTE *attr);
1099STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_OBJ(STACK_OF(X509_ATTRIBUTE) **x,
1100 const ASN1_OBJECT *obj, int type,
1101 const unsigned char *bytes, int len);
1102STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_NID(STACK_OF(X509_ATTRIBUTE) **x,
1103 int nid, int type,
1104 const unsigned char *bytes, int len);
1105STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_txt(STACK_OF(X509_ATTRIBUTE) **x,
1106 const char *attrname, int type,
1107 const unsigned char *bytes, int len);
1108void *X509at_get0_data_by_OBJ(STACK_OF(X509_ATTRIBUTE) *x,
1109 ASN1_OBJECT *obj, int lastpos, int type);
1110X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_NID(X509_ATTRIBUTE **attr, int nid,
1111 int atrtype, const void *data, int len);
1112X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_OBJ(X509_ATTRIBUTE **attr,
1113 const ASN1_OBJECT *obj, int atrtype, const void *data, int len);
1114X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_txt(X509_ATTRIBUTE **attr,
1115 const char *atrname, int type, const unsigned char *bytes, int len);
1116int X509_ATTRIBUTE_set1_object(X509_ATTRIBUTE *attr, const ASN1_OBJECT *obj);
1117int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype, const void *data, int len);
1118void *X509_ATTRIBUTE_get0_data(X509_ATTRIBUTE *attr, int idx,
1119 int atrtype, void *data);
1120int X509_ATTRIBUTE_count(X509_ATTRIBUTE *attr);
1121ASN1_OBJECT *X509_ATTRIBUTE_get0_object(X509_ATTRIBUTE *attr);
1122ASN1_TYPE *X509_ATTRIBUTE_get0_type(X509_ATTRIBUTE *attr, int idx);
1123
1124int EVP_PKEY_get_attr_count(const EVP_PKEY *key);
1125int EVP_PKEY_get_attr_by_NID(const EVP_PKEY *key, int nid,
1126 int lastpos);
1127int EVP_PKEY_get_attr_by_OBJ(const EVP_PKEY *key, ASN1_OBJECT *obj,
1128 int lastpos);
1129X509_ATTRIBUTE *EVP_PKEY_get_attr(const EVP_PKEY *key, int loc);
1130X509_ATTRIBUTE *EVP_PKEY_delete_attr(EVP_PKEY *key, int loc);
1131int EVP_PKEY_add1_attr(EVP_PKEY *key, X509_ATTRIBUTE *attr);
1132int EVP_PKEY_add1_attr_by_OBJ(EVP_PKEY *key,
1133 const ASN1_OBJECT *obj, int type,
1134 const unsigned char *bytes, int len);
1135int EVP_PKEY_add1_attr_by_NID(EVP_PKEY *key,
1136 int nid, int type,
1137 const unsigned char *bytes, int len);
1138int EVP_PKEY_add1_attr_by_txt(EVP_PKEY *key,
1139 const char *attrname, int type,
1140 const unsigned char *bytes, int len);
1141
1142int X509_verify_cert(X509_STORE_CTX *ctx);
1143
1144/* lookup a cert from a X509 STACK */
1145X509 *X509_find_by_issuer_and_serial(STACK_OF(X509) *sk,X509_NAME *name,
1146 ASN1_INTEGER *serial);
1147X509 *X509_find_by_subject(STACK_OF(X509) *sk,X509_NAME *name);
1148
1149DECLARE_ASN1_FUNCTIONS(PBEPARAM)
1150DECLARE_ASN1_FUNCTIONS(PBE2PARAM)
1151DECLARE_ASN1_FUNCTIONS(PBKDF2PARAM)
1152
1153int PKCS5_pbe_set0_algor(X509_ALGOR *algor, int alg, int iter,
1154 const unsigned char *salt, int saltlen);
1155
1156X509_ALGOR *PKCS5_pbe_set(int alg, int iter,
1157 const unsigned char *salt, int saltlen);
1158X509_ALGOR *PKCS5_pbe2_set(const EVP_CIPHER *cipher, int iter,
1159 unsigned char *salt, int saltlen);
1160X509_ALGOR *PKCS5_pbe2_set_iv(const EVP_CIPHER *cipher, int iter,
1161 unsigned char *salt, int saltlen,
1162 unsigned char *aiv, int prf_nid);
1163
1164/* PKCS#8 utilities */
1165
1166DECLARE_ASN1_FUNCTIONS(PKCS8_PRIV_KEY_INFO)
1167
1168EVP_PKEY *EVP_PKCS82PKEY(PKCS8_PRIV_KEY_INFO *p8);
1169PKCS8_PRIV_KEY_INFO *EVP_PKEY2PKCS8(EVP_PKEY *pkey);
1170PKCS8_PRIV_KEY_INFO *EVP_PKEY2PKCS8_broken(EVP_PKEY *pkey, int broken);
1171PKCS8_PRIV_KEY_INFO *PKCS8_set_broken(PKCS8_PRIV_KEY_INFO *p8, int broken);
1172
1173int PKCS8_pkey_set0(PKCS8_PRIV_KEY_INFO *priv, ASN1_OBJECT *aobj,
1174 int version, int ptype, void *pval,
1175 unsigned char *penc, int penclen);
1176int PKCS8_pkey_get0(ASN1_OBJECT **ppkalg,
1177 const unsigned char **pk, int *ppklen,
1178 X509_ALGOR **pa,
1179 PKCS8_PRIV_KEY_INFO *p8);
1180
1181int X509_PUBKEY_set0_param(X509_PUBKEY *pub, ASN1_OBJECT *aobj,
1182 int ptype, void *pval,
1183 unsigned char *penc, int penclen);
1184int X509_PUBKEY_get0_param(ASN1_OBJECT **ppkalg,
1185 const unsigned char **pk, int *ppklen,
1186 X509_ALGOR **pa,
1187 X509_PUBKEY *pub);
1188
1189int X509_check_trust(X509 *x, int id, int flags);
1190int X509_TRUST_get_count(void);
1191X509_TRUST * X509_TRUST_get0(int idx);
1192int X509_TRUST_get_by_id(int id);
1193int X509_TRUST_add(int id, int flags, int (*ck)(X509_TRUST *, X509 *, int),
1194 char *name, int arg1, void *arg2);
1195void X509_TRUST_cleanup(void);
1196int X509_TRUST_get_flags(X509_TRUST *xp);
1197char *X509_TRUST_get0_name(X509_TRUST *xp);
1198int X509_TRUST_get_trust(X509_TRUST *xp);
1199
1200/* BEGIN ERROR CODES */
1201/* The following lines are auto generated by the script mkerr.pl. Any changes
1202 * made after this point may be overwritten when the script is next run.
1203 */
1204void ERR_load_X509_strings(void);
1205
1206/* Error codes for the X509 functions. */
1207
1208/* Function codes. */
1209#define X509_F_ADD_CERT_DIR 100
1210#define X509_F_BY_FILE_CTRL 101
1211#define X509_F_CHECK_POLICY 145
1212#define X509_F_DIR_CTRL 102
1213#define X509_F_GET_CERT_BY_SUBJECT 103
1214#define X509_F_NETSCAPE_SPKI_B64_DECODE 129
1215#define X509_F_NETSCAPE_SPKI_B64_ENCODE 130
1216#define X509_F_X509AT_ADD1_ATTR 135
1217#define X509_F_X509V3_ADD_EXT 104
1218#define X509_F_X509_ATTRIBUTE_CREATE_BY_NID 136
1219#define X509_F_X509_ATTRIBUTE_CREATE_BY_OBJ 137
1220#define X509_F_X509_ATTRIBUTE_CREATE_BY_TXT 140
1221#define X509_F_X509_ATTRIBUTE_GET0_DATA 139
1222#define X509_F_X509_ATTRIBUTE_SET1_DATA 138
1223#define X509_F_X509_CHECK_PRIVATE_KEY 128
1224#define X509_F_X509_CRL_PRINT_FP 147
1225#define X509_F_X509_EXTENSION_CREATE_BY_NID 108
1226#define X509_F_X509_EXTENSION_CREATE_BY_OBJ 109
1227#define X509_F_X509_GET_PUBKEY_PARAMETERS 110
1228#define X509_F_X509_LOAD_CERT_CRL_FILE 132
1229#define X509_F_X509_LOAD_CERT_FILE 111
1230#define X509_F_X509_LOAD_CRL_FILE 112
1231#define X509_F_X509_NAME_ADD_ENTRY 113
1232#define X509_F_X509_NAME_ENTRY_CREATE_BY_NID 114
1233#define X509_F_X509_NAME_ENTRY_CREATE_BY_TXT 131
1234#define X509_F_X509_NAME_ENTRY_SET_OBJECT 115
1235#define X509_F_X509_NAME_ONELINE 116
1236#define X509_F_X509_NAME_PRINT 117
1237#define X509_F_X509_PRINT_EX_FP 118
1238#define X509_F_X509_PUBKEY_GET 119
1239#define X509_F_X509_PUBKEY_SET 120
1240#define X509_F_X509_REQ_CHECK_PRIVATE_KEY 144
1241#define X509_F_X509_REQ_PRINT_EX 121
1242#define X509_F_X509_REQ_PRINT_FP 122
1243#define X509_F_X509_REQ_TO_X509 123
1244#define X509_F_X509_STORE_ADD_CERT 124
1245#define X509_F_X509_STORE_ADD_CRL 125
1246#define X509_F_X509_STORE_CTX_GET1_ISSUER 146
1247#define X509_F_X509_STORE_CTX_INIT 143
1248#define X509_F_X509_STORE_CTX_NEW 142
1249#define X509_F_X509_STORE_CTX_PURPOSE_INHERIT 134
1250#define X509_F_X509_TO_X509_REQ 126
1251#define X509_F_X509_TRUST_ADD 133
1252#define X509_F_X509_TRUST_SET 141
1253#define X509_F_X509_VERIFY_CERT 127
1254
1255/* Reason codes. */
1256#define X509_R_BAD_X509_FILETYPE 100
1257#define X509_R_BASE64_DECODE_ERROR 118
1258#define X509_R_CANT_CHECK_DH_KEY 114
1259#define X509_R_CERT_ALREADY_IN_HASH_TABLE 101
1260#define X509_R_ERR_ASN1_LIB 102
1261#define X509_R_INVALID_DIRECTORY 113
1262#define X509_R_INVALID_FIELD_NAME 119
1263#define X509_R_INVALID_TRUST 123
1264#define X509_R_KEY_TYPE_MISMATCH 115
1265#define X509_R_KEY_VALUES_MISMATCH 116
1266#define X509_R_LOADING_CERT_DIR 103
1267#define X509_R_LOADING_DEFAULTS 104
1268#define X509_R_METHOD_NOT_SUPPORTED 124
1269#define X509_R_NO_CERT_SET_FOR_US_TO_VERIFY 105
1270#define X509_R_PUBLIC_KEY_DECODE_ERROR 125
1271#define X509_R_PUBLIC_KEY_ENCODE_ERROR 126
1272#define X509_R_SHOULD_RETRY 106
1273#define X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN 107
1274#define X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY 108
1275#define X509_R_UNKNOWN_KEY_TYPE 117
1276#define X509_R_UNKNOWN_NID 109
1277#define X509_R_UNKNOWN_PURPOSE_ID 121
1278#define X509_R_UNKNOWN_TRUST_ID 120
1279#define X509_R_UNSUPPORTED_ALGORITHM 111
1280#define X509_R_WRONG_LOOKUP_TYPE 112
1281#define X509_R_WRONG_TYPE 122
1282
1283#ifdef __cplusplus
1284}
1285#endif
1286#endif
diff --git a/src/lib/libcrypto/x509/x509_att.c b/src/lib/libcrypto/x509/x509_att.c
deleted file mode 100644
index 98460e8921..0000000000
--- a/src/lib/libcrypto/x509/x509_att.c
+++ /dev/null
@@ -1,359 +0,0 @@
1/* crypto/x509/x509_att.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include <openssl/stack.h>
61#include "cryptlib.h"
62#include <openssl/asn1.h>
63#include <openssl/objects.h>
64#include <openssl/evp.h>
65#include <openssl/x509.h>
66#include <openssl/x509v3.h>
67
68int X509at_get_attr_count(const STACK_OF(X509_ATTRIBUTE) *x)
69{
70 return sk_X509_ATTRIBUTE_num(x);
71}
72
73int X509at_get_attr_by_NID(const STACK_OF(X509_ATTRIBUTE) *x, int nid,
74 int lastpos)
75{
76 ASN1_OBJECT *obj;
77
78 obj=OBJ_nid2obj(nid);
79 if (obj == NULL) return(-2);
80 return(X509at_get_attr_by_OBJ(x,obj,lastpos));
81}
82
83int X509at_get_attr_by_OBJ(const STACK_OF(X509_ATTRIBUTE) *sk, ASN1_OBJECT *obj,
84 int lastpos)
85{
86 int n;
87 X509_ATTRIBUTE *ex;
88
89 if (sk == NULL) return(-1);
90 lastpos++;
91 if (lastpos < 0)
92 lastpos=0;
93 n=sk_X509_ATTRIBUTE_num(sk);
94 for ( ; lastpos < n; lastpos++)
95 {
96 ex=sk_X509_ATTRIBUTE_value(sk,lastpos);
97 if (OBJ_cmp(ex->object,obj) == 0)
98 return(lastpos);
99 }
100 return(-1);
101}
102
103X509_ATTRIBUTE *X509at_get_attr(const STACK_OF(X509_ATTRIBUTE) *x, int loc)
104{
105 if (x == NULL || sk_X509_ATTRIBUTE_num(x) <= loc || loc < 0)
106 return NULL;
107 else
108 return sk_X509_ATTRIBUTE_value(x,loc);
109}
110
111X509_ATTRIBUTE *X509at_delete_attr(STACK_OF(X509_ATTRIBUTE) *x, int loc)
112{
113 X509_ATTRIBUTE *ret;
114
115 if (x == NULL || sk_X509_ATTRIBUTE_num(x) <= loc || loc < 0)
116 return(NULL);
117 ret=sk_X509_ATTRIBUTE_delete(x,loc);
118 return(ret);
119}
120
121STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr(STACK_OF(X509_ATTRIBUTE) **x,
122 X509_ATTRIBUTE *attr)
123{
124 X509_ATTRIBUTE *new_attr=NULL;
125 STACK_OF(X509_ATTRIBUTE) *sk=NULL;
126
127 if (x == NULL)
128 {
129 X509err(X509_F_X509AT_ADD1_ATTR, ERR_R_PASSED_NULL_PARAMETER);
130 goto err2;
131 }
132
133 if (*x == NULL)
134 {
135 if ((sk=sk_X509_ATTRIBUTE_new_null()) == NULL)
136 goto err;
137 }
138 else
139 sk= *x;
140
141 if ((new_attr=X509_ATTRIBUTE_dup(attr)) == NULL)
142 goto err2;
143 if (!sk_X509_ATTRIBUTE_push(sk,new_attr))
144 goto err;
145 if (*x == NULL)
146 *x=sk;
147 return(sk);
148err:
149 X509err(X509_F_X509AT_ADD1_ATTR,ERR_R_MALLOC_FAILURE);
150err2:
151 if (new_attr != NULL) X509_ATTRIBUTE_free(new_attr);
152 if (sk != NULL) sk_X509_ATTRIBUTE_free(sk);
153 return(NULL);
154}
155
156STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_OBJ(STACK_OF(X509_ATTRIBUTE) **x,
157 const ASN1_OBJECT *obj, int type,
158 const unsigned char *bytes, int len)
159{
160 X509_ATTRIBUTE *attr;
161 STACK_OF(X509_ATTRIBUTE) *ret;
162 attr = X509_ATTRIBUTE_create_by_OBJ(NULL, obj, type, bytes, len);
163 if(!attr) return 0;
164 ret = X509at_add1_attr(x, attr);
165 X509_ATTRIBUTE_free(attr);
166 return ret;
167}
168
169STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_NID(STACK_OF(X509_ATTRIBUTE) **x,
170 int nid, int type,
171 const unsigned char *bytes, int len)
172{
173 X509_ATTRIBUTE *attr;
174 STACK_OF(X509_ATTRIBUTE) *ret;
175 attr = X509_ATTRIBUTE_create_by_NID(NULL, nid, type, bytes, len);
176 if(!attr) return 0;
177 ret = X509at_add1_attr(x, attr);
178 X509_ATTRIBUTE_free(attr);
179 return ret;
180}
181
182STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_txt(STACK_OF(X509_ATTRIBUTE) **x,
183 const char *attrname, int type,
184 const unsigned char *bytes, int len)
185{
186 X509_ATTRIBUTE *attr;
187 STACK_OF(X509_ATTRIBUTE) *ret;
188 attr = X509_ATTRIBUTE_create_by_txt(NULL, attrname, type, bytes, len);
189 if(!attr) return 0;
190 ret = X509at_add1_attr(x, attr);
191 X509_ATTRIBUTE_free(attr);
192 return ret;
193}
194
195void *X509at_get0_data_by_OBJ(STACK_OF(X509_ATTRIBUTE) *x,
196 ASN1_OBJECT *obj, int lastpos, int type)
197{
198 int i;
199 X509_ATTRIBUTE *at;
200 i = X509at_get_attr_by_OBJ(x, obj, lastpos);
201 if (i == -1)
202 return NULL;
203 if ((lastpos <= -2) && (X509at_get_attr_by_OBJ(x, obj, i) != -1))
204 return NULL;
205 at = X509at_get_attr(x, i);
206 if (lastpos <= -3 && (X509_ATTRIBUTE_count(at) != 1))
207 return NULL;
208 return X509_ATTRIBUTE_get0_data(at, 0, type, NULL);
209}
210
211X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_NID(X509_ATTRIBUTE **attr, int nid,
212 int atrtype, const void *data, int len)
213{
214 ASN1_OBJECT *obj;
215 X509_ATTRIBUTE *ret;
216
217 obj=OBJ_nid2obj(nid);
218 if (obj == NULL)
219 {
220 X509err(X509_F_X509_ATTRIBUTE_CREATE_BY_NID,X509_R_UNKNOWN_NID);
221 return(NULL);
222 }
223 ret=X509_ATTRIBUTE_create_by_OBJ(attr,obj,atrtype,data,len);
224 if (ret == NULL) ASN1_OBJECT_free(obj);
225 return(ret);
226}
227
228X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_OBJ(X509_ATTRIBUTE **attr,
229 const ASN1_OBJECT *obj, int atrtype, const void *data, int len)
230{
231 X509_ATTRIBUTE *ret;
232
233 if ((attr == NULL) || (*attr == NULL))
234 {
235 if ((ret=X509_ATTRIBUTE_new()) == NULL)
236 {
237 X509err(X509_F_X509_ATTRIBUTE_CREATE_BY_OBJ,ERR_R_MALLOC_FAILURE);
238 return(NULL);
239 }
240 }
241 else
242 ret= *attr;
243
244 if (!X509_ATTRIBUTE_set1_object(ret,obj))
245 goto err;
246 if (!X509_ATTRIBUTE_set1_data(ret,atrtype,data,len))
247 goto err;
248
249 if ((attr != NULL) && (*attr == NULL)) *attr=ret;
250 return(ret);
251err:
252 if ((attr == NULL) || (ret != *attr))
253 X509_ATTRIBUTE_free(ret);
254 return(NULL);
255}
256
257X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_txt(X509_ATTRIBUTE **attr,
258 const char *atrname, int type, const unsigned char *bytes, int len)
259 {
260 ASN1_OBJECT *obj;
261 X509_ATTRIBUTE *nattr;
262
263 obj=OBJ_txt2obj(atrname, 0);
264 if (obj == NULL)
265 {
266 X509err(X509_F_X509_ATTRIBUTE_CREATE_BY_TXT,
267 X509_R_INVALID_FIELD_NAME);
268 ERR_add_error_data(2, "name=", atrname);
269 return(NULL);
270 }
271 nattr = X509_ATTRIBUTE_create_by_OBJ(attr,obj,type,bytes,len);
272 ASN1_OBJECT_free(obj);
273 return nattr;
274 }
275
276int X509_ATTRIBUTE_set1_object(X509_ATTRIBUTE *attr, const ASN1_OBJECT *obj)
277{
278 if ((attr == NULL) || (obj == NULL))
279 return(0);
280 ASN1_OBJECT_free(attr->object);
281 attr->object=OBJ_dup(obj);
282 return(1);
283}
284
285int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype, const void *data, int len)
286{
287 ASN1_TYPE *ttmp;
288 ASN1_STRING *stmp = NULL;
289 int atype = 0;
290 if (!attr) return 0;
291 if(attrtype & MBSTRING_FLAG) {
292 stmp = ASN1_STRING_set_by_NID(NULL, data, len, attrtype,
293 OBJ_obj2nid(attr->object));
294 if(!stmp) {
295 X509err(X509_F_X509_ATTRIBUTE_SET1_DATA, ERR_R_ASN1_LIB);
296 return 0;
297 }
298 atype = stmp->type;
299 } else if (len != -1){
300 if(!(stmp = ASN1_STRING_type_new(attrtype))) goto err;
301 if(!ASN1_STRING_set(stmp, data, len)) goto err;
302 atype = attrtype;
303 }
304 if(!(attr->value.set = sk_ASN1_TYPE_new_null())) goto err;
305 attr->single = 0;
306 /* This is a bit naughty because the attribute should really have
307 * at least one value but some types use and zero length SET and
308 * require this.
309 */
310 if (attrtype == 0)
311 return 1;
312 if(!(ttmp = ASN1_TYPE_new())) goto err;
313 if ((len == -1) && !(attrtype & MBSTRING_FLAG))
314 {
315 if (!ASN1_TYPE_set1(ttmp, attrtype, data))
316 goto err;
317 }
318 else
319 ASN1_TYPE_set(ttmp, atype, stmp);
320 if(!sk_ASN1_TYPE_push(attr->value.set, ttmp)) goto err;
321 return 1;
322 err:
323 X509err(X509_F_X509_ATTRIBUTE_SET1_DATA, ERR_R_MALLOC_FAILURE);
324 return 0;
325}
326
327int X509_ATTRIBUTE_count(X509_ATTRIBUTE *attr)
328{
329 if(!attr->single) return sk_ASN1_TYPE_num(attr->value.set);
330 if(attr->value.single) return 1;
331 return 0;
332}
333
334ASN1_OBJECT *X509_ATTRIBUTE_get0_object(X509_ATTRIBUTE *attr)
335{
336 if (attr == NULL) return(NULL);
337 return(attr->object);
338}
339
340void *X509_ATTRIBUTE_get0_data(X509_ATTRIBUTE *attr, int idx,
341 int atrtype, void *data)
342{
343 ASN1_TYPE *ttmp;
344 ttmp = X509_ATTRIBUTE_get0_type(attr, idx);
345 if(!ttmp) return NULL;
346 if(atrtype != ASN1_TYPE_get(ttmp)){
347 X509err(X509_F_X509_ATTRIBUTE_GET0_DATA, X509_R_WRONG_TYPE);
348 return NULL;
349 }
350 return ttmp->value.ptr;
351}
352
353ASN1_TYPE *X509_ATTRIBUTE_get0_type(X509_ATTRIBUTE *attr, int idx)
354{
355 if (attr == NULL) return(NULL);
356 if(idx >= X509_ATTRIBUTE_count(attr)) return NULL;
357 if(!attr->single) return sk_ASN1_TYPE_value(attr->value.set, idx);
358 else return attr->value.single;
359}
diff --git a/src/lib/libcrypto/x509/x509_cmp.c b/src/lib/libcrypto/x509/x509_cmp.c
deleted file mode 100644
index 4bc9da07e0..0000000000
--- a/src/lib/libcrypto/x509/x509_cmp.c
+++ /dev/null
@@ -1,331 +0,0 @@
1/* crypto/x509/x509_cmp.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include <ctype.h>
61#include "cryptlib.h"
62#include <openssl/asn1.h>
63#include <openssl/objects.h>
64#include <openssl/x509.h>
65#include <openssl/x509v3.h>
66
67int X509_issuer_and_serial_cmp(const X509 *a, const X509 *b)
68 {
69 int i;
70 X509_CINF *ai,*bi;
71
72 ai=a->cert_info;
73 bi=b->cert_info;
74 i=M_ASN1_INTEGER_cmp(ai->serialNumber,bi->serialNumber);
75 if (i) return(i);
76 return(X509_NAME_cmp(ai->issuer,bi->issuer));
77 }
78
79#ifndef OPENSSL_NO_MD5
80unsigned long X509_issuer_and_serial_hash(X509 *a)
81 {
82 unsigned long ret=0;
83 EVP_MD_CTX ctx;
84 unsigned char md[16];
85 char *f;
86
87 EVP_MD_CTX_init(&ctx);
88 f=X509_NAME_oneline(a->cert_info->issuer,NULL,0);
89 ret=strlen(f);
90 EVP_DigestInit_ex(&ctx, EVP_md5(), NULL);
91 EVP_DigestUpdate(&ctx,(unsigned char *)f,ret);
92 OPENSSL_free(f);
93 EVP_DigestUpdate(&ctx,(unsigned char *)a->cert_info->serialNumber->data,
94 (unsigned long)a->cert_info->serialNumber->length);
95 EVP_DigestFinal_ex(&ctx,&(md[0]),NULL);
96 ret=( ((unsigned long)md[0] )|((unsigned long)md[1]<<8L)|
97 ((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L)
98 )&0xffffffffL;
99 EVP_MD_CTX_cleanup(&ctx);
100 return(ret);
101 }
102#endif
103
104int X509_issuer_name_cmp(const X509 *a, const X509 *b)
105 {
106 return(X509_NAME_cmp(a->cert_info->issuer,b->cert_info->issuer));
107 }
108
109int X509_subject_name_cmp(const X509 *a, const X509 *b)
110 {
111 return(X509_NAME_cmp(a->cert_info->subject,b->cert_info->subject));
112 }
113
114int X509_CRL_cmp(const X509_CRL *a, const X509_CRL *b)
115 {
116 return(X509_NAME_cmp(a->crl->issuer,b->crl->issuer));
117 }
118
119#ifndef OPENSSL_NO_SHA
120int X509_CRL_match(const X509_CRL *a, const X509_CRL *b)
121 {
122 return memcmp(a->sha1_hash, b->sha1_hash, 20);
123 }
124#endif
125
126X509_NAME *X509_get_issuer_name(X509 *a)
127 {
128 return(a->cert_info->issuer);
129 }
130
131unsigned long X509_issuer_name_hash(X509 *x)
132 {
133 return(X509_NAME_hash(x->cert_info->issuer));
134 }
135
136#ifndef OPENSSL_NO_MD5
137unsigned long X509_issuer_name_hash_old(X509 *x)
138 {
139 return(X509_NAME_hash_old(x->cert_info->issuer));
140 }
141#endif
142
143X509_NAME *X509_get_subject_name(X509 *a)
144 {
145 return(a->cert_info->subject);
146 }
147
148ASN1_INTEGER *X509_get_serialNumber(X509 *a)
149 {
150 return(a->cert_info->serialNumber);
151 }
152
153unsigned long X509_subject_name_hash(X509 *x)
154 {
155 return(X509_NAME_hash(x->cert_info->subject));
156 }
157
158#ifndef OPENSSL_NO_MD5
159unsigned long X509_subject_name_hash_old(X509 *x)
160 {
161 return(X509_NAME_hash_old(x->cert_info->subject));
162 }
163#endif
164
165#ifndef OPENSSL_NO_SHA
166/* Compare two certificates: they must be identical for
167 * this to work. NB: Although "cmp" operations are generally
168 * prototyped to take "const" arguments (eg. for use in
169 * STACKs), the way X509 handling is - these operations may
170 * involve ensuring the hashes are up-to-date and ensuring
171 * certain cert information is cached. So this is the point
172 * where the "depth-first" constification tree has to halt
173 * with an evil cast.
174 */
175int X509_cmp(const X509 *a, const X509 *b)
176{
177 /* ensure hash is valid */
178 X509_check_purpose((X509 *)a, -1, 0);
179 X509_check_purpose((X509 *)b, -1, 0);
180
181 return memcmp(a->sha1_hash, b->sha1_hash, SHA_DIGEST_LENGTH);
182}
183#endif
184
185
186int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b)
187 {
188 int ret;
189
190 /* Ensure canonical encoding is present and up to date */
191
192 if (!a->canon_enc || a->modified)
193 {
194 ret = i2d_X509_NAME((X509_NAME *)a, NULL);
195 if (ret < 0)
196 return -2;
197 }
198
199 if (!b->canon_enc || b->modified)
200 {
201 ret = i2d_X509_NAME((X509_NAME *)b, NULL);
202 if (ret < 0)
203 return -2;
204 }
205
206 ret = a->canon_enclen - b->canon_enclen;
207
208 if (ret)
209 return ret;
210
211 return memcmp(a->canon_enc, b->canon_enc, a->canon_enclen);
212
213 }
214
215unsigned long X509_NAME_hash(X509_NAME *x)
216 {
217 unsigned long ret=0;
218 unsigned char md[SHA_DIGEST_LENGTH];
219
220 /* Make sure X509_NAME structure contains valid cached encoding */
221 i2d_X509_NAME(x,NULL);
222 EVP_Digest(x->canon_enc, x->canon_enclen, md, NULL, EVP_sha1(), NULL);
223
224 ret=( ((unsigned long)md[0] )|((unsigned long)md[1]<<8L)|
225 ((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L)
226 )&0xffffffffL;
227 return(ret);
228 }
229
230
231#ifndef OPENSSL_NO_MD5
232/* I now DER encode the name and hash it. Since I cache the DER encoding,
233 * this is reasonably efficient. */
234
235unsigned long X509_NAME_hash_old(X509_NAME *x)
236 {
237 unsigned long ret=0;
238 unsigned char md[16];
239
240 /* Make sure X509_NAME structure contains valid cached encoding */
241 i2d_X509_NAME(x,NULL);
242 EVP_Digest(x->bytes->data, x->bytes->length, md, NULL, EVP_md5(), NULL);
243
244 ret=( ((unsigned long)md[0] )|((unsigned long)md[1]<<8L)|
245 ((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L)
246 )&0xffffffffL;
247 return(ret);
248 }
249#endif
250
251/* Search a stack of X509 for a match */
252X509 *X509_find_by_issuer_and_serial(STACK_OF(X509) *sk, X509_NAME *name,
253 ASN1_INTEGER *serial)
254 {
255 int i;
256 X509_CINF cinf;
257 X509 x,*x509=NULL;
258
259 if(!sk) return NULL;
260
261 x.cert_info= &cinf;
262 cinf.serialNumber=serial;
263 cinf.issuer=name;
264
265 for (i=0; i<sk_X509_num(sk); i++)
266 {
267 x509=sk_X509_value(sk,i);
268 if (X509_issuer_and_serial_cmp(x509,&x) == 0)
269 return(x509);
270 }
271 return(NULL);
272 }
273
274X509 *X509_find_by_subject(STACK_OF(X509) *sk, X509_NAME *name)
275 {
276 X509 *x509;
277 int i;
278
279 for (i=0; i<sk_X509_num(sk); i++)
280 {
281 x509=sk_X509_value(sk,i);
282 if (X509_NAME_cmp(X509_get_subject_name(x509),name) == 0)
283 return(x509);
284 }
285 return(NULL);
286 }
287
288EVP_PKEY *X509_get_pubkey(X509 *x)
289 {
290 if ((x == NULL) || (x->cert_info == NULL))
291 return(NULL);
292 return(X509_PUBKEY_get(x->cert_info->key));
293 }
294
295ASN1_BIT_STRING *X509_get0_pubkey_bitstr(const X509 *x)
296 {
297 if(!x) return NULL;
298 return x->cert_info->key->public_key;
299 }
300
301int X509_check_private_key(X509 *x, EVP_PKEY *k)
302 {
303 EVP_PKEY *xk;
304 int ret;
305
306 xk=X509_get_pubkey(x);
307
308 if (xk)
309 ret = EVP_PKEY_cmp(xk, k);
310 else
311 ret = -2;
312
313 switch (ret)
314 {
315 case 1:
316 break;
317 case 0:
318 X509err(X509_F_X509_CHECK_PRIVATE_KEY,X509_R_KEY_VALUES_MISMATCH);
319 break;
320 case -1:
321 X509err(X509_F_X509_CHECK_PRIVATE_KEY,X509_R_KEY_TYPE_MISMATCH);
322 break;
323 case -2:
324 X509err(X509_F_X509_CHECK_PRIVATE_KEY,X509_R_UNKNOWN_KEY_TYPE);
325 }
326 if (xk)
327 EVP_PKEY_free(xk);
328 if (ret > 0)
329 return 1;
330 return 0;
331 }
diff --git a/src/lib/libcrypto/x509/x509_d2.c b/src/lib/libcrypto/x509/x509_d2.c
deleted file mode 100644
index 51410cfd1a..0000000000
--- a/src/lib/libcrypto/x509/x509_d2.c
+++ /dev/null
@@ -1,107 +0,0 @@
1/* crypto/x509/x509_d2.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/crypto.h>
62#include <openssl/x509.h>
63
64#ifndef OPENSSL_NO_STDIO
65int X509_STORE_set_default_paths(X509_STORE *ctx)
66 {
67 X509_LOOKUP *lookup;
68
69 lookup=X509_STORE_add_lookup(ctx,X509_LOOKUP_file());
70 if (lookup == NULL) return(0);
71 X509_LOOKUP_load_file(lookup,NULL,X509_FILETYPE_DEFAULT);
72
73 lookup=X509_STORE_add_lookup(ctx,X509_LOOKUP_hash_dir());
74 if (lookup == NULL) return(0);
75 X509_LOOKUP_add_dir(lookup,NULL,X509_FILETYPE_DEFAULT);
76
77 /* clear any errors */
78 ERR_clear_error();
79
80 return(1);
81 }
82
83int X509_STORE_load_locations(X509_STORE *ctx, const char *file,
84 const char *path)
85 {
86 X509_LOOKUP *lookup;
87
88 if (file != NULL)
89 {
90 lookup=X509_STORE_add_lookup(ctx,X509_LOOKUP_file());
91 if (lookup == NULL) return(0);
92 if (X509_LOOKUP_load_file(lookup,file,X509_FILETYPE_PEM) != 1)
93 return(0);
94 }
95 if (path != NULL)
96 {
97 lookup=X509_STORE_add_lookup(ctx,X509_LOOKUP_hash_dir());
98 if (lookup == NULL) return(0);
99 if (X509_LOOKUP_add_dir(lookup,path,X509_FILETYPE_PEM) != 1)
100 return(0);
101 }
102 if ((path == NULL) && (file == NULL))
103 return(0);
104 return(1);
105 }
106
107#endif
diff --git a/src/lib/libcrypto/x509/x509_def.c b/src/lib/libcrypto/x509/x509_def.c
deleted file mode 100644
index e0ac151a76..0000000000
--- a/src/lib/libcrypto/x509/x509_def.c
+++ /dev/null
@@ -1,81 +0,0 @@
1/* crypto/x509/x509_def.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/crypto.h>
62#include <openssl/x509.h>
63
64const char *X509_get_default_private_dir(void)
65 { return(X509_PRIVATE_DIR); }
66
67const char *X509_get_default_cert_area(void)
68 { return(X509_CERT_AREA); }
69
70const char *X509_get_default_cert_dir(void)
71 { return(X509_CERT_DIR); }
72
73const char *X509_get_default_cert_file(void)
74 { return(X509_CERT_FILE); }
75
76const char *X509_get_default_cert_dir_env(void)
77 { return(X509_CERT_DIR_EVP); }
78
79const char *X509_get_default_cert_file_env(void)
80 { return(X509_CERT_FILE_EVP); }
81
diff --git a/src/lib/libcrypto/x509/x509_err.c b/src/lib/libcrypto/x509/x509_err.c
deleted file mode 100644
index a01402f416..0000000000
--- a/src/lib/libcrypto/x509/x509_err.c
+++ /dev/null
@@ -1,164 +0,0 @@
1/* crypto/x509/x509_err.c */
2/* ====================================================================
3 * Copyright (c) 1999-2006 The OpenSSL Project. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 *
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 *
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in
14 * the documentation and/or other materials provided with the
15 * distribution.
16 *
17 * 3. All advertising materials mentioning features or use of this
18 * software must display the following acknowledgment:
19 * "This product includes software developed by the OpenSSL Project
20 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
21 *
22 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
23 * endorse or promote products derived from this software without
24 * prior written permission. For written permission, please contact
25 * openssl-core@OpenSSL.org.
26 *
27 * 5. Products derived from this software may not be called "OpenSSL"
28 * nor may "OpenSSL" appear in their names without prior written
29 * permission of the OpenSSL Project.
30 *
31 * 6. Redistributions of any form whatsoever must retain the following
32 * acknowledgment:
33 * "This product includes software developed by the OpenSSL Project
34 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
35 *
36 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
37 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
38 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
39 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
40 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
41 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
42 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
43 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
44 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
45 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
46 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
47 * OF THE POSSIBILITY OF SUCH DAMAGE.
48 * ====================================================================
49 *
50 * This product includes cryptographic software written by Eric Young
51 * (eay@cryptsoft.com). This product includes software written by Tim
52 * Hudson (tjh@cryptsoft.com).
53 *
54 */
55
56/* NOTE: this file was auto generated by the mkerr.pl script: any changes
57 * made to it will be overwritten when the script next updates this file,
58 * only reason strings will be preserved.
59 */
60
61#include <stdio.h>
62#include <openssl/err.h>
63#include <openssl/x509.h>
64
65/* BEGIN ERROR CODES */
66#ifndef OPENSSL_NO_ERR
67
68#define ERR_FUNC(func) ERR_PACK(ERR_LIB_X509,func,0)
69#define ERR_REASON(reason) ERR_PACK(ERR_LIB_X509,0,reason)
70
71static ERR_STRING_DATA X509_str_functs[]=
72 {
73{ERR_FUNC(X509_F_ADD_CERT_DIR), "ADD_CERT_DIR"},
74{ERR_FUNC(X509_F_BY_FILE_CTRL), "BY_FILE_CTRL"},
75{ERR_FUNC(X509_F_CHECK_POLICY), "CHECK_POLICY"},
76{ERR_FUNC(X509_F_DIR_CTRL), "DIR_CTRL"},
77{ERR_FUNC(X509_F_GET_CERT_BY_SUBJECT), "GET_CERT_BY_SUBJECT"},
78{ERR_FUNC(X509_F_NETSCAPE_SPKI_B64_DECODE), "NETSCAPE_SPKI_b64_decode"},
79{ERR_FUNC(X509_F_NETSCAPE_SPKI_B64_ENCODE), "NETSCAPE_SPKI_b64_encode"},
80{ERR_FUNC(X509_F_X509AT_ADD1_ATTR), "X509at_add1_attr"},
81{ERR_FUNC(X509_F_X509V3_ADD_EXT), "X509v3_add_ext"},
82{ERR_FUNC(X509_F_X509_ATTRIBUTE_CREATE_BY_NID), "X509_ATTRIBUTE_create_by_NID"},
83{ERR_FUNC(X509_F_X509_ATTRIBUTE_CREATE_BY_OBJ), "X509_ATTRIBUTE_create_by_OBJ"},
84{ERR_FUNC(X509_F_X509_ATTRIBUTE_CREATE_BY_TXT), "X509_ATTRIBUTE_create_by_txt"},
85{ERR_FUNC(X509_F_X509_ATTRIBUTE_GET0_DATA), "X509_ATTRIBUTE_get0_data"},
86{ERR_FUNC(X509_F_X509_ATTRIBUTE_SET1_DATA), "X509_ATTRIBUTE_set1_data"},
87{ERR_FUNC(X509_F_X509_CHECK_PRIVATE_KEY), "X509_check_private_key"},
88{ERR_FUNC(X509_F_X509_CRL_PRINT_FP), "X509_CRL_print_fp"},
89{ERR_FUNC(X509_F_X509_EXTENSION_CREATE_BY_NID), "X509_EXTENSION_create_by_NID"},
90{ERR_FUNC(X509_F_X509_EXTENSION_CREATE_BY_OBJ), "X509_EXTENSION_create_by_OBJ"},
91{ERR_FUNC(X509_F_X509_GET_PUBKEY_PARAMETERS), "X509_get_pubkey_parameters"},
92{ERR_FUNC(X509_F_X509_LOAD_CERT_CRL_FILE), "X509_load_cert_crl_file"},
93{ERR_FUNC(X509_F_X509_LOAD_CERT_FILE), "X509_load_cert_file"},
94{ERR_FUNC(X509_F_X509_LOAD_CRL_FILE), "X509_load_crl_file"},
95{ERR_FUNC(X509_F_X509_NAME_ADD_ENTRY), "X509_NAME_add_entry"},
96{ERR_FUNC(X509_F_X509_NAME_ENTRY_CREATE_BY_NID), "X509_NAME_ENTRY_create_by_NID"},
97{ERR_FUNC(X509_F_X509_NAME_ENTRY_CREATE_BY_TXT), "X509_NAME_ENTRY_create_by_txt"},
98{ERR_FUNC(X509_F_X509_NAME_ENTRY_SET_OBJECT), "X509_NAME_ENTRY_set_object"},
99{ERR_FUNC(X509_F_X509_NAME_ONELINE), "X509_NAME_oneline"},
100{ERR_FUNC(X509_F_X509_NAME_PRINT), "X509_NAME_print"},
101{ERR_FUNC(X509_F_X509_PRINT_EX_FP), "X509_print_ex_fp"},
102{ERR_FUNC(X509_F_X509_PUBKEY_GET), "X509_PUBKEY_get"},
103{ERR_FUNC(X509_F_X509_PUBKEY_SET), "X509_PUBKEY_set"},
104{ERR_FUNC(X509_F_X509_REQ_CHECK_PRIVATE_KEY), "X509_REQ_check_private_key"},
105{ERR_FUNC(X509_F_X509_REQ_PRINT_EX), "X509_REQ_print_ex"},
106{ERR_FUNC(X509_F_X509_REQ_PRINT_FP), "X509_REQ_print_fp"},
107{ERR_FUNC(X509_F_X509_REQ_TO_X509), "X509_REQ_to_X509"},
108{ERR_FUNC(X509_F_X509_STORE_ADD_CERT), "X509_STORE_add_cert"},
109{ERR_FUNC(X509_F_X509_STORE_ADD_CRL), "X509_STORE_add_crl"},
110{ERR_FUNC(X509_F_X509_STORE_CTX_GET1_ISSUER), "X509_STORE_CTX_get1_issuer"},
111{ERR_FUNC(X509_F_X509_STORE_CTX_INIT), "X509_STORE_CTX_init"},
112{ERR_FUNC(X509_F_X509_STORE_CTX_NEW), "X509_STORE_CTX_new"},
113{ERR_FUNC(X509_F_X509_STORE_CTX_PURPOSE_INHERIT), "X509_STORE_CTX_purpose_inherit"},
114{ERR_FUNC(X509_F_X509_TO_X509_REQ), "X509_to_X509_REQ"},
115{ERR_FUNC(X509_F_X509_TRUST_ADD), "X509_TRUST_add"},
116{ERR_FUNC(X509_F_X509_TRUST_SET), "X509_TRUST_set"},
117{ERR_FUNC(X509_F_X509_VERIFY_CERT), "X509_verify_cert"},
118{0,NULL}
119 };
120
121static ERR_STRING_DATA X509_str_reasons[]=
122 {
123{ERR_REASON(X509_R_BAD_X509_FILETYPE) ,"bad x509 filetype"},
124{ERR_REASON(X509_R_BASE64_DECODE_ERROR) ,"base64 decode error"},
125{ERR_REASON(X509_R_CANT_CHECK_DH_KEY) ,"cant check dh key"},
126{ERR_REASON(X509_R_CERT_ALREADY_IN_HASH_TABLE),"cert already in hash table"},
127{ERR_REASON(X509_R_ERR_ASN1_LIB) ,"err asn1 lib"},
128{ERR_REASON(X509_R_INVALID_DIRECTORY) ,"invalid directory"},
129{ERR_REASON(X509_R_INVALID_FIELD_NAME) ,"invalid field name"},
130{ERR_REASON(X509_R_INVALID_TRUST) ,"invalid trust"},
131{ERR_REASON(X509_R_KEY_TYPE_MISMATCH) ,"key type mismatch"},
132{ERR_REASON(X509_R_KEY_VALUES_MISMATCH) ,"key values mismatch"},
133{ERR_REASON(X509_R_LOADING_CERT_DIR) ,"loading cert dir"},
134{ERR_REASON(X509_R_LOADING_DEFAULTS) ,"loading defaults"},
135{ERR_REASON(X509_R_METHOD_NOT_SUPPORTED) ,"method not supported"},
136{ERR_REASON(X509_R_NO_CERT_SET_FOR_US_TO_VERIFY),"no cert set for us to verify"},
137{ERR_REASON(X509_R_PUBLIC_KEY_DECODE_ERROR),"public key decode error"},
138{ERR_REASON(X509_R_PUBLIC_KEY_ENCODE_ERROR),"public key encode error"},
139{ERR_REASON(X509_R_SHOULD_RETRY) ,"should retry"},
140{ERR_REASON(X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN),"unable to find parameters in chain"},
141{ERR_REASON(X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY),"unable to get certs public key"},
142{ERR_REASON(X509_R_UNKNOWN_KEY_TYPE) ,"unknown key type"},
143{ERR_REASON(X509_R_UNKNOWN_NID) ,"unknown nid"},
144{ERR_REASON(X509_R_UNKNOWN_PURPOSE_ID) ,"unknown purpose id"},
145{ERR_REASON(X509_R_UNKNOWN_TRUST_ID) ,"unknown trust id"},
146{ERR_REASON(X509_R_UNSUPPORTED_ALGORITHM),"unsupported algorithm"},
147{ERR_REASON(X509_R_WRONG_LOOKUP_TYPE) ,"wrong lookup type"},
148{ERR_REASON(X509_R_WRONG_TYPE) ,"wrong type"},
149{0,NULL}
150 };
151
152#endif
153
154void ERR_load_X509_strings(void)
155 {
156#ifndef OPENSSL_NO_ERR
157
158 if (ERR_func_error_string(X509_str_functs[0].error) == NULL)
159 {
160 ERR_load_strings(0,X509_str_functs);
161 ERR_load_strings(0,X509_str_reasons);
162 }
163#endif
164 }
diff --git a/src/lib/libcrypto/x509/x509_ext.c b/src/lib/libcrypto/x509/x509_ext.c
deleted file mode 100644
index e7fdacb5e4..0000000000
--- a/src/lib/libcrypto/x509/x509_ext.c
+++ /dev/null
@@ -1,210 +0,0 @@
1/* crypto/x509/x509_ext.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include <openssl/stack.h>
61#include "cryptlib.h"
62#include <openssl/asn1.h>
63#include <openssl/objects.h>
64#include <openssl/evp.h>
65#include <openssl/x509.h>
66#include <openssl/x509v3.h>
67
68
69int X509_CRL_get_ext_count(X509_CRL *x)
70 {
71 return(X509v3_get_ext_count(x->crl->extensions));
72 }
73
74int X509_CRL_get_ext_by_NID(X509_CRL *x, int nid, int lastpos)
75 {
76 return(X509v3_get_ext_by_NID(x->crl->extensions,nid,lastpos));
77 }
78
79int X509_CRL_get_ext_by_OBJ(X509_CRL *x, ASN1_OBJECT *obj, int lastpos)
80 {
81 return(X509v3_get_ext_by_OBJ(x->crl->extensions,obj,lastpos));
82 }
83
84int X509_CRL_get_ext_by_critical(X509_CRL *x, int crit, int lastpos)
85 {
86 return(X509v3_get_ext_by_critical(x->crl->extensions,crit,lastpos));
87 }
88
89X509_EXTENSION *X509_CRL_get_ext(X509_CRL *x, int loc)
90 {
91 return(X509v3_get_ext(x->crl->extensions,loc));
92 }
93
94X509_EXTENSION *X509_CRL_delete_ext(X509_CRL *x, int loc)
95 {
96 return(X509v3_delete_ext(x->crl->extensions,loc));
97 }
98
99void *X509_CRL_get_ext_d2i(X509_CRL *x, int nid, int *crit, int *idx)
100{
101 return X509V3_get_d2i(x->crl->extensions, nid, crit, idx);
102}
103
104int X509_CRL_add1_ext_i2d(X509_CRL *x, int nid, void *value, int crit,
105 unsigned long flags)
106{
107 return X509V3_add1_i2d(&x->crl->extensions, nid, value, crit, flags);
108}
109
110int X509_CRL_add_ext(X509_CRL *x, X509_EXTENSION *ex, int loc)
111 {
112 return(X509v3_add_ext(&(x->crl->extensions),ex,loc) != NULL);
113 }
114
115int X509_get_ext_count(X509 *x)
116 {
117 return(X509v3_get_ext_count(x->cert_info->extensions));
118 }
119
120int X509_get_ext_by_NID(X509 *x, int nid, int lastpos)
121 {
122 return(X509v3_get_ext_by_NID(x->cert_info->extensions,nid,lastpos));
123 }
124
125int X509_get_ext_by_OBJ(X509 *x, ASN1_OBJECT *obj, int lastpos)
126 {
127 return(X509v3_get_ext_by_OBJ(x->cert_info->extensions,obj,lastpos));
128 }
129
130int X509_get_ext_by_critical(X509 *x, int crit, int lastpos)
131 {
132 return(X509v3_get_ext_by_critical(x->cert_info->extensions,crit,lastpos));
133 }
134
135X509_EXTENSION *X509_get_ext(X509 *x, int loc)
136 {
137 return(X509v3_get_ext(x->cert_info->extensions,loc));
138 }
139
140X509_EXTENSION *X509_delete_ext(X509 *x, int loc)
141 {
142 return(X509v3_delete_ext(x->cert_info->extensions,loc));
143 }
144
145int X509_add_ext(X509 *x, X509_EXTENSION *ex, int loc)
146 {
147 return(X509v3_add_ext(&(x->cert_info->extensions),ex,loc) != NULL);
148 }
149
150void *X509_get_ext_d2i(X509 *x, int nid, int *crit, int *idx)
151{
152 return X509V3_get_d2i(x->cert_info->extensions, nid, crit, idx);
153}
154
155int X509_add1_ext_i2d(X509 *x, int nid, void *value, int crit,
156 unsigned long flags)
157{
158 return X509V3_add1_i2d(&x->cert_info->extensions, nid, value, crit,
159 flags);
160}
161
162int X509_REVOKED_get_ext_count(X509_REVOKED *x)
163 {
164 return(X509v3_get_ext_count(x->extensions));
165 }
166
167int X509_REVOKED_get_ext_by_NID(X509_REVOKED *x, int nid, int lastpos)
168 {
169 return(X509v3_get_ext_by_NID(x->extensions,nid,lastpos));
170 }
171
172int X509_REVOKED_get_ext_by_OBJ(X509_REVOKED *x, ASN1_OBJECT *obj,
173 int lastpos)
174 {
175 return(X509v3_get_ext_by_OBJ(x->extensions,obj,lastpos));
176 }
177
178int X509_REVOKED_get_ext_by_critical(X509_REVOKED *x, int crit, int lastpos)
179 {
180 return(X509v3_get_ext_by_critical(x->extensions,crit,lastpos));
181 }
182
183X509_EXTENSION *X509_REVOKED_get_ext(X509_REVOKED *x, int loc)
184 {
185 return(X509v3_get_ext(x->extensions,loc));
186 }
187
188X509_EXTENSION *X509_REVOKED_delete_ext(X509_REVOKED *x, int loc)
189 {
190 return(X509v3_delete_ext(x->extensions,loc));
191 }
192
193int X509_REVOKED_add_ext(X509_REVOKED *x, X509_EXTENSION *ex, int loc)
194 {
195 return(X509v3_add_ext(&(x->extensions),ex,loc) != NULL);
196 }
197
198void *X509_REVOKED_get_ext_d2i(X509_REVOKED *x, int nid, int *crit, int *idx)
199{
200 return X509V3_get_d2i(x->extensions, nid, crit, idx);
201}
202
203int X509_REVOKED_add1_ext_i2d(X509_REVOKED *x, int nid, void *value, int crit,
204 unsigned long flags)
205{
206 return X509V3_add1_i2d(&x->extensions, nid, value, crit, flags);
207}
208
209IMPLEMENT_STACK_OF(X509_EXTENSION)
210IMPLEMENT_ASN1_SET_OF(X509_EXTENSION)
diff --git a/src/lib/libcrypto/x509/x509_lu.c b/src/lib/libcrypto/x509/x509_lu.c
deleted file mode 100644
index 3a6e04a1de..0000000000
--- a/src/lib/libcrypto/x509/x509_lu.c
+++ /dev/null
@@ -1,716 +0,0 @@
1/* crypto/x509/x509_lu.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/lhash.h>
62#include <openssl/x509.h>
63#include <openssl/x509v3.h>
64
65X509_LOOKUP *X509_LOOKUP_new(X509_LOOKUP_METHOD *method)
66 {
67 X509_LOOKUP *ret;
68
69 ret=(X509_LOOKUP *)OPENSSL_malloc(sizeof(X509_LOOKUP));
70 if (ret == NULL) return NULL;
71
72 ret->init=0;
73 ret->skip=0;
74 ret->method=method;
75 ret->method_data=NULL;
76 ret->store_ctx=NULL;
77 if ((method->new_item != NULL) && !method->new_item(ret))
78 {
79 OPENSSL_free(ret);
80 return NULL;
81 }
82 return ret;
83 }
84
85void X509_LOOKUP_free(X509_LOOKUP *ctx)
86 {
87 if (ctx == NULL) return;
88 if ( (ctx->method != NULL) &&
89 (ctx->method->free != NULL))
90 ctx->method->free(ctx);
91 OPENSSL_free(ctx);
92 }
93
94int X509_LOOKUP_init(X509_LOOKUP *ctx)
95 {
96 if (ctx->method == NULL) return 0;
97 if (ctx->method->init != NULL)
98 return ctx->method->init(ctx);
99 else
100 return 1;
101 }
102
103int X509_LOOKUP_shutdown(X509_LOOKUP *ctx)
104 {
105 if (ctx->method == NULL) return 0;
106 if (ctx->method->shutdown != NULL)
107 return ctx->method->shutdown(ctx);
108 else
109 return 1;
110 }
111
112int X509_LOOKUP_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc, long argl,
113 char **ret)
114 {
115 if (ctx->method == NULL) return -1;
116 if (ctx->method->ctrl != NULL)
117 return ctx->method->ctrl(ctx,cmd,argc,argl,ret);
118 else
119 return 1;
120 }
121
122int X509_LOOKUP_by_subject(X509_LOOKUP *ctx, int type, X509_NAME *name,
123 X509_OBJECT *ret)
124 {
125 if ((ctx->method == NULL) || (ctx->method->get_by_subject == NULL))
126 return X509_LU_FAIL;
127 if (ctx->skip) return 0;
128 return ctx->method->get_by_subject(ctx,type,name,ret);
129 }
130
131int X509_LOOKUP_by_issuer_serial(X509_LOOKUP *ctx, int type, X509_NAME *name,
132 ASN1_INTEGER *serial, X509_OBJECT *ret)
133 {
134 if ((ctx->method == NULL) ||
135 (ctx->method->get_by_issuer_serial == NULL))
136 return X509_LU_FAIL;
137 return ctx->method->get_by_issuer_serial(ctx,type,name,serial,ret);
138 }
139
140int X509_LOOKUP_by_fingerprint(X509_LOOKUP *ctx, int type,
141 unsigned char *bytes, int len, X509_OBJECT *ret)
142 {
143 if ((ctx->method == NULL) || (ctx->method->get_by_fingerprint == NULL))
144 return X509_LU_FAIL;
145 return ctx->method->get_by_fingerprint(ctx,type,bytes,len,ret);
146 }
147
148int X509_LOOKUP_by_alias(X509_LOOKUP *ctx, int type, char *str, int len,
149 X509_OBJECT *ret)
150 {
151 if ((ctx->method == NULL) || (ctx->method->get_by_alias == NULL))
152 return X509_LU_FAIL;
153 return ctx->method->get_by_alias(ctx,type,str,len,ret);
154 }
155
156
157static int x509_object_cmp(const X509_OBJECT * const *a, const X509_OBJECT * const *b)
158 {
159 int ret;
160
161 ret=((*a)->type - (*b)->type);
162 if (ret) return ret;
163 switch ((*a)->type)
164 {
165 case X509_LU_X509:
166 ret=X509_subject_name_cmp((*a)->data.x509,(*b)->data.x509);
167 break;
168 case X509_LU_CRL:
169 ret=X509_CRL_cmp((*a)->data.crl,(*b)->data.crl);
170 break;
171 default:
172 /* abort(); */
173 return 0;
174 }
175 return ret;
176 }
177
178X509_STORE *X509_STORE_new(void)
179 {
180 X509_STORE *ret;
181
182 if ((ret=(X509_STORE *)OPENSSL_malloc(sizeof(X509_STORE))) == NULL)
183 return NULL;
184 ret->objs = sk_X509_OBJECT_new(x509_object_cmp);
185 ret->cache=1;
186 ret->get_cert_methods=sk_X509_LOOKUP_new_null();
187 ret->verify=0;
188 ret->verify_cb=0;
189
190 if ((ret->param = X509_VERIFY_PARAM_new()) == NULL)
191 return NULL;
192
193 ret->get_issuer = 0;
194 ret->check_issued = 0;
195 ret->check_revocation = 0;
196 ret->get_crl = 0;
197 ret->check_crl = 0;
198 ret->cert_crl = 0;
199 ret->lookup_certs = 0;
200 ret->lookup_crls = 0;
201 ret->cleanup = 0;
202
203 if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE, ret, &ret->ex_data))
204 {
205 sk_X509_OBJECT_free(ret->objs);
206 OPENSSL_free(ret);
207 return NULL;
208 }
209
210 ret->references=1;
211 return ret;
212 }
213
214static void cleanup(X509_OBJECT *a)
215 {
216 if (a->type == X509_LU_X509)
217 {
218 X509_free(a->data.x509);
219 }
220 else if (a->type == X509_LU_CRL)
221 {
222 X509_CRL_free(a->data.crl);
223 }
224 else
225 {
226 /* abort(); */
227 }
228
229 OPENSSL_free(a);
230 }
231
232void X509_STORE_free(X509_STORE *vfy)
233 {
234 int i;
235 STACK_OF(X509_LOOKUP) *sk;
236 X509_LOOKUP *lu;
237
238 if (vfy == NULL)
239 return;
240
241 sk=vfy->get_cert_methods;
242 for (i=0; i<sk_X509_LOOKUP_num(sk); i++)
243 {
244 lu=sk_X509_LOOKUP_value(sk,i);
245 X509_LOOKUP_shutdown(lu);
246 X509_LOOKUP_free(lu);
247 }
248 sk_X509_LOOKUP_free(sk);
249 sk_X509_OBJECT_pop_free(vfy->objs, cleanup);
250
251 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE, vfy, &vfy->ex_data);
252 if (vfy->param)
253 X509_VERIFY_PARAM_free(vfy->param);
254 OPENSSL_free(vfy);
255 }
256
257X509_LOOKUP *X509_STORE_add_lookup(X509_STORE *v, X509_LOOKUP_METHOD *m)
258 {
259 int i;
260 STACK_OF(X509_LOOKUP) *sk;
261 X509_LOOKUP *lu;
262
263 sk=v->get_cert_methods;
264 for (i=0; i<sk_X509_LOOKUP_num(sk); i++)
265 {
266 lu=sk_X509_LOOKUP_value(sk,i);
267 if (m == lu->method)
268 {
269 return lu;
270 }
271 }
272 /* a new one */
273 lu=X509_LOOKUP_new(m);
274 if (lu == NULL)
275 return NULL;
276 else
277 {
278 lu->store_ctx=v;
279 if (sk_X509_LOOKUP_push(v->get_cert_methods,lu))
280 return lu;
281 else
282 {
283 X509_LOOKUP_free(lu);
284 return NULL;
285 }
286 }
287 }
288
289int X509_STORE_get_by_subject(X509_STORE_CTX *vs, int type, X509_NAME *name,
290 X509_OBJECT *ret)
291 {
292 X509_STORE *ctx=vs->ctx;
293 X509_LOOKUP *lu;
294 X509_OBJECT stmp,*tmp;
295 int i,j;
296
297 CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
298 tmp=X509_OBJECT_retrieve_by_subject(ctx->objs,type,name);
299 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
300
301 if (tmp == NULL || type == X509_LU_CRL)
302 {
303 for (i=vs->current_method; i<sk_X509_LOOKUP_num(ctx->get_cert_methods); i++)
304 {
305 lu=sk_X509_LOOKUP_value(ctx->get_cert_methods,i);
306 j=X509_LOOKUP_by_subject(lu,type,name,&stmp);
307 if (j < 0)
308 {
309 vs->current_method=j;
310 return j;
311 }
312 else if (j)
313 {
314 tmp= &stmp;
315 break;
316 }
317 }
318 vs->current_method=0;
319 if (tmp == NULL)
320 return 0;
321 }
322
323/* if (ret->data.ptr != NULL)
324 X509_OBJECT_free_contents(ret); */
325
326 ret->type=tmp->type;
327 ret->data.ptr=tmp->data.ptr;
328
329 X509_OBJECT_up_ref_count(ret);
330
331 return 1;
332 }
333
334int X509_STORE_add_cert(X509_STORE *ctx, X509 *x)
335 {
336 X509_OBJECT *obj;
337 int ret=1;
338
339 if (x == NULL) return 0;
340 obj=(X509_OBJECT *)OPENSSL_malloc(sizeof(X509_OBJECT));
341 if (obj == NULL)
342 {
343 X509err(X509_F_X509_STORE_ADD_CERT,ERR_R_MALLOC_FAILURE);
344 return 0;
345 }
346 obj->type=X509_LU_X509;
347 obj->data.x509=x;
348
349 CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
350
351 X509_OBJECT_up_ref_count(obj);
352
353 if (X509_OBJECT_retrieve_match(ctx->objs, obj))
354 {
355 X509_OBJECT_free_contents(obj);
356 OPENSSL_free(obj);
357 X509err(X509_F_X509_STORE_ADD_CERT,X509_R_CERT_ALREADY_IN_HASH_TABLE);
358 ret=0;
359 }
360 else sk_X509_OBJECT_push(ctx->objs, obj);
361
362 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
363
364 return ret;
365 }
366
367int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x)
368 {
369 X509_OBJECT *obj;
370 int ret=1;
371
372 if (x == NULL) return 0;
373 obj=(X509_OBJECT *)OPENSSL_malloc(sizeof(X509_OBJECT));
374 if (obj == NULL)
375 {
376 X509err(X509_F_X509_STORE_ADD_CRL,ERR_R_MALLOC_FAILURE);
377 return 0;
378 }
379 obj->type=X509_LU_CRL;
380 obj->data.crl=x;
381
382 CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
383
384 X509_OBJECT_up_ref_count(obj);
385
386 if (X509_OBJECT_retrieve_match(ctx->objs, obj))
387 {
388 X509_OBJECT_free_contents(obj);
389 OPENSSL_free(obj);
390 X509err(X509_F_X509_STORE_ADD_CRL,X509_R_CERT_ALREADY_IN_HASH_TABLE);
391 ret=0;
392 }
393 else sk_X509_OBJECT_push(ctx->objs, obj);
394
395 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
396
397 return ret;
398 }
399
400void X509_OBJECT_up_ref_count(X509_OBJECT *a)
401 {
402 switch (a->type)
403 {
404 case X509_LU_X509:
405 CRYPTO_add(&a->data.x509->references,1,CRYPTO_LOCK_X509);
406 break;
407 case X509_LU_CRL:
408 CRYPTO_add(&a->data.crl->references,1,CRYPTO_LOCK_X509_CRL);
409 break;
410 }
411 }
412
413void X509_OBJECT_free_contents(X509_OBJECT *a)
414 {
415 switch (a->type)
416 {
417 case X509_LU_X509:
418 X509_free(a->data.x509);
419 break;
420 case X509_LU_CRL:
421 X509_CRL_free(a->data.crl);
422 break;
423 }
424 }
425
426static int x509_object_idx_cnt(STACK_OF(X509_OBJECT) *h, int type,
427 X509_NAME *name, int *pnmatch)
428 {
429 X509_OBJECT stmp;
430 X509 x509_s;
431 X509_CINF cinf_s;
432 X509_CRL crl_s;
433 X509_CRL_INFO crl_info_s;
434 int idx;
435
436 stmp.type=type;
437 switch (type)
438 {
439 case X509_LU_X509:
440 stmp.data.x509= &x509_s;
441 x509_s.cert_info= &cinf_s;
442 cinf_s.subject=name;
443 break;
444 case X509_LU_CRL:
445 stmp.data.crl= &crl_s;
446 crl_s.crl= &crl_info_s;
447 crl_info_s.issuer=name;
448 break;
449 default:
450 /* abort(); */
451 return -1;
452 }
453
454 idx = sk_X509_OBJECT_find(h,&stmp);
455 if (idx >= 0 && pnmatch)
456 {
457 int tidx;
458 const X509_OBJECT *tobj, *pstmp;
459 *pnmatch = 1;
460 pstmp = &stmp;
461 for (tidx = idx + 1; tidx < sk_X509_OBJECT_num(h); tidx++)
462 {
463 tobj = sk_X509_OBJECT_value(h, tidx);
464 if (x509_object_cmp(&tobj, &pstmp))
465 break;
466 (*pnmatch)++;
467 }
468 }
469 return idx;
470 }
471
472
473int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, int type,
474 X509_NAME *name)
475 {
476 return x509_object_idx_cnt(h, type, name, NULL);
477 }
478
479X509_OBJECT *X509_OBJECT_retrieve_by_subject(STACK_OF(X509_OBJECT) *h, int type,
480 X509_NAME *name)
481 {
482 int idx;
483 idx = X509_OBJECT_idx_by_subject(h, type, name);
484 if (idx==-1) return NULL;
485 return sk_X509_OBJECT_value(h, idx);
486 }
487
488STACK_OF(X509)* X509_STORE_get1_certs(X509_STORE_CTX *ctx, X509_NAME *nm)
489 {
490 int i, idx, cnt;
491 STACK_OF(X509) *sk;
492 X509 *x;
493 X509_OBJECT *obj;
494 sk = sk_X509_new_null();
495 CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
496 idx = x509_object_idx_cnt(ctx->ctx->objs, X509_LU_X509, nm, &cnt);
497 if (idx < 0)
498 {
499 /* Nothing found in cache: do lookup to possibly add new
500 * objects to cache
501 */
502 X509_OBJECT xobj;
503 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
504 if (!X509_STORE_get_by_subject(ctx, X509_LU_X509, nm, &xobj))
505 {
506 sk_X509_free(sk);
507 return NULL;
508 }
509 X509_OBJECT_free_contents(&xobj);
510 CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
511 idx = x509_object_idx_cnt(ctx->ctx->objs,X509_LU_X509,nm, &cnt);
512 if (idx < 0)
513 {
514 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
515 sk_X509_free(sk);
516 return NULL;
517 }
518 }
519 for (i = 0; i < cnt; i++, idx++)
520 {
521 obj = sk_X509_OBJECT_value(ctx->ctx->objs, idx);
522 x = obj->data.x509;
523 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
524 if (!sk_X509_push(sk, x))
525 {
526 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
527 X509_free(x);
528 sk_X509_pop_free(sk, X509_free);
529 return NULL;
530 }
531 }
532 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
533 return sk;
534
535 }
536
537STACK_OF(X509_CRL)* X509_STORE_get1_crls(X509_STORE_CTX *ctx, X509_NAME *nm)
538 {
539 int i, idx, cnt;
540 STACK_OF(X509_CRL) *sk;
541 X509_CRL *x;
542 X509_OBJECT *obj, xobj;
543 sk = sk_X509_CRL_new_null();
544 CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
545 /* Check cache first */
546 idx = x509_object_idx_cnt(ctx->ctx->objs, X509_LU_CRL, nm, &cnt);
547
548 /* Always do lookup to possibly add new CRLs to cache
549 */
550 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
551 if (!X509_STORE_get_by_subject(ctx, X509_LU_CRL, nm, &xobj))
552 {
553 sk_X509_CRL_free(sk);
554 return NULL;
555 }
556 X509_OBJECT_free_contents(&xobj);
557 CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
558 idx = x509_object_idx_cnt(ctx->ctx->objs,X509_LU_CRL, nm, &cnt);
559 if (idx < 0)
560 {
561 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
562 sk_X509_CRL_free(sk);
563 return NULL;
564 }
565
566 for (i = 0; i < cnt; i++, idx++)
567 {
568 obj = sk_X509_OBJECT_value(ctx->ctx->objs, idx);
569 x = obj->data.crl;
570 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509_CRL);
571 if (!sk_X509_CRL_push(sk, x))
572 {
573 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
574 X509_CRL_free(x);
575 sk_X509_CRL_pop_free(sk, X509_CRL_free);
576 return NULL;
577 }
578 }
579 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
580 return sk;
581 }
582
583X509_OBJECT *X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h, X509_OBJECT *x)
584 {
585 int idx, i;
586 X509_OBJECT *obj;
587 idx = sk_X509_OBJECT_find(h, x);
588 if (idx == -1) return NULL;
589 if ((x->type != X509_LU_X509) && (x->type != X509_LU_CRL))
590 return sk_X509_OBJECT_value(h, idx);
591 for (i = idx; i < sk_X509_OBJECT_num(h); i++)
592 {
593 obj = sk_X509_OBJECT_value(h, i);
594 if (x509_object_cmp((const X509_OBJECT **)&obj, (const X509_OBJECT **)&x))
595 return NULL;
596 if (x->type == X509_LU_X509)
597 {
598 if (!X509_cmp(obj->data.x509, x->data.x509))
599 return obj;
600 }
601 else if (x->type == X509_LU_CRL)
602 {
603 if (!X509_CRL_match(obj->data.crl, x->data.crl))
604 return obj;
605 }
606 else
607 return obj;
608 }
609 return NULL;
610 }
611
612
613/* Try to get issuer certificate from store. Due to limitations
614 * of the API this can only retrieve a single certificate matching
615 * a given subject name. However it will fill the cache with all
616 * matching certificates, so we can examine the cache for all
617 * matches.
618 *
619 * Return values are:
620 * 1 lookup successful.
621 * 0 certificate not found.
622 * -1 some other error.
623 */
624int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
625 {
626 X509_NAME *xn;
627 X509_OBJECT obj, *pobj;
628 int i, ok, idx, ret;
629 xn=X509_get_issuer_name(x);
630 ok=X509_STORE_get_by_subject(ctx,X509_LU_X509,xn,&obj);
631 if (ok != X509_LU_X509)
632 {
633 if (ok == X509_LU_RETRY)
634 {
635 X509_OBJECT_free_contents(&obj);
636 X509err(X509_F_X509_STORE_CTX_GET1_ISSUER,X509_R_SHOULD_RETRY);
637 return -1;
638 }
639 else if (ok != X509_LU_FAIL)
640 {
641 X509_OBJECT_free_contents(&obj);
642 /* not good :-(, break anyway */
643 return -1;
644 }
645 return 0;
646 }
647 /* If certificate matches all OK */
648 if (ctx->check_issued(ctx, x, obj.data.x509))
649 {
650 *issuer = obj.data.x509;
651 return 1;
652 }
653 X509_OBJECT_free_contents(&obj);
654
655 /* Else find index of first cert accepted by 'check_issued' */
656 ret = 0;
657 CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
658 idx = X509_OBJECT_idx_by_subject(ctx->ctx->objs, X509_LU_X509, xn);
659 if (idx != -1) /* should be true as we've had at least one match */
660 {
661 /* Look through all matching certs for suitable issuer */
662 for (i = idx; i < sk_X509_OBJECT_num(ctx->ctx->objs); i++)
663 {
664 pobj = sk_X509_OBJECT_value(ctx->ctx->objs, i);
665 /* See if we've run past the matches */
666 if (pobj->type != X509_LU_X509)
667 break;
668 if (X509_NAME_cmp(xn, X509_get_subject_name(pobj->data.x509)))
669 break;
670 if (ctx->check_issued(ctx, x, pobj->data.x509))
671 {
672 *issuer = pobj->data.x509;
673 X509_OBJECT_up_ref_count(pobj);
674 ret = 1;
675 break;
676 }
677 }
678 }
679 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
680 return ret;
681 }
682
683int X509_STORE_set_flags(X509_STORE *ctx, unsigned long flags)
684 {
685 return X509_VERIFY_PARAM_set_flags(ctx->param, flags);
686 }
687
688int X509_STORE_set_depth(X509_STORE *ctx, int depth)
689 {
690 X509_VERIFY_PARAM_set_depth(ctx->param, depth);
691 return 1;
692 }
693
694int X509_STORE_set_purpose(X509_STORE *ctx, int purpose)
695 {
696 return X509_VERIFY_PARAM_set_purpose(ctx->param, purpose);
697 }
698
699int X509_STORE_set_trust(X509_STORE *ctx, int trust)
700 {
701 return X509_VERIFY_PARAM_set_trust(ctx->param, trust);
702 }
703
704int X509_STORE_set1_param(X509_STORE *ctx, X509_VERIFY_PARAM *param)
705 {
706 return X509_VERIFY_PARAM_set1(ctx->param, param);
707 }
708
709void X509_STORE_set_verify_cb(X509_STORE *ctx,
710 int (*verify_cb)(int, X509_STORE_CTX *))
711 {
712 ctx->verify_cb = verify_cb;
713 }
714
715IMPLEMENT_STACK_OF(X509_LOOKUP)
716IMPLEMENT_STACK_OF(X509_OBJECT)
diff --git a/src/lib/libcrypto/x509/x509_obj.c b/src/lib/libcrypto/x509/x509_obj.c
deleted file mode 100644
index 21fed9f838..0000000000
--- a/src/lib/libcrypto/x509/x509_obj.c
+++ /dev/null
@@ -1,226 +0,0 @@
1/* crypto/x509/x509_obj.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/lhash.h>
62#include <openssl/objects.h>
63#include <openssl/x509.h>
64#include <openssl/buffer.h>
65
66char *X509_NAME_oneline(X509_NAME *a, char *buf, int len)
67 {
68 X509_NAME_ENTRY *ne;
69int i;
70 int n,lold,l,l1,l2,num,j,type;
71 const char *s;
72 char *p;
73 unsigned char *q;
74 BUF_MEM *b=NULL;
75 static const char hex[17]="0123456789ABCDEF";
76 int gs_doit[4];
77 char tmp_buf[80];
78#ifdef CHARSET_EBCDIC
79 char ebcdic_buf[1024];
80#endif
81
82 if (buf == NULL)
83 {
84 if ((b=BUF_MEM_new()) == NULL) goto err;
85 if (!BUF_MEM_grow(b,200)) goto err;
86 b->data[0]='\0';
87 len=200;
88 }
89 if (a == NULL)
90 {
91 if(b)
92 {
93 buf=b->data;
94 OPENSSL_free(b);
95 }
96 strncpy(buf,"NO X509_NAME",len);
97 buf[len-1]='\0';
98 return buf;
99 }
100
101 len--; /* space for '\0' */
102 l=0;
103 for (i=0; i<sk_X509_NAME_ENTRY_num(a->entries); i++)
104 {
105 ne=sk_X509_NAME_ENTRY_value(a->entries,i);
106 n=OBJ_obj2nid(ne->object);
107 if ((n == NID_undef) || ((s=OBJ_nid2sn(n)) == NULL))
108 {
109 i2t_ASN1_OBJECT(tmp_buf,sizeof(tmp_buf),ne->object);
110 s=tmp_buf;
111 }
112 l1=strlen(s);
113
114 type=ne->value->type;
115 num=ne->value->length;
116 q=ne->value->data;
117#ifdef CHARSET_EBCDIC
118 if (type == V_ASN1_GENERALSTRING ||
119 type == V_ASN1_VISIBLESTRING ||
120 type == V_ASN1_PRINTABLESTRING ||
121 type == V_ASN1_TELETEXSTRING ||
122 type == V_ASN1_VISIBLESTRING ||
123 type == V_ASN1_IA5STRING) {
124 ascii2ebcdic(ebcdic_buf, q,
125 (num > sizeof ebcdic_buf)
126 ? sizeof ebcdic_buf : num);
127 q=ebcdic_buf;
128 }
129#endif
130
131 if ((type == V_ASN1_GENERALSTRING) && ((num%4) == 0))
132 {
133 gs_doit[0]=gs_doit[1]=gs_doit[2]=gs_doit[3]=0;
134 for (j=0; j<num; j++)
135 if (q[j] != 0) gs_doit[j&3]=1;
136
137 if (gs_doit[0]|gs_doit[1]|gs_doit[2])
138 gs_doit[0]=gs_doit[1]=gs_doit[2]=gs_doit[3]=1;
139 else
140 {
141 gs_doit[0]=gs_doit[1]=gs_doit[2]=0;
142 gs_doit[3]=1;
143 }
144 }
145 else
146 gs_doit[0]=gs_doit[1]=gs_doit[2]=gs_doit[3]=1;
147
148 for (l2=j=0; j<num; j++)
149 {
150 if (!gs_doit[j&3]) continue;
151 l2++;
152#ifndef CHARSET_EBCDIC
153 if ((q[j] < ' ') || (q[j] > '~')) l2+=3;
154#else
155 if ((os_toascii[q[j]] < os_toascii[' ']) ||
156 (os_toascii[q[j]] > os_toascii['~'])) l2+=3;
157#endif
158 }
159
160 lold=l;
161 l+=1+l1+1+l2;
162 if (b != NULL)
163 {
164 if (!BUF_MEM_grow(b,l+1)) goto err;
165 p= &(b->data[lold]);
166 }
167 else if (l > len)
168 {
169 break;
170 }
171 else
172 p= &(buf[lold]);
173 *(p++)='/';
174 memcpy(p,s,(unsigned int)l1); p+=l1;
175 *(p++)='=';
176
177#ifndef CHARSET_EBCDIC /* q was assigned above already. */
178 q=ne->value->data;
179#endif
180
181 for (j=0; j<num; j++)
182 {
183 if (!gs_doit[j&3]) continue;
184#ifndef CHARSET_EBCDIC
185 n=q[j];
186 if ((n < ' ') || (n > '~'))
187 {
188 *(p++)='\\';
189 *(p++)='x';
190 *(p++)=hex[(n>>4)&0x0f];
191 *(p++)=hex[n&0x0f];
192 }
193 else
194 *(p++)=n;
195#else
196 n=os_toascii[q[j]];
197 if ((n < os_toascii[' ']) ||
198 (n > os_toascii['~']))
199 {
200 *(p++)='\\';
201 *(p++)='x';
202 *(p++)=hex[(n>>4)&0x0f];
203 *(p++)=hex[n&0x0f];
204 }
205 else
206 *(p++)=q[j];
207#endif
208 }
209 *p='\0';
210 }
211 if (b != NULL)
212 {
213 p=b->data;
214 OPENSSL_free(b);
215 }
216 else
217 p=buf;
218 if (i == 0)
219 *p = '\0';
220 return(p);
221err:
222 X509err(X509_F_X509_NAME_ONELINE,ERR_R_MALLOC_FAILURE);
223 if (b != NULL) BUF_MEM_free(b);
224 return(NULL);
225 }
226
diff --git a/src/lib/libcrypto/x509/x509_r2x.c b/src/lib/libcrypto/x509/x509_r2x.c
deleted file mode 100644
index 254a14693d..0000000000
--- a/src/lib/libcrypto/x509/x509_r2x.c
+++ /dev/null
@@ -1,114 +0,0 @@
1/* crypto/x509/x509_r2x.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/bn.h>
62#include <openssl/evp.h>
63#include <openssl/asn1.h>
64#include <openssl/x509.h>
65#include <openssl/objects.h>
66#include <openssl/buffer.h>
67
68X509 *X509_REQ_to_X509(X509_REQ *r, int days, EVP_PKEY *pkey)
69 {
70 X509 *ret=NULL;
71 X509_CINF *xi=NULL;
72 X509_NAME *xn;
73
74 if ((ret=X509_new()) == NULL)
75 {
76 X509err(X509_F_X509_REQ_TO_X509,ERR_R_MALLOC_FAILURE);
77 goto err;
78 }
79
80 /* duplicate the request */
81 xi=ret->cert_info;
82
83 if (sk_X509_ATTRIBUTE_num(r->req_info->attributes) != 0)
84 {
85 if ((xi->version=M_ASN1_INTEGER_new()) == NULL) goto err;
86 if (!ASN1_INTEGER_set(xi->version,2)) goto err;
87/* xi->extensions=ri->attributes; <- bad, should not ever be done
88 ri->attributes=NULL; */
89 }
90
91 xn=X509_REQ_get_subject_name(r);
92 if (X509_set_subject_name(ret,X509_NAME_dup(xn)) == 0)
93 goto err;
94 if (X509_set_issuer_name(ret,X509_NAME_dup(xn)) == 0)
95 goto err;
96
97 if (X509_gmtime_adj(xi->validity->notBefore,0) == NULL)
98 goto err;
99 if (X509_gmtime_adj(xi->validity->notAfter,(long)60*60*24*days) == NULL)
100 goto err;
101
102 X509_set_pubkey(ret,X509_REQ_get_pubkey(r));
103
104 if (!X509_sign(ret,pkey,EVP_md5()))
105 goto err;
106 if (0)
107 {
108err:
109 X509_free(ret);
110 ret=NULL;
111 }
112 return(ret);
113 }
114
diff --git a/src/lib/libcrypto/x509/x509_req.c b/src/lib/libcrypto/x509/x509_req.c
deleted file mode 100644
index 48183dc00c..0000000000
--- a/src/lib/libcrypto/x509/x509_req.c
+++ /dev/null
@@ -1,316 +0,0 @@
1/* crypto/x509/x509_req.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/bn.h>
62#include <openssl/evp.h>
63#include <openssl/asn1.h>
64#include <openssl/asn1t.h>
65#include <openssl/x509.h>
66#include <openssl/objects.h>
67#include <openssl/buffer.h>
68#include <openssl/pem.h>
69
70X509_REQ *X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, const EVP_MD *md)
71 {
72 X509_REQ *ret;
73 X509_REQ_INFO *ri;
74 int i;
75 EVP_PKEY *pktmp;
76
77 ret=X509_REQ_new();
78 if (ret == NULL)
79 {
80 X509err(X509_F_X509_TO_X509_REQ,ERR_R_MALLOC_FAILURE);
81 goto err;
82 }
83
84 ri=ret->req_info;
85
86 ri->version->length=1;
87 ri->version->data=(unsigned char *)OPENSSL_malloc(1);
88 if (ri->version->data == NULL) goto err;
89 ri->version->data[0]=0; /* version == 0 */
90
91 if (!X509_REQ_set_subject_name(ret,X509_get_subject_name(x)))
92 goto err;
93
94 pktmp = X509_get_pubkey(x);
95 i=X509_REQ_set_pubkey(ret,pktmp);
96 EVP_PKEY_free(pktmp);
97 if (!i) goto err;
98
99 if (pkey != NULL)
100 {
101 if (!X509_REQ_sign(ret,pkey,md))
102 goto err;
103 }
104 return(ret);
105err:
106 X509_REQ_free(ret);
107 return(NULL);
108 }
109
110EVP_PKEY *X509_REQ_get_pubkey(X509_REQ *req)
111 {
112 if ((req == NULL) || (req->req_info == NULL))
113 return(NULL);
114 return(X509_PUBKEY_get(req->req_info->pubkey));
115 }
116
117int X509_REQ_check_private_key(X509_REQ *x, EVP_PKEY *k)
118 {
119 EVP_PKEY *xk=NULL;
120 int ok=0;
121
122 xk=X509_REQ_get_pubkey(x);
123 switch (EVP_PKEY_cmp(xk, k))
124 {
125 case 1:
126 ok=1;
127 break;
128 case 0:
129 X509err(X509_F_X509_REQ_CHECK_PRIVATE_KEY,X509_R_KEY_VALUES_MISMATCH);
130 break;
131 case -1:
132 X509err(X509_F_X509_REQ_CHECK_PRIVATE_KEY,X509_R_KEY_TYPE_MISMATCH);
133 break;
134 case -2:
135#ifndef OPENSSL_NO_EC
136 if (k->type == EVP_PKEY_EC)
137 {
138 X509err(X509_F_X509_REQ_CHECK_PRIVATE_KEY, ERR_R_EC_LIB);
139 break;
140 }
141#endif
142#ifndef OPENSSL_NO_DH
143 if (k->type == EVP_PKEY_DH)
144 {
145 /* No idea */
146 X509err(X509_F_X509_REQ_CHECK_PRIVATE_KEY,X509_R_CANT_CHECK_DH_KEY);
147 break;
148 }
149#endif
150 X509err(X509_F_X509_REQ_CHECK_PRIVATE_KEY,X509_R_UNKNOWN_KEY_TYPE);
151 }
152
153 EVP_PKEY_free(xk);
154 return(ok);
155 }
156
157/* It seems several organisations had the same idea of including a list of
158 * extensions in a certificate request. There are at least two OIDs that are
159 * used and there may be more: so the list is configurable.
160 */
161
162static int ext_nid_list[] = { NID_ext_req, NID_ms_ext_req, NID_undef};
163
164static int *ext_nids = ext_nid_list;
165
166int X509_REQ_extension_nid(int req_nid)
167{
168 int i, nid;
169 for(i = 0; ; i++) {
170 nid = ext_nids[i];
171 if(nid == NID_undef) return 0;
172 else if (req_nid == nid) return 1;
173 }
174}
175
176int *X509_REQ_get_extension_nids(void)
177{
178 return ext_nids;
179}
180
181void X509_REQ_set_extension_nids(int *nids)
182{
183 ext_nids = nids;
184}
185
186STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req)
187 {
188 X509_ATTRIBUTE *attr;
189 ASN1_TYPE *ext = NULL;
190 int idx, *pnid;
191 const unsigned char *p;
192
193 if ((req == NULL) || (req->req_info == NULL) || !ext_nids)
194 return(NULL);
195 for (pnid = ext_nids; *pnid != NID_undef; pnid++)
196 {
197 idx = X509_REQ_get_attr_by_NID(req, *pnid, -1);
198 if (idx == -1)
199 continue;
200 attr = X509_REQ_get_attr(req, idx);
201 if(attr->single) ext = attr->value.single;
202 else if(sk_ASN1_TYPE_num(attr->value.set))
203 ext = sk_ASN1_TYPE_value(attr->value.set, 0);
204 break;
205 }
206 if(!ext || (ext->type != V_ASN1_SEQUENCE))
207 return NULL;
208 p = ext->value.sequence->data;
209 return (STACK_OF(X509_EXTENSION) *)
210 ASN1_item_d2i(NULL, &p, ext->value.sequence->length,
211 ASN1_ITEM_rptr(X509_EXTENSIONS));
212}
213
214/* Add a STACK_OF extensions to a certificate request: allow alternative OIDs
215 * in case we want to create a non standard one.
216 */
217
218int X509_REQ_add_extensions_nid(X509_REQ *req, STACK_OF(X509_EXTENSION) *exts,
219 int nid)
220{
221 ASN1_TYPE *at = NULL;
222 X509_ATTRIBUTE *attr = NULL;
223 if(!(at = ASN1_TYPE_new()) ||
224 !(at->value.sequence = ASN1_STRING_new())) goto err;
225
226 at->type = V_ASN1_SEQUENCE;
227 /* Generate encoding of extensions */
228 at->value.sequence->length =
229 ASN1_item_i2d((ASN1_VALUE *)exts,
230 &at->value.sequence->data,
231 ASN1_ITEM_rptr(X509_EXTENSIONS));
232 if(!(attr = X509_ATTRIBUTE_new())) goto err;
233 if(!(attr->value.set = sk_ASN1_TYPE_new_null())) goto err;
234 if(!sk_ASN1_TYPE_push(attr->value.set, at)) goto err;
235 at = NULL;
236 attr->single = 0;
237 attr->object = OBJ_nid2obj(nid);
238 if (!req->req_info->attributes)
239 {
240 if (!(req->req_info->attributes = sk_X509_ATTRIBUTE_new_null()))
241 goto err;
242 }
243 if(!sk_X509_ATTRIBUTE_push(req->req_info->attributes, attr)) goto err;
244 return 1;
245 err:
246 X509_ATTRIBUTE_free(attr);
247 ASN1_TYPE_free(at);
248 return 0;
249}
250/* This is the normal usage: use the "official" OID */
251int X509_REQ_add_extensions(X509_REQ *req, STACK_OF(X509_EXTENSION) *exts)
252{
253 return X509_REQ_add_extensions_nid(req, exts, NID_ext_req);
254}
255
256/* Request attribute functions */
257
258int X509_REQ_get_attr_count(const X509_REQ *req)
259{
260 return X509at_get_attr_count(req->req_info->attributes);
261}
262
263int X509_REQ_get_attr_by_NID(const X509_REQ *req, int nid,
264 int lastpos)
265{
266 return X509at_get_attr_by_NID(req->req_info->attributes, nid, lastpos);
267}
268
269int X509_REQ_get_attr_by_OBJ(const X509_REQ *req, ASN1_OBJECT *obj,
270 int lastpos)
271{
272 return X509at_get_attr_by_OBJ(req->req_info->attributes, obj, lastpos);
273}
274
275X509_ATTRIBUTE *X509_REQ_get_attr(const X509_REQ *req, int loc)
276{
277 return X509at_get_attr(req->req_info->attributes, loc);
278}
279
280X509_ATTRIBUTE *X509_REQ_delete_attr(X509_REQ *req, int loc)
281{
282 return X509at_delete_attr(req->req_info->attributes, loc);
283}
284
285int X509_REQ_add1_attr(X509_REQ *req, X509_ATTRIBUTE *attr)
286{
287 if(X509at_add1_attr(&req->req_info->attributes, attr)) return 1;
288 return 0;
289}
290
291int X509_REQ_add1_attr_by_OBJ(X509_REQ *req,
292 const ASN1_OBJECT *obj, int type,
293 const unsigned char *bytes, int len)
294{
295 if(X509at_add1_attr_by_OBJ(&req->req_info->attributes, obj,
296 type, bytes, len)) return 1;
297 return 0;
298}
299
300int X509_REQ_add1_attr_by_NID(X509_REQ *req,
301 int nid, int type,
302 const unsigned char *bytes, int len)
303{
304 if(X509at_add1_attr_by_NID(&req->req_info->attributes, nid,
305 type, bytes, len)) return 1;
306 return 0;
307}
308
309int X509_REQ_add1_attr_by_txt(X509_REQ *req,
310 const char *attrname, int type,
311 const unsigned char *bytes, int len)
312{
313 if(X509at_add1_attr_by_txt(&req->req_info->attributes, attrname,
314 type, bytes, len)) return 1;
315 return 0;
316}
diff --git a/src/lib/libcrypto/x509/x509_set.c b/src/lib/libcrypto/x509/x509_set.c
deleted file mode 100644
index 4b94fc5847..0000000000
--- a/src/lib/libcrypto/x509/x509_set.c
+++ /dev/null
@@ -1,150 +0,0 @@
1/* crypto/x509/x509_set.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/asn1.h>
62#include <openssl/objects.h>
63#include <openssl/evp.h>
64#include <openssl/x509.h>
65
66int X509_set_version(X509 *x, long version)
67 {
68 if (x == NULL) return(0);
69 if (x->cert_info->version == NULL)
70 {
71 if ((x->cert_info->version=M_ASN1_INTEGER_new()) == NULL)
72 return(0);
73 }
74 return(ASN1_INTEGER_set(x->cert_info->version,version));
75 }
76
77int X509_set_serialNumber(X509 *x, ASN1_INTEGER *serial)
78 {
79 ASN1_INTEGER *in;
80
81 if (x == NULL) return(0);
82 in=x->cert_info->serialNumber;
83 if (in != serial)
84 {
85 in=M_ASN1_INTEGER_dup(serial);
86 if (in != NULL)
87 {
88 M_ASN1_INTEGER_free(x->cert_info->serialNumber);
89 x->cert_info->serialNumber=in;
90 }
91 }
92 return(in != NULL);
93 }
94
95int X509_set_issuer_name(X509 *x, X509_NAME *name)
96 {
97 if ((x == NULL) || (x->cert_info == NULL)) return(0);
98 return(X509_NAME_set(&x->cert_info->issuer,name));
99 }
100
101int X509_set_subject_name(X509 *x, X509_NAME *name)
102 {
103 if ((x == NULL) || (x->cert_info == NULL)) return(0);
104 return(X509_NAME_set(&x->cert_info->subject,name));
105 }
106
107int X509_set_notBefore(X509 *x, const ASN1_TIME *tm)
108 {
109 ASN1_TIME *in;
110
111 if ((x == NULL) || (x->cert_info->validity == NULL)) return(0);
112 in=x->cert_info->validity->notBefore;
113 if (in != tm)
114 {
115 in=M_ASN1_TIME_dup(tm);
116 if (in != NULL)
117 {
118 M_ASN1_TIME_free(x->cert_info->validity->notBefore);
119 x->cert_info->validity->notBefore=in;
120 }
121 }
122 return(in != NULL);
123 }
124
125int X509_set_notAfter(X509 *x, const ASN1_TIME *tm)
126 {
127 ASN1_TIME *in;
128
129 if ((x == NULL) || (x->cert_info->validity == NULL)) return(0);
130 in=x->cert_info->validity->notAfter;
131 if (in != tm)
132 {
133 in=M_ASN1_TIME_dup(tm);
134 if (in != NULL)
135 {
136 M_ASN1_TIME_free(x->cert_info->validity->notAfter);
137 x->cert_info->validity->notAfter=in;
138 }
139 }
140 return(in != NULL);
141 }
142
143int X509_set_pubkey(X509 *x, EVP_PKEY *pkey)
144 {
145 if ((x == NULL) || (x->cert_info == NULL)) return(0);
146 return(X509_PUBKEY_set(&(x->cert_info->key),pkey));
147 }
148
149
150
diff --git a/src/lib/libcrypto/x509/x509_trs.c b/src/lib/libcrypto/x509/x509_trs.c
deleted file mode 100644
index a6cb9c8b1b..0000000000
--- a/src/lib/libcrypto/x509/x509_trs.c
+++ /dev/null
@@ -1,288 +0,0 @@
1/* x509_trs.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/x509v3.h>
62
63
64static int tr_cmp(const X509_TRUST * const *a,
65 const X509_TRUST * const *b);
66static void trtable_free(X509_TRUST *p);
67
68static int trust_1oidany(X509_TRUST *trust, X509 *x, int flags);
69static int trust_1oid(X509_TRUST *trust, X509 *x, int flags);
70static int trust_compat(X509_TRUST *trust, X509 *x, int flags);
71
72static int obj_trust(int id, X509 *x, int flags);
73static int (*default_trust)(int id, X509 *x, int flags) = obj_trust;
74
75/* WARNING: the following table should be kept in order of trust
76 * and without any gaps so we can just subtract the minimum trust
77 * value to get an index into the table
78 */
79
80static X509_TRUST trstandard[] = {
81{X509_TRUST_COMPAT, 0, trust_compat, "compatible", 0, NULL},
82{X509_TRUST_SSL_CLIENT, 0, trust_1oidany, "SSL Client", NID_client_auth, NULL},
83{X509_TRUST_SSL_SERVER, 0, trust_1oidany, "SSL Server", NID_server_auth, NULL},
84{X509_TRUST_EMAIL, 0, trust_1oidany, "S/MIME email", NID_email_protect, NULL},
85{X509_TRUST_OBJECT_SIGN, 0, trust_1oidany, "Object Signer", NID_code_sign, NULL},
86{X509_TRUST_OCSP_SIGN, 0, trust_1oid, "OCSP responder", NID_OCSP_sign, NULL},
87{X509_TRUST_OCSP_REQUEST, 0, trust_1oid, "OCSP request", NID_ad_OCSP, NULL},
88{X509_TRUST_TSA, 0, trust_1oidany, "TSA server", NID_time_stamp, NULL}
89};
90
91#define X509_TRUST_COUNT (sizeof(trstandard)/sizeof(X509_TRUST))
92
93IMPLEMENT_STACK_OF(X509_TRUST)
94
95static STACK_OF(X509_TRUST) *trtable = NULL;
96
97static int tr_cmp(const X509_TRUST * const *a,
98 const X509_TRUST * const *b)
99{
100 return (*a)->trust - (*b)->trust;
101}
102
103int (*X509_TRUST_set_default(int (*trust)(int , X509 *, int)))(int, X509 *, int)
104{
105 int (*oldtrust)(int , X509 *, int);
106 oldtrust = default_trust;
107 default_trust = trust;
108 return oldtrust;
109}
110
111
112int X509_check_trust(X509 *x, int id, int flags)
113{
114 X509_TRUST *pt;
115 int idx;
116 if(id == -1) return 1;
117 idx = X509_TRUST_get_by_id(id);
118 if(idx == -1) return default_trust(id, x, flags);
119 pt = X509_TRUST_get0(idx);
120 return pt->check_trust(pt, x, flags);
121}
122
123int X509_TRUST_get_count(void)
124{
125 if(!trtable) return X509_TRUST_COUNT;
126 return sk_X509_TRUST_num(trtable) + X509_TRUST_COUNT;
127}
128
129X509_TRUST * X509_TRUST_get0(int idx)
130{
131 if(idx < 0) return NULL;
132 if(idx < (int)X509_TRUST_COUNT) return trstandard + idx;
133 return sk_X509_TRUST_value(trtable, idx - X509_TRUST_COUNT);
134}
135
136int X509_TRUST_get_by_id(int id)
137{
138 X509_TRUST tmp;
139 int idx;
140 if((id >= X509_TRUST_MIN) && (id <= X509_TRUST_MAX))
141 return id - X509_TRUST_MIN;
142 tmp.trust = id;
143 if(!trtable) return -1;
144 idx = sk_X509_TRUST_find(trtable, &tmp);
145 if(idx == -1) return -1;
146 return idx + X509_TRUST_COUNT;
147}
148
149int X509_TRUST_set(int *t, int trust)
150{
151 if(X509_TRUST_get_by_id(trust) == -1) {
152 X509err(X509_F_X509_TRUST_SET, X509_R_INVALID_TRUST);
153 return 0;
154 }
155 *t = trust;
156 return 1;
157}
158
159int X509_TRUST_add(int id, int flags, int (*ck)(X509_TRUST *, X509 *, int),
160 char *name, int arg1, void *arg2)
161{
162 int idx;
163 X509_TRUST *trtmp;
164 /* This is set according to what we change: application can't set it */
165 flags &= ~X509_TRUST_DYNAMIC;
166 /* This will always be set for application modified trust entries */
167 flags |= X509_TRUST_DYNAMIC_NAME;
168 /* Get existing entry if any */
169 idx = X509_TRUST_get_by_id(id);
170 /* Need a new entry */
171 if(idx == -1) {
172 if(!(trtmp = OPENSSL_malloc(sizeof(X509_TRUST)))) {
173 X509err(X509_F_X509_TRUST_ADD,ERR_R_MALLOC_FAILURE);
174 return 0;
175 }
176 trtmp->flags = X509_TRUST_DYNAMIC;
177 } else trtmp = X509_TRUST_get0(idx);
178
179 /* OPENSSL_free existing name if dynamic */
180 if(trtmp->flags & X509_TRUST_DYNAMIC_NAME) OPENSSL_free(trtmp->name);
181 /* dup supplied name */
182 if(!(trtmp->name = BUF_strdup(name))) {
183 X509err(X509_F_X509_TRUST_ADD,ERR_R_MALLOC_FAILURE);
184 return 0;
185 }
186 /* Keep the dynamic flag of existing entry */
187 trtmp->flags &= X509_TRUST_DYNAMIC;
188 /* Set all other flags */
189 trtmp->flags |= flags;
190
191 trtmp->trust = id;
192 trtmp->check_trust = ck;
193 trtmp->arg1 = arg1;
194 trtmp->arg2 = arg2;
195
196 /* If its a new entry manage the dynamic table */
197 if(idx == -1) {
198 if(!trtable && !(trtable = sk_X509_TRUST_new(tr_cmp))) {
199 X509err(X509_F_X509_TRUST_ADD,ERR_R_MALLOC_FAILURE);
200 return 0;
201 }
202 if (!sk_X509_TRUST_push(trtable, trtmp)) {
203 X509err(X509_F_X509_TRUST_ADD,ERR_R_MALLOC_FAILURE);
204 return 0;
205 }
206 }
207 return 1;
208}
209
210static void trtable_free(X509_TRUST *p)
211 {
212 if(!p) return;
213 if (p->flags & X509_TRUST_DYNAMIC)
214 {
215 if (p->flags & X509_TRUST_DYNAMIC_NAME)
216 OPENSSL_free(p->name);
217 OPENSSL_free(p);
218 }
219 }
220
221void X509_TRUST_cleanup(void)
222{
223 unsigned int i;
224 for(i = 0; i < X509_TRUST_COUNT; i++) trtable_free(trstandard + i);
225 sk_X509_TRUST_pop_free(trtable, trtable_free);
226 trtable = NULL;
227}
228
229int X509_TRUST_get_flags(X509_TRUST *xp)
230{
231 return xp->flags;
232}
233
234char *X509_TRUST_get0_name(X509_TRUST *xp)
235{
236 return xp->name;
237}
238
239int X509_TRUST_get_trust(X509_TRUST *xp)
240{
241 return xp->trust;
242}
243
244static int trust_1oidany(X509_TRUST *trust, X509 *x, int flags)
245{
246 if(x->aux && (x->aux->trust || x->aux->reject))
247 return obj_trust(trust->arg1, x, flags);
248 /* we don't have any trust settings: for compatibility
249 * we return trusted if it is self signed
250 */
251 return trust_compat(trust, x, flags);
252}
253
254static int trust_1oid(X509_TRUST *trust, X509 *x, int flags)
255{
256 if(x->aux) return obj_trust(trust->arg1, x, flags);
257 return X509_TRUST_UNTRUSTED;
258}
259
260static int trust_compat(X509_TRUST *trust, X509 *x, int flags)
261{
262 X509_check_purpose(x, -1, 0);
263 if(x->ex_flags & EXFLAG_SS) return X509_TRUST_TRUSTED;
264 else return X509_TRUST_UNTRUSTED;
265}
266
267static int obj_trust(int id, X509 *x, int flags)
268{
269 ASN1_OBJECT *obj;
270 int i;
271 X509_CERT_AUX *ax;
272 ax = x->aux;
273 if(!ax) return X509_TRUST_UNTRUSTED;
274 if(ax->reject) {
275 for(i = 0; i < sk_ASN1_OBJECT_num(ax->reject); i++) {
276 obj = sk_ASN1_OBJECT_value(ax->reject, i);
277 if(OBJ_obj2nid(obj) == id) return X509_TRUST_REJECTED;
278 }
279 }
280 if(ax->trust) {
281 for(i = 0; i < sk_ASN1_OBJECT_num(ax->trust); i++) {
282 obj = sk_ASN1_OBJECT_value(ax->trust, i);
283 if(OBJ_obj2nid(obj) == id) return X509_TRUST_TRUSTED;
284 }
285 }
286 return X509_TRUST_UNTRUSTED;
287}
288
diff --git a/src/lib/libcrypto/x509/x509_txt.c b/src/lib/libcrypto/x509/x509_txt.c
deleted file mode 100644
index c44f753c46..0000000000
--- a/src/lib/libcrypto/x509/x509_txt.c
+++ /dev/null
@@ -1,193 +0,0 @@
1/* crypto/x509/x509_txt.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include <time.h>
61#include <errno.h>
62
63#include "cryptlib.h"
64#include <openssl/lhash.h>
65#include <openssl/buffer.h>
66#include <openssl/evp.h>
67#include <openssl/asn1.h>
68#include <openssl/x509.h>
69#include <openssl/objects.h>
70
71const char *X509_verify_cert_error_string(long n)
72 {
73 static char buf[100];
74
75 switch ((int)n)
76 {
77 case X509_V_OK:
78 return("ok");
79 case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
80 return("unable to get issuer certificate");
81 case X509_V_ERR_UNABLE_TO_GET_CRL:
82 return("unable to get certificate CRL");
83 case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE:
84 return("unable to decrypt certificate's signature");
85 case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE:
86 return("unable to decrypt CRL's signature");
87 case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY:
88 return("unable to decode issuer public key");
89 case X509_V_ERR_CERT_SIGNATURE_FAILURE:
90 return("certificate signature failure");
91 case X509_V_ERR_CRL_SIGNATURE_FAILURE:
92 return("CRL signature failure");
93 case X509_V_ERR_CERT_NOT_YET_VALID:
94 return("certificate is not yet valid");
95 case X509_V_ERR_CRL_NOT_YET_VALID:
96 return("CRL is not yet valid");
97 case X509_V_ERR_CERT_HAS_EXPIRED:
98 return("certificate has expired");
99 case X509_V_ERR_CRL_HAS_EXPIRED:
100 return("CRL has expired");
101 case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
102 return("format error in certificate's notBefore field");
103 case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
104 return("format error in certificate's notAfter field");
105 case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD:
106 return("format error in CRL's lastUpdate field");
107 case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD:
108 return("format error in CRL's nextUpdate field");
109 case X509_V_ERR_OUT_OF_MEM:
110 return("out of memory");
111 case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
112 return("self signed certificate");
113 case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
114 return("self signed certificate in certificate chain");
115 case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
116 return("unable to get local issuer certificate");
117 case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
118 return("unable to verify the first certificate");
119 case X509_V_ERR_CERT_CHAIN_TOO_LONG:
120 return("certificate chain too long");
121 case X509_V_ERR_CERT_REVOKED:
122 return("certificate revoked");
123 case X509_V_ERR_INVALID_CA:
124 return ("invalid CA certificate");
125 case X509_V_ERR_INVALID_NON_CA:
126 return ("invalid non-CA certificate (has CA markings)");
127 case X509_V_ERR_PATH_LENGTH_EXCEEDED:
128 return ("path length constraint exceeded");
129 case X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED:
130 return("proxy path length constraint exceeded");
131 case X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED:
132 return("proxy certificates not allowed, please set the appropriate flag");
133 case X509_V_ERR_INVALID_PURPOSE:
134 return ("unsupported certificate purpose");
135 case X509_V_ERR_CERT_UNTRUSTED:
136 return ("certificate not trusted");
137 case X509_V_ERR_CERT_REJECTED:
138 return ("certificate rejected");
139 case X509_V_ERR_APPLICATION_VERIFICATION:
140 return("application verification failure");
141 case X509_V_ERR_SUBJECT_ISSUER_MISMATCH:
142 return("subject issuer mismatch");
143 case X509_V_ERR_AKID_SKID_MISMATCH:
144 return("authority and subject key identifier mismatch");
145 case X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH:
146 return("authority and issuer serial number mismatch");
147 case X509_V_ERR_KEYUSAGE_NO_CERTSIGN:
148 return("key usage does not include certificate signing");
149 case X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER:
150 return("unable to get CRL issuer certificate");
151 case X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION:
152 return("unhandled critical extension");
153 case X509_V_ERR_KEYUSAGE_NO_CRL_SIGN:
154 return("key usage does not include CRL signing");
155 case X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE:
156 return("key usage does not include digital signature");
157 case X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION:
158 return("unhandled critical CRL extension");
159 case X509_V_ERR_INVALID_EXTENSION:
160 return("invalid or inconsistent certificate extension");
161 case X509_V_ERR_INVALID_POLICY_EXTENSION:
162 return("invalid or inconsistent certificate policy extension");
163 case X509_V_ERR_NO_EXPLICIT_POLICY:
164 return("no explicit policy");
165 case X509_V_ERR_DIFFERENT_CRL_SCOPE:
166 return("Different CRL scope");
167 case X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE:
168 return("Unsupported extension feature");
169 case X509_V_ERR_UNNESTED_RESOURCE:
170 return("RFC 3779 resource not subset of parent's resources");
171
172 case X509_V_ERR_PERMITTED_VIOLATION:
173 return("permitted subtree violation");
174 case X509_V_ERR_EXCLUDED_VIOLATION:
175 return("excluded subtree violation");
176 case X509_V_ERR_SUBTREE_MINMAX:
177 return("name constraints minimum and maximum not supported");
178 case X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE:
179 return("unsupported name constraint type");
180 case X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX:
181 return("unsupported or invalid name constraint syntax");
182 case X509_V_ERR_UNSUPPORTED_NAME_SYNTAX:
183 return("unsupported or invalid name syntax");
184 case X509_V_ERR_CRL_PATH_VALIDATION_ERROR:
185 return("CRL path validation error");
186
187 default:
188 BIO_snprintf(buf,sizeof buf,"error number %ld",n);
189 return(buf);
190 }
191 }
192
193
diff --git a/src/lib/libcrypto/x509/x509_v3.c b/src/lib/libcrypto/x509/x509_v3.c
deleted file mode 100644
index 42e6f0ab05..0000000000
--- a/src/lib/libcrypto/x509/x509_v3.c
+++ /dev/null
@@ -1,274 +0,0 @@
1/* crypto/x509/x509_v3.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include <openssl/stack.h>
61#include "cryptlib.h"
62#include <openssl/asn1.h>
63#include <openssl/objects.h>
64#include <openssl/evp.h>
65#include <openssl/x509.h>
66#include <openssl/x509v3.h>
67
68int X509v3_get_ext_count(const STACK_OF(X509_EXTENSION) *x)
69 {
70 if (x == NULL) return(0);
71 return(sk_X509_EXTENSION_num(x));
72 }
73
74int X509v3_get_ext_by_NID(const STACK_OF(X509_EXTENSION) *x, int nid,
75 int lastpos)
76 {
77 ASN1_OBJECT *obj;
78
79 obj=OBJ_nid2obj(nid);
80 if (obj == NULL) return(-2);
81 return(X509v3_get_ext_by_OBJ(x,obj,lastpos));
82 }
83
84int X509v3_get_ext_by_OBJ(const STACK_OF(X509_EXTENSION) *sk, ASN1_OBJECT *obj,
85 int lastpos)
86 {
87 int n;
88 X509_EXTENSION *ex;
89
90 if (sk == NULL) return(-1);
91 lastpos++;
92 if (lastpos < 0)
93 lastpos=0;
94 n=sk_X509_EXTENSION_num(sk);
95 for ( ; lastpos < n; lastpos++)
96 {
97 ex=sk_X509_EXTENSION_value(sk,lastpos);
98 if (OBJ_cmp(ex->object,obj) == 0)
99 return(lastpos);
100 }
101 return(-1);
102 }
103
104int X509v3_get_ext_by_critical(const STACK_OF(X509_EXTENSION) *sk, int crit,
105 int lastpos)
106 {
107 int n;
108 X509_EXTENSION *ex;
109
110 if (sk == NULL) return(-1);
111 lastpos++;
112 if (lastpos < 0)
113 lastpos=0;
114 n=sk_X509_EXTENSION_num(sk);
115 for ( ; lastpos < n; lastpos++)
116 {
117 ex=sk_X509_EXTENSION_value(sk,lastpos);
118 if ( ((ex->critical > 0) && crit) ||
119 ((ex->critical <= 0) && !crit))
120 return(lastpos);
121 }
122 return(-1);
123 }
124
125X509_EXTENSION *X509v3_get_ext(const STACK_OF(X509_EXTENSION) *x, int loc)
126 {
127 if (x == NULL || sk_X509_EXTENSION_num(x) <= loc || loc < 0)
128 return NULL;
129 else
130 return sk_X509_EXTENSION_value(x,loc);
131 }
132
133X509_EXTENSION *X509v3_delete_ext(STACK_OF(X509_EXTENSION) *x, int loc)
134 {
135 X509_EXTENSION *ret;
136
137 if (x == NULL || sk_X509_EXTENSION_num(x) <= loc || loc < 0)
138 return(NULL);
139 ret=sk_X509_EXTENSION_delete(x,loc);
140 return(ret);
141 }
142
143STACK_OF(X509_EXTENSION) *X509v3_add_ext(STACK_OF(X509_EXTENSION) **x,
144 X509_EXTENSION *ex, int loc)
145 {
146 X509_EXTENSION *new_ex=NULL;
147 int n;
148 STACK_OF(X509_EXTENSION) *sk=NULL;
149
150 if (x == NULL)
151 {
152 X509err(X509_F_X509V3_ADD_EXT,ERR_R_PASSED_NULL_PARAMETER);
153 goto err2;
154 }
155
156 if (*x == NULL)
157 {
158 if ((sk=sk_X509_EXTENSION_new_null()) == NULL)
159 goto err;
160 }
161 else
162 sk= *x;
163
164 n=sk_X509_EXTENSION_num(sk);
165 if (loc > n) loc=n;
166 else if (loc < 0) loc=n;
167
168 if ((new_ex=X509_EXTENSION_dup(ex)) == NULL)
169 goto err2;
170 if (!sk_X509_EXTENSION_insert(sk,new_ex,loc))
171 goto err;
172 if (*x == NULL)
173 *x=sk;
174 return(sk);
175err:
176 X509err(X509_F_X509V3_ADD_EXT,ERR_R_MALLOC_FAILURE);
177err2:
178 if (new_ex != NULL) X509_EXTENSION_free(new_ex);
179 if (sk != NULL) sk_X509_EXTENSION_free(sk);
180 return(NULL);
181 }
182
183X509_EXTENSION *X509_EXTENSION_create_by_NID(X509_EXTENSION **ex, int nid,
184 int crit, ASN1_OCTET_STRING *data)
185 {
186 ASN1_OBJECT *obj;
187 X509_EXTENSION *ret;
188
189 obj=OBJ_nid2obj(nid);
190 if (obj == NULL)
191 {
192 X509err(X509_F_X509_EXTENSION_CREATE_BY_NID,X509_R_UNKNOWN_NID);
193 return(NULL);
194 }
195 ret=X509_EXTENSION_create_by_OBJ(ex,obj,crit,data);
196 if (ret == NULL) ASN1_OBJECT_free(obj);
197 return(ret);
198 }
199
200X509_EXTENSION *X509_EXTENSION_create_by_OBJ(X509_EXTENSION **ex,
201 ASN1_OBJECT *obj, int crit, ASN1_OCTET_STRING *data)
202 {
203 X509_EXTENSION *ret;
204
205 if ((ex == NULL) || (*ex == NULL))
206 {
207 if ((ret=X509_EXTENSION_new()) == NULL)
208 {
209 X509err(X509_F_X509_EXTENSION_CREATE_BY_OBJ,ERR_R_MALLOC_FAILURE);
210 return(NULL);
211 }
212 }
213 else
214 ret= *ex;
215
216 if (!X509_EXTENSION_set_object(ret,obj))
217 goto err;
218 if (!X509_EXTENSION_set_critical(ret,crit))
219 goto err;
220 if (!X509_EXTENSION_set_data(ret,data))
221 goto err;
222
223 if ((ex != NULL) && (*ex == NULL)) *ex=ret;
224 return(ret);
225err:
226 if ((ex == NULL) || (ret != *ex))
227 X509_EXTENSION_free(ret);
228 return(NULL);
229 }
230
231int X509_EXTENSION_set_object(X509_EXTENSION *ex, ASN1_OBJECT *obj)
232 {
233 if ((ex == NULL) || (obj == NULL))
234 return(0);
235 ASN1_OBJECT_free(ex->object);
236 ex->object=OBJ_dup(obj);
237 return(1);
238 }
239
240int X509_EXTENSION_set_critical(X509_EXTENSION *ex, int crit)
241 {
242 if (ex == NULL) return(0);
243 ex->critical=(crit)?0xFF:-1;
244 return(1);
245 }
246
247int X509_EXTENSION_set_data(X509_EXTENSION *ex, ASN1_OCTET_STRING *data)
248 {
249 int i;
250
251 if (ex == NULL) return(0);
252 i=M_ASN1_OCTET_STRING_set(ex->value,data->data,data->length);
253 if (!i) return(0);
254 return(1);
255 }
256
257ASN1_OBJECT *X509_EXTENSION_get_object(X509_EXTENSION *ex)
258 {
259 if (ex == NULL) return(NULL);
260 return(ex->object);
261 }
262
263ASN1_OCTET_STRING *X509_EXTENSION_get_data(X509_EXTENSION *ex)
264 {
265 if (ex == NULL) return(NULL);
266 return(ex->value);
267 }
268
269int X509_EXTENSION_get_critical(X509_EXTENSION *ex)
270 {
271 if (ex == NULL) return(0);
272 if(ex->critical > 0) return 1;
273 return 0;
274 }
diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c
deleted file mode 100644
index 701ec565e9..0000000000
--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ /dev/null
@@ -1,2219 +0,0 @@
1/* crypto/x509/x509_vfy.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include <time.h>
61#include <errno.h>
62
63#include "cryptlib.h"
64#include <openssl/crypto.h>
65#include <openssl/lhash.h>
66#include <openssl/buffer.h>
67#include <openssl/evp.h>
68#include <openssl/asn1.h>
69#include <openssl/x509.h>
70#include <openssl/x509v3.h>
71#include <openssl/objects.h>
72
73/* CRL score values */
74
75/* No unhandled critical extensions */
76
77#define CRL_SCORE_NOCRITICAL 0x100
78
79/* certificate is within CRL scope */
80
81#define CRL_SCORE_SCOPE 0x080
82
83/* CRL times valid */
84
85#define CRL_SCORE_TIME 0x040
86
87/* Issuer name matches certificate */
88
89#define CRL_SCORE_ISSUER_NAME 0x020
90
91/* If this score or above CRL is probably valid */
92
93#define CRL_SCORE_VALID (CRL_SCORE_NOCRITICAL|CRL_SCORE_TIME|CRL_SCORE_SCOPE)
94
95/* CRL issuer is certificate issuer */
96
97#define CRL_SCORE_ISSUER_CERT 0x018
98
99/* CRL issuer is on certificate path */
100
101#define CRL_SCORE_SAME_PATH 0x008
102
103/* CRL issuer matches CRL AKID */
104
105#define CRL_SCORE_AKID 0x004
106
107/* Have a delta CRL with valid times */
108
109#define CRL_SCORE_TIME_DELTA 0x002
110
111static int null_callback(int ok,X509_STORE_CTX *e);
112static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer);
113static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x);
114static int check_chain_extensions(X509_STORE_CTX *ctx);
115static int check_name_constraints(X509_STORE_CTX *ctx);
116static int check_trust(X509_STORE_CTX *ctx);
117static int check_revocation(X509_STORE_CTX *ctx);
118static int check_cert(X509_STORE_CTX *ctx);
119static int check_policy(X509_STORE_CTX *ctx);
120
121static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer,
122 unsigned int *preasons,
123 X509_CRL *crl, X509 *x);
124static int get_crl_delta(X509_STORE_CTX *ctx,
125 X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x);
126static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pcrl_score,
127 X509_CRL *base, STACK_OF(X509_CRL) *crls);
128static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl,
129 X509 **pissuer, int *pcrl_score);
130static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score,
131 unsigned int *preasons);
132static int check_crl_path(X509_STORE_CTX *ctx, X509 *x);
133static int check_crl_chain(X509_STORE_CTX *ctx,
134 STACK_OF(X509) *cert_path,
135 STACK_OF(X509) *crl_path);
136
137static int internal_verify(X509_STORE_CTX *ctx);
138const char X509_version[]="X.509" OPENSSL_VERSION_PTEXT;
139
140
141static int null_callback(int ok, X509_STORE_CTX *e)
142 {
143 return ok;
144 }
145
146#if 0
147static int x509_subject_cmp(X509 **a, X509 **b)
148 {
149 return X509_subject_name_cmp(*a,*b);
150 }
151#endif
152
153int X509_verify_cert(X509_STORE_CTX *ctx)
154 {
155 X509 *x,*xtmp,*chain_ss=NULL;
156 X509_NAME *xn;
157 int bad_chain = 0;
158 X509_VERIFY_PARAM *param = ctx->param;
159 int depth,i,ok=0;
160 int num;
161 int (*cb)(int xok,X509_STORE_CTX *xctx);
162 STACK_OF(X509) *sktmp=NULL;
163 if (ctx->cert == NULL)
164 {
165 X509err(X509_F_X509_VERIFY_CERT,X509_R_NO_CERT_SET_FOR_US_TO_VERIFY);
166 return -1;
167 }
168
169 cb=ctx->verify_cb;
170
171 /* first we make sure the chain we are going to build is
172 * present and that the first entry is in place */
173 if (ctx->chain == NULL)
174 {
175 if ( ((ctx->chain=sk_X509_new_null()) == NULL) ||
176 (!sk_X509_push(ctx->chain,ctx->cert)))
177 {
178 X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
179 goto end;
180 }
181 CRYPTO_add(&ctx->cert->references,1,CRYPTO_LOCK_X509);
182 ctx->last_untrusted=1;
183 }
184
185 /* We use a temporary STACK so we can chop and hack at it */
186 if (ctx->untrusted != NULL
187 && (sktmp=sk_X509_dup(ctx->untrusted)) == NULL)
188 {
189 X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
190 goto end;
191 }
192
193 num=sk_X509_num(ctx->chain);
194 x=sk_X509_value(ctx->chain,num-1);
195 depth=param->depth;
196
197
198 for (;;)
199 {
200 /* If we have enough, we break */
201 if (depth < num) break; /* FIXME: If this happens, we should take
202 * note of it and, if appropriate, use the
203 * X509_V_ERR_CERT_CHAIN_TOO_LONG error
204 * code later.
205 */
206
207 /* If we are self signed, we break */
208 xn=X509_get_issuer_name(x);
209 if (ctx->check_issued(ctx, x,x)) break;
210
211 /* If we were passed a cert chain, use it first */
212 if (ctx->untrusted != NULL)
213 {
214 xtmp=find_issuer(ctx, sktmp,x);
215 if (xtmp != NULL)
216 {
217 if (!sk_X509_push(ctx->chain,xtmp))
218 {
219 X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
220 goto end;
221 }
222 CRYPTO_add(&xtmp->references,1,CRYPTO_LOCK_X509);
223 (void)sk_X509_delete_ptr(sktmp,xtmp);
224 ctx->last_untrusted++;
225 x=xtmp;
226 num++;
227 /* reparse the full chain for
228 * the next one */
229 continue;
230 }
231 }
232 break;
233 }
234
235 /* at this point, chain should contain a list of untrusted
236 * certificates. We now need to add at least one trusted one,
237 * if possible, otherwise we complain. */
238
239 /* Examine last certificate in chain and see if it
240 * is self signed.
241 */
242
243 i=sk_X509_num(ctx->chain);
244 x=sk_X509_value(ctx->chain,i-1);
245 xn = X509_get_subject_name(x);
246 if (ctx->check_issued(ctx, x, x))
247 {
248 /* we have a self signed certificate */
249 if (sk_X509_num(ctx->chain) == 1)
250 {
251 /* We have a single self signed certificate: see if
252 * we can find it in the store. We must have an exact
253 * match to avoid possible impersonation.
254 */
255 ok = ctx->get_issuer(&xtmp, ctx, x);
256 if ((ok <= 0) || X509_cmp(x, xtmp))
257 {
258 ctx->error=X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
259 ctx->current_cert=x;
260 ctx->error_depth=i-1;
261 if (ok == 1) X509_free(xtmp);
262 bad_chain = 1;
263 ok=cb(0,ctx);
264 if (!ok) goto end;
265 }
266 else
267 {
268 /* We have a match: replace certificate with store version
269 * so we get any trust settings.
270 */
271 X509_free(x);
272 x = xtmp;
273 (void)sk_X509_set(ctx->chain, i - 1, x);
274 ctx->last_untrusted=0;
275 }
276 }
277 else
278 {
279 /* extract and save self signed certificate for later use */
280 chain_ss=sk_X509_pop(ctx->chain);
281 ctx->last_untrusted--;
282 num--;
283 x=sk_X509_value(ctx->chain,num-1);
284 }
285 }
286
287 /* We now lookup certs from the certificate store */
288 for (;;)
289 {
290 /* If we have enough, we break */
291 if (depth < num) break;
292
293 /* If we are self signed, we break */
294 xn=X509_get_issuer_name(x);
295 if (ctx->check_issued(ctx,x,x)) break;
296
297 ok = ctx->get_issuer(&xtmp, ctx, x);
298
299 if (ok < 0) return ok;
300 if (ok == 0) break;
301
302 x = xtmp;
303 if (!sk_X509_push(ctx->chain,x))
304 {
305 X509_free(xtmp);
306 X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
307 return 0;
308 }
309 num++;
310 }
311
312 /* we now have our chain, lets check it... */
313 xn=X509_get_issuer_name(x);
314
315 /* Is last certificate looked up self signed? */
316 if (!ctx->check_issued(ctx,x,x))
317 {
318 if ((chain_ss == NULL) || !ctx->check_issued(ctx, x, chain_ss))
319 {
320 if (ctx->last_untrusted >= num)
321 ctx->error=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
322 else
323 ctx->error=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT;
324 ctx->current_cert=x;
325 }
326 else
327 {
328
329 sk_X509_push(ctx->chain,chain_ss);
330 num++;
331 ctx->last_untrusted=num;
332 ctx->current_cert=chain_ss;
333 ctx->error=X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN;
334 chain_ss=NULL;
335 }
336
337 ctx->error_depth=num-1;
338 bad_chain = 1;
339 ok=cb(0,ctx);
340 if (!ok) goto end;
341 }
342
343 /* We have the chain complete: now we need to check its purpose */
344 ok = check_chain_extensions(ctx);
345
346 if (!ok) goto end;
347
348 /* Check name constraints */
349
350 ok = check_name_constraints(ctx);
351
352 if (!ok) goto end;
353
354 /* The chain extensions are OK: check trust */
355
356 if (param->trust > 0) ok = check_trust(ctx);
357
358 if (!ok) goto end;
359
360 /* We may as well copy down any DSA parameters that are required */
361 X509_get_pubkey_parameters(NULL,ctx->chain);
362
363 /* Check revocation status: we do this after copying parameters
364 * because they may be needed for CRL signature verification.
365 */
366
367 ok = ctx->check_revocation(ctx);
368 if(!ok) goto end;
369
370 /* At this point, we have a chain and need to verify it */
371 if (ctx->verify != NULL)
372 ok=ctx->verify(ctx);
373 else
374 ok=internal_verify(ctx);
375 if(!ok) goto end;
376
377#ifndef OPENSSL_NO_RFC3779
378 /* RFC 3779 path validation, now that CRL check has been done */
379 ok = v3_asid_validate_path(ctx);
380 if (!ok) goto end;
381 ok = v3_addr_validate_path(ctx);
382 if (!ok) goto end;
383#endif
384
385 /* If we get this far evaluate policies */
386 if (!bad_chain && (ctx->param->flags & X509_V_FLAG_POLICY_CHECK))
387 ok = ctx->check_policy(ctx);
388 if(!ok) goto end;
389 if (0)
390 {
391end:
392 X509_get_pubkey_parameters(NULL,ctx->chain);
393 }
394 if (sktmp != NULL) sk_X509_free(sktmp);
395 if (chain_ss != NULL) X509_free(chain_ss);
396 return ok;
397 }
398
399
400/* Given a STACK_OF(X509) find the issuer of cert (if any)
401 */
402
403static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x)
404{
405 int i;
406 X509 *issuer;
407 for (i = 0; i < sk_X509_num(sk); i++)
408 {
409 issuer = sk_X509_value(sk, i);
410 if (ctx->check_issued(ctx, x, issuer))
411 return issuer;
412 }
413 return NULL;
414}
415
416/* Given a possible certificate and issuer check them */
417
418static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer)
419{
420 int ret;
421 ret = X509_check_issued(issuer, x);
422 if (ret == X509_V_OK)
423 return 1;
424 /* If we haven't asked for issuer errors don't set ctx */
425 if (!(ctx->param->flags & X509_V_FLAG_CB_ISSUER_CHECK))
426 return 0;
427
428 ctx->error = ret;
429 ctx->current_cert = x;
430 ctx->current_issuer = issuer;
431 return ctx->verify_cb(0, ctx);
432 return 0;
433}
434
435/* Alternative lookup method: look from a STACK stored in other_ctx */
436
437static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
438{
439 *issuer = find_issuer(ctx, ctx->other_ctx, x);
440 if (*issuer)
441 {
442 CRYPTO_add(&(*issuer)->references,1,CRYPTO_LOCK_X509);
443 return 1;
444 }
445 else
446 return 0;
447}
448
449
450/* Check a certificate chains extensions for consistency
451 * with the supplied purpose
452 */
453
454static int check_chain_extensions(X509_STORE_CTX *ctx)
455{
456#ifdef OPENSSL_NO_CHAIN_VERIFY
457 return 1;
458#else
459 int i, ok=0, must_be_ca, plen = 0;
460 X509 *x;
461 int (*cb)(int xok,X509_STORE_CTX *xctx);
462 int proxy_path_length = 0;
463 int purpose;
464 int allow_proxy_certs;
465 cb=ctx->verify_cb;
466
467 /* must_be_ca can have 1 of 3 values:
468 -1: we accept both CA and non-CA certificates, to allow direct
469 use of self-signed certificates (which are marked as CA).
470 0: we only accept non-CA certificates. This is currently not
471 used, but the possibility is present for future extensions.
472 1: we only accept CA certificates. This is currently used for
473 all certificates in the chain except the leaf certificate.
474 */
475 must_be_ca = -1;
476
477 /* CRL path validation */
478 if (ctx->parent)
479 {
480 allow_proxy_certs = 0;
481 purpose = X509_PURPOSE_CRL_SIGN;
482 }
483 else
484 {
485 allow_proxy_certs =
486 !!(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS);
487 /* A hack to keep people who don't want to modify their
488 software happy */
489 if (getenv("OPENSSL_ALLOW_PROXY_CERTS"))
490 allow_proxy_certs = 1;
491 purpose = ctx->param->purpose;
492 }
493
494 /* Check all untrusted certificates */
495 for (i = 0; i < ctx->last_untrusted; i++)
496 {
497 int ret;
498 x = sk_X509_value(ctx->chain, i);
499 if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)
500 && (x->ex_flags & EXFLAG_CRITICAL))
501 {
502 ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION;
503 ctx->error_depth = i;
504 ctx->current_cert = x;
505 ok=cb(0,ctx);
506 if (!ok) goto end;
507 }
508 if (!allow_proxy_certs && (x->ex_flags & EXFLAG_PROXY))
509 {
510 ctx->error = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED;
511 ctx->error_depth = i;
512 ctx->current_cert = x;
513 ok=cb(0,ctx);
514 if (!ok) goto end;
515 }
516 ret = X509_check_ca(x);
517 switch(must_be_ca)
518 {
519 case -1:
520 if ((ctx->param->flags & X509_V_FLAG_X509_STRICT)
521 && (ret != 1) && (ret != 0))
522 {
523 ret = 0;
524 ctx->error = X509_V_ERR_INVALID_CA;
525 }
526 else
527 ret = 1;
528 break;
529 case 0:
530 if (ret != 0)
531 {
532 ret = 0;
533 ctx->error = X509_V_ERR_INVALID_NON_CA;
534 }
535 else
536 ret = 1;
537 break;
538 default:
539 if ((ret == 0)
540 || ((ctx->param->flags & X509_V_FLAG_X509_STRICT)
541 && (ret != 1)))
542 {
543 ret = 0;
544 ctx->error = X509_V_ERR_INVALID_CA;
545 }
546 else
547 ret = 1;
548 break;
549 }
550 if (ret == 0)
551 {
552 ctx->error_depth = i;
553 ctx->current_cert = x;
554 ok=cb(0,ctx);
555 if (!ok) goto end;
556 }
557 if (ctx->param->purpose > 0)
558 {
559 ret = X509_check_purpose(x, purpose, must_be_ca > 0);
560 if ((ret == 0)
561 || ((ctx->param->flags & X509_V_FLAG_X509_STRICT)
562 && (ret != 1)))
563 {
564 ctx->error = X509_V_ERR_INVALID_PURPOSE;
565 ctx->error_depth = i;
566 ctx->current_cert = x;
567 ok=cb(0,ctx);
568 if (!ok) goto end;
569 }
570 }
571 /* Check pathlen if not self issued */
572 if ((i > 1) && !(x->ex_flags & EXFLAG_SI)
573 && (x->ex_pathlen != -1)
574 && (plen > (x->ex_pathlen + proxy_path_length + 1)))
575 {
576 ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED;
577 ctx->error_depth = i;
578 ctx->current_cert = x;
579 ok=cb(0,ctx);
580 if (!ok) goto end;
581 }
582 /* Increment path length if not self issued */
583 if (!(x->ex_flags & EXFLAG_SI))
584 plen++;
585 /* If this certificate is a proxy certificate, the next
586 certificate must be another proxy certificate or a EE
587 certificate. If not, the next certificate must be a
588 CA certificate. */
589 if (x->ex_flags & EXFLAG_PROXY)
590 {
591 if (x->ex_pcpathlen != -1 && i > x->ex_pcpathlen)
592 {
593 ctx->error =
594 X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED;
595 ctx->error_depth = i;
596 ctx->current_cert = x;
597 ok=cb(0,ctx);
598 if (!ok) goto end;
599 }
600 proxy_path_length++;
601 must_be_ca = 0;
602 }
603 else
604 must_be_ca = 1;
605 }
606 ok = 1;
607 end:
608 return ok;
609#endif
610}
611
612static int check_name_constraints(X509_STORE_CTX *ctx)
613 {
614 X509 *x;
615 int i, j, rv;
616 /* Check name constraints for all certificates */
617 for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--)
618 {
619 x = sk_X509_value(ctx->chain, i);
620 /* Ignore self issued certs unless last in chain */
621 if (i && (x->ex_flags & EXFLAG_SI))
622 continue;
623 /* Check against constraints for all certificates higher in
624 * chain including trust anchor. Trust anchor not strictly
625 * speaking needed but if it includes constraints it is to be
626 * assumed it expects them to be obeyed.
627 */
628 for (j = sk_X509_num(ctx->chain) - 1; j > i; j--)
629 {
630 NAME_CONSTRAINTS *nc = sk_X509_value(ctx->chain, j)->nc;
631 if (nc)
632 {
633 rv = NAME_CONSTRAINTS_check(x, nc);
634 if (rv != X509_V_OK)
635 {
636 ctx->error = rv;
637 ctx->error_depth = i;
638 ctx->current_cert = x;
639 if (!ctx->verify_cb(0,ctx))
640 return 0;
641 }
642 }
643 }
644 }
645 return 1;
646 }
647
648static int check_trust(X509_STORE_CTX *ctx)
649{
650#ifdef OPENSSL_NO_CHAIN_VERIFY
651 return 1;
652#else
653 int i, ok;
654 X509 *x;
655 int (*cb)(int xok,X509_STORE_CTX *xctx);
656 cb=ctx->verify_cb;
657/* For now just check the last certificate in the chain */
658 i = sk_X509_num(ctx->chain) - 1;
659 x = sk_X509_value(ctx->chain, i);
660 ok = X509_check_trust(x, ctx->param->trust, 0);
661 if (ok == X509_TRUST_TRUSTED)
662 return 1;
663 ctx->error_depth = i;
664 ctx->current_cert = x;
665 if (ok == X509_TRUST_REJECTED)
666 ctx->error = X509_V_ERR_CERT_REJECTED;
667 else
668 ctx->error = X509_V_ERR_CERT_UNTRUSTED;
669 ok = cb(0, ctx);
670 return ok;
671#endif
672}
673
674static int check_revocation(X509_STORE_CTX *ctx)
675 {
676 int i, last, ok;
677 if (!(ctx->param->flags & X509_V_FLAG_CRL_CHECK))
678 return 1;
679 if (ctx->param->flags & X509_V_FLAG_CRL_CHECK_ALL)
680 last = sk_X509_num(ctx->chain) - 1;
681 else
682 {
683 /* If checking CRL paths this isn't the EE certificate */
684 if (ctx->parent)
685 return 1;
686 last = 0;
687 }
688 for(i = 0; i <= last; i++)
689 {
690 ctx->error_depth = i;
691 ok = check_cert(ctx);
692 if (!ok) return ok;
693 }
694 return 1;
695 }
696
697static int check_cert(X509_STORE_CTX *ctx)
698 {
699 X509_CRL *crl = NULL, *dcrl = NULL;
700 X509 *x;
701 int ok, cnum;
702 cnum = ctx->error_depth;
703 x = sk_X509_value(ctx->chain, cnum);
704 ctx->current_cert = x;
705 ctx->current_issuer = NULL;
706 ctx->current_crl_score = 0;
707 ctx->current_reasons = 0;
708 while (ctx->current_reasons != CRLDP_ALL_REASONS)
709 {
710 /* Try to retrieve relevant CRL */
711 if (ctx->get_crl)
712 ok = ctx->get_crl(ctx, &crl, x);
713 else
714 ok = get_crl_delta(ctx, &crl, &dcrl, x);
715 /* If error looking up CRL, nothing we can do except
716 * notify callback
717 */
718 if(!ok)
719 {
720 ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL;
721 ok = ctx->verify_cb(0, ctx);
722 goto err;
723 }
724 ctx->current_crl = crl;
725 ok = ctx->check_crl(ctx, crl);
726 if (!ok)
727 goto err;
728
729 if (dcrl)
730 {
731 ok = ctx->check_crl(ctx, dcrl);
732 if (!ok)
733 goto err;
734 ok = ctx->cert_crl(ctx, dcrl, x);
735 if (!ok)
736 goto err;
737 }
738 else
739 ok = 1;
740
741 /* Don't look in full CRL if delta reason is removefromCRL */
742 if (ok != 2)
743 {
744 ok = ctx->cert_crl(ctx, crl, x);
745 if (!ok)
746 goto err;
747 }
748
749 X509_CRL_free(crl);
750 X509_CRL_free(dcrl);
751 crl = NULL;
752 dcrl = NULL;
753 }
754 err:
755 X509_CRL_free(crl);
756 X509_CRL_free(dcrl);
757
758 ctx->current_crl = NULL;
759 return ok;
760
761 }
762
763/* Check CRL times against values in X509_STORE_CTX */
764
765static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)
766 {
767 time_t *ptime;
768 int i;
769 if (notify)
770 ctx->current_crl = crl;
771 if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
772 ptime = &ctx->param->check_time;
773 else
774 ptime = NULL;
775
776 i=X509_cmp_time(X509_CRL_get_lastUpdate(crl), ptime);
777 if (i == 0)
778 {
779 if (!notify)
780 return 0;
781 ctx->error=X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD;
782 if (!ctx->verify_cb(0, ctx))
783 return 0;
784 }
785
786 if (i > 0)
787 {
788 if (!notify)
789 return 0;
790 ctx->error=X509_V_ERR_CRL_NOT_YET_VALID;
791 if (!ctx->verify_cb(0, ctx))
792 return 0;
793 }
794
795 if(X509_CRL_get_nextUpdate(crl))
796 {
797 i=X509_cmp_time(X509_CRL_get_nextUpdate(crl), ptime);
798
799 if (i == 0)
800 {
801 if (!notify)
802 return 0;
803 ctx->error=X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD;
804 if (!ctx->verify_cb(0, ctx))
805 return 0;
806 }
807 /* Ignore expiry of base CRL is delta is valid */
808 if ((i < 0) && !(ctx->current_crl_score & CRL_SCORE_TIME_DELTA))
809 {
810 if (!notify)
811 return 0;
812 ctx->error=X509_V_ERR_CRL_HAS_EXPIRED;
813 if (!ctx->verify_cb(0, ctx))
814 return 0;
815 }
816 }
817
818 if (notify)
819 ctx->current_crl = NULL;
820
821 return 1;
822 }
823
824static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl,
825 X509 **pissuer, int *pscore, unsigned int *preasons,
826 STACK_OF(X509_CRL) *crls)
827 {
828 int i, crl_score, best_score = *pscore;
829 unsigned int reasons, best_reasons = 0;
830 X509 *x = ctx->current_cert;
831 X509_CRL *crl, *best_crl = NULL;
832 X509 *crl_issuer = NULL, *best_crl_issuer = NULL;
833
834 for (i = 0; i < sk_X509_CRL_num(crls); i++)
835 {
836 crl = sk_X509_CRL_value(crls, i);
837 reasons = *preasons;
838 crl_score = get_crl_score(ctx, &crl_issuer, &reasons, crl, x);
839
840 if (crl_score > best_score)
841 {
842 best_crl = crl;
843 best_crl_issuer = crl_issuer;
844 best_score = crl_score;
845 best_reasons = reasons;
846 }
847 }
848
849 if (best_crl)
850 {
851 if (*pcrl)
852 X509_CRL_free(*pcrl);
853 *pcrl = best_crl;
854 *pissuer = best_crl_issuer;
855 *pscore = best_score;
856 *preasons = best_reasons;
857 CRYPTO_add(&best_crl->references, 1, CRYPTO_LOCK_X509_CRL);
858 if (*pdcrl)
859 {
860 X509_CRL_free(*pdcrl);
861 *pdcrl = NULL;
862 }
863 get_delta_sk(ctx, pdcrl, pscore, best_crl, crls);
864 }
865
866 if (best_score >= CRL_SCORE_VALID)
867 return 1;
868
869 return 0;
870 }
871
872/* Compare two CRL extensions for delta checking purposes. They should be
873 * both present or both absent. If both present all fields must be identical.
874 */
875
876static int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid)
877 {
878 ASN1_OCTET_STRING *exta, *extb;
879 int i;
880 i = X509_CRL_get_ext_by_NID(a, nid, 0);
881 if (i >= 0)
882 {
883 /* Can't have multiple occurrences */
884 if (X509_CRL_get_ext_by_NID(a, nid, i) != -1)
885 return 0;
886 exta = X509_EXTENSION_get_data(X509_CRL_get_ext(a, i));
887 }
888 else
889 exta = NULL;
890
891 i = X509_CRL_get_ext_by_NID(b, nid, 0);
892
893 if (i >= 0)
894 {
895
896 if (X509_CRL_get_ext_by_NID(b, nid, i) != -1)
897 return 0;
898 extb = X509_EXTENSION_get_data(X509_CRL_get_ext(b, i));
899 }
900 else
901 extb = NULL;
902
903 if (!exta && !extb)
904 return 1;
905
906 if (!exta || !extb)
907 return 0;
908
909
910 if (ASN1_OCTET_STRING_cmp(exta, extb))
911 return 0;
912
913 return 1;
914 }
915
916/* See if a base and delta are compatible */
917
918static int check_delta_base(X509_CRL *delta, X509_CRL *base)
919 {
920 /* Delta CRL must be a delta */
921 if (!delta->base_crl_number)
922 return 0;
923 /* Base must have a CRL number */
924 if (!base->crl_number)
925 return 0;
926 /* Issuer names must match */
927 if (X509_NAME_cmp(X509_CRL_get_issuer(base),
928 X509_CRL_get_issuer(delta)))
929 return 0;
930 /* AKID and IDP must match */
931 if (!crl_extension_match(delta, base, NID_authority_key_identifier))
932 return 0;
933 if (!crl_extension_match(delta, base, NID_issuing_distribution_point))
934 return 0;
935 /* Delta CRL base number must not exceed Full CRL number. */
936 if (ASN1_INTEGER_cmp(delta->base_crl_number, base->crl_number) > 0)
937 return 0;
938 /* Delta CRL number must exceed full CRL number */
939 if (ASN1_INTEGER_cmp(delta->crl_number, base->crl_number) > 0)
940 return 1;
941 return 0;
942 }
943
944/* For a given base CRL find a delta... maybe extend to delta scoring
945 * or retrieve a chain of deltas...
946 */
947
948static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pscore,
949 X509_CRL *base, STACK_OF(X509_CRL) *crls)
950 {
951 X509_CRL *delta;
952 int i;
953 if (!(ctx->param->flags & X509_V_FLAG_USE_DELTAS))
954 return;
955 if (!((ctx->current_cert->ex_flags | base->flags) & EXFLAG_FRESHEST))
956 return;
957 for (i = 0; i < sk_X509_CRL_num(crls); i++)
958 {
959 delta = sk_X509_CRL_value(crls, i);
960 if (check_delta_base(delta, base))
961 {
962 if (check_crl_time(ctx, delta, 0))
963 *pscore |= CRL_SCORE_TIME_DELTA;
964 CRYPTO_add(&delta->references, 1, CRYPTO_LOCK_X509_CRL);
965 *dcrl = delta;
966 return;
967 }
968 }
969 *dcrl = NULL;
970 }
971
972/* For a given CRL return how suitable it is for the supplied certificate 'x'.
973 * The return value is a mask of several criteria.
974 * If the issuer is not the certificate issuer this is returned in *pissuer.
975 * The reasons mask is also used to determine if the CRL is suitable: if
976 * no new reasons the CRL is rejected, otherwise reasons is updated.
977 */
978
979static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer,
980 unsigned int *preasons,
981 X509_CRL *crl, X509 *x)
982 {
983
984 int crl_score = 0;
985 unsigned int tmp_reasons = *preasons, crl_reasons;
986
987 /* First see if we can reject CRL straight away */
988
989 /* Invalid IDP cannot be processed */
990 if (crl->idp_flags & IDP_INVALID)
991 return 0;
992 /* Reason codes or indirect CRLs need extended CRL support */
993 if (!(ctx->param->flags & X509_V_FLAG_EXTENDED_CRL_SUPPORT))
994 {
995 if (crl->idp_flags & (IDP_INDIRECT | IDP_REASONS))
996 return 0;
997 }
998 else if (crl->idp_flags & IDP_REASONS)
999 {
1000 /* If no new reasons reject */
1001 if (!(crl->idp_reasons & ~tmp_reasons))
1002 return 0;
1003 }
1004 /* Don't process deltas at this stage */
1005 else if (crl->base_crl_number)
1006 return 0;
1007 /* If issuer name doesn't match certificate need indirect CRL */
1008 if (X509_NAME_cmp(X509_get_issuer_name(x), X509_CRL_get_issuer(crl)))
1009 {
1010 if (!(crl->idp_flags & IDP_INDIRECT))
1011 return 0;
1012 }
1013 else
1014 crl_score |= CRL_SCORE_ISSUER_NAME;
1015
1016 if (!(crl->flags & EXFLAG_CRITICAL))
1017 crl_score |= CRL_SCORE_NOCRITICAL;
1018
1019 /* Check expiry */
1020 if (check_crl_time(ctx, crl, 0))
1021 crl_score |= CRL_SCORE_TIME;
1022
1023 /* Check authority key ID and locate certificate issuer */
1024 crl_akid_check(ctx, crl, pissuer, &crl_score);
1025
1026 /* If we can't locate certificate issuer at this point forget it */
1027
1028 if (!(crl_score & CRL_SCORE_AKID))
1029 return 0;
1030
1031 /* Check cert for matching CRL distribution points */
1032
1033 if (crl_crldp_check(x, crl, crl_score, &crl_reasons))
1034 {
1035 /* If no new reasons reject */
1036 if (!(crl_reasons & ~tmp_reasons))
1037 return 0;
1038 tmp_reasons |= crl_reasons;
1039 crl_score |= CRL_SCORE_SCOPE;
1040 }
1041
1042 *preasons = tmp_reasons;
1043
1044 return crl_score;
1045
1046 }
1047
1048static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl,
1049 X509 **pissuer, int *pcrl_score)
1050 {
1051 X509 *crl_issuer = NULL;
1052 X509_NAME *cnm = X509_CRL_get_issuer(crl);
1053 int cidx = ctx->error_depth;
1054 int i;
1055
1056 if (cidx != sk_X509_num(ctx->chain) - 1)
1057 cidx++;
1058
1059 crl_issuer = sk_X509_value(ctx->chain, cidx);
1060
1061 if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK)
1062 {
1063 if (*pcrl_score & CRL_SCORE_ISSUER_NAME)
1064 {
1065 *pcrl_score |= CRL_SCORE_AKID|CRL_SCORE_ISSUER_CERT;
1066 *pissuer = crl_issuer;
1067 return;
1068 }
1069 }
1070
1071 for (cidx++; cidx < sk_X509_num(ctx->chain); cidx++)
1072 {
1073 crl_issuer = sk_X509_value(ctx->chain, cidx);
1074 if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm))
1075 continue;
1076 if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK)
1077 {
1078 *pcrl_score |= CRL_SCORE_AKID|CRL_SCORE_SAME_PATH;
1079 *pissuer = crl_issuer;
1080 return;
1081 }
1082 }
1083
1084 /* Anything else needs extended CRL support */
1085
1086 if (!(ctx->param->flags & X509_V_FLAG_EXTENDED_CRL_SUPPORT))
1087 return;
1088
1089 /* Otherwise the CRL issuer is not on the path. Look for it in the
1090 * set of untrusted certificates.
1091 */
1092 for (i = 0; i < sk_X509_num(ctx->untrusted); i++)
1093 {
1094 crl_issuer = sk_X509_value(ctx->untrusted, i);
1095 if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm))
1096 continue;
1097 if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK)
1098 {
1099 *pissuer = crl_issuer;
1100 *pcrl_score |= CRL_SCORE_AKID;
1101 return;
1102 }
1103 }
1104 }
1105
1106/* Check the path of a CRL issuer certificate. This creates a new
1107 * X509_STORE_CTX and populates it with most of the parameters from the
1108 * parent. This could be optimised somewhat since a lot of path checking
1109 * will be duplicated by the parent, but this will rarely be used in
1110 * practice.
1111 */
1112
1113static int check_crl_path(X509_STORE_CTX *ctx, X509 *x)
1114 {
1115 X509_STORE_CTX crl_ctx;
1116 int ret;
1117 /* Don't allow recursive CRL path validation */
1118 if (ctx->parent)
1119 return 0;
1120 if (!X509_STORE_CTX_init(&crl_ctx, ctx->ctx, x, ctx->untrusted))
1121 return -1;
1122
1123 crl_ctx.crls = ctx->crls;
1124 /* Copy verify params across */
1125 X509_STORE_CTX_set0_param(&crl_ctx, ctx->param);
1126
1127 crl_ctx.parent = ctx;
1128 crl_ctx.verify_cb = ctx->verify_cb;
1129
1130 /* Verify CRL issuer */
1131 ret = X509_verify_cert(&crl_ctx);
1132
1133 if (ret <= 0)
1134 goto err;
1135
1136 /* Check chain is acceptable */
1137
1138 ret = check_crl_chain(ctx, ctx->chain, crl_ctx.chain);
1139 err:
1140 X509_STORE_CTX_cleanup(&crl_ctx);
1141 return ret;
1142 }
1143
1144/* RFC3280 says nothing about the relationship between CRL path
1145 * and certificate path, which could lead to situations where a
1146 * certificate could be revoked or validated by a CA not authorised
1147 * to do so. RFC5280 is more strict and states that the two paths must
1148 * end in the same trust anchor, though some discussions remain...
1149 * until this is resolved we use the RFC5280 version
1150 */
1151
1152static int check_crl_chain(X509_STORE_CTX *ctx,
1153 STACK_OF(X509) *cert_path,
1154 STACK_OF(X509) *crl_path)
1155 {
1156 X509 *cert_ta, *crl_ta;
1157 cert_ta = sk_X509_value(cert_path, sk_X509_num(cert_path) - 1);
1158 crl_ta = sk_X509_value(crl_path, sk_X509_num(crl_path) - 1);
1159 if (!X509_cmp(cert_ta, crl_ta))
1160 return 1;
1161 return 0;
1162 }
1163
1164/* Check for match between two dist point names: three separate cases.
1165 * 1. Both are relative names and compare X509_NAME types.
1166 * 2. One full, one relative. Compare X509_NAME to GENERAL_NAMES.
1167 * 3. Both are full names and compare two GENERAL_NAMES.
1168 * 4. One is NULL: automatic match.
1169 */
1170
1171
1172static int idp_check_dp(DIST_POINT_NAME *a, DIST_POINT_NAME *b)
1173 {
1174 X509_NAME *nm = NULL;
1175 GENERAL_NAMES *gens = NULL;
1176 GENERAL_NAME *gena, *genb;
1177 int i, j;
1178 if (!a || !b)
1179 return 1;
1180 if (a->type == 1)
1181 {
1182 if (!a->dpname)
1183 return 0;
1184 /* Case 1: two X509_NAME */
1185 if (b->type == 1)
1186 {
1187 if (!b->dpname)
1188 return 0;
1189 if (!X509_NAME_cmp(a->dpname, b->dpname))
1190 return 1;
1191 else
1192 return 0;
1193 }
1194 /* Case 2: set name and GENERAL_NAMES appropriately */
1195 nm = a->dpname;
1196 gens = b->name.fullname;
1197 }
1198 else if (b->type == 1)
1199 {
1200 if (!b->dpname)
1201 return 0;
1202 /* Case 2: set name and GENERAL_NAMES appropriately */
1203 gens = a->name.fullname;
1204 nm = b->dpname;
1205 }
1206
1207 /* Handle case 2 with one GENERAL_NAMES and one X509_NAME */
1208 if (nm)
1209 {
1210 for (i = 0; i < sk_GENERAL_NAME_num(gens); i++)
1211 {
1212 gena = sk_GENERAL_NAME_value(gens, i);
1213 if (gena->type != GEN_DIRNAME)
1214 continue;
1215 if (!X509_NAME_cmp(nm, gena->d.directoryName))
1216 return 1;
1217 }
1218 return 0;
1219 }
1220
1221 /* Else case 3: two GENERAL_NAMES */
1222
1223 for (i = 0; i < sk_GENERAL_NAME_num(a->name.fullname); i++)
1224 {
1225 gena = sk_GENERAL_NAME_value(a->name.fullname, i);
1226 for (j = 0; j < sk_GENERAL_NAME_num(b->name.fullname); j++)
1227 {
1228 genb = sk_GENERAL_NAME_value(b->name.fullname, j);
1229 if (!GENERAL_NAME_cmp(gena, genb))
1230 return 1;
1231 }
1232 }
1233
1234 return 0;
1235
1236 }
1237
1238static int crldp_check_crlissuer(DIST_POINT *dp, X509_CRL *crl, int crl_score)
1239 {
1240 int i;
1241 X509_NAME *nm = X509_CRL_get_issuer(crl);
1242 /* If no CRLissuer return is successful iff don't need a match */
1243 if (!dp->CRLissuer)
1244 return !!(crl_score & CRL_SCORE_ISSUER_NAME);
1245 for (i = 0; i < sk_GENERAL_NAME_num(dp->CRLissuer); i++)
1246 {
1247 GENERAL_NAME *gen = sk_GENERAL_NAME_value(dp->CRLissuer, i);
1248 if (gen->type != GEN_DIRNAME)
1249 continue;
1250 if (!X509_NAME_cmp(gen->d.directoryName, nm))
1251 return 1;
1252 }
1253 return 0;
1254 }
1255
1256/* Check CRLDP and IDP */
1257
1258static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score,
1259 unsigned int *preasons)
1260 {
1261 int i;
1262 if (crl->idp_flags & IDP_ONLYATTR)
1263 return 0;
1264 if (x->ex_flags & EXFLAG_CA)
1265 {
1266 if (crl->idp_flags & IDP_ONLYUSER)
1267 return 0;
1268 }
1269 else
1270 {
1271 if (crl->idp_flags & IDP_ONLYCA)
1272 return 0;
1273 }
1274 *preasons = crl->idp_reasons;
1275 for (i = 0; i < sk_DIST_POINT_num(x->crldp); i++)
1276 {
1277 DIST_POINT *dp = sk_DIST_POINT_value(x->crldp, i);
1278 if (crldp_check_crlissuer(dp, crl, crl_score))
1279 {
1280 if (!crl->idp ||
1281 idp_check_dp(dp->distpoint, crl->idp->distpoint))
1282 {
1283 *preasons &= dp->dp_reasons;
1284 return 1;
1285 }
1286 }
1287 }
1288 if ((!crl->idp || !crl->idp->distpoint) && (crl_score & CRL_SCORE_ISSUER_NAME))
1289 return 1;
1290 return 0;
1291 }
1292
1293/* Retrieve CRL corresponding to current certificate.
1294 * If deltas enabled try to find a delta CRL too
1295 */
1296
1297static int get_crl_delta(X509_STORE_CTX *ctx,
1298 X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x)
1299 {
1300 int ok;
1301 X509 *issuer = NULL;
1302 int crl_score = 0;
1303 unsigned int reasons;
1304 X509_CRL *crl = NULL, *dcrl = NULL;
1305 STACK_OF(X509_CRL) *skcrl;
1306 X509_NAME *nm = X509_get_issuer_name(x);
1307 reasons = ctx->current_reasons;
1308 ok = get_crl_sk(ctx, &crl, &dcrl,
1309 &issuer, &crl_score, &reasons, ctx->crls);
1310
1311 if (ok)
1312 goto done;
1313
1314 /* Lookup CRLs from store */
1315
1316 skcrl = ctx->lookup_crls(ctx, nm);
1317
1318 /* If no CRLs found and a near match from get_crl_sk use that */
1319 if (!skcrl && crl)
1320 goto done;
1321
1322 get_crl_sk(ctx, &crl, &dcrl, &issuer, &crl_score, &reasons, skcrl);
1323
1324 sk_X509_CRL_pop_free(skcrl, X509_CRL_free);
1325
1326 done:
1327
1328 /* If we got any kind of CRL use it and return success */
1329 if (crl)
1330 {
1331 ctx->current_issuer = issuer;
1332 ctx->current_crl_score = crl_score;
1333 ctx->current_reasons = reasons;
1334 *pcrl = crl;
1335 *pdcrl = dcrl;
1336 return 1;
1337 }
1338
1339 return 0;
1340 }
1341
1342/* Check CRL validity */
1343static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl)
1344 {
1345 X509 *issuer = NULL;
1346 EVP_PKEY *ikey = NULL;
1347 int ok = 0, chnum, cnum;
1348 cnum = ctx->error_depth;
1349 chnum = sk_X509_num(ctx->chain) - 1;
1350 /* if we have an alternative CRL issuer cert use that */
1351 if (ctx->current_issuer)
1352 issuer = ctx->current_issuer;
1353
1354 /* Else find CRL issuer: if not last certificate then issuer
1355 * is next certificate in chain.
1356 */
1357 else if (cnum < chnum)
1358 issuer = sk_X509_value(ctx->chain, cnum + 1);
1359 else
1360 {
1361 issuer = sk_X509_value(ctx->chain, chnum);
1362 /* If not self signed, can't check signature */
1363 if(!ctx->check_issued(ctx, issuer, issuer))
1364 {
1365 ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER;
1366 ok = ctx->verify_cb(0, ctx);
1367 if(!ok) goto err;
1368 }
1369 }
1370
1371 if(issuer)
1372 {
1373 /* Skip most tests for deltas because they have already
1374 * been done
1375 */
1376 if (!crl->base_crl_number)
1377 {
1378 /* Check for cRLSign bit if keyUsage present */
1379 if ((issuer->ex_flags & EXFLAG_KUSAGE) &&
1380 !(issuer->ex_kusage & KU_CRL_SIGN))
1381 {
1382 ctx->error = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN;
1383 ok = ctx->verify_cb(0, ctx);
1384 if(!ok) goto err;
1385 }
1386
1387 if (!(ctx->current_crl_score & CRL_SCORE_SCOPE))
1388 {
1389 ctx->error = X509_V_ERR_DIFFERENT_CRL_SCOPE;
1390 ok = ctx->verify_cb(0, ctx);
1391 if(!ok) goto err;
1392 }
1393
1394 if (!(ctx->current_crl_score & CRL_SCORE_SAME_PATH))
1395 {
1396 if (check_crl_path(ctx, ctx->current_issuer) <= 0)
1397 {
1398 ctx->error = X509_V_ERR_CRL_PATH_VALIDATION_ERROR;
1399 ok = ctx->verify_cb(0, ctx);
1400 if(!ok) goto err;
1401 }
1402 }
1403
1404 if (crl->idp_flags & IDP_INVALID)
1405 {
1406 ctx->error = X509_V_ERR_INVALID_EXTENSION;
1407 ok = ctx->verify_cb(0, ctx);
1408 if(!ok) goto err;
1409 }
1410
1411
1412 }
1413
1414 if (!(ctx->current_crl_score & CRL_SCORE_TIME))
1415 {
1416 ok = check_crl_time(ctx, crl, 1);
1417 if (!ok)
1418 goto err;
1419 }
1420
1421 /* Attempt to get issuer certificate public key */
1422 ikey = X509_get_pubkey(issuer);
1423
1424 if(!ikey)
1425 {
1426 ctx->error=X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
1427 ok = ctx->verify_cb(0, ctx);
1428 if (!ok) goto err;
1429 }
1430 else
1431 {
1432 /* Verify CRL signature */
1433 if(X509_CRL_verify(crl, ikey) <= 0)
1434 {
1435 ctx->error=X509_V_ERR_CRL_SIGNATURE_FAILURE;
1436 ok = ctx->verify_cb(0, ctx);
1437 if (!ok) goto err;
1438 }
1439 }
1440 }
1441
1442 ok = 1;
1443
1444 err:
1445 EVP_PKEY_free(ikey);
1446 return ok;
1447 }
1448
1449/* Check certificate against CRL */
1450static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
1451 {
1452 int ok;
1453 X509_REVOKED *rev;
1454 /* The rules changed for this... previously if a CRL contained
1455 * unhandled critical extensions it could still be used to indicate
1456 * a certificate was revoked. This has since been changed since
1457 * critical extension can change the meaning of CRL entries.
1458 */
1459 if (crl->flags & EXFLAG_CRITICAL)
1460 {
1461 if (ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)
1462 return 1;
1463 ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION;
1464 ok = ctx->verify_cb(0, ctx);
1465 if(!ok)
1466 return 0;
1467 }
1468 /* Look for serial number of certificate in CRL
1469 * If found make sure reason is not removeFromCRL.
1470 */
1471 if (X509_CRL_get0_by_cert(crl, &rev, x))
1472 {
1473 if (rev->reason == CRL_REASON_REMOVE_FROM_CRL)
1474 return 2;
1475 ctx->error = X509_V_ERR_CERT_REVOKED;
1476 ok = ctx->verify_cb(0, ctx);
1477 if (!ok)
1478 return 0;
1479 }
1480
1481 return 1;
1482 }
1483
1484static int check_policy(X509_STORE_CTX *ctx)
1485 {
1486 int ret;
1487 if (ctx->parent)
1488 return 1;
1489 ret = X509_policy_check(&ctx->tree, &ctx->explicit_policy, ctx->chain,
1490 ctx->param->policies, ctx->param->flags);
1491 if (ret == 0)
1492 {
1493 X509err(X509_F_CHECK_POLICY,ERR_R_MALLOC_FAILURE);
1494 return 0;
1495 }
1496 /* Invalid or inconsistent extensions */
1497 if (ret == -1)
1498 {
1499 /* Locate certificates with bad extensions and notify
1500 * callback.
1501 */
1502 X509 *x;
1503 int i;
1504 for (i = 1; i < sk_X509_num(ctx->chain); i++)
1505 {
1506 x = sk_X509_value(ctx->chain, i);
1507 if (!(x->ex_flags & EXFLAG_INVALID_POLICY))
1508 continue;
1509 ctx->current_cert = x;
1510 ctx->error = X509_V_ERR_INVALID_POLICY_EXTENSION;
1511 if(!ctx->verify_cb(0, ctx))
1512 return 0;
1513 }
1514 return 1;
1515 }
1516 if (ret == -2)
1517 {
1518 ctx->current_cert = NULL;
1519 ctx->error = X509_V_ERR_NO_EXPLICIT_POLICY;
1520 return ctx->verify_cb(0, ctx);
1521 }
1522
1523 if (ctx->param->flags & X509_V_FLAG_NOTIFY_POLICY)
1524 {
1525 ctx->current_cert = NULL;
1526 ctx->error = X509_V_OK;
1527 if (!ctx->verify_cb(2, ctx))
1528 return 0;
1529 }
1530
1531 return 1;
1532 }
1533
1534static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)
1535 {
1536 time_t *ptime;
1537 int i;
1538
1539 if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
1540 ptime = &ctx->param->check_time;
1541 else
1542 ptime = NULL;
1543
1544 i=X509_cmp_time(X509_get_notBefore(x), ptime);
1545 if (i == 0)
1546 {
1547 ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
1548 ctx->current_cert=x;
1549 if (!ctx->verify_cb(0, ctx))
1550 return 0;
1551 }
1552
1553 if (i > 0)
1554 {
1555 ctx->error=X509_V_ERR_CERT_NOT_YET_VALID;
1556 ctx->current_cert=x;
1557 if (!ctx->verify_cb(0, ctx))
1558 return 0;
1559 }
1560
1561 i=X509_cmp_time(X509_get_notAfter(x), ptime);
1562 if (i == 0)
1563 {
1564 ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
1565 ctx->current_cert=x;
1566 if (!ctx->verify_cb(0, ctx))
1567 return 0;
1568 }
1569
1570 if (i < 0)
1571 {
1572 ctx->error=X509_V_ERR_CERT_HAS_EXPIRED;
1573 ctx->current_cert=x;
1574 if (!ctx->verify_cb(0, ctx))
1575 return 0;
1576 }
1577
1578 return 1;
1579 }
1580
1581static int internal_verify(X509_STORE_CTX *ctx)
1582 {
1583 int ok=0,n;
1584 X509 *xs,*xi;
1585 EVP_PKEY *pkey=NULL;
1586 int (*cb)(int xok,X509_STORE_CTX *xctx);
1587
1588 cb=ctx->verify_cb;
1589
1590 n=sk_X509_num(ctx->chain);
1591 ctx->error_depth=n-1;
1592 n--;
1593 xi=sk_X509_value(ctx->chain,n);
1594
1595 if (ctx->check_issued(ctx, xi, xi))
1596 xs=xi;
1597 else
1598 {
1599 if (n <= 0)
1600 {
1601 ctx->error=X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE;
1602 ctx->current_cert=xi;
1603 ok=cb(0,ctx);
1604 goto end;
1605 }
1606 else
1607 {
1608 n--;
1609 ctx->error_depth=n;
1610 xs=sk_X509_value(ctx->chain,n);
1611 }
1612 }
1613
1614/* ctx->error=0; not needed */
1615 while (n >= 0)
1616 {
1617 ctx->error_depth=n;
1618
1619 /* Skip signature check for self signed certificates unless
1620 * explicitly asked for. It doesn't add any security and
1621 * just wastes time.
1622 */
1623 if (!xs->valid && (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE)))
1624 {
1625 if ((pkey=X509_get_pubkey(xi)) == NULL)
1626 {
1627 ctx->error=X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
1628 ctx->current_cert=xi;
1629 ok=(*cb)(0,ctx);
1630 if (!ok) goto end;
1631 }
1632 else if (X509_verify(xs,pkey) <= 0)
1633 {
1634 ctx->error=X509_V_ERR_CERT_SIGNATURE_FAILURE;
1635 ctx->current_cert=xs;
1636 ok=(*cb)(0,ctx);
1637 if (!ok)
1638 {
1639 EVP_PKEY_free(pkey);
1640 goto end;
1641 }
1642 }
1643 EVP_PKEY_free(pkey);
1644 pkey=NULL;
1645 }
1646
1647 xs->valid = 1;
1648
1649 ok = check_cert_time(ctx, xs);
1650 if (!ok)
1651 goto end;
1652
1653 /* The last error (if any) is still in the error value */
1654 ctx->current_issuer=xi;
1655 ctx->current_cert=xs;
1656 ok=(*cb)(1,ctx);
1657 if (!ok) goto end;
1658
1659 n--;
1660 if (n >= 0)
1661 {
1662 xi=xs;
1663 xs=sk_X509_value(ctx->chain,n);
1664 }
1665 }
1666 ok=1;
1667end:
1668 return ok;
1669 }
1670
1671int X509_cmp_current_time(const ASN1_TIME *ctm)
1672{
1673 return X509_cmp_time(ctm, NULL);
1674}
1675
1676int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time)
1677 {
1678 char *str;
1679 ASN1_TIME atm;
1680 long offset;
1681 char buff1[24],buff2[24],*p;
1682 int i,j;
1683
1684 p=buff1;
1685 i=ctm->length;
1686 str=(char *)ctm->data;
1687 if (ctm->type == V_ASN1_UTCTIME)
1688 {
1689 if ((i < 11) || (i > 17)) return 0;
1690 memcpy(p,str,10);
1691 p+=10;
1692 str+=10;
1693 }
1694 else
1695 {
1696 if (i < 13) return 0;
1697 memcpy(p,str,12);
1698 p+=12;
1699 str+=12;
1700 }
1701
1702 if ((*str == 'Z') || (*str == '-') || (*str == '+'))
1703 { *(p++)='0'; *(p++)='0'; }
1704 else
1705 {
1706 *(p++)= *(str++);
1707 *(p++)= *(str++);
1708 /* Skip any fractional seconds... */
1709 if (*str == '.')
1710 {
1711 str++;
1712 while ((*str >= '0') && (*str <= '9')) str++;
1713 }
1714
1715 }
1716 *(p++)='Z';
1717 *(p++)='\0';
1718
1719 if (*str == 'Z')
1720 offset=0;
1721 else
1722 {
1723 if ((*str != '+') && (*str != '-'))
1724 return 0;
1725 offset=((str[1]-'0')*10+(str[2]-'0'))*60;
1726 offset+=(str[3]-'0')*10+(str[4]-'0');
1727 if (*str == '-')
1728 offset= -offset;
1729 }
1730 atm.type=ctm->type;
1731 atm.flags = 0;
1732 atm.length=sizeof(buff2);
1733 atm.data=(unsigned char *)buff2;
1734
1735 if (X509_time_adj(&atm, offset*60, cmp_time) == NULL)
1736 return 0;
1737
1738 if (ctm->type == V_ASN1_UTCTIME)
1739 {
1740 i=(buff1[0]-'0')*10+(buff1[1]-'0');
1741 if (i < 50) i+=100; /* cf. RFC 2459 */
1742 j=(buff2[0]-'0')*10+(buff2[1]-'0');
1743 if (j < 50) j+=100;
1744
1745 if (i < j) return -1;
1746 if (i > j) return 1;
1747 }
1748 i=strcmp(buff1,buff2);
1749 if (i == 0) /* wait a second then return younger :-) */
1750 return -1;
1751 else
1752 return i;
1753 }
1754
1755ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj)
1756{
1757 return X509_time_adj(s, adj, NULL);
1758}
1759
1760ASN1_TIME *X509_time_adj(ASN1_TIME *s, long offset_sec, time_t *in_tm)
1761 {
1762 return X509_time_adj_ex(s, 0, offset_sec, in_tm);
1763 }
1764
1765ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s,
1766 int offset_day, long offset_sec, time_t *in_tm)
1767 {
1768 time_t t;
1769
1770 if (in_tm) t = *in_tm;
1771 else time(&t);
1772
1773 if (s && !(s->flags & ASN1_STRING_FLAG_MSTRING))
1774 {
1775 if (s->type == V_ASN1_UTCTIME)
1776 return ASN1_UTCTIME_adj(s,t, offset_day, offset_sec);
1777 if (s->type == V_ASN1_GENERALIZEDTIME)
1778 return ASN1_GENERALIZEDTIME_adj(s, t, offset_day,
1779 offset_sec);
1780 }
1781 return ASN1_TIME_adj(s, t, offset_day, offset_sec);
1782 }
1783
1784int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain)
1785 {
1786 EVP_PKEY *ktmp=NULL,*ktmp2;
1787 int i,j;
1788
1789 if ((pkey != NULL) && !EVP_PKEY_missing_parameters(pkey)) return 1;
1790
1791 for (i=0; i<sk_X509_num(chain); i++)
1792 {
1793 ktmp=X509_get_pubkey(sk_X509_value(chain,i));
1794 if (ktmp == NULL)
1795 {
1796 X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY);
1797 return 0;
1798 }
1799 if (!EVP_PKEY_missing_parameters(ktmp))
1800 break;
1801 else
1802 {
1803 EVP_PKEY_free(ktmp);
1804 ktmp=NULL;
1805 }
1806 }
1807 if (ktmp == NULL)
1808 {
1809 X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN);
1810 return 0;
1811 }
1812
1813 /* first, populate the other certs */
1814 for (j=i-1; j >= 0; j--)
1815 {
1816 ktmp2=X509_get_pubkey(sk_X509_value(chain,j));
1817 EVP_PKEY_copy_parameters(ktmp2,ktmp);
1818 EVP_PKEY_free(ktmp2);
1819 }
1820
1821 if (pkey != NULL) EVP_PKEY_copy_parameters(pkey,ktmp);
1822 EVP_PKEY_free(ktmp);
1823 return 1;
1824 }
1825
1826int X509_STORE_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
1827 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
1828 {
1829 /* This function is (usually) called only once, by
1830 * SSL_get_ex_data_X509_STORE_CTX_idx (ssl/ssl_cert.c). */
1831 return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_X509_STORE_CTX, argl, argp,
1832 new_func, dup_func, free_func);
1833 }
1834
1835int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, void *data)
1836 {
1837 return CRYPTO_set_ex_data(&ctx->ex_data,idx,data);
1838 }
1839
1840void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx)
1841 {
1842 return CRYPTO_get_ex_data(&ctx->ex_data,idx);
1843 }
1844
1845int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx)
1846 {
1847 return ctx->error;
1848 }
1849
1850void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int err)
1851 {
1852 ctx->error=err;
1853 }
1854
1855int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx)
1856 {
1857 return ctx->error_depth;
1858 }
1859
1860X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx)
1861 {
1862 return ctx->current_cert;
1863 }
1864
1865STACK_OF(X509) *X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx)
1866 {
1867 return ctx->chain;
1868 }
1869
1870STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx)
1871 {
1872 int i;
1873 X509 *x;
1874 STACK_OF(X509) *chain;
1875 if (!ctx->chain || !(chain = sk_X509_dup(ctx->chain))) return NULL;
1876 for (i = 0; i < sk_X509_num(chain); i++)
1877 {
1878 x = sk_X509_value(chain, i);
1879 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
1880 }
1881 return chain;
1882 }
1883
1884X509 *X509_STORE_CTX_get0_current_issuer(X509_STORE_CTX *ctx)
1885 {
1886 return ctx->current_issuer;
1887 }
1888
1889X509_CRL *X509_STORE_CTX_get0_current_crl(X509_STORE_CTX *ctx)
1890 {
1891 return ctx->current_crl;
1892 }
1893
1894X509_STORE_CTX *X509_STORE_CTX_get0_parent_ctx(X509_STORE_CTX *ctx)
1895 {
1896 return ctx->parent;
1897 }
1898
1899void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *x)
1900 {
1901 ctx->cert=x;
1902 }
1903
1904void X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
1905 {
1906 ctx->untrusted=sk;
1907 }
1908
1909void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk)
1910 {
1911 ctx->crls=sk;
1912 }
1913
1914int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose)
1915 {
1916 return X509_STORE_CTX_purpose_inherit(ctx, 0, purpose, 0);
1917 }
1918
1919int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust)
1920 {
1921 return X509_STORE_CTX_purpose_inherit(ctx, 0, 0, trust);
1922 }
1923
1924/* This function is used to set the X509_STORE_CTX purpose and trust
1925 * values. This is intended to be used when another structure has its
1926 * own trust and purpose values which (if set) will be inherited by
1927 * the ctx. If they aren't set then we will usually have a default
1928 * purpose in mind which should then be used to set the trust value.
1929 * An example of this is SSL use: an SSL structure will have its own
1930 * purpose and trust settings which the application can set: if they
1931 * aren't set then we use the default of SSL client/server.
1932 */
1933
1934int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose,
1935 int purpose, int trust)
1936{
1937 int idx;
1938 /* If purpose not set use default */
1939 if (!purpose) purpose = def_purpose;
1940 /* If we have a purpose then check it is valid */
1941 if (purpose)
1942 {
1943 X509_PURPOSE *ptmp;
1944 idx = X509_PURPOSE_get_by_id(purpose);
1945 if (idx == -1)
1946 {
1947 X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT,
1948 X509_R_UNKNOWN_PURPOSE_ID);
1949 return 0;
1950 }
1951 ptmp = X509_PURPOSE_get0(idx);
1952 if (ptmp->trust == X509_TRUST_DEFAULT)
1953 {
1954 idx = X509_PURPOSE_get_by_id(def_purpose);
1955 if (idx == -1)
1956 {
1957 X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT,
1958 X509_R_UNKNOWN_PURPOSE_ID);
1959 return 0;
1960 }
1961 ptmp = X509_PURPOSE_get0(idx);
1962 }
1963 /* If trust not set then get from purpose default */
1964 if (!trust) trust = ptmp->trust;
1965 }
1966 if (trust)
1967 {
1968 idx = X509_TRUST_get_by_id(trust);
1969 if (idx == -1)
1970 {
1971 X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT,
1972 X509_R_UNKNOWN_TRUST_ID);
1973 return 0;
1974 }
1975 }
1976
1977 if (purpose && !ctx->param->purpose) ctx->param->purpose = purpose;
1978 if (trust && !ctx->param->trust) ctx->param->trust = trust;
1979 return 1;
1980}
1981
1982X509_STORE_CTX *X509_STORE_CTX_new(void)
1983{
1984 X509_STORE_CTX *ctx;
1985 ctx = (X509_STORE_CTX *)OPENSSL_malloc(sizeof(X509_STORE_CTX));
1986 if (!ctx)
1987 {
1988 X509err(X509_F_X509_STORE_CTX_NEW,ERR_R_MALLOC_FAILURE);
1989 return NULL;
1990 }
1991 memset(ctx, 0, sizeof(X509_STORE_CTX));
1992 return ctx;
1993}
1994
1995void X509_STORE_CTX_free(X509_STORE_CTX *ctx)
1996{
1997 X509_STORE_CTX_cleanup(ctx);
1998 OPENSSL_free(ctx);
1999}
2000
2001int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
2002 STACK_OF(X509) *chain)
2003 {
2004 int ret = 1;
2005 ctx->ctx=store;
2006 ctx->current_method=0;
2007 ctx->cert=x509;
2008 ctx->untrusted=chain;
2009 ctx->crls = NULL;
2010 ctx->last_untrusted=0;
2011 ctx->other_ctx=NULL;
2012 ctx->valid=0;
2013 ctx->chain=NULL;
2014 ctx->error=0;
2015 ctx->explicit_policy=0;
2016 ctx->error_depth=0;
2017 ctx->current_cert=NULL;
2018 ctx->current_issuer=NULL;
2019 ctx->current_crl=NULL;
2020 ctx->current_crl_score=0;
2021 ctx->current_reasons=0;
2022 ctx->tree = NULL;
2023 ctx->parent = NULL;
2024
2025 ctx->param = X509_VERIFY_PARAM_new();
2026
2027 if (!ctx->param)
2028 {
2029 X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE);
2030 return 0;
2031 }
2032
2033 /* Inherit callbacks and flags from X509_STORE if not set
2034 * use defaults.
2035 */
2036
2037
2038 if (store)
2039 ret = X509_VERIFY_PARAM_inherit(ctx->param, store->param);
2040 else
2041 ctx->param->inh_flags |= X509_VP_FLAG_DEFAULT|X509_VP_FLAG_ONCE;
2042
2043 if (store)
2044 {
2045 ctx->verify_cb = store->verify_cb;
2046 ctx->cleanup = store->cleanup;
2047 }
2048 else
2049 ctx->cleanup = 0;
2050
2051 if (ret)
2052 ret = X509_VERIFY_PARAM_inherit(ctx->param,
2053 X509_VERIFY_PARAM_lookup("default"));
2054
2055 if (ret == 0)
2056 {
2057 X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE);
2058 return 0;
2059 }
2060
2061 if (store && store->check_issued)
2062 ctx->check_issued = store->check_issued;
2063 else
2064 ctx->check_issued = check_issued;
2065
2066 if (store && store->get_issuer)
2067 ctx->get_issuer = store->get_issuer;
2068 else
2069 ctx->get_issuer = X509_STORE_CTX_get1_issuer;
2070
2071 if (store && store->verify_cb)
2072 ctx->verify_cb = store->verify_cb;
2073 else
2074 ctx->verify_cb = null_callback;
2075
2076 if (store && store->verify)
2077 ctx->verify = store->verify;
2078 else
2079 ctx->verify = internal_verify;
2080
2081 if (store && store->check_revocation)
2082 ctx->check_revocation = store->check_revocation;
2083 else
2084 ctx->check_revocation = check_revocation;
2085
2086 if (store && store->get_crl)
2087 ctx->get_crl = store->get_crl;
2088 else
2089 ctx->get_crl = NULL;
2090
2091 if (store && store->check_crl)
2092 ctx->check_crl = store->check_crl;
2093 else
2094 ctx->check_crl = check_crl;
2095
2096 if (store && store->cert_crl)
2097 ctx->cert_crl = store->cert_crl;
2098 else
2099 ctx->cert_crl = cert_crl;
2100
2101 if (store && store->lookup_certs)
2102 ctx->lookup_certs = store->lookup_certs;
2103 else
2104 ctx->lookup_certs = X509_STORE_get1_certs;
2105
2106 if (store && store->lookup_crls)
2107 ctx->lookup_crls = store->lookup_crls;
2108 else
2109 ctx->lookup_crls = X509_STORE_get1_crls;
2110
2111 ctx->check_policy = check_policy;
2112
2113
2114 /* This memset() can't make any sense anyway, so it's removed. As
2115 * X509_STORE_CTX_cleanup does a proper "free" on the ex_data, we put a
2116 * corresponding "new" here and remove this bogus initialisation. */
2117 /* memset(&(ctx->ex_data),0,sizeof(CRYPTO_EX_DATA)); */
2118 if(!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx,
2119 &(ctx->ex_data)))
2120 {
2121 OPENSSL_free(ctx);
2122 X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE);
2123 return 0;
2124 }
2125 return 1;
2126 }
2127
2128/* Set alternative lookup method: just a STACK of trusted certificates.
2129 * This avoids X509_STORE nastiness where it isn't needed.
2130 */
2131
2132void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
2133{
2134 ctx->other_ctx = sk;
2135 ctx->get_issuer = get_issuer_sk;
2136}
2137
2138void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx)
2139 {
2140 if (ctx->cleanup) ctx->cleanup(ctx);
2141 if (ctx->param != NULL)
2142 {
2143 if (ctx->parent == NULL)
2144 X509_VERIFY_PARAM_free(ctx->param);
2145 ctx->param=NULL;
2146 }
2147 if (ctx->tree != NULL)
2148 {
2149 X509_policy_tree_free(ctx->tree);
2150 ctx->tree=NULL;
2151 }
2152 if (ctx->chain != NULL)
2153 {
2154 sk_X509_pop_free(ctx->chain,X509_free);
2155 ctx->chain=NULL;
2156 }
2157 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx, &(ctx->ex_data));
2158 memset(&ctx->ex_data,0,sizeof(CRYPTO_EX_DATA));
2159 }
2160
2161void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth)
2162 {
2163 X509_VERIFY_PARAM_set_depth(ctx->param, depth);
2164 }
2165
2166void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, unsigned long flags)
2167 {
2168 X509_VERIFY_PARAM_set_flags(ctx->param, flags);
2169 }
2170
2171void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, unsigned long flags, time_t t)
2172 {
2173 X509_VERIFY_PARAM_set_time(ctx->param, t);
2174 }
2175
2176void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx,
2177 int (*verify_cb)(int, X509_STORE_CTX *))
2178 {
2179 ctx->verify_cb=verify_cb;
2180 }
2181
2182X509_POLICY_TREE *X509_STORE_CTX_get0_policy_tree(X509_STORE_CTX *ctx)
2183 {
2184 return ctx->tree;
2185 }
2186
2187int X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx)
2188 {
2189 return ctx->explicit_policy;
2190 }
2191
2192int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name)
2193 {
2194 const X509_VERIFY_PARAM *param;
2195 param = X509_VERIFY_PARAM_lookup(name);
2196 if (!param)
2197 return 0;
2198 return X509_VERIFY_PARAM_inherit(ctx->param, param);
2199 }
2200
2201X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx)
2202 {
2203 return ctx->param;
2204 }
2205
2206void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param)
2207 {
2208 if (ctx->param)
2209 X509_VERIFY_PARAM_free(ctx->param);
2210 ctx->param = param;
2211 }
2212
2213IMPLEMENT_STACK_OF(X509)
2214IMPLEMENT_ASN1_SET_OF(X509)
2215
2216IMPLEMENT_STACK_OF(X509_NAME)
2217
2218IMPLEMENT_STACK_OF(X509_ATTRIBUTE)
2219IMPLEMENT_ASN1_SET_OF(X509_ATTRIBUTE)
diff --git a/src/lib/libcrypto/x509/x509_vfy.h b/src/lib/libcrypto/x509/x509_vfy.h
deleted file mode 100644
index fe09b30aaa..0000000000
--- a/src/lib/libcrypto/x509/x509_vfy.h
+++ /dev/null
@@ -1,567 +0,0 @@
1/* crypto/x509/x509_vfy.h */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#ifndef HEADER_X509_H
60#include <openssl/x509.h>
61/* openssl/x509.h ends up #include-ing this file at about the only
62 * appropriate moment. */
63#endif
64
65#ifndef HEADER_X509_VFY_H
66#define HEADER_X509_VFY_H
67
68#include <openssl/opensslconf.h>
69#ifndef OPENSSL_NO_LHASH
70#include <openssl/lhash.h>
71#endif
72#include <openssl/bio.h>
73#include <openssl/crypto.h>
74#include <openssl/symhacks.h>
75
76#ifdef __cplusplus
77extern "C" {
78#endif
79
80#if 0
81/* Outer object */
82typedef struct x509_hash_dir_st
83 {
84 int num_dirs;
85 char **dirs;
86 int *dirs_type;
87 int num_dirs_alloced;
88 } X509_HASH_DIR_CTX;
89#endif
90
91typedef struct x509_file_st
92 {
93 int num_paths; /* number of paths to files or directories */
94 int num_alloced;
95 char **paths; /* the list of paths or directories */
96 int *path_type;
97 } X509_CERT_FILE_CTX;
98
99/*******************************/
100/*
101SSL_CTX -> X509_STORE
102 -> X509_LOOKUP
103 ->X509_LOOKUP_METHOD
104 -> X509_LOOKUP
105 ->X509_LOOKUP_METHOD
106
107SSL -> X509_STORE_CTX
108 ->X509_STORE
109
110The X509_STORE holds the tables etc for verification stuff.
111A X509_STORE_CTX is used while validating a single certificate.
112The X509_STORE has X509_LOOKUPs for looking up certs.
113The X509_STORE then calls a function to actually verify the
114certificate chain.
115*/
116
117#define X509_LU_RETRY -1
118#define X509_LU_FAIL 0
119#define X509_LU_X509 1
120#define X509_LU_CRL 2
121#define X509_LU_PKEY 3
122
123typedef struct x509_object_st
124 {
125 /* one of the above types */
126 int type;
127 union {
128 char *ptr;
129 X509 *x509;
130 X509_CRL *crl;
131 EVP_PKEY *pkey;
132 } data;
133 } X509_OBJECT;
134
135typedef struct x509_lookup_st X509_LOOKUP;
136
137DECLARE_STACK_OF(X509_LOOKUP)
138DECLARE_STACK_OF(X509_OBJECT)
139
140/* This is a static that defines the function interface */
141typedef struct x509_lookup_method_st
142 {
143 const char *name;
144 int (*new_item)(X509_LOOKUP *ctx);
145 void (*free)(X509_LOOKUP *ctx);
146 int (*init)(X509_LOOKUP *ctx);
147 int (*shutdown)(X509_LOOKUP *ctx);
148 int (*ctrl)(X509_LOOKUP *ctx,int cmd,const char *argc,long argl,
149 char **ret);
150 int (*get_by_subject)(X509_LOOKUP *ctx,int type,X509_NAME *name,
151 X509_OBJECT *ret);
152 int (*get_by_issuer_serial)(X509_LOOKUP *ctx,int type,X509_NAME *name,
153 ASN1_INTEGER *serial,X509_OBJECT *ret);
154 int (*get_by_fingerprint)(X509_LOOKUP *ctx,int type,
155 unsigned char *bytes,int len,
156 X509_OBJECT *ret);
157 int (*get_by_alias)(X509_LOOKUP *ctx,int type,char *str,int len,
158 X509_OBJECT *ret);
159 } X509_LOOKUP_METHOD;
160
161/* This structure hold all parameters associated with a verify operation
162 * by including an X509_VERIFY_PARAM structure in related structures the
163 * parameters used can be customized
164 */
165
166typedef struct X509_VERIFY_PARAM_st
167 {
168 char *name;
169 time_t check_time; /* Time to use */
170 unsigned long inh_flags; /* Inheritance flags */
171 unsigned long flags; /* Various verify flags */
172 int purpose; /* purpose to check untrusted certificates */
173 int trust; /* trust setting to check */
174 int depth; /* Verify depth */
175 STACK_OF(ASN1_OBJECT) *policies; /* Permissible policies */
176 } X509_VERIFY_PARAM;
177
178DECLARE_STACK_OF(X509_VERIFY_PARAM)
179
180/* This is used to hold everything. It is used for all certificate
181 * validation. Once we have a certificate chain, the 'verify'
182 * function is then called to actually check the cert chain. */
183struct x509_store_st
184 {
185 /* The following is a cache of trusted certs */
186 int cache; /* if true, stash any hits */
187 STACK_OF(X509_OBJECT) *objs; /* Cache of all objects */
188
189 /* These are external lookup methods */
190 STACK_OF(X509_LOOKUP) *get_cert_methods;
191
192 X509_VERIFY_PARAM *param;
193
194 /* Callbacks for various operations */
195 int (*verify)(X509_STORE_CTX *ctx); /* called to verify a certificate */
196 int (*verify_cb)(int ok,X509_STORE_CTX *ctx); /* error callback */
197 int (*get_issuer)(X509 **issuer, X509_STORE_CTX *ctx, X509 *x); /* get issuers cert from ctx */
198 int (*check_issued)(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); /* check issued */
199 int (*check_revocation)(X509_STORE_CTX *ctx); /* Check revocation status of chain */
200 int (*get_crl)(X509_STORE_CTX *ctx, X509_CRL **crl, X509 *x); /* retrieve CRL */
201 int (*check_crl)(X509_STORE_CTX *ctx, X509_CRL *crl); /* Check CRL validity */
202 int (*cert_crl)(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x); /* Check certificate against CRL */
203 STACK_OF(X509) * (*lookup_certs)(X509_STORE_CTX *ctx, X509_NAME *nm);
204 STACK_OF(X509_CRL) * (*lookup_crls)(X509_STORE_CTX *ctx, X509_NAME *nm);
205 int (*cleanup)(X509_STORE_CTX *ctx);
206
207 CRYPTO_EX_DATA ex_data;
208 int references;
209 } /* X509_STORE */;
210
211int X509_STORE_set_depth(X509_STORE *store, int depth);
212
213#define X509_STORE_set_verify_cb_func(ctx,func) ((ctx)->verify_cb=(func))
214#define X509_STORE_set_verify_func(ctx,func) ((ctx)->verify=(func))
215
216/* This is the functions plus an instance of the local variables. */
217struct x509_lookup_st
218 {
219 int init; /* have we been started */
220 int skip; /* don't use us. */
221 X509_LOOKUP_METHOD *method; /* the functions */
222 char *method_data; /* method data */
223
224 X509_STORE *store_ctx; /* who owns us */
225 } /* X509_LOOKUP */;
226
227/* This is a used when verifying cert chains. Since the
228 * gathering of the cert chain can take some time (and have to be
229 * 'retried', this needs to be kept and passed around. */
230struct x509_store_ctx_st /* X509_STORE_CTX */
231 {
232 X509_STORE *ctx;
233 int current_method; /* used when looking up certs */
234
235 /* The following are set by the caller */
236 X509 *cert; /* The cert to check */
237 STACK_OF(X509) *untrusted; /* chain of X509s - untrusted - passed in */
238 STACK_OF(X509_CRL) *crls; /* set of CRLs passed in */
239
240 X509_VERIFY_PARAM *param;
241 void *other_ctx; /* Other info for use with get_issuer() */
242
243 /* Callbacks for various operations */
244 int (*verify)(X509_STORE_CTX *ctx); /* called to verify a certificate */
245 int (*verify_cb)(int ok,X509_STORE_CTX *ctx); /* error callback */
246 int (*get_issuer)(X509 **issuer, X509_STORE_CTX *ctx, X509 *x); /* get issuers cert from ctx */
247 int (*check_issued)(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); /* check issued */
248 int (*check_revocation)(X509_STORE_CTX *ctx); /* Check revocation status of chain */
249 int (*get_crl)(X509_STORE_CTX *ctx, X509_CRL **crl, X509 *x); /* retrieve CRL */
250 int (*check_crl)(X509_STORE_CTX *ctx, X509_CRL *crl); /* Check CRL validity */
251 int (*cert_crl)(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x); /* Check certificate against CRL */
252 int (*check_policy)(X509_STORE_CTX *ctx);
253 STACK_OF(X509) * (*lookup_certs)(X509_STORE_CTX *ctx, X509_NAME *nm);
254 STACK_OF(X509_CRL) * (*lookup_crls)(X509_STORE_CTX *ctx, X509_NAME *nm);
255 int (*cleanup)(X509_STORE_CTX *ctx);
256
257 /* The following is built up */
258 int valid; /* if 0, rebuild chain */
259 int last_untrusted; /* index of last untrusted cert */
260 STACK_OF(X509) *chain; /* chain of X509s - built up and trusted */
261 X509_POLICY_TREE *tree; /* Valid policy tree */
262
263 int explicit_policy; /* Require explicit policy value */
264
265 /* When something goes wrong, this is why */
266 int error_depth;
267 int error;
268 X509 *current_cert;
269 X509 *current_issuer; /* cert currently being tested as valid issuer */
270 X509_CRL *current_crl; /* current CRL */
271
272 int current_crl_score; /* score of current CRL */
273 unsigned int current_reasons; /* Reason mask */
274
275 X509_STORE_CTX *parent; /* For CRL path validation: parent context */
276
277 CRYPTO_EX_DATA ex_data;
278 } /* X509_STORE_CTX */;
279
280void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
281
282#define X509_STORE_CTX_set_app_data(ctx,data) \
283 X509_STORE_CTX_set_ex_data(ctx,0,data)
284#define X509_STORE_CTX_get_app_data(ctx) \
285 X509_STORE_CTX_get_ex_data(ctx,0)
286
287#define X509_L_FILE_LOAD 1
288#define X509_L_ADD_DIR 2
289
290#define X509_LOOKUP_load_file(x,name,type) \
291 X509_LOOKUP_ctrl((x),X509_L_FILE_LOAD,(name),(long)(type),NULL)
292
293#define X509_LOOKUP_add_dir(x,name,type) \
294 X509_LOOKUP_ctrl((x),X509_L_ADD_DIR,(name),(long)(type),NULL)
295
296#define X509_V_OK 0
297/* illegal error (for uninitialized values, to avoid X509_V_OK): 1 */
298
299#define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT 2
300#define X509_V_ERR_UNABLE_TO_GET_CRL 3
301#define X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE 4
302#define X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE 5
303#define X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY 6
304#define X509_V_ERR_CERT_SIGNATURE_FAILURE 7
305#define X509_V_ERR_CRL_SIGNATURE_FAILURE 8
306#define X509_V_ERR_CERT_NOT_YET_VALID 9
307#define X509_V_ERR_CERT_HAS_EXPIRED 10
308#define X509_V_ERR_CRL_NOT_YET_VALID 11
309#define X509_V_ERR_CRL_HAS_EXPIRED 12
310#define X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD 13
311#define X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD 14
312#define X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD 15
313#define X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD 16
314#define X509_V_ERR_OUT_OF_MEM 17
315#define X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT 18
316#define X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN 19
317#define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY 20
318#define X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE 21
319#define X509_V_ERR_CERT_CHAIN_TOO_LONG 22
320#define X509_V_ERR_CERT_REVOKED 23
321#define X509_V_ERR_INVALID_CA 24
322#define X509_V_ERR_PATH_LENGTH_EXCEEDED 25
323#define X509_V_ERR_INVALID_PURPOSE 26
324#define X509_V_ERR_CERT_UNTRUSTED 27
325#define X509_V_ERR_CERT_REJECTED 28
326/* These are 'informational' when looking for issuer cert */
327#define X509_V_ERR_SUBJECT_ISSUER_MISMATCH 29
328#define X509_V_ERR_AKID_SKID_MISMATCH 30
329#define X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH 31
330#define X509_V_ERR_KEYUSAGE_NO_CERTSIGN 32
331
332#define X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER 33
333#define X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION 34
334#define X509_V_ERR_KEYUSAGE_NO_CRL_SIGN 35
335#define X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION 36
336#define X509_V_ERR_INVALID_NON_CA 37
337#define X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED 38
338#define X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE 39
339#define X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED 40
340
341#define X509_V_ERR_INVALID_EXTENSION 41
342#define X509_V_ERR_INVALID_POLICY_EXTENSION 42
343#define X509_V_ERR_NO_EXPLICIT_POLICY 43
344#define X509_V_ERR_DIFFERENT_CRL_SCOPE 44
345#define X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE 45
346
347#define X509_V_ERR_UNNESTED_RESOURCE 46
348
349#define X509_V_ERR_PERMITTED_VIOLATION 47
350#define X509_V_ERR_EXCLUDED_VIOLATION 48
351#define X509_V_ERR_SUBTREE_MINMAX 49
352#define X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE 51
353#define X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX 52
354#define X509_V_ERR_UNSUPPORTED_NAME_SYNTAX 53
355#define X509_V_ERR_CRL_PATH_VALIDATION_ERROR 54
356
357/* The application is not happy */
358#define X509_V_ERR_APPLICATION_VERIFICATION 50
359
360/* Certificate verify flags */
361
362/* Send issuer+subject checks to verify_cb */
363#define X509_V_FLAG_CB_ISSUER_CHECK 0x1
364/* Use check time instead of current time */
365#define X509_V_FLAG_USE_CHECK_TIME 0x2
366/* Lookup CRLs */
367#define X509_V_FLAG_CRL_CHECK 0x4
368/* Lookup CRLs for whole chain */
369#define X509_V_FLAG_CRL_CHECK_ALL 0x8
370/* Ignore unhandled critical extensions */
371#define X509_V_FLAG_IGNORE_CRITICAL 0x10
372/* Disable workarounds for broken certificates */
373#define X509_V_FLAG_X509_STRICT 0x20
374/* Enable proxy certificate validation */
375#define X509_V_FLAG_ALLOW_PROXY_CERTS 0x40
376/* Enable policy checking */
377#define X509_V_FLAG_POLICY_CHECK 0x80
378/* Policy variable require-explicit-policy */
379#define X509_V_FLAG_EXPLICIT_POLICY 0x100
380/* Policy variable inhibit-any-policy */
381#define X509_V_FLAG_INHIBIT_ANY 0x200
382/* Policy variable inhibit-policy-mapping */
383#define X509_V_FLAG_INHIBIT_MAP 0x400
384/* Notify callback that policy is OK */
385#define X509_V_FLAG_NOTIFY_POLICY 0x800
386/* Extended CRL features such as indirect CRLs, alternate CRL signing keys */
387#define X509_V_FLAG_EXTENDED_CRL_SUPPORT 0x1000
388/* Delta CRL support */
389#define X509_V_FLAG_USE_DELTAS 0x2000
390/* Check selfsigned CA signature */
391#define X509_V_FLAG_CHECK_SS_SIGNATURE 0x4000
392
393
394#define X509_VP_FLAG_DEFAULT 0x1
395#define X509_VP_FLAG_OVERWRITE 0x2
396#define X509_VP_FLAG_RESET_FLAGS 0x4
397#define X509_VP_FLAG_LOCKED 0x8
398#define X509_VP_FLAG_ONCE 0x10
399
400/* Internal use: mask of policy related options */
401#define X509_V_FLAG_POLICY_MASK (X509_V_FLAG_POLICY_CHECK \
402 | X509_V_FLAG_EXPLICIT_POLICY \
403 | X509_V_FLAG_INHIBIT_ANY \
404 | X509_V_FLAG_INHIBIT_MAP)
405
406int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, int type,
407 X509_NAME *name);
408X509_OBJECT *X509_OBJECT_retrieve_by_subject(STACK_OF(X509_OBJECT) *h,int type,X509_NAME *name);
409X509_OBJECT *X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h, X509_OBJECT *x);
410void X509_OBJECT_up_ref_count(X509_OBJECT *a);
411void X509_OBJECT_free_contents(X509_OBJECT *a);
412X509_STORE *X509_STORE_new(void );
413void X509_STORE_free(X509_STORE *v);
414
415STACK_OF(X509)* X509_STORE_get1_certs(X509_STORE_CTX *st, X509_NAME *nm);
416STACK_OF(X509_CRL)* X509_STORE_get1_crls(X509_STORE_CTX *st, X509_NAME *nm);
417int X509_STORE_set_flags(X509_STORE *ctx, unsigned long flags);
418int X509_STORE_set_purpose(X509_STORE *ctx, int purpose);
419int X509_STORE_set_trust(X509_STORE *ctx, int trust);
420int X509_STORE_set1_param(X509_STORE *ctx, X509_VERIFY_PARAM *pm);
421
422void X509_STORE_set_verify_cb(X509_STORE *ctx,
423 int (*verify_cb)(int, X509_STORE_CTX *));
424
425X509_STORE_CTX *X509_STORE_CTX_new(void);
426
427int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x);
428
429void X509_STORE_CTX_free(X509_STORE_CTX *ctx);
430int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store,
431 X509 *x509, STACK_OF(X509) *chain);
432void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk);
433void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx);
434
435X509_LOOKUP *X509_STORE_add_lookup(X509_STORE *v, X509_LOOKUP_METHOD *m);
436
437X509_LOOKUP_METHOD *X509_LOOKUP_hash_dir(void);
438X509_LOOKUP_METHOD *X509_LOOKUP_file(void);
439
440int X509_STORE_add_cert(X509_STORE *ctx, X509 *x);
441int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x);
442
443int X509_STORE_get_by_subject(X509_STORE_CTX *vs,int type,X509_NAME *name,
444 X509_OBJECT *ret);
445
446int X509_LOOKUP_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc,
447 long argl, char **ret);
448
449#ifndef OPENSSL_NO_STDIO
450int X509_load_cert_file(X509_LOOKUP *ctx, const char *file, int type);
451int X509_load_crl_file(X509_LOOKUP *ctx, const char *file, int type);
452int X509_load_cert_crl_file(X509_LOOKUP *ctx, const char *file, int type);
453#endif
454
455
456X509_LOOKUP *X509_LOOKUP_new(X509_LOOKUP_METHOD *method);
457void X509_LOOKUP_free(X509_LOOKUP *ctx);
458int X509_LOOKUP_init(X509_LOOKUP *ctx);
459int X509_LOOKUP_by_subject(X509_LOOKUP *ctx, int type, X509_NAME *name,
460 X509_OBJECT *ret);
461int X509_LOOKUP_by_issuer_serial(X509_LOOKUP *ctx, int type, X509_NAME *name,
462 ASN1_INTEGER *serial, X509_OBJECT *ret);
463int X509_LOOKUP_by_fingerprint(X509_LOOKUP *ctx, int type,
464 unsigned char *bytes, int len, X509_OBJECT *ret);
465int X509_LOOKUP_by_alias(X509_LOOKUP *ctx, int type, char *str,
466 int len, X509_OBJECT *ret);
467int X509_LOOKUP_shutdown(X509_LOOKUP *ctx);
468
469#ifndef OPENSSL_NO_STDIO
470int X509_STORE_load_locations (X509_STORE *ctx,
471 const char *file, const char *dir);
472int X509_STORE_set_default_paths(X509_STORE *ctx);
473#endif
474
475int X509_STORE_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
476 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
477int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx,int idx,void *data);
478void * X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx,int idx);
479int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx);
480void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx,int s);
481int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx);
482X509 * X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx);
483X509 *X509_STORE_CTX_get0_current_issuer(X509_STORE_CTX *ctx);
484X509_CRL *X509_STORE_CTX_get0_current_crl(X509_STORE_CTX *ctx);
485X509_STORE_CTX *X509_STORE_CTX_get0_parent_ctx(X509_STORE_CTX *ctx);
486STACK_OF(X509) *X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx);
487STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx);
488void X509_STORE_CTX_set_cert(X509_STORE_CTX *c,X509 *x);
489void X509_STORE_CTX_set_chain(X509_STORE_CTX *c,STACK_OF(X509) *sk);
490void X509_STORE_CTX_set0_crls(X509_STORE_CTX *c,STACK_OF(X509_CRL) *sk);
491int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose);
492int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust);
493int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose,
494 int purpose, int trust);
495void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, unsigned long flags);
496void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, unsigned long flags,
497 time_t t);
498void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx,
499 int (*verify_cb)(int, X509_STORE_CTX *));
500
501X509_POLICY_TREE *X509_STORE_CTX_get0_policy_tree(X509_STORE_CTX *ctx);
502int X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx);
503
504X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx);
505void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param);
506int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name);
507
508/* X509_VERIFY_PARAM functions */
509
510X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void);
511void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param);
512int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *to,
513 const X509_VERIFY_PARAM *from);
514int X509_VERIFY_PARAM_set1(X509_VERIFY_PARAM *to,
515 const X509_VERIFY_PARAM *from);
516int X509_VERIFY_PARAM_set1_name(X509_VERIFY_PARAM *param, const char *name);
517int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, unsigned long flags);
518int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param,
519 unsigned long flags);
520unsigned long X509_VERIFY_PARAM_get_flags(X509_VERIFY_PARAM *param);
521int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param, int purpose);
522int X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *param, int trust);
523void X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param, int depth);
524void X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param, time_t t);
525int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param,
526 ASN1_OBJECT *policy);
527int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param,
528 STACK_OF(ASN1_OBJECT) *policies);
529int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param);
530
531int X509_VERIFY_PARAM_add0_table(X509_VERIFY_PARAM *param);
532const X509_VERIFY_PARAM *X509_VERIFY_PARAM_lookup(const char *name);
533void X509_VERIFY_PARAM_table_cleanup(void);
534
535int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy,
536 STACK_OF(X509) *certs,
537 STACK_OF(ASN1_OBJECT) *policy_oids,
538 unsigned int flags);
539
540void X509_policy_tree_free(X509_POLICY_TREE *tree);
541
542int X509_policy_tree_level_count(const X509_POLICY_TREE *tree);
543X509_POLICY_LEVEL *
544 X509_policy_tree_get0_level(const X509_POLICY_TREE *tree, int i);
545
546STACK_OF(X509_POLICY_NODE) *
547 X509_policy_tree_get0_policies(const X509_POLICY_TREE *tree);
548
549STACK_OF(X509_POLICY_NODE) *
550 X509_policy_tree_get0_user_policies(const X509_POLICY_TREE *tree);
551
552int X509_policy_level_node_count(X509_POLICY_LEVEL *level);
553
554X509_POLICY_NODE *X509_policy_level_get0_node(X509_POLICY_LEVEL *level, int i);
555
556const ASN1_OBJECT *X509_policy_node_get0_policy(const X509_POLICY_NODE *node);
557
558STACK_OF(POLICYQUALINFO) *
559 X509_policy_node_get0_qualifiers(const X509_POLICY_NODE *node);
560const X509_POLICY_NODE *
561 X509_policy_node_get0_parent(const X509_POLICY_NODE *node);
562
563#ifdef __cplusplus
564}
565#endif
566#endif
567
diff --git a/src/lib/libcrypto/x509/x509_vpm.c b/src/lib/libcrypto/x509/x509_vpm.c
deleted file mode 100644
index dfd89d89fa..0000000000
--- a/src/lib/libcrypto/x509/x509_vpm.c
+++ /dev/null
@@ -1,438 +0,0 @@
1/* x509_vpm.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2004.
4 */
5/* ====================================================================
6 * Copyright (c) 2004 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60
61#include "cryptlib.h"
62#include <openssl/crypto.h>
63#include <openssl/lhash.h>
64#include <openssl/buffer.h>
65#include <openssl/x509.h>
66#include <openssl/x509v3.h>
67
68/* X509_VERIFY_PARAM functions */
69
70static void x509_verify_param_zero(X509_VERIFY_PARAM *param)
71 {
72 if (!param)
73 return;
74 param->name = NULL;
75 param->purpose = 0;
76 param->trust = 0;
77 /*param->inh_flags = X509_VP_FLAG_DEFAULT;*/
78 param->inh_flags = 0;
79 param->flags = 0;
80 param->depth = -1;
81 if (param->policies)
82 {
83 sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free);
84 param->policies = NULL;
85 }
86 }
87
88X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void)
89 {
90 X509_VERIFY_PARAM *param;
91 param = OPENSSL_malloc(sizeof(X509_VERIFY_PARAM));
92 memset(param, 0, sizeof(X509_VERIFY_PARAM));
93 x509_verify_param_zero(param);
94 return param;
95 }
96
97void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param)
98 {
99 x509_verify_param_zero(param);
100 OPENSSL_free(param);
101 }
102
103/* This function determines how parameters are "inherited" from one structure
104 * to another. There are several different ways this can happen.
105 *
106 * 1. If a child structure needs to have its values initialized from a parent
107 * they are simply copied across. For example SSL_CTX copied to SSL.
108 * 2. If the structure should take on values only if they are currently unset.
109 * For example the values in an SSL structure will take appropriate value
110 * for SSL servers or clients but only if the application has not set new
111 * ones.
112 *
113 * The "inh_flags" field determines how this function behaves.
114 *
115 * Normally any values which are set in the default are not copied from the
116 * destination and verify flags are ORed together.
117 *
118 * If X509_VP_FLAG_DEFAULT is set then anything set in the source is copied
119 * to the destination. Effectively the values in "to" become default values
120 * which will be used only if nothing new is set in "from".
121 *
122 * If X509_VP_FLAG_OVERWRITE is set then all value are copied across whether
123 * they are set or not. Flags is still Ored though.
124 *
125 * If X509_VP_FLAG_RESET_FLAGS is set then the flags value is copied instead
126 * of ORed.
127 *
128 * If X509_VP_FLAG_LOCKED is set then no values are copied.
129 *
130 * If X509_VP_FLAG_ONCE is set then the current inh_flags setting is zeroed
131 * after the next call.
132 */
133
134/* Macro to test if a field should be copied from src to dest */
135
136#define test_x509_verify_param_copy(field, def) \
137 (to_overwrite || \
138 ((src->field != def) && (to_default || (dest->field == def))))
139
140/* Macro to test and copy a field if necessary */
141
142#define x509_verify_param_copy(field, def) \
143 if (test_x509_verify_param_copy(field, def)) \
144 dest->field = src->field
145
146
147int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest,
148 const X509_VERIFY_PARAM *src)
149 {
150 unsigned long inh_flags;
151 int to_default, to_overwrite;
152 if (!src)
153 return 1;
154 inh_flags = dest->inh_flags | src->inh_flags;
155
156 if (inh_flags & X509_VP_FLAG_ONCE)
157 dest->inh_flags = 0;
158
159 if (inh_flags & X509_VP_FLAG_LOCKED)
160 return 1;
161
162 if (inh_flags & X509_VP_FLAG_DEFAULT)
163 to_default = 1;
164 else
165 to_default = 0;
166
167 if (inh_flags & X509_VP_FLAG_OVERWRITE)
168 to_overwrite = 1;
169 else
170 to_overwrite = 0;
171
172 x509_verify_param_copy(purpose, 0);
173 x509_verify_param_copy(trust, 0);
174 x509_verify_param_copy(depth, -1);
175
176 /* If overwrite or check time not set, copy across */
177
178 if (to_overwrite || !(dest->flags & X509_V_FLAG_USE_CHECK_TIME))
179 {
180 dest->check_time = src->check_time;
181 dest->flags &= ~X509_V_FLAG_USE_CHECK_TIME;
182 /* Don't need to copy flag: that is done below */
183 }
184
185 if (inh_flags & X509_VP_FLAG_RESET_FLAGS)
186 dest->flags = 0;
187
188 dest->flags |= src->flags;
189
190 if (test_x509_verify_param_copy(policies, NULL))
191 {
192 if (!X509_VERIFY_PARAM_set1_policies(dest, src->policies))
193 return 0;
194 }
195
196 return 1;
197 }
198
199int X509_VERIFY_PARAM_set1(X509_VERIFY_PARAM *to,
200 const X509_VERIFY_PARAM *from)
201 {
202 unsigned long save_flags = to->inh_flags;
203 int ret;
204 to->inh_flags |= X509_VP_FLAG_DEFAULT;
205 ret = X509_VERIFY_PARAM_inherit(to, from);
206 to->inh_flags = save_flags;
207 return ret;
208 }
209
210int X509_VERIFY_PARAM_set1_name(X509_VERIFY_PARAM *param, const char *name)
211 {
212 if (param->name)
213 OPENSSL_free(param->name);
214 param->name = BUF_strdup(name);
215 if (param->name)
216 return 1;
217 return 0;
218 }
219
220int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, unsigned long flags)
221 {
222 param->flags |= flags;
223 if (flags & X509_V_FLAG_POLICY_MASK)
224 param->flags |= X509_V_FLAG_POLICY_CHECK;
225 return 1;
226 }
227
228int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param, unsigned long flags)
229 {
230 param->flags &= ~flags;
231 return 1;
232 }
233
234unsigned long X509_VERIFY_PARAM_get_flags(X509_VERIFY_PARAM *param)
235 {
236 return param->flags;
237 }
238
239int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param, int purpose)
240 {
241 return X509_PURPOSE_set(&param->purpose, purpose);
242 }
243
244int X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *param, int trust)
245 {
246 return X509_TRUST_set(&param->trust, trust);
247 }
248
249void X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param, int depth)
250 {
251 param->depth = depth;
252 }
253
254void X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param, time_t t)
255 {
256 param->check_time = t;
257 param->flags |= X509_V_FLAG_USE_CHECK_TIME;
258 }
259
260int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param, ASN1_OBJECT *policy)
261 {
262 if (!param->policies)
263 {
264 param->policies = sk_ASN1_OBJECT_new_null();
265 if (!param->policies)
266 return 0;
267 }
268 if (!sk_ASN1_OBJECT_push(param->policies, policy))
269 return 0;
270 return 1;
271 }
272
273int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param,
274 STACK_OF(ASN1_OBJECT) *policies)
275 {
276 int i;
277 ASN1_OBJECT *oid, *doid;
278 if (!param)
279 return 0;
280 if (param->policies)
281 sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free);
282
283 if (!policies)
284 {
285 param->policies = NULL;
286 return 1;
287 }
288
289 param->policies = sk_ASN1_OBJECT_new_null();
290 if (!param->policies)
291 return 0;
292
293 for (i = 0; i < sk_ASN1_OBJECT_num(policies); i++)
294 {
295 oid = sk_ASN1_OBJECT_value(policies, i);
296 doid = OBJ_dup(oid);
297 if (!doid)
298 return 0;
299 if (!sk_ASN1_OBJECT_push(param->policies, doid))
300 {
301 ASN1_OBJECT_free(doid);
302 return 0;
303 }
304 }
305 param->flags |= X509_V_FLAG_POLICY_CHECK;
306 return 1;
307 }
308
309int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param)
310 {
311 return param->depth;
312 }
313
314/* Default verify parameters: these are used for various
315 * applications and can be overridden by the user specified table.
316 * NB: the 'name' field *must* be in alphabetical order because it
317 * will be searched using OBJ_search.
318 */
319
320static const X509_VERIFY_PARAM default_table[] = {
321 {
322 "default", /* X509 default parameters */
323 0, /* Check time */
324 0, /* internal flags */
325 0, /* flags */
326 0, /* purpose */
327 0, /* trust */
328 100, /* depth */
329 NULL /* policies */
330 },
331 {
332 "pkcs7", /* S/MIME sign parameters */
333 0, /* Check time */
334 0, /* internal flags */
335 0, /* flags */
336 X509_PURPOSE_SMIME_SIGN, /* purpose */
337 X509_TRUST_EMAIL, /* trust */
338 -1, /* depth */
339 NULL /* policies */
340 },
341 {
342 "smime_sign", /* S/MIME sign parameters */
343 0, /* Check time */
344 0, /* internal flags */
345 0, /* flags */
346 X509_PURPOSE_SMIME_SIGN, /* purpose */
347 X509_TRUST_EMAIL, /* trust */
348 -1, /* depth */
349 NULL /* policies */
350 },
351 {
352 "ssl_client", /* SSL/TLS client parameters */
353 0, /* Check time */
354 0, /* internal flags */
355 0, /* flags */
356 X509_PURPOSE_SSL_CLIENT, /* purpose */
357 X509_TRUST_SSL_CLIENT, /* trust */
358 -1, /* depth */
359 NULL /* policies */
360 },
361 {
362 "ssl_server", /* SSL/TLS server parameters */
363 0, /* Check time */
364 0, /* internal flags */
365 0, /* flags */
366 X509_PURPOSE_SSL_SERVER, /* purpose */
367 X509_TRUST_SSL_SERVER, /* trust */
368 -1, /* depth */
369 NULL /* policies */
370 }};
371
372static STACK_OF(X509_VERIFY_PARAM) *param_table = NULL;
373
374static int table_cmp(const X509_VERIFY_PARAM *a, const X509_VERIFY_PARAM *b)
375
376 {
377 return strcmp(a->name, b->name);
378 }
379
380DECLARE_OBJ_BSEARCH_CMP_FN(X509_VERIFY_PARAM, X509_VERIFY_PARAM,
381 table);
382IMPLEMENT_OBJ_BSEARCH_CMP_FN(X509_VERIFY_PARAM, X509_VERIFY_PARAM,
383 table);
384
385static int param_cmp(const X509_VERIFY_PARAM * const *a,
386 const X509_VERIFY_PARAM * const *b)
387 {
388 return strcmp((*a)->name, (*b)->name);
389 }
390
391int X509_VERIFY_PARAM_add0_table(X509_VERIFY_PARAM *param)
392 {
393 int idx;
394 X509_VERIFY_PARAM *ptmp;
395 if (!param_table)
396 {
397 param_table = sk_X509_VERIFY_PARAM_new(param_cmp);
398 if (!param_table)
399 return 0;
400 }
401 else
402 {
403 idx = sk_X509_VERIFY_PARAM_find(param_table, param);
404 if (idx != -1)
405 {
406 ptmp = sk_X509_VERIFY_PARAM_value(param_table, idx);
407 X509_VERIFY_PARAM_free(ptmp);
408 (void)sk_X509_VERIFY_PARAM_delete(param_table, idx);
409 }
410 }
411 if (!sk_X509_VERIFY_PARAM_push(param_table, param))
412 return 0;
413 return 1;
414 }
415
416const X509_VERIFY_PARAM *X509_VERIFY_PARAM_lookup(const char *name)
417 {
418 int idx;
419 X509_VERIFY_PARAM pm;
420
421 pm.name = (char *)name;
422 if (param_table)
423 {
424 idx = sk_X509_VERIFY_PARAM_find(param_table, &pm);
425 if (idx != -1)
426 return sk_X509_VERIFY_PARAM_value(param_table, idx);
427 }
428 return OBJ_bsearch_table(&pm, default_table,
429 sizeof(default_table)/sizeof(X509_VERIFY_PARAM));
430 }
431
432void X509_VERIFY_PARAM_table_cleanup(void)
433 {
434 if (param_table)
435 sk_X509_VERIFY_PARAM_pop_free(param_table,
436 X509_VERIFY_PARAM_free);
437 param_table = NULL;
438 }
diff --git a/src/lib/libcrypto/x509/x509cset.c b/src/lib/libcrypto/x509/x509cset.c
deleted file mode 100644
index 3109defb0b..0000000000
--- a/src/lib/libcrypto/x509/x509cset.c
+++ /dev/null
@@ -1,170 +0,0 @@
1/* crypto/x509/x509cset.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2001.
4 */
5/* ====================================================================
6 * Copyright (c) 2001 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/asn1.h>
62#include <openssl/objects.h>
63#include <openssl/evp.h>
64#include <openssl/x509.h>
65
66int X509_CRL_set_version(X509_CRL *x, long version)
67 {
68 if (x == NULL) return(0);
69 if (x->crl->version == NULL)
70 {
71 if ((x->crl->version=M_ASN1_INTEGER_new()) == NULL)
72 return(0);
73 }
74 return(ASN1_INTEGER_set(x->crl->version,version));
75 }
76
77int X509_CRL_set_issuer_name(X509_CRL *x, X509_NAME *name)
78 {
79 if ((x == NULL) || (x->crl == NULL)) return(0);
80 return(X509_NAME_set(&x->crl->issuer,name));
81 }
82
83
84int X509_CRL_set_lastUpdate(X509_CRL *x, const ASN1_TIME *tm)
85 {
86 ASN1_TIME *in;
87
88 if (x == NULL) return(0);
89 in=x->crl->lastUpdate;
90 if (in != tm)
91 {
92 in=M_ASN1_TIME_dup(tm);
93 if (in != NULL)
94 {
95 M_ASN1_TIME_free(x->crl->lastUpdate);
96 x->crl->lastUpdate=in;
97 }
98 }
99 return(in != NULL);
100 }
101
102int X509_CRL_set_nextUpdate(X509_CRL *x, const ASN1_TIME *tm)
103 {
104 ASN1_TIME *in;
105
106 if (x == NULL) return(0);
107 in=x->crl->nextUpdate;
108 if (in != tm)
109 {
110 in=M_ASN1_TIME_dup(tm);
111 if (in != NULL)
112 {
113 M_ASN1_TIME_free(x->crl->nextUpdate);
114 x->crl->nextUpdate=in;
115 }
116 }
117 return(in != NULL);
118 }
119
120int X509_CRL_sort(X509_CRL *c)
121 {
122 int i;
123 X509_REVOKED *r;
124 /* sort the data so it will be written in serial
125 * number order */
126 sk_X509_REVOKED_sort(c->crl->revoked);
127 for (i=0; i<sk_X509_REVOKED_num(c->crl->revoked); i++)
128 {
129 r=sk_X509_REVOKED_value(c->crl->revoked,i);
130 r->sequence=i;
131 }
132 c->crl->enc.modified = 1;
133 return 1;
134 }
135
136int X509_REVOKED_set_revocationDate(X509_REVOKED *x, ASN1_TIME *tm)
137 {
138 ASN1_TIME *in;
139
140 if (x == NULL) return(0);
141 in=x->revocationDate;
142 if (in != tm)
143 {
144 in=M_ASN1_TIME_dup(tm);
145 if (in != NULL)
146 {
147 M_ASN1_TIME_free(x->revocationDate);
148 x->revocationDate=in;
149 }
150 }
151 return(in != NULL);
152 }
153
154int X509_REVOKED_set_serialNumber(X509_REVOKED *x, ASN1_INTEGER *serial)
155 {
156 ASN1_INTEGER *in;
157
158 if (x == NULL) return(0);
159 in=x->serialNumber;
160 if (in != serial)
161 {
162 in=M_ASN1_INTEGER_dup(serial);
163 if (in != NULL)
164 {
165 M_ASN1_INTEGER_free(x->serialNumber);
166 x->serialNumber=in;
167 }
168 }
169 return(in != NULL);
170 }
diff --git a/src/lib/libcrypto/x509/x509name.c b/src/lib/libcrypto/x509/x509name.c
deleted file mode 100644
index 27bc4dc9a3..0000000000
--- a/src/lib/libcrypto/x509/x509name.c
+++ /dev/null
@@ -1,383 +0,0 @@
1/* crypto/x509/x509name.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include <openssl/stack.h>
61#include "cryptlib.h"
62#include <openssl/asn1.h>
63#include <openssl/objects.h>
64#include <openssl/evp.h>
65#include <openssl/x509.h>
66
67int X509_NAME_get_text_by_NID(X509_NAME *name, int nid, char *buf, int len)
68 {
69 ASN1_OBJECT *obj;
70
71 obj=OBJ_nid2obj(nid);
72 if (obj == NULL) return(-1);
73 return(X509_NAME_get_text_by_OBJ(name,obj,buf,len));
74 }
75
76int X509_NAME_get_text_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, char *buf,
77 int len)
78 {
79 int i;
80 ASN1_STRING *data;
81
82 i=X509_NAME_get_index_by_OBJ(name,obj,-1);
83 if (i < 0) return(-1);
84 data=X509_NAME_ENTRY_get_data(X509_NAME_get_entry(name,i));
85 i=(data->length > (len-1))?(len-1):data->length;
86 if (buf == NULL) return(data->length);
87 memcpy(buf,data->data,i);
88 buf[i]='\0';
89 return(i);
90 }
91
92int X509_NAME_entry_count(X509_NAME *name)
93 {
94 if (name == NULL) return(0);
95 return(sk_X509_NAME_ENTRY_num(name->entries));
96 }
97
98int X509_NAME_get_index_by_NID(X509_NAME *name, int nid, int lastpos)
99 {
100 ASN1_OBJECT *obj;
101
102 obj=OBJ_nid2obj(nid);
103 if (obj == NULL) return(-2);
104 return(X509_NAME_get_index_by_OBJ(name,obj,lastpos));
105 }
106
107/* NOTE: you should be passsing -1, not 0 as lastpos */
108int X509_NAME_get_index_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj,
109 int lastpos)
110 {
111 int n;
112 X509_NAME_ENTRY *ne;
113 STACK_OF(X509_NAME_ENTRY) *sk;
114
115 if (name == NULL) return(-1);
116 if (lastpos < 0)
117 lastpos= -1;
118 sk=name->entries;
119 n=sk_X509_NAME_ENTRY_num(sk);
120 for (lastpos++; lastpos < n; lastpos++)
121 {
122 ne=sk_X509_NAME_ENTRY_value(sk,lastpos);
123 if (OBJ_cmp(ne->object,obj) == 0)
124 return(lastpos);
125 }
126 return(-1);
127 }
128
129X509_NAME_ENTRY *X509_NAME_get_entry(X509_NAME *name, int loc)
130 {
131 if(name == NULL || sk_X509_NAME_ENTRY_num(name->entries) <= loc
132 || loc < 0)
133 return(NULL);
134 else
135 return(sk_X509_NAME_ENTRY_value(name->entries,loc));
136 }
137
138X509_NAME_ENTRY *X509_NAME_delete_entry(X509_NAME *name, int loc)
139 {
140 X509_NAME_ENTRY *ret;
141 int i,n,set_prev,set_next;
142 STACK_OF(X509_NAME_ENTRY) *sk;
143
144 if (name == NULL || sk_X509_NAME_ENTRY_num(name->entries) <= loc
145 || loc < 0)
146 return(NULL);
147 sk=name->entries;
148 ret=sk_X509_NAME_ENTRY_delete(sk,loc);
149 n=sk_X509_NAME_ENTRY_num(sk);
150 name->modified=1;
151 if (loc == n) return(ret);
152
153 /* else we need to fixup the set field */
154 if (loc != 0)
155 set_prev=(sk_X509_NAME_ENTRY_value(sk,loc-1))->set;
156 else
157 set_prev=ret->set-1;
158 set_next=sk_X509_NAME_ENTRY_value(sk,loc)->set;
159
160 /* set_prev is the previous set
161 * set is the current set
162 * set_next is the following
163 * prev 1 1 1 1 1 1 1 1
164 * set 1 1 2 2
165 * next 1 1 2 2 2 2 3 2
166 * so basically only if prev and next differ by 2, then
167 * re-number down by 1 */
168 if (set_prev+1 < set_next)
169 for (i=loc; i<n; i++)
170 sk_X509_NAME_ENTRY_value(sk,i)->set--;
171 return(ret);
172 }
173
174int X509_NAME_add_entry_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, int type,
175 unsigned char *bytes, int len, int loc, int set)
176{
177 X509_NAME_ENTRY *ne;
178 int ret;
179 ne = X509_NAME_ENTRY_create_by_OBJ(NULL, obj, type, bytes, len);
180 if(!ne) return 0;
181 ret = X509_NAME_add_entry(name, ne, loc, set);
182 X509_NAME_ENTRY_free(ne);
183 return ret;
184}
185
186int X509_NAME_add_entry_by_NID(X509_NAME *name, int nid, int type,
187 unsigned char *bytes, int len, int loc, int set)
188{
189 X509_NAME_ENTRY *ne;
190 int ret;
191 ne = X509_NAME_ENTRY_create_by_NID(NULL, nid, type, bytes, len);
192 if(!ne) return 0;
193 ret = X509_NAME_add_entry(name, ne, loc, set);
194 X509_NAME_ENTRY_free(ne);
195 return ret;
196}
197
198int X509_NAME_add_entry_by_txt(X509_NAME *name, const char *field, int type,
199 const unsigned char *bytes, int len, int loc, int set)
200{
201 X509_NAME_ENTRY *ne;
202 int ret;
203 ne = X509_NAME_ENTRY_create_by_txt(NULL, field, type, bytes, len);
204 if(!ne) return 0;
205 ret = X509_NAME_add_entry(name, ne, loc, set);
206 X509_NAME_ENTRY_free(ne);
207 return ret;
208}
209
210/* if set is -1, append to previous set, 0 'a new one', and 1,
211 * prepend to the guy we are about to stomp on. */
212int X509_NAME_add_entry(X509_NAME *name, X509_NAME_ENTRY *ne, int loc,
213 int set)
214 {
215 X509_NAME_ENTRY *new_name=NULL;
216 int n,i,inc;
217 STACK_OF(X509_NAME_ENTRY) *sk;
218
219 if (name == NULL) return(0);
220 sk=name->entries;
221 n=sk_X509_NAME_ENTRY_num(sk);
222 if (loc > n) loc=n;
223 else if (loc < 0) loc=n;
224
225 name->modified=1;
226
227 if (set == -1)
228 {
229 if (loc == 0)
230 {
231 set=0;
232 inc=1;
233 }
234 else
235 {
236 set=sk_X509_NAME_ENTRY_value(sk,loc-1)->set;
237 inc=0;
238 }
239 }
240 else /* if (set >= 0) */
241 {
242 if (loc >= n)
243 {
244 if (loc != 0)
245 set=sk_X509_NAME_ENTRY_value(sk,loc-1)->set+1;
246 else
247 set=0;
248 }
249 else
250 set=sk_X509_NAME_ENTRY_value(sk,loc)->set;
251 inc=(set == 0)?1:0;
252 }
253
254 if ((new_name=X509_NAME_ENTRY_dup(ne)) == NULL)
255 goto err;
256 new_name->set=set;
257 if (!sk_X509_NAME_ENTRY_insert(sk,new_name,loc))
258 {
259 X509err(X509_F_X509_NAME_ADD_ENTRY,ERR_R_MALLOC_FAILURE);
260 goto err;
261 }
262 if (inc)
263 {
264 n=sk_X509_NAME_ENTRY_num(sk);
265 for (i=loc+1; i<n; i++)
266 sk_X509_NAME_ENTRY_value(sk,i-1)->set+=1;
267 }
268 return(1);
269err:
270 if (new_name != NULL)
271 X509_NAME_ENTRY_free(new_name);
272 return(0);
273 }
274
275X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_txt(X509_NAME_ENTRY **ne,
276 const char *field, int type, const unsigned char *bytes, int len)
277 {
278 ASN1_OBJECT *obj;
279 X509_NAME_ENTRY *nentry;
280
281 obj=OBJ_txt2obj(field, 0);
282 if (obj == NULL)
283 {
284 X509err(X509_F_X509_NAME_ENTRY_CREATE_BY_TXT,
285 X509_R_INVALID_FIELD_NAME);
286 ERR_add_error_data(2, "name=", field);
287 return(NULL);
288 }
289 nentry = X509_NAME_ENTRY_create_by_OBJ(ne,obj,type,bytes,len);
290 ASN1_OBJECT_free(obj);
291 return nentry;
292 }
293
294X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_NID(X509_NAME_ENTRY **ne, int nid,
295 int type, unsigned char *bytes, int len)
296 {
297 ASN1_OBJECT *obj;
298 X509_NAME_ENTRY *nentry;
299
300 obj=OBJ_nid2obj(nid);
301 if (obj == NULL)
302 {
303 X509err(X509_F_X509_NAME_ENTRY_CREATE_BY_NID,X509_R_UNKNOWN_NID);
304 return(NULL);
305 }
306 nentry = X509_NAME_ENTRY_create_by_OBJ(ne,obj,type,bytes,len);
307 ASN1_OBJECT_free(obj);
308 return nentry;
309 }
310
311X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_OBJ(X509_NAME_ENTRY **ne,
312 ASN1_OBJECT *obj, int type, const unsigned char *bytes, int len)
313 {
314 X509_NAME_ENTRY *ret;
315
316 if ((ne == NULL) || (*ne == NULL))
317 {
318 if ((ret=X509_NAME_ENTRY_new()) == NULL)
319 return(NULL);
320 }
321 else
322 ret= *ne;
323
324 if (!X509_NAME_ENTRY_set_object(ret,obj))
325 goto err;
326 if (!X509_NAME_ENTRY_set_data(ret,type,bytes,len))
327 goto err;
328
329 if ((ne != NULL) && (*ne == NULL)) *ne=ret;
330 return(ret);
331err:
332 if ((ne == NULL) || (ret != *ne))
333 X509_NAME_ENTRY_free(ret);
334 return(NULL);
335 }
336
337int X509_NAME_ENTRY_set_object(X509_NAME_ENTRY *ne, ASN1_OBJECT *obj)
338 {
339 if ((ne == NULL) || (obj == NULL))
340 {
341 X509err(X509_F_X509_NAME_ENTRY_SET_OBJECT,ERR_R_PASSED_NULL_PARAMETER);
342 return(0);
343 }
344 ASN1_OBJECT_free(ne->object);
345 ne->object=OBJ_dup(obj);
346 return((ne->object == NULL)?0:1);
347 }
348
349int X509_NAME_ENTRY_set_data(X509_NAME_ENTRY *ne, int type,
350 const unsigned char *bytes, int len)
351 {
352 int i;
353
354 if ((ne == NULL) || ((bytes == NULL) && (len != 0))) return(0);
355 if((type > 0) && (type & MBSTRING_FLAG))
356 return ASN1_STRING_set_by_NID(&ne->value, bytes,
357 len, type,
358 OBJ_obj2nid(ne->object)) ? 1 : 0;
359 if (len < 0) len=strlen((const char *)bytes);
360 i=ASN1_STRING_set(ne->value,bytes,len);
361 if (!i) return(0);
362 if (type != V_ASN1_UNDEF)
363 {
364 if (type == V_ASN1_APP_CHOOSE)
365 ne->value->type=ASN1_PRINTABLE_type(bytes,len);
366 else
367 ne->value->type=type;
368 }
369 return(1);
370 }
371
372ASN1_OBJECT *X509_NAME_ENTRY_get_object(X509_NAME_ENTRY *ne)
373 {
374 if (ne == NULL) return(NULL);
375 return(ne->object);
376 }
377
378ASN1_STRING *X509_NAME_ENTRY_get_data(X509_NAME_ENTRY *ne)
379 {
380 if (ne == NULL) return(NULL);
381 return(ne->value);
382 }
383
diff --git a/src/lib/libcrypto/x509/x509rset.c b/src/lib/libcrypto/x509/x509rset.c
deleted file mode 100644
index d9f6b57372..0000000000
--- a/src/lib/libcrypto/x509/x509rset.c
+++ /dev/null
@@ -1,83 +0,0 @@
1/* crypto/x509/x509rset.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/asn1.h>
62#include <openssl/objects.h>
63#include <openssl/evp.h>
64#include <openssl/x509.h>
65
66int X509_REQ_set_version(X509_REQ *x, long version)
67 {
68 if (x == NULL) return(0);
69 return(ASN1_INTEGER_set(x->req_info->version,version));
70 }
71
72int X509_REQ_set_subject_name(X509_REQ *x, X509_NAME *name)
73 {
74 if ((x == NULL) || (x->req_info == NULL)) return(0);
75 return(X509_NAME_set(&x->req_info->subject,name));
76 }
77
78int X509_REQ_set_pubkey(X509_REQ *x, EVP_PKEY *pkey)
79 {
80 if ((x == NULL) || (x->req_info == NULL)) return(0);
81 return(X509_PUBKEY_set(&x->req_info->pubkey,pkey));
82 }
83
diff --git a/src/lib/libcrypto/x509/x509spki.c b/src/lib/libcrypto/x509/x509spki.c
deleted file mode 100644
index 02a203d72c..0000000000
--- a/src/lib/libcrypto/x509/x509spki.c
+++ /dev/null
@@ -1,121 +0,0 @@
1/* x509spki.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/x509.h>
62
63int NETSCAPE_SPKI_set_pubkey(NETSCAPE_SPKI *x, EVP_PKEY *pkey)
64{
65 if ((x == NULL) || (x->spkac == NULL)) return(0);
66 return(X509_PUBKEY_set(&(x->spkac->pubkey),pkey));
67}
68
69EVP_PKEY *NETSCAPE_SPKI_get_pubkey(NETSCAPE_SPKI *x)
70{
71 if ((x == NULL) || (x->spkac == NULL))
72 return(NULL);
73 return(X509_PUBKEY_get(x->spkac->pubkey));
74}
75
76/* Load a Netscape SPKI from a base64 encoded string */
77
78NETSCAPE_SPKI * NETSCAPE_SPKI_b64_decode(const char *str, int len)
79{
80 unsigned char *spki_der;
81 const unsigned char *p;
82 int spki_len;
83 NETSCAPE_SPKI *spki;
84 if(len <= 0) len = strlen(str);
85 if (!(spki_der = OPENSSL_malloc(len + 1))) {
86 X509err(X509_F_NETSCAPE_SPKI_B64_DECODE, ERR_R_MALLOC_FAILURE);
87 return NULL;
88 }
89 spki_len = EVP_DecodeBlock(spki_der, (const unsigned char *)str, len);
90 if(spki_len < 0) {
91 X509err(X509_F_NETSCAPE_SPKI_B64_DECODE,
92 X509_R_BASE64_DECODE_ERROR);
93 OPENSSL_free(spki_der);
94 return NULL;
95 }
96 p = spki_der;
97 spki = d2i_NETSCAPE_SPKI(NULL, &p, spki_len);
98 OPENSSL_free(spki_der);
99 return spki;
100}
101
102/* Generate a base64 encoded string from an SPKI */
103
104char * NETSCAPE_SPKI_b64_encode(NETSCAPE_SPKI *spki)
105{
106 unsigned char *der_spki, *p;
107 char *b64_str;
108 int der_len;
109 der_len = i2d_NETSCAPE_SPKI(spki, NULL);
110 der_spki = OPENSSL_malloc(der_len);
111 b64_str = OPENSSL_malloc(der_len * 2);
112 if(!der_spki || !b64_str) {
113 X509err(X509_F_NETSCAPE_SPKI_B64_ENCODE, ERR_R_MALLOC_FAILURE);
114 return NULL;
115 }
116 p = der_spki;
117 i2d_NETSCAPE_SPKI(spki, &p);
118 EVP_EncodeBlock((unsigned char *)b64_str, der_spki, der_len);
119 OPENSSL_free(der_spki);
120 return b64_str;
121}
diff --git a/src/lib/libcrypto/x509/x509type.c b/src/lib/libcrypto/x509/x509type.c
deleted file mode 100644
index 3385ad3f67..0000000000
--- a/src/lib/libcrypto/x509/x509type.c
+++ /dev/null
@@ -1,125 +0,0 @@
1/* crypto/x509/x509type.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/evp.h>
62#include <openssl/objects.h>
63#include <openssl/x509.h>
64
65int X509_certificate_type(X509 *x, EVP_PKEY *pkey)
66 {
67 EVP_PKEY *pk;
68 int ret=0,i;
69
70 if (x == NULL) return(0);
71
72 if (pkey == NULL)
73 pk=X509_get_pubkey(x);
74 else
75 pk=pkey;
76
77 if (pk == NULL) return(0);
78
79 switch (pk->type)
80 {
81 case EVP_PKEY_RSA:
82 ret=EVP_PK_RSA|EVP_PKT_SIGN;
83/* if (!sign only extension) */
84 ret|=EVP_PKT_ENC;
85 break;
86 case EVP_PKEY_DSA:
87 ret=EVP_PK_DSA|EVP_PKT_SIGN;
88 break;
89 case EVP_PKEY_EC:
90 ret=EVP_PK_EC|EVP_PKT_SIGN|EVP_PKT_EXCH;
91 break;
92 case EVP_PKEY_DH:
93 ret=EVP_PK_DH|EVP_PKT_EXCH;
94 break;
95 case NID_id_GostR3410_94:
96 case NID_id_GostR3410_2001:
97 ret=EVP_PKT_EXCH|EVP_PKT_SIGN;
98 break;
99 default:
100 break;
101 }
102
103 i=X509_get_signature_type(x);
104 switch (i)
105 {
106 case EVP_PKEY_RSA:
107 ret|=EVP_PKS_RSA;
108 break;
109 case EVP_PKEY_DSA:
110 ret|=EVP_PKS_DSA;
111 break;
112 case EVP_PKEY_EC:
113 ret|=EVP_PKS_EC;
114 break;
115 default:
116 break;
117 }
118
119 if (EVP_PKEY_size(pk) <= 1024/8)/* /8 because it's 1024 bits we look
120 for, not bytes */
121 ret|=EVP_PKT_EXP;
122 if(pkey==NULL) EVP_PKEY_free(pk);
123 return(ret);
124 }
125
diff --git a/src/lib/libcrypto/x509/x_all.c b/src/lib/libcrypto/x509/x_all.c
deleted file mode 100644
index 8ec88c215a..0000000000
--- a/src/lib/libcrypto/x509/x_all.c
+++ /dev/null
@@ -1,516 +0,0 @@
1/* crypto/x509/x_all.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include <openssl/stack.h>
61#include "cryptlib.h"
62#include <openssl/buffer.h>
63#include <openssl/asn1.h>
64#include <openssl/evp.h>
65#include <openssl/x509.h>
66#ifndef OPENSSL_NO_RSA
67#include <openssl/rsa.h>
68#endif
69#ifndef OPENSSL_NO_DSA
70#include <openssl/dsa.h>
71#endif
72
73int X509_verify(X509 *a, EVP_PKEY *r)
74 {
75 return(ASN1_item_verify(ASN1_ITEM_rptr(X509_CINF),a->sig_alg,
76 a->signature,a->cert_info,r));
77 }
78
79int X509_REQ_verify(X509_REQ *a, EVP_PKEY *r)
80 {
81 return( ASN1_item_verify(ASN1_ITEM_rptr(X509_REQ_INFO),
82 a->sig_alg,a->signature,a->req_info,r));
83 }
84
85int NETSCAPE_SPKI_verify(NETSCAPE_SPKI *a, EVP_PKEY *r)
86 {
87 return(ASN1_item_verify(ASN1_ITEM_rptr(NETSCAPE_SPKAC),
88 a->sig_algor,a->signature,a->spkac,r));
89 }
90
91int X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md)
92 {
93 x->cert_info->enc.modified = 1;
94 return(ASN1_item_sign(ASN1_ITEM_rptr(X509_CINF), x->cert_info->signature,
95 x->sig_alg, x->signature, x->cert_info,pkey,md));
96 }
97
98int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md)
99 {
100 return(ASN1_item_sign(ASN1_ITEM_rptr(X509_REQ_INFO),x->sig_alg, NULL,
101 x->signature, x->req_info,pkey,md));
102 }
103
104int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md)
105 {
106 x->crl->enc.modified = 1;
107 return(ASN1_item_sign(ASN1_ITEM_rptr(X509_CRL_INFO),x->crl->sig_alg,
108 x->sig_alg, x->signature, x->crl,pkey,md));
109 }
110
111int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *x, EVP_PKEY *pkey, const EVP_MD *md)
112 {
113 return(ASN1_item_sign(ASN1_ITEM_rptr(NETSCAPE_SPKAC), x->sig_algor,NULL,
114 x->signature, x->spkac,pkey,md));
115 }
116
117#ifndef OPENSSL_NO_FP_API
118X509 *d2i_X509_fp(FILE *fp, X509 **x509)
119 {
120 return ASN1_item_d2i_fp(ASN1_ITEM_rptr(X509), fp, x509);
121 }
122
123int i2d_X509_fp(FILE *fp, X509 *x509)
124 {
125 return ASN1_item_i2d_fp(ASN1_ITEM_rptr(X509), fp, x509);
126 }
127#endif
128
129X509 *d2i_X509_bio(BIO *bp, X509 **x509)
130 {
131 return ASN1_item_d2i_bio(ASN1_ITEM_rptr(X509), bp, x509);
132 }
133
134int i2d_X509_bio(BIO *bp, X509 *x509)
135 {
136 return ASN1_item_i2d_bio(ASN1_ITEM_rptr(X509), bp, x509);
137 }
138
139#ifndef OPENSSL_NO_FP_API
140X509_CRL *d2i_X509_CRL_fp(FILE *fp, X509_CRL **crl)
141 {
142 return ASN1_item_d2i_fp(ASN1_ITEM_rptr(X509_CRL), fp, crl);
143 }
144
145int i2d_X509_CRL_fp(FILE *fp, X509_CRL *crl)
146 {
147 return ASN1_item_i2d_fp(ASN1_ITEM_rptr(X509_CRL), fp, crl);
148 }
149#endif
150
151X509_CRL *d2i_X509_CRL_bio(BIO *bp, X509_CRL **crl)
152 {
153 return ASN1_item_d2i_bio(ASN1_ITEM_rptr(X509_CRL), bp, crl);
154 }
155
156int i2d_X509_CRL_bio(BIO *bp, X509_CRL *crl)
157 {
158 return ASN1_item_i2d_bio(ASN1_ITEM_rptr(X509_CRL), bp, crl);
159 }
160
161#ifndef OPENSSL_NO_FP_API
162PKCS7 *d2i_PKCS7_fp(FILE *fp, PKCS7 **p7)
163 {
164 return ASN1_item_d2i_fp(ASN1_ITEM_rptr(PKCS7), fp, p7);
165 }
166
167int i2d_PKCS7_fp(FILE *fp, PKCS7 *p7)
168 {
169 return ASN1_item_i2d_fp(ASN1_ITEM_rptr(PKCS7), fp, p7);
170 }
171#endif
172
173PKCS7 *d2i_PKCS7_bio(BIO *bp, PKCS7 **p7)
174 {
175 return ASN1_item_d2i_bio(ASN1_ITEM_rptr(PKCS7), bp, p7);
176 }
177
178int i2d_PKCS7_bio(BIO *bp, PKCS7 *p7)
179 {
180 return ASN1_item_i2d_bio(ASN1_ITEM_rptr(PKCS7), bp, p7);
181 }
182
183#ifndef OPENSSL_NO_FP_API
184X509_REQ *d2i_X509_REQ_fp(FILE *fp, X509_REQ **req)
185 {
186 return ASN1_item_d2i_fp(ASN1_ITEM_rptr(X509_REQ), fp, req);
187 }
188
189int i2d_X509_REQ_fp(FILE *fp, X509_REQ *req)
190 {
191 return ASN1_item_i2d_fp(ASN1_ITEM_rptr(X509_REQ), fp, req);
192 }
193#endif
194
195X509_REQ *d2i_X509_REQ_bio(BIO *bp, X509_REQ **req)
196 {
197 return ASN1_item_d2i_bio(ASN1_ITEM_rptr(X509_REQ), bp, req);
198 }
199
200int i2d_X509_REQ_bio(BIO *bp, X509_REQ *req)
201 {
202 return ASN1_item_i2d_bio(ASN1_ITEM_rptr(X509_REQ), bp, req);
203 }
204
205#ifndef OPENSSL_NO_RSA
206
207#ifndef OPENSSL_NO_FP_API
208RSA *d2i_RSAPrivateKey_fp(FILE *fp, RSA **rsa)
209 {
210 return ASN1_item_d2i_fp(ASN1_ITEM_rptr(RSAPrivateKey), fp, rsa);
211 }
212
213int i2d_RSAPrivateKey_fp(FILE *fp, RSA *rsa)
214 {
215 return ASN1_item_i2d_fp(ASN1_ITEM_rptr(RSAPrivateKey), fp, rsa);
216 }
217
218RSA *d2i_RSAPublicKey_fp(FILE *fp, RSA **rsa)
219 {
220 return ASN1_item_d2i_fp(ASN1_ITEM_rptr(RSAPublicKey), fp, rsa);
221 }
222
223
224RSA *d2i_RSA_PUBKEY_fp(FILE *fp, RSA **rsa)
225 {
226 return ASN1_d2i_fp((void *(*)(void))
227 RSA_new,(D2I_OF(void))d2i_RSA_PUBKEY, fp,
228 (void **)rsa);
229 }
230
231int i2d_RSAPublicKey_fp(FILE *fp, RSA *rsa)
232 {
233 return ASN1_item_i2d_fp(ASN1_ITEM_rptr(RSAPublicKey), fp, rsa);
234 }
235
236int i2d_RSA_PUBKEY_fp(FILE *fp, RSA *rsa)
237 {
238 return ASN1_i2d_fp((I2D_OF(void))i2d_RSA_PUBKEY,fp,rsa);
239 }
240#endif
241
242RSA *d2i_RSAPrivateKey_bio(BIO *bp, RSA **rsa)
243 {
244 return ASN1_item_d2i_bio(ASN1_ITEM_rptr(RSAPrivateKey), bp, rsa);
245 }
246
247int i2d_RSAPrivateKey_bio(BIO *bp, RSA *rsa)
248 {
249 return ASN1_item_i2d_bio(ASN1_ITEM_rptr(RSAPrivateKey), bp, rsa);
250 }
251
252RSA *d2i_RSAPublicKey_bio(BIO *bp, RSA **rsa)
253 {
254 return ASN1_item_d2i_bio(ASN1_ITEM_rptr(RSAPublicKey), bp, rsa);
255 }
256
257
258RSA *d2i_RSA_PUBKEY_bio(BIO *bp, RSA **rsa)
259 {
260 return ASN1_d2i_bio_of(RSA,RSA_new,d2i_RSA_PUBKEY,bp,rsa);
261 }
262
263int i2d_RSAPublicKey_bio(BIO *bp, RSA *rsa)
264 {
265 return ASN1_item_i2d_bio(ASN1_ITEM_rptr(RSAPublicKey), bp, rsa);
266 }
267
268int i2d_RSA_PUBKEY_bio(BIO *bp, RSA *rsa)
269 {
270 return ASN1_i2d_bio_of(RSA,i2d_RSA_PUBKEY,bp,rsa);
271 }
272#endif
273
274#ifndef OPENSSL_NO_DSA
275#ifndef OPENSSL_NO_FP_API
276DSA *d2i_DSAPrivateKey_fp(FILE *fp, DSA **dsa)
277 {
278 return ASN1_d2i_fp_of(DSA,DSA_new,d2i_DSAPrivateKey,fp,dsa);
279 }
280
281int i2d_DSAPrivateKey_fp(FILE *fp, DSA *dsa)
282 {
283 return ASN1_i2d_fp_of_const(DSA,i2d_DSAPrivateKey,fp,dsa);
284 }
285
286DSA *d2i_DSA_PUBKEY_fp(FILE *fp, DSA **dsa)
287 {
288 return ASN1_d2i_fp_of(DSA,DSA_new,d2i_DSA_PUBKEY,fp,dsa);
289 }
290
291int i2d_DSA_PUBKEY_fp(FILE *fp, DSA *dsa)
292 {
293 return ASN1_i2d_fp_of(DSA,i2d_DSA_PUBKEY,fp,dsa);
294 }
295#endif
296
297DSA *d2i_DSAPrivateKey_bio(BIO *bp, DSA **dsa)
298 {
299 return ASN1_d2i_bio_of(DSA,DSA_new,d2i_DSAPrivateKey,bp,dsa
300);
301 }
302
303int i2d_DSAPrivateKey_bio(BIO *bp, DSA *dsa)
304 {
305 return ASN1_i2d_bio_of_const(DSA,i2d_DSAPrivateKey,bp,dsa);
306 }
307
308DSA *d2i_DSA_PUBKEY_bio(BIO *bp, DSA **dsa)
309 {
310 return ASN1_d2i_bio_of(DSA,DSA_new,d2i_DSA_PUBKEY,bp,dsa);
311 }
312
313int i2d_DSA_PUBKEY_bio(BIO *bp, DSA *dsa)
314 {
315 return ASN1_i2d_bio_of(DSA,i2d_DSA_PUBKEY,bp,dsa);
316 }
317
318#endif
319
320#ifndef OPENSSL_NO_EC
321#ifndef OPENSSL_NO_FP_API
322EC_KEY *d2i_EC_PUBKEY_fp(FILE *fp, EC_KEY **eckey)
323 {
324 return ASN1_d2i_fp_of(EC_KEY,EC_KEY_new,d2i_EC_PUBKEY,fp,eckey);
325 }
326
327int i2d_EC_PUBKEY_fp(FILE *fp, EC_KEY *eckey)
328 {
329 return ASN1_i2d_fp_of(EC_KEY,i2d_EC_PUBKEY,fp,eckey);
330 }
331
332EC_KEY *d2i_ECPrivateKey_fp(FILE *fp, EC_KEY **eckey)
333 {
334 return ASN1_d2i_fp_of(EC_KEY,EC_KEY_new,d2i_ECPrivateKey,fp,eckey);
335 }
336
337int i2d_ECPrivateKey_fp(FILE *fp, EC_KEY *eckey)
338 {
339 return ASN1_i2d_fp_of(EC_KEY,i2d_ECPrivateKey,fp,eckey);
340 }
341#endif
342EC_KEY *d2i_EC_PUBKEY_bio(BIO *bp, EC_KEY **eckey)
343 {
344 return ASN1_d2i_bio_of(EC_KEY,EC_KEY_new,d2i_EC_PUBKEY,bp,eckey);
345 }
346
347int i2d_EC_PUBKEY_bio(BIO *bp, EC_KEY *ecdsa)
348 {
349 return ASN1_i2d_bio_of(EC_KEY,i2d_EC_PUBKEY,bp,ecdsa);
350 }
351
352EC_KEY *d2i_ECPrivateKey_bio(BIO *bp, EC_KEY **eckey)
353 {
354 return ASN1_d2i_bio_of(EC_KEY,EC_KEY_new,d2i_ECPrivateKey,bp,eckey);
355 }
356
357int i2d_ECPrivateKey_bio(BIO *bp, EC_KEY *eckey)
358 {
359 return ASN1_i2d_bio_of(EC_KEY,i2d_ECPrivateKey,bp,eckey);
360 }
361#endif
362
363
364int X509_pubkey_digest(const X509 *data, const EVP_MD *type, unsigned char *md,
365 unsigned int *len)
366 {
367 ASN1_BIT_STRING *key;
368 key = X509_get0_pubkey_bitstr(data);
369 if(!key) return 0;
370 return EVP_Digest(key->data, key->length, md, len, type, NULL);
371 }
372
373int X509_digest(const X509 *data, const EVP_MD *type, unsigned char *md,
374 unsigned int *len)
375 {
376 return(ASN1_item_digest(ASN1_ITEM_rptr(X509),type,(char *)data,md,len));
377 }
378
379int X509_CRL_digest(const X509_CRL *data, const EVP_MD *type, unsigned char *md,
380 unsigned int *len)
381 {
382 return(ASN1_item_digest(ASN1_ITEM_rptr(X509_CRL),type,(char *)data,md,len));
383 }
384
385int X509_REQ_digest(const X509_REQ *data, const EVP_MD *type, unsigned char *md,
386 unsigned int *len)
387 {
388 return(ASN1_item_digest(ASN1_ITEM_rptr(X509_REQ),type,(char *)data,md,len));
389 }
390
391int X509_NAME_digest(const X509_NAME *data, const EVP_MD *type, unsigned char *md,
392 unsigned int *len)
393 {
394 return(ASN1_item_digest(ASN1_ITEM_rptr(X509_NAME),type,(char *)data,md,len));
395 }
396
397int PKCS7_ISSUER_AND_SERIAL_digest(PKCS7_ISSUER_AND_SERIAL *data, const EVP_MD *type,
398 unsigned char *md, unsigned int *len)
399 {
400 return(ASN1_item_digest(ASN1_ITEM_rptr(PKCS7_ISSUER_AND_SERIAL),type,
401 (char *)data,md,len));
402 }
403
404
405#ifndef OPENSSL_NO_FP_API
406X509_SIG *d2i_PKCS8_fp(FILE *fp, X509_SIG **p8)
407 {
408 return ASN1_d2i_fp_of(X509_SIG,X509_SIG_new,d2i_X509_SIG,fp,p8);
409 }
410
411int i2d_PKCS8_fp(FILE *fp, X509_SIG *p8)
412 {
413 return ASN1_i2d_fp_of(X509_SIG,i2d_X509_SIG,fp,p8);
414 }
415#endif
416
417X509_SIG *d2i_PKCS8_bio(BIO *bp, X509_SIG **p8)
418 {
419 return ASN1_d2i_bio_of(X509_SIG,X509_SIG_new,d2i_X509_SIG,bp,p8);
420 }
421
422int i2d_PKCS8_bio(BIO *bp, X509_SIG *p8)
423 {
424 return ASN1_i2d_bio_of(X509_SIG,i2d_X509_SIG,bp,p8);
425 }
426
427#ifndef OPENSSL_NO_FP_API
428PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_fp(FILE *fp,
429 PKCS8_PRIV_KEY_INFO **p8inf)
430 {
431 return ASN1_d2i_fp_of(PKCS8_PRIV_KEY_INFO,PKCS8_PRIV_KEY_INFO_new,
432 d2i_PKCS8_PRIV_KEY_INFO,fp,p8inf);
433 }
434
435int i2d_PKCS8_PRIV_KEY_INFO_fp(FILE *fp, PKCS8_PRIV_KEY_INFO *p8inf)
436 {
437 return ASN1_i2d_fp_of(PKCS8_PRIV_KEY_INFO,i2d_PKCS8_PRIV_KEY_INFO,fp,
438 p8inf);
439 }
440
441int i2d_PKCS8PrivateKeyInfo_fp(FILE *fp, EVP_PKEY *key)
442 {
443 PKCS8_PRIV_KEY_INFO *p8inf;
444 int ret;
445 p8inf = EVP_PKEY2PKCS8(key);
446 if(!p8inf) return 0;
447 ret = i2d_PKCS8_PRIV_KEY_INFO_fp(fp, p8inf);
448 PKCS8_PRIV_KEY_INFO_free(p8inf);
449 return ret;
450 }
451
452int i2d_PrivateKey_fp(FILE *fp, EVP_PKEY *pkey)
453 {
454 return ASN1_i2d_fp_of(EVP_PKEY,i2d_PrivateKey,fp,pkey);
455 }
456
457EVP_PKEY *d2i_PrivateKey_fp(FILE *fp, EVP_PKEY **a)
458{
459 return ASN1_d2i_fp_of(EVP_PKEY,EVP_PKEY_new,d2i_AutoPrivateKey,fp,a);
460}
461
462int i2d_PUBKEY_fp(FILE *fp, EVP_PKEY *pkey)
463 {
464 return ASN1_i2d_fp_of(EVP_PKEY,i2d_PUBKEY,fp,pkey);
465 }
466
467EVP_PKEY *d2i_PUBKEY_fp(FILE *fp, EVP_PKEY **a)
468{
469 return ASN1_d2i_fp_of(EVP_PKEY,EVP_PKEY_new,d2i_PUBKEY,fp,a);
470}
471
472#endif
473
474PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_bio(BIO *bp,
475 PKCS8_PRIV_KEY_INFO **p8inf)
476 {
477 return ASN1_d2i_bio_of(PKCS8_PRIV_KEY_INFO,PKCS8_PRIV_KEY_INFO_new,
478 d2i_PKCS8_PRIV_KEY_INFO,bp,p8inf);
479 }
480
481int i2d_PKCS8_PRIV_KEY_INFO_bio(BIO *bp, PKCS8_PRIV_KEY_INFO *p8inf)
482 {
483 return ASN1_i2d_bio_of(PKCS8_PRIV_KEY_INFO,i2d_PKCS8_PRIV_KEY_INFO,bp,
484 p8inf);
485 }
486
487int i2d_PKCS8PrivateKeyInfo_bio(BIO *bp, EVP_PKEY *key)
488 {
489 PKCS8_PRIV_KEY_INFO *p8inf;
490 int ret;
491 p8inf = EVP_PKEY2PKCS8(key);
492 if(!p8inf) return 0;
493 ret = i2d_PKCS8_PRIV_KEY_INFO_bio(bp, p8inf);
494 PKCS8_PRIV_KEY_INFO_free(p8inf);
495 return ret;
496 }
497
498int i2d_PrivateKey_bio(BIO *bp, EVP_PKEY *pkey)
499 {
500 return ASN1_i2d_bio_of(EVP_PKEY,i2d_PrivateKey,bp,pkey);
501 }
502
503EVP_PKEY *d2i_PrivateKey_bio(BIO *bp, EVP_PKEY **a)
504 {
505 return ASN1_d2i_bio_of(EVP_PKEY,EVP_PKEY_new,d2i_AutoPrivateKey,bp,a);
506 }
507
508int i2d_PUBKEY_bio(BIO *bp, EVP_PKEY *pkey)
509 {
510 return ASN1_i2d_bio_of(EVP_PKEY,i2d_PUBKEY,bp,pkey);
511 }
512
513EVP_PKEY *d2i_PUBKEY_bio(BIO *bp, EVP_PKEY **a)
514 {
515 return ASN1_d2i_bio_of(EVP_PKEY,EVP_PKEY_new,d2i_PUBKEY,bp,a);
516 }
diff --git a/src/lib/libcrypto/x509v3/Makefile b/src/lib/libcrypto/x509v3/Makefile
deleted file mode 100644
index 556ef351bf..0000000000
--- a/src/lib/libcrypto/x509v3/Makefile
+++ /dev/null
@@ -1,591 +0,0 @@
1#
2# OpenSSL/crypto/x509v3/Makefile
3#
4
5DIR= x509v3
6TOP= ../..
7CC= cc
8INCLUDES= -I.. -I$(TOP) -I../../include
9CFLAG=-g
10MAKEFILE= Makefile
11AR= ar r
12
13CFLAGS= $(INCLUDES) $(CFLAG)
14
15GENERAL=Makefile README
16TEST=
17APPS=
18
19LIB=$(TOP)/libcrypto.a
20LIBSRC= v3_bcons.c v3_bitst.c v3_conf.c v3_extku.c v3_ia5.c v3_lib.c \
21v3_prn.c v3_utl.c v3err.c v3_genn.c v3_alt.c v3_skey.c v3_akey.c v3_pku.c \
22v3_int.c v3_enum.c v3_sxnet.c v3_cpols.c v3_crld.c v3_purp.c v3_info.c \
23v3_ocsp.c v3_akeya.c v3_pmaps.c v3_pcons.c v3_ncons.c v3_pcia.c v3_pci.c \
24pcy_cache.c pcy_node.c pcy_data.c pcy_map.c pcy_tree.c pcy_lib.c \
25v3_asid.c v3_addr.c
26LIBOBJ= v3_bcons.o v3_bitst.o v3_conf.o v3_extku.o v3_ia5.o v3_lib.o \
27v3_prn.o v3_utl.o v3err.o v3_genn.o v3_alt.o v3_skey.o v3_akey.o v3_pku.o \
28v3_int.o v3_enum.o v3_sxnet.o v3_cpols.o v3_crld.o v3_purp.o v3_info.o \
29v3_ocsp.o v3_akeya.o v3_pmaps.o v3_pcons.o v3_ncons.o v3_pcia.o v3_pci.o \
30pcy_cache.o pcy_node.o pcy_data.o pcy_map.o pcy_tree.o pcy_lib.o \
31v3_asid.o v3_addr.o
32
33SRC= $(LIBSRC)
34
35EXHEADER= x509v3.h
36HEADER= $(EXHEADER) pcy_int.h
37
38ALL= $(GENERAL) $(SRC) $(HEADER)
39
40top:
41 (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
42
43all: lib
44
45lib: $(LIBOBJ)
46 $(AR) $(LIB) $(LIBOBJ)
47 $(RANLIB) $(LIB) || echo Never mind.
48 @touch lib
49
50files:
51 $(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
52
53links:
54 @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
55 @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
56 @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
57
58install:
59 @[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
60 @headerlist="$(EXHEADER)"; for i in $$headerlist ; \
61 do \
62 (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
63 chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
64 done;
65
66tags:
67 ctags $(SRC)
68
69tests:
70
71lint:
72 lint -DLINT $(INCLUDES) $(SRC)>fluff
73
74depend:
75 @[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
76 $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
77
78dclean:
79 $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
80 mv -f Makefile.new $(MAKEFILE)
81
82clean:
83 rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
84
85# DO NOT DELETE THIS LINE -- make depend depends on it.
86
87pcy_cache.o: ../../e_os.h ../../include/openssl/asn1.h
88pcy_cache.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
89pcy_cache.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
90pcy_cache.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
91pcy_cache.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
92pcy_cache.o: ../../include/openssl/err.h ../../include/openssl/evp.h
93pcy_cache.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
94pcy_cache.o: ../../include/openssl/objects.h
95pcy_cache.o: ../../include/openssl/opensslconf.h
96pcy_cache.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
97pcy_cache.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
98pcy_cache.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
99pcy_cache.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
100pcy_cache.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
101pcy_cache.o: ../cryptlib.h pcy_cache.c pcy_int.h
102pcy_data.o: ../../e_os.h ../../include/openssl/asn1.h
103pcy_data.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
104pcy_data.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
105pcy_data.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
106pcy_data.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
107pcy_data.o: ../../include/openssl/err.h ../../include/openssl/evp.h
108pcy_data.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
109pcy_data.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
110pcy_data.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
111pcy_data.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
112pcy_data.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
113pcy_data.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
114pcy_data.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
115pcy_data.o: ../cryptlib.h pcy_data.c pcy_int.h
116pcy_lib.o: ../../e_os.h ../../include/openssl/asn1.h
117pcy_lib.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
118pcy_lib.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
119pcy_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
120pcy_lib.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
121pcy_lib.o: ../../include/openssl/err.h ../../include/openssl/evp.h
122pcy_lib.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
123pcy_lib.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
124pcy_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
125pcy_lib.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
126pcy_lib.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
127pcy_lib.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
128pcy_lib.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
129pcy_lib.o: ../cryptlib.h pcy_int.h pcy_lib.c
130pcy_map.o: ../../e_os.h ../../include/openssl/asn1.h
131pcy_map.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
132pcy_map.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
133pcy_map.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
134pcy_map.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
135pcy_map.o: ../../include/openssl/err.h ../../include/openssl/evp.h
136pcy_map.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
137pcy_map.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
138pcy_map.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
139pcy_map.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
140pcy_map.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
141pcy_map.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
142pcy_map.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
143pcy_map.o: ../cryptlib.h pcy_int.h pcy_map.c
144pcy_node.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
145pcy_node.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
146pcy_node.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
147pcy_node.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
148pcy_node.o: ../../include/openssl/ecdsa.h ../../include/openssl/evp.h
149pcy_node.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
150pcy_node.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
151pcy_node.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
152pcy_node.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
153pcy_node.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
154pcy_node.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
155pcy_node.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
156pcy_node.o: pcy_int.h pcy_node.c
157pcy_tree.o: ../../e_os.h ../../include/openssl/asn1.h
158pcy_tree.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
159pcy_tree.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
160pcy_tree.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
161pcy_tree.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
162pcy_tree.o: ../../include/openssl/err.h ../../include/openssl/evp.h
163pcy_tree.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
164pcy_tree.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
165pcy_tree.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
166pcy_tree.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
167pcy_tree.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
168pcy_tree.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
169pcy_tree.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
170pcy_tree.o: ../cryptlib.h pcy_int.h pcy_tree.c
171v3_addr.o: ../../e_os.h ../../include/openssl/asn1.h
172v3_addr.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
173v3_addr.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
174v3_addr.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
175v3_addr.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
176v3_addr.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
177v3_addr.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
178v3_addr.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
179v3_addr.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
180v3_addr.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
181v3_addr.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
182v3_addr.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
183v3_addr.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
184v3_addr.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_addr.c
185v3_akey.o: ../../e_os.h ../../include/openssl/asn1.h
186v3_akey.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
187v3_akey.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
188v3_akey.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
189v3_akey.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
190v3_akey.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
191v3_akey.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
192v3_akey.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
193v3_akey.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
194v3_akey.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
195v3_akey.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
196v3_akey.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
197v3_akey.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
198v3_akey.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_akey.c
199v3_akeya.o: ../../e_os.h ../../include/openssl/asn1.h
200v3_akeya.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
201v3_akeya.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
202v3_akeya.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
203v3_akeya.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
204v3_akeya.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
205v3_akeya.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
206v3_akeya.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
207v3_akeya.o: ../../include/openssl/opensslconf.h
208v3_akeya.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
209v3_akeya.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
210v3_akeya.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
211v3_akeya.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
212v3_akeya.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
213v3_akeya.o: ../cryptlib.h v3_akeya.c
214v3_alt.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
215v3_alt.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
216v3_alt.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
217v3_alt.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
218v3_alt.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
219v3_alt.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
220v3_alt.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
221v3_alt.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
222v3_alt.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
223v3_alt.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
224v3_alt.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
225v3_alt.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
226v3_alt.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_alt.c
227v3_asid.o: ../../e_os.h ../../include/openssl/asn1.h
228v3_asid.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
229v3_asid.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
230v3_asid.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
231v3_asid.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
232v3_asid.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
233v3_asid.o: ../../include/openssl/err.h ../../include/openssl/evp.h
234v3_asid.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
235v3_asid.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
236v3_asid.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
237v3_asid.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
238v3_asid.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
239v3_asid.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
240v3_asid.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
241v3_asid.o: ../cryptlib.h v3_asid.c
242v3_bcons.o: ../../e_os.h ../../include/openssl/asn1.h
243v3_bcons.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
244v3_bcons.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
245v3_bcons.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
246v3_bcons.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
247v3_bcons.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
248v3_bcons.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
249v3_bcons.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
250v3_bcons.o: ../../include/openssl/opensslconf.h
251v3_bcons.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
252v3_bcons.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
253v3_bcons.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
254v3_bcons.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
255v3_bcons.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
256v3_bcons.o: ../cryptlib.h v3_bcons.c
257v3_bitst.o: ../../e_os.h ../../include/openssl/asn1.h
258v3_bitst.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
259v3_bitst.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
260v3_bitst.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
261v3_bitst.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
262v3_bitst.o: ../../include/openssl/err.h ../../include/openssl/evp.h
263v3_bitst.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
264v3_bitst.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
265v3_bitst.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
266v3_bitst.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
267v3_bitst.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
268v3_bitst.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
269v3_bitst.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
270v3_bitst.o: ../cryptlib.h v3_bitst.c
271v3_conf.o: ../../e_os.h ../../include/openssl/asn1.h
272v3_conf.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
273v3_conf.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
274v3_conf.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
275v3_conf.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
276v3_conf.o: ../../include/openssl/err.h ../../include/openssl/evp.h
277v3_conf.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
278v3_conf.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
279v3_conf.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
280v3_conf.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
281v3_conf.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
282v3_conf.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
283v3_conf.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
284v3_conf.o: ../cryptlib.h v3_conf.c
285v3_cpols.o: ../../e_os.h ../../include/openssl/asn1.h
286v3_cpols.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
287v3_cpols.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
288v3_cpols.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
289v3_cpols.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
290v3_cpols.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
291v3_cpols.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
292v3_cpols.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
293v3_cpols.o: ../../include/openssl/opensslconf.h
294v3_cpols.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
295v3_cpols.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
296v3_cpols.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
297v3_cpols.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
298v3_cpols.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
299v3_cpols.o: ../cryptlib.h pcy_int.h v3_cpols.c
300v3_crld.o: ../../e_os.h ../../include/openssl/asn1.h
301v3_crld.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
302v3_crld.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
303v3_crld.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
304v3_crld.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
305v3_crld.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
306v3_crld.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
307v3_crld.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
308v3_crld.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
309v3_crld.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
310v3_crld.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
311v3_crld.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
312v3_crld.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
313v3_crld.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_crld.c
314v3_enum.o: ../../e_os.h ../../include/openssl/asn1.h
315v3_enum.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
316v3_enum.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
317v3_enum.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
318v3_enum.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
319v3_enum.o: ../../include/openssl/err.h ../../include/openssl/evp.h
320v3_enum.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
321v3_enum.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
322v3_enum.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
323v3_enum.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
324v3_enum.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
325v3_enum.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
326v3_enum.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
327v3_enum.o: ../cryptlib.h v3_enum.c
328v3_extku.o: ../../e_os.h ../../include/openssl/asn1.h
329v3_extku.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
330v3_extku.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
331v3_extku.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
332v3_extku.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
333v3_extku.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
334v3_extku.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
335v3_extku.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
336v3_extku.o: ../../include/openssl/opensslconf.h
337v3_extku.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
338v3_extku.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
339v3_extku.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
340v3_extku.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
341v3_extku.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
342v3_extku.o: ../cryptlib.h v3_extku.c
343v3_genn.o: ../../e_os.h ../../include/openssl/asn1.h
344v3_genn.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
345v3_genn.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
346v3_genn.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
347v3_genn.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
348v3_genn.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
349v3_genn.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
350v3_genn.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
351v3_genn.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
352v3_genn.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
353v3_genn.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
354v3_genn.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
355v3_genn.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
356v3_genn.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_genn.c
357v3_ia5.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
358v3_ia5.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
359v3_ia5.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
360v3_ia5.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
361v3_ia5.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
362v3_ia5.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
363v3_ia5.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
364v3_ia5.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
365v3_ia5.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
366v3_ia5.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
367v3_ia5.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
368v3_ia5.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
369v3_ia5.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_ia5.c
370v3_info.o: ../../e_os.h ../../include/openssl/asn1.h
371v3_info.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
372v3_info.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
373v3_info.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
374v3_info.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
375v3_info.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
376v3_info.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
377v3_info.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
378v3_info.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
379v3_info.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
380v3_info.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
381v3_info.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
382v3_info.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
383v3_info.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_info.c
384v3_int.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
385v3_int.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
386v3_int.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
387v3_int.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
388v3_int.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
389v3_int.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
390v3_int.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
391v3_int.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
392v3_int.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
393v3_int.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
394v3_int.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
395v3_int.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
396v3_int.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_int.c
397v3_lib.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
398v3_lib.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
399v3_lib.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
400v3_lib.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
401v3_lib.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
402v3_lib.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
403v3_lib.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
404v3_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
405v3_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
406v3_lib.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
407v3_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
408v3_lib.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
409v3_lib.o: ../../include/openssl/x509v3.h ../cryptlib.h ext_dat.h v3_lib.c
410v3_ncons.o: ../../e_os.h ../../include/openssl/asn1.h
411v3_ncons.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
412v3_ncons.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
413v3_ncons.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
414v3_ncons.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
415v3_ncons.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
416v3_ncons.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
417v3_ncons.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
418v3_ncons.o: ../../include/openssl/opensslconf.h
419v3_ncons.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
420v3_ncons.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
421v3_ncons.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
422v3_ncons.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
423v3_ncons.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
424v3_ncons.o: ../cryptlib.h v3_ncons.c
425v3_ocsp.o: ../../e_os.h ../../include/openssl/asn1.h
426v3_ocsp.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
427v3_ocsp.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
428v3_ocsp.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
429v3_ocsp.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
430v3_ocsp.o: ../../include/openssl/err.h ../../include/openssl/evp.h
431v3_ocsp.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
432v3_ocsp.o: ../../include/openssl/objects.h ../../include/openssl/ocsp.h
433v3_ocsp.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
434v3_ocsp.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
435v3_ocsp.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
436v3_ocsp.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
437v3_ocsp.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
438v3_ocsp.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_ocsp.c
439v3_pci.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
440v3_pci.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
441v3_pci.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
442v3_pci.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
443v3_pci.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
444v3_pci.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
445v3_pci.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
446v3_pci.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
447v3_pci.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
448v3_pci.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
449v3_pci.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
450v3_pci.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
451v3_pci.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_pci.c
452v3_pcia.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
453v3_pcia.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
454v3_pcia.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
455v3_pcia.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
456v3_pcia.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
457v3_pcia.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
458v3_pcia.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
459v3_pcia.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
460v3_pcia.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
461v3_pcia.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
462v3_pcia.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
463v3_pcia.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
464v3_pcia.o: ../../include/openssl/x509v3.h v3_pcia.c
465v3_pcons.o: ../../e_os.h ../../include/openssl/asn1.h
466v3_pcons.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
467v3_pcons.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
468v3_pcons.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
469v3_pcons.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
470v3_pcons.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
471v3_pcons.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
472v3_pcons.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
473v3_pcons.o: ../../include/openssl/opensslconf.h
474v3_pcons.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
475v3_pcons.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
476v3_pcons.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
477v3_pcons.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
478v3_pcons.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
479v3_pcons.o: ../cryptlib.h v3_pcons.c
480v3_pku.o: ../../e_os.h ../../include/openssl/asn1.h
481v3_pku.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
482v3_pku.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
483v3_pku.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
484v3_pku.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
485v3_pku.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
486v3_pku.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
487v3_pku.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
488v3_pku.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
489v3_pku.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
490v3_pku.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
491v3_pku.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
492v3_pku.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
493v3_pku.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_pku.c
494v3_pmaps.o: ../../e_os.h ../../include/openssl/asn1.h
495v3_pmaps.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
496v3_pmaps.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
497v3_pmaps.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
498v3_pmaps.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
499v3_pmaps.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
500v3_pmaps.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
501v3_pmaps.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
502v3_pmaps.o: ../../include/openssl/opensslconf.h
503v3_pmaps.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
504v3_pmaps.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
505v3_pmaps.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
506v3_pmaps.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
507v3_pmaps.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
508v3_pmaps.o: ../cryptlib.h v3_pmaps.c
509v3_prn.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
510v3_prn.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
511v3_prn.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
512v3_prn.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
513v3_prn.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
514v3_prn.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
515v3_prn.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
516v3_prn.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
517v3_prn.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
518v3_prn.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
519v3_prn.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
520v3_prn.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
521v3_prn.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_prn.c
522v3_purp.o: ../../e_os.h ../../include/openssl/asn1.h
523v3_purp.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
524v3_purp.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
525v3_purp.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
526v3_purp.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
527v3_purp.o: ../../include/openssl/err.h ../../include/openssl/evp.h
528v3_purp.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
529v3_purp.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
530v3_purp.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
531v3_purp.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
532v3_purp.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
533v3_purp.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
534v3_purp.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
535v3_purp.o: ../cryptlib.h v3_purp.c
536v3_skey.o: ../../e_os.h ../../include/openssl/asn1.h
537v3_skey.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
538v3_skey.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
539v3_skey.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
540v3_skey.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
541v3_skey.o: ../../include/openssl/err.h ../../include/openssl/evp.h
542v3_skey.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
543v3_skey.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
544v3_skey.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
545v3_skey.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
546v3_skey.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
547v3_skey.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
548v3_skey.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
549v3_skey.o: ../cryptlib.h v3_skey.c
550v3_sxnet.o: ../../e_os.h ../../include/openssl/asn1.h
551v3_sxnet.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
552v3_sxnet.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
553v3_sxnet.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
554v3_sxnet.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
555v3_sxnet.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
556v3_sxnet.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
557v3_sxnet.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
558v3_sxnet.o: ../../include/openssl/opensslconf.h
559v3_sxnet.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
560v3_sxnet.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
561v3_sxnet.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
562v3_sxnet.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
563v3_sxnet.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
564v3_sxnet.o: ../cryptlib.h v3_sxnet.c
565v3_utl.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
566v3_utl.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
567v3_utl.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
568v3_utl.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
569v3_utl.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
570v3_utl.o: ../../include/openssl/err.h ../../include/openssl/evp.h
571v3_utl.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
572v3_utl.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
573v3_utl.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
574v3_utl.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
575v3_utl.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
576v3_utl.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
577v3_utl.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
578v3_utl.o: ../cryptlib.h v3_utl.c
579v3err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
580v3err.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
581v3err.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
582v3err.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
583v3err.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
584v3err.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
585v3err.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
586v3err.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
587v3err.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
588v3err.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
589v3err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
590v3err.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
591v3err.o: ../../include/openssl/x509v3.h v3err.c
diff --git a/src/lib/libcrypto/x509v3/ext_dat.h b/src/lib/libcrypto/x509v3/ext_dat.h
deleted file mode 100644
index 76daee6fcd..0000000000
--- a/src/lib/libcrypto/x509v3/ext_dat.h
+++ /dev/null
@@ -1,132 +0,0 @@
1/* ext_dat.h */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58/* This file contains a table of "standard" extensions */
59
60extern X509V3_EXT_METHOD v3_bcons, v3_nscert, v3_key_usage, v3_ext_ku;
61extern X509V3_EXT_METHOD v3_pkey_usage_period, v3_sxnet, v3_info, v3_sinfo;
62extern X509V3_EXT_METHOD v3_ns_ia5_list[], v3_alt[], v3_skey_id, v3_akey_id;
63extern X509V3_EXT_METHOD v3_crl_num, v3_crl_reason, v3_crl_invdate;
64extern X509V3_EXT_METHOD v3_delta_crl, v3_cpols, v3_crld, v3_freshest_crl;
65extern X509V3_EXT_METHOD v3_ocsp_nonce, v3_ocsp_accresp, v3_ocsp_acutoff;
66extern X509V3_EXT_METHOD v3_ocsp_crlid, v3_ocsp_nocheck, v3_ocsp_serviceloc;
67extern X509V3_EXT_METHOD v3_crl_hold, v3_pci;
68extern X509V3_EXT_METHOD v3_policy_mappings, v3_policy_constraints;
69extern X509V3_EXT_METHOD v3_name_constraints, v3_inhibit_anyp, v3_idp;
70extern X509V3_EXT_METHOD v3_addr, v3_asid;
71
72/* This table will be searched using OBJ_bsearch so it *must* kept in
73 * order of the ext_nid values.
74 */
75
76static const X509V3_EXT_METHOD *standard_exts[] = {
77&v3_nscert,
78&v3_ns_ia5_list[0],
79&v3_ns_ia5_list[1],
80&v3_ns_ia5_list[2],
81&v3_ns_ia5_list[3],
82&v3_ns_ia5_list[4],
83&v3_ns_ia5_list[5],
84&v3_ns_ia5_list[6],
85&v3_skey_id,
86&v3_key_usage,
87&v3_pkey_usage_period,
88&v3_alt[0],
89&v3_alt[1],
90&v3_bcons,
91&v3_crl_num,
92&v3_cpols,
93&v3_akey_id,
94&v3_crld,
95&v3_ext_ku,
96&v3_delta_crl,
97&v3_crl_reason,
98#ifndef OPENSSL_NO_OCSP
99&v3_crl_invdate,
100#endif
101&v3_sxnet,
102&v3_info,
103#ifndef OPENSSL_NO_RFC3779
104&v3_addr,
105&v3_asid,
106#endif
107#ifndef OPENSSL_NO_OCSP
108&v3_ocsp_nonce,
109&v3_ocsp_crlid,
110&v3_ocsp_accresp,
111&v3_ocsp_nocheck,
112&v3_ocsp_acutoff,
113&v3_ocsp_serviceloc,
114#endif
115&v3_sinfo,
116&v3_policy_constraints,
117#ifndef OPENSSL_NO_OCSP
118&v3_crl_hold,
119#endif
120&v3_pci,
121&v3_name_constraints,
122&v3_policy_mappings,
123&v3_inhibit_anyp,
124&v3_idp,
125&v3_alt[2],
126&v3_freshest_crl,
127};
128
129/* Number of standard extensions */
130
131#define STANDARD_EXTENSION_COUNT (sizeof(standard_exts)/sizeof(X509V3_EXT_METHOD *))
132
diff --git a/src/lib/libcrypto/x509v3/pcy_cache.c b/src/lib/libcrypto/x509v3/pcy_cache.c
deleted file mode 100644
index 172b7e7ee4..0000000000
--- a/src/lib/libcrypto/x509v3/pcy_cache.c
+++ /dev/null
@@ -1,286 +0,0 @@
1/* pcy_cache.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2004.
4 */
5/* ====================================================================
6 * Copyright (c) 2004 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include "cryptlib.h"
60#include <openssl/x509.h>
61#include <openssl/x509v3.h>
62
63#include "pcy_int.h"
64
65static int policy_data_cmp(const X509_POLICY_DATA * const *a,
66 const X509_POLICY_DATA * const *b);
67static int policy_cache_set_int(long *out, ASN1_INTEGER *value);
68
69/* Set cache entry according to CertificatePolicies extension.
70 * Note: this destroys the passed CERTIFICATEPOLICIES structure.
71 */
72
73static int policy_cache_create(X509 *x,
74 CERTIFICATEPOLICIES *policies, int crit)
75 {
76 int i;
77 int ret = 0;
78 X509_POLICY_CACHE *cache = x->policy_cache;
79 X509_POLICY_DATA *data = NULL;
80 POLICYINFO *policy;
81 if (sk_POLICYINFO_num(policies) == 0)
82 goto bad_policy;
83 cache->data = sk_X509_POLICY_DATA_new(policy_data_cmp);
84 if (!cache->data)
85 goto bad_policy;
86 for (i = 0; i < sk_POLICYINFO_num(policies); i++)
87 {
88 policy = sk_POLICYINFO_value(policies, i);
89 data = policy_data_new(policy, NULL, crit);
90 if (!data)
91 goto bad_policy;
92 /* Duplicate policy OIDs are illegal: reject if matches
93 * found.
94 */
95 if (OBJ_obj2nid(data->valid_policy) == NID_any_policy)
96 {
97 if (cache->anyPolicy)
98 {
99 ret = -1;
100 goto bad_policy;
101 }
102 cache->anyPolicy = data;
103 }
104 else if (sk_X509_POLICY_DATA_find(cache->data, data) != -1)
105 {
106 ret = -1;
107 goto bad_policy;
108 }
109 else if (!sk_X509_POLICY_DATA_push(cache->data, data))
110 goto bad_policy;
111 data = NULL;
112 }
113 ret = 1;
114 bad_policy:
115 if (ret == -1)
116 x->ex_flags |= EXFLAG_INVALID_POLICY;
117 if (data)
118 policy_data_free(data);
119 sk_POLICYINFO_pop_free(policies, POLICYINFO_free);
120 if (ret <= 0)
121 {
122 sk_X509_POLICY_DATA_pop_free(cache->data, policy_data_free);
123 cache->data = NULL;
124 }
125 return ret;
126 }
127
128
129static int policy_cache_new(X509 *x)
130 {
131 X509_POLICY_CACHE *cache;
132 ASN1_INTEGER *ext_any = NULL;
133 POLICY_CONSTRAINTS *ext_pcons = NULL;
134 CERTIFICATEPOLICIES *ext_cpols = NULL;
135 POLICY_MAPPINGS *ext_pmaps = NULL;
136 int i;
137 cache = OPENSSL_malloc(sizeof(X509_POLICY_CACHE));
138 if (!cache)
139 return 0;
140 cache->anyPolicy = NULL;
141 cache->data = NULL;
142 cache->any_skip = -1;
143 cache->explicit_skip = -1;
144 cache->map_skip = -1;
145
146 x->policy_cache = cache;
147
148 /* Handle requireExplicitPolicy *first*. Need to process this
149 * even if we don't have any policies.
150 */
151 ext_pcons = X509_get_ext_d2i(x, NID_policy_constraints, &i, NULL);
152
153 if (!ext_pcons)
154 {
155 if (i != -1)
156 goto bad_cache;
157 }
158 else
159 {
160 if (!ext_pcons->requireExplicitPolicy
161 && !ext_pcons->inhibitPolicyMapping)
162 goto bad_cache;
163 if (!policy_cache_set_int(&cache->explicit_skip,
164 ext_pcons->requireExplicitPolicy))
165 goto bad_cache;
166 if (!policy_cache_set_int(&cache->map_skip,
167 ext_pcons->inhibitPolicyMapping))
168 goto bad_cache;
169 }
170
171 /* Process CertificatePolicies */
172
173 ext_cpols = X509_get_ext_d2i(x, NID_certificate_policies, &i, NULL);
174 /* If no CertificatePolicies extension or problem decoding then
175 * there is no point continuing because the valid policies will be
176 * NULL.
177 */
178 if (!ext_cpols)
179 {
180 /* If not absent some problem with extension */
181 if (i != -1)
182 goto bad_cache;
183 return 1;
184 }
185
186 i = policy_cache_create(x, ext_cpols, i);
187
188 /* NB: ext_cpols freed by policy_cache_set_policies */
189
190 if (i <= 0)
191 return i;
192
193 ext_pmaps = X509_get_ext_d2i(x, NID_policy_mappings, &i, NULL);
194
195 if (!ext_pmaps)
196 {
197 /* If not absent some problem with extension */
198 if (i != -1)
199 goto bad_cache;
200 }
201 else
202 {
203 i = policy_cache_set_mapping(x, ext_pmaps);
204 if (i <= 0)
205 goto bad_cache;
206 }
207
208 ext_any = X509_get_ext_d2i(x, NID_inhibit_any_policy, &i, NULL);
209
210 if (!ext_any)
211 {
212 if (i != -1)
213 goto bad_cache;
214 }
215 else if (!policy_cache_set_int(&cache->any_skip, ext_any))
216 goto bad_cache;
217
218 if (0)
219 {
220 bad_cache:
221 x->ex_flags |= EXFLAG_INVALID_POLICY;
222 }
223
224 if(ext_pcons)
225 POLICY_CONSTRAINTS_free(ext_pcons);
226
227 if (ext_any)
228 ASN1_INTEGER_free(ext_any);
229
230 return 1;
231
232
233}
234
235void policy_cache_free(X509_POLICY_CACHE *cache)
236 {
237 if (!cache)
238 return;
239 if (cache->anyPolicy)
240 policy_data_free(cache->anyPolicy);
241 if (cache->data)
242 sk_X509_POLICY_DATA_pop_free(cache->data, policy_data_free);
243 OPENSSL_free(cache);
244 }
245
246const X509_POLICY_CACHE *policy_cache_set(X509 *x)
247 {
248
249 if (x->policy_cache == NULL)
250 {
251 CRYPTO_w_lock(CRYPTO_LOCK_X509);
252 policy_cache_new(x);
253 CRYPTO_w_unlock(CRYPTO_LOCK_X509);
254 }
255
256 return x->policy_cache;
257
258 }
259
260X509_POLICY_DATA *policy_cache_find_data(const X509_POLICY_CACHE *cache,
261 const ASN1_OBJECT *id)
262 {
263 int idx;
264 X509_POLICY_DATA tmp;
265 tmp.valid_policy = (ASN1_OBJECT *)id;
266 idx = sk_X509_POLICY_DATA_find(cache->data, &tmp);
267 if (idx == -1)
268 return NULL;
269 return sk_X509_POLICY_DATA_value(cache->data, idx);
270 }
271
272static int policy_data_cmp(const X509_POLICY_DATA * const *a,
273 const X509_POLICY_DATA * const *b)
274 {
275 return OBJ_cmp((*a)->valid_policy, (*b)->valid_policy);
276 }
277
278static int policy_cache_set_int(long *out, ASN1_INTEGER *value)
279 {
280 if (value == NULL)
281 return 1;
282 if (value->type == V_ASN1_NEG_INTEGER)
283 return 0;
284 *out = ASN1_INTEGER_get(value);
285 return 1;
286 }
diff --git a/src/lib/libcrypto/x509v3/pcy_data.c b/src/lib/libcrypto/x509v3/pcy_data.c
deleted file mode 100644
index 3444b03195..0000000000
--- a/src/lib/libcrypto/x509v3/pcy_data.c
+++ /dev/null
@@ -1,135 +0,0 @@
1/* pcy_data.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2004.
4 */
5/* ====================================================================
6 * Copyright (c) 2004 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include "cryptlib.h"
60#include <openssl/x509.h>
61#include <openssl/x509v3.h>
62
63#include "pcy_int.h"
64
65/* Policy Node routines */
66
67void policy_data_free(X509_POLICY_DATA *data)
68 {
69 ASN1_OBJECT_free(data->valid_policy);
70 /* Don't free qualifiers if shared */
71 if (!(data->flags & POLICY_DATA_FLAG_SHARED_QUALIFIERS))
72 sk_POLICYQUALINFO_pop_free(data->qualifier_set,
73 POLICYQUALINFO_free);
74 sk_ASN1_OBJECT_pop_free(data->expected_policy_set, ASN1_OBJECT_free);
75 OPENSSL_free(data);
76 }
77
78/* Create a data based on an existing policy. If 'id' is NULL use the
79 * oid in the policy, otherwise use 'id'. This behaviour covers the two
80 * types of data in RFC3280: data with from a CertificatePolcies extension
81 * and additional data with just the qualifiers of anyPolicy and ID from
82 * another source.
83 */
84
85X509_POLICY_DATA *policy_data_new(POLICYINFO *policy,
86 const ASN1_OBJECT *cid, int crit)
87 {
88 X509_POLICY_DATA *ret;
89 ASN1_OBJECT *id;
90 if (!policy && !cid)
91 return NULL;
92 if (cid)
93 {
94 id = OBJ_dup(cid);
95 if (!id)
96 return NULL;
97 }
98 else
99 id = NULL;
100 ret = OPENSSL_malloc(sizeof(X509_POLICY_DATA));
101 if (!ret)
102 return NULL;
103 ret->expected_policy_set = sk_ASN1_OBJECT_new_null();
104 if (!ret->expected_policy_set)
105 {
106 OPENSSL_free(ret);
107 if (id)
108 ASN1_OBJECT_free(id);
109 return NULL;
110 }
111
112 if (crit)
113 ret->flags = POLICY_DATA_FLAG_CRITICAL;
114 else
115 ret->flags = 0;
116
117 if (id)
118 ret->valid_policy = id;
119 else
120 {
121 ret->valid_policy = policy->policyid;
122 policy->policyid = NULL;
123 }
124
125 if (policy)
126 {
127 ret->qualifier_set = policy->qualifiers;
128 policy->qualifiers = NULL;
129 }
130 else
131 ret->qualifier_set = NULL;
132
133 return ret;
134 }
135
diff --git a/src/lib/libcrypto/x509v3/pcy_int.h b/src/lib/libcrypto/x509v3/pcy_int.h
deleted file mode 100644
index ccff92846e..0000000000
--- a/src/lib/libcrypto/x509v3/pcy_int.h
+++ /dev/null
@@ -1,212 +0,0 @@
1/* pcy_int.h */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2004.
4 */
5/* ====================================================================
6 * Copyright (c) 2004 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59
60typedef struct X509_POLICY_DATA_st X509_POLICY_DATA;
61
62DECLARE_STACK_OF(X509_POLICY_DATA)
63
64/* Internal structures */
65
66/* This structure and the field names correspond to the Policy 'node' of
67 * RFC3280. NB this structure contains no pointers to parent or child
68 * data: X509_POLICY_NODE contains that. This means that the main policy data
69 * can be kept static and cached with the certificate.
70 */
71
72struct X509_POLICY_DATA_st
73 {
74 unsigned int flags;
75 /* Policy OID and qualifiers for this data */
76 ASN1_OBJECT *valid_policy;
77 STACK_OF(POLICYQUALINFO) *qualifier_set;
78 STACK_OF(ASN1_OBJECT) *expected_policy_set;
79 };
80
81/* X509_POLICY_DATA flags values */
82
83/* This flag indicates the structure has been mapped using a policy mapping
84 * extension. If policy mapping is not active its references get deleted.
85 */
86
87#define POLICY_DATA_FLAG_MAPPED 0x1
88
89/* This flag indicates the data doesn't correspond to a policy in Certificate
90 * Policies: it has been mapped to any policy.
91 */
92
93#define POLICY_DATA_FLAG_MAPPED_ANY 0x2
94
95/* AND with flags to see if any mapping has occurred */
96
97#define POLICY_DATA_FLAG_MAP_MASK 0x3
98
99/* qualifiers are shared and shouldn't be freed */
100
101#define POLICY_DATA_FLAG_SHARED_QUALIFIERS 0x4
102
103/* Parent node is an extra node and should be freed */
104
105#define POLICY_DATA_FLAG_EXTRA_NODE 0x8
106
107/* Corresponding CertificatePolicies is critical */
108
109#define POLICY_DATA_FLAG_CRITICAL 0x10
110
111/* This structure is cached with a certificate */
112
113struct X509_POLICY_CACHE_st {
114 /* anyPolicy data or NULL if no anyPolicy */
115 X509_POLICY_DATA *anyPolicy;
116 /* other policy data */
117 STACK_OF(X509_POLICY_DATA) *data;
118 /* If InhibitAnyPolicy present this is its value or -1 if absent. */
119 long any_skip;
120 /* If policyConstraints and requireExplicitPolicy present this is its
121 * value or -1 if absent.
122 */
123 long explicit_skip;
124 /* If policyConstraints and policyMapping present this is its
125 * value or -1 if absent.
126 */
127 long map_skip;
128 };
129
130/*#define POLICY_CACHE_FLAG_CRITICAL POLICY_DATA_FLAG_CRITICAL*/
131
132/* This structure represents the relationship between nodes */
133
134struct X509_POLICY_NODE_st
135 {
136 /* node data this refers to */
137 const X509_POLICY_DATA *data;
138 /* Parent node */
139 X509_POLICY_NODE *parent;
140 /* Number of child nodes */
141 int nchild;
142 };
143
144struct X509_POLICY_LEVEL_st
145 {
146 /* Cert for this level */
147 X509 *cert;
148 /* nodes at this level */
149 STACK_OF(X509_POLICY_NODE) *nodes;
150 /* anyPolicy node */
151 X509_POLICY_NODE *anyPolicy;
152 /* Extra data */
153 /*STACK_OF(X509_POLICY_DATA) *extra_data;*/
154 unsigned int flags;
155 };
156
157struct X509_POLICY_TREE_st
158 {
159 /* This is the tree 'level' data */
160 X509_POLICY_LEVEL *levels;
161 int nlevel;
162 /* Extra policy data when additional nodes (not from the certificate)
163 * are required.
164 */
165 STACK_OF(X509_POLICY_DATA) *extra_data;
166 /* This is the authority constained policy set */
167 STACK_OF(X509_POLICY_NODE) *auth_policies;
168 STACK_OF(X509_POLICY_NODE) *user_policies;
169 unsigned int flags;
170 };
171
172/* Set if anyPolicy present in user policies */
173#define POLICY_FLAG_ANY_POLICY 0x2
174
175/* Useful macros */
176
177#define node_data_critical(data) (data->flags & POLICY_DATA_FLAG_CRITICAL)
178#define node_critical(node) node_data_critical(node->data)
179
180/* Internal functions */
181
182X509_POLICY_DATA *policy_data_new(POLICYINFO *policy, const ASN1_OBJECT *id,
183 int crit);
184void policy_data_free(X509_POLICY_DATA *data);
185
186X509_POLICY_DATA *policy_cache_find_data(const X509_POLICY_CACHE *cache,
187 const ASN1_OBJECT *id);
188int policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps);
189
190
191STACK_OF(X509_POLICY_NODE) *policy_node_cmp_new(void);
192
193void policy_cache_init(void);
194
195void policy_cache_free(X509_POLICY_CACHE *cache);
196
197X509_POLICY_NODE *level_find_node(const X509_POLICY_LEVEL *level,
198 const X509_POLICY_NODE *parent,
199 const ASN1_OBJECT *id);
200
201X509_POLICY_NODE *tree_find_sk(STACK_OF(X509_POLICY_NODE) *sk,
202 const ASN1_OBJECT *id);
203
204X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
205 const X509_POLICY_DATA *data,
206 X509_POLICY_NODE *parent,
207 X509_POLICY_TREE *tree);
208void policy_node_free(X509_POLICY_NODE *node);
209int policy_node_match(const X509_POLICY_LEVEL *lvl,
210 const X509_POLICY_NODE *node, const ASN1_OBJECT *oid);
211
212const X509_POLICY_CACHE *policy_cache_set(X509 *x);
diff --git a/src/lib/libcrypto/x509v3/pcy_lib.c b/src/lib/libcrypto/x509v3/pcy_lib.c
deleted file mode 100644
index 93bfd92703..0000000000
--- a/src/lib/libcrypto/x509v3/pcy_lib.c
+++ /dev/null
@@ -1,167 +0,0 @@
1/* pcy_lib.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2004.
4 */
5/* ====================================================================
6 * Copyright (c) 2004 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59
60#include "cryptlib.h"
61#include <openssl/x509.h>
62#include <openssl/x509v3.h>
63
64#include "pcy_int.h"
65
66/* accessor functions */
67
68/* X509_POLICY_TREE stuff */
69
70int X509_policy_tree_level_count(const X509_POLICY_TREE *tree)
71 {
72 if (!tree)
73 return 0;
74 return tree->nlevel;
75 }
76
77X509_POLICY_LEVEL *
78 X509_policy_tree_get0_level(const X509_POLICY_TREE *tree, int i)
79 {
80 if (!tree || (i < 0) || (i >= tree->nlevel))
81 return NULL;
82 return tree->levels + i;
83 }
84
85STACK_OF(X509_POLICY_NODE) *
86 X509_policy_tree_get0_policies(const X509_POLICY_TREE *tree)
87 {
88 if (!tree)
89 return NULL;
90 return tree->auth_policies;
91 }
92
93STACK_OF(X509_POLICY_NODE) *
94 X509_policy_tree_get0_user_policies(const X509_POLICY_TREE *tree)
95 {
96 if (!tree)
97 return NULL;
98 if (tree->flags & POLICY_FLAG_ANY_POLICY)
99 return tree->auth_policies;
100 else
101 return tree->user_policies;
102 }
103
104/* X509_POLICY_LEVEL stuff */
105
106int X509_policy_level_node_count(X509_POLICY_LEVEL *level)
107 {
108 int n;
109 if (!level)
110 return 0;
111 if (level->anyPolicy)
112 n = 1;
113 else
114 n = 0;
115 if (level->nodes)
116 n += sk_X509_POLICY_NODE_num(level->nodes);
117 return n;
118 }
119
120X509_POLICY_NODE *X509_policy_level_get0_node(X509_POLICY_LEVEL *level, int i)
121 {
122 if (!level)
123 return NULL;
124 if (level->anyPolicy)
125 {
126 if (i == 0)
127 return level->anyPolicy;
128 i--;
129 }
130 return sk_X509_POLICY_NODE_value(level->nodes, i);
131 }
132
133/* X509_POLICY_NODE stuff */
134
135const ASN1_OBJECT *X509_policy_node_get0_policy(const X509_POLICY_NODE *node)
136 {
137 if (!node)
138 return NULL;
139 return node->data->valid_policy;
140 }
141
142#if 0
143int X509_policy_node_get_critical(const X509_POLICY_NODE *node)
144 {
145 if (node_critical(node))
146 return 1;
147 return 0;
148 }
149#endif
150
151STACK_OF(POLICYQUALINFO) *
152 X509_policy_node_get0_qualifiers(const X509_POLICY_NODE *node)
153 {
154 if (!node)
155 return NULL;
156 return node->data->qualifier_set;
157 }
158
159const X509_POLICY_NODE *
160 X509_policy_node_get0_parent(const X509_POLICY_NODE *node)
161 {
162 if (!node)
163 return NULL;
164 return node->parent;
165 }
166
167
diff --git a/src/lib/libcrypto/x509v3/pcy_map.c b/src/lib/libcrypto/x509v3/pcy_map.c
deleted file mode 100644
index 21163b529d..0000000000
--- a/src/lib/libcrypto/x509v3/pcy_map.c
+++ /dev/null
@@ -1,132 +0,0 @@
1/* pcy_map.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2004.
4 */
5/* ====================================================================
6 * Copyright (c) 2004 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include "cryptlib.h"
60#include <openssl/x509.h>
61#include <openssl/x509v3.h>
62
63#include "pcy_int.h"
64
65/* Set policy mapping entries in cache.
66 * Note: this modifies the passed POLICY_MAPPINGS structure
67 */
68
69int policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps)
70 {
71 POLICY_MAPPING *map;
72 X509_POLICY_DATA *data;
73 X509_POLICY_CACHE *cache = x->policy_cache;
74 int i;
75 int ret = 0;
76 if (sk_POLICY_MAPPING_num(maps) == 0)
77 {
78 ret = -1;
79 goto bad_mapping;
80 }
81 for (i = 0; i < sk_POLICY_MAPPING_num(maps); i++)
82 {
83 map = sk_POLICY_MAPPING_value(maps, i);
84 /* Reject if map to or from anyPolicy */
85 if ((OBJ_obj2nid(map->subjectDomainPolicy) == NID_any_policy)
86 || (OBJ_obj2nid(map->issuerDomainPolicy) == NID_any_policy))
87 {
88 ret = -1;
89 goto bad_mapping;
90 }
91
92 /* Attempt to find matching policy data */
93 data = policy_cache_find_data(cache, map->issuerDomainPolicy);
94 /* If we don't have anyPolicy can't map */
95 if (!data && !cache->anyPolicy)
96 continue;
97
98 /* Create a NODE from anyPolicy */
99 if (!data)
100 {
101 data = policy_data_new(NULL, map->issuerDomainPolicy,
102 cache->anyPolicy->flags
103 & POLICY_DATA_FLAG_CRITICAL);
104 if (!data)
105 goto bad_mapping;
106 data->qualifier_set = cache->anyPolicy->qualifier_set;
107 /*map->issuerDomainPolicy = NULL;*/
108 data->flags |= POLICY_DATA_FLAG_MAPPED_ANY;
109 data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
110 if (!sk_X509_POLICY_DATA_push(cache->data, data))
111 {
112 policy_data_free(data);
113 goto bad_mapping;
114 }
115 }
116 else
117 data->flags |= POLICY_DATA_FLAG_MAPPED;
118 if (!sk_ASN1_OBJECT_push(data->expected_policy_set,
119 map->subjectDomainPolicy))
120 goto bad_mapping;
121 map->subjectDomainPolicy = NULL;
122
123 }
124
125 ret = 1;
126 bad_mapping:
127 if (ret == -1)
128 x->ex_flags |= EXFLAG_INVALID_POLICY;
129 sk_POLICY_MAPPING_pop_free(maps, POLICY_MAPPING_free);
130 return ret;
131
132 }
diff --git a/src/lib/libcrypto/x509v3/pcy_node.c b/src/lib/libcrypto/x509v3/pcy_node.c
deleted file mode 100644
index bd1e7f1ae8..0000000000
--- a/src/lib/libcrypto/x509v3/pcy_node.c
+++ /dev/null
@@ -1,197 +0,0 @@
1/* pcy_node.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2004.
4 */
5/* ====================================================================
6 * Copyright (c) 2004 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <openssl/asn1.h>
60#include <openssl/x509.h>
61#include <openssl/x509v3.h>
62
63#include "pcy_int.h"
64
65static int node_cmp(const X509_POLICY_NODE * const *a,
66 const X509_POLICY_NODE * const *b)
67 {
68 return OBJ_cmp((*a)->data->valid_policy, (*b)->data->valid_policy);
69 }
70
71STACK_OF(X509_POLICY_NODE) *policy_node_cmp_new(void)
72 {
73 return sk_X509_POLICY_NODE_new(node_cmp);
74 }
75
76X509_POLICY_NODE *tree_find_sk(STACK_OF(X509_POLICY_NODE) *nodes,
77 const ASN1_OBJECT *id)
78 {
79 X509_POLICY_DATA n;
80 X509_POLICY_NODE l;
81 int idx;
82
83 n.valid_policy = (ASN1_OBJECT *)id;
84 l.data = &n;
85
86 idx = sk_X509_POLICY_NODE_find(nodes, &l);
87 if (idx == -1)
88 return NULL;
89
90 return sk_X509_POLICY_NODE_value(nodes, idx);
91
92 }
93
94X509_POLICY_NODE *level_find_node(const X509_POLICY_LEVEL *level,
95 const X509_POLICY_NODE *parent,
96 const ASN1_OBJECT *id)
97 {
98 X509_POLICY_NODE *node;
99 int i;
100 for (i = 0; i < sk_X509_POLICY_NODE_num(level->nodes); i++)
101 {
102 node = sk_X509_POLICY_NODE_value(level->nodes, i);
103 if (node->parent == parent)
104 {
105 if (!OBJ_cmp(node->data->valid_policy, id))
106 return node;
107 }
108 }
109 return NULL;
110 }
111
112X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
113 const X509_POLICY_DATA *data,
114 X509_POLICY_NODE *parent,
115 X509_POLICY_TREE *tree)
116 {
117 X509_POLICY_NODE *node;
118 node = OPENSSL_malloc(sizeof(X509_POLICY_NODE));
119 if (!node)
120 return NULL;
121 node->data = data;
122 node->parent = parent;
123 node->nchild = 0;
124 if (level)
125 {
126 if (OBJ_obj2nid(data->valid_policy) == NID_any_policy)
127 {
128 if (level->anyPolicy)
129 goto node_error;
130 level->anyPolicy = node;
131 }
132 else
133 {
134
135 if (!level->nodes)
136 level->nodes = policy_node_cmp_new();
137 if (!level->nodes)
138 goto node_error;
139 if (!sk_X509_POLICY_NODE_push(level->nodes, node))
140 goto node_error;
141 }
142 }
143
144 if (tree)
145 {
146 if (!tree->extra_data)
147 tree->extra_data = sk_X509_POLICY_DATA_new_null();
148 if (!tree->extra_data)
149 goto node_error;
150 if (!sk_X509_POLICY_DATA_push(tree->extra_data, data))
151 goto node_error;
152 }
153
154 if (parent)
155 parent->nchild++;
156
157 return node;
158
159 node_error:
160 policy_node_free(node);
161 return 0;
162
163 }
164
165void policy_node_free(X509_POLICY_NODE *node)
166 {
167 OPENSSL_free(node);
168 }
169
170/* See if a policy node matches a policy OID. If mapping enabled look through
171 * expected policy set otherwise just valid policy.
172 */
173
174int policy_node_match(const X509_POLICY_LEVEL *lvl,
175 const X509_POLICY_NODE *node, const ASN1_OBJECT *oid)
176 {
177 int i;
178 ASN1_OBJECT *policy_oid;
179 const X509_POLICY_DATA *x = node->data;
180
181 if ( (lvl->flags & X509_V_FLAG_INHIBIT_MAP)
182 || !(x->flags & POLICY_DATA_FLAG_MAP_MASK))
183 {
184 if (!OBJ_cmp(x->valid_policy, oid))
185 return 1;
186 return 0;
187 }
188
189 for (i = 0; i < sk_ASN1_OBJECT_num(x->expected_policy_set); i++)
190 {
191 policy_oid = sk_ASN1_OBJECT_value(x->expected_policy_set, i);
192 if (!OBJ_cmp(policy_oid, oid))
193 return 1;
194 }
195 return 0;
196
197 }
diff --git a/src/lib/libcrypto/x509v3/pcy_tree.c b/src/lib/libcrypto/x509v3/pcy_tree.c
deleted file mode 100644
index bb9777348f..0000000000
--- a/src/lib/libcrypto/x509v3/pcy_tree.c
+++ /dev/null
@@ -1,872 +0,0 @@
1/* pcy_tree.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2004.
4 */
5/* ====================================================================
6 * Copyright (c) 2004 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include "cryptlib.h"
60#include <openssl/x509.h>
61#include <openssl/x509v3.h>
62
63#include "pcy_int.h"
64
65/* Enable this to print out the complete policy tree at various point during
66 * evaluation.
67 */
68
69/*#define OPENSSL_POLICY_DEBUG*/
70
71#ifdef OPENSSL_POLICY_DEBUG
72
73static void expected_print(BIO *err, X509_POLICY_LEVEL *lev,
74 X509_POLICY_NODE *node, int indent)
75 {
76 if ( (lev->flags & X509_V_FLAG_INHIBIT_MAP)
77 || !(node->data->flags & POLICY_DATA_FLAG_MAP_MASK))
78 BIO_puts(err, " Not Mapped\n");
79 else
80 {
81 int i;
82 STACK_OF(ASN1_OBJECT) *pset = node->data->expected_policy_set;
83 ASN1_OBJECT *oid;
84 BIO_puts(err, " Expected: ");
85 for (i = 0; i < sk_ASN1_OBJECT_num(pset); i++)
86 {
87 oid = sk_ASN1_OBJECT_value(pset, i);
88 if (i)
89 BIO_puts(err, ", ");
90 i2a_ASN1_OBJECT(err, oid);
91 }
92 BIO_puts(err, "\n");
93 }
94 }
95
96static void tree_print(char *str, X509_POLICY_TREE *tree,
97 X509_POLICY_LEVEL *curr)
98 {
99 X509_POLICY_LEVEL *plev;
100 X509_POLICY_NODE *node;
101 int i;
102 BIO *err;
103 err = BIO_new_fp(stderr, BIO_NOCLOSE);
104 if (!curr)
105 curr = tree->levels + tree->nlevel;
106 else
107 curr++;
108 BIO_printf(err, "Level print after %s\n", str);
109 BIO_printf(err, "Printing Up to Level %ld\n", curr - tree->levels);
110 for (plev = tree->levels; plev != curr; plev++)
111 {
112 BIO_printf(err, "Level %ld, flags = %x\n",
113 plev - tree->levels, plev->flags);
114 for (i = 0; i < sk_X509_POLICY_NODE_num(plev->nodes); i++)
115 {
116 node = sk_X509_POLICY_NODE_value(plev->nodes, i);
117 X509_POLICY_NODE_print(err, node, 2);
118 expected_print(err, plev, node, 2);
119 BIO_printf(err, " Flags: %x\n", node->data->flags);
120 }
121 if (plev->anyPolicy)
122 X509_POLICY_NODE_print(err, plev->anyPolicy, 2);
123 }
124
125 BIO_free(err);
126
127 }
128#else
129
130#define tree_print(a,b,c) /* */
131
132#endif
133
134/* Initialize policy tree. Return values:
135 * 0 Some internal error occured.
136 * -1 Inconsistent or invalid extensions in certificates.
137 * 1 Tree initialized OK.
138 * 2 Policy tree is empty.
139 * 5 Tree OK and requireExplicitPolicy true.
140 * 6 Tree empty and requireExplicitPolicy true.
141 */
142
143static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
144 unsigned int flags)
145 {
146 X509_POLICY_TREE *tree;
147 X509_POLICY_LEVEL *level;
148 const X509_POLICY_CACHE *cache;
149 X509_POLICY_DATA *data = NULL;
150 X509 *x;
151 int ret = 1;
152 int i, n;
153 int explicit_policy;
154 int any_skip;
155 int map_skip;
156 *ptree = NULL;
157 n = sk_X509_num(certs);
158
159#if 0
160 /* Disable policy mapping for now... */
161 flags |= X509_V_FLAG_INHIBIT_MAP;
162#endif
163
164 if (flags & X509_V_FLAG_EXPLICIT_POLICY)
165 explicit_policy = 0;
166 else
167 explicit_policy = n + 1;
168
169 if (flags & X509_V_FLAG_INHIBIT_ANY)
170 any_skip = 0;
171 else
172 any_skip = n + 1;
173
174 if (flags & X509_V_FLAG_INHIBIT_MAP)
175 map_skip = 0;
176 else
177 map_skip = n + 1;
178
179 /* Can't do anything with just a trust anchor */
180 if (n == 1)
181 return 1;
182 /* First setup policy cache in all certificates apart from the
183 * trust anchor. Note any bad cache results on the way. Also can
184 * calculate explicit_policy value at this point.
185 */
186 for (i = n - 2; i >= 0; i--)
187 {
188 x = sk_X509_value(certs, i);
189 X509_check_purpose(x, -1, -1);
190 cache = policy_cache_set(x);
191 /* If cache NULL something bad happened: return immediately */
192 if (cache == NULL)
193 return 0;
194 /* If inconsistent extensions keep a note of it but continue */
195 if (x->ex_flags & EXFLAG_INVALID_POLICY)
196 ret = -1;
197 /* Otherwise if we have no data (hence no CertificatePolicies)
198 * and haven't already set an inconsistent code note it.
199 */
200 else if ((ret == 1) && !cache->data)
201 ret = 2;
202 if (explicit_policy > 0)
203 {
204 if (!(x->ex_flags & EXFLAG_SI))
205 explicit_policy--;
206 if ((cache->explicit_skip != -1)
207 && (cache->explicit_skip < explicit_policy))
208 explicit_policy = cache->explicit_skip;
209 }
210 }
211
212 if (ret != 1)
213 {
214 if (ret == 2 && !explicit_policy)
215 return 6;
216 return ret;
217 }
218
219
220 /* If we get this far initialize the tree */
221
222 tree = OPENSSL_malloc(sizeof(X509_POLICY_TREE));
223
224 if (!tree)
225 return 0;
226
227 tree->flags = 0;
228 tree->levels = OPENSSL_malloc(sizeof(X509_POLICY_LEVEL) * n);
229 tree->nlevel = 0;
230 tree->extra_data = NULL;
231 tree->auth_policies = NULL;
232 tree->user_policies = NULL;
233
234 if (!tree->levels)
235 {
236 OPENSSL_free(tree);
237 return 0;
238 }
239
240 memset(tree->levels, 0, n * sizeof(X509_POLICY_LEVEL));
241
242 tree->nlevel = n;
243
244 level = tree->levels;
245
246 /* Root data: initialize to anyPolicy */
247
248 data = policy_data_new(NULL, OBJ_nid2obj(NID_any_policy), 0);
249
250 if (!data || !level_add_node(level, data, NULL, tree))
251 goto bad_tree;
252
253 for (i = n - 2; i >= 0; i--)
254 {
255 level++;
256 x = sk_X509_value(certs, i);
257 cache = policy_cache_set(x);
258 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
259 level->cert = x;
260
261 if (!cache->anyPolicy)
262 level->flags |= X509_V_FLAG_INHIBIT_ANY;
263
264 /* Determine inhibit any and inhibit map flags */
265 if (any_skip == 0)
266 {
267 /* Any matching allowed if certificate is self
268 * issued and not the last in the chain.
269 */
270 if (!(x->ex_flags & EXFLAG_SI) || (i == 0))
271 level->flags |= X509_V_FLAG_INHIBIT_ANY;
272 }
273 else
274 {
275 if (!(x->ex_flags & EXFLAG_SI))
276 any_skip--;
277 if ((cache->any_skip >= 0)
278 && (cache->any_skip < any_skip))
279 any_skip = cache->any_skip;
280 }
281
282 if (map_skip == 0)
283 level->flags |= X509_V_FLAG_INHIBIT_MAP;
284 else
285 {
286 if (!(x->ex_flags & EXFLAG_SI))
287 map_skip--;
288 if ((cache->map_skip >= 0)
289 && (cache->map_skip < map_skip))
290 map_skip = cache->map_skip;
291 }
292
293 }
294
295 *ptree = tree;
296
297 if (explicit_policy)
298 return 1;
299 else
300 return 5;
301
302 bad_tree:
303
304 X509_policy_tree_free(tree);
305
306 return 0;
307
308 }
309
310static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
311 const X509_POLICY_DATA *data)
312 {
313 X509_POLICY_LEVEL *last = curr - 1;
314 X509_POLICY_NODE *node;
315 int i, matched = 0;
316 /* Iterate through all in nodes linking matches */
317 for (i = 0; i < sk_X509_POLICY_NODE_num(last->nodes); i++)
318 {
319 node = sk_X509_POLICY_NODE_value(last->nodes, i);
320 if (policy_node_match(last, node, data->valid_policy))
321 {
322 if (!level_add_node(curr, data, node, NULL))
323 return 0;
324 matched = 1;
325 }
326 }
327 if (!matched && last->anyPolicy)
328 {
329 if (!level_add_node(curr, data, last->anyPolicy, NULL))
330 return 0;
331 }
332 return 1;
333 }
334
335/* This corresponds to RFC3280 6.1.3(d)(1):
336 * link any data from CertificatePolicies onto matching parent
337 * or anyPolicy if no match.
338 */
339
340static int tree_link_nodes(X509_POLICY_LEVEL *curr,
341 const X509_POLICY_CACHE *cache)
342 {
343 int i;
344 X509_POLICY_DATA *data;
345
346 for (i = 0; i < sk_X509_POLICY_DATA_num(cache->data); i++)
347 {
348 data = sk_X509_POLICY_DATA_value(cache->data, i);
349 /* If a node is mapped any it doesn't have a corresponding
350 * CertificatePolicies entry.
351 * However such an identical node would be created
352 * if anyPolicy matching is enabled because there would be
353 * no match with the parent valid_policy_set. So we create
354 * link because then it will have the mapping flags
355 * right and we can prune it later.
356 */
357#if 0
358 if ((data->flags & POLICY_DATA_FLAG_MAPPED_ANY)
359 && !(curr->flags & X509_V_FLAG_INHIBIT_ANY))
360 continue;
361#endif
362 /* Look for matching nodes in previous level */
363 if (!tree_link_matching_nodes(curr, data))
364 return 0;
365 }
366 return 1;
367 }
368
369/* This corresponds to RFC3280 6.1.3(d)(2):
370 * Create new data for any unmatched policies in the parent and link
371 * to anyPolicy.
372 */
373
374static int tree_add_unmatched(X509_POLICY_LEVEL *curr,
375 const X509_POLICY_CACHE *cache,
376 const ASN1_OBJECT *id,
377 X509_POLICY_NODE *node,
378 X509_POLICY_TREE *tree)
379 {
380 X509_POLICY_DATA *data;
381 if (id == NULL)
382 id = node->data->valid_policy;
383 /* Create a new node with qualifiers from anyPolicy and
384 * id from unmatched node.
385 */
386 data = policy_data_new(NULL, id, node_critical(node));
387
388 if (data == NULL)
389 return 0;
390 /* Curr may not have anyPolicy */
391 data->qualifier_set = cache->anyPolicy->qualifier_set;
392 data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
393 if (!level_add_node(curr, data, node, tree))
394 {
395 policy_data_free(data);
396 return 0;
397 }
398
399 return 1;
400 }
401
402static int tree_link_unmatched(X509_POLICY_LEVEL *curr,
403 const X509_POLICY_CACHE *cache,
404 X509_POLICY_NODE *node,
405 X509_POLICY_TREE *tree)
406 {
407 const X509_POLICY_LEVEL *last = curr - 1;
408 int i;
409
410 if ( (last->flags & X509_V_FLAG_INHIBIT_MAP)
411 || !(node->data->flags & POLICY_DATA_FLAG_MAPPED))
412 {
413 /* If no policy mapping: matched if one child present */
414 if (node->nchild)
415 return 1;
416 if (!tree_add_unmatched(curr, cache, NULL, node, tree))
417 return 0;
418 /* Add it */
419 }
420 else
421 {
422 /* If mapping: matched if one child per expected policy set */
423 STACK_OF(ASN1_OBJECT) *expset = node->data->expected_policy_set;
424 if (node->nchild == sk_ASN1_OBJECT_num(expset))
425 return 1;
426 /* Locate unmatched nodes */
427 for (i = 0; i < sk_ASN1_OBJECT_num(expset); i++)
428 {
429 ASN1_OBJECT *oid = sk_ASN1_OBJECT_value(expset, i);
430 if (level_find_node(curr, node, oid))
431 continue;
432 if (!tree_add_unmatched(curr, cache, oid, node, tree))
433 return 0;
434 }
435
436 }
437
438 return 1;
439
440 }
441
442static int tree_link_any(X509_POLICY_LEVEL *curr,
443 const X509_POLICY_CACHE *cache,
444 X509_POLICY_TREE *tree)
445 {
446 int i;
447 /*X509_POLICY_DATA *data;*/
448 X509_POLICY_NODE *node;
449 X509_POLICY_LEVEL *last = curr - 1;
450
451 for (i = 0; i < sk_X509_POLICY_NODE_num(last->nodes); i++)
452 {
453 node = sk_X509_POLICY_NODE_value(last->nodes, i);
454
455 if (!tree_link_unmatched(curr, cache, node, tree))
456 return 0;
457
458#if 0
459
460 /* Skip any node with any children: we only want unmathced
461 * nodes.
462 *
463 * Note: need something better for policy mapping
464 * because each node may have multiple children
465 */
466 if (node->nchild)
467 continue;
468
469 /* Create a new node with qualifiers from anyPolicy and
470 * id from unmatched node.
471 */
472 data = policy_data_new(NULL, node->data->valid_policy,
473 node_critical(node));
474
475 if (data == NULL)
476 return 0;
477 /* Curr may not have anyPolicy */
478 data->qualifier_set = cache->anyPolicy->qualifier_set;
479 data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
480 if (!level_add_node(curr, data, node, tree))
481 {
482 policy_data_free(data);
483 return 0;
484 }
485
486#endif
487
488 }
489 /* Finally add link to anyPolicy */
490 if (last->anyPolicy)
491 {
492 if (!level_add_node(curr, cache->anyPolicy,
493 last->anyPolicy, NULL))
494 return 0;
495 }
496 return 1;
497 }
498
499/* Prune the tree: delete any child mapped child data on the current level
500 * then proceed up the tree deleting any data with no children. If we ever
501 * have no data on a level we can halt because the tree will be empty.
502 */
503
504static int tree_prune(X509_POLICY_TREE *tree, X509_POLICY_LEVEL *curr)
505 {
506 STACK_OF(X509_POLICY_NODE) *nodes;
507 X509_POLICY_NODE *node;
508 int i;
509 nodes = curr->nodes;
510 if (curr->flags & X509_V_FLAG_INHIBIT_MAP)
511 {
512 for (i = sk_X509_POLICY_NODE_num(nodes) - 1; i >= 0; i--)
513 {
514 node = sk_X509_POLICY_NODE_value(nodes, i);
515 /* Delete any mapped data: see RFC3280 XXXX */
516 if (node->data->flags & POLICY_DATA_FLAG_MAP_MASK)
517 {
518 node->parent->nchild--;
519 OPENSSL_free(node);
520 (void)sk_X509_POLICY_NODE_delete(nodes,i);
521 }
522 }
523 }
524
525 for(;;) {
526 --curr;
527 nodes = curr->nodes;
528 for (i = sk_X509_POLICY_NODE_num(nodes) - 1; i >= 0; i--)
529 {
530 node = sk_X509_POLICY_NODE_value(nodes, i);
531 if (node->nchild == 0)
532 {
533 node->parent->nchild--;
534 OPENSSL_free(node);
535 (void)sk_X509_POLICY_NODE_delete(nodes, i);
536 }
537 }
538 if (curr->anyPolicy && !curr->anyPolicy->nchild)
539 {
540 if (curr->anyPolicy->parent)
541 curr->anyPolicy->parent->nchild--;
542 OPENSSL_free(curr->anyPolicy);
543 curr->anyPolicy = NULL;
544 }
545 if (curr == tree->levels)
546 {
547 /* If we zapped anyPolicy at top then tree is empty */
548 if (!curr->anyPolicy)
549 return 2;
550 return 1;
551 }
552 }
553
554 return 1;
555
556 }
557
558static int tree_add_auth_node(STACK_OF(X509_POLICY_NODE) **pnodes,
559 X509_POLICY_NODE *pcy)
560 {
561 if (!*pnodes)
562 {
563 *pnodes = policy_node_cmp_new();
564 if (!*pnodes)
565 return 0;
566 }
567 else if (sk_X509_POLICY_NODE_find(*pnodes, pcy) != -1)
568 return 1;
569
570 if (!sk_X509_POLICY_NODE_push(*pnodes, pcy))
571 return 0;
572
573 return 1;
574
575 }
576
577/* Calculate the authority set based on policy tree.
578 * The 'pnodes' parameter is used as a store for the set of policy nodes
579 * used to calculate the user set. If the authority set is not anyPolicy
580 * then pnodes will just point to the authority set. If however the authority
581 * set is anyPolicy then the set of valid policies (other than anyPolicy)
582 * is store in pnodes. The return value of '2' is used in this case to indicate
583 * that pnodes should be freed.
584 */
585
586static int tree_calculate_authority_set(X509_POLICY_TREE *tree,
587 STACK_OF(X509_POLICY_NODE) **pnodes)
588 {
589 X509_POLICY_LEVEL *curr;
590 X509_POLICY_NODE *node, *anyptr;
591 STACK_OF(X509_POLICY_NODE) **addnodes;
592 int i, j;
593 curr = tree->levels + tree->nlevel - 1;
594
595 /* If last level contains anyPolicy set is anyPolicy */
596 if (curr->anyPolicy)
597 {
598 if (!tree_add_auth_node(&tree->auth_policies, curr->anyPolicy))
599 return 0;
600 addnodes = pnodes;
601 }
602 else
603 /* Add policies to authority set */
604 addnodes = &tree->auth_policies;
605
606 curr = tree->levels;
607 for (i = 1; i < tree->nlevel; i++)
608 {
609 /* If no anyPolicy node on this this level it can't
610 * appear on lower levels so end search.
611 */
612 if (!(anyptr = curr->anyPolicy))
613 break;
614 curr++;
615 for (j = 0; j < sk_X509_POLICY_NODE_num(curr->nodes); j++)
616 {
617 node = sk_X509_POLICY_NODE_value(curr->nodes, j);
618 if ((node->parent == anyptr)
619 && !tree_add_auth_node(addnodes, node))
620 return 0;
621 }
622 }
623
624 if (addnodes == pnodes)
625 return 2;
626
627 *pnodes = tree->auth_policies;
628
629 return 1;
630 }
631
632static int tree_calculate_user_set(X509_POLICY_TREE *tree,
633 STACK_OF(ASN1_OBJECT) *policy_oids,
634 STACK_OF(X509_POLICY_NODE) *auth_nodes)
635 {
636 int i;
637 X509_POLICY_NODE *node;
638 ASN1_OBJECT *oid;
639
640 X509_POLICY_NODE *anyPolicy;
641 X509_POLICY_DATA *extra;
642
643 /* Check if anyPolicy present in authority constrained policy set:
644 * this will happen if it is a leaf node.
645 */
646
647 if (sk_ASN1_OBJECT_num(policy_oids) <= 0)
648 return 1;
649
650 anyPolicy = tree->levels[tree->nlevel - 1].anyPolicy;
651
652 for (i = 0; i < sk_ASN1_OBJECT_num(policy_oids); i++)
653 {
654 oid = sk_ASN1_OBJECT_value(policy_oids, i);
655 if (OBJ_obj2nid(oid) == NID_any_policy)
656 {
657 tree->flags |= POLICY_FLAG_ANY_POLICY;
658 return 1;
659 }
660 }
661
662 for (i = 0; i < sk_ASN1_OBJECT_num(policy_oids); i++)
663 {
664 oid = sk_ASN1_OBJECT_value(policy_oids, i);
665 node = tree_find_sk(auth_nodes, oid);
666 if (!node)
667 {
668 if (!anyPolicy)
669 continue;
670 /* Create a new node with policy ID from user set
671 * and qualifiers from anyPolicy.
672 */
673 extra = policy_data_new(NULL, oid,
674 node_critical(anyPolicy));
675 if (!extra)
676 return 0;
677 extra->qualifier_set = anyPolicy->data->qualifier_set;
678 extra->flags = POLICY_DATA_FLAG_SHARED_QUALIFIERS
679 | POLICY_DATA_FLAG_EXTRA_NODE;
680 node = level_add_node(NULL, extra, anyPolicy->parent,
681 tree);
682 }
683 if (!tree->user_policies)
684 {
685 tree->user_policies = sk_X509_POLICY_NODE_new_null();
686 if (!tree->user_policies)
687 return 1;
688 }
689 if (!sk_X509_POLICY_NODE_push(tree->user_policies, node))
690 return 0;
691 }
692 return 1;
693
694 }
695
696static int tree_evaluate(X509_POLICY_TREE *tree)
697 {
698 int ret, i;
699 X509_POLICY_LEVEL *curr = tree->levels + 1;
700 const X509_POLICY_CACHE *cache;
701
702 for(i = 1; i < tree->nlevel; i++, curr++)
703 {
704 cache = policy_cache_set(curr->cert);
705 if (!tree_link_nodes(curr, cache))
706 return 0;
707
708 if (!(curr->flags & X509_V_FLAG_INHIBIT_ANY)
709 && !tree_link_any(curr, cache, tree))
710 return 0;
711 tree_print("before tree_prune()", tree, curr);
712 ret = tree_prune(tree, curr);
713 if (ret != 1)
714 return ret;
715 }
716
717 return 1;
718
719 }
720
721static void exnode_free(X509_POLICY_NODE *node)
722 {
723 if (node->data && (node->data->flags & POLICY_DATA_FLAG_EXTRA_NODE))
724 OPENSSL_free(node);
725 }
726
727
728void X509_policy_tree_free(X509_POLICY_TREE *tree)
729 {
730 X509_POLICY_LEVEL *curr;
731 int i;
732
733 if (!tree)
734 return;
735
736 sk_X509_POLICY_NODE_free(tree->auth_policies);
737 sk_X509_POLICY_NODE_pop_free(tree->user_policies, exnode_free);
738
739 for(i = 0, curr = tree->levels; i < tree->nlevel; i++, curr++)
740 {
741 if (curr->cert)
742 X509_free(curr->cert);
743 if (curr->nodes)
744 sk_X509_POLICY_NODE_pop_free(curr->nodes,
745 policy_node_free);
746 if (curr->anyPolicy)
747 policy_node_free(curr->anyPolicy);
748 }
749
750 if (tree->extra_data)
751 sk_X509_POLICY_DATA_pop_free(tree->extra_data,
752 policy_data_free);
753
754 OPENSSL_free(tree->levels);
755 OPENSSL_free(tree);
756
757 }
758
759/* Application policy checking function.
760 * Return codes:
761 * 0 Internal Error.
762 * 1 Successful.
763 * -1 One or more certificates contain invalid or inconsistent extensions
764 * -2 User constrained policy set empty and requireExplicit true.
765 */
766
767int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy,
768 STACK_OF(X509) *certs,
769 STACK_OF(ASN1_OBJECT) *policy_oids,
770 unsigned int flags)
771 {
772 int ret;
773 X509_POLICY_TREE *tree = NULL;
774 STACK_OF(X509_POLICY_NODE) *nodes, *auth_nodes = NULL;
775 *ptree = NULL;
776
777 *pexplicit_policy = 0;
778 ret = tree_init(&tree, certs, flags);
779
780 switch (ret)
781 {
782
783 /* Tree empty requireExplicit False: OK */
784 case 2:
785 return 1;
786
787 /* Some internal error */
788 case -1:
789 return -1;
790
791 /* Some internal error */
792 case 0:
793 return 0;
794
795 /* Tree empty requireExplicit True: Error */
796
797 case 6:
798 *pexplicit_policy = 1;
799 return -2;
800
801 /* Tree OK requireExplicit True: OK and continue */
802 case 5:
803 *pexplicit_policy = 1;
804 break;
805
806 /* Tree OK: continue */
807
808 case 1:
809 if (!tree)
810 /*
811 * tree_init() returns success and a null tree
812 * if it's just looking at a trust anchor.
813 * I'm not sure that returning success here is
814 * correct, but I'm sure that reporting this
815 * as an internal error which our caller
816 * interprets as a malloc failure is wrong.
817 */
818 return 1;
819 break;
820 }
821
822 if (!tree) goto error;
823 ret = tree_evaluate(tree);
824
825 tree_print("tree_evaluate()", tree, NULL);
826
827 if (ret <= 0)
828 goto error;
829
830 /* Return value 2 means tree empty */
831 if (ret == 2)
832 {
833 X509_policy_tree_free(tree);
834 if (*pexplicit_policy)
835 return -2;
836 else
837 return 1;
838 }
839
840 /* Tree is not empty: continue */
841
842 ret = tree_calculate_authority_set(tree, &auth_nodes);
843
844 if (!ret)
845 goto error;
846
847 if (!tree_calculate_user_set(tree, policy_oids, auth_nodes))
848 goto error;
849
850 if (ret == 2)
851 sk_X509_POLICY_NODE_free(auth_nodes);
852
853 if (tree)
854 *ptree = tree;
855
856 if (*pexplicit_policy)
857 {
858 nodes = X509_policy_tree_get0_user_policies(tree);
859 if (sk_X509_POLICY_NODE_num(nodes) <= 0)
860 return -2;
861 }
862
863 return 1;
864
865 error:
866
867 X509_policy_tree_free(tree);
868
869 return 0;
870
871 }
872
diff --git a/src/lib/libcrypto/x509v3/tabtest.c b/src/lib/libcrypto/x509v3/tabtest.c
deleted file mode 100644
index 5ed6eb6891..0000000000
--- a/src/lib/libcrypto/x509v3/tabtest.c
+++ /dev/null
@@ -1,88 +0,0 @@
1/* tabtest.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59/* Simple program to check the ext_dat.h is correct and print out
60 * problems if it is not.
61 */
62
63#include <stdio.h>
64
65#include <openssl/x509v3.h>
66
67#include "ext_dat.h"
68
69main()
70{
71 int i, prev = -1, bad = 0;
72 X509V3_EXT_METHOD **tmp;
73 i = sizeof(standard_exts) / sizeof(X509V3_EXT_METHOD *);
74 if(i != STANDARD_EXTENSION_COUNT)
75 fprintf(stderr, "Extension number invalid expecting %d\n", i);
76 tmp = standard_exts;
77 for(i = 0; i < STANDARD_EXTENSION_COUNT; i++, tmp++) {
78 if((*tmp)->ext_nid < prev) bad = 1;
79 prev = (*tmp)->ext_nid;
80
81 }
82 if(bad) {
83 tmp = standard_exts;
84 fprintf(stderr, "Extensions out of order!\n");
85 for(i = 0; i < STANDARD_EXTENSION_COUNT; i++, tmp++)
86 printf("%d : %s\n", (*tmp)->ext_nid, OBJ_nid2sn((*tmp)->ext_nid));
87 } else fprintf(stderr, "Order OK\n");
88}
diff --git a/src/lib/libcrypto/x509v3/v3_addr.c b/src/lib/libcrypto/x509v3/v3_addr.c
deleted file mode 100644
index df46a4983b..0000000000
--- a/src/lib/libcrypto/x509v3/v3_addr.c
+++ /dev/null
@@ -1,1338 +0,0 @@
1/*
2 * Contributed to the OpenSSL Project by the American Registry for
3 * Internet Numbers ("ARIN").
4 */
5/* ====================================================================
6 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 */
57
58/*
59 * Implementation of RFC 3779 section 2.2.
60 */
61
62#include <stdio.h>
63#include <stdlib.h>
64
65#include "cryptlib.h"
66#include <openssl/conf.h>
67#include <openssl/asn1.h>
68#include <openssl/asn1t.h>
69#include <openssl/buffer.h>
70#include <openssl/x509v3.h>
71
72#ifndef OPENSSL_NO_RFC3779
73
74/*
75 * OpenSSL ASN.1 template translation of RFC 3779 2.2.3.
76 */
77
78ASN1_SEQUENCE(IPAddressRange) = {
79 ASN1_SIMPLE(IPAddressRange, min, ASN1_BIT_STRING),
80 ASN1_SIMPLE(IPAddressRange, max, ASN1_BIT_STRING)
81} ASN1_SEQUENCE_END(IPAddressRange)
82
83ASN1_CHOICE(IPAddressOrRange) = {
84 ASN1_SIMPLE(IPAddressOrRange, u.addressPrefix, ASN1_BIT_STRING),
85 ASN1_SIMPLE(IPAddressOrRange, u.addressRange, IPAddressRange)
86} ASN1_CHOICE_END(IPAddressOrRange)
87
88ASN1_CHOICE(IPAddressChoice) = {
89 ASN1_SIMPLE(IPAddressChoice, u.inherit, ASN1_NULL),
90 ASN1_SEQUENCE_OF(IPAddressChoice, u.addressesOrRanges, IPAddressOrRange)
91} ASN1_CHOICE_END(IPAddressChoice)
92
93ASN1_SEQUENCE(IPAddressFamily) = {
94 ASN1_SIMPLE(IPAddressFamily, addressFamily, ASN1_OCTET_STRING),
95 ASN1_SIMPLE(IPAddressFamily, ipAddressChoice, IPAddressChoice)
96} ASN1_SEQUENCE_END(IPAddressFamily)
97
98ASN1_ITEM_TEMPLATE(IPAddrBlocks) =
99 ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0,
100 IPAddrBlocks, IPAddressFamily)
101ASN1_ITEM_TEMPLATE_END(IPAddrBlocks)
102
103IMPLEMENT_ASN1_FUNCTIONS(IPAddressRange)
104IMPLEMENT_ASN1_FUNCTIONS(IPAddressOrRange)
105IMPLEMENT_ASN1_FUNCTIONS(IPAddressChoice)
106IMPLEMENT_ASN1_FUNCTIONS(IPAddressFamily)
107
108/*
109 * How much buffer space do we need for a raw address?
110 */
111#define ADDR_RAW_BUF_LEN 16
112
113/*
114 * What's the address length associated with this AFI?
115 */
116static int length_from_afi(const unsigned afi)
117{
118 switch (afi) {
119 case IANA_AFI_IPV4:
120 return 4;
121 case IANA_AFI_IPV6:
122 return 16;
123 default:
124 return 0;
125 }
126}
127
128/*
129 * Extract the AFI from an IPAddressFamily.
130 */
131unsigned int v3_addr_get_afi(const IPAddressFamily *f)
132{
133 return ((f != NULL &&
134 f->addressFamily != NULL &&
135 f->addressFamily->data != NULL)
136 ? ((f->addressFamily->data[0] << 8) |
137 (f->addressFamily->data[1]))
138 : 0);
139}
140
141/*
142 * Expand the bitstring form of an address into a raw byte array.
143 * At the moment this is coded for simplicity, not speed.
144 */
145static int addr_expand(unsigned char *addr,
146 const ASN1_BIT_STRING *bs,
147 const int length,
148 const unsigned char fill)
149{
150 if (bs->length < 0 || bs->length > length)
151 return 0;
152 if (bs->length > 0) {
153 memcpy(addr, bs->data, bs->length);
154 if ((bs->flags & 7) != 0) {
155 unsigned char mask = 0xFF >> (8 - (bs->flags & 7));
156 if (fill == 0)
157 addr[bs->length - 1] &= ~mask;
158 else
159 addr[bs->length - 1] |= mask;
160 }
161 }
162 memset(addr + bs->length, fill, length - bs->length);
163 return 1;
164}
165
166/*
167 * Extract the prefix length from a bitstring.
168 */
169#define addr_prefixlen(bs) ((int) ((bs)->length * 8 - ((bs)->flags & 7)))
170
171/*
172 * i2r handler for one address bitstring.
173 */
174static int i2r_address(BIO *out,
175 const unsigned afi,
176 const unsigned char fill,
177 const ASN1_BIT_STRING *bs)
178{
179 unsigned char addr[ADDR_RAW_BUF_LEN];
180 int i, n;
181
182 if (bs->length < 0)
183 return 0;
184 switch (afi) {
185 case IANA_AFI_IPV4:
186 if (!addr_expand(addr, bs, 4, fill))
187 return 0;
188 BIO_printf(out, "%d.%d.%d.%d", addr[0], addr[1], addr[2], addr[3]);
189 break;
190 case IANA_AFI_IPV6:
191 if (!addr_expand(addr, bs, 16, fill))
192 return 0;
193 for (n = 16; n > 1 && addr[n-1] == 0x00 && addr[n-2] == 0x00; n -= 2)
194 ;
195 for (i = 0; i < n; i += 2)
196 BIO_printf(out, "%x%s", (addr[i] << 8) | addr[i+1], (i < 14 ? ":" : ""));
197 if (i < 16)
198 BIO_puts(out, ":");
199 if (i == 0)
200 BIO_puts(out, ":");
201 break;
202 default:
203 for (i = 0; i < bs->length; i++)
204 BIO_printf(out, "%s%02x", (i > 0 ? ":" : ""), bs->data[i]);
205 BIO_printf(out, "[%d]", (int) (bs->flags & 7));
206 break;
207 }
208 return 1;
209}
210
211/*
212 * i2r handler for a sequence of addresses and ranges.
213 */
214static int i2r_IPAddressOrRanges(BIO *out,
215 const int indent,
216 const IPAddressOrRanges *aors,
217 const unsigned afi)
218{
219 int i;
220 for (i = 0; i < sk_IPAddressOrRange_num(aors); i++) {
221 const IPAddressOrRange *aor = sk_IPAddressOrRange_value(aors, i);
222 BIO_printf(out, "%*s", indent, "");
223 switch (aor->type) {
224 case IPAddressOrRange_addressPrefix:
225 if (!i2r_address(out, afi, 0x00, aor->u.addressPrefix))
226 return 0;
227 BIO_printf(out, "/%d\n", addr_prefixlen(aor->u.addressPrefix));
228 continue;
229 case IPAddressOrRange_addressRange:
230 if (!i2r_address(out, afi, 0x00, aor->u.addressRange->min))
231 return 0;
232 BIO_puts(out, "-");
233 if (!i2r_address(out, afi, 0xFF, aor->u.addressRange->max))
234 return 0;
235 BIO_puts(out, "\n");
236 continue;
237 }
238 }
239 return 1;
240}
241
242/*
243 * i2r handler for an IPAddrBlocks extension.
244 */
245static int i2r_IPAddrBlocks(const X509V3_EXT_METHOD *method,
246 void *ext,
247 BIO *out,
248 int indent)
249{
250 const IPAddrBlocks *addr = ext;
251 int i;
252 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
253 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
254 const unsigned int afi = v3_addr_get_afi(f);
255 switch (afi) {
256 case IANA_AFI_IPV4:
257 BIO_printf(out, "%*sIPv4", indent, "");
258 break;
259 case IANA_AFI_IPV6:
260 BIO_printf(out, "%*sIPv6", indent, "");
261 break;
262 default:
263 BIO_printf(out, "%*sUnknown AFI %u", indent, "", afi);
264 break;
265 }
266 if (f->addressFamily->length > 2) {
267 switch (f->addressFamily->data[2]) {
268 case 1:
269 BIO_puts(out, " (Unicast)");
270 break;
271 case 2:
272 BIO_puts(out, " (Multicast)");
273 break;
274 case 3:
275 BIO_puts(out, " (Unicast/Multicast)");
276 break;
277 case 4:
278 BIO_puts(out, " (MPLS)");
279 break;
280 case 64:
281 BIO_puts(out, " (Tunnel)");
282 break;
283 case 65:
284 BIO_puts(out, " (VPLS)");
285 break;
286 case 66:
287 BIO_puts(out, " (BGP MDT)");
288 break;
289 case 128:
290 BIO_puts(out, " (MPLS-labeled VPN)");
291 break;
292 default:
293 BIO_printf(out, " (Unknown SAFI %u)",
294 (unsigned) f->addressFamily->data[2]);
295 break;
296 }
297 }
298 switch (f->ipAddressChoice->type) {
299 case IPAddressChoice_inherit:
300 BIO_puts(out, ": inherit\n");
301 break;
302 case IPAddressChoice_addressesOrRanges:
303 BIO_puts(out, ":\n");
304 if (!i2r_IPAddressOrRanges(out,
305 indent + 2,
306 f->ipAddressChoice->u.addressesOrRanges,
307 afi))
308 return 0;
309 break;
310 }
311 }
312 return 1;
313}
314
315/*
316 * Sort comparison function for a sequence of IPAddressOrRange
317 * elements.
318 *
319 * There's no sane answer we can give if addr_expand() fails, and an
320 * assertion failure on externally supplied data is seriously uncool,
321 * so we just arbitrarily declare that if given invalid inputs this
322 * function returns -1. If this messes up your preferred sort order
323 * for garbage input, tough noogies.
324 */
325static int IPAddressOrRange_cmp(const IPAddressOrRange *a,
326 const IPAddressOrRange *b,
327 const int length)
328{
329 unsigned char addr_a[ADDR_RAW_BUF_LEN], addr_b[ADDR_RAW_BUF_LEN];
330 int prefixlen_a = 0, prefixlen_b = 0;
331 int r;
332
333 switch (a->type) {
334 case IPAddressOrRange_addressPrefix:
335 if (!addr_expand(addr_a, a->u.addressPrefix, length, 0x00))
336 return -1;
337 prefixlen_a = addr_prefixlen(a->u.addressPrefix);
338 break;
339 case IPAddressOrRange_addressRange:
340 if (!addr_expand(addr_a, a->u.addressRange->min, length, 0x00))
341 return -1;
342 prefixlen_a = length * 8;
343 break;
344 }
345
346 switch (b->type) {
347 case IPAddressOrRange_addressPrefix:
348 if (!addr_expand(addr_b, b->u.addressPrefix, length, 0x00))
349 return -1;
350 prefixlen_b = addr_prefixlen(b->u.addressPrefix);
351 break;
352 case IPAddressOrRange_addressRange:
353 if (!addr_expand(addr_b, b->u.addressRange->min, length, 0x00))
354 return -1;
355 prefixlen_b = length * 8;
356 break;
357 }
358
359 if ((r = memcmp(addr_a, addr_b, length)) != 0)
360 return r;
361 else
362 return prefixlen_a - prefixlen_b;
363}
364
365/*
366 * IPv4-specific closure over IPAddressOrRange_cmp, since sk_sort()
367 * comparision routines are only allowed two arguments.
368 */
369static int v4IPAddressOrRange_cmp(const IPAddressOrRange * const *a,
370 const IPAddressOrRange * const *b)
371{
372 return IPAddressOrRange_cmp(*a, *b, 4);
373}
374
375/*
376 * IPv6-specific closure over IPAddressOrRange_cmp, since sk_sort()
377 * comparision routines are only allowed two arguments.
378 */
379static int v6IPAddressOrRange_cmp(const IPAddressOrRange * const *a,
380 const IPAddressOrRange * const *b)
381{
382 return IPAddressOrRange_cmp(*a, *b, 16);
383}
384
385/*
386 * Calculate whether a range collapses to a prefix.
387 * See last paragraph of RFC 3779 2.2.3.7.
388 */
389static int range_should_be_prefix(const unsigned char *min,
390 const unsigned char *max,
391 const int length)
392{
393 unsigned char mask;
394 int i, j;
395
396 OPENSSL_assert(memcmp(min, max, length) <= 0);
397 for (i = 0; i < length && min[i] == max[i]; i++)
398 ;
399 for (j = length - 1; j >= 0 && min[j] == 0x00 && max[j] == 0xFF; j--)
400 ;
401 if (i < j)
402 return -1;
403 if (i > j)
404 return i * 8;
405 mask = min[i] ^ max[i];
406 switch (mask) {
407 case 0x01: j = 7; break;
408 case 0x03: j = 6; break;
409 case 0x07: j = 5; break;
410 case 0x0F: j = 4; break;
411 case 0x1F: j = 3; break;
412 case 0x3F: j = 2; break;
413 case 0x7F: j = 1; break;
414 default: return -1;
415 }
416 if ((min[i] & mask) != 0 || (max[i] & mask) != mask)
417 return -1;
418 else
419 return i * 8 + j;
420}
421
422/*
423 * Construct a prefix.
424 */
425static int make_addressPrefix(IPAddressOrRange **result,
426 unsigned char *addr,
427 const int prefixlen)
428{
429 int bytelen = (prefixlen + 7) / 8, bitlen = prefixlen % 8;
430 IPAddressOrRange *aor = IPAddressOrRange_new();
431
432 if (aor == NULL)
433 return 0;
434 aor->type = IPAddressOrRange_addressPrefix;
435 if (aor->u.addressPrefix == NULL &&
436 (aor->u.addressPrefix = ASN1_BIT_STRING_new()) == NULL)
437 goto err;
438 if (!ASN1_BIT_STRING_set(aor->u.addressPrefix, addr, bytelen))
439 goto err;
440 aor->u.addressPrefix->flags &= ~7;
441 aor->u.addressPrefix->flags |= ASN1_STRING_FLAG_BITS_LEFT;
442 if (bitlen > 0) {
443 aor->u.addressPrefix->data[bytelen - 1] &= ~(0xFF >> bitlen);
444 aor->u.addressPrefix->flags |= 8 - bitlen;
445 }
446
447 *result = aor;
448 return 1;
449
450 err:
451 IPAddressOrRange_free(aor);
452 return 0;
453}
454
455/*
456 * Construct a range. If it can be expressed as a prefix,
457 * return a prefix instead. Doing this here simplifies
458 * the rest of the code considerably.
459 */
460static int make_addressRange(IPAddressOrRange **result,
461 unsigned char *min,
462 unsigned char *max,
463 const int length)
464{
465 IPAddressOrRange *aor;
466 int i, prefixlen;
467
468 if ((prefixlen = range_should_be_prefix(min, max, length)) >= 0)
469 return make_addressPrefix(result, min, prefixlen);
470
471 if ((aor = IPAddressOrRange_new()) == NULL)
472 return 0;
473 aor->type = IPAddressOrRange_addressRange;
474 OPENSSL_assert(aor->u.addressRange == NULL);
475 if ((aor->u.addressRange = IPAddressRange_new()) == NULL)
476 goto err;
477 if (aor->u.addressRange->min == NULL &&
478 (aor->u.addressRange->min = ASN1_BIT_STRING_new()) == NULL)
479 goto err;
480 if (aor->u.addressRange->max == NULL &&
481 (aor->u.addressRange->max = ASN1_BIT_STRING_new()) == NULL)
482 goto err;
483
484 for (i = length; i > 0 && min[i - 1] == 0x00; --i)
485 ;
486 if (!ASN1_BIT_STRING_set(aor->u.addressRange->min, min, i))
487 goto err;
488 aor->u.addressRange->min->flags &= ~7;
489 aor->u.addressRange->min->flags |= ASN1_STRING_FLAG_BITS_LEFT;
490 if (i > 0) {
491 unsigned char b = min[i - 1];
492 int j = 1;
493 while ((b & (0xFFU >> j)) != 0)
494 ++j;
495 aor->u.addressRange->min->flags |= 8 - j;
496 }
497
498 for (i = length; i > 0 && max[i - 1] == 0xFF; --i)
499 ;
500 if (!ASN1_BIT_STRING_set(aor->u.addressRange->max, max, i))
501 goto err;
502 aor->u.addressRange->max->flags &= ~7;
503 aor->u.addressRange->max->flags |= ASN1_STRING_FLAG_BITS_LEFT;
504 if (i > 0) {
505 unsigned char b = max[i - 1];
506 int j = 1;
507 while ((b & (0xFFU >> j)) != (0xFFU >> j))
508 ++j;
509 aor->u.addressRange->max->flags |= 8 - j;
510 }
511
512 *result = aor;
513 return 1;
514
515 err:
516 IPAddressOrRange_free(aor);
517 return 0;
518}
519
520/*
521 * Construct a new address family or find an existing one.
522 */
523static IPAddressFamily *make_IPAddressFamily(IPAddrBlocks *addr,
524 const unsigned afi,
525 const unsigned *safi)
526{
527 IPAddressFamily *f;
528 unsigned char key[3];
529 unsigned keylen;
530 int i;
531
532 key[0] = (afi >> 8) & 0xFF;
533 key[1] = afi & 0xFF;
534 if (safi != NULL) {
535 key[2] = *safi & 0xFF;
536 keylen = 3;
537 } else {
538 keylen = 2;
539 }
540
541 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
542 f = sk_IPAddressFamily_value(addr, i);
543 OPENSSL_assert(f->addressFamily->data != NULL);
544 if (f->addressFamily->length == keylen &&
545 !memcmp(f->addressFamily->data, key, keylen))
546 return f;
547 }
548
549 if ((f = IPAddressFamily_new()) == NULL)
550 goto err;
551 if (f->ipAddressChoice == NULL &&
552 (f->ipAddressChoice = IPAddressChoice_new()) == NULL)
553 goto err;
554 if (f->addressFamily == NULL &&
555 (f->addressFamily = ASN1_OCTET_STRING_new()) == NULL)
556 goto err;
557 if (!ASN1_OCTET_STRING_set(f->addressFamily, key, keylen))
558 goto err;
559 if (!sk_IPAddressFamily_push(addr, f))
560 goto err;
561
562 return f;
563
564 err:
565 IPAddressFamily_free(f);
566 return NULL;
567}
568
569/*
570 * Add an inheritance element.
571 */
572int v3_addr_add_inherit(IPAddrBlocks *addr,
573 const unsigned afi,
574 const unsigned *safi)
575{
576 IPAddressFamily *f = make_IPAddressFamily(addr, afi, safi);
577 if (f == NULL ||
578 f->ipAddressChoice == NULL ||
579 (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges &&
580 f->ipAddressChoice->u.addressesOrRanges != NULL))
581 return 0;
582 if (f->ipAddressChoice->type == IPAddressChoice_inherit &&
583 f->ipAddressChoice->u.inherit != NULL)
584 return 1;
585 if (f->ipAddressChoice->u.inherit == NULL &&
586 (f->ipAddressChoice->u.inherit = ASN1_NULL_new()) == NULL)
587 return 0;
588 f->ipAddressChoice->type = IPAddressChoice_inherit;
589 return 1;
590}
591
592/*
593 * Construct an IPAddressOrRange sequence, or return an existing one.
594 */
595static IPAddressOrRanges *make_prefix_or_range(IPAddrBlocks *addr,
596 const unsigned afi,
597 const unsigned *safi)
598{
599 IPAddressFamily *f = make_IPAddressFamily(addr, afi, safi);
600 IPAddressOrRanges *aors = NULL;
601
602 if (f == NULL ||
603 f->ipAddressChoice == NULL ||
604 (f->ipAddressChoice->type == IPAddressChoice_inherit &&
605 f->ipAddressChoice->u.inherit != NULL))
606 return NULL;
607 if (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges)
608 aors = f->ipAddressChoice->u.addressesOrRanges;
609 if (aors != NULL)
610 return aors;
611 if ((aors = sk_IPAddressOrRange_new_null()) == NULL)
612 return NULL;
613 switch (afi) {
614 case IANA_AFI_IPV4:
615 (void) sk_IPAddressOrRange_set_cmp_func(aors, v4IPAddressOrRange_cmp);
616 break;
617 case IANA_AFI_IPV6:
618 (void) sk_IPAddressOrRange_set_cmp_func(aors, v6IPAddressOrRange_cmp);
619 break;
620 }
621 f->ipAddressChoice->type = IPAddressChoice_addressesOrRanges;
622 f->ipAddressChoice->u.addressesOrRanges = aors;
623 return aors;
624}
625
626/*
627 * Add a prefix.
628 */
629int v3_addr_add_prefix(IPAddrBlocks *addr,
630 const unsigned afi,
631 const unsigned *safi,
632 unsigned char *a,
633 const int prefixlen)
634{
635 IPAddressOrRanges *aors = make_prefix_or_range(addr, afi, safi);
636 IPAddressOrRange *aor;
637 if (aors == NULL || !make_addressPrefix(&aor, a, prefixlen))
638 return 0;
639 if (sk_IPAddressOrRange_push(aors, aor))
640 return 1;
641 IPAddressOrRange_free(aor);
642 return 0;
643}
644
645/*
646 * Add a range.
647 */
648int v3_addr_add_range(IPAddrBlocks *addr,
649 const unsigned afi,
650 const unsigned *safi,
651 unsigned char *min,
652 unsigned char *max)
653{
654 IPAddressOrRanges *aors = make_prefix_or_range(addr, afi, safi);
655 IPAddressOrRange *aor;
656 int length = length_from_afi(afi);
657 if (aors == NULL)
658 return 0;
659 if (!make_addressRange(&aor, min, max, length))
660 return 0;
661 if (sk_IPAddressOrRange_push(aors, aor))
662 return 1;
663 IPAddressOrRange_free(aor);
664 return 0;
665}
666
667/*
668 * Extract min and max values from an IPAddressOrRange.
669 */
670static int extract_min_max(IPAddressOrRange *aor,
671 unsigned char *min,
672 unsigned char *max,
673 int length)
674{
675 if (aor == NULL || min == NULL || max == NULL)
676 return 0;
677 switch (aor->type) {
678 case IPAddressOrRange_addressPrefix:
679 return (addr_expand(min, aor->u.addressPrefix, length, 0x00) &&
680 addr_expand(max, aor->u.addressPrefix, length, 0xFF));
681 case IPAddressOrRange_addressRange:
682 return (addr_expand(min, aor->u.addressRange->min, length, 0x00) &&
683 addr_expand(max, aor->u.addressRange->max, length, 0xFF));
684 }
685 return 0;
686}
687
688/*
689 * Public wrapper for extract_min_max().
690 */
691int v3_addr_get_range(IPAddressOrRange *aor,
692 const unsigned afi,
693 unsigned char *min,
694 unsigned char *max,
695 const int length)
696{
697 int afi_length = length_from_afi(afi);
698 if (aor == NULL || min == NULL || max == NULL ||
699 afi_length == 0 || length < afi_length ||
700 (aor->type != IPAddressOrRange_addressPrefix &&
701 aor->type != IPAddressOrRange_addressRange) ||
702 !extract_min_max(aor, min, max, afi_length))
703 return 0;
704
705 return afi_length;
706}
707
708/*
709 * Sort comparision function for a sequence of IPAddressFamily.
710 *
711 * The last paragraph of RFC 3779 2.2.3.3 is slightly ambiguous about
712 * the ordering: I can read it as meaning that IPv6 without a SAFI
713 * comes before IPv4 with a SAFI, which seems pretty weird. The
714 * examples in appendix B suggest that the author intended the
715 * null-SAFI rule to apply only within a single AFI, which is what I
716 * would have expected and is what the following code implements.
717 */
718static int IPAddressFamily_cmp(const IPAddressFamily * const *a_,
719 const IPAddressFamily * const *b_)
720{
721 const ASN1_OCTET_STRING *a = (*a_)->addressFamily;
722 const ASN1_OCTET_STRING *b = (*b_)->addressFamily;
723 int len = ((a->length <= b->length) ? a->length : b->length);
724 int cmp = memcmp(a->data, b->data, len);
725 return cmp ? cmp : a->length - b->length;
726}
727
728/*
729 * Check whether an IPAddrBLocks is in canonical form.
730 */
731int v3_addr_is_canonical(IPAddrBlocks *addr)
732{
733 unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN];
734 unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN];
735 IPAddressOrRanges *aors;
736 int i, j, k;
737
738 /*
739 * Empty extension is cannonical.
740 */
741 if (addr == NULL)
742 return 1;
743
744 /*
745 * Check whether the top-level list is in order.
746 */
747 for (i = 0; i < sk_IPAddressFamily_num(addr) - 1; i++) {
748 const IPAddressFamily *a = sk_IPAddressFamily_value(addr, i);
749 const IPAddressFamily *b = sk_IPAddressFamily_value(addr, i + 1);
750 if (IPAddressFamily_cmp(&a, &b) >= 0)
751 return 0;
752 }
753
754 /*
755 * Top level's ok, now check each address family.
756 */
757 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
758 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
759 int length = length_from_afi(v3_addr_get_afi(f));
760
761 /*
762 * Inheritance is canonical. Anything other than inheritance or
763 * a SEQUENCE OF IPAddressOrRange is an ASN.1 error or something.
764 */
765 if (f == NULL || f->ipAddressChoice == NULL)
766 return 0;
767 switch (f->ipAddressChoice->type) {
768 case IPAddressChoice_inherit:
769 continue;
770 case IPAddressChoice_addressesOrRanges:
771 break;
772 default:
773 return 0;
774 }
775
776 /*
777 * It's an IPAddressOrRanges sequence, check it.
778 */
779 aors = f->ipAddressChoice->u.addressesOrRanges;
780 if (sk_IPAddressOrRange_num(aors) == 0)
781 return 0;
782 for (j = 0; j < sk_IPAddressOrRange_num(aors) - 1; j++) {
783 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);
784 IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, j + 1);
785
786 if (!extract_min_max(a, a_min, a_max, length) ||
787 !extract_min_max(b, b_min, b_max, length))
788 return 0;
789
790 /*
791 * Punt misordered list, overlapping start, or inverted range.
792 */
793 if (memcmp(a_min, b_min, length) >= 0 ||
794 memcmp(a_min, a_max, length) > 0 ||
795 memcmp(b_min, b_max, length) > 0)
796 return 0;
797
798 /*
799 * Punt if adjacent or overlapping. Check for adjacency by
800 * subtracting one from b_min first.
801 */
802 for (k = length - 1; k >= 0 && b_min[k]-- == 0x00; k--)
803 ;
804 if (memcmp(a_max, b_min, length) >= 0)
805 return 0;
806
807 /*
808 * Check for range that should be expressed as a prefix.
809 */
810 if (a->type == IPAddressOrRange_addressRange &&
811 range_should_be_prefix(a_min, a_max, length) >= 0)
812 return 0;
813 }
814
815 /*
816 * Check range to see if it's inverted or should be a
817 * prefix.
818 */
819 j = sk_IPAddressOrRange_num(aors) - 1;
820 {
821 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);
822 if (a != NULL && a->type == IPAddressOrRange_addressRange) {
823 if (!extract_min_max(a, a_min, a_max, length))
824 return 0;
825 if (memcmp(a_min, a_max, length) > 0 ||
826 range_should_be_prefix(a_min, a_max, length) >= 0)
827 return 0;
828 }
829 }
830 }
831
832 /*
833 * If we made it through all that, we're happy.
834 */
835 return 1;
836}
837
838/*
839 * Whack an IPAddressOrRanges into canonical form.
840 */
841static int IPAddressOrRanges_canonize(IPAddressOrRanges *aors,
842 const unsigned afi)
843{
844 int i, j, length = length_from_afi(afi);
845
846 /*
847 * Sort the IPAddressOrRanges sequence.
848 */
849 sk_IPAddressOrRange_sort(aors);
850
851 /*
852 * Clean up representation issues, punt on duplicates or overlaps.
853 */
854 for (i = 0; i < sk_IPAddressOrRange_num(aors) - 1; i++) {
855 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, i);
856 IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, i + 1);
857 unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN];
858 unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN];
859
860 if (!extract_min_max(a, a_min, a_max, length) ||
861 !extract_min_max(b, b_min, b_max, length))
862 return 0;
863
864 /*
865 * Punt inverted ranges.
866 */
867 if (memcmp(a_min, a_max, length) > 0 ||
868 memcmp(b_min, b_max, length) > 0)
869 return 0;
870
871 /*
872 * Punt overlaps.
873 */
874 if (memcmp(a_max, b_min, length) >= 0)
875 return 0;
876
877 /*
878 * Merge if a and b are adjacent. We check for
879 * adjacency by subtracting one from b_min first.
880 */
881 for (j = length - 1; j >= 0 && b_min[j]-- == 0x00; j--)
882 ;
883 if (memcmp(a_max, b_min, length) == 0) {
884 IPAddressOrRange *merged;
885 if (!make_addressRange(&merged, a_min, b_max, length))
886 return 0;
887 (void) sk_IPAddressOrRange_set(aors, i, merged);
888 (void) sk_IPAddressOrRange_delete(aors, i + 1);
889 IPAddressOrRange_free(a);
890 IPAddressOrRange_free(b);
891 --i;
892 continue;
893 }
894 }
895
896 /*
897 * Check for inverted final range.
898 */
899 j = sk_IPAddressOrRange_num(aors) - 1;
900 {
901 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);
902 if (a != NULL && a->type == IPAddressOrRange_addressRange) {
903 unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN];
904 extract_min_max(a, a_min, a_max, length);
905 if (memcmp(a_min, a_max, length) > 0)
906 return 0;
907 }
908 }
909
910 return 1;
911}
912
913/*
914 * Whack an IPAddrBlocks extension into canonical form.
915 */
916int v3_addr_canonize(IPAddrBlocks *addr)
917{
918 int i;
919 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
920 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
921 if (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges &&
922 !IPAddressOrRanges_canonize(f->ipAddressChoice->u.addressesOrRanges,
923 v3_addr_get_afi(f)))
924 return 0;
925 }
926 (void) sk_IPAddressFamily_set_cmp_func(addr, IPAddressFamily_cmp);
927 sk_IPAddressFamily_sort(addr);
928 OPENSSL_assert(v3_addr_is_canonical(addr));
929 return 1;
930}
931
932/*
933 * v2i handler for the IPAddrBlocks extension.
934 */
935static void *v2i_IPAddrBlocks(const struct v3_ext_method *method,
936 struct v3_ext_ctx *ctx,
937 STACK_OF(CONF_VALUE) *values)
938{
939 static const char v4addr_chars[] = "0123456789.";
940 static const char v6addr_chars[] = "0123456789.:abcdefABCDEF";
941 IPAddrBlocks *addr = NULL;
942 char *s = NULL, *t;
943 int i;
944
945 if ((addr = sk_IPAddressFamily_new(IPAddressFamily_cmp)) == NULL) {
946 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE);
947 return NULL;
948 }
949
950 for (i = 0; i < sk_CONF_VALUE_num(values); i++) {
951 CONF_VALUE *val = sk_CONF_VALUE_value(values, i);
952 unsigned char min[ADDR_RAW_BUF_LEN], max[ADDR_RAW_BUF_LEN];
953 unsigned afi, *safi = NULL, safi_;
954 const char *addr_chars;
955 int prefixlen, i1, i2, delim, length;
956
957 if ( !name_cmp(val->name, "IPv4")) {
958 afi = IANA_AFI_IPV4;
959 } else if (!name_cmp(val->name, "IPv6")) {
960 afi = IANA_AFI_IPV6;
961 } else if (!name_cmp(val->name, "IPv4-SAFI")) {
962 afi = IANA_AFI_IPV4;
963 safi = &safi_;
964 } else if (!name_cmp(val->name, "IPv6-SAFI")) {
965 afi = IANA_AFI_IPV6;
966 safi = &safi_;
967 } else {
968 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_EXTENSION_NAME_ERROR);
969 X509V3_conf_err(val);
970 goto err;
971 }
972
973 switch (afi) {
974 case IANA_AFI_IPV4:
975 addr_chars = v4addr_chars;
976 break;
977 case IANA_AFI_IPV6:
978 addr_chars = v6addr_chars;
979 break;
980 }
981
982 length = length_from_afi(afi);
983
984 /*
985 * Handle SAFI, if any, and BUF_strdup() so we can null-terminate
986 * the other input values.
987 */
988 if (safi != NULL) {
989 *safi = strtoul(val->value, &t, 0);
990 t += strspn(t, " \t");
991 if (*safi > 0xFF || *t++ != ':') {
992 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_INVALID_SAFI);
993 X509V3_conf_err(val);
994 goto err;
995 }
996 t += strspn(t, " \t");
997 s = BUF_strdup(t);
998 } else {
999 s = BUF_strdup(val->value);
1000 }
1001 if (s == NULL) {
1002 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE);
1003 goto err;
1004 }
1005
1006 /*
1007 * Check for inheritance. Not worth additional complexity to
1008 * optimize this (seldom-used) case.
1009 */
1010 if (!strcmp(s, "inherit")) {
1011 if (!v3_addr_add_inherit(addr, afi, safi)) {
1012 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_INVALID_INHERITANCE);
1013 X509V3_conf_err(val);
1014 goto err;
1015 }
1016 OPENSSL_free(s);
1017 s = NULL;
1018 continue;
1019 }
1020
1021 i1 = strspn(s, addr_chars);
1022 i2 = i1 + strspn(s + i1, " \t");
1023 delim = s[i2++];
1024 s[i1] = '\0';
1025
1026 if (a2i_ipadd(min, s) != length) {
1027 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_INVALID_IPADDRESS);
1028 X509V3_conf_err(val);
1029 goto err;
1030 }
1031
1032 switch (delim) {
1033 case '/':
1034 prefixlen = (int) strtoul(s + i2, &t, 10);
1035 if (t == s + i2 || *t != '\0') {
1036 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_EXTENSION_VALUE_ERROR);
1037 X509V3_conf_err(val);
1038 goto err;
1039 }
1040 if (!v3_addr_add_prefix(addr, afi, safi, min, prefixlen)) {
1041 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE);
1042 goto err;
1043 }
1044 break;
1045 case '-':
1046 i1 = i2 + strspn(s + i2, " \t");
1047 i2 = i1 + strspn(s + i1, addr_chars);
1048 if (i1 == i2 || s[i2] != '\0') {
1049 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_EXTENSION_VALUE_ERROR);
1050 X509V3_conf_err(val);
1051 goto err;
1052 }
1053 if (a2i_ipadd(max, s + i1) != length) {
1054 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_INVALID_IPADDRESS);
1055 X509V3_conf_err(val);
1056 goto err;
1057 }
1058 if (memcmp(min, max, length_from_afi(afi)) > 0) {
1059 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_EXTENSION_VALUE_ERROR);
1060 X509V3_conf_err(val);
1061 goto err;
1062 }
1063 if (!v3_addr_add_range(addr, afi, safi, min, max)) {
1064 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE);
1065 goto err;
1066 }
1067 break;
1068 case '\0':
1069 if (!v3_addr_add_prefix(addr, afi, safi, min, length * 8)) {
1070 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE);
1071 goto err;
1072 }
1073 break;
1074 default:
1075 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_EXTENSION_VALUE_ERROR);
1076 X509V3_conf_err(val);
1077 goto err;
1078 }
1079
1080 OPENSSL_free(s);
1081 s = NULL;
1082 }
1083
1084 /*
1085 * Canonize the result, then we're done.
1086 */
1087 if (!v3_addr_canonize(addr))
1088 goto err;
1089 return addr;
1090
1091 err:
1092 OPENSSL_free(s);
1093 sk_IPAddressFamily_pop_free(addr, IPAddressFamily_free);
1094 return NULL;
1095}
1096
1097/*
1098 * OpenSSL dispatch
1099 */
1100const X509V3_EXT_METHOD v3_addr = {
1101 NID_sbgp_ipAddrBlock, /* nid */
1102 0, /* flags */
1103 ASN1_ITEM_ref(IPAddrBlocks), /* template */
1104 0, 0, 0, 0, /* old functions, ignored */
1105 0, /* i2s */
1106 0, /* s2i */
1107 0, /* i2v */
1108 v2i_IPAddrBlocks, /* v2i */
1109 i2r_IPAddrBlocks, /* i2r */
1110 0, /* r2i */
1111 NULL /* extension-specific data */
1112};
1113
1114/*
1115 * Figure out whether extension sues inheritance.
1116 */
1117int v3_addr_inherits(IPAddrBlocks *addr)
1118{
1119 int i;
1120 if (addr == NULL)
1121 return 0;
1122 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
1123 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
1124 if (f->ipAddressChoice->type == IPAddressChoice_inherit)
1125 return 1;
1126 }
1127 return 0;
1128}
1129
1130/*
1131 * Figure out whether parent contains child.
1132 */
1133static int addr_contains(IPAddressOrRanges *parent,
1134 IPAddressOrRanges *child,
1135 int length)
1136{
1137 unsigned char p_min[ADDR_RAW_BUF_LEN], p_max[ADDR_RAW_BUF_LEN];
1138 unsigned char c_min[ADDR_RAW_BUF_LEN], c_max[ADDR_RAW_BUF_LEN];
1139 int p, c;
1140
1141 if (child == NULL || parent == child)
1142 return 1;
1143 if (parent == NULL)
1144 return 0;
1145
1146 p = 0;
1147 for (c = 0; c < sk_IPAddressOrRange_num(child); c++) {
1148 if (!extract_min_max(sk_IPAddressOrRange_value(child, c),
1149 c_min, c_max, length))
1150 return -1;
1151 for (;; p++) {
1152 if (p >= sk_IPAddressOrRange_num(parent))
1153 return 0;
1154 if (!extract_min_max(sk_IPAddressOrRange_value(parent, p),
1155 p_min, p_max, length))
1156 return 0;
1157 if (memcmp(p_max, c_max, length) < 0)
1158 continue;
1159 if (memcmp(p_min, c_min, length) > 0)
1160 return 0;
1161 break;
1162 }
1163 }
1164
1165 return 1;
1166}
1167
1168/*
1169 * Test whether a is a subset of b.
1170 */
1171int v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b)
1172{
1173 int i;
1174 if (a == NULL || a == b)
1175 return 1;
1176 if (b == NULL || v3_addr_inherits(a) || v3_addr_inherits(b))
1177 return 0;
1178 (void) sk_IPAddressFamily_set_cmp_func(b, IPAddressFamily_cmp);
1179 for (i = 0; i < sk_IPAddressFamily_num(a); i++) {
1180 IPAddressFamily *fa = sk_IPAddressFamily_value(a, i);
1181 int j = sk_IPAddressFamily_find(b, fa);
1182 IPAddressFamily *fb;
1183 fb = sk_IPAddressFamily_value(b, j);
1184 if (fb == NULL)
1185 return 0;
1186 if (!addr_contains(fb->ipAddressChoice->u.addressesOrRanges,
1187 fa->ipAddressChoice->u.addressesOrRanges,
1188 length_from_afi(v3_addr_get_afi(fb))))
1189 return 0;
1190 }
1191 return 1;
1192}
1193
1194/*
1195 * Validation error handling via callback.
1196 */
1197#define validation_err(_err_) \
1198 do { \
1199 if (ctx != NULL) { \
1200 ctx->error = _err_; \
1201 ctx->error_depth = i; \
1202 ctx->current_cert = x; \
1203 ret = ctx->verify_cb(0, ctx); \
1204 } else { \
1205 ret = 0; \
1206 } \
1207 if (!ret) \
1208 goto done; \
1209 } while (0)
1210
1211/*
1212 * Core code for RFC 3779 2.3 path validation.
1213 */
1214static int v3_addr_validate_path_internal(X509_STORE_CTX *ctx,
1215 STACK_OF(X509) *chain,
1216 IPAddrBlocks *ext)
1217{
1218 IPAddrBlocks *child = NULL;
1219 int i, j, ret = 1;
1220 X509 *x;
1221
1222 OPENSSL_assert(chain != NULL && sk_X509_num(chain) > 0);
1223 OPENSSL_assert(ctx != NULL || ext != NULL);
1224 OPENSSL_assert(ctx == NULL || ctx->verify_cb != NULL);
1225
1226 /*
1227 * Figure out where to start. If we don't have an extension to
1228 * check, we're done. Otherwise, check canonical form and
1229 * set up for walking up the chain.
1230 */
1231 if (ext != NULL) {
1232 i = -1;
1233 x = NULL;
1234 } else {
1235 i = 0;
1236 x = sk_X509_value(chain, i);
1237 OPENSSL_assert(x != NULL);
1238 if ((ext = x->rfc3779_addr) == NULL)
1239 goto done;
1240 }
1241 if (!v3_addr_is_canonical(ext))
1242 validation_err(X509_V_ERR_INVALID_EXTENSION);
1243 (void) sk_IPAddressFamily_set_cmp_func(ext, IPAddressFamily_cmp);
1244 if ((child = sk_IPAddressFamily_dup(ext)) == NULL) {
1245 X509V3err(X509V3_F_V3_ADDR_VALIDATE_PATH_INTERNAL, ERR_R_MALLOC_FAILURE);
1246 ret = 0;
1247 goto done;
1248 }
1249
1250 /*
1251 * Now walk up the chain. No cert may list resources that its
1252 * parent doesn't list.
1253 */
1254 for (i++; i < sk_X509_num(chain); i++) {
1255 x = sk_X509_value(chain, i);
1256 OPENSSL_assert(x != NULL);
1257 if (!v3_addr_is_canonical(x->rfc3779_addr))
1258 validation_err(X509_V_ERR_INVALID_EXTENSION);
1259 if (x->rfc3779_addr == NULL) {
1260 for (j = 0; j < sk_IPAddressFamily_num(child); j++) {
1261 IPAddressFamily *fc = sk_IPAddressFamily_value(child, j);
1262 if (fc->ipAddressChoice->type != IPAddressChoice_inherit) {
1263 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
1264 break;
1265 }
1266 }
1267 continue;
1268 }
1269 (void) sk_IPAddressFamily_set_cmp_func(x->rfc3779_addr, IPAddressFamily_cmp);
1270 for (j = 0; j < sk_IPAddressFamily_num(child); j++) {
1271 IPAddressFamily *fc = sk_IPAddressFamily_value(child, j);
1272 int k = sk_IPAddressFamily_find(x->rfc3779_addr, fc);
1273 IPAddressFamily *fp = sk_IPAddressFamily_value(x->rfc3779_addr, k);
1274 if (fp == NULL) {
1275 if (fc->ipAddressChoice->type == IPAddressChoice_addressesOrRanges) {
1276 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
1277 break;
1278 }
1279 continue;
1280 }
1281 if (fp->ipAddressChoice->type == IPAddressChoice_addressesOrRanges) {
1282 if (fc->ipAddressChoice->type == IPAddressChoice_inherit ||
1283 addr_contains(fp->ipAddressChoice->u.addressesOrRanges,
1284 fc->ipAddressChoice->u.addressesOrRanges,
1285 length_from_afi(v3_addr_get_afi(fc))))
1286 sk_IPAddressFamily_set(child, j, fp);
1287 else
1288 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
1289 }
1290 }
1291 }
1292
1293 /*
1294 * Trust anchor can't inherit.
1295 */
1296 OPENSSL_assert(x != NULL);
1297 if (x->rfc3779_addr != NULL) {
1298 for (j = 0; j < sk_IPAddressFamily_num(x->rfc3779_addr); j++) {
1299 IPAddressFamily *fp = sk_IPAddressFamily_value(x->rfc3779_addr, j);
1300 if (fp->ipAddressChoice->type == IPAddressChoice_inherit &&
1301 sk_IPAddressFamily_find(child, fp) >= 0)
1302 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
1303 }
1304 }
1305
1306 done:
1307 sk_IPAddressFamily_free(child);
1308 return ret;
1309}
1310
1311#undef validation_err
1312
1313/*
1314 * RFC 3779 2.3 path validation -- called from X509_verify_cert().
1315 */
1316int v3_addr_validate_path(X509_STORE_CTX *ctx)
1317{
1318 return v3_addr_validate_path_internal(ctx, ctx->chain, NULL);
1319}
1320
1321/*
1322 * RFC 3779 2.3 path validation of an extension.
1323 * Test whether chain covers extension.
1324 */
1325int v3_addr_validate_resource_set(STACK_OF(X509) *chain,
1326 IPAddrBlocks *ext,
1327 int allow_inheritance)
1328{
1329 if (ext == NULL)
1330 return 1;
1331 if (chain == NULL || sk_X509_num(chain) == 0)
1332 return 0;
1333 if (!allow_inheritance && v3_addr_inherits(ext))
1334 return 0;
1335 return v3_addr_validate_path_internal(NULL, chain, ext);
1336}
1337
1338#endif /* OPENSSL_NO_RFC3779 */
diff --git a/src/lib/libcrypto/x509v3/v3_akey.c b/src/lib/libcrypto/x509v3/v3_akey.c
deleted file mode 100644
index c6b68ee221..0000000000
--- a/src/lib/libcrypto/x509v3/v3_akey.c
+++ /dev/null
@@ -1,208 +0,0 @@
1/* v3_akey.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/conf.h>
62#include <openssl/asn1.h>
63#include <openssl/asn1t.h>
64#include <openssl/x509v3.h>
65
66static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
67 AUTHORITY_KEYID *akeyid, STACK_OF(CONF_VALUE) *extlist);
68static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
69 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values);
70
71const X509V3_EXT_METHOD v3_akey_id =
72 {
73 NID_authority_key_identifier,
74 X509V3_EXT_MULTILINE, ASN1_ITEM_ref(AUTHORITY_KEYID),
75 0,0,0,0,
76 0,0,
77 (X509V3_EXT_I2V)i2v_AUTHORITY_KEYID,
78 (X509V3_EXT_V2I)v2i_AUTHORITY_KEYID,
79 0,0,
80 NULL
81 };
82
83static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
84 AUTHORITY_KEYID *akeyid, STACK_OF(CONF_VALUE) *extlist)
85{
86 char *tmp;
87 if(akeyid->keyid) {
88 tmp = hex_to_string(akeyid->keyid->data, akeyid->keyid->length);
89 X509V3_add_value("keyid", tmp, &extlist);
90 OPENSSL_free(tmp);
91 }
92 if(akeyid->issuer)
93 extlist = i2v_GENERAL_NAMES(NULL, akeyid->issuer, extlist);
94 if(akeyid->serial) {
95 tmp = hex_to_string(akeyid->serial->data,
96 akeyid->serial->length);
97 X509V3_add_value("serial", tmp, &extlist);
98 OPENSSL_free(tmp);
99 }
100 return extlist;
101}
102
103/* Currently two options:
104 * keyid: use the issuers subject keyid, the value 'always' means its is
105 * an error if the issuer certificate doesn't have a key id.
106 * issuer: use the issuers cert issuer and serial number. The default is
107 * to only use this if keyid is not present. With the option 'always'
108 * this is always included.
109 */
110
111static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
112 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values)
113 {
114 char keyid=0, issuer=0;
115 int i;
116 CONF_VALUE *cnf;
117 ASN1_OCTET_STRING *ikeyid = NULL;
118 X509_NAME *isname = NULL;
119 GENERAL_NAMES * gens = NULL;
120 GENERAL_NAME *gen = NULL;
121 ASN1_INTEGER *serial = NULL;
122 X509_EXTENSION *ext;
123 X509 *cert;
124 AUTHORITY_KEYID *akeyid;
125
126 for(i = 0; i < sk_CONF_VALUE_num(values); i++)
127 {
128 cnf = sk_CONF_VALUE_value(values, i);
129 if(!strcmp(cnf->name, "keyid"))
130 {
131 keyid = 1;
132 if(cnf->value && !strcmp(cnf->value, "always"))
133 keyid = 2;
134 }
135 else if(!strcmp(cnf->name, "issuer"))
136 {
137 issuer = 1;
138 if(cnf->value && !strcmp(cnf->value, "always"))
139 issuer = 2;
140 }
141 else
142 {
143 X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,X509V3_R_UNKNOWN_OPTION);
144 ERR_add_error_data(2, "name=", cnf->name);
145 return NULL;
146 }
147 }
148
149 if(!ctx || !ctx->issuer_cert)
150 {
151 if(ctx && (ctx->flags==CTX_TEST))
152 return AUTHORITY_KEYID_new();
153 X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,X509V3_R_NO_ISSUER_CERTIFICATE);
154 return NULL;
155 }
156
157 cert = ctx->issuer_cert;
158
159 if(keyid)
160 {
161 i = X509_get_ext_by_NID(cert, NID_subject_key_identifier, -1);
162 if((i >= 0) && (ext = X509_get_ext(cert, i)))
163 ikeyid = X509V3_EXT_d2i(ext);
164 if(keyid==2 && !ikeyid)
165 {
166 X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,X509V3_R_UNABLE_TO_GET_ISSUER_KEYID);
167 return NULL;
168 }
169 }
170
171 if((issuer && !ikeyid) || (issuer == 2))
172 {
173 isname = X509_NAME_dup(X509_get_issuer_name(cert));
174 serial = M_ASN1_INTEGER_dup(X509_get_serialNumber(cert));
175 if(!isname || !serial)
176 {
177 X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS);
178 goto err;
179 }
180 }
181
182 if(!(akeyid = AUTHORITY_KEYID_new())) goto err;
183
184 if(isname)
185 {
186 if(!(gens = sk_GENERAL_NAME_new_null())
187 || !(gen = GENERAL_NAME_new())
188 || !sk_GENERAL_NAME_push(gens, gen))
189 {
190 X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,ERR_R_MALLOC_FAILURE);
191 goto err;
192 }
193 gen->type = GEN_DIRNAME;
194 gen->d.dirn = isname;
195 }
196
197 akeyid->issuer = gens;
198 akeyid->serial = serial;
199 akeyid->keyid = ikeyid;
200
201 return akeyid;
202
203 err:
204 X509_NAME_free(isname);
205 M_ASN1_INTEGER_free(serial);
206 M_ASN1_OCTET_STRING_free(ikeyid);
207 return NULL;
208 }
diff --git a/src/lib/libcrypto/x509v3/v3_akeya.c b/src/lib/libcrypto/x509v3/v3_akeya.c
deleted file mode 100644
index 2c50f7360e..0000000000
--- a/src/lib/libcrypto/x509v3/v3_akeya.c
+++ /dev/null
@@ -1,72 +0,0 @@
1/* v3_akey_asn1.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/conf.h>
62#include <openssl/asn1.h>
63#include <openssl/asn1t.h>
64#include <openssl/x509v3.h>
65
66ASN1_SEQUENCE(AUTHORITY_KEYID) = {
67 ASN1_IMP_OPT(AUTHORITY_KEYID, keyid, ASN1_OCTET_STRING, 0),
68 ASN1_IMP_SEQUENCE_OF_OPT(AUTHORITY_KEYID, issuer, GENERAL_NAME, 1),
69 ASN1_IMP_OPT(AUTHORITY_KEYID, serial, ASN1_INTEGER, 2)
70} ASN1_SEQUENCE_END(AUTHORITY_KEYID)
71
72IMPLEMENT_ASN1_FUNCTIONS(AUTHORITY_KEYID)
diff --git a/src/lib/libcrypto/x509v3/v3_alt.c b/src/lib/libcrypto/x509v3/v3_alt.c
deleted file mode 100644
index 91aefcddc1..0000000000
--- a/src/lib/libcrypto/x509v3/v3_alt.c
+++ /dev/null
@@ -1,614 +0,0 @@
1/* v3_alt.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project.
4 */
5/* ====================================================================
6 * Copyright (c) 1999-2003 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/conf.h>
62#include <openssl/x509v3.h>
63
64static GENERAL_NAMES *v2i_subject_alt(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
65static GENERAL_NAMES *v2i_issuer_alt(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
66static int copy_email(X509V3_CTX *ctx, GENERAL_NAMES *gens, int move_p);
67static int copy_issuer(X509V3_CTX *ctx, GENERAL_NAMES *gens);
68static int do_othername(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx);
69static int do_dirname(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx);
70
71const X509V3_EXT_METHOD v3_alt[] = {
72{ NID_subject_alt_name, 0, ASN1_ITEM_ref(GENERAL_NAMES),
730,0,0,0,
740,0,
75(X509V3_EXT_I2V)i2v_GENERAL_NAMES,
76(X509V3_EXT_V2I)v2i_subject_alt,
77NULL, NULL, NULL},
78
79{ NID_issuer_alt_name, 0, ASN1_ITEM_ref(GENERAL_NAMES),
800,0,0,0,
810,0,
82(X509V3_EXT_I2V)i2v_GENERAL_NAMES,
83(X509V3_EXT_V2I)v2i_issuer_alt,
84NULL, NULL, NULL},
85
86{ NID_certificate_issuer, 0, ASN1_ITEM_ref(GENERAL_NAMES),
870,0,0,0,
880,0,
89(X509V3_EXT_I2V)i2v_GENERAL_NAMES,
90NULL, NULL, NULL, NULL},
91};
92
93STACK_OF(CONF_VALUE) *i2v_GENERAL_NAMES(X509V3_EXT_METHOD *method,
94 GENERAL_NAMES *gens, STACK_OF(CONF_VALUE) *ret)
95{
96 int i;
97 GENERAL_NAME *gen;
98 for(i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
99 gen = sk_GENERAL_NAME_value(gens, i);
100 ret = i2v_GENERAL_NAME(method, gen, ret);
101 }
102 if(!ret) return sk_CONF_VALUE_new_null();
103 return ret;
104}
105
106STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(X509V3_EXT_METHOD *method,
107 GENERAL_NAME *gen, STACK_OF(CONF_VALUE) *ret)
108{
109 unsigned char *p;
110 char oline[256], htmp[5];
111 int i;
112 switch (gen->type)
113 {
114 case GEN_OTHERNAME:
115 X509V3_add_value("othername","<unsupported>", &ret);
116 break;
117
118 case GEN_X400:
119 X509V3_add_value("X400Name","<unsupported>", &ret);
120 break;
121
122 case GEN_EDIPARTY:
123 X509V3_add_value("EdiPartyName","<unsupported>", &ret);
124 break;
125
126 case GEN_EMAIL:
127 X509V3_add_value_uchar("email",gen->d.ia5->data, &ret);
128 break;
129
130 case GEN_DNS:
131 X509V3_add_value_uchar("DNS",gen->d.ia5->data, &ret);
132 break;
133
134 case GEN_URI:
135 X509V3_add_value_uchar("URI",gen->d.ia5->data, &ret);
136 break;
137
138 case GEN_DIRNAME:
139 X509_NAME_oneline(gen->d.dirn, oline, 256);
140 X509V3_add_value("DirName",oline, &ret);
141 break;
142
143 case GEN_IPADD:
144 p = gen->d.ip->data;
145 if(gen->d.ip->length == 4)
146 BIO_snprintf(oline, sizeof oline,
147 "%d.%d.%d.%d", p[0], p[1], p[2], p[3]);
148 else if(gen->d.ip->length == 16)
149 {
150 oline[0] = 0;
151 for (i = 0; i < 8; i++)
152 {
153 BIO_snprintf(htmp, sizeof htmp,
154 "%X", p[0] << 8 | p[1]);
155 p += 2;
156 strlcat(oline, htmp, sizeof(oline));
157 if (i != 7)
158 strlcat(oline, ":", sizeof(oline));
159 }
160 }
161 else
162 {
163 X509V3_add_value("IP Address","<invalid>", &ret);
164 break;
165 }
166 X509V3_add_value("IP Address",oline, &ret);
167 break;
168
169 case GEN_RID:
170 i2t_ASN1_OBJECT(oline, 256, gen->d.rid);
171 X509V3_add_value("Registered ID",oline, &ret);
172 break;
173 }
174 return ret;
175}
176
177int GENERAL_NAME_print(BIO *out, GENERAL_NAME *gen)
178{
179 unsigned char *p;
180 int i;
181 switch (gen->type)
182 {
183 case GEN_OTHERNAME:
184 BIO_printf(out, "othername:<unsupported>");
185 break;
186
187 case GEN_X400:
188 BIO_printf(out, "X400Name:<unsupported>");
189 break;
190
191 case GEN_EDIPARTY:
192 /* Maybe fix this: it is supported now */
193 BIO_printf(out, "EdiPartyName:<unsupported>");
194 break;
195
196 case GEN_EMAIL:
197 BIO_printf(out, "email:%s",gen->d.ia5->data);
198 break;
199
200 case GEN_DNS:
201 BIO_printf(out, "DNS:%s",gen->d.ia5->data);
202 break;
203
204 case GEN_URI:
205 BIO_printf(out, "URI:%s",gen->d.ia5->data);
206 break;
207
208 case GEN_DIRNAME:
209 BIO_printf(out, "DirName: ");
210 X509_NAME_print_ex(out, gen->d.dirn, 0, XN_FLAG_ONELINE);
211 break;
212
213 case GEN_IPADD:
214 p = gen->d.ip->data;
215 if(gen->d.ip->length == 4)
216 BIO_printf(out, "IP Address:%d.%d.%d.%d",
217 p[0], p[1], p[2], p[3]);
218 else if(gen->d.ip->length == 16)
219 {
220 BIO_printf(out, "IP Address");
221 for (i = 0; i < 8; i++)
222 {
223 BIO_printf(out, ":%X", p[0] << 8 | p[1]);
224 p += 2;
225 }
226 BIO_puts(out, "\n");
227 }
228 else
229 {
230 BIO_printf(out,"IP Address:<invalid>");
231 break;
232 }
233 break;
234
235 case GEN_RID:
236 BIO_printf(out, "Registered ID");
237 i2a_ASN1_OBJECT(out, gen->d.rid);
238 break;
239 }
240 return 1;
241}
242
243static GENERAL_NAMES *v2i_issuer_alt(X509V3_EXT_METHOD *method,
244 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
245{
246 GENERAL_NAMES *gens = NULL;
247 CONF_VALUE *cnf;
248 int i;
249 if(!(gens = sk_GENERAL_NAME_new_null())) {
250 X509V3err(X509V3_F_V2I_ISSUER_ALT,ERR_R_MALLOC_FAILURE);
251 return NULL;
252 }
253 for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
254 cnf = sk_CONF_VALUE_value(nval, i);
255 if(!name_cmp(cnf->name, "issuer") && cnf->value &&
256 !strcmp(cnf->value, "copy")) {
257 if(!copy_issuer(ctx, gens)) goto err;
258 } else {
259 GENERAL_NAME *gen;
260 if(!(gen = v2i_GENERAL_NAME(method, ctx, cnf)))
261 goto err;
262 sk_GENERAL_NAME_push(gens, gen);
263 }
264 }
265 return gens;
266 err:
267 sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
268 return NULL;
269}
270
271/* Append subject altname of issuer to issuer alt name of subject */
272
273static int copy_issuer(X509V3_CTX *ctx, GENERAL_NAMES *gens)
274{
275 GENERAL_NAMES *ialt;
276 GENERAL_NAME *gen;
277 X509_EXTENSION *ext;
278 int i;
279 if(ctx && (ctx->flags == CTX_TEST)) return 1;
280 if(!ctx || !ctx->issuer_cert) {
281 X509V3err(X509V3_F_COPY_ISSUER,X509V3_R_NO_ISSUER_DETAILS);
282 goto err;
283 }
284 i = X509_get_ext_by_NID(ctx->issuer_cert, NID_subject_alt_name, -1);
285 if(i < 0) return 1;
286 if(!(ext = X509_get_ext(ctx->issuer_cert, i)) ||
287 !(ialt = X509V3_EXT_d2i(ext)) ) {
288 X509V3err(X509V3_F_COPY_ISSUER,X509V3_R_ISSUER_DECODE_ERROR);
289 goto err;
290 }
291
292 for(i = 0; i < sk_GENERAL_NAME_num(ialt); i++) {
293 gen = sk_GENERAL_NAME_value(ialt, i);
294 if(!sk_GENERAL_NAME_push(gens, gen)) {
295 X509V3err(X509V3_F_COPY_ISSUER,ERR_R_MALLOC_FAILURE);
296 goto err;
297 }
298 }
299 sk_GENERAL_NAME_free(ialt);
300
301 return 1;
302
303 err:
304 return 0;
305
306}
307
308static GENERAL_NAMES *v2i_subject_alt(X509V3_EXT_METHOD *method,
309 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
310{
311 GENERAL_NAMES *gens = NULL;
312 CONF_VALUE *cnf;
313 int i;
314 if(!(gens = sk_GENERAL_NAME_new_null())) {
315 X509V3err(X509V3_F_V2I_SUBJECT_ALT,ERR_R_MALLOC_FAILURE);
316 return NULL;
317 }
318 for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
319 cnf = sk_CONF_VALUE_value(nval, i);
320 if(!name_cmp(cnf->name, "email") && cnf->value &&
321 !strcmp(cnf->value, "copy")) {
322 if(!copy_email(ctx, gens, 0)) goto err;
323 } else if(!name_cmp(cnf->name, "email") && cnf->value &&
324 !strcmp(cnf->value, "move")) {
325 if(!copy_email(ctx, gens, 1)) goto err;
326 } else {
327 GENERAL_NAME *gen;
328 if(!(gen = v2i_GENERAL_NAME(method, ctx, cnf)))
329 goto err;
330 sk_GENERAL_NAME_push(gens, gen);
331 }
332 }
333 return gens;
334 err:
335 sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
336 return NULL;
337}
338
339/* Copy any email addresses in a certificate or request to
340 * GENERAL_NAMES
341 */
342
343static int copy_email(X509V3_CTX *ctx, GENERAL_NAMES *gens, int move_p)
344{
345 X509_NAME *nm;
346 ASN1_IA5STRING *email = NULL;
347 X509_NAME_ENTRY *ne;
348 GENERAL_NAME *gen = NULL;
349 int i;
350 if(ctx != NULL && ctx->flags == CTX_TEST)
351 return 1;
352 if(!ctx || (!ctx->subject_cert && !ctx->subject_req)) {
353 X509V3err(X509V3_F_COPY_EMAIL,X509V3_R_NO_SUBJECT_DETAILS);
354 goto err;
355 }
356 /* Find the subject name */
357 if(ctx->subject_cert) nm = X509_get_subject_name(ctx->subject_cert);
358 else nm = X509_REQ_get_subject_name(ctx->subject_req);
359
360 /* Now add any email address(es) to STACK */
361 i = -1;
362 while((i = X509_NAME_get_index_by_NID(nm,
363 NID_pkcs9_emailAddress, i)) >= 0) {
364 ne = X509_NAME_get_entry(nm, i);
365 email = M_ASN1_IA5STRING_dup(X509_NAME_ENTRY_get_data(ne));
366 if (move_p)
367 {
368 X509_NAME_delete_entry(nm, i);
369 X509_NAME_ENTRY_free(ne);
370 i--;
371 }
372 if(!email || !(gen = GENERAL_NAME_new())) {
373 X509V3err(X509V3_F_COPY_EMAIL,ERR_R_MALLOC_FAILURE);
374 goto err;
375 }
376 gen->d.ia5 = email;
377 email = NULL;
378 gen->type = GEN_EMAIL;
379 if(!sk_GENERAL_NAME_push(gens, gen)) {
380 X509V3err(X509V3_F_COPY_EMAIL,ERR_R_MALLOC_FAILURE);
381 goto err;
382 }
383 gen = NULL;
384 }
385
386
387 return 1;
388
389 err:
390 GENERAL_NAME_free(gen);
391 M_ASN1_IA5STRING_free(email);
392 return 0;
393
394}
395
396GENERAL_NAMES *v2i_GENERAL_NAMES(const X509V3_EXT_METHOD *method,
397 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
398{
399 GENERAL_NAME *gen;
400 GENERAL_NAMES *gens = NULL;
401 CONF_VALUE *cnf;
402 int i;
403 if(!(gens = sk_GENERAL_NAME_new_null())) {
404 X509V3err(X509V3_F_V2I_GENERAL_NAMES,ERR_R_MALLOC_FAILURE);
405 return NULL;
406 }
407 for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
408 cnf = sk_CONF_VALUE_value(nval, i);
409 if(!(gen = v2i_GENERAL_NAME(method, ctx, cnf))) goto err;
410 sk_GENERAL_NAME_push(gens, gen);
411 }
412 return gens;
413 err:
414 sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
415 return NULL;
416}
417
418GENERAL_NAME *v2i_GENERAL_NAME(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
419 CONF_VALUE *cnf)
420 {
421 return v2i_GENERAL_NAME_ex(NULL, method, ctx, cnf, 0);
422 }
423
424GENERAL_NAME *a2i_GENERAL_NAME(GENERAL_NAME *out,
425 const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
426 int gen_type, char *value, int is_nc)
427 {
428 char is_string = 0;
429 GENERAL_NAME *gen = NULL;
430
431 if(!value)
432 {
433 X509V3err(X509V3_F_A2I_GENERAL_NAME,X509V3_R_MISSING_VALUE);
434 return NULL;
435 }
436
437 if (out)
438 gen = out;
439 else
440 {
441 gen = GENERAL_NAME_new();
442 if(gen == NULL)
443 {
444 X509V3err(X509V3_F_A2I_GENERAL_NAME,ERR_R_MALLOC_FAILURE);
445 return NULL;
446 }
447 }
448
449 switch (gen_type)
450 {
451 case GEN_URI:
452 case GEN_EMAIL:
453 case GEN_DNS:
454 is_string = 1;
455 break;
456
457 case GEN_RID:
458 {
459 ASN1_OBJECT *obj;
460 if(!(obj = OBJ_txt2obj(value,0)))
461 {
462 X509V3err(X509V3_F_A2I_GENERAL_NAME,X509V3_R_BAD_OBJECT);
463 ERR_add_error_data(2, "value=", value);
464 goto err;
465 }
466 gen->d.rid = obj;
467 }
468 break;
469
470 case GEN_IPADD:
471 if (is_nc)
472 gen->d.ip = a2i_IPADDRESS_NC(value);
473 else
474 gen->d.ip = a2i_IPADDRESS(value);
475 if(gen->d.ip == NULL)
476 {
477 X509V3err(X509V3_F_A2I_GENERAL_NAME,X509V3_R_BAD_IP_ADDRESS);
478 ERR_add_error_data(2, "value=", value);
479 goto err;
480 }
481 break;
482
483 case GEN_DIRNAME:
484 if (!do_dirname(gen, value, ctx))
485 {
486 X509V3err(X509V3_F_A2I_GENERAL_NAME,X509V3_R_DIRNAME_ERROR);
487 goto err;
488 }
489 break;
490
491 case GEN_OTHERNAME:
492 if (!do_othername(gen, value, ctx))
493 {
494 X509V3err(X509V3_F_A2I_GENERAL_NAME,X509V3_R_OTHERNAME_ERROR);
495 goto err;
496 }
497 break;
498 default:
499 X509V3err(X509V3_F_A2I_GENERAL_NAME,X509V3_R_UNSUPPORTED_TYPE);
500 goto err;
501 }
502
503 if(is_string)
504 {
505 if(!(gen->d.ia5 = M_ASN1_IA5STRING_new()) ||
506 !ASN1_STRING_set(gen->d.ia5, (unsigned char*)value,
507 strlen(value)))
508 {
509 X509V3err(X509V3_F_A2I_GENERAL_NAME,ERR_R_MALLOC_FAILURE);
510 goto err;
511 }
512 }
513
514 gen->type = gen_type;
515
516 return gen;
517
518 err:
519 if (!out)
520 GENERAL_NAME_free(gen);
521 return NULL;
522 }
523
524GENERAL_NAME *v2i_GENERAL_NAME_ex(GENERAL_NAME *out,
525 const X509V3_EXT_METHOD *method,
526 X509V3_CTX *ctx, CONF_VALUE *cnf, int is_nc)
527 {
528 int type;
529
530 char *name, *value;
531
532 name = cnf->name;
533 value = cnf->value;
534
535 if(!value)
536 {
537 X509V3err(X509V3_F_V2I_GENERAL_NAME_EX,X509V3_R_MISSING_VALUE);
538 return NULL;
539 }
540
541 if(!name_cmp(name, "email"))
542 type = GEN_EMAIL;
543 else if(!name_cmp(name, "URI"))
544 type = GEN_URI;
545 else if(!name_cmp(name, "DNS"))
546 type = GEN_DNS;
547 else if(!name_cmp(name, "RID"))
548 type = GEN_RID;
549 else if(!name_cmp(name, "IP"))
550 type = GEN_IPADD;
551 else if(!name_cmp(name, "dirName"))
552 type = GEN_DIRNAME;
553 else if(!name_cmp(name, "otherName"))
554 type = GEN_OTHERNAME;
555 else
556 {
557 X509V3err(X509V3_F_V2I_GENERAL_NAME_EX,X509V3_R_UNSUPPORTED_OPTION);
558 ERR_add_error_data(2, "name=", name);
559 return NULL;
560 }
561
562 return a2i_GENERAL_NAME(out, method, ctx, type, value, is_nc);
563
564 }
565
566static int do_othername(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx)
567 {
568 char *objtmp = NULL, *p;
569 int objlen;
570 if (!(p = strchr(value, ';')))
571 return 0;
572 if (!(gen->d.otherName = OTHERNAME_new()))
573 return 0;
574 /* Free this up because we will overwrite it.
575 * no need to free type_id because it is static
576 */
577 ASN1_TYPE_free(gen->d.otherName->value);
578 if (!(gen->d.otherName->value = ASN1_generate_v3(p + 1, ctx)))
579 return 0;
580 objlen = p - value;
581 objtmp = OPENSSL_malloc(objlen + 1);
582 strncpy(objtmp, value, objlen);
583 objtmp[objlen] = 0;
584 gen->d.otherName->type_id = OBJ_txt2obj(objtmp, 0);
585 OPENSSL_free(objtmp);
586 if (!gen->d.otherName->type_id)
587 return 0;
588 return 1;
589 }
590
591static int do_dirname(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx)
592 {
593 int ret;
594 STACK_OF(CONF_VALUE) *sk;
595 X509_NAME *nm;
596 if (!(nm = X509_NAME_new()))
597 return 0;
598 sk = X509V3_get_section(ctx, value);
599 if (!sk)
600 {
601 X509V3err(X509V3_F_DO_DIRNAME,X509V3_R_SECTION_NOT_FOUND);
602 ERR_add_error_data(2, "section=", value);
603 X509_NAME_free(nm);
604 return 0;
605 }
606 /* FIXME: should allow other character types... */
607 ret = X509V3_NAME_from_section(nm, sk, MBSTRING_ASC);
608 if (!ret)
609 X509_NAME_free(nm);
610 gen->d.dirn = nm;
611 X509V3_section_free(ctx, sk);
612
613 return ret;
614 }
diff --git a/src/lib/libcrypto/x509v3/v3_asid.c b/src/lib/libcrypto/x509v3/v3_asid.c
deleted file mode 100644
index 3f434c0603..0000000000
--- a/src/lib/libcrypto/x509v3/v3_asid.c
+++ /dev/null
@@ -1,843 +0,0 @@
1/*
2 * Contributed to the OpenSSL Project by the American Registry for
3 * Internet Numbers ("ARIN").
4 */
5/* ====================================================================
6 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 */
57
58/*
59 * Implementation of RFC 3779 section 3.2.
60 */
61
62#include <stdio.h>
63#include <string.h>
64#include "cryptlib.h"
65#include <openssl/conf.h>
66#include <openssl/asn1.h>
67#include <openssl/asn1t.h>
68#include <openssl/x509v3.h>
69#include <openssl/x509.h>
70#include <openssl/bn.h>
71
72#ifndef OPENSSL_NO_RFC3779
73
74/*
75 * OpenSSL ASN.1 template translation of RFC 3779 3.2.3.
76 */
77
78ASN1_SEQUENCE(ASRange) = {
79 ASN1_SIMPLE(ASRange, min, ASN1_INTEGER),
80 ASN1_SIMPLE(ASRange, max, ASN1_INTEGER)
81} ASN1_SEQUENCE_END(ASRange)
82
83ASN1_CHOICE(ASIdOrRange) = {
84 ASN1_SIMPLE(ASIdOrRange, u.id, ASN1_INTEGER),
85 ASN1_SIMPLE(ASIdOrRange, u.range, ASRange)
86} ASN1_CHOICE_END(ASIdOrRange)
87
88ASN1_CHOICE(ASIdentifierChoice) = {
89 ASN1_SIMPLE(ASIdentifierChoice, u.inherit, ASN1_NULL),
90 ASN1_SEQUENCE_OF(ASIdentifierChoice, u.asIdsOrRanges, ASIdOrRange)
91} ASN1_CHOICE_END(ASIdentifierChoice)
92
93ASN1_SEQUENCE(ASIdentifiers) = {
94 ASN1_EXP_OPT(ASIdentifiers, asnum, ASIdentifierChoice, 0),
95 ASN1_EXP_OPT(ASIdentifiers, rdi, ASIdentifierChoice, 1)
96} ASN1_SEQUENCE_END(ASIdentifiers)
97
98IMPLEMENT_ASN1_FUNCTIONS(ASRange)
99IMPLEMENT_ASN1_FUNCTIONS(ASIdOrRange)
100IMPLEMENT_ASN1_FUNCTIONS(ASIdentifierChoice)
101IMPLEMENT_ASN1_FUNCTIONS(ASIdentifiers)
102
103/*
104 * i2r method for an ASIdentifierChoice.
105 */
106static int i2r_ASIdentifierChoice(BIO *out,
107 ASIdentifierChoice *choice,
108 int indent,
109 const char *msg)
110{
111 int i;
112 char *s;
113 if (choice == NULL)
114 return 1;
115 BIO_printf(out, "%*s%s:\n", indent, "", msg);
116 switch (choice->type) {
117 case ASIdentifierChoice_inherit:
118 BIO_printf(out, "%*sinherit\n", indent + 2, "");
119 break;
120 case ASIdentifierChoice_asIdsOrRanges:
121 for (i = 0; i < sk_ASIdOrRange_num(choice->u.asIdsOrRanges); i++) {
122 ASIdOrRange *aor = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i);
123 switch (aor->type) {
124 case ASIdOrRange_id:
125 if ((s = i2s_ASN1_INTEGER(NULL, aor->u.id)) == NULL)
126 return 0;
127 BIO_printf(out, "%*s%s\n", indent + 2, "", s);
128 OPENSSL_free(s);
129 break;
130 case ASIdOrRange_range:
131 if ((s = i2s_ASN1_INTEGER(NULL, aor->u.range->min)) == NULL)
132 return 0;
133 BIO_printf(out, "%*s%s-", indent + 2, "", s);
134 OPENSSL_free(s);
135 if ((s = i2s_ASN1_INTEGER(NULL, aor->u.range->max)) == NULL)
136 return 0;
137 BIO_printf(out, "%s\n", s);
138 OPENSSL_free(s);
139 break;
140 default:
141 return 0;
142 }
143 }
144 break;
145 default:
146 return 0;
147 }
148 return 1;
149}
150
151/*
152 * i2r method for an ASIdentifier extension.
153 */
154static int i2r_ASIdentifiers(const X509V3_EXT_METHOD *method,
155 void *ext,
156 BIO *out,
157 int indent)
158{
159 ASIdentifiers *asid = ext;
160 return (i2r_ASIdentifierChoice(out, asid->asnum, indent,
161 "Autonomous System Numbers") &&
162 i2r_ASIdentifierChoice(out, asid->rdi, indent,
163 "Routing Domain Identifiers"));
164}
165
166/*
167 * Sort comparision function for a sequence of ASIdOrRange elements.
168 */
169static int ASIdOrRange_cmp(const ASIdOrRange * const *a_,
170 const ASIdOrRange * const *b_)
171{
172 const ASIdOrRange *a = *a_, *b = *b_;
173
174 OPENSSL_assert((a->type == ASIdOrRange_id && a->u.id != NULL) ||
175 (a->type == ASIdOrRange_range && a->u.range != NULL &&
176 a->u.range->min != NULL && a->u.range->max != NULL));
177
178 OPENSSL_assert((b->type == ASIdOrRange_id && b->u.id != NULL) ||
179 (b->type == ASIdOrRange_range && b->u.range != NULL &&
180 b->u.range->min != NULL && b->u.range->max != NULL));
181
182 if (a->type == ASIdOrRange_id && b->type == ASIdOrRange_id)
183 return ASN1_INTEGER_cmp(a->u.id, b->u.id);
184
185 if (a->type == ASIdOrRange_range && b->type == ASIdOrRange_range) {
186 int r = ASN1_INTEGER_cmp(a->u.range->min, b->u.range->min);
187 return r != 0 ? r : ASN1_INTEGER_cmp(a->u.range->max, b->u.range->max);
188 }
189
190 if (a->type == ASIdOrRange_id)
191 return ASN1_INTEGER_cmp(a->u.id, b->u.range->min);
192 else
193 return ASN1_INTEGER_cmp(a->u.range->min, b->u.id);
194}
195
196/*
197 * Add an inherit element.
198 */
199int v3_asid_add_inherit(ASIdentifiers *asid, int which)
200{
201 ASIdentifierChoice **choice;
202 if (asid == NULL)
203 return 0;
204 switch (which) {
205 case V3_ASID_ASNUM:
206 choice = &asid->asnum;
207 break;
208 case V3_ASID_RDI:
209 choice = &asid->rdi;
210 break;
211 default:
212 return 0;
213 }
214 if (*choice == NULL) {
215 if ((*choice = ASIdentifierChoice_new()) == NULL)
216 return 0;
217 OPENSSL_assert((*choice)->u.inherit == NULL);
218 if (((*choice)->u.inherit = ASN1_NULL_new()) == NULL)
219 return 0;
220 (*choice)->type = ASIdentifierChoice_inherit;
221 }
222 return (*choice)->type == ASIdentifierChoice_inherit;
223}
224
225/*
226 * Add an ID or range to an ASIdentifierChoice.
227 */
228int v3_asid_add_id_or_range(ASIdentifiers *asid,
229 int which,
230 ASN1_INTEGER *min,
231 ASN1_INTEGER *max)
232{
233 ASIdentifierChoice **choice;
234 ASIdOrRange *aor;
235 if (asid == NULL)
236 return 0;
237 switch (which) {
238 case V3_ASID_ASNUM:
239 choice = &asid->asnum;
240 break;
241 case V3_ASID_RDI:
242 choice = &asid->rdi;
243 break;
244 default:
245 return 0;
246 }
247 if (*choice != NULL && (*choice)->type == ASIdentifierChoice_inherit)
248 return 0;
249 if (*choice == NULL) {
250 if ((*choice = ASIdentifierChoice_new()) == NULL)
251 return 0;
252 OPENSSL_assert((*choice)->u.asIdsOrRanges == NULL);
253 (*choice)->u.asIdsOrRanges = sk_ASIdOrRange_new(ASIdOrRange_cmp);
254 if ((*choice)->u.asIdsOrRanges == NULL)
255 return 0;
256 (*choice)->type = ASIdentifierChoice_asIdsOrRanges;
257 }
258 if ((aor = ASIdOrRange_new()) == NULL)
259 return 0;
260 if (max == NULL) {
261 aor->type = ASIdOrRange_id;
262 aor->u.id = min;
263 } else {
264 aor->type = ASIdOrRange_range;
265 if ((aor->u.range = ASRange_new()) == NULL)
266 goto err;
267 ASN1_INTEGER_free(aor->u.range->min);
268 aor->u.range->min = min;
269 ASN1_INTEGER_free(aor->u.range->max);
270 aor->u.range->max = max;
271 }
272 if (!(sk_ASIdOrRange_push((*choice)->u.asIdsOrRanges, aor)))
273 goto err;
274 return 1;
275
276 err:
277 ASIdOrRange_free(aor);
278 return 0;
279}
280
281/*
282 * Extract min and max values from an ASIdOrRange.
283 */
284static void extract_min_max(ASIdOrRange *aor,
285 ASN1_INTEGER **min,
286 ASN1_INTEGER **max)
287{
288 OPENSSL_assert(aor != NULL && min != NULL && max != NULL);
289 switch (aor->type) {
290 case ASIdOrRange_id:
291 *min = aor->u.id;
292 *max = aor->u.id;
293 return;
294 case ASIdOrRange_range:
295 *min = aor->u.range->min;
296 *max = aor->u.range->max;
297 return;
298 }
299}
300
301/*
302 * Check whether an ASIdentifierChoice is in canonical form.
303 */
304static int ASIdentifierChoice_is_canonical(ASIdentifierChoice *choice)
305{
306 ASN1_INTEGER *a_max_plus_one = NULL;
307 BIGNUM *bn = NULL;
308 int i, ret = 0;
309
310 /*
311 * Empty element or inheritance is canonical.
312 */
313 if (choice == NULL || choice->type == ASIdentifierChoice_inherit)
314 return 1;
315
316 /*
317 * If not a list, or if empty list, it's broken.
318 */
319 if (choice->type != ASIdentifierChoice_asIdsOrRanges ||
320 sk_ASIdOrRange_num(choice->u.asIdsOrRanges) == 0)
321 return 0;
322
323 /*
324 * It's a list, check it.
325 */
326 for (i = 0; i < sk_ASIdOrRange_num(choice->u.asIdsOrRanges) - 1; i++) {
327 ASIdOrRange *a = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i);
328 ASIdOrRange *b = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i + 1);
329 ASN1_INTEGER *a_min, *a_max, *b_min, *b_max;
330
331 extract_min_max(a, &a_min, &a_max);
332 extract_min_max(b, &b_min, &b_max);
333
334 /*
335 * Punt misordered list, overlapping start, or inverted range.
336 */
337 if (ASN1_INTEGER_cmp(a_min, b_min) >= 0 ||
338 ASN1_INTEGER_cmp(a_min, a_max) > 0 ||
339 ASN1_INTEGER_cmp(b_min, b_max) > 0)
340 goto done;
341
342 /*
343 * Calculate a_max + 1 to check for adjacency.
344 */
345 if ((bn == NULL && (bn = BN_new()) == NULL) ||
346 ASN1_INTEGER_to_BN(a_max, bn) == NULL ||
347 !BN_add_word(bn, 1) ||
348 (a_max_plus_one = BN_to_ASN1_INTEGER(bn, a_max_plus_one)) == NULL) {
349 X509V3err(X509V3_F_ASIDENTIFIERCHOICE_IS_CANONICAL,
350 ERR_R_MALLOC_FAILURE);
351 goto done;
352 }
353
354 /*
355 * Punt if adjacent or overlapping.
356 */
357 if (ASN1_INTEGER_cmp(a_max_plus_one, b_min) >= 0)
358 goto done;
359 }
360
361 ret = 1;
362
363 done:
364 ASN1_INTEGER_free(a_max_plus_one);
365 BN_free(bn);
366 return ret;
367}
368
369/*
370 * Check whether an ASIdentifier extension is in canonical form.
371 */
372int v3_asid_is_canonical(ASIdentifiers *asid)
373{
374 return (asid == NULL ||
375 (ASIdentifierChoice_is_canonical(asid->asnum) &&
376 ASIdentifierChoice_is_canonical(asid->rdi)));
377}
378
379/*
380 * Whack an ASIdentifierChoice into canonical form.
381 */
382static int ASIdentifierChoice_canonize(ASIdentifierChoice *choice)
383{
384 ASN1_INTEGER *a_max_plus_one = NULL;
385 BIGNUM *bn = NULL;
386 int i, ret = 0;
387
388 /*
389 * Nothing to do for empty element or inheritance.
390 */
391 if (choice == NULL || choice->type == ASIdentifierChoice_inherit)
392 return 1;
393
394 /*
395 * We have a list. Sort it.
396 */
397 OPENSSL_assert(choice->type == ASIdentifierChoice_asIdsOrRanges);
398 sk_ASIdOrRange_sort(choice->u.asIdsOrRanges);
399
400 /*
401 * Now check for errors and suboptimal encoding, rejecting the
402 * former and fixing the latter.
403 */
404 for (i = 0; i < sk_ASIdOrRange_num(choice->u.asIdsOrRanges) - 1; i++) {
405 ASIdOrRange *a = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i);
406 ASIdOrRange *b = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i + 1);
407 ASN1_INTEGER *a_min, *a_max, *b_min, *b_max;
408
409 extract_min_max(a, &a_min, &a_max);
410 extract_min_max(b, &b_min, &b_max);
411
412 /*
413 * Make sure we're properly sorted (paranoia).
414 */
415 OPENSSL_assert(ASN1_INTEGER_cmp(a_min, b_min) <= 0);
416
417 /*
418 * Check for overlaps.
419 */
420 if (ASN1_INTEGER_cmp(a_max, b_min) >= 0) {
421 X509V3err(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE,
422 X509V3_R_EXTENSION_VALUE_ERROR);
423 goto done;
424 }
425
426 /*
427 * Calculate a_max + 1 to check for adjacency.
428 */
429 if ((bn == NULL && (bn = BN_new()) == NULL) ||
430 ASN1_INTEGER_to_BN(a_max, bn) == NULL ||
431 !BN_add_word(bn, 1) ||
432 (a_max_plus_one = BN_to_ASN1_INTEGER(bn, a_max_plus_one)) == NULL) {
433 X509V3err(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE, ERR_R_MALLOC_FAILURE);
434 goto done;
435 }
436
437 /*
438 * If a and b are adjacent, merge them.
439 */
440 if (ASN1_INTEGER_cmp(a_max_plus_one, b_min) == 0) {
441 ASRange *r;
442 switch (a->type) {
443 case ASIdOrRange_id:
444 if ((r = OPENSSL_malloc(sizeof(ASRange))) == NULL) {
445 X509V3err(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE,
446 ERR_R_MALLOC_FAILURE);
447 goto done;
448 }
449 r->min = a_min;
450 r->max = b_max;
451 a->type = ASIdOrRange_range;
452 a->u.range = r;
453 break;
454 case ASIdOrRange_range:
455 ASN1_INTEGER_free(a->u.range->max);
456 a->u.range->max = b_max;
457 break;
458 }
459 switch (b->type) {
460 case ASIdOrRange_id:
461 b->u.id = NULL;
462 break;
463 case ASIdOrRange_range:
464 b->u.range->max = NULL;
465 break;
466 }
467 ASIdOrRange_free(b);
468 sk_ASIdOrRange_delete(choice->u.asIdsOrRanges, i + 1);
469 i--;
470 continue;
471 }
472 }
473
474 OPENSSL_assert(ASIdentifierChoice_is_canonical(choice)); /* Paranoia */
475
476 ret = 1;
477
478 done:
479 ASN1_INTEGER_free(a_max_plus_one);
480 BN_free(bn);
481 return ret;
482}
483
484/*
485 * Whack an ASIdentifier extension into canonical form.
486 */
487int v3_asid_canonize(ASIdentifiers *asid)
488{
489 return (asid == NULL ||
490 (ASIdentifierChoice_canonize(asid->asnum) &&
491 ASIdentifierChoice_canonize(asid->rdi)));
492}
493
494/*
495 * v2i method for an ASIdentifier extension.
496 */
497static void *v2i_ASIdentifiers(const struct v3_ext_method *method,
498 struct v3_ext_ctx *ctx,
499 STACK_OF(CONF_VALUE) *values)
500{
501 ASIdentifiers *asid = NULL;
502 int i;
503
504 if ((asid = ASIdentifiers_new()) == NULL) {
505 X509V3err(X509V3_F_V2I_ASIDENTIFIERS, ERR_R_MALLOC_FAILURE);
506 return NULL;
507 }
508
509 for (i = 0; i < sk_CONF_VALUE_num(values); i++) {
510 CONF_VALUE *val = sk_CONF_VALUE_value(values, i);
511 ASN1_INTEGER *min = NULL, *max = NULL;
512 int i1, i2, i3, is_range, which;
513
514 /*
515 * Figure out whether this is an AS or an RDI.
516 */
517 if ( !name_cmp(val->name, "AS")) {
518 which = V3_ASID_ASNUM;
519 } else if (!name_cmp(val->name, "RDI")) {
520 which = V3_ASID_RDI;
521 } else {
522 X509V3err(X509V3_F_V2I_ASIDENTIFIERS, X509V3_R_EXTENSION_NAME_ERROR);
523 X509V3_conf_err(val);
524 goto err;
525 }
526
527 /*
528 * Handle inheritance.
529 */
530 if (!strcmp(val->value, "inherit")) {
531 if (v3_asid_add_inherit(asid, which))
532 continue;
533 X509V3err(X509V3_F_V2I_ASIDENTIFIERS, X509V3_R_INVALID_INHERITANCE);
534 X509V3_conf_err(val);
535 goto err;
536 }
537
538 /*
539 * Number, range, or mistake, pick it apart and figure out which.
540 */
541 i1 = strspn(val->value, "0123456789");
542 if (val->value[i1] == '\0') {
543 is_range = 0;
544 } else {
545 is_range = 1;
546 i2 = i1 + strspn(val->value + i1, " \t");
547 if (val->value[i2] != '-') {
548 X509V3err(X509V3_F_V2I_ASIDENTIFIERS, X509V3_R_INVALID_ASNUMBER);
549 X509V3_conf_err(val);
550 goto err;
551 }
552 i2++;
553 i2 = i2 + strspn(val->value + i2, " \t");
554 i3 = i2 + strspn(val->value + i2, "0123456789");
555 if (val->value[i3] != '\0') {
556 X509V3err(X509V3_F_V2I_ASIDENTIFIERS, X509V3_R_INVALID_ASRANGE);
557 X509V3_conf_err(val);
558 goto err;
559 }
560 }
561
562 /*
563 * Syntax is ok, read and add it.
564 */
565 if (!is_range) {
566 if (!X509V3_get_value_int(val, &min)) {
567 X509V3err(X509V3_F_V2I_ASIDENTIFIERS, ERR_R_MALLOC_FAILURE);
568 goto err;
569 }
570 } else {
571 char *s = BUF_strdup(val->value);
572 if (s == NULL) {
573 X509V3err(X509V3_F_V2I_ASIDENTIFIERS, ERR_R_MALLOC_FAILURE);
574 goto err;
575 }
576 s[i1] = '\0';
577 min = s2i_ASN1_INTEGER(NULL, s);
578 max = s2i_ASN1_INTEGER(NULL, s + i2);
579 OPENSSL_free(s);
580 if (min == NULL || max == NULL) {
581 ASN1_INTEGER_free(min);
582 ASN1_INTEGER_free(max);
583 X509V3err(X509V3_F_V2I_ASIDENTIFIERS, ERR_R_MALLOC_FAILURE);
584 goto err;
585 }
586 }
587 if (!v3_asid_add_id_or_range(asid, which, min, max)) {
588 ASN1_INTEGER_free(min);
589 ASN1_INTEGER_free(max);
590 X509V3err(X509V3_F_V2I_ASIDENTIFIERS, ERR_R_MALLOC_FAILURE);
591 goto err;
592 }
593 }
594
595 /*
596 * Canonize the result, then we're done.
597 */
598 if (!v3_asid_canonize(asid))
599 goto err;
600 return asid;
601
602 err:
603 ASIdentifiers_free(asid);
604 return NULL;
605}
606
607/*
608 * OpenSSL dispatch.
609 */
610const X509V3_EXT_METHOD v3_asid = {
611 NID_sbgp_autonomousSysNum, /* nid */
612 0, /* flags */
613 ASN1_ITEM_ref(ASIdentifiers), /* template */
614 0, 0, 0, 0, /* old functions, ignored */
615 0, /* i2s */
616 0, /* s2i */
617 0, /* i2v */
618 v2i_ASIdentifiers, /* v2i */
619 i2r_ASIdentifiers, /* i2r */
620 0, /* r2i */
621 NULL /* extension-specific data */
622};
623
624/*
625 * Figure out whether extension uses inheritance.
626 */
627int v3_asid_inherits(ASIdentifiers *asid)
628{
629 return (asid != NULL &&
630 ((asid->asnum != NULL &&
631 asid->asnum->type == ASIdentifierChoice_inherit) ||
632 (asid->rdi != NULL &&
633 asid->rdi->type == ASIdentifierChoice_inherit)));
634}
635
636/*
637 * Figure out whether parent contains child.
638 */
639static int asid_contains(ASIdOrRanges *parent, ASIdOrRanges *child)
640{
641 ASN1_INTEGER *p_min, *p_max, *c_min, *c_max;
642 int p, c;
643
644 if (child == NULL || parent == child)
645 return 1;
646 if (parent == NULL)
647 return 0;
648
649 p = 0;
650 for (c = 0; c < sk_ASIdOrRange_num(child); c++) {
651 extract_min_max(sk_ASIdOrRange_value(child, c), &c_min, &c_max);
652 for (;; p++) {
653 if (p >= sk_ASIdOrRange_num(parent))
654 return 0;
655 extract_min_max(sk_ASIdOrRange_value(parent, p), &p_min, &p_max);
656 if (ASN1_INTEGER_cmp(p_max, c_max) < 0)
657 continue;
658 if (ASN1_INTEGER_cmp(p_min, c_min) > 0)
659 return 0;
660 break;
661 }
662 }
663
664 return 1;
665}
666
667/*
668 * Test whether a is a subet of b.
669 */
670int v3_asid_subset(ASIdentifiers *a, ASIdentifiers *b)
671{
672 return (a == NULL ||
673 a == b ||
674 (b != NULL &&
675 !v3_asid_inherits(a) &&
676 !v3_asid_inherits(b) &&
677 asid_contains(b->asnum->u.asIdsOrRanges,
678 a->asnum->u.asIdsOrRanges) &&
679 asid_contains(b->rdi->u.asIdsOrRanges,
680 a->rdi->u.asIdsOrRanges)));
681}
682
683/*
684 * Validation error handling via callback.
685 */
686#define validation_err(_err_) \
687 do { \
688 if (ctx != NULL) { \
689 ctx->error = _err_; \
690 ctx->error_depth = i; \
691 ctx->current_cert = x; \
692 ret = ctx->verify_cb(0, ctx); \
693 } else { \
694 ret = 0; \
695 } \
696 if (!ret) \
697 goto done; \
698 } while (0)
699
700/*
701 * Core code for RFC 3779 3.3 path validation.
702 */
703static int v3_asid_validate_path_internal(X509_STORE_CTX *ctx,
704 STACK_OF(X509) *chain,
705 ASIdentifiers *ext)
706{
707 ASIdOrRanges *child_as = NULL, *child_rdi = NULL;
708 int i, ret = 1, inherit_as = 0, inherit_rdi = 0;
709 X509 *x;
710
711 OPENSSL_assert(chain != NULL && sk_X509_num(chain) > 0);
712 OPENSSL_assert(ctx != NULL || ext != NULL);
713 OPENSSL_assert(ctx == NULL || ctx->verify_cb != NULL);
714
715 /*
716 * Figure out where to start. If we don't have an extension to
717 * check, we're done. Otherwise, check canonical form and
718 * set up for walking up the chain.
719 */
720 if (ext != NULL) {
721 i = -1;
722 x = NULL;
723 } else {
724 i = 0;
725 x = sk_X509_value(chain, i);
726 OPENSSL_assert(x != NULL);
727 if ((ext = x->rfc3779_asid) == NULL)
728 goto done;
729 }
730 if (!v3_asid_is_canonical(ext))
731 validation_err(X509_V_ERR_INVALID_EXTENSION);
732 if (ext->asnum != NULL) {
733 switch (ext->asnum->type) {
734 case ASIdentifierChoice_inherit:
735 inherit_as = 1;
736 break;
737 case ASIdentifierChoice_asIdsOrRanges:
738 child_as = ext->asnum->u.asIdsOrRanges;
739 break;
740 }
741 }
742 if (ext->rdi != NULL) {
743 switch (ext->rdi->type) {
744 case ASIdentifierChoice_inherit:
745 inherit_rdi = 1;
746 break;
747 case ASIdentifierChoice_asIdsOrRanges:
748 child_rdi = ext->rdi->u.asIdsOrRanges;
749 break;
750 }
751 }
752
753 /*
754 * Now walk up the chain. Extensions must be in canonical form, no
755 * cert may list resources that its parent doesn't list.
756 */
757 for (i++; i < sk_X509_num(chain); i++) {
758 x = sk_X509_value(chain, i);
759 OPENSSL_assert(x != NULL);
760 if (x->rfc3779_asid == NULL) {
761 if (child_as != NULL || child_rdi != NULL)
762 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
763 continue;
764 }
765 if (!v3_asid_is_canonical(x->rfc3779_asid))
766 validation_err(X509_V_ERR_INVALID_EXTENSION);
767 if (x->rfc3779_asid->asnum == NULL && child_as != NULL) {
768 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
769 child_as = NULL;
770 inherit_as = 0;
771 }
772 if (x->rfc3779_asid->asnum != NULL &&
773 x->rfc3779_asid->asnum->type == ASIdentifierChoice_asIdsOrRanges) {
774 if (inherit_as ||
775 asid_contains(x->rfc3779_asid->asnum->u.asIdsOrRanges, child_as)) {
776 child_as = x->rfc3779_asid->asnum->u.asIdsOrRanges;
777 inherit_as = 0;
778 } else {
779 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
780 }
781 }
782 if (x->rfc3779_asid->rdi == NULL && child_rdi != NULL) {
783 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
784 child_rdi = NULL;
785 inherit_rdi = 0;
786 }
787 if (x->rfc3779_asid->rdi != NULL &&
788 x->rfc3779_asid->rdi->type == ASIdentifierChoice_asIdsOrRanges) {
789 if (inherit_rdi ||
790 asid_contains(x->rfc3779_asid->rdi->u.asIdsOrRanges, child_rdi)) {
791 child_rdi = x->rfc3779_asid->rdi->u.asIdsOrRanges;
792 inherit_rdi = 0;
793 } else {
794 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
795 }
796 }
797 }
798
799 /*
800 * Trust anchor can't inherit.
801 */
802 OPENSSL_assert(x != NULL);
803 if (x->rfc3779_asid != NULL) {
804 if (x->rfc3779_asid->asnum != NULL &&
805 x->rfc3779_asid->asnum->type == ASIdentifierChoice_inherit)
806 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
807 if (x->rfc3779_asid->rdi != NULL &&
808 x->rfc3779_asid->rdi->type == ASIdentifierChoice_inherit)
809 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
810 }
811
812 done:
813 return ret;
814}
815
816#undef validation_err
817
818/*
819 * RFC 3779 3.3 path validation -- called from X509_verify_cert().
820 */
821int v3_asid_validate_path(X509_STORE_CTX *ctx)
822{
823 return v3_asid_validate_path_internal(ctx, ctx->chain, NULL);
824}
825
826/*
827 * RFC 3779 3.3 path validation of an extension.
828 * Test whether chain covers extension.
829 */
830int v3_asid_validate_resource_set(STACK_OF(X509) *chain,
831 ASIdentifiers *ext,
832 int allow_inheritance)
833{
834 if (ext == NULL)
835 return 1;
836 if (chain == NULL || sk_X509_num(chain) == 0)
837 return 0;
838 if (!allow_inheritance && v3_asid_inherits(ext))
839 return 0;
840 return v3_asid_validate_path_internal(NULL, chain, ext);
841}
842
843#endif /* OPENSSL_NO_RFC3779 */
diff --git a/src/lib/libcrypto/x509v3/v3_bcons.c b/src/lib/libcrypto/x509v3/v3_bcons.c
deleted file mode 100644
index 82aa488f75..0000000000
--- a/src/lib/libcrypto/x509v3/v3_bcons.c
+++ /dev/null
@@ -1,124 +0,0 @@
1/* v3_bcons.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59
60#include <stdio.h>
61#include "cryptlib.h"
62#include <openssl/asn1.h>
63#include <openssl/asn1t.h>
64#include <openssl/conf.h>
65#include <openssl/x509v3.h>
66
67static STACK_OF(CONF_VALUE) *i2v_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method, BASIC_CONSTRAINTS *bcons, STACK_OF(CONF_VALUE) *extlist);
68static BASIC_CONSTRAINTS *v2i_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values);
69
70const X509V3_EXT_METHOD v3_bcons = {
71NID_basic_constraints, 0,
72ASN1_ITEM_ref(BASIC_CONSTRAINTS),
730,0,0,0,
740,0,
75(X509V3_EXT_I2V)i2v_BASIC_CONSTRAINTS,
76(X509V3_EXT_V2I)v2i_BASIC_CONSTRAINTS,
77NULL,NULL,
78NULL
79};
80
81ASN1_SEQUENCE(BASIC_CONSTRAINTS) = {
82 ASN1_OPT(BASIC_CONSTRAINTS, ca, ASN1_FBOOLEAN),
83 ASN1_OPT(BASIC_CONSTRAINTS, pathlen, ASN1_INTEGER)
84} ASN1_SEQUENCE_END(BASIC_CONSTRAINTS)
85
86IMPLEMENT_ASN1_FUNCTIONS(BASIC_CONSTRAINTS)
87
88
89static STACK_OF(CONF_VALUE) *i2v_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method,
90 BASIC_CONSTRAINTS *bcons, STACK_OF(CONF_VALUE) *extlist)
91{
92 X509V3_add_value_bool("CA", bcons->ca, &extlist);
93 X509V3_add_value_int("pathlen", bcons->pathlen, &extlist);
94 return extlist;
95}
96
97static BASIC_CONSTRAINTS *v2i_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method,
98 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values)
99{
100 BASIC_CONSTRAINTS *bcons=NULL;
101 CONF_VALUE *val;
102 int i;
103 if(!(bcons = BASIC_CONSTRAINTS_new())) {
104 X509V3err(X509V3_F_V2I_BASIC_CONSTRAINTS, ERR_R_MALLOC_FAILURE);
105 return NULL;
106 }
107 for(i = 0; i < sk_CONF_VALUE_num(values); i++) {
108 val = sk_CONF_VALUE_value(values, i);
109 if(!strcmp(val->name, "CA")) {
110 if(!X509V3_get_value_bool(val, &bcons->ca)) goto err;
111 } else if(!strcmp(val->name, "pathlen")) {
112 if(!X509V3_get_value_int(val, &bcons->pathlen)) goto err;
113 } else {
114 X509V3err(X509V3_F_V2I_BASIC_CONSTRAINTS, X509V3_R_INVALID_NAME);
115 X509V3_conf_err(val);
116 goto err;
117 }
118 }
119 return bcons;
120 err:
121 BASIC_CONSTRAINTS_free(bcons);
122 return NULL;
123}
124
diff --git a/src/lib/libcrypto/x509v3/v3_bitst.c b/src/lib/libcrypto/x509v3/v3_bitst.c
deleted file mode 100644
index 058d0d4dce..0000000000
--- a/src/lib/libcrypto/x509v3/v3_bitst.c
+++ /dev/null
@@ -1,141 +0,0 @@
1/* v3_bitst.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/conf.h>
62#include <openssl/x509v3.h>
63
64static BIT_STRING_BITNAME ns_cert_type_table[] = {
65{0, "SSL Client", "client"},
66{1, "SSL Server", "server"},
67{2, "S/MIME", "email"},
68{3, "Object Signing", "objsign"},
69{4, "Unused", "reserved"},
70{5, "SSL CA", "sslCA"},
71{6, "S/MIME CA", "emailCA"},
72{7, "Object Signing CA", "objCA"},
73{-1, NULL, NULL}
74};
75
76static BIT_STRING_BITNAME key_usage_type_table[] = {
77{0, "Digital Signature", "digitalSignature"},
78{1, "Non Repudiation", "nonRepudiation"},
79{2, "Key Encipherment", "keyEncipherment"},
80{3, "Data Encipherment", "dataEncipherment"},
81{4, "Key Agreement", "keyAgreement"},
82{5, "Certificate Sign", "keyCertSign"},
83{6, "CRL Sign", "cRLSign"},
84{7, "Encipher Only", "encipherOnly"},
85{8, "Decipher Only", "decipherOnly"},
86{-1, NULL, NULL}
87};
88
89
90
91const X509V3_EXT_METHOD v3_nscert = EXT_BITSTRING(NID_netscape_cert_type, ns_cert_type_table);
92const X509V3_EXT_METHOD v3_key_usage = EXT_BITSTRING(NID_key_usage, key_usage_type_table);
93
94STACK_OF(CONF_VALUE) *i2v_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
95 ASN1_BIT_STRING *bits, STACK_OF(CONF_VALUE) *ret)
96{
97 BIT_STRING_BITNAME *bnam;
98 for(bnam =method->usr_data; bnam->lname; bnam++) {
99 if(ASN1_BIT_STRING_get_bit(bits, bnam->bitnum))
100 X509V3_add_value(bnam->lname, NULL, &ret);
101 }
102 return ret;
103}
104
105ASN1_BIT_STRING *v2i_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
106 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
107{
108 CONF_VALUE *val;
109 ASN1_BIT_STRING *bs;
110 int i;
111 BIT_STRING_BITNAME *bnam;
112 if(!(bs = M_ASN1_BIT_STRING_new())) {
113 X509V3err(X509V3_F_V2I_ASN1_BIT_STRING,ERR_R_MALLOC_FAILURE);
114 return NULL;
115 }
116 for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
117 val = sk_CONF_VALUE_value(nval, i);
118 for(bnam = method->usr_data; bnam->lname; bnam++) {
119 if(!strcmp(bnam->sname, val->name) ||
120 !strcmp(bnam->lname, val->name) ) {
121 if(!ASN1_BIT_STRING_set_bit(bs, bnam->bitnum, 1)) {
122 X509V3err(X509V3_F_V2I_ASN1_BIT_STRING,
123 ERR_R_MALLOC_FAILURE);
124 M_ASN1_BIT_STRING_free(bs);
125 return NULL;
126 }
127 break;
128 }
129 }
130 if(!bnam->lname) {
131 X509V3err(X509V3_F_V2I_ASN1_BIT_STRING,
132 X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT);
133 X509V3_conf_err(val);
134 M_ASN1_BIT_STRING_free(bs);
135 return NULL;
136 }
137 }
138 return bs;
139}
140
141
diff --git a/src/lib/libcrypto/x509v3/v3_conf.c b/src/lib/libcrypto/x509v3/v3_conf.c
deleted file mode 100644
index 6730f9a6ee..0000000000
--- a/src/lib/libcrypto/x509v3/v3_conf.c
+++ /dev/null
@@ -1,525 +0,0 @@
1/* v3_conf.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999-2002 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58/* extension creation utilities */
59
60
61
62#include <stdio.h>
63#include <ctype.h>
64#include "cryptlib.h"
65#include <openssl/conf.h>
66#include <openssl/x509.h>
67#include <openssl/x509v3.h>
68
69static int v3_check_critical(char **value);
70static int v3_check_generic(char **value);
71static X509_EXTENSION *do_ext_nconf(CONF *conf, X509V3_CTX *ctx, int ext_nid, int crit, char *value);
72static X509_EXTENSION *v3_generic_extension(const char *ext, char *value, int crit, int type, X509V3_CTX *ctx);
73static char *conf_lhash_get_string(void *db, char *section, char *value);
74static STACK_OF(CONF_VALUE) *conf_lhash_get_section(void *db, char *section);
75static X509_EXTENSION *do_ext_i2d(const X509V3_EXT_METHOD *method, int ext_nid,
76 int crit, void *ext_struc);
77static unsigned char *generic_asn1(char *value, X509V3_CTX *ctx, long *ext_len);
78/* CONF *conf: Config file */
79/* char *name: Name */
80/* char *value: Value */
81X509_EXTENSION *X509V3_EXT_nconf(CONF *conf, X509V3_CTX *ctx, char *name,
82 char *value)
83 {
84 int crit;
85 int ext_type;
86 X509_EXTENSION *ret;
87 crit = v3_check_critical(&value);
88 if ((ext_type = v3_check_generic(&value)))
89 return v3_generic_extension(name, value, crit, ext_type, ctx);
90 ret = do_ext_nconf(conf, ctx, OBJ_sn2nid(name), crit, value);
91 if (!ret)
92 {
93 X509V3err(X509V3_F_X509V3_EXT_NCONF,X509V3_R_ERROR_IN_EXTENSION);
94 ERR_add_error_data(4,"name=", name, ", value=", value);
95 }
96 return ret;
97 }
98
99/* CONF *conf: Config file */
100/* char *value: Value */
101X509_EXTENSION *X509V3_EXT_nconf_nid(CONF *conf, X509V3_CTX *ctx, int ext_nid,
102 char *value)
103 {
104 int crit;
105 int ext_type;
106 crit = v3_check_critical(&value);
107 if ((ext_type = v3_check_generic(&value)))
108 return v3_generic_extension(OBJ_nid2sn(ext_nid),
109 value, crit, ext_type, ctx);
110 return do_ext_nconf(conf, ctx, ext_nid, crit, value);
111 }
112
113/* CONF *conf: Config file */
114/* char *value: Value */
115static X509_EXTENSION *do_ext_nconf(CONF *conf, X509V3_CTX *ctx, int ext_nid,
116 int crit, char *value)
117 {
118 const X509V3_EXT_METHOD *method;
119 X509_EXTENSION *ext;
120 STACK_OF(CONF_VALUE) *nval;
121 void *ext_struc;
122 if (ext_nid == NID_undef)
123 {
124 X509V3err(X509V3_F_DO_EXT_NCONF,X509V3_R_UNKNOWN_EXTENSION_NAME);
125 return NULL;
126 }
127 if (!(method = X509V3_EXT_get_nid(ext_nid)))
128 {
129 X509V3err(X509V3_F_DO_EXT_NCONF,X509V3_R_UNKNOWN_EXTENSION);
130 return NULL;
131 }
132 /* Now get internal extension representation based on type */
133 if (method->v2i)
134 {
135 if(*value == '@') nval = NCONF_get_section(conf, value + 1);
136 else nval = X509V3_parse_list(value);
137 if(sk_CONF_VALUE_num(nval) <= 0)
138 {
139 X509V3err(X509V3_F_DO_EXT_NCONF,X509V3_R_INVALID_EXTENSION_STRING);
140 ERR_add_error_data(4, "name=", OBJ_nid2sn(ext_nid), ",section=", value);
141 return NULL;
142 }
143 ext_struc = method->v2i(method, ctx, nval);
144 if(*value != '@') sk_CONF_VALUE_pop_free(nval,
145 X509V3_conf_free);
146 if(!ext_struc) return NULL;
147 }
148 else if(method->s2i)
149 {
150 if(!(ext_struc = method->s2i(method, ctx, value))) return NULL;
151 }
152 else if(method->r2i)
153 {
154 if(!ctx->db || !ctx->db_meth)
155 {
156 X509V3err(X509V3_F_DO_EXT_NCONF,X509V3_R_NO_CONFIG_DATABASE);
157 return NULL;
158 }
159 if(!(ext_struc = method->r2i(method, ctx, value))) return NULL;
160 }
161 else
162 {
163 X509V3err(X509V3_F_DO_EXT_NCONF,X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED);
164 ERR_add_error_data(2, "name=", OBJ_nid2sn(ext_nid));
165 return NULL;
166 }
167
168 ext = do_ext_i2d(method, ext_nid, crit, ext_struc);
169 if(method->it) ASN1_item_free(ext_struc, ASN1_ITEM_ptr(method->it));
170 else method->ext_free(ext_struc);
171 return ext;
172
173 }
174
175static X509_EXTENSION *do_ext_i2d(const X509V3_EXT_METHOD *method, int ext_nid,
176 int crit, void *ext_struc)
177 {
178 unsigned char *ext_der;
179 int ext_len;
180 ASN1_OCTET_STRING *ext_oct;
181 X509_EXTENSION *ext;
182 /* Convert internal representation to DER */
183 if (method->it)
184 {
185 ext_der = NULL;
186 ext_len = ASN1_item_i2d(ext_struc, &ext_der, ASN1_ITEM_ptr(method->it));
187 if (ext_len < 0) goto merr;
188 }
189 else
190 {
191 unsigned char *p;
192 ext_len = method->i2d(ext_struc, NULL);
193 if(!(ext_der = OPENSSL_malloc(ext_len))) goto merr;
194 p = ext_der;
195 method->i2d(ext_struc, &p);
196 }
197 if (!(ext_oct = M_ASN1_OCTET_STRING_new())) goto merr;
198 ext_oct->data = ext_der;
199 ext_oct->length = ext_len;
200
201 ext = X509_EXTENSION_create_by_NID(NULL, ext_nid, crit, ext_oct);
202 if (!ext) goto merr;
203 M_ASN1_OCTET_STRING_free(ext_oct);
204
205 return ext;
206
207 merr:
208 X509V3err(X509V3_F_DO_EXT_I2D,ERR_R_MALLOC_FAILURE);
209 return NULL;
210
211 }
212
213/* Given an internal structure, nid and critical flag create an extension */
214
215X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, void *ext_struc)
216 {
217 const X509V3_EXT_METHOD *method;
218 if (!(method = X509V3_EXT_get_nid(ext_nid))) {
219 X509V3err(X509V3_F_X509V3_EXT_I2D,X509V3_R_UNKNOWN_EXTENSION);
220 return NULL;
221 }
222 return do_ext_i2d(method, ext_nid, crit, ext_struc);
223}
224
225/* Check the extension string for critical flag */
226static int v3_check_critical(char **value)
227{
228 char *p = *value;
229 if ((strlen(p) < 9) || strncmp(p, "critical,", 9)) return 0;
230 p+=9;
231 while(isspace((unsigned char)*p)) p++;
232 *value = p;
233 return 1;
234}
235
236/* Check extension string for generic extension and return the type */
237static int v3_check_generic(char **value)
238{
239 int gen_type = 0;
240 char *p = *value;
241 if ((strlen(p) >= 4) && !strncmp(p, "DER:", 4))
242 {
243 p+=4;
244 gen_type = 1;
245 }
246 else if ((strlen(p) >= 5) && !strncmp(p, "ASN1:", 5))
247 {
248 p+=5;
249 gen_type = 2;
250 }
251 else
252 return 0;
253
254 while (isspace((unsigned char)*p)) p++;
255 *value = p;
256 return gen_type;
257}
258
259/* Create a generic extension: for now just handle DER type */
260static X509_EXTENSION *v3_generic_extension(const char *ext, char *value,
261 int crit, int gen_type,
262 X509V3_CTX *ctx)
263 {
264 unsigned char *ext_der=NULL;
265 long ext_len;
266 ASN1_OBJECT *obj=NULL;
267 ASN1_OCTET_STRING *oct=NULL;
268 X509_EXTENSION *extension=NULL;
269 if (!(obj = OBJ_txt2obj(ext, 0)))
270 {
271 X509V3err(X509V3_F_V3_GENERIC_EXTENSION,X509V3_R_EXTENSION_NAME_ERROR);
272 ERR_add_error_data(2, "name=", ext);
273 goto err;
274 }
275
276 if (gen_type == 1)
277 ext_der = string_to_hex(value, &ext_len);
278 else if (gen_type == 2)
279 ext_der = generic_asn1(value, ctx, &ext_len);
280
281 if (ext_der == NULL)
282 {
283 X509V3err(X509V3_F_V3_GENERIC_EXTENSION,X509V3_R_EXTENSION_VALUE_ERROR);
284 ERR_add_error_data(2, "value=", value);
285 goto err;
286 }
287
288 if (!(oct = M_ASN1_OCTET_STRING_new()))
289 {
290 X509V3err(X509V3_F_V3_GENERIC_EXTENSION,ERR_R_MALLOC_FAILURE);
291 goto err;
292 }
293
294 oct->data = ext_der;
295 oct->length = ext_len;
296 ext_der = NULL;
297
298 extension = X509_EXTENSION_create_by_OBJ(NULL, obj, crit, oct);
299
300 err:
301 ASN1_OBJECT_free(obj);
302 M_ASN1_OCTET_STRING_free(oct);
303 if(ext_der) OPENSSL_free(ext_der);
304 return extension;
305
306 }
307
308static unsigned char *generic_asn1(char *value, X509V3_CTX *ctx, long *ext_len)
309 {
310 ASN1_TYPE *typ;
311 unsigned char *ext_der = NULL;
312 typ = ASN1_generate_v3(value, ctx);
313 if (typ == NULL)
314 return NULL;
315 *ext_len = i2d_ASN1_TYPE(typ, &ext_der);
316 ASN1_TYPE_free(typ);
317 return ext_der;
318 }
319
320/* This is the main function: add a bunch of extensions based on a config file
321 * section to an extension STACK.
322 */
323
324
325int X509V3_EXT_add_nconf_sk(CONF *conf, X509V3_CTX *ctx, char *section,
326 STACK_OF(X509_EXTENSION) **sk)
327 {
328 X509_EXTENSION *ext;
329 STACK_OF(CONF_VALUE) *nval;
330 CONF_VALUE *val;
331 int i;
332 if (!(nval = NCONF_get_section(conf, section))) return 0;
333 for (i = 0; i < sk_CONF_VALUE_num(nval); i++)
334 {
335 val = sk_CONF_VALUE_value(nval, i);
336 if (!(ext = X509V3_EXT_nconf(conf, ctx, val->name, val->value)))
337 return 0;
338 if (sk) X509v3_add_ext(sk, ext, -1);
339 X509_EXTENSION_free(ext);
340 }
341 return 1;
342 }
343
344/* Convenience functions to add extensions to a certificate, CRL and request */
345
346int X509V3_EXT_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section,
347 X509 *cert)
348 {
349 STACK_OF(X509_EXTENSION) **sk = NULL;
350 if (cert)
351 sk = &cert->cert_info->extensions;
352 return X509V3_EXT_add_nconf_sk(conf, ctx, section, sk);
353 }
354
355/* Same as above but for a CRL */
356
357int X509V3_EXT_CRL_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section,
358 X509_CRL *crl)
359 {
360 STACK_OF(X509_EXTENSION) **sk = NULL;
361 if (crl)
362 sk = &crl->crl->extensions;
363 return X509V3_EXT_add_nconf_sk(conf, ctx, section, sk);
364 }
365
366/* Add extensions to certificate request */
367
368int X509V3_EXT_REQ_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section,
369 X509_REQ *req)
370 {
371 STACK_OF(X509_EXTENSION) *extlist = NULL, **sk = NULL;
372 int i;
373 if (req)
374 sk = &extlist;
375 i = X509V3_EXT_add_nconf_sk(conf, ctx, section, sk);
376 if (!i || !sk)
377 return i;
378 i = X509_REQ_add_extensions(req, extlist);
379 sk_X509_EXTENSION_pop_free(extlist, X509_EXTENSION_free);
380 return i;
381 }
382
383/* Config database functions */
384
385char * X509V3_get_string(X509V3_CTX *ctx, char *name, char *section)
386 {
387 if(!ctx->db || !ctx->db_meth || !ctx->db_meth->get_string)
388 {
389 X509V3err(X509V3_F_X509V3_GET_STRING,X509V3_R_OPERATION_NOT_DEFINED);
390 return NULL;
391 }
392 if (ctx->db_meth->get_string)
393 return ctx->db_meth->get_string(ctx->db, name, section);
394 return NULL;
395 }
396
397STACK_OF(CONF_VALUE) * X509V3_get_section(X509V3_CTX *ctx, char *section)
398 {
399 if(!ctx->db || !ctx->db_meth || !ctx->db_meth->get_section)
400 {
401 X509V3err(X509V3_F_X509V3_GET_SECTION,X509V3_R_OPERATION_NOT_DEFINED);
402 return NULL;
403 }
404 if (ctx->db_meth->get_section)
405 return ctx->db_meth->get_section(ctx->db, section);
406 return NULL;
407 }
408
409void X509V3_string_free(X509V3_CTX *ctx, char *str)
410 {
411 if (!str) return;
412 if (ctx->db_meth->free_string)
413 ctx->db_meth->free_string(ctx->db, str);
414 }
415
416void X509V3_section_free(X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *section)
417 {
418 if (!section) return;
419 if (ctx->db_meth->free_section)
420 ctx->db_meth->free_section(ctx->db, section);
421 }
422
423static char *nconf_get_string(void *db, char *section, char *value)
424 {
425 return NCONF_get_string(db, section, value);
426 }
427
428static STACK_OF(CONF_VALUE) *nconf_get_section(void *db, char *section)
429 {
430 return NCONF_get_section(db, section);
431 }
432
433static X509V3_CONF_METHOD nconf_method = {
434nconf_get_string,
435nconf_get_section,
436NULL,
437NULL
438};
439
440void X509V3_set_nconf(X509V3_CTX *ctx, CONF *conf)
441 {
442 ctx->db_meth = &nconf_method;
443 ctx->db = conf;
444 }
445
446void X509V3_set_ctx(X509V3_CTX *ctx, X509 *issuer, X509 *subj, X509_REQ *req,
447 X509_CRL *crl, int flags)
448 {
449 ctx->issuer_cert = issuer;
450 ctx->subject_cert = subj;
451 ctx->crl = crl;
452 ctx->subject_req = req;
453 ctx->flags = flags;
454 }
455
456/* Old conf compatibility functions */
457
458X509_EXTENSION *X509V3_EXT_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
459 char *name, char *value)
460 {
461 CONF ctmp;
462 CONF_set_nconf(&ctmp, conf);
463 return X509V3_EXT_nconf(&ctmp, ctx, name, value);
464 }
465
466/* LHASH *conf: Config file */
467/* char *value: Value */
468X509_EXTENSION *X509V3_EXT_conf_nid(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
469 int ext_nid, char *value)
470 {
471 CONF ctmp;
472 CONF_set_nconf(&ctmp, conf);
473 return X509V3_EXT_nconf_nid(&ctmp, ctx, ext_nid, value);
474 }
475
476static char *conf_lhash_get_string(void *db, char *section, char *value)
477 {
478 return CONF_get_string(db, section, value);
479 }
480
481static STACK_OF(CONF_VALUE) *conf_lhash_get_section(void *db, char *section)
482 {
483 return CONF_get_section(db, section);
484 }
485
486static X509V3_CONF_METHOD conf_lhash_method = {
487conf_lhash_get_string,
488conf_lhash_get_section,
489NULL,
490NULL
491};
492
493void X509V3_set_conf_lhash(X509V3_CTX *ctx, LHASH_OF(CONF_VALUE) *lhash)
494 {
495 ctx->db_meth = &conf_lhash_method;
496 ctx->db = lhash;
497 }
498
499int X509V3_EXT_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
500 char *section, X509 *cert)
501 {
502 CONF ctmp;
503 CONF_set_nconf(&ctmp, conf);
504 return X509V3_EXT_add_nconf(&ctmp, ctx, section, cert);
505 }
506
507/* Same as above but for a CRL */
508
509int X509V3_EXT_CRL_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
510 char *section, X509_CRL *crl)
511 {
512 CONF ctmp;
513 CONF_set_nconf(&ctmp, conf);
514 return X509V3_EXT_CRL_add_nconf(&ctmp, ctx, section, crl);
515 }
516
517/* Add extensions to certificate request */
518
519int X509V3_EXT_REQ_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
520 char *section, X509_REQ *req)
521 {
522 CONF ctmp;
523 CONF_set_nconf(&ctmp, conf);
524 return X509V3_EXT_REQ_add_nconf(&ctmp, ctx, section, req);
525 }
diff --git a/src/lib/libcrypto/x509v3/v3_cpols.c b/src/lib/libcrypto/x509v3/v3_cpols.c
deleted file mode 100644
index 1f0798b946..0000000000
--- a/src/lib/libcrypto/x509v3/v3_cpols.c
+++ /dev/null
@@ -1,457 +0,0 @@
1/* v3_cpols.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/conf.h>
62#include <openssl/asn1.h>
63#include <openssl/asn1t.h>
64#include <openssl/x509v3.h>
65
66#include "pcy_int.h"
67
68/* Certificate policies extension support: this one is a bit complex... */
69
70static int i2r_certpol(X509V3_EXT_METHOD *method, STACK_OF(POLICYINFO) *pol, BIO *out, int indent);
71static STACK_OF(POLICYINFO) *r2i_certpol(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *value);
72static void print_qualifiers(BIO *out, STACK_OF(POLICYQUALINFO) *quals, int indent);
73static void print_notice(BIO *out, USERNOTICE *notice, int indent);
74static POLICYINFO *policy_section(X509V3_CTX *ctx,
75 STACK_OF(CONF_VALUE) *polstrs, int ia5org);
76static POLICYQUALINFO *notice_section(X509V3_CTX *ctx,
77 STACK_OF(CONF_VALUE) *unot, int ia5org);
78static int nref_nos(STACK_OF(ASN1_INTEGER) *nnums, STACK_OF(CONF_VALUE) *nos);
79
80const X509V3_EXT_METHOD v3_cpols = {
81NID_certificate_policies, 0,ASN1_ITEM_ref(CERTIFICATEPOLICIES),
820,0,0,0,
830,0,
840,0,
85(X509V3_EXT_I2R)i2r_certpol,
86(X509V3_EXT_R2I)r2i_certpol,
87NULL
88};
89
90ASN1_ITEM_TEMPLATE(CERTIFICATEPOLICIES) =
91 ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, CERTIFICATEPOLICIES, POLICYINFO)
92ASN1_ITEM_TEMPLATE_END(CERTIFICATEPOLICIES)
93
94IMPLEMENT_ASN1_FUNCTIONS(CERTIFICATEPOLICIES)
95
96ASN1_SEQUENCE(POLICYINFO) = {
97 ASN1_SIMPLE(POLICYINFO, policyid, ASN1_OBJECT),
98 ASN1_SEQUENCE_OF_OPT(POLICYINFO, qualifiers, POLICYQUALINFO)
99} ASN1_SEQUENCE_END(POLICYINFO)
100
101IMPLEMENT_ASN1_FUNCTIONS(POLICYINFO)
102
103ASN1_ADB_TEMPLATE(policydefault) = ASN1_SIMPLE(POLICYQUALINFO, d.other, ASN1_ANY);
104
105ASN1_ADB(POLICYQUALINFO) = {
106 ADB_ENTRY(NID_id_qt_cps, ASN1_SIMPLE(POLICYQUALINFO, d.cpsuri, ASN1_IA5STRING)),
107 ADB_ENTRY(NID_id_qt_unotice, ASN1_SIMPLE(POLICYQUALINFO, d.usernotice, USERNOTICE))
108} ASN1_ADB_END(POLICYQUALINFO, 0, pqualid, 0, &policydefault_tt, NULL);
109
110ASN1_SEQUENCE(POLICYQUALINFO) = {
111 ASN1_SIMPLE(POLICYQUALINFO, pqualid, ASN1_OBJECT),
112 ASN1_ADB_OBJECT(POLICYQUALINFO)
113} ASN1_SEQUENCE_END(POLICYQUALINFO)
114
115IMPLEMENT_ASN1_FUNCTIONS(POLICYQUALINFO)
116
117ASN1_SEQUENCE(USERNOTICE) = {
118 ASN1_OPT(USERNOTICE, noticeref, NOTICEREF),
119 ASN1_OPT(USERNOTICE, exptext, DISPLAYTEXT)
120} ASN1_SEQUENCE_END(USERNOTICE)
121
122IMPLEMENT_ASN1_FUNCTIONS(USERNOTICE)
123
124ASN1_SEQUENCE(NOTICEREF) = {
125 ASN1_SIMPLE(NOTICEREF, organization, DISPLAYTEXT),
126 ASN1_SEQUENCE_OF(NOTICEREF, noticenos, ASN1_INTEGER)
127} ASN1_SEQUENCE_END(NOTICEREF)
128
129IMPLEMENT_ASN1_FUNCTIONS(NOTICEREF)
130
131static STACK_OF(POLICYINFO) *r2i_certpol(X509V3_EXT_METHOD *method,
132 X509V3_CTX *ctx, char *value)
133{
134 STACK_OF(POLICYINFO) *pols = NULL;
135 char *pstr;
136 POLICYINFO *pol;
137 ASN1_OBJECT *pobj;
138 STACK_OF(CONF_VALUE) *vals;
139 CONF_VALUE *cnf;
140 int i, ia5org;
141 pols = sk_POLICYINFO_new_null();
142 if (pols == NULL) {
143 X509V3err(X509V3_F_R2I_CERTPOL, ERR_R_MALLOC_FAILURE);
144 return NULL;
145 }
146 vals = X509V3_parse_list(value);
147 if (vals == NULL) {
148 X509V3err(X509V3_F_R2I_CERTPOL, ERR_R_X509V3_LIB);
149 goto err;
150 }
151 ia5org = 0;
152 for(i = 0; i < sk_CONF_VALUE_num(vals); i++) {
153 cnf = sk_CONF_VALUE_value(vals, i);
154 if(cnf->value || !cnf->name ) {
155 X509V3err(X509V3_F_R2I_CERTPOL,X509V3_R_INVALID_POLICY_IDENTIFIER);
156 X509V3_conf_err(cnf);
157 goto err;
158 }
159 pstr = cnf->name;
160 if(!strcmp(pstr,"ia5org")) {
161 ia5org = 1;
162 continue;
163 } else if(*pstr == '@') {
164 STACK_OF(CONF_VALUE) *polsect;
165 polsect = X509V3_get_section(ctx, pstr + 1);
166 if(!polsect) {
167 X509V3err(X509V3_F_R2I_CERTPOL,X509V3_R_INVALID_SECTION);
168
169 X509V3_conf_err(cnf);
170 goto err;
171 }
172 pol = policy_section(ctx, polsect, ia5org);
173 X509V3_section_free(ctx, polsect);
174 if(!pol) goto err;
175 } else {
176 if(!(pobj = OBJ_txt2obj(cnf->name, 0))) {
177 X509V3err(X509V3_F_R2I_CERTPOL,X509V3_R_INVALID_OBJECT_IDENTIFIER);
178 X509V3_conf_err(cnf);
179 goto err;
180 }
181 pol = POLICYINFO_new();
182 pol->policyid = pobj;
183 }
184 if (!sk_POLICYINFO_push(pols, pol)){
185 POLICYINFO_free(pol);
186 X509V3err(X509V3_F_R2I_CERTPOL, ERR_R_MALLOC_FAILURE);
187 goto err;
188 }
189 }
190 sk_CONF_VALUE_pop_free(vals, X509V3_conf_free);
191 return pols;
192 err:
193 sk_CONF_VALUE_pop_free(vals, X509V3_conf_free);
194 sk_POLICYINFO_pop_free(pols, POLICYINFO_free);
195 return NULL;
196}
197
198static POLICYINFO *policy_section(X509V3_CTX *ctx,
199 STACK_OF(CONF_VALUE) *polstrs, int ia5org)
200{
201 int i;
202 CONF_VALUE *cnf;
203 POLICYINFO *pol;
204 POLICYQUALINFO *qual;
205 if(!(pol = POLICYINFO_new())) goto merr;
206 for(i = 0; i < sk_CONF_VALUE_num(polstrs); i++) {
207 cnf = sk_CONF_VALUE_value(polstrs, i);
208 if(!strcmp(cnf->name, "policyIdentifier")) {
209 ASN1_OBJECT *pobj;
210 if(!(pobj = OBJ_txt2obj(cnf->value, 0))) {
211 X509V3err(X509V3_F_POLICY_SECTION,X509V3_R_INVALID_OBJECT_IDENTIFIER);
212 X509V3_conf_err(cnf);
213 goto err;
214 }
215 pol->policyid = pobj;
216
217 } else if(!name_cmp(cnf->name, "CPS")) {
218 if(!pol->qualifiers) pol->qualifiers =
219 sk_POLICYQUALINFO_new_null();
220 if(!(qual = POLICYQUALINFO_new())) goto merr;
221 if(!sk_POLICYQUALINFO_push(pol->qualifiers, qual))
222 goto merr;
223 qual->pqualid = OBJ_nid2obj(NID_id_qt_cps);
224 qual->d.cpsuri = M_ASN1_IA5STRING_new();
225 if(!ASN1_STRING_set(qual->d.cpsuri, cnf->value,
226 strlen(cnf->value))) goto merr;
227 } else if(!name_cmp(cnf->name, "userNotice")) {
228 STACK_OF(CONF_VALUE) *unot;
229 if(*cnf->value != '@') {
230 X509V3err(X509V3_F_POLICY_SECTION,X509V3_R_EXPECTED_A_SECTION_NAME);
231 X509V3_conf_err(cnf);
232 goto err;
233 }
234 unot = X509V3_get_section(ctx, cnf->value + 1);
235 if(!unot) {
236 X509V3err(X509V3_F_POLICY_SECTION,X509V3_R_INVALID_SECTION);
237
238 X509V3_conf_err(cnf);
239 goto err;
240 }
241 qual = notice_section(ctx, unot, ia5org);
242 X509V3_section_free(ctx, unot);
243 if(!qual) goto err;
244 if(!pol->qualifiers) pol->qualifiers =
245 sk_POLICYQUALINFO_new_null();
246 if(!sk_POLICYQUALINFO_push(pol->qualifiers, qual))
247 goto merr;
248 } else {
249 X509V3err(X509V3_F_POLICY_SECTION,X509V3_R_INVALID_OPTION);
250
251 X509V3_conf_err(cnf);
252 goto err;
253 }
254 }
255 if(!pol->policyid) {
256 X509V3err(X509V3_F_POLICY_SECTION,X509V3_R_NO_POLICY_IDENTIFIER);
257 goto err;
258 }
259
260 return pol;
261
262 merr:
263 X509V3err(X509V3_F_POLICY_SECTION,ERR_R_MALLOC_FAILURE);
264
265 err:
266 POLICYINFO_free(pol);
267 return NULL;
268
269
270}
271
272static POLICYQUALINFO *notice_section(X509V3_CTX *ctx,
273 STACK_OF(CONF_VALUE) *unot, int ia5org)
274{
275 int i, ret;
276 CONF_VALUE *cnf;
277 USERNOTICE *not;
278 POLICYQUALINFO *qual;
279 if(!(qual = POLICYQUALINFO_new())) goto merr;
280 qual->pqualid = OBJ_nid2obj(NID_id_qt_unotice);
281 if(!(not = USERNOTICE_new())) goto merr;
282 qual->d.usernotice = not;
283 for(i = 0; i < sk_CONF_VALUE_num(unot); i++) {
284 cnf = sk_CONF_VALUE_value(unot, i);
285 if(!strcmp(cnf->name, "explicitText")) {
286 not->exptext = M_ASN1_VISIBLESTRING_new();
287 if(!ASN1_STRING_set(not->exptext, cnf->value,
288 strlen(cnf->value))) goto merr;
289 } else if(!strcmp(cnf->name, "organization")) {
290 NOTICEREF *nref;
291 if(!not->noticeref) {
292 if(!(nref = NOTICEREF_new())) goto merr;
293 not->noticeref = nref;
294 } else nref = not->noticeref;
295 if(ia5org) nref->organization->type = V_ASN1_IA5STRING;
296 else nref->organization->type = V_ASN1_VISIBLESTRING;
297 if(!ASN1_STRING_set(nref->organization, cnf->value,
298 strlen(cnf->value))) goto merr;
299 } else if(!strcmp(cnf->name, "noticeNumbers")) {
300 NOTICEREF *nref;
301 STACK_OF(CONF_VALUE) *nos;
302 if(!not->noticeref) {
303 if(!(nref = NOTICEREF_new())) goto merr;
304 not->noticeref = nref;
305 } else nref = not->noticeref;
306 nos = X509V3_parse_list(cnf->value);
307 if(!nos || !sk_CONF_VALUE_num(nos)) {
308 X509V3err(X509V3_F_NOTICE_SECTION,X509V3_R_INVALID_NUMBERS);
309 X509V3_conf_err(cnf);
310 goto err;
311 }
312 ret = nref_nos(nref->noticenos, nos);
313 sk_CONF_VALUE_pop_free(nos, X509V3_conf_free);
314 if (!ret)
315 goto err;
316 } else {
317 X509V3err(X509V3_F_NOTICE_SECTION,X509V3_R_INVALID_OPTION);
318 X509V3_conf_err(cnf);
319 goto err;
320 }
321 }
322
323 if(not->noticeref &&
324 (!not->noticeref->noticenos || !not->noticeref->organization)) {
325 X509V3err(X509V3_F_NOTICE_SECTION,X509V3_R_NEED_ORGANIZATION_AND_NUMBERS);
326 goto err;
327 }
328
329 return qual;
330
331 merr:
332 X509V3err(X509V3_F_NOTICE_SECTION,ERR_R_MALLOC_FAILURE);
333
334 err:
335 POLICYQUALINFO_free(qual);
336 return NULL;
337}
338
339static int nref_nos(STACK_OF(ASN1_INTEGER) *nnums, STACK_OF(CONF_VALUE) *nos)
340{
341 CONF_VALUE *cnf;
342 ASN1_INTEGER *aint;
343
344 int i;
345
346 for(i = 0; i < sk_CONF_VALUE_num(nos); i++) {
347 cnf = sk_CONF_VALUE_value(nos, i);
348 if(!(aint = s2i_ASN1_INTEGER(NULL, cnf->name))) {
349 X509V3err(X509V3_F_NREF_NOS,X509V3_R_INVALID_NUMBER);
350 goto err;
351 }
352 if(!sk_ASN1_INTEGER_push(nnums, aint)) goto merr;
353 }
354 return 1;
355
356 merr:
357 X509V3err(X509V3_F_NREF_NOS,ERR_R_MALLOC_FAILURE);
358
359 err:
360 sk_ASN1_INTEGER_pop_free(nnums, ASN1_STRING_free);
361 return 0;
362}
363
364
365static int i2r_certpol(X509V3_EXT_METHOD *method, STACK_OF(POLICYINFO) *pol,
366 BIO *out, int indent)
367{
368 int i;
369 POLICYINFO *pinfo;
370 /* First print out the policy OIDs */
371 for(i = 0; i < sk_POLICYINFO_num(pol); i++) {
372 pinfo = sk_POLICYINFO_value(pol, i);
373 BIO_printf(out, "%*sPolicy: ", indent, "");
374 i2a_ASN1_OBJECT(out, pinfo->policyid);
375 BIO_puts(out, "\n");
376 if(pinfo->qualifiers)
377 print_qualifiers(out, pinfo->qualifiers, indent + 2);
378 }
379 return 1;
380}
381
382static void print_qualifiers(BIO *out, STACK_OF(POLICYQUALINFO) *quals,
383 int indent)
384{
385 POLICYQUALINFO *qualinfo;
386 int i;
387 for(i = 0; i < sk_POLICYQUALINFO_num(quals); i++) {
388 qualinfo = sk_POLICYQUALINFO_value(quals, i);
389 switch(OBJ_obj2nid(qualinfo->pqualid))
390 {
391 case NID_id_qt_cps:
392 BIO_printf(out, "%*sCPS: %s\n", indent, "",
393 qualinfo->d.cpsuri->data);
394 break;
395
396 case NID_id_qt_unotice:
397 BIO_printf(out, "%*sUser Notice:\n", indent, "");
398 print_notice(out, qualinfo->d.usernotice, indent + 2);
399 break;
400
401 default:
402 BIO_printf(out, "%*sUnknown Qualifier: ",
403 indent + 2, "");
404
405 i2a_ASN1_OBJECT(out, qualinfo->pqualid);
406 BIO_puts(out, "\n");
407 break;
408 }
409 }
410}
411
412static void print_notice(BIO *out, USERNOTICE *notice, int indent)
413{
414 int i;
415 if(notice->noticeref) {
416 NOTICEREF *ref;
417 ref = notice->noticeref;
418 BIO_printf(out, "%*sOrganization: %s\n", indent, "",
419 ref->organization->data);
420 BIO_printf(out, "%*sNumber%s: ", indent, "",
421 sk_ASN1_INTEGER_num(ref->noticenos) > 1 ? "s" : "");
422 for(i = 0; i < sk_ASN1_INTEGER_num(ref->noticenos); i++) {
423 ASN1_INTEGER *num;
424 char *tmp;
425 num = sk_ASN1_INTEGER_value(ref->noticenos, i);
426 if(i) BIO_puts(out, ", ");
427 tmp = i2s_ASN1_INTEGER(NULL, num);
428 BIO_puts(out, tmp);
429 OPENSSL_free(tmp);
430 }
431 BIO_puts(out, "\n");
432 }
433 if(notice->exptext)
434 BIO_printf(out, "%*sExplicit Text: %s\n", indent, "",
435 notice->exptext->data);
436}
437
438void X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent)
439 {
440 const X509_POLICY_DATA *dat = node->data;
441
442 BIO_printf(out, "%*sPolicy: ", indent, "");
443
444 i2a_ASN1_OBJECT(out, dat->valid_policy);
445 BIO_puts(out, "\n");
446 BIO_printf(out, "%*s%s\n", indent + 2, "",
447 node_data_critical(dat) ? "Critical" : "Non Critical");
448 if (dat->qualifier_set)
449 print_qualifiers(out, dat->qualifier_set, indent + 2);
450 else
451 BIO_printf(out, "%*sNo Qualifiers\n", indent + 2, "");
452 }
453
454
455IMPLEMENT_STACK_OF(X509_POLICY_NODE)
456IMPLEMENT_STACK_OF(X509_POLICY_DATA)
457
diff --git a/src/lib/libcrypto/x509v3/v3_crld.c b/src/lib/libcrypto/x509v3/v3_crld.c
deleted file mode 100644
index 790a6dd032..0000000000
--- a/src/lib/libcrypto/x509v3/v3_crld.c
+++ /dev/null
@@ -1,616 +0,0 @@
1/* v3_crld.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999-2008 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/conf.h>
62#include <openssl/asn1.h>
63#include <openssl/asn1t.h>
64#include <openssl/x509v3.h>
65
66static void *v2i_crld(const X509V3_EXT_METHOD *method,
67 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
68static int i2r_crldp(const X509V3_EXT_METHOD *method, void *pcrldp, BIO *out,
69 int indent);
70
71const X509V3_EXT_METHOD v3_crld =
72 {
73 NID_crl_distribution_points, 0, ASN1_ITEM_ref(CRL_DIST_POINTS),
74 0,0,0,0,
75 0,0,
76 0,
77 v2i_crld,
78 i2r_crldp,0,
79 NULL
80 };
81
82const X509V3_EXT_METHOD v3_freshest_crl =
83 {
84 NID_freshest_crl, 0, ASN1_ITEM_ref(CRL_DIST_POINTS),
85 0,0,0,0,
86 0,0,
87 0,
88 v2i_crld,
89 i2r_crldp,0,
90 NULL
91 };
92
93static STACK_OF(GENERAL_NAME) *gnames_from_sectname(X509V3_CTX *ctx, char *sect)
94 {
95 STACK_OF(CONF_VALUE) *gnsect;
96 STACK_OF(GENERAL_NAME) *gens;
97 if (*sect == '@')
98 gnsect = X509V3_get_section(ctx, sect + 1);
99 else
100 gnsect = X509V3_parse_list(sect);
101 if (!gnsect)
102 {
103 X509V3err(X509V3_F_GNAMES_FROM_SECTNAME,
104 X509V3_R_SECTION_NOT_FOUND);
105 return NULL;
106 }
107 gens = v2i_GENERAL_NAMES(NULL, ctx, gnsect);
108 if (*sect == '@')
109 X509V3_section_free(ctx, gnsect);
110 else
111 sk_CONF_VALUE_pop_free(gnsect, X509V3_conf_free);
112 return gens;
113 }
114
115static int set_dist_point_name(DIST_POINT_NAME **pdp, X509V3_CTX *ctx,
116 CONF_VALUE *cnf)
117 {
118 STACK_OF(GENERAL_NAME) *fnm = NULL;
119 STACK_OF(X509_NAME_ENTRY) *rnm = NULL;
120 if (!strncmp(cnf->name, "fullname", 9))
121 {
122 fnm = gnames_from_sectname(ctx, cnf->value);
123 if (!fnm)
124 goto err;
125 }
126 else if (!strcmp(cnf->name, "relativename"))
127 {
128 int ret;
129 STACK_OF(CONF_VALUE) *dnsect;
130 X509_NAME *nm;
131 nm = X509_NAME_new();
132 if (!nm)
133 return -1;
134 dnsect = X509V3_get_section(ctx, cnf->value);
135 if (!dnsect)
136 {
137 X509V3err(X509V3_F_SET_DIST_POINT_NAME,
138 X509V3_R_SECTION_NOT_FOUND);
139 return -1;
140 }
141 ret = X509V3_NAME_from_section(nm, dnsect, MBSTRING_ASC);
142 X509V3_section_free(ctx, dnsect);
143 rnm = nm->entries;
144 nm->entries = NULL;
145 X509_NAME_free(nm);
146 if (!ret || sk_X509_NAME_ENTRY_num(rnm) <= 0)
147 goto err;
148 /* Since its a name fragment can't have more than one
149 * RDNSequence
150 */
151 if (sk_X509_NAME_ENTRY_value(rnm,
152 sk_X509_NAME_ENTRY_num(rnm) - 1)->set)
153 {
154 X509V3err(X509V3_F_SET_DIST_POINT_NAME,
155 X509V3_R_INVALID_MULTIPLE_RDNS);
156 goto err;
157 }
158 }
159 else
160 return 0;
161
162 if (*pdp)
163 {
164 X509V3err(X509V3_F_SET_DIST_POINT_NAME,
165 X509V3_R_DISTPOINT_ALREADY_SET);
166 goto err;
167 }
168
169 *pdp = DIST_POINT_NAME_new();
170 if (!*pdp)
171 goto err;
172 if (fnm)
173 {
174 (*pdp)->type = 0;
175 (*pdp)->name.fullname = fnm;
176 }
177 else
178 {
179 (*pdp)->type = 1;
180 (*pdp)->name.relativename = rnm;
181 }
182
183 return 1;
184
185 err:
186 if (fnm)
187 sk_GENERAL_NAME_pop_free(fnm, GENERAL_NAME_free);
188 if (rnm)
189 sk_X509_NAME_ENTRY_pop_free(rnm, X509_NAME_ENTRY_free);
190 return -1;
191 }
192
193static const BIT_STRING_BITNAME reason_flags[] = {
194{0, "Unused", "unused"},
195{1, "Key Compromise", "keyCompromise"},
196{2, "CA Compromise", "CACompromise"},
197{3, "Affiliation Changed", "affiliationChanged"},
198{4, "Superseded", "superseded"},
199{5, "Cessation Of Operation", "cessationOfOperation"},
200{6, "Certificate Hold", "certificateHold"},
201{7, "Privilege Withdrawn", "privilegeWithdrawn"},
202{8, "AA Compromise", "AACompromise"},
203{-1, NULL, NULL}
204};
205
206static int set_reasons(ASN1_BIT_STRING **preas, char *value)
207 {
208 STACK_OF(CONF_VALUE) *rsk = NULL;
209 const BIT_STRING_BITNAME *pbn;
210 const char *bnam;
211 int i, ret = 0;
212 rsk = X509V3_parse_list(value);
213 if (!rsk)
214 return 0;
215 if (*preas)
216 return 0;
217 for (i = 0; i < sk_CONF_VALUE_num(rsk); i++)
218 {
219 bnam = sk_CONF_VALUE_value(rsk, i)->name;
220 if (!*preas)
221 {
222 *preas = ASN1_BIT_STRING_new();
223 if (!*preas)
224 goto err;
225 }
226 for (pbn = reason_flags; pbn->lname; pbn++)
227 {
228 if (!strcmp(pbn->sname, bnam))
229 {
230 if (!ASN1_BIT_STRING_set_bit(*preas,
231 pbn->bitnum, 1))
232 goto err;
233 break;
234 }
235 }
236 if (!pbn->lname)
237 goto err;
238 }
239 ret = 1;
240
241 err:
242 sk_CONF_VALUE_pop_free(rsk, X509V3_conf_free);
243 return ret;
244 }
245
246static int print_reasons(BIO *out, const char *rname,
247 ASN1_BIT_STRING *rflags, int indent)
248 {
249 int first = 1;
250 const BIT_STRING_BITNAME *pbn;
251 BIO_printf(out, "%*s%s:\n%*s", indent, "", rname, indent + 2, "");
252 for (pbn = reason_flags; pbn->lname; pbn++)
253 {
254 if (ASN1_BIT_STRING_get_bit(rflags, pbn->bitnum))
255 {
256 if (first)
257 first = 0;
258 else
259 BIO_puts(out, ", ");
260 BIO_puts(out, pbn->lname);
261 }
262 }
263 if (first)
264 BIO_puts(out, "<EMPTY>\n");
265 else
266 BIO_puts(out, "\n");
267 return 1;
268 }
269
270static DIST_POINT *crldp_from_section(X509V3_CTX *ctx,
271 STACK_OF(CONF_VALUE) *nval)
272 {
273 int i;
274 CONF_VALUE *cnf;
275 DIST_POINT *point = NULL;
276 point = DIST_POINT_new();
277 if (!point)
278 goto err;
279 for(i = 0; i < sk_CONF_VALUE_num(nval); i++)
280 {
281 int ret;
282 cnf = sk_CONF_VALUE_value(nval, i);
283 ret = set_dist_point_name(&point->distpoint, ctx, cnf);
284 if (ret > 0)
285 continue;
286 if (ret < 0)
287 goto err;
288 if (!strcmp(cnf->name, "reasons"))
289 {
290 if (!set_reasons(&point->reasons, cnf->value))
291 goto err;
292 }
293 else if (!strcmp(cnf->name, "CRLissuer"))
294 {
295 point->CRLissuer =
296 gnames_from_sectname(ctx, cnf->value);
297 if (!point->CRLissuer)
298 goto err;
299 }
300 }
301
302 return point;
303
304
305 err:
306 if (point)
307 DIST_POINT_free(point);
308 return NULL;
309 }
310
311static void *v2i_crld(const X509V3_EXT_METHOD *method,
312 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
313 {
314 STACK_OF(DIST_POINT) *crld = NULL;
315 GENERAL_NAMES *gens = NULL;
316 GENERAL_NAME *gen = NULL;
317 CONF_VALUE *cnf;
318 int i;
319 if(!(crld = sk_DIST_POINT_new_null())) goto merr;
320 for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
321 DIST_POINT *point;
322 cnf = sk_CONF_VALUE_value(nval, i);
323 if (!cnf->value)
324 {
325 STACK_OF(CONF_VALUE) *dpsect;
326 dpsect = X509V3_get_section(ctx, cnf->name);
327 if (!dpsect)
328 goto err;
329 point = crldp_from_section(ctx, dpsect);
330 X509V3_section_free(ctx, dpsect);
331 if (!point)
332 goto err;
333 if(!sk_DIST_POINT_push(crld, point))
334 {
335 DIST_POINT_free(point);
336 goto merr;
337 }
338 }
339 else
340 {
341 if(!(gen = v2i_GENERAL_NAME(method, ctx, cnf)))
342 goto err;
343 if(!(gens = GENERAL_NAMES_new()))
344 goto merr;
345 if(!sk_GENERAL_NAME_push(gens, gen))
346 goto merr;
347 gen = NULL;
348 if(!(point = DIST_POINT_new()))
349 goto merr;
350 if(!sk_DIST_POINT_push(crld, point))
351 {
352 DIST_POINT_free(point);
353 goto merr;
354 }
355 if(!(point->distpoint = DIST_POINT_NAME_new()))
356 goto merr;
357 point->distpoint->name.fullname = gens;
358 point->distpoint->type = 0;
359 gens = NULL;
360 }
361 }
362 return crld;
363
364 merr:
365 X509V3err(X509V3_F_V2I_CRLD,ERR_R_MALLOC_FAILURE);
366 err:
367 GENERAL_NAME_free(gen);
368 GENERAL_NAMES_free(gens);
369 sk_DIST_POINT_pop_free(crld, DIST_POINT_free);
370 return NULL;
371}
372
373IMPLEMENT_STACK_OF(DIST_POINT)
374IMPLEMENT_ASN1_SET_OF(DIST_POINT)
375
376static int dpn_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
377 void *exarg)
378 {
379 DIST_POINT_NAME *dpn = (DIST_POINT_NAME *)*pval;
380
381 switch(operation)
382 {
383 case ASN1_OP_NEW_POST:
384 dpn->dpname = NULL;
385 break;
386
387 case ASN1_OP_FREE_POST:
388 if (dpn->dpname)
389 X509_NAME_free(dpn->dpname);
390 break;
391 }
392 return 1;
393 }
394
395
396ASN1_CHOICE_cb(DIST_POINT_NAME, dpn_cb) = {
397 ASN1_IMP_SEQUENCE_OF(DIST_POINT_NAME, name.fullname, GENERAL_NAME, 0),
398 ASN1_IMP_SET_OF(DIST_POINT_NAME, name.relativename, X509_NAME_ENTRY, 1)
399} ASN1_CHOICE_END_cb(DIST_POINT_NAME, DIST_POINT_NAME, type)
400
401
402IMPLEMENT_ASN1_FUNCTIONS(DIST_POINT_NAME)
403
404ASN1_SEQUENCE(DIST_POINT) = {
405 ASN1_EXP_OPT(DIST_POINT, distpoint, DIST_POINT_NAME, 0),
406 ASN1_IMP_OPT(DIST_POINT, reasons, ASN1_BIT_STRING, 1),
407 ASN1_IMP_SEQUENCE_OF_OPT(DIST_POINT, CRLissuer, GENERAL_NAME, 2)
408} ASN1_SEQUENCE_END(DIST_POINT)
409
410IMPLEMENT_ASN1_FUNCTIONS(DIST_POINT)
411
412ASN1_ITEM_TEMPLATE(CRL_DIST_POINTS) =
413 ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, CRLDistributionPoints, DIST_POINT)
414ASN1_ITEM_TEMPLATE_END(CRL_DIST_POINTS)
415
416IMPLEMENT_ASN1_FUNCTIONS(CRL_DIST_POINTS)
417
418ASN1_SEQUENCE(ISSUING_DIST_POINT) = {
419 ASN1_EXP_OPT(ISSUING_DIST_POINT, distpoint, DIST_POINT_NAME, 0),
420 ASN1_IMP_OPT(ISSUING_DIST_POINT, onlyuser, ASN1_FBOOLEAN, 1),
421 ASN1_IMP_OPT(ISSUING_DIST_POINT, onlyCA, ASN1_FBOOLEAN, 2),
422 ASN1_IMP_OPT(ISSUING_DIST_POINT, onlysomereasons, ASN1_BIT_STRING, 3),
423 ASN1_IMP_OPT(ISSUING_DIST_POINT, indirectCRL, ASN1_FBOOLEAN, 4),
424 ASN1_IMP_OPT(ISSUING_DIST_POINT, onlyattr, ASN1_FBOOLEAN, 5)
425} ASN1_SEQUENCE_END(ISSUING_DIST_POINT)
426
427IMPLEMENT_ASN1_FUNCTIONS(ISSUING_DIST_POINT)
428
429static int i2r_idp(const X509V3_EXT_METHOD *method, void *pidp, BIO *out,
430 int indent);
431static void *v2i_idp(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
432 STACK_OF(CONF_VALUE) *nval);
433
434const X509V3_EXT_METHOD v3_idp =
435 {
436 NID_issuing_distribution_point, X509V3_EXT_MULTILINE,
437 ASN1_ITEM_ref(ISSUING_DIST_POINT),
438 0,0,0,0,
439 0,0,
440 0,
441 v2i_idp,
442 i2r_idp,0,
443 NULL
444 };
445
446static void *v2i_idp(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
447 STACK_OF(CONF_VALUE) *nval)
448 {
449 ISSUING_DIST_POINT *idp = NULL;
450 CONF_VALUE *cnf;
451 char *name, *val;
452 int i, ret;
453 idp = ISSUING_DIST_POINT_new();
454 if (!idp)
455 goto merr;
456 for(i = 0; i < sk_CONF_VALUE_num(nval); i++)
457 {
458 cnf = sk_CONF_VALUE_value(nval, i);
459 name = cnf->name;
460 val = cnf->value;
461 ret = set_dist_point_name(&idp->distpoint, ctx, cnf);
462 if (ret > 0)
463 continue;
464 if (ret < 0)
465 goto err;
466 if (!strcmp(name, "onlyuser"))
467 {
468 if (!X509V3_get_value_bool(cnf, &idp->onlyuser))
469 goto err;
470 }
471 else if (!strcmp(name, "onlyCA"))
472 {
473 if (!X509V3_get_value_bool(cnf, &idp->onlyCA))
474 goto err;
475 }
476 else if (!strcmp(name, "onlyAA"))
477 {
478 if (!X509V3_get_value_bool(cnf, &idp->onlyattr))
479 goto err;
480 }
481 else if (!strcmp(name, "indirectCRL"))
482 {
483 if (!X509V3_get_value_bool(cnf, &idp->indirectCRL))
484 goto err;
485 }
486 else if (!strcmp(name, "onlysomereasons"))
487 {
488 if (!set_reasons(&idp->onlysomereasons, val))
489 goto err;
490 }
491 else
492 {
493 X509V3err(X509V3_F_V2I_IDP, X509V3_R_INVALID_NAME);
494 X509V3_conf_err(cnf);
495 goto err;
496 }
497 }
498 return idp;
499
500 merr:
501 X509V3err(X509V3_F_V2I_IDP,ERR_R_MALLOC_FAILURE);
502 err:
503 ISSUING_DIST_POINT_free(idp);
504 return NULL;
505 }
506
507static int print_gens(BIO *out, STACK_OF(GENERAL_NAME) *gens, int indent)
508 {
509 int i;
510 for (i = 0; i < sk_GENERAL_NAME_num(gens); i++)
511 {
512 BIO_printf(out, "%*s", indent + 2, "");
513 GENERAL_NAME_print(out, sk_GENERAL_NAME_value(gens, i));
514 BIO_puts(out, "\n");
515 }
516 return 1;
517 }
518
519static int print_distpoint(BIO *out, DIST_POINT_NAME *dpn, int indent)
520 {
521 if (dpn->type == 0)
522 {
523 BIO_printf(out, "%*sFull Name:\n", indent, "");
524 print_gens(out, dpn->name.fullname, indent);
525 }
526 else
527 {
528 X509_NAME ntmp;
529 ntmp.entries = dpn->name.relativename;
530 BIO_printf(out, "%*sRelative Name:\n%*s",
531 indent, "", indent + 2, "");
532 X509_NAME_print_ex(out, &ntmp, 0, XN_FLAG_ONELINE);
533 BIO_puts(out, "\n");
534 }
535 return 1;
536 }
537
538static int i2r_idp(const X509V3_EXT_METHOD *method, void *pidp, BIO *out,
539 int indent)
540 {
541 ISSUING_DIST_POINT *idp = pidp;
542 if (idp->distpoint)
543 print_distpoint(out, idp->distpoint, indent);
544 if (idp->onlyuser > 0)
545 BIO_printf(out, "%*sOnly User Certificates\n", indent, "");
546 if (idp->onlyCA > 0)
547 BIO_printf(out, "%*sOnly CA Certificates\n", indent, "");
548 if (idp->indirectCRL > 0)
549 BIO_printf(out, "%*sIndirect CRL\n", indent, "");
550 if (idp->onlysomereasons)
551 print_reasons(out, "Only Some Reasons",
552 idp->onlysomereasons, indent);
553 if (idp->onlyattr > 0)
554 BIO_printf(out, "%*sOnly Attribute Certificates\n", indent, "");
555 if (!idp->distpoint && (idp->onlyuser <= 0) && (idp->onlyCA <= 0)
556 && (idp->indirectCRL <= 0) && !idp->onlysomereasons
557 && (idp->onlyattr <= 0))
558 BIO_printf(out, "%*s<EMPTY>\n", indent, "");
559
560 return 1;
561 }
562
563static int i2r_crldp(const X509V3_EXT_METHOD *method, void *pcrldp, BIO *out,
564 int indent)
565 {
566 STACK_OF(DIST_POINT) *crld = pcrldp;
567 DIST_POINT *point;
568 int i;
569 for(i = 0; i < sk_DIST_POINT_num(crld); i++)
570 {
571 BIO_puts(out, "\n");
572 point = sk_DIST_POINT_value(crld, i);
573 if(point->distpoint)
574 print_distpoint(out, point->distpoint, indent);
575 if(point->reasons)
576 print_reasons(out, "Reasons", point->reasons,
577 indent);
578 if(point->CRLissuer)
579 {
580 BIO_printf(out, "%*sCRL Issuer:\n", indent, "");
581 print_gens(out, point->CRLissuer, indent);
582 }
583 }
584 return 1;
585 }
586
587int DIST_POINT_set_dpname(DIST_POINT_NAME *dpn, X509_NAME *iname)
588 {
589 int i;
590 STACK_OF(X509_NAME_ENTRY) *frag;
591 X509_NAME_ENTRY *ne;
592 if (!dpn || (dpn->type != 1))
593 return 1;
594 frag = dpn->name.relativename;
595 dpn->dpname = X509_NAME_dup(iname);
596 if (!dpn->dpname)
597 return 0;
598 for (i = 0; i < sk_X509_NAME_ENTRY_num(frag); i++)
599 {
600 ne = sk_X509_NAME_ENTRY_value(frag, i);
601 if (!X509_NAME_add_entry(dpn->dpname, ne, -1, i ? 0 : 1))
602 {
603 X509_NAME_free(dpn->dpname);
604 dpn->dpname = NULL;
605 return 0;
606 }
607 }
608 /* generate cached encoding of name */
609 if (i2d_X509_NAME(dpn->dpname, NULL) < 0)
610 {
611 X509_NAME_free(dpn->dpname);
612 dpn->dpname = NULL;
613 return 0;
614 }
615 return 1;
616 }
diff --git a/src/lib/libcrypto/x509v3/v3_enum.c b/src/lib/libcrypto/x509v3/v3_enum.c
deleted file mode 100644
index c0575e368d..0000000000
--- a/src/lib/libcrypto/x509v3/v3_enum.c
+++ /dev/null
@@ -1,97 +0,0 @@
1/* v3_enum.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/x509v3.h>
62
63static ENUMERATED_NAMES crl_reasons[] = {
64{CRL_REASON_UNSPECIFIED, "Unspecified", "unspecified"},
65{CRL_REASON_KEY_COMPROMISE, "Key Compromise", "keyCompromise"},
66{CRL_REASON_CA_COMPROMISE, "CA Compromise", "CACompromise"},
67{CRL_REASON_AFFILIATION_CHANGED, "Affiliation Changed", "affiliationChanged"},
68{CRL_REASON_SUPERSEDED, "Superseded", "superseded"},
69{CRL_REASON_CESSATION_OF_OPERATION,
70 "Cessation Of Operation", "cessationOfOperation"},
71{CRL_REASON_CERTIFICATE_HOLD, "Certificate Hold", "certificateHold"},
72{CRL_REASON_REMOVE_FROM_CRL, "Remove From CRL", "removeFromCRL"},
73{CRL_REASON_PRIVILEGE_WITHDRAWN, "Privilege Withdrawn", "privilegeWithdrawn"},
74{CRL_REASON_AA_COMPROMISE, "AA Compromise", "AACompromise"},
75{-1, NULL, NULL}
76};
77
78const X509V3_EXT_METHOD v3_crl_reason = {
79NID_crl_reason, 0, ASN1_ITEM_ref(ASN1_ENUMERATED),
800,0,0,0,
81(X509V3_EXT_I2S)i2s_ASN1_ENUMERATED_TABLE,
820,
830,0,0,0,
84crl_reasons};
85
86
87char *i2s_ASN1_ENUMERATED_TABLE(X509V3_EXT_METHOD *method,
88 ASN1_ENUMERATED *e)
89{
90 ENUMERATED_NAMES *enam;
91 long strval;
92 strval = ASN1_ENUMERATED_get(e);
93 for(enam = method->usr_data; enam->lname; enam++) {
94 if(strval == enam->bitnum) return BUF_strdup(enam->lname);
95 }
96 return i2s_ASN1_ENUMERATED(method, e);
97}
diff --git a/src/lib/libcrypto/x509v3/v3_extku.c b/src/lib/libcrypto/x509v3/v3_extku.c
deleted file mode 100644
index 1c66532757..0000000000
--- a/src/lib/libcrypto/x509v3/v3_extku.c
+++ /dev/null
@@ -1,144 +0,0 @@
1/* v3_extku.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59
60#include <stdio.h>
61#include "cryptlib.h"
62#include <openssl/asn1t.h>
63#include <openssl/conf.h>
64#include <openssl/x509v3.h>
65
66static void *v2i_EXTENDED_KEY_USAGE(const X509V3_EXT_METHOD *method,
67 X509V3_CTX *ctx,
68 STACK_OF(CONF_VALUE) *nval);
69static STACK_OF(CONF_VALUE) *i2v_EXTENDED_KEY_USAGE(const X509V3_EXT_METHOD *method,
70 void *eku, STACK_OF(CONF_VALUE) *extlist);
71
72const X509V3_EXT_METHOD v3_ext_ku = {
73 NID_ext_key_usage, 0,
74 ASN1_ITEM_ref(EXTENDED_KEY_USAGE),
75 0,0,0,0,
76 0,0,
77 i2v_EXTENDED_KEY_USAGE,
78 v2i_EXTENDED_KEY_USAGE,
79 0,0,
80 NULL
81};
82
83/* NB OCSP acceptable responses also is a SEQUENCE OF OBJECT */
84const X509V3_EXT_METHOD v3_ocsp_accresp = {
85 NID_id_pkix_OCSP_acceptableResponses, 0,
86 ASN1_ITEM_ref(EXTENDED_KEY_USAGE),
87 0,0,0,0,
88 0,0,
89 i2v_EXTENDED_KEY_USAGE,
90 v2i_EXTENDED_KEY_USAGE,
91 0,0,
92 NULL
93};
94
95ASN1_ITEM_TEMPLATE(EXTENDED_KEY_USAGE) =
96 ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, EXTENDED_KEY_USAGE, ASN1_OBJECT)
97ASN1_ITEM_TEMPLATE_END(EXTENDED_KEY_USAGE)
98
99IMPLEMENT_ASN1_FUNCTIONS(EXTENDED_KEY_USAGE)
100
101static STACK_OF(CONF_VALUE) *
102 i2v_EXTENDED_KEY_USAGE(const X509V3_EXT_METHOD *method, void *a,
103 STACK_OF(CONF_VALUE) *ext_list)
104{
105 EXTENDED_KEY_USAGE *eku = a;
106 int i;
107 ASN1_OBJECT *obj;
108 char obj_tmp[80];
109 for(i = 0; i < sk_ASN1_OBJECT_num(eku); i++) {
110 obj = sk_ASN1_OBJECT_value(eku, i);
111 i2t_ASN1_OBJECT(obj_tmp, 80, obj);
112 X509V3_add_value(NULL, obj_tmp, &ext_list);
113 }
114 return ext_list;
115}
116
117static void *v2i_EXTENDED_KEY_USAGE(const X509V3_EXT_METHOD *method,
118 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
119{
120 EXTENDED_KEY_USAGE *extku;
121 char *extval;
122 ASN1_OBJECT *objtmp;
123 CONF_VALUE *val;
124 int i;
125
126 if(!(extku = sk_ASN1_OBJECT_new_null())) {
127 X509V3err(X509V3_F_V2I_EXTENDED_KEY_USAGE,ERR_R_MALLOC_FAILURE);
128 return NULL;
129 }
130
131 for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
132 val = sk_CONF_VALUE_value(nval, i);
133 if(val->value) extval = val->value;
134 else extval = val->name;
135 if(!(objtmp = OBJ_txt2obj(extval, 0))) {
136 sk_ASN1_OBJECT_pop_free(extku, ASN1_OBJECT_free);
137 X509V3err(X509V3_F_V2I_EXTENDED_KEY_USAGE,X509V3_R_INVALID_OBJECT_IDENTIFIER);
138 X509V3_conf_err(val);
139 return NULL;
140 }
141 sk_ASN1_OBJECT_push(extku, objtmp);
142 }
143 return extku;
144}
diff --git a/src/lib/libcrypto/x509v3/v3_genn.c b/src/lib/libcrypto/x509v3/v3_genn.c
deleted file mode 100644
index b628357301..0000000000
--- a/src/lib/libcrypto/x509v3/v3_genn.c
+++ /dev/null
@@ -1,252 +0,0 @@
1/* v3_genn.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999-2008 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59
60#include <stdio.h>
61#include "cryptlib.h"
62#include <openssl/asn1t.h>
63#include <openssl/conf.h>
64#include <openssl/x509v3.h>
65
66ASN1_SEQUENCE(OTHERNAME) = {
67 ASN1_SIMPLE(OTHERNAME, type_id, ASN1_OBJECT),
68 /* Maybe have a true ANY DEFINED BY later */
69 ASN1_EXP(OTHERNAME, value, ASN1_ANY, 0)
70} ASN1_SEQUENCE_END(OTHERNAME)
71
72IMPLEMENT_ASN1_FUNCTIONS(OTHERNAME)
73
74ASN1_SEQUENCE(EDIPARTYNAME) = {
75 ASN1_IMP_OPT(EDIPARTYNAME, nameAssigner, DIRECTORYSTRING, 0),
76 ASN1_IMP_OPT(EDIPARTYNAME, partyName, DIRECTORYSTRING, 1)
77} ASN1_SEQUENCE_END(EDIPARTYNAME)
78
79IMPLEMENT_ASN1_FUNCTIONS(EDIPARTYNAME)
80
81ASN1_CHOICE(GENERAL_NAME) = {
82 ASN1_IMP(GENERAL_NAME, d.otherName, OTHERNAME, GEN_OTHERNAME),
83 ASN1_IMP(GENERAL_NAME, d.rfc822Name, ASN1_IA5STRING, GEN_EMAIL),
84 ASN1_IMP(GENERAL_NAME, d.dNSName, ASN1_IA5STRING, GEN_DNS),
85 /* Don't decode this */
86 ASN1_IMP(GENERAL_NAME, d.x400Address, ASN1_SEQUENCE, GEN_X400),
87 /* X509_NAME is a CHOICE type so use EXPLICIT */
88 ASN1_EXP(GENERAL_NAME, d.directoryName, X509_NAME, GEN_DIRNAME),
89 ASN1_IMP(GENERAL_NAME, d.ediPartyName, EDIPARTYNAME, GEN_EDIPARTY),
90 ASN1_IMP(GENERAL_NAME, d.uniformResourceIdentifier, ASN1_IA5STRING, GEN_URI),
91 ASN1_IMP(GENERAL_NAME, d.iPAddress, ASN1_OCTET_STRING, GEN_IPADD),
92 ASN1_IMP(GENERAL_NAME, d.registeredID, ASN1_OBJECT, GEN_RID)
93} ASN1_CHOICE_END(GENERAL_NAME)
94
95IMPLEMENT_ASN1_FUNCTIONS(GENERAL_NAME)
96
97ASN1_ITEM_TEMPLATE(GENERAL_NAMES) =
98 ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, GeneralNames, GENERAL_NAME)
99ASN1_ITEM_TEMPLATE_END(GENERAL_NAMES)
100
101IMPLEMENT_ASN1_FUNCTIONS(GENERAL_NAMES)
102
103GENERAL_NAME *GENERAL_NAME_dup(GENERAL_NAME *a)
104 {
105 return (GENERAL_NAME *) ASN1_dup((i2d_of_void *) i2d_GENERAL_NAME,
106 (d2i_of_void *) d2i_GENERAL_NAME,
107 (char *) a);
108 }
109
110/* Returns 0 if they are equal, != 0 otherwise. */
111int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b)
112 {
113 int result = -1;
114
115 if (!a || !b || a->type != b->type) return -1;
116 switch(a->type)
117 {
118 case GEN_X400:
119 case GEN_EDIPARTY:
120 result = ASN1_TYPE_cmp(a->d.other, b->d.other);
121 break;
122
123 case GEN_OTHERNAME:
124 result = OTHERNAME_cmp(a->d.otherName, b->d.otherName);
125 break;
126
127 case GEN_EMAIL:
128 case GEN_DNS:
129 case GEN_URI:
130 result = ASN1_STRING_cmp(a->d.ia5, b->d.ia5);
131 break;
132
133 case GEN_DIRNAME:
134 result = X509_NAME_cmp(a->d.dirn, b->d.dirn);
135 break;
136
137 case GEN_IPADD:
138 result = ASN1_OCTET_STRING_cmp(a->d.ip, b->d.ip);
139 break;
140
141 case GEN_RID:
142 result = OBJ_cmp(a->d.rid, b->d.rid);
143 break;
144 }
145 return result;
146 }
147
148/* Returns 0 if they are equal, != 0 otherwise. */
149int OTHERNAME_cmp(OTHERNAME *a, OTHERNAME *b)
150 {
151 int result = -1;
152
153 if (!a || !b) return -1;
154 /* Check their type first. */
155 if ((result = OBJ_cmp(a->type_id, b->type_id)) != 0)
156 return result;
157 /* Check the value. */
158 result = ASN1_TYPE_cmp(a->value, b->value);
159 return result;
160 }
161
162void GENERAL_NAME_set0_value(GENERAL_NAME *a, int type, void *value)
163 {
164 switch(type)
165 {
166 case GEN_X400:
167 case GEN_EDIPARTY:
168 a->d.other = value;
169 break;
170
171 case GEN_OTHERNAME:
172 a->d.otherName = value;
173 break;
174
175 case GEN_EMAIL:
176 case GEN_DNS:
177 case GEN_URI:
178 a->d.ia5 = value;
179 break;
180
181 case GEN_DIRNAME:
182 a->d.dirn = value;
183 break;
184
185 case GEN_IPADD:
186 a->d.ip = value;
187 break;
188
189 case GEN_RID:
190 a->d.rid = value;
191 break;
192 }
193 a->type = type;
194 }
195
196void *GENERAL_NAME_get0_value(GENERAL_NAME *a, int *ptype)
197 {
198 if (ptype)
199 *ptype = a->type;
200 switch(a->type)
201 {
202 case GEN_X400:
203 case GEN_EDIPARTY:
204 return a->d.other;
205
206 case GEN_OTHERNAME:
207 return a->d.otherName;
208
209 case GEN_EMAIL:
210 case GEN_DNS:
211 case GEN_URI:
212 return a->d.ia5;
213
214 case GEN_DIRNAME:
215 return a->d.dirn;
216
217 case GEN_IPADD:
218 return a->d.ip;
219
220 case GEN_RID:
221 return a->d.rid;
222
223 default:
224 return NULL;
225 }
226 }
227
228int GENERAL_NAME_set0_othername(GENERAL_NAME *gen,
229 ASN1_OBJECT *oid, ASN1_TYPE *value)
230 {
231 OTHERNAME *oth;
232 oth = OTHERNAME_new();
233 if (!oth)
234 return 0;
235 oth->type_id = oid;
236 oth->value = value;
237 GENERAL_NAME_set0_value(gen, GEN_OTHERNAME, oth);
238 return 1;
239 }
240
241int GENERAL_NAME_get0_otherName(GENERAL_NAME *gen,
242 ASN1_OBJECT **poid, ASN1_TYPE **pvalue)
243 {
244 if (gen->type != GEN_OTHERNAME)
245 return 0;
246 if (poid)
247 *poid = gen->d.otherName->type_id;
248 if (pvalue)
249 *pvalue = gen->d.otherName->value;
250 return 1;
251 }
252
diff --git a/src/lib/libcrypto/x509v3/v3_ia5.c b/src/lib/libcrypto/x509v3/v3_ia5.c
deleted file mode 100644
index 4ff12b52b5..0000000000
--- a/src/lib/libcrypto/x509v3/v3_ia5.c
+++ /dev/null
@@ -1,116 +0,0 @@
1/* v3_ia5.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59
60#include <stdio.h>
61#include "cryptlib.h"
62#include <openssl/asn1.h>
63#include <openssl/conf.h>
64#include <openssl/x509v3.h>
65
66static char *i2s_ASN1_IA5STRING(X509V3_EXT_METHOD *method, ASN1_IA5STRING *ia5);
67static ASN1_IA5STRING *s2i_ASN1_IA5STRING(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *str);
68const X509V3_EXT_METHOD v3_ns_ia5_list[] = {
69EXT_IA5STRING(NID_netscape_base_url),
70EXT_IA5STRING(NID_netscape_revocation_url),
71EXT_IA5STRING(NID_netscape_ca_revocation_url),
72EXT_IA5STRING(NID_netscape_renewal_url),
73EXT_IA5STRING(NID_netscape_ca_policy_url),
74EXT_IA5STRING(NID_netscape_ssl_server_name),
75EXT_IA5STRING(NID_netscape_comment),
76EXT_END
77};
78
79
80static char *i2s_ASN1_IA5STRING(X509V3_EXT_METHOD *method,
81 ASN1_IA5STRING *ia5)
82{
83 char *tmp;
84 if(!ia5 || !ia5->length) return NULL;
85 if(!(tmp = OPENSSL_malloc(ia5->length + 1))) {
86 X509V3err(X509V3_F_I2S_ASN1_IA5STRING,ERR_R_MALLOC_FAILURE);
87 return NULL;
88 }
89 memcpy(tmp, ia5->data, ia5->length);
90 tmp[ia5->length] = 0;
91 return tmp;
92}
93
94static ASN1_IA5STRING *s2i_ASN1_IA5STRING(X509V3_EXT_METHOD *method,
95 X509V3_CTX *ctx, char *str)
96{
97 ASN1_IA5STRING *ia5;
98 if(!str) {
99 X509V3err(X509V3_F_S2I_ASN1_IA5STRING,X509V3_R_INVALID_NULL_ARGUMENT);
100 return NULL;
101 }
102 if(!(ia5 = M_ASN1_IA5STRING_new())) goto err;
103 if(!ASN1_STRING_set((ASN1_STRING *)ia5, (unsigned char*)str,
104 strlen(str))) {
105 M_ASN1_IA5STRING_free(ia5);
106 goto err;
107 }
108#ifdef CHARSET_EBCDIC
109 ebcdic2ascii(ia5->data, ia5->data, ia5->length);
110#endif /*CHARSET_EBCDIC*/
111 return ia5;
112 err:
113 X509V3err(X509V3_F_S2I_ASN1_IA5STRING,ERR_R_MALLOC_FAILURE);
114 return NULL;
115}
116
diff --git a/src/lib/libcrypto/x509v3/v3_info.c b/src/lib/libcrypto/x509v3/v3_info.c
deleted file mode 100644
index e1b8699f92..0000000000
--- a/src/lib/libcrypto/x509v3/v3_info.c
+++ /dev/null
@@ -1,193 +0,0 @@
1/* v3_info.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/conf.h>
62#include <openssl/asn1.h>
63#include <openssl/asn1t.h>
64#include <openssl/x509v3.h>
65
66static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD *method,
67 AUTHORITY_INFO_ACCESS *ainfo,
68 STACK_OF(CONF_VALUE) *ret);
69static AUTHORITY_INFO_ACCESS *v2i_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD *method,
70 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
71
72const X509V3_EXT_METHOD v3_info =
73{ NID_info_access, X509V3_EXT_MULTILINE, ASN1_ITEM_ref(AUTHORITY_INFO_ACCESS),
740,0,0,0,
750,0,
76(X509V3_EXT_I2V)i2v_AUTHORITY_INFO_ACCESS,
77(X509V3_EXT_V2I)v2i_AUTHORITY_INFO_ACCESS,
780,0,
79NULL};
80
81const X509V3_EXT_METHOD v3_sinfo =
82{ NID_sinfo_access, X509V3_EXT_MULTILINE, ASN1_ITEM_ref(AUTHORITY_INFO_ACCESS),
830,0,0,0,
840,0,
85(X509V3_EXT_I2V)i2v_AUTHORITY_INFO_ACCESS,
86(X509V3_EXT_V2I)v2i_AUTHORITY_INFO_ACCESS,
870,0,
88NULL};
89
90ASN1_SEQUENCE(ACCESS_DESCRIPTION) = {
91 ASN1_SIMPLE(ACCESS_DESCRIPTION, method, ASN1_OBJECT),
92 ASN1_SIMPLE(ACCESS_DESCRIPTION, location, GENERAL_NAME)
93} ASN1_SEQUENCE_END(ACCESS_DESCRIPTION)
94
95IMPLEMENT_ASN1_FUNCTIONS(ACCESS_DESCRIPTION)
96
97ASN1_ITEM_TEMPLATE(AUTHORITY_INFO_ACCESS) =
98 ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, GeneralNames, ACCESS_DESCRIPTION)
99ASN1_ITEM_TEMPLATE_END(AUTHORITY_INFO_ACCESS)
100
101IMPLEMENT_ASN1_FUNCTIONS(AUTHORITY_INFO_ACCESS)
102
103static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD *method,
104 AUTHORITY_INFO_ACCESS *ainfo,
105 STACK_OF(CONF_VALUE) *ret)
106{
107 ACCESS_DESCRIPTION *desc;
108 int i,nlen;
109 char objtmp[80], *ntmp;
110 CONF_VALUE *vtmp;
111 for(i = 0; i < sk_ACCESS_DESCRIPTION_num(ainfo); i++) {
112 desc = sk_ACCESS_DESCRIPTION_value(ainfo, i);
113 ret = i2v_GENERAL_NAME(method, desc->location, ret);
114 if(!ret) break;
115 vtmp = sk_CONF_VALUE_value(ret, i);
116 i2t_ASN1_OBJECT(objtmp, sizeof objtmp, desc->method);
117 nlen = strlen(objtmp) + strlen(vtmp->name) + 5;
118 ntmp = OPENSSL_malloc(nlen);
119 if(!ntmp) {
120 X509V3err(X509V3_F_I2V_AUTHORITY_INFO_ACCESS,
121 ERR_R_MALLOC_FAILURE);
122 return NULL;
123 }
124 BUF_strlcpy(ntmp, objtmp, nlen);
125 BUF_strlcat(ntmp, " - ", nlen);
126 BUF_strlcat(ntmp, vtmp->name, nlen);
127 OPENSSL_free(vtmp->name);
128 vtmp->name = ntmp;
129
130 }
131 if(!ret) return sk_CONF_VALUE_new_null();
132 return ret;
133}
134
135static AUTHORITY_INFO_ACCESS *v2i_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD *method,
136 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
137{
138 AUTHORITY_INFO_ACCESS *ainfo = NULL;
139 CONF_VALUE *cnf, ctmp;
140 ACCESS_DESCRIPTION *acc;
141 int i, objlen;
142 char *objtmp, *ptmp;
143 if(!(ainfo = sk_ACCESS_DESCRIPTION_new_null())) {
144 X509V3err(X509V3_F_V2I_AUTHORITY_INFO_ACCESS,ERR_R_MALLOC_FAILURE);
145 return NULL;
146 }
147 for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
148 cnf = sk_CONF_VALUE_value(nval, i);
149 if(!(acc = ACCESS_DESCRIPTION_new())
150 || !sk_ACCESS_DESCRIPTION_push(ainfo, acc)) {
151 X509V3err(X509V3_F_V2I_AUTHORITY_INFO_ACCESS,ERR_R_MALLOC_FAILURE);
152 goto err;
153 }
154 ptmp = strchr(cnf->name, ';');
155 if(!ptmp) {
156 X509V3err(X509V3_F_V2I_AUTHORITY_INFO_ACCESS,X509V3_R_INVALID_SYNTAX);
157 goto err;
158 }
159 objlen = ptmp - cnf->name;
160 ctmp.name = ptmp + 1;
161 ctmp.value = cnf->value;
162 if(!v2i_GENERAL_NAME_ex(acc->location, method, ctx, &ctmp, 0))
163 goto err;
164 if(!(objtmp = OPENSSL_malloc(objlen + 1))) {
165 X509V3err(X509V3_F_V2I_AUTHORITY_INFO_ACCESS,ERR_R_MALLOC_FAILURE);
166 goto err;
167 }
168 strncpy(objtmp, cnf->name, objlen);
169 objtmp[objlen] = 0;
170 acc->method = OBJ_txt2obj(objtmp, 0);
171 if(!acc->method) {
172 X509V3err(X509V3_F_V2I_AUTHORITY_INFO_ACCESS,X509V3_R_BAD_OBJECT);
173 ERR_add_error_data(2, "value=", objtmp);
174 OPENSSL_free(objtmp);
175 goto err;
176 }
177 OPENSSL_free(objtmp);
178
179 }
180 return ainfo;
181 err:
182 sk_ACCESS_DESCRIPTION_pop_free(ainfo, ACCESS_DESCRIPTION_free);
183 return NULL;
184}
185
186int i2a_ACCESS_DESCRIPTION(BIO *bp, ACCESS_DESCRIPTION* a)
187 {
188 i2a_ASN1_OBJECT(bp, a->method);
189#ifdef UNDEF
190 i2a_GENERAL_NAME(bp, a->location);
191#endif
192 return 2;
193 }
diff --git a/src/lib/libcrypto/x509v3/v3_int.c b/src/lib/libcrypto/x509v3/v3_int.c
deleted file mode 100644
index 4bfd14cf46..0000000000
--- a/src/lib/libcrypto/x509v3/v3_int.c
+++ /dev/null
@@ -1,89 +0,0 @@
1/* v3_int.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/x509v3.h>
62
63const X509V3_EXT_METHOD v3_crl_num = {
64 NID_crl_number, 0, ASN1_ITEM_ref(ASN1_INTEGER),
65 0,0,0,0,
66 (X509V3_EXT_I2S)i2s_ASN1_INTEGER,
67 0,
68 0,0,0,0, NULL};
69
70const X509V3_EXT_METHOD v3_delta_crl = {
71 NID_delta_crl, 0, ASN1_ITEM_ref(ASN1_INTEGER),
72 0,0,0,0,
73 (X509V3_EXT_I2S)i2s_ASN1_INTEGER,
74 0,
75 0,0,0,0, NULL};
76
77static void * s2i_asn1_int(X509V3_EXT_METHOD *meth, X509V3_CTX *ctx, char *value)
78 {
79 return s2i_ASN1_INTEGER(meth, value);
80 }
81
82const X509V3_EXT_METHOD v3_inhibit_anyp = {
83 NID_inhibit_any_policy, 0, ASN1_ITEM_ref(ASN1_INTEGER),
84 0,0,0,0,
85 (X509V3_EXT_I2S)i2s_ASN1_INTEGER,
86 (X509V3_EXT_S2I)s2i_asn1_int,
87 0,0,0,0, NULL};
88
89
diff --git a/src/lib/libcrypto/x509v3/v3_lib.c b/src/lib/libcrypto/x509v3/v3_lib.c
deleted file mode 100644
index 0f1e1d4422..0000000000
--- a/src/lib/libcrypto/x509v3/v3_lib.c
+++ /dev/null
@@ -1,309 +0,0 @@
1/* v3_lib.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58/* X509 v3 extension utilities */
59
60#include <stdio.h>
61#include "cryptlib.h"
62#include <openssl/conf.h>
63#include <openssl/x509v3.h>
64
65#include "ext_dat.h"
66
67static STACK_OF(X509V3_EXT_METHOD) *ext_list = NULL;
68
69static int ext_cmp(const X509V3_EXT_METHOD * const *a,
70 const X509V3_EXT_METHOD * const *b);
71static void ext_list_free(X509V3_EXT_METHOD *ext);
72
73int X509V3_EXT_add(X509V3_EXT_METHOD *ext)
74{
75 if(!ext_list && !(ext_list = sk_X509V3_EXT_METHOD_new(ext_cmp))) {
76 X509V3err(X509V3_F_X509V3_EXT_ADD,ERR_R_MALLOC_FAILURE);
77 return 0;
78 }
79 if(!sk_X509V3_EXT_METHOD_push(ext_list, ext)) {
80 X509V3err(X509V3_F_X509V3_EXT_ADD,ERR_R_MALLOC_FAILURE);
81 return 0;
82 }
83 return 1;
84}
85
86static int ext_cmp(const X509V3_EXT_METHOD * const *a,
87 const X509V3_EXT_METHOD * const *b)
88{
89 return ((*a)->ext_nid - (*b)->ext_nid);
90}
91
92DECLARE_OBJ_BSEARCH_CMP_FN(const X509V3_EXT_METHOD *, const X509V3_EXT_METHOD *,
93 ext);
94IMPLEMENT_OBJ_BSEARCH_CMP_FN(const X509V3_EXT_METHOD *,
95 const X509V3_EXT_METHOD *, ext);
96
97const X509V3_EXT_METHOD *X509V3_EXT_get_nid(int nid)
98{
99 X509V3_EXT_METHOD tmp;
100 const X509V3_EXT_METHOD *t = &tmp, * const *ret;
101 int idx;
102 if(nid < 0) return NULL;
103 tmp.ext_nid = nid;
104 ret = OBJ_bsearch_ext(&t, standard_exts, STANDARD_EXTENSION_COUNT);
105 if(ret) return *ret;
106 if(!ext_list) return NULL;
107 idx = sk_X509V3_EXT_METHOD_find(ext_list, &tmp);
108 if(idx == -1) return NULL;
109 return sk_X509V3_EXT_METHOD_value(ext_list, idx);
110}
111
112const X509V3_EXT_METHOD *X509V3_EXT_get(X509_EXTENSION *ext)
113{
114 int nid;
115 if((nid = OBJ_obj2nid(ext->object)) == NID_undef) return NULL;
116 return X509V3_EXT_get_nid(nid);
117}
118
119
120int X509V3_EXT_add_list(X509V3_EXT_METHOD *extlist)
121{
122 for(;extlist->ext_nid!=-1;extlist++)
123 if(!X509V3_EXT_add(extlist)) return 0;
124 return 1;
125}
126
127int X509V3_EXT_add_alias(int nid_to, int nid_from)
128{
129 const X509V3_EXT_METHOD *ext;
130 X509V3_EXT_METHOD *tmpext;
131
132 if(!(ext = X509V3_EXT_get_nid(nid_from))) {
133 X509V3err(X509V3_F_X509V3_EXT_ADD_ALIAS,X509V3_R_EXTENSION_NOT_FOUND);
134 return 0;
135 }
136 if(!(tmpext = (X509V3_EXT_METHOD *)OPENSSL_malloc(sizeof(X509V3_EXT_METHOD)))) {
137 X509V3err(X509V3_F_X509V3_EXT_ADD_ALIAS,ERR_R_MALLOC_FAILURE);
138 return 0;
139 }
140 *tmpext = *ext;
141 tmpext->ext_nid = nid_to;
142 tmpext->ext_flags |= X509V3_EXT_DYNAMIC;
143 return X509V3_EXT_add(tmpext);
144}
145
146void X509V3_EXT_cleanup(void)
147{
148 sk_X509V3_EXT_METHOD_pop_free(ext_list, ext_list_free);
149 ext_list = NULL;
150}
151
152static void ext_list_free(X509V3_EXT_METHOD *ext)
153{
154 if(ext->ext_flags & X509V3_EXT_DYNAMIC) OPENSSL_free(ext);
155}
156
157/* Legacy function: we don't need to add standard extensions
158 * any more because they are now kept in ext_dat.h.
159 */
160
161int X509V3_add_standard_extensions(void)
162{
163 return 1;
164}
165
166/* Return an extension internal structure */
167
168void *X509V3_EXT_d2i(X509_EXTENSION *ext)
169{
170 const X509V3_EXT_METHOD *method;
171 const unsigned char *p;
172
173 if(!(method = X509V3_EXT_get(ext))) return NULL;
174 p = ext->value->data;
175 if(method->it) return ASN1_item_d2i(NULL, &p, ext->value->length, ASN1_ITEM_ptr(method->it));
176 return method->d2i(NULL, &p, ext->value->length);
177}
178
179/* Get critical flag and decoded version of extension from a NID.
180 * The "idx" variable returns the last found extension and can
181 * be used to retrieve multiple extensions of the same NID.
182 * However multiple extensions with the same NID is usually
183 * due to a badly encoded certificate so if idx is NULL we
184 * choke if multiple extensions exist.
185 * The "crit" variable is set to the critical value.
186 * The return value is the decoded extension or NULL on
187 * error. The actual error can have several different causes,
188 * the value of *crit reflects the cause:
189 * >= 0, extension found but not decoded (reflects critical value).
190 * -1 extension not found.
191 * -2 extension occurs more than once.
192 */
193
194void *X509V3_get_d2i(STACK_OF(X509_EXTENSION) *x, int nid, int *crit, int *idx)
195{
196 int lastpos, i;
197 X509_EXTENSION *ex, *found_ex = NULL;
198 if(!x) {
199 if(idx) *idx = -1;
200 if(crit) *crit = -1;
201 return NULL;
202 }
203 if(idx) lastpos = *idx + 1;
204 else lastpos = 0;
205 if(lastpos < 0) lastpos = 0;
206 for(i = lastpos; i < sk_X509_EXTENSION_num(x); i++)
207 {
208 ex = sk_X509_EXTENSION_value(x, i);
209 if(OBJ_obj2nid(ex->object) == nid) {
210 if(idx) {
211 *idx = i;
212 found_ex = ex;
213 break;
214 } else if(found_ex) {
215 /* Found more than one */
216 if(crit) *crit = -2;
217 return NULL;
218 }
219 found_ex = ex;
220 }
221 }
222 if(found_ex) {
223 /* Found it */
224 if(crit) *crit = X509_EXTENSION_get_critical(found_ex);
225 return X509V3_EXT_d2i(found_ex);
226 }
227
228 /* Extension not found */
229 if(idx) *idx = -1;
230 if(crit) *crit = -1;
231 return NULL;
232}
233
234/* This function is a general extension append, replace and delete utility.
235 * The precise operation is governed by the 'flags' value. The 'crit' and
236 * 'value' arguments (if relevant) are the extensions internal structure.
237 */
238
239int X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value,
240 int crit, unsigned long flags)
241{
242 int extidx = -1;
243 int errcode;
244 X509_EXTENSION *ext, *extmp;
245 unsigned long ext_op = flags & X509V3_ADD_OP_MASK;
246
247 /* If appending we don't care if it exists, otherwise
248 * look for existing extension.
249 */
250 if(ext_op != X509V3_ADD_APPEND)
251 extidx = X509v3_get_ext_by_NID(*x, nid, -1);
252
253 /* See if extension exists */
254 if(extidx >= 0) {
255 /* If keep existing, nothing to do */
256 if(ext_op == X509V3_ADD_KEEP_EXISTING)
257 return 1;
258 /* If default then its an error */
259 if(ext_op == X509V3_ADD_DEFAULT) {
260 errcode = X509V3_R_EXTENSION_EXISTS;
261 goto err;
262 }
263 /* If delete, just delete it */
264 if(ext_op == X509V3_ADD_DELETE) {
265 if(!sk_X509_EXTENSION_delete(*x, extidx)) return -1;
266 return 1;
267 }
268 } else {
269 /* If replace existing or delete, error since
270 * extension must exist
271 */
272 if((ext_op == X509V3_ADD_REPLACE_EXISTING) ||
273 (ext_op == X509V3_ADD_DELETE)) {
274 errcode = X509V3_R_EXTENSION_NOT_FOUND;
275 goto err;
276 }
277 }
278
279 /* If we get this far then we have to create an extension:
280 * could have some flags for alternative encoding schemes...
281 */
282
283 ext = X509V3_EXT_i2d(nid, crit, value);
284
285 if(!ext) {
286 X509V3err(X509V3_F_X509V3_ADD1_I2D, X509V3_R_ERROR_CREATING_EXTENSION);
287 return 0;
288 }
289
290 /* If extension exists replace it.. */
291 if(extidx >= 0) {
292 extmp = sk_X509_EXTENSION_value(*x, extidx);
293 X509_EXTENSION_free(extmp);
294 if(!sk_X509_EXTENSION_set(*x, extidx, ext)) return -1;
295 return 1;
296 }
297
298 if(!*x && !(*x = sk_X509_EXTENSION_new_null())) return -1;
299 if(!sk_X509_EXTENSION_push(*x, ext)) return -1;
300
301 return 1;
302
303 err:
304 if(!(flags & X509V3_ADD_SILENT))
305 X509V3err(X509V3_F_X509V3_ADD1_I2D, errcode);
306 return 0;
307}
308
309IMPLEMENT_STACK_OF(X509V3_EXT_METHOD)
diff --git a/src/lib/libcrypto/x509v3/v3_ncons.c b/src/lib/libcrypto/x509v3/v3_ncons.c
deleted file mode 100644
index a01dc64dd2..0000000000
--- a/src/lib/libcrypto/x509v3/v3_ncons.c
+++ /dev/null
@@ -1,505 +0,0 @@
1/* v3_ncons.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project.
4 */
5/* ====================================================================
6 * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59
60#include <stdio.h>
61#include "cryptlib.h"
62#include <openssl/asn1t.h>
63#include <openssl/conf.h>
64#include <openssl/x509v3.h>
65
66static void *v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method,
67 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
68static int i2r_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method,
69 void *a, BIO *bp, int ind);
70static int do_i2r_name_constraints(const X509V3_EXT_METHOD *method,
71 STACK_OF(GENERAL_SUBTREE) *trees,
72 BIO *bp, int ind, char *name);
73static int print_nc_ipadd(BIO *bp, ASN1_OCTET_STRING *ip);
74
75static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc);
76static int nc_match_single(GENERAL_NAME *sub, GENERAL_NAME *gen);
77static int nc_dn(X509_NAME *sub, X509_NAME *nm);
78static int nc_dns(ASN1_IA5STRING *sub, ASN1_IA5STRING *dns);
79static int nc_email(ASN1_IA5STRING *sub, ASN1_IA5STRING *eml);
80static int nc_uri(ASN1_IA5STRING *uri, ASN1_IA5STRING *base);
81
82const X509V3_EXT_METHOD v3_name_constraints = {
83 NID_name_constraints, 0,
84 ASN1_ITEM_ref(NAME_CONSTRAINTS),
85 0,0,0,0,
86 0,0,
87 0, v2i_NAME_CONSTRAINTS,
88 i2r_NAME_CONSTRAINTS,0,
89 NULL
90};
91
92ASN1_SEQUENCE(GENERAL_SUBTREE) = {
93 ASN1_SIMPLE(GENERAL_SUBTREE, base, GENERAL_NAME),
94 ASN1_IMP_OPT(GENERAL_SUBTREE, minimum, ASN1_INTEGER, 0),
95 ASN1_IMP_OPT(GENERAL_SUBTREE, maximum, ASN1_INTEGER, 1)
96} ASN1_SEQUENCE_END(GENERAL_SUBTREE)
97
98ASN1_SEQUENCE(NAME_CONSTRAINTS) = {
99 ASN1_IMP_SEQUENCE_OF_OPT(NAME_CONSTRAINTS, permittedSubtrees,
100 GENERAL_SUBTREE, 0),
101 ASN1_IMP_SEQUENCE_OF_OPT(NAME_CONSTRAINTS, excludedSubtrees,
102 GENERAL_SUBTREE, 1),
103} ASN1_SEQUENCE_END(NAME_CONSTRAINTS)
104
105
106IMPLEMENT_ASN1_ALLOC_FUNCTIONS(GENERAL_SUBTREE)
107IMPLEMENT_ASN1_ALLOC_FUNCTIONS(NAME_CONSTRAINTS)
108
109static void *v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method,
110 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
111 {
112 int i;
113 CONF_VALUE tval, *val;
114 STACK_OF(GENERAL_SUBTREE) **ptree = NULL;
115 NAME_CONSTRAINTS *ncons = NULL;
116 GENERAL_SUBTREE *sub = NULL;
117 ncons = NAME_CONSTRAINTS_new();
118 if (!ncons)
119 goto memerr;
120 for(i = 0; i < sk_CONF_VALUE_num(nval); i++)
121 {
122 val = sk_CONF_VALUE_value(nval, i);
123 if (!strncmp(val->name, "permitted", 9) && val->name[9])
124 {
125 ptree = &ncons->permittedSubtrees;
126 tval.name = val->name + 10;
127 }
128 else if (!strncmp(val->name, "excluded", 8) && val->name[8])
129 {
130 ptree = &ncons->excludedSubtrees;
131 tval.name = val->name + 9;
132 }
133 else
134 {
135 X509V3err(X509V3_F_V2I_NAME_CONSTRAINTS, X509V3_R_INVALID_SYNTAX);
136 goto err;
137 }
138 tval.value = val->value;
139 sub = GENERAL_SUBTREE_new();
140 if (!v2i_GENERAL_NAME_ex(sub->base, method, ctx, &tval, 1))
141 goto err;
142 if (!*ptree)
143 *ptree = sk_GENERAL_SUBTREE_new_null();
144 if (!*ptree || !sk_GENERAL_SUBTREE_push(*ptree, sub))
145 goto memerr;
146 sub = NULL;
147 }
148
149 return ncons;
150
151 memerr:
152 X509V3err(X509V3_F_V2I_NAME_CONSTRAINTS, ERR_R_MALLOC_FAILURE);
153 err:
154 if (ncons)
155 NAME_CONSTRAINTS_free(ncons);
156 if (sub)
157 GENERAL_SUBTREE_free(sub);
158
159 return NULL;
160 }
161
162
163
164
165static int i2r_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method, void *a,
166 BIO *bp, int ind)
167 {
168 NAME_CONSTRAINTS *ncons = a;
169 do_i2r_name_constraints(method, ncons->permittedSubtrees,
170 bp, ind, "Permitted");
171 do_i2r_name_constraints(method, ncons->excludedSubtrees,
172 bp, ind, "Excluded");
173 return 1;
174 }
175
176static int do_i2r_name_constraints(const X509V3_EXT_METHOD *method,
177 STACK_OF(GENERAL_SUBTREE) *trees,
178 BIO *bp, int ind, char *name)
179 {
180 GENERAL_SUBTREE *tree;
181 int i;
182 if (sk_GENERAL_SUBTREE_num(trees) > 0)
183 BIO_printf(bp, "%*s%s:\n", ind, "", name);
184 for(i = 0; i < sk_GENERAL_SUBTREE_num(trees); i++)
185 {
186 tree = sk_GENERAL_SUBTREE_value(trees, i);
187 BIO_printf(bp, "%*s", ind + 2, "");
188 if (tree->base->type == GEN_IPADD)
189 print_nc_ipadd(bp, tree->base->d.ip);
190 else
191 GENERAL_NAME_print(bp, tree->base);
192 BIO_puts(bp, "\n");
193 }
194 return 1;
195 }
196
197static int print_nc_ipadd(BIO *bp, ASN1_OCTET_STRING *ip)
198 {
199 int i, len;
200 unsigned char *p;
201 p = ip->data;
202 len = ip->length;
203 BIO_puts(bp, "IP:");
204 if(len == 8)
205 {
206 BIO_printf(bp, "%d.%d.%d.%d/%d.%d.%d.%d",
207 p[0], p[1], p[2], p[3],
208 p[4], p[5], p[6], p[7]);
209 }
210 else if(len == 32)
211 {
212 for (i = 0; i < 16; i++)
213 {
214 BIO_printf(bp, "%X", p[0] << 8 | p[1]);
215 p += 2;
216 if (i == 7)
217 BIO_puts(bp, "/");
218 else if (i != 15)
219 BIO_puts(bp, ":");
220 }
221 }
222 else
223 BIO_printf(bp, "IP Address:<invalid>");
224 return 1;
225 }
226
227/* Check a certificate conforms to a specified set of constraints.
228 * Return values:
229 * X509_V_OK: All constraints obeyed.
230 * X509_V_ERR_PERMITTED_VIOLATION: Permitted subtree violation.
231 * X509_V_ERR_EXCLUDED_VIOLATION: Excluded subtree violation.
232 * X509_V_ERR_SUBTREE_MINMAX: Min or max values present and matching type.
233 * X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE: Unsupported constraint type.
234 * X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX: bad unsupported constraint syntax.
235 * X509_V_ERR_UNSUPPORTED_NAME_SYNTAX: bad or unsupported syntax of name
236
237 */
238
239int NAME_CONSTRAINTS_check(X509 *x, NAME_CONSTRAINTS *nc)
240 {
241 int r, i;
242 X509_NAME *nm;
243
244 nm = X509_get_subject_name(x);
245
246 if (X509_NAME_entry_count(nm) > 0)
247 {
248 GENERAL_NAME gntmp;
249 gntmp.type = GEN_DIRNAME;
250 gntmp.d.directoryName = nm;
251
252 r = nc_match(&gntmp, nc);
253
254 if (r != X509_V_OK)
255 return r;
256
257 gntmp.type = GEN_EMAIL;
258
259
260 /* Process any email address attributes in subject name */
261
262 for (i = -1;;)
263 {
264 X509_NAME_ENTRY *ne;
265 i = X509_NAME_get_index_by_NID(nm,
266 NID_pkcs9_emailAddress,
267 i);
268 if (i == -1)
269 break;
270 ne = X509_NAME_get_entry(nm, i);
271 gntmp.d.rfc822Name = X509_NAME_ENTRY_get_data(ne);
272 if (gntmp.d.rfc822Name->type != V_ASN1_IA5STRING)
273 return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
274
275 r = nc_match(&gntmp, nc);
276
277 if (r != X509_V_OK)
278 return r;
279 }
280
281 }
282
283 for (i = 0; i < sk_GENERAL_NAME_num(x->altname); i++)
284 {
285 GENERAL_NAME *gen = sk_GENERAL_NAME_value(x->altname, i);
286 r = nc_match(gen, nc);
287 if (r != X509_V_OK)
288 return r;
289 }
290
291 return X509_V_OK;
292
293 }
294
295static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc)
296 {
297 GENERAL_SUBTREE *sub;
298 int i, r, match = 0;
299
300 /* Permitted subtrees: if any subtrees exist of matching the type
301 * at least one subtree must match.
302 */
303
304 for (i = 0; i < sk_GENERAL_SUBTREE_num(nc->permittedSubtrees); i++)
305 {
306 sub = sk_GENERAL_SUBTREE_value(nc->permittedSubtrees, i);
307 if (gen->type != sub->base->type)
308 continue;
309 if (sub->minimum || sub->maximum)
310 return X509_V_ERR_SUBTREE_MINMAX;
311 /* If we already have a match don't bother trying any more */
312 if (match == 2)
313 continue;
314 if (match == 0)
315 match = 1;
316 r = nc_match_single(gen, sub->base);
317 if (r == X509_V_OK)
318 match = 2;
319 else if (r != X509_V_ERR_PERMITTED_VIOLATION)
320 return r;
321 }
322
323 if (match == 1)
324 return X509_V_ERR_PERMITTED_VIOLATION;
325
326 /* Excluded subtrees: must not match any of these */
327
328 for (i = 0; i < sk_GENERAL_SUBTREE_num(nc->excludedSubtrees); i++)
329 {
330 sub = sk_GENERAL_SUBTREE_value(nc->excludedSubtrees, i);
331 if (gen->type != sub->base->type)
332 continue;
333 if (sub->minimum || sub->maximum)
334 return X509_V_ERR_SUBTREE_MINMAX;
335
336 r = nc_match_single(gen, sub->base);
337 if (r == X509_V_OK)
338 return X509_V_ERR_EXCLUDED_VIOLATION;
339 else if (r != X509_V_ERR_PERMITTED_VIOLATION)
340 return r;
341
342 }
343
344 return X509_V_OK;
345
346 }
347
348static int nc_match_single(GENERAL_NAME *gen, GENERAL_NAME *base)
349 {
350 switch(base->type)
351 {
352 case GEN_DIRNAME:
353 return nc_dn(gen->d.directoryName, base->d.directoryName);
354
355 case GEN_DNS:
356 return nc_dns(gen->d.dNSName, base->d.dNSName);
357
358 case GEN_EMAIL:
359 return nc_email(gen->d.rfc822Name, base->d.rfc822Name);
360
361 case GEN_URI:
362 return nc_uri(gen->d.uniformResourceIdentifier,
363 base->d.uniformResourceIdentifier);
364
365 default:
366 return X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE;
367 }
368
369 }
370
371/* directoryName name constraint matching.
372 * The canonical encoding of X509_NAME makes this comparison easy. It is
373 * matched if the subtree is a subset of the name.
374 */
375
376static int nc_dn(X509_NAME *nm, X509_NAME *base)
377 {
378 /* Ensure canonical encodings are up to date. */
379 if (nm->modified && i2d_X509_NAME(nm, NULL) < 0)
380 return X509_V_ERR_OUT_OF_MEM;
381 if (base->modified && i2d_X509_NAME(base, NULL) < 0)
382 return X509_V_ERR_OUT_OF_MEM;
383 if (base->canon_enclen > nm->canon_enclen)
384 return X509_V_ERR_PERMITTED_VIOLATION;
385 if (memcmp(base->canon_enc, nm->canon_enc, base->canon_enclen))
386 return X509_V_ERR_PERMITTED_VIOLATION;
387 return X509_V_OK;
388 }
389
390static int nc_dns(ASN1_IA5STRING *dns, ASN1_IA5STRING *base)
391 {
392 char *baseptr = (char *)base->data;
393 char *dnsptr = (char *)dns->data;
394 /* Empty matches everything */
395 if (!*baseptr)
396 return X509_V_OK;
397 /* Otherwise can add zero or more components on the left so
398 * compare RHS and if dns is longer and expect '.' as preceding
399 * character.
400 */
401 if (dns->length > base->length)
402 {
403 dnsptr += dns->length - base->length;
404 if (dnsptr[-1] != '.')
405 return X509_V_ERR_PERMITTED_VIOLATION;
406 }
407
408 if (strcasecmp(baseptr, dnsptr))
409 return X509_V_ERR_PERMITTED_VIOLATION;
410
411 return X509_V_OK;
412
413 }
414
415static int nc_email(ASN1_IA5STRING *eml, ASN1_IA5STRING *base)
416 {
417 const char *baseptr = (char *)base->data;
418 const char *emlptr = (char *)eml->data;
419
420 const char *baseat = strchr(baseptr, '@');
421 const char *emlat = strchr(emlptr, '@');
422 if (!emlat)
423 return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
424 /* Special case: inital '.' is RHS match */
425 if (!baseat && (*baseptr == '.'))
426 {
427 if (eml->length > base->length)
428 {
429 emlptr += eml->length - base->length;
430 if (!strcasecmp(baseptr, emlptr))
431 return X509_V_OK;
432 }
433 return X509_V_ERR_PERMITTED_VIOLATION;
434 }
435
436 /* If we have anything before '@' match local part */
437
438 if (baseat)
439 {
440 if (baseat != baseptr)
441 {
442 if ((baseat - baseptr) != (emlat - emlptr))
443 return X509_V_ERR_PERMITTED_VIOLATION;
444 /* Case sensitive match of local part */
445 if (strncmp(baseptr, emlptr, emlat - emlptr))
446 return X509_V_ERR_PERMITTED_VIOLATION;
447 }
448 /* Position base after '@' */
449 baseptr = baseat + 1;
450 }
451 emlptr = emlat + 1;
452 /* Just have hostname left to match: case insensitive */
453 if (strcasecmp(baseptr, emlptr))
454 return X509_V_ERR_PERMITTED_VIOLATION;
455
456 return X509_V_OK;
457
458 }
459
460static int nc_uri(ASN1_IA5STRING *uri, ASN1_IA5STRING *base)
461 {
462 const char *baseptr = (char *)base->data;
463 const char *hostptr = (char *)uri->data;
464 const char *p = strchr(hostptr, ':');
465 int hostlen;
466 /* Check for foo:// and skip past it */
467 if (!p || (p[1] != '/') || (p[2] != '/'))
468 return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
469 hostptr = p + 3;
470
471 /* Determine length of hostname part of URI */
472
473 /* Look for a port indicator as end of hostname first */
474
475 p = strchr(hostptr, ':');
476 /* Otherwise look for trailing slash */
477 if (!p)
478 p = strchr(hostptr, '/');
479
480 if (!p)
481 hostlen = strlen(hostptr);
482 else
483 hostlen = p - hostptr;
484
485 if (hostlen == 0)
486 return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
487
488 /* Special case: inital '.' is RHS match */
489 if (*baseptr == '.')
490 {
491 if (hostlen > base->length)
492 {
493 p = hostptr + hostlen - base->length;
494 if (!strncasecmp(p, baseptr, base->length))
495 return X509_V_OK;
496 }
497 return X509_V_ERR_PERMITTED_VIOLATION;
498 }
499
500 if ((base->length != (int)hostlen) || strncasecmp(hostptr, baseptr, hostlen))
501 return X509_V_ERR_PERMITTED_VIOLATION;
502
503 return X509_V_OK;
504
505 }
diff --git a/src/lib/libcrypto/x509v3/v3_ocsp.c b/src/lib/libcrypto/x509v3/v3_ocsp.c
deleted file mode 100644
index 0c165af314..0000000000
--- a/src/lib/libcrypto/x509v3/v3_ocsp.c
+++ /dev/null
@@ -1,289 +0,0 @@
1/* v3_ocsp.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#ifndef OPENSSL_NO_OCSP
60
61#include <stdio.h>
62#include "cryptlib.h"
63#include <openssl/conf.h>
64#include <openssl/asn1.h>
65#include <openssl/ocsp.h>
66#include <openssl/x509v3.h>
67
68/* OCSP extensions and a couple of CRL entry extensions
69 */
70
71static int i2r_ocsp_crlid(const X509V3_EXT_METHOD *method, void *nonce,
72 BIO *out, int indent);
73static int i2r_ocsp_acutoff(const X509V3_EXT_METHOD *method, void *nonce,
74 BIO *out, int indent);
75static int i2r_object(const X509V3_EXT_METHOD *method, void *obj, BIO *out,
76 int indent);
77
78static void *ocsp_nonce_new(void);
79static int i2d_ocsp_nonce(void *a, unsigned char **pp);
80static void *d2i_ocsp_nonce(void *a, const unsigned char **pp, long length);
81static void ocsp_nonce_free(void *a);
82static int i2r_ocsp_nonce(const X509V3_EXT_METHOD *method, void *nonce,
83 BIO *out, int indent);
84
85static int i2r_ocsp_nocheck(const X509V3_EXT_METHOD *method,
86 void *nocheck, BIO *out, int indent);
87static void *s2i_ocsp_nocheck(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
88 const char *str);
89static int i2r_ocsp_serviceloc(const X509V3_EXT_METHOD *method, void *in,
90 BIO *bp, int ind);
91
92const X509V3_EXT_METHOD v3_ocsp_crlid = {
93 NID_id_pkix_OCSP_CrlID, 0, ASN1_ITEM_ref(OCSP_CRLID),
94 0,0,0,0,
95 0,0,
96 0,0,
97 i2r_ocsp_crlid,0,
98 NULL
99};
100
101const X509V3_EXT_METHOD v3_ocsp_acutoff = {
102 NID_id_pkix_OCSP_archiveCutoff, 0, ASN1_ITEM_ref(ASN1_GENERALIZEDTIME),
103 0,0,0,0,
104 0,0,
105 0,0,
106 i2r_ocsp_acutoff,0,
107 NULL
108};
109
110const X509V3_EXT_METHOD v3_crl_invdate = {
111 NID_invalidity_date, 0, ASN1_ITEM_ref(ASN1_GENERALIZEDTIME),
112 0,0,0,0,
113 0,0,
114 0,0,
115 i2r_ocsp_acutoff,0,
116 NULL
117};
118
119const X509V3_EXT_METHOD v3_crl_hold = {
120 NID_hold_instruction_code, 0, ASN1_ITEM_ref(ASN1_OBJECT),
121 0,0,0,0,
122 0,0,
123 0,0,
124 i2r_object,0,
125 NULL
126};
127
128const X509V3_EXT_METHOD v3_ocsp_nonce = {
129 NID_id_pkix_OCSP_Nonce, 0, NULL,
130 ocsp_nonce_new,
131 ocsp_nonce_free,
132 d2i_ocsp_nonce,
133 i2d_ocsp_nonce,
134 0,0,
135 0,0,
136 i2r_ocsp_nonce,0,
137 NULL
138};
139
140const X509V3_EXT_METHOD v3_ocsp_nocheck = {
141 NID_id_pkix_OCSP_noCheck, 0, ASN1_ITEM_ref(ASN1_NULL),
142 0,0,0,0,
143 0,s2i_ocsp_nocheck,
144 0,0,
145 i2r_ocsp_nocheck,0,
146 NULL
147};
148
149const X509V3_EXT_METHOD v3_ocsp_serviceloc = {
150 NID_id_pkix_OCSP_serviceLocator, 0, ASN1_ITEM_ref(OCSP_SERVICELOC),
151 0,0,0,0,
152 0,0,
153 0,0,
154 i2r_ocsp_serviceloc,0,
155 NULL
156};
157
158static int i2r_ocsp_crlid(const X509V3_EXT_METHOD *method, void *in, BIO *bp,
159 int ind)
160{
161 OCSP_CRLID *a = in;
162 if (a->crlUrl)
163 {
164 if (BIO_printf(bp, "%*scrlUrl: ", ind, "") <= 0) goto err;
165 if (!ASN1_STRING_print(bp, (ASN1_STRING*)a->crlUrl)) goto err;
166 if (BIO_write(bp, "\n", 1) <= 0) goto err;
167 }
168 if (a->crlNum)
169 {
170 if (BIO_printf(bp, "%*scrlNum: ", ind, "") <= 0) goto err;
171 if (i2a_ASN1_INTEGER(bp, a->crlNum) <= 0) goto err;
172 if (BIO_write(bp, "\n", 1) <= 0) goto err;
173 }
174 if (a->crlTime)
175 {
176 if (BIO_printf(bp, "%*scrlTime: ", ind, "") <= 0) goto err;
177 if (!ASN1_GENERALIZEDTIME_print(bp, a->crlTime)) goto err;
178 if (BIO_write(bp, "\n", 1) <= 0) goto err;
179 }
180 return 1;
181 err:
182 return 0;
183}
184
185static int i2r_ocsp_acutoff(const X509V3_EXT_METHOD *method, void *cutoff,
186 BIO *bp, int ind)
187{
188 if (BIO_printf(bp, "%*s", ind, "") <= 0) return 0;
189 if(!ASN1_GENERALIZEDTIME_print(bp, cutoff)) return 0;
190 return 1;
191}
192
193
194static int i2r_object(const X509V3_EXT_METHOD *method, void *oid, BIO *bp,
195 int ind)
196{
197 if (BIO_printf(bp, "%*s", ind, "") <= 0) return 0;
198 if(i2a_ASN1_OBJECT(bp, oid) <= 0) return 0;
199 return 1;
200}
201
202/* OCSP nonce. This is needs special treatment because it doesn't have
203 * an ASN1 encoding at all: it just contains arbitrary data.
204 */
205
206static void *ocsp_nonce_new(void)
207{
208 return ASN1_OCTET_STRING_new();
209}
210
211static int i2d_ocsp_nonce(void *a, unsigned char **pp)
212{
213 ASN1_OCTET_STRING *os = a;
214 if(pp) {
215 memcpy(*pp, os->data, os->length);
216 *pp += os->length;
217 }
218 return os->length;
219}
220
221static void *d2i_ocsp_nonce(void *a, const unsigned char **pp, long length)
222{
223 ASN1_OCTET_STRING *os, **pos;
224 pos = a;
225 if(!pos || !*pos) os = ASN1_OCTET_STRING_new();
226 else os = *pos;
227 if(!ASN1_OCTET_STRING_set(os, *pp, length)) goto err;
228
229 *pp += length;
230
231 if(pos) *pos = os;
232 return os;
233
234 err:
235 if(os && (!pos || (*pos != os))) M_ASN1_OCTET_STRING_free(os);
236 OCSPerr(OCSP_F_D2I_OCSP_NONCE, ERR_R_MALLOC_FAILURE);
237 return NULL;
238}
239
240static void ocsp_nonce_free(void *a)
241{
242 M_ASN1_OCTET_STRING_free(a);
243}
244
245static int i2r_ocsp_nonce(const X509V3_EXT_METHOD *method, void *nonce,
246 BIO *out, int indent)
247{
248 if(BIO_printf(out, "%*s", indent, "") <= 0) return 0;
249 if(i2a_ASN1_STRING(out, nonce, V_ASN1_OCTET_STRING) <= 0) return 0;
250 return 1;
251}
252
253/* Nocheck is just a single NULL. Don't print anything and always set it */
254
255static int i2r_ocsp_nocheck(const X509V3_EXT_METHOD *method, void *nocheck,
256 BIO *out, int indent)
257{
258 return 1;
259}
260
261static void *s2i_ocsp_nocheck(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
262 const char *str)
263{
264 return ASN1_NULL_new();
265}
266
267static int i2r_ocsp_serviceloc(const X509V3_EXT_METHOD *method, void *in,
268 BIO *bp, int ind)
269 {
270 int i;
271 OCSP_SERVICELOC *a = in;
272 ACCESS_DESCRIPTION *ad;
273
274 if (BIO_printf(bp, "%*sIssuer: ", ind, "") <= 0) goto err;
275 if (X509_NAME_print_ex(bp, a->issuer, 0, XN_FLAG_ONELINE) <= 0) goto err;
276 for (i = 0; i < sk_ACCESS_DESCRIPTION_num(a->locator); i++)
277 {
278 ad = sk_ACCESS_DESCRIPTION_value(a->locator,i);
279 if (BIO_printf(bp, "\n%*s", (2*ind), "") <= 0)
280 goto err;
281 if(i2a_ASN1_OBJECT(bp, ad->method) <= 0) goto err;
282 if(BIO_puts(bp, " - ") <= 0) goto err;
283 if(GENERAL_NAME_print(bp, ad->location) <= 0) goto err;
284 }
285 return 1;
286err:
287 return 0;
288 }
289#endif
diff --git a/src/lib/libcrypto/x509v3/v3_pci.c b/src/lib/libcrypto/x509v3/v3_pci.c
deleted file mode 100644
index 0dcfa004fe..0000000000
--- a/src/lib/libcrypto/x509v3/v3_pci.c
+++ /dev/null
@@ -1,328 +0,0 @@
1/* v3_pci.c -*- mode:C; c-file-style: "eay" -*- */
2/* Contributed to the OpenSSL Project 2004
3 * by Richard Levitte (richard@levitte.org)
4 */
5/* Copyright (c) 2004 Kungliga Tekniska Högskolan
6 * (Royal Institute of Technology, Stockholm, Sweden).
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 *
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 *
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in the
18 * documentation and/or other materials provided with the distribution.
19 *
20 * 3. Neither the name of the Institute nor the names of its contributors
21 * may be used to endorse or promote products derived from this software
22 * without specific prior written permission.
23 *
24 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
25 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
26 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
27 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
28 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
29 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
30 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
31 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
32 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
33 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 * SUCH DAMAGE.
35 */
36
37#include <stdio.h>
38#include "cryptlib.h"
39#include <openssl/conf.h>
40#include <openssl/x509v3.h>
41
42static int i2r_pci(X509V3_EXT_METHOD *method, PROXY_CERT_INFO_EXTENSION *ext,
43 BIO *out, int indent);
44static PROXY_CERT_INFO_EXTENSION *r2i_pci(X509V3_EXT_METHOD *method,
45 X509V3_CTX *ctx, char *str);
46
47const X509V3_EXT_METHOD v3_pci =
48 { NID_proxyCertInfo, 0, ASN1_ITEM_ref(PROXY_CERT_INFO_EXTENSION),
49 0,0,0,0,
50 0,0,
51 NULL, NULL,
52 (X509V3_EXT_I2R)i2r_pci,
53 (X509V3_EXT_R2I)r2i_pci,
54 NULL,
55 };
56
57static int i2r_pci(X509V3_EXT_METHOD *method, PROXY_CERT_INFO_EXTENSION *pci,
58 BIO *out, int indent)
59 {
60 BIO_printf(out, "%*sPath Length Constraint: ", indent, "");
61 if (pci->pcPathLengthConstraint)
62 i2a_ASN1_INTEGER(out, pci->pcPathLengthConstraint);
63 else
64 BIO_printf(out, "infinite");
65 BIO_puts(out, "\n");
66 BIO_printf(out, "%*sPolicy Language: ", indent, "");
67 i2a_ASN1_OBJECT(out, pci->proxyPolicy->policyLanguage);
68 BIO_puts(out, "\n");
69 if (pci->proxyPolicy->policy && pci->proxyPolicy->policy->data)
70 BIO_printf(out, "%*sPolicy Text: %s\n", indent, "",
71 pci->proxyPolicy->policy->data);
72 return 1;
73 }
74
75static int process_pci_value(CONF_VALUE *val,
76 ASN1_OBJECT **language, ASN1_INTEGER **pathlen,
77 ASN1_OCTET_STRING **policy)
78 {
79 int free_policy = 0;
80
81 if (strcmp(val->name, "language") == 0)
82 {
83 if (*language)
84 {
85 X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_POLICY_LANGUAGE_ALREADY_DEFINED);
86 X509V3_conf_err(val);
87 return 0;
88 }
89 if (!(*language = OBJ_txt2obj(val->value, 0)))
90 {
91 X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_INVALID_OBJECT_IDENTIFIER);
92 X509V3_conf_err(val);
93 return 0;
94 }
95 }
96 else if (strcmp(val->name, "pathlen") == 0)
97 {
98 if (*pathlen)
99 {
100 X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_POLICY_PATH_LENGTH_ALREADY_DEFINED);
101 X509V3_conf_err(val);
102 return 0;
103 }
104 if (!X509V3_get_value_int(val, pathlen))
105 {
106 X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_POLICY_PATH_LENGTH);
107 X509V3_conf_err(val);
108 return 0;
109 }
110 }
111 else if (strcmp(val->name, "policy") == 0)
112 {
113 unsigned char *tmp_data = NULL;
114 long val_len;
115 if (!*policy)
116 {
117 *policy = ASN1_OCTET_STRING_new();
118 if (!*policy)
119 {
120 X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_MALLOC_FAILURE);
121 X509V3_conf_err(val);
122 return 0;
123 }
124 free_policy = 1;
125 }
126 if (strncmp(val->value, "hex:", 4) == 0)
127 {
128 unsigned char *tmp_data2 =
129 string_to_hex(val->value + 4, &val_len);
130
131 if (!tmp_data2)
132 {
133 X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_ILLEGAL_HEX_DIGIT);
134 X509V3_conf_err(val);
135 goto err;
136 }
137
138 tmp_data = OPENSSL_realloc((*policy)->data,
139 (*policy)->length + val_len + 1);
140 if (tmp_data)
141 {
142 (*policy)->data = tmp_data;
143 memcpy(&(*policy)->data[(*policy)->length],
144 tmp_data2, val_len);
145 (*policy)->length += val_len;
146 (*policy)->data[(*policy)->length] = '\0';
147 }
148 else
149 {
150 OPENSSL_free(tmp_data2);
151 /* realloc failure implies the original data space is b0rked too! */
152 (*policy)->data = NULL;
153 (*policy)->length = 0;
154 X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_MALLOC_FAILURE);
155 X509V3_conf_err(val);
156 goto err;
157 }
158 OPENSSL_free(tmp_data2);
159 }
160 else if (strncmp(val->value, "file:", 5) == 0)
161 {
162 unsigned char buf[2048];
163 int n;
164 BIO *b = BIO_new_file(val->value + 5, "r");
165 if (!b)
166 {
167 X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_BIO_LIB);
168 X509V3_conf_err(val);
169 goto err;
170 }
171 while((n = BIO_read(b, buf, sizeof(buf))) > 0
172 || (n == 0 && BIO_should_retry(b)))
173 {
174 if (!n) continue;
175
176 tmp_data = OPENSSL_realloc((*policy)->data,
177 (*policy)->length + n + 1);
178
179 if (!tmp_data)
180 break;
181
182 (*policy)->data = tmp_data;
183 memcpy(&(*policy)->data[(*policy)->length],
184 buf, n);
185 (*policy)->length += n;
186 (*policy)->data[(*policy)->length] = '\0';
187 }
188 BIO_free_all(b);
189
190 if (n < 0)
191 {
192 X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_BIO_LIB);
193 X509V3_conf_err(val);
194 goto err;
195 }
196 }
197 else if (strncmp(val->value, "text:", 5) == 0)
198 {
199 val_len = strlen(val->value + 5);
200 tmp_data = OPENSSL_realloc((*policy)->data,
201 (*policy)->length + val_len + 1);
202 if (tmp_data)
203 {
204 (*policy)->data = tmp_data;
205 memcpy(&(*policy)->data[(*policy)->length],
206 val->value + 5, val_len);
207 (*policy)->length += val_len;
208 (*policy)->data[(*policy)->length] = '\0';
209 }
210 else
211 {
212 /* realloc failure implies the original data space is b0rked too! */
213 (*policy)->data = NULL;
214 (*policy)->length = 0;
215 X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_MALLOC_FAILURE);
216 X509V3_conf_err(val);
217 goto err;
218 }
219 }
220 else
221 {
222 X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_INCORRECT_POLICY_SYNTAX_TAG);
223 X509V3_conf_err(val);
224 goto err;
225 }
226 if (!tmp_data)
227 {
228 X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_MALLOC_FAILURE);
229 X509V3_conf_err(val);
230 goto err;
231 }
232 }
233 return 1;
234err:
235 if (free_policy)
236 {
237 ASN1_OCTET_STRING_free(*policy);
238 *policy = NULL;
239 }
240 return 0;
241 }
242
243static PROXY_CERT_INFO_EXTENSION *r2i_pci(X509V3_EXT_METHOD *method,
244 X509V3_CTX *ctx, char *value)
245 {
246 PROXY_CERT_INFO_EXTENSION *pci = NULL;
247 STACK_OF(CONF_VALUE) *vals;
248 ASN1_OBJECT *language = NULL;
249 ASN1_INTEGER *pathlen = NULL;
250 ASN1_OCTET_STRING *policy = NULL;
251 int i, j;
252
253 vals = X509V3_parse_list(value);
254 for (i = 0; i < sk_CONF_VALUE_num(vals); i++)
255 {
256 CONF_VALUE *cnf = sk_CONF_VALUE_value(vals, i);
257 if (!cnf->name || (*cnf->name != '@' && !cnf->value))
258 {
259 X509V3err(X509V3_F_R2I_PCI,X509V3_R_INVALID_PROXY_POLICY_SETTING);
260 X509V3_conf_err(cnf);
261 goto err;
262 }
263 if (*cnf->name == '@')
264 {
265 STACK_OF(CONF_VALUE) *sect;
266 int success_p = 1;
267
268 sect = X509V3_get_section(ctx, cnf->name + 1);
269 if (!sect)
270 {
271 X509V3err(X509V3_F_R2I_PCI,X509V3_R_INVALID_SECTION);
272 X509V3_conf_err(cnf);
273 goto err;
274 }
275 for (j = 0; success_p && j < sk_CONF_VALUE_num(sect); j++)
276 {
277 success_p =
278 process_pci_value(sk_CONF_VALUE_value(sect, j),
279 &language, &pathlen, &policy);
280 }
281 X509V3_section_free(ctx, sect);
282 if (!success_p)
283 goto err;
284 }
285 else
286 {
287 if (!process_pci_value(cnf,
288 &language, &pathlen, &policy))
289 {
290 X509V3_conf_err(cnf);
291 goto err;
292 }
293 }
294 }
295
296 /* Language is mandatory */
297 if (!language)
298 {
299 X509V3err(X509V3_F_R2I_PCI,X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED);
300 goto err;
301 }
302 i = OBJ_obj2nid(language);
303 if ((i == NID_Independent || i == NID_id_ppl_inheritAll) && policy)
304 {
305 X509V3err(X509V3_F_R2I_PCI,X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY);
306 goto err;
307 }
308
309 pci = PROXY_CERT_INFO_EXTENSION_new();
310 if (!pci)
311 {
312 X509V3err(X509V3_F_R2I_PCI,ERR_R_MALLOC_FAILURE);
313 goto err;
314 }
315
316 pci->proxyPolicy->policyLanguage = language; language = NULL;
317 pci->proxyPolicy->policy = policy; policy = NULL;
318 pci->pcPathLengthConstraint = pathlen; pathlen = NULL;
319 goto end;
320err:
321 if (language) { ASN1_OBJECT_free(language); language = NULL; }
322 if (pathlen) { ASN1_INTEGER_free(pathlen); pathlen = NULL; }
323 if (policy) { ASN1_OCTET_STRING_free(policy); policy = NULL; }
324 if (pci) { PROXY_CERT_INFO_EXTENSION_free(pci); pci = NULL; }
325end:
326 sk_CONF_VALUE_pop_free(vals, X509V3_conf_free);
327 return pci;
328 }
diff --git a/src/lib/libcrypto/x509v3/v3_pcia.c b/src/lib/libcrypto/x509v3/v3_pcia.c
deleted file mode 100644
index bb362e0e5a..0000000000
--- a/src/lib/libcrypto/x509v3/v3_pcia.c
+++ /dev/null
@@ -1,55 +0,0 @@
1/* v3_pcia.c -*- mode:C; c-file-style: "eay" -*- */
2/* Contributed to the OpenSSL Project 2004
3 * by Richard Levitte (richard@levitte.org)
4 */
5/* Copyright (c) 2004 Kungliga Tekniska Högskolan
6 * (Royal Institute of Technology, Stockholm, Sweden).
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 *
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 *
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in the
18 * documentation and/or other materials provided with the distribution.
19 *
20 * 3. Neither the name of the Institute nor the names of its contributors
21 * may be used to endorse or promote products derived from this software
22 * without specific prior written permission.
23 *
24 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
25 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
26 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
27 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
28 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
29 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
30 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
31 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
32 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
33 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 * SUCH DAMAGE.
35 */
36
37#include <openssl/asn1.h>
38#include <openssl/asn1t.h>
39#include <openssl/x509v3.h>
40
41ASN1_SEQUENCE(PROXY_POLICY) =
42 {
43 ASN1_SIMPLE(PROXY_POLICY,policyLanguage,ASN1_OBJECT),
44 ASN1_OPT(PROXY_POLICY,policy,ASN1_OCTET_STRING)
45} ASN1_SEQUENCE_END(PROXY_POLICY)
46
47IMPLEMENT_ASN1_FUNCTIONS(PROXY_POLICY)
48
49ASN1_SEQUENCE(PROXY_CERT_INFO_EXTENSION) =
50 {
51 ASN1_OPT(PROXY_CERT_INFO_EXTENSION,pcPathLengthConstraint,ASN1_INTEGER),
52 ASN1_SIMPLE(PROXY_CERT_INFO_EXTENSION,proxyPolicy,PROXY_POLICY)
53} ASN1_SEQUENCE_END(PROXY_CERT_INFO_EXTENSION)
54
55IMPLEMENT_ASN1_FUNCTIONS(PROXY_CERT_INFO_EXTENSION)
diff --git a/src/lib/libcrypto/x509v3/v3_pcons.c b/src/lib/libcrypto/x509v3/v3_pcons.c
deleted file mode 100644
index 30ca652351..0000000000
--- a/src/lib/libcrypto/x509v3/v3_pcons.c
+++ /dev/null
@@ -1,140 +0,0 @@
1/* v3_pcons.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project.
4 */
5/* ====================================================================
6 * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59
60#include <stdio.h>
61#include "cryptlib.h"
62#include <openssl/asn1.h>
63#include <openssl/asn1t.h>
64#include <openssl/conf.h>
65#include <openssl/x509v3.h>
66
67static STACK_OF(CONF_VALUE) *
68i2v_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD *method, void *bcons,
69 STACK_OF(CONF_VALUE) *extlist);
70static void *v2i_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD *method,
71 X509V3_CTX *ctx,
72 STACK_OF(CONF_VALUE) *values);
73
74const X509V3_EXT_METHOD v3_policy_constraints = {
75NID_policy_constraints, 0,
76ASN1_ITEM_ref(POLICY_CONSTRAINTS),
770,0,0,0,
780,0,
79i2v_POLICY_CONSTRAINTS,
80v2i_POLICY_CONSTRAINTS,
81NULL,NULL,
82NULL
83};
84
85ASN1_SEQUENCE(POLICY_CONSTRAINTS) = {
86 ASN1_IMP_OPT(POLICY_CONSTRAINTS, requireExplicitPolicy, ASN1_INTEGER,0),
87 ASN1_IMP_OPT(POLICY_CONSTRAINTS, inhibitPolicyMapping, ASN1_INTEGER,1)
88} ASN1_SEQUENCE_END(POLICY_CONSTRAINTS)
89
90IMPLEMENT_ASN1_ALLOC_FUNCTIONS(POLICY_CONSTRAINTS)
91
92
93static STACK_OF(CONF_VALUE) *
94i2v_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD *method, void *a,
95 STACK_OF(CONF_VALUE) *extlist)
96{
97 POLICY_CONSTRAINTS *pcons = a;
98 X509V3_add_value_int("Require Explicit Policy",
99 pcons->requireExplicitPolicy, &extlist);
100 X509V3_add_value_int("Inhibit Policy Mapping",
101 pcons->inhibitPolicyMapping, &extlist);
102 return extlist;
103}
104
105static void *v2i_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD *method,
106 X509V3_CTX *ctx,
107 STACK_OF(CONF_VALUE) *values)
108{
109 POLICY_CONSTRAINTS *pcons=NULL;
110 CONF_VALUE *val;
111 int i;
112 if(!(pcons = POLICY_CONSTRAINTS_new())) {
113 X509V3err(X509V3_F_V2I_POLICY_CONSTRAINTS, ERR_R_MALLOC_FAILURE);
114 return NULL;
115 }
116 for(i = 0; i < sk_CONF_VALUE_num(values); i++) {
117 val = sk_CONF_VALUE_value(values, i);
118 if(!strcmp(val->name, "requireExplicitPolicy")) {
119 if(!X509V3_get_value_int(val,
120 &pcons->requireExplicitPolicy)) goto err;
121 } else if(!strcmp(val->name, "inhibitPolicyMapping")) {
122 if(!X509V3_get_value_int(val,
123 &pcons->inhibitPolicyMapping)) goto err;
124 } else {
125 X509V3err(X509V3_F_V2I_POLICY_CONSTRAINTS, X509V3_R_INVALID_NAME);
126 X509V3_conf_err(val);
127 goto err;
128 }
129 }
130 if (!pcons->inhibitPolicyMapping && !pcons->requireExplicitPolicy) {
131 X509V3err(X509V3_F_V2I_POLICY_CONSTRAINTS, X509V3_R_ILLEGAL_EMPTY_EXTENSION);
132 goto err;
133 }
134
135 return pcons;
136 err:
137 POLICY_CONSTRAINTS_free(pcons);
138 return NULL;
139}
140
diff --git a/src/lib/libcrypto/x509v3/v3_pku.c b/src/lib/libcrypto/x509v3/v3_pku.c
deleted file mode 100644
index 076f3ff48e..0000000000
--- a/src/lib/libcrypto/x509v3/v3_pku.c
+++ /dev/null
@@ -1,108 +0,0 @@
1/* v3_pku.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/asn1.h>
62#include <openssl/asn1t.h>
63#include <openssl/x509v3.h>
64
65static int i2r_PKEY_USAGE_PERIOD(X509V3_EXT_METHOD *method, PKEY_USAGE_PERIOD *usage, BIO *out, int indent);
66/*
67static PKEY_USAGE_PERIOD *v2i_PKEY_USAGE_PERIOD(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values);
68*/
69const X509V3_EXT_METHOD v3_pkey_usage_period = {
70NID_private_key_usage_period, 0, ASN1_ITEM_ref(PKEY_USAGE_PERIOD),
710,0,0,0,
720,0,0,0,
73(X509V3_EXT_I2R)i2r_PKEY_USAGE_PERIOD, NULL,
74NULL
75};
76
77ASN1_SEQUENCE(PKEY_USAGE_PERIOD) = {
78 ASN1_IMP_OPT(PKEY_USAGE_PERIOD, notBefore, ASN1_GENERALIZEDTIME, 0),
79 ASN1_IMP_OPT(PKEY_USAGE_PERIOD, notAfter, ASN1_GENERALIZEDTIME, 1)
80} ASN1_SEQUENCE_END(PKEY_USAGE_PERIOD)
81
82IMPLEMENT_ASN1_FUNCTIONS(PKEY_USAGE_PERIOD)
83
84static int i2r_PKEY_USAGE_PERIOD(X509V3_EXT_METHOD *method,
85 PKEY_USAGE_PERIOD *usage, BIO *out, int indent)
86{
87 BIO_printf(out, "%*s", indent, "");
88 if(usage->notBefore) {
89 BIO_write(out, "Not Before: ", 12);
90 ASN1_GENERALIZEDTIME_print(out, usage->notBefore);
91 if(usage->notAfter) BIO_write(out, ", ", 2);
92 }
93 if(usage->notAfter) {
94 BIO_write(out, "Not After: ", 11);
95 ASN1_GENERALIZEDTIME_print(out, usage->notAfter);
96 }
97 return 1;
98}
99
100/*
101static PKEY_USAGE_PERIOD *v2i_PKEY_USAGE_PERIOD(method, ctx, values)
102X509V3_EXT_METHOD *method;
103X509V3_CTX *ctx;
104STACK_OF(CONF_VALUE) *values;
105{
106return NULL;
107}
108*/
diff --git a/src/lib/libcrypto/x509v3/v3_pmaps.c b/src/lib/libcrypto/x509v3/v3_pmaps.c
deleted file mode 100644
index 865bcd3980..0000000000
--- a/src/lib/libcrypto/x509v3/v3_pmaps.c
+++ /dev/null
@@ -1,155 +0,0 @@
1/* v3_pmaps.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project.
4 */
5/* ====================================================================
6 * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59
60#include <stdio.h>
61#include "cryptlib.h"
62#include <openssl/asn1t.h>
63#include <openssl/conf.h>
64#include <openssl/x509v3.h>
65
66static void *v2i_POLICY_MAPPINGS(const X509V3_EXT_METHOD *method,
67 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
68static STACK_OF(CONF_VALUE) *
69i2v_POLICY_MAPPINGS(const X509V3_EXT_METHOD *method, void *pmps,
70 STACK_OF(CONF_VALUE) *extlist);
71
72const X509V3_EXT_METHOD v3_policy_mappings = {
73 NID_policy_mappings, 0,
74 ASN1_ITEM_ref(POLICY_MAPPINGS),
75 0,0,0,0,
76 0,0,
77 i2v_POLICY_MAPPINGS,
78 v2i_POLICY_MAPPINGS,
79 0,0,
80 NULL
81};
82
83ASN1_SEQUENCE(POLICY_MAPPING) = {
84 ASN1_SIMPLE(POLICY_MAPPING, issuerDomainPolicy, ASN1_OBJECT),
85 ASN1_SIMPLE(POLICY_MAPPING, subjectDomainPolicy, ASN1_OBJECT)
86} ASN1_SEQUENCE_END(POLICY_MAPPING)
87
88ASN1_ITEM_TEMPLATE(POLICY_MAPPINGS) =
89 ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, POLICY_MAPPINGS,
90 POLICY_MAPPING)
91ASN1_ITEM_TEMPLATE_END(POLICY_MAPPINGS)
92
93IMPLEMENT_ASN1_ALLOC_FUNCTIONS(POLICY_MAPPING)
94
95
96static STACK_OF(CONF_VALUE) *
97i2v_POLICY_MAPPINGS(const X509V3_EXT_METHOD *method, void *a,
98 STACK_OF(CONF_VALUE) *ext_list)
99{
100 POLICY_MAPPINGS *pmaps = a;
101 POLICY_MAPPING *pmap;
102 int i;
103 char obj_tmp1[80];
104 char obj_tmp2[80];
105 for(i = 0; i < sk_POLICY_MAPPING_num(pmaps); i++) {
106 pmap = sk_POLICY_MAPPING_value(pmaps, i);
107 i2t_ASN1_OBJECT(obj_tmp1, 80, pmap->issuerDomainPolicy);
108 i2t_ASN1_OBJECT(obj_tmp2, 80, pmap->subjectDomainPolicy);
109 X509V3_add_value(obj_tmp1, obj_tmp2, &ext_list);
110 }
111 return ext_list;
112}
113
114static void *v2i_POLICY_MAPPINGS(const X509V3_EXT_METHOD *method,
115 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
116{
117 POLICY_MAPPINGS *pmaps;
118 POLICY_MAPPING *pmap;
119 ASN1_OBJECT *obj1, *obj2;
120 CONF_VALUE *val;
121 int i;
122
123 if(!(pmaps = sk_POLICY_MAPPING_new_null())) {
124 X509V3err(X509V3_F_V2I_POLICY_MAPPINGS,ERR_R_MALLOC_FAILURE);
125 return NULL;
126 }
127
128 for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
129 val = sk_CONF_VALUE_value(nval, i);
130 if(!val->value || !val->name) {
131 sk_POLICY_MAPPING_pop_free(pmaps, POLICY_MAPPING_free);
132 X509V3err(X509V3_F_V2I_POLICY_MAPPINGS,X509V3_R_INVALID_OBJECT_IDENTIFIER);
133 X509V3_conf_err(val);
134 return NULL;
135 }
136 obj1 = OBJ_txt2obj(val->name, 0);
137 obj2 = OBJ_txt2obj(val->value, 0);
138 if(!obj1 || !obj2) {
139 sk_POLICY_MAPPING_pop_free(pmaps, POLICY_MAPPING_free);
140 X509V3err(X509V3_F_V2I_POLICY_MAPPINGS,X509V3_R_INVALID_OBJECT_IDENTIFIER);
141 X509V3_conf_err(val);
142 return NULL;
143 }
144 pmap = POLICY_MAPPING_new();
145 if (!pmap) {
146 sk_POLICY_MAPPING_pop_free(pmaps, POLICY_MAPPING_free);
147 X509V3err(X509V3_F_V2I_POLICY_MAPPINGS,ERR_R_MALLOC_FAILURE);
148 return NULL;
149 }
150 pmap->issuerDomainPolicy = obj1;
151 pmap->subjectDomainPolicy = obj2;
152 sk_POLICY_MAPPING_push(pmaps, pmap);
153 }
154 return pmaps;
155}
diff --git a/src/lib/libcrypto/x509v3/v3_prn.c b/src/lib/libcrypto/x509v3/v3_prn.c
deleted file mode 100644
index 3146218708..0000000000
--- a/src/lib/libcrypto/x509v3/v3_prn.c
+++ /dev/null
@@ -1,234 +0,0 @@
1/* v3_prn.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58/* X509 v3 extension utilities */
59
60#include <stdio.h>
61#include "cryptlib.h"
62#include <openssl/conf.h>
63#include <openssl/x509v3.h>
64
65/* Extension printing routines */
66
67static int unknown_ext_print(BIO *out, X509_EXTENSION *ext, unsigned long flag, int indent, int supported);
68
69/* Print out a name+value stack */
70
71void X509V3_EXT_val_prn(BIO *out, STACK_OF(CONF_VALUE) *val, int indent, int ml)
72{
73 int i;
74 CONF_VALUE *nval;
75 if(!val) return;
76 if(!ml || !sk_CONF_VALUE_num(val)) {
77 BIO_printf(out, "%*s", indent, "");
78 if(!sk_CONF_VALUE_num(val)) BIO_puts(out, "<EMPTY>\n");
79 }
80 for(i = 0; i < sk_CONF_VALUE_num(val); i++) {
81 if(ml) BIO_printf(out, "%*s", indent, "");
82 else if(i > 0) BIO_printf(out, ", ");
83 nval = sk_CONF_VALUE_value(val, i);
84 if(!nval->name) BIO_puts(out, nval->value);
85 else if(!nval->value) BIO_puts(out, nval->name);
86#ifndef CHARSET_EBCDIC
87 else BIO_printf(out, "%s:%s", nval->name, nval->value);
88#else
89 else {
90 int len;
91 char *tmp;
92 len = strlen(nval->value)+1;
93 tmp = OPENSSL_malloc(len);
94 if (tmp)
95 {
96 ascii2ebcdic(tmp, nval->value, len);
97 BIO_printf(out, "%s:%s", nval->name, tmp);
98 OPENSSL_free(tmp);
99 }
100 }
101#endif
102 if(ml) BIO_puts(out, "\n");
103 }
104}
105
106/* Main routine: print out a general extension */
107
108int X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, unsigned long flag, int indent)
109{
110 void *ext_str = NULL;
111 char *value = NULL;
112 const unsigned char *p;
113 const X509V3_EXT_METHOD *method;
114 STACK_OF(CONF_VALUE) *nval = NULL;
115 int ok = 1;
116
117 if(!(method = X509V3_EXT_get(ext)))
118 return unknown_ext_print(out, ext, flag, indent, 0);
119 p = ext->value->data;
120 if(method->it) ext_str = ASN1_item_d2i(NULL, &p, ext->value->length, ASN1_ITEM_ptr(method->it));
121 else ext_str = method->d2i(NULL, &p, ext->value->length);
122
123 if(!ext_str) return unknown_ext_print(out, ext, flag, indent, 1);
124
125 if(method->i2s) {
126 if(!(value = method->i2s(method, ext_str))) {
127 ok = 0;
128 goto err;
129 }
130#ifndef CHARSET_EBCDIC
131 BIO_printf(out, "%*s%s", indent, "", value);
132#else
133 {
134 int len;
135 char *tmp;
136 len = strlen(value)+1;
137 tmp = OPENSSL_malloc(len);
138 if (tmp)
139 {
140 ascii2ebcdic(tmp, value, len);
141 BIO_printf(out, "%*s%s", indent, "", tmp);
142 OPENSSL_free(tmp);
143 }
144 }
145#endif
146 } else if(method->i2v) {
147 if(!(nval = method->i2v(method, ext_str, NULL))) {
148 ok = 0;
149 goto err;
150 }
151 X509V3_EXT_val_prn(out, nval, indent,
152 method->ext_flags & X509V3_EXT_MULTILINE);
153 } else if(method->i2r) {
154 if(!method->i2r(method, ext_str, out, indent)) ok = 0;
155 } else ok = 0;
156
157 err:
158 sk_CONF_VALUE_pop_free(nval, X509V3_conf_free);
159 if(value) OPENSSL_free(value);
160 if(method->it) ASN1_item_free(ext_str, ASN1_ITEM_ptr(method->it));
161 else method->ext_free(ext_str);
162 return ok;
163}
164
165int X509V3_extensions_print(BIO *bp, char *title, STACK_OF(X509_EXTENSION) *exts, unsigned long flag, int indent)
166{
167 int i, j;
168
169 if(sk_X509_EXTENSION_num(exts) <= 0) return 1;
170
171 if(title)
172 {
173 BIO_printf(bp,"%*s%s:\n",indent, "", title);
174 indent += 4;
175 }
176
177 for (i=0; i<sk_X509_EXTENSION_num(exts); i++)
178 {
179 ASN1_OBJECT *obj;
180 X509_EXTENSION *ex;
181 ex=sk_X509_EXTENSION_value(exts, i);
182 if (indent && BIO_printf(bp,"%*s",indent, "") <= 0) return 0;
183 obj=X509_EXTENSION_get_object(ex);
184 i2a_ASN1_OBJECT(bp,obj);
185 j=X509_EXTENSION_get_critical(ex);
186 if (BIO_printf(bp,": %s\n",j?"critical":"") <= 0)
187 return 0;
188 if(!X509V3_EXT_print(bp, ex, flag, indent + 4))
189 {
190 BIO_printf(bp, "%*s", indent + 4, "");
191 M_ASN1_OCTET_STRING_print(bp,ex->value);
192 }
193 if (BIO_write(bp,"\n",1) <= 0) return 0;
194 }
195 return 1;
196}
197
198static int unknown_ext_print(BIO *out, X509_EXTENSION *ext, unsigned long flag, int indent, int supported)
199{
200 switch(flag & X509V3_EXT_UNKNOWN_MASK) {
201
202 case X509V3_EXT_DEFAULT:
203 return 0;
204
205 case X509V3_EXT_ERROR_UNKNOWN:
206 if(supported)
207 BIO_printf(out, "%*s<Parse Error>", indent, "");
208 else
209 BIO_printf(out, "%*s<Not Supported>", indent, "");
210 return 1;
211
212 case X509V3_EXT_PARSE_UNKNOWN:
213 return ASN1_parse_dump(out,
214 ext->value->data, ext->value->length, indent, -1);
215 case X509V3_EXT_DUMP_UNKNOWN:
216 return BIO_dump_indent(out, (char *)ext->value->data, ext->value->length, indent);
217
218 default:
219 return 1;
220 }
221}
222
223
224#ifndef OPENSSL_NO_FP_API
225int X509V3_EXT_print_fp(FILE *fp, X509_EXTENSION *ext, int flag, int indent)
226{
227 BIO *bio_tmp;
228 int ret;
229 if(!(bio_tmp = BIO_new_fp(fp, BIO_NOCLOSE))) return 0;
230 ret = X509V3_EXT_print(bio_tmp, ext, flag, indent);
231 BIO_free(bio_tmp);
232 return ret;
233}
234#endif
diff --git a/src/lib/libcrypto/x509v3/v3_purp.c b/src/lib/libcrypto/x509v3/v3_purp.c
deleted file mode 100644
index 181bd34979..0000000000
--- a/src/lib/libcrypto/x509v3/v3_purp.c
+++ /dev/null
@@ -1,767 +0,0 @@
1/* v3_purp.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2001.
4 */
5/* ====================================================================
6 * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/x509v3.h>
62#include <openssl/x509_vfy.h>
63
64static void x509v3_cache_extensions(X509 *x);
65
66static int check_ssl_ca(const X509 *x);
67static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, int ca);
68static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca);
69static int check_purpose_ns_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca);
70static int purpose_smime(const X509 *x, int ca);
71static int check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x, int ca);
72static int check_purpose_smime_encrypt(const X509_PURPOSE *xp, const X509 *x, int ca);
73static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x, int ca);
74static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x, int ca);
75static int no_check(const X509_PURPOSE *xp, const X509 *x, int ca);
76static int ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca);
77
78static int xp_cmp(const X509_PURPOSE * const *a,
79 const X509_PURPOSE * const *b);
80static void xptable_free(X509_PURPOSE *p);
81
82static X509_PURPOSE xstandard[] = {
83 {X509_PURPOSE_SSL_CLIENT, X509_TRUST_SSL_CLIENT, 0, check_purpose_ssl_client, "SSL client", "sslclient", NULL},
84 {X509_PURPOSE_SSL_SERVER, X509_TRUST_SSL_SERVER, 0, check_purpose_ssl_server, "SSL server", "sslserver", NULL},
85 {X509_PURPOSE_NS_SSL_SERVER, X509_TRUST_SSL_SERVER, 0, check_purpose_ns_ssl_server, "Netscape SSL server", "nssslserver", NULL},
86 {X509_PURPOSE_SMIME_SIGN, X509_TRUST_EMAIL, 0, check_purpose_smime_sign, "S/MIME signing", "smimesign", NULL},
87 {X509_PURPOSE_SMIME_ENCRYPT, X509_TRUST_EMAIL, 0, check_purpose_smime_encrypt, "S/MIME encryption", "smimeencrypt", NULL},
88 {X509_PURPOSE_CRL_SIGN, X509_TRUST_COMPAT, 0, check_purpose_crl_sign, "CRL signing", "crlsign", NULL},
89 {X509_PURPOSE_ANY, X509_TRUST_DEFAULT, 0, no_check, "Any Purpose", "any", NULL},
90 {X509_PURPOSE_OCSP_HELPER, X509_TRUST_COMPAT, 0, ocsp_helper, "OCSP helper", "ocsphelper", NULL},
91 {X509_PURPOSE_TIMESTAMP_SIGN, X509_TRUST_TSA, 0, check_purpose_timestamp_sign, "Time Stamp signing", "timestampsign", NULL},
92};
93
94#define X509_PURPOSE_COUNT (sizeof(xstandard)/sizeof(X509_PURPOSE))
95
96IMPLEMENT_STACK_OF(X509_PURPOSE)
97
98static STACK_OF(X509_PURPOSE) *xptable = NULL;
99
100static int xp_cmp(const X509_PURPOSE * const *a,
101 const X509_PURPOSE * const *b)
102{
103 return (*a)->purpose - (*b)->purpose;
104}
105
106/* As much as I'd like to make X509_check_purpose use a "const" X509*
107 * I really can't because it does recalculate hashes and do other non-const
108 * things. */
109int X509_check_purpose(X509 *x, int id, int ca)
110{
111 int idx;
112 const X509_PURPOSE *pt;
113 if(!(x->ex_flags & EXFLAG_SET)) {
114 CRYPTO_w_lock(CRYPTO_LOCK_X509);
115 x509v3_cache_extensions(x);
116 CRYPTO_w_unlock(CRYPTO_LOCK_X509);
117 }
118 if(id == -1) return 1;
119 idx = X509_PURPOSE_get_by_id(id);
120 if(idx == -1) return -1;
121 pt = X509_PURPOSE_get0(idx);
122 return pt->check_purpose(pt, x, ca);
123}
124
125int X509_PURPOSE_set(int *p, int purpose)
126{
127 if(X509_PURPOSE_get_by_id(purpose) == -1) {
128 X509V3err(X509V3_F_X509_PURPOSE_SET, X509V3_R_INVALID_PURPOSE);
129 return 0;
130 }
131 *p = purpose;
132 return 1;
133}
134
135int X509_PURPOSE_get_count(void)
136{
137 if(!xptable) return X509_PURPOSE_COUNT;
138 return sk_X509_PURPOSE_num(xptable) + X509_PURPOSE_COUNT;
139}
140
141X509_PURPOSE * X509_PURPOSE_get0(int idx)
142{
143 if(idx < 0) return NULL;
144 if(idx < (int)X509_PURPOSE_COUNT) return xstandard + idx;
145 return sk_X509_PURPOSE_value(xptable, idx - X509_PURPOSE_COUNT);
146}
147
148int X509_PURPOSE_get_by_sname(char *sname)
149{
150 int i;
151 X509_PURPOSE *xptmp;
152 for(i = 0; i < X509_PURPOSE_get_count(); i++) {
153 xptmp = X509_PURPOSE_get0(i);
154 if(!strcmp(xptmp->sname, sname)) return i;
155 }
156 return -1;
157}
158
159int X509_PURPOSE_get_by_id(int purpose)
160{
161 X509_PURPOSE tmp;
162 int idx;
163 if((purpose >= X509_PURPOSE_MIN) && (purpose <= X509_PURPOSE_MAX))
164 return purpose - X509_PURPOSE_MIN;
165 tmp.purpose = purpose;
166 if(!xptable) return -1;
167 idx = sk_X509_PURPOSE_find(xptable, &tmp);
168 if(idx == -1) return -1;
169 return idx + X509_PURPOSE_COUNT;
170}
171
172int X509_PURPOSE_add(int id, int trust, int flags,
173 int (*ck)(const X509_PURPOSE *, const X509 *, int),
174 char *name, char *sname, void *arg)
175{
176 int idx;
177 X509_PURPOSE *ptmp;
178 /* This is set according to what we change: application can't set it */
179 flags &= ~X509_PURPOSE_DYNAMIC;
180 /* This will always be set for application modified trust entries */
181 flags |= X509_PURPOSE_DYNAMIC_NAME;
182 /* Get existing entry if any */
183 idx = X509_PURPOSE_get_by_id(id);
184 /* Need a new entry */
185 if(idx == -1) {
186 if(!(ptmp = OPENSSL_malloc(sizeof(X509_PURPOSE)))) {
187 X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE);
188 return 0;
189 }
190 ptmp->flags = X509_PURPOSE_DYNAMIC;
191 } else ptmp = X509_PURPOSE_get0(idx);
192
193 /* OPENSSL_free existing name if dynamic */
194 if(ptmp->flags & X509_PURPOSE_DYNAMIC_NAME) {
195 OPENSSL_free(ptmp->name);
196 OPENSSL_free(ptmp->sname);
197 }
198 /* dup supplied name */
199 ptmp->name = BUF_strdup(name);
200 ptmp->sname = BUF_strdup(sname);
201 if(!ptmp->name || !ptmp->sname) {
202 X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE);
203 return 0;
204 }
205 /* Keep the dynamic flag of existing entry */
206 ptmp->flags &= X509_PURPOSE_DYNAMIC;
207 /* Set all other flags */
208 ptmp->flags |= flags;
209
210 ptmp->purpose = id;
211 ptmp->trust = trust;
212 ptmp->check_purpose = ck;
213 ptmp->usr_data = arg;
214
215 /* If its a new entry manage the dynamic table */
216 if(idx == -1) {
217 if(!xptable && !(xptable = sk_X509_PURPOSE_new(xp_cmp))) {
218 X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE);
219 return 0;
220 }
221 if (!sk_X509_PURPOSE_push(xptable, ptmp)) {
222 X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE);
223 return 0;
224 }
225 }
226 return 1;
227}
228
229static void xptable_free(X509_PURPOSE *p)
230 {
231 if(!p) return;
232 if (p->flags & X509_PURPOSE_DYNAMIC)
233 {
234 if (p->flags & X509_PURPOSE_DYNAMIC_NAME) {
235 OPENSSL_free(p->name);
236 OPENSSL_free(p->sname);
237 }
238 OPENSSL_free(p);
239 }
240 }
241
242void X509_PURPOSE_cleanup(void)
243{
244 unsigned int i;
245 sk_X509_PURPOSE_pop_free(xptable, xptable_free);
246 for(i = 0; i < X509_PURPOSE_COUNT; i++) xptable_free(xstandard + i);
247 xptable = NULL;
248}
249
250int X509_PURPOSE_get_id(X509_PURPOSE *xp)
251{
252 return xp->purpose;
253}
254
255char *X509_PURPOSE_get0_name(X509_PURPOSE *xp)
256{
257 return xp->name;
258}
259
260char *X509_PURPOSE_get0_sname(X509_PURPOSE *xp)
261{
262 return xp->sname;
263}
264
265int X509_PURPOSE_get_trust(X509_PURPOSE *xp)
266{
267 return xp->trust;
268}
269
270static int nid_cmp(const int *a, const int *b)
271 {
272 return *a - *b;
273 }
274
275DECLARE_OBJ_BSEARCH_CMP_FN(int, int, nid);
276IMPLEMENT_OBJ_BSEARCH_CMP_FN(int, int, nid);
277
278int X509_supported_extension(X509_EXTENSION *ex)
279 {
280 /* This table is a list of the NIDs of supported extensions:
281 * that is those which are used by the verify process. If
282 * an extension is critical and doesn't appear in this list
283 * then the verify process will normally reject the certificate.
284 * The list must be kept in numerical order because it will be
285 * searched using bsearch.
286 */
287
288 static const int supported_nids[] = {
289 NID_netscape_cert_type, /* 71 */
290 NID_key_usage, /* 83 */
291 NID_subject_alt_name, /* 85 */
292 NID_basic_constraints, /* 87 */
293 NID_certificate_policies, /* 89 */
294 NID_ext_key_usage, /* 126 */
295#ifndef OPENSSL_NO_RFC3779
296 NID_sbgp_ipAddrBlock, /* 290 */
297 NID_sbgp_autonomousSysNum, /* 291 */
298#endif
299 NID_policy_constraints, /* 401 */
300 NID_proxyCertInfo, /* 663 */
301 NID_name_constraints, /* 666 */
302 NID_policy_mappings, /* 747 */
303 NID_inhibit_any_policy /* 748 */
304 };
305
306 int ex_nid = OBJ_obj2nid(X509_EXTENSION_get_object(ex));
307
308 if (ex_nid == NID_undef)
309 return 0;
310
311 if (OBJ_bsearch_nid(&ex_nid, supported_nids,
312 sizeof(supported_nids)/sizeof(int)))
313 return 1;
314 return 0;
315 }
316
317static void setup_dp(X509 *x, DIST_POINT *dp)
318 {
319 X509_NAME *iname = NULL;
320 int i;
321 if (dp->reasons)
322 {
323 if (dp->reasons->length > 0)
324 dp->dp_reasons = dp->reasons->data[0];
325 if (dp->reasons->length > 1)
326 dp->dp_reasons |= (dp->reasons->data[1] << 8);
327 dp->dp_reasons &= CRLDP_ALL_REASONS;
328 }
329 else
330 dp->dp_reasons = CRLDP_ALL_REASONS;
331 if (!dp->distpoint || (dp->distpoint->type != 1))
332 return;
333 for (i = 0; i < sk_GENERAL_NAME_num(dp->CRLissuer); i++)
334 {
335 GENERAL_NAME *gen = sk_GENERAL_NAME_value(dp->CRLissuer, i);
336 if (gen->type == GEN_DIRNAME)
337 {
338 iname = gen->d.directoryName;
339 break;
340 }
341 }
342 if (!iname)
343 iname = X509_get_issuer_name(x);
344
345 DIST_POINT_set_dpname(dp->distpoint, iname);
346
347 }
348
349static void setup_crldp(X509 *x)
350 {
351 int i;
352 x->crldp = X509_get_ext_d2i(x, NID_crl_distribution_points, NULL, NULL);
353 for (i = 0; i < sk_DIST_POINT_num(x->crldp); i++)
354 setup_dp(x, sk_DIST_POINT_value(x->crldp, i));
355 }
356
357static void x509v3_cache_extensions(X509 *x)
358{
359 BASIC_CONSTRAINTS *bs;
360 PROXY_CERT_INFO_EXTENSION *pci;
361 ASN1_BIT_STRING *usage;
362 ASN1_BIT_STRING *ns;
363 EXTENDED_KEY_USAGE *extusage;
364 X509_EXTENSION *ex;
365
366 int i;
367 if(x->ex_flags & EXFLAG_SET) return;
368#ifndef OPENSSL_NO_SHA
369 X509_digest(x, EVP_sha1(), x->sha1_hash, NULL);
370#endif
371 /* Does subject name match issuer ? */
372 if(!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x)))
373 x->ex_flags |= EXFLAG_SI;
374 /* V1 should mean no extensions ... */
375 if(!X509_get_version(x)) x->ex_flags |= EXFLAG_V1;
376 /* Handle basic constraints */
377 if((bs=X509_get_ext_d2i(x, NID_basic_constraints, NULL, NULL))) {
378 if(bs->ca) x->ex_flags |= EXFLAG_CA;
379 if(bs->pathlen) {
380 if((bs->pathlen->type == V_ASN1_NEG_INTEGER)
381 || !bs->ca) {
382 x->ex_flags |= EXFLAG_INVALID;
383 x->ex_pathlen = 0;
384 } else x->ex_pathlen = ASN1_INTEGER_get(bs->pathlen);
385 } else x->ex_pathlen = -1;
386 BASIC_CONSTRAINTS_free(bs);
387 x->ex_flags |= EXFLAG_BCONS;
388 }
389 /* Handle proxy certificates */
390 if((pci=X509_get_ext_d2i(x, NID_proxyCertInfo, NULL, NULL))) {
391 if (x->ex_flags & EXFLAG_CA
392 || X509_get_ext_by_NID(x, NID_subject_alt_name, 0) >= 0
393 || X509_get_ext_by_NID(x, NID_issuer_alt_name, 0) >= 0) {
394 x->ex_flags |= EXFLAG_INVALID;
395 }
396 if (pci->pcPathLengthConstraint) {
397 x->ex_pcpathlen =
398 ASN1_INTEGER_get(pci->pcPathLengthConstraint);
399 } else x->ex_pcpathlen = -1;
400 PROXY_CERT_INFO_EXTENSION_free(pci);
401 x->ex_flags |= EXFLAG_PROXY;
402 }
403 /* Handle key usage */
404 if((usage=X509_get_ext_d2i(x, NID_key_usage, NULL, NULL))) {
405 if(usage->length > 0) {
406 x->ex_kusage = usage->data[0];
407 if(usage->length > 1)
408 x->ex_kusage |= usage->data[1] << 8;
409 } else x->ex_kusage = 0;
410 x->ex_flags |= EXFLAG_KUSAGE;
411 ASN1_BIT_STRING_free(usage);
412 }
413 x->ex_xkusage = 0;
414 if((extusage=X509_get_ext_d2i(x, NID_ext_key_usage, NULL, NULL))) {
415 x->ex_flags |= EXFLAG_XKUSAGE;
416 for(i = 0; i < sk_ASN1_OBJECT_num(extusage); i++) {
417 switch(OBJ_obj2nid(sk_ASN1_OBJECT_value(extusage,i))) {
418 case NID_server_auth:
419 x->ex_xkusage |= XKU_SSL_SERVER;
420 break;
421
422 case NID_client_auth:
423 x->ex_xkusage |= XKU_SSL_CLIENT;
424 break;
425
426 case NID_email_protect:
427 x->ex_xkusage |= XKU_SMIME;
428 break;
429
430 case NID_code_sign:
431 x->ex_xkusage |= XKU_CODE_SIGN;
432 break;
433
434 case NID_ms_sgc:
435 case NID_ns_sgc:
436 x->ex_xkusage |= XKU_SGC;
437 break;
438
439 case NID_OCSP_sign:
440 x->ex_xkusage |= XKU_OCSP_SIGN;
441 break;
442
443 case NID_time_stamp:
444 x->ex_xkusage |= XKU_TIMESTAMP;
445 break;
446
447 case NID_dvcs:
448 x->ex_xkusage |= XKU_DVCS;
449 break;
450 }
451 }
452 sk_ASN1_OBJECT_pop_free(extusage, ASN1_OBJECT_free);
453 }
454
455 if((ns=X509_get_ext_d2i(x, NID_netscape_cert_type, NULL, NULL))) {
456 if(ns->length > 0) x->ex_nscert = ns->data[0];
457 else x->ex_nscert = 0;
458 x->ex_flags |= EXFLAG_NSCERT;
459 ASN1_BIT_STRING_free(ns);
460 }
461 x->skid =X509_get_ext_d2i(x, NID_subject_key_identifier, NULL, NULL);
462 x->akid =X509_get_ext_d2i(x, NID_authority_key_identifier, NULL, NULL);
463 x->altname = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
464 x->nc = X509_get_ext_d2i(x, NID_name_constraints, &i, NULL);
465 if (!x->nc && (i != -1))
466 x->ex_flags |= EXFLAG_INVALID;
467 setup_crldp(x);
468
469#ifndef OPENSSL_NO_RFC3779
470 x->rfc3779_addr =X509_get_ext_d2i(x, NID_sbgp_ipAddrBlock, NULL, NULL);
471 x->rfc3779_asid =X509_get_ext_d2i(x, NID_sbgp_autonomousSysNum,
472 NULL, NULL);
473#endif
474 for (i = 0; i < X509_get_ext_count(x); i++)
475 {
476 ex = X509_get_ext(x, i);
477 if (!X509_EXTENSION_get_critical(ex))
478 continue;
479 if (OBJ_obj2nid(X509_EXTENSION_get_object(ex))
480 == NID_freshest_crl)
481 x->ex_flags |= EXFLAG_FRESHEST;
482 if (!X509_supported_extension(ex))
483 {
484 x->ex_flags |= EXFLAG_CRITICAL;
485 break;
486 }
487 }
488 x->ex_flags |= EXFLAG_SET;
489}
490
491/* CA checks common to all purposes
492 * return codes:
493 * 0 not a CA
494 * 1 is a CA
495 * 2 basicConstraints absent so "maybe" a CA
496 * 3 basicConstraints absent but self signed V1.
497 * 4 basicConstraints absent but keyUsage present and keyCertSign asserted.
498 */
499
500#define V1_ROOT (EXFLAG_V1|EXFLAG_SS)
501#define ku_reject(x, usage) \
502 (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage)))
503#define xku_reject(x, usage) \
504 (((x)->ex_flags & EXFLAG_XKUSAGE) && !((x)->ex_xkusage & (usage)))
505#define ns_reject(x, usage) \
506 (((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage)))
507
508static int check_ca(const X509 *x)
509{
510 /* keyUsage if present should allow cert signing */
511 if(ku_reject(x, KU_KEY_CERT_SIGN)) return 0;
512 if(x->ex_flags & EXFLAG_BCONS) {
513 if(x->ex_flags & EXFLAG_CA) return 1;
514 /* If basicConstraints says not a CA then say so */
515 else return 0;
516 } else {
517 /* we support V1 roots for... uh, I don't really know why. */
518 if((x->ex_flags & V1_ROOT) == V1_ROOT) return 3;
519 /* If key usage present it must have certSign so tolerate it */
520 else if (x->ex_flags & EXFLAG_KUSAGE) return 4;
521 /* Older certificates could have Netscape-specific CA types */
522 else if (x->ex_flags & EXFLAG_NSCERT
523 && x->ex_nscert & NS_ANY_CA) return 5;
524 /* can this still be regarded a CA certificate? I doubt it */
525 return 0;
526 }
527}
528
529int X509_check_ca(X509 *x)
530{
531 if(!(x->ex_flags & EXFLAG_SET)) {
532 CRYPTO_w_lock(CRYPTO_LOCK_X509);
533 x509v3_cache_extensions(x);
534 CRYPTO_w_unlock(CRYPTO_LOCK_X509);
535 }
536
537 return check_ca(x);
538}
539
540/* Check SSL CA: common checks for SSL client and server */
541static int check_ssl_ca(const X509 *x)
542{
543 int ca_ret;
544 ca_ret = check_ca(x);
545 if(!ca_ret) return 0;
546 /* check nsCertType if present */
547 if(ca_ret != 5 || x->ex_nscert & NS_SSL_CA) return ca_ret;
548 else return 0;
549}
550
551
552static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, int ca)
553{
554 if(xku_reject(x,XKU_SSL_CLIENT)) return 0;
555 if(ca) return check_ssl_ca(x);
556 /* We need to do digital signatures with it */
557 if(ku_reject(x,KU_DIGITAL_SIGNATURE)) return 0;
558 /* nsCertType if present should allow SSL client use */
559 if(ns_reject(x, NS_SSL_CLIENT)) return 0;
560 return 1;
561}
562
563static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca)
564{
565 if(xku_reject(x,XKU_SSL_SERVER|XKU_SGC)) return 0;
566 if(ca) return check_ssl_ca(x);
567
568 if(ns_reject(x, NS_SSL_SERVER)) return 0;
569 /* Now as for keyUsage: we'll at least need to sign OR encipher */
570 if(ku_reject(x, KU_DIGITAL_SIGNATURE|KU_KEY_ENCIPHERMENT)) return 0;
571
572 return 1;
573
574}
575
576static int check_purpose_ns_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca)
577{
578 int ret;
579 ret = check_purpose_ssl_server(xp, x, ca);
580 if(!ret || ca) return ret;
581 /* We need to encipher or Netscape complains */
582 if(ku_reject(x, KU_KEY_ENCIPHERMENT)) return 0;
583 return ret;
584}
585
586/* common S/MIME checks */
587static int purpose_smime(const X509 *x, int ca)
588{
589 if(xku_reject(x,XKU_SMIME)) return 0;
590 if(ca) {
591 int ca_ret;
592 ca_ret = check_ca(x);
593 if(!ca_ret) return 0;
594 /* check nsCertType if present */
595 if(ca_ret != 5 || x->ex_nscert & NS_SMIME_CA) return ca_ret;
596 else return 0;
597 }
598 if(x->ex_flags & EXFLAG_NSCERT) {
599 if(x->ex_nscert & NS_SMIME) return 1;
600 /* Workaround for some buggy certificates */
601 if(x->ex_nscert & NS_SSL_CLIENT) return 2;
602 return 0;
603 }
604 return 1;
605}
606
607static int check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x, int ca)
608{
609 int ret;
610 ret = purpose_smime(x, ca);
611 if(!ret || ca) return ret;
612 if(ku_reject(x, KU_DIGITAL_SIGNATURE|KU_NON_REPUDIATION)) return 0;
613 return ret;
614}
615
616static int check_purpose_smime_encrypt(const X509_PURPOSE *xp, const X509 *x, int ca)
617{
618 int ret;
619 ret = purpose_smime(x, ca);
620 if(!ret || ca) return ret;
621 if(ku_reject(x, KU_KEY_ENCIPHERMENT)) return 0;
622 return ret;
623}
624
625static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x, int ca)
626{
627 if(ca) {
628 int ca_ret;
629 if((ca_ret = check_ca(x)) != 2) return ca_ret;
630 else return 0;
631 }
632 if(ku_reject(x, KU_CRL_SIGN)) return 0;
633 return 1;
634}
635
636/* OCSP helper: this is *not* a full OCSP check. It just checks that
637 * each CA is valid. Additional checks must be made on the chain.
638 */
639
640static int ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca)
641{
642 /* Must be a valid CA. Should we really support the "I don't know"
643 value (2)? */
644 if(ca) return check_ca(x);
645 /* leaf certificate is checked in OCSP_verify() */
646 return 1;
647}
648
649static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x,
650 int ca)
651{
652 int i_ext;
653
654 /* If ca is true we must return if this is a valid CA certificate. */
655 if (ca) return check_ca(x);
656
657 /*
658 * Check the optional key usage field:
659 * if Key Usage is present, it must be one of digitalSignature
660 * and/or nonRepudiation (other values are not consistent and shall
661 * be rejected).
662 */
663 if ((x->ex_flags & EXFLAG_KUSAGE)
664 && ((x->ex_kusage & ~(KU_NON_REPUDIATION | KU_DIGITAL_SIGNATURE)) ||
665 !(x->ex_kusage & (KU_NON_REPUDIATION | KU_DIGITAL_SIGNATURE))))
666 return 0;
667
668 /* Only time stamp key usage is permitted and it's required. */
669 if (!(x->ex_flags & EXFLAG_XKUSAGE) || x->ex_xkusage != XKU_TIMESTAMP)
670 return 0;
671
672 /* Extended Key Usage MUST be critical */
673 i_ext = X509_get_ext_by_NID((X509 *) x, NID_ext_key_usage, 0);
674 if (i_ext >= 0)
675 {
676 X509_EXTENSION *ext = X509_get_ext((X509 *) x, i_ext);
677 if (!X509_EXTENSION_get_critical(ext))
678 return 0;
679 }
680
681 return 1;
682}
683
684static int no_check(const X509_PURPOSE *xp, const X509 *x, int ca)
685{
686 return 1;
687}
688
689/* Various checks to see if one certificate issued the second.
690 * This can be used to prune a set of possible issuer certificates
691 * which have been looked up using some simple method such as by
692 * subject name.
693 * These are:
694 * 1. Check issuer_name(subject) == subject_name(issuer)
695 * 2. If akid(subject) exists check it matches issuer
696 * 3. If key_usage(issuer) exists check it supports certificate signing
697 * returns 0 for OK, positive for reason for mismatch, reasons match
698 * codes for X509_verify_cert()
699 */
700
701int X509_check_issued(X509 *issuer, X509 *subject)
702{
703 if(X509_NAME_cmp(X509_get_subject_name(issuer),
704 X509_get_issuer_name(subject)))
705 return X509_V_ERR_SUBJECT_ISSUER_MISMATCH;
706 x509v3_cache_extensions(issuer);
707 x509v3_cache_extensions(subject);
708
709 if(subject->akid)
710 {
711 int ret = X509_check_akid(issuer, subject->akid);
712 if (ret != X509_V_OK)
713 return ret;
714 }
715
716 if(subject->ex_flags & EXFLAG_PROXY)
717 {
718 if(ku_reject(issuer, KU_DIGITAL_SIGNATURE))
719 return X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE;
720 }
721 else if(ku_reject(issuer, KU_KEY_CERT_SIGN))
722 return X509_V_ERR_KEYUSAGE_NO_CERTSIGN;
723 return X509_V_OK;
724}
725
726int X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid)
727 {
728
729 if(!akid)
730 return X509_V_OK;
731
732 /* Check key ids (if present) */
733 if(akid->keyid && issuer->skid &&
734 ASN1_OCTET_STRING_cmp(akid->keyid, issuer->skid) )
735 return X509_V_ERR_AKID_SKID_MISMATCH;
736 /* Check serial number */
737 if(akid->serial &&
738 ASN1_INTEGER_cmp(X509_get_serialNumber(issuer), akid->serial))
739 return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
740 /* Check issuer name */
741 if(akid->issuer)
742 {
743 /* Ugh, for some peculiar reason AKID includes
744 * SEQUENCE OF GeneralName. So look for a DirName.
745 * There may be more than one but we only take any
746 * notice of the first.
747 */
748 GENERAL_NAMES *gens;
749 GENERAL_NAME *gen;
750 X509_NAME *nm = NULL;
751 int i;
752 gens = akid->issuer;
753 for(i = 0; i < sk_GENERAL_NAME_num(gens); i++)
754 {
755 gen = sk_GENERAL_NAME_value(gens, i);
756 if(gen->type == GEN_DIRNAME)
757 {
758 nm = gen->d.dirn;
759 break;
760 }
761 }
762 if(nm && X509_NAME_cmp(nm, X509_get_issuer_name(issuer)))
763 return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
764 }
765 return X509_V_OK;
766 }
767
diff --git a/src/lib/libcrypto/x509v3/v3_skey.c b/src/lib/libcrypto/x509v3/v3_skey.c
deleted file mode 100644
index 202c9e4896..0000000000
--- a/src/lib/libcrypto/x509v3/v3_skey.c
+++ /dev/null
@@ -1,144 +0,0 @@
1/* v3_skey.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59
60#include <stdio.h>
61#include "cryptlib.h"
62#include <openssl/x509v3.h>
63
64static ASN1_OCTET_STRING *s2i_skey_id(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *str);
65const X509V3_EXT_METHOD v3_skey_id = {
66NID_subject_key_identifier, 0, ASN1_ITEM_ref(ASN1_OCTET_STRING),
670,0,0,0,
68(X509V3_EXT_I2S)i2s_ASN1_OCTET_STRING,
69(X509V3_EXT_S2I)s2i_skey_id,
700,0,0,0,
71NULL};
72
73char *i2s_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method,
74 ASN1_OCTET_STRING *oct)
75{
76 return hex_to_string(oct->data, oct->length);
77}
78
79ASN1_OCTET_STRING *s2i_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method,
80 X509V3_CTX *ctx, char *str)
81{
82 ASN1_OCTET_STRING *oct;
83 long length;
84
85 if(!(oct = M_ASN1_OCTET_STRING_new())) {
86 X509V3err(X509V3_F_S2I_ASN1_OCTET_STRING,ERR_R_MALLOC_FAILURE);
87 return NULL;
88 }
89
90 if(!(oct->data = string_to_hex(str, &length))) {
91 M_ASN1_OCTET_STRING_free(oct);
92 return NULL;
93 }
94
95 oct->length = length;
96
97 return oct;
98
99}
100
101static ASN1_OCTET_STRING *s2i_skey_id(X509V3_EXT_METHOD *method,
102 X509V3_CTX *ctx, char *str)
103{
104 ASN1_OCTET_STRING *oct;
105 ASN1_BIT_STRING *pk;
106 unsigned char pkey_dig[EVP_MAX_MD_SIZE];
107 unsigned int diglen;
108
109 if(strcmp(str, "hash")) return s2i_ASN1_OCTET_STRING(method, ctx, str);
110
111 if(!(oct = M_ASN1_OCTET_STRING_new())) {
112 X509V3err(X509V3_F_S2I_SKEY_ID,ERR_R_MALLOC_FAILURE);
113 return NULL;
114 }
115
116 if(ctx && (ctx->flags == CTX_TEST)) return oct;
117
118 if(!ctx || (!ctx->subject_req && !ctx->subject_cert)) {
119 X509V3err(X509V3_F_S2I_SKEY_ID,X509V3_R_NO_PUBLIC_KEY);
120 goto err;
121 }
122
123 if(ctx->subject_req)
124 pk = ctx->subject_req->req_info->pubkey->public_key;
125 else pk = ctx->subject_cert->cert_info->key->public_key;
126
127 if(!pk) {
128 X509V3err(X509V3_F_S2I_SKEY_ID,X509V3_R_NO_PUBLIC_KEY);
129 goto err;
130 }
131
132 EVP_Digest(pk->data, pk->length, pkey_dig, &diglen, EVP_sha1(), NULL);
133
134 if(!M_ASN1_OCTET_STRING_set(oct, pkey_dig, diglen)) {
135 X509V3err(X509V3_F_S2I_SKEY_ID,ERR_R_MALLOC_FAILURE);
136 goto err;
137 }
138
139 return oct;
140
141 err:
142 M_ASN1_OCTET_STRING_free(oct);
143 return NULL;
144}
diff --git a/src/lib/libcrypto/x509v3/v3_sxnet.c b/src/lib/libcrypto/x509v3/v3_sxnet.c
deleted file mode 100644
index 2a6bf11b65..0000000000
--- a/src/lib/libcrypto/x509v3/v3_sxnet.c
+++ /dev/null
@@ -1,262 +0,0 @@
1/* v3_sxnet.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/conf.h>
62#include <openssl/asn1.h>
63#include <openssl/asn1t.h>
64#include <openssl/x509v3.h>
65
66/* Support for Thawte strong extranet extension */
67
68#define SXNET_TEST
69
70static int sxnet_i2r(X509V3_EXT_METHOD *method, SXNET *sx, BIO *out, int indent);
71#ifdef SXNET_TEST
72static SXNET * sxnet_v2i(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
73 STACK_OF(CONF_VALUE) *nval);
74#endif
75const X509V3_EXT_METHOD v3_sxnet = {
76NID_sxnet, X509V3_EXT_MULTILINE, ASN1_ITEM_ref(SXNET),
770,0,0,0,
780,0,
790,
80#ifdef SXNET_TEST
81(X509V3_EXT_V2I)sxnet_v2i,
82#else
830,
84#endif
85(X509V3_EXT_I2R)sxnet_i2r,
860,
87NULL
88};
89
90ASN1_SEQUENCE(SXNETID) = {
91 ASN1_SIMPLE(SXNETID, zone, ASN1_INTEGER),
92 ASN1_SIMPLE(SXNETID, user, ASN1_OCTET_STRING)
93} ASN1_SEQUENCE_END(SXNETID)
94
95IMPLEMENT_ASN1_FUNCTIONS(SXNETID)
96
97ASN1_SEQUENCE(SXNET) = {
98 ASN1_SIMPLE(SXNET, version, ASN1_INTEGER),
99 ASN1_SEQUENCE_OF(SXNET, ids, SXNETID)
100} ASN1_SEQUENCE_END(SXNET)
101
102IMPLEMENT_ASN1_FUNCTIONS(SXNET)
103
104static int sxnet_i2r(X509V3_EXT_METHOD *method, SXNET *sx, BIO *out,
105 int indent)
106{
107 long v;
108 char *tmp;
109 SXNETID *id;
110 int i;
111 v = ASN1_INTEGER_get(sx->version);
112 BIO_printf(out, "%*sVersion: %ld (0x%lX)", indent, "", v + 1, v);
113 for(i = 0; i < sk_SXNETID_num(sx->ids); i++) {
114 id = sk_SXNETID_value(sx->ids, i);
115 tmp = i2s_ASN1_INTEGER(NULL, id->zone);
116 BIO_printf(out, "\n%*sZone: %s, User: ", indent, "", tmp);
117 OPENSSL_free(tmp);
118 M_ASN1_OCTET_STRING_print(out, id->user);
119 }
120 return 1;
121}
122
123#ifdef SXNET_TEST
124
125/* NBB: this is used for testing only. It should *not* be used for anything
126 * else because it will just take static IDs from the configuration file and
127 * they should really be separate values for each user.
128 */
129
130
131static SXNET * sxnet_v2i(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
132 STACK_OF(CONF_VALUE) *nval)
133{
134 CONF_VALUE *cnf;
135 SXNET *sx = NULL;
136 int i;
137 for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
138 cnf = sk_CONF_VALUE_value(nval, i);
139 if(!SXNET_add_id_asc(&sx, cnf->name, cnf->value, -1))
140 return NULL;
141 }
142 return sx;
143}
144
145
146#endif
147
148/* Strong Extranet utility functions */
149
150/* Add an id given the zone as an ASCII number */
151
152int SXNET_add_id_asc(SXNET **psx, char *zone, char *user,
153 int userlen)
154{
155 ASN1_INTEGER *izone = NULL;
156 if(!(izone = s2i_ASN1_INTEGER(NULL, zone))) {
157 X509V3err(X509V3_F_SXNET_ADD_ID_ASC,X509V3_R_ERROR_CONVERTING_ZONE);
158 return 0;
159 }
160 return SXNET_add_id_INTEGER(psx, izone, user, userlen);
161}
162
163/* Add an id given the zone as an unsigned long */
164
165int SXNET_add_id_ulong(SXNET **psx, unsigned long lzone, char *user,
166 int userlen)
167{
168 ASN1_INTEGER *izone = NULL;
169 if(!(izone = M_ASN1_INTEGER_new()) || !ASN1_INTEGER_set(izone, lzone)) {
170 X509V3err(X509V3_F_SXNET_ADD_ID_ULONG,ERR_R_MALLOC_FAILURE);
171 M_ASN1_INTEGER_free(izone);
172 return 0;
173 }
174 return SXNET_add_id_INTEGER(psx, izone, user, userlen);
175
176}
177
178/* Add an id given the zone as an ASN1_INTEGER.
179 * Note this version uses the passed integer and doesn't make a copy so don't
180 * free it up afterwards.
181 */
182
183int SXNET_add_id_INTEGER(SXNET **psx, ASN1_INTEGER *zone, char *user,
184 int userlen)
185{
186 SXNET *sx = NULL;
187 SXNETID *id = NULL;
188 if(!psx || !zone || !user) {
189 X509V3err(X509V3_F_SXNET_ADD_ID_INTEGER,X509V3_R_INVALID_NULL_ARGUMENT);
190 return 0;
191 }
192 if(userlen == -1) userlen = strlen(user);
193 if(userlen > 64) {
194 X509V3err(X509V3_F_SXNET_ADD_ID_INTEGER,X509V3_R_USER_TOO_LONG);
195 return 0;
196 }
197 if(!*psx) {
198 if(!(sx = SXNET_new())) goto err;
199 if(!ASN1_INTEGER_set(sx->version, 0)) goto err;
200 *psx = sx;
201 } else sx = *psx;
202 if(SXNET_get_id_INTEGER(sx, zone)) {
203 X509V3err(X509V3_F_SXNET_ADD_ID_INTEGER,X509V3_R_DUPLICATE_ZONE_ID);
204 return 0;
205 }
206
207 if(!(id = SXNETID_new())) goto err;
208 if(userlen == -1) userlen = strlen(user);
209
210 if(!M_ASN1_OCTET_STRING_set(id->user, user, userlen)) goto err;
211 if(!sk_SXNETID_push(sx->ids, id)) goto err;
212 id->zone = zone;
213 return 1;
214
215 err:
216 X509V3err(X509V3_F_SXNET_ADD_ID_INTEGER,ERR_R_MALLOC_FAILURE);
217 SXNETID_free(id);
218 SXNET_free(sx);
219 *psx = NULL;
220 return 0;
221}
222
223ASN1_OCTET_STRING *SXNET_get_id_asc(SXNET *sx, char *zone)
224{
225 ASN1_INTEGER *izone = NULL;
226 ASN1_OCTET_STRING *oct;
227 if(!(izone = s2i_ASN1_INTEGER(NULL, zone))) {
228 X509V3err(X509V3_F_SXNET_GET_ID_ASC,X509V3_R_ERROR_CONVERTING_ZONE);
229 return NULL;
230 }
231 oct = SXNET_get_id_INTEGER(sx, izone);
232 M_ASN1_INTEGER_free(izone);
233 return oct;
234}
235
236ASN1_OCTET_STRING *SXNET_get_id_ulong(SXNET *sx, unsigned long lzone)
237{
238 ASN1_INTEGER *izone = NULL;
239 ASN1_OCTET_STRING *oct;
240 if(!(izone = M_ASN1_INTEGER_new()) || !ASN1_INTEGER_set(izone, lzone)) {
241 X509V3err(X509V3_F_SXNET_GET_ID_ULONG,ERR_R_MALLOC_FAILURE);
242 M_ASN1_INTEGER_free(izone);
243 return NULL;
244 }
245 oct = SXNET_get_id_INTEGER(sx, izone);
246 M_ASN1_INTEGER_free(izone);
247 return oct;
248}
249
250ASN1_OCTET_STRING *SXNET_get_id_INTEGER(SXNET *sx, ASN1_INTEGER *zone)
251{
252 SXNETID *id;
253 int i;
254 for(i = 0; i < sk_SXNETID_num(sx->ids); i++) {
255 id = sk_SXNETID_value(sx->ids, i);
256 if(!M_ASN1_INTEGER_cmp(id->zone, zone)) return id->user;
257 }
258 return NULL;
259}
260
261IMPLEMENT_STACK_OF(SXNETID)
262IMPLEMENT_ASN1_SET_OF(SXNETID)
diff --git a/src/lib/libcrypto/x509v3/v3_utl.c b/src/lib/libcrypto/x509v3/v3_utl.c
deleted file mode 100644
index e030234540..0000000000
--- a/src/lib/libcrypto/x509v3/v3_utl.c
+++ /dev/null
@@ -1,874 +0,0 @@
1/* v3_utl.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project.
4 */
5/* ====================================================================
6 * Copyright (c) 1999-2003 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58/* X509 v3 extension utilities */
59
60
61#include <stdio.h>
62#include <ctype.h>
63#include "cryptlib.h"
64#include <openssl/conf.h>
65#include <openssl/x509v3.h>
66#include <openssl/bn.h>
67
68static char *strip_spaces(char *name);
69static int sk_strcmp(const char * const *a, const char * const *b);
70static STACK_OF(OPENSSL_STRING) *get_email(X509_NAME *name, GENERAL_NAMES *gens);
71static void str_free(OPENSSL_STRING str);
72static int append_ia5(STACK_OF(OPENSSL_STRING) **sk, ASN1_IA5STRING *email);
73
74static int ipv4_from_asc(unsigned char *v4, const char *in);
75static int ipv6_from_asc(unsigned char *v6, const char *in);
76static int ipv6_cb(const char *elem, int len, void *usr);
77static int ipv6_hex(unsigned char *out, const char *in, int inlen);
78
79/* Add a CONF_VALUE name value pair to stack */
80
81int X509V3_add_value(const char *name, const char *value,
82 STACK_OF(CONF_VALUE) **extlist)
83{
84 CONF_VALUE *vtmp = NULL;
85 char *tname = NULL, *tvalue = NULL;
86 if(name && !(tname = BUF_strdup(name))) goto err;
87 if(value && !(tvalue = BUF_strdup(value))) goto err;
88 if(!(vtmp = (CONF_VALUE *)OPENSSL_malloc(sizeof(CONF_VALUE)))) goto err;
89 if(!*extlist && !(*extlist = sk_CONF_VALUE_new_null())) goto err;
90 vtmp->section = NULL;
91 vtmp->name = tname;
92 vtmp->value = tvalue;
93 if(!sk_CONF_VALUE_push(*extlist, vtmp)) goto err;
94 return 1;
95 err:
96 X509V3err(X509V3_F_X509V3_ADD_VALUE,ERR_R_MALLOC_FAILURE);
97 if(vtmp) OPENSSL_free(vtmp);
98 if(tname) OPENSSL_free(tname);
99 if(tvalue) OPENSSL_free(tvalue);
100 return 0;
101}
102
103int X509V3_add_value_uchar(const char *name, const unsigned char *value,
104 STACK_OF(CONF_VALUE) **extlist)
105 {
106 return X509V3_add_value(name,(const char *)value,extlist);
107 }
108
109/* Free function for STACK_OF(CONF_VALUE) */
110
111void X509V3_conf_free(CONF_VALUE *conf)
112{
113 if(!conf) return;
114 if(conf->name) OPENSSL_free(conf->name);
115 if(conf->value) OPENSSL_free(conf->value);
116 if(conf->section) OPENSSL_free(conf->section);
117 OPENSSL_free(conf);
118}
119
120int X509V3_add_value_bool(const char *name, int asn1_bool,
121 STACK_OF(CONF_VALUE) **extlist)
122{
123 if(asn1_bool) return X509V3_add_value(name, "TRUE", extlist);
124 return X509V3_add_value(name, "FALSE", extlist);
125}
126
127int X509V3_add_value_bool_nf(char *name, int asn1_bool,
128 STACK_OF(CONF_VALUE) **extlist)
129{
130 if(asn1_bool) return X509V3_add_value(name, "TRUE", extlist);
131 return 1;
132}
133
134
135char *i2s_ASN1_ENUMERATED(X509V3_EXT_METHOD *method, ASN1_ENUMERATED *a)
136{
137 BIGNUM *bntmp = NULL;
138 char *strtmp = NULL;
139 if(!a) return NULL;
140 if(!(bntmp = ASN1_ENUMERATED_to_BN(a, NULL)) ||
141 !(strtmp = BN_bn2dec(bntmp)) )
142 X509V3err(X509V3_F_I2S_ASN1_ENUMERATED,ERR_R_MALLOC_FAILURE);
143 BN_free(bntmp);
144 return strtmp;
145}
146
147char *i2s_ASN1_INTEGER(X509V3_EXT_METHOD *method, ASN1_INTEGER *a)
148{
149 BIGNUM *bntmp = NULL;
150 char *strtmp = NULL;
151 if(!a) return NULL;
152 if(!(bntmp = ASN1_INTEGER_to_BN(a, NULL)) ||
153 !(strtmp = BN_bn2dec(bntmp)) )
154 X509V3err(X509V3_F_I2S_ASN1_INTEGER,ERR_R_MALLOC_FAILURE);
155 BN_free(bntmp);
156 return strtmp;
157}
158
159ASN1_INTEGER *s2i_ASN1_INTEGER(X509V3_EXT_METHOD *method, char *value)
160{
161 BIGNUM *bn = NULL;
162 ASN1_INTEGER *aint;
163 int isneg, ishex;
164 int ret;
165 if (!value) {
166 X509V3err(X509V3_F_S2I_ASN1_INTEGER,X509V3_R_INVALID_NULL_VALUE);
167 return 0;
168 }
169 bn = BN_new();
170 if (value[0] == '-') {
171 value++;
172 isneg = 1;
173 } else isneg = 0;
174
175 if (value[0] == '0' && ((value[1] == 'x') || (value[1] == 'X'))) {
176 value += 2;
177 ishex = 1;
178 } else ishex = 0;
179
180 if (ishex) ret = BN_hex2bn(&bn, value);
181 else ret = BN_dec2bn(&bn, value);
182
183 if (!ret || value[ret]) {
184 BN_free(bn);
185 X509V3err(X509V3_F_S2I_ASN1_INTEGER,X509V3_R_BN_DEC2BN_ERROR);
186 return 0;
187 }
188
189 if (isneg && BN_is_zero(bn)) isneg = 0;
190
191 aint = BN_to_ASN1_INTEGER(bn, NULL);
192 BN_free(bn);
193 if (!aint) {
194 X509V3err(X509V3_F_S2I_ASN1_INTEGER,X509V3_R_BN_TO_ASN1_INTEGER_ERROR);
195 return 0;
196 }
197 if (isneg) aint->type |= V_ASN1_NEG;
198 return aint;
199}
200
201int X509V3_add_value_int(const char *name, ASN1_INTEGER *aint,
202 STACK_OF(CONF_VALUE) **extlist)
203{
204 char *strtmp;
205 int ret;
206 if(!aint) return 1;
207 if(!(strtmp = i2s_ASN1_INTEGER(NULL, aint))) return 0;
208 ret = X509V3_add_value(name, strtmp, extlist);
209 OPENSSL_free(strtmp);
210 return ret;
211}
212
213int X509V3_get_value_bool(CONF_VALUE *value, int *asn1_bool)
214{
215 char *btmp;
216 if(!(btmp = value->value)) goto err;
217 if(!strcmp(btmp, "TRUE") || !strcmp(btmp, "true")
218 || !strcmp(btmp, "Y") || !strcmp(btmp, "y")
219 || !strcmp(btmp, "YES") || !strcmp(btmp, "yes")) {
220 *asn1_bool = 0xff;
221 return 1;
222 } else if(!strcmp(btmp, "FALSE") || !strcmp(btmp, "false")
223 || !strcmp(btmp, "N") || !strcmp(btmp, "n")
224 || !strcmp(btmp, "NO") || !strcmp(btmp, "no")) {
225 *asn1_bool = 0;
226 return 1;
227 }
228 err:
229 X509V3err(X509V3_F_X509V3_GET_VALUE_BOOL,X509V3_R_INVALID_BOOLEAN_STRING);
230 X509V3_conf_err(value);
231 return 0;
232}
233
234int X509V3_get_value_int(CONF_VALUE *value, ASN1_INTEGER **aint)
235{
236 ASN1_INTEGER *itmp;
237 if(!(itmp = s2i_ASN1_INTEGER(NULL, value->value))) {
238 X509V3_conf_err(value);
239 return 0;
240 }
241 *aint = itmp;
242 return 1;
243}
244
245#define HDR_NAME 1
246#define HDR_VALUE 2
247
248/*#define DEBUG*/
249
250STACK_OF(CONF_VALUE) *X509V3_parse_list(const char *line)
251{
252 char *p, *q, c;
253 char *ntmp, *vtmp;
254 STACK_OF(CONF_VALUE) *values = NULL;
255 char *linebuf;
256 int state;
257 /* We are going to modify the line so copy it first */
258 linebuf = BUF_strdup(line);
259 state = HDR_NAME;
260 ntmp = NULL;
261 /* Go through all characters */
262 for(p = linebuf, q = linebuf; (c = *p) && (c!='\r') && (c!='\n'); p++) {
263
264 switch(state) {
265 case HDR_NAME:
266 if(c == ':') {
267 state = HDR_VALUE;
268 *p = 0;
269 ntmp = strip_spaces(q);
270 if(!ntmp) {
271 X509V3err(X509V3_F_X509V3_PARSE_LIST, X509V3_R_INVALID_NULL_NAME);
272 goto err;
273 }
274 q = p + 1;
275 } else if(c == ',') {
276 *p = 0;
277 ntmp = strip_spaces(q);
278 q = p + 1;
279#if 0
280 printf("%s\n", ntmp);
281#endif
282 if(!ntmp) {
283 X509V3err(X509V3_F_X509V3_PARSE_LIST, X509V3_R_INVALID_NULL_NAME);
284 goto err;
285 }
286 X509V3_add_value(ntmp, NULL, &values);
287 }
288 break ;
289
290 case HDR_VALUE:
291 if(c == ',') {
292 state = HDR_NAME;
293 *p = 0;
294 vtmp = strip_spaces(q);
295#if 0
296 printf("%s\n", ntmp);
297#endif
298 if(!vtmp) {
299 X509V3err(X509V3_F_X509V3_PARSE_LIST, X509V3_R_INVALID_NULL_VALUE);
300 goto err;
301 }
302 X509V3_add_value(ntmp, vtmp, &values);
303 ntmp = NULL;
304 q = p + 1;
305 }
306
307 }
308 }
309
310 if(state == HDR_VALUE) {
311 vtmp = strip_spaces(q);
312#if 0
313 printf("%s=%s\n", ntmp, vtmp);
314#endif
315 if(!vtmp) {
316 X509V3err(X509V3_F_X509V3_PARSE_LIST, X509V3_R_INVALID_NULL_VALUE);
317 goto err;
318 }
319 X509V3_add_value(ntmp, vtmp, &values);
320 } else {
321 ntmp = strip_spaces(q);
322#if 0
323 printf("%s\n", ntmp);
324#endif
325 if(!ntmp) {
326 X509V3err(X509V3_F_X509V3_PARSE_LIST, X509V3_R_INVALID_NULL_NAME);
327 goto err;
328 }
329 X509V3_add_value(ntmp, NULL, &values);
330 }
331OPENSSL_free(linebuf);
332return values;
333
334err:
335OPENSSL_free(linebuf);
336sk_CONF_VALUE_pop_free(values, X509V3_conf_free);
337return NULL;
338
339}
340
341/* Delete leading and trailing spaces from a string */
342static char *strip_spaces(char *name)
343{
344 char *p, *q;
345 /* Skip over leading spaces */
346 p = name;
347 while(*p && isspace((unsigned char)*p)) p++;
348 if(!*p) return NULL;
349 q = p + strlen(p) - 1;
350 while((q != p) && isspace((unsigned char)*q)) q--;
351 if(p != q) q[1] = 0;
352 if(!*p) return NULL;
353 return p;
354}
355
356/* hex string utilities */
357
358/* Given a buffer of length 'len' return a OPENSSL_malloc'ed string with its
359 * hex representation
360 * @@@ (Contents of buffer are always kept in ASCII, also on EBCDIC machines)
361 */
362
363char *hex_to_string(const unsigned char *buffer, long len)
364{
365 char *tmp, *q;
366 const unsigned char *p;
367 int i;
368 const static char hexdig[] = "0123456789ABCDEF";
369 if(!buffer || !len) return NULL;
370 if(!(tmp = OPENSSL_malloc(len * 3 + 1))) {
371 X509V3err(X509V3_F_HEX_TO_STRING,ERR_R_MALLOC_FAILURE);
372 return NULL;
373 }
374 q = tmp;
375 for(i = 0, p = buffer; i < len; i++,p++) {
376 *q++ = hexdig[(*p >> 4) & 0xf];
377 *q++ = hexdig[*p & 0xf];
378 *q++ = ':';
379 }
380 q[-1] = 0;
381#ifdef CHARSET_EBCDIC
382 ebcdic2ascii(tmp, tmp, q - tmp - 1);
383#endif
384
385 return tmp;
386}
387
388/* Give a string of hex digits convert to
389 * a buffer
390 */
391
392unsigned char *string_to_hex(const char *str, long *len)
393{
394 unsigned char *hexbuf, *q;
395 unsigned char ch, cl, *p;
396 if(!str) {
397 X509V3err(X509V3_F_STRING_TO_HEX,X509V3_R_INVALID_NULL_ARGUMENT);
398 return NULL;
399 }
400 if(!(hexbuf = OPENSSL_malloc(strlen(str) >> 1))) goto err;
401 for(p = (unsigned char *)str, q = hexbuf; *p;) {
402 ch = *p++;
403#ifdef CHARSET_EBCDIC
404 ch = os_toebcdic[ch];
405#endif
406 if(ch == ':') continue;
407 cl = *p++;
408#ifdef CHARSET_EBCDIC
409 cl = os_toebcdic[cl];
410#endif
411 if(!cl) {
412 X509V3err(X509V3_F_STRING_TO_HEX,X509V3_R_ODD_NUMBER_OF_DIGITS);
413 OPENSSL_free(hexbuf);
414 return NULL;
415 }
416 if(isupper(ch)) ch = tolower(ch);
417 if(isupper(cl)) cl = tolower(cl);
418
419 if((ch >= '0') && (ch <= '9')) ch -= '0';
420 else if ((ch >= 'a') && (ch <= 'f')) ch -= 'a' - 10;
421 else goto badhex;
422
423 if((cl >= '0') && (cl <= '9')) cl -= '0';
424 else if ((cl >= 'a') && (cl <= 'f')) cl -= 'a' - 10;
425 else goto badhex;
426
427 *q++ = (ch << 4) | cl;
428 }
429
430 if(len) *len = q - hexbuf;
431
432 return hexbuf;
433
434 err:
435 if(hexbuf) OPENSSL_free(hexbuf);
436 X509V3err(X509V3_F_STRING_TO_HEX,ERR_R_MALLOC_FAILURE);
437 return NULL;
438
439 badhex:
440 OPENSSL_free(hexbuf);
441 X509V3err(X509V3_F_STRING_TO_HEX,X509V3_R_ILLEGAL_HEX_DIGIT);
442 return NULL;
443
444}
445
446/* V2I name comparison function: returns zero if 'name' matches
447 * cmp or cmp.*
448 */
449
450int name_cmp(const char *name, const char *cmp)
451{
452 int len, ret;
453 char c;
454 len = strlen(cmp);
455 if((ret = strncmp(name, cmp, len))) return ret;
456 c = name[len];
457 if(!c || (c=='.')) return 0;
458 return 1;
459}
460
461static int sk_strcmp(const char * const *a, const char * const *b)
462{
463 return strcmp(*a, *b);
464}
465
466STACK_OF(OPENSSL_STRING) *X509_get1_email(X509 *x)
467{
468 GENERAL_NAMES *gens;
469 STACK_OF(OPENSSL_STRING) *ret;
470
471 gens = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
472 ret = get_email(X509_get_subject_name(x), gens);
473 sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
474 return ret;
475}
476
477STACK_OF(OPENSSL_STRING) *X509_get1_ocsp(X509 *x)
478{
479 AUTHORITY_INFO_ACCESS *info;
480 STACK_OF(OPENSSL_STRING) *ret = NULL;
481 int i;
482
483 info = X509_get_ext_d2i(x, NID_info_access, NULL, NULL);
484 if (!info)
485 return NULL;
486 for (i = 0; i < sk_ACCESS_DESCRIPTION_num(info); i++)
487 {
488 ACCESS_DESCRIPTION *ad = sk_ACCESS_DESCRIPTION_value(info, i);
489 if (OBJ_obj2nid(ad->method) == NID_ad_OCSP)
490 {
491 if (ad->location->type == GEN_URI)
492 {
493 if (!append_ia5(&ret, ad->location->d.uniformResourceIdentifier))
494 break;
495 }
496 }
497 }
498 AUTHORITY_INFO_ACCESS_free(info);
499 return ret;
500}
501
502STACK_OF(OPENSSL_STRING) *X509_REQ_get1_email(X509_REQ *x)
503{
504 GENERAL_NAMES *gens;
505 STACK_OF(X509_EXTENSION) *exts;
506 STACK_OF(OPENSSL_STRING) *ret;
507
508 exts = X509_REQ_get_extensions(x);
509 gens = X509V3_get_d2i(exts, NID_subject_alt_name, NULL, NULL);
510 ret = get_email(X509_REQ_get_subject_name(x), gens);
511 sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
512 sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
513 return ret;
514}
515
516
517static STACK_OF(OPENSSL_STRING) *get_email(X509_NAME *name, GENERAL_NAMES *gens)
518{
519 STACK_OF(OPENSSL_STRING) *ret = NULL;
520 X509_NAME_ENTRY *ne;
521 ASN1_IA5STRING *email;
522 GENERAL_NAME *gen;
523 int i;
524 /* Now add any email address(es) to STACK */
525 i = -1;
526 /* First supplied X509_NAME */
527 while((i = X509_NAME_get_index_by_NID(name,
528 NID_pkcs9_emailAddress, i)) >= 0) {
529 ne = X509_NAME_get_entry(name, i);
530 email = X509_NAME_ENTRY_get_data(ne);
531 if(!append_ia5(&ret, email)) return NULL;
532 }
533 for(i = 0; i < sk_GENERAL_NAME_num(gens); i++)
534 {
535 gen = sk_GENERAL_NAME_value(gens, i);
536 if(gen->type != GEN_EMAIL) continue;
537 if(!append_ia5(&ret, gen->d.ia5)) return NULL;
538 }
539 return ret;
540}
541
542static void str_free(OPENSSL_STRING str)
543{
544 OPENSSL_free(str);
545}
546
547static int append_ia5(STACK_OF(OPENSSL_STRING) **sk, ASN1_IA5STRING *email)
548{
549 char *emtmp;
550 /* First some sanity checks */
551 if(email->type != V_ASN1_IA5STRING) return 1;
552 if(!email->data || !email->length) return 1;
553 if(!*sk) *sk = sk_OPENSSL_STRING_new(sk_strcmp);
554 if(!*sk) return 0;
555 /* Don't add duplicates */
556 if(sk_OPENSSL_STRING_find(*sk, (char *)email->data) != -1) return 1;
557 emtmp = BUF_strdup((char *)email->data);
558 if(!emtmp || !sk_OPENSSL_STRING_push(*sk, emtmp)) {
559 X509_email_free(*sk);
560 *sk = NULL;
561 return 0;
562 }
563 return 1;
564}
565
566void X509_email_free(STACK_OF(OPENSSL_STRING) *sk)
567{
568 sk_OPENSSL_STRING_pop_free(sk, str_free);
569}
570
571/* Convert IP addresses both IPv4 and IPv6 into an
572 * OCTET STRING compatible with RFC3280.
573 */
574
575ASN1_OCTET_STRING *a2i_IPADDRESS(const char *ipasc)
576 {
577 unsigned char ipout[16];
578 ASN1_OCTET_STRING *ret;
579 int iplen;
580
581 /* If string contains a ':' assume IPv6 */
582
583 iplen = a2i_ipadd(ipout, ipasc);
584
585 if (!iplen)
586 return NULL;
587
588 ret = ASN1_OCTET_STRING_new();
589 if (!ret)
590 return NULL;
591 if (!ASN1_OCTET_STRING_set(ret, ipout, iplen))
592 {
593 ASN1_OCTET_STRING_free(ret);
594 return NULL;
595 }
596 return ret;
597 }
598
599ASN1_OCTET_STRING *a2i_IPADDRESS_NC(const char *ipasc)
600 {
601 ASN1_OCTET_STRING *ret = NULL;
602 unsigned char ipout[32];
603 char *iptmp = NULL, *p;
604 int iplen1, iplen2;
605 p = strchr(ipasc,'/');
606 if (!p)
607 return NULL;
608 iptmp = BUF_strdup(ipasc);
609 if (!iptmp)
610 return NULL;
611 p = iptmp + (p - ipasc);
612 *p++ = 0;
613
614 iplen1 = a2i_ipadd(ipout, iptmp);
615
616 if (!iplen1)
617 goto err;
618
619 iplen2 = a2i_ipadd(ipout + iplen1, p);
620
621 OPENSSL_free(iptmp);
622 iptmp = NULL;
623
624 if (!iplen2 || (iplen1 != iplen2))
625 goto err;
626
627 ret = ASN1_OCTET_STRING_new();
628 if (!ret)
629 goto err;
630 if (!ASN1_OCTET_STRING_set(ret, ipout, iplen1 + iplen2))
631 goto err;
632
633 return ret;
634
635 err:
636 if (iptmp)
637 OPENSSL_free(iptmp);
638 if (ret)
639 ASN1_OCTET_STRING_free(ret);
640 return NULL;
641 }
642
643
644int a2i_ipadd(unsigned char *ipout, const char *ipasc)
645 {
646 /* If string contains a ':' assume IPv6 */
647
648 if (strchr(ipasc, ':'))
649 {
650 if (!ipv6_from_asc(ipout, ipasc))
651 return 0;
652 return 16;
653 }
654 else
655 {
656 if (!ipv4_from_asc(ipout, ipasc))
657 return 0;
658 return 4;
659 }
660 }
661
662static int ipv4_from_asc(unsigned char *v4, const char *in)
663 {
664 int a0, a1, a2, a3;
665 if (sscanf(in, "%d.%d.%d.%d", &a0, &a1, &a2, &a3) != 4)
666 return 0;
667 if ((a0 < 0) || (a0 > 255) || (a1 < 0) || (a1 > 255)
668 || (a2 < 0) || (a2 > 255) || (a3 < 0) || (a3 > 255))
669 return 0;
670 v4[0] = a0;
671 v4[1] = a1;
672 v4[2] = a2;
673 v4[3] = a3;
674 return 1;
675 }
676
677typedef struct {
678 /* Temporary store for IPV6 output */
679 unsigned char tmp[16];
680 /* Total number of bytes in tmp */
681 int total;
682 /* The position of a zero (corresponding to '::') */
683 int zero_pos;
684 /* Number of zeroes */
685 int zero_cnt;
686 } IPV6_STAT;
687
688
689static int ipv6_from_asc(unsigned char *v6, const char *in)
690 {
691 IPV6_STAT v6stat;
692 v6stat.total = 0;
693 v6stat.zero_pos = -1;
694 v6stat.zero_cnt = 0;
695 /* Treat the IPv6 representation as a list of values
696 * separated by ':'. The presence of a '::' will parse
697 * as one, two or three zero length elements.
698 */
699 if (!CONF_parse_list(in, ':', 0, ipv6_cb, &v6stat))
700 return 0;
701
702 /* Now for some sanity checks */
703
704 if (v6stat.zero_pos == -1)
705 {
706 /* If no '::' must have exactly 16 bytes */
707 if (v6stat.total != 16)
708 return 0;
709 }
710 else
711 {
712 /* If '::' must have less than 16 bytes */
713 if (v6stat.total == 16)
714 return 0;
715 /* More than three zeroes is an error */
716 if (v6stat.zero_cnt > 3)
717 return 0;
718 /* Can only have three zeroes if nothing else present */
719 else if (v6stat.zero_cnt == 3)
720 {
721 if (v6stat.total > 0)
722 return 0;
723 }
724 /* Can only have two zeroes if at start or end */
725 else if (v6stat.zero_cnt == 2)
726 {
727 if ((v6stat.zero_pos != 0)
728 && (v6stat.zero_pos != v6stat.total))
729 return 0;
730 }
731 else
732 /* Can only have one zero if *not* start or end */
733 {
734 if ((v6stat.zero_pos == 0)
735 || (v6stat.zero_pos == v6stat.total))
736 return 0;
737 }
738 }
739
740 /* Format result */
741
742 if (v6stat.zero_pos >= 0)
743 {
744 /* Copy initial part */
745 memcpy(v6, v6stat.tmp, v6stat.zero_pos);
746 /* Zero middle */
747 memset(v6 + v6stat.zero_pos, 0, 16 - v6stat.total);
748 /* Copy final part */
749 if (v6stat.total != v6stat.zero_pos)
750 memcpy(v6 + v6stat.zero_pos + 16 - v6stat.total,
751 v6stat.tmp + v6stat.zero_pos,
752 v6stat.total - v6stat.zero_pos);
753 }
754 else
755 memcpy(v6, v6stat.tmp, 16);
756
757 return 1;
758 }
759
760static int ipv6_cb(const char *elem, int len, void *usr)
761 {
762 IPV6_STAT *s = usr;
763 /* Error if 16 bytes written */
764 if (s->total == 16)
765 return 0;
766 if (len == 0)
767 {
768 /* Zero length element, corresponds to '::' */
769 if (s->zero_pos == -1)
770 s->zero_pos = s->total;
771 /* If we've already got a :: its an error */
772 else if (s->zero_pos != s->total)
773 return 0;
774 s->zero_cnt++;
775 }
776 else
777 {
778 /* If more than 4 characters could be final a.b.c.d form */
779 if (len > 4)
780 {
781 /* Need at least 4 bytes left */
782 if (s->total > 12)
783 return 0;
784 /* Must be end of string */
785 if (elem[len])
786 return 0;
787 if (!ipv4_from_asc(s->tmp + s->total, elem))
788 return 0;
789 s->total += 4;
790 }
791 else
792 {
793 if (!ipv6_hex(s->tmp + s->total, elem, len))
794 return 0;
795 s->total += 2;
796 }
797 }
798 return 1;
799 }
800
801/* Convert a string of up to 4 hex digits into the corresponding
802 * IPv6 form.
803 */
804
805static int ipv6_hex(unsigned char *out, const char *in, int inlen)
806 {
807 unsigned char c;
808 unsigned int num = 0;
809 if (inlen > 4)
810 return 0;
811 while(inlen--)
812 {
813 c = *in++;
814 num <<= 4;
815 if ((c >= '0') && (c <= '9'))
816 num |= c - '0';
817 else if ((c >= 'A') && (c <= 'F'))
818 num |= c - 'A' + 10;
819 else if ((c >= 'a') && (c <= 'f'))
820 num |= c - 'a' + 10;
821 else
822 return 0;
823 }
824 out[0] = num >> 8;
825 out[1] = num & 0xff;
826 return 1;
827 }
828
829
830int X509V3_NAME_from_section(X509_NAME *nm, STACK_OF(CONF_VALUE)*dn_sk,
831 unsigned long chtype)
832 {
833 CONF_VALUE *v;
834 int i, mval;
835 char *p, *type;
836 if (!nm)
837 return 0;
838
839 for (i = 0; i < sk_CONF_VALUE_num(dn_sk); i++)
840 {
841 v=sk_CONF_VALUE_value(dn_sk,i);
842 type=v->name;
843 /* Skip past any leading X. X: X, etc to allow for
844 * multiple instances
845 */
846 for(p = type; *p ; p++)
847#ifndef CHARSET_EBCDIC
848 if ((*p == ':') || (*p == ',') || (*p == '.'))
849#else
850 if ((*p == os_toascii[':']) || (*p == os_toascii[',']) || (*p == os_toascii['.']))
851#endif
852 {
853 p++;
854 if(*p) type = p;
855 break;
856 }
857#ifndef CHARSET_EBCDIC
858 if (*type == '+')
859#else
860 if (*type == os_toascii['+'])
861#endif
862 {
863 mval = -1;
864 type++;
865 }
866 else
867 mval = 0;
868 if (!X509_NAME_add_entry_by_txt(nm,type, chtype,
869 (unsigned char *) v->value,-1,-1,mval))
870 return 0;
871
872 }
873 return 1;
874 }
diff --git a/src/lib/libcrypto/x509v3/v3conf.c b/src/lib/libcrypto/x509v3/v3conf.c
deleted file mode 100644
index a9e6ca3542..0000000000
--- a/src/lib/libcrypto/x509v3/v3conf.c
+++ /dev/null
@@ -1,127 +0,0 @@
1/* v3conf.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59
60#include <stdio.h>
61#include "cryptlib.h"
62#include <openssl/asn1.h>
63#include <openssl/conf.h>
64#include <openssl/x509.h>
65#include <openssl/x509v3.h>
66
67/* Test application to add extensions from a config file */
68
69int main(int argc, char **argv)
70{
71 LHASH *conf;
72 X509 *cert;
73 FILE *inf;
74 char *conf_file;
75 int i;
76 int count;
77 X509_EXTENSION *ext;
78 X509V3_add_standard_extensions();
79 ERR_load_crypto_strings();
80 if(!argv[1]) {
81 fprintf(stderr, "Usage: v3conf cert.pem [file.cnf]\n");
82 exit(1);
83 }
84 conf_file = argv[2];
85 if(!conf_file) conf_file = "test.cnf";
86 conf = CONF_load(NULL, "test.cnf", NULL);
87 if(!conf) {
88 fprintf(stderr, "Error opening Config file %s\n", conf_file);
89 ERR_print_errors_fp(stderr);
90 exit(1);
91 }
92
93 inf = fopen(argv[1], "r");
94 if(!inf) {
95 fprintf(stderr, "Can't open certificate file %s\n", argv[1]);
96 exit(1);
97 }
98 cert = PEM_read_X509(inf, NULL, NULL);
99 if(!cert) {
100 fprintf(stderr, "Error reading certificate file %s\n", argv[1]);
101 exit(1);
102 }
103 fclose(inf);
104
105 sk_pop_free(cert->cert_info->extensions, X509_EXTENSION_free);
106 cert->cert_info->extensions = NULL;
107
108 if(!X509V3_EXT_add_conf(conf, NULL, "test_section", cert)) {
109 fprintf(stderr, "Error adding extensions\n");
110 ERR_print_errors_fp(stderr);
111 exit(1);
112 }
113
114 count = X509_get_ext_count(cert);
115 printf("%d extensions\n", count);
116 for(i = 0; i < count; i++) {
117 ext = X509_get_ext(cert, i);
118 printf("%s", OBJ_nid2ln(OBJ_obj2nid(ext->object)));
119 if(ext->critical) printf(",critical:\n");
120 else printf(":\n");
121 X509V3_EXT_print_fp(stdout, ext, 0, 0);
122 printf("\n");
123
124 }
125 return 0;
126}
127
diff --git a/src/lib/libcrypto/x509v3/v3err.c b/src/lib/libcrypto/x509v3/v3err.c
deleted file mode 100644
index f9f6f1f91f..0000000000
--- a/src/lib/libcrypto/x509v3/v3err.c
+++ /dev/null
@@ -1,226 +0,0 @@
1/* crypto/x509v3/v3err.c */
2/* ====================================================================
3 * Copyright (c) 1999-2007 The OpenSSL Project. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 *
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 *
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in
14 * the documentation and/or other materials provided with the
15 * distribution.
16 *
17 * 3. All advertising materials mentioning features or use of this
18 * software must display the following acknowledgment:
19 * "This product includes software developed by the OpenSSL Project
20 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
21 *
22 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
23 * endorse or promote products derived from this software without
24 * prior written permission. For written permission, please contact
25 * openssl-core@OpenSSL.org.
26 *
27 * 5. Products derived from this software may not be called "OpenSSL"
28 * nor may "OpenSSL" appear in their names without prior written
29 * permission of the OpenSSL Project.
30 *
31 * 6. Redistributions of any form whatsoever must retain the following
32 * acknowledgment:
33 * "This product includes software developed by the OpenSSL Project
34 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
35 *
36 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
37 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
38 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
39 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
40 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
41 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
42 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
43 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
44 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
45 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
46 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
47 * OF THE POSSIBILITY OF SUCH DAMAGE.
48 * ====================================================================
49 *
50 * This product includes cryptographic software written by Eric Young
51 * (eay@cryptsoft.com). This product includes software written by Tim
52 * Hudson (tjh@cryptsoft.com).
53 *
54 */
55
56/* NOTE: this file was auto generated by the mkerr.pl script: any changes
57 * made to it will be overwritten when the script next updates this file,
58 * only reason strings will be preserved.
59 */
60
61#include <stdio.h>
62#include <openssl/err.h>
63#include <openssl/x509v3.h>
64
65/* BEGIN ERROR CODES */
66#ifndef OPENSSL_NO_ERR
67
68#define ERR_FUNC(func) ERR_PACK(ERR_LIB_X509V3,func,0)
69#define ERR_REASON(reason) ERR_PACK(ERR_LIB_X509V3,0,reason)
70
71static ERR_STRING_DATA X509V3_str_functs[]=
72 {
73{ERR_FUNC(X509V3_F_A2I_GENERAL_NAME), "A2I_GENERAL_NAME"},
74{ERR_FUNC(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE), "ASIDENTIFIERCHOICE_CANONIZE"},
75{ERR_FUNC(X509V3_F_ASIDENTIFIERCHOICE_IS_CANONICAL), "ASIDENTIFIERCHOICE_IS_CANONICAL"},
76{ERR_FUNC(X509V3_F_COPY_EMAIL), "COPY_EMAIL"},
77{ERR_FUNC(X509V3_F_COPY_ISSUER), "COPY_ISSUER"},
78{ERR_FUNC(X509V3_F_DO_DIRNAME), "DO_DIRNAME"},
79{ERR_FUNC(X509V3_F_DO_EXT_CONF), "DO_EXT_CONF"},
80{ERR_FUNC(X509V3_F_DO_EXT_I2D), "DO_EXT_I2D"},
81{ERR_FUNC(X509V3_F_DO_EXT_NCONF), "DO_EXT_NCONF"},
82{ERR_FUNC(X509V3_F_DO_I2V_NAME_CONSTRAINTS), "DO_I2V_NAME_CONSTRAINTS"},
83{ERR_FUNC(X509V3_F_GNAMES_FROM_SECTNAME), "GNAMES_FROM_SECTNAME"},
84{ERR_FUNC(X509V3_F_HEX_TO_STRING), "hex_to_string"},
85{ERR_FUNC(X509V3_F_I2S_ASN1_ENUMERATED), "i2s_ASN1_ENUMERATED"},
86{ERR_FUNC(X509V3_F_I2S_ASN1_IA5STRING), "I2S_ASN1_IA5STRING"},
87{ERR_FUNC(X509V3_F_I2S_ASN1_INTEGER), "i2s_ASN1_INTEGER"},
88{ERR_FUNC(X509V3_F_I2V_AUTHORITY_INFO_ACCESS), "I2V_AUTHORITY_INFO_ACCESS"},
89{ERR_FUNC(X509V3_F_NOTICE_SECTION), "NOTICE_SECTION"},
90{ERR_FUNC(X509V3_F_NREF_NOS), "NREF_NOS"},
91{ERR_FUNC(X509V3_F_POLICY_SECTION), "POLICY_SECTION"},
92{ERR_FUNC(X509V3_F_PROCESS_PCI_VALUE), "PROCESS_PCI_VALUE"},
93{ERR_FUNC(X509V3_F_R2I_CERTPOL), "R2I_CERTPOL"},
94{ERR_FUNC(X509V3_F_R2I_PCI), "R2I_PCI"},
95{ERR_FUNC(X509V3_F_S2I_ASN1_IA5STRING), "S2I_ASN1_IA5STRING"},
96{ERR_FUNC(X509V3_F_S2I_ASN1_INTEGER), "s2i_ASN1_INTEGER"},
97{ERR_FUNC(X509V3_F_S2I_ASN1_OCTET_STRING), "s2i_ASN1_OCTET_STRING"},
98{ERR_FUNC(X509V3_F_S2I_ASN1_SKEY_ID), "S2I_ASN1_SKEY_ID"},
99{ERR_FUNC(X509V3_F_S2I_SKEY_ID), "S2I_SKEY_ID"},
100{ERR_FUNC(X509V3_F_SET_DIST_POINT_NAME), "SET_DIST_POINT_NAME"},
101{ERR_FUNC(X509V3_F_STRING_TO_HEX), "string_to_hex"},
102{ERR_FUNC(X509V3_F_SXNET_ADD_ID_ASC), "SXNET_add_id_asc"},
103{ERR_FUNC(X509V3_F_SXNET_ADD_ID_INTEGER), "SXNET_add_id_INTEGER"},
104{ERR_FUNC(X509V3_F_SXNET_ADD_ID_ULONG), "SXNET_add_id_ulong"},
105{ERR_FUNC(X509V3_F_SXNET_GET_ID_ASC), "SXNET_get_id_asc"},
106{ERR_FUNC(X509V3_F_SXNET_GET_ID_ULONG), "SXNET_get_id_ulong"},
107{ERR_FUNC(X509V3_F_V2I_ASIDENTIFIERS), "V2I_ASIDENTIFIERS"},
108{ERR_FUNC(X509V3_F_V2I_ASN1_BIT_STRING), "v2i_ASN1_BIT_STRING"},
109{ERR_FUNC(X509V3_F_V2I_AUTHORITY_INFO_ACCESS), "V2I_AUTHORITY_INFO_ACCESS"},
110{ERR_FUNC(X509V3_F_V2I_AUTHORITY_KEYID), "V2I_AUTHORITY_KEYID"},
111{ERR_FUNC(X509V3_F_V2I_BASIC_CONSTRAINTS), "V2I_BASIC_CONSTRAINTS"},
112{ERR_FUNC(X509V3_F_V2I_CRLD), "V2I_CRLD"},
113{ERR_FUNC(X509V3_F_V2I_EXTENDED_KEY_USAGE), "V2I_EXTENDED_KEY_USAGE"},
114{ERR_FUNC(X509V3_F_V2I_GENERAL_NAMES), "v2i_GENERAL_NAMES"},
115{ERR_FUNC(X509V3_F_V2I_GENERAL_NAME_EX), "v2i_GENERAL_NAME_ex"},
116{ERR_FUNC(X509V3_F_V2I_IDP), "V2I_IDP"},
117{ERR_FUNC(X509V3_F_V2I_IPADDRBLOCKS), "V2I_IPADDRBLOCKS"},
118{ERR_FUNC(X509V3_F_V2I_ISSUER_ALT), "V2I_ISSUER_ALT"},
119{ERR_FUNC(X509V3_F_V2I_NAME_CONSTRAINTS), "V2I_NAME_CONSTRAINTS"},
120{ERR_FUNC(X509V3_F_V2I_POLICY_CONSTRAINTS), "V2I_POLICY_CONSTRAINTS"},
121{ERR_FUNC(X509V3_F_V2I_POLICY_MAPPINGS), "V2I_POLICY_MAPPINGS"},
122{ERR_FUNC(X509V3_F_V2I_SUBJECT_ALT), "V2I_SUBJECT_ALT"},
123{ERR_FUNC(X509V3_F_V3_ADDR_VALIDATE_PATH_INTERNAL), "V3_ADDR_VALIDATE_PATH_INTERNAL"},
124{ERR_FUNC(X509V3_F_V3_GENERIC_EXTENSION), "V3_GENERIC_EXTENSION"},
125{ERR_FUNC(X509V3_F_X509V3_ADD1_I2D), "X509V3_add1_i2d"},
126{ERR_FUNC(X509V3_F_X509V3_ADD_VALUE), "X509V3_add_value"},
127{ERR_FUNC(X509V3_F_X509V3_EXT_ADD), "X509V3_EXT_add"},
128{ERR_FUNC(X509V3_F_X509V3_EXT_ADD_ALIAS), "X509V3_EXT_add_alias"},
129{ERR_FUNC(X509V3_F_X509V3_EXT_CONF), "X509V3_EXT_conf"},
130{ERR_FUNC(X509V3_F_X509V3_EXT_I2D), "X509V3_EXT_i2d"},
131{ERR_FUNC(X509V3_F_X509V3_EXT_NCONF), "X509V3_EXT_nconf"},
132{ERR_FUNC(X509V3_F_X509V3_GET_SECTION), "X509V3_get_section"},
133{ERR_FUNC(X509V3_F_X509V3_GET_STRING), "X509V3_get_string"},
134{ERR_FUNC(X509V3_F_X509V3_GET_VALUE_BOOL), "X509V3_get_value_bool"},
135{ERR_FUNC(X509V3_F_X509V3_PARSE_LIST), "X509V3_parse_list"},
136{ERR_FUNC(X509V3_F_X509_PURPOSE_ADD), "X509_PURPOSE_add"},
137{ERR_FUNC(X509V3_F_X509_PURPOSE_SET), "X509_PURPOSE_set"},
138{0,NULL}
139 };
140
141static ERR_STRING_DATA X509V3_str_reasons[]=
142 {
143{ERR_REASON(X509V3_R_BAD_IP_ADDRESS) ,"bad ip address"},
144{ERR_REASON(X509V3_R_BAD_OBJECT) ,"bad object"},
145{ERR_REASON(X509V3_R_BN_DEC2BN_ERROR) ,"bn dec2bn error"},
146{ERR_REASON(X509V3_R_BN_TO_ASN1_INTEGER_ERROR),"bn to asn1 integer error"},
147{ERR_REASON(X509V3_R_DIRNAME_ERROR) ,"dirname error"},
148{ERR_REASON(X509V3_R_DISTPOINT_ALREADY_SET),"distpoint already set"},
149{ERR_REASON(X509V3_R_DUPLICATE_ZONE_ID) ,"duplicate zone id"},
150{ERR_REASON(X509V3_R_ERROR_CONVERTING_ZONE),"error converting zone"},
151{ERR_REASON(X509V3_R_ERROR_CREATING_EXTENSION),"error creating extension"},
152{ERR_REASON(X509V3_R_ERROR_IN_EXTENSION) ,"error in extension"},
153{ERR_REASON(X509V3_R_EXPECTED_A_SECTION_NAME),"expected a section name"},
154{ERR_REASON(X509V3_R_EXTENSION_EXISTS) ,"extension exists"},
155{ERR_REASON(X509V3_R_EXTENSION_NAME_ERROR),"extension name error"},
156{ERR_REASON(X509V3_R_EXTENSION_NOT_FOUND),"extension not found"},
157{ERR_REASON(X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED),"extension setting not supported"},
158{ERR_REASON(X509V3_R_EXTENSION_VALUE_ERROR),"extension value error"},
159{ERR_REASON(X509V3_R_ILLEGAL_EMPTY_EXTENSION),"illegal empty extension"},
160{ERR_REASON(X509V3_R_ILLEGAL_HEX_DIGIT) ,"illegal hex digit"},
161{ERR_REASON(X509V3_R_INCORRECT_POLICY_SYNTAX_TAG),"incorrect policy syntax tag"},
162{ERR_REASON(X509V3_R_INVALID_MULTIPLE_RDNS),"invalid multiple rdns"},
163{ERR_REASON(X509V3_R_INVALID_ASNUMBER) ,"invalid asnumber"},
164{ERR_REASON(X509V3_R_INVALID_ASRANGE) ,"invalid asrange"},
165{ERR_REASON(X509V3_R_INVALID_BOOLEAN_STRING),"invalid boolean string"},
166{ERR_REASON(X509V3_R_INVALID_EXTENSION_STRING),"invalid extension string"},
167{ERR_REASON(X509V3_R_INVALID_INHERITANCE),"invalid inheritance"},
168{ERR_REASON(X509V3_R_INVALID_IPADDRESS) ,"invalid ipaddress"},
169{ERR_REASON(X509V3_R_INVALID_NAME) ,"invalid name"},
170{ERR_REASON(X509V3_R_INVALID_NULL_ARGUMENT),"invalid null argument"},
171{ERR_REASON(X509V3_R_INVALID_NULL_NAME) ,"invalid null name"},
172{ERR_REASON(X509V3_R_INVALID_NULL_VALUE) ,"invalid null value"},
173{ERR_REASON(X509V3_R_INVALID_NUMBER) ,"invalid number"},
174{ERR_REASON(X509V3_R_INVALID_NUMBERS) ,"invalid numbers"},
175{ERR_REASON(X509V3_R_INVALID_OBJECT_IDENTIFIER),"invalid object identifier"},
176{ERR_REASON(X509V3_R_INVALID_OPTION) ,"invalid option"},
177{ERR_REASON(X509V3_R_INVALID_POLICY_IDENTIFIER),"invalid policy identifier"},
178{ERR_REASON(X509V3_R_INVALID_PROXY_POLICY_SETTING),"invalid proxy policy setting"},
179{ERR_REASON(X509V3_R_INVALID_PURPOSE) ,"invalid purpose"},
180{ERR_REASON(X509V3_R_INVALID_SAFI) ,"invalid safi"},
181{ERR_REASON(X509V3_R_INVALID_SECTION) ,"invalid section"},
182{ERR_REASON(X509V3_R_INVALID_SYNTAX) ,"invalid syntax"},
183{ERR_REASON(X509V3_R_ISSUER_DECODE_ERROR),"issuer decode error"},
184{ERR_REASON(X509V3_R_MISSING_VALUE) ,"missing value"},
185{ERR_REASON(X509V3_R_NEED_ORGANIZATION_AND_NUMBERS),"need organization and numbers"},
186{ERR_REASON(X509V3_R_NO_CONFIG_DATABASE) ,"no config database"},
187{ERR_REASON(X509V3_R_NO_ISSUER_CERTIFICATE),"no issuer certificate"},
188{ERR_REASON(X509V3_R_NO_ISSUER_DETAILS) ,"no issuer details"},
189{ERR_REASON(X509V3_R_NO_POLICY_IDENTIFIER),"no policy identifier"},
190{ERR_REASON(X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED),"no proxy cert policy language defined"},
191{ERR_REASON(X509V3_R_NO_PUBLIC_KEY) ,"no public key"},
192{ERR_REASON(X509V3_R_NO_SUBJECT_DETAILS) ,"no subject details"},
193{ERR_REASON(X509V3_R_ODD_NUMBER_OF_DIGITS),"odd number of digits"},
194{ERR_REASON(X509V3_R_OPERATION_NOT_DEFINED),"operation not defined"},
195{ERR_REASON(X509V3_R_OTHERNAME_ERROR) ,"othername error"},
196{ERR_REASON(X509V3_R_POLICY_LANGUAGE_ALREADY_DEFINED),"policy language already defined"},
197{ERR_REASON(X509V3_R_POLICY_PATH_LENGTH) ,"policy path length"},
198{ERR_REASON(X509V3_R_POLICY_PATH_LENGTH_ALREADY_DEFINED),"policy path length already defined"},
199{ERR_REASON(X509V3_R_POLICY_SYNTAX_NOT_CURRENTLY_SUPPORTED),"policy syntax not currently supported"},
200{ERR_REASON(X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY),"policy when proxy language requires no policy"},
201{ERR_REASON(X509V3_R_SECTION_NOT_FOUND) ,"section not found"},
202{ERR_REASON(X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS),"unable to get issuer details"},
203{ERR_REASON(X509V3_R_UNABLE_TO_GET_ISSUER_KEYID),"unable to get issuer keyid"},
204{ERR_REASON(X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT),"unknown bit string argument"},
205{ERR_REASON(X509V3_R_UNKNOWN_EXTENSION) ,"unknown extension"},
206{ERR_REASON(X509V3_R_UNKNOWN_EXTENSION_NAME),"unknown extension name"},
207{ERR_REASON(X509V3_R_UNKNOWN_OPTION) ,"unknown option"},
208{ERR_REASON(X509V3_R_UNSUPPORTED_OPTION) ,"unsupported option"},
209{ERR_REASON(X509V3_R_UNSUPPORTED_TYPE) ,"unsupported type"},
210{ERR_REASON(X509V3_R_USER_TOO_LONG) ,"user too long"},
211{0,NULL}
212 };
213
214#endif
215
216void ERR_load_X509V3_strings(void)
217 {
218#ifndef OPENSSL_NO_ERR
219
220 if (ERR_func_error_string(X509V3_str_functs[0].error) == NULL)
221 {
222 ERR_load_strings(0,X509V3_str_functs);
223 ERR_load_strings(0,X509V3_str_reasons);
224 }
225#endif
226 }
diff --git a/src/lib/libcrypto/x509v3/v3prin.c b/src/lib/libcrypto/x509v3/v3prin.c
deleted file mode 100644
index d5ff268296..0000000000
--- a/src/lib/libcrypto/x509v3/v3prin.c
+++ /dev/null
@@ -1,99 +0,0 @@
1/* v3prin.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59
60
61#include <stdio.h>
62#include <openssl/asn1.h>
63#include <openssl/conf.h>
64#include <openssl/x509.h>
65#include <openssl/x509v3.h>
66
67int main(int argc, char **argv)
68{
69 X509 *cert;
70 FILE *inf;
71 int i, count;
72 X509_EXTENSION *ext;
73 X509V3_add_standard_extensions();
74 ERR_load_crypto_strings();
75 if(!argv[1]) {
76 fprintf(stderr, "Usage v3prin cert.pem\n");
77 exit(1);
78 }
79 if(!(inf = fopen(argv[1], "r"))) {
80 fprintf(stderr, "Can't open %s\n", argv[1]);
81 exit(1);
82 }
83 if(!(cert = PEM_read_X509(inf, NULL, NULL))) {
84 fprintf(stderr, "Can't read certificate %s\n", argv[1]);
85 ERR_print_errors_fp(stderr);
86 exit(1);
87 }
88 fclose(inf);
89 count = X509_get_ext_count(cert);
90 printf("%d extensions\n", count);
91 for(i = 0; i < count; i++) {
92 ext = X509_get_ext(cert, i);
93 printf("%s\n", OBJ_nid2ln(OBJ_obj2nid(ext->object)));
94 if(!X509V3_EXT_print_fp(stdout, ext, 0, 0)) ERR_print_errors_fp(stderr);
95 printf("\n");
96
97 }
98 return 0;
99}
diff --git a/src/lib/libcrypto/x509v3/x509v3.h b/src/lib/libcrypto/x509v3/x509v3.h
deleted file mode 100644
index b308abe7cd..0000000000
--- a/src/lib/libcrypto/x509v3/x509v3.h
+++ /dev/null
@@ -1,1007 +0,0 @@
1/* x509v3.h */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58#ifndef HEADER_X509V3_H
59#define HEADER_X509V3_H
60
61#include <openssl/bio.h>
62#include <openssl/x509.h>
63#include <openssl/conf.h>
64
65#ifdef __cplusplus
66extern "C" {
67#endif
68
69/* Forward reference */
70struct v3_ext_method;
71struct v3_ext_ctx;
72
73/* Useful typedefs */
74
75typedef void * (*X509V3_EXT_NEW)(void);
76typedef void (*X509V3_EXT_FREE)(void *);
77typedef void * (*X509V3_EXT_D2I)(void *, const unsigned char ** , long);
78typedef int (*X509V3_EXT_I2D)(void *, unsigned char **);
79typedef STACK_OF(CONF_VALUE) *
80 (*X509V3_EXT_I2V)(const struct v3_ext_method *method, void *ext,
81 STACK_OF(CONF_VALUE) *extlist);
82typedef void * (*X509V3_EXT_V2I)(const struct v3_ext_method *method,
83 struct v3_ext_ctx *ctx,
84 STACK_OF(CONF_VALUE) *values);
85typedef char * (*X509V3_EXT_I2S)(const struct v3_ext_method *method, void *ext);
86typedef void * (*X509V3_EXT_S2I)(const struct v3_ext_method *method,
87 struct v3_ext_ctx *ctx, const char *str);
88typedef int (*X509V3_EXT_I2R)(const struct v3_ext_method *method, void *ext,
89 BIO *out, int indent);
90typedef void * (*X509V3_EXT_R2I)(const struct v3_ext_method *method,
91 struct v3_ext_ctx *ctx, const char *str);
92
93/* V3 extension structure */
94
95struct v3_ext_method {
96int ext_nid;
97int ext_flags;
98/* If this is set the following four fields are ignored */
99ASN1_ITEM_EXP *it;
100/* Old style ASN1 calls */
101X509V3_EXT_NEW ext_new;
102X509V3_EXT_FREE ext_free;
103X509V3_EXT_D2I d2i;
104X509V3_EXT_I2D i2d;
105
106/* The following pair is used for string extensions */
107X509V3_EXT_I2S i2s;
108X509V3_EXT_S2I s2i;
109
110/* The following pair is used for multi-valued extensions */
111X509V3_EXT_I2V i2v;
112X509V3_EXT_V2I v2i;
113
114/* The following are used for raw extensions */
115X509V3_EXT_I2R i2r;
116X509V3_EXT_R2I r2i;
117
118void *usr_data; /* Any extension specific data */
119};
120
121typedef struct X509V3_CONF_METHOD_st {
122char * (*get_string)(void *db, char *section, char *value);
123STACK_OF(CONF_VALUE) * (*get_section)(void *db, char *section);
124void (*free_string)(void *db, char * string);
125void (*free_section)(void *db, STACK_OF(CONF_VALUE) *section);
126} X509V3_CONF_METHOD;
127
128/* Context specific info */
129struct v3_ext_ctx {
130#define CTX_TEST 0x1
131int flags;
132X509 *issuer_cert;
133X509 *subject_cert;
134X509_REQ *subject_req;
135X509_CRL *crl;
136X509V3_CONF_METHOD *db_meth;
137void *db;
138/* Maybe more here */
139};
140
141typedef struct v3_ext_method X509V3_EXT_METHOD;
142
143DECLARE_STACK_OF(X509V3_EXT_METHOD)
144
145/* ext_flags values */
146#define X509V3_EXT_DYNAMIC 0x1
147#define X509V3_EXT_CTX_DEP 0x2
148#define X509V3_EXT_MULTILINE 0x4
149
150typedef BIT_STRING_BITNAME ENUMERATED_NAMES;
151
152typedef struct BASIC_CONSTRAINTS_st {
153int ca;
154ASN1_INTEGER *pathlen;
155} BASIC_CONSTRAINTS;
156
157
158typedef struct PKEY_USAGE_PERIOD_st {
159ASN1_GENERALIZEDTIME *notBefore;
160ASN1_GENERALIZEDTIME *notAfter;
161} PKEY_USAGE_PERIOD;
162
163typedef struct otherName_st {
164ASN1_OBJECT *type_id;
165ASN1_TYPE *value;
166} OTHERNAME;
167
168typedef struct EDIPartyName_st {
169 ASN1_STRING *nameAssigner;
170 ASN1_STRING *partyName;
171} EDIPARTYNAME;
172
173typedef struct GENERAL_NAME_st {
174
175#define GEN_OTHERNAME 0
176#define GEN_EMAIL 1
177#define GEN_DNS 2
178#define GEN_X400 3
179#define GEN_DIRNAME 4
180#define GEN_EDIPARTY 5
181#define GEN_URI 6
182#define GEN_IPADD 7
183#define GEN_RID 8
184
185int type;
186union {
187 char *ptr;
188 OTHERNAME *otherName; /* otherName */
189 ASN1_IA5STRING *rfc822Name;
190 ASN1_IA5STRING *dNSName;
191 ASN1_TYPE *x400Address;
192 X509_NAME *directoryName;
193 EDIPARTYNAME *ediPartyName;
194 ASN1_IA5STRING *uniformResourceIdentifier;
195 ASN1_OCTET_STRING *iPAddress;
196 ASN1_OBJECT *registeredID;
197
198 /* Old names */
199 ASN1_OCTET_STRING *ip; /* iPAddress */
200 X509_NAME *dirn; /* dirn */
201 ASN1_IA5STRING *ia5;/* rfc822Name, dNSName, uniformResourceIdentifier */
202 ASN1_OBJECT *rid; /* registeredID */
203 ASN1_TYPE *other; /* x400Address */
204} d;
205} GENERAL_NAME;
206
207typedef STACK_OF(GENERAL_NAME) GENERAL_NAMES;
208
209typedef struct ACCESS_DESCRIPTION_st {
210 ASN1_OBJECT *method;
211 GENERAL_NAME *location;
212} ACCESS_DESCRIPTION;
213
214typedef STACK_OF(ACCESS_DESCRIPTION) AUTHORITY_INFO_ACCESS;
215
216typedef STACK_OF(ASN1_OBJECT) EXTENDED_KEY_USAGE;
217
218DECLARE_STACK_OF(GENERAL_NAME)
219DECLARE_ASN1_SET_OF(GENERAL_NAME)
220
221DECLARE_STACK_OF(ACCESS_DESCRIPTION)
222DECLARE_ASN1_SET_OF(ACCESS_DESCRIPTION)
223
224typedef struct DIST_POINT_NAME_st {
225int type;
226union {
227 GENERAL_NAMES *fullname;
228 STACK_OF(X509_NAME_ENTRY) *relativename;
229} name;
230/* If relativename then this contains the full distribution point name */
231X509_NAME *dpname;
232} DIST_POINT_NAME;
233/* All existing reasons */
234#define CRLDP_ALL_REASONS 0x807f
235
236#define CRL_REASON_NONE -1
237#define CRL_REASON_UNSPECIFIED 0
238#define CRL_REASON_KEY_COMPROMISE 1
239#define CRL_REASON_CA_COMPROMISE 2
240#define CRL_REASON_AFFILIATION_CHANGED 3
241#define CRL_REASON_SUPERSEDED 4
242#define CRL_REASON_CESSATION_OF_OPERATION 5
243#define CRL_REASON_CERTIFICATE_HOLD 6
244#define CRL_REASON_REMOVE_FROM_CRL 8
245#define CRL_REASON_PRIVILEGE_WITHDRAWN 9
246#define CRL_REASON_AA_COMPROMISE 10
247
248struct DIST_POINT_st {
249DIST_POINT_NAME *distpoint;
250ASN1_BIT_STRING *reasons;
251GENERAL_NAMES *CRLissuer;
252int dp_reasons;
253};
254
255typedef STACK_OF(DIST_POINT) CRL_DIST_POINTS;
256
257DECLARE_STACK_OF(DIST_POINT)
258DECLARE_ASN1_SET_OF(DIST_POINT)
259
260struct AUTHORITY_KEYID_st {
261ASN1_OCTET_STRING *keyid;
262GENERAL_NAMES *issuer;
263ASN1_INTEGER *serial;
264};
265
266/* Strong extranet structures */
267
268typedef struct SXNET_ID_st {
269 ASN1_INTEGER *zone;
270 ASN1_OCTET_STRING *user;
271} SXNETID;
272
273DECLARE_STACK_OF(SXNETID)
274DECLARE_ASN1_SET_OF(SXNETID)
275
276typedef struct SXNET_st {
277 ASN1_INTEGER *version;
278 STACK_OF(SXNETID) *ids;
279} SXNET;
280
281typedef struct NOTICEREF_st {
282 ASN1_STRING *organization;
283 STACK_OF(ASN1_INTEGER) *noticenos;
284} NOTICEREF;
285
286typedef struct USERNOTICE_st {
287 NOTICEREF *noticeref;
288 ASN1_STRING *exptext;
289} USERNOTICE;
290
291typedef struct POLICYQUALINFO_st {
292 ASN1_OBJECT *pqualid;
293 union {
294 ASN1_IA5STRING *cpsuri;
295 USERNOTICE *usernotice;
296 ASN1_TYPE *other;
297 } d;
298} POLICYQUALINFO;
299
300DECLARE_STACK_OF(POLICYQUALINFO)
301DECLARE_ASN1_SET_OF(POLICYQUALINFO)
302
303typedef struct POLICYINFO_st {
304 ASN1_OBJECT *policyid;
305 STACK_OF(POLICYQUALINFO) *qualifiers;
306} POLICYINFO;
307
308typedef STACK_OF(POLICYINFO) CERTIFICATEPOLICIES;
309
310DECLARE_STACK_OF(POLICYINFO)
311DECLARE_ASN1_SET_OF(POLICYINFO)
312
313typedef struct POLICY_MAPPING_st {
314 ASN1_OBJECT *issuerDomainPolicy;
315 ASN1_OBJECT *subjectDomainPolicy;
316} POLICY_MAPPING;
317
318DECLARE_STACK_OF(POLICY_MAPPING)
319
320typedef STACK_OF(POLICY_MAPPING) POLICY_MAPPINGS;
321
322typedef struct GENERAL_SUBTREE_st {
323 GENERAL_NAME *base;
324 ASN1_INTEGER *minimum;
325 ASN1_INTEGER *maximum;
326} GENERAL_SUBTREE;
327
328DECLARE_STACK_OF(GENERAL_SUBTREE)
329
330struct NAME_CONSTRAINTS_st {
331 STACK_OF(GENERAL_SUBTREE) *permittedSubtrees;
332 STACK_OF(GENERAL_SUBTREE) *excludedSubtrees;
333};
334
335typedef struct POLICY_CONSTRAINTS_st {
336 ASN1_INTEGER *requireExplicitPolicy;
337 ASN1_INTEGER *inhibitPolicyMapping;
338} POLICY_CONSTRAINTS;
339
340/* Proxy certificate structures, see RFC 3820 */
341typedef struct PROXY_POLICY_st
342 {
343 ASN1_OBJECT *policyLanguage;
344 ASN1_OCTET_STRING *policy;
345 } PROXY_POLICY;
346
347typedef struct PROXY_CERT_INFO_EXTENSION_st
348 {
349 ASN1_INTEGER *pcPathLengthConstraint;
350 PROXY_POLICY *proxyPolicy;
351 } PROXY_CERT_INFO_EXTENSION;
352
353DECLARE_ASN1_FUNCTIONS(PROXY_POLICY)
354DECLARE_ASN1_FUNCTIONS(PROXY_CERT_INFO_EXTENSION)
355
356struct ISSUING_DIST_POINT_st
357 {
358 DIST_POINT_NAME *distpoint;
359 int onlyuser;
360 int onlyCA;
361 ASN1_BIT_STRING *onlysomereasons;
362 int indirectCRL;
363 int onlyattr;
364 };
365
366/* Values in idp_flags field */
367/* IDP present */
368#define IDP_PRESENT 0x1
369/* IDP values inconsistent */
370#define IDP_INVALID 0x2
371/* onlyuser true */
372#define IDP_ONLYUSER 0x4
373/* onlyCA true */
374#define IDP_ONLYCA 0x8
375/* onlyattr true */
376#define IDP_ONLYATTR 0x10
377/* indirectCRL true */
378#define IDP_INDIRECT 0x20
379/* onlysomereasons present */
380#define IDP_REASONS 0x40
381
382#define X509V3_conf_err(val) ERR_add_error_data(6, "section:", val->section, \
383",name:", val->name, ",value:", val->value);
384
385#define X509V3_set_ctx_test(ctx) \
386 X509V3_set_ctx(ctx, NULL, NULL, NULL, NULL, CTX_TEST)
387#define X509V3_set_ctx_nodb(ctx) (ctx)->db = NULL;
388
389#define EXT_BITSTRING(nid, table) { nid, 0, ASN1_ITEM_ref(ASN1_BIT_STRING), \
390 0,0,0,0, \
391 0,0, \
392 (X509V3_EXT_I2V)i2v_ASN1_BIT_STRING, \
393 (X509V3_EXT_V2I)v2i_ASN1_BIT_STRING, \
394 NULL, NULL, \
395 table}
396
397#define EXT_IA5STRING(nid) { nid, 0, ASN1_ITEM_ref(ASN1_IA5STRING), \
398 0,0,0,0, \
399 (X509V3_EXT_I2S)i2s_ASN1_IA5STRING, \
400 (X509V3_EXT_S2I)s2i_ASN1_IA5STRING, \
401 0,0,0,0, \
402 NULL}
403
404#define EXT_END { -1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}
405
406
407/* X509_PURPOSE stuff */
408
409#define EXFLAG_BCONS 0x1
410#define EXFLAG_KUSAGE 0x2
411#define EXFLAG_XKUSAGE 0x4
412#define EXFLAG_NSCERT 0x8
413
414#define EXFLAG_CA 0x10
415/* Really self issued not necessarily self signed */
416#define EXFLAG_SI 0x20
417#define EXFLAG_SS 0x20
418#define EXFLAG_V1 0x40
419#define EXFLAG_INVALID 0x80
420#define EXFLAG_SET 0x100
421#define EXFLAG_CRITICAL 0x200
422#define EXFLAG_PROXY 0x400
423
424#define EXFLAG_INVALID_POLICY 0x800
425#define EXFLAG_FRESHEST 0x1000
426
427#define KU_DIGITAL_SIGNATURE 0x0080
428#define KU_NON_REPUDIATION 0x0040
429#define KU_KEY_ENCIPHERMENT 0x0020
430#define KU_DATA_ENCIPHERMENT 0x0010
431#define KU_KEY_AGREEMENT 0x0008
432#define KU_KEY_CERT_SIGN 0x0004
433#define KU_CRL_SIGN 0x0002
434#define KU_ENCIPHER_ONLY 0x0001
435#define KU_DECIPHER_ONLY 0x8000
436
437#define NS_SSL_CLIENT 0x80
438#define NS_SSL_SERVER 0x40
439#define NS_SMIME 0x20
440#define NS_OBJSIGN 0x10
441#define NS_SSL_CA 0x04
442#define NS_SMIME_CA 0x02
443#define NS_OBJSIGN_CA 0x01
444#define NS_ANY_CA (NS_SSL_CA|NS_SMIME_CA|NS_OBJSIGN_CA)
445
446#define XKU_SSL_SERVER 0x1
447#define XKU_SSL_CLIENT 0x2
448#define XKU_SMIME 0x4
449#define XKU_CODE_SIGN 0x8
450#define XKU_SGC 0x10
451#define XKU_OCSP_SIGN 0x20
452#define XKU_TIMESTAMP 0x40
453#define XKU_DVCS 0x80
454
455#define X509_PURPOSE_DYNAMIC 0x1
456#define X509_PURPOSE_DYNAMIC_NAME 0x2
457
458typedef struct x509_purpose_st {
459 int purpose;
460 int trust; /* Default trust ID */
461 int flags;
462 int (*check_purpose)(const struct x509_purpose_st *,
463 const X509 *, int);
464 char *name;
465 char *sname;
466 void *usr_data;
467} X509_PURPOSE;
468
469#define X509_PURPOSE_SSL_CLIENT 1
470#define X509_PURPOSE_SSL_SERVER 2
471#define X509_PURPOSE_NS_SSL_SERVER 3
472#define X509_PURPOSE_SMIME_SIGN 4
473#define X509_PURPOSE_SMIME_ENCRYPT 5
474#define X509_PURPOSE_CRL_SIGN 6
475#define X509_PURPOSE_ANY 7
476#define X509_PURPOSE_OCSP_HELPER 8
477#define X509_PURPOSE_TIMESTAMP_SIGN 9
478
479#define X509_PURPOSE_MIN 1
480#define X509_PURPOSE_MAX 9
481
482/* Flags for X509V3_EXT_print() */
483
484#define X509V3_EXT_UNKNOWN_MASK (0xfL << 16)
485/* Return error for unknown extensions */
486#define X509V3_EXT_DEFAULT 0
487/* Print error for unknown extensions */
488#define X509V3_EXT_ERROR_UNKNOWN (1L << 16)
489/* ASN1 parse unknown extensions */
490#define X509V3_EXT_PARSE_UNKNOWN (2L << 16)
491/* BIO_dump unknown extensions */
492#define X509V3_EXT_DUMP_UNKNOWN (3L << 16)
493
494/* Flags for X509V3_add1_i2d */
495
496#define X509V3_ADD_OP_MASK 0xfL
497#define X509V3_ADD_DEFAULT 0L
498#define X509V3_ADD_APPEND 1L
499#define X509V3_ADD_REPLACE 2L
500#define X509V3_ADD_REPLACE_EXISTING 3L
501#define X509V3_ADD_KEEP_EXISTING 4L
502#define X509V3_ADD_DELETE 5L
503#define X509V3_ADD_SILENT 0x10
504
505DECLARE_STACK_OF(X509_PURPOSE)
506
507DECLARE_ASN1_FUNCTIONS(BASIC_CONSTRAINTS)
508
509DECLARE_ASN1_FUNCTIONS(SXNET)
510DECLARE_ASN1_FUNCTIONS(SXNETID)
511
512int SXNET_add_id_asc(SXNET **psx, char *zone, char *user, int userlen);
513int SXNET_add_id_ulong(SXNET **psx, unsigned long lzone, char *user, int userlen);
514int SXNET_add_id_INTEGER(SXNET **psx, ASN1_INTEGER *izone, char *user, int userlen);
515
516ASN1_OCTET_STRING *SXNET_get_id_asc(SXNET *sx, char *zone);
517ASN1_OCTET_STRING *SXNET_get_id_ulong(SXNET *sx, unsigned long lzone);
518ASN1_OCTET_STRING *SXNET_get_id_INTEGER(SXNET *sx, ASN1_INTEGER *zone);
519
520DECLARE_ASN1_FUNCTIONS(AUTHORITY_KEYID)
521
522DECLARE_ASN1_FUNCTIONS(PKEY_USAGE_PERIOD)
523
524DECLARE_ASN1_FUNCTIONS(GENERAL_NAME)
525GENERAL_NAME *GENERAL_NAME_dup(GENERAL_NAME *a);
526int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b);
527
528
529
530ASN1_BIT_STRING *v2i_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
531 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
532STACK_OF(CONF_VALUE) *i2v_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
533 ASN1_BIT_STRING *bits,
534 STACK_OF(CONF_VALUE) *extlist);
535
536STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(X509V3_EXT_METHOD *method, GENERAL_NAME *gen, STACK_OF(CONF_VALUE) *ret);
537int GENERAL_NAME_print(BIO *out, GENERAL_NAME *gen);
538
539DECLARE_ASN1_FUNCTIONS(GENERAL_NAMES)
540
541STACK_OF(CONF_VALUE) *i2v_GENERAL_NAMES(X509V3_EXT_METHOD *method,
542 GENERAL_NAMES *gen, STACK_OF(CONF_VALUE) *extlist);
543GENERAL_NAMES *v2i_GENERAL_NAMES(const X509V3_EXT_METHOD *method,
544 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
545
546DECLARE_ASN1_FUNCTIONS(OTHERNAME)
547DECLARE_ASN1_FUNCTIONS(EDIPARTYNAME)
548int OTHERNAME_cmp(OTHERNAME *a, OTHERNAME *b);
549void GENERAL_NAME_set0_value(GENERAL_NAME *a, int type, void *value);
550void *GENERAL_NAME_get0_value(GENERAL_NAME *a, int *ptype);
551int GENERAL_NAME_set0_othername(GENERAL_NAME *gen,
552 ASN1_OBJECT *oid, ASN1_TYPE *value);
553int GENERAL_NAME_get0_otherName(GENERAL_NAME *gen,
554 ASN1_OBJECT **poid, ASN1_TYPE **pvalue);
555
556char *i2s_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method, ASN1_OCTET_STRING *ia5);
557ASN1_OCTET_STRING *s2i_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *str);
558
559DECLARE_ASN1_FUNCTIONS(EXTENDED_KEY_USAGE)
560int i2a_ACCESS_DESCRIPTION(BIO *bp, ACCESS_DESCRIPTION* a);
561
562DECLARE_ASN1_FUNCTIONS(CERTIFICATEPOLICIES)
563DECLARE_ASN1_FUNCTIONS(POLICYINFO)
564DECLARE_ASN1_FUNCTIONS(POLICYQUALINFO)
565DECLARE_ASN1_FUNCTIONS(USERNOTICE)
566DECLARE_ASN1_FUNCTIONS(NOTICEREF)
567
568DECLARE_ASN1_FUNCTIONS(CRL_DIST_POINTS)
569DECLARE_ASN1_FUNCTIONS(DIST_POINT)
570DECLARE_ASN1_FUNCTIONS(DIST_POINT_NAME)
571DECLARE_ASN1_FUNCTIONS(ISSUING_DIST_POINT)
572
573int DIST_POINT_set_dpname(DIST_POINT_NAME *dpn, X509_NAME *iname);
574
575int NAME_CONSTRAINTS_check(X509 *x, NAME_CONSTRAINTS *nc);
576
577DECLARE_ASN1_FUNCTIONS(ACCESS_DESCRIPTION)
578DECLARE_ASN1_FUNCTIONS(AUTHORITY_INFO_ACCESS)
579
580DECLARE_ASN1_ITEM(POLICY_MAPPING)
581DECLARE_ASN1_ALLOC_FUNCTIONS(POLICY_MAPPING)
582DECLARE_ASN1_ITEM(POLICY_MAPPINGS)
583
584DECLARE_ASN1_ITEM(GENERAL_SUBTREE)
585DECLARE_ASN1_ALLOC_FUNCTIONS(GENERAL_SUBTREE)
586
587DECLARE_ASN1_ITEM(NAME_CONSTRAINTS)
588DECLARE_ASN1_ALLOC_FUNCTIONS(NAME_CONSTRAINTS)
589
590DECLARE_ASN1_ALLOC_FUNCTIONS(POLICY_CONSTRAINTS)
591DECLARE_ASN1_ITEM(POLICY_CONSTRAINTS)
592
593GENERAL_NAME *a2i_GENERAL_NAME(GENERAL_NAME *out,
594 const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
595 int gen_type, char *value, int is_nc);
596
597#ifdef HEADER_CONF_H
598GENERAL_NAME *v2i_GENERAL_NAME(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
599 CONF_VALUE *cnf);
600GENERAL_NAME *v2i_GENERAL_NAME_ex(GENERAL_NAME *out,
601 const X509V3_EXT_METHOD *method,
602 X509V3_CTX *ctx, CONF_VALUE *cnf, int is_nc);
603void X509V3_conf_free(CONF_VALUE *val);
604
605X509_EXTENSION *X509V3_EXT_nconf_nid(CONF *conf, X509V3_CTX *ctx, int ext_nid, char *value);
606X509_EXTENSION *X509V3_EXT_nconf(CONF *conf, X509V3_CTX *ctx, char *name, char *value);
607int X509V3_EXT_add_nconf_sk(CONF *conf, X509V3_CTX *ctx, char *section, STACK_OF(X509_EXTENSION) **sk);
608int X509V3_EXT_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section, X509 *cert);
609int X509V3_EXT_REQ_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section, X509_REQ *req);
610int X509V3_EXT_CRL_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section, X509_CRL *crl);
611
612X509_EXTENSION *X509V3_EXT_conf_nid(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
613 int ext_nid, char *value);
614X509_EXTENSION *X509V3_EXT_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
615 char *name, char *value);
616int X509V3_EXT_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
617 char *section, X509 *cert);
618int X509V3_EXT_REQ_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
619 char *section, X509_REQ *req);
620int X509V3_EXT_CRL_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
621 char *section, X509_CRL *crl);
622
623int X509V3_add_value_bool_nf(char *name, int asn1_bool,
624 STACK_OF(CONF_VALUE) **extlist);
625int X509V3_get_value_bool(CONF_VALUE *value, int *asn1_bool);
626int X509V3_get_value_int(CONF_VALUE *value, ASN1_INTEGER **aint);
627void X509V3_set_nconf(X509V3_CTX *ctx, CONF *conf);
628void X509V3_set_conf_lhash(X509V3_CTX *ctx, LHASH_OF(CONF_VALUE) *lhash);
629#endif
630
631char * X509V3_get_string(X509V3_CTX *ctx, char *name, char *section);
632STACK_OF(CONF_VALUE) * X509V3_get_section(X509V3_CTX *ctx, char *section);
633void X509V3_string_free(X509V3_CTX *ctx, char *str);
634void X509V3_section_free( X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *section);
635void X509V3_set_ctx(X509V3_CTX *ctx, X509 *issuer, X509 *subject,
636 X509_REQ *req, X509_CRL *crl, int flags);
637
638int X509V3_add_value(const char *name, const char *value,
639 STACK_OF(CONF_VALUE) **extlist);
640int X509V3_add_value_uchar(const char *name, const unsigned char *value,
641 STACK_OF(CONF_VALUE) **extlist);
642int X509V3_add_value_bool(const char *name, int asn1_bool,
643 STACK_OF(CONF_VALUE) **extlist);
644int X509V3_add_value_int(const char *name, ASN1_INTEGER *aint,
645 STACK_OF(CONF_VALUE) **extlist);
646char * i2s_ASN1_INTEGER(X509V3_EXT_METHOD *meth, ASN1_INTEGER *aint);
647ASN1_INTEGER * s2i_ASN1_INTEGER(X509V3_EXT_METHOD *meth, char *value);
648char * i2s_ASN1_ENUMERATED(X509V3_EXT_METHOD *meth, ASN1_ENUMERATED *aint);
649char * i2s_ASN1_ENUMERATED_TABLE(X509V3_EXT_METHOD *meth, ASN1_ENUMERATED *aint);
650int X509V3_EXT_add(X509V3_EXT_METHOD *ext);
651int X509V3_EXT_add_list(X509V3_EXT_METHOD *extlist);
652int X509V3_EXT_add_alias(int nid_to, int nid_from);
653void X509V3_EXT_cleanup(void);
654
655const X509V3_EXT_METHOD *X509V3_EXT_get(X509_EXTENSION *ext);
656const X509V3_EXT_METHOD *X509V3_EXT_get_nid(int nid);
657int X509V3_add_standard_extensions(void);
658STACK_OF(CONF_VALUE) *X509V3_parse_list(const char *line);
659void *X509V3_EXT_d2i(X509_EXTENSION *ext);
660void *X509V3_get_d2i(STACK_OF(X509_EXTENSION) *x, int nid, int *crit, int *idx);
661
662
663X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, void *ext_struc);
664int X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value, int crit, unsigned long flags);
665
666char *hex_to_string(const unsigned char *buffer, long len);
667unsigned char *string_to_hex(const char *str, long *len);
668int name_cmp(const char *name, const char *cmp);
669
670void X509V3_EXT_val_prn(BIO *out, STACK_OF(CONF_VALUE) *val, int indent,
671 int ml);
672int X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, unsigned long flag, int indent);
673int X509V3_EXT_print_fp(FILE *out, X509_EXTENSION *ext, int flag, int indent);
674
675int X509V3_extensions_print(BIO *out, char *title, STACK_OF(X509_EXTENSION) *exts, unsigned long flag, int indent);
676
677int X509_check_ca(X509 *x);
678int X509_check_purpose(X509 *x, int id, int ca);
679int X509_supported_extension(X509_EXTENSION *ex);
680int X509_PURPOSE_set(int *p, int purpose);
681int X509_check_issued(X509 *issuer, X509 *subject);
682int X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid);
683int X509_PURPOSE_get_count(void);
684X509_PURPOSE * X509_PURPOSE_get0(int idx);
685int X509_PURPOSE_get_by_sname(char *sname);
686int X509_PURPOSE_get_by_id(int id);
687int X509_PURPOSE_add(int id, int trust, int flags,
688 int (*ck)(const X509_PURPOSE *, const X509 *, int),
689 char *name, char *sname, void *arg);
690char *X509_PURPOSE_get0_name(X509_PURPOSE *xp);
691char *X509_PURPOSE_get0_sname(X509_PURPOSE *xp);
692int X509_PURPOSE_get_trust(X509_PURPOSE *xp);
693void X509_PURPOSE_cleanup(void);
694int X509_PURPOSE_get_id(X509_PURPOSE *);
695
696STACK_OF(OPENSSL_STRING) *X509_get1_email(X509 *x);
697STACK_OF(OPENSSL_STRING) *X509_REQ_get1_email(X509_REQ *x);
698void X509_email_free(STACK_OF(OPENSSL_STRING) *sk);
699STACK_OF(OPENSSL_STRING) *X509_get1_ocsp(X509 *x);
700
701ASN1_OCTET_STRING *a2i_IPADDRESS(const char *ipasc);
702ASN1_OCTET_STRING *a2i_IPADDRESS_NC(const char *ipasc);
703int a2i_ipadd(unsigned char *ipout, const char *ipasc);
704int X509V3_NAME_from_section(X509_NAME *nm, STACK_OF(CONF_VALUE)*dn_sk,
705 unsigned long chtype);
706
707void X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent);
708DECLARE_STACK_OF(X509_POLICY_NODE)
709
710#ifndef OPENSSL_NO_RFC3779
711
712typedef struct ASRange_st {
713 ASN1_INTEGER *min, *max;
714} ASRange;
715
716#define ASIdOrRange_id 0
717#define ASIdOrRange_range 1
718
719typedef struct ASIdOrRange_st {
720 int type;
721 union {
722 ASN1_INTEGER *id;
723 ASRange *range;
724 } u;
725} ASIdOrRange;
726
727typedef STACK_OF(ASIdOrRange) ASIdOrRanges;
728DECLARE_STACK_OF(ASIdOrRange)
729
730#define ASIdentifierChoice_inherit 0
731#define ASIdentifierChoice_asIdsOrRanges 1
732
733typedef struct ASIdentifierChoice_st {
734 int type;
735 union {
736 ASN1_NULL *inherit;
737 ASIdOrRanges *asIdsOrRanges;
738 } u;
739} ASIdentifierChoice;
740
741typedef struct ASIdentifiers_st {
742 ASIdentifierChoice *asnum, *rdi;
743} ASIdentifiers;
744
745DECLARE_ASN1_FUNCTIONS(ASRange)
746DECLARE_ASN1_FUNCTIONS(ASIdOrRange)
747DECLARE_ASN1_FUNCTIONS(ASIdentifierChoice)
748DECLARE_ASN1_FUNCTIONS(ASIdentifiers)
749
750
751typedef struct IPAddressRange_st {
752 ASN1_BIT_STRING *min, *max;
753} IPAddressRange;
754
755#define IPAddressOrRange_addressPrefix 0
756#define IPAddressOrRange_addressRange 1
757
758typedef struct IPAddressOrRange_st {
759 int type;
760 union {
761 ASN1_BIT_STRING *addressPrefix;
762 IPAddressRange *addressRange;
763 } u;
764} IPAddressOrRange;
765
766typedef STACK_OF(IPAddressOrRange) IPAddressOrRanges;
767DECLARE_STACK_OF(IPAddressOrRange)
768
769#define IPAddressChoice_inherit 0
770#define IPAddressChoice_addressesOrRanges 1
771
772typedef struct IPAddressChoice_st {
773 int type;
774 union {
775 ASN1_NULL *inherit;
776 IPAddressOrRanges *addressesOrRanges;
777 } u;
778} IPAddressChoice;
779
780typedef struct IPAddressFamily_st {
781 ASN1_OCTET_STRING *addressFamily;
782 IPAddressChoice *ipAddressChoice;
783} IPAddressFamily;
784
785typedef STACK_OF(IPAddressFamily) IPAddrBlocks;
786DECLARE_STACK_OF(IPAddressFamily)
787
788DECLARE_ASN1_FUNCTIONS(IPAddressRange)
789DECLARE_ASN1_FUNCTIONS(IPAddressOrRange)
790DECLARE_ASN1_FUNCTIONS(IPAddressChoice)
791DECLARE_ASN1_FUNCTIONS(IPAddressFamily)
792
793/*
794 * API tag for elements of the ASIdentifer SEQUENCE.
795 */
796#define V3_ASID_ASNUM 0
797#define V3_ASID_RDI 1
798
799/*
800 * AFI values, assigned by IANA. It'd be nice to make the AFI
801 * handling code totally generic, but there are too many little things
802 * that would need to be defined for other address families for it to
803 * be worth the trouble.
804 */
805#define IANA_AFI_IPV4 1
806#define IANA_AFI_IPV6 2
807
808/*
809 * Utilities to construct and extract values from RFC3779 extensions,
810 * since some of the encodings (particularly for IP address prefixes
811 * and ranges) are a bit tedious to work with directly.
812 */
813int v3_asid_add_inherit(ASIdentifiers *asid, int which);
814int v3_asid_add_id_or_range(ASIdentifiers *asid, int which,
815 ASN1_INTEGER *min, ASN1_INTEGER *max);
816int v3_addr_add_inherit(IPAddrBlocks *addr,
817 const unsigned afi, const unsigned *safi);
818int v3_addr_add_prefix(IPAddrBlocks *addr,
819 const unsigned afi, const unsigned *safi,
820 unsigned char *a, const int prefixlen);
821int v3_addr_add_range(IPAddrBlocks *addr,
822 const unsigned afi, const unsigned *safi,
823 unsigned char *min, unsigned char *max);
824unsigned v3_addr_get_afi(const IPAddressFamily *f);
825int v3_addr_get_range(IPAddressOrRange *aor, const unsigned afi,
826 unsigned char *min, unsigned char *max,
827 const int length);
828
829/*
830 * Canonical forms.
831 */
832int v3_asid_is_canonical(ASIdentifiers *asid);
833int v3_addr_is_canonical(IPAddrBlocks *addr);
834int v3_asid_canonize(ASIdentifiers *asid);
835int v3_addr_canonize(IPAddrBlocks *addr);
836
837/*
838 * Tests for inheritance and containment.
839 */
840int v3_asid_inherits(ASIdentifiers *asid);
841int v3_addr_inherits(IPAddrBlocks *addr);
842int v3_asid_subset(ASIdentifiers *a, ASIdentifiers *b);
843int v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b);
844
845/*
846 * Check whether RFC 3779 extensions nest properly in chains.
847 */
848int v3_asid_validate_path(X509_STORE_CTX *);
849int v3_addr_validate_path(X509_STORE_CTX *);
850int v3_asid_validate_resource_set(STACK_OF(X509) *chain,
851 ASIdentifiers *ext,
852 int allow_inheritance);
853int v3_addr_validate_resource_set(STACK_OF(X509) *chain,
854 IPAddrBlocks *ext,
855 int allow_inheritance);
856
857#endif /* OPENSSL_NO_RFC3779 */
858
859/* BEGIN ERROR CODES */
860/* The following lines are auto generated by the script mkerr.pl. Any changes
861 * made after this point may be overwritten when the script is next run.
862 */
863void ERR_load_X509V3_strings(void);
864
865/* Error codes for the X509V3 functions. */
866
867/* Function codes. */
868#define X509V3_F_A2I_GENERAL_NAME 164
869#define X509V3_F_ASIDENTIFIERCHOICE_CANONIZE 161
870#define X509V3_F_ASIDENTIFIERCHOICE_IS_CANONICAL 162
871#define X509V3_F_COPY_EMAIL 122
872#define X509V3_F_COPY_ISSUER 123
873#define X509V3_F_DO_DIRNAME 144
874#define X509V3_F_DO_EXT_CONF 124
875#define X509V3_F_DO_EXT_I2D 135
876#define X509V3_F_DO_EXT_NCONF 151
877#define X509V3_F_DO_I2V_NAME_CONSTRAINTS 148
878#define X509V3_F_GNAMES_FROM_SECTNAME 156
879#define X509V3_F_HEX_TO_STRING 111
880#define X509V3_F_I2S_ASN1_ENUMERATED 121
881#define X509V3_F_I2S_ASN1_IA5STRING 149
882#define X509V3_F_I2S_ASN1_INTEGER 120
883#define X509V3_F_I2V_AUTHORITY_INFO_ACCESS 138
884#define X509V3_F_NOTICE_SECTION 132
885#define X509V3_F_NREF_NOS 133
886#define X509V3_F_POLICY_SECTION 131
887#define X509V3_F_PROCESS_PCI_VALUE 150
888#define X509V3_F_R2I_CERTPOL 130
889#define X509V3_F_R2I_PCI 155
890#define X509V3_F_S2I_ASN1_IA5STRING 100
891#define X509V3_F_S2I_ASN1_INTEGER 108
892#define X509V3_F_S2I_ASN1_OCTET_STRING 112
893#define X509V3_F_S2I_ASN1_SKEY_ID 114
894#define X509V3_F_S2I_SKEY_ID 115
895#define X509V3_F_SET_DIST_POINT_NAME 158
896#define X509V3_F_STRING_TO_HEX 113
897#define X509V3_F_SXNET_ADD_ID_ASC 125
898#define X509V3_F_SXNET_ADD_ID_INTEGER 126
899#define X509V3_F_SXNET_ADD_ID_ULONG 127
900#define X509V3_F_SXNET_GET_ID_ASC 128
901#define X509V3_F_SXNET_GET_ID_ULONG 129
902#define X509V3_F_V2I_ASIDENTIFIERS 163
903#define X509V3_F_V2I_ASN1_BIT_STRING 101
904#define X509V3_F_V2I_AUTHORITY_INFO_ACCESS 139
905#define X509V3_F_V2I_AUTHORITY_KEYID 119
906#define X509V3_F_V2I_BASIC_CONSTRAINTS 102
907#define X509V3_F_V2I_CRLD 134
908#define X509V3_F_V2I_EXTENDED_KEY_USAGE 103
909#define X509V3_F_V2I_GENERAL_NAMES 118
910#define X509V3_F_V2I_GENERAL_NAME_EX 117
911#define X509V3_F_V2I_IDP 157
912#define X509V3_F_V2I_IPADDRBLOCKS 159
913#define X509V3_F_V2I_ISSUER_ALT 153
914#define X509V3_F_V2I_NAME_CONSTRAINTS 147
915#define X509V3_F_V2I_POLICY_CONSTRAINTS 146
916#define X509V3_F_V2I_POLICY_MAPPINGS 145
917#define X509V3_F_V2I_SUBJECT_ALT 154
918#define X509V3_F_V3_ADDR_VALIDATE_PATH_INTERNAL 160
919#define X509V3_F_V3_GENERIC_EXTENSION 116
920#define X509V3_F_X509V3_ADD1_I2D 140
921#define X509V3_F_X509V3_ADD_VALUE 105
922#define X509V3_F_X509V3_EXT_ADD 104
923#define X509V3_F_X509V3_EXT_ADD_ALIAS 106
924#define X509V3_F_X509V3_EXT_CONF 107
925#define X509V3_F_X509V3_EXT_I2D 136
926#define X509V3_F_X509V3_EXT_NCONF 152
927#define X509V3_F_X509V3_GET_SECTION 142
928#define X509V3_F_X509V3_GET_STRING 143
929#define X509V3_F_X509V3_GET_VALUE_BOOL 110
930#define X509V3_F_X509V3_PARSE_LIST 109
931#define X509V3_F_X509_PURPOSE_ADD 137
932#define X509V3_F_X509_PURPOSE_SET 141
933
934/* Reason codes. */
935#define X509V3_R_BAD_IP_ADDRESS 118
936#define X509V3_R_BAD_OBJECT 119
937#define X509V3_R_BN_DEC2BN_ERROR 100
938#define X509V3_R_BN_TO_ASN1_INTEGER_ERROR 101
939#define X509V3_R_DIRNAME_ERROR 149
940#define X509V3_R_DISTPOINT_ALREADY_SET 160
941#define X509V3_R_DUPLICATE_ZONE_ID 133
942#define X509V3_R_ERROR_CONVERTING_ZONE 131
943#define X509V3_R_ERROR_CREATING_EXTENSION 144
944#define X509V3_R_ERROR_IN_EXTENSION 128
945#define X509V3_R_EXPECTED_A_SECTION_NAME 137
946#define X509V3_R_EXTENSION_EXISTS 145
947#define X509V3_R_EXTENSION_NAME_ERROR 115
948#define X509V3_R_EXTENSION_NOT_FOUND 102
949#define X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED 103
950#define X509V3_R_EXTENSION_VALUE_ERROR 116
951#define X509V3_R_ILLEGAL_EMPTY_EXTENSION 151
952#define X509V3_R_ILLEGAL_HEX_DIGIT 113
953#define X509V3_R_INCORRECT_POLICY_SYNTAX_TAG 152
954#define X509V3_R_INVALID_MULTIPLE_RDNS 161
955#define X509V3_R_INVALID_ASNUMBER 162
956#define X509V3_R_INVALID_ASRANGE 163
957#define X509V3_R_INVALID_BOOLEAN_STRING 104
958#define X509V3_R_INVALID_EXTENSION_STRING 105
959#define X509V3_R_INVALID_INHERITANCE 165
960#define X509V3_R_INVALID_IPADDRESS 166
961#define X509V3_R_INVALID_NAME 106
962#define X509V3_R_INVALID_NULL_ARGUMENT 107
963#define X509V3_R_INVALID_NULL_NAME 108
964#define X509V3_R_INVALID_NULL_VALUE 109
965#define X509V3_R_INVALID_NUMBER 140
966#define X509V3_R_INVALID_NUMBERS 141
967#define X509V3_R_INVALID_OBJECT_IDENTIFIER 110
968#define X509V3_R_INVALID_OPTION 138
969#define X509V3_R_INVALID_POLICY_IDENTIFIER 134
970#define X509V3_R_INVALID_PROXY_POLICY_SETTING 153
971#define X509V3_R_INVALID_PURPOSE 146
972#define X509V3_R_INVALID_SAFI 164
973#define X509V3_R_INVALID_SECTION 135
974#define X509V3_R_INVALID_SYNTAX 143
975#define X509V3_R_ISSUER_DECODE_ERROR 126
976#define X509V3_R_MISSING_VALUE 124
977#define X509V3_R_NEED_ORGANIZATION_AND_NUMBERS 142
978#define X509V3_R_NO_CONFIG_DATABASE 136
979#define X509V3_R_NO_ISSUER_CERTIFICATE 121
980#define X509V3_R_NO_ISSUER_DETAILS 127
981#define X509V3_R_NO_POLICY_IDENTIFIER 139
982#define X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED 154
983#define X509V3_R_NO_PUBLIC_KEY 114
984#define X509V3_R_NO_SUBJECT_DETAILS 125
985#define X509V3_R_ODD_NUMBER_OF_DIGITS 112
986#define X509V3_R_OPERATION_NOT_DEFINED 148
987#define X509V3_R_OTHERNAME_ERROR 147
988#define X509V3_R_POLICY_LANGUAGE_ALREADY_DEFINED 155
989#define X509V3_R_POLICY_PATH_LENGTH 156
990#define X509V3_R_POLICY_PATH_LENGTH_ALREADY_DEFINED 157
991#define X509V3_R_POLICY_SYNTAX_NOT_CURRENTLY_SUPPORTED 158
992#define X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY 159
993#define X509V3_R_SECTION_NOT_FOUND 150
994#define X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS 122
995#define X509V3_R_UNABLE_TO_GET_ISSUER_KEYID 123
996#define X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT 111
997#define X509V3_R_UNKNOWN_EXTENSION 129
998#define X509V3_R_UNKNOWN_EXTENSION_NAME 130
999#define X509V3_R_UNKNOWN_OPTION 120
1000#define X509V3_R_UNSUPPORTED_OPTION 117
1001#define X509V3_R_UNSUPPORTED_TYPE 167
1002#define X509V3_R_USER_TOO_LONG 132
1003
1004#ifdef __cplusplus
1005}
1006#endif
1007#endif
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-11-23 22:32:04 +0000