6 files changed, 102 insertions, 20 deletions
diff --git a/src/lib/libcrypto/x509/by_dir.c b/src/lib/libcrypto/x509/by_dir.c
index a5c306f1fd..6207340472 100644
--- a/src/lib/libcrypto/x509/by_dir.c
+++ b/src/lib/libcrypto/x509/by_dir.c
@@ -302,8 +302,38 @@ static int get_cert_by_subject(X509_LOOKUP *xl, int type, X509_NAME *name,
                k=0;
                for (;;)
                        {
-                        snprintf(b->data,b->max,"%s/%08lx.%s%d",ctx->dirs[i],h,
+                        char c = '/';
-                                 postfix,k);
+#ifdef OPENSSL_SYS_VMS
+                        c = ctx->dirs[i][strlen(ctx->dirs[i])-1];
+                        if (c != ':' && c != '>' && c != ']')
+                                {
+                                /* If no separator is present, we assume the
+                                   directory specifier is a logical name, and
+                                   add a colon.  We really should use better
+                                   VMS routines for merging things like this,
+                                   but this will do for now...
+                                   -- Richard Levitte */
+                                c = ':';
+                                }
+                        else
+                                {
+                                c = '\0';
+                                }
+#endif
+                        if (c == '\0')
+                                {
+                                /* This is special.  When c == '\0', no
+                                   directory separator should be added. */
+                                BIO_snprintf(b->data,b->max,
+                                        "%s%08lx.%s%d",ctx->dirs[i],h,
+                                        postfix,k);
+                                }
+                        else
+                                {
+                                BIO_snprintf(b->data,b->max,
+                                        "%s%c%08lx.%s%d",ctx->dirs[i],c,h,
+                                        postfix,k);
+                                }
                        k++;
                        if (stat(b->data,&st) < 0)
                                break;
diff --git a/src/lib/libcrypto/x509/x509.h b/src/lib/libcrypto/x509/x509.h
index eaad5685a8..8d0c7e2e17 100644
--- a/src/lib/libcrypto/x509/x509.h
+++ b/src/lib/libcrypto/x509/x509.h
@@ -810,10 +810,6 @@ X509_REQ *X509_REQ_dup(X509_REQ *req);
 X509_ALGOR *X509_ALGOR_dup(X509_ALGOR *xn);
 X509_NAME *X509_NAME_dup(X509_NAME *xn);
 X509_NAME_ENTRY *X509_NAME_ENTRY_dup(X509_NAME_ENTRY *ne);
-#ifndef OPENSSL_NO_RSA
-RSA *RSAPublicKey_dup(RSA *rsa);
-RSA *RSAPrivateKey_dup(RSA *rsa);
-#endif
 #endif /* !SSLEAY_MACROS */
diff --git a/src/lib/libcrypto/x509/x509_txt.c b/src/lib/libcrypto/x509/x509_txt.c
index 9d09ae17e8..e31ebc6741 100644
--- a/src/lib/libcrypto/x509/x509_txt.c
+++ b/src/lib/libcrypto/x509/x509_txt.c
@@ -147,8 +147,14 @@ const char *X509_verify_cert_error_string(long n)
        case X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION:
                return("unhandled critical extension");
+        case X509_V_ERR_KEYUSAGE_NO_CRL_SIGN:
+                return("key usage does not include CRL signing");
+        case X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION:
+                return("unhandled critical CRL extension");
        default:
-                snprintf(buf,sizeof buf,"error number %ld",n);
+                BIO_snprintf(buf,sizeof buf,"error number %ld",n);
                return(buf);
                }
        }
diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c
index 2bb21b443e..2e4d0b823a 100644
--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -383,6 +383,7 @@ static int check_chain_purpose(X509_STORE_CTX *ctx)
        /* Check all untrusted certificates */
        for (i = 0; i < ctx->last_untrusted; i++)
                {
+                int ret;
                x = sk_X509_value(ctx->chain, i);
                if (!(ctx->flags & X509_V_FLAG_IGNORE_CRITICAL)
                        && (x->ex_flags & EXFLAG_CRITICAL))
@@ -393,7 +394,10 @@ static int check_chain_purpose(X509_STORE_CTX *ctx)
                        ok=cb(0,ctx);
                        if (!ok) goto end;
                        }
-                if (!X509_check_purpose(x, ctx->purpose, i))
+                ret = X509_check_purpose(x, ctx->purpose, i);
+                if ((ret == 0)
+                         || ((ctx->flags & X509_V_FLAG_X509_STRICT)
+                                && (ret != 1)))
                        {
                        if (i)
                                ctx->error = X509_V_ERR_INVALID_CA;
@@ -537,6 +541,14 @@ static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl)
        if(issuer)
                {
+                /* Check for cRLSign bit if keyUsage present */
+                if ((issuer->ex_flags & EXFLAG_KUSAGE) &&
+                        !(issuer->ex_kusage & KU_CRL_SIGN))
+                        {
+                        ctx->error = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN;
+                        ok = ctx->verify_cb(0, ctx);
+                        if(!ok) goto err;
+                        }
                /* Attempt to get issuer certificate public key */
                ikey = X509_get_pubkey(issuer);
@@ -611,17 +623,46 @@ static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
        {
        int idx, ok;
        X509_REVOKED rtmp;
+        STACK_OF(X509_EXTENSION) *exts;
+        X509_EXTENSION *ext;
        /* Look for serial number of certificate in CRL */
        rtmp.serialNumber = X509_get_serialNumber(x);
        idx = sk_X509_REVOKED_find(crl->crl->revoked, &rtmp);
-        /* Not found: OK */
+        /* If found assume revoked: want something cleverer than
-        if(idx == -1) return 1;
-        /* Otherwise revoked: want something cleverer than
         * this to handle entry extensions in V2 CRLs.
         */
-        ctx->error = X509_V_ERR_CERT_REVOKED;
+        if(idx >= 0)
-        ok = ctx->verify_cb(0, ctx);
+                {
-        return ok;
+                ctx->error = X509_V_ERR_CERT_REVOKED;
+                ok = ctx->verify_cb(0, ctx);
+                if (!ok) return 0;
+                }
+        if (ctx->flags & X509_V_FLAG_IGNORE_CRITICAL)
+                return 1;
+        /* See if we have any critical CRL extensions: since we
+         * currently don't handle any CRL extensions the CRL must be
+         * rejected. 
+         * This code accesses the X509_CRL structure directly: applications
+         * shouldn't do this.
+         */
+        exts = crl->crl->extensions;
+        for (idx = 0; idx < sk_X509_EXTENSION_num(exts); idx++)
+                {
+                ext = sk_X509_EXTENSION_value(exts, idx);
+                if (ext->critical > 0)
+                        {
+                        ctx->error =
+                                X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION;
+                        ok = ctx->verify_cb(0, ctx);
+                        if(!ok) return 0;
+                        break;
+                        }
+                }
+        return 1;
        }
 static int internal_verify(X509_STORE_CTX *ctx)
diff --git a/src/lib/libcrypto/x509/x509_vfy.h b/src/lib/libcrypto/x509/x509_vfy.h
index f0be21f452..198495884c 100644
--- a/src/lib/libcrypto/x509/x509_vfy.h
+++ b/src/lib/libcrypto/x509/x509_vfy.h
@@ -304,17 +304,26 @@ struct x509_store_ctx_st      /* X509_STORE_CTX */
 #define         X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER             33
 #define         X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION         34
+#define         X509_V_ERR_KEYUSAGE_NO_CRL_SIGN                 35
+#define         X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION     36
 /* The application is not happy */
 #define         X509_V_ERR_APPLICATION_VERIFICATION             50
 /* Certificate verify flags */
-#define X509_V_FLAG_CB_ISSUER_CHECK             0x1     /* Send issuer+subject checks to verify_cb */
+/* Send issuer+subject checks to verify_cb */
-#define X509_V_FLAG_USE_CHECK_TIME              0x2     /* Use check time instead of current time */
+#define X509_V_FLAG_CB_ISSUER_CHECK             0x1
-#define X509_V_FLAG_CRL_CHECK                   0x4     /* Lookup CRLs */
+/* Use check time instead of current time */
-#define X509_V_FLAG_CRL_CHECK_ALL               0x8     /* Lookup CRLs for whole chain */
+#define X509_V_FLAG_USE_CHECK_TIME              0x2
-#define X509_V_FLAG_IGNORE_CRITICAL             0x10    /* Ignore unhandled critical extensions */
+/* Lookup CRLs */
+#define X509_V_FLAG_CRL_CHECK                   0x4
+/* Lookup CRLs for whole chain */
+#define X509_V_FLAG_CRL_CHECK_ALL               0x8
+/* Ignore unhandled critical extensions */
+#define X509_V_FLAG_IGNORE_CRITICAL             0x10
+/* Disable workarounds for broken certificates */
+#define X509_V_FLAG_X509_STRICT                 0x20
 int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, int type,
             X509_NAME *name);
diff --git a/src/lib/libcrypto/x509/x509type.c b/src/lib/libcrypto/x509/x509type.c
index f78c2a6b43..c25959a742 100644
--- a/src/lib/libcrypto/x509/x509type.c
+++ b/src/lib/libcrypto/x509/x509type.c
@@ -106,7 +106,7 @@ int X509_certificate_type(X509 *x, EVP_PKEY *pkey)
                break;
                }
-        if (EVP_PKEY_size(pk) <= 512/8) /* /8 because it's 512 bits we look
+        if (EVP_PKEY_size(pk) <= 1024/8)/* /8 because it's 1024 bits we look
                                           for, not bytes */
                ret|=EVP_PKT_EXP;
        if(pkey==NULL) EVP_PKEY_free(pk);

diff --git a/src/lib/libcrypto/x509/by_dir.c b/src/lib/libcrypto/x509/by_dir.c index a5c306f1fd..6207340472 100644 --- a/src/lib/libcrypto/x509/by_dir.c +++ b/src/lib/libcrypto/x509/by_dir.c
@@ -302,8 +302,38 @@ static int get_cert_by_subject(X509_LOOKUP xl, int type, X509_NAME name,
302	k=0;	302	k=0;
303	for (;;)	303	for (;;)
304	{	304	{
305	snprintf(b->data,b->max,"%s/%08lx.%s%d",ctx->dirs[i],h,	305	char c = '/';
306	postfix,k);	306	#ifdef OPENSSL_SYS_VMS
		307	c = ctx->dirs[i][strlen(ctx->dirs[i])-1];
		308	if (c != ':' && c != '>' && c != ']')
		309	{
		310	/* If no separator is present, we assume the
		311	directory specifier is a logical name, and
		312	add a colon. We really should use better
		313	VMS routines for merging things like this,
		314	but this will do for now...
		315	-- Richard Levitte */
		316	c = ':';
		317	}
		318	else
		319	{
		320	c = '\0';
		321	}
		322	#endif
		323	if (c == '\0')
		324	{
		325	/* This is special. When c == '\0', no
		326	directory separator should be added. */
		327	BIO_snprintf(b->data,b->max,
		328	"%s%08lx.%s%d",ctx->dirs[i],h,
		329	postfix,k);
		330	}
		331	else
		332	{
		333	BIO_snprintf(b->data,b->max,
		334	"%s%c%08lx.%s%d",ctx->dirs[i],c,h,
		335	postfix,k);
		336	}
307	k++;	337	k++;
308	if (stat(b->data,&st) < 0)	338	if (stat(b->data,&st) < 0)
309	break;	339	break;


diff --git a/src/lib/libcrypto/x509/x509.h b/src/lib/libcrypto/x509/x509.h index eaad5685a8..8d0c7e2e17 100644 --- a/src/lib/libcrypto/x509/x509.h +++ b/src/lib/libcrypto/x509/x509.h
@@ -810,10 +810,6 @@ X509_REQ X509_REQ_dup(X509_REQ req);
810	X509_ALGOR X509_ALGOR_dup(X509_ALGOR xn);	810	X509_ALGOR X509_ALGOR_dup(X509_ALGOR xn);
811	X509_NAME X509_NAME_dup(X509_NAME xn);	811	X509_NAME X509_NAME_dup(X509_NAME xn);
812	X509_NAME_ENTRY X509_NAME_ENTRY_dup(X509_NAME_ENTRY ne);	812	X509_NAME_ENTRY X509_NAME_ENTRY_dup(X509_NAME_ENTRY ne);
813	#ifndef OPENSSL_NO_RSA
814	RSA RSAPublicKey_dup(RSA rsa);
815	RSA RSAPrivateKey_dup(RSA rsa);
816	#endif
817		813
818	#endif /* !SSLEAY_MACROS */	814	#endif /* !SSLEAY_MACROS */
819		815


diff --git a/src/lib/libcrypto/x509/x509_txt.c b/src/lib/libcrypto/x509/x509_txt.c index 9d09ae17e8..e31ebc6741 100644 --- a/src/lib/libcrypto/x509/x509_txt.c +++ b/src/lib/libcrypto/x509/x509_txt.c
@@ -147,8 +147,14 @@ const char *X509_verify_cert_error_string(long n)
147	case X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION:	147	case X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION:
148	return("unhandled critical extension");	148	return("unhandled critical extension");
149		149
		150	case X509_V_ERR_KEYUSAGE_NO_CRL_SIGN:
		151	return("key usage does not include CRL signing");
		152
		153	case X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION:
		154	return("unhandled critical CRL extension");
		155
150	default:	156	default:
151	snprintf(buf,sizeof buf,"error number %ld",n);	157	BIO_snprintf(buf,sizeof buf,"error number %ld",n);
152	return(buf);	158	return(buf);
153	}	159	}
154	}	160	}


diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c index 2bb21b443e..2e4d0b823a 100644 --- a/src/lib/libcrypto/x509/x509_vfy.c +++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -383,6 +383,7 @@ static int check_chain_purpose(X509_STORE_CTX *ctx)
383	/* Check all untrusted certificates */	383	/* Check all untrusted certificates */
384	for (i = 0; i < ctx->last_untrusted; i++)	384	for (i = 0; i < ctx->last_untrusted; i++)
385	{	385	{
		386	int ret;
386	x = sk_X509_value(ctx->chain, i);	387	x = sk_X509_value(ctx->chain, i);
387	if (!(ctx->flags & X509_V_FLAG_IGNORE_CRITICAL)	388	if (!(ctx->flags & X509_V_FLAG_IGNORE_CRITICAL)
388	&& (x->ex_flags & EXFLAG_CRITICAL))	389	&& (x->ex_flags & EXFLAG_CRITICAL))
@@ -393,7 +394,10 @@ static int check_chain_purpose(X509_STORE_CTX *ctx)
393	ok=cb(0,ctx);	394	ok=cb(0,ctx);
394	if (!ok) goto end;	395	if (!ok) goto end;
395	}	396	}
396	if (!X509_check_purpose(x, ctx->purpose, i))	397	ret = X509_check_purpose(x, ctx->purpose, i);
		398	if ((ret == 0)
		399	\|\| ((ctx->flags & X509_V_FLAG_X509_STRICT)
		400	&& (ret != 1)))
397	{	401	{
398	if (i)	402	if (i)
399	ctx->error = X509_V_ERR_INVALID_CA;	403	ctx->error = X509_V_ERR_INVALID_CA;
@@ -537,6 +541,14 @@ static int check_crl(X509_STORE_CTX ctx, X509_CRL crl)
537		541
538	if(issuer)	542	if(issuer)
539	{	543	{
		544	/* Check for cRLSign bit if keyUsage present */
		545	if ((issuer->ex_flags & EXFLAG_KUSAGE) &&
		546	!(issuer->ex_kusage & KU_CRL_SIGN))
		547	{
		548	ctx->error = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN;
		549	ok = ctx->verify_cb(0, ctx);
		550	if(!ok) goto err;
		551	}
540		552
541	/* Attempt to get issuer certificate public key */	553	/* Attempt to get issuer certificate public key */
542	ikey = X509_get_pubkey(issuer);	554	ikey = X509_get_pubkey(issuer);
@@ -611,17 +623,46 @@ static int cert_crl(X509_STORE_CTX ctx, X509_CRL crl, X509 *x)
611	{	623	{
612	int idx, ok;	624	int idx, ok;
613	X509_REVOKED rtmp;	625	X509_REVOKED rtmp;
		626	STACK_OF(X509_EXTENSION) *exts;
		627	X509_EXTENSION *ext;
614	/* Look for serial number of certificate in CRL */	628	/* Look for serial number of certificate in CRL */
615	rtmp.serialNumber = X509_get_serialNumber(x);	629	rtmp.serialNumber = X509_get_serialNumber(x);
616	idx = sk_X509_REVOKED_find(crl->crl->revoked, &rtmp);	630	idx = sk_X509_REVOKED_find(crl->crl->revoked, &rtmp);
617	/* Not found: OK */	631	/* If found assume revoked: want something cleverer than
618	if(idx == -1) return 1;
619	/* Otherwise revoked: want something cleverer than
620	* this to handle entry extensions in V2 CRLs.	632	* this to handle entry extensions in V2 CRLs.
621	*/	633	*/
622	ctx->error = X509_V_ERR_CERT_REVOKED;	634	if(idx >= 0)
623	ok = ctx->verify_cb(0, ctx);	635	{
624	return ok;	636	ctx->error = X509_V_ERR_CERT_REVOKED;
		637	ok = ctx->verify_cb(0, ctx);
		638	if (!ok) return 0;
		639	}
		640
		641	if (ctx->flags & X509_V_FLAG_IGNORE_CRITICAL)
		642	return 1;
		643
		644	/* See if we have any critical CRL extensions: since we
		645	* currently don't handle any CRL extensions the CRL must be
		646	* rejected.
		647	* This code accesses the X509_CRL structure directly: applications
		648	* shouldn't do this.
		649	*/
		650
		651	exts = crl->crl->extensions;
		652
		653	for (idx = 0; idx < sk_X509_EXTENSION_num(exts); idx++)
		654	{
		655	ext = sk_X509_EXTENSION_value(exts, idx);
		656	if (ext->critical > 0)
		657	{
		658	ctx->error =
		659	X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION;
		660	ok = ctx->verify_cb(0, ctx);
		661	if(!ok) return 0;
		662	break;
		663	}
		664	}
		665	return 1;
625	}	666	}
626		667
627	static int internal_verify(X509_STORE_CTX *ctx)	668	static int internal_verify(X509_STORE_CTX *ctx)


diff --git a/src/lib/libcrypto/x509/x509_vfy.h b/src/lib/libcrypto/x509/x509_vfy.h index f0be21f452..198495884c 100644 --- a/src/lib/libcrypto/x509/x509_vfy.h +++ b/src/lib/libcrypto/x509/x509_vfy.h
@@ -304,17 +304,26 @@ struct x509_store_ctx_st /* X509_STORE_CTX */
304		304
305	#define X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER 33	305	#define X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER 33
306	#define X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION 34	306	#define X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION 34
		307	#define X509_V_ERR_KEYUSAGE_NO_CRL_SIGN 35
		308	#define X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION 36
307		309
308	/* The application is not happy */	310	/* The application is not happy */
309	#define X509_V_ERR_APPLICATION_VERIFICATION 50	311	#define X509_V_ERR_APPLICATION_VERIFICATION 50
310		312
311	/* Certificate verify flags */	313	/* Certificate verify flags */
312		314
313	#define X509_V_FLAG_CB_ISSUER_CHECK 0x1 /* Send issuer+subject checks to verify_cb */	315	/* Send issuer+subject checks to verify_cb */
314	#define X509_V_FLAG_USE_CHECK_TIME 0x2 /* Use check time instead of current time */	316	#define X509_V_FLAG_CB_ISSUER_CHECK 0x1
315	#define X509_V_FLAG_CRL_CHECK 0x4 /* Lookup CRLs */	317	/* Use check time instead of current time */
316	#define X509_V_FLAG_CRL_CHECK_ALL 0x8 /* Lookup CRLs for whole chain */	318	#define X509_V_FLAG_USE_CHECK_TIME 0x2
317	#define X509_V_FLAG_IGNORE_CRITICAL 0x10 /* Ignore unhandled critical extensions */	319	/* Lookup CRLs */
		320	#define X509_V_FLAG_CRL_CHECK 0x4
		321	/* Lookup CRLs for whole chain */
		322	#define X509_V_FLAG_CRL_CHECK_ALL 0x8
		323	/* Ignore unhandled critical extensions */
		324	#define X509_V_FLAG_IGNORE_CRITICAL 0x10
		325	/* Disable workarounds for broken certificates */
		326	#define X509_V_FLAG_X509_STRICT 0x20
318		327
319	int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, int type,	328	int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, int type,
320	X509_NAME *name);	329	X509_NAME *name);


diff --git a/src/lib/libcrypto/x509/x509type.c b/src/lib/libcrypto/x509/x509type.c index f78c2a6b43..c25959a742 100644 --- a/src/lib/libcrypto/x509/x509type.c +++ b/src/lib/libcrypto/x509/x509type.c
@@ -106,7 +106,7 @@ int X509_certificate_type(X509 x, EVP_PKEY pkey)
106	break;	106	break;
107	}	107	}
108		108
109	if (EVP_PKEY_size(pk) <= 512/8) /* /8 because it's 512 bits we look	109	if (EVP_PKEY_size(pk) <= 1024/8)/* /8 because it's 1024 bits we look
110	for, not bytes */	110	for, not bytes */
111	ret\|=EVP_PKT_EXP;	111	ret\|=EVP_PKT_EXP;
112	if(pkey==NULL) EVP_PKEY_free(pk);	112	if(pkey==NULL) EVP_PKEY_free(pk);