1 files changed, 0 insertions, 463 deletions
diff --git a/src/lib/libcrypto/x509v3/v3_purp.c b/src/lib/libcrypto/x509v3/v3_purp.c
deleted file mode 100644
index 5594a1d64f..0000000000
--- a/src/lib/libcrypto/x509v3/v3_purp.c
+++ /dev/null
@@ -1,463 +0,0 @@
-/* v3_purp.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
- * project 1999.
- */
-/* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer. 
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-#include <stdio.h>
-#include "cryptlib.h"
-#include <openssl/x509v3.h>
-static void x509v3_cache_extensions(X509 *x);
-static int ca_check(X509 *x);
-static int check_purpose_ssl_client(X509_PURPOSE *xp, X509 *x, int ca);
-static int check_purpose_ssl_server(X509_PURPOSE *xp, X509 *x, int ca);
-static int check_purpose_ns_ssl_server(X509_PURPOSE *xp, X509 *x, int ca);
-static int purpose_smime(X509 *x, int ca);
-static int check_purpose_smime_sign(X509_PURPOSE *xp, X509 *x, int ca);
-static int check_purpose_smime_encrypt(X509_PURPOSE *xp, X509 *x, int ca);
-static int check_purpose_crl_sign(X509_PURPOSE *xp, X509 *x, int ca);
-static int no_check(X509_PURPOSE *xp, X509 *x, int ca);
-static int xp_cmp(X509_PURPOSE **a, X509_PURPOSE **b);
-static void xptable_free(X509_PURPOSE *p);
-static X509_PURPOSE xstandard[] = {
-        {X509_PURPOSE_SSL_CLIENT, X509_TRUST_SSL_CLIENT, 0, check_purpose_ssl_client, "SSL client", "sslclient", NULL},
-        {X509_PURPOSE_SSL_SERVER, X509_TRUST_SSL_SERVER, 0, check_purpose_ssl_server, "SSL server", "sslserver", NULL},
-        {X509_PURPOSE_NS_SSL_SERVER, X509_TRUST_SSL_SERVER, 0, check_purpose_ns_ssl_server, "Netscape SSL server", "nssslserver", NULL},
-        {X509_PURPOSE_SMIME_SIGN, X509_TRUST_EMAIL, 0, check_purpose_smime_sign, "S/MIME signing", "smimesign", NULL},
-        {X509_PURPOSE_SMIME_ENCRYPT, X509_TRUST_EMAIL, 0, check_purpose_smime_encrypt, "S/MIME encryption", "smimeencrypt", NULL},
-        {X509_PURPOSE_CRL_SIGN, X509_TRUST_COMPAT, 0, check_purpose_crl_sign, "CRL signing", "crlsign", NULL},
-        {X509_PURPOSE_ANY, X509_TRUST_DEFAULT, 0, no_check, "Any Purpose", "any", NULL},
-};
-#define X509_PURPOSE_COUNT (sizeof(xstandard)/sizeof(X509_PURPOSE))
-IMPLEMENT_STACK_OF(X509_PURPOSE)
-static STACK_OF(X509_PURPOSE) *xptable = NULL;
-static int xp_cmp(X509_PURPOSE **a, X509_PURPOSE **b)
-{
-        return (*a)->purpose - (*b)->purpose;
-}
-int X509_check_purpose(X509 *x, int id, int ca)
-{
-        int idx;
-        X509_PURPOSE *pt;
-        if(!(x->ex_flags & EXFLAG_SET)) {
-                CRYPTO_w_lock(CRYPTO_LOCK_X509);
-                x509v3_cache_extensions(x);
-                CRYPTO_w_unlock(CRYPTO_LOCK_X509);
-        }
-        if(id == -1) return 1;
-        idx = X509_PURPOSE_get_by_id(id);
-        if(idx == -1) return -1;
-        pt = X509_PURPOSE_get0(idx);
-        return pt->check_purpose(pt, x, ca);
-}
-int X509_PURPOSE_get_count(void)
-{
-        if(!xptable) return X509_PURPOSE_COUNT;
-        return sk_X509_PURPOSE_num(xptable) + X509_PURPOSE_COUNT;
-}
-X509_PURPOSE * X509_PURPOSE_get0(int idx)
-{
-        if(idx < 0) return NULL;
-        if(idx < X509_PURPOSE_COUNT) return xstandard + idx;
-        return sk_X509_PURPOSE_value(xptable, idx - X509_PURPOSE_COUNT);
-}
-int X509_PURPOSE_get_by_sname(char *sname)
-{
-        int i;
-        X509_PURPOSE *xptmp;
-        for(i = 0; i < X509_PURPOSE_get_count(); i++) {
-                xptmp = X509_PURPOSE_get0(i);
-                if(!strcmp(xptmp->sname, sname)) return i;
-        }
-        return -1;
-}
-int X509_PURPOSE_get_by_id(int purpose)
-{
-        X509_PURPOSE tmp;
-        int idx;
-        if((purpose >= X509_PURPOSE_MIN) && (purpose <= X509_PURPOSE_MAX))
-                return purpose - X509_PURPOSE_MIN;
-        tmp.purpose = purpose;
-        if(!xptable) return -1;
-        idx = sk_X509_PURPOSE_find(xptable, &tmp);
-        if(idx == -1) return -1;
-        return idx + X509_PURPOSE_COUNT;
-}
-int X509_PURPOSE_add(int id, int trust, int flags,
-                        int (*ck)(X509_PURPOSE *, X509 *, int),
-                                        char *name, char *sname, void *arg)
-{
-        int idx;
-        X509_PURPOSE *ptmp;
-        /* This is set according to what we change: application can't set it */
-        flags &= ~X509_PURPOSE_DYNAMIC;
-        /* This will always be set for application modified trust entries */
-        flags |= X509_PURPOSE_DYNAMIC_NAME;
-        /* Get existing entry if any */
-        idx = X509_PURPOSE_get_by_id(id);
-        /* Need a new entry */
-        if(idx == -1) {
-                if(!(ptmp = Malloc(sizeof(X509_PURPOSE)))) {
-                        X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE);
-                        return 0;
-                }
-                ptmp->flags = X509_PURPOSE_DYNAMIC;
-        } else ptmp = X509_PURPOSE_get0(idx);
-        /* Free existing name if dynamic */
-        if(ptmp->flags & X509_PURPOSE_DYNAMIC_NAME) {
-                Free(ptmp->name);
-                Free(ptmp->sname);
-        }
-        /* dup supplied name */
-        ptmp->name = BUF_strdup(name);
-        ptmp->sname = BUF_strdup(sname);
-        if(!ptmp->name || !ptmp->sname) {
-                X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE);
-                return 0;
-        }
-        /* Keep the dynamic flag of existing entry */
-        ptmp->flags &= X509_PURPOSE_DYNAMIC;
-        /* Set all other flags */
-        ptmp->flags |= flags;
-        ptmp->purpose = id;
-        ptmp->trust = trust;
-        ptmp->check_purpose = ck;
-        ptmp->usr_data = arg;
-        /* If its a new entry manage the dynamic table */
-        if(idx == -1) {
-                if(!xptable && !(xptable = sk_X509_PURPOSE_new(xp_cmp))) {
-                        X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE);
-                        return 0;
-                }
-                if (!sk_X509_PURPOSE_push(xptable, ptmp)) {
-                        X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE);
-                        return 0;
-                }
-        }
-        return 1;
-}
-static void xptable_free(X509_PURPOSE *p)
-        {
-        if(!p) return;
-        if (p->flags & X509_PURPOSE_DYNAMIC) 
-                {
-                if (p->flags & X509_PURPOSE_DYNAMIC_NAME) {
-                        Free(p->name);
-                        Free(p->sname);
-                }
-                Free(p);
-                }
-        }
-void X509_PURPOSE_cleanup(void)
-{
-        int i;
-        sk_X509_PURPOSE_pop_free(xptable, xptable_free);
-        for(i = 0; i < X509_PURPOSE_COUNT; i++) xptable_free(xstandard + i);
-        xptable = NULL;
-}
-int X509_PURPOSE_get_id(X509_PURPOSE *xp)
-{
-        return xp->purpose;
-}
-char *X509_PURPOSE_get0_name(X509_PURPOSE *xp)
-{
-        return xp->name;
-}
-char *X509_PURPOSE_get0_sname(X509_PURPOSE *xp)
-{
-        return xp->sname;
-}
-int X509_PURPOSE_get_trust(X509_PURPOSE *xp)
-{
-        return xp->trust;
-}
-#ifndef NO_SHA
-static void x509v3_cache_extensions(X509 *x)
-{
-        BASIC_CONSTRAINTS *bs;
-        ASN1_BIT_STRING *usage;
-        ASN1_BIT_STRING *ns;
-        STACK_OF(ASN1_OBJECT) *extusage;
-        int i;
-        if(x->ex_flags & EXFLAG_SET) return;
-        X509_digest(x, EVP_sha1(), x->sha1_hash, NULL);
-        /* Does subject name match issuer ? */
-        if(!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x)))
-                         x->ex_flags |= EXFLAG_SS;
-        /* V1 should mean no extensions ... */
-        if(!X509_get_version(x)) x->ex_flags |= EXFLAG_V1;
-        /* Handle basic constraints */
-        if((bs=X509_get_ext_d2i(x, NID_basic_constraints, NULL, NULL))) {
-                if(bs->ca) x->ex_flags |= EXFLAG_CA;
-                if(bs->pathlen) {
-                        if((bs->pathlen->type == V_ASN1_NEG_INTEGER)
-                                                || !bs->ca) {
-                                x->ex_flags |= EXFLAG_INVALID;
-                                x->ex_pathlen = 0;
-                        } else x->ex_pathlen = ASN1_INTEGER_get(bs->pathlen);
-                } else x->ex_pathlen = -1;
-                BASIC_CONSTRAINTS_free(bs);
-                x->ex_flags |= EXFLAG_BCONS;
-        }
-        /* Handle key usage */
-        if((usage=X509_get_ext_d2i(x, NID_key_usage, NULL, NULL))) {
-                if(usage->length > 0) {
-                        x->ex_kusage = usage->data[0];
-                        if(usage->length > 1) 
-                                x->ex_kusage |= usage->data[1] << 8;
-                } else x->ex_kusage = 0;
-                x->ex_flags |= EXFLAG_KUSAGE;
-                ASN1_BIT_STRING_free(usage);
-        }
-        x->ex_xkusage = 0;
-        if((extusage=X509_get_ext_d2i(x, NID_ext_key_usage, NULL, NULL))) {
-                x->ex_flags |= EXFLAG_XKUSAGE;
-                for(i = 0; i < sk_ASN1_OBJECT_num(extusage); i++) {
-                        switch(OBJ_obj2nid(sk_ASN1_OBJECT_value(extusage,i))) {
-                                case NID_server_auth:
-                                x->ex_xkusage |= XKU_SSL_SERVER;
-                                break;
-                                case NID_client_auth:
-                                x->ex_xkusage |= XKU_SSL_CLIENT;
-                                break;
-                                case NID_email_protect:
-                                x->ex_xkusage |= XKU_SMIME;
-                                break;
-                                case NID_code_sign:
-                                x->ex_xkusage |= XKU_CODE_SIGN;
-                                break;
-                                case NID_ms_sgc:
-                                case NID_ns_sgc:
-                                x->ex_xkusage |= XKU_SGC;
-                        }
-                }
-                sk_ASN1_OBJECT_pop_free(extusage, ASN1_OBJECT_free);
-        }
-        if((ns=X509_get_ext_d2i(x, NID_netscape_cert_type, NULL, NULL))) {
-                if(ns->length > 0) x->ex_nscert = ns->data[0];
-                else x->ex_nscert = 0;
-                x->ex_flags |= EXFLAG_NSCERT;
-                ASN1_BIT_STRING_free(ns);
-        }
-        x->ex_flags |= EXFLAG_SET;
-}
-#endif
-/* CA checks common to all purposes
- * return codes:
- * 0 not a CA
- * 1 is a CA
- * 2 basicConstraints absent so "maybe" a CA
- * 3 basicConstraints absent but self signed V1.
- */
-#define V1_ROOT (EXFLAG_V1|EXFLAG_SS)
-#define ku_reject(x, usage) \
-        (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage)))
-#define xku_reject(x, usage) \
-        (((x)->ex_flags & EXFLAG_XKUSAGE) && !((x)->ex_xkusage & (usage)))
-#define ns_reject(x, usage) \
-        (((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage)))
-static int ca_check(X509 *x)
-{
-        /* keyUsage if present should allow cert signing */
-        if(ku_reject(x, KU_KEY_CERT_SIGN)) return 0;
-        if(x->ex_flags & EXFLAG_BCONS) {
-                if(x->ex_flags & EXFLAG_CA) return 1;
-                /* If basicConstraints says not a CA then say so */
-                else return 0;
-        } else {
-                if((x->ex_flags & V1_ROOT) == V1_ROOT) return 3;
-                else return 2;
-        }
-}
-static int check_purpose_ssl_client(X509_PURPOSE *xp, X509 *x, int ca)
-{
-        if(xku_reject(x,XKU_SSL_CLIENT)) return 0;
-        if(ca) {
-                int ca_ret;
-                ca_ret = ca_check(x);
-                if(!ca_ret) return 0;
-                /* check nsCertType if present */
-                if(x->ex_flags & EXFLAG_NSCERT) {
-                        if(x->ex_nscert & NS_SSL_CA) return ca_ret;
-                        return 0;
-                }
-                if(ca_ret != 2) return ca_ret;
-                else return 0;
-        }
-        /* We need to do digital signatures with it */
-        if(ku_reject(x,KU_DIGITAL_SIGNATURE)) return 0;
-        /* nsCertType if present should allow SSL client use */ 
-        if(ns_reject(x, NS_SSL_CLIENT)) return 0;
-        return 1;
-}
-static int check_purpose_ssl_server(X509_PURPOSE *xp, X509 *x, int ca)
-{
-        if(xku_reject(x,XKU_SSL_SERVER|XKU_SGC)) return 0;
-        /* Otherwise same as SSL client for a CA */
-        if(ca) return check_purpose_ssl_client(xp, x, 1);
-        if(ns_reject(x, NS_SSL_SERVER)) return 0;
-        /* Now as for keyUsage: we'll at least need to sign OR encipher */
-        if(ku_reject(x, KU_DIGITAL_SIGNATURE|KU_KEY_ENCIPHERMENT)) return 0;
-        
-        return 1;
-}
-static int check_purpose_ns_ssl_server(X509_PURPOSE *xp, X509 *x, int ca)
-{
-        int ret;
-        ret = check_purpose_ssl_server(xp, x, ca);
-        if(!ret || ca) return ret;
-        /* We need to encipher or Netscape complains */
-        if(ku_reject(x, KU_KEY_ENCIPHERMENT)) return 0;
-        return ret;
-}
-/* common S/MIME checks */
-static int purpose_smime(X509 *x, int ca)
-{
-        if(xku_reject(x,XKU_SMIME)) return 0;
-        if(ca) {
-                int ca_ret;
-                ca_ret = ca_check(x);
-                if(!ca_ret) return 0;
-                /* check nsCertType if present */
-                if(x->ex_flags & EXFLAG_NSCERT) {
-                        if(x->ex_nscert & NS_SMIME_CA) return ca_ret;
-                        return 0;
-                }
-                if(ca_ret != 2) return ca_ret;
-                else return 0;
-        }
-        if(x->ex_flags & EXFLAG_NSCERT) {
-                if(x->ex_nscert & NS_SMIME) return 1;
-                /* Workaround for some buggy certificates */
-                if(x->ex_nscert & NS_SSL_CLIENT) return 2;
-                return 0;
-        }
-        return 1;
-}
-static int check_purpose_smime_sign(X509_PURPOSE *xp, X509 *x, int ca)
-{
-        int ret;
-        ret = purpose_smime(x, ca);
-        if(!ret || ca) return ret;
-        if(ku_reject(x, KU_DIGITAL_SIGNATURE)) return 0;
-        return ret;
-}
-static int check_purpose_smime_encrypt(X509_PURPOSE *xp, X509 *x, int ca)
-{
-        int ret;
-        ret = purpose_smime(x, ca);
-        if(!ret || ca) return ret;
-        if(ku_reject(x, KU_KEY_ENCIPHERMENT)) return 0;
-        return ret;
-}
-static int check_purpose_crl_sign(X509_PURPOSE *xp, X509 *x, int ca)
-{
-        if(ca) {
-                int ca_ret;
-                if((ca_ret = ca_check(x)) != 2) return ca_ret;
-                else return 0;
-        }
-        if(ku_reject(x, KU_CRL_SIGN)) return 0;
-        return 1;
-}
-static int no_check(X509_PURPOSE *xp, X509 *x, int ca)
-{
-        return 1;
-}

diff --git a/src/lib/libcrypto/x509v3/v3_purp.c b/src/lib/libcrypto/x509v3/v3_purp.c deleted file mode 100644 index 5594a1d64f..0000000000 --- a/src/lib/libcrypto/x509v3/v3_purp.c +++ /dev/null
@@ -1,463 +0,0 @@
1	/* v3_purp.c */
2	/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
3	* project 1999.
4	*/
5	/* ====================================================================
6	* Copyright (c) 1999 The OpenSSL Project. All rights reserved.
7	*
8	* Redistribution and use in source and binary forms, with or without
9	* modification, are permitted provided that the following conditions
10	* are met:
11	*
12	* 1. Redistributions of source code must retain the above copyright
13	* notice, this list of conditions and the following disclaimer.
14	*
15	* 2. Redistributions in binary form must reproduce the above copyright
16	* notice, this list of conditions and the following disclaimer in
17	* the documentation and/or other materials provided with the
18	* distribution.
19	*
20	* 3. All advertising materials mentioning features or use of this
21	* software must display the following acknowledgment:
22	* "This product includes software developed by the OpenSSL Project
23	* for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24	*
25	* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26	* endorse or promote products derived from this software without
27	* prior written permission. For written permission, please contact
28	* licensing@OpenSSL.org.
29	*
30	* 5. Products derived from this software may not be called "OpenSSL"
31	* nor may "OpenSSL" appear in their names without prior written
32	* permission of the OpenSSL Project.
33	*
34	* 6. Redistributions of any form whatsoever must retain the following
35	* acknowledgment:
36	* "This product includes software developed by the OpenSSL Project
37	* for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38	*
39	* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40	* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42	* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43	* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44	* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46	* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48	* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49	* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50	* OF THE POSSIBILITY OF SUCH DAMAGE.
51	* ====================================================================
52	*
53	* This product includes cryptographic software written by Eric Young
54	* (eay@cryptsoft.com). This product includes software written by Tim
55	* Hudson (tjh@cryptsoft.com).
56	*
57	*/
58
59	#include <stdio.h>
60	#include "cryptlib.h"
61	#include <openssl/x509v3.h>
62
63
64	static void x509v3_cache_extensions(X509 *x);
65
66	static int ca_check(X509 *x);
67	static int check_purpose_ssl_client(X509_PURPOSE xp, X509 x, int ca);
68	static int check_purpose_ssl_server(X509_PURPOSE xp, X509 x, int ca);
69	static int check_purpose_ns_ssl_server(X509_PURPOSE xp, X509 x, int ca);
70	static int purpose_smime(X509 *x, int ca);
71	static int check_purpose_smime_sign(X509_PURPOSE xp, X509 x, int ca);
72	static int check_purpose_smime_encrypt(X509_PURPOSE xp, X509 x, int ca);
73	static int check_purpose_crl_sign(X509_PURPOSE xp, X509 x, int ca);
74	static int no_check(X509_PURPOSE xp, X509 x, int ca);
75
76	static int xp_cmp(X509_PURPOSE a, X509_PURPOSE b);
77	static void xptable_free(X509_PURPOSE *p);
78
79	static X509_PURPOSE xstandard[] = {
80	{X509_PURPOSE_SSL_CLIENT, X509_TRUST_SSL_CLIENT, 0, check_purpose_ssl_client, "SSL client", "sslclient", NULL},
81	{X509_PURPOSE_SSL_SERVER, X509_TRUST_SSL_SERVER, 0, check_purpose_ssl_server, "SSL server", "sslserver", NULL},
82	{X509_PURPOSE_NS_SSL_SERVER, X509_TRUST_SSL_SERVER, 0, check_purpose_ns_ssl_server, "Netscape SSL server", "nssslserver", NULL},
83	{X509_PURPOSE_SMIME_SIGN, X509_TRUST_EMAIL, 0, check_purpose_smime_sign, "S/MIME signing", "smimesign", NULL},
84	{X509_PURPOSE_SMIME_ENCRYPT, X509_TRUST_EMAIL, 0, check_purpose_smime_encrypt, "S/MIME encryption", "smimeencrypt", NULL},
85	{X509_PURPOSE_CRL_SIGN, X509_TRUST_COMPAT, 0, check_purpose_crl_sign, "CRL signing", "crlsign", NULL},
86	{X509_PURPOSE_ANY, X509_TRUST_DEFAULT, 0, no_check, "Any Purpose", "any", NULL},
87	};
88
89	#define X509_PURPOSE_COUNT (sizeof(xstandard)/sizeof(X509_PURPOSE))
90
91	IMPLEMENT_STACK_OF(X509_PURPOSE)
92
93	static STACK_OF(X509_PURPOSE) *xptable = NULL;
94
95	static int xp_cmp(X509_PURPOSE a, X509_PURPOSE b)
96	{
97	return (a)->purpose - (b)->purpose;
98	}
99
100	int X509_check_purpose(X509 *x, int id, int ca)
101	{
102	int idx;
103	X509_PURPOSE *pt;
104	if(!(x->ex_flags & EXFLAG_SET)) {
105	CRYPTO_w_lock(CRYPTO_LOCK_X509);
106	x509v3_cache_extensions(x);
107	CRYPTO_w_unlock(CRYPTO_LOCK_X509);
108	}
109	if(id == -1) return 1;
110	idx = X509_PURPOSE_get_by_id(id);
111	if(idx == -1) return -1;
112	pt = X509_PURPOSE_get0(idx);
113	return pt->check_purpose(pt, x, ca);
114	}
115
116	int X509_PURPOSE_get_count(void)
117	{
118	if(!xptable) return X509_PURPOSE_COUNT;
119	return sk_X509_PURPOSE_num(xptable) + X509_PURPOSE_COUNT;
120	}
121
122	X509_PURPOSE * X509_PURPOSE_get0(int idx)
123	{
124	if(idx < 0) return NULL;
125	if(idx < X509_PURPOSE_COUNT) return xstandard + idx;
126	return sk_X509_PURPOSE_value(xptable, idx - X509_PURPOSE_COUNT);
127	}
128
129	int X509_PURPOSE_get_by_sname(char *sname)
130	{
131	int i;
132	X509_PURPOSE *xptmp;
133	for(i = 0; i < X509_PURPOSE_get_count(); i++) {
134	xptmp = X509_PURPOSE_get0(i);
135	if(!strcmp(xptmp->sname, sname)) return i;
136	}
137	return -1;
138	}
139
140
141	int X509_PURPOSE_get_by_id(int purpose)
142	{
143	X509_PURPOSE tmp;
144	int idx;
145	if((purpose >= X509_PURPOSE_MIN) && (purpose <= X509_PURPOSE_MAX))
146	return purpose - X509_PURPOSE_MIN;
147	tmp.purpose = purpose;
148	if(!xptable) return -1;
149	idx = sk_X509_PURPOSE_find(xptable, &tmp);
150	if(idx == -1) return -1;
151	return idx + X509_PURPOSE_COUNT;
152	}
153
154	int X509_PURPOSE_add(int id, int trust, int flags,
155	int (ck)(X509_PURPOSE , X509 *, int),
156	char name, char sname, void *arg)
157	{
158	int idx;
159	X509_PURPOSE *ptmp;
160	/* This is set according to what we change: application can't set it */
161	flags &= ~X509_PURPOSE_DYNAMIC;
162	/* This will always be set for application modified trust entries */
163	flags \|= X509_PURPOSE_DYNAMIC_NAME;
164	/* Get existing entry if any */
165	idx = X509_PURPOSE_get_by_id(id);
166	/* Need a new entry */
167	if(idx == -1) {
168	if(!(ptmp = Malloc(sizeof(X509_PURPOSE)))) {
169	X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE);
170	return 0;
171	}
172	ptmp->flags = X509_PURPOSE_DYNAMIC;
173	} else ptmp = X509_PURPOSE_get0(idx);
174
175	/* Free existing name if dynamic */
176	if(ptmp->flags & X509_PURPOSE_DYNAMIC_NAME) {
177	Free(ptmp->name);
178	Free(ptmp->sname);
179	}
180	/* dup supplied name */
181	ptmp->name = BUF_strdup(name);
182	ptmp->sname = BUF_strdup(sname);
183	if(!ptmp->name \|\| !ptmp->sname) {
184	X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE);
185	return 0;
186	}
187	/* Keep the dynamic flag of existing entry */
188	ptmp->flags &= X509_PURPOSE_DYNAMIC;
189	/* Set all other flags */
190	ptmp->flags \|= flags;
191
192	ptmp->purpose = id;
193	ptmp->trust = trust;
194	ptmp->check_purpose = ck;
195	ptmp->usr_data = arg;
196
197	/* If its a new entry manage the dynamic table */
198	if(idx == -1) {
199	if(!xptable && !(xptable = sk_X509_PURPOSE_new(xp_cmp))) {
200	X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE);
201	return 0;
202	}
203	if (!sk_X509_PURPOSE_push(xptable, ptmp)) {
204	X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE);
205	return 0;
206	}
207	}
208	return 1;
209	}
210
211	static void xptable_free(X509_PURPOSE *p)
212	{
213	if(!p) return;
214	if (p->flags & X509_PURPOSE_DYNAMIC)
215	{
216	if (p->flags & X509_PURPOSE_DYNAMIC_NAME) {
217	Free(p->name);
218	Free(p->sname);
219	}
220	Free(p);
221	}
222	}
223
224	void X509_PURPOSE_cleanup(void)
225	{
226	int i;
227	sk_X509_PURPOSE_pop_free(xptable, xptable_free);
228	for(i = 0; i < X509_PURPOSE_COUNT; i++) xptable_free(xstandard + i);
229	xptable = NULL;
230	}
231
232	int X509_PURPOSE_get_id(X509_PURPOSE *xp)
233	{
234	return xp->purpose;
235	}
236
237	char X509_PURPOSE_get0_name(X509_PURPOSE xp)
238	{
239	return xp->name;
240	}
241
242	char X509_PURPOSE_get0_sname(X509_PURPOSE xp)
243	{
244	return xp->sname;
245	}
246
247	int X509_PURPOSE_get_trust(X509_PURPOSE *xp)
248	{
249	return xp->trust;
250	}
251
252	#ifndef NO_SHA
253	static void x509v3_cache_extensions(X509 *x)
254	{
255	BASIC_CONSTRAINTS *bs;
256	ASN1_BIT_STRING *usage;
257	ASN1_BIT_STRING *ns;
258	STACK_OF(ASN1_OBJECT) *extusage;
259	int i;
260	if(x->ex_flags & EXFLAG_SET) return;
261	X509_digest(x, EVP_sha1(), x->sha1_hash, NULL);
262	/* Does subject name match issuer ? */
263	if(!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x)))
264	x->ex_flags \|= EXFLAG_SS;
265	/* V1 should mean no extensions ... */
266	if(!X509_get_version(x)) x->ex_flags \|= EXFLAG_V1;
267	/* Handle basic constraints */
268	if((bs=X509_get_ext_d2i(x, NID_basic_constraints, NULL, NULL))) {
269	if(bs->ca) x->ex_flags \|= EXFLAG_CA;
270	if(bs->pathlen) {
271	if((bs->pathlen->type == V_ASN1_NEG_INTEGER)
272	\|\| !bs->ca) {
273	x->ex_flags \|= EXFLAG_INVALID;
274	x->ex_pathlen = 0;
275	} else x->ex_pathlen = ASN1_INTEGER_get(bs->pathlen);
276	} else x->ex_pathlen = -1;
277	BASIC_CONSTRAINTS_free(bs);
278	x->ex_flags \|= EXFLAG_BCONS;
279	}
280	/* Handle key usage */
281	if((usage=X509_get_ext_d2i(x, NID_key_usage, NULL, NULL))) {
282	if(usage->length > 0) {
283	x->ex_kusage = usage->data[0];
284	if(usage->length > 1)
285	x->ex_kusage \|= usage->data[1] << 8;
286	} else x->ex_kusage = 0;
287	x->ex_flags \|= EXFLAG_KUSAGE;
288	ASN1_BIT_STRING_free(usage);
289	}
290	x->ex_xkusage = 0;
291	if((extusage=X509_get_ext_d2i(x, NID_ext_key_usage, NULL, NULL))) {
292	x->ex_flags \|= EXFLAG_XKUSAGE;
293	for(i = 0; i < sk_ASN1_OBJECT_num(extusage); i++) {
294	switch(OBJ_obj2nid(sk_ASN1_OBJECT_value(extusage,i))) {
295	case NID_server_auth:
296	x->ex_xkusage \|= XKU_SSL_SERVER;
297	break;
298
299	case NID_client_auth:
300	x->ex_xkusage \|= XKU_SSL_CLIENT;
301	break;
302
303	case NID_email_protect:
304	x->ex_xkusage \|= XKU_SMIME;
305	break;
306
307	case NID_code_sign:
308	x->ex_xkusage \|= XKU_CODE_SIGN;
309	break;
310
311	case NID_ms_sgc:
312	case NID_ns_sgc:
313	x->ex_xkusage \|= XKU_SGC;
314	}
315	}
316	sk_ASN1_OBJECT_pop_free(extusage, ASN1_OBJECT_free);
317	}
318
319	if((ns=X509_get_ext_d2i(x, NID_netscape_cert_type, NULL, NULL))) {
320	if(ns->length > 0) x->ex_nscert = ns->data[0];
321	else x->ex_nscert = 0;
322	x->ex_flags \|= EXFLAG_NSCERT;
323	ASN1_BIT_STRING_free(ns);
324	}
325	x->ex_flags \|= EXFLAG_SET;
326	}
327	#endif
328
329	/* CA checks common to all purposes
330	* return codes:
331	* 0 not a CA
332	* 1 is a CA
333	* 2 basicConstraints absent so "maybe" a CA
334	* 3 basicConstraints absent but self signed V1.
335	*/
336
337	#define V1_ROOT (EXFLAG_V1\|EXFLAG_SS)
338	#define ku_reject(x, usage) \
339	(((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage)))
340	#define xku_reject(x, usage) \
341	(((x)->ex_flags & EXFLAG_XKUSAGE) && !((x)->ex_xkusage & (usage)))
342	#define ns_reject(x, usage) \
343	(((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage)))
344
345	static int ca_check(X509 *x)
346	{
347	/* keyUsage if present should allow cert signing */
348	if(ku_reject(x, KU_KEY_CERT_SIGN)) return 0;
349	if(x->ex_flags & EXFLAG_BCONS) {
350	if(x->ex_flags & EXFLAG_CA) return 1;
351	/* If basicConstraints says not a CA then say so */
352	else return 0;
353	} else {
354	if((x->ex_flags & V1_ROOT) == V1_ROOT) return 3;
355	else return 2;
356	}
357	}
358
359
360	static int check_purpose_ssl_client(X509_PURPOSE xp, X509 x, int ca)
361	{
362	if(xku_reject(x,XKU_SSL_CLIENT)) return 0;
363	if(ca) {
364	int ca_ret;
365	ca_ret = ca_check(x);
366	if(!ca_ret) return 0;
367	/* check nsCertType if present */
368	if(x->ex_flags & EXFLAG_NSCERT) {
369	if(x->ex_nscert & NS_SSL_CA) return ca_ret;
370	return 0;
371	}
372	if(ca_ret != 2) return ca_ret;
373	else return 0;
374	}
375	/* We need to do digital signatures with it */
376	if(ku_reject(x,KU_DIGITAL_SIGNATURE)) return 0;
377	/* nsCertType if present should allow SSL client use */
378	if(ns_reject(x, NS_SSL_CLIENT)) return 0;
379	return 1;
380	}
381
382	static int check_purpose_ssl_server(X509_PURPOSE xp, X509 x, int ca)
383	{
384	if(xku_reject(x,XKU_SSL_SERVER\|XKU_SGC)) return 0;
385	/* Otherwise same as SSL client for a CA */
386	if(ca) return check_purpose_ssl_client(xp, x, 1);
387
388	if(ns_reject(x, NS_SSL_SERVER)) return 0;
389	/* Now as for keyUsage: we'll at least need to sign OR encipher */
390	if(ku_reject(x, KU_DIGITAL_SIGNATURE\|KU_KEY_ENCIPHERMENT)) return 0;
391
392	return 1;
393
394	}
395
396	static int check_purpose_ns_ssl_server(X509_PURPOSE xp, X509 x, int ca)
397	{
398	int ret;
399	ret = check_purpose_ssl_server(xp, x, ca);
400	if(!ret \|\| ca) return ret;
401	/* We need to encipher or Netscape complains */
402	if(ku_reject(x, KU_KEY_ENCIPHERMENT)) return 0;
403	return ret;
404	}
405
406	/* common S/MIME checks */
407	static int purpose_smime(X509 *x, int ca)
408	{
409	if(xku_reject(x,XKU_SMIME)) return 0;
410	if(ca) {
411	int ca_ret;
412	ca_ret = ca_check(x);
413	if(!ca_ret) return 0;
414	/* check nsCertType if present */
415	if(x->ex_flags & EXFLAG_NSCERT) {
416	if(x->ex_nscert & NS_SMIME_CA) return ca_ret;
417	return 0;
418	}
419	if(ca_ret != 2) return ca_ret;
420	else return 0;
421	}
422	if(x->ex_flags & EXFLAG_NSCERT) {
423	if(x->ex_nscert & NS_SMIME) return 1;
424	/* Workaround for some buggy certificates */
425	if(x->ex_nscert & NS_SSL_CLIENT) return 2;
426	return 0;
427	}
428	return 1;
429	}
430
431	static int check_purpose_smime_sign(X509_PURPOSE xp, X509 x, int ca)
432	{
433	int ret;
434	ret = purpose_smime(x, ca);
435	if(!ret \|\| ca) return ret;
436	if(ku_reject(x, KU_DIGITAL_SIGNATURE)) return 0;
437	return ret;
438	}
439
440	static int check_purpose_smime_encrypt(X509_PURPOSE xp, X509 x, int ca)
441	{
442	int ret;
443	ret = purpose_smime(x, ca);
444	if(!ret \|\| ca) return ret;
445	if(ku_reject(x, KU_KEY_ENCIPHERMENT)) return 0;
446	return ret;
447	}
448
449	static int check_purpose_crl_sign(X509_PURPOSE xp, X509 x, int ca)
450	{
451	if(ca) {
452	int ca_ret;
453	if((ca_ret = ca_check(x)) != 2) return ca_ret;
454	else return 0;
455	}
456	if(ku_reject(x, KU_CRL_SIGN)) return 0;
457	return 1;
458	}
459
460	static int no_check(X509_PURPOSE xp, X509 x, int ca)
461	{
462	return 1;
463	}