1 files changed, 0 insertions, 535 deletions
diff --git a/src/lib/libcrypto/x509v3/v3_purp.c b/src/lib/libcrypto/x509v3/v3_purp.c
deleted file mode 100644
index 8aecd00e63..0000000000
--- a/src/lib/libcrypto/x509v3/v3_purp.c
+++ /dev/null
@@ -1,535 +0,0 @@
-/* v3_purp.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
- * project 1999.
- */
-/* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer. 
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-#include <stdio.h>
-#include "cryptlib.h"
-#include <openssl/x509v3.h>
-#include <openssl/x509_vfy.h>
-static void x509v3_cache_extensions(X509 *x);
-static int ca_check(const X509 *x);
-static int check_ssl_ca(const X509 *x);
-static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, int ca);
-static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca);
-static int check_purpose_ns_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca);
-static int purpose_smime(const X509 *x, int ca);
-static int check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x, int ca);
-static int check_purpose_smime_encrypt(const X509_PURPOSE *xp, const X509 *x, int ca);
-static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x, int ca);
-static int no_check(const X509_PURPOSE *xp, const X509 *x, int ca);
-static int xp_cmp(const X509_PURPOSE * const *a,
-                const X509_PURPOSE * const *b);
-static void xptable_free(X509_PURPOSE *p);
-static X509_PURPOSE xstandard[] = {
-        {X509_PURPOSE_SSL_CLIENT, X509_TRUST_SSL_CLIENT, 0, check_purpose_ssl_client, "SSL client", "sslclient", NULL},
-        {X509_PURPOSE_SSL_SERVER, X509_TRUST_SSL_SERVER, 0, check_purpose_ssl_server, "SSL server", "sslserver", NULL},
-        {X509_PURPOSE_NS_SSL_SERVER, X509_TRUST_SSL_SERVER, 0, check_purpose_ns_ssl_server, "Netscape SSL server", "nssslserver", NULL},
-        {X509_PURPOSE_SMIME_SIGN, X509_TRUST_EMAIL, 0, check_purpose_smime_sign, "S/MIME signing", "smimesign", NULL},
-        {X509_PURPOSE_SMIME_ENCRYPT, X509_TRUST_EMAIL, 0, check_purpose_smime_encrypt, "S/MIME encryption", "smimeencrypt", NULL},
-        {X509_PURPOSE_CRL_SIGN, X509_TRUST_COMPAT, 0, check_purpose_crl_sign, "CRL signing", "crlsign", NULL},
-        {X509_PURPOSE_ANY, X509_TRUST_DEFAULT, 0, no_check, "Any Purpose", "any", NULL},
-};
-#define X509_PURPOSE_COUNT (sizeof(xstandard)/sizeof(X509_PURPOSE))
-IMPLEMENT_STACK_OF(X509_PURPOSE)
-static STACK_OF(X509_PURPOSE) *xptable = NULL;
-static int xp_cmp(const X509_PURPOSE * const *a,
-                const X509_PURPOSE * const *b)
-{
-        return (*a)->purpose - (*b)->purpose;
-}
-/* As much as I'd like to make X509_check_purpose use a "const" X509*
- * I really can't because it does recalculate hashes and do other non-const
- * things. */
-int X509_check_purpose(X509 *x, int id, int ca)
-{
-        int idx;
-        const X509_PURPOSE *pt;
-        if(!(x->ex_flags & EXFLAG_SET)) {
-                CRYPTO_w_lock(CRYPTO_LOCK_X509);
-                x509v3_cache_extensions(x);
-                CRYPTO_w_unlock(CRYPTO_LOCK_X509);
-        }
-        if(id == -1) return 1;
-        idx = X509_PURPOSE_get_by_id(id);
-        if(idx == -1) return -1;
-        pt = X509_PURPOSE_get0(idx);
-        return pt->check_purpose(pt, x, ca);
-}
-int X509_PURPOSE_get_count(void)
-{
-        if(!xptable) return X509_PURPOSE_COUNT;
-        return sk_X509_PURPOSE_num(xptable) + X509_PURPOSE_COUNT;
-}
-X509_PURPOSE * X509_PURPOSE_get0(int idx)
-{
-        if(idx < 0) return NULL;
-        if(idx < X509_PURPOSE_COUNT) return xstandard + idx;
-        return sk_X509_PURPOSE_value(xptable, idx - X509_PURPOSE_COUNT);
-}
-int X509_PURPOSE_get_by_sname(char *sname)
-{
-        int i;
-        X509_PURPOSE *xptmp;
-        for(i = 0; i < X509_PURPOSE_get_count(); i++) {
-                xptmp = X509_PURPOSE_get0(i);
-                if(!strcmp(xptmp->sname, sname)) return i;
-        }
-        return -1;
-}
-int X509_PURPOSE_get_by_id(int purpose)
-{
-        X509_PURPOSE tmp;
-        int idx;
-        if((purpose >= X509_PURPOSE_MIN) && (purpose <= X509_PURPOSE_MAX))
-                return purpose - X509_PURPOSE_MIN;
-        tmp.purpose = purpose;
-        if(!xptable) return -1;
-        idx = sk_X509_PURPOSE_find(xptable, &tmp);
-        if(idx == -1) return -1;
-        return idx + X509_PURPOSE_COUNT;
-}
-int X509_PURPOSE_add(int id, int trust, int flags,
-                        int (*ck)(const X509_PURPOSE *, const X509 *, int),
-                                        char *name, char *sname, void *arg)
-{
-        int idx;
-        X509_PURPOSE *ptmp;
-        /* This is set according to what we change: application can't set it */
-        flags &= ~X509_PURPOSE_DYNAMIC;
-        /* This will always be set for application modified trust entries */
-        flags |= X509_PURPOSE_DYNAMIC_NAME;
-        /* Get existing entry if any */
-        idx = X509_PURPOSE_get_by_id(id);
-        /* Need a new entry */
-        if(idx == -1) {
-                if(!(ptmp = OPENSSL_malloc(sizeof(X509_PURPOSE)))) {
-                        X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE);
-                        return 0;
-                }
-                ptmp->flags = X509_PURPOSE_DYNAMIC;
-        } else ptmp = X509_PURPOSE_get0(idx);
-        /* OPENSSL_free existing name if dynamic */
-        if(ptmp->flags & X509_PURPOSE_DYNAMIC_NAME) {
-                OPENSSL_free(ptmp->name);
-                OPENSSL_free(ptmp->sname);
-        }
-        /* dup supplied name */
-        ptmp->name = BUF_strdup(name);
-        ptmp->sname = BUF_strdup(sname);
-        if(!ptmp->name || !ptmp->sname) {
-                X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE);
-                return 0;
-        }
-        /* Keep the dynamic flag of existing entry */
-        ptmp->flags &= X509_PURPOSE_DYNAMIC;
-        /* Set all other flags */
-        ptmp->flags |= flags;
-        ptmp->purpose = id;
-        ptmp->trust = trust;
-        ptmp->check_purpose = ck;
-        ptmp->usr_data = arg;
-        /* If its a new entry manage the dynamic table */
-        if(idx == -1) {
-                if(!xptable && !(xptable = sk_X509_PURPOSE_new(xp_cmp))) {
-                        X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE);
-                        return 0;
-                }
-                if (!sk_X509_PURPOSE_push(xptable, ptmp)) {
-                        X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE);
-                        return 0;
-                }
-        }
-        return 1;
-}
-static void xptable_free(X509_PURPOSE *p)
-        {
-        if(!p) return;
-        if (p->flags & X509_PURPOSE_DYNAMIC) 
-                {
-                if (p->flags & X509_PURPOSE_DYNAMIC_NAME) {
-                        OPENSSL_free(p->name);
-                        OPENSSL_free(p->sname);
-                }
-                OPENSSL_free(p);
-                }
-        }
-void X509_PURPOSE_cleanup(void)
-{
-        int i;
-        sk_X509_PURPOSE_pop_free(xptable, xptable_free);
-        for(i = 0; i < X509_PURPOSE_COUNT; i++) xptable_free(xstandard + i);
-        xptable = NULL;
-}
-int X509_PURPOSE_get_id(X509_PURPOSE *xp)
-{
-        return xp->purpose;
-}
-char *X509_PURPOSE_get0_name(X509_PURPOSE *xp)
-{
-        return xp->name;
-}
-char *X509_PURPOSE_get0_sname(X509_PURPOSE *xp)
-{
-        return xp->sname;
-}
-int X509_PURPOSE_get_trust(X509_PURPOSE *xp)
-{
-        return xp->trust;
-}
-static void x509v3_cache_extensions(X509 *x)
-{
-        BASIC_CONSTRAINTS *bs;
-        ASN1_BIT_STRING *usage;
-        ASN1_BIT_STRING *ns;
-        STACK_OF(ASN1_OBJECT) *extusage;
-        
-        int i;
-        if(x->ex_flags & EXFLAG_SET) return;
-#ifndef NO_SHA
-        X509_digest(x, EVP_sha1(), x->sha1_hash, NULL);
-#endif
-        /* Does subject name match issuer ? */
-        if(!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x)))
-                         x->ex_flags |= EXFLAG_SS;
-        /* V1 should mean no extensions ... */
-        if(!X509_get_version(x)) x->ex_flags |= EXFLAG_V1;
-        /* Handle basic constraints */
-        if((bs=X509_get_ext_d2i(x, NID_basic_constraints, NULL, NULL))) {
-                if(bs->ca) x->ex_flags |= EXFLAG_CA;
-                if(bs->pathlen) {
-                        if((bs->pathlen->type == V_ASN1_NEG_INTEGER)
-                                                || !bs->ca) {
-                                x->ex_flags |= EXFLAG_INVALID;
-                                x->ex_pathlen = 0;
-                        } else x->ex_pathlen = ASN1_INTEGER_get(bs->pathlen);
-                } else x->ex_pathlen = -1;
-                BASIC_CONSTRAINTS_free(bs);
-                x->ex_flags |= EXFLAG_BCONS;
-        }
-        /* Handle key usage */
-        if((usage=X509_get_ext_d2i(x, NID_key_usage, NULL, NULL))) {
-                if(usage->length > 0) {
-                        x->ex_kusage = usage->data[0];
-                        if(usage->length > 1) 
-                                x->ex_kusage |= usage->data[1] << 8;
-                } else x->ex_kusage = 0;
-                x->ex_flags |= EXFLAG_KUSAGE;
-                ASN1_BIT_STRING_free(usage);
-        }
-        x->ex_xkusage = 0;
-        if((extusage=X509_get_ext_d2i(x, NID_ext_key_usage, NULL, NULL))) {
-                x->ex_flags |= EXFLAG_XKUSAGE;
-                for(i = 0; i < sk_ASN1_OBJECT_num(extusage); i++) {
-                        switch(OBJ_obj2nid(sk_ASN1_OBJECT_value(extusage,i))) {
-                                case NID_server_auth:
-                                x->ex_xkusage |= XKU_SSL_SERVER;
-                                break;
-                                case NID_client_auth:
-                                x->ex_xkusage |= XKU_SSL_CLIENT;
-                                break;
-                                case NID_email_protect:
-                                x->ex_xkusage |= XKU_SMIME;
-                                break;
-                                case NID_code_sign:
-                                x->ex_xkusage |= XKU_CODE_SIGN;
-                                break;
-                                case NID_ms_sgc:
-                                case NID_ns_sgc:
-                                x->ex_xkusage |= XKU_SGC;
-                        }
-                }
-                sk_ASN1_OBJECT_pop_free(extusage, ASN1_OBJECT_free);
-        }
-        if((ns=X509_get_ext_d2i(x, NID_netscape_cert_type, NULL, NULL))) {
-                if(ns->length > 0) x->ex_nscert = ns->data[0];
-                else x->ex_nscert = 0;
-                x->ex_flags |= EXFLAG_NSCERT;
-                ASN1_BIT_STRING_free(ns);
-        }
-        x->skid =X509_get_ext_d2i(x, NID_subject_key_identifier, NULL, NULL);
-        x->akid =X509_get_ext_d2i(x, NID_authority_key_identifier, NULL, NULL);
-        x->ex_flags |= EXFLAG_SET;
-}
-/* CA checks common to all purposes
- * return codes:
- * 0 not a CA
- * 1 is a CA
- * 2 basicConstraints absent so "maybe" a CA
- * 3 basicConstraints absent but self signed V1.
- */
-#define V1_ROOT (EXFLAG_V1|EXFLAG_SS)
-#define ku_reject(x, usage) \
-        (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage)))
-#define xku_reject(x, usage) \
-        (((x)->ex_flags & EXFLAG_XKUSAGE) && !((x)->ex_xkusage & (usage)))
-#define ns_reject(x, usage) \
-        (((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage)))
-static int ca_check(const X509 *x)
-{
-        /* keyUsage if present should allow cert signing */
-        if(ku_reject(x, KU_KEY_CERT_SIGN)) return 0;
-        if(x->ex_flags & EXFLAG_BCONS) {
-                if(x->ex_flags & EXFLAG_CA) return 1;
-                /* If basicConstraints says not a CA then say so */
-                else return 0;
-        } else {
-                if((x->ex_flags & V1_ROOT) == V1_ROOT) return 3;
-                /* If key usage present it must have certSign so tolerate it */
-                else if (x->ex_flags & EXFLAG_KUSAGE) return 3;
-                else return 2;
-        }
-}
-/* Check SSL CA: common checks for SSL client and server */
-static int check_ssl_ca(const X509 *x)
-{
-        int ca_ret;
-        ca_ret = ca_check(x);
-        if(!ca_ret) return 0;
-        /* check nsCertType if present */
-        if(x->ex_flags & EXFLAG_NSCERT) {
-                if(x->ex_nscert & NS_SSL_CA) return ca_ret;
-                return 0;
-        }
-        if(ca_ret != 2) return ca_ret;
-        else return 0;
-}
-static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, int ca)
-{
-        if(xku_reject(x,XKU_SSL_CLIENT)) return 0;
-        if(ca) return check_ssl_ca(x);
-        /* We need to do digital signatures with it */
-        if(ku_reject(x,KU_DIGITAL_SIGNATURE)) return 0;
-        /* nsCertType if present should allow SSL client use */ 
-        if(ns_reject(x, NS_SSL_CLIENT)) return 0;
-        return 1;
-}
-static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca)
-{
-        if(xku_reject(x,XKU_SSL_SERVER|XKU_SGC)) return 0;
-        if(ca) return check_ssl_ca(x);
-        if(ns_reject(x, NS_SSL_SERVER)) return 0;
-        /* Now as for keyUsage: we'll at least need to sign OR encipher */
-        if(ku_reject(x, KU_DIGITAL_SIGNATURE|KU_KEY_ENCIPHERMENT)) return 0;
-        
-        return 1;
-}
-static int check_purpose_ns_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca)
-{
-        int ret;
-        ret = check_purpose_ssl_server(xp, x, ca);
-        if(!ret || ca) return ret;
-        /* We need to encipher or Netscape complains */
-        if(ku_reject(x, KU_KEY_ENCIPHERMENT)) return 0;
-        return ret;
-}
-/* common S/MIME checks */
-static int purpose_smime(const X509 *x, int ca)
-{
-        if(xku_reject(x,XKU_SMIME)) return 0;
-        if(ca) {
-                int ca_ret;
-                ca_ret = ca_check(x);
-                if(!ca_ret) return 0;
-                /* check nsCertType if present */
-                if(x->ex_flags & EXFLAG_NSCERT) {
-                        if(x->ex_nscert & NS_SMIME_CA) return ca_ret;
-                        return 0;
-                }
-                if(ca_ret != 2) return ca_ret;
-                else return 0;
-        }
-        if(x->ex_flags & EXFLAG_NSCERT) {
-                if(x->ex_nscert & NS_SMIME) return 1;
-                /* Workaround for some buggy certificates */
-                if(x->ex_nscert & NS_SSL_CLIENT) return 2;
-                return 0;
-        }
-        return 1;
-}
-static int check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x, int ca)
-{
-        int ret;
-        ret = purpose_smime(x, ca);
-        if(!ret || ca) return ret;
-        if(ku_reject(x, KU_DIGITAL_SIGNATURE|KU_NON_REPUDIATION)) return 0;
-        return ret;
-}
-static int check_purpose_smime_encrypt(const X509_PURPOSE *xp, const X509 *x, int ca)
-{
-        int ret;
-        ret = purpose_smime(x, ca);
-        if(!ret || ca) return ret;
-        if(ku_reject(x, KU_KEY_ENCIPHERMENT)) return 0;
-        return ret;
-}
-static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x, int ca)
-{
-        if(ca) {
-                int ca_ret;
-                if((ca_ret = ca_check(x)) != 2) return ca_ret;
-                else return 0;
-        }
-        if(ku_reject(x, KU_CRL_SIGN)) return 0;
-        return 1;
-}
-static int no_check(const X509_PURPOSE *xp, const X509 *x, int ca)
-{
-        return 1;
-}
-/* Various checks to see if one certificate issued the second.
- * This can be used to prune a set of possible issuer certificates
- * which have been looked up using some simple method such as by
- * subject name.
- * These are:
- * 1. Check issuer_name(subject) == subject_name(issuer)
- * 2. If akid(subject) exists check it matches issuer
- * 3. If key_usage(issuer) exists check it supports certificate signing
- * returns 0 for OK, positive for reason for mismatch, reasons match
- * codes for X509_verify_cert()
- */
-int X509_check_issued(X509 *issuer, X509 *subject)
-{
-        if(X509_NAME_cmp(X509_get_subject_name(issuer),
-                        X509_get_issuer_name(subject)))
-                                return X509_V_ERR_SUBJECT_ISSUER_MISMATCH;
-        x509v3_cache_extensions(issuer);
-        x509v3_cache_extensions(subject);
-        if(subject->akid) {
-                /* Check key ids (if present) */
-                if(subject->akid->keyid && issuer->skid &&
-                 ASN1_OCTET_STRING_cmp(subject->akid->keyid, issuer->skid) )
-                                return X509_V_ERR_AKID_SKID_MISMATCH;
-                /* Check serial number */
-                if(subject->akid->serial &&
-                        ASN1_INTEGER_cmp(X509_get_serialNumber(issuer),
-                                                subject->akid->serial))
-                                return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
-                /* Check issuer name */
-                if(subject->akid->issuer) {
-                        /* Ugh, for some peculiar reason AKID includes
-                         * SEQUENCE OF GeneralName. So look for a DirName.
-                         * There may be more than one but we only take any
-                         * notice of the first.
-                         */
-                        STACK_OF(GENERAL_NAME) *gens;
-                        GENERAL_NAME *gen;
-                        X509_NAME *nm = NULL;
-                        int i;
-                        gens = subject->akid->issuer;
-                        for(i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
-                                gen = sk_GENERAL_NAME_value(gens, i);
-                                if(gen->type == GEN_DIRNAME) {
-                                        nm = gen->d.dirn;
-                                        break;
-                                }
-                        }
-                        if(nm && X509_NAME_cmp(nm, X509_get_issuer_name(issuer)))
-                                return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
-                }
-        }
-        if(ku_reject(issuer, KU_KEY_CERT_SIGN)) return X509_V_ERR_KEYUSAGE_NO_CERTSIGN;
-        return X509_V_OK;
-}

diff --git a/src/lib/libcrypto/x509v3/v3_purp.c b/src/lib/libcrypto/x509v3/v3_purp.c deleted file mode 100644 index 8aecd00e63..0000000000 --- a/src/lib/libcrypto/x509v3/v3_purp.c +++ /dev/null
@@ -1,535 +0,0 @@
1	/* v3_purp.c */
2	/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
3	* project 1999.
4	*/
5	/* ====================================================================
6	* Copyright (c) 1999 The OpenSSL Project. All rights reserved.
7	*
8	* Redistribution and use in source and binary forms, with or without
9	* modification, are permitted provided that the following conditions
10	* are met:
11	*
12	* 1. Redistributions of source code must retain the above copyright
13	* notice, this list of conditions and the following disclaimer.
14	*
15	* 2. Redistributions in binary form must reproduce the above copyright
16	* notice, this list of conditions and the following disclaimer in
17	* the documentation and/or other materials provided with the
18	* distribution.
19	*
20	* 3. All advertising materials mentioning features or use of this
21	* software must display the following acknowledgment:
22	* "This product includes software developed by the OpenSSL Project
23	* for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24	*
25	* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26	* endorse or promote products derived from this software without
27	* prior written permission. For written permission, please contact
28	* licensing@OpenSSL.org.
29	*
30	* 5. Products derived from this software may not be called "OpenSSL"
31	* nor may "OpenSSL" appear in their names without prior written
32	* permission of the OpenSSL Project.
33	*
34	* 6. Redistributions of any form whatsoever must retain the following
35	* acknowledgment:
36	* "This product includes software developed by the OpenSSL Project
37	* for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38	*
39	* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40	* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42	* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43	* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44	* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46	* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48	* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49	* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50	* OF THE POSSIBILITY OF SUCH DAMAGE.
51	* ====================================================================
52	*
53	* This product includes cryptographic software written by Eric Young
54	* (eay@cryptsoft.com). This product includes software written by Tim
55	* Hudson (tjh@cryptsoft.com).
56	*
57	*/
58
59	#include <stdio.h>
60	#include "cryptlib.h"
61	#include <openssl/x509v3.h>
62	#include <openssl/x509_vfy.h>
63
64
65	static void x509v3_cache_extensions(X509 *x);
66
67	static int ca_check(const X509 *x);
68	static int check_ssl_ca(const X509 *x);
69	static int check_purpose_ssl_client(const X509_PURPOSE xp, const X509 x, int ca);
70	static int check_purpose_ssl_server(const X509_PURPOSE xp, const X509 x, int ca);
71	static int check_purpose_ns_ssl_server(const X509_PURPOSE xp, const X509 x, int ca);
72	static int purpose_smime(const X509 *x, int ca);
73	static int check_purpose_smime_sign(const X509_PURPOSE xp, const X509 x, int ca);
74	static int check_purpose_smime_encrypt(const X509_PURPOSE xp, const X509 x, int ca);
75	static int check_purpose_crl_sign(const X509_PURPOSE xp, const X509 x, int ca);
76	static int no_check(const X509_PURPOSE xp, const X509 x, int ca);
77
78	static int xp_cmp(const X509_PURPOSE * const *a,
79	const X509_PURPOSE * const *b);
80	static void xptable_free(X509_PURPOSE *p);
81
82	static X509_PURPOSE xstandard[] = {
83	{X509_PURPOSE_SSL_CLIENT, X509_TRUST_SSL_CLIENT, 0, check_purpose_ssl_client, "SSL client", "sslclient", NULL},
84	{X509_PURPOSE_SSL_SERVER, X509_TRUST_SSL_SERVER, 0, check_purpose_ssl_server, "SSL server", "sslserver", NULL},
85	{X509_PURPOSE_NS_SSL_SERVER, X509_TRUST_SSL_SERVER, 0, check_purpose_ns_ssl_server, "Netscape SSL server", "nssslserver", NULL},
86	{X509_PURPOSE_SMIME_SIGN, X509_TRUST_EMAIL, 0, check_purpose_smime_sign, "S/MIME signing", "smimesign", NULL},
87	{X509_PURPOSE_SMIME_ENCRYPT, X509_TRUST_EMAIL, 0, check_purpose_smime_encrypt, "S/MIME encryption", "smimeencrypt", NULL},
88	{X509_PURPOSE_CRL_SIGN, X509_TRUST_COMPAT, 0, check_purpose_crl_sign, "CRL signing", "crlsign", NULL},
89	{X509_PURPOSE_ANY, X509_TRUST_DEFAULT, 0, no_check, "Any Purpose", "any", NULL},
90	};
91
92	#define X509_PURPOSE_COUNT (sizeof(xstandard)/sizeof(X509_PURPOSE))
93
94	IMPLEMENT_STACK_OF(X509_PURPOSE)
95
96	static STACK_OF(X509_PURPOSE) *xptable = NULL;
97
98	static int xp_cmp(const X509_PURPOSE * const *a,
99	const X509_PURPOSE * const *b)
100	{
101	return (a)->purpose - (b)->purpose;
102	}
103
104	/* As much as I'd like to make X509_check_purpose use a "const" X509*
105	* I really can't because it does recalculate hashes and do other non-const
106	* things. */
107	int X509_check_purpose(X509 *x, int id, int ca)
108	{
109	int idx;
110	const X509_PURPOSE *pt;
111	if(!(x->ex_flags & EXFLAG_SET)) {
112	CRYPTO_w_lock(CRYPTO_LOCK_X509);
113	x509v3_cache_extensions(x);
114	CRYPTO_w_unlock(CRYPTO_LOCK_X509);
115	}
116	if(id == -1) return 1;
117	idx = X509_PURPOSE_get_by_id(id);
118	if(idx == -1) return -1;
119	pt = X509_PURPOSE_get0(idx);
120	return pt->check_purpose(pt, x, ca);
121	}
122
123	int X509_PURPOSE_get_count(void)
124	{
125	if(!xptable) return X509_PURPOSE_COUNT;
126	return sk_X509_PURPOSE_num(xptable) + X509_PURPOSE_COUNT;
127	}
128
129	X509_PURPOSE * X509_PURPOSE_get0(int idx)
130	{
131	if(idx < 0) return NULL;
132	if(idx < X509_PURPOSE_COUNT) return xstandard + idx;
133	return sk_X509_PURPOSE_value(xptable, idx - X509_PURPOSE_COUNT);
134	}
135
136	int X509_PURPOSE_get_by_sname(char *sname)
137	{
138	int i;
139	X509_PURPOSE *xptmp;
140	for(i = 0; i < X509_PURPOSE_get_count(); i++) {
141	xptmp = X509_PURPOSE_get0(i);
142	if(!strcmp(xptmp->sname, sname)) return i;
143	}
144	return -1;
145	}
146
147
148	int X509_PURPOSE_get_by_id(int purpose)
149	{
150	X509_PURPOSE tmp;
151	int idx;
152	if((purpose >= X509_PURPOSE_MIN) && (purpose <= X509_PURPOSE_MAX))
153	return purpose - X509_PURPOSE_MIN;
154	tmp.purpose = purpose;
155	if(!xptable) return -1;
156	idx = sk_X509_PURPOSE_find(xptable, &tmp);
157	if(idx == -1) return -1;
158	return idx + X509_PURPOSE_COUNT;
159	}
160
161	int X509_PURPOSE_add(int id, int trust, int flags,
162	int (ck)(const X509_PURPOSE , const X509 *, int),
163	char name, char sname, void *arg)
164	{
165	int idx;
166	X509_PURPOSE *ptmp;
167	/* This is set according to what we change: application can't set it */
168	flags &= ~X509_PURPOSE_DYNAMIC;
169	/* This will always be set for application modified trust entries */
170	flags \|= X509_PURPOSE_DYNAMIC_NAME;
171	/* Get existing entry if any */
172	idx = X509_PURPOSE_get_by_id(id);
173	/* Need a new entry */
174	if(idx == -1) {
175	if(!(ptmp = OPENSSL_malloc(sizeof(X509_PURPOSE)))) {
176	X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE);
177	return 0;
178	}
179	ptmp->flags = X509_PURPOSE_DYNAMIC;
180	} else ptmp = X509_PURPOSE_get0(idx);
181
182	/* OPENSSL_free existing name if dynamic */
183	if(ptmp->flags & X509_PURPOSE_DYNAMIC_NAME) {
184	OPENSSL_free(ptmp->name);
185	OPENSSL_free(ptmp->sname);
186	}
187	/* dup supplied name */
188	ptmp->name = BUF_strdup(name);
189	ptmp->sname = BUF_strdup(sname);
190	if(!ptmp->name \|\| !ptmp->sname) {
191	X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE);
192	return 0;
193	}
194	/* Keep the dynamic flag of existing entry */
195	ptmp->flags &= X509_PURPOSE_DYNAMIC;
196	/* Set all other flags */
197	ptmp->flags \|= flags;
198
199	ptmp->purpose = id;
200	ptmp->trust = trust;
201	ptmp->check_purpose = ck;
202	ptmp->usr_data = arg;
203
204	/* If its a new entry manage the dynamic table */
205	if(idx == -1) {
206	if(!xptable && !(xptable = sk_X509_PURPOSE_new(xp_cmp))) {
207	X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE);
208	return 0;
209	}
210	if (!sk_X509_PURPOSE_push(xptable, ptmp)) {
211	X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE);
212	return 0;
213	}
214	}
215	return 1;
216	}
217
218	static void xptable_free(X509_PURPOSE *p)
219	{
220	if(!p) return;
221	if (p->flags & X509_PURPOSE_DYNAMIC)
222	{
223	if (p->flags & X509_PURPOSE_DYNAMIC_NAME) {
224	OPENSSL_free(p->name);
225	OPENSSL_free(p->sname);
226	}
227	OPENSSL_free(p);
228	}
229	}
230
231	void X509_PURPOSE_cleanup(void)
232	{
233	int i;
234	sk_X509_PURPOSE_pop_free(xptable, xptable_free);
235	for(i = 0; i < X509_PURPOSE_COUNT; i++) xptable_free(xstandard + i);
236	xptable = NULL;
237	}
238
239	int X509_PURPOSE_get_id(X509_PURPOSE *xp)
240	{
241	return xp->purpose;
242	}
243
244	char X509_PURPOSE_get0_name(X509_PURPOSE xp)
245	{
246	return xp->name;
247	}
248
249	char X509_PURPOSE_get0_sname(X509_PURPOSE xp)
250	{
251	return xp->sname;
252	}
253
254	int X509_PURPOSE_get_trust(X509_PURPOSE *xp)
255	{
256	return xp->trust;
257	}
258
259	static void x509v3_cache_extensions(X509 *x)
260	{
261	BASIC_CONSTRAINTS *bs;
262	ASN1_BIT_STRING *usage;
263	ASN1_BIT_STRING *ns;
264	STACK_OF(ASN1_OBJECT) *extusage;
265
266	int i;
267	if(x->ex_flags & EXFLAG_SET) return;
268	#ifndef NO_SHA
269	X509_digest(x, EVP_sha1(), x->sha1_hash, NULL);
270	#endif
271	/* Does subject name match issuer ? */
272	if(!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x)))
273	x->ex_flags \|= EXFLAG_SS;
274	/* V1 should mean no extensions ... */
275	if(!X509_get_version(x)) x->ex_flags \|= EXFLAG_V1;
276	/* Handle basic constraints */
277	if((bs=X509_get_ext_d2i(x, NID_basic_constraints, NULL, NULL))) {
278	if(bs->ca) x->ex_flags \|= EXFLAG_CA;
279	if(bs->pathlen) {
280	if((bs->pathlen->type == V_ASN1_NEG_INTEGER)
281	\|\| !bs->ca) {
282	x->ex_flags \|= EXFLAG_INVALID;
283	x->ex_pathlen = 0;
284	} else x->ex_pathlen = ASN1_INTEGER_get(bs->pathlen);
285	} else x->ex_pathlen = -1;
286	BASIC_CONSTRAINTS_free(bs);
287	x->ex_flags \|= EXFLAG_BCONS;
288	}
289	/* Handle key usage */
290	if((usage=X509_get_ext_d2i(x, NID_key_usage, NULL, NULL))) {
291	if(usage->length > 0) {
292	x->ex_kusage = usage->data[0];
293	if(usage->length > 1)
294	x->ex_kusage \|= usage->data[1] << 8;
295	} else x->ex_kusage = 0;
296	x->ex_flags \|= EXFLAG_KUSAGE;
297	ASN1_BIT_STRING_free(usage);
298	}
299	x->ex_xkusage = 0;
300	if((extusage=X509_get_ext_d2i(x, NID_ext_key_usage, NULL, NULL))) {
301	x->ex_flags \|= EXFLAG_XKUSAGE;
302	for(i = 0; i < sk_ASN1_OBJECT_num(extusage); i++) {
303	switch(OBJ_obj2nid(sk_ASN1_OBJECT_value(extusage,i))) {
304	case NID_server_auth:
305	x->ex_xkusage \|= XKU_SSL_SERVER;
306	break;
307
308	case NID_client_auth:
309	x->ex_xkusage \|= XKU_SSL_CLIENT;
310	break;
311
312	case NID_email_protect:
313	x->ex_xkusage \|= XKU_SMIME;
314	break;
315
316	case NID_code_sign:
317	x->ex_xkusage \|= XKU_CODE_SIGN;
318	break;
319
320	case NID_ms_sgc:
321	case NID_ns_sgc:
322	x->ex_xkusage \|= XKU_SGC;
323	}
324	}
325	sk_ASN1_OBJECT_pop_free(extusage, ASN1_OBJECT_free);
326	}
327
328	if((ns=X509_get_ext_d2i(x, NID_netscape_cert_type, NULL, NULL))) {
329	if(ns->length > 0) x->ex_nscert = ns->data[0];
330	else x->ex_nscert = 0;
331	x->ex_flags \|= EXFLAG_NSCERT;
332	ASN1_BIT_STRING_free(ns);
333	}
334	x->skid =X509_get_ext_d2i(x, NID_subject_key_identifier, NULL, NULL);
335	x->akid =X509_get_ext_d2i(x, NID_authority_key_identifier, NULL, NULL);
336	x->ex_flags \|= EXFLAG_SET;
337	}
338
339	/* CA checks common to all purposes
340	* return codes:
341	* 0 not a CA
342	* 1 is a CA
343	* 2 basicConstraints absent so "maybe" a CA
344	* 3 basicConstraints absent but self signed V1.
345	*/
346
347	#define V1_ROOT (EXFLAG_V1\|EXFLAG_SS)
348	#define ku_reject(x, usage) \
349	(((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage)))
350	#define xku_reject(x, usage) \
351	(((x)->ex_flags & EXFLAG_XKUSAGE) && !((x)->ex_xkusage & (usage)))
352	#define ns_reject(x, usage) \
353	(((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage)))
354
355	static int ca_check(const X509 *x)
356	{
357	/* keyUsage if present should allow cert signing */
358	if(ku_reject(x, KU_KEY_CERT_SIGN)) return 0;
359	if(x->ex_flags & EXFLAG_BCONS) {
360	if(x->ex_flags & EXFLAG_CA) return 1;
361	/* If basicConstraints says not a CA then say so */
362	else return 0;
363	} else {
364	if((x->ex_flags & V1_ROOT) == V1_ROOT) return 3;
365	/* If key usage present it must have certSign so tolerate it */
366	else if (x->ex_flags & EXFLAG_KUSAGE) return 3;
367	else return 2;
368	}
369	}
370
371	/* Check SSL CA: common checks for SSL client and server */
372	static int check_ssl_ca(const X509 *x)
373	{
374	int ca_ret;
375	ca_ret = ca_check(x);
376	if(!ca_ret) return 0;
377	/* check nsCertType if present */
378	if(x->ex_flags & EXFLAG_NSCERT) {
379	if(x->ex_nscert & NS_SSL_CA) return ca_ret;
380	return 0;
381	}
382	if(ca_ret != 2) return ca_ret;
383	else return 0;
384	}
385
386
387	static int check_purpose_ssl_client(const X509_PURPOSE xp, const X509 x, int ca)
388	{
389	if(xku_reject(x,XKU_SSL_CLIENT)) return 0;
390	if(ca) return check_ssl_ca(x);
391	/* We need to do digital signatures with it */
392	if(ku_reject(x,KU_DIGITAL_SIGNATURE)) return 0;
393	/* nsCertType if present should allow SSL client use */
394	if(ns_reject(x, NS_SSL_CLIENT)) return 0;
395	return 1;
396	}
397
398	static int check_purpose_ssl_server(const X509_PURPOSE xp, const X509 x, int ca)
399	{
400	if(xku_reject(x,XKU_SSL_SERVER\|XKU_SGC)) return 0;
401	if(ca) return check_ssl_ca(x);
402
403	if(ns_reject(x, NS_SSL_SERVER)) return 0;
404	/* Now as for keyUsage: we'll at least need to sign OR encipher */
405	if(ku_reject(x, KU_DIGITAL_SIGNATURE\|KU_KEY_ENCIPHERMENT)) return 0;
406
407	return 1;
408
409	}
410
411	static int check_purpose_ns_ssl_server(const X509_PURPOSE xp, const X509 x, int ca)
412	{
413	int ret;
414	ret = check_purpose_ssl_server(xp, x, ca);
415	if(!ret \|\| ca) return ret;
416	/* We need to encipher or Netscape complains */
417	if(ku_reject(x, KU_KEY_ENCIPHERMENT)) return 0;
418	return ret;
419	}
420
421	/* common S/MIME checks */
422	static int purpose_smime(const X509 *x, int ca)
423	{
424	if(xku_reject(x,XKU_SMIME)) return 0;
425	if(ca) {
426	int ca_ret;
427	ca_ret = ca_check(x);
428	if(!ca_ret) return 0;
429	/* check nsCertType if present */
430	if(x->ex_flags & EXFLAG_NSCERT) {
431	if(x->ex_nscert & NS_SMIME_CA) return ca_ret;
432	return 0;
433	}
434	if(ca_ret != 2) return ca_ret;
435	else return 0;
436	}
437	if(x->ex_flags & EXFLAG_NSCERT) {
438	if(x->ex_nscert & NS_SMIME) return 1;
439	/* Workaround for some buggy certificates */
440	if(x->ex_nscert & NS_SSL_CLIENT) return 2;
441	return 0;
442	}
443	return 1;
444	}
445
446	static int check_purpose_smime_sign(const X509_PURPOSE xp, const X509 x, int ca)
447	{
448	int ret;
449	ret = purpose_smime(x, ca);
450	if(!ret \|\| ca) return ret;
451	if(ku_reject(x, KU_DIGITAL_SIGNATURE\|KU_NON_REPUDIATION)) return 0;
452	return ret;
453	}
454
455	static int check_purpose_smime_encrypt(const X509_PURPOSE xp, const X509 x, int ca)
456	{
457	int ret;
458	ret = purpose_smime(x, ca);
459	if(!ret \|\| ca) return ret;
460	if(ku_reject(x, KU_KEY_ENCIPHERMENT)) return 0;
461	return ret;
462	}
463
464	static int check_purpose_crl_sign(const X509_PURPOSE xp, const X509 x, int ca)
465	{
466	if(ca) {
467	int ca_ret;
468	if((ca_ret = ca_check(x)) != 2) return ca_ret;
469	else return 0;
470	}
471	if(ku_reject(x, KU_CRL_SIGN)) return 0;
472	return 1;
473	}
474
475	static int no_check(const X509_PURPOSE xp, const X509 x, int ca)
476	{
477	return 1;
478	}
479
480	/* Various checks to see if one certificate issued the second.
481	* This can be used to prune a set of possible issuer certificates
482	* which have been looked up using some simple method such as by
483	* subject name.
484	* These are:
485	* 1. Check issuer_name(subject) == subject_name(issuer)
486	* 2. If akid(subject) exists check it matches issuer
487	* 3. If key_usage(issuer) exists check it supports certificate signing
488	* returns 0 for OK, positive for reason for mismatch, reasons match
489	* codes for X509_verify_cert()
490	*/
491
492	int X509_check_issued(X509 issuer, X509 subject)
493	{
494	if(X509_NAME_cmp(X509_get_subject_name(issuer),
495	X509_get_issuer_name(subject)))
496	return X509_V_ERR_SUBJECT_ISSUER_MISMATCH;
497	x509v3_cache_extensions(issuer);
498	x509v3_cache_extensions(subject);
499	if(subject->akid) {
500	/* Check key ids (if present) */
501	if(subject->akid->keyid && issuer->skid &&
502	ASN1_OCTET_STRING_cmp(subject->akid->keyid, issuer->skid) )
503	return X509_V_ERR_AKID_SKID_MISMATCH;
504	/* Check serial number */
505	if(subject->akid->serial &&
506	ASN1_INTEGER_cmp(X509_get_serialNumber(issuer),
507	subject->akid->serial))
508	return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
509	/* Check issuer name */
510	if(subject->akid->issuer) {
511	/* Ugh, for some peculiar reason AKID includes
512	* SEQUENCE OF GeneralName. So look for a DirName.
513	* There may be more than one but we only take any
514	* notice of the first.
515	*/
516	STACK_OF(GENERAL_NAME) *gens;
517	GENERAL_NAME *gen;
518	X509_NAME *nm = NULL;
519	int i;
520	gens = subject->akid->issuer;
521	for(i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
522	gen = sk_GENERAL_NAME_value(gens, i);
523	if(gen->type == GEN_DIRNAME) {
524	nm = gen->d.dirn;
525	break;
526	}
527	}
528	if(nm && X509_NAME_cmp(nm, X509_get_issuer_name(issuer)))
529	return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
530	}
531	}
532	if(ku_reject(issuer, KU_KEY_CERT_SIGN)) return X509_V_ERR_KEYUSAGE_NO_CERTSIGN;
533	return X509_V_OK;
534	}
535