diff options
Diffstat (limited to 'src/lib/libcrypto/x509v3/v3_purp.c')
| -rw-r--r-- | src/lib/libcrypto/x509v3/v3_purp.c | 38 |
1 files changed, 25 insertions, 13 deletions
diff --git a/src/lib/libcrypto/x509v3/v3_purp.c b/src/lib/libcrypto/x509v3/v3_purp.c index bdcdf95d12..d692a19c25 100644 --- a/src/lib/libcrypto/x509v3/v3_purp.c +++ b/src/lib/libcrypto/x509v3/v3_purp.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: v3_purp.c,v 1.29 2017/01/29 17:49:23 beck Exp $ */ | 1 | /* $OpenBSD: v3_purp.c,v 1.30 2017/06/22 17:28:00 jsing Exp $ */ |
| 2 | /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL | 2 | /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL |
| 3 | * project 2001. | 3 | * project 2001. |
| 4 | */ | 4 | */ |
| @@ -65,6 +65,14 @@ | |||
| 65 | #include <openssl/x509v3.h> | 65 | #include <openssl/x509v3.h> |
| 66 | #include <openssl/x509_vfy.h> | 66 | #include <openssl/x509_vfy.h> |
| 67 | 67 | ||
| 68 | #define V1_ROOT (EXFLAG_V1|EXFLAG_SS) | ||
| 69 | #define ku_reject(x, usage) \ | ||
| 70 | (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage))) | ||
| 71 | #define xku_reject(x, usage) \ | ||
| 72 | (((x)->ex_flags & EXFLAG_XKUSAGE) && !((x)->ex_xkusage & (usage))) | ||
| 73 | #define ns_reject(x, usage) \ | ||
| 74 | (((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage))) | ||
| 75 | |||
| 68 | static void x509v3_cache_extensions(X509 *x); | 76 | static void x509v3_cache_extensions(X509 *x); |
| 69 | 77 | ||
| 70 | static int check_ssl_ca(const X509 *x); | 78 | static int check_ssl_ca(const X509 *x); |
| @@ -427,19 +435,19 @@ x509v3_cache_extensions(X509 *x) | |||
| 427 | ASN1_BIT_STRING *ns; | 435 | ASN1_BIT_STRING *ns; |
| 428 | EXTENDED_KEY_USAGE *extusage; | 436 | EXTENDED_KEY_USAGE *extusage; |
| 429 | X509_EXTENSION *ex; | 437 | X509_EXTENSION *ex; |
| 430 | |||
| 431 | int i; | 438 | int i; |
| 439 | |||
| 432 | if (x->ex_flags & EXFLAG_SET) | 440 | if (x->ex_flags & EXFLAG_SET) |
| 433 | return; | 441 | return; |
| 442 | |||
| 434 | #ifndef OPENSSL_NO_SHA | 443 | #ifndef OPENSSL_NO_SHA |
| 435 | X509_digest(x, EVP_sha1(), x->sha1_hash, NULL); | 444 | X509_digest(x, EVP_sha1(), x->sha1_hash, NULL); |
| 436 | #endif | 445 | #endif |
| 437 | /* Does subject name match issuer ? */ | 446 | |
| 438 | if (!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x))) | ||
| 439 | x->ex_flags |= EXFLAG_SI; | ||
| 440 | /* V1 should mean no extensions ... */ | 447 | /* V1 should mean no extensions ... */ |
| 441 | if (!X509_get_version(x)) | 448 | if (!X509_get_version(x)) |
| 442 | x->ex_flags |= EXFLAG_V1; | 449 | x->ex_flags |= EXFLAG_V1; |
| 450 | |||
| 443 | /* Handle basic constraints */ | 451 | /* Handle basic constraints */ |
| 444 | if ((bs = X509_get_ext_d2i(x, NID_basic_constraints, NULL, NULL))) { | 452 | if ((bs = X509_get_ext_d2i(x, NID_basic_constraints, NULL, NULL))) { |
| 445 | if (bs->ca) | 453 | if (bs->ca) |
| @@ -456,6 +464,7 @@ x509v3_cache_extensions(X509 *x) | |||
| 456 | BASIC_CONSTRAINTS_free(bs); | 464 | BASIC_CONSTRAINTS_free(bs); |
| 457 | x->ex_flags |= EXFLAG_BCONS; | 465 | x->ex_flags |= EXFLAG_BCONS; |
| 458 | } | 466 | } |
| 467 | |||
| 459 | /* Handle proxy certificates */ | 468 | /* Handle proxy certificates */ |
| 460 | if ((pci = X509_get_ext_d2i(x, NID_proxyCertInfo, NULL, NULL))) { | 469 | if ((pci = X509_get_ext_d2i(x, NID_proxyCertInfo, NULL, NULL))) { |
| 461 | if (x->ex_flags & EXFLAG_CA || | 470 | if (x->ex_flags & EXFLAG_CA || |
| @@ -477,6 +486,7 @@ x509v3_cache_extensions(X509 *x) | |||
| 477 | PROXY_CERT_INFO_EXTENSION_free(pci); | 486 | PROXY_CERT_INFO_EXTENSION_free(pci); |
| 478 | x->ex_flags |= EXFLAG_PROXY; | 487 | x->ex_flags |= EXFLAG_PROXY; |
| 479 | } | 488 | } |
| 489 | |||
| 480 | /* Handle key usage */ | 490 | /* Handle key usage */ |
| 481 | if ((usage = X509_get_ext_d2i(x, NID_key_usage, NULL, NULL))) { | 491 | if ((usage = X509_get_ext_d2i(x, NID_key_usage, NULL, NULL))) { |
| 482 | if (usage->length > 0) { | 492 | if (usage->length > 0) { |
| @@ -541,6 +551,16 @@ x509v3_cache_extensions(X509 *x) | |||
| 541 | 551 | ||
| 542 | x->skid = X509_get_ext_d2i(x, NID_subject_key_identifier, NULL, NULL); | 552 | x->skid = X509_get_ext_d2i(x, NID_subject_key_identifier, NULL, NULL); |
| 543 | x->akid = X509_get_ext_d2i(x, NID_authority_key_identifier, NULL, NULL); | 553 | x->akid = X509_get_ext_d2i(x, NID_authority_key_identifier, NULL, NULL); |
| 554 | |||
| 555 | /* Does subject name match issuer? */ | ||
| 556 | if (!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x))) { | ||
| 557 | x->ex_flags |= EXFLAG_SI; | ||
| 558 | /* If SKID matches AKID also indicate self signed. */ | ||
| 559 | if (X509_check_akid(x, x->akid) == X509_V_OK && | ||
| 560 | !ku_reject(x, KU_KEY_CERT_SIGN)) | ||
| 561 | x->ex_flags |= EXFLAG_SS; | ||
| 562 | } | ||
| 563 | |||
| 544 | x->altname = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL); | 564 | x->altname = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL); |
| 545 | x->nc = X509_get_ext_d2i(x, NID_name_constraints, &i, NULL); | 565 | x->nc = X509_get_ext_d2i(x, NID_name_constraints, &i, NULL); |
| 546 | if (!x->nc && (i != -1)) | 566 | if (!x->nc && (i != -1)) |
| @@ -571,14 +591,6 @@ x509v3_cache_extensions(X509 *x) | |||
| 571 | * 4 basicConstraints absent but keyUsage present and keyCertSign asserted. | 591 | * 4 basicConstraints absent but keyUsage present and keyCertSign asserted. |
| 572 | */ | 592 | */ |
| 573 | 593 | ||
| 574 | #define V1_ROOT (EXFLAG_V1|EXFLAG_SS) | ||
| 575 | #define ku_reject(x, usage) \ | ||
| 576 | (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage))) | ||
| 577 | #define xku_reject(x, usage) \ | ||
| 578 | (((x)->ex_flags & EXFLAG_XKUSAGE) && !((x)->ex_xkusage & (usage))) | ||
| 579 | #define ns_reject(x, usage) \ | ||
| 580 | (((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage))) | ||
| 581 | |||
| 582 | static int | 594 | static int |
| 583 | check_ca(const X509 *x) | 595 | check_ca(const X509 *x) |
| 584 | { | 596 | { |