Diffstat (limited to 'src/lib/libcrypto/x509v3')
-rw-r--r--src/lib/libcrypto/x509v3/ext_dat.h129
-rw-r--r--src/lib/libcrypto/x509v3/pcy_cache.c271
-rw-r--r--src/lib/libcrypto/x509v3/pcy_data.c129
-rw-r--r--src/lib/libcrypto/x509v3/pcy_int.h206
-rw-r--r--src/lib/libcrypto/x509v3/pcy_lib.c157
-rw-r--r--src/lib/libcrypto/x509v3/pcy_map.c126
-rw-r--r--src/lib/libcrypto/x509v3/pcy_node.c191
-rw-r--r--src/lib/libcrypto/x509v3/pcy_tree.c767
-rw-r--r--src/lib/libcrypto/x509v3/v3_akey.c209
-rw-r--r--src/lib/libcrypto/x509v3/v3_akeya.c96
-rw-r--r--src/lib/libcrypto/x509v3/v3_alt.c646
-rw-r--r--src/lib/libcrypto/x509v3/v3_bcons.c157
-rw-r--r--src/lib/libcrypto/x509v3/v3_bitst.c147
-rw-r--r--src/lib/libcrypto/x509v3/v3_conf.c572
-rw-r--r--src/lib/libcrypto/x509v3/v3_cpols.c617
-rw-r--r--src/lib/libcrypto/x509v3/v3_crld.c685
-rw-r--r--src/lib/libcrypto/x509v3/v3_enum.c99
-rw-r--r--src/lib/libcrypto/x509v3/v3_extku.c180
-rw-r--r--src/lib/libcrypto/x509v3/v3_genn.c353
-rw-r--r--src/lib/libcrypto/x509v3/v3_ia5.c119
-rw-r--r--src/lib/libcrypto/x509v3/v3_info.c260
-rw-r--r--src/lib/libcrypto/x509v3/v3_int.c94
-rw-r--r--src/lib/libcrypto/x509v3/v3_lib.c345
-rw-r--r--src/lib/libcrypto/x509v3/v3_ncons.c506
-rw-r--r--src/lib/libcrypto/x509v3/v3_ocsp.c327
-rw-r--r--src/lib/libcrypto/x509v3/v3_pci.c327
-rw-r--r--src/lib/libcrypto/x509v3/v3_pcia.c102
-rw-r--r--src/lib/libcrypto/x509v3/v3_pcons.c156
-rw-r--r--src/lib/libcrypto/x509v3/v3_pku.c135
-rw-r--r--src/lib/libcrypto/x509v3/v3_pmaps.c177
-rw-r--r--src/lib/libcrypto/x509v3/v3_prn.c225
-rw-r--r--src/lib/libcrypto/x509v3/v3_purp.c861
-rw-r--r--src/lib/libcrypto/x509v3/v3_skey.c151
-rw-r--r--src/lib/libcrypto/x509v3/v3_sxnet.c335
-rw-r--r--src/lib/libcrypto/x509v3/v3_utl.c925
-rw-r--r--src/lib/libcrypto/x509v3/v3err.c226
-rw-r--r--src/lib/libcrypto/x509v3/x509v3.h862
37 files changed, 0 insertions, 11870 deletions
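diff --git a/src/lib/libcrypto/x509v3/ext_dat.h b/src/lib/libcrypto/x509v3/ext_dat.h
deleted file mode 100644
index f8bf7916b3..0000000000
--- a/src/lib/libcrypto/x509v3/ext_dat.h
+++ /dev/null
@@ -1,129 +0,0 @@
-/* $OpenBSD: ext_dat.h,v 1.12 2015/02/10 13:28:17 jsing Exp $ */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 1999.
- */
-/* ====================================================================
- * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <openssl/opensslconf.h>
-
-/* This file contains a table of "standard" extensions */
-
-extern X509V3_EXT_METHOD v3_bcons, v3_nscert, v3_key_usage, v3_ext_ku;
-extern X509V3_EXT_METHOD v3_pkey_usage_period, v3_sxnet, v3_info, v3_sinfo;
-extern X509V3_EXT_METHOD v3_ns_ia5_list[], v3_alt[], v3_skey_id, v3_akey_id;
-extern X509V3_EXT_METHOD v3_crl_num, v3_crl_reason, v3_crl_invdate;
-extern X509V3_EXT_METHOD v3_delta_crl, v3_cpols, v3_crld, v3_freshest_crl;
-extern X509V3_EXT_METHOD v3_ocsp_nonce, v3_ocsp_accresp, v3_ocsp_acutoff;
-extern X509V3_EXT_METHOD v3_ocsp_crlid, v3_ocsp_nocheck, v3_ocsp_serviceloc;
-extern X509V3_EXT_METHOD v3_crl_hold, v3_pci;
-extern X509V3_EXT_METHOD v3_policy_mappings, v3_policy_constraints;
-extern X509V3_EXT_METHOD v3_name_constraints, v3_inhibit_anyp, v3_idp;
-extern X509V3_EXT_METHOD v3_addr, v3_asid;
-
-/* This table will be searched using OBJ_bsearch so it *must* kept in
- * order of the ext_nid values.
- */
-
-static const X509V3_EXT_METHOD *standard_exts[] = {
-	&v3_nscert,
-	&v3_ns_ia5_list[0],
-	&v3_ns_ia5_list[1],
-	&v3_ns_ia5_list[2],
-	&v3_ns_ia5_list[3],
-	&v3_ns_ia5_list[4],
-	&v3_ns_ia5_list[5],
-	&v3_ns_ia5_list[6],
-	&v3_skey_id,
-	&v3_key_usage,
-	&v3_pkey_usage_period,
-	&v3_alt[0],
-	&v3_alt[1],
-	&v3_bcons,
-	&v3_crl_num,
-	&v3_cpols,
-	&v3_akey_id,
-	&v3_crld,
-	&v3_ext_ku,
-	&v3_delta_crl,
-	&v3_crl_reason,
-#ifndef OPENSSL_NO_OCSP
-	&v3_crl_invdate,
-#endif
-	&v3_sxnet,
-	&v3_info,
-#ifndef OPENSSL_NO_OCSP
-	&v3_ocsp_nonce,
-	&v3_ocsp_crlid,
-	&v3_ocsp_accresp,
-	&v3_ocsp_nocheck,
-	&v3_ocsp_acutoff,
-	&v3_ocsp_serviceloc,
-#endif
-	&v3_sinfo,
-	&v3_policy_constraints,
-#ifndef OPENSSL_NO_OCSP
-	&v3_crl_hold,
-#endif
-	&v3_pci,
-	&v3_name_constraints,
-	&v3_policy_mappings,
-	&v3_inhibit_anyp,
-	&v3_idp,
-	&v3_alt[2],
-	&v3_freshest_crl,
-};
-
-/* Number of standard extensions */
-#define STANDARD_EXTENSION_COUNT (sizeof(standard_exts)/sizeof(X509V3_EXT_METHOD *))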
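diff --git a/src/lib/libcrypto/x509v3/pcy_cache.c b/src/lib/libcrypto/x509v3/pcy_cache.c
deleted file mode 100644
index 9c8ba8298b..0000000000
--- a/src/lib/libcrypto/x509v3/pcy_cache.c
+++ /dev/null
@@ -1,271 +0,0 @@
-/* $OpenBSD: pcy_cache.c,v 1.5 2014/07/11 08:44:49 jsing Exp $ */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 2004.
- */
-/* ====================================================================
- * Copyright (c) 2004 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <openssl/x509.h>
-#include <openssl/x509v3.h>
-
-#include "pcy_int.h"
-
-static int policy_data_cmp(const X509_POLICY_DATA * const *a,
-    const X509_POLICY_DATA * const *b);
-static int policy_cache_set_int(long *out, ASN1_INTEGER *value);
-
-/* Set cache entry according to CertificatePolicies extension.
- * Note: this destroys the passed CERTIFICATEPOLICIES structure.
- */
-
-static int
-policy_cache_create(X509 *x, CERTIFICATEPOLICIES *policies, int crit)
-{
-	int i;
-	int ret = 0;
-	X509_POLICY_CACHE *cache = x->policy_cache;
-	X509_POLICY_DATA *data = NULL;
-	POLICYINFO *policy;
-
-	if (sk_POLICYINFO_num(policies) == 0)
-		goto bad_policy;
-	cache->data = sk_X509_POLICY_DATA_new(policy_data_cmp);
-	if (!cache->data)
-		goto bad_policy;
-	for (i = 0; i < sk_POLICYINFO_num(policies); i++) {
-		policy = sk_POLICYINFO_value(policies, i);
-		data = policy_data_new(policy, NULL, crit);
-		if (!data)
-			goto bad_policy;
-		/* Duplicate policy OIDs are illegal: reject if matches
-		 * found.
-		 */
-		if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) {
-			if (cache->anyPolicy) {
-				ret = -1;
-				goto bad_policy;
-			}
-			cache->anyPolicy = data;
-		} else if (sk_X509_POLICY_DATA_find(cache->data, data) != -1) {
-			ret = -1;
-			goto bad_policy;
-		} else if (!sk_X509_POLICY_DATA_push(cache->data, data))
-			goto bad_policy;
-		data = NULL;
-	}
-	ret = 1;
-
-bad_policy:
-	if (ret == -1)
-		x->ex_flags |= EXFLAG_INVALID_POLICY;
-	if (data)
-		policy_data_free(data);
-	sk_POLICYINFO_pop_free(policies, POLICYINFO_free);
-	if (ret <= 0) {
-		sk_X509_POLICY_DATA_pop_free(cache->data, policy_data_free);
-		cache->data = NULL;
-	}
-	return ret;
-}
-
-static int
-policy_cache_new(X509 *x)
-{
-	X509_POLICY_CACHE *cache;
-	ASN1_INTEGER *ext_any = NULL;
-	POLICY_CONSTRAINTS *ext_pcons = NULL;
-	CERTIFICATEPOLICIES *ext_cpols = NULL;
-	POLICY_MAPPINGS *ext_pmaps = NULL;
-	int i;
-
-	cache = malloc(sizeof(X509_POLICY_CACHE));
-	if (!cache)
-		return 0;
-	cache->anyPolicy = NULL;
-	cache->data = NULL;
-	cache->any_skip = -1;
-	cache->explicit_skip = -1;
-	cache->map_skip = -1;
-
-	x->policy_cache = cache;
-
-	/* Handle requireExplicitPolicy *first*. Need to process this
-	 * even if we don't have any policies.
-	 */
-	ext_pcons = X509_get_ext_d2i(x, NID_policy_constraints, &i, NULL);
-
-	if (!ext_pcons) {
-		if (i != -1)
-			goto bad_cache;
-	} else {
-		if (!ext_pcons->requireExplicitPolicy &&
-		    !ext_pcons->inhibitPolicyMapping)
-			goto bad_cache;
-		if (!policy_cache_set_int(&cache->explicit_skip,
-		    ext_pcons->requireExplicitPolicy))
-			goto bad_cache;
-		if (!policy_cache_set_int(&cache->map_skip,
-		    ext_pcons->inhibitPolicyMapping))
-			goto bad_cache;
-	}
-
-	/* Process CertificatePolicies */
-
-	ext_cpols = X509_get_ext_d2i(x, NID_certificate_policies, &i, NULL);
-	/* If no CertificatePolicies extension or problem decoding then
-	 * there is no point continuing because the valid policies will be
-	 * NULL.
-	 */
-	if (!ext_cpols) {
-		/* If not absent some problem with extension */
-		if (i != -1)
-			goto bad_cache;
-		return 1;
-	}
-
-	i = policy_cache_create(x, ext_cpols, i);
-
-	/* NB: ext_cpols freed by policy_cache_set_policies */
-
-	if (i <= 0)
-		return i;
-
-	ext_pmaps = X509_get_ext_d2i(x, NID_policy_mappings, &i, NULL);
-
-	if (!ext_pmaps) {
-		/* If not absent some problem with extension */
-		if (i != -1)
-			goto bad_cache;
-	} else {
-		i = policy_cache_set_mapping(x, ext_pmaps);
-		if (i <= 0)
-			goto bad_cache;
-	}
-
-	ext_any = X509_get_ext_d2i(x, NID_inhibit_any_policy, &i, NULL);
-
-	if (!ext_any) {
-		if (i != -1)
-			goto bad_cache;
-	} else if (!policy_cache_set_int(&cache->any_skip, ext_any))
-		goto bad_cache;
-
-	if (0) {
-bad_cache:
-		x->ex_flags |= EXFLAG_INVALID_POLICY;
-	}
-
-	if (ext_pcons)
-		POLICY_CONSTRAINTS_free(ext_pcons);
-
-	if (ext_any)
-		ASN1_INTEGER_free(ext_any);
-
-	return 1;
-}
-
-void
-policy_cache_free(X509_POLICY_CACHE *cache)
-{
-	if (!cache)
-		return;
-	if (cache->anyPolicy)
-		policy_data_free(cache->anyPolicy);
-	if (cache->data)
-		sk_X509_POLICY_DATA_pop_free(cache->data, policy_data_free);
-	free(cache);
-}
-
-const X509_POLICY_CACHE *
-policy_cache_set(X509 *x)
-{
-	if (x->policy_cache == NULL) {
-		CRYPTO_w_lock(CRYPTO_LOCK_X509);
-		policy_cache_new(x);
-		CRYPTO_w_unlock(CRYPTO_LOCK_X509);
-	}
-
-	return x->policy_cache;
-}
-
-X509_POLICY_DATA *
-policy_cache_find_data(const X509_POLICY_CACHE *cache, const ASN1_OBJECT *id)
-{
-	int idx;
-	X509_POLICY_DATA tmp;
-
-	tmp.valid_policy = (ASN1_OBJECT *)id;
-	idx = sk_X509_POLICY_DATA_find(cache->data, &tmp);
-	if (idx == -1)
-		return NULL;
-	return sk_X509_POLICY_DATA_value(cache->data, idx);
-}
-
-static int
-policy_data_cmp(const X509_POLICY_DATA * const *a,
-    const X509_POLICY_DATA * const *b)
-{
-	return OBJ_cmp((*a)->valid_policy, (*b)->valid_policy);
-}
-
-static int
-policy_cache_set_int(long *out, ASN1_INTEGER *value)
-{
-	if (value == NULL)
-		return 1;
-	if (value->type == V_ASN1_NEG_INTEGER)
-		return 0;
-	*out = ASN1_INTEGER_get(value);
-	return 1;
-}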
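diff --git a/src/lib/libcrypto/x509v3/pcy_data.c b/src/lib/libcrypto/x509v3/pcy_data.c
deleted file mode 100644
index 698ca6ace5..0000000000
--- a/src/lib/libcrypto/x509v3/pcy_data.c
+++ /dev/null
@@ -1,129 +0,0 @@
-/* $OpenBSD: pcy_data.c,v 1.8 2014/07/11 08:44:49 jsing Exp $ */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 2004.
- */
-/* ====================================================================
- * Copyright (c) 2004 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <openssl/x509.h>
-#include <openssl/x509v3.h>
-
-#include "pcy_int.h"
-
-/* Policy Node routines */
-
-void
-policy_data_free(X509_POLICY_DATA *data)
-{
-	ASN1_OBJECT_free(data->valid_policy);
-	/* Don't free qualifiers if shared */
-	if (!(data->flags & POLICY_DATA_FLAG_SHARED_QUALIFIERS))
-		sk_POLICYQUALINFO_pop_free(data->qualifier_set,
-		    POLICYQUALINFO_free);
-	sk_ASN1_OBJECT_pop_free(data->expected_policy_set, ASN1_OBJECT_free);
-	free(data);
-}
-
-/* Create a data based on an existing policy. If 'id' is NULL use the
- * oid in the policy, otherwise use 'id'. This behaviour covers the two
- * types of data in RFC3280: data with from a CertificatePolcies extension
- * and additional data with just the qualifiers of anyPolicy and ID from
- * another source.
- */
-
-X509_POLICY_DATA *
-policy_data_new(POLICYINFO *policy, const ASN1_OBJECT *cid, int crit)
-{
-	X509_POLICY_DATA *ret;
-	ASN1_OBJECT *id;
-
-	if (!policy && !cid)
-		return NULL;
-	if (cid) {
-		id = OBJ_dup(cid);
-		if (!id)
-			return NULL;
-	} else
-		id = NULL;
-	ret = malloc(sizeof(X509_POLICY_DATA));
-	if (!ret)
-		return NULL;
-	ret->expected_policy_set = sk_ASN1_OBJECT_new_null();
-	if (!ret->expected_policy_set) {
-		free(ret);
-		if (id)
-			ASN1_OBJECT_free(id);
-		return NULL;
-	}
-
-	if (crit)
-		ret->flags = POLICY_DATA_FLAG_CRITICAL;
-	else
-		ret->flags = 0;
-
-	if (id)
-		ret->valid_policy = id;
-	else {
-		ret->valid_policy = policy->policyid;
-		policy->policyid = NULL;
-	}
-
-	if (policy) {
-		ret->qualifier_set = policy->qualifiers;
-		policy->qualifiers = NULL;
-	} else
-		ret->qualifier_set = NULL;
-
-	return ret;
-}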
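diff --git a/src/lib/libcrypto/x509v3/pcy_int.h b/src/lib/libcrypto/x509v3/pcy_int.h
deleted file mode 100644
index 3f8a8316e2..0000000000
--- a/src/lib/libcrypto/x509v3/pcy_int.h
+++ /dev/null
@@ -1,206 +0,0 @@
-/* $OpenBSD: pcy_int.h,v 1.3 2014/06/12 15:49:31 deraadt Exp $ */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 2004.
- */
-/* ====================================================================
- * Copyright (c) 2004 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-
-typedef struct X509_POLICY_DATA_st X509_POLICY_DATA;
-
-DECLARE_STACK_OF(X509_POLICY_DATA)
-
-/* Internal structures */
-
-/* This structure and the field names correspond to the Policy 'node' of
- * RFC3280. NB this structure contains no pointers to parent or child
- * data: X509_POLICY_NODE contains that. This means that the main policy data
- * can be kept static and cached with the certificate.
- */
-
-struct X509_POLICY_DATA_st {
-	unsigned int flags;
-	/* Policy OID and qualifiers for this data */
-	ASN1_OBJECT *valid_policy;
-	STACK_OF(POLICYQUALINFO) *qualifier_set;
-	STACK_OF(ASN1_OBJECT) *expected_policy_set;
-};
-
-/* X509_POLICY_DATA flags values */
-
-/* This flag indicates the structure has been mapped using a policy mapping
- * extension. If policy mapping is not active its references get deleted.
- */
-
-#define POLICY_DATA_FLAG_MAPPED 0x1
-
-/* This flag indicates the data doesn't correspond to a policy in Certificate
- * Policies: it has been mapped to any policy.
- */
-
-#define POLICY_DATA_FLAG_MAPPED_ANY 0x2
-
-/* AND with flags to see if any mapping has occurred */
-
-#define POLICY_DATA_FLAG_MAP_MASK 0x3
-
-/* qualifiers are shared and shouldn't be freed */
-
-#define POLICY_DATA_FLAG_SHARED_QUALIFIERS 0x4
-
-/* Parent node is an extra node and should be freed */
-
-#define POLICY_DATA_FLAG_EXTRA_NODE 0x8
-
-/* Corresponding CertificatePolicies is critical */
-
-#define POLICY_DATA_FLAG_CRITICAL 0x10
-
-/* This structure is cached with a certificate */
-
-struct X509_POLICY_CACHE_st {
-	/* anyPolicy data or NULL if no anyPolicy */
-	X509_POLICY_DATA *anyPolicy;
-	/* other policy data */
-	STACK_OF(X509_POLICY_DATA) *data;
-	/* If InhibitAnyPolicy present this is its value or -1 if absent. */
-	long any_skip;
-	/* If policyConstraints and requireExplicitPolicy present this is its
-	 * value or -1 if absent.
-	 */
-	long explicit_skip;
-	/* If policyConstraints and policyMapping present this is its
-	 * value or -1 if absent.
-	 */
-	long map_skip;
-};
-
-/*#define POLICY_CACHE_FLAG_CRITICAL POLICY_DATA_FLAG_CRITICAL*/
-
-/* This structure represents the relationship between nodes */
-
-struct X509_POLICY_NODE_st {
-	/* node data this refers to */
-	const X509_POLICY_DATA *data;
-	/* Parent node */
-	X509_POLICY_NODE *parent;
-	/* Number of child nodes */
-	int nchild;
-};
-
-struct X509_POLICY_LEVEL_st {
-	/* Cert for this level */
-	X509 *cert;
-	/* nodes at this level */
-	STACK_OF(X509_POLICY_NODE) *nodes;
-	/* anyPolicy node */
-	X509_POLICY_NODE *anyPolicy;
-	/* Extra data */
-	/*STACK_OF(X509_POLICY_DATA) *extra_data;*/
-	unsigned int flags;
-};
-
-struct X509_POLICY_TREE_st {
-	/* This is the tree 'level' data */
-	X509_POLICY_LEVEL *levels;
-	int nlevel;
-	/* Extra policy data when additional nodes (not from the certificate)
-	 * are required.
-	 */
-	STACK_OF(X509_POLICY_DATA) *extra_data;
-	/* This is the authority constained policy set */
-	STACK_OF(X509_POLICY_NODE) *auth_policies;
-	STACK_OF(X509_POLICY_NODE) *user_policies;
-	unsigned int flags;
-};
-
-/* Set if anyPolicy present in user policies */
-#define POLICY_FLAG_ANY_POLICY 0x2
-
-/* Useful macros */
-
-#define node_data_critical(data) (data->flags & POLICY_DATA_FLAG_CRITICAL)
-#define node_critical(node) node_data_critical(node->data)
-
-/* Internal functions */
-
-X509_POLICY_DATA *policy_data_new(POLICYINFO *policy, const ASN1_OBJECT *id,
-    int crit);
-void policy_data_free(X509_POLICY_DATA *data);
-
-X509_POLICY_DATA *policy_cache_find_data(const X509_POLICY_CACHE *cache,
-    const ASN1_OBJECT *id);
-int policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps);
-
-
-STACK_OF(X509_POLICY_NODE) *policy_node_cmp_new(void);
-
-void policy_cache_init(void);
-
-void policy_cache_free(X509_POLICY_CACHE *cache);
-
-X509_POLICY_NODE *level_find_node(const X509_POLICY_LEVEL *level,
-    const X509_POLICY_NODE *parent, const ASN1_OBJECT *id);
-
-X509_POLICY_NODE *tree_find_sk(STACK_OF(X509_POLICY_NODE) *sk,
-    const ASN1_OBJECT *id);
-
-X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
-    const X509_POLICY_DATA *data, X509_POLICY_NODE *parent,
-    X509_POLICY_TREE *tree);
-void policy_node_free(X509_POLICY_NODE *node);
-int policy_node_match(const X509_POLICY_LEVEL *lvl,
-    const X509_POLICY_NODE *node, const ASN1_OBJECT *oid);
-
-const X509_POLICY_CACHE *policy_cache_set(X509 *x);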
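diff --git a/src/lib/libcrypto/x509v3/pcy_lib.c b/src/lib/libcrypto/x509v3/pcy_lib.c
deleted file mode 100644
index 6f37064063..0000000000
--- a/src/lib/libcrypto/x509v3/pcy_lib.c
+++ /dev/null
@@ -1,157 +0,0 @@
-/* $OpenBSD: pcy_lib.c,v 1.5 2015/02/07 13:19:15 doug Exp $ */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 2004.
- */
-/* ====================================================================
- * Copyright (c) 2004 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <openssl/x509.h>
-#include <openssl/x509v3.h>
-
-#include "pcy_int.h"
-
-/* accessor functions */
-
-/* X509_POLICY_TREE stuff */
-
-int
-X509_policy_tree_level_count(const X509_POLICY_TREE *tree)
-{
-	if (!tree)
-		return 0;
-	return tree->nlevel;
-}
-
-X509_POLICY_LEVEL *
-X509_policy_tree_get0_level(const X509_POLICY_TREE *tree, int i)
-{
-	if (!tree || (i < 0) || (i >= tree->nlevel))
-		return NULL;
-	return tree->levels + i;
-}
-
-STACK_OF(X509_POLICY_NODE) *
-X509_policy_tree_get0_policies(const X509_POLICY_TREE *tree)
-{
-	if (!tree)
-		return NULL;
-	return tree->auth_policies;
-}
-
-STACK_OF(X509_POLICY_NODE) *
-X509_policy_tree_get0_user_policies(const X509_POLICY_TREE *tree)
-{
-	if (!tree)
-		return NULL;
-	if (tree->flags & POLICY_FLAG_ANY_POLICY)
-		return tree->auth_policies;
-	else
-		return tree->user_policies;
-}
-
-/* X509_POLICY_LEVEL stuff */
-
-int
-X509_policy_level_node_count(X509_POLICY_LEVEL *level)
-{
-	int n;
-	if (!level)
-		return 0;
-	if (level->anyPolicy)
-		n = 1;
-	else
-		n = 0;
-	if (level->nodes)
-		n += sk_X509_POLICY_NODE_num(level->nodes);
-	return n;
-}
-
-X509_POLICY_NODE *
-X509_policy_level_get0_node(X509_POLICY_LEVEL *level, int i)
-{
-	if (!level)
-		return NULL;
-	if (level->anyPolicy) {
-		if (i == 0)
-			return level->anyPolicy;
-		i--;
-	}
-	return sk_X509_POLICY_NODE_value(level->nodes, i);
-}
-
-/* X509_POLICY_NODE stuff */
-
-const ASN1_OBJECT *
-X509_policy_node_get0_policy(const X509_POLICY_NODE *node)
-{
-	if (!node)
-		return NULL;
-	return node->data->valid_policy;
-}
-
-STACK_OF(POLICYQUALINFO) *
-X509_policy_node_get0_qualifiers(const X509_POLICY_NODE *node)
-{
-	if (!node)
-		return NULL;
-	return node->data->qualifier_set;
-}
-
-const X509_POLICY_NODE *
-X509_policy_node_get0_parent(const X509_POLICY_NODE *node)
-{
-	if (!node)
-		return NULL;
-	return node->parent;
-}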
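diff --git a/src/lib/libcrypto/x509v3/pcy_map.c b/src/lib/libcrypto/x509v3/pcy_map.c
deleted file mode 100644
index 6ee1ffe895..0000000000
--- a/src/lib/libcrypto/x509v3/pcy_map.c
+++ /dev/null
@@ -1,126 +0,0 @@
-/* $OpenBSD: pcy_map.c,v 1.4 2014/07/11 08:44:49 jsing Exp $ */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 2004.
- */
-/* ====================================================================
- * Copyright (c) 2004 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <openssl/x509.h>
-#include <openssl/x509v3.h>
-
-#include "pcy_int.h"
-
-/* Set policy mapping entries in cache.
- * Note: this modifies the passed POLICY_MAPPINGS structure
- */
-
-int
-policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps)
-{
- POLICY_MAPPING *map;
- X509_POLICY_DATA *data;
- X509_POLICY_CACHE *cache = x->policy_cache;
- int i;
- int ret = 0;
-
- if (sk_POLICY_MAPPING_num(maps) == 0) {
- ret = -1;
- goto bad_mapping;
- }
- for (i = 0; i < sk_POLICY_MAPPING_num(maps); i++) {
- map = sk_POLICY_MAPPING_value(maps, i);
- /* Reject if map to or from anyPolicy */
- if ((OBJ_obj2nid(map->subjectDomainPolicy) == NID_any_policy) ||
- (OBJ_obj2nid(map->issuerDomainPolicy) == NID_any_policy)) {
- ret = -1;
- goto bad_mapping;
- }
-
- /* Attempt to find matching policy data */
- data = policy_cache_find_data(cache, map->issuerDomainPolicy);
- /* If we don't have anyPolicy can't map */
- if (!data && !cache->anyPolicy)
- continue;
-
- /* Create a NODE from anyPolicy */
- if (!data) {
- data = policy_data_new(NULL, map->issuerDomainPolicy,
- cache->anyPolicy->flags &
- POLICY_DATA_FLAG_CRITICAL);
- if (!data)
- goto bad_mapping;
- data->qualifier_set = cache->anyPolicy->qualifier_set;
- /*map->issuerDomainPolicy = NULL;*/
- data->flags |= POLICY_DATA_FLAG_MAPPED_ANY;
- data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
- if (!sk_X509_POLICY_DATA_push(cache->data, data)) {
- policy_data_free(data);
- goto bad_mapping;
- }
- } else
- data->flags |= POLICY_DATA_FLAG_MAPPED;
- if (!sk_ASN1_OBJECT_push(data->expected_policy_set,
- map->subjectDomainPolicy))
- goto bad_mapping;
- map->subjectDomainPolicy = NULL;
- }
-
- ret = 1;
-
-bad_mapping:
- if (ret == -1)
- x->ex_flags |= EXFLAG_INVALID_POLICY;
- sk_POLICY_MAPPING_pop_free(maps, POLICY_MAPPING_free);
- return ret;
-}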
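diff --git a/src/lib/libcrypto/x509v3/pcy_node.c b/src/lib/libcrypto/x509v3/pcy_node.c
deleted file mode 100644
index 839113ea2f..0000000000
--- a/src/lib/libcrypto/x509v3/pcy_node.c
+++ /dev/null
@@ -1,191 +0,0 @@
-/* $OpenBSD: pcy_node.c,v 1.5 2014/07/23 20:49:52 miod Exp $ */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 2004.
- */
-/* ====================================================================
- * Copyright (c) 2004 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <openssl/asn1.h>
-#include <openssl/x509.h>
-#include <openssl/x509v3.h>
-
-#include "pcy_int.h"
-
-static int
-node_cmp(const X509_POLICY_NODE * const *a, const X509_POLICY_NODE * const *b)
-{
- return OBJ_cmp((*a)->data->valid_policy, (*b)->data->valid_policy);
-}
-
-STACK_OF(X509_POLICY_NODE) *policy_node_cmp_new(void)
-{
- return sk_X509_POLICY_NODE_new(node_cmp);
-}
-
-X509_POLICY_NODE *
-tree_find_sk(STACK_OF(X509_POLICY_NODE) *nodes, const ASN1_OBJECT *id)
-{
- X509_POLICY_DATA n;
- X509_POLICY_NODE l;
- int idx;
-
- n.valid_policy = (ASN1_OBJECT *)id;
- l.data = &n;
-
- idx = sk_X509_POLICY_NODE_find(nodes, &l);
- if (idx == -1)
- return NULL;
-
- return sk_X509_POLICY_NODE_value(nodes, idx);
-}
-
-X509_POLICY_NODE *
-level_find_node(const X509_POLICY_LEVEL *level, const X509_POLICY_NODE *parent,
- const ASN1_OBJECT *id)
-{
- X509_POLICY_NODE *node;
- int i;
-
- for (i = 0; i < sk_X509_POLICY_NODE_num(level->nodes); i++) {
- node = sk_X509_POLICY_NODE_value(level->nodes, i);
- if (node->parent == parent) {
- if (!OBJ_cmp(node->data->valid_policy, id))
- return node;
- }
- }
- return NULL;
-}
-
-X509_POLICY_NODE *
-level_add_node(X509_POLICY_LEVEL *level, const X509_POLICY_DATA *data,
- X509_POLICY_NODE *parent, X509_POLICY_TREE *tree)
-{
- X509_POLICY_NODE *node;
-
- node = malloc(sizeof(X509_POLICY_NODE));
- if (!node)
- return NULL;
- node->data = data;
- node->parent = parent;
- node->nchild = 0;
- if (level) {
- if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) {
- if (level->anyPolicy)
- goto node_error;
- level->anyPolicy = node;
- } else {
-
- if (!level->nodes)
- level->nodes = policy_node_cmp_new();
- if (!level->nodes)
- goto node_error;
- if (!sk_X509_POLICY_NODE_push(level->nodes, node))
- goto node_error;
- }
- }
-
- if (tree) {
- if (!tree->extra_data)
- tree->extra_data = sk_X509_POLICY_DATA_new_null();
- if (!tree->extra_data)
- goto node_error_cond;
- if (!sk_X509_POLICY_DATA_push(tree->extra_data, data))
- goto node_error_cond;
- }
-
- if (parent)
- parent->nchild++;
-
- return node;
-
-node_error_cond:
- if (level)
- node = NULL;
-node_error:
- policy_node_free(node);
- return NULL;
-}
-
-void
-policy_node_free(X509_POLICY_NODE *node)
-{
- free(node);
-}
-
-/* See if a policy node matches a policy OID. If mapping enabled look through
- * expected policy set otherwise just valid policy.
- */
-
-int
-policy_node_match(const X509_POLICY_LEVEL *lvl, const X509_POLICY_NODE *node,
- const ASN1_OBJECT *oid)
-{
- int i;
- ASN1_OBJECT *policy_oid;
- const X509_POLICY_DATA *x = node->data;
-
- if ((lvl->flags & X509_V_FLAG_INHIBIT_MAP) ||
- !(x->flags & POLICY_DATA_FLAG_MAP_MASK)) {
- if (!OBJ_cmp(x->valid_policy, oid))
- return 1;
- return 0;
- }
-
- for (i = 0; i < sk_ASN1_OBJECT_num(x->expected_policy_set); i++) {
- policy_oid = sk_ASN1_OBJECT_value(x->expected_policy_set, i);
- if (!OBJ_cmp(policy_oid, oid))
- return 1;
- }
- return 0;
-}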
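diff --git a/src/lib/libcrypto/x509v3/pcy_tree.c b/src/lib/libcrypto/x509v3/pcy_tree.c
deleted file mode 100644
index fa0e161562..0000000000
--- a/src/lib/libcrypto/x509v3/pcy_tree.c
+++ /dev/null
@@ -1,767 +0,0 @@
-/* $OpenBSD: pcy_tree.c,v 1.13 2015/02/07 13:19:15 doug Exp $ */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 2004.
- */
-/* ====================================================================
- * Copyright (c) 2004 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <openssl/x509.h>
-#include <openssl/x509v3.h>
-
-#include "pcy_int.h"
-
-/* Enable this to print out the complete policy tree at various point during
- * evaluation.
- */
-
-/*#define OPENSSL_POLICY_DEBUG*/
-
-#ifdef OPENSSL_POLICY_DEBUG
-
-static void
-expected_print(BIO *err, X509_POLICY_LEVEL *lev, X509_POLICY_NODE *node,
- int indent)
-{
- if ((lev->flags & X509_V_FLAG_INHIBIT_MAP) ||
- !(node->data->flags & POLICY_DATA_FLAG_MAP_MASK))
- BIO_puts(err, " Not Mapped\n");
- else {
- int i;
- STACK_OF(ASN1_OBJECT) *pset = node->data->expected_policy_set;
- ASN1_OBJECT *oid;
- BIO_puts(err, " Expected: ");
- for (i = 0; i < sk_ASN1_OBJECT_num(pset); i++) {
- oid = sk_ASN1_OBJECT_value(pset, i);
- if (i)
- BIO_puts(err, ", ");
- i2a_ASN1_OBJECT(err, oid);
- }
- BIO_puts(err, "\n");
- }
-}
-
-static void
-tree_print(char *str, X509_POLICY_TREE *tree, X509_POLICY_LEVEL *curr)
-{
- X509_POLICY_LEVEL *plev;
- X509_POLICY_NODE *node;
- int i;
- BIO *err;
-
- err = BIO_new_fp(stderr, BIO_NOCLOSE);
- if (!curr)
- curr = tree->levels + tree->nlevel;
- else
- curr++;
- BIO_printf(err, "Level print after %s\n", str);
- BIO_printf(err, "Printing Up to Level %ld\n", curr - tree->levels);
- for (plev = tree->levels; plev != curr; plev++) {
- BIO_printf(err, "Level %ld, flags = %x\n",
- plev - tree->levels, plev->flags);
- for (i = 0; i < sk_X509_POLICY_NODE_num(plev->nodes); i++) {
- node = sk_X509_POLICY_NODE_value(plev->nodes, i);
- X509_POLICY_NODE_print(err, node, 2);
- expected_print(err, plev, node, 2);
- BIO_printf(err, " Flags: %x\n", node->data->flags);
- }
- if (plev->anyPolicy)
- X509_POLICY_NODE_print(err, plev->anyPolicy, 2);
- }
-
- BIO_free(err);
-}
-#else
-
-#define tree_print(a,b,c) /* */
-
-#endif
-
-/* Initialize policy tree. Return values:
- * 0 Some internal error occured.
- * -1 Inconsistent or invalid extensions in certificates.
- * 1 Tree initialized OK.
- * 2 Policy tree is empty.
- * 5 Tree OK and requireExplicitPolicy true.
- * 6 Tree empty and requireExplicitPolicy true.
- */
-
-static int
-tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, unsigned int flags)
-{
- X509_POLICY_TREE *tree;
- X509_POLICY_LEVEL *level;
- const X509_POLICY_CACHE *cache;
- X509_POLICY_DATA *data = NULL;
- X509 *x;
- int ret = 1;
- int i, n;
- int explicit_policy;
- int any_skip;
- int map_skip;
-
- *ptree = NULL;
- n = sk_X509_num(certs);
-
- if (flags & X509_V_FLAG_EXPLICIT_POLICY)
- explicit_policy = 0;
- else
- explicit_policy = n + 1;
-
- if (flags & X509_V_FLAG_INHIBIT_ANY)
- any_skip = 0;
- else
- any_skip = n + 1;
-
- if (flags & X509_V_FLAG_INHIBIT_MAP)
- map_skip = 0;
- else
- map_skip = n + 1;
-
- /* Can't do anything with just a trust anchor */
- if (n == 1)
- return 1;
- /* First setup policy cache in all certificates apart from the
- * trust anchor. Note any bad cache results on the way. Also can
- * calculate explicit_policy value at this point.
- */
- for (i = n - 2; i >= 0; i--) {
- x = sk_X509_value(certs, i);
- X509_check_purpose(x, -1, -1);
- cache = policy_cache_set(x);
- /* If cache NULL something bad happened: return immediately */
- if (cache == NULL)
- return 0;
- /* If inconsistent extensions keep a note of it but continue */
- if (x->ex_flags & EXFLAG_INVALID_POLICY)
- ret = -1;
- /* Otherwise if we have no data (hence no CertificatePolicies)
- * and haven't already set an inconsistent code note it.
- */
- else if ((ret == 1) && !cache->data)
- ret = 2;
- if (explicit_policy > 0) {
- if (!(x->ex_flags & EXFLAG_SI))
- explicit_policy--;
- if ((cache->explicit_skip != -1) &&
- (cache->explicit_skip < explicit_policy))
- explicit_policy = cache->explicit_skip;
- }
- }
-
- if (ret != 1) {
- if (ret == 2 && !explicit_policy)
- return 6;
- return ret;
- }
-
-
- /* If we get this far initialize the tree */
-
- tree = malloc(sizeof(X509_POLICY_TREE));
-
- if (!tree)
- return 0;
-
- tree->flags = 0;
- tree->levels = calloc(n, sizeof(X509_POLICY_LEVEL));
- tree->nlevel = 0;
- tree->extra_data = NULL;
- tree->auth_policies = NULL;
- tree->user_policies = NULL;
-
- if (!tree->levels) {
- free(tree);
- return 0;
- }
-
- tree->nlevel = n;
-
- level = tree->levels;
-
- /* Root data: initialize to anyPolicy */
-
- data = policy_data_new(NULL, OBJ_nid2obj(NID_any_policy), 0);
-
- if (!data || !level_add_node(level, data, NULL, tree))
- goto bad_tree;
-
- for (i = n - 2; i >= 0; i--) {
- level++;
- x = sk_X509_value(certs, i);
- cache = policy_cache_set(x);
- CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
- level->cert = x;
-
- if (!cache->anyPolicy)
- level->flags |= X509_V_FLAG_INHIBIT_ANY;
-
- /* Determine inhibit any and inhibit map flags */
- if (any_skip == 0) {
- /* Any matching allowed if certificate is self
- * issued and not the last in the chain.
- */
- if (!(x->ex_flags & EXFLAG_SI) || (i == 0))
- level->flags |= X509_V_FLAG_INHIBIT_ANY;
- } else {
- if (!(x->ex_flags & EXFLAG_SI))
- any_skip--;
- if ((cache->any_skip >= 0) &&
- (cache->any_skip < any_skip))
- any_skip = cache->any_skip;
- }
-
- if (map_skip == 0)
- level->flags |= X509_V_FLAG_INHIBIT_MAP;
- else {
- if (!(x->ex_flags & EXFLAG_SI))
- map_skip--;
- if ((cache->map_skip >= 0) &&
- (cache->map_skip < map_skip))
- map_skip = cache->map_skip;
- }
-
- }
-
- *ptree = tree;
-
- if (explicit_policy)
- return 1;
- else
- return 5;
-
-bad_tree:
- X509_policy_tree_free(tree);
-
- return 0;
-}
-
-static int
-tree_link_matching_nodes(X509_POLICY_LEVEL *curr, const X509_POLICY_DATA *data)
-{
- X509_POLICY_LEVEL *last = curr - 1;
- X509_POLICY_NODE *node;
- int i, matched = 0;
-
- /* Iterate through all in nodes linking matches */
- for (i = 0; i < sk_X509_POLICY_NODE_num(last->nodes); i++) {
- node = sk_X509_POLICY_NODE_value(last->nodes, i);
- if (policy_node_match(last, node, data->valid_policy)) {
- if (!level_add_node(curr, data, node, NULL))
- return 0;
- matched = 1;
- }
- }
- if (!matched && last->anyPolicy) {
- if (!level_add_node(curr, data, last->anyPolicy, NULL))
- return 0;
- }
- return 1;
-}
-
-/* This corresponds to RFC3280 6.1.3(d)(1):
- * link any data from CertificatePolicies onto matching parent
- * or anyPolicy if no match.
- */
-
-static int
-tree_link_nodes(X509_POLICY_LEVEL *curr, const X509_POLICY_CACHE *cache)
-{
- int i;
- X509_POLICY_DATA *data;
-
- for (i = 0; i < sk_X509_POLICY_DATA_num(cache->data); i++) {
- data = sk_X509_POLICY_DATA_value(cache->data, i);
- /* Look for matching nodes in previous level */
- if (!tree_link_matching_nodes(curr, data))
- return 0;
- }
- return 1;
-}
-
-/* This corresponds to RFC3280 6.1.3(d)(2):
- * Create new data for any unmatched policies in the parent and link
- * to anyPolicy.
- */
-
-static int
-tree_add_unmatched(X509_POLICY_LEVEL *curr, const X509_POLICY_CACHE *cache,
- const ASN1_OBJECT *id, X509_POLICY_NODE *node, X509_POLICY_TREE *tree)
-{
- X509_POLICY_DATA *data;
-
- if (id == NULL)
- id = node->data->valid_policy;
- /* Create a new node with qualifiers from anyPolicy and
- * id from unmatched node.
- */
- data = policy_data_new(NULL, id, node_critical(node));
-
- if (data == NULL)
- return 0;
- /* Curr may not have anyPolicy */
- data->qualifier_set = cache->anyPolicy->qualifier_set;
- data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
- if (!level_add_node(curr, data, node, tree)) {
- policy_data_free(data);
- return 0;
- }
-
- return 1;
-}
-
-static int
-tree_link_unmatched(X509_POLICY_LEVEL *curr, const X509_POLICY_CACHE *cache,
- X509_POLICY_NODE *node, X509_POLICY_TREE *tree)
-{
- const X509_POLICY_LEVEL *last = curr - 1;
- int i;
-
- if ((last->flags & X509_V_FLAG_INHIBIT_MAP) ||
- !(node->data->flags & POLICY_DATA_FLAG_MAPPED)) {
- /* If no policy mapping: matched if one child present */
- if (node->nchild)
- return 1;
- if (!tree_add_unmatched(curr, cache, NULL, node, tree))
- return 0;
- /* Add it */
- } else {
- /* If mapping: matched if one child per expected policy set */
- STACK_OF(ASN1_OBJECT) *expset = node->data->expected_policy_set;
- if (node->nchild == sk_ASN1_OBJECT_num(expset))
- return 1;
- /* Locate unmatched nodes */
- for (i = 0; i < sk_ASN1_OBJECT_num(expset); i++) {
- ASN1_OBJECT *oid = sk_ASN1_OBJECT_value(expset, i);
- if (level_find_node(curr, node, oid))
- continue;
- if (!tree_add_unmatched(curr, cache, oid, node, tree))
- return 0;
- }
- }
-
- return 1;
-}
-
-static int
-tree_link_any(X509_POLICY_LEVEL *curr, const X509_POLICY_CACHE *cache,
- X509_POLICY_TREE *tree)
-{
- int i;
- X509_POLICY_NODE *node;
- X509_POLICY_LEVEL *last = curr - 1;
-
- for (i = 0; i < sk_X509_POLICY_NODE_num(last->nodes); i++) {
- node = sk_X509_POLICY_NODE_value(last->nodes, i);
-
- if (!tree_link_unmatched(curr, cache, node, tree))
- return 0;
- }
- /* Finally add link to anyPolicy */
- if (last->anyPolicy) {
- if (!level_add_node(curr, cache->anyPolicy,
- last->anyPolicy, NULL))
- return 0;
- }
- return 1;
-}
-
-/* Prune the tree: delete any child mapped child data on the current level
- * then proceed up the tree deleting any data with no children. If we ever
- * have no data on a level we can halt because the tree will be empty.
- */
-
-static int
-tree_prune(X509_POLICY_TREE *tree, X509_POLICY_LEVEL *curr)
-{
- STACK_OF(X509_POLICY_NODE) *nodes;
- X509_POLICY_NODE *node;
- int i;
-
- nodes = curr->nodes;
- if (curr->flags & X509_V_FLAG_INHIBIT_MAP) {
- for (i = sk_X509_POLICY_NODE_num(nodes) - 1; i >= 0; i--) {
- node = sk_X509_POLICY_NODE_value(nodes, i);
- /* Delete any mapped data: see RFC3280 XXXX */
- if (node->data->flags & POLICY_DATA_FLAG_MAP_MASK) {
- node->parent->nchild--;
- free(node);
- (void)sk_X509_POLICY_NODE_delete(nodes, i);
- }
- }
- }
-
- for (;;) {
- --curr;
- nodes = curr->nodes;
- for (i = sk_X509_POLICY_NODE_num(nodes) - 1; i >= 0; i--) {
- node = sk_X509_POLICY_NODE_value(nodes, i);
- if (node->nchild == 0) {
- node->parent->nchild--;
- free(node);
- (void)sk_X509_POLICY_NODE_delete(nodes, i);
- }
- }
- if (curr->anyPolicy && !curr->anyPolicy->nchild) {
- if (curr->anyPolicy->parent)
- curr->anyPolicy->parent->nchild--;
- free(curr->anyPolicy);
- curr->anyPolicy = NULL;
- }
- if (curr == tree->levels) {
- /* If we zapped anyPolicy at top then tree is empty */
- if (!curr->anyPolicy)
- return 2;
- return 1;
- }
- }
-
- return 1;
-}
-
-static int
-tree_add_auth_node(STACK_OF(X509_POLICY_NODE) **pnodes, X509_POLICY_NODE *pcy)
-{
- if (!*pnodes) {
- *pnodes = policy_node_cmp_new();
- if (!*pnodes)
- return 0;
- } else if (sk_X509_POLICY_NODE_find(*pnodes, pcy) != -1)
- return 1;
-
- if (!sk_X509_POLICY_NODE_push(*pnodes, pcy))
- return 0;
-
- return 1;
-}
-
-/* Calculate the authority set based on policy tree.
- * The 'pnodes' parameter is used as a store for the set of policy nodes
- * used to calculate the user set. If the authority set is not anyPolicy
- * then pnodes will just point to the authority set. If however the authority
- * set is anyPolicy then the set of valid policies (other than anyPolicy)
- * is store in pnodes. The return value of '2' is used in this case to indicate
- * that pnodes should be freed.
- */
-
-static int
-tree_calculate_authority_set(X509_POLICY_TREE *tree,
- STACK_OF(X509_POLICY_NODE) **pnodes)
-{
- X509_POLICY_LEVEL *curr;
- X509_POLICY_NODE *node, *anyptr;
- STACK_OF(X509_POLICY_NODE) **addnodes;
- int i, j;
-
- curr = tree->levels + tree->nlevel - 1;
-
- /* If last level contains anyPolicy set is anyPolicy */
- if (curr->anyPolicy) {
- if (!tree_add_auth_node(&tree->auth_policies, curr->anyPolicy))
- return 0;
- addnodes = pnodes;
- } else
- /* Add policies to authority set */
- addnodes = &tree->auth_policies;
-
- curr = tree->levels;
- for (i = 1; i < tree->nlevel; i++) {
- /* If no anyPolicy node on this this level it can't
- * appear on lower levels so end search.
- */
- if (!(anyptr = curr->anyPolicy))
- break;
- curr++;
- for (j = 0; j < sk_X509_POLICY_NODE_num(curr->nodes); j++) {
- node = sk_X509_POLICY_NODE_value(curr->nodes, j);
- if ((node->parent == anyptr) &&
- !tree_add_auth_node(addnodes, node))
- return 0;
- }
- }
-
- if (addnodes == pnodes)
- return 2;
-
- *pnodes = tree->auth_policies;
-
- return 1;
-}
-
-static int
-tree_calculate_user_set(X509_POLICY_TREE *tree,
- STACK_OF(ASN1_OBJECT) *policy_oids, STACK_OF(X509_POLICY_NODE) *auth_nodes)
-{
- int i;
- X509_POLICY_NODE *node;
- ASN1_OBJECT *oid;
- X509_POLICY_NODE *anyPolicy;
- X509_POLICY_DATA *extra;
-
- /* Check if anyPolicy present in authority constrained policy set:
- * this will happen if it is a leaf node.
- */
-
- if (sk_ASN1_OBJECT_num(policy_oids) <= 0)
- return 1;
-
- anyPolicy = tree->levels[tree->nlevel - 1].anyPolicy;
-
- for (i = 0; i < sk_ASN1_OBJECT_num(policy_oids); i++) {
- oid = sk_ASN1_OBJECT_value(policy_oids, i);
- if (OBJ_obj2nid(oid) == NID_any_policy) {
- tree->flags |= POLICY_FLAG_ANY_POLICY;
- return 1;
- }
- }
-
- for (i = 0; i < sk_ASN1_OBJECT_num(policy_oids); i++) {
- oid = sk_ASN1_OBJECT_value(policy_oids, i);
- node = tree_find_sk(auth_nodes, oid);
- if (!node) {
- if (!anyPolicy)
- continue;
- /* Create a new node with policy ID from user set
- * and qualifiers from anyPolicy.
- */
- extra = policy_data_new(NULL, oid,
- node_critical(anyPolicy));
- if (!extra)
- return 0;
- extra->qualifier_set = anyPolicy->data->qualifier_set;
- extra->flags = POLICY_DATA_FLAG_SHARED_QUALIFIERS |
- POLICY_DATA_FLAG_EXTRA_NODE;
- node = level_add_node(NULL, extra, anyPolicy->parent,
- tree);
- }
- if (!tree->user_policies) {
- tree->user_policies = sk_X509_POLICY_NODE_new_null();
- if (!tree->user_policies)
- return 1;
- }
- if (!sk_X509_POLICY_NODE_push(tree->user_policies, node))
- return 0;
- }
- return 1;
-}
-
-static int
-tree_evaluate(X509_POLICY_TREE *tree)
-{
- int ret, i;
- X509_POLICY_LEVEL *curr = tree->levels + 1;
- const X509_POLICY_CACHE *cache;
-
- for (i = 1; i < tree->nlevel; i++, curr++) {
- cache = policy_cache_set(curr->cert);
- if (!tree_link_nodes(curr, cache))
- return 0;
-
- if (!(curr->flags & X509_V_FLAG_INHIBIT_ANY) &&
- !tree_link_any(curr, cache, tree))
- return 0;
- tree_print("before tree_prune()", tree, curr);
- ret = tree_prune(tree, curr);
- if (ret != 1)
- return ret;
- }
-
- return 1;
-}
-
-static void
-exnode_free(X509_POLICY_NODE *node)
-{
- if (node->data && (node->data->flags & POLICY_DATA_FLAG_EXTRA_NODE))
- free(node);
-}
-
-void
-X509_policy_tree_free(X509_POLICY_TREE *tree)
-{
- X509_POLICY_LEVEL *curr;
- int i;
-
- if (!tree)
- return;
-
- sk_X509_POLICY_NODE_free(tree->auth_policies);
- sk_X509_POLICY_NODE_pop_free(tree->user_policies, exnode_free);
-
- for (i = 0, curr = tree->levels; i < tree->nlevel; i++, curr++) {
- if (curr->cert)
- X509_free(curr->cert);
- if (curr->nodes)
- sk_X509_POLICY_NODE_pop_free(curr->nodes,
- policy_node_free);
- if (curr->anyPolicy)
- policy_node_free(curr->anyPolicy);
- }
-
- if (tree->extra_data)
- sk_X509_POLICY_DATA_pop_free(tree->extra_data,
- policy_data_free);
-
- free(tree->levels);
- free(tree);
-}
-
-/* Application policy checking function.
- * Return codes:
- * 0 Internal Error.
- * 1 Successful.
- * -1 One or more certificates contain invalid or inconsistent extensions
- * -2 User constrained policy set empty and requireExplicit true.
- */
-
-int
-X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy,
- STACK_OF(X509) *certs, STACK_OF(ASN1_OBJECT) *policy_oids,
- unsigned int flags)
-{
- int ret;
- X509_POLICY_TREE *tree = NULL;
- STACK_OF(X509_POLICY_NODE) *nodes, *auth_nodes = NULL;
-
- *ptree = NULL;
- *pexplicit_policy = 0;
- ret = tree_init(&tree, certs, flags);
-
- switch (ret) {
-
- /* Tree empty requireExplicit False: OK */
- case 2:
- return 1;
-
- /* Some internal error */
- case -1:
- return -1;
-
- /* Some internal error */
- case 0:
- return 0;
-
- /* Tree empty requireExplicit True: Error */
-
- case 6:
- *pexplicit_policy = 1;
- return -2;
-
- /* Tree OK requireExplicit True: OK and continue */
- case 5:
- *pexplicit_policy = 1;
- break;
-
- /* Tree OK: continue */
-
- case 1:
- if (!tree)
- /*
- * tree_init() returns success and a null tree
- * if it's just looking at a trust anchor.
- * I'm not sure that returning success here is
- * correct, but I'm sure that reporting this
- * as an internal error which our caller
- * interprets as a malloc failure is wrong.
- */
- return 1;
- break;
- }
-
- if (!tree)
- goto error;
- ret = tree_evaluate(tree);
-
- tree_print("tree_evaluate()", tree, NULL);
-
- if (ret <= 0)
- goto error;
-
- /* Return value 2 means tree empty */
- if (ret == 2) {
- X509_policy_tree_free(tree);
- if (*pexplicit_policy)
- return -2;
- else
- return 1;
- }
-
- /* Tree is not empty: continue */
-
- ret = tree_calculate_authority_set(tree, &auth_nodes);
-
- if (!ret)
- goto error;
-
- if (!tree_calculate_user_set(tree, policy_oids, auth_nodes))
- goto error;
-
- if (ret == 2)
- sk_X509_POLICY_NODE_free(auth_nodes);
-
- if (tree)
- *ptree = tree;
-
- if (*pexplicit_policy) {
- nodes = X509_policy_tree_get0_user_policies(tree);
- if (sk_X509_POLICY_NODE_num(nodes) <= 0)
- return -2;
- }
-
- return 1;
-
-error:
- X509_policy_tree_free(tree);
-
- return 0;
-}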
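diff --git a/src/lib/libcrypto/x509v3/v3_akey.c b/src/lib/libcrypto/x509v3/v3_akey.c
deleted file mode 100644
index d5b5f685af..0000000000
--- a/src/lib/libcrypto/x509v3/v3_akey.c
+++ /dev/null
@@ -1,209 +0,0 @@
-/* $OpenBSD: v3_akey.c,v 1.13 2014/10/05 18:26:22 miod Exp $ */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 1999.
- */
-/* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-#include <string.h>
-
-#include <openssl/asn1.h>
-#include <openssl/asn1t.h>
-#include <openssl/conf.h>
-#include <openssl/err.h>
-#include <openssl/x509v3.h>
-
-static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
-    AUTHORITY_KEYID *akeyid, STACK_OF(CONF_VALUE) *extlist);
-static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
-    X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values);
-
-const X509V3_EXT_METHOD v3_akey_id = {
-	NID_authority_key_identifier,
-	X509V3_EXT_MULTILINE, ASN1_ITEM_ref(AUTHORITY_KEYID),
-	0, 0,0, 0,
-	0, 0,
-	(X509V3_EXT_I2V)i2v_AUTHORITY_KEYID,
-	(X509V3_EXT_V2I)v2i_AUTHORITY_KEYID,
-	0, 0,
-	NULL
-};
-
-static
-STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
-    AUTHORITY_KEYID *akeyid, STACK_OF(CONF_VALUE) *extlist)
-{
-	char *tmp;
-
-	if (akeyid->keyid) {
-		tmp = hex_to_string(akeyid->keyid->data, akeyid->keyid->length);
-		X509V3_add_value("keyid", tmp, &extlist);
-		free(tmp);
-	}
-	if (akeyid->issuer)
-		extlist = i2v_GENERAL_NAMES(NULL, akeyid->issuer, extlist);
-	if (akeyid->serial) {
-		tmp = hex_to_string(akeyid->serial->data,
-		    akeyid->serial->length);
-		X509V3_add_value("serial", tmp, &extlist);
-		free(tmp);
-	}
-	return extlist;
-}
-
-/* Currently two options:
- * keyid: use the issuers subject keyid, the value 'always' means its is
- * an error if the issuer certificate doesn't have a key id.
- * issuer: use the issuers cert issuer and serial number. The default is
- * to only use this if keyid is not present. With the option 'always'
- * this is always included.
- */
-
-static AUTHORITY_KEYID *
-v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
-    STACK_OF(CONF_VALUE) *values)
-{
-	char keyid = 0, issuer = 0;
-	int i;
-	CONF_VALUE *cnf;
-	ASN1_OCTET_STRING *ikeyid = NULL;
-	X509_NAME *isname = NULL;
-	STACK_OF(GENERAL_NAME) *gens = NULL;
-	GENERAL_NAME *gen = NULL;
-	ASN1_INTEGER *serial = NULL;
-	X509_EXTENSION *ext;
-	X509 *cert;
-	AUTHORITY_KEYID *akeyid = NULL;
-
-	for (i = 0; i < sk_CONF_VALUE_num(values); i++) {
-		cnf = sk_CONF_VALUE_value(values, i);
-		if (!strcmp(cnf->name, "keyid")) {
-			keyid = 1;
-			if (cnf->value && !strcmp(cnf->value, "always"))
-				keyid = 2;
-		}
-		else if (!strcmp(cnf->name, "issuer")) {
-			issuer = 1;
-			if (cnf->value && !strcmp(cnf->value, "always"))
-				issuer = 2;
-		} else {
-			X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,
-			    X509V3_R_UNKNOWN_OPTION);
-			ERR_asprintf_error_data("name=%s", cnf->name);
-			return NULL;
-		}
-	}
-
-	if (!ctx || !ctx->issuer_cert) {
-		if (ctx && (ctx->flags == CTX_TEST))
-			return AUTHORITY_KEYID_new();
-		X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,
-		    X509V3_R_NO_ISSUER_CERTIFICATE);
-		return NULL;
-	}
-
-	cert = ctx->issuer_cert;
-
-	if (keyid) {
-		i = X509_get_ext_by_NID(cert, NID_subject_key_identifier, -1);
-		if ((i >= 0) && (ext = X509_get_ext(cert, i)))
-			ikeyid = X509V3_EXT_d2i(ext);
-		if (keyid == 2 && !ikeyid) {
-			X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,
-			    X509V3_R_UNABLE_TO_GET_ISSUER_KEYID);
-			return NULL;
-		}
-	}
-
-	if ((issuer && !ikeyid) || (issuer == 2)) {
-		isname = X509_NAME_dup(X509_get_issuer_name(cert));
-		serial = M_ASN1_INTEGER_dup(X509_get_serialNumber(cert));
-		if (!isname || !serial) {
-			X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,
-			    X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS);
-			goto err;
-		}
-	}
-
-	if (!(akeyid = AUTHORITY_KEYID_new()))
-		goto err;
-
-	if (isname) {
-		if (!(gens = sk_GENERAL_NAME_new_null()) ||
-		    !(gen = GENERAL_NAME_new()) ||
-		    !sk_GENERAL_NAME_push(gens, gen)) {
-			X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,
-			    ERR_R_MALLOC_FAILURE);
-			goto err;
-		}
-		gen->type = GEN_DIRNAME;
-		gen->d.dirn = isname;
-	}
-
-	akeyid->issuer = gens;
-	akeyid->serial = serial;
-	akeyid->keyid = ikeyid;
-
-	return akeyid;
-
-err:
-	AUTHORITY_KEYID_free(akeyid);
-	GENERAL_NAME_free(gen);
-	sk_GENERAL_NAME_free(gens);
-	X509_NAME_free(isname);
-	M_ASN1_INTEGER_free(serial);
-	M_ASN1_OCTET_STRING_free(ikeyid);
-	return NULL;
-}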
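diff --git a/src/lib/libcrypto/x509v3/v3_akeya.c b/src/lib/libcrypto/x509v3/v3_akeya.c
deleted file mode 100644
index 1848c0911e..0000000000
--- a/src/lib/libcrypto/x509v3/v3_akeya.c
+++ /dev/null
@@ -1,96 +0,0 @@
-/* $OpenBSD: v3_akeya.c,v 1.6 2015/02/09 16:03:11 jsing Exp $ */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 1999.
- */
-/* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-
-#include <openssl/asn1.h>
-#include <openssl/asn1t.h>
-#include <openssl/conf.h>
-#include <openssl/x509v3.h>
-
-ASN1_SEQUENCE(AUTHORITY_KEYID) = {
-	ASN1_IMP_OPT(AUTHORITY_KEYID, keyid, ASN1_OCTET_STRING, 0),
-	ASN1_IMP_SEQUENCE_OF_OPT(AUTHORITY_KEYID, issuer, GENERAL_NAME, 1),
-	ASN1_IMP_OPT(AUTHORITY_KEYID, serial, ASN1_INTEGER, 2)
-} ASN1_SEQUENCE_END(AUTHORITY_KEYID)
-
-
-AUTHORITY_KEYID *
-d2i_AUTHORITY_KEYID(AUTHORITY_KEYID **a, const unsigned char **in, long len)
-{
-	return (AUTHORITY_KEYID *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
-	    &AUTHORITY_KEYID_it);
-}
-
-int
-i2d_AUTHORITY_KEYID(AUTHORITY_KEYID *a, unsigned char **out)
-{
-	return ASN1_item_i2d((ASN1_VALUE *)a, out, &AUTHORITY_KEYID_it);
-}
-
-AUTHORITY_KEYID *
-AUTHORITY_KEYID_new(void)
-{
-	return (AUTHORITY_KEYID *)ASN1_item_new(&AUTHORITY_KEYID_it);
-}
-
-void
-AUTHORITY_KEYID_free(AUTHORITY_KEYID *a)
-{
-	ASN1_item_free((ASN1_VALUE *)a, &AUTHORITY_KEYID_it);
-}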
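diff --git a/src/lib/libcrypto/x509v3/v3_alt.c b/src/lib/libcrypto/x509v3/v3_alt.c
deleted file mode 100644
index 2592288bdb..0000000000
--- a/src/lib/libcrypto/x509v3/v3_alt.c
+++ /dev/null
@@ -1,646 +0,0 @@
-/* $OpenBSD: v3_alt.c,v 1.22 2014/10/28 05:46:56 miod Exp $ */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project.
- */
-/* ====================================================================
- * Copyright (c) 1999-2003 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-#include <string.h>
-
-#include <openssl/conf.h>
-#include <openssl/err.h>
-#include <openssl/x509v3.h>
-
-static GENERAL_NAMES *v2i_subject_alt(X509V3_EXT_METHOD *method,
-    X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
-static GENERAL_NAMES *v2i_issuer_alt(X509V3_EXT_METHOD *method,
-    X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
-static int copy_email(X509V3_CTX *ctx, GENERAL_NAMES *gens, int move_p);
-static int copy_issuer(X509V3_CTX *ctx, GENERAL_NAMES *gens);
-static int do_othername(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx);
-static int do_dirname(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx);
-
-const X509V3_EXT_METHOD v3_alt[] = {
-	{
-		NID_subject_alt_name, 0, ASN1_ITEM_ref(GENERAL_NAMES),
-		0, 0, 0, 0,
-		0, 0,
-		(X509V3_EXT_I2V)i2v_GENERAL_NAMES,
-		(X509V3_EXT_V2I)v2i_subject_alt,
-		NULL, NULL, NULL
-	},
-	{
-		NID_issuer_alt_name, 0, ASN1_ITEM_ref(GENERAL_NAMES),
-		0, 0, 0, 0,
-		0, 0,
-		(X509V3_EXT_I2V)i2v_GENERAL_NAMES,
-		(X509V3_EXT_V2I)v2i_issuer_alt,
-		NULL, NULL, NULL
-	},
-	{
-		NID_certificate_issuer, 0, ASN1_ITEM_ref(GENERAL_NAMES),
-		0, 0, 0, 0,
-		0, 0,
-		(X509V3_EXT_I2V)i2v_GENERAL_NAMES,
-		NULL, NULL, NULL, NULL
-	},
-};
-
-STACK_OF(CONF_VALUE) *
-i2v_GENERAL_NAMES(X509V3_EXT_METHOD *method, GENERAL_NAMES *gens,
-    STACK_OF(CONF_VALUE) *ret)
-{
-	int i;
-	GENERAL_NAME *gen;
-
-	for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
-		gen = sk_GENERAL_NAME_value(gens, i);
-		ret = i2v_GENERAL_NAME(method, gen, ret);
-	}
-	if (!ret)
-		return sk_CONF_VALUE_new_null();
-	return ret;
-}
-
-STACK_OF(CONF_VALUE) *
-i2v_GENERAL_NAME(X509V3_EXT_METHOD *method, GENERAL_NAME *gen,
-    STACK_OF(CONF_VALUE) *ret)
-{
-	unsigned char *p;
-	char oline[256], htmp[5];
-	int i;
-
-	switch (gen->type) {
-	case GEN_OTHERNAME:
-		X509V3_add_value("othername", "<unsupported>", &ret);
-		break;
-
-	case GEN_X400:
-		X509V3_add_value("X400Name", "<unsupported>", &ret);
-		break;
-
-	case GEN_EDIPARTY:
-		X509V3_add_value("EdiPartyName", "<unsupported>", &ret);
-		break;
-
-	case GEN_EMAIL:
-		X509V3_add_value_uchar("email", gen->d.ia5->data, &ret);
-		break;
-
-	case GEN_DNS:
-		X509V3_add_value_uchar("DNS", gen->d.ia5->data, &ret);
-		break;
-
-	case GEN_URI:
-		X509V3_add_value_uchar("URI", gen->d.ia5->data, &ret);
-		break;
-
-	case GEN_DIRNAME:
-		X509_NAME_oneline(gen->d.dirn, oline, 256);
-		X509V3_add_value("DirName", oline, &ret);
-		break;
-
-	case GEN_IPADD:
-		p = gen->d.ip->data;
-		if (gen->d.ip->length == 4)
-			(void) snprintf(oline, sizeof oline,
-			    "%d.%d.%d.%d", p[0], p[1], p[2], p[3]);
-		else if (gen->d.ip->length == 16) {
-			oline[0] = 0;
-			for (i = 0; i < 8; i++) {
-				(void) snprintf(htmp, sizeof htmp,
-				    "%X", p[0] << 8 | p[1]);
-				p += 2;
-				strlcat(oline, htmp, sizeof(oline));
-				if (i != 7)
-					strlcat(oline, ":", sizeof(oline));
-			}
-		} else {
-			X509V3_add_value("IP Address", "<invalid>", &ret);
-			break;
-		}
-		X509V3_add_value("IP Address", oline, &ret);
-		break;
-
-	case GEN_RID:
-		i2t_ASN1_OBJECT(oline, 256, gen->d.rid);
-		X509V3_add_value("Registered ID", oline, &ret);
-		break;
-	}
-	return ret;
-}
-
-int
-GENERAL_NAME_print(BIO *out, GENERAL_NAME *gen)
-{
-	unsigned char *p;
-	int i;
-
-	switch (gen->type) {
-	case GEN_OTHERNAME:
-		BIO_printf(out, "othername:<unsupported>");
-		break;
-
-	case GEN_X400:
-		BIO_printf(out, "X400Name:<unsupported>");
-		break;
-
-	case GEN_EDIPARTY:
-		/* Maybe fix this: it is supported now */
-		BIO_printf(out, "EdiPartyName:<unsupported>");
-		break;
-
-	case GEN_EMAIL:
-		BIO_printf(out, "email:%s", gen->d.ia5->data);
-		break;
-
-	case GEN_DNS:
-		BIO_printf(out, "DNS:%s", gen->d.ia5->data);
-		break;
-
-	case GEN_URI:
-		BIO_printf(out, "URI:%s", gen->d.ia5->data);
-		break;
-
-	case GEN_DIRNAME:
-		BIO_printf(out, "DirName: ");
-		X509_NAME_print_ex(out, gen->d.dirn, 0, XN_FLAG_ONELINE);
-		break;
-
-	case GEN_IPADD:
-		p = gen->d.ip->data;
-		if (gen->d.ip->length == 4)
-			BIO_printf(out, "IP Address:%d.%d.%d.%d",
-			    p[0], p[1], p[2], p[3]);
-		else if (gen->d.ip->length == 16) {
-			BIO_printf(out, "IP Address");
-			for (i = 0; i < 8; i++) {
-				BIO_printf(out, ":%X", p[0] << 8 | p[1]);
-				p += 2;
-			}
-			BIO_puts(out, "\n");
-		} else {
-			BIO_printf(out, "IP Address:<invalid>");
-			break;
-		}
-		break;
-
-	case GEN_RID:
-		BIO_printf(out, "Registered ID");
-		i2a_ASN1_OBJECT(out, gen->d.rid);
-		break;
-	}
-	return 1;
-}
-
-static GENERAL_NAMES *
-v2i_issuer_alt(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
-    STACK_OF(CONF_VALUE) *nval)
-{
-	GENERAL_NAMES *gens = NULL;
-	CONF_VALUE *cnf;
-	int i;
-
-	if ((gens = sk_GENERAL_NAME_new_null()) == NULL) {
-		X509V3err(X509V3_F_V2I_ISSUER_ALT, ERR_R_MALLOC_FAILURE);
-		return NULL;
-	}
-	for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
-		cnf = sk_CONF_VALUE_value(nval, i);
-		if (name_cmp(cnf->name, "issuer") == 0 && cnf->value != NULL &&
-		    strcmp(cnf->value, "copy") == 0) {
-			if (!copy_issuer(ctx, gens))
-				goto err;
-		} else {
-			GENERAL_NAME *gen;
-			if ((gen = v2i_GENERAL_NAME(method, ctx, cnf)) == NULL)
-				goto err;
-			if (sk_GENERAL_NAME_push(gens, gen) == 0) {
-				GENERAL_NAME_free(gen);
-				goto err;
-			}
-		}
-	}
-	return gens;
-
-err:
-	sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
-	return NULL;
-}
-
-/* Append subject altname of issuer to issuer alt name of subject */
-
-static int
-copy_issuer(X509V3_CTX *ctx, GENERAL_NAMES *gens)
-{
-	GENERAL_NAMES *ialt;
-	GENERAL_NAME *gen;
-	X509_EXTENSION *ext;
-	int i;
-
-	if (ctx && (ctx->flags == CTX_TEST))
-		return 1;
-	if (!ctx || !ctx->issuer_cert) {
-		X509V3err(X509V3_F_COPY_ISSUER, X509V3_R_NO_ISSUER_DETAILS);
-		goto err;
-	}
-	i = X509_get_ext_by_NID(ctx->issuer_cert, NID_subject_alt_name, -1);
-	if (i < 0)
-		return 1;
-	if (!(ext = X509_get_ext(ctx->issuer_cert, i)) ||
-	    !(ialt = X509V3_EXT_d2i(ext))) {
-		X509V3err(X509V3_F_COPY_ISSUER, X509V3_R_ISSUER_DECODE_ERROR);
-		goto err;
-	}
-
-	for (i = 0; i < sk_GENERAL_NAME_num(ialt); i++) {
-		gen = sk_GENERAL_NAME_value(ialt, i);
-		if (!sk_GENERAL_NAME_push(gens, gen)) {
-			X509V3err(X509V3_F_COPY_ISSUER, ERR_R_MALLOC_FAILURE);
-			goto err;
-		}
-	}
-	sk_GENERAL_NAME_free(ialt);
-
-	return 1;
-
-err:
-	return 0;
-
-}
-
-static GENERAL_NAMES *
-v2i_subject_alt(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
-    STACK_OF(CONF_VALUE) *nval)
-{
-	GENERAL_NAMES *gens = NULL;
-	CONF_VALUE *cnf;
-	int i;
-
-	if (!(gens = sk_GENERAL_NAME_new_null())) {
-		X509V3err(X509V3_F_V2I_SUBJECT_ALT, ERR_R_MALLOC_FAILURE);
-		return NULL;
-	}
-	for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
-		cnf = sk_CONF_VALUE_value(nval, i);
-		if (!name_cmp(cnf->name, "email") && cnf->value &&
-		    !strcmp(cnf->value, "copy")) {
-			if (!copy_email(ctx, gens, 0))
-				goto err;
-		} else if (!name_cmp(cnf->name, "email") && cnf->value &&
-		    !strcmp(cnf->value, "move")) {
-			if (!copy_email(ctx, gens, 1))
-				goto err;
-		} else {
-			GENERAL_NAME *gen;
-			if (!(gen = v2i_GENERAL_NAME(method, ctx, cnf)))
-				goto err;
-			if (sk_GENERAL_NAME_push(gens, gen) == 0) {
-				GENERAL_NAME_free(gen);
-				goto err;
-			}
-		}
-	}
-	return gens;
-
-err:
-	sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
-	return NULL;
-}
-
-/* Copy any email addresses in a certificate or request to
- * GENERAL_NAMES
- */
-
-static int
-copy_email(X509V3_CTX *ctx, GENERAL_NAMES *gens, int move_p)
-{
-	X509_NAME *nm;
-	ASN1_IA5STRING *email = NULL;
-	X509_NAME_ENTRY *ne;
-	GENERAL_NAME *gen = NULL;
-	int i;
-
-	if (ctx != NULL && ctx->flags == CTX_TEST)
-		return 1;
-	if (!ctx || (!ctx->subject_cert && !ctx->subject_req)) {
-		X509V3err(X509V3_F_COPY_EMAIL, X509V3_R_NO_SUBJECT_DETAILS);
-		goto err;
-	}
-	/* Find the subject name */
-	if (ctx->subject_cert)
-		nm = X509_get_subject_name(ctx->subject_cert);
-	else
-		nm = X509_REQ_get_subject_name(ctx->subject_req);
-
-	/* Now add any email address(es) to STACK */
-	i = -1;
-	while ((i = X509_NAME_get_index_by_NID(nm,
-	    NID_pkcs9_emailAddress, i)) >= 0) {
-		ne = X509_NAME_get_entry(nm, i);
-		email = M_ASN1_IA5STRING_dup(X509_NAME_ENTRY_get_data(ne));
-		if (move_p) {
-			X509_NAME_delete_entry(nm, i);
-			X509_NAME_ENTRY_free(ne);
-			i--;
-		}
-		if (!email || !(gen = GENERAL_NAME_new())) {
-			X509V3err(X509V3_F_COPY_EMAIL, ERR_R_MALLOC_FAILURE);
-			goto err;
-		}
-		gen->d.ia5 = email;
-		email = NULL;
-		gen->type = GEN_EMAIL;
-		if (!sk_GENERAL_NAME_push(gens, gen)) {
-			X509V3err(X509V3_F_COPY_EMAIL, ERR_R_MALLOC_FAILURE);
-			goto err;
-		}
-		gen = NULL;
-	}
-
-	return 1;
-
-err:
-	GENERAL_NAME_free(gen);
-	M_ASN1_IA5STRING_free(email);
-	return 0;
-}
-
-GENERAL_NAMES *
-v2i_GENERAL_NAMES(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
-    STACK_OF(CONF_VALUE) *nval)
-{
-	GENERAL_NAME *gen;
-	GENERAL_NAMES *gens = NULL;
-	CONF_VALUE *cnf;
-	int i;
-
-	if (!(gens = sk_GENERAL_NAME_new_null())) {
-		X509V3err(X509V3_F_V2I_GENERAL_NAMES, ERR_R_MALLOC_FAILURE);
-		return NULL;
-	}
-	for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
-		cnf = sk_CONF_VALUE_value(nval, i);
-		if (!(gen = v2i_GENERAL_NAME(method, ctx, cnf)))
-			goto err;
-		if (sk_GENERAL_NAME_push(gens, gen) == 0) {
-			GENERAL_NAME_free(gen);
-			goto err;
-		}
-	}
-	return gens;
-
-err:
-	sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
-	return NULL;
-}
-
-GENERAL_NAME *
-v2i_GENERAL_NAME(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
-    CONF_VALUE *cnf)
-{
-	return v2i_GENERAL_NAME_ex(NULL, method, ctx, cnf, 0);
-}
-
-GENERAL_NAME *
-a2i_GENERAL_NAME(GENERAL_NAME *out, const X509V3_EXT_METHOD *method,
-    X509V3_CTX *ctx, int gen_type, char *value, int is_nc)
-{
-	char is_string = 0;
-	GENERAL_NAME *gen = NULL;
-
-	if (!value) {
-		X509V3err(X509V3_F_A2I_GENERAL_NAME, X509V3_R_MISSING_VALUE);
-		return NULL;
-	}
-
-	if (out)
-		gen = out;
-	else {
-		gen = GENERAL_NAME_new();
-		if (gen == NULL) {
-			X509V3err(X509V3_F_A2I_GENERAL_NAME,
-			    ERR_R_MALLOC_FAILURE);
-			return NULL;
-		}
-	}
-
-	switch (gen_type) {
-	case GEN_URI:
-	case GEN_EMAIL:
-	case GEN_DNS:
-		is_string = 1;
-		break;
-
-	case GEN_RID:
-		{
-			ASN1_OBJECT *obj;
-			if (!(obj = OBJ_txt2obj(value, 0))) {
-				X509V3err(X509V3_F_A2I_GENERAL_NAME,
-				    X509V3_R_BAD_OBJECT);
-				ERR_asprintf_error_data("value=%s", value);
-				goto err;
-			}
-			gen->d.rid = obj;
-		}
-		break;
-
-	case GEN_IPADD:
-		if (is_nc)
-			gen->d.ip = a2i_IPADDRESS_NC(value);
-		else
-			gen->d.ip = a2i_IPADDRESS(value);
-		if (gen->d.ip == NULL) {
-			X509V3err(X509V3_F_A2I_GENERAL_NAME,
-			    X509V3_R_BAD_IP_ADDRESS);
-			ERR_asprintf_error_data("value=%s", value);
-			goto err;
-		}
-		break;
-
-	case GEN_DIRNAME:
-		if (!do_dirname(gen, value, ctx)) {
-			X509V3err(X509V3_F_A2I_GENERAL_NAME,
-			    X509V3_R_DIRNAME_ERROR);
-			goto err;
-		}
-		break;
-
-	case GEN_OTHERNAME:
-		if (!do_othername(gen, value, ctx)) {
-			X509V3err(X509V3_F_A2I_GENERAL_NAME,
-			    X509V3_R_OTHERNAME_ERROR);
-			goto err;
-		}
-		break;
-
-	default:
-		X509V3err(X509V3_F_A2I_GENERAL_NAME, X509V3_R_UNSUPPORTED_TYPE);
-		goto err;
-	}
-
-	if (is_string) {
-		if (!(gen->d.ia5 = M_ASN1_IA5STRING_new()) ||
-		    !ASN1_STRING_set(gen->d.ia5, (unsigned char*)value,
-		    strlen(value))) {
-			X509V3err(X509V3_F_A2I_GENERAL_NAME,
-			    ERR_R_MALLOC_FAILURE);
-			goto err;
-		}
-	}
-
-	gen->type = gen_type;
-
-	return gen;
-
-err:
-	if (out == NULL)
-		GENERAL_NAME_free(gen);
-	return NULL;
-}
-
-GENERAL_NAME *
-v2i_GENERAL_NAME_ex(GENERAL_NAME *out, const X509V3_EXT_METHOD *method,
-    X509V3_CTX *ctx, CONF_VALUE *cnf, int is_nc)
-{
-	int type;
-	char *name, *value;
-
-	name = cnf->name;
-	value = cnf->value;
-
-	if (!value) {
-		X509V3err(X509V3_F_V2I_GENERAL_NAME_EX, X509V3_R_MISSING_VALUE);
-		return NULL;
-	}
-
-	if (!name_cmp(name, "email"))
-		type = GEN_EMAIL;
-	else if (!name_cmp(name, "URI"))
-		type = GEN_URI;
-	else if (!name_cmp(name, "DNS"))
-		type = GEN_DNS;
-	else if (!name_cmp(name, "RID"))
-		type = GEN_RID;
-	else if (!name_cmp(name, "IP"))
-		type = GEN_IPADD;
-	else if (!name_cmp(name, "dirName"))
-		type = GEN_DIRNAME;
-	else if (!name_cmp(name, "otherName"))
-		type = GEN_OTHERNAME;
-	else {
-		X509V3err(X509V3_F_V2I_GENERAL_NAME_EX,
-		    X509V3_R_UNSUPPORTED_OPTION);
-		ERR_asprintf_error_data("name=%s", name);
-		return NULL;
-	}
-
-	return a2i_GENERAL_NAME(out, method, ctx, type, value, is_nc);
-}
-
-static int
-do_othername(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx)
-{
-	char *objtmp = NULL, *p;
-	int objlen;
-
-	if (!(p = strchr(value, ';')))
-		return 0;
-	if (!(gen->d.otherName = OTHERNAME_new()))
-		return 0;
-	/* Free this up because we will overwrite it.
-	 * no need to free type_id because it is static
-	 */
-	ASN1_TYPE_free(gen->d.otherName->value);
-	if (!(gen->d.otherName->value = ASN1_generate_v3(p + 1, ctx)))
-		return 0;
-	objlen = p - value;
-	objtmp = malloc(objlen + 1);
-	if (objtmp) {
-		strlcpy(objtmp, value, objlen + 1);
-		gen->d.otherName->type_id = OBJ_txt2obj(objtmp, 0);
-		free(objtmp);
-	} else
-		gen->d.otherName->type_id = NULL;
-	if (!gen->d.otherName->type_id)
-		return 0;
-	return 1;
-}
-
-static int
-do_dirname(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx)
-{
-	int ret;
-	STACK_OF(CONF_VALUE) *sk;
-	X509_NAME *nm;
-
-	if (!(nm = X509_NAME_new()))
-		return 0;
-	sk = X509V3_get_section(ctx, value);
-	if (!sk) {
-		X509V3err(X509V3_F_DO_DIRNAME, X509V3_R_SECTION_NOT_FOUND);
-		ERR_asprintf_error_data("section=%s", value);
-		X509_NAME_free(nm);
-		return 0;
-	}
-	/* FIXME: should allow other character types... */
-	ret = X509V3_NAME_from_section(nm, sk, MBSTRING_ASC);
-	if (!ret)
-		X509_NAME_free(nm);
-	gen->d.dirn = nm;
-	X509V3_section_free(ctx, sk);
-
-	return ret;
-}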
diff --git a/src/lib/libcrypto/x509v3/v3_bcons.c b/src/lib/libcrypto/x509v3/v3_bcons.c
deleted file mode 100644
index fb3f6c7619..0000000000
--- a/src/lib/libcrypto/x509v3/v3_bcons.c
+++ /dev/null
@@ -1,157 +0,0 @@
1/* $OpenBSD: v3_bcons.c,v 1.11 2015/02/09 16:03:11 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include <string.h>
61
62#include <openssl/asn1.h>
63#include <openssl/asn1t.h>
64#include <openssl/conf.h>
65#include <openssl/err.h>
66#include <openssl/x509v3.h>
67
68static STACK_OF(CONF_VALUE) *i2v_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method,
69 BASIC_CONSTRAINTS *bcons, STACK_OF(CONF_VALUE) *extlist);
70static BASIC_CONSTRAINTS *v2i_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method,
71 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values);
72
73const X509V3_EXT_METHOD v3_bcons = {
74 NID_basic_constraints, 0,
75 ASN1_ITEM_ref(BASIC_CONSTRAINTS),
76 0, 0, 0, 0,
77 0, 0,
78 (X509V3_EXT_I2V)i2v_BASIC_CONSTRAINTS,
79 (X509V3_EXT_V2I)v2i_BASIC_CONSTRAINTS,
80 NULL, NULL,
81 NULL
82};
83
84ASN1_SEQUENCE(BASIC_CONSTRAINTS) = {
85 ASN1_OPT(BASIC_CONSTRAINTS, ca, ASN1_FBOOLEAN),
86 ASN1_OPT(BASIC_CONSTRAINTS, pathlen, ASN1_INTEGER)
87} ASN1_SEQUENCE_END(BASIC_CONSTRAINTS)
88
89
90BASIC_CONSTRAINTS *
91d2i_BASIC_CONSTRAINTS(BASIC_CONSTRAINTS **a, const unsigned char **in, long len)
92{
93 return (BASIC_CONSTRAINTS *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
94 &BASIC_CONSTRAINTS_it);
95}
96
97int
98i2d_BASIC_CONSTRAINTS(BASIC_CONSTRAINTS *a, unsigned char **out)
99{
100 return ASN1_item_i2d((ASN1_VALUE *)a, out, &BASIC_CONSTRAINTS_it);
101}
102
103BASIC_CONSTRAINTS *
104BASIC_CONSTRAINTS_new(void)
105{
106 return (BASIC_CONSTRAINTS *)ASN1_item_new(&BASIC_CONSTRAINTS_it);
107}
108
109void
110BASIC_CONSTRAINTS_free(BASIC_CONSTRAINTS *a)
111{
112 ASN1_item_free((ASN1_VALUE *)a, &BASIC_CONSTRAINTS_it);
113}
114
115
116static STACK_OF(CONF_VALUE) *
117i2v_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method, BASIC_CONSTRAINTS *bcons,
118 STACK_OF(CONF_VALUE) *extlist)
119{
120 X509V3_add_value_bool("CA", bcons->ca, &extlist);
121 X509V3_add_value_int("pathlen", bcons->pathlen, &extlist);
122 return extlist;
123}
124
125static BASIC_CONSTRAINTS *
126v2i_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
127 STACK_OF(CONF_VALUE) *values)
128{
129 BASIC_CONSTRAINTS *bcons = NULL;
130 CONF_VALUE *val;
131 int i;
132
133 if (!(bcons = BASIC_CONSTRAINTS_new())) {
134 X509V3err(X509V3_F_V2I_BASIC_CONSTRAINTS, ERR_R_MALLOC_FAILURE);
135 return NULL;
136 }
137 for (i = 0; i < sk_CONF_VALUE_num(values); i++) {
138 val = sk_CONF_VALUE_value(values, i);
139 if (!strcmp(val->name, "CA")) {
140 if (!X509V3_get_value_bool(val, &bcons->ca))
141 goto err;
142 } else if (!strcmp(val->name, "pathlen")) {
143 if (!X509V3_get_value_int(val, &bcons->pathlen))
144 goto err;
145 } else {
146 X509V3err(X509V3_F_V2I_BASIC_CONSTRAINTS,
147 X509V3_R_INVALID_NAME);
148 X509V3_conf_err(val);
149 goto err;
150 }
151 }
152 return bcons;
153
154err:
155 BASIC_CONSTRAINTS_free(bcons);
156 return NULL;
157}
diff --git a/src/lib/libcrypto/x509v3/v3_bitst.c b/src/lib/libcrypto/x509v3/v3_bitst.c
deleted file mode 100644
index c0c6ad3d8c..0000000000
--- a/src/lib/libcrypto/x509v3/v3_bitst.c
+++ /dev/null
@@ -1,147 +0,0 @@
1/* $OpenBSD: v3_bitst.c,v 1.10 2014/07/11 08:44:49 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include <string.h>
61
62#include <openssl/conf.h>
63#include <openssl/err.h>
64#include <openssl/x509v3.h>
65
66static BIT_STRING_BITNAME ns_cert_type_table[] = {
67 {0, "SSL Client", "client"},
68 {1, "SSL Server", "server"},
69 {2, "S/MIME", "email"},
70 {3, "Object Signing", "objsign"},
71 {4, "Unused", "reserved"},
72 {5, "SSL CA", "sslCA"},
73 {6, "S/MIME CA", "emailCA"},
74 {7, "Object Signing CA", "objCA"},
75 {-1, NULL, NULL}
76};
77
78static BIT_STRING_BITNAME key_usage_type_table[] = {
79 {0, "Digital Signature", "digitalSignature"},
80 {1, "Non Repudiation", "nonRepudiation"},
81 {2, "Key Encipherment", "keyEncipherment"},
82 {3, "Data Encipherment", "dataEncipherment"},
83 {4, "Key Agreement", "keyAgreement"},
84 {5, "Certificate Sign", "keyCertSign"},
85 {6, "CRL Sign", "cRLSign"},
86 {7, "Encipher Only", "encipherOnly"},
87 {8, "Decipher Only", "decipherOnly"},
88 {-1, NULL, NULL}
89};
90
91
92const X509V3_EXT_METHOD v3_nscert =
93 EXT_BITSTRING(NID_netscape_cert_type, ns_cert_type_table);
94const X509V3_EXT_METHOD v3_key_usage =
95 EXT_BITSTRING(NID_key_usage, key_usage_type_table);
96
97STACK_OF(CONF_VALUE) *
98i2v_ASN1_BIT_STRING(X509V3_EXT_METHOD *method, ASN1_BIT_STRING *bits,
99 STACK_OF(CONF_VALUE) *ret)
100{
101 BIT_STRING_BITNAME *bnam;
102
103 for (bnam = method->usr_data; bnam->lname; bnam++) {
104 if (ASN1_BIT_STRING_get_bit(bits, bnam->bitnum))
105 X509V3_add_value(bnam->lname, NULL, &ret);
106 }
107 return ret;
108}
109
110ASN1_BIT_STRING *
111v2i_ASN1_BIT_STRING(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
112 STACK_OF(CONF_VALUE) *nval)
113{
114 CONF_VALUE *val;
115 ASN1_BIT_STRING *bs;
116 int i;
117 BIT_STRING_BITNAME *bnam;
118
119 if (!(bs = M_ASN1_BIT_STRING_new())) {
120 X509V3err(X509V3_F_V2I_ASN1_BIT_STRING, ERR_R_MALLOC_FAILURE);
121 return NULL;
122 }
123 for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
124 val = sk_CONF_VALUE_value(nval, i);
125 for (bnam = method->usr_data; bnam->lname; bnam++) {
126 if (!strcmp(bnam->sname, val->name) ||
127 !strcmp(bnam->lname, val->name) ) {
128 if (!ASN1_BIT_STRING_set_bit(bs,
129 bnam->bitnum, 1)) {
130 X509V3err(X509V3_F_V2I_ASN1_BIT_STRING,
131 ERR_R_MALLOC_FAILURE);
132 M_ASN1_BIT_STRING_free(bs);
133 return NULL;
134 }
135 break;
136 }
137 }
138 if (!bnam->lname) {
139 X509V3err(X509V3_F_V2I_ASN1_BIT_STRING,
140 X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT);
141 X509V3_conf_err(val);
142 M_ASN1_BIT_STRING_free(bs);
143 return NULL;
144 }
145 }
146 return bs;
147}
diff --git a/src/lib/libcrypto/x509v3/v3_conf.c b/src/lib/libcrypto/x509v3/v3_conf.c
deleted file mode 100644
index d48a4ac65c..0000000000
--- a/src/lib/libcrypto/x509v3/v3_conf.c
+++ /dev/null
@@ -1,572 +0,0 @@
1/* $OpenBSD: v3_conf.c,v 1.17 2015/02/17 05:14:38 miod Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999-2002 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58/* extension creation utilities */
59
60#include <ctype.h>
61#include <stdio.h>
62#include <string.h>
63
64#include <openssl/conf.h>
65#include <openssl/err.h>
66#include <openssl/x509.h>
67#include <openssl/x509v3.h>
68
69static int v3_check_critical(char **value);
70static int v3_check_generic(char **value);
71static X509_EXTENSION *do_ext_nconf(CONF *conf, X509V3_CTX *ctx, int ext_nid,
72 int crit, char *value);
73static X509_EXTENSION *v3_generic_extension(const char *ext, char *value,
74 int crit, int type, X509V3_CTX *ctx);
75static char *conf_lhash_get_string(void *db, char *section, char *value);
76static STACK_OF(CONF_VALUE) *conf_lhash_get_section(void *db, char *section);
77static X509_EXTENSION *do_ext_i2d(const X509V3_EXT_METHOD *method, int ext_nid,
78 int crit, void *ext_struc);
79static unsigned char *generic_asn1(char *value, X509V3_CTX *ctx, long *ext_len);
80
81/* CONF *conf: Config file */
82/* char *name: Name */
83/* char *value: Value */
84X509_EXTENSION *
85X509V3_EXT_nconf(CONF *conf, X509V3_CTX *ctx, char *name, char *value)
86{
87 int crit;
88 int ext_type;
89 X509_EXTENSION *ret;
90
91 crit = v3_check_critical(&value);
92 if ((ext_type = v3_check_generic(&value)))
93 return v3_generic_extension(name, value, crit, ext_type, ctx);
94 ret = do_ext_nconf(conf, ctx, OBJ_sn2nid(name), crit, value);
95 if (!ret) {
96 X509V3err(X509V3_F_X509V3_EXT_NCONF,
97 X509V3_R_ERROR_IN_EXTENSION);
98 ERR_asprintf_error_data("name=%s, value=%s", name, value);
99 }
100 return ret;
101}
102
103/* CONF *conf: Config file */
104/* char *value: Value */
105X509_EXTENSION *
106X509V3_EXT_nconf_nid(CONF *conf, X509V3_CTX *ctx, int ext_nid, char *value)
107{
108 int crit;
109 int ext_type;
110
111 crit = v3_check_critical(&value);
112 if ((ext_type = v3_check_generic(&value)))
113 return v3_generic_extension(OBJ_nid2sn(ext_nid),
114 value, crit, ext_type, ctx);
115 return do_ext_nconf(conf, ctx, ext_nid, crit, value);
116}
117
118/* CONF *conf: Config file */
119/* char *value: Value */
120static X509_EXTENSION *
121do_ext_nconf(CONF *conf, X509V3_CTX *ctx, int ext_nid, int crit, char *value)
122{
123 const X509V3_EXT_METHOD *method;
124 X509_EXTENSION *ext;
125 void *ext_struc;
126
127 if (ext_nid == NID_undef) {
128 X509V3err(X509V3_F_DO_EXT_NCONF,
129 X509V3_R_UNKNOWN_EXTENSION_NAME);
130 return NULL;
131 }
132 if (!(method = X509V3_EXT_get_nid(ext_nid))) {
133 X509V3err(X509V3_F_DO_EXT_NCONF, X509V3_R_UNKNOWN_EXTENSION);
134 return NULL;
135 }
136 /* Now get internal extension representation based on type */
137 if (method->v2i) {
138 STACK_OF(CONF_VALUE) *nval;
139
140 if (*value == '@')
141 nval = NCONF_get_section(conf, value + 1);
142 else
143 nval = X509V3_parse_list(value);
144 if (sk_CONF_VALUE_num(nval) <= 0) {
145 X509V3err(X509V3_F_DO_EXT_NCONF,
146 X509V3_R_INVALID_EXTENSION_STRING);
147 ERR_asprintf_error_data("name=%s,section=%s",
148 OBJ_nid2sn(ext_nid), value);
149 if (*value != '@')
150 sk_CONF_VALUE_pop_free(nval, X509V3_conf_free);
151 return NULL;
152 }
153 ext_struc = method->v2i(method, ctx, nval);
154 if (*value != '@')
155 sk_CONF_VALUE_pop_free(nval, X509V3_conf_free);
156 } else if (method->s2i) {
157 ext_struc = method->s2i(method, ctx, value);
158 } else if (method->r2i) {
159 if (!ctx->db || !ctx->db_meth) {
160 X509V3err(X509V3_F_DO_EXT_NCONF,
161 X509V3_R_NO_CONFIG_DATABASE);
162 return NULL;
163 }
164 ext_struc = method->r2i(method, ctx, value);
165 } else {
166 X509V3err(X509V3_F_DO_EXT_NCONF,
167 X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED);
168 ERR_asprintf_error_data("name=%s", OBJ_nid2sn(ext_nid));
169 return NULL;
170 }
171 if (ext_struc == NULL)
172 return NULL;
173
174 ext = do_ext_i2d(method, ext_nid, crit, ext_struc);
175 if (method->it)
176 ASN1_item_free(ext_struc, ASN1_ITEM_ptr(method->it));
177 else
178 method->ext_free(ext_struc);
179 return ext;
180}
181
182static X509_EXTENSION *
183do_ext_i2d(const X509V3_EXT_METHOD *method, int ext_nid, int crit,
184 void *ext_struc)
185{
186 unsigned char *ext_der;
187 int ext_len;
188 ASN1_OCTET_STRING *ext_oct = NULL;
189 X509_EXTENSION *ext;
190
191 /* Convert internal representation to DER */
192 if (method->it) {
193 ext_der = NULL;
194 ext_len = ASN1_item_i2d(ext_struc, &ext_der,
195 ASN1_ITEM_ptr(method->it));
196 if (ext_len < 0)
197 goto merr;
198 } else {
199 unsigned char *p;
200 ext_len = method->i2d(ext_struc, NULL);
201 if (!(ext_der = malloc(ext_len)))
202 goto merr;
203 p = ext_der;
204 method->i2d(ext_struc, &p);
205 }
206 if (!(ext_oct = M_ASN1_OCTET_STRING_new()))
207 goto merr;
208 ext_oct->data = ext_der;
209 ext_oct->length = ext_len;
210
211 ext = X509_EXTENSION_create_by_NID(NULL, ext_nid, crit, ext_oct);
212 if (!ext)
213 goto merr;
214 M_ASN1_OCTET_STRING_free(ext_oct);
215
216 return ext;
217
218merr:
219 M_ASN1_OCTET_STRING_free(ext_oct);
220 X509V3err(X509V3_F_DO_EXT_I2D, ERR_R_MALLOC_FAILURE);
221 return NULL;
222
223}
224
225/* Given an internal structure, nid and critical flag create an extension */
226
227X509_EXTENSION *
228X509V3_EXT_i2d(int ext_nid, int crit, void *ext_struc)
229{
230 const X509V3_EXT_METHOD *method;
231
232 if (!(method = X509V3_EXT_get_nid(ext_nid))) {
233 X509V3err(X509V3_F_X509V3_EXT_I2D, X509V3_R_UNKNOWN_EXTENSION);
234 return NULL;
235 }
236 return do_ext_i2d(method, ext_nid, crit, ext_struc);
237}
238
239/* Check the extension string for critical flag */
240static int
241v3_check_critical(char **value)
242{
243 char *p = *value;
244
245 if ((strlen(p) < 9) || strncmp(p, "critical,", 9))
246 return 0;
247 p += 9;
248 while (isspace((unsigned char)*p)) p++;
249 *value = p;
250 return 1;
251}
252
253/* Check extension string for generic extension and return the type */
254static int
255v3_check_generic(char **value)
256{
257 int gen_type = 0;
258 char *p = *value;
259
260 if ((strlen(p) >= 4) && !strncmp(p, "DER:", 4)) {
261 p += 4;
262 gen_type = 1;
263 } else if ((strlen(p) >= 5) && !strncmp(p, "ASN1:", 5)) {
264 p += 5;
265 gen_type = 2;
266 } else
267 return 0;
268
269 while (isspace((unsigned char)*p))
270 p++;
271 *value = p;
272 return gen_type;
273}
274
275/* Create a generic extension: for now just handle DER type */
276static X509_EXTENSION *
277v3_generic_extension(const char *ext, char *value, int crit, int gen_type,
278 X509V3_CTX *ctx)
279{
280 unsigned char *ext_der = NULL;
281 long ext_len;
282 ASN1_OBJECT *obj = NULL;
283 ASN1_OCTET_STRING *oct = NULL;
284 X509_EXTENSION *extension = NULL;
285
286 if (!(obj = OBJ_txt2obj(ext, 0))) {
287 X509V3err(X509V3_F_V3_GENERIC_EXTENSION,
288 X509V3_R_EXTENSION_NAME_ERROR);
289 ERR_asprintf_error_data("name=%s", ext);
290 goto err;
291 }
292
293 if (gen_type == 1)
294 ext_der = string_to_hex(value, &ext_len);
295 else if (gen_type == 2)
296 ext_der = generic_asn1(value, ctx, &ext_len);
297
298 if (ext_der == NULL) {
299 X509V3err(X509V3_F_V3_GENERIC_EXTENSION,
300 X509V3_R_EXTENSION_VALUE_ERROR);
301 ERR_asprintf_error_data("value=%s", value);
302 goto err;
303 }
304
305 if (!(oct = M_ASN1_OCTET_STRING_new())) {
306 X509V3err(X509V3_F_V3_GENERIC_EXTENSION, ERR_R_MALLOC_FAILURE);
307 goto err;
308 }
309
310 oct->data = ext_der;
311 oct->length = ext_len;
312 ext_der = NULL;
313
314 extension = X509_EXTENSION_create_by_OBJ(NULL, obj, crit, oct);
315
316err:
317 ASN1_OBJECT_free(obj);
318 M_ASN1_OCTET_STRING_free(oct);
319 free(ext_der);
320 return extension;
321}
322
323static unsigned char *
324generic_asn1(char *value, X509V3_CTX *ctx, long *ext_len)
325{
326 ASN1_TYPE *typ;
327 unsigned char *ext_der = NULL;
328
329 typ = ASN1_generate_v3(value, ctx);
330 if (typ == NULL)
331 return NULL;
332 *ext_len = i2d_ASN1_TYPE(typ, &ext_der);
333 ASN1_TYPE_free(typ);
334 return ext_der;
335}
336
337/* This is the main function: add a bunch of extensions based on a config file
338 * section to an extension STACK.
339 */
340
341int
342X509V3_EXT_add_nconf_sk(CONF *conf, X509V3_CTX *ctx, char *section,
343 STACK_OF(X509_EXTENSION) **sk)
344{
345 X509_EXTENSION *ext;
346 STACK_OF(CONF_VALUE) *nval;
347 CONF_VALUE *val;
348 int i;
349
350 if (!(nval = NCONF_get_section(conf, section)))
351 return 0;
352 for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
353 val = sk_CONF_VALUE_value(nval, i);
354 if (!(ext = X509V3_EXT_nconf(conf, ctx, val->name, val->value)))
355 return 0;
356 if (sk)
357 X509v3_add_ext(sk, ext, -1);
358 X509_EXTENSION_free(ext);
359 }
360 return 1;
361}
362
363/* Convenience functions to add extensions to a certificate, CRL and request */
364
365int
366X509V3_EXT_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section, X509 *cert)
367{
368 STACK_OF(X509_EXTENSION) **sk = NULL;
369
370 if (cert)
371 sk = &cert->cert_info->extensions;
372 return X509V3_EXT_add_nconf_sk(conf, ctx, section, sk);
373}
374
375/* Same as above but for a CRL */
376
377int
378X509V3_EXT_CRL_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section,
379 X509_CRL *crl)
380{
381 STACK_OF(X509_EXTENSION) **sk = NULL;
382
383 if (crl)
384 sk = &crl->crl->extensions;
385 return X509V3_EXT_add_nconf_sk(conf, ctx, section, sk);
386}
387
388/* Add extensions to certificate request */
389
390int
391X509V3_EXT_REQ_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section,
392 X509_REQ *req)
393{
394 STACK_OF(X509_EXTENSION) *extlist = NULL, **sk = NULL;
395 int i;
396
397 if (req)
398 sk = &extlist;
399 i = X509V3_EXT_add_nconf_sk(conf, ctx, section, sk);
400 if (!i || !sk)
401 return i;
402 i = X509_REQ_add_extensions(req, extlist);
403 sk_X509_EXTENSION_pop_free(extlist, X509_EXTENSION_free);
404 return i;
405}
406
407/* Config database functions */
408
409char *
410X509V3_get_string(X509V3_CTX *ctx, char *name, char *section)
411{
412 if (!ctx->db || !ctx->db_meth || !ctx->db_meth->get_string) {
413 X509V3err(X509V3_F_X509V3_GET_STRING,
414 X509V3_R_OPERATION_NOT_DEFINED);
415 return NULL;
416 }
417 if (ctx->db_meth->get_string)
418 return ctx->db_meth->get_string(ctx->db, name, section);
419 return NULL;
420}
421
422STACK_OF(CONF_VALUE) *
423X509V3_get_section(X509V3_CTX *ctx, char *section)
424{
425 if (!ctx->db || !ctx->db_meth || !ctx->db_meth->get_section) {
426 X509V3err(X509V3_F_X509V3_GET_SECTION,
427 X509V3_R_OPERATION_NOT_DEFINED);
428 return NULL;
429 }
430 if (ctx->db_meth->get_section)
431 return ctx->db_meth->get_section(ctx->db, section);
432 return NULL;
433}
434
435void
436X509V3_string_free(X509V3_CTX *ctx, char *str)
437{
438 if (!str)
439 return;
440 if (ctx->db_meth->free_string)
441 ctx->db_meth->free_string(ctx->db, str);
442}
443
444void
445X509V3_section_free(X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *section)
446{
447 if (!section)
448 return;
449 if (ctx->db_meth->free_section)
450 ctx->db_meth->free_section(ctx->db, section);
451}
452
453static char *
454nconf_get_string(void *db, char *section, char *value)
455{
456 return NCONF_get_string(db, section, value);
457}
458
459static
460STACK_OF(CONF_VALUE) *nconf_get_section(void *db, char *section)
461{
462 return NCONF_get_section(db, section);
463}
464
465static X509V3_CONF_METHOD nconf_method = {
466 nconf_get_string,
467 nconf_get_section,
468 NULL,
469 NULL
470};
471
472void
473X509V3_set_nconf(X509V3_CTX *ctx, CONF *conf)
474{
475 ctx->db_meth = &nconf_method;
476 ctx->db = conf;
477}
478
479void
480X509V3_set_ctx(X509V3_CTX *ctx, X509 *issuer, X509 *subj, X509_REQ *req,
481 X509_CRL *crl, int flags)
482{
483 ctx->issuer_cert = issuer;
484 ctx->subject_cert = subj;
485 ctx->crl = crl;
486 ctx->subject_req = req;
487 ctx->flags = flags;
488}
489
490/* Old conf compatibility functions */
491
492X509_EXTENSION *
493X509V3_EXT_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx, char *name,
494 char *value)
495{
496 CONF ctmp;
497
498 CONF_set_nconf(&ctmp, conf);
499 return X509V3_EXT_nconf(&ctmp, ctx, name, value);
500}
501
502/* LHASH *conf: Config file */
503/* char *value: Value */
504X509_EXTENSION *
505X509V3_EXT_conf_nid(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx, int ext_nid,
506 char *value)
507{
508 CONF ctmp;
509
510 CONF_set_nconf(&ctmp, conf);
511 return X509V3_EXT_nconf_nid(&ctmp, ctx, ext_nid, value);
512}
513
514static char *
515conf_lhash_get_string(void *db, char *section, char *value)
516{
517 return CONF_get_string(db, section, value);
518}
519
520static STACK_OF(CONF_VALUE) *
521conf_lhash_get_section(void *db, char *section)
522{
523 return CONF_get_section(db, section);
524}
525
526static X509V3_CONF_METHOD conf_lhash_method = {
527 conf_lhash_get_string,
528 conf_lhash_get_section,
529 NULL,
530 NULL
531};
532
533void
534X509V3_set_conf_lhash(X509V3_CTX *ctx, LHASH_OF(CONF_VALUE) *lhash)
535{
536 ctx->db_meth = &conf_lhash_method;
537 ctx->db = lhash;
538}
539
540int
541X509V3_EXT_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx, char *section,
542 X509 *cert)
543{
544 CONF ctmp;
545
546 CONF_set_nconf(&ctmp, conf);
547 return X509V3_EXT_add_nconf(&ctmp, ctx, section, cert);
548}
549
550/* Same as above but for a CRL */
551
552int
553X509V3_EXT_CRL_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
554 char *section, X509_CRL *crl)
555{
556 CONF ctmp;
557
558 CONF_set_nconf(&ctmp, conf);
559 return X509V3_EXT_CRL_add_nconf(&ctmp, ctx, section, crl);
560}
561
562/* Add extensions to certificate request */
563
564int
565X509V3_EXT_REQ_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
566 char *section, X509_REQ *req)
567{
568 CONF ctmp;
569
570 CONF_set_nconf(&ctmp, conf);
571 return X509V3_EXT_REQ_add_nconf(&ctmp, ctx, section, req);
572}
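--- a/src/lib/libcrypto/x509v3/v3_cpols.c
+++ /dev/null
@@ -1,617 +0,0 @@
-/* $OpenBSD: v3_cpols.c,v 1.19 2015/02/14 15:17:52 miod Exp $ */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 1999.
- */
-/* ====================================================================
- * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-#include <string.h>
-
-#include <openssl/asn1.h>
-#include <openssl/asn1t.h>
-#include <openssl/conf.h>
-#include <openssl/err.h>
-#include <openssl/x509v3.h>
-
-#include "pcy_int.h"
-
-/* Certificate policies extension support: this one is a bit complex... */
-
-static int i2r_certpol(X509V3_EXT_METHOD *method, STACK_OF(POLICYINFO) *pol,
- BIO *out, int indent);
-static STACK_OF(POLICYINFO) *r2i_certpol(X509V3_EXT_METHOD *method,
- X509V3_CTX *ctx, char *value);
-static void print_qualifiers(BIO *out, STACK_OF(POLICYQUALINFO) *quals,
- int indent);
-static void print_notice(BIO *out, USERNOTICE *notice, int indent);
-static POLICYINFO *policy_section(X509V3_CTX *ctx,
- STACK_OF(CONF_VALUE) *polstrs, int ia5org);
-static POLICYQUALINFO *notice_section(X509V3_CTX *ctx,
- STACK_OF(CONF_VALUE) *unot, int ia5org);
-static int nref_nos(STACK_OF(ASN1_INTEGER) *nnums, STACK_OF(CONF_VALUE) *nos);
-
-const X509V3_EXT_METHOD v3_cpols = {
- NID_certificate_policies, 0, ASN1_ITEM_ref(CERTIFICATEPOLICIES),
- 0, 0, 0, 0,
- 0, 0,
- 0, 0,
- (X509V3_EXT_I2R)i2r_certpol,
- (X509V3_EXT_R2I)r2i_certpol,
- NULL
-};
-
-ASN1_ITEM_TEMPLATE(CERTIFICATEPOLICIES) =
- ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, CERTIFICATEPOLICIES,
- POLICYINFO)
-ASN1_ITEM_TEMPLATE_END(CERTIFICATEPOLICIES)
-
-
-CERTIFICATEPOLICIES *
-d2i_CERTIFICATEPOLICIES(CERTIFICATEPOLICIES **a, const unsigned char **in, long len)
-{
- return (CERTIFICATEPOLICIES *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
- &CERTIFICATEPOLICIES_it);
-}
-
-int
-i2d_CERTIFICATEPOLICIES(CERTIFICATEPOLICIES *a, unsigned char **out)
-{
- return ASN1_item_i2d((ASN1_VALUE *)a, out, &CERTIFICATEPOLICIES_it);
-}
-
-CERTIFICATEPOLICIES *
-CERTIFICATEPOLICIES_new(void)
-{
- return (CERTIFICATEPOLICIES *)ASN1_item_new(&CERTIFICATEPOLICIES_it);
-}
-
-void
-CERTIFICATEPOLICIES_free(CERTIFICATEPOLICIES *a)
-{
- ASN1_item_free((ASN1_VALUE *)a, &CERTIFICATEPOLICIES_it);
-}
-
-ASN1_SEQUENCE(POLICYINFO) = {
- ASN1_SIMPLE(POLICYINFO, policyid, ASN1_OBJECT),
- ASN1_SEQUENCE_OF_OPT(POLICYINFO, qualifiers, POLICYQUALINFO)
-} ASN1_SEQUENCE_END(POLICYINFO)
-
-
-POLICYINFO *
-d2i_POLICYINFO(POLICYINFO **a, const unsigned char **in, long len)
-{
- return (POLICYINFO *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
- &POLICYINFO_it);
-}
-
-int
-i2d_POLICYINFO(POLICYINFO *a, unsigned char **out)
-{
- return ASN1_item_i2d((ASN1_VALUE *)a, out, &POLICYINFO_it);
-}
-
-POLICYINFO *
-POLICYINFO_new(void)
-{
- return (POLICYINFO *)ASN1_item_new(&POLICYINFO_it);
-}
-
-void
-POLICYINFO_free(POLICYINFO *a)
-{
- ASN1_item_free((ASN1_VALUE *)a, &POLICYINFO_it);
-}
-
-ASN1_ADB_TEMPLATE(policydefault) =
- ASN1_SIMPLE(POLICYQUALINFO, d.other, ASN1_ANY);
-
-ASN1_ADB(POLICYQUALINFO) = {
- ADB_ENTRY(NID_id_qt_cps, ASN1_SIMPLE(POLICYQUALINFO, d.cpsuri, ASN1_IA5STRING)),
- ADB_ENTRY(NID_id_qt_unotice, ASN1_SIMPLE(POLICYQUALINFO, d.usernotice, USERNOTICE))
-} ASN1_ADB_END(POLICYQUALINFO, 0, pqualid, 0, &policydefault_tt, NULL);
-
-ASN1_SEQUENCE(POLICYQUALINFO) = {
- ASN1_SIMPLE(POLICYQUALINFO, pqualid, ASN1_OBJECT),
- ASN1_ADB_OBJECT(POLICYQUALINFO)
-} ASN1_SEQUENCE_END(POLICYQUALINFO)
-
-
-POLICYQUALINFO *
-d2i_POLICYQUALINFO(POLICYQUALINFO **a, const unsigned char **in, long len)
-{
- return (POLICYQUALINFO *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
- &POLICYQUALINFO_it);
-}
-
-int
-i2d_POLICYQUALINFO(POLICYQUALINFO *a, unsigned char **out)
-{
- return ASN1_item_i2d((ASN1_VALUE *)a, out, &POLICYQUALINFO_it);
-}
-
-POLICYQUALINFO *
-POLICYQUALINFO_new(void)
-{
- return (POLICYQUALINFO *)ASN1_item_new(&POLICYQUALINFO_it);
-}
-
-void
-POLICYQUALINFO_free(POLICYQUALINFO *a)
-{
- ASN1_item_free((ASN1_VALUE *)a, &POLICYQUALINFO_it);
-}
-
-ASN1_SEQUENCE(USERNOTICE) = {
- ASN1_OPT(USERNOTICE, noticeref, NOTICEREF),
- ASN1_OPT(USERNOTICE, exptext, DISPLAYTEXT)
-} ASN1_SEQUENCE_END(USERNOTICE)
-
-
-USERNOTICE *
-d2i_USERNOTICE(USERNOTICE **a, const unsigned char **in, long len)
-{
- return (USERNOTICE *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
- &USERNOTICE_it);
-}
-
-int
-i2d_USERNOTICE(USERNOTICE *a, unsigned char **out)
-{
- return ASN1_item_i2d((ASN1_VALUE *)a, out, &USERNOTICE_it);
-}
-
-USERNOTICE *
-USERNOTICE_new(void)
-{
- return (USERNOTICE *)ASN1_item_new(&USERNOTICE_it);
-}
-
-void
-USERNOTICE_free(USERNOTICE *a)
-{
- ASN1_item_free((ASN1_VALUE *)a, &USERNOTICE_it);
-}
-
-ASN1_SEQUENCE(NOTICEREF) = {
- ASN1_SIMPLE(NOTICEREF, organization, DISPLAYTEXT),
- ASN1_SEQUENCE_OF(NOTICEREF, noticenos, ASN1_INTEGER)
-} ASN1_SEQUENCE_END(NOTICEREF)
-
-
-NOTICEREF *
-d2i_NOTICEREF(NOTICEREF **a, const unsigned char **in, long len)
-{
- return (NOTICEREF *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
- &NOTICEREF_it);
-}
-
-int
-i2d_NOTICEREF(NOTICEREF *a, unsigned char **out)
-{
- return ASN1_item_i2d((ASN1_VALUE *)a, out, &NOTICEREF_it);
-}
-
-NOTICEREF *
-NOTICEREF_new(void)
-{
- return (NOTICEREF *)ASN1_item_new(&NOTICEREF_it);
-}
-
-void
-NOTICEREF_free(NOTICEREF *a)
-{
- ASN1_item_free((ASN1_VALUE *)a, &NOTICEREF_it);
-}
-
-static
-STACK_OF(POLICYINFO) *r2i_certpol(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
- char *value)
-{
- STACK_OF(POLICYINFO) *pols = NULL;
- char *pstr;
- POLICYINFO *pol;
- ASN1_OBJECT *pobj;
- STACK_OF(CONF_VALUE) *vals;
- CONF_VALUE *cnf;
- int i, ia5org;
-
- pols = sk_POLICYINFO_new_null();
- if (pols == NULL) {
- X509V3err(X509V3_F_R2I_CERTPOL, ERR_R_MALLOC_FAILURE);
- return NULL;
- }
- vals = X509V3_parse_list(value);
- if (vals == NULL) {
- X509V3err(X509V3_F_R2I_CERTPOL, ERR_R_X509V3_LIB);
- goto err;
- }
- ia5org = 0;
- for (i = 0; i < sk_CONF_VALUE_num(vals); i++) {
- cnf = sk_CONF_VALUE_value(vals, i);
- if (cnf->value || !cnf->name) {
- X509V3err(X509V3_F_R2I_CERTPOL,
- X509V3_R_INVALID_POLICY_IDENTIFIER);
- X509V3_conf_err(cnf);
- goto err;
- }
- pstr = cnf->name;
- if (!strcmp(pstr, "ia5org")) {
- ia5org = 1;
- continue;
- } else if (*pstr == '@') {
- STACK_OF(CONF_VALUE) *polsect;
- polsect = X509V3_get_section(ctx, pstr + 1);
- if (!polsect) {
- X509V3err(X509V3_F_R2I_CERTPOL,
- X509V3_R_INVALID_SECTION);
- X509V3_conf_err(cnf);
- goto err;
- }
- pol = policy_section(ctx, polsect, ia5org);
- X509V3_section_free(ctx, polsect);
- if (!pol)
- goto err;
- } else {
- if (!(pobj = OBJ_txt2obj(cnf->name, 0))) {
- X509V3err(X509V3_F_R2I_CERTPOL,
- X509V3_R_INVALID_OBJECT_IDENTIFIER);
- X509V3_conf_err(cnf);
- goto err;
- }
- pol = POLICYINFO_new();
- pol->policyid = pobj;
- }
- if (!sk_POLICYINFO_push(pols, pol)){
- POLICYINFO_free(pol);
- X509V3err(X509V3_F_R2I_CERTPOL, ERR_R_MALLOC_FAILURE);
- goto err;
- }
- }
- sk_CONF_VALUE_pop_free(vals, X509V3_conf_free);
- return pols;
-
-err:
- sk_CONF_VALUE_pop_free(vals, X509V3_conf_free);
- sk_POLICYINFO_pop_free(pols, POLICYINFO_free);
- return NULL;
-}
-
-static POLICYINFO *
-policy_section(X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *polstrs, int ia5org)
-{
- int i;
- CONF_VALUE *cnf;
- POLICYINFO *pol;
- POLICYQUALINFO *qual;
-
- if (!(pol = POLICYINFO_new()))
- goto merr;
- for (i = 0; i < sk_CONF_VALUE_num(polstrs); i++) {
- cnf = sk_CONF_VALUE_value(polstrs, i);
- if (!strcmp(cnf->name, "policyIdentifier")) {
- ASN1_OBJECT *pobj;
- if (!(pobj = OBJ_txt2obj(cnf->value, 0))) {
- X509V3err(X509V3_F_POLICY_SECTION,
- X509V3_R_INVALID_OBJECT_IDENTIFIER);
- X509V3_conf_err(cnf);
- goto err;
- }
- pol->policyid = pobj;
- } else if (!name_cmp(cnf->name, "CPS")) {
- if (!pol->qualifiers)
- pol->qualifiers = sk_POLICYQUALINFO_new_null();
- if (!(qual = POLICYQUALINFO_new()))
- goto merr;
- if (!sk_POLICYQUALINFO_push(pol->qualifiers, qual))
- goto merr;
- qual->pqualid = OBJ_nid2obj(NID_id_qt_cps);
- qual->d.cpsuri = M_ASN1_IA5STRING_new();
- if (!ASN1_STRING_set(qual->d.cpsuri, cnf->value,
- strlen(cnf->value)))
- goto merr;
- } else if (!name_cmp(cnf->name, "userNotice")) {
- STACK_OF(CONF_VALUE) *unot;
- if (*cnf->value != '@') {
- X509V3err(X509V3_F_POLICY_SECTION,
- X509V3_R_EXPECTED_A_SECTION_NAME);
- X509V3_conf_err(cnf);
- goto err;
- }
- unot = X509V3_get_section(ctx, cnf->value + 1);
- if (!unot) {
- X509V3err(X509V3_F_POLICY_SECTION,
- X509V3_R_INVALID_SECTION);
- X509V3_conf_err(cnf);
- goto err;
- }
- qual = notice_section(ctx, unot, ia5org);
- X509V3_section_free(ctx, unot);
- if (!qual)
- goto err;
- if (!pol->qualifiers) pol->qualifiers =
- sk_POLICYQUALINFO_new_null();
- if (!sk_POLICYQUALINFO_push(pol->qualifiers, qual))
- goto merr;
- } else {
- X509V3err(X509V3_F_POLICY_SECTION,
- X509V3_R_INVALID_OPTION);
- X509V3_conf_err(cnf);
- goto err;
- }
- }
- if (!pol->policyid) {
- X509V3err(X509V3_F_POLICY_SECTION,
- X509V3_R_NO_POLICY_IDENTIFIER);
- goto err;
- }
-
- return pol;
-
-merr:
- X509V3err(X509V3_F_POLICY_SECTION, ERR_R_MALLOC_FAILURE);
-
-err:
- POLICYINFO_free(pol);
- return NULL;
-}
-
-static POLICYQUALINFO *
-notice_section(X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *unot, int ia5org)
-{
- int i, ret;
- CONF_VALUE *cnf;
- USERNOTICE *not;
- POLICYQUALINFO *qual;
-
- if (!(qual = POLICYQUALINFO_new()))
- goto merr;
- qual->pqualid = OBJ_nid2obj(NID_id_qt_unotice);
- if (!(not = USERNOTICE_new()))
- goto merr;
- qual->d.usernotice = not;
- for (i = 0; i < sk_CONF_VALUE_num(unot); i++) {
- cnf = sk_CONF_VALUE_value(unot, i);
- if (!strcmp(cnf->name, "explicitText")) {
- if (not->exptext == NULL) {
- not->exptext = M_ASN1_VISIBLESTRING_new();
- if (not->exptext == NULL)
- goto merr;
- }
- if (!ASN1_STRING_set(not->exptext, cnf->value,
- strlen(cnf->value)))
- goto merr;
- } else if (!strcmp(cnf->name, "organization")) {
- NOTICEREF *nref;
- if (!not->noticeref) {
- if (!(nref = NOTICEREF_new()))
- goto merr;
- not->noticeref = nref;
- } else
- nref = not->noticeref;
- if (ia5org)
- nref->organization->type = V_ASN1_IA5STRING;
- else
- nref->organization->type = V_ASN1_VISIBLESTRING;
- if (!ASN1_STRING_set(nref->organization, cnf->value,
- strlen(cnf->value)))
- goto merr;
- } else if (!strcmp(cnf->name, "noticeNumbers")) {
- NOTICEREF *nref;
- STACK_OF(CONF_VALUE) *nos;
- if (!not->noticeref) {
- if (!(nref = NOTICEREF_new()))
- goto merr;
- not->noticeref = nref;
- } else
- nref = not->noticeref;
- nos = X509V3_parse_list(cnf->value);
- if (!nos || !sk_CONF_VALUE_num(nos)) {
- X509V3err(X509V3_F_NOTICE_SECTION,
- X509V3_R_INVALID_NUMBERS);
- X509V3_conf_err(cnf);
- if (nos != NULL)
- sk_CONF_VALUE_pop_free(nos,
- X509V3_conf_free);
- goto err;
- }
- ret = nref_nos(nref->noticenos, nos);
- sk_CONF_VALUE_pop_free(nos, X509V3_conf_free);
- if (!ret)
- goto err;
- } else {
- X509V3err(X509V3_F_NOTICE_SECTION,
- X509V3_R_INVALID_OPTION);
- X509V3_conf_err(cnf);
- goto err;
- }
- }
-
- if (not->noticeref &&
- (!not->noticeref->noticenos || !not->noticeref->organization)) {
- X509V3err(X509V3_F_NOTICE_SECTION,
- X509V3_R_NEED_ORGANIZATION_AND_NUMBERS);
- goto err;
- }
-
- return qual;
-
-merr:
- X509V3err(X509V3_F_NOTICE_SECTION, ERR_R_MALLOC_FAILURE);
-
-err:
- POLICYQUALINFO_free(qual);
- return NULL;
-}
-
-static int
-nref_nos(STACK_OF(ASN1_INTEGER) *nnums, STACK_OF(CONF_VALUE) *nos)
-{
- CONF_VALUE *cnf;
- ASN1_INTEGER *aint;
- int i;
-
- for (i = 0; i < sk_CONF_VALUE_num(nos); i++) {
- cnf = sk_CONF_VALUE_value(nos, i);
- if (!(aint = s2i_ASN1_INTEGER(NULL, cnf->name))) {
- X509V3err(X509V3_F_NREF_NOS, X509V3_R_INVALID_NUMBER);
- goto err;
- }
- if (!sk_ASN1_INTEGER_push(nnums, aint))
- goto merr;
- }
- return 1;
-
-merr:
- X509V3err(X509V3_F_NREF_NOS, ERR_R_MALLOC_FAILURE);
-
-err:
- sk_ASN1_INTEGER_pop_free(nnums, ASN1_STRING_free);
- return 0;
-}
-
-static int
-i2r_certpol(X509V3_EXT_METHOD *method, STACK_OF(POLICYINFO) *pol, BIO *out,
- int indent)
-{
- int i;
- POLICYINFO *pinfo;
-
- /* First print out the policy OIDs */
- for (i = 0; i < sk_POLICYINFO_num(pol); i++) {
- pinfo = sk_POLICYINFO_value(pol, i);
- BIO_printf(out, "%*sPolicy: ", indent, "");
- i2a_ASN1_OBJECT(out, pinfo->policyid);
- BIO_puts(out, "\n");
- if (pinfo->qualifiers)
- print_qualifiers(out, pinfo->qualifiers, indent + 2);
- }
- return 1;
-}
-
-static void
-print_qualifiers(BIO *out, STACK_OF(POLICYQUALINFO) *quals, int indent)
-{
- POLICYQUALINFO *qualinfo;
- int i;
-
- for (i = 0; i < sk_POLICYQUALINFO_num(quals); i++) {
- qualinfo = sk_POLICYQUALINFO_value(quals, i);
- switch (OBJ_obj2nid(qualinfo->pqualid)) {
- case NID_id_qt_cps:
- BIO_printf(out, "%*sCPS: %s\n", indent, "",
- qualinfo->d.cpsuri->data);
- break;
-
- case NID_id_qt_unotice:
- BIO_printf(out, "%*sUser Notice:\n", indent, "");
- print_notice(out, qualinfo->d.usernotice, indent + 2);
- break;
-
- default:
- BIO_printf(out, "%*sUnknown Qualifier: ",
- indent + 2, "");
-
- i2a_ASN1_OBJECT(out, qualinfo->pqualid);
- BIO_puts(out, "\n");
- break;
- }
- }
-}
-
-static void
-print_notice(BIO *out, USERNOTICE *notice, int indent)
-{
- int i;
-
- if (notice->noticeref) {
- NOTICEREF *ref;
- ref = notice->noticeref;
- BIO_printf(out, "%*sOrganization: %s\n", indent, "",
- ref->organization->data);
- BIO_printf(out, "%*sNumber%s: ", indent, "",
- sk_ASN1_INTEGER_num(ref->noticenos) > 1 ? "s" : "");
- for (i = 0; i < sk_ASN1_INTEGER_num(ref->noticenos); i++) {
- ASN1_INTEGER *num;
- char *tmp;
- num = sk_ASN1_INTEGER_value(ref->noticenos, i);
- if (i)
- BIO_puts(out, ", ");
- tmp = i2s_ASN1_INTEGER(NULL, num);
- BIO_puts(out, tmp);
- free(tmp);
- }
- BIO_puts(out, "\n");
- }
- if (notice->exptext)
- BIO_printf(out, "%*sExplicit Text: %s\n", indent, "",
- notice->exptext->data);
-}
-
-void
-X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent)
-{
- const X509_POLICY_DATA *dat = node->data;
-
- BIO_printf(out, "%*sPolicy: ", indent, "");
-
- i2a_ASN1_OBJECT(out, dat->valid_policy);
- BIO_puts(out, "\n");
- BIO_printf(out, "%*s%s\n", indent + 2, "",
- node_data_critical(dat) ? "Critical" : "Non Critical");
- if (dat->qualifier_set)
- print_qualifiers(out, dat->qualifier_set, indent + 2);
- else
- BIO_printf(out, "%*sNo Qualifiers\n", indent + 2, "");
-}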
diff --git a/src/lib/libcrypto/x509v3/v3_crld.c b/src/lib/libcrypto/x509v3/v3_crld.c
deleted file mode 100644
index b2e4370658..0000000000
--- a/src/lib/libcrypto/x509v3/v3_crld.c
+++ /dev/null
@@ -1,685 +0,0 @@
1/* $OpenBSD: v3_crld.c,v 1.16 2015/02/14 15:19:04 miod Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999-2008 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include <string.h>
61
62#include <openssl/asn1.h>
63#include <openssl/asn1t.h>
64#include <openssl/conf.h>
65#include <openssl/err.h>
66#include <openssl/x509v3.h>
67
68static void *v2i_crld(const X509V3_EXT_METHOD *method,
69 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
70static int i2r_crldp(const X509V3_EXT_METHOD *method, void *pcrldp, BIO *out,
71 int indent);
72
73const X509V3_EXT_METHOD v3_crld = {
74 NID_crl_distribution_points, 0, ASN1_ITEM_ref(CRL_DIST_POINTS),
75 0, 0, 0, 0,
76 0, 0,
77 0,
78 v2i_crld,
79 i2r_crldp, 0,
80 NULL
81};
82
83const X509V3_EXT_METHOD v3_freshest_crl = {
84 NID_freshest_crl, 0, ASN1_ITEM_ref(CRL_DIST_POINTS),
85 0, 0, 0, 0,
86 0, 0,
87 0,
88 v2i_crld,
89 i2r_crldp, 0,
90 NULL
91};
92
93static
94STACK_OF(GENERAL_NAME) *gnames_from_sectname(X509V3_CTX *ctx, char *sect)
95{
96 STACK_OF(CONF_VALUE) *gnsect;
97 STACK_OF(GENERAL_NAME) *gens;
98
99 if (*sect == '@')
100 gnsect = X509V3_get_section(ctx, sect + 1);
101 else
102 gnsect = X509V3_parse_list(sect);
103 if (!gnsect) {
104 X509V3err(X509V3_F_GNAMES_FROM_SECTNAME,
105 X509V3_R_SECTION_NOT_FOUND);
106 return NULL;
107 }
108 gens = v2i_GENERAL_NAMES(NULL, ctx, gnsect);
109 if (*sect == '@')
110 X509V3_section_free(ctx, gnsect);
111 else
112 sk_CONF_VALUE_pop_free(gnsect, X509V3_conf_free);
113 return gens;
114}
115
116static int
117set_dist_point_name(DIST_POINT_NAME **pdp, X509V3_CTX *ctx, CONF_VALUE *cnf)
118{
119 STACK_OF(GENERAL_NAME) *fnm = NULL;
120 STACK_OF(X509_NAME_ENTRY) *rnm = NULL;
121
122 if (!strncmp(cnf->name, "fullname", 9)) {
123 fnm = gnames_from_sectname(ctx, cnf->value);
124 if (!fnm)
125 goto err;
126 } else if (!strcmp(cnf->name, "relativename")) {
127 int ret;
128 STACK_OF(CONF_VALUE) *dnsect;
129 X509_NAME *nm;
130 nm = X509_NAME_new();
131 if (!nm)
132 return -1;
133 dnsect = X509V3_get_section(ctx, cnf->value);
134 if (!dnsect) {
135 X509V3err(X509V3_F_SET_DIST_POINT_NAME,
136 X509V3_R_SECTION_NOT_FOUND);
137 X509_NAME_free(nm);
138 return -1;
139 }
140 ret = X509V3_NAME_from_section(nm, dnsect, MBSTRING_ASC);
141 X509V3_section_free(ctx, dnsect);
142 rnm = nm->entries;
143 nm->entries = NULL;
144 X509_NAME_free(nm);
145 if (!ret || sk_X509_NAME_ENTRY_num(rnm) <= 0)
146 goto err;
147 /* Since its a name fragment can't have more than one
148 * RDNSequence
149 */
150 if (sk_X509_NAME_ENTRY_value(rnm,
151 sk_X509_NAME_ENTRY_num(rnm) - 1)->set) {
152 X509V3err(X509V3_F_SET_DIST_POINT_NAME,
153 X509V3_R_INVALID_MULTIPLE_RDNS);
154 goto err;
155 }
156 } else
157 return 0;
158
159 if (*pdp) {
160 X509V3err(X509V3_F_SET_DIST_POINT_NAME,
161 X509V3_R_DISTPOINT_ALREADY_SET);
162 goto err;
163 }
164
165 *pdp = DIST_POINT_NAME_new();
166 if (!*pdp)
167 goto err;
168 if (fnm) {
169 (*pdp)->type = 0;
170 (*pdp)->name.fullname = fnm;
171 } else {
172 (*pdp)->type = 1;
173 (*pdp)->name.relativename = rnm;
174 }
175
176 return 1;
177
178err:
179 if (fnm)
180 sk_GENERAL_NAME_pop_free(fnm, GENERAL_NAME_free);
181 if (rnm)
182 sk_X509_NAME_ENTRY_pop_free(rnm, X509_NAME_ENTRY_free);
183 return -1;
184}
185
186static const BIT_STRING_BITNAME reason_flags[] = {
187 {0, "Unused", "unused"},
188 {1, "Key Compromise", "keyCompromise"},
189 {2, "CA Compromise", "CACompromise"},
190 {3, "Affiliation Changed", "affiliationChanged"},
191 {4, "Superseded", "superseded"},
192 {5, "Cessation Of Operation", "cessationOfOperation"},
193 {6, "Certificate Hold", "certificateHold"},
194 {7, "Privilege Withdrawn", "privilegeWithdrawn"},
195 {8, "AA Compromise", "AACompromise"},
196 {-1, NULL, NULL}
197};
198
199static int
200set_reasons(ASN1_BIT_STRING **preas, char *value)
201{
202 STACK_OF(CONF_VALUE) *rsk = NULL;
203 const BIT_STRING_BITNAME *pbn;
204 const char *bnam;
205 int i, ret = 0;
206
207 if (*preas != NULL)
208 return 0;
209 rsk = X509V3_parse_list(value);
210 if (rsk == NULL)
211 return 0;
212 for (i = 0; i < sk_CONF_VALUE_num(rsk); i++) {
213 bnam = sk_CONF_VALUE_value(rsk, i)->name;
214 if (!*preas) {
215 *preas = ASN1_BIT_STRING_new();
216 if (!*preas)
217 goto err;
218 }
219 for (pbn = reason_flags; pbn->lname; pbn++) {
220 if (!strcmp(pbn->sname, bnam)) {
221 if (!ASN1_BIT_STRING_set_bit(*preas,
222 pbn->bitnum, 1))
223 goto err;
224 break;
225 }
226 }
227 if (!pbn->lname)
228 goto err;
229 }
230 ret = 1;
231
232err:
233 sk_CONF_VALUE_pop_free(rsk, X509V3_conf_free);
234 return ret;
235}
236
237static int
238print_reasons(BIO *out, const char *rname, ASN1_BIT_STRING *rflags, int indent)
239{
240 int first = 1;
241 const BIT_STRING_BITNAME *pbn;
242
243 BIO_printf(out, "%*s%s:\n%*s", indent, "", rname, indent + 2, "");
244 for (pbn = reason_flags; pbn->lname; pbn++) {
245 if (ASN1_BIT_STRING_get_bit(rflags, pbn->bitnum)) {
246 if (first)
247 first = 0;
248 else
249 BIO_puts(out, ", ");
250 BIO_puts(out, pbn->lname);
251 }
252 }
253 if (first)
254 BIO_puts(out, "<EMPTY>\n");
255 else
256 BIO_puts(out, "\n");
257 return 1;
258}
259
260static DIST_POINT *
261crldp_from_section(X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
262{
263 int i;
264 CONF_VALUE *cnf;
265 DIST_POINT *point = NULL;
266
267 point = DIST_POINT_new();
268 if (!point)
269 goto err;
270 for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
271 int ret;
272 cnf = sk_CONF_VALUE_value(nval, i);
273 ret = set_dist_point_name(&point->distpoint, ctx, cnf);
274 if (ret > 0)
275 continue;
276 if (ret < 0)
277 goto err;
278 if (!strcmp(cnf->name, "reasons")) {
279 if (!set_reasons(&point->reasons, cnf->value))
280 goto err;
281 }
282 else if (!strcmp(cnf->name, "CRLissuer")) {
283 point->CRLissuer =
284 gnames_from_sectname(ctx, cnf->value);
285 if (!point->CRLissuer)
286 goto err;
287 }
288 }
289
290 return point;
291
292err:
293 if (point)
294 DIST_POINT_free(point);
295 return NULL;
296}
297
298static void *
299v2i_crld(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
300 STACK_OF(CONF_VALUE) *nval)
301{
302 STACK_OF(DIST_POINT) *crld = NULL;
303 GENERAL_NAMES *gens = NULL;
304 GENERAL_NAME *gen = NULL;
305 CONF_VALUE *cnf;
306 int i;
307
308 if (!(crld = sk_DIST_POINT_new_null()))
309 goto merr;
310 for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
311 DIST_POINT *point;
312 cnf = sk_CONF_VALUE_value(nval, i);
313 if (!cnf->value) {
314 STACK_OF(CONF_VALUE) *dpsect;
315 dpsect = X509V3_get_section(ctx, cnf->name);
316 if (!dpsect)
317 goto err;
318 point = crldp_from_section(ctx, dpsect);
319 X509V3_section_free(ctx, dpsect);
320 if (!point)
321 goto err;
322 if (!sk_DIST_POINT_push(crld, point)) {
323 DIST_POINT_free(point);
324 goto merr;
325 }
326 } else {
327 if (!(gen = v2i_GENERAL_NAME(method, ctx, cnf)))
328 goto err;
329 if (!(gens = GENERAL_NAMES_new()))
330 goto merr;
331 if (!sk_GENERAL_NAME_push(gens, gen))
332 goto merr;
333 gen = NULL;
334 if (!(point = DIST_POINT_new()))
335 goto merr;
336 if (!sk_DIST_POINT_push(crld, point)) {
337 DIST_POINT_free(point);
338 goto merr;
339 }
340 if (!(point->distpoint = DIST_POINT_NAME_new()))
341 goto merr;
342 point->distpoint->name.fullname = gens;
343 point->distpoint->type = 0;
344 gens = NULL;
345 }
346 }
347 return crld;
348
349merr:
350 X509V3err(X509V3_F_V2I_CRLD, ERR_R_MALLOC_FAILURE);
351err:
352 GENERAL_NAME_free(gen);
353 GENERAL_NAMES_free(gens);
354 sk_DIST_POINT_pop_free(crld, DIST_POINT_free);
355 return NULL;
356}
357
358static int
359dpn_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg)
360{
361 DIST_POINT_NAME *dpn = (DIST_POINT_NAME *)*pval;
362
363 switch (operation) {
364 case ASN1_OP_NEW_POST:
365 dpn->dpname = NULL;
366 break;
367
368 case ASN1_OP_FREE_POST:
369 if (dpn->dpname)
370 X509_NAME_free(dpn->dpname);
371 break;
372 }
373 return 1;
374}
375
376
377ASN1_CHOICE_cb(DIST_POINT_NAME, dpn_cb) = {
378 ASN1_IMP_SEQUENCE_OF(DIST_POINT_NAME, name.fullname, GENERAL_NAME, 0),
379 ASN1_IMP_SET_OF(DIST_POINT_NAME, name.relativename, X509_NAME_ENTRY, 1)
380} ASN1_CHOICE_END_cb(DIST_POINT_NAME, DIST_POINT_NAME, type)
381
382
383
384DIST_POINT_NAME *
385d2i_DIST_POINT_NAME(DIST_POINT_NAME **a, const unsigned char **in, long len)
386{
387 return (DIST_POINT_NAME *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
388 &DIST_POINT_NAME_it);
389}
390
391int
392i2d_DIST_POINT_NAME(DIST_POINT_NAME *a, unsigned char **out)
393{
394 return ASN1_item_i2d((ASN1_VALUE *)a, out, &DIST_POINT_NAME_it);
395}
396
397DIST_POINT_NAME *
398DIST_POINT_NAME_new(void)
399{
400 return (DIST_POINT_NAME *)ASN1_item_new(&DIST_POINT_NAME_it);
401}
402
403void
404DIST_POINT_NAME_free(DIST_POINT_NAME *a)
405{
406 ASN1_item_free((ASN1_VALUE *)a, &DIST_POINT_NAME_it);
407}
408
409ASN1_SEQUENCE(DIST_POINT) = {
410 ASN1_EXP_OPT(DIST_POINT, distpoint, DIST_POINT_NAME, 0),
411 ASN1_IMP_OPT(DIST_POINT, reasons, ASN1_BIT_STRING, 1),
412 ASN1_IMP_SEQUENCE_OF_OPT(DIST_POINT, CRLissuer, GENERAL_NAME, 2)
413} ASN1_SEQUENCE_END(DIST_POINT)
414
415
416DIST_POINT *
417d2i_DIST_POINT(DIST_POINT **a, const unsigned char **in, long len)
418{
419 return (DIST_POINT *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
420 &DIST_POINT_it);
421}
422
423int
424i2d_DIST_POINT(DIST_POINT *a, unsigned char **out)
425{
426 return ASN1_item_i2d((ASN1_VALUE *)a, out, &DIST_POINT_it);
427}
428
429DIST_POINT *
430DIST_POINT_new(void)
431{
432 return (DIST_POINT *)ASN1_item_new(&DIST_POINT_it);
433}
434
435void
436DIST_POINT_free(DIST_POINT *a)
437{
438 ASN1_item_free((ASN1_VALUE *)a, &DIST_POINT_it);
439}
440
441ASN1_ITEM_TEMPLATE(CRL_DIST_POINTS) =
442 ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, CRLDistributionPoints,
443 DIST_POINT)
444ASN1_ITEM_TEMPLATE_END(CRL_DIST_POINTS)
445
446
447CRL_DIST_POINTS *
448d2i_CRL_DIST_POINTS(CRL_DIST_POINTS **a, const unsigned char **in, long len)
449{
450 return (CRL_DIST_POINTS *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
451 &CRL_DIST_POINTS_it);
452}
453
454int
455i2d_CRL_DIST_POINTS(CRL_DIST_POINTS *a, unsigned char **out)
456{
457 return ASN1_item_i2d((ASN1_VALUE *)a, out, &CRL_DIST_POINTS_it);
458}
459
460CRL_DIST_POINTS *
461CRL_DIST_POINTS_new(void)
462{
463 return (CRL_DIST_POINTS *)ASN1_item_new(&CRL_DIST_POINTS_it);
464}
465
466void
467CRL_DIST_POINTS_free(CRL_DIST_POINTS *a)
468{
469 ASN1_item_free((ASN1_VALUE *)a, &CRL_DIST_POINTS_it);
470}
471
472ASN1_SEQUENCE(ISSUING_DIST_POINT) = {
473 ASN1_EXP_OPT(ISSUING_DIST_POINT, distpoint, DIST_POINT_NAME, 0),
474 ASN1_IMP_OPT(ISSUING_DIST_POINT, onlyuser, ASN1_FBOOLEAN, 1),
475 ASN1_IMP_OPT(ISSUING_DIST_POINT, onlyCA, ASN1_FBOOLEAN, 2),
476 ASN1_IMP_OPT(ISSUING_DIST_POINT, onlysomereasons, ASN1_BIT_STRING, 3),
477 ASN1_IMP_OPT(ISSUING_DIST_POINT, indirectCRL, ASN1_FBOOLEAN, 4),
478 ASN1_IMP_OPT(ISSUING_DIST_POINT, onlyattr, ASN1_FBOOLEAN, 5)
479} ASN1_SEQUENCE_END(ISSUING_DIST_POINT)
480
481
482ISSUING_DIST_POINT *
483d2i_ISSUING_DIST_POINT(ISSUING_DIST_POINT **a, const unsigned char **in, long len)
484{
485 return (ISSUING_DIST_POINT *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
486 &ISSUING_DIST_POINT_it);
487}
488
489int
490i2d_ISSUING_DIST_POINT(ISSUING_DIST_POINT *a, unsigned char **out)
491{
492 return ASN1_item_i2d((ASN1_VALUE *)a, out, &ISSUING_DIST_POINT_it);
493}
494
495ISSUING_DIST_POINT *
496ISSUING_DIST_POINT_new(void)
497{
498 return (ISSUING_DIST_POINT *)ASN1_item_new(&ISSUING_DIST_POINT_it);
499}
500
501void
502ISSUING_DIST_POINT_free(ISSUING_DIST_POINT *a)
503{
504 ASN1_item_free((ASN1_VALUE *)a, &ISSUING_DIST_POINT_it);
505}
506
507static int i2r_idp(const X509V3_EXT_METHOD *method, void *pidp, BIO *out,
508 int indent);
509static void *v2i_idp(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
510 STACK_OF(CONF_VALUE) *nval);
511
512const X509V3_EXT_METHOD v3_idp = {
513 NID_issuing_distribution_point, X509V3_EXT_MULTILINE,
514 ASN1_ITEM_ref(ISSUING_DIST_POINT),
515 0, 0, 0, 0,
516 0, 0,
517 0,
518 v2i_idp,
519 i2r_idp, 0,
520 NULL
521};
522
523static void *
524v2i_idp(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
525 STACK_OF(CONF_VALUE) *nval)
526{
527 ISSUING_DIST_POINT *idp = NULL;
528 CONF_VALUE *cnf;
529 char *name, *val;
530 int i, ret;
531
532 idp = ISSUING_DIST_POINT_new();
533 if (!idp)
534 goto merr;
535 for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
536 cnf = sk_CONF_VALUE_value(nval, i);
537 name = cnf->name;
538 val = cnf->value;
539 ret = set_dist_point_name(&idp->distpoint, ctx, cnf);
540 if (ret > 0)
541 continue;
542 if (ret < 0)
543 goto err;
544 if (!strcmp(name, "onlyuser")) {
545 if (!X509V3_get_value_bool(cnf, &idp->onlyuser))
546 goto err;
547 }
548 else if (!strcmp(name, "onlyCA")) {
549 if (!X509V3_get_value_bool(cnf, &idp->onlyCA))
550 goto err;
551 }
552 else if (!strcmp(name, "onlyAA")) {
553 if (!X509V3_get_value_bool(cnf, &idp->onlyattr))
554 goto err;
555 }
556 else if (!strcmp(name, "indirectCRL")) {
557 if (!X509V3_get_value_bool(cnf, &idp->indirectCRL))
558 goto err;
559 }
560 else if (!strcmp(name, "onlysomereasons")) {
561 if (!set_reasons(&idp->onlysomereasons, val))
562 goto err;
563 } else {
564 X509V3err(X509V3_F_V2I_IDP, X509V3_R_INVALID_NAME);
565 X509V3_conf_err(cnf);
566 goto err;
567 }
568 }
569 return idp;
570
571merr:
572 X509V3err(X509V3_F_V2I_IDP, ERR_R_MALLOC_FAILURE);
573err:
574 ISSUING_DIST_POINT_free(idp);
575 return NULL;
576}
577
578static int
579print_gens(BIO *out, STACK_OF(GENERAL_NAME) *gens, int indent)
580{
581 int i;
582
583 for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
584 BIO_printf(out, "%*s", indent + 2, "");
585 GENERAL_NAME_print(out, sk_GENERAL_NAME_value(gens, i));
586 BIO_puts(out, "\n");
587 }
588 return 1;
589}
590
591static int
592print_distpoint(BIO *out, DIST_POINT_NAME *dpn, int indent)
593{
594 if (dpn->type == 0) {
595 BIO_printf(out, "%*sFull Name:\n", indent, "");
596 print_gens(out, dpn->name.fullname, indent);
597 } else {
598 X509_NAME ntmp;
599 ntmp.entries = dpn->name.relativename;
600 BIO_printf(out, "%*sRelative Name:\n%*s",
601 indent, "", indent + 2, "");
602 X509_NAME_print_ex(out, &ntmp, 0, XN_FLAG_ONELINE);
603 BIO_puts(out, "\n");
604 }
605 return 1;
606}
607
608static int
609i2r_idp(const X509V3_EXT_METHOD *method, void *pidp, BIO *out, int indent)
610{
611 ISSUING_DIST_POINT *idp = pidp;
612
613 if (idp->distpoint)
614 print_distpoint(out, idp->distpoint, indent);
615 if (idp->onlyuser > 0)
616 BIO_printf(out, "%*sOnly User Certificates\n", indent, "");
617 if (idp->onlyCA > 0)
618 BIO_printf(out, "%*sOnly CA Certificates\n", indent, "");
619 if (idp->indirectCRL > 0)
620 BIO_printf(out, "%*sIndirect CRL\n", indent, "");
621 if (idp->onlysomereasons)
622 print_reasons(out, "Only Some Reasons",
623 idp->onlysomereasons, indent);
624 if (idp->onlyattr > 0)
625 BIO_printf(out, "%*sOnly Attribute Certificates\n", indent, "");
626 if (!idp->distpoint && (idp->onlyuser <= 0) && (idp->onlyCA <= 0) &&
627 (idp->indirectCRL <= 0) && !idp->onlysomereasons &&
628 (idp->onlyattr <= 0))
629 BIO_printf(out, "%*s<EMPTY>\n", indent, "");
630
631 return 1;
632}
633
634static int
635i2r_crldp(const X509V3_EXT_METHOD *method, void *pcrldp, BIO *out, int indent)
636{
637 STACK_OF(DIST_POINT) *crld = pcrldp;
638 DIST_POINT *point;
639 int i;
640
641 for (i = 0; i < sk_DIST_POINT_num(crld); i++) {
642 BIO_puts(out, "\n");
643 point = sk_DIST_POINT_value(crld, i);
644 if (point->distpoint)
645 print_distpoint(out, point->distpoint, indent);
646 if (point->reasons)
647 print_reasons(out, "Reasons", point->reasons,
648 indent);
649 if (point->CRLissuer) {
650 BIO_printf(out, "%*sCRL Issuer:\n", indent, "");
651 print_gens(out, point->CRLissuer, indent);
652 }
653 }
654 return 1;
655}
656
657int
658DIST_POINT_set_dpname(DIST_POINT_NAME *dpn, X509_NAME *iname)
659{
660 int i;
661 STACK_OF(X509_NAME_ENTRY) *frag;
662 X509_NAME_ENTRY *ne;
663
664 if (!dpn || (dpn->type != 1))
665 return 1;
666 frag = dpn->name.relativename;
667 dpn->dpname = X509_NAME_dup(iname);
668 if (!dpn->dpname)
669 return 0;
670 for (i = 0; i < sk_X509_NAME_ENTRY_num(frag); i++) {
671 ne = sk_X509_NAME_ENTRY_value(frag, i);
672 if (!X509_NAME_add_entry(dpn->dpname, ne, -1, i ? 0 : 1)) {
673 X509_NAME_free(dpn->dpname);
674 dpn->dpname = NULL;
675 return 0;
676 }
677 }
678 /* generate cached encoding of name */
679 if (i2d_X509_NAME(dpn->dpname, NULL) < 0) {
680 X509_NAME_free(dpn->dpname);
681 dpn->dpname = NULL;
682 return 0;
683 }
684 return 1;
685}
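diff --git a/src/lib/libcrypto/x509v3/v3_enum.c b/src/lib/libcrypto/x509v3/v3_enum.c
deleted file mode 100644
index c09601edad..0000000000
--- a/src/lib/libcrypto/x509v3/v3_enum.c
+++ /dev/null
@@ -1,99 +0,0 @@
-/* $OpenBSD: v3_enum.c,v 1.10 2014/07/13 16:03:10 beck Exp $ */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 1999.
- */
-/* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-#include <string.h>
-#include <openssl/x509v3.h>
-
-static ENUMERATED_NAMES crl_reasons[] = {
- {CRL_REASON_UNSPECIFIED, "Unspecified", "unspecified"},
- {CRL_REASON_KEY_COMPROMISE, "Key Compromise", "keyCompromise"},
- {CRL_REASON_CA_COMPROMISE, "CA Compromise", "CACompromise"},
- {CRL_REASON_AFFILIATION_CHANGED, "Affiliation Changed", "affiliationChanged"},
- {CRL_REASON_SUPERSEDED, "Superseded", "superseded"},
- {CRL_REASON_CESSATION_OF_OPERATION,
- "Cessation Of Operation", "cessationOfOperation"},
- {CRL_REASON_CERTIFICATE_HOLD, "Certificate Hold", "certificateHold"},
- {CRL_REASON_REMOVE_FROM_CRL, "Remove From CRL", "removeFromCRL"},
- {CRL_REASON_PRIVILEGE_WITHDRAWN, "Privilege Withdrawn", "privilegeWithdrawn"},
- {CRL_REASON_AA_COMPROMISE, "AA Compromise", "AACompromise"},
- {-1, NULL, NULL}
-};
-
-const X509V3_EXT_METHOD v3_crl_reason = {
- NID_crl_reason, 0, ASN1_ITEM_ref(ASN1_ENUMERATED),
- 0, 0, 0, 0,
- (X509V3_EXT_I2S)i2s_ASN1_ENUMERATED_TABLE,
- 0,
- 0, 0, 0, 0,
- crl_reasons
-};
-
-char *
-i2s_ASN1_ENUMERATED_TABLE(X509V3_EXT_METHOD *method, ASN1_ENUMERATED *e)
-{
- ENUMERATED_NAMES *enam;
- long strval;
-
- strval = ASN1_ENUMERATED_get(e);
- for (enam = method->usr_data; enam->lname; enam++) {
- if (strval == enam->bitnum)
- return strdup(enam->lname);
- }
- return i2s_ASN1_ENUMERATED(method, e);
-}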
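diff --git a/src/lib/libcrypto/x509v3/v3_extku.c b/src/lib/libcrypto/x509v3/v3_extku.c
deleted file mode 100644
index c37b65f7a5..0000000000
--- a/src/lib/libcrypto/x509v3/v3_extku.c
+++ /dev/null
@@ -1,180 +0,0 @@
-/* $OpenBSD: v3_extku.c,v 1.11 2015/02/09 16:03:11 jsing Exp $ */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 1999.
- */
-/* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-
-#include <openssl/asn1t.h>
-#include <openssl/conf.h>
-#include <openssl/err.h>
-#include <openssl/x509v3.h>
-
-static void *v2i_EXTENDED_KEY_USAGE(const X509V3_EXT_METHOD *method,
- X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
-static STACK_OF(CONF_VALUE) *i2v_EXTENDED_KEY_USAGE(
- const X509V3_EXT_METHOD *method, void *eku, STACK_OF(CONF_VALUE) *extlist);
-
-const X509V3_EXT_METHOD v3_ext_ku = {
- NID_ext_key_usage, 0,
- ASN1_ITEM_ref(EXTENDED_KEY_USAGE),
- 0, 0, 0, 0,
- 0, 0,
- i2v_EXTENDED_KEY_USAGE,
- v2i_EXTENDED_KEY_USAGE,
- 0, 0,
- NULL
-};
-
-/* NB OCSP acceptable responses also is a SEQUENCE OF OBJECT */
-const X509V3_EXT_METHOD v3_ocsp_accresp = {
- NID_id_pkix_OCSP_acceptableResponses, 0,
- ASN1_ITEM_ref(EXTENDED_KEY_USAGE),
- 0, 0, 0, 0,
- 0, 0,
- i2v_EXTENDED_KEY_USAGE,
- v2i_EXTENDED_KEY_USAGE,
- 0, 0,
- NULL
-};
-
-ASN1_ITEM_TEMPLATE(EXTENDED_KEY_USAGE) =
- ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, EXTENDED_KEY_USAGE,
- ASN1_OBJECT)
-ASN1_ITEM_TEMPLATE_END(EXTENDED_KEY_USAGE)
-
-
-EXTENDED_KEY_USAGE *
-d2i_EXTENDED_KEY_USAGE(EXTENDED_KEY_USAGE **a, const unsigned char **in, long len)
-{
- return (EXTENDED_KEY_USAGE *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
- &EXTENDED_KEY_USAGE_it);
-}
-
-int
-i2d_EXTENDED_KEY_USAGE(EXTENDED_KEY_USAGE *a, unsigned char **out)
-{
- return ASN1_item_i2d((ASN1_VALUE *)a, out, &EXTENDED_KEY_USAGE_it);
-}
-
-EXTENDED_KEY_USAGE *
-EXTENDED_KEY_USAGE_new(void)
-{
- return (EXTENDED_KEY_USAGE *)ASN1_item_new(&EXTENDED_KEY_USAGE_it);
-}
-
-void
-EXTENDED_KEY_USAGE_free(EXTENDED_KEY_USAGE *a)
-{
- ASN1_item_free((ASN1_VALUE *)a, &EXTENDED_KEY_USAGE_it);
-}
-
-static STACK_OF(CONF_VALUE) *
-i2v_EXTENDED_KEY_USAGE(const X509V3_EXT_METHOD *method, void *a,
- STACK_OF(CONF_VALUE) *ext_list)
-{
- EXTENDED_KEY_USAGE *eku = a;
- int i;
- ASN1_OBJECT *obj;
- char obj_tmp[80];
-
- for (i = 0; i < sk_ASN1_OBJECT_num(eku); i++) {
- obj = sk_ASN1_OBJECT_value(eku, i);
- i2t_ASN1_OBJECT(obj_tmp, 80, obj);
- X509V3_add_value(NULL, obj_tmp, &ext_list);
- }
- return ext_list;
-}
-
-static void *
-v2i_EXTENDED_KEY_USAGE(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
- STACK_OF(CONF_VALUE) *nval)
-{
- EXTENDED_KEY_USAGE *extku;
- char *extval;
- ASN1_OBJECT *objtmp;
- CONF_VALUE *val;
- int i;
-
- if (!(extku = sk_ASN1_OBJECT_new_null())) {
- X509V3err(X509V3_F_V2I_EXTENDED_KEY_USAGE,
- ERR_R_MALLOC_FAILURE);
- return NULL;
- }
-
- for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
- val = sk_CONF_VALUE_value(nval, i);
- if (val->value)
- extval = val->value;
- else
- extval = val->name;
- if (!(objtmp = OBJ_txt2obj(extval, 0))) {
- sk_ASN1_OBJECT_pop_free(extku, ASN1_OBJECT_free);
- X509V3err(X509V3_F_V2I_EXTENDED_KEY_USAGE,
- X509V3_R_INVALID_OBJECT_IDENTIFIER);
- X509V3_conf_err(val);
- return NULL;
- }
- if (sk_ASN1_OBJECT_push(extku, objtmp) == 0) {
- ASN1_OBJECT_free(objtmp);
- sk_ASN1_OBJECT_pop_free(extku, ASN1_OBJECT_free);
- X509V3err(X509V3_F_V2I_EXTENDED_KEY_USAGE,
- ERR_R_MALLOC_FAILURE);
- return NULL;
- }
- }
- return extku;
-}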
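diff --git a/src/lib/libcrypto/x509v3/v3_genn.c b/src/lib/libcrypto/x509v3/v3_genn.c
deleted file mode 100644
index 25d7f447d2..0000000000
--- a/src/lib/libcrypto/x509v3/v3_genn.c
+++ /dev/null
@@ -1,353 +0,0 @@
-/* $OpenBSD: v3_genn.c,v 1.10 2015/02/09 16:03:11 jsing Exp $ */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 1999.
- */
-/* ====================================================================
- * Copyright (c) 1999-2008 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-
-#include <stdio.h>
-
-#include <openssl/asn1t.h>
-#include <openssl/conf.h>
-#include <openssl/x509v3.h>
-
-ASN1_SEQUENCE(OTHERNAME) = {
- ASN1_SIMPLE(OTHERNAME, type_id, ASN1_OBJECT),
- /* Maybe have a true ANY DEFINED BY later */
- ASN1_EXP(OTHERNAME, value, ASN1_ANY, 0)
-} ASN1_SEQUENCE_END(OTHERNAME)
-
-
-OTHERNAME *
-d2i_OTHERNAME(OTHERNAME **a, const unsigned char **in, long len)
-{
- return (OTHERNAME *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
- &OTHERNAME_it);
-}
-
-int
-i2d_OTHERNAME(OTHERNAME *a, unsigned char **out)
-{
- return ASN1_item_i2d((ASN1_VALUE *)a, out, &OTHERNAME_it);
-}
-
-OTHERNAME *
-OTHERNAME_new(void)
-{
- return (OTHERNAME *)ASN1_item_new(&OTHERNAME_it);
-}
-
-void
-OTHERNAME_free(OTHERNAME *a)
-{
- ASN1_item_free((ASN1_VALUE *)a, &OTHERNAME_it);
-}
-
-ASN1_SEQUENCE(EDIPARTYNAME) = {
- ASN1_IMP_OPT(EDIPARTYNAME, nameAssigner, DIRECTORYSTRING, 0),
- ASN1_IMP_OPT(EDIPARTYNAME, partyName, DIRECTORYSTRING, 1)
-} ASN1_SEQUENCE_END(EDIPARTYNAME)
-
-
-EDIPARTYNAME *
-d2i_EDIPARTYNAME(EDIPARTYNAME **a, const unsigned char **in, long len)
-{
- return (EDIPARTYNAME *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
- &EDIPARTYNAME_it);
-}
-
-int
-i2d_EDIPARTYNAME(EDIPARTYNAME *a, unsigned char **out)
-{
- return ASN1_item_i2d((ASN1_VALUE *)a, out, &EDIPARTYNAME_it);
-}
-
-EDIPARTYNAME *
-EDIPARTYNAME_new(void)
-{
- return (EDIPARTYNAME *)ASN1_item_new(&EDIPARTYNAME_it);
-}
-
-void
-EDIPARTYNAME_free(EDIPARTYNAME *a)
-{
- ASN1_item_free((ASN1_VALUE *)a, &EDIPARTYNAME_it);
-}
-
-ASN1_CHOICE(GENERAL_NAME) = {
- ASN1_IMP(GENERAL_NAME, d.otherName, OTHERNAME, GEN_OTHERNAME),
- ASN1_IMP(GENERAL_NAME, d.rfc822Name, ASN1_IA5STRING, GEN_EMAIL),
- ASN1_IMP(GENERAL_NAME, d.dNSName, ASN1_IA5STRING, GEN_DNS),
- /* Don't decode this */
- ASN1_IMP(GENERAL_NAME, d.x400Address, ASN1_SEQUENCE, GEN_X400),
- /* X509_NAME is a CHOICE type so use EXPLICIT */
- ASN1_EXP(GENERAL_NAME, d.directoryName, X509_NAME, GEN_DIRNAME),
- ASN1_IMP(GENERAL_NAME, d.ediPartyName, EDIPARTYNAME, GEN_EDIPARTY),
- ASN1_IMP(GENERAL_NAME, d.uniformResourceIdentifier, ASN1_IA5STRING, GEN_URI),
- ASN1_IMP(GENERAL_NAME, d.iPAddress, ASN1_OCTET_STRING, GEN_IPADD),
- ASN1_IMP(GENERAL_NAME, d.registeredID, ASN1_OBJECT, GEN_RID)
-} ASN1_CHOICE_END(GENERAL_NAME)
-
-
-GENERAL_NAME *
-d2i_GENERAL_NAME(GENERAL_NAME **a, const unsigned char **in, long len)
-{
- return (GENERAL_NAME *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
- &GENERAL_NAME_it);
-}
-
-int
-i2d_GENERAL_NAME(GENERAL_NAME *a, unsigned char **out)
-{
- return ASN1_item_i2d((ASN1_VALUE *)a, out, &GENERAL_NAME_it);
-}
-
-GENERAL_NAME *
-GENERAL_NAME_new(void)
-{
- return (GENERAL_NAME *)ASN1_item_new(&GENERAL_NAME_it);
-}
-
-void
-GENERAL_NAME_free(GENERAL_NAME *a)
-{
- ASN1_item_free((ASN1_VALUE *)a, &GENERAL_NAME_it);
-}
-
-ASN1_ITEM_TEMPLATE(GENERAL_NAMES) =
- ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, GeneralNames, GENERAL_NAME)
-ASN1_ITEM_TEMPLATE_END(GENERAL_NAMES)
-
-
-GENERAL_NAMES *
-d2i_GENERAL_NAMES(GENERAL_NAMES **a, const unsigned char **in, long len)
-{
- return (GENERAL_NAMES *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
- &GENERAL_NAMES_it);
-}
-
-int
-i2d_GENERAL_NAMES(GENERAL_NAMES *a, unsigned char **out)
-{
- return ASN1_item_i2d((ASN1_VALUE *)a, out, &GENERAL_NAMES_it);
-}
-
-GENERAL_NAMES *
-GENERAL_NAMES_new(void)
-{
- return (GENERAL_NAMES *)ASN1_item_new(&GENERAL_NAMES_it);
-}
-
-void
-GENERAL_NAMES_free(GENERAL_NAMES *a)
-{
- ASN1_item_free((ASN1_VALUE *)a, &GENERAL_NAMES_it);
-}
-
-GENERAL_NAME *
-GENERAL_NAME_dup(GENERAL_NAME *a)
-{
- return (GENERAL_NAME *)ASN1_dup((i2d_of_void *)i2d_GENERAL_NAME,
- (d2i_of_void *)d2i_GENERAL_NAME, (char *)a);
-}
-
-/* Returns 0 if they are equal, != 0 otherwise. */
-int
-GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b)
-{
- int result = -1;
-
- if (!a || !b || a->type != b->type)
- return -1;
- switch (a->type) {
- case GEN_X400:
- case GEN_EDIPARTY:
- result = ASN1_TYPE_cmp(a->d.other, b->d.other);
- break;
-
- case GEN_OTHERNAME:
- result = OTHERNAME_cmp(a->d.otherName, b->d.otherName);
- break;
-
- case GEN_EMAIL:
- case GEN_DNS:
- case GEN_URI:
- result = ASN1_STRING_cmp(a->d.ia5, b->d.ia5);
- break;
-
- case GEN_DIRNAME:
- result = X509_NAME_cmp(a->d.dirn, b->d.dirn);
- break;
-
- case GEN_IPADD:
- result = ASN1_OCTET_STRING_cmp(a->d.ip, b->d.ip);
- break;
-
- case GEN_RID:
- result = OBJ_cmp(a->d.rid, b->d.rid);
- break;
- }
- return result;
-}
-
-/* Returns 0 if they are equal, != 0 otherwise. */
-int
-OTHERNAME_cmp(OTHERNAME *a, OTHERNAME *b)
-{
- int result = -1;
-
- if (!a || !b)
- return -1;
- /* Check their type first. */
- if ((result = OBJ_cmp(a->type_id, b->type_id)) != 0)
- return result;
- /* Check the value. */
- result = ASN1_TYPE_cmp(a->value, b->value);
- return result;
-}
-
-void
-GENERAL_NAME_set0_value(GENERAL_NAME *a, int type, void *value)
-{
- switch (type) {
- case GEN_X400:
- case GEN_EDIPARTY:
- a->d.other = value;
- break;
-
- case GEN_OTHERNAME:
- a->d.otherName = value;
- break;
-
- case GEN_EMAIL:
- case GEN_DNS:
- case GEN_URI:
- a->d.ia5 = value;
- break;
-
- case GEN_DIRNAME:
- a->d.dirn = value;
- break;
-
- case GEN_IPADD:
- a->d.ip = value;
- break;
-
- case GEN_RID:
- a->d.rid = value;
- break;
- }
- a->type = type;
-}
-
-void *
-GENERAL_NAME_get0_value(GENERAL_NAME *a, int *ptype)
-{
- if (ptype)
- *ptype = a->type;
- switch (a->type) {
- case GEN_X400:
- case GEN_EDIPARTY:
- return a->d.other;
-
- case GEN_OTHERNAME:
- return a->d.otherName;
-
- case GEN_EMAIL:
- case GEN_DNS:
- case GEN_URI:
- return a->d.ia5;
-
- case GEN_DIRNAME:
- return a->d.dirn;
-
- case GEN_IPADD:
- return a->d.ip;
-
- case GEN_RID:
- return a->d.rid;
-
- default:
- return NULL;
- }
-}
-
-int
-GENERAL_NAME_set0_othername(GENERAL_NAME *gen, ASN1_OBJECT *oid,
- ASN1_TYPE *value)
-{
- OTHERNAME *oth;
-
- oth = OTHERNAME_new();
- if (!oth)
- return 0;
- oth->type_id = oid;
- oth->value = value;
- GENERAL_NAME_set0_value(gen, GEN_OTHERNAME, oth);
- return 1;
-}
-
-int
-GENERAL_NAME_get0_otherName(GENERAL_NAME *gen, ASN1_OBJECT **poid,
- ASN1_TYPE **pvalue)
-{
- if (gen->type != GEN_OTHERNAME)
- return 0;
- if (poid)
- *poid = gen->d.otherName->type_id;
- if (pvalue)
- *pvalue = gen->d.otherName->value;
- return 1;
-}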
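diff --git a/src/lib/libcrypto/x509v3/v3_ia5.c b/src/lib/libcrypto/x509v3/v3_ia5.c
deleted file mode 100644
index a9ac7197b6..0000000000
--- a/src/lib/libcrypto/x509v3/v3_ia5.c
+++ /dev/null
@@ -1,119 +0,0 @@
-/* $OpenBSD: v3_ia5.c,v 1.13 2014/07/11 08:44:49 jsing Exp $ */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 1999.
- */
-/* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-#include <string.h>
-
-#include <openssl/asn1.h>
-#include <openssl/conf.h>
-#include <openssl/err.h>
-#include <openssl/x509v3.h>
-
-static char *i2s_ASN1_IA5STRING(X509V3_EXT_METHOD *method, ASN1_IA5STRING *ia5);
-static ASN1_IA5STRING *s2i_ASN1_IA5STRING(X509V3_EXT_METHOD *method,
- X509V3_CTX *ctx, char *str);
-
-const X509V3_EXT_METHOD v3_ns_ia5_list[] = {
- EXT_IA5STRING(NID_netscape_base_url),
- EXT_IA5STRING(NID_netscape_revocation_url),
- EXT_IA5STRING(NID_netscape_ca_revocation_url),
- EXT_IA5STRING(NID_netscape_renewal_url),
- EXT_IA5STRING(NID_netscape_ca_policy_url),
- EXT_IA5STRING(NID_netscape_ssl_server_name),
- EXT_IA5STRING(NID_netscape_comment),
- EXT_END
-};
-
-static char *
-i2s_ASN1_IA5STRING(X509V3_EXT_METHOD *method, ASN1_IA5STRING *ia5)
-{
- char *tmp;
-
- if (!ia5 || !ia5->length)
- return NULL;
- if (!(tmp = malloc(ia5->length + 1))) {
- X509V3err(X509V3_F_I2S_ASN1_IA5STRING, ERR_R_MALLOC_FAILURE);
- return NULL;
- }
- memcpy(tmp, ia5->data, ia5->length);
- tmp[ia5->length] = 0;
- return tmp;
-}
-
-static ASN1_IA5STRING *
-s2i_ASN1_IA5STRING(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *str)
-{
- ASN1_IA5STRING *ia5;
- if (!str) {
- X509V3err(X509V3_F_S2I_ASN1_IA5STRING,
- X509V3_R_INVALID_NULL_ARGUMENT);
- return NULL;
- }
- if (!(ia5 = M_ASN1_IA5STRING_new()))
- goto err;
- if (!ASN1_STRING_set((ASN1_STRING *)ia5, (unsigned char*)str,
- strlen(str))) {
- M_ASN1_IA5STRING_free(ia5);
- goto err;
- }
- return ia5;
-
-err:
- X509V3err(X509V3_F_S2I_ASN1_IA5STRING, ERR_R_MALLOC_FAILURE);
- return NULL;
-}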
diff --git a/src/lib/libcrypto/x509v3/v3_info.c b/src/lib/libcrypto/x509v3/v3_info.c
deleted file mode 100644
index d9fa133308..0000000000
--- a/src/lib/libcrypto/x509v3/v3_info.c
+++ /dev/null
@@ -1,260 +0,0 @@
1/* $OpenBSD: v3_info.c,v 1.21 2015/02/09 16:03:11 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include <string.h>
61
62#include <openssl/asn1.h>
63#include <openssl/asn1t.h>
64#include <openssl/conf.h>
65#include <openssl/err.h>
66#include <openssl/x509v3.h>
67
68static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_INFO_ACCESS(
69 X509V3_EXT_METHOD *method, AUTHORITY_INFO_ACCESS *ainfo,
70 STACK_OF(CONF_VALUE) *ret);
71static AUTHORITY_INFO_ACCESS *v2i_AUTHORITY_INFO_ACCESS(
72 X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
73
74const X509V3_EXT_METHOD v3_info = {
75 NID_info_access, X509V3_EXT_MULTILINE,
76 ASN1_ITEM_ref(AUTHORITY_INFO_ACCESS),
77 0, 0, 0, 0,
78 0, 0,
79 (X509V3_EXT_I2V)i2v_AUTHORITY_INFO_ACCESS,
80 (X509V3_EXT_V2I)v2i_AUTHORITY_INFO_ACCESS,
81 0, 0,
82 NULL
83};
84
85const X509V3_EXT_METHOD v3_sinfo = {
86 NID_sinfo_access, X509V3_EXT_MULTILINE,
87 ASN1_ITEM_ref(AUTHORITY_INFO_ACCESS),
88 0, 0, 0, 0,
89 0, 0,
90 (X509V3_EXT_I2V)i2v_AUTHORITY_INFO_ACCESS,
91 (X509V3_EXT_V2I)v2i_AUTHORITY_INFO_ACCESS,
92 0, 0,
93 NULL
94};
95
96ASN1_SEQUENCE(ACCESS_DESCRIPTION) = {
97 ASN1_SIMPLE(ACCESS_DESCRIPTION, method, ASN1_OBJECT),
98 ASN1_SIMPLE(ACCESS_DESCRIPTION, location, GENERAL_NAME)
99} ASN1_SEQUENCE_END(ACCESS_DESCRIPTION)
100
101
102ACCESS_DESCRIPTION *
103d2i_ACCESS_DESCRIPTION(ACCESS_DESCRIPTION **a, const unsigned char **in, long len)
104{
105 return (ACCESS_DESCRIPTION *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
106 &ACCESS_DESCRIPTION_it);
107}
108
109int
110i2d_ACCESS_DESCRIPTION(ACCESS_DESCRIPTION *a, unsigned char **out)
111{
112 return ASN1_item_i2d((ASN1_VALUE *)a, out, &ACCESS_DESCRIPTION_it);
113}
114
115ACCESS_DESCRIPTION *
116ACCESS_DESCRIPTION_new(void)
117{
118 return (ACCESS_DESCRIPTION *)ASN1_item_new(&ACCESS_DESCRIPTION_it);
119}
120
121void
122ACCESS_DESCRIPTION_free(ACCESS_DESCRIPTION *a)
123{
124 ASN1_item_free((ASN1_VALUE *)a, &ACCESS_DESCRIPTION_it);
125}
126
127ASN1_ITEM_TEMPLATE(AUTHORITY_INFO_ACCESS) =
128 ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, GeneralNames,
129 ACCESS_DESCRIPTION)
130ASN1_ITEM_TEMPLATE_END(AUTHORITY_INFO_ACCESS)
131
132
133AUTHORITY_INFO_ACCESS *
134d2i_AUTHORITY_INFO_ACCESS(AUTHORITY_INFO_ACCESS **a, const unsigned char **in, long len)
135{
136 return (AUTHORITY_INFO_ACCESS *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
137 &AUTHORITY_INFO_ACCESS_it);
138}
139
140int
141i2d_AUTHORITY_INFO_ACCESS(AUTHORITY_INFO_ACCESS *a, unsigned char **out)
142{
143 return ASN1_item_i2d((ASN1_VALUE *)a, out, &AUTHORITY_INFO_ACCESS_it);
144}
145
146AUTHORITY_INFO_ACCESS *
147AUTHORITY_INFO_ACCESS_new(void)
148{
149 return (AUTHORITY_INFO_ACCESS *)ASN1_item_new(&AUTHORITY_INFO_ACCESS_it);
150}
151
152void
153AUTHORITY_INFO_ACCESS_free(AUTHORITY_INFO_ACCESS *a)
154{
155 ASN1_item_free((ASN1_VALUE *)a, &AUTHORITY_INFO_ACCESS_it);
156}
157
158static STACK_OF(CONF_VALUE) *
159i2v_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD *method,
160 AUTHORITY_INFO_ACCESS *ainfo, STACK_OF(CONF_VALUE) *ret)
161{
162 ACCESS_DESCRIPTION *desc;
163 int i, nlen;
164 char objtmp[80], *ntmp;
165 CONF_VALUE *vtmp;
166
167 for (i = 0; i < sk_ACCESS_DESCRIPTION_num(ainfo); i++) {
168 desc = sk_ACCESS_DESCRIPTION_value(ainfo, i);
169 ret = i2v_GENERAL_NAME(method, desc->location, ret);
170 if (!ret)
171 break;
172 vtmp = sk_CONF_VALUE_value(ret, i);
173 i2t_ASN1_OBJECT(objtmp, sizeof objtmp, desc->method);
174 nlen = strlen(objtmp) + strlen(vtmp->name) + 5;
175 ntmp = malloc(nlen);
176 if (!ntmp) {
177 X509V3err(X509V3_F_I2V_AUTHORITY_INFO_ACCESS,
178 ERR_R_MALLOC_FAILURE);
179 return NULL;
180 }
181 strlcpy(ntmp, objtmp, nlen);
182 strlcat(ntmp, " - ", nlen);
183 strlcat(ntmp, vtmp->name, nlen);
184 free(vtmp->name);
185 vtmp->name = ntmp;
186
187 }
188 if (!ret)
189 return sk_CONF_VALUE_new_null();
190 return ret;
191}
192
193static AUTHORITY_INFO_ACCESS *
194v2i_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
195 STACK_OF(CONF_VALUE) *nval)
196{
197 AUTHORITY_INFO_ACCESS *ainfo = NULL;
198 CONF_VALUE *cnf, ctmp;
199 ACCESS_DESCRIPTION *acc;
200 int i, objlen;
201 char *objtmp, *ptmp;
202
203 if (!(ainfo = sk_ACCESS_DESCRIPTION_new_null())) {
204 X509V3err(X509V3_F_V2I_AUTHORITY_INFO_ACCESS,
205 ERR_R_MALLOC_FAILURE);
206 return NULL;
207 }
208 for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
209 cnf = sk_CONF_VALUE_value(nval, i);
210 if ((acc = ACCESS_DESCRIPTION_new()) == NULL) {
211 X509V3err(X509V3_F_V2I_AUTHORITY_INFO_ACCESS,
212 ERR_R_MALLOC_FAILURE);
213 goto err;
214 }
215 if (sk_ACCESS_DESCRIPTION_push(ainfo, acc) == 0) {
216 ACCESS_DESCRIPTION_free(acc);
217 X509V3err(X509V3_F_V2I_AUTHORITY_INFO_ACCESS,
218 ERR_R_MALLOC_FAILURE);
219 goto err;
220 }
221 ptmp = strchr(cnf->name, ';');
222 if (!ptmp) {
223 X509V3err(X509V3_F_V2I_AUTHORITY_INFO_ACCESS,
224 X509V3_R_INVALID_SYNTAX);
225 goto err;
226 }
227 objlen = ptmp - cnf->name;
228 ctmp.name = ptmp + 1;
229 ctmp.value = cnf->value;
230 if (!v2i_GENERAL_NAME_ex(acc->location, method, ctx, &ctmp, 0))
231 goto err;
232 if (!(objtmp = malloc(objlen + 1))) {
233 X509V3err(X509V3_F_V2I_AUTHORITY_INFO_ACCESS,
234 ERR_R_MALLOC_FAILURE);
235 goto err;
236 }
237 strlcpy(objtmp, cnf->name, objlen + 1);
238 acc->method = OBJ_txt2obj(objtmp, 0);
239 if (!acc->method) {
240 X509V3err(X509V3_F_V2I_AUTHORITY_INFO_ACCESS,
241 X509V3_R_BAD_OBJECT);
242 ERR_asprintf_error_data("value=%s", objtmp);
243 free(objtmp);
244 goto err;
245 }
246 free(objtmp);
247 }
248 return ainfo;
249
250err:
251 sk_ACCESS_DESCRIPTION_pop_free(ainfo, ACCESS_DESCRIPTION_free);
252 return NULL;
253}
254
255int
256i2a_ACCESS_DESCRIPTION(BIO *bp, ACCESS_DESCRIPTION* a)
257{
258 i2a_ASN1_OBJECT(bp, a->method);
259 return 2;
260}
diff --git a/src/lib/libcrypto/x509v3/v3_int.c b/src/lib/libcrypto/x509v3/v3_int.c
deleted file mode 100644
index e1f6eb1c0a..0000000000
--- a/src/lib/libcrypto/x509v3/v3_int.c
+++ /dev/null
@@ -1,94 +0,0 @@
1/* $OpenBSD: v3_int.c,v 1.9 2014/07/11 08:44:49 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60
61#include <openssl/x509v3.h>
62
63const X509V3_EXT_METHOD v3_crl_num = {
64 NID_crl_number, 0, ASN1_ITEM_ref(ASN1_INTEGER),
65 0, 0, 0, 0,
66 (X509V3_EXT_I2S)i2s_ASN1_INTEGER,
67 0,
68 0, 0, 0, 0,
69 NULL
70};
71
72const X509V3_EXT_METHOD v3_delta_crl = {
73 NID_delta_crl, 0, ASN1_ITEM_ref(ASN1_INTEGER),
74 0, 0, 0, 0,
75 (X509V3_EXT_I2S)i2s_ASN1_INTEGER,
76 0,
77 0, 0, 0, 0,
78 NULL
79};
80
81static void *
82s2i_asn1_int(X509V3_EXT_METHOD *meth, X509V3_CTX *ctx, char *value)
83{
84 return s2i_ASN1_INTEGER(meth, value);
85}
86
87const X509V3_EXT_METHOD v3_inhibit_anyp = {
88 NID_inhibit_any_policy, 0, ASN1_ITEM_ref(ASN1_INTEGER),
89 0, 0, 0, 0,
90 (X509V3_EXT_I2S)i2s_ASN1_INTEGER,
91 (X509V3_EXT_S2I)s2i_asn1_int,
92 0, 0, 0, 0,
93 NULL
94};
diff --git a/src/lib/libcrypto/x509v3/v3_lib.c b/src/lib/libcrypto/x509v3/v3_lib.c
deleted file mode 100644
index 7731c7c544..0000000000
--- a/src/lib/libcrypto/x509v3/v3_lib.c
+++ /dev/null
@@ -1,345 +0,0 @@
1/* $OpenBSD: v3_lib.c,v 1.14 2015/02/10 11:22:22 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58/* X509 v3 extension utilities */
59
60#include <stdio.h>
61
62#include <openssl/conf.h>
63#include <openssl/err.h>
64#include <openssl/x509v3.h>
65
66#include "ext_dat.h"
67
68static STACK_OF(X509V3_EXT_METHOD) *ext_list = NULL;
69
70static int ext_cmp(const X509V3_EXT_METHOD * const *a,
71 const X509V3_EXT_METHOD * const *b);
72static void ext_list_free(X509V3_EXT_METHOD *ext);
73
74int
75X509V3_EXT_add(X509V3_EXT_METHOD *ext)
76{
77 if (!ext_list && !(ext_list = sk_X509V3_EXT_METHOD_new(ext_cmp))) {
78 X509V3err(X509V3_F_X509V3_EXT_ADD, ERR_R_MALLOC_FAILURE);
79 return 0;
80 }
81 if (!sk_X509V3_EXT_METHOD_push(ext_list, ext)) {
82 X509V3err(X509V3_F_X509V3_EXT_ADD, ERR_R_MALLOC_FAILURE);
83 return 0;
84 }
85 return 1;
86}
87
88static int
89ext_cmp(const X509V3_EXT_METHOD * const *a, const X509V3_EXT_METHOD * const *b)
90{
91 return ((*a)->ext_nid - (*b)->ext_nid);
92}
93
94DECLARE_OBJ_BSEARCH_CMP_FN(const X509V3_EXT_METHOD *,
95 const X509V3_EXT_METHOD *, ext);
96IMPLEMENT_OBJ_BSEARCH_CMP_FN(const X509V3_EXT_METHOD *,
97 const X509V3_EXT_METHOD *, ext);
98
99const X509V3_EXT_METHOD *
100X509V3_EXT_get_nid(int nid)
101{
102 X509V3_EXT_METHOD tmp;
103 const X509V3_EXT_METHOD *t = &tmp, * const *ret;
104 int idx;
105
106 if (nid < 0)
107 return NULL;
108 tmp.ext_nid = nid;
109 ret = OBJ_bsearch_ext(&t, standard_exts, STANDARD_EXTENSION_COUNT);
110 if (ret)
111 return *ret;
112 if (!ext_list)
113 return NULL;
114 idx = sk_X509V3_EXT_METHOD_find(ext_list, &tmp);
115 if (idx == -1)
116 return NULL;
117 return sk_X509V3_EXT_METHOD_value(ext_list, idx);
118}
119
120const X509V3_EXT_METHOD *
121X509V3_EXT_get(X509_EXTENSION *ext)
122{
123 int nid;
124
125 if ((nid = OBJ_obj2nid(ext->object)) == NID_undef)
126 return NULL;
127 return X509V3_EXT_get_nid(nid);
128}
129
130int
131X509V3_EXT_add_list(X509V3_EXT_METHOD *extlist)
132{
133 for (; extlist->ext_nid!=-1; extlist++)
134 if (!X509V3_EXT_add(extlist))
135 return 0;
136 return 1;
137}
138
139int
140X509V3_EXT_add_alias(int nid_to, int nid_from)
141{
142 const X509V3_EXT_METHOD *ext;
143 X509V3_EXT_METHOD *tmpext;
144
145 if (!(ext = X509V3_EXT_get_nid(nid_from))) {
146 X509V3err(X509V3_F_X509V3_EXT_ADD_ALIAS,
147 X509V3_R_EXTENSION_NOT_FOUND);
148 return 0;
149 }
150 if (!(tmpext = malloc(sizeof(X509V3_EXT_METHOD)))) {
151 X509V3err(X509V3_F_X509V3_EXT_ADD_ALIAS, ERR_R_MALLOC_FAILURE);
152 return 0;
153 }
154 *tmpext = *ext;
155 tmpext->ext_nid = nid_to;
156 tmpext->ext_flags |= X509V3_EXT_DYNAMIC;
157 return X509V3_EXT_add(tmpext);
158}
159
160void
161X509V3_EXT_cleanup(void)
162{
163 sk_X509V3_EXT_METHOD_pop_free(ext_list, ext_list_free);
164 ext_list = NULL;
165}
166
167static void
168ext_list_free(X509V3_EXT_METHOD *ext)
169{
170 if (ext->ext_flags & X509V3_EXT_DYNAMIC)
171 free(ext);
172}
173
174/* Legacy function: we don't need to add standard extensions
175 * any more because they are now kept in ext_dat.h.
176 */
177
178int
179X509V3_add_standard_extensions(void)
180{
181 return 1;
182}
183
184/* Return an extension internal structure */
185
186void *
187X509V3_EXT_d2i(X509_EXTENSION *ext)
188{
189 const X509V3_EXT_METHOD *method;
190 const unsigned char *p;
191
192 if (!(method = X509V3_EXT_get(ext)))
193 return NULL;
194 p = ext->value->data;
195 if (method->it)
196 return ASN1_item_d2i(NULL, &p, ext->value->length,
197 ASN1_ITEM_ptr(method->it));
198 return method->d2i(NULL, &p, ext->value->length);
199}
200
201/* Get critical flag and decoded version of extension from a NID.
202 * The "idx" variable returns the last found extension and can
203 * be used to retrieve multiple extensions of the same NID.
204 * However multiple extensions with the same NID is usually
205 * due to a badly encoded certificate so if idx is NULL we
206 * choke if multiple extensions exist.
207 * The "crit" variable is set to the critical value.
208 * The return value is the decoded extension or NULL on
209 * error. The actual error can have several different causes,
210 * the value of *crit reflects the cause:
211 * >= 0, extension found but not decoded (reflects critical value).
212 * -1 extension not found.
213 * -2 extension occurs more than once.
214 */
215
216void *
217X509V3_get_d2i(STACK_OF(X509_EXTENSION) *x, int nid, int *crit, int *idx)
218{
219 int lastpos, i;
220 X509_EXTENSION *ex, *found_ex = NULL;
221
222 if (!x) {
223 if (idx)
224 *idx = -1;
225 if (crit)
226 *crit = -1;
227 return NULL;
228 }
229 if (idx)
230 lastpos = *idx + 1;
231 else
232 lastpos = 0;
233 if (lastpos < 0)
234 lastpos = 0;
235 for (i = lastpos; i < sk_X509_EXTENSION_num(x); i++) {
236 ex = sk_X509_EXTENSION_value(x, i);
237 if (OBJ_obj2nid(ex->object) == nid) {
238 if (idx) {
239 *idx = i;
240 found_ex = ex;
241 break;
242 } else if (found_ex) {
243 /* Found more than one */
244 if (crit)
245 *crit = -2;
246 return NULL;
247 }
248 found_ex = ex;
249 }
250 }
251 if (found_ex) {
252 /* Found it */
253 if (crit)
254 *crit = X509_EXTENSION_get_critical(found_ex);
255 return X509V3_EXT_d2i(found_ex);
256 }
257
258 /* Extension not found */
259 if (idx)
260 *idx = -1;
261 if (crit)
262 *crit = -1;
263 return NULL;
264}
265
266/* This function is a general extension append, replace and delete utility.
267 * The precise operation is governed by the 'flags' value. The 'crit' and
268 * 'value' arguments (if relevant) are the extensions internal structure.
269 */
270
271int
272X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value,
273 int crit, unsigned long flags)
274{
275 int extidx = -1;
276 int errcode;
277 X509_EXTENSION *ext, *extmp;
278 unsigned long ext_op = flags & X509V3_ADD_OP_MASK;
279
280 /* If appending we don't care if it exists, otherwise
281 * look for existing extension.
282 */
283 if (ext_op != X509V3_ADD_APPEND)
284 extidx = X509v3_get_ext_by_NID(*x, nid, -1);
285
286 /* See if extension exists */
287 if (extidx >= 0) {
288 /* If keep existing, nothing to do */
289 if (ext_op == X509V3_ADD_KEEP_EXISTING)
290 return 1;
291 /* If default then its an error */
292 if (ext_op == X509V3_ADD_DEFAULT) {
293 errcode = X509V3_R_EXTENSION_EXISTS;
294 goto err;
295 }
296 /* If delete, just delete it */
297 if (ext_op == X509V3_ADD_DELETE) {
298 if (!sk_X509_EXTENSION_delete(*x, extidx))
299 return -1;
300 return 1;
301 }
302 } else {
303 /* If replace existing or delete, error since
304 * extension must exist
305 */
306 if ((ext_op == X509V3_ADD_REPLACE_EXISTING) ||
307 (ext_op == X509V3_ADD_DELETE)) {
308 errcode = X509V3_R_EXTENSION_NOT_FOUND;
309 goto err;
310 }
311 }
312
313 /* If we get this far then we have to create an extension:
314 * could have some flags for alternative encoding schemes...
315 */
316
317 ext = X509V3_EXT_i2d(nid, crit, value);
318
319 if (!ext) {
320 X509V3err(X509V3_F_X509V3_ADD1_I2D,
321 X509V3_R_ERROR_CREATING_EXTENSION);
322 return 0;
323 }
324
325 /* If extension exists replace it.. */
326 if (extidx >= 0) {
327 extmp = sk_X509_EXTENSION_value(*x, extidx);
328 X509_EXTENSION_free(extmp);
329 if (!sk_X509_EXTENSION_set(*x, extidx, ext))
330 return -1;
331 return 1;
332 }
333
334 if (!*x && !(*x = sk_X509_EXTENSION_new_null()))
335 return -1;
336 if (!sk_X509_EXTENSION_push(*x, ext))
337 return -1;
338
339 return 1;
340
341err:
342 if (!(flags & X509V3_ADD_SILENT))
343 X509V3err(X509V3_F_X509V3_ADD1_I2D, errcode);
344 return 0;
345}
diff --git a/src/lib/libcrypto/x509v3/v3_ncons.c b/src/lib/libcrypto/x509v3/v3_ncons.c
deleted file mode 100644
index 7cb272a58f..0000000000
--- a/src/lib/libcrypto/x509v3/v3_ncons.c
+++ /dev/null
@@ -1,506 +0,0 @@
1/* $OpenBSD: v3_ncons.c,v 1.6 2015/02/10 05:43:09 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project.
4 */
5/* ====================================================================
6 * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include <string.h>
61
62#include <openssl/asn1t.h>
63#include <openssl/conf.h>
64#include <openssl/err.h>
65#include <openssl/x509v3.h>
66
67static void *v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method,
68 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
69static int i2r_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method,
70 void *a, BIO *bp, int ind);
71static int do_i2r_name_constraints(const X509V3_EXT_METHOD *method,
72 STACK_OF(GENERAL_SUBTREE) *trees, BIO *bp, int ind, char *name);
73static int print_nc_ipadd(BIO *bp, ASN1_OCTET_STRING *ip);
74
75static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc);
76static int nc_match_single(GENERAL_NAME *sub, GENERAL_NAME *gen);
77static int nc_dn(X509_NAME *sub, X509_NAME *nm);
78static int nc_dns(ASN1_IA5STRING *sub, ASN1_IA5STRING *dns);
79static int nc_email(ASN1_IA5STRING *sub, ASN1_IA5STRING *eml);
80static int nc_uri(ASN1_IA5STRING *uri, ASN1_IA5STRING *base);
81
82const X509V3_EXT_METHOD v3_name_constraints = {
83 NID_name_constraints, 0,
84 ASN1_ITEM_ref(NAME_CONSTRAINTS),
85 0, 0, 0, 0,
86 0, 0,
87 0, v2i_NAME_CONSTRAINTS,
88 i2r_NAME_CONSTRAINTS, 0,
89 NULL
90};
91
92ASN1_SEQUENCE(GENERAL_SUBTREE) = {
93 ASN1_SIMPLE(GENERAL_SUBTREE, base, GENERAL_NAME),
94 ASN1_IMP_OPT(GENERAL_SUBTREE, minimum, ASN1_INTEGER, 0),
95 ASN1_IMP_OPT(GENERAL_SUBTREE, maximum, ASN1_INTEGER, 1)
96} ASN1_SEQUENCE_END(GENERAL_SUBTREE)
97
98ASN1_SEQUENCE(NAME_CONSTRAINTS) = {
99 ASN1_IMP_SEQUENCE_OF_OPT(NAME_CONSTRAINTS, permittedSubtrees,
100 GENERAL_SUBTREE, 0),
101 ASN1_IMP_SEQUENCE_OF_OPT(NAME_CONSTRAINTS, excludedSubtrees,
102 GENERAL_SUBTREE, 1),
103} ASN1_SEQUENCE_END(NAME_CONSTRAINTS)
104
105
106
107GENERAL_SUBTREE *
108GENERAL_SUBTREE_new(void)
109{
110 return (GENERAL_SUBTREE*)ASN1_item_new(&GENERAL_SUBTREE_it);
111}
112
113void
114GENERAL_SUBTREE_free(GENERAL_SUBTREE *a)
115{
116 ASN1_item_free((ASN1_VALUE *)a, &GENERAL_SUBTREE_it);
117}
118
119NAME_CONSTRAINTS *
120NAME_CONSTRAINTS_new(void)
121{
122 return (NAME_CONSTRAINTS*)ASN1_item_new(&NAME_CONSTRAINTS_it);
123}
124
125void
126NAME_CONSTRAINTS_free(NAME_CONSTRAINTS *a)
127{
128 ASN1_item_free((ASN1_VALUE *)a, &NAME_CONSTRAINTS_it);
129}
130
131static void *
132v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
133 STACK_OF(CONF_VALUE) *nval)
134{
135 int i;
136 CONF_VALUE tval, *val;
137 STACK_OF(GENERAL_SUBTREE) **ptree = NULL;
138 NAME_CONSTRAINTS *ncons = NULL;
139 GENERAL_SUBTREE *sub = NULL;
140
141 ncons = NAME_CONSTRAINTS_new();
142 if (!ncons)
143 goto memerr;
144 for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
145 val = sk_CONF_VALUE_value(nval, i);
146 if (!strncmp(val->name, "permitted", 9) && val->name[9]) {
147 ptree = &ncons->permittedSubtrees;
148 tval.name = val->name + 10;
149 } else if (!strncmp(val->name, "excluded", 8) && val->name[8]) {
150 ptree = &ncons->excludedSubtrees;
151 tval.name = val->name + 9;
152 } else {
153 X509V3err(X509V3_F_V2I_NAME_CONSTRAINTS,
154 X509V3_R_INVALID_SYNTAX);
155 goto err;
156 }
157 tval.value = val->value;
158 sub = GENERAL_SUBTREE_new();
159 if (!v2i_GENERAL_NAME_ex(sub->base, method, ctx, &tval, 1))
160 goto err;
161 if (!*ptree)
162 *ptree = sk_GENERAL_SUBTREE_new_null();
163 if (!*ptree || !sk_GENERAL_SUBTREE_push(*ptree, sub))
164 goto memerr;
165 sub = NULL;
166 }
167
168 return ncons;
169
170memerr:
171 X509V3err(X509V3_F_V2I_NAME_CONSTRAINTS, ERR_R_MALLOC_FAILURE);
172err:
173 if (ncons)
174 NAME_CONSTRAINTS_free(ncons);
175 if (sub)
176 GENERAL_SUBTREE_free(sub);
177
178 return NULL;
179}
180
181static int
182i2r_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method, void *a, BIO *bp, int ind)
183{
184 NAME_CONSTRAINTS *ncons = a;
185
186 do_i2r_name_constraints(method, ncons->permittedSubtrees,
187 bp, ind, "Permitted");
188 do_i2r_name_constraints(method, ncons->excludedSubtrees,
189 bp, ind, "Excluded");
190 return 1;
191}
192
193static int
194do_i2r_name_constraints(const X509V3_EXT_METHOD *method,
195 STACK_OF(GENERAL_SUBTREE) *trees, BIO *bp, int ind, char *name)
196{
197 GENERAL_SUBTREE *tree;
198 int i;
199
200 if (sk_GENERAL_SUBTREE_num(trees) > 0)
201 BIO_printf(bp, "%*s%s:\n", ind, "", name);
202 for (i = 0; i < sk_GENERAL_SUBTREE_num(trees); i++) {
203 tree = sk_GENERAL_SUBTREE_value(trees, i);
204 BIO_printf(bp, "%*s", ind + 2, "");
205 if (tree->base->type == GEN_IPADD)
206 print_nc_ipadd(bp, tree->base->d.ip);
207 else
208 GENERAL_NAME_print(bp, tree->base);
209 BIO_puts(bp, "\n");
210 }
211 return 1;
212}
213
214static int
215print_nc_ipadd(BIO *bp, ASN1_OCTET_STRING *ip)
216{
217 int i, len;
218 unsigned char *p;
219
220 p = ip->data;
221 len = ip->length;
222 BIO_puts(bp, "IP:");
223 if (len == 8) {
224 BIO_printf(bp, "%d.%d.%d.%d/%d.%d.%d.%d",
225 p[0], p[1], p[2], p[3], p[4], p[5], p[6], p[7]);
226 } else if (len == 32) {
227 for (i = 0; i < 16; i++) {
228 BIO_printf(bp, "%X", p[0] << 8 | p[1]);
229 p += 2;
230 if (i == 7)
231 BIO_puts(bp, "/");
232 else if (i != 15)
233 BIO_puts(bp, ":");
234 }
235 } else
236 BIO_printf(bp, "IP Address:<invalid>");
237 return 1;
238}
239
240/* Check a certificate conforms to a specified set of constraints.
241 * Return values:
242 * X509_V_OK: All constraints obeyed.
243 * X509_V_ERR_PERMITTED_VIOLATION: Permitted subtree violation.
244 * X509_V_ERR_EXCLUDED_VIOLATION: Excluded subtree violation.
245 * X509_V_ERR_SUBTREE_MINMAX: Min or max values present and matching type.
246 * X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE: Unsupported constraint type.
247 * X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX: bad unsupported constraint syntax.
248 * X509_V_ERR_UNSUPPORTED_NAME_SYNTAX: bad or unsupported syntax of name
249 */
250
251int
252NAME_CONSTRAINTS_check(X509 *x, NAME_CONSTRAINTS *nc)
253{
254 int r, i;
255 X509_NAME *nm;
256
257 nm = X509_get_subject_name(x);
258
259 if (X509_NAME_entry_count(nm) > 0) {
260 GENERAL_NAME gntmp;
261 gntmp.type = GEN_DIRNAME;
262 gntmp.d.directoryName = nm;
263
264 r = nc_match(&gntmp, nc);
265
266 if (r != X509_V_OK)
267 return r;
268
269 gntmp.type = GEN_EMAIL;
270
271 /* Process any email address attributes in subject name */
272
273 for (i = -1;;) {
274 X509_NAME_ENTRY *ne;
275 i = X509_NAME_get_index_by_NID(nm,
276 NID_pkcs9_emailAddress, i);
277 if (i == -1)
278 break;
279 ne = X509_NAME_get_entry(nm, i);
280 gntmp.d.rfc822Name = X509_NAME_ENTRY_get_data(ne);
281 if (gntmp.d.rfc822Name->type != V_ASN1_IA5STRING)
282 return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
283
284 r = nc_match(&gntmp, nc);
285
286 if (r != X509_V_OK)
287 return r;
288 }
289
290 }
291
292 for (i = 0; i < sk_GENERAL_NAME_num(x->altname); i++) {
293 GENERAL_NAME *gen = sk_GENERAL_NAME_value(x->altname, i);
294 r = nc_match(gen, nc);
295 if (r != X509_V_OK)
296 return r;
297 }
298
299 return X509_V_OK;
300}
301
302static int
303nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc)
304{
305 GENERAL_SUBTREE *sub;
306 int i, r, match = 0;
307
308 /* Permitted subtrees: if any subtrees exist of matching the type
309 * at least one subtree must match.
310 */
311
312 for (i = 0; i < sk_GENERAL_SUBTREE_num(nc->permittedSubtrees); i++) {
313 sub = sk_GENERAL_SUBTREE_value(nc->permittedSubtrees, i);
314 if (gen->type != sub->base->type)
315 continue;
316 if (sub->minimum || sub->maximum)
317 return X509_V_ERR_SUBTREE_MINMAX;
318 /* If we already have a match don't bother trying any more */
319 if (match == 2)
320 continue;
321 if (match == 0)
322 match = 1;
323 r = nc_match_single(gen, sub->base);
324 if (r == X509_V_OK)
325 match = 2;
326 else if (r != X509_V_ERR_PERMITTED_VIOLATION)
327 return r;
328 }
329
330 if (match == 1)
331 return X509_V_ERR_PERMITTED_VIOLATION;
332
333 /* Excluded subtrees: must not match any of these */
334
335 for (i = 0; i < sk_GENERAL_SUBTREE_num(nc->excludedSubtrees); i++) {
336 sub = sk_GENERAL_SUBTREE_value(nc->excludedSubtrees, i);
337 if (gen->type != sub->base->type)
338 continue;
339 if (sub->minimum || sub->maximum)
340 return X509_V_ERR_SUBTREE_MINMAX;
341
342 r = nc_match_single(gen, sub->base);
343 if (r == X509_V_OK)
344 return X509_V_ERR_EXCLUDED_VIOLATION;
345 else if (r != X509_V_ERR_PERMITTED_VIOLATION)
346 return r;
347
348 }
349
350 return X509_V_OK;
351}
352
353static int
354nc_match_single(GENERAL_NAME *gen, GENERAL_NAME *base)
355{
356 switch (base->type) {
357 case GEN_DIRNAME:
358 return nc_dn(gen->d.directoryName, base->d.directoryName);
359
360 case GEN_DNS:
361 return nc_dns(gen->d.dNSName, base->d.dNSName);
362
363 case GEN_EMAIL:
364 return nc_email(gen->d.rfc822Name, base->d.rfc822Name);
365
366 case GEN_URI:
367 return nc_uri(gen->d.uniformResourceIdentifier,
368 base->d.uniformResourceIdentifier);
369
370 default:
371 return X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE;
372 }
373}
374
375/* directoryName name constraint matching.
376 * The canonical encoding of X509_NAME makes this comparison easy. It is
377 * matched if the subtree is a subset of the name.
378 */
379
380static int
381nc_dn(X509_NAME *nm, X509_NAME *base)
382{
383 /* Ensure canonical encodings are up to date. */
384 if (nm->modified && i2d_X509_NAME(nm, NULL) < 0)
385 return X509_V_ERR_OUT_OF_MEM;
386 if (base->modified && i2d_X509_NAME(base, NULL) < 0)
387 return X509_V_ERR_OUT_OF_MEM;
388 if (base->canon_enclen > nm->canon_enclen)
389 return X509_V_ERR_PERMITTED_VIOLATION;
390 if (memcmp(base->canon_enc, nm->canon_enc, base->canon_enclen))
391 return X509_V_ERR_PERMITTED_VIOLATION;
392 return X509_V_OK;
393}
394
395static int
396nc_dns(ASN1_IA5STRING *dns, ASN1_IA5STRING *base)
397{
398 char *baseptr = (char *)base->data;
399 char *dnsptr = (char *)dns->data;
400
401 /* Empty matches everything */
402 if (!*baseptr)
403 return X509_V_OK;
404 /* Otherwise can add zero or more components on the left so
405 * compare RHS and if dns is longer and expect '.' as preceding
406 * character.
407 */
408 if (dns->length > base->length) {
409 dnsptr += dns->length - base->length;
410 if (dnsptr[-1] != '.')
411 return X509_V_ERR_PERMITTED_VIOLATION;
412 }
413
414 if (strcasecmp(baseptr, dnsptr))
415 return X509_V_ERR_PERMITTED_VIOLATION;
416
417 return X509_V_OK;
418}
419
420static int
421nc_email(ASN1_IA5STRING *eml, ASN1_IA5STRING *base)
422{
423 const char *baseptr = (char *)base->data;
424 const char *emlptr = (char *)eml->data;
425 const char *baseat = strchr(baseptr, '@');
426 const char *emlat = strchr(emlptr, '@');
427
428 if (!emlat)
429 return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
430 /* Special case: inital '.' is RHS match */
431 if (!baseat && (*baseptr == '.')) {
432 if (eml->length > base->length) {
433 emlptr += eml->length - base->length;
434 if (!strcasecmp(baseptr, emlptr))
435 return X509_V_OK;
436 }
437 return X509_V_ERR_PERMITTED_VIOLATION;
438 }
439
440 /* If we have anything before '@' match local part */
441
442 if (baseat) {
443 if (baseat != baseptr) {
444 if ((baseat - baseptr) != (emlat - emlptr))
445 return X509_V_ERR_PERMITTED_VIOLATION;
446 /* Case sensitive match of local part */
447 if (strncmp(baseptr, emlptr, emlat - emlptr))
448 return X509_V_ERR_PERMITTED_VIOLATION;
449 }
450 /* Position base after '@' */
451 baseptr = baseat + 1;
452 }
453 emlptr = emlat + 1;
454 /* Just have hostname left to match: case insensitive */
455 if (strcasecmp(baseptr, emlptr))
456 return X509_V_ERR_PERMITTED_VIOLATION;
457
458 return X509_V_OK;
459}
460
461static int
462nc_uri(ASN1_IA5STRING *uri, ASN1_IA5STRING *base)
463{
464 const char *baseptr = (char *)base->data;
465 const char *hostptr = (char *)uri->data;
466 const char *p = strchr(hostptr, ':');
467 int hostlen;
468
469 /* Check for foo:// and skip past it */
470 if (!p || (p[1] != '/') || (p[2] != '/'))
471 return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
472 hostptr = p + 3;
473
474 /* Determine length of hostname part of URI */
475
476 /* Look for a port indicator as end of hostname first */
477
478 p = strchr(hostptr, ':');
479 /* Otherwise look for trailing slash */
480 if (!p)
481 p = strchr(hostptr, '/');
482
483 if (!p)
484 hostlen = strlen(hostptr);
485 else
486 hostlen = p - hostptr;
487
488 if (hostlen == 0)
489 return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
490
491 /* Special case: inital '.' is RHS match */
492 if (*baseptr == '.') {
493 if (hostlen > base->length) {
494 p = hostptr + hostlen - base->length;
495 if (!strncasecmp(p, baseptr, base->length))
496 return X509_V_OK;
497 }
498 return X509_V_ERR_PERMITTED_VIOLATION;
499 }
500
501 if ((base->length != (int)hostlen) ||
502 strncasecmp(hostptr, baseptr, hostlen))
503 return X509_V_ERR_PERMITTED_VIOLATION;
504
505 return X509_V_OK;
506}
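diff --git a/src/lib/libcrypto/x509v3/v3_ocsp.c b/src/lib/libcrypto/x509v3/v3_ocsp.c
deleted file mode 100644
index 1d9c8a8513..0000000000
--- a/src/lib/libcrypto/x509v3/v3_ocsp.c
+++ /dev/null
@@ -1,327 +0,0 @@
-/* $OpenBSD: v3_ocsp.c,v 1.11 2015/02/15 08:45:27 miod Exp $ */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 1999.
- */
-/* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-#include <string.h>
-
-#include <openssl/opensslconf.h>
-
-#ifndef OPENSSL_NO_OCSP
-
-#include <openssl/asn1.h>
-#include <openssl/conf.h>
-#include <openssl/err.h>
-#include <openssl/ocsp.h>
-#include <openssl/x509v3.h>
-
-/* OCSP extensions and a couple of CRL entry extensions
- */
-
-static int i2r_ocsp_crlid(const X509V3_EXT_METHOD *method, void *nonce,
- BIO *out, int indent);
-static int i2r_ocsp_acutoff(const X509V3_EXT_METHOD *method, void *nonce,
- BIO *out, int indent);
-static int i2r_object(const X509V3_EXT_METHOD *method, void *obj, BIO *out,
- int indent);
-
-static void *ocsp_nonce_new(void);
-static int i2d_ocsp_nonce(void *a, unsigned char **pp);
-static void *d2i_ocsp_nonce(void *a, const unsigned char **pp, long length);
-static void ocsp_nonce_free(void *a);
-static int i2r_ocsp_nonce(const X509V3_EXT_METHOD *method, void *nonce,
- BIO *out, int indent);
-
-static int i2r_ocsp_nocheck(const X509V3_EXT_METHOD *method,
- void *nocheck, BIO *out, int indent);
-static void *s2i_ocsp_nocheck(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
- const char *str);
-static int i2r_ocsp_serviceloc(const X509V3_EXT_METHOD *method, void *in,
- BIO *bp, int ind);
-
-const X509V3_EXT_METHOD v3_ocsp_crlid = {
- NID_id_pkix_OCSP_CrlID, 0, ASN1_ITEM_ref(OCSP_CRLID),
- 0, 0, 0, 0,
- 0, 0,
- 0, 0,
- i2r_ocsp_crlid, 0,
- NULL
-};
-
-const X509V3_EXT_METHOD v3_ocsp_acutoff = {
- NID_id_pkix_OCSP_archiveCutoff, 0, ASN1_ITEM_ref(ASN1_GENERALIZEDTIME),
- 0, 0, 0, 0,
- 0, 0,
- 0, 0,
- i2r_ocsp_acutoff, 0,
- NULL
-};
-
-const X509V3_EXT_METHOD v3_crl_invdate = {
- NID_invalidity_date, 0, ASN1_ITEM_ref(ASN1_GENERALIZEDTIME),
- 0, 0, 0, 0,
- 0, 0,
- 0, 0,
- i2r_ocsp_acutoff, 0,
- NULL
-};
-
-const X509V3_EXT_METHOD v3_crl_hold = {
- NID_hold_instruction_code, 0, ASN1_ITEM_ref(ASN1_OBJECT),
- 0, 0, 0, 0,
- 0, 0,
- 0, 0,
- i2r_object, 0,
- NULL
-};
-
-const X509V3_EXT_METHOD v3_ocsp_nonce = {
- NID_id_pkix_OCSP_Nonce, 0, NULL,
- ocsp_nonce_new,
- ocsp_nonce_free,
- d2i_ocsp_nonce,
- i2d_ocsp_nonce,
- 0, 0,
- 0, 0,
- i2r_ocsp_nonce, 0,
- NULL
-};
-
-const X509V3_EXT_METHOD v3_ocsp_nocheck = {
- NID_id_pkix_OCSP_noCheck, 0, ASN1_ITEM_ref(ASN1_NULL),
- 0, 0, 0, 0,
- 0, s2i_ocsp_nocheck,
- 0, 0,
- i2r_ocsp_nocheck, 0,
- NULL
-};
-
-const X509V3_EXT_METHOD v3_ocsp_serviceloc = {
- NID_id_pkix_OCSP_serviceLocator, 0, ASN1_ITEM_ref(OCSP_SERVICELOC),
- 0, 0, 0, 0,
- 0, 0,
- 0, 0,
- i2r_ocsp_serviceloc, 0,
- NULL
-};
-
-static int
-i2r_ocsp_crlid(const X509V3_EXT_METHOD *method, void *in, BIO *bp, int ind)
-{
- OCSP_CRLID *a = in;
- if (a->crlUrl) {
- if (BIO_printf(bp, "%*scrlUrl: ", ind, "") <= 0)
- goto err;
- if (!ASN1_STRING_print(bp, (ASN1_STRING*)a->crlUrl))
- goto err;
- if (BIO_write(bp, "\n", 1) <= 0)
- goto err;
- }
- if (a->crlNum) {
- if (BIO_printf(bp, "%*scrlNum: ", ind, "") <= 0)
- goto err;
- if (i2a_ASN1_INTEGER(bp, a->crlNum) <= 0)
- goto err;
- if (BIO_write(bp, "\n", 1) <= 0)
- goto err;
- }
- if (a->crlTime) {
- if (BIO_printf(bp, "%*scrlTime: ", ind, "") <= 0)
- goto err;
- if (!ASN1_GENERALIZEDTIME_print(bp, a->crlTime))
- goto err;
- if (BIO_write(bp, "\n", 1) <= 0)
- goto err;
- }
- return 1;
-
-err:
- return 0;
-}
-
-static int
-i2r_ocsp_acutoff(const X509V3_EXT_METHOD *method, void *cutoff, BIO *bp,
- int ind)
-{
- if (BIO_printf(bp, "%*s", ind, "") <= 0)
- return 0;
- if (!ASN1_GENERALIZEDTIME_print(bp, cutoff))
- return 0;
- return 1;
-}
-
-static int
-i2r_object(const X509V3_EXT_METHOD *method, void *oid, BIO *bp, int ind)
-{
- if (BIO_printf(bp, "%*s", ind, "") <= 0)
- return 0;
- if (i2a_ASN1_OBJECT(bp, oid) <= 0)
- return 0;
- return 1;
-}
-
-/* OCSP nonce. This is needs special treatment because it doesn't have
- * an ASN1 encoding at all: it just contains arbitrary data.
- */
-
-static void *
-ocsp_nonce_new(void)
-{
- return ASN1_OCTET_STRING_new();
-}
-
-static int
-i2d_ocsp_nonce(void *a, unsigned char **pp)
-{
- ASN1_OCTET_STRING *os = a;
-
- if (pp) {
- memcpy(*pp, os->data, os->length);
- *pp += os->length;
- }
- return os->length;
-}
-
-static void *
-d2i_ocsp_nonce(void *a, const unsigned char **pp, long length)
-{
- ASN1_OCTET_STRING *os, **pos;
-
- pos = a;
- if (pos == NULL || *pos == NULL) {
- os = ASN1_OCTET_STRING_new();
- if (os == NULL)
- goto err;
- } else
- os = *pos;
- if (ASN1_OCTET_STRING_set(os, *pp, length) == 0)
- goto err;
-
- *pp += length;
-
- if (pos != NULL)
- *pos = os;
- return os;
-
-err:
- if (pos == NULL || *pos != os)
- M_ASN1_OCTET_STRING_free(os);
- OCSPerr(OCSP_F_D2I_OCSP_NONCE, ERR_R_MALLOC_FAILURE);
- return NULL;
-}
-
-static void
-ocsp_nonce_free(void *a)
-{
- M_ASN1_OCTET_STRING_free(a);
-}
-
-static int
-i2r_ocsp_nonce(const X509V3_EXT_METHOD *method, void *nonce, BIO *out,
- int indent)
-{
- if (BIO_printf(out, "%*s", indent, "") <= 0)
- return 0;
- if (i2a_ASN1_STRING(out, nonce, V_ASN1_OCTET_STRING) <= 0)
- return 0;
- return 1;
-}
-
-/* Nocheck is just a single NULL. Don't print anything and always set it */
-
-static int
-i2r_ocsp_nocheck(const X509V3_EXT_METHOD *method, void *nocheck, BIO *out,
- int indent)
-{
- return 1;
-}
-
-static void *
-s2i_ocsp_nocheck(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
- const char *str)
-{
- return ASN1_NULL_new();
-}
-
-static int
-i2r_ocsp_serviceloc(const X509V3_EXT_METHOD *method, void *in, BIO *bp, int ind)
-{
- int i;
- OCSP_SERVICELOC *a = in;
- ACCESS_DESCRIPTION *ad;
-
- if (BIO_printf(bp, "%*sIssuer: ", ind, "") <= 0)
- goto err;
- if (X509_NAME_print_ex(bp, a->issuer, 0, XN_FLAG_ONELINE) <= 0)
- goto err;
- for (i = 0; i < sk_ACCESS_DESCRIPTION_num(a->locator); i++) {
- ad = sk_ACCESS_DESCRIPTION_value(a->locator, i);
- if (BIO_printf(bp, "\n%*s", (2 * ind), "") <= 0)
- goto err;
- if (i2a_ASN1_OBJECT(bp, ad->method) <= 0)
- goto err;
- if (BIO_puts(bp, " - ") <= 0)
- goto err;
- if (GENERAL_NAME_print(bp, ad->location) <= 0)
- goto err;
- }
- return 1;
-
-err:
- return 0;
-}
-#endif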
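diff --git a/src/lib/libcrypto/x509v3/v3_pci.c b/src/lib/libcrypto/x509v3/v3_pci.c
deleted file mode 100644
index d3f73352d9..0000000000
--- a/src/lib/libcrypto/x509v3/v3_pci.c
+++ /dev/null
@@ -1,327 +0,0 @@
-/* $OpenBSD: v3_pci.c,v 1.8 2014/07/11 08:44:49 jsing Exp $ */
-/* Contributed to the OpenSSL Project 2004
- * by Richard Levitte (richard@levitte.org)
- */
-/* Copyright (c) 2004 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include <stdio.h>
-#include <string.h>
-
-#include <openssl/conf.h>
-#include <openssl/err.h>
-#include <openssl/x509v3.h>
-
-static int i2r_pci(X509V3_EXT_METHOD *method, PROXY_CERT_INFO_EXTENSION *ext,
- BIO *out, int indent);
-static PROXY_CERT_INFO_EXTENSION *r2i_pci(X509V3_EXT_METHOD *method,
- X509V3_CTX *ctx, char *str);
-
-const X509V3_EXT_METHOD v3_pci = {
- NID_proxyCertInfo, 0, ASN1_ITEM_ref(PROXY_CERT_INFO_EXTENSION),
- 0, 0, 0, 0, 0, 0, NULL, NULL,
- (X509V3_EXT_I2R)i2r_pci,
- (X509V3_EXT_R2I)r2i_pci,
- NULL,
-};
-
-static int
-i2r_pci(X509V3_EXT_METHOD *method, PROXY_CERT_INFO_EXTENSION *pci, BIO *out,
- int indent)
-{
- BIO_printf(out, "%*sPath Length Constraint: ", indent, "");
- if (pci->pcPathLengthConstraint)
- i2a_ASN1_INTEGER(out, pci->pcPathLengthConstraint);
- else
- BIO_printf(out, "infinite");
- BIO_puts(out, "\n");
- BIO_printf(out, "%*sPolicy Language: ", indent, "");
- i2a_ASN1_OBJECT(out, pci->proxyPolicy->policyLanguage);
- BIO_puts(out, "\n");
- if (pci->proxyPolicy->policy && pci->proxyPolicy->policy->data)
- BIO_printf(out, "%*sPolicy Text: %s\n", indent, "",
- pci->proxyPolicy->policy->data);
- return 1;
-}
-
-static int
-process_pci_value(CONF_VALUE *val, ASN1_OBJECT **language,
- ASN1_INTEGER **pathlen, ASN1_OCTET_STRING **policy)
-{
- int free_policy = 0;
-
- if (strcmp(val->name, "language") == 0) {
- if (*language) {
- X509V3err(X509V3_F_PROCESS_PCI_VALUE,
- X509V3_R_POLICY_LANGUAGE_ALREADY_DEFINED);
- X509V3_conf_err(val);
- return 0;
- }
- if (!(*language = OBJ_txt2obj(val->value, 0))) {
- X509V3err(X509V3_F_PROCESS_PCI_VALUE,
- X509V3_R_INVALID_OBJECT_IDENTIFIER);
- X509V3_conf_err(val);
- return 0;
- }
- }
- else if (strcmp(val->name, "pathlen") == 0) {
- if (*pathlen) {
- X509V3err(X509V3_F_PROCESS_PCI_VALUE,
- X509V3_R_POLICY_PATH_LENGTH_ALREADY_DEFINED);
- X509V3_conf_err(val);
- return 0;
- }
- if (!X509V3_get_value_int(val, pathlen)) {
- X509V3err(X509V3_F_PROCESS_PCI_VALUE,
- X509V3_R_POLICY_PATH_LENGTH);
- X509V3_conf_err(val);
- return 0;
- }
- }
- else if (strcmp(val->name, "policy") == 0) {
- unsigned char *tmp_data = NULL;
- long val_len;
- if (!*policy) {
- *policy = ASN1_OCTET_STRING_new();
- if (!*policy) {
- X509V3err(X509V3_F_PROCESS_PCI_VALUE,
- ERR_R_MALLOC_FAILURE);
- X509V3_conf_err(val);
- return 0;
- }
- free_policy = 1;
- }
- if (strncmp(val->value, "hex:", 4) == 0) {
- unsigned char *tmp_data2 =
- string_to_hex(val->value + 4, &val_len);
-
- if (!tmp_data2) {
- X509V3err(X509V3_F_PROCESS_PCI_VALUE,
- X509V3_R_ILLEGAL_HEX_DIGIT);
- X509V3_conf_err(val);
- goto err;
- }
-
- tmp_data = realloc((*policy)->data,
- (*policy)->length + val_len + 1);
- if (tmp_data) {
- (*policy)->data = tmp_data;
- memcpy(&(*policy)->data[(*policy)->length],
- tmp_data2, val_len);
- (*policy)->length += val_len;
- (*policy)->data[(*policy)->length] = '\0';
- } else {
- free(tmp_data2);
- free((*policy)->data);
- (*policy)->data = NULL;
- (*policy)->length = 0;
- X509V3err(X509V3_F_PROCESS_PCI_VALUE,
- ERR_R_MALLOC_FAILURE);
- X509V3_conf_err(val);
- goto err;
- }
- free(tmp_data2);
- }
- else if (strncmp(val->value, "file:", 5) == 0) {
- unsigned char buf[2048];
- int n;
- BIO *b = BIO_new_file(val->value + 5, "r");
- if (!b) {
- X509V3err(X509V3_F_PROCESS_PCI_VALUE,
- ERR_R_BIO_LIB);
- X509V3_conf_err(val);
- goto err;
- }
- while ((n = BIO_read(b, buf, sizeof(buf))) > 0 ||
- (n == 0 && BIO_should_retry(b))) {
- if (!n)
- continue;
-
- tmp_data = realloc((*policy)->data,
- (*policy)->length + n + 1);
-
- if (!tmp_data)
- break;
-
- (*policy)->data = tmp_data;
- memcpy(&(*policy)->data[(*policy)->length],
- buf, n);
- (*policy)->length += n;
- (*policy)->data[(*policy)->length] = '\0';
- }
- BIO_free_all(b);
-
- if (n < 0) {
- X509V3err(X509V3_F_PROCESS_PCI_VALUE,
- ERR_R_BIO_LIB);
- X509V3_conf_err(val);
- goto err;
- }
- }
- else if (strncmp(val->value, "text:", 5) == 0) {
- val_len = strlen(val->value + 5);
- tmp_data = realloc((*policy)->data,
- (*policy)->length + val_len + 1);
- if (tmp_data) {
- (*policy)->data = tmp_data;
- memcpy(&(*policy)->data[(*policy)->length],
- val->value + 5, val_len);
- (*policy)->length += val_len;
- (*policy)->data[(*policy)->length] = '\0';
- } else {
- free((*policy)->data);
- (*policy)->data = NULL;
- (*policy)->length = 0;
- X509V3err(X509V3_F_PROCESS_PCI_VALUE,
- ERR_R_MALLOC_FAILURE);
- X509V3_conf_err(val);
- goto err;
- }
- } else {
- X509V3err(X509V3_F_PROCESS_PCI_VALUE,
- X509V3_R_INCORRECT_POLICY_SYNTAX_TAG);
- X509V3_conf_err(val);
- goto err;
- }
- if (!tmp_data) {
- X509V3err(X509V3_F_PROCESS_PCI_VALUE,
- ERR_R_MALLOC_FAILURE);
- X509V3_conf_err(val);
- goto err;
- }
- }
- return 1;
-
-err:
- if (free_policy) {
- ASN1_OCTET_STRING_free(*policy);
- *policy = NULL;
- }
- return 0;
-}
-
-static PROXY_CERT_INFO_EXTENSION *
-r2i_pci(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *value)
-{
- PROXY_CERT_INFO_EXTENSION *pci = NULL;
- STACK_OF(CONF_VALUE) *vals;
- ASN1_OBJECT *language = NULL;
- ASN1_INTEGER *pathlen = NULL;
- ASN1_OCTET_STRING *policy = NULL;
- int i, j;
-
- vals = X509V3_parse_list(value);
- for (i = 0; i < sk_CONF_VALUE_num(vals); i++) {
- CONF_VALUE *cnf = sk_CONF_VALUE_value(vals, i);
- if (!cnf->name || (*cnf->name != '@' && !cnf->value)) {
- X509V3err(X509V3_F_R2I_PCI,
- X509V3_R_INVALID_PROXY_POLICY_SETTING);
- X509V3_conf_err(cnf);
- goto err;
- }
- if (*cnf->name == '@') {
- STACK_OF(CONF_VALUE) *sect;
- int success_p = 1;
-
- sect = X509V3_get_section(ctx, cnf->name + 1);
- if (!sect) {
- X509V3err(X509V3_F_R2I_PCI,
- X509V3_R_INVALID_SECTION);
- X509V3_conf_err(cnf);
- goto err;
- }
- for (j = 0; success_p &&
- j < sk_CONF_VALUE_num(sect); j++) {
- success_p = process_pci_value(
- sk_CONF_VALUE_value(sect, j),
- &language, &pathlen, &policy);
- }
- X509V3_section_free(ctx, sect);
- if (!success_p)
- goto err;
- } else {
- if (!process_pci_value(cnf,
- &language, &pathlen, &policy)) {
- X509V3_conf_err(cnf);
- goto err;
- }
- }
- }
-
- /* Language is mandatory */
- if (!language) {
- X509V3err(X509V3_F_R2I_PCI,
- X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED);
- goto err;
- }
- i = OBJ_obj2nid(language);
- if ((i == NID_Independent || i == NID_id_ppl_inheritAll) && policy) {
- X509V3err(X509V3_F_R2I_PCI,
- X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY);
- goto err;
- }
-
- pci = PROXY_CERT_INFO_EXTENSION_new();
- if (!pci) {
- X509V3err(X509V3_F_R2I_PCI, ERR_R_MALLOC_FAILURE);
- goto err;
- }
-
- pci->proxyPolicy->policyLanguage = language;
- language = NULL;
- pci->proxyPolicy->policy = policy;
- policy = NULL;
- pci->pcPathLengthConstraint = pathlen;
- pathlen = NULL;
- goto end;
-
-err:
- if (language) {
- ASN1_OBJECT_free(language);
- language = NULL;
- }
- if (pathlen) {
- ASN1_INTEGER_free(pathlen);
- pathlen = NULL;
- }
- if (policy) {
- ASN1_OCTET_STRING_free(policy);
- policy = NULL;
- }
- if (pci) {
- PROXY_CERT_INFO_EXTENSION_free(pci);
- pci = NULL;
- }
-end:
- sk_CONF_VALUE_pop_free(vals, X509V3_conf_free);
- return pci;
-}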
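diff --git a/src/lib/libcrypto/x509v3/v3_pcia.c b/src/lib/libcrypto/x509v3/v3_pcia.c
deleted file mode 100644
index 07e294e633..0000000000
--- a/src/lib/libcrypto/x509v3/v3_pcia.c
+++ /dev/null
@@ -1,102 +0,0 @@
-/* $OpenBSD: v3_pcia.c,v 1.5 2015/02/09 16:03:11 jsing Exp $ */
-/* Contributed to the OpenSSL Project 2004
- * by Richard Levitte (richard@levitte.org)
- */
-/* Copyright (c) 2004 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include <openssl/asn1.h>
-#include <openssl/asn1t.h>
-#include <openssl/x509v3.h>
-
-ASN1_SEQUENCE(PROXY_POLICY) = {
- ASN1_SIMPLE(PROXY_POLICY, policyLanguage, ASN1_OBJECT),
- ASN1_OPT(PROXY_POLICY, policy, ASN1_OCTET_STRING)
-} ASN1_SEQUENCE_END(PROXY_POLICY)
-
-
-PROXY_POLICY *
-d2i_PROXY_POLICY(PROXY_POLICY **a, const unsigned char **in, long len)
-{
- return (PROXY_POLICY *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
- &PROXY_POLICY_it);
-}
-
-int
-i2d_PROXY_POLICY(PROXY_POLICY *a, unsigned char **out)
-{
- return ASN1_item_i2d((ASN1_VALUE *)a, out, &PROXY_POLICY_it);
-}
-
-PROXY_POLICY *
-PROXY_POLICY_new(void)
-{
- return (PROXY_POLICY *)ASN1_item_new(&PROXY_POLICY_it);
-}
-
-void
-PROXY_POLICY_free(PROXY_POLICY *a)
-{
- ASN1_item_free((ASN1_VALUE *)a, &PROXY_POLICY_it);
-}
-
-ASN1_SEQUENCE(PROXY_CERT_INFO_EXTENSION) = {
- ASN1_OPT(PROXY_CERT_INFO_EXTENSION, pcPathLengthConstraint,
- ASN1_INTEGER),
- ASN1_SIMPLE(PROXY_CERT_INFO_EXTENSION, proxyPolicy, PROXY_POLICY)
-} ASN1_SEQUENCE_END(PROXY_CERT_INFO_EXTENSION)
-
-
-PROXY_CERT_INFO_EXTENSION *
-d2i_PROXY_CERT_INFO_EXTENSION(PROXY_CERT_INFO_EXTENSION **a, const unsigned char **in, long len)
-{
- return (PROXY_CERT_INFO_EXTENSION *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
- &PROXY_CERT_INFO_EXTENSION_it);
-}
-
-int
-i2d_PROXY_CERT_INFO_EXTENSION(PROXY_CERT_INFO_EXTENSION *a, unsigned char **out)
-{
- return ASN1_item_i2d((ASN1_VALUE *)a, out, &PROXY_CERT_INFO_EXTENSION_it);
-}
-
-PROXY_CERT_INFO_EXTENSION *
-PROXY_CERT_INFO_EXTENSION_new(void)
-{
- return (PROXY_CERT_INFO_EXTENSION *)ASN1_item_new(&PROXY_CERT_INFO_EXTENSION_it);
-}
-
-void
-PROXY_CERT_INFO_EXTENSION_free(PROXY_CERT_INFO_EXTENSION *a)
-{
- ASN1_item_free((ASN1_VALUE *)a, &PROXY_CERT_INFO_EXTENSION_it);
-}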
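diff --git a/src/lib/libcrypto/x509v3/v3_pcons.c b/src/lib/libcrypto/x509v3/v3_pcons.c
deleted file mode 100644
index 075efd8851..0000000000
--- a/src/lib/libcrypto/x509v3/v3_pcons.c
+++ /dev/null
@@ -1,156 +0,0 @@
-/* $OpenBSD: v3_pcons.c,v 1.6 2015/02/10 05:43:09 jsing Exp $ */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project.
- */
-/* ====================================================================
- * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-#include <string.h>
-
-#include <openssl/asn1.h>
-#include <openssl/asn1t.h>
-#include <openssl/conf.h>
-#include <openssl/err.h>
-#include <openssl/x509v3.h>
-
-static STACK_OF(CONF_VALUE) *
-i2v_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD *method, void *bcons,
- STACK_OF(CONF_VALUE) *extlist);
-static void *v2i_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD *method,
- X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values);
-
-const X509V3_EXT_METHOD v3_policy_constraints = {
- NID_policy_constraints, 0,
- ASN1_ITEM_ref(POLICY_CONSTRAINTS),
- 0, 0, 0, 0,
- 0, 0,
- i2v_POLICY_CONSTRAINTS,
- v2i_POLICY_CONSTRAINTS,
- NULL, NULL,
- NULL
-};
-
-ASN1_SEQUENCE(POLICY_CONSTRAINTS) = {
- ASN1_IMP_OPT(POLICY_CONSTRAINTS, requireExplicitPolicy,
- ASN1_INTEGER, 0),
- ASN1_IMP_OPT(POLICY_CONSTRAINTS, inhibitPolicyMapping, ASN1_INTEGER, 1)
-} ASN1_SEQUENCE_END(POLICY_CONSTRAINTS)
-
-
-POLICY_CONSTRAINTS *
-POLICY_CONSTRAINTS_new(void)
-{
- return (POLICY_CONSTRAINTS*)ASN1_item_new(&POLICY_CONSTRAINTS_it);
-}
-
-void
-POLICY_CONSTRAINTS_free(POLICY_CONSTRAINTS *a)
-{
- ASN1_item_free((ASN1_VALUE *)a, &POLICY_CONSTRAINTS_it);
-}
-
-static STACK_OF(CONF_VALUE) *
-i2v_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD *method, void *a,
- STACK_OF(CONF_VALUE) *extlist)
-{
- POLICY_CONSTRAINTS *pcons = a;
-
- X509V3_add_value_int("Require Explicit Policy",
- pcons->requireExplicitPolicy, &extlist);
- X509V3_add_value_int("Inhibit Policy Mapping",
- pcons->inhibitPolicyMapping, &extlist);
- return extlist;
-}
-
-static void *
-v2i_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
- STACK_OF(CONF_VALUE) *values)
-{
- POLICY_CONSTRAINTS *pcons = NULL;
- CONF_VALUE *val;
- int i;
-
- if (!(pcons = POLICY_CONSTRAINTS_new())) {
- X509V3err(X509V3_F_V2I_POLICY_CONSTRAINTS,
- ERR_R_MALLOC_FAILURE);
- return NULL;
- }
- for (i = 0; i < sk_CONF_VALUE_num(values); i++) {
- val = sk_CONF_VALUE_value(values, i);
- if (!strcmp(val->name, "requireExplicitPolicy")) {
- if (!X509V3_get_value_int(val,
- &pcons->requireExplicitPolicy)) goto err;
- } else if (!strcmp(val->name, "inhibitPolicyMapping")) {
- if (!X509V3_get_value_int(val,
- &pcons->inhibitPolicyMapping)) goto err;
- } else {
- X509V3err(X509V3_F_V2I_POLICY_CONSTRAINTS,
- X509V3_R_INVALID_NAME);
- X509V3_conf_err(val);
- goto err;
- }
- }
- if (!pcons->inhibitPolicyMapping && !pcons->requireExplicitPolicy) {
- X509V3err(X509V3_F_V2I_POLICY_CONSTRAINTS,
- X509V3_R_ILLEGAL_EMPTY_EXTENSION);
- goto err;
- }
-
- return pcons;
-
-err:
- POLICY_CONSTRAINTS_free(pcons);
- return NULL;
-}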
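diff --git a/src/lib/libcrypto/x509v3/v3_pku.c b/src/lib/libcrypto/x509v3/v3_pku.c
deleted file mode 100644
index 4bce07f09c..0000000000
--- a/src/lib/libcrypto/x509v3/v3_pku.c
+++ /dev/null
@@ -1,135 +0,0 @@
-/* $OpenBSD: v3_pku.c,v 1.10 2015/02/09 16:03:11 jsing Exp $ */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 1999.
- */
-/* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-
-#include <openssl/asn1.h>
-#include <openssl/asn1t.h>
-#include <openssl/x509v3.h>
-
-static int i2r_PKEY_USAGE_PERIOD(X509V3_EXT_METHOD *method,
- PKEY_USAGE_PERIOD *usage, BIO *out, int indent);
-/*
-static PKEY_USAGE_PERIOD *v2i_PKEY_USAGE_PERIOD(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values);
-*/
-const X509V3_EXT_METHOD v3_pkey_usage_period = {
- NID_private_key_usage_period, 0, ASN1_ITEM_ref(PKEY_USAGE_PERIOD),
- 0, 0, 0, 0,
- 0, 0, 0, 0,
- (X509V3_EXT_I2R)i2r_PKEY_USAGE_PERIOD, NULL,
- NULL
-};
-
-ASN1_SEQUENCE(PKEY_USAGE_PERIOD) = {
- ASN1_IMP_OPT(PKEY_USAGE_PERIOD, notBefore, ASN1_GENERALIZEDTIME, 0),
- ASN1_IMP_OPT(PKEY_USAGE_PERIOD, notAfter, ASN1_GENERALIZEDTIME, 1)
-} ASN1_SEQUENCE_END(PKEY_USAGE_PERIOD)
-
-
-PKEY_USAGE_PERIOD *
-d2i_PKEY_USAGE_PERIOD(PKEY_USAGE_PERIOD **a, const unsigned char **in, long len)
-{
- return (PKEY_USAGE_PERIOD *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
- &PKEY_USAGE_PERIOD_it);
-}
-
-int
-i2d_PKEY_USAGE_PERIOD(PKEY_USAGE_PERIOD *a, unsigned char **out)
-{
- return ASN1_item_i2d((ASN1_VALUE *)a, out, &PKEY_USAGE_PERIOD_it);
-}
-
-PKEY_USAGE_PERIOD *
-PKEY_USAGE_PERIOD_new(void)
-{
- return (PKEY_USAGE_PERIOD *)ASN1_item_new(&PKEY_USAGE_PERIOD_it);
-}
-
-void
-PKEY_USAGE_PERIOD_free(PKEY_USAGE_PERIOD *a)
-{
- ASN1_item_free((ASN1_VALUE *)a, &PKEY_USAGE_PERIOD_it);
-}
-
-static int
-i2r_PKEY_USAGE_PERIOD(X509V3_EXT_METHOD *method, PKEY_USAGE_PERIOD *usage,
- BIO *out, int indent)
-{
- BIO_printf(out, "%*s", indent, "");
- if (usage->notBefore) {
- BIO_write(out, "Not Before: ", 12);
- ASN1_GENERALIZEDTIME_print(out, usage->notBefore);
- if (usage->notAfter)
- BIO_write(out, ", ", 2);
- }
- if (usage->notAfter) {
- BIO_write(out, "Not After: ", 11);
- ASN1_GENERALIZEDTIME_print(out, usage->notAfter);
- }
- return 1;
-}
-
-/*
-static PKEY_USAGE_PERIOD *v2i_PKEY_USAGE_PERIOD(method, ctx, values)
-X509V3_EXT_METHOD *method;
-X509V3_CTX *ctx;
-STACK_OF(CONF_VALUE) *values;
-{
-return NULL;
-}
-*/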
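diff --git a/src/lib/libcrypto/x509v3/v3_pmaps.c b/src/lib/libcrypto/x509v3/v3_pmaps.c
deleted file mode 100644
index e8099d7f12..0000000000
--- a/src/lib/libcrypto/x509v3/v3_pmaps.c
+++ /dev/null
@@ -1,177 +0,0 @@
-/* $OpenBSD: v3_pmaps.c,v 1.7 2015/02/13 01:16:26 beck Exp $ */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project.
- */
-/* ====================================================================
- * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-
-#include <stdio.h>
-
-#include <openssl/asn1t.h>
-#include <openssl/conf.h>
-#include <openssl/err.h>
-#include <openssl/x509v3.h>
-
-static void *v2i_POLICY_MAPPINGS(const X509V3_EXT_METHOD *method,
- X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
-static STACK_OF(CONF_VALUE) *i2v_POLICY_MAPPINGS(
- const X509V3_EXT_METHOD *method, void *pmps, STACK_OF(CONF_VALUE) *extlist);
-
-const X509V3_EXT_METHOD v3_policy_mappings = {
- NID_policy_mappings, 0,
- ASN1_ITEM_ref(POLICY_MAPPINGS),
- 0, 0, 0, 0,
- 0, 0,
- i2v_POLICY_MAPPINGS,
- v2i_POLICY_MAPPINGS,
- 0, 0,
- NULL
-};
-
-ASN1_SEQUENCE(POLICY_MAPPING) = {
- ASN1_SIMPLE(POLICY_MAPPING, issuerDomainPolicy, ASN1_OBJECT),
- ASN1_SIMPLE(POLICY_MAPPING, subjectDomainPolicy, ASN1_OBJECT)
-} ASN1_SEQUENCE_END(POLICY_MAPPING)
-
-ASN1_ITEM_TEMPLATE(POLICY_MAPPINGS) =
-ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, POLICY_MAPPINGS,
- POLICY_MAPPING)
-ASN1_ITEM_TEMPLATE_END(POLICY_MAPPINGS)
-
-
-POLICY_MAPPING *
-POLICY_MAPPING_new(void)
-{
- return (POLICY_MAPPING*)ASN1_item_new(&POLICY_MAPPING_it);
-}
-
-void
-POLICY_MAPPING_free(POLICY_MAPPING *a)
-{
- ASN1_item_free((ASN1_VALUE *)a, &POLICY_MAPPING_it);
-}
-
-static STACK_OF(CONF_VALUE) *
-i2v_POLICY_MAPPINGS(const X509V3_EXT_METHOD *method, void *a,
- STACK_OF(CONF_VALUE) *ext_list)
-{
- POLICY_MAPPINGS *pmaps = a;
- POLICY_MAPPING *pmap;
- int i;
- char obj_tmp1[80];
- char obj_tmp2[80];
-
- for (i = 0; i < sk_POLICY_MAPPING_num(pmaps); i++) {
- pmap = sk_POLICY_MAPPING_value(pmaps, i);
- i2t_ASN1_OBJECT(obj_tmp1, 80, pmap->issuerDomainPolicy);
- i2t_ASN1_OBJECT(obj_tmp2, 80, pmap->subjectDomainPolicy);
- X509V3_add_value(obj_tmp1, obj_tmp2, &ext_list);
- }
- return ext_list;
-}
-
-static void *
-v2i_POLICY_MAPPINGS(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
- STACK_OF(CONF_VALUE) *nval)
-{
- POLICY_MAPPINGS *pmaps = NULL;
- POLICY_MAPPING *pmap = NULL;
- ASN1_OBJECT *obj1 = NULL, *obj2 = NULL;
- CONF_VALUE *val;
- int i, rc;
-
- if (!(pmaps = sk_POLICY_MAPPING_new_null())) {
- X509V3err(X509V3_F_V2I_POLICY_MAPPINGS, ERR_R_MALLOC_FAILURE);
- return NULL;
- }
-
- for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
- val = sk_CONF_VALUE_value(nval, i);
- if (!val->value || !val->name) {
- rc = X509V3_R_INVALID_OBJECT_IDENTIFIER;
- goto err;
- }
- obj1 = OBJ_txt2obj(val->name, 0);
- obj2 = OBJ_txt2obj(val->value, 0);
- if (!obj1 || !obj2) {
- rc = X509V3_R_INVALID_OBJECT_IDENTIFIER;
- goto err;
- }
- pmap = POLICY_MAPPING_new();
- if (!pmap) {
- rc = ERR_R_MALLOC_FAILURE;
- goto err;
- }
- pmap->issuerDomainPolicy = obj1;
- pmap->subjectDomainPolicy = obj2;
- obj1 = obj2 = NULL;
- if (sk_POLICY_MAPPING_push(pmaps, pmap) == 0) {
- rc = ERR_R_MALLOC_FAILURE;
- goto err;
- }
- pmap = NULL;
- }
- return pmaps;
-
-err:
- sk_POLICY_MAPPING_pop_free(pmaps, POLICY_MAPPING_free);
- X509V3err(X509V3_F_V2I_POLICY_MAPPINGS, rc);
- if (rc == X509V3_R_INVALID_OBJECT_IDENTIFIER)
- X509V3_conf_err(val);
- ASN1_OBJECT_free(obj1);
- ASN1_OBJECT_free(obj2);
- POLICY_MAPPING_free(pmap);
- return NULL;
-}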
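diff --git a/src/lib/libcrypto/x509v3/v3_prn.c b/src/lib/libcrypto/x509v3/v3_prn.c
deleted file mode 100644
index 037d129c87..0000000000
--- a/src/lib/libcrypto/x509v3/v3_prn.c
+++ /dev/null
@@ -1,225 +0,0 @@
-/* $OpenBSD: v3_prn.c,v 1.17 2014/07/11 08:44:49 jsing Exp $ */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 1999.
- */
-/* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-/* X509 v3 extension utilities */
-
-#include <stdio.h>
-
-#include <openssl/conf.h>
-#include <openssl/x509v3.h>
-
-/* Extension printing routines */
-
-static int unknown_ext_print(BIO *out, X509_EXTENSION *ext, unsigned long flag,
- int indent, int supported);
-
-/* Print out a name+value stack */
-
-void
-X509V3_EXT_val_prn(BIO *out, STACK_OF(CONF_VALUE) *val, int indent, int ml)
-{
- int i;
- CONF_VALUE *nval;
-
- if (!val)
- return;
- if (!ml || !sk_CONF_VALUE_num(val)) {
- BIO_printf(out, "%*s", indent, "");
- if (!sk_CONF_VALUE_num(val))
- BIO_puts(out, "<EMPTY>\n");
- }
- for (i = 0; i < sk_CONF_VALUE_num(val); i++) {
- if (ml)
- BIO_printf(out, "%*s", indent, "");
- else if (i > 0) BIO_printf(out, ", ");
- nval = sk_CONF_VALUE_value(val, i);
- if (!nval->name)
- BIO_puts(out, nval->value);
- else if (!nval->value)
- BIO_puts(out, nval->name);
- else
- BIO_printf(out, "%s:%s", nval->name, nval->value);
- if (ml)
- BIO_puts(out, "\n");
- }
-}
-
-/* Main routine: print out a general extension */
-
-int
-X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, unsigned long flag, int indent)
-{
- void *ext_str = NULL;
- char *value = NULL;
- const unsigned char *p;
- const X509V3_EXT_METHOD *method;
- STACK_OF(CONF_VALUE) *nval = NULL;
- int ok = 1;
-
- if (!(method = X509V3_EXT_get(ext)))
- return unknown_ext_print(out, ext, flag, indent, 0);
- p = ext->value->data;
- if (method->it)
- ext_str = ASN1_item_d2i(NULL, &p, ext->value->length,
- ASN1_ITEM_ptr(method->it));
- else
- ext_str = method->d2i(NULL, &p, ext->value->length);
-
- if (!ext_str)
- return unknown_ext_print(out, ext, flag, indent, 1);
-
- if (method->i2s) {
- if (!(value = method->i2s(method, ext_str))) {
- ok = 0;
- goto err;
- }
- BIO_printf(out, "%*s%s", indent, "", value);
- } else if (method->i2v) {
- if (!(nval = method->i2v(method, ext_str, NULL))) {
- ok = 0;
- goto err;
- }
- X509V3_EXT_val_prn(out, nval, indent,
- method->ext_flags & X509V3_EXT_MULTILINE);
- } else if (method->i2r) {
- if (!method->i2r(method, ext_str, out, indent))
- ok = 0;
- } else
- ok = 0;
-
-err:
- sk_CONF_VALUE_pop_free(nval, X509V3_conf_free);
- free(value);
- if (method->it)
- ASN1_item_free(ext_str, ASN1_ITEM_ptr(method->it));
- else
- method->ext_free(ext_str);
- return ok;
-}
-
-int
-X509V3_extensions_print(BIO *bp, char *title, STACK_OF(X509_EXTENSION) *exts,
- unsigned long flag, int indent)
-{
- int i, j;
-
- if (sk_X509_EXTENSION_num(exts) <= 0)
- return 1;
-
- if (title) {
- BIO_printf(bp, "%*s%s:\n",indent, "", title);
- indent += 4;
- }
-
- for (i = 0; i < sk_X509_EXTENSION_num(exts); i++) {
- ASN1_OBJECT *obj;
- X509_EXTENSION *ex;
- ex = sk_X509_EXTENSION_value(exts, i);
- if (indent && BIO_printf(bp, "%*s",indent, "") <= 0)
- return 0;
- obj = X509_EXTENSION_get_object(ex);
- i2a_ASN1_OBJECT(bp, obj);
- j = X509_EXTENSION_get_critical(ex);
- if (BIO_printf(bp, ": %s\n",j?"critical":"") <= 0)
- return 0;
- if (!X509V3_EXT_print(bp, ex, flag, indent + 4)) {
- BIO_printf(bp, "%*s", indent + 4, "");
- M_ASN1_OCTET_STRING_print(bp, ex->value);
- }
- if (BIO_write(bp, "\n",1) <= 0)
- return 0;
- }
- return 1;
-}
-
-static int
-unknown_ext_print(BIO *out, X509_EXTENSION *ext, unsigned long flag,
- int indent, int supported)
-{
- switch (flag & X509V3_EXT_UNKNOWN_MASK) {
- case X509V3_EXT_DEFAULT:
- return 0;
- case X509V3_EXT_ERROR_UNKNOWN:
- if (supported)
- BIO_printf(out, "%*s<Parse Error>", indent, "");
- else
- BIO_printf(out, "%*s<Not Supported>", indent, "");
- return 1;
- case X509V3_EXT_PARSE_UNKNOWN:
- return ASN1_parse_dump(out,
- ext->value->data, ext->value->length, indent, -1);
- case X509V3_EXT_DUMP_UNKNOWN:
- return BIO_dump_indent(out, (char *)ext->value->data,
- ext->value->length, indent);
- default:
- return 1;
- }
-}
-
-
-int
-X509V3_EXT_print_fp(FILE *fp, X509_EXTENSION *ext, int flag, int indent)
-{
- BIO *bio_tmp;
- int ret;
-
- if (!(bio_tmp = BIO_new_fp(fp, BIO_NOCLOSE)))
- return 0;
- ret = X509V3_EXT_print(bio_tmp, ext, flag, indent);
- BIO_free(bio_tmp);
- return ret;
-}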
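diff --git a/src/lib/libcrypto/x509v3/v3_purp.c b/src/lib/libcrypto/x509v3/v3_purp.c
deleted file mode 100644
index 69a8d05f26..0000000000
--- a/src/lib/libcrypto/x509v3/v3_purp.c
+++ /dev/null
@@ -1,861 +0,0 @@
-/* $OpenBSD: v3_purp.c,v 1.26 2015/02/10 13:28:17 jsing Exp $ */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 2001.
- */
-/* ====================================================================
- * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-#include <string.h>
-
-#include <openssl/opensslconf.h>
-
-#include <openssl/err.h>
-#include <openssl/x509v3.h>
-#include <openssl/x509_vfy.h>
-
-static void x509v3_cache_extensions(X509 *x);
-
-static int check_ssl_ca(const X509 *x);
-static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x,
- int ca);
-static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x,
- int ca);
-static int check_purpose_ns_ssl_server(const X509_PURPOSE *xp, const X509 *x,
- int ca);
-static int purpose_smime(const X509 *x, int ca);
-static int check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x,
- int ca);
-static int check_purpose_smime_encrypt(const X509_PURPOSE *xp, const X509 *x,
- int ca);
-static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x,
- int ca);
-static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x,
- int ca);
-static int no_check(const X509_PURPOSE *xp, const X509 *x, int ca);
-static int ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca);
-
-static int xp_cmp(const X509_PURPOSE * const *a, const X509_PURPOSE * const *b);
-static void xptable_free(X509_PURPOSE *p);
-
-static X509_PURPOSE xstandard[] = {
- {X509_PURPOSE_SSL_CLIENT, X509_TRUST_SSL_CLIENT, 0, check_purpose_ssl_client, "SSL client", "sslclient", NULL},
- {X509_PURPOSE_SSL_SERVER, X509_TRUST_SSL_SERVER, 0, check_purpose_ssl_server, "SSL server", "sslserver", NULL},
- {X509_PURPOSE_NS_SSL_SERVER, X509_TRUST_SSL_SERVER, 0, check_purpose_ns_ssl_server, "Netscape SSL server", "nssslserver", NULL},
- {X509_PURPOSE_SMIME_SIGN, X509_TRUST_EMAIL, 0, check_purpose_smime_sign, "S/MIME signing", "smimesign", NULL},
- {X509_PURPOSE_SMIME_ENCRYPT, X509_TRUST_EMAIL, 0, check_purpose_smime_encrypt, "S/MIME encryption", "smimeencrypt", NULL},
- {X509_PURPOSE_CRL_SIGN, X509_TRUST_COMPAT, 0, check_purpose_crl_sign, "CRL signing", "crlsign", NULL},
- {X509_PURPOSE_ANY, X509_TRUST_DEFAULT, 0, no_check, "Any Purpose", "any", NULL},
- {X509_PURPOSE_OCSP_HELPER, X509_TRUST_COMPAT, 0, ocsp_helper, "OCSP helper", "ocsphelper", NULL},
- {X509_PURPOSE_TIMESTAMP_SIGN, X509_TRUST_TSA, 0, check_purpose_timestamp_sign, "Time Stamp signing", "timestampsign", NULL},
-};
-
-#define X509_PURPOSE_COUNT (sizeof(xstandard)/sizeof(X509_PURPOSE))
-
-static STACK_OF(X509_PURPOSE) *xptable = NULL;
-
-static int
-xp_cmp(const X509_PURPOSE * const *a, const X509_PURPOSE * const *b)
-{
- return (*a)->purpose - (*b)->purpose;
-}
-
-/* As much as I'd like to make X509_check_purpose use a "const" X509*
- * I really can't because it does recalculate hashes and do other non-const
- * things. */
-int
-X509_check_purpose(X509 *x, int id, int ca)
-{
- int idx;
- const X509_PURPOSE *pt;
-
- if (!(x->ex_flags & EXFLAG_SET)) {
- CRYPTO_w_lock(CRYPTO_LOCK_X509);
- x509v3_cache_extensions(x);
- CRYPTO_w_unlock(CRYPTO_LOCK_X509);
- }
- if (id == -1)
- return 1;
- idx = X509_PURPOSE_get_by_id(id);
- if (idx == -1)
- return -1;
- pt = X509_PURPOSE_get0(idx);
- return pt->check_purpose(pt, x, ca);
-}
-
-int
-X509_PURPOSE_set(int *p, int purpose)
-{
- if (X509_PURPOSE_get_by_id(purpose) == -1) {
- X509V3err(X509V3_F_X509_PURPOSE_SET, X509V3_R_INVALID_PURPOSE);
- return 0;
- }
- *p = purpose;
- return 1;
-}
-
-int
-X509_PURPOSE_get_count(void)
-{
- if (!xptable)
- return X509_PURPOSE_COUNT;
- return sk_X509_PURPOSE_num(xptable) + X509_PURPOSE_COUNT;
-}
-
-X509_PURPOSE *
-X509_PURPOSE_get0(int idx)
-{
- if (idx < 0)
- return NULL;
- if (idx < (int)X509_PURPOSE_COUNT)
- return xstandard + idx;
- return sk_X509_PURPOSE_value(xptable, idx - X509_PURPOSE_COUNT);
-}
-
-int
-X509_PURPOSE_get_by_sname(char *sname)
-{
- int i;
- X509_PURPOSE *xptmp;
-
- for (i = 0; i < X509_PURPOSE_get_count(); i++) {
- xptmp = X509_PURPOSE_get0(i);
- if (!strcmp(xptmp->sname, sname))
- return i;
- }
- return -1;
-}
-
-int
-X509_PURPOSE_get_by_id(int purpose)
-{
- X509_PURPOSE tmp;
- int idx;
-
- if ((purpose >= X509_PURPOSE_MIN) && (purpose <= X509_PURPOSE_MAX))
- return purpose - X509_PURPOSE_MIN;
- tmp.purpose = purpose;
- if (!xptable)
- return -1;
- idx = sk_X509_PURPOSE_find(xptable, &tmp);
- if (idx == -1)
- return -1;
- return idx + X509_PURPOSE_COUNT;
-}
-
-int
-X509_PURPOSE_add(int id, int trust, int flags,
- int (*ck)(const X509_PURPOSE *, const X509 *, int), char *name,
- char *sname, void *arg)
-{
- int idx;
- X509_PURPOSE *ptmp;
- char *name_dup, *sname_dup;
-
- name_dup = sname_dup = NULL;
-
- if (name == NULL || sname == NULL) {
- X509V3err(X509V3_F_X509_PURPOSE_ADD,
- X509V3_R_INVALID_NULL_ARGUMENT);
- return 0;
- }
-
- /* This is set according to what we change: application can't set it */
- flags &= ~X509_PURPOSE_DYNAMIC;
- /* This will always be set for application modified trust entries */
- flags |= X509_PURPOSE_DYNAMIC_NAME;
- /* Get existing entry if any */
- idx = X509_PURPOSE_get_by_id(id);
- /* Need a new entry */
- if (idx == -1) {
- if ((ptmp = malloc(sizeof(X509_PURPOSE))) == NULL) {
- X509V3err(X509V3_F_X509_PURPOSE_ADD,
- ERR_R_MALLOC_FAILURE);
- return 0;
- }
- ptmp->flags = X509_PURPOSE_DYNAMIC;
- } else
- ptmp = X509_PURPOSE_get0(idx);
-
- if ((name_dup = strdup(name)) == NULL)
- goto err;
- if ((sname_dup = strdup(sname)) == NULL)
- goto err;
-
- /* free existing name if dynamic */
- if (ptmp->flags & X509_PURPOSE_DYNAMIC_NAME) {
- free(ptmp->name);
- free(ptmp->sname);
- }
- /* dup supplied name */
- ptmp->name = name_dup;
- ptmp->sname = sname_dup;
- /* Keep the dynamic flag of existing entry */
- ptmp->flags &= X509_PURPOSE_DYNAMIC;
- /* Set all other flags */
- ptmp->flags |= flags;
-
- ptmp->purpose = id;
- ptmp->trust = trust;
- ptmp->check_purpose = ck;
- ptmp->usr_data = arg;
-
- /* If its a new entry manage the dynamic table */
- if (idx == -1) {
- if (xptable == NULL &&
- (xptable = sk_X509_PURPOSE_new(xp_cmp)) == NULL)
- goto err;
- if (sk_X509_PURPOSE_push(xptable, ptmp) == 0)
- goto err;
- }
- return 1;
-
-err:
- free(name_dup);
- free(sname_dup);
- if (idx == -1)
- free(ptmp);
- X509V3err(X509V3_F_X509_PURPOSE_ADD, ERR_R_MALLOC_FAILURE);
- return 0;
-}
-
-static void
-xptable_free(X509_PURPOSE *p)
-{
- if (!p)
- return;
- if (p->flags & X509_PURPOSE_DYNAMIC) {
- if (p->flags & X509_PURPOSE_DYNAMIC_NAME) {
- free(p->name);
- free(p->sname);
- }
- free(p);
- }
-}
-
-void
-X509_PURPOSE_cleanup(void)
-{
- unsigned int i;
-
- sk_X509_PURPOSE_pop_free(xptable, xptable_free);
- for(i = 0; i < X509_PURPOSE_COUNT; i++)
- xptable_free(xstandard + i);
- xptable = NULL;
-}
-
-int
-X509_PURPOSE_get_id(X509_PURPOSE *xp)
-{
- return xp->purpose;
-}
-
-char *
-X509_PURPOSE_get0_name(X509_PURPOSE *xp)
-{
- return xp->name;
-}
-
-char *
-X509_PURPOSE_get0_sname(X509_PURPOSE *xp)
-{
- return xp->sname;
-}
-
-int
-X509_PURPOSE_get_trust(X509_PURPOSE *xp)
-{
- return xp->trust;
-}
-
-static int
-nid_cmp(const int *a, const int *b)
-{
- return *a - *b;
-}
-
-DECLARE_OBJ_BSEARCH_CMP_FN(int, int, nid);
-IMPLEMENT_OBJ_BSEARCH_CMP_FN(int, int, nid);
-
-int
-X509_supported_extension(X509_EXTENSION *ex)
-{
- /* This table is a list of the NIDs of supported extensions:
- * that is those which are used by the verify process. If
- * an extension is critical and doesn't appear in this list
- * then the verify process will normally reject the certificate.
- * The list must be kept in numerical order because it will be
- * searched using bsearch.
- */
-
- static const int supported_nids[] = {
- NID_netscape_cert_type, /* 71 */
- NID_key_usage, /* 83 */
- NID_subject_alt_name, /* 85 */
- NID_basic_constraints, /* 87 */
- NID_certificate_policies, /* 89 */
- NID_ext_key_usage, /* 126 */
- NID_policy_constraints, /* 401 */
- NID_proxyCertInfo, /* 663 */
- NID_name_constraints, /* 666 */
- NID_policy_mappings, /* 747 */
- NID_inhibit_any_policy /* 748 */
- };
-
- int ex_nid = OBJ_obj2nid(X509_EXTENSION_get_object(ex));
-
- if (ex_nid == NID_undef)
- return 0;
-
- if (OBJ_bsearch_nid(&ex_nid, supported_nids,
- sizeof(supported_nids) / sizeof(int)))
- return 1;
- return 0;
-}
-
-static void
-setup_dp(X509 *x, DIST_POINT *dp)
-{
- X509_NAME *iname = NULL;
- int i;
-
- if (dp->reasons) {
- if (dp->reasons->length > 0)
- dp->dp_reasons = dp->reasons->data[0];
- if (dp->reasons->length > 1)
- dp->dp_reasons |= (dp->reasons->data[1] << 8);
- dp->dp_reasons &= CRLDP_ALL_REASONS;
- } else
- dp->dp_reasons = CRLDP_ALL_REASONS;
- if (!dp->distpoint || (dp->distpoint->type != 1))
- return;
- for (i = 0; i < sk_GENERAL_NAME_num(dp->CRLissuer); i++) {
- GENERAL_NAME *gen = sk_GENERAL_NAME_value(dp->CRLissuer, i);
- if (gen->type == GEN_DIRNAME) {
- iname = gen->d.directoryName;
- break;
- }
- }
- if (!iname)
- iname = X509_get_issuer_name(x);
-
- DIST_POINT_set_dpname(dp->distpoint, iname);
-
-}
-
-static void
-setup_crldp(X509 *x)
-{
- int i;
-
- x->crldp = X509_get_ext_d2i(x, NID_crl_distribution_points, NULL, NULL);
- for (i = 0; i < sk_DIST_POINT_num(x->crldp); i++)
- setup_dp(x, sk_DIST_POINT_value(x->crldp, i));
-}
-
-static void
-x509v3_cache_extensions(X509 *x)
-{
- BASIC_CONSTRAINTS *bs;
- PROXY_CERT_INFO_EXTENSION *pci;
- ASN1_BIT_STRING *usage;
- ASN1_BIT_STRING *ns;
- EXTENDED_KEY_USAGE *extusage;
- X509_EXTENSION *ex;
-
- int i;
- if (x->ex_flags & EXFLAG_SET)
- return;
-#ifndef OPENSSL_NO_SHA
- X509_digest(x, EVP_sha1(), x->sha1_hash, NULL);
-#endif
- /* Does subject name match issuer ? */
- if (!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x)))
- x->ex_flags |= EXFLAG_SI;
- /* V1 should mean no extensions ... */
- if (!X509_get_version(x))
- x->ex_flags |= EXFLAG_V1;
- /* Handle basic constraints */
- if ((bs = X509_get_ext_d2i(x, NID_basic_constraints, NULL, NULL))) {
- if (bs->ca)
- x->ex_flags |= EXFLAG_CA;
- if (bs->pathlen) {
- if ((bs->pathlen->type == V_ASN1_NEG_INTEGER) ||
- !bs->ca) {
- x->ex_flags |= EXFLAG_INVALID;
- x->ex_pathlen = 0;
- } else
- x->ex_pathlen = ASN1_INTEGER_get(bs->pathlen);
- } else
- x->ex_pathlen = -1;
- BASIC_CONSTRAINTS_free(bs);
- x->ex_flags |= EXFLAG_BCONS;
- }
- /* Handle proxy certificates */
- if ((pci = X509_get_ext_d2i(x, NID_proxyCertInfo, NULL, NULL))) {
- if (x->ex_flags & EXFLAG_CA ||
- X509_get_ext_by_NID(x, NID_subject_alt_name, -1) >= 0 ||
- X509_get_ext_by_NID(x, NID_issuer_alt_name, -1) >= 0) {
- x->ex_flags |= EXFLAG_INVALID;
- }
- if (pci->pcPathLengthConstraint) {
- x->ex_pcpathlen =
- ASN1_INTEGER_get(pci->pcPathLengthConstraint);
- } else
- x->ex_pcpathlen = -1;
- PROXY_CERT_INFO_EXTENSION_free(pci);
- x->ex_flags |= EXFLAG_PROXY;
- }
- /* Handle key usage */
- if ((usage = X509_get_ext_d2i(x, NID_key_usage, NULL, NULL))) {
- if (usage->length > 0) {
- x->ex_kusage = usage->data[0];
- if (usage->length > 1)
- x->ex_kusage |= usage->data[1] << 8;
- } else
- x->ex_kusage = 0;
- x->ex_flags |= EXFLAG_KUSAGE;
- ASN1_BIT_STRING_free(usage);
- }
- x->ex_xkusage = 0;
- if ((extusage = X509_get_ext_d2i(x, NID_ext_key_usage, NULL, NULL))) {
- x->ex_flags |= EXFLAG_XKUSAGE;
- for (i = 0; i < sk_ASN1_OBJECT_num(extusage); i++) {
- switch (OBJ_obj2nid(sk_ASN1_OBJECT_value(extusage, i))) {
- case NID_server_auth:
- x->ex_xkusage |= XKU_SSL_SERVER;
- break;
-
- case NID_client_auth:
- x->ex_xkusage |= XKU_SSL_CLIENT;
- break;
-
- case NID_email_protect:
- x->ex_xkusage |= XKU_SMIME;
- break;
-
- case NID_code_sign:
- x->ex_xkusage |= XKU_CODE_SIGN;
- break;
-
- case NID_ms_sgc:
- case NID_ns_sgc:
- x->ex_xkusage |= XKU_SGC;
- break;
-
- case NID_OCSP_sign:
- x->ex_xkusage |= XKU_OCSP_SIGN;
- break;
-
- case NID_time_stamp:
- x->ex_xkusage |= XKU_TIMESTAMP;
- break;
-
- case NID_dvcs:
- x->ex_xkusage |= XKU_DVCS;
- break;
- }
- }
- sk_ASN1_OBJECT_pop_free(extusage, ASN1_OBJECT_free);
- }
-
- if ((ns = X509_get_ext_d2i(x, NID_netscape_cert_type, NULL, NULL))) {
- if (ns->length > 0)
- x->ex_nscert = ns->data[0];
- else
- x->ex_nscert = 0;
- x->ex_flags |= EXFLAG_NSCERT;
- ASN1_BIT_STRING_free(ns);
- }
-
- x->skid = X509_get_ext_d2i(x, NID_subject_key_identifier, NULL, NULL);
- x->akid = X509_get_ext_d2i(x, NID_authority_key_identifier, NULL, NULL);
- x->altname = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
- x->nc = X509_get_ext_d2i(x, NID_name_constraints, &i, NULL);
- if (!x->nc && (i != -1))
- x->ex_flags |= EXFLAG_INVALID;
- setup_crldp(x);
-
- for (i = 0; i < X509_get_ext_count(x); i++) {
- ex = X509_get_ext(x, i);
- if (OBJ_obj2nid(X509_EXTENSION_get_object(ex)) ==
- NID_freshest_crl)
- x->ex_flags |= EXFLAG_FRESHEST;
- if (!X509_EXTENSION_get_critical(ex))
- continue;
- if (!X509_supported_extension(ex)) {
- x->ex_flags |= EXFLAG_CRITICAL;
- break;
- }
- }
- x->ex_flags |= EXFLAG_SET;
-}
-
-/* CA checks common to all purposes
- * return codes:
- * 0 not a CA
- * 1 is a CA
- * 2 basicConstraints absent so "maybe" a CA
- * 3 basicConstraints absent but self signed V1.
- * 4 basicConstraints absent but keyUsage present and keyCertSign asserted.
- */
-
-#define V1_ROOT (EXFLAG_V1|EXFLAG_SS)
-#define ku_reject(x, usage) \
- (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage)))
-#define xku_reject(x, usage) \
- (((x)->ex_flags & EXFLAG_XKUSAGE) && !((x)->ex_xkusage & (usage)))
-#define ns_reject(x, usage) \
- (((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage)))
-
-static int
-check_ca(const X509 *x)
-{
- /* keyUsage if present should allow cert signing */
- if (ku_reject(x, KU_KEY_CERT_SIGN))
- return 0;
- if (x->ex_flags & EXFLAG_BCONS) {
- if (x->ex_flags & EXFLAG_CA)
- return 1;
- /* If basicConstraints says not a CA then say so */
- else
- return 0;
- } else {
- /* we support V1 roots for... uh, I don't really know why. */
- if ((x->ex_flags & V1_ROOT) == V1_ROOT)
- return 3;
- /* If key usage present it must have certSign so tolerate it */
- else if (x->ex_flags & EXFLAG_KUSAGE)
- return 4;
- /* Older certificates could have Netscape-specific CA types */
- else if (x->ex_flags & EXFLAG_NSCERT &&
- x->ex_nscert & NS_ANY_CA)
- return 5;
- /* can this still be regarded a CA certificate? I doubt it */
- return 0;
- }
-}
-
-int
-X509_check_ca(X509 *x)
-{
- if (!(x->ex_flags & EXFLAG_SET)) {
- CRYPTO_w_lock(CRYPTO_LOCK_X509);
- x509v3_cache_extensions(x);
- CRYPTO_w_unlock(CRYPTO_LOCK_X509);
- }
-
- return check_ca(x);
-}
-
-/* Check SSL CA: common checks for SSL client and server */
-static int
-check_ssl_ca(const X509 *x)
-{
- int ca_ret;
-
- ca_ret = check_ca(x);
- if (!ca_ret)
- return 0;
- /* check nsCertType if present */
- if (ca_ret != 5 || x->ex_nscert & NS_SSL_CA)
- return ca_ret;
- else
- return 0;
-}
-
-static int
-check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, int ca)
-{
- if (xku_reject(x, XKU_SSL_CLIENT))
- return 0;
- if (ca)
- return check_ssl_ca(x);
- /* We need to do digital signatures with it */
- if (ku_reject(x, KU_DIGITAL_SIGNATURE))
- return 0;
- /* nsCertType if present should allow SSL client use */
- if (ns_reject(x, NS_SSL_CLIENT))
- return 0;
- return 1;
-}
-
-static int
-check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca)
-{
- if (xku_reject(x, XKU_SSL_SERVER|XKU_SGC))
- return 0;
- if (ca)
- return check_ssl_ca(x);
-
- if (ns_reject(x, NS_SSL_SERVER))
- return 0;
- /* Now as for keyUsage: we'll at least need to sign OR encipher */
- if (ku_reject(x, KU_DIGITAL_SIGNATURE|KU_KEY_ENCIPHERMENT))
- return 0;
-
- return 1;
-}
-
-static int
-check_purpose_ns_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca)
-{
- int ret;
-
- ret = check_purpose_ssl_server(xp, x, ca);
- if (!ret || ca)
- return ret;
- /* We need to encipher or Netscape complains */
- if (ku_reject(x, KU_KEY_ENCIPHERMENT))
- return 0;
- return ret;
-}
-
-/* common S/MIME checks */
-static int
-purpose_smime(const X509 *x, int ca)
-{
- if (xku_reject(x, XKU_SMIME))
- return 0;
- if (ca) {
- int ca_ret;
- ca_ret = check_ca(x);
- if (!ca_ret)
- return 0;
- /* check nsCertType if present */
- if (ca_ret != 5 || x->ex_nscert & NS_SMIME_CA)
- return ca_ret;
- else
- return 0;
- }
- if (x->ex_flags & EXFLAG_NSCERT) {
- if (x->ex_nscert & NS_SMIME)
- return 1;
- /* Workaround for some buggy certificates */
- if (x->ex_nscert & NS_SSL_CLIENT)
- return 2;
- return 0;
- }
- return 1;
-}
-
-static int
-check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x, int ca)
-{
- int ret;
-
- ret = purpose_smime(x, ca);
- if (!ret || ca)
- return ret;
- if (ku_reject(x, KU_DIGITAL_SIGNATURE|KU_NON_REPUDIATION))
- return 0;
- return ret;
-}
-
-static int
-check_purpose_smime_encrypt(const X509_PURPOSE *xp, const X509 *x, int ca)
-{
- int ret;
-
- ret = purpose_smime(x, ca);
- if (!ret || ca)
- return ret;
- if (ku_reject(x, KU_KEY_ENCIPHERMENT))
- return 0;
- return ret;
-}
-
-static int
-check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x, int ca)
-{
- if (ca) {
- int ca_ret;
- if ((ca_ret = check_ca(x)) != 2)
- return ca_ret;
- else
- return 0;
- }
- if (ku_reject(x, KU_CRL_SIGN))
- return 0;
- return 1;
-}
-
-/* OCSP helper: this is *not* a full OCSP check. It just checks that
- * each CA is valid. Additional checks must be made on the chain.
- */
-static int
-ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca)
-{
- /* Must be a valid CA. Should we really support the "I don't know"
- value (2)? */
- if (ca)
- return check_ca(x);
- /* leaf certificate is checked in OCSP_verify() */
- return 1;
-}
-
-static int
-check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x, int ca)
-{
- int i_ext;
-
- /* If ca is true we must return if this is a valid CA certificate. */
- if (ca)
- return check_ca(x);
-
- /*
- * Check the optional key usage field:
- * if Key Usage is present, it must be one of digitalSignature
- * and/or nonRepudiation (other values are not consistent and shall
- * be rejected).
- */
- if ((x->ex_flags & EXFLAG_KUSAGE) &&
- ((x->ex_kusage & ~(KU_NON_REPUDIATION | KU_DIGITAL_SIGNATURE)) ||
- !(x->ex_kusage & (KU_NON_REPUDIATION | KU_DIGITAL_SIGNATURE))))
- return 0;
-
- /* Only time stamp key usage is permitted and it's required. */
- if (!(x->ex_flags & EXFLAG_XKUSAGE) || x->ex_xkusage != XKU_TIMESTAMP)
- return 0;
-
- /* Extended Key Usage MUST be critical */
- i_ext = X509_get_ext_by_NID((X509 *) x, NID_ext_key_usage, -1);
- if (i_ext >= 0) {
- X509_EXTENSION *ext = X509_get_ext((X509 *) x, i_ext);
- if (!X509_EXTENSION_get_critical(ext))
- return 0;
- }
-
- return 1;
-}
-
-static int
-no_check(const X509_PURPOSE *xp, const X509 *x, int ca)
-{
- return 1;
-}
-
-/* Various checks to see if one certificate issued the second.
- * This can be used to prune a set of possible issuer certificates
- * which have been looked up using some simple method such as by
- * subject name.
- * These are:
- * 1. Check issuer_name(subject) == subject_name(issuer)
- * 2. If akid(subject) exists check it matches issuer
- * 3. If key_usage(issuer) exists check it supports certificate signing
- * returns 0 for OK, positive for reason for mismatch, reasons match
- * codes for X509_verify_cert()
- */
-
-int
-X509_check_issued(X509 *issuer, X509 *subject)
-{
- if (X509_NAME_cmp(X509_get_subject_name(issuer),
- X509_get_issuer_name(subject)))
- return X509_V_ERR_SUBJECT_ISSUER_MISMATCH;
- x509v3_cache_extensions(issuer);
- x509v3_cache_extensions(subject);
-
- if (subject->akid) {
- int ret = X509_check_akid(issuer, subject->akid);
- if (ret != X509_V_OK)
- return ret;
- }
-
- if (subject->ex_flags & EXFLAG_PROXY) {
- if (ku_reject(issuer, KU_DIGITAL_SIGNATURE))
- return X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE;
- } else if (ku_reject(issuer, KU_KEY_CERT_SIGN))
- return X509_V_ERR_KEYUSAGE_NO_CERTSIGN;
- return X509_V_OK;
-}
-
-int
-X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid)
-{
- if (!akid)
- return X509_V_OK;
-
- /* Check key ids (if present) */
- if (akid->keyid && issuer->skid &&
- ASN1_OCTET_STRING_cmp(akid->keyid, issuer->skid) )
- return X509_V_ERR_AKID_SKID_MISMATCH;
- /* Check serial number */
- if (akid->serial &&
- ASN1_INTEGER_cmp(X509_get_serialNumber(issuer), akid->serial))
- return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
- /* Check issuer name */
- if (akid->issuer) {
- /* Ugh, for some peculiar reason AKID includes
- * SEQUENCE OF GeneralName. So look for a DirName.
- * There may be more than one but we only take any
- * notice of the first.
- */
- GENERAL_NAMES *gens;
- GENERAL_NAME *gen;
- X509_NAME *nm = NULL;
- int i;
- gens = akid->issuer;
- for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
- gen = sk_GENERAL_NAME_value(gens, i);
- if (gen->type == GEN_DIRNAME) {
- nm = gen->d.dirn;
- break;
- }
- }
- if (nm && X509_NAME_cmp(nm, X509_get_issuer_name(issuer)))
- return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
- }
- return X509_V_OK;
-}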
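diff --git a/src/lib/libcrypto/x509v3/v3_skey.c b/src/lib/libcrypto/x509v3/v3_skey.c
deleted file mode 100644
index ab2521f21a..0000000000
--- a/src/lib/libcrypto/x509v3/v3_skey.c
+++ /dev/null
@@ -1,151 +0,0 @@
-/* $OpenBSD: v3_skey.c,v 1.10 2014/07/11 08:44:49 jsing Exp $ */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 1999.
- */
-/* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-#include <string.h>
-
-#include <openssl/err.h>
-#include <openssl/x509v3.h>
-
-static ASN1_OCTET_STRING *s2i_skey_id(X509V3_EXT_METHOD *method,
- X509V3_CTX *ctx, char *str);
-const X509V3_EXT_METHOD v3_skey_id = {
- NID_subject_key_identifier, 0, ASN1_ITEM_ref(ASN1_OCTET_STRING),
- 0, 0, 0, 0,
- (X509V3_EXT_I2S)i2s_ASN1_OCTET_STRING,
- (X509V3_EXT_S2I)s2i_skey_id,
- 0, 0, 0, 0,
- NULL
-};
-
-char *
-i2s_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method, ASN1_OCTET_STRING *oct)
-{
- return hex_to_string(oct->data, oct->length);
-}
-
-ASN1_OCTET_STRING *
-s2i_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *str)
-{
- ASN1_OCTET_STRING *oct;
- long length;
-
- if (!(oct = M_ASN1_OCTET_STRING_new())) {
- X509V3err(X509V3_F_S2I_ASN1_OCTET_STRING, ERR_R_MALLOC_FAILURE);
- return NULL;
- }
-
- if (!(oct->data = string_to_hex(str, &length))) {
- M_ASN1_OCTET_STRING_free(oct);
- return NULL;
- }
-
- oct->length = length;
-
- return oct;
-}
-
-static ASN1_OCTET_STRING *
-s2i_skey_id(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *str)
-{
- ASN1_OCTET_STRING *oct;
- ASN1_BIT_STRING *pk;
- unsigned char pkey_dig[EVP_MAX_MD_SIZE];
- unsigned int diglen;
-
- if (strcmp(str, "hash"))
- return s2i_ASN1_OCTET_STRING(method, ctx, str);
-
- if (!(oct = M_ASN1_OCTET_STRING_new())) {
- X509V3err(X509V3_F_S2I_SKEY_ID, ERR_R_MALLOC_FAILURE);
- return NULL;
- }
-
- if (ctx && (ctx->flags == CTX_TEST))
- return oct;
-
- if (!ctx || (!ctx->subject_req && !ctx->subject_cert)) {
- X509V3err(X509V3_F_S2I_SKEY_ID, X509V3_R_NO_PUBLIC_KEY);
- goto err;
- }
-
- if (ctx->subject_req)
- pk = ctx->subject_req->req_info->pubkey->public_key;
- else
- pk = ctx->subject_cert->cert_info->key->public_key;
-
- if (!pk) {
- X509V3err(X509V3_F_S2I_SKEY_ID, X509V3_R_NO_PUBLIC_KEY);
- goto err;
- }
-
- if (!EVP_Digest(pk->data, pk->length, pkey_dig, &diglen,
- EVP_sha1(), NULL))
- goto err;
-
- if (!M_ASN1_OCTET_STRING_set(oct, pkey_dig, diglen)) {
- X509V3err(X509V3_F_S2I_SKEY_ID, ERR_R_MALLOC_FAILURE);
- goto err;
- }
-
- return oct;
-
-err:
- M_ASN1_OCTET_STRING_free(oct);
- return NULL;
-}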
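diff --git a/src/lib/libcrypto/x509v3/v3_sxnet.c b/src/lib/libcrypto/x509v3/v3_sxnet.c
deleted file mode 100644
index 7029aad916..0000000000
--- a/src/lib/libcrypto/x509v3/v3_sxnet.c
+++ /dev/null
@@ -1,335 +0,0 @@
-/* $OpenBSD: v3_sxnet.c,v 1.13 2015/02/10 08:33:10 jsing Exp $ */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 1999.
- */
-/* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-#include <string.h>
-
-#include <openssl/asn1.h>
-#include <openssl/asn1t.h>
-#include <openssl/conf.h>
-#include <openssl/err.h>
-#include <openssl/x509v3.h>
-
-/* Support for Thawte strong extranet extension */
-
-#define SXNET_TEST
-
-static int sxnet_i2r(X509V3_EXT_METHOD *method, SXNET *sx, BIO *out,
- int indent);
-#ifdef SXNET_TEST
-static SXNET * sxnet_v2i(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
- STACK_OF(CONF_VALUE) *nval);
-#endif
-const X509V3_EXT_METHOD v3_sxnet = {
- NID_sxnet, X509V3_EXT_MULTILINE, ASN1_ITEM_ref(SXNET),
- 0, 0, 0, 0,
- 0, 0,
- 0,
-#ifdef SXNET_TEST
- (X509V3_EXT_V2I)sxnet_v2i,
-#else
- 0,
-#endif
- (X509V3_EXT_I2R)sxnet_i2r,
- 0,
- NULL
-};
-
-ASN1_SEQUENCE(SXNETID) = {
- ASN1_SIMPLE(SXNETID, zone, ASN1_INTEGER),
- ASN1_SIMPLE(SXNETID, user, ASN1_OCTET_STRING)
-} ASN1_SEQUENCE_END(SXNETID)
-
-
-SXNETID *
-d2i_SXNETID(SXNETID **a, const unsigned char **in, long len)
-{
- return (SXNETID *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
- &SXNETID_it);
-}
-
-int
-i2d_SXNETID(SXNETID *a, unsigned char **out)
-{
- return ASN1_item_i2d((ASN1_VALUE *)a, out, &SXNETID_it);
-}
-
-SXNETID *
-SXNETID_new(void)
-{
- return (SXNETID *)ASN1_item_new(&SXNETID_it);
-}
-
-void
-SXNETID_free(SXNETID *a)
-{
- ASN1_item_free((ASN1_VALUE *)a, &SXNETID_it);
-}
-
-ASN1_SEQUENCE(SXNET) = {
- ASN1_SIMPLE(SXNET, version, ASN1_INTEGER),
- ASN1_SEQUENCE_OF(SXNET, ids, SXNETID)
-} ASN1_SEQUENCE_END(SXNET)
-
-
-SXNET *
-d2i_SXNET(SXNET **a, const unsigned char **in, long len)
-{
- return (SXNET *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
- &SXNET_it);
-}
-
-int
-i2d_SXNET(SXNET *a, unsigned char **out)
-{
- return ASN1_item_i2d((ASN1_VALUE *)a, out, &SXNET_it);
-}
-
-SXNET *
-SXNET_new(void)
-{
- return (SXNET *)ASN1_item_new(&SXNET_it);
-}
-
-void
-SXNET_free(SXNET *a)
-{
- ASN1_item_free((ASN1_VALUE *)a, &SXNET_it);
-}
-
-static int
-sxnet_i2r(X509V3_EXT_METHOD *method, SXNET *sx, BIO *out, int indent)
-{
- long v;
- char *tmp;
- SXNETID *id;
- int i;
-
- v = ASN1_INTEGER_get(sx->version);
- BIO_printf(out, "%*sVersion: %ld (0x%lX)", indent, "", v + 1, v);
- for (i = 0; i < sk_SXNETID_num(sx->ids); i++) {
- id = sk_SXNETID_value(sx->ids, i);
- tmp = i2s_ASN1_INTEGER(NULL, id->zone);
- BIO_printf(out, "\n%*sZone: %s, User: ", indent, "", tmp);
- free(tmp);
- M_ASN1_OCTET_STRING_print(out, id->user);
- }
- return 1;
-}
-
-#ifdef SXNET_TEST
-
-/* NBB: this is used for testing only. It should *not* be used for anything
- * else because it will just take static IDs from the configuration file and
- * they should really be separate values for each user.
- */
-
-static SXNET *
-sxnet_v2i(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
- STACK_OF(CONF_VALUE) *nval)
-{
- CONF_VALUE *cnf;
- SXNET *sx = NULL;
- int i;
-
- for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
- cnf = sk_CONF_VALUE_value(nval, i);
- if (!SXNET_add_id_asc(&sx, cnf->name, cnf->value, -1))
- return NULL;
- }
- return sx;
-}
-
-#endif
-
-/* Strong Extranet utility functions */
-
-/* Add an id given the zone as an ASCII number */
-
-int
-SXNET_add_id_asc(SXNET **psx, char *zone, char *user, int userlen)
-{
- ASN1_INTEGER *izone = NULL;
-
- if (!(izone = s2i_ASN1_INTEGER(NULL, zone))) {
- X509V3err(X509V3_F_SXNET_ADD_ID_ASC,
- X509V3_R_ERROR_CONVERTING_ZONE);
- return 0;
- }
- return SXNET_add_id_INTEGER(psx, izone, user, userlen);
-}
-
-/* Add an id given the zone as an unsigned long */
-
-int
-SXNET_add_id_ulong(SXNET **psx, unsigned long lzone, char *user, int userlen)
-{
- ASN1_INTEGER *izone = NULL;
-
- if (!(izone = M_ASN1_INTEGER_new()) ||
- !ASN1_INTEGER_set(izone, lzone)) {
- X509V3err(X509V3_F_SXNET_ADD_ID_ULONG, ERR_R_MALLOC_FAILURE);
- M_ASN1_INTEGER_free(izone);
- return 0;
- }
- return SXNET_add_id_INTEGER(psx, izone, user, userlen);
-}
-
-/* Add an id given the zone as an ASN1_INTEGER.
- * Note this version uses the passed integer and doesn't make a copy so don't
- * free it up afterwards.
- */
-
-int
-SXNET_add_id_INTEGER(SXNET **psx, ASN1_INTEGER *zone, char *user, int userlen)
-{
- SXNET *sx = NULL;
- SXNETID *id = NULL;
-
- if (!psx || !zone || !user) {
- X509V3err(X509V3_F_SXNET_ADD_ID_INTEGER,
- X509V3_R_INVALID_NULL_ARGUMENT);
- return 0;
- }
- if (userlen == -1)
- userlen = strlen(user);
- if (userlen > 64) {
- X509V3err(X509V3_F_SXNET_ADD_ID_INTEGER,
- X509V3_R_USER_TOO_LONG);
- return 0;
- }
- if (!*psx) {
- if (!(sx = SXNET_new()))
- goto err;
- if (!ASN1_INTEGER_set(sx->version, 0))
- goto err;
- *psx = sx;
- } else
- sx = *psx;
- if (SXNET_get_id_INTEGER(sx, zone)) {
- X509V3err(X509V3_F_SXNET_ADD_ID_INTEGER,
- X509V3_R_DUPLICATE_ZONE_ID);
- return 0;
- }
-
- if (!(id = SXNETID_new()))
- goto err;
- if (userlen == -1)
- userlen = strlen(user);
-
- if (!M_ASN1_OCTET_STRING_set(id->user, user, userlen))
- goto err;
- if (!sk_SXNETID_push(sx->ids, id))
- goto err;
- id->zone = zone;
- return 1;
-
-err:
- X509V3err(X509V3_F_SXNET_ADD_ID_INTEGER, ERR_R_MALLOC_FAILURE);
- SXNETID_free(id);
- SXNET_free(sx);
- *psx = NULL;
- return 0;
-}
-
-ASN1_OCTET_STRING *
-SXNET_get_id_asc(SXNET *sx, char *zone)
-{
- ASN1_INTEGER *izone = NULL;
- ASN1_OCTET_STRING *oct;
-
- if (!(izone = s2i_ASN1_INTEGER(NULL, zone))) {
- X509V3err(X509V3_F_SXNET_GET_ID_ASC,
- X509V3_R_ERROR_CONVERTING_ZONE);
- return NULL;
- }
- oct = SXNET_get_id_INTEGER(sx, izone);
- M_ASN1_INTEGER_free(izone);
- return oct;
-}
-
-ASN1_OCTET_STRING *
-SXNET_get_id_ulong(SXNET *sx, unsigned long lzone)
-{
- ASN1_INTEGER *izone = NULL;
- ASN1_OCTET_STRING *oct;
-
- if (!(izone = M_ASN1_INTEGER_new()) ||
- !ASN1_INTEGER_set(izone, lzone)) {
- X509V3err(X509V3_F_SXNET_GET_ID_ULONG, ERR_R_MALLOC_FAILURE);
- M_ASN1_INTEGER_free(izone);
- return NULL;
- }
- oct = SXNET_get_id_INTEGER(sx, izone);
- M_ASN1_INTEGER_free(izone);
- return oct;
-}
-
-ASN1_OCTET_STRING *
-SXNET_get_id_INTEGER(SXNET *sx, ASN1_INTEGER *zone)
-{
- SXNETID *id;
- int i;
-
- for (i = 0; i < sk_SXNETID_num(sx->ids); i++) {
- id = sk_SXNETID_value(sx->ids, i);
- if (!M_ASN1_INTEGER_cmp(id->zone, zone))
- return id->user;
- }
- return NULL;
-}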
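diff --git a/src/lib/libcrypto/x509v3/v3_utl.c b/src/lib/libcrypto/x509v3/v3_utl.c
deleted file mode 100644
index ee135a0b52..0000000000
--- a/src/lib/libcrypto/x509v3/v3_utl.c
+++ /dev/null
@@ -1,925 +0,0 @@
-/* $OpenBSD: v3_utl.c,v 1.24 2015/02/07 13:19:15 doug Exp $ */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project.
- */
-/* ====================================================================
- * Copyright (c) 1999-2003 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-/* X509 v3 extension utilities */
-
-#include <ctype.h>
-#include <stdio.h>
-#include <string.h>
-
-#include <openssl/bn.h>
-#include <openssl/conf.h>
-#include <openssl/err.h>
-#include <openssl/x509v3.h>
-
-static char *strip_spaces(char *name);
-static int sk_strcmp(const char * const *a, const char * const *b);
-static STACK_OF(OPENSSL_STRING) *get_email(X509_NAME *name,
- GENERAL_NAMES *gens);
-static void str_free(OPENSSL_STRING str);
-static int append_ia5(STACK_OF(OPENSSL_STRING) **sk, ASN1_IA5STRING *email);
-
-static int ipv4_from_asc(unsigned char *v4, const char *in);
-static int ipv6_from_asc(unsigned char *v6, const char *in);
-static int ipv6_cb(const char *elem, int len, void *usr);
-static int ipv6_hex(unsigned char *out, const char *in, int inlen);
-
-/* Add a CONF_VALUE name value pair to stack */
-
-int
-X509V3_add_value(const char *name, const char *value,
- STACK_OF(CONF_VALUE) **extlist)
-{
- CONF_VALUE *vtmp = NULL;
- char *tname = NULL, *tvalue = NULL;
-
- if (name && !(tname = strdup(name)))
- goto err;
- if (value && !(tvalue = strdup(value)))
- goto err;
- if (!(vtmp = malloc(sizeof(CONF_VALUE))))
- goto err;
- if (!*extlist && !(*extlist = sk_CONF_VALUE_new_null()))
- goto err;
- vtmp->section = NULL;
- vtmp->name = tname;
- vtmp->value = tvalue;
- if (!sk_CONF_VALUE_push(*extlist, vtmp))
- goto err;
- return 1;
-
-err:
- X509V3err(X509V3_F_X509V3_ADD_VALUE, ERR_R_MALLOC_FAILURE);
- free(vtmp);
- free(tname);
- free(tvalue);
- return 0;
-}
-
-int
-X509V3_add_value_uchar(const char *name, const unsigned char *value,
- STACK_OF(CONF_VALUE) **extlist)
-{
- return X509V3_add_value(name, (const char *)value, extlist);
-}
-
-/* Free function for STACK_OF(CONF_VALUE) */
-
-void
-X509V3_conf_free(CONF_VALUE *conf)
-{
- if (!conf)
- return;
- free(conf->name);
- free(conf->value);
- free(conf->section);
- free(conf);
-}
-
-int
-X509V3_add_value_bool(const char *name, int asn1_bool,
- STACK_OF(CONF_VALUE) **extlist)
-{
- if (asn1_bool)
- return X509V3_add_value(name, "TRUE", extlist);
- return X509V3_add_value(name, "FALSE", extlist);
-}
-
-int
-X509V3_add_value_bool_nf(char *name, int asn1_bool,
- STACK_OF(CONF_VALUE) **extlist)
-{
- if (asn1_bool)
- return X509V3_add_value(name, "TRUE", extlist);
- return 1;
-}
-
-
-char *
-i2s_ASN1_ENUMERATED(X509V3_EXT_METHOD *method, ASN1_ENUMERATED *a)
-{
- BIGNUM *bntmp = NULL;
- char *strtmp = NULL;
-
- if (!a)
- return NULL;
- if (!(bntmp = ASN1_ENUMERATED_to_BN(a, NULL)) ||
- !(strtmp = BN_bn2dec(bntmp)))
- X509V3err(X509V3_F_I2S_ASN1_ENUMERATED, ERR_R_MALLOC_FAILURE);
- BN_free(bntmp);
- return strtmp;
-}
-
-char *
-i2s_ASN1_INTEGER(X509V3_EXT_METHOD *method, ASN1_INTEGER *a)
-{
- BIGNUM *bntmp = NULL;
- char *strtmp = NULL;
-
- if (!a)
- return NULL;
- if (!(bntmp = ASN1_INTEGER_to_BN(a, NULL)) ||
- !(strtmp = BN_bn2dec(bntmp)))
- X509V3err(X509V3_F_I2S_ASN1_INTEGER, ERR_R_MALLOC_FAILURE);
- BN_free(bntmp);
- return strtmp;
-}
-
-ASN1_INTEGER *
-s2i_ASN1_INTEGER(X509V3_EXT_METHOD *method, char *value)
-{
- BIGNUM *bn = NULL;
- ASN1_INTEGER *aint;
- int isneg, ishex;
- int ret;
-
- if (!value) {
- X509V3err(X509V3_F_S2I_ASN1_INTEGER,
- X509V3_R_INVALID_NULL_VALUE);
- return 0;
- }
- bn = BN_new();
- if (value[0] == '-') {
- value++;
- isneg = 1;
- } else
- isneg = 0;
-
- if (value[0] == '0' && ((value[1] == 'x') || (value[1] == 'X'))) {
- value += 2;
- ishex = 1;
- } else
- ishex = 0;
-
- if (ishex)
- ret = BN_hex2bn(&bn, value);
- else
- ret = BN_dec2bn(&bn, value);
-
- if (!ret || value[ret]) {
- BN_free(bn);
- X509V3err(X509V3_F_S2I_ASN1_INTEGER, X509V3_R_BN_DEC2BN_ERROR);
- return 0;
- }
-
- if (isneg && BN_is_zero(bn))
- isneg = 0;
-
- aint = BN_to_ASN1_INTEGER(bn, NULL);
- BN_free(bn);
- if (!aint) {
- X509V3err(X509V3_F_S2I_ASN1_INTEGER,
- X509V3_R_BN_TO_ASN1_INTEGER_ERROR);
- return 0;
- }
- if (isneg)
- aint->type |= V_ASN1_NEG;
- return aint;
-}
-
-int
-X509V3_add_value_int(const char *name, ASN1_INTEGER *aint,
- STACK_OF(CONF_VALUE) **extlist)
-{
- char *strtmp;
- int ret;
-
- if (!aint)
- return 1;
- if (!(strtmp = i2s_ASN1_INTEGER(NULL, aint)))
- return 0;
- ret = X509V3_add_value(name, strtmp, extlist);
- free(strtmp);
- return ret;
-}
-
-int
-X509V3_get_value_bool(CONF_VALUE *value, int *asn1_bool)
-{
- char *btmp;
-
- if (!(btmp = value->value))
- goto err;
- if (!strcmp(btmp, "TRUE") || !strcmp(btmp, "true") ||
- !strcmp(btmp, "Y") || !strcmp(btmp, "y") ||
- !strcmp(btmp, "YES") || !strcmp(btmp, "yes")) {
- *asn1_bool = 0xff;
- return 1;
- } else if (!strcmp(btmp, "FALSE") || !strcmp(btmp, "false") ||
- !strcmp(btmp, "N") || !strcmp(btmp, "n") ||
- !strcmp(btmp, "NO") || !strcmp(btmp, "no")) {
- *asn1_bool = 0;
- return 1;
- }
-
-err:
- X509V3err(X509V3_F_X509V3_GET_VALUE_BOOL,
- X509V3_R_INVALID_BOOLEAN_STRING);
- X509V3_conf_err(value);
- return 0;
-}
-
-int
-X509V3_get_value_int(CONF_VALUE *value, ASN1_INTEGER **aint)
-{
- ASN1_INTEGER *itmp;
-
- if (!(itmp = s2i_ASN1_INTEGER(NULL, value->value))) {
- X509V3_conf_err(value);
- return 0;
- }
- *aint = itmp;
- return 1;
-}
-
-#define HDR_NAME 1
-#define HDR_VALUE 2
-
-/*#define DEBUG*/
-
-STACK_OF(CONF_VALUE) *
-X509V3_parse_list(const char *line)
-{
- char *p, *q, c;
- char *ntmp, *vtmp;
- STACK_OF(CONF_VALUE) *values = NULL;
- char *linebuf;
- int state;
-
- /* We are going to modify the line so copy it first */
- if ((linebuf = strdup(line)) == NULL) {
- X509V3err(X509V3_F_X509V3_PARSE_LIST, ERR_R_MALLOC_FAILURE);
- goto err;
- }
- state = HDR_NAME;
- ntmp = NULL;
-
- /* Go through all characters */
- for (p = linebuf, q = linebuf; (c = *p) && (c != '\r') &&
- (c != '\n'); p++) {
-
- switch (state) {
- case HDR_NAME:
- if (c == ':') {
- state = HDR_VALUE;
- *p = 0;
- ntmp = strip_spaces(q);
- if (!ntmp) {
- X509V3err(X509V3_F_X509V3_PARSE_LIST,
- X509V3_R_INVALID_NULL_NAME);
- goto err;
- }
- q = p + 1;
- } else if (c == ',') {
- *p = 0;
- ntmp = strip_spaces(q);
- q = p + 1;
- if (!ntmp) {
- X509V3err(X509V3_F_X509V3_PARSE_LIST,
- X509V3_R_INVALID_NULL_NAME);
- goto err;
- }
- X509V3_add_value(ntmp, NULL, &values);
- }
- break;
-
- case HDR_VALUE:
- if (c == ',') {
- state = HDR_NAME;
- *p = 0;
- vtmp = strip_spaces(q);
- if (!vtmp) {
- X509V3err(X509V3_F_X509V3_PARSE_LIST,
- X509V3_R_INVALID_NULL_VALUE);
- goto err;
- }
- X509V3_add_value(ntmp, vtmp, &values);
- ntmp = NULL;
- q = p + 1;
- }
-
- }
- }
-
- if (state == HDR_VALUE) {
- vtmp = strip_spaces(q);
- if (!vtmp) {
- X509V3err(X509V3_F_X509V3_PARSE_LIST,
- X509V3_R_INVALID_NULL_VALUE);
- goto err;
- }
- X509V3_add_value(ntmp, vtmp, &values);
- } else {
- ntmp = strip_spaces(q);
- if (!ntmp) {
- X509V3err(X509V3_F_X509V3_PARSE_LIST,
- X509V3_R_INVALID_NULL_NAME);
- goto err;
- }
- X509V3_add_value(ntmp, NULL, &values);
- }
- free(linebuf);
- return values;
-
-err:
- free(linebuf);
- sk_CONF_VALUE_pop_free(values, X509V3_conf_free);
- return NULL;
-
-}
-
-/* Delete leading and trailing spaces from a string */
-static char *
-strip_spaces(char *name)
-{
- char *p, *q;
-
- /* Skip over leading spaces */
- p = name;
- while (*p && isspace((unsigned char)*p))
- p++;
- if (!*p)
- return NULL;
- q = p + strlen(p) - 1;
- while ((q != p) && isspace((unsigned char)*q))
- q--;
- if (p != q)
- q[1] = 0;
- if (!*p)
- return NULL;
- return p;
-}
-
-/* hex string utilities */
-
-/* Given a buffer of length 'len' return a malloc'ed string with its
- * hex representation
- */
-char *
-hex_to_string(const unsigned char *buffer, long len)
-{
- char *tmp, *q;
- const unsigned char *p;
- int i;
- static const char hexdig[] = "0123456789ABCDEF";
-
- if (!buffer || !len)
- return NULL;
- if (!(tmp = malloc(len * 3 + 1))) {
- X509V3err(X509V3_F_HEX_TO_STRING, ERR_R_MALLOC_FAILURE);
- return NULL;
- }
- q = tmp;
- for (i = 0, p = buffer; i < len; i++, p++) {
- *q++ = hexdig[(*p >> 4) & 0xf];
- *q++ = hexdig[*p & 0xf];
- *q++ = ':';
- }
- q[-1] = 0;
- return tmp;
-}
-
-/* Give a string of hex digits convert to
- * a buffer
- */
-
-unsigned char *
-string_to_hex(const char *str, long *len)
-{
- unsigned char *hexbuf, *q;
- unsigned char ch, cl, *p;
- if (!str) {
- X509V3err(X509V3_F_STRING_TO_HEX,
- X509V3_R_INVALID_NULL_ARGUMENT);
- return NULL;
- }
- if (!(hexbuf = malloc(strlen(str) >> 1)))
- goto err;
- for (p = (unsigned char *)str, q = hexbuf; *p; ) {
- ch = *p++;
- if (ch == ':')
- continue;
- cl = *p++;
- if (!cl) {
- X509V3err(X509V3_F_STRING_TO_HEX,
- X509V3_R_ODD_NUMBER_OF_DIGITS);
- free(hexbuf);
- return NULL;
- }
- ch = tolower(ch);
- cl = tolower(cl);
-
- if ((ch >= '0') && (ch <= '9'))
- ch -= '0';
- else if ((ch >= 'a') && (ch <= 'f'))
- ch -= 'a' - 10;
- else
- goto badhex;
-
- if ((cl >= '0') && (cl <= '9'))
- cl -= '0';
- else if ((cl >= 'a') && (cl <= 'f'))
- cl -= 'a' - 10;
- else
- goto badhex;
-
- *q++ = (ch << 4) | cl;
- }
-
- if (len)
- *len = q - hexbuf;
-
- return hexbuf;
-
-err:
- free(hexbuf);
- X509V3err(X509V3_F_STRING_TO_HEX, ERR_R_MALLOC_FAILURE);
- return NULL;
-
-badhex:
- free(hexbuf);
- X509V3err(X509V3_F_STRING_TO_HEX, X509V3_R_ILLEGAL_HEX_DIGIT);
- return NULL;
-}
-
-/* V2I name comparison function: returns zero if 'name' matches
- * cmp or cmp.*
- */
-
-int
-name_cmp(const char *name, const char *cmp)
-{
- int len, ret;
- char c;
-
- len = strlen(cmp);
- if ((ret = strncmp(name, cmp, len)))
- return ret;
- c = name[len];
- if (!c || (c=='.'))
- return 0;
- return 1;
-}
-
-static int
-sk_strcmp(const char * const *a, const char * const *b)
-{
- return strcmp(*a, *b);
-}
-
-STACK_OF(OPENSSL_STRING) *X509_get1_email(X509 *x)
-{
- GENERAL_NAMES *gens;
- STACK_OF(OPENSSL_STRING) *ret;
-
- gens = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
- ret = get_email(X509_get_subject_name(x), gens);
- sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
- return ret;
-}
-
-STACK_OF(OPENSSL_STRING) *X509_get1_ocsp(X509 *x)
-{
- AUTHORITY_INFO_ACCESS *info;
- STACK_OF(OPENSSL_STRING) *ret = NULL;
- int i;
-
- info = X509_get_ext_d2i(x, NID_info_access, NULL, NULL);
- if (!info)
- return NULL;
- for (i = 0; i < sk_ACCESS_DESCRIPTION_num(info); i++) {
- ACCESS_DESCRIPTION *ad = sk_ACCESS_DESCRIPTION_value(info, i);
- if (OBJ_obj2nid(ad->method) == NID_ad_OCSP) {
- if (ad->location->type == GEN_URI) {
- if (!append_ia5(&ret,
- ad->location->d.uniformResourceIdentifier))
- break;
- }
- }
- }
- AUTHORITY_INFO_ACCESS_free(info);
- return ret;
-}
-
-STACK_OF(OPENSSL_STRING) *X509_REQ_get1_email(X509_REQ *x)
-{
- GENERAL_NAMES *gens;
- STACK_OF(X509_EXTENSION) *exts;
- STACK_OF(OPENSSL_STRING) *ret;
-
- exts = X509_REQ_get_extensions(x);
- gens = X509V3_get_d2i(exts, NID_subject_alt_name, NULL, NULL);
- ret = get_email(X509_REQ_get_subject_name(x), gens);
- sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
- sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
- return ret;
-}
-
-
-static
-STACK_OF(OPENSSL_STRING) *get_email(X509_NAME *name, GENERAL_NAMES *gens)
-{
- STACK_OF(OPENSSL_STRING) *ret = NULL;
- X509_NAME_ENTRY *ne;
- ASN1_IA5STRING *email;
- GENERAL_NAME *gen;
- int i;
-
- /* Now add any email address(es) to STACK */
- i = -1;
-
- /* First supplied X509_NAME */
- while ((i = X509_NAME_get_index_by_NID(name,
- NID_pkcs9_emailAddress, i)) >= 0) {
- ne = X509_NAME_get_entry(name, i);
- email = X509_NAME_ENTRY_get_data(ne);
- if (!append_ia5(&ret, email))
- return NULL;
- }
- for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
- gen = sk_GENERAL_NAME_value(gens, i);
- if (gen->type != GEN_EMAIL)
- continue;
- if (!append_ia5(&ret, gen->d.ia5))
- return NULL;
- }
- return ret;
-}
-
-static void
-str_free(OPENSSL_STRING str)
-{
- free(str);
-}
-
-static int
-append_ia5(STACK_OF(OPENSSL_STRING) **sk, ASN1_IA5STRING *email)
-{
- char *emtmp;
-
- /* First some sanity checks */
- if (email->type != V_ASN1_IA5STRING)
- return 1;
- if (!email->data || !email->length)
- return 1;
- if (!*sk)
- *sk = sk_OPENSSL_STRING_new(sk_strcmp);
- if (!*sk)
- return 0;
- /* Don't add duplicates */
- if (sk_OPENSSL_STRING_find(*sk, (char *)email->data) != -1)
- return 1;
- emtmp = strdup((char *)email->data);
- if (!emtmp || !sk_OPENSSL_STRING_push(*sk, emtmp)) {
- X509_email_free(*sk);
- *sk = NULL;
- return 0;
- }
- return 1;
-}
-
-void
-X509_email_free(STACK_OF(OPENSSL_STRING) *sk)
-{
- sk_OPENSSL_STRING_pop_free(sk, str_free);
-}
-
-/* Convert IP addresses both IPv4 and IPv6 into an
- * OCTET STRING compatible with RFC3280.
- */
-
-ASN1_OCTET_STRING *
-a2i_IPADDRESS(const char *ipasc)
-{
- unsigned char ipout[16];
- ASN1_OCTET_STRING *ret;
- int iplen;
-
- /* If string contains a ':' assume IPv6 */
-
- iplen = a2i_ipadd(ipout, ipasc);
-
- if (!iplen)
- return NULL;
-
- ret = ASN1_OCTET_STRING_new();
- if (!ret)
- return NULL;
- if (!ASN1_OCTET_STRING_set(ret, ipout, iplen)) {
- ASN1_OCTET_STRING_free(ret);
- return NULL;
- }
- return ret;
-}
-
-ASN1_OCTET_STRING *
-a2i_IPADDRESS_NC(const char *ipasc)
-{
- ASN1_OCTET_STRING *ret = NULL;
- unsigned char ipout[32];
- char *iptmp = NULL, *p;
- int iplen1, iplen2;
-
- p = strchr(ipasc, '/');
- if (!p)
- return NULL;
- iptmp = strdup(ipasc);
- if (!iptmp)
- return NULL;
- p = iptmp + (p - ipasc);
- *p++ = 0;
-
- iplen1 = a2i_ipadd(ipout, iptmp);
-
- if (!iplen1)
- goto err;
-
- iplen2 = a2i_ipadd(ipout + iplen1, p);
-
- free(iptmp);
- iptmp = NULL;
-
- if (!iplen2 || (iplen1 != iplen2))
- goto err;
-
- ret = ASN1_OCTET_STRING_new();
- if (!ret)
- goto err;
- if (!ASN1_OCTET_STRING_set(ret, ipout, iplen1 + iplen2))
- goto err;
-
- return ret;
-
-err:
- free(iptmp);
- if (ret)
- ASN1_OCTET_STRING_free(ret);
- return NULL;
-}
-
-
-int
-a2i_ipadd(unsigned char *ipout, const char *ipasc)
-{
- /* If string contains a ':' assume IPv6 */
-
- if (strchr(ipasc, ':')) {
- if (!ipv6_from_asc(ipout, ipasc))
- return 0;
- return 16;
- } else {
- if (!ipv4_from_asc(ipout, ipasc))
- return 0;
- return 4;
- }
-}
-
-static int
-ipv4_from_asc(unsigned char *v4, const char *in)
-{
- int a0, a1, a2, a3;
- if (sscanf(in, "%d.%d.%d.%d", &a0, &a1, &a2, &a3) != 4)
- return 0;
- if ((a0 < 0) || (a0 > 255) || (a1 < 0) || (a1 > 255) ||
- (a2 < 0) || (a2 > 255) || (a3 < 0) || (a3 > 255))
- return 0;
- v4[0] = a0;
- v4[1] = a1;
- v4[2] = a2;
- v4[3] = a3;
- return 1;
-}
-
-typedef struct {
- /* Temporary store for IPV6 output */
- unsigned char tmp[16];
- /* Total number of bytes in tmp */
- int total;
- /* The position of a zero (corresponding to '::') */
- int zero_pos;
- /* Number of zeroes */
- int zero_cnt;
-} IPV6_STAT;
-
-
-static int
-ipv6_from_asc(unsigned char *v6, const char *in)
-{
- IPV6_STAT v6stat;
-
- v6stat.total = 0;
- v6stat.zero_pos = -1;
- v6stat.zero_cnt = 0;
-
- /* Treat the IPv6 representation as a list of values
- * separated by ':'. The presence of a '::' will parse
- * as one, two or three zero length elements.
- */
- if (!CONF_parse_list(in, ':', 0, ipv6_cb, &v6stat))
- return 0;
-
- /* Now for some sanity checks */
-
- if (v6stat.zero_pos == -1) {
- /* If no '::' must have exactly 16 bytes */
- if (v6stat.total != 16)
- return 0;
- } else {
- /* If '::' must have less than 16 bytes */
- if (v6stat.total == 16)
- return 0;
- /* More than three zeroes is an error */
- if (v6stat.zero_cnt > 3)
- return 0;
- /* Can only have three zeroes if nothing else present */
- else if (v6stat.zero_cnt == 3) {
- if (v6stat.total > 0)
- return 0;
- }
- /* Can only have two zeroes if at start or end */
- else if (v6stat.zero_cnt == 2) {
- if ((v6stat.zero_pos != 0) &&
- (v6stat.zero_pos != v6stat.total))
- return 0;
- } else
- /* Can only have one zero if *not* start or end */
- {
- if ((v6stat.zero_pos == 0) ||
- (v6stat.zero_pos == v6stat.total))
- return 0;
- }
- }
-
- /* Format result */
-
- if (v6stat.zero_pos >= 0) {
- /* Copy initial part */
- memcpy(v6, v6stat.tmp, v6stat.zero_pos);
- /* Zero middle */
- memset(v6 + v6stat.zero_pos, 0, 16 - v6stat.total);
- /* Copy final part */
- if (v6stat.total != v6stat.zero_pos)
- memcpy(v6 + v6stat.zero_pos + 16 - v6stat.total,
- v6stat.tmp + v6stat.zero_pos,
- v6stat.total - v6stat.zero_pos);
- } else
- memcpy(v6, v6stat.tmp, 16);
-
- return 1;
-}
-
-static int
-ipv6_cb(const char *elem, int len, void *usr)
-{
- IPV6_STAT *s = usr;
-
- /* Error if 16 bytes written */
- if (s->total == 16)
- return 0;
- if (len == 0) {
- /* Zero length element, corresponds to '::' */
- if (s->zero_pos == -1)
- s->zero_pos = s->total;
- /* If we've already got a :: its an error */
- else if (s->zero_pos != s->total)
- return 0;
- s->zero_cnt++;
- } else {
- /* If more than 4 characters could be final a.b.c.d form */
- if (len > 4) {
- /* Need at least 4 bytes left */
- if (s->total > 12)
- return 0;
- /* Must be end of string */
- if (elem[len])
- return 0;
- if (!ipv4_from_asc(s->tmp + s->total, elem))
- return 0;
- s->total += 4;
- } else {
- if (!ipv6_hex(s->tmp + s->total, elem, len))
- return 0;
- s->total += 2;
- }
- }
- return 1;
-}
-
-/* Convert a string of up to 4 hex digits into the corresponding
- * IPv6 form.
- */
-
-static int
-ipv6_hex(unsigned char *out, const char *in, int inlen)
-{
- unsigned char c;
- unsigned int num = 0;
-
- if (inlen > 4)
- return 0;
- while (inlen--) {
- c = *in++;
- num <<= 4;
- if ((c >= '0') && (c <= '9'))
- num |= c - '0';
- else if ((c >= 'A') && (c <= 'F'))
- num |= c - 'A' + 10;
- else if ((c >= 'a') && (c <= 'f'))
- num |= c - 'a' + 10;
- else
- return 0;
- }
- out[0] = num >> 8;
- out[1] = num & 0xff;
- return 1;
-}
-
-int
-X509V3_NAME_from_section(X509_NAME *nm, STACK_OF(CONF_VALUE)*dn_sk,
- unsigned long chtype)
-{
- CONF_VALUE *v;
- int i, mval;
- char *p, *type;
-
- if (!nm)
- return 0;
-
- for (i = 0; i < sk_CONF_VALUE_num(dn_sk); i++) {
- v = sk_CONF_VALUE_value(dn_sk, i);
- type = v->name;
- /* Skip past any leading X. X: X, etc to allow for
- * multiple instances
- */
- for (p = type; *p; p++)
- if ((*p == ':') || (*p == ',') || (*p == '.')) {
- p++;
- if (*p)
- type = p;
- break;
- }
- if (*type == '+') {
- mval = -1;
- type++;
- } else
- mval = 0;
- if (!X509_NAME_add_entry_by_txt(nm, type, chtype,
- (unsigned char *) v->value, -1, -1, mval))
- return 0;
- }
- return 1;
-}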
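diff --git a/src/lib/libcrypto/x509v3/v3err.c b/src/lib/libcrypto/x509v3/v3err.c
deleted file mode 100644
index a49632a069..0000000000
--- a/src/lib/libcrypto/x509v3/v3err.c
+++ /dev/null
@@ -1,226 +0,0 @@
-/* $OpenBSD: v3err.c,v 1.11 2014/07/10 22:45:58 jsing Exp $ */
-/* ====================================================================
- * Copyright (c) 1999-2007 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * openssl-core@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-/* NOTE: this file was auto generated by the mkerr.pl script: any changes
- * made to it will be overwritten when the script next updates this file,
- * only reason strings will be preserved.
- */
-
-#include <stdio.h>
-
-#include <openssl/opensslconf.h>
-
-#include <openssl/err.h>
-#include <openssl/x509v3.h>
-
-/* BEGIN ERROR CODES */
-#ifndef OPENSSL_NO_ERR
-
-#define ERR_FUNC(func) ERR_PACK(ERR_LIB_X509V3,func,0)
-#define ERR_REASON(reason) ERR_PACK(ERR_LIB_X509V3,0,reason)
-
-static ERR_STRING_DATA X509V3_str_functs[] = {
- {ERR_FUNC(X509V3_F_A2I_GENERAL_NAME), "A2I_GENERAL_NAME"},
- {ERR_FUNC(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE), "ASIDENTIFIERCHOICE_CANONIZE"},
- {ERR_FUNC(X509V3_F_ASIDENTIFIERCHOICE_IS_CANONICAL), "ASIDENTIFIERCHOICE_IS_CANONICAL"},
- {ERR_FUNC(X509V3_F_COPY_EMAIL), "COPY_EMAIL"},
- {ERR_FUNC(X509V3_F_COPY_ISSUER), "COPY_ISSUER"},
- {ERR_FUNC(X509V3_F_DO_DIRNAME), "DO_DIRNAME"},
- {ERR_FUNC(X509V3_F_DO_EXT_CONF), "DO_EXT_CONF"},
- {ERR_FUNC(X509V3_F_DO_EXT_I2D), "DO_EXT_I2D"},
- {ERR_FUNC(X509V3_F_DO_EXT_NCONF), "DO_EXT_NCONF"},
- {ERR_FUNC(X509V3_F_DO_I2V_NAME_CONSTRAINTS), "DO_I2V_NAME_CONSTRAINTS"},
- {ERR_FUNC(X509V3_F_GNAMES_FROM_SECTNAME), "GNAMES_FROM_SECTNAME"},
- {ERR_FUNC(X509V3_F_HEX_TO_STRING), "hex_to_string"},
- {ERR_FUNC(X509V3_F_I2S_ASN1_ENUMERATED), "i2s_ASN1_ENUMERATED"},
- {ERR_FUNC(X509V3_F_I2S_ASN1_IA5STRING), "I2S_ASN1_IA5STRING"},
- {ERR_FUNC(X509V3_F_I2S_ASN1_INTEGER), "i2s_ASN1_INTEGER"},
- {ERR_FUNC(X509V3_F_I2V_AUTHORITY_INFO_ACCESS), "I2V_AUTHORITY_INFO_ACCESS"},
- {ERR_FUNC(X509V3_F_NOTICE_SECTION), "NOTICE_SECTION"},
- {ERR_FUNC(X509V3_F_NREF_NOS), "NREF_NOS"},
- {ERR_FUNC(X509V3_F_POLICY_SECTION), "POLICY_SECTION"},
- {ERR_FUNC(X509V3_F_PROCESS_PCI_VALUE), "PROCESS_PCI_VALUE"},
- {ERR_FUNC(X509V3_F_R2I_CERTPOL), "R2I_CERTPOL"},
- {ERR_FUNC(X509V3_F_R2I_PCI), "R2I_PCI"},
- {ERR_FUNC(X509V3_F_S2I_ASN1_IA5STRING), "S2I_ASN1_IA5STRING"},
- {ERR_FUNC(X509V3_F_S2I_ASN1_INTEGER), "s2i_ASN1_INTEGER"},
- {ERR_FUNC(X509V3_F_S2I_ASN1_OCTET_STRING), "s2i_ASN1_OCTET_STRING"},
- {ERR_FUNC(X509V3_F_S2I_ASN1_SKEY_ID), "S2I_ASN1_SKEY_ID"},
- {ERR_FUNC(X509V3_F_S2I_SKEY_ID), "S2I_SKEY_ID"},
- {ERR_FUNC(X509V3_F_SET_DIST_POINT_NAME), "SET_DIST_POINT_NAME"},
- {ERR_FUNC(X509V3_F_STRING_TO_HEX), "string_to_hex"},
- {ERR_FUNC(X509V3_F_SXNET_ADD_ID_ASC), "SXNET_add_id_asc"},
- {ERR_FUNC(X509V3_F_SXNET_ADD_ID_INTEGER), "SXNET_add_id_INTEGER"},
- {ERR_FUNC(X509V3_F_SXNET_ADD_ID_ULONG), "SXNET_add_id_ulong"},
- {ERR_FUNC(X509V3_F_SXNET_GET_ID_ASC), "SXNET_get_id_asc"},
- {ERR_FUNC(X509V3_F_SXNET_GET_ID_ULONG), "SXNET_get_id_ulong"},
- {ERR_FUNC(X509V3_F_V2I_ASIDENTIFIERS), "V2I_ASIDENTIFIERS"},
- {ERR_FUNC(X509V3_F_V2I_ASN1_BIT_STRING), "v2i_ASN1_BIT_STRING"},
- {ERR_FUNC(X509V3_F_V2I_AUTHORITY_INFO_ACCESS), "V2I_AUTHORITY_INFO_ACCESS"},
- {ERR_FUNC(X509V3_F_V2I_AUTHORITY_KEYID), "V2I_AUTHORITY_KEYID"},
- {ERR_FUNC(X509V3_F_V2I_BASIC_CONSTRAINTS), "V2I_BASIC_CONSTRAINTS"},
- {ERR_FUNC(X509V3_F_V2I_CRLD), "V2I_CRLD"},
- {ERR_FUNC(X509V3_F_V2I_EXTENDED_KEY_USAGE), "V2I_EXTENDED_KEY_USAGE"},
- {ERR_FUNC(X509V3_F_V2I_GENERAL_NAMES), "v2i_GENERAL_NAMES"},
- {ERR_FUNC(X509V3_F_V2I_GENERAL_NAME_EX), "v2i_GENERAL_NAME_ex"},
- {ERR_FUNC(X509V3_F_V2I_IDP), "V2I_IDP"},
- {ERR_FUNC(X509V3_F_V2I_IPADDRBLOCKS), "V2I_IPADDRBLOCKS"},
- {ERR_FUNC(X509V3_F_V2I_ISSUER_ALT), "V2I_ISSUER_ALT"},
- {ERR_FUNC(X509V3_F_V2I_NAME_CONSTRAINTS), "V2I_NAME_CONSTRAINTS"},
- {ERR_FUNC(X509V3_F_V2I_POLICY_CONSTRAINTS), "V2I_POLICY_CONSTRAINTS"},
- {ERR_FUNC(X509V3_F_V2I_POLICY_MAPPINGS), "V2I_POLICY_MAPPINGS"},
- {ERR_FUNC(X509V3_F_V2I_SUBJECT_ALT), "V2I_SUBJECT_ALT"},
- {ERR_FUNC(X509V3_F_V3_ADDR_VALIDATE_PATH_INTERNAL), "V3_ADDR_VALIDATE_PATH_INTERNAL"},
- {ERR_FUNC(X509V3_F_V3_GENERIC_EXTENSION), "V3_GENERIC_EXTENSION"},
- {ERR_FUNC(X509V3_F_X509V3_ADD1_I2D), "X509V3_add1_i2d"},
- {ERR_FUNC(X509V3_F_X509V3_ADD_VALUE), "X509V3_add_value"},
- {ERR_FUNC(X509V3_F_X509V3_EXT_ADD), "X509V3_EXT_add"},
- {ERR_FUNC(X509V3_F_X509V3_EXT_ADD_ALIAS), "X509V3_EXT_add_alias"},
- {ERR_FUNC(X509V3_F_X509V3_EXT_CONF), "X509V3_EXT_conf"},
- {ERR_FUNC(X509V3_F_X509V3_EXT_I2D), "X509V3_EXT_i2d"},
- {ERR_FUNC(X509V3_F_X509V3_EXT_NCONF), "X509V3_EXT_nconf"},
- {ERR_FUNC(X509V3_F_X509V3_GET_SECTION), "X509V3_get_section"},
- {ERR_FUNC(X509V3_F_X509V3_GET_STRING), "X509V3_get_string"},
- {ERR_FUNC(X509V3_F_X509V3_GET_VALUE_BOOL), "X509V3_get_value_bool"},
- {ERR_FUNC(X509V3_F_X509V3_PARSE_LIST), "X509V3_parse_list"},
- {ERR_FUNC(X509V3_F_X509_PURPOSE_ADD), "X509_PURPOSE_add"},
- {ERR_FUNC(X509V3_F_X509_PURPOSE_SET), "X509_PURPOSE_set"},
- {0, NULL}
-};
-
-static ERR_STRING_DATA X509V3_str_reasons[] = {
- {ERR_REASON(X509V3_R_BAD_IP_ADDRESS) , "bad ip address"},
- {ERR_REASON(X509V3_R_BAD_OBJECT) , "bad object"},
- {ERR_REASON(X509V3_R_BN_DEC2BN_ERROR) , "bn dec2bn error"},
- {ERR_REASON(X509V3_R_BN_TO_ASN1_INTEGER_ERROR), "bn to asn1 integer error"},
- {ERR_REASON(X509V3_R_DIRNAME_ERROR) , "dirname error"},
- {ERR_REASON(X509V3_R_DISTPOINT_ALREADY_SET), "distpoint already set"},
- {ERR_REASON(X509V3_R_DUPLICATE_ZONE_ID) , "duplicate zone id"},
- {ERR_REASON(X509V3_R_ERROR_CONVERTING_ZONE), "error converting zone"},
- {ERR_REASON(X509V3_R_ERROR_CREATING_EXTENSION), "error creating extension"},
- {ERR_REASON(X509V3_R_ERROR_IN_EXTENSION) , "error in extension"},
- {ERR_REASON(X509V3_R_EXPECTED_A_SECTION_NAME), "expected a section name"},
- {ERR_REASON(X509V3_R_EXTENSION_EXISTS) , "extension exists"},
- {ERR_REASON(X509V3_R_EXTENSION_NAME_ERROR), "extension name error"},
- {ERR_REASON(X509V3_R_EXTENSION_NOT_FOUND), "extension not found"},
- {ERR_REASON(X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED), "extension setting not supported"},
- {ERR_REASON(X509V3_R_EXTENSION_VALUE_ERROR), "extension value error"},
- {ERR_REASON(X509V3_R_ILLEGAL_EMPTY_EXTENSION), "illegal empty extension"},
- {ERR_REASON(X509V3_R_ILLEGAL_HEX_DIGIT) , "illegal hex digit"},
- {ERR_REASON(X509V3_R_INCORRECT_POLICY_SYNTAX_TAG), "incorrect policy syntax tag"},
- {ERR_REASON(X509V3_R_INVALID_MULTIPLE_RDNS), "invalid multiple rdns"},
- {ERR_REASON(X509V3_R_INVALID_ASNUMBER) , "invalid asnumber"},
- {ERR_REASON(X509V3_R_INVALID_ASRANGE) , "invalid asrange"},
- {ERR_REASON(X509V3_R_INVALID_BOOLEAN_STRING), "invalid boolean string"},
- {ERR_REASON(X509V3_R_INVALID_EXTENSION_STRING), "invalid extension string"},
- {ERR_REASON(X509V3_R_INVALID_INHERITANCE), "invalid inheritance"},
- {ERR_REASON(X509V3_R_INVALID_IPADDRESS) , "invalid ipaddress"},
- {ERR_REASON(X509V3_R_INVALID_NAME) , "invalid name"},
- {ERR_REASON(X509V3_R_INVALID_NULL_ARGUMENT), "invalid null argument"},
- {ERR_REASON(X509V3_R_INVALID_NULL_NAME) , "invalid null name"},
- {ERR_REASON(X509V3_R_INVALID_NULL_VALUE) , "invalid null value"},
- {ERR_REASON(X509V3_R_INVALID_NUMBER) , "invalid number"},
- {ERR_REASON(X509V3_R_INVALID_NUMBERS) , "invalid numbers"},
- {ERR_REASON(X509V3_R_INVALID_OBJECT_IDENTIFIER), "invalid object identifier"},
- {ERR_REASON(X509V3_R_INVALID_OPTION) , "invalid option"},
- {ERR_REASON(X509V3_R_INVALID_POLICY_IDENTIFIER), "invalid policy identifier"},
- {ERR_REASON(X509V3_R_INVALID_PROXY_POLICY_SETTING), "invalid proxy policy setting"},
- {ERR_REASON(X509V3_R_INVALID_PURPOSE) , "invalid purpose"},
- {ERR_REASON(X509V3_R_INVALID_SAFI) , "invalid safi"},
- {ERR_REASON(X509V3_R_INVALID_SECTION) , "invalid section"},
- {ERR_REASON(X509V3_R_INVALID_SYNTAX) , "invalid syntax"},
- {ERR_REASON(X509V3_R_ISSUER_DECODE_ERROR), "issuer decode error"},
- {ERR_REASON(X509V3_R_MISSING_VALUE) , "missing value"},
- {ERR_REASON(X509V3_R_NEED_ORGANIZATION_AND_NUMBERS), "need organization and numbers"},
- {ERR_REASON(X509V3_R_NO_CONFIG_DATABASE) , "no config database"},
- {ERR_REASON(X509V3_R_NO_ISSUER_CERTIFICATE), "no issuer certificate"},
- {ERR_REASON(X509V3_R_NO_ISSUER_DETAILS) , "no issuer details"},
- {ERR_REASON(X509V3_R_NO_POLICY_IDENTIFIER), "no policy identifier"},
- {ERR_REASON(X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED), "no proxy cert policy language defined"},
- {ERR_REASON(X509V3_R_NO_PUBLIC_KEY) , "no public key"},
- {ERR_REASON(X509V3_R_NO_SUBJECT_DETAILS) , "no subject details"},
- {ERR_REASON(X509V3_R_ODD_NUMBER_OF_DIGITS), "odd number of digits"},
- {ERR_REASON(X509V3_R_OPERATION_NOT_DEFINED), "operation not defined"},
- {ERR_REASON(X509V3_R_OTHERNAME_ERROR) , "othername error"},
- {ERR_REASON(X509V3_R_POLICY_LANGUAGE_ALREADY_DEFINED), "policy language already defined"},
- {ERR_REASON(X509V3_R_POLICY_PATH_LENGTH) , "policy path length"},
- {ERR_REASON(X509V3_R_POLICY_PATH_LENGTH_ALREADY_DEFINED), "policy path length already defined"},
- {ERR_REASON(X509V3_R_POLICY_SYNTAX_NOT_CURRENTLY_SUPPORTED), "policy syntax not currently supported"},
- {ERR_REASON(X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY), "policy when proxy language requires no policy"},
- {ERR_REASON(X509V3_R_SECTION_NOT_FOUND) , "section not found"},
- {ERR_REASON(X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS), "unable to get issuer details"},
- {ERR_REASON(X509V3_R_UNABLE_TO_GET_ISSUER_KEYID), "unable to get issuer keyid"},
- {ERR_REASON(X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT), "unknown bit string argument"},
- {ERR_REASON(X509V3_R_UNKNOWN_EXTENSION) , "unknown extension"},
- {ERR_REASON(X509V3_R_UNKNOWN_EXTENSION_NAME), "unknown extension name"},
- {ERR_REASON(X509V3_R_UNKNOWN_OPTION) , "unknown option"},
- {ERR_REASON(X509V3_R_UNSUPPORTED_OPTION) , "unsupported option"},
- {ERR_REASON(X509V3_R_UNSUPPORTED_TYPE) , "unsupported type"},
- {ERR_REASON(X509V3_R_USER_TOO_LONG) , "user too long"},
- {0, NULL}
-};
-
-#endif
-
-void
-ERR_load_X509V3_strings(void)
-{
-#ifndef OPENSSL_NO_ERR
- if (ERR_func_error_string(X509V3_str_functs[0].error) == NULL) {
- ERR_load_strings(0, X509V3_str_functs);
- ERR_load_strings(0, X509V3_str_reasons);
- }
-#endif
-}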
diff --git a/src/lib/libcrypto/x509v3/x509v3.h b/src/lib/libcrypto/x509v3/x509v3.h
deleted file mode 100644
index b45626a885..0000000000
--- a/src/lib/libcrypto/x509v3/x509v3.h
+++ /dev/null
@@ -1,862 +0,0 @@
1/* $OpenBSD: x509v3.h,v 1.16 2015/02/10 13:28:17 jsing Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58#ifndef HEADER_X509V3_H
59#define HEADER_X509V3_H
60
61#include <openssl/opensslconf.h>
62
63#include <openssl/bio.h>
64#include <openssl/x509.h>
65#include <openssl/conf.h>
66
67#ifdef __cplusplus
68extern "C" {
69#endif
70
71/* Forward reference */
72struct v3_ext_method;
73struct v3_ext_ctx;
74
75/* Useful typedefs */
76
77typedef void * (*X509V3_EXT_NEW)(void);
78typedef void (*X509V3_EXT_FREE)(void *);
79typedef void * (*X509V3_EXT_D2I)(void *, const unsigned char ** , long);
80typedef int (*X509V3_EXT_I2D)(void *, unsigned char **);
81typedef STACK_OF(CONF_VALUE) *
82 (*X509V3_EXT_I2V)(const struct v3_ext_method *method, void *ext,
83 STACK_OF(CONF_VALUE) *extlist);
84typedef void * (*X509V3_EXT_V2I)(const struct v3_ext_method *method,
85 struct v3_ext_ctx *ctx,
86 STACK_OF(CONF_VALUE) *values);
87typedef char * (*X509V3_EXT_I2S)(const struct v3_ext_method *method, void *ext);
88typedef void * (*X509V3_EXT_S2I)(const struct v3_ext_method *method,
89 struct v3_ext_ctx *ctx, const char *str);
90typedef int (*X509V3_EXT_I2R)(const struct v3_ext_method *method, void *ext,
91 BIO *out, int indent);
92typedef void * (*X509V3_EXT_R2I)(const struct v3_ext_method *method,
93 struct v3_ext_ctx *ctx, const char *str);
94
95/* V3 extension structure */
96
97struct v3_ext_method {
98int ext_nid;
99int ext_flags;
100/* If this is set the following four fields are ignored */
101ASN1_ITEM_EXP *it;
102/* Old style ASN1 calls */
103X509V3_EXT_NEW ext_new;
104X509V3_EXT_FREE ext_free;
105X509V3_EXT_D2I d2i;
106X509V3_EXT_I2D i2d;
107
108/* The following pair is used for string extensions */
109X509V3_EXT_I2S i2s;
110X509V3_EXT_S2I s2i;
111
112/* The following pair is used for multi-valued extensions */
113X509V3_EXT_I2V i2v;
114X509V3_EXT_V2I v2i;
115
116/* The following are used for raw extensions */
117X509V3_EXT_I2R i2r;
118X509V3_EXT_R2I r2i;
119
120void *usr_data; /* Any extension specific data */
121};
122
123typedef struct X509V3_CONF_METHOD_st {
124char * (*get_string)(void *db, char *section, char *value);
125STACK_OF(CONF_VALUE) * (*get_section)(void *db, char *section);
126void (*free_string)(void *db, char * string);
127void (*free_section)(void *db, STACK_OF(CONF_VALUE) *section);
128} X509V3_CONF_METHOD;
129
130/* Context specific info */
131struct v3_ext_ctx {
132#define CTX_TEST 0x1
133int flags;
134X509 *issuer_cert;
135X509 *subject_cert;
136X509_REQ *subject_req;
137X509_CRL *crl;
138X509V3_CONF_METHOD *db_meth;
139void *db;
140/* Maybe more here */
141};
142
143typedef struct v3_ext_method X509V3_EXT_METHOD;
144
145DECLARE_STACK_OF(X509V3_EXT_METHOD)
146
147/* ext_flags values */
148#define X509V3_EXT_DYNAMIC 0x1
149#define X509V3_EXT_CTX_DEP 0x2
150#define X509V3_EXT_MULTILINE 0x4
151
152typedef BIT_STRING_BITNAME ENUMERATED_NAMES;
153
154typedef struct BASIC_CONSTRAINTS_st {
155int ca;
156ASN1_INTEGER *pathlen;
157} BASIC_CONSTRAINTS;
158
159
160typedef struct PKEY_USAGE_PERIOD_st {
161ASN1_GENERALIZEDTIME *notBefore;
162ASN1_GENERALIZEDTIME *notAfter;
163} PKEY_USAGE_PERIOD;
164
165typedef struct otherName_st {
166ASN1_OBJECT *type_id;
167ASN1_TYPE *value;
168} OTHERNAME;
169
170typedef struct EDIPartyName_st {
171 ASN1_STRING *nameAssigner;
172 ASN1_STRING *partyName;
173} EDIPARTYNAME;
174
175typedef struct GENERAL_NAME_st {
176
177#define GEN_OTHERNAME 0
178#define GEN_EMAIL 1
179#define GEN_DNS 2
180#define GEN_X400 3
181#define GEN_DIRNAME 4
182#define GEN_EDIPARTY 5
183#define GEN_URI 6
184#define GEN_IPADD 7
185#define GEN_RID 8
186
187int type;
188union {
189 char *ptr;
190 OTHERNAME *otherName; /* otherName */
191 ASN1_IA5STRING *rfc822Name;
192 ASN1_IA5STRING *dNSName;
193 ASN1_TYPE *x400Address;
194 X509_NAME *directoryName;
195 EDIPARTYNAME *ediPartyName;
196 ASN1_IA5STRING *uniformResourceIdentifier;
197 ASN1_OCTET_STRING *iPAddress;
198 ASN1_OBJECT *registeredID;
199
200 /* Old names */
201 ASN1_OCTET_STRING *ip; /* iPAddress */
202 X509_NAME *dirn; /* dirn */
203 ASN1_IA5STRING *ia5;/* rfc822Name, dNSName, uniformResourceIdentifier */
204 ASN1_OBJECT *rid; /* registeredID */
205 ASN1_TYPE *other; /* x400Address */
206} d;
207} GENERAL_NAME;
208
209typedef STACK_OF(GENERAL_NAME) GENERAL_NAMES;
210
211typedef struct ACCESS_DESCRIPTION_st {
212 ASN1_OBJECT *method;
213 GENERAL_NAME *location;
214} ACCESS_DESCRIPTION;
215
216typedef STACK_OF(ACCESS_DESCRIPTION) AUTHORITY_INFO_ACCESS;
217
218typedef STACK_OF(ASN1_OBJECT) EXTENDED_KEY_USAGE;
219
220DECLARE_STACK_OF(GENERAL_NAME)
221DECLARE_ASN1_SET_OF(GENERAL_NAME)
222
223DECLARE_STACK_OF(ACCESS_DESCRIPTION)
224DECLARE_ASN1_SET_OF(ACCESS_DESCRIPTION)
225
226typedef struct DIST_POINT_NAME_st {
227int type;
228union {
229 GENERAL_NAMES *fullname;
230 STACK_OF(X509_NAME_ENTRY) *relativename;
231} name;
232/* If relativename then this contains the full distribution point name */
233X509_NAME *dpname;
234} DIST_POINT_NAME;
235/* All existing reasons */
236#define CRLDP_ALL_REASONS 0x807f
237
238#define CRL_REASON_NONE -1
239#define CRL_REASON_UNSPECIFIED 0
240#define CRL_REASON_KEY_COMPROMISE 1
241#define CRL_REASON_CA_COMPROMISE 2
242#define CRL_REASON_AFFILIATION_CHANGED 3
243#define CRL_REASON_SUPERSEDED 4
244#define CRL_REASON_CESSATION_OF_OPERATION 5
245#define CRL_REASON_CERTIFICATE_HOLD 6
246#define CRL_REASON_REMOVE_FROM_CRL 8
247#define CRL_REASON_PRIVILEGE_WITHDRAWN 9
248#define CRL_REASON_AA_COMPROMISE 10
249
250struct DIST_POINT_st {
251DIST_POINT_NAME *distpoint;
252ASN1_BIT_STRING *reasons;
253GENERAL_NAMES *CRLissuer;
254int dp_reasons;
255};
256
257typedef STACK_OF(DIST_POINT) CRL_DIST_POINTS;
258
259DECLARE_STACK_OF(DIST_POINT)
260DECLARE_ASN1_SET_OF(DIST_POINT)
261
262struct AUTHORITY_KEYID_st {
263ASN1_OCTET_STRING *keyid;
264GENERAL_NAMES *issuer;
265ASN1_INTEGER *serial;
266};
267
268/* Strong extranet structures */
269
270typedef struct SXNET_ID_st {
271 ASN1_INTEGER *zone;
272 ASN1_OCTET_STRING *user;
273} SXNETID;
274
275DECLARE_STACK_OF(SXNETID)
276DECLARE_ASN1_SET_OF(SXNETID)
277
278typedef struct SXNET_st {
279 ASN1_INTEGER *version;
280 STACK_OF(SXNETID) *ids;
281} SXNET;
282
283typedef struct NOTICEREF_st {
284 ASN1_STRING *organization;
285 STACK_OF(ASN1_INTEGER) *noticenos;
286} NOTICEREF;
287
288typedef struct USERNOTICE_st {
289 NOTICEREF *noticeref;
290 ASN1_STRING *exptext;
291} USERNOTICE;
292
293typedef struct POLICYQUALINFO_st {
294 ASN1_OBJECT *pqualid;
295 union {
296 ASN1_IA5STRING *cpsuri;
297 USERNOTICE *usernotice;
298 ASN1_TYPE *other;
299 } d;
300} POLICYQUALINFO;
301
302DECLARE_STACK_OF(POLICYQUALINFO)
303DECLARE_ASN1_SET_OF(POLICYQUALINFO)
304
305typedef struct POLICYINFO_st {
306 ASN1_OBJECT *policyid;
307 STACK_OF(POLICYQUALINFO) *qualifiers;
308} POLICYINFO;
309
310typedef STACK_OF(POLICYINFO) CERTIFICATEPOLICIES;
311
312DECLARE_STACK_OF(POLICYINFO)
313DECLARE_ASN1_SET_OF(POLICYINFO)
314
315typedef struct POLICY_MAPPING_st {
316 ASN1_OBJECT *issuerDomainPolicy;
317 ASN1_OBJECT *subjectDomainPolicy;
318} POLICY_MAPPING;
319
320DECLARE_STACK_OF(POLICY_MAPPING)
321
322typedef STACK_OF(POLICY_MAPPING) POLICY_MAPPINGS;
323
324typedef struct GENERAL_SUBTREE_st {
325 GENERAL_NAME *base;
326 ASN1_INTEGER *minimum;
327 ASN1_INTEGER *maximum;
328} GENERAL_SUBTREE;
329
330DECLARE_STACK_OF(GENERAL_SUBTREE)
331
332struct NAME_CONSTRAINTS_st {
333 STACK_OF(GENERAL_SUBTREE) *permittedSubtrees;
334 STACK_OF(GENERAL_SUBTREE) *excludedSubtrees;
335};
336
337typedef struct POLICY_CONSTRAINTS_st {
338 ASN1_INTEGER *requireExplicitPolicy;
339 ASN1_INTEGER *inhibitPolicyMapping;
340} POLICY_CONSTRAINTS;
341
342/* Proxy certificate structures, see RFC 3820 */
343typedef struct PROXY_POLICY_st
344 {
345 ASN1_OBJECT *policyLanguage;
346 ASN1_OCTET_STRING *policy;
347 } PROXY_POLICY;
348
349typedef struct PROXY_CERT_INFO_EXTENSION_st
350 {
351 ASN1_INTEGER *pcPathLengthConstraint;
352 PROXY_POLICY *proxyPolicy;
353 } PROXY_CERT_INFO_EXTENSION;
354
355DECLARE_ASN1_FUNCTIONS(PROXY_POLICY)
356DECLARE_ASN1_FUNCTIONS(PROXY_CERT_INFO_EXTENSION)
357
358struct ISSUING_DIST_POINT_st
359 {
360 DIST_POINT_NAME *distpoint;
361 int onlyuser;
362 int onlyCA;
363 ASN1_BIT_STRING *onlysomereasons;
364 int indirectCRL;
365 int onlyattr;
366 };
367
368/* Values in idp_flags field */
369/* IDP present */
370#define IDP_PRESENT 0x1
371/* IDP values inconsistent */
372#define IDP_INVALID 0x2
373/* onlyuser true */
374#define IDP_ONLYUSER 0x4
375/* onlyCA true */
376#define IDP_ONLYCA 0x8
377/* onlyattr true */
378#define IDP_ONLYATTR 0x10
379/* indirectCRL true */
380#define IDP_INDIRECT 0x20
381/* onlysomereasons present */
382#define IDP_REASONS 0x40
383
384#define X509V3_conf_err(val) ERR_asprintf_error_data( \
385 "section:%s,name:%s,value:%s", val->section, \
386 val->name, val->value);
387
388#define X509V3_set_ctx_test(ctx) \
389 X509V3_set_ctx(ctx, NULL, NULL, NULL, NULL, CTX_TEST)
390#define X509V3_set_ctx_nodb(ctx) (ctx)->db = NULL;
391
392#define EXT_BITSTRING(nid, table) { nid, 0, ASN1_ITEM_ref(ASN1_BIT_STRING), \
393 0,0,0,0, \
394 0,0, \
395 (X509V3_EXT_I2V)i2v_ASN1_BIT_STRING, \
396 (X509V3_EXT_V2I)v2i_ASN1_BIT_STRING, \
397 NULL, NULL, \
398 table}
399
400#define EXT_IA5STRING(nid) { nid, 0, ASN1_ITEM_ref(ASN1_IA5STRING), \
401 0,0,0,0, \
402 (X509V3_EXT_I2S)i2s_ASN1_IA5STRING, \
403 (X509V3_EXT_S2I)s2i_ASN1_IA5STRING, \
404 0,0,0,0, \
405 NULL}
406
407#define EXT_END { -1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}
408
409
410/* X509_PURPOSE stuff */
411
412#define EXFLAG_BCONS 0x1
413#define EXFLAG_KUSAGE 0x2
414#define EXFLAG_XKUSAGE 0x4
415#define EXFLAG_NSCERT 0x8
416
417#define EXFLAG_CA 0x10
418/* Really self issued not necessarily self signed */
419#define EXFLAG_SI 0x20
420#define EXFLAG_SS 0x20
421#define EXFLAG_V1 0x40
422#define EXFLAG_INVALID 0x80
423#define EXFLAG_SET 0x100
424#define EXFLAG_CRITICAL 0x200
425#define EXFLAG_PROXY 0x400
426
427#define EXFLAG_INVALID_POLICY 0x800
428#define EXFLAG_FRESHEST 0x1000
429
430#define KU_DIGITAL_SIGNATURE 0x0080
431#define KU_NON_REPUDIATION 0x0040
432#define KU_KEY_ENCIPHERMENT 0x0020
433#define KU_DATA_ENCIPHERMENT 0x0010
434#define KU_KEY_AGREEMENT 0x0008
435#define KU_KEY_CERT_SIGN 0x0004
436#define KU_CRL_SIGN 0x0002
437#define KU_ENCIPHER_ONLY 0x0001
438#define KU_DECIPHER_ONLY 0x8000
439
440#define NS_SSL_CLIENT 0x80
441#define NS_SSL_SERVER 0x40
442#define NS_SMIME 0x20
443#define NS_OBJSIGN 0x10
444#define NS_SSL_CA 0x04
445#define NS_SMIME_CA 0x02
446#define NS_OBJSIGN_CA 0x01
447#define NS_ANY_CA (NS_SSL_CA|NS_SMIME_CA|NS_OBJSIGN_CA)
448
449#define XKU_SSL_SERVER 0x1
450#define XKU_SSL_CLIENT 0x2
451#define XKU_SMIME 0x4
452#define XKU_CODE_SIGN 0x8
453#define XKU_SGC 0x10
454#define XKU_OCSP_SIGN 0x20
455#define XKU_TIMESTAMP 0x40
456#define XKU_DVCS 0x80
457
458#define X509_PURPOSE_DYNAMIC 0x1
459#define X509_PURPOSE_DYNAMIC_NAME 0x2
460
461typedef struct x509_purpose_st {
462 int purpose;
463 int trust; /* Default trust ID */
464 int flags;
465 int (*check_purpose)(const struct x509_purpose_st *,
466 const X509 *, int);
467 char *name;
468 char *sname;
469 void *usr_data;
470} X509_PURPOSE;
471
472#define X509_PURPOSE_SSL_CLIENT 1
473#define X509_PURPOSE_SSL_SERVER 2
474#define X509_PURPOSE_NS_SSL_SERVER 3
475#define X509_PURPOSE_SMIME_SIGN 4
476#define X509_PURPOSE_SMIME_ENCRYPT 5
477#define X509_PURPOSE_CRL_SIGN 6
478#define X509_PURPOSE_ANY 7
479#define X509_PURPOSE_OCSP_HELPER 8
480#define X509_PURPOSE_TIMESTAMP_SIGN 9
481
482#define X509_PURPOSE_MIN 1
483#define X509_PURPOSE_MAX 9
484
485/* Flags for X509V3_EXT_print() */
486
487#define X509V3_EXT_UNKNOWN_MASK (0xfL << 16)
488/* Return error for unknown extensions */
489#define X509V3_EXT_DEFAULT 0
490/* Print error for unknown extensions */
491#define X509V3_EXT_ERROR_UNKNOWN (1L << 16)
492/* ASN1 parse unknown extensions */
493#define X509V3_EXT_PARSE_UNKNOWN (2L << 16)
494/* BIO_dump unknown extensions */
495#define X509V3_EXT_DUMP_UNKNOWN (3L << 16)
496
497/* Flags for X509V3_add1_i2d */
498
499#define X509V3_ADD_OP_MASK 0xfL
500#define X509V3_ADD_DEFAULT 0L
501#define X509V3_ADD_APPEND 1L
502#define X509V3_ADD_REPLACE 2L
503#define X509V3_ADD_REPLACE_EXISTING 3L
504#define X509V3_ADD_KEEP_EXISTING 4L
505#define X509V3_ADD_DELETE 5L
506#define X509V3_ADD_SILENT 0x10
507
508DECLARE_STACK_OF(X509_PURPOSE)
509
510DECLARE_ASN1_FUNCTIONS(BASIC_CONSTRAINTS)
511
512DECLARE_ASN1_FUNCTIONS(SXNET)
513DECLARE_ASN1_FUNCTIONS(SXNETID)
514
515int SXNET_add_id_asc(SXNET **psx, char *zone, char *user, int userlen);
516int SXNET_add_id_ulong(SXNET **psx, unsigned long lzone, char *user, int userlen);
517int SXNET_add_id_INTEGER(SXNET **psx, ASN1_INTEGER *izone, char *user, int userlen);
518
519ASN1_OCTET_STRING *SXNET_get_id_asc(SXNET *sx, char *zone);
520ASN1_OCTET_STRING *SXNET_get_id_ulong(SXNET *sx, unsigned long lzone);
521ASN1_OCTET_STRING *SXNET_get_id_INTEGER(SXNET *sx, ASN1_INTEGER *zone);
522
523DECLARE_ASN1_FUNCTIONS(AUTHORITY_KEYID)
524
525DECLARE_ASN1_FUNCTIONS(PKEY_USAGE_PERIOD)
526
527DECLARE_ASN1_FUNCTIONS(GENERAL_NAME)
528GENERAL_NAME *GENERAL_NAME_dup(GENERAL_NAME *a);
529int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b);
530
531
532
533ASN1_BIT_STRING *v2i_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
534 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
535STACK_OF(CONF_VALUE) *i2v_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
536 ASN1_BIT_STRING *bits,
537 STACK_OF(CONF_VALUE) *extlist);
538
539STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(X509V3_EXT_METHOD *method, GENERAL_NAME *gen, STACK_OF(CONF_VALUE) *ret);
540int GENERAL_NAME_print(BIO *out, GENERAL_NAME *gen);
541
542DECLARE_ASN1_FUNCTIONS(GENERAL_NAMES)
543
544STACK_OF(CONF_VALUE) *i2v_GENERAL_NAMES(X509V3_EXT_METHOD *method,
545 GENERAL_NAMES *gen, STACK_OF(CONF_VALUE) *extlist);
546GENERAL_NAMES *v2i_GENERAL_NAMES(const X509V3_EXT_METHOD *method,
547 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
548
549DECLARE_ASN1_FUNCTIONS(OTHERNAME)
550DECLARE_ASN1_FUNCTIONS(EDIPARTYNAME)
551int OTHERNAME_cmp(OTHERNAME *a, OTHERNAME *b);
552void GENERAL_NAME_set0_value(GENERAL_NAME *a, int type, void *value);
553void *GENERAL_NAME_get0_value(GENERAL_NAME *a, int *ptype);
554int GENERAL_NAME_set0_othername(GENERAL_NAME *gen,
555 ASN1_OBJECT *oid, ASN1_TYPE *value);
556int GENERAL_NAME_get0_otherName(GENERAL_NAME *gen,
557 ASN1_OBJECT **poid, ASN1_TYPE **pvalue);
558
559char *i2s_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method, ASN1_OCTET_STRING *ia5);
560ASN1_OCTET_STRING *s2i_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *str);
561
562DECLARE_ASN1_FUNCTIONS(EXTENDED_KEY_USAGE)
563int i2a_ACCESS_DESCRIPTION(BIO *bp, ACCESS_DESCRIPTION* a);
564
565DECLARE_ASN1_FUNCTIONS(CERTIFICATEPOLICIES)
566DECLARE_ASN1_FUNCTIONS(POLICYINFO)
567DECLARE_ASN1_FUNCTIONS(POLICYQUALINFO)
568DECLARE_ASN1_FUNCTIONS(USERNOTICE)
569DECLARE_ASN1_FUNCTIONS(NOTICEREF)
570
571DECLARE_ASN1_FUNCTIONS(CRL_DIST_POINTS)
572DECLARE_ASN1_FUNCTIONS(DIST_POINT)
573DECLARE_ASN1_FUNCTIONS(DIST_POINT_NAME)
574DECLARE_ASN1_FUNCTIONS(ISSUING_DIST_POINT)
575
576int DIST_POINT_set_dpname(DIST_POINT_NAME *dpn, X509_NAME *iname);
577
578int NAME_CONSTRAINTS_check(X509 *x, NAME_CONSTRAINTS *nc);
579
580DECLARE_ASN1_FUNCTIONS(ACCESS_DESCRIPTION)
581DECLARE_ASN1_FUNCTIONS(AUTHORITY_INFO_ACCESS)
582
583DECLARE_ASN1_ITEM(POLICY_MAPPING)
584DECLARE_ASN1_ALLOC_FUNCTIONS(POLICY_MAPPING)
585DECLARE_ASN1_ITEM(POLICY_MAPPINGS)
586
587DECLARE_ASN1_ITEM(GENERAL_SUBTREE)
588DECLARE_ASN1_ALLOC_FUNCTIONS(GENERAL_SUBTREE)
589
590DECLARE_ASN1_ITEM(NAME_CONSTRAINTS)
591DECLARE_ASN1_ALLOC_FUNCTIONS(NAME_CONSTRAINTS)
592
593DECLARE_ASN1_ALLOC_FUNCTIONS(POLICY_CONSTRAINTS)
594DECLARE_ASN1_ITEM(POLICY_CONSTRAINTS)
595
596GENERAL_NAME *a2i_GENERAL_NAME(GENERAL_NAME *out,
597 const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
598 int gen_type, char *value, int is_nc);
599
600#ifdef HEADER_CONF_H
601GENERAL_NAME *v2i_GENERAL_NAME(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
602 CONF_VALUE *cnf);
603GENERAL_NAME *v2i_GENERAL_NAME_ex(GENERAL_NAME *out,
604 const X509V3_EXT_METHOD *method,
605 X509V3_CTX *ctx, CONF_VALUE *cnf, int is_nc);
606void X509V3_conf_free(CONF_VALUE *val);
607
608X509_EXTENSION *X509V3_EXT_nconf_nid(CONF *conf, X509V3_CTX *ctx, int ext_nid, char *value);
609X509_EXTENSION *X509V3_EXT_nconf(CONF *conf, X509V3_CTX *ctx, char *name, char *value);
610int X509V3_EXT_add_nconf_sk(CONF *conf, X509V3_CTX *ctx, char *section, STACK_OF(X509_EXTENSION) **sk);
611int X509V3_EXT_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section, X509 *cert);
612int X509V3_EXT_REQ_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section, X509_REQ *req);
613int X509V3_EXT_CRL_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section, X509_CRL *crl);
614
615X509_EXTENSION *X509V3_EXT_conf_nid(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
616 int ext_nid, char *value);
617X509_EXTENSION *X509V3_EXT_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
618 char *name, char *value);
619int X509V3_EXT_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
620 char *section, X509 *cert);
621int X509V3_EXT_REQ_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
622 char *section, X509_REQ *req);
623int X509V3_EXT_CRL_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
624 char *section, X509_CRL *crl);
625
626int X509V3_add_value_bool_nf(char *name, int asn1_bool,
627 STACK_OF(CONF_VALUE) **extlist);
628int X509V3_get_value_bool(CONF_VALUE *value, int *asn1_bool);
629int X509V3_get_value_int(CONF_VALUE *value, ASN1_INTEGER **aint);
630void X509V3_set_nconf(X509V3_CTX *ctx, CONF *conf);
631void X509V3_set_conf_lhash(X509V3_CTX *ctx, LHASH_OF(CONF_VALUE) *lhash);
632#endif
633
634char * X509V3_get_string(X509V3_CTX *ctx, char *name, char *section);
635STACK_OF(CONF_VALUE) * X509V3_get_section(X509V3_CTX *ctx, char *section);
636void X509V3_string_free(X509V3_CTX *ctx, char *str);
637void X509V3_section_free( X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *section);
638void X509V3_set_ctx(X509V3_CTX *ctx, X509 *issuer, X509 *subject,
639 X509_REQ *req, X509_CRL *crl, int flags);
640
641int X509V3_add_value(const char *name, const char *value,
642 STACK_OF(CONF_VALUE) **extlist);
643int X509V3_add_value_uchar(const char *name, const unsigned char *value,
644 STACK_OF(CONF_VALUE) **extlist);
645int X509V3_add_value_bool(const char *name, int asn1_bool,
646 STACK_OF(CONF_VALUE) **extlist);
647int X509V3_add_value_int(const char *name, ASN1_INTEGER *aint,
648 STACK_OF(CONF_VALUE) **extlist);
649char * i2s_ASN1_INTEGER(X509V3_EXT_METHOD *meth, ASN1_INTEGER *aint);
650ASN1_INTEGER * s2i_ASN1_INTEGER(X509V3_EXT_METHOD *meth, char *value);
651char * i2s_ASN1_ENUMERATED(X509V3_EXT_METHOD *meth, ASN1_ENUMERATED *aint);
652char * i2s_ASN1_ENUMERATED_TABLE(X509V3_EXT_METHOD *meth, ASN1_ENUMERATED *aint);
653int X509V3_EXT_add(X509V3_EXT_METHOD *ext);
654int X509V3_EXT_add_list(X509V3_EXT_METHOD *extlist);
655int X509V3_EXT_add_alias(int nid_to, int nid_from);
656void X509V3_EXT_cleanup(void);
657
658const X509V3_EXT_METHOD *X509V3_EXT_get(X509_EXTENSION *ext);
659const X509V3_EXT_METHOD *X509V3_EXT_get_nid(int nid);
660int X509V3_add_standard_extensions(void);
661STACK_OF(CONF_VALUE) *X509V3_parse_list(const char *line);
662void *X509V3_EXT_d2i(X509_EXTENSION *ext);
663void *X509V3_get_d2i(STACK_OF(X509_EXTENSION) *x, int nid, int *crit, int *idx);
664
665
666X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, void *ext_struc);
667int X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value, int crit, unsigned long flags);
668
669char *hex_to_string(const unsigned char *buffer, long len);
670unsigned char *string_to_hex(const char *str, long *len);
671int name_cmp(const char *name, const char *cmp);
672
673void X509V3_EXT_val_prn(BIO *out, STACK_OF(CONF_VALUE) *val, int indent,
674 int ml);
675int X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, unsigned long flag, int indent);
676int X509V3_EXT_print_fp(FILE *out, X509_EXTENSION *ext, int flag, int indent);
677
678int X509V3_extensions_print(BIO *out, char *title, STACK_OF(X509_EXTENSION) *exts, unsigned long flag, int indent);
679
680int X509_check_ca(X509 *x);
681int X509_check_purpose(X509 *x, int id, int ca);
682int X509_supported_extension(X509_EXTENSION *ex);
683int X509_PURPOSE_set(int *p, int purpose);
684int X509_check_issued(X509 *issuer, X509 *subject);
685int X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid);
686int X509_PURPOSE_get_count(void);
687X509_PURPOSE * X509_PURPOSE_get0(int idx);
688int X509_PURPOSE_get_by_sname(char *sname);
689int X509_PURPOSE_get_by_id(int id);
690int X509_PURPOSE_add(int id, int trust, int flags,
691 int (*ck)(const X509_PURPOSE *, const X509 *, int),
692 char *name, char *sname, void *arg);
693char *X509_PURPOSE_get0_name(X509_PURPOSE *xp);
694char *X509_PURPOSE_get0_sname(X509_PURPOSE *xp);
695int X509_PURPOSE_get_trust(X509_PURPOSE *xp);
696void X509_PURPOSE_cleanup(void);
697int X509_PURPOSE_get_id(X509_PURPOSE *);
698
699STACK_OF(OPENSSL_STRING) *X509_get1_email(X509 *x);
700STACK_OF(OPENSSL_STRING) *X509_REQ_get1_email(X509_REQ *x);
701void X509_email_free(STACK_OF(OPENSSL_STRING) *sk);
702STACK_OF(OPENSSL_STRING) *X509_get1_ocsp(X509 *x);
703
704ASN1_OCTET_STRING *a2i_IPADDRESS(const char *ipasc);
705ASN1_OCTET_STRING *a2i_IPADDRESS_NC(const char *ipasc);
706int a2i_ipadd(unsigned char *ipout, const char *ipasc);
707int X509V3_NAME_from_section(X509_NAME *nm, STACK_OF(CONF_VALUE)*dn_sk,
708 unsigned long chtype);
709
710void X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent);
711DECLARE_STACK_OF(X509_POLICY_NODE)
712
713
714/* BEGIN ERROR CODES */
715/* The following lines are auto generated by the script mkerr.pl. Any changes
716 * made after this point may be overwritten when the script is next run.
717 */
718void ERR_load_X509V3_strings(void);
719
720/* Error codes for the X509V3 functions. */
721
722/* Function codes. */
723#define X509V3_F_A2I_GENERAL_NAME 164
724#define X509V3_F_ASIDENTIFIERCHOICE_CANONIZE 161
725#define X509V3_F_ASIDENTIFIERCHOICE_IS_CANONICAL 162
726#define X509V3_F_COPY_EMAIL 122
727#define X509V3_F_COPY_ISSUER 123
728#define X509V3_F_DO_DIRNAME 144
729#define X509V3_F_DO_EXT_CONF 124
730#define X509V3_F_DO_EXT_I2D 135
731#define X509V3_F_DO_EXT_NCONF 151
732#define X509V3_F_DO_I2V_NAME_CONSTRAINTS 148
733#define X509V3_F_GNAMES_FROM_SECTNAME 156
734#define X509V3_F_HEX_TO_STRING 111
735#define X509V3_F_I2S_ASN1_ENUMERATED 121
736#define X509V3_F_I2S_ASN1_IA5STRING 149
737#define X509V3_F_I2S_ASN1_INTEGER 120
738#define X509V3_F_I2V_AUTHORITY_INFO_ACCESS 138
739#define X509V3_F_NOTICE_SECTION 132
740#define X509V3_F_NREF_NOS 133
741#define X509V3_F_POLICY_SECTION 131
742#define X509V3_F_PROCESS_PCI_VALUE 150
743#define X509V3_F_R2I_CERTPOL 130
744#define X509V3_F_R2I_PCI 155
745#define X509V3_F_S2I_ASN1_IA5STRING 100
746#define X509V3_F_S2I_ASN1_INTEGER 108
747#define X509V3_F_S2I_ASN1_OCTET_STRING 112
748#define X509V3_F_S2I_ASN1_SKEY_ID 114
749#define X509V3_F_S2I_SKEY_ID 115
750#define X509V3_F_SET_DIST_POINT_NAME 158
751#define X509V3_F_STRING_TO_HEX 113
752#define X509V3_F_SXNET_ADD_ID_ASC 125
753#define X509V3_F_SXNET_ADD_ID_INTEGER 126
754#define X509V3_F_SXNET_ADD_ID_ULONG 127
755#define X509V3_F_SXNET_GET_ID_ASC 128
756#define X509V3_F_SXNET_GET_ID_ULONG 129
757#define X509V3_F_V2I_ASIDENTIFIERS 163
758#define X509V3_F_V2I_ASN1_BIT_STRING 101
759#define X509V3_F_V2I_AUTHORITY_INFO_ACCESS 139
760#define X509V3_F_V2I_AUTHORITY_KEYID 119
761#define X509V3_F_V2I_BASIC_CONSTRAINTS 102
762#define X509V3_F_V2I_CRLD 134
763#define X509V3_F_V2I_EXTENDED_KEY_USAGE 103
764#define X509V3_F_V2I_GENERAL_NAMES 118
765#define X509V3_F_V2I_GENERAL_NAME_EX 117
766#define X509V3_F_V2I_IDP 157
767#define X509V3_F_V2I_IPADDRBLOCKS 159
768#define X509V3_F_V2I_ISSUER_ALT 153
769#define X509V3_F_V2I_NAME_CONSTRAINTS 147
770#define X509V3_F_V2I_POLICY_CONSTRAINTS 146
771#define X509V3_F_V2I_POLICY_MAPPINGS 145
772#define X509V3_F_V2I_SUBJECT_ALT 154
773#define X509V3_F_V3_ADDR_VALIDATE_PATH_INTERNAL 160
774#define X509V3_F_V3_GENERIC_EXTENSION 116
775#define X509V3_F_X509V3_ADD1_I2D 140
776#define X509V3_F_X509V3_ADD_VALUE 105
777#define X509V3_F_X509V3_EXT_ADD 104
778#define X509V3_F_X509V3_EXT_ADD_ALIAS 106
779#define X509V3_F_X509V3_EXT_CONF 107
780#define X509V3_F_X509V3_EXT_I2D 136
781#define X509V3_F_X509V3_EXT_NCONF 152
782#define X509V3_F_X509V3_GET_SECTION 142
783#define X509V3_F_X509V3_GET_STRING 143
784#define X509V3_F_X509V3_GET_VALUE_BOOL 110
785#define X509V3_F_X509V3_PARSE_LIST 109
786#define X509V3_F_X509_PURPOSE_ADD 137
787#define X509V3_F_X509_PURPOSE_SET 141
788
789/* Reason codes. */
790#define X509V3_R_BAD_IP_ADDRESS 118
791#define X509V3_R_BAD_OBJECT 119
792#define X509V3_R_BN_DEC2BN_ERROR 100
793#define X509V3_R_BN_TO_ASN1_INTEGER_ERROR 101
794#define X509V3_R_DIRNAME_ERROR 149
795#define X509V3_R_DISTPOINT_ALREADY_SET 160
796#define X509V3_R_DUPLICATE_ZONE_ID 133
797#define X509V3_R_ERROR_CONVERTING_ZONE 131
798#define X509V3_R_ERROR_CREATING_EXTENSION 144
799#define X509V3_R_ERROR_IN_EXTENSION 128
800#define X509V3_R_EXPECTED_A_SECTION_NAME 137
801#define X509V3_R_EXTENSION_EXISTS 145
802#define X509V3_R_EXTENSION_NAME_ERROR 115
803#define X509V3_R_EXTENSION_NOT_FOUND 102
804#define X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED 103
805#define X509V3_R_EXTENSION_VALUE_ERROR 116
806#define X509V3_R_ILLEGAL_EMPTY_EXTENSION 151
807#define X509V3_R_ILLEGAL_HEX_DIGIT 113
808#define X509V3_R_INCORRECT_POLICY_SYNTAX_TAG 152
809#define X509V3_R_INVALID_MULTIPLE_RDNS 161
810#define X509V3_R_INVALID_ASNUMBER 162
811#define X509V3_R_INVALID_ASRANGE 163
812#define X509V3_R_INVALID_BOOLEAN_STRING 104
813#define X509V3_R_INVALID_EXTENSION_STRING 105
814#define X509V3_R_INVALID_INHERITANCE 165
815#define X509V3_R_INVALID_IPADDRESS 166
816#define X509V3_R_INVALID_NAME 106
817#define X509V3_R_INVALID_NULL_ARGUMENT 107
818#define X509V3_R_INVALID_NULL_NAME 108
819#define X509V3_R_INVALID_NULL_VALUE 109
820#define X509V3_R_INVALID_NUMBER 140
821#define X509V3_R_INVALID_NUMBERS 141
822#define X509V3_R_INVALID_OBJECT_IDENTIFIER 110
823#define X509V3_R_INVALID_OPTION 138
824#define X509V3_R_INVALID_POLICY_IDENTIFIER 134
825#define X509V3_R_INVALID_PROXY_POLICY_SETTING 153
826#define X509V3_R_INVALID_PURPOSE 146
827#define X509V3_R_INVALID_SAFI 164
828#define X509V3_R_INVALID_SECTION 135
829#define X509V3_R_INVALID_SYNTAX 143
830#define X509V3_R_ISSUER_DECODE_ERROR 126
831#define X509V3_R_MISSING_VALUE 124
832#define X509V3_R_NEED_ORGANIZATION_AND_NUMBERS 142
833#define X509V3_R_NO_CONFIG_DATABASE 136
834#define X509V3_R_NO_ISSUER_CERTIFICATE 121
835#define X509V3_R_NO_ISSUER_DETAILS 127
836#define X509V3_R_NO_POLICY_IDENTIFIER 139
837#define X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED 154
838#define X509V3_R_NO_PUBLIC_KEY 114
839#define X509V3_R_NO_SUBJECT_DETAILS 125
840#define X509V3_R_ODD_NUMBER_OF_DIGITS 112
841#define X509V3_R_OPERATION_NOT_DEFINED 148
842#define X509V3_R_OTHERNAME_ERROR 147
843#define X509V3_R_POLICY_LANGUAGE_ALREADY_DEFINED 155
844#define X509V3_R_POLICY_PATH_LENGTH 156
845#define X509V3_R_POLICY_PATH_LENGTH_ALREADY_DEFINED 157
846#define X509V3_R_POLICY_SYNTAX_NOT_CURRENTLY_SUPPORTED 158
847#define X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY 159
848#define X509V3_R_SECTION_NOT_FOUND 150
849#define X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS 122
850#define X509V3_R_UNABLE_TO_GET_ISSUER_KEYID 123
851#define X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT 111
852#define X509V3_R_UNKNOWN_EXTENSION 129
853#define X509V3_R_UNKNOWN_EXTENSION_NAME 130
854#define X509V3_R_UNKNOWN_OPTION 120
855#define X509V3_R_UNSUPPORTED_OPTION 117
856#define X509V3_R_UNSUPPORTED_TYPE 167
857#define X509V3_R_USER_TOO_LONG 132
858
859#ifdef __cplusplus
860}
861#endif
862#endif