diff options
Diffstat (limited to 'src/lib/libcrypto/x509v3')
| -rw-r--r-- | src/lib/libcrypto/x509v3/pcy_data.c | 8 | ||||
| -rw-r--r-- | src/lib/libcrypto/x509v3/pcy_tree.c | 18 | ||||
| -rw-r--r-- | src/lib/libcrypto/x509v3/v3_addr.c | 12 | ||||
| -rw-r--r-- | src/lib/libcrypto/x509v3/v3_asid.c | 2 | ||||
| -rw-r--r-- | src/lib/libcrypto/x509v3/v3_purp.c | 6 | ||||
| -rw-r--r-- | src/lib/libcrypto/x509v3/x509v3.h | 4 |
6 files changed, 32 insertions, 18 deletions
diff --git a/src/lib/libcrypto/x509v3/pcy_data.c b/src/lib/libcrypto/x509v3/pcy_data.c index 614d2b4935..4711b1ee92 100644 --- a/src/lib/libcrypto/x509v3/pcy_data.c +++ b/src/lib/libcrypto/x509v3/pcy_data.c | |||
| @@ -87,6 +87,12 @@ X509_POLICY_DATA *policy_data_new(POLICYINFO *policy, ASN1_OBJECT *id, int crit) | |||
| 87 | X509_POLICY_DATA *ret; | 87 | X509_POLICY_DATA *ret; |
| 88 | if (!policy && !id) | 88 | if (!policy && !id) |
| 89 | return NULL; | 89 | return NULL; |
| 90 | if (id) | ||
| 91 | { | ||
| 92 | id = OBJ_dup(id); | ||
| 93 | if (!id) | ||
| 94 | return NULL; | ||
| 95 | } | ||
| 90 | ret = OPENSSL_malloc(sizeof(X509_POLICY_DATA)); | 96 | ret = OPENSSL_malloc(sizeof(X509_POLICY_DATA)); |
| 91 | if (!ret) | 97 | if (!ret) |
| 92 | return NULL; | 98 | return NULL; |
| @@ -94,6 +100,8 @@ X509_POLICY_DATA *policy_data_new(POLICYINFO *policy, ASN1_OBJECT *id, int crit) | |||
| 94 | if (!ret->expected_policy_set) | 100 | if (!ret->expected_policy_set) |
| 95 | { | 101 | { |
| 96 | OPENSSL_free(ret); | 102 | OPENSSL_free(ret); |
| 103 | if (id) | ||
| 104 | ASN1_OBJECT_free(id); | ||
| 97 | return NULL; | 105 | return NULL; |
| 98 | } | 106 | } |
| 99 | 107 | ||
diff --git a/src/lib/libcrypto/x509v3/pcy_tree.c b/src/lib/libcrypto/x509v3/pcy_tree.c index 4fda1d419a..b1ce77b9af 100644 --- a/src/lib/libcrypto/x509v3/pcy_tree.c +++ b/src/lib/libcrypto/x509v3/pcy_tree.c | |||
| @@ -130,9 +130,9 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, | |||
| 130 | ret = 2; | 130 | ret = 2; |
| 131 | if (explicit_policy > 0) | 131 | if (explicit_policy > 0) |
| 132 | { | 132 | { |
| 133 | explicit_policy--; | 133 | if (!(x->ex_flags & EXFLAG_SI)) |
| 134 | if (!(x->ex_flags & EXFLAG_SS) | 134 | explicit_policy--; |
| 135 | && (cache->explicit_skip != -1) | 135 | if ((cache->explicit_skip != -1) |
| 136 | && (cache->explicit_skip < explicit_policy)) | 136 | && (cache->explicit_skip < explicit_policy)) |
| 137 | explicit_policy = cache->explicit_skip; | 137 | explicit_policy = cache->explicit_skip; |
| 138 | } | 138 | } |
| @@ -197,13 +197,14 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, | |||
| 197 | /* Any matching allowed if certificate is self | 197 | /* Any matching allowed if certificate is self |
| 198 | * issued and not the last in the chain. | 198 | * issued and not the last in the chain. |
| 199 | */ | 199 | */ |
| 200 | if (!(x->ex_flags & EXFLAG_SS) || (i == 0)) | 200 | if (!(x->ex_flags & EXFLAG_SI) || (i == 0)) |
| 201 | level->flags |= X509_V_FLAG_INHIBIT_ANY; | 201 | level->flags |= X509_V_FLAG_INHIBIT_ANY; |
| 202 | } | 202 | } |
| 203 | else | 203 | else |
| 204 | { | 204 | { |
| 205 | any_skip--; | 205 | if (!(x->ex_flags & EXFLAG_SI)) |
| 206 | if ((cache->any_skip > 0) | 206 | any_skip--; |
| 207 | if ((cache->any_skip >= 0) | ||
| 207 | && (cache->any_skip < any_skip)) | 208 | && (cache->any_skip < any_skip)) |
| 208 | any_skip = cache->any_skip; | 209 | any_skip = cache->any_skip; |
| 209 | } | 210 | } |
| @@ -213,7 +214,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, | |||
| 213 | else | 214 | else |
| 214 | { | 215 | { |
| 215 | map_skip--; | 216 | map_skip--; |
| 216 | if ((cache->map_skip > 0) | 217 | if ((cache->map_skip >= 0) |
| 217 | && (cache->map_skip < map_skip)) | 218 | && (cache->map_skip < map_skip)) |
| 218 | map_skip = cache->map_skip; | 219 | map_skip = cache->map_skip; |
| 219 | } | 220 | } |
| @@ -310,7 +311,8 @@ static int tree_link_any(X509_POLICY_LEVEL *curr, | |||
| 310 | 311 | ||
| 311 | if (data == NULL) | 312 | if (data == NULL) |
| 312 | return 0; | 313 | return 0; |
| 313 | data->qualifier_set = curr->anyPolicy->data->qualifier_set; | 314 | /* Curr may not have anyPolicy */ |
| 315 | data->qualifier_set = cache->anyPolicy->qualifier_set; | ||
| 314 | data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS; | 316 | data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS; |
| 315 | if (!level_add_node(curr, data, node, tree)) | 317 | if (!level_add_node(curr, data, node, tree)) |
| 316 | { | 318 | { |
diff --git a/src/lib/libcrypto/x509v3/v3_addr.c b/src/lib/libcrypto/x509v3/v3_addr.c index ed9847b307..c6730ab3fd 100644 --- a/src/lib/libcrypto/x509v3/v3_addr.c +++ b/src/lib/libcrypto/x509v3/v3_addr.c | |||
| @@ -594,10 +594,10 @@ static IPAddressOrRanges *make_prefix_or_range(IPAddrBlocks *addr, | |||
| 594 | return NULL; | 594 | return NULL; |
| 595 | switch (afi) { | 595 | switch (afi) { |
| 596 | case IANA_AFI_IPV4: | 596 | case IANA_AFI_IPV4: |
| 597 | sk_IPAddressOrRange_set_cmp_func(aors, v4IPAddressOrRange_cmp); | 597 | (void)sk_IPAddressOrRange_set_cmp_func(aors, v4IPAddressOrRange_cmp); |
| 598 | break; | 598 | break; |
| 599 | case IANA_AFI_IPV6: | 599 | case IANA_AFI_IPV6: |
| 600 | sk_IPAddressOrRange_set_cmp_func(aors, v6IPAddressOrRange_cmp); | 600 | (void)sk_IPAddressOrRange_set_cmp_func(aors, v6IPAddressOrRange_cmp); |
| 601 | break; | 601 | break; |
| 602 | } | 602 | } |
| 603 | f->ipAddressChoice->type = IPAddressChoice_addressesOrRanges; | 603 | f->ipAddressChoice->type = IPAddressChoice_addressesOrRanges; |
| @@ -854,7 +854,7 @@ static int IPAddressOrRanges_canonize(IPAddressOrRanges *aors, | |||
| 854 | if (!make_addressRange(&merged, a_min, b_max, length)) | 854 | if (!make_addressRange(&merged, a_min, b_max, length)) |
| 855 | return 0; | 855 | return 0; |
| 856 | sk_IPAddressOrRange_set(aors, i, merged); | 856 | sk_IPAddressOrRange_set(aors, i, merged); |
| 857 | sk_IPAddressOrRange_delete(aors, i + 1); | 857 | (void)sk_IPAddressOrRange_delete(aors, i + 1); |
| 858 | IPAddressOrRange_free(a); | 858 | IPAddressOrRange_free(a); |
| 859 | IPAddressOrRange_free(b); | 859 | IPAddressOrRange_free(b); |
| 860 | --i; | 860 | --i; |
| @@ -1122,7 +1122,7 @@ int v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b) | |||
| 1122 | return 1; | 1122 | return 1; |
| 1123 | if (b == NULL || v3_addr_inherits(a) || v3_addr_inherits(b)) | 1123 | if (b == NULL || v3_addr_inherits(a) || v3_addr_inherits(b)) |
| 1124 | return 0; | 1124 | return 0; |
| 1125 | sk_IPAddressFamily_set_cmp_func(b, IPAddressFamily_cmp); | 1125 | (void)sk_IPAddressFamily_set_cmp_func(b, IPAddressFamily_cmp); |
| 1126 | for (i = 0; i < sk_IPAddressFamily_num(a); i++) { | 1126 | for (i = 0; i < sk_IPAddressFamily_num(a); i++) { |
| 1127 | IPAddressFamily *fa = sk_IPAddressFamily_value(a, i); | 1127 | IPAddressFamily *fa = sk_IPAddressFamily_value(a, i); |
| 1128 | int j = sk_IPAddressFamily_find(b, fa); | 1128 | int j = sk_IPAddressFamily_find(b, fa); |
| @@ -1183,7 +1183,7 @@ static int v3_addr_validate_path_internal(X509_STORE_CTX *ctx, | |||
| 1183 | } | 1183 | } |
| 1184 | if (!v3_addr_is_canonical(ext)) | 1184 | if (!v3_addr_is_canonical(ext)) |
| 1185 | validation_err(X509_V_ERR_INVALID_EXTENSION); | 1185 | validation_err(X509_V_ERR_INVALID_EXTENSION); |
| 1186 | sk_IPAddressFamily_set_cmp_func(ext, IPAddressFamily_cmp); | 1186 | (void)sk_IPAddressFamily_set_cmp_func(ext, IPAddressFamily_cmp); |
| 1187 | if ((child = sk_IPAddressFamily_dup(ext)) == NULL) { | 1187 | if ((child = sk_IPAddressFamily_dup(ext)) == NULL) { |
| 1188 | X509V3err(X509V3_F_V3_ADDR_VALIDATE_PATH_INTERNAL, ERR_R_MALLOC_FAILURE); | 1188 | X509V3err(X509V3_F_V3_ADDR_VALIDATE_PATH_INTERNAL, ERR_R_MALLOC_FAILURE); |
| 1189 | ret = 0; | 1189 | ret = 0; |
| @@ -1209,7 +1209,7 @@ static int v3_addr_validate_path_internal(X509_STORE_CTX *ctx, | |||
| 1209 | } | 1209 | } |
| 1210 | continue; | 1210 | continue; |
| 1211 | } | 1211 | } |
| 1212 | sk_IPAddressFamily_set_cmp_func(x->rfc3779_addr, IPAddressFamily_cmp); | 1212 | (void)sk_IPAddressFamily_set_cmp_func(x->rfc3779_addr, IPAddressFamily_cmp); |
| 1213 | for (j = 0; j < sk_IPAddressFamily_num(child); j++) { | 1213 | for (j = 0; j < sk_IPAddressFamily_num(child); j++) { |
| 1214 | IPAddressFamily *fc = sk_IPAddressFamily_value(child, j); | 1214 | IPAddressFamily *fc = sk_IPAddressFamily_value(child, j); |
| 1215 | int k = sk_IPAddressFamily_find(x->rfc3779_addr, fc); | 1215 | int k = sk_IPAddressFamily_find(x->rfc3779_addr, fc); |
diff --git a/src/lib/libcrypto/x509v3/v3_asid.c b/src/lib/libcrypto/x509v3/v3_asid.c index 271930f967..abd497ed1f 100644 --- a/src/lib/libcrypto/x509v3/v3_asid.c +++ b/src/lib/libcrypto/x509v3/v3_asid.c | |||
| @@ -466,7 +466,7 @@ static int ASIdentifierChoice_canonize(ASIdentifierChoice *choice) | |||
| 466 | break; | 466 | break; |
| 467 | } | 467 | } |
| 468 | ASIdOrRange_free(b); | 468 | ASIdOrRange_free(b); |
| 469 | sk_ASIdOrRange_delete(choice->u.asIdsOrRanges, i + 1); | 469 | (void)sk_ASIdOrRange_delete(choice->u.asIdsOrRanges, i + 1); |
| 470 | i--; | 470 | i--; |
| 471 | continue; | 471 | continue; |
| 472 | } | 472 | } |
diff --git a/src/lib/libcrypto/x509v3/v3_purp.c b/src/lib/libcrypto/x509v3/v3_purp.c index b2f5cdfa05..c54e7887c7 100644 --- a/src/lib/libcrypto/x509v3/v3_purp.c +++ b/src/lib/libcrypto/x509v3/v3_purp.c | |||
| @@ -291,7 +291,9 @@ int X509_supported_extension(X509_EXTENSION *ex) | |||
| 291 | NID_sbgp_ipAddrBlock, /* 290 */ | 291 | NID_sbgp_ipAddrBlock, /* 290 */ |
| 292 | NID_sbgp_autonomousSysNum, /* 291 */ | 292 | NID_sbgp_autonomousSysNum, /* 291 */ |
| 293 | #endif | 293 | #endif |
| 294 | NID_proxyCertInfo /* 661 */ | 294 | NID_policy_constraints, /* 401 */ |
| 295 | NID_proxyCertInfo, /* 661 */ | ||
| 296 | NID_inhibit_any_policy /* 748 */ | ||
| 295 | }; | 297 | }; |
| 296 | 298 | ||
| 297 | int ex_nid; | 299 | int ex_nid; |
| @@ -325,7 +327,7 @@ static void x509v3_cache_extensions(X509 *x) | |||
| 325 | #endif | 327 | #endif |
| 326 | /* Does subject name match issuer ? */ | 328 | /* Does subject name match issuer ? */ |
| 327 | if(!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x))) | 329 | if(!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x))) |
| 328 | x->ex_flags |= EXFLAG_SS; | 330 | x->ex_flags |= EXFLAG_SI; |
| 329 | /* V1 should mean no extensions ... */ | 331 | /* V1 should mean no extensions ... */ |
| 330 | if(!X509_get_version(x)) x->ex_flags |= EXFLAG_V1; | 332 | if(!X509_get_version(x)) x->ex_flags |= EXFLAG_V1; |
| 331 | /* Handle basic constraints */ | 333 | /* Handle basic constraints */ |
diff --git a/src/lib/libcrypto/x509v3/x509v3.h b/src/lib/libcrypto/x509v3/x509v3.h index db2b0482c1..5ba59f71c9 100644 --- a/src/lib/libcrypto/x509v3/x509v3.h +++ b/src/lib/libcrypto/x509v3/x509v3.h | |||
| @@ -363,6 +363,8 @@ DECLARE_ASN1_FUNCTIONS(PROXY_CERT_INFO_EXTENSION) | |||
| 363 | #define EXFLAG_NSCERT 0x8 | 363 | #define EXFLAG_NSCERT 0x8 |
| 364 | 364 | ||
| 365 | #define EXFLAG_CA 0x10 | 365 | #define EXFLAG_CA 0x10 |
| 366 | /* Really self issued not necessarily self signed */ | ||
| 367 | #define EXFLAG_SI 0x20 | ||
| 366 | #define EXFLAG_SS 0x20 | 368 | #define EXFLAG_SS 0x20 |
| 367 | #define EXFLAG_V1 0x40 | 369 | #define EXFLAG_V1 0x40 |
| 368 | #define EXFLAG_INVALID 0x80 | 370 | #define EXFLAG_INVALID 0x80 |
| @@ -370,7 +372,7 @@ DECLARE_ASN1_FUNCTIONS(PROXY_CERT_INFO_EXTENSION) | |||
| 370 | #define EXFLAG_CRITICAL 0x200 | 372 | #define EXFLAG_CRITICAL 0x200 |
| 371 | #define EXFLAG_PROXY 0x400 | 373 | #define EXFLAG_PROXY 0x400 |
| 372 | 374 | ||
| 373 | #define EXFLAG_INVALID_POLICY 0x400 | 375 | #define EXFLAG_INVALID_POLICY 0x800 |
| 374 | 376 | ||
| 375 | #define KU_DIGITAL_SIGNATURE 0x0080 | 377 | #define KU_DIGITAL_SIGNATURE 0x0080 |
| 376 | #define KU_NON_REPUDIATION 0x0040 | 378 | #define KU_NON_REPUDIATION 0x0040 |