summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/x509v3
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/libcrypto/x509v3')
-rw-r--r--src/lib/libcrypto/x509v3/ext_dat.h132
-rw-r--r--src/lib/libcrypto/x509v3/pcy_cache.c286
-rw-r--r--src/lib/libcrypto/x509v3/pcy_data.c135
-rw-r--r--src/lib/libcrypto/x509v3/pcy_int.h212
-rw-r--r--src/lib/libcrypto/x509v3/pcy_lib.c167
-rw-r--r--src/lib/libcrypto/x509v3/pcy_map.c132
-rw-r--r--src/lib/libcrypto/x509v3/pcy_node.c197
-rw-r--r--src/lib/libcrypto/x509v3/pcy_tree.c872
-rw-r--r--src/lib/libcrypto/x509v3/v3_addr.c1338
-rw-r--r--src/lib/libcrypto/x509v3/v3_akey.c208
-rw-r--r--src/lib/libcrypto/x509v3/v3_akeya.c72
-rw-r--r--src/lib/libcrypto/x509v3/v3_alt.c614
-rw-r--r--src/lib/libcrypto/x509v3/v3_asid.c843
-rw-r--r--src/lib/libcrypto/x509v3/v3_bcons.c124
-rw-r--r--src/lib/libcrypto/x509v3/v3_bitst.c141
-rw-r--r--src/lib/libcrypto/x509v3/v3_conf.c525
-rw-r--r--src/lib/libcrypto/x509v3/v3_cpols.c457
-rw-r--r--src/lib/libcrypto/x509v3/v3_crld.c616
-rw-r--r--src/lib/libcrypto/x509v3/v3_enum.c97
-rw-r--r--src/lib/libcrypto/x509v3/v3_extku.c144
-rw-r--r--src/lib/libcrypto/x509v3/v3_genn.c252
-rw-r--r--src/lib/libcrypto/x509v3/v3_ia5.c116
-rw-r--r--src/lib/libcrypto/x509v3/v3_info.c193
-rw-r--r--src/lib/libcrypto/x509v3/v3_int.c89
-rw-r--r--src/lib/libcrypto/x509v3/v3_lib.c309
-rw-r--r--src/lib/libcrypto/x509v3/v3_ncons.c505
-rw-r--r--src/lib/libcrypto/x509v3/v3_ocsp.c289
-rw-r--r--src/lib/libcrypto/x509v3/v3_pci.c328
-rw-r--r--src/lib/libcrypto/x509v3/v3_pcia.c55
-rw-r--r--src/lib/libcrypto/x509v3/v3_pcons.c140
-rw-r--r--src/lib/libcrypto/x509v3/v3_pku.c108
-rw-r--r--src/lib/libcrypto/x509v3/v3_pmaps.c155
-rw-r--r--src/lib/libcrypto/x509v3/v3_prn.c234
-rw-r--r--src/lib/libcrypto/x509v3/v3_purp.c767
-rw-r--r--src/lib/libcrypto/x509v3/v3_skey.c144
-rw-r--r--src/lib/libcrypto/x509v3/v3_sxnet.c262
-rw-r--r--src/lib/libcrypto/x509v3/v3_utl.c874
-rw-r--r--src/lib/libcrypto/x509v3/v3err.c226
-rw-r--r--src/lib/libcrypto/x509v3/x509v3.h1007
39 files changed, 13365 insertions, 0 deletions
diff --git a/src/lib/libcrypto/x509v3/ext_dat.h b/src/lib/libcrypto/x509v3/ext_dat.h
new file mode 100644
index 0000000000..76daee6fcd
--- /dev/null
+++ b/src/lib/libcrypto/x509v3/ext_dat.h
@@ -0,0 +1,132 @@
1/* ext_dat.h */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58/* This file contains a table of "standard" extensions */
59
60extern X509V3_EXT_METHOD v3_bcons, v3_nscert, v3_key_usage, v3_ext_ku;
61extern X509V3_EXT_METHOD v3_pkey_usage_period, v3_sxnet, v3_info, v3_sinfo;
62extern X509V3_EXT_METHOD v3_ns_ia5_list[], v3_alt[], v3_skey_id, v3_akey_id;
63extern X509V3_EXT_METHOD v3_crl_num, v3_crl_reason, v3_crl_invdate;
64extern X509V3_EXT_METHOD v3_delta_crl, v3_cpols, v3_crld, v3_freshest_crl;
65extern X509V3_EXT_METHOD v3_ocsp_nonce, v3_ocsp_accresp, v3_ocsp_acutoff;
66extern X509V3_EXT_METHOD v3_ocsp_crlid, v3_ocsp_nocheck, v3_ocsp_serviceloc;
67extern X509V3_EXT_METHOD v3_crl_hold, v3_pci;
68extern X509V3_EXT_METHOD v3_policy_mappings, v3_policy_constraints;
69extern X509V3_EXT_METHOD v3_name_constraints, v3_inhibit_anyp, v3_idp;
70extern X509V3_EXT_METHOD v3_addr, v3_asid;
71
72/* This table will be searched using OBJ_bsearch so it *must* kept in
73 * order of the ext_nid values.
74 */
75
76static const X509V3_EXT_METHOD *standard_exts[] = {
77&v3_nscert,
78&v3_ns_ia5_list[0],
79&v3_ns_ia5_list[1],
80&v3_ns_ia5_list[2],
81&v3_ns_ia5_list[3],
82&v3_ns_ia5_list[4],
83&v3_ns_ia5_list[5],
84&v3_ns_ia5_list[6],
85&v3_skey_id,
86&v3_key_usage,
87&v3_pkey_usage_period,
88&v3_alt[0],
89&v3_alt[1],
90&v3_bcons,
91&v3_crl_num,
92&v3_cpols,
93&v3_akey_id,
94&v3_crld,
95&v3_ext_ku,
96&v3_delta_crl,
97&v3_crl_reason,
98#ifndef OPENSSL_NO_OCSP
99&v3_crl_invdate,
100#endif
101&v3_sxnet,
102&v3_info,
103#ifndef OPENSSL_NO_RFC3779
104&v3_addr,
105&v3_asid,
106#endif
107#ifndef OPENSSL_NO_OCSP
108&v3_ocsp_nonce,
109&v3_ocsp_crlid,
110&v3_ocsp_accresp,
111&v3_ocsp_nocheck,
112&v3_ocsp_acutoff,
113&v3_ocsp_serviceloc,
114#endif
115&v3_sinfo,
116&v3_policy_constraints,
117#ifndef OPENSSL_NO_OCSP
118&v3_crl_hold,
119#endif
120&v3_pci,
121&v3_name_constraints,
122&v3_policy_mappings,
123&v3_inhibit_anyp,
124&v3_idp,
125&v3_alt[2],
126&v3_freshest_crl,
127};
128
129/* Number of standard extensions */
130
131#define STANDARD_EXTENSION_COUNT (sizeof(standard_exts)/sizeof(X509V3_EXT_METHOD *))
132
diff --git a/src/lib/libcrypto/x509v3/pcy_cache.c b/src/lib/libcrypto/x509v3/pcy_cache.c
new file mode 100644
index 0000000000..172b7e7ee4
--- /dev/null
+++ b/src/lib/libcrypto/x509v3/pcy_cache.c
@@ -0,0 +1,286 @@
1/* pcy_cache.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2004.
4 */
5/* ====================================================================
6 * Copyright (c) 2004 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include "cryptlib.h"
60#include <openssl/x509.h>
61#include <openssl/x509v3.h>
62
63#include "pcy_int.h"
64
65static int policy_data_cmp(const X509_POLICY_DATA * const *a,
66 const X509_POLICY_DATA * const *b);
67static int policy_cache_set_int(long *out, ASN1_INTEGER *value);
68
69/* Set cache entry according to CertificatePolicies extension.
70 * Note: this destroys the passed CERTIFICATEPOLICIES structure.
71 */
72
73static int policy_cache_create(X509 *x,
74 CERTIFICATEPOLICIES *policies, int crit)
75 {
76 int i;
77 int ret = 0;
78 X509_POLICY_CACHE *cache = x->policy_cache;
79 X509_POLICY_DATA *data = NULL;
80 POLICYINFO *policy;
81 if (sk_POLICYINFO_num(policies) == 0)
82 goto bad_policy;
83 cache->data = sk_X509_POLICY_DATA_new(policy_data_cmp);
84 if (!cache->data)
85 goto bad_policy;
86 for (i = 0; i < sk_POLICYINFO_num(policies); i++)
87 {
88 policy = sk_POLICYINFO_value(policies, i);
89 data = policy_data_new(policy, NULL, crit);
90 if (!data)
91 goto bad_policy;
92 /* Duplicate policy OIDs are illegal: reject if matches
93 * found.
94 */
95 if (OBJ_obj2nid(data->valid_policy) == NID_any_policy)
96 {
97 if (cache->anyPolicy)
98 {
99 ret = -1;
100 goto bad_policy;
101 }
102 cache->anyPolicy = data;
103 }
104 else if (sk_X509_POLICY_DATA_find(cache->data, data) != -1)
105 {
106 ret = -1;
107 goto bad_policy;
108 }
109 else if (!sk_X509_POLICY_DATA_push(cache->data, data))
110 goto bad_policy;
111 data = NULL;
112 }
113 ret = 1;
114 bad_policy:
115 if (ret == -1)
116 x->ex_flags |= EXFLAG_INVALID_POLICY;
117 if (data)
118 policy_data_free(data);
119 sk_POLICYINFO_pop_free(policies, POLICYINFO_free);
120 if (ret <= 0)
121 {
122 sk_X509_POLICY_DATA_pop_free(cache->data, policy_data_free);
123 cache->data = NULL;
124 }
125 return ret;
126 }
127
128
129static int policy_cache_new(X509 *x)
130 {
131 X509_POLICY_CACHE *cache;
132 ASN1_INTEGER *ext_any = NULL;
133 POLICY_CONSTRAINTS *ext_pcons = NULL;
134 CERTIFICATEPOLICIES *ext_cpols = NULL;
135 POLICY_MAPPINGS *ext_pmaps = NULL;
136 int i;
137 cache = OPENSSL_malloc(sizeof(X509_POLICY_CACHE));
138 if (!cache)
139 return 0;
140 cache->anyPolicy = NULL;
141 cache->data = NULL;
142 cache->any_skip = -1;
143 cache->explicit_skip = -1;
144 cache->map_skip = -1;
145
146 x->policy_cache = cache;
147
148 /* Handle requireExplicitPolicy *first*. Need to process this
149 * even if we don't have any policies.
150 */
151 ext_pcons = X509_get_ext_d2i(x, NID_policy_constraints, &i, NULL);
152
153 if (!ext_pcons)
154 {
155 if (i != -1)
156 goto bad_cache;
157 }
158 else
159 {
160 if (!ext_pcons->requireExplicitPolicy
161 && !ext_pcons->inhibitPolicyMapping)
162 goto bad_cache;
163 if (!policy_cache_set_int(&cache->explicit_skip,
164 ext_pcons->requireExplicitPolicy))
165 goto bad_cache;
166 if (!policy_cache_set_int(&cache->map_skip,
167 ext_pcons->inhibitPolicyMapping))
168 goto bad_cache;
169 }
170
171 /* Process CertificatePolicies */
172
173 ext_cpols = X509_get_ext_d2i(x, NID_certificate_policies, &i, NULL);
174 /* If no CertificatePolicies extension or problem decoding then
175 * there is no point continuing because the valid policies will be
176 * NULL.
177 */
178 if (!ext_cpols)
179 {
180 /* If not absent some problem with extension */
181 if (i != -1)
182 goto bad_cache;
183 return 1;
184 }
185
186 i = policy_cache_create(x, ext_cpols, i);
187
188 /* NB: ext_cpols freed by policy_cache_set_policies */
189
190 if (i <= 0)
191 return i;
192
193 ext_pmaps = X509_get_ext_d2i(x, NID_policy_mappings, &i, NULL);
194
195 if (!ext_pmaps)
196 {
197 /* If not absent some problem with extension */
198 if (i != -1)
199 goto bad_cache;
200 }
201 else
202 {
203 i = policy_cache_set_mapping(x, ext_pmaps);
204 if (i <= 0)
205 goto bad_cache;
206 }
207
208 ext_any = X509_get_ext_d2i(x, NID_inhibit_any_policy, &i, NULL);
209
210 if (!ext_any)
211 {
212 if (i != -1)
213 goto bad_cache;
214 }
215 else if (!policy_cache_set_int(&cache->any_skip, ext_any))
216 goto bad_cache;
217
218 if (0)
219 {
220 bad_cache:
221 x->ex_flags |= EXFLAG_INVALID_POLICY;
222 }
223
224 if(ext_pcons)
225 POLICY_CONSTRAINTS_free(ext_pcons);
226
227 if (ext_any)
228 ASN1_INTEGER_free(ext_any);
229
230 return 1;
231
232
233}
234
235void policy_cache_free(X509_POLICY_CACHE *cache)
236 {
237 if (!cache)
238 return;
239 if (cache->anyPolicy)
240 policy_data_free(cache->anyPolicy);
241 if (cache->data)
242 sk_X509_POLICY_DATA_pop_free(cache->data, policy_data_free);
243 OPENSSL_free(cache);
244 }
245
246const X509_POLICY_CACHE *policy_cache_set(X509 *x)
247 {
248
249 if (x->policy_cache == NULL)
250 {
251 CRYPTO_w_lock(CRYPTO_LOCK_X509);
252 policy_cache_new(x);
253 CRYPTO_w_unlock(CRYPTO_LOCK_X509);
254 }
255
256 return x->policy_cache;
257
258 }
259
260X509_POLICY_DATA *policy_cache_find_data(const X509_POLICY_CACHE *cache,
261 const ASN1_OBJECT *id)
262 {
263 int idx;
264 X509_POLICY_DATA tmp;
265 tmp.valid_policy = (ASN1_OBJECT *)id;
266 idx = sk_X509_POLICY_DATA_find(cache->data, &tmp);
267 if (idx == -1)
268 return NULL;
269 return sk_X509_POLICY_DATA_value(cache->data, idx);
270 }
271
272static int policy_data_cmp(const X509_POLICY_DATA * const *a,
273 const X509_POLICY_DATA * const *b)
274 {
275 return OBJ_cmp((*a)->valid_policy, (*b)->valid_policy);
276 }
277
278static int policy_cache_set_int(long *out, ASN1_INTEGER *value)
279 {
280 if (value == NULL)
281 return 1;
282 if (value->type == V_ASN1_NEG_INTEGER)
283 return 0;
284 *out = ASN1_INTEGER_get(value);
285 return 1;
286 }
diff --git a/src/lib/libcrypto/x509v3/pcy_data.c b/src/lib/libcrypto/x509v3/pcy_data.c
new file mode 100644
index 0000000000..3444b03195
--- /dev/null
+++ b/src/lib/libcrypto/x509v3/pcy_data.c
@@ -0,0 +1,135 @@
1/* pcy_data.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2004.
4 */
5/* ====================================================================
6 * Copyright (c) 2004 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include "cryptlib.h"
60#include <openssl/x509.h>
61#include <openssl/x509v3.h>
62
63#include "pcy_int.h"
64
65/* Policy Node routines */
66
67void policy_data_free(X509_POLICY_DATA *data)
68 {
69 ASN1_OBJECT_free(data->valid_policy);
70 /* Don't free qualifiers if shared */
71 if (!(data->flags & POLICY_DATA_FLAG_SHARED_QUALIFIERS))
72 sk_POLICYQUALINFO_pop_free(data->qualifier_set,
73 POLICYQUALINFO_free);
74 sk_ASN1_OBJECT_pop_free(data->expected_policy_set, ASN1_OBJECT_free);
75 OPENSSL_free(data);
76 }
77
78/* Create a data based on an existing policy. If 'id' is NULL use the
79 * oid in the policy, otherwise use 'id'. This behaviour covers the two
80 * types of data in RFC3280: data with from a CertificatePolcies extension
81 * and additional data with just the qualifiers of anyPolicy and ID from
82 * another source.
83 */
84
85X509_POLICY_DATA *policy_data_new(POLICYINFO *policy,
86 const ASN1_OBJECT *cid, int crit)
87 {
88 X509_POLICY_DATA *ret;
89 ASN1_OBJECT *id;
90 if (!policy && !cid)
91 return NULL;
92 if (cid)
93 {
94 id = OBJ_dup(cid);
95 if (!id)
96 return NULL;
97 }
98 else
99 id = NULL;
100 ret = OPENSSL_malloc(sizeof(X509_POLICY_DATA));
101 if (!ret)
102 return NULL;
103 ret->expected_policy_set = sk_ASN1_OBJECT_new_null();
104 if (!ret->expected_policy_set)
105 {
106 OPENSSL_free(ret);
107 if (id)
108 ASN1_OBJECT_free(id);
109 return NULL;
110 }
111
112 if (crit)
113 ret->flags = POLICY_DATA_FLAG_CRITICAL;
114 else
115 ret->flags = 0;
116
117 if (id)
118 ret->valid_policy = id;
119 else
120 {
121 ret->valid_policy = policy->policyid;
122 policy->policyid = NULL;
123 }
124
125 if (policy)
126 {
127 ret->qualifier_set = policy->qualifiers;
128 policy->qualifiers = NULL;
129 }
130 else
131 ret->qualifier_set = NULL;
132
133 return ret;
134 }
135
diff --git a/src/lib/libcrypto/x509v3/pcy_int.h b/src/lib/libcrypto/x509v3/pcy_int.h
new file mode 100644
index 0000000000..ccff92846e
--- /dev/null
+++ b/src/lib/libcrypto/x509v3/pcy_int.h
@@ -0,0 +1,212 @@
1/* pcy_int.h */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2004.
4 */
5/* ====================================================================
6 * Copyright (c) 2004 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59
60typedef struct X509_POLICY_DATA_st X509_POLICY_DATA;
61
62DECLARE_STACK_OF(X509_POLICY_DATA)
63
64/* Internal structures */
65
66/* This structure and the field names correspond to the Policy 'node' of
67 * RFC3280. NB this structure contains no pointers to parent or child
68 * data: X509_POLICY_NODE contains that. This means that the main policy data
69 * can be kept static and cached with the certificate.
70 */
71
72struct X509_POLICY_DATA_st
73 {
74 unsigned int flags;
75 /* Policy OID and qualifiers for this data */
76 ASN1_OBJECT *valid_policy;
77 STACK_OF(POLICYQUALINFO) *qualifier_set;
78 STACK_OF(ASN1_OBJECT) *expected_policy_set;
79 };
80
81/* X509_POLICY_DATA flags values */
82
83/* This flag indicates the structure has been mapped using a policy mapping
84 * extension. If policy mapping is not active its references get deleted.
85 */
86
87#define POLICY_DATA_FLAG_MAPPED 0x1
88
89/* This flag indicates the data doesn't correspond to a policy in Certificate
90 * Policies: it has been mapped to any policy.
91 */
92
93#define POLICY_DATA_FLAG_MAPPED_ANY 0x2
94
95/* AND with flags to see if any mapping has occurred */
96
97#define POLICY_DATA_FLAG_MAP_MASK 0x3
98
99/* qualifiers are shared and shouldn't be freed */
100
101#define POLICY_DATA_FLAG_SHARED_QUALIFIERS 0x4
102
103/* Parent node is an extra node and should be freed */
104
105#define POLICY_DATA_FLAG_EXTRA_NODE 0x8
106
107/* Corresponding CertificatePolicies is critical */
108
109#define POLICY_DATA_FLAG_CRITICAL 0x10
110
111/* This structure is cached with a certificate */
112
113struct X509_POLICY_CACHE_st {
114 /* anyPolicy data or NULL if no anyPolicy */
115 X509_POLICY_DATA *anyPolicy;
116 /* other policy data */
117 STACK_OF(X509_POLICY_DATA) *data;
118 /* If InhibitAnyPolicy present this is its value or -1 if absent. */
119 long any_skip;
120 /* If policyConstraints and requireExplicitPolicy present this is its
121 * value or -1 if absent.
122 */
123 long explicit_skip;
124 /* If policyConstraints and policyMapping present this is its
125 * value or -1 if absent.
126 */
127 long map_skip;
128 };
129
130/*#define POLICY_CACHE_FLAG_CRITICAL POLICY_DATA_FLAG_CRITICAL*/
131
132/* This structure represents the relationship between nodes */
133
134struct X509_POLICY_NODE_st
135 {
136 /* node data this refers to */
137 const X509_POLICY_DATA *data;
138 /* Parent node */
139 X509_POLICY_NODE *parent;
140 /* Number of child nodes */
141 int nchild;
142 };
143
144struct X509_POLICY_LEVEL_st
145 {
146 /* Cert for this level */
147 X509 *cert;
148 /* nodes at this level */
149 STACK_OF(X509_POLICY_NODE) *nodes;
150 /* anyPolicy node */
151 X509_POLICY_NODE *anyPolicy;
152 /* Extra data */
153 /*STACK_OF(X509_POLICY_DATA) *extra_data;*/
154 unsigned int flags;
155 };
156
157struct X509_POLICY_TREE_st
158 {
159 /* This is the tree 'level' data */
160 X509_POLICY_LEVEL *levels;
161 int nlevel;
162 /* Extra policy data when additional nodes (not from the certificate)
163 * are required.
164 */
165 STACK_OF(X509_POLICY_DATA) *extra_data;
166 /* This is the authority constained policy set */
167 STACK_OF(X509_POLICY_NODE) *auth_policies;
168 STACK_OF(X509_POLICY_NODE) *user_policies;
169 unsigned int flags;
170 };
171
172/* Set if anyPolicy present in user policies */
173#define POLICY_FLAG_ANY_POLICY 0x2
174
175/* Useful macros */
176
177#define node_data_critical(data) (data->flags & POLICY_DATA_FLAG_CRITICAL)
178#define node_critical(node) node_data_critical(node->data)
179
180/* Internal functions */
181
182X509_POLICY_DATA *policy_data_new(POLICYINFO *policy, const ASN1_OBJECT *id,
183 int crit);
184void policy_data_free(X509_POLICY_DATA *data);
185
186X509_POLICY_DATA *policy_cache_find_data(const X509_POLICY_CACHE *cache,
187 const ASN1_OBJECT *id);
188int policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps);
189
190
191STACK_OF(X509_POLICY_NODE) *policy_node_cmp_new(void);
192
193void policy_cache_init(void);
194
195void policy_cache_free(X509_POLICY_CACHE *cache);
196
197X509_POLICY_NODE *level_find_node(const X509_POLICY_LEVEL *level,
198 const X509_POLICY_NODE *parent,
199 const ASN1_OBJECT *id);
200
201X509_POLICY_NODE *tree_find_sk(STACK_OF(X509_POLICY_NODE) *sk,
202 const ASN1_OBJECT *id);
203
204X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
205 const X509_POLICY_DATA *data,
206 X509_POLICY_NODE *parent,
207 X509_POLICY_TREE *tree);
208void policy_node_free(X509_POLICY_NODE *node);
209int policy_node_match(const X509_POLICY_LEVEL *lvl,
210 const X509_POLICY_NODE *node, const ASN1_OBJECT *oid);
211
212const X509_POLICY_CACHE *policy_cache_set(X509 *x);
diff --git a/src/lib/libcrypto/x509v3/pcy_lib.c b/src/lib/libcrypto/x509v3/pcy_lib.c
new file mode 100644
index 0000000000..93bfd92703
--- /dev/null
+++ b/src/lib/libcrypto/x509v3/pcy_lib.c
@@ -0,0 +1,167 @@
1/* pcy_lib.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2004.
4 */
5/* ====================================================================
6 * Copyright (c) 2004 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59
60#include "cryptlib.h"
61#include <openssl/x509.h>
62#include <openssl/x509v3.h>
63
64#include "pcy_int.h"
65
66/* accessor functions */
67
68/* X509_POLICY_TREE stuff */
69
70int X509_policy_tree_level_count(const X509_POLICY_TREE *tree)
71 {
72 if (!tree)
73 return 0;
74 return tree->nlevel;
75 }
76
77X509_POLICY_LEVEL *
78 X509_policy_tree_get0_level(const X509_POLICY_TREE *tree, int i)
79 {
80 if (!tree || (i < 0) || (i >= tree->nlevel))
81 return NULL;
82 return tree->levels + i;
83 }
84
85STACK_OF(X509_POLICY_NODE) *
86 X509_policy_tree_get0_policies(const X509_POLICY_TREE *tree)
87 {
88 if (!tree)
89 return NULL;
90 return tree->auth_policies;
91 }
92
93STACK_OF(X509_POLICY_NODE) *
94 X509_policy_tree_get0_user_policies(const X509_POLICY_TREE *tree)
95 {
96 if (!tree)
97 return NULL;
98 if (tree->flags & POLICY_FLAG_ANY_POLICY)
99 return tree->auth_policies;
100 else
101 return tree->user_policies;
102 }
103
104/* X509_POLICY_LEVEL stuff */
105
106int X509_policy_level_node_count(X509_POLICY_LEVEL *level)
107 {
108 int n;
109 if (!level)
110 return 0;
111 if (level->anyPolicy)
112 n = 1;
113 else
114 n = 0;
115 if (level->nodes)
116 n += sk_X509_POLICY_NODE_num(level->nodes);
117 return n;
118 }
119
120X509_POLICY_NODE *X509_policy_level_get0_node(X509_POLICY_LEVEL *level, int i)
121 {
122 if (!level)
123 return NULL;
124 if (level->anyPolicy)
125 {
126 if (i == 0)
127 return level->anyPolicy;
128 i--;
129 }
130 return sk_X509_POLICY_NODE_value(level->nodes, i);
131 }
132
133/* X509_POLICY_NODE stuff */
134
135const ASN1_OBJECT *X509_policy_node_get0_policy(const X509_POLICY_NODE *node)
136 {
137 if (!node)
138 return NULL;
139 return node->data->valid_policy;
140 }
141
142#if 0
143int X509_policy_node_get_critical(const X509_POLICY_NODE *node)
144 {
145 if (node_critical(node))
146 return 1;
147 return 0;
148 }
149#endif
150
151STACK_OF(POLICYQUALINFO) *
152 X509_policy_node_get0_qualifiers(const X509_POLICY_NODE *node)
153 {
154 if (!node)
155 return NULL;
156 return node->data->qualifier_set;
157 }
158
159const X509_POLICY_NODE *
160 X509_policy_node_get0_parent(const X509_POLICY_NODE *node)
161 {
162 if (!node)
163 return NULL;
164 return node->parent;
165 }
166
167
diff --git a/src/lib/libcrypto/x509v3/pcy_map.c b/src/lib/libcrypto/x509v3/pcy_map.c
new file mode 100644
index 0000000000..21163b529d
--- /dev/null
+++ b/src/lib/libcrypto/x509v3/pcy_map.c
@@ -0,0 +1,132 @@
1/* pcy_map.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2004.
4 */
5/* ====================================================================
6 * Copyright (c) 2004 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include "cryptlib.h"
60#include <openssl/x509.h>
61#include <openssl/x509v3.h>
62
63#include "pcy_int.h"
64
65/* Set policy mapping entries in cache.
66 * Note: this modifies the passed POLICY_MAPPINGS structure
67 */
68
69int policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps)
70 {
71 POLICY_MAPPING *map;
72 X509_POLICY_DATA *data;
73 X509_POLICY_CACHE *cache = x->policy_cache;
74 int i;
75 int ret = 0;
76 if (sk_POLICY_MAPPING_num(maps) == 0)
77 {
78 ret = -1;
79 goto bad_mapping;
80 }
81 for (i = 0; i < sk_POLICY_MAPPING_num(maps); i++)
82 {
83 map = sk_POLICY_MAPPING_value(maps, i);
84 /* Reject if map to or from anyPolicy */
85 if ((OBJ_obj2nid(map->subjectDomainPolicy) == NID_any_policy)
86 || (OBJ_obj2nid(map->issuerDomainPolicy) == NID_any_policy))
87 {
88 ret = -1;
89 goto bad_mapping;
90 }
91
92 /* Attempt to find matching policy data */
93 data = policy_cache_find_data(cache, map->issuerDomainPolicy);
94 /* If we don't have anyPolicy can't map */
95 if (!data && !cache->anyPolicy)
96 continue;
97
98 /* Create a NODE from anyPolicy */
99 if (!data)
100 {
101 data = policy_data_new(NULL, map->issuerDomainPolicy,
102 cache->anyPolicy->flags
103 & POLICY_DATA_FLAG_CRITICAL);
104 if (!data)
105 goto bad_mapping;
106 data->qualifier_set = cache->anyPolicy->qualifier_set;
107 /*map->issuerDomainPolicy = NULL;*/
108 data->flags |= POLICY_DATA_FLAG_MAPPED_ANY;
109 data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
110 if (!sk_X509_POLICY_DATA_push(cache->data, data))
111 {
112 policy_data_free(data);
113 goto bad_mapping;
114 }
115 }
116 else
117 data->flags |= POLICY_DATA_FLAG_MAPPED;
118 if (!sk_ASN1_OBJECT_push(data->expected_policy_set,
119 map->subjectDomainPolicy))
120 goto bad_mapping;
121 map->subjectDomainPolicy = NULL;
122
123 }
124
125 ret = 1;
126 bad_mapping:
127 if (ret == -1)
128 x->ex_flags |= EXFLAG_INVALID_POLICY;
129 sk_POLICY_MAPPING_pop_free(maps, POLICY_MAPPING_free);
130 return ret;
131
132 }
diff --git a/src/lib/libcrypto/x509v3/pcy_node.c b/src/lib/libcrypto/x509v3/pcy_node.c
new file mode 100644
index 0000000000..bd1e7f1ae8
--- /dev/null
+++ b/src/lib/libcrypto/x509v3/pcy_node.c
@@ -0,0 +1,197 @@
1/* pcy_node.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2004.
4 */
5/* ====================================================================
6 * Copyright (c) 2004 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <openssl/asn1.h>
60#include <openssl/x509.h>
61#include <openssl/x509v3.h>
62
63#include "pcy_int.h"
64
65static int node_cmp(const X509_POLICY_NODE * const *a,
66 const X509_POLICY_NODE * const *b)
67 {
68 return OBJ_cmp((*a)->data->valid_policy, (*b)->data->valid_policy);
69 }
70
71STACK_OF(X509_POLICY_NODE) *policy_node_cmp_new(void)
72 {
73 return sk_X509_POLICY_NODE_new(node_cmp);
74 }
75
76X509_POLICY_NODE *tree_find_sk(STACK_OF(X509_POLICY_NODE) *nodes,
77 const ASN1_OBJECT *id)
78 {
79 X509_POLICY_DATA n;
80 X509_POLICY_NODE l;
81 int idx;
82
83 n.valid_policy = (ASN1_OBJECT *)id;
84 l.data = &n;
85
86 idx = sk_X509_POLICY_NODE_find(nodes, &l);
87 if (idx == -1)
88 return NULL;
89
90 return sk_X509_POLICY_NODE_value(nodes, idx);
91
92 }
93
94X509_POLICY_NODE *level_find_node(const X509_POLICY_LEVEL *level,
95 const X509_POLICY_NODE *parent,
96 const ASN1_OBJECT *id)
97 {
98 X509_POLICY_NODE *node;
99 int i;
100 for (i = 0; i < sk_X509_POLICY_NODE_num(level->nodes); i++)
101 {
102 node = sk_X509_POLICY_NODE_value(level->nodes, i);
103 if (node->parent == parent)
104 {
105 if (!OBJ_cmp(node->data->valid_policy, id))
106 return node;
107 }
108 }
109 return NULL;
110 }
111
112X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
113 const X509_POLICY_DATA *data,
114 X509_POLICY_NODE *parent,
115 X509_POLICY_TREE *tree)
116 {
117 X509_POLICY_NODE *node;
118 node = OPENSSL_malloc(sizeof(X509_POLICY_NODE));
119 if (!node)
120 return NULL;
121 node->data = data;
122 node->parent = parent;
123 node->nchild = 0;
124 if (level)
125 {
126 if (OBJ_obj2nid(data->valid_policy) == NID_any_policy)
127 {
128 if (level->anyPolicy)
129 goto node_error;
130 level->anyPolicy = node;
131 }
132 else
133 {
134
135 if (!level->nodes)
136 level->nodes = policy_node_cmp_new();
137 if (!level->nodes)
138 goto node_error;
139 if (!sk_X509_POLICY_NODE_push(level->nodes, node))
140 goto node_error;
141 }
142 }
143
144 if (tree)
145 {
146 if (!tree->extra_data)
147 tree->extra_data = sk_X509_POLICY_DATA_new_null();
148 if (!tree->extra_data)
149 goto node_error;
150 if (!sk_X509_POLICY_DATA_push(tree->extra_data, data))
151 goto node_error;
152 }
153
154 if (parent)
155 parent->nchild++;
156
157 return node;
158
159 node_error:
160 policy_node_free(node);
161 return 0;
162
163 }
164
165void policy_node_free(X509_POLICY_NODE *node)
166 {
167 OPENSSL_free(node);
168 }
169
170/* See if a policy node matches a policy OID. If mapping enabled look through
171 * expected policy set otherwise just valid policy.
172 */
173
174int policy_node_match(const X509_POLICY_LEVEL *lvl,
175 const X509_POLICY_NODE *node, const ASN1_OBJECT *oid)
176 {
177 int i;
178 ASN1_OBJECT *policy_oid;
179 const X509_POLICY_DATA *x = node->data;
180
181 if ( (lvl->flags & X509_V_FLAG_INHIBIT_MAP)
182 || !(x->flags & POLICY_DATA_FLAG_MAP_MASK))
183 {
184 if (!OBJ_cmp(x->valid_policy, oid))
185 return 1;
186 return 0;
187 }
188
189 for (i = 0; i < sk_ASN1_OBJECT_num(x->expected_policy_set); i++)
190 {
191 policy_oid = sk_ASN1_OBJECT_value(x->expected_policy_set, i);
192 if (!OBJ_cmp(policy_oid, oid))
193 return 1;
194 }
195 return 0;
196
197 }
diff --git a/src/lib/libcrypto/x509v3/pcy_tree.c b/src/lib/libcrypto/x509v3/pcy_tree.c
new file mode 100644
index 0000000000..bb9777348f
--- /dev/null
+++ b/src/lib/libcrypto/x509v3/pcy_tree.c
@@ -0,0 +1,872 @@
1/* pcy_tree.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2004.
4 */
5/* ====================================================================
6 * Copyright (c) 2004 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include "cryptlib.h"
60#include <openssl/x509.h>
61#include <openssl/x509v3.h>
62
63#include "pcy_int.h"
64
65/* Enable this to print out the complete policy tree at various point during
66 * evaluation.
67 */
68
69/*#define OPENSSL_POLICY_DEBUG*/
70
71#ifdef OPENSSL_POLICY_DEBUG
72
73static void expected_print(BIO *err, X509_POLICY_LEVEL *lev,
74 X509_POLICY_NODE *node, int indent)
75 {
76 if ( (lev->flags & X509_V_FLAG_INHIBIT_MAP)
77 || !(node->data->flags & POLICY_DATA_FLAG_MAP_MASK))
78 BIO_puts(err, " Not Mapped\n");
79 else
80 {
81 int i;
82 STACK_OF(ASN1_OBJECT) *pset = node->data->expected_policy_set;
83 ASN1_OBJECT *oid;
84 BIO_puts(err, " Expected: ");
85 for (i = 0; i < sk_ASN1_OBJECT_num(pset); i++)
86 {
87 oid = sk_ASN1_OBJECT_value(pset, i);
88 if (i)
89 BIO_puts(err, ", ");
90 i2a_ASN1_OBJECT(err, oid);
91 }
92 BIO_puts(err, "\n");
93 }
94 }
95
96static void tree_print(char *str, X509_POLICY_TREE *tree,
97 X509_POLICY_LEVEL *curr)
98 {
99 X509_POLICY_LEVEL *plev;
100 X509_POLICY_NODE *node;
101 int i;
102 BIO *err;
103 err = BIO_new_fp(stderr, BIO_NOCLOSE);
104 if (!curr)
105 curr = tree->levels + tree->nlevel;
106 else
107 curr++;
108 BIO_printf(err, "Level print after %s\n", str);
109 BIO_printf(err, "Printing Up to Level %ld\n", curr - tree->levels);
110 for (plev = tree->levels; plev != curr; plev++)
111 {
112 BIO_printf(err, "Level %ld, flags = %x\n",
113 plev - tree->levels, plev->flags);
114 for (i = 0; i < sk_X509_POLICY_NODE_num(plev->nodes); i++)
115 {
116 node = sk_X509_POLICY_NODE_value(plev->nodes, i);
117 X509_POLICY_NODE_print(err, node, 2);
118 expected_print(err, plev, node, 2);
119 BIO_printf(err, " Flags: %x\n", node->data->flags);
120 }
121 if (plev->anyPolicy)
122 X509_POLICY_NODE_print(err, plev->anyPolicy, 2);
123 }
124
125 BIO_free(err);
126
127 }
128#else
129
130#define tree_print(a,b,c) /* */
131
132#endif
133
134/* Initialize policy tree. Return values:
135 * 0 Some internal error occured.
136 * -1 Inconsistent or invalid extensions in certificates.
137 * 1 Tree initialized OK.
138 * 2 Policy tree is empty.
139 * 5 Tree OK and requireExplicitPolicy true.
140 * 6 Tree empty and requireExplicitPolicy true.
141 */
142
143static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
144 unsigned int flags)
145 {
146 X509_POLICY_TREE *tree;
147 X509_POLICY_LEVEL *level;
148 const X509_POLICY_CACHE *cache;
149 X509_POLICY_DATA *data = NULL;
150 X509 *x;
151 int ret = 1;
152 int i, n;
153 int explicit_policy;
154 int any_skip;
155 int map_skip;
156 *ptree = NULL;
157 n = sk_X509_num(certs);
158
159#if 0
160 /* Disable policy mapping for now... */
161 flags |= X509_V_FLAG_INHIBIT_MAP;
162#endif
163
164 if (flags & X509_V_FLAG_EXPLICIT_POLICY)
165 explicit_policy = 0;
166 else
167 explicit_policy = n + 1;
168
169 if (flags & X509_V_FLAG_INHIBIT_ANY)
170 any_skip = 0;
171 else
172 any_skip = n + 1;
173
174 if (flags & X509_V_FLAG_INHIBIT_MAP)
175 map_skip = 0;
176 else
177 map_skip = n + 1;
178
179 /* Can't do anything with just a trust anchor */
180 if (n == 1)
181 return 1;
182 /* First setup policy cache in all certificates apart from the
183 * trust anchor. Note any bad cache results on the way. Also can
184 * calculate explicit_policy value at this point.
185 */
186 for (i = n - 2; i >= 0; i--)
187 {
188 x = sk_X509_value(certs, i);
189 X509_check_purpose(x, -1, -1);
190 cache = policy_cache_set(x);
191 /* If cache NULL something bad happened: return immediately */
192 if (cache == NULL)
193 return 0;
194 /* If inconsistent extensions keep a note of it but continue */
195 if (x->ex_flags & EXFLAG_INVALID_POLICY)
196 ret = -1;
197 /* Otherwise if we have no data (hence no CertificatePolicies)
198 * and haven't already set an inconsistent code note it.
199 */
200 else if ((ret == 1) && !cache->data)
201 ret = 2;
202 if (explicit_policy > 0)
203 {
204 if (!(x->ex_flags & EXFLAG_SI))
205 explicit_policy--;
206 if ((cache->explicit_skip != -1)
207 && (cache->explicit_skip < explicit_policy))
208 explicit_policy = cache->explicit_skip;
209 }
210 }
211
212 if (ret != 1)
213 {
214 if (ret == 2 && !explicit_policy)
215 return 6;
216 return ret;
217 }
218
219
220 /* If we get this far initialize the tree */
221
222 tree = OPENSSL_malloc(sizeof(X509_POLICY_TREE));
223
224 if (!tree)
225 return 0;
226
227 tree->flags = 0;
228 tree->levels = OPENSSL_malloc(sizeof(X509_POLICY_LEVEL) * n);
229 tree->nlevel = 0;
230 tree->extra_data = NULL;
231 tree->auth_policies = NULL;
232 tree->user_policies = NULL;
233
234 if (!tree->levels)
235 {
236 OPENSSL_free(tree);
237 return 0;
238 }
239
240 memset(tree->levels, 0, n * sizeof(X509_POLICY_LEVEL));
241
242 tree->nlevel = n;
243
244 level = tree->levels;
245
246 /* Root data: initialize to anyPolicy */
247
248 data = policy_data_new(NULL, OBJ_nid2obj(NID_any_policy), 0);
249
250 if (!data || !level_add_node(level, data, NULL, tree))
251 goto bad_tree;
252
253 for (i = n - 2; i >= 0; i--)
254 {
255 level++;
256 x = sk_X509_value(certs, i);
257 cache = policy_cache_set(x);
258 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
259 level->cert = x;
260
261 if (!cache->anyPolicy)
262 level->flags |= X509_V_FLAG_INHIBIT_ANY;
263
264 /* Determine inhibit any and inhibit map flags */
265 if (any_skip == 0)
266 {
267 /* Any matching allowed if certificate is self
268 * issued and not the last in the chain.
269 */
270 if (!(x->ex_flags & EXFLAG_SI) || (i == 0))
271 level->flags |= X509_V_FLAG_INHIBIT_ANY;
272 }
273 else
274 {
275 if (!(x->ex_flags & EXFLAG_SI))
276 any_skip--;
277 if ((cache->any_skip >= 0)
278 && (cache->any_skip < any_skip))
279 any_skip = cache->any_skip;
280 }
281
282 if (map_skip == 0)
283 level->flags |= X509_V_FLAG_INHIBIT_MAP;
284 else
285 {
286 if (!(x->ex_flags & EXFLAG_SI))
287 map_skip--;
288 if ((cache->map_skip >= 0)
289 && (cache->map_skip < map_skip))
290 map_skip = cache->map_skip;
291 }
292
293 }
294
295 *ptree = tree;
296
297 if (explicit_policy)
298 return 1;
299 else
300 return 5;
301
302 bad_tree:
303
304 X509_policy_tree_free(tree);
305
306 return 0;
307
308 }
309
310static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
311 const X509_POLICY_DATA *data)
312 {
313 X509_POLICY_LEVEL *last = curr - 1;
314 X509_POLICY_NODE *node;
315 int i, matched = 0;
316 /* Iterate through all in nodes linking matches */
317 for (i = 0; i < sk_X509_POLICY_NODE_num(last->nodes); i++)
318 {
319 node = sk_X509_POLICY_NODE_value(last->nodes, i);
320 if (policy_node_match(last, node, data->valid_policy))
321 {
322 if (!level_add_node(curr, data, node, NULL))
323 return 0;
324 matched = 1;
325 }
326 }
327 if (!matched && last->anyPolicy)
328 {
329 if (!level_add_node(curr, data, last->anyPolicy, NULL))
330 return 0;
331 }
332 return 1;
333 }
334
335/* This corresponds to RFC3280 6.1.3(d)(1):
336 * link any data from CertificatePolicies onto matching parent
337 * or anyPolicy if no match.
338 */
339
340static int tree_link_nodes(X509_POLICY_LEVEL *curr,
341 const X509_POLICY_CACHE *cache)
342 {
343 int i;
344 X509_POLICY_DATA *data;
345
346 for (i = 0; i < sk_X509_POLICY_DATA_num(cache->data); i++)
347 {
348 data = sk_X509_POLICY_DATA_value(cache->data, i);
349 /* If a node is mapped any it doesn't have a corresponding
350 * CertificatePolicies entry.
351 * However such an identical node would be created
352 * if anyPolicy matching is enabled because there would be
353 * no match with the parent valid_policy_set. So we create
354 * link because then it will have the mapping flags
355 * right and we can prune it later.
356 */
357#if 0
358 if ((data->flags & POLICY_DATA_FLAG_MAPPED_ANY)
359 && !(curr->flags & X509_V_FLAG_INHIBIT_ANY))
360 continue;
361#endif
362 /* Look for matching nodes in previous level */
363 if (!tree_link_matching_nodes(curr, data))
364 return 0;
365 }
366 return 1;
367 }
368
369/* This corresponds to RFC3280 6.1.3(d)(2):
370 * Create new data for any unmatched policies in the parent and link
371 * to anyPolicy.
372 */
373
374static int tree_add_unmatched(X509_POLICY_LEVEL *curr,
375 const X509_POLICY_CACHE *cache,
376 const ASN1_OBJECT *id,
377 X509_POLICY_NODE *node,
378 X509_POLICY_TREE *tree)
379 {
380 X509_POLICY_DATA *data;
381 if (id == NULL)
382 id = node->data->valid_policy;
383 /* Create a new node with qualifiers from anyPolicy and
384 * id from unmatched node.
385 */
386 data = policy_data_new(NULL, id, node_critical(node));
387
388 if (data == NULL)
389 return 0;
390 /* Curr may not have anyPolicy */
391 data->qualifier_set = cache->anyPolicy->qualifier_set;
392 data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
393 if (!level_add_node(curr, data, node, tree))
394 {
395 policy_data_free(data);
396 return 0;
397 }
398
399 return 1;
400 }
401
402static int tree_link_unmatched(X509_POLICY_LEVEL *curr,
403 const X509_POLICY_CACHE *cache,
404 X509_POLICY_NODE *node,
405 X509_POLICY_TREE *tree)
406 {
407 const X509_POLICY_LEVEL *last = curr - 1;
408 int i;
409
410 if ( (last->flags & X509_V_FLAG_INHIBIT_MAP)
411 || !(node->data->flags & POLICY_DATA_FLAG_MAPPED))
412 {
413 /* If no policy mapping: matched if one child present */
414 if (node->nchild)
415 return 1;
416 if (!tree_add_unmatched(curr, cache, NULL, node, tree))
417 return 0;
418 /* Add it */
419 }
420 else
421 {
422 /* If mapping: matched if one child per expected policy set */
423 STACK_OF(ASN1_OBJECT) *expset = node->data->expected_policy_set;
424 if (node->nchild == sk_ASN1_OBJECT_num(expset))
425 return 1;
426 /* Locate unmatched nodes */
427 for (i = 0; i < sk_ASN1_OBJECT_num(expset); i++)
428 {
429 ASN1_OBJECT *oid = sk_ASN1_OBJECT_value(expset, i);
430 if (level_find_node(curr, node, oid))
431 continue;
432 if (!tree_add_unmatched(curr, cache, oid, node, tree))
433 return 0;
434 }
435
436 }
437
438 return 1;
439
440 }
441
442static int tree_link_any(X509_POLICY_LEVEL *curr,
443 const X509_POLICY_CACHE *cache,
444 X509_POLICY_TREE *tree)
445 {
446 int i;
447 /*X509_POLICY_DATA *data;*/
448 X509_POLICY_NODE *node;
449 X509_POLICY_LEVEL *last = curr - 1;
450
451 for (i = 0; i < sk_X509_POLICY_NODE_num(last->nodes); i++)
452 {
453 node = sk_X509_POLICY_NODE_value(last->nodes, i);
454
455 if (!tree_link_unmatched(curr, cache, node, tree))
456 return 0;
457
458#if 0
459
460 /* Skip any node with any children: we only want unmathced
461 * nodes.
462 *
463 * Note: need something better for policy mapping
464 * because each node may have multiple children
465 */
466 if (node->nchild)
467 continue;
468
469 /* Create a new node with qualifiers from anyPolicy and
470 * id from unmatched node.
471 */
472 data = policy_data_new(NULL, node->data->valid_policy,
473 node_critical(node));
474
475 if (data == NULL)
476 return 0;
477 /* Curr may not have anyPolicy */
478 data->qualifier_set = cache->anyPolicy->qualifier_set;
479 data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
480 if (!level_add_node(curr, data, node, tree))
481 {
482 policy_data_free(data);
483 return 0;
484 }
485
486#endif
487
488 }
489 /* Finally add link to anyPolicy */
490 if (last->anyPolicy)
491 {
492 if (!level_add_node(curr, cache->anyPolicy,
493 last->anyPolicy, NULL))
494 return 0;
495 }
496 return 1;
497 }
498
499/* Prune the tree: delete any child mapped child data on the current level
500 * then proceed up the tree deleting any data with no children. If we ever
501 * have no data on a level we can halt because the tree will be empty.
502 */
503
504static int tree_prune(X509_POLICY_TREE *tree, X509_POLICY_LEVEL *curr)
505 {
506 STACK_OF(X509_POLICY_NODE) *nodes;
507 X509_POLICY_NODE *node;
508 int i;
509 nodes = curr->nodes;
510 if (curr->flags & X509_V_FLAG_INHIBIT_MAP)
511 {
512 for (i = sk_X509_POLICY_NODE_num(nodes) - 1; i >= 0; i--)
513 {
514 node = sk_X509_POLICY_NODE_value(nodes, i);
515 /* Delete any mapped data: see RFC3280 XXXX */
516 if (node->data->flags & POLICY_DATA_FLAG_MAP_MASK)
517 {
518 node->parent->nchild--;
519 OPENSSL_free(node);
520 (void)sk_X509_POLICY_NODE_delete(nodes,i);
521 }
522 }
523 }
524
525 for(;;) {
526 --curr;
527 nodes = curr->nodes;
528 for (i = sk_X509_POLICY_NODE_num(nodes) - 1; i >= 0; i--)
529 {
530 node = sk_X509_POLICY_NODE_value(nodes, i);
531 if (node->nchild == 0)
532 {
533 node->parent->nchild--;
534 OPENSSL_free(node);
535 (void)sk_X509_POLICY_NODE_delete(nodes, i);
536 }
537 }
538 if (curr->anyPolicy && !curr->anyPolicy->nchild)
539 {
540 if (curr->anyPolicy->parent)
541 curr->anyPolicy->parent->nchild--;
542 OPENSSL_free(curr->anyPolicy);
543 curr->anyPolicy = NULL;
544 }
545 if (curr == tree->levels)
546 {
547 /* If we zapped anyPolicy at top then tree is empty */
548 if (!curr->anyPolicy)
549 return 2;
550 return 1;
551 }
552 }
553
554 return 1;
555
556 }
557
558static int tree_add_auth_node(STACK_OF(X509_POLICY_NODE) **pnodes,
559 X509_POLICY_NODE *pcy)
560 {
561 if (!*pnodes)
562 {
563 *pnodes = policy_node_cmp_new();
564 if (!*pnodes)
565 return 0;
566 }
567 else if (sk_X509_POLICY_NODE_find(*pnodes, pcy) != -1)
568 return 1;
569
570 if (!sk_X509_POLICY_NODE_push(*pnodes, pcy))
571 return 0;
572
573 return 1;
574
575 }
576
577/* Calculate the authority set based on policy tree.
578 * The 'pnodes' parameter is used as a store for the set of policy nodes
579 * used to calculate the user set. If the authority set is not anyPolicy
580 * then pnodes will just point to the authority set. If however the authority
581 * set is anyPolicy then the set of valid policies (other than anyPolicy)
582 * is store in pnodes. The return value of '2' is used in this case to indicate
583 * that pnodes should be freed.
584 */
585
586static int tree_calculate_authority_set(X509_POLICY_TREE *tree,
587 STACK_OF(X509_POLICY_NODE) **pnodes)
588 {
589 X509_POLICY_LEVEL *curr;
590 X509_POLICY_NODE *node, *anyptr;
591 STACK_OF(X509_POLICY_NODE) **addnodes;
592 int i, j;
593 curr = tree->levels + tree->nlevel - 1;
594
595 /* If last level contains anyPolicy set is anyPolicy */
596 if (curr->anyPolicy)
597 {
598 if (!tree_add_auth_node(&tree->auth_policies, curr->anyPolicy))
599 return 0;
600 addnodes = pnodes;
601 }
602 else
603 /* Add policies to authority set */
604 addnodes = &tree->auth_policies;
605
606 curr = tree->levels;
607 for (i = 1; i < tree->nlevel; i++)
608 {
609 /* If no anyPolicy node on this this level it can't
610 * appear on lower levels so end search.
611 */
612 if (!(anyptr = curr->anyPolicy))
613 break;
614 curr++;
615 for (j = 0; j < sk_X509_POLICY_NODE_num(curr->nodes); j++)
616 {
617 node = sk_X509_POLICY_NODE_value(curr->nodes, j);
618 if ((node->parent == anyptr)
619 && !tree_add_auth_node(addnodes, node))
620 return 0;
621 }
622 }
623
624 if (addnodes == pnodes)
625 return 2;
626
627 *pnodes = tree->auth_policies;
628
629 return 1;
630 }
631
632static int tree_calculate_user_set(X509_POLICY_TREE *tree,
633 STACK_OF(ASN1_OBJECT) *policy_oids,
634 STACK_OF(X509_POLICY_NODE) *auth_nodes)
635 {
636 int i;
637 X509_POLICY_NODE *node;
638 ASN1_OBJECT *oid;
639
640 X509_POLICY_NODE *anyPolicy;
641 X509_POLICY_DATA *extra;
642
643 /* Check if anyPolicy present in authority constrained policy set:
644 * this will happen if it is a leaf node.
645 */
646
647 if (sk_ASN1_OBJECT_num(policy_oids) <= 0)
648 return 1;
649
650 anyPolicy = tree->levels[tree->nlevel - 1].anyPolicy;
651
652 for (i = 0; i < sk_ASN1_OBJECT_num(policy_oids); i++)
653 {
654 oid = sk_ASN1_OBJECT_value(policy_oids, i);
655 if (OBJ_obj2nid(oid) == NID_any_policy)
656 {
657 tree->flags |= POLICY_FLAG_ANY_POLICY;
658 return 1;
659 }
660 }
661
662 for (i = 0; i < sk_ASN1_OBJECT_num(policy_oids); i++)
663 {
664 oid = sk_ASN1_OBJECT_value(policy_oids, i);
665 node = tree_find_sk(auth_nodes, oid);
666 if (!node)
667 {
668 if (!anyPolicy)
669 continue;
670 /* Create a new node with policy ID from user set
671 * and qualifiers from anyPolicy.
672 */
673 extra = policy_data_new(NULL, oid,
674 node_critical(anyPolicy));
675 if (!extra)
676 return 0;
677 extra->qualifier_set = anyPolicy->data->qualifier_set;
678 extra->flags = POLICY_DATA_FLAG_SHARED_QUALIFIERS
679 | POLICY_DATA_FLAG_EXTRA_NODE;
680 node = level_add_node(NULL, extra, anyPolicy->parent,
681 tree);
682 }
683 if (!tree->user_policies)
684 {
685 tree->user_policies = sk_X509_POLICY_NODE_new_null();
686 if (!tree->user_policies)
687 return 1;
688 }
689 if (!sk_X509_POLICY_NODE_push(tree->user_policies, node))
690 return 0;
691 }
692 return 1;
693
694 }
695
696static int tree_evaluate(X509_POLICY_TREE *tree)
697 {
698 int ret, i;
699 X509_POLICY_LEVEL *curr = tree->levels + 1;
700 const X509_POLICY_CACHE *cache;
701
702 for(i = 1; i < tree->nlevel; i++, curr++)
703 {
704 cache = policy_cache_set(curr->cert);
705 if (!tree_link_nodes(curr, cache))
706 return 0;
707
708 if (!(curr->flags & X509_V_FLAG_INHIBIT_ANY)
709 && !tree_link_any(curr, cache, tree))
710 return 0;
711 tree_print("before tree_prune()", tree, curr);
712 ret = tree_prune(tree, curr);
713 if (ret != 1)
714 return ret;
715 }
716
717 return 1;
718
719 }
720
721static void exnode_free(X509_POLICY_NODE *node)
722 {
723 if (node->data && (node->data->flags & POLICY_DATA_FLAG_EXTRA_NODE))
724 OPENSSL_free(node);
725 }
726
727
728void X509_policy_tree_free(X509_POLICY_TREE *tree)
729 {
730 X509_POLICY_LEVEL *curr;
731 int i;
732
733 if (!tree)
734 return;
735
736 sk_X509_POLICY_NODE_free(tree->auth_policies);
737 sk_X509_POLICY_NODE_pop_free(tree->user_policies, exnode_free);
738
739 for(i = 0, curr = tree->levels; i < tree->nlevel; i++, curr++)
740 {
741 if (curr->cert)
742 X509_free(curr->cert);
743 if (curr->nodes)
744 sk_X509_POLICY_NODE_pop_free(curr->nodes,
745 policy_node_free);
746 if (curr->anyPolicy)
747 policy_node_free(curr->anyPolicy);
748 }
749
750 if (tree->extra_data)
751 sk_X509_POLICY_DATA_pop_free(tree->extra_data,
752 policy_data_free);
753
754 OPENSSL_free(tree->levels);
755 OPENSSL_free(tree);
756
757 }
758
759/* Application policy checking function.
760 * Return codes:
761 * 0 Internal Error.
762 * 1 Successful.
763 * -1 One or more certificates contain invalid or inconsistent extensions
764 * -2 User constrained policy set empty and requireExplicit true.
765 */
766
767int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy,
768 STACK_OF(X509) *certs,
769 STACK_OF(ASN1_OBJECT) *policy_oids,
770 unsigned int flags)
771 {
772 int ret;
773 X509_POLICY_TREE *tree = NULL;
774 STACK_OF(X509_POLICY_NODE) *nodes, *auth_nodes = NULL;
775 *ptree = NULL;
776
777 *pexplicit_policy = 0;
778 ret = tree_init(&tree, certs, flags);
779
780 switch (ret)
781 {
782
783 /* Tree empty requireExplicit False: OK */
784 case 2:
785 return 1;
786
787 /* Some internal error */
788 case -1:
789 return -1;
790
791 /* Some internal error */
792 case 0:
793 return 0;
794
795 /* Tree empty requireExplicit True: Error */
796
797 case 6:
798 *pexplicit_policy = 1;
799 return -2;
800
801 /* Tree OK requireExplicit True: OK and continue */
802 case 5:
803 *pexplicit_policy = 1;
804 break;
805
806 /* Tree OK: continue */
807
808 case 1:
809 if (!tree)
810 /*
811 * tree_init() returns success and a null tree
812 * if it's just looking at a trust anchor.
813 * I'm not sure that returning success here is
814 * correct, but I'm sure that reporting this
815 * as an internal error which our caller
816 * interprets as a malloc failure is wrong.
817 */
818 return 1;
819 break;
820 }
821
822 if (!tree) goto error;
823 ret = tree_evaluate(tree);
824
825 tree_print("tree_evaluate()", tree, NULL);
826
827 if (ret <= 0)
828 goto error;
829
830 /* Return value 2 means tree empty */
831 if (ret == 2)
832 {
833 X509_policy_tree_free(tree);
834 if (*pexplicit_policy)
835 return -2;
836 else
837 return 1;
838 }
839
840 /* Tree is not empty: continue */
841
842 ret = tree_calculate_authority_set(tree, &auth_nodes);
843
844 if (!ret)
845 goto error;
846
847 if (!tree_calculate_user_set(tree, policy_oids, auth_nodes))
848 goto error;
849
850 if (ret == 2)
851 sk_X509_POLICY_NODE_free(auth_nodes);
852
853 if (tree)
854 *ptree = tree;
855
856 if (*pexplicit_policy)
857 {
858 nodes = X509_policy_tree_get0_user_policies(tree);
859 if (sk_X509_POLICY_NODE_num(nodes) <= 0)
860 return -2;
861 }
862
863 return 1;
864
865 error:
866
867 X509_policy_tree_free(tree);
868
869 return 0;
870
871 }
872
diff --git a/src/lib/libcrypto/x509v3/v3_addr.c b/src/lib/libcrypto/x509v3/v3_addr.c
new file mode 100644
index 0000000000..df46a4983b
--- /dev/null
+++ b/src/lib/libcrypto/x509v3/v3_addr.c
@@ -0,0 +1,1338 @@
1/*
2 * Contributed to the OpenSSL Project by the American Registry for
3 * Internet Numbers ("ARIN").
4 */
5/* ====================================================================
6 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 */
57
58/*
59 * Implementation of RFC 3779 section 2.2.
60 */
61
62#include <stdio.h>
63#include <stdlib.h>
64
65#include "cryptlib.h"
66#include <openssl/conf.h>
67#include <openssl/asn1.h>
68#include <openssl/asn1t.h>
69#include <openssl/buffer.h>
70#include <openssl/x509v3.h>
71
72#ifndef OPENSSL_NO_RFC3779
73
74/*
75 * OpenSSL ASN.1 template translation of RFC 3779 2.2.3.
76 */
77
78ASN1_SEQUENCE(IPAddressRange) = {
79 ASN1_SIMPLE(IPAddressRange, min, ASN1_BIT_STRING),
80 ASN1_SIMPLE(IPAddressRange, max, ASN1_BIT_STRING)
81} ASN1_SEQUENCE_END(IPAddressRange)
82
83ASN1_CHOICE(IPAddressOrRange) = {
84 ASN1_SIMPLE(IPAddressOrRange, u.addressPrefix, ASN1_BIT_STRING),
85 ASN1_SIMPLE(IPAddressOrRange, u.addressRange, IPAddressRange)
86} ASN1_CHOICE_END(IPAddressOrRange)
87
88ASN1_CHOICE(IPAddressChoice) = {
89 ASN1_SIMPLE(IPAddressChoice, u.inherit, ASN1_NULL),
90 ASN1_SEQUENCE_OF(IPAddressChoice, u.addressesOrRanges, IPAddressOrRange)
91} ASN1_CHOICE_END(IPAddressChoice)
92
93ASN1_SEQUENCE(IPAddressFamily) = {
94 ASN1_SIMPLE(IPAddressFamily, addressFamily, ASN1_OCTET_STRING),
95 ASN1_SIMPLE(IPAddressFamily, ipAddressChoice, IPAddressChoice)
96} ASN1_SEQUENCE_END(IPAddressFamily)
97
98ASN1_ITEM_TEMPLATE(IPAddrBlocks) =
99 ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0,
100 IPAddrBlocks, IPAddressFamily)
101ASN1_ITEM_TEMPLATE_END(IPAddrBlocks)
102
103IMPLEMENT_ASN1_FUNCTIONS(IPAddressRange)
104IMPLEMENT_ASN1_FUNCTIONS(IPAddressOrRange)
105IMPLEMENT_ASN1_FUNCTIONS(IPAddressChoice)
106IMPLEMENT_ASN1_FUNCTIONS(IPAddressFamily)
107
108/*
109 * How much buffer space do we need for a raw address?
110 */
111#define ADDR_RAW_BUF_LEN 16
112
113/*
114 * What's the address length associated with this AFI?
115 */
116static int length_from_afi(const unsigned afi)
117{
118 switch (afi) {
119 case IANA_AFI_IPV4:
120 return 4;
121 case IANA_AFI_IPV6:
122 return 16;
123 default:
124 return 0;
125 }
126}
127
128/*
129 * Extract the AFI from an IPAddressFamily.
130 */
131unsigned int v3_addr_get_afi(const IPAddressFamily *f)
132{
133 return ((f != NULL &&
134 f->addressFamily != NULL &&
135 f->addressFamily->data != NULL)
136 ? ((f->addressFamily->data[0] << 8) |
137 (f->addressFamily->data[1]))
138 : 0);
139}
140
141/*
142 * Expand the bitstring form of an address into a raw byte array.
143 * At the moment this is coded for simplicity, not speed.
144 */
145static int addr_expand(unsigned char *addr,
146 const ASN1_BIT_STRING *bs,
147 const int length,
148 const unsigned char fill)
149{
150 if (bs->length < 0 || bs->length > length)
151 return 0;
152 if (bs->length > 0) {
153 memcpy(addr, bs->data, bs->length);
154 if ((bs->flags & 7) != 0) {
155 unsigned char mask = 0xFF >> (8 - (bs->flags & 7));
156 if (fill == 0)
157 addr[bs->length - 1] &= ~mask;
158 else
159 addr[bs->length - 1] |= mask;
160 }
161 }
162 memset(addr + bs->length, fill, length - bs->length);
163 return 1;
164}
165
166/*
167 * Extract the prefix length from a bitstring.
168 */
169#define addr_prefixlen(bs) ((int) ((bs)->length * 8 - ((bs)->flags & 7)))
170
171/*
172 * i2r handler for one address bitstring.
173 */
174static int i2r_address(BIO *out,
175 const unsigned afi,
176 const unsigned char fill,
177 const ASN1_BIT_STRING *bs)
178{
179 unsigned char addr[ADDR_RAW_BUF_LEN];
180 int i, n;
181
182 if (bs->length < 0)
183 return 0;
184 switch (afi) {
185 case IANA_AFI_IPV4:
186 if (!addr_expand(addr, bs, 4, fill))
187 return 0;
188 BIO_printf(out, "%d.%d.%d.%d", addr[0], addr[1], addr[2], addr[3]);
189 break;
190 case IANA_AFI_IPV6:
191 if (!addr_expand(addr, bs, 16, fill))
192 return 0;
193 for (n = 16; n > 1 && addr[n-1] == 0x00 && addr[n-2] == 0x00; n -= 2)
194 ;
195 for (i = 0; i < n; i += 2)
196 BIO_printf(out, "%x%s", (addr[i] << 8) | addr[i+1], (i < 14 ? ":" : ""));
197 if (i < 16)
198 BIO_puts(out, ":");
199 if (i == 0)
200 BIO_puts(out, ":");
201 break;
202 default:
203 for (i = 0; i < bs->length; i++)
204 BIO_printf(out, "%s%02x", (i > 0 ? ":" : ""), bs->data[i]);
205 BIO_printf(out, "[%d]", (int) (bs->flags & 7));
206 break;
207 }
208 return 1;
209}
210
211/*
212 * i2r handler for a sequence of addresses and ranges.
213 */
214static int i2r_IPAddressOrRanges(BIO *out,
215 const int indent,
216 const IPAddressOrRanges *aors,
217 const unsigned afi)
218{
219 int i;
220 for (i = 0; i < sk_IPAddressOrRange_num(aors); i++) {
221 const IPAddressOrRange *aor = sk_IPAddressOrRange_value(aors, i);
222 BIO_printf(out, "%*s", indent, "");
223 switch (aor->type) {
224 case IPAddressOrRange_addressPrefix:
225 if (!i2r_address(out, afi, 0x00, aor->u.addressPrefix))
226 return 0;
227 BIO_printf(out, "/%d\n", addr_prefixlen(aor->u.addressPrefix));
228 continue;
229 case IPAddressOrRange_addressRange:
230 if (!i2r_address(out, afi, 0x00, aor->u.addressRange->min))
231 return 0;
232 BIO_puts(out, "-");
233 if (!i2r_address(out, afi, 0xFF, aor->u.addressRange->max))
234 return 0;
235 BIO_puts(out, "\n");
236 continue;
237 }
238 }
239 return 1;
240}
241
242/*
243 * i2r handler for an IPAddrBlocks extension.
244 */
245static int i2r_IPAddrBlocks(const X509V3_EXT_METHOD *method,
246 void *ext,
247 BIO *out,
248 int indent)
249{
250 const IPAddrBlocks *addr = ext;
251 int i;
252 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
253 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
254 const unsigned int afi = v3_addr_get_afi(f);
255 switch (afi) {
256 case IANA_AFI_IPV4:
257 BIO_printf(out, "%*sIPv4", indent, "");
258 break;
259 case IANA_AFI_IPV6:
260 BIO_printf(out, "%*sIPv6", indent, "");
261 break;
262 default:
263 BIO_printf(out, "%*sUnknown AFI %u", indent, "", afi);
264 break;
265 }
266 if (f->addressFamily->length > 2) {
267 switch (f->addressFamily->data[2]) {
268 case 1:
269 BIO_puts(out, " (Unicast)");
270 break;
271 case 2:
272 BIO_puts(out, " (Multicast)");
273 break;
274 case 3:
275 BIO_puts(out, " (Unicast/Multicast)");
276 break;
277 case 4:
278 BIO_puts(out, " (MPLS)");
279 break;
280 case 64:
281 BIO_puts(out, " (Tunnel)");
282 break;
283 case 65:
284 BIO_puts(out, " (VPLS)");
285 break;
286 case 66:
287 BIO_puts(out, " (BGP MDT)");
288 break;
289 case 128:
290 BIO_puts(out, " (MPLS-labeled VPN)");
291 break;
292 default:
293 BIO_printf(out, " (Unknown SAFI %u)",
294 (unsigned) f->addressFamily->data[2]);
295 break;
296 }
297 }
298 switch (f->ipAddressChoice->type) {
299 case IPAddressChoice_inherit:
300 BIO_puts(out, ": inherit\n");
301 break;
302 case IPAddressChoice_addressesOrRanges:
303 BIO_puts(out, ":\n");
304 if (!i2r_IPAddressOrRanges(out,
305 indent + 2,
306 f->ipAddressChoice->u.addressesOrRanges,
307 afi))
308 return 0;
309 break;
310 }
311 }
312 return 1;
313}
314
315/*
316 * Sort comparison function for a sequence of IPAddressOrRange
317 * elements.
318 *
319 * There's no sane answer we can give if addr_expand() fails, and an
320 * assertion failure on externally supplied data is seriously uncool,
321 * so we just arbitrarily declare that if given invalid inputs this
322 * function returns -1. If this messes up your preferred sort order
323 * for garbage input, tough noogies.
324 */
325static int IPAddressOrRange_cmp(const IPAddressOrRange *a,
326 const IPAddressOrRange *b,
327 const int length)
328{
329 unsigned char addr_a[ADDR_RAW_BUF_LEN], addr_b[ADDR_RAW_BUF_LEN];
330 int prefixlen_a = 0, prefixlen_b = 0;
331 int r;
332
333 switch (a->type) {
334 case IPAddressOrRange_addressPrefix:
335 if (!addr_expand(addr_a, a->u.addressPrefix, length, 0x00))
336 return -1;
337 prefixlen_a = addr_prefixlen(a->u.addressPrefix);
338 break;
339 case IPAddressOrRange_addressRange:
340 if (!addr_expand(addr_a, a->u.addressRange->min, length, 0x00))
341 return -1;
342 prefixlen_a = length * 8;
343 break;
344 }
345
346 switch (b->type) {
347 case IPAddressOrRange_addressPrefix:
348 if (!addr_expand(addr_b, b->u.addressPrefix, length, 0x00))
349 return -1;
350 prefixlen_b = addr_prefixlen(b->u.addressPrefix);
351 break;
352 case IPAddressOrRange_addressRange:
353 if (!addr_expand(addr_b, b->u.addressRange->min, length, 0x00))
354 return -1;
355 prefixlen_b = length * 8;
356 break;
357 }
358
359 if ((r = memcmp(addr_a, addr_b, length)) != 0)
360 return r;
361 else
362 return prefixlen_a - prefixlen_b;
363}
364
365/*
366 * IPv4-specific closure over IPAddressOrRange_cmp, since sk_sort()
367 * comparision routines are only allowed two arguments.
368 */
369static int v4IPAddressOrRange_cmp(const IPAddressOrRange * const *a,
370 const IPAddressOrRange * const *b)
371{
372 return IPAddressOrRange_cmp(*a, *b, 4);
373}
374
375/*
376 * IPv6-specific closure over IPAddressOrRange_cmp, since sk_sort()
377 * comparision routines are only allowed two arguments.
378 */
379static int v6IPAddressOrRange_cmp(const IPAddressOrRange * const *a,
380 const IPAddressOrRange * const *b)
381{
382 return IPAddressOrRange_cmp(*a, *b, 16);
383}
384
385/*
386 * Calculate whether a range collapses to a prefix.
387 * See last paragraph of RFC 3779 2.2.3.7.
388 */
389static int range_should_be_prefix(const unsigned char *min,
390 const unsigned char *max,
391 const int length)
392{
393 unsigned char mask;
394 int i, j;
395
396 OPENSSL_assert(memcmp(min, max, length) <= 0);
397 for (i = 0; i < length && min[i] == max[i]; i++)
398 ;
399 for (j = length - 1; j >= 0 && min[j] == 0x00 && max[j] == 0xFF; j--)
400 ;
401 if (i < j)
402 return -1;
403 if (i > j)
404 return i * 8;
405 mask = min[i] ^ max[i];
406 switch (mask) {
407 case 0x01: j = 7; break;
408 case 0x03: j = 6; break;
409 case 0x07: j = 5; break;
410 case 0x0F: j = 4; break;
411 case 0x1F: j = 3; break;
412 case 0x3F: j = 2; break;
413 case 0x7F: j = 1; break;
414 default: return -1;
415 }
416 if ((min[i] & mask) != 0 || (max[i] & mask) != mask)
417 return -1;
418 else
419 return i * 8 + j;
420}
421
422/*
423 * Construct a prefix.
424 */
425static int make_addressPrefix(IPAddressOrRange **result,
426 unsigned char *addr,
427 const int prefixlen)
428{
429 int bytelen = (prefixlen + 7) / 8, bitlen = prefixlen % 8;
430 IPAddressOrRange *aor = IPAddressOrRange_new();
431
432 if (aor == NULL)
433 return 0;
434 aor->type = IPAddressOrRange_addressPrefix;
435 if (aor->u.addressPrefix == NULL &&
436 (aor->u.addressPrefix = ASN1_BIT_STRING_new()) == NULL)
437 goto err;
438 if (!ASN1_BIT_STRING_set(aor->u.addressPrefix, addr, bytelen))
439 goto err;
440 aor->u.addressPrefix->flags &= ~7;
441 aor->u.addressPrefix->flags |= ASN1_STRING_FLAG_BITS_LEFT;
442 if (bitlen > 0) {
443 aor->u.addressPrefix->data[bytelen - 1] &= ~(0xFF >> bitlen);
444 aor->u.addressPrefix->flags |= 8 - bitlen;
445 }
446
447 *result = aor;
448 return 1;
449
450 err:
451 IPAddressOrRange_free(aor);
452 return 0;
453}
454
455/*
456 * Construct a range. If it can be expressed as a prefix,
457 * return a prefix instead. Doing this here simplifies
458 * the rest of the code considerably.
459 */
460static int make_addressRange(IPAddressOrRange **result,
461 unsigned char *min,
462 unsigned char *max,
463 const int length)
464{
465 IPAddressOrRange *aor;
466 int i, prefixlen;
467
468 if ((prefixlen = range_should_be_prefix(min, max, length)) >= 0)
469 return make_addressPrefix(result, min, prefixlen);
470
471 if ((aor = IPAddressOrRange_new()) == NULL)
472 return 0;
473 aor->type = IPAddressOrRange_addressRange;
474 OPENSSL_assert(aor->u.addressRange == NULL);
475 if ((aor->u.addressRange = IPAddressRange_new()) == NULL)
476 goto err;
477 if (aor->u.addressRange->min == NULL &&
478 (aor->u.addressRange->min = ASN1_BIT_STRING_new()) == NULL)
479 goto err;
480 if (aor->u.addressRange->max == NULL &&
481 (aor->u.addressRange->max = ASN1_BIT_STRING_new()) == NULL)
482 goto err;
483
484 for (i = length; i > 0 && min[i - 1] == 0x00; --i)
485 ;
486 if (!ASN1_BIT_STRING_set(aor->u.addressRange->min, min, i))
487 goto err;
488 aor->u.addressRange->min->flags &= ~7;
489 aor->u.addressRange->min->flags |= ASN1_STRING_FLAG_BITS_LEFT;
490 if (i > 0) {
491 unsigned char b = min[i - 1];
492 int j = 1;
493 while ((b & (0xFFU >> j)) != 0)
494 ++j;
495 aor->u.addressRange->min->flags |= 8 - j;
496 }
497
498 for (i = length; i > 0 && max[i - 1] == 0xFF; --i)
499 ;
500 if (!ASN1_BIT_STRING_set(aor->u.addressRange->max, max, i))
501 goto err;
502 aor->u.addressRange->max->flags &= ~7;
503 aor->u.addressRange->max->flags |= ASN1_STRING_FLAG_BITS_LEFT;
504 if (i > 0) {
505 unsigned char b = max[i - 1];
506 int j = 1;
507 while ((b & (0xFFU >> j)) != (0xFFU >> j))
508 ++j;
509 aor->u.addressRange->max->flags |= 8 - j;
510 }
511
512 *result = aor;
513 return 1;
514
515 err:
516 IPAddressOrRange_free(aor);
517 return 0;
518}
519
520/*
521 * Construct a new address family or find an existing one.
522 */
523static IPAddressFamily *make_IPAddressFamily(IPAddrBlocks *addr,
524 const unsigned afi,
525 const unsigned *safi)
526{
527 IPAddressFamily *f;
528 unsigned char key[3];
529 unsigned keylen;
530 int i;
531
532 key[0] = (afi >> 8) & 0xFF;
533 key[1] = afi & 0xFF;
534 if (safi != NULL) {
535 key[2] = *safi & 0xFF;
536 keylen = 3;
537 } else {
538 keylen = 2;
539 }
540
541 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
542 f = sk_IPAddressFamily_value(addr, i);
543 OPENSSL_assert(f->addressFamily->data != NULL);
544 if (f->addressFamily->length == keylen &&
545 !memcmp(f->addressFamily->data, key, keylen))
546 return f;
547 }
548
549 if ((f = IPAddressFamily_new()) == NULL)
550 goto err;
551 if (f->ipAddressChoice == NULL &&
552 (f->ipAddressChoice = IPAddressChoice_new()) == NULL)
553 goto err;
554 if (f->addressFamily == NULL &&
555 (f->addressFamily = ASN1_OCTET_STRING_new()) == NULL)
556 goto err;
557 if (!ASN1_OCTET_STRING_set(f->addressFamily, key, keylen))
558 goto err;
559 if (!sk_IPAddressFamily_push(addr, f))
560 goto err;
561
562 return f;
563
564 err:
565 IPAddressFamily_free(f);
566 return NULL;
567}
568
569/*
570 * Add an inheritance element.
571 */
572int v3_addr_add_inherit(IPAddrBlocks *addr,
573 const unsigned afi,
574 const unsigned *safi)
575{
576 IPAddressFamily *f = make_IPAddressFamily(addr, afi, safi);
577 if (f == NULL ||
578 f->ipAddressChoice == NULL ||
579 (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges &&
580 f->ipAddressChoice->u.addressesOrRanges != NULL))
581 return 0;
582 if (f->ipAddressChoice->type == IPAddressChoice_inherit &&
583 f->ipAddressChoice->u.inherit != NULL)
584 return 1;
585 if (f->ipAddressChoice->u.inherit == NULL &&
586 (f->ipAddressChoice->u.inherit = ASN1_NULL_new()) == NULL)
587 return 0;
588 f->ipAddressChoice->type = IPAddressChoice_inherit;
589 return 1;
590}
591
592/*
593 * Construct an IPAddressOrRange sequence, or return an existing one.
594 */
595static IPAddressOrRanges *make_prefix_or_range(IPAddrBlocks *addr,
596 const unsigned afi,
597 const unsigned *safi)
598{
599 IPAddressFamily *f = make_IPAddressFamily(addr, afi, safi);
600 IPAddressOrRanges *aors = NULL;
601
602 if (f == NULL ||
603 f->ipAddressChoice == NULL ||
604 (f->ipAddressChoice->type == IPAddressChoice_inherit &&
605 f->ipAddressChoice->u.inherit != NULL))
606 return NULL;
607 if (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges)
608 aors = f->ipAddressChoice->u.addressesOrRanges;
609 if (aors != NULL)
610 return aors;
611 if ((aors = sk_IPAddressOrRange_new_null()) == NULL)
612 return NULL;
613 switch (afi) {
614 case IANA_AFI_IPV4:
615 (void) sk_IPAddressOrRange_set_cmp_func(aors, v4IPAddressOrRange_cmp);
616 break;
617 case IANA_AFI_IPV6:
618 (void) sk_IPAddressOrRange_set_cmp_func(aors, v6IPAddressOrRange_cmp);
619 break;
620 }
621 f->ipAddressChoice->type = IPAddressChoice_addressesOrRanges;
622 f->ipAddressChoice->u.addressesOrRanges = aors;
623 return aors;
624}
625
626/*
627 * Add a prefix.
628 */
629int v3_addr_add_prefix(IPAddrBlocks *addr,
630 const unsigned afi,
631 const unsigned *safi,
632 unsigned char *a,
633 const int prefixlen)
634{
635 IPAddressOrRanges *aors = make_prefix_or_range(addr, afi, safi);
636 IPAddressOrRange *aor;
637 if (aors == NULL || !make_addressPrefix(&aor, a, prefixlen))
638 return 0;
639 if (sk_IPAddressOrRange_push(aors, aor))
640 return 1;
641 IPAddressOrRange_free(aor);
642 return 0;
643}
644
645/*
646 * Add a range.
647 */
648int v3_addr_add_range(IPAddrBlocks *addr,
649 const unsigned afi,
650 const unsigned *safi,
651 unsigned char *min,
652 unsigned char *max)
653{
654 IPAddressOrRanges *aors = make_prefix_or_range(addr, afi, safi);
655 IPAddressOrRange *aor;
656 int length = length_from_afi(afi);
657 if (aors == NULL)
658 return 0;
659 if (!make_addressRange(&aor, min, max, length))
660 return 0;
661 if (sk_IPAddressOrRange_push(aors, aor))
662 return 1;
663 IPAddressOrRange_free(aor);
664 return 0;
665}
666
667/*
668 * Extract min and max values from an IPAddressOrRange.
669 */
670static int extract_min_max(IPAddressOrRange *aor,
671 unsigned char *min,
672 unsigned char *max,
673 int length)
674{
675 if (aor == NULL || min == NULL || max == NULL)
676 return 0;
677 switch (aor->type) {
678 case IPAddressOrRange_addressPrefix:
679 return (addr_expand(min, aor->u.addressPrefix, length, 0x00) &&
680 addr_expand(max, aor->u.addressPrefix, length, 0xFF));
681 case IPAddressOrRange_addressRange:
682 return (addr_expand(min, aor->u.addressRange->min, length, 0x00) &&
683 addr_expand(max, aor->u.addressRange->max, length, 0xFF));
684 }
685 return 0;
686}
687
688/*
689 * Public wrapper for extract_min_max().
690 */
691int v3_addr_get_range(IPAddressOrRange *aor,
692 const unsigned afi,
693 unsigned char *min,
694 unsigned char *max,
695 const int length)
696{
697 int afi_length = length_from_afi(afi);
698 if (aor == NULL || min == NULL || max == NULL ||
699 afi_length == 0 || length < afi_length ||
700 (aor->type != IPAddressOrRange_addressPrefix &&
701 aor->type != IPAddressOrRange_addressRange) ||
702 !extract_min_max(aor, min, max, afi_length))
703 return 0;
704
705 return afi_length;
706}
707
708/*
709 * Sort comparision function for a sequence of IPAddressFamily.
710 *
711 * The last paragraph of RFC 3779 2.2.3.3 is slightly ambiguous about
712 * the ordering: I can read it as meaning that IPv6 without a SAFI
713 * comes before IPv4 with a SAFI, which seems pretty weird. The
714 * examples in appendix B suggest that the author intended the
715 * null-SAFI rule to apply only within a single AFI, which is what I
716 * would have expected and is what the following code implements.
717 */
718static int IPAddressFamily_cmp(const IPAddressFamily * const *a_,
719 const IPAddressFamily * const *b_)
720{
721 const ASN1_OCTET_STRING *a = (*a_)->addressFamily;
722 const ASN1_OCTET_STRING *b = (*b_)->addressFamily;
723 int len = ((a->length <= b->length) ? a->length : b->length);
724 int cmp = memcmp(a->data, b->data, len);
725 return cmp ? cmp : a->length - b->length;
726}
727
728/*
729 * Check whether an IPAddrBLocks is in canonical form.
730 */
731int v3_addr_is_canonical(IPAddrBlocks *addr)
732{
733 unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN];
734 unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN];
735 IPAddressOrRanges *aors;
736 int i, j, k;
737
738 /*
739 * Empty extension is cannonical.
740 */
741 if (addr == NULL)
742 return 1;
743
744 /*
745 * Check whether the top-level list is in order.
746 */
747 for (i = 0; i < sk_IPAddressFamily_num(addr) - 1; i++) {
748 const IPAddressFamily *a = sk_IPAddressFamily_value(addr, i);
749 const IPAddressFamily *b = sk_IPAddressFamily_value(addr, i + 1);
750 if (IPAddressFamily_cmp(&a, &b) >= 0)
751 return 0;
752 }
753
754 /*
755 * Top level's ok, now check each address family.
756 */
757 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
758 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
759 int length = length_from_afi(v3_addr_get_afi(f));
760
761 /*
762 * Inheritance is canonical. Anything other than inheritance or
763 * a SEQUENCE OF IPAddressOrRange is an ASN.1 error or something.
764 */
765 if (f == NULL || f->ipAddressChoice == NULL)
766 return 0;
767 switch (f->ipAddressChoice->type) {
768 case IPAddressChoice_inherit:
769 continue;
770 case IPAddressChoice_addressesOrRanges:
771 break;
772 default:
773 return 0;
774 }
775
776 /*
777 * It's an IPAddressOrRanges sequence, check it.
778 */
779 aors = f->ipAddressChoice->u.addressesOrRanges;
780 if (sk_IPAddressOrRange_num(aors) == 0)
781 return 0;
782 for (j = 0; j < sk_IPAddressOrRange_num(aors) - 1; j++) {
783 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);
784 IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, j + 1);
785
786 if (!extract_min_max(a, a_min, a_max, length) ||
787 !extract_min_max(b, b_min, b_max, length))
788 return 0;
789
790 /*
791 * Punt misordered list, overlapping start, or inverted range.
792 */
793 if (memcmp(a_min, b_min, length) >= 0 ||
794 memcmp(a_min, a_max, length) > 0 ||
795 memcmp(b_min, b_max, length) > 0)
796 return 0;
797
798 /*
799 * Punt if adjacent or overlapping. Check for adjacency by
800 * subtracting one from b_min first.
801 */
802 for (k = length - 1; k >= 0 && b_min[k]-- == 0x00; k--)
803 ;
804 if (memcmp(a_max, b_min, length) >= 0)
805 return 0;
806
807 /*
808 * Check for range that should be expressed as a prefix.
809 */
810 if (a->type == IPAddressOrRange_addressRange &&
811 range_should_be_prefix(a_min, a_max, length) >= 0)
812 return 0;
813 }
814
815 /*
816 * Check range to see if it's inverted or should be a
817 * prefix.
818 */
819 j = sk_IPAddressOrRange_num(aors) - 1;
820 {
821 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);
822 if (a != NULL && a->type == IPAddressOrRange_addressRange) {
823 if (!extract_min_max(a, a_min, a_max, length))
824 return 0;
825 if (memcmp(a_min, a_max, length) > 0 ||
826 range_should_be_prefix(a_min, a_max, length) >= 0)
827 return 0;
828 }
829 }
830 }
831
832 /*
833 * If we made it through all that, we're happy.
834 */
835 return 1;
836}
837
838/*
839 * Whack an IPAddressOrRanges into canonical form.
840 */
841static int IPAddressOrRanges_canonize(IPAddressOrRanges *aors,
842 const unsigned afi)
843{
844 int i, j, length = length_from_afi(afi);
845
846 /*
847 * Sort the IPAddressOrRanges sequence.
848 */
849 sk_IPAddressOrRange_sort(aors);
850
851 /*
852 * Clean up representation issues, punt on duplicates or overlaps.
853 */
854 for (i = 0; i < sk_IPAddressOrRange_num(aors) - 1; i++) {
855 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, i);
856 IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, i + 1);
857 unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN];
858 unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN];
859
860 if (!extract_min_max(a, a_min, a_max, length) ||
861 !extract_min_max(b, b_min, b_max, length))
862 return 0;
863
864 /*
865 * Punt inverted ranges.
866 */
867 if (memcmp(a_min, a_max, length) > 0 ||
868 memcmp(b_min, b_max, length) > 0)
869 return 0;
870
871 /*
872 * Punt overlaps.
873 */
874 if (memcmp(a_max, b_min, length) >= 0)
875 return 0;
876
877 /*
878 * Merge if a and b are adjacent. We check for
879 * adjacency by subtracting one from b_min first.
880 */
881 for (j = length - 1; j >= 0 && b_min[j]-- == 0x00; j--)
882 ;
883 if (memcmp(a_max, b_min, length) == 0) {
884 IPAddressOrRange *merged;
885 if (!make_addressRange(&merged, a_min, b_max, length))
886 return 0;
887 (void) sk_IPAddressOrRange_set(aors, i, merged);
888 (void) sk_IPAddressOrRange_delete(aors, i + 1);
889 IPAddressOrRange_free(a);
890 IPAddressOrRange_free(b);
891 --i;
892 continue;
893 }
894 }
895
896 /*
897 * Check for inverted final range.
898 */
899 j = sk_IPAddressOrRange_num(aors) - 1;
900 {
901 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);
902 if (a != NULL && a->type == IPAddressOrRange_addressRange) {
903 unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN];
904 extract_min_max(a, a_min, a_max, length);
905 if (memcmp(a_min, a_max, length) > 0)
906 return 0;
907 }
908 }
909
910 return 1;
911}
912
913/*
914 * Whack an IPAddrBlocks extension into canonical form.
915 */
916int v3_addr_canonize(IPAddrBlocks *addr)
917{
918 int i;
919 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
920 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
921 if (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges &&
922 !IPAddressOrRanges_canonize(f->ipAddressChoice->u.addressesOrRanges,
923 v3_addr_get_afi(f)))
924 return 0;
925 }
926 (void) sk_IPAddressFamily_set_cmp_func(addr, IPAddressFamily_cmp);
927 sk_IPAddressFamily_sort(addr);
928 OPENSSL_assert(v3_addr_is_canonical(addr));
929 return 1;
930}
931
932/*
933 * v2i handler for the IPAddrBlocks extension.
934 */
935static void *v2i_IPAddrBlocks(const struct v3_ext_method *method,
936 struct v3_ext_ctx *ctx,
937 STACK_OF(CONF_VALUE) *values)
938{
939 static const char v4addr_chars[] = "0123456789.";
940 static const char v6addr_chars[] = "0123456789.:abcdefABCDEF";
941 IPAddrBlocks *addr = NULL;
942 char *s = NULL, *t;
943 int i;
944
945 if ((addr = sk_IPAddressFamily_new(IPAddressFamily_cmp)) == NULL) {
946 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE);
947 return NULL;
948 }
949
950 for (i = 0; i < sk_CONF_VALUE_num(values); i++) {
951 CONF_VALUE *val = sk_CONF_VALUE_value(values, i);
952 unsigned char min[ADDR_RAW_BUF_LEN], max[ADDR_RAW_BUF_LEN];
953 unsigned afi, *safi = NULL, safi_;
954 const char *addr_chars;
955 int prefixlen, i1, i2, delim, length;
956
957 if ( !name_cmp(val->name, "IPv4")) {
958 afi = IANA_AFI_IPV4;
959 } else if (!name_cmp(val->name, "IPv6")) {
960 afi = IANA_AFI_IPV6;
961 } else if (!name_cmp(val->name, "IPv4-SAFI")) {
962 afi = IANA_AFI_IPV4;
963 safi = &safi_;
964 } else if (!name_cmp(val->name, "IPv6-SAFI")) {
965 afi = IANA_AFI_IPV6;
966 safi = &safi_;
967 } else {
968 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_EXTENSION_NAME_ERROR);
969 X509V3_conf_err(val);
970 goto err;
971 }
972
973 switch (afi) {
974 case IANA_AFI_IPV4:
975 addr_chars = v4addr_chars;
976 break;
977 case IANA_AFI_IPV6:
978 addr_chars = v6addr_chars;
979 break;
980 }
981
982 length = length_from_afi(afi);
983
984 /*
985 * Handle SAFI, if any, and BUF_strdup() so we can null-terminate
986 * the other input values.
987 */
988 if (safi != NULL) {
989 *safi = strtoul(val->value, &t, 0);
990 t += strspn(t, " \t");
991 if (*safi > 0xFF || *t++ != ':') {
992 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_INVALID_SAFI);
993 X509V3_conf_err(val);
994 goto err;
995 }
996 t += strspn(t, " \t");
997 s = BUF_strdup(t);
998 } else {
999 s = BUF_strdup(val->value);
1000 }
1001 if (s == NULL) {
1002 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE);
1003 goto err;
1004 }
1005
1006 /*
1007 * Check for inheritance. Not worth additional complexity to
1008 * optimize this (seldom-used) case.
1009 */
1010 if (!strcmp(s, "inherit")) {
1011 if (!v3_addr_add_inherit(addr, afi, safi)) {
1012 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_INVALID_INHERITANCE);
1013 X509V3_conf_err(val);
1014 goto err;
1015 }
1016 OPENSSL_free(s);
1017 s = NULL;
1018 continue;
1019 }
1020
1021 i1 = strspn(s, addr_chars);
1022 i2 = i1 + strspn(s + i1, " \t");
1023 delim = s[i2++];
1024 s[i1] = '\0';
1025
1026 if (a2i_ipadd(min, s) != length) {
1027 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_INVALID_IPADDRESS);
1028 X509V3_conf_err(val);
1029 goto err;
1030 }
1031
1032 switch (delim) {
1033 case '/':
1034 prefixlen = (int) strtoul(s + i2, &t, 10);
1035 if (t == s + i2 || *t != '\0') {
1036 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_EXTENSION_VALUE_ERROR);
1037 X509V3_conf_err(val);
1038 goto err;
1039 }
1040 if (!v3_addr_add_prefix(addr, afi, safi, min, prefixlen)) {
1041 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE);
1042 goto err;
1043 }
1044 break;
1045 case '-':
1046 i1 = i2 + strspn(s + i2, " \t");
1047 i2 = i1 + strspn(s + i1, addr_chars);
1048 if (i1 == i2 || s[i2] != '\0') {
1049 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_EXTENSION_VALUE_ERROR);
1050 X509V3_conf_err(val);
1051 goto err;
1052 }
1053 if (a2i_ipadd(max, s + i1) != length) {
1054 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_INVALID_IPADDRESS);
1055 X509V3_conf_err(val);
1056 goto err;
1057 }
1058 if (memcmp(min, max, length_from_afi(afi)) > 0) {
1059 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_EXTENSION_VALUE_ERROR);
1060 X509V3_conf_err(val);
1061 goto err;
1062 }
1063 if (!v3_addr_add_range(addr, afi, safi, min, max)) {
1064 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE);
1065 goto err;
1066 }
1067 break;
1068 case '\0':
1069 if (!v3_addr_add_prefix(addr, afi, safi, min, length * 8)) {
1070 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE);
1071 goto err;
1072 }
1073 break;
1074 default:
1075 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_EXTENSION_VALUE_ERROR);
1076 X509V3_conf_err(val);
1077 goto err;
1078 }
1079
1080 OPENSSL_free(s);
1081 s = NULL;
1082 }
1083
1084 /*
1085 * Canonize the result, then we're done.
1086 */
1087 if (!v3_addr_canonize(addr))
1088 goto err;
1089 return addr;
1090
1091 err:
1092 OPENSSL_free(s);
1093 sk_IPAddressFamily_pop_free(addr, IPAddressFamily_free);
1094 return NULL;
1095}
1096
1097/*
1098 * OpenSSL dispatch
1099 */
1100const X509V3_EXT_METHOD v3_addr = {
1101 NID_sbgp_ipAddrBlock, /* nid */
1102 0, /* flags */
1103 ASN1_ITEM_ref(IPAddrBlocks), /* template */
1104 0, 0, 0, 0, /* old functions, ignored */
1105 0, /* i2s */
1106 0, /* s2i */
1107 0, /* i2v */
1108 v2i_IPAddrBlocks, /* v2i */
1109 i2r_IPAddrBlocks, /* i2r */
1110 0, /* r2i */
1111 NULL /* extension-specific data */
1112};
1113
1114/*
1115 * Figure out whether extension sues inheritance.
1116 */
1117int v3_addr_inherits(IPAddrBlocks *addr)
1118{
1119 int i;
1120 if (addr == NULL)
1121 return 0;
1122 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
1123 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
1124 if (f->ipAddressChoice->type == IPAddressChoice_inherit)
1125 return 1;
1126 }
1127 return 0;
1128}
1129
1130/*
1131 * Figure out whether parent contains child.
1132 */
1133static int addr_contains(IPAddressOrRanges *parent,
1134 IPAddressOrRanges *child,
1135 int length)
1136{
1137 unsigned char p_min[ADDR_RAW_BUF_LEN], p_max[ADDR_RAW_BUF_LEN];
1138 unsigned char c_min[ADDR_RAW_BUF_LEN], c_max[ADDR_RAW_BUF_LEN];
1139 int p, c;
1140
1141 if (child == NULL || parent == child)
1142 return 1;
1143 if (parent == NULL)
1144 return 0;
1145
1146 p = 0;
1147 for (c = 0; c < sk_IPAddressOrRange_num(child); c++) {
1148 if (!extract_min_max(sk_IPAddressOrRange_value(child, c),
1149 c_min, c_max, length))
1150 return -1;
1151 for (;; p++) {
1152 if (p >= sk_IPAddressOrRange_num(parent))
1153 return 0;
1154 if (!extract_min_max(sk_IPAddressOrRange_value(parent, p),
1155 p_min, p_max, length))
1156 return 0;
1157 if (memcmp(p_max, c_max, length) < 0)
1158 continue;
1159 if (memcmp(p_min, c_min, length) > 0)
1160 return 0;
1161 break;
1162 }
1163 }
1164
1165 return 1;
1166}
1167
1168/*
1169 * Test whether a is a subset of b.
1170 */
1171int v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b)
1172{
1173 int i;
1174 if (a == NULL || a == b)
1175 return 1;
1176 if (b == NULL || v3_addr_inherits(a) || v3_addr_inherits(b))
1177 return 0;
1178 (void) sk_IPAddressFamily_set_cmp_func(b, IPAddressFamily_cmp);
1179 for (i = 0; i < sk_IPAddressFamily_num(a); i++) {
1180 IPAddressFamily *fa = sk_IPAddressFamily_value(a, i);
1181 int j = sk_IPAddressFamily_find(b, fa);
1182 IPAddressFamily *fb;
1183 fb = sk_IPAddressFamily_value(b, j);
1184 if (fb == NULL)
1185 return 0;
1186 if (!addr_contains(fb->ipAddressChoice->u.addressesOrRanges,
1187 fa->ipAddressChoice->u.addressesOrRanges,
1188 length_from_afi(v3_addr_get_afi(fb))))
1189 return 0;
1190 }
1191 return 1;
1192}
1193
1194/*
1195 * Validation error handling via callback.
1196 */
1197#define validation_err(_err_) \
1198 do { \
1199 if (ctx != NULL) { \
1200 ctx->error = _err_; \
1201 ctx->error_depth = i; \
1202 ctx->current_cert = x; \
1203 ret = ctx->verify_cb(0, ctx); \
1204 } else { \
1205 ret = 0; \
1206 } \
1207 if (!ret) \
1208 goto done; \
1209 } while (0)
1210
1211/*
1212 * Core code for RFC 3779 2.3 path validation.
1213 */
1214static int v3_addr_validate_path_internal(X509_STORE_CTX *ctx,
1215 STACK_OF(X509) *chain,
1216 IPAddrBlocks *ext)
1217{
1218 IPAddrBlocks *child = NULL;
1219 int i, j, ret = 1;
1220 X509 *x;
1221
1222 OPENSSL_assert(chain != NULL && sk_X509_num(chain) > 0);
1223 OPENSSL_assert(ctx != NULL || ext != NULL);
1224 OPENSSL_assert(ctx == NULL || ctx->verify_cb != NULL);
1225
1226 /*
1227 * Figure out where to start. If we don't have an extension to
1228 * check, we're done. Otherwise, check canonical form and
1229 * set up for walking up the chain.
1230 */
1231 if (ext != NULL) {
1232 i = -1;
1233 x = NULL;
1234 } else {
1235 i = 0;
1236 x = sk_X509_value(chain, i);
1237 OPENSSL_assert(x != NULL);
1238 if ((ext = x->rfc3779_addr) == NULL)
1239 goto done;
1240 }
1241 if (!v3_addr_is_canonical(ext))
1242 validation_err(X509_V_ERR_INVALID_EXTENSION);
1243 (void) sk_IPAddressFamily_set_cmp_func(ext, IPAddressFamily_cmp);
1244 if ((child = sk_IPAddressFamily_dup(ext)) == NULL) {
1245 X509V3err(X509V3_F_V3_ADDR_VALIDATE_PATH_INTERNAL, ERR_R_MALLOC_FAILURE);
1246 ret = 0;
1247 goto done;
1248 }
1249
1250 /*
1251 * Now walk up the chain. No cert may list resources that its
1252 * parent doesn't list.
1253 */
1254 for (i++; i < sk_X509_num(chain); i++) {
1255 x = sk_X509_value(chain, i);
1256 OPENSSL_assert(x != NULL);
1257 if (!v3_addr_is_canonical(x->rfc3779_addr))
1258 validation_err(X509_V_ERR_INVALID_EXTENSION);
1259 if (x->rfc3779_addr == NULL) {
1260 for (j = 0; j < sk_IPAddressFamily_num(child); j++) {
1261 IPAddressFamily *fc = sk_IPAddressFamily_value(child, j);
1262 if (fc->ipAddressChoice->type != IPAddressChoice_inherit) {
1263 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
1264 break;
1265 }
1266 }
1267 continue;
1268 }
1269 (void) sk_IPAddressFamily_set_cmp_func(x->rfc3779_addr, IPAddressFamily_cmp);
1270 for (j = 0; j < sk_IPAddressFamily_num(child); j++) {
1271 IPAddressFamily *fc = sk_IPAddressFamily_value(child, j);
1272 int k = sk_IPAddressFamily_find(x->rfc3779_addr, fc);
1273 IPAddressFamily *fp = sk_IPAddressFamily_value(x->rfc3779_addr, k);
1274 if (fp == NULL) {
1275 if (fc->ipAddressChoice->type == IPAddressChoice_addressesOrRanges) {
1276 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
1277 break;
1278 }
1279 continue;
1280 }
1281 if (fp->ipAddressChoice->type == IPAddressChoice_addressesOrRanges) {
1282 if (fc->ipAddressChoice->type == IPAddressChoice_inherit ||
1283 addr_contains(fp->ipAddressChoice->u.addressesOrRanges,
1284 fc->ipAddressChoice->u.addressesOrRanges,
1285 length_from_afi(v3_addr_get_afi(fc))))
1286 sk_IPAddressFamily_set(child, j, fp);
1287 else
1288 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
1289 }
1290 }
1291 }
1292
1293 /*
1294 * Trust anchor can't inherit.
1295 */
1296 OPENSSL_assert(x != NULL);
1297 if (x->rfc3779_addr != NULL) {
1298 for (j = 0; j < sk_IPAddressFamily_num(x->rfc3779_addr); j++) {
1299 IPAddressFamily *fp = sk_IPAddressFamily_value(x->rfc3779_addr, j);
1300 if (fp->ipAddressChoice->type == IPAddressChoice_inherit &&
1301 sk_IPAddressFamily_find(child, fp) >= 0)
1302 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
1303 }
1304 }
1305
1306 done:
1307 sk_IPAddressFamily_free(child);
1308 return ret;
1309}
1310
1311#undef validation_err
1312
1313/*
1314 * RFC 3779 2.3 path validation -- called from X509_verify_cert().
1315 */
1316int v3_addr_validate_path(X509_STORE_CTX *ctx)
1317{
1318 return v3_addr_validate_path_internal(ctx, ctx->chain, NULL);
1319}
1320
1321/*
1322 * RFC 3779 2.3 path validation of an extension.
1323 * Test whether chain covers extension.
1324 */
1325int v3_addr_validate_resource_set(STACK_OF(X509) *chain,
1326 IPAddrBlocks *ext,
1327 int allow_inheritance)
1328{
1329 if (ext == NULL)
1330 return 1;
1331 if (chain == NULL || sk_X509_num(chain) == 0)
1332 return 0;
1333 if (!allow_inheritance && v3_addr_inherits(ext))
1334 return 0;
1335 return v3_addr_validate_path_internal(NULL, chain, ext);
1336}
1337
1338#endif /* OPENSSL_NO_RFC3779 */
diff --git a/src/lib/libcrypto/x509v3/v3_akey.c b/src/lib/libcrypto/x509v3/v3_akey.c
new file mode 100644
index 0000000000..c6b68ee221
--- /dev/null
+++ b/src/lib/libcrypto/x509v3/v3_akey.c
@@ -0,0 +1,208 @@
1/* v3_akey.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/conf.h>
62#include <openssl/asn1.h>
63#include <openssl/asn1t.h>
64#include <openssl/x509v3.h>
65
66static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
67 AUTHORITY_KEYID *akeyid, STACK_OF(CONF_VALUE) *extlist);
68static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
69 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values);
70
71const X509V3_EXT_METHOD v3_akey_id =
72 {
73 NID_authority_key_identifier,
74 X509V3_EXT_MULTILINE, ASN1_ITEM_ref(AUTHORITY_KEYID),
75 0,0,0,0,
76 0,0,
77 (X509V3_EXT_I2V)i2v_AUTHORITY_KEYID,
78 (X509V3_EXT_V2I)v2i_AUTHORITY_KEYID,
79 0,0,
80 NULL
81 };
82
83static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
84 AUTHORITY_KEYID *akeyid, STACK_OF(CONF_VALUE) *extlist)
85{
86 char *tmp;
87 if(akeyid->keyid) {
88 tmp = hex_to_string(akeyid->keyid->data, akeyid->keyid->length);
89 X509V3_add_value("keyid", tmp, &extlist);
90 OPENSSL_free(tmp);
91 }
92 if(akeyid->issuer)
93 extlist = i2v_GENERAL_NAMES(NULL, akeyid->issuer, extlist);
94 if(akeyid->serial) {
95 tmp = hex_to_string(akeyid->serial->data,
96 akeyid->serial->length);
97 X509V3_add_value("serial", tmp, &extlist);
98 OPENSSL_free(tmp);
99 }
100 return extlist;
101}
102
103/* Currently two options:
104 * keyid: use the issuers subject keyid, the value 'always' means its is
105 * an error if the issuer certificate doesn't have a key id.
106 * issuer: use the issuers cert issuer and serial number. The default is
107 * to only use this if keyid is not present. With the option 'always'
108 * this is always included.
109 */
110
111static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
112 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values)
113 {
114 char keyid=0, issuer=0;
115 int i;
116 CONF_VALUE *cnf;
117 ASN1_OCTET_STRING *ikeyid = NULL;
118 X509_NAME *isname = NULL;
119 GENERAL_NAMES * gens = NULL;
120 GENERAL_NAME *gen = NULL;
121 ASN1_INTEGER *serial = NULL;
122 X509_EXTENSION *ext;
123 X509 *cert;
124 AUTHORITY_KEYID *akeyid;
125
126 for(i = 0; i < sk_CONF_VALUE_num(values); i++)
127 {
128 cnf = sk_CONF_VALUE_value(values, i);
129 if(!strcmp(cnf->name, "keyid"))
130 {
131 keyid = 1;
132 if(cnf->value && !strcmp(cnf->value, "always"))
133 keyid = 2;
134 }
135 else if(!strcmp(cnf->name, "issuer"))
136 {
137 issuer = 1;
138 if(cnf->value && !strcmp(cnf->value, "always"))
139 issuer = 2;
140 }
141 else
142 {
143 X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,X509V3_R_UNKNOWN_OPTION);
144 ERR_add_error_data(2, "name=", cnf->name);
145 return NULL;
146 }
147 }
148
149 if(!ctx || !ctx->issuer_cert)
150 {
151 if(ctx && (ctx->flags==CTX_TEST))
152 return AUTHORITY_KEYID_new();
153 X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,X509V3_R_NO_ISSUER_CERTIFICATE);
154 return NULL;
155 }
156
157 cert = ctx->issuer_cert;
158
159 if(keyid)
160 {
161 i = X509_get_ext_by_NID(cert, NID_subject_key_identifier, -1);
162 if((i >= 0) && (ext = X509_get_ext(cert, i)))
163 ikeyid = X509V3_EXT_d2i(ext);
164 if(keyid==2 && !ikeyid)
165 {
166 X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,X509V3_R_UNABLE_TO_GET_ISSUER_KEYID);
167 return NULL;
168 }
169 }
170
171 if((issuer && !ikeyid) || (issuer == 2))
172 {
173 isname = X509_NAME_dup(X509_get_issuer_name(cert));
174 serial = M_ASN1_INTEGER_dup(X509_get_serialNumber(cert));
175 if(!isname || !serial)
176 {
177 X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS);
178 goto err;
179 }
180 }
181
182 if(!(akeyid = AUTHORITY_KEYID_new())) goto err;
183
184 if(isname)
185 {
186 if(!(gens = sk_GENERAL_NAME_new_null())
187 || !(gen = GENERAL_NAME_new())
188 || !sk_GENERAL_NAME_push(gens, gen))
189 {
190 X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,ERR_R_MALLOC_FAILURE);
191 goto err;
192 }
193 gen->type = GEN_DIRNAME;
194 gen->d.dirn = isname;
195 }
196
197 akeyid->issuer = gens;
198 akeyid->serial = serial;
199 akeyid->keyid = ikeyid;
200
201 return akeyid;
202
203 err:
204 X509_NAME_free(isname);
205 M_ASN1_INTEGER_free(serial);
206 M_ASN1_OCTET_STRING_free(ikeyid);
207 return NULL;
208 }
diff --git a/src/lib/libcrypto/x509v3/v3_akeya.c b/src/lib/libcrypto/x509v3/v3_akeya.c
new file mode 100644
index 0000000000..2c50f7360e
--- /dev/null
+++ b/src/lib/libcrypto/x509v3/v3_akeya.c
@@ -0,0 +1,72 @@
1/* v3_akey_asn1.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/conf.h>
62#include <openssl/asn1.h>
63#include <openssl/asn1t.h>
64#include <openssl/x509v3.h>
65
66ASN1_SEQUENCE(AUTHORITY_KEYID) = {
67 ASN1_IMP_OPT(AUTHORITY_KEYID, keyid, ASN1_OCTET_STRING, 0),
68 ASN1_IMP_SEQUENCE_OF_OPT(AUTHORITY_KEYID, issuer, GENERAL_NAME, 1),
69 ASN1_IMP_OPT(AUTHORITY_KEYID, serial, ASN1_INTEGER, 2)
70} ASN1_SEQUENCE_END(AUTHORITY_KEYID)
71
72IMPLEMENT_ASN1_FUNCTIONS(AUTHORITY_KEYID)
diff --git a/src/lib/libcrypto/x509v3/v3_alt.c b/src/lib/libcrypto/x509v3/v3_alt.c
new file mode 100644
index 0000000000..91aefcddc1
--- /dev/null
+++ b/src/lib/libcrypto/x509v3/v3_alt.c
@@ -0,0 +1,614 @@
1/* v3_alt.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project.
4 */
5/* ====================================================================
6 * Copyright (c) 1999-2003 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/conf.h>
62#include <openssl/x509v3.h>
63
64static GENERAL_NAMES *v2i_subject_alt(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
65static GENERAL_NAMES *v2i_issuer_alt(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
66static int copy_email(X509V3_CTX *ctx, GENERAL_NAMES *gens, int move_p);
67static int copy_issuer(X509V3_CTX *ctx, GENERAL_NAMES *gens);
68static int do_othername(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx);
69static int do_dirname(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx);
70
71const X509V3_EXT_METHOD v3_alt[] = {
72{ NID_subject_alt_name, 0, ASN1_ITEM_ref(GENERAL_NAMES),
730,0,0,0,
740,0,
75(X509V3_EXT_I2V)i2v_GENERAL_NAMES,
76(X509V3_EXT_V2I)v2i_subject_alt,
77NULL, NULL, NULL},
78
79{ NID_issuer_alt_name, 0, ASN1_ITEM_ref(GENERAL_NAMES),
800,0,0,0,
810,0,
82(X509V3_EXT_I2V)i2v_GENERAL_NAMES,
83(X509V3_EXT_V2I)v2i_issuer_alt,
84NULL, NULL, NULL},
85
86{ NID_certificate_issuer, 0, ASN1_ITEM_ref(GENERAL_NAMES),
870,0,0,0,
880,0,
89(X509V3_EXT_I2V)i2v_GENERAL_NAMES,
90NULL, NULL, NULL, NULL},
91};
92
93STACK_OF(CONF_VALUE) *i2v_GENERAL_NAMES(X509V3_EXT_METHOD *method,
94 GENERAL_NAMES *gens, STACK_OF(CONF_VALUE) *ret)
95{
96 int i;
97 GENERAL_NAME *gen;
98 for(i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
99 gen = sk_GENERAL_NAME_value(gens, i);
100 ret = i2v_GENERAL_NAME(method, gen, ret);
101 }
102 if(!ret) return sk_CONF_VALUE_new_null();
103 return ret;
104}
105
106STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(X509V3_EXT_METHOD *method,
107 GENERAL_NAME *gen, STACK_OF(CONF_VALUE) *ret)
108{
109 unsigned char *p;
110 char oline[256], htmp[5];
111 int i;
112 switch (gen->type)
113 {
114 case GEN_OTHERNAME:
115 X509V3_add_value("othername","<unsupported>", &ret);
116 break;
117
118 case GEN_X400:
119 X509V3_add_value("X400Name","<unsupported>", &ret);
120 break;
121
122 case GEN_EDIPARTY:
123 X509V3_add_value("EdiPartyName","<unsupported>", &ret);
124 break;
125
126 case GEN_EMAIL:
127 X509V3_add_value_uchar("email",gen->d.ia5->data, &ret);
128 break;
129
130 case GEN_DNS:
131 X509V3_add_value_uchar("DNS",gen->d.ia5->data, &ret);
132 break;
133
134 case GEN_URI:
135 X509V3_add_value_uchar("URI",gen->d.ia5->data, &ret);
136 break;
137
138 case GEN_DIRNAME:
139 X509_NAME_oneline(gen->d.dirn, oline, 256);
140 X509V3_add_value("DirName",oline, &ret);
141 break;
142
143 case GEN_IPADD:
144 p = gen->d.ip->data;
145 if(gen->d.ip->length == 4)
146 BIO_snprintf(oline, sizeof oline,
147 "%d.%d.%d.%d", p[0], p[1], p[2], p[3]);
148 else if(gen->d.ip->length == 16)
149 {
150 oline[0] = 0;
151 for (i = 0; i < 8; i++)
152 {
153 BIO_snprintf(htmp, sizeof htmp,
154 "%X", p[0] << 8 | p[1]);
155 p += 2;
156 strlcat(oline, htmp, sizeof(oline));
157 if (i != 7)
158 strlcat(oline, ":", sizeof(oline));
159 }
160 }
161 else
162 {
163 X509V3_add_value("IP Address","<invalid>", &ret);
164 break;
165 }
166 X509V3_add_value("IP Address",oline, &ret);
167 break;
168
169 case GEN_RID:
170 i2t_ASN1_OBJECT(oline, 256, gen->d.rid);
171 X509V3_add_value("Registered ID",oline, &ret);
172 break;
173 }
174 return ret;
175}
176
177int GENERAL_NAME_print(BIO *out, GENERAL_NAME *gen)
178{
179 unsigned char *p;
180 int i;
181 switch (gen->type)
182 {
183 case GEN_OTHERNAME:
184 BIO_printf(out, "othername:<unsupported>");
185 break;
186
187 case GEN_X400:
188 BIO_printf(out, "X400Name:<unsupported>");
189 break;
190
191 case GEN_EDIPARTY:
192 /* Maybe fix this: it is supported now */
193 BIO_printf(out, "EdiPartyName:<unsupported>");
194 break;
195
196 case GEN_EMAIL:
197 BIO_printf(out, "email:%s",gen->d.ia5->data);
198 break;
199
200 case GEN_DNS:
201 BIO_printf(out, "DNS:%s",gen->d.ia5->data);
202 break;
203
204 case GEN_URI:
205 BIO_printf(out, "URI:%s",gen->d.ia5->data);
206 break;
207
208 case GEN_DIRNAME:
209 BIO_printf(out, "DirName: ");
210 X509_NAME_print_ex(out, gen->d.dirn, 0, XN_FLAG_ONELINE);
211 break;
212
213 case GEN_IPADD:
214 p = gen->d.ip->data;
215 if(gen->d.ip->length == 4)
216 BIO_printf(out, "IP Address:%d.%d.%d.%d",
217 p[0], p[1], p[2], p[3]);
218 else if(gen->d.ip->length == 16)
219 {
220 BIO_printf(out, "IP Address");
221 for (i = 0; i < 8; i++)
222 {
223 BIO_printf(out, ":%X", p[0] << 8 | p[1]);
224 p += 2;
225 }
226 BIO_puts(out, "\n");
227 }
228 else
229 {
230 BIO_printf(out,"IP Address:<invalid>");
231 break;
232 }
233 break;
234
235 case GEN_RID:
236 BIO_printf(out, "Registered ID");
237 i2a_ASN1_OBJECT(out, gen->d.rid);
238 break;
239 }
240 return 1;
241}
242
243static GENERAL_NAMES *v2i_issuer_alt(X509V3_EXT_METHOD *method,
244 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
245{
246 GENERAL_NAMES *gens = NULL;
247 CONF_VALUE *cnf;
248 int i;
249 if(!(gens = sk_GENERAL_NAME_new_null())) {
250 X509V3err(X509V3_F_V2I_ISSUER_ALT,ERR_R_MALLOC_FAILURE);
251 return NULL;
252 }
253 for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
254 cnf = sk_CONF_VALUE_value(nval, i);
255 if(!name_cmp(cnf->name, "issuer") && cnf->value &&
256 !strcmp(cnf->value, "copy")) {
257 if(!copy_issuer(ctx, gens)) goto err;
258 } else {
259 GENERAL_NAME *gen;
260 if(!(gen = v2i_GENERAL_NAME(method, ctx, cnf)))
261 goto err;
262 sk_GENERAL_NAME_push(gens, gen);
263 }
264 }
265 return gens;
266 err:
267 sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
268 return NULL;
269}
270
271/* Append subject altname of issuer to issuer alt name of subject */
272
273static int copy_issuer(X509V3_CTX *ctx, GENERAL_NAMES *gens)
274{
275 GENERAL_NAMES *ialt;
276 GENERAL_NAME *gen;
277 X509_EXTENSION *ext;
278 int i;
279 if(ctx && (ctx->flags == CTX_TEST)) return 1;
280 if(!ctx || !ctx->issuer_cert) {
281 X509V3err(X509V3_F_COPY_ISSUER,X509V3_R_NO_ISSUER_DETAILS);
282 goto err;
283 }
284 i = X509_get_ext_by_NID(ctx->issuer_cert, NID_subject_alt_name, -1);
285 if(i < 0) return 1;
286 if(!(ext = X509_get_ext(ctx->issuer_cert, i)) ||
287 !(ialt = X509V3_EXT_d2i(ext)) ) {
288 X509V3err(X509V3_F_COPY_ISSUER,X509V3_R_ISSUER_DECODE_ERROR);
289 goto err;
290 }
291
292 for(i = 0; i < sk_GENERAL_NAME_num(ialt); i++) {
293 gen = sk_GENERAL_NAME_value(ialt, i);
294 if(!sk_GENERAL_NAME_push(gens, gen)) {
295 X509V3err(X509V3_F_COPY_ISSUER,ERR_R_MALLOC_FAILURE);
296 goto err;
297 }
298 }
299 sk_GENERAL_NAME_free(ialt);
300
301 return 1;
302
303 err:
304 return 0;
305
306}
307
308static GENERAL_NAMES *v2i_subject_alt(X509V3_EXT_METHOD *method,
309 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
310{
311 GENERAL_NAMES *gens = NULL;
312 CONF_VALUE *cnf;
313 int i;
314 if(!(gens = sk_GENERAL_NAME_new_null())) {
315 X509V3err(X509V3_F_V2I_SUBJECT_ALT,ERR_R_MALLOC_FAILURE);
316 return NULL;
317 }
318 for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
319 cnf = sk_CONF_VALUE_value(nval, i);
320 if(!name_cmp(cnf->name, "email") && cnf->value &&
321 !strcmp(cnf->value, "copy")) {
322 if(!copy_email(ctx, gens, 0)) goto err;
323 } else if(!name_cmp(cnf->name, "email") && cnf->value &&
324 !strcmp(cnf->value, "move")) {
325 if(!copy_email(ctx, gens, 1)) goto err;
326 } else {
327 GENERAL_NAME *gen;
328 if(!(gen = v2i_GENERAL_NAME(method, ctx, cnf)))
329 goto err;
330 sk_GENERAL_NAME_push(gens, gen);
331 }
332 }
333 return gens;
334 err:
335 sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
336 return NULL;
337}
338
339/* Copy any email addresses in a certificate or request to
340 * GENERAL_NAMES
341 */
342
343static int copy_email(X509V3_CTX *ctx, GENERAL_NAMES *gens, int move_p)
344{
345 X509_NAME *nm;
346 ASN1_IA5STRING *email = NULL;
347 X509_NAME_ENTRY *ne;
348 GENERAL_NAME *gen = NULL;
349 int i;
350 if(ctx != NULL && ctx->flags == CTX_TEST)
351 return 1;
352 if(!ctx || (!ctx->subject_cert && !ctx->subject_req)) {
353 X509V3err(X509V3_F_COPY_EMAIL,X509V3_R_NO_SUBJECT_DETAILS);
354 goto err;
355 }
356 /* Find the subject name */
357 if(ctx->subject_cert) nm = X509_get_subject_name(ctx->subject_cert);
358 else nm = X509_REQ_get_subject_name(ctx->subject_req);
359
360 /* Now add any email address(es) to STACK */
361 i = -1;
362 while((i = X509_NAME_get_index_by_NID(nm,
363 NID_pkcs9_emailAddress, i)) >= 0) {
364 ne = X509_NAME_get_entry(nm, i);
365 email = M_ASN1_IA5STRING_dup(X509_NAME_ENTRY_get_data(ne));
366 if (move_p)
367 {
368 X509_NAME_delete_entry(nm, i);
369 X509_NAME_ENTRY_free(ne);
370 i--;
371 }
372 if(!email || !(gen = GENERAL_NAME_new())) {
373 X509V3err(X509V3_F_COPY_EMAIL,ERR_R_MALLOC_FAILURE);
374 goto err;
375 }
376 gen->d.ia5 = email;
377 email = NULL;
378 gen->type = GEN_EMAIL;
379 if(!sk_GENERAL_NAME_push(gens, gen)) {
380 X509V3err(X509V3_F_COPY_EMAIL,ERR_R_MALLOC_FAILURE);
381 goto err;
382 }
383 gen = NULL;
384 }
385
386
387 return 1;
388
389 err:
390 GENERAL_NAME_free(gen);
391 M_ASN1_IA5STRING_free(email);
392 return 0;
393
394}
395
396GENERAL_NAMES *v2i_GENERAL_NAMES(const X509V3_EXT_METHOD *method,
397 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
398{
399 GENERAL_NAME *gen;
400 GENERAL_NAMES *gens = NULL;
401 CONF_VALUE *cnf;
402 int i;
403 if(!(gens = sk_GENERAL_NAME_new_null())) {
404 X509V3err(X509V3_F_V2I_GENERAL_NAMES,ERR_R_MALLOC_FAILURE);
405 return NULL;
406 }
407 for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
408 cnf = sk_CONF_VALUE_value(nval, i);
409 if(!(gen = v2i_GENERAL_NAME(method, ctx, cnf))) goto err;
410 sk_GENERAL_NAME_push(gens, gen);
411 }
412 return gens;
413 err:
414 sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
415 return NULL;
416}
417
418GENERAL_NAME *v2i_GENERAL_NAME(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
419 CONF_VALUE *cnf)
420 {
421 return v2i_GENERAL_NAME_ex(NULL, method, ctx, cnf, 0);
422 }
423
424GENERAL_NAME *a2i_GENERAL_NAME(GENERAL_NAME *out,
425 const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
426 int gen_type, char *value, int is_nc)
427 {
428 char is_string = 0;
429 GENERAL_NAME *gen = NULL;
430
431 if(!value)
432 {
433 X509V3err(X509V3_F_A2I_GENERAL_NAME,X509V3_R_MISSING_VALUE);
434 return NULL;
435 }
436
437 if (out)
438 gen = out;
439 else
440 {
441 gen = GENERAL_NAME_new();
442 if(gen == NULL)
443 {
444 X509V3err(X509V3_F_A2I_GENERAL_NAME,ERR_R_MALLOC_FAILURE);
445 return NULL;
446 }
447 }
448
449 switch (gen_type)
450 {
451 case GEN_URI:
452 case GEN_EMAIL:
453 case GEN_DNS:
454 is_string = 1;
455 break;
456
457 case GEN_RID:
458 {
459 ASN1_OBJECT *obj;
460 if(!(obj = OBJ_txt2obj(value,0)))
461 {
462 X509V3err(X509V3_F_A2I_GENERAL_NAME,X509V3_R_BAD_OBJECT);
463 ERR_add_error_data(2, "value=", value);
464 goto err;
465 }
466 gen->d.rid = obj;
467 }
468 break;
469
470 case GEN_IPADD:
471 if (is_nc)
472 gen->d.ip = a2i_IPADDRESS_NC(value);
473 else
474 gen->d.ip = a2i_IPADDRESS(value);
475 if(gen->d.ip == NULL)
476 {
477 X509V3err(X509V3_F_A2I_GENERAL_NAME,X509V3_R_BAD_IP_ADDRESS);
478 ERR_add_error_data(2, "value=", value);
479 goto err;
480 }
481 break;
482
483 case GEN_DIRNAME:
484 if (!do_dirname(gen, value, ctx))
485 {
486 X509V3err(X509V3_F_A2I_GENERAL_NAME,X509V3_R_DIRNAME_ERROR);
487 goto err;
488 }
489 break;
490
491 case GEN_OTHERNAME:
492 if (!do_othername(gen, value, ctx))
493 {
494 X509V3err(X509V3_F_A2I_GENERAL_NAME,X509V3_R_OTHERNAME_ERROR);
495 goto err;
496 }
497 break;
498 default:
499 X509V3err(X509V3_F_A2I_GENERAL_NAME,X509V3_R_UNSUPPORTED_TYPE);
500 goto err;
501 }
502
503 if(is_string)
504 {
505 if(!(gen->d.ia5 = M_ASN1_IA5STRING_new()) ||
506 !ASN1_STRING_set(gen->d.ia5, (unsigned char*)value,
507 strlen(value)))
508 {
509 X509V3err(X509V3_F_A2I_GENERAL_NAME,ERR_R_MALLOC_FAILURE);
510 goto err;
511 }
512 }
513
514 gen->type = gen_type;
515
516 return gen;
517
518 err:
519 if (!out)
520 GENERAL_NAME_free(gen);
521 return NULL;
522 }
523
524GENERAL_NAME *v2i_GENERAL_NAME_ex(GENERAL_NAME *out,
525 const X509V3_EXT_METHOD *method,
526 X509V3_CTX *ctx, CONF_VALUE *cnf, int is_nc)
527 {
528 int type;
529
530 char *name, *value;
531
532 name = cnf->name;
533 value = cnf->value;
534
535 if(!value)
536 {
537 X509V3err(X509V3_F_V2I_GENERAL_NAME_EX,X509V3_R_MISSING_VALUE);
538 return NULL;
539 }
540
541 if(!name_cmp(name, "email"))
542 type = GEN_EMAIL;
543 else if(!name_cmp(name, "URI"))
544 type = GEN_URI;
545 else if(!name_cmp(name, "DNS"))
546 type = GEN_DNS;
547 else if(!name_cmp(name, "RID"))
548 type = GEN_RID;
549 else if(!name_cmp(name, "IP"))
550 type = GEN_IPADD;
551 else if(!name_cmp(name, "dirName"))
552 type = GEN_DIRNAME;
553 else if(!name_cmp(name, "otherName"))
554 type = GEN_OTHERNAME;
555 else
556 {
557 X509V3err(X509V3_F_V2I_GENERAL_NAME_EX,X509V3_R_UNSUPPORTED_OPTION);
558 ERR_add_error_data(2, "name=", name);
559 return NULL;
560 }
561
562 return a2i_GENERAL_NAME(out, method, ctx, type, value, is_nc);
563
564 }
565
566static int do_othername(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx)
567 {
568 char *objtmp = NULL, *p;
569 int objlen;
570 if (!(p = strchr(value, ';')))
571 return 0;
572 if (!(gen->d.otherName = OTHERNAME_new()))
573 return 0;
574 /* Free this up because we will overwrite it.
575 * no need to free type_id because it is static
576 */
577 ASN1_TYPE_free(gen->d.otherName->value);
578 if (!(gen->d.otherName->value = ASN1_generate_v3(p + 1, ctx)))
579 return 0;
580 objlen = p - value;
581 objtmp = OPENSSL_malloc(objlen + 1);
582 strncpy(objtmp, value, objlen);
583 objtmp[objlen] = 0;
584 gen->d.otherName->type_id = OBJ_txt2obj(objtmp, 0);
585 OPENSSL_free(objtmp);
586 if (!gen->d.otherName->type_id)
587 return 0;
588 return 1;
589 }
590
591static int do_dirname(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx)
592 {
593 int ret;
594 STACK_OF(CONF_VALUE) *sk;
595 X509_NAME *nm;
596 if (!(nm = X509_NAME_new()))
597 return 0;
598 sk = X509V3_get_section(ctx, value);
599 if (!sk)
600 {
601 X509V3err(X509V3_F_DO_DIRNAME,X509V3_R_SECTION_NOT_FOUND);
602 ERR_add_error_data(2, "section=", value);
603 X509_NAME_free(nm);
604 return 0;
605 }
606 /* FIXME: should allow other character types... */
607 ret = X509V3_NAME_from_section(nm, sk, MBSTRING_ASC);
608 if (!ret)
609 X509_NAME_free(nm);
610 gen->d.dirn = nm;
611 X509V3_section_free(ctx, sk);
612
613 return ret;
614 }
diff --git a/src/lib/libcrypto/x509v3/v3_asid.c b/src/lib/libcrypto/x509v3/v3_asid.c
new file mode 100644
index 0000000000..3f434c0603
--- /dev/null
+++ b/src/lib/libcrypto/x509v3/v3_asid.c
@@ -0,0 +1,843 @@
1/*
2 * Contributed to the OpenSSL Project by the American Registry for
3 * Internet Numbers ("ARIN").
4 */
5/* ====================================================================
6 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 */
57
58/*
59 * Implementation of RFC 3779 section 3.2.
60 */
61
62#include <stdio.h>
63#include <string.h>
64#include "cryptlib.h"
65#include <openssl/conf.h>
66#include <openssl/asn1.h>
67#include <openssl/asn1t.h>
68#include <openssl/x509v3.h>
69#include <openssl/x509.h>
70#include <openssl/bn.h>
71
72#ifndef OPENSSL_NO_RFC3779
73
74/*
75 * OpenSSL ASN.1 template translation of RFC 3779 3.2.3.
76 */
77
78ASN1_SEQUENCE(ASRange) = {
79 ASN1_SIMPLE(ASRange, min, ASN1_INTEGER),
80 ASN1_SIMPLE(ASRange, max, ASN1_INTEGER)
81} ASN1_SEQUENCE_END(ASRange)
82
83ASN1_CHOICE(ASIdOrRange) = {
84 ASN1_SIMPLE(ASIdOrRange, u.id, ASN1_INTEGER),
85 ASN1_SIMPLE(ASIdOrRange, u.range, ASRange)
86} ASN1_CHOICE_END(ASIdOrRange)
87
88ASN1_CHOICE(ASIdentifierChoice) = {
89 ASN1_SIMPLE(ASIdentifierChoice, u.inherit, ASN1_NULL),
90 ASN1_SEQUENCE_OF(ASIdentifierChoice, u.asIdsOrRanges, ASIdOrRange)
91} ASN1_CHOICE_END(ASIdentifierChoice)
92
93ASN1_SEQUENCE(ASIdentifiers) = {
94 ASN1_EXP_OPT(ASIdentifiers, asnum, ASIdentifierChoice, 0),
95 ASN1_EXP_OPT(ASIdentifiers, rdi, ASIdentifierChoice, 1)
96} ASN1_SEQUENCE_END(ASIdentifiers)
97
98IMPLEMENT_ASN1_FUNCTIONS(ASRange)
99IMPLEMENT_ASN1_FUNCTIONS(ASIdOrRange)
100IMPLEMENT_ASN1_FUNCTIONS(ASIdentifierChoice)
101IMPLEMENT_ASN1_FUNCTIONS(ASIdentifiers)
102
103/*
104 * i2r method for an ASIdentifierChoice.
105 */
106static int i2r_ASIdentifierChoice(BIO *out,
107 ASIdentifierChoice *choice,
108 int indent,
109 const char *msg)
110{
111 int i;
112 char *s;
113 if (choice == NULL)
114 return 1;
115 BIO_printf(out, "%*s%s:\n", indent, "", msg);
116 switch (choice->type) {
117 case ASIdentifierChoice_inherit:
118 BIO_printf(out, "%*sinherit\n", indent + 2, "");
119 break;
120 case ASIdentifierChoice_asIdsOrRanges:
121 for (i = 0; i < sk_ASIdOrRange_num(choice->u.asIdsOrRanges); i++) {
122 ASIdOrRange *aor = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i);
123 switch (aor->type) {
124 case ASIdOrRange_id:
125 if ((s = i2s_ASN1_INTEGER(NULL, aor->u.id)) == NULL)
126 return 0;
127 BIO_printf(out, "%*s%s\n", indent + 2, "", s);
128 OPENSSL_free(s);
129 break;
130 case ASIdOrRange_range:
131 if ((s = i2s_ASN1_INTEGER(NULL, aor->u.range->min)) == NULL)
132 return 0;
133 BIO_printf(out, "%*s%s-", indent + 2, "", s);
134 OPENSSL_free(s);
135 if ((s = i2s_ASN1_INTEGER(NULL, aor->u.range->max)) == NULL)
136 return 0;
137 BIO_printf(out, "%s\n", s);
138 OPENSSL_free(s);
139 break;
140 default:
141 return 0;
142 }
143 }
144 break;
145 default:
146 return 0;
147 }
148 return 1;
149}
150
151/*
152 * i2r method for an ASIdentifier extension.
153 */
154static int i2r_ASIdentifiers(const X509V3_EXT_METHOD *method,
155 void *ext,
156 BIO *out,
157 int indent)
158{
159 ASIdentifiers *asid = ext;
160 return (i2r_ASIdentifierChoice(out, asid->asnum, indent,
161 "Autonomous System Numbers") &&
162 i2r_ASIdentifierChoice(out, asid->rdi, indent,
163 "Routing Domain Identifiers"));
164}
165
166/*
167 * Sort comparision function for a sequence of ASIdOrRange elements.
168 */
169static int ASIdOrRange_cmp(const ASIdOrRange * const *a_,
170 const ASIdOrRange * const *b_)
171{
172 const ASIdOrRange *a = *a_, *b = *b_;
173
174 OPENSSL_assert((a->type == ASIdOrRange_id && a->u.id != NULL) ||
175 (a->type == ASIdOrRange_range && a->u.range != NULL &&
176 a->u.range->min != NULL && a->u.range->max != NULL));
177
178 OPENSSL_assert((b->type == ASIdOrRange_id && b->u.id != NULL) ||
179 (b->type == ASIdOrRange_range && b->u.range != NULL &&
180 b->u.range->min != NULL && b->u.range->max != NULL));
181
182 if (a->type == ASIdOrRange_id && b->type == ASIdOrRange_id)
183 return ASN1_INTEGER_cmp(a->u.id, b->u.id);
184
185 if (a->type == ASIdOrRange_range && b->type == ASIdOrRange_range) {
186 int r = ASN1_INTEGER_cmp(a->u.range->min, b->u.range->min);
187 return r != 0 ? r : ASN1_INTEGER_cmp(a->u.range->max, b->u.range->max);
188 }
189
190 if (a->type == ASIdOrRange_id)
191 return ASN1_INTEGER_cmp(a->u.id, b->u.range->min);
192 else
193 return ASN1_INTEGER_cmp(a->u.range->min, b->u.id);
194}
195
196/*
197 * Add an inherit element.
198 */
199int v3_asid_add_inherit(ASIdentifiers *asid, int which)
200{
201 ASIdentifierChoice **choice;
202 if (asid == NULL)
203 return 0;
204 switch (which) {
205 case V3_ASID_ASNUM:
206 choice = &asid->asnum;
207 break;
208 case V3_ASID_RDI:
209 choice = &asid->rdi;
210 break;
211 default:
212 return 0;
213 }
214 if (*choice == NULL) {
215 if ((*choice = ASIdentifierChoice_new()) == NULL)
216 return 0;
217 OPENSSL_assert((*choice)->u.inherit == NULL);
218 if (((*choice)->u.inherit = ASN1_NULL_new()) == NULL)
219 return 0;
220 (*choice)->type = ASIdentifierChoice_inherit;
221 }
222 return (*choice)->type == ASIdentifierChoice_inherit;
223}
224
225/*
226 * Add an ID or range to an ASIdentifierChoice.
227 */
228int v3_asid_add_id_or_range(ASIdentifiers *asid,
229 int which,
230 ASN1_INTEGER *min,
231 ASN1_INTEGER *max)
232{
233 ASIdentifierChoice **choice;
234 ASIdOrRange *aor;
235 if (asid == NULL)
236 return 0;
237 switch (which) {
238 case V3_ASID_ASNUM:
239 choice = &asid->asnum;
240 break;
241 case V3_ASID_RDI:
242 choice = &asid->rdi;
243 break;
244 default:
245 return 0;
246 }
247 if (*choice != NULL && (*choice)->type == ASIdentifierChoice_inherit)
248 return 0;
249 if (*choice == NULL) {
250 if ((*choice = ASIdentifierChoice_new()) == NULL)
251 return 0;
252 OPENSSL_assert((*choice)->u.asIdsOrRanges == NULL);
253 (*choice)->u.asIdsOrRanges = sk_ASIdOrRange_new(ASIdOrRange_cmp);
254 if ((*choice)->u.asIdsOrRanges == NULL)
255 return 0;
256 (*choice)->type = ASIdentifierChoice_asIdsOrRanges;
257 }
258 if ((aor = ASIdOrRange_new()) == NULL)
259 return 0;
260 if (max == NULL) {
261 aor->type = ASIdOrRange_id;
262 aor->u.id = min;
263 } else {
264 aor->type = ASIdOrRange_range;
265 if ((aor->u.range = ASRange_new()) == NULL)
266 goto err;
267 ASN1_INTEGER_free(aor->u.range->min);
268 aor->u.range->min = min;
269 ASN1_INTEGER_free(aor->u.range->max);
270 aor->u.range->max = max;
271 }
272 if (!(sk_ASIdOrRange_push((*choice)->u.asIdsOrRanges, aor)))
273 goto err;
274 return 1;
275
276 err:
277 ASIdOrRange_free(aor);
278 return 0;
279}
280
281/*
282 * Extract min and max values from an ASIdOrRange.
283 */
284static void extract_min_max(ASIdOrRange *aor,
285 ASN1_INTEGER **min,
286 ASN1_INTEGER **max)
287{
288 OPENSSL_assert(aor != NULL && min != NULL && max != NULL);
289 switch (aor->type) {
290 case ASIdOrRange_id:
291 *min = aor->u.id;
292 *max = aor->u.id;
293 return;
294 case ASIdOrRange_range:
295 *min = aor->u.range->min;
296 *max = aor->u.range->max;
297 return;
298 }
299}
300
301/*
302 * Check whether an ASIdentifierChoice is in canonical form.
303 */
304static int ASIdentifierChoice_is_canonical(ASIdentifierChoice *choice)
305{
306 ASN1_INTEGER *a_max_plus_one = NULL;
307 BIGNUM *bn = NULL;
308 int i, ret = 0;
309
310 /*
311 * Empty element or inheritance is canonical.
312 */
313 if (choice == NULL || choice->type == ASIdentifierChoice_inherit)
314 return 1;
315
316 /*
317 * If not a list, or if empty list, it's broken.
318 */
319 if (choice->type != ASIdentifierChoice_asIdsOrRanges ||
320 sk_ASIdOrRange_num(choice->u.asIdsOrRanges) == 0)
321 return 0;
322
323 /*
324 * It's a list, check it.
325 */
326 for (i = 0; i < sk_ASIdOrRange_num(choice->u.asIdsOrRanges) - 1; i++) {
327 ASIdOrRange *a = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i);
328 ASIdOrRange *b = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i + 1);
329 ASN1_INTEGER *a_min, *a_max, *b_min, *b_max;
330
331 extract_min_max(a, &a_min, &a_max);
332 extract_min_max(b, &b_min, &b_max);
333
334 /*
335 * Punt misordered list, overlapping start, or inverted range.
336 */
337 if (ASN1_INTEGER_cmp(a_min, b_min) >= 0 ||
338 ASN1_INTEGER_cmp(a_min, a_max) > 0 ||
339 ASN1_INTEGER_cmp(b_min, b_max) > 0)
340 goto done;
341
342 /*
343 * Calculate a_max + 1 to check for adjacency.
344 */
345 if ((bn == NULL && (bn = BN_new()) == NULL) ||
346 ASN1_INTEGER_to_BN(a_max, bn) == NULL ||
347 !BN_add_word(bn, 1) ||
348 (a_max_plus_one = BN_to_ASN1_INTEGER(bn, a_max_plus_one)) == NULL) {
349 X509V3err(X509V3_F_ASIDENTIFIERCHOICE_IS_CANONICAL,
350 ERR_R_MALLOC_FAILURE);
351 goto done;
352 }
353
354 /*
355 * Punt if adjacent or overlapping.
356 */
357 if (ASN1_INTEGER_cmp(a_max_plus_one, b_min) >= 0)
358 goto done;
359 }
360
361 ret = 1;
362
363 done:
364 ASN1_INTEGER_free(a_max_plus_one);
365 BN_free(bn);
366 return ret;
367}
368
369/*
370 * Check whether an ASIdentifier extension is in canonical form.
371 */
372int v3_asid_is_canonical(ASIdentifiers *asid)
373{
374 return (asid == NULL ||
375 (ASIdentifierChoice_is_canonical(asid->asnum) &&
376 ASIdentifierChoice_is_canonical(asid->rdi)));
377}
378
379/*
380 * Whack an ASIdentifierChoice into canonical form.
381 */
382static int ASIdentifierChoice_canonize(ASIdentifierChoice *choice)
383{
384 ASN1_INTEGER *a_max_plus_one = NULL;
385 BIGNUM *bn = NULL;
386 int i, ret = 0;
387
388 /*
389 * Nothing to do for empty element or inheritance.
390 */
391 if (choice == NULL || choice->type == ASIdentifierChoice_inherit)
392 return 1;
393
394 /*
395 * We have a list. Sort it.
396 */
397 OPENSSL_assert(choice->type == ASIdentifierChoice_asIdsOrRanges);
398 sk_ASIdOrRange_sort(choice->u.asIdsOrRanges);
399
400 /*
401 * Now check for errors and suboptimal encoding, rejecting the
402 * former and fixing the latter.
403 */
404 for (i = 0; i < sk_ASIdOrRange_num(choice->u.asIdsOrRanges) - 1; i++) {
405 ASIdOrRange *a = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i);
406 ASIdOrRange *b = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i + 1);
407 ASN1_INTEGER *a_min, *a_max, *b_min, *b_max;
408
409 extract_min_max(a, &a_min, &a_max);
410 extract_min_max(b, &b_min, &b_max);
411
412 /*
413 * Make sure we're properly sorted (paranoia).
414 */
415 OPENSSL_assert(ASN1_INTEGER_cmp(a_min, b_min) <= 0);
416
417 /*
418 * Check for overlaps.
419 */
420 if (ASN1_INTEGER_cmp(a_max, b_min) >= 0) {
421 X509V3err(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE,
422 X509V3_R_EXTENSION_VALUE_ERROR);
423 goto done;
424 }
425
426 /*
427 * Calculate a_max + 1 to check for adjacency.
428 */
429 if ((bn == NULL && (bn = BN_new()) == NULL) ||
430 ASN1_INTEGER_to_BN(a_max, bn) == NULL ||
431 !BN_add_word(bn, 1) ||
432 (a_max_plus_one = BN_to_ASN1_INTEGER(bn, a_max_plus_one)) == NULL) {
433 X509V3err(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE, ERR_R_MALLOC_FAILURE);
434 goto done;
435 }
436
437 /*
438 * If a and b are adjacent, merge them.
439 */
440 if (ASN1_INTEGER_cmp(a_max_plus_one, b_min) == 0) {
441 ASRange *r;
442 switch (a->type) {
443 case ASIdOrRange_id:
444 if ((r = OPENSSL_malloc(sizeof(ASRange))) == NULL) {
445 X509V3err(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE,
446 ERR_R_MALLOC_FAILURE);
447 goto done;
448 }
449 r->min = a_min;
450 r->max = b_max;
451 a->type = ASIdOrRange_range;
452 a->u.range = r;
453 break;
454 case ASIdOrRange_range:
455 ASN1_INTEGER_free(a->u.range->max);
456 a->u.range->max = b_max;
457 break;
458 }
459 switch (b->type) {
460 case ASIdOrRange_id:
461 b->u.id = NULL;
462 break;
463 case ASIdOrRange_range:
464 b->u.range->max = NULL;
465 break;
466 }
467 ASIdOrRange_free(b);
468 sk_ASIdOrRange_delete(choice->u.asIdsOrRanges, i + 1);
469 i--;
470 continue;
471 }
472 }
473
474 OPENSSL_assert(ASIdentifierChoice_is_canonical(choice)); /* Paranoia */
475
476 ret = 1;
477
478 done:
479 ASN1_INTEGER_free(a_max_plus_one);
480 BN_free(bn);
481 return ret;
482}
483
484/*
485 * Whack an ASIdentifier extension into canonical form.
486 */
487int v3_asid_canonize(ASIdentifiers *asid)
488{
489 return (asid == NULL ||
490 (ASIdentifierChoice_canonize(asid->asnum) &&
491 ASIdentifierChoice_canonize(asid->rdi)));
492}
493
494/*
495 * v2i method for an ASIdentifier extension.
496 */
497static void *v2i_ASIdentifiers(const struct v3_ext_method *method,
498 struct v3_ext_ctx *ctx,
499 STACK_OF(CONF_VALUE) *values)
500{
501 ASIdentifiers *asid = NULL;
502 int i;
503
504 if ((asid = ASIdentifiers_new()) == NULL) {
505 X509V3err(X509V3_F_V2I_ASIDENTIFIERS, ERR_R_MALLOC_FAILURE);
506 return NULL;
507 }
508
509 for (i = 0; i < sk_CONF_VALUE_num(values); i++) {
510 CONF_VALUE *val = sk_CONF_VALUE_value(values, i);
511 ASN1_INTEGER *min = NULL, *max = NULL;
512 int i1, i2, i3, is_range, which;
513
514 /*
515 * Figure out whether this is an AS or an RDI.
516 */
517 if ( !name_cmp(val->name, "AS")) {
518 which = V3_ASID_ASNUM;
519 } else if (!name_cmp(val->name, "RDI")) {
520 which = V3_ASID_RDI;
521 } else {
522 X509V3err(X509V3_F_V2I_ASIDENTIFIERS, X509V3_R_EXTENSION_NAME_ERROR);
523 X509V3_conf_err(val);
524 goto err;
525 }
526
527 /*
528 * Handle inheritance.
529 */
530 if (!strcmp(val->value, "inherit")) {
531 if (v3_asid_add_inherit(asid, which))
532 continue;
533 X509V3err(X509V3_F_V2I_ASIDENTIFIERS, X509V3_R_INVALID_INHERITANCE);
534 X509V3_conf_err(val);
535 goto err;
536 }
537
538 /*
539 * Number, range, or mistake, pick it apart and figure out which.
540 */
541 i1 = strspn(val->value, "0123456789");
542 if (val->value[i1] == '\0') {
543 is_range = 0;
544 } else {
545 is_range = 1;
546 i2 = i1 + strspn(val->value + i1, " \t");
547 if (val->value[i2] != '-') {
548 X509V3err(X509V3_F_V2I_ASIDENTIFIERS, X509V3_R_INVALID_ASNUMBER);
549 X509V3_conf_err(val);
550 goto err;
551 }
552 i2++;
553 i2 = i2 + strspn(val->value + i2, " \t");
554 i3 = i2 + strspn(val->value + i2, "0123456789");
555 if (val->value[i3] != '\0') {
556 X509V3err(X509V3_F_V2I_ASIDENTIFIERS, X509V3_R_INVALID_ASRANGE);
557 X509V3_conf_err(val);
558 goto err;
559 }
560 }
561
562 /*
563 * Syntax is ok, read and add it.
564 */
565 if (!is_range) {
566 if (!X509V3_get_value_int(val, &min)) {
567 X509V3err(X509V3_F_V2I_ASIDENTIFIERS, ERR_R_MALLOC_FAILURE);
568 goto err;
569 }
570 } else {
571 char *s = BUF_strdup(val->value);
572 if (s == NULL) {
573 X509V3err(X509V3_F_V2I_ASIDENTIFIERS, ERR_R_MALLOC_FAILURE);
574 goto err;
575 }
576 s[i1] = '\0';
577 min = s2i_ASN1_INTEGER(NULL, s);
578 max = s2i_ASN1_INTEGER(NULL, s + i2);
579 OPENSSL_free(s);
580 if (min == NULL || max == NULL) {
581 ASN1_INTEGER_free(min);
582 ASN1_INTEGER_free(max);
583 X509V3err(X509V3_F_V2I_ASIDENTIFIERS, ERR_R_MALLOC_FAILURE);
584 goto err;
585 }
586 }
587 if (!v3_asid_add_id_or_range(asid, which, min, max)) {
588 ASN1_INTEGER_free(min);
589 ASN1_INTEGER_free(max);
590 X509V3err(X509V3_F_V2I_ASIDENTIFIERS, ERR_R_MALLOC_FAILURE);
591 goto err;
592 }
593 }
594
595 /*
596 * Canonize the result, then we're done.
597 */
598 if (!v3_asid_canonize(asid))
599 goto err;
600 return asid;
601
602 err:
603 ASIdentifiers_free(asid);
604 return NULL;
605}
606
607/*
608 * OpenSSL dispatch.
609 */
610const X509V3_EXT_METHOD v3_asid = {
611 NID_sbgp_autonomousSysNum, /* nid */
612 0, /* flags */
613 ASN1_ITEM_ref(ASIdentifiers), /* template */
614 0, 0, 0, 0, /* old functions, ignored */
615 0, /* i2s */
616 0, /* s2i */
617 0, /* i2v */
618 v2i_ASIdentifiers, /* v2i */
619 i2r_ASIdentifiers, /* i2r */
620 0, /* r2i */
621 NULL /* extension-specific data */
622};
623
624/*
625 * Figure out whether extension uses inheritance.
626 */
627int v3_asid_inherits(ASIdentifiers *asid)
628{
629 return (asid != NULL &&
630 ((asid->asnum != NULL &&
631 asid->asnum->type == ASIdentifierChoice_inherit) ||
632 (asid->rdi != NULL &&
633 asid->rdi->type == ASIdentifierChoice_inherit)));
634}
635
636/*
637 * Figure out whether parent contains child.
638 */
639static int asid_contains(ASIdOrRanges *parent, ASIdOrRanges *child)
640{
641 ASN1_INTEGER *p_min, *p_max, *c_min, *c_max;
642 int p, c;
643
644 if (child == NULL || parent == child)
645 return 1;
646 if (parent == NULL)
647 return 0;
648
649 p = 0;
650 for (c = 0; c < sk_ASIdOrRange_num(child); c++) {
651 extract_min_max(sk_ASIdOrRange_value(child, c), &c_min, &c_max);
652 for (;; p++) {
653 if (p >= sk_ASIdOrRange_num(parent))
654 return 0;
655 extract_min_max(sk_ASIdOrRange_value(parent, p), &p_min, &p_max);
656 if (ASN1_INTEGER_cmp(p_max, c_max) < 0)
657 continue;
658 if (ASN1_INTEGER_cmp(p_min, c_min) > 0)
659 return 0;
660 break;
661 }
662 }
663
664 return 1;
665}
666
667/*
668 * Test whether a is a subet of b.
669 */
670int v3_asid_subset(ASIdentifiers *a, ASIdentifiers *b)
671{
672 return (a == NULL ||
673 a == b ||
674 (b != NULL &&
675 !v3_asid_inherits(a) &&
676 !v3_asid_inherits(b) &&
677 asid_contains(b->asnum->u.asIdsOrRanges,
678 a->asnum->u.asIdsOrRanges) &&
679 asid_contains(b->rdi->u.asIdsOrRanges,
680 a->rdi->u.asIdsOrRanges)));
681}
682
683/*
684 * Validation error handling via callback.
685 */
686#define validation_err(_err_) \
687 do { \
688 if (ctx != NULL) { \
689 ctx->error = _err_; \
690 ctx->error_depth = i; \
691 ctx->current_cert = x; \
692 ret = ctx->verify_cb(0, ctx); \
693 } else { \
694 ret = 0; \
695 } \
696 if (!ret) \
697 goto done; \
698 } while (0)
699
700/*
701 * Core code for RFC 3779 3.3 path validation.
702 */
703static int v3_asid_validate_path_internal(X509_STORE_CTX *ctx,
704 STACK_OF(X509) *chain,
705 ASIdentifiers *ext)
706{
707 ASIdOrRanges *child_as = NULL, *child_rdi = NULL;
708 int i, ret = 1, inherit_as = 0, inherit_rdi = 0;
709 X509 *x;
710
711 OPENSSL_assert(chain != NULL && sk_X509_num(chain) > 0);
712 OPENSSL_assert(ctx != NULL || ext != NULL);
713 OPENSSL_assert(ctx == NULL || ctx->verify_cb != NULL);
714
715 /*
716 * Figure out where to start. If we don't have an extension to
717 * check, we're done. Otherwise, check canonical form and
718 * set up for walking up the chain.
719 */
720 if (ext != NULL) {
721 i = -1;
722 x = NULL;
723 } else {
724 i = 0;
725 x = sk_X509_value(chain, i);
726 OPENSSL_assert(x != NULL);
727 if ((ext = x->rfc3779_asid) == NULL)
728 goto done;
729 }
730 if (!v3_asid_is_canonical(ext))
731 validation_err(X509_V_ERR_INVALID_EXTENSION);
732 if (ext->asnum != NULL) {
733 switch (ext->asnum->type) {
734 case ASIdentifierChoice_inherit:
735 inherit_as = 1;
736 break;
737 case ASIdentifierChoice_asIdsOrRanges:
738 child_as = ext->asnum->u.asIdsOrRanges;
739 break;
740 }
741 }
742 if (ext->rdi != NULL) {
743 switch (ext->rdi->type) {
744 case ASIdentifierChoice_inherit:
745 inherit_rdi = 1;
746 break;
747 case ASIdentifierChoice_asIdsOrRanges:
748 child_rdi = ext->rdi->u.asIdsOrRanges;
749 break;
750 }
751 }
752
753 /*
754 * Now walk up the chain. Extensions must be in canonical form, no
755 * cert may list resources that its parent doesn't list.
756 */
757 for (i++; i < sk_X509_num(chain); i++) {
758 x = sk_X509_value(chain, i);
759 OPENSSL_assert(x != NULL);
760 if (x->rfc3779_asid == NULL) {
761 if (child_as != NULL || child_rdi != NULL)
762 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
763 continue;
764 }
765 if (!v3_asid_is_canonical(x->rfc3779_asid))
766 validation_err(X509_V_ERR_INVALID_EXTENSION);
767 if (x->rfc3779_asid->asnum == NULL && child_as != NULL) {
768 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
769 child_as = NULL;
770 inherit_as = 0;
771 }
772 if (x->rfc3779_asid->asnum != NULL &&
773 x->rfc3779_asid->asnum->type == ASIdentifierChoice_asIdsOrRanges) {
774 if (inherit_as ||
775 asid_contains(x->rfc3779_asid->asnum->u.asIdsOrRanges, child_as)) {
776 child_as = x->rfc3779_asid->asnum->u.asIdsOrRanges;
777 inherit_as = 0;
778 } else {
779 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
780 }
781 }
782 if (x->rfc3779_asid->rdi == NULL && child_rdi != NULL) {
783 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
784 child_rdi = NULL;
785 inherit_rdi = 0;
786 }
787 if (x->rfc3779_asid->rdi != NULL &&
788 x->rfc3779_asid->rdi->type == ASIdentifierChoice_asIdsOrRanges) {
789 if (inherit_rdi ||
790 asid_contains(x->rfc3779_asid->rdi->u.asIdsOrRanges, child_rdi)) {
791 child_rdi = x->rfc3779_asid->rdi->u.asIdsOrRanges;
792 inherit_rdi = 0;
793 } else {
794 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
795 }
796 }
797 }
798
799 /*
800 * Trust anchor can't inherit.
801 */
802 OPENSSL_assert(x != NULL);
803 if (x->rfc3779_asid != NULL) {
804 if (x->rfc3779_asid->asnum != NULL &&
805 x->rfc3779_asid->asnum->type == ASIdentifierChoice_inherit)
806 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
807 if (x->rfc3779_asid->rdi != NULL &&
808 x->rfc3779_asid->rdi->type == ASIdentifierChoice_inherit)
809 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
810 }
811
812 done:
813 return ret;
814}
815
816#undef validation_err
817
818/*
819 * RFC 3779 3.3 path validation -- called from X509_verify_cert().
820 */
821int v3_asid_validate_path(X509_STORE_CTX *ctx)
822{
823 return v3_asid_validate_path_internal(ctx, ctx->chain, NULL);
824}
825
826/*
827 * RFC 3779 3.3 path validation of an extension.
828 * Test whether chain covers extension.
829 */
830int v3_asid_validate_resource_set(STACK_OF(X509) *chain,
831 ASIdentifiers *ext,
832 int allow_inheritance)
833{
834 if (ext == NULL)
835 return 1;
836 if (chain == NULL || sk_X509_num(chain) == 0)
837 return 0;
838 if (!allow_inheritance && v3_asid_inherits(ext))
839 return 0;
840 return v3_asid_validate_path_internal(NULL, chain, ext);
841}
842
843#endif /* OPENSSL_NO_RFC3779 */
diff --git a/src/lib/libcrypto/x509v3/v3_bcons.c b/src/lib/libcrypto/x509v3/v3_bcons.c
new file mode 100644
index 0000000000..82aa488f75
--- /dev/null
+++ b/src/lib/libcrypto/x509v3/v3_bcons.c
@@ -0,0 +1,124 @@
1/* v3_bcons.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59
60#include <stdio.h>
61#include "cryptlib.h"
62#include <openssl/asn1.h>
63#include <openssl/asn1t.h>
64#include <openssl/conf.h>
65#include <openssl/x509v3.h>
66
67static STACK_OF(CONF_VALUE) *i2v_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method, BASIC_CONSTRAINTS *bcons, STACK_OF(CONF_VALUE) *extlist);
68static BASIC_CONSTRAINTS *v2i_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values);
69
70const X509V3_EXT_METHOD v3_bcons = {
71NID_basic_constraints, 0,
72ASN1_ITEM_ref(BASIC_CONSTRAINTS),
730,0,0,0,
740,0,
75(X509V3_EXT_I2V)i2v_BASIC_CONSTRAINTS,
76(X509V3_EXT_V2I)v2i_BASIC_CONSTRAINTS,
77NULL,NULL,
78NULL
79};
80
81ASN1_SEQUENCE(BASIC_CONSTRAINTS) = {
82 ASN1_OPT(BASIC_CONSTRAINTS, ca, ASN1_FBOOLEAN),
83 ASN1_OPT(BASIC_CONSTRAINTS, pathlen, ASN1_INTEGER)
84} ASN1_SEQUENCE_END(BASIC_CONSTRAINTS)
85
86IMPLEMENT_ASN1_FUNCTIONS(BASIC_CONSTRAINTS)
87
88
89static STACK_OF(CONF_VALUE) *i2v_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method,
90 BASIC_CONSTRAINTS *bcons, STACK_OF(CONF_VALUE) *extlist)
91{
92 X509V3_add_value_bool("CA", bcons->ca, &extlist);
93 X509V3_add_value_int("pathlen", bcons->pathlen, &extlist);
94 return extlist;
95}
96
97static BASIC_CONSTRAINTS *v2i_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method,
98 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values)
99{
100 BASIC_CONSTRAINTS *bcons=NULL;
101 CONF_VALUE *val;
102 int i;
103 if(!(bcons = BASIC_CONSTRAINTS_new())) {
104 X509V3err(X509V3_F_V2I_BASIC_CONSTRAINTS, ERR_R_MALLOC_FAILURE);
105 return NULL;
106 }
107 for(i = 0; i < sk_CONF_VALUE_num(values); i++) {
108 val = sk_CONF_VALUE_value(values, i);
109 if(!strcmp(val->name, "CA")) {
110 if(!X509V3_get_value_bool(val, &bcons->ca)) goto err;
111 } else if(!strcmp(val->name, "pathlen")) {
112 if(!X509V3_get_value_int(val, &bcons->pathlen)) goto err;
113 } else {
114 X509V3err(X509V3_F_V2I_BASIC_CONSTRAINTS, X509V3_R_INVALID_NAME);
115 X509V3_conf_err(val);
116 goto err;
117 }
118 }
119 return bcons;
120 err:
121 BASIC_CONSTRAINTS_free(bcons);
122 return NULL;
123}
124
diff --git a/src/lib/libcrypto/x509v3/v3_bitst.c b/src/lib/libcrypto/x509v3/v3_bitst.c
new file mode 100644
index 0000000000..058d0d4dce
--- /dev/null
+++ b/src/lib/libcrypto/x509v3/v3_bitst.c
@@ -0,0 +1,141 @@
1/* v3_bitst.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/conf.h>
62#include <openssl/x509v3.h>
63
64static BIT_STRING_BITNAME ns_cert_type_table[] = {
65{0, "SSL Client", "client"},
66{1, "SSL Server", "server"},
67{2, "S/MIME", "email"},
68{3, "Object Signing", "objsign"},
69{4, "Unused", "reserved"},
70{5, "SSL CA", "sslCA"},
71{6, "S/MIME CA", "emailCA"},
72{7, "Object Signing CA", "objCA"},
73{-1, NULL, NULL}
74};
75
76static BIT_STRING_BITNAME key_usage_type_table[] = {
77{0, "Digital Signature", "digitalSignature"},
78{1, "Non Repudiation", "nonRepudiation"},
79{2, "Key Encipherment", "keyEncipherment"},
80{3, "Data Encipherment", "dataEncipherment"},
81{4, "Key Agreement", "keyAgreement"},
82{5, "Certificate Sign", "keyCertSign"},
83{6, "CRL Sign", "cRLSign"},
84{7, "Encipher Only", "encipherOnly"},
85{8, "Decipher Only", "decipherOnly"},
86{-1, NULL, NULL}
87};
88
89
90
91const X509V3_EXT_METHOD v3_nscert = EXT_BITSTRING(NID_netscape_cert_type, ns_cert_type_table);
92const X509V3_EXT_METHOD v3_key_usage = EXT_BITSTRING(NID_key_usage, key_usage_type_table);
93
94STACK_OF(CONF_VALUE) *i2v_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
95 ASN1_BIT_STRING *bits, STACK_OF(CONF_VALUE) *ret)
96{
97 BIT_STRING_BITNAME *bnam;
98 for(bnam =method->usr_data; bnam->lname; bnam++) {
99 if(ASN1_BIT_STRING_get_bit(bits, bnam->bitnum))
100 X509V3_add_value(bnam->lname, NULL, &ret);
101 }
102 return ret;
103}
104
105ASN1_BIT_STRING *v2i_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
106 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
107{
108 CONF_VALUE *val;
109 ASN1_BIT_STRING *bs;
110 int i;
111 BIT_STRING_BITNAME *bnam;
112 if(!(bs = M_ASN1_BIT_STRING_new())) {
113 X509V3err(X509V3_F_V2I_ASN1_BIT_STRING,ERR_R_MALLOC_FAILURE);
114 return NULL;
115 }
116 for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
117 val = sk_CONF_VALUE_value(nval, i);
118 for(bnam = method->usr_data; bnam->lname; bnam++) {
119 if(!strcmp(bnam->sname, val->name) ||
120 !strcmp(bnam->lname, val->name) ) {
121 if(!ASN1_BIT_STRING_set_bit(bs, bnam->bitnum, 1)) {
122 X509V3err(X509V3_F_V2I_ASN1_BIT_STRING,
123 ERR_R_MALLOC_FAILURE);
124 M_ASN1_BIT_STRING_free(bs);
125 return NULL;
126 }
127 break;
128 }
129 }
130 if(!bnam->lname) {
131 X509V3err(X509V3_F_V2I_ASN1_BIT_STRING,
132 X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT);
133 X509V3_conf_err(val);
134 M_ASN1_BIT_STRING_free(bs);
135 return NULL;
136 }
137 }
138 return bs;
139}
140
141
diff --git a/src/lib/libcrypto/x509v3/v3_conf.c b/src/lib/libcrypto/x509v3/v3_conf.c
new file mode 100644
index 0000000000..6730f9a6ee
--- /dev/null
+++ b/src/lib/libcrypto/x509v3/v3_conf.c
@@ -0,0 +1,525 @@
1/* v3_conf.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999-2002 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58/* extension creation utilities */
59
60
61
62#include <stdio.h>
63#include <ctype.h>
64#include "cryptlib.h"
65#include <openssl/conf.h>
66#include <openssl/x509.h>
67#include <openssl/x509v3.h>
68
69static int v3_check_critical(char **value);
70static int v3_check_generic(char **value);
71static X509_EXTENSION *do_ext_nconf(CONF *conf, X509V3_CTX *ctx, int ext_nid, int crit, char *value);
72static X509_EXTENSION *v3_generic_extension(const char *ext, char *value, int crit, int type, X509V3_CTX *ctx);
73static char *conf_lhash_get_string(void *db, char *section, char *value);
74static STACK_OF(CONF_VALUE) *conf_lhash_get_section(void *db, char *section);
75static X509_EXTENSION *do_ext_i2d(const X509V3_EXT_METHOD *method, int ext_nid,
76 int crit, void *ext_struc);
77static unsigned char *generic_asn1(char *value, X509V3_CTX *ctx, long *ext_len);
78/* CONF *conf: Config file */
79/* char *name: Name */
80/* char *value: Value */
81X509_EXTENSION *X509V3_EXT_nconf(CONF *conf, X509V3_CTX *ctx, char *name,
82 char *value)
83 {
84 int crit;
85 int ext_type;
86 X509_EXTENSION *ret;
87 crit = v3_check_critical(&value);
88 if ((ext_type = v3_check_generic(&value)))
89 return v3_generic_extension(name, value, crit, ext_type, ctx);
90 ret = do_ext_nconf(conf, ctx, OBJ_sn2nid(name), crit, value);
91 if (!ret)
92 {
93 X509V3err(X509V3_F_X509V3_EXT_NCONF,X509V3_R_ERROR_IN_EXTENSION);
94 ERR_add_error_data(4,"name=", name, ", value=", value);
95 }
96 return ret;
97 }
98
99/* CONF *conf: Config file */
100/* char *value: Value */
101X509_EXTENSION *X509V3_EXT_nconf_nid(CONF *conf, X509V3_CTX *ctx, int ext_nid,
102 char *value)
103 {
104 int crit;
105 int ext_type;
106 crit = v3_check_critical(&value);
107 if ((ext_type = v3_check_generic(&value)))
108 return v3_generic_extension(OBJ_nid2sn(ext_nid),
109 value, crit, ext_type, ctx);
110 return do_ext_nconf(conf, ctx, ext_nid, crit, value);
111 }
112
113/* CONF *conf: Config file */
114/* char *value: Value */
115static X509_EXTENSION *do_ext_nconf(CONF *conf, X509V3_CTX *ctx, int ext_nid,
116 int crit, char *value)
117 {
118 const X509V3_EXT_METHOD *method;
119 X509_EXTENSION *ext;
120 STACK_OF(CONF_VALUE) *nval;
121 void *ext_struc;
122 if (ext_nid == NID_undef)
123 {
124 X509V3err(X509V3_F_DO_EXT_NCONF,X509V3_R_UNKNOWN_EXTENSION_NAME);
125 return NULL;
126 }
127 if (!(method = X509V3_EXT_get_nid(ext_nid)))
128 {
129 X509V3err(X509V3_F_DO_EXT_NCONF,X509V3_R_UNKNOWN_EXTENSION);
130 return NULL;
131 }
132 /* Now get internal extension representation based on type */
133 if (method->v2i)
134 {
135 if(*value == '@') nval = NCONF_get_section(conf, value + 1);
136 else nval = X509V3_parse_list(value);
137 if(sk_CONF_VALUE_num(nval) <= 0)
138 {
139 X509V3err(X509V3_F_DO_EXT_NCONF,X509V3_R_INVALID_EXTENSION_STRING);
140 ERR_add_error_data(4, "name=", OBJ_nid2sn(ext_nid), ",section=", value);
141 return NULL;
142 }
143 ext_struc = method->v2i(method, ctx, nval);
144 if(*value != '@') sk_CONF_VALUE_pop_free(nval,
145 X509V3_conf_free);
146 if(!ext_struc) return NULL;
147 }
148 else if(method->s2i)
149 {
150 if(!(ext_struc = method->s2i(method, ctx, value))) return NULL;
151 }
152 else if(method->r2i)
153 {
154 if(!ctx->db || !ctx->db_meth)
155 {
156 X509V3err(X509V3_F_DO_EXT_NCONF,X509V3_R_NO_CONFIG_DATABASE);
157 return NULL;
158 }
159 if(!(ext_struc = method->r2i(method, ctx, value))) return NULL;
160 }
161 else
162 {
163 X509V3err(X509V3_F_DO_EXT_NCONF,X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED);
164 ERR_add_error_data(2, "name=", OBJ_nid2sn(ext_nid));
165 return NULL;
166 }
167
168 ext = do_ext_i2d(method, ext_nid, crit, ext_struc);
169 if(method->it) ASN1_item_free(ext_struc, ASN1_ITEM_ptr(method->it));
170 else method->ext_free(ext_struc);
171 return ext;
172
173 }
174
175static X509_EXTENSION *do_ext_i2d(const X509V3_EXT_METHOD *method, int ext_nid,
176 int crit, void *ext_struc)
177 {
178 unsigned char *ext_der;
179 int ext_len;
180 ASN1_OCTET_STRING *ext_oct;
181 X509_EXTENSION *ext;
182 /* Convert internal representation to DER */
183 if (method->it)
184 {
185 ext_der = NULL;
186 ext_len = ASN1_item_i2d(ext_struc, &ext_der, ASN1_ITEM_ptr(method->it));
187 if (ext_len < 0) goto merr;
188 }
189 else
190 {
191 unsigned char *p;
192 ext_len = method->i2d(ext_struc, NULL);
193 if(!(ext_der = OPENSSL_malloc(ext_len))) goto merr;
194 p = ext_der;
195 method->i2d(ext_struc, &p);
196 }
197 if (!(ext_oct = M_ASN1_OCTET_STRING_new())) goto merr;
198 ext_oct->data = ext_der;
199 ext_oct->length = ext_len;
200
201 ext = X509_EXTENSION_create_by_NID(NULL, ext_nid, crit, ext_oct);
202 if (!ext) goto merr;
203 M_ASN1_OCTET_STRING_free(ext_oct);
204
205 return ext;
206
207 merr:
208 X509V3err(X509V3_F_DO_EXT_I2D,ERR_R_MALLOC_FAILURE);
209 return NULL;
210
211 }
212
213/* Given an internal structure, nid and critical flag create an extension */
214
215X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, void *ext_struc)
216 {
217 const X509V3_EXT_METHOD *method;
218 if (!(method = X509V3_EXT_get_nid(ext_nid))) {
219 X509V3err(X509V3_F_X509V3_EXT_I2D,X509V3_R_UNKNOWN_EXTENSION);
220 return NULL;
221 }
222 return do_ext_i2d(method, ext_nid, crit, ext_struc);
223}
224
225/* Check the extension string for critical flag */
226static int v3_check_critical(char **value)
227{
228 char *p = *value;
229 if ((strlen(p) < 9) || strncmp(p, "critical,", 9)) return 0;
230 p+=9;
231 while(isspace((unsigned char)*p)) p++;
232 *value = p;
233 return 1;
234}
235
236/* Check extension string for generic extension and return the type */
237static int v3_check_generic(char **value)
238{
239 int gen_type = 0;
240 char *p = *value;
241 if ((strlen(p) >= 4) && !strncmp(p, "DER:", 4))
242 {
243 p+=4;
244 gen_type = 1;
245 }
246 else if ((strlen(p) >= 5) && !strncmp(p, "ASN1:", 5))
247 {
248 p+=5;
249 gen_type = 2;
250 }
251 else
252 return 0;
253
254 while (isspace((unsigned char)*p)) p++;
255 *value = p;
256 return gen_type;
257}
258
259/* Create a generic extension: for now just handle DER type */
260static X509_EXTENSION *v3_generic_extension(const char *ext, char *value,
261 int crit, int gen_type,
262 X509V3_CTX *ctx)
263 {
264 unsigned char *ext_der=NULL;
265 long ext_len;
266 ASN1_OBJECT *obj=NULL;
267 ASN1_OCTET_STRING *oct=NULL;
268 X509_EXTENSION *extension=NULL;
269 if (!(obj = OBJ_txt2obj(ext, 0)))
270 {
271 X509V3err(X509V3_F_V3_GENERIC_EXTENSION,X509V3_R_EXTENSION_NAME_ERROR);
272 ERR_add_error_data(2, "name=", ext);
273 goto err;
274 }
275
276 if (gen_type == 1)
277 ext_der = string_to_hex(value, &ext_len);
278 else if (gen_type == 2)
279 ext_der = generic_asn1(value, ctx, &ext_len);
280
281 if (ext_der == NULL)
282 {
283 X509V3err(X509V3_F_V3_GENERIC_EXTENSION,X509V3_R_EXTENSION_VALUE_ERROR);
284 ERR_add_error_data(2, "value=", value);
285 goto err;
286 }
287
288 if (!(oct = M_ASN1_OCTET_STRING_new()))
289 {
290 X509V3err(X509V3_F_V3_GENERIC_EXTENSION,ERR_R_MALLOC_FAILURE);
291 goto err;
292 }
293
294 oct->data = ext_der;
295 oct->length = ext_len;
296 ext_der = NULL;
297
298 extension = X509_EXTENSION_create_by_OBJ(NULL, obj, crit, oct);
299
300 err:
301 ASN1_OBJECT_free(obj);
302 M_ASN1_OCTET_STRING_free(oct);
303 if(ext_der) OPENSSL_free(ext_der);
304 return extension;
305
306 }
307
308static unsigned char *generic_asn1(char *value, X509V3_CTX *ctx, long *ext_len)
309 {
310 ASN1_TYPE *typ;
311 unsigned char *ext_der = NULL;
312 typ = ASN1_generate_v3(value, ctx);
313 if (typ == NULL)
314 return NULL;
315 *ext_len = i2d_ASN1_TYPE(typ, &ext_der);
316 ASN1_TYPE_free(typ);
317 return ext_der;
318 }
319
320/* This is the main function: add a bunch of extensions based on a config file
321 * section to an extension STACK.
322 */
323
324
325int X509V3_EXT_add_nconf_sk(CONF *conf, X509V3_CTX *ctx, char *section,
326 STACK_OF(X509_EXTENSION) **sk)
327 {
328 X509_EXTENSION *ext;
329 STACK_OF(CONF_VALUE) *nval;
330 CONF_VALUE *val;
331 int i;
332 if (!(nval = NCONF_get_section(conf, section))) return 0;
333 for (i = 0; i < sk_CONF_VALUE_num(nval); i++)
334 {
335 val = sk_CONF_VALUE_value(nval, i);
336 if (!(ext = X509V3_EXT_nconf(conf, ctx, val->name, val->value)))
337 return 0;
338 if (sk) X509v3_add_ext(sk, ext, -1);
339 X509_EXTENSION_free(ext);
340 }
341 return 1;
342 }
343
344/* Convenience functions to add extensions to a certificate, CRL and request */
345
346int X509V3_EXT_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section,
347 X509 *cert)
348 {
349 STACK_OF(X509_EXTENSION) **sk = NULL;
350 if (cert)
351 sk = &cert->cert_info->extensions;
352 return X509V3_EXT_add_nconf_sk(conf, ctx, section, sk);
353 }
354
355/* Same as above but for a CRL */
356
357int X509V3_EXT_CRL_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section,
358 X509_CRL *crl)
359 {
360 STACK_OF(X509_EXTENSION) **sk = NULL;
361 if (crl)
362 sk = &crl->crl->extensions;
363 return X509V3_EXT_add_nconf_sk(conf, ctx, section, sk);
364 }
365
366/* Add extensions to certificate request */
367
368int X509V3_EXT_REQ_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section,
369 X509_REQ *req)
370 {
371 STACK_OF(X509_EXTENSION) *extlist = NULL, **sk = NULL;
372 int i;
373 if (req)
374 sk = &extlist;
375 i = X509V3_EXT_add_nconf_sk(conf, ctx, section, sk);
376 if (!i || !sk)
377 return i;
378 i = X509_REQ_add_extensions(req, extlist);
379 sk_X509_EXTENSION_pop_free(extlist, X509_EXTENSION_free);
380 return i;
381 }
382
383/* Config database functions */
384
385char * X509V3_get_string(X509V3_CTX *ctx, char *name, char *section)
386 {
387 if(!ctx->db || !ctx->db_meth || !ctx->db_meth->get_string)
388 {
389 X509V3err(X509V3_F_X509V3_GET_STRING,X509V3_R_OPERATION_NOT_DEFINED);
390 return NULL;
391 }
392 if (ctx->db_meth->get_string)
393 return ctx->db_meth->get_string(ctx->db, name, section);
394 return NULL;
395 }
396
397STACK_OF(CONF_VALUE) * X509V3_get_section(X509V3_CTX *ctx, char *section)
398 {
399 if(!ctx->db || !ctx->db_meth || !ctx->db_meth->get_section)
400 {
401 X509V3err(X509V3_F_X509V3_GET_SECTION,X509V3_R_OPERATION_NOT_DEFINED);
402 return NULL;
403 }
404 if (ctx->db_meth->get_section)
405 return ctx->db_meth->get_section(ctx->db, section);
406 return NULL;
407 }
408
409void X509V3_string_free(X509V3_CTX *ctx, char *str)
410 {
411 if (!str) return;
412 if (ctx->db_meth->free_string)
413 ctx->db_meth->free_string(ctx->db, str);
414 }
415
416void X509V3_section_free(X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *section)
417 {
418 if (!section) return;
419 if (ctx->db_meth->free_section)
420 ctx->db_meth->free_section(ctx->db, section);
421 }
422
423static char *nconf_get_string(void *db, char *section, char *value)
424 {
425 return NCONF_get_string(db, section, value);
426 }
427
428static STACK_OF(CONF_VALUE) *nconf_get_section(void *db, char *section)
429 {
430 return NCONF_get_section(db, section);
431 }
432
433static X509V3_CONF_METHOD nconf_method = {
434nconf_get_string,
435nconf_get_section,
436NULL,
437NULL
438};
439
440void X509V3_set_nconf(X509V3_CTX *ctx, CONF *conf)
441 {
442 ctx->db_meth = &nconf_method;
443 ctx->db = conf;
444 }
445
446void X509V3_set_ctx(X509V3_CTX *ctx, X509 *issuer, X509 *subj, X509_REQ *req,
447 X509_CRL *crl, int flags)
448 {
449 ctx->issuer_cert = issuer;
450 ctx->subject_cert = subj;
451 ctx->crl = crl;
452 ctx->subject_req = req;
453 ctx->flags = flags;
454 }
455
456/* Old conf compatibility functions */
457
458X509_EXTENSION *X509V3_EXT_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
459 char *name, char *value)
460 {
461 CONF ctmp;
462 CONF_set_nconf(&ctmp, conf);
463 return X509V3_EXT_nconf(&ctmp, ctx, name, value);
464 }
465
466/* LHASH *conf: Config file */
467/* char *value: Value */
468X509_EXTENSION *X509V3_EXT_conf_nid(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
469 int ext_nid, char *value)
470 {
471 CONF ctmp;
472 CONF_set_nconf(&ctmp, conf);
473 return X509V3_EXT_nconf_nid(&ctmp, ctx, ext_nid, value);
474 }
475
476static char *conf_lhash_get_string(void *db, char *section, char *value)
477 {
478 return CONF_get_string(db, section, value);
479 }
480
481static STACK_OF(CONF_VALUE) *conf_lhash_get_section(void *db, char *section)
482 {
483 return CONF_get_section(db, section);
484 }
485
486static X509V3_CONF_METHOD conf_lhash_method = {
487conf_lhash_get_string,
488conf_lhash_get_section,
489NULL,
490NULL
491};
492
493void X509V3_set_conf_lhash(X509V3_CTX *ctx, LHASH_OF(CONF_VALUE) *lhash)
494 {
495 ctx->db_meth = &conf_lhash_method;
496 ctx->db = lhash;
497 }
498
499int X509V3_EXT_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
500 char *section, X509 *cert)
501 {
502 CONF ctmp;
503 CONF_set_nconf(&ctmp, conf);
504 return X509V3_EXT_add_nconf(&ctmp, ctx, section, cert);
505 }
506
507/* Same as above but for a CRL */
508
509int X509V3_EXT_CRL_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
510 char *section, X509_CRL *crl)
511 {
512 CONF ctmp;
513 CONF_set_nconf(&ctmp, conf);
514 return X509V3_EXT_CRL_add_nconf(&ctmp, ctx, section, crl);
515 }
516
517/* Add extensions to certificate request */
518
519int X509V3_EXT_REQ_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
520 char *section, X509_REQ *req)
521 {
522 CONF ctmp;
523 CONF_set_nconf(&ctmp, conf);
524 return X509V3_EXT_REQ_add_nconf(&ctmp, ctx, section, req);
525 }
diff --git a/src/lib/libcrypto/x509v3/v3_cpols.c b/src/lib/libcrypto/x509v3/v3_cpols.c
new file mode 100644
index 0000000000..1f0798b946
--- /dev/null
+++ b/src/lib/libcrypto/x509v3/v3_cpols.c
@@ -0,0 +1,457 @@
1/* v3_cpols.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/conf.h>
62#include <openssl/asn1.h>
63#include <openssl/asn1t.h>
64#include <openssl/x509v3.h>
65
66#include "pcy_int.h"
67
68/* Certificate policies extension support: this one is a bit complex... */
69
70static int i2r_certpol(X509V3_EXT_METHOD *method, STACK_OF(POLICYINFO) *pol, BIO *out, int indent);
71static STACK_OF(POLICYINFO) *r2i_certpol(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *value);
72static void print_qualifiers(BIO *out, STACK_OF(POLICYQUALINFO) *quals, int indent);
73static void print_notice(BIO *out, USERNOTICE *notice, int indent);
74static POLICYINFO *policy_section(X509V3_CTX *ctx,
75 STACK_OF(CONF_VALUE) *polstrs, int ia5org);
76static POLICYQUALINFO *notice_section(X509V3_CTX *ctx,
77 STACK_OF(CONF_VALUE) *unot, int ia5org);
78static int nref_nos(STACK_OF(ASN1_INTEGER) *nnums, STACK_OF(CONF_VALUE) *nos);
79
80const X509V3_EXT_METHOD v3_cpols = {
81NID_certificate_policies, 0,ASN1_ITEM_ref(CERTIFICATEPOLICIES),
820,0,0,0,
830,0,
840,0,
85(X509V3_EXT_I2R)i2r_certpol,
86(X509V3_EXT_R2I)r2i_certpol,
87NULL
88};
89
90ASN1_ITEM_TEMPLATE(CERTIFICATEPOLICIES) =
91 ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, CERTIFICATEPOLICIES, POLICYINFO)
92ASN1_ITEM_TEMPLATE_END(CERTIFICATEPOLICIES)
93
94IMPLEMENT_ASN1_FUNCTIONS(CERTIFICATEPOLICIES)
95
96ASN1_SEQUENCE(POLICYINFO) = {
97 ASN1_SIMPLE(POLICYINFO, policyid, ASN1_OBJECT),
98 ASN1_SEQUENCE_OF_OPT(POLICYINFO, qualifiers, POLICYQUALINFO)
99} ASN1_SEQUENCE_END(POLICYINFO)
100
101IMPLEMENT_ASN1_FUNCTIONS(POLICYINFO)
102
103ASN1_ADB_TEMPLATE(policydefault) = ASN1_SIMPLE(POLICYQUALINFO, d.other, ASN1_ANY);
104
105ASN1_ADB(POLICYQUALINFO) = {
106 ADB_ENTRY(NID_id_qt_cps, ASN1_SIMPLE(POLICYQUALINFO, d.cpsuri, ASN1_IA5STRING)),
107 ADB_ENTRY(NID_id_qt_unotice, ASN1_SIMPLE(POLICYQUALINFO, d.usernotice, USERNOTICE))
108} ASN1_ADB_END(POLICYQUALINFO, 0, pqualid, 0, &policydefault_tt, NULL);
109
110ASN1_SEQUENCE(POLICYQUALINFO) = {
111 ASN1_SIMPLE(POLICYQUALINFO, pqualid, ASN1_OBJECT),
112 ASN1_ADB_OBJECT(POLICYQUALINFO)
113} ASN1_SEQUENCE_END(POLICYQUALINFO)
114
115IMPLEMENT_ASN1_FUNCTIONS(POLICYQUALINFO)
116
117ASN1_SEQUENCE(USERNOTICE) = {
118 ASN1_OPT(USERNOTICE, noticeref, NOTICEREF),
119 ASN1_OPT(USERNOTICE, exptext, DISPLAYTEXT)
120} ASN1_SEQUENCE_END(USERNOTICE)
121
122IMPLEMENT_ASN1_FUNCTIONS(USERNOTICE)
123
124ASN1_SEQUENCE(NOTICEREF) = {
125 ASN1_SIMPLE(NOTICEREF, organization, DISPLAYTEXT),
126 ASN1_SEQUENCE_OF(NOTICEREF, noticenos, ASN1_INTEGER)
127} ASN1_SEQUENCE_END(NOTICEREF)
128
129IMPLEMENT_ASN1_FUNCTIONS(NOTICEREF)
130
131static STACK_OF(POLICYINFO) *r2i_certpol(X509V3_EXT_METHOD *method,
132 X509V3_CTX *ctx, char *value)
133{
134 STACK_OF(POLICYINFO) *pols = NULL;
135 char *pstr;
136 POLICYINFO *pol;
137 ASN1_OBJECT *pobj;
138 STACK_OF(CONF_VALUE) *vals;
139 CONF_VALUE *cnf;
140 int i, ia5org;
141 pols = sk_POLICYINFO_new_null();
142 if (pols == NULL) {
143 X509V3err(X509V3_F_R2I_CERTPOL, ERR_R_MALLOC_FAILURE);
144 return NULL;
145 }
146 vals = X509V3_parse_list(value);
147 if (vals == NULL) {
148 X509V3err(X509V3_F_R2I_CERTPOL, ERR_R_X509V3_LIB);
149 goto err;
150 }
151 ia5org = 0;
152 for(i = 0; i < sk_CONF_VALUE_num(vals); i++) {
153 cnf = sk_CONF_VALUE_value(vals, i);
154 if(cnf->value || !cnf->name ) {
155 X509V3err(X509V3_F_R2I_CERTPOL,X509V3_R_INVALID_POLICY_IDENTIFIER);
156 X509V3_conf_err(cnf);
157 goto err;
158 }
159 pstr = cnf->name;
160 if(!strcmp(pstr,"ia5org")) {
161 ia5org = 1;
162 continue;
163 } else if(*pstr == '@') {
164 STACK_OF(CONF_VALUE) *polsect;
165 polsect = X509V3_get_section(ctx, pstr + 1);
166 if(!polsect) {
167 X509V3err(X509V3_F_R2I_CERTPOL,X509V3_R_INVALID_SECTION);
168
169 X509V3_conf_err(cnf);
170 goto err;
171 }
172 pol = policy_section(ctx, polsect, ia5org);
173 X509V3_section_free(ctx, polsect);
174 if(!pol) goto err;
175 } else {
176 if(!(pobj = OBJ_txt2obj(cnf->name, 0))) {
177 X509V3err(X509V3_F_R2I_CERTPOL,X509V3_R_INVALID_OBJECT_IDENTIFIER);
178 X509V3_conf_err(cnf);
179 goto err;
180 }
181 pol = POLICYINFO_new();
182 pol->policyid = pobj;
183 }
184 if (!sk_POLICYINFO_push(pols, pol)){
185 POLICYINFO_free(pol);
186 X509V3err(X509V3_F_R2I_CERTPOL, ERR_R_MALLOC_FAILURE);
187 goto err;
188 }
189 }
190 sk_CONF_VALUE_pop_free(vals, X509V3_conf_free);
191 return pols;
192 err:
193 sk_CONF_VALUE_pop_free(vals, X509V3_conf_free);
194 sk_POLICYINFO_pop_free(pols, POLICYINFO_free);
195 return NULL;
196}
197
198static POLICYINFO *policy_section(X509V3_CTX *ctx,
199 STACK_OF(CONF_VALUE) *polstrs, int ia5org)
200{
201 int i;
202 CONF_VALUE *cnf;
203 POLICYINFO *pol;
204 POLICYQUALINFO *qual;
205 if(!(pol = POLICYINFO_new())) goto merr;
206 for(i = 0; i < sk_CONF_VALUE_num(polstrs); i++) {
207 cnf = sk_CONF_VALUE_value(polstrs, i);
208 if(!strcmp(cnf->name, "policyIdentifier")) {
209 ASN1_OBJECT *pobj;
210 if(!(pobj = OBJ_txt2obj(cnf->value, 0))) {
211 X509V3err(X509V3_F_POLICY_SECTION,X509V3_R_INVALID_OBJECT_IDENTIFIER);
212 X509V3_conf_err(cnf);
213 goto err;
214 }
215 pol->policyid = pobj;
216
217 } else if(!name_cmp(cnf->name, "CPS")) {
218 if(!pol->qualifiers) pol->qualifiers =
219 sk_POLICYQUALINFO_new_null();
220 if(!(qual = POLICYQUALINFO_new())) goto merr;
221 if(!sk_POLICYQUALINFO_push(pol->qualifiers, qual))
222 goto merr;
223 qual->pqualid = OBJ_nid2obj(NID_id_qt_cps);
224 qual->d.cpsuri = M_ASN1_IA5STRING_new();
225 if(!ASN1_STRING_set(qual->d.cpsuri, cnf->value,
226 strlen(cnf->value))) goto merr;
227 } else if(!name_cmp(cnf->name, "userNotice")) {
228 STACK_OF(CONF_VALUE) *unot;
229 if(*cnf->value != '@') {
230 X509V3err(X509V3_F_POLICY_SECTION,X509V3_R_EXPECTED_A_SECTION_NAME);
231 X509V3_conf_err(cnf);
232 goto err;
233 }
234 unot = X509V3_get_section(ctx, cnf->value + 1);
235 if(!unot) {
236 X509V3err(X509V3_F_POLICY_SECTION,X509V3_R_INVALID_SECTION);
237
238 X509V3_conf_err(cnf);
239 goto err;
240 }
241 qual = notice_section(ctx, unot, ia5org);
242 X509V3_section_free(ctx, unot);
243 if(!qual) goto err;
244 if(!pol->qualifiers) pol->qualifiers =
245 sk_POLICYQUALINFO_new_null();
246 if(!sk_POLICYQUALINFO_push(pol->qualifiers, qual))
247 goto merr;
248 } else {
249 X509V3err(X509V3_F_POLICY_SECTION,X509V3_R_INVALID_OPTION);
250
251 X509V3_conf_err(cnf);
252 goto err;
253 }
254 }
255 if(!pol->policyid) {
256 X509V3err(X509V3_F_POLICY_SECTION,X509V3_R_NO_POLICY_IDENTIFIER);
257 goto err;
258 }
259
260 return pol;
261
262 merr:
263 X509V3err(X509V3_F_POLICY_SECTION,ERR_R_MALLOC_FAILURE);
264
265 err:
266 POLICYINFO_free(pol);
267 return NULL;
268
269
270}
271
272static POLICYQUALINFO *notice_section(X509V3_CTX *ctx,
273 STACK_OF(CONF_VALUE) *unot, int ia5org)
274{
275 int i, ret;
276 CONF_VALUE *cnf;
277 USERNOTICE *not;
278 POLICYQUALINFO *qual;
279 if(!(qual = POLICYQUALINFO_new())) goto merr;
280 qual->pqualid = OBJ_nid2obj(NID_id_qt_unotice);
281 if(!(not = USERNOTICE_new())) goto merr;
282 qual->d.usernotice = not;
283 for(i = 0; i < sk_CONF_VALUE_num(unot); i++) {
284 cnf = sk_CONF_VALUE_value(unot, i);
285 if(!strcmp(cnf->name, "explicitText")) {
286 not->exptext = M_ASN1_VISIBLESTRING_new();
287 if(!ASN1_STRING_set(not->exptext, cnf->value,
288 strlen(cnf->value))) goto merr;
289 } else if(!strcmp(cnf->name, "organization")) {
290 NOTICEREF *nref;
291 if(!not->noticeref) {
292 if(!(nref = NOTICEREF_new())) goto merr;
293 not->noticeref = nref;
294 } else nref = not->noticeref;
295 if(ia5org) nref->organization->type = V_ASN1_IA5STRING;
296 else nref->organization->type = V_ASN1_VISIBLESTRING;
297 if(!ASN1_STRING_set(nref->organization, cnf->value,
298 strlen(cnf->value))) goto merr;
299 } else if(!strcmp(cnf->name, "noticeNumbers")) {
300 NOTICEREF *nref;
301 STACK_OF(CONF_VALUE) *nos;
302 if(!not->noticeref) {
303 if(!(nref = NOTICEREF_new())) goto merr;
304 not->noticeref = nref;
305 } else nref = not->noticeref;
306 nos = X509V3_parse_list(cnf->value);
307 if(!nos || !sk_CONF_VALUE_num(nos)) {
308 X509V3err(X509V3_F_NOTICE_SECTION,X509V3_R_INVALID_NUMBERS);
309 X509V3_conf_err(cnf);
310 goto err;
311 }
312 ret = nref_nos(nref->noticenos, nos);
313 sk_CONF_VALUE_pop_free(nos, X509V3_conf_free);
314 if (!ret)
315 goto err;
316 } else {
317 X509V3err(X509V3_F_NOTICE_SECTION,X509V3_R_INVALID_OPTION);
318 X509V3_conf_err(cnf);
319 goto err;
320 }
321 }
322
323 if(not->noticeref &&
324 (!not->noticeref->noticenos || !not->noticeref->organization)) {
325 X509V3err(X509V3_F_NOTICE_SECTION,X509V3_R_NEED_ORGANIZATION_AND_NUMBERS);
326 goto err;
327 }
328
329 return qual;
330
331 merr:
332 X509V3err(X509V3_F_NOTICE_SECTION,ERR_R_MALLOC_FAILURE);
333
334 err:
335 POLICYQUALINFO_free(qual);
336 return NULL;
337}
338
339static int nref_nos(STACK_OF(ASN1_INTEGER) *nnums, STACK_OF(CONF_VALUE) *nos)
340{
341 CONF_VALUE *cnf;
342 ASN1_INTEGER *aint;
343
344 int i;
345
346 for(i = 0; i < sk_CONF_VALUE_num(nos); i++) {
347 cnf = sk_CONF_VALUE_value(nos, i);
348 if(!(aint = s2i_ASN1_INTEGER(NULL, cnf->name))) {
349 X509V3err(X509V3_F_NREF_NOS,X509V3_R_INVALID_NUMBER);
350 goto err;
351 }
352 if(!sk_ASN1_INTEGER_push(nnums, aint)) goto merr;
353 }
354 return 1;
355
356 merr:
357 X509V3err(X509V3_F_NREF_NOS,ERR_R_MALLOC_FAILURE);
358
359 err:
360 sk_ASN1_INTEGER_pop_free(nnums, ASN1_STRING_free);
361 return 0;
362}
363
364
365static int i2r_certpol(X509V3_EXT_METHOD *method, STACK_OF(POLICYINFO) *pol,
366 BIO *out, int indent)
367{
368 int i;
369 POLICYINFO *pinfo;
370 /* First print out the policy OIDs */
371 for(i = 0; i < sk_POLICYINFO_num(pol); i++) {
372 pinfo = sk_POLICYINFO_value(pol, i);
373 BIO_printf(out, "%*sPolicy: ", indent, "");
374 i2a_ASN1_OBJECT(out, pinfo->policyid);
375 BIO_puts(out, "\n");
376 if(pinfo->qualifiers)
377 print_qualifiers(out, pinfo->qualifiers, indent + 2);
378 }
379 return 1;
380}
381
382static void print_qualifiers(BIO *out, STACK_OF(POLICYQUALINFO) *quals,
383 int indent)
384{
385 POLICYQUALINFO *qualinfo;
386 int i;
387 for(i = 0; i < sk_POLICYQUALINFO_num(quals); i++) {
388 qualinfo = sk_POLICYQUALINFO_value(quals, i);
389 switch(OBJ_obj2nid(qualinfo->pqualid))
390 {
391 case NID_id_qt_cps:
392 BIO_printf(out, "%*sCPS: %s\n", indent, "",
393 qualinfo->d.cpsuri->data);
394 break;
395
396 case NID_id_qt_unotice:
397 BIO_printf(out, "%*sUser Notice:\n", indent, "");
398 print_notice(out, qualinfo->d.usernotice, indent + 2);
399 break;
400
401 default:
402 BIO_printf(out, "%*sUnknown Qualifier: ",
403 indent + 2, "");
404
405 i2a_ASN1_OBJECT(out, qualinfo->pqualid);
406 BIO_puts(out, "\n");
407 break;
408 }
409 }
410}
411
412static void print_notice(BIO *out, USERNOTICE *notice, int indent)
413{
414 int i;
415 if(notice->noticeref) {
416 NOTICEREF *ref;
417 ref = notice->noticeref;
418 BIO_printf(out, "%*sOrganization: %s\n", indent, "",
419 ref->organization->data);
420 BIO_printf(out, "%*sNumber%s: ", indent, "",
421 sk_ASN1_INTEGER_num(ref->noticenos) > 1 ? "s" : "");
422 for(i = 0; i < sk_ASN1_INTEGER_num(ref->noticenos); i++) {
423 ASN1_INTEGER *num;
424 char *tmp;
425 num = sk_ASN1_INTEGER_value(ref->noticenos, i);
426 if(i) BIO_puts(out, ", ");
427 tmp = i2s_ASN1_INTEGER(NULL, num);
428 BIO_puts(out, tmp);
429 OPENSSL_free(tmp);
430 }
431 BIO_puts(out, "\n");
432 }
433 if(notice->exptext)
434 BIO_printf(out, "%*sExplicit Text: %s\n", indent, "",
435 notice->exptext->data);
436}
437
438void X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent)
439 {
440 const X509_POLICY_DATA *dat = node->data;
441
442 BIO_printf(out, "%*sPolicy: ", indent, "");
443
444 i2a_ASN1_OBJECT(out, dat->valid_policy);
445 BIO_puts(out, "\n");
446 BIO_printf(out, "%*s%s\n", indent + 2, "",
447 node_data_critical(dat) ? "Critical" : "Non Critical");
448 if (dat->qualifier_set)
449 print_qualifiers(out, dat->qualifier_set, indent + 2);
450 else
451 BIO_printf(out, "%*sNo Qualifiers\n", indent + 2, "");
452 }
453
454
455IMPLEMENT_STACK_OF(X509_POLICY_NODE)
456IMPLEMENT_STACK_OF(X509_POLICY_DATA)
457
diff --git a/src/lib/libcrypto/x509v3/v3_crld.c b/src/lib/libcrypto/x509v3/v3_crld.c
new file mode 100644
index 0000000000..790a6dd032
--- /dev/null
+++ b/src/lib/libcrypto/x509v3/v3_crld.c
@@ -0,0 +1,616 @@
1/* v3_crld.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999-2008 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/conf.h>
62#include <openssl/asn1.h>
63#include <openssl/asn1t.h>
64#include <openssl/x509v3.h>
65
66static void *v2i_crld(const X509V3_EXT_METHOD *method,
67 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
68static int i2r_crldp(const X509V3_EXT_METHOD *method, void *pcrldp, BIO *out,
69 int indent);
70
71const X509V3_EXT_METHOD v3_crld =
72 {
73 NID_crl_distribution_points, 0, ASN1_ITEM_ref(CRL_DIST_POINTS),
74 0,0,0,0,
75 0,0,
76 0,
77 v2i_crld,
78 i2r_crldp,0,
79 NULL
80 };
81
82const X509V3_EXT_METHOD v3_freshest_crl =
83 {
84 NID_freshest_crl, 0, ASN1_ITEM_ref(CRL_DIST_POINTS),
85 0,0,0,0,
86 0,0,
87 0,
88 v2i_crld,
89 i2r_crldp,0,
90 NULL
91 };
92
93static STACK_OF(GENERAL_NAME) *gnames_from_sectname(X509V3_CTX *ctx, char *sect)
94 {
95 STACK_OF(CONF_VALUE) *gnsect;
96 STACK_OF(GENERAL_NAME) *gens;
97 if (*sect == '@')
98 gnsect = X509V3_get_section(ctx, sect + 1);
99 else
100 gnsect = X509V3_parse_list(sect);
101 if (!gnsect)
102 {
103 X509V3err(X509V3_F_GNAMES_FROM_SECTNAME,
104 X509V3_R_SECTION_NOT_FOUND);
105 return NULL;
106 }
107 gens = v2i_GENERAL_NAMES(NULL, ctx, gnsect);
108 if (*sect == '@')
109 X509V3_section_free(ctx, gnsect);
110 else
111 sk_CONF_VALUE_pop_free(gnsect, X509V3_conf_free);
112 return gens;
113 }
114
115static int set_dist_point_name(DIST_POINT_NAME **pdp, X509V3_CTX *ctx,
116 CONF_VALUE *cnf)
117 {
118 STACK_OF(GENERAL_NAME) *fnm = NULL;
119 STACK_OF(X509_NAME_ENTRY) *rnm = NULL;
120 if (!strncmp(cnf->name, "fullname", 9))
121 {
122 fnm = gnames_from_sectname(ctx, cnf->value);
123 if (!fnm)
124 goto err;
125 }
126 else if (!strcmp(cnf->name, "relativename"))
127 {
128 int ret;
129 STACK_OF(CONF_VALUE) *dnsect;
130 X509_NAME *nm;
131 nm = X509_NAME_new();
132 if (!nm)
133 return -1;
134 dnsect = X509V3_get_section(ctx, cnf->value);
135 if (!dnsect)
136 {
137 X509V3err(X509V3_F_SET_DIST_POINT_NAME,
138 X509V3_R_SECTION_NOT_FOUND);
139 return -1;
140 }
141 ret = X509V3_NAME_from_section(nm, dnsect, MBSTRING_ASC);
142 X509V3_section_free(ctx, dnsect);
143 rnm = nm->entries;
144 nm->entries = NULL;
145 X509_NAME_free(nm);
146 if (!ret || sk_X509_NAME_ENTRY_num(rnm) <= 0)
147 goto err;
148 /* Since its a name fragment can't have more than one
149 * RDNSequence
150 */
151 if (sk_X509_NAME_ENTRY_value(rnm,
152 sk_X509_NAME_ENTRY_num(rnm) - 1)->set)
153 {
154 X509V3err(X509V3_F_SET_DIST_POINT_NAME,
155 X509V3_R_INVALID_MULTIPLE_RDNS);
156 goto err;
157 }
158 }
159 else
160 return 0;
161
162 if (*pdp)
163 {
164 X509V3err(X509V3_F_SET_DIST_POINT_NAME,
165 X509V3_R_DISTPOINT_ALREADY_SET);
166 goto err;
167 }
168
169 *pdp = DIST_POINT_NAME_new();
170 if (!*pdp)
171 goto err;
172 if (fnm)
173 {
174 (*pdp)->type = 0;
175 (*pdp)->name.fullname = fnm;
176 }
177 else
178 {
179 (*pdp)->type = 1;
180 (*pdp)->name.relativename = rnm;
181 }
182
183 return 1;
184
185 err:
186 if (fnm)
187 sk_GENERAL_NAME_pop_free(fnm, GENERAL_NAME_free);
188 if (rnm)
189 sk_X509_NAME_ENTRY_pop_free(rnm, X509_NAME_ENTRY_free);
190 return -1;
191 }
192
193static const BIT_STRING_BITNAME reason_flags[] = {
194{0, "Unused", "unused"},
195{1, "Key Compromise", "keyCompromise"},
196{2, "CA Compromise", "CACompromise"},
197{3, "Affiliation Changed", "affiliationChanged"},
198{4, "Superseded", "superseded"},
199{5, "Cessation Of Operation", "cessationOfOperation"},
200{6, "Certificate Hold", "certificateHold"},
201{7, "Privilege Withdrawn", "privilegeWithdrawn"},
202{8, "AA Compromise", "AACompromise"},
203{-1, NULL, NULL}
204};
205
206static int set_reasons(ASN1_BIT_STRING **preas, char *value)
207 {
208 STACK_OF(CONF_VALUE) *rsk = NULL;
209 const BIT_STRING_BITNAME *pbn;
210 const char *bnam;
211 int i, ret = 0;
212 rsk = X509V3_parse_list(value);
213 if (!rsk)
214 return 0;
215 if (*preas)
216 return 0;
217 for (i = 0; i < sk_CONF_VALUE_num(rsk); i++)
218 {
219 bnam = sk_CONF_VALUE_value(rsk, i)->name;
220 if (!*preas)
221 {
222 *preas = ASN1_BIT_STRING_new();
223 if (!*preas)
224 goto err;
225 }
226 for (pbn = reason_flags; pbn->lname; pbn++)
227 {
228 if (!strcmp(pbn->sname, bnam))
229 {
230 if (!ASN1_BIT_STRING_set_bit(*preas,
231 pbn->bitnum, 1))
232 goto err;
233 break;
234 }
235 }
236 if (!pbn->lname)
237 goto err;
238 }
239 ret = 1;
240
241 err:
242 sk_CONF_VALUE_pop_free(rsk, X509V3_conf_free);
243 return ret;
244 }
245
246static int print_reasons(BIO *out, const char *rname,
247 ASN1_BIT_STRING *rflags, int indent)
248 {
249 int first = 1;
250 const BIT_STRING_BITNAME *pbn;
251 BIO_printf(out, "%*s%s:\n%*s", indent, "", rname, indent + 2, "");
252 for (pbn = reason_flags; pbn->lname; pbn++)
253 {
254 if (ASN1_BIT_STRING_get_bit(rflags, pbn->bitnum))
255 {
256 if (first)
257 first = 0;
258 else
259 BIO_puts(out, ", ");
260 BIO_puts(out, pbn->lname);
261 }
262 }
263 if (first)
264 BIO_puts(out, "<EMPTY>\n");
265 else
266 BIO_puts(out, "\n");
267 return 1;
268 }
269
270static DIST_POINT *crldp_from_section(X509V3_CTX *ctx,
271 STACK_OF(CONF_VALUE) *nval)
272 {
273 int i;
274 CONF_VALUE *cnf;
275 DIST_POINT *point = NULL;
276 point = DIST_POINT_new();
277 if (!point)
278 goto err;
279 for(i = 0; i < sk_CONF_VALUE_num(nval); i++)
280 {
281 int ret;
282 cnf = sk_CONF_VALUE_value(nval, i);
283 ret = set_dist_point_name(&point->distpoint, ctx, cnf);
284 if (ret > 0)
285 continue;
286 if (ret < 0)
287 goto err;
288 if (!strcmp(cnf->name, "reasons"))
289 {
290 if (!set_reasons(&point->reasons, cnf->value))
291 goto err;
292 }
293 else if (!strcmp(cnf->name, "CRLissuer"))
294 {
295 point->CRLissuer =
296 gnames_from_sectname(ctx, cnf->value);
297 if (!point->CRLissuer)
298 goto err;
299 }
300 }
301
302 return point;
303
304
305 err:
306 if (point)
307 DIST_POINT_free(point);
308 return NULL;
309 }
310
311static void *v2i_crld(const X509V3_EXT_METHOD *method,
312 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
313 {
314 STACK_OF(DIST_POINT) *crld = NULL;
315 GENERAL_NAMES *gens = NULL;
316 GENERAL_NAME *gen = NULL;
317 CONF_VALUE *cnf;
318 int i;
319 if(!(crld = sk_DIST_POINT_new_null())) goto merr;
320 for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
321 DIST_POINT *point;
322 cnf = sk_CONF_VALUE_value(nval, i);
323 if (!cnf->value)
324 {
325 STACK_OF(CONF_VALUE) *dpsect;
326 dpsect = X509V3_get_section(ctx, cnf->name);
327 if (!dpsect)
328 goto err;
329 point = crldp_from_section(ctx, dpsect);
330 X509V3_section_free(ctx, dpsect);
331 if (!point)
332 goto err;
333 if(!sk_DIST_POINT_push(crld, point))
334 {
335 DIST_POINT_free(point);
336 goto merr;
337 }
338 }
339 else
340 {
341 if(!(gen = v2i_GENERAL_NAME(method, ctx, cnf)))
342 goto err;
343 if(!(gens = GENERAL_NAMES_new()))
344 goto merr;
345 if(!sk_GENERAL_NAME_push(gens, gen))
346 goto merr;
347 gen = NULL;
348 if(!(point = DIST_POINT_new()))
349 goto merr;
350 if(!sk_DIST_POINT_push(crld, point))
351 {
352 DIST_POINT_free(point);
353 goto merr;
354 }
355 if(!(point->distpoint = DIST_POINT_NAME_new()))
356 goto merr;
357 point->distpoint->name.fullname = gens;
358 point->distpoint->type = 0;
359 gens = NULL;
360 }
361 }
362 return crld;
363
364 merr:
365 X509V3err(X509V3_F_V2I_CRLD,ERR_R_MALLOC_FAILURE);
366 err:
367 GENERAL_NAME_free(gen);
368 GENERAL_NAMES_free(gens);
369 sk_DIST_POINT_pop_free(crld, DIST_POINT_free);
370 return NULL;
371}
372
373IMPLEMENT_STACK_OF(DIST_POINT)
374IMPLEMENT_ASN1_SET_OF(DIST_POINT)
375
376static int dpn_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
377 void *exarg)
378 {
379 DIST_POINT_NAME *dpn = (DIST_POINT_NAME *)*pval;
380
381 switch(operation)
382 {
383 case ASN1_OP_NEW_POST:
384 dpn->dpname = NULL;
385 break;
386
387 case ASN1_OP_FREE_POST:
388 if (dpn->dpname)
389 X509_NAME_free(dpn->dpname);
390 break;
391 }
392 return 1;
393 }
394
395
396ASN1_CHOICE_cb(DIST_POINT_NAME, dpn_cb) = {
397 ASN1_IMP_SEQUENCE_OF(DIST_POINT_NAME, name.fullname, GENERAL_NAME, 0),
398 ASN1_IMP_SET_OF(DIST_POINT_NAME, name.relativename, X509_NAME_ENTRY, 1)
399} ASN1_CHOICE_END_cb(DIST_POINT_NAME, DIST_POINT_NAME, type)
400
401
402IMPLEMENT_ASN1_FUNCTIONS(DIST_POINT_NAME)
403
404ASN1_SEQUENCE(DIST_POINT) = {
405 ASN1_EXP_OPT(DIST_POINT, distpoint, DIST_POINT_NAME, 0),
406 ASN1_IMP_OPT(DIST_POINT, reasons, ASN1_BIT_STRING, 1),
407 ASN1_IMP_SEQUENCE_OF_OPT(DIST_POINT, CRLissuer, GENERAL_NAME, 2)
408} ASN1_SEQUENCE_END(DIST_POINT)
409
410IMPLEMENT_ASN1_FUNCTIONS(DIST_POINT)
411
412ASN1_ITEM_TEMPLATE(CRL_DIST_POINTS) =
413 ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, CRLDistributionPoints, DIST_POINT)
414ASN1_ITEM_TEMPLATE_END(CRL_DIST_POINTS)
415
416IMPLEMENT_ASN1_FUNCTIONS(CRL_DIST_POINTS)
417
418ASN1_SEQUENCE(ISSUING_DIST_POINT) = {
419 ASN1_EXP_OPT(ISSUING_DIST_POINT, distpoint, DIST_POINT_NAME, 0),
420 ASN1_IMP_OPT(ISSUING_DIST_POINT, onlyuser, ASN1_FBOOLEAN, 1),
421 ASN1_IMP_OPT(ISSUING_DIST_POINT, onlyCA, ASN1_FBOOLEAN, 2),
422 ASN1_IMP_OPT(ISSUING_DIST_POINT, onlysomereasons, ASN1_BIT_STRING, 3),
423 ASN1_IMP_OPT(ISSUING_DIST_POINT, indirectCRL, ASN1_FBOOLEAN, 4),
424 ASN1_IMP_OPT(ISSUING_DIST_POINT, onlyattr, ASN1_FBOOLEAN, 5)
425} ASN1_SEQUENCE_END(ISSUING_DIST_POINT)
426
427IMPLEMENT_ASN1_FUNCTIONS(ISSUING_DIST_POINT)
428
429static int i2r_idp(const X509V3_EXT_METHOD *method, void *pidp, BIO *out,
430 int indent);
431static void *v2i_idp(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
432 STACK_OF(CONF_VALUE) *nval);
433
434const X509V3_EXT_METHOD v3_idp =
435 {
436 NID_issuing_distribution_point, X509V3_EXT_MULTILINE,
437 ASN1_ITEM_ref(ISSUING_DIST_POINT),
438 0,0,0,0,
439 0,0,
440 0,
441 v2i_idp,
442 i2r_idp,0,
443 NULL
444 };
445
446static void *v2i_idp(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
447 STACK_OF(CONF_VALUE) *nval)
448 {
449 ISSUING_DIST_POINT *idp = NULL;
450 CONF_VALUE *cnf;
451 char *name, *val;
452 int i, ret;
453 idp = ISSUING_DIST_POINT_new();
454 if (!idp)
455 goto merr;
456 for(i = 0; i < sk_CONF_VALUE_num(nval); i++)
457 {
458 cnf = sk_CONF_VALUE_value(nval, i);
459 name = cnf->name;
460 val = cnf->value;
461 ret = set_dist_point_name(&idp->distpoint, ctx, cnf);
462 if (ret > 0)
463 continue;
464 if (ret < 0)
465 goto err;
466 if (!strcmp(name, "onlyuser"))
467 {
468 if (!X509V3_get_value_bool(cnf, &idp->onlyuser))
469 goto err;
470 }
471 else if (!strcmp(name, "onlyCA"))
472 {
473 if (!X509V3_get_value_bool(cnf, &idp->onlyCA))
474 goto err;
475 }
476 else if (!strcmp(name, "onlyAA"))
477 {
478 if (!X509V3_get_value_bool(cnf, &idp->onlyattr))
479 goto err;
480 }
481 else if (!strcmp(name, "indirectCRL"))
482 {
483 if (!X509V3_get_value_bool(cnf, &idp->indirectCRL))
484 goto err;
485 }
486 else if (!strcmp(name, "onlysomereasons"))
487 {
488 if (!set_reasons(&idp->onlysomereasons, val))
489 goto err;
490 }
491 else
492 {
493 X509V3err(X509V3_F_V2I_IDP, X509V3_R_INVALID_NAME);
494 X509V3_conf_err(cnf);
495 goto err;
496 }
497 }
498 return idp;
499
500 merr:
501 X509V3err(X509V3_F_V2I_IDP,ERR_R_MALLOC_FAILURE);
502 err:
503 ISSUING_DIST_POINT_free(idp);
504 return NULL;
505 }
506
507static int print_gens(BIO *out, STACK_OF(GENERAL_NAME) *gens, int indent)
508 {
509 int i;
510 for (i = 0; i < sk_GENERAL_NAME_num(gens); i++)
511 {
512 BIO_printf(out, "%*s", indent + 2, "");
513 GENERAL_NAME_print(out, sk_GENERAL_NAME_value(gens, i));
514 BIO_puts(out, "\n");
515 }
516 return 1;
517 }
518
519static int print_distpoint(BIO *out, DIST_POINT_NAME *dpn, int indent)
520 {
521 if (dpn->type == 0)
522 {
523 BIO_printf(out, "%*sFull Name:\n", indent, "");
524 print_gens(out, dpn->name.fullname, indent);
525 }
526 else
527 {
528 X509_NAME ntmp;
529 ntmp.entries = dpn->name.relativename;
530 BIO_printf(out, "%*sRelative Name:\n%*s",
531 indent, "", indent + 2, "");
532 X509_NAME_print_ex(out, &ntmp, 0, XN_FLAG_ONELINE);
533 BIO_puts(out, "\n");
534 }
535 return 1;
536 }
537
538static int i2r_idp(const X509V3_EXT_METHOD *method, void *pidp, BIO *out,
539 int indent)
540 {
541 ISSUING_DIST_POINT *idp = pidp;
542 if (idp->distpoint)
543 print_distpoint(out, idp->distpoint, indent);
544 if (idp->onlyuser > 0)
545 BIO_printf(out, "%*sOnly User Certificates\n", indent, "");
546 if (idp->onlyCA > 0)
547 BIO_printf(out, "%*sOnly CA Certificates\n", indent, "");
548 if (idp->indirectCRL > 0)
549 BIO_printf(out, "%*sIndirect CRL\n", indent, "");
550 if (idp->onlysomereasons)
551 print_reasons(out, "Only Some Reasons",
552 idp->onlysomereasons, indent);
553 if (idp->onlyattr > 0)
554 BIO_printf(out, "%*sOnly Attribute Certificates\n", indent, "");
555 if (!idp->distpoint && (idp->onlyuser <= 0) && (idp->onlyCA <= 0)
556 && (idp->indirectCRL <= 0) && !idp->onlysomereasons
557 && (idp->onlyattr <= 0))
558 BIO_printf(out, "%*s<EMPTY>\n", indent, "");
559
560 return 1;
561 }
562
563static int i2r_crldp(const X509V3_EXT_METHOD *method, void *pcrldp, BIO *out,
564 int indent)
565 {
566 STACK_OF(DIST_POINT) *crld = pcrldp;
567 DIST_POINT *point;
568 int i;
569 for(i = 0; i < sk_DIST_POINT_num(crld); i++)
570 {
571 BIO_puts(out, "\n");
572 point = sk_DIST_POINT_value(crld, i);
573 if(point->distpoint)
574 print_distpoint(out, point->distpoint, indent);
575 if(point->reasons)
576 print_reasons(out, "Reasons", point->reasons,
577 indent);
578 if(point->CRLissuer)
579 {
580 BIO_printf(out, "%*sCRL Issuer:\n", indent, "");
581 print_gens(out, point->CRLissuer, indent);
582 }
583 }
584 return 1;
585 }
586
587int DIST_POINT_set_dpname(DIST_POINT_NAME *dpn, X509_NAME *iname)
588 {
589 int i;
590 STACK_OF(X509_NAME_ENTRY) *frag;
591 X509_NAME_ENTRY *ne;
592 if (!dpn || (dpn->type != 1))
593 return 1;
594 frag = dpn->name.relativename;
595 dpn->dpname = X509_NAME_dup(iname);
596 if (!dpn->dpname)
597 return 0;
598 for (i = 0; i < sk_X509_NAME_ENTRY_num(frag); i++)
599 {
600 ne = sk_X509_NAME_ENTRY_value(frag, i);
601 if (!X509_NAME_add_entry(dpn->dpname, ne, -1, i ? 0 : 1))
602 {
603 X509_NAME_free(dpn->dpname);
604 dpn->dpname = NULL;
605 return 0;
606 }
607 }
608 /* generate cached encoding of name */
609 if (i2d_X509_NAME(dpn->dpname, NULL) < 0)
610 {
611 X509_NAME_free(dpn->dpname);
612 dpn->dpname = NULL;
613 return 0;
614 }
615 return 1;
616 }
diff --git a/src/lib/libcrypto/x509v3/v3_enum.c b/src/lib/libcrypto/x509v3/v3_enum.c
new file mode 100644
index 0000000000..c0575e368d
--- /dev/null
+++ b/src/lib/libcrypto/x509v3/v3_enum.c
@@ -0,0 +1,97 @@
1/* v3_enum.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/x509v3.h>
62
63static ENUMERATED_NAMES crl_reasons[] = {
64{CRL_REASON_UNSPECIFIED, "Unspecified", "unspecified"},
65{CRL_REASON_KEY_COMPROMISE, "Key Compromise", "keyCompromise"},
66{CRL_REASON_CA_COMPROMISE, "CA Compromise", "CACompromise"},
67{CRL_REASON_AFFILIATION_CHANGED, "Affiliation Changed", "affiliationChanged"},
68{CRL_REASON_SUPERSEDED, "Superseded", "superseded"},
69{CRL_REASON_CESSATION_OF_OPERATION,
70 "Cessation Of Operation", "cessationOfOperation"},
71{CRL_REASON_CERTIFICATE_HOLD, "Certificate Hold", "certificateHold"},
72{CRL_REASON_REMOVE_FROM_CRL, "Remove From CRL", "removeFromCRL"},
73{CRL_REASON_PRIVILEGE_WITHDRAWN, "Privilege Withdrawn", "privilegeWithdrawn"},
74{CRL_REASON_AA_COMPROMISE, "AA Compromise", "AACompromise"},
75{-1, NULL, NULL}
76};
77
78const X509V3_EXT_METHOD v3_crl_reason = {
79NID_crl_reason, 0, ASN1_ITEM_ref(ASN1_ENUMERATED),
800,0,0,0,
81(X509V3_EXT_I2S)i2s_ASN1_ENUMERATED_TABLE,
820,
830,0,0,0,
84crl_reasons};
85
86
87char *i2s_ASN1_ENUMERATED_TABLE(X509V3_EXT_METHOD *method,
88 ASN1_ENUMERATED *e)
89{
90 ENUMERATED_NAMES *enam;
91 long strval;
92 strval = ASN1_ENUMERATED_get(e);
93 for(enam = method->usr_data; enam->lname; enam++) {
94 if(strval == enam->bitnum) return BUF_strdup(enam->lname);
95 }
96 return i2s_ASN1_ENUMERATED(method, e);
97}
diff --git a/src/lib/libcrypto/x509v3/v3_extku.c b/src/lib/libcrypto/x509v3/v3_extku.c
new file mode 100644
index 0000000000..1c66532757
--- /dev/null
+++ b/src/lib/libcrypto/x509v3/v3_extku.c
@@ -0,0 +1,144 @@
1/* v3_extku.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59
60#include <stdio.h>
61#include "cryptlib.h"
62#include <openssl/asn1t.h>
63#include <openssl/conf.h>
64#include <openssl/x509v3.h>
65
66static void *v2i_EXTENDED_KEY_USAGE(const X509V3_EXT_METHOD *method,
67 X509V3_CTX *ctx,
68 STACK_OF(CONF_VALUE) *nval);
69static STACK_OF(CONF_VALUE) *i2v_EXTENDED_KEY_USAGE(const X509V3_EXT_METHOD *method,
70 void *eku, STACK_OF(CONF_VALUE) *extlist);
71
72const X509V3_EXT_METHOD v3_ext_ku = {
73 NID_ext_key_usage, 0,
74 ASN1_ITEM_ref(EXTENDED_KEY_USAGE),
75 0,0,0,0,
76 0,0,
77 i2v_EXTENDED_KEY_USAGE,
78 v2i_EXTENDED_KEY_USAGE,
79 0,0,
80 NULL
81};
82
83/* NB OCSP acceptable responses also is a SEQUENCE OF OBJECT */
84const X509V3_EXT_METHOD v3_ocsp_accresp = {
85 NID_id_pkix_OCSP_acceptableResponses, 0,
86 ASN1_ITEM_ref(EXTENDED_KEY_USAGE),
87 0,0,0,0,
88 0,0,
89 i2v_EXTENDED_KEY_USAGE,
90 v2i_EXTENDED_KEY_USAGE,
91 0,0,
92 NULL
93};
94
95ASN1_ITEM_TEMPLATE(EXTENDED_KEY_USAGE) =
96 ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, EXTENDED_KEY_USAGE, ASN1_OBJECT)
97ASN1_ITEM_TEMPLATE_END(EXTENDED_KEY_USAGE)
98
99IMPLEMENT_ASN1_FUNCTIONS(EXTENDED_KEY_USAGE)
100
101static STACK_OF(CONF_VALUE) *
102 i2v_EXTENDED_KEY_USAGE(const X509V3_EXT_METHOD *method, void *a,
103 STACK_OF(CONF_VALUE) *ext_list)
104{
105 EXTENDED_KEY_USAGE *eku = a;
106 int i;
107 ASN1_OBJECT *obj;
108 char obj_tmp[80];
109 for(i = 0; i < sk_ASN1_OBJECT_num(eku); i++) {
110 obj = sk_ASN1_OBJECT_value(eku, i);
111 i2t_ASN1_OBJECT(obj_tmp, 80, obj);
112 X509V3_add_value(NULL, obj_tmp, &ext_list);
113 }
114 return ext_list;
115}
116
117static void *v2i_EXTENDED_KEY_USAGE(const X509V3_EXT_METHOD *method,
118 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
119{
120 EXTENDED_KEY_USAGE *extku;
121 char *extval;
122 ASN1_OBJECT *objtmp;
123 CONF_VALUE *val;
124 int i;
125
126 if(!(extku = sk_ASN1_OBJECT_new_null())) {
127 X509V3err(X509V3_F_V2I_EXTENDED_KEY_USAGE,ERR_R_MALLOC_FAILURE);
128 return NULL;
129 }
130
131 for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
132 val = sk_CONF_VALUE_value(nval, i);
133 if(val->value) extval = val->value;
134 else extval = val->name;
135 if(!(objtmp = OBJ_txt2obj(extval, 0))) {
136 sk_ASN1_OBJECT_pop_free(extku, ASN1_OBJECT_free);
137 X509V3err(X509V3_F_V2I_EXTENDED_KEY_USAGE,X509V3_R_INVALID_OBJECT_IDENTIFIER);
138 X509V3_conf_err(val);
139 return NULL;
140 }
141 sk_ASN1_OBJECT_push(extku, objtmp);
142 }
143 return extku;
144}
diff --git a/src/lib/libcrypto/x509v3/v3_genn.c b/src/lib/libcrypto/x509v3/v3_genn.c
new file mode 100644
index 0000000000..b628357301
--- /dev/null
+++ b/src/lib/libcrypto/x509v3/v3_genn.c
@@ -0,0 +1,252 @@
1/* v3_genn.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999-2008 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59
60#include <stdio.h>
61#include "cryptlib.h"
62#include <openssl/asn1t.h>
63#include <openssl/conf.h>
64#include <openssl/x509v3.h>
65
66ASN1_SEQUENCE(OTHERNAME) = {
67 ASN1_SIMPLE(OTHERNAME, type_id, ASN1_OBJECT),
68 /* Maybe have a true ANY DEFINED BY later */
69 ASN1_EXP(OTHERNAME, value, ASN1_ANY, 0)
70} ASN1_SEQUENCE_END(OTHERNAME)
71
72IMPLEMENT_ASN1_FUNCTIONS(OTHERNAME)
73
74ASN1_SEQUENCE(EDIPARTYNAME) = {
75 ASN1_IMP_OPT(EDIPARTYNAME, nameAssigner, DIRECTORYSTRING, 0),
76 ASN1_IMP_OPT(EDIPARTYNAME, partyName, DIRECTORYSTRING, 1)
77} ASN1_SEQUENCE_END(EDIPARTYNAME)
78
79IMPLEMENT_ASN1_FUNCTIONS(EDIPARTYNAME)
80
81ASN1_CHOICE(GENERAL_NAME) = {
82 ASN1_IMP(GENERAL_NAME, d.otherName, OTHERNAME, GEN_OTHERNAME),
83 ASN1_IMP(GENERAL_NAME, d.rfc822Name, ASN1_IA5STRING, GEN_EMAIL),
84 ASN1_IMP(GENERAL_NAME, d.dNSName, ASN1_IA5STRING, GEN_DNS),
85 /* Don't decode this */
86 ASN1_IMP(GENERAL_NAME, d.x400Address, ASN1_SEQUENCE, GEN_X400),
87 /* X509_NAME is a CHOICE type so use EXPLICIT */
88 ASN1_EXP(GENERAL_NAME, d.directoryName, X509_NAME, GEN_DIRNAME),
89 ASN1_IMP(GENERAL_NAME, d.ediPartyName, EDIPARTYNAME, GEN_EDIPARTY),
90 ASN1_IMP(GENERAL_NAME, d.uniformResourceIdentifier, ASN1_IA5STRING, GEN_URI),
91 ASN1_IMP(GENERAL_NAME, d.iPAddress, ASN1_OCTET_STRING, GEN_IPADD),
92 ASN1_IMP(GENERAL_NAME, d.registeredID, ASN1_OBJECT, GEN_RID)
93} ASN1_CHOICE_END(GENERAL_NAME)
94
95IMPLEMENT_ASN1_FUNCTIONS(GENERAL_NAME)
96
97ASN1_ITEM_TEMPLATE(GENERAL_NAMES) =
98 ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, GeneralNames, GENERAL_NAME)
99ASN1_ITEM_TEMPLATE_END(GENERAL_NAMES)
100
101IMPLEMENT_ASN1_FUNCTIONS(GENERAL_NAMES)
102
103GENERAL_NAME *GENERAL_NAME_dup(GENERAL_NAME *a)
104 {
105 return (GENERAL_NAME *) ASN1_dup((i2d_of_void *) i2d_GENERAL_NAME,
106 (d2i_of_void *) d2i_GENERAL_NAME,
107 (char *) a);
108 }
109
110/* Returns 0 if they are equal, != 0 otherwise. */
111int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b)
112 {
113 int result = -1;
114
115 if (!a || !b || a->type != b->type) return -1;
116 switch(a->type)
117 {
118 case GEN_X400:
119 case GEN_EDIPARTY:
120 result = ASN1_TYPE_cmp(a->d.other, b->d.other);
121 break;
122
123 case GEN_OTHERNAME:
124 result = OTHERNAME_cmp(a->d.otherName, b->d.otherName);
125 break;
126
127 case GEN_EMAIL:
128 case GEN_DNS:
129 case GEN_URI:
130 result = ASN1_STRING_cmp(a->d.ia5, b->d.ia5);
131 break;
132
133 case GEN_DIRNAME:
134 result = X509_NAME_cmp(a->d.dirn, b->d.dirn);
135 break;
136
137 case GEN_IPADD:
138 result = ASN1_OCTET_STRING_cmp(a->d.ip, b->d.ip);
139 break;
140
141 case GEN_RID:
142 result = OBJ_cmp(a->d.rid, b->d.rid);
143 break;
144 }
145 return result;
146 }
147
148/* Returns 0 if they are equal, != 0 otherwise. */
149int OTHERNAME_cmp(OTHERNAME *a, OTHERNAME *b)
150 {
151 int result = -1;
152
153 if (!a || !b) return -1;
154 /* Check their type first. */
155 if ((result = OBJ_cmp(a->type_id, b->type_id)) != 0)
156 return result;
157 /* Check the value. */
158 result = ASN1_TYPE_cmp(a->value, b->value);
159 return result;
160 }
161
162void GENERAL_NAME_set0_value(GENERAL_NAME *a, int type, void *value)
163 {
164 switch(type)
165 {
166 case GEN_X400:
167 case GEN_EDIPARTY:
168 a->d.other = value;
169 break;
170
171 case GEN_OTHERNAME:
172 a->d.otherName = value;
173 break;
174
175 case GEN_EMAIL:
176 case GEN_DNS:
177 case GEN_URI:
178 a->d.ia5 = value;
179 break;
180
181 case GEN_DIRNAME:
182 a->d.dirn = value;
183 break;
184
185 case GEN_IPADD:
186 a->d.ip = value;
187 break;
188
189 case GEN_RID:
190 a->d.rid = value;
191 break;
192 }
193 a->type = type;
194 }
195
196void *GENERAL_NAME_get0_value(GENERAL_NAME *a, int *ptype)
197 {
198 if (ptype)
199 *ptype = a->type;
200 switch(a->type)
201 {
202 case GEN_X400:
203 case GEN_EDIPARTY:
204 return a->d.other;
205
206 case GEN_OTHERNAME:
207 return a->d.otherName;
208
209 case GEN_EMAIL:
210 case GEN_DNS:
211 case GEN_URI:
212 return a->d.ia5;
213
214 case GEN_DIRNAME:
215 return a->d.dirn;
216
217 case GEN_IPADD:
218 return a->d.ip;
219
220 case GEN_RID:
221 return a->d.rid;
222
223 default:
224 return NULL;
225 }
226 }
227
228int GENERAL_NAME_set0_othername(GENERAL_NAME *gen,
229 ASN1_OBJECT *oid, ASN1_TYPE *value)
230 {
231 OTHERNAME *oth;
232 oth = OTHERNAME_new();
233 if (!oth)
234 return 0;
235 oth->type_id = oid;
236 oth->value = value;
237 GENERAL_NAME_set0_value(gen, GEN_OTHERNAME, oth);
238 return 1;
239 }
240
241int GENERAL_NAME_get0_otherName(GENERAL_NAME *gen,
242 ASN1_OBJECT **poid, ASN1_TYPE **pvalue)
243 {
244 if (gen->type != GEN_OTHERNAME)
245 return 0;
246 if (poid)
247 *poid = gen->d.otherName->type_id;
248 if (pvalue)
249 *pvalue = gen->d.otherName->value;
250 return 1;
251 }
252
diff --git a/src/lib/libcrypto/x509v3/v3_ia5.c b/src/lib/libcrypto/x509v3/v3_ia5.c
new file mode 100644
index 0000000000..4ff12b52b5
--- /dev/null
+++ b/src/lib/libcrypto/x509v3/v3_ia5.c
@@ -0,0 +1,116 @@
1/* v3_ia5.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59
60#include <stdio.h>
61#include "cryptlib.h"
62#include <openssl/asn1.h>
63#include <openssl/conf.h>
64#include <openssl/x509v3.h>
65
66static char *i2s_ASN1_IA5STRING(X509V3_EXT_METHOD *method, ASN1_IA5STRING *ia5);
67static ASN1_IA5STRING *s2i_ASN1_IA5STRING(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *str);
68const X509V3_EXT_METHOD v3_ns_ia5_list[] = {
69EXT_IA5STRING(NID_netscape_base_url),
70EXT_IA5STRING(NID_netscape_revocation_url),
71EXT_IA5STRING(NID_netscape_ca_revocation_url),
72EXT_IA5STRING(NID_netscape_renewal_url),
73EXT_IA5STRING(NID_netscape_ca_policy_url),
74EXT_IA5STRING(NID_netscape_ssl_server_name),
75EXT_IA5STRING(NID_netscape_comment),
76EXT_END
77};
78
79
80static char *i2s_ASN1_IA5STRING(X509V3_EXT_METHOD *method,
81 ASN1_IA5STRING *ia5)
82{
83 char *tmp;
84 if(!ia5 || !ia5->length) return NULL;
85 if(!(tmp = OPENSSL_malloc(ia5->length + 1))) {
86 X509V3err(X509V3_F_I2S_ASN1_IA5STRING,ERR_R_MALLOC_FAILURE);
87 return NULL;
88 }
89 memcpy(tmp, ia5->data, ia5->length);
90 tmp[ia5->length] = 0;
91 return tmp;
92}
93
94static ASN1_IA5STRING *s2i_ASN1_IA5STRING(X509V3_EXT_METHOD *method,
95 X509V3_CTX *ctx, char *str)
96{
97 ASN1_IA5STRING *ia5;
98 if(!str) {
99 X509V3err(X509V3_F_S2I_ASN1_IA5STRING,X509V3_R_INVALID_NULL_ARGUMENT);
100 return NULL;
101 }
102 if(!(ia5 = M_ASN1_IA5STRING_new())) goto err;
103 if(!ASN1_STRING_set((ASN1_STRING *)ia5, (unsigned char*)str,
104 strlen(str))) {
105 M_ASN1_IA5STRING_free(ia5);
106 goto err;
107 }
108#ifdef CHARSET_EBCDIC
109 ebcdic2ascii(ia5->data, ia5->data, ia5->length);
110#endif /*CHARSET_EBCDIC*/
111 return ia5;
112 err:
113 X509V3err(X509V3_F_S2I_ASN1_IA5STRING,ERR_R_MALLOC_FAILURE);
114 return NULL;
115}
116
diff --git a/src/lib/libcrypto/x509v3/v3_info.c b/src/lib/libcrypto/x509v3/v3_info.c
new file mode 100644
index 0000000000..e1b8699f92
--- /dev/null
+++ b/src/lib/libcrypto/x509v3/v3_info.c
@@ -0,0 +1,193 @@
1/* v3_info.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/conf.h>
62#include <openssl/asn1.h>
63#include <openssl/asn1t.h>
64#include <openssl/x509v3.h>
65
66static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD *method,
67 AUTHORITY_INFO_ACCESS *ainfo,
68 STACK_OF(CONF_VALUE) *ret);
69static AUTHORITY_INFO_ACCESS *v2i_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD *method,
70 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
71
72const X509V3_EXT_METHOD v3_info =
73{ NID_info_access, X509V3_EXT_MULTILINE, ASN1_ITEM_ref(AUTHORITY_INFO_ACCESS),
740,0,0,0,
750,0,
76(X509V3_EXT_I2V)i2v_AUTHORITY_INFO_ACCESS,
77(X509V3_EXT_V2I)v2i_AUTHORITY_INFO_ACCESS,
780,0,
79NULL};
80
81const X509V3_EXT_METHOD v3_sinfo =
82{ NID_sinfo_access, X509V3_EXT_MULTILINE, ASN1_ITEM_ref(AUTHORITY_INFO_ACCESS),
830,0,0,0,
840,0,
85(X509V3_EXT_I2V)i2v_AUTHORITY_INFO_ACCESS,
86(X509V3_EXT_V2I)v2i_AUTHORITY_INFO_ACCESS,
870,0,
88NULL};
89
90ASN1_SEQUENCE(ACCESS_DESCRIPTION) = {
91 ASN1_SIMPLE(ACCESS_DESCRIPTION, method, ASN1_OBJECT),
92 ASN1_SIMPLE(ACCESS_DESCRIPTION, location, GENERAL_NAME)
93} ASN1_SEQUENCE_END(ACCESS_DESCRIPTION)
94
95IMPLEMENT_ASN1_FUNCTIONS(ACCESS_DESCRIPTION)
96
97ASN1_ITEM_TEMPLATE(AUTHORITY_INFO_ACCESS) =
98 ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, GeneralNames, ACCESS_DESCRIPTION)
99ASN1_ITEM_TEMPLATE_END(AUTHORITY_INFO_ACCESS)
100
101IMPLEMENT_ASN1_FUNCTIONS(AUTHORITY_INFO_ACCESS)
102
103static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD *method,
104 AUTHORITY_INFO_ACCESS *ainfo,
105 STACK_OF(CONF_VALUE) *ret)
106{
107 ACCESS_DESCRIPTION *desc;
108 int i,nlen;
109 char objtmp[80], *ntmp;
110 CONF_VALUE *vtmp;
111 for(i = 0; i < sk_ACCESS_DESCRIPTION_num(ainfo); i++) {
112 desc = sk_ACCESS_DESCRIPTION_value(ainfo, i);
113 ret = i2v_GENERAL_NAME(method, desc->location, ret);
114 if(!ret) break;
115 vtmp = sk_CONF_VALUE_value(ret, i);
116 i2t_ASN1_OBJECT(objtmp, sizeof objtmp, desc->method);
117 nlen = strlen(objtmp) + strlen(vtmp->name) + 5;
118 ntmp = OPENSSL_malloc(nlen);
119 if(!ntmp) {
120 X509V3err(X509V3_F_I2V_AUTHORITY_INFO_ACCESS,
121 ERR_R_MALLOC_FAILURE);
122 return NULL;
123 }
124 BUF_strlcpy(ntmp, objtmp, nlen);
125 BUF_strlcat(ntmp, " - ", nlen);
126 BUF_strlcat(ntmp, vtmp->name, nlen);
127 OPENSSL_free(vtmp->name);
128 vtmp->name = ntmp;
129
130 }
131 if(!ret) return sk_CONF_VALUE_new_null();
132 return ret;
133}
134
135static AUTHORITY_INFO_ACCESS *v2i_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD *method,
136 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
137{
138 AUTHORITY_INFO_ACCESS *ainfo = NULL;
139 CONF_VALUE *cnf, ctmp;
140 ACCESS_DESCRIPTION *acc;
141 int i, objlen;
142 char *objtmp, *ptmp;
143 if(!(ainfo = sk_ACCESS_DESCRIPTION_new_null())) {
144 X509V3err(X509V3_F_V2I_AUTHORITY_INFO_ACCESS,ERR_R_MALLOC_FAILURE);
145 return NULL;
146 }
147 for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
148 cnf = sk_CONF_VALUE_value(nval, i);
149 if(!(acc = ACCESS_DESCRIPTION_new())
150 || !sk_ACCESS_DESCRIPTION_push(ainfo, acc)) {
151 X509V3err(X509V3_F_V2I_AUTHORITY_INFO_ACCESS,ERR_R_MALLOC_FAILURE);
152 goto err;
153 }
154 ptmp = strchr(cnf->name, ';');
155 if(!ptmp) {
156 X509V3err(X509V3_F_V2I_AUTHORITY_INFO_ACCESS,X509V3_R_INVALID_SYNTAX);
157 goto err;
158 }
159 objlen = ptmp - cnf->name;
160 ctmp.name = ptmp + 1;
161 ctmp.value = cnf->value;
162 if(!v2i_GENERAL_NAME_ex(acc->location, method, ctx, &ctmp, 0))
163 goto err;
164 if(!(objtmp = OPENSSL_malloc(objlen + 1))) {
165 X509V3err(X509V3_F_V2I_AUTHORITY_INFO_ACCESS,ERR_R_MALLOC_FAILURE);
166 goto err;
167 }
168 strncpy(objtmp, cnf->name, objlen);
169 objtmp[objlen] = 0;
170 acc->method = OBJ_txt2obj(objtmp, 0);
171 if(!acc->method) {
172 X509V3err(X509V3_F_V2I_AUTHORITY_INFO_ACCESS,X509V3_R_BAD_OBJECT);
173 ERR_add_error_data(2, "value=", objtmp);
174 OPENSSL_free(objtmp);
175 goto err;
176 }
177 OPENSSL_free(objtmp);
178
179 }
180 return ainfo;
181 err:
182 sk_ACCESS_DESCRIPTION_pop_free(ainfo, ACCESS_DESCRIPTION_free);
183 return NULL;
184}
185
186int i2a_ACCESS_DESCRIPTION(BIO *bp, ACCESS_DESCRIPTION* a)
187 {
188 i2a_ASN1_OBJECT(bp, a->method);
189#ifdef UNDEF
190 i2a_GENERAL_NAME(bp, a->location);
191#endif
192 return 2;
193 }
diff --git a/src/lib/libcrypto/x509v3/v3_int.c b/src/lib/libcrypto/x509v3/v3_int.c
new file mode 100644
index 0000000000..4bfd14cf46
--- /dev/null
+++ b/src/lib/libcrypto/x509v3/v3_int.c
@@ -0,0 +1,89 @@
1/* v3_int.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/x509v3.h>
62
63const X509V3_EXT_METHOD v3_crl_num = {
64 NID_crl_number, 0, ASN1_ITEM_ref(ASN1_INTEGER),
65 0,0,0,0,
66 (X509V3_EXT_I2S)i2s_ASN1_INTEGER,
67 0,
68 0,0,0,0, NULL};
69
70const X509V3_EXT_METHOD v3_delta_crl = {
71 NID_delta_crl, 0, ASN1_ITEM_ref(ASN1_INTEGER),
72 0,0,0,0,
73 (X509V3_EXT_I2S)i2s_ASN1_INTEGER,
74 0,
75 0,0,0,0, NULL};
76
77static void * s2i_asn1_int(X509V3_EXT_METHOD *meth, X509V3_CTX *ctx, char *value)
78 {
79 return s2i_ASN1_INTEGER(meth, value);
80 }
81
82const X509V3_EXT_METHOD v3_inhibit_anyp = {
83 NID_inhibit_any_policy, 0, ASN1_ITEM_ref(ASN1_INTEGER),
84 0,0,0,0,
85 (X509V3_EXT_I2S)i2s_ASN1_INTEGER,
86 (X509V3_EXT_S2I)s2i_asn1_int,
87 0,0,0,0, NULL};
88
89
diff --git a/src/lib/libcrypto/x509v3/v3_lib.c b/src/lib/libcrypto/x509v3/v3_lib.c
new file mode 100644
index 0000000000..0f1e1d4422
--- /dev/null
+++ b/src/lib/libcrypto/x509v3/v3_lib.c
@@ -0,0 +1,309 @@
1/* v3_lib.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58/* X509 v3 extension utilities */
59
60#include <stdio.h>
61#include "cryptlib.h"
62#include <openssl/conf.h>
63#include <openssl/x509v3.h>
64
65#include "ext_dat.h"
66
67static STACK_OF(X509V3_EXT_METHOD) *ext_list = NULL;
68
69static int ext_cmp(const X509V3_EXT_METHOD * const *a,
70 const X509V3_EXT_METHOD * const *b);
71static void ext_list_free(X509V3_EXT_METHOD *ext);
72
73int X509V3_EXT_add(X509V3_EXT_METHOD *ext)
74{
75 if(!ext_list && !(ext_list = sk_X509V3_EXT_METHOD_new(ext_cmp))) {
76 X509V3err(X509V3_F_X509V3_EXT_ADD,ERR_R_MALLOC_FAILURE);
77 return 0;
78 }
79 if(!sk_X509V3_EXT_METHOD_push(ext_list, ext)) {
80 X509V3err(X509V3_F_X509V3_EXT_ADD,ERR_R_MALLOC_FAILURE);
81 return 0;
82 }
83 return 1;
84}
85
86static int ext_cmp(const X509V3_EXT_METHOD * const *a,
87 const X509V3_EXT_METHOD * const *b)
88{
89 return ((*a)->ext_nid - (*b)->ext_nid);
90}
91
92DECLARE_OBJ_BSEARCH_CMP_FN(const X509V3_EXT_METHOD *, const X509V3_EXT_METHOD *,
93 ext);
94IMPLEMENT_OBJ_BSEARCH_CMP_FN(const X509V3_EXT_METHOD *,
95 const X509V3_EXT_METHOD *, ext);
96
97const X509V3_EXT_METHOD *X509V3_EXT_get_nid(int nid)
98{
99 X509V3_EXT_METHOD tmp;
100 const X509V3_EXT_METHOD *t = &tmp, * const *ret;
101 int idx;
102 if(nid < 0) return NULL;
103 tmp.ext_nid = nid;
104 ret = OBJ_bsearch_ext(&t, standard_exts, STANDARD_EXTENSION_COUNT);
105 if(ret) return *ret;
106 if(!ext_list) return NULL;
107 idx = sk_X509V3_EXT_METHOD_find(ext_list, &tmp);
108 if(idx == -1) return NULL;
109 return sk_X509V3_EXT_METHOD_value(ext_list, idx);
110}
111
112const X509V3_EXT_METHOD *X509V3_EXT_get(X509_EXTENSION *ext)
113{
114 int nid;
115 if((nid = OBJ_obj2nid(ext->object)) == NID_undef) return NULL;
116 return X509V3_EXT_get_nid(nid);
117}
118
119
120int X509V3_EXT_add_list(X509V3_EXT_METHOD *extlist)
121{
122 for(;extlist->ext_nid!=-1;extlist++)
123 if(!X509V3_EXT_add(extlist)) return 0;
124 return 1;
125}
126
127int X509V3_EXT_add_alias(int nid_to, int nid_from)
128{
129 const X509V3_EXT_METHOD *ext;
130 X509V3_EXT_METHOD *tmpext;
131
132 if(!(ext = X509V3_EXT_get_nid(nid_from))) {
133 X509V3err(X509V3_F_X509V3_EXT_ADD_ALIAS,X509V3_R_EXTENSION_NOT_FOUND);
134 return 0;
135 }
136 if(!(tmpext = (X509V3_EXT_METHOD *)OPENSSL_malloc(sizeof(X509V3_EXT_METHOD)))) {
137 X509V3err(X509V3_F_X509V3_EXT_ADD_ALIAS,ERR_R_MALLOC_FAILURE);
138 return 0;
139 }
140 *tmpext = *ext;
141 tmpext->ext_nid = nid_to;
142 tmpext->ext_flags |= X509V3_EXT_DYNAMIC;
143 return X509V3_EXT_add(tmpext);
144}
145
146void X509V3_EXT_cleanup(void)
147{
148 sk_X509V3_EXT_METHOD_pop_free(ext_list, ext_list_free);
149 ext_list = NULL;
150}
151
152static void ext_list_free(X509V3_EXT_METHOD *ext)
153{
154 if(ext->ext_flags & X509V3_EXT_DYNAMIC) OPENSSL_free(ext);
155}
156
157/* Legacy function: we don't need to add standard extensions
158 * any more because they are now kept in ext_dat.h.
159 */
160
161int X509V3_add_standard_extensions(void)
162{
163 return 1;
164}
165
166/* Return an extension internal structure */
167
168void *X509V3_EXT_d2i(X509_EXTENSION *ext)
169{
170 const X509V3_EXT_METHOD *method;
171 const unsigned char *p;
172
173 if(!(method = X509V3_EXT_get(ext))) return NULL;
174 p = ext->value->data;
175 if(method->it) return ASN1_item_d2i(NULL, &p, ext->value->length, ASN1_ITEM_ptr(method->it));
176 return method->d2i(NULL, &p, ext->value->length);
177}
178
179/* Get critical flag and decoded version of extension from a NID.
180 * The "idx" variable returns the last found extension and can
181 * be used to retrieve multiple extensions of the same NID.
182 * However multiple extensions with the same NID is usually
183 * due to a badly encoded certificate so if idx is NULL we
184 * choke if multiple extensions exist.
185 * The "crit" variable is set to the critical value.
186 * The return value is the decoded extension or NULL on
187 * error. The actual error can have several different causes,
188 * the value of *crit reflects the cause:
189 * >= 0, extension found but not decoded (reflects critical value).
190 * -1 extension not found.
191 * -2 extension occurs more than once.
192 */
193
194void *X509V3_get_d2i(STACK_OF(X509_EXTENSION) *x, int nid, int *crit, int *idx)
195{
196 int lastpos, i;
197 X509_EXTENSION *ex, *found_ex = NULL;
198 if(!x) {
199 if(idx) *idx = -1;
200 if(crit) *crit = -1;
201 return NULL;
202 }
203 if(idx) lastpos = *idx + 1;
204 else lastpos = 0;
205 if(lastpos < 0) lastpos = 0;
206 for(i = lastpos; i < sk_X509_EXTENSION_num(x); i++)
207 {
208 ex = sk_X509_EXTENSION_value(x, i);
209 if(OBJ_obj2nid(ex->object) == nid) {
210 if(idx) {
211 *idx = i;
212 found_ex = ex;
213 break;
214 } else if(found_ex) {
215 /* Found more than one */
216 if(crit) *crit = -2;
217 return NULL;
218 }
219 found_ex = ex;
220 }
221 }
222 if(found_ex) {
223 /* Found it */
224 if(crit) *crit = X509_EXTENSION_get_critical(found_ex);
225 return X509V3_EXT_d2i(found_ex);
226 }
227
228 /* Extension not found */
229 if(idx) *idx = -1;
230 if(crit) *crit = -1;
231 return NULL;
232}
233
234/* This function is a general extension append, replace and delete utility.
235 * The precise operation is governed by the 'flags' value. The 'crit' and
236 * 'value' arguments (if relevant) are the extensions internal structure.
237 */
238
239int X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value,
240 int crit, unsigned long flags)
241{
242 int extidx = -1;
243 int errcode;
244 X509_EXTENSION *ext, *extmp;
245 unsigned long ext_op = flags & X509V3_ADD_OP_MASK;
246
247 /* If appending we don't care if it exists, otherwise
248 * look for existing extension.
249 */
250 if(ext_op != X509V3_ADD_APPEND)
251 extidx = X509v3_get_ext_by_NID(*x, nid, -1);
252
253 /* See if extension exists */
254 if(extidx >= 0) {
255 /* If keep existing, nothing to do */
256 if(ext_op == X509V3_ADD_KEEP_EXISTING)
257 return 1;
258 /* If default then its an error */
259 if(ext_op == X509V3_ADD_DEFAULT) {
260 errcode = X509V3_R_EXTENSION_EXISTS;
261 goto err;
262 }
263 /* If delete, just delete it */
264 if(ext_op == X509V3_ADD_DELETE) {
265 if(!sk_X509_EXTENSION_delete(*x, extidx)) return -1;
266 return 1;
267 }
268 } else {
269 /* If replace existing or delete, error since
270 * extension must exist
271 */
272 if((ext_op == X509V3_ADD_REPLACE_EXISTING) ||
273 (ext_op == X509V3_ADD_DELETE)) {
274 errcode = X509V3_R_EXTENSION_NOT_FOUND;
275 goto err;
276 }
277 }
278
279 /* If we get this far then we have to create an extension:
280 * could have some flags for alternative encoding schemes...
281 */
282
283 ext = X509V3_EXT_i2d(nid, crit, value);
284
285 if(!ext) {
286 X509V3err(X509V3_F_X509V3_ADD1_I2D, X509V3_R_ERROR_CREATING_EXTENSION);
287 return 0;
288 }
289
290 /* If extension exists replace it.. */
291 if(extidx >= 0) {
292 extmp = sk_X509_EXTENSION_value(*x, extidx);
293 X509_EXTENSION_free(extmp);
294 if(!sk_X509_EXTENSION_set(*x, extidx, ext)) return -1;
295 return 1;
296 }
297
298 if(!*x && !(*x = sk_X509_EXTENSION_new_null())) return -1;
299 if(!sk_X509_EXTENSION_push(*x, ext)) return -1;
300
301 return 1;
302
303 err:
304 if(!(flags & X509V3_ADD_SILENT))
305 X509V3err(X509V3_F_X509V3_ADD1_I2D, errcode);
306 return 0;
307}
308
309IMPLEMENT_STACK_OF(X509V3_EXT_METHOD)
diff --git a/src/lib/libcrypto/x509v3/v3_ncons.c b/src/lib/libcrypto/x509v3/v3_ncons.c
new file mode 100644
index 0000000000..a01dc64dd2
--- /dev/null
+++ b/src/lib/libcrypto/x509v3/v3_ncons.c
@@ -0,0 +1,505 @@
1/* v3_ncons.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project.
4 */
5/* ====================================================================
6 * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59
60#include <stdio.h>
61#include "cryptlib.h"
62#include <openssl/asn1t.h>
63#include <openssl/conf.h>
64#include <openssl/x509v3.h>
65
66static void *v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method,
67 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
68static int i2r_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method,
69 void *a, BIO *bp, int ind);
70static int do_i2r_name_constraints(const X509V3_EXT_METHOD *method,
71 STACK_OF(GENERAL_SUBTREE) *trees,
72 BIO *bp, int ind, char *name);
73static int print_nc_ipadd(BIO *bp, ASN1_OCTET_STRING *ip);
74
75static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc);
76static int nc_match_single(GENERAL_NAME *sub, GENERAL_NAME *gen);
77static int nc_dn(X509_NAME *sub, X509_NAME *nm);
78static int nc_dns(ASN1_IA5STRING *sub, ASN1_IA5STRING *dns);
79static int nc_email(ASN1_IA5STRING *sub, ASN1_IA5STRING *eml);
80static int nc_uri(ASN1_IA5STRING *uri, ASN1_IA5STRING *base);
81
82const X509V3_EXT_METHOD v3_name_constraints = {
83 NID_name_constraints, 0,
84 ASN1_ITEM_ref(NAME_CONSTRAINTS),
85 0,0,0,0,
86 0,0,
87 0, v2i_NAME_CONSTRAINTS,
88 i2r_NAME_CONSTRAINTS,0,
89 NULL
90};
91
92ASN1_SEQUENCE(GENERAL_SUBTREE) = {
93 ASN1_SIMPLE(GENERAL_SUBTREE, base, GENERAL_NAME),
94 ASN1_IMP_OPT(GENERAL_SUBTREE, minimum, ASN1_INTEGER, 0),
95 ASN1_IMP_OPT(GENERAL_SUBTREE, maximum, ASN1_INTEGER, 1)
96} ASN1_SEQUENCE_END(GENERAL_SUBTREE)
97
98ASN1_SEQUENCE(NAME_CONSTRAINTS) = {
99 ASN1_IMP_SEQUENCE_OF_OPT(NAME_CONSTRAINTS, permittedSubtrees,
100 GENERAL_SUBTREE, 0),
101 ASN1_IMP_SEQUENCE_OF_OPT(NAME_CONSTRAINTS, excludedSubtrees,
102 GENERAL_SUBTREE, 1),
103} ASN1_SEQUENCE_END(NAME_CONSTRAINTS)
104
105
106IMPLEMENT_ASN1_ALLOC_FUNCTIONS(GENERAL_SUBTREE)
107IMPLEMENT_ASN1_ALLOC_FUNCTIONS(NAME_CONSTRAINTS)
108
109static void *v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method,
110 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
111 {
112 int i;
113 CONF_VALUE tval, *val;
114 STACK_OF(GENERAL_SUBTREE) **ptree = NULL;
115 NAME_CONSTRAINTS *ncons = NULL;
116 GENERAL_SUBTREE *sub = NULL;
117 ncons = NAME_CONSTRAINTS_new();
118 if (!ncons)
119 goto memerr;
120 for(i = 0; i < sk_CONF_VALUE_num(nval); i++)
121 {
122 val = sk_CONF_VALUE_value(nval, i);
123 if (!strncmp(val->name, "permitted", 9) && val->name[9])
124 {
125 ptree = &ncons->permittedSubtrees;
126 tval.name = val->name + 10;
127 }
128 else if (!strncmp(val->name, "excluded", 8) && val->name[8])
129 {
130 ptree = &ncons->excludedSubtrees;
131 tval.name = val->name + 9;
132 }
133 else
134 {
135 X509V3err(X509V3_F_V2I_NAME_CONSTRAINTS, X509V3_R_INVALID_SYNTAX);
136 goto err;
137 }
138 tval.value = val->value;
139 sub = GENERAL_SUBTREE_new();
140 if (!v2i_GENERAL_NAME_ex(sub->base, method, ctx, &tval, 1))
141 goto err;
142 if (!*ptree)
143 *ptree = sk_GENERAL_SUBTREE_new_null();
144 if (!*ptree || !sk_GENERAL_SUBTREE_push(*ptree, sub))
145 goto memerr;
146 sub = NULL;
147 }
148
149 return ncons;
150
151 memerr:
152 X509V3err(X509V3_F_V2I_NAME_CONSTRAINTS, ERR_R_MALLOC_FAILURE);
153 err:
154 if (ncons)
155 NAME_CONSTRAINTS_free(ncons);
156 if (sub)
157 GENERAL_SUBTREE_free(sub);
158
159 return NULL;
160 }
161
162
163
164
165static int i2r_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method, void *a,
166 BIO *bp, int ind)
167 {
168 NAME_CONSTRAINTS *ncons = a;
169 do_i2r_name_constraints(method, ncons->permittedSubtrees,
170 bp, ind, "Permitted");
171 do_i2r_name_constraints(method, ncons->excludedSubtrees,
172 bp, ind, "Excluded");
173 return 1;
174 }
175
176static int do_i2r_name_constraints(const X509V3_EXT_METHOD *method,
177 STACK_OF(GENERAL_SUBTREE) *trees,
178 BIO *bp, int ind, char *name)
179 {
180 GENERAL_SUBTREE *tree;
181 int i;
182 if (sk_GENERAL_SUBTREE_num(trees) > 0)
183 BIO_printf(bp, "%*s%s:\n", ind, "", name);
184 for(i = 0; i < sk_GENERAL_SUBTREE_num(trees); i++)
185 {
186 tree = sk_GENERAL_SUBTREE_value(trees, i);
187 BIO_printf(bp, "%*s", ind + 2, "");
188 if (tree->base->type == GEN_IPADD)
189 print_nc_ipadd(bp, tree->base->d.ip);
190 else
191 GENERAL_NAME_print(bp, tree->base);
192 BIO_puts(bp, "\n");
193 }
194 return 1;
195 }
196
197static int print_nc_ipadd(BIO *bp, ASN1_OCTET_STRING *ip)
198 {
199 int i, len;
200 unsigned char *p;
201 p = ip->data;
202 len = ip->length;
203 BIO_puts(bp, "IP:");
204 if(len == 8)
205 {
206 BIO_printf(bp, "%d.%d.%d.%d/%d.%d.%d.%d",
207 p[0], p[1], p[2], p[3],
208 p[4], p[5], p[6], p[7]);
209 }
210 else if(len == 32)
211 {
212 for (i = 0; i < 16; i++)
213 {
214 BIO_printf(bp, "%X", p[0] << 8 | p[1]);
215 p += 2;
216 if (i == 7)
217 BIO_puts(bp, "/");
218 else if (i != 15)
219 BIO_puts(bp, ":");
220 }
221 }
222 else
223 BIO_printf(bp, "IP Address:<invalid>");
224 return 1;
225 }
226
227/* Check a certificate conforms to a specified set of constraints.
228 * Return values:
229 * X509_V_OK: All constraints obeyed.
230 * X509_V_ERR_PERMITTED_VIOLATION: Permitted subtree violation.
231 * X509_V_ERR_EXCLUDED_VIOLATION: Excluded subtree violation.
232 * X509_V_ERR_SUBTREE_MINMAX: Min or max values present and matching type.
233 * X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE: Unsupported constraint type.
234 * X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX: bad unsupported constraint syntax.
235 * X509_V_ERR_UNSUPPORTED_NAME_SYNTAX: bad or unsupported syntax of name
236
237 */
238
239int NAME_CONSTRAINTS_check(X509 *x, NAME_CONSTRAINTS *nc)
240 {
241 int r, i;
242 X509_NAME *nm;
243
244 nm = X509_get_subject_name(x);
245
246 if (X509_NAME_entry_count(nm) > 0)
247 {
248 GENERAL_NAME gntmp;
249 gntmp.type = GEN_DIRNAME;
250 gntmp.d.directoryName = nm;
251
252 r = nc_match(&gntmp, nc);
253
254 if (r != X509_V_OK)
255 return r;
256
257 gntmp.type = GEN_EMAIL;
258
259
260 /* Process any email address attributes in subject name */
261
262 for (i = -1;;)
263 {
264 X509_NAME_ENTRY *ne;
265 i = X509_NAME_get_index_by_NID(nm,
266 NID_pkcs9_emailAddress,
267 i);
268 if (i == -1)
269 break;
270 ne = X509_NAME_get_entry(nm, i);
271 gntmp.d.rfc822Name = X509_NAME_ENTRY_get_data(ne);
272 if (gntmp.d.rfc822Name->type != V_ASN1_IA5STRING)
273 return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
274
275 r = nc_match(&gntmp, nc);
276
277 if (r != X509_V_OK)
278 return r;
279 }
280
281 }
282
283 for (i = 0; i < sk_GENERAL_NAME_num(x->altname); i++)
284 {
285 GENERAL_NAME *gen = sk_GENERAL_NAME_value(x->altname, i);
286 r = nc_match(gen, nc);
287 if (r != X509_V_OK)
288 return r;
289 }
290
291 return X509_V_OK;
292
293 }
294
295static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc)
296 {
297 GENERAL_SUBTREE *sub;
298 int i, r, match = 0;
299
300 /* Permitted subtrees: if any subtrees exist of matching the type
301 * at least one subtree must match.
302 */
303
304 for (i = 0; i < sk_GENERAL_SUBTREE_num(nc->permittedSubtrees); i++)
305 {
306 sub = sk_GENERAL_SUBTREE_value(nc->permittedSubtrees, i);
307 if (gen->type != sub->base->type)
308 continue;
309 if (sub->minimum || sub->maximum)
310 return X509_V_ERR_SUBTREE_MINMAX;
311 /* If we already have a match don't bother trying any more */
312 if (match == 2)
313 continue;
314 if (match == 0)
315 match = 1;
316 r = nc_match_single(gen, sub->base);
317 if (r == X509_V_OK)
318 match = 2;
319 else if (r != X509_V_ERR_PERMITTED_VIOLATION)
320 return r;
321 }
322
323 if (match == 1)
324 return X509_V_ERR_PERMITTED_VIOLATION;
325
326 /* Excluded subtrees: must not match any of these */
327
328 for (i = 0; i < sk_GENERAL_SUBTREE_num(nc->excludedSubtrees); i++)
329 {
330 sub = sk_GENERAL_SUBTREE_value(nc->excludedSubtrees, i);
331 if (gen->type != sub->base->type)
332 continue;
333 if (sub->minimum || sub->maximum)
334 return X509_V_ERR_SUBTREE_MINMAX;
335
336 r = nc_match_single(gen, sub->base);
337 if (r == X509_V_OK)
338 return X509_V_ERR_EXCLUDED_VIOLATION;
339 else if (r != X509_V_ERR_PERMITTED_VIOLATION)
340 return r;
341
342 }
343
344 return X509_V_OK;
345
346 }
347
348static int nc_match_single(GENERAL_NAME *gen, GENERAL_NAME *base)
349 {
350 switch(base->type)
351 {
352 case GEN_DIRNAME:
353 return nc_dn(gen->d.directoryName, base->d.directoryName);
354
355 case GEN_DNS:
356 return nc_dns(gen->d.dNSName, base->d.dNSName);
357
358 case GEN_EMAIL:
359 return nc_email(gen->d.rfc822Name, base->d.rfc822Name);
360
361 case GEN_URI:
362 return nc_uri(gen->d.uniformResourceIdentifier,
363 base->d.uniformResourceIdentifier);
364
365 default:
366 return X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE;
367 }
368
369 }
370
371/* directoryName name constraint matching.
372 * The canonical encoding of X509_NAME makes this comparison easy. It is
373 * matched if the subtree is a subset of the name.
374 */
375
376static int nc_dn(X509_NAME *nm, X509_NAME *base)
377 {
378 /* Ensure canonical encodings are up to date. */
379 if (nm->modified && i2d_X509_NAME(nm, NULL) < 0)
380 return X509_V_ERR_OUT_OF_MEM;
381 if (base->modified && i2d_X509_NAME(base, NULL) < 0)
382 return X509_V_ERR_OUT_OF_MEM;
383 if (base->canon_enclen > nm->canon_enclen)
384 return X509_V_ERR_PERMITTED_VIOLATION;
385 if (memcmp(base->canon_enc, nm->canon_enc, base->canon_enclen))
386 return X509_V_ERR_PERMITTED_VIOLATION;
387 return X509_V_OK;
388 }
389
390static int nc_dns(ASN1_IA5STRING *dns, ASN1_IA5STRING *base)
391 {
392 char *baseptr = (char *)base->data;
393 char *dnsptr = (char *)dns->data;
394 /* Empty matches everything */
395 if (!*baseptr)
396 return X509_V_OK;
397 /* Otherwise can add zero or more components on the left so
398 * compare RHS and if dns is longer and expect '.' as preceding
399 * character.
400 */
401 if (dns->length > base->length)
402 {
403 dnsptr += dns->length - base->length;
404 if (dnsptr[-1] != '.')
405 return X509_V_ERR_PERMITTED_VIOLATION;
406 }
407
408 if (strcasecmp(baseptr, dnsptr))
409 return X509_V_ERR_PERMITTED_VIOLATION;
410
411 return X509_V_OK;
412
413 }
414
415static int nc_email(ASN1_IA5STRING *eml, ASN1_IA5STRING *base)
416 {
417 const char *baseptr = (char *)base->data;
418 const char *emlptr = (char *)eml->data;
419
420 const char *baseat = strchr(baseptr, '@');
421 const char *emlat = strchr(emlptr, '@');
422 if (!emlat)
423 return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
424 /* Special case: inital '.' is RHS match */
425 if (!baseat && (*baseptr == '.'))
426 {
427 if (eml->length > base->length)
428 {
429 emlptr += eml->length - base->length;
430 if (!strcasecmp(baseptr, emlptr))
431 return X509_V_OK;
432 }
433 return X509_V_ERR_PERMITTED_VIOLATION;
434 }
435
436 /* If we have anything before '@' match local part */
437
438 if (baseat)
439 {
440 if (baseat != baseptr)
441 {
442 if ((baseat - baseptr) != (emlat - emlptr))
443 return X509_V_ERR_PERMITTED_VIOLATION;
444 /* Case sensitive match of local part */
445 if (strncmp(baseptr, emlptr, emlat - emlptr))
446 return X509_V_ERR_PERMITTED_VIOLATION;
447 }
448 /* Position base after '@' */
449 baseptr = baseat + 1;
450 }
451 emlptr = emlat + 1;
452 /* Just have hostname left to match: case insensitive */
453 if (strcasecmp(baseptr, emlptr))
454 return X509_V_ERR_PERMITTED_VIOLATION;
455
456 return X509_V_OK;
457
458 }
459
460static int nc_uri(ASN1_IA5STRING *uri, ASN1_IA5STRING *base)
461 {
462 const char *baseptr = (char *)base->data;
463 const char *hostptr = (char *)uri->data;
464 const char *p = strchr(hostptr, ':');
465 int hostlen;
466 /* Check for foo:// and skip past it */
467 if (!p || (p[1] != '/') || (p[2] != '/'))
468 return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
469 hostptr = p + 3;
470
471 /* Determine length of hostname part of URI */
472
473 /* Look for a port indicator as end of hostname first */
474
475 p = strchr(hostptr, ':');
476 /* Otherwise look for trailing slash */
477 if (!p)
478 p = strchr(hostptr, '/');
479
480 if (!p)
481 hostlen = strlen(hostptr);
482 else
483 hostlen = p - hostptr;
484
485 if (hostlen == 0)
486 return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
487
488 /* Special case: inital '.' is RHS match */
489 if (*baseptr == '.')
490 {
491 if (hostlen > base->length)
492 {
493 p = hostptr + hostlen - base->length;
494 if (!strncasecmp(p, baseptr, base->length))
495 return X509_V_OK;
496 }
497 return X509_V_ERR_PERMITTED_VIOLATION;
498 }
499
500 if ((base->length != (int)hostlen) || strncasecmp(hostptr, baseptr, hostlen))
501 return X509_V_ERR_PERMITTED_VIOLATION;
502
503 return X509_V_OK;
504
505 }
diff --git a/src/lib/libcrypto/x509v3/v3_ocsp.c b/src/lib/libcrypto/x509v3/v3_ocsp.c
new file mode 100644
index 0000000000..0c165af314
--- /dev/null
+++ b/src/lib/libcrypto/x509v3/v3_ocsp.c
@@ -0,0 +1,289 @@
1/* v3_ocsp.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#ifndef OPENSSL_NO_OCSP
60
61#include <stdio.h>
62#include "cryptlib.h"
63#include <openssl/conf.h>
64#include <openssl/asn1.h>
65#include <openssl/ocsp.h>
66#include <openssl/x509v3.h>
67
68/* OCSP extensions and a couple of CRL entry extensions
69 */
70
71static int i2r_ocsp_crlid(const X509V3_EXT_METHOD *method, void *nonce,
72 BIO *out, int indent);
73static int i2r_ocsp_acutoff(const X509V3_EXT_METHOD *method, void *nonce,
74 BIO *out, int indent);
75static int i2r_object(const X509V3_EXT_METHOD *method, void *obj, BIO *out,
76 int indent);
77
78static void *ocsp_nonce_new(void);
79static int i2d_ocsp_nonce(void *a, unsigned char **pp);
80static void *d2i_ocsp_nonce(void *a, const unsigned char **pp, long length);
81static void ocsp_nonce_free(void *a);
82static int i2r_ocsp_nonce(const X509V3_EXT_METHOD *method, void *nonce,
83 BIO *out, int indent);
84
85static int i2r_ocsp_nocheck(const X509V3_EXT_METHOD *method,
86 void *nocheck, BIO *out, int indent);
87static void *s2i_ocsp_nocheck(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
88 const char *str);
89static int i2r_ocsp_serviceloc(const X509V3_EXT_METHOD *method, void *in,
90 BIO *bp, int ind);
91
92const X509V3_EXT_METHOD v3_ocsp_crlid = {
93 NID_id_pkix_OCSP_CrlID, 0, ASN1_ITEM_ref(OCSP_CRLID),
94 0,0,0,0,
95 0,0,
96 0,0,
97 i2r_ocsp_crlid,0,
98 NULL
99};
100
101const X509V3_EXT_METHOD v3_ocsp_acutoff = {
102 NID_id_pkix_OCSP_archiveCutoff, 0, ASN1_ITEM_ref(ASN1_GENERALIZEDTIME),
103 0,0,0,0,
104 0,0,
105 0,0,
106 i2r_ocsp_acutoff,0,
107 NULL
108};
109
110const X509V3_EXT_METHOD v3_crl_invdate = {
111 NID_invalidity_date, 0, ASN1_ITEM_ref(ASN1_GENERALIZEDTIME),
112 0,0,0,0,
113 0,0,
114 0,0,
115 i2r_ocsp_acutoff,0,
116 NULL
117};
118
119const X509V3_EXT_METHOD v3_crl_hold = {
120 NID_hold_instruction_code, 0, ASN1_ITEM_ref(ASN1_OBJECT),
121 0,0,0,0,
122 0,0,
123 0,0,
124 i2r_object,0,
125 NULL
126};
127
128const X509V3_EXT_METHOD v3_ocsp_nonce = {
129 NID_id_pkix_OCSP_Nonce, 0, NULL,
130 ocsp_nonce_new,
131 ocsp_nonce_free,
132 d2i_ocsp_nonce,
133 i2d_ocsp_nonce,
134 0,0,
135 0,0,
136 i2r_ocsp_nonce,0,
137 NULL
138};
139
140const X509V3_EXT_METHOD v3_ocsp_nocheck = {
141 NID_id_pkix_OCSP_noCheck, 0, ASN1_ITEM_ref(ASN1_NULL),
142 0,0,0,0,
143 0,s2i_ocsp_nocheck,
144 0,0,
145 i2r_ocsp_nocheck,0,
146 NULL
147};
148
149const X509V3_EXT_METHOD v3_ocsp_serviceloc = {
150 NID_id_pkix_OCSP_serviceLocator, 0, ASN1_ITEM_ref(OCSP_SERVICELOC),
151 0,0,0,0,
152 0,0,
153 0,0,
154 i2r_ocsp_serviceloc,0,
155 NULL
156};
157
158static int i2r_ocsp_crlid(const X509V3_EXT_METHOD *method, void *in, BIO *bp,
159 int ind)
160{
161 OCSP_CRLID *a = in;
162 if (a->crlUrl)
163 {
164 if (BIO_printf(bp, "%*scrlUrl: ", ind, "") <= 0) goto err;
165 if (!ASN1_STRING_print(bp, (ASN1_STRING*)a->crlUrl)) goto err;
166 if (BIO_write(bp, "\n", 1) <= 0) goto err;
167 }
168 if (a->crlNum)
169 {
170 if (BIO_printf(bp, "%*scrlNum: ", ind, "") <= 0) goto err;
171 if (i2a_ASN1_INTEGER(bp, a->crlNum) <= 0) goto err;
172 if (BIO_write(bp, "\n", 1) <= 0) goto err;
173 }
174 if (a->crlTime)
175 {
176 if (BIO_printf(bp, "%*scrlTime: ", ind, "") <= 0) goto err;
177 if (!ASN1_GENERALIZEDTIME_print(bp, a->crlTime)) goto err;
178 if (BIO_write(bp, "\n", 1) <= 0) goto err;
179 }
180 return 1;
181 err:
182 return 0;
183}
184
185static int i2r_ocsp_acutoff(const X509V3_EXT_METHOD *method, void *cutoff,
186 BIO *bp, int ind)
187{
188 if (BIO_printf(bp, "%*s", ind, "") <= 0) return 0;
189 if(!ASN1_GENERALIZEDTIME_print(bp, cutoff)) return 0;
190 return 1;
191}
192
193
194static int i2r_object(const X509V3_EXT_METHOD *method, void *oid, BIO *bp,
195 int ind)
196{
197 if (BIO_printf(bp, "%*s", ind, "") <= 0) return 0;
198 if(i2a_ASN1_OBJECT(bp, oid) <= 0) return 0;
199 return 1;
200}
201
202/* OCSP nonce. This is needs special treatment because it doesn't have
203 * an ASN1 encoding at all: it just contains arbitrary data.
204 */
205
206static void *ocsp_nonce_new(void)
207{
208 return ASN1_OCTET_STRING_new();
209}
210
211static int i2d_ocsp_nonce(void *a, unsigned char **pp)
212{
213 ASN1_OCTET_STRING *os = a;
214 if(pp) {
215 memcpy(*pp, os->data, os->length);
216 *pp += os->length;
217 }
218 return os->length;
219}
220
221static void *d2i_ocsp_nonce(void *a, const unsigned char **pp, long length)
222{
223 ASN1_OCTET_STRING *os, **pos;
224 pos = a;
225 if(!pos || !*pos) os = ASN1_OCTET_STRING_new();
226 else os = *pos;
227 if(!ASN1_OCTET_STRING_set(os, *pp, length)) goto err;
228
229 *pp += length;
230
231 if(pos) *pos = os;
232 return os;
233
234 err:
235 if(os && (!pos || (*pos != os))) M_ASN1_OCTET_STRING_free(os);
236 OCSPerr(OCSP_F_D2I_OCSP_NONCE, ERR_R_MALLOC_FAILURE);
237 return NULL;
238}
239
240static void ocsp_nonce_free(void *a)
241{
242 M_ASN1_OCTET_STRING_free(a);
243}
244
245static int i2r_ocsp_nonce(const X509V3_EXT_METHOD *method, void *nonce,
246 BIO *out, int indent)
247{
248 if(BIO_printf(out, "%*s", indent, "") <= 0) return 0;
249 if(i2a_ASN1_STRING(out, nonce, V_ASN1_OCTET_STRING) <= 0) return 0;
250 return 1;
251}
252
253/* Nocheck is just a single NULL. Don't print anything and always set it */
254
255static int i2r_ocsp_nocheck(const X509V3_EXT_METHOD *method, void *nocheck,
256 BIO *out, int indent)
257{
258 return 1;
259}
260
261static void *s2i_ocsp_nocheck(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
262 const char *str)
263{
264 return ASN1_NULL_new();
265}
266
267static int i2r_ocsp_serviceloc(const X509V3_EXT_METHOD *method, void *in,
268 BIO *bp, int ind)
269 {
270 int i;
271 OCSP_SERVICELOC *a = in;
272 ACCESS_DESCRIPTION *ad;
273
274 if (BIO_printf(bp, "%*sIssuer: ", ind, "") <= 0) goto err;
275 if (X509_NAME_print_ex(bp, a->issuer, 0, XN_FLAG_ONELINE) <= 0) goto err;
276 for (i = 0; i < sk_ACCESS_DESCRIPTION_num(a->locator); i++)
277 {
278 ad = sk_ACCESS_DESCRIPTION_value(a->locator,i);
279 if (BIO_printf(bp, "\n%*s", (2*ind), "") <= 0)
280 goto err;
281 if(i2a_ASN1_OBJECT(bp, ad->method) <= 0) goto err;
282 if(BIO_puts(bp, " - ") <= 0) goto err;
283 if(GENERAL_NAME_print(bp, ad->location) <= 0) goto err;
284 }
285 return 1;
286err:
287 return 0;
288 }
289#endif
diff --git a/src/lib/libcrypto/x509v3/v3_pci.c b/src/lib/libcrypto/x509v3/v3_pci.c
new file mode 100644
index 0000000000..0dcfa004fe
--- /dev/null
+++ b/src/lib/libcrypto/x509v3/v3_pci.c
@@ -0,0 +1,328 @@
1/* v3_pci.c -*- mode:C; c-file-style: "eay" -*- */
2/* Contributed to the OpenSSL Project 2004
3 * by Richard Levitte (richard@levitte.org)
4 */
5/* Copyright (c) 2004 Kungliga Tekniska Högskolan
6 * (Royal Institute of Technology, Stockholm, Sweden).
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 *
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 *
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in the
18 * documentation and/or other materials provided with the distribution.
19 *
20 * 3. Neither the name of the Institute nor the names of its contributors
21 * may be used to endorse or promote products derived from this software
22 * without specific prior written permission.
23 *
24 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
25 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
26 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
27 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
28 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
29 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
30 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
31 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
32 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
33 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 * SUCH DAMAGE.
35 */
36
37#include <stdio.h>
38#include "cryptlib.h"
39#include <openssl/conf.h>
40#include <openssl/x509v3.h>
41
42static int i2r_pci(X509V3_EXT_METHOD *method, PROXY_CERT_INFO_EXTENSION *ext,
43 BIO *out, int indent);
44static PROXY_CERT_INFO_EXTENSION *r2i_pci(X509V3_EXT_METHOD *method,
45 X509V3_CTX *ctx, char *str);
46
47const X509V3_EXT_METHOD v3_pci =
48 { NID_proxyCertInfo, 0, ASN1_ITEM_ref(PROXY_CERT_INFO_EXTENSION),
49 0,0,0,0,
50 0,0,
51 NULL, NULL,
52 (X509V3_EXT_I2R)i2r_pci,
53 (X509V3_EXT_R2I)r2i_pci,
54 NULL,
55 };
56
57static int i2r_pci(X509V3_EXT_METHOD *method, PROXY_CERT_INFO_EXTENSION *pci,
58 BIO *out, int indent)
59 {
60 BIO_printf(out, "%*sPath Length Constraint: ", indent, "");
61 if (pci->pcPathLengthConstraint)
62 i2a_ASN1_INTEGER(out, pci->pcPathLengthConstraint);
63 else
64 BIO_printf(out, "infinite");
65 BIO_puts(out, "\n");
66 BIO_printf(out, "%*sPolicy Language: ", indent, "");
67 i2a_ASN1_OBJECT(out, pci->proxyPolicy->policyLanguage);
68 BIO_puts(out, "\n");
69 if (pci->proxyPolicy->policy && pci->proxyPolicy->policy->data)
70 BIO_printf(out, "%*sPolicy Text: %s\n", indent, "",
71 pci->proxyPolicy->policy->data);
72 return 1;
73 }
74
75static int process_pci_value(CONF_VALUE *val,
76 ASN1_OBJECT **language, ASN1_INTEGER **pathlen,
77 ASN1_OCTET_STRING **policy)
78 {
79 int free_policy = 0;
80
81 if (strcmp(val->name, "language") == 0)
82 {
83 if (*language)
84 {
85 X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_POLICY_LANGUAGE_ALREADY_DEFINED);
86 X509V3_conf_err(val);
87 return 0;
88 }
89 if (!(*language = OBJ_txt2obj(val->value, 0)))
90 {
91 X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_INVALID_OBJECT_IDENTIFIER);
92 X509V3_conf_err(val);
93 return 0;
94 }
95 }
96 else if (strcmp(val->name, "pathlen") == 0)
97 {
98 if (*pathlen)
99 {
100 X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_POLICY_PATH_LENGTH_ALREADY_DEFINED);
101 X509V3_conf_err(val);
102 return 0;
103 }
104 if (!X509V3_get_value_int(val, pathlen))
105 {
106 X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_POLICY_PATH_LENGTH);
107 X509V3_conf_err(val);
108 return 0;
109 }
110 }
111 else if (strcmp(val->name, "policy") == 0)
112 {
113 unsigned char *tmp_data = NULL;
114 long val_len;
115 if (!*policy)
116 {
117 *policy = ASN1_OCTET_STRING_new();
118 if (!*policy)
119 {
120 X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_MALLOC_FAILURE);
121 X509V3_conf_err(val);
122 return 0;
123 }
124 free_policy = 1;
125 }
126 if (strncmp(val->value, "hex:", 4) == 0)
127 {
128 unsigned char *tmp_data2 =
129 string_to_hex(val->value + 4, &val_len);
130
131 if (!tmp_data2)
132 {
133 X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_ILLEGAL_HEX_DIGIT);
134 X509V3_conf_err(val);
135 goto err;
136 }
137
138 tmp_data = OPENSSL_realloc((*policy)->data,
139 (*policy)->length + val_len + 1);
140 if (tmp_data)
141 {
142 (*policy)->data = tmp_data;
143 memcpy(&(*policy)->data[(*policy)->length],
144 tmp_data2, val_len);
145 (*policy)->length += val_len;
146 (*policy)->data[(*policy)->length] = '\0';
147 }
148 else
149 {
150 OPENSSL_free(tmp_data2);
151 /* realloc failure implies the original data space is b0rked too! */
152 (*policy)->data = NULL;
153 (*policy)->length = 0;
154 X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_MALLOC_FAILURE);
155 X509V3_conf_err(val);
156 goto err;
157 }
158 OPENSSL_free(tmp_data2);
159 }
160 else if (strncmp(val->value, "file:", 5) == 0)
161 {
162 unsigned char buf[2048];
163 int n;
164 BIO *b = BIO_new_file(val->value + 5, "r");
165 if (!b)
166 {
167 X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_BIO_LIB);
168 X509V3_conf_err(val);
169 goto err;
170 }
171 while((n = BIO_read(b, buf, sizeof(buf))) > 0
172 || (n == 0 && BIO_should_retry(b)))
173 {
174 if (!n) continue;
175
176 tmp_data = OPENSSL_realloc((*policy)->data,
177 (*policy)->length + n + 1);
178
179 if (!tmp_data)
180 break;
181
182 (*policy)->data = tmp_data;
183 memcpy(&(*policy)->data[(*policy)->length],
184 buf, n);
185 (*policy)->length += n;
186 (*policy)->data[(*policy)->length] = '\0';
187 }
188 BIO_free_all(b);
189
190 if (n < 0)
191 {
192 X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_BIO_LIB);
193 X509V3_conf_err(val);
194 goto err;
195 }
196 }
197 else if (strncmp(val->value, "text:", 5) == 0)
198 {
199 val_len = strlen(val->value + 5);
200 tmp_data = OPENSSL_realloc((*policy)->data,
201 (*policy)->length + val_len + 1);
202 if (tmp_data)
203 {
204 (*policy)->data = tmp_data;
205 memcpy(&(*policy)->data[(*policy)->length],
206 val->value + 5, val_len);
207 (*policy)->length += val_len;
208 (*policy)->data[(*policy)->length] = '\0';
209 }
210 else
211 {
212 /* realloc failure implies the original data space is b0rked too! */
213 (*policy)->data = NULL;
214 (*policy)->length = 0;
215 X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_MALLOC_FAILURE);
216 X509V3_conf_err(val);
217 goto err;
218 }
219 }
220 else
221 {
222 X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_INCORRECT_POLICY_SYNTAX_TAG);
223 X509V3_conf_err(val);
224 goto err;
225 }
226 if (!tmp_data)
227 {
228 X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_MALLOC_FAILURE);
229 X509V3_conf_err(val);
230 goto err;
231 }
232 }
233 return 1;
234err:
235 if (free_policy)
236 {
237 ASN1_OCTET_STRING_free(*policy);
238 *policy = NULL;
239 }
240 return 0;
241 }
242
243static PROXY_CERT_INFO_EXTENSION *r2i_pci(X509V3_EXT_METHOD *method,
244 X509V3_CTX *ctx, char *value)
245 {
246 PROXY_CERT_INFO_EXTENSION *pci = NULL;
247 STACK_OF(CONF_VALUE) *vals;
248 ASN1_OBJECT *language = NULL;
249 ASN1_INTEGER *pathlen = NULL;
250 ASN1_OCTET_STRING *policy = NULL;
251 int i, j;
252
253 vals = X509V3_parse_list(value);
254 for (i = 0; i < sk_CONF_VALUE_num(vals); i++)
255 {
256 CONF_VALUE *cnf = sk_CONF_VALUE_value(vals, i);
257 if (!cnf->name || (*cnf->name != '@' && !cnf->value))
258 {
259 X509V3err(X509V3_F_R2I_PCI,X509V3_R_INVALID_PROXY_POLICY_SETTING);
260 X509V3_conf_err(cnf);
261 goto err;
262 }
263 if (*cnf->name == '@')
264 {
265 STACK_OF(CONF_VALUE) *sect;
266 int success_p = 1;
267
268 sect = X509V3_get_section(ctx, cnf->name + 1);
269 if (!sect)
270 {
271 X509V3err(X509V3_F_R2I_PCI,X509V3_R_INVALID_SECTION);
272 X509V3_conf_err(cnf);
273 goto err;
274 }
275 for (j = 0; success_p && j < sk_CONF_VALUE_num(sect); j++)
276 {
277 success_p =
278 process_pci_value(sk_CONF_VALUE_value(sect, j),
279 &language, &pathlen, &policy);
280 }
281 X509V3_section_free(ctx, sect);
282 if (!success_p)
283 goto err;
284 }
285 else
286 {
287 if (!process_pci_value(cnf,
288 &language, &pathlen, &policy))
289 {
290 X509V3_conf_err(cnf);
291 goto err;
292 }
293 }
294 }
295
296 /* Language is mandatory */
297 if (!language)
298 {
299 X509V3err(X509V3_F_R2I_PCI,X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED);
300 goto err;
301 }
302 i = OBJ_obj2nid(language);
303 if ((i == NID_Independent || i == NID_id_ppl_inheritAll) && policy)
304 {
305 X509V3err(X509V3_F_R2I_PCI,X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY);
306 goto err;
307 }
308
309 pci = PROXY_CERT_INFO_EXTENSION_new();
310 if (!pci)
311 {
312 X509V3err(X509V3_F_R2I_PCI,ERR_R_MALLOC_FAILURE);
313 goto err;
314 }
315
316 pci->proxyPolicy->policyLanguage = language; language = NULL;
317 pci->proxyPolicy->policy = policy; policy = NULL;
318 pci->pcPathLengthConstraint = pathlen; pathlen = NULL;
319 goto end;
320err:
321 if (language) { ASN1_OBJECT_free(language); language = NULL; }
322 if (pathlen) { ASN1_INTEGER_free(pathlen); pathlen = NULL; }
323 if (policy) { ASN1_OCTET_STRING_free(policy); policy = NULL; }
324 if (pci) { PROXY_CERT_INFO_EXTENSION_free(pci); pci = NULL; }
325end:
326 sk_CONF_VALUE_pop_free(vals, X509V3_conf_free);
327 return pci;
328 }
diff --git a/src/lib/libcrypto/x509v3/v3_pcia.c b/src/lib/libcrypto/x509v3/v3_pcia.c
new file mode 100644
index 0000000000..bb362e0e5a
--- /dev/null
+++ b/src/lib/libcrypto/x509v3/v3_pcia.c
@@ -0,0 +1,55 @@
1/* v3_pcia.c -*- mode:C; c-file-style: "eay" -*- */
2/* Contributed to the OpenSSL Project 2004
3 * by Richard Levitte (richard@levitte.org)
4 */
5/* Copyright (c) 2004 Kungliga Tekniska Högskolan
6 * (Royal Institute of Technology, Stockholm, Sweden).
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 *
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 *
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in the
18 * documentation and/or other materials provided with the distribution.
19 *
20 * 3. Neither the name of the Institute nor the names of its contributors
21 * may be used to endorse or promote products derived from this software
22 * without specific prior written permission.
23 *
24 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
25 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
26 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
27 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
28 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
29 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
30 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
31 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
32 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
33 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 * SUCH DAMAGE.
35 */
36
37#include <openssl/asn1.h>
38#include <openssl/asn1t.h>
39#include <openssl/x509v3.h>
40
41ASN1_SEQUENCE(PROXY_POLICY) =
42 {
43 ASN1_SIMPLE(PROXY_POLICY,policyLanguage,ASN1_OBJECT),
44 ASN1_OPT(PROXY_POLICY,policy,ASN1_OCTET_STRING)
45} ASN1_SEQUENCE_END(PROXY_POLICY)
46
47IMPLEMENT_ASN1_FUNCTIONS(PROXY_POLICY)
48
49ASN1_SEQUENCE(PROXY_CERT_INFO_EXTENSION) =
50 {
51 ASN1_OPT(PROXY_CERT_INFO_EXTENSION,pcPathLengthConstraint,ASN1_INTEGER),
52 ASN1_SIMPLE(PROXY_CERT_INFO_EXTENSION,proxyPolicy,PROXY_POLICY)
53} ASN1_SEQUENCE_END(PROXY_CERT_INFO_EXTENSION)
54
55IMPLEMENT_ASN1_FUNCTIONS(PROXY_CERT_INFO_EXTENSION)
diff --git a/src/lib/libcrypto/x509v3/v3_pcons.c b/src/lib/libcrypto/x509v3/v3_pcons.c
new file mode 100644
index 0000000000..30ca652351
--- /dev/null
+++ b/src/lib/libcrypto/x509v3/v3_pcons.c
@@ -0,0 +1,140 @@
1/* v3_pcons.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project.
4 */
5/* ====================================================================
6 * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59
60#include <stdio.h>
61#include "cryptlib.h"
62#include <openssl/asn1.h>
63#include <openssl/asn1t.h>
64#include <openssl/conf.h>
65#include <openssl/x509v3.h>
66
67static STACK_OF(CONF_VALUE) *
68i2v_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD *method, void *bcons,
69 STACK_OF(CONF_VALUE) *extlist);
70static void *v2i_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD *method,
71 X509V3_CTX *ctx,
72 STACK_OF(CONF_VALUE) *values);
73
74const X509V3_EXT_METHOD v3_policy_constraints = {
75NID_policy_constraints, 0,
76ASN1_ITEM_ref(POLICY_CONSTRAINTS),
770,0,0,0,
780,0,
79i2v_POLICY_CONSTRAINTS,
80v2i_POLICY_CONSTRAINTS,
81NULL,NULL,
82NULL
83};
84
85ASN1_SEQUENCE(POLICY_CONSTRAINTS) = {
86 ASN1_IMP_OPT(POLICY_CONSTRAINTS, requireExplicitPolicy, ASN1_INTEGER,0),
87 ASN1_IMP_OPT(POLICY_CONSTRAINTS, inhibitPolicyMapping, ASN1_INTEGER,1)
88} ASN1_SEQUENCE_END(POLICY_CONSTRAINTS)
89
90IMPLEMENT_ASN1_ALLOC_FUNCTIONS(POLICY_CONSTRAINTS)
91
92
93static STACK_OF(CONF_VALUE) *
94i2v_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD *method, void *a,
95 STACK_OF(CONF_VALUE) *extlist)
96{
97 POLICY_CONSTRAINTS *pcons = a;
98 X509V3_add_value_int("Require Explicit Policy",
99 pcons->requireExplicitPolicy, &extlist);
100 X509V3_add_value_int("Inhibit Policy Mapping",
101 pcons->inhibitPolicyMapping, &extlist);
102 return extlist;
103}
104
105static void *v2i_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD *method,
106 X509V3_CTX *ctx,
107 STACK_OF(CONF_VALUE) *values)
108{
109 POLICY_CONSTRAINTS *pcons=NULL;
110 CONF_VALUE *val;
111 int i;
112 if(!(pcons = POLICY_CONSTRAINTS_new())) {
113 X509V3err(X509V3_F_V2I_POLICY_CONSTRAINTS, ERR_R_MALLOC_FAILURE);
114 return NULL;
115 }
116 for(i = 0; i < sk_CONF_VALUE_num(values); i++) {
117 val = sk_CONF_VALUE_value(values, i);
118 if(!strcmp(val->name, "requireExplicitPolicy")) {
119 if(!X509V3_get_value_int(val,
120 &pcons->requireExplicitPolicy)) goto err;
121 } else if(!strcmp(val->name, "inhibitPolicyMapping")) {
122 if(!X509V3_get_value_int(val,
123 &pcons->inhibitPolicyMapping)) goto err;
124 } else {
125 X509V3err(X509V3_F_V2I_POLICY_CONSTRAINTS, X509V3_R_INVALID_NAME);
126 X509V3_conf_err(val);
127 goto err;
128 }
129 }
130 if (!pcons->inhibitPolicyMapping && !pcons->requireExplicitPolicy) {
131 X509V3err(X509V3_F_V2I_POLICY_CONSTRAINTS, X509V3_R_ILLEGAL_EMPTY_EXTENSION);
132 goto err;
133 }
134
135 return pcons;
136 err:
137 POLICY_CONSTRAINTS_free(pcons);
138 return NULL;
139}
140
diff --git a/src/lib/libcrypto/x509v3/v3_pku.c b/src/lib/libcrypto/x509v3/v3_pku.c
new file mode 100644
index 0000000000..076f3ff48e
--- /dev/null
+++ b/src/lib/libcrypto/x509v3/v3_pku.c
@@ -0,0 +1,108 @@
1/* v3_pku.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/asn1.h>
62#include <openssl/asn1t.h>
63#include <openssl/x509v3.h>
64
65static int i2r_PKEY_USAGE_PERIOD(X509V3_EXT_METHOD *method, PKEY_USAGE_PERIOD *usage, BIO *out, int indent);
66/*
67static PKEY_USAGE_PERIOD *v2i_PKEY_USAGE_PERIOD(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values);
68*/
69const X509V3_EXT_METHOD v3_pkey_usage_period = {
70NID_private_key_usage_period, 0, ASN1_ITEM_ref(PKEY_USAGE_PERIOD),
710,0,0,0,
720,0,0,0,
73(X509V3_EXT_I2R)i2r_PKEY_USAGE_PERIOD, NULL,
74NULL
75};
76
77ASN1_SEQUENCE(PKEY_USAGE_PERIOD) = {
78 ASN1_IMP_OPT(PKEY_USAGE_PERIOD, notBefore, ASN1_GENERALIZEDTIME, 0),
79 ASN1_IMP_OPT(PKEY_USAGE_PERIOD, notAfter, ASN1_GENERALIZEDTIME, 1)
80} ASN1_SEQUENCE_END(PKEY_USAGE_PERIOD)
81
82IMPLEMENT_ASN1_FUNCTIONS(PKEY_USAGE_PERIOD)
83
84static int i2r_PKEY_USAGE_PERIOD(X509V3_EXT_METHOD *method,
85 PKEY_USAGE_PERIOD *usage, BIO *out, int indent)
86{
87 BIO_printf(out, "%*s", indent, "");
88 if(usage->notBefore) {
89 BIO_write(out, "Not Before: ", 12);
90 ASN1_GENERALIZEDTIME_print(out, usage->notBefore);
91 if(usage->notAfter) BIO_write(out, ", ", 2);
92 }
93 if(usage->notAfter) {
94 BIO_write(out, "Not After: ", 11);
95 ASN1_GENERALIZEDTIME_print(out, usage->notAfter);
96 }
97 return 1;
98}
99
100/*
101static PKEY_USAGE_PERIOD *v2i_PKEY_USAGE_PERIOD(method, ctx, values)
102X509V3_EXT_METHOD *method;
103X509V3_CTX *ctx;
104STACK_OF(CONF_VALUE) *values;
105{
106return NULL;
107}
108*/
diff --git a/src/lib/libcrypto/x509v3/v3_pmaps.c b/src/lib/libcrypto/x509v3/v3_pmaps.c
new file mode 100644
index 0000000000..865bcd3980
--- /dev/null
+++ b/src/lib/libcrypto/x509v3/v3_pmaps.c
@@ -0,0 +1,155 @@
1/* v3_pmaps.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project.
4 */
5/* ====================================================================
6 * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59
60#include <stdio.h>
61#include "cryptlib.h"
62#include <openssl/asn1t.h>
63#include <openssl/conf.h>
64#include <openssl/x509v3.h>
65
66static void *v2i_POLICY_MAPPINGS(const X509V3_EXT_METHOD *method,
67 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
68static STACK_OF(CONF_VALUE) *
69i2v_POLICY_MAPPINGS(const X509V3_EXT_METHOD *method, void *pmps,
70 STACK_OF(CONF_VALUE) *extlist);
71
72const X509V3_EXT_METHOD v3_policy_mappings = {
73 NID_policy_mappings, 0,
74 ASN1_ITEM_ref(POLICY_MAPPINGS),
75 0,0,0,0,
76 0,0,
77 i2v_POLICY_MAPPINGS,
78 v2i_POLICY_MAPPINGS,
79 0,0,
80 NULL
81};
82
83ASN1_SEQUENCE(POLICY_MAPPING) = {
84 ASN1_SIMPLE(POLICY_MAPPING, issuerDomainPolicy, ASN1_OBJECT),
85 ASN1_SIMPLE(POLICY_MAPPING, subjectDomainPolicy, ASN1_OBJECT)
86} ASN1_SEQUENCE_END(POLICY_MAPPING)
87
88ASN1_ITEM_TEMPLATE(POLICY_MAPPINGS) =
89 ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, POLICY_MAPPINGS,
90 POLICY_MAPPING)
91ASN1_ITEM_TEMPLATE_END(POLICY_MAPPINGS)
92
93IMPLEMENT_ASN1_ALLOC_FUNCTIONS(POLICY_MAPPING)
94
95
96static STACK_OF(CONF_VALUE) *
97i2v_POLICY_MAPPINGS(const X509V3_EXT_METHOD *method, void *a,
98 STACK_OF(CONF_VALUE) *ext_list)
99{
100 POLICY_MAPPINGS *pmaps = a;
101 POLICY_MAPPING *pmap;
102 int i;
103 char obj_tmp1[80];
104 char obj_tmp2[80];
105 for(i = 0; i < sk_POLICY_MAPPING_num(pmaps); i++) {
106 pmap = sk_POLICY_MAPPING_value(pmaps, i);
107 i2t_ASN1_OBJECT(obj_tmp1, 80, pmap->issuerDomainPolicy);
108 i2t_ASN1_OBJECT(obj_tmp2, 80, pmap->subjectDomainPolicy);
109 X509V3_add_value(obj_tmp1, obj_tmp2, &ext_list);
110 }
111 return ext_list;
112}
113
114static void *v2i_POLICY_MAPPINGS(const X509V3_EXT_METHOD *method,
115 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
116{
117 POLICY_MAPPINGS *pmaps;
118 POLICY_MAPPING *pmap;
119 ASN1_OBJECT *obj1, *obj2;
120 CONF_VALUE *val;
121 int i;
122
123 if(!(pmaps = sk_POLICY_MAPPING_new_null())) {
124 X509V3err(X509V3_F_V2I_POLICY_MAPPINGS,ERR_R_MALLOC_FAILURE);
125 return NULL;
126 }
127
128 for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
129 val = sk_CONF_VALUE_value(nval, i);
130 if(!val->value || !val->name) {
131 sk_POLICY_MAPPING_pop_free(pmaps, POLICY_MAPPING_free);
132 X509V3err(X509V3_F_V2I_POLICY_MAPPINGS,X509V3_R_INVALID_OBJECT_IDENTIFIER);
133 X509V3_conf_err(val);
134 return NULL;
135 }
136 obj1 = OBJ_txt2obj(val->name, 0);
137 obj2 = OBJ_txt2obj(val->value, 0);
138 if(!obj1 || !obj2) {
139 sk_POLICY_MAPPING_pop_free(pmaps, POLICY_MAPPING_free);
140 X509V3err(X509V3_F_V2I_POLICY_MAPPINGS,X509V3_R_INVALID_OBJECT_IDENTIFIER);
141 X509V3_conf_err(val);
142 return NULL;
143 }
144 pmap = POLICY_MAPPING_new();
145 if (!pmap) {
146 sk_POLICY_MAPPING_pop_free(pmaps, POLICY_MAPPING_free);
147 X509V3err(X509V3_F_V2I_POLICY_MAPPINGS,ERR_R_MALLOC_FAILURE);
148 return NULL;
149 }
150 pmap->issuerDomainPolicy = obj1;
151 pmap->subjectDomainPolicy = obj2;
152 sk_POLICY_MAPPING_push(pmaps, pmap);
153 }
154 return pmaps;
155}
diff --git a/src/lib/libcrypto/x509v3/v3_prn.c b/src/lib/libcrypto/x509v3/v3_prn.c
new file mode 100644
index 0000000000..3146218708
--- /dev/null
+++ b/src/lib/libcrypto/x509v3/v3_prn.c
@@ -0,0 +1,234 @@
1/* v3_prn.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58/* X509 v3 extension utilities */
59
60#include <stdio.h>
61#include "cryptlib.h"
62#include <openssl/conf.h>
63#include <openssl/x509v3.h>
64
65/* Extension printing routines */
66
67static int unknown_ext_print(BIO *out, X509_EXTENSION *ext, unsigned long flag, int indent, int supported);
68
69/* Print out a name+value stack */
70
71void X509V3_EXT_val_prn(BIO *out, STACK_OF(CONF_VALUE) *val, int indent, int ml)
72{
73 int i;
74 CONF_VALUE *nval;
75 if(!val) return;
76 if(!ml || !sk_CONF_VALUE_num(val)) {
77 BIO_printf(out, "%*s", indent, "");
78 if(!sk_CONF_VALUE_num(val)) BIO_puts(out, "<EMPTY>\n");
79 }
80 for(i = 0; i < sk_CONF_VALUE_num(val); i++) {
81 if(ml) BIO_printf(out, "%*s", indent, "");
82 else if(i > 0) BIO_printf(out, ", ");
83 nval = sk_CONF_VALUE_value(val, i);
84 if(!nval->name) BIO_puts(out, nval->value);
85 else if(!nval->value) BIO_puts(out, nval->name);
86#ifndef CHARSET_EBCDIC
87 else BIO_printf(out, "%s:%s", nval->name, nval->value);
88#else
89 else {
90 int len;
91 char *tmp;
92 len = strlen(nval->value)+1;
93 tmp = OPENSSL_malloc(len);
94 if (tmp)
95 {
96 ascii2ebcdic(tmp, nval->value, len);
97 BIO_printf(out, "%s:%s", nval->name, tmp);
98 OPENSSL_free(tmp);
99 }
100 }
101#endif
102 if(ml) BIO_puts(out, "\n");
103 }
104}
105
106/* Main routine: print out a general extension */
107
108int X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, unsigned long flag, int indent)
109{
110 void *ext_str = NULL;
111 char *value = NULL;
112 const unsigned char *p;
113 const X509V3_EXT_METHOD *method;
114 STACK_OF(CONF_VALUE) *nval = NULL;
115 int ok = 1;
116
117 if(!(method = X509V3_EXT_get(ext)))
118 return unknown_ext_print(out, ext, flag, indent, 0);
119 p = ext->value->data;
120 if(method->it) ext_str = ASN1_item_d2i(NULL, &p, ext->value->length, ASN1_ITEM_ptr(method->it));
121 else ext_str = method->d2i(NULL, &p, ext->value->length);
122
123 if(!ext_str) return unknown_ext_print(out, ext, flag, indent, 1);
124
125 if(method->i2s) {
126 if(!(value = method->i2s(method, ext_str))) {
127 ok = 0;
128 goto err;
129 }
130#ifndef CHARSET_EBCDIC
131 BIO_printf(out, "%*s%s", indent, "", value);
132#else
133 {
134 int len;
135 char *tmp;
136 len = strlen(value)+1;
137 tmp = OPENSSL_malloc(len);
138 if (tmp)
139 {
140 ascii2ebcdic(tmp, value, len);
141 BIO_printf(out, "%*s%s", indent, "", tmp);
142 OPENSSL_free(tmp);
143 }
144 }
145#endif
146 } else if(method->i2v) {
147 if(!(nval = method->i2v(method, ext_str, NULL))) {
148 ok = 0;
149 goto err;
150 }
151 X509V3_EXT_val_prn(out, nval, indent,
152 method->ext_flags & X509V3_EXT_MULTILINE);
153 } else if(method->i2r) {
154 if(!method->i2r(method, ext_str, out, indent)) ok = 0;
155 } else ok = 0;
156
157 err:
158 sk_CONF_VALUE_pop_free(nval, X509V3_conf_free);
159 if(value) OPENSSL_free(value);
160 if(method->it) ASN1_item_free(ext_str, ASN1_ITEM_ptr(method->it));
161 else method->ext_free(ext_str);
162 return ok;
163}
164
165int X509V3_extensions_print(BIO *bp, char *title, STACK_OF(X509_EXTENSION) *exts, unsigned long flag, int indent)
166{
167 int i, j;
168
169 if(sk_X509_EXTENSION_num(exts) <= 0) return 1;
170
171 if(title)
172 {
173 BIO_printf(bp,"%*s%s:\n",indent, "", title);
174 indent += 4;
175 }
176
177 for (i=0; i<sk_X509_EXTENSION_num(exts); i++)
178 {
179 ASN1_OBJECT *obj;
180 X509_EXTENSION *ex;
181 ex=sk_X509_EXTENSION_value(exts, i);
182 if (indent && BIO_printf(bp,"%*s",indent, "") <= 0) return 0;
183 obj=X509_EXTENSION_get_object(ex);
184 i2a_ASN1_OBJECT(bp,obj);
185 j=X509_EXTENSION_get_critical(ex);
186 if (BIO_printf(bp,": %s\n",j?"critical":"") <= 0)
187 return 0;
188 if(!X509V3_EXT_print(bp, ex, flag, indent + 4))
189 {
190 BIO_printf(bp, "%*s", indent + 4, "");
191 M_ASN1_OCTET_STRING_print(bp,ex->value);
192 }
193 if (BIO_write(bp,"\n",1) <= 0) return 0;
194 }
195 return 1;
196}
197
198static int unknown_ext_print(BIO *out, X509_EXTENSION *ext, unsigned long flag, int indent, int supported)
199{
200 switch(flag & X509V3_EXT_UNKNOWN_MASK) {
201
202 case X509V3_EXT_DEFAULT:
203 return 0;
204
205 case X509V3_EXT_ERROR_UNKNOWN:
206 if(supported)
207 BIO_printf(out, "%*s<Parse Error>", indent, "");
208 else
209 BIO_printf(out, "%*s<Not Supported>", indent, "");
210 return 1;
211
212 case X509V3_EXT_PARSE_UNKNOWN:
213 return ASN1_parse_dump(out,
214 ext->value->data, ext->value->length, indent, -1);
215 case X509V3_EXT_DUMP_UNKNOWN:
216 return BIO_dump_indent(out, (char *)ext->value->data, ext->value->length, indent);
217
218 default:
219 return 1;
220 }
221}
222
223
224#ifndef OPENSSL_NO_FP_API
225int X509V3_EXT_print_fp(FILE *fp, X509_EXTENSION *ext, int flag, int indent)
226{
227 BIO *bio_tmp;
228 int ret;
229 if(!(bio_tmp = BIO_new_fp(fp, BIO_NOCLOSE))) return 0;
230 ret = X509V3_EXT_print(bio_tmp, ext, flag, indent);
231 BIO_free(bio_tmp);
232 return ret;
233}
234#endif
diff --git a/src/lib/libcrypto/x509v3/v3_purp.c b/src/lib/libcrypto/x509v3/v3_purp.c
new file mode 100644
index 0000000000..181bd34979
--- /dev/null
+++ b/src/lib/libcrypto/x509v3/v3_purp.c
@@ -0,0 +1,767 @@
1/* v3_purp.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2001.
4 */
5/* ====================================================================
6 * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/x509v3.h>
62#include <openssl/x509_vfy.h>
63
64static void x509v3_cache_extensions(X509 *x);
65
66static int check_ssl_ca(const X509 *x);
67static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, int ca);
68static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca);
69static int check_purpose_ns_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca);
70static int purpose_smime(const X509 *x, int ca);
71static int check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x, int ca);
72static int check_purpose_smime_encrypt(const X509_PURPOSE *xp, const X509 *x, int ca);
73static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x, int ca);
74static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x, int ca);
75static int no_check(const X509_PURPOSE *xp, const X509 *x, int ca);
76static int ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca);
77
78static int xp_cmp(const X509_PURPOSE * const *a,
79 const X509_PURPOSE * const *b);
80static void xptable_free(X509_PURPOSE *p);
81
82static X509_PURPOSE xstandard[] = {
83 {X509_PURPOSE_SSL_CLIENT, X509_TRUST_SSL_CLIENT, 0, check_purpose_ssl_client, "SSL client", "sslclient", NULL},
84 {X509_PURPOSE_SSL_SERVER, X509_TRUST_SSL_SERVER, 0, check_purpose_ssl_server, "SSL server", "sslserver", NULL},
85 {X509_PURPOSE_NS_SSL_SERVER, X509_TRUST_SSL_SERVER, 0, check_purpose_ns_ssl_server, "Netscape SSL server", "nssslserver", NULL},
86 {X509_PURPOSE_SMIME_SIGN, X509_TRUST_EMAIL, 0, check_purpose_smime_sign, "S/MIME signing", "smimesign", NULL},
87 {X509_PURPOSE_SMIME_ENCRYPT, X509_TRUST_EMAIL, 0, check_purpose_smime_encrypt, "S/MIME encryption", "smimeencrypt", NULL},
88 {X509_PURPOSE_CRL_SIGN, X509_TRUST_COMPAT, 0, check_purpose_crl_sign, "CRL signing", "crlsign", NULL},
89 {X509_PURPOSE_ANY, X509_TRUST_DEFAULT, 0, no_check, "Any Purpose", "any", NULL},
90 {X509_PURPOSE_OCSP_HELPER, X509_TRUST_COMPAT, 0, ocsp_helper, "OCSP helper", "ocsphelper", NULL},
91 {X509_PURPOSE_TIMESTAMP_SIGN, X509_TRUST_TSA, 0, check_purpose_timestamp_sign, "Time Stamp signing", "timestampsign", NULL},
92};
93
94#define X509_PURPOSE_COUNT (sizeof(xstandard)/sizeof(X509_PURPOSE))
95
96IMPLEMENT_STACK_OF(X509_PURPOSE)
97
98static STACK_OF(X509_PURPOSE) *xptable = NULL;
99
100static int xp_cmp(const X509_PURPOSE * const *a,
101 const X509_PURPOSE * const *b)
102{
103 return (*a)->purpose - (*b)->purpose;
104}
105
106/* As much as I'd like to make X509_check_purpose use a "const" X509*
107 * I really can't because it does recalculate hashes and do other non-const
108 * things. */
109int X509_check_purpose(X509 *x, int id, int ca)
110{
111 int idx;
112 const X509_PURPOSE *pt;
113 if(!(x->ex_flags & EXFLAG_SET)) {
114 CRYPTO_w_lock(CRYPTO_LOCK_X509);
115 x509v3_cache_extensions(x);
116 CRYPTO_w_unlock(CRYPTO_LOCK_X509);
117 }
118 if(id == -1) return 1;
119 idx = X509_PURPOSE_get_by_id(id);
120 if(idx == -1) return -1;
121 pt = X509_PURPOSE_get0(idx);
122 return pt->check_purpose(pt, x, ca);
123}
124
125int X509_PURPOSE_set(int *p, int purpose)
126{
127 if(X509_PURPOSE_get_by_id(purpose) == -1) {
128 X509V3err(X509V3_F_X509_PURPOSE_SET, X509V3_R_INVALID_PURPOSE);
129 return 0;
130 }
131 *p = purpose;
132 return 1;
133}
134
135int X509_PURPOSE_get_count(void)
136{
137 if(!xptable) return X509_PURPOSE_COUNT;
138 return sk_X509_PURPOSE_num(xptable) + X509_PURPOSE_COUNT;
139}
140
141X509_PURPOSE * X509_PURPOSE_get0(int idx)
142{
143 if(idx < 0) return NULL;
144 if(idx < (int)X509_PURPOSE_COUNT) return xstandard + idx;
145 return sk_X509_PURPOSE_value(xptable, idx - X509_PURPOSE_COUNT);
146}
147
148int X509_PURPOSE_get_by_sname(char *sname)
149{
150 int i;
151 X509_PURPOSE *xptmp;
152 for(i = 0; i < X509_PURPOSE_get_count(); i++) {
153 xptmp = X509_PURPOSE_get0(i);
154 if(!strcmp(xptmp->sname, sname)) return i;
155 }
156 return -1;
157}
158
159int X509_PURPOSE_get_by_id(int purpose)
160{
161 X509_PURPOSE tmp;
162 int idx;
163 if((purpose >= X509_PURPOSE_MIN) && (purpose <= X509_PURPOSE_MAX))
164 return purpose - X509_PURPOSE_MIN;
165 tmp.purpose = purpose;
166 if(!xptable) return -1;
167 idx = sk_X509_PURPOSE_find(xptable, &tmp);
168 if(idx == -1) return -1;
169 return idx + X509_PURPOSE_COUNT;
170}
171
172int X509_PURPOSE_add(int id, int trust, int flags,
173 int (*ck)(const X509_PURPOSE *, const X509 *, int),
174 char *name, char *sname, void *arg)
175{
176 int idx;
177 X509_PURPOSE *ptmp;
178 /* This is set according to what we change: application can't set it */
179 flags &= ~X509_PURPOSE_DYNAMIC;
180 /* This will always be set for application modified trust entries */
181 flags |= X509_PURPOSE_DYNAMIC_NAME;
182 /* Get existing entry if any */
183 idx = X509_PURPOSE_get_by_id(id);
184 /* Need a new entry */
185 if(idx == -1) {
186 if(!(ptmp = OPENSSL_malloc(sizeof(X509_PURPOSE)))) {
187 X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE);
188 return 0;
189 }
190 ptmp->flags = X509_PURPOSE_DYNAMIC;
191 } else ptmp = X509_PURPOSE_get0(idx);
192
193 /* OPENSSL_free existing name if dynamic */
194 if(ptmp->flags & X509_PURPOSE_DYNAMIC_NAME) {
195 OPENSSL_free(ptmp->name);
196 OPENSSL_free(ptmp->sname);
197 }
198 /* dup supplied name */
199 ptmp->name = BUF_strdup(name);
200 ptmp->sname = BUF_strdup(sname);
201 if(!ptmp->name || !ptmp->sname) {
202 X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE);
203 return 0;
204 }
205 /* Keep the dynamic flag of existing entry */
206 ptmp->flags &= X509_PURPOSE_DYNAMIC;
207 /* Set all other flags */
208 ptmp->flags |= flags;
209
210 ptmp->purpose = id;
211 ptmp->trust = trust;
212 ptmp->check_purpose = ck;
213 ptmp->usr_data = arg;
214
215 /* If its a new entry manage the dynamic table */
216 if(idx == -1) {
217 if(!xptable && !(xptable = sk_X509_PURPOSE_new(xp_cmp))) {
218 X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE);
219 return 0;
220 }
221 if (!sk_X509_PURPOSE_push(xptable, ptmp)) {
222 X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE);
223 return 0;
224 }
225 }
226 return 1;
227}
228
229static void xptable_free(X509_PURPOSE *p)
230 {
231 if(!p) return;
232 if (p->flags & X509_PURPOSE_DYNAMIC)
233 {
234 if (p->flags & X509_PURPOSE_DYNAMIC_NAME) {
235 OPENSSL_free(p->name);
236 OPENSSL_free(p->sname);
237 }
238 OPENSSL_free(p);
239 }
240 }
241
242void X509_PURPOSE_cleanup(void)
243{
244 unsigned int i;
245 sk_X509_PURPOSE_pop_free(xptable, xptable_free);
246 for(i = 0; i < X509_PURPOSE_COUNT; i++) xptable_free(xstandard + i);
247 xptable = NULL;
248}
249
250int X509_PURPOSE_get_id(X509_PURPOSE *xp)
251{
252 return xp->purpose;
253}
254
255char *X509_PURPOSE_get0_name(X509_PURPOSE *xp)
256{
257 return xp->name;
258}
259
260char *X509_PURPOSE_get0_sname(X509_PURPOSE *xp)
261{
262 return xp->sname;
263}
264
265int X509_PURPOSE_get_trust(X509_PURPOSE *xp)
266{
267 return xp->trust;
268}
269
270static int nid_cmp(const int *a, const int *b)
271 {
272 return *a - *b;
273 }
274
275DECLARE_OBJ_BSEARCH_CMP_FN(int, int, nid);
276IMPLEMENT_OBJ_BSEARCH_CMP_FN(int, int, nid);
277
278int X509_supported_extension(X509_EXTENSION *ex)
279 {
280 /* This table is a list of the NIDs of supported extensions:
281 * that is those which are used by the verify process. If
282 * an extension is critical and doesn't appear in this list
283 * then the verify process will normally reject the certificate.
284 * The list must be kept in numerical order because it will be
285 * searched using bsearch.
286 */
287
288 static const int supported_nids[] = {
289 NID_netscape_cert_type, /* 71 */
290 NID_key_usage, /* 83 */
291 NID_subject_alt_name, /* 85 */
292 NID_basic_constraints, /* 87 */
293 NID_certificate_policies, /* 89 */
294 NID_ext_key_usage, /* 126 */
295#ifndef OPENSSL_NO_RFC3779
296 NID_sbgp_ipAddrBlock, /* 290 */
297 NID_sbgp_autonomousSysNum, /* 291 */
298#endif
299 NID_policy_constraints, /* 401 */
300 NID_proxyCertInfo, /* 663 */
301 NID_name_constraints, /* 666 */
302 NID_policy_mappings, /* 747 */
303 NID_inhibit_any_policy /* 748 */
304 };
305
306 int ex_nid = OBJ_obj2nid(X509_EXTENSION_get_object(ex));
307
308 if (ex_nid == NID_undef)
309 return 0;
310
311 if (OBJ_bsearch_nid(&ex_nid, supported_nids,
312 sizeof(supported_nids)/sizeof(int)))
313 return 1;
314 return 0;
315 }
316
317static void setup_dp(X509 *x, DIST_POINT *dp)
318 {
319 X509_NAME *iname = NULL;
320 int i;
321 if (dp->reasons)
322 {
323 if (dp->reasons->length > 0)
324 dp->dp_reasons = dp->reasons->data[0];
325 if (dp->reasons->length > 1)
326 dp->dp_reasons |= (dp->reasons->data[1] << 8);
327 dp->dp_reasons &= CRLDP_ALL_REASONS;
328 }
329 else
330 dp->dp_reasons = CRLDP_ALL_REASONS;
331 if (!dp->distpoint || (dp->distpoint->type != 1))
332 return;
333 for (i = 0; i < sk_GENERAL_NAME_num(dp->CRLissuer); i++)
334 {
335 GENERAL_NAME *gen = sk_GENERAL_NAME_value(dp->CRLissuer, i);
336 if (gen->type == GEN_DIRNAME)
337 {
338 iname = gen->d.directoryName;
339 break;
340 }
341 }
342 if (!iname)
343 iname = X509_get_issuer_name(x);
344
345 DIST_POINT_set_dpname(dp->distpoint, iname);
346
347 }
348
349static void setup_crldp(X509 *x)
350 {
351 int i;
352 x->crldp = X509_get_ext_d2i(x, NID_crl_distribution_points, NULL, NULL);
353 for (i = 0; i < sk_DIST_POINT_num(x->crldp); i++)
354 setup_dp(x, sk_DIST_POINT_value(x->crldp, i));
355 }
356
357static void x509v3_cache_extensions(X509 *x)
358{
359 BASIC_CONSTRAINTS *bs;
360 PROXY_CERT_INFO_EXTENSION *pci;
361 ASN1_BIT_STRING *usage;
362 ASN1_BIT_STRING *ns;
363 EXTENDED_KEY_USAGE *extusage;
364 X509_EXTENSION *ex;
365
366 int i;
367 if(x->ex_flags & EXFLAG_SET) return;
368#ifndef OPENSSL_NO_SHA
369 X509_digest(x, EVP_sha1(), x->sha1_hash, NULL);
370#endif
371 /* Does subject name match issuer ? */
372 if(!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x)))
373 x->ex_flags |= EXFLAG_SI;
374 /* V1 should mean no extensions ... */
375 if(!X509_get_version(x)) x->ex_flags |= EXFLAG_V1;
376 /* Handle basic constraints */
377 if((bs=X509_get_ext_d2i(x, NID_basic_constraints, NULL, NULL))) {
378 if(bs->ca) x->ex_flags |= EXFLAG_CA;
379 if(bs->pathlen) {
380 if((bs->pathlen->type == V_ASN1_NEG_INTEGER)
381 || !bs->ca) {
382 x->ex_flags |= EXFLAG_INVALID;
383 x->ex_pathlen = 0;
384 } else x->ex_pathlen = ASN1_INTEGER_get(bs->pathlen);
385 } else x->ex_pathlen = -1;
386 BASIC_CONSTRAINTS_free(bs);
387 x->ex_flags |= EXFLAG_BCONS;
388 }
389 /* Handle proxy certificates */
390 if((pci=X509_get_ext_d2i(x, NID_proxyCertInfo, NULL, NULL))) {
391 if (x->ex_flags & EXFLAG_CA
392 || X509_get_ext_by_NID(x, NID_subject_alt_name, 0) >= 0
393 || X509_get_ext_by_NID(x, NID_issuer_alt_name, 0) >= 0) {
394 x->ex_flags |= EXFLAG_INVALID;
395 }
396 if (pci->pcPathLengthConstraint) {
397 x->ex_pcpathlen =
398 ASN1_INTEGER_get(pci->pcPathLengthConstraint);
399 } else x->ex_pcpathlen = -1;
400 PROXY_CERT_INFO_EXTENSION_free(pci);
401 x->ex_flags |= EXFLAG_PROXY;
402 }
403 /* Handle key usage */
404 if((usage=X509_get_ext_d2i(x, NID_key_usage, NULL, NULL))) {
405 if(usage->length > 0) {
406 x->ex_kusage = usage->data[0];
407 if(usage->length > 1)
408 x->ex_kusage |= usage->data[1] << 8;
409 } else x->ex_kusage = 0;
410 x->ex_flags |= EXFLAG_KUSAGE;
411 ASN1_BIT_STRING_free(usage);
412 }
413 x->ex_xkusage = 0;
414 if((extusage=X509_get_ext_d2i(x, NID_ext_key_usage, NULL, NULL))) {
415 x->ex_flags |= EXFLAG_XKUSAGE;
416 for(i = 0; i < sk_ASN1_OBJECT_num(extusage); i++) {
417 switch(OBJ_obj2nid(sk_ASN1_OBJECT_value(extusage,i))) {
418 case NID_server_auth:
419 x->ex_xkusage |= XKU_SSL_SERVER;
420 break;
421
422 case NID_client_auth:
423 x->ex_xkusage |= XKU_SSL_CLIENT;
424 break;
425
426 case NID_email_protect:
427 x->ex_xkusage |= XKU_SMIME;
428 break;
429
430 case NID_code_sign:
431 x->ex_xkusage |= XKU_CODE_SIGN;
432 break;
433
434 case NID_ms_sgc:
435 case NID_ns_sgc:
436 x->ex_xkusage |= XKU_SGC;
437 break;
438
439 case NID_OCSP_sign:
440 x->ex_xkusage |= XKU_OCSP_SIGN;
441 break;
442
443 case NID_time_stamp:
444 x->ex_xkusage |= XKU_TIMESTAMP;
445 break;
446
447 case NID_dvcs:
448 x->ex_xkusage |= XKU_DVCS;
449 break;
450 }
451 }
452 sk_ASN1_OBJECT_pop_free(extusage, ASN1_OBJECT_free);
453 }
454
455 if((ns=X509_get_ext_d2i(x, NID_netscape_cert_type, NULL, NULL))) {
456 if(ns->length > 0) x->ex_nscert = ns->data[0];
457 else x->ex_nscert = 0;
458 x->ex_flags |= EXFLAG_NSCERT;
459 ASN1_BIT_STRING_free(ns);
460 }
461 x->skid =X509_get_ext_d2i(x, NID_subject_key_identifier, NULL, NULL);
462 x->akid =X509_get_ext_d2i(x, NID_authority_key_identifier, NULL, NULL);
463 x->altname = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
464 x->nc = X509_get_ext_d2i(x, NID_name_constraints, &i, NULL);
465 if (!x->nc && (i != -1))
466 x->ex_flags |= EXFLAG_INVALID;
467 setup_crldp(x);
468
469#ifndef OPENSSL_NO_RFC3779
470 x->rfc3779_addr =X509_get_ext_d2i(x, NID_sbgp_ipAddrBlock, NULL, NULL);
471 x->rfc3779_asid =X509_get_ext_d2i(x, NID_sbgp_autonomousSysNum,
472 NULL, NULL);
473#endif
474 for (i = 0; i < X509_get_ext_count(x); i++)
475 {
476 ex = X509_get_ext(x, i);
477 if (!X509_EXTENSION_get_critical(ex))
478 continue;
479 if (OBJ_obj2nid(X509_EXTENSION_get_object(ex))
480 == NID_freshest_crl)
481 x->ex_flags |= EXFLAG_FRESHEST;
482 if (!X509_supported_extension(ex))
483 {
484 x->ex_flags |= EXFLAG_CRITICAL;
485 break;
486 }
487 }
488 x->ex_flags |= EXFLAG_SET;
489}
490
491/* CA checks common to all purposes
492 * return codes:
493 * 0 not a CA
494 * 1 is a CA
495 * 2 basicConstraints absent so "maybe" a CA
496 * 3 basicConstraints absent but self signed V1.
497 * 4 basicConstraints absent but keyUsage present and keyCertSign asserted.
498 */
499
500#define V1_ROOT (EXFLAG_V1|EXFLAG_SS)
501#define ku_reject(x, usage) \
502 (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage)))
503#define xku_reject(x, usage) \
504 (((x)->ex_flags & EXFLAG_XKUSAGE) && !((x)->ex_xkusage & (usage)))
505#define ns_reject(x, usage) \
506 (((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage)))
507
508static int check_ca(const X509 *x)
509{
510 /* keyUsage if present should allow cert signing */
511 if(ku_reject(x, KU_KEY_CERT_SIGN)) return 0;
512 if(x->ex_flags & EXFLAG_BCONS) {
513 if(x->ex_flags & EXFLAG_CA) return 1;
514 /* If basicConstraints says not a CA then say so */
515 else return 0;
516 } else {
517 /* we support V1 roots for... uh, I don't really know why. */
518 if((x->ex_flags & V1_ROOT) == V1_ROOT) return 3;
519 /* If key usage present it must have certSign so tolerate it */
520 else if (x->ex_flags & EXFLAG_KUSAGE) return 4;
521 /* Older certificates could have Netscape-specific CA types */
522 else if (x->ex_flags & EXFLAG_NSCERT
523 && x->ex_nscert & NS_ANY_CA) return 5;
524 /* can this still be regarded a CA certificate? I doubt it */
525 return 0;
526 }
527}
528
529int X509_check_ca(X509 *x)
530{
531 if(!(x->ex_flags & EXFLAG_SET)) {
532 CRYPTO_w_lock(CRYPTO_LOCK_X509);
533 x509v3_cache_extensions(x);
534 CRYPTO_w_unlock(CRYPTO_LOCK_X509);
535 }
536
537 return check_ca(x);
538}
539
540/* Check SSL CA: common checks for SSL client and server */
541static int check_ssl_ca(const X509 *x)
542{
543 int ca_ret;
544 ca_ret = check_ca(x);
545 if(!ca_ret) return 0;
546 /* check nsCertType if present */
547 if(ca_ret != 5 || x->ex_nscert & NS_SSL_CA) return ca_ret;
548 else return 0;
549}
550
551
552static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, int ca)
553{
554 if(xku_reject(x,XKU_SSL_CLIENT)) return 0;
555 if(ca) return check_ssl_ca(x);
556 /* We need to do digital signatures with it */
557 if(ku_reject(x,KU_DIGITAL_SIGNATURE)) return 0;
558 /* nsCertType if present should allow SSL client use */
559 if(ns_reject(x, NS_SSL_CLIENT)) return 0;
560 return 1;
561}
562
563static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca)
564{
565 if(xku_reject(x,XKU_SSL_SERVER|XKU_SGC)) return 0;
566 if(ca) return check_ssl_ca(x);
567
568 if(ns_reject(x, NS_SSL_SERVER)) return 0;
569 /* Now as for keyUsage: we'll at least need to sign OR encipher */
570 if(ku_reject(x, KU_DIGITAL_SIGNATURE|KU_KEY_ENCIPHERMENT)) return 0;
571
572 return 1;
573
574}
575
576static int check_purpose_ns_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca)
577{
578 int ret;
579 ret = check_purpose_ssl_server(xp, x, ca);
580 if(!ret || ca) return ret;
581 /* We need to encipher or Netscape complains */
582 if(ku_reject(x, KU_KEY_ENCIPHERMENT)) return 0;
583 return ret;
584}
585
586/* common S/MIME checks */
587static int purpose_smime(const X509 *x, int ca)
588{
589 if(xku_reject(x,XKU_SMIME)) return 0;
590 if(ca) {
591 int ca_ret;
592 ca_ret = check_ca(x);
593 if(!ca_ret) return 0;
594 /* check nsCertType if present */
595 if(ca_ret != 5 || x->ex_nscert & NS_SMIME_CA) return ca_ret;
596 else return 0;
597 }
598 if(x->ex_flags & EXFLAG_NSCERT) {
599 if(x->ex_nscert & NS_SMIME) return 1;
600 /* Workaround for some buggy certificates */
601 if(x->ex_nscert & NS_SSL_CLIENT) return 2;
602 return 0;
603 }
604 return 1;
605}
606
607static int check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x, int ca)
608{
609 int ret;
610 ret = purpose_smime(x, ca);
611 if(!ret || ca) return ret;
612 if(ku_reject(x, KU_DIGITAL_SIGNATURE|KU_NON_REPUDIATION)) return 0;
613 return ret;
614}
615
616static int check_purpose_smime_encrypt(const X509_PURPOSE *xp, const X509 *x, int ca)
617{
618 int ret;
619 ret = purpose_smime(x, ca);
620 if(!ret || ca) return ret;
621 if(ku_reject(x, KU_KEY_ENCIPHERMENT)) return 0;
622 return ret;
623}
624
625static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x, int ca)
626{
627 if(ca) {
628 int ca_ret;
629 if((ca_ret = check_ca(x)) != 2) return ca_ret;
630 else return 0;
631 }
632 if(ku_reject(x, KU_CRL_SIGN)) return 0;
633 return 1;
634}
635
636/* OCSP helper: this is *not* a full OCSP check. It just checks that
637 * each CA is valid. Additional checks must be made on the chain.
638 */
639
640static int ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca)
641{
642 /* Must be a valid CA. Should we really support the "I don't know"
643 value (2)? */
644 if(ca) return check_ca(x);
645 /* leaf certificate is checked in OCSP_verify() */
646 return 1;
647}
648
649static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x,
650 int ca)
651{
652 int i_ext;
653
654 /* If ca is true we must return if this is a valid CA certificate. */
655 if (ca) return check_ca(x);
656
657 /*
658 * Check the optional key usage field:
659 * if Key Usage is present, it must be one of digitalSignature
660 * and/or nonRepudiation (other values are not consistent and shall
661 * be rejected).
662 */
663 if ((x->ex_flags & EXFLAG_KUSAGE)
664 && ((x->ex_kusage & ~(KU_NON_REPUDIATION | KU_DIGITAL_SIGNATURE)) ||
665 !(x->ex_kusage & (KU_NON_REPUDIATION | KU_DIGITAL_SIGNATURE))))
666 return 0;
667
668 /* Only time stamp key usage is permitted and it's required. */
669 if (!(x->ex_flags & EXFLAG_XKUSAGE) || x->ex_xkusage != XKU_TIMESTAMP)
670 return 0;
671
672 /* Extended Key Usage MUST be critical */
673 i_ext = X509_get_ext_by_NID((X509 *) x, NID_ext_key_usage, 0);
674 if (i_ext >= 0)
675 {
676 X509_EXTENSION *ext = X509_get_ext((X509 *) x, i_ext);
677 if (!X509_EXTENSION_get_critical(ext))
678 return 0;
679 }
680
681 return 1;
682}
683
684static int no_check(const X509_PURPOSE *xp, const X509 *x, int ca)
685{
686 return 1;
687}
688
689/* Various checks to see if one certificate issued the second.
690 * This can be used to prune a set of possible issuer certificates
691 * which have been looked up using some simple method such as by
692 * subject name.
693 * These are:
694 * 1. Check issuer_name(subject) == subject_name(issuer)
695 * 2. If akid(subject) exists check it matches issuer
696 * 3. If key_usage(issuer) exists check it supports certificate signing
697 * returns 0 for OK, positive for reason for mismatch, reasons match
698 * codes for X509_verify_cert()
699 */
700
701int X509_check_issued(X509 *issuer, X509 *subject)
702{
703 if(X509_NAME_cmp(X509_get_subject_name(issuer),
704 X509_get_issuer_name(subject)))
705 return X509_V_ERR_SUBJECT_ISSUER_MISMATCH;
706 x509v3_cache_extensions(issuer);
707 x509v3_cache_extensions(subject);
708
709 if(subject->akid)
710 {
711 int ret = X509_check_akid(issuer, subject->akid);
712 if (ret != X509_V_OK)
713 return ret;
714 }
715
716 if(subject->ex_flags & EXFLAG_PROXY)
717 {
718 if(ku_reject(issuer, KU_DIGITAL_SIGNATURE))
719 return X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE;
720 }
721 else if(ku_reject(issuer, KU_KEY_CERT_SIGN))
722 return X509_V_ERR_KEYUSAGE_NO_CERTSIGN;
723 return X509_V_OK;
724}
725
726int X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid)
727 {
728
729 if(!akid)
730 return X509_V_OK;
731
732 /* Check key ids (if present) */
733 if(akid->keyid && issuer->skid &&
734 ASN1_OCTET_STRING_cmp(akid->keyid, issuer->skid) )
735 return X509_V_ERR_AKID_SKID_MISMATCH;
736 /* Check serial number */
737 if(akid->serial &&
738 ASN1_INTEGER_cmp(X509_get_serialNumber(issuer), akid->serial))
739 return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
740 /* Check issuer name */
741 if(akid->issuer)
742 {
743 /* Ugh, for some peculiar reason AKID includes
744 * SEQUENCE OF GeneralName. So look for a DirName.
745 * There may be more than one but we only take any
746 * notice of the first.
747 */
748 GENERAL_NAMES *gens;
749 GENERAL_NAME *gen;
750 X509_NAME *nm = NULL;
751 int i;
752 gens = akid->issuer;
753 for(i = 0; i < sk_GENERAL_NAME_num(gens); i++)
754 {
755 gen = sk_GENERAL_NAME_value(gens, i);
756 if(gen->type == GEN_DIRNAME)
757 {
758 nm = gen->d.dirn;
759 break;
760 }
761 }
762 if(nm && X509_NAME_cmp(nm, X509_get_issuer_name(issuer)))
763 return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
764 }
765 return X509_V_OK;
766 }
767
diff --git a/src/lib/libcrypto/x509v3/v3_skey.c b/src/lib/libcrypto/x509v3/v3_skey.c
new file mode 100644
index 0000000000..202c9e4896
--- /dev/null
+++ b/src/lib/libcrypto/x509v3/v3_skey.c
@@ -0,0 +1,144 @@
1/* v3_skey.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59
60#include <stdio.h>
61#include "cryptlib.h"
62#include <openssl/x509v3.h>
63
64static ASN1_OCTET_STRING *s2i_skey_id(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *str);
65const X509V3_EXT_METHOD v3_skey_id = {
66NID_subject_key_identifier, 0, ASN1_ITEM_ref(ASN1_OCTET_STRING),
670,0,0,0,
68(X509V3_EXT_I2S)i2s_ASN1_OCTET_STRING,
69(X509V3_EXT_S2I)s2i_skey_id,
700,0,0,0,
71NULL};
72
73char *i2s_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method,
74 ASN1_OCTET_STRING *oct)
75{
76 return hex_to_string(oct->data, oct->length);
77}
78
79ASN1_OCTET_STRING *s2i_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method,
80 X509V3_CTX *ctx, char *str)
81{
82 ASN1_OCTET_STRING *oct;
83 long length;
84
85 if(!(oct = M_ASN1_OCTET_STRING_new())) {
86 X509V3err(X509V3_F_S2I_ASN1_OCTET_STRING,ERR_R_MALLOC_FAILURE);
87 return NULL;
88 }
89
90 if(!(oct->data = string_to_hex(str, &length))) {
91 M_ASN1_OCTET_STRING_free(oct);
92 return NULL;
93 }
94
95 oct->length = length;
96
97 return oct;
98
99}
100
101static ASN1_OCTET_STRING *s2i_skey_id(X509V3_EXT_METHOD *method,
102 X509V3_CTX *ctx, char *str)
103{
104 ASN1_OCTET_STRING *oct;
105 ASN1_BIT_STRING *pk;
106 unsigned char pkey_dig[EVP_MAX_MD_SIZE];
107 unsigned int diglen;
108
109 if(strcmp(str, "hash")) return s2i_ASN1_OCTET_STRING(method, ctx, str);
110
111 if(!(oct = M_ASN1_OCTET_STRING_new())) {
112 X509V3err(X509V3_F_S2I_SKEY_ID,ERR_R_MALLOC_FAILURE);
113 return NULL;
114 }
115
116 if(ctx && (ctx->flags == CTX_TEST)) return oct;
117
118 if(!ctx || (!ctx->subject_req && !ctx->subject_cert)) {
119 X509V3err(X509V3_F_S2I_SKEY_ID,X509V3_R_NO_PUBLIC_KEY);
120 goto err;
121 }
122
123 if(ctx->subject_req)
124 pk = ctx->subject_req->req_info->pubkey->public_key;
125 else pk = ctx->subject_cert->cert_info->key->public_key;
126
127 if(!pk) {
128 X509V3err(X509V3_F_S2I_SKEY_ID,X509V3_R_NO_PUBLIC_KEY);
129 goto err;
130 }
131
132 EVP_Digest(pk->data, pk->length, pkey_dig, &diglen, EVP_sha1(), NULL);
133
134 if(!M_ASN1_OCTET_STRING_set(oct, pkey_dig, diglen)) {
135 X509V3err(X509V3_F_S2I_SKEY_ID,ERR_R_MALLOC_FAILURE);
136 goto err;
137 }
138
139 return oct;
140
141 err:
142 M_ASN1_OCTET_STRING_free(oct);
143 return NULL;
144}
diff --git a/src/lib/libcrypto/x509v3/v3_sxnet.c b/src/lib/libcrypto/x509v3/v3_sxnet.c
new file mode 100644
index 0000000000..2a6bf11b65
--- /dev/null
+++ b/src/lib/libcrypto/x509v3/v3_sxnet.c
@@ -0,0 +1,262 @@
1/* v3_sxnet.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/conf.h>
62#include <openssl/asn1.h>
63#include <openssl/asn1t.h>
64#include <openssl/x509v3.h>
65
66/* Support for Thawte strong extranet extension */
67
68#define SXNET_TEST
69
70static int sxnet_i2r(X509V3_EXT_METHOD *method, SXNET *sx, BIO *out, int indent);
71#ifdef SXNET_TEST
72static SXNET * sxnet_v2i(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
73 STACK_OF(CONF_VALUE) *nval);
74#endif
75const X509V3_EXT_METHOD v3_sxnet = {
76NID_sxnet, X509V3_EXT_MULTILINE, ASN1_ITEM_ref(SXNET),
770,0,0,0,
780,0,
790,
80#ifdef SXNET_TEST
81(X509V3_EXT_V2I)sxnet_v2i,
82#else
830,
84#endif
85(X509V3_EXT_I2R)sxnet_i2r,
860,
87NULL
88};
89
90ASN1_SEQUENCE(SXNETID) = {
91 ASN1_SIMPLE(SXNETID, zone, ASN1_INTEGER),
92 ASN1_SIMPLE(SXNETID, user, ASN1_OCTET_STRING)
93} ASN1_SEQUENCE_END(SXNETID)
94
95IMPLEMENT_ASN1_FUNCTIONS(SXNETID)
96
97ASN1_SEQUENCE(SXNET) = {
98 ASN1_SIMPLE(SXNET, version, ASN1_INTEGER),
99 ASN1_SEQUENCE_OF(SXNET, ids, SXNETID)
100} ASN1_SEQUENCE_END(SXNET)
101
102IMPLEMENT_ASN1_FUNCTIONS(SXNET)
103
104static int sxnet_i2r(X509V3_EXT_METHOD *method, SXNET *sx, BIO *out,
105 int indent)
106{
107 long v;
108 char *tmp;
109 SXNETID *id;
110 int i;
111 v = ASN1_INTEGER_get(sx->version);
112 BIO_printf(out, "%*sVersion: %ld (0x%lX)", indent, "", v + 1, v);
113 for(i = 0; i < sk_SXNETID_num(sx->ids); i++) {
114 id = sk_SXNETID_value(sx->ids, i);
115 tmp = i2s_ASN1_INTEGER(NULL, id->zone);
116 BIO_printf(out, "\n%*sZone: %s, User: ", indent, "", tmp);
117 OPENSSL_free(tmp);
118 M_ASN1_OCTET_STRING_print(out, id->user);
119 }
120 return 1;
121}
122
123#ifdef SXNET_TEST
124
125/* NBB: this is used for testing only. It should *not* be used for anything
126 * else because it will just take static IDs from the configuration file and
127 * they should really be separate values for each user.
128 */
129
130
131static SXNET * sxnet_v2i(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
132 STACK_OF(CONF_VALUE) *nval)
133{
134 CONF_VALUE *cnf;
135 SXNET *sx = NULL;
136 int i;
137 for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
138 cnf = sk_CONF_VALUE_value(nval, i);
139 if(!SXNET_add_id_asc(&sx, cnf->name, cnf->value, -1))
140 return NULL;
141 }
142 return sx;
143}
144
145
146#endif
147
148/* Strong Extranet utility functions */
149
150/* Add an id given the zone as an ASCII number */
151
152int SXNET_add_id_asc(SXNET **psx, char *zone, char *user,
153 int userlen)
154{
155 ASN1_INTEGER *izone = NULL;
156 if(!(izone = s2i_ASN1_INTEGER(NULL, zone))) {
157 X509V3err(X509V3_F_SXNET_ADD_ID_ASC,X509V3_R_ERROR_CONVERTING_ZONE);
158 return 0;
159 }
160 return SXNET_add_id_INTEGER(psx, izone, user, userlen);
161}
162
163/* Add an id given the zone as an unsigned long */
164
165int SXNET_add_id_ulong(SXNET **psx, unsigned long lzone, char *user,
166 int userlen)
167{
168 ASN1_INTEGER *izone = NULL;
169 if(!(izone = M_ASN1_INTEGER_new()) || !ASN1_INTEGER_set(izone, lzone)) {
170 X509V3err(X509V3_F_SXNET_ADD_ID_ULONG,ERR_R_MALLOC_FAILURE);
171 M_ASN1_INTEGER_free(izone);
172 return 0;
173 }
174 return SXNET_add_id_INTEGER(psx, izone, user, userlen);
175
176}
177
178/* Add an id given the zone as an ASN1_INTEGER.
179 * Note this version uses the passed integer and doesn't make a copy so don't
180 * free it up afterwards.
181 */
182
183int SXNET_add_id_INTEGER(SXNET **psx, ASN1_INTEGER *zone, char *user,
184 int userlen)
185{
186 SXNET *sx = NULL;
187 SXNETID *id = NULL;
188 if(!psx || !zone || !user) {
189 X509V3err(X509V3_F_SXNET_ADD_ID_INTEGER,X509V3_R_INVALID_NULL_ARGUMENT);
190 return 0;
191 }
192 if(userlen == -1) userlen = strlen(user);
193 if(userlen > 64) {
194 X509V3err(X509V3_F_SXNET_ADD_ID_INTEGER,X509V3_R_USER_TOO_LONG);
195 return 0;
196 }
197 if(!*psx) {
198 if(!(sx = SXNET_new())) goto err;
199 if(!ASN1_INTEGER_set(sx->version, 0)) goto err;
200 *psx = sx;
201 } else sx = *psx;
202 if(SXNET_get_id_INTEGER(sx, zone)) {
203 X509V3err(X509V3_F_SXNET_ADD_ID_INTEGER,X509V3_R_DUPLICATE_ZONE_ID);
204 return 0;
205 }
206
207 if(!(id = SXNETID_new())) goto err;
208 if(userlen == -1) userlen = strlen(user);
209
210 if(!M_ASN1_OCTET_STRING_set(id->user, user, userlen)) goto err;
211 if(!sk_SXNETID_push(sx->ids, id)) goto err;
212 id->zone = zone;
213 return 1;
214
215 err:
216 X509V3err(X509V3_F_SXNET_ADD_ID_INTEGER,ERR_R_MALLOC_FAILURE);
217 SXNETID_free(id);
218 SXNET_free(sx);
219 *psx = NULL;
220 return 0;
221}
222
223ASN1_OCTET_STRING *SXNET_get_id_asc(SXNET *sx, char *zone)
224{
225 ASN1_INTEGER *izone = NULL;
226 ASN1_OCTET_STRING *oct;
227 if(!(izone = s2i_ASN1_INTEGER(NULL, zone))) {
228 X509V3err(X509V3_F_SXNET_GET_ID_ASC,X509V3_R_ERROR_CONVERTING_ZONE);
229 return NULL;
230 }
231 oct = SXNET_get_id_INTEGER(sx, izone);
232 M_ASN1_INTEGER_free(izone);
233 return oct;
234}
235
236ASN1_OCTET_STRING *SXNET_get_id_ulong(SXNET *sx, unsigned long lzone)
237{
238 ASN1_INTEGER *izone = NULL;
239 ASN1_OCTET_STRING *oct;
240 if(!(izone = M_ASN1_INTEGER_new()) || !ASN1_INTEGER_set(izone, lzone)) {
241 X509V3err(X509V3_F_SXNET_GET_ID_ULONG,ERR_R_MALLOC_FAILURE);
242 M_ASN1_INTEGER_free(izone);
243 return NULL;
244 }
245 oct = SXNET_get_id_INTEGER(sx, izone);
246 M_ASN1_INTEGER_free(izone);
247 return oct;
248}
249
250ASN1_OCTET_STRING *SXNET_get_id_INTEGER(SXNET *sx, ASN1_INTEGER *zone)
251{
252 SXNETID *id;
253 int i;
254 for(i = 0; i < sk_SXNETID_num(sx->ids); i++) {
255 id = sk_SXNETID_value(sx->ids, i);
256 if(!M_ASN1_INTEGER_cmp(id->zone, zone)) return id->user;
257 }
258 return NULL;
259}
260
261IMPLEMENT_STACK_OF(SXNETID)
262IMPLEMENT_ASN1_SET_OF(SXNETID)
diff --git a/src/lib/libcrypto/x509v3/v3_utl.c b/src/lib/libcrypto/x509v3/v3_utl.c
new file mode 100644
index 0000000000..e030234540
--- /dev/null
+++ b/src/lib/libcrypto/x509v3/v3_utl.c
@@ -0,0 +1,874 @@
1/* v3_utl.c */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project.
4 */
5/* ====================================================================
6 * Copyright (c) 1999-2003 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58/* X509 v3 extension utilities */
59
60
61#include <stdio.h>
62#include <ctype.h>
63#include "cryptlib.h"
64#include <openssl/conf.h>
65#include <openssl/x509v3.h>
66#include <openssl/bn.h>
67
68static char *strip_spaces(char *name);
69static int sk_strcmp(const char * const *a, const char * const *b);
70static STACK_OF(OPENSSL_STRING) *get_email(X509_NAME *name, GENERAL_NAMES *gens);
71static void str_free(OPENSSL_STRING str);
72static int append_ia5(STACK_OF(OPENSSL_STRING) **sk, ASN1_IA5STRING *email);
73
74static int ipv4_from_asc(unsigned char *v4, const char *in);
75static int ipv6_from_asc(unsigned char *v6, const char *in);
76static int ipv6_cb(const char *elem, int len, void *usr);
77static int ipv6_hex(unsigned char *out, const char *in, int inlen);
78
79/* Add a CONF_VALUE name value pair to stack */
80
81int X509V3_add_value(const char *name, const char *value,
82 STACK_OF(CONF_VALUE) **extlist)
83{
84 CONF_VALUE *vtmp = NULL;
85 char *tname = NULL, *tvalue = NULL;
86 if(name && !(tname = BUF_strdup(name))) goto err;
87 if(value && !(tvalue = BUF_strdup(value))) goto err;
88 if(!(vtmp = (CONF_VALUE *)OPENSSL_malloc(sizeof(CONF_VALUE)))) goto err;
89 if(!*extlist && !(*extlist = sk_CONF_VALUE_new_null())) goto err;
90 vtmp->section = NULL;
91 vtmp->name = tname;
92 vtmp->value = tvalue;
93 if(!sk_CONF_VALUE_push(*extlist, vtmp)) goto err;
94 return 1;
95 err:
96 X509V3err(X509V3_F_X509V3_ADD_VALUE,ERR_R_MALLOC_FAILURE);
97 if(vtmp) OPENSSL_free(vtmp);
98 if(tname) OPENSSL_free(tname);
99 if(tvalue) OPENSSL_free(tvalue);
100 return 0;
101}
102
103int X509V3_add_value_uchar(const char *name, const unsigned char *value,
104 STACK_OF(CONF_VALUE) **extlist)
105 {
106 return X509V3_add_value(name,(const char *)value,extlist);
107 }
108
109/* Free function for STACK_OF(CONF_VALUE) */
110
111void X509V3_conf_free(CONF_VALUE *conf)
112{
113 if(!conf) return;
114 if(conf->name) OPENSSL_free(conf->name);
115 if(conf->value) OPENSSL_free(conf->value);
116 if(conf->section) OPENSSL_free(conf->section);
117 OPENSSL_free(conf);
118}
119
120int X509V3_add_value_bool(const char *name, int asn1_bool,
121 STACK_OF(CONF_VALUE) **extlist)
122{
123 if(asn1_bool) return X509V3_add_value(name, "TRUE", extlist);
124 return X509V3_add_value(name, "FALSE", extlist);
125}
126
127int X509V3_add_value_bool_nf(char *name, int asn1_bool,
128 STACK_OF(CONF_VALUE) **extlist)
129{
130 if(asn1_bool) return X509V3_add_value(name, "TRUE", extlist);
131 return 1;
132}
133
134
135char *i2s_ASN1_ENUMERATED(X509V3_EXT_METHOD *method, ASN1_ENUMERATED *a)
136{
137 BIGNUM *bntmp = NULL;
138 char *strtmp = NULL;
139 if(!a) return NULL;
140 if(!(bntmp = ASN1_ENUMERATED_to_BN(a, NULL)) ||
141 !(strtmp = BN_bn2dec(bntmp)) )
142 X509V3err(X509V3_F_I2S_ASN1_ENUMERATED,ERR_R_MALLOC_FAILURE);
143 BN_free(bntmp);
144 return strtmp;
145}
146
147char *i2s_ASN1_INTEGER(X509V3_EXT_METHOD *method, ASN1_INTEGER *a)
148{
149 BIGNUM *bntmp = NULL;
150 char *strtmp = NULL;
151 if(!a) return NULL;
152 if(!(bntmp = ASN1_INTEGER_to_BN(a, NULL)) ||
153 !(strtmp = BN_bn2dec(bntmp)) )
154 X509V3err(X509V3_F_I2S_ASN1_INTEGER,ERR_R_MALLOC_FAILURE);
155 BN_free(bntmp);
156 return strtmp;
157}
158
159ASN1_INTEGER *s2i_ASN1_INTEGER(X509V3_EXT_METHOD *method, char *value)
160{
161 BIGNUM *bn = NULL;
162 ASN1_INTEGER *aint;
163 int isneg, ishex;
164 int ret;
165 if (!value) {
166 X509V3err(X509V3_F_S2I_ASN1_INTEGER,X509V3_R_INVALID_NULL_VALUE);
167 return 0;
168 }
169 bn = BN_new();
170 if (value[0] == '-') {
171 value++;
172 isneg = 1;
173 } else isneg = 0;
174
175 if (value[0] == '0' && ((value[1] == 'x') || (value[1] == 'X'))) {
176 value += 2;
177 ishex = 1;
178 } else ishex = 0;
179
180 if (ishex) ret = BN_hex2bn(&bn, value);
181 else ret = BN_dec2bn(&bn, value);
182
183 if (!ret || value[ret]) {
184 BN_free(bn);
185 X509V3err(X509V3_F_S2I_ASN1_INTEGER,X509V3_R_BN_DEC2BN_ERROR);
186 return 0;
187 }
188
189 if (isneg && BN_is_zero(bn)) isneg = 0;
190
191 aint = BN_to_ASN1_INTEGER(bn, NULL);
192 BN_free(bn);
193 if (!aint) {
194 X509V3err(X509V3_F_S2I_ASN1_INTEGER,X509V3_R_BN_TO_ASN1_INTEGER_ERROR);
195 return 0;
196 }
197 if (isneg) aint->type |= V_ASN1_NEG;
198 return aint;
199}
200
201int X509V3_add_value_int(const char *name, ASN1_INTEGER *aint,
202 STACK_OF(CONF_VALUE) **extlist)
203{
204 char *strtmp;
205 int ret;
206 if(!aint) return 1;
207 if(!(strtmp = i2s_ASN1_INTEGER(NULL, aint))) return 0;
208 ret = X509V3_add_value(name, strtmp, extlist);
209 OPENSSL_free(strtmp);
210 return ret;
211}
212
213int X509V3_get_value_bool(CONF_VALUE *value, int *asn1_bool)
214{
215 char *btmp;
216 if(!(btmp = value->value)) goto err;
217 if(!strcmp(btmp, "TRUE") || !strcmp(btmp, "true")
218 || !strcmp(btmp, "Y") || !strcmp(btmp, "y")
219 || !strcmp(btmp, "YES") || !strcmp(btmp, "yes")) {
220 *asn1_bool = 0xff;
221 return 1;
222 } else if(!strcmp(btmp, "FALSE") || !strcmp(btmp, "false")
223 || !strcmp(btmp, "N") || !strcmp(btmp, "n")
224 || !strcmp(btmp, "NO") || !strcmp(btmp, "no")) {
225 *asn1_bool = 0;
226 return 1;
227 }
228 err:
229 X509V3err(X509V3_F_X509V3_GET_VALUE_BOOL,X509V3_R_INVALID_BOOLEAN_STRING);
230 X509V3_conf_err(value);
231 return 0;
232}
233
234int X509V3_get_value_int(CONF_VALUE *value, ASN1_INTEGER **aint)
235{
236 ASN1_INTEGER *itmp;
237 if(!(itmp = s2i_ASN1_INTEGER(NULL, value->value))) {
238 X509V3_conf_err(value);
239 return 0;
240 }
241 *aint = itmp;
242 return 1;
243}
244
245#define HDR_NAME 1
246#define HDR_VALUE 2
247
248/*#define DEBUG*/
249
250STACK_OF(CONF_VALUE) *X509V3_parse_list(const char *line)
251{
252 char *p, *q, c;
253 char *ntmp, *vtmp;
254 STACK_OF(CONF_VALUE) *values = NULL;
255 char *linebuf;
256 int state;
257 /* We are going to modify the line so copy it first */
258 linebuf = BUF_strdup(line);
259 state = HDR_NAME;
260 ntmp = NULL;
261 /* Go through all characters */
262 for(p = linebuf, q = linebuf; (c = *p) && (c!='\r') && (c!='\n'); p++) {
263
264 switch(state) {
265 case HDR_NAME:
266 if(c == ':') {
267 state = HDR_VALUE;
268 *p = 0;
269 ntmp = strip_spaces(q);
270 if(!ntmp) {
271 X509V3err(X509V3_F_X509V3_PARSE_LIST, X509V3_R_INVALID_NULL_NAME);
272 goto err;
273 }
274 q = p + 1;
275 } else if(c == ',') {
276 *p = 0;
277 ntmp = strip_spaces(q);
278 q = p + 1;
279#if 0
280 printf("%s\n", ntmp);
281#endif
282 if(!ntmp) {
283 X509V3err(X509V3_F_X509V3_PARSE_LIST, X509V3_R_INVALID_NULL_NAME);
284 goto err;
285 }
286 X509V3_add_value(ntmp, NULL, &values);
287 }
288 break ;
289
290 case HDR_VALUE:
291 if(c == ',') {
292 state = HDR_NAME;
293 *p = 0;
294 vtmp = strip_spaces(q);
295#if 0
296 printf("%s\n", ntmp);
297#endif
298 if(!vtmp) {
299 X509V3err(X509V3_F_X509V3_PARSE_LIST, X509V3_R_INVALID_NULL_VALUE);
300 goto err;
301 }
302 X509V3_add_value(ntmp, vtmp, &values);
303 ntmp = NULL;
304 q = p + 1;
305 }
306
307 }
308 }
309
310 if(state == HDR_VALUE) {
311 vtmp = strip_spaces(q);
312#if 0
313 printf("%s=%s\n", ntmp, vtmp);
314#endif
315 if(!vtmp) {
316 X509V3err(X509V3_F_X509V3_PARSE_LIST, X509V3_R_INVALID_NULL_VALUE);
317 goto err;
318 }
319 X509V3_add_value(ntmp, vtmp, &values);
320 } else {
321 ntmp = strip_spaces(q);
322#if 0
323 printf("%s\n", ntmp);
324#endif
325 if(!ntmp) {
326 X509V3err(X509V3_F_X509V3_PARSE_LIST, X509V3_R_INVALID_NULL_NAME);
327 goto err;
328 }
329 X509V3_add_value(ntmp, NULL, &values);
330 }
331OPENSSL_free(linebuf);
332return values;
333
334err:
335OPENSSL_free(linebuf);
336sk_CONF_VALUE_pop_free(values, X509V3_conf_free);
337return NULL;
338
339}
340
341/* Delete leading and trailing spaces from a string */
342static char *strip_spaces(char *name)
343{
344 char *p, *q;
345 /* Skip over leading spaces */
346 p = name;
347 while(*p && isspace((unsigned char)*p)) p++;
348 if(!*p) return NULL;
349 q = p + strlen(p) - 1;
350 while((q != p) && isspace((unsigned char)*q)) q--;
351 if(p != q) q[1] = 0;
352 if(!*p) return NULL;
353 return p;
354}
355
356/* hex string utilities */
357
358/* Given a buffer of length 'len' return a OPENSSL_malloc'ed string with its
359 * hex representation
360 * @@@ (Contents of buffer are always kept in ASCII, also on EBCDIC machines)
361 */
362
363char *hex_to_string(const unsigned char *buffer, long len)
364{
365 char *tmp, *q;
366 const unsigned char *p;
367 int i;
368 const static char hexdig[] = "0123456789ABCDEF";
369 if(!buffer || !len) return NULL;
370 if(!(tmp = OPENSSL_malloc(len * 3 + 1))) {
371 X509V3err(X509V3_F_HEX_TO_STRING,ERR_R_MALLOC_FAILURE);
372 return NULL;
373 }
374 q = tmp;
375 for(i = 0, p = buffer; i < len; i++,p++) {
376 *q++ = hexdig[(*p >> 4) & 0xf];
377 *q++ = hexdig[*p & 0xf];
378 *q++ = ':';
379 }
380 q[-1] = 0;
381#ifdef CHARSET_EBCDIC
382 ebcdic2ascii(tmp, tmp, q - tmp - 1);
383#endif
384
385 return tmp;
386}
387
388/* Give a string of hex digits convert to
389 * a buffer
390 */
391
392unsigned char *string_to_hex(const char *str, long *len)
393{
394 unsigned char *hexbuf, *q;
395 unsigned char ch, cl, *p;
396 if(!str) {
397 X509V3err(X509V3_F_STRING_TO_HEX,X509V3_R_INVALID_NULL_ARGUMENT);
398 return NULL;
399 }
400 if(!(hexbuf = OPENSSL_malloc(strlen(str) >> 1))) goto err;
401 for(p = (unsigned char *)str, q = hexbuf; *p;) {
402 ch = *p++;
403#ifdef CHARSET_EBCDIC
404 ch = os_toebcdic[ch];
405#endif
406 if(ch == ':') continue;
407 cl = *p++;
408#ifdef CHARSET_EBCDIC
409 cl = os_toebcdic[cl];
410#endif
411 if(!cl) {
412 X509V3err(X509V3_F_STRING_TO_HEX,X509V3_R_ODD_NUMBER_OF_DIGITS);
413 OPENSSL_free(hexbuf);
414 return NULL;
415 }
416 if(isupper(ch)) ch = tolower(ch);
417 if(isupper(cl)) cl = tolower(cl);
418
419 if((ch >= '0') && (ch <= '9')) ch -= '0';
420 else if ((ch >= 'a') && (ch <= 'f')) ch -= 'a' - 10;
421 else goto badhex;
422
423 if((cl >= '0') && (cl <= '9')) cl -= '0';
424 else if ((cl >= 'a') && (cl <= 'f')) cl -= 'a' - 10;
425 else goto badhex;
426
427 *q++ = (ch << 4) | cl;
428 }
429
430 if(len) *len = q - hexbuf;
431
432 return hexbuf;
433
434 err:
435 if(hexbuf) OPENSSL_free(hexbuf);
436 X509V3err(X509V3_F_STRING_TO_HEX,ERR_R_MALLOC_FAILURE);
437 return NULL;
438
439 badhex:
440 OPENSSL_free(hexbuf);
441 X509V3err(X509V3_F_STRING_TO_HEX,X509V3_R_ILLEGAL_HEX_DIGIT);
442 return NULL;
443
444}
445
446/* V2I name comparison function: returns zero if 'name' matches
447 * cmp or cmp.*
448 */
449
450int name_cmp(const char *name, const char *cmp)
451{
452 int len, ret;
453 char c;
454 len = strlen(cmp);
455 if((ret = strncmp(name, cmp, len))) return ret;
456 c = name[len];
457 if(!c || (c=='.')) return 0;
458 return 1;
459}
460
461static int sk_strcmp(const char * const *a, const char * const *b)
462{
463 return strcmp(*a, *b);
464}
465
466STACK_OF(OPENSSL_STRING) *X509_get1_email(X509 *x)
467{
468 GENERAL_NAMES *gens;
469 STACK_OF(OPENSSL_STRING) *ret;
470
471 gens = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
472 ret = get_email(X509_get_subject_name(x), gens);
473 sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
474 return ret;
475}
476
477STACK_OF(OPENSSL_STRING) *X509_get1_ocsp(X509 *x)
478{
479 AUTHORITY_INFO_ACCESS *info;
480 STACK_OF(OPENSSL_STRING) *ret = NULL;
481 int i;
482
483 info = X509_get_ext_d2i(x, NID_info_access, NULL, NULL);
484 if (!info)
485 return NULL;
486 for (i = 0; i < sk_ACCESS_DESCRIPTION_num(info); i++)
487 {
488 ACCESS_DESCRIPTION *ad = sk_ACCESS_DESCRIPTION_value(info, i);
489 if (OBJ_obj2nid(ad->method) == NID_ad_OCSP)
490 {
491 if (ad->location->type == GEN_URI)
492 {
493 if (!append_ia5(&ret, ad->location->d.uniformResourceIdentifier))
494 break;
495 }
496 }
497 }
498 AUTHORITY_INFO_ACCESS_free(info);
499 return ret;
500}
501
502STACK_OF(OPENSSL_STRING) *X509_REQ_get1_email(X509_REQ *x)
503{
504 GENERAL_NAMES *gens;
505 STACK_OF(X509_EXTENSION) *exts;
506 STACK_OF(OPENSSL_STRING) *ret;
507
508 exts = X509_REQ_get_extensions(x);
509 gens = X509V3_get_d2i(exts, NID_subject_alt_name, NULL, NULL);
510 ret = get_email(X509_REQ_get_subject_name(x), gens);
511 sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
512 sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
513 return ret;
514}
515
516
517static STACK_OF(OPENSSL_STRING) *get_email(X509_NAME *name, GENERAL_NAMES *gens)
518{
519 STACK_OF(OPENSSL_STRING) *ret = NULL;
520 X509_NAME_ENTRY *ne;
521 ASN1_IA5STRING *email;
522 GENERAL_NAME *gen;
523 int i;
524 /* Now add any email address(es) to STACK */
525 i = -1;
526 /* First supplied X509_NAME */
527 while((i = X509_NAME_get_index_by_NID(name,
528 NID_pkcs9_emailAddress, i)) >= 0) {
529 ne = X509_NAME_get_entry(name, i);
530 email = X509_NAME_ENTRY_get_data(ne);
531 if(!append_ia5(&ret, email)) return NULL;
532 }
533 for(i = 0; i < sk_GENERAL_NAME_num(gens); i++)
534 {
535 gen = sk_GENERAL_NAME_value(gens, i);
536 if(gen->type != GEN_EMAIL) continue;
537 if(!append_ia5(&ret, gen->d.ia5)) return NULL;
538 }
539 return ret;
540}
541
542static void str_free(OPENSSL_STRING str)
543{
544 OPENSSL_free(str);
545}
546
547static int append_ia5(STACK_OF(OPENSSL_STRING) **sk, ASN1_IA5STRING *email)
548{
549 char *emtmp;
550 /* First some sanity checks */
551 if(email->type != V_ASN1_IA5STRING) return 1;
552 if(!email->data || !email->length) return 1;
553 if(!*sk) *sk = sk_OPENSSL_STRING_new(sk_strcmp);
554 if(!*sk) return 0;
555 /* Don't add duplicates */
556 if(sk_OPENSSL_STRING_find(*sk, (char *)email->data) != -1) return 1;
557 emtmp = BUF_strdup((char *)email->data);
558 if(!emtmp || !sk_OPENSSL_STRING_push(*sk, emtmp)) {
559 X509_email_free(*sk);
560 *sk = NULL;
561 return 0;
562 }
563 return 1;
564}
565
566void X509_email_free(STACK_OF(OPENSSL_STRING) *sk)
567{
568 sk_OPENSSL_STRING_pop_free(sk, str_free);
569}
570
571/* Convert IP addresses both IPv4 and IPv6 into an
572 * OCTET STRING compatible with RFC3280.
573 */
574
575ASN1_OCTET_STRING *a2i_IPADDRESS(const char *ipasc)
576 {
577 unsigned char ipout[16];
578 ASN1_OCTET_STRING *ret;
579 int iplen;
580
581 /* If string contains a ':' assume IPv6 */
582
583 iplen = a2i_ipadd(ipout, ipasc);
584
585 if (!iplen)
586 return NULL;
587
588 ret = ASN1_OCTET_STRING_new();
589 if (!ret)
590 return NULL;
591 if (!ASN1_OCTET_STRING_set(ret, ipout, iplen))
592 {
593 ASN1_OCTET_STRING_free(ret);
594 return NULL;
595 }
596 return ret;
597 }
598
599ASN1_OCTET_STRING *a2i_IPADDRESS_NC(const char *ipasc)
600 {
601 ASN1_OCTET_STRING *ret = NULL;
602 unsigned char ipout[32];
603 char *iptmp = NULL, *p;
604 int iplen1, iplen2;
605 p = strchr(ipasc,'/');
606 if (!p)
607 return NULL;
608 iptmp = BUF_strdup(ipasc);
609 if (!iptmp)
610 return NULL;
611 p = iptmp + (p - ipasc);
612 *p++ = 0;
613
614 iplen1 = a2i_ipadd(ipout, iptmp);
615
616 if (!iplen1)
617 goto err;
618
619 iplen2 = a2i_ipadd(ipout + iplen1, p);
620
621 OPENSSL_free(iptmp);
622 iptmp = NULL;
623
624 if (!iplen2 || (iplen1 != iplen2))
625 goto err;
626
627 ret = ASN1_OCTET_STRING_new();
628 if (!ret)
629 goto err;
630 if (!ASN1_OCTET_STRING_set(ret, ipout, iplen1 + iplen2))
631 goto err;
632
633 return ret;
634
635 err:
636 if (iptmp)
637 OPENSSL_free(iptmp);
638 if (ret)
639 ASN1_OCTET_STRING_free(ret);
640 return NULL;
641 }
642
643
644int a2i_ipadd(unsigned char *ipout, const char *ipasc)
645 {
646 /* If string contains a ':' assume IPv6 */
647
648 if (strchr(ipasc, ':'))
649 {
650 if (!ipv6_from_asc(ipout, ipasc))
651 return 0;
652 return 16;
653 }
654 else
655 {
656 if (!ipv4_from_asc(ipout, ipasc))
657 return 0;
658 return 4;
659 }
660 }
661
662static int ipv4_from_asc(unsigned char *v4, const char *in)
663 {
664 int a0, a1, a2, a3;
665 if (sscanf(in, "%d.%d.%d.%d", &a0, &a1, &a2, &a3) != 4)
666 return 0;
667 if ((a0 < 0) || (a0 > 255) || (a1 < 0) || (a1 > 255)
668 || (a2 < 0) || (a2 > 255) || (a3 < 0) || (a3 > 255))
669 return 0;
670 v4[0] = a0;
671 v4[1] = a1;
672 v4[2] = a2;
673 v4[3] = a3;
674 return 1;
675 }
676
677typedef struct {
678 /* Temporary store for IPV6 output */
679 unsigned char tmp[16];
680 /* Total number of bytes in tmp */
681 int total;
682 /* The position of a zero (corresponding to '::') */
683 int zero_pos;
684 /* Number of zeroes */
685 int zero_cnt;
686 } IPV6_STAT;
687
688
689static int ipv6_from_asc(unsigned char *v6, const char *in)
690 {
691 IPV6_STAT v6stat;
692 v6stat.total = 0;
693 v6stat.zero_pos = -1;
694 v6stat.zero_cnt = 0;
695 /* Treat the IPv6 representation as a list of values
696 * separated by ':'. The presence of a '::' will parse
697 * as one, two or three zero length elements.
698 */
699 if (!CONF_parse_list(in, ':', 0, ipv6_cb, &v6stat))
700 return 0;
701
702 /* Now for some sanity checks */
703
704 if (v6stat.zero_pos == -1)
705 {
706 /* If no '::' must have exactly 16 bytes */
707 if (v6stat.total != 16)
708 return 0;
709 }
710 else
711 {
712 /* If '::' must have less than 16 bytes */
713 if (v6stat.total == 16)
714 return 0;
715 /* More than three zeroes is an error */
716 if (v6stat.zero_cnt > 3)
717 return 0;
718 /* Can only have three zeroes if nothing else present */
719 else if (v6stat.zero_cnt == 3)
720 {
721 if (v6stat.total > 0)
722 return 0;
723 }
724 /* Can only have two zeroes if at start or end */
725 else if (v6stat.zero_cnt == 2)
726 {
727 if ((v6stat.zero_pos != 0)
728 && (v6stat.zero_pos != v6stat.total))
729 return 0;
730 }
731 else
732 /* Can only have one zero if *not* start or end */
733 {
734 if ((v6stat.zero_pos == 0)
735 || (v6stat.zero_pos == v6stat.total))
736 return 0;
737 }
738 }
739
740 /* Format result */
741
742 if (v6stat.zero_pos >= 0)
743 {
744 /* Copy initial part */
745 memcpy(v6, v6stat.tmp, v6stat.zero_pos);
746 /* Zero middle */
747 memset(v6 + v6stat.zero_pos, 0, 16 - v6stat.total);
748 /* Copy final part */
749 if (v6stat.total != v6stat.zero_pos)
750 memcpy(v6 + v6stat.zero_pos + 16 - v6stat.total,
751 v6stat.tmp + v6stat.zero_pos,
752 v6stat.total - v6stat.zero_pos);
753 }
754 else
755 memcpy(v6, v6stat.tmp, 16);
756
757 return 1;
758 }
759
760static int ipv6_cb(const char *elem, int len, void *usr)
761 {
762 IPV6_STAT *s = usr;
763 /* Error if 16 bytes written */
764 if (s->total == 16)
765 return 0;
766 if (len == 0)
767 {
768 /* Zero length element, corresponds to '::' */
769 if (s->zero_pos == -1)
770 s->zero_pos = s->total;
771 /* If we've already got a :: its an error */
772 else if (s->zero_pos != s->total)
773 return 0;
774 s->zero_cnt++;
775 }
776 else
777 {
778 /* If more than 4 characters could be final a.b.c.d form */
779 if (len > 4)
780 {
781 /* Need at least 4 bytes left */
782 if (s->total > 12)
783 return 0;
784 /* Must be end of string */
785 if (elem[len])
786 return 0;
787 if (!ipv4_from_asc(s->tmp + s->total, elem))
788 return 0;
789 s->total += 4;
790 }
791 else
792 {
793 if (!ipv6_hex(s->tmp + s->total, elem, len))
794 return 0;
795 s->total += 2;
796 }
797 }
798 return 1;
799 }
800
801/* Convert a string of up to 4 hex digits into the corresponding
802 * IPv6 form.
803 */
804
805static int ipv6_hex(unsigned char *out, const char *in, int inlen)
806 {
807 unsigned char c;
808 unsigned int num = 0;
809 if (inlen > 4)
810 return 0;
811 while(inlen--)
812 {
813 c = *in++;
814 num <<= 4;
815 if ((c >= '0') && (c <= '9'))
816 num |= c - '0';
817 else if ((c >= 'A') && (c <= 'F'))
818 num |= c - 'A' + 10;
819 else if ((c >= 'a') && (c <= 'f'))
820 num |= c - 'a' + 10;
821 else
822 return 0;
823 }
824 out[0] = num >> 8;
825 out[1] = num & 0xff;
826 return 1;
827 }
828
829
830int X509V3_NAME_from_section(X509_NAME *nm, STACK_OF(CONF_VALUE)*dn_sk,
831 unsigned long chtype)
832 {
833 CONF_VALUE *v;
834 int i, mval;
835 char *p, *type;
836 if (!nm)
837 return 0;
838
839 for (i = 0; i < sk_CONF_VALUE_num(dn_sk); i++)
840 {
841 v=sk_CONF_VALUE_value(dn_sk,i);
842 type=v->name;
843 /* Skip past any leading X. X: X, etc to allow for
844 * multiple instances
845 */
846 for(p = type; *p ; p++)
847#ifndef CHARSET_EBCDIC
848 if ((*p == ':') || (*p == ',') || (*p == '.'))
849#else
850 if ((*p == os_toascii[':']) || (*p == os_toascii[',']) || (*p == os_toascii['.']))
851#endif
852 {
853 p++;
854 if(*p) type = p;
855 break;
856 }
857#ifndef CHARSET_EBCDIC
858 if (*type == '+')
859#else
860 if (*type == os_toascii['+'])
861#endif
862 {
863 mval = -1;
864 type++;
865 }
866 else
867 mval = 0;
868 if (!X509_NAME_add_entry_by_txt(nm,type, chtype,
869 (unsigned char *) v->value,-1,-1,mval))
870 return 0;
871
872 }
873 return 1;
874 }
diff --git a/src/lib/libcrypto/x509v3/v3err.c b/src/lib/libcrypto/x509v3/v3err.c
new file mode 100644
index 0000000000..f9f6f1f91f
--- /dev/null
+++ b/src/lib/libcrypto/x509v3/v3err.c
@@ -0,0 +1,226 @@
1/* crypto/x509v3/v3err.c */
2/* ====================================================================
3 * Copyright (c) 1999-2007 The OpenSSL Project. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 *
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 *
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in
14 * the documentation and/or other materials provided with the
15 * distribution.
16 *
17 * 3. All advertising materials mentioning features or use of this
18 * software must display the following acknowledgment:
19 * "This product includes software developed by the OpenSSL Project
20 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
21 *
22 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
23 * endorse or promote products derived from this software without
24 * prior written permission. For written permission, please contact
25 * openssl-core@OpenSSL.org.
26 *
27 * 5. Products derived from this software may not be called "OpenSSL"
28 * nor may "OpenSSL" appear in their names without prior written
29 * permission of the OpenSSL Project.
30 *
31 * 6. Redistributions of any form whatsoever must retain the following
32 * acknowledgment:
33 * "This product includes software developed by the OpenSSL Project
34 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
35 *
36 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
37 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
38 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
39 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
40 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
41 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
42 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
43 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
44 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
45 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
46 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
47 * OF THE POSSIBILITY OF SUCH DAMAGE.
48 * ====================================================================
49 *
50 * This product includes cryptographic software written by Eric Young
51 * (eay@cryptsoft.com). This product includes software written by Tim
52 * Hudson (tjh@cryptsoft.com).
53 *
54 */
55
56/* NOTE: this file was auto generated by the mkerr.pl script: any changes
57 * made to it will be overwritten when the script next updates this file,
58 * only reason strings will be preserved.
59 */
60
61#include <stdio.h>
62#include <openssl/err.h>
63#include <openssl/x509v3.h>
64
65/* BEGIN ERROR CODES */
66#ifndef OPENSSL_NO_ERR
67
68#define ERR_FUNC(func) ERR_PACK(ERR_LIB_X509V3,func,0)
69#define ERR_REASON(reason) ERR_PACK(ERR_LIB_X509V3,0,reason)
70
71static ERR_STRING_DATA X509V3_str_functs[]=
72 {
73{ERR_FUNC(X509V3_F_A2I_GENERAL_NAME), "A2I_GENERAL_NAME"},
74{ERR_FUNC(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE), "ASIDENTIFIERCHOICE_CANONIZE"},
75{ERR_FUNC(X509V3_F_ASIDENTIFIERCHOICE_IS_CANONICAL), "ASIDENTIFIERCHOICE_IS_CANONICAL"},
76{ERR_FUNC(X509V3_F_COPY_EMAIL), "COPY_EMAIL"},
77{ERR_FUNC(X509V3_F_COPY_ISSUER), "COPY_ISSUER"},
78{ERR_FUNC(X509V3_F_DO_DIRNAME), "DO_DIRNAME"},
79{ERR_FUNC(X509V3_F_DO_EXT_CONF), "DO_EXT_CONF"},
80{ERR_FUNC(X509V3_F_DO_EXT_I2D), "DO_EXT_I2D"},
81{ERR_FUNC(X509V3_F_DO_EXT_NCONF), "DO_EXT_NCONF"},
82{ERR_FUNC(X509V3_F_DO_I2V_NAME_CONSTRAINTS), "DO_I2V_NAME_CONSTRAINTS"},
83{ERR_FUNC(X509V3_F_GNAMES_FROM_SECTNAME), "GNAMES_FROM_SECTNAME"},
84{ERR_FUNC(X509V3_F_HEX_TO_STRING), "hex_to_string"},
85{ERR_FUNC(X509V3_F_I2S_ASN1_ENUMERATED), "i2s_ASN1_ENUMERATED"},
86{ERR_FUNC(X509V3_F_I2S_ASN1_IA5STRING), "I2S_ASN1_IA5STRING"},
87{ERR_FUNC(X509V3_F_I2S_ASN1_INTEGER), "i2s_ASN1_INTEGER"},
88{ERR_FUNC(X509V3_F_I2V_AUTHORITY_INFO_ACCESS), "I2V_AUTHORITY_INFO_ACCESS"},
89{ERR_FUNC(X509V3_F_NOTICE_SECTION), "NOTICE_SECTION"},
90{ERR_FUNC(X509V3_F_NREF_NOS), "NREF_NOS"},
91{ERR_FUNC(X509V3_F_POLICY_SECTION), "POLICY_SECTION"},
92{ERR_FUNC(X509V3_F_PROCESS_PCI_VALUE), "PROCESS_PCI_VALUE"},
93{ERR_FUNC(X509V3_F_R2I_CERTPOL), "R2I_CERTPOL"},
94{ERR_FUNC(X509V3_F_R2I_PCI), "R2I_PCI"},
95{ERR_FUNC(X509V3_F_S2I_ASN1_IA5STRING), "S2I_ASN1_IA5STRING"},
96{ERR_FUNC(X509V3_F_S2I_ASN1_INTEGER), "s2i_ASN1_INTEGER"},
97{ERR_FUNC(X509V3_F_S2I_ASN1_OCTET_STRING), "s2i_ASN1_OCTET_STRING"},
98{ERR_FUNC(X509V3_F_S2I_ASN1_SKEY_ID), "S2I_ASN1_SKEY_ID"},
99{ERR_FUNC(X509V3_F_S2I_SKEY_ID), "S2I_SKEY_ID"},
100{ERR_FUNC(X509V3_F_SET_DIST_POINT_NAME), "SET_DIST_POINT_NAME"},
101{ERR_FUNC(X509V3_F_STRING_TO_HEX), "string_to_hex"},
102{ERR_FUNC(X509V3_F_SXNET_ADD_ID_ASC), "SXNET_add_id_asc"},
103{ERR_FUNC(X509V3_F_SXNET_ADD_ID_INTEGER), "SXNET_add_id_INTEGER"},
104{ERR_FUNC(X509V3_F_SXNET_ADD_ID_ULONG), "SXNET_add_id_ulong"},
105{ERR_FUNC(X509V3_F_SXNET_GET_ID_ASC), "SXNET_get_id_asc"},
106{ERR_FUNC(X509V3_F_SXNET_GET_ID_ULONG), "SXNET_get_id_ulong"},
107{ERR_FUNC(X509V3_F_V2I_ASIDENTIFIERS), "V2I_ASIDENTIFIERS"},
108{ERR_FUNC(X509V3_F_V2I_ASN1_BIT_STRING), "v2i_ASN1_BIT_STRING"},
109{ERR_FUNC(X509V3_F_V2I_AUTHORITY_INFO_ACCESS), "V2I_AUTHORITY_INFO_ACCESS"},
110{ERR_FUNC(X509V3_F_V2I_AUTHORITY_KEYID), "V2I_AUTHORITY_KEYID"},
111{ERR_FUNC(X509V3_F_V2I_BASIC_CONSTRAINTS), "V2I_BASIC_CONSTRAINTS"},
112{ERR_FUNC(X509V3_F_V2I_CRLD), "V2I_CRLD"},
113{ERR_FUNC(X509V3_F_V2I_EXTENDED_KEY_USAGE), "V2I_EXTENDED_KEY_USAGE"},
114{ERR_FUNC(X509V3_F_V2I_GENERAL_NAMES), "v2i_GENERAL_NAMES"},
115{ERR_FUNC(X509V3_F_V2I_GENERAL_NAME_EX), "v2i_GENERAL_NAME_ex"},
116{ERR_FUNC(X509V3_F_V2I_IDP), "V2I_IDP"},
117{ERR_FUNC(X509V3_F_V2I_IPADDRBLOCKS), "V2I_IPADDRBLOCKS"},
118{ERR_FUNC(X509V3_F_V2I_ISSUER_ALT), "V2I_ISSUER_ALT"},
119{ERR_FUNC(X509V3_F_V2I_NAME_CONSTRAINTS), "V2I_NAME_CONSTRAINTS"},
120{ERR_FUNC(X509V3_F_V2I_POLICY_CONSTRAINTS), "V2I_POLICY_CONSTRAINTS"},
121{ERR_FUNC(X509V3_F_V2I_POLICY_MAPPINGS), "V2I_POLICY_MAPPINGS"},
122{ERR_FUNC(X509V3_F_V2I_SUBJECT_ALT), "V2I_SUBJECT_ALT"},
123{ERR_FUNC(X509V3_F_V3_ADDR_VALIDATE_PATH_INTERNAL), "V3_ADDR_VALIDATE_PATH_INTERNAL"},
124{ERR_FUNC(X509V3_F_V3_GENERIC_EXTENSION), "V3_GENERIC_EXTENSION"},
125{ERR_FUNC(X509V3_F_X509V3_ADD1_I2D), "X509V3_add1_i2d"},
126{ERR_FUNC(X509V3_F_X509V3_ADD_VALUE), "X509V3_add_value"},
127{ERR_FUNC(X509V3_F_X509V3_EXT_ADD), "X509V3_EXT_add"},
128{ERR_FUNC(X509V3_F_X509V3_EXT_ADD_ALIAS), "X509V3_EXT_add_alias"},
129{ERR_FUNC(X509V3_F_X509V3_EXT_CONF), "X509V3_EXT_conf"},
130{ERR_FUNC(X509V3_F_X509V3_EXT_I2D), "X509V3_EXT_i2d"},
131{ERR_FUNC(X509V3_F_X509V3_EXT_NCONF), "X509V3_EXT_nconf"},
132{ERR_FUNC(X509V3_F_X509V3_GET_SECTION), "X509V3_get_section"},
133{ERR_FUNC(X509V3_F_X509V3_GET_STRING), "X509V3_get_string"},
134{ERR_FUNC(X509V3_F_X509V3_GET_VALUE_BOOL), "X509V3_get_value_bool"},
135{ERR_FUNC(X509V3_F_X509V3_PARSE_LIST), "X509V3_parse_list"},
136{ERR_FUNC(X509V3_F_X509_PURPOSE_ADD), "X509_PURPOSE_add"},
137{ERR_FUNC(X509V3_F_X509_PURPOSE_SET), "X509_PURPOSE_set"},
138{0,NULL}
139 };
140
141static ERR_STRING_DATA X509V3_str_reasons[]=
142 {
143{ERR_REASON(X509V3_R_BAD_IP_ADDRESS) ,"bad ip address"},
144{ERR_REASON(X509V3_R_BAD_OBJECT) ,"bad object"},
145{ERR_REASON(X509V3_R_BN_DEC2BN_ERROR) ,"bn dec2bn error"},
146{ERR_REASON(X509V3_R_BN_TO_ASN1_INTEGER_ERROR),"bn to asn1 integer error"},
147{ERR_REASON(X509V3_R_DIRNAME_ERROR) ,"dirname error"},
148{ERR_REASON(X509V3_R_DISTPOINT_ALREADY_SET),"distpoint already set"},
149{ERR_REASON(X509V3_R_DUPLICATE_ZONE_ID) ,"duplicate zone id"},
150{ERR_REASON(X509V3_R_ERROR_CONVERTING_ZONE),"error converting zone"},
151{ERR_REASON(X509V3_R_ERROR_CREATING_EXTENSION),"error creating extension"},
152{ERR_REASON(X509V3_R_ERROR_IN_EXTENSION) ,"error in extension"},
153{ERR_REASON(X509V3_R_EXPECTED_A_SECTION_NAME),"expected a section name"},
154{ERR_REASON(X509V3_R_EXTENSION_EXISTS) ,"extension exists"},
155{ERR_REASON(X509V3_R_EXTENSION_NAME_ERROR),"extension name error"},
156{ERR_REASON(X509V3_R_EXTENSION_NOT_FOUND),"extension not found"},
157{ERR_REASON(X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED),"extension setting not supported"},
158{ERR_REASON(X509V3_R_EXTENSION_VALUE_ERROR),"extension value error"},
159{ERR_REASON(X509V3_R_ILLEGAL_EMPTY_EXTENSION),"illegal empty extension"},
160{ERR_REASON(X509V3_R_ILLEGAL_HEX_DIGIT) ,"illegal hex digit"},
161{ERR_REASON(X509V3_R_INCORRECT_POLICY_SYNTAX_TAG),"incorrect policy syntax tag"},
162{ERR_REASON(X509V3_R_INVALID_MULTIPLE_RDNS),"invalid multiple rdns"},
163{ERR_REASON(X509V3_R_INVALID_ASNUMBER) ,"invalid asnumber"},
164{ERR_REASON(X509V3_R_INVALID_ASRANGE) ,"invalid asrange"},
165{ERR_REASON(X509V3_R_INVALID_BOOLEAN_STRING),"invalid boolean string"},
166{ERR_REASON(X509V3_R_INVALID_EXTENSION_STRING),"invalid extension string"},
167{ERR_REASON(X509V3_R_INVALID_INHERITANCE),"invalid inheritance"},
168{ERR_REASON(X509V3_R_INVALID_IPADDRESS) ,"invalid ipaddress"},
169{ERR_REASON(X509V3_R_INVALID_NAME) ,"invalid name"},
170{ERR_REASON(X509V3_R_INVALID_NULL_ARGUMENT),"invalid null argument"},
171{ERR_REASON(X509V3_R_INVALID_NULL_NAME) ,"invalid null name"},
172{ERR_REASON(X509V3_R_INVALID_NULL_VALUE) ,"invalid null value"},
173{ERR_REASON(X509V3_R_INVALID_NUMBER) ,"invalid number"},
174{ERR_REASON(X509V3_R_INVALID_NUMBERS) ,"invalid numbers"},
175{ERR_REASON(X509V3_R_INVALID_OBJECT_IDENTIFIER),"invalid object identifier"},
176{ERR_REASON(X509V3_R_INVALID_OPTION) ,"invalid option"},
177{ERR_REASON(X509V3_R_INVALID_POLICY_IDENTIFIER),"invalid policy identifier"},
178{ERR_REASON(X509V3_R_INVALID_PROXY_POLICY_SETTING),"invalid proxy policy setting"},
179{ERR_REASON(X509V3_R_INVALID_PURPOSE) ,"invalid purpose"},
180{ERR_REASON(X509V3_R_INVALID_SAFI) ,"invalid safi"},
181{ERR_REASON(X509V3_R_INVALID_SECTION) ,"invalid section"},
182{ERR_REASON(X509V3_R_INVALID_SYNTAX) ,"invalid syntax"},
183{ERR_REASON(X509V3_R_ISSUER_DECODE_ERROR),"issuer decode error"},
184{ERR_REASON(X509V3_R_MISSING_VALUE) ,"missing value"},
185{ERR_REASON(X509V3_R_NEED_ORGANIZATION_AND_NUMBERS),"need organization and numbers"},
186{ERR_REASON(X509V3_R_NO_CONFIG_DATABASE) ,"no config database"},
187{ERR_REASON(X509V3_R_NO_ISSUER_CERTIFICATE),"no issuer certificate"},
188{ERR_REASON(X509V3_R_NO_ISSUER_DETAILS) ,"no issuer details"},
189{ERR_REASON(X509V3_R_NO_POLICY_IDENTIFIER),"no policy identifier"},
190{ERR_REASON(X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED),"no proxy cert policy language defined"},
191{ERR_REASON(X509V3_R_NO_PUBLIC_KEY) ,"no public key"},
192{ERR_REASON(X509V3_R_NO_SUBJECT_DETAILS) ,"no subject details"},
193{ERR_REASON(X509V3_R_ODD_NUMBER_OF_DIGITS),"odd number of digits"},
194{ERR_REASON(X509V3_R_OPERATION_NOT_DEFINED),"operation not defined"},
195{ERR_REASON(X509V3_R_OTHERNAME_ERROR) ,"othername error"},
196{ERR_REASON(X509V3_R_POLICY_LANGUAGE_ALREADY_DEFINED),"policy language already defined"},
197{ERR_REASON(X509V3_R_POLICY_PATH_LENGTH) ,"policy path length"},
198{ERR_REASON(X509V3_R_POLICY_PATH_LENGTH_ALREADY_DEFINED),"policy path length already defined"},
199{ERR_REASON(X509V3_R_POLICY_SYNTAX_NOT_CURRENTLY_SUPPORTED),"policy syntax not currently supported"},
200{ERR_REASON(X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY),"policy when proxy language requires no policy"},
201{ERR_REASON(X509V3_R_SECTION_NOT_FOUND) ,"section not found"},
202{ERR_REASON(X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS),"unable to get issuer details"},
203{ERR_REASON(X509V3_R_UNABLE_TO_GET_ISSUER_KEYID),"unable to get issuer keyid"},
204{ERR_REASON(X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT),"unknown bit string argument"},
205{ERR_REASON(X509V3_R_UNKNOWN_EXTENSION) ,"unknown extension"},
206{ERR_REASON(X509V3_R_UNKNOWN_EXTENSION_NAME),"unknown extension name"},
207{ERR_REASON(X509V3_R_UNKNOWN_OPTION) ,"unknown option"},
208{ERR_REASON(X509V3_R_UNSUPPORTED_OPTION) ,"unsupported option"},
209{ERR_REASON(X509V3_R_UNSUPPORTED_TYPE) ,"unsupported type"},
210{ERR_REASON(X509V3_R_USER_TOO_LONG) ,"user too long"},
211{0,NULL}
212 };
213
214#endif
215
216void ERR_load_X509V3_strings(void)
217 {
218#ifndef OPENSSL_NO_ERR
219
220 if (ERR_func_error_string(X509V3_str_functs[0].error) == NULL)
221 {
222 ERR_load_strings(0,X509V3_str_functs);
223 ERR_load_strings(0,X509V3_str_reasons);
224 }
225#endif
226 }
diff --git a/src/lib/libcrypto/x509v3/x509v3.h b/src/lib/libcrypto/x509v3/x509v3.h
new file mode 100644
index 0000000000..b308abe7cd
--- /dev/null
+++ b/src/lib/libcrypto/x509v3/x509v3.h
@@ -0,0 +1,1007 @@
1/* x509v3.h */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58#ifndef HEADER_X509V3_H
59#define HEADER_X509V3_H
60
61#include <openssl/bio.h>
62#include <openssl/x509.h>
63#include <openssl/conf.h>
64
65#ifdef __cplusplus
66extern "C" {
67#endif
68
69/* Forward reference */
70struct v3_ext_method;
71struct v3_ext_ctx;
72
73/* Useful typedefs */
74
75typedef void * (*X509V3_EXT_NEW)(void);
76typedef void (*X509V3_EXT_FREE)(void *);
77typedef void * (*X509V3_EXT_D2I)(void *, const unsigned char ** , long);
78typedef int (*X509V3_EXT_I2D)(void *, unsigned char **);
79typedef STACK_OF(CONF_VALUE) *
80 (*X509V3_EXT_I2V)(const struct v3_ext_method *method, void *ext,
81 STACK_OF(CONF_VALUE) *extlist);
82typedef void * (*X509V3_EXT_V2I)(const struct v3_ext_method *method,
83 struct v3_ext_ctx *ctx,
84 STACK_OF(CONF_VALUE) *values);
85typedef char * (*X509V3_EXT_I2S)(const struct v3_ext_method *method, void *ext);
86typedef void * (*X509V3_EXT_S2I)(const struct v3_ext_method *method,
87 struct v3_ext_ctx *ctx, const char *str);
88typedef int (*X509V3_EXT_I2R)(const struct v3_ext_method *method, void *ext,
89 BIO *out, int indent);
90typedef void * (*X509V3_EXT_R2I)(const struct v3_ext_method *method,
91 struct v3_ext_ctx *ctx, const char *str);
92
93/* V3 extension structure */
94
95struct v3_ext_method {
96int ext_nid;
97int ext_flags;
98/* If this is set the following four fields are ignored */
99ASN1_ITEM_EXP *it;
100/* Old style ASN1 calls */
101X509V3_EXT_NEW ext_new;
102X509V3_EXT_FREE ext_free;
103X509V3_EXT_D2I d2i;
104X509V3_EXT_I2D i2d;
105
106/* The following pair is used for string extensions */
107X509V3_EXT_I2S i2s;
108X509V3_EXT_S2I s2i;
109
110/* The following pair is used for multi-valued extensions */
111X509V3_EXT_I2V i2v;
112X509V3_EXT_V2I v2i;
113
114/* The following are used for raw extensions */
115X509V3_EXT_I2R i2r;
116X509V3_EXT_R2I r2i;
117
118void *usr_data; /* Any extension specific data */
119};
120
121typedef struct X509V3_CONF_METHOD_st {
122char * (*get_string)(void *db, char *section, char *value);
123STACK_OF(CONF_VALUE) * (*get_section)(void *db, char *section);
124void (*free_string)(void *db, char * string);
125void (*free_section)(void *db, STACK_OF(CONF_VALUE) *section);
126} X509V3_CONF_METHOD;
127
128/* Context specific info */
129struct v3_ext_ctx {
130#define CTX_TEST 0x1
131int flags;
132X509 *issuer_cert;
133X509 *subject_cert;
134X509_REQ *subject_req;
135X509_CRL *crl;
136X509V3_CONF_METHOD *db_meth;
137void *db;
138/* Maybe more here */
139};
140
141typedef struct v3_ext_method X509V3_EXT_METHOD;
142
143DECLARE_STACK_OF(X509V3_EXT_METHOD)
144
145/* ext_flags values */
146#define X509V3_EXT_DYNAMIC 0x1
147#define X509V3_EXT_CTX_DEP 0x2
148#define X509V3_EXT_MULTILINE 0x4
149
150typedef BIT_STRING_BITNAME ENUMERATED_NAMES;
151
152typedef struct BASIC_CONSTRAINTS_st {
153int ca;
154ASN1_INTEGER *pathlen;
155} BASIC_CONSTRAINTS;
156
157
158typedef struct PKEY_USAGE_PERIOD_st {
159ASN1_GENERALIZEDTIME *notBefore;
160ASN1_GENERALIZEDTIME *notAfter;
161} PKEY_USAGE_PERIOD;
162
163typedef struct otherName_st {
164ASN1_OBJECT *type_id;
165ASN1_TYPE *value;
166} OTHERNAME;
167
168typedef struct EDIPartyName_st {
169 ASN1_STRING *nameAssigner;
170 ASN1_STRING *partyName;
171} EDIPARTYNAME;
172
173typedef struct GENERAL_NAME_st {
174
175#define GEN_OTHERNAME 0
176#define GEN_EMAIL 1
177#define GEN_DNS 2
178#define GEN_X400 3
179#define GEN_DIRNAME 4
180#define GEN_EDIPARTY 5
181#define GEN_URI 6
182#define GEN_IPADD 7
183#define GEN_RID 8
184
185int type;
186union {
187 char *ptr;
188 OTHERNAME *otherName; /* otherName */
189 ASN1_IA5STRING *rfc822Name;
190 ASN1_IA5STRING *dNSName;
191 ASN1_TYPE *x400Address;
192 X509_NAME *directoryName;
193 EDIPARTYNAME *ediPartyName;
194 ASN1_IA5STRING *uniformResourceIdentifier;
195 ASN1_OCTET_STRING *iPAddress;
196 ASN1_OBJECT *registeredID;
197
198 /* Old names */
199 ASN1_OCTET_STRING *ip; /* iPAddress */
200 X509_NAME *dirn; /* dirn */
201 ASN1_IA5STRING *ia5;/* rfc822Name, dNSName, uniformResourceIdentifier */
202 ASN1_OBJECT *rid; /* registeredID */
203 ASN1_TYPE *other; /* x400Address */
204} d;
205} GENERAL_NAME;
206
207typedef STACK_OF(GENERAL_NAME) GENERAL_NAMES;
208
209typedef struct ACCESS_DESCRIPTION_st {
210 ASN1_OBJECT *method;
211 GENERAL_NAME *location;
212} ACCESS_DESCRIPTION;
213
214typedef STACK_OF(ACCESS_DESCRIPTION) AUTHORITY_INFO_ACCESS;
215
216typedef STACK_OF(ASN1_OBJECT) EXTENDED_KEY_USAGE;
217
218DECLARE_STACK_OF(GENERAL_NAME)
219DECLARE_ASN1_SET_OF(GENERAL_NAME)
220
221DECLARE_STACK_OF(ACCESS_DESCRIPTION)
222DECLARE_ASN1_SET_OF(ACCESS_DESCRIPTION)
223
224typedef struct DIST_POINT_NAME_st {
225int type;
226union {
227 GENERAL_NAMES *fullname;
228 STACK_OF(X509_NAME_ENTRY) *relativename;
229} name;
230/* If relativename then this contains the full distribution point name */
231X509_NAME *dpname;
232} DIST_POINT_NAME;
233/* All existing reasons */
234#define CRLDP_ALL_REASONS 0x807f
235
236#define CRL_REASON_NONE -1
237#define CRL_REASON_UNSPECIFIED 0
238#define CRL_REASON_KEY_COMPROMISE 1
239#define CRL_REASON_CA_COMPROMISE 2
240#define CRL_REASON_AFFILIATION_CHANGED 3
241#define CRL_REASON_SUPERSEDED 4
242#define CRL_REASON_CESSATION_OF_OPERATION 5
243#define CRL_REASON_CERTIFICATE_HOLD 6
244#define CRL_REASON_REMOVE_FROM_CRL 8
245#define CRL_REASON_PRIVILEGE_WITHDRAWN 9
246#define CRL_REASON_AA_COMPROMISE 10
247
248struct DIST_POINT_st {
249DIST_POINT_NAME *distpoint;
250ASN1_BIT_STRING *reasons;
251GENERAL_NAMES *CRLissuer;
252int dp_reasons;
253};
254
255typedef STACK_OF(DIST_POINT) CRL_DIST_POINTS;
256
257DECLARE_STACK_OF(DIST_POINT)
258DECLARE_ASN1_SET_OF(DIST_POINT)
259
260struct AUTHORITY_KEYID_st {
261ASN1_OCTET_STRING *keyid;
262GENERAL_NAMES *issuer;
263ASN1_INTEGER *serial;
264};
265
266/* Strong extranet structures */
267
268typedef struct SXNET_ID_st {
269 ASN1_INTEGER *zone;
270 ASN1_OCTET_STRING *user;
271} SXNETID;
272
273DECLARE_STACK_OF(SXNETID)
274DECLARE_ASN1_SET_OF(SXNETID)
275
276typedef struct SXNET_st {
277 ASN1_INTEGER *version;
278 STACK_OF(SXNETID) *ids;
279} SXNET;
280
281typedef struct NOTICEREF_st {
282 ASN1_STRING *organization;
283 STACK_OF(ASN1_INTEGER) *noticenos;
284} NOTICEREF;
285
286typedef struct USERNOTICE_st {
287 NOTICEREF *noticeref;
288 ASN1_STRING *exptext;
289} USERNOTICE;
290
291typedef struct POLICYQUALINFO_st {
292 ASN1_OBJECT *pqualid;
293 union {
294 ASN1_IA5STRING *cpsuri;
295 USERNOTICE *usernotice;
296 ASN1_TYPE *other;
297 } d;
298} POLICYQUALINFO;
299
300DECLARE_STACK_OF(POLICYQUALINFO)
301DECLARE_ASN1_SET_OF(POLICYQUALINFO)
302
303typedef struct POLICYINFO_st {
304 ASN1_OBJECT *policyid;
305 STACK_OF(POLICYQUALINFO) *qualifiers;
306} POLICYINFO;
307
308typedef STACK_OF(POLICYINFO) CERTIFICATEPOLICIES;
309
310DECLARE_STACK_OF(POLICYINFO)
311DECLARE_ASN1_SET_OF(POLICYINFO)
312
313typedef struct POLICY_MAPPING_st {
314 ASN1_OBJECT *issuerDomainPolicy;
315 ASN1_OBJECT *subjectDomainPolicy;
316} POLICY_MAPPING;
317
318DECLARE_STACK_OF(POLICY_MAPPING)
319
320typedef STACK_OF(POLICY_MAPPING) POLICY_MAPPINGS;
321
322typedef struct GENERAL_SUBTREE_st {
323 GENERAL_NAME *base;
324 ASN1_INTEGER *minimum;
325 ASN1_INTEGER *maximum;
326} GENERAL_SUBTREE;
327
328DECLARE_STACK_OF(GENERAL_SUBTREE)
329
330struct NAME_CONSTRAINTS_st {
331 STACK_OF(GENERAL_SUBTREE) *permittedSubtrees;
332 STACK_OF(GENERAL_SUBTREE) *excludedSubtrees;
333};
334
335typedef struct POLICY_CONSTRAINTS_st {
336 ASN1_INTEGER *requireExplicitPolicy;
337 ASN1_INTEGER *inhibitPolicyMapping;
338} POLICY_CONSTRAINTS;
339
340/* Proxy certificate structures, see RFC 3820 */
341typedef struct PROXY_POLICY_st
342 {
343 ASN1_OBJECT *policyLanguage;
344 ASN1_OCTET_STRING *policy;
345 } PROXY_POLICY;
346
347typedef struct PROXY_CERT_INFO_EXTENSION_st
348 {
349 ASN1_INTEGER *pcPathLengthConstraint;
350 PROXY_POLICY *proxyPolicy;
351 } PROXY_CERT_INFO_EXTENSION;
352
353DECLARE_ASN1_FUNCTIONS(PROXY_POLICY)
354DECLARE_ASN1_FUNCTIONS(PROXY_CERT_INFO_EXTENSION)
355
356struct ISSUING_DIST_POINT_st
357 {
358 DIST_POINT_NAME *distpoint;
359 int onlyuser;
360 int onlyCA;
361 ASN1_BIT_STRING *onlysomereasons;
362 int indirectCRL;
363 int onlyattr;
364 };
365
366/* Values in idp_flags field */
367/* IDP present */
368#define IDP_PRESENT 0x1
369/* IDP values inconsistent */
370#define IDP_INVALID 0x2
371/* onlyuser true */
372#define IDP_ONLYUSER 0x4
373/* onlyCA true */
374#define IDP_ONLYCA 0x8
375/* onlyattr true */
376#define IDP_ONLYATTR 0x10
377/* indirectCRL true */
378#define IDP_INDIRECT 0x20
379/* onlysomereasons present */
380#define IDP_REASONS 0x40
381
382#define X509V3_conf_err(val) ERR_add_error_data(6, "section:", val->section, \
383",name:", val->name, ",value:", val->value);
384
385#define X509V3_set_ctx_test(ctx) \
386 X509V3_set_ctx(ctx, NULL, NULL, NULL, NULL, CTX_TEST)
387#define X509V3_set_ctx_nodb(ctx) (ctx)->db = NULL;
388
389#define EXT_BITSTRING(nid, table) { nid, 0, ASN1_ITEM_ref(ASN1_BIT_STRING), \
390 0,0,0,0, \
391 0,0, \
392 (X509V3_EXT_I2V)i2v_ASN1_BIT_STRING, \
393 (X509V3_EXT_V2I)v2i_ASN1_BIT_STRING, \
394 NULL, NULL, \
395 table}
396
397#define EXT_IA5STRING(nid) { nid, 0, ASN1_ITEM_ref(ASN1_IA5STRING), \
398 0,0,0,0, \
399 (X509V3_EXT_I2S)i2s_ASN1_IA5STRING, \
400 (X509V3_EXT_S2I)s2i_ASN1_IA5STRING, \
401 0,0,0,0, \
402 NULL}
403
404#define EXT_END { -1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}
405
406
407/* X509_PURPOSE stuff */
408
409#define EXFLAG_BCONS 0x1
410#define EXFLAG_KUSAGE 0x2
411#define EXFLAG_XKUSAGE 0x4
412#define EXFLAG_NSCERT 0x8
413
414#define EXFLAG_CA 0x10
415/* Really self issued not necessarily self signed */
416#define EXFLAG_SI 0x20
417#define EXFLAG_SS 0x20
418#define EXFLAG_V1 0x40
419#define EXFLAG_INVALID 0x80
420#define EXFLAG_SET 0x100
421#define EXFLAG_CRITICAL 0x200
422#define EXFLAG_PROXY 0x400
423
424#define EXFLAG_INVALID_POLICY 0x800
425#define EXFLAG_FRESHEST 0x1000
426
427#define KU_DIGITAL_SIGNATURE 0x0080
428#define KU_NON_REPUDIATION 0x0040
429#define KU_KEY_ENCIPHERMENT 0x0020
430#define KU_DATA_ENCIPHERMENT 0x0010
431#define KU_KEY_AGREEMENT 0x0008
432#define KU_KEY_CERT_SIGN 0x0004
433#define KU_CRL_SIGN 0x0002
434#define KU_ENCIPHER_ONLY 0x0001
435#define KU_DECIPHER_ONLY 0x8000
436
437#define NS_SSL_CLIENT 0x80
438#define NS_SSL_SERVER 0x40
439#define NS_SMIME 0x20
440#define NS_OBJSIGN 0x10
441#define NS_SSL_CA 0x04
442#define NS_SMIME_CA 0x02
443#define NS_OBJSIGN_CA 0x01
444#define NS_ANY_CA (NS_SSL_CA|NS_SMIME_CA|NS_OBJSIGN_CA)
445
446#define XKU_SSL_SERVER 0x1
447#define XKU_SSL_CLIENT 0x2
448#define XKU_SMIME 0x4
449#define XKU_CODE_SIGN 0x8
450#define XKU_SGC 0x10
451#define XKU_OCSP_SIGN 0x20
452#define XKU_TIMESTAMP 0x40
453#define XKU_DVCS 0x80
454
455#define X509_PURPOSE_DYNAMIC 0x1
456#define X509_PURPOSE_DYNAMIC_NAME 0x2
457
458typedef struct x509_purpose_st {
459 int purpose;
460 int trust; /* Default trust ID */
461 int flags;
462 int (*check_purpose)(const struct x509_purpose_st *,
463 const X509 *, int);
464 char *name;
465 char *sname;
466 void *usr_data;
467} X509_PURPOSE;
468
469#define X509_PURPOSE_SSL_CLIENT 1
470#define X509_PURPOSE_SSL_SERVER 2
471#define X509_PURPOSE_NS_SSL_SERVER 3
472#define X509_PURPOSE_SMIME_SIGN 4
473#define X509_PURPOSE_SMIME_ENCRYPT 5
474#define X509_PURPOSE_CRL_SIGN 6
475#define X509_PURPOSE_ANY 7
476#define X509_PURPOSE_OCSP_HELPER 8
477#define X509_PURPOSE_TIMESTAMP_SIGN 9
478
479#define X509_PURPOSE_MIN 1
480#define X509_PURPOSE_MAX 9
481
482/* Flags for X509V3_EXT_print() */
483
484#define X509V3_EXT_UNKNOWN_MASK (0xfL << 16)
485/* Return error for unknown extensions */
486#define X509V3_EXT_DEFAULT 0
487/* Print error for unknown extensions */
488#define X509V3_EXT_ERROR_UNKNOWN (1L << 16)
489/* ASN1 parse unknown extensions */
490#define X509V3_EXT_PARSE_UNKNOWN (2L << 16)
491/* BIO_dump unknown extensions */
492#define X509V3_EXT_DUMP_UNKNOWN (3L << 16)
493
494/* Flags for X509V3_add1_i2d */
495
496#define X509V3_ADD_OP_MASK 0xfL
497#define X509V3_ADD_DEFAULT 0L
498#define X509V3_ADD_APPEND 1L
499#define X509V3_ADD_REPLACE 2L
500#define X509V3_ADD_REPLACE_EXISTING 3L
501#define X509V3_ADD_KEEP_EXISTING 4L
502#define X509V3_ADD_DELETE 5L
503#define X509V3_ADD_SILENT 0x10
504
505DECLARE_STACK_OF(X509_PURPOSE)
506
507DECLARE_ASN1_FUNCTIONS(BASIC_CONSTRAINTS)
508
509DECLARE_ASN1_FUNCTIONS(SXNET)
510DECLARE_ASN1_FUNCTIONS(SXNETID)
511
512int SXNET_add_id_asc(SXNET **psx, char *zone, char *user, int userlen);
513int SXNET_add_id_ulong(SXNET **psx, unsigned long lzone, char *user, int userlen);
514int SXNET_add_id_INTEGER(SXNET **psx, ASN1_INTEGER *izone, char *user, int userlen);
515
516ASN1_OCTET_STRING *SXNET_get_id_asc(SXNET *sx, char *zone);
517ASN1_OCTET_STRING *SXNET_get_id_ulong(SXNET *sx, unsigned long lzone);
518ASN1_OCTET_STRING *SXNET_get_id_INTEGER(SXNET *sx, ASN1_INTEGER *zone);
519
520DECLARE_ASN1_FUNCTIONS(AUTHORITY_KEYID)
521
522DECLARE_ASN1_FUNCTIONS(PKEY_USAGE_PERIOD)
523
524DECLARE_ASN1_FUNCTIONS(GENERAL_NAME)
525GENERAL_NAME *GENERAL_NAME_dup(GENERAL_NAME *a);
526int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b);
527
528
529
530ASN1_BIT_STRING *v2i_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
531 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
532STACK_OF(CONF_VALUE) *i2v_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
533 ASN1_BIT_STRING *bits,
534 STACK_OF(CONF_VALUE) *extlist);
535
536STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(X509V3_EXT_METHOD *method, GENERAL_NAME *gen, STACK_OF(CONF_VALUE) *ret);
537int GENERAL_NAME_print(BIO *out, GENERAL_NAME *gen);
538
539DECLARE_ASN1_FUNCTIONS(GENERAL_NAMES)
540
541STACK_OF(CONF_VALUE) *i2v_GENERAL_NAMES(X509V3_EXT_METHOD *method,
542 GENERAL_NAMES *gen, STACK_OF(CONF_VALUE) *extlist);
543GENERAL_NAMES *v2i_GENERAL_NAMES(const X509V3_EXT_METHOD *method,
544 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
545
546DECLARE_ASN1_FUNCTIONS(OTHERNAME)
547DECLARE_ASN1_FUNCTIONS(EDIPARTYNAME)
548int OTHERNAME_cmp(OTHERNAME *a, OTHERNAME *b);
549void GENERAL_NAME_set0_value(GENERAL_NAME *a, int type, void *value);
550void *GENERAL_NAME_get0_value(GENERAL_NAME *a, int *ptype);
551int GENERAL_NAME_set0_othername(GENERAL_NAME *gen,
552 ASN1_OBJECT *oid, ASN1_TYPE *value);
553int GENERAL_NAME_get0_otherName(GENERAL_NAME *gen,
554 ASN1_OBJECT **poid, ASN1_TYPE **pvalue);
555
556char *i2s_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method, ASN1_OCTET_STRING *ia5);
557ASN1_OCTET_STRING *s2i_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *str);
558
559DECLARE_ASN1_FUNCTIONS(EXTENDED_KEY_USAGE)
560int i2a_ACCESS_DESCRIPTION(BIO *bp, ACCESS_DESCRIPTION* a);
561
562DECLARE_ASN1_FUNCTIONS(CERTIFICATEPOLICIES)
563DECLARE_ASN1_FUNCTIONS(POLICYINFO)
564DECLARE_ASN1_FUNCTIONS(POLICYQUALINFO)
565DECLARE_ASN1_FUNCTIONS(USERNOTICE)
566DECLARE_ASN1_FUNCTIONS(NOTICEREF)
567
568DECLARE_ASN1_FUNCTIONS(CRL_DIST_POINTS)
569DECLARE_ASN1_FUNCTIONS(DIST_POINT)
570DECLARE_ASN1_FUNCTIONS(DIST_POINT_NAME)
571DECLARE_ASN1_FUNCTIONS(ISSUING_DIST_POINT)
572
573int DIST_POINT_set_dpname(DIST_POINT_NAME *dpn, X509_NAME *iname);
574
575int NAME_CONSTRAINTS_check(X509 *x, NAME_CONSTRAINTS *nc);
576
577DECLARE_ASN1_FUNCTIONS(ACCESS_DESCRIPTION)
578DECLARE_ASN1_FUNCTIONS(AUTHORITY_INFO_ACCESS)
579
580DECLARE_ASN1_ITEM(POLICY_MAPPING)
581DECLARE_ASN1_ALLOC_FUNCTIONS(POLICY_MAPPING)
582DECLARE_ASN1_ITEM(POLICY_MAPPINGS)
583
584DECLARE_ASN1_ITEM(GENERAL_SUBTREE)
585DECLARE_ASN1_ALLOC_FUNCTIONS(GENERAL_SUBTREE)
586
587DECLARE_ASN1_ITEM(NAME_CONSTRAINTS)
588DECLARE_ASN1_ALLOC_FUNCTIONS(NAME_CONSTRAINTS)
589
590DECLARE_ASN1_ALLOC_FUNCTIONS(POLICY_CONSTRAINTS)
591DECLARE_ASN1_ITEM(POLICY_CONSTRAINTS)
592
593GENERAL_NAME *a2i_GENERAL_NAME(GENERAL_NAME *out,
594 const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
595 int gen_type, char *value, int is_nc);
596
597#ifdef HEADER_CONF_H
598GENERAL_NAME *v2i_GENERAL_NAME(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
599 CONF_VALUE *cnf);
600GENERAL_NAME *v2i_GENERAL_NAME_ex(GENERAL_NAME *out,
601 const X509V3_EXT_METHOD *method,
602 X509V3_CTX *ctx, CONF_VALUE *cnf, int is_nc);
603void X509V3_conf_free(CONF_VALUE *val);
604
605X509_EXTENSION *X509V3_EXT_nconf_nid(CONF *conf, X509V3_CTX *ctx, int ext_nid, char *value);
606X509_EXTENSION *X509V3_EXT_nconf(CONF *conf, X509V3_CTX *ctx, char *name, char *value);
607int X509V3_EXT_add_nconf_sk(CONF *conf, X509V3_CTX *ctx, char *section, STACK_OF(X509_EXTENSION) **sk);
608int X509V3_EXT_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section, X509 *cert);
609int X509V3_EXT_REQ_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section, X509_REQ *req);
610int X509V3_EXT_CRL_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section, X509_CRL *crl);
611
612X509_EXTENSION *X509V3_EXT_conf_nid(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
613 int ext_nid, char *value);
614X509_EXTENSION *X509V3_EXT_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
615 char *name, char *value);
616int X509V3_EXT_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
617 char *section, X509 *cert);
618int X509V3_EXT_REQ_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
619 char *section, X509_REQ *req);
620int X509V3_EXT_CRL_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
621 char *section, X509_CRL *crl);
622
623int X509V3_add_value_bool_nf(char *name, int asn1_bool,
624 STACK_OF(CONF_VALUE) **extlist);
625int X509V3_get_value_bool(CONF_VALUE *value, int *asn1_bool);
626int X509V3_get_value_int(CONF_VALUE *value, ASN1_INTEGER **aint);
627void X509V3_set_nconf(X509V3_CTX *ctx, CONF *conf);
628void X509V3_set_conf_lhash(X509V3_CTX *ctx, LHASH_OF(CONF_VALUE) *lhash);
629#endif
630
631char * X509V3_get_string(X509V3_CTX *ctx, char *name, char *section);
632STACK_OF(CONF_VALUE) * X509V3_get_section(X509V3_CTX *ctx, char *section);
633void X509V3_string_free(X509V3_CTX *ctx, char *str);
634void X509V3_section_free( X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *section);
635void X509V3_set_ctx(X509V3_CTX *ctx, X509 *issuer, X509 *subject,
636 X509_REQ *req, X509_CRL *crl, int flags);
637
638int X509V3_add_value(const char *name, const char *value,
639 STACK_OF(CONF_VALUE) **extlist);
640int X509V3_add_value_uchar(const char *name, const unsigned char *value,
641 STACK_OF(CONF_VALUE) **extlist);
642int X509V3_add_value_bool(const char *name, int asn1_bool,
643 STACK_OF(CONF_VALUE) **extlist);
644int X509V3_add_value_int(const char *name, ASN1_INTEGER *aint,
645 STACK_OF(CONF_VALUE) **extlist);
646char * i2s_ASN1_INTEGER(X509V3_EXT_METHOD *meth, ASN1_INTEGER *aint);
647ASN1_INTEGER * s2i_ASN1_INTEGER(X509V3_EXT_METHOD *meth, char *value);
648char * i2s_ASN1_ENUMERATED(X509V3_EXT_METHOD *meth, ASN1_ENUMERATED *aint);
649char * i2s_ASN1_ENUMERATED_TABLE(X509V3_EXT_METHOD *meth, ASN1_ENUMERATED *aint);
650int X509V3_EXT_add(X509V3_EXT_METHOD *ext);
651int X509V3_EXT_add_list(X509V3_EXT_METHOD *extlist);
652int X509V3_EXT_add_alias(int nid_to, int nid_from);
653void X509V3_EXT_cleanup(void);
654
655const X509V3_EXT_METHOD *X509V3_EXT_get(X509_EXTENSION *ext);
656const X509V3_EXT_METHOD *X509V3_EXT_get_nid(int nid);
657int X509V3_add_standard_extensions(void);
658STACK_OF(CONF_VALUE) *X509V3_parse_list(const char *line);
659void *X509V3_EXT_d2i(X509_EXTENSION *ext);
660void *X509V3_get_d2i(STACK_OF(X509_EXTENSION) *x, int nid, int *crit, int *idx);
661
662
663X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, void *ext_struc);
664int X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value, int crit, unsigned long flags);
665
666char *hex_to_string(const unsigned char *buffer, long len);
667unsigned char *string_to_hex(const char *str, long *len);
668int name_cmp(const char *name, const char *cmp);
669
670void X509V3_EXT_val_prn(BIO *out, STACK_OF(CONF_VALUE) *val, int indent,
671 int ml);
672int X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, unsigned long flag, int indent);
673int X509V3_EXT_print_fp(FILE *out, X509_EXTENSION *ext, int flag, int indent);
674
675int X509V3_extensions_print(BIO *out, char *title, STACK_OF(X509_EXTENSION) *exts, unsigned long flag, int indent);
676
677int X509_check_ca(X509 *x);
678int X509_check_purpose(X509 *x, int id, int ca);
679int X509_supported_extension(X509_EXTENSION *ex);
680int X509_PURPOSE_set(int *p, int purpose);
681int X509_check_issued(X509 *issuer, X509 *subject);
682int X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid);
683int X509_PURPOSE_get_count(void);
684X509_PURPOSE * X509_PURPOSE_get0(int idx);
685int X509_PURPOSE_get_by_sname(char *sname);
686int X509_PURPOSE_get_by_id(int id);
687int X509_PURPOSE_add(int id, int trust, int flags,
688 int (*ck)(const X509_PURPOSE *, const X509 *, int),
689 char *name, char *sname, void *arg);
690char *X509_PURPOSE_get0_name(X509_PURPOSE *xp);
691char *X509_PURPOSE_get0_sname(X509_PURPOSE *xp);
692int X509_PURPOSE_get_trust(X509_PURPOSE *xp);
693void X509_PURPOSE_cleanup(void);
694int X509_PURPOSE_get_id(X509_PURPOSE *);
695
696STACK_OF(OPENSSL_STRING) *X509_get1_email(X509 *x);
697STACK_OF(OPENSSL_STRING) *X509_REQ_get1_email(X509_REQ *x);
698void X509_email_free(STACK_OF(OPENSSL_STRING) *sk);
699STACK_OF(OPENSSL_STRING) *X509_get1_ocsp(X509 *x);
700
701ASN1_OCTET_STRING *a2i_IPADDRESS(const char *ipasc);
702ASN1_OCTET_STRING *a2i_IPADDRESS_NC(const char *ipasc);
703int a2i_ipadd(unsigned char *ipout, const char *ipasc);
704int X509V3_NAME_from_section(X509_NAME *nm, STACK_OF(CONF_VALUE)*dn_sk,
705 unsigned long chtype);
706
707void X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent);
708DECLARE_STACK_OF(X509_POLICY_NODE)
709
710#ifndef OPENSSL_NO_RFC3779
711
712typedef struct ASRange_st {
713 ASN1_INTEGER *min, *max;
714} ASRange;
715
716#define ASIdOrRange_id 0
717#define ASIdOrRange_range 1
718
719typedef struct ASIdOrRange_st {
720 int type;
721 union {
722 ASN1_INTEGER *id;
723 ASRange *range;
724 } u;
725} ASIdOrRange;
726
727typedef STACK_OF(ASIdOrRange) ASIdOrRanges;
728DECLARE_STACK_OF(ASIdOrRange)
729
730#define ASIdentifierChoice_inherit 0
731#define ASIdentifierChoice_asIdsOrRanges 1
732
733typedef struct ASIdentifierChoice_st {
734 int type;
735 union {
736 ASN1_NULL *inherit;
737 ASIdOrRanges *asIdsOrRanges;
738 } u;
739} ASIdentifierChoice;
740
741typedef struct ASIdentifiers_st {
742 ASIdentifierChoice *asnum, *rdi;
743} ASIdentifiers;
744
745DECLARE_ASN1_FUNCTIONS(ASRange)
746DECLARE_ASN1_FUNCTIONS(ASIdOrRange)
747DECLARE_ASN1_FUNCTIONS(ASIdentifierChoice)
748DECLARE_ASN1_FUNCTIONS(ASIdentifiers)
749
750
751typedef struct IPAddressRange_st {
752 ASN1_BIT_STRING *min, *max;
753} IPAddressRange;
754
755#define IPAddressOrRange_addressPrefix 0
756#define IPAddressOrRange_addressRange 1
757
758typedef struct IPAddressOrRange_st {
759 int type;
760 union {
761 ASN1_BIT_STRING *addressPrefix;
762 IPAddressRange *addressRange;
763 } u;
764} IPAddressOrRange;
765
766typedef STACK_OF(IPAddressOrRange) IPAddressOrRanges;
767DECLARE_STACK_OF(IPAddressOrRange)
768
769#define IPAddressChoice_inherit 0
770#define IPAddressChoice_addressesOrRanges 1
771
772typedef struct IPAddressChoice_st {
773 int type;
774 union {
775 ASN1_NULL *inherit;
776 IPAddressOrRanges *addressesOrRanges;
777 } u;
778} IPAddressChoice;
779
780typedef struct IPAddressFamily_st {
781 ASN1_OCTET_STRING *addressFamily;
782 IPAddressChoice *ipAddressChoice;
783} IPAddressFamily;
784
785typedef STACK_OF(IPAddressFamily) IPAddrBlocks;
786DECLARE_STACK_OF(IPAddressFamily)
787
788DECLARE_ASN1_FUNCTIONS(IPAddressRange)
789DECLARE_ASN1_FUNCTIONS(IPAddressOrRange)
790DECLARE_ASN1_FUNCTIONS(IPAddressChoice)
791DECLARE_ASN1_FUNCTIONS(IPAddressFamily)
792
793/*
794 * API tag for elements of the ASIdentifer SEQUENCE.
795 */
796#define V3_ASID_ASNUM 0
797#define V3_ASID_RDI 1
798
799/*
800 * AFI values, assigned by IANA. It'd be nice to make the AFI
801 * handling code totally generic, but there are too many little things
802 * that would need to be defined for other address families for it to
803 * be worth the trouble.
804 */
805#define IANA_AFI_IPV4 1
806#define IANA_AFI_IPV6 2
807
808/*
809 * Utilities to construct and extract values from RFC3779 extensions,
810 * since some of the encodings (particularly for IP address prefixes
811 * and ranges) are a bit tedious to work with directly.
812 */
813int v3_asid_add_inherit(ASIdentifiers *asid, int which);
814int v3_asid_add_id_or_range(ASIdentifiers *asid, int which,
815 ASN1_INTEGER *min, ASN1_INTEGER *max);
816int v3_addr_add_inherit(IPAddrBlocks *addr,
817 const unsigned afi, const unsigned *safi);
818int v3_addr_add_prefix(IPAddrBlocks *addr,
819 const unsigned afi, const unsigned *safi,
820 unsigned char *a, const int prefixlen);
821int v3_addr_add_range(IPAddrBlocks *addr,
822 const unsigned afi, const unsigned *safi,
823 unsigned char *min, unsigned char *max);
824unsigned v3_addr_get_afi(const IPAddressFamily *f);
825int v3_addr_get_range(IPAddressOrRange *aor, const unsigned afi,
826 unsigned char *min, unsigned char *max,
827 const int length);
828
829/*
830 * Canonical forms.
831 */
832int v3_asid_is_canonical(ASIdentifiers *asid);
833int v3_addr_is_canonical(IPAddrBlocks *addr);
834int v3_asid_canonize(ASIdentifiers *asid);
835int v3_addr_canonize(IPAddrBlocks *addr);
836
837/*
838 * Tests for inheritance and containment.
839 */
840int v3_asid_inherits(ASIdentifiers *asid);
841int v3_addr_inherits(IPAddrBlocks *addr);
842int v3_asid_subset(ASIdentifiers *a, ASIdentifiers *b);
843int v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b);
844
845/*
846 * Check whether RFC 3779 extensions nest properly in chains.
847 */
848int v3_asid_validate_path(X509_STORE_CTX *);
849int v3_addr_validate_path(X509_STORE_CTX *);
850int v3_asid_validate_resource_set(STACK_OF(X509) *chain,
851 ASIdentifiers *ext,
852 int allow_inheritance);
853int v3_addr_validate_resource_set(STACK_OF(X509) *chain,
854 IPAddrBlocks *ext,
855 int allow_inheritance);
856
857#endif /* OPENSSL_NO_RFC3779 */
858
859/* BEGIN ERROR CODES */
860/* The following lines are auto generated by the script mkerr.pl. Any changes
861 * made after this point may be overwritten when the script is next run.
862 */
863void ERR_load_X509V3_strings(void);
864
865/* Error codes for the X509V3 functions. */
866
867/* Function codes. */
868#define X509V3_F_A2I_GENERAL_NAME 164
869#define X509V3_F_ASIDENTIFIERCHOICE_CANONIZE 161
870#define X509V3_F_ASIDENTIFIERCHOICE_IS_CANONICAL 162
871#define X509V3_F_COPY_EMAIL 122
872#define X509V3_F_COPY_ISSUER 123
873#define X509V3_F_DO_DIRNAME 144
874#define X509V3_F_DO_EXT_CONF 124
875#define X509V3_F_DO_EXT_I2D 135
876#define X509V3_F_DO_EXT_NCONF 151
877#define X509V3_F_DO_I2V_NAME_CONSTRAINTS 148
878#define X509V3_F_GNAMES_FROM_SECTNAME 156
879#define X509V3_F_HEX_TO_STRING 111
880#define X509V3_F_I2S_ASN1_ENUMERATED 121
881#define X509V3_F_I2S_ASN1_IA5STRING 149
882#define X509V3_F_I2S_ASN1_INTEGER 120
883#define X509V3_F_I2V_AUTHORITY_INFO_ACCESS 138
884#define X509V3_F_NOTICE_SECTION 132
885#define X509V3_F_NREF_NOS 133
886#define X509V3_F_POLICY_SECTION 131
887#define X509V3_F_PROCESS_PCI_VALUE 150
888#define X509V3_F_R2I_CERTPOL 130
889#define X509V3_F_R2I_PCI 155
890#define X509V3_F_S2I_ASN1_IA5STRING 100
891#define X509V3_F_S2I_ASN1_INTEGER 108
892#define X509V3_F_S2I_ASN1_OCTET_STRING 112
893#define X509V3_F_S2I_ASN1_SKEY_ID 114
894#define X509V3_F_S2I_SKEY_ID 115
895#define X509V3_F_SET_DIST_POINT_NAME 158
896#define X509V3_F_STRING_TO_HEX 113
897#define X509V3_F_SXNET_ADD_ID_ASC 125
898#define X509V3_F_SXNET_ADD_ID_INTEGER 126
899#define X509V3_F_SXNET_ADD_ID_ULONG 127
900#define X509V3_F_SXNET_GET_ID_ASC 128
901#define X509V3_F_SXNET_GET_ID_ULONG 129
902#define X509V3_F_V2I_ASIDENTIFIERS 163
903#define X509V3_F_V2I_ASN1_BIT_STRING 101
904#define X509V3_F_V2I_AUTHORITY_INFO_ACCESS 139
905#define X509V3_F_V2I_AUTHORITY_KEYID 119
906#define X509V3_F_V2I_BASIC_CONSTRAINTS 102
907#define X509V3_F_V2I_CRLD 134
908#define X509V3_F_V2I_EXTENDED_KEY_USAGE 103
909#define X509V3_F_V2I_GENERAL_NAMES 118
910#define X509V3_F_V2I_GENERAL_NAME_EX 117
911#define X509V3_F_V2I_IDP 157
912#define X509V3_F_V2I_IPADDRBLOCKS 159
913#define X509V3_F_V2I_ISSUER_ALT 153
914#define X509V3_F_V2I_NAME_CONSTRAINTS 147
915#define X509V3_F_V2I_POLICY_CONSTRAINTS 146
916#define X509V3_F_V2I_POLICY_MAPPINGS 145
917#define X509V3_F_V2I_SUBJECT_ALT 154
918#define X509V3_F_V3_ADDR_VALIDATE_PATH_INTERNAL 160
919#define X509V3_F_V3_GENERIC_EXTENSION 116
920#define X509V3_F_X509V3_ADD1_I2D 140
921#define X509V3_F_X509V3_ADD_VALUE 105
922#define X509V3_F_X509V3_EXT_ADD 104
923#define X509V3_F_X509V3_EXT_ADD_ALIAS 106
924#define X509V3_F_X509V3_EXT_CONF 107
925#define X509V3_F_X509V3_EXT_I2D 136
926#define X509V3_F_X509V3_EXT_NCONF 152
927#define X509V3_F_X509V3_GET_SECTION 142
928#define X509V3_F_X509V3_GET_STRING 143
929#define X509V3_F_X509V3_GET_VALUE_BOOL 110
930#define X509V3_F_X509V3_PARSE_LIST 109
931#define X509V3_F_X509_PURPOSE_ADD 137
932#define X509V3_F_X509_PURPOSE_SET 141
933
934/* Reason codes. */
935#define X509V3_R_BAD_IP_ADDRESS 118
936#define X509V3_R_BAD_OBJECT 119
937#define X509V3_R_BN_DEC2BN_ERROR 100
938#define X509V3_R_BN_TO_ASN1_INTEGER_ERROR 101
939#define X509V3_R_DIRNAME_ERROR 149
940#define X509V3_R_DISTPOINT_ALREADY_SET 160
941#define X509V3_R_DUPLICATE_ZONE_ID 133
942#define X509V3_R_ERROR_CONVERTING_ZONE 131
943#define X509V3_R_ERROR_CREATING_EXTENSION 144
944#define X509V3_R_ERROR_IN_EXTENSION 128
945#define X509V3_R_EXPECTED_A_SECTION_NAME 137
946#define X509V3_R_EXTENSION_EXISTS 145
947#define X509V3_R_EXTENSION_NAME_ERROR 115
948#define X509V3_R_EXTENSION_NOT_FOUND 102
949#define X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED 103
950#define X509V3_R_EXTENSION_VALUE_ERROR 116
951#define X509V3_R_ILLEGAL_EMPTY_EXTENSION 151
952#define X509V3_R_ILLEGAL_HEX_DIGIT 113
953#define X509V3_R_INCORRECT_POLICY_SYNTAX_TAG 152
954#define X509V3_R_INVALID_MULTIPLE_RDNS 161
955#define X509V3_R_INVALID_ASNUMBER 162
956#define X509V3_R_INVALID_ASRANGE 163
957#define X509V3_R_INVALID_BOOLEAN_STRING 104
958#define X509V3_R_INVALID_EXTENSION_STRING 105
959#define X509V3_R_INVALID_INHERITANCE 165
960#define X509V3_R_INVALID_IPADDRESS 166
961#define X509V3_R_INVALID_NAME 106
962#define X509V3_R_INVALID_NULL_ARGUMENT 107
963#define X509V3_R_INVALID_NULL_NAME 108
964#define X509V3_R_INVALID_NULL_VALUE 109
965#define X509V3_R_INVALID_NUMBER 140
966#define X509V3_R_INVALID_NUMBERS 141
967#define X509V3_R_INVALID_OBJECT_IDENTIFIER 110
968#define X509V3_R_INVALID_OPTION 138
969#define X509V3_R_INVALID_POLICY_IDENTIFIER 134
970#define X509V3_R_INVALID_PROXY_POLICY_SETTING 153
971#define X509V3_R_INVALID_PURPOSE 146
972#define X509V3_R_INVALID_SAFI 164
973#define X509V3_R_INVALID_SECTION 135
974#define X509V3_R_INVALID_SYNTAX 143
975#define X509V3_R_ISSUER_DECODE_ERROR 126
976#define X509V3_R_MISSING_VALUE 124
977#define X509V3_R_NEED_ORGANIZATION_AND_NUMBERS 142
978#define X509V3_R_NO_CONFIG_DATABASE 136
979#define X509V3_R_NO_ISSUER_CERTIFICATE 121
980#define X509V3_R_NO_ISSUER_DETAILS 127
981#define X509V3_R_NO_POLICY_IDENTIFIER 139
982#define X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED 154
983#define X509V3_R_NO_PUBLIC_KEY 114
984#define X509V3_R_NO_SUBJECT_DETAILS 125
985#define X509V3_R_ODD_NUMBER_OF_DIGITS 112
986#define X509V3_R_OPERATION_NOT_DEFINED 148
987#define X509V3_R_OTHERNAME_ERROR 147
988#define X509V3_R_POLICY_LANGUAGE_ALREADY_DEFINED 155
989#define X509V3_R_POLICY_PATH_LENGTH 156
990#define X509V3_R_POLICY_PATH_LENGTH_ALREADY_DEFINED 157
991#define X509V3_R_POLICY_SYNTAX_NOT_CURRENTLY_SUPPORTED 158
992#define X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY 159
993#define X509V3_R_SECTION_NOT_FOUND 150
994#define X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS 122
995#define X509V3_R_UNABLE_TO_GET_ISSUER_KEYID 123
996#define X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT 111
997#define X509V3_R_UNKNOWN_EXTENSION 129
998#define X509V3_R_UNKNOWN_EXTENSION_NAME 130
999#define X509V3_R_UNKNOWN_OPTION 120
1000#define X509V3_R_UNSUPPORTED_OPTION 117
1001#define X509V3_R_UNSUPPORTED_TYPE 167
1002#define X509V3_R_USER_TOO_LONG 132
1003
1004#ifdef __cplusplus
1005}
1006#endif
1007#endif
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-11-04 03:34:58 +0000