summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/x509v3
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/libcrypto/x509v3')
-rw-r--r--src/lib/libcrypto/x509v3/ext_dat.h13
-rw-r--r--src/lib/libcrypto/x509v3/pcy_cache.c287
-rw-r--r--src/lib/libcrypto/x509v3/pcy_data.c123
-rw-r--r--src/lib/libcrypto/x509v3/pcy_int.h223
-rw-r--r--src/lib/libcrypto/x509v3/pcy_lib.c167
-rw-r--r--src/lib/libcrypto/x509v3/pcy_map.c186
-rw-r--r--src/lib/libcrypto/x509v3/pcy_node.c158
-rw-r--r--src/lib/libcrypto/x509v3/pcy_tree.c692
-rw-r--r--src/lib/libcrypto/x509v3/v3_akey.c190
-rw-r--r--src/lib/libcrypto/x509v3/v3_alt.c289
-rw-r--r--src/lib/libcrypto/x509v3/v3_bcons.c2
-rw-r--r--src/lib/libcrypto/x509v3/v3_bitst.c14
-rw-r--r--src/lib/libcrypto/x509v3/v3_conf.c73
-rw-r--r--src/lib/libcrypto/x509v3/v3_cpols.c24
-rw-r--r--src/lib/libcrypto/x509v3/v3_crld.c2
-rw-r--r--src/lib/libcrypto/x509v3/v3_enum.c2
-rw-r--r--src/lib/libcrypto/x509v3/v3_extku.c8
-rw-r--r--src/lib/libcrypto/x509v3/v3_ia5.c2
-rw-r--r--src/lib/libcrypto/x509v3/v3_info.c17
-rw-r--r--src/lib/libcrypto/x509v3/v3_int.c17
-rw-r--r--src/lib/libcrypto/x509v3/v3_lib.c7
-rw-r--r--src/lib/libcrypto/x509v3/v3_ncons.c220
-rw-r--r--src/lib/libcrypto/x509v3/v3_ocsp.c22
-rw-r--r--src/lib/libcrypto/x509v3/v3_pci.c31
-rw-r--r--src/lib/libcrypto/x509v3/v3_pcons.c136
-rw-r--r--src/lib/libcrypto/x509v3/v3_pku.c2
-rw-r--r--src/lib/libcrypto/x509v3/v3_pmaps.c153
-rw-r--r--src/lib/libcrypto/x509v3/v3_prn.c5
-rw-r--r--src/lib/libcrypto/x509v3/v3_purp.c18
-rw-r--r--src/lib/libcrypto/x509v3/v3_skey.c10
-rw-r--r--src/lib/libcrypto/x509v3/v3_sxnet.c6
-rw-r--r--src/lib/libcrypto/x509v3/v3_utl.c343
-rw-r--r--src/lib/libcrypto/x509v3/v3err.c52
-rw-r--r--src/lib/libcrypto/x509v3/x509v3.h281
34 files changed, 3465 insertions, 310 deletions
diff --git a/src/lib/libcrypto/x509v3/ext_dat.h b/src/lib/libcrypto/x509v3/ext_dat.h
index d8328ac468..5c063ac65d 100644
--- a/src/lib/libcrypto/x509v3/ext_dat.h
+++ b/src/lib/libcrypto/x509v3/ext_dat.h
@@ -65,6 +65,11 @@ extern X509V3_EXT_METHOD v3_delta_crl, v3_cpols, v3_crld;
65extern X509V3_EXT_METHOD v3_ocsp_nonce, v3_ocsp_accresp, v3_ocsp_acutoff; 65extern X509V3_EXT_METHOD v3_ocsp_nonce, v3_ocsp_accresp, v3_ocsp_acutoff;
66extern X509V3_EXT_METHOD v3_ocsp_crlid, v3_ocsp_nocheck, v3_ocsp_serviceloc; 66extern X509V3_EXT_METHOD v3_ocsp_crlid, v3_ocsp_nocheck, v3_ocsp_serviceloc;
67extern X509V3_EXT_METHOD v3_crl_hold, v3_pci; 67extern X509V3_EXT_METHOD v3_crl_hold, v3_pci;
68extern X509V3_EXT_METHOD v3_policy_mappings, v3_policy_constraints;
69extern X509V3_EXT_METHOD v3_name_constraints, v3_inhibit_anyp;
70#ifndef OPENSSL_NO_RFC3779
71extern X509V3_EXT_METHOD v3_addr, v3_asid;
72#endif
68 73
69/* This table will be searched using OBJ_bsearch so it *must* kept in 74/* This table will be searched using OBJ_bsearch so it *must* kept in
70 * order of the ext_nid values. 75 * order of the ext_nid values.
@@ -97,6 +102,10 @@ static X509V3_EXT_METHOD *standard_exts[] = {
97#endif 102#endif
98&v3_sxnet, 103&v3_sxnet,
99&v3_info, 104&v3_info,
105#ifndef OPENSSL_NO_RFC3779
106&v3_addr,
107&v3_asid,
108#endif
100#ifndef OPENSSL_NO_OCSP 109#ifndef OPENSSL_NO_OCSP
101&v3_ocsp_nonce, 110&v3_ocsp_nonce,
102&v3_ocsp_crlid, 111&v3_ocsp_crlid,
@@ -106,10 +115,14 @@ static X509V3_EXT_METHOD *standard_exts[] = {
106&v3_ocsp_serviceloc, 115&v3_ocsp_serviceloc,
107#endif 116#endif
108&v3_sinfo, 117&v3_sinfo,
118&v3_policy_constraints,
109#ifndef OPENSSL_NO_OCSP 119#ifndef OPENSSL_NO_OCSP
110&v3_crl_hold, 120&v3_crl_hold,
111#endif 121#endif
112&v3_pci, 122&v3_pci,
123&v3_name_constraints,
124&v3_policy_mappings,
125&v3_inhibit_anyp
113}; 126};
114 127
115/* Number of standard extensions */ 128/* Number of standard extensions */
diff --git a/src/lib/libcrypto/x509v3/pcy_cache.c b/src/lib/libcrypto/x509v3/pcy_cache.c
new file mode 100644
index 0000000000..c18beb89f5
--- /dev/null
+++ b/src/lib/libcrypto/x509v3/pcy_cache.c
@@ -0,0 +1,287 @@
1/* pcy_cache.c */
2/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
3 * project 2004.
4 */
5/* ====================================================================
6 * Copyright (c) 2004 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include "cryptlib.h"
60#include <openssl/x509.h>
61#include <openssl/x509v3.h>
62
63#include "pcy_int.h"
64
65static int policy_data_cmp(const X509_POLICY_DATA * const *a,
66 const X509_POLICY_DATA * const *b);
67static int policy_cache_set_int(long *out, ASN1_INTEGER *value);
68
69/* Set cache entry according to CertificatePolicies extension.
70 * Note: this destroys the passed CERTIFICATEPOLICIES structure.
71 */
72
73static int policy_cache_create(X509 *x,
74 CERTIFICATEPOLICIES *policies, int crit)
75 {
76 int i;
77 int ret = 0;
78 X509_POLICY_CACHE *cache = x->policy_cache;
79 X509_POLICY_DATA *data = NULL;
80 POLICYINFO *policy;
81 if (sk_POLICYINFO_num(policies) == 0)
82 goto bad_policy;
83 cache->data = sk_X509_POLICY_DATA_new(policy_data_cmp);
84 if (!cache->data)
85 goto bad_policy;
86 for (i = 0; i < sk_POLICYINFO_num(policies); i++)
87 {
88 policy = sk_POLICYINFO_value(policies, i);
89 data = policy_data_new(policy, NULL, crit);
90 if (!data)
91 goto bad_policy;
92 /* Duplicate policy OIDs are illegal: reject if matches
93 * found.
94 */
95 if (OBJ_obj2nid(data->valid_policy) == NID_any_policy)
96 {
97 if (cache->anyPolicy)
98 {
99 ret = -1;
100 goto bad_policy;
101 }
102 cache->anyPolicy = data;
103 }
104 else if (sk_X509_POLICY_DATA_find(cache->data, data) != -1)
105 {
106 ret = -1;
107 goto bad_policy;
108 }
109 else if (!sk_X509_POLICY_DATA_push(cache->data, data))
110 goto bad_policy;
111 data = NULL;
112 }
113 ret = 1;
114 bad_policy:
115 if (ret == -1)
116 x->ex_flags |= EXFLAG_INVALID_POLICY;
117 if (data)
118 policy_data_free(data);
119 sk_POLICYINFO_pop_free(policies, POLICYINFO_free);
120 if (ret <= 0)
121 {
122 sk_X509_POLICY_DATA_pop_free(cache->data, policy_data_free);
123 cache->data = NULL;
124 }
125 return ret;
126 }
127
128
129static int policy_cache_new(X509 *x)
130 {
131 X509_POLICY_CACHE *cache;
132 ASN1_INTEGER *ext_any = NULL;
133 POLICY_CONSTRAINTS *ext_pcons = NULL;
134 CERTIFICATEPOLICIES *ext_cpols = NULL;
135 POLICY_MAPPINGS *ext_pmaps = NULL;
136 int i;
137 cache = OPENSSL_malloc(sizeof(X509_POLICY_CACHE));
138 if (!cache)
139 return 0;
140 cache->anyPolicy = NULL;
141 cache->data = NULL;
142 cache->maps = NULL;
143 cache->any_skip = -1;
144 cache->explicit_skip = -1;
145 cache->map_skip = -1;
146
147 x->policy_cache = cache;
148
149 /* Handle requireExplicitPolicy *first*. Need to process this
150 * even if we don't have any policies.
151 */
152 ext_pcons = X509_get_ext_d2i(x, NID_policy_constraints, &i, NULL);
153
154 if (!ext_pcons)
155 {
156 if (i != -1)
157 goto bad_cache;
158 }
159 else
160 {
161 if (!ext_pcons->requireExplicitPolicy
162 && !ext_pcons->inhibitPolicyMapping)
163 goto bad_cache;
164 if (!policy_cache_set_int(&cache->explicit_skip,
165 ext_pcons->requireExplicitPolicy))
166 goto bad_cache;
167 if (!policy_cache_set_int(&cache->map_skip,
168 ext_pcons->inhibitPolicyMapping))
169 goto bad_cache;
170 }
171
172 /* Process CertificatePolicies */
173
174 ext_cpols = X509_get_ext_d2i(x, NID_certificate_policies, &i, NULL);
175 /* If no CertificatePolicies extension or problem decoding then
176 * there is no point continuing because the valid policies will be
177 * NULL.
178 */
179 if (!ext_cpols)
180 {
181 /* If not absent some problem with extension */
182 if (i != -1)
183 goto bad_cache;
184 return 1;
185 }
186
187 i = policy_cache_create(x, ext_cpols, i);
188
189 /* NB: ext_cpols freed by policy_cache_set_policies */
190
191 if (i <= 0)
192 return i;
193
194 ext_pmaps = X509_get_ext_d2i(x, NID_policy_mappings, &i, NULL);
195
196 if (!ext_pmaps)
197 {
198 /* If not absent some problem with extension */
199 if (i != -1)
200 goto bad_cache;
201 }
202 else
203 {
204 i = policy_cache_set_mapping(x, ext_pmaps);
205 if (i <= 0)
206 goto bad_cache;
207 }
208
209 ext_any = X509_get_ext_d2i(x, NID_inhibit_any_policy, &i, NULL);
210
211 if (!ext_any)
212 {
213 if (i != -1)
214 goto bad_cache;
215 }
216 else if (!policy_cache_set_int(&cache->any_skip, ext_any))
217 goto bad_cache;
218
219 if (0)
220 {
221 bad_cache:
222 x->ex_flags |= EXFLAG_INVALID_POLICY;
223 }
224
225 if(ext_pcons)
226 POLICY_CONSTRAINTS_free(ext_pcons);
227
228 if (ext_any)
229 ASN1_INTEGER_free(ext_any);
230
231 return 1;
232
233
234}
235
236void policy_cache_free(X509_POLICY_CACHE *cache)
237 {
238 if (!cache)
239 return;
240 if (cache->anyPolicy)
241 policy_data_free(cache->anyPolicy);
242 if (cache->data)
243 sk_X509_POLICY_DATA_pop_free(cache->data, policy_data_free);
244 OPENSSL_free(cache);
245 }
246
247const X509_POLICY_CACHE *policy_cache_set(X509 *x)
248 {
249
250 if (x->policy_cache == NULL)
251 {
252 CRYPTO_w_lock(CRYPTO_LOCK_X509);
253 policy_cache_new(x);
254 CRYPTO_w_unlock(CRYPTO_LOCK_X509);
255 }
256
257 return x->policy_cache;
258
259 }
260
261X509_POLICY_DATA *policy_cache_find_data(const X509_POLICY_CACHE *cache,
262 const ASN1_OBJECT *id)
263 {
264 int idx;
265 X509_POLICY_DATA tmp;
266 tmp.valid_policy = (ASN1_OBJECT *)id;
267 idx = sk_X509_POLICY_DATA_find(cache->data, &tmp);
268 if (idx == -1)
269 return NULL;
270 return sk_X509_POLICY_DATA_value(cache->data, idx);
271 }
272
273static int policy_data_cmp(const X509_POLICY_DATA * const *a,
274 const X509_POLICY_DATA * const *b)
275 {
276 return OBJ_cmp((*a)->valid_policy, (*b)->valid_policy);
277 }
278
279static int policy_cache_set_int(long *out, ASN1_INTEGER *value)
280 {
281 if (value == NULL)
282 return 1;
283 if (value->type == V_ASN1_NEG_INTEGER)
284 return 0;
285 *out = ASN1_INTEGER_get(value);
286 return 1;
287 }
diff --git a/src/lib/libcrypto/x509v3/pcy_data.c b/src/lib/libcrypto/x509v3/pcy_data.c
new file mode 100644
index 0000000000..614d2b4935
--- /dev/null
+++ b/src/lib/libcrypto/x509v3/pcy_data.c
@@ -0,0 +1,123 @@
1/* pcy_data.c */
2/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
3 * project 2004.
4 */
5/* ====================================================================
6 * Copyright (c) 2004 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include "cryptlib.h"
60#include <openssl/x509.h>
61#include <openssl/x509v3.h>
62
63#include "pcy_int.h"
64
65/* Policy Node routines */
66
67void policy_data_free(X509_POLICY_DATA *data)
68 {
69 ASN1_OBJECT_free(data->valid_policy);
70 /* Don't free qualifiers if shared */
71 if (!(data->flags & POLICY_DATA_FLAG_SHARED_QUALIFIERS))
72 sk_POLICYQUALINFO_pop_free(data->qualifier_set,
73 POLICYQUALINFO_free);
74 sk_ASN1_OBJECT_pop_free(data->expected_policy_set, ASN1_OBJECT_free);
75 OPENSSL_free(data);
76 }
77
78/* Create a data based on an existing policy. If 'id' is NULL use the
79 * oid in the policy, otherwise use 'id'. This behaviour covers the two
80 * types of data in RFC3280: data with from a CertificatePolcies extension
81 * and additional data with just the qualifiers of anyPolicy and ID from
82 * another source.
83 */
84
85X509_POLICY_DATA *policy_data_new(POLICYINFO *policy, ASN1_OBJECT *id, int crit)
86 {
87 X509_POLICY_DATA *ret;
88 if (!policy && !id)
89 return NULL;
90 ret = OPENSSL_malloc(sizeof(X509_POLICY_DATA));
91 if (!ret)
92 return NULL;
93 ret->expected_policy_set = sk_ASN1_OBJECT_new_null();
94 if (!ret->expected_policy_set)
95 {
96 OPENSSL_free(ret);
97 return NULL;
98 }
99
100 if (crit)
101 ret->flags = POLICY_DATA_FLAG_CRITICAL;
102 else
103 ret->flags = 0;
104
105 if (id)
106 ret->valid_policy = id;
107 else
108 {
109 ret->valid_policy = policy->policyid;
110 policy->policyid = NULL;
111 }
112
113 if (policy)
114 {
115 ret->qualifier_set = policy->qualifiers;
116 policy->qualifiers = NULL;
117 }
118 else
119 ret->qualifier_set = NULL;
120
121 return ret;
122 }
123
diff --git a/src/lib/libcrypto/x509v3/pcy_int.h b/src/lib/libcrypto/x509v3/pcy_int.h
new file mode 100644
index 0000000000..ba62a209da
--- /dev/null
+++ b/src/lib/libcrypto/x509v3/pcy_int.h
@@ -0,0 +1,223 @@
1/* pcy_int.h */
2/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
3 * project 2004.
4 */
5/* ====================================================================
6 * Copyright (c) 2004 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59DECLARE_STACK_OF(X509_POLICY_DATA)
60DECLARE_STACK_OF(X509_POLICY_REF)
61DECLARE_STACK_OF(X509_POLICY_NODE)
62
63typedef struct X509_POLICY_DATA_st X509_POLICY_DATA;
64typedef struct X509_POLICY_REF_st X509_POLICY_REF;
65
66/* Internal structures */
67
68/* This structure and the field names correspond to the Policy 'node' of
69 * RFC3280. NB this structure contains no pointers to parent or child
70 * data: X509_POLICY_NODE contains that. This means that the main policy data
71 * can be kept static and cached with the certificate.
72 */
73
74struct X509_POLICY_DATA_st
75 {
76 unsigned int flags;
77 /* Policy OID and qualifiers for this data */
78 ASN1_OBJECT *valid_policy;
79 STACK_OF(POLICYQUALINFO) *qualifier_set;
80 STACK_OF(ASN1_OBJECT) *expected_policy_set;
81 };
82
83/* X509_POLICY_DATA flags values */
84
85/* This flag indicates the structure has been mapped using a policy mapping
86 * extension. If policy mapping is not active its references get deleted.
87 */
88
89#define POLICY_DATA_FLAG_MAPPED 0x1
90
91/* This flag indicates the data doesn't correspond to a policy in Certificate
92 * Policies: it has been mapped to any policy.
93 */
94
95#define POLICY_DATA_FLAG_MAPPED_ANY 0x2
96
97/* AND with flags to see if any mapping has occurred */
98
99#define POLICY_DATA_FLAG_MAP_MASK 0x3
100
101/* qualifiers are shared and shouldn't be freed */
102
103#define POLICY_DATA_FLAG_SHARED_QUALIFIERS 0x4
104
105/* Parent node is an extra node and should be freed */
106
107#define POLICY_DATA_FLAG_EXTRA_NODE 0x8
108
109/* Corresponding CertificatePolicies is critical */
110
111#define POLICY_DATA_FLAG_CRITICAL 0x10
112
113/* This structure is an entry from a table of mapped policies which
114 * cross reference the policy it refers to.
115 */
116
117struct X509_POLICY_REF_st
118 {
119 ASN1_OBJECT *subjectDomainPolicy;
120 const X509_POLICY_DATA *data;
121 };
122
123/* This structure is cached with a certificate */
124
125struct X509_POLICY_CACHE_st {
126 /* anyPolicy data or NULL if no anyPolicy */
127 X509_POLICY_DATA *anyPolicy;
128 /* other policy data */
129 STACK_OF(X509_POLICY_DATA) *data;
130 /* If policyMappings extension present a table of mapped policies */
131 STACK_OF(X509_POLICY_REF) *maps;
132 /* If InhibitAnyPolicy present this is its value or -1 if absent. */
133 long any_skip;
134 /* If policyConstraints and requireExplicitPolicy present this is its
135 * value or -1 if absent.
136 */
137 long explicit_skip;
138 /* If policyConstraints and policyMapping present this is its
139 * value or -1 if absent.
140 */
141 long map_skip;
142 };
143
144/*#define POLICY_CACHE_FLAG_CRITICAL POLICY_DATA_FLAG_CRITICAL*/
145
146/* This structure represents the relationship between nodes */
147
148struct X509_POLICY_NODE_st
149 {
150 /* node data this refers to */
151 const X509_POLICY_DATA *data;
152 /* Parent node */
153 X509_POLICY_NODE *parent;
154 /* Number of child nodes */
155 int nchild;
156 };
157
158struct X509_POLICY_LEVEL_st
159 {
160 /* Cert for this level */
161 X509 *cert;
162 /* nodes at this level */
163 STACK_OF(X509_POLICY_NODE) *nodes;
164 /* anyPolicy node */
165 X509_POLICY_NODE *anyPolicy;
166 /* Extra data */
167 /*STACK_OF(X509_POLICY_DATA) *extra_data;*/
168 unsigned int flags;
169 };
170
171struct X509_POLICY_TREE_st
172 {
173 /* This is the tree 'level' data */
174 X509_POLICY_LEVEL *levels;
175 int nlevel;
176 /* Extra policy data when additional nodes (not from the certificate)
177 * are required.
178 */
179 STACK_OF(X509_POLICY_DATA) *extra_data;
180 /* This is the authority constained policy set */
181 STACK_OF(X509_POLICY_NODE) *auth_policies;
182 STACK_OF(X509_POLICY_NODE) *user_policies;
183 unsigned int flags;
184 };
185
186/* Set if anyPolicy present in user policies */
187#define POLICY_FLAG_ANY_POLICY 0x2
188
189/* Useful macros */
190
191#define node_data_critical(data) (data->flags & POLICY_DATA_FLAG_CRITICAL)
192#define node_critical(node) node_data_critical(node->data)
193
194/* Internal functions */
195
196X509_POLICY_DATA *policy_data_new(POLICYINFO *policy, ASN1_OBJECT *id,
197 int crit);
198void policy_data_free(X509_POLICY_DATA *data);
199
200X509_POLICY_DATA *policy_cache_find_data(const X509_POLICY_CACHE *cache,
201 const ASN1_OBJECT *id);
202int policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps);
203
204
205STACK_OF(X509_POLICY_NODE) *policy_node_cmp_new(void);
206
207void policy_cache_init(void);
208
209void policy_cache_free(X509_POLICY_CACHE *cache);
210
211X509_POLICY_NODE *level_find_node(const X509_POLICY_LEVEL *level,
212 const ASN1_OBJECT *id);
213
214X509_POLICY_NODE *tree_find_sk(STACK_OF(X509_POLICY_NODE) *sk,
215 const ASN1_OBJECT *id);
216
217X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
218 X509_POLICY_DATA *data,
219 X509_POLICY_NODE *parent,
220 X509_POLICY_TREE *tree);
221void policy_node_free(X509_POLICY_NODE *node);
222
223const X509_POLICY_CACHE *policy_cache_set(X509 *x);
diff --git a/src/lib/libcrypto/x509v3/pcy_lib.c b/src/lib/libcrypto/x509v3/pcy_lib.c
new file mode 100644
index 0000000000..dae4840bc5
--- /dev/null
+++ b/src/lib/libcrypto/x509v3/pcy_lib.c
@@ -0,0 +1,167 @@
1/* pcy_lib.c */
2/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
3 * project 2004.
4 */
5/* ====================================================================
6 * Copyright (c) 2004 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59
60#include "cryptlib.h"
61#include <openssl/x509.h>
62#include <openssl/x509v3.h>
63
64#include "pcy_int.h"
65
66/* accessor functions */
67
68/* X509_POLICY_TREE stuff */
69
70int X509_policy_tree_level_count(const X509_POLICY_TREE *tree)
71 {
72 if (!tree)
73 return 0;
74 return tree->nlevel;
75 }
76
77X509_POLICY_LEVEL *
78 X509_policy_tree_get0_level(const X509_POLICY_TREE *tree, int i)
79 {
80 if (!tree || (i < 0) || (i >= tree->nlevel))
81 return NULL;
82 return tree->levels + i;
83 }
84
85STACK_OF(X509_POLICY_NODE) *
86 X509_policy_tree_get0_policies(const X509_POLICY_TREE *tree)
87 {
88 if (!tree)
89 return NULL;
90 return tree->auth_policies;
91 }
92
93STACK_OF(X509_POLICY_NODE) *
94 X509_policy_tree_get0_user_policies(const X509_POLICY_TREE *tree)
95 {
96 if (!tree)
97 return NULL;
98 if (tree->flags & POLICY_FLAG_ANY_POLICY)
99 return tree->auth_policies;
100 else
101 return tree->user_policies;
102 }
103
104/* X509_POLICY_LEVEL stuff */
105
106int X509_policy_level_node_count(X509_POLICY_LEVEL *level)
107 {
108 int n;
109 if (!level)
110 return 0;
111 if (level->anyPolicy)
112 n = 1;
113 else
114 n = 0;
115 if (level->nodes)
116 n += sk_X509_POLICY_NODE_num(level->nodes);
117 return n;
118 }
119
120X509_POLICY_NODE *X509_policy_level_get0_node(X509_POLICY_LEVEL *level, int i)
121 {
122 if (!level)
123 return NULL;
124 if (level->anyPolicy)
125 {
126 if (i == 0)
127 return level->anyPolicy;
128 i--;
129 }
130 return sk_X509_POLICY_NODE_value(level->nodes, i);
131 }
132
133/* X509_POLICY_NODE stuff */
134
135const ASN1_OBJECT *X509_policy_node_get0_policy(const X509_POLICY_NODE *node)
136 {
137 if (!node)
138 return NULL;
139 return node->data->valid_policy;
140 }
141
142#if 0
143int X509_policy_node_get_critical(const X509_POLICY_NODE *node)
144 {
145 if (node_critical(node))
146 return 1;
147 return 0;
148 }
149#endif
150
151STACK_OF(POLICYQUALINFO) *
152 X509_policy_node_get0_qualifiers(const X509_POLICY_NODE *node)
153 {
154 if (!node)
155 return NULL;
156 return node->data->qualifier_set;
157 }
158
159const X509_POLICY_NODE *
160 X509_policy_node_get0_parent(const X509_POLICY_NODE *node)
161 {
162 if (!node)
163 return NULL;
164 return node->parent;
165 }
166
167
diff --git a/src/lib/libcrypto/x509v3/pcy_map.c b/src/lib/libcrypto/x509v3/pcy_map.c
new file mode 100644
index 0000000000..35221e8ba8
--- /dev/null
+++ b/src/lib/libcrypto/x509v3/pcy_map.c
@@ -0,0 +1,186 @@
1/* pcy_map.c */
2/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
3 * project 2004.
4 */
5/* ====================================================================
6 * Copyright (c) 2004 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include "cryptlib.h"
60#include <openssl/x509.h>
61#include <openssl/x509v3.h>
62
63#include "pcy_int.h"
64
65static int ref_cmp(const X509_POLICY_REF * const *a,
66 const X509_POLICY_REF * const *b)
67 {
68 return OBJ_cmp((*a)->subjectDomainPolicy, (*b)->subjectDomainPolicy);
69 }
70
71static void policy_map_free(X509_POLICY_REF *map)
72 {
73 if (map->subjectDomainPolicy)
74 ASN1_OBJECT_free(map->subjectDomainPolicy);
75 OPENSSL_free(map);
76 }
77
78static X509_POLICY_REF *policy_map_find(X509_POLICY_CACHE *cache, ASN1_OBJECT *id)
79 {
80 X509_POLICY_REF tmp;
81 int idx;
82 tmp.subjectDomainPolicy = id;
83
84 idx = sk_X509_POLICY_REF_find(cache->maps, &tmp);
85 if (idx == -1)
86 return NULL;
87 return sk_X509_POLICY_REF_value(cache->maps, idx);
88 }
89
90/* Set policy mapping entries in cache.
91 * Note: this modifies the passed POLICY_MAPPINGS structure
92 */
93
94int policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps)
95 {
96 POLICY_MAPPING *map;
97 X509_POLICY_REF *ref = NULL;
98 X509_POLICY_DATA *data;
99 X509_POLICY_CACHE *cache = x->policy_cache;
100 int i;
101 int ret = 0;
102 if (sk_POLICY_MAPPING_num(maps) == 0)
103 {
104 ret = -1;
105 goto bad_mapping;
106 }
107 cache->maps = sk_X509_POLICY_REF_new(ref_cmp);
108 for (i = 0; i < sk_POLICY_MAPPING_num(maps); i++)
109 {
110 map = sk_POLICY_MAPPING_value(maps, i);
111 /* Reject if map to or from anyPolicy */
112 if ((OBJ_obj2nid(map->subjectDomainPolicy) == NID_any_policy)
113 || (OBJ_obj2nid(map->issuerDomainPolicy) == NID_any_policy))
114 {
115 ret = -1;
116 goto bad_mapping;
117 }
118
119 /* If we've already mapped from this OID bad mapping */
120 if (policy_map_find(cache, map->subjectDomainPolicy) != NULL)
121 {
122 ret = -1;
123 goto bad_mapping;
124 }
125
126 /* Attempt to find matching policy data */
127 data = policy_cache_find_data(cache, map->issuerDomainPolicy);
128 /* If we don't have anyPolicy can't map */
129 if (!data && !cache->anyPolicy)
130 continue;
131
132 /* Create a NODE from anyPolicy */
133 if (!data)
134 {
135 data = policy_data_new(NULL, map->issuerDomainPolicy,
136 cache->anyPolicy->flags
137 & POLICY_DATA_FLAG_CRITICAL);
138 if (!data)
139 goto bad_mapping;
140 data->qualifier_set = cache->anyPolicy->qualifier_set;
141 map->issuerDomainPolicy = NULL;
142 data->flags |= POLICY_DATA_FLAG_MAPPED_ANY;
143 data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
144 if (!sk_X509_POLICY_DATA_push(cache->data, data))
145 {
146 policy_data_free(data);
147 goto bad_mapping;
148 }
149 }
150 else
151 data->flags |= POLICY_DATA_FLAG_MAPPED;
152
153 if (!sk_ASN1_OBJECT_push(data->expected_policy_set,
154 map->subjectDomainPolicy))
155 goto bad_mapping;
156
157 ref = OPENSSL_malloc(sizeof(X509_POLICY_REF));
158 if (!ref)
159 goto bad_mapping;
160
161 ref->subjectDomainPolicy = map->subjectDomainPolicy;
162 map->subjectDomainPolicy = NULL;
163 ref->data = data;
164
165 if (!sk_X509_POLICY_REF_push(cache->maps, ref))
166 goto bad_mapping;
167
168 ref = NULL;
169
170 }
171
172 ret = 1;
173 bad_mapping:
174 if (ret == -1)
175 x->ex_flags |= EXFLAG_INVALID_POLICY;
176 if (ref)
177 policy_map_free(ref);
178 if (ret <= 0)
179 {
180 sk_X509_POLICY_REF_pop_free(cache->maps, policy_map_free);
181 cache->maps = NULL;
182 }
183 sk_POLICY_MAPPING_pop_free(maps, POLICY_MAPPING_free);
184 return ret;
185
186 }
diff --git a/src/lib/libcrypto/x509v3/pcy_node.c b/src/lib/libcrypto/x509v3/pcy_node.c
new file mode 100644
index 0000000000..dcc1554e29
--- /dev/null
+++ b/src/lib/libcrypto/x509v3/pcy_node.c
@@ -0,0 +1,158 @@
1/* pcy_node.c */
2/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
3 * project 2004.
4 */
5/* ====================================================================
6 * Copyright (c) 2004 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <openssl/asn1.h>
60#include <openssl/x509.h>
61#include <openssl/x509v3.h>
62
63#include "pcy_int.h"
64
65static int node_cmp(const X509_POLICY_NODE * const *a,
66 const X509_POLICY_NODE * const *b)
67 {
68 return OBJ_cmp((*a)->data->valid_policy, (*b)->data->valid_policy);
69 }
70
71STACK_OF(X509_POLICY_NODE) *policy_node_cmp_new(void)
72 {
73 return sk_X509_POLICY_NODE_new(node_cmp);
74 }
75
76X509_POLICY_NODE *tree_find_sk(STACK_OF(X509_POLICY_NODE) *nodes,
77 const ASN1_OBJECT *id)
78 {
79 X509_POLICY_DATA n;
80 X509_POLICY_NODE l;
81 int idx;
82
83 n.valid_policy = (ASN1_OBJECT *)id;
84 l.data = &n;
85
86 idx = sk_X509_POLICY_NODE_find(nodes, &l);
87 if (idx == -1)
88 return NULL;
89
90 return sk_X509_POLICY_NODE_value(nodes, idx);
91
92 }
93
94X509_POLICY_NODE *level_find_node(const X509_POLICY_LEVEL *level,
95 const ASN1_OBJECT *id)
96 {
97 return tree_find_sk(level->nodes, id);
98 }
99
100X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
101 X509_POLICY_DATA *data,
102 X509_POLICY_NODE *parent,
103 X509_POLICY_TREE *tree)
104 {
105 X509_POLICY_NODE *node;
106 node = OPENSSL_malloc(sizeof(X509_POLICY_NODE));
107 if (!node)
108 return NULL;
109 node->data = data;
110 node->parent = parent;
111 node->nchild = 0;
112 if (level)
113 {
114 if (OBJ_obj2nid(data->valid_policy) == NID_any_policy)
115 {
116 if (level->anyPolicy)
117 goto node_error;
118 level->anyPolicy = node;
119 }
120 else
121 {
122
123 if (!level->nodes)
124 level->nodes = policy_node_cmp_new();
125 if (!level->nodes)
126 goto node_error;
127 if (!sk_X509_POLICY_NODE_push(level->nodes, node))
128 goto node_error;
129 }
130 }
131
132 if (tree)
133 {
134 if (!tree->extra_data)
135 tree->extra_data = sk_X509_POLICY_DATA_new_null();
136 if (!tree->extra_data)
137 goto node_error;
138 if (!sk_X509_POLICY_DATA_push(tree->extra_data, data))
139 goto node_error;
140 }
141
142 if (parent)
143 parent->nchild++;
144
145 return node;
146
147 node_error:
148 policy_node_free(node);
149 return 0;
150
151 }
152
153void policy_node_free(X509_POLICY_NODE *node)
154 {
155 OPENSSL_free(node);
156 }
157
158
diff --git a/src/lib/libcrypto/x509v3/pcy_tree.c b/src/lib/libcrypto/x509v3/pcy_tree.c
new file mode 100644
index 0000000000..4fda1d419a
--- /dev/null
+++ b/src/lib/libcrypto/x509v3/pcy_tree.c
@@ -0,0 +1,692 @@
1/* pcy_tree.c */
2/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
3 * project 2004.
4 */
5/* ====================================================================
6 * Copyright (c) 2004 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include "cryptlib.h"
60#include <openssl/x509.h>
61#include <openssl/x509v3.h>
62
63#include "pcy_int.h"
64
65/* Initialize policy tree. Return values:
66 * 0 Some internal error occured.
67 * -1 Inconsistent or invalid extensions in certificates.
68 * 1 Tree initialized OK.
69 * 2 Policy tree is empty.
70 * 5 Tree OK and requireExplicitPolicy true.
71 * 6 Tree empty and requireExplicitPolicy true.
72 */
73
74static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
75 unsigned int flags)
76 {
77 X509_POLICY_TREE *tree;
78 X509_POLICY_LEVEL *level;
79 const X509_POLICY_CACHE *cache;
80 X509_POLICY_DATA *data = NULL;
81 X509 *x;
82 int ret = 1;
83 int i, n;
84 int explicit_policy;
85 int any_skip;
86 int map_skip;
87 *ptree = NULL;
88 n = sk_X509_num(certs);
89
90 /* Disable policy mapping for now... */
91 flags |= X509_V_FLAG_INHIBIT_MAP;
92
93 if (flags & X509_V_FLAG_EXPLICIT_POLICY)
94 explicit_policy = 0;
95 else
96 explicit_policy = n + 1;
97
98 if (flags & X509_V_FLAG_INHIBIT_ANY)
99 any_skip = 0;
100 else
101 any_skip = n + 1;
102
103 if (flags & X509_V_FLAG_INHIBIT_MAP)
104 map_skip = 0;
105 else
106 map_skip = n + 1;
107
108 /* Can't do anything with just a trust anchor */
109 if (n == 1)
110 return 1;
111 /* First setup policy cache in all certificates apart from the
112 * trust anchor. Note any bad cache results on the way. Also can
113 * calculate explicit_policy value at this point.
114 */
115 for (i = n - 2; i >= 0; i--)
116 {
117 x = sk_X509_value(certs, i);
118 X509_check_purpose(x, -1, -1);
119 cache = policy_cache_set(x);
120 /* If cache NULL something bad happened: return immediately */
121 if (cache == NULL)
122 return 0;
123 /* If inconsistent extensions keep a note of it but continue */
124 if (x->ex_flags & EXFLAG_INVALID_POLICY)
125 ret = -1;
126 /* Otherwise if we have no data (hence no CertificatePolicies)
127 * and haven't already set an inconsistent code note it.
128 */
129 else if ((ret == 1) && !cache->data)
130 ret = 2;
131 if (explicit_policy > 0)
132 {
133 explicit_policy--;
134 if (!(x->ex_flags & EXFLAG_SS)
135 && (cache->explicit_skip != -1)
136 && (cache->explicit_skip < explicit_policy))
137 explicit_policy = cache->explicit_skip;
138 }
139 }
140
141 if (ret != 1)
142 {
143 if (ret == 2 && !explicit_policy)
144 return 6;
145 return ret;
146 }
147
148
149 /* If we get this far initialize the tree */
150
151 tree = OPENSSL_malloc(sizeof(X509_POLICY_TREE));
152
153 if (!tree)
154 return 0;
155
156 tree->flags = 0;
157 tree->levels = OPENSSL_malloc(sizeof(X509_POLICY_LEVEL) * n);
158 tree->nlevel = 0;
159 tree->extra_data = NULL;
160 tree->auth_policies = NULL;
161 tree->user_policies = NULL;
162
163 if (!tree)
164 {
165 OPENSSL_free(tree);
166 return 0;
167 }
168
169 memset(tree->levels, 0, n * sizeof(X509_POLICY_LEVEL));
170
171 tree->nlevel = n;
172
173 level = tree->levels;
174
175 /* Root data: initialize to anyPolicy */
176
177 data = policy_data_new(NULL, OBJ_nid2obj(NID_any_policy), 0);
178
179 if (!data || !level_add_node(level, data, NULL, tree))
180 goto bad_tree;
181
182 for (i = n - 2; i >= 0; i--)
183 {
184 level++;
185 x = sk_X509_value(certs, i);
186 cache = policy_cache_set(x);
187
188 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
189 level->cert = x;
190
191 if (!cache->anyPolicy)
192 level->flags |= X509_V_FLAG_INHIBIT_ANY;
193
194 /* Determine inhibit any and inhibit map flags */
195 if (any_skip == 0)
196 {
197 /* Any matching allowed if certificate is self
198 * issued and not the last in the chain.
199 */
200 if (!(x->ex_flags & EXFLAG_SS) || (i == 0))
201 level->flags |= X509_V_FLAG_INHIBIT_ANY;
202 }
203 else
204 {
205 any_skip--;
206 if ((cache->any_skip > 0)
207 && (cache->any_skip < any_skip))
208 any_skip = cache->any_skip;
209 }
210
211 if (map_skip == 0)
212 level->flags |= X509_V_FLAG_INHIBIT_MAP;
213 else
214 {
215 map_skip--;
216 if ((cache->map_skip > 0)
217 && (cache->map_skip < map_skip))
218 map_skip = cache->map_skip;
219 }
220
221
222 }
223
224 *ptree = tree;
225
226 if (explicit_policy)
227 return 1;
228 else
229 return 5;
230
231 bad_tree:
232
233 X509_policy_tree_free(tree);
234
235 return 0;
236
237 }
238
239/* This corresponds to RFC3280 XXXX XXXXX:
240 * link any data from CertificatePolicies onto matching parent
241 * or anyPolicy if no match.
242 */
243
244static int tree_link_nodes(X509_POLICY_LEVEL *curr,
245 const X509_POLICY_CACHE *cache)
246 {
247 int i;
248 X509_POLICY_LEVEL *last;
249 X509_POLICY_DATA *data;
250 X509_POLICY_NODE *parent;
251 last = curr - 1;
252 for (i = 0; i < sk_X509_POLICY_DATA_num(cache->data); i++)
253 {
254 data = sk_X509_POLICY_DATA_value(cache->data, i);
255 /* If a node is mapped any it doesn't have a corresponding
256 * CertificatePolicies entry.
257 * However such an identical node would be created
258 * if anyPolicy matching is enabled because there would be
259 * no match with the parent valid_policy_set. So we create
260 * link because then it will have the mapping flags
261 * right and we can prune it later.
262 */
263 if ((data->flags & POLICY_DATA_FLAG_MAPPED_ANY)
264 && !(curr->flags & X509_V_FLAG_INHIBIT_ANY))
265 continue;
266 /* Look for matching node in parent */
267 parent = level_find_node(last, data->valid_policy);
268 /* If no match link to anyPolicy */
269 if (!parent)
270 parent = last->anyPolicy;
271 if (parent && !level_add_node(curr, data, parent, NULL))
272 return 0;
273 }
274 return 1;
275 }
276
277/* This corresponds to RFC3280 XXXX XXXXX:
278 * Create new data for any unmatched policies in the parent and link
279 * to anyPolicy.
280 */
281
282static int tree_link_any(X509_POLICY_LEVEL *curr,
283 const X509_POLICY_CACHE *cache,
284 X509_POLICY_TREE *tree)
285 {
286 int i;
287 X509_POLICY_DATA *data;
288 X509_POLICY_NODE *node;
289 X509_POLICY_LEVEL *last;
290
291 last = curr - 1;
292
293 for (i = 0; i < sk_X509_POLICY_NODE_num(last->nodes); i++)
294 {
295 node = sk_X509_POLICY_NODE_value(last->nodes, i);
296
297 /* Skip any node with any children: we only want unmathced
298 * nodes.
299 *
300 * Note: need something better for policy mapping
301 * because each node may have multiple children
302 */
303 if (node->nchild)
304 continue;
305 /* Create a new node with qualifiers from anyPolicy and
306 * id from unmatched node.
307 */
308 data = policy_data_new(NULL, node->data->valid_policy,
309 node_critical(node));
310
311 if (data == NULL)
312 return 0;
313 data->qualifier_set = curr->anyPolicy->data->qualifier_set;
314 data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
315 if (!level_add_node(curr, data, node, tree))
316 {
317 policy_data_free(data);
318 return 0;
319 }
320 }
321 /* Finally add link to anyPolicy */
322 if (last->anyPolicy)
323 {
324 if (!level_add_node(curr, cache->anyPolicy,
325 last->anyPolicy, NULL))
326 return 0;
327 }
328 return 1;
329 }
330
331/* Prune the tree: delete any child mapped child data on the current level
332 * then proceed up the tree deleting any data with no children. If we ever
333 * have no data on a level we can halt because the tree will be empty.
334 */
335
336static int tree_prune(X509_POLICY_TREE *tree, X509_POLICY_LEVEL *curr)
337 {
338 X509_POLICY_NODE *node;
339 int i;
340 for (i = sk_X509_POLICY_NODE_num(curr->nodes) - 1; i >= 0; i--)
341 {
342 node = sk_X509_POLICY_NODE_value(curr->nodes, i);
343 /* Delete any mapped data: see RFC3280 XXXX */
344 if (node->data->flags & POLICY_DATA_FLAG_MAP_MASK)
345 {
346 node->parent->nchild--;
347 OPENSSL_free(node);
348 (void)sk_X509_POLICY_NODE_delete(curr->nodes, i);
349 }
350 }
351
352 for(;;) {
353 --curr;
354 for (i = sk_X509_POLICY_NODE_num(curr->nodes) - 1; i >= 0; i--)
355 {
356 node = sk_X509_POLICY_NODE_value(curr->nodes, i);
357 if (node->nchild == 0)
358 {
359 node->parent->nchild--;
360 OPENSSL_free(node);
361 (void)sk_X509_POLICY_NODE_delete(curr->nodes, i);
362 }
363 }
364 if (curr->anyPolicy && !curr->anyPolicy->nchild)
365 {
366 if (curr->anyPolicy->parent)
367 curr->anyPolicy->parent->nchild--;
368 OPENSSL_free(curr->anyPolicy);
369 curr->anyPolicy = NULL;
370 }
371 if (curr == tree->levels)
372 {
373 /* If we zapped anyPolicy at top then tree is empty */
374 if (!curr->anyPolicy)
375 return 2;
376 return 1;
377 }
378 }
379
380 return 1;
381
382 }
383
384static int tree_add_auth_node(STACK_OF(X509_POLICY_NODE) **pnodes,
385 X509_POLICY_NODE *pcy)
386 {
387 if (!*pnodes)
388 {
389 *pnodes = policy_node_cmp_new();
390 if (!*pnodes)
391 return 0;
392 }
393 else if (sk_X509_POLICY_NODE_find(*pnodes, pcy) != -1)
394 return 1;
395
396 if (!sk_X509_POLICY_NODE_push(*pnodes, pcy))
397 return 0;
398
399 return 1;
400
401 }
402
403/* Calculate the authority set based on policy tree.
404 * The 'pnodes' parameter is used as a store for the set of policy nodes
405 * used to calculate the user set. If the authority set is not anyPolicy
406 * then pnodes will just point to the authority set. If however the authority
407 * set is anyPolicy then the set of valid policies (other than anyPolicy)
408 * is store in pnodes. The return value of '2' is used in this case to indicate
409 * that pnodes should be freed.
410 */
411
412static int tree_calculate_authority_set(X509_POLICY_TREE *tree,
413 STACK_OF(X509_POLICY_NODE) **pnodes)
414 {
415 X509_POLICY_LEVEL *curr;
416 X509_POLICY_NODE *node, *anyptr;
417 STACK_OF(X509_POLICY_NODE) **addnodes;
418 int i, j;
419 curr = tree->levels + tree->nlevel - 1;
420
421 /* If last level contains anyPolicy set is anyPolicy */
422 if (curr->anyPolicy)
423 {
424 if (!tree_add_auth_node(&tree->auth_policies, curr->anyPolicy))
425 return 0;
426 addnodes = pnodes;
427 }
428 else
429 /* Add policies to authority set */
430 addnodes = &tree->auth_policies;
431
432 curr = tree->levels;
433 for (i = 1; i < tree->nlevel; i++)
434 {
435 /* If no anyPolicy node on this this level it can't
436 * appear on lower levels so end search.
437 */
438 if (!(anyptr = curr->anyPolicy))
439 break;
440 curr++;
441 for (j = 0; j < sk_X509_POLICY_NODE_num(curr->nodes); j++)
442 {
443 node = sk_X509_POLICY_NODE_value(curr->nodes, j);
444 if ((node->parent == anyptr)
445 && !tree_add_auth_node(addnodes, node))
446 return 0;
447 }
448 }
449
450 if (addnodes == pnodes)
451 return 2;
452
453 *pnodes = tree->auth_policies;
454
455 return 1;
456 }
457
458static int tree_calculate_user_set(X509_POLICY_TREE *tree,
459 STACK_OF(ASN1_OBJECT) *policy_oids,
460 STACK_OF(X509_POLICY_NODE) *auth_nodes)
461 {
462 int i;
463 X509_POLICY_NODE *node;
464 ASN1_OBJECT *oid;
465
466 X509_POLICY_NODE *anyPolicy;
467 X509_POLICY_DATA *extra;
468
469 /* Check if anyPolicy present in authority constrained policy set:
470 * this will happen if it is a leaf node.
471 */
472
473 if (sk_ASN1_OBJECT_num(policy_oids) <= 0)
474 return 1;
475
476 anyPolicy = tree->levels[tree->nlevel - 1].anyPolicy;
477
478 for (i = 0; i < sk_ASN1_OBJECT_num(policy_oids); i++)
479 {
480 oid = sk_ASN1_OBJECT_value(policy_oids, i);
481 if (OBJ_obj2nid(oid) == NID_any_policy)
482 {
483 tree->flags |= POLICY_FLAG_ANY_POLICY;
484 return 1;
485 }
486 }
487
488 for (i = 0; i < sk_ASN1_OBJECT_num(policy_oids); i++)
489 {
490 oid = sk_ASN1_OBJECT_value(policy_oids, i);
491 node = tree_find_sk(auth_nodes, oid);
492 if (!node)
493 {
494 if (!anyPolicy)
495 continue;
496 /* Create a new node with policy ID from user set
497 * and qualifiers from anyPolicy.
498 */
499 extra = policy_data_new(NULL, oid,
500 node_critical(anyPolicy));
501 if (!extra)
502 return 0;
503 extra->qualifier_set = anyPolicy->data->qualifier_set;
504 extra->flags = POLICY_DATA_FLAG_SHARED_QUALIFIERS
505 | POLICY_DATA_FLAG_EXTRA_NODE;
506 node = level_add_node(NULL, extra, anyPolicy->parent,
507 tree);
508 }
509 if (!tree->user_policies)
510 {
511 tree->user_policies = sk_X509_POLICY_NODE_new_null();
512 if (!tree->user_policies)
513 return 1;
514 }
515 if (!sk_X509_POLICY_NODE_push(tree->user_policies, node))
516 return 0;
517 }
518 return 1;
519
520 }
521
522static int tree_evaluate(X509_POLICY_TREE *tree)
523 {
524 int ret, i;
525 X509_POLICY_LEVEL *curr = tree->levels + 1;
526 const X509_POLICY_CACHE *cache;
527
528 for(i = 1; i < tree->nlevel; i++, curr++)
529 {
530 cache = policy_cache_set(curr->cert);
531 if (!tree_link_nodes(curr, cache))
532 return 0;
533
534 if (!(curr->flags & X509_V_FLAG_INHIBIT_ANY)
535 && !tree_link_any(curr, cache, tree))
536 return 0;
537 ret = tree_prune(tree, curr);
538 if (ret != 1)
539 return ret;
540 }
541
542 return 1;
543
544 }
545
546static void exnode_free(X509_POLICY_NODE *node)
547 {
548 if (node->data && (node->data->flags & POLICY_DATA_FLAG_EXTRA_NODE))
549 OPENSSL_free(node);
550 }
551
552
553void X509_policy_tree_free(X509_POLICY_TREE *tree)
554 {
555 X509_POLICY_LEVEL *curr;
556 int i;
557
558 if (!tree)
559 return;
560
561 sk_X509_POLICY_NODE_free(tree->auth_policies);
562 sk_X509_POLICY_NODE_pop_free(tree->user_policies, exnode_free);
563
564 for(i = 0, curr = tree->levels; i < tree->nlevel; i++, curr++)
565 {
566 if (curr->cert)
567 X509_free(curr->cert);
568 if (curr->nodes)
569 sk_X509_POLICY_NODE_pop_free(curr->nodes,
570 policy_node_free);
571 if (curr->anyPolicy)
572 policy_node_free(curr->anyPolicy);
573 }
574
575 if (tree->extra_data)
576 sk_X509_POLICY_DATA_pop_free(tree->extra_data,
577 policy_data_free);
578
579 OPENSSL_free(tree->levels);
580 OPENSSL_free(tree);
581
582 }
583
584/* Application policy checking function.
585 * Return codes:
586 * 0 Internal Error.
587 * 1 Successful.
588 * -1 One or more certificates contain invalid or inconsistent extensions
589 * -2 User constrained policy set empty and requireExplicit true.
590 */
591
592int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy,
593 STACK_OF(X509) *certs,
594 STACK_OF(ASN1_OBJECT) *policy_oids,
595 unsigned int flags)
596 {
597 int ret;
598 X509_POLICY_TREE *tree = NULL;
599 STACK_OF(X509_POLICY_NODE) *nodes, *auth_nodes = NULL;
600 *ptree = NULL;
601
602 *pexplicit_policy = 0;
603 ret = tree_init(&tree, certs, flags);
604
605
606 switch (ret)
607 {
608
609 /* Tree empty requireExplicit False: OK */
610 case 2:
611 return 1;
612
613 /* Some internal error */
614 case 0:
615 return 0;
616
617 /* Tree empty requireExplicit True: Error */
618
619 case 6:
620 *pexplicit_policy = 1;
621 return -2;
622
623 /* Tree OK requireExplicit True: OK and continue */
624 case 5:
625 *pexplicit_policy = 1;
626 break;
627
628 /* Tree OK: continue */
629
630 case 1:
631 if (!tree)
632 /*
633 * tree_init() returns success and a null tree
634 * if it's just looking at a trust anchor.
635 * I'm not sure that returning success here is
636 * correct, but I'm sure that reporting this
637 * as an internal error which our caller
638 * interprets as a malloc failure is wrong.
639 */
640 return 1;
641 break;
642 }
643
644 if (!tree) goto error;
645 ret = tree_evaluate(tree);
646
647 if (ret <= 0)
648 goto error;
649
650 /* Return value 2 means tree empty */
651 if (ret == 2)
652 {
653 X509_policy_tree_free(tree);
654 if (*pexplicit_policy)
655 return -2;
656 else
657 return 1;
658 }
659
660 /* Tree is not empty: continue */
661
662 ret = tree_calculate_authority_set(tree, &auth_nodes);
663
664 if (!ret)
665 goto error;
666
667 if (!tree_calculate_user_set(tree, policy_oids, auth_nodes))
668 goto error;
669
670 if (ret == 2)
671 sk_X509_POLICY_NODE_free(auth_nodes);
672
673 if (tree)
674 *ptree = tree;
675
676 if (*pexplicit_policy)
677 {
678 nodes = X509_policy_tree_get0_user_policies(tree);
679 if (sk_X509_POLICY_NODE_num(nodes) <= 0)
680 return -2;
681 }
682
683 return 1;
684
685 error:
686
687 X509_policy_tree_free(tree);
688
689 return 0;
690
691 }
692
diff --git a/src/lib/libcrypto/x509v3/v3_akey.c b/src/lib/libcrypto/x509v3/v3_akey.c
index 97e686f97a..ac0548b775 100644
--- a/src/lib/libcrypto/x509v3/v3_akey.c
+++ b/src/lib/libcrypto/x509v3/v3_akey.c
@@ -68,15 +68,17 @@ static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
68static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method, 68static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
69 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values); 69 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values);
70 70
71X509V3_EXT_METHOD v3_akey_id = { 71const X509V3_EXT_METHOD v3_akey_id =
72NID_authority_key_identifier, X509V3_EXT_MULTILINE, ASN1_ITEM_ref(AUTHORITY_KEYID), 72 {
730,0,0,0, 73 NID_authority_key_identifier,
740,0, 74 X509V3_EXT_MULTILINE, ASN1_ITEM_ref(AUTHORITY_KEYID),
75(X509V3_EXT_I2V)i2v_AUTHORITY_KEYID, 75 0,0,0,0,
76(X509V3_EXT_V2I)v2i_AUTHORITY_KEYID, 76 0,0,
770,0, 77 (X509V3_EXT_I2V)i2v_AUTHORITY_KEYID,
78NULL 78 (X509V3_EXT_V2I)v2i_AUTHORITY_KEYID,
79}; 79 0,0,
80 NULL
81 };
80 82
81static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method, 83static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
82 AUTHORITY_KEYID *akeyid, STACK_OF(CONF_VALUE) *extlist) 84 AUTHORITY_KEYID *akeyid, STACK_OF(CONF_VALUE) *extlist)
@@ -108,83 +110,99 @@ static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
108 110
109static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method, 111static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
110 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values) 112 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values)
111{ 113 {
112char keyid=0, issuer=0; 114 char keyid=0, issuer=0;
113int i; 115 int i;
114CONF_VALUE *cnf; 116 CONF_VALUE *cnf;
115ASN1_OCTET_STRING *ikeyid = NULL; 117 ASN1_OCTET_STRING *ikeyid = NULL;
116X509_NAME *isname = NULL; 118 X509_NAME *isname = NULL;
117GENERAL_NAMES * gens = NULL; 119 GENERAL_NAMES * gens = NULL;
118GENERAL_NAME *gen = NULL; 120 GENERAL_NAME *gen = NULL;
119ASN1_INTEGER *serial = NULL; 121 ASN1_INTEGER *serial = NULL;
120X509_EXTENSION *ext; 122 X509_EXTENSION *ext;
121X509 *cert; 123 X509 *cert;
122AUTHORITY_KEYID *akeyid; 124 AUTHORITY_KEYID *akeyid;
123for(i = 0; i < sk_CONF_VALUE_num(values); i++) { 125
124 cnf = sk_CONF_VALUE_value(values, i); 126 for(i = 0; i < sk_CONF_VALUE_num(values); i++)
125 if(!strcmp(cnf->name, "keyid")) { 127 {
126 keyid = 1; 128 cnf = sk_CONF_VALUE_value(values, i);
127 if(cnf->value && !strcmp(cnf->value, "always")) keyid = 2; 129 if(!strcmp(cnf->name, "keyid"))
128 } else if(!strcmp(cnf->name, "issuer")) { 130 {
129 issuer = 1; 131 keyid = 1;
130 if(cnf->value && !strcmp(cnf->value, "always")) issuer = 2; 132 if(cnf->value && !strcmp(cnf->value, "always"))
131 } else { 133 keyid = 2;
132 X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,X509V3_R_UNKNOWN_OPTION); 134 }
133 ERR_add_error_data(2, "name=", cnf->name); 135 else if(!strcmp(cnf->name, "issuer"))
136 {
137 issuer = 1;
138 if(cnf->value && !strcmp(cnf->value, "always"))
139 issuer = 2;
140 }
141 else
142 {
143 X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,X509V3_R_UNKNOWN_OPTION);
144 ERR_add_error_data(2, "name=", cnf->name);
145 return NULL;
146 }
147 }
148
149 if(!ctx || !ctx->issuer_cert)
150 {
151 if(ctx && (ctx->flags==CTX_TEST))
152 return AUTHORITY_KEYID_new();
153 X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,X509V3_R_NO_ISSUER_CERTIFICATE);
134 return NULL; 154 return NULL;
135 } 155 }
136} 156
137 157 cert = ctx->issuer_cert;
138if(!ctx || !ctx->issuer_cert) { 158
139 if(ctx && (ctx->flags==CTX_TEST)) return AUTHORITY_KEYID_new(); 159 if(keyid)
140 X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,X509V3_R_NO_ISSUER_CERTIFICATE); 160 {
161 i = X509_get_ext_by_NID(cert, NID_subject_key_identifier, -1);
162 if((i >= 0) && (ext = X509_get_ext(cert, i)))
163 ikeyid = X509V3_EXT_d2i(ext);
164 if(keyid==2 && !ikeyid)
165 {
166 X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,X509V3_R_UNABLE_TO_GET_ISSUER_KEYID);
167 return NULL;
168 }
169 }
170
171 if((issuer && !ikeyid) || (issuer == 2))
172 {
173 isname = X509_NAME_dup(X509_get_issuer_name(cert));
174 serial = M_ASN1_INTEGER_dup(X509_get_serialNumber(cert));
175 if(!isname || !serial)
176 {
177 X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS);
178 goto err;
179 }
180 }
181
182 if(!(akeyid = AUTHORITY_KEYID_new())) goto err;
183
184 if(isname)
185 {
186 if(!(gens = sk_GENERAL_NAME_new_null())
187 || !(gen = GENERAL_NAME_new())
188 || !sk_GENERAL_NAME_push(gens, gen))
189 {
190 X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,ERR_R_MALLOC_FAILURE);
191 goto err;
192 }
193 gen->type = GEN_DIRNAME;
194 gen->d.dirn = isname;
195 }
196
197 akeyid->issuer = gens;
198 akeyid->serial = serial;
199 akeyid->keyid = ikeyid;
200
201 return akeyid;
202
203 err:
204 X509_NAME_free(isname);
205 M_ASN1_INTEGER_free(serial);
206 M_ASN1_OCTET_STRING_free(ikeyid);
141 return NULL; 207 return NULL;
142}
143
144cert = ctx->issuer_cert;
145
146if(keyid) {
147 i = X509_get_ext_by_NID(cert, NID_subject_key_identifier, -1);
148 if((i >= 0) && (ext = X509_get_ext(cert, i)))
149 ikeyid = X509V3_EXT_d2i(ext);
150 if(keyid==2 && !ikeyid) {
151 X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,X509V3_R_UNABLE_TO_GET_ISSUER_KEYID);
152 return NULL;
153 }
154}
155
156if((issuer && !ikeyid) || (issuer == 2)) {
157 isname = X509_NAME_dup(X509_get_issuer_name(cert));
158 serial = M_ASN1_INTEGER_dup(X509_get_serialNumber(cert));
159 if(!isname || !serial) {
160 X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS);
161 goto err;
162 } 208 }
163}
164
165if(!(akeyid = AUTHORITY_KEYID_new())) goto err;
166
167if(isname) {
168 if(!(gens = sk_GENERAL_NAME_new_null()) || !(gen = GENERAL_NAME_new())
169 || !sk_GENERAL_NAME_push(gens, gen)) {
170 X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,ERR_R_MALLOC_FAILURE);
171 goto err;
172 }
173 gen->type = GEN_DIRNAME;
174 gen->d.dirn = isname;
175}
176
177akeyid->issuer = gens;
178akeyid->serial = serial;
179akeyid->keyid = ikeyid;
180
181return akeyid;
182
183err:
184X509_NAME_free(isname);
185M_ASN1_INTEGER_free(serial);
186M_ASN1_OCTET_STRING_free(ikeyid);
187return NULL;
188
189}
190
diff --git a/src/lib/libcrypto/x509v3/v3_alt.c b/src/lib/libcrypto/x509v3/v3_alt.c
index 58b935a3b6..bb2f5bc54e 100644
--- a/src/lib/libcrypto/x509v3/v3_alt.c
+++ b/src/lib/libcrypto/x509v3/v3_alt.c
@@ -1,9 +1,9 @@
1/* v3_alt.c */ 1/* v3_alt.c */
2/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL 2/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
3 * project 1999. 3 * project.
4 */ 4 */
5/* ==================================================================== 5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved. 6 * Copyright (c) 1999-2003 The OpenSSL Project. All rights reserved.
7 * 7 *
8 * Redistribution and use in source and binary forms, with or without 8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions 9 * modification, are permitted provided that the following conditions
@@ -65,7 +65,10 @@ static GENERAL_NAMES *v2i_subject_alt(X509V3_EXT_METHOD *method, X509V3_CTX *ctx
65static GENERAL_NAMES *v2i_issuer_alt(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval); 65static GENERAL_NAMES *v2i_issuer_alt(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
66static int copy_email(X509V3_CTX *ctx, GENERAL_NAMES *gens, int move_p); 66static int copy_email(X509V3_CTX *ctx, GENERAL_NAMES *gens, int move_p);
67static int copy_issuer(X509V3_CTX *ctx, GENERAL_NAMES *gens); 67static int copy_issuer(X509V3_CTX *ctx, GENERAL_NAMES *gens);
68X509V3_EXT_METHOD v3_alt[] = { 68static int do_othername(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx);
69static int do_dirname(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx);
70
71const X509V3_EXT_METHOD v3_alt[] = {
69{ NID_subject_alt_name, 0, ASN1_ITEM_ref(GENERAL_NAMES), 72{ NID_subject_alt_name, 0, ASN1_ITEM_ref(GENERAL_NAMES),
700,0,0,0, 730,0,0,0,
710,0, 740,0,
@@ -98,7 +101,8 @@ STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(X509V3_EXT_METHOD *method,
98 GENERAL_NAME *gen, STACK_OF(CONF_VALUE) *ret) 101 GENERAL_NAME *gen, STACK_OF(CONF_VALUE) *ret)
99{ 102{
100 unsigned char *p; 103 unsigned char *p;
101 char oline[256]; 104 char oline[256], htmp[5];
105 int i;
102 switch (gen->type) 106 switch (gen->type)
103 { 107 {
104 case GEN_OTHERNAME: 108 case GEN_OTHERNAME:
@@ -132,13 +136,27 @@ STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(X509V3_EXT_METHOD *method,
132 136
133 case GEN_IPADD: 137 case GEN_IPADD:
134 p = gen->d.ip->data; 138 p = gen->d.ip->data;
135 /* BUG: doesn't support IPV6 */ 139 if(gen->d.ip->length == 4)
136 if(gen->d.ip->length != 4) { 140 BIO_snprintf(oline, sizeof oline,
141 "%d.%d.%d.%d", p[0], p[1], p[2], p[3]);
142 else if(gen->d.ip->length == 16)
143 {
144 oline[0] = 0;
145 for (i = 0; i < 8; i++)
146 {
147 BIO_snprintf(htmp, sizeof htmp,
148 "%X", p[0] << 8 | p[1]);
149 p += 2;
150 strcat(oline, htmp);
151 if (i != 7)
152 strcat(oline, ":");
153 }
154 }
155 else
156 {
137 X509V3_add_value("IP Address","<invalid>", &ret); 157 X509V3_add_value("IP Address","<invalid>", &ret);
138 break; 158 break;
139 } 159 }
140 BIO_snprintf(oline, sizeof oline,
141 "%d.%d.%d.%d", p[0], p[1], p[2], p[3]);
142 X509V3_add_value("IP Address",oline, &ret); 160 X509V3_add_value("IP Address",oline, &ret);
143 break; 161 break;
144 162
@@ -153,6 +171,7 @@ STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(X509V3_EXT_METHOD *method,
153int GENERAL_NAME_print(BIO *out, GENERAL_NAME *gen) 171int GENERAL_NAME_print(BIO *out, GENERAL_NAME *gen)
154{ 172{
155 unsigned char *p; 173 unsigned char *p;
174 int i;
156 switch (gen->type) 175 switch (gen->type)
157 { 176 {
158 case GEN_OTHERNAME: 177 case GEN_OTHERNAME:
@@ -187,12 +206,24 @@ int GENERAL_NAME_print(BIO *out, GENERAL_NAME *gen)
187 206
188 case GEN_IPADD: 207 case GEN_IPADD:
189 p = gen->d.ip->data; 208 p = gen->d.ip->data;
190 /* BUG: doesn't support IPV6 */ 209 if(gen->d.ip->length == 4)
191 if(gen->d.ip->length != 4) { 210 BIO_printf(out, "IP Address:%d.%d.%d.%d",
211 p[0], p[1], p[2], p[3]);
212 else if(gen->d.ip->length == 16)
213 {
214 BIO_printf(out, "IP Address");
215 for (i = 0; i < 8; i++)
216 {
217 BIO_printf(out, ":%X", p[0] << 8 | p[1]);
218 p += 2;
219 }
220 BIO_puts(out, "\n");
221 }
222 else
223 {
192 BIO_printf(out,"IP Address:<invalid>"); 224 BIO_printf(out,"IP Address:<invalid>");
193 break; 225 break;
194 } 226 }
195 BIO_printf(out, "IP Address:%d.%d.%d.%d", p[0], p[1], p[2], p[3]);
196 break; 227 break;
197 228
198 case GEN_RID: 229 case GEN_RID:
@@ -210,7 +241,7 @@ static GENERAL_NAMES *v2i_issuer_alt(X509V3_EXT_METHOD *method,
210 CONF_VALUE *cnf; 241 CONF_VALUE *cnf;
211 int i; 242 int i;
212 if(!(gens = sk_GENERAL_NAME_new_null())) { 243 if(!(gens = sk_GENERAL_NAME_new_null())) {
213 X509V3err(X509V3_F_V2I_GENERAL_NAMES,ERR_R_MALLOC_FAILURE); 244 X509V3err(X509V3_F_V2I_ISSUER_ALT,ERR_R_MALLOC_FAILURE);
214 return NULL; 245 return NULL;
215 } 246 }
216 for(i = 0; i < sk_CONF_VALUE_num(nval); i++) { 247 for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
@@ -275,7 +306,7 @@ static GENERAL_NAMES *v2i_subject_alt(X509V3_EXT_METHOD *method,
275 CONF_VALUE *cnf; 306 CONF_VALUE *cnf;
276 int i; 307 int i;
277 if(!(gens = sk_GENERAL_NAME_new_null())) { 308 if(!(gens = sk_GENERAL_NAME_new_null())) {
278 X509V3err(X509V3_F_V2I_GENERAL_NAMES,ERR_R_MALLOC_FAILURE); 309 X509V3err(X509V3_F_V2I_SUBJECT_ALT,ERR_R_MALLOC_FAILURE);
279 return NULL; 310 return NULL;
280 } 311 }
281 for(i = 0; i < sk_CONF_VALUE_num(nval); i++) { 312 for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
@@ -310,7 +341,8 @@ static int copy_email(X509V3_CTX *ctx, GENERAL_NAMES *gens, int move_p)
310 X509_NAME_ENTRY *ne; 341 X509_NAME_ENTRY *ne;
311 GENERAL_NAME *gen = NULL; 342 GENERAL_NAME *gen = NULL;
312 int i; 343 int i;
313 if(ctx->flags == CTX_TEST) return 1; 344 if(ctx != NULL && ctx->flags == CTX_TEST)
345 return 1;
314 if(!ctx || (!ctx->subject_cert && !ctx->subject_req)) { 346 if(!ctx || (!ctx->subject_cert && !ctx->subject_req)) {
315 X509V3err(X509V3_F_COPY_EMAIL,X509V3_R_NO_SUBJECT_DETAILS); 347 X509V3err(X509V3_F_COPY_EMAIL,X509V3_R_NO_SUBJECT_DETAILS);
316 goto err; 348 goto err;
@@ -378,81 +410,172 @@ GENERAL_NAMES *v2i_GENERAL_NAMES(X509V3_EXT_METHOD *method,
378 410
379GENERAL_NAME *v2i_GENERAL_NAME(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, 411GENERAL_NAME *v2i_GENERAL_NAME(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
380 CONF_VALUE *cnf) 412 CONF_VALUE *cnf)
381{ 413 {
382char is_string = 0; 414 return v2i_GENERAL_NAME_ex(NULL, method, ctx, cnf, 0);
383int type; 415 }
384GENERAL_NAME *gen = NULL;
385 416
386char *name, *value; 417GENERAL_NAME *v2i_GENERAL_NAME_ex(GENERAL_NAME *out,
418 X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
419 CONF_VALUE *cnf, int is_nc)
420 {
421 char is_string = 0;
422 int type;
423 GENERAL_NAME *gen = NULL;
387 424
388name = cnf->name; 425 char *name, *value;
389value = cnf->value;
390 426
391if(!value) { 427 name = cnf->name;
392 X509V3err(X509V3_F_V2I_GENERAL_NAME,X509V3_R_MISSING_VALUE); 428 value = cnf->value;
393 return NULL;
394}
395 429
396if(!(gen = GENERAL_NAME_new())) { 430 if(!value)
397 X509V3err(X509V3_F_V2I_GENERAL_NAME,ERR_R_MALLOC_FAILURE); 431 {
398 return NULL; 432 X509V3err(X509V3_F_V2I_GENERAL_NAME_EX,X509V3_R_MISSING_VALUE);
399} 433 return NULL;
434 }
400 435
401if(!name_cmp(name, "email")) { 436 if (out)
402 is_string = 1; 437 gen = out;
403 type = GEN_EMAIL; 438 else
404} else if(!name_cmp(name, "URI")) { 439 {
405 is_string = 1; 440 gen = GENERAL_NAME_new();
406 type = GEN_URI; 441 if(gen == NULL)
407} else if(!name_cmp(name, "DNS")) { 442 {
408 is_string = 1; 443 X509V3err(X509V3_F_V2I_GENERAL_NAME_EX,ERR_R_MALLOC_FAILURE);
409 type = GEN_DNS; 444 return NULL;
410} else if(!name_cmp(name, "RID")) { 445 }
411 ASN1_OBJECT *obj; 446 }
412 if(!(obj = OBJ_txt2obj(value,0))) { 447
413 X509V3err(X509V3_F_V2I_GENERAL_NAME,X509V3_R_BAD_OBJECT); 448 if(!name_cmp(name, "email"))
414 ERR_add_error_data(2, "value=", value); 449 {
415 goto err; 450 is_string = 1;
416 } 451 type = GEN_EMAIL;
417 gen->d.rid = obj; 452 }
418 type = GEN_RID; 453 else if(!name_cmp(name, "URI"))
419} else if(!name_cmp(name, "IP")) { 454 {
420 int i1,i2,i3,i4; 455 is_string = 1;
421 unsigned char ip[4]; 456 type = GEN_URI;
422 if((sscanf(value, "%d.%d.%d.%d",&i1,&i2,&i3,&i4) != 4) || 457 }
423 (i1 < 0) || (i1 > 255) || (i2 < 0) || (i2 > 255) || 458 else if(!name_cmp(name, "DNS"))
424 (i3 < 0) || (i3 > 255) || (i4 < 0) || (i4 > 255) ) { 459 {
425 X509V3err(X509V3_F_V2I_GENERAL_NAME,X509V3_R_BAD_IP_ADDRESS); 460 is_string = 1;
426 ERR_add_error_data(2, "value=", value); 461 type = GEN_DNS;
462 }
463 else if(!name_cmp(name, "RID"))
464 {
465 ASN1_OBJECT *obj;
466 if(!(obj = OBJ_txt2obj(value,0)))
467 {
468 X509V3err(X509V3_F_V2I_GENERAL_NAME_EX,X509V3_R_BAD_OBJECT);
469 ERR_add_error_data(2, "value=", value);
470 goto err;
471 }
472 gen->d.rid = obj;
473 type = GEN_RID;
474 }
475 else if(!name_cmp(name, "IP"))
476 {
477 if (is_nc)
478 gen->d.ip = a2i_IPADDRESS_NC(value);
479 else
480 gen->d.ip = a2i_IPADDRESS(value);
481 if(gen->d.ip == NULL)
482 {
483 X509V3err(X509V3_F_V2I_GENERAL_NAME_EX,X509V3_R_BAD_IP_ADDRESS);
484 ERR_add_error_data(2, "value=", value);
485 goto err;
486 }
487 type = GEN_IPADD;
488 }
489 else if(!name_cmp(name, "dirName"))
490 {
491 type = GEN_DIRNAME;
492 if (!do_dirname(gen, value, ctx))
493 {
494 X509V3err(X509V3_F_V2I_GENERAL_NAME_EX,X509V3_R_DIRNAME_ERROR);
495 goto err;
496 }
497 }
498 else if(!name_cmp(name, "otherName"))
499 {
500 if (!do_othername(gen, value, ctx))
501 {
502 X509V3err(X509V3_F_V2I_GENERAL_NAME_EX,X509V3_R_OTHERNAME_ERROR);
503 goto err;
504 }
505 type = GEN_OTHERNAME;
506 }
507 else
508 {
509 X509V3err(X509V3_F_V2I_GENERAL_NAME_EX,X509V3_R_UNSUPPORTED_OPTION);
510 ERR_add_error_data(2, "name=", name);
427 goto err; 511 goto err;
428 } 512 }
429 ip[0] = i1; ip[1] = i2 ; ip[2] = i3 ; ip[3] = i4; 513
430 if(!(gen->d.ip = M_ASN1_OCTET_STRING_new()) || 514 if(is_string)
431 !ASN1_STRING_set(gen->d.ip, ip, 4)) { 515 {
432 X509V3err(X509V3_F_V2I_GENERAL_NAME,ERR_R_MALLOC_FAILURE); 516 if(!(gen->d.ia5 = M_ASN1_IA5STRING_new()) ||
517 !ASN1_STRING_set(gen->d.ia5, (unsigned char*)value,
518 strlen(value)))
519 {
520 X509V3err(X509V3_F_V2I_GENERAL_NAME_EX,ERR_R_MALLOC_FAILURE);
433 goto err; 521 goto err;
434 } 522 }
435 type = GEN_IPADD; 523 }
436} else {
437 X509V3err(X509V3_F_V2I_GENERAL_NAME,X509V3_R_UNSUPPORTED_OPTION);
438 ERR_add_error_data(2, "name=", name);
439 goto err;
440}
441 524
442if(is_string) { 525 gen->type = type;
443 if(!(gen->d.ia5 = M_ASN1_IA5STRING_new()) || 526
444 !ASN1_STRING_set(gen->d.ia5, (unsigned char*)value, 527 return gen;
445 strlen(value))) {
446 X509V3err(X509V3_F_V2I_GENERAL_NAME,ERR_R_MALLOC_FAILURE);
447 goto err;
448 }
449}
450 528
451gen->type = type; 529 err:
530 GENERAL_NAME_free(gen);
531 return NULL;
532 }
452 533
453return gen; 534static int do_othername(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx)
535 {
536 char *objtmp = NULL, *p;
537 int objlen;
538 if (!(p = strchr(value, ';')))
539 return 0;
540 if (!(gen->d.otherName = OTHERNAME_new()))
541 return 0;
542 /* Free this up because we will overwrite it.
543 * no need to free type_id because it is static
544 */
545 ASN1_TYPE_free(gen->d.otherName->value);
546 if (!(gen->d.otherName->value = ASN1_generate_v3(p + 1, ctx)))
547 return 0;
548 objlen = p - value;
549 objtmp = OPENSSL_malloc(objlen + 1);
550 strncpy(objtmp, value, objlen);
551 objtmp[objlen] = 0;
552 gen->d.otherName->type_id = OBJ_txt2obj(objtmp, 0);
553 OPENSSL_free(objtmp);
554 if (!gen->d.otherName->type_id)
555 return 0;
556 return 1;
557 }
454 558
455err: 559static int do_dirname(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx)
456GENERAL_NAME_free(gen); 560 {
457return NULL; 561 int ret;
458} 562 STACK_OF(CONF_VALUE) *sk;
563 X509_NAME *nm;
564 if (!(nm = X509_NAME_new()))
565 return 0;
566 sk = X509V3_get_section(ctx, value);
567 if (!sk)
568 {
569 X509V3err(X509V3_F_DO_DIRNAME,X509V3_R_SECTION_NOT_FOUND);
570 ERR_add_error_data(2, "section=", value);
571 X509_NAME_free(nm);
572 return 0;
573 }
574 /* FIXME: should allow other character types... */
575 ret = X509V3_NAME_from_section(nm, sk, MBSTRING_ASC);
576 if (!ret)
577 X509_NAME_free(nm);
578 gen->d.dirn = nm;
579
580 return ret;
581 }
diff --git a/src/lib/libcrypto/x509v3/v3_bcons.c b/src/lib/libcrypto/x509v3/v3_bcons.c
index cbb012715e..74b1233071 100644
--- a/src/lib/libcrypto/x509v3/v3_bcons.c
+++ b/src/lib/libcrypto/x509v3/v3_bcons.c
@@ -67,7 +67,7 @@
67static STACK_OF(CONF_VALUE) *i2v_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method, BASIC_CONSTRAINTS *bcons, STACK_OF(CONF_VALUE) *extlist); 67static STACK_OF(CONF_VALUE) *i2v_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method, BASIC_CONSTRAINTS *bcons, STACK_OF(CONF_VALUE) *extlist);
68static BASIC_CONSTRAINTS *v2i_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values); 68static BASIC_CONSTRAINTS *v2i_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values);
69 69
70X509V3_EXT_METHOD v3_bcons = { 70const X509V3_EXT_METHOD v3_bcons = {
71NID_basic_constraints, 0, 71NID_basic_constraints, 0,
72ASN1_ITEM_ref(BASIC_CONSTRAINTS), 72ASN1_ITEM_ref(BASIC_CONSTRAINTS),
730,0,0,0, 730,0,0,0,
diff --git a/src/lib/libcrypto/x509v3/v3_bitst.c b/src/lib/libcrypto/x509v3/v3_bitst.c
index 274965306d..cf31f0816e 100644
--- a/src/lib/libcrypto/x509v3/v3_bitst.c
+++ b/src/lib/libcrypto/x509v3/v3_bitst.c
@@ -61,12 +61,6 @@
61#include <openssl/conf.h> 61#include <openssl/conf.h>
62#include <openssl/x509v3.h> 62#include <openssl/x509v3.h>
63 63
64static ASN1_BIT_STRING *v2i_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
65 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
66static STACK_OF(CONF_VALUE) *i2v_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
67 ASN1_BIT_STRING *bits,
68 STACK_OF(CONF_VALUE) *extlist);
69
70static BIT_STRING_BITNAME ns_cert_type_table[] = { 64static BIT_STRING_BITNAME ns_cert_type_table[] = {
71{0, "SSL Client", "client"}, 65{0, "SSL Client", "client"},
72{1, "SSL Server", "server"}, 66{1, "SSL Server", "server"},
@@ -94,10 +88,10 @@ static BIT_STRING_BITNAME key_usage_type_table[] = {
94 88
95 89
96 90
97X509V3_EXT_METHOD v3_nscert = EXT_BITSTRING(NID_netscape_cert_type, ns_cert_type_table); 91const X509V3_EXT_METHOD v3_nscert = EXT_BITSTRING(NID_netscape_cert_type, ns_cert_type_table);
98X509V3_EXT_METHOD v3_key_usage = EXT_BITSTRING(NID_key_usage, key_usage_type_table); 92const X509V3_EXT_METHOD v3_key_usage = EXT_BITSTRING(NID_key_usage, key_usage_type_table);
99 93
100static STACK_OF(CONF_VALUE) *i2v_ASN1_BIT_STRING(X509V3_EXT_METHOD *method, 94STACK_OF(CONF_VALUE) *i2v_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
101 ASN1_BIT_STRING *bits, STACK_OF(CONF_VALUE) *ret) 95 ASN1_BIT_STRING *bits, STACK_OF(CONF_VALUE) *ret)
102{ 96{
103 BIT_STRING_BITNAME *bnam; 97 BIT_STRING_BITNAME *bnam;
@@ -108,7 +102,7 @@ static STACK_OF(CONF_VALUE) *i2v_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
108 return ret; 102 return ret;
109} 103}
110 104
111static ASN1_BIT_STRING *v2i_ASN1_BIT_STRING(X509V3_EXT_METHOD *method, 105ASN1_BIT_STRING *v2i_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
112 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval) 106 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
113{ 107{
114 CONF_VALUE *val; 108 CONF_VALUE *val;
diff --git a/src/lib/libcrypto/x509v3/v3_conf.c b/src/lib/libcrypto/x509v3/v3_conf.c
index 1284d5aaa5..2b867305fb 100644
--- a/src/lib/libcrypto/x509v3/v3_conf.c
+++ b/src/lib/libcrypto/x509v3/v3_conf.c
@@ -3,7 +3,7 @@
3 * project 1999. 3 * project 1999.
4 */ 4 */
5/* ==================================================================== 5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved. 6 * Copyright (c) 1999-2002 The OpenSSL Project. All rights reserved.
7 * 7 *
8 * Redistribution and use in source and binary forms, with or without 8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions 9 * modification, are permitted provided that the following conditions
@@ -69,11 +69,12 @@
69static int v3_check_critical(char **value); 69static int v3_check_critical(char **value);
70static int v3_check_generic(char **value); 70static int v3_check_generic(char **value);
71static X509_EXTENSION *do_ext_nconf(CONF *conf, X509V3_CTX *ctx, int ext_nid, int crit, char *value); 71static X509_EXTENSION *do_ext_nconf(CONF *conf, X509V3_CTX *ctx, int ext_nid, int crit, char *value);
72static X509_EXTENSION *v3_generic_extension(const char *ext, char *value, int crit, int type); 72static X509_EXTENSION *v3_generic_extension(const char *ext, char *value, int crit, int type, X509V3_CTX *ctx);
73static char *conf_lhash_get_string(void *db, char *section, char *value); 73static char *conf_lhash_get_string(void *db, char *section, char *value);
74static STACK_OF(CONF_VALUE) *conf_lhash_get_section(void *db, char *section); 74static STACK_OF(CONF_VALUE) *conf_lhash_get_section(void *db, char *section);
75static X509_EXTENSION *do_ext_i2d(X509V3_EXT_METHOD *method, int ext_nid, 75static X509_EXTENSION *do_ext_i2d(X509V3_EXT_METHOD *method, int ext_nid,
76 int crit, void *ext_struc); 76 int crit, void *ext_struc);
77static unsigned char *generic_asn1(char *value, X509V3_CTX *ctx, long *ext_len);
77/* CONF *conf: Config file */ 78/* CONF *conf: Config file */
78/* char *name: Name */ 79/* char *name: Name */
79/* char *value: Value */ 80/* char *value: Value */
@@ -85,11 +86,11 @@ X509_EXTENSION *X509V3_EXT_nconf(CONF *conf, X509V3_CTX *ctx, char *name,
85 X509_EXTENSION *ret; 86 X509_EXTENSION *ret;
86 crit = v3_check_critical(&value); 87 crit = v3_check_critical(&value);
87 if ((ext_type = v3_check_generic(&value))) 88 if ((ext_type = v3_check_generic(&value)))
88 return v3_generic_extension(name, value, crit, ext_type); 89 return v3_generic_extension(name, value, crit, ext_type, ctx);
89 ret = do_ext_nconf(conf, ctx, OBJ_sn2nid(name), crit, value); 90 ret = do_ext_nconf(conf, ctx, OBJ_sn2nid(name), crit, value);
90 if (!ret) 91 if (!ret)
91 { 92 {
92 X509V3err(X509V3_F_X509V3_EXT_CONF,X509V3_R_ERROR_IN_EXTENSION); 93 X509V3err(X509V3_F_X509V3_EXT_NCONF,X509V3_R_ERROR_IN_EXTENSION);
93 ERR_add_error_data(4,"name=", name, ", value=", value); 94 ERR_add_error_data(4,"name=", name, ", value=", value);
94 } 95 }
95 return ret; 96 return ret;
@@ -105,7 +106,7 @@ X509_EXTENSION *X509V3_EXT_nconf_nid(CONF *conf, X509V3_CTX *ctx, int ext_nid,
105 crit = v3_check_critical(&value); 106 crit = v3_check_critical(&value);
106 if ((ext_type = v3_check_generic(&value))) 107 if ((ext_type = v3_check_generic(&value)))
107 return v3_generic_extension(OBJ_nid2sn(ext_nid), 108 return v3_generic_extension(OBJ_nid2sn(ext_nid),
108 value, crit, ext_type); 109 value, crit, ext_type, ctx);
109 return do_ext_nconf(conf, ctx, ext_nid, crit, value); 110 return do_ext_nconf(conf, ctx, ext_nid, crit, value);
110 } 111 }
111 112
@@ -120,12 +121,12 @@ static X509_EXTENSION *do_ext_nconf(CONF *conf, X509V3_CTX *ctx, int ext_nid,
120 void *ext_struc; 121 void *ext_struc;
121 if (ext_nid == NID_undef) 122 if (ext_nid == NID_undef)
122 { 123 {
123 X509V3err(X509V3_F_DO_EXT_CONF,X509V3_R_UNKNOWN_EXTENSION_NAME); 124 X509V3err(X509V3_F_DO_EXT_NCONF,X509V3_R_UNKNOWN_EXTENSION_NAME);
124 return NULL; 125 return NULL;
125 } 126 }
126 if (!(method = X509V3_EXT_get_nid(ext_nid))) 127 if (!(method = X509V3_EXT_get_nid(ext_nid)))
127 { 128 {
128 X509V3err(X509V3_F_DO_EXT_CONF,X509V3_R_UNKNOWN_EXTENSION); 129 X509V3err(X509V3_F_DO_EXT_NCONF,X509V3_R_UNKNOWN_EXTENSION);
129 return NULL; 130 return NULL;
130 } 131 }
131 /* Now get internal extension representation based on type */ 132 /* Now get internal extension representation based on type */
@@ -133,9 +134,9 @@ static X509_EXTENSION *do_ext_nconf(CONF *conf, X509V3_CTX *ctx, int ext_nid,
133 { 134 {
134 if(*value == '@') nval = NCONF_get_section(conf, value + 1); 135 if(*value == '@') nval = NCONF_get_section(conf, value + 1);
135 else nval = X509V3_parse_list(value); 136 else nval = X509V3_parse_list(value);
136 if(!nval) 137 if(sk_CONF_VALUE_num(nval) <= 0)
137 { 138 {
138 X509V3err(X509V3_F_X509V3_EXT_CONF,X509V3_R_INVALID_EXTENSION_STRING); 139 X509V3err(X509V3_F_DO_EXT_NCONF,X509V3_R_INVALID_EXTENSION_STRING);
139 ERR_add_error_data(4, "name=", OBJ_nid2sn(ext_nid), ",section=", value); 140 ERR_add_error_data(4, "name=", OBJ_nid2sn(ext_nid), ",section=", value);
140 return NULL; 141 return NULL;
141 } 142 }
@@ -150,16 +151,16 @@ static X509_EXTENSION *do_ext_nconf(CONF *conf, X509V3_CTX *ctx, int ext_nid,
150 } 151 }
151 else if(method->r2i) 152 else if(method->r2i)
152 { 153 {
153 if(!ctx->db) 154 if(!ctx->db || !ctx->db_meth)
154 { 155 {
155 X509V3err(X509V3_F_X509V3_EXT_CONF,X509V3_R_NO_CONFIG_DATABASE); 156 X509V3err(X509V3_F_DO_EXT_NCONF,X509V3_R_NO_CONFIG_DATABASE);
156 return NULL; 157 return NULL;
157 } 158 }
158 if(!(ext_struc = method->r2i(method, ctx, value))) return NULL; 159 if(!(ext_struc = method->r2i(method, ctx, value))) return NULL;
159 } 160 }
160 else 161 else
161 { 162 {
162 X509V3err(X509V3_F_X509V3_EXT_CONF,X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED); 163 X509V3err(X509V3_F_DO_EXT_NCONF,X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED);
163 ERR_add_error_data(2, "name=", OBJ_nid2sn(ext_nid)); 164 ERR_add_error_data(2, "name=", OBJ_nid2sn(ext_nid));
164 return NULL; 165 return NULL;
165 } 166 }
@@ -235,17 +236,29 @@ static int v3_check_critical(char **value)
235/* Check extension string for generic extension and return the type */ 236/* Check extension string for generic extension and return the type */
236static int v3_check_generic(char **value) 237static int v3_check_generic(char **value)
237{ 238{
239 int gen_type = 0;
238 char *p = *value; 240 char *p = *value;
239 if ((strlen(p) < 4) || strncmp(p, "DER:", 4)) return 0; 241 if ((strlen(p) >= 4) && !strncmp(p, "DER:", 4))
240 p+=4; 242 {
243 p+=4;
244 gen_type = 1;
245 }
246 else if ((strlen(p) >= 5) && !strncmp(p, "ASN1:", 5))
247 {
248 p+=5;
249 gen_type = 2;
250 }
251 else
252 return 0;
253
241 while (isspace((unsigned char)*p)) p++; 254 while (isspace((unsigned char)*p)) p++;
242 *value = p; 255 *value = p;
243 return 1; 256 return gen_type;
244} 257}
245 258
246/* Create a generic extension: for now just handle DER type */ 259/* Create a generic extension: for now just handle DER type */
247static X509_EXTENSION *v3_generic_extension(const char *ext, char *value, 260static X509_EXTENSION *v3_generic_extension(const char *ext, char *value,
248 int crit, int type) 261 int crit, int gen_type, X509V3_CTX *ctx)
249 { 262 {
250 unsigned char *ext_der=NULL; 263 unsigned char *ext_der=NULL;
251 long ext_len; 264 long ext_len;
@@ -259,7 +272,12 @@ static X509_EXTENSION *v3_generic_extension(const char *ext, char *value,
259 goto err; 272 goto err;
260 } 273 }
261 274
262 if (!(ext_der = string_to_hex(value, &ext_len))) 275 if (gen_type == 1)
276 ext_der = string_to_hex(value, &ext_len);
277 else if (gen_type == 2)
278 ext_der = generic_asn1(value, ctx, &ext_len);
279
280 if (ext_der == NULL)
263 { 281 {
264 X509V3err(X509V3_F_V3_GENERIC_EXTENSION,X509V3_R_EXTENSION_VALUE_ERROR); 282 X509V3err(X509V3_F_V3_GENERIC_EXTENSION,X509V3_R_EXTENSION_VALUE_ERROR);
265 ERR_add_error_data(2, "value=", value); 283 ERR_add_error_data(2, "value=", value);
@@ -286,6 +304,17 @@ static X509_EXTENSION *v3_generic_extension(const char *ext, char *value,
286 304
287 } 305 }
288 306
307static unsigned char *generic_asn1(char *value, X509V3_CTX *ctx, long *ext_len)
308 {
309 ASN1_TYPE *typ;
310 unsigned char *ext_der = NULL;
311 typ = ASN1_generate_v3(value, ctx);
312 if (typ == NULL)
313 return NULL;
314 *ext_len = i2d_ASN1_TYPE(typ, &ext_der);
315 ASN1_TYPE_free(typ);
316 return ext_der;
317 }
289 318
290/* This is the main function: add a bunch of extensions based on a config file 319/* This is the main function: add a bunch of extensions based on a config file
291 * section to an extension STACK. 320 * section to an extension STACK.
@@ -354,6 +383,11 @@ int X509V3_EXT_REQ_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section,
354 383
355char * X509V3_get_string(X509V3_CTX *ctx, char *name, char *section) 384char * X509V3_get_string(X509V3_CTX *ctx, char *name, char *section)
356 { 385 {
386 if(!ctx->db || !ctx->db_meth || !ctx->db_meth->get_string)
387 {
388 X509V3err(X509V3_F_X509V3_GET_STRING,X509V3_R_OPERATION_NOT_DEFINED);
389 return NULL;
390 }
357 if (ctx->db_meth->get_string) 391 if (ctx->db_meth->get_string)
358 return ctx->db_meth->get_string(ctx->db, name, section); 392 return ctx->db_meth->get_string(ctx->db, name, section);
359 return NULL; 393 return NULL;
@@ -361,6 +395,11 @@ char * X509V3_get_string(X509V3_CTX *ctx, char *name, char *section)
361 395
362STACK_OF(CONF_VALUE) * X509V3_get_section(X509V3_CTX *ctx, char *section) 396STACK_OF(CONF_VALUE) * X509V3_get_section(X509V3_CTX *ctx, char *section)
363 { 397 {
398 if(!ctx->db || !ctx->db_meth || !ctx->db_meth->get_section)
399 {
400 X509V3err(X509V3_F_X509V3_GET_SECTION,X509V3_R_OPERATION_NOT_DEFINED);
401 return NULL;
402 }
364 if (ctx->db_meth->get_section) 403 if (ctx->db_meth->get_section)
365 return ctx->db_meth->get_section(ctx->db, section); 404 return ctx->db_meth->get_section(ctx->db, section);
366 return NULL; 405 return NULL;
diff --git a/src/lib/libcrypto/x509v3/v3_cpols.c b/src/lib/libcrypto/x509v3/v3_cpols.c
index 867525f336..a40f490aa9 100644
--- a/src/lib/libcrypto/x509v3/v3_cpols.c
+++ b/src/lib/libcrypto/x509v3/v3_cpols.c
@@ -3,7 +3,7 @@
3 * project 1999. 3 * project 1999.
4 */ 4 */
5/* ==================================================================== 5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved. 6 * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved.
7 * 7 *
8 * Redistribution and use in source and binary forms, with or without 8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions 9 * modification, are permitted provided that the following conditions
@@ -63,6 +63,8 @@
63#include <openssl/asn1t.h> 63#include <openssl/asn1t.h>
64#include <openssl/x509v3.h> 64#include <openssl/x509v3.h>
65 65
66#include "pcy_int.h"
67
66/* Certificate policies extension support: this one is a bit complex... */ 68/* Certificate policies extension support: this one is a bit complex... */
67 69
68static int i2r_certpol(X509V3_EXT_METHOD *method, STACK_OF(POLICYINFO) *pol, BIO *out, int indent); 70static int i2r_certpol(X509V3_EXT_METHOD *method, STACK_OF(POLICYINFO) *pol, BIO *out, int indent);
@@ -75,7 +77,7 @@ static POLICYQUALINFO *notice_section(X509V3_CTX *ctx,
75 STACK_OF(CONF_VALUE) *unot, int ia5org); 77 STACK_OF(CONF_VALUE) *unot, int ia5org);
76static int nref_nos(STACK_OF(ASN1_INTEGER) *nnums, STACK_OF(CONF_VALUE) *nos); 78static int nref_nos(STACK_OF(ASN1_INTEGER) *nnums, STACK_OF(CONF_VALUE) *nos);
77 79
78X509V3_EXT_METHOD v3_cpols = { 80const X509V3_EXT_METHOD v3_cpols = {
79NID_certificate_policies, 0,ASN1_ITEM_ref(CERTIFICATEPOLICIES), 81NID_certificate_policies, 0,ASN1_ITEM_ref(CERTIFICATEPOLICIES),
800,0,0,0, 820,0,0,0,
810,0, 830,0,
@@ -348,7 +350,7 @@ static int nref_nos(STACK_OF(ASN1_INTEGER) *nnums, STACK_OF(CONF_VALUE) *nos)
348 return 1; 350 return 1;
349 351
350 merr: 352 merr:
351 X509V3err(X509V3_F_NOTICE_SECTION,ERR_R_MALLOC_FAILURE); 353 X509V3err(X509V3_F_NREF_NOS,ERR_R_MALLOC_FAILURE);
352 354
353 err: 355 err:
354 sk_ASN1_INTEGER_pop_free(nnums, ASN1_STRING_free); 356 sk_ASN1_INTEGER_pop_free(nnums, ASN1_STRING_free);
@@ -429,3 +431,19 @@ static void print_notice(BIO *out, USERNOTICE *notice, int indent)
429 notice->exptext->data); 431 notice->exptext->data);
430} 432}
431 433
434void X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent)
435 {
436 const X509_POLICY_DATA *dat = node->data;
437
438 BIO_printf(out, "%*sPolicy: ", indent, "");
439
440 i2a_ASN1_OBJECT(out, dat->valid_policy);
441 BIO_puts(out, "\n");
442 BIO_printf(out, "%*s%s\n", indent + 2, "",
443 node_data_critical(dat) ? "Critical" : "Non Critical");
444 if (dat->qualifier_set)
445 print_qualifiers(out, dat->qualifier_set, indent + 2);
446 else
447 BIO_printf(out, "%*sNo Qualifiers\n", indent + 2, "");
448 }
449
diff --git a/src/lib/libcrypto/x509v3/v3_crld.c b/src/lib/libcrypto/x509v3/v3_crld.c
index f90829c574..c6e3ebae7b 100644
--- a/src/lib/libcrypto/x509v3/v3_crld.c
+++ b/src/lib/libcrypto/x509v3/v3_crld.c
@@ -68,7 +68,7 @@ static STACK_OF(CONF_VALUE) *i2v_crld(X509V3_EXT_METHOD *method,
68static STACK_OF(DIST_POINT) *v2i_crld(X509V3_EXT_METHOD *method, 68static STACK_OF(DIST_POINT) *v2i_crld(X509V3_EXT_METHOD *method,
69 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval); 69 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
70 70
71X509V3_EXT_METHOD v3_crld = { 71const X509V3_EXT_METHOD v3_crld = {
72NID_crl_distribution_points, X509V3_EXT_MULTILINE, ASN1_ITEM_ref(CRL_DIST_POINTS), 72NID_crl_distribution_points, X509V3_EXT_MULTILINE, ASN1_ITEM_ref(CRL_DIST_POINTS),
730,0,0,0, 730,0,0,0,
740,0, 740,0,
diff --git a/src/lib/libcrypto/x509v3/v3_enum.c b/src/lib/libcrypto/x509v3/v3_enum.c
index 010c9d6260..a236cb22e1 100644
--- a/src/lib/libcrypto/x509v3/v3_enum.c
+++ b/src/lib/libcrypto/x509v3/v3_enum.c
@@ -72,7 +72,7 @@ static ENUMERATED_NAMES crl_reasons[] = {
72{-1, NULL, NULL} 72{-1, NULL, NULL}
73}; 73};
74 74
75X509V3_EXT_METHOD v3_crl_reason = { 75const X509V3_EXT_METHOD v3_crl_reason = {
76NID_crl_reason, 0, ASN1_ITEM_ref(ASN1_ENUMERATED), 76NID_crl_reason, 0, ASN1_ITEM_ref(ASN1_ENUMERATED),
770,0,0,0, 770,0,0,0,
78(X509V3_EXT_I2S)i2s_ASN1_ENUMERATED_TABLE, 78(X509V3_EXT_I2S)i2s_ASN1_ENUMERATED_TABLE,
diff --git a/src/lib/libcrypto/x509v3/v3_extku.c b/src/lib/libcrypto/x509v3/v3_extku.c
index b1cfaba1aa..a4efe0031e 100644
--- a/src/lib/libcrypto/x509v3/v3_extku.c
+++ b/src/lib/libcrypto/x509v3/v3_extku.c
@@ -68,7 +68,7 @@ static void *v2i_EXTENDED_KEY_USAGE(X509V3_EXT_METHOD *method,
68static STACK_OF(CONF_VALUE) *i2v_EXTENDED_KEY_USAGE(X509V3_EXT_METHOD *method, 68static STACK_OF(CONF_VALUE) *i2v_EXTENDED_KEY_USAGE(X509V3_EXT_METHOD *method,
69 void *eku, STACK_OF(CONF_VALUE) *extlist); 69 void *eku, STACK_OF(CONF_VALUE) *extlist);
70 70
71X509V3_EXT_METHOD v3_ext_ku = { 71const X509V3_EXT_METHOD v3_ext_ku = {
72 NID_ext_key_usage, 0, 72 NID_ext_key_usage, 0,
73 ASN1_ITEM_ref(EXTENDED_KEY_USAGE), 73 ASN1_ITEM_ref(EXTENDED_KEY_USAGE),
74 0,0,0,0, 74 0,0,0,0,
@@ -80,7 +80,7 @@ X509V3_EXT_METHOD v3_ext_ku = {
80}; 80};
81 81
82/* NB OCSP acceptable responses also is a SEQUENCE OF OBJECT */ 82/* NB OCSP acceptable responses also is a SEQUENCE OF OBJECT */
83X509V3_EXT_METHOD v3_ocsp_accresp = { 83const X509V3_EXT_METHOD v3_ocsp_accresp = {
84 NID_id_pkix_OCSP_acceptableResponses, 0, 84 NID_id_pkix_OCSP_acceptableResponses, 0,
85 ASN1_ITEM_ref(EXTENDED_KEY_USAGE), 85 ASN1_ITEM_ref(EXTENDED_KEY_USAGE),
86 0,0,0,0, 86 0,0,0,0,
@@ -122,7 +122,7 @@ static void *v2i_EXTENDED_KEY_USAGE(X509V3_EXT_METHOD *method,
122 int i; 122 int i;
123 123
124 if(!(extku = sk_ASN1_OBJECT_new_null())) { 124 if(!(extku = sk_ASN1_OBJECT_new_null())) {
125 X509V3err(X509V3_F_V2I_EXT_KU,ERR_R_MALLOC_FAILURE); 125 X509V3err(X509V3_F_V2I_EXTENDED_KEY_USAGE,ERR_R_MALLOC_FAILURE);
126 return NULL; 126 return NULL;
127 } 127 }
128 128
@@ -132,7 +132,7 @@ static void *v2i_EXTENDED_KEY_USAGE(X509V3_EXT_METHOD *method,
132 else extval = val->name; 132 else extval = val->name;
133 if(!(objtmp = OBJ_txt2obj(extval, 0))) { 133 if(!(objtmp = OBJ_txt2obj(extval, 0))) {
134 sk_ASN1_OBJECT_pop_free(extku, ASN1_OBJECT_free); 134 sk_ASN1_OBJECT_pop_free(extku, ASN1_OBJECT_free);
135 X509V3err(X509V3_F_V2I_EXT_KU,X509V3_R_INVALID_OBJECT_IDENTIFIER); 135 X509V3err(X509V3_F_V2I_EXTENDED_KEY_USAGE,X509V3_R_INVALID_OBJECT_IDENTIFIER);
136 X509V3_conf_err(val); 136 X509V3_conf_err(val);
137 return NULL; 137 return NULL;
138 } 138 }
diff --git a/src/lib/libcrypto/x509v3/v3_ia5.c b/src/lib/libcrypto/x509v3/v3_ia5.c
index 9683afa47c..b739ccd036 100644
--- a/src/lib/libcrypto/x509v3/v3_ia5.c
+++ b/src/lib/libcrypto/x509v3/v3_ia5.c
@@ -65,7 +65,7 @@
65 65
66static char *i2s_ASN1_IA5STRING(X509V3_EXT_METHOD *method, ASN1_IA5STRING *ia5); 66static char *i2s_ASN1_IA5STRING(X509V3_EXT_METHOD *method, ASN1_IA5STRING *ia5);
67static ASN1_IA5STRING *s2i_ASN1_IA5STRING(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *str); 67static ASN1_IA5STRING *s2i_ASN1_IA5STRING(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *str);
68X509V3_EXT_METHOD v3_ns_ia5_list[] = { 68const X509V3_EXT_METHOD v3_ns_ia5_list[] = {
69EXT_IA5STRING(NID_netscape_base_url), 69EXT_IA5STRING(NID_netscape_base_url),
70EXT_IA5STRING(NID_netscape_revocation_url), 70EXT_IA5STRING(NID_netscape_revocation_url),
71EXT_IA5STRING(NID_netscape_ca_revocation_url), 71EXT_IA5STRING(NID_netscape_ca_revocation_url),
diff --git a/src/lib/libcrypto/x509v3/v3_info.c b/src/lib/libcrypto/x509v3/v3_info.c
index 53e3f48859..e0ef69de42 100644
--- a/src/lib/libcrypto/x509v3/v3_info.c
+++ b/src/lib/libcrypto/x509v3/v3_info.c
@@ -69,7 +69,7 @@ static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD *method
69static AUTHORITY_INFO_ACCESS *v2i_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD *method, 69static AUTHORITY_INFO_ACCESS *v2i_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD *method,
70 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval); 70 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
71 71
72X509V3_EXT_METHOD v3_info = 72const X509V3_EXT_METHOD v3_info =
73{ NID_info_access, X509V3_EXT_MULTILINE, ASN1_ITEM_ref(AUTHORITY_INFO_ACCESS), 73{ NID_info_access, X509V3_EXT_MULTILINE, ASN1_ITEM_ref(AUTHORITY_INFO_ACCESS),
740,0,0,0, 740,0,0,0,
750,0, 750,0,
@@ -78,7 +78,7 @@ X509V3_EXT_METHOD v3_info =
780,0, 780,0,
79NULL}; 79NULL};
80 80
81X509V3_EXT_METHOD v3_sinfo = 81const X509V3_EXT_METHOD v3_sinfo =
82{ NID_sinfo_access, X509V3_EXT_MULTILINE, ASN1_ITEM_ref(AUTHORITY_INFO_ACCESS), 82{ NID_sinfo_access, X509V3_EXT_MULTILINE, ASN1_ITEM_ref(AUTHORITY_INFO_ACCESS),
830,0,0,0, 830,0,0,0,
840,0, 840,0,
@@ -141,36 +141,35 @@ static AUTHORITY_INFO_ACCESS *v2i_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD *metho
141 int i, objlen; 141 int i, objlen;
142 char *objtmp, *ptmp; 142 char *objtmp, *ptmp;
143 if(!(ainfo = sk_ACCESS_DESCRIPTION_new_null())) { 143 if(!(ainfo = sk_ACCESS_DESCRIPTION_new_null())) {
144 X509V3err(X509V3_F_V2I_ACCESS_DESCRIPTION,ERR_R_MALLOC_FAILURE); 144 X509V3err(X509V3_F_V2I_AUTHORITY_INFO_ACCESS,ERR_R_MALLOC_FAILURE);
145 return NULL; 145 return NULL;
146 } 146 }
147 for(i = 0; i < sk_CONF_VALUE_num(nval); i++) { 147 for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
148 cnf = sk_CONF_VALUE_value(nval, i); 148 cnf = sk_CONF_VALUE_value(nval, i);
149 if(!(acc = ACCESS_DESCRIPTION_new()) 149 if(!(acc = ACCESS_DESCRIPTION_new())
150 || !sk_ACCESS_DESCRIPTION_push(ainfo, acc)) { 150 || !sk_ACCESS_DESCRIPTION_push(ainfo, acc)) {
151 X509V3err(X509V3_F_V2I_ACCESS_DESCRIPTION,ERR_R_MALLOC_FAILURE); 151 X509V3err(X509V3_F_V2I_AUTHORITY_INFO_ACCESS,ERR_R_MALLOC_FAILURE);
152 goto err; 152 goto err;
153 } 153 }
154 ptmp = strchr(cnf->name, ';'); 154 ptmp = strchr(cnf->name, ';');
155 if(!ptmp) { 155 if(!ptmp) {
156 X509V3err(X509V3_F_V2I_ACCESS_DESCRIPTION,X509V3_R_INVALID_SYNTAX); 156 X509V3err(X509V3_F_V2I_AUTHORITY_INFO_ACCESS,X509V3_R_INVALID_SYNTAX);
157 goto err; 157 goto err;
158 } 158 }
159 objlen = ptmp - cnf->name; 159 objlen = ptmp - cnf->name;
160 ctmp.name = ptmp + 1; 160 ctmp.name = ptmp + 1;
161 ctmp.value = cnf->value; 161 ctmp.value = cnf->value;
162 GENERAL_NAME_free(acc->location); 162 if(!v2i_GENERAL_NAME_ex(acc->location, method, ctx, &ctmp, 0))
163 if(!(acc->location = v2i_GENERAL_NAME(method, ctx, &ctmp)))
164 goto err; 163 goto err;
165 if(!(objtmp = OPENSSL_malloc(objlen + 1))) { 164 if(!(objtmp = OPENSSL_malloc(objlen + 1))) {
166 X509V3err(X509V3_F_V2I_ACCESS_DESCRIPTION,ERR_R_MALLOC_FAILURE); 165 X509V3err(X509V3_F_V2I_AUTHORITY_INFO_ACCESS,ERR_R_MALLOC_FAILURE);
167 goto err; 166 goto err;
168 } 167 }
169 strncpy(objtmp, cnf->name, objlen); 168 strncpy(objtmp, cnf->name, objlen);
170 objtmp[objlen] = 0; 169 objtmp[objlen] = 0;
171 acc->method = OBJ_txt2obj(objtmp, 0); 170 acc->method = OBJ_txt2obj(objtmp, 0);
172 if(!acc->method) { 171 if(!acc->method) {
173 X509V3err(X509V3_F_V2I_ACCESS_DESCRIPTION,X509V3_R_BAD_OBJECT); 172 X509V3err(X509V3_F_V2I_AUTHORITY_INFO_ACCESS,X509V3_R_BAD_OBJECT);
174 ERR_add_error_data(2, "value=", objtmp); 173 ERR_add_error_data(2, "value=", objtmp);
175 OPENSSL_free(objtmp); 174 OPENSSL_free(objtmp);
176 goto err; 175 goto err;
diff --git a/src/lib/libcrypto/x509v3/v3_int.c b/src/lib/libcrypto/x509v3/v3_int.c
index 7a43b4717b..9a48dc1508 100644
--- a/src/lib/libcrypto/x509v3/v3_int.c
+++ b/src/lib/libcrypto/x509v3/v3_int.c
@@ -60,17 +60,30 @@
60#include "cryptlib.h" 60#include "cryptlib.h"
61#include <openssl/x509v3.h> 61#include <openssl/x509v3.h>
62 62
63X509V3_EXT_METHOD v3_crl_num = { 63const X509V3_EXT_METHOD v3_crl_num = {
64 NID_crl_number, 0, ASN1_ITEM_ref(ASN1_INTEGER), 64 NID_crl_number, 0, ASN1_ITEM_ref(ASN1_INTEGER),
65 0,0,0,0, 65 0,0,0,0,
66 (X509V3_EXT_I2S)i2s_ASN1_INTEGER, 66 (X509V3_EXT_I2S)i2s_ASN1_INTEGER,
67 0, 67 0,
68 0,0,0,0, NULL}; 68 0,0,0,0, NULL};
69 69
70X509V3_EXT_METHOD v3_delta_crl = { 70const X509V3_EXT_METHOD v3_delta_crl = {
71 NID_delta_crl, 0, ASN1_ITEM_ref(ASN1_INTEGER), 71 NID_delta_crl, 0, ASN1_ITEM_ref(ASN1_INTEGER),
72 0,0,0,0, 72 0,0,0,0,
73 (X509V3_EXT_I2S)i2s_ASN1_INTEGER, 73 (X509V3_EXT_I2S)i2s_ASN1_INTEGER,
74 0, 74 0,
75 0,0,0,0, NULL}; 75 0,0,0,0, NULL};
76 76
77static void * s2i_asn1_int(X509V3_EXT_METHOD *meth, X509V3_CTX *ctx, char *value)
78 {
79 return s2i_ASN1_INTEGER(meth, value);
80 }
81
82const X509V3_EXT_METHOD v3_inhibit_anyp = {
83 NID_inhibit_any_policy, 0, ASN1_ITEM_ref(ASN1_INTEGER),
84 0,0,0,0,
85 (X509V3_EXT_I2S)i2s_ASN1_INTEGER,
86 (X509V3_EXT_S2I)s2i_asn1_int,
87 0,0,0,0, NULL};
88
89
diff --git a/src/lib/libcrypto/x509v3/v3_lib.c b/src/lib/libcrypto/x509v3/v3_lib.c
index ca5a4a4a57..f3015ea610 100644
--- a/src/lib/libcrypto/x509v3/v3_lib.c
+++ b/src/lib/libcrypto/x509v3/v3_lib.c
@@ -162,7 +162,8 @@ int X509V3_add_standard_extensions(void)
162void *X509V3_EXT_d2i(X509_EXTENSION *ext) 162void *X509V3_EXT_d2i(X509_EXTENSION *ext)
163{ 163{
164 X509V3_EXT_METHOD *method; 164 X509V3_EXT_METHOD *method;
165 unsigned char *p; 165 const unsigned char *p;
166
166 if(!(method = X509V3_EXT_get(ext))) return NULL; 167 if(!(method = X509V3_EXT_get(ext))) return NULL;
167 p = ext->value->data; 168 p = ext->value->data;
168 if(method->it) return ASN1_item_d2i(NULL, &p, ext->value->length, ASN1_ITEM_ptr(method->it)); 169 if(method->it) return ASN1_item_d2i(NULL, &p, ext->value->length, ASN1_ITEM_ptr(method->it));
@@ -276,7 +277,7 @@ int X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value,
276 ext = X509V3_EXT_i2d(nid, crit, value); 277 ext = X509V3_EXT_i2d(nid, crit, value);
277 278
278 if(!ext) { 279 if(!ext) {
279 X509V3err(X509V3_F_X509V3_ADD_I2D, X509V3_R_ERROR_CREATING_EXTENSION); 280 X509V3err(X509V3_F_X509V3_ADD1_I2D, X509V3_R_ERROR_CREATING_EXTENSION);
280 return 0; 281 return 0;
281 } 282 }
282 283
@@ -295,7 +296,7 @@ int X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value,
295 296
296 err: 297 err:
297 if(!(flags & X509V3_ADD_SILENT)) 298 if(!(flags & X509V3_ADD_SILENT))
298 X509V3err(X509V3_F_X509V3_ADD_I2D, errcode); 299 X509V3err(X509V3_F_X509V3_ADD1_I2D, errcode);
299 return 0; 300 return 0;
300} 301}
301 302
diff --git a/src/lib/libcrypto/x509v3/v3_ncons.c b/src/lib/libcrypto/x509v3/v3_ncons.c
new file mode 100644
index 0000000000..42e7f5a879
--- /dev/null
+++ b/src/lib/libcrypto/x509v3/v3_ncons.c
@@ -0,0 +1,220 @@
1/* v3_ncons.c */
2/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
3 * project.
4 */
5/* ====================================================================
6 * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59
60#include <stdio.h>
61#include "cryptlib.h"
62#include <openssl/asn1t.h>
63#include <openssl/conf.h>
64#include <openssl/x509v3.h>
65
66static void *v2i_NAME_CONSTRAINTS(X509V3_EXT_METHOD *method,
67 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
68static int i2r_NAME_CONSTRAINTS(X509V3_EXT_METHOD *method,
69 void *a, BIO *bp, int ind);
70static int do_i2r_name_constraints(X509V3_EXT_METHOD *method,
71 STACK_OF(GENERAL_SUBTREE) *trees,
72 BIO *bp, int ind, char *name);
73static int print_nc_ipadd(BIO *bp, ASN1_OCTET_STRING *ip);
74
75const X509V3_EXT_METHOD v3_name_constraints = {
76 NID_name_constraints, 0,
77 ASN1_ITEM_ref(NAME_CONSTRAINTS),
78 0,0,0,0,
79 0,0,
80 0, v2i_NAME_CONSTRAINTS,
81 i2r_NAME_CONSTRAINTS,0,
82 NULL
83};
84
85ASN1_SEQUENCE(GENERAL_SUBTREE) = {
86 ASN1_SIMPLE(GENERAL_SUBTREE, base, GENERAL_NAME),
87 ASN1_IMP_OPT(GENERAL_SUBTREE, minimum, ASN1_INTEGER, 0),
88 ASN1_IMP_OPT(GENERAL_SUBTREE, maximum, ASN1_INTEGER, 1)
89} ASN1_SEQUENCE_END(GENERAL_SUBTREE)
90
91ASN1_SEQUENCE(NAME_CONSTRAINTS) = {
92 ASN1_IMP_SEQUENCE_OF_OPT(NAME_CONSTRAINTS, permittedSubtrees,
93 GENERAL_SUBTREE, 0),
94 ASN1_IMP_SEQUENCE_OF_OPT(NAME_CONSTRAINTS, excludedSubtrees,
95 GENERAL_SUBTREE, 1),
96} ASN1_SEQUENCE_END(NAME_CONSTRAINTS)
97
98
99IMPLEMENT_ASN1_ALLOC_FUNCTIONS(GENERAL_SUBTREE)
100IMPLEMENT_ASN1_ALLOC_FUNCTIONS(NAME_CONSTRAINTS)
101
102static void *v2i_NAME_CONSTRAINTS(X509V3_EXT_METHOD *method,
103 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
104 {
105 int i;
106 CONF_VALUE tval, *val;
107 STACK_OF(GENERAL_SUBTREE) **ptree = NULL;
108 NAME_CONSTRAINTS *ncons = NULL;
109 GENERAL_SUBTREE *sub = NULL;
110 ncons = NAME_CONSTRAINTS_new();
111 if (!ncons)
112 goto memerr;
113 for(i = 0; i < sk_CONF_VALUE_num(nval); i++)
114 {
115 val = sk_CONF_VALUE_value(nval, i);
116 if (!strncmp(val->name, "permitted", 9) && val->name[9])
117 {
118 ptree = &ncons->permittedSubtrees;
119 tval.name = val->name + 10;
120 }
121 else if (!strncmp(val->name, "excluded", 8) && val->name[8])
122 {
123 ptree = &ncons->excludedSubtrees;
124 tval.name = val->name + 9;
125 }
126 else
127 {
128 X509V3err(X509V3_F_V2I_NAME_CONSTRAINTS, X509V3_R_INVALID_SYNTAX);
129 goto err;
130 }
131 tval.value = val->value;
132 sub = GENERAL_SUBTREE_new();
133 if (!v2i_GENERAL_NAME_ex(sub->base, method, ctx, &tval, 1))
134 goto err;
135 if (!*ptree)
136 *ptree = sk_GENERAL_SUBTREE_new_null();
137 if (!*ptree || !sk_GENERAL_SUBTREE_push(*ptree, sub))
138 goto memerr;
139 sub = NULL;
140 }
141
142 return ncons;
143
144 memerr:
145 X509V3err(X509V3_F_V2I_NAME_CONSTRAINTS, ERR_R_MALLOC_FAILURE);
146 err:
147 if (ncons)
148 NAME_CONSTRAINTS_free(ncons);
149 if (sub)
150 GENERAL_SUBTREE_free(sub);
151
152 return NULL;
153 }
154
155
156
157
158static int i2r_NAME_CONSTRAINTS(X509V3_EXT_METHOD *method,
159 void *a, BIO *bp, int ind)
160 {
161 NAME_CONSTRAINTS *ncons = a;
162 do_i2r_name_constraints(method, ncons->permittedSubtrees,
163 bp, ind, "Permitted");
164 do_i2r_name_constraints(method, ncons->excludedSubtrees,
165 bp, ind, "Excluded");
166 return 1;
167 }
168
169static int do_i2r_name_constraints(X509V3_EXT_METHOD *method,
170 STACK_OF(GENERAL_SUBTREE) *trees,
171 BIO *bp, int ind, char *name)
172 {
173 GENERAL_SUBTREE *tree;
174 int i;
175 if (sk_GENERAL_SUBTREE_num(trees) > 0)
176 BIO_printf(bp, "%*s%s:\n", ind, "", name);
177 for(i = 0; i < sk_GENERAL_SUBTREE_num(trees); i++)
178 {
179 tree = sk_GENERAL_SUBTREE_value(trees, i);
180 BIO_printf(bp, "%*s", ind + 2, "");
181 if (tree->base->type == GEN_IPADD)
182 print_nc_ipadd(bp, tree->base->d.ip);
183 else
184 GENERAL_NAME_print(bp, tree->base);
185 tree = sk_GENERAL_SUBTREE_value(trees, i);
186 BIO_puts(bp, "\n");
187 }
188 return 1;
189 }
190
191static int print_nc_ipadd(BIO *bp, ASN1_OCTET_STRING *ip)
192 {
193 int i, len;
194 unsigned char *p;
195 p = ip->data;
196 len = ip->length;
197 BIO_puts(bp, "IP:");
198 if(len == 8)
199 {
200 BIO_printf(bp, "%d.%d.%d.%d/%d.%d.%d.%d",
201 p[0], p[1], p[2], p[3],
202 p[4], p[5], p[6], p[7]);
203 }
204 else if(len == 32)
205 {
206 for (i = 0; i < 16; i++)
207 {
208 BIO_printf(bp, "%X", p[0] << 8 | p[1]);
209 p += 2;
210 if (i == 7)
211 BIO_puts(bp, "/");
212 else if (i != 15)
213 BIO_puts(bp, ":");
214 }
215 }
216 else
217 BIO_printf(bp, "IP Address:<invalid>");
218 return 1;
219 }
220
diff --git a/src/lib/libcrypto/x509v3/v3_ocsp.c b/src/lib/libcrypto/x509v3/v3_ocsp.c
index 21badc13f9..62aac06335 100644
--- a/src/lib/libcrypto/x509v3/v3_ocsp.c
+++ b/src/lib/libcrypto/x509v3/v3_ocsp.c
@@ -74,15 +74,15 @@ static int i2r_object(X509V3_EXT_METHOD *method, void *obj, BIO *out, int indent
74 74
75static void *ocsp_nonce_new(void); 75static void *ocsp_nonce_new(void);
76static int i2d_ocsp_nonce(void *a, unsigned char **pp); 76static int i2d_ocsp_nonce(void *a, unsigned char **pp);
77static void *d2i_ocsp_nonce(void *a, unsigned char **pp, long length); 77static void *d2i_ocsp_nonce(void *a, const unsigned char **pp, long length);
78static void ocsp_nonce_free(void *a); 78static void ocsp_nonce_free(void *a);
79static int i2r_ocsp_nonce(X509V3_EXT_METHOD *method, void *nonce, BIO *out, int indent); 79static int i2r_ocsp_nonce(X509V3_EXT_METHOD *method, void *nonce, BIO *out, int indent);
80 80
81static int i2r_ocsp_nocheck(X509V3_EXT_METHOD *method, void *nocheck, BIO *out, int indent); 81static int i2r_ocsp_nocheck(X509V3_EXT_METHOD *method, void *nocheck, BIO *out, int indent);
82static void *s2i_ocsp_nocheck(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *str); 82static void *s2i_ocsp_nocheck(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, const char *str);
83static int i2r_ocsp_serviceloc(X509V3_EXT_METHOD *method, void *in, BIO *bp, int ind); 83static int i2r_ocsp_serviceloc(X509V3_EXT_METHOD *method, void *in, BIO *bp, int ind);
84 84
85X509V3_EXT_METHOD v3_ocsp_crlid = { 85const X509V3_EXT_METHOD v3_ocsp_crlid = {
86 NID_id_pkix_OCSP_CrlID, 0, ASN1_ITEM_ref(OCSP_CRLID), 86 NID_id_pkix_OCSP_CrlID, 0, ASN1_ITEM_ref(OCSP_CRLID),
87 0,0,0,0, 87 0,0,0,0,
88 0,0, 88 0,0,
@@ -91,7 +91,7 @@ X509V3_EXT_METHOD v3_ocsp_crlid = {
91 NULL 91 NULL
92}; 92};
93 93
94X509V3_EXT_METHOD v3_ocsp_acutoff = { 94const X509V3_EXT_METHOD v3_ocsp_acutoff = {
95 NID_id_pkix_OCSP_archiveCutoff, 0, ASN1_ITEM_ref(ASN1_GENERALIZEDTIME), 95 NID_id_pkix_OCSP_archiveCutoff, 0, ASN1_ITEM_ref(ASN1_GENERALIZEDTIME),
96 0,0,0,0, 96 0,0,0,0,
97 0,0, 97 0,0,
@@ -100,7 +100,7 @@ X509V3_EXT_METHOD v3_ocsp_acutoff = {
100 NULL 100 NULL
101}; 101};
102 102
103X509V3_EXT_METHOD v3_crl_invdate = { 103const X509V3_EXT_METHOD v3_crl_invdate = {
104 NID_invalidity_date, 0, ASN1_ITEM_ref(ASN1_GENERALIZEDTIME), 104 NID_invalidity_date, 0, ASN1_ITEM_ref(ASN1_GENERALIZEDTIME),
105 0,0,0,0, 105 0,0,0,0,
106 0,0, 106 0,0,
@@ -109,7 +109,7 @@ X509V3_EXT_METHOD v3_crl_invdate = {
109 NULL 109 NULL
110}; 110};
111 111
112X509V3_EXT_METHOD v3_crl_hold = { 112const X509V3_EXT_METHOD v3_crl_hold = {
113 NID_hold_instruction_code, 0, ASN1_ITEM_ref(ASN1_OBJECT), 113 NID_hold_instruction_code, 0, ASN1_ITEM_ref(ASN1_OBJECT),
114 0,0,0,0, 114 0,0,0,0,
115 0,0, 115 0,0,
@@ -118,7 +118,7 @@ X509V3_EXT_METHOD v3_crl_hold = {
118 NULL 118 NULL
119}; 119};
120 120
121X509V3_EXT_METHOD v3_ocsp_nonce = { 121const X509V3_EXT_METHOD v3_ocsp_nonce = {
122 NID_id_pkix_OCSP_Nonce, 0, NULL, 122 NID_id_pkix_OCSP_Nonce, 0, NULL,
123 ocsp_nonce_new, 123 ocsp_nonce_new,
124 ocsp_nonce_free, 124 ocsp_nonce_free,
@@ -130,7 +130,7 @@ X509V3_EXT_METHOD v3_ocsp_nonce = {
130 NULL 130 NULL
131}; 131};
132 132
133X509V3_EXT_METHOD v3_ocsp_nocheck = { 133const X509V3_EXT_METHOD v3_ocsp_nocheck = {
134 NID_id_pkix_OCSP_noCheck, 0, ASN1_ITEM_ref(ASN1_NULL), 134 NID_id_pkix_OCSP_noCheck, 0, ASN1_ITEM_ref(ASN1_NULL),
135 0,0,0,0, 135 0,0,0,0,
136 0,s2i_ocsp_nocheck, 136 0,s2i_ocsp_nocheck,
@@ -139,7 +139,7 @@ X509V3_EXT_METHOD v3_ocsp_nocheck = {
139 NULL 139 NULL
140}; 140};
141 141
142X509V3_EXT_METHOD v3_ocsp_serviceloc = { 142const X509V3_EXT_METHOD v3_ocsp_serviceloc = {
143 NID_id_pkix_OCSP_serviceLocator, 0, ASN1_ITEM_ref(OCSP_SERVICELOC), 143 NID_id_pkix_OCSP_serviceLocator, 0, ASN1_ITEM_ref(OCSP_SERVICELOC),
144 0,0,0,0, 144 0,0,0,0,
145 0,0, 145 0,0,
@@ -208,7 +208,7 @@ static int i2d_ocsp_nonce(void *a, unsigned char **pp)
208 return os->length; 208 return os->length;
209} 209}
210 210
211static void *d2i_ocsp_nonce(void *a, unsigned char **pp, long length) 211static void *d2i_ocsp_nonce(void *a, const unsigned char **pp, long length)
212{ 212{
213 ASN1_OCTET_STRING *os, **pos; 213 ASN1_OCTET_STRING *os, **pos;
214 pos = a; 214 pos = a;
@@ -246,7 +246,7 @@ static int i2r_ocsp_nocheck(X509V3_EXT_METHOD *method, void *nocheck, BIO *out,
246 return 1; 246 return 1;
247} 247}
248 248
249static void *s2i_ocsp_nocheck(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *str) 249static void *s2i_ocsp_nocheck(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, const char *str)
250{ 250{
251 return ASN1_NULL_new(); 251 return ASN1_NULL_new();
252} 252}
diff --git a/src/lib/libcrypto/x509v3/v3_pci.c b/src/lib/libcrypto/x509v3/v3_pci.c
index b32d968619..601211f416 100644
--- a/src/lib/libcrypto/x509v3/v3_pci.c
+++ b/src/lib/libcrypto/x509v3/v3_pci.c
@@ -44,7 +44,7 @@ static int i2r_pci(X509V3_EXT_METHOD *method, PROXY_CERT_INFO_EXTENSION *ext,
44static PROXY_CERT_INFO_EXTENSION *r2i_pci(X509V3_EXT_METHOD *method, 44static PROXY_CERT_INFO_EXTENSION *r2i_pci(X509V3_EXT_METHOD *method,
45 X509V3_CTX *ctx, char *str); 45 X509V3_CTX *ctx, char *str);
46 46
47X509V3_EXT_METHOD v3_pci = 47const X509V3_EXT_METHOD v3_pci =
48 { NID_proxyCertInfo, 0, ASN1_ITEM_ref(PROXY_CERT_INFO_EXTENSION), 48 { NID_proxyCertInfo, 0, ASN1_ITEM_ref(PROXY_CERT_INFO_EXTENSION),
49 0,0,0,0, 49 0,0,0,0,
50 0,0, 50 0,0,
@@ -82,13 +82,13 @@ static int process_pci_value(CONF_VALUE *val,
82 { 82 {
83 if (*language) 83 if (*language)
84 { 84 {
85 X509V3err(X509V3_F_R2I_PCI,X509V3_R_POLICY_LANGUAGE_ALREADTY_DEFINED); 85 X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_POLICY_LANGUAGE_ALREADTY_DEFINED);
86 X509V3_conf_err(val); 86 X509V3_conf_err(val);
87 return 0; 87 return 0;
88 } 88 }
89 if (!(*language = OBJ_txt2obj(val->value, 0))) 89 if (!(*language = OBJ_txt2obj(val->value, 0)))
90 { 90 {
91 X509V3err(X509V3_F_R2I_PCI,X509V3_R_INVALID_OBJECT_IDENTIFIER); 91 X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_INVALID_OBJECT_IDENTIFIER);
92 X509V3_conf_err(val); 92 X509V3_conf_err(val);
93 return 0; 93 return 0;
94 } 94 }
@@ -97,13 +97,13 @@ static int process_pci_value(CONF_VALUE *val,
97 { 97 {
98 if (*pathlen) 98 if (*pathlen)
99 { 99 {
100 X509V3err(X509V3_F_R2I_PCI,X509V3_R_POLICY_PATH_LENGTH_ALREADTY_DEFINED); 100 X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_POLICY_PATH_LENGTH_ALREADTY_DEFINED);
101 X509V3_conf_err(val); 101 X509V3_conf_err(val);
102 return 0; 102 return 0;
103 } 103 }
104 if (!X509V3_get_value_int(val, pathlen)) 104 if (!X509V3_get_value_int(val, pathlen))
105 { 105 {
106 X509V3err(X509V3_F_R2I_PCI,X509V3_R_POLICY_PATH_LENGTH); 106 X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_POLICY_PATH_LENGTH);
107 X509V3_conf_err(val); 107 X509V3_conf_err(val);
108 return 0; 108 return 0;
109 } 109 }
@@ -117,7 +117,7 @@ static int process_pci_value(CONF_VALUE *val,
117 *policy = ASN1_OCTET_STRING_new(); 117 *policy = ASN1_OCTET_STRING_new();
118 if (!*policy) 118 if (!*policy)
119 { 119 {
120 X509V3err(X509V3_F_R2I_PCI,ERR_R_MALLOC_FAILURE); 120 X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_MALLOC_FAILURE);
121 X509V3_conf_err(val); 121 X509V3_conf_err(val);
122 return 0; 122 return 0;
123 } 123 }
@@ -148,7 +148,7 @@ static int process_pci_value(CONF_VALUE *val,
148 BIO *b = BIO_new_file(val->value + 5, "r"); 148 BIO *b = BIO_new_file(val->value + 5, "r");
149 if (!b) 149 if (!b)
150 { 150 {
151 X509V3err(X509V3_F_R2I_PCI,ERR_R_BIO_LIB); 151 X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_BIO_LIB);
152 X509V3_conf_err(val); 152 X509V3_conf_err(val);
153 goto err; 153 goto err;
154 } 154 }
@@ -172,7 +172,7 @@ static int process_pci_value(CONF_VALUE *val,
172 172
173 if (n < 0) 173 if (n < 0)
174 { 174 {
175 X509V3err(X509V3_F_R2I_PCI,ERR_R_BIO_LIB); 175 X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_BIO_LIB);
176 X509V3_conf_err(val); 176 X509V3_conf_err(val);
177 goto err; 177 goto err;
178 } 178 }
@@ -193,13 +193,13 @@ static int process_pci_value(CONF_VALUE *val,
193 } 193 }
194 else 194 else
195 { 195 {
196 X509V3err(X509V3_F_R2I_PCI,X509V3_R_INCORRECT_POLICY_SYNTAX_TAG); 196 X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_INCORRECT_POLICY_SYNTAX_TAG);
197 X509V3_conf_err(val); 197 X509V3_conf_err(val);
198 goto err; 198 goto err;
199 } 199 }
200 if (!tmp_data) 200 if (!tmp_data)
201 { 201 {
202 X509V3err(X509V3_F_R2I_PCI,ERR_R_MALLOC_FAILURE); 202 X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_MALLOC_FAILURE);
203 X509V3_conf_err(val); 203 X509V3_conf_err(val);
204 goto err; 204 goto err;
205 } 205 }
@@ -286,12 +286,6 @@ static PROXY_CERT_INFO_EXTENSION *r2i_pci(X509V3_EXT_METHOD *method,
286 X509V3err(X509V3_F_R2I_PCI,ERR_R_MALLOC_FAILURE); 286 X509V3err(X509V3_F_R2I_PCI,ERR_R_MALLOC_FAILURE);
287 goto err; 287 goto err;
288 } 288 }
289 pci->proxyPolicy = PROXY_POLICY_new();
290 if (!pci->proxyPolicy)
291 {
292 X509V3err(X509V3_F_R2I_PCI,ERR_R_MALLOC_FAILURE);
293 goto err;
294 }
295 289
296 pci->proxyPolicy->policyLanguage = language; language = NULL; 290 pci->proxyPolicy->policyLanguage = language; language = NULL;
297 pci->proxyPolicy->policy = policy; policy = NULL; 291 pci->proxyPolicy->policy = policy; policy = NULL;
@@ -301,11 +295,6 @@ err:
301 if (language) { ASN1_OBJECT_free(language); language = NULL; } 295 if (language) { ASN1_OBJECT_free(language); language = NULL; }
302 if (pathlen) { ASN1_INTEGER_free(pathlen); pathlen = NULL; } 296 if (pathlen) { ASN1_INTEGER_free(pathlen); pathlen = NULL; }
303 if (policy) { ASN1_OCTET_STRING_free(policy); policy = NULL; } 297 if (policy) { ASN1_OCTET_STRING_free(policy); policy = NULL; }
304 if (pci && pci->proxyPolicy)
305 {
306 PROXY_POLICY_free(pci->proxyPolicy);
307 pci->proxyPolicy = NULL;
308 }
309 if (pci) { PROXY_CERT_INFO_EXTENSION_free(pci); pci = NULL; } 298 if (pci) { PROXY_CERT_INFO_EXTENSION_free(pci); pci = NULL; }
310end: 299end:
311 sk_CONF_VALUE_pop_free(vals, X509V3_conf_free); 300 sk_CONF_VALUE_pop_free(vals, X509V3_conf_free);
diff --git a/src/lib/libcrypto/x509v3/v3_pcons.c b/src/lib/libcrypto/x509v3/v3_pcons.c
new file mode 100644
index 0000000000..13248c2ada
--- /dev/null
+++ b/src/lib/libcrypto/x509v3/v3_pcons.c
@@ -0,0 +1,136 @@
1/* v3_pcons.c */
2/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
3 * project.
4 */
5/* ====================================================================
6 * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59
60#include <stdio.h>
61#include "cryptlib.h"
62#include <openssl/asn1.h>
63#include <openssl/asn1t.h>
64#include <openssl/conf.h>
65#include <openssl/x509v3.h>
66
67static STACK_OF(CONF_VALUE) *i2v_POLICY_CONSTRAINTS(X509V3_EXT_METHOD *method,
68 void *bcons, STACK_OF(CONF_VALUE) *extlist);
69static void *v2i_POLICY_CONSTRAINTS(X509V3_EXT_METHOD *method,
70 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values);
71
72const X509V3_EXT_METHOD v3_policy_constraints = {
73NID_policy_constraints, 0,
74ASN1_ITEM_ref(POLICY_CONSTRAINTS),
750,0,0,0,
760,0,
77i2v_POLICY_CONSTRAINTS,
78v2i_POLICY_CONSTRAINTS,
79NULL,NULL,
80NULL
81};
82
83ASN1_SEQUENCE(POLICY_CONSTRAINTS) = {
84 ASN1_IMP_OPT(POLICY_CONSTRAINTS, requireExplicitPolicy, ASN1_INTEGER,0),
85 ASN1_IMP_OPT(POLICY_CONSTRAINTS, inhibitPolicyMapping, ASN1_INTEGER,1)
86} ASN1_SEQUENCE_END(POLICY_CONSTRAINTS)
87
88IMPLEMENT_ASN1_ALLOC_FUNCTIONS(POLICY_CONSTRAINTS)
89
90
91static STACK_OF(CONF_VALUE) *i2v_POLICY_CONSTRAINTS(X509V3_EXT_METHOD *method,
92 void *a, STACK_OF(CONF_VALUE) *extlist)
93{
94 POLICY_CONSTRAINTS *pcons = a;
95 X509V3_add_value_int("Require Explicit Policy",
96 pcons->requireExplicitPolicy, &extlist);
97 X509V3_add_value_int("Inhibit Policy Mapping",
98 pcons->inhibitPolicyMapping, &extlist);
99 return extlist;
100}
101
102static void *v2i_POLICY_CONSTRAINTS(X509V3_EXT_METHOD *method,
103 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values)
104{
105 POLICY_CONSTRAINTS *pcons=NULL;
106 CONF_VALUE *val;
107 int i;
108 if(!(pcons = POLICY_CONSTRAINTS_new())) {
109 X509V3err(X509V3_F_V2I_POLICY_CONSTRAINTS, ERR_R_MALLOC_FAILURE);
110 return NULL;
111 }
112 for(i = 0; i < sk_CONF_VALUE_num(values); i++) {
113 val = sk_CONF_VALUE_value(values, i);
114 if(!strcmp(val->name, "requireExplicitPolicy")) {
115 if(!X509V3_get_value_int(val,
116 &pcons->requireExplicitPolicy)) goto err;
117 } else if(!strcmp(val->name, "inhibitPolicyMapping")) {
118 if(!X509V3_get_value_int(val,
119 &pcons->inhibitPolicyMapping)) goto err;
120 } else {
121 X509V3err(X509V3_F_V2I_POLICY_CONSTRAINTS, X509V3_R_INVALID_NAME);
122 X509V3_conf_err(val);
123 goto err;
124 }
125 }
126 if (!pcons->inhibitPolicyMapping && !pcons->requireExplicitPolicy) {
127 X509V3err(X509V3_F_V2I_POLICY_CONSTRAINTS, X509V3_R_ILLEGAL_EMPTY_EXTENSION);
128 goto err;
129 }
130
131 return pcons;
132 err:
133 POLICY_CONSTRAINTS_free(pcons);
134 return NULL;
135}
136
diff --git a/src/lib/libcrypto/x509v3/v3_pku.c b/src/lib/libcrypto/x509v3/v3_pku.c
index 49a2e4697a..5c4626e89b 100644
--- a/src/lib/libcrypto/x509v3/v3_pku.c
+++ b/src/lib/libcrypto/x509v3/v3_pku.c
@@ -66,7 +66,7 @@ static int i2r_PKEY_USAGE_PERIOD(X509V3_EXT_METHOD *method, PKEY_USAGE_PERIOD *u
66/* 66/*
67static PKEY_USAGE_PERIOD *v2i_PKEY_USAGE_PERIOD(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values); 67static PKEY_USAGE_PERIOD *v2i_PKEY_USAGE_PERIOD(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values);
68*/ 68*/
69X509V3_EXT_METHOD v3_pkey_usage_period = { 69const X509V3_EXT_METHOD v3_pkey_usage_period = {
70NID_private_key_usage_period, 0, ASN1_ITEM_ref(PKEY_USAGE_PERIOD), 70NID_private_key_usage_period, 0, ASN1_ITEM_ref(PKEY_USAGE_PERIOD),
710,0,0,0, 710,0,0,0,
720,0,0,0, 720,0,0,0,
diff --git a/src/lib/libcrypto/x509v3/v3_pmaps.c b/src/lib/libcrypto/x509v3/v3_pmaps.c
new file mode 100644
index 0000000000..626303264f
--- /dev/null
+++ b/src/lib/libcrypto/x509v3/v3_pmaps.c
@@ -0,0 +1,153 @@
1/* v3_pmaps.c */
2/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
3 * project.
4 */
5/* ====================================================================
6 * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59
60#include <stdio.h>
61#include "cryptlib.h"
62#include <openssl/asn1t.h>
63#include <openssl/conf.h>
64#include <openssl/x509v3.h>
65
66static void *v2i_POLICY_MAPPINGS(X509V3_EXT_METHOD *method,
67 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
68static STACK_OF(CONF_VALUE) *i2v_POLICY_MAPPINGS(X509V3_EXT_METHOD *method,
69 void *pmps, STACK_OF(CONF_VALUE) *extlist);
70
71const X509V3_EXT_METHOD v3_policy_mappings = {
72 NID_policy_mappings, 0,
73 ASN1_ITEM_ref(POLICY_MAPPINGS),
74 0,0,0,0,
75 0,0,
76 i2v_POLICY_MAPPINGS,
77 v2i_POLICY_MAPPINGS,
78 0,0,
79 NULL
80};
81
82ASN1_SEQUENCE(POLICY_MAPPING) = {
83 ASN1_SIMPLE(POLICY_MAPPING, issuerDomainPolicy, ASN1_OBJECT),
84 ASN1_SIMPLE(POLICY_MAPPING, subjectDomainPolicy, ASN1_OBJECT)
85} ASN1_SEQUENCE_END(POLICY_MAPPING)
86
87ASN1_ITEM_TEMPLATE(POLICY_MAPPINGS) =
88 ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, POLICY_MAPPINGS,
89 POLICY_MAPPING)
90ASN1_ITEM_TEMPLATE_END(POLICY_MAPPINGS)
91
92IMPLEMENT_ASN1_ALLOC_FUNCTIONS(POLICY_MAPPING)
93
94
95static STACK_OF(CONF_VALUE) *i2v_POLICY_MAPPINGS(X509V3_EXT_METHOD *method,
96 void *a, STACK_OF(CONF_VALUE) *ext_list)
97{
98 POLICY_MAPPINGS *pmaps = a;
99 POLICY_MAPPING *pmap;
100 int i;
101 char obj_tmp1[80];
102 char obj_tmp2[80];
103 for(i = 0; i < sk_POLICY_MAPPING_num(pmaps); i++) {
104 pmap = sk_POLICY_MAPPING_value(pmaps, i);
105 i2t_ASN1_OBJECT(obj_tmp1, 80, pmap->issuerDomainPolicy);
106 i2t_ASN1_OBJECT(obj_tmp2, 80, pmap->subjectDomainPolicy);
107 X509V3_add_value(obj_tmp1, obj_tmp2, &ext_list);
108 }
109 return ext_list;
110}
111
112static void *v2i_POLICY_MAPPINGS(X509V3_EXT_METHOD *method,
113 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
114{
115 POLICY_MAPPINGS *pmaps;
116 POLICY_MAPPING *pmap;
117 ASN1_OBJECT *obj1, *obj2;
118 CONF_VALUE *val;
119 int i;
120
121 if(!(pmaps = sk_POLICY_MAPPING_new_null())) {
122 X509V3err(X509V3_F_V2I_POLICY_MAPPINGS,ERR_R_MALLOC_FAILURE);
123 return NULL;
124 }
125
126 for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
127 val = sk_CONF_VALUE_value(nval, i);
128 if(!val->value || !val->name) {
129 sk_POLICY_MAPPING_pop_free(pmaps, POLICY_MAPPING_free);
130 X509V3err(X509V3_F_V2I_POLICY_MAPPINGS,X509V3_R_INVALID_OBJECT_IDENTIFIER);
131 X509V3_conf_err(val);
132 return NULL;
133 }
134 obj1 = OBJ_txt2obj(val->name, 0);
135 obj2 = OBJ_txt2obj(val->value, 0);
136 if(!obj1 || !obj2) {
137 sk_POLICY_MAPPING_pop_free(pmaps, POLICY_MAPPING_free);
138 X509V3err(X509V3_F_V2I_POLICY_MAPPINGS,X509V3_R_INVALID_OBJECT_IDENTIFIER);
139 X509V3_conf_err(val);
140 return NULL;
141 }
142 pmap = POLICY_MAPPING_new();
143 if (!pmap) {
144 sk_POLICY_MAPPING_pop_free(pmaps, POLICY_MAPPING_free);
145 X509V3err(X509V3_F_V2I_POLICY_MAPPINGS,ERR_R_MALLOC_FAILURE);
146 return NULL;
147 }
148 pmap->issuerDomainPolicy = obj1;
149 pmap->subjectDomainPolicy = obj2;
150 sk_POLICY_MAPPING_push(pmaps, pmap);
151 }
152 return pmaps;
153}
diff --git a/src/lib/libcrypto/x509v3/v3_prn.c b/src/lib/libcrypto/x509v3/v3_prn.c
index 5d268eb768..20bd9bda19 100644
--- a/src/lib/libcrypto/x509v3/v3_prn.c
+++ b/src/lib/libcrypto/x509v3/v3_prn.c
@@ -109,10 +109,11 @@ int X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, unsigned long flag, int inde
109{ 109{
110 void *ext_str = NULL; 110 void *ext_str = NULL;
111 char *value = NULL; 111 char *value = NULL;
112 unsigned char *p; 112 const unsigned char *p;
113 X509V3_EXT_METHOD *method; 113 X509V3_EXT_METHOD *method;
114 STACK_OF(CONF_VALUE) *nval = NULL; 114 STACK_OF(CONF_VALUE) *nval = NULL;
115 int ok = 1; 115 int ok = 1;
116
116 if(!(method = X509V3_EXT_get(ext))) 117 if(!(method = X509V3_EXT_get(ext)))
117 return unknown_ext_print(out, ext, flag, indent, 0); 118 return unknown_ext_print(out, ext, flag, indent, 0);
118 p = ext->value->data; 119 p = ext->value->data;
@@ -182,7 +183,7 @@ int X509V3_extensions_print(BIO *bp, char *title, STACK_OF(X509_EXTENSION) *exts
182 obj=X509_EXTENSION_get_object(ex); 183 obj=X509_EXTENSION_get_object(ex);
183 i2a_ASN1_OBJECT(bp,obj); 184 i2a_ASN1_OBJECT(bp,obj);
184 j=X509_EXTENSION_get_critical(ex); 185 j=X509_EXTENSION_get_critical(ex);
185 if (BIO_printf(bp,": %s\n",j?"critical":"","") <= 0) 186 if (BIO_printf(bp,": %s\n",j?"critical":"") <= 0)
186 return 0; 187 return 0;
187 if(!X509V3_EXT_print(bp, ex, flag, indent + 4)) 188 if(!X509V3_EXT_print(bp, ex, flag, indent + 4))
188 { 189 {
diff --git a/src/lib/libcrypto/x509v3/v3_purp.c b/src/lib/libcrypto/x509v3/v3_purp.c
index bbdf6da493..b2f5cdfa05 100644
--- a/src/lib/libcrypto/x509v3/v3_purp.c
+++ b/src/lib/libcrypto/x509v3/v3_purp.c
@@ -139,7 +139,7 @@ int X509_PURPOSE_get_count(void)
139X509_PURPOSE * X509_PURPOSE_get0(int idx) 139X509_PURPOSE * X509_PURPOSE_get0(int idx)
140{ 140{
141 if(idx < 0) return NULL; 141 if(idx < 0) return NULL;
142 if(idx < X509_PURPOSE_COUNT) return xstandard + idx; 142 if(idx < (int)X509_PURPOSE_COUNT) return xstandard + idx;
143 return sk_X509_PURPOSE_value(xptable, idx - X509_PURPOSE_COUNT); 143 return sk_X509_PURPOSE_value(xptable, idx - X509_PURPOSE_COUNT);
144} 144}
145 145
@@ -239,7 +239,7 @@ static void xptable_free(X509_PURPOSE *p)
239 239
240void X509_PURPOSE_cleanup(void) 240void X509_PURPOSE_cleanup(void)
241{ 241{
242 int i; 242 unsigned int i;
243 sk_X509_PURPOSE_pop_free(xptable, xptable_free); 243 sk_X509_PURPOSE_pop_free(xptable, xptable_free);
244 for(i = 0; i < X509_PURPOSE_COUNT; i++) xptable_free(xstandard + i); 244 for(i = 0; i < X509_PURPOSE_COUNT; i++) xptable_free(xstandard + i);
245 xptable = NULL; 245 xptable = NULL;
@@ -285,7 +285,12 @@ int X509_supported_extension(X509_EXTENSION *ex)
285 NID_key_usage, /* 83 */ 285 NID_key_usage, /* 83 */
286 NID_subject_alt_name, /* 85 */ 286 NID_subject_alt_name, /* 85 */
287 NID_basic_constraints, /* 87 */ 287 NID_basic_constraints, /* 87 */
288 NID_certificate_policies, /* 89 */
288 NID_ext_key_usage, /* 126 */ 289 NID_ext_key_usage, /* 126 */
290#ifndef OPENSSL_NO_RFC3779
291 NID_sbgp_ipAddrBlock, /* 290 */
292 NID_sbgp_autonomousSysNum, /* 291 */
293#endif
289 NID_proxyCertInfo /* 661 */ 294 NID_proxyCertInfo /* 661 */
290 }; 295 };
291 296
@@ -343,6 +348,10 @@ static void x509v3_cache_extensions(X509 *x)
343 || X509_get_ext_by_NID(x, NID_issuer_alt_name, 0) >= 0) { 348 || X509_get_ext_by_NID(x, NID_issuer_alt_name, 0) >= 0) {
344 x->ex_flags |= EXFLAG_INVALID; 349 x->ex_flags |= EXFLAG_INVALID;
345 } 350 }
351 if (pci->pcPathLengthConstraint) {
352 x->ex_pcpathlen =
353 ASN1_INTEGER_get(pci->pcPathLengthConstraint);
354 } else x->ex_pcpathlen = -1;
346 PROXY_CERT_INFO_EXTENSION_free(pci); 355 PROXY_CERT_INFO_EXTENSION_free(pci);
347 x->ex_flags |= EXFLAG_PROXY; 356 x->ex_flags |= EXFLAG_PROXY;
348 } 357 }
@@ -406,6 +415,11 @@ static void x509v3_cache_extensions(X509 *x)
406 } 415 }
407 x->skid =X509_get_ext_d2i(x, NID_subject_key_identifier, NULL, NULL); 416 x->skid =X509_get_ext_d2i(x, NID_subject_key_identifier, NULL, NULL);
408 x->akid =X509_get_ext_d2i(x, NID_authority_key_identifier, NULL, NULL); 417 x->akid =X509_get_ext_d2i(x, NID_authority_key_identifier, NULL, NULL);
418#ifndef OPENSSL_NO_RFC3779
419 x->rfc3779_addr =X509_get_ext_d2i(x, NID_sbgp_ipAddrBlock, NULL, NULL);
420 x->rfc3779_asid =X509_get_ext_d2i(x, NID_sbgp_autonomousSysNum,
421 NULL, NULL);
422#endif
409 for (i = 0; i < X509_get_ext_count(x); i++) 423 for (i = 0; i < X509_get_ext_count(x); i++)
410 { 424 {
411 ex = X509_get_ext(x, i); 425 ex = X509_get_ext(x, i);
diff --git a/src/lib/libcrypto/x509v3/v3_skey.c b/src/lib/libcrypto/x509v3/v3_skey.c
index c0f044ac1b..da0a3558f6 100644
--- a/src/lib/libcrypto/x509v3/v3_skey.c
+++ b/src/lib/libcrypto/x509v3/v3_skey.c
@@ -62,7 +62,7 @@
62#include <openssl/x509v3.h> 62#include <openssl/x509v3.h>
63 63
64static ASN1_OCTET_STRING *s2i_skey_id(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *str); 64static ASN1_OCTET_STRING *s2i_skey_id(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *str);
65X509V3_EXT_METHOD v3_skey_id = { 65const X509V3_EXT_METHOD v3_skey_id = {
66NID_subject_key_identifier, 0, ASN1_ITEM_ref(ASN1_OCTET_STRING), 66NID_subject_key_identifier, 0, ASN1_ITEM_ref(ASN1_OCTET_STRING),
670,0,0,0, 670,0,0,0,
68(X509V3_EXT_I2S)i2s_ASN1_OCTET_STRING, 68(X509V3_EXT_I2S)i2s_ASN1_OCTET_STRING,
@@ -109,14 +109,14 @@ static ASN1_OCTET_STRING *s2i_skey_id(X509V3_EXT_METHOD *method,
109 if(strcmp(str, "hash")) return s2i_ASN1_OCTET_STRING(method, ctx, str); 109 if(strcmp(str, "hash")) return s2i_ASN1_OCTET_STRING(method, ctx, str);
110 110
111 if(!(oct = M_ASN1_OCTET_STRING_new())) { 111 if(!(oct = M_ASN1_OCTET_STRING_new())) {
112 X509V3err(X509V3_F_S2I_S2I_SKEY_ID,ERR_R_MALLOC_FAILURE); 112 X509V3err(X509V3_F_S2I_SKEY_ID,ERR_R_MALLOC_FAILURE);
113 return NULL; 113 return NULL;
114 } 114 }
115 115
116 if(ctx && (ctx->flags == CTX_TEST)) return oct; 116 if(ctx && (ctx->flags == CTX_TEST)) return oct;
117 117
118 if(!ctx || (!ctx->subject_req && !ctx->subject_cert)) { 118 if(!ctx || (!ctx->subject_req && !ctx->subject_cert)) {
119 X509V3err(X509V3_F_S2I_ASN1_SKEY_ID,X509V3_R_NO_PUBLIC_KEY); 119 X509V3err(X509V3_F_S2I_SKEY_ID,X509V3_R_NO_PUBLIC_KEY);
120 goto err; 120 goto err;
121 } 121 }
122 122
@@ -125,14 +125,14 @@ static ASN1_OCTET_STRING *s2i_skey_id(X509V3_EXT_METHOD *method,
125 else pk = ctx->subject_cert->cert_info->key->public_key; 125 else pk = ctx->subject_cert->cert_info->key->public_key;
126 126
127 if(!pk) { 127 if(!pk) {
128 X509V3err(X509V3_F_S2I_ASN1_SKEY_ID,X509V3_R_NO_PUBLIC_KEY); 128 X509V3err(X509V3_F_S2I_SKEY_ID,X509V3_R_NO_PUBLIC_KEY);
129 goto err; 129 goto err;
130 } 130 }
131 131
132 EVP_Digest(pk->data, pk->length, pkey_dig, &diglen, EVP_sha1(), NULL); 132 EVP_Digest(pk->data, pk->length, pkey_dig, &diglen, EVP_sha1(), NULL);
133 133
134 if(!M_ASN1_OCTET_STRING_set(oct, pkey_dig, diglen)) { 134 if(!M_ASN1_OCTET_STRING_set(oct, pkey_dig, diglen)) {
135 X509V3err(X509V3_F_S2I_S2I_SKEY_ID,ERR_R_MALLOC_FAILURE); 135 X509V3err(X509V3_F_S2I_SKEY_ID,ERR_R_MALLOC_FAILURE);
136 goto err; 136 goto err;
137 } 137 }
138 138
diff --git a/src/lib/libcrypto/x509v3/v3_sxnet.c b/src/lib/libcrypto/x509v3/v3_sxnet.c
index d3f4ba3a72..eaea9ea01b 100644
--- a/src/lib/libcrypto/x509v3/v3_sxnet.c
+++ b/src/lib/libcrypto/x509v3/v3_sxnet.c
@@ -72,7 +72,7 @@ static int sxnet_i2r(X509V3_EXT_METHOD *method, SXNET *sx, BIO *out, int indent)
72static SXNET * sxnet_v2i(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, 72static SXNET * sxnet_v2i(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
73 STACK_OF(CONF_VALUE) *nval); 73 STACK_OF(CONF_VALUE) *nval);
74#endif 74#endif
75X509V3_EXT_METHOD v3_sxnet = { 75const X509V3_EXT_METHOD v3_sxnet = {
76NID_sxnet, X509V3_EXT_MULTILINE, ASN1_ITEM_ref(SXNET), 76NID_sxnet, X509V3_EXT_MULTILINE, ASN1_ITEM_ref(SXNET),
770,0,0,0, 770,0,0,0,
780,0, 780,0,
@@ -109,7 +109,7 @@ static int sxnet_i2r(X509V3_EXT_METHOD *method, SXNET *sx, BIO *out,
109 SXNETID *id; 109 SXNETID *id;
110 int i; 110 int i;
111 v = ASN1_INTEGER_get(sx->version); 111 v = ASN1_INTEGER_get(sx->version);
112 BIO_printf(out, "%*sVersion: %d (0x%X)", indent, "", v + 1, v); 112 BIO_printf(out, "%*sVersion: %ld (0x%lX)", indent, "", v + 1, v);
113 for(i = 0; i < sk_SXNETID_num(sx->ids); i++) { 113 for(i = 0; i < sk_SXNETID_num(sx->ids); i++) {
114 id = sk_SXNETID_value(sx->ids, i); 114 id = sk_SXNETID_value(sx->ids, i);
115 tmp = i2s_ASN1_INTEGER(NULL, id->zone); 115 tmp = i2s_ASN1_INTEGER(NULL, id->zone);
@@ -154,7 +154,7 @@ int SXNET_add_id_asc(SXNET **psx, char *zone, char *user,
154{ 154{
155 ASN1_INTEGER *izone = NULL; 155 ASN1_INTEGER *izone = NULL;
156 if(!(izone = s2i_ASN1_INTEGER(NULL, zone))) { 156 if(!(izone = s2i_ASN1_INTEGER(NULL, zone))) {
157 X509V3err(X509V3_F_SXNET_ADD_ASC,X509V3_R_ERROR_CONVERTING_ZONE); 157 X509V3err(X509V3_F_SXNET_ADD_ID_ASC,X509V3_R_ERROR_CONVERTING_ZONE);
158 return 0; 158 return 0;
159 } 159 }
160 return SXNET_add_id_INTEGER(psx, izone, user, userlen); 160 return SXNET_add_id_INTEGER(psx, izone, user, userlen);
diff --git a/src/lib/libcrypto/x509v3/v3_utl.c b/src/lib/libcrypto/x509v3/v3_utl.c
index 34ac2998de..ac171ca940 100644
--- a/src/lib/libcrypto/x509v3/v3_utl.c
+++ b/src/lib/libcrypto/x509v3/v3_utl.c
@@ -1,9 +1,9 @@
1/* v3_utl.c */ 1/* v3_utl.c */
2/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL 2/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
3 * project 1999. 3 * project.
4 */ 4 */
5/* ==================================================================== 5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved. 6 * Copyright (c) 1999-2003 The OpenSSL Project. All rights reserved.
7 * 7 *
8 * Redistribution and use in source and binary forms, with or without 8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions 9 * modification, are permitted provided that the following conditions
@@ -63,6 +63,7 @@
63#include "cryptlib.h" 63#include "cryptlib.h"
64#include <openssl/conf.h> 64#include <openssl/conf.h>
65#include <openssl/x509v3.h> 65#include <openssl/x509v3.h>
66#include <openssl/bn.h>
66 67
67static char *strip_spaces(char *name); 68static char *strip_spaces(char *name);
68static int sk_strcmp(const char * const *a, const char * const *b); 69static int sk_strcmp(const char * const *a, const char * const *b);
@@ -70,6 +71,11 @@ static STACK *get_email(X509_NAME *name, GENERAL_NAMES *gens);
70static void str_free(void *str); 71static void str_free(void *str);
71static int append_ia5(STACK **sk, ASN1_IA5STRING *email); 72static int append_ia5(STACK **sk, ASN1_IA5STRING *email);
72 73
74static int ipv4_from_asc(unsigned char *v4, const char *in);
75static int ipv6_from_asc(unsigned char *v6, const char *in);
76static int ipv6_cb(const char *elem, int len, void *usr);
77static int ipv6_hex(unsigned char *out, const char *in, int inlen);
78
73/* Add a CONF_VALUE name value pair to stack */ 79/* Add a CONF_VALUE name value pair to stack */
74 80
75int X509V3_add_value(const char *name, const char *value, 81int X509V3_add_value(const char *name, const char *value,
@@ -156,11 +162,11 @@ ASN1_INTEGER *s2i_ASN1_INTEGER(X509V3_EXT_METHOD *method, char *value)
156 ASN1_INTEGER *aint; 162 ASN1_INTEGER *aint;
157 int isneg, ishex; 163 int isneg, ishex;
158 int ret; 164 int ret;
159 bn = BN_new();
160 if (!value) { 165 if (!value) {
161 X509V3err(X509V3_F_S2I_ASN1_INTEGER,X509V3_R_INVALID_NULL_VALUE); 166 X509V3err(X509V3_F_S2I_ASN1_INTEGER,X509V3_R_INVALID_NULL_VALUE);
162 return 0; 167 return 0;
163 } 168 }
169 bn = BN_new();
164 if (value[0] == '-') { 170 if (value[0] == '-') {
165 value++; 171 value++;
166 isneg = 1; 172 isneg = 1;
@@ -174,7 +180,8 @@ ASN1_INTEGER *s2i_ASN1_INTEGER(X509V3_EXT_METHOD *method, char *value)
174 if (ishex) ret = BN_hex2bn(&bn, value); 180 if (ishex) ret = BN_hex2bn(&bn, value);
175 else ret = BN_dec2bn(&bn, value); 181 else ret = BN_dec2bn(&bn, value);
176 182
177 if (!ret) { 183 if (!ret || value[ret]) {
184 BN_free(bn);
178 X509V3err(X509V3_F_S2I_ASN1_INTEGER,X509V3_R_BN_DEC2BN_ERROR); 185 X509V3err(X509V3_F_S2I_ASN1_INTEGER,X509V3_R_BN_DEC2BN_ERROR);
179 return 0; 186 return 0;
180 } 187 }
@@ -358,7 +365,7 @@ char *hex_to_string(unsigned char *buffer, long len)
358 char *tmp, *q; 365 char *tmp, *q;
359 unsigned char *p; 366 unsigned char *p;
360 int i; 367 int i;
361 static char hexdig[] = "0123456789ABCDEF"; 368 const static char hexdig[] = "0123456789ABCDEF";
362 if(!buffer || !len) return NULL; 369 if(!buffer || !len) return NULL;
363 if(!(tmp = OPENSSL_malloc(len * 3 + 1))) { 370 if(!(tmp = OPENSSL_malloc(len * 3 + 1))) {
364 X509V3err(X509V3_F_HEX_TO_STRING,ERR_R_MALLOC_FAILURE); 371 X509V3err(X509V3_F_HEX_TO_STRING,ERR_R_MALLOC_FAILURE);
@@ -466,6 +473,30 @@ STACK *X509_get1_email(X509 *x)
466 return ret; 473 return ret;
467} 474}
468 475
476STACK *X509_get1_ocsp(X509 *x)
477{
478 AUTHORITY_INFO_ACCESS *info;
479 STACK *ret = NULL;
480 int i;
481 info = X509_get_ext_d2i(x, NID_info_access, NULL, NULL);
482 if (!info)
483 return NULL;
484 for (i = 0; i < sk_ACCESS_DESCRIPTION_num(info); i++)
485 {
486 ACCESS_DESCRIPTION *ad = sk_ACCESS_DESCRIPTION_value(info, i);
487 if (OBJ_obj2nid(ad->method) == NID_ad_OCSP)
488 {
489 if (ad->location->type == GEN_URI)
490 {
491 if (!append_ia5(&ret, ad->location->d.uniformResourceIdentifier))
492 break;
493 }
494 }
495 }
496 AUTHORITY_INFO_ACCESS_free(info);
497 return ret;
498}
499
469STACK *X509_REQ_get1_email(X509_REQ *x) 500STACK *X509_REQ_get1_email(X509_REQ *x)
470{ 501{
471 GENERAL_NAMES *gens; 502 GENERAL_NAMES *gens;
@@ -533,3 +564,305 @@ void X509_email_free(STACK *sk)
533{ 564{
534 sk_pop_free(sk, str_free); 565 sk_pop_free(sk, str_free);
535} 566}
567
568/* Convert IP addresses both IPv4 and IPv6 into an
569 * OCTET STRING compatible with RFC3280.
570 */
571
572ASN1_OCTET_STRING *a2i_IPADDRESS(const char *ipasc)
573 {
574 unsigned char ipout[16];
575 ASN1_OCTET_STRING *ret;
576 int iplen;
577
578 /* If string contains a ':' assume IPv6 */
579
580 iplen = a2i_ipadd(ipout, ipasc);
581
582 if (!iplen)
583 return NULL;
584
585 ret = ASN1_OCTET_STRING_new();
586 if (!ret)
587 return NULL;
588 if (!ASN1_OCTET_STRING_set(ret, ipout, iplen))
589 {
590 ASN1_OCTET_STRING_free(ret);
591 return NULL;
592 }
593 return ret;
594 }
595
596ASN1_OCTET_STRING *a2i_IPADDRESS_NC(const char *ipasc)
597 {
598 ASN1_OCTET_STRING *ret = NULL;
599 unsigned char ipout[32];
600 char *iptmp = NULL, *p;
601 int iplen1, iplen2;
602 p = strchr(ipasc,'/');
603 if (!p)
604 return NULL;
605 iptmp = BUF_strdup(ipasc);
606 if (!iptmp)
607 return NULL;
608 p = iptmp + (p - ipasc);
609 *p++ = 0;
610
611 iplen1 = a2i_ipadd(ipout, iptmp);
612
613 if (!iplen1)
614 goto err;
615
616 iplen2 = a2i_ipadd(ipout + iplen1, p);
617
618 OPENSSL_free(iptmp);
619 iptmp = NULL;
620
621 if (!iplen2 || (iplen1 != iplen2))
622 goto err;
623
624 ret = ASN1_OCTET_STRING_new();
625 if (!ret)
626 goto err;
627 if (!ASN1_OCTET_STRING_set(ret, ipout, iplen1 + iplen2))
628 goto err;
629
630 return ret;
631
632 err:
633 if (iptmp)
634 OPENSSL_free(iptmp);
635 if (ret)
636 ASN1_OCTET_STRING_free(ret);
637 return NULL;
638 }
639
640
641int a2i_ipadd(unsigned char *ipout, const char *ipasc)
642 {
643 /* If string contains a ':' assume IPv6 */
644
645 if (strchr(ipasc, ':'))
646 {
647 if (!ipv6_from_asc(ipout, ipasc))
648 return 0;
649 return 16;
650 }
651 else
652 {
653 if (!ipv4_from_asc(ipout, ipasc))
654 return 0;
655 return 4;
656 }
657 }
658
659static int ipv4_from_asc(unsigned char *v4, const char *in)
660 {
661 int a0, a1, a2, a3;
662 if (sscanf(in, "%d.%d.%d.%d", &a0, &a1, &a2, &a3) != 4)
663 return 0;
664 if ((a0 < 0) || (a0 > 255) || (a1 < 0) || (a1 > 255)
665 || (a2 < 0) || (a2 > 255) || (a3 < 0) || (a3 > 255))
666 return 0;
667 v4[0] = a0;
668 v4[1] = a1;
669 v4[2] = a2;
670 v4[3] = a3;
671 return 1;
672 }
673
674typedef struct {
675 /* Temporary store for IPV6 output */
676 unsigned char tmp[16];
677 /* Total number of bytes in tmp */
678 int total;
679 /* The position of a zero (corresponding to '::') */
680 int zero_pos;
681 /* Number of zeroes */
682 int zero_cnt;
683 } IPV6_STAT;
684
685
686static int ipv6_from_asc(unsigned char *v6, const char *in)
687 {
688 IPV6_STAT v6stat;
689 v6stat.total = 0;
690 v6stat.zero_pos = -1;
691 v6stat.zero_cnt = 0;
692 /* Treat the IPv6 representation as a list of values
693 * separated by ':'. The presence of a '::' will parse
694 * as one, two or three zero length elements.
695 */
696 if (!CONF_parse_list(in, ':', 0, ipv6_cb, &v6stat))
697 return 0;
698
699 /* Now for some sanity checks */
700
701 if (v6stat.zero_pos == -1)
702 {
703 /* If no '::' must have exactly 16 bytes */
704 if (v6stat.total != 16)
705 return 0;
706 }
707 else
708 {
709 /* If '::' must have less than 16 bytes */
710 if (v6stat.total == 16)
711 return 0;
712 /* More than three zeroes is an error */
713 if (v6stat.zero_cnt > 3)
714 return 0;
715 /* Can only have three zeroes if nothing else present */
716 else if (v6stat.zero_cnt == 3)
717 {
718 if (v6stat.total > 0)
719 return 0;
720 }
721 /* Can only have two zeroes if at start or end */
722 else if (v6stat.zero_cnt == 2)
723 {
724 if ((v6stat.zero_pos != 0)
725 && (v6stat.zero_pos != v6stat.total))
726 return 0;
727 }
728 else
729 /* Can only have one zero if *not* start or end */
730 {
731 if ((v6stat.zero_pos == 0)
732 || (v6stat.zero_pos == v6stat.total))
733 return 0;
734 }
735 }
736
737 /* Format result */
738
739 /* Copy initial part */
740 if (v6stat.zero_pos > 0)
741 memcpy(v6, v6stat.tmp, v6stat.zero_pos);
742 /* Zero middle */
743 if (v6stat.total != 16)
744 memset(v6 + v6stat.zero_pos, 0, 16 - v6stat.total);
745 /* Copy final part */
746 if (v6stat.total != v6stat.zero_pos)
747 memcpy(v6 + v6stat.zero_pos + 16 - v6stat.total,
748 v6stat.tmp + v6stat.zero_pos,
749 v6stat.total - v6stat.zero_pos);
750
751 return 1;
752 }
753
754static int ipv6_cb(const char *elem, int len, void *usr)
755 {
756 IPV6_STAT *s = usr;
757 /* Error if 16 bytes written */
758 if (s->total == 16)
759 return 0;
760 if (len == 0)
761 {
762 /* Zero length element, corresponds to '::' */
763 if (s->zero_pos == -1)
764 s->zero_pos = s->total;
765 /* If we've already got a :: its an error */
766 else if (s->zero_pos != s->total)
767 return 0;
768 s->zero_cnt++;
769 }
770 else
771 {
772 /* If more than 4 characters could be final a.b.c.d form */
773 if (len > 4)
774 {
775 /* Need at least 4 bytes left */
776 if (s->total > 12)
777 return 0;
778 /* Must be end of string */
779 if (elem[len])
780 return 0;
781 if (!ipv4_from_asc(s->tmp + s->total, elem))
782 return 0;
783 s->total += 4;
784 }
785 else
786 {
787 if (!ipv6_hex(s->tmp + s->total, elem, len))
788 return 0;
789 s->total += 2;
790 }
791 }
792 return 1;
793 }
794
795/* Convert a string of up to 4 hex digits into the corresponding
796 * IPv6 form.
797 */
798
799static int ipv6_hex(unsigned char *out, const char *in, int inlen)
800 {
801 unsigned char c;
802 unsigned int num = 0;
803 if (inlen > 4)
804 return 0;
805 while(inlen--)
806 {
807 c = *in++;
808 num <<= 4;
809 if ((c >= '0') && (c <= '9'))
810 num |= c - '0';
811 else if ((c >= 'A') && (c <= 'F'))
812 num |= c - 'A' + 10;
813 else if ((c >= 'a') && (c <= 'f'))
814 num |= c - 'a' + 10;
815 else
816 return 0;
817 }
818 out[0] = num >> 8;
819 out[1] = num & 0xff;
820 return 1;
821 }
822
823
824int X509V3_NAME_from_section(X509_NAME *nm, STACK_OF(CONF_VALUE)*dn_sk,
825 unsigned long chtype)
826 {
827 CONF_VALUE *v;
828 int i, mval;
829 char *p, *type;
830 if (!nm)
831 return 0;
832
833 for (i = 0; i < sk_CONF_VALUE_num(dn_sk); i++)
834 {
835 v=sk_CONF_VALUE_value(dn_sk,i);
836 type=v->name;
837 /* Skip past any leading X. X: X, etc to allow for
838 * multiple instances
839 */
840 for(p = type; *p ; p++)
841#ifndef CHARSET_EBCDIC
842 if ((*p == ':') || (*p == ',') || (*p == '.'))
843#else
844 if ((*p == os_toascii[':']) || (*p == os_toascii[',']) || (*p == os_toascii['.']))
845#endif
846 {
847 p++;
848 if(*p) type = p;
849 break;
850 }
851#ifndef CHARSET_EBCDIC
852 if (*type == '+')
853#else
854 if (*type == os_toascii['+'])
855#endif
856 {
857 mval = -1;
858 type++;
859 }
860 else
861 mval = 0;
862 if (!X509_NAME_add_entry_by_txt(nm,type, chtype,
863 (unsigned char *) v->value,-1,-1,mval))
864 return 0;
865
866 }
867 return 1;
868 }
diff --git a/src/lib/libcrypto/x509v3/v3err.c b/src/lib/libcrypto/x509v3/v3err.c
index e1edaf5248..d538ad8b80 100644
--- a/src/lib/libcrypto/x509v3/v3err.c
+++ b/src/lib/libcrypto/x509v3/v3err.c
@@ -70,10 +70,15 @@
70 70
71static ERR_STRING_DATA X509V3_str_functs[]= 71static ERR_STRING_DATA X509V3_str_functs[]=
72 { 72 {
73{ERR_FUNC(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE), "ASIDENTIFIERCHOICE_CANONIZE"},
74{ERR_FUNC(X509V3_F_ASIDENTIFIERCHOICE_IS_CANONICAL), "ASIDENTIFIERCHOICE_IS_CANONICAL"},
73{ERR_FUNC(X509V3_F_COPY_EMAIL), "COPY_EMAIL"}, 75{ERR_FUNC(X509V3_F_COPY_EMAIL), "COPY_EMAIL"},
74{ERR_FUNC(X509V3_F_COPY_ISSUER), "COPY_ISSUER"}, 76{ERR_FUNC(X509V3_F_COPY_ISSUER), "COPY_ISSUER"},
77{ERR_FUNC(X509V3_F_DO_DIRNAME), "DO_DIRNAME"},
75{ERR_FUNC(X509V3_F_DO_EXT_CONF), "DO_EXT_CONF"}, 78{ERR_FUNC(X509V3_F_DO_EXT_CONF), "DO_EXT_CONF"},
76{ERR_FUNC(X509V3_F_DO_EXT_I2D), "DO_EXT_I2D"}, 79{ERR_FUNC(X509V3_F_DO_EXT_I2D), "DO_EXT_I2D"},
80{ERR_FUNC(X509V3_F_DO_EXT_NCONF), "DO_EXT_NCONF"},
81{ERR_FUNC(X509V3_F_DO_I2V_NAME_CONSTRAINTS), "DO_I2V_NAME_CONSTRAINTS"},
77{ERR_FUNC(X509V3_F_HEX_TO_STRING), "hex_to_string"}, 82{ERR_FUNC(X509V3_F_HEX_TO_STRING), "hex_to_string"},
78{ERR_FUNC(X509V3_F_I2S_ASN1_ENUMERATED), "i2s_ASN1_ENUMERATED"}, 83{ERR_FUNC(X509V3_F_I2S_ASN1_ENUMERATED), "i2s_ASN1_ENUMERATED"},
79{ERR_FUNC(X509V3_F_I2S_ASN1_IA5STRING), "I2S_ASN1_IA5STRING"}, 84{ERR_FUNC(X509V3_F_I2S_ASN1_IA5STRING), "I2S_ASN1_IA5STRING"},
@@ -82,34 +87,46 @@ static ERR_STRING_DATA X509V3_str_functs[]=
82{ERR_FUNC(X509V3_F_NOTICE_SECTION), "NOTICE_SECTION"}, 87{ERR_FUNC(X509V3_F_NOTICE_SECTION), "NOTICE_SECTION"},
83{ERR_FUNC(X509V3_F_NREF_NOS), "NREF_NOS"}, 88{ERR_FUNC(X509V3_F_NREF_NOS), "NREF_NOS"},
84{ERR_FUNC(X509V3_F_POLICY_SECTION), "POLICY_SECTION"}, 89{ERR_FUNC(X509V3_F_POLICY_SECTION), "POLICY_SECTION"},
90{ERR_FUNC(X509V3_F_PROCESS_PCI_VALUE), "PROCESS_PCI_VALUE"},
85{ERR_FUNC(X509V3_F_R2I_CERTPOL), "R2I_CERTPOL"}, 91{ERR_FUNC(X509V3_F_R2I_CERTPOL), "R2I_CERTPOL"},
86{ERR_FUNC(X509V3_F_R2I_PCI), "R2I_PCI"}, 92{ERR_FUNC(X509V3_F_R2I_PCI), "R2I_PCI"},
87{ERR_FUNC(X509V3_F_S2I_ASN1_IA5STRING), "S2I_ASN1_IA5STRING"}, 93{ERR_FUNC(X509V3_F_S2I_ASN1_IA5STRING), "S2I_ASN1_IA5STRING"},
88{ERR_FUNC(X509V3_F_S2I_ASN1_INTEGER), "s2i_ASN1_INTEGER"}, 94{ERR_FUNC(X509V3_F_S2I_ASN1_INTEGER), "s2i_ASN1_INTEGER"},
89{ERR_FUNC(X509V3_F_S2I_ASN1_OCTET_STRING), "s2i_ASN1_OCTET_STRING"}, 95{ERR_FUNC(X509V3_F_S2I_ASN1_OCTET_STRING), "s2i_ASN1_OCTET_STRING"},
90{ERR_FUNC(X509V3_F_S2I_ASN1_SKEY_ID), "S2I_ASN1_SKEY_ID"}, 96{ERR_FUNC(X509V3_F_S2I_ASN1_SKEY_ID), "S2I_ASN1_SKEY_ID"},
91{ERR_FUNC(X509V3_F_S2I_S2I_SKEY_ID), "S2I_S2I_SKEY_ID"}, 97{ERR_FUNC(X509V3_F_S2I_SKEY_ID), "S2I_SKEY_ID"},
92{ERR_FUNC(X509V3_F_STRING_TO_HEX), "string_to_hex"}, 98{ERR_FUNC(X509V3_F_STRING_TO_HEX), "string_to_hex"},
93{ERR_FUNC(X509V3_F_SXNET_ADD_ASC), "SXNET_ADD_ASC"}, 99{ERR_FUNC(X509V3_F_SXNET_ADD_ID_ASC), "SXNET_add_id_asc"},
94{ERR_FUNC(X509V3_F_SXNET_ADD_ID_INTEGER), "SXNET_add_id_INTEGER"}, 100{ERR_FUNC(X509V3_F_SXNET_ADD_ID_INTEGER), "SXNET_add_id_INTEGER"},
95{ERR_FUNC(X509V3_F_SXNET_ADD_ID_ULONG), "SXNET_add_id_ulong"}, 101{ERR_FUNC(X509V3_F_SXNET_ADD_ID_ULONG), "SXNET_add_id_ulong"},
96{ERR_FUNC(X509V3_F_SXNET_GET_ID_ASC), "SXNET_get_id_asc"}, 102{ERR_FUNC(X509V3_F_SXNET_GET_ID_ASC), "SXNET_get_id_asc"},
97{ERR_FUNC(X509V3_F_SXNET_GET_ID_ULONG), "SXNET_get_id_ulong"}, 103{ERR_FUNC(X509V3_F_SXNET_GET_ID_ULONG), "SXNET_get_id_ulong"},
98{ERR_FUNC(X509V3_F_V2I_ACCESS_DESCRIPTION), "V2I_ACCESS_DESCRIPTION"}, 104{ERR_FUNC(X509V3_F_V2I_ASIDENTIFIERS), "V2I_ASIDENTIFIERS"},
99{ERR_FUNC(X509V3_F_V2I_ASN1_BIT_STRING), "V2I_ASN1_BIT_STRING"}, 105{ERR_FUNC(X509V3_F_V2I_ASN1_BIT_STRING), "v2i_ASN1_BIT_STRING"},
106{ERR_FUNC(X509V3_F_V2I_AUTHORITY_INFO_ACCESS), "V2I_AUTHORITY_INFO_ACCESS"},
100{ERR_FUNC(X509V3_F_V2I_AUTHORITY_KEYID), "V2I_AUTHORITY_KEYID"}, 107{ERR_FUNC(X509V3_F_V2I_AUTHORITY_KEYID), "V2I_AUTHORITY_KEYID"},
101{ERR_FUNC(X509V3_F_V2I_BASIC_CONSTRAINTS), "V2I_BASIC_CONSTRAINTS"}, 108{ERR_FUNC(X509V3_F_V2I_BASIC_CONSTRAINTS), "V2I_BASIC_CONSTRAINTS"},
102{ERR_FUNC(X509V3_F_V2I_CRLD), "V2I_CRLD"}, 109{ERR_FUNC(X509V3_F_V2I_CRLD), "V2I_CRLD"},
103{ERR_FUNC(X509V3_F_V2I_EXT_KU), "V2I_EXT_KU"}, 110{ERR_FUNC(X509V3_F_V2I_EXTENDED_KEY_USAGE), "V2I_EXTENDED_KEY_USAGE"},
104{ERR_FUNC(X509V3_F_V2I_GENERAL_NAME), "v2i_GENERAL_NAME"},
105{ERR_FUNC(X509V3_F_V2I_GENERAL_NAMES), "v2i_GENERAL_NAMES"}, 111{ERR_FUNC(X509V3_F_V2I_GENERAL_NAMES), "v2i_GENERAL_NAMES"},
112{ERR_FUNC(X509V3_F_V2I_GENERAL_NAME_EX), "v2i_GENERAL_NAME_ex"},
113{ERR_FUNC(X509V3_F_V2I_IPADDRBLOCKS), "V2I_IPADDRBLOCKS"},
114{ERR_FUNC(X509V3_F_V2I_ISSUER_ALT), "V2I_ISSUER_ALT"},
115{ERR_FUNC(X509V3_F_V2I_NAME_CONSTRAINTS), "V2I_NAME_CONSTRAINTS"},
116{ERR_FUNC(X509V3_F_V2I_POLICY_CONSTRAINTS), "V2I_POLICY_CONSTRAINTS"},
117{ERR_FUNC(X509V3_F_V2I_POLICY_MAPPINGS), "V2I_POLICY_MAPPINGS"},
118{ERR_FUNC(X509V3_F_V2I_SUBJECT_ALT), "V2I_SUBJECT_ALT"},
119{ERR_FUNC(X509V3_F_V3_ADDR_VALIDATE_PATH_INTERNAL), "V3_ADDR_VALIDATE_PATH_INTERNAL"},
106{ERR_FUNC(X509V3_F_V3_GENERIC_EXTENSION), "V3_GENERIC_EXTENSION"}, 120{ERR_FUNC(X509V3_F_V3_GENERIC_EXTENSION), "V3_GENERIC_EXTENSION"},
107{ERR_FUNC(X509V3_F_X509V3_ADD_I2D), "X509V3_ADD_I2D"}, 121{ERR_FUNC(X509V3_F_X509V3_ADD1_I2D), "X509V3_add1_i2d"},
108{ERR_FUNC(X509V3_F_X509V3_ADD_VALUE), "X509V3_add_value"}, 122{ERR_FUNC(X509V3_F_X509V3_ADD_VALUE), "X509V3_add_value"},
109{ERR_FUNC(X509V3_F_X509V3_EXT_ADD), "X509V3_EXT_add"}, 123{ERR_FUNC(X509V3_F_X509V3_EXT_ADD), "X509V3_EXT_add"},
110{ERR_FUNC(X509V3_F_X509V3_EXT_ADD_ALIAS), "X509V3_EXT_add_alias"}, 124{ERR_FUNC(X509V3_F_X509V3_EXT_ADD_ALIAS), "X509V3_EXT_add_alias"},
111{ERR_FUNC(X509V3_F_X509V3_EXT_CONF), "X509V3_EXT_conf"}, 125{ERR_FUNC(X509V3_F_X509V3_EXT_CONF), "X509V3_EXT_conf"},
112{ERR_FUNC(X509V3_F_X509V3_EXT_I2D), "X509V3_EXT_i2d"}, 126{ERR_FUNC(X509V3_F_X509V3_EXT_I2D), "X509V3_EXT_i2d"},
127{ERR_FUNC(X509V3_F_X509V3_EXT_NCONF), "X509V3_EXT_nconf"},
128{ERR_FUNC(X509V3_F_X509V3_GET_SECTION), "X509V3_get_section"},
129{ERR_FUNC(X509V3_F_X509V3_GET_STRING), "X509V3_get_string"},
113{ERR_FUNC(X509V3_F_X509V3_GET_VALUE_BOOL), "X509V3_get_value_bool"}, 130{ERR_FUNC(X509V3_F_X509V3_GET_VALUE_BOOL), "X509V3_get_value_bool"},
114{ERR_FUNC(X509V3_F_X509V3_PARSE_LIST), "X509V3_parse_list"}, 131{ERR_FUNC(X509V3_F_X509V3_PARSE_LIST), "X509V3_parse_list"},
115{ERR_FUNC(X509V3_F_X509_PURPOSE_ADD), "X509_PURPOSE_add"}, 132{ERR_FUNC(X509V3_F_X509_PURPOSE_ADD), "X509_PURPOSE_add"},
@@ -123,6 +140,7 @@ static ERR_STRING_DATA X509V3_str_reasons[]=
123{ERR_REASON(X509V3_R_BAD_OBJECT) ,"bad object"}, 140{ERR_REASON(X509V3_R_BAD_OBJECT) ,"bad object"},
124{ERR_REASON(X509V3_R_BN_DEC2BN_ERROR) ,"bn dec2bn error"}, 141{ERR_REASON(X509V3_R_BN_DEC2BN_ERROR) ,"bn dec2bn error"},
125{ERR_REASON(X509V3_R_BN_TO_ASN1_INTEGER_ERROR),"bn to asn1 integer error"}, 142{ERR_REASON(X509V3_R_BN_TO_ASN1_INTEGER_ERROR),"bn to asn1 integer error"},
143{ERR_REASON(X509V3_R_DIRNAME_ERROR) ,"dirname error"},
126{ERR_REASON(X509V3_R_DUPLICATE_ZONE_ID) ,"duplicate zone id"}, 144{ERR_REASON(X509V3_R_DUPLICATE_ZONE_ID) ,"duplicate zone id"},
127{ERR_REASON(X509V3_R_ERROR_CONVERTING_ZONE),"error converting zone"}, 145{ERR_REASON(X509V3_R_ERROR_CONVERTING_ZONE),"error converting zone"},
128{ERR_REASON(X509V3_R_ERROR_CREATING_EXTENSION),"error creating extension"}, 146{ERR_REASON(X509V3_R_ERROR_CREATING_EXTENSION),"error creating extension"},
@@ -133,10 +151,15 @@ static ERR_STRING_DATA X509V3_str_reasons[]=
133{ERR_REASON(X509V3_R_EXTENSION_NOT_FOUND),"extension not found"}, 151{ERR_REASON(X509V3_R_EXTENSION_NOT_FOUND),"extension not found"},
134{ERR_REASON(X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED),"extension setting not supported"}, 152{ERR_REASON(X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED),"extension setting not supported"},
135{ERR_REASON(X509V3_R_EXTENSION_VALUE_ERROR),"extension value error"}, 153{ERR_REASON(X509V3_R_EXTENSION_VALUE_ERROR),"extension value error"},
154{ERR_REASON(X509V3_R_ILLEGAL_EMPTY_EXTENSION),"illegal empty extension"},
136{ERR_REASON(X509V3_R_ILLEGAL_HEX_DIGIT) ,"illegal hex digit"}, 155{ERR_REASON(X509V3_R_ILLEGAL_HEX_DIGIT) ,"illegal hex digit"},
137{ERR_REASON(X509V3_R_INCORRECT_POLICY_SYNTAX_TAG),"incorrect policy syntax tag"}, 156{ERR_REASON(X509V3_R_INCORRECT_POLICY_SYNTAX_TAG),"incorrect policy syntax tag"},
157{ERR_REASON(X509V3_R_INVALID_ASNUMBER) ,"invalid asnumber"},
158{ERR_REASON(X509V3_R_INVALID_ASRANGE) ,"invalid asrange"},
138{ERR_REASON(X509V3_R_INVALID_BOOLEAN_STRING),"invalid boolean string"}, 159{ERR_REASON(X509V3_R_INVALID_BOOLEAN_STRING),"invalid boolean string"},
139{ERR_REASON(X509V3_R_INVALID_EXTENSION_STRING),"invalid extension string"}, 160{ERR_REASON(X509V3_R_INVALID_EXTENSION_STRING),"invalid extension string"},
161{ERR_REASON(X509V3_R_INVALID_INHERITANCE),"invalid inheritance"},
162{ERR_REASON(X509V3_R_INVALID_IPADDRESS) ,"invalid ipaddress"},
140{ERR_REASON(X509V3_R_INVALID_NAME) ,"invalid name"}, 163{ERR_REASON(X509V3_R_INVALID_NAME) ,"invalid name"},
141{ERR_REASON(X509V3_R_INVALID_NULL_ARGUMENT),"invalid null argument"}, 164{ERR_REASON(X509V3_R_INVALID_NULL_ARGUMENT),"invalid null argument"},
142{ERR_REASON(X509V3_R_INVALID_NULL_NAME) ,"invalid null name"}, 165{ERR_REASON(X509V3_R_INVALID_NULL_NAME) ,"invalid null name"},
@@ -146,9 +169,9 @@ static ERR_STRING_DATA X509V3_str_reasons[]=
146{ERR_REASON(X509V3_R_INVALID_OBJECT_IDENTIFIER),"invalid object identifier"}, 169{ERR_REASON(X509V3_R_INVALID_OBJECT_IDENTIFIER),"invalid object identifier"},
147{ERR_REASON(X509V3_R_INVALID_OPTION) ,"invalid option"}, 170{ERR_REASON(X509V3_R_INVALID_OPTION) ,"invalid option"},
148{ERR_REASON(X509V3_R_INVALID_POLICY_IDENTIFIER),"invalid policy identifier"}, 171{ERR_REASON(X509V3_R_INVALID_POLICY_IDENTIFIER),"invalid policy identifier"},
149{ERR_REASON(X509V3_R_INVALID_PROXY_POLICY_IDENTIFIER),"invalid proxy policy identifier"},
150{ERR_REASON(X509V3_R_INVALID_PROXY_POLICY_SETTING),"invalid proxy policy setting"}, 172{ERR_REASON(X509V3_R_INVALID_PROXY_POLICY_SETTING),"invalid proxy policy setting"},
151{ERR_REASON(X509V3_R_INVALID_PURPOSE) ,"invalid purpose"}, 173{ERR_REASON(X509V3_R_INVALID_PURPOSE) ,"invalid purpose"},
174{ERR_REASON(X509V3_R_INVALID_SAFI) ,"invalid safi"},
152{ERR_REASON(X509V3_R_INVALID_SECTION) ,"invalid section"}, 175{ERR_REASON(X509V3_R_INVALID_SECTION) ,"invalid section"},
153{ERR_REASON(X509V3_R_INVALID_SYNTAX) ,"invalid syntax"}, 176{ERR_REASON(X509V3_R_INVALID_SYNTAX) ,"invalid syntax"},
154{ERR_REASON(X509V3_R_ISSUER_DECODE_ERROR),"issuer decode error"}, 177{ERR_REASON(X509V3_R_ISSUER_DECODE_ERROR),"issuer decode error"},
@@ -162,12 +185,14 @@ static ERR_STRING_DATA X509V3_str_reasons[]=
162{ERR_REASON(X509V3_R_NO_PUBLIC_KEY) ,"no public key"}, 185{ERR_REASON(X509V3_R_NO_PUBLIC_KEY) ,"no public key"},
163{ERR_REASON(X509V3_R_NO_SUBJECT_DETAILS) ,"no subject details"}, 186{ERR_REASON(X509V3_R_NO_SUBJECT_DETAILS) ,"no subject details"},
164{ERR_REASON(X509V3_R_ODD_NUMBER_OF_DIGITS),"odd number of digits"}, 187{ERR_REASON(X509V3_R_ODD_NUMBER_OF_DIGITS),"odd number of digits"},
188{ERR_REASON(X509V3_R_OPERATION_NOT_DEFINED),"operation not defined"},
189{ERR_REASON(X509V3_R_OTHERNAME_ERROR) ,"othername error"},
165{ERR_REASON(X509V3_R_POLICY_LANGUAGE_ALREADTY_DEFINED),"policy language alreadty defined"}, 190{ERR_REASON(X509V3_R_POLICY_LANGUAGE_ALREADTY_DEFINED),"policy language alreadty defined"},
166{ERR_REASON(X509V3_R_POLICY_PATH_LENGTH) ,"policy path length"}, 191{ERR_REASON(X509V3_R_POLICY_PATH_LENGTH) ,"policy path length"},
167{ERR_REASON(X509V3_R_POLICY_PATH_LENGTH_ALREADTY_DEFINED),"policy path length alreadty defined"}, 192{ERR_REASON(X509V3_R_POLICY_PATH_LENGTH_ALREADTY_DEFINED),"policy path length alreadty defined"},
168{ERR_REASON(X509V3_R_POLICY_SYNTAX_NOT) ,"policy syntax not"},
169{ERR_REASON(X509V3_R_POLICY_SYNTAX_NOT_CURRENTLY_SUPPORTED),"policy syntax not currently supported"}, 193{ERR_REASON(X509V3_R_POLICY_SYNTAX_NOT_CURRENTLY_SUPPORTED),"policy syntax not currently supported"},
170{ERR_REASON(X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY),"policy when proxy language requires no policy"}, 194{ERR_REASON(X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY),"policy when proxy language requires no policy"},
195{ERR_REASON(X509V3_R_SECTION_NOT_FOUND) ,"section not found"},
171{ERR_REASON(X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS),"unable to get issuer details"}, 196{ERR_REASON(X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS),"unable to get issuer details"},
172{ERR_REASON(X509V3_R_UNABLE_TO_GET_ISSUER_KEYID),"unable to get issuer keyid"}, 197{ERR_REASON(X509V3_R_UNABLE_TO_GET_ISSUER_KEYID),"unable to get issuer keyid"},
173{ERR_REASON(X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT),"unknown bit string argument"}, 198{ERR_REASON(X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT),"unknown bit string argument"},
@@ -183,15 +208,12 @@ static ERR_STRING_DATA X509V3_str_reasons[]=
183 208
184void ERR_load_X509V3_strings(void) 209void ERR_load_X509V3_strings(void)
185 { 210 {
186 static int init=1; 211#ifndef OPENSSL_NO_ERR
187 212
188 if (init) 213 if (ERR_func_error_string(X509V3_str_functs[0].error) == NULL)
189 { 214 {
190 init=0;
191#ifndef OPENSSL_NO_ERR
192 ERR_load_strings(0,X509V3_str_functs); 215 ERR_load_strings(0,X509V3_str_functs);
193 ERR_load_strings(0,X509V3_str_reasons); 216 ERR_load_strings(0,X509V3_str_reasons);
194#endif
195
196 } 217 }
218#endif
197 } 219 }
diff --git a/src/lib/libcrypto/x509v3/x509v3.h b/src/lib/libcrypto/x509v3/x509v3.h
index e6d91251c2..db2b0482c1 100644
--- a/src/lib/libcrypto/x509v3/x509v3.h
+++ b/src/lib/libcrypto/x509v3/x509v3.h
@@ -3,7 +3,7 @@
3 * project 1999. 3 * project 1999.
4 */ 4 */
5/* ==================================================================== 5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved. 6 * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved.
7 * 7 *
8 * Redistribution and use in source and binary forms, with or without 8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions 9 * modification, are permitted provided that the following conditions
@@ -74,14 +74,14 @@ struct v3_ext_ctx;
74 74
75typedef void * (*X509V3_EXT_NEW)(void); 75typedef void * (*X509V3_EXT_NEW)(void);
76typedef void (*X509V3_EXT_FREE)(void *); 76typedef void (*X509V3_EXT_FREE)(void *);
77typedef void * (*X509V3_EXT_D2I)(void *, unsigned char ** , long); 77typedef void * (*X509V3_EXT_D2I)(void *, const unsigned char ** , long);
78typedef int (*X509V3_EXT_I2D)(void *, unsigned char **); 78typedef int (*X509V3_EXT_I2D)(void *, unsigned char **);
79typedef STACK_OF(CONF_VALUE) * (*X509V3_EXT_I2V)(struct v3_ext_method *method, void *ext, STACK_OF(CONF_VALUE) *extlist); 79typedef STACK_OF(CONF_VALUE) * (*X509V3_EXT_I2V)(struct v3_ext_method *method, void *ext, STACK_OF(CONF_VALUE) *extlist);
80typedef void * (*X509V3_EXT_V2I)(struct v3_ext_method *method, struct v3_ext_ctx *ctx, STACK_OF(CONF_VALUE) *values); 80typedef void * (*X509V3_EXT_V2I)(struct v3_ext_method *method, struct v3_ext_ctx *ctx, STACK_OF(CONF_VALUE) *values);
81typedef char * (*X509V3_EXT_I2S)(struct v3_ext_method *method, void *ext); 81typedef char * (*X509V3_EXT_I2S)(struct v3_ext_method *method, void *ext);
82typedef void * (*X509V3_EXT_S2I)(struct v3_ext_method *method, struct v3_ext_ctx *ctx, char *str); 82typedef void * (*X509V3_EXT_S2I)(struct v3_ext_method *method, struct v3_ext_ctx *ctx, const char *str);
83typedef int (*X509V3_EXT_I2R)(struct v3_ext_method *method, void *ext, BIO *out, int indent); 83typedef int (*X509V3_EXT_I2R)(struct v3_ext_method *method, void *ext, BIO *out, int indent);
84typedef void * (*X509V3_EXT_R2I)(struct v3_ext_method *method, struct v3_ext_ctx *ctx, char *str); 84typedef void * (*X509V3_EXT_R2I)(struct v3_ext_method *method, struct v3_ext_ctx *ctx, const char *str);
85 85
86/* V3 extension structure */ 86/* V3 extension structure */
87 87
@@ -132,7 +132,6 @@ void *db;
132}; 132};
133 133
134typedef struct v3_ext_method X509V3_EXT_METHOD; 134typedef struct v3_ext_method X509V3_EXT_METHOD;
135typedef struct v3_ext_ctx X509V3_CTX;
136 135
137DECLARE_STACK_OF(X509V3_EXT_METHOD) 136DECLARE_STACK_OF(X509V3_EXT_METHOD)
138 137
@@ -287,6 +286,33 @@ typedef STACK_OF(POLICYINFO) CERTIFICATEPOLICIES;
287DECLARE_STACK_OF(POLICYINFO) 286DECLARE_STACK_OF(POLICYINFO)
288DECLARE_ASN1_SET_OF(POLICYINFO) 287DECLARE_ASN1_SET_OF(POLICYINFO)
289 288
289typedef struct POLICY_MAPPING_st {
290 ASN1_OBJECT *issuerDomainPolicy;
291 ASN1_OBJECT *subjectDomainPolicy;
292} POLICY_MAPPING;
293
294DECLARE_STACK_OF(POLICY_MAPPING)
295
296typedef STACK_OF(POLICY_MAPPING) POLICY_MAPPINGS;
297
298typedef struct GENERAL_SUBTREE_st {
299 GENERAL_NAME *base;
300 ASN1_INTEGER *minimum;
301 ASN1_INTEGER *maximum;
302} GENERAL_SUBTREE;
303
304DECLARE_STACK_OF(GENERAL_SUBTREE)
305
306typedef struct NAME_CONSTRAINTS_st {
307 STACK_OF(GENERAL_SUBTREE) *permittedSubtrees;
308 STACK_OF(GENERAL_SUBTREE) *excludedSubtrees;
309} NAME_CONSTRAINTS;
310
311typedef struct POLICY_CONSTRAINTS_st {
312 ASN1_INTEGER *requireExplicitPolicy;
313 ASN1_INTEGER *inhibitPolicyMapping;
314} POLICY_CONSTRAINTS;
315
290/* Proxy certificate structures, see RFC 3820 */ 316/* Proxy certificate structures, see RFC 3820 */
291typedef struct PROXY_POLICY_st 317typedef struct PROXY_POLICY_st
292 { 318 {
@@ -344,6 +370,8 @@ DECLARE_ASN1_FUNCTIONS(PROXY_CERT_INFO_EXTENSION)
344#define EXFLAG_CRITICAL 0x200 370#define EXFLAG_CRITICAL 0x200
345#define EXFLAG_PROXY 0x400 371#define EXFLAG_PROXY 0x400
346 372
373#define EXFLAG_INVALID_POLICY 0x400
374
347#define KU_DIGITAL_SIGNATURE 0x0080 375#define KU_DIGITAL_SIGNATURE 0x0080
348#define KU_NON_REPUDIATION 0x0040 376#define KU_NON_REPUDIATION 0x0040
349#define KU_KEY_ENCIPHERMENT 0x0020 377#define KU_KEY_ENCIPHERMENT 0x0020
@@ -442,6 +470,13 @@ DECLARE_ASN1_FUNCTIONS(PKEY_USAGE_PERIOD)
442 470
443DECLARE_ASN1_FUNCTIONS(GENERAL_NAME) 471DECLARE_ASN1_FUNCTIONS(GENERAL_NAME)
444 472
473
474ASN1_BIT_STRING *v2i_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
475 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
476STACK_OF(CONF_VALUE) *i2v_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
477 ASN1_BIT_STRING *bits,
478 STACK_OF(CONF_VALUE) *extlist);
479
445STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(X509V3_EXT_METHOD *method, GENERAL_NAME *gen, STACK_OF(CONF_VALUE) *ret); 480STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(X509V3_EXT_METHOD *method, GENERAL_NAME *gen, STACK_OF(CONF_VALUE) *ret);
446int GENERAL_NAME_print(BIO *out, GENERAL_NAME *gen); 481int GENERAL_NAME_print(BIO *out, GENERAL_NAME *gen);
447 482
@@ -474,8 +509,24 @@ DECLARE_ASN1_FUNCTIONS(DIST_POINT_NAME)
474DECLARE_ASN1_FUNCTIONS(ACCESS_DESCRIPTION) 509DECLARE_ASN1_FUNCTIONS(ACCESS_DESCRIPTION)
475DECLARE_ASN1_FUNCTIONS(AUTHORITY_INFO_ACCESS) 510DECLARE_ASN1_FUNCTIONS(AUTHORITY_INFO_ACCESS)
476 511
512DECLARE_ASN1_ITEM(POLICY_MAPPING)
513DECLARE_ASN1_ALLOC_FUNCTIONS(POLICY_MAPPING)
514DECLARE_ASN1_ITEM(POLICY_MAPPINGS)
515
516DECLARE_ASN1_ITEM(GENERAL_SUBTREE)
517DECLARE_ASN1_ALLOC_FUNCTIONS(GENERAL_SUBTREE)
518
519DECLARE_ASN1_ITEM(NAME_CONSTRAINTS)
520DECLARE_ASN1_ALLOC_FUNCTIONS(NAME_CONSTRAINTS)
521
522DECLARE_ASN1_ALLOC_FUNCTIONS(POLICY_CONSTRAINTS)
523DECLARE_ASN1_ITEM(POLICY_CONSTRAINTS)
524
477#ifdef HEADER_CONF_H 525#ifdef HEADER_CONF_H
478GENERAL_NAME *v2i_GENERAL_NAME(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, CONF_VALUE *cnf); 526GENERAL_NAME *v2i_GENERAL_NAME(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
527 CONF_VALUE *cnf);
528GENERAL_NAME *v2i_GENERAL_NAME_ex(GENERAL_NAME *out, X509V3_EXT_METHOD *method,
529 X509V3_CTX *ctx, CONF_VALUE *cnf, int is_nc);
479void X509V3_conf_free(CONF_VALUE *val); 530void X509V3_conf_free(CONF_VALUE *val);
480 531
481X509_EXTENSION *X509V3_EXT_nconf_nid(CONF *conf, X509V3_CTX *ctx, int ext_nid, char *value); 532X509_EXTENSION *X509V3_EXT_nconf_nid(CONF *conf, X509V3_CTX *ctx, int ext_nid, char *value);
@@ -566,7 +617,164 @@ int X509_PURPOSE_get_id(X509_PURPOSE *);
566STACK *X509_get1_email(X509 *x); 617STACK *X509_get1_email(X509 *x);
567STACK *X509_REQ_get1_email(X509_REQ *x); 618STACK *X509_REQ_get1_email(X509_REQ *x);
568void X509_email_free(STACK *sk); 619void X509_email_free(STACK *sk);
620STACK *X509_get1_ocsp(X509 *x);
621
622ASN1_OCTET_STRING *a2i_IPADDRESS(const char *ipasc);
623ASN1_OCTET_STRING *a2i_IPADDRESS_NC(const char *ipasc);
624int a2i_ipadd(unsigned char *ipout, const char *ipasc);
625int X509V3_NAME_from_section(X509_NAME *nm, STACK_OF(CONF_VALUE)*dn_sk,
626 unsigned long chtype);
627
628void X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent);
629
630#ifndef OPENSSL_NO_RFC3779
631
632typedef struct ASRange_st {
633 ASN1_INTEGER *min, *max;
634} ASRange;
635
636#define ASIdOrRange_id 0
637#define ASIdOrRange_range 1
638
639typedef struct ASIdOrRange_st {
640 int type;
641 union {
642 ASN1_INTEGER *id;
643 ASRange *range;
644 } u;
645} ASIdOrRange;
646
647typedef STACK_OF(ASIdOrRange) ASIdOrRanges;
648DECLARE_STACK_OF(ASIdOrRange)
649
650#define ASIdentifierChoice_inherit 0
651#define ASIdentifierChoice_asIdsOrRanges 1
652
653typedef struct ASIdentifierChoice_st {
654 int type;
655 union {
656 ASN1_NULL *inherit;
657 ASIdOrRanges *asIdsOrRanges;
658 } u;
659} ASIdentifierChoice;
660
661typedef struct ASIdentifiers_st {
662 ASIdentifierChoice *asnum, *rdi;
663} ASIdentifiers;
664
665DECLARE_ASN1_FUNCTIONS(ASRange)
666DECLARE_ASN1_FUNCTIONS(ASIdOrRange)
667DECLARE_ASN1_FUNCTIONS(ASIdentifierChoice)
668DECLARE_ASN1_FUNCTIONS(ASIdentifiers)
669
670
671typedef struct IPAddressRange_st {
672 ASN1_BIT_STRING *min, *max;
673} IPAddressRange;
674
675#define IPAddressOrRange_addressPrefix 0
676#define IPAddressOrRange_addressRange 1
677
678typedef struct IPAddressOrRange_st {
679 int type;
680 union {
681 ASN1_BIT_STRING *addressPrefix;
682 IPAddressRange *addressRange;
683 } u;
684} IPAddressOrRange;
685
686typedef STACK_OF(IPAddressOrRange) IPAddressOrRanges;
687DECLARE_STACK_OF(IPAddressOrRange)
688
689#define IPAddressChoice_inherit 0
690#define IPAddressChoice_addressesOrRanges 1
691
692typedef struct IPAddressChoice_st {
693 int type;
694 union {
695 ASN1_NULL *inherit;
696 IPAddressOrRanges *addressesOrRanges;
697 } u;
698} IPAddressChoice;
699
700typedef struct IPAddressFamily_st {
701 ASN1_OCTET_STRING *addressFamily;
702 IPAddressChoice *ipAddressChoice;
703} IPAddressFamily;
704
705typedef STACK_OF(IPAddressFamily) IPAddrBlocks;
706DECLARE_STACK_OF(IPAddressFamily)
707
708DECLARE_ASN1_FUNCTIONS(IPAddressRange)
709DECLARE_ASN1_FUNCTIONS(IPAddressOrRange)
710DECLARE_ASN1_FUNCTIONS(IPAddressChoice)
711DECLARE_ASN1_FUNCTIONS(IPAddressFamily)
712
713/*
714 * API tag for elements of the ASIdentifer SEQUENCE.
715 */
716#define V3_ASID_ASNUM 0
717#define V3_ASID_RDI 1
718
719/*
720 * AFI values, assigned by IANA. It'd be nice to make the AFI
721 * handling code totally generic, but there are too many little things
722 * that would need to be defined for other address families for it to
723 * be worth the trouble.
724 */
725#define IANA_AFI_IPV4 1
726#define IANA_AFI_IPV6 2
727
728/*
729 * Utilities to construct and extract values from RFC3779 extensions,
730 * since some of the encodings (particularly for IP address prefixes
731 * and ranges) are a bit tedious to work with directly.
732 */
733int v3_asid_add_inherit(ASIdentifiers *asid, int which);
734int v3_asid_add_id_or_range(ASIdentifiers *asid, int which,
735 ASN1_INTEGER *min, ASN1_INTEGER *max);
736int v3_addr_add_inherit(IPAddrBlocks *addr,
737 const unsigned afi, const unsigned *safi);
738int v3_addr_add_prefix(IPAddrBlocks *addr,
739 const unsigned afi, const unsigned *safi,
740 unsigned char *a, const int prefixlen);
741int v3_addr_add_range(IPAddrBlocks *addr,
742 const unsigned afi, const unsigned *safi,
743 unsigned char *min, unsigned char *max);
744unsigned v3_addr_get_afi(const IPAddressFamily *f);
745int v3_addr_get_range(IPAddressOrRange *aor, const unsigned afi,
746 unsigned char *min, unsigned char *max,
747 const int length);
748
749/*
750 * Canonical forms.
751 */
752int v3_asid_is_canonical(ASIdentifiers *asid);
753int v3_addr_is_canonical(IPAddrBlocks *addr);
754int v3_asid_canonize(ASIdentifiers *asid);
755int v3_addr_canonize(IPAddrBlocks *addr);
756
757/*
758 * Tests for inheritance and containment.
759 */
760int v3_asid_inherits(ASIdentifiers *asid);
761int v3_addr_inherits(IPAddrBlocks *addr);
762int v3_asid_subset(ASIdentifiers *a, ASIdentifiers *b);
763int v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b);
764
765/*
766 * Check whether RFC 3779 extensions nest properly in chains.
767 */
768int v3_asid_validate_path(X509_STORE_CTX *);
769int v3_addr_validate_path(X509_STORE_CTX *);
770int v3_asid_validate_resource_set(STACK_OF(X509) *chain,
771 ASIdentifiers *ext,
772 int allow_inheritance);
773int v3_addr_validate_resource_set(STACK_OF(X509) *chain,
774 IPAddrBlocks *ext,
775 int allow_inheritance);
569 776
777#endif /* OPENSSL_NO_RFC3779 */
570 778
571/* BEGIN ERROR CODES */ 779/* BEGIN ERROR CODES */
572/* The following lines are auto generated by the script mkerr.pl. Any changes 780/* The following lines are auto generated by the script mkerr.pl. Any changes
@@ -577,46 +785,63 @@ void ERR_load_X509V3_strings(void);
577/* Error codes for the X509V3 functions. */ 785/* Error codes for the X509V3 functions. */
578 786
579/* Function codes. */ 787/* Function codes. */
788#define X509V3_F_ASIDENTIFIERCHOICE_CANONIZE 156
789#define X509V3_F_ASIDENTIFIERCHOICE_IS_CANONICAL 157
580#define X509V3_F_COPY_EMAIL 122 790#define X509V3_F_COPY_EMAIL 122
581#define X509V3_F_COPY_ISSUER 123 791#define X509V3_F_COPY_ISSUER 123
792#define X509V3_F_DO_DIRNAME 144
582#define X509V3_F_DO_EXT_CONF 124 793#define X509V3_F_DO_EXT_CONF 124
583#define X509V3_F_DO_EXT_I2D 135 794#define X509V3_F_DO_EXT_I2D 135
795#define X509V3_F_DO_EXT_NCONF 151
796#define X509V3_F_DO_I2V_NAME_CONSTRAINTS 148
584#define X509V3_F_HEX_TO_STRING 111 797#define X509V3_F_HEX_TO_STRING 111
585#define X509V3_F_I2S_ASN1_ENUMERATED 121 798#define X509V3_F_I2S_ASN1_ENUMERATED 121
586#define X509V3_F_I2S_ASN1_IA5STRING 142 799#define X509V3_F_I2S_ASN1_IA5STRING 149
587#define X509V3_F_I2S_ASN1_INTEGER 120 800#define X509V3_F_I2S_ASN1_INTEGER 120
588#define X509V3_F_I2V_AUTHORITY_INFO_ACCESS 138 801#define X509V3_F_I2V_AUTHORITY_INFO_ACCESS 138
589#define X509V3_F_NOTICE_SECTION 132 802#define X509V3_F_NOTICE_SECTION 132
590#define X509V3_F_NREF_NOS 133 803#define X509V3_F_NREF_NOS 133
591#define X509V3_F_POLICY_SECTION 131 804#define X509V3_F_POLICY_SECTION 131
805#define X509V3_F_PROCESS_PCI_VALUE 150
592#define X509V3_F_R2I_CERTPOL 130 806#define X509V3_F_R2I_CERTPOL 130
593#define X509V3_F_R2I_PCI 142 807#define X509V3_F_R2I_PCI 155
594#define X509V3_F_S2I_ASN1_IA5STRING 100 808#define X509V3_F_S2I_ASN1_IA5STRING 100
595#define X509V3_F_S2I_ASN1_INTEGER 108 809#define X509V3_F_S2I_ASN1_INTEGER 108
596#define X509V3_F_S2I_ASN1_OCTET_STRING 112 810#define X509V3_F_S2I_ASN1_OCTET_STRING 112
597#define X509V3_F_S2I_ASN1_SKEY_ID 114 811#define X509V3_F_S2I_ASN1_SKEY_ID 114
598#define X509V3_F_S2I_S2I_SKEY_ID 115 812#define X509V3_F_S2I_SKEY_ID 115
599#define X509V3_F_STRING_TO_HEX 113 813#define X509V3_F_STRING_TO_HEX 113
600#define X509V3_F_SXNET_ADD_ASC 125 814#define X509V3_F_SXNET_ADD_ID_ASC 125
601#define X509V3_F_SXNET_ADD_ID_INTEGER 126 815#define X509V3_F_SXNET_ADD_ID_INTEGER 126
602#define X509V3_F_SXNET_ADD_ID_ULONG 127 816#define X509V3_F_SXNET_ADD_ID_ULONG 127
603#define X509V3_F_SXNET_GET_ID_ASC 128 817#define X509V3_F_SXNET_GET_ID_ASC 128
604#define X509V3_F_SXNET_GET_ID_ULONG 129 818#define X509V3_F_SXNET_GET_ID_ULONG 129
605#define X509V3_F_V2I_ACCESS_DESCRIPTION 139 819#define X509V3_F_V2I_ASIDENTIFIERS 158
606#define X509V3_F_V2I_ASN1_BIT_STRING 101 820#define X509V3_F_V2I_ASN1_BIT_STRING 101
821#define X509V3_F_V2I_AUTHORITY_INFO_ACCESS 139
607#define X509V3_F_V2I_AUTHORITY_KEYID 119 822#define X509V3_F_V2I_AUTHORITY_KEYID 119
608#define X509V3_F_V2I_BASIC_CONSTRAINTS 102 823#define X509V3_F_V2I_BASIC_CONSTRAINTS 102
609#define X509V3_F_V2I_CRLD 134 824#define X509V3_F_V2I_CRLD 134
610#define X509V3_F_V2I_EXT_KU 103 825#define X509V3_F_V2I_EXTENDED_KEY_USAGE 103
611#define X509V3_F_V2I_GENERAL_NAME 117
612#define X509V3_F_V2I_GENERAL_NAMES 118 826#define X509V3_F_V2I_GENERAL_NAMES 118
827#define X509V3_F_V2I_GENERAL_NAME_EX 117
828#define X509V3_F_V2I_IPADDRBLOCKS 159
829#define X509V3_F_V2I_ISSUER_ALT 153
830#define X509V3_F_V2I_NAME_CONSTRAINTS 147
831#define X509V3_F_V2I_POLICY_CONSTRAINTS 146
832#define X509V3_F_V2I_POLICY_MAPPINGS 145
833#define X509V3_F_V2I_SUBJECT_ALT 154
834#define X509V3_F_V3_ADDR_VALIDATE_PATH_INTERNAL 160
613#define X509V3_F_V3_GENERIC_EXTENSION 116 835#define X509V3_F_V3_GENERIC_EXTENSION 116
614#define X509V3_F_X509V3_ADD_I2D 140 836#define X509V3_F_X509V3_ADD1_I2D 140
615#define X509V3_F_X509V3_ADD_VALUE 105 837#define X509V3_F_X509V3_ADD_VALUE 105
616#define X509V3_F_X509V3_EXT_ADD 104 838#define X509V3_F_X509V3_EXT_ADD 104
617#define X509V3_F_X509V3_EXT_ADD_ALIAS 106 839#define X509V3_F_X509V3_EXT_ADD_ALIAS 106
618#define X509V3_F_X509V3_EXT_CONF 107 840#define X509V3_F_X509V3_EXT_CONF 107
619#define X509V3_F_X509V3_EXT_I2D 136 841#define X509V3_F_X509V3_EXT_I2D 136
842#define X509V3_F_X509V3_EXT_NCONF 152
843#define X509V3_F_X509V3_GET_SECTION 142
844#define X509V3_F_X509V3_GET_STRING 143
620#define X509V3_F_X509V3_GET_VALUE_BOOL 110 845#define X509V3_F_X509V3_GET_VALUE_BOOL 110
621#define X509V3_F_X509V3_PARSE_LIST 109 846#define X509V3_F_X509V3_PARSE_LIST 109
622#define X509V3_F_X509_PURPOSE_ADD 137 847#define X509V3_F_X509_PURPOSE_ADD 137
@@ -627,6 +852,7 @@ void ERR_load_X509V3_strings(void);
627#define X509V3_R_BAD_OBJECT 119 852#define X509V3_R_BAD_OBJECT 119
628#define X509V3_R_BN_DEC2BN_ERROR 100 853#define X509V3_R_BN_DEC2BN_ERROR 100
629#define X509V3_R_BN_TO_ASN1_INTEGER_ERROR 101 854#define X509V3_R_BN_TO_ASN1_INTEGER_ERROR 101
855#define X509V3_R_DIRNAME_ERROR 149
630#define X509V3_R_DUPLICATE_ZONE_ID 133 856#define X509V3_R_DUPLICATE_ZONE_ID 133
631#define X509V3_R_ERROR_CONVERTING_ZONE 131 857#define X509V3_R_ERROR_CONVERTING_ZONE 131
632#define X509V3_R_ERROR_CREATING_EXTENSION 144 858#define X509V3_R_ERROR_CREATING_EXTENSION 144
@@ -637,10 +863,15 @@ void ERR_load_X509V3_strings(void);
637#define X509V3_R_EXTENSION_NOT_FOUND 102 863#define X509V3_R_EXTENSION_NOT_FOUND 102
638#define X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED 103 864#define X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED 103
639#define X509V3_R_EXTENSION_VALUE_ERROR 116 865#define X509V3_R_EXTENSION_VALUE_ERROR 116
866#define X509V3_R_ILLEGAL_EMPTY_EXTENSION 151
640#define X509V3_R_ILLEGAL_HEX_DIGIT 113 867#define X509V3_R_ILLEGAL_HEX_DIGIT 113
641#define X509V3_R_INCORRECT_POLICY_SYNTAX_TAG 153 868#define X509V3_R_INCORRECT_POLICY_SYNTAX_TAG 152
869#define X509V3_R_INVALID_ASNUMBER 160
870#define X509V3_R_INVALID_ASRANGE 161
642#define X509V3_R_INVALID_BOOLEAN_STRING 104 871#define X509V3_R_INVALID_BOOLEAN_STRING 104
643#define X509V3_R_INVALID_EXTENSION_STRING 105 872#define X509V3_R_INVALID_EXTENSION_STRING 105
873#define X509V3_R_INVALID_INHERITANCE 162
874#define X509V3_R_INVALID_IPADDRESS 163
644#define X509V3_R_INVALID_NAME 106 875#define X509V3_R_INVALID_NAME 106
645#define X509V3_R_INVALID_NULL_ARGUMENT 107 876#define X509V3_R_INVALID_NULL_ARGUMENT 107
646#define X509V3_R_INVALID_NULL_NAME 108 877#define X509V3_R_INVALID_NULL_NAME 108
@@ -650,9 +881,9 @@ void ERR_load_X509V3_strings(void);
650#define X509V3_R_INVALID_OBJECT_IDENTIFIER 110 881#define X509V3_R_INVALID_OBJECT_IDENTIFIER 110
651#define X509V3_R_INVALID_OPTION 138 882#define X509V3_R_INVALID_OPTION 138
652#define X509V3_R_INVALID_POLICY_IDENTIFIER 134 883#define X509V3_R_INVALID_POLICY_IDENTIFIER 134
653#define X509V3_R_INVALID_PROXY_POLICY_IDENTIFIER 147 884#define X509V3_R_INVALID_PROXY_POLICY_SETTING 153
654#define X509V3_R_INVALID_PROXY_POLICY_SETTING 151
655#define X509V3_R_INVALID_PURPOSE 146 885#define X509V3_R_INVALID_PURPOSE 146
886#define X509V3_R_INVALID_SAFI 164
656#define X509V3_R_INVALID_SECTION 135 887#define X509V3_R_INVALID_SECTION 135
657#define X509V3_R_INVALID_SYNTAX 143 888#define X509V3_R_INVALID_SYNTAX 143
658#define X509V3_R_ISSUER_DECODE_ERROR 126 889#define X509V3_R_ISSUER_DECODE_ERROR 126
@@ -662,16 +893,18 @@ void ERR_load_X509V3_strings(void);
662#define X509V3_R_NO_ISSUER_CERTIFICATE 121 893#define X509V3_R_NO_ISSUER_CERTIFICATE 121
663#define X509V3_R_NO_ISSUER_DETAILS 127 894#define X509V3_R_NO_ISSUER_DETAILS 127
664#define X509V3_R_NO_POLICY_IDENTIFIER 139 895#define X509V3_R_NO_POLICY_IDENTIFIER 139
665#define X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED 148 896#define X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED 154
666#define X509V3_R_NO_PUBLIC_KEY 114 897#define X509V3_R_NO_PUBLIC_KEY 114
667#define X509V3_R_NO_SUBJECT_DETAILS 125 898#define X509V3_R_NO_SUBJECT_DETAILS 125
668#define X509V3_R_ODD_NUMBER_OF_DIGITS 112 899#define X509V3_R_ODD_NUMBER_OF_DIGITS 112
669#define X509V3_R_POLICY_LANGUAGE_ALREADTY_DEFINED 149 900#define X509V3_R_OPERATION_NOT_DEFINED 148
670#define X509V3_R_POLICY_PATH_LENGTH 152 901#define X509V3_R_OTHERNAME_ERROR 147
671#define X509V3_R_POLICY_PATH_LENGTH_ALREADTY_DEFINED 150 902#define X509V3_R_POLICY_LANGUAGE_ALREADTY_DEFINED 155
672#define X509V3_R_POLICY_SYNTAX_NOT 154 903#define X509V3_R_POLICY_PATH_LENGTH 156
673#define X509V3_R_POLICY_SYNTAX_NOT_CURRENTLY_SUPPORTED 155 904#define X509V3_R_POLICY_PATH_LENGTH_ALREADTY_DEFINED 157
674#define X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY 156 905#define X509V3_R_POLICY_SYNTAX_NOT_CURRENTLY_SUPPORTED 158
906#define X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY 159
907#define X509V3_R_SECTION_NOT_FOUND 150
675#define X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS 122 908#define X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS 122
676#define X509V3_R_UNABLE_TO_GET_ISSUER_KEYID 123 909#define X509V3_R_UNABLE_TO_GET_ISSUER_KEYID 123
677#define X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT 111 910#define X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT 111
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-08-04 11:52:46 +0000