2 files changed, 40 insertions, 30 deletions
diff --git a/src/lib/libcrypto/x509v3/v3_purp.c b/src/lib/libcrypto/x509v3/v3_purp.c
index bdcdf95d12..d692a19c25 100644
--- a/src/lib/libcrypto/x509v3/v3_purp.c
+++ b/src/lib/libcrypto/x509v3/v3_purp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: v3_purp.c,v 1.29 2017/01/29 17:49:23 beck Exp $ */
+/* $OpenBSD: v3_purp.c,v 1.30 2017/06/22 17:28:00 jsing Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2001.
 */
@@ -65,6 +65,14 @@
 #include <openssl/x509v3.h>
 #include <openssl/x509_vfy.h>
+#define V1_ROOT (EXFLAG_V1|EXFLAG_SS)
+#define ku_reject(x, usage) \
+        (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage)))
+#define xku_reject(x, usage) \
+        (((x)->ex_flags & EXFLAG_XKUSAGE) && !((x)->ex_xkusage & (usage)))
+#define ns_reject(x, usage) \
+        (((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage)))
 static void x509v3_cache_extensions(X509 *x);
 static int check_ssl_ca(const X509 *x);
@@ -427,19 +435,19 @@ x509v3_cache_extensions(X509 *x)
        ASN1_BIT_STRING *ns;
        EXTENDED_KEY_USAGE *extusage;
        X509_EXTENSION *ex;
        int i;
        if (x->ex_flags & EXFLAG_SET)
                return;
 #ifndef OPENSSL_NO_SHA
        X509_digest(x, EVP_sha1(), x->sha1_hash, NULL);
 #endif
-        /* Does subject name match issuer ? */
-        if (!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x)))
-                x->ex_flags |= EXFLAG_SI;
        /* V1 should mean no extensions ... */
        if (!X509_get_version(x))
                x->ex_flags |= EXFLAG_V1;
        /* Handle basic constraints */
        if ((bs = X509_get_ext_d2i(x, NID_basic_constraints, NULL, NULL))) {
                if (bs->ca)
@@ -456,6 +464,7 @@ x509v3_cache_extensions(X509 *x)
                BASIC_CONSTRAINTS_free(bs);
                x->ex_flags |= EXFLAG_BCONS;
        }
        /* Handle proxy certificates */
        if ((pci = X509_get_ext_d2i(x, NID_proxyCertInfo, NULL, NULL))) {
                if (x->ex_flags & EXFLAG_CA ||
@@ -477,6 +486,7 @@ x509v3_cache_extensions(X509 *x)
                PROXY_CERT_INFO_EXTENSION_free(pci);
                x->ex_flags |= EXFLAG_PROXY;
        }
        /* Handle key usage */
        if ((usage = X509_get_ext_d2i(x, NID_key_usage, NULL, NULL))) {
                if (usage->length > 0) {
@@ -541,6 +551,16 @@ x509v3_cache_extensions(X509 *x)
        x->skid = X509_get_ext_d2i(x, NID_subject_key_identifier, NULL, NULL);
        x->akid = X509_get_ext_d2i(x, NID_authority_key_identifier, NULL, NULL);
+        /* Does subject name match issuer? */
+        if (!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x))) {
+                x->ex_flags |= EXFLAG_SI;
+                /* If SKID matches AKID also indicate self signed. */
+                if (X509_check_akid(x, x->akid) == X509_V_OK &&
+                    !ku_reject(x, KU_KEY_CERT_SIGN))
+                        x->ex_flags |= EXFLAG_SS;
+        }
        x->altname = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
        x->nc = X509_get_ext_d2i(x, NID_name_constraints, &i, NULL);
        if (!x->nc && (i != -1))
@@ -571,14 +591,6 @@ x509v3_cache_extensions(X509 *x)
 * 4 basicConstraints absent but keyUsage present and keyCertSign asserted.
 */
-#define V1_ROOT (EXFLAG_V1|EXFLAG_SS)
-#define ku_reject(x, usage) \
-        (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage)))
-#define xku_reject(x, usage) \
-        (((x)->ex_flags & EXFLAG_XKUSAGE) && !((x)->ex_xkusage & (usage)))
-#define ns_reject(x, usage) \
-        (((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage)))
 static int
 check_ca(const X509 *x)
 {
diff --git a/src/lib/libcrypto/x509v3/x509v3.h b/src/lib/libcrypto/x509v3/x509v3.h
index 0a8f66f917..fbafd694ed 100644
--- a/src/lib/libcrypto/x509v3/x509v3.h
+++ b/src/lib/libcrypto/x509v3/x509v3.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509v3.h,v 1.21 2016/12/30 16:19:24 jsing Exp $ */
+/* $OpenBSD: x509v3.h,v 1.22 2017/06/22 17:28:00 jsing Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -411,23 +411,21 @@ struct ISSUING_DIST_POINT_st
 /* X509_PURPOSE stuff */
-#define EXFLAG_BCONS            0x1
+#define EXFLAG_BCONS            0x0001
-#define EXFLAG_KUSAGE           0x2
+#define EXFLAG_KUSAGE           0x0002
-#define EXFLAG_XKUSAGE          0x4
+#define EXFLAG_XKUSAGE          0x0004
-#define EXFLAG_NSCERT           0x8
+#define EXFLAG_NSCERT           0x0008
-#define EXFLAG_CA               0x10
+#define EXFLAG_CA               0x0010
-/* Really self issued not necessarily self signed */
+#define EXFLAG_SI               0x0020  /* Self issued. */
-#define EXFLAG_SI               0x20
+#define EXFLAG_V1               0x0040
-#define EXFLAG_SS               0x20
+#define EXFLAG_INVALID          0x0080
-#define EXFLAG_V1               0x40
+#define EXFLAG_SET              0x0100
-#define EXFLAG_INVALID          0x80
+#define EXFLAG_CRITICAL         0x0200
-#define EXFLAG_SET              0x100
+#define EXFLAG_PROXY            0x0400
-#define EXFLAG_CRITICAL         0x200
+#define EXFLAG_INVALID_POLICY   0x0800
-#define EXFLAG_PROXY            0x400
-#define EXFLAG_INVALID_POLICY   0x800
 #define EXFLAG_FRESHEST         0x1000
+#define EXFLAG_SS               0x2000  /* Self signed. */
 #define KU_DIGITAL_SIGNATURE    0x0080
 #define KU_NON_REPUDIATION      0x0040

diff --git a/src/lib/libcrypto/x509v3/v3_purp.c b/src/lib/libcrypto/x509v3/v3_purp.c index bdcdf95d12..d692a19c25 100644 --- a/src/lib/libcrypto/x509v3/v3_purp.c +++ b/src/lib/libcrypto/x509v3/v3_purp.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: v3_purp.c,v 1.29 2017/01/29 17:49:23 beck Exp $ */	1	/* $OpenBSD: v3_purp.c,v 1.30 2017/06/22 17:28:00 jsing Exp $ */
2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL	2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3	* project 2001.	3	* project 2001.
4	*/	4	*/
@@ -65,6 +65,14 @@
65	#include <openssl/x509v3.h>	65	#include <openssl/x509v3.h>
66	#include <openssl/x509_vfy.h>	66	#include <openssl/x509_vfy.h>
67		67
		68	#define V1_ROOT (EXFLAG_V1\|EXFLAG_SS)
		69	#define ku_reject(x, usage) \
		70	(((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage)))
		71	#define xku_reject(x, usage) \
		72	(((x)->ex_flags & EXFLAG_XKUSAGE) && !((x)->ex_xkusage & (usage)))
		73	#define ns_reject(x, usage) \
		74	(((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage)))
		75
68	static void x509v3_cache_extensions(X509 *x);	76	static void x509v3_cache_extensions(X509 *x);
69		77
70	static int check_ssl_ca(const X509 *x);	78	static int check_ssl_ca(const X509 *x);
@@ -427,19 +435,19 @@ x509v3_cache_extensions(X509 *x)
427	ASN1_BIT_STRING *ns;	435	ASN1_BIT_STRING *ns;
428	EXTENDED_KEY_USAGE *extusage;	436	EXTENDED_KEY_USAGE *extusage;
429	X509_EXTENSION *ex;	437	X509_EXTENSION *ex;
430
431	int i;	438	int i;
		439
432	if (x->ex_flags & EXFLAG_SET)	440	if (x->ex_flags & EXFLAG_SET)
433	return;	441	return;
		442
434	#ifndef OPENSSL_NO_SHA	443	#ifndef OPENSSL_NO_SHA
435	X509_digest(x, EVP_sha1(), x->sha1_hash, NULL);	444	X509_digest(x, EVP_sha1(), x->sha1_hash, NULL);
436	#endif	445	#endif
437	/* Does subject name match issuer ? */	446
438	if (!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x)))
439	x->ex_flags \|= EXFLAG_SI;
440	/* V1 should mean no extensions ... */	447	/* V1 should mean no extensions ... */
441	if (!X509_get_version(x))	448	if (!X509_get_version(x))
442	x->ex_flags \|= EXFLAG_V1;	449	x->ex_flags \|= EXFLAG_V1;
		450
443	/* Handle basic constraints */	451	/* Handle basic constraints */
444	if ((bs = X509_get_ext_d2i(x, NID_basic_constraints, NULL, NULL))) {	452	if ((bs = X509_get_ext_d2i(x, NID_basic_constraints, NULL, NULL))) {
445	if (bs->ca)	453	if (bs->ca)
@@ -456,6 +464,7 @@ x509v3_cache_extensions(X509 *x)
456	BASIC_CONSTRAINTS_free(bs);	464	BASIC_CONSTRAINTS_free(bs);
457	x->ex_flags \|= EXFLAG_BCONS;	465	x->ex_flags \|= EXFLAG_BCONS;
458	}	466	}
		467
459	/* Handle proxy certificates */	468	/* Handle proxy certificates */
460	if ((pci = X509_get_ext_d2i(x, NID_proxyCertInfo, NULL, NULL))) {	469	if ((pci = X509_get_ext_d2i(x, NID_proxyCertInfo, NULL, NULL))) {
461	if (x->ex_flags & EXFLAG_CA \|\|	470	if (x->ex_flags & EXFLAG_CA \|\|
@@ -477,6 +486,7 @@ x509v3_cache_extensions(X509 *x)
477	PROXY_CERT_INFO_EXTENSION_free(pci);	486	PROXY_CERT_INFO_EXTENSION_free(pci);
478	x->ex_flags \|= EXFLAG_PROXY;	487	x->ex_flags \|= EXFLAG_PROXY;
479	}	488	}
		489
480	/* Handle key usage */	490	/* Handle key usage */
481	if ((usage = X509_get_ext_d2i(x, NID_key_usage, NULL, NULL))) {	491	if ((usage = X509_get_ext_d2i(x, NID_key_usage, NULL, NULL))) {
482	if (usage->length > 0) {	492	if (usage->length > 0) {
@@ -541,6 +551,16 @@ x509v3_cache_extensions(X509 *x)
541		551
542	x->skid = X509_get_ext_d2i(x, NID_subject_key_identifier, NULL, NULL);	552	x->skid = X509_get_ext_d2i(x, NID_subject_key_identifier, NULL, NULL);
543	x->akid = X509_get_ext_d2i(x, NID_authority_key_identifier, NULL, NULL);	553	x->akid = X509_get_ext_d2i(x, NID_authority_key_identifier, NULL, NULL);
		554
		555	/* Does subject name match issuer? */
		556	if (!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x))) {
		557	x->ex_flags \|= EXFLAG_SI;
		558	/* If SKID matches AKID also indicate self signed. */
		559	if (X509_check_akid(x, x->akid) == X509_V_OK &&
		560	!ku_reject(x, KU_KEY_CERT_SIGN))
		561	x->ex_flags \|= EXFLAG_SS;
		562	}
		563
544	x->altname = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);	564	x->altname = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
545	x->nc = X509_get_ext_d2i(x, NID_name_constraints, &i, NULL);	565	x->nc = X509_get_ext_d2i(x, NID_name_constraints, &i, NULL);
546	if (!x->nc && (i != -1))	566	if (!x->nc && (i != -1))
@@ -571,14 +591,6 @@ x509v3_cache_extensions(X509 *x)
571	* 4 basicConstraints absent but keyUsage present and keyCertSign asserted.	591	* 4 basicConstraints absent but keyUsage present and keyCertSign asserted.
572	*/	592	*/
573		593
574	#define V1_ROOT (EXFLAG_V1\|EXFLAG_SS)
575	#define ku_reject(x, usage) \
576	(((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage)))
577	#define xku_reject(x, usage) \
578	(((x)->ex_flags & EXFLAG_XKUSAGE) && !((x)->ex_xkusage & (usage)))
579	#define ns_reject(x, usage) \
580	(((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage)))
581
582	static int	594	static int
583	check_ca(const X509 *x)	595	check_ca(const X509 *x)
584	{	596	{


diff --git a/src/lib/libcrypto/x509v3/x509v3.h b/src/lib/libcrypto/x509v3/x509v3.h index 0a8f66f917..fbafd694ed 100644 --- a/src/lib/libcrypto/x509v3/x509v3.h +++ b/src/lib/libcrypto/x509v3/x509v3.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: x509v3.h,v 1.21 2016/12/30 16:19:24 jsing Exp $ */	1	/* $OpenBSD: x509v3.h,v 1.22 2017/06/22 17:28:00 jsing Exp $ */
2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL	2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3	* project 1999.	3	* project 1999.
4	*/	4	*/
@@ -411,23 +411,21 @@ struct ISSUING_DIST_POINT_st
411		411
412	/* X509_PURPOSE stuff */	412	/* X509_PURPOSE stuff */
413		413
414	#define EXFLAG_BCONS 0x1	414	#define EXFLAG_BCONS 0x0001
415	#define EXFLAG_KUSAGE 0x2	415	#define EXFLAG_KUSAGE 0x0002
416	#define EXFLAG_XKUSAGE 0x4	416	#define EXFLAG_XKUSAGE 0x0004
417	#define EXFLAG_NSCERT 0x8	417	#define EXFLAG_NSCERT 0x0008
418		418
419	#define EXFLAG_CA 0x10	419	#define EXFLAG_CA 0x0010
420	/* Really self issued not necessarily self signed */	420	#define EXFLAG_SI 0x0020 /* Self issued. */
421	#define EXFLAG_SI 0x20	421	#define EXFLAG_V1 0x0040
422	#define EXFLAG_SS 0x20	422	#define EXFLAG_INVALID 0x0080
423	#define EXFLAG_V1 0x40	423	#define EXFLAG_SET 0x0100
424	#define EXFLAG_INVALID 0x80	424	#define EXFLAG_CRITICAL 0x0200
425	#define EXFLAG_SET 0x100	425	#define EXFLAG_PROXY 0x0400
426	#define EXFLAG_CRITICAL 0x200	426	#define EXFLAG_INVALID_POLICY 0x0800
427	#define EXFLAG_PROXY 0x400
428
429	#define EXFLAG_INVALID_POLICY 0x800
430	#define EXFLAG_FRESHEST 0x1000	427	#define EXFLAG_FRESHEST 0x1000
		428	#define EXFLAG_SS 0x2000 /* Self signed. */
431		429
432	#define KU_DIGITAL_SIGNATURE 0x0080	430	#define KU_DIGITAL_SIGNATURE 0x0080
433	#define KU_NON_REPUDIATION 0x0040	431	#define KU_NON_REPUDIATION 0x0040