summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/lib/libcrypto/x509v3/v3_ncons.c258
-rw-r--r--src/lib/libcrypto/x509v3/v3_ocsp.c230
-rw-r--r--src/lib/libssl/src/crypto/x509v3/v3_ncons.c258
-rw-r--r--src/lib/libssl/src/crypto/x509v3/v3_ocsp.c230
4 files changed, 498 insertions, 478 deletions
diff --git a/src/lib/libcrypto/x509v3/v3_ncons.c b/src/lib/libcrypto/x509v3/v3_ncons.c
index a01dc64dd2..695176471b 100644
--- a/src/lib/libcrypto/x509v3/v3_ncons.c
+++ b/src/lib/libcrypto/x509v3/v3_ncons.c
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -64,12 +64,11 @@
64#include <openssl/x509v3.h> 64#include <openssl/x509v3.h>
65 65
66static void *v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method, 66static void *v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method,
67 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval); 67 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
68static int i2r_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method, 68static int i2r_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method,
69 void *a, BIO *bp, int ind); 69 void *a, BIO *bp, int ind);
70static int do_i2r_name_constraints(const X509V3_EXT_METHOD *method, 70static int do_i2r_name_constraints(const X509V3_EXT_METHOD *method,
71 STACK_OF(GENERAL_SUBTREE) *trees, 71 STACK_OF(GENERAL_SUBTREE) *trees, BIO *bp, int ind, char *name);
72 BIO *bp, int ind, char *name);
73static int print_nc_ipadd(BIO *bp, ASN1_OCTET_STRING *ip); 72static int print_nc_ipadd(BIO *bp, ASN1_OCTET_STRING *ip);
74 73
75static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc); 74static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc);
@@ -82,10 +81,10 @@ static int nc_uri(ASN1_IA5STRING *uri, ASN1_IA5STRING *base);
82const X509V3_EXT_METHOD v3_name_constraints = { 81const X509V3_EXT_METHOD v3_name_constraints = {
83 NID_name_constraints, 0, 82 NID_name_constraints, 0,
84 ASN1_ITEM_ref(NAME_CONSTRAINTS), 83 ASN1_ITEM_ref(NAME_CONSTRAINTS),
85 0,0,0,0, 84 0, 0, 0, 0,
86 0,0, 85 0, 0,
87 0, v2i_NAME_CONSTRAINTS, 86 0, v2i_NAME_CONSTRAINTS,
88 i2r_NAME_CONSTRAINTS,0, 87 i2r_NAME_CONSTRAINTS, 0,
89 NULL 88 NULL
90}; 89};
91 90
@@ -97,44 +96,41 @@ ASN1_SEQUENCE(GENERAL_SUBTREE) = {
97 96
98ASN1_SEQUENCE(NAME_CONSTRAINTS) = { 97ASN1_SEQUENCE(NAME_CONSTRAINTS) = {
99 ASN1_IMP_SEQUENCE_OF_OPT(NAME_CONSTRAINTS, permittedSubtrees, 98 ASN1_IMP_SEQUENCE_OF_OPT(NAME_CONSTRAINTS, permittedSubtrees,
100 GENERAL_SUBTREE, 0), 99 GENERAL_SUBTREE, 0),
101 ASN1_IMP_SEQUENCE_OF_OPT(NAME_CONSTRAINTS, excludedSubtrees, 100 ASN1_IMP_SEQUENCE_OF_OPT(NAME_CONSTRAINTS, excludedSubtrees,
102 GENERAL_SUBTREE, 1), 101 GENERAL_SUBTREE, 1),
103} ASN1_SEQUENCE_END(NAME_CONSTRAINTS) 102} ASN1_SEQUENCE_END(NAME_CONSTRAINTS)
104 103
105 104
106IMPLEMENT_ASN1_ALLOC_FUNCTIONS(GENERAL_SUBTREE) 105IMPLEMENT_ASN1_ALLOC_FUNCTIONS(GENERAL_SUBTREE)
107IMPLEMENT_ASN1_ALLOC_FUNCTIONS(NAME_CONSTRAINTS) 106IMPLEMENT_ASN1_ALLOC_FUNCTIONS(NAME_CONSTRAINTS)
108 107
109static void *v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method, 108static void *
110 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval) 109v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
111 { 110 STACK_OF(CONF_VALUE) *nval)
111{
112 int i; 112 int i;
113 CONF_VALUE tval, *val; 113 CONF_VALUE tval, *val;
114 STACK_OF(GENERAL_SUBTREE) **ptree = NULL; 114 STACK_OF(GENERAL_SUBTREE) **ptree = NULL;
115 NAME_CONSTRAINTS *ncons = NULL; 115 NAME_CONSTRAINTS *ncons = NULL;
116 GENERAL_SUBTREE *sub = NULL; 116 GENERAL_SUBTREE *sub = NULL;
117
117 ncons = NAME_CONSTRAINTS_new(); 118 ncons = NAME_CONSTRAINTS_new();
118 if (!ncons) 119 if (!ncons)
119 goto memerr; 120 goto memerr;
120 for(i = 0; i < sk_CONF_VALUE_num(nval); i++) 121 for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
121 {
122 val = sk_CONF_VALUE_value(nval, i); 122 val = sk_CONF_VALUE_value(nval, i);
123 if (!strncmp(val->name, "permitted", 9) && val->name[9]) 123 if (!strncmp(val->name, "permitted", 9) && val->name[9]) {
124 {
125 ptree = &ncons->permittedSubtrees; 124 ptree = &ncons->permittedSubtrees;
126 tval.name = val->name + 10; 125 tval.name = val->name + 10;
127 } 126 } else if (!strncmp(val->name, "excluded", 8) && val->name[8]) {
128 else if (!strncmp(val->name, "excluded", 8) && val->name[8])
129 {
130 ptree = &ncons->excludedSubtrees; 127 ptree = &ncons->excludedSubtrees;
131 tval.name = val->name + 9; 128 tval.name = val->name + 9;
132 } 129 } else {
133 else 130 X509V3err(X509V3_F_V2I_NAME_CONSTRAINTS,
134 { 131 X509V3_R_INVALID_SYNTAX);
135 X509V3err(X509V3_F_V2I_NAME_CONSTRAINTS, X509V3_R_INVALID_SYNTAX);
136 goto err; 132 goto err;
137 } 133 }
138 tval.value = val->value; 134 tval.value = val->value;
139 sub = GENERAL_SUBTREE_new(); 135 sub = GENERAL_SUBTREE_new();
140 if (!v2i_GENERAL_NAME_ex(sub->base, method, ctx, &tval, 1)) 136 if (!v2i_GENERAL_NAME_ex(sub->base, method, ctx, &tval, 1))
@@ -144,45 +140,43 @@ static void *v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method,
144 if (!*ptree || !sk_GENERAL_SUBTREE_push(*ptree, sub)) 140 if (!*ptree || !sk_GENERAL_SUBTREE_push(*ptree, sub))
145 goto memerr; 141 goto memerr;
146 sub = NULL; 142 sub = NULL;
147 } 143 }
148 144
149 return ncons; 145 return ncons;
150 146
151 memerr: 147memerr:
152 X509V3err(X509V3_F_V2I_NAME_CONSTRAINTS, ERR_R_MALLOC_FAILURE); 148 X509V3err(X509V3_F_V2I_NAME_CONSTRAINTS, ERR_R_MALLOC_FAILURE);
153 err: 149err:
154 if (ncons) 150 if (ncons)
155 NAME_CONSTRAINTS_free(ncons); 151 NAME_CONSTRAINTS_free(ncons);
156 if (sub) 152 if (sub)
157 GENERAL_SUBTREE_free(sub); 153 GENERAL_SUBTREE_free(sub);
158 154
159 return NULL; 155 return NULL;
160 } 156}
161
162 157
163 158static int
164 159i2r_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method, void *a, BIO *bp, int ind)
165static int i2r_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method, void *a, 160{
166 BIO *bp, int ind)
167 {
168 NAME_CONSTRAINTS *ncons = a; 161 NAME_CONSTRAINTS *ncons = a;
162
169 do_i2r_name_constraints(method, ncons->permittedSubtrees, 163 do_i2r_name_constraints(method, ncons->permittedSubtrees,
170 bp, ind, "Permitted"); 164 bp, ind, "Permitted");
171 do_i2r_name_constraints(method, ncons->excludedSubtrees, 165 do_i2r_name_constraints(method, ncons->excludedSubtrees,
172 bp, ind, "Excluded"); 166 bp, ind, "Excluded");
173 return 1; 167 return 1;
174 } 168}
175 169
176static int do_i2r_name_constraints(const X509V3_EXT_METHOD *method, 170static int
177 STACK_OF(GENERAL_SUBTREE) *trees, 171do_i2r_name_constraints(const X509V3_EXT_METHOD *method,
178 BIO *bp, int ind, char *name) 172 STACK_OF(GENERAL_SUBTREE) *trees, BIO *bp, int ind, char *name)
179 { 173{
180 GENERAL_SUBTREE *tree; 174 GENERAL_SUBTREE *tree;
181 int i; 175 int i;
176
182 if (sk_GENERAL_SUBTREE_num(trees) > 0) 177 if (sk_GENERAL_SUBTREE_num(trees) > 0)
183 BIO_printf(bp, "%*s%s:\n", ind, "", name); 178 BIO_printf(bp, "%*s%s:\n", ind, "", name);
184 for(i = 0; i < sk_GENERAL_SUBTREE_num(trees); i++) 179 for (i = 0; i < sk_GENERAL_SUBTREE_num(trees); i++) {
185 {
186 tree = sk_GENERAL_SUBTREE_value(trees, i); 180 tree = sk_GENERAL_SUBTREE_value(trees, i);
187 BIO_printf(bp, "%*s", ind + 2, ""); 181 BIO_printf(bp, "%*s", ind + 2, "");
188 if (tree->base->type == GEN_IPADD) 182 if (tree->base->type == GEN_IPADD)
@@ -190,39 +184,35 @@ static int do_i2r_name_constraints(const X509V3_EXT_METHOD *method,
190 else 184 else
191 GENERAL_NAME_print(bp, tree->base); 185 GENERAL_NAME_print(bp, tree->base);
192 BIO_puts(bp, "\n"); 186 BIO_puts(bp, "\n");
193 }
194 return 1;
195 } 187 }
188 return 1;
189}
196 190
197static int print_nc_ipadd(BIO *bp, ASN1_OCTET_STRING *ip) 191static int
198 { 192print_nc_ipadd(BIO *bp, ASN1_OCTET_STRING *ip)
193{
199 int i, len; 194 int i, len;
200 unsigned char *p; 195 unsigned char *p;
196
201 p = ip->data; 197 p = ip->data;
202 len = ip->length; 198 len = ip->length;
203 BIO_puts(bp, "IP:"); 199 BIO_puts(bp, "IP:");
204 if(len == 8) 200 if (len == 8) {
205 {
206 BIO_printf(bp, "%d.%d.%d.%d/%d.%d.%d.%d", 201 BIO_printf(bp, "%d.%d.%d.%d/%d.%d.%d.%d",
207 p[0], p[1], p[2], p[3], 202 p[0], p[1], p[2], p[3], p[4], p[5], p[6], p[7]);
208 p[4], p[5], p[6], p[7]); 203 } else if (len == 32) {
209 } 204 for (i = 0; i < 16; i++) {
210 else if(len == 32)
211 {
212 for (i = 0; i < 16; i++)
213 {
214 BIO_printf(bp, "%X", p[0] << 8 | p[1]); 205 BIO_printf(bp, "%X", p[0] << 8 | p[1]);
215 p += 2; 206 p += 2;
216 if (i == 7) 207 if (i == 7)
217 BIO_puts(bp, "/"); 208 BIO_puts(bp, "/");
218 else if (i != 15) 209 else if (i != 15)
219 BIO_puts(bp, ":"); 210 BIO_puts(bp, ":");
220 }
221 } 211 }
222 else 212 } else
223 BIO_printf(bp, "IP Address:<invalid>"); 213 BIO_printf(bp, "IP Address:<invalid>");
224 return 1; 214 return 1;
225 } 215}
226 216
227/* Check a certificate conforms to a specified set of constraints. 217/* Check a certificate conforms to a specified set of constraints.
228 * Return values: 218 * Return values:
@@ -233,18 +223,17 @@ static int print_nc_ipadd(BIO *bp, ASN1_OCTET_STRING *ip)
233 * X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE: Unsupported constraint type. 223 * X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE: Unsupported constraint type.
234 * X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX: bad unsupported constraint syntax. 224 * X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX: bad unsupported constraint syntax.
235 * X509_V_ERR_UNSUPPORTED_NAME_SYNTAX: bad or unsupported syntax of name 225 * X509_V_ERR_UNSUPPORTED_NAME_SYNTAX: bad or unsupported syntax of name
236
237 */ 226 */
238 227
239int NAME_CONSTRAINTS_check(X509 *x, NAME_CONSTRAINTS *nc) 228int
240 { 229NAME_CONSTRAINTS_check(X509 *x, NAME_CONSTRAINTS *nc)
230{
241 int r, i; 231 int r, i;
242 X509_NAME *nm; 232 X509_NAME *nm;
243 233
244 nm = X509_get_subject_name(x); 234 nm = X509_get_subject_name(x);
245 235
246 if (X509_NAME_entry_count(nm) > 0) 236 if (X509_NAME_entry_count(nm) > 0) {
247 {
248 GENERAL_NAME gntmp; 237 GENERAL_NAME gntmp;
249 gntmp.type = GEN_DIRNAME; 238 gntmp.type = GEN_DIRNAME;
250 gntmp.d.directoryName = nm; 239 gntmp.d.directoryName = nm;
@@ -256,15 +245,12 @@ int NAME_CONSTRAINTS_check(X509 *x, NAME_CONSTRAINTS *nc)
256 245
257 gntmp.type = GEN_EMAIL; 246 gntmp.type = GEN_EMAIL;
258 247
259
260 /* Process any email address attributes in subject name */ 248 /* Process any email address attributes in subject name */
261 249
262 for (i = -1;;) 250 for (i = -1;;) {
263 {
264 X509_NAME_ENTRY *ne; 251 X509_NAME_ENTRY *ne;
265 i = X509_NAME_get_index_by_NID(nm, 252 i = X509_NAME_get_index_by_NID(nm,
266 NID_pkcs9_emailAddress, 253 NID_pkcs9_emailAddress, i);
267 i);
268 if (i == -1) 254 if (i == -1)
269 break; 255 break;
270 ne = X509_NAME_get_entry(nm, i); 256 ne = X509_NAME_get_entry(nm, i);
@@ -276,24 +262,23 @@ int NAME_CONSTRAINTS_check(X509 *x, NAME_CONSTRAINTS *nc)
276 262
277 if (r != X509_V_OK) 263 if (r != X509_V_OK)
278 return r; 264 return r;
279 }
280
281 } 265 }
282 266
283 for (i = 0; i < sk_GENERAL_NAME_num(x->altname); i++) 267 }
284 { 268
269 for (i = 0; i < sk_GENERAL_NAME_num(x->altname); i++) {
285 GENERAL_NAME *gen = sk_GENERAL_NAME_value(x->altname, i); 270 GENERAL_NAME *gen = sk_GENERAL_NAME_value(x->altname, i);
286 r = nc_match(gen, nc); 271 r = nc_match(gen, nc);
287 if (r != X509_V_OK) 272 if (r != X509_V_OK)
288 return r; 273 return r;
289 } 274 }
290 275
291 return X509_V_OK; 276 return X509_V_OK;
277}
292 278
293 } 279static int
294 280nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc)
295static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc) 281{
296 {
297 GENERAL_SUBTREE *sub; 282 GENERAL_SUBTREE *sub;
298 int i, r, match = 0; 283 int i, r, match = 0;
299 284
@@ -301,8 +286,7 @@ static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc)
301 * at least one subtree must match. 286 * at least one subtree must match.
302 */ 287 */
303 288
304 for (i = 0; i < sk_GENERAL_SUBTREE_num(nc->permittedSubtrees); i++) 289 for (i = 0; i < sk_GENERAL_SUBTREE_num(nc->permittedSubtrees); i++) {
305 {
306 sub = sk_GENERAL_SUBTREE_value(nc->permittedSubtrees, i); 290 sub = sk_GENERAL_SUBTREE_value(nc->permittedSubtrees, i);
307 if (gen->type != sub->base->type) 291 if (gen->type != sub->base->type)
308 continue; 292 continue;
@@ -318,15 +302,14 @@ static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc)
318 match = 2; 302 match = 2;
319 else if (r != X509_V_ERR_PERMITTED_VIOLATION) 303 else if (r != X509_V_ERR_PERMITTED_VIOLATION)
320 return r; 304 return r;
321 } 305 }
322 306
323 if (match == 1) 307 if (match == 1)
324 return X509_V_ERR_PERMITTED_VIOLATION; 308 return X509_V_ERR_PERMITTED_VIOLATION;
325 309
326 /* Excluded subtrees: must not match any of these */ 310 /* Excluded subtrees: must not match any of these */
327 311
328 for (i = 0; i < sk_GENERAL_SUBTREE_num(nc->excludedSubtrees); i++) 312 for (i = 0; i < sk_GENERAL_SUBTREE_num(nc->excludedSubtrees); i++) {
329 {
330 sub = sk_GENERAL_SUBTREE_value(nc->excludedSubtrees, i); 313 sub = sk_GENERAL_SUBTREE_value(nc->excludedSubtrees, i);
331 if (gen->type != sub->base->type) 314 if (gen->type != sub->base->type)
332 continue; 315 continue;
@@ -339,42 +322,41 @@ static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc)
339 else if (r != X509_V_ERR_PERMITTED_VIOLATION) 322 else if (r != X509_V_ERR_PERMITTED_VIOLATION)
340 return r; 323 return r;
341 324
342 } 325 }
343 326
344 return X509_V_OK; 327 return X509_V_OK;
328}
345 329
346 } 330static int
347 331nc_match_single(GENERAL_NAME *gen, GENERAL_NAME *base)
348static int nc_match_single(GENERAL_NAME *gen, GENERAL_NAME *base) 332{
349 { 333 switch (base->type) {
350 switch(base->type) 334 case GEN_DIRNAME:
351 {
352 case GEN_DIRNAME:
353 return nc_dn(gen->d.directoryName, base->d.directoryName); 335 return nc_dn(gen->d.directoryName, base->d.directoryName);
354 336
355 case GEN_DNS: 337 case GEN_DNS:
356 return nc_dns(gen->d.dNSName, base->d.dNSName); 338 return nc_dns(gen->d.dNSName, base->d.dNSName);
357 339
358 case GEN_EMAIL: 340 case GEN_EMAIL:
359 return nc_email(gen->d.rfc822Name, base->d.rfc822Name); 341 return nc_email(gen->d.rfc822Name, base->d.rfc822Name);
360 342
361 case GEN_URI: 343 case GEN_URI:
362 return nc_uri(gen->d.uniformResourceIdentifier, 344 return nc_uri(gen->d.uniformResourceIdentifier,
363 base->d.uniformResourceIdentifier); 345 base->d.uniformResourceIdentifier);
364 346
365 default: 347 default:
366 return X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE; 348 return X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE;
367 }
368
369 } 349 }
350}
370 351
371/* directoryName name constraint matching. 352/* directoryName name constraint matching.
372 * The canonical encoding of X509_NAME makes this comparison easy. It is 353 * The canonical encoding of X509_NAME makes this comparison easy. It is
373 * matched if the subtree is a subset of the name. 354 * matched if the subtree is a subset of the name.
374 */ 355 */
375 356
376static int nc_dn(X509_NAME *nm, X509_NAME *base) 357static int
377 { 358nc_dn(X509_NAME *nm, X509_NAME *base)
359{
378 /* Ensure canonical encodings are up to date. */ 360 /* Ensure canonical encodings are up to date. */
379 if (nm->modified && i2d_X509_NAME(nm, NULL) < 0) 361 if (nm->modified && i2d_X509_NAME(nm, NULL) < 0)
380 return X509_V_ERR_OUT_OF_MEM; 362 return X509_V_ERR_OUT_OF_MEM;
@@ -385,12 +367,14 @@ static int nc_dn(X509_NAME *nm, X509_NAME *base)
385 if (memcmp(base->canon_enc, nm->canon_enc, base->canon_enclen)) 367 if (memcmp(base->canon_enc, nm->canon_enc, base->canon_enclen))
386 return X509_V_ERR_PERMITTED_VIOLATION; 368 return X509_V_ERR_PERMITTED_VIOLATION;
387 return X509_V_OK; 369 return X509_V_OK;
388 } 370}
389 371
390static int nc_dns(ASN1_IA5STRING *dns, ASN1_IA5STRING *base) 372static int
391 { 373nc_dns(ASN1_IA5STRING *dns, ASN1_IA5STRING *base)
374{
392 char *baseptr = (char *)base->data; 375 char *baseptr = (char *)base->data;
393 char *dnsptr = (char *)dns->data; 376 char *dnsptr = (char *)dns->data;
377
394 /* Empty matches everything */ 378 /* Empty matches everything */
395 if (!*baseptr) 379 if (!*baseptr)
396 return X509_V_OK; 380 return X509_V_OK;
@@ -398,71 +382,67 @@ static int nc_dns(ASN1_IA5STRING *dns, ASN1_IA5STRING *base)
398 * compare RHS and if dns is longer and expect '.' as preceding 382 * compare RHS and if dns is longer and expect '.' as preceding
399 * character. 383 * character.
400 */ 384 */
401 if (dns->length > base->length) 385 if (dns->length > base->length) {
402 {
403 dnsptr += dns->length - base->length; 386 dnsptr += dns->length - base->length;
404 if (dnsptr[-1] != '.') 387 if (dnsptr[-1] != '.')
405 return X509_V_ERR_PERMITTED_VIOLATION; 388 return X509_V_ERR_PERMITTED_VIOLATION;
406 } 389 }
407 390
408 if (strcasecmp(baseptr, dnsptr)) 391 if (strcasecmp(baseptr, dnsptr))
409 return X509_V_ERR_PERMITTED_VIOLATION; 392 return X509_V_ERR_PERMITTED_VIOLATION;
410 393
411 return X509_V_OK; 394 return X509_V_OK;
395}
412 396
413 } 397static int
414 398nc_email(ASN1_IA5STRING *eml, ASN1_IA5STRING *base)
415static int nc_email(ASN1_IA5STRING *eml, ASN1_IA5STRING *base) 399{
416 {
417 const char *baseptr = (char *)base->data; 400 const char *baseptr = (char *)base->data;
418 const char *emlptr = (char *)eml->data; 401 const char *emlptr = (char *)eml->data;
419
420 const char *baseat = strchr(baseptr, '@'); 402 const char *baseat = strchr(baseptr, '@');
421 const char *emlat = strchr(emlptr, '@'); 403 const char *emlat = strchr(emlptr, '@');
404
422 if (!emlat) 405 if (!emlat)
423 return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX; 406 return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
424 /* Special case: inital '.' is RHS match */ 407 /* Special case: inital '.' is RHS match */
425 if (!baseat && (*baseptr == '.')) 408 if (!baseat && (*baseptr == '.')) {
426 { 409 if (eml->length > base->length) {
427 if (eml->length > base->length)
428 {
429 emlptr += eml->length - base->length; 410 emlptr += eml->length - base->length;
430 if (!strcasecmp(baseptr, emlptr)) 411 if (!strcasecmp(baseptr, emlptr))
431 return X509_V_OK; 412 return X509_V_OK;
432 }
433 return X509_V_ERR_PERMITTED_VIOLATION;
434 } 413 }
414 return X509_V_ERR_PERMITTED_VIOLATION;
415 }
435 416
436 /* If we have anything before '@' match local part */ 417 /* If we have anything before '@' match local part */
437 418
438 if (baseat) 419 if (baseat) {
439 { 420 if (baseat != baseptr) {
440 if (baseat != baseptr)
441 {
442 if ((baseat - baseptr) != (emlat - emlptr)) 421 if ((baseat - baseptr) != (emlat - emlptr))
443 return X509_V_ERR_PERMITTED_VIOLATION; 422 return X509_V_ERR_PERMITTED_VIOLATION;
444 /* Case sensitive match of local part */ 423 /* Case sensitive match of local part */
445 if (strncmp(baseptr, emlptr, emlat - emlptr)) 424 if (strncmp(baseptr, emlptr, emlat - emlptr))
446 return X509_V_ERR_PERMITTED_VIOLATION; 425 return X509_V_ERR_PERMITTED_VIOLATION;
447 } 426 }
448 /* Position base after '@' */ 427 /* Position base after '@' */
449 baseptr = baseat + 1; 428 baseptr = baseat + 1;
450 } 429 }
451 emlptr = emlat + 1; 430 emlptr = emlat + 1;
452 /* Just have hostname left to match: case insensitive */ 431 /* Just have hostname left to match: case insensitive */
453 if (strcasecmp(baseptr, emlptr)) 432 if (strcasecmp(baseptr, emlptr))
454 return X509_V_ERR_PERMITTED_VIOLATION; 433 return X509_V_ERR_PERMITTED_VIOLATION;
455 434
456 return X509_V_OK; 435 return X509_V_OK;
436}
457 437
458 } 438static int
459 439nc_uri(ASN1_IA5STRING *uri, ASN1_IA5STRING *base)
460static int nc_uri(ASN1_IA5STRING *uri, ASN1_IA5STRING *base) 440{
461 {
462 const char *baseptr = (char *)base->data; 441 const char *baseptr = (char *)base->data;
463 const char *hostptr = (char *)uri->data; 442 const char *hostptr = (char *)uri->data;
464 const char *p = strchr(hostptr, ':'); 443 const char *p = strchr(hostptr, ':');
465 int hostlen; 444 int hostlen;
445
466 /* Check for foo:// and skip past it */ 446 /* Check for foo:// and skip past it */
467 if (!p || (p[1] != '/') || (p[2] != '/')) 447 if (!p || (p[1] != '/') || (p[2] != '/'))
468 return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX; 448 return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
@@ -486,20 +466,18 @@ static int nc_uri(ASN1_IA5STRING *uri, ASN1_IA5STRING *base)
486 return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX; 466 return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
487 467
488 /* Special case: inital '.' is RHS match */ 468 /* Special case: inital '.' is RHS match */
489 if (*baseptr == '.') 469 if (*baseptr == '.') {
490 { 470 if (hostlen > base->length) {
491 if (hostlen > base->length)
492 {
493 p = hostptr + hostlen - base->length; 471 p = hostptr + hostlen - base->length;
494 if (!strncasecmp(p, baseptr, base->length)) 472 if (!strncasecmp(p, baseptr, base->length))
495 return X509_V_OK; 473 return X509_V_OK;
496 }
497 return X509_V_ERR_PERMITTED_VIOLATION;
498 } 474 }
475 return X509_V_ERR_PERMITTED_VIOLATION;
476 }
499 477
500 if ((base->length != (int)hostlen) || strncasecmp(hostptr, baseptr, hostlen)) 478 if ((base->length != (int)hostlen) ||
479 strncasecmp(hostptr, baseptr, hostlen))
501 return X509_V_ERR_PERMITTED_VIOLATION; 480 return X509_V_ERR_PERMITTED_VIOLATION;
502 481
503 return X509_V_OK; 482 return X509_V_OK;
504 483}
505 }
diff --git a/src/lib/libcrypto/x509v3/v3_ocsp.c b/src/lib/libcrypto/x509v3/v3_ocsp.c
index 0c165af314..2fef484b9a 100644
--- a/src/lib/libcrypto/x509v3/v3_ocsp.c
+++ b/src/lib/libcrypto/x509v3/v3_ocsp.c
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -69,59 +69,59 @@
69 */ 69 */
70 70
71static int i2r_ocsp_crlid(const X509V3_EXT_METHOD *method, void *nonce, 71static int i2r_ocsp_crlid(const X509V3_EXT_METHOD *method, void *nonce,
72 BIO *out, int indent); 72 BIO *out, int indent);
73static int i2r_ocsp_acutoff(const X509V3_EXT_METHOD *method, void *nonce, 73static int i2r_ocsp_acutoff(const X509V3_EXT_METHOD *method, void *nonce,
74 BIO *out, int indent); 74 BIO *out, int indent);
75static int i2r_object(const X509V3_EXT_METHOD *method, void *obj, BIO *out, 75static int i2r_object(const X509V3_EXT_METHOD *method, void *obj, BIO *out,
76 int indent); 76 int indent);
77 77
78static void *ocsp_nonce_new(void); 78static void *ocsp_nonce_new(void);
79static int i2d_ocsp_nonce(void *a, unsigned char **pp); 79static int i2d_ocsp_nonce(void *a, unsigned char **pp);
80static void *d2i_ocsp_nonce(void *a, const unsigned char **pp, long length); 80static void *d2i_ocsp_nonce(void *a, const unsigned char **pp, long length);
81static void ocsp_nonce_free(void *a); 81static void ocsp_nonce_free(void *a);
82static int i2r_ocsp_nonce(const X509V3_EXT_METHOD *method, void *nonce, 82static int i2r_ocsp_nonce(const X509V3_EXT_METHOD *method, void *nonce,
83 BIO *out, int indent); 83 BIO *out, int indent);
84 84
85static int i2r_ocsp_nocheck(const X509V3_EXT_METHOD *method, 85static int i2r_ocsp_nocheck(const X509V3_EXT_METHOD *method,
86 void *nocheck, BIO *out, int indent); 86 void *nocheck, BIO *out, int indent);
87static void *s2i_ocsp_nocheck(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx, 87static void *s2i_ocsp_nocheck(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
88 const char *str); 88 const char *str);
89static int i2r_ocsp_serviceloc(const X509V3_EXT_METHOD *method, void *in, 89static int i2r_ocsp_serviceloc(const X509V3_EXT_METHOD *method, void *in,
90 BIO *bp, int ind); 90 BIO *bp, int ind);
91 91
92const X509V3_EXT_METHOD v3_ocsp_crlid = { 92const X509V3_EXT_METHOD v3_ocsp_crlid = {
93 NID_id_pkix_OCSP_CrlID, 0, ASN1_ITEM_ref(OCSP_CRLID), 93 NID_id_pkix_OCSP_CrlID, 0, ASN1_ITEM_ref(OCSP_CRLID),
94 0,0,0,0, 94 0, 0, 0, 0,
95 0,0, 95 0, 0,
96 0,0, 96 0, 0,
97 i2r_ocsp_crlid,0, 97 i2r_ocsp_crlid, 0,
98 NULL 98 NULL
99}; 99};
100 100
101const X509V3_EXT_METHOD v3_ocsp_acutoff = { 101const X509V3_EXT_METHOD v3_ocsp_acutoff = {
102 NID_id_pkix_OCSP_archiveCutoff, 0, ASN1_ITEM_ref(ASN1_GENERALIZEDTIME), 102 NID_id_pkix_OCSP_archiveCutoff, 0, ASN1_ITEM_ref(ASN1_GENERALIZEDTIME),
103 0,0,0,0, 103 0, 0, 0, 0,
104 0,0, 104 0, 0,
105 0,0, 105 0, 0,
106 i2r_ocsp_acutoff,0, 106 i2r_ocsp_acutoff, 0,
107 NULL 107 NULL
108}; 108};
109 109
110const X509V3_EXT_METHOD v3_crl_invdate = { 110const X509V3_EXT_METHOD v3_crl_invdate = {
111 NID_invalidity_date, 0, ASN1_ITEM_ref(ASN1_GENERALIZEDTIME), 111 NID_invalidity_date, 0, ASN1_ITEM_ref(ASN1_GENERALIZEDTIME),
112 0,0,0,0, 112 0, 0, 0, 0,
113 0,0, 113 0, 0,
114 0,0, 114 0, 0,
115 i2r_ocsp_acutoff,0, 115 i2r_ocsp_acutoff, 0,
116 NULL 116 NULL
117}; 117};
118 118
119const X509V3_EXT_METHOD v3_crl_hold = { 119const X509V3_EXT_METHOD v3_crl_hold = {
120 NID_hold_instruction_code, 0, ASN1_ITEM_ref(ASN1_OBJECT), 120 NID_hold_instruction_code, 0, ASN1_ITEM_ref(ASN1_OBJECT),
121 0,0,0,0, 121 0, 0, 0, 0,
122 0,0, 122 0, 0,
123 0,0, 123 0, 0,
124 i2r_object,0, 124 i2r_object, 0,
125 NULL 125 NULL
126}; 126};
127 127
@@ -131,71 +131,82 @@ const X509V3_EXT_METHOD v3_ocsp_nonce = {
131 ocsp_nonce_free, 131 ocsp_nonce_free,
132 d2i_ocsp_nonce, 132 d2i_ocsp_nonce,
133 i2d_ocsp_nonce, 133 i2d_ocsp_nonce,
134 0,0, 134 0, 0,
135 0,0, 135 0, 0,
136 i2r_ocsp_nonce,0, 136 i2r_ocsp_nonce, 0,
137 NULL 137 NULL
138}; 138};
139 139
140const X509V3_EXT_METHOD v3_ocsp_nocheck = { 140const X509V3_EXT_METHOD v3_ocsp_nocheck = {
141 NID_id_pkix_OCSP_noCheck, 0, ASN1_ITEM_ref(ASN1_NULL), 141 NID_id_pkix_OCSP_noCheck, 0, ASN1_ITEM_ref(ASN1_NULL),
142 0,0,0,0, 142 0, 0, 0, 0,
143 0,s2i_ocsp_nocheck, 143 0, s2i_ocsp_nocheck,
144 0,0, 144 0, 0,
145 i2r_ocsp_nocheck,0, 145 i2r_ocsp_nocheck, 0,
146 NULL 146 NULL
147}; 147};
148 148
149const X509V3_EXT_METHOD v3_ocsp_serviceloc = { 149const X509V3_EXT_METHOD v3_ocsp_serviceloc = {
150 NID_id_pkix_OCSP_serviceLocator, 0, ASN1_ITEM_ref(OCSP_SERVICELOC), 150 NID_id_pkix_OCSP_serviceLocator, 0, ASN1_ITEM_ref(OCSP_SERVICELOC),
151 0,0,0,0, 151 0, 0, 0, 0,
152 0,0, 152 0, 0,
153 0,0, 153 0, 0,
154 i2r_ocsp_serviceloc,0, 154 i2r_ocsp_serviceloc, 0,
155 NULL 155 NULL
156}; 156};
157 157
158static int i2r_ocsp_crlid(const X509V3_EXT_METHOD *method, void *in, BIO *bp, 158static int
159 int ind) 159i2r_ocsp_crlid(const X509V3_EXT_METHOD *method, void *in, BIO *bp, int ind)
160{ 160{
161 OCSP_CRLID *a = in; 161 OCSP_CRLID *a = in;
162 if (a->crlUrl) 162 if (a->crlUrl) {
163 { 163 if (BIO_printf(bp, "%*scrlUrl: ", ind, "") <= 0)
164 if (BIO_printf(bp, "%*scrlUrl: ", ind, "") <= 0) goto err; 164 goto err;
165 if (!ASN1_STRING_print(bp, (ASN1_STRING*)a->crlUrl)) goto err; 165 if (!ASN1_STRING_print(bp, (ASN1_STRING*)a->crlUrl))
166 if (BIO_write(bp, "\n", 1) <= 0) goto err; 166 goto err;
167 } 167 if (BIO_write(bp, "\n", 1) <= 0)
168 if (a->crlNum) 168 goto err;
169 { 169 }
170 if (BIO_printf(bp, "%*scrlNum: ", ind, "") <= 0) goto err; 170 if (a->crlNum) {
171 if (i2a_ASN1_INTEGER(bp, a->crlNum) <= 0) goto err; 171 if (BIO_printf(bp, "%*scrlNum: ", ind, "") <= 0)
172 if (BIO_write(bp, "\n", 1) <= 0) goto err; 172 goto err;
173 } 173 if (i2a_ASN1_INTEGER(bp, a->crlNum) <= 0)
174 if (a->crlTime) 174 goto err;
175 { 175 if (BIO_write(bp, "\n", 1) <= 0)
176 if (BIO_printf(bp, "%*scrlTime: ", ind, "") <= 0) goto err; 176 goto err;
177 if (!ASN1_GENERALIZEDTIME_print(bp, a->crlTime)) goto err; 177 }
178 if (BIO_write(bp, "\n", 1) <= 0) goto err; 178 if (a->crlTime) {
179 } 179 if (BIO_printf(bp, "%*scrlTime: ", ind, "") <= 0)
180 goto err;
181 if (!ASN1_GENERALIZEDTIME_print(bp, a->crlTime))
182 goto err;
183 if (BIO_write(bp, "\n", 1) <= 0)
184 goto err;
185 }
180 return 1; 186 return 1;
181 err: 187
188err:
182 return 0; 189 return 0;
183} 190}
184 191
185static int i2r_ocsp_acutoff(const X509V3_EXT_METHOD *method, void *cutoff, 192static int
186 BIO *bp, int ind) 193i2r_ocsp_acutoff(const X509V3_EXT_METHOD *method, void *cutoff, BIO *bp,
194 int ind)
187{ 195{
188 if (BIO_printf(bp, "%*s", ind, "") <= 0) return 0; 196 if (BIO_printf(bp, "%*s", ind, "") <= 0)
189 if(!ASN1_GENERALIZEDTIME_print(bp, cutoff)) return 0; 197 return 0;
198 if (!ASN1_GENERALIZEDTIME_print(bp, cutoff))
199 return 0;
190 return 1; 200 return 1;
191} 201}
192 202
193 203static int
194static int i2r_object(const X509V3_EXT_METHOD *method, void *oid, BIO *bp, 204i2r_object(const X509V3_EXT_METHOD *method, void *oid, BIO *bp, int ind)
195 int ind)
196{ 205{
197 if (BIO_printf(bp, "%*s", ind, "") <= 0) return 0; 206 if (BIO_printf(bp, "%*s", ind, "") <= 0)
198 if(i2a_ASN1_OBJECT(bp, oid) <= 0) return 0; 207 return 0;
208 if (i2a_ASN1_OBJECT(bp, oid) <= 0)
209 return 0;
199 return 1; 210 return 1;
200} 211}
201 212
@@ -203,87 +214,108 @@ static int i2r_object(const X509V3_EXT_METHOD *method, void *oid, BIO *bp,
203 * an ASN1 encoding at all: it just contains arbitrary data. 214 * an ASN1 encoding at all: it just contains arbitrary data.
204 */ 215 */
205 216
206static void *ocsp_nonce_new(void) 217static void *
218ocsp_nonce_new(void)
207{ 219{
208 return ASN1_OCTET_STRING_new(); 220 return ASN1_OCTET_STRING_new();
209} 221}
210 222
211static int i2d_ocsp_nonce(void *a, unsigned char **pp) 223static int
224i2d_ocsp_nonce(void *a, unsigned char **pp)
212{ 225{
213 ASN1_OCTET_STRING *os = a; 226 ASN1_OCTET_STRING *os = a;
214 if(pp) { 227
228 if (pp) {
215 memcpy(*pp, os->data, os->length); 229 memcpy(*pp, os->data, os->length);
216 *pp += os->length; 230 *pp += os->length;
217 } 231 }
218 return os->length; 232 return os->length;
219} 233}
220 234
221static void *d2i_ocsp_nonce(void *a, const unsigned char **pp, long length) 235static void *
236d2i_ocsp_nonce(void *a, const unsigned char **pp, long length)
222{ 237{
223 ASN1_OCTET_STRING *os, **pos; 238 ASN1_OCTET_STRING *os, **pos;
239
224 pos = a; 240 pos = a;
225 if(!pos || !*pos) os = ASN1_OCTET_STRING_new(); 241 if (!pos || !*pos)
226 else os = *pos; 242 os = ASN1_OCTET_STRING_new();
227 if(!ASN1_OCTET_STRING_set(os, *pp, length)) goto err; 243 else
244 os = *pos;
245 if (!ASN1_OCTET_STRING_set(os, *pp, length))
246 goto err;
228 247
229 *pp += length; 248 *pp += length;
230 249
231 if(pos) *pos = os; 250 if (pos)
251 *pos = os;
232 return os; 252 return os;
233 253
234 err: 254err:
235 if(os && (!pos || (*pos != os))) M_ASN1_OCTET_STRING_free(os); 255 if (os && (!pos || (*pos != os)))
256 M_ASN1_OCTET_STRING_free(os);
236 OCSPerr(OCSP_F_D2I_OCSP_NONCE, ERR_R_MALLOC_FAILURE); 257 OCSPerr(OCSP_F_D2I_OCSP_NONCE, ERR_R_MALLOC_FAILURE);
237 return NULL; 258 return NULL;
238} 259}
239 260
240static void ocsp_nonce_free(void *a) 261static void
262ocsp_nonce_free(void *a)
241{ 263{
242 M_ASN1_OCTET_STRING_free(a); 264 M_ASN1_OCTET_STRING_free(a);
243} 265}
244 266
245static int i2r_ocsp_nonce(const X509V3_EXT_METHOD *method, void *nonce, 267static int
246 BIO *out, int indent) 268i2r_ocsp_nonce(const X509V3_EXT_METHOD *method, void *nonce, BIO *out,
269 int indent)
247{ 270{
248 if(BIO_printf(out, "%*s", indent, "") <= 0) return 0; 271 if (BIO_printf(out, "%*s", indent, "") <= 0)
249 if(i2a_ASN1_STRING(out, nonce, V_ASN1_OCTET_STRING) <= 0) return 0; 272 return 0;
273 if (i2a_ASN1_STRING(out, nonce, V_ASN1_OCTET_STRING) <= 0)
274 return 0;
250 return 1; 275 return 1;
251} 276}
252 277
253/* Nocheck is just a single NULL. Don't print anything and always set it */ 278/* Nocheck is just a single NULL. Don't print anything and always set it */
254 279
255static int i2r_ocsp_nocheck(const X509V3_EXT_METHOD *method, void *nocheck, 280static int
256 BIO *out, int indent) 281i2r_ocsp_nocheck(const X509V3_EXT_METHOD *method, void *nocheck, BIO *out,
282 int indent)
257{ 283{
258 return 1; 284 return 1;
259} 285}
260 286
261static void *s2i_ocsp_nocheck(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx, 287static void *
262 const char *str) 288s2i_ocsp_nocheck(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
289 const char *str)
263{ 290{
264 return ASN1_NULL_new(); 291 return ASN1_NULL_new();
265} 292}
266 293
267static int i2r_ocsp_serviceloc(const X509V3_EXT_METHOD *method, void *in, 294static int
268 BIO *bp, int ind) 295i2r_ocsp_serviceloc(const X509V3_EXT_METHOD *method, void *in, BIO *bp, int ind)
269 { 296{
270 int i; 297 int i;
271 OCSP_SERVICELOC *a = in; 298 OCSP_SERVICELOC *a = in;
272 ACCESS_DESCRIPTION *ad; 299 ACCESS_DESCRIPTION *ad;
273 300
274 if (BIO_printf(bp, "%*sIssuer: ", ind, "") <= 0) goto err; 301 if (BIO_printf(bp, "%*sIssuer: ", ind, "") <= 0)
275 if (X509_NAME_print_ex(bp, a->issuer, 0, XN_FLAG_ONELINE) <= 0) goto err; 302 goto err;
276 for (i = 0; i < sk_ACCESS_DESCRIPTION_num(a->locator); i++) 303 if (X509_NAME_print_ex(bp, a->issuer, 0, XN_FLAG_ONELINE) <= 0)
277 { 304 goto err;
278 ad = sk_ACCESS_DESCRIPTION_value(a->locator,i); 305 for (i = 0; i < sk_ACCESS_DESCRIPTION_num(a->locator); i++) {
279 if (BIO_printf(bp, "\n%*s", (2*ind), "") <= 0) 306 ad = sk_ACCESS_DESCRIPTION_value(a->locator, i);
280 goto err; 307 if (BIO_printf(bp, "\n%*s", (2 * ind), "") <= 0)
281 if(i2a_ASN1_OBJECT(bp, ad->method) <= 0) goto err; 308 goto err;
282 if(BIO_puts(bp, " - ") <= 0) goto err; 309 if (i2a_ASN1_OBJECT(bp, ad->method) <= 0)
283 if(GENERAL_NAME_print(bp, ad->location) <= 0) goto err; 310 goto err;
284 } 311 if (BIO_puts(bp, " - ") <= 0)
312 goto err;
313 if (GENERAL_NAME_print(bp, ad->location) <= 0)
314 goto err;
315 }
285 return 1; 316 return 1;
317
286err: 318err:
287 return 0; 319 return 0;
288 } 320}
289#endif 321#endif
diff --git a/src/lib/libssl/src/crypto/x509v3/v3_ncons.c b/src/lib/libssl/src/crypto/x509v3/v3_ncons.c
index a01dc64dd2..695176471b 100644
--- a/src/lib/libssl/src/crypto/x509v3/v3_ncons.c
+++ b/src/lib/libssl/src/crypto/x509v3/v3_ncons.c
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -64,12 +64,11 @@
64#include <openssl/x509v3.h> 64#include <openssl/x509v3.h>
65 65
66static void *v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method, 66static void *v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method,
67 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval); 67 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
68static int i2r_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method, 68static int i2r_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method,
69 void *a, BIO *bp, int ind); 69 void *a, BIO *bp, int ind);
70static int do_i2r_name_constraints(const X509V3_EXT_METHOD *method, 70static int do_i2r_name_constraints(const X509V3_EXT_METHOD *method,
71 STACK_OF(GENERAL_SUBTREE) *trees, 71 STACK_OF(GENERAL_SUBTREE) *trees, BIO *bp, int ind, char *name);
72 BIO *bp, int ind, char *name);
73static int print_nc_ipadd(BIO *bp, ASN1_OCTET_STRING *ip); 72static int print_nc_ipadd(BIO *bp, ASN1_OCTET_STRING *ip);
74 73
75static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc); 74static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc);
@@ -82,10 +81,10 @@ static int nc_uri(ASN1_IA5STRING *uri, ASN1_IA5STRING *base);
82const X509V3_EXT_METHOD v3_name_constraints = { 81const X509V3_EXT_METHOD v3_name_constraints = {
83 NID_name_constraints, 0, 82 NID_name_constraints, 0,
84 ASN1_ITEM_ref(NAME_CONSTRAINTS), 83 ASN1_ITEM_ref(NAME_CONSTRAINTS),
85 0,0,0,0, 84 0, 0, 0, 0,
86 0,0, 85 0, 0,
87 0, v2i_NAME_CONSTRAINTS, 86 0, v2i_NAME_CONSTRAINTS,
88 i2r_NAME_CONSTRAINTS,0, 87 i2r_NAME_CONSTRAINTS, 0,
89 NULL 88 NULL
90}; 89};
91 90
@@ -97,44 +96,41 @@ ASN1_SEQUENCE(GENERAL_SUBTREE) = {
97 96
98ASN1_SEQUENCE(NAME_CONSTRAINTS) = { 97ASN1_SEQUENCE(NAME_CONSTRAINTS) = {
99 ASN1_IMP_SEQUENCE_OF_OPT(NAME_CONSTRAINTS, permittedSubtrees, 98 ASN1_IMP_SEQUENCE_OF_OPT(NAME_CONSTRAINTS, permittedSubtrees,
100 GENERAL_SUBTREE, 0), 99 GENERAL_SUBTREE, 0),
101 ASN1_IMP_SEQUENCE_OF_OPT(NAME_CONSTRAINTS, excludedSubtrees, 100 ASN1_IMP_SEQUENCE_OF_OPT(NAME_CONSTRAINTS, excludedSubtrees,
102 GENERAL_SUBTREE, 1), 101 GENERAL_SUBTREE, 1),
103} ASN1_SEQUENCE_END(NAME_CONSTRAINTS) 102} ASN1_SEQUENCE_END(NAME_CONSTRAINTS)
104 103
105 104
106IMPLEMENT_ASN1_ALLOC_FUNCTIONS(GENERAL_SUBTREE) 105IMPLEMENT_ASN1_ALLOC_FUNCTIONS(GENERAL_SUBTREE)
107IMPLEMENT_ASN1_ALLOC_FUNCTIONS(NAME_CONSTRAINTS) 106IMPLEMENT_ASN1_ALLOC_FUNCTIONS(NAME_CONSTRAINTS)
108 107
109static void *v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method, 108static void *
110 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval) 109v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
111 { 110 STACK_OF(CONF_VALUE) *nval)
111{
112 int i; 112 int i;
113 CONF_VALUE tval, *val; 113 CONF_VALUE tval, *val;
114 STACK_OF(GENERAL_SUBTREE) **ptree = NULL; 114 STACK_OF(GENERAL_SUBTREE) **ptree = NULL;
115 NAME_CONSTRAINTS *ncons = NULL; 115 NAME_CONSTRAINTS *ncons = NULL;
116 GENERAL_SUBTREE *sub = NULL; 116 GENERAL_SUBTREE *sub = NULL;
117
117 ncons = NAME_CONSTRAINTS_new(); 118 ncons = NAME_CONSTRAINTS_new();
118 if (!ncons) 119 if (!ncons)
119 goto memerr; 120 goto memerr;
120 for(i = 0; i < sk_CONF_VALUE_num(nval); i++) 121 for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
121 {
122 val = sk_CONF_VALUE_value(nval, i); 122 val = sk_CONF_VALUE_value(nval, i);
123 if (!strncmp(val->name, "permitted", 9) && val->name[9]) 123 if (!strncmp(val->name, "permitted", 9) && val->name[9]) {
124 {
125 ptree = &ncons->permittedSubtrees; 124 ptree = &ncons->permittedSubtrees;
126 tval.name = val->name + 10; 125 tval.name = val->name + 10;
127 } 126 } else if (!strncmp(val->name, "excluded", 8) && val->name[8]) {
128 else if (!strncmp(val->name, "excluded", 8) && val->name[8])
129 {
130 ptree = &ncons->excludedSubtrees; 127 ptree = &ncons->excludedSubtrees;
131 tval.name = val->name + 9; 128 tval.name = val->name + 9;
132 } 129 } else {
133 else 130 X509V3err(X509V3_F_V2I_NAME_CONSTRAINTS,
134 { 131 X509V3_R_INVALID_SYNTAX);
135 X509V3err(X509V3_F_V2I_NAME_CONSTRAINTS, X509V3_R_INVALID_SYNTAX);
136 goto err; 132 goto err;
137 } 133 }
138 tval.value = val->value; 134 tval.value = val->value;
139 sub = GENERAL_SUBTREE_new(); 135 sub = GENERAL_SUBTREE_new();
140 if (!v2i_GENERAL_NAME_ex(sub->base, method, ctx, &tval, 1)) 136 if (!v2i_GENERAL_NAME_ex(sub->base, method, ctx, &tval, 1))
@@ -144,45 +140,43 @@ static void *v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method,
144 if (!*ptree || !sk_GENERAL_SUBTREE_push(*ptree, sub)) 140 if (!*ptree || !sk_GENERAL_SUBTREE_push(*ptree, sub))
145 goto memerr; 141 goto memerr;
146 sub = NULL; 142 sub = NULL;
147 } 143 }
148 144
149 return ncons; 145 return ncons;
150 146
151 memerr: 147memerr:
152 X509V3err(X509V3_F_V2I_NAME_CONSTRAINTS, ERR_R_MALLOC_FAILURE); 148 X509V3err(X509V3_F_V2I_NAME_CONSTRAINTS, ERR_R_MALLOC_FAILURE);
153 err: 149err:
154 if (ncons) 150 if (ncons)
155 NAME_CONSTRAINTS_free(ncons); 151 NAME_CONSTRAINTS_free(ncons);
156 if (sub) 152 if (sub)
157 GENERAL_SUBTREE_free(sub); 153 GENERAL_SUBTREE_free(sub);
158 154
159 return NULL; 155 return NULL;
160 } 156}
161
162 157
163 158static int
164 159i2r_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method, void *a, BIO *bp, int ind)
165static int i2r_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method, void *a, 160{
166 BIO *bp, int ind)
167 {
168 NAME_CONSTRAINTS *ncons = a; 161 NAME_CONSTRAINTS *ncons = a;
162
169 do_i2r_name_constraints(method, ncons->permittedSubtrees, 163 do_i2r_name_constraints(method, ncons->permittedSubtrees,
170 bp, ind, "Permitted"); 164 bp, ind, "Permitted");
171 do_i2r_name_constraints(method, ncons->excludedSubtrees, 165 do_i2r_name_constraints(method, ncons->excludedSubtrees,
172 bp, ind, "Excluded"); 166 bp, ind, "Excluded");
173 return 1; 167 return 1;
174 } 168}
175 169
176static int do_i2r_name_constraints(const X509V3_EXT_METHOD *method, 170static int
177 STACK_OF(GENERAL_SUBTREE) *trees, 171do_i2r_name_constraints(const X509V3_EXT_METHOD *method,
178 BIO *bp, int ind, char *name) 172 STACK_OF(GENERAL_SUBTREE) *trees, BIO *bp, int ind, char *name)
179 { 173{
180 GENERAL_SUBTREE *tree; 174 GENERAL_SUBTREE *tree;
181 int i; 175 int i;
176
182 if (sk_GENERAL_SUBTREE_num(trees) > 0) 177 if (sk_GENERAL_SUBTREE_num(trees) > 0)
183 BIO_printf(bp, "%*s%s:\n", ind, "", name); 178 BIO_printf(bp, "%*s%s:\n", ind, "", name);
184 for(i = 0; i < sk_GENERAL_SUBTREE_num(trees); i++) 179 for (i = 0; i < sk_GENERAL_SUBTREE_num(trees); i++) {
185 {
186 tree = sk_GENERAL_SUBTREE_value(trees, i); 180 tree = sk_GENERAL_SUBTREE_value(trees, i);
187 BIO_printf(bp, "%*s", ind + 2, ""); 181 BIO_printf(bp, "%*s", ind + 2, "");
188 if (tree->base->type == GEN_IPADD) 182 if (tree->base->type == GEN_IPADD)
@@ -190,39 +184,35 @@ static int do_i2r_name_constraints(const X509V3_EXT_METHOD *method,
190 else 184 else
191 GENERAL_NAME_print(bp, tree->base); 185 GENERAL_NAME_print(bp, tree->base);
192 BIO_puts(bp, "\n"); 186 BIO_puts(bp, "\n");
193 }
194 return 1;
195 } 187 }
188 return 1;
189}
196 190
197static int print_nc_ipadd(BIO *bp, ASN1_OCTET_STRING *ip) 191static int
198 { 192print_nc_ipadd(BIO *bp, ASN1_OCTET_STRING *ip)
193{
199 int i, len; 194 int i, len;
200 unsigned char *p; 195 unsigned char *p;
196
201 p = ip->data; 197 p = ip->data;
202 len = ip->length; 198 len = ip->length;
203 BIO_puts(bp, "IP:"); 199 BIO_puts(bp, "IP:");
204 if(len == 8) 200 if (len == 8) {
205 {
206 BIO_printf(bp, "%d.%d.%d.%d/%d.%d.%d.%d", 201 BIO_printf(bp, "%d.%d.%d.%d/%d.%d.%d.%d",
207 p[0], p[1], p[2], p[3], 202 p[0], p[1], p[2], p[3], p[4], p[5], p[6], p[7]);
208 p[4], p[5], p[6], p[7]); 203 } else if (len == 32) {
209 } 204 for (i = 0; i < 16; i++) {
210 else if(len == 32)
211 {
212 for (i = 0; i < 16; i++)
213 {
214 BIO_printf(bp, "%X", p[0] << 8 | p[1]); 205 BIO_printf(bp, "%X", p[0] << 8 | p[1]);
215 p += 2; 206 p += 2;
216 if (i == 7) 207 if (i == 7)
217 BIO_puts(bp, "/"); 208 BIO_puts(bp, "/");
218 else if (i != 15) 209 else if (i != 15)
219 BIO_puts(bp, ":"); 210 BIO_puts(bp, ":");
220 }
221 } 211 }
222 else 212 } else
223 BIO_printf(bp, "IP Address:<invalid>"); 213 BIO_printf(bp, "IP Address:<invalid>");
224 return 1; 214 return 1;
225 } 215}
226 216
227/* Check a certificate conforms to a specified set of constraints. 217/* Check a certificate conforms to a specified set of constraints.
228 * Return values: 218 * Return values:
@@ -233,18 +223,17 @@ static int print_nc_ipadd(BIO *bp, ASN1_OCTET_STRING *ip)
233 * X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE: Unsupported constraint type. 223 * X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE: Unsupported constraint type.
234 * X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX: bad unsupported constraint syntax. 224 * X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX: bad unsupported constraint syntax.
235 * X509_V_ERR_UNSUPPORTED_NAME_SYNTAX: bad or unsupported syntax of name 225 * X509_V_ERR_UNSUPPORTED_NAME_SYNTAX: bad or unsupported syntax of name
236
237 */ 226 */
238 227
239int NAME_CONSTRAINTS_check(X509 *x, NAME_CONSTRAINTS *nc) 228int
240 { 229NAME_CONSTRAINTS_check(X509 *x, NAME_CONSTRAINTS *nc)
230{
241 int r, i; 231 int r, i;
242 X509_NAME *nm; 232 X509_NAME *nm;
243 233
244 nm = X509_get_subject_name(x); 234 nm = X509_get_subject_name(x);
245 235
246 if (X509_NAME_entry_count(nm) > 0) 236 if (X509_NAME_entry_count(nm) > 0) {
247 {
248 GENERAL_NAME gntmp; 237 GENERAL_NAME gntmp;
249 gntmp.type = GEN_DIRNAME; 238 gntmp.type = GEN_DIRNAME;
250 gntmp.d.directoryName = nm; 239 gntmp.d.directoryName = nm;
@@ -256,15 +245,12 @@ int NAME_CONSTRAINTS_check(X509 *x, NAME_CONSTRAINTS *nc)
256 245
257 gntmp.type = GEN_EMAIL; 246 gntmp.type = GEN_EMAIL;
258 247
259
260 /* Process any email address attributes in subject name */ 248 /* Process any email address attributes in subject name */
261 249
262 for (i = -1;;) 250 for (i = -1;;) {
263 {
264 X509_NAME_ENTRY *ne; 251 X509_NAME_ENTRY *ne;
265 i = X509_NAME_get_index_by_NID(nm, 252 i = X509_NAME_get_index_by_NID(nm,
266 NID_pkcs9_emailAddress, 253 NID_pkcs9_emailAddress, i);
267 i);
268 if (i == -1) 254 if (i == -1)
269 break; 255 break;
270 ne = X509_NAME_get_entry(nm, i); 256 ne = X509_NAME_get_entry(nm, i);
@@ -276,24 +262,23 @@ int NAME_CONSTRAINTS_check(X509 *x, NAME_CONSTRAINTS *nc)
276 262
277 if (r != X509_V_OK) 263 if (r != X509_V_OK)
278 return r; 264 return r;
279 }
280
281 } 265 }
282 266
283 for (i = 0; i < sk_GENERAL_NAME_num(x->altname); i++) 267 }
284 { 268
269 for (i = 0; i < sk_GENERAL_NAME_num(x->altname); i++) {
285 GENERAL_NAME *gen = sk_GENERAL_NAME_value(x->altname, i); 270 GENERAL_NAME *gen = sk_GENERAL_NAME_value(x->altname, i);
286 r = nc_match(gen, nc); 271 r = nc_match(gen, nc);
287 if (r != X509_V_OK) 272 if (r != X509_V_OK)
288 return r; 273 return r;
289 } 274 }
290 275
291 return X509_V_OK; 276 return X509_V_OK;
277}
292 278
293 } 279static int
294 280nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc)
295static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc) 281{
296 {
297 GENERAL_SUBTREE *sub; 282 GENERAL_SUBTREE *sub;
298 int i, r, match = 0; 283 int i, r, match = 0;
299 284
@@ -301,8 +286,7 @@ static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc)
301 * at least one subtree must match. 286 * at least one subtree must match.
302 */ 287 */
303 288
304 for (i = 0; i < sk_GENERAL_SUBTREE_num(nc->permittedSubtrees); i++) 289 for (i = 0; i < sk_GENERAL_SUBTREE_num(nc->permittedSubtrees); i++) {
305 {
306 sub = sk_GENERAL_SUBTREE_value(nc->permittedSubtrees, i); 290 sub = sk_GENERAL_SUBTREE_value(nc->permittedSubtrees, i);
307 if (gen->type != sub->base->type) 291 if (gen->type != sub->base->type)
308 continue; 292 continue;
@@ -318,15 +302,14 @@ static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc)
318 match = 2; 302 match = 2;
319 else if (r != X509_V_ERR_PERMITTED_VIOLATION) 303 else if (r != X509_V_ERR_PERMITTED_VIOLATION)
320 return r; 304 return r;
321 } 305 }
322 306
323 if (match == 1) 307 if (match == 1)
324 return X509_V_ERR_PERMITTED_VIOLATION; 308 return X509_V_ERR_PERMITTED_VIOLATION;
325 309
326 /* Excluded subtrees: must not match any of these */ 310 /* Excluded subtrees: must not match any of these */
327 311
328 for (i = 0; i < sk_GENERAL_SUBTREE_num(nc->excludedSubtrees); i++) 312 for (i = 0; i < sk_GENERAL_SUBTREE_num(nc->excludedSubtrees); i++) {
329 {
330 sub = sk_GENERAL_SUBTREE_value(nc->excludedSubtrees, i); 313 sub = sk_GENERAL_SUBTREE_value(nc->excludedSubtrees, i);
331 if (gen->type != sub->base->type) 314 if (gen->type != sub->base->type)
332 continue; 315 continue;
@@ -339,42 +322,41 @@ static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc)
339 else if (r != X509_V_ERR_PERMITTED_VIOLATION) 322 else if (r != X509_V_ERR_PERMITTED_VIOLATION)
340 return r; 323 return r;
341 324
342 } 325 }
343 326
344 return X509_V_OK; 327 return X509_V_OK;
328}
345 329
346 } 330static int
347 331nc_match_single(GENERAL_NAME *gen, GENERAL_NAME *base)
348static int nc_match_single(GENERAL_NAME *gen, GENERAL_NAME *base) 332{
349 { 333 switch (base->type) {
350 switch(base->type) 334 case GEN_DIRNAME:
351 {
352 case GEN_DIRNAME:
353 return nc_dn(gen->d.directoryName, base->d.directoryName); 335 return nc_dn(gen->d.directoryName, base->d.directoryName);
354 336
355 case GEN_DNS: 337 case GEN_DNS:
356 return nc_dns(gen->d.dNSName, base->d.dNSName); 338 return nc_dns(gen->d.dNSName, base->d.dNSName);
357 339
358 case GEN_EMAIL: 340 case GEN_EMAIL:
359 return nc_email(gen->d.rfc822Name, base->d.rfc822Name); 341 return nc_email(gen->d.rfc822Name, base->d.rfc822Name);
360 342
361 case GEN_URI: 343 case GEN_URI:
362 return nc_uri(gen->d.uniformResourceIdentifier, 344 return nc_uri(gen->d.uniformResourceIdentifier,
363 base->d.uniformResourceIdentifier); 345 base->d.uniformResourceIdentifier);
364 346
365 default: 347 default:
366 return X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE; 348 return X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE;
367 }
368
369 } 349 }
350}
370 351
371/* directoryName name constraint matching. 352/* directoryName name constraint matching.
372 * The canonical encoding of X509_NAME makes this comparison easy. It is 353 * The canonical encoding of X509_NAME makes this comparison easy. It is
373 * matched if the subtree is a subset of the name. 354 * matched if the subtree is a subset of the name.
374 */ 355 */
375 356
376static int nc_dn(X509_NAME *nm, X509_NAME *base) 357static int
377 { 358nc_dn(X509_NAME *nm, X509_NAME *base)
359{
378 /* Ensure canonical encodings are up to date. */ 360 /* Ensure canonical encodings are up to date. */
379 if (nm->modified && i2d_X509_NAME(nm, NULL) < 0) 361 if (nm->modified && i2d_X509_NAME(nm, NULL) < 0)
380 return X509_V_ERR_OUT_OF_MEM; 362 return X509_V_ERR_OUT_OF_MEM;
@@ -385,12 +367,14 @@ static int nc_dn(X509_NAME *nm, X509_NAME *base)
385 if (memcmp(base->canon_enc, nm->canon_enc, base->canon_enclen)) 367 if (memcmp(base->canon_enc, nm->canon_enc, base->canon_enclen))
386 return X509_V_ERR_PERMITTED_VIOLATION; 368 return X509_V_ERR_PERMITTED_VIOLATION;
387 return X509_V_OK; 369 return X509_V_OK;
388 } 370}
389 371
390static int nc_dns(ASN1_IA5STRING *dns, ASN1_IA5STRING *base) 372static int
391 { 373nc_dns(ASN1_IA5STRING *dns, ASN1_IA5STRING *base)
374{
392 char *baseptr = (char *)base->data; 375 char *baseptr = (char *)base->data;
393 char *dnsptr = (char *)dns->data; 376 char *dnsptr = (char *)dns->data;
377
394 /* Empty matches everything */ 378 /* Empty matches everything */
395 if (!*baseptr) 379 if (!*baseptr)
396 return X509_V_OK; 380 return X509_V_OK;
@@ -398,71 +382,67 @@ static int nc_dns(ASN1_IA5STRING *dns, ASN1_IA5STRING *base)
398 * compare RHS and if dns is longer and expect '.' as preceding 382 * compare RHS and if dns is longer and expect '.' as preceding
399 * character. 383 * character.
400 */ 384 */
401 if (dns->length > base->length) 385 if (dns->length > base->length) {
402 {
403 dnsptr += dns->length - base->length; 386 dnsptr += dns->length - base->length;
404 if (dnsptr[-1] != '.') 387 if (dnsptr[-1] != '.')
405 return X509_V_ERR_PERMITTED_VIOLATION; 388 return X509_V_ERR_PERMITTED_VIOLATION;
406 } 389 }
407 390
408 if (strcasecmp(baseptr, dnsptr)) 391 if (strcasecmp(baseptr, dnsptr))
409 return X509_V_ERR_PERMITTED_VIOLATION; 392 return X509_V_ERR_PERMITTED_VIOLATION;
410 393
411 return X509_V_OK; 394 return X509_V_OK;
395}
412 396
413 } 397static int
414 398nc_email(ASN1_IA5STRING *eml, ASN1_IA5STRING *base)
415static int nc_email(ASN1_IA5STRING *eml, ASN1_IA5STRING *base) 399{
416 {
417 const char *baseptr = (char *)base->data; 400 const char *baseptr = (char *)base->data;
418 const char *emlptr = (char *)eml->data; 401 const char *emlptr = (char *)eml->data;
419
420 const char *baseat = strchr(baseptr, '@'); 402 const char *baseat = strchr(baseptr, '@');
421 const char *emlat = strchr(emlptr, '@'); 403 const char *emlat = strchr(emlptr, '@');
404
422 if (!emlat) 405 if (!emlat)
423 return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX; 406 return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
424 /* Special case: inital '.' is RHS match */ 407 /* Special case: inital '.' is RHS match */
425 if (!baseat && (*baseptr == '.')) 408 if (!baseat && (*baseptr == '.')) {
426 { 409 if (eml->length > base->length) {
427 if (eml->length > base->length)
428 {
429 emlptr += eml->length - base->length; 410 emlptr += eml->length - base->length;
430 if (!strcasecmp(baseptr, emlptr)) 411 if (!strcasecmp(baseptr, emlptr))
431 return X509_V_OK; 412 return X509_V_OK;
432 }
433 return X509_V_ERR_PERMITTED_VIOLATION;
434 } 413 }
414 return X509_V_ERR_PERMITTED_VIOLATION;
415 }
435 416
436 /* If we have anything before '@' match local part */ 417 /* If we have anything before '@' match local part */
437 418
438 if (baseat) 419 if (baseat) {
439 { 420 if (baseat != baseptr) {
440 if (baseat != baseptr)
441 {
442 if ((baseat - baseptr) != (emlat - emlptr)) 421 if ((baseat - baseptr) != (emlat - emlptr))
443 return X509_V_ERR_PERMITTED_VIOLATION; 422 return X509_V_ERR_PERMITTED_VIOLATION;
444 /* Case sensitive match of local part */ 423 /* Case sensitive match of local part */
445 if (strncmp(baseptr, emlptr, emlat - emlptr)) 424 if (strncmp(baseptr, emlptr, emlat - emlptr))
446 return X509_V_ERR_PERMITTED_VIOLATION; 425 return X509_V_ERR_PERMITTED_VIOLATION;
447 } 426 }
448 /* Position base after '@' */ 427 /* Position base after '@' */
449 baseptr = baseat + 1; 428 baseptr = baseat + 1;
450 } 429 }
451 emlptr = emlat + 1; 430 emlptr = emlat + 1;
452 /* Just have hostname left to match: case insensitive */ 431 /* Just have hostname left to match: case insensitive */
453 if (strcasecmp(baseptr, emlptr)) 432 if (strcasecmp(baseptr, emlptr))
454 return X509_V_ERR_PERMITTED_VIOLATION; 433 return X509_V_ERR_PERMITTED_VIOLATION;
455 434
456 return X509_V_OK; 435 return X509_V_OK;
436}
457 437
458 } 438static int
459 439nc_uri(ASN1_IA5STRING *uri, ASN1_IA5STRING *base)
460static int nc_uri(ASN1_IA5STRING *uri, ASN1_IA5STRING *base) 440{
461 {
462 const char *baseptr = (char *)base->data; 441 const char *baseptr = (char *)base->data;
463 const char *hostptr = (char *)uri->data; 442 const char *hostptr = (char *)uri->data;
464 const char *p = strchr(hostptr, ':'); 443 const char *p = strchr(hostptr, ':');
465 int hostlen; 444 int hostlen;
445
466 /* Check for foo:// and skip past it */ 446 /* Check for foo:// and skip past it */
467 if (!p || (p[1] != '/') || (p[2] != '/')) 447 if (!p || (p[1] != '/') || (p[2] != '/'))
468 return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX; 448 return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
@@ -486,20 +466,18 @@ static int nc_uri(ASN1_IA5STRING *uri, ASN1_IA5STRING *base)
486 return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX; 466 return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
487 467
488 /* Special case: inital '.' is RHS match */ 468 /* Special case: inital '.' is RHS match */
489 if (*baseptr == '.') 469 if (*baseptr == '.') {
490 { 470 if (hostlen > base->length) {
491 if (hostlen > base->length)
492 {
493 p = hostptr + hostlen - base->length; 471 p = hostptr + hostlen - base->length;
494 if (!strncasecmp(p, baseptr, base->length)) 472 if (!strncasecmp(p, baseptr, base->length))
495 return X509_V_OK; 473 return X509_V_OK;
496 }
497 return X509_V_ERR_PERMITTED_VIOLATION;
498 } 474 }
475 return X509_V_ERR_PERMITTED_VIOLATION;
476 }
499 477
500 if ((base->length != (int)hostlen) || strncasecmp(hostptr, baseptr, hostlen)) 478 if ((base->length != (int)hostlen) ||
479 strncasecmp(hostptr, baseptr, hostlen))
501 return X509_V_ERR_PERMITTED_VIOLATION; 480 return X509_V_ERR_PERMITTED_VIOLATION;
502 481
503 return X509_V_OK; 482 return X509_V_OK;
504 483}
505 }
diff --git a/src/lib/libssl/src/crypto/x509v3/v3_ocsp.c b/src/lib/libssl/src/crypto/x509v3/v3_ocsp.c
index 0c165af314..2fef484b9a 100644
--- a/src/lib/libssl/src/crypto/x509v3/v3_ocsp.c
+++ b/src/lib/libssl/src/crypto/x509v3/v3_ocsp.c
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -69,59 +69,59 @@
69 */ 69 */
70 70
71static int i2r_ocsp_crlid(const X509V3_EXT_METHOD *method, void *nonce, 71static int i2r_ocsp_crlid(const X509V3_EXT_METHOD *method, void *nonce,
72 BIO *out, int indent); 72 BIO *out, int indent);
73static int i2r_ocsp_acutoff(const X509V3_EXT_METHOD *method, void *nonce, 73static int i2r_ocsp_acutoff(const X509V3_EXT_METHOD *method, void *nonce,
74 BIO *out, int indent); 74 BIO *out, int indent);
75static int i2r_object(const X509V3_EXT_METHOD *method, void *obj, BIO *out, 75static int i2r_object(const X509V3_EXT_METHOD *method, void *obj, BIO *out,
76 int indent); 76 int indent);
77 77
78static void *ocsp_nonce_new(void); 78static void *ocsp_nonce_new(void);
79static int i2d_ocsp_nonce(void *a, unsigned char **pp); 79static int i2d_ocsp_nonce(void *a, unsigned char **pp);
80static void *d2i_ocsp_nonce(void *a, const unsigned char **pp, long length); 80static void *d2i_ocsp_nonce(void *a, const unsigned char **pp, long length);
81static void ocsp_nonce_free(void *a); 81static void ocsp_nonce_free(void *a);
82static int i2r_ocsp_nonce(const X509V3_EXT_METHOD *method, void *nonce, 82static int i2r_ocsp_nonce(const X509V3_EXT_METHOD *method, void *nonce,
83 BIO *out, int indent); 83 BIO *out, int indent);
84 84
85static int i2r_ocsp_nocheck(const X509V3_EXT_METHOD *method, 85static int i2r_ocsp_nocheck(const X509V3_EXT_METHOD *method,
86 void *nocheck, BIO *out, int indent); 86 void *nocheck, BIO *out, int indent);
87static void *s2i_ocsp_nocheck(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx, 87static void *s2i_ocsp_nocheck(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
88 const char *str); 88 const char *str);
89static int i2r_ocsp_serviceloc(const X509V3_EXT_METHOD *method, void *in, 89static int i2r_ocsp_serviceloc(const X509V3_EXT_METHOD *method, void *in,
90 BIO *bp, int ind); 90 BIO *bp, int ind);
91 91
92const X509V3_EXT_METHOD v3_ocsp_crlid = { 92const X509V3_EXT_METHOD v3_ocsp_crlid = {
93 NID_id_pkix_OCSP_CrlID, 0, ASN1_ITEM_ref(OCSP_CRLID), 93 NID_id_pkix_OCSP_CrlID, 0, ASN1_ITEM_ref(OCSP_CRLID),
94 0,0,0,0, 94 0, 0, 0, 0,
95 0,0, 95 0, 0,
96 0,0, 96 0, 0,
97 i2r_ocsp_crlid,0, 97 i2r_ocsp_crlid, 0,
98 NULL 98 NULL
99}; 99};
100 100
101const X509V3_EXT_METHOD v3_ocsp_acutoff = { 101const X509V3_EXT_METHOD v3_ocsp_acutoff = {
102 NID_id_pkix_OCSP_archiveCutoff, 0, ASN1_ITEM_ref(ASN1_GENERALIZEDTIME), 102 NID_id_pkix_OCSP_archiveCutoff, 0, ASN1_ITEM_ref(ASN1_GENERALIZEDTIME),
103 0,0,0,0, 103 0, 0, 0, 0,
104 0,0, 104 0, 0,
105 0,0, 105 0, 0,
106 i2r_ocsp_acutoff,0, 106 i2r_ocsp_acutoff, 0,
107 NULL 107 NULL
108}; 108};
109 109
110const X509V3_EXT_METHOD v3_crl_invdate = { 110const X509V3_EXT_METHOD v3_crl_invdate = {
111 NID_invalidity_date, 0, ASN1_ITEM_ref(ASN1_GENERALIZEDTIME), 111 NID_invalidity_date, 0, ASN1_ITEM_ref(ASN1_GENERALIZEDTIME),
112 0,0,0,0, 112 0, 0, 0, 0,
113 0,0, 113 0, 0,
114 0,0, 114 0, 0,
115 i2r_ocsp_acutoff,0, 115 i2r_ocsp_acutoff, 0,
116 NULL 116 NULL
117}; 117};
118 118
119const X509V3_EXT_METHOD v3_crl_hold = { 119const X509V3_EXT_METHOD v3_crl_hold = {
120 NID_hold_instruction_code, 0, ASN1_ITEM_ref(ASN1_OBJECT), 120 NID_hold_instruction_code, 0, ASN1_ITEM_ref(ASN1_OBJECT),
121 0,0,0,0, 121 0, 0, 0, 0,
122 0,0, 122 0, 0,
123 0,0, 123 0, 0,
124 i2r_object,0, 124 i2r_object, 0,
125 NULL 125 NULL
126}; 126};
127 127
@@ -131,71 +131,82 @@ const X509V3_EXT_METHOD v3_ocsp_nonce = {
131 ocsp_nonce_free, 131 ocsp_nonce_free,
132 d2i_ocsp_nonce, 132 d2i_ocsp_nonce,
133 i2d_ocsp_nonce, 133 i2d_ocsp_nonce,
134 0,0, 134 0, 0,
135 0,0, 135 0, 0,
136 i2r_ocsp_nonce,0, 136 i2r_ocsp_nonce, 0,
137 NULL 137 NULL
138}; 138};
139 139
140const X509V3_EXT_METHOD v3_ocsp_nocheck = { 140const X509V3_EXT_METHOD v3_ocsp_nocheck = {
141 NID_id_pkix_OCSP_noCheck, 0, ASN1_ITEM_ref(ASN1_NULL), 141 NID_id_pkix_OCSP_noCheck, 0, ASN1_ITEM_ref(ASN1_NULL),
142 0,0,0,0, 142 0, 0, 0, 0,
143 0,s2i_ocsp_nocheck, 143 0, s2i_ocsp_nocheck,
144 0,0, 144 0, 0,
145 i2r_ocsp_nocheck,0, 145 i2r_ocsp_nocheck, 0,
146 NULL 146 NULL
147}; 147};
148 148
149const X509V3_EXT_METHOD v3_ocsp_serviceloc = { 149const X509V3_EXT_METHOD v3_ocsp_serviceloc = {
150 NID_id_pkix_OCSP_serviceLocator, 0, ASN1_ITEM_ref(OCSP_SERVICELOC), 150 NID_id_pkix_OCSP_serviceLocator, 0, ASN1_ITEM_ref(OCSP_SERVICELOC),
151 0,0,0,0, 151 0, 0, 0, 0,
152 0,0, 152 0, 0,
153 0,0, 153 0, 0,
154 i2r_ocsp_serviceloc,0, 154 i2r_ocsp_serviceloc, 0,
155 NULL 155 NULL
156}; 156};
157 157
158static int i2r_ocsp_crlid(const X509V3_EXT_METHOD *method, void *in, BIO *bp, 158static int
159 int ind) 159i2r_ocsp_crlid(const X509V3_EXT_METHOD *method, void *in, BIO *bp, int ind)
160{ 160{
161 OCSP_CRLID *a = in; 161 OCSP_CRLID *a = in;
162 if (a->crlUrl) 162 if (a->crlUrl) {
163 { 163 if (BIO_printf(bp, "%*scrlUrl: ", ind, "") <= 0)
164 if (BIO_printf(bp, "%*scrlUrl: ", ind, "") <= 0) goto err; 164 goto err;
165 if (!ASN1_STRING_print(bp, (ASN1_STRING*)a->crlUrl)) goto err; 165 if (!ASN1_STRING_print(bp, (ASN1_STRING*)a->crlUrl))
166 if (BIO_write(bp, "\n", 1) <= 0) goto err; 166 goto err;
167 } 167 if (BIO_write(bp, "\n", 1) <= 0)
168 if (a->crlNum) 168 goto err;
169 { 169 }
170 if (BIO_printf(bp, "%*scrlNum: ", ind, "") <= 0) goto err; 170 if (a->crlNum) {
171 if (i2a_ASN1_INTEGER(bp, a->crlNum) <= 0) goto err; 171 if (BIO_printf(bp, "%*scrlNum: ", ind, "") <= 0)
172 if (BIO_write(bp, "\n", 1) <= 0) goto err; 172 goto err;
173 } 173 if (i2a_ASN1_INTEGER(bp, a->crlNum) <= 0)
174 if (a->crlTime) 174 goto err;
175 { 175 if (BIO_write(bp, "\n", 1) <= 0)
176 if (BIO_printf(bp, "%*scrlTime: ", ind, "") <= 0) goto err; 176 goto err;
177 if (!ASN1_GENERALIZEDTIME_print(bp, a->crlTime)) goto err; 177 }
178 if (BIO_write(bp, "\n", 1) <= 0) goto err; 178 if (a->crlTime) {
179 } 179 if (BIO_printf(bp, "%*scrlTime: ", ind, "") <= 0)
180 goto err;
181 if (!ASN1_GENERALIZEDTIME_print(bp, a->crlTime))
182 goto err;
183 if (BIO_write(bp, "\n", 1) <= 0)
184 goto err;
185 }
180 return 1; 186 return 1;
181 err: 187
188err:
182 return 0; 189 return 0;
183} 190}
184 191
185static int i2r_ocsp_acutoff(const X509V3_EXT_METHOD *method, void *cutoff, 192static int
186 BIO *bp, int ind) 193i2r_ocsp_acutoff(const X509V3_EXT_METHOD *method, void *cutoff, BIO *bp,
194 int ind)
187{ 195{
188 if (BIO_printf(bp, "%*s", ind, "") <= 0) return 0; 196 if (BIO_printf(bp, "%*s", ind, "") <= 0)
189 if(!ASN1_GENERALIZEDTIME_print(bp, cutoff)) return 0; 197 return 0;
198 if (!ASN1_GENERALIZEDTIME_print(bp, cutoff))
199 return 0;
190 return 1; 200 return 1;
191} 201}
192 202
193 203static int
194static int i2r_object(const X509V3_EXT_METHOD *method, void *oid, BIO *bp, 204i2r_object(const X509V3_EXT_METHOD *method, void *oid, BIO *bp, int ind)
195 int ind)
196{ 205{
197 if (BIO_printf(bp, "%*s", ind, "") <= 0) return 0; 206 if (BIO_printf(bp, "%*s", ind, "") <= 0)
198 if(i2a_ASN1_OBJECT(bp, oid) <= 0) return 0; 207 return 0;
208 if (i2a_ASN1_OBJECT(bp, oid) <= 0)
209 return 0;
199 return 1; 210 return 1;
200} 211}
201 212
@@ -203,87 +214,108 @@ static int i2r_object(const X509V3_EXT_METHOD *method, void *oid, BIO *bp,
203 * an ASN1 encoding at all: it just contains arbitrary data. 214 * an ASN1 encoding at all: it just contains arbitrary data.
204 */ 215 */
205 216
206static void *ocsp_nonce_new(void) 217static void *
218ocsp_nonce_new(void)
207{ 219{
208 return ASN1_OCTET_STRING_new(); 220 return ASN1_OCTET_STRING_new();
209} 221}
210 222
211static int i2d_ocsp_nonce(void *a, unsigned char **pp) 223static int
224i2d_ocsp_nonce(void *a, unsigned char **pp)
212{ 225{
213 ASN1_OCTET_STRING *os = a; 226 ASN1_OCTET_STRING *os = a;
214 if(pp) { 227
228 if (pp) {
215 memcpy(*pp, os->data, os->length); 229 memcpy(*pp, os->data, os->length);
216 *pp += os->length; 230 *pp += os->length;
217 } 231 }
218 return os->length; 232 return os->length;
219} 233}
220 234
221static void *d2i_ocsp_nonce(void *a, const unsigned char **pp, long length) 235static void *
236d2i_ocsp_nonce(void *a, const unsigned char **pp, long length)
222{ 237{
223 ASN1_OCTET_STRING *os, **pos; 238 ASN1_OCTET_STRING *os, **pos;
239
224 pos = a; 240 pos = a;
225 if(!pos || !*pos) os = ASN1_OCTET_STRING_new(); 241 if (!pos || !*pos)
226 else os = *pos; 242 os = ASN1_OCTET_STRING_new();
227 if(!ASN1_OCTET_STRING_set(os, *pp, length)) goto err; 243 else
244 os = *pos;
245 if (!ASN1_OCTET_STRING_set(os, *pp, length))
246 goto err;
228 247
229 *pp += length; 248 *pp += length;
230 249
231 if(pos) *pos = os; 250 if (pos)
251 *pos = os;
232 return os; 252 return os;
233 253
234 err: 254err:
235 if(os && (!pos || (*pos != os))) M_ASN1_OCTET_STRING_free(os); 255 if (os && (!pos || (*pos != os)))
256 M_ASN1_OCTET_STRING_free(os);
236 OCSPerr(OCSP_F_D2I_OCSP_NONCE, ERR_R_MALLOC_FAILURE); 257 OCSPerr(OCSP_F_D2I_OCSP_NONCE, ERR_R_MALLOC_FAILURE);
237 return NULL; 258 return NULL;
238} 259}
239 260
240static void ocsp_nonce_free(void *a) 261static void
262ocsp_nonce_free(void *a)
241{ 263{
242 M_ASN1_OCTET_STRING_free(a); 264 M_ASN1_OCTET_STRING_free(a);
243} 265}
244 266
245static int i2r_ocsp_nonce(const X509V3_EXT_METHOD *method, void *nonce, 267static int
246 BIO *out, int indent) 268i2r_ocsp_nonce(const X509V3_EXT_METHOD *method, void *nonce, BIO *out,
269 int indent)
247{ 270{
248 if(BIO_printf(out, "%*s", indent, "") <= 0) return 0; 271 if (BIO_printf(out, "%*s", indent, "") <= 0)
249 if(i2a_ASN1_STRING(out, nonce, V_ASN1_OCTET_STRING) <= 0) return 0; 272 return 0;
273 if (i2a_ASN1_STRING(out, nonce, V_ASN1_OCTET_STRING) <= 0)
274 return 0;
250 return 1; 275 return 1;
251} 276}
252 277
253/* Nocheck is just a single NULL. Don't print anything and always set it */ 278/* Nocheck is just a single NULL. Don't print anything and always set it */
254 279
255static int i2r_ocsp_nocheck(const X509V3_EXT_METHOD *method, void *nocheck, 280static int
256 BIO *out, int indent) 281i2r_ocsp_nocheck(const X509V3_EXT_METHOD *method, void *nocheck, BIO *out,
282 int indent)
257{ 283{
258 return 1; 284 return 1;
259} 285}
260 286
261static void *s2i_ocsp_nocheck(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx, 287static void *
262 const char *str) 288s2i_ocsp_nocheck(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
289 const char *str)
263{ 290{
264 return ASN1_NULL_new(); 291 return ASN1_NULL_new();
265} 292}
266 293
267static int i2r_ocsp_serviceloc(const X509V3_EXT_METHOD *method, void *in, 294static int
268 BIO *bp, int ind) 295i2r_ocsp_serviceloc(const X509V3_EXT_METHOD *method, void *in, BIO *bp, int ind)
269 { 296{
270 int i; 297 int i;
271 OCSP_SERVICELOC *a = in; 298 OCSP_SERVICELOC *a = in;
272 ACCESS_DESCRIPTION *ad; 299 ACCESS_DESCRIPTION *ad;
273 300
274 if (BIO_printf(bp, "%*sIssuer: ", ind, "") <= 0) goto err; 301 if (BIO_printf(bp, "%*sIssuer: ", ind, "") <= 0)
275 if (X509_NAME_print_ex(bp, a->issuer, 0, XN_FLAG_ONELINE) <= 0) goto err; 302 goto err;
276 for (i = 0; i < sk_ACCESS_DESCRIPTION_num(a->locator); i++) 303 if (X509_NAME_print_ex(bp, a->issuer, 0, XN_FLAG_ONELINE) <= 0)
277 { 304 goto err;
278 ad = sk_ACCESS_DESCRIPTION_value(a->locator,i); 305 for (i = 0; i < sk_ACCESS_DESCRIPTION_num(a->locator); i++) {
279 if (BIO_printf(bp, "\n%*s", (2*ind), "") <= 0) 306 ad = sk_ACCESS_DESCRIPTION_value(a->locator, i);
280 goto err; 307 if (BIO_printf(bp, "\n%*s", (2 * ind), "") <= 0)
281 if(i2a_ASN1_OBJECT(bp, ad->method) <= 0) goto err; 308 goto err;
282 if(BIO_puts(bp, " - ") <= 0) goto err; 309 if (i2a_ASN1_OBJECT(bp, ad->method) <= 0)
283 if(GENERAL_NAME_print(bp, ad->location) <= 0) goto err; 310 goto err;
284 } 311 if (BIO_puts(bp, " - ") <= 0)
312 goto err;
313 if (GENERAL_NAME_print(bp, ad->location) <= 0)
314 goto err;
315 }
285 return 1; 316 return 1;
317
286err: 318err:
287 return 0; 319 return 0;
288 } 320}
289#endif 321#endif
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-21 19:47:30 +0000