src - FreeBSD source tree

diff options


context:
space:
mode:

author	Jung-uk Kim <jkim@FreeBSD.org>	2015-12-03 17:22:58 +0000
committer	Jung-uk Kim <jkim@FreeBSD.org>	2015-12-03 17:22:58 +0000
commit	737d7e8d3945c206c037e139055821aa0c64bb8e (patch)
tree	b0284af4e4144e27eb9f39e88c53868060774b16 /crypto/x509v3
parent	e9fcefce9bb70f20c272a996443928c5f6ab8cd8 (diff)
download	src-737d7e8d3945c206c037e139055821aa0c64bb8e.tar.gz src-737d7e8d3945c206c037e139055821aa0c64bb8e.zip

Import OpenSSL 1.0.2e.vendor/openssl/1.0.2e

Notes

Notes: svn path=/vendor-crypto/openssl/dist/; revision=291707 svn path=/vendor-crypto/openssl/1.0.2e/; revision=291708; tag=vendor/openssl/1.0.2e

Diffstat (limited to 'crypto/x509v3')

-rw-r--r--

crypto/x509v3/v3_cpols.c

-rw-r--r--

crypto/x509v3/v3_ncons.c

-rw-r--r--

crypto/x509v3/v3_pci.c

-rw-r--r--

crypto/x509v3/v3_pcia.c

-rw-r--r--

crypto/x509v3/v3_purp.c

-rw-r--r--

crypto/x509v3/v3_scts.c

-rw-r--r--

crypto/x509v3/v3_utl.c

7 files changed, 28 insertions, 15 deletions

diff --git a/crypto/x509v3/v3_cpols.c b/crypto/x509v3/v3_cpols.c
index 0febc1b3edc1..d97f6226b9ee 100644
--- a/crypto/x509v3/v3_cpols.c
+++ b/crypto/x509v3/v3_cpols.c

@@ -186,6 +186,10 @@ static STACK_OF(POLICYINFO) *r2i_certpol(X509V3_EXT_METHOD *method,

goto err;

}

pol = POLICYINFO_new();

+ if (pol == NULL) {

+ X509V3err(X509V3_F_R2I_CERTPOL, ERR_R_MALLOC_FAILURE);

+ goto err;

+ }

pol->policyid = pobj;

}

if (!sk_POLICYINFO_push(pols, pol)) {

diff --git a/crypto/x509v3/v3_ncons.c b/crypto/x509v3/v3_ncons.c
index b97ed271e3e2..2855269668be 100644
--- a/crypto/x509v3/v3_ncons.c
+++ b/crypto/x509v3/v3_ncons.c

@@ -132,6 +132,8 @@ static void *v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method,

}

tval.value = val->value;

sub = GENERAL_SUBTREE_new();

+ if (sub == NULL)

+ goto memerr;

if (!v2i_GENERAL_NAME_ex(sub->base, method, ctx, &tval, 1))

goto err;

if (!*ptree)

diff --git a/crypto/x509v3/v3_pci.c b/crypto/x509v3/v3_pci.c
index fe0d8063d1f1..48ac0959cb10 100644
--- a/crypto/x509v3/v3_pci.c
+++ b/crypto/x509v3/v3_pci.c

@@ -3,7 +3,7 @@

* Contributed to the OpenSSL Project 2004 by Richard Levitte

* (richard@levitte.org)

* (Royal Institute of Technology, Stockholm, Sweden).

diff --git a/crypto/x509v3/v3_pcia.c b/crypto/x509v3/v3_pcia.c
index 350b39889fcc..43fd362aeda0 100644
--- a/crypto/x509v3/v3_pcia.c
+++ b/crypto/x509v3/v3_pcia.c

@@ -3,7 +3,7 @@

* Contributed to the OpenSSL Project 2004 by Richard Levitte

* (richard@levitte.org)

* (Royal Institute of Technology, Stockholm, Sweden).

diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c
index 36b0d87a0d8b..845be673b799 100644
--- a/crypto/x509v3/v3_purp.c
+++ b/crypto/x509v3/v3_purp.c

@@ -380,6 +380,14 @@ static void setup_crldp(X509 *x)

setup_dp(x, sk_DIST_POINT_value(x->crldp, i));

}

+#define V1_ROOT (EXFLAG_V1|EXFLAG_SS)

+#define ku_reject(x, usage) \

+ (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage)))

+#define xku_reject(x, usage) \

+ (((x)->ex_flags & EXFLAG_XKUSAGE) && !((x)->ex_xkusage & (usage)))

+#define ns_reject(x, usage) \

+ (((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage)))

static void x509v3_cache_extensions(X509 *x)

{

BASIC_CONSTRAINTS *bs;

@@ -499,7 +507,8 @@ static void x509v3_cache_extensions(X509 *x)

if (!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x))) {

x->ex_flags |= EXFLAG_SI;

/* If SKID matches AKID also indicate self signed */

- if (X509_check_akid(x, x->akid) == X509_V_OK)

+ if (X509_check_akid(x, x->akid) == X509_V_OK &&

+ !ku_reject(x, KU_KEY_CERT_SIGN))

x->ex_flags |= EXFLAG_SS;

}

x->altname = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);

@@ -538,14 +547,6 @@ static void x509v3_cache_extensions(X509 *x)

* 4 basicConstraints absent but keyUsage present and keyCertSign asserted.

-#define V1_ROOT (EXFLAG_V1|EXFLAG_SS)

-#define ku_reject(x, usage) \

- (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage)))

-#define xku_reject(x, usage) \

- (((x)->ex_flags & EXFLAG_XKUSAGE) && !((x)->ex_xkusage & (usage)))

-#define ns_reject(x, usage) \

- (((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage)))

static int check_ca(const X509 *x)

{

/* keyUsage if present should allow cert signing */

diff --git a/crypto/x509v3/v3_scts.c b/crypto/x509v3/v3_scts.c
index 6e0b8d6844c8..0b7c68180e78 100644
--- a/crypto/x509v3/v3_scts.c
+++ b/crypto/x509v3/v3_scts.c

@@ -190,8 +190,9 @@ static STACK_OF(SCT) *d2i_SCT_LIST(STACK_OF(SCT) **a,

SCT *sct;

unsigned char *p, *p2;

unsigned short listlen, sctlen = 0, fieldlen;

+ const unsigned char *q = *pp;

- if (d2i_ASN1_OCTET_STRING(&oct, pp, length) == NULL)

+ if (d2i_ASN1_OCTET_STRING(&oct, &q, length) == NULL)

return NULL;

if (oct->length < 2)

goto done;

@@ -279,6 +280,7 @@ static STACK_OF(SCT) *d2i_SCT_LIST(STACK_OF(SCT) **a,

done:

ASN1_OCTET_STRING_free(oct);

+ *pp = q;

return sk;

err:

diff --git a/crypto/x509v3/v3_utl.c b/crypto/x509v3/v3_utl.c
index bdd7b95f4570..4d1ecc58bf94 100644
--- a/crypto/x509v3/v3_utl.c
+++ b/crypto/x509v3/v3_utl.c

@@ -926,7 +926,7 @@ static int do_x509_check(X509 *x, const char *chk, size_t chklen,

GENERAL_NAMES *gens = NULL;

X509_NAME *name = NULL;

int i;

- int cnid;

+ int cnid = NID_undef;

int alt_type;

int san_present = 0;

int rv = 0;

@@ -949,7 +949,6 @@ static int do_x509_check(X509 *x, const char *chk, size_t chklen,

else

equal = equal_wildcard;

} else {

- cnid = 0;

alt_type = V_ASN1_OCTET_STRING;

equal = equal_case;

}

@@ -980,11 +979,16 @@ static int do_x509_check(X509 *x, const char *chk, size_t chklen,

GENERAL_NAMES_free(gens);

if (rv != 0)

return rv;

- if (!cnid

+ if (cnid == NID_undef

|| (san_present

&& !(flags & X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT)))

return 0;

}

+ /* We're done if CN-ID is not pertinent */

+ if (cnid == NID_undef)

+ return 0;

i = -1;

name = X509_get_subject_name(x);

while ((i = X509_NAME_get_index_by_NID(name, cnid, i)) >= 0) {