aboutsummaryrefslogtreecommitdiffstats
path: root/crypto/x509v3
diff options
context:
space:
mode:
Diffstat (limited to 'crypto/x509v3')
-rw-r--r--crypto/x509v3/Makefile607
-rw-r--r--crypto/x509v3/build.info8
-rw-r--r--crypto/x509v3/ext_dat.h151
-rw-r--r--crypto/x509v3/pcy_cache.c129
-rw-r--r--crypto/x509v3/pcy_data.c90
-rw-r--r--crypto/x509v3/pcy_int.h66
-rw-r--r--crypto/x509v3/pcy_lib.c71
-rw-r--r--crypto/x509v3/pcy_map.c69
-rw-r--r--crypto/x509v3/pcy_node.c97
-rw-r--r--crypto/x509v3/pcy_tree.c608
-rw-r--r--crypto/x509v3/standard_exts.h78
-rw-r--r--crypto/x509v3/tabtest.c92
-rw-r--r--crypto/x509v3/v3_addr.c207
-rw-r--r--crypto/x509v3/v3_admis.c356
-rw-r--r--crypto/x509v3/v3_admis.h38
-rw-r--r--crypto/x509v3/v3_akey.c91
-rw-r--r--crypto/x509v3/v3_akeya.c62
-rw-r--r--crypto/x509v3/v3_alt.c201
-rw-r--r--crypto/x509v3/v3_asid.c222
-rw-r--r--crypto/x509v3/v3_bcons.c70
-rw-r--r--crypto/x509v3/v3_bitst.c73
-rw-r--r--crypto/x509v3/v3_conf.c201
-rw-r--r--crypto/x509v3/v3_cpols.c184
-rw-r--r--crypto/x509v3/v3_crld.c152
-rw-r--r--crypto/x509v3/v3_enum.c69
-rw-r--r--crypto/x509v3/v3_extku.c74
-rw-r--r--crypto/x509v3/v3_genn.c64
-rw-r--r--crypto/x509v3/v3_ia5.c88
-rw-r--r--crypto/x509v3/v3_info.c89
-rw-r--r--crypto/x509v3/v3_int.c65
-rw-r--r--crypto/x509v3/v3_lib.c130
-rw-r--r--crypto/x509v3/v3_ncons.c301
-rw-r--r--crypto/x509v3/v3_ocsp.c312
-rw-r--r--crypto/x509v3/v3_pci.c66
-rw-r--r--crypto/x509v3/v3_pcia.c16
-rw-r--r--crypto/x509v3/v3_pcons.c70
-rw-r--r--crypto/x509v3/v3_pku.c78
-rw-r--r--crypto/x509v3/v3_pmaps.c94
-rw-r--r--crypto/x509v3/v3_prn.c115
-rw-r--r--crypto/x509v3/v3_purp.c229
-rw-r--r--crypto/x509v3/v3_scts.c334
-rw-r--r--crypto/x509v3/v3_skey.c98
-rw-r--r--crypto/x509v3/v3_sxnet.c117
-rw-r--r--crypto/x509v3/v3_tlsf.c137
-rw-r--r--crypto/x509v3/v3_utl.c412
-rw-r--r--crypto/x509v3/v3conf.c129
-rw-r--r--crypto/x509v3/v3err.c464
-rw-r--r--crypto/x509v3/v3nametest.c346
-rw-r--r--crypto/x509v3/v3prin.c99
-rw-r--r--crypto/x509v3/x509v3.h1055
50 files changed, 2579 insertions, 6395 deletions
diff --git a/crypto/x509v3/Makefile b/crypto/x509v3/Makefile
deleted file mode 100644
index 9791b77a0765..000000000000
--- a/crypto/x509v3/Makefile
+++ /dev/null
@@ -1,607 +0,0 @@
-#
-# OpenSSL/crypto/x509v3/Makefile
-#
-
-DIR= x509v3
-TOP= ../..
-CC= cc
-INCLUDES= -I.. -I$(TOP) -I../../include
-CFLAG=-g
-MAKEFILE= Makefile
-AR= ar r
-
-CFLAGS= $(INCLUDES) $(CFLAG)
-
-GENERAL=Makefile README
-TEST=v3nametest.c
-APPS=
-
-LIB=$(TOP)/libcrypto.a
-LIBSRC= v3_bcons.c v3_bitst.c v3_conf.c v3_extku.c v3_ia5.c v3_lib.c \
-v3_prn.c v3_utl.c v3err.c v3_genn.c v3_alt.c v3_skey.c v3_akey.c v3_pku.c \
-v3_int.c v3_enum.c v3_sxnet.c v3_cpols.c v3_crld.c v3_purp.c v3_info.c \
-v3_ocsp.c v3_akeya.c v3_pmaps.c v3_pcons.c v3_ncons.c v3_pcia.c v3_pci.c \
-pcy_cache.c pcy_node.c pcy_data.c pcy_map.c pcy_tree.c pcy_lib.c \
-v3_asid.c v3_addr.c v3_scts.c
-LIBOBJ= v3_bcons.o v3_bitst.o v3_conf.o v3_extku.o v3_ia5.o v3_lib.o \
-v3_prn.o v3_utl.o v3err.o v3_genn.o v3_alt.o v3_skey.o v3_akey.o v3_pku.o \
-v3_int.o v3_enum.o v3_sxnet.o v3_cpols.o v3_crld.o v3_purp.o v3_info.o \
-v3_ocsp.o v3_akeya.o v3_pmaps.o v3_pcons.o v3_ncons.o v3_pcia.o v3_pci.o \
-pcy_cache.o pcy_node.o pcy_data.o pcy_map.o pcy_tree.o pcy_lib.o \
-v3_asid.o v3_addr.o v3_scts.o
-
-SRC= $(LIBSRC)
-
-EXHEADER= x509v3.h
-HEADER= $(EXHEADER) pcy_int.h
-
-ALL= $(GENERAL) $(SRC) $(HEADER)
-
-top:
- (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
-
-all: lib
-
-lib: $(LIBOBJ)
- $(AR) $(LIB) $(LIBOBJ)
- $(RANLIB) $(LIB) || echo Never mind.
- @touch lib
-
-files:
- $(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
-
-links:
- @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
- @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
- @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
-
-install:
- @[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
- @headerlist="$(EXHEADER)"; for i in $$headerlist ; \
- do \
- (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
- chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
- done;
-
-tags:
- ctags $(SRC)
-
-tests:
-
-lint:
- lint -DLINT $(INCLUDES) $(SRC)>fluff
-
-update: depend
-
-depend:
- @[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
- $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
-
-dclean:
- $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
- mv -f Makefile.new $(MAKEFILE)
-
-clean:
- rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
-
-# DO NOT DELETE THIS LINE -- make depend depends on it.
-
-pcy_cache.o: ../../e_os.h ../../include/openssl/asn1.h
-pcy_cache.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
-pcy_cache.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-pcy_cache.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
-pcy_cache.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
-pcy_cache.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-pcy_cache.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-pcy_cache.o: ../../include/openssl/objects.h
-pcy_cache.o: ../../include/openssl/opensslconf.h
-pcy_cache.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-pcy_cache.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
-pcy_cache.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-pcy_cache.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-pcy_cache.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-pcy_cache.o: ../cryptlib.h pcy_cache.c pcy_int.h
-pcy_data.o: ../../e_os.h ../../include/openssl/asn1.h
-pcy_data.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
-pcy_data.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-pcy_data.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
-pcy_data.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
-pcy_data.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-pcy_data.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-pcy_data.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-pcy_data.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-pcy_data.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
-pcy_data.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-pcy_data.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-pcy_data.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-pcy_data.o: ../cryptlib.h pcy_data.c pcy_int.h
-pcy_lib.o: ../../e_os.h ../../include/openssl/asn1.h
-pcy_lib.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
-pcy_lib.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-pcy_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
-pcy_lib.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
-pcy_lib.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-pcy_lib.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-pcy_lib.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-pcy_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-pcy_lib.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
-pcy_lib.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-pcy_lib.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-pcy_lib.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-pcy_lib.o: ../cryptlib.h pcy_int.h pcy_lib.c
-pcy_map.o: ../../e_os.h ../../include/openssl/asn1.h
-pcy_map.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
-pcy_map.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-pcy_map.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
-pcy_map.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
-pcy_map.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-pcy_map.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-pcy_map.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-pcy_map.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-pcy_map.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
-pcy_map.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-pcy_map.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-pcy_map.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-pcy_map.o: ../cryptlib.h pcy_int.h pcy_map.c
-pcy_node.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-pcy_node.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
-pcy_node.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-pcy_node.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
-pcy_node.o: ../../include/openssl/ecdsa.h ../../include/openssl/evp.h
-pcy_node.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-pcy_node.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-pcy_node.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-pcy_node.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
-pcy_node.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-pcy_node.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-pcy_node.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-pcy_node.o: pcy_int.h pcy_node.c
-pcy_tree.o: ../../e_os.h ../../include/openssl/asn1.h
-pcy_tree.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
-pcy_tree.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-pcy_tree.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
-pcy_tree.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
-pcy_tree.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-pcy_tree.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-pcy_tree.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-pcy_tree.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-pcy_tree.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
-pcy_tree.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-pcy_tree.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-pcy_tree.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-pcy_tree.o: ../cryptlib.h pcy_int.h pcy_tree.c
-v3_addr.o: ../../e_os.h ../../include/openssl/asn1.h
-v3_addr.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
-v3_addr.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
-v3_addr.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-v3_addr.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
-v3_addr.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
-v3_addr.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
-v3_addr.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-v3_addr.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-v3_addr.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-v3_addr.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-v3_addr.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-v3_addr.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-v3_addr.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_addr.c
-v3_akey.o: ../../e_os.h ../../include/openssl/asn1.h
-v3_akey.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
-v3_akey.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
-v3_akey.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-v3_akey.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
-v3_akey.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
-v3_akey.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
-v3_akey.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-v3_akey.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-v3_akey.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-v3_akey.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-v3_akey.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-v3_akey.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-v3_akey.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_akey.c
-v3_akeya.o: ../../e_os.h ../../include/openssl/asn1.h
-v3_akeya.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
-v3_akeya.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
-v3_akeya.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-v3_akeya.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
-v3_akeya.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
-v3_akeya.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
-v3_akeya.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-v3_akeya.o: ../../include/openssl/opensslconf.h
-v3_akeya.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-v3_akeya.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
-v3_akeya.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-v3_akeya.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-v3_akeya.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-v3_akeya.o: ../cryptlib.h v3_akeya.c
-v3_alt.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
-v3_alt.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
-v3_alt.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-v3_alt.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
-v3_alt.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
-v3_alt.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
-v3_alt.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-v3_alt.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-v3_alt.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-v3_alt.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-v3_alt.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-v3_alt.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-v3_alt.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_alt.c
-v3_asid.o: ../../e_os.h ../../include/openssl/asn1.h
-v3_asid.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
-v3_asid.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-v3_asid.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-v3_asid.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
-v3_asid.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
-v3_asid.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-v3_asid.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-v3_asid.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-v3_asid.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-v3_asid.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
-v3_asid.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-v3_asid.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-v3_asid.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-v3_asid.o: ../cryptlib.h v3_asid.c
-v3_bcons.o: ../../e_os.h ../../include/openssl/asn1.h
-v3_bcons.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
-v3_bcons.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
-v3_bcons.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-v3_bcons.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
-v3_bcons.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
-v3_bcons.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
-v3_bcons.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-v3_bcons.o: ../../include/openssl/opensslconf.h
-v3_bcons.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-v3_bcons.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
-v3_bcons.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-v3_bcons.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-v3_bcons.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-v3_bcons.o: ../cryptlib.h v3_bcons.c
-v3_bitst.o: ../../e_os.h ../../include/openssl/asn1.h
-v3_bitst.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
-v3_bitst.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-v3_bitst.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
-v3_bitst.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
-v3_bitst.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-v3_bitst.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-v3_bitst.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-v3_bitst.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-v3_bitst.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
-v3_bitst.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-v3_bitst.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-v3_bitst.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-v3_bitst.o: ../cryptlib.h v3_bitst.c
-v3_conf.o: ../../e_os.h ../../include/openssl/asn1.h
-v3_conf.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
-v3_conf.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-v3_conf.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
-v3_conf.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
-v3_conf.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-v3_conf.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-v3_conf.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-v3_conf.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-v3_conf.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
-v3_conf.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-v3_conf.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-v3_conf.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-v3_conf.o: ../cryptlib.h v3_conf.c
-v3_cpols.o: ../../e_os.h ../../include/openssl/asn1.h
-v3_cpols.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
-v3_cpols.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
-v3_cpols.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-v3_cpols.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
-v3_cpols.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
-v3_cpols.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
-v3_cpols.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-v3_cpols.o: ../../include/openssl/opensslconf.h
-v3_cpols.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-v3_cpols.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
-v3_cpols.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-v3_cpols.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-v3_cpols.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-v3_cpols.o: ../cryptlib.h pcy_int.h v3_cpols.c
-v3_crld.o: ../../e_os.h ../../include/openssl/asn1.h
-v3_crld.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
-v3_crld.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
-v3_crld.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-v3_crld.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
-v3_crld.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
-v3_crld.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
-v3_crld.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-v3_crld.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-v3_crld.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-v3_crld.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-v3_crld.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-v3_crld.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-v3_crld.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_crld.c
-v3_enum.o: ../../e_os.h ../../include/openssl/asn1.h
-v3_enum.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
-v3_enum.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-v3_enum.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
-v3_enum.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
-v3_enum.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-v3_enum.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-v3_enum.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-v3_enum.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-v3_enum.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
-v3_enum.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-v3_enum.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-v3_enum.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-v3_enum.o: ../cryptlib.h v3_enum.c
-v3_extku.o: ../../e_os.h ../../include/openssl/asn1.h
-v3_extku.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
-v3_extku.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
-v3_extku.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-v3_extku.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
-v3_extku.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
-v3_extku.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
-v3_extku.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-v3_extku.o: ../../include/openssl/opensslconf.h
-v3_extku.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-v3_extku.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
-v3_extku.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-v3_extku.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-v3_extku.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-v3_extku.o: ../cryptlib.h v3_extku.c
-v3_genn.o: ../../e_os.h ../../include/openssl/asn1.h
-v3_genn.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
-v3_genn.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
-v3_genn.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-v3_genn.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
-v3_genn.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
-v3_genn.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
-v3_genn.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-v3_genn.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-v3_genn.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-v3_genn.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-v3_genn.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-v3_genn.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-v3_genn.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_genn.c
-v3_ia5.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
-v3_ia5.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
-v3_ia5.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-v3_ia5.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
-v3_ia5.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
-v3_ia5.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
-v3_ia5.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-v3_ia5.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-v3_ia5.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-v3_ia5.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-v3_ia5.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-v3_ia5.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-v3_ia5.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_ia5.c
-v3_info.o: ../../e_os.h ../../include/openssl/asn1.h
-v3_info.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
-v3_info.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
-v3_info.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-v3_info.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
-v3_info.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
-v3_info.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
-v3_info.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-v3_info.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-v3_info.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-v3_info.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-v3_info.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-v3_info.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-v3_info.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_info.c
-v3_int.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
-v3_int.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
-v3_int.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-v3_int.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
-v3_int.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
-v3_int.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
-v3_int.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-v3_int.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-v3_int.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-v3_int.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-v3_int.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-v3_int.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-v3_int.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_int.c
-v3_lib.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
-v3_lib.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
-v3_lib.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-v3_lib.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
-v3_lib.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
-v3_lib.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
-v3_lib.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-v3_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-v3_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-v3_lib.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-v3_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-v3_lib.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-v3_lib.o: ../../include/openssl/x509v3.h ../cryptlib.h ext_dat.h v3_lib.c
-v3_ncons.o: ../../e_os.h ../../include/openssl/asn1.h
-v3_ncons.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
-v3_ncons.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
-v3_ncons.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-v3_ncons.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
-v3_ncons.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
-v3_ncons.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
-v3_ncons.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-v3_ncons.o: ../../include/openssl/opensslconf.h
-v3_ncons.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-v3_ncons.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
-v3_ncons.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-v3_ncons.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-v3_ncons.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-v3_ncons.o: ../cryptlib.h v3_ncons.c
-v3_ocsp.o: ../../e_os.h ../../include/openssl/asn1.h
-v3_ocsp.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
-v3_ocsp.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-v3_ocsp.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
-v3_ocsp.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
-v3_ocsp.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-v3_ocsp.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-v3_ocsp.o: ../../include/openssl/objects.h ../../include/openssl/ocsp.h
-v3_ocsp.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-v3_ocsp.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-v3_ocsp.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-v3_ocsp.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-v3_ocsp.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-v3_ocsp.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_ocsp.c
-v3_pci.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
-v3_pci.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
-v3_pci.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-v3_pci.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
-v3_pci.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
-v3_pci.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
-v3_pci.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-v3_pci.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-v3_pci.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-v3_pci.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-v3_pci.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-v3_pci.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-v3_pci.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_pci.c
-v3_pcia.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
-v3_pcia.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
-v3_pcia.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-v3_pcia.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
-v3_pcia.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
-v3_pcia.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
-v3_pcia.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-v3_pcia.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-v3_pcia.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-v3_pcia.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-v3_pcia.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-v3_pcia.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-v3_pcia.o: ../../include/openssl/x509v3.h v3_pcia.c
-v3_pcons.o: ../../e_os.h ../../include/openssl/asn1.h
-v3_pcons.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
-v3_pcons.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
-v3_pcons.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-v3_pcons.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
-v3_pcons.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
-v3_pcons.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
-v3_pcons.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-v3_pcons.o: ../../include/openssl/opensslconf.h
-v3_pcons.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-v3_pcons.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
-v3_pcons.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-v3_pcons.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-v3_pcons.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-v3_pcons.o: ../cryptlib.h v3_pcons.c
-v3_pku.o: ../../e_os.h ../../include/openssl/asn1.h
-v3_pku.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
-v3_pku.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
-v3_pku.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-v3_pku.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
-v3_pku.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
-v3_pku.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
-v3_pku.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-v3_pku.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-v3_pku.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-v3_pku.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-v3_pku.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-v3_pku.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-v3_pku.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_pku.c
-v3_pmaps.o: ../../e_os.h ../../include/openssl/asn1.h
-v3_pmaps.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
-v3_pmaps.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
-v3_pmaps.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-v3_pmaps.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
-v3_pmaps.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
-v3_pmaps.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
-v3_pmaps.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-v3_pmaps.o: ../../include/openssl/opensslconf.h
-v3_pmaps.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-v3_pmaps.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
-v3_pmaps.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-v3_pmaps.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-v3_pmaps.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-v3_pmaps.o: ../cryptlib.h v3_pmaps.c
-v3_prn.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
-v3_prn.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
-v3_prn.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-v3_prn.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
-v3_prn.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
-v3_prn.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
-v3_prn.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-v3_prn.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-v3_prn.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-v3_prn.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-v3_prn.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-v3_prn.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-v3_prn.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_prn.c
-v3_purp.o: ../../e_os.h ../../include/openssl/asn1.h
-v3_purp.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
-v3_purp.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-v3_purp.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
-v3_purp.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
-v3_purp.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-v3_purp.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-v3_purp.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-v3_purp.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-v3_purp.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
-v3_purp.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-v3_purp.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-v3_purp.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-v3_purp.o: ../cryptlib.h v3_purp.c
-v3_scts.o: ../../e_os.h ../../include/openssl/asn1.h
-v3_scts.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
-v3_scts.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-v3_scts.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
-v3_scts.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
-v3_scts.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-v3_scts.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-v3_scts.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-v3_scts.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-v3_scts.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
-v3_scts.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-v3_scts.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-v3_scts.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-v3_scts.o: ../cryptlib.h v3_scts.c
-v3_skey.o: ../../e_os.h ../../include/openssl/asn1.h
-v3_skey.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
-v3_skey.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-v3_skey.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
-v3_skey.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
-v3_skey.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-v3_skey.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-v3_skey.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-v3_skey.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-v3_skey.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
-v3_skey.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-v3_skey.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-v3_skey.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-v3_skey.o: ../cryptlib.h v3_skey.c
-v3_sxnet.o: ../../e_os.h ../../include/openssl/asn1.h
-v3_sxnet.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
-v3_sxnet.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
-v3_sxnet.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-v3_sxnet.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
-v3_sxnet.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
-v3_sxnet.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
-v3_sxnet.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-v3_sxnet.o: ../../include/openssl/opensslconf.h
-v3_sxnet.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-v3_sxnet.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
-v3_sxnet.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-v3_sxnet.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-v3_sxnet.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-v3_sxnet.o: ../cryptlib.h v3_sxnet.c
-v3_utl.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
-v3_utl.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-v3_utl.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-v3_utl.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
-v3_utl.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
-v3_utl.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-v3_utl.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-v3_utl.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-v3_utl.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-v3_utl.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
-v3_utl.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-v3_utl.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-v3_utl.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-v3_utl.o: ../cryptlib.h v3_utl.c
-v3err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-v3err.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
-v3err.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-v3err.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
-v3err.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
-v3err.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
-v3err.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-v3err.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-v3err.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-v3err.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-v3err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-v3err.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-v3err.o: ../../include/openssl/x509v3.h v3err.c
diff --git a/crypto/x509v3/build.info b/crypto/x509v3/build.info
new file mode 100644
index 000000000000..4ab648849367
--- /dev/null
+++ b/crypto/x509v3/build.info
@@ -0,0 +1,8 @@
+LIBS=../../libcrypto
+SOURCE[../../libcrypto]=\
+ v3_bcons.c v3_bitst.c v3_conf.c v3_extku.c v3_ia5.c v3_lib.c \
+ v3_prn.c v3_utl.c v3err.c v3_genn.c v3_alt.c v3_skey.c v3_akey.c v3_pku.c \
+ v3_int.c v3_enum.c v3_sxnet.c v3_cpols.c v3_crld.c v3_purp.c v3_info.c \
+ v3_akeya.c v3_pmaps.c v3_pcons.c v3_ncons.c v3_pcia.c v3_pci.c \
+ pcy_cache.c pcy_node.c pcy_data.c pcy_map.c pcy_tree.c pcy_lib.c \
+ v3_asid.c v3_addr.c v3_tlsf.c v3_admis.c
diff --git a/crypto/x509v3/ext_dat.h b/crypto/x509v3/ext_dat.h
index c3a6fce7524f..762e264bb22d 100644
--- a/crypto/x509v3/ext_dat.h
+++ b/crypto/x509v3/ext_dat.h
@@ -1,136 +1,25 @@
-/* ext_dat.h */
/*
- * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
- * 1999.
- */
-/* ====================================================================
- * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
+ * Copyright 1999-2017 The OpenSSL Project Authors. All Rights Reserved.
*
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
*/
-/* This file contains a table of "standard" extensions */
-
-extern X509V3_EXT_METHOD v3_bcons, v3_nscert, v3_key_usage, v3_ext_ku;
-extern X509V3_EXT_METHOD v3_pkey_usage_period, v3_sxnet, v3_info, v3_sinfo;
-extern X509V3_EXT_METHOD v3_ns_ia5_list[], v3_alt[], v3_skey_id, v3_akey_id;
-extern X509V3_EXT_METHOD v3_crl_num, v3_crl_reason, v3_crl_invdate;
-extern X509V3_EXT_METHOD v3_delta_crl, v3_cpols, v3_crld, v3_freshest_crl;
-extern X509V3_EXT_METHOD v3_ocsp_nonce, v3_ocsp_accresp, v3_ocsp_acutoff;
-extern X509V3_EXT_METHOD v3_ocsp_crlid, v3_ocsp_nocheck, v3_ocsp_serviceloc;
-extern X509V3_EXT_METHOD v3_crl_hold, v3_pci;
-extern X509V3_EXT_METHOD v3_policy_mappings, v3_policy_constraints;
-extern X509V3_EXT_METHOD v3_name_constraints, v3_inhibit_anyp, v3_idp;
-extern X509V3_EXT_METHOD v3_addr, v3_asid;
-extern X509V3_EXT_METHOD v3_ct_scts[];
-
-/*
- * This table will be searched using OBJ_bsearch so it *must* kept in order
- * of the ext_nid values.
- */
-
-static const X509V3_EXT_METHOD *standard_exts[] = {
- &v3_nscert,
- &v3_ns_ia5_list[0],
- &v3_ns_ia5_list[1],
- &v3_ns_ia5_list[2],
- &v3_ns_ia5_list[3],
- &v3_ns_ia5_list[4],
- &v3_ns_ia5_list[5],
- &v3_ns_ia5_list[6],
- &v3_skey_id,
- &v3_key_usage,
- &v3_pkey_usage_period,
- &v3_alt[0],
- &v3_alt[1],
- &v3_bcons,
- &v3_crl_num,
- &v3_cpols,
- &v3_akey_id,
- &v3_crld,
- &v3_ext_ku,
- &v3_delta_crl,
- &v3_crl_reason,
-#ifndef OPENSSL_NO_OCSP
- &v3_crl_invdate,
-#endif
- &v3_sxnet,
- &v3_info,
-#ifndef OPENSSL_NO_RFC3779
- &v3_addr,
- &v3_asid,
-#endif
-#ifndef OPENSSL_NO_OCSP
- &v3_ocsp_nonce,
- &v3_ocsp_crlid,
- &v3_ocsp_accresp,
- &v3_ocsp_nocheck,
- &v3_ocsp_acutoff,
- &v3_ocsp_serviceloc,
-#endif
- &v3_sinfo,
- &v3_policy_constraints,
-#ifndef OPENSSL_NO_OCSP
- &v3_crl_hold,
-#endif
- &v3_pci,
- &v3_name_constraints,
- &v3_policy_mappings,
- &v3_inhibit_anyp,
- &v3_idp,
- &v3_alt[2],
- &v3_freshest_crl,
- &v3_ct_scts[0],
- &v3_ct_scts[1],
-};
-/* Number of standard extensions */
+int name_cmp(const char *name, const char *cmp);
-#define STANDARD_EXTENSION_COUNT (sizeof(standard_exts)/sizeof(X509V3_EXT_METHOD *))
+extern const X509V3_EXT_METHOD v3_bcons, v3_nscert, v3_key_usage, v3_ext_ku;
+extern const X509V3_EXT_METHOD v3_pkey_usage_period, v3_sxnet, v3_info, v3_sinfo;
+extern const X509V3_EXT_METHOD v3_ns_ia5_list[8], v3_alt[3], v3_skey_id, v3_akey_id;
+extern const X509V3_EXT_METHOD v3_crl_num, v3_crl_reason, v3_crl_invdate;
+extern const X509V3_EXT_METHOD v3_delta_crl, v3_cpols, v3_crld, v3_freshest_crl;
+extern const X509V3_EXT_METHOD v3_ocsp_nonce, v3_ocsp_accresp, v3_ocsp_acutoff;
+extern const X509V3_EXT_METHOD v3_ocsp_crlid, v3_ocsp_nocheck, v3_ocsp_serviceloc;
+extern const X509V3_EXT_METHOD v3_crl_hold, v3_pci;
+extern const X509V3_EXT_METHOD v3_policy_mappings, v3_policy_constraints;
+extern const X509V3_EXT_METHOD v3_name_constraints, v3_inhibit_anyp, v3_idp;
+extern const X509V3_EXT_METHOD v3_addr, v3_asid;
+extern const X509V3_EXT_METHOD v3_ct_scts[3];
+extern const X509V3_EXT_METHOD v3_tls_feature;
+extern const X509V3_EXT_METHOD v3_ext_admission;
diff --git a/crypto/x509v3/pcy_cache.c b/crypto/x509v3/pcy_cache.c
index c8f41f24bc84..623870b1f6f5 100644
--- a/crypto/x509v3/pcy_cache.c
+++ b/crypto/x509v3/pcy_cache.c
@@ -1,65 +1,16 @@
-/* pcy_cache.c */
/*
- * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
- * 2004.
- */
-/* ====================================================================
- * Copyright (c) 2004 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
+ * Copyright 2004-2018 The OpenSSL Project Authors. All Rights Reserved.
*
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
*/
-#include "cryptlib.h"
+#include "internal/cryptlib.h"
#include <openssl/x509.h>
#include <openssl/x509v3.h>
+#include "internal/x509_int.h"
#include "pcy_int.h"
@@ -75,21 +26,25 @@ static int policy_cache_set_int(long *out, ASN1_INTEGER *value);
static int policy_cache_create(X509 *x,
CERTIFICATEPOLICIES *policies, int crit)
{
- int i;
- int ret = 0;
+ int i, num, ret = 0;
X509_POLICY_CACHE *cache = x->policy_cache;
X509_POLICY_DATA *data = NULL;
POLICYINFO *policy;
- if (sk_POLICYINFO_num(policies) == 0)
+
+ if ((num = sk_POLICYINFO_num(policies)) <= 0)
goto bad_policy;
cache->data = sk_X509_POLICY_DATA_new(policy_data_cmp);
- if (!cache->data)
- goto bad_policy;
- for (i = 0; i < sk_POLICYINFO_num(policies); i++) {
+ if (cache->data == NULL) {
+ X509V3err(X509V3_F_POLICY_CACHE_CREATE, ERR_R_MALLOC_FAILURE);
+ goto just_cleanup;
+ }
+ for (i = 0; i < num; i++) {
policy = sk_POLICYINFO_value(policies, i);
data = policy_data_new(policy, NULL, crit);
- if (!data)
- goto bad_policy;
+ if (data == NULL) {
+ X509V3err(X509V3_F_POLICY_CACHE_CREATE, ERR_R_MALLOC_FAILURE);
+ goto just_cleanup;
+ }
/*
* Duplicate policy OIDs are illegal: reject if matches found.
*/
@@ -99,19 +54,22 @@ static int policy_cache_create(X509 *x,
goto bad_policy;
}
cache->anyPolicy = data;
- } else if (sk_X509_POLICY_DATA_find(cache->data, data) != -1) {
+ } else if (sk_X509_POLICY_DATA_find(cache->data, data) >=0 ) {
ret = -1;
goto bad_policy;
- } else if (!sk_X509_POLICY_DATA_push(cache->data, data))
+ } else if (!sk_X509_POLICY_DATA_push(cache->data, data)) {
+ X509V3err(X509V3_F_POLICY_CACHE_CREATE, ERR_R_MALLOC_FAILURE);
goto bad_policy;
+ }
data = NULL;
}
ret = 1;
+
bad_policy:
if (ret == -1)
x->ex_flags |= EXFLAG_INVALID_POLICY;
- if (data)
- policy_data_free(data);
+ policy_data_free(data);
+ just_cleanup:
sk_POLICYINFO_pop_free(policies, POLICYINFO_free);
if (ret <= 0) {
sk_X509_POLICY_DATA_pop_free(cache->data, policy_data_free);
@@ -128,9 +86,14 @@ static int policy_cache_new(X509 *x)
CERTIFICATEPOLICIES *ext_cpols = NULL;
POLICY_MAPPINGS *ext_pmaps = NULL;
int i;
- cache = OPENSSL_malloc(sizeof(X509_POLICY_CACHE));
- if (!cache)
+
+ if (x->policy_cache != NULL)
+ return 1;
+ cache = OPENSSL_malloc(sizeof(*cache));
+ if (cache == NULL) {
+ X509V3err(X509V3_F_POLICY_CACHE_NEW, ERR_R_MALLOC_FAILURE);
return 0;
+ }
cache->anyPolicy = NULL;
cache->data = NULL;
cache->any_skip = -1;
@@ -200,18 +163,14 @@ static int policy_cache_new(X509 *x)
goto bad_cache;
} else if (!policy_cache_set_int(&cache->any_skip, ext_any))
goto bad_cache;
+ goto just_cleanup;
- if (0) {
bad_cache:
- x->ex_flags |= EXFLAG_INVALID_POLICY;
- }
-
- if (ext_pcons)
- POLICY_CONSTRAINTS_free(ext_pcons);
-
- if (ext_any)
- ASN1_INTEGER_free(ext_any);
+ x->ex_flags |= EXFLAG_INVALID_POLICY;
+ just_cleanup:
+ POLICY_CONSTRAINTS_free(ext_pcons);
+ ASN1_INTEGER_free(ext_any);
return 1;
}
@@ -220,10 +179,8 @@ void policy_cache_free(X509_POLICY_CACHE *cache)
{
if (!cache)
return;
- if (cache->anyPolicy)
- policy_data_free(cache->anyPolicy);
- if (cache->data)
- sk_X509_POLICY_DATA_pop_free(cache->data, policy_data_free);
+ policy_data_free(cache->anyPolicy);
+ sk_X509_POLICY_DATA_pop_free(cache->data, policy_data_free);
OPENSSL_free(cache);
}
@@ -231,9 +188,9 @@ const X509_POLICY_CACHE *policy_cache_set(X509 *x)
{
if (x->policy_cache == NULL) {
- CRYPTO_w_lock(CRYPTO_LOCK_X509);
+ CRYPTO_THREAD_write_lock(x->lock);
policy_cache_new(x);
- CRYPTO_w_unlock(CRYPTO_LOCK_X509);
+ CRYPTO_THREAD_unlock(x->lock);
}
return x->policy_cache;
@@ -247,8 +204,6 @@ X509_POLICY_DATA *policy_cache_find_data(const X509_POLICY_CACHE *cache,
X509_POLICY_DATA tmp;
tmp.valid_policy = (ASN1_OBJECT *)id;
idx = sk_X509_POLICY_DATA_find(cache->data, &tmp);
- if (idx == -1)
- return NULL;
return sk_X509_POLICY_DATA_value(cache->data, idx);
}
diff --git a/crypto/x509v3/pcy_data.c b/crypto/x509v3/pcy_data.c
index 90e9970e46c0..bd3bb0e40dfe 100644
--- a/crypto/x509v3/pcy_data.c
+++ b/crypto/x509v3/pcy_data.c
@@ -1,63 +1,13 @@
-/* pcy_data.c */
/*
- * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
- * 2004.
- */
-/* ====================================================================
- * Copyright (c) 2004 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
+ * Copyright 2004-2018 The OpenSSL Project Authors. All Rights Reserved.
*
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
*/
-#include "cryptlib.h"
+#include "internal/cryptlib.h"
#include <openssl/x509.h>
#include <openssl/x509v3.h>
@@ -67,6 +17,8 @@
void policy_data_free(X509_POLICY_DATA *data)
{
+ if (data == NULL)
+ return;
ASN1_OBJECT_free(data->valid_policy);
/* Don't free qualifiers if shared */
if (!(data->flags & POLICY_DATA_FLAG_SHARED_QUALIFIERS))
@@ -76,9 +28,9 @@ void policy_data_free(X509_POLICY_DATA *data)
}
/*
- * Create a data based on an existing policy. If 'id' is NULL use the oid in
+ * Create a data based on an existing policy. If 'id' is NULL use the OID in
* the policy, otherwise use 'id'. This behaviour covers the two types of
- * data in RFC3280: data with from a CertificatePolcies extension and
+ * data in RFC3280: data with from a CertificatePolicies extension and
* additional data with just the qualifiers of anyPolicy and ID from another
* source.
*/
@@ -88,29 +40,30 @@ X509_POLICY_DATA *policy_data_new(POLICYINFO *policy,
{
X509_POLICY_DATA *ret;
ASN1_OBJECT *id;
- if (!policy && !cid)
+
+ if (policy == NULL && cid == NULL)
return NULL;
if (cid) {
id = OBJ_dup(cid);
- if (!id)
+ if (id == NULL)
return NULL;
} else
id = NULL;
- ret = OPENSSL_malloc(sizeof(X509_POLICY_DATA));
- if (!ret)
+ ret = OPENSSL_zalloc(sizeof(*ret));
+ if (ret == NULL) {
+ X509V3err(X509V3_F_POLICY_DATA_NEW, ERR_R_MALLOC_FAILURE);
return NULL;
+ }
ret->expected_policy_set = sk_ASN1_OBJECT_new_null();
- if (!ret->expected_policy_set) {
+ if (ret->expected_policy_set == NULL) {
OPENSSL_free(ret);
- if (id)
- ASN1_OBJECT_free(id);
+ ASN1_OBJECT_free(id);
+ X509V3err(X509V3_F_POLICY_DATA_NEW, ERR_R_MALLOC_FAILURE);
return NULL;
}
if (crit)
ret->flags = POLICY_DATA_FLAG_CRITICAL;
- else
- ret->flags = 0;
if (id)
ret->valid_policy = id;
@@ -122,8 +75,7 @@ X509_POLICY_DATA *policy_data_new(POLICYINFO *policy,
if (policy) {
ret->qualifier_set = policy->qualifiers;
policy->qualifiers = NULL;
- } else
- ret->qualifier_set = NULL;
+ }
return ret;
}
diff --git a/crypto/x509v3/pcy_int.h b/crypto/x509v3/pcy_int.h
index b5075f9edbdd..5daf78de4585 100644
--- a/crypto/x509v3/pcy_int.h
+++ b/crypto/x509v3/pcy_int.h
@@ -1,65 +1,15 @@
-/* pcy_int.h */
/*
- * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
- * 2004.
- */
-/* ====================================================================
- * Copyright (c) 2004 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
+ * Copyright 2004-2016 The OpenSSL Project Authors. All Rights Reserved.
*
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
*/
typedef struct X509_POLICY_DATA_st X509_POLICY_DATA;
-DECLARE_STACK_OF(X509_POLICY_DATA)
+DEFINE_STACK_OF(X509_POLICY_DATA)
/* Internal structures */
@@ -169,7 +119,7 @@ struct X509_POLICY_TREE_st {
* required.
*/
STACK_OF(X509_POLICY_DATA) *extra_data;
- /* This is the authority constained policy set */
+ /* This is the authority constrained policy set */
STACK_OF(X509_POLICY_NODE) *auth_policies;
STACK_OF(X509_POLICY_NODE) *user_policies;
unsigned int flags;
@@ -207,7 +157,7 @@ X509_POLICY_NODE *tree_find_sk(STACK_OF(X509_POLICY_NODE) *sk,
const ASN1_OBJECT *id);
X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
- const X509_POLICY_DATA *data,
+ X509_POLICY_DATA *data,
X509_POLICY_NODE *parent,
X509_POLICY_TREE *tree);
void policy_node_free(X509_POLICY_NODE *node);
diff --git a/crypto/x509v3/pcy_lib.c b/crypto/x509v3/pcy_lib.c
index dbb29835fa97..67f7eafc6e8d 100644
--- a/crypto/x509v3/pcy_lib.c
+++ b/crypto/x509v3/pcy_lib.c
@@ -1,63 +1,13 @@
-/* pcy_lib.c */
/*
- * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
- * 2004.
- */
-/* ====================================================================
- * Copyright (c) 2004 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
+ * Copyright 2004-2016 The OpenSSL Project Authors. All Rights Reserved.
*
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
*/
-#include "cryptlib.h"
+#include "internal/cryptlib.h"
#include <openssl/x509.h>
#include <openssl/x509v3.h>
@@ -140,15 +90,6 @@ const ASN1_OBJECT *X509_policy_node_get0_policy(const X509_POLICY_NODE *node)
return node->data->valid_policy;
}
-#if 0
-int X509_policy_node_get_critical(const X509_POLICY_NODE *node)
-{
- if (node_critical(node))
- return 1;
- return 0;
-}
-#endif
-
STACK_OF(POLICYQUALINFO) *X509_policy_node_get0_qualifiers(const
X509_POLICY_NODE
*node)
diff --git a/crypto/x509v3/pcy_map.c b/crypto/x509v3/pcy_map.c
index b99eb91cf7f5..ab9dd21b7d93 100644
--- a/crypto/x509v3/pcy_map.c
+++ b/crypto/x509v3/pcy_map.c
@@ -1,65 +1,16 @@
-/* pcy_map.c */
/*
- * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
- * 2004.
- */
-/* ====================================================================
- * Copyright (c) 2004 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
+ * Copyright 2004-2016 The OpenSSL Project Authors. All Rights Reserved.
*
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
*/
-#include "cryptlib.h"
+#include "internal/cryptlib.h"
#include <openssl/x509.h>
#include <openssl/x509v3.h>
+#include "internal/x509_int.h"
#include "pcy_int.h"
@@ -91,15 +42,15 @@ int policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps)
/* Attempt to find matching policy data */
data = policy_cache_find_data(cache, map->issuerDomainPolicy);
/* If we don't have anyPolicy can't map */
- if (!data && !cache->anyPolicy)
+ if (data == NULL && !cache->anyPolicy)
continue;
/* Create a NODE from anyPolicy */
- if (!data) {
+ if (data == NULL) {
data = policy_data_new(NULL, map->issuerDomainPolicy,
cache->anyPolicy->flags
& POLICY_DATA_FLAG_CRITICAL);
- if (!data)
+ if (data == NULL)
goto bad_mapping;
data->qualifier_set = cache->anyPolicy->qualifier_set;
/*
diff --git a/crypto/x509v3/pcy_node.c b/crypto/x509v3/pcy_node.c
index d6c917650aa4..1ffe98498bdb 100644
--- a/crypto/x509v3/pcy_node.c
+++ b/crypto/x509v3/pcy_node.c
@@ -1,65 +1,16 @@
-/* pcy_node.c */
/*
- * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
- * 2004.
- */
-/* ====================================================================
- * Copyright (c) 2004 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
+ * Copyright 2004-2018 The OpenSSL Project Authors. All Rights Reserved.
*
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
*/
#include <openssl/asn1.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
+#include <openssl/err.h>
#include "pcy_int.h"
@@ -85,9 +36,6 @@ X509_POLICY_NODE *tree_find_sk(STACK_OF(X509_POLICY_NODE) *nodes,
l.data = &n;
idx = sk_X509_POLICY_NODE_find(nodes, &l);
- if (idx == -1)
- return NULL;
-
return sk_X509_POLICY_NODE_value(nodes, idx);
}
@@ -109,17 +57,19 @@ X509_POLICY_NODE *level_find_node(const X509_POLICY_LEVEL *level,
}
X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
- const X509_POLICY_DATA *data,
+ X509_POLICY_DATA *data,
X509_POLICY_NODE *parent,
X509_POLICY_TREE *tree)
{
X509_POLICY_NODE *node;
- node = OPENSSL_malloc(sizeof(X509_POLICY_NODE));
- if (!node)
+
+ node = OPENSSL_zalloc(sizeof(*node));
+ if (node == NULL) {
+ X509V3err(X509V3_F_LEVEL_ADD_NODE, ERR_R_MALLOC_FAILURE);
return NULL;
+ }
node->data = data;
node->parent = parent;
- node->nchild = 0;
if (level) {
if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) {
if (level->anyPolicy)
@@ -127,22 +77,30 @@ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
level->anyPolicy = node;
} else {
- if (!level->nodes)
+ if (level->nodes == NULL)
level->nodes = policy_node_cmp_new();
- if (!level->nodes)
+ if (level->nodes == NULL) {
+ X509V3err(X509V3_F_LEVEL_ADD_NODE, ERR_R_MALLOC_FAILURE);
goto node_error;
- if (!sk_X509_POLICY_NODE_push(level->nodes, node))
+ }
+ if (!sk_X509_POLICY_NODE_push(level->nodes, node)) {
+ X509V3err(X509V3_F_LEVEL_ADD_NODE, ERR_R_MALLOC_FAILURE);
goto node_error;
+ }
}
}
if (tree) {
- if (!tree->extra_data)
+ if (tree->extra_data == NULL)
tree->extra_data = sk_X509_POLICY_DATA_new_null();
- if (!tree->extra_data)
+ if (tree->extra_data == NULL){
+ X509V3err(X509V3_F_LEVEL_ADD_NODE, ERR_R_MALLOC_FAILURE);
goto node_error;
- if (!sk_X509_POLICY_DATA_push(tree->extra_data, data))
+ }
+ if (!sk_X509_POLICY_DATA_push(tree->extra_data, data)) {
+ X509V3err(X509V3_F_LEVEL_ADD_NODE, ERR_R_MALLOC_FAILURE);
goto node_error;
+ }
}
if (parent)
@@ -152,8 +110,7 @@ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
node_error:
policy_node_free(node);
- return 0;
-
+ return NULL;
}
void policy_node_free(X509_POLICY_NODE *node)
diff --git a/crypto/x509v3/pcy_tree.c b/crypto/x509v3/pcy_tree.c
index 03c9533bcca9..87f51d001bbb 100644
--- a/crypto/x509v3/pcy_tree.c
+++ b/crypto/x509v3/pcy_tree.c
@@ -1,63 +1,13 @@
-/* pcy_tree.c */
/*
- * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
- * 2004.
- */
-/* ====================================================================
- * Copyright (c) 2004 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
+ * Copyright 2004-2018 The OpenSSL Project Authors. All Rights Reserved.
*
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
*/
-#include "cryptlib.h"
+#include "internal/cryptlib.h"
#include <openssl/x509.h>
#include <openssl/x509v3.h>
@@ -98,22 +48,26 @@ static void expected_print(BIO *err, X509_POLICY_LEVEL *lev,
static void tree_print(char *str, X509_POLICY_TREE *tree,
X509_POLICY_LEVEL *curr)
{
+ BIO *err = BIO_new_fp(stderr, BIO_NOCLOSE);
X509_POLICY_LEVEL *plev;
- X509_POLICY_NODE *node;
- int i;
- BIO *err;
- err = BIO_new_fp(stderr, BIO_NOCLOSE);
+
+ if (err == NULL)
+ return;
if (!curr)
curr = tree->levels + tree->nlevel;
else
curr++;
+
BIO_printf(err, "Level print after %s\n", str);
BIO_printf(err, "Printing Up to Level %ld\n", curr - tree->levels);
for (plev = tree->levels; plev != curr; plev++) {
+ int i;
+
BIO_printf(err, "Level %ld, flags = %x\n",
- plev - tree->levels, plev->flags);
+ (long)(plev - tree->levels), plev->flags);
for (i = 0; i < sk_X509_POLICY_NODE_num(plev->nodes); i++) {
- node = sk_X509_POLICY_NODE_value(plev->nodes, i);
+ X509_POLICY_NODE *node = sk_X509_POLICY_NODE_value(plev->nodes, i);
+
X509_POLICY_NODE_print(err, node, 2);
expected_print(err, plev, node, 2);
BIO_printf(err, " Flags: %x\n", node->data->flags);
@@ -121,26 +75,17 @@ static void tree_print(char *str, X509_POLICY_TREE *tree,
if (plev->anyPolicy)
X509_POLICY_NODE_print(err, plev->anyPolicy, 2);
}
-
BIO_free(err);
-
}
-#else
-
-# define tree_print(a,b,c) /* */
-
#endif
/*-
- * Initialize policy tree. Return values:
- * 0 Some internal error occurred.
- * -1 Inconsistent or invalid extensions in certificates.
- * 1 Tree initialized OK.
- * 2 Policy tree is empty.
- * 5 Tree OK and requireExplicitPolicy true.
- * 6 Tree empty and requireExplicitPolicy true.
+ * Return value: <= 0 on error, or positive bit mask:
+ *
+ * X509_PCY_TREE_VALID: valid tree
+ * X509_PCY_TREE_EMPTY: empty tree (including bare TA case)
+ * X509_PCY_TREE_EXPLICIT: explicit policy required
*/
-
static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
unsigned int flags)
{
@@ -148,114 +93,115 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
X509_POLICY_LEVEL *level;
const X509_POLICY_CACHE *cache;
X509_POLICY_DATA *data = NULL;
- X509 *x;
- int ret = 1;
- int i, n;
- int explicit_policy;
- int any_skip;
- int map_skip;
+ int ret = X509_PCY_TREE_VALID;
+ int n = sk_X509_num(certs) - 1; /* RFC5280 paths omit the TA */
+ int explicit_policy = (flags & X509_V_FLAG_EXPLICIT_POLICY) ? 0 : n+1;
+ int any_skip = (flags & X509_V_FLAG_INHIBIT_ANY) ? 0 : n+1;
+ int map_skip = (flags & X509_V_FLAG_INHIBIT_MAP) ? 0 : n+1;
+ int i;
+
*ptree = NULL;
- n = sk_X509_num(certs);
-#if 0
- /* Disable policy mapping for now... */
- flags |= X509_V_FLAG_INHIBIT_MAP;
-#endif
+ /* Can't do anything with just a trust anchor */
+ if (n == 0)
+ return X509_PCY_TREE_EMPTY;
- if (flags & X509_V_FLAG_EXPLICIT_POLICY)
- explicit_policy = 0;
- else
- explicit_policy = n + 1;
+ /*
+ * First setup the policy cache in all n non-TA certificates, this will be
+ * used in X509_verify_cert() which will invoke the verify callback for all
+ * certificates with invalid policy extensions.
+ */
+ for (i = n - 1; i >= 0; i--) {
+ X509 *x = sk_X509_value(certs, i);
- if (flags & X509_V_FLAG_INHIBIT_ANY)
- any_skip = 0;
- else
- any_skip = n + 1;
+ /* Call for side-effect of computing hash and caching extensions */
+ X509_check_purpose(x, -1, 0);
- if (flags & X509_V_FLAG_INHIBIT_MAP)
- map_skip = 0;
- else
- map_skip = n + 1;
+ /* If cache is NULL, likely ENOMEM: return immediately */
+ if (policy_cache_set(x) == NULL)
+ return X509_PCY_TREE_INTERNAL;
+ }
- /* Can't do anything with just a trust anchor */
- if (n == 1)
- return 1;
/*
- * First setup policy cache in all certificates apart from the trust
- * anchor. Note any bad cache results on the way. Also can calculate
- * explicit_policy value at this point.
+ * At this point check for invalid policies and required explicit policy.
+ * Note that the explicit_policy counter is a count-down to zero, with the
+ * requirement kicking in if and once it does that. The counter is
+ * decremented for every non-self-issued certificate in the path, but may
+ * be further reduced by policy constraints in a non-leaf certificate.
+ *
+ * The ultimate policy set is the intersection of all the policies along
+ * the path, if we hit a certificate with an empty policy set, and explicit
+ * policy is required we're done.
*/
- for (i = n - 2; i >= 0; i--) {
- x = sk_X509_value(certs, i);
- X509_check_purpose(x, -1, -1);
+ for (i = n - 1;
+ i >= 0 && (explicit_policy > 0 || (ret & X509_PCY_TREE_EMPTY) == 0);
+ i--) {
+ X509 *x = sk_X509_value(certs, i);
+ uint32_t ex_flags = X509_get_extension_flags(x);
+
+ /* All the policies are already cached, we can return early */
+ if (ex_flags & EXFLAG_INVALID_POLICY)
+ return X509_PCY_TREE_INVALID;
+
+ /* Access the cache which we now know exists */
cache = policy_cache_set(x);
- /* If cache NULL something bad happened: return immediately */
- if (cache == NULL)
- return 0;
- /*
- * If inconsistent extensions keep a note of it but continue
- */
- if (x->ex_flags & EXFLAG_INVALID_POLICY)
- ret = -1;
- /*
- * Otherwise if we have no data (hence no CertificatePolicies) and
- * haven't already set an inconsistent code note it.
- */
- else if ((ret == 1) && !cache->data)
- ret = 2;
+
+ if ((ret & X509_PCY_TREE_VALID) && cache->data == NULL)
+ ret = X509_PCY_TREE_EMPTY;
if (explicit_policy > 0) {
- if (!(x->ex_flags & EXFLAG_SI))
+ if (!(ex_flags & EXFLAG_SI))
explicit_policy--;
- if ((cache->explicit_skip != -1)
+ if ((cache->explicit_skip >= 0)
&& (cache->explicit_skip < explicit_policy))
explicit_policy = cache->explicit_skip;
}
}
- if (ret != 1) {
- if (ret == 2 && !explicit_policy)
- return 6;
+ if (explicit_policy == 0)
+ ret |= X509_PCY_TREE_EXPLICIT;
+ if ((ret & X509_PCY_TREE_VALID) == 0)
return ret;
- }
/* If we get this far initialize the tree */
+ if ((tree = OPENSSL_zalloc(sizeof(*tree))) == NULL) {
+ X509V3err(X509V3_F_TREE_INIT, ERR_R_MALLOC_FAILURE);
+ return X509_PCY_TREE_INTERNAL;
+ }
- tree = OPENSSL_malloc(sizeof(X509_POLICY_TREE));
-
- if (!tree)
- return 0;
-
- tree->flags = 0;
- tree->levels = OPENSSL_malloc(sizeof(X509_POLICY_LEVEL) * n);
- tree->nlevel = 0;
- tree->extra_data = NULL;
- tree->auth_policies = NULL;
- tree->user_policies = NULL;
-
- if (!tree->levels) {
+ /*
+ * http://tools.ietf.org/html/rfc5280#section-6.1.2, figure 3.
+ *
+ * The top level is implicitly for the trust anchor with valid expected
+ * policies of anyPolicy. (RFC 5280 has the TA at depth 0 and the leaf at
+ * depth n, we have the leaf at depth 0 and the TA at depth n).
+ */
+ if ((tree->levels = OPENSSL_zalloc(sizeof(*tree->levels)*(n+1))) == NULL) {
OPENSSL_free(tree);
- return 0;
+ X509V3err(X509V3_F_TREE_INIT, ERR_R_MALLOC_FAILURE);
+ return X509_PCY_TREE_INTERNAL;
}
-
- memset(tree->levels, 0, n * sizeof(X509_POLICY_LEVEL));
-
- tree->nlevel = n;
-
+ tree->nlevel = n+1;
level = tree->levels;
-
- /* Root data: initialize to anyPolicy */
-
- data = policy_data_new(NULL, OBJ_nid2obj(NID_any_policy), 0);
-
- if (!data || !level_add_node(level, data, NULL, tree))
+ if ((data = policy_data_new(NULL, OBJ_nid2obj(NID_any_policy), 0)) == NULL)
goto bad_tree;
+ if (level_add_node(level, data, NULL, tree) == NULL) {
+ policy_data_free(data);
+ goto bad_tree;
+ }
- for (i = n - 2; i >= 0; i--) {
- level++;
- x = sk_X509_value(certs, i);
+ /*
+ * In this pass initialize all the tree levels and whether anyPolicy and
+ * policy mapping are inhibited at each level.
+ */
+ for (i = n - 1; i >= 0; i--) {
+ X509 *x = sk_X509_value(certs, i);
+ uint32_t ex_flags = X509_get_extension_flags(x);
+
+ /* Access the cache which we now know exists */
cache = policy_cache_set(x);
- CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
- level->cert = x;
+
+ X509_up_ref(x);
+ (++level)->cert = x;
if (!cache->anyPolicy)
level->flags |= X509_V_FLAG_INHIBIT_ANY;
@@ -263,63 +209,57 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
/* Determine inhibit any and inhibit map flags */
if (any_skip == 0) {
/*
- * Any matching allowed if certificate is self issued and not the
- * last in the chain.
+ * Any matching allowed only if certificate is self issued and not
+ * the last in the chain.
*/
- if (!(x->ex_flags & EXFLAG_SI) || (i == 0))
+ if (!(ex_flags & EXFLAG_SI) || (i == 0))
level->flags |= X509_V_FLAG_INHIBIT_ANY;
} else {
- if (!(x->ex_flags & EXFLAG_SI))
+ if (!(ex_flags & EXFLAG_SI))
any_skip--;
- if ((cache->any_skip >= 0)
- && (cache->any_skip < any_skip))
+ if ((cache->any_skip >= 0) && (cache->any_skip < any_skip))
any_skip = cache->any_skip;
}
if (map_skip == 0)
level->flags |= X509_V_FLAG_INHIBIT_MAP;
else {
- if (!(x->ex_flags & EXFLAG_SI))
+ if (!(ex_flags & EXFLAG_SI))
map_skip--;
- if ((cache->map_skip >= 0)
- && (cache->map_skip < map_skip))
+ if ((cache->map_skip >= 0) && (cache->map_skip < map_skip))
map_skip = cache->map_skip;
}
-
}
*ptree = tree;
-
- if (explicit_policy)
- return 1;
- else
- return 5;
+ return ret;
bad_tree:
-
X509_policy_tree_free(tree);
-
- return 0;
-
+ return X509_PCY_TREE_INTERNAL;
}
+/*
+ * Return value: 1 on success, 0 otherwise
+ */
static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
- const X509_POLICY_DATA *data)
+ X509_POLICY_DATA *data)
{
X509_POLICY_LEVEL *last = curr - 1;
- X509_POLICY_NODE *node;
int i, matched = 0;
+
/* Iterate through all in nodes linking matches */
for (i = 0; i < sk_X509_POLICY_NODE_num(last->nodes); i++) {
- node = sk_X509_POLICY_NODE_value(last->nodes, i);
+ X509_POLICY_NODE *node = sk_X509_POLICY_NODE_value(last->nodes, i);
+
if (policy_node_match(last, node, data->valid_policy)) {
- if (!level_add_node(curr, data, node, NULL))
+ if (level_add_node(curr, data, node, NULL) == NULL)
return 0;
matched = 1;
}
}
if (!matched && last->anyPolicy) {
- if (!level_add_node(curr, data, last->anyPolicy, NULL))
+ if (level_add_node(curr, data, last->anyPolicy, NULL) == NULL)
return 0;
}
return 1;
@@ -328,29 +268,17 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
/*
* This corresponds to RFC3280 6.1.3(d)(1): link any data from
* CertificatePolicies onto matching parent or anyPolicy if no match.
+ *
+ * Return value: 1 on success, 0 otherwise.
*/
-
static int tree_link_nodes(X509_POLICY_LEVEL *curr,
const X509_POLICY_CACHE *cache)
{
int i;
- X509_POLICY_DATA *data;
for (i = 0; i < sk_X509_POLICY_DATA_num(cache->data); i++) {
- data = sk_X509_POLICY_DATA_value(cache->data, i);
- /*
- * If a node is mapped any it doesn't have a corresponding
- * CertificatePolicies entry. However such an identical node would
- * be created if anyPolicy matching is enabled because there would be
- * no match with the parent valid_policy_set. So we create link
- * because then it will have the mapping flags right and we can prune
- * it later.
- */
-#if 0
- if ((data->flags & POLICY_DATA_FLAG_MAPPED_ANY)
- && !(curr->flags & X509_V_FLAG_INHIBIT_ANY))
- continue;
-#endif
+ X509_POLICY_DATA *data = sk_X509_POLICY_DATA_value(cache->data, i);
+
/* Look for matching nodes in previous level */
if (!tree_link_matching_nodes(curr, data))
return 0;
@@ -361,35 +289,38 @@ static int tree_link_nodes(X509_POLICY_LEVEL *curr,
/*
* This corresponds to RFC3280 6.1.3(d)(2): Create new data for any unmatched
* policies in the parent and link to anyPolicy.
+ *
+ * Return value: 1 on success, 0 otherwise.
*/
-
static int tree_add_unmatched(X509_POLICY_LEVEL *curr,
const X509_POLICY_CACHE *cache,
const ASN1_OBJECT *id,
X509_POLICY_NODE *node, X509_POLICY_TREE *tree)
{
X509_POLICY_DATA *data;
+
if (id == NULL)
id = node->data->valid_policy;
/*
* Create a new node with qualifiers from anyPolicy and id from unmatched
* node.
*/
- data = policy_data_new(NULL, id, node_critical(node));
-
- if (data == NULL)
+ if ((data = policy_data_new(NULL, id, node_critical(node))) == NULL)
return 0;
+
/* Curr may not have anyPolicy */
data->qualifier_set = cache->anyPolicy->qualifier_set;
data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
- if (!level_add_node(curr, data, node, tree)) {
+ if (level_add_node(curr, data, node, tree) == NULL) {
policy_data_free(data);
return 0;
}
-
return 1;
}
+/*
+ * Return value: 1 on success, 0 otherwise.
+ */
static int tree_link_unmatched(X509_POLICY_LEVEL *curr,
const X509_POLICY_CACHE *cache,
X509_POLICY_NODE *node, X509_POLICY_TREE *tree)
@@ -420,19 +351,17 @@ static int tree_link_unmatched(X509_POLICY_LEVEL *curr,
}
}
-
return 1;
-
}
+/*
+ * Return value: 1 on success, 0 otherwise
+ */
static int tree_link_any(X509_POLICY_LEVEL *curr,
const X509_POLICY_CACHE *cache,
X509_POLICY_TREE *tree)
{
int i;
- /*
- * X509_POLICY_DATA *data;
- */
X509_POLICY_NODE *node;
X509_POLICY_LEVEL *last = curr - 1;
@@ -441,50 +370,24 @@ static int tree_link_any(X509_POLICY_LEVEL *curr,
if (!tree_link_unmatched(curr, cache, node, tree))
return 0;
-
-#if 0
-
- /*
- * Skip any node with any children: we only want unmathced nodes.
- * Note: need something better for policy mapping because each node
- * may have multiple children
- */
- if (node->nchild)
- continue;
-
- /*
- * Create a new node with qualifiers from anyPolicy and id from
- * unmatched node.
- */
- data = policy_data_new(NULL, node->data->valid_policy,
- node_critical(node));
-
- if (data == NULL)
- return 0;
- /* Curr may not have anyPolicy */
- data->qualifier_set = cache->anyPolicy->qualifier_set;
- data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
- if (!level_add_node(curr, data, node, tree)) {
- policy_data_free(data);
- return 0;
- }
-#endif
-
}
/* Finally add link to anyPolicy */
- if (last->anyPolicy) {
- if (!level_add_node(curr, cache->anyPolicy, last->anyPolicy, NULL))
- return 0;
- }
+ if (last->anyPolicy &&
+ level_add_node(curr, cache->anyPolicy, last->anyPolicy, NULL) == NULL)
+ return 0;
return 1;
}
-/*
- * Prune the tree: delete any child mapped child data on the current level
- * then proceed up the tree deleting any data with no children. If we ever
- * have no data on a level we can halt because the tree will be empty.
+/*-
+ * Prune the tree: delete any child mapped child data on the current level then
+ * proceed up the tree deleting any data with no children. If we ever have no
+ * data on a level we can halt because the tree will be empty.
+ *
+ * Return value: <= 0 error, otherwise one of:
+ *
+ * X509_PCY_TREE_VALID: valid tree
+ * X509_PCY_TREE_EMPTY: empty tree
*/
-
static int tree_prune(X509_POLICY_TREE *tree, X509_POLICY_LEVEL *curr)
{
STACK_OF(X509_POLICY_NODE) *nodes;
@@ -523,41 +426,43 @@ static int tree_prune(X509_POLICY_TREE *tree, X509_POLICY_LEVEL *curr)
if (curr == tree->levels) {
/* If we zapped anyPolicy at top then tree is empty */
if (!curr->anyPolicy)
- return 2;
- return 1;
+ return X509_PCY_TREE_EMPTY;
+ break;
}
}
-
- return 1;
-
+ return X509_PCY_TREE_VALID;
}
+/*
+ * Return value: 1 on success, 0 otherwise.
+ */
static int tree_add_auth_node(STACK_OF(X509_POLICY_NODE) **pnodes,
X509_POLICY_NODE *pcy)
{
- if (!*pnodes) {
- *pnodes = policy_node_cmp_new();
- if (!*pnodes)
- return 0;
- } else if (sk_X509_POLICY_NODE_find(*pnodes, pcy) != -1)
- return 1;
-
- if (!sk_X509_POLICY_NODE_push(*pnodes, pcy))
+ if (*pnodes == NULL &&
+ (*pnodes = policy_node_cmp_new()) == NULL)
return 0;
-
- return 1;
-
+ if (sk_X509_POLICY_NODE_find(*pnodes, pcy) >= 0)
+ return 1;
+ return sk_X509_POLICY_NODE_push(*pnodes, pcy) != 0;
}
-/*
- * Calculate the authority set based on policy tree. The 'pnodes' parameter
- * is used as a store for the set of policy nodes used to calculate the user
- * set. If the authority set is not anyPolicy then pnodes will just point to
- * the authority set. If however the authority set is anyPolicy then the set
- * of valid policies (other than anyPolicy) is store in pnodes. The return
- * value of '2' is used in this case to indicate that pnodes should be freed.
- */
+#define TREE_CALC_FAILURE 0
+#define TREE_CALC_OK_NOFREE 1
+#define TREE_CALC_OK_DOFREE 2
+/*-
+ * Calculate the authority set based on policy tree. The 'pnodes' parameter is
+ * used as a store for the set of policy nodes used to calculate the user set.
+ * If the authority set is not anyPolicy then pnodes will just point to the
+ * authority set. If however the authority set is anyPolicy then the set of
+ * valid policies (other than anyPolicy) is store in pnodes.
+ *
+ * Return value:
+ * TREE_CALC_FAILURE on failure,
+ * TREE_CALC_OK_NOFREE on success and pnodes need not be freed,
+ * TREE_CALC_OK_DOFREE on success and pnodes needs to be freed
+ */
static int tree_calculate_authority_set(X509_POLICY_TREE *tree,
STACK_OF(X509_POLICY_NODE) **pnodes)
{
@@ -570,7 +475,7 @@ static int tree_calculate_authority_set(X509_POLICY_TREE *tree,
/* If last level contains anyPolicy set is anyPolicy */
if (curr->anyPolicy) {
if (!tree_add_auth_node(&tree->auth_policies, curr->anyPolicy))
- return 0;
+ return TREE_CALC_FAILURE;
addnodes = pnodes;
} else
/* Add policies to authority set */
@@ -582,25 +487,31 @@ static int tree_calculate_authority_set(X509_POLICY_TREE *tree,
* If no anyPolicy node on this this level it can't appear on lower
* levels so end search.
*/
- if (!(anyptr = curr->anyPolicy))
+ if ((anyptr = curr->anyPolicy) == NULL)
break;
curr++;
for (j = 0; j < sk_X509_POLICY_NODE_num(curr->nodes); j++) {
node = sk_X509_POLICY_NODE_value(curr->nodes, j);
if ((node->parent == anyptr)
- && !tree_add_auth_node(addnodes, node))
- return 0;
+ && !tree_add_auth_node(addnodes, node)) {
+ if (addnodes == pnodes) {
+ sk_X509_POLICY_NODE_free(*pnodes);
+ *pnodes = NULL;
+ }
+ return TREE_CALC_FAILURE;
+ }
}
}
-
if (addnodes == pnodes)
- return 2;
+ return TREE_CALC_OK_DOFREE;
*pnodes = tree->auth_policies;
-
- return 1;
+ return TREE_CALC_OK_NOFREE;
}
+/*
+ * Return value: 1 on success, 0 otherwise.
+ */
static int tree_calculate_user_set(X509_POLICY_TREE *tree,
STACK_OF(ASN1_OBJECT) *policy_oids,
STACK_OF(X509_POLICY_NODE) *auth_nodes)
@@ -608,7 +519,6 @@ static int tree_calculate_user_set(X509_POLICY_TREE *tree,
int i;
X509_POLICY_NODE *node;
ASN1_OBJECT *oid;
-
X509_POLICY_NODE *anyPolicy;
X509_POLICY_DATA *extra;
@@ -616,7 +526,6 @@ static int tree_calculate_user_set(X509_POLICY_TREE *tree,
* Check if anyPolicy present in authority constrained policy set: this
* will happen if it is a leaf node.
*/
-
if (sk_ASN1_OBJECT_num(policy_oids) <= 0)
return 1;
@@ -641,7 +550,7 @@ static int tree_calculate_user_set(X509_POLICY_TREE *tree,
* from anyPolicy.
*/
extra = policy_data_new(NULL, oid, node_critical(anyPolicy));
- if (!extra)
+ if (extra == NULL)
return 0;
extra->qualifier_set = anyPolicy->data->qualifier_set;
extra->flags = POLICY_DATA_FLAG_SHARED_QUALIFIERS
@@ -657,9 +566,14 @@ static int tree_calculate_user_set(X509_POLICY_TREE *tree,
return 0;
}
return 1;
-
}
+/*-
+ * Return value: <= 0 error, otherwise one of:
+ * X509_PCY_TREE_VALID: valid tree
+ * X509_PCY_TREE_EMPTY: empty tree
+ * (see tree_prune()).
+ */
static int tree_evaluate(X509_POLICY_TREE *tree)
{
int ret, i;
@@ -669,19 +583,19 @@ static int tree_evaluate(X509_POLICY_TREE *tree)
for (i = 1; i < tree->nlevel; i++, curr++) {
cache = policy_cache_set(curr->cert);
if (!tree_link_nodes(curr, cache))
- return 0;
+ return X509_PCY_TREE_INTERNAL;
if (!(curr->flags & X509_V_FLAG_INHIBIT_ANY)
&& !tree_link_any(curr, cache, tree))
- return 0;
+ return X509_PCY_TREE_INTERNAL;
+#ifdef OPENSSL_POLICY_DEBUG
tree_print("before tree_prune()", tree, curr);
+#endif
ret = tree_prune(tree, curr);
- if (ret != 1)
+ if (ret != X509_PCY_TREE_VALID)
return ret;
}
-
- return 1;
-
+ return X509_PCY_TREE_VALID;
}
static void exnode_free(X509_POLICY_NODE *node)
@@ -702,17 +616,12 @@ void X509_policy_tree_free(X509_POLICY_TREE *tree)
sk_X509_POLICY_NODE_pop_free(tree->user_policies, exnode_free);
for (i = 0, curr = tree->levels; i < tree->nlevel; i++, curr++) {
- if (curr->cert)
- X509_free(curr->cert);
- if (curr->nodes)
- sk_X509_POLICY_NODE_pop_free(curr->nodes, policy_node_free);
- if (curr->anyPolicy)
- policy_node_free(curr->anyPolicy);
+ X509_free(curr->cert);
+ sk_X509_POLICY_NODE_pop_free(curr->nodes, policy_node_free);
+ policy_node_free(curr->anyPolicy);
}
- if (tree->extra_data)
- sk_X509_POLICY_DATA_pop_free(tree->extra_data, policy_data_free);
-
+ sk_X509_POLICY_DATA_pop_free(tree->extra_data, policy_data_free);
OPENSSL_free(tree->levels);
OPENSSL_free(tree);
@@ -721,115 +630,74 @@ void X509_policy_tree_free(X509_POLICY_TREE *tree)
/*-
* Application policy checking function.
* Return codes:
- * 0 Internal Error.
- * 1 Successful.
- * -1 One or more certificates contain invalid or inconsistent extensions
- * -2 User constrained policy set empty and requireExplicit true.
+ * X509_PCY_TREE_FAILURE: Failure to satisfy explicit policy
+ * X509_PCY_TREE_INVALID: Inconsistent or invalid extensions
+ * X509_PCY_TREE_INTERNAL: Internal error, most likely malloc
+ * X509_PCY_TREE_VALID: Success (null tree if empty or bare TA)
*/
-
int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy,
STACK_OF(X509) *certs,
STACK_OF(ASN1_OBJECT) *policy_oids, unsigned int flags)
{
+ int init_ret;
int ret;
int calc_ret;
X509_POLICY_TREE *tree = NULL;
STACK_OF(X509_POLICY_NODE) *nodes, *auth_nodes = NULL;
- *ptree = NULL;
+ *ptree = NULL;
*pexplicit_policy = 0;
- ret = tree_init(&tree, certs, flags);
-
- switch (ret) {
-
- /* Tree empty requireExplicit False: OK */
- case 2:
- return 1;
+ init_ret = tree_init(&tree, certs, flags);
- /* Some internal error */
- case -1:
- return -1;
+ if (init_ret <= 0)
+ return init_ret;
- /* Some internal error */
- case 0:
- return 0;
-
- /* Tree empty requireExplicit True: Error */
-
- case 6:
- *pexplicit_policy = 1;
- return -2;
-
- /* Tree OK requireExplicit True: OK and continue */
- case 5:
+ if ((init_ret & X509_PCY_TREE_EXPLICIT) == 0) {
+ if (init_ret & X509_PCY_TREE_EMPTY) {
+ X509_policy_tree_free(tree);
+ return X509_PCY_TREE_VALID;
+ }
+ } else {
*pexplicit_policy = 1;
- break;
-
- /* Tree OK: continue */
-
- case 1:
- if (!tree)
- /*
- * tree_init() returns success and a null tree
- * if it's just looking at a trust anchor.
- * I'm not sure that returning success here is
- * correct, but I'm sure that reporting this
- * as an internal error which our caller
- * interprets as a malloc failure is wrong.
- */
- return 1;
- break;
+ /* Tree empty and requireExplicit True: Error */
+ if (init_ret & X509_PCY_TREE_EMPTY)
+ return X509_PCY_TREE_FAILURE;
}
- if (!tree)
- goto error;
ret = tree_evaluate(tree);
-
+#ifdef OPENSSL_POLICY_DEBUG
tree_print("tree_evaluate()", tree, NULL);
-
+#endif
if (ret <= 0)
goto error;
- /* Return value 2 means tree empty */
- if (ret == 2) {
+ if (ret == X509_PCY_TREE_EMPTY) {
X509_policy_tree_free(tree);
- if (*pexplicit_policy)
- return -2;
- else
- return 1;
+ if (init_ret & X509_PCY_TREE_EXPLICIT)
+ return X509_PCY_TREE_FAILURE;
+ return X509_PCY_TREE_VALID;
}
/* Tree is not empty: continue */
- calc_ret = tree_calculate_authority_set(tree, &auth_nodes);
-
- if (!calc_ret)
+ if ((calc_ret = tree_calculate_authority_set(tree, &auth_nodes)) == 0)
goto error;
-
ret = tree_calculate_user_set(tree, policy_oids, auth_nodes);
-
- if (calc_ret == 2)
+ if (calc_ret == TREE_CALC_OK_DOFREE)
sk_X509_POLICY_NODE_free(auth_nodes);
-
if (!ret)
goto error;
+ *ptree = tree;
- if (tree)
- *ptree = tree;
-
- if (*pexplicit_policy) {
+ if (init_ret & X509_PCY_TREE_EXPLICIT) {
nodes = X509_policy_tree_get0_user_policies(tree);
if (sk_X509_POLICY_NODE_num(nodes) <= 0)
- return -2;
+ return X509_PCY_TREE_FAILURE;
}
-
- return 1;
+ return X509_PCY_TREE_VALID;
error:
-
X509_policy_tree_free(tree);
-
- return 0;
-
+ return X509_PCY_TREE_INTERNAL;
}
diff --git a/crypto/x509v3/standard_exts.h b/crypto/x509v3/standard_exts.h
new file mode 100644
index 000000000000..944f4de02eb5
--- /dev/null
+++ b/crypto/x509v3/standard_exts.h
@@ -0,0 +1,78 @@
+/*
+ * Copyright 1999-2017 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/*
+ * This table will be searched using OBJ_bsearch so it *must* kept in order
+ * of the ext_nid values.
+ */
+
+static const X509V3_EXT_METHOD *standard_exts[] = {
+ &v3_nscert,
+ &v3_ns_ia5_list[0],
+ &v3_ns_ia5_list[1],
+ &v3_ns_ia5_list[2],
+ &v3_ns_ia5_list[3],
+ &v3_ns_ia5_list[4],
+ &v3_ns_ia5_list[5],
+ &v3_ns_ia5_list[6],
+ &v3_skey_id,
+ &v3_key_usage,
+ &v3_pkey_usage_period,
+ &v3_alt[0],
+ &v3_alt[1],
+ &v3_bcons,
+ &v3_crl_num,
+ &v3_cpols,
+ &v3_akey_id,
+ &v3_crld,
+ &v3_ext_ku,
+ &v3_delta_crl,
+ &v3_crl_reason,
+#ifndef OPENSSL_NO_OCSP
+ &v3_crl_invdate,
+#endif
+ &v3_sxnet,
+ &v3_info,
+#ifndef OPENSSL_NO_RFC3779
+ &v3_addr,
+ &v3_asid,
+#endif
+#ifndef OPENSSL_NO_OCSP
+ &v3_ocsp_nonce,
+ &v3_ocsp_crlid,
+ &v3_ocsp_accresp,
+ &v3_ocsp_nocheck,
+ &v3_ocsp_acutoff,
+ &v3_ocsp_serviceloc,
+#endif
+ &v3_sinfo,
+ &v3_policy_constraints,
+#ifndef OPENSSL_NO_OCSP
+ &v3_crl_hold,
+#endif
+ &v3_pci,
+ &v3_name_constraints,
+ &v3_policy_mappings,
+ &v3_inhibit_anyp,
+ &v3_idp,
+ &v3_alt[2],
+ &v3_freshest_crl,
+#ifndef OPENSSL_NO_CT
+ &v3_ct_scts[0],
+ &v3_ct_scts[1],
+ &v3_ct_scts[2],
+#endif
+ &v3_tls_feature,
+ &v3_ext_admission
+};
+
+/* Number of standard extensions */
+
+#define STANDARD_EXTENSION_COUNT OSSL_NELEM(standard_exts)
+
diff --git a/crypto/x509v3/tabtest.c b/crypto/x509v3/tabtest.c
deleted file mode 100644
index 145dc9de5692..000000000000
--- a/crypto/x509v3/tabtest.c
+++ /dev/null
@@ -1,92 +0,0 @@
-/* tabtest.c */
-/*
- * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
- * 1999.
- */
-/* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-/*
- * Simple program to check the ext_dat.h is correct and print out problems if
- * it is not.
- */
-
-#include <stdio.h>
-
-#include <openssl/x509v3.h>
-
-#include "ext_dat.h"
-
-main()
-{
- int i, prev = -1, bad = 0;
- X509V3_EXT_METHOD **tmp;
- i = sizeof(standard_exts) / sizeof(X509V3_EXT_METHOD *);
- if (i != STANDARD_EXTENSION_COUNT)
- fprintf(stderr, "Extension number invalid expecting %d\n", i);
- tmp = standard_exts;
- for (i = 0; i < STANDARD_EXTENSION_COUNT; i++, tmp++) {
- if ((*tmp)->ext_nid < prev)
- bad = 1;
- prev = (*tmp)->ext_nid;
-
- }
- if (bad) {
- tmp = standard_exts;
- fprintf(stderr, "Extensions out of order!\n");
- for (i = 0; i < STANDARD_EXTENSION_COUNT; i++, tmp++)
- printf("%d : %s\n", (*tmp)->ext_nid, OBJ_nid2sn((*tmp)->ext_nid));
- } else
- fprintf(stderr, "Order OK\n");
-}
diff --git a/crypto/x509v3/v3_addr.c b/crypto/x509v3/v3_addr.c
index af080a04f2ba..bb58e0484611 100644
--- a/crypto/x509v3/v3_addr.c
+++ b/crypto/x509v3/v3_addr.c
@@ -1,58 +1,10 @@
/*
- * Contributed to the OpenSSL Project by the American Registry for
- * Internet Numbers ("ARIN").
- */
-/* ====================================================================
- * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
+ * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.
*
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
*/
/*
@@ -62,12 +14,14 @@
#include <stdio.h>
#include <stdlib.h>
-#include "cryptlib.h"
+#include "internal/cryptlib.h"
#include <openssl/conf.h>
#include <openssl/asn1.h>
#include <openssl/asn1t.h>
#include <openssl/buffer.h>
#include <openssl/x509v3.h>
+#include "internal/x509_int.h"
+#include "ext_dat.h"
#ifndef OPENSSL_NO_RFC3779
@@ -98,7 +52,7 @@ ASN1_SEQUENCE(IPAddressFamily) = {
ASN1_ITEM_TEMPLATE(IPAddrBlocks) =
ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0,
IPAddrBlocks, IPAddressFamily)
-ASN1_ITEM_TEMPLATE_END(IPAddrBlocks)
+static_ASN1_ITEM_TEMPLATE_END(IPAddrBlocks)
IMPLEMENT_ASN1_FUNCTIONS(IPAddressRange)
IMPLEMENT_ASN1_FUNCTIONS(IPAddressOrRange)
@@ -108,7 +62,7 @@ IMPLEMENT_ASN1_FUNCTIONS(IPAddressFamily)
/*
* How much buffer space do we need for a raw address?
*/
-# define ADDR_RAW_BUF_LEN 16
+#define ADDR_RAW_BUF_LEN 16
/*
* What's the address length associated with this AFI?
@@ -128,7 +82,7 @@ static int length_from_afi(const unsigned afi)
/*
* Extract the AFI from an IPAddressFamily.
*/
-unsigned int v3_addr_get_afi(const IPAddressFamily *f)
+unsigned int X509v3_addr_get_afi(const IPAddressFamily *f)
{
if (f == NULL
|| f->addressFamily == NULL
@@ -165,7 +119,7 @@ static int addr_expand(unsigned char *addr,
/*
* Extract the prefix length from a bitstring.
*/
-# define addr_prefixlen(bs) ((int) ((bs)->length * 8 - ((bs)->flags & 7)))
+#define addr_prefixlen(bs) ((int) ((bs)->length * 8 - ((bs)->flags & 7)))
/*
* i2r handler for one address bitstring.
@@ -248,7 +202,7 @@ static int i2r_IPAddrBlocks(const X509V3_EXT_METHOD *method,
int i;
for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
- const unsigned int afi = v3_addr_get_afi(f);
+ const unsigned int afi = X509v3_addr_get_afi(f);
switch (afi) {
case IANA_AFI_IPV4:
BIO_printf(out, "%*sIPv4", indent, "");
@@ -360,7 +314,7 @@ static int IPAddressOrRange_cmp(const IPAddressOrRange *a,
/*
* IPv4-specific closure over IPAddressOrRange_cmp, since sk_sort()
- * comparision routines are only allowed two arguments.
+ * comparison routines are only allowed two arguments.
*/
static int v4IPAddressOrRange_cmp(const IPAddressOrRange *const *a,
const IPAddressOrRange *const *b)
@@ -370,7 +324,7 @@ static int v4IPAddressOrRange_cmp(const IPAddressOrRange *const *a,
/*
* IPv6-specific closure over IPAddressOrRange_cmp, since sk_sort()
- * comparision routines are only allowed two arguments.
+ * comparison routines are only allowed two arguments.
*/
static int v6IPAddressOrRange_cmp(const IPAddressOrRange *const *a,
const IPAddressOrRange *const *b)
@@ -388,7 +342,8 @@ static int range_should_be_prefix(const unsigned char *min,
unsigned char mask;
int i, j;
- OPENSSL_assert(memcmp(min, max, length) <= 0);
+ if (memcmp(min, max, length) <= 0)
+ return -1;
for (i = 0; i < length && min[i] == max[i]; i++) ;
for (j = length - 1; j >= 0 && min[j] == 0x00 && max[j] == 0xFF; j--) ;
if (i < j)
@@ -477,7 +432,6 @@ static int make_addressRange(IPAddressOrRange **result,
if ((aor = IPAddressOrRange_new()) == NULL)
return 0;
aor->type = IPAddressOrRange_addressRange;
- OPENSSL_assert(aor->u.addressRange == NULL);
if ((aor->u.addressRange = IPAddressRange_new()) == NULL)
goto err;
if (aor->u.addressRange->min == NULL &&
@@ -530,7 +484,7 @@ static IPAddressFamily *make_IPAddressFamily(IPAddrBlocks *addr,
{
IPAddressFamily *f;
unsigned char key[3];
- unsigned keylen;
+ int keylen;
int i;
key[0] = (afi >> 8) & 0xFF;
@@ -544,7 +498,6 @@ static IPAddressFamily *make_IPAddressFamily(IPAddrBlocks *addr,
for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
f = sk_IPAddressFamily_value(addr, i);
- OPENSSL_assert(f->addressFamily->data != NULL);
if (f->addressFamily->length == keylen &&
!memcmp(f->addressFamily->data, key, keylen))
return f;
@@ -573,8 +526,8 @@ static IPAddressFamily *make_IPAddressFamily(IPAddrBlocks *addr,
/*
* Add an inheritance element.
*/
-int v3_addr_add_inherit(IPAddrBlocks *addr,
- const unsigned afi, const unsigned *safi)
+int X509v3_addr_add_inherit(IPAddrBlocks *addr,
+ const unsigned afi, const unsigned *safi)
{
IPAddressFamily *f = make_IPAddressFamily(addr, afi, safi);
if (f == NULL ||
@@ -629,10 +582,10 @@ static IPAddressOrRanges *make_prefix_or_range(IPAddrBlocks *addr,
/*
* Add a prefix.
*/
-int v3_addr_add_prefix(IPAddrBlocks *addr,
- const unsigned afi,
- const unsigned *safi,
- unsigned char *a, const int prefixlen)
+int X509v3_addr_add_prefix(IPAddrBlocks *addr,
+ const unsigned afi,
+ const unsigned *safi,
+ unsigned char *a, const int prefixlen)
{
IPAddressOrRanges *aors = make_prefix_or_range(addr, afi, safi);
IPAddressOrRange *aor;
@@ -647,10 +600,10 @@ int v3_addr_add_prefix(IPAddrBlocks *addr,
/*
* Add a range.
*/
-int v3_addr_add_range(IPAddrBlocks *addr,
- const unsigned afi,
- const unsigned *safi,
- unsigned char *min, unsigned char *max)
+int X509v3_addr_add_range(IPAddrBlocks *addr,
+ const unsigned afi,
+ const unsigned *safi,
+ unsigned char *min, unsigned char *max)
{
IPAddressOrRanges *aors = make_prefix_or_range(addr, afi, safi);
IPAddressOrRange *aor;
@@ -687,10 +640,10 @@ static int extract_min_max(IPAddressOrRange *aor,
/*
* Public wrapper for extract_min_max().
*/
-int v3_addr_get_range(IPAddressOrRange *aor,
- const unsigned afi,
- unsigned char *min,
- unsigned char *max, const int length)
+int X509v3_addr_get_range(IPAddressOrRange *aor,
+ const unsigned afi,
+ unsigned char *min,
+ unsigned char *max, const int length)
{
int afi_length = length_from_afi(afi);
if (aor == NULL || min == NULL || max == NULL ||
@@ -704,7 +657,7 @@ int v3_addr_get_range(IPAddressOrRange *aor,
}
/*
- * Sort comparision function for a sequence of IPAddressFamily.
+ * Sort comparison function for a sequence of IPAddressFamily.
*
* The last paragraph of RFC 3779 2.2.3.3 is slightly ambiguous about
* the ordering: I can read it as meaning that IPv6 without a SAFI
@@ -726,7 +679,7 @@ static int IPAddressFamily_cmp(const IPAddressFamily *const *a_,
/*
* Check whether an IPAddrBLocks is in canonical form.
*/
-int v3_addr_is_canonical(IPAddrBlocks *addr)
+int X509v3_addr_is_canonical(IPAddrBlocks *addr)
{
unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN];
unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN];
@@ -734,7 +687,7 @@ int v3_addr_is_canonical(IPAddrBlocks *addr)
int i, j, k;
/*
- * Empty extension is cannonical.
+ * Empty extension is canonical.
*/
if (addr == NULL)
return 1;
@@ -754,7 +707,7 @@ int v3_addr_is_canonical(IPAddrBlocks *addr)
*/
for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
- int length = length_from_afi(v3_addr_get_afi(f));
+ int length = length_from_afi(X509v3_addr_get_afi(f));
/*
* Inheritance is canonical. Anything other than inheritance or
@@ -897,7 +850,8 @@ static int IPAddressOrRanges_canonize(IPAddressOrRanges *aors,
IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);
if (a != NULL && a->type == IPAddressOrRange_addressRange) {
unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN];
- extract_min_max(a, a_min, a_max, length);
+ if (!extract_min_max(a, a_min, a_max, length))
+ return 0;
if (memcmp(a_min, a_max, length) > 0)
return 0;
}
@@ -909,7 +863,7 @@ static int IPAddressOrRanges_canonize(IPAddressOrRanges *aors,
/*
* Whack an IPAddrBlocks extension into canonical form.
*/
-int v3_addr_canonize(IPAddrBlocks *addr)
+int X509v3_addr_canonize(IPAddrBlocks *addr)
{
int i;
for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
@@ -917,12 +871,13 @@ int v3_addr_canonize(IPAddrBlocks *addr)
if (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges &&
!IPAddressOrRanges_canonize(f->ipAddressChoice->
u.addressesOrRanges,
- v3_addr_get_afi(f)))
+ X509v3_addr_get_afi(f)))
return 0;
}
(void)sk_IPAddressFamily_set_cmp_func(addr, IPAddressFamily_cmp);
sk_IPAddressFamily_sort(addr);
- OPENSSL_assert(v3_addr_is_canonical(addr));
+ if (!ossl_assert(X509v3_addr_is_canonical(addr)))
+ return 0;
return 1;
}
@@ -948,7 +903,7 @@ static void *v2i_IPAddrBlocks(const struct v3_ext_method *method,
CONF_VALUE *val = sk_CONF_VALUE_value(values, i);
unsigned char min[ADDR_RAW_BUF_LEN], max[ADDR_RAW_BUF_LEN];
unsigned afi, *safi = NULL, safi_;
- const char *addr_chars;
+ const char *addr_chars = NULL;
int prefixlen, i1, i2, delim, length;
if (!name_cmp(val->name, "IPv4")) {
@@ -980,7 +935,7 @@ static void *v2i_IPAddrBlocks(const struct v3_ext_method *method,
length = length_from_afi(afi);
/*
- * Handle SAFI, if any, and BUF_strdup() so we can null-terminate
+ * Handle SAFI, if any, and OPENSSL_strdup() so we can null-terminate
* the other input values.
*/
if (safi != NULL) {
@@ -992,9 +947,9 @@ static void *v2i_IPAddrBlocks(const struct v3_ext_method *method,
goto err;
}
t += strspn(t, " \t");
- s = BUF_strdup(t);
+ s = OPENSSL_strdup(t);
} else {
- s = BUF_strdup(val->value);
+ s = OPENSSL_strdup(val->value);
}
if (s == NULL) {
X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE);
@@ -1005,8 +960,8 @@ static void *v2i_IPAddrBlocks(const struct v3_ext_method *method,
* Check for inheritance. Not worth additional complexity to
* optimize this (seldom-used) case.
*/
- if (!strcmp(s, "inherit")) {
- if (!v3_addr_add_inherit(addr, afi, safi)) {
+ if (strcmp(s, "inherit") == 0) {
+ if (!X509v3_addr_add_inherit(addr, afi, safi)) {
X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
X509V3_R_INVALID_INHERITANCE);
X509V3_conf_err(val);
@@ -1037,7 +992,7 @@ static void *v2i_IPAddrBlocks(const struct v3_ext_method *method,
X509V3_conf_err(val);
goto err;
}
- if (!v3_addr_add_prefix(addr, afi, safi, min, prefixlen)) {
+ if (!X509v3_addr_add_prefix(addr, afi, safi, min, prefixlen)) {
X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE);
goto err;
}
@@ -1063,13 +1018,13 @@ static void *v2i_IPAddrBlocks(const struct v3_ext_method *method,
X509V3_conf_err(val);
goto err;
}
- if (!v3_addr_add_range(addr, afi, safi, min, max)) {
+ if (!X509v3_addr_add_range(addr, afi, safi, min, max)) {
X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE);
goto err;
}
break;
case '\0':
- if (!v3_addr_add_prefix(addr, afi, safi, min, length * 8)) {
+ if (!X509v3_addr_add_prefix(addr, afi, safi, min, length * 8)) {
X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE);
goto err;
}
@@ -1088,7 +1043,7 @@ static void *v2i_IPAddrBlocks(const struct v3_ext_method *method,
/*
* Canonize the result, then we're done.
*/
- if (!v3_addr_canonize(addr))
+ if (!X509v3_addr_canonize(addr))
goto err;
return addr;
@@ -1118,7 +1073,7 @@ const X509V3_EXT_METHOD v3_addr = {
/*
* Figure out whether extension sues inheritance.
*/
-int v3_addr_inherits(IPAddrBlocks *addr)
+int X509v3_addr_inherits(IPAddrBlocks *addr)
{
int i;
if (addr == NULL)
@@ -1171,12 +1126,12 @@ static int addr_contains(IPAddressOrRanges *parent,
/*
* Test whether a is a subset of b.
*/
-int v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b)
+int X509v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b)
{
int i;
if (a == NULL || a == b)
return 1;
- if (b == NULL || v3_addr_inherits(a) || v3_addr_inherits(b))
+ if (b == NULL || X509v3_addr_inherits(a) || X509v3_addr_inherits(b))
return 0;
(void)sk_IPAddressFamily_set_cmp_func(b, IPAddressFamily_cmp);
for (i = 0; i < sk_IPAddressFamily_num(a); i++) {
@@ -1188,7 +1143,7 @@ int v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b)
return 0;
if (!addr_contains(fb->ipAddressChoice->u.addressesOrRanges,
fa->ipAddressChoice->u.addressesOrRanges,
- length_from_afi(v3_addr_get_afi(fb))))
+ length_from_afi(X509v3_addr_get_afi(fb))))
return 0;
}
return 1;
@@ -1197,7 +1152,7 @@ int v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b)
/*
* Validation error handling via callback.
*/
-# define validation_err(_err_) \
+#define validation_err(_err_) \
do { \
if (ctx != NULL) { \
ctx->error = _err_; \
@@ -1219,17 +1174,21 @@ int v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b)
* When returning 0, ctx->error MUST be set to an appropriate value other than
* X509_V_OK.
*/
-static int v3_addr_validate_path_internal(X509_STORE_CTX *ctx,
- STACK_OF(X509) *chain,
- IPAddrBlocks *ext)
+static int addr_validate_path_internal(X509_STORE_CTX *ctx,
+ STACK_OF(X509) *chain,
+ IPAddrBlocks *ext)
{
IPAddrBlocks *child = NULL;
int i, j, ret = 1;
X509 *x;
- OPENSSL_assert(chain != NULL && sk_X509_num(chain) > 0);
- OPENSSL_assert(ctx != NULL || ext != NULL);
- OPENSSL_assert(ctx == NULL || ctx->verify_cb != NULL);
+ if (!ossl_assert(chain != NULL && sk_X509_num(chain) > 0)
+ || !ossl_assert(ctx != NULL || ext != NULL)
+ || !ossl_assert(ctx == NULL || ctx->verify_cb != NULL)) {
+ if (ctx != NULL)
+ ctx->error = X509_V_ERR_UNSPECIFIED;
+ return 0;
+ }
/*
* Figure out where to start. If we don't have an extension to
@@ -1242,17 +1201,17 @@ static int v3_addr_validate_path_internal(X509_STORE_CTX *ctx,
} else {
i = 0;
x = sk_X509_value(chain, i);
- OPENSSL_assert(x != NULL);
if ((ext = x->rfc3779_addr) == NULL)
goto done;
}
- if (!v3_addr_is_canonical(ext))
+ if (!X509v3_addr_is_canonical(ext))
validation_err(X509_V_ERR_INVALID_EXTENSION);
(void)sk_IPAddressFamily_set_cmp_func(ext, IPAddressFamily_cmp);
if ((child = sk_IPAddressFamily_dup(ext)) == NULL) {
- X509V3err(X509V3_F_V3_ADDR_VALIDATE_PATH_INTERNAL,
+ X509V3err(X509V3_F_ADDR_VALIDATE_PATH_INTERNAL,
ERR_R_MALLOC_FAILURE);
- ctx->error = X509_V_ERR_OUT_OF_MEM;
+ if (ctx != NULL)
+ ctx->error = X509_V_ERR_OUT_OF_MEM;
ret = 0;
goto done;
}
@@ -1263,8 +1222,7 @@ static int v3_addr_validate_path_internal(X509_STORE_CTX *ctx,
*/
for (i++; i < sk_X509_num(chain); i++) {
x = sk_X509_value(chain, i);
- OPENSSL_assert(x != NULL);
- if (!v3_addr_is_canonical(x->rfc3779_addr))
+ if (!X509v3_addr_is_canonical(x->rfc3779_addr))
validation_err(X509_V_ERR_INVALID_EXTENSION);
if (x->rfc3779_addr == NULL) {
for (j = 0; j < sk_IPAddressFamily_num(child); j++) {
@@ -1296,7 +1254,7 @@ static int v3_addr_validate_path_internal(X509_STORE_CTX *ctx,
if (fc->ipAddressChoice->type == IPAddressChoice_inherit
|| addr_contains(fp->ipAddressChoice->u.addressesOrRanges,
fc->ipAddressChoice->u.addressesOrRanges,
- length_from_afi(v3_addr_get_afi(fc))))
+ length_from_afi(X509v3_addr_get_afi(fc))))
sk_IPAddressFamily_set(child, j, fp);
else
validation_err(X509_V_ERR_UNNESTED_RESOURCE);
@@ -1307,7 +1265,6 @@ static int v3_addr_validate_path_internal(X509_STORE_CTX *ctx,
/*
* Trust anchor can't inherit.
*/
- OPENSSL_assert(x != NULL);
if (x->rfc3779_addr != NULL) {
for (j = 0; j < sk_IPAddressFamily_num(x->rfc3779_addr); j++) {
IPAddressFamily *fp =
@@ -1323,30 +1280,36 @@ static int v3_addr_validate_path_internal(X509_STORE_CTX *ctx,
return ret;
}
-# undef validation_err
+#undef validation_err
/*
* RFC 3779 2.3 path validation -- called from X509_verify_cert().
*/
-int v3_addr_validate_path(X509_STORE_CTX *ctx)
+int X509v3_addr_validate_path(X509_STORE_CTX *ctx)
{
- return v3_addr_validate_path_internal(ctx, ctx->chain, NULL);
+ if (ctx->chain == NULL
+ || sk_X509_num(ctx->chain) == 0
+ || ctx->verify_cb == NULL) {
+ ctx->error = X509_V_ERR_UNSPECIFIED;
+ return 0;
+ }
+ return addr_validate_path_internal(ctx, ctx->chain, NULL);
}
/*
* RFC 3779 2.3 path validation of an extension.
* Test whether chain covers extension.
*/
-int v3_addr_validate_resource_set(STACK_OF(X509) *chain,
+int X509v3_addr_validate_resource_set(STACK_OF(X509) *chain,
IPAddrBlocks *ext, int allow_inheritance)
{
if (ext == NULL)
return 1;
if (chain == NULL || sk_X509_num(chain) == 0)
return 0;
- if (!allow_inheritance && v3_addr_inherits(ext))
+ if (!allow_inheritance && X509v3_addr_inherits(ext))
return 0;
- return v3_addr_validate_path_internal(NULL, chain, ext);
+ return addr_validate_path_internal(NULL, chain, ext);
}
#endif /* OPENSSL_NO_RFC3779 */
diff --git a/crypto/x509v3/v3_admis.c b/crypto/x509v3/v3_admis.c
new file mode 100644
index 000000000000..c8e75191bb3b
--- /dev/null
+++ b/crypto/x509v3/v3_admis.c
@@ -0,0 +1,356 @@
+/*
+ * Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+#include <stdio.h>
+#include "internal/cryptlib.h"
+#include <openssl/conf.h>
+#include <openssl/ossl_typ.h>
+#include <openssl/asn1.h>
+#include <openssl/asn1t.h>
+
+#include <openssl/x509v3.h>
+
+#include <openssl/safestack.h>
+
+#include "v3_admis.h"
+#include "ext_dat.h"
+
+
+ASN1_SEQUENCE(NAMING_AUTHORITY) = {
+ ASN1_OPT(NAMING_AUTHORITY, namingAuthorityId, ASN1_OBJECT),
+ ASN1_OPT(NAMING_AUTHORITY, namingAuthorityUrl, ASN1_IA5STRING),
+ ASN1_OPT(NAMING_AUTHORITY, namingAuthorityText, DIRECTORYSTRING),
+} ASN1_SEQUENCE_END(NAMING_AUTHORITY)
+
+ASN1_SEQUENCE(PROFESSION_INFO) = {
+ ASN1_EXP_OPT(PROFESSION_INFO, namingAuthority, NAMING_AUTHORITY, 0),
+ ASN1_SEQUENCE_OF(PROFESSION_INFO, professionItems, DIRECTORYSTRING),
+ ASN1_SEQUENCE_OF_OPT(PROFESSION_INFO, professionOIDs, ASN1_OBJECT),
+ ASN1_OPT(PROFESSION_INFO, registrationNumber, ASN1_PRINTABLESTRING),
+ ASN1_OPT(PROFESSION_INFO, addProfessionInfo, ASN1_OCTET_STRING),
+} ASN1_SEQUENCE_END(PROFESSION_INFO)
+
+ASN1_SEQUENCE(ADMISSIONS) = {
+ ASN1_EXP_OPT(ADMISSIONS, admissionAuthority, GENERAL_NAME, 0),
+ ASN1_EXP_OPT(ADMISSIONS, namingAuthority, NAMING_AUTHORITY, 1),
+ ASN1_SEQUENCE_OF(ADMISSIONS, professionInfos, PROFESSION_INFO),
+} ASN1_SEQUENCE_END(ADMISSIONS)
+
+ASN1_SEQUENCE(ADMISSION_SYNTAX) = {
+ ASN1_OPT(ADMISSION_SYNTAX, admissionAuthority, GENERAL_NAME),
+ ASN1_SEQUENCE_OF(ADMISSION_SYNTAX, contentsOfAdmissions, ADMISSIONS),
+} ASN1_SEQUENCE_END(ADMISSION_SYNTAX)
+
+IMPLEMENT_ASN1_FUNCTIONS(NAMING_AUTHORITY)
+IMPLEMENT_ASN1_FUNCTIONS(PROFESSION_INFO)
+IMPLEMENT_ASN1_FUNCTIONS(ADMISSIONS)
+IMPLEMENT_ASN1_FUNCTIONS(ADMISSION_SYNTAX)
+
+static int i2r_ADMISSION_SYNTAX(const struct v3_ext_method *method, void *in,
+ BIO *bp, int ind);
+
+const X509V3_EXT_METHOD v3_ext_admission = {
+ NID_x509ExtAdmission, /* .ext_nid = */
+ 0, /* .ext_flags = */
+ ASN1_ITEM_ref(ADMISSION_SYNTAX), /* .it = */
+ NULL, NULL, NULL, NULL,
+ NULL, /* .i2s = */
+ NULL, /* .s2i = */
+ NULL, /* .i2v = */
+ NULL, /* .v2i = */
+ &i2r_ADMISSION_SYNTAX, /* .i2r = */
+ NULL, /* .r2i = */
+ NULL /* extension-specific data */
+};
+
+
+static int i2r_NAMING_AUTHORITY(const struct v3_ext_method *method, void *in,
+ BIO *bp, int ind)
+{
+ NAMING_AUTHORITY * namingAuthority = (NAMING_AUTHORITY*) in;
+
+ if (namingAuthority == NULL)
+ return 0;
+
+ if (namingAuthority->namingAuthorityId == NULL
+ && namingAuthority->namingAuthorityText == NULL
+ && namingAuthority->namingAuthorityUrl == NULL)
+ return 0;
+
+ if (BIO_printf(bp, "%*snamingAuthority: ", ind, "") <= 0)
+ goto err;
+
+ if (namingAuthority->namingAuthorityId != NULL) {
+ char objbuf[128];
+ const char *ln = OBJ_nid2ln(OBJ_obj2nid(namingAuthority->namingAuthorityId));
+
+ if (BIO_printf(bp, "%*s admissionAuthorityId: ", ind, "") <= 0)
+ goto err;
+
+ OBJ_obj2txt(objbuf, sizeof(objbuf), namingAuthority->namingAuthorityId, 1);
+
+ if (BIO_printf(bp, "%s%s%s%s\n", ln ? ln : "",
+ ln ? " (" : "", objbuf, ln ? ")" : "") <= 0)
+ goto err;
+ }
+ if (namingAuthority->namingAuthorityText != NULL) {
+ if (BIO_printf(bp, "%*s namingAuthorityText: ", ind, "") <= 0
+ || ASN1_STRING_print(bp, namingAuthority->namingAuthorityText) <= 0
+ || BIO_printf(bp, "\n") <= 0)
+ goto err;
+ }
+ if (namingAuthority->namingAuthorityUrl != NULL ) {
+ if (BIO_printf(bp, "%*s namingAuthorityUrl: ", ind, "") <= 0
+ || ASN1_STRING_print(bp, namingAuthority->namingAuthorityUrl) <= 0
+ || BIO_printf(bp, "\n") <= 0)
+ goto err;
+ }
+ return 1;
+
+err:
+ return 0;
+}
+
+static int i2r_ADMISSION_SYNTAX(const struct v3_ext_method *method, void *in,
+ BIO *bp, int ind)
+{
+ ADMISSION_SYNTAX * admission = (ADMISSION_SYNTAX *)in;
+ int i, j, k;
+
+ if (admission->admissionAuthority != NULL) {
+ if (BIO_printf(bp, "%*sadmissionAuthority:\n", ind, "") <= 0
+ || BIO_printf(bp, "%*s ", ind, "") <= 0
+ || GENERAL_NAME_print(bp, admission->admissionAuthority) <= 0
+ || BIO_printf(bp, "\n") <= 0)
+ goto err;
+ }
+
+ for (i = 0; i < sk_ADMISSIONS_num(admission->contentsOfAdmissions); i++) {
+ ADMISSIONS* entry = sk_ADMISSIONS_value(admission->contentsOfAdmissions, i);
+
+ if (BIO_printf(bp, "%*sEntry %0d:\n", ind, "", 1 + i) <= 0) goto err;
+
+ if (entry->admissionAuthority != NULL) {
+ if (BIO_printf(bp, "%*s admissionAuthority:\n", ind, "") <= 0
+ || BIO_printf(bp, "%*s ", ind, "") <= 0
+ || GENERAL_NAME_print(bp, entry->admissionAuthority) <= 0
+ || BIO_printf(bp, "\n") <= 0)
+ goto err;
+ }
+
+ if (entry->namingAuthority != NULL) {
+ if (i2r_NAMING_AUTHORITY(method, entry->namingAuthority, bp, ind) <= 0)
+ goto err;
+ }
+
+ for (j = 0; j < sk_PROFESSION_INFO_num(entry->professionInfos); j++) {
+ PROFESSION_INFO* pinfo = sk_PROFESSION_INFO_value(entry->professionInfos, j);
+
+ if (BIO_printf(bp, "%*s Profession Info Entry %0d:\n", ind, "", 1 + j) <= 0)
+ goto err;
+
+ if (pinfo->registrationNumber != NULL) {
+ if (BIO_printf(bp, "%*s registrationNumber: ", ind, "") <= 0
+ || ASN1_STRING_print(bp, pinfo->registrationNumber) <= 0
+ || BIO_printf(bp, "\n") <= 0)
+ goto err;
+ }
+
+ if (pinfo->namingAuthority != NULL) {
+ if (i2r_NAMING_AUTHORITY(method, pinfo->namingAuthority, bp, ind + 2) <= 0)
+ goto err;
+ }
+
+ if (pinfo->professionItems != NULL) {
+
+ if (BIO_printf(bp, "%*s Info Entries:\n", ind, "") <= 0)
+ goto err;
+ for (k = 0; k < sk_ASN1_STRING_num(pinfo->professionItems); k++) {
+ ASN1_STRING* val = sk_ASN1_STRING_value(pinfo->professionItems, k);
+
+ if (BIO_printf(bp, "%*s ", ind, "") <= 0
+ || ASN1_STRING_print(bp, val) <= 0
+ || BIO_printf(bp, "\n") <= 0)
+ goto err;
+ }
+ }
+
+ if (pinfo->professionOIDs != NULL) {
+ if (BIO_printf(bp, "%*s Profession OIDs:\n", ind, "") <= 0)
+ goto err;
+ for (k = 0; k < sk_ASN1_OBJECT_num(pinfo->professionOIDs); k++) {
+ ASN1_OBJECT* obj = sk_ASN1_OBJECT_value(pinfo->professionOIDs, k);
+ const char *ln = OBJ_nid2ln(OBJ_obj2nid(obj));
+ char objbuf[128];
+
+ OBJ_obj2txt(objbuf, sizeof(objbuf), obj, 1);
+ if (BIO_printf(bp, "%*s %s%s%s%s\n", ind, "",
+ ln ? ln : "", ln ? " (" : "",
+ objbuf, ln ? ")" : "") <= 0)
+ goto err;
+ }
+ }
+ }
+ }
+ return 1;
+
+err:
+ return -1;
+}
+
+const ASN1_OBJECT *NAMING_AUTHORITY_get0_authorityId(const NAMING_AUTHORITY *n)
+{
+ return n->namingAuthorityId;
+}
+
+void NAMING_AUTHORITY_set0_authorityId(NAMING_AUTHORITY *n, ASN1_OBJECT* id)
+{
+ ASN1_OBJECT_free(n->namingAuthorityId);
+ n->namingAuthorityId = id;
+}
+
+const ASN1_IA5STRING *NAMING_AUTHORITY_get0_authorityURL(
+ const NAMING_AUTHORITY *n)
+{
+ return n->namingAuthorityUrl;
+}
+
+void NAMING_AUTHORITY_set0_authorityURL(NAMING_AUTHORITY *n, ASN1_IA5STRING* u)
+{
+ ASN1_IA5STRING_free(n->namingAuthorityUrl);
+ n->namingAuthorityUrl = u;
+}
+
+const ASN1_STRING *NAMING_AUTHORITY_get0_authorityText(
+ const NAMING_AUTHORITY *n)
+{
+ return n->namingAuthorityText;
+}
+
+void NAMING_AUTHORITY_set0_authorityText(NAMING_AUTHORITY *n, ASN1_STRING* t)
+{
+ ASN1_IA5STRING_free(n->namingAuthorityText);
+ n->namingAuthorityText = t;
+}
+
+const GENERAL_NAME *ADMISSION_SYNTAX_get0_admissionAuthority(const ADMISSION_SYNTAX *as)
+{
+ return as->admissionAuthority;
+}
+
+void ADMISSION_SYNTAX_set0_admissionAuthority(ADMISSION_SYNTAX *as,
+ GENERAL_NAME *aa)
+{
+ GENERAL_NAME_free(as->admissionAuthority);
+ as->admissionAuthority = aa;
+}
+
+const STACK_OF(ADMISSIONS) *ADMISSION_SYNTAX_get0_contentsOfAdmissions(const ADMISSION_SYNTAX *as)
+{
+ return as->contentsOfAdmissions;
+}
+
+void ADMISSION_SYNTAX_set0_contentsOfAdmissions(ADMISSION_SYNTAX *as,
+ STACK_OF(ADMISSIONS) *a)
+{
+ sk_ADMISSIONS_pop_free(as->contentsOfAdmissions, ADMISSIONS_free);
+ as->contentsOfAdmissions = a;
+}
+
+const GENERAL_NAME *ADMISSIONS_get0_admissionAuthority(const ADMISSIONS *a)
+{
+ return a->admissionAuthority;
+}
+
+void ADMISSIONS_set0_admissionAuthority(ADMISSIONS *a, GENERAL_NAME *aa)
+{
+ GENERAL_NAME_free(a->admissionAuthority);
+ a->admissionAuthority = aa;
+}
+
+const NAMING_AUTHORITY *ADMISSIONS_get0_namingAuthority(const ADMISSIONS *a)
+{
+ return a->namingAuthority;
+}
+
+void ADMISSIONS_set0_namingAuthority(ADMISSIONS *a, NAMING_AUTHORITY *na)
+{
+ NAMING_AUTHORITY_free(a->namingAuthority);
+ a->namingAuthority = na;
+}
+
+const PROFESSION_INFOS *ADMISSIONS_get0_professionInfos(const ADMISSIONS *a)
+{
+ return a->professionInfos;
+}
+
+void ADMISSIONS_set0_professionInfos(ADMISSIONS *a, PROFESSION_INFOS *pi)
+{
+ sk_PROFESSION_INFO_pop_free(a->professionInfos, PROFESSION_INFO_free);
+ a->professionInfos = pi;
+}
+
+const ASN1_OCTET_STRING *PROFESSION_INFO_get0_addProfessionInfo(const PROFESSION_INFO *pi)
+{
+ return pi->addProfessionInfo;
+}
+
+void PROFESSION_INFO_set0_addProfessionInfo(PROFESSION_INFO *pi,
+ ASN1_OCTET_STRING *aos)
+{
+ ASN1_OCTET_STRING_free(pi->addProfessionInfo);
+ pi->addProfessionInfo = aos;
+}
+
+const NAMING_AUTHORITY *PROFESSION_INFO_get0_namingAuthority(const PROFESSION_INFO *pi)
+{
+ return pi->namingAuthority;
+}
+
+void PROFESSION_INFO_set0_namingAuthority(PROFESSION_INFO *pi,
+ NAMING_AUTHORITY *na)
+{
+ NAMING_AUTHORITY_free(pi->namingAuthority);
+ pi->namingAuthority = na;
+}
+
+const STACK_OF(ASN1_STRING) *PROFESSION_INFO_get0_professionItems(const PROFESSION_INFO *pi)
+{
+ return pi->professionItems;
+}
+
+void PROFESSION_INFO_set0_professionItems(PROFESSION_INFO *pi,
+ STACK_OF(ASN1_STRING) *as)
+{
+ sk_ASN1_STRING_pop_free(pi->professionItems, ASN1_STRING_free);
+ pi->professionItems = as;
+}
+
+const STACK_OF(ASN1_OBJECT) *PROFESSION_INFO_get0_professionOIDs(const PROFESSION_INFO *pi)
+{
+ return pi->professionOIDs;
+}
+
+void PROFESSION_INFO_set0_professionOIDs(PROFESSION_INFO *pi,
+ STACK_OF(ASN1_OBJECT) *po)
+{
+ sk_ASN1_OBJECT_pop_free(pi->professionOIDs, ASN1_OBJECT_free);
+ pi->professionOIDs = po;
+}
+
+const ASN1_PRINTABLESTRING *PROFESSION_INFO_get0_registrationNumber(const PROFESSION_INFO *pi)
+{
+ return pi->registrationNumber;
+}
+
+void PROFESSION_INFO_set0_registrationNumber(PROFESSION_INFO *pi,
+ ASN1_PRINTABLESTRING *rn)
+{
+ ASN1_PRINTABLESTRING_free(pi->registrationNumber);
+ pi->registrationNumber = rn;
+}
diff --git a/crypto/x509v3/v3_admis.h b/crypto/x509v3/v3_admis.h
new file mode 100644
index 000000000000..fa23fc761759
--- /dev/null
+++ b/crypto/x509v3/v3_admis.h
@@ -0,0 +1,38 @@
+/*
+ * Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef HEADER_V3_ADMISSION_H
+# define HEADER_V3_ADMISSION_H
+
+struct NamingAuthority_st {
+ ASN1_OBJECT* namingAuthorityId;
+ ASN1_IA5STRING* namingAuthorityUrl;
+ ASN1_STRING* namingAuthorityText; /* i.e. DIRECTORYSTRING */
+};
+
+struct ProfessionInfo_st {
+ NAMING_AUTHORITY* namingAuthority;
+ STACK_OF(ASN1_STRING)* professionItems; /* i.e. DIRECTORYSTRING */
+ STACK_OF(ASN1_OBJECT)* professionOIDs;
+ ASN1_PRINTABLESTRING* registrationNumber;
+ ASN1_OCTET_STRING* addProfessionInfo;
+};
+
+struct Admissions_st {
+ GENERAL_NAME* admissionAuthority;
+ NAMING_AUTHORITY* namingAuthority;
+ STACK_OF(PROFESSION_INFO)* professionInfos;
+};
+
+struct AdmissionSyntax_st {
+ GENERAL_NAME* admissionAuthority;
+ STACK_OF(ADMISSIONS)* contentsOfAdmissions;
+};
+
+#endif
diff --git a/crypto/x509v3/v3_akey.c b/crypto/x509v3/v3_akey.c
index e920270e164f..d9f770433cfb 100644
--- a/crypto/x509v3/v3_akey.c
+++ b/crypto/x509v3/v3_akey.c
@@ -1,68 +1,19 @@
-/* v3_akey.c */
/*
- * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
- * 1999.
- */
-/* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
+ * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
*
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
*/
#include <stdio.h>
-#include "cryptlib.h"
+#include "internal/cryptlib.h"
#include <openssl/conf.h>
#include <openssl/asn1.h>
#include <openssl/asn1t.h>
#include <openssl/x509v3.h>
+#include "ext_dat.h"
static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
AUTHORITY_KEYID *akeyid,
@@ -90,14 +41,14 @@ static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
{
char *tmp;
if (akeyid->keyid) {
- tmp = hex_to_string(akeyid->keyid->data, akeyid->keyid->length);
+ tmp = OPENSSL_buf2hexstr(akeyid->keyid->data, akeyid->keyid->length);
X509V3_add_value("keyid", tmp, &extlist);
OPENSSL_free(tmp);
}
if (akeyid->issuer)
extlist = i2v_GENERAL_NAMES(NULL, akeyid->issuer, extlist);
if (akeyid->serial) {
- tmp = hex_to_string(akeyid->serial->data, akeyid->serial->length);
+ tmp = OPENSSL_buf2hexstr(akeyid->serial->data, akeyid->serial->length);
X509V3_add_value("serial", tmp, &extlist);
OPENSSL_free(tmp);
}
@@ -131,13 +82,13 @@ static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
for (i = 0; i < sk_CONF_VALUE_num(values); i++) {
cnf = sk_CONF_VALUE_value(values, i);
- if (!strcmp(cnf->name, "keyid")) {
+ if (strcmp(cnf->name, "keyid") == 0) {
keyid = 1;
- if (cnf->value && !strcmp(cnf->value, "always"))
+ if (cnf->value && strcmp(cnf->value, "always") == 0)
keyid = 2;
- } else if (!strcmp(cnf->name, "issuer")) {
+ } else if (strcmp(cnf->name, "issuer") == 0) {
issuer = 1;
- if (cnf->value && !strcmp(cnf->value, "always"))
+ if (cnf->value && strcmp(cnf->value, "always") == 0)
issuer = 2;
} else {
X509V3err(X509V3_F_V2I_AUTHORITY_KEYID, X509V3_R_UNKNOWN_OPTION);
@@ -169,7 +120,7 @@ static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
if ((issuer && !ikeyid) || (issuer == 2)) {
isname = X509_NAME_dup(X509_get_issuer_name(cert));
- serial = M_ASN1_INTEGER_dup(X509_get_serialNumber(cert));
+ serial = ASN1_INTEGER_dup(X509_get_serialNumber(cert));
if (!isname || !serial) {
X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,
X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS);
@@ -177,12 +128,12 @@ static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
}
}
- if (!(akeyid = AUTHORITY_KEYID_new()))
+ if ((akeyid = AUTHORITY_KEYID_new()) == NULL)
goto err;
if (isname) {
- if (!(gens = sk_GENERAL_NAME_new_null())
- || !(gen = GENERAL_NAME_new())
+ if ((gens = sk_GENERAL_NAME_new_null()) == NULL
+ || (gen = GENERAL_NAME_new()) == NULL
|| !sk_GENERAL_NAME_push(gens, gen)) {
X509V3err(X509V3_F_V2I_AUTHORITY_KEYID, ERR_R_MALLOC_FAILURE);
goto err;
@@ -192,14 +143,18 @@ static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
}
akeyid->issuer = gens;
+ gen = NULL;
+ gens = NULL;
akeyid->serial = serial;
akeyid->keyid = ikeyid;
return akeyid;
err:
+ sk_GENERAL_NAME_free(gens);
+ GENERAL_NAME_free(gen);
X509_NAME_free(isname);
- M_ASN1_INTEGER_free(serial);
- M_ASN1_OCTET_STRING_free(ikeyid);
+ ASN1_INTEGER_free(serial);
+ ASN1_OCTET_STRING_free(ikeyid);
return NULL;
}
diff --git a/crypto/x509v3/v3_akeya.c b/crypto/x509v3/v3_akeya.c
index 2cc85b762345..d6dd6bcb9b96 100644
--- a/crypto/x509v3/v3_akeya.c
+++ b/crypto/x509v3/v3_akeya.c
@@ -1,64 +1,14 @@
-/* v3_akey_asn1.c */
/*
- * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
- * 1999.
- */
-/* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
+ * Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved.
*
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
*/
#include <stdio.h>
-#include "cryptlib.h"
+#include "internal/cryptlib.h"
#include <openssl/conf.h>
#include <openssl/asn1.h>
#include <openssl/asn1t.h>
diff --git a/crypto/x509v3/v3_alt.c b/crypto/x509v3/v3_alt.c
index d4d024c561c8..832e6d128571 100644
--- a/crypto/x509v3/v3_alt.c
+++ b/crypto/x509v3/v3_alt.c
@@ -1,66 +1,17 @@
-/* v3_alt.c */
/*
- * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project.
- */
-/* ====================================================================
- * Copyright (c) 1999-2003 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
+ * Copyright 1999-2017 The OpenSSL Project Authors. All Rights Reserved.
*
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
*/
#include <stdio.h>
-#include "cryptlib.h"
+#include "internal/cryptlib.h"
#include <openssl/conf.h>
#include <openssl/x509v3.h>
+#include "ext_dat.h"
static GENERAL_NAMES *v2i_subject_alt(X509V3_EXT_METHOD *method,
X509V3_CTX *ctx,
@@ -70,10 +21,10 @@ static GENERAL_NAMES *v2i_issuer_alt(X509V3_EXT_METHOD *method,
STACK_OF(CONF_VALUE) *nval);
static int copy_email(X509V3_CTX *ctx, GENERAL_NAMES *gens, int move_p);
static int copy_issuer(X509V3_CTX *ctx, GENERAL_NAMES *gens);
-static int do_othername(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx);
-static int do_dirname(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx);
+static int do_othername(GENERAL_NAME *gen, const char *value, X509V3_CTX *ctx);
+static int do_dirname(GENERAL_NAME *gen, const char *value, X509V3_CTX *ctx);
-const X509V3_EXT_METHOD v3_alt[] = {
+const X509V3_EXT_METHOD v3_alt[3] = {
{NID_subject_alt_name, 0, ASN1_ITEM_ref(GENERAL_NAMES),
0, 0, 0, 0,
0, 0,
@@ -117,6 +68,7 @@ STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(X509V3_EXT_METHOD *method,
unsigned char *p;
char oline[256], htmp[5];
int i;
+
switch (gen->type) {
case GEN_OTHERNAME:
if (!X509V3_add_value("othername", "<unsupported>", &ret))
@@ -149,7 +101,7 @@ STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(X509V3_EXT_METHOD *method,
break;
case GEN_DIRNAME:
- if (X509_NAME_oneline(gen->d.dirn, oline, 256) == NULL
+ if (X509_NAME_oneline(gen->d.dirn, oline, sizeof(oline)) == NULL
|| !X509V3_add_value("DirName", oline, &ret))
return NULL;
break;
@@ -157,8 +109,8 @@ STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(X509V3_EXT_METHOD *method,
case GEN_IPADD:
p = gen->d.ip->data;
if (gen->d.ip->length == 4)
- BIO_snprintf(oline, sizeof(oline),
- "%d.%d.%d.%d", p[0], p[1], p[2], p[3]);
+ BIO_snprintf(oline, sizeof(oline), "%d.%d.%d.%d",
+ p[0], p[1], p[2], p[3]);
else if (gen->d.ip->length == 16) {
oline[0] = 0;
for (i = 0; i < 8; i++) {
@@ -217,7 +169,7 @@ int GENERAL_NAME_print(BIO *out, GENERAL_NAME *gen)
break;
case GEN_DIRNAME:
- BIO_printf(out, "DirName: ");
+ BIO_printf(out, "DirName:");
X509_NAME_print_ex(out, gen->d.dirn, 0, XN_FLAG_ONELINE);
break;
@@ -239,7 +191,7 @@ int GENERAL_NAME_print(BIO *out, GENERAL_NAME *gen)
break;
case GEN_RID:
- BIO_printf(out, "Registered ID");
+ BIO_printf(out, "Registered ID:");
i2a_ASN1_OBJECT(out, gen->d.rid);
break;
}
@@ -250,24 +202,28 @@ static GENERAL_NAMES *v2i_issuer_alt(X509V3_EXT_METHOD *method,
X509V3_CTX *ctx,
STACK_OF(CONF_VALUE) *nval)
{
- GENERAL_NAMES *gens = NULL;
- CONF_VALUE *cnf;
+ const int num = sk_CONF_VALUE_num(nval);
+ GENERAL_NAMES *gens = sk_GENERAL_NAME_new_reserve(NULL, num);
int i;
- if (!(gens = sk_GENERAL_NAME_new_null())) {
+
+ if (gens == NULL) {
X509V3err(X509V3_F_V2I_ISSUER_ALT, ERR_R_MALLOC_FAILURE);
+ sk_GENERAL_NAME_free(gens);
return NULL;
}
- for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
- cnf = sk_CONF_VALUE_value(nval, i);
- if (!name_cmp(cnf->name, "issuer") && cnf->value &&
- !strcmp(cnf->value, "copy")) {
+ for (i = 0; i < num; i++) {
+ CONF_VALUE *cnf = sk_CONF_VALUE_value(nval, i);
+
+ if (!name_cmp(cnf->name, "issuer")
+ && cnf->value && strcmp(cnf->value, "copy") == 0) {
if (!copy_issuer(ctx, gens))
goto err;
} else {
- GENERAL_NAME *gen;
- if (!(gen = v2i_GENERAL_NAME(method, ctx, cnf)))
+ GENERAL_NAME *gen = v2i_GENERAL_NAME(method, ctx, cnf);
+
+ if (gen == NULL)
goto err;
- sk_GENERAL_NAME_push(gens, gen);
+ sk_GENERAL_NAME_push(gens, gen); /* no failure as it was reserved */
}
}
return gens;
@@ -283,7 +239,8 @@ static int copy_issuer(X509V3_CTX *ctx, GENERAL_NAMES *gens)
GENERAL_NAMES *ialt;
GENERAL_NAME *gen;
X509_EXTENSION *ext;
- int i;
+ int i, num;
+
if (ctx && (ctx->flags == CTX_TEST))
return 1;
if (!ctx || !ctx->issuer_cert) {
@@ -293,18 +250,21 @@ static int copy_issuer(X509V3_CTX *ctx, GENERAL_NAMES *gens)
i = X509_get_ext_by_NID(ctx->issuer_cert, NID_subject_alt_name, -1);
if (i < 0)
return 1;
- if (!(ext = X509_get_ext(ctx->issuer_cert, i)) ||
- !(ialt = X509V3_EXT_d2i(ext))) {
+ if ((ext = X509_get_ext(ctx->issuer_cert, i)) == NULL
+ || (ialt = X509V3_EXT_d2i(ext)) == NULL) {
X509V3err(X509V3_F_COPY_ISSUER, X509V3_R_ISSUER_DECODE_ERROR);
goto err;
}
- for (i = 0; i < sk_GENERAL_NAME_num(ialt); i++) {
+ num = sk_GENERAL_NAME_num(ialt);
+ if (!sk_GENERAL_NAME_reserve(gens, num)) {
+ X509V3err(X509V3_F_COPY_ISSUER, ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+
+ for (i = 0; i < num; i++) {
gen = sk_GENERAL_NAME_value(ialt, i);
- if (!sk_GENERAL_NAME_push(gens, gen)) {
- X509V3err(X509V3_F_COPY_ISSUER, ERR_R_MALLOC_FAILURE);
- goto err;
- }
+ sk_GENERAL_NAME_push(gens, gen); /* no failure as it was reserved */
}
sk_GENERAL_NAME_free(ialt);
@@ -319,28 +279,33 @@ static GENERAL_NAMES *v2i_subject_alt(X509V3_EXT_METHOD *method,
X509V3_CTX *ctx,
STACK_OF(CONF_VALUE) *nval)
{
- GENERAL_NAMES *gens = NULL;
+ GENERAL_NAMES *gens;
CONF_VALUE *cnf;
+ const int num = sk_CONF_VALUE_num(nval);
int i;
- if (!(gens = sk_GENERAL_NAME_new_null())) {
+
+ gens = sk_GENERAL_NAME_new_reserve(NULL, num);
+ if (gens == NULL) {
X509V3err(X509V3_F_V2I_SUBJECT_ALT, ERR_R_MALLOC_FAILURE);
+ sk_GENERAL_NAME_free(gens);
return NULL;
}
- for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
+
+ for (i = 0; i < num; i++) {
cnf = sk_CONF_VALUE_value(nval, i);
- if (!name_cmp(cnf->name, "email") && cnf->value &&
- !strcmp(cnf->value, "copy")) {
+ if (!name_cmp(cnf->name, "email")
+ && cnf->value && strcmp(cnf->value, "copy") == 0) {
if (!copy_email(ctx, gens, 0))
goto err;
- } else if (!name_cmp(cnf->name, "email") && cnf->value &&
- !strcmp(cnf->value, "move")) {
+ } else if (!name_cmp(cnf->name, "email")
+ && cnf->value && strcmp(cnf->value, "move") == 0) {
if (!copy_email(ctx, gens, 1))
goto err;
} else {
GENERAL_NAME *gen;
- if (!(gen = v2i_GENERAL_NAME(method, ctx, cnf)))
+ if ((gen = v2i_GENERAL_NAME(method, ctx, cnf)) == NULL)
goto err;
- sk_GENERAL_NAME_push(gens, gen);
+ sk_GENERAL_NAME_push(gens, gen); /* no failure as it was reserved */
}
}
return gens;
@@ -359,10 +324,12 @@ static int copy_email(X509V3_CTX *ctx, GENERAL_NAMES *gens, int move_p)
ASN1_IA5STRING *email = NULL;
X509_NAME_ENTRY *ne;
GENERAL_NAME *gen = NULL;
- int i;
+ int i = -1;
+
if (ctx != NULL && ctx->flags == CTX_TEST)
return 1;
- if (!ctx || (!ctx->subject_cert && !ctx->subject_req)) {
+ if (ctx == NULL
+ || (ctx->subject_cert == NULL && ctx->subject_req == NULL)) {
X509V3err(X509V3_F_COPY_EMAIL, X509V3_R_NO_SUBJECT_DETAILS);
goto err;
}
@@ -373,17 +340,16 @@ static int copy_email(X509V3_CTX *ctx, GENERAL_NAMES *gens, int move_p)
nm = X509_REQ_get_subject_name(ctx->subject_req);
/* Now add any email address(es) to STACK */
- i = -1;
while ((i = X509_NAME_get_index_by_NID(nm,
NID_pkcs9_emailAddress, i)) >= 0) {
ne = X509_NAME_get_entry(nm, i);
- email = M_ASN1_IA5STRING_dup(X509_NAME_ENTRY_get_data(ne));
+ email = ASN1_STRING_dup(X509_NAME_ENTRY_get_data(ne));
if (move_p) {
X509_NAME_delete_entry(nm, i);
X509_NAME_ENTRY_free(ne);
i--;
}
- if (!email || !(gen = GENERAL_NAME_new())) {
+ if (email == NULL || (gen = GENERAL_NAME_new()) == NULL) {
X509V3err(X509V3_F_COPY_EMAIL, ERR_R_MALLOC_FAILURE);
goto err;
}
@@ -401,7 +367,7 @@ static int copy_email(X509V3_CTX *ctx, GENERAL_NAMES *gens, int move_p)
err:
GENERAL_NAME_free(gen);
- M_ASN1_IA5STRING_free(email);
+ ASN1_IA5STRING_free(email);
return 0;
}
@@ -410,18 +376,23 @@ GENERAL_NAMES *v2i_GENERAL_NAMES(const X509V3_EXT_METHOD *method,
X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
{
GENERAL_NAME *gen;
- GENERAL_NAMES *gens = NULL;
+ GENERAL_NAMES *gens;
CONF_VALUE *cnf;
+ const int num = sk_CONF_VALUE_num(nval);
int i;
- if (!(gens = sk_GENERAL_NAME_new_null())) {
+
+ gens = sk_GENERAL_NAME_new_reserve(NULL, num);
+ if (gens == NULL) {
X509V3err(X509V3_F_V2I_GENERAL_NAMES, ERR_R_MALLOC_FAILURE);
+ sk_GENERAL_NAME_free(gens);
return NULL;
}
- for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
+
+ for (i = 0; i < num; i++) {
cnf = sk_CONF_VALUE_value(nval, i);
- if (!(gen = v2i_GENERAL_NAME(method, ctx, cnf)))
+ if ((gen = v2i_GENERAL_NAME(method, ctx, cnf)) == NULL)
goto err;
- sk_GENERAL_NAME_push(gens, gen);
+ sk_GENERAL_NAME_push(gens, gen); /* no failure as it was reserved */
}
return gens;
err:
@@ -437,7 +408,7 @@ GENERAL_NAME *v2i_GENERAL_NAME(const X509V3_EXT_METHOD *method,
GENERAL_NAME *a2i_GENERAL_NAME(GENERAL_NAME *out,
const X509V3_EXT_METHOD *method,
- X509V3_CTX *ctx, int gen_type, char *value,
+ X509V3_CTX *ctx, int gen_type, const char *value,
int is_nc)
{
char is_string = 0;
@@ -468,7 +439,7 @@ GENERAL_NAME *a2i_GENERAL_NAME(GENERAL_NAME *out,
case GEN_RID:
{
ASN1_OBJECT *obj;
- if (!(obj = OBJ_txt2obj(value, 0))) {
+ if ((obj = OBJ_txt2obj(value, 0)) == NULL) {
X509V3err(X509V3_F_A2I_GENERAL_NAME, X509V3_R_BAD_OBJECT);
ERR_add_error_data(2, "value=", value);
goto err;
@@ -508,7 +479,7 @@ GENERAL_NAME *a2i_GENERAL_NAME(GENERAL_NAME *out,
}
if (is_string) {
- if (!(gen->d.ia5 = M_ASN1_IA5STRING_new()) ||
+ if ((gen->d.ia5 = ASN1_IA5STRING_new()) == NULL ||
!ASN1_STRING_set(gen->d.ia5, (unsigned char *)value,
strlen(value))) {
X509V3err(X509V3_F_A2I_GENERAL_NAME, ERR_R_MALLOC_FAILURE);
@@ -566,27 +537,26 @@ GENERAL_NAME *v2i_GENERAL_NAME_ex(GENERAL_NAME *out,
}
-static int do_othername(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx)
+static int do_othername(GENERAL_NAME *gen, const char *value, X509V3_CTX *ctx)
{
char *objtmp = NULL, *p;
int objlen;
- if (!(p = strchr(value, ';')))
+
+ if ((p = strchr(value, ';')) == NULL)
return 0;
- if (!(gen->d.otherName = OTHERNAME_new()))
+ if ((gen->d.otherName = OTHERNAME_new()) == NULL)
return 0;
/*
* Free this up because we will overwrite it. no need to free type_id
* because it is static
*/
ASN1_TYPE_free(gen->d.otherName->value);
- if (!(gen->d.otherName->value = ASN1_generate_v3(p + 1, ctx)))
+ if ((gen->d.otherName->value = ASN1_generate_v3(p + 1, ctx)) == NULL)
return 0;
objlen = p - value;
- objtmp = OPENSSL_malloc(objlen + 1);
+ objtmp = OPENSSL_strndup(value, objlen);
if (objtmp == NULL)
return 0;
- strncpy(objtmp, value, objlen);
- objtmp[objlen] = 0;
gen->d.otherName->type_id = OBJ_txt2obj(objtmp, 0);
OPENSSL_free(objtmp);
if (!gen->d.otherName->type_id)
@@ -594,12 +564,13 @@ static int do_othername(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx)
return 1;
}
-static int do_dirname(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx)
+static int do_dirname(GENERAL_NAME *gen, const char *value, X509V3_CTX *ctx)
{
int ret = 0;
STACK_OF(CONF_VALUE) *sk = NULL;
- X509_NAME *nm = NULL;
- if (!(nm = X509_NAME_new()))
+ X509_NAME *nm;
+
+ if ((nm = X509_NAME_new()) == NULL)
goto err;
sk = X509V3_get_section(ctx, value);
if (!sk) {
diff --git a/crypto/x509v3/v3_asid.c b/crypto/x509v3/v3_asid.c
index 2a32c9d0c9ba..089f2ae29f0c 100644
--- a/crypto/x509v3/v3_asid.c
+++ b/crypto/x509v3/v3_asid.c
@@ -1,73 +1,28 @@
/*
- * Contributed to the OpenSSL Project by the American Registry for
- * Internet Numbers ("ARIN").
- */
-/* ====================================================================
- * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
+ * Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved.
*
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
*/
/*
* Implementation of RFC 3779 section 3.2.
*/
+#include <assert.h>
#include <stdio.h>
#include <string.h>
-#include "cryptlib.h"
+#include "internal/cryptlib.h"
#include <openssl/conf.h>
#include <openssl/asn1.h>
#include <openssl/asn1t.h>
#include <openssl/x509v3.h>
#include <openssl/x509.h>
+#include "internal/x509_int.h"
#include <openssl/bn.h>
+#include "ext_dat.h"
#ifndef OPENSSL_NO_RFC3779
@@ -162,20 +117,20 @@ static int i2r_ASIdentifiers(const X509V3_EXT_METHOD *method,
}
/*
- * Sort comparision function for a sequence of ASIdOrRange elements.
+ * Sort comparison function for a sequence of ASIdOrRange elements.
*/
static int ASIdOrRange_cmp(const ASIdOrRange *const *a_,
const ASIdOrRange *const *b_)
{
const ASIdOrRange *a = *a_, *b = *b_;
- OPENSSL_assert((a->type == ASIdOrRange_id && a->u.id != NULL) ||
- (a->type == ASIdOrRange_range && a->u.range != NULL &&
- a->u.range->min != NULL && a->u.range->max != NULL));
+ assert((a->type == ASIdOrRange_id && a->u.id != NULL) ||
+ (a->type == ASIdOrRange_range && a->u.range != NULL &&
+ a->u.range->min != NULL && a->u.range->max != NULL));
- OPENSSL_assert((b->type == ASIdOrRange_id && b->u.id != NULL) ||
- (b->type == ASIdOrRange_range && b->u.range != NULL &&
- b->u.range->min != NULL && b->u.range->max != NULL));
+ assert((b->type == ASIdOrRange_id && b->u.id != NULL) ||
+ (b->type == ASIdOrRange_range && b->u.range != NULL &&
+ b->u.range->min != NULL && b->u.range->max != NULL));
if (a->type == ASIdOrRange_id && b->type == ASIdOrRange_id)
return ASN1_INTEGER_cmp(a->u.id, b->u.id);
@@ -195,7 +150,7 @@ static int ASIdOrRange_cmp(const ASIdOrRange *const *a_,
/*
* Add an inherit element.
*/
-int v3_asid_add_inherit(ASIdentifiers *asid, int which)
+int X509v3_asid_add_inherit(ASIdentifiers *asid, int which)
{
ASIdentifierChoice **choice;
if (asid == NULL)
@@ -213,7 +168,6 @@ int v3_asid_add_inherit(ASIdentifiers *asid, int which)
if (*choice == NULL) {
if ((*choice = ASIdentifierChoice_new()) == NULL)
return 0;
- OPENSSL_assert((*choice)->u.inherit == NULL);
if (((*choice)->u.inherit = ASN1_NULL_new()) == NULL)
return 0;
(*choice)->type = ASIdentifierChoice_inherit;
@@ -224,8 +178,8 @@ int v3_asid_add_inherit(ASIdentifiers *asid, int which)
/*
* Add an ID or range to an ASIdentifierChoice.
*/
-int v3_asid_add_id_or_range(ASIdentifiers *asid,
- int which, ASN1_INTEGER *min, ASN1_INTEGER *max)
+int X509v3_asid_add_id_or_range(ASIdentifiers *asid,
+ int which, ASN1_INTEGER *min, ASN1_INTEGER *max)
{
ASIdentifierChoice **choice;
ASIdOrRange *aor;
@@ -246,7 +200,6 @@ int v3_asid_add_id_or_range(ASIdentifiers *asid,
if (*choice == NULL) {
if ((*choice = ASIdentifierChoice_new()) == NULL)
return 0;
- OPENSSL_assert((*choice)->u.asIdsOrRanges == NULL);
(*choice)->u.asIdsOrRanges = sk_ASIdOrRange_new(ASIdOrRange_cmp);
if ((*choice)->u.asIdsOrRanges == NULL)
return 0;
@@ -278,20 +231,23 @@ int v3_asid_add_id_or_range(ASIdentifiers *asid,
/*
* Extract min and max values from an ASIdOrRange.
*/
-static void extract_min_max(ASIdOrRange *aor,
- ASN1_INTEGER **min, ASN1_INTEGER **max)
+static int extract_min_max(ASIdOrRange *aor,
+ ASN1_INTEGER **min, ASN1_INTEGER **max)
{
- OPENSSL_assert(aor != NULL && min != NULL && max != NULL);
+ if (!ossl_assert(aor != NULL))
+ return 0;
switch (aor->type) {
case ASIdOrRange_id:
*min = aor->u.id;
*max = aor->u.id;
- return;
+ return 1;
case ASIdOrRange_range:
*min = aor->u.range->min;
*max = aor->u.range->max;
- return;
+ return 1;
}
+
+ return 0;
}
/*
@@ -322,10 +278,12 @@ static int ASIdentifierChoice_is_canonical(ASIdentifierChoice *choice)
for (i = 0; i < sk_ASIdOrRange_num(choice->u.asIdsOrRanges) - 1; i++) {
ASIdOrRange *a = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i);
ASIdOrRange *b = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i + 1);
- ASN1_INTEGER *a_min, *a_max, *b_min, *b_max;
+ ASN1_INTEGER *a_min = NULL, *a_max = NULL, *b_min = NULL, *b_max =
+ NULL;
- extract_min_max(a, &a_min, &a_max);
- extract_min_max(b, &b_min, &b_max);
+ if (!extract_min_max(a, &a_min, &a_max)
+ || !extract_min_max(b, &b_min, &b_max))
+ goto done;
/*
* Punt misordered list, overlapping start, or inverted range.
@@ -363,8 +321,8 @@ static int ASIdentifierChoice_is_canonical(ASIdentifierChoice *choice)
ASIdOrRange *a = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i);
ASN1_INTEGER *a_min, *a_max;
if (a != NULL && a->type == ASIdOrRange_range) {
- extract_min_max(a, &a_min, &a_max);
- if (ASN1_INTEGER_cmp(a_min, a_max) > 0)
+ if (!extract_min_max(a, &a_min, &a_max)
+ || ASN1_INTEGER_cmp(a_min, a_max) > 0)
goto done;
}
}
@@ -380,7 +338,7 @@ static int ASIdentifierChoice_is_canonical(ASIdentifierChoice *choice)
/*
* Check whether an ASIdentifier extension is in canonical form.
*/
-int v3_asid_is_canonical(ASIdentifiers *asid)
+int X509v3_asid_is_canonical(ASIdentifiers *asid)
{
return (asid == NULL ||
(ASIdentifierChoice_is_canonical(asid->asnum) &&
@@ -424,15 +382,18 @@ static int ASIdentifierChoice_canonize(ASIdentifierChoice *choice)
for (i = 0; i < sk_ASIdOrRange_num(choice->u.asIdsOrRanges) - 1; i++) {
ASIdOrRange *a = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i);
ASIdOrRange *b = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i + 1);
- ASN1_INTEGER *a_min, *a_max, *b_min, *b_max;
+ ASN1_INTEGER *a_min = NULL, *a_max = NULL, *b_min = NULL, *b_max =
+ NULL;
- extract_min_max(a, &a_min, &a_max);
- extract_min_max(b, &b_min, &b_max);
+ if (!extract_min_max(a, &a_min, &a_max)
+ || !extract_min_max(b, &b_min, &b_max))
+ goto done;
/*
* Make sure we're properly sorted (paranoia).
*/
- OPENSSL_assert(ASN1_INTEGER_cmp(a_min, b_min) <= 0);
+ if (!ossl_assert(ASN1_INTEGER_cmp(a_min, b_min) <= 0))
+ goto done;
/*
* Punt inverted ranges.
@@ -470,7 +431,7 @@ static int ASIdentifierChoice_canonize(ASIdentifierChoice *choice)
ASRange *r;
switch (a->type) {
case ASIdOrRange_id:
- if ((r = OPENSSL_malloc(sizeof(ASRange))) == NULL) {
+ if ((r = OPENSSL_malloc(sizeof(*r))) == NULL) {
X509V3err(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE,
ERR_R_MALLOC_FAILURE);
goto done;
@@ -508,13 +469,15 @@ static int ASIdentifierChoice_canonize(ASIdentifierChoice *choice)
ASIdOrRange *a = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i);
ASN1_INTEGER *a_min, *a_max;
if (a != NULL && a->type == ASIdOrRange_range) {
- extract_min_max(a, &a_min, &a_max);
- if (ASN1_INTEGER_cmp(a_min, a_max) > 0)
+ if (!extract_min_max(a, &a_min, &a_max)
+ || ASN1_INTEGER_cmp(a_min, a_max) > 0)
goto done;
}
}
- OPENSSL_assert(ASIdentifierChoice_is_canonical(choice)); /* Paranoia */
+ /* Paranoia */
+ if (!ossl_assert(ASIdentifierChoice_is_canonical(choice)))
+ goto done;
ret = 1;
@@ -527,7 +490,7 @@ static int ASIdentifierChoice_canonize(ASIdentifierChoice *choice)
/*
* Whack an ASIdentifier extension into canonical form.
*/
-int v3_asid_canonize(ASIdentifiers *asid)
+int X509v3_asid_canonize(ASIdentifiers *asid)
{
return (asid == NULL ||
(ASIdentifierChoice_canonize(asid->asnum) &&
@@ -552,7 +515,7 @@ static void *v2i_ASIdentifiers(const struct v3_ext_method *method,
for (i = 0; i < sk_CONF_VALUE_num(values); i++) {
CONF_VALUE *val = sk_CONF_VALUE_value(values, i);
- int i1, i2, i3, is_range, which;
+ int i1 = 0, i2 = 0, i3 = 0, is_range = 0, which = 0;
/*
* Figure out whether this is an AS or an RDI.
@@ -571,8 +534,8 @@ static void *v2i_ASIdentifiers(const struct v3_ext_method *method,
/*
* Handle inheritance.
*/
- if (!strcmp(val->value, "inherit")) {
- if (v3_asid_add_inherit(asid, which))
+ if (strcmp(val->value, "inherit") == 0) {
+ if (X509v3_asid_add_inherit(asid, which))
continue;
X509V3err(X509V3_F_V2I_ASIDENTIFIERS,
X509V3_R_INVALID_INHERITANCE);
@@ -615,7 +578,7 @@ static void *v2i_ASIdentifiers(const struct v3_ext_method *method,
goto err;
}
} else {
- char *s = BUF_strdup(val->value);
+ char *s = OPENSSL_strdup(val->value);
if (s == NULL) {
X509V3err(X509V3_F_V2I_ASIDENTIFIERS, ERR_R_MALLOC_FAILURE);
goto err;
@@ -634,7 +597,7 @@ static void *v2i_ASIdentifiers(const struct v3_ext_method *method,
goto err;
}
}
- if (!v3_asid_add_id_or_range(asid, which, min, max)) {
+ if (!X509v3_asid_add_id_or_range(asid, which, min, max)) {
X509V3err(X509V3_F_V2I_ASIDENTIFIERS, ERR_R_MALLOC_FAILURE);
goto err;
}
@@ -644,7 +607,7 @@ static void *v2i_ASIdentifiers(const struct v3_ext_method *method,
/*
* Canonize the result, then we're done.
*/
- if (!v3_asid_canonize(asid))
+ if (!X509v3_asid_canonize(asid))
goto err;
return asid;
@@ -675,7 +638,7 @@ const X509V3_EXT_METHOD v3_asid = {
/*
* Figure out whether extension uses inheritance.
*/
-int v3_asid_inherits(ASIdentifiers *asid)
+int X509v3_asid_inherits(ASIdentifiers *asid)
{
return (asid != NULL &&
((asid->asnum != NULL &&
@@ -689,7 +652,7 @@ int v3_asid_inherits(ASIdentifiers *asid)
*/
static int asid_contains(ASIdOrRanges *parent, ASIdOrRanges *child)
{
- ASN1_INTEGER *p_min, *p_max, *c_min, *c_max;
+ ASN1_INTEGER *p_min = NULL, *p_max = NULL, *c_min = NULL, *c_max = NULL;
int p, c;
if (child == NULL || parent == child)
@@ -699,11 +662,14 @@ static int asid_contains(ASIdOrRanges *parent, ASIdOrRanges *child)
p = 0;
for (c = 0; c < sk_ASIdOrRange_num(child); c++) {
- extract_min_max(sk_ASIdOrRange_value(child, c), &c_min, &c_max);
+ if (!extract_min_max(sk_ASIdOrRange_value(child, c), &c_min, &c_max))
+ return 0;
for (;; p++) {
if (p >= sk_ASIdOrRange_num(parent))
return 0;
- extract_min_max(sk_ASIdOrRange_value(parent, p), &p_min, &p_max);
+ if (!extract_min_max(sk_ASIdOrRange_value(parent, p), &p_min,
+ &p_max))
+ return 0;
if (ASN1_INTEGER_cmp(p_max, c_max) < 0)
continue;
if (ASN1_INTEGER_cmp(p_min, c_min) > 0)
@@ -716,15 +682,15 @@ static int asid_contains(ASIdOrRanges *parent, ASIdOrRanges *child)
}
/*
- * Test whether a is a subet of b.
+ * Test whether a is a subset of b.
*/
-int v3_asid_subset(ASIdentifiers *a, ASIdentifiers *b)
+int X509v3_asid_subset(ASIdentifiers *a, ASIdentifiers *b)
{
return (a == NULL ||
a == b ||
(b != NULL &&
- !v3_asid_inherits(a) &&
- !v3_asid_inherits(b) &&
+ !X509v3_asid_inherits(a) &&
+ !X509v3_asid_inherits(b) &&
asid_contains(b->asnum->u.asIdsOrRanges,
a->asnum->u.asIdsOrRanges) &&
asid_contains(b->rdi->u.asIdsOrRanges,
@@ -734,7 +700,7 @@ int v3_asid_subset(ASIdentifiers *a, ASIdentifiers *b)
/*
* Validation error handling via callback.
*/
-# define validation_err(_err_) \
+#define validation_err(_err_) \
do { \
if (ctx != NULL) { \
ctx->error = _err_; \
@@ -751,17 +717,22 @@ int v3_asid_subset(ASIdentifiers *a, ASIdentifiers *b)
/*
* Core code for RFC 3779 3.3 path validation.
*/
-static int v3_asid_validate_path_internal(X509_STORE_CTX *ctx,
- STACK_OF(X509) *chain,
- ASIdentifiers *ext)
+static int asid_validate_path_internal(X509_STORE_CTX *ctx,
+ STACK_OF(X509) *chain,
+ ASIdentifiers *ext)
{
ASIdOrRanges *child_as = NULL, *child_rdi = NULL;
int i, ret = 1, inherit_as = 0, inherit_rdi = 0;
X509 *x;
- OPENSSL_assert(chain != NULL && sk_X509_num(chain) > 0);
- OPENSSL_assert(ctx != NULL || ext != NULL);
- OPENSSL_assert(ctx == NULL || ctx->verify_cb != NULL);
+ if (!ossl_assert(chain != NULL && sk_X509_num(chain) > 0)
+ || !ossl_assert(ctx != NULL || ext != NULL)
+ || !ossl_assert(ctx == NULL || ctx->verify_cb != NULL)) {
+ if (ctx != NULL)
+ ctx->error = X509_V_ERR_UNSPECIFIED;
+ return 0;
+ }
+
/*
* Figure out where to start. If we don't have an extension to
@@ -774,11 +745,10 @@ static int v3_asid_validate_path_internal(X509_STORE_CTX *ctx,
} else {
i = 0;
x = sk_X509_value(chain, i);
- OPENSSL_assert(x != NULL);
if ((ext = x->rfc3779_asid) == NULL)
goto done;
}
- if (!v3_asid_is_canonical(ext))
+ if (!X509v3_asid_is_canonical(ext))
validation_err(X509_V_ERR_INVALID_EXTENSION);
if (ext->asnum != NULL) {
switch (ext->asnum->type) {
@@ -807,13 +777,17 @@ static int v3_asid_validate_path_internal(X509_STORE_CTX *ctx,
*/
for (i++; i < sk_X509_num(chain); i++) {
x = sk_X509_value(chain, i);
- OPENSSL_assert(x != NULL);
+ if (!ossl_assert(x != NULL)) {
+ if (ctx != NULL)
+ ctx->error = X509_V_ERR_UNSPECIFIED;
+ return 0;
+ }
if (x->rfc3779_asid == NULL) {
if (child_as != NULL || child_rdi != NULL)
validation_err(X509_V_ERR_UNNESTED_RESOURCE);
continue;
}
- if (!v3_asid_is_canonical(x->rfc3779_asid))
+ if (!X509v3_asid_is_canonical(x->rfc3779_asid))
validation_err(X509_V_ERR_INVALID_EXTENSION);
if (x->rfc3779_asid->asnum == NULL && child_as != NULL) {
validation_err(X509_V_ERR_UNNESTED_RESOURCE);
@@ -853,7 +827,11 @@ static int v3_asid_validate_path_internal(X509_STORE_CTX *ctx,
/*
* Trust anchor can't inherit.
*/
- OPENSSL_assert(x != NULL);
+ if (!ossl_assert(x != NULL)) {
+ if (ctx != NULL)
+ ctx->error = X509_V_ERR_UNSPECIFIED;
+ return 0;
+ }
if (x->rfc3779_asid != NULL) {
if (x->rfc3779_asid->asnum != NULL &&
x->rfc3779_asid->asnum->type == ASIdentifierChoice_inherit)
@@ -867,30 +845,36 @@ static int v3_asid_validate_path_internal(X509_STORE_CTX *ctx,
return ret;
}
-# undef validation_err
+#undef validation_err
/*
* RFC 3779 3.3 path validation -- called from X509_verify_cert().
*/
-int v3_asid_validate_path(X509_STORE_CTX *ctx)
+int X509v3_asid_validate_path(X509_STORE_CTX *ctx)
{
- return v3_asid_validate_path_internal(ctx, ctx->chain, NULL);
+ if (ctx->chain == NULL
+ || sk_X509_num(ctx->chain) == 0
+ || ctx->verify_cb == NULL) {
+ ctx->error = X509_V_ERR_UNSPECIFIED;
+ return 0;
+ }
+ return asid_validate_path_internal(ctx, ctx->chain, NULL);
}
/*
* RFC 3779 3.3 path validation of an extension.
* Test whether chain covers extension.
*/
-int v3_asid_validate_resource_set(STACK_OF(X509) *chain,
- ASIdentifiers *ext, int allow_inheritance)
+int X509v3_asid_validate_resource_set(STACK_OF(X509) *chain,
+ ASIdentifiers *ext, int allow_inheritance)
{
if (ext == NULL)
return 1;
if (chain == NULL || sk_X509_num(chain) == 0)
return 0;
- if (!allow_inheritance && v3_asid_inherits(ext))
+ if (!allow_inheritance && X509v3_asid_inherits(ext))
return 0;
- return v3_asid_validate_path_internal(NULL, chain, ext);
+ return asid_validate_path_internal(NULL, chain, ext);
}
#endif /* OPENSSL_NO_RFC3779 */
diff --git a/crypto/x509v3/v3_bcons.c b/crypto/x509v3/v3_bcons.c
index dc00b9cb05a6..3bbf15550d32 100644
--- a/crypto/x509v3/v3_bcons.c
+++ b/crypto/x509v3/v3_bcons.c
@@ -1,68 +1,19 @@
-/* v3_bcons.c */
/*
- * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
- * 1999.
- */
-/* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
+ * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
*
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
*/
#include <stdio.h>
-#include "cryptlib.h"
+#include "internal/cryptlib.h"
#include <openssl/asn1.h>
#include <openssl/asn1t.h>
#include <openssl/conf.h>
#include <openssl/x509v3.h>
+#include "ext_dat.h"
static STACK_OF(CONF_VALUE) *i2v_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method,
BASIC_CONSTRAINTS *bcons,
@@ -107,16 +58,17 @@ static BASIC_CONSTRAINTS *v2i_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method,
BASIC_CONSTRAINTS *bcons = NULL;
CONF_VALUE *val;
int i;
- if (!(bcons = BASIC_CONSTRAINTS_new())) {
+
+ if ((bcons = BASIC_CONSTRAINTS_new()) == NULL) {
X509V3err(X509V3_F_V2I_BASIC_CONSTRAINTS, ERR_R_MALLOC_FAILURE);
return NULL;
}
for (i = 0; i < sk_CONF_VALUE_num(values); i++) {
val = sk_CONF_VALUE_value(values, i);
- if (!strcmp(val->name, "CA")) {
+ if (strcmp(val->name, "CA") == 0) {
if (!X509V3_get_value_bool(val, &bcons->ca))
goto err;
- } else if (!strcmp(val->name, "pathlen")) {
+ } else if (strcmp(val->name, "pathlen") == 0) {
if (!X509V3_get_value_int(val, &bcons->pathlen))
goto err;
} else {
diff --git a/crypto/x509v3/v3_bitst.c b/crypto/x509v3/v3_bitst.c
index b7bb3b556f18..4802116ba0d4 100644
--- a/crypto/x509v3/v3_bitst.c
+++ b/crypto/x509v3/v3_bitst.c
@@ -1,66 +1,17 @@
-/* v3_bitst.c */
/*
- * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
- * 1999.
- */
-/* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
+ * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
*
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
*/
#include <stdio.h>
-#include "cryptlib.h"
+#include "internal/cryptlib.h"
#include <openssl/conf.h>
#include <openssl/x509v3.h>
+#include "ext_dat.h"
static BIT_STRING_BITNAME ns_cert_type_table[] = {
{0, "SSL Client", "client"},
@@ -112,19 +63,19 @@ ASN1_BIT_STRING *v2i_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
ASN1_BIT_STRING *bs;
int i;
BIT_STRING_BITNAME *bnam;
- if (!(bs = M_ASN1_BIT_STRING_new())) {
+ if ((bs = ASN1_BIT_STRING_new()) == NULL) {
X509V3err(X509V3_F_V2I_ASN1_BIT_STRING, ERR_R_MALLOC_FAILURE);
return NULL;
}
for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
val = sk_CONF_VALUE_value(nval, i);
for (bnam = method->usr_data; bnam->lname; bnam++) {
- if (!strcmp(bnam->sname, val->name) ||
- !strcmp(bnam->lname, val->name)) {
+ if (strcmp(bnam->sname, val->name) == 0
+ || strcmp(bnam->lname, val->name) == 0) {
if (!ASN1_BIT_STRING_set_bit(bs, bnam->bitnum, 1)) {
X509V3err(X509V3_F_V2I_ASN1_BIT_STRING,
ERR_R_MALLOC_FAILURE);
- M_ASN1_BIT_STRING_free(bs);
+ ASN1_BIT_STRING_free(bs);
return NULL;
}
break;
@@ -134,7 +85,7 @@ ASN1_BIT_STRING *v2i_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
X509V3err(X509V3_F_V2I_ASN1_BIT_STRING,
X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT);
X509V3_conf_err(val);
- M_ASN1_BIT_STRING_free(bs);
+ ASN1_BIT_STRING_free(bs);
return NULL;
}
}
diff --git a/crypto/x509v3/v3_conf.c b/crypto/x509v3/v3_conf.c
index a38848cc1df7..7acaebfa2250 100644
--- a/crypto/x509v3/v3_conf.c
+++ b/crypto/x509v3/v3_conf.c
@@ -1,88 +1,40 @@
-/* v3_conf.c */
/*
- * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
- * 1999.
- */
-/* ====================================================================
- * Copyright (c) 1999-2018 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
+ * Copyright 1999-2018 The OpenSSL Project Authors. All Rights Reserved.
*
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
*/
+
/* extension creation utilities */
#include <stdio.h>
-#include <ctype.h>
-#include "cryptlib.h"
+#include "internal/ctype.h"
+#include "internal/cryptlib.h"
#include <openssl/conf.h>
#include <openssl/x509.h>
+#include "internal/x509_int.h"
#include <openssl/x509v3.h>
-static int v3_check_critical(char **value);
-static int v3_check_generic(char **value);
+static int v3_check_critical(const char **value);
+static int v3_check_generic(const char **value);
static X509_EXTENSION *do_ext_nconf(CONF *conf, X509V3_CTX *ctx, int ext_nid,
- int crit, char *value);
-static X509_EXTENSION *v3_generic_extension(const char *ext, char *value,
+ int crit, const char *value);
+static X509_EXTENSION *v3_generic_extension(const char *ext, const char *value,
int crit, int type,
X509V3_CTX *ctx);
-static char *conf_lhash_get_string(void *db, char *section, char *value);
-static STACK_OF(CONF_VALUE) *conf_lhash_get_section(void *db, char *section);
+static char *conf_lhash_get_string(void *db, const char *section, const char *value);
+static STACK_OF(CONF_VALUE) *conf_lhash_get_section(void *db, const char *section);
static X509_EXTENSION *do_ext_i2d(const X509V3_EXT_METHOD *method,
int ext_nid, int crit, void *ext_struc);
-static unsigned char *generic_asn1(char *value, X509V3_CTX *ctx,
+static unsigned char *generic_asn1(const char *value, X509V3_CTX *ctx,
long *ext_len);
/* CONF *conf: Config file */
/* char *name: Name */
/* char *value: Value */
-X509_EXTENSION *X509V3_EXT_nconf(CONF *conf, X509V3_CTX *ctx, char *name,
- char *value)
+X509_EXTENSION *X509V3_EXT_nconf(CONF *conf, X509V3_CTX *ctx, const char *name,
+ const char *value)
{
int crit;
int ext_type;
@@ -101,7 +53,7 @@ X509_EXTENSION *X509V3_EXT_nconf(CONF *conf, X509V3_CTX *ctx, char *name,
/* CONF *conf: Config file */
/* char *value: Value */
X509_EXTENSION *X509V3_EXT_nconf_nid(CONF *conf, X509V3_CTX *ctx, int ext_nid,
- char *value)
+ const char *value)
{
int crit;
int ext_type;
@@ -115,17 +67,18 @@ X509_EXTENSION *X509V3_EXT_nconf_nid(CONF *conf, X509V3_CTX *ctx, int ext_nid,
/* CONF *conf: Config file */
/* char *value: Value */
static X509_EXTENSION *do_ext_nconf(CONF *conf, X509V3_CTX *ctx, int ext_nid,
- int crit, char *value)
+ int crit, const char *value)
{
const X509V3_EXT_METHOD *method;
X509_EXTENSION *ext;
STACK_OF(CONF_VALUE) *nval;
void *ext_struc;
+
if (ext_nid == NID_undef) {
X509V3err(X509V3_F_DO_EXT_NCONF, X509V3_R_UNKNOWN_EXTENSION_NAME);
return NULL;
}
- if (!(method = X509V3_EXT_get_nid(ext_nid))) {
+ if ((method = X509V3_EXT_get_nid(ext_nid)) == NULL) {
X509V3err(X509V3_F_DO_EXT_NCONF, X509V3_R_UNKNOWN_EXTENSION);
return NULL;
}
@@ -141,7 +94,7 @@ static X509_EXTENSION *do_ext_nconf(CONF *conf, X509V3_CTX *ctx, int ext_nid,
ERR_add_error_data(4, "name=", OBJ_nid2sn(ext_nid), ",section=",
value);
if (*value != '@')
- sk_CONF_VALUE_free(nval);
+ sk_CONF_VALUE_pop_free(nval, X509V3_conf_free);
return NULL;
}
ext_struc = method->v2i(method, ctx, nval);
@@ -150,14 +103,14 @@ static X509_EXTENSION *do_ext_nconf(CONF *conf, X509V3_CTX *ctx, int ext_nid,
if (!ext_struc)
return NULL;
} else if (method->s2i) {
- if (!(ext_struc = method->s2i(method, ctx, value)))
+ if ((ext_struc = method->s2i(method, ctx, value)) == NULL)
return NULL;
} else if (method->r2i) {
if (!ctx->db || !ctx->db_meth) {
X509V3err(X509V3_F_DO_EXT_NCONF, X509V3_R_NO_CONFIG_DATABASE);
return NULL;
}
- if (!(ext_struc = method->r2i(method, ctx, value)))
+ if ((ext_struc = method->r2i(method, ctx, value)) == NULL)
return NULL;
} else {
X509V3err(X509V3_F_DO_EXT_NCONF,
@@ -178,9 +131,9 @@ static X509_EXTENSION *do_ext_nconf(CONF *conf, X509V3_CTX *ctx, int ext_nid,
static X509_EXTENSION *do_ext_i2d(const X509V3_EXT_METHOD *method,
int ext_nid, int crit, void *ext_struc)
{
- unsigned char *ext_der;
+ unsigned char *ext_der = NULL;
int ext_len;
- ASN1_OCTET_STRING *ext_oct;
+ ASN1_OCTET_STRING *ext_oct = NULL;
X509_EXTENSION *ext;
/* Convert internal representation to DER */
if (method->it) {
@@ -191,26 +144,30 @@ static X509_EXTENSION *do_ext_i2d(const X509V3_EXT_METHOD *method,
goto merr;
} else {
unsigned char *p;
+
ext_len = method->i2d(ext_struc, NULL);
- if (!(ext_der = OPENSSL_malloc(ext_len)))
+ if ((ext_der = OPENSSL_malloc(ext_len)) == NULL)
goto merr;
p = ext_der;
method->i2d(ext_struc, &p);
}
- if (!(ext_oct = M_ASN1_OCTET_STRING_new()))
+ if ((ext_oct = ASN1_OCTET_STRING_new()) == NULL)
goto merr;
ext_oct->data = ext_der;
+ ext_der = NULL;
ext_oct->length = ext_len;
ext = X509_EXTENSION_create_by_NID(NULL, ext_nid, crit, ext_oct);
if (!ext)
goto merr;
- M_ASN1_OCTET_STRING_free(ext_oct);
+ ASN1_OCTET_STRING_free(ext_oct);
return ext;
merr:
X509V3err(X509V3_F_DO_EXT_I2D, ERR_R_MALLOC_FAILURE);
+ OPENSSL_free(ext_der);
+ ASN1_OCTET_STRING_free(ext_oct);
return NULL;
}
@@ -220,7 +177,8 @@ static X509_EXTENSION *do_ext_i2d(const X509V3_EXT_METHOD *method,
X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, void *ext_struc)
{
const X509V3_EXT_METHOD *method;
- if (!(method = X509V3_EXT_get_nid(ext_nid))) {
+
+ if ((method = X509V3_EXT_get_nid(ext_nid)) == NULL) {
X509V3err(X509V3_F_X509V3_EXT_I2D, X509V3_R_UNKNOWN_EXTENSION);
return NULL;
}
@@ -228,49 +186,50 @@ X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, void *ext_struc)
}
/* Check the extension string for critical flag */
-static int v3_check_critical(char **value)
+static int v3_check_critical(const char **value)
{
- char *p = *value;
+ const char *p = *value;
if ((strlen(p) < 9) || strncmp(p, "critical,", 9))
return 0;
p += 9;
- while (isspace((unsigned char)*p))
+ while (ossl_isspace(*p))
p++;
*value = p;
return 1;
}
/* Check extension string for generic extension and return the type */
-static int v3_check_generic(char **value)
+static int v3_check_generic(const char **value)
{
int gen_type = 0;
- char *p = *value;
- if ((strlen(p) >= 4) && !strncmp(p, "DER:", 4)) {
+ const char *p = *value;
+ if ((strlen(p) >= 4) && strncmp(p, "DER:", 4) == 0) {
p += 4;
gen_type = 1;
- } else if ((strlen(p) >= 5) && !strncmp(p, "ASN1:", 5)) {
+ } else if ((strlen(p) >= 5) && strncmp(p, "ASN1:", 5) == 0) {
p += 5;
gen_type = 2;
} else
return 0;
- while (isspace((unsigned char)*p))
+ while (ossl_isspace(*p))
p++;
*value = p;
return gen_type;
}
/* Create a generic extension: for now just handle DER type */
-static X509_EXTENSION *v3_generic_extension(const char *ext, char *value,
+static X509_EXTENSION *v3_generic_extension(const char *ext, const char *value,
int crit, int gen_type,
X509V3_CTX *ctx)
{
unsigned char *ext_der = NULL;
- long ext_len;
+ long ext_len = 0;
ASN1_OBJECT *obj = NULL;
ASN1_OCTET_STRING *oct = NULL;
X509_EXTENSION *extension = NULL;
- if (!(obj = OBJ_txt2obj(ext, 0))) {
+
+ if ((obj = OBJ_txt2obj(ext, 0)) == NULL) {
X509V3err(X509V3_F_V3_GENERIC_EXTENSION,
X509V3_R_EXTENSION_NAME_ERROR);
ERR_add_error_data(2, "name=", ext);
@@ -278,7 +237,7 @@ static X509_EXTENSION *v3_generic_extension(const char *ext, char *value,
}
if (gen_type == 1)
- ext_der = string_to_hex(value, &ext_len);
+ ext_der = OPENSSL_hexstr2buf(value, &ext_len);
else if (gen_type == 2)
ext_der = generic_asn1(value, ctx, &ext_len);
@@ -289,7 +248,7 @@ static X509_EXTENSION *v3_generic_extension(const char *ext, char *value,
goto err;
}
- if (!(oct = M_ASN1_OCTET_STRING_new())) {
+ if ((oct = ASN1_OCTET_STRING_new()) == NULL) {
X509V3err(X509V3_F_V3_GENERIC_EXTENSION, ERR_R_MALLOC_FAILURE);
goto err;
}
@@ -302,14 +261,13 @@ static X509_EXTENSION *v3_generic_extension(const char *ext, char *value,
err:
ASN1_OBJECT_free(obj);
- M_ASN1_OCTET_STRING_free(oct);
- if (ext_der)
- OPENSSL_free(ext_der);
+ ASN1_OCTET_STRING_free(oct);
+ OPENSSL_free(ext_der);
return extension;
}
-static unsigned char *generic_asn1(char *value, X509V3_CTX *ctx,
+static unsigned char *generic_asn1(const char *value, X509V3_CTX *ctx,
long *ext_len)
{
ASN1_TYPE *typ;
@@ -322,24 +280,39 @@ static unsigned char *generic_asn1(char *value, X509V3_CTX *ctx,
return ext_der;
}
+static void delete_ext(STACK_OF(X509_EXTENSION) *sk, X509_EXTENSION *dext)
+{
+ int idx;
+ ASN1_OBJECT *obj;
+ obj = X509_EXTENSION_get_object(dext);
+ while ((idx = X509v3_get_ext_by_OBJ(sk, obj, -1)) >= 0) {
+ X509_EXTENSION *tmpext = X509v3_get_ext(sk, idx);
+ X509v3_delete_ext(sk, idx);
+ X509_EXTENSION_free(tmpext);
+ }
+}
+
/*
* This is the main function: add a bunch of extensions based on a config
* file section to an extension STACK.
*/
-int X509V3_EXT_add_nconf_sk(CONF *conf, X509V3_CTX *ctx, char *section,
+int X509V3_EXT_add_nconf_sk(CONF *conf, X509V3_CTX *ctx, const char *section,
STACK_OF(X509_EXTENSION) **sk)
{
X509_EXTENSION *ext;
STACK_OF(CONF_VALUE) *nval;
CONF_VALUE *val;
int i;
- if (!(nval = NCONF_get_section(conf, section)))
+
+ if ((nval = NCONF_get_section(conf, section)) == NULL)
return 0;
for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
val = sk_CONF_VALUE_value(nval, i);
- if (!(ext = X509V3_EXT_nconf(conf, ctx, val->name, val->value)))
+ if ((ext = X509V3_EXT_nconf(conf, ctx, val->name, val->value)) == NULL)
return 0;
+ if (ctx->flags == X509V3_CTX_REPLACE)
+ delete_ext(*sk, ext);
if (sk != NULL) {
if (X509v3_add_ext(sk, ext, -1) == NULL) {
X509_EXTENSION_free(ext);
@@ -355,29 +328,29 @@ int X509V3_EXT_add_nconf_sk(CONF *conf, X509V3_CTX *ctx, char *section,
* Convenience functions to add extensions to a certificate, CRL and request
*/
-int X509V3_EXT_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section,
+int X509V3_EXT_add_nconf(CONF *conf, X509V3_CTX *ctx, const char *section,
X509 *cert)
{
STACK_OF(X509_EXTENSION) **sk = NULL;
if (cert)
- sk = &cert->cert_info->extensions;
+ sk = &cert->cert_info.extensions;
return X509V3_EXT_add_nconf_sk(conf, ctx, section, sk);
}
/* Same as above but for a CRL */
-int X509V3_EXT_CRL_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section,
+int X509V3_EXT_CRL_add_nconf(CONF *conf, X509V3_CTX *ctx, const char *section,
X509_CRL *crl)
{
STACK_OF(X509_EXTENSION) **sk = NULL;
if (crl)
- sk = &crl->crl->extensions;
+ sk = &crl->crl.extensions;
return X509V3_EXT_add_nconf_sk(conf, ctx, section, sk);
}
/* Add extensions to certificate request */
-int X509V3_EXT_REQ_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section,
+int X509V3_EXT_REQ_add_nconf(CONF *conf, X509V3_CTX *ctx, const char *section,
X509_REQ *req)
{
STACK_OF(X509_EXTENSION) *extlist = NULL, **sk = NULL;
@@ -394,7 +367,7 @@ int X509V3_EXT_REQ_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section,
/* Config database functions */
-char *X509V3_get_string(X509V3_CTX *ctx, char *name, char *section)
+char *X509V3_get_string(X509V3_CTX *ctx, const char *name, const char *section)
{
if (!ctx->db || !ctx->db_meth || !ctx->db_meth->get_string) {
X509V3err(X509V3_F_X509V3_GET_STRING, X509V3_R_OPERATION_NOT_DEFINED);
@@ -405,7 +378,7 @@ char *X509V3_get_string(X509V3_CTX *ctx, char *name, char *section)
return NULL;
}
-STACK_OF(CONF_VALUE) *X509V3_get_section(X509V3_CTX *ctx, char *section)
+STACK_OF(CONF_VALUE) *X509V3_get_section(X509V3_CTX *ctx, const char *section)
{
if (!ctx->db || !ctx->db_meth || !ctx->db_meth->get_section) {
X509V3err(X509V3_F_X509V3_GET_SECTION,
@@ -433,12 +406,12 @@ void X509V3_section_free(X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *section)
ctx->db_meth->free_section(ctx->db, section);
}
-static char *nconf_get_string(void *db, char *section, char *value)
+static char *nconf_get_string(void *db, const char *section, const char *value)
{
return NCONF_get_string(db, section, value);
}
-static STACK_OF(CONF_VALUE) *nconf_get_section(void *db, char *section)
+static STACK_OF(CONF_VALUE) *nconf_get_section(void *db, const char *section)
{
return NCONF_get_section(db, section);
}
@@ -469,7 +442,7 @@ void X509V3_set_ctx(X509V3_CTX *ctx, X509 *issuer, X509 *subj, X509_REQ *req,
/* Old conf compatibility functions */
X509_EXTENSION *X509V3_EXT_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
- char *name, char *value)
+ const char *name, const char *value)
{
CONF ctmp;
CONF_set_nconf(&ctmp, conf);
@@ -479,19 +452,19 @@ X509_EXTENSION *X509V3_EXT_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
/* LHASH *conf: Config file */
/* char *value: Value */
X509_EXTENSION *X509V3_EXT_conf_nid(LHASH_OF(CONF_VALUE) *conf,
- X509V3_CTX *ctx, int ext_nid, char *value)
+ X509V3_CTX *ctx, int ext_nid, const char *value)
{
CONF ctmp;
CONF_set_nconf(&ctmp, conf);
return X509V3_EXT_nconf_nid(&ctmp, ctx, ext_nid, value);
}
-static char *conf_lhash_get_string(void *db, char *section, char *value)
+static char *conf_lhash_get_string(void *db, const char *section, const char *value)
{
return CONF_get_string(db, section, value);
}
-static STACK_OF(CONF_VALUE) *conf_lhash_get_section(void *db, char *section)
+static STACK_OF(CONF_VALUE) *conf_lhash_get_section(void *db, const char *section)
{
return CONF_get_section(db, section);
}
@@ -510,7 +483,7 @@ void X509V3_set_conf_lhash(X509V3_CTX *ctx, LHASH_OF(CONF_VALUE) *lhash)
}
int X509V3_EXT_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
- char *section, X509 *cert)
+ const char *section, X509 *cert)
{
CONF ctmp;
CONF_set_nconf(&ctmp, conf);
@@ -520,7 +493,7 @@ int X509V3_EXT_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
/* Same as above but for a CRL */
int X509V3_EXT_CRL_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
- char *section, X509_CRL *crl)
+ const char *section, X509_CRL *crl)
{
CONF ctmp;
CONF_set_nconf(&ctmp, conf);
@@ -530,7 +503,7 @@ int X509V3_EXT_CRL_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
/* Add extensions to certificate request */
int X509V3_EXT_REQ_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
- char *section, X509_REQ *req)
+ const char *section, X509_REQ *req)
{
CONF ctmp;
CONF_set_nconf(&ctmp, conf);
diff --git a/crypto/x509v3/v3_cpols.c b/crypto/x509v3/v3_cpols.c
index b99269e7f839..7a47fd38b379 100644
--- a/crypto/x509v3/v3_cpols.c
+++ b/crypto/x509v3/v3_cpols.c
@@ -1,77 +1,28 @@
-/* v3_cpols.c */
/*
- * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
- * 1999.
- */
-/* ====================================================================
- * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
+ * Copyright 1999-2018 The OpenSSL Project Authors. All Rights Reserved.
*
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
*/
#include <stdio.h>
-#include "cryptlib.h"
+#include "internal/cryptlib.h"
#include <openssl/conf.h>
#include <openssl/asn1.h>
#include <openssl/asn1t.h>
#include <openssl/x509v3.h>
#include "pcy_int.h"
+#include "ext_dat.h"
/* Certificate policies extension support: this one is a bit complex... */
static int i2r_certpol(X509V3_EXT_METHOD *method, STACK_OF(POLICYINFO) *pol,
BIO *out, int indent);
static STACK_OF(POLICYINFO) *r2i_certpol(X509V3_EXT_METHOD *method,
- X509V3_CTX *ctx, char *value);
+ X509V3_CTX *ctx, const char *value);
static void print_qualifiers(BIO *out, STACK_OF(POLICYQUALINFO) *quals,
int indent);
static void print_notice(BIO *out, USERNOTICE *notice, int indent);
@@ -80,6 +31,8 @@ static POLICYINFO *policy_section(X509V3_CTX *ctx,
static POLICYQUALINFO *notice_section(X509V3_CTX *ctx,
STACK_OF(CONF_VALUE) *unot, int ia5org);
static int nref_nos(STACK_OF(ASN1_INTEGER) *nnums, STACK_OF(CONF_VALUE) *nos);
+static int displaytext_str2tag(const char *tagstr, unsigned int *tag_len);
+static int displaytext_get_tag_len(const char *tagstr);
const X509V3_EXT_METHOD v3_cpols = {
NID_certificate_policies, 0, ASN1_ITEM_ref(CERTIFICATEPOLICIES),
@@ -133,28 +86,32 @@ ASN1_SEQUENCE(NOTICEREF) = {
IMPLEMENT_ASN1_FUNCTIONS(NOTICEREF)
static STACK_OF(POLICYINFO) *r2i_certpol(X509V3_EXT_METHOD *method,
- X509V3_CTX *ctx, char *value)
+ X509V3_CTX *ctx, const char *value)
{
- STACK_OF(POLICYINFO) *pols = NULL;
+ STACK_OF(POLICYINFO) *pols;
char *pstr;
POLICYINFO *pol;
ASN1_OBJECT *pobj;
- STACK_OF(CONF_VALUE) *vals;
+ STACK_OF(CONF_VALUE) *vals = X509V3_parse_list(value);
CONF_VALUE *cnf;
+ const int num = sk_CONF_VALUE_num(vals);
int i, ia5org;
- pols = sk_POLICYINFO_new_null();
- if (pols == NULL) {
- X509V3err(X509V3_F_R2I_CERTPOL, ERR_R_MALLOC_FAILURE);
- return NULL;
- }
- vals = X509V3_parse_list(value);
+
if (vals == NULL) {
X509V3err(X509V3_F_R2I_CERTPOL, ERR_R_X509V3_LIB);
+ return NULL;
+ }
+
+ pols = sk_POLICYINFO_new_reserve(NULL, num);
+ if (pols == NULL) {
+ X509V3err(X509V3_F_R2I_CERTPOL, ERR_R_MALLOC_FAILURE);
goto err;
}
+
ia5org = 0;
- for (i = 0; i < sk_CONF_VALUE_num(vals); i++) {
+ for (i = 0; i < num; i++) {
cnf = sk_CONF_VALUE_value(vals, i);
+
if (cnf->value || !cnf->name) {
X509V3err(X509V3_F_R2I_CERTPOL,
X509V3_R_INVALID_POLICY_IDENTIFIER);
@@ -162,7 +119,7 @@ static STACK_OF(POLICYINFO) *r2i_certpol(X509V3_EXT_METHOD *method,
goto err;
}
pstr = cnf->name;
- if (!strcmp(pstr, "ia5org")) {
+ if (strcmp(pstr, "ia5org") == 0) {
ia5org = 1;
continue;
} else if (*pstr == '@') {
@@ -176,10 +133,10 @@ static STACK_OF(POLICYINFO) *r2i_certpol(X509V3_EXT_METHOD *method,
}
pol = policy_section(ctx, polsect, ia5org);
X509V3_section_free(ctx, polsect);
- if (!pol)
+ if (pol == NULL)
goto err;
} else {
- if (!(pobj = OBJ_txt2obj(cnf->name, 0))) {
+ if ((pobj = OBJ_txt2obj(cnf->name, 0)) == NULL) {
X509V3err(X509V3_F_R2I_CERTPOL,
X509V3_R_INVALID_OBJECT_IDENTIFIER);
X509V3_conf_err(cnf);
@@ -187,6 +144,7 @@ static STACK_OF(POLICYINFO) *r2i_certpol(X509V3_EXT_METHOD *method,
}
pol = POLICYINFO_new();
if (pol == NULL) {
+ ASN1_OBJECT_free(pobj);
X509V3err(X509V3_F_R2I_CERTPOL, ERR_R_MALLOC_FAILURE);
goto err;
}
@@ -213,13 +171,14 @@ static POLICYINFO *policy_section(X509V3_CTX *ctx,
CONF_VALUE *cnf;
POLICYINFO *pol;
POLICYQUALINFO *qual;
- if (!(pol = POLICYINFO_new()))
+
+ if ((pol = POLICYINFO_new()) == NULL)
goto merr;
for (i = 0; i < sk_CONF_VALUE_num(polstrs); i++) {
cnf = sk_CONF_VALUE_value(polstrs, i);
- if (!strcmp(cnf->name, "policyIdentifier")) {
+ if (strcmp(cnf->name, "policyIdentifier") == 0) {
ASN1_OBJECT *pobj;
- if (!(pobj = OBJ_txt2obj(cnf->value, 0))) {
+ if ((pobj = OBJ_txt2obj(cnf->value, 0)) == NULL) {
X509V3err(X509V3_F_POLICY_SECTION,
X509V3_R_INVALID_OBJECT_IDENTIFIER);
X509V3_conf_err(cnf);
@@ -228,17 +187,17 @@ static POLICYINFO *policy_section(X509V3_CTX *ctx,
pol->policyid = pobj;
} else if (!name_cmp(cnf->name, "CPS")) {
- if (!pol->qualifiers)
+ if (pol->qualifiers == NULL)
pol->qualifiers = sk_POLICYQUALINFO_new_null();
- if (!(qual = POLICYQUALINFO_new()))
+ if ((qual = POLICYQUALINFO_new()) == NULL)
goto merr;
if (!sk_POLICYQUALINFO_push(pol->qualifiers, qual))
goto merr;
- if (!(qual->pqualid = OBJ_nid2obj(NID_id_qt_cps))) {
+ if ((qual->pqualid = OBJ_nid2obj(NID_id_qt_cps)) == NULL) {
X509V3err(X509V3_F_POLICY_SECTION, ERR_R_INTERNAL_ERROR);
goto err;
}
- if (!(qual->d.cpsuri = M_ASN1_IA5STRING_new()))
+ if ((qual->d.cpsuri = ASN1_IA5STRING_new()) == NULL)
goto merr;
if (!ASN1_STRING_set(qual->d.cpsuri, cnf->value,
strlen(cnf->value)))
@@ -286,37 +245,76 @@ static POLICYINFO *policy_section(X509V3_CTX *ctx,
err:
POLICYINFO_free(pol);
return NULL;
+}
+
+static int displaytext_get_tag_len(const char *tagstr)
+{
+ char *colon = strchr(tagstr, ':');
+ return (colon == NULL) ? -1 : colon - tagstr;
+}
+
+static int displaytext_str2tag(const char *tagstr, unsigned int *tag_len)
+{
+ int len;
+
+ *tag_len = 0;
+ len = displaytext_get_tag_len(tagstr);
+
+ if (len == -1)
+ return V_ASN1_VISIBLESTRING;
+ *tag_len = len;
+ if (len == sizeof("UTF8") - 1 && strncmp(tagstr, "UTF8", len) == 0)
+ return V_ASN1_UTF8STRING;
+ if (len == sizeof("UTF8String") - 1 && strncmp(tagstr, "UTF8String", len) == 0)
+ return V_ASN1_UTF8STRING;
+ if (len == sizeof("BMP") - 1 && strncmp(tagstr, "BMP", len) == 0)
+ return V_ASN1_BMPSTRING;
+ if (len == sizeof("BMPSTRING") - 1 && strncmp(tagstr, "BMPSTRING", len) == 0)
+ return V_ASN1_BMPSTRING;
+ if (len == sizeof("VISIBLE") - 1 && strncmp(tagstr, "VISIBLE", len) == 0)
+ return V_ASN1_VISIBLESTRING;
+ if (len == sizeof("VISIBLESTRING") - 1 && strncmp(tagstr, "VISIBLESTRING", len) == 0)
+ return V_ASN1_VISIBLESTRING;
+ *tag_len = 0;
+ return V_ASN1_VISIBLESTRING;
}
static POLICYQUALINFO *notice_section(X509V3_CTX *ctx,
STACK_OF(CONF_VALUE) *unot, int ia5org)
{
- int i, ret;
+ int i, ret, len, tag;
+ unsigned int tag_len;
CONF_VALUE *cnf;
USERNOTICE *not;
POLICYQUALINFO *qual;
- if (!(qual = POLICYQUALINFO_new()))
+ char *value = NULL;
+
+ if ((qual = POLICYQUALINFO_new()) == NULL)
goto merr;
- if (!(qual->pqualid = OBJ_nid2obj(NID_id_qt_unotice))) {
+ if ((qual->pqualid = OBJ_nid2obj(NID_id_qt_unotice)) == NULL) {
X509V3err(X509V3_F_NOTICE_SECTION, ERR_R_INTERNAL_ERROR);
goto err;
}
- if (!(not = USERNOTICE_new()))
+ if ((not = USERNOTICE_new()) == NULL)
goto merr;
qual->d.usernotice = not;
for (i = 0; i < sk_CONF_VALUE_num(unot); i++) {
cnf = sk_CONF_VALUE_value(unot, i);
- if (!strcmp(cnf->name, "explicitText")) {
- if (!(not->exptext = M_ASN1_VISIBLESTRING_new()))
+ value = cnf->value;
+ if (strcmp(cnf->name, "explicitText") == 0) {
+ tag = displaytext_str2tag(value, &tag_len);
+ if ((not->exptext = ASN1_STRING_type_new(tag)) == NULL)
goto merr;
- if (!ASN1_STRING_set(not->exptext, cnf->value,
- strlen(cnf->value)))
+ if (tag_len != 0)
+ value += tag_len + 1;
+ len = strlen(value);
+ if (!ASN1_STRING_set(not->exptext, value, len))
goto merr;
- } else if (!strcmp(cnf->name, "organization")) {
+ } else if (strcmp(cnf->name, "organization") == 0) {
NOTICEREF *nref;
if (!not->noticeref) {
- if (!(nref = NOTICEREF_new()))
+ if ((nref = NOTICEREF_new()) == NULL)
goto merr;
not->noticeref = nref;
} else
@@ -328,11 +326,11 @@ static POLICYQUALINFO *notice_section(X509V3_CTX *ctx,
if (!ASN1_STRING_set(nref->organization, cnf->value,
strlen(cnf->value)))
goto merr;
- } else if (!strcmp(cnf->name, "noticeNumbers")) {
+ } else if (strcmp(cnf->name, "noticeNumbers") == 0) {
NOTICEREF *nref;
STACK_OF(CONF_VALUE) *nos;
if (!not->noticeref) {
- if (!(nref = NOTICEREF_new()))
+ if ((nref = NOTICEREF_new()) == NULL)
goto merr;
not->noticeref = nref;
} else
@@ -341,6 +339,7 @@ static POLICYQUALINFO *notice_section(X509V3_CTX *ctx,
if (!nos || !sk_CONF_VALUE_num(nos)) {
X509V3err(X509V3_F_NOTICE_SECTION, X509V3_R_INVALID_NUMBERS);
X509V3_conf_err(cnf);
+ sk_CONF_VALUE_pop_free(nos, X509V3_conf_free);
goto err;
}
ret = nref_nos(nref->noticenos, nos);
@@ -380,7 +379,7 @@ static int nref_nos(STACK_OF(ASN1_INTEGER) *nnums, STACK_OF(CONF_VALUE) *nos)
for (i = 0; i < sk_CONF_VALUE_num(nos); i++) {
cnf = sk_CONF_VALUE_value(nos, i);
- if (!(aint = s2i_ASN1_INTEGER(NULL, cnf->name))) {
+ if ((aint = s2i_ASN1_INTEGER(NULL, cnf->name)) == NULL) {
X509V3err(X509V3_F_NREF_NOS, X509V3_R_INVALID_NUMBER);
goto err;
}
@@ -490,8 +489,3 @@ void X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent)
else
BIO_printf(out, "%*sNo Qualifiers\n", indent + 2, "");
}
-
-
-IMPLEMENT_STACK_OF(X509_POLICY_NODE)
-
-IMPLEMENT_STACK_OF(X509_POLICY_DATA)
diff --git a/crypto/x509v3/v3_crld.c b/crypto/x509v3/v3_crld.c
index d3e1d1b057b4..6cba4240abf1 100644
--- a/crypto/x509v3/v3_crld.c
+++ b/crypto/x509v3/v3_crld.c
@@ -1,69 +1,22 @@
-/* v3_crld.c */
/*
- * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
- * 1999.
- */
-/* ====================================================================
- * Copyright (c) 1999-2008 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
+ * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
*
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
*/
#include <stdio.h>
-#include "cryptlib.h"
+#include "internal/cryptlib.h"
#include <openssl/conf.h>
#include <openssl/asn1.h>
#include <openssl/asn1t.h>
#include <openssl/x509v3.h>
+#include "internal/x509_int.h"
+#include "ext_dat.h"
+
static void *v2i_crld(const X509V3_EXT_METHOD *method,
X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
static int i2r_crldp(const X509V3_EXT_METHOD *method, void *pcrldp, BIO *out,
@@ -115,16 +68,17 @@ static int set_dist_point_name(DIST_POINT_NAME **pdp, X509V3_CTX *ctx,
{
STACK_OF(GENERAL_NAME) *fnm = NULL;
STACK_OF(X509_NAME_ENTRY) *rnm = NULL;
- if (!strncmp(cnf->name, "fullname", 9)) {
+
+ if (strncmp(cnf->name, "fullname", 9) == 0) {
fnm = gnames_from_sectname(ctx, cnf->value);
if (!fnm)
goto err;
- } else if (!strcmp(cnf->name, "relativename")) {
+ } else if (strcmp(cnf->name, "relativename") == 0) {
int ret;
STACK_OF(CONF_VALUE) *dnsect;
X509_NAME *nm;
nm = X509_NAME_new();
- if (!nm)
+ if (nm == NULL)
return -1;
dnsect = X509V3_get_section(ctx, cnf->value);
if (!dnsect) {
@@ -158,7 +112,7 @@ static int set_dist_point_name(DIST_POINT_NAME **pdp, X509V3_CTX *ctx,
}
*pdp = DIST_POINT_NAME_new();
- if (!*pdp)
+ if (*pdp == NULL)
goto err;
if (fnm) {
(*pdp)->type = 0;
@@ -171,10 +125,8 @@ static int set_dist_point_name(DIST_POINT_NAME **pdp, X509V3_CTX *ctx,
return 1;
err:
- if (fnm)
- sk_GENERAL_NAME_pop_free(fnm, GENERAL_NAME_free);
- if (rnm)
- sk_X509_NAME_ENTRY_pop_free(rnm, X509_NAME_ENTRY_free);
+ sk_GENERAL_NAME_pop_free(fnm, GENERAL_NAME_free);
+ sk_X509_NAME_ENTRY_pop_free(rnm, X509_NAME_ENTRY_free);
return -1;
}
@@ -198,19 +150,19 @@ static int set_reasons(ASN1_BIT_STRING **preas, char *value)
const char *bnam;
int i, ret = 0;
rsk = X509V3_parse_list(value);
- if (!rsk)
- return 0;
- if (*preas)
+ if (rsk == NULL)
return 0;
+ if (*preas != NULL)
+ goto err;
for (i = 0; i < sk_CONF_VALUE_num(rsk); i++) {
bnam = sk_CONF_VALUE_value(rsk, i)->name;
- if (!*preas) {
+ if (*preas == NULL) {
*preas = ASN1_BIT_STRING_new();
- if (!*preas)
+ if (*preas == NULL)
goto err;
}
for (pbn = reason_flags; pbn->lname; pbn++) {
- if (!strcmp(pbn->sname, bnam)) {
+ if (strcmp(pbn->sname, bnam) == 0) {
if (!ASN1_BIT_STRING_set_bit(*preas, pbn->bitnum, 1))
goto err;
break;
@@ -253,9 +205,9 @@ static DIST_POINT *crldp_from_section(X509V3_CTX *ctx,
{
int i;
CONF_VALUE *cnf;
- DIST_POINT *point = NULL;
- point = DIST_POINT_new();
- if (!point)
+ DIST_POINT *point = DIST_POINT_new();
+
+ if (point == NULL)
goto err;
for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
int ret;
@@ -265,10 +217,10 @@ static DIST_POINT *crldp_from_section(X509V3_CTX *ctx,
continue;
if (ret < 0)
goto err;
- if (!strcmp(cnf->name, "reasons")) {
+ if (strcmp(cnf->name, "reasons") == 0) {
if (!set_reasons(&point->reasons, cnf->value))
goto err;
- } else if (!strcmp(cnf->name, "CRLissuer")) {
+ } else if (strcmp(cnf->name, "CRLissuer") == 0) {
point->CRLissuer = gnames_from_sectname(ctx, cnf->value);
if (!point->CRLissuer)
goto err;
@@ -278,23 +230,26 @@ static DIST_POINT *crldp_from_section(X509V3_CTX *ctx,
return point;
err:
- if (point)
- DIST_POINT_free(point);
+ DIST_POINT_free(point);
return NULL;
}
static void *v2i_crld(const X509V3_EXT_METHOD *method,
X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
{
- STACK_OF(DIST_POINT) *crld = NULL;
+ STACK_OF(DIST_POINT) *crld;
GENERAL_NAMES *gens = NULL;
GENERAL_NAME *gen = NULL;
CONF_VALUE *cnf;
+ const int num = sk_CONF_VALUE_num(nval);
int i;
- if (!(crld = sk_DIST_POINT_new_null()))
+
+ crld = sk_DIST_POINT_new_reserve(NULL, num);
+ if (crld == NULL)
goto merr;
- for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
+ for (i = 0; i < num; i++) {
DIST_POINT *point;
+
cnf = sk_CONF_VALUE_value(nval, i);
if (!cnf->value) {
STACK_OF(CONF_VALUE) *dpsect;
@@ -305,25 +260,19 @@ static void *v2i_crld(const X509V3_EXT_METHOD *method,
X509V3_section_free(ctx, dpsect);
if (!point)
goto err;
- if (!sk_DIST_POINT_push(crld, point)) {
- DIST_POINT_free(point);
- goto merr;
- }
+ sk_DIST_POINT_push(crld, point); /* no failure as it was reserved */
} else {
- if (!(gen = v2i_GENERAL_NAME(method, ctx, cnf)))
+ if ((gen = v2i_GENERAL_NAME(method, ctx, cnf)) == NULL)
goto err;
- if (!(gens = GENERAL_NAMES_new()))
+ if ((gens = GENERAL_NAMES_new()) == NULL)
goto merr;
if (!sk_GENERAL_NAME_push(gens, gen))
goto merr;
gen = NULL;
- if (!(point = DIST_POINT_new()))
+ if ((point = DIST_POINT_new()) == NULL)
goto merr;
- if (!sk_DIST_POINT_push(crld, point)) {
- DIST_POINT_free(point);
- goto merr;
- }
- if (!(point->distpoint = DIST_POINT_NAME_new()))
+ sk_DIST_POINT_push(crld, point); /* no failure as it was reserved */
+ if ((point->distpoint = DIST_POINT_NAME_new()) == NULL)
goto merr;
point->distpoint->name.fullname = gens;
point->distpoint->type = 0;
@@ -341,10 +290,6 @@ static void *v2i_crld(const X509V3_EXT_METHOD *method,
return NULL;
}
-IMPLEMENT_STACK_OF(DIST_POINT)
-
-IMPLEMENT_ASN1_SET_OF(DIST_POINT)
-
static int dpn_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
void *exarg)
{
@@ -356,8 +301,7 @@ static int dpn_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
break;
case ASN1_OP_FREE_POST:
- if (dpn->dpname)
- X509_NAME_free(dpn->dpname);
+ X509_NAME_free(dpn->dpname);
break;
}
return 1;
@@ -421,7 +365,7 @@ static void *v2i_idp(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
char *name, *val;
int i, ret;
idp = ISSUING_DIST_POINT_new();
- if (!idp)
+ if (idp == NULL)
goto merr;
for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
cnf = sk_CONF_VALUE_value(nval, i);
@@ -432,19 +376,19 @@ static void *v2i_idp(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
continue;
if (ret < 0)
goto err;
- if (!strcmp(name, "onlyuser")) {
+ if (strcmp(name, "onlyuser") == 0) {
if (!X509V3_get_value_bool(cnf, &idp->onlyuser))
goto err;
- } else if (!strcmp(name, "onlyCA")) {
+ } else if (strcmp(name, "onlyCA") == 0) {
if (!X509V3_get_value_bool(cnf, &idp->onlyCA))
goto err;
- } else if (!strcmp(name, "onlyAA")) {
+ } else if (strcmp(name, "onlyAA") == 0) {
if (!X509V3_get_value_bool(cnf, &idp->onlyattr))
goto err;
- } else if (!strcmp(name, "indirectCRL")) {
+ } else if (strcmp(name, "indirectCRL") == 0) {
if (!X509V3_get_value_bool(cnf, &idp->indirectCRL))
goto err;
- } else if (!strcmp(name, "onlysomereasons")) {
+ } else if (strcmp(name, "onlysomereasons") == 0) {
if (!set_reasons(&idp->onlysomereasons, val))
goto err;
} else {
diff --git a/crypto/x509v3/v3_enum.c b/crypto/x509v3/v3_enum.c
index 7678664fc398..3b0f197444af 100644
--- a/crypto/x509v3/v3_enum.c
+++ b/crypto/x509v3/v3_enum.c
@@ -1,65 +1,16 @@
-/* v3_enum.c */
/*
- * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
- * 1999.
- */
-/* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
+ * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
*
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
*/
#include <stdio.h>
-#include "cryptlib.h"
+#include "internal/cryptlib.h"
#include <openssl/x509v3.h>
+#include "ext_dat.h"
static ENUMERATED_NAMES crl_reasons[] = {
{CRL_REASON_UNSPECIFIED, "Unspecified", "unspecified"},
@@ -87,14 +38,16 @@ const X509V3_EXT_METHOD v3_crl_reason = {
crl_reasons
};
-char *i2s_ASN1_ENUMERATED_TABLE(X509V3_EXT_METHOD *method, ASN1_ENUMERATED *e)
+char *i2s_ASN1_ENUMERATED_TABLE(X509V3_EXT_METHOD *method,
+ const ASN1_ENUMERATED *e)
{
ENUMERATED_NAMES *enam;
long strval;
+
strval = ASN1_ENUMERATED_get(e);
for (enam = method->usr_data; enam->lname; enam++) {
if (strval == enam->bitnum)
- return BUF_strdup(enam->lname);
+ return OPENSSL_strdup(enam->lname);
}
return i2s_ASN1_ENUMERATED(method, e);
}
diff --git a/crypto/x509v3/v3_extku.c b/crypto/x509v3/v3_extku.c
index 6092c2e4bd47..91b24376ed8a 100644
--- a/crypto/x509v3/v3_extku.c
+++ b/crypto/x509v3/v3_extku.c
@@ -1,67 +1,18 @@
-/* v3_extku.c */
/*
- * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
- * 1999.
- */
-/* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
+ * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
*
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
*/
#include <stdio.h>
-#include "cryptlib.h"
+#include "internal/cryptlib.h"
#include <openssl/asn1t.h>
#include <openssl/conf.h>
#include <openssl/x509v3.h>
+#include "ext_dat.h"
static void *v2i_EXTENDED_KEY_USAGE(const X509V3_EXT_METHOD *method,
X509V3_CTX *ctx,
@@ -123,27 +74,30 @@ static void *v2i_EXTENDED_KEY_USAGE(const X509V3_EXT_METHOD *method,
char *extval;
ASN1_OBJECT *objtmp;
CONF_VALUE *val;
+ const int num = sk_CONF_VALUE_num(nval);
int i;
- if (!(extku = sk_ASN1_OBJECT_new_null())) {
+ extku = sk_ASN1_OBJECT_new_reserve(NULL, num);
+ if (extku == NULL) {
X509V3err(X509V3_F_V2I_EXTENDED_KEY_USAGE, ERR_R_MALLOC_FAILURE);
+ sk_ASN1_OBJECT_free(extku);
return NULL;
}
- for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
+ for (i = 0; i < num; i++) {
val = sk_CONF_VALUE_value(nval, i);
if (val->value)
extval = val->value;
else
extval = val->name;
- if (!(objtmp = OBJ_txt2obj(extval, 0))) {
+ if ((objtmp = OBJ_txt2obj(extval, 0)) == NULL) {
sk_ASN1_OBJECT_pop_free(extku, ASN1_OBJECT_free);
X509V3err(X509V3_F_V2I_EXTENDED_KEY_USAGE,
X509V3_R_INVALID_OBJECT_IDENTIFIER);
X509V3_conf_err(val);
return NULL;
}
- sk_ASN1_OBJECT_push(extku, objtmp);
+ sk_ASN1_OBJECT_push(extku, objtmp); /* no failure as it was reserved */
}
return extku;
}
diff --git a/crypto/x509v3/v3_genn.c b/crypto/x509v3/v3_genn.c
index 9bb01ee38e63..85fc3fc24672 100644
--- a/crypto/x509v3/v3_genn.c
+++ b/crypto/x509v3/v3_genn.c
@@ -1,64 +1,14 @@
-/* v3_genn.c */
/*
- * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
- * 1999.
- */
-/* ====================================================================
- * Copyright (c) 1999-2008 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
+ * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
*
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
*/
#include <stdio.h>
-#include "cryptlib.h"
+#include "internal/cryptlib.h"
#include <openssl/asn1t.h>
#include <openssl/conf.h>
#include <openssl/x509v3.h>
@@ -229,7 +179,7 @@ int GENERAL_NAME_set0_othername(GENERAL_NAME *gen,
{
OTHERNAME *oth;
oth = OTHERNAME_new();
- if (!oth)
+ if (oth == NULL)
return 0;
ASN1_TYPE_free(oth->value);
oth->type_id = oid;
diff --git a/crypto/x509v3/v3_ia5.c b/crypto/x509v3/v3_ia5.c
index c170a55ff4cc..c1170d46161e 100644
--- a/crypto/x509v3/v3_ia5.c
+++ b/crypto/x509v3/v3_ia5.c
@@ -1,73 +1,20 @@
-/* v3_ia5.c */
/*
- * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
- * 1999.
- */
-/* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
+ * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
*
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
*/
#include <stdio.h>
-#include "cryptlib.h"
+#include "internal/cryptlib.h"
#include <openssl/asn1.h>
#include <openssl/conf.h>
#include <openssl/x509v3.h>
+#include "ext_dat.h"
-static char *i2s_ASN1_IA5STRING(X509V3_EXT_METHOD *method,
- ASN1_IA5STRING *ia5);
-static ASN1_IA5STRING *s2i_ASN1_IA5STRING(X509V3_EXT_METHOD *method,
- X509V3_CTX *ctx, char *str);
-const X509V3_EXT_METHOD v3_ns_ia5_list[] = {
+const X509V3_EXT_METHOD v3_ns_ia5_list[8] = {
EXT_IA5STRING(NID_netscape_base_url),
EXT_IA5STRING(NID_netscape_revocation_url),
EXT_IA5STRING(NID_netscape_ca_revocation_url),
@@ -78,13 +25,13 @@ const X509V3_EXT_METHOD v3_ns_ia5_list[] = {
EXT_END
};
-static char *i2s_ASN1_IA5STRING(X509V3_EXT_METHOD *method,
- ASN1_IA5STRING *ia5)
+char *i2s_ASN1_IA5STRING(X509V3_EXT_METHOD *method, ASN1_IA5STRING *ia5)
{
char *tmp;
+
if (!ia5 || !ia5->length)
return NULL;
- if (!(tmp = OPENSSL_malloc(ia5->length + 1))) {
+ if ((tmp = OPENSSL_malloc(ia5->length + 1)) == NULL) {
X509V3err(X509V3_F_I2S_ASN1_IA5STRING, ERR_R_MALLOC_FAILURE);
return NULL;
}
@@ -93,8 +40,8 @@ static char *i2s_ASN1_IA5STRING(X509V3_EXT_METHOD *method,
return tmp;
}
-static ASN1_IA5STRING *s2i_ASN1_IA5STRING(X509V3_EXT_METHOD *method,
- X509V3_CTX *ctx, char *str)
+ASN1_IA5STRING *s2i_ASN1_IA5STRING(X509V3_EXT_METHOD *method,
+ X509V3_CTX *ctx, const char *str)
{
ASN1_IA5STRING *ia5;
if (!str) {
@@ -102,12 +49,11 @@ static ASN1_IA5STRING *s2i_ASN1_IA5STRING(X509V3_EXT_METHOD *method,
X509V3_R_INVALID_NULL_ARGUMENT);
return NULL;
}
- if (!(ia5 = M_ASN1_IA5STRING_new()))
- goto err;
- if (!ASN1_STRING_set((ASN1_STRING *)ia5, (unsigned char *)str,
- strlen(str))) {
- M_ASN1_IA5STRING_free(ia5);
+ if ((ia5 = ASN1_IA5STRING_new()) == NULL)
goto err;
+ if (!ASN1_STRING_set((ASN1_STRING *)ia5, str, strlen(str))) {
+ ASN1_IA5STRING_free(ia5);
+ return NULL;
}
#ifdef CHARSET_EBCDIC
ebcdic2ascii(ia5->data, ia5->data, ia5->length);
diff --git a/crypto/x509v3/v3_info.c b/crypto/x509v3/v3_info.c
index 0c64b0adfcc9..7af9e23ae8c9 100644
--- a/crypto/x509v3/v3_info.c
+++ b/crypto/x509v3/v3_info.c
@@ -1,68 +1,19 @@
-/* v3_info.c */
/*
- * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
- * 1999.
- */
-/* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
+ * Copyright 1999-2017 The OpenSSL Project Authors. All Rights Reserved.
*
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
*/
#include <stdio.h>
-#include "cryptlib.h"
+#include "internal/cryptlib.h"
#include <openssl/conf.h>
#include <openssl/asn1.h>
#include <openssl/asn1t.h>
#include <openssl/x509v3.h>
+#include "ext_dat.h"
static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD
*method, AUTHORITY_INFO_ACCESS
@@ -127,16 +78,13 @@ static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_INFO_ACCESS(
tret = tmp;
vtmp = sk_CONF_VALUE_value(tret, i);
i2t_ASN1_OBJECT(objtmp, sizeof(objtmp), desc->method);
- nlen = strlen(objtmp) + strlen(vtmp->name) + 5;
+ nlen = strlen(objtmp) + 3 + strlen(vtmp->name) + 1;
ntmp = OPENSSL_malloc(nlen);
if (ntmp == NULL)
goto err;
- BUF_strlcpy(ntmp, objtmp, nlen);
- BUF_strlcat(ntmp, " - ", nlen);
- BUF_strlcat(ntmp, vtmp->name, nlen);
+ BIO_snprintf(ntmp, nlen, "%s - %s", objtmp, vtmp->name);
OPENSSL_free(vtmp->name);
vtmp->name = ntmp;
-
}
if (ret == NULL && tret == NULL)
return sk_CONF_VALUE_new_null();
@@ -159,19 +107,21 @@ static AUTHORITY_INFO_ACCESS *v2i_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD
CONF_VALUE *cnf, ctmp;
ACCESS_DESCRIPTION *acc;
int i, objlen;
+ const int num = sk_CONF_VALUE_num(nval);
char *objtmp, *ptmp;
- if (!(ainfo = sk_ACCESS_DESCRIPTION_new_null())) {
+
+ if ((ainfo = sk_ACCESS_DESCRIPTION_new_reserve(NULL, num)) == NULL) {
X509V3err(X509V3_F_V2I_AUTHORITY_INFO_ACCESS, ERR_R_MALLOC_FAILURE);
return NULL;
}
- for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
+ for (i = 0; i < num; i++) {
cnf = sk_CONF_VALUE_value(nval, i);
- if (!(acc = ACCESS_DESCRIPTION_new())
- || !sk_ACCESS_DESCRIPTION_push(ainfo, acc)) {
+ if ((acc = ACCESS_DESCRIPTION_new()) == NULL) {
X509V3err(X509V3_F_V2I_AUTHORITY_INFO_ACCESS,
ERR_R_MALLOC_FAILURE);
goto err;
}
+ sk_ACCESS_DESCRIPTION_push(ainfo, acc); /* Cannot fail due to reserve */
ptmp = strchr(cnf->name, ';');
if (!ptmp) {
X509V3err(X509V3_F_V2I_AUTHORITY_INFO_ACCESS,
@@ -183,13 +133,11 @@ static AUTHORITY_INFO_ACCESS *v2i_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD
ctmp.value = cnf->value;
if (!v2i_GENERAL_NAME_ex(acc->location, method, ctx, &ctmp, 0))
goto err;
- if (!(objtmp = OPENSSL_malloc(objlen + 1))) {
+ if ((objtmp = OPENSSL_strndup(cnf->name, objlen)) == NULL) {
X509V3err(X509V3_F_V2I_AUTHORITY_INFO_ACCESS,
ERR_R_MALLOC_FAILURE);
goto err;
}
- strncpy(objtmp, cnf->name, objlen);
- objtmp[objlen] = 0;
acc->method = OBJ_txt2obj(objtmp, 0);
if (!acc->method) {
X509V3err(X509V3_F_V2I_AUTHORITY_INFO_ACCESS,
@@ -207,11 +155,8 @@ static AUTHORITY_INFO_ACCESS *v2i_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD
return NULL;
}
-int i2a_ACCESS_DESCRIPTION(BIO *bp, ACCESS_DESCRIPTION *a)
+int i2a_ACCESS_DESCRIPTION(BIO *bp, const ACCESS_DESCRIPTION *a)
{
i2a_ASN1_OBJECT(bp, a->method);
-#ifdef UNDEF
- i2a_GENERAL_NAME(bp, a->location);
-#endif
return 2;
}
diff --git a/crypto/x509v3/v3_int.c b/crypto/x509v3/v3_int.c
index 8bfdb37e7a81..690c90e8f96e 100644
--- a/crypto/x509v3/v3_int.c
+++ b/crypto/x509v3/v3_int.c
@@ -1,65 +1,16 @@
-/* v3_int.c */
/*
- * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
- * 1999.
- */
-/* ====================================================================
- * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
+ * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
*
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
*/
#include <stdio.h>
-#include "cryptlib.h"
+#include "internal/cryptlib.h"
#include <openssl/x509v3.h>
+#include "ext_dat.h"
const X509V3_EXT_METHOD v3_crl_num = {
NID_crl_number, 0, ASN1_ITEM_ref(ASN1_INTEGER),
@@ -78,7 +29,7 @@ const X509V3_EXT_METHOD v3_delta_crl = {
};
static void *s2i_asn1_int(X509V3_EXT_METHOD *meth, X509V3_CTX *ctx,
- char *value)
+ const char *value)
{
return s2i_ASN1_INTEGER(meth, value);
}
diff --git a/crypto/x509v3/v3_lib.c b/crypto/x509v3/v3_lib.c
index 1112802483a1..97c1cbc20fed 100644
--- a/crypto/x509v3/v3_lib.c
+++ b/crypto/x509v3/v3_lib.c
@@ -1,65 +1,16 @@
-/* v3_lib.c */
/*
- * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
- * 1999.
- */
-/* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
+ * Copyright 1999-2018 The OpenSSL Project Authors. All Rights Reserved.
*
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
*/
+
/* X509 v3 extension utilities */
#include <stdio.h>
-#include "cryptlib.h"
+#include "internal/cryptlib.h"
#include <openssl/conf.h>
#include <openssl/x509v3.h>
@@ -73,7 +24,8 @@ static void ext_list_free(X509V3_EXT_METHOD *ext);
int X509V3_EXT_add(X509V3_EXT_METHOD *ext)
{
- if (!ext_list && !(ext_list = sk_X509V3_EXT_METHOD_new(ext_cmp))) {
+ if (ext_list == NULL
+ && (ext_list = sk_X509V3_EXT_METHOD_new(ext_cmp)) == NULL) {
X509V3err(X509V3_F_X509V3_EXT_ADD, ERR_R_MALLOC_FAILURE);
return 0;
}
@@ -95,11 +47,14 @@ DECLARE_OBJ_BSEARCH_CMP_FN(const X509V3_EXT_METHOD *,
IMPLEMENT_OBJ_BSEARCH_CMP_FN(const X509V3_EXT_METHOD *,
const X509V3_EXT_METHOD *, ext);
+#include "standard_exts.h"
+
const X509V3_EXT_METHOD *X509V3_EXT_get_nid(int nid)
{
X509V3_EXT_METHOD tmp;
const X509V3_EXT_METHOD *t = &tmp, *const *ret;
int idx;
+
if (nid < 0)
return NULL;
tmp.ext_nid = nid;
@@ -109,41 +64,17 @@ const X509V3_EXT_METHOD *X509V3_EXT_get_nid(int nid)
if (!ext_list)
return NULL;
idx = sk_X509V3_EXT_METHOD_find(ext_list, &tmp);
- if (idx == -1)
- return NULL;
return sk_X509V3_EXT_METHOD_value(ext_list, idx);
}
const X509V3_EXT_METHOD *X509V3_EXT_get(X509_EXTENSION *ext)
{
int nid;
- if ((nid = OBJ_obj2nid(ext->object)) == NID_undef)
+ if ((nid = OBJ_obj2nid(X509_EXTENSION_get_object(ext))) == NID_undef)
return NULL;
return X509V3_EXT_get_nid(nid);
}
-int X509V3_EXT_free(int nid, void *ext_data)
-{
- const X509V3_EXT_METHOD *ext_method = X509V3_EXT_get_nid(nid);
- if (ext_method == NULL) {
- X509V3err(X509V3_F_X509V3_EXT_FREE,
- X509V3_R_CANNOT_FIND_FREE_FUNCTION);
- return 0;
- }
-
- if (ext_method->it != NULL)
- ASN1_item_free(ext_data, ASN1_ITEM_ptr(ext_method->it));
- else if (ext_method->ext_free != NULL)
- ext_method->ext_free(ext_data);
- else {
- X509V3err(X509V3_F_X509V3_EXT_FREE,
- X509V3_R_CANNOT_FIND_FREE_FUNCTION);
- return 0;
- }
-
- return 1;
-}
-
int X509V3_EXT_add_list(X509V3_EXT_METHOD *extlist)
{
for (; extlist->ext_nid != -1; extlist++)
@@ -157,14 +88,11 @@ int X509V3_EXT_add_alias(int nid_to, int nid_from)
const X509V3_EXT_METHOD *ext;
X509V3_EXT_METHOD *tmpext;
- if (!(ext = X509V3_EXT_get_nid(nid_from))) {
- X509V3err(X509V3_F_X509V3_EXT_ADD_ALIAS,
- X509V3_R_EXTENSION_NOT_FOUND);
+ if ((ext = X509V3_EXT_get_nid(nid_from)) == NULL) {
+ X509V3err(X509V3_F_X509V3_EXT_ADD_ALIAS, X509V3_R_EXTENSION_NOT_FOUND);
return 0;
}
- if (!
- (tmpext =
- (X509V3_EXT_METHOD *)OPENSSL_malloc(sizeof(X509V3_EXT_METHOD)))) {
+ if ((tmpext = OPENSSL_malloc(sizeof(*tmpext))) == NULL) {
X509V3err(X509V3_F_X509V3_EXT_ADD_ALIAS, ERR_R_MALLOC_FAILURE);
return 0;
}
@@ -202,14 +130,17 @@ void *X509V3_EXT_d2i(X509_EXTENSION *ext)
{
const X509V3_EXT_METHOD *method;
const unsigned char *p;
+ ASN1_STRING *extvalue;
+ int extlen;
- if (!(method = X509V3_EXT_get(ext)))
+ if ((method = X509V3_EXT_get(ext)) == NULL)
return NULL;
- p = ext->value->data;
+ extvalue = X509_EXTENSION_get_data(ext);
+ p = ASN1_STRING_get0_data(extvalue);
+ extlen = ASN1_STRING_length(extvalue);
if (method->it)
- return ASN1_item_d2i(NULL, &p, ext->value->length,
- ASN1_ITEM_ptr(method->it));
- return method->d2i(NULL, &p, ext->value->length);
+ return ASN1_item_d2i(NULL, &p, extlen, ASN1_ITEM_ptr(method->it));
+ return method->d2i(NULL, &p, extlen);
}
/*-
@@ -228,11 +159,12 @@ void *X509V3_EXT_d2i(X509_EXTENSION *ext)
* -2 extension occurs more than once.
*/
-void *X509V3_get_d2i(STACK_OF(X509_EXTENSION) *x, int nid, int *crit,
+void *X509V3_get_d2i(const STACK_OF(X509_EXTENSION) *x, int nid, int *crit,
int *idx)
{
int lastpos, i;
X509_EXTENSION *ex, *found_ex = NULL;
+
if (!x) {
if (idx)
*idx = -1;
@@ -248,7 +180,7 @@ void *X509V3_get_d2i(STACK_OF(X509_EXTENSION) *x, int nid, int *crit,
lastpos = 0;
for (i = lastpos; i < sk_X509_EXTENSION_num(x); i++) {
ex = sk_X509_EXTENSION_value(x, i);
- if (OBJ_obj2nid(ex->object) == nid) {
+ if (OBJ_obj2nid(X509_EXTENSION_get_object(ex)) == nid) {
if (idx) {
*idx = i;
found_ex = ex;
@@ -347,8 +279,9 @@ int X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value,
return 1;
}
- if ((ret = *x) == NULL
- && (ret = sk_X509_EXTENSION_new_null()) == NULL)
+ ret = *x;
+ if (*x == NULL
+ && (ret = sk_X509_EXTENSION_new_null()) == NULL)
goto m_fail;
if (!sk_X509_EXTENSION_push(ret, ext))
goto m_fail;
@@ -357,6 +290,7 @@ int X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value,
return 1;
m_fail:
+ /* X509V3err(X509V3_F_X509V3_ADD1_I2D, ERR_R_MALLOC_FAILURE); */
if (ret != *x)
sk_X509_EXTENSION_free(ret);
X509_EXTENSION_free(ext);
@@ -367,5 +301,3 @@ int X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value,
X509V3err(X509V3_F_X509V3_ADD1_I2D, errcode);
return 0;
}
-
-IMPLEMENT_STACK_OF(X509V3_EXT_METHOD)
diff --git a/crypto/x509v3/v3_ncons.c b/crypto/x509v3/v3_ncons.c
index 1184091ccf30..9a2cd5af00c7 100644
--- a/crypto/x509v3/v3_ncons.c
+++ b/crypto/x509v3/v3_ncons.c
@@ -1,68 +1,23 @@
-/* v3_ncons.c */
/*
- * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project.
- */
-/* ====================================================================
- * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
+ * Copyright 2003-2018 The OpenSSL Project Authors. All Rights Reserved.
*
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
*/
+#include "internal/cryptlib.h"
+#include "internal/numbers.h"
#include <stdio.h>
-#include "cryptlib.h"
+#include "internal/asn1_int.h"
#include <openssl/asn1t.h>
#include <openssl/conf.h>
#include <openssl/x509v3.h>
+#include "internal/x509_int.h"
+#include "ext_dat.h"
+
static void *v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method,
X509V3_CTX *ctx,
STACK_OF(CONF_VALUE) *nval);
@@ -70,7 +25,7 @@ static int i2r_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method, void *a,
BIO *bp, int ind);
static int do_i2r_name_constraints(const X509V3_EXT_METHOD *method,
STACK_OF(GENERAL_SUBTREE) *trees, BIO *bp,
- int ind, char *name);
+ int ind, const char *name);
static int print_nc_ipadd(BIO *bp, ASN1_OCTET_STRING *ip);
static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc);
@@ -79,6 +34,7 @@ static int nc_dn(X509_NAME *sub, X509_NAME *nm);
static int nc_dns(ASN1_IA5STRING *sub, ASN1_IA5STRING *dns);
static int nc_email(ASN1_IA5STRING *sub, ASN1_IA5STRING *eml);
static int nc_uri(ASN1_IA5STRING *uri, ASN1_IA5STRING *base);
+static int nc_ip(ASN1_OCTET_STRING *ip, ASN1_OCTET_STRING *base);
const X509V3_EXT_METHOD v3_name_constraints = {
NID_name_constraints, 0,
@@ -144,8 +100,7 @@ static int ia5ncasecmp(const char *s1, const char *s2, size_t n)
static int ia5casecmp(const char *s1, const char *s2)
{
- /* No portable definition of SIZE_MAX, so we use (size_t)(-1) instead */
- return ia5ncasecmp(s1, s2, (size_t)(-1));
+ return ia5ncasecmp(s1, s2, SIZE_MAX);
}
static void *v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method,
@@ -156,15 +111,16 @@ static void *v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method,
STACK_OF(GENERAL_SUBTREE) **ptree = NULL;
NAME_CONSTRAINTS *ncons = NULL;
GENERAL_SUBTREE *sub = NULL;
+
ncons = NAME_CONSTRAINTS_new();
- if (!ncons)
+ if (ncons == NULL)
goto memerr;
for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
val = sk_CONF_VALUE_value(nval, i);
- if (!strncmp(val->name, "permitted", 9) && val->name[9]) {
+ if (strncmp(val->name, "permitted", 9) == 0 && val->name[9]) {
ptree = &ncons->permittedSubtrees;
tval.name = val->name + 10;
- } else if (!strncmp(val->name, "excluded", 8) && val->name[8]) {
+ } else if (strncmp(val->name, "excluded", 8) == 0 && val->name[8]) {
ptree = &ncons->excludedSubtrees;
tval.name = val->name + 9;
} else {
@@ -177,9 +133,9 @@ static void *v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method,
goto memerr;
if (!v2i_GENERAL_NAME_ex(sub->base, method, ctx, &tval, 1))
goto err;
- if (!*ptree)
+ if (*ptree == NULL)
*ptree = sk_GENERAL_SUBTREE_new_null();
- if (!*ptree || !sk_GENERAL_SUBTREE_push(*ptree, sub))
+ if (*ptree == NULL || !sk_GENERAL_SUBTREE_push(*ptree, sub))
goto memerr;
sub = NULL;
}
@@ -189,10 +145,8 @@ static void *v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method,
memerr:
X509V3err(X509V3_F_V2I_NAME_CONSTRAINTS, ERR_R_MALLOC_FAILURE);
err:
- if (ncons)
- NAME_CONSTRAINTS_free(ncons);
- if (sub)
- GENERAL_SUBTREE_free(sub);
+ NAME_CONSTRAINTS_free(ncons);
+ GENERAL_SUBTREE_free(sub);
return NULL;
}
@@ -210,7 +164,7 @@ static int i2r_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method, void *a,
static int do_i2r_name_constraints(const X509V3_EXT_METHOD *method,
STACK_OF(GENERAL_SUBTREE) *trees,
- BIO *bp, int ind, char *name)
+ BIO *bp, int ind, const char *name)
{
GENERAL_SUBTREE *tree;
int i;
@@ -252,6 +206,22 @@ static int print_nc_ipadd(BIO *bp, ASN1_OCTET_STRING *ip)
return 1;
}
+#define NAME_CHECK_MAX (1 << 20)
+
+static int add_lengths(int *out, int a, int b)
+{
+ /* sk_FOO_num(NULL) returns -1 but is effectively 0 when iterating. */
+ if (a < 0)
+ a = 0;
+ if (b < 0)
+ b = 0;
+
+ if (a > INT_MAX - b)
+ return 0;
+ *out = a + b;
+ return 1;
+}
+
/*-
* Check a certificate conforms to a specified set of constraints.
* Return values:
@@ -266,11 +236,23 @@ static int print_nc_ipadd(BIO *bp, ASN1_OCTET_STRING *ip)
int NAME_CONSTRAINTS_check(X509 *x, NAME_CONSTRAINTS *nc)
{
- int r, i;
+ int r, i, name_count, constraint_count;
X509_NAME *nm;
nm = X509_get_subject_name(x);
+ /*
+ * Guard against certificates with an excessive number of names or
+ * constraints causing a computationally expensive name constraints check.
+ */
+ if (!add_lengths(&name_count, X509_NAME_entry_count(nm),
+ sk_GENERAL_NAME_num(x->altname))
+ || !add_lengths(&constraint_count,
+ sk_GENERAL_SUBTREE_num(nc->permittedSubtrees),
+ sk_GENERAL_SUBTREE_num(nc->excludedSubtrees))
+ || (name_count > 0 && constraint_count > NAME_CHECK_MAX / name_count))
+ return X509_V_ERR_UNSPECIFIED;
+
if (X509_NAME_entry_count(nm) > 0) {
GENERAL_NAME gntmp;
gntmp.type = GEN_DIRNAME;
@@ -286,7 +268,8 @@ int NAME_CONSTRAINTS_check(X509 *x, NAME_CONSTRAINTS *nc)
/* Process any email address attributes in subject name */
for (i = -1;;) {
- X509_NAME_ENTRY *ne;
+ const X509_NAME_ENTRY *ne;
+
i = X509_NAME_get_index_by_NID(nm, NID_pkcs9_emailAddress, i);
if (i == -1)
break;
@@ -314,6 +297,144 @@ int NAME_CONSTRAINTS_check(X509 *x, NAME_CONSTRAINTS *nc)
}
+static int cn2dnsid(ASN1_STRING *cn, unsigned char **dnsid, size_t *idlen)
+{
+ int utf8_length;
+ unsigned char *utf8_value;
+ int i;
+ int isdnsname = 0;
+
+ /* Don't leave outputs uninitialized */
+ *dnsid = NULL;
+ *idlen = 0;
+
+ /*-
+ * Per RFC 6125, DNS-IDs representing internationalized domain names appear
+ * in certificates in A-label encoded form:
+ *
+ * https://tools.ietf.org/html/rfc6125#section-6.4.2
+ *
+ * The same applies to CNs which are intended to represent DNS names.
+ * However, while in the SAN DNS-IDs are IA5Strings, as CNs they may be
+ * needlessly encoded in 16-bit Unicode. We perform a conversion to UTF-8
+ * to ensure that we get an ASCII representation of any CNs that are
+ * representable as ASCII, but just not encoded as ASCII. The UTF-8 form
+ * may contain some non-ASCII octets, and that's fine, such CNs are not
+ * valid legacy DNS names.
+ *
+ * Note, 'int' is the return type of ASN1_STRING_to_UTF8() so that's what
+ * we must use for 'utf8_length'.
+ */
+ if ((utf8_length = ASN1_STRING_to_UTF8(&utf8_value, cn)) < 0)
+ return X509_V_ERR_OUT_OF_MEM;
+
+ /*
+ * Some certificates have had names that include a *trailing* NUL byte.
+ * Remove these harmless NUL characters. They would otherwise yield false
+ * alarms with the following embedded NUL check.
+ */
+ while (utf8_length > 0 && utf8_value[utf8_length - 1] == '\0')
+ --utf8_length;
+
+ /* Reject *embedded* NULs */
+ if ((size_t)utf8_length != strlen((char *)utf8_value)) {
+ OPENSSL_free(utf8_value);
+ return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
+ }
+
+ /*
+ * XXX: Deviation from strict DNS name syntax, also check names with '_'
+ * Check DNS name syntax, any '-' or '.' must be internal,
+ * and on either side of each '.' we can't have a '-' or '.'.
+ *
+ * If the name has just one label, we don't consider it a DNS name. This
+ * means that "CN=sometld" cannot be precluded by DNS name constraints, but
+ * that is not a problem.
+ */
+ for (i = 0; i < utf8_length; ++i) {
+ unsigned char c = utf8_value[i];
+
+ if ((c >= 'a' && c <= 'z')
+ || (c >= 'A' && c <= 'Z')
+ || (c >= '0' && c <= '9')
+ || c == '_')
+ continue;
+
+ /* Dot and hyphen cannot be first or last. */
+ if (i > 0 && i < utf8_length - 1) {
+ if (c == '-')
+ continue;
+ /*
+ * Next to a dot the preceding and following characters must not be
+ * another dot or a hyphen. Otherwise, record that the name is
+ * plausible, since it has two or more labels.
+ */
+ if (c == '.'
+ && utf8_value[i + 1] != '.'
+ && utf8_value[i - 1] != '-'
+ && utf8_value[i + 1] != '-') {
+ isdnsname = 1;
+ continue;
+ }
+ }
+ isdnsname = 0;
+ break;
+ }
+
+ if (isdnsname) {
+ *dnsid = utf8_value;
+ *idlen = (size_t)utf8_length;
+ return X509_V_OK;
+ }
+ OPENSSL_free(utf8_value);
+ return X509_V_OK;
+}
+
+/*
+ * Check CN against DNS-ID name constraints.
+ */
+int NAME_CONSTRAINTS_check_CN(X509 *x, NAME_CONSTRAINTS *nc)
+{
+ int r, i;
+ X509_NAME *nm = X509_get_subject_name(x);
+ ASN1_STRING stmp;
+ GENERAL_NAME gntmp;
+
+ stmp.flags = 0;
+ stmp.type = V_ASN1_IA5STRING;
+ gntmp.type = GEN_DNS;
+ gntmp.d.dNSName = &stmp;
+
+ /* Process any commonName attributes in subject name */
+
+ for (i = -1;;) {
+ X509_NAME_ENTRY *ne;
+ ASN1_STRING *cn;
+ unsigned char *idval;
+ size_t idlen;
+
+ i = X509_NAME_get_index_by_NID(nm, NID_commonName, i);
+ if (i == -1)
+ break;
+ ne = X509_NAME_get_entry(nm, i);
+ cn = X509_NAME_ENTRY_get_data(ne);
+
+ /* Only process attributes that look like host names */
+ if ((r = cn2dnsid(cn, &idval, &idlen)) != X509_V_OK)
+ return r;
+ if (idlen == 0)
+ continue;
+
+ stmp.length = idlen;
+ stmp.data = idval;
+ r = nc_match(&gntmp, nc);
+ OPENSSL_free(idval);
+ if (r != X509_V_OK)
+ return r;
+ }
+ return X509_V_OK;
+}
+
static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc)
{
GENERAL_SUBTREE *sub;
@@ -382,6 +503,9 @@ static int nc_match_single(GENERAL_NAME *gen, GENERAL_NAME *base)
return nc_uri(gen->d.uniformResourceIdentifier,
base->d.uniformResourceIdentifier);
+ case GEN_IPADD:
+ return nc_ip(gen->d.iPAddress, base->d.iPAddress);
+
default:
return X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE;
}
@@ -441,7 +565,7 @@ static int nc_email(ASN1_IA5STRING *eml, ASN1_IA5STRING *base)
const char *emlat = strchr(emlptr, '@');
if (!emlat)
return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
- /* Special case: inital '.' is RHS match */
+ /* Special case: initial '.' is RHS match */
if (!baseat && (*baseptr == '.')) {
if (eml->length > base->length) {
emlptr += eml->length - base->length;
@@ -501,7 +625,7 @@ static int nc_uri(ASN1_IA5STRING *uri, ASN1_IA5STRING *base)
if (hostlen == 0)
return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
- /* Special case: inital '.' is RHS match */
+ /* Special case: initial '.' is RHS match */
if (*baseptr == '.') {
if (hostlen > base->length) {
p = hostptr + hostlen - base->length;
@@ -518,3 +642,34 @@ static int nc_uri(ASN1_IA5STRING *uri, ASN1_IA5STRING *base)
return X509_V_OK;
}
+
+static int nc_ip(ASN1_OCTET_STRING *ip, ASN1_OCTET_STRING *base)
+{
+ int hostlen, baselen, i;
+ unsigned char *hostptr, *baseptr, *maskptr;
+ hostptr = ip->data;
+ hostlen = ip->length;
+ baseptr = base->data;
+ baselen = base->length;
+
+ /* Invalid if not IPv4 or IPv6 */
+ if (!((hostlen == 4) || (hostlen == 16)))
+ return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
+ if (!((baselen == 8) || (baselen == 32)))
+ return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
+
+ /* Do not match IPv4 with IPv6 */
+ if (hostlen * 2 != baselen)
+ return X509_V_ERR_PERMITTED_VIOLATION;
+
+ maskptr = base->data + hostlen;
+
+ /* Considering possible not aligned base ipAddress */
+ /* Not checking for wrong mask definition: i.e.: 255.0.255.0 */
+ for (i = 0; i < hostlen; i++)
+ if ((hostptr[i] & maskptr[i]) != (baseptr[i] & maskptr[i]))
+ return X509_V_ERR_PERMITTED_VIOLATION;
+
+ return X509_V_OK;
+
+}
diff --git a/crypto/x509v3/v3_ocsp.c b/crypto/x509v3/v3_ocsp.c
deleted file mode 100644
index b151eaccba44..000000000000
--- a/crypto/x509v3/v3_ocsp.c
+++ /dev/null
@@ -1,312 +0,0 @@
-/* v3_ocsp.c */
-/*
- * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
- * 1999.
- */
-/* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#ifndef OPENSSL_NO_OCSP
-
-# include <stdio.h>
-# include "cryptlib.h"
-# include <openssl/conf.h>
-# include <openssl/asn1.h>
-# include <openssl/ocsp.h>
-# include <openssl/x509v3.h>
-
-/*
- * OCSP extensions and a couple of CRL entry extensions
- */
-
-static int i2r_ocsp_crlid(const X509V3_EXT_METHOD *method, void *nonce,
- BIO *out, int indent);
-static int i2r_ocsp_acutoff(const X509V3_EXT_METHOD *method, void *nonce,
- BIO *out, int indent);
-static int i2r_object(const X509V3_EXT_METHOD *method, void *obj, BIO *out,
- int indent);
-
-static void *ocsp_nonce_new(void);
-static int i2d_ocsp_nonce(void *a, unsigned char **pp);
-static void *d2i_ocsp_nonce(void *a, const unsigned char **pp, long length);
-static void ocsp_nonce_free(void *a);
-static int i2r_ocsp_nonce(const X509V3_EXT_METHOD *method, void *nonce,
- BIO *out, int indent);
-
-static int i2r_ocsp_nocheck(const X509V3_EXT_METHOD *method,
- void *nocheck, BIO *out, int indent);
-static void *s2i_ocsp_nocheck(const X509V3_EXT_METHOD *method,
- X509V3_CTX *ctx, const char *str);
-static int i2r_ocsp_serviceloc(const X509V3_EXT_METHOD *method, void *in,
- BIO *bp, int ind);
-
-const X509V3_EXT_METHOD v3_ocsp_crlid = {
- NID_id_pkix_OCSP_CrlID, 0, ASN1_ITEM_ref(OCSP_CRLID),
- 0, 0, 0, 0,
- 0, 0,
- 0, 0,
- i2r_ocsp_crlid, 0,
- NULL
-};
-
-const X509V3_EXT_METHOD v3_ocsp_acutoff = {
- NID_id_pkix_OCSP_archiveCutoff, 0, ASN1_ITEM_ref(ASN1_GENERALIZEDTIME),
- 0, 0, 0, 0,
- 0, 0,
- 0, 0,
- i2r_ocsp_acutoff, 0,
- NULL
-};
-
-const X509V3_EXT_METHOD v3_crl_invdate = {
- NID_invalidity_date, 0, ASN1_ITEM_ref(ASN1_GENERALIZEDTIME),
- 0, 0, 0, 0,
- 0, 0,
- 0, 0,
- i2r_ocsp_acutoff, 0,
- NULL
-};
-
-const X509V3_EXT_METHOD v3_crl_hold = {
- NID_hold_instruction_code, 0, ASN1_ITEM_ref(ASN1_OBJECT),
- 0, 0, 0, 0,
- 0, 0,
- 0, 0,
- i2r_object, 0,
- NULL
-};
-
-const X509V3_EXT_METHOD v3_ocsp_nonce = {
- NID_id_pkix_OCSP_Nonce, 0, NULL,
- ocsp_nonce_new,
- ocsp_nonce_free,
- d2i_ocsp_nonce,
- i2d_ocsp_nonce,
- 0, 0,
- 0, 0,
- i2r_ocsp_nonce, 0,
- NULL
-};
-
-const X509V3_EXT_METHOD v3_ocsp_nocheck = {
- NID_id_pkix_OCSP_noCheck, 0, ASN1_ITEM_ref(ASN1_NULL),
- 0, 0, 0, 0,
- 0, s2i_ocsp_nocheck,
- 0, 0,
- i2r_ocsp_nocheck, 0,
- NULL
-};
-
-const X509V3_EXT_METHOD v3_ocsp_serviceloc = {
- NID_id_pkix_OCSP_serviceLocator, 0, ASN1_ITEM_ref(OCSP_SERVICELOC),
- 0, 0, 0, 0,
- 0, 0,
- 0, 0,
- i2r_ocsp_serviceloc, 0,
- NULL
-};
-
-static int i2r_ocsp_crlid(const X509V3_EXT_METHOD *method, void *in, BIO *bp,
- int ind)
-{
- OCSP_CRLID *a = in;
- if (a->crlUrl) {
- if (BIO_printf(bp, "%*scrlUrl: ", ind, "") <= 0)
- goto err;
- if (!ASN1_STRING_print(bp, (ASN1_STRING *)a->crlUrl))
- goto err;
- if (BIO_write(bp, "\n", 1) <= 0)
- goto err;
- }
- if (a->crlNum) {
- if (BIO_printf(bp, "%*scrlNum: ", ind, "") <= 0)
- goto err;
- if (i2a_ASN1_INTEGER(bp, a->crlNum) <= 0)
- goto err;
- if (BIO_write(bp, "\n", 1) <= 0)
- goto err;
- }
- if (a->crlTime) {
- if (BIO_printf(bp, "%*scrlTime: ", ind, "") <= 0)
- goto err;
- if (!ASN1_GENERALIZEDTIME_print(bp, a->crlTime))
- goto err;
- if (BIO_write(bp, "\n", 1) <= 0)
- goto err;
- }
- return 1;
- err:
- return 0;
-}
-
-static int i2r_ocsp_acutoff(const X509V3_EXT_METHOD *method, void *cutoff,
- BIO *bp, int ind)
-{
- if (BIO_printf(bp, "%*s", ind, "") <= 0)
- return 0;
- if (!ASN1_GENERALIZEDTIME_print(bp, cutoff))
- return 0;
- return 1;
-}
-
-static int i2r_object(const X509V3_EXT_METHOD *method, void *oid, BIO *bp,
- int ind)
-{
- if (BIO_printf(bp, "%*s", ind, "") <= 0)
- return 0;
- if (i2a_ASN1_OBJECT(bp, oid) <= 0)
- return 0;
- return 1;
-}
-
-/*
- * OCSP nonce. This is needs special treatment because it doesn't have an
- * ASN1 encoding at all: it just contains arbitrary data.
- */
-
-static void *ocsp_nonce_new(void)
-{
- return ASN1_OCTET_STRING_new();
-}
-
-static int i2d_ocsp_nonce(void *a, unsigned char **pp)
-{
- ASN1_OCTET_STRING *os = a;
- if (pp) {
- memcpy(*pp, os->data, os->length);
- *pp += os->length;
- }
- return os->length;
-}
-
-static void *d2i_ocsp_nonce(void *a, const unsigned char **pp, long length)
-{
- ASN1_OCTET_STRING *os, **pos;
- pos = a;
- if (!pos || !*pos)
- os = ASN1_OCTET_STRING_new();
- else
- os = *pos;
- if (!ASN1_OCTET_STRING_set(os, *pp, length))
- goto err;
-
- *pp += length;
-
- if (pos)
- *pos = os;
- return os;
-
- err:
- if (os && (!pos || (*pos != os)))
- M_ASN1_OCTET_STRING_free(os);
- OCSPerr(OCSP_F_D2I_OCSP_NONCE, ERR_R_MALLOC_FAILURE);
- return NULL;
-}
-
-static void ocsp_nonce_free(void *a)
-{
- M_ASN1_OCTET_STRING_free(a);
-}
-
-static int i2r_ocsp_nonce(const X509V3_EXT_METHOD *method, void *nonce,
- BIO *out, int indent)
-{
- if (BIO_printf(out, "%*s", indent, "") <= 0)
- return 0;
- if (i2a_ASN1_STRING(out, nonce, V_ASN1_OCTET_STRING) <= 0)
- return 0;
- return 1;
-}
-
-/* Nocheck is just a single NULL. Don't print anything and always set it */
-
-static int i2r_ocsp_nocheck(const X509V3_EXT_METHOD *method, void *nocheck,
- BIO *out, int indent)
-{
- return 1;
-}
-
-static void *s2i_ocsp_nocheck(const X509V3_EXT_METHOD *method,
- X509V3_CTX *ctx, const char *str)
-{
- return ASN1_NULL_new();
-}
-
-static int i2r_ocsp_serviceloc(const X509V3_EXT_METHOD *method, void *in,
- BIO *bp, int ind)
-{
- int i;
- OCSP_SERVICELOC *a = in;
- ACCESS_DESCRIPTION *ad;
-
- if (BIO_printf(bp, "%*sIssuer: ", ind, "") <= 0)
- goto err;
- if (X509_NAME_print_ex(bp, a->issuer, 0, XN_FLAG_ONELINE) <= 0)
- goto err;
- for (i = 0; i < sk_ACCESS_DESCRIPTION_num(a->locator); i++) {
- ad = sk_ACCESS_DESCRIPTION_value(a->locator, i);
- if (BIO_printf(bp, "\n%*s", (2 * ind), "") <= 0)
- goto err;
- if (i2a_ASN1_OBJECT(bp, ad->method) <= 0)
- goto err;
- if (BIO_puts(bp, " - ") <= 0)
- goto err;
- if (GENERAL_NAME_print(bp, ad->location) <= 0)
- goto err;
- }
- return 1;
- err:
- return 0;
-}
-#endif
diff --git a/crypto/x509v3/v3_pci.c b/crypto/x509v3/v3_pci.c
index 34cad53cb5f0..3d124fa6d95d 100644
--- a/crypto/x509v3/v3_pci.c
+++ b/crypto/x509v3/v3_pci.c
@@ -1,9 +1,17 @@
-/* v3_pci.c */
/*
- * Contributed to the OpenSSL Project 2004 by Richard Levitte
- * (richard@levitte.org)
+ * Copyright 2004-2016 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
*/
-/* Copyright (c) 2004 Kungliga Tekniska Högskolan
+
+/*
+ * This file is dual-licensed and is also available under the following
+ * terms:
+ *
+ * Copyright (c) 2004 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -36,9 +44,10 @@
*/
#include <stdio.h>
-#include "cryptlib.h"
+#include "internal/cryptlib.h"
#include <openssl/conf.h>
#include <openssl/x509v3.h>
+#include "ext_dat.h"
static int i2r_pci(X509V3_EXT_METHOD *method, PROXY_CERT_INFO_EXTENSION *ext,
BIO *out, int indent);
@@ -86,7 +95,7 @@ static int process_pci_value(CONF_VALUE *val,
X509V3_conf_err(val);
return 0;
}
- if (!(*language = OBJ_txt2obj(val->value, 0))) {
+ if ((*language = OBJ_txt2obj(val->value, 0)) == NULL) {
X509V3err(X509V3_F_PROCESS_PCI_VALUE,
X509V3_R_INVALID_OBJECT_IDENTIFIER);
X509V3_conf_err(val);
@@ -110,7 +119,7 @@ static int process_pci_value(CONF_VALUE *val,
long val_len;
if (!*policy) {
*policy = ASN1_OCTET_STRING_new();
- if (!*policy) {
+ if (*policy == NULL) {
X509V3err(X509V3_F_PROCESS_PCI_VALUE, ERR_R_MALLOC_FAILURE);
X509V3_conf_err(val);
return 0;
@@ -119,11 +128,9 @@ static int process_pci_value(CONF_VALUE *val,
}
if (strncmp(val->value, "hex:", 4) == 0) {
unsigned char *tmp_data2 =
- string_to_hex(val->value + 4, &val_len);
+ OPENSSL_hexstr2buf(val->value + 4, &val_len);
if (!tmp_data2) {
- X509V3err(X509V3_F_PROCESS_PCI_VALUE,
- X509V3_R_ILLEGAL_HEX_DIGIT);
X509V3_conf_err(val);
goto err;
}
@@ -142,6 +149,7 @@ static int process_pci_value(CONF_VALUE *val,
* realloc failure implies the original data space is b0rked
* too!
*/
+ OPENSSL_free((*policy)->data);
(*policy)->data = NULL;
(*policy)->length = 0;
X509V3err(X509V3_F_PROCESS_PCI_VALUE, ERR_R_MALLOC_FAILURE);
@@ -166,8 +174,16 @@ static int process_pci_value(CONF_VALUE *val,
tmp_data = OPENSSL_realloc((*policy)->data,
(*policy)->length + n + 1);
- if (!tmp_data)
- break;
+ if (!tmp_data) {
+ OPENSSL_free((*policy)->data);
+ (*policy)->data = NULL;
+ (*policy)->length = 0;
+ X509V3err(X509V3_F_PROCESS_PCI_VALUE,
+ ERR_R_MALLOC_FAILURE);
+ X509V3_conf_err(val);
+ BIO_free_all(b);
+ goto err;
+ }
(*policy)->data = tmp_data;
memcpy(&(*policy)->data[(*policy)->length], buf, n);
@@ -196,6 +212,7 @@ static int process_pci_value(CONF_VALUE *val,
* realloc failure implies the original data space is b0rked
* too!
*/
+ OPENSSL_free((*policy)->data);
(*policy)->data = NULL;
(*policy)->length = 0;
X509V3err(X509V3_F_PROCESS_PCI_VALUE, ERR_R_MALLOC_FAILURE);
@@ -282,7 +299,7 @@ static PROXY_CERT_INFO_EXTENSION *r2i_pci(X509V3_EXT_METHOD *method,
}
pci = PROXY_CERT_INFO_EXTENSION_new();
- if (!pci) {
+ if (pci == NULL) {
X509V3err(X509V3_F_R2I_PCI, ERR_R_MALLOC_FAILURE);
goto err;
}
@@ -295,22 +312,13 @@ static PROXY_CERT_INFO_EXTENSION *r2i_pci(X509V3_EXT_METHOD *method,
pathlen = NULL;
goto end;
err:
- if (language) {
- ASN1_OBJECT_free(language);
- language = NULL;
- }
- if (pathlen) {
- ASN1_INTEGER_free(pathlen);
- pathlen = NULL;
- }
- if (policy) {
- ASN1_OCTET_STRING_free(policy);
- policy = NULL;
- }
- if (pci) {
- PROXY_CERT_INFO_EXTENSION_free(pci);
- pci = NULL;
- }
+ ASN1_OBJECT_free(language);
+ ASN1_INTEGER_free(pathlen);
+ pathlen = NULL;
+ ASN1_OCTET_STRING_free(policy);
+ policy = NULL;
+ PROXY_CERT_INFO_EXTENSION_free(pci);
+ pci = NULL;
end:
sk_CONF_VALUE_pop_free(vals, X509V3_conf_free);
return pci;
diff --git a/crypto/x509v3/v3_pcia.c b/crypto/x509v3/v3_pcia.c
index e53c82e8dc79..8d6af60e5da6 100644
--- a/crypto/x509v3/v3_pcia.c
+++ b/crypto/x509v3/v3_pcia.c
@@ -1,9 +1,17 @@
-/* v3_pcia.c */
/*
- * Contributed to the OpenSSL Project 2004 by Richard Levitte
- * (richard@levitte.org)
+ * Copyright 2004-2016 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
*/
-/* Copyright (c) 2004 Kungliga Tekniska Högskolan
+
+/*
+ * This file is dual-licensed and is also available under the following
+ * terms:
+ *
+ * Copyright (c) 2004 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
diff --git a/crypto/x509v3/v3_pcons.c b/crypto/x509v3/v3_pcons.c
index cfccb97de6fb..24f7ff49e57c 100644
--- a/crypto/x509v3/v3_pcons.c
+++ b/crypto/x509v3/v3_pcons.c
@@ -1,68 +1,19 @@
-/* v3_pcons.c */
/*
- * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project.
- */
-/* ====================================================================
- * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
+ * Copyright 2003-2016 The OpenSSL Project Authors. All Rights Reserved.
*
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
*/
#include <stdio.h>
-#include "cryptlib.h"
+#include "internal/cryptlib.h"
#include <openssl/asn1.h>
#include <openssl/asn1t.h>
#include <openssl/conf.h>
#include <openssl/x509v3.h>
+#include "ext_dat.h"
static STACK_OF(CONF_VALUE) *i2v_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD
*method, void *bcons, STACK_OF(CONF_VALUE)
@@ -108,16 +59,17 @@ static void *v2i_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD *method,
POLICY_CONSTRAINTS *pcons = NULL;
CONF_VALUE *val;
int i;
- if (!(pcons = POLICY_CONSTRAINTS_new())) {
+
+ if ((pcons = POLICY_CONSTRAINTS_new()) == NULL) {
X509V3err(X509V3_F_V2I_POLICY_CONSTRAINTS, ERR_R_MALLOC_FAILURE);
return NULL;
}
for (i = 0; i < sk_CONF_VALUE_num(values); i++) {
val = sk_CONF_VALUE_value(values, i);
- if (!strcmp(val->name, "requireExplicitPolicy")) {
+ if (strcmp(val->name, "requireExplicitPolicy") == 0) {
if (!X509V3_get_value_int(val, &pcons->requireExplicitPolicy))
goto err;
- } else if (!strcmp(val->name, "inhibitPolicyMapping")) {
+ } else if (strcmp(val->name, "inhibitPolicyMapping") == 0) {
if (!X509V3_get_value_int(val, &pcons->inhibitPolicyMapping))
goto err;
} else {
diff --git a/crypto/x509v3/v3_pku.c b/crypto/x509v3/v3_pku.c
index dd01c44169db..5a7e7d972516 100644
--- a/crypto/x509v3/v3_pku.c
+++ b/crypto/x509v3/v3_pku.c
@@ -1,75 +1,23 @@
-/* v3_pku.c */
/*
- * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
- * 1999.
- */
-/* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
+ * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
*
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
*/
#include <stdio.h>
-#include "cryptlib.h"
+#include "internal/cryptlib.h"
#include <openssl/asn1.h>
#include <openssl/asn1t.h>
#include <openssl/x509v3.h>
+#include "ext_dat.h"
static int i2r_PKEY_USAGE_PERIOD(X509V3_EXT_METHOD *method,
PKEY_USAGE_PERIOD *usage, BIO *out,
int indent);
-/*
- * static PKEY_USAGE_PERIOD *v2i_PKEY_USAGE_PERIOD(X509V3_EXT_METHOD *method,
- * X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values);
- */
+
const X509V3_EXT_METHOD v3_pkey_usage_period = {
NID_private_key_usage_period, 0, ASN1_ITEM_ref(PKEY_USAGE_PERIOD),
0, 0, 0, 0,
@@ -102,13 +50,3 @@ static int i2r_PKEY_USAGE_PERIOD(X509V3_EXT_METHOD *method,
}
return 1;
}
-
-/*-
-static PKEY_USAGE_PERIOD *v2i_PKEY_USAGE_PERIOD(method, ctx, values)
-X509V3_EXT_METHOD *method;
-X509V3_CTX *ctx;
-STACK_OF(CONF_VALUE) *values;
-{
-return NULL;
-}
-*/
diff --git a/crypto/x509v3/v3_pmaps.c b/crypto/x509v3/v3_pmaps.c
index a168343b821d..5b6a2af0fbf6 100644
--- a/crypto/x509v3/v3_pmaps.c
+++ b/crypto/x509v3/v3_pmaps.c
@@ -1,67 +1,18 @@
-/* v3_pmaps.c */
/*
- * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project.
- */
-/* ====================================================================
- * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
+ * Copyright 2003-2016 The OpenSSL Project Authors. All Rights Reserved.
*
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
*/
#include <stdio.h>
-#include "cryptlib.h"
+#include "internal/cryptlib.h"
#include <openssl/asn1t.h>
#include <openssl/conf.h>
#include <openssl/x509v3.h>
+#include "ext_dat.h"
static void *v2i_POLICY_MAPPINGS(const X509V3_EXT_METHOD *method,
X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
@@ -101,6 +52,7 @@ static STACK_OF(CONF_VALUE) *i2v_POLICY_MAPPINGS(const X509V3_EXT_METHOD
int i;
char obj_tmp1[80];
char obj_tmp2[80];
+
for (i = 0; i < sk_POLICY_MAPPING_num(pmaps); i++) {
pmap = sk_POLICY_MAPPING_value(pmaps, i);
i2t_ASN1_OBJECT(obj_tmp1, 80, pmap->issuerDomainPolicy);
@@ -113,44 +65,48 @@ static STACK_OF(CONF_VALUE) *i2v_POLICY_MAPPINGS(const X509V3_EXT_METHOD
static void *v2i_POLICY_MAPPINGS(const X509V3_EXT_METHOD *method,
X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
{
- POLICY_MAPPINGS *pmaps;
- POLICY_MAPPING *pmap;
- ASN1_OBJECT *obj1, *obj2;
+ POLICY_MAPPING *pmap = NULL;
+ ASN1_OBJECT *obj1 = NULL, *obj2 = NULL;
CONF_VALUE *val;
+ POLICY_MAPPINGS *pmaps;
+ const int num = sk_CONF_VALUE_num(nval);
int i;
- if (!(pmaps = sk_POLICY_MAPPING_new_null())) {
+ if ((pmaps = sk_POLICY_MAPPING_new_reserve(NULL, num)) == NULL) {
X509V3err(X509V3_F_V2I_POLICY_MAPPINGS, ERR_R_MALLOC_FAILURE);
return NULL;
}
- for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
+ for (i = 0; i < num; i++) {
val = sk_CONF_VALUE_value(nval, i);
if (!val->value || !val->name) {
- sk_POLICY_MAPPING_pop_free(pmaps, POLICY_MAPPING_free);
X509V3err(X509V3_F_V2I_POLICY_MAPPINGS,
X509V3_R_INVALID_OBJECT_IDENTIFIER);
X509V3_conf_err(val);
- return NULL;
+ goto err;
}
obj1 = OBJ_txt2obj(val->name, 0);
obj2 = OBJ_txt2obj(val->value, 0);
if (!obj1 || !obj2) {
- sk_POLICY_MAPPING_pop_free(pmaps, POLICY_MAPPING_free);
X509V3err(X509V3_F_V2I_POLICY_MAPPINGS,
X509V3_R_INVALID_OBJECT_IDENTIFIER);
X509V3_conf_err(val);
- return NULL;
+ goto err;
}
pmap = POLICY_MAPPING_new();
- if (!pmap) {
- sk_POLICY_MAPPING_pop_free(pmaps, POLICY_MAPPING_free);
+ if (pmap == NULL) {
X509V3err(X509V3_F_V2I_POLICY_MAPPINGS, ERR_R_MALLOC_FAILURE);
- return NULL;
+ goto err;
}
pmap->issuerDomainPolicy = obj1;
pmap->subjectDomainPolicy = obj2;
- sk_POLICY_MAPPING_push(pmaps, pmap);
+ obj1 = obj2 = NULL;
+ sk_POLICY_MAPPING_push(pmaps, pmap); /* no failure as it was reserved */
}
return pmaps;
+ err:
+ ASN1_OBJECT_free(obj1);
+ ASN1_OBJECT_free(obj2);
+ sk_POLICY_MAPPING_pop_free(pmaps, POLICY_MAPPING_free);
+ return NULL;
}
diff --git a/crypto/x509v3/v3_prn.c b/crypto/x509v3/v3_prn.c
index acc9c6d991a0..f384c342acc0 100644
--- a/crypto/x509v3/v3_prn.c
+++ b/crypto/x509v3/v3_prn.c
@@ -1,71 +1,22 @@
-/* v3_prn.c */
/*
- * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
- * 1999.
- */
-/* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
+ * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
*
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
*/
+
/* X509 v3 extension utilities */
#include <stdio.h>
-#include "cryptlib.h"
+#include "internal/cryptlib.h"
#include <openssl/conf.h>
#include <openssl/x509v3.h>
/* Extension printing routines */
-static int unknown_ext_print(BIO *out, X509_EXTENSION *ext,
+static int unknown_ext_print(BIO *out, const unsigned char *ext, int extlen,
unsigned long flag, int indent, int supported);
/* Print out a name+value stack */
@@ -101,7 +52,7 @@ void X509V3_EXT_val_prn(BIO *out, STACK_OF(CONF_VALUE) *val, int indent,
char *tmp;
len = strlen(nval->value) + 1;
tmp = OPENSSL_malloc(len);
- if (tmp) {
+ if (tmp != NULL) {
ascii2ebcdic(tmp, nval->value, len);
BIO_printf(out, "%s:%s", nval->name, tmp);
OPENSSL_free(tmp);
@@ -120,26 +71,29 @@ int X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, unsigned long flag,
{
void *ext_str = NULL;
char *value = NULL;
+ ASN1_OCTET_STRING *extoct;
const unsigned char *p;
+ int extlen;
const X509V3_EXT_METHOD *method;
STACK_OF(CONF_VALUE) *nval = NULL;
int ok = 1;
- if (!(method = X509V3_EXT_get(ext)))
- return unknown_ext_print(out, ext, flag, indent, 0);
- p = ext->value->data;
+ extoct = X509_EXTENSION_get_data(ext);
+ p = ASN1_STRING_get0_data(extoct);
+ extlen = ASN1_STRING_length(extoct);
+
+ if ((method = X509V3_EXT_get(ext)) == NULL)
+ return unknown_ext_print(out, p, extlen, flag, indent, 0);
if (method->it)
- ext_str =
- ASN1_item_d2i(NULL, &p, ext->value->length,
- ASN1_ITEM_ptr(method->it));
+ ext_str = ASN1_item_d2i(NULL, &p, extlen, ASN1_ITEM_ptr(method->it));
else
- ext_str = method->d2i(NULL, &p, ext->value->length);
+ ext_str = method->d2i(NULL, &p, extlen);
if (!ext_str)
- return unknown_ext_print(out, ext, flag, indent, 1);
+ return unknown_ext_print(out, p, extlen, flag, indent, 1);
if (method->i2s) {
- if (!(value = method->i2s(method, ext_str))) {
+ if ((value = method->i2s(method, ext_str)) == NULL) {
ok = 0;
goto err;
}
@@ -151,7 +105,7 @@ int X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, unsigned long flag,
char *tmp;
len = strlen(value) + 1;
tmp = OPENSSL_malloc(len);
- if (tmp) {
+ if (tmp != NULL) {
ascii2ebcdic(tmp, value, len);
BIO_printf(out, "%*s%s", indent, "", tmp);
OPENSSL_free(tmp);
@@ -159,7 +113,7 @@ int X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, unsigned long flag,
}
#endif
} else if (method->i2v) {
- if (!(nval = method->i2v(method, ext_str, NULL))) {
+ if ((nval = method->i2v(method, ext_str, NULL)) == NULL) {
ok = 0;
goto err;
}
@@ -173,8 +127,7 @@ int X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, unsigned long flag,
err:
sk_CONF_VALUE_pop_free(nval, X509V3_conf_free);
- if (value)
- OPENSSL_free(value);
+ OPENSSL_free(value);
if (method->it)
ASN1_item_free(ext_str, ASN1_ITEM_ptr(method->it));
else
@@ -182,8 +135,8 @@ int X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, unsigned long flag,
return ok;
}
-int X509V3_extensions_print(BIO *bp, char *title,
- STACK_OF(X509_EXTENSION) *exts,
+int X509V3_extensions_print(BIO *bp, const char *title,
+ const STACK_OF(X509_EXTENSION) *exts,
unsigned long flag, int indent)
{
int i, j;
@@ -209,7 +162,7 @@ int X509V3_extensions_print(BIO *bp, char *title,
return 0;
if (!X509V3_EXT_print(bp, ex, flag, indent + 4)) {
BIO_printf(bp, "%*s", indent + 4, "");
- M_ASN1_OCTET_STRING_print(bp, ex->value);
+ ASN1_STRING_print(bp, X509_EXTENSION_get_data(ex));
}
if (BIO_write(bp, "\n", 1) <= 0)
return 0;
@@ -217,7 +170,7 @@ int X509V3_extensions_print(BIO *bp, char *title,
return 1;
}
-static int unknown_ext_print(BIO *out, X509_EXTENSION *ext,
+static int unknown_ext_print(BIO *out, const unsigned char *ext, int extlen,
unsigned long flag, int indent, int supported)
{
switch (flag & X509V3_EXT_UNKNOWN_MASK) {
@@ -233,24 +186,22 @@ static int unknown_ext_print(BIO *out, X509_EXTENSION *ext,
return 1;
case X509V3_EXT_PARSE_UNKNOWN:
- return ASN1_parse_dump(out,
- ext->value->data, ext->value->length, indent,
- -1);
+ return ASN1_parse_dump(out, ext, extlen, indent, -1);
case X509V3_EXT_DUMP_UNKNOWN:
- return BIO_dump_indent(out, (char *)ext->value->data,
- ext->value->length, indent);
+ return BIO_dump_indent(out, (const char *)ext, extlen, indent);
default:
return 1;
}
}
-#ifndef OPENSSL_NO_FP_API
+#ifndef OPENSSL_NO_STDIO
int X509V3_EXT_print_fp(FILE *fp, X509_EXTENSION *ext, int flag, int indent)
{
BIO *bio_tmp;
int ret;
- if (!(bio_tmp = BIO_new_fp(fp, BIO_NOCLOSE)))
+
+ if ((bio_tmp = BIO_new_fp(fp, BIO_NOCLOSE)) == NULL)
return 0;
ret = X509V3_EXT_print(bio_tmp, ext, flag, indent);
BIO_free(bio_tmp);
diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c
index 96e629a9301f..70b0397d97b9 100644
--- a/crypto/x509v3/v3_purp.c
+++ b/crypto/x509v3/v3_purp.c
@@ -1,66 +1,19 @@
-/* v3_purp.c */
/*
- * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
- * 2001.
- */
-/* ====================================================================
- * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
+ * Copyright 1999-2018 The OpenSSL Project Authors. All Rights Reserved.
*
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
*/
#include <stdio.h>
-#include "cryptlib.h"
+#include "internal/cryptlib.h"
+#include "internal/numbers.h"
#include <openssl/x509v3.h>
#include <openssl/x509_vfy.h>
+#include "internal/x509_int.h"
+#include "internal/tsan_assist.h"
static void x509v3_cache_extensions(X509 *x);
@@ -108,9 +61,7 @@ static X509_PURPOSE xstandard[] = {
NULL},
};
-#define X509_PURPOSE_COUNT (sizeof(xstandard)/sizeof(X509_PURPOSE))
-
-IMPLEMENT_STACK_OF(X509_PURPOSE)
+#define X509_PURPOSE_COUNT OSSL_NELEM(xstandard)
static STACK_OF(X509_PURPOSE) *xptable = NULL;
@@ -128,11 +79,10 @@ int X509_check_purpose(X509 *x, int id, int ca)
{
int idx;
const X509_PURPOSE *pt;
- if (!(x->ex_flags & EXFLAG_SET)) {
- CRYPTO_w_lock(CRYPTO_LOCK_X509);
- x509v3_cache_extensions(x);
- CRYPTO_w_unlock(CRYPTO_LOCK_X509);
- }
+
+ x509v3_cache_extensions(x);
+
+ /* Return if side-effect only call */
if (id == -1)
return 1;
idx = X509_PURPOSE_get_by_id(id);
@@ -168,13 +118,13 @@ X509_PURPOSE *X509_PURPOSE_get0(int idx)
return sk_X509_PURPOSE_value(xptable, idx - X509_PURPOSE_COUNT);
}
-int X509_PURPOSE_get_by_sname(char *sname)
+int X509_PURPOSE_get_by_sname(const char *sname)
{
int i;
X509_PURPOSE *xptmp;
for (i = 0; i < X509_PURPOSE_get_count(); i++) {
xptmp = X509_PURPOSE_get0(i);
- if (!strcmp(xptmp->sname, sname))
+ if (strcmp(xptmp->sname, sname) == 0)
return i;
}
return -1;
@@ -184,20 +134,21 @@ int X509_PURPOSE_get_by_id(int purpose)
{
X509_PURPOSE tmp;
int idx;
+
if ((purpose >= X509_PURPOSE_MIN) && (purpose <= X509_PURPOSE_MAX))
return purpose - X509_PURPOSE_MIN;
- tmp.purpose = purpose;
- if (!xptable)
+ if (xptable == NULL)
return -1;
+ tmp.purpose = purpose;
idx = sk_X509_PURPOSE_find(xptable, &tmp);
- if (idx == -1)
+ if (idx < 0)
return -1;
return idx + X509_PURPOSE_COUNT;
}
int X509_PURPOSE_add(int id, int trust, int flags,
int (*ck) (const X509_PURPOSE *, const X509 *, int),
- char *name, char *sname, void *arg)
+ const char *name, const char *sname, void *arg)
{
int idx;
X509_PURPOSE *ptmp;
@@ -211,7 +162,7 @@ int X509_PURPOSE_add(int id, int trust, int flags,
idx = X509_PURPOSE_get_by_id(id);
/* Need a new entry */
if (idx == -1) {
- if (!(ptmp = OPENSSL_malloc(sizeof(X509_PURPOSE)))) {
+ if ((ptmp = OPENSSL_malloc(sizeof(*ptmp))) == NULL) {
X509V3err(X509V3_F_X509_PURPOSE_ADD, ERR_R_MALLOC_FAILURE);
return 0;
}
@@ -225,11 +176,11 @@ int X509_PURPOSE_add(int id, int trust, int flags,
OPENSSL_free(ptmp->sname);
}
/* dup supplied name */
- ptmp->name = BUF_strdup(name);
- ptmp->sname = BUF_strdup(sname);
+ ptmp->name = OPENSSL_strdup(name);
+ ptmp->sname = OPENSSL_strdup(sname);
if (!ptmp->name || !ptmp->sname) {
X509V3err(X509V3_F_X509_PURPOSE_ADD, ERR_R_MALLOC_FAILURE);
- return 0;
+ goto err;
}
/* Keep the dynamic flag of existing entry */
ptmp->flags &= X509_PURPOSE_DYNAMIC;
@@ -243,16 +194,24 @@ int X509_PURPOSE_add(int id, int trust, int flags,
/* If its a new entry manage the dynamic table */
if (idx == -1) {
- if (!xptable && !(xptable = sk_X509_PURPOSE_new(xp_cmp))) {
+ if (xptable == NULL
+ && (xptable = sk_X509_PURPOSE_new(xp_cmp)) == NULL) {
X509V3err(X509V3_F_X509_PURPOSE_ADD, ERR_R_MALLOC_FAILURE);
- return 0;
+ goto err;
}
if (!sk_X509_PURPOSE_push(xptable, ptmp)) {
X509V3err(X509V3_F_X509_PURPOSE_ADD, ERR_R_MALLOC_FAILURE);
- return 0;
+ goto err;
}
}
return 1;
+ err:
+ if (idx == -1) {
+ OPENSSL_free(ptmp->name);
+ OPENSSL_free(ptmp->sname);
+ OPENSSL_free(ptmp);
+ }
+ return 0;
}
static void xptable_free(X509_PURPOSE *p)
@@ -270,29 +229,26 @@ static void xptable_free(X509_PURPOSE *p)
void X509_PURPOSE_cleanup(void)
{
- unsigned int i;
sk_X509_PURPOSE_pop_free(xptable, xptable_free);
- for (i = 0; i < X509_PURPOSE_COUNT; i++)
- xptable_free(xstandard + i);
xptable = NULL;
}
-int X509_PURPOSE_get_id(X509_PURPOSE *xp)
+int X509_PURPOSE_get_id(const X509_PURPOSE *xp)
{
return xp->purpose;
}
-char *X509_PURPOSE_get0_name(X509_PURPOSE *xp)
+char *X509_PURPOSE_get0_name(const X509_PURPOSE *xp)
{
return xp->name;
}
-char *X509_PURPOSE_get0_sname(X509_PURPOSE *xp)
+char *X509_PURPOSE_get0_sname(const X509_PURPOSE *xp)
{
return xp->sname;
}
-int X509_PURPOSE_get_trust(X509_PURPOSE *xp)
+int X509_PURPOSE_get_trust(const X509_PURPOSE *xp)
{
return xp->trust;
}
@@ -339,8 +295,7 @@ int X509_supported_extension(X509_EXTENSION *ex)
if (ex_nid == NID_undef)
return 0;
- if (OBJ_bsearch_nid(&ex_nid, supported_nids,
- sizeof(supported_nids) / sizeof(int)))
+ if (OBJ_bsearch_nid(&ex_nid, supported_nids, OSSL_NELEM(supported_nids)))
return 1;
return 0;
}
@@ -397,13 +352,21 @@ static void x509v3_cache_extensions(X509 *x)
ASN1_BIT_STRING *ns;
EXTENDED_KEY_USAGE *extusage;
X509_EXTENSION *ex;
-
int i;
- if (x->ex_flags & EXFLAG_SET)
+
+#ifdef tsan_ld_acq
+ /* fast lock-free check, see end of the function for details. */
+ if (tsan_ld_acq((TSAN_QUALIFIER int *)&x->ex_cached))
return;
-#ifndef OPENSSL_NO_SHA
- X509_digest(x, EVP_sha1(), x->sha1_hash, NULL);
#endif
+
+ CRYPTO_THREAD_write_lock(x->lock);
+ if (x->ex_flags & EXFLAG_SET) {
+ CRYPTO_THREAD_unlock(x->lock);
+ return;
+ }
+
+ X509_digest(x, EVP_sha1(), x->sha1_hash, NULL);
/* V1 should mean no extensions ... */
if (!X509_get_version(x))
x->ex_flags |= EXFLAG_V1;
@@ -535,7 +498,17 @@ static void x509v3_cache_extensions(X509 *x)
break;
}
}
+ x509_init_sig_info(x);
x->ex_flags |= EXFLAG_SET;
+#ifdef tsan_st_rel
+ tsan_st_rel((TSAN_QUALIFIER int *)&x->ex_cached, 1);
+ /*
+ * Above store triggers fast lock-free check in the beginning of the
+ * function. But one has to ensure that the structure is "stable", i.e.
+ * all stores are visible on all processors. Hence the release fence.
+ */
+#endif
+ CRYPTO_THREAD_unlock(x->lock);
}
/*-
@@ -576,13 +549,19 @@ static int check_ca(const X509 *x)
}
}
+void X509_set_proxy_flag(X509 *x)
+{
+ x->ex_flags |= EXFLAG_PROXY;
+}
+
+void X509_set_proxy_pathlen(X509 *x, long l)
+{
+ x->ex_pcpathlen = l;
+}
+
int X509_check_ca(X509 *x)
{
- if (!(x->ex_flags & EXFLAG_SET)) {
- CRYPTO_w_lock(CRYPTO_LOCK_X509);
- x509v3_cache_extensions(x);
- CRYPTO_w_unlock(CRYPTO_LOCK_X509);
- }
+ x509v3_cache_extensions(x);
return check_ca(x);
}
@@ -763,7 +742,7 @@ static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x,
return 0;
/* Extended Key Usage MUST be critical */
- i_ext = X509_get_ext_by_NID((X509 *)x, NID_ext_key_usage, -1);
+ i_ext = X509_get_ext_by_NID(x, NID_ext_key_usage, -1);
if (i_ext >= 0) {
X509_EXTENSION *ext = X509_get_ext((X509 *)x, i_ext);
if (!X509_EXTENSION_get_critical(ext))
@@ -796,6 +775,7 @@ int X509_check_issued(X509 *issuer, X509 *subject)
if (X509_NAME_cmp(X509_get_subject_name(issuer),
X509_get_issuer_name(subject)))
return X509_V_ERR_SUBJECT_ISSUER_MISMATCH;
+
x509v3_cache_extensions(issuer);
x509v3_cache_extensions(subject);
@@ -851,3 +831,60 @@ int X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid)
}
return X509_V_OK;
}
+
+uint32_t X509_get_extension_flags(X509 *x)
+{
+ /* Call for side-effect of computing hash and caching extensions */
+ X509_check_purpose(x, -1, -1);
+ return x->ex_flags;
+}
+
+uint32_t X509_get_key_usage(X509 *x)
+{
+ /* Call for side-effect of computing hash and caching extensions */
+ X509_check_purpose(x, -1, -1);
+ if (x->ex_flags & EXFLAG_KUSAGE)
+ return x->ex_kusage;
+ return UINT32_MAX;
+}
+
+uint32_t X509_get_extended_key_usage(X509 *x)
+{
+ /* Call for side-effect of computing hash and caching extensions */
+ X509_check_purpose(x, -1, -1);
+ if (x->ex_flags & EXFLAG_XKUSAGE)
+ return x->ex_xkusage;
+ return UINT32_MAX;
+}
+
+const ASN1_OCTET_STRING *X509_get0_subject_key_id(X509 *x)
+{
+ /* Call for side-effect of computing hash and caching extensions */
+ X509_check_purpose(x, -1, -1);
+ return x->skid;
+}
+
+const ASN1_OCTET_STRING *X509_get0_authority_key_id(X509 *x)
+{
+ /* Call for side-effect of computing hash and caching extensions */
+ X509_check_purpose(x, -1, -1);
+ return (x->akid != NULL ? x->akid->keyid : NULL);
+}
+
+long X509_get_pathlen(X509 *x)
+{
+ /* Called for side effect of caching extensions */
+ if (X509_check_purpose(x, -1, -1) != 1
+ || (x->ex_flags & EXFLAG_BCONS) == 0)
+ return -1;
+ return x->ex_pathlen;
+}
+
+long X509_get_proxy_pathlen(X509 *x)
+{
+ /* Called for side effect of caching extensions */
+ if (X509_check_purpose(x, -1, -1) != 1
+ || (x->ex_flags & EXFLAG_PROXY) == 0)
+ return -1;
+ return x->ex_pcpathlen;
+}
diff --git a/crypto/x509v3/v3_scts.c b/crypto/x509v3/v3_scts.c
deleted file mode 100644
index 87a6ae1da982..000000000000
--- a/crypto/x509v3/v3_scts.c
+++ /dev/null
@@ -1,334 +0,0 @@
-/* v3_scts.c */
-/*
- * Written by Rob Stradling (rob@comodo.com) for the OpenSSL project 2014.
- */
-/* ====================================================================
- * Copyright (c) 2014 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-#include "cryptlib.h"
-#include <openssl/asn1.h>
-#include <openssl/x509v3.h>
-
-/* Signature and hash algorithms from RFC 5246 */
-#define TLSEXT_hash_sha256 4
-
-#define TLSEXT_signature_rsa 1
-#define TLSEXT_signature_ecdsa 3
-
-
-#define n2s(c,s) ((s=(((unsigned int)(c[0]))<< 8)| \
- (((unsigned int)(c[1])) )),c+=2)
-
-#if (defined(_WIN32) || defined(_WIN64)) && !defined(__MINGW32__)
-# define SCT_TIMESTAMP unsigned __int64
-#elif defined(__arch64__)
-# define SCT_TIMESTAMP unsigned long
-#else
-# define SCT_TIMESTAMP unsigned long long
-#endif
-
-#define n2l8(c,l) (l =((SCT_TIMESTAMP)(*((c)++)))<<56, \
- l|=((SCT_TIMESTAMP)(*((c)++)))<<48, \
- l|=((SCT_TIMESTAMP)(*((c)++)))<<40, \
- l|=((SCT_TIMESTAMP)(*((c)++)))<<32, \
- l|=((SCT_TIMESTAMP)(*((c)++)))<<24, \
- l|=((SCT_TIMESTAMP)(*((c)++)))<<16, \
- l|=((SCT_TIMESTAMP)(*((c)++)))<< 8, \
- l|=((SCT_TIMESTAMP)(*((c)++))))
-
-typedef struct SCT_st {
- /* The encoded SCT */
- unsigned char *sct;
- unsigned short sctlen;
- /*
- * Components of the SCT. "logid", "ext" and "sig" point to addresses
- * inside "sct".
- */
- unsigned char version;
- unsigned char *logid;
- unsigned short logidlen;
- SCT_TIMESTAMP timestamp;
- unsigned char *ext;
- unsigned short extlen;
- unsigned char hash_alg;
- unsigned char sig_alg;
- unsigned char *sig;
- unsigned short siglen;
-} SCT;
-
-DECLARE_STACK_OF(SCT)
-
-static void SCT_LIST_free(STACK_OF(SCT) *a);
-static STACK_OF(SCT) *d2i_SCT_LIST(STACK_OF(SCT) **a,
- const unsigned char **pp, long length);
-static int i2r_SCT_LIST(X509V3_EXT_METHOD *method, STACK_OF(SCT) *sct_list,
- BIO *out, int indent);
-
-const X509V3_EXT_METHOD v3_ct_scts[] = {
- {NID_ct_precert_scts, 0, NULL,
- 0, (X509V3_EXT_FREE)SCT_LIST_free,
- (X509V3_EXT_D2I)d2i_SCT_LIST, 0,
- 0, 0, 0, 0,
- (X509V3_EXT_I2R)i2r_SCT_LIST, 0,
- NULL},
-
- {NID_ct_cert_scts, 0, NULL,
- 0, (X509V3_EXT_FREE)SCT_LIST_free,
- (X509V3_EXT_D2I)d2i_SCT_LIST, 0,
- 0, 0, 0, 0,
- (X509V3_EXT_I2R)i2r_SCT_LIST, 0,
- NULL},
-};
-
-static void tls12_signature_print(BIO *out, const unsigned char hash_alg,
- const unsigned char sig_alg)
-{
- int nid = NID_undef;
- /* RFC6962 only permits two signature algorithms */
- if (hash_alg == TLSEXT_hash_sha256) {
- if (sig_alg == TLSEXT_signature_rsa)
- nid = NID_sha256WithRSAEncryption;
- else if (sig_alg == TLSEXT_signature_ecdsa)
- nid = NID_ecdsa_with_SHA256;
- }
- if (nid == NID_undef)
- BIO_printf(out, "%02X%02X", hash_alg, sig_alg);
- else
- BIO_printf(out, "%s", OBJ_nid2ln(nid));
-}
-
-static void timestamp_print(BIO *out, SCT_TIMESTAMP timestamp)
-{
- ASN1_GENERALIZEDTIME *gen;
- char genstr[20];
- gen = ASN1_GENERALIZEDTIME_new();
- ASN1_GENERALIZEDTIME_adj(gen, (time_t)0,
- (int)(timestamp / 86400000),
- (int)(timestamp % 86400000) / 1000);
- /*
- * Note GeneralizedTime from ASN1_GENERALIZETIME_adj is always 15
- * characters long with a final Z. Update it with fractional seconds.
- */
- BIO_snprintf(genstr, sizeof(genstr), "%.14s.%03dZ",
- ASN1_STRING_data(gen), (unsigned int)(timestamp % 1000));
- ASN1_GENERALIZEDTIME_set_string(gen, genstr);
- ASN1_GENERALIZEDTIME_print(out, gen);
- ASN1_GENERALIZEDTIME_free(gen);
-}
-
-static void SCT_free(SCT *sct)
-{
- if (sct) {
- if (sct->sct)
- OPENSSL_free(sct->sct);
- OPENSSL_free(sct);
- }
-}
-
-static void SCT_LIST_free(STACK_OF(SCT) *a)
-{
- sk_SCT_pop_free(a, SCT_free);
-}
-
-static STACK_OF(SCT) *d2i_SCT_LIST(STACK_OF(SCT) **a,
- const unsigned char **pp, long length)
-{
- ASN1_OCTET_STRING *oct = NULL;
- STACK_OF(SCT) *sk = NULL;
- SCT *sct;
- unsigned char *p, *p2;
- unsigned short listlen, sctlen = 0, fieldlen;
- const unsigned char *q = *pp;
-
- if (d2i_ASN1_OCTET_STRING(&oct, &q, length) == NULL)
- return NULL;
- if (oct->length < 2)
- goto done;
- p = oct->data;
- n2s(p, listlen);
- if (listlen != oct->length - 2)
- goto done;
-
- if ((sk = sk_SCT_new_null()) == NULL)
- goto done;
-
- while (listlen > 0) {
- if (listlen < 2)
- goto err;
- n2s(p, sctlen);
- listlen -= 2;
-
- if ((sctlen < 1) || (sctlen > listlen))
- goto err;
- listlen -= sctlen;
-
- sct = OPENSSL_malloc(sizeof(SCT));
- if (!sct)
- goto err;
- if (!sk_SCT_push(sk, sct)) {
- OPENSSL_free(sct);
- goto err;
- }
-
- sct->sct = OPENSSL_malloc(sctlen);
- if (!sct->sct)
- goto err;
- memcpy(sct->sct, p, sctlen);
- sct->sctlen = sctlen;
- p += sctlen;
- p2 = sct->sct;
-
- sct->version = *p2++;
- if (sct->version == 0) { /* SCT v1 */
- /*-
- * Fixed-length header:
- * struct {
- * (1 byte) Version sct_version;
- * (32 bytes) LogID id;
- * (8 bytes) uint64 timestamp;
- * (2 bytes + ?) CtExtensions extensions;
- */
- if (sctlen < 43)
- goto err;
- sctlen -= 43;
-
- sct->logid = p2;
- sct->logidlen = 32;
- p2 += 32;
-
- n2l8(p2, sct->timestamp);
-
- n2s(p2, fieldlen);
- if (sctlen < fieldlen)
- goto err;
- sct->ext = p2;
- sct->extlen = fieldlen;
- p2 += fieldlen;
- sctlen -= fieldlen;
-
- /*-
- * digitally-signed struct header:
- * (1 byte) Hash algorithm
- * (1 byte) Signature algorithm
- * (2 bytes + ?) Signature
- */
- if (sctlen < 4)
- goto err;
- sctlen -= 4;
-
- sct->hash_alg = *p2++;
- sct->sig_alg = *p2++;
- n2s(p2, fieldlen);
- if (sctlen != fieldlen)
- goto err;
- sct->sig = p2;
- sct->siglen = fieldlen;
- }
- }
-
- done:
- ASN1_OCTET_STRING_free(oct);
- *pp = q;
- return sk;
-
- err:
- SCT_LIST_free(sk);
- sk = NULL;
- goto done;
-}
-
-static int i2r_SCT_LIST(X509V3_EXT_METHOD *method, STACK_OF(SCT) *sct_list,
- BIO *out, int indent)
-{
- SCT *sct;
- int i;
-
- for (i = 0; i < sk_SCT_num(sct_list);) {
- sct = sk_SCT_value(sct_list, i);
-
- BIO_printf(out, "%*sSigned Certificate Timestamp:", indent, "");
- BIO_printf(out, "\n%*sVersion : ", indent + 4, "");
-
- if (sct->version == 0) { /* SCT v1 */
- BIO_printf(out, "v1(0)");
-
- BIO_printf(out, "\n%*sLog ID : ", indent + 4, "");
- BIO_hex_string(out, indent + 16, 16, sct->logid, sct->logidlen);
-
- BIO_printf(out, "\n%*sTimestamp : ", indent + 4, "");
- timestamp_print(out, sct->timestamp);
-
- BIO_printf(out, "\n%*sExtensions: ", indent + 4, "");
- if (sct->extlen == 0)
- BIO_printf(out, "none");
- else
- BIO_hex_string(out, indent + 16, 16, sct->ext, sct->extlen);
-
- BIO_printf(out, "\n%*sSignature : ", indent + 4, "");
- tls12_signature_print(out, sct->hash_alg, sct->sig_alg);
- BIO_printf(out, "\n%*s ", indent + 4, "");
- BIO_hex_string(out, indent + 16, 16, sct->sig, sct->siglen);
- } else { /* Unknown version */
-
- BIO_printf(out, "unknown\n%*s", indent + 16, "");
- BIO_hex_string(out, indent + 16, 16, sct->sct, sct->sctlen);
- }
-
- if (++i < sk_SCT_num(sct_list))
- BIO_printf(out, "\n");
- }
-
- return 1;
-}
diff --git a/crypto/x509v3/v3_skey.c b/crypto/x509v3/v3_skey.c
index 1cede0472792..749f51b2f00e 100644
--- a/crypto/x509v3/v3_skey.c
+++ b/crypto/x509v3/v3_skey.c
@@ -1,65 +1,17 @@
-/* v3_skey.c */
/*
- * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
- * 1999.
- */
-/* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
+ * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
*
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
*/
#include <stdio.h>
-#include "cryptlib.h"
+#include "internal/cryptlib.h"
#include <openssl/x509v3.h>
+#include "internal/x509_int.h"
+#include "ext_dat.h"
static ASN1_OCTET_STRING *s2i_skey_id(X509V3_EXT_METHOD *method,
X509V3_CTX *ctx, char *str);
@@ -72,24 +24,25 @@ const X509V3_EXT_METHOD v3_skey_id = {
NULL
};
-char *i2s_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method, ASN1_OCTET_STRING *oct)
+char *i2s_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method,
+ const ASN1_OCTET_STRING *oct)
{
- return hex_to_string(oct->data, oct->length);
+ return OPENSSL_buf2hexstr(oct->data, oct->length);
}
ASN1_OCTET_STRING *s2i_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method,
- X509V3_CTX *ctx, char *str)
+ X509V3_CTX *ctx, const char *str)
{
ASN1_OCTET_STRING *oct;
long length;
- if (!(oct = M_ASN1_OCTET_STRING_new())) {
+ if ((oct = ASN1_OCTET_STRING_new()) == NULL) {
X509V3err(X509V3_F_S2I_ASN1_OCTET_STRING, ERR_R_MALLOC_FAILURE);
return NULL;
}
- if (!(oct->data = string_to_hex(str, &length))) {
- M_ASN1_OCTET_STRING_free(oct);
+ if ((oct->data = OPENSSL_hexstr2buf(str, &length)) == NULL) {
+ ASN1_OCTET_STRING_free(oct);
return NULL;
}
@@ -103,14 +56,16 @@ static ASN1_OCTET_STRING *s2i_skey_id(X509V3_EXT_METHOD *method,
X509V3_CTX *ctx, char *str)
{
ASN1_OCTET_STRING *oct;
- ASN1_BIT_STRING *pk;
+ X509_PUBKEY *pubkey;
+ const unsigned char *pk;
+ int pklen;
unsigned char pkey_dig[EVP_MAX_MD_SIZE];
unsigned int diglen;
if (strcmp(str, "hash"))
return s2i_ASN1_OCTET_STRING(method, ctx, str);
- if (!(oct = M_ASN1_OCTET_STRING_new())) {
+ if ((oct = ASN1_OCTET_STRING_new()) == NULL) {
X509V3err(X509V3_F_S2I_SKEY_ID, ERR_R_MALLOC_FAILURE);
return NULL;
}
@@ -124,20 +79,21 @@ static ASN1_OCTET_STRING *s2i_skey_id(X509V3_EXT_METHOD *method,
}
if (ctx->subject_req)
- pk = ctx->subject_req->req_info->pubkey->public_key;
+ pubkey = ctx->subject_req->req_info.pubkey;
else
- pk = ctx->subject_cert->cert_info->key->public_key;
+ pubkey = ctx->subject_cert->cert_info.key;
- if (!pk) {
+ if (pubkey == NULL) {
X509V3err(X509V3_F_S2I_SKEY_ID, X509V3_R_NO_PUBLIC_KEY);
goto err;
}
- if (!EVP_Digest
- (pk->data, pk->length, pkey_dig, &diglen, EVP_sha1(), NULL))
+ X509_PUBKEY_get0_param(NULL, &pk, &pklen, NULL, pubkey);
+
+ if (!EVP_Digest(pk, pklen, pkey_dig, &diglen, EVP_sha1(), NULL))
goto err;
- if (!M_ASN1_OCTET_STRING_set(oct, pkey_dig, diglen)) {
+ if (!ASN1_OCTET_STRING_set(oct, pkey_dig, diglen)) {
X509V3err(X509V3_F_S2I_SKEY_ID, ERR_R_MALLOC_FAILURE);
goto err;
}
@@ -145,6 +101,6 @@ static ASN1_OCTET_STRING *s2i_skey_id(X509V3_EXT_METHOD *method,
return oct;
err:
- M_ASN1_OCTET_STRING_free(oct);
+ ASN1_OCTET_STRING_free(oct);
return NULL;
}
diff --git a/crypto/x509v3/v3_sxnet.c b/crypto/x509v3/v3_sxnet.c
index a4e6a93e0b9b..89cda01be2a5 100644
--- a/crypto/x509v3/v3_sxnet.c
+++ b/crypto/x509v3/v3_sxnet.c
@@ -1,68 +1,19 @@
-/* v3_sxnet.c */
/*
- * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
- * 1999.
- */
-/* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
+ * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
*
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
*/
#include <stdio.h>
-#include "cryptlib.h"
+#include "internal/cryptlib.h"
#include <openssl/conf.h>
#include <openssl/asn1.h>
#include <openssl/asn1t.h>
#include <openssl/x509v3.h>
+#include "ext_dat.h"
/* Support for Thawte strong extranet extension */
@@ -117,7 +68,7 @@ static int sxnet_i2r(X509V3_EXT_METHOD *method, SXNET *sx, BIO *out,
tmp = i2s_ASN1_INTEGER(NULL, id->zone);
BIO_printf(out, "\n%*sZone: %s, User: ", indent, "", tmp);
OPENSSL_free(tmp);
- M_ASN1_OCTET_STRING_print(out, id->user);
+ ASN1_STRING_print(out, id->user);
}
return 1;
}
@@ -150,10 +101,11 @@ static SXNET *sxnet_v2i(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
/* Add an id given the zone as an ASCII number */
-int SXNET_add_id_asc(SXNET **psx, char *zone, char *user, int userlen)
+int SXNET_add_id_asc(SXNET **psx, const char *zone, const char *user, int userlen)
{
- ASN1_INTEGER *izone = NULL;
- if (!(izone = s2i_ASN1_INTEGER(NULL, zone))) {
+ ASN1_INTEGER *izone;
+
+ if ((izone = s2i_ASN1_INTEGER(NULL, zone)) == NULL) {
X509V3err(X509V3_F_SXNET_ADD_ID_ASC, X509V3_R_ERROR_CONVERTING_ZONE);
return 0;
}
@@ -162,13 +114,15 @@ int SXNET_add_id_asc(SXNET **psx, char *zone, char *user, int userlen)
/* Add an id given the zone as an unsigned long */
-int SXNET_add_id_ulong(SXNET **psx, unsigned long lzone, char *user,
+int SXNET_add_id_ulong(SXNET **psx, unsigned long lzone, const char *user,
int userlen)
{
- ASN1_INTEGER *izone = NULL;
- if (!(izone = M_ASN1_INTEGER_new()) || !ASN1_INTEGER_set(izone, lzone)) {
+ ASN1_INTEGER *izone;
+
+ if ((izone = ASN1_INTEGER_new()) == NULL
+ || !ASN1_INTEGER_set(izone, lzone)) {
X509V3err(X509V3_F_SXNET_ADD_ID_ULONG, ERR_R_MALLOC_FAILURE);
- M_ASN1_INTEGER_free(izone);
+ ASN1_INTEGER_free(izone);
return 0;
}
return SXNET_add_id_INTEGER(psx, izone, user, userlen);
@@ -180,7 +134,7 @@ int SXNET_add_id_ulong(SXNET **psx, unsigned long lzone, char *user,
* passed integer and doesn't make a copy so don't free it up afterwards.
*/
-int SXNET_add_id_INTEGER(SXNET **psx, ASN1_INTEGER *zone, char *user,
+int SXNET_add_id_INTEGER(SXNET **psx, ASN1_INTEGER *zone, const char *user,
int userlen)
{
SXNET *sx = NULL;
@@ -196,8 +150,8 @@ int SXNET_add_id_INTEGER(SXNET **psx, ASN1_INTEGER *zone, char *user,
X509V3err(X509V3_F_SXNET_ADD_ID_INTEGER, X509V3_R_USER_TOO_LONG);
return 0;
}
- if (!*psx) {
- if (!(sx = SXNET_new()))
+ if (*psx == NULL) {
+ if ((sx = SXNET_new()) == NULL)
goto err;
if (!ASN1_INTEGER_set(sx->version, 0))
goto err;
@@ -209,12 +163,12 @@ int SXNET_add_id_INTEGER(SXNET **psx, ASN1_INTEGER *zone, char *user,
return 0;
}
- if (!(id = SXNETID_new()))
+ if ((id = SXNETID_new()) == NULL)
goto err;
if (userlen == -1)
userlen = strlen(user);
- if (!M_ASN1_OCTET_STRING_set(id->user, user, userlen))
+ if (!ASN1_OCTET_STRING_set(id->user, (const unsigned char *)user, userlen))
goto err;
if (!sk_SXNETID_push(sx->ids, id))
goto err;
@@ -229,30 +183,33 @@ int SXNET_add_id_INTEGER(SXNET **psx, ASN1_INTEGER *zone, char *user,
return 0;
}
-ASN1_OCTET_STRING *SXNET_get_id_asc(SXNET *sx, char *zone)
+ASN1_OCTET_STRING *SXNET_get_id_asc(SXNET *sx, const char *zone)
{
- ASN1_INTEGER *izone = NULL;
+ ASN1_INTEGER *izone;
ASN1_OCTET_STRING *oct;
- if (!(izone = s2i_ASN1_INTEGER(NULL, zone))) {
+
+ if ((izone = s2i_ASN1_INTEGER(NULL, zone)) == NULL) {
X509V3err(X509V3_F_SXNET_GET_ID_ASC, X509V3_R_ERROR_CONVERTING_ZONE);
return NULL;
}
oct = SXNET_get_id_INTEGER(sx, izone);
- M_ASN1_INTEGER_free(izone);
+ ASN1_INTEGER_free(izone);
return oct;
}
ASN1_OCTET_STRING *SXNET_get_id_ulong(SXNET *sx, unsigned long lzone)
{
- ASN1_INTEGER *izone = NULL;
+ ASN1_INTEGER *izone;
ASN1_OCTET_STRING *oct;
- if (!(izone = M_ASN1_INTEGER_new()) || !ASN1_INTEGER_set(izone, lzone)) {
+
+ if ((izone = ASN1_INTEGER_new()) == NULL
+ || !ASN1_INTEGER_set(izone, lzone)) {
X509V3err(X509V3_F_SXNET_GET_ID_ULONG, ERR_R_MALLOC_FAILURE);
- M_ASN1_INTEGER_free(izone);
+ ASN1_INTEGER_free(izone);
return NULL;
}
oct = SXNET_get_id_INTEGER(sx, izone);
- M_ASN1_INTEGER_free(izone);
+ ASN1_INTEGER_free(izone);
return oct;
}
@@ -262,12 +219,8 @@ ASN1_OCTET_STRING *SXNET_get_id_INTEGER(SXNET *sx, ASN1_INTEGER *zone)
int i;
for (i = 0; i < sk_SXNETID_num(sx->ids); i++) {
id = sk_SXNETID_value(sx->ids, i);
- if (!M_ASN1_INTEGER_cmp(id->zone, zone))
+ if (!ASN1_INTEGER_cmp(id->zone, zone))
return id->user;
}
return NULL;
}
-
-IMPLEMENT_STACK_OF(SXNETID)
-
-IMPLEMENT_ASN1_SET_OF(SXNETID)
diff --git a/crypto/x509v3/v3_tlsf.c b/crypto/x509v3/v3_tlsf.c
new file mode 100644
index 000000000000..7fd6ef17dbee
--- /dev/null
+++ b/crypto/x509v3/v3_tlsf.c
@@ -0,0 +1,137 @@
+/*
+ * Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include "e_os.h"
+#include "internal/cryptlib.h"
+#include <stdio.h>
+#include "internal/o_str.h"
+#include <openssl/asn1t.h>
+#include <openssl/conf.h>
+#include <openssl/x509v3.h>
+#include "ext_dat.h"
+
+static STACK_OF(CONF_VALUE) *i2v_TLS_FEATURE(const X509V3_EXT_METHOD *method,
+ TLS_FEATURE *tls_feature,
+ STACK_OF(CONF_VALUE) *ext_list);
+static TLS_FEATURE *v2i_TLS_FEATURE(const X509V3_EXT_METHOD *method,
+ X509V3_CTX *ctx,
+ STACK_OF(CONF_VALUE) *nval);
+
+ASN1_ITEM_TEMPLATE(TLS_FEATURE) =
+ ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, TLS_FEATURE, ASN1_INTEGER)
+static_ASN1_ITEM_TEMPLATE_END(TLS_FEATURE)
+
+IMPLEMENT_ASN1_ALLOC_FUNCTIONS(TLS_FEATURE)
+
+const X509V3_EXT_METHOD v3_tls_feature = {
+ NID_tlsfeature, 0,
+ ASN1_ITEM_ref(TLS_FEATURE),
+ 0, 0, 0, 0,
+ 0, 0,
+ (X509V3_EXT_I2V)i2v_TLS_FEATURE,
+ (X509V3_EXT_V2I)v2i_TLS_FEATURE,
+ 0, 0,
+ NULL
+};
+
+
+typedef struct {
+ long num;
+ const char *name;
+} TLS_FEATURE_NAME;
+
+static TLS_FEATURE_NAME tls_feature_tbl[] = {
+ { 5, "status_request" },
+ { 17, "status_request_v2" }
+};
+
+/*
+ * i2v_TLS_FEATURE converts the TLS_FEATURE structure tls_feature into the
+ * STACK_OF(CONF_VALUE) structure ext_list. STACK_OF(CONF_VALUE) is the format
+ * used by the CONF library to represent a multi-valued extension. ext_list is
+ * returned.
+ */
+static STACK_OF(CONF_VALUE) *i2v_TLS_FEATURE(const X509V3_EXT_METHOD *method,
+ TLS_FEATURE *tls_feature,
+ STACK_OF(CONF_VALUE) *ext_list)
+{
+ int i;
+ size_t j;
+ ASN1_INTEGER *ai;
+ long tlsextid;
+ for (i = 0; i < sk_ASN1_INTEGER_num(tls_feature); i++) {
+ ai = sk_ASN1_INTEGER_value(tls_feature, i);
+ tlsextid = ASN1_INTEGER_get(ai);
+ for (j = 0; j < OSSL_NELEM(tls_feature_tbl); j++)
+ if (tlsextid == tls_feature_tbl[j].num)
+ break;
+ if (j < OSSL_NELEM(tls_feature_tbl))
+ X509V3_add_value(NULL, tls_feature_tbl[j].name, &ext_list);
+ else
+ X509V3_add_value_int(NULL, ai, &ext_list);
+ }
+ return ext_list;
+}
+
+/*
+ * v2i_TLS_FEATURE converts the multi-valued extension nval into a TLS_FEATURE
+ * structure, which is returned if the conversion is successful. In case of
+ * error, NULL is returned.
+ */
+static TLS_FEATURE *v2i_TLS_FEATURE(const X509V3_EXT_METHOD *method,
+ X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
+{
+ TLS_FEATURE *tlsf;
+ char *extval, *endptr;
+ ASN1_INTEGER *ai;
+ CONF_VALUE *val;
+ int i;
+ size_t j;
+ long tlsextid;
+
+ if ((tlsf = sk_ASN1_INTEGER_new_null()) == NULL) {
+ X509V3err(X509V3_F_V2I_TLS_FEATURE, ERR_R_MALLOC_FAILURE);
+ return NULL;
+ }
+
+ for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
+ val = sk_CONF_VALUE_value(nval, i);
+ if (val->value)
+ extval = val->value;
+ else
+ extval = val->name;
+
+ for (j = 0; j < OSSL_NELEM(tls_feature_tbl); j++)
+ if (strcasecmp(extval, tls_feature_tbl[j].name) == 0)
+ break;
+ if (j < OSSL_NELEM(tls_feature_tbl))
+ tlsextid = tls_feature_tbl[j].num;
+ else {
+ tlsextid = strtol(extval, &endptr, 10);
+ if (((*endptr) != '\0') || (extval == endptr) || (tlsextid < 0) ||
+ (tlsextid > 65535)) {
+ X509V3err(X509V3_F_V2I_TLS_FEATURE, X509V3_R_INVALID_SYNTAX);
+ X509V3_conf_err(val);
+ goto err;
+ }
+ }
+
+ if ((ai = ASN1_INTEGER_new()) == NULL
+ || !ASN1_INTEGER_set(ai, tlsextid)
+ || sk_ASN1_INTEGER_push(tlsf, ai) <= 0) {
+ X509V3err(X509V3_F_V2I_TLS_FEATURE, ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+ }
+ return tlsf;
+
+ err:
+ sk_ASN1_INTEGER_pop_free(tlsf, ASN1_INTEGER_free);
+ return NULL;
+}
diff --git a/crypto/x509v3/v3_utl.c b/crypto/x509v3/v3_utl.c
index 43b9cb9c5861..c9b40d2c76eb 100644
--- a/crypto/x509v3/v3_utl.c
+++ b/crypto/x509v3/v3_utl.c
@@ -1,76 +1,31 @@
-/* v3_utl.c */
/*
- * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project.
- */
-/* ====================================================================
- * Copyright (c) 1999-2003 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
+ * Copyright 1999-2017 The OpenSSL Project Authors. All Rights Reserved.
*
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
*/
+
/* X509 v3 extension utilities */
+#include "e_os.h"
+#include "internal/cryptlib.h"
#include <stdio.h>
-#include <ctype.h>
-#include "cryptlib.h"
+#include "internal/ctype.h"
#include <openssl/conf.h>
+#include <openssl/crypto.h>
#include <openssl/x509v3.h>
+#include "internal/x509_int.h"
#include <openssl/bn.h>
+#include "ext_dat.h"
static char *strip_spaces(char *name);
static int sk_strcmp(const char *const *a, const char *const *b);
static STACK_OF(OPENSSL_STRING) *get_email(X509_NAME *name,
GENERAL_NAMES *gens);
static void str_free(OPENSSL_STRING str);
-static int append_ia5(STACK_OF(OPENSSL_STRING) **sk, ASN1_IA5STRING *email);
+static int append_ia5(STACK_OF(OPENSSL_STRING) **sk, const ASN1_IA5STRING *email);
static int ipv4_from_asc(unsigned char *v4, const char *in);
static int ipv6_from_asc(unsigned char *v6, const char *in);
@@ -84,13 +39,15 @@ int X509V3_add_value(const char *name, const char *value,
{
CONF_VALUE *vtmp = NULL;
char *tname = NULL, *tvalue = NULL;
- if (name && !(tname = BUF_strdup(name)))
+ int sk_allocated = (*extlist == NULL);
+
+ if (name && (tname = OPENSSL_strdup(name)) == NULL)
goto err;
- if (value && !(tvalue = BUF_strdup(value)))
+ if (value && (tvalue = OPENSSL_strdup(value)) == NULL)
goto err;
- if (!(vtmp = (CONF_VALUE *)OPENSSL_malloc(sizeof(CONF_VALUE))))
+ if ((vtmp = OPENSSL_malloc(sizeof(*vtmp))) == NULL)
goto err;
- if (!*extlist && !(*extlist = sk_CONF_VALUE_new_null()))
+ if (sk_allocated && (*extlist = sk_CONF_VALUE_new_null()) == NULL)
goto err;
vtmp->section = NULL;
vtmp->name = tname;
@@ -100,12 +57,13 @@ int X509V3_add_value(const char *name, const char *value,
return 1;
err:
X509V3err(X509V3_F_X509V3_ADD_VALUE, ERR_R_MALLOC_FAILURE);
- if (vtmp)
- OPENSSL_free(vtmp);
- if (tname)
- OPENSSL_free(tname);
- if (tvalue)
- OPENSSL_free(tvalue);
+ if (sk_allocated) {
+ sk_CONF_VALUE_free(*extlist);
+ *extlist = NULL;
+ }
+ OPENSSL_free(vtmp);
+ OPENSSL_free(tname);
+ OPENSSL_free(tvalue);
return 0;
}
@@ -121,12 +79,9 @@ void X509V3_conf_free(CONF_VALUE *conf)
{
if (!conf)
return;
- if (conf->name)
- OPENSSL_free(conf->name);
- if (conf->value)
- OPENSSL_free(conf->value);
- if (conf->section)
- OPENSSL_free(conf->section);
+ OPENSSL_free(conf->name);
+ OPENSSL_free(conf->value);
+ OPENSSL_free(conf->section);
OPENSSL_free(conf);
}
@@ -138,7 +93,7 @@ int X509V3_add_value_bool(const char *name, int asn1_bool,
return X509V3_add_value(name, "FALSE", extlist);
}
-int X509V3_add_value_bool_nf(char *name, int asn1_bool,
+int X509V3_add_value_bool_nf(const char *name, int asn1_bool,
STACK_OF(CONF_VALUE) **extlist)
{
if (asn1_bool)
@@ -146,43 +101,86 @@ int X509V3_add_value_bool_nf(char *name, int asn1_bool,
return 1;
}
-char *i2s_ASN1_ENUMERATED(X509V3_EXT_METHOD *method, ASN1_ENUMERATED *a)
+static char *bignum_to_string(const BIGNUM *bn)
+{
+ char *tmp, *ret;
+ size_t len;
+
+ /*
+ * Display large numbers in hex and small numbers in decimal. Converting to
+ * decimal takes quadratic time and is no more useful than hex for large
+ * numbers.
+ */
+ if (BN_num_bits(bn) < 128)
+ return BN_bn2dec(bn);
+
+ tmp = BN_bn2hex(bn);
+ if (tmp == NULL)
+ return NULL;
+
+ len = strlen(tmp) + 3;
+ ret = OPENSSL_malloc(len);
+ if (ret == NULL) {
+ X509V3err(X509V3_F_BIGNUM_TO_STRING, ERR_R_MALLOC_FAILURE);
+ OPENSSL_free(tmp);
+ return NULL;
+ }
+
+ /* Prepend "0x", but place it after the "-" if negative. */
+ if (tmp[0] == '-') {
+ OPENSSL_strlcpy(ret, "-0x", len);
+ OPENSSL_strlcat(ret, tmp + 1, len);
+ } else {
+ OPENSSL_strlcpy(ret, "0x", len);
+ OPENSSL_strlcat(ret, tmp, len);
+ }
+ OPENSSL_free(tmp);
+ return ret;
+}
+
+char *i2s_ASN1_ENUMERATED(X509V3_EXT_METHOD *method, const ASN1_ENUMERATED *a)
{
BIGNUM *bntmp = NULL;
char *strtmp = NULL;
+
if (!a)
return NULL;
- if (!(bntmp = ASN1_ENUMERATED_to_BN(a, NULL)) ||
- !(strtmp = BN_bn2dec(bntmp)))
+ if ((bntmp = ASN1_ENUMERATED_to_BN(a, NULL)) == NULL
+ || (strtmp = bignum_to_string(bntmp)) == NULL)
X509V3err(X509V3_F_I2S_ASN1_ENUMERATED, ERR_R_MALLOC_FAILURE);
BN_free(bntmp);
return strtmp;
}
-char *i2s_ASN1_INTEGER(X509V3_EXT_METHOD *method, ASN1_INTEGER *a)
+char *i2s_ASN1_INTEGER(X509V3_EXT_METHOD *method, const ASN1_INTEGER *a)
{
BIGNUM *bntmp = NULL;
char *strtmp = NULL;
+
if (!a)
return NULL;
- if (!(bntmp = ASN1_INTEGER_to_BN(a, NULL)) ||
- !(strtmp = BN_bn2dec(bntmp)))
+ if ((bntmp = ASN1_INTEGER_to_BN(a, NULL)) == NULL
+ || (strtmp = bignum_to_string(bntmp)) == NULL)
X509V3err(X509V3_F_I2S_ASN1_INTEGER, ERR_R_MALLOC_FAILURE);
BN_free(bntmp);
return strtmp;
}
-ASN1_INTEGER *s2i_ASN1_INTEGER(X509V3_EXT_METHOD *method, char *value)
+ASN1_INTEGER *s2i_ASN1_INTEGER(X509V3_EXT_METHOD *method, const char *value)
{
BIGNUM *bn = NULL;
ASN1_INTEGER *aint;
int isneg, ishex;
int ret;
- if (!value) {
+ if (value == NULL) {
X509V3err(X509V3_F_S2I_ASN1_INTEGER, X509V3_R_INVALID_NULL_VALUE);
- return 0;
+ return NULL;
}
bn = BN_new();
+ if (bn == NULL) {
+ X509V3err(X509V3_F_S2I_ASN1_INTEGER, ERR_R_MALLOC_FAILURE);
+ return NULL;
+ }
if (value[0] == '-') {
value++;
isneg = 1;
@@ -203,7 +201,7 @@ ASN1_INTEGER *s2i_ASN1_INTEGER(X509V3_EXT_METHOD *method, char *value)
if (!ret || value[ret]) {
BN_free(bn);
X509V3err(X509V3_F_S2I_ASN1_INTEGER, X509V3_R_BN_DEC2BN_ERROR);
- return 0;
+ return NULL;
}
if (isneg && BN_is_zero(bn))
@@ -214,40 +212,49 @@ ASN1_INTEGER *s2i_ASN1_INTEGER(X509V3_EXT_METHOD *method, char *value)
if (!aint) {
X509V3err(X509V3_F_S2I_ASN1_INTEGER,
X509V3_R_BN_TO_ASN1_INTEGER_ERROR);
- return 0;
+ return NULL;
}
if (isneg)
aint->type |= V_ASN1_NEG;
return aint;
}
-int X509V3_add_value_int(const char *name, ASN1_INTEGER *aint,
+int X509V3_add_value_int(const char *name, const ASN1_INTEGER *aint,
STACK_OF(CONF_VALUE) **extlist)
{
char *strtmp;
int ret;
+
if (!aint)
return 1;
- if (!(strtmp = i2s_ASN1_INTEGER(NULL, aint)))
+ if ((strtmp = i2s_ASN1_INTEGER(NULL, aint)) == NULL)
return 0;
ret = X509V3_add_value(name, strtmp, extlist);
OPENSSL_free(strtmp);
return ret;
}
-int X509V3_get_value_bool(CONF_VALUE *value, int *asn1_bool)
+int X509V3_get_value_bool(const CONF_VALUE *value, int *asn1_bool)
{
- char *btmp;
- if (!(btmp = value->value))
+ const char *btmp;
+
+ if ((btmp = value->value) == NULL)
goto err;
- if (!strcmp(btmp, "TRUE") || !strcmp(btmp, "true")
- || !strcmp(btmp, "Y") || !strcmp(btmp, "y")
- || !strcmp(btmp, "YES") || !strcmp(btmp, "yes")) {
+ if (strcmp(btmp, "TRUE") == 0
+ || strcmp(btmp, "true") == 0
+ || strcmp(btmp, "Y") == 0
+ || strcmp(btmp, "y") == 0
+ || strcmp(btmp, "YES") == 0
+ || strcmp(btmp, "yes") == 0) {
*asn1_bool = 0xff;
return 1;
- } else if (!strcmp(btmp, "FALSE") || !strcmp(btmp, "false")
- || !strcmp(btmp, "N") || !strcmp(btmp, "n")
- || !strcmp(btmp, "NO") || !strcmp(btmp, "no")) {
+ }
+ if (strcmp(btmp, "FALSE") == 0
+ || strcmp(btmp, "false") == 0
+ || strcmp(btmp, "N") == 0
+ || strcmp(btmp, "n") == 0
+ || strcmp(btmp, "NO") == 0
+ || strcmp(btmp, "no") == 0) {
*asn1_bool = 0;
return 1;
}
@@ -258,10 +265,11 @@ int X509V3_get_value_bool(CONF_VALUE *value, int *asn1_bool)
return 0;
}
-int X509V3_get_value_int(CONF_VALUE *value, ASN1_INTEGER **aint)
+int X509V3_get_value_int(const CONF_VALUE *value, ASN1_INTEGER **aint)
{
ASN1_INTEGER *itmp;
- if (!(itmp = s2i_ASN1_INTEGER(NULL, value->value))) {
+
+ if ((itmp = s2i_ASN1_INTEGER(NULL, value->value)) == NULL) {
X509V3_conf_err(value);
return 0;
}
@@ -284,7 +292,7 @@ STACK_OF(CONF_VALUE) *X509V3_parse_list(const char *line)
char *linebuf;
int state;
/* We are going to modify the line so copy it first */
- linebuf = BUF_strdup(line);
+ linebuf = OPENSSL_strdup(line);
if (linebuf == NULL) {
X509V3err(X509V3_F_X509V3_PARSE_LIST, ERR_R_MALLOC_FAILURE);
goto err;
@@ -311,9 +319,6 @@ STACK_OF(CONF_VALUE) *X509V3_parse_list(const char *line)
*p = 0;
ntmp = strip_spaces(q);
q = p + 1;
-#if 0
- printf("%s\n", ntmp);
-#endif
if (!ntmp) {
X509V3err(X509V3_F_X509V3_PARSE_LIST,
X509V3_R_INVALID_NULL_NAME);
@@ -328,9 +333,6 @@ STACK_OF(CONF_VALUE) *X509V3_parse_list(const char *line)
state = HDR_NAME;
*p = 0;
vtmp = strip_spaces(q);
-#if 0
- printf("%s\n", ntmp);
-#endif
if (!vtmp) {
X509V3err(X509V3_F_X509V3_PARSE_LIST,
X509V3_R_INVALID_NULL_VALUE);
@@ -346,9 +348,6 @@ STACK_OF(CONF_VALUE) *X509V3_parse_list(const char *line)
if (state == HDR_VALUE) {
vtmp = strip_spaces(q);
-#if 0
- printf("%s=%s\n", ntmp, vtmp);
-#endif
if (!vtmp) {
X509V3err(X509V3_F_X509V3_PARSE_LIST,
X509V3_R_INVALID_NULL_VALUE);
@@ -357,9 +356,6 @@ STACK_OF(CONF_VALUE) *X509V3_parse_list(const char *line)
X509V3_add_value(ntmp, vtmp, &values);
} else {
ntmp = strip_spaces(q);
-#if 0
- printf("%s\n", ntmp);
-#endif
if (!ntmp) {
X509V3err(X509V3_F_X509V3_PARSE_LIST, X509V3_R_INVALID_NULL_NAME);
goto err;
@@ -382,12 +378,12 @@ static char *strip_spaces(char *name)
char *p, *q;
/* Skip over leading spaces */
p = name;
- while (*p && isspace((unsigned char)*p))
+ while (*p && ossl_isspace(*p))
p++;
if (!*p)
return NULL;
q = p + strlen(p) - 1;
- while ((q != p) && isspace((unsigned char)*q))
+ while ((q != p) && ossl_isspace(*q))
q--;
if (p != q)
q[1] = 0;
@@ -396,109 +392,6 @@ static char *strip_spaces(char *name)
return p;
}
-/* hex string utilities */
-
-/*
- * Given a buffer of length 'len' return a OPENSSL_malloc'ed string with its
- * hex representation @@@ (Contents of buffer are always kept in ASCII, also
- * on EBCDIC machines)
- */
-
-char *hex_to_string(const unsigned char *buffer, long len)
-{
- char *tmp, *q;
- const unsigned char *p;
- int i;
- const static char hexdig[] = "0123456789ABCDEF";
- if (!buffer || !len)
- return NULL;
- if (!(tmp = OPENSSL_malloc(len * 3 + 1))) {
- X509V3err(X509V3_F_HEX_TO_STRING, ERR_R_MALLOC_FAILURE);
- return NULL;
- }
- q = tmp;
- for (i = 0, p = buffer; i < len; i++, p++) {
- *q++ = hexdig[(*p >> 4) & 0xf];
- *q++ = hexdig[*p & 0xf];
- *q++ = ':';
- }
- q[-1] = 0;
-#ifdef CHARSET_EBCDIC
- ebcdic2ascii(tmp, tmp, q - tmp - 1);
-#endif
-
- return tmp;
-}
-
-/*
- * Give a string of hex digits convert to a buffer
- */
-
-unsigned char *string_to_hex(const char *str, long *len)
-{
- unsigned char *hexbuf, *q;
- unsigned char ch, cl, *p;
- if (!str) {
- X509V3err(X509V3_F_STRING_TO_HEX, X509V3_R_INVALID_NULL_ARGUMENT);
- return NULL;
- }
- if (!(hexbuf = OPENSSL_malloc(strlen(str) >> 1)))
- goto err;
- for (p = (unsigned char *)str, q = hexbuf; *p;) {
- ch = *p++;
-#ifdef CHARSET_EBCDIC
- ch = os_toebcdic[ch];
-#endif
- if (ch == ':')
- continue;
- cl = *p++;
-#ifdef CHARSET_EBCDIC
- cl = os_toebcdic[cl];
-#endif
- if (!cl) {
- X509V3err(X509V3_F_STRING_TO_HEX, X509V3_R_ODD_NUMBER_OF_DIGITS);
- OPENSSL_free(hexbuf);
- return NULL;
- }
- if (isupper(ch))
- ch = tolower(ch);
- if (isupper(cl))
- cl = tolower(cl);
-
- if ((ch >= '0') && (ch <= '9'))
- ch -= '0';
- else if ((ch >= 'a') && (ch <= 'f'))
- ch -= 'a' - 10;
- else
- goto badhex;
-
- if ((cl >= '0') && (cl <= '9'))
- cl -= '0';
- else if ((cl >= 'a') && (cl <= 'f'))
- cl -= 'a' - 10;
- else
- goto badhex;
-
- *q++ = (ch << 4) | cl;
- }
-
- if (len)
- *len = q - hexbuf;
-
- return hexbuf;
-
- err:
- if (hexbuf)
- OPENSSL_free(hexbuf);
- X509V3err(X509V3_F_STRING_TO_HEX, ERR_R_MALLOC_FAILURE);
- return NULL;
-
- badhex:
- OPENSSL_free(hexbuf);
- X509V3err(X509V3_F_STRING_TO_HEX, X509V3_R_ILLEGAL_HEX_DIGIT);
- return NULL;
-
-}
/*
* V2I name comparison function: returns zero if 'name' matches cmp or cmp.*
@@ -575,11 +468,11 @@ static STACK_OF(OPENSSL_STRING) *get_email(X509_NAME *name,
{
STACK_OF(OPENSSL_STRING) *ret = NULL;
X509_NAME_ENTRY *ne;
- ASN1_IA5STRING *email;
+ const ASN1_IA5STRING *email;
GENERAL_NAME *gen;
- int i;
+ int i = -1;
+
/* Now add any email address(es) to STACK */
- i = -1;
/* First supplied X509_NAME */
while ((i = X509_NAME_get_index_by_NID(name,
NID_pkcs9_emailAddress, i)) >= 0) {
@@ -603,7 +496,7 @@ static void str_free(OPENSSL_STRING str)
OPENSSL_free(str);
}
-static int append_ia5(STACK_OF(OPENSSL_STRING) **sk, ASN1_IA5STRING *email)
+static int append_ia5(STACK_OF(OPENSSL_STRING) **sk, const ASN1_IA5STRING *email)
{
char *emtmp;
/* First some sanity checks */
@@ -611,15 +504,16 @@ static int append_ia5(STACK_OF(OPENSSL_STRING) **sk, ASN1_IA5STRING *email)
return 1;
if (!email->data || !email->length)
return 1;
- if (!*sk)
+ if (*sk == NULL)
*sk = sk_OPENSSL_STRING_new(sk_strcmp);
- if (!*sk)
+ if (*sk == NULL)
return 0;
/* Don't add duplicates */
if (sk_OPENSSL_STRING_find(*sk, (char *)email->data) != -1)
return 1;
- emtmp = BUF_strdup((char *)email->data);
- if (!emtmp || !sk_OPENSSL_STRING_push(*sk, emtmp)) {
+ emtmp = OPENSSL_strdup((char *)email->data);
+ if (emtmp == NULL || !sk_OPENSSL_STRING_push(*sk, emtmp)) {
+ OPENSSL_free(emtmp); /* free on push failure */
X509_email_free(*sk);
*sk = NULL;
return 0;
@@ -638,7 +532,7 @@ typedef int (*equal_fn) (const unsigned char *pattern, size_t pattern_len,
/* Skip pattern prefix to match "wildcard" subject */
static void skip_prefix(const unsigned char **p, size_t *plen,
- const unsigned char *subject, size_t subject_len,
+ size_t subject_len,
unsigned int flags)
{
const unsigned char *pattern = *p;
@@ -673,7 +567,7 @@ static int equal_nocase(const unsigned char *pattern, size_t pattern_len,
const unsigned char *subject, size_t subject_len,
unsigned int flags)
{
- skip_prefix(&pattern, &pattern_len, subject, subject_len, flags);
+ skip_prefix(&pattern, &pattern_len, subject_len, flags);
if (pattern_len != subject_len)
return 0;
while (pattern_len) {
@@ -702,7 +596,7 @@ static int equal_case(const unsigned char *pattern, size_t pattern_len,
const unsigned char *subject, size_t subject_len,
unsigned int flags)
{
- skip_prefix(&pattern, &pattern_len, subject, subject_len, flags);
+ skip_prefix(&pattern, &pattern_len, subject_len, flags);
if (pattern_len != subject_len)
return 0;
return !memcmp(pattern, subject, pattern_len);
@@ -885,7 +779,7 @@ static int equal_wildcard(const unsigned char *pattern, size_t pattern_len,
* to UTF8.
*/
-static int do_check_string(ASN1_STRING *a, int cmp_type, equal_fn equal,
+static int do_check_string(const ASN1_STRING *a, int cmp_type, equal_fn equal,
unsigned int flags, const char *b, size_t blen,
char **peername)
{
@@ -901,7 +795,7 @@ static int do_check_string(ASN1_STRING *a, int cmp_type, equal_fn equal,
else if (a->length == (int)blen && !memcmp(a->data, b, blen))
rv = 1;
if (rv > 0 && peername)
- *peername = BUF_strndup((char *)a->data, a->length);
+ *peername = OPENSSL_strndup((char *)a->data, a->length);
} else {
int astrlen;
unsigned char *astr;
@@ -915,7 +809,7 @@ static int do_check_string(ASN1_STRING *a, int cmp_type, equal_fn equal,
}
rv = equal(astr, astrlen, (unsigned char *)b, blen, flags);
if (rv > 0 && peername)
- *peername = BUF_strndup((char *)astr, astrlen);
+ *peername = OPENSSL_strndup((char *)astr, astrlen);
OPENSSL_free(astr);
}
return rv;
@@ -980,23 +874,20 @@ static int do_x509_check(X509 *x, const char *chk, size_t chklen,
GENERAL_NAMES_free(gens);
if (rv != 0)
return rv;
- if (cnid == NID_undef
- || (san_present
- && !(flags & X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT)))
+ if (san_present && !(flags & X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT))
return 0;
}
/* We're done if CN-ID is not pertinent */
- if (cnid == NID_undef)
+ if (cnid == NID_undef || (flags & X509_CHECK_FLAG_NEVER_CHECK_SUBJECT))
return 0;
i = -1;
name = X509_get_subject_name(x);
while ((i = X509_NAME_get_index_by_NID(name, cnid, i)) >= 0) {
- X509_NAME_ENTRY *ne;
- ASN1_STRING *str;
- ne = X509_NAME_get_entry(name, i);
- str = X509_NAME_ENTRY_get_data(ne);
+ const X509_NAME_ENTRY *ne = X509_NAME_get_entry(name, i);
+ const ASN1_STRING *str = X509_NAME_ENTRY_get_data(ne);
+
/* Positive on success, negative on error! */
if ((rv = do_check_string(str, -1, equal, flags,
chk, chklen, peername)) != 0)
@@ -1083,7 +974,7 @@ ASN1_OCTET_STRING *a2i_IPADDRESS(const char *ipasc)
return NULL;
ret = ASN1_OCTET_STRING_new();
- if (!ret)
+ if (ret == NULL)
return NULL;
if (!ASN1_OCTET_STRING_set(ret, ipout, iplen)) {
ASN1_OCTET_STRING_free(ret);
@@ -1101,7 +992,7 @@ ASN1_OCTET_STRING *a2i_IPADDRESS_NC(const char *ipasc)
p = strchr(ipasc, '/');
if (!p)
return NULL;
- iptmp = BUF_strdup(ipasc);
+ iptmp = OPENSSL_strdup(ipasc);
if (!iptmp)
return NULL;
p = iptmp + (p - ipasc);
@@ -1121,7 +1012,7 @@ ASN1_OCTET_STRING *a2i_IPADDRESS_NC(const char *ipasc)
goto err;
ret = ASN1_OCTET_STRING_new();
- if (!ret)
+ if (ret == NULL)
goto err;
if (!ASN1_OCTET_STRING_set(ret, ipout, iplen1 + iplen2))
goto err;
@@ -1129,10 +1020,8 @@ ASN1_OCTET_STRING *a2i_IPADDRESS_NC(const char *ipasc)
return ret;
err:
- if (iptmp)
- OPENSSL_free(iptmp);
- if (ret)
- ASN1_OCTET_STRING_free(ret);
+ OPENSSL_free(iptmp);
+ ASN1_OCTET_STRING_free(ret);
return NULL;
}
@@ -1284,19 +1173,17 @@ static int ipv6_hex(unsigned char *out, const char *in, int inlen)
{
unsigned char c;
unsigned int num = 0;
+ int x;
+
if (inlen > 4)
return 0;
while (inlen--) {
c = *in++;
num <<= 4;
- if ((c >= '0') && (c <= '9'))
- num |= c - '0';
- else if ((c >= 'A') && (c <= 'F'))
- num |= c - 'A' + 10;
- else if ((c >= 'a') && (c <= 'f'))
- num |= c - 'a' + 10;
- else
+ x = OPENSSL_hexchar2int(c);
+ if (x < 0)
return 0;
+ num |= (char)x;
}
out[0] = num >> 8;
out[1] = num & 0xff;
@@ -1307,7 +1194,7 @@ int X509V3_NAME_from_section(X509_NAME *nm, STACK_OF(CONF_VALUE) *dn_sk,
unsigned long chtype)
{
CONF_VALUE *v;
- int i, mval;
+ int i, mval, spec_char, plus_char;
char *p, *type;
if (!nm)
return 0;
@@ -1318,25 +1205,26 @@ int X509V3_NAME_from_section(X509_NAME *nm, STACK_OF(CONF_VALUE) *dn_sk,
/*
* Skip past any leading X. X: X, etc to allow for multiple instances
*/
- for (p = type; *p; p++)
+ for (p = type; *p; p++) {
#ifndef CHARSET_EBCDIC
- if ((*p == ':') || (*p == ',') || (*p == '.'))
+ spec_char = ((*p == ':') || (*p == ',') || (*p == '.'));
#else
- if ((*p == os_toascii[':']) || (*p == os_toascii[','])
- || (*p == os_toascii['.']))
+ spec_char = ((*p == os_toascii[':']) || (*p == os_toascii[','])
+ || (*p == os_toascii['.']));
#endif
- {
+ if (spec_char) {
p++;
if (*p)
type = p;
break;
}
+ }
#ifndef CHARSET_EBCDIC
- if (*type == '+')
+ plus_char = (*type == '+');
#else
- if (*type == os_toascii['+'])
+ plus_char = (*type == os_toascii['+']);
#endif
- {
+ if (plus_char) {
mval = -1;
type++;
} else
diff --git a/crypto/x509v3/v3conf.c b/crypto/x509v3/v3conf.c
deleted file mode 100644
index 41aa26694818..000000000000
--- a/crypto/x509v3/v3conf.c
+++ /dev/null
@@ -1,129 +0,0 @@
-/* v3conf.c */
-/*
- * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
- * 1999.
- */
-/* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-#include "cryptlib.h"
-#include <openssl/asn1.h>
-#include <openssl/conf.h>
-#include <openssl/x509.h>
-#include <openssl/x509v3.h>
-
-/* Test application to add extensions from a config file */
-
-int main(int argc, char **argv)
-{
- LHASH *conf;
- X509 *cert;
- FILE *inf;
- char *conf_file;
- int i;
- int count;
- X509_EXTENSION *ext;
- X509V3_add_standard_extensions();
- ERR_load_crypto_strings();
- if (!argv[1]) {
- fprintf(stderr, "Usage: v3conf cert.pem [file.cnf]\n");
- exit(1);
- }
- conf_file = argv[2];
- if (!conf_file)
- conf_file = "test.cnf";
- conf = CONF_load(NULL, "test.cnf", NULL);
- if (!conf) {
- fprintf(stderr, "Error opening Config file %s\n", conf_file);
- ERR_print_errors_fp(stderr);
- exit(1);
- }
-
- inf = fopen(argv[1], "r");
- if (!inf) {
- fprintf(stderr, "Can't open certificate file %s\n", argv[1]);
- exit(1);
- }
- cert = PEM_read_X509(inf, NULL, NULL);
- if (!cert) {
- fprintf(stderr, "Error reading certificate file %s\n", argv[1]);
- exit(1);
- }
- fclose(inf);
-
- sk_pop_free(cert->cert_info->extensions, X509_EXTENSION_free);
- cert->cert_info->extensions = NULL;
-
- if (!X509V3_EXT_add_conf(conf, NULL, "test_section", cert)) {
- fprintf(stderr, "Error adding extensions\n");
- ERR_print_errors_fp(stderr);
- exit(1);
- }
-
- count = X509_get_ext_count(cert);
- printf("%d extensions\n", count);
- for (i = 0; i < count; i++) {
- ext = X509_get_ext(cert, i);
- printf("%s", OBJ_nid2ln(OBJ_obj2nid(ext->object)));
- if (ext->critical)
- printf(",critical:\n");
- else
- printf(":\n");
- X509V3_EXT_print_fp(stdout, ext, 0, 0);
- printf("\n");
-
- }
- return 0;
-}
diff --git a/crypto/x509v3/v3err.c b/crypto/x509v3/v3err.c
index bcc1be722e42..4f2ea52a4a5f 100644
--- a/crypto/x509v3/v3err.c
+++ b/crypto/x509v3/v3err.c
@@ -1,249 +1,257 @@
-/* crypto/x509v3/v3err.c */
-/* ====================================================================
- * Copyright (c) 1999-2014 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * openssl-core@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
/*
- * NOTE: this file was auto generated by the mkerr.pl script: any changes
- * made to it will be overwritten when the script next updates this file,
- * only reason strings will be preserved.
+ * Generated by util/mkerr.pl DO NOT EDIT
+ * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
*/
-#include <stdio.h>
#include <openssl/err.h>
-#include <openssl/x509v3.h>
+#include <openssl/x509v3err.h>
-/* BEGIN ERROR CODES */
#ifndef OPENSSL_NO_ERR
-# define ERR_FUNC(func) ERR_PACK(ERR_LIB_X509V3,func,0)
-# define ERR_REASON(reason) ERR_PACK(ERR_LIB_X509V3,0,reason)
-
-static ERR_STRING_DATA X509V3_str_functs[] = {
- {ERR_FUNC(X509V3_F_A2I_GENERAL_NAME), "a2i_GENERAL_NAME"},
- {ERR_FUNC(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE),
- "ASIDENTIFIERCHOICE_CANONIZE"},
- {ERR_FUNC(X509V3_F_ASIDENTIFIERCHOICE_IS_CANONICAL),
- "ASIDENTIFIERCHOICE_IS_CANONICAL"},
- {ERR_FUNC(X509V3_F_COPY_EMAIL), "COPY_EMAIL"},
- {ERR_FUNC(X509V3_F_COPY_ISSUER), "COPY_ISSUER"},
- {ERR_FUNC(X509V3_F_DO_DIRNAME), "DO_DIRNAME"},
- {ERR_FUNC(X509V3_F_DO_EXT_CONF), "DO_EXT_CONF"},
- {ERR_FUNC(X509V3_F_DO_EXT_I2D), "DO_EXT_I2D"},
- {ERR_FUNC(X509V3_F_DO_EXT_NCONF), "DO_EXT_NCONF"},
- {ERR_FUNC(X509V3_F_DO_I2V_NAME_CONSTRAINTS), "DO_I2V_NAME_CONSTRAINTS"},
- {ERR_FUNC(X509V3_F_GNAMES_FROM_SECTNAME), "GNAMES_FROM_SECTNAME"},
- {ERR_FUNC(X509V3_F_HEX_TO_STRING), "hex_to_string"},
- {ERR_FUNC(X509V3_F_I2S_ASN1_ENUMERATED), "i2s_ASN1_ENUMERATED"},
- {ERR_FUNC(X509V3_F_I2S_ASN1_IA5STRING), "I2S_ASN1_IA5STRING"},
- {ERR_FUNC(X509V3_F_I2S_ASN1_INTEGER), "i2s_ASN1_INTEGER"},
- {ERR_FUNC(X509V3_F_I2V_AUTHORITY_INFO_ACCESS),
- "I2V_AUTHORITY_INFO_ACCESS"},
- {ERR_FUNC(X509V3_F_NOTICE_SECTION), "NOTICE_SECTION"},
- {ERR_FUNC(X509V3_F_NREF_NOS), "NREF_NOS"},
- {ERR_FUNC(X509V3_F_POLICY_SECTION), "POLICY_SECTION"},
- {ERR_FUNC(X509V3_F_PROCESS_PCI_VALUE), "PROCESS_PCI_VALUE"},
- {ERR_FUNC(X509V3_F_R2I_CERTPOL), "R2I_CERTPOL"},
- {ERR_FUNC(X509V3_F_R2I_PCI), "R2I_PCI"},
- {ERR_FUNC(X509V3_F_S2I_ASN1_IA5STRING), "S2I_ASN1_IA5STRING"},
- {ERR_FUNC(X509V3_F_S2I_ASN1_INTEGER), "s2i_ASN1_INTEGER"},
- {ERR_FUNC(X509V3_F_S2I_ASN1_OCTET_STRING), "s2i_ASN1_OCTET_STRING"},
- {ERR_FUNC(X509V3_F_S2I_ASN1_SKEY_ID), "S2I_ASN1_SKEY_ID"},
- {ERR_FUNC(X509V3_F_S2I_SKEY_ID), "S2I_SKEY_ID"},
- {ERR_FUNC(X509V3_F_SET_DIST_POINT_NAME), "SET_DIST_POINT_NAME"},
- {ERR_FUNC(X509V3_F_STRING_TO_HEX), "string_to_hex"},
- {ERR_FUNC(X509V3_F_SXNET_ADD_ID_ASC), "SXNET_add_id_asc"},
- {ERR_FUNC(X509V3_F_SXNET_ADD_ID_INTEGER), "SXNET_add_id_INTEGER"},
- {ERR_FUNC(X509V3_F_SXNET_ADD_ID_ULONG), "SXNET_add_id_ulong"},
- {ERR_FUNC(X509V3_F_SXNET_GET_ID_ASC), "SXNET_get_id_asc"},
- {ERR_FUNC(X509V3_F_SXNET_GET_ID_ULONG), "SXNET_get_id_ulong"},
- {ERR_FUNC(X509V3_F_V2I_ASIDENTIFIERS), "V2I_ASIDENTIFIERS"},
- {ERR_FUNC(X509V3_F_V2I_ASN1_BIT_STRING), "v2i_ASN1_BIT_STRING"},
- {ERR_FUNC(X509V3_F_V2I_AUTHORITY_INFO_ACCESS),
- "V2I_AUTHORITY_INFO_ACCESS"},
- {ERR_FUNC(X509V3_F_V2I_AUTHORITY_KEYID), "V2I_AUTHORITY_KEYID"},
- {ERR_FUNC(X509V3_F_V2I_BASIC_CONSTRAINTS), "V2I_BASIC_CONSTRAINTS"},
- {ERR_FUNC(X509V3_F_V2I_CRLD), "V2I_CRLD"},
- {ERR_FUNC(X509V3_F_V2I_EXTENDED_KEY_USAGE), "V2I_EXTENDED_KEY_USAGE"},
- {ERR_FUNC(X509V3_F_V2I_GENERAL_NAMES), "v2i_GENERAL_NAMES"},
- {ERR_FUNC(X509V3_F_V2I_GENERAL_NAME_EX), "v2i_GENERAL_NAME_ex"},
- {ERR_FUNC(X509V3_F_V2I_IDP), "V2I_IDP"},
- {ERR_FUNC(X509V3_F_V2I_IPADDRBLOCKS), "V2I_IPADDRBLOCKS"},
- {ERR_FUNC(X509V3_F_V2I_ISSUER_ALT), "V2I_ISSUER_ALT"},
- {ERR_FUNC(X509V3_F_V2I_NAME_CONSTRAINTS), "V2I_NAME_CONSTRAINTS"},
- {ERR_FUNC(X509V3_F_V2I_POLICY_CONSTRAINTS), "V2I_POLICY_CONSTRAINTS"},
- {ERR_FUNC(X509V3_F_V2I_POLICY_MAPPINGS), "V2I_POLICY_MAPPINGS"},
- {ERR_FUNC(X509V3_F_V2I_SUBJECT_ALT), "V2I_SUBJECT_ALT"},
- {ERR_FUNC(X509V3_F_V3_ADDR_VALIDATE_PATH_INTERNAL),
- "V3_ADDR_VALIDATE_PATH_INTERNAL"},
- {ERR_FUNC(X509V3_F_V3_GENERIC_EXTENSION), "V3_GENERIC_EXTENSION"},
- {ERR_FUNC(X509V3_F_X509V3_ADD1_I2D), "X509V3_add1_i2d"},
- {ERR_FUNC(X509V3_F_X509V3_ADD_VALUE), "X509V3_add_value"},
- {ERR_FUNC(X509V3_F_X509V3_EXT_ADD), "X509V3_EXT_add"},
- {ERR_FUNC(X509V3_F_X509V3_EXT_ADD_ALIAS), "X509V3_EXT_add_alias"},
- {ERR_FUNC(X509V3_F_X509V3_EXT_CONF), "X509V3_EXT_conf"},
- {ERR_FUNC(X509V3_F_X509V3_EXT_FREE), "X509V3_EXT_free"},
- {ERR_FUNC(X509V3_F_X509V3_EXT_I2D), "X509V3_EXT_i2d"},
- {ERR_FUNC(X509V3_F_X509V3_EXT_NCONF), "X509V3_EXT_nconf"},
- {ERR_FUNC(X509V3_F_X509V3_GET_SECTION), "X509V3_get_section"},
- {ERR_FUNC(X509V3_F_X509V3_GET_STRING), "X509V3_get_string"},
- {ERR_FUNC(X509V3_F_X509V3_GET_VALUE_BOOL), "X509V3_get_value_bool"},
- {ERR_FUNC(X509V3_F_X509V3_PARSE_LIST), "X509V3_parse_list"},
- {ERR_FUNC(X509V3_F_X509_PURPOSE_ADD), "X509_PURPOSE_add"},
- {ERR_FUNC(X509V3_F_X509_PURPOSE_SET), "X509_PURPOSE_set"},
+static const ERR_STRING_DATA X509V3_str_functs[] = {
+ {ERR_PACK(ERR_LIB_X509V3, X509V3_F_A2I_GENERAL_NAME, 0),
+ "a2i_GENERAL_NAME"},
+ {ERR_PACK(ERR_LIB_X509V3, X509V3_F_ADDR_VALIDATE_PATH_INTERNAL, 0),
+ "addr_validate_path_internal"},
+ {ERR_PACK(ERR_LIB_X509V3, X509V3_F_ASIDENTIFIERCHOICE_CANONIZE, 0),
+ "ASIdentifierChoice_canonize"},
+ {ERR_PACK(ERR_LIB_X509V3, X509V3_F_ASIDENTIFIERCHOICE_IS_CANONICAL, 0),
+ "ASIdentifierChoice_is_canonical"},
+ {ERR_PACK(ERR_LIB_X509V3, X509V3_F_BIGNUM_TO_STRING, 0),
+ "bignum_to_string"},
+ {ERR_PACK(ERR_LIB_X509V3, X509V3_F_COPY_EMAIL, 0), "copy_email"},
+ {ERR_PACK(ERR_LIB_X509V3, X509V3_F_COPY_ISSUER, 0), "copy_issuer"},
+ {ERR_PACK(ERR_LIB_X509V3, X509V3_F_DO_DIRNAME, 0), "do_dirname"},
+ {ERR_PACK(ERR_LIB_X509V3, X509V3_F_DO_EXT_I2D, 0), "do_ext_i2d"},
+ {ERR_PACK(ERR_LIB_X509V3, X509V3_F_DO_EXT_NCONF, 0), "do_ext_nconf"},
+ {ERR_PACK(ERR_LIB_X509V3, X509V3_F_GNAMES_FROM_SECTNAME, 0),
+ "gnames_from_sectname"},
+ {ERR_PACK(ERR_LIB_X509V3, X509V3_F_I2S_ASN1_ENUMERATED, 0),
+ "i2s_ASN1_ENUMERATED"},
+ {ERR_PACK(ERR_LIB_X509V3, X509V3_F_I2S_ASN1_IA5STRING, 0),
+ "i2s_ASN1_IA5STRING"},
+ {ERR_PACK(ERR_LIB_X509V3, X509V3_F_I2S_ASN1_INTEGER, 0),
+ "i2s_ASN1_INTEGER"},
+ {ERR_PACK(ERR_LIB_X509V3, X509V3_F_I2V_AUTHORITY_INFO_ACCESS, 0),
+ "i2v_AUTHORITY_INFO_ACCESS"},
+ {ERR_PACK(ERR_LIB_X509V3, X509V3_F_LEVEL_ADD_NODE, 0), "level_add_node"},
+ {ERR_PACK(ERR_LIB_X509V3, X509V3_F_NOTICE_SECTION, 0), "notice_section"},
+ {ERR_PACK(ERR_LIB_X509V3, X509V3_F_NREF_NOS, 0), "nref_nos"},
+ {ERR_PACK(ERR_LIB_X509V3, X509V3_F_POLICY_CACHE_CREATE, 0),
+ "policy_cache_create"},
+ {ERR_PACK(ERR_LIB_X509V3, X509V3_F_POLICY_CACHE_NEW, 0),
+ "policy_cache_new"},
+ {ERR_PACK(ERR_LIB_X509V3, X509V3_F_POLICY_DATA_NEW, 0), "policy_data_new"},
+ {ERR_PACK(ERR_LIB_X509V3, X509V3_F_POLICY_SECTION, 0), "policy_section"},
+ {ERR_PACK(ERR_LIB_X509V3, X509V3_F_PROCESS_PCI_VALUE, 0),
+ "process_pci_value"},
+ {ERR_PACK(ERR_LIB_X509V3, X509V3_F_R2I_CERTPOL, 0), "r2i_certpol"},
+ {ERR_PACK(ERR_LIB_X509V3, X509V3_F_R2I_PCI, 0), "r2i_pci"},
+ {ERR_PACK(ERR_LIB_X509V3, X509V3_F_S2I_ASN1_IA5STRING, 0),
+ "s2i_ASN1_IA5STRING"},
+ {ERR_PACK(ERR_LIB_X509V3, X509V3_F_S2I_ASN1_INTEGER, 0),
+ "s2i_ASN1_INTEGER"},
+ {ERR_PACK(ERR_LIB_X509V3, X509V3_F_S2I_ASN1_OCTET_STRING, 0),
+ "s2i_ASN1_OCTET_STRING"},
+ {ERR_PACK(ERR_LIB_X509V3, X509V3_F_S2I_SKEY_ID, 0), "s2i_skey_id"},
+ {ERR_PACK(ERR_LIB_X509V3, X509V3_F_SET_DIST_POINT_NAME, 0),
+ "set_dist_point_name"},
+ {ERR_PACK(ERR_LIB_X509V3, X509V3_F_SXNET_ADD_ID_ASC, 0),
+ "SXNET_add_id_asc"},
+ {ERR_PACK(ERR_LIB_X509V3, X509V3_F_SXNET_ADD_ID_INTEGER, 0),
+ "SXNET_add_id_INTEGER"},
+ {ERR_PACK(ERR_LIB_X509V3, X509V3_F_SXNET_ADD_ID_ULONG, 0),
+ "SXNET_add_id_ulong"},
+ {ERR_PACK(ERR_LIB_X509V3, X509V3_F_SXNET_GET_ID_ASC, 0),
+ "SXNET_get_id_asc"},
+ {ERR_PACK(ERR_LIB_X509V3, X509V3_F_SXNET_GET_ID_ULONG, 0),
+ "SXNET_get_id_ulong"},
+ {ERR_PACK(ERR_LIB_X509V3, X509V3_F_TREE_INIT, 0), "tree_init"},
+ {ERR_PACK(ERR_LIB_X509V3, X509V3_F_V2I_ASIDENTIFIERS, 0),
+ "v2i_ASIdentifiers"},
+ {ERR_PACK(ERR_LIB_X509V3, X509V3_F_V2I_ASN1_BIT_STRING, 0),
+ "v2i_ASN1_BIT_STRING"},
+ {ERR_PACK(ERR_LIB_X509V3, X509V3_F_V2I_AUTHORITY_INFO_ACCESS, 0),
+ "v2i_AUTHORITY_INFO_ACCESS"},
+ {ERR_PACK(ERR_LIB_X509V3, X509V3_F_V2I_AUTHORITY_KEYID, 0),
+ "v2i_AUTHORITY_KEYID"},
+ {ERR_PACK(ERR_LIB_X509V3, X509V3_F_V2I_BASIC_CONSTRAINTS, 0),
+ "v2i_BASIC_CONSTRAINTS"},
+ {ERR_PACK(ERR_LIB_X509V3, X509V3_F_V2I_CRLD, 0), "v2i_crld"},
+ {ERR_PACK(ERR_LIB_X509V3, X509V3_F_V2I_EXTENDED_KEY_USAGE, 0),
+ "v2i_EXTENDED_KEY_USAGE"},
+ {ERR_PACK(ERR_LIB_X509V3, X509V3_F_V2I_GENERAL_NAMES, 0),
+ "v2i_GENERAL_NAMES"},
+ {ERR_PACK(ERR_LIB_X509V3, X509V3_F_V2I_GENERAL_NAME_EX, 0),
+ "v2i_GENERAL_NAME_ex"},
+ {ERR_PACK(ERR_LIB_X509V3, X509V3_F_V2I_IDP, 0), "v2i_idp"},
+ {ERR_PACK(ERR_LIB_X509V3, X509V3_F_V2I_IPADDRBLOCKS, 0),
+ "v2i_IPAddrBlocks"},
+ {ERR_PACK(ERR_LIB_X509V3, X509V3_F_V2I_ISSUER_ALT, 0), "v2i_issuer_alt"},
+ {ERR_PACK(ERR_LIB_X509V3, X509V3_F_V2I_NAME_CONSTRAINTS, 0),
+ "v2i_NAME_CONSTRAINTS"},
+ {ERR_PACK(ERR_LIB_X509V3, X509V3_F_V2I_POLICY_CONSTRAINTS, 0),
+ "v2i_POLICY_CONSTRAINTS"},
+ {ERR_PACK(ERR_LIB_X509V3, X509V3_F_V2I_POLICY_MAPPINGS, 0),
+ "v2i_POLICY_MAPPINGS"},
+ {ERR_PACK(ERR_LIB_X509V3, X509V3_F_V2I_SUBJECT_ALT, 0), "v2i_subject_alt"},
+ {ERR_PACK(ERR_LIB_X509V3, X509V3_F_V2I_TLS_FEATURE, 0), "v2i_TLS_FEATURE"},
+ {ERR_PACK(ERR_LIB_X509V3, X509V3_F_V3_GENERIC_EXTENSION, 0),
+ "v3_generic_extension"},
+ {ERR_PACK(ERR_LIB_X509V3, X509V3_F_X509V3_ADD1_I2D, 0), "X509V3_add1_i2d"},
+ {ERR_PACK(ERR_LIB_X509V3, X509V3_F_X509V3_ADD_VALUE, 0),
+ "X509V3_add_value"},
+ {ERR_PACK(ERR_LIB_X509V3, X509V3_F_X509V3_EXT_ADD, 0), "X509V3_EXT_add"},
+ {ERR_PACK(ERR_LIB_X509V3, X509V3_F_X509V3_EXT_ADD_ALIAS, 0),
+ "X509V3_EXT_add_alias"},
+ {ERR_PACK(ERR_LIB_X509V3, X509V3_F_X509V3_EXT_I2D, 0), "X509V3_EXT_i2d"},
+ {ERR_PACK(ERR_LIB_X509V3, X509V3_F_X509V3_EXT_NCONF, 0),
+ "X509V3_EXT_nconf"},
+ {ERR_PACK(ERR_LIB_X509V3, X509V3_F_X509V3_GET_SECTION, 0),
+ "X509V3_get_section"},
+ {ERR_PACK(ERR_LIB_X509V3, X509V3_F_X509V3_GET_STRING, 0),
+ "X509V3_get_string"},
+ {ERR_PACK(ERR_LIB_X509V3, X509V3_F_X509V3_GET_VALUE_BOOL, 0),
+ "X509V3_get_value_bool"},
+ {ERR_PACK(ERR_LIB_X509V3, X509V3_F_X509V3_PARSE_LIST, 0),
+ "X509V3_parse_list"},
+ {ERR_PACK(ERR_LIB_X509V3, X509V3_F_X509_PURPOSE_ADD, 0),
+ "X509_PURPOSE_add"},
+ {ERR_PACK(ERR_LIB_X509V3, X509V3_F_X509_PURPOSE_SET, 0),
+ "X509_PURPOSE_set"},
{0, NULL}
};
-static ERR_STRING_DATA X509V3_str_reasons[] = {
- {ERR_REASON(X509V3_R_BAD_IP_ADDRESS), "bad ip address"},
- {ERR_REASON(X509V3_R_BAD_OBJECT), "bad object"},
- {ERR_REASON(X509V3_R_BN_DEC2BN_ERROR), "bn dec2bn error"},
- {ERR_REASON(X509V3_R_BN_TO_ASN1_INTEGER_ERROR),
- "bn to asn1 integer error"},
- {ERR_REASON(X509V3_R_CANNOT_FIND_FREE_FUNCTION),
- "cannot find free function"},
- {ERR_REASON(X509V3_R_DIRNAME_ERROR), "dirname error"},
- {ERR_REASON(X509V3_R_DISTPOINT_ALREADY_SET), "distpoint already set"},
- {ERR_REASON(X509V3_R_DUPLICATE_ZONE_ID), "duplicate zone id"},
- {ERR_REASON(X509V3_R_ERROR_CONVERTING_ZONE), "error converting zone"},
- {ERR_REASON(X509V3_R_ERROR_CREATING_EXTENSION),
- "error creating extension"},
- {ERR_REASON(X509V3_R_ERROR_IN_EXTENSION), "error in extension"},
- {ERR_REASON(X509V3_R_EXPECTED_A_SECTION_NAME), "expected a section name"},
- {ERR_REASON(X509V3_R_EXTENSION_EXISTS), "extension exists"},
- {ERR_REASON(X509V3_R_EXTENSION_NAME_ERROR), "extension name error"},
- {ERR_REASON(X509V3_R_EXTENSION_NOT_FOUND), "extension not found"},
- {ERR_REASON(X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED),
- "extension setting not supported"},
- {ERR_REASON(X509V3_R_EXTENSION_VALUE_ERROR), "extension value error"},
- {ERR_REASON(X509V3_R_ILLEGAL_EMPTY_EXTENSION), "illegal empty extension"},
- {ERR_REASON(X509V3_R_ILLEGAL_HEX_DIGIT), "illegal hex digit"},
- {ERR_REASON(X509V3_R_INCORRECT_POLICY_SYNTAX_TAG),
- "incorrect policy syntax tag"},
- {ERR_REASON(X509V3_R_INVALID_ASNUMBER), "invalid asnumber"},
- {ERR_REASON(X509V3_R_INVALID_ASRANGE), "invalid asrange"},
- {ERR_REASON(X509V3_R_INVALID_BOOLEAN_STRING), "invalid boolean string"},
- {ERR_REASON(X509V3_R_INVALID_EXTENSION_STRING),
- "invalid extension string"},
- {ERR_REASON(X509V3_R_INVALID_INHERITANCE), "invalid inheritance"},
- {ERR_REASON(X509V3_R_INVALID_IPADDRESS), "invalid ipaddress"},
- {ERR_REASON(X509V3_R_INVALID_MULTIPLE_RDNS), "invalid multiple rdns"},
- {ERR_REASON(X509V3_R_INVALID_NAME), "invalid name"},
- {ERR_REASON(X509V3_R_INVALID_NULL_ARGUMENT), "invalid null argument"},
- {ERR_REASON(X509V3_R_INVALID_NULL_NAME), "invalid null name"},
- {ERR_REASON(X509V3_R_INVALID_NULL_VALUE), "invalid null value"},
- {ERR_REASON(X509V3_R_INVALID_NUMBER), "invalid number"},
- {ERR_REASON(X509V3_R_INVALID_NUMBERS), "invalid numbers"},
- {ERR_REASON(X509V3_R_INVALID_OBJECT_IDENTIFIER),
- "invalid object identifier"},
- {ERR_REASON(X509V3_R_INVALID_OPTION), "invalid option"},
- {ERR_REASON(X509V3_R_INVALID_POLICY_IDENTIFIER),
- "invalid policy identifier"},
- {ERR_REASON(X509V3_R_INVALID_PROXY_POLICY_SETTING),
- "invalid proxy policy setting"},
- {ERR_REASON(X509V3_R_INVALID_PURPOSE), "invalid purpose"},
- {ERR_REASON(X509V3_R_INVALID_SAFI), "invalid safi"},
- {ERR_REASON(X509V3_R_INVALID_SECTION), "invalid section"},
- {ERR_REASON(X509V3_R_INVALID_SYNTAX), "invalid syntax"},
- {ERR_REASON(X509V3_R_ISSUER_DECODE_ERROR), "issuer decode error"},
- {ERR_REASON(X509V3_R_MISSING_VALUE), "missing value"},
- {ERR_REASON(X509V3_R_NEED_ORGANIZATION_AND_NUMBERS),
- "need organization and numbers"},
- {ERR_REASON(X509V3_R_NO_CONFIG_DATABASE), "no config database"},
- {ERR_REASON(X509V3_R_NO_ISSUER_CERTIFICATE), "no issuer certificate"},
- {ERR_REASON(X509V3_R_NO_ISSUER_DETAILS), "no issuer details"},
- {ERR_REASON(X509V3_R_NO_POLICY_IDENTIFIER), "no policy identifier"},
- {ERR_REASON(X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED),
- "no proxy cert policy language defined"},
- {ERR_REASON(X509V3_R_NO_PUBLIC_KEY), "no public key"},
- {ERR_REASON(X509V3_R_NO_SUBJECT_DETAILS), "no subject details"},
- {ERR_REASON(X509V3_R_ODD_NUMBER_OF_DIGITS), "odd number of digits"},
- {ERR_REASON(X509V3_R_OPERATION_NOT_DEFINED), "operation not defined"},
- {ERR_REASON(X509V3_R_OTHERNAME_ERROR), "othername error"},
- {ERR_REASON(X509V3_R_POLICY_LANGUAGE_ALREADY_DEFINED),
- "policy language already defined"},
- {ERR_REASON(X509V3_R_POLICY_PATH_LENGTH), "policy path length"},
- {ERR_REASON(X509V3_R_POLICY_PATH_LENGTH_ALREADY_DEFINED),
- "policy path length already defined"},
- {ERR_REASON(X509V3_R_POLICY_SYNTAX_NOT_CURRENTLY_SUPPORTED),
- "policy syntax not currently supported"},
- {ERR_REASON(X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY),
- "policy when proxy language requires no policy"},
- {ERR_REASON(X509V3_R_SECTION_NOT_FOUND), "section not found"},
- {ERR_REASON(X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS),
- "unable to get issuer details"},
- {ERR_REASON(X509V3_R_UNABLE_TO_GET_ISSUER_KEYID),
- "unable to get issuer keyid"},
- {ERR_REASON(X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT),
- "unknown bit string argument"},
- {ERR_REASON(X509V3_R_UNKNOWN_EXTENSION), "unknown extension"},
- {ERR_REASON(X509V3_R_UNKNOWN_EXTENSION_NAME), "unknown extension name"},
- {ERR_REASON(X509V3_R_UNKNOWN_OPTION), "unknown option"},
- {ERR_REASON(X509V3_R_UNSUPPORTED_OPTION), "unsupported option"},
- {ERR_REASON(X509V3_R_UNSUPPORTED_TYPE), "unsupported type"},
- {ERR_REASON(X509V3_R_USER_TOO_LONG), "user too long"},
+static const ERR_STRING_DATA X509V3_str_reasons[] = {
+ {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_BAD_IP_ADDRESS), "bad ip address"},
+ {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_BAD_OBJECT), "bad object"},
+ {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_BN_DEC2BN_ERROR), "bn dec2bn error"},
+ {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_BN_TO_ASN1_INTEGER_ERROR),
+ "bn to asn1 integer error"},
+ {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_DIRNAME_ERROR), "dirname error"},
+ {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_DISTPOINT_ALREADY_SET),
+ "distpoint already set"},
+ {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_DUPLICATE_ZONE_ID),
+ "duplicate zone id"},
+ {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_ERROR_CONVERTING_ZONE),
+ "error converting zone"},
+ {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_ERROR_CREATING_EXTENSION),
+ "error creating extension"},
+ {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_ERROR_IN_EXTENSION),
+ "error in extension"},
+ {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_EXPECTED_A_SECTION_NAME),
+ "expected a section name"},
+ {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_EXTENSION_EXISTS),
+ "extension exists"},
+ {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_EXTENSION_NAME_ERROR),
+ "extension name error"},
+ {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_EXTENSION_NOT_FOUND),
+ "extension not found"},
+ {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED),
+ "extension setting not supported"},
+ {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_EXTENSION_VALUE_ERROR),
+ "extension value error"},
+ {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_ILLEGAL_EMPTY_EXTENSION),
+ "illegal empty extension"},
+ {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_INCORRECT_POLICY_SYNTAX_TAG),
+ "incorrect policy syntax tag"},
+ {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_INVALID_ASNUMBER),
+ "invalid asnumber"},
+ {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_INVALID_ASRANGE), "invalid asrange"},
+ {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_INVALID_BOOLEAN_STRING),
+ "invalid boolean string"},
+ {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_INVALID_EXTENSION_STRING),
+ "invalid extension string"},
+ {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_INVALID_INHERITANCE),
+ "invalid inheritance"},
+ {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_INVALID_IPADDRESS),
+ "invalid ipaddress"},
+ {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_INVALID_MULTIPLE_RDNS),
+ "invalid multiple rdns"},
+ {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_INVALID_NAME), "invalid name"},
+ {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_INVALID_NULL_ARGUMENT),
+ "invalid null argument"},
+ {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_INVALID_NULL_NAME),
+ "invalid null name"},
+ {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_INVALID_NULL_VALUE),
+ "invalid null value"},
+ {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_INVALID_NUMBER), "invalid number"},
+ {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_INVALID_NUMBERS), "invalid numbers"},
+ {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_INVALID_OBJECT_IDENTIFIER),
+ "invalid object identifier"},
+ {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_INVALID_OPTION), "invalid option"},
+ {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_INVALID_POLICY_IDENTIFIER),
+ "invalid policy identifier"},
+ {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_INVALID_PROXY_POLICY_SETTING),
+ "invalid proxy policy setting"},
+ {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_INVALID_PURPOSE), "invalid purpose"},
+ {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_INVALID_SAFI), "invalid safi"},
+ {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_INVALID_SECTION), "invalid section"},
+ {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_INVALID_SYNTAX), "invalid syntax"},
+ {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_ISSUER_DECODE_ERROR),
+ "issuer decode error"},
+ {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_MISSING_VALUE), "missing value"},
+ {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_NEED_ORGANIZATION_AND_NUMBERS),
+ "need organization and numbers"},
+ {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_NO_CONFIG_DATABASE),
+ "no config database"},
+ {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_NO_ISSUER_CERTIFICATE),
+ "no issuer certificate"},
+ {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_NO_ISSUER_DETAILS),
+ "no issuer details"},
+ {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_NO_POLICY_IDENTIFIER),
+ "no policy identifier"},
+ {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED),
+ "no proxy cert policy language defined"},
+ {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_NO_PUBLIC_KEY), "no public key"},
+ {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_NO_SUBJECT_DETAILS),
+ "no subject details"},
+ {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_OPERATION_NOT_DEFINED),
+ "operation not defined"},
+ {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_OTHERNAME_ERROR), "othername error"},
+ {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_POLICY_LANGUAGE_ALREADY_DEFINED),
+ "policy language already defined"},
+ {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_POLICY_PATH_LENGTH),
+ "policy path length"},
+ {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_POLICY_PATH_LENGTH_ALREADY_DEFINED),
+ "policy path length already defined"},
+ {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY),
+ "policy when proxy language requires no policy"},
+ {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_SECTION_NOT_FOUND),
+ "section not found"},
+ {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS),
+ "unable to get issuer details"},
+ {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_UNABLE_TO_GET_ISSUER_KEYID),
+ "unable to get issuer keyid"},
+ {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT),
+ "unknown bit string argument"},
+ {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_UNKNOWN_EXTENSION),
+ "unknown extension"},
+ {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_UNKNOWN_EXTENSION_NAME),
+ "unknown extension name"},
+ {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_UNKNOWN_OPTION), "unknown option"},
+ {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_UNSUPPORTED_OPTION),
+ "unsupported option"},
+ {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_UNSUPPORTED_TYPE),
+ "unsupported type"},
+ {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_USER_TOO_LONG), "user too long"},
{0, NULL}
};
#endif
-void ERR_load_X509V3_strings(void)
+int ERR_load_X509V3_strings(void)
{
#ifndef OPENSSL_NO_ERR
-
if (ERR_func_error_string(X509V3_str_functs[0].error) == NULL) {
- ERR_load_strings(0, X509V3_str_functs);
- ERR_load_strings(0, X509V3_str_reasons);
+ ERR_load_strings_const(X509V3_str_functs);
+ ERR_load_strings_const(X509V3_str_reasons);
}
#endif
+ return 1;
}
diff --git a/crypto/x509v3/v3nametest.c b/crypto/x509v3/v3nametest.c
deleted file mode 100644
index ac5c9ff432d9..000000000000
--- a/crypto/x509v3/v3nametest.c
+++ /dev/null
@@ -1,346 +0,0 @@
-#include <openssl/x509.h>
-#include <openssl/x509v3.h>
-#include "../e_os.h"
-#include <string.h>
-
-static const char *const names[] = {
- "a", "b", ".", "*", "@",
- ".a", "a.", ".b", "b.", ".*", "*.", "*@", "@*", "a@", "@a", "b@", "..",
- "-example.com", "example-.com",
- "@@", "**", "*.com", "*com", "*.*.com", "*com", "com*", "*example.com",
- "*@example.com", "test@*.example.com", "example.com", "www.example.com",
- "test.www.example.com", "*.example.com", "*.www.example.com",
- "test.*.example.com", "www.*.com",
- ".www.example.com", "*www.example.com",
- "example.net", "xn--rger-koa.example.com",
- "*.xn--rger-koa.example.com", "www.xn--rger-koa.example.com",
- "*.good--example.com", "www.good--example.com",
- "*.xn--bar.com", "xn--foo.xn--bar.com",
- "a.example.com", "b.example.com",
- "postmaster@example.com", "Postmaster@example.com",
- "postmaster@EXAMPLE.COM",
- NULL
-};
-
-static const char *const exceptions[] = {
- "set CN: host: [*.example.com] matches [a.example.com]",
- "set CN: host: [*.example.com] matches [b.example.com]",
- "set CN: host: [*.example.com] matches [www.example.com]",
- "set CN: host: [*.example.com] matches [xn--rger-koa.example.com]",
- "set CN: host: [*.www.example.com] matches [test.www.example.com]",
- "set CN: host: [*.www.example.com] matches [.www.example.com]",
- "set CN: host: [*www.example.com] matches [www.example.com]",
- "set CN: host: [test.www.example.com] matches [.www.example.com]",
- "set CN: host: [*.xn--rger-koa.example.com] matches [www.xn--rger-koa.example.com]",
- "set CN: host: [*.xn--bar.com] matches [xn--foo.xn--bar.com]",
- "set CN: host: [*.good--example.com] matches [www.good--example.com]",
- "set CN: host-no-wildcards: [*.www.example.com] matches [.www.example.com]",
- "set CN: host-no-wildcards: [test.www.example.com] matches [.www.example.com]",
- "set emailAddress: email: [postmaster@example.com] does not match [Postmaster@example.com]",
- "set emailAddress: email: [postmaster@EXAMPLE.COM] does not match [Postmaster@example.com]",
- "set emailAddress: email: [Postmaster@example.com] does not match [postmaster@example.com]",
- "set emailAddress: email: [Postmaster@example.com] does not match [postmaster@EXAMPLE.COM]",
- "set dnsName: host: [*.example.com] matches [www.example.com]",
- "set dnsName: host: [*.example.com] matches [a.example.com]",
- "set dnsName: host: [*.example.com] matches [b.example.com]",
- "set dnsName: host: [*.example.com] matches [xn--rger-koa.example.com]",
- "set dnsName: host: [*.www.example.com] matches [test.www.example.com]",
- "set dnsName: host-no-wildcards: [*.www.example.com] matches [.www.example.com]",
- "set dnsName: host-no-wildcards: [test.www.example.com] matches [.www.example.com]",
- "set dnsName: host: [*.www.example.com] matches [.www.example.com]",
- "set dnsName: host: [*www.example.com] matches [www.example.com]",
- "set dnsName: host: [test.www.example.com] matches [.www.example.com]",
- "set dnsName: host: [*.xn--rger-koa.example.com] matches [www.xn--rger-koa.example.com]",
- "set dnsName: host: [*.xn--bar.com] matches [xn--foo.xn--bar.com]",
- "set dnsName: host: [*.good--example.com] matches [www.good--example.com]",
- "set rfc822Name: email: [postmaster@example.com] does not match [Postmaster@example.com]",
- "set rfc822Name: email: [Postmaster@example.com] does not match [postmaster@example.com]",
- "set rfc822Name: email: [Postmaster@example.com] does not match [postmaster@EXAMPLE.COM]",
- "set rfc822Name: email: [postmaster@EXAMPLE.COM] does not match [Postmaster@example.com]",
- NULL
-};
-
-static int is_exception(const char *msg)
-{
- const char *const *p;
- for (p = exceptions; *p; ++p)
- if (strcmp(msg, *p) == 0)
- return 1;
- return 0;
-}
-
-static int set_cn(X509 *crt, ...)
-{
- int ret = 0;
- X509_NAME *n = NULL;
- va_list ap;
- va_start(ap, crt);
- n = X509_NAME_new();
- if (n == NULL)
- goto out;
- while (1) {
- int nid;
- const char *name;
- nid = va_arg(ap, int);
- if (nid == 0)
- break;
- name = va_arg(ap, const char *);
- if (!X509_NAME_add_entry_by_NID(n, nid, MBSTRING_ASC,
- (unsigned char *)name, -1, -1, 1))
- goto out;
- }
- if (!X509_set_subject_name(crt, n))
- goto out;
- ret = 1;
- out:
- X509_NAME_free(n);
- va_end(ap);
- return ret;
-}
-
-/*-
-int X509_add_ext(X509 *x, X509_EXTENSION *ex, int loc);
-X509_EXTENSION *X509_EXTENSION_create_by_NID(X509_EXTENSION **ex,
- int nid, int crit, ASN1_OCTET_STRING *data);
-int X509_add_ext(X509 *x, X509_EXTENSION *ex, int loc);
-*/
-
-static int set_altname(X509 *crt, ...)
-{
- int ret = 0;
- GENERAL_NAMES *gens = NULL;
- GENERAL_NAME *gen = NULL;
- ASN1_IA5STRING *ia5 = NULL;
- va_list ap;
- va_start(ap, crt);
- gens = sk_GENERAL_NAME_new_null();
- if (gens == NULL)
- goto out;
- while (1) {
- int type;
- const char *name;
- type = va_arg(ap, int);
- if (type == 0)
- break;
- name = va_arg(ap, const char *);
-
- gen = GENERAL_NAME_new();
- if (gen == NULL)
- goto out;
- ia5 = ASN1_IA5STRING_new();
- if (ia5 == NULL)
- goto out;
- if (!ASN1_STRING_set(ia5, name, -1))
- goto out;
- switch (type) {
- case GEN_EMAIL:
- case GEN_DNS:
- GENERAL_NAME_set0_value(gen, type, ia5);
- ia5 = NULL;
- break;
- default:
- abort();
- }
- sk_GENERAL_NAME_push(gens, gen);
- gen = NULL;
- }
- if (!X509_add1_ext_i2d(crt, NID_subject_alt_name, gens, 0, 0))
- goto out;
- ret = 1;
- out:
- ASN1_IA5STRING_free(ia5);
- GENERAL_NAME_free(gen);
- GENERAL_NAMES_free(gens);
- va_end(ap);
- return ret;
-}
-
-static int set_cn1(X509 *crt, const char *name)
-{
- return set_cn(crt, NID_commonName, name, 0);
-}
-
-static int set_cn_and_email(X509 *crt, const char *name)
-{
- return set_cn(crt, NID_commonName, name,
- NID_pkcs9_emailAddress, "dummy@example.com", 0);
-}
-
-static int set_cn2(X509 *crt, const char *name)
-{
- return set_cn(crt, NID_commonName, "dummy value",
- NID_commonName, name, 0);
-}
-
-static int set_cn3(X509 *crt, const char *name)
-{
- return set_cn(crt, NID_commonName, name,
- NID_commonName, "dummy value", 0);
-}
-
-static int set_email1(X509 *crt, const char *name)
-{
- return set_cn(crt, NID_pkcs9_emailAddress, name, 0);
-}
-
-static int set_email2(X509 *crt, const char *name)
-{
- return set_cn(crt, NID_pkcs9_emailAddress, "dummy@example.com",
- NID_pkcs9_emailAddress, name, 0);
-}
-
-static int set_email3(X509 *crt, const char *name)
-{
- return set_cn(crt, NID_pkcs9_emailAddress, name,
- NID_pkcs9_emailAddress, "dummy@example.com", 0);
-}
-
-static int set_email_and_cn(X509 *crt, const char *name)
-{
- return set_cn(crt, NID_pkcs9_emailAddress, name,
- NID_commonName, "www.example.org", 0);
-}
-
-static int set_altname_dns(X509 *crt, const char *name)
-{
- return set_altname(crt, GEN_DNS, name, 0);
-}
-
-static int set_altname_email(X509 *crt, const char *name)
-{
- return set_altname(crt, GEN_EMAIL, name, 0);
-}
-
-struct set_name_fn {
- int (*fn) (X509 *, const char *);
- const char *name;
- int host;
- int email;
-};
-
-static const struct set_name_fn name_fns[] = {
- {set_cn1, "set CN", 1, 0},
- {set_cn2, "set CN", 1, 0},
- {set_cn3, "set CN", 1, 0},
- {set_cn_and_email, "set CN", 1, 0},
- {set_email1, "set emailAddress", 0, 1},
- {set_email2, "set emailAddress", 0, 1},
- {set_email3, "set emailAddress", 0, 1},
- {set_email_and_cn, "set emailAddress", 0, 1},
- {set_altname_dns, "set dnsName", 1, 0},
- {set_altname_email, "set rfc822Name", 0, 1},
- {NULL, NULL, 0}
-};
-
-static X509 *make_cert()
-{
- X509 *ret = NULL;
- X509 *crt = NULL;
- X509_NAME *issuer = NULL;
- crt = X509_new();
- if (crt == NULL)
- goto out;
- if (!X509_set_version(crt, 3))
- goto out;
- ret = crt;
- crt = NULL;
- out:
- X509_NAME_free(issuer);
- return ret;
-}
-
-static int errors;
-
-static void check_message(const struct set_name_fn *fn, const char *op,
- const char *nameincert, int match, const char *name)
-{
- char msg[1024];
- if (match < 0)
- return;
- BIO_snprintf(msg, sizeof(msg), "%s: %s: [%s] %s [%s]",
- fn->name, op, nameincert,
- match ? "matches" : "does not match", name);
- if (is_exception(msg))
- return;
- puts(msg);
- ++errors;
-}
-
-static void run_cert(X509 *crt, const char *nameincert,
- const struct set_name_fn *fn)
-{
- const char *const *pname = names;
- while (*pname) {
- int samename = strcasecmp(nameincert, *pname) == 0;
- size_t namelen = strlen(*pname);
- char *name = malloc(namelen);
- int match, ret;
- memcpy(name, *pname, namelen);
-
- ret = X509_check_host(crt, name, namelen, 0, NULL);
- match = -1;
- if (ret < 0) {
- fprintf(stderr, "internal error in X509_check_host");
- ++errors;
- } else if (fn->host) {
- if (ret == 1 && !samename)
- match = 1;
- if (ret == 0 && samename)
- match = 0;
- } else if (ret == 1)
- match = 1;
- check_message(fn, "host", nameincert, match, *pname);
-
- ret = X509_check_host(crt, name, namelen,
- X509_CHECK_FLAG_NO_WILDCARDS, NULL);
- match = -1;
- if (ret < 0) {
- fprintf(stderr, "internal error in X509_check_host");
- ++errors;
- } else if (fn->host) {
- if (ret == 1 && !samename)
- match = 1;
- if (ret == 0 && samename)
- match = 0;
- } else if (ret == 1)
- match = 1;
- check_message(fn, "host-no-wildcards", nameincert, match, *pname);
-
- ret = X509_check_email(crt, name, namelen, 0);
- match = -1;
- if (fn->email) {
- if (ret && !samename)
- match = 1;
- if (!ret && samename && strchr(nameincert, '@') != NULL)
- match = 0;
- } else if (ret)
- match = 1;
- check_message(fn, "email", nameincert, match, *pname);
- ++pname;
- free(name);
- }
-}
-
-int main(void)
-{
- const struct set_name_fn *pfn = name_fns;
- while (pfn->name) {
- const char *const *pname = names;
- while (*pname) {
- X509 *crt = make_cert();
- if (crt == NULL) {
- fprintf(stderr, "make_cert failed\n");
- return 1;
- }
- if (!pfn->fn(crt, *pname)) {
- fprintf(stderr, "X509 name setting failed\n");
- return 1;
- }
- run_cert(crt, *pname, pfn);
- X509_free(crt);
- ++pname;
- }
- ++pfn;
- }
- return errors > 0 ? 1 : 0;
-}
diff --git a/crypto/x509v3/v3prin.c b/crypto/x509v3/v3prin.c
deleted file mode 100644
index cbc357079de7..000000000000
--- a/crypto/x509v3/v3prin.c
+++ /dev/null
@@ -1,99 +0,0 @@
-/* v3prin.c */
-/*
- * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
- * 1999.
- */
-/* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-#include <openssl/asn1.h>
-#include <openssl/conf.h>
-#include <openssl/x509.h>
-#include <openssl/x509v3.h>
-
-int main(int argc, char **argv)
-{
- X509 *cert;
- FILE *inf;
- int i, count;
- X509_EXTENSION *ext;
- X509V3_add_standard_extensions();
- ERR_load_crypto_strings();
- if (!argv[1]) {
- fprintf(stderr, "Usage v3prin cert.pem\n");
- exit(1);
- }
- if (!(inf = fopen(argv[1], "r"))) {
- fprintf(stderr, "Can't open %s\n", argv[1]);
- exit(1);
- }
- if (!(cert = PEM_read_X509(inf, NULL, NULL))) {
- fprintf(stderr, "Can't read certificate %s\n", argv[1]);
- ERR_print_errors_fp(stderr);
- exit(1);
- }
- fclose(inf);
- count = X509_get_ext_count(cert);
- printf("%d extensions\n", count);
- for (i = 0; i < count; i++) {
- ext = X509_get_ext(cert, i);
- printf("%s\n", OBJ_nid2ln(OBJ_obj2nid(ext->object)));
- if (!X509V3_EXT_print_fp(stdout, ext, 0, 0))
- ERR_print_errors_fp(stderr);
- printf("\n");
-
- }
- return 0;
-}
diff --git a/crypto/x509v3/x509v3.h b/crypto/x509v3/x509v3.h
deleted file mode 100644
index f5c61560aa10..000000000000
--- a/crypto/x509v3/x509v3.h
+++ /dev/null
@@ -1,1055 +0,0 @@
-/* x509v3.h */
-/*
- * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
- * 1999.
- */
-/* ====================================================================
- * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-#ifndef HEADER_X509V3_H
-# define HEADER_X509V3_H
-
-# include <openssl/bio.h>
-# include <openssl/x509.h>
-# include <openssl/conf.h>
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-# ifdef OPENSSL_SYS_WIN32
-/* Under Win32 these are defined in wincrypt.h */
-# undef X509_NAME
-# undef X509_CERT_PAIR
-# undef X509_EXTENSIONS
-# endif
-
-/* Forward reference */
-struct v3_ext_method;
-struct v3_ext_ctx;
-
-/* Useful typedefs */
-
-typedef void *(*X509V3_EXT_NEW)(void);
-typedef void (*X509V3_EXT_FREE) (void *);
-typedef void *(*X509V3_EXT_D2I)(void *, const unsigned char **, long);
-typedef int (*X509V3_EXT_I2D) (void *, unsigned char **);
-typedef STACK_OF(CONF_VALUE) *
- (*X509V3_EXT_I2V) (const struct v3_ext_method *method, void *ext,
- STACK_OF(CONF_VALUE) *extlist);
-typedef void *(*X509V3_EXT_V2I)(const struct v3_ext_method *method,
- struct v3_ext_ctx *ctx,
- STACK_OF(CONF_VALUE) *values);
-typedef char *(*X509V3_EXT_I2S)(const struct v3_ext_method *method,
- void *ext);
-typedef void *(*X509V3_EXT_S2I)(const struct v3_ext_method *method,
- struct v3_ext_ctx *ctx, const char *str);
-typedef int (*X509V3_EXT_I2R) (const struct v3_ext_method *method, void *ext,
- BIO *out, int indent);
-typedef void *(*X509V3_EXT_R2I)(const struct v3_ext_method *method,
- struct v3_ext_ctx *ctx, const char *str);
-
-/* V3 extension structure */
-
-struct v3_ext_method {
- int ext_nid;
- int ext_flags;
-/* If this is set the following four fields are ignored */
- ASN1_ITEM_EXP *it;
-/* Old style ASN1 calls */
- X509V3_EXT_NEW ext_new;
- X509V3_EXT_FREE ext_free;
- X509V3_EXT_D2I d2i;
- X509V3_EXT_I2D i2d;
-/* The following pair is used for string extensions */
- X509V3_EXT_I2S i2s;
- X509V3_EXT_S2I s2i;
-/* The following pair is used for multi-valued extensions */
- X509V3_EXT_I2V i2v;
- X509V3_EXT_V2I v2i;
-/* The following are used for raw extensions */
- X509V3_EXT_I2R i2r;
- X509V3_EXT_R2I r2i;
- void *usr_data; /* Any extension specific data */
-};
-
-typedef struct X509V3_CONF_METHOD_st {
- char *(*get_string) (void *db, char *section, char *value);
- STACK_OF(CONF_VALUE) *(*get_section) (void *db, char *section);
- void (*free_string) (void *db, char *string);
- void (*free_section) (void *db, STACK_OF(CONF_VALUE) *section);
-} X509V3_CONF_METHOD;
-
-/* Context specific info */
-struct v3_ext_ctx {
-# define CTX_TEST 0x1
- int flags;
- X509 *issuer_cert;
- X509 *subject_cert;
- X509_REQ *subject_req;
- X509_CRL *crl;
- X509V3_CONF_METHOD *db_meth;
- void *db;
-/* Maybe more here */
-};
-
-typedef struct v3_ext_method X509V3_EXT_METHOD;
-
-DECLARE_STACK_OF(X509V3_EXT_METHOD)
-
-/* ext_flags values */
-# define X509V3_EXT_DYNAMIC 0x1
-# define X509V3_EXT_CTX_DEP 0x2
-# define X509V3_EXT_MULTILINE 0x4
-
-typedef BIT_STRING_BITNAME ENUMERATED_NAMES;
-
-typedef struct BASIC_CONSTRAINTS_st {
- int ca;
- ASN1_INTEGER *pathlen;
-} BASIC_CONSTRAINTS;
-
-typedef struct PKEY_USAGE_PERIOD_st {
- ASN1_GENERALIZEDTIME *notBefore;
- ASN1_GENERALIZEDTIME *notAfter;
-} PKEY_USAGE_PERIOD;
-
-typedef struct otherName_st {
- ASN1_OBJECT *type_id;
- ASN1_TYPE *value;
-} OTHERNAME;
-
-typedef struct EDIPartyName_st {
- ASN1_STRING *nameAssigner;
- ASN1_STRING *partyName;
-} EDIPARTYNAME;
-
-typedef struct GENERAL_NAME_st {
-# define GEN_OTHERNAME 0
-# define GEN_EMAIL 1
-# define GEN_DNS 2
-# define GEN_X400 3
-# define GEN_DIRNAME 4
-# define GEN_EDIPARTY 5
-# define GEN_URI 6
-# define GEN_IPADD 7
-# define GEN_RID 8
- int type;
- union {
- char *ptr;
- OTHERNAME *otherName; /* otherName */
- ASN1_IA5STRING *rfc822Name;
- ASN1_IA5STRING *dNSName;
- ASN1_TYPE *x400Address;
- X509_NAME *directoryName;
- EDIPARTYNAME *ediPartyName;
- ASN1_IA5STRING *uniformResourceIdentifier;
- ASN1_OCTET_STRING *iPAddress;
- ASN1_OBJECT *registeredID;
- /* Old names */
- ASN1_OCTET_STRING *ip; /* iPAddress */
- X509_NAME *dirn; /* dirn */
- ASN1_IA5STRING *ia5; /* rfc822Name, dNSName,
- * uniformResourceIdentifier */
- ASN1_OBJECT *rid; /* registeredID */
- ASN1_TYPE *other; /* x400Address */
- } d;
-} GENERAL_NAME;
-
-typedef STACK_OF(GENERAL_NAME) GENERAL_NAMES;
-
-typedef struct ACCESS_DESCRIPTION_st {
- ASN1_OBJECT *method;
- GENERAL_NAME *location;
-} ACCESS_DESCRIPTION;
-
-typedef STACK_OF(ACCESS_DESCRIPTION) AUTHORITY_INFO_ACCESS;
-
-typedef STACK_OF(ASN1_OBJECT) EXTENDED_KEY_USAGE;
-
-DECLARE_STACK_OF(GENERAL_NAME)
-DECLARE_ASN1_SET_OF(GENERAL_NAME)
-
-DECLARE_STACK_OF(ACCESS_DESCRIPTION)
-DECLARE_ASN1_SET_OF(ACCESS_DESCRIPTION)
-
-typedef struct DIST_POINT_NAME_st {
- int type;
- union {
- GENERAL_NAMES *fullname;
- STACK_OF(X509_NAME_ENTRY) *relativename;
- } name;
-/* If relativename then this contains the full distribution point name */
- X509_NAME *dpname;
-} DIST_POINT_NAME;
-/* All existing reasons */
-# define CRLDP_ALL_REASONS 0x807f
-
-# define CRL_REASON_NONE -1
-# define CRL_REASON_UNSPECIFIED 0
-# define CRL_REASON_KEY_COMPROMISE 1
-# define CRL_REASON_CA_COMPROMISE 2
-# define CRL_REASON_AFFILIATION_CHANGED 3
-# define CRL_REASON_SUPERSEDED 4
-# define CRL_REASON_CESSATION_OF_OPERATION 5
-# define CRL_REASON_CERTIFICATE_HOLD 6
-# define CRL_REASON_REMOVE_FROM_CRL 8
-# define CRL_REASON_PRIVILEGE_WITHDRAWN 9
-# define CRL_REASON_AA_COMPROMISE 10
-
-struct DIST_POINT_st {
- DIST_POINT_NAME *distpoint;
- ASN1_BIT_STRING *reasons;
- GENERAL_NAMES *CRLissuer;
- int dp_reasons;
-};
-
-typedef STACK_OF(DIST_POINT) CRL_DIST_POINTS;
-
-DECLARE_STACK_OF(DIST_POINT)
-DECLARE_ASN1_SET_OF(DIST_POINT)
-
-struct AUTHORITY_KEYID_st {
- ASN1_OCTET_STRING *keyid;
- GENERAL_NAMES *issuer;
- ASN1_INTEGER *serial;
-};
-
-/* Strong extranet structures */
-
-typedef struct SXNET_ID_st {
- ASN1_INTEGER *zone;
- ASN1_OCTET_STRING *user;
-} SXNETID;
-
-DECLARE_STACK_OF(SXNETID)
-DECLARE_ASN1_SET_OF(SXNETID)
-
-typedef struct SXNET_st {
- ASN1_INTEGER *version;
- STACK_OF(SXNETID) *ids;
-} SXNET;
-
-typedef struct NOTICEREF_st {
- ASN1_STRING *organization;
- STACK_OF(ASN1_INTEGER) *noticenos;
-} NOTICEREF;
-
-typedef struct USERNOTICE_st {
- NOTICEREF *noticeref;
- ASN1_STRING *exptext;
-} USERNOTICE;
-
-typedef struct POLICYQUALINFO_st {
- ASN1_OBJECT *pqualid;
- union {
- ASN1_IA5STRING *cpsuri;
- USERNOTICE *usernotice;
- ASN1_TYPE *other;
- } d;
-} POLICYQUALINFO;
-
-DECLARE_STACK_OF(POLICYQUALINFO)
-DECLARE_ASN1_SET_OF(POLICYQUALINFO)
-
-typedef struct POLICYINFO_st {
- ASN1_OBJECT *policyid;
- STACK_OF(POLICYQUALINFO) *qualifiers;
-} POLICYINFO;
-
-typedef STACK_OF(POLICYINFO) CERTIFICATEPOLICIES;
-
-DECLARE_STACK_OF(POLICYINFO)
-DECLARE_ASN1_SET_OF(POLICYINFO)
-
-typedef struct POLICY_MAPPING_st {
- ASN1_OBJECT *issuerDomainPolicy;
- ASN1_OBJECT *subjectDomainPolicy;
-} POLICY_MAPPING;
-
-DECLARE_STACK_OF(POLICY_MAPPING)
-
-typedef STACK_OF(POLICY_MAPPING) POLICY_MAPPINGS;
-
-typedef struct GENERAL_SUBTREE_st {
- GENERAL_NAME *base;
- ASN1_INTEGER *minimum;
- ASN1_INTEGER *maximum;
-} GENERAL_SUBTREE;
-
-DECLARE_STACK_OF(GENERAL_SUBTREE)
-
-struct NAME_CONSTRAINTS_st {
- STACK_OF(GENERAL_SUBTREE) *permittedSubtrees;
- STACK_OF(GENERAL_SUBTREE) *excludedSubtrees;
-};
-
-typedef struct POLICY_CONSTRAINTS_st {
- ASN1_INTEGER *requireExplicitPolicy;
- ASN1_INTEGER *inhibitPolicyMapping;
-} POLICY_CONSTRAINTS;
-
-/* Proxy certificate structures, see RFC 3820 */
-typedef struct PROXY_POLICY_st {
- ASN1_OBJECT *policyLanguage;
- ASN1_OCTET_STRING *policy;
-} PROXY_POLICY;
-
-typedef struct PROXY_CERT_INFO_EXTENSION_st {
- ASN1_INTEGER *pcPathLengthConstraint;
- PROXY_POLICY *proxyPolicy;
-} PROXY_CERT_INFO_EXTENSION;
-
-DECLARE_ASN1_FUNCTIONS(PROXY_POLICY)
-DECLARE_ASN1_FUNCTIONS(PROXY_CERT_INFO_EXTENSION)
-
-struct ISSUING_DIST_POINT_st {
- DIST_POINT_NAME *distpoint;
- int onlyuser;
- int onlyCA;
- ASN1_BIT_STRING *onlysomereasons;
- int indirectCRL;
- int onlyattr;
-};
-
-/* Values in idp_flags field */
-/* IDP present */
-# define IDP_PRESENT 0x1
-/* IDP values inconsistent */
-# define IDP_INVALID 0x2
-/* onlyuser true */
-# define IDP_ONLYUSER 0x4
-/* onlyCA true */
-# define IDP_ONLYCA 0x8
-/* onlyattr true */
-# define IDP_ONLYATTR 0x10
-/* indirectCRL true */
-# define IDP_INDIRECT 0x20
-/* onlysomereasons present */
-# define IDP_REASONS 0x40
-
-# define X509V3_conf_err(val) ERR_add_error_data(6, "section:", val->section, \
-",name:", val->name, ",value:", val->value);
-
-# define X509V3_set_ctx_test(ctx) \
- X509V3_set_ctx(ctx, NULL, NULL, NULL, NULL, CTX_TEST)
-# define X509V3_set_ctx_nodb(ctx) (ctx)->db = NULL;
-
-# define EXT_BITSTRING(nid, table) { nid, 0, ASN1_ITEM_ref(ASN1_BIT_STRING), \
- 0,0,0,0, \
- 0,0, \
- (X509V3_EXT_I2V)i2v_ASN1_BIT_STRING, \
- (X509V3_EXT_V2I)v2i_ASN1_BIT_STRING, \
- NULL, NULL, \
- table}
-
-# define EXT_IA5STRING(nid) { nid, 0, ASN1_ITEM_ref(ASN1_IA5STRING), \
- 0,0,0,0, \
- (X509V3_EXT_I2S)i2s_ASN1_IA5STRING, \
- (X509V3_EXT_S2I)s2i_ASN1_IA5STRING, \
- 0,0,0,0, \
- NULL}
-
-# define EXT_END { -1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}
-
-/* X509_PURPOSE stuff */
-
-# define EXFLAG_BCONS 0x1
-# define EXFLAG_KUSAGE 0x2
-# define EXFLAG_XKUSAGE 0x4
-# define EXFLAG_NSCERT 0x8
-
-# define EXFLAG_CA 0x10
-/* Really self issued not necessarily self signed */
-# define EXFLAG_SI 0x20
-# define EXFLAG_V1 0x40
-# define EXFLAG_INVALID 0x80
-# define EXFLAG_SET 0x100
-# define EXFLAG_CRITICAL 0x200
-# define EXFLAG_PROXY 0x400
-
-# define EXFLAG_INVALID_POLICY 0x800
-# define EXFLAG_FRESHEST 0x1000
-/* Self signed */
-# define EXFLAG_SS 0x2000
-
-# define KU_DIGITAL_SIGNATURE 0x0080
-# define KU_NON_REPUDIATION 0x0040
-# define KU_KEY_ENCIPHERMENT 0x0020
-# define KU_DATA_ENCIPHERMENT 0x0010
-# define KU_KEY_AGREEMENT 0x0008
-# define KU_KEY_CERT_SIGN 0x0004
-# define KU_CRL_SIGN 0x0002
-# define KU_ENCIPHER_ONLY 0x0001
-# define KU_DECIPHER_ONLY 0x8000
-
-# define NS_SSL_CLIENT 0x80
-# define NS_SSL_SERVER 0x40
-# define NS_SMIME 0x20
-# define NS_OBJSIGN 0x10
-# define NS_SSL_CA 0x04
-# define NS_SMIME_CA 0x02
-# define NS_OBJSIGN_CA 0x01
-# define NS_ANY_CA (NS_SSL_CA|NS_SMIME_CA|NS_OBJSIGN_CA)
-
-# define XKU_SSL_SERVER 0x1
-# define XKU_SSL_CLIENT 0x2
-# define XKU_SMIME 0x4
-# define XKU_CODE_SIGN 0x8
-# define XKU_SGC 0x10
-# define XKU_OCSP_SIGN 0x20
-# define XKU_TIMESTAMP 0x40
-# define XKU_DVCS 0x80
-# define XKU_ANYEKU 0x100
-
-# define X509_PURPOSE_DYNAMIC 0x1
-# define X509_PURPOSE_DYNAMIC_NAME 0x2
-
-typedef struct x509_purpose_st {
- int purpose;
- int trust; /* Default trust ID */
- int flags;
- int (*check_purpose) (const struct x509_purpose_st *, const X509 *, int);
- char *name;
- char *sname;
- void *usr_data;
-} X509_PURPOSE;
-
-# define X509_PURPOSE_SSL_CLIENT 1
-# define X509_PURPOSE_SSL_SERVER 2
-# define X509_PURPOSE_NS_SSL_SERVER 3
-# define X509_PURPOSE_SMIME_SIGN 4
-# define X509_PURPOSE_SMIME_ENCRYPT 5
-# define X509_PURPOSE_CRL_SIGN 6
-# define X509_PURPOSE_ANY 7
-# define X509_PURPOSE_OCSP_HELPER 8
-# define X509_PURPOSE_TIMESTAMP_SIGN 9
-
-# define X509_PURPOSE_MIN 1
-# define X509_PURPOSE_MAX 9
-
-/* Flags for X509V3_EXT_print() */
-
-# define X509V3_EXT_UNKNOWN_MASK (0xfL << 16)
-/* Return error for unknown extensions */
-# define X509V3_EXT_DEFAULT 0
-/* Print error for unknown extensions */
-# define X509V3_EXT_ERROR_UNKNOWN (1L << 16)
-/* ASN1 parse unknown extensions */
-# define X509V3_EXT_PARSE_UNKNOWN (2L << 16)
-/* BIO_dump unknown extensions */
-# define X509V3_EXT_DUMP_UNKNOWN (3L << 16)
-
-/* Flags for X509V3_add1_i2d */
-
-# define X509V3_ADD_OP_MASK 0xfL
-# define X509V3_ADD_DEFAULT 0L
-# define X509V3_ADD_APPEND 1L
-# define X509V3_ADD_REPLACE 2L
-# define X509V3_ADD_REPLACE_EXISTING 3L
-# define X509V3_ADD_KEEP_EXISTING 4L
-# define X509V3_ADD_DELETE 5L
-# define X509V3_ADD_SILENT 0x10
-
-DECLARE_STACK_OF(X509_PURPOSE)
-
-DECLARE_ASN1_FUNCTIONS(BASIC_CONSTRAINTS)
-
-DECLARE_ASN1_FUNCTIONS(SXNET)
-DECLARE_ASN1_FUNCTIONS(SXNETID)
-
-int SXNET_add_id_asc(SXNET **psx, char *zone, char *user, int userlen);
-int SXNET_add_id_ulong(SXNET **psx, unsigned long lzone, char *user,
- int userlen);
-int SXNET_add_id_INTEGER(SXNET **psx, ASN1_INTEGER *izone, char *user,
- int userlen);
-
-ASN1_OCTET_STRING *SXNET_get_id_asc(SXNET *sx, char *zone);
-ASN1_OCTET_STRING *SXNET_get_id_ulong(SXNET *sx, unsigned long lzone);
-ASN1_OCTET_STRING *SXNET_get_id_INTEGER(SXNET *sx, ASN1_INTEGER *zone);
-
-DECLARE_ASN1_FUNCTIONS(AUTHORITY_KEYID)
-
-DECLARE_ASN1_FUNCTIONS(PKEY_USAGE_PERIOD)
-
-DECLARE_ASN1_FUNCTIONS(GENERAL_NAME)
-GENERAL_NAME *GENERAL_NAME_dup(GENERAL_NAME *a);
-int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b);
-
-ASN1_BIT_STRING *v2i_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
- X509V3_CTX *ctx,
- STACK_OF(CONF_VALUE) *nval);
-STACK_OF(CONF_VALUE) *i2v_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
- ASN1_BIT_STRING *bits,
- STACK_OF(CONF_VALUE) *extlist);
-
-STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(X509V3_EXT_METHOD *method,
- GENERAL_NAME *gen,
- STACK_OF(CONF_VALUE) *ret);
-int GENERAL_NAME_print(BIO *out, GENERAL_NAME *gen);
-
-DECLARE_ASN1_FUNCTIONS(GENERAL_NAMES)
-
-STACK_OF(CONF_VALUE) *i2v_GENERAL_NAMES(X509V3_EXT_METHOD *method,
- GENERAL_NAMES *gen,
- STACK_OF(CONF_VALUE) *extlist);
-GENERAL_NAMES *v2i_GENERAL_NAMES(const X509V3_EXT_METHOD *method,
- X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
-
-DECLARE_ASN1_FUNCTIONS(OTHERNAME)
-DECLARE_ASN1_FUNCTIONS(EDIPARTYNAME)
-int OTHERNAME_cmp(OTHERNAME *a, OTHERNAME *b);
-void GENERAL_NAME_set0_value(GENERAL_NAME *a, int type, void *value);
-void *GENERAL_NAME_get0_value(GENERAL_NAME *a, int *ptype);
-int GENERAL_NAME_set0_othername(GENERAL_NAME *gen,
- ASN1_OBJECT *oid, ASN1_TYPE *value);
-int GENERAL_NAME_get0_otherName(GENERAL_NAME *gen,
- ASN1_OBJECT **poid, ASN1_TYPE **pvalue);
-
-char *i2s_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method,
- ASN1_OCTET_STRING *ia5);
-ASN1_OCTET_STRING *s2i_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method,
- X509V3_CTX *ctx, char *str);
-
-DECLARE_ASN1_FUNCTIONS(EXTENDED_KEY_USAGE)
-int i2a_ACCESS_DESCRIPTION(BIO *bp, ACCESS_DESCRIPTION *a);
-
-DECLARE_ASN1_FUNCTIONS(CERTIFICATEPOLICIES)
-DECLARE_ASN1_FUNCTIONS(POLICYINFO)
-DECLARE_ASN1_FUNCTIONS(POLICYQUALINFO)
-DECLARE_ASN1_FUNCTIONS(USERNOTICE)
-DECLARE_ASN1_FUNCTIONS(NOTICEREF)
-
-DECLARE_ASN1_FUNCTIONS(CRL_DIST_POINTS)
-DECLARE_ASN1_FUNCTIONS(DIST_POINT)
-DECLARE_ASN1_FUNCTIONS(DIST_POINT_NAME)
-DECLARE_ASN1_FUNCTIONS(ISSUING_DIST_POINT)
-
-int DIST_POINT_set_dpname(DIST_POINT_NAME *dpn, X509_NAME *iname);
-
-int NAME_CONSTRAINTS_check(X509 *x, NAME_CONSTRAINTS *nc);
-
-DECLARE_ASN1_FUNCTIONS(ACCESS_DESCRIPTION)
-DECLARE_ASN1_FUNCTIONS(AUTHORITY_INFO_ACCESS)
-
-DECLARE_ASN1_ITEM(POLICY_MAPPING)
-DECLARE_ASN1_ALLOC_FUNCTIONS(POLICY_MAPPING)
-DECLARE_ASN1_ITEM(POLICY_MAPPINGS)
-
-DECLARE_ASN1_ITEM(GENERAL_SUBTREE)
-DECLARE_ASN1_ALLOC_FUNCTIONS(GENERAL_SUBTREE)
-
-DECLARE_ASN1_ITEM(NAME_CONSTRAINTS)
-DECLARE_ASN1_ALLOC_FUNCTIONS(NAME_CONSTRAINTS)
-
-DECLARE_ASN1_ALLOC_FUNCTIONS(POLICY_CONSTRAINTS)
-DECLARE_ASN1_ITEM(POLICY_CONSTRAINTS)
-
-GENERAL_NAME *a2i_GENERAL_NAME(GENERAL_NAME *out,
- const X509V3_EXT_METHOD *method,
- X509V3_CTX *ctx, int gen_type, char *value,
- int is_nc);
-
-# ifdef HEADER_CONF_H
-GENERAL_NAME *v2i_GENERAL_NAME(const X509V3_EXT_METHOD *method,
- X509V3_CTX *ctx, CONF_VALUE *cnf);
-GENERAL_NAME *v2i_GENERAL_NAME_ex(GENERAL_NAME *out,
- const X509V3_EXT_METHOD *method,
- X509V3_CTX *ctx, CONF_VALUE *cnf,
- int is_nc);
-void X509V3_conf_free(CONF_VALUE *val);
-
-X509_EXTENSION *X509V3_EXT_nconf_nid(CONF *conf, X509V3_CTX *ctx, int ext_nid,
- char *value);
-X509_EXTENSION *X509V3_EXT_nconf(CONF *conf, X509V3_CTX *ctx, char *name,
- char *value);
-int X509V3_EXT_add_nconf_sk(CONF *conf, X509V3_CTX *ctx, char *section,
- STACK_OF(X509_EXTENSION) **sk);
-int X509V3_EXT_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section,
- X509 *cert);
-int X509V3_EXT_REQ_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section,
- X509_REQ *req);
-int X509V3_EXT_CRL_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section,
- X509_CRL *crl);
-
-X509_EXTENSION *X509V3_EXT_conf_nid(LHASH_OF(CONF_VALUE) *conf,
- X509V3_CTX *ctx, int ext_nid,
- char *value);
-X509_EXTENSION *X509V3_EXT_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
- char *name, char *value);
-int X509V3_EXT_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
- char *section, X509 *cert);
-int X509V3_EXT_REQ_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
- char *section, X509_REQ *req);
-int X509V3_EXT_CRL_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
- char *section, X509_CRL *crl);
-
-int X509V3_add_value_bool_nf(char *name, int asn1_bool,
- STACK_OF(CONF_VALUE) **extlist);
-int X509V3_get_value_bool(CONF_VALUE *value, int *asn1_bool);
-int X509V3_get_value_int(CONF_VALUE *value, ASN1_INTEGER **aint);
-void X509V3_set_nconf(X509V3_CTX *ctx, CONF *conf);
-void X509V3_set_conf_lhash(X509V3_CTX *ctx, LHASH_OF(CONF_VALUE) *lhash);
-# endif
-
-char *X509V3_get_string(X509V3_CTX *ctx, char *name, char *section);
-STACK_OF(CONF_VALUE) *X509V3_get_section(X509V3_CTX *ctx, char *section);
-void X509V3_string_free(X509V3_CTX *ctx, char *str);
-void X509V3_section_free(X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *section);
-void X509V3_set_ctx(X509V3_CTX *ctx, X509 *issuer, X509 *subject,
- X509_REQ *req, X509_CRL *crl, int flags);
-
-int X509V3_add_value(const char *name, const char *value,
- STACK_OF(CONF_VALUE) **extlist);
-int X509V3_add_value_uchar(const char *name, const unsigned char *value,
- STACK_OF(CONF_VALUE) **extlist);
-int X509V3_add_value_bool(const char *name, int asn1_bool,
- STACK_OF(CONF_VALUE) **extlist);
-int X509V3_add_value_int(const char *name, ASN1_INTEGER *aint,
- STACK_OF(CONF_VALUE) **extlist);
-char *i2s_ASN1_INTEGER(X509V3_EXT_METHOD *meth, ASN1_INTEGER *aint);
-ASN1_INTEGER *s2i_ASN1_INTEGER(X509V3_EXT_METHOD *meth, char *value);
-char *i2s_ASN1_ENUMERATED(X509V3_EXT_METHOD *meth, ASN1_ENUMERATED *aint);
-char *i2s_ASN1_ENUMERATED_TABLE(X509V3_EXT_METHOD *meth,
- ASN1_ENUMERATED *aint);
-int X509V3_EXT_add(X509V3_EXT_METHOD *ext);
-int X509V3_EXT_add_list(X509V3_EXT_METHOD *extlist);
-int X509V3_EXT_add_alias(int nid_to, int nid_from);
-void X509V3_EXT_cleanup(void);
-
-const X509V3_EXT_METHOD *X509V3_EXT_get(X509_EXTENSION *ext);
-const X509V3_EXT_METHOD *X509V3_EXT_get_nid(int nid);
-int X509V3_add_standard_extensions(void);
-STACK_OF(CONF_VALUE) *X509V3_parse_list(const char *line);
-void *X509V3_EXT_d2i(X509_EXTENSION *ext);
-void *X509V3_get_d2i(STACK_OF(X509_EXTENSION) *x, int nid, int *crit,
- int *idx);
-int X509V3_EXT_free(int nid, void *ext_data);
-
-X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, void *ext_struc);
-int X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value,
- int crit, unsigned long flags);
-
-char *hex_to_string(const unsigned char *buffer, long len);
-unsigned char *string_to_hex(const char *str, long *len);
-int name_cmp(const char *name, const char *cmp);
-
-void X509V3_EXT_val_prn(BIO *out, STACK_OF(CONF_VALUE) *val, int indent,
- int ml);
-int X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, unsigned long flag,
- int indent);
-int X509V3_EXT_print_fp(FILE *out, X509_EXTENSION *ext, int flag, int indent);
-
-int X509V3_extensions_print(BIO *out, char *title,
- STACK_OF(X509_EXTENSION) *exts,
- unsigned long flag, int indent);
-
-int X509_check_ca(X509 *x);
-int X509_check_purpose(X509 *x, int id, int ca);
-int X509_supported_extension(X509_EXTENSION *ex);
-int X509_PURPOSE_set(int *p, int purpose);
-int X509_check_issued(X509 *issuer, X509 *subject);
-int X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid);
-int X509_PURPOSE_get_count(void);
-X509_PURPOSE *X509_PURPOSE_get0(int idx);
-int X509_PURPOSE_get_by_sname(char *sname);
-int X509_PURPOSE_get_by_id(int id);
-int X509_PURPOSE_add(int id, int trust, int flags,
- int (*ck) (const X509_PURPOSE *, const X509 *, int),
- char *name, char *sname, void *arg);
-char *X509_PURPOSE_get0_name(X509_PURPOSE *xp);
-char *X509_PURPOSE_get0_sname(X509_PURPOSE *xp);
-int X509_PURPOSE_get_trust(X509_PURPOSE *xp);
-void X509_PURPOSE_cleanup(void);
-int X509_PURPOSE_get_id(X509_PURPOSE *);
-
-STACK_OF(OPENSSL_STRING) *X509_get1_email(X509 *x);
-STACK_OF(OPENSSL_STRING) *X509_REQ_get1_email(X509_REQ *x);
-void X509_email_free(STACK_OF(OPENSSL_STRING) *sk);
-STACK_OF(OPENSSL_STRING) *X509_get1_ocsp(X509 *x);
-/* Flags for X509_check_* functions */
-
-/*
- * Always check subject name for host match even if subject alt names present
- */
-# define X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT 0x1
-/* Disable wildcard matching for dnsName fields and common name. */
-# define X509_CHECK_FLAG_NO_WILDCARDS 0x2
-/* Wildcards must not match a partial label. */
-# define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0x4
-/* Allow (non-partial) wildcards to match multiple labels. */
-# define X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS 0x8
-/* Constraint verifier subdomain patterns to match a single labels. */
-# define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0x10
-/*
- * Match reference identifiers starting with "." to any sub-domain.
- * This is a non-public flag, turned on implicitly when the subject
- * reference identity is a DNS name.
- */
-# define _X509_CHECK_FLAG_DOT_SUBDOMAINS 0x8000
-
-int X509_check_host(X509 *x, const char *chk, size_t chklen,
- unsigned int flags, char **peername);
-int X509_check_email(X509 *x, const char *chk, size_t chklen,
- unsigned int flags);
-int X509_check_ip(X509 *x, const unsigned char *chk, size_t chklen,
- unsigned int flags);
-int X509_check_ip_asc(X509 *x, const char *ipasc, unsigned int flags);
-
-ASN1_OCTET_STRING *a2i_IPADDRESS(const char *ipasc);
-ASN1_OCTET_STRING *a2i_IPADDRESS_NC(const char *ipasc);
-int a2i_ipadd(unsigned char *ipout, const char *ipasc);
-int X509V3_NAME_from_section(X509_NAME *nm, STACK_OF(CONF_VALUE) *dn_sk,
- unsigned long chtype);
-
-void X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent);
-DECLARE_STACK_OF(X509_POLICY_NODE)
-
-# ifndef OPENSSL_NO_RFC3779
-
-typedef struct ASRange_st {
- ASN1_INTEGER *min, *max;
-} ASRange;
-
-# define ASIdOrRange_id 0
-# define ASIdOrRange_range 1
-
-typedef struct ASIdOrRange_st {
- int type;
- union {
- ASN1_INTEGER *id;
- ASRange *range;
- } u;
-} ASIdOrRange;
-
-typedef STACK_OF(ASIdOrRange) ASIdOrRanges;
-DECLARE_STACK_OF(ASIdOrRange)
-
-# define ASIdentifierChoice_inherit 0
-# define ASIdentifierChoice_asIdsOrRanges 1
-
-typedef struct ASIdentifierChoice_st {
- int type;
- union {
- ASN1_NULL *inherit;
- ASIdOrRanges *asIdsOrRanges;
- } u;
-} ASIdentifierChoice;
-
-typedef struct ASIdentifiers_st {
- ASIdentifierChoice *asnum, *rdi;
-} ASIdentifiers;
-
-DECLARE_ASN1_FUNCTIONS(ASRange)
-DECLARE_ASN1_FUNCTIONS(ASIdOrRange)
-DECLARE_ASN1_FUNCTIONS(ASIdentifierChoice)
-DECLARE_ASN1_FUNCTIONS(ASIdentifiers)
-
-typedef struct IPAddressRange_st {
- ASN1_BIT_STRING *min, *max;
-} IPAddressRange;
-
-# define IPAddressOrRange_addressPrefix 0
-# define IPAddressOrRange_addressRange 1
-
-typedef struct IPAddressOrRange_st {
- int type;
- union {
- ASN1_BIT_STRING *addressPrefix;
- IPAddressRange *addressRange;
- } u;
-} IPAddressOrRange;
-
-typedef STACK_OF(IPAddressOrRange) IPAddressOrRanges;
-DECLARE_STACK_OF(IPAddressOrRange)
-
-# define IPAddressChoice_inherit 0
-# define IPAddressChoice_addressesOrRanges 1
-
-typedef struct IPAddressChoice_st {
- int type;
- union {
- ASN1_NULL *inherit;
- IPAddressOrRanges *addressesOrRanges;
- } u;
-} IPAddressChoice;
-
-typedef struct IPAddressFamily_st {
- ASN1_OCTET_STRING *addressFamily;
- IPAddressChoice *ipAddressChoice;
-} IPAddressFamily;
-
-typedef STACK_OF(IPAddressFamily) IPAddrBlocks;
-DECLARE_STACK_OF(IPAddressFamily)
-
-DECLARE_ASN1_FUNCTIONS(IPAddressRange)
-DECLARE_ASN1_FUNCTIONS(IPAddressOrRange)
-DECLARE_ASN1_FUNCTIONS(IPAddressChoice)
-DECLARE_ASN1_FUNCTIONS(IPAddressFamily)
-
-/*
- * API tag for elements of the ASIdentifer SEQUENCE.
- */
-# define V3_ASID_ASNUM 0
-# define V3_ASID_RDI 1
-
-/*
- * AFI values, assigned by IANA. It'd be nice to make the AFI
- * handling code totally generic, but there are too many little things
- * that would need to be defined for other address families for it to
- * be worth the trouble.
- */
-# define IANA_AFI_IPV4 1
-# define IANA_AFI_IPV6 2
-
-/*
- * Utilities to construct and extract values from RFC3779 extensions,
- * since some of the encodings (particularly for IP address prefixes
- * and ranges) are a bit tedious to work with directly.
- */
-int v3_asid_add_inherit(ASIdentifiers *asid, int which);
-int v3_asid_add_id_or_range(ASIdentifiers *asid, int which,
- ASN1_INTEGER *min, ASN1_INTEGER *max);
-int v3_addr_add_inherit(IPAddrBlocks *addr,
- const unsigned afi, const unsigned *safi);
-int v3_addr_add_prefix(IPAddrBlocks *addr,
- const unsigned afi, const unsigned *safi,
- unsigned char *a, const int prefixlen);
-int v3_addr_add_range(IPAddrBlocks *addr,
- const unsigned afi, const unsigned *safi,
- unsigned char *min, unsigned char *max);
-unsigned v3_addr_get_afi(const IPAddressFamily *f);
-int v3_addr_get_range(IPAddressOrRange *aor, const unsigned afi,
- unsigned char *min, unsigned char *max,
- const int length);
-
-/*
- * Canonical forms.
- */
-int v3_asid_is_canonical(ASIdentifiers *asid);
-int v3_addr_is_canonical(IPAddrBlocks *addr);
-int v3_asid_canonize(ASIdentifiers *asid);
-int v3_addr_canonize(IPAddrBlocks *addr);
-
-/*
- * Tests for inheritance and containment.
- */
-int v3_asid_inherits(ASIdentifiers *asid);
-int v3_addr_inherits(IPAddrBlocks *addr);
-int v3_asid_subset(ASIdentifiers *a, ASIdentifiers *b);
-int v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b);
-
-/*
- * Check whether RFC 3779 extensions nest properly in chains.
- */
-int v3_asid_validate_path(X509_STORE_CTX *);
-int v3_addr_validate_path(X509_STORE_CTX *);
-int v3_asid_validate_resource_set(STACK_OF(X509) *chain,
- ASIdentifiers *ext, int allow_inheritance);
-int v3_addr_validate_resource_set(STACK_OF(X509) *chain,
- IPAddrBlocks *ext, int allow_inheritance);
-
-# endif /* OPENSSL_NO_RFC3779 */
-
-/* BEGIN ERROR CODES */
-/*
- * The following lines are auto generated by the script mkerr.pl. Any changes
- * made after this point may be overwritten when the script is next run.
- */
-void ERR_load_X509V3_strings(void);
-
-/* Error codes for the X509V3 functions. */
-
-/* Function codes. */
-# define X509V3_F_A2I_GENERAL_NAME 164
-# define X509V3_F_ASIDENTIFIERCHOICE_CANONIZE 161
-# define X509V3_F_ASIDENTIFIERCHOICE_IS_CANONICAL 162
-# define X509V3_F_COPY_EMAIL 122
-# define X509V3_F_COPY_ISSUER 123
-# define X509V3_F_DO_DIRNAME 144
-# define X509V3_F_DO_EXT_CONF 124
-# define X509V3_F_DO_EXT_I2D 135
-# define X509V3_F_DO_EXT_NCONF 151
-# define X509V3_F_DO_I2V_NAME_CONSTRAINTS 148
-# define X509V3_F_GNAMES_FROM_SECTNAME 156
-# define X509V3_F_HEX_TO_STRING 111
-# define X509V3_F_I2S_ASN1_ENUMERATED 121
-# define X509V3_F_I2S_ASN1_IA5STRING 149
-# define X509V3_F_I2S_ASN1_INTEGER 120
-# define X509V3_F_I2V_AUTHORITY_INFO_ACCESS 138
-# define X509V3_F_NOTICE_SECTION 132
-# define X509V3_F_NREF_NOS 133
-# define X509V3_F_POLICY_SECTION 131
-# define X509V3_F_PROCESS_PCI_VALUE 150
-# define X509V3_F_R2I_CERTPOL 130
-# define X509V3_F_R2I_PCI 155
-# define X509V3_F_S2I_ASN1_IA5STRING 100
-# define X509V3_F_S2I_ASN1_INTEGER 108
-# define X509V3_F_S2I_ASN1_OCTET_STRING 112
-# define X509V3_F_S2I_ASN1_SKEY_ID 114
-# define X509V3_F_S2I_SKEY_ID 115
-# define X509V3_F_SET_DIST_POINT_NAME 158
-# define X509V3_F_STRING_TO_HEX 113
-# define X509V3_F_SXNET_ADD_ID_ASC 125
-# define X509V3_F_SXNET_ADD_ID_INTEGER 126
-# define X509V3_F_SXNET_ADD_ID_ULONG 127
-# define X509V3_F_SXNET_GET_ID_ASC 128
-# define X509V3_F_SXNET_GET_ID_ULONG 129
-# define X509V3_F_V2I_ASIDENTIFIERS 163
-# define X509V3_F_V2I_ASN1_BIT_STRING 101
-# define X509V3_F_V2I_AUTHORITY_INFO_ACCESS 139
-# define X509V3_F_V2I_AUTHORITY_KEYID 119
-# define X509V3_F_V2I_BASIC_CONSTRAINTS 102
-# define X509V3_F_V2I_CRLD 134
-# define X509V3_F_V2I_EXTENDED_KEY_USAGE 103
-# define X509V3_F_V2I_GENERAL_NAMES 118
-# define X509V3_F_V2I_GENERAL_NAME_EX 117
-# define X509V3_F_V2I_IDP 157
-# define X509V3_F_V2I_IPADDRBLOCKS 159
-# define X509V3_F_V2I_ISSUER_ALT 153
-# define X509V3_F_V2I_NAME_CONSTRAINTS 147
-# define X509V3_F_V2I_POLICY_CONSTRAINTS 146
-# define X509V3_F_V2I_POLICY_MAPPINGS 145
-# define X509V3_F_V2I_SUBJECT_ALT 154
-# define X509V3_F_V3_ADDR_VALIDATE_PATH_INTERNAL 160
-# define X509V3_F_V3_GENERIC_EXTENSION 116
-# define X509V3_F_X509V3_ADD1_I2D 140
-# define X509V3_F_X509V3_ADD_VALUE 105
-# define X509V3_F_X509V3_EXT_ADD 104
-# define X509V3_F_X509V3_EXT_ADD_ALIAS 106
-# define X509V3_F_X509V3_EXT_CONF 107
-# define X509V3_F_X509V3_EXT_FREE 165
-# define X509V3_F_X509V3_EXT_I2D 136
-# define X509V3_F_X509V3_EXT_NCONF 152
-# define X509V3_F_X509V3_GET_SECTION 142
-# define X509V3_F_X509V3_GET_STRING 143
-# define X509V3_F_X509V3_GET_VALUE_BOOL 110
-# define X509V3_F_X509V3_PARSE_LIST 109
-# define X509V3_F_X509_PURPOSE_ADD 137
-# define X509V3_F_X509_PURPOSE_SET 141
-
-/* Reason codes. */
-# define X509V3_R_BAD_IP_ADDRESS 118
-# define X509V3_R_BAD_OBJECT 119
-# define X509V3_R_BN_DEC2BN_ERROR 100
-# define X509V3_R_BN_TO_ASN1_INTEGER_ERROR 101
-# define X509V3_R_CANNOT_FIND_FREE_FUNCTION 168
-# define X509V3_R_DIRNAME_ERROR 149
-# define X509V3_R_DISTPOINT_ALREADY_SET 160
-# define X509V3_R_DUPLICATE_ZONE_ID 133
-# define X509V3_R_ERROR_CONVERTING_ZONE 131
-# define X509V3_R_ERROR_CREATING_EXTENSION 144
-# define X509V3_R_ERROR_IN_EXTENSION 128
-# define X509V3_R_EXPECTED_A_SECTION_NAME 137
-# define X509V3_R_EXTENSION_EXISTS 145
-# define X509V3_R_EXTENSION_NAME_ERROR 115
-# define X509V3_R_EXTENSION_NOT_FOUND 102
-# define X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED 103
-# define X509V3_R_EXTENSION_VALUE_ERROR 116
-# define X509V3_R_ILLEGAL_EMPTY_EXTENSION 151
-# define X509V3_R_ILLEGAL_HEX_DIGIT 113
-# define X509V3_R_INCORRECT_POLICY_SYNTAX_TAG 152
-# define X509V3_R_INVALID_ASNUMBER 162
-# define X509V3_R_INVALID_ASRANGE 163
-# define X509V3_R_INVALID_BOOLEAN_STRING 104
-# define X509V3_R_INVALID_EXTENSION_STRING 105
-# define X509V3_R_INVALID_INHERITANCE 165
-# define X509V3_R_INVALID_IPADDRESS 166
-# define X509V3_R_INVALID_MULTIPLE_RDNS 161
-# define X509V3_R_INVALID_NAME 106
-# define X509V3_R_INVALID_NULL_ARGUMENT 107
-# define X509V3_R_INVALID_NULL_NAME 108
-# define X509V3_R_INVALID_NULL_VALUE 109
-# define X509V3_R_INVALID_NUMBER 140
-# define X509V3_R_INVALID_NUMBERS 141
-# define X509V3_R_INVALID_OBJECT_IDENTIFIER 110
-# define X509V3_R_INVALID_OPTION 138
-# define X509V3_R_INVALID_POLICY_IDENTIFIER 134
-# define X509V3_R_INVALID_PROXY_POLICY_SETTING 153
-# define X509V3_R_INVALID_PURPOSE 146
-# define X509V3_R_INVALID_SAFI 164
-# define X509V3_R_INVALID_SECTION 135
-# define X509V3_R_INVALID_SYNTAX 143
-# define X509V3_R_ISSUER_DECODE_ERROR 126
-# define X509V3_R_MISSING_VALUE 124
-# define X509V3_R_NEED_ORGANIZATION_AND_NUMBERS 142
-# define X509V3_R_NO_CONFIG_DATABASE 136
-# define X509V3_R_NO_ISSUER_CERTIFICATE 121
-# define X509V3_R_NO_ISSUER_DETAILS 127
-# define X509V3_R_NO_POLICY_IDENTIFIER 139
-# define X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED 154
-# define X509V3_R_NO_PUBLIC_KEY 114
-# define X509V3_R_NO_SUBJECT_DETAILS 125
-# define X509V3_R_ODD_NUMBER_OF_DIGITS 112
-# define X509V3_R_OPERATION_NOT_DEFINED 148
-# define X509V3_R_OTHERNAME_ERROR 147
-# define X509V3_R_POLICY_LANGUAGE_ALREADY_DEFINED 155
-# define X509V3_R_POLICY_PATH_LENGTH 156
-# define X509V3_R_POLICY_PATH_LENGTH_ALREADY_DEFINED 157
-# define X509V3_R_POLICY_SYNTAX_NOT_CURRENTLY_SUPPORTED 158
-# define X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY 159
-# define X509V3_R_SECTION_NOT_FOUND 150
-# define X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS 122
-# define X509V3_R_UNABLE_TO_GET_ISSUER_KEYID 123
-# define X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT 111
-# define X509V3_R_UNKNOWN_EXTENSION 129
-# define X509V3_R_UNKNOWN_EXTENSION_NAME 130
-# define X509V3_R_UNKNOWN_OPTION 120
-# define X509V3_R_UNSUPPORTED_OPTION 117
-# define X509V3_R_UNSUPPORTED_TYPE 167
-# define X509V3_R_USER_TOO_LONG 132
-
-#ifdef __cplusplus
-}
-#endif
-#endif