diff options
Diffstat (limited to 'openssl/crypto/x509v3')
42 files changed, 0 insertions, 13634 deletions
diff --git a/openssl/crypto/x509v3/ext_dat.h b/openssl/crypto/x509v3/ext_dat.h deleted file mode 100644 index 76daee6f..00000000 --- a/openssl/crypto/x509v3/ext_dat.h +++ /dev/null @@ -1,132 +0,0 @@ -/* ext_dat.h */ -/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL - * project 1999. - */ -/* ==================================================================== - * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ -/* This file contains a table of "standard" extensions */ - -extern X509V3_EXT_METHOD v3_bcons, v3_nscert, v3_key_usage, v3_ext_ku; -extern X509V3_EXT_METHOD v3_pkey_usage_period, v3_sxnet, v3_info, v3_sinfo; -extern X509V3_EXT_METHOD v3_ns_ia5_list[], v3_alt[], v3_skey_id, v3_akey_id; -extern X509V3_EXT_METHOD v3_crl_num, v3_crl_reason, v3_crl_invdate; -extern X509V3_EXT_METHOD v3_delta_crl, v3_cpols, v3_crld, v3_freshest_crl; -extern X509V3_EXT_METHOD v3_ocsp_nonce, v3_ocsp_accresp, v3_ocsp_acutoff; -extern X509V3_EXT_METHOD v3_ocsp_crlid, v3_ocsp_nocheck, v3_ocsp_serviceloc; -extern X509V3_EXT_METHOD v3_crl_hold, v3_pci; -extern X509V3_EXT_METHOD v3_policy_mappings, v3_policy_constraints; -extern X509V3_EXT_METHOD v3_name_constraints, v3_inhibit_anyp, v3_idp; -extern X509V3_EXT_METHOD v3_addr, v3_asid; - -/* This table will be searched using OBJ_bsearch so it *must* kept in - * order of the ext_nid values. - */ - -static const X509V3_EXT_METHOD *standard_exts[] = { -&v3_nscert, -&v3_ns_ia5_list[0], -&v3_ns_ia5_list[1], -&v3_ns_ia5_list[2], -&v3_ns_ia5_list[3], -&v3_ns_ia5_list[4], -&v3_ns_ia5_list[5], -&v3_ns_ia5_list[6], -&v3_skey_id, -&v3_key_usage, -&v3_pkey_usage_period, -&v3_alt[0], -&v3_alt[1], -&v3_bcons, -&v3_crl_num, -&v3_cpols, -&v3_akey_id, -&v3_crld, -&v3_ext_ku, -&v3_delta_crl, -&v3_crl_reason, -#ifndef OPENSSL_NO_OCSP -&v3_crl_invdate, -#endif -&v3_sxnet, -&v3_info, -#ifndef OPENSSL_NO_RFC3779 -&v3_addr, -&v3_asid, -#endif -#ifndef OPENSSL_NO_OCSP -&v3_ocsp_nonce, -&v3_ocsp_crlid, -&v3_ocsp_accresp, -&v3_ocsp_nocheck, -&v3_ocsp_acutoff, -&v3_ocsp_serviceloc, -#endif -&v3_sinfo, -&v3_policy_constraints, -#ifndef OPENSSL_NO_OCSP -&v3_crl_hold, -#endif -&v3_pci, -&v3_name_constraints, -&v3_policy_mappings, -&v3_inhibit_anyp, -&v3_idp, -&v3_alt[2], -&v3_freshest_crl, -}; - -/* Number of standard extensions */ - -#define STANDARD_EXTENSION_COUNT (sizeof(standard_exts)/sizeof(X509V3_EXT_METHOD *)) - diff --git a/openssl/crypto/x509v3/pcy_cache.c b/openssl/crypto/x509v3/pcy_cache.c deleted file mode 100644 index 172b7e7e..00000000 --- a/openssl/crypto/x509v3/pcy_cache.c +++ /dev/null @@ -1,286 +0,0 @@ -/* pcy_cache.c */ -/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL - * project 2004. - */ -/* ==================================================================== - * Copyright (c) 2004 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#include "cryptlib.h" -#include <openssl/x509.h> -#include <openssl/x509v3.h> - -#include "pcy_int.h" - -static int policy_data_cmp(const X509_POLICY_DATA * const *a, - const X509_POLICY_DATA * const *b); -static int policy_cache_set_int(long *out, ASN1_INTEGER *value); - -/* Set cache entry according to CertificatePolicies extension. - * Note: this destroys the passed CERTIFICATEPOLICIES structure. - */ - -static int policy_cache_create(X509 *x, - CERTIFICATEPOLICIES *policies, int crit) - { - int i; - int ret = 0; - X509_POLICY_CACHE *cache = x->policy_cache; - X509_POLICY_DATA *data = NULL; - POLICYINFO *policy; - if (sk_POLICYINFO_num(policies) == 0) - goto bad_policy; - cache->data = sk_X509_POLICY_DATA_new(policy_data_cmp); - if (!cache->data) - goto bad_policy; - for (i = 0; i < sk_POLICYINFO_num(policies); i++) - { - policy = sk_POLICYINFO_value(policies, i); - data = policy_data_new(policy, NULL, crit); - if (!data) - goto bad_policy; - /* Duplicate policy OIDs are illegal: reject if matches - * found. - */ - if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) - { - if (cache->anyPolicy) - { - ret = -1; - goto bad_policy; - } - cache->anyPolicy = data; - } - else if (sk_X509_POLICY_DATA_find(cache->data, data) != -1) - { - ret = -1; - goto bad_policy; - } - else if (!sk_X509_POLICY_DATA_push(cache->data, data)) - goto bad_policy; - data = NULL; - } - ret = 1; - bad_policy: - if (ret == -1) - x->ex_flags |= EXFLAG_INVALID_POLICY; - if (data) - policy_data_free(data); - sk_POLICYINFO_pop_free(policies, POLICYINFO_free); - if (ret <= 0) - { - sk_X509_POLICY_DATA_pop_free(cache->data, policy_data_free); - cache->data = NULL; - } - return ret; - } - - -static int policy_cache_new(X509 *x) - { - X509_POLICY_CACHE *cache; - ASN1_INTEGER *ext_any = NULL; - POLICY_CONSTRAINTS *ext_pcons = NULL; - CERTIFICATEPOLICIES *ext_cpols = NULL; - POLICY_MAPPINGS *ext_pmaps = NULL; - int i; - cache = OPENSSL_malloc(sizeof(X509_POLICY_CACHE)); - if (!cache) - return 0; - cache->anyPolicy = NULL; - cache->data = NULL; - cache->any_skip = -1; - cache->explicit_skip = -1; - cache->map_skip = -1; - - x->policy_cache = cache; - - /* Handle requireExplicitPolicy *first*. Need to process this - * even if we don't have any policies. - */ - ext_pcons = X509_get_ext_d2i(x, NID_policy_constraints, &i, NULL); - - if (!ext_pcons) - { - if (i != -1) - goto bad_cache; - } - else - { - if (!ext_pcons->requireExplicitPolicy - && !ext_pcons->inhibitPolicyMapping) - goto bad_cache; - if (!policy_cache_set_int(&cache->explicit_skip, - ext_pcons->requireExplicitPolicy)) - goto bad_cache; - if (!policy_cache_set_int(&cache->map_skip, - ext_pcons->inhibitPolicyMapping)) - goto bad_cache; - } - - /* Process CertificatePolicies */ - - ext_cpols = X509_get_ext_d2i(x, NID_certificate_policies, &i, NULL); - /* If no CertificatePolicies extension or problem decoding then - * there is no point continuing because the valid policies will be - * NULL. - */ - if (!ext_cpols) - { - /* If not absent some problem with extension */ - if (i != -1) - goto bad_cache; - return 1; - } - - i = policy_cache_create(x, ext_cpols, i); - - /* NB: ext_cpols freed by policy_cache_set_policies */ - - if (i <= 0) - return i; - - ext_pmaps = X509_get_ext_d2i(x, NID_policy_mappings, &i, NULL); - - if (!ext_pmaps) - { - /* If not absent some problem with extension */ - if (i != -1) - goto bad_cache; - } - else - { - i = policy_cache_set_mapping(x, ext_pmaps); - if (i <= 0) - goto bad_cache; - } - - ext_any = X509_get_ext_d2i(x, NID_inhibit_any_policy, &i, NULL); - - if (!ext_any) - { - if (i != -1) - goto bad_cache; - } - else if (!policy_cache_set_int(&cache->any_skip, ext_any)) - goto bad_cache; - - if (0) - { - bad_cache: - x->ex_flags |= EXFLAG_INVALID_POLICY; - } - - if(ext_pcons) - POLICY_CONSTRAINTS_free(ext_pcons); - - if (ext_any) - ASN1_INTEGER_free(ext_any); - - return 1; - - -} - -void policy_cache_free(X509_POLICY_CACHE *cache) - { - if (!cache) - return; - if (cache->anyPolicy) - policy_data_free(cache->anyPolicy); - if (cache->data) - sk_X509_POLICY_DATA_pop_free(cache->data, policy_data_free); - OPENSSL_free(cache); - } - -const X509_POLICY_CACHE *policy_cache_set(X509 *x) - { - - if (x->policy_cache == NULL) - { - CRYPTO_w_lock(CRYPTO_LOCK_X509); - policy_cache_new(x); - CRYPTO_w_unlock(CRYPTO_LOCK_X509); - } - - return x->policy_cache; - - } - -X509_POLICY_DATA *policy_cache_find_data(const X509_POLICY_CACHE *cache, - const ASN1_OBJECT *id) - { - int idx; - X509_POLICY_DATA tmp; - tmp.valid_policy = (ASN1_OBJECT *)id; - idx = sk_X509_POLICY_DATA_find(cache->data, &tmp); - if (idx == -1) - return NULL; - return sk_X509_POLICY_DATA_value(cache->data, idx); - } - -static int policy_data_cmp(const X509_POLICY_DATA * const *a, - const X509_POLICY_DATA * const *b) - { - return OBJ_cmp((*a)->valid_policy, (*b)->valid_policy); - } - -static int policy_cache_set_int(long *out, ASN1_INTEGER *value) - { - if (value == NULL) - return 1; - if (value->type == V_ASN1_NEG_INTEGER) - return 0; - *out = ASN1_INTEGER_get(value); - return 1; - } diff --git a/openssl/crypto/x509v3/pcy_data.c b/openssl/crypto/x509v3/pcy_data.c deleted file mode 100644 index 3444b031..00000000 --- a/openssl/crypto/x509v3/pcy_data.c +++ /dev/null @@ -1,135 +0,0 @@ -/* pcy_data.c */ -/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL - * project 2004. - */ -/* ==================================================================== - * Copyright (c) 2004 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#include "cryptlib.h" -#include <openssl/x509.h> -#include <openssl/x509v3.h> - -#include "pcy_int.h" - -/* Policy Node routines */ - -void policy_data_free(X509_POLICY_DATA *data) - { - ASN1_OBJECT_free(data->valid_policy); - /* Don't free qualifiers if shared */ - if (!(data->flags & POLICY_DATA_FLAG_SHARED_QUALIFIERS)) - sk_POLICYQUALINFO_pop_free(data->qualifier_set, - POLICYQUALINFO_free); - sk_ASN1_OBJECT_pop_free(data->expected_policy_set, ASN1_OBJECT_free); - OPENSSL_free(data); - } - -/* Create a data based on an existing policy. If 'id' is NULL use the - * oid in the policy, otherwise use 'id'. This behaviour covers the two - * types of data in RFC3280: data with from a CertificatePolcies extension - * and additional data with just the qualifiers of anyPolicy and ID from - * another source. - */ - -X509_POLICY_DATA *policy_data_new(POLICYINFO *policy, - const ASN1_OBJECT *cid, int crit) - { - X509_POLICY_DATA *ret; - ASN1_OBJECT *id; - if (!policy && !cid) - return NULL; - if (cid) - { - id = OBJ_dup(cid); - if (!id) - return NULL; - } - else - id = NULL; - ret = OPENSSL_malloc(sizeof(X509_POLICY_DATA)); - if (!ret) - return NULL; - ret->expected_policy_set = sk_ASN1_OBJECT_new_null(); - if (!ret->expected_policy_set) - { - OPENSSL_free(ret); - if (id) - ASN1_OBJECT_free(id); - return NULL; - } - - if (crit) - ret->flags = POLICY_DATA_FLAG_CRITICAL; - else - ret->flags = 0; - - if (id) - ret->valid_policy = id; - else - { - ret->valid_policy = policy->policyid; - policy->policyid = NULL; - } - - if (policy) - { - ret->qualifier_set = policy->qualifiers; - policy->qualifiers = NULL; - } - else - ret->qualifier_set = NULL; - - return ret; - } - diff --git a/openssl/crypto/x509v3/pcy_int.h b/openssl/crypto/x509v3/pcy_int.h deleted file mode 100644 index ccff9284..00000000 --- a/openssl/crypto/x509v3/pcy_int.h +++ /dev/null @@ -1,212 +0,0 @@ -/* pcy_int.h */ -/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL - * project 2004. - */ -/* ==================================================================== - * Copyright (c) 2004 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - - -typedef struct X509_POLICY_DATA_st X509_POLICY_DATA; - -DECLARE_STACK_OF(X509_POLICY_DATA) - -/* Internal structures */ - -/* This structure and the field names correspond to the Policy 'node' of - * RFC3280. NB this structure contains no pointers to parent or child - * data: X509_POLICY_NODE contains that. This means that the main policy data - * can be kept static and cached with the certificate. - */ - -struct X509_POLICY_DATA_st - { - unsigned int flags; - /* Policy OID and qualifiers for this data */ - ASN1_OBJECT *valid_policy; - STACK_OF(POLICYQUALINFO) *qualifier_set; - STACK_OF(ASN1_OBJECT) *expected_policy_set; - }; - -/* X509_POLICY_DATA flags values */ - -/* This flag indicates the structure has been mapped using a policy mapping - * extension. If policy mapping is not active its references get deleted. - */ - -#define POLICY_DATA_FLAG_MAPPED 0x1 - -/* This flag indicates the data doesn't correspond to a policy in Certificate - * Policies: it has been mapped to any policy. - */ - -#define POLICY_DATA_FLAG_MAPPED_ANY 0x2 - -/* AND with flags to see if any mapping has occurred */ - -#define POLICY_DATA_FLAG_MAP_MASK 0x3 - -/* qualifiers are shared and shouldn't be freed */ - -#define POLICY_DATA_FLAG_SHARED_QUALIFIERS 0x4 - -/* Parent node is an extra node and should be freed */ - -#define POLICY_DATA_FLAG_EXTRA_NODE 0x8 - -/* Corresponding CertificatePolicies is critical */ - -#define POLICY_DATA_FLAG_CRITICAL 0x10 - -/* This structure is cached with a certificate */ - -struct X509_POLICY_CACHE_st { - /* anyPolicy data or NULL if no anyPolicy */ - X509_POLICY_DATA *anyPolicy; - /* other policy data */ - STACK_OF(X509_POLICY_DATA) *data; - /* If InhibitAnyPolicy present this is its value or -1 if absent. */ - long any_skip; - /* If policyConstraints and requireExplicitPolicy present this is its - * value or -1 if absent. - */ - long explicit_skip; - /* If policyConstraints and policyMapping present this is its - * value or -1 if absent. - */ - long map_skip; - }; - -/*#define POLICY_CACHE_FLAG_CRITICAL POLICY_DATA_FLAG_CRITICAL*/ - -/* This structure represents the relationship between nodes */ - -struct X509_POLICY_NODE_st - { - /* node data this refers to */ - const X509_POLICY_DATA *data; - /* Parent node */ - X509_POLICY_NODE *parent; - /* Number of child nodes */ - int nchild; - }; - -struct X509_POLICY_LEVEL_st - { - /* Cert for this level */ - X509 *cert; - /* nodes at this level */ - STACK_OF(X509_POLICY_NODE) *nodes; - /* anyPolicy node */ - X509_POLICY_NODE *anyPolicy; - /* Extra data */ - /*STACK_OF(X509_POLICY_DATA) *extra_data;*/ - unsigned int flags; - }; - -struct X509_POLICY_TREE_st - { - /* This is the tree 'level' data */ - X509_POLICY_LEVEL *levels; - int nlevel; - /* Extra policy data when additional nodes (not from the certificate) - * are required. - */ - STACK_OF(X509_POLICY_DATA) *extra_data; - /* This is the authority constained policy set */ - STACK_OF(X509_POLICY_NODE) *auth_policies; - STACK_OF(X509_POLICY_NODE) *user_policies; - unsigned int flags; - }; - -/* Set if anyPolicy present in user policies */ -#define POLICY_FLAG_ANY_POLICY 0x2 - -/* Useful macros */ - -#define node_data_critical(data) (data->flags & POLICY_DATA_FLAG_CRITICAL) -#define node_critical(node) node_data_critical(node->data) - -/* Internal functions */ - -X509_POLICY_DATA *policy_data_new(POLICYINFO *policy, const ASN1_OBJECT *id, - int crit); -void policy_data_free(X509_POLICY_DATA *data); - -X509_POLICY_DATA *policy_cache_find_data(const X509_POLICY_CACHE *cache, - const ASN1_OBJECT *id); -int policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps); - - -STACK_OF(X509_POLICY_NODE) *policy_node_cmp_new(void); - -void policy_cache_init(void); - -void policy_cache_free(X509_POLICY_CACHE *cache); - -X509_POLICY_NODE *level_find_node(const X509_POLICY_LEVEL *level, - const X509_POLICY_NODE *parent, - const ASN1_OBJECT *id); - -X509_POLICY_NODE *tree_find_sk(STACK_OF(X509_POLICY_NODE) *sk, - const ASN1_OBJECT *id); - -X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level, - const X509_POLICY_DATA *data, - X509_POLICY_NODE *parent, - X509_POLICY_TREE *tree); -void policy_node_free(X509_POLICY_NODE *node); -int policy_node_match(const X509_POLICY_LEVEL *lvl, - const X509_POLICY_NODE *node, const ASN1_OBJECT *oid); - -const X509_POLICY_CACHE *policy_cache_set(X509 *x); diff --git a/openssl/crypto/x509v3/pcy_lib.c b/openssl/crypto/x509v3/pcy_lib.c deleted file mode 100644 index 93bfd927..00000000 --- a/openssl/crypto/x509v3/pcy_lib.c +++ /dev/null @@ -1,167 +0,0 @@ -/* pcy_lib.c */ -/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL - * project 2004. - */ -/* ==================================================================== - * Copyright (c) 2004 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - - -#include "cryptlib.h" -#include <openssl/x509.h> -#include <openssl/x509v3.h> - -#include "pcy_int.h" - -/* accessor functions */ - -/* X509_POLICY_TREE stuff */ - -int X509_policy_tree_level_count(const X509_POLICY_TREE *tree) - { - if (!tree) - return 0; - return tree->nlevel; - } - -X509_POLICY_LEVEL * - X509_policy_tree_get0_level(const X509_POLICY_TREE *tree, int i) - { - if (!tree || (i < 0) || (i >= tree->nlevel)) - return NULL; - return tree->levels + i; - } - -STACK_OF(X509_POLICY_NODE) * - X509_policy_tree_get0_policies(const X509_POLICY_TREE *tree) - { - if (!tree) - return NULL; - return tree->auth_policies; - } - -STACK_OF(X509_POLICY_NODE) * - X509_policy_tree_get0_user_policies(const X509_POLICY_TREE *tree) - { - if (!tree) - return NULL; - if (tree->flags & POLICY_FLAG_ANY_POLICY) - return tree->auth_policies; - else - return tree->user_policies; - } - -/* X509_POLICY_LEVEL stuff */ - -int X509_policy_level_node_count(X509_POLICY_LEVEL *level) - { - int n; - if (!level) - return 0; - if (level->anyPolicy) - n = 1; - else - n = 0; - if (level->nodes) - n += sk_X509_POLICY_NODE_num(level->nodes); - return n; - } - -X509_POLICY_NODE *X509_policy_level_get0_node(X509_POLICY_LEVEL *level, int i) - { - if (!level) - return NULL; - if (level->anyPolicy) - { - if (i == 0) - return level->anyPolicy; - i--; - } - return sk_X509_POLICY_NODE_value(level->nodes, i); - } - -/* X509_POLICY_NODE stuff */ - -const ASN1_OBJECT *X509_policy_node_get0_policy(const X509_POLICY_NODE *node) - { - if (!node) - return NULL; - return node->data->valid_policy; - } - -#if 0 -int X509_policy_node_get_critical(const X509_POLICY_NODE *node) - { - if (node_critical(node)) - return 1; - return 0; - } -#endif - -STACK_OF(POLICYQUALINFO) * - X509_policy_node_get0_qualifiers(const X509_POLICY_NODE *node) - { - if (!node) - return NULL; - return node->data->qualifier_set; - } - -const X509_POLICY_NODE * - X509_policy_node_get0_parent(const X509_POLICY_NODE *node) - { - if (!node) - return NULL; - return node->parent; - } - - diff --git a/openssl/crypto/x509v3/pcy_map.c b/openssl/crypto/x509v3/pcy_map.c deleted file mode 100644 index 21163b52..00000000 --- a/openssl/crypto/x509v3/pcy_map.c +++ /dev/null @@ -1,132 +0,0 @@ -/* pcy_map.c */ -/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL - * project 2004. - */ -/* ==================================================================== - * Copyright (c) 2004 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#include "cryptlib.h" -#include <openssl/x509.h> -#include <openssl/x509v3.h> - -#include "pcy_int.h" - -/* Set policy mapping entries in cache. - * Note: this modifies the passed POLICY_MAPPINGS structure - */ - -int policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps) - { - POLICY_MAPPING *map; - X509_POLICY_DATA *data; - X509_POLICY_CACHE *cache = x->policy_cache; - int i; - int ret = 0; - if (sk_POLICY_MAPPING_num(maps) == 0) - { - ret = -1; - goto bad_mapping; - } - for (i = 0; i < sk_POLICY_MAPPING_num(maps); i++) - { - map = sk_POLICY_MAPPING_value(maps, i); - /* Reject if map to or from anyPolicy */ - if ((OBJ_obj2nid(map->subjectDomainPolicy) == NID_any_policy) - || (OBJ_obj2nid(map->issuerDomainPolicy) == NID_any_policy)) - { - ret = -1; - goto bad_mapping; - } - - /* Attempt to find matching policy data */ - data = policy_cache_find_data(cache, map->issuerDomainPolicy); - /* If we don't have anyPolicy can't map */ - if (!data && !cache->anyPolicy) - continue; - - /* Create a NODE from anyPolicy */ - if (!data) - { - data = policy_data_new(NULL, map->issuerDomainPolicy, - cache->anyPolicy->flags - & POLICY_DATA_FLAG_CRITICAL); - if (!data) - goto bad_mapping; - data->qualifier_set = cache->anyPolicy->qualifier_set; - /*map->issuerDomainPolicy = NULL;*/ - data->flags |= POLICY_DATA_FLAG_MAPPED_ANY; - data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS; - if (!sk_X509_POLICY_DATA_push(cache->data, data)) - { - policy_data_free(data); - goto bad_mapping; - } - } - else - data->flags |= POLICY_DATA_FLAG_MAPPED; - if (!sk_ASN1_OBJECT_push(data->expected_policy_set, - map->subjectDomainPolicy)) - goto bad_mapping; - map->subjectDomainPolicy = NULL; - - } - - ret = 1; - bad_mapping: - if (ret == -1) - x->ex_flags |= EXFLAG_INVALID_POLICY; - sk_POLICY_MAPPING_pop_free(maps, POLICY_MAPPING_free); - return ret; - - } diff --git a/openssl/crypto/x509v3/pcy_node.c b/openssl/crypto/x509v3/pcy_node.c deleted file mode 100644 index bd1e7f1a..00000000 --- a/openssl/crypto/x509v3/pcy_node.c +++ /dev/null @@ -1,197 +0,0 @@ -/* pcy_node.c */ -/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL - * project 2004. - */ -/* ==================================================================== - * Copyright (c) 2004 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#include <openssl/asn1.h> -#include <openssl/x509.h> -#include <openssl/x509v3.h> - -#include "pcy_int.h" - -static int node_cmp(const X509_POLICY_NODE * const *a, - const X509_POLICY_NODE * const *b) - { - return OBJ_cmp((*a)->data->valid_policy, (*b)->data->valid_policy); - } - -STACK_OF(X509_POLICY_NODE) *policy_node_cmp_new(void) - { - return sk_X509_POLICY_NODE_new(node_cmp); - } - -X509_POLICY_NODE *tree_find_sk(STACK_OF(X509_POLICY_NODE) *nodes, - const ASN1_OBJECT *id) - { - X509_POLICY_DATA n; - X509_POLICY_NODE l; - int idx; - - n.valid_policy = (ASN1_OBJECT *)id; - l.data = &n; - - idx = sk_X509_POLICY_NODE_find(nodes, &l); - if (idx == -1) - return NULL; - - return sk_X509_POLICY_NODE_value(nodes, idx); - - } - -X509_POLICY_NODE *level_find_node(const X509_POLICY_LEVEL *level, - const X509_POLICY_NODE *parent, - const ASN1_OBJECT *id) - { - X509_POLICY_NODE *node; - int i; - for (i = 0; i < sk_X509_POLICY_NODE_num(level->nodes); i++) - { - node = sk_X509_POLICY_NODE_value(level->nodes, i); - if (node->parent == parent) - { - if (!OBJ_cmp(node->data->valid_policy, id)) - return node; - } - } - return NULL; - } - -X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level, - const X509_POLICY_DATA *data, - X509_POLICY_NODE *parent, - X509_POLICY_TREE *tree) - { - X509_POLICY_NODE *node; - node = OPENSSL_malloc(sizeof(X509_POLICY_NODE)); - if (!node) - return NULL; - node->data = data; - node->parent = parent; - node->nchild = 0; - if (level) - { - if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) - { - if (level->anyPolicy) - goto node_error; - level->anyPolicy = node; - } - else - { - - if (!level->nodes) - level->nodes = policy_node_cmp_new(); - if (!level->nodes) - goto node_error; - if (!sk_X509_POLICY_NODE_push(level->nodes, node)) - goto node_error; - } - } - - if (tree) - { - if (!tree->extra_data) - tree->extra_data = sk_X509_POLICY_DATA_new_null(); - if (!tree->extra_data) - goto node_error; - if (!sk_X509_POLICY_DATA_push(tree->extra_data, data)) - goto node_error; - } - - if (parent) - parent->nchild++; - - return node; - - node_error: - policy_node_free(node); - return 0; - - } - -void policy_node_free(X509_POLICY_NODE *node) - { - OPENSSL_free(node); - } - -/* See if a policy node matches a policy OID. If mapping enabled look through - * expected policy set otherwise just valid policy. - */ - -int policy_node_match(const X509_POLICY_LEVEL *lvl, - const X509_POLICY_NODE *node, const ASN1_OBJECT *oid) - { - int i; - ASN1_OBJECT *policy_oid; - const X509_POLICY_DATA *x = node->data; - - if ( (lvl->flags & X509_V_FLAG_INHIBIT_MAP) - || !(x->flags & POLICY_DATA_FLAG_MAP_MASK)) - { - if (!OBJ_cmp(x->valid_policy, oid)) - return 1; - return 0; - } - - for (i = 0; i < sk_ASN1_OBJECT_num(x->expected_policy_set); i++) - { - policy_oid = sk_ASN1_OBJECT_value(x->expected_policy_set, i); - if (!OBJ_cmp(policy_oid, oid)) - return 1; - } - return 0; - - } diff --git a/openssl/crypto/x509v3/pcy_tree.c b/openssl/crypto/x509v3/pcy_tree.c deleted file mode 100644 index bb977734..00000000 --- a/openssl/crypto/x509v3/pcy_tree.c +++ /dev/null @@ -1,872 +0,0 @@ -/* pcy_tree.c */ -/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL - * project 2004. - */ -/* ==================================================================== - * Copyright (c) 2004 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#include "cryptlib.h" -#include <openssl/x509.h> -#include <openssl/x509v3.h> - -#include "pcy_int.h" - -/* Enable this to print out the complete policy tree at various point during - * evaluation. - */ - -/*#define OPENSSL_POLICY_DEBUG*/ - -#ifdef OPENSSL_POLICY_DEBUG - -static void expected_print(BIO *err, X509_POLICY_LEVEL *lev, - X509_POLICY_NODE *node, int indent) - { - if ( (lev->flags & X509_V_FLAG_INHIBIT_MAP) - || !(node->data->flags & POLICY_DATA_FLAG_MAP_MASK)) - BIO_puts(err, " Not Mapped\n"); - else - { - int i; - STACK_OF(ASN1_OBJECT) *pset = node->data->expected_policy_set; - ASN1_OBJECT *oid; - BIO_puts(err, " Expected: "); - for (i = 0; i < sk_ASN1_OBJECT_num(pset); i++) - { - oid = sk_ASN1_OBJECT_value(pset, i); - if (i) - BIO_puts(err, ", "); - i2a_ASN1_OBJECT(err, oid); - } - BIO_puts(err, "\n"); - } - } - -static void tree_print(char *str, X509_POLICY_TREE *tree, - X509_POLICY_LEVEL *curr) - { - X509_POLICY_LEVEL *plev; - X509_POLICY_NODE *node; - int i; - BIO *err; - err = BIO_new_fp(stderr, BIO_NOCLOSE); - if (!curr) - curr = tree->levels + tree->nlevel; - else - curr++; - BIO_printf(err, "Level print after %s\n", str); - BIO_printf(err, "Printing Up to Level %ld\n", curr - tree->levels); - for (plev = tree->levels; plev != curr; plev++) - { - BIO_printf(err, "Level %ld, flags = %x\n", - plev - tree->levels, plev->flags); - for (i = 0; i < sk_X509_POLICY_NODE_num(plev->nodes); i++) - { - node = sk_X509_POLICY_NODE_value(plev->nodes, i); - X509_POLICY_NODE_print(err, node, 2); - expected_print(err, plev, node, 2); - BIO_printf(err, " Flags: %x\n", node->data->flags); - } - if (plev->anyPolicy) - X509_POLICY_NODE_print(err, plev->anyPolicy, 2); - } - - BIO_free(err); - - } -#else - -#define tree_print(a,b,c) /* */ - -#endif - -/* Initialize policy tree. Return values: - * 0 Some internal error occured. - * -1 Inconsistent or invalid extensions in certificates. - * 1 Tree initialized OK. - * 2 Policy tree is empty. - * 5 Tree OK and requireExplicitPolicy true. - * 6 Tree empty and requireExplicitPolicy true. - */ - -static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, - unsigned int flags) - { - X509_POLICY_TREE *tree; - X509_POLICY_LEVEL *level; - const X509_POLICY_CACHE *cache; - X509_POLICY_DATA *data = NULL; - X509 *x; - int ret = 1; - int i, n; - int explicit_policy; - int any_skip; - int map_skip; - *ptree = NULL; - n = sk_X509_num(certs); - -#if 0 - /* Disable policy mapping for now... */ - flags |= X509_V_FLAG_INHIBIT_MAP; -#endif - - if (flags & X509_V_FLAG_EXPLICIT_POLICY) - explicit_policy = 0; - else - explicit_policy = n + 1; - - if (flags & X509_V_FLAG_INHIBIT_ANY) - any_skip = 0; - else - any_skip = n + 1; - - if (flags & X509_V_FLAG_INHIBIT_MAP) - map_skip = 0; - else - map_skip = n + 1; - - /* Can't do anything with just a trust anchor */ - if (n == 1) - return 1; - /* First setup policy cache in all certificates apart from the - * trust anchor. Note any bad cache results on the way. Also can - * calculate explicit_policy value at this point. - */ - for (i = n - 2; i >= 0; i--) - { - x = sk_X509_value(certs, i); - X509_check_purpose(x, -1, -1); - cache = policy_cache_set(x); - /* If cache NULL something bad happened: return immediately */ - if (cache == NULL) - return 0; - /* If inconsistent extensions keep a note of it but continue */ - if (x->ex_flags & EXFLAG_INVALID_POLICY) - ret = -1; - /* Otherwise if we have no data (hence no CertificatePolicies) - * and haven't already set an inconsistent code note it. - */ - else if ((ret == 1) && !cache->data) - ret = 2; - if (explicit_policy > 0) - { - if (!(x->ex_flags & EXFLAG_SI)) - explicit_policy--; - if ((cache->explicit_skip != -1) - && (cache->explicit_skip < explicit_policy)) - explicit_policy = cache->explicit_skip; - } - } - - if (ret != 1) - { - if (ret == 2 && !explicit_policy) - return 6; - return ret; - } - - - /* If we get this far initialize the tree */ - - tree = OPENSSL_malloc(sizeof(X509_POLICY_TREE)); - - if (!tree) - return 0; - - tree->flags = 0; - tree->levels = OPENSSL_malloc(sizeof(X509_POLICY_LEVEL) * n); - tree->nlevel = 0; - tree->extra_data = NULL; - tree->auth_policies = NULL; - tree->user_policies = NULL; - - if (!tree->levels) - { - OPENSSL_free(tree); - return 0; - } - - memset(tree->levels, 0, n * sizeof(X509_POLICY_LEVEL)); - - tree->nlevel = n; - - level = tree->levels; - - /* Root data: initialize to anyPolicy */ - - data = policy_data_new(NULL, OBJ_nid2obj(NID_any_policy), 0); - - if (!data || !level_add_node(level, data, NULL, tree)) - goto bad_tree; - - for (i = n - 2; i >= 0; i--) - { - level++; - x = sk_X509_value(certs, i); - cache = policy_cache_set(x); - CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509); - level->cert = x; - - if (!cache->anyPolicy) - level->flags |= X509_V_FLAG_INHIBIT_ANY; - - /* Determine inhibit any and inhibit map flags */ - if (any_skip == 0) - { - /* Any matching allowed if certificate is self - * issued and not the last in the chain. - */ - if (!(x->ex_flags & EXFLAG_SI) || (i == 0)) - level->flags |= X509_V_FLAG_INHIBIT_ANY; - } - else - { - if (!(x->ex_flags & EXFLAG_SI)) - any_skip--; - if ((cache->any_skip >= 0) - && (cache->any_skip < any_skip)) - any_skip = cache->any_skip; - } - - if (map_skip == 0) - level->flags |= X509_V_FLAG_INHIBIT_MAP; - else - { - if (!(x->ex_flags & EXFLAG_SI)) - map_skip--; - if ((cache->map_skip >= 0) - && (cache->map_skip < map_skip)) - map_skip = cache->map_skip; - } - - } - - *ptree = tree; - - if (explicit_policy) - return 1; - else - return 5; - - bad_tree: - - X509_policy_tree_free(tree); - - return 0; - - } - -static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr, - const X509_POLICY_DATA *data) - { - X509_POLICY_LEVEL *last = curr - 1; - X509_POLICY_NODE *node; - int i, matched = 0; - /* Iterate through all in nodes linking matches */ - for (i = 0; i < sk_X509_POLICY_NODE_num(last->nodes); i++) - { - node = sk_X509_POLICY_NODE_value(last->nodes, i); - if (policy_node_match(last, node, data->valid_policy)) - { - if (!level_add_node(curr, data, node, NULL)) - return 0; - matched = 1; - } - } - if (!matched && last->anyPolicy) - { - if (!level_add_node(curr, data, last->anyPolicy, NULL)) - return 0; - } - return 1; - } - -/* This corresponds to RFC3280 6.1.3(d)(1): - * link any data from CertificatePolicies onto matching parent - * or anyPolicy if no match. - */ - -static int tree_link_nodes(X509_POLICY_LEVEL *curr, - const X509_POLICY_CACHE *cache) - { - int i; - X509_POLICY_DATA *data; - - for (i = 0; i < sk_X509_POLICY_DATA_num(cache->data); i++) - { - data = sk_X509_POLICY_DATA_value(cache->data, i); - /* If a node is mapped any it doesn't have a corresponding - * CertificatePolicies entry. - * However such an identical node would be created - * if anyPolicy matching is enabled because there would be - * no match with the parent valid_policy_set. So we create - * link because then it will have the mapping flags - * right and we can prune it later. - */ -#if 0 - if ((data->flags & POLICY_DATA_FLAG_MAPPED_ANY) - && !(curr->flags & X509_V_FLAG_INHIBIT_ANY)) - continue; -#endif - /* Look for matching nodes in previous level */ - if (!tree_link_matching_nodes(curr, data)) - return 0; - } - return 1; - } - -/* This corresponds to RFC3280 6.1.3(d)(2): - * Create new data for any unmatched policies in the parent and link - * to anyPolicy. - */ - -static int tree_add_unmatched(X509_POLICY_LEVEL *curr, - const X509_POLICY_CACHE *cache, - const ASN1_OBJECT *id, - X509_POLICY_NODE *node, - X509_POLICY_TREE *tree) - { - X509_POLICY_DATA *data; - if (id == NULL) - id = node->data->valid_policy; - /* Create a new node with qualifiers from anyPolicy and - * id from unmatched node. - */ - data = policy_data_new(NULL, id, node_critical(node)); - - if (data == NULL) - return 0; - /* Curr may not have anyPolicy */ - data->qualifier_set = cache->anyPolicy->qualifier_set; - data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS; - if (!level_add_node(curr, data, node, tree)) - { - policy_data_free(data); - return 0; - } - - return 1; - } - -static int tree_link_unmatched(X509_POLICY_LEVEL *curr, - const X509_POLICY_CACHE *cache, - X509_POLICY_NODE *node, - X509_POLICY_TREE *tree) - { - const X509_POLICY_LEVEL *last = curr - 1; - int i; - - if ( (last->flags & X509_V_FLAG_INHIBIT_MAP) - || !(node->data->flags & POLICY_DATA_FLAG_MAPPED)) - { - /* If no policy mapping: matched if one child present */ - if (node->nchild) - return 1; - if (!tree_add_unmatched(curr, cache, NULL, node, tree)) - return 0; - /* Add it */ - } - else - { - /* If mapping: matched if one child per expected policy set */ - STACK_OF(ASN1_OBJECT) *expset = node->data->expected_policy_set; - if (node->nchild == sk_ASN1_OBJECT_num(expset)) - return 1; - /* Locate unmatched nodes */ - for (i = 0; i < sk_ASN1_OBJECT_num(expset); i++) - { - ASN1_OBJECT *oid = sk_ASN1_OBJECT_value(expset, i); - if (level_find_node(curr, node, oid)) - continue; - if (!tree_add_unmatched(curr, cache, oid, node, tree)) - return 0; - } - - } - - return 1; - - } - -static int tree_link_any(X509_POLICY_LEVEL *curr, - const X509_POLICY_CACHE *cache, - X509_POLICY_TREE *tree) - { - int i; - /*X509_POLICY_DATA *data;*/ - X509_POLICY_NODE *node; - X509_POLICY_LEVEL *last = curr - 1; - - for (i = 0; i < sk_X509_POLICY_NODE_num(last->nodes); i++) - { - node = sk_X509_POLICY_NODE_value(last->nodes, i); - - if (!tree_link_unmatched(curr, cache, node, tree)) - return 0; - -#if 0 - - /* Skip any node with any children: we only want unmathced - * nodes. - * - * Note: need something better for policy mapping - * because each node may have multiple children - */ - if (node->nchild) - continue; - - /* Create a new node with qualifiers from anyPolicy and - * id from unmatched node. - */ - data = policy_data_new(NULL, node->data->valid_policy, - node_critical(node)); - - if (data == NULL) - return 0; - /* Curr may not have anyPolicy */ - data->qualifier_set = cache->anyPolicy->qualifier_set; - data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS; - if (!level_add_node(curr, data, node, tree)) - { - policy_data_free(data); - return 0; - } - -#endif - - } - /* Finally add link to anyPolicy */ - if (last->anyPolicy) - { - if (!level_add_node(curr, cache->anyPolicy, - last->anyPolicy, NULL)) - return 0; - } - return 1; - } - -/* Prune the tree: delete any child mapped child data on the current level - * then proceed up the tree deleting any data with no children. If we ever - * have no data on a level we can halt because the tree will be empty. - */ - -static int tree_prune(X509_POLICY_TREE *tree, X509_POLICY_LEVEL *curr) - { - STACK_OF(X509_POLICY_NODE) *nodes; - X509_POLICY_NODE *node; - int i; - nodes = curr->nodes; - if (curr->flags & X509_V_FLAG_INHIBIT_MAP) - { - for (i = sk_X509_POLICY_NODE_num(nodes) - 1; i >= 0; i--) - { - node = sk_X509_POLICY_NODE_value(nodes, i); - /* Delete any mapped data: see RFC3280 XXXX */ - if (node->data->flags & POLICY_DATA_FLAG_MAP_MASK) - { - node->parent->nchild--; - OPENSSL_free(node); - (void)sk_X509_POLICY_NODE_delete(nodes,i); - } - } - } - - for(;;) { - --curr; - nodes = curr->nodes; - for (i = sk_X509_POLICY_NODE_num(nodes) - 1; i >= 0; i--) - { - node = sk_X509_POLICY_NODE_value(nodes, i); - if (node->nchild == 0) - { - node->parent->nchild--; - OPENSSL_free(node); - (void)sk_X509_POLICY_NODE_delete(nodes, i); - } - } - if (curr->anyPolicy && !curr->anyPolicy->nchild) - { - if (curr->anyPolicy->parent) - curr->anyPolicy->parent->nchild--; - OPENSSL_free(curr->anyPolicy); - curr->anyPolicy = NULL; - } - if (curr == tree->levels) - { - /* If we zapped anyPolicy at top then tree is empty */ - if (!curr->anyPolicy) - return 2; - return 1; - } - } - - return 1; - - } - -static int tree_add_auth_node(STACK_OF(X509_POLICY_NODE) **pnodes, - X509_POLICY_NODE *pcy) - { - if (!*pnodes) - { - *pnodes = policy_node_cmp_new(); - if (!*pnodes) - return 0; - } - else if (sk_X509_POLICY_NODE_find(*pnodes, pcy) != -1) - return 1; - - if (!sk_X509_POLICY_NODE_push(*pnodes, pcy)) - return 0; - - return 1; - - } - -/* Calculate the authority set based on policy tree. - * The 'pnodes' parameter is used as a store for the set of policy nodes - * used to calculate the user set. If the authority set is not anyPolicy - * then pnodes will just point to the authority set. If however the authority - * set is anyPolicy then the set of valid policies (other than anyPolicy) - * is store in pnodes. The return value of '2' is used in this case to indicate - * that pnodes should be freed. - */ - -static int tree_calculate_authority_set(X509_POLICY_TREE *tree, - STACK_OF(X509_POLICY_NODE) **pnodes) - { - X509_POLICY_LEVEL *curr; - X509_POLICY_NODE *node, *anyptr; - STACK_OF(X509_POLICY_NODE) **addnodes; - int i, j; - curr = tree->levels + tree->nlevel - 1; - - /* If last level contains anyPolicy set is anyPolicy */ - if (curr->anyPolicy) - { - if (!tree_add_auth_node(&tree->auth_policies, curr->anyPolicy)) - return 0; - addnodes = pnodes; - } - else - /* Add policies to authority set */ - addnodes = &tree->auth_policies; - - curr = tree->levels; - for (i = 1; i < tree->nlevel; i++) - { - /* If no anyPolicy node on this this level it can't - * appear on lower levels so end search. - */ - if (!(anyptr = curr->anyPolicy)) - break; - curr++; - for (j = 0; j < sk_X509_POLICY_NODE_num(curr->nodes); j++) - { - node = sk_X509_POLICY_NODE_value(curr->nodes, j); - if ((node->parent == anyptr) - && !tree_add_auth_node(addnodes, node)) - return 0; - } - } - - if (addnodes == pnodes) - return 2; - - *pnodes = tree->auth_policies; - - return 1; - } - -static int tree_calculate_user_set(X509_POLICY_TREE *tree, - STACK_OF(ASN1_OBJECT) *policy_oids, - STACK_OF(X509_POLICY_NODE) *auth_nodes) - { - int i; - X509_POLICY_NODE *node; - ASN1_OBJECT *oid; - - X509_POLICY_NODE *anyPolicy; - X509_POLICY_DATA *extra; - - /* Check if anyPolicy present in authority constrained policy set: - * this will happen if it is a leaf node. - */ - - if (sk_ASN1_OBJECT_num(policy_oids) <= 0) - return 1; - - anyPolicy = tree->levels[tree->nlevel - 1].anyPolicy; - - for (i = 0; i < sk_ASN1_OBJECT_num(policy_oids); i++) - { - oid = sk_ASN1_OBJECT_value(policy_oids, i); - if (OBJ_obj2nid(oid) == NID_any_policy) - { - tree->flags |= POLICY_FLAG_ANY_POLICY; - return 1; - } - } - - for (i = 0; i < sk_ASN1_OBJECT_num(policy_oids); i++) - { - oid = sk_ASN1_OBJECT_value(policy_oids, i); - node = tree_find_sk(auth_nodes, oid); - if (!node) - { - if (!anyPolicy) - continue; - /* Create a new node with policy ID from user set - * and qualifiers from anyPolicy. - */ - extra = policy_data_new(NULL, oid, - node_critical(anyPolicy)); - if (!extra) - return 0; - extra->qualifier_set = anyPolicy->data->qualifier_set; - extra->flags = POLICY_DATA_FLAG_SHARED_QUALIFIERS - | POLICY_DATA_FLAG_EXTRA_NODE; - node = level_add_node(NULL, extra, anyPolicy->parent, - tree); - } - if (!tree->user_policies) - { - tree->user_policies = sk_X509_POLICY_NODE_new_null(); - if (!tree->user_policies) - return 1; - } - if (!sk_X509_POLICY_NODE_push(tree->user_policies, node)) - return 0; - } - return 1; - - } - -static int tree_evaluate(X509_POLICY_TREE *tree) - { - int ret, i; - X509_POLICY_LEVEL *curr = tree->levels + 1; - const X509_POLICY_CACHE *cache; - - for(i = 1; i < tree->nlevel; i++, curr++) - { - cache = policy_cache_set(curr->cert); - if (!tree_link_nodes(curr, cache)) - return 0; - - if (!(curr->flags & X509_V_FLAG_INHIBIT_ANY) - && !tree_link_any(curr, cache, tree)) - return 0; - tree_print("before tree_prune()", tree, curr); - ret = tree_prune(tree, curr); - if (ret != 1) - return ret; - } - - return 1; - - } - -static void exnode_free(X509_POLICY_NODE *node) - { - if (node->data && (node->data->flags & POLICY_DATA_FLAG_EXTRA_NODE)) - OPENSSL_free(node); - } - - -void X509_policy_tree_free(X509_POLICY_TREE *tree) - { - X509_POLICY_LEVEL *curr; - int i; - - if (!tree) - return; - - sk_X509_POLICY_NODE_free(tree->auth_policies); - sk_X509_POLICY_NODE_pop_free(tree->user_policies, exnode_free); - - for(i = 0, curr = tree->levels; i < tree->nlevel; i++, curr++) - { - if (curr->cert) - X509_free(curr->cert); - if (curr->nodes) - sk_X509_POLICY_NODE_pop_free(curr->nodes, - policy_node_free); - if (curr->anyPolicy) - policy_node_free(curr->anyPolicy); - } - - if (tree->extra_data) - sk_X509_POLICY_DATA_pop_free(tree->extra_data, - policy_data_free); - - OPENSSL_free(tree->levels); - OPENSSL_free(tree); - - } - -/* Application policy checking function. - * Return codes: - * 0 Internal Error. - * 1 Successful. - * -1 One or more certificates contain invalid or inconsistent extensions - * -2 User constrained policy set empty and requireExplicit true. - */ - -int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy, - STACK_OF(X509) *certs, - STACK_OF(ASN1_OBJECT) *policy_oids, - unsigned int flags) - { - int ret; - X509_POLICY_TREE *tree = NULL; - STACK_OF(X509_POLICY_NODE) *nodes, *auth_nodes = NULL; - *ptree = NULL; - - *pexplicit_policy = 0; - ret = tree_init(&tree, certs, flags); - - switch (ret) - { - - /* Tree empty requireExplicit False: OK */ - case 2: - return 1; - - /* Some internal error */ - case -1: - return -1; - - /* Some internal error */ - case 0: - return 0; - - /* Tree empty requireExplicit True: Error */ - - case 6: - *pexplicit_policy = 1; - return -2; - - /* Tree OK requireExplicit True: OK and continue */ - case 5: - *pexplicit_policy = 1; - break; - - /* Tree OK: continue */ - - case 1: - if (!tree) - /* - * tree_init() returns success and a null tree - * if it's just looking at a trust anchor. - * I'm not sure that returning success here is - * correct, but I'm sure that reporting this - * as an internal error which our caller - * interprets as a malloc failure is wrong. - */ - return 1; - break; - } - - if (!tree) goto error; - ret = tree_evaluate(tree); - - tree_print("tree_evaluate()", tree, NULL); - - if (ret <= 0) - goto error; - - /* Return value 2 means tree empty */ - if (ret == 2) - { - X509_policy_tree_free(tree); - if (*pexplicit_policy) - return -2; - else - return 1; - } - - /* Tree is not empty: continue */ - - ret = tree_calculate_authority_set(tree, &auth_nodes); - - if (!ret) - goto error; - - if (!tree_calculate_user_set(tree, policy_oids, auth_nodes)) - goto error; - - if (ret == 2) - sk_X509_POLICY_NODE_free(auth_nodes); - - if (tree) - *ptree = tree; - - if (*pexplicit_policy) - { - nodes = X509_policy_tree_get0_user_policies(tree); - if (sk_X509_POLICY_NODE_num(nodes) <= 0) - return -2; - } - - return 1; - - error: - - X509_policy_tree_free(tree); - - return 0; - - } - diff --git a/openssl/crypto/x509v3/tabtest.c b/openssl/crypto/x509v3/tabtest.c deleted file mode 100644 index 5ed6eb68..00000000 --- a/openssl/crypto/x509v3/tabtest.c +++ /dev/null @@ -1,88 +0,0 @@ -/* tabtest.c */ -/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL - * project 1999. - */ -/* ==================================================================== - * Copyright (c) 1999 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -/* Simple program to check the ext_dat.h is correct and print out - * problems if it is not. - */ - -#include <stdio.h> - -#include <openssl/x509v3.h> - -#include "ext_dat.h" - -main() -{ - int i, prev = -1, bad = 0; - X509V3_EXT_METHOD **tmp; - i = sizeof(standard_exts) / sizeof(X509V3_EXT_METHOD *); - if(i != STANDARD_EXTENSION_COUNT) - fprintf(stderr, "Extension number invalid expecting %d\n", i); - tmp = standard_exts; - for(i = 0; i < STANDARD_EXTENSION_COUNT; i++, tmp++) { - if((*tmp)->ext_nid < prev) bad = 1; - prev = (*tmp)->ext_nid; - - } - if(bad) { - tmp = standard_exts; - fprintf(stderr, "Extensions out of order!\n"); - for(i = 0; i < STANDARD_EXTENSION_COUNT; i++, tmp++) - printf("%d : %s\n", (*tmp)->ext_nid, OBJ_nid2sn((*tmp)->ext_nid)); - } else fprintf(stderr, "Order OK\n"); -} diff --git a/openssl/crypto/x509v3/v3_addr.c b/openssl/crypto/x509v3/v3_addr.c deleted file mode 100644 index 0d70e869..00000000 --- a/openssl/crypto/x509v3/v3_addr.c +++ /dev/null @@ -1,1293 +0,0 @@ -/* - * Contributed to the OpenSSL Project by the American Registry for - * Internet Numbers ("ARIN"). - */ -/* ==================================================================== - * Copyright (c) 2006 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - */ - -/* - * Implementation of RFC 3779 section 2.2. - */ - -#include <stdio.h> -#include <stdlib.h> - -#include "cryptlib.h" -#include <openssl/conf.h> -#include <openssl/asn1.h> -#include <openssl/asn1t.h> -#include <openssl/buffer.h> -#include <openssl/x509v3.h> - -#ifndef OPENSSL_NO_RFC3779 - -/* - * OpenSSL ASN.1 template translation of RFC 3779 2.2.3. - */ - -ASN1_SEQUENCE(IPAddressRange) = { - ASN1_SIMPLE(IPAddressRange, min, ASN1_BIT_STRING), - ASN1_SIMPLE(IPAddressRange, max, ASN1_BIT_STRING) -} ASN1_SEQUENCE_END(IPAddressRange) - -ASN1_CHOICE(IPAddressOrRange) = { - ASN1_SIMPLE(IPAddressOrRange, u.addressPrefix, ASN1_BIT_STRING), - ASN1_SIMPLE(IPAddressOrRange, u.addressRange, IPAddressRange) -} ASN1_CHOICE_END(IPAddressOrRange) - -ASN1_CHOICE(IPAddressChoice) = { - ASN1_SIMPLE(IPAddressChoice, u.inherit, ASN1_NULL), - ASN1_SEQUENCE_OF(IPAddressChoice, u.addressesOrRanges, IPAddressOrRange) -} ASN1_CHOICE_END(IPAddressChoice) - -ASN1_SEQUENCE(IPAddressFamily) = { - ASN1_SIMPLE(IPAddressFamily, addressFamily, ASN1_OCTET_STRING), - ASN1_SIMPLE(IPAddressFamily, ipAddressChoice, IPAddressChoice) -} ASN1_SEQUENCE_END(IPAddressFamily) - -ASN1_ITEM_TEMPLATE(IPAddrBlocks) = - ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, - IPAddrBlocks, IPAddressFamily) -ASN1_ITEM_TEMPLATE_END(IPAddrBlocks) - -IMPLEMENT_ASN1_FUNCTIONS(IPAddressRange) -IMPLEMENT_ASN1_FUNCTIONS(IPAddressOrRange) -IMPLEMENT_ASN1_FUNCTIONS(IPAddressChoice) -IMPLEMENT_ASN1_FUNCTIONS(IPAddressFamily) - -/* - * How much buffer space do we need for a raw address? - */ -#define ADDR_RAW_BUF_LEN 16 - -/* - * What's the address length associated with this AFI? - */ -static int length_from_afi(const unsigned afi) -{ - switch (afi) { - case IANA_AFI_IPV4: - return 4; - case IANA_AFI_IPV6: - return 16; - default: - return 0; - } -} - -/* - * Extract the AFI from an IPAddressFamily. - */ -unsigned int v3_addr_get_afi(const IPAddressFamily *f) -{ - return ((f != NULL && - f->addressFamily != NULL && - f->addressFamily->data != NULL) - ? ((f->addressFamily->data[0] << 8) | - (f->addressFamily->data[1])) - : 0); -} - -/* - * Expand the bitstring form of an address into a raw byte array. - * At the moment this is coded for simplicity, not speed. - */ -static void addr_expand(unsigned char *addr, - const ASN1_BIT_STRING *bs, - const int length, - const unsigned char fill) -{ - OPENSSL_assert(bs->length >= 0 && bs->length <= length); - if (bs->length > 0) { - memcpy(addr, bs->data, bs->length); - if ((bs->flags & 7) != 0) { - unsigned char mask = 0xFF >> (8 - (bs->flags & 7)); - if (fill == 0) - addr[bs->length - 1] &= ~mask; - else - addr[bs->length - 1] |= mask; - } - } - memset(addr + bs->length, fill, length - bs->length); -} - -/* - * Extract the prefix length from a bitstring. - */ -#define addr_prefixlen(bs) ((int) ((bs)->length * 8 - ((bs)->flags & 7))) - -/* - * i2r handler for one address bitstring. - */ -static int i2r_address(BIO *out, - const unsigned afi, - const unsigned char fill, - const ASN1_BIT_STRING *bs) -{ - unsigned char addr[ADDR_RAW_BUF_LEN]; - int i, n; - - if (bs->length < 0) - return 0; - switch (afi) { - case IANA_AFI_IPV4: - if (bs->length > 4) - return 0; - addr_expand(addr, bs, 4, fill); - BIO_printf(out, "%d.%d.%d.%d", addr[0], addr[1], addr[2], addr[3]); - break; - case IANA_AFI_IPV6: - if (bs->length > 16) - return 0; - addr_expand(addr, bs, 16, fill); - for (n = 16; n > 1 && addr[n-1] == 0x00 && addr[n-2] == 0x00; n -= 2) - ; - for (i = 0; i < n; i += 2) - BIO_printf(out, "%x%s", (addr[i] << 8) | addr[i+1], (i < 14 ? ":" : "")); - if (i < 16) - BIO_puts(out, ":"); - if (i == 0) - BIO_puts(out, ":"); - break; - default: - for (i = 0; i < bs->length; i++) - BIO_printf(out, "%s%02x", (i > 0 ? ":" : ""), bs->data[i]); - BIO_printf(out, "[%d]", (int) (bs->flags & 7)); - break; - } - return 1; -} - -/* - * i2r handler for a sequence of addresses and ranges. - */ -static int i2r_IPAddressOrRanges(BIO *out, - const int indent, - const IPAddressOrRanges *aors, - const unsigned afi) -{ - int i; - for (i = 0; i < sk_IPAddressOrRange_num(aors); i++) { - const IPAddressOrRange *aor = sk_IPAddressOrRange_value(aors, i); - BIO_printf(out, "%*s", indent, ""); - switch (aor->type) { - case IPAddressOrRange_addressPrefix: - if (!i2r_address(out, afi, 0x00, aor->u.addressPrefix)) - return 0; - BIO_printf(out, "/%d\n", addr_prefixlen(aor->u.addressPrefix)); - continue; - case IPAddressOrRange_addressRange: - if (!i2r_address(out, afi, 0x00, aor->u.addressRange->min)) - return 0; - BIO_puts(out, "-"); - if (!i2r_address(out, afi, 0xFF, aor->u.addressRange->max)) - return 0; - BIO_puts(out, "\n"); - continue; - } - } - return 1; -} - -/* - * i2r handler for an IPAddrBlocks extension. - */ -static int i2r_IPAddrBlocks(const X509V3_EXT_METHOD *method, - void *ext, - BIO *out, - int indent) -{ - const IPAddrBlocks *addr = ext; - int i; - for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { - IPAddressFamily *f = sk_IPAddressFamily_value(addr, i); - const unsigned int afi = v3_addr_get_afi(f); - switch (afi) { - case IANA_AFI_IPV4: - BIO_printf(out, "%*sIPv4", indent, ""); - break; - case IANA_AFI_IPV6: - BIO_printf(out, "%*sIPv6", indent, ""); - break; - default: - BIO_printf(out, "%*sUnknown AFI %u", indent, "", afi); - break; - } - if (f->addressFamily->length > 2) { - switch (f->addressFamily->data[2]) { - case 1: - BIO_puts(out, " (Unicast)"); - break; - case 2: - BIO_puts(out, " (Multicast)"); - break; - case 3: - BIO_puts(out, " (Unicast/Multicast)"); - break; - case 4: - BIO_puts(out, " (MPLS)"); - break; - case 64: - BIO_puts(out, " (Tunnel)"); - break; - case 65: - BIO_puts(out, " (VPLS)"); - break; - case 66: - BIO_puts(out, " (BGP MDT)"); - break; - case 128: - BIO_puts(out, " (MPLS-labeled VPN)"); - break; - default: - BIO_printf(out, " (Unknown SAFI %u)", - (unsigned) f->addressFamily->data[2]); - break; - } - } - switch (f->ipAddressChoice->type) { - case IPAddressChoice_inherit: - BIO_puts(out, ": inherit\n"); - break; - case IPAddressChoice_addressesOrRanges: - BIO_puts(out, ":\n"); - if (!i2r_IPAddressOrRanges(out, - indent + 2, - f->ipAddressChoice->u.addressesOrRanges, - afi)) - return 0; - break; - } - } - return 1; -} - -/* - * Sort comparison function for a sequence of IPAddressOrRange - * elements. - */ -static int IPAddressOrRange_cmp(const IPAddressOrRange *a, - const IPAddressOrRange *b, - const int length) -{ - unsigned char addr_a[ADDR_RAW_BUF_LEN], addr_b[ADDR_RAW_BUF_LEN]; - int prefixlen_a = 0, prefixlen_b = 0; - int r; - - switch (a->type) { - case IPAddressOrRange_addressPrefix: - addr_expand(addr_a, a->u.addressPrefix, length, 0x00); - prefixlen_a = addr_prefixlen(a->u.addressPrefix); - break; - case IPAddressOrRange_addressRange: - addr_expand(addr_a, a->u.addressRange->min, length, 0x00); - prefixlen_a = length * 8; - break; - } - - switch (b->type) { - case IPAddressOrRange_addressPrefix: - addr_expand(addr_b, b->u.addressPrefix, length, 0x00); - prefixlen_b = addr_prefixlen(b->u.addressPrefix); - break; - case IPAddressOrRange_addressRange: - addr_expand(addr_b, b->u.addressRange->min, length, 0x00); - prefixlen_b = length * 8; - break; - } - - if ((r = memcmp(addr_a, addr_b, length)) != 0) - return r; - else - return prefixlen_a - prefixlen_b; -} - -/* - * IPv4-specific closure over IPAddressOrRange_cmp, since sk_sort() - * comparision routines are only allowed two arguments. - */ -static int v4IPAddressOrRange_cmp(const IPAddressOrRange * const *a, - const IPAddressOrRange * const *b) -{ - return IPAddressOrRange_cmp(*a, *b, 4); -} - -/* - * IPv6-specific closure over IPAddressOrRange_cmp, since sk_sort() - * comparision routines are only allowed two arguments. - */ -static int v6IPAddressOrRange_cmp(const IPAddressOrRange * const *a, - const IPAddressOrRange * const *b) -{ - return IPAddressOrRange_cmp(*a, *b, 16); -} - -/* - * Calculate whether a range collapses to a prefix. - * See last paragraph of RFC 3779 2.2.3.7. - */ -static int range_should_be_prefix(const unsigned char *min, - const unsigned char *max, - const int length) -{ - unsigned char mask; - int i, j; - - for (i = 0; i < length && min[i] == max[i]; i++) - ; - for (j = length - 1; j >= 0 && min[j] == 0x00 && max[j] == 0xFF; j--) - ; - if (i < j) - return -1; - if (i > j) - return i * 8; - mask = min[i] ^ max[i]; - switch (mask) { - case 0x01: j = 7; break; - case 0x03: j = 6; break; - case 0x07: j = 5; break; - case 0x0F: j = 4; break; - case 0x1F: j = 3; break; - case 0x3F: j = 2; break; - case 0x7F: j = 1; break; - default: return -1; - } - if ((min[i] & mask) != 0 || (max[i] & mask) != mask) - return -1; - else - return i * 8 + j; -} - -/* - * Construct a prefix. - */ -static int make_addressPrefix(IPAddressOrRange **result, - unsigned char *addr, - const int prefixlen) -{ - int bytelen = (prefixlen + 7) / 8, bitlen = prefixlen % 8; - IPAddressOrRange *aor = IPAddressOrRange_new(); - - if (aor == NULL) - return 0; - aor->type = IPAddressOrRange_addressPrefix; - if (aor->u.addressPrefix == NULL && - (aor->u.addressPrefix = ASN1_BIT_STRING_new()) == NULL) - goto err; - if (!ASN1_BIT_STRING_set(aor->u.addressPrefix, addr, bytelen)) - goto err; - aor->u.addressPrefix->flags &= ~7; - aor->u.addressPrefix->flags |= ASN1_STRING_FLAG_BITS_LEFT; - if (bitlen > 0) { - aor->u.addressPrefix->data[bytelen - 1] &= ~(0xFF >> bitlen); - aor->u.addressPrefix->flags |= 8 - bitlen; - } - - *result = aor; - return 1; - - err: - IPAddressOrRange_free(aor); - return 0; -} - -/* - * Construct a range. If it can be expressed as a prefix, - * return a prefix instead. Doing this here simplifies - * the rest of the code considerably. - */ -static int make_addressRange(IPAddressOrRange **result, - unsigned char *min, - unsigned char *max, - const int length) -{ - IPAddressOrRange *aor; - int i, prefixlen; - - if ((prefixlen = range_should_be_prefix(min, max, length)) >= 0) - return make_addressPrefix(result, min, prefixlen); - - if ((aor = IPAddressOrRange_new()) == NULL) - return 0; - aor->type = IPAddressOrRange_addressRange; - OPENSSL_assert(aor->u.addressRange == NULL); - if ((aor->u.addressRange = IPAddressRange_new()) == NULL) - goto err; - if (aor->u.addressRange->min == NULL && - (aor->u.addressRange->min = ASN1_BIT_STRING_new()) == NULL) - goto err; - if (aor->u.addressRange->max == NULL && - (aor->u.addressRange->max = ASN1_BIT_STRING_new()) == NULL) - goto err; - - for (i = length; i > 0 && min[i - 1] == 0x00; --i) - ; - if (!ASN1_BIT_STRING_set(aor->u.addressRange->min, min, i)) - goto err; - aor->u.addressRange->min->flags &= ~7; - aor->u.addressRange->min->flags |= ASN1_STRING_FLAG_BITS_LEFT; - if (i > 0) { - unsigned char b = min[i - 1]; - int j = 1; - while ((b & (0xFFU >> j)) != 0) - ++j; - aor->u.addressRange->min->flags |= 8 - j; - } - - for (i = length; i > 0 && max[i - 1] == 0xFF; --i) - ; - if (!ASN1_BIT_STRING_set(aor->u.addressRange->max, max, i)) - goto err; - aor->u.addressRange->max->flags &= ~7; - aor->u.addressRange->max->flags |= ASN1_STRING_FLAG_BITS_LEFT; - if (i > 0) { - unsigned char b = max[i - 1]; - int j = 1; - while ((b & (0xFFU >> j)) != (0xFFU >> j)) - ++j; - aor->u.addressRange->max->flags |= 8 - j; - } - - *result = aor; - return 1; - - err: - IPAddressOrRange_free(aor); - return 0; -} - -/* - * Construct a new address family or find an existing one. - */ -static IPAddressFamily *make_IPAddressFamily(IPAddrBlocks *addr, - const unsigned afi, - const unsigned *safi) -{ - IPAddressFamily *f; - unsigned char key[3]; - unsigned keylen; - int i; - - key[0] = (afi >> 8) & 0xFF; - key[1] = afi & 0xFF; - if (safi != NULL) { - key[2] = *safi & 0xFF; - keylen = 3; - } else { - keylen = 2; - } - - for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { - f = sk_IPAddressFamily_value(addr, i); - OPENSSL_assert(f->addressFamily->data != NULL); - if (f->addressFamily->length == keylen && - !memcmp(f->addressFamily->data, key, keylen)) - return f; - } - - if ((f = IPAddressFamily_new()) == NULL) - goto err; - if (f->ipAddressChoice == NULL && - (f->ipAddressChoice = IPAddressChoice_new()) == NULL) - goto err; - if (f->addressFamily == NULL && - (f->addressFamily = ASN1_OCTET_STRING_new()) == NULL) - goto err; - if (!ASN1_OCTET_STRING_set(f->addressFamily, key, keylen)) - goto err; - if (!sk_IPAddressFamily_push(addr, f)) - goto err; - - return f; - - err: - IPAddressFamily_free(f); - return NULL; -} - -/* - * Add an inheritance element. - */ -int v3_addr_add_inherit(IPAddrBlocks *addr, - const unsigned afi, - const unsigned *safi) -{ - IPAddressFamily *f = make_IPAddressFamily(addr, afi, safi); - if (f == NULL || - f->ipAddressChoice == NULL || - (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges && - f->ipAddressChoice->u.addressesOrRanges != NULL)) - return 0; - if (f->ipAddressChoice->type == IPAddressChoice_inherit && - f->ipAddressChoice->u.inherit != NULL) - return 1; - if (f->ipAddressChoice->u.inherit == NULL && - (f->ipAddressChoice->u.inherit = ASN1_NULL_new()) == NULL) - return 0; - f->ipAddressChoice->type = IPAddressChoice_inherit; - return 1; -} - -/* - * Construct an IPAddressOrRange sequence, or return an existing one. - */ -static IPAddressOrRanges *make_prefix_or_range(IPAddrBlocks *addr, - const unsigned afi, - const unsigned *safi) -{ - IPAddressFamily *f = make_IPAddressFamily(addr, afi, safi); - IPAddressOrRanges *aors = NULL; - - if (f == NULL || - f->ipAddressChoice == NULL || - (f->ipAddressChoice->type == IPAddressChoice_inherit && - f->ipAddressChoice->u.inherit != NULL)) - return NULL; - if (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges) - aors = f->ipAddressChoice->u.addressesOrRanges; - if (aors != NULL) - return aors; - if ((aors = sk_IPAddressOrRange_new_null()) == NULL) - return NULL; - switch (afi) { - case IANA_AFI_IPV4: - sk_IPAddressOrRange_set_cmp_func(aors, v4IPAddressOrRange_cmp); - break; - case IANA_AFI_IPV6: - sk_IPAddressOrRange_set_cmp_func(aors, v6IPAddressOrRange_cmp); - break; - } - f->ipAddressChoice->type = IPAddressChoice_addressesOrRanges; - f->ipAddressChoice->u.addressesOrRanges = aors; - return aors; -} - -/* - * Add a prefix. - */ -int v3_addr_add_prefix(IPAddrBlocks *addr, - const unsigned afi, - const unsigned *safi, - unsigned char *a, - const int prefixlen) -{ - IPAddressOrRanges *aors = make_prefix_or_range(addr, afi, safi); - IPAddressOrRange *aor; - if (aors == NULL || !make_addressPrefix(&aor, a, prefixlen)) - return 0; - if (sk_IPAddressOrRange_push(aors, aor)) - return 1; - IPAddressOrRange_free(aor); - return 0; -} - -/* - * Add a range. - */ -int v3_addr_add_range(IPAddrBlocks *addr, - const unsigned afi, - const unsigned *safi, - unsigned char *min, - unsigned char *max) -{ - IPAddressOrRanges *aors = make_prefix_or_range(addr, afi, safi); - IPAddressOrRange *aor; - int length = length_from_afi(afi); - if (aors == NULL) - return 0; - if (!make_addressRange(&aor, min, max, length)) - return 0; - if (sk_IPAddressOrRange_push(aors, aor)) - return 1; - IPAddressOrRange_free(aor); - return 0; -} - -/* - * Extract min and max values from an IPAddressOrRange. - */ -static void extract_min_max(IPAddressOrRange *aor, - unsigned char *min, - unsigned char *max, - int length) -{ - OPENSSL_assert(aor != NULL && min != NULL && max != NULL); - switch (aor->type) { - case IPAddressOrRange_addressPrefix: - addr_expand(min, aor->u.addressPrefix, length, 0x00); - addr_expand(max, aor->u.addressPrefix, length, 0xFF); - return; - case IPAddressOrRange_addressRange: - addr_expand(min, aor->u.addressRange->min, length, 0x00); - addr_expand(max, aor->u.addressRange->max, length, 0xFF); - return; - } -} - -/* - * Public wrapper for extract_min_max(). - */ -int v3_addr_get_range(IPAddressOrRange *aor, - const unsigned afi, - unsigned char *min, - unsigned char *max, - const int length) -{ - int afi_length = length_from_afi(afi); - if (aor == NULL || min == NULL || max == NULL || - afi_length == 0 || length < afi_length || - (aor->type != IPAddressOrRange_addressPrefix && - aor->type != IPAddressOrRange_addressRange)) - return 0; - extract_min_max(aor, min, max, afi_length); - return afi_length; -} - -/* - * Sort comparision function for a sequence of IPAddressFamily. - * - * The last paragraph of RFC 3779 2.2.3.3 is slightly ambiguous about - * the ordering: I can read it as meaning that IPv6 without a SAFI - * comes before IPv4 with a SAFI, which seems pretty weird. The - * examples in appendix B suggest that the author intended the - * null-SAFI rule to apply only within a single AFI, which is what I - * would have expected and is what the following code implements. - */ -static int IPAddressFamily_cmp(const IPAddressFamily * const *a_, - const IPAddressFamily * const *b_) -{ - const ASN1_OCTET_STRING *a = (*a_)->addressFamily; - const ASN1_OCTET_STRING *b = (*b_)->addressFamily; - int len = ((a->length <= b->length) ? a->length : b->length); - int cmp = memcmp(a->data, b->data, len); - return cmp ? cmp : a->length - b->length; -} - -/* - * Check whether an IPAddrBLocks is in canonical form. - */ -int v3_addr_is_canonical(IPAddrBlocks *addr) -{ - unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN]; - unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN]; - IPAddressOrRanges *aors; - int i, j, k; - - /* - * Empty extension is cannonical. - */ - if (addr == NULL) - return 1; - - /* - * Check whether the top-level list is in order. - */ - for (i = 0; i < sk_IPAddressFamily_num(addr) - 1; i++) { - const IPAddressFamily *a = sk_IPAddressFamily_value(addr, i); - const IPAddressFamily *b = sk_IPAddressFamily_value(addr, i + 1); - if (IPAddressFamily_cmp(&a, &b) >= 0) - return 0; - } - - /* - * Top level's ok, now check each address family. - */ - for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { - IPAddressFamily *f = sk_IPAddressFamily_value(addr, i); - int length = length_from_afi(v3_addr_get_afi(f)); - - /* - * Inheritance is canonical. Anything other than inheritance or - * a SEQUENCE OF IPAddressOrRange is an ASN.1 error or something. - */ - if (f == NULL || f->ipAddressChoice == NULL) - return 0; - switch (f->ipAddressChoice->type) { - case IPAddressChoice_inherit: - continue; - case IPAddressChoice_addressesOrRanges: - break; - default: - return 0; - } - - /* - * It's an IPAddressOrRanges sequence, check it. - */ - aors = f->ipAddressChoice->u.addressesOrRanges; - if (sk_IPAddressOrRange_num(aors) == 0) - return 0; - for (j = 0; j < sk_IPAddressOrRange_num(aors) - 1; j++) { - IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j); - IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, j + 1); - - extract_min_max(a, a_min, a_max, length); - extract_min_max(b, b_min, b_max, length); - - /* - * Punt misordered list, overlapping start, or inverted range. - */ - if (memcmp(a_min, b_min, length) >= 0 || - memcmp(a_min, a_max, length) > 0 || - memcmp(b_min, b_max, length) > 0) - return 0; - - /* - * Punt if adjacent or overlapping. Check for adjacency by - * subtracting one from b_min first. - */ - for (k = length - 1; k >= 0 && b_min[k]-- == 0x00; k--) - ; - if (memcmp(a_max, b_min, length) >= 0) - return 0; - - /* - * Check for range that should be expressed as a prefix. - */ - if (a->type == IPAddressOrRange_addressRange && - range_should_be_prefix(a_min, a_max, length) >= 0) - return 0; - } - - /* - * Check final range to see if it should be a prefix. - */ - j = sk_IPAddressOrRange_num(aors) - 1; - { - IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j); - if (a->type == IPAddressOrRange_addressRange) { - extract_min_max(a, a_min, a_max, length); - if (range_should_be_prefix(a_min, a_max, length) >= 0) - return 0; - } - } - } - - /* - * If we made it through all that, we're happy. - */ - return 1; -} - -/* - * Whack an IPAddressOrRanges into canonical form. - */ -static int IPAddressOrRanges_canonize(IPAddressOrRanges *aors, - const unsigned afi) -{ - int i, j, length = length_from_afi(afi); - - /* - * Sort the IPAddressOrRanges sequence. - */ - sk_IPAddressOrRange_sort(aors); - - /* - * Clean up representation issues, punt on duplicates or overlaps. - */ - for (i = 0; i < sk_IPAddressOrRange_num(aors) - 1; i++) { - IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, i); - IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, i + 1); - unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN]; - unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN]; - - extract_min_max(a, a_min, a_max, length); - extract_min_max(b, b_min, b_max, length); - - /* - * Punt overlaps. - */ - if (memcmp(a_max, b_min, length) >= 0) - return 0; - - /* - * Merge if a and b are adjacent. We check for - * adjacency by subtracting one from b_min first. - */ - for (j = length - 1; j >= 0 && b_min[j]-- == 0x00; j--) - ; - if (memcmp(a_max, b_min, length) == 0) { - IPAddressOrRange *merged; - if (!make_addressRange(&merged, a_min, b_max, length)) - return 0; - sk_IPAddressOrRange_set(aors, i, merged); - sk_IPAddressOrRange_delete(aors, i + 1); - IPAddressOrRange_free(a); - IPAddressOrRange_free(b); - --i; - continue; - } - } - - return 1; -} - -/* - * Whack an IPAddrBlocks extension into canonical form. - */ -int v3_addr_canonize(IPAddrBlocks *addr) -{ - int i; - for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { - IPAddressFamily *f = sk_IPAddressFamily_value(addr, i); - if (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges && - !IPAddressOrRanges_canonize(f->ipAddressChoice->u.addressesOrRanges, - v3_addr_get_afi(f))) - return 0; - } - sk_IPAddressFamily_set_cmp_func(addr, IPAddressFamily_cmp); - sk_IPAddressFamily_sort(addr); - OPENSSL_assert(v3_addr_is_canonical(addr)); - return 1; -} - -/* - * v2i handler for the IPAddrBlocks extension. - */ -static void *v2i_IPAddrBlocks(const struct v3_ext_method *method, - struct v3_ext_ctx *ctx, - STACK_OF(CONF_VALUE) *values) -{ - static const char v4addr_chars[] = "0123456789."; - static const char v6addr_chars[] = "0123456789.:abcdefABCDEF"; - IPAddrBlocks *addr = NULL; - char *s = NULL, *t; - int i; - - if ((addr = sk_IPAddressFamily_new(IPAddressFamily_cmp)) == NULL) { - X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE); - return NULL; - } - - for (i = 0; i < sk_CONF_VALUE_num(values); i++) { - CONF_VALUE *val = sk_CONF_VALUE_value(values, i); - unsigned char min[ADDR_RAW_BUF_LEN], max[ADDR_RAW_BUF_LEN]; - unsigned afi, *safi = NULL, safi_; - const char *addr_chars; - int prefixlen, i1, i2, delim, length; - - if ( !name_cmp(val->name, "IPv4")) { - afi = IANA_AFI_IPV4; - } else if (!name_cmp(val->name, "IPv6")) { - afi = IANA_AFI_IPV6; - } else if (!name_cmp(val->name, "IPv4-SAFI")) { - afi = IANA_AFI_IPV4; - safi = &safi_; - } else if (!name_cmp(val->name, "IPv6-SAFI")) { - afi = IANA_AFI_IPV6; - safi = &safi_; - } else { - X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_EXTENSION_NAME_ERROR); - X509V3_conf_err(val); - goto err; - } - - switch (afi) { - case IANA_AFI_IPV4: - addr_chars = v4addr_chars; - break; - case IANA_AFI_IPV6: - addr_chars = v6addr_chars; - break; - } - - length = length_from_afi(afi); - - /* - * Handle SAFI, if any, and BUF_strdup() so we can null-terminate - * the other input values. - */ - if (safi != NULL) { - *safi = strtoul(val->value, &t, 0); - t += strspn(t, " \t"); - if (*safi > 0xFF || *t++ != ':') { - X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_INVALID_SAFI); - X509V3_conf_err(val); - goto err; - } - t += strspn(t, " \t"); - s = BUF_strdup(t); - } else { - s = BUF_strdup(val->value); - } - if (s == NULL) { - X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE); - goto err; - } - - /* - * Check for inheritance. Not worth additional complexity to - * optimize this (seldom-used) case. - */ - if (!strcmp(s, "inherit")) { - if (!v3_addr_add_inherit(addr, afi, safi)) { - X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_INVALID_INHERITANCE); - X509V3_conf_err(val); - goto err; - } - OPENSSL_free(s); - s = NULL; - continue; - } - - i1 = strspn(s, addr_chars); - i2 = i1 + strspn(s + i1, " \t"); - delim = s[i2++]; - s[i1] = '\0'; - - if (a2i_ipadd(min, s) != length) { - X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_INVALID_IPADDRESS); - X509V3_conf_err(val); - goto err; - } - - switch (delim) { - case '/': - prefixlen = (int) strtoul(s + i2, &t, 10); - if (t == s + i2 || *t != '\0') { - X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_EXTENSION_VALUE_ERROR); - X509V3_conf_err(val); - goto err; - } - if (!v3_addr_add_prefix(addr, afi, safi, min, prefixlen)) { - X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE); - goto err; - } - break; - case '-': - i1 = i2 + strspn(s + i2, " \t"); - i2 = i1 + strspn(s + i1, addr_chars); - if (i1 == i2 || s[i2] != '\0') { - X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_EXTENSION_VALUE_ERROR); - X509V3_conf_err(val); - goto err; - } - if (a2i_ipadd(max, s + i1) != length) { - X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_INVALID_IPADDRESS); - X509V3_conf_err(val); - goto err; - } - if (!v3_addr_add_range(addr, afi, safi, min, max)) { - X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE); - goto err; - } - break; - case '\0': - if (!v3_addr_add_prefix(addr, afi, safi, min, length * 8)) { - X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE); - goto err; - } - break; - default: - X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_EXTENSION_VALUE_ERROR); - X509V3_conf_err(val); - goto err; - } - - OPENSSL_free(s); - s = NULL; - } - - /* - * Canonize the result, then we're done. - */ - if (!v3_addr_canonize(addr)) - goto err; - return addr; - - err: - OPENSSL_free(s); - sk_IPAddressFamily_pop_free(addr, IPAddressFamily_free); - return NULL; -} - -/* - * OpenSSL dispatch - */ -const X509V3_EXT_METHOD v3_addr = { - NID_sbgp_ipAddrBlock, /* nid */ - 0, /* flags */ - ASN1_ITEM_ref(IPAddrBlocks), /* template */ - 0, 0, 0, 0, /* old functions, ignored */ - 0, /* i2s */ - 0, /* s2i */ - 0, /* i2v */ - v2i_IPAddrBlocks, /* v2i */ - i2r_IPAddrBlocks, /* i2r */ - 0, /* r2i */ - NULL /* extension-specific data */ -}; - -/* - * Figure out whether extension sues inheritance. - */ -int v3_addr_inherits(IPAddrBlocks *addr) -{ - int i; - if (addr == NULL) - return 0; - for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { - IPAddressFamily *f = sk_IPAddressFamily_value(addr, i); - if (f->ipAddressChoice->type == IPAddressChoice_inherit) - return 1; - } - return 0; -} - -/* - * Figure out whether parent contains child. - */ -static int addr_contains(IPAddressOrRanges *parent, - IPAddressOrRanges *child, - int length) -{ - unsigned char p_min[ADDR_RAW_BUF_LEN], p_max[ADDR_RAW_BUF_LEN]; - unsigned char c_min[ADDR_RAW_BUF_LEN], c_max[ADDR_RAW_BUF_LEN]; - int p, c; - - if (child == NULL || parent == child) - return 1; - if (parent == NULL) - return 0; - - p = 0; - for (c = 0; c < sk_IPAddressOrRange_num(child); c++) { - extract_min_max(sk_IPAddressOrRange_value(child, c), - c_min, c_max, length); - for (;; p++) { - if (p >= sk_IPAddressOrRange_num(parent)) - return 0; - extract_min_max(sk_IPAddressOrRange_value(parent, p), - p_min, p_max, length); - if (memcmp(p_max, c_max, length) < 0) - continue; - if (memcmp(p_min, c_min, length) > 0) - return 0; - break; - } - } - - return 1; -} - -/* - * Test whether a is a subset of b. - */ -int v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b) -{ - int i; - if (a == NULL || a == b) - return 1; - if (b == NULL || v3_addr_inherits(a) || v3_addr_inherits(b)) - return 0; - sk_IPAddressFamily_set_cmp_func(b, IPAddressFamily_cmp); - for (i = 0; i < sk_IPAddressFamily_num(a); i++) { - IPAddressFamily *fa = sk_IPAddressFamily_value(a, i); - int j = sk_IPAddressFamily_find(b, fa); - IPAddressFamily *fb; - fb = sk_IPAddressFamily_value(b, j); - if (fb == NULL) - return 0; - if (!addr_contains(fb->ipAddressChoice->u.addressesOrRanges, - fa->ipAddressChoice->u.addressesOrRanges, - length_from_afi(v3_addr_get_afi(fb)))) - return 0; - } - return 1; -} - -/* - * Validation error handling via callback. - */ -#define validation_err(_err_) \ - do { \ - if (ctx != NULL) { \ - ctx->error = _err_; \ - ctx->error_depth = i; \ - ctx->current_cert = x; \ - ret = ctx->verify_cb(0, ctx); \ - } else { \ - ret = 0; \ - } \ - if (!ret) \ - goto done; \ - } while (0) - -/* - * Core code for RFC 3779 2.3 path validation. - */ -static int v3_addr_validate_path_internal(X509_STORE_CTX *ctx, - STACK_OF(X509) *chain, - IPAddrBlocks *ext) -{ - IPAddrBlocks *child = NULL; - int i, j, ret = 1; - X509 *x; - - OPENSSL_assert(chain != NULL && sk_X509_num(chain) > 0); - OPENSSL_assert(ctx != NULL || ext != NULL); - OPENSSL_assert(ctx == NULL || ctx->verify_cb != NULL); - - /* - * Figure out where to start. If we don't have an extension to - * check, we're done. Otherwise, check canonical form and - * set up for walking up the chain. - */ - if (ext != NULL) { - i = -1; - x = NULL; - } else { - i = 0; - x = sk_X509_value(chain, i); - OPENSSL_assert(x != NULL); - if ((ext = x->rfc3779_addr) == NULL) - goto done; - } - if (!v3_addr_is_canonical(ext)) - validation_err(X509_V_ERR_INVALID_EXTENSION); - sk_IPAddressFamily_set_cmp_func(ext, IPAddressFamily_cmp); - if ((child = sk_IPAddressFamily_dup(ext)) == NULL) { - X509V3err(X509V3_F_V3_ADDR_VALIDATE_PATH_INTERNAL, ERR_R_MALLOC_FAILURE); - ret = 0; - goto done; - } - - /* - * Now walk up the chain. No cert may list resources that its - * parent doesn't list. - */ - for (i++; i < sk_X509_num(chain); i++) { - x = sk_X509_value(chain, i); - OPENSSL_assert(x != NULL); - if (!v3_addr_is_canonical(x->rfc3779_addr)) - validation_err(X509_V_ERR_INVALID_EXTENSION); - if (x->rfc3779_addr == NULL) { - for (j = 0; j < sk_IPAddressFamily_num(child); j++) { - IPAddressFamily *fc = sk_IPAddressFamily_value(child, j); - if (fc->ipAddressChoice->type != IPAddressChoice_inherit) { - validation_err(X509_V_ERR_UNNESTED_RESOURCE); - break; - } - } - continue; - } - sk_IPAddressFamily_set_cmp_func(x->rfc3779_addr, IPAddressFamily_cmp); - for (j = 0; j < sk_IPAddressFamily_num(child); j++) { - IPAddressFamily *fc = sk_IPAddressFamily_value(child, j); - int k = sk_IPAddressFamily_find(x->rfc3779_addr, fc); - IPAddressFamily *fp = sk_IPAddressFamily_value(x->rfc3779_addr, k); - if (fp == NULL) { - if (fc->ipAddressChoice->type == IPAddressChoice_addressesOrRanges) { - validation_err(X509_V_ERR_UNNESTED_RESOURCE); - break; - } - continue; - } - if (fp->ipAddressChoice->type == IPAddressChoice_addressesOrRanges) { - if (fc->ipAddressChoice->type == IPAddressChoice_inherit || - addr_contains(fp->ipAddressChoice->u.addressesOrRanges, - fc->ipAddressChoice->u.addressesOrRanges, - length_from_afi(v3_addr_get_afi(fc)))) - sk_IPAddressFamily_set(child, j, fp); - else - validation_err(X509_V_ERR_UNNESTED_RESOURCE); - } - } - } - - /* - * Trust anchor can't inherit. - */ - OPENSSL_assert(x != NULL); - if (x->rfc3779_addr != NULL) { - for (j = 0; j < sk_IPAddressFamily_num(x->rfc3779_addr); j++) { - IPAddressFamily *fp = sk_IPAddressFamily_value(x->rfc3779_addr, j); - if (fp->ipAddressChoice->type == IPAddressChoice_inherit && - sk_IPAddressFamily_find(child, fp) >= 0) - validation_err(X509_V_ERR_UNNESTED_RESOURCE); - } - } - - done: - sk_IPAddressFamily_free(child); - return ret; -} - -#undef validation_err - -/* - * RFC 3779 2.3 path validation -- called from X509_verify_cert(). - */ -int v3_addr_validate_path(X509_STORE_CTX *ctx) -{ - return v3_addr_validate_path_internal(ctx, ctx->chain, NULL); -} - -/* - * RFC 3779 2.3 path validation of an extension. - * Test whether chain covers extension. - */ -int v3_addr_validate_resource_set(STACK_OF(X509) *chain, - IPAddrBlocks *ext, - int allow_inheritance) -{ - if (ext == NULL) - return 1; - if (chain == NULL || sk_X509_num(chain) == 0) - return 0; - if (!allow_inheritance && v3_addr_inherits(ext)) - return 0; - return v3_addr_validate_path_internal(NULL, chain, ext); -} - -#endif /* OPENSSL_NO_RFC3779 */ diff --git a/openssl/crypto/x509v3/v3_akey.c b/openssl/crypto/x509v3/v3_akey.c deleted file mode 100644 index c6b68ee2..00000000 --- a/openssl/crypto/x509v3/v3_akey.c +++ /dev/null @@ -1,208 +0,0 @@ -/* v3_akey.c */ -/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL - * project 1999. - */ -/* ==================================================================== - * Copyright (c) 1999 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#include <stdio.h> -#include "cryptlib.h" -#include <openssl/conf.h> -#include <openssl/asn1.h> -#include <openssl/asn1t.h> -#include <openssl/x509v3.h> - -static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method, - AUTHORITY_KEYID *akeyid, STACK_OF(CONF_VALUE) *extlist); -static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method, - X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values); - -const X509V3_EXT_METHOD v3_akey_id = - { - NID_authority_key_identifier, - X509V3_EXT_MULTILINE, ASN1_ITEM_ref(AUTHORITY_KEYID), - 0,0,0,0, - 0,0, - (X509V3_EXT_I2V)i2v_AUTHORITY_KEYID, - (X509V3_EXT_V2I)v2i_AUTHORITY_KEYID, - 0,0, - NULL - }; - -static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method, - AUTHORITY_KEYID *akeyid, STACK_OF(CONF_VALUE) *extlist) -{ - char *tmp; - if(akeyid->keyid) { - tmp = hex_to_string(akeyid->keyid->data, akeyid->keyid->length); - X509V3_add_value("keyid", tmp, &extlist); - OPENSSL_free(tmp); - } - if(akeyid->issuer) - extlist = i2v_GENERAL_NAMES(NULL, akeyid->issuer, extlist); - if(akeyid->serial) { - tmp = hex_to_string(akeyid->serial->data, - akeyid->serial->length); - X509V3_add_value("serial", tmp, &extlist); - OPENSSL_free(tmp); - } - return extlist; -} - -/* Currently two options: - * keyid: use the issuers subject keyid, the value 'always' means its is - * an error if the issuer certificate doesn't have a key id. - * issuer: use the issuers cert issuer and serial number. The default is - * to only use this if keyid is not present. With the option 'always' - * this is always included. - */ - -static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method, - X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values) - { - char keyid=0, issuer=0; - int i; - CONF_VALUE *cnf; - ASN1_OCTET_STRING *ikeyid = NULL; - X509_NAME *isname = NULL; - GENERAL_NAMES * gens = NULL; - GENERAL_NAME *gen = NULL; - ASN1_INTEGER *serial = NULL; - X509_EXTENSION *ext; - X509 *cert; - AUTHORITY_KEYID *akeyid; - - for(i = 0; i < sk_CONF_VALUE_num(values); i++) - { - cnf = sk_CONF_VALUE_value(values, i); - if(!strcmp(cnf->name, "keyid")) - { - keyid = 1; - if(cnf->value && !strcmp(cnf->value, "always")) - keyid = 2; - } - else if(!strcmp(cnf->name, "issuer")) - { - issuer = 1; - if(cnf->value && !strcmp(cnf->value, "always")) - issuer = 2; - } - else - { - X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,X509V3_R_UNKNOWN_OPTION); - ERR_add_error_data(2, "name=", cnf->name); - return NULL; - } - } - - if(!ctx || !ctx->issuer_cert) - { - if(ctx && (ctx->flags==CTX_TEST)) - return AUTHORITY_KEYID_new(); - X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,X509V3_R_NO_ISSUER_CERTIFICATE); - return NULL; - } - - cert = ctx->issuer_cert; - - if(keyid) - { - i = X509_get_ext_by_NID(cert, NID_subject_key_identifier, -1); - if((i >= 0) && (ext = X509_get_ext(cert, i))) - ikeyid = X509V3_EXT_d2i(ext); - if(keyid==2 && !ikeyid) - { - X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,X509V3_R_UNABLE_TO_GET_ISSUER_KEYID); - return NULL; - } - } - - if((issuer && !ikeyid) || (issuer == 2)) - { - isname = X509_NAME_dup(X509_get_issuer_name(cert)); - serial = M_ASN1_INTEGER_dup(X509_get_serialNumber(cert)); - if(!isname || !serial) - { - X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS); - goto err; - } - } - - if(!(akeyid = AUTHORITY_KEYID_new())) goto err; - - if(isname) - { - if(!(gens = sk_GENERAL_NAME_new_null()) - || !(gen = GENERAL_NAME_new()) - || !sk_GENERAL_NAME_push(gens, gen)) - { - X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,ERR_R_MALLOC_FAILURE); - goto err; - } - gen->type = GEN_DIRNAME; - gen->d.dirn = isname; - } - - akeyid->issuer = gens; - akeyid->serial = serial; - akeyid->keyid = ikeyid; - - return akeyid; - - err: - X509_NAME_free(isname); - M_ASN1_INTEGER_free(serial); - M_ASN1_OCTET_STRING_free(ikeyid); - return NULL; - } diff --git a/openssl/crypto/x509v3/v3_akeya.c b/openssl/crypto/x509v3/v3_akeya.c deleted file mode 100644 index 2c50f736..00000000 --- a/openssl/crypto/x509v3/v3_akeya.c +++ /dev/null @@ -1,72 +0,0 @@ -/* v3_akey_asn1.c */ -/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL - * project 1999. - */ -/* ==================================================================== - * Copyright (c) 1999 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#include <stdio.h> -#include "cryptlib.h" -#include <openssl/conf.h> -#include <openssl/asn1.h> -#include <openssl/asn1t.h> -#include <openssl/x509v3.h> - -ASN1_SEQUENCE(AUTHORITY_KEYID) = { - ASN1_IMP_OPT(AUTHORITY_KEYID, keyid, ASN1_OCTET_STRING, 0), - ASN1_IMP_SEQUENCE_OF_OPT(AUTHORITY_KEYID, issuer, GENERAL_NAME, 1), - ASN1_IMP_OPT(AUTHORITY_KEYID, serial, ASN1_INTEGER, 2) -} ASN1_SEQUENCE_END(AUTHORITY_KEYID) - -IMPLEMENT_ASN1_FUNCTIONS(AUTHORITY_KEYID) diff --git a/openssl/crypto/x509v3/v3_alt.c b/openssl/crypto/x509v3/v3_alt.c deleted file mode 100644 index d29d9433..00000000 --- a/openssl/crypto/x509v3/v3_alt.c +++ /dev/null @@ -1,614 +0,0 @@ -/* v3_alt.c */ -/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL - * project. - */ -/* ==================================================================== - * Copyright (c) 1999-2003 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#include <stdio.h> -#include "cryptlib.h" -#include <openssl/conf.h> -#include <openssl/x509v3.h> - -static GENERAL_NAMES *v2i_subject_alt(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval); -static GENERAL_NAMES *v2i_issuer_alt(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval); -static int copy_email(X509V3_CTX *ctx, GENERAL_NAMES *gens, int move_p); -static int copy_issuer(X509V3_CTX *ctx, GENERAL_NAMES *gens); -static int do_othername(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx); -static int do_dirname(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx); - -const X509V3_EXT_METHOD v3_alt[] = { -{ NID_subject_alt_name, 0, ASN1_ITEM_ref(GENERAL_NAMES), -0,0,0,0, -0,0, -(X509V3_EXT_I2V)i2v_GENERAL_NAMES, -(X509V3_EXT_V2I)v2i_subject_alt, -NULL, NULL, NULL}, - -{ NID_issuer_alt_name, 0, ASN1_ITEM_ref(GENERAL_NAMES), -0,0,0,0, -0,0, -(X509V3_EXT_I2V)i2v_GENERAL_NAMES, -(X509V3_EXT_V2I)v2i_issuer_alt, -NULL, NULL, NULL}, - -{ NID_certificate_issuer, 0, ASN1_ITEM_ref(GENERAL_NAMES), -0,0,0,0, -0,0, -(X509V3_EXT_I2V)i2v_GENERAL_NAMES, -NULL, NULL, NULL, NULL}, -}; - -STACK_OF(CONF_VALUE) *i2v_GENERAL_NAMES(X509V3_EXT_METHOD *method, - GENERAL_NAMES *gens, STACK_OF(CONF_VALUE) *ret) -{ - int i; - GENERAL_NAME *gen; - for(i = 0; i < sk_GENERAL_NAME_num(gens); i++) { - gen = sk_GENERAL_NAME_value(gens, i); - ret = i2v_GENERAL_NAME(method, gen, ret); - } - if(!ret) return sk_CONF_VALUE_new_null(); - return ret; -} - -STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(X509V3_EXT_METHOD *method, - GENERAL_NAME *gen, STACK_OF(CONF_VALUE) *ret) -{ - unsigned char *p; - char oline[256], htmp[5]; - int i; - switch (gen->type) - { - case GEN_OTHERNAME: - X509V3_add_value("othername","<unsupported>", &ret); - break; - - case GEN_X400: - X509V3_add_value("X400Name","<unsupported>", &ret); - break; - - case GEN_EDIPARTY: - X509V3_add_value("EdiPartyName","<unsupported>", &ret); - break; - - case GEN_EMAIL: - X509V3_add_value_uchar("email",gen->d.ia5->data, &ret); - break; - - case GEN_DNS: - X509V3_add_value_uchar("DNS",gen->d.ia5->data, &ret); - break; - - case GEN_URI: - X509V3_add_value_uchar("URI",gen->d.ia5->data, &ret); - break; - - case GEN_DIRNAME: - X509_NAME_oneline(gen->d.dirn, oline, 256); - X509V3_add_value("DirName",oline, &ret); - break; - - case GEN_IPADD: - p = gen->d.ip->data; - if(gen->d.ip->length == 4) - BIO_snprintf(oline, sizeof oline, - "%d.%d.%d.%d", p[0], p[1], p[2], p[3]); - else if(gen->d.ip->length == 16) - { - oline[0] = 0; - for (i = 0; i < 8; i++) - { - BIO_snprintf(htmp, sizeof htmp, - "%X", p[0] << 8 | p[1]); - p += 2; - strcat(oline, htmp); - if (i != 7) - strcat(oline, ":"); - } - } - else - { - X509V3_add_value("IP Address","<invalid>", &ret); - break; - } - X509V3_add_value("IP Address",oline, &ret); - break; - - case GEN_RID: - i2t_ASN1_OBJECT(oline, 256, gen->d.rid); - X509V3_add_value("Registered ID",oline, &ret); - break; - } - return ret; -} - -int GENERAL_NAME_print(BIO *out, GENERAL_NAME *gen) -{ - unsigned char *p; - int i; - switch (gen->type) - { - case GEN_OTHERNAME: - BIO_printf(out, "othername:<unsupported>"); - break; - - case GEN_X400: - BIO_printf(out, "X400Name:<unsupported>"); - break; - - case GEN_EDIPARTY: - /* Maybe fix this: it is supported now */ - BIO_printf(out, "EdiPartyName:<unsupported>"); - break; - - case GEN_EMAIL: - BIO_printf(out, "email:%s",gen->d.ia5->data); - break; - - case GEN_DNS: - BIO_printf(out, "DNS:%s",gen->d.ia5->data); - break; - - case GEN_URI: - BIO_printf(out, "URI:%s",gen->d.ia5->data); - break; - - case GEN_DIRNAME: - BIO_printf(out, "DirName: "); - X509_NAME_print_ex(out, gen->d.dirn, 0, XN_FLAG_ONELINE); - break; - - case GEN_IPADD: - p = gen->d.ip->data; - if(gen->d.ip->length == 4) - BIO_printf(out, "IP Address:%d.%d.%d.%d", - p[0], p[1], p[2], p[3]); - else if(gen->d.ip->length == 16) - { - BIO_printf(out, "IP Address"); - for (i = 0; i < 8; i++) - { - BIO_printf(out, ":%X", p[0] << 8 | p[1]); - p += 2; - } - BIO_puts(out, "\n"); - } - else - { - BIO_printf(out,"IP Address:<invalid>"); - break; - } - break; - - case GEN_RID: - BIO_printf(out, "Registered ID"); - i2a_ASN1_OBJECT(out, gen->d.rid); - break; - } - return 1; -} - -static GENERAL_NAMES *v2i_issuer_alt(X509V3_EXT_METHOD *method, - X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval) -{ - GENERAL_NAMES *gens = NULL; - CONF_VALUE *cnf; - int i; - if(!(gens = sk_GENERAL_NAME_new_null())) { - X509V3err(X509V3_F_V2I_ISSUER_ALT,ERR_R_MALLOC_FAILURE); - return NULL; - } - for(i = 0; i < sk_CONF_VALUE_num(nval); i++) { - cnf = sk_CONF_VALUE_value(nval, i); - if(!name_cmp(cnf->name, "issuer") && cnf->value && - !strcmp(cnf->value, "copy")) { - if(!copy_issuer(ctx, gens)) goto err; - } else { - GENERAL_NAME *gen; - if(!(gen = v2i_GENERAL_NAME(method, ctx, cnf))) - goto err; - sk_GENERAL_NAME_push(gens, gen); - } - } - return gens; - err: - sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free); - return NULL; -} - -/* Append subject altname of issuer to issuer alt name of subject */ - -static int copy_issuer(X509V3_CTX *ctx, GENERAL_NAMES *gens) -{ - GENERAL_NAMES *ialt; - GENERAL_NAME *gen; - X509_EXTENSION *ext; - int i; - if(ctx && (ctx->flags == CTX_TEST)) return 1; - if(!ctx || !ctx->issuer_cert) { - X509V3err(X509V3_F_COPY_ISSUER,X509V3_R_NO_ISSUER_DETAILS); - goto err; - } - i = X509_get_ext_by_NID(ctx->issuer_cert, NID_subject_alt_name, -1); - if(i < 0) return 1; - if(!(ext = X509_get_ext(ctx->issuer_cert, i)) || - !(ialt = X509V3_EXT_d2i(ext)) ) { - X509V3err(X509V3_F_COPY_ISSUER,X509V3_R_ISSUER_DECODE_ERROR); - goto err; - } - - for(i = 0; i < sk_GENERAL_NAME_num(ialt); i++) { - gen = sk_GENERAL_NAME_value(ialt, i); - if(!sk_GENERAL_NAME_push(gens, gen)) { - X509V3err(X509V3_F_COPY_ISSUER,ERR_R_MALLOC_FAILURE); - goto err; - } - } - sk_GENERAL_NAME_free(ialt); - - return 1; - - err: - return 0; - -} - -static GENERAL_NAMES *v2i_subject_alt(X509V3_EXT_METHOD *method, - X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval) -{ - GENERAL_NAMES *gens = NULL; - CONF_VALUE *cnf; - int i; - if(!(gens = sk_GENERAL_NAME_new_null())) { - X509V3err(X509V3_F_V2I_SUBJECT_ALT,ERR_R_MALLOC_FAILURE); - return NULL; - } - for(i = 0; i < sk_CONF_VALUE_num(nval); i++) { - cnf = sk_CONF_VALUE_value(nval, i); - if(!name_cmp(cnf->name, "email") && cnf->value && - !strcmp(cnf->value, "copy")) { - if(!copy_email(ctx, gens, 0)) goto err; - } else if(!name_cmp(cnf->name, "email") && cnf->value && - !strcmp(cnf->value, "move")) { - if(!copy_email(ctx, gens, 1)) goto err; - } else { - GENERAL_NAME *gen; - if(!(gen = v2i_GENERAL_NAME(method, ctx, cnf))) - goto err; - sk_GENERAL_NAME_push(gens, gen); - } - } - return gens; - err: - sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free); - return NULL; -} - -/* Copy any email addresses in a certificate or request to - * GENERAL_NAMES - */ - -static int copy_email(X509V3_CTX *ctx, GENERAL_NAMES *gens, int move_p) -{ - X509_NAME *nm; - ASN1_IA5STRING *email = NULL; - X509_NAME_ENTRY *ne; - GENERAL_NAME *gen = NULL; - int i; - if(ctx != NULL && ctx->flags == CTX_TEST) - return 1; - if(!ctx || (!ctx->subject_cert && !ctx->subject_req)) { - X509V3err(X509V3_F_COPY_EMAIL,X509V3_R_NO_SUBJECT_DETAILS); - goto err; - } - /* Find the subject name */ - if(ctx->subject_cert) nm = X509_get_subject_name(ctx->subject_cert); - else nm = X509_REQ_get_subject_name(ctx->subject_req); - - /* Now add any email address(es) to STACK */ - i = -1; - while((i = X509_NAME_get_index_by_NID(nm, - NID_pkcs9_emailAddress, i)) >= 0) { - ne = X509_NAME_get_entry(nm, i); - email = M_ASN1_IA5STRING_dup(X509_NAME_ENTRY_get_data(ne)); - if (move_p) - { - X509_NAME_delete_entry(nm, i); - X509_NAME_ENTRY_free(ne); - i--; - } - if(!email || !(gen = GENERAL_NAME_new())) { - X509V3err(X509V3_F_COPY_EMAIL,ERR_R_MALLOC_FAILURE); - goto err; - } - gen->d.ia5 = email; - email = NULL; - gen->type = GEN_EMAIL; - if(!sk_GENERAL_NAME_push(gens, gen)) { - X509V3err(X509V3_F_COPY_EMAIL,ERR_R_MALLOC_FAILURE); - goto err; - } - gen = NULL; - } - - - return 1; - - err: - GENERAL_NAME_free(gen); - M_ASN1_IA5STRING_free(email); - return 0; - -} - -GENERAL_NAMES *v2i_GENERAL_NAMES(const X509V3_EXT_METHOD *method, - X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval) -{ - GENERAL_NAME *gen; - GENERAL_NAMES *gens = NULL; - CONF_VALUE *cnf; - int i; - if(!(gens = sk_GENERAL_NAME_new_null())) { - X509V3err(X509V3_F_V2I_GENERAL_NAMES,ERR_R_MALLOC_FAILURE); - return NULL; - } - for(i = 0; i < sk_CONF_VALUE_num(nval); i++) { - cnf = sk_CONF_VALUE_value(nval, i); - if(!(gen = v2i_GENERAL_NAME(method, ctx, cnf))) goto err; - sk_GENERAL_NAME_push(gens, gen); - } - return gens; - err: - sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free); - return NULL; -} - -GENERAL_NAME *v2i_GENERAL_NAME(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx, - CONF_VALUE *cnf) - { - return v2i_GENERAL_NAME_ex(NULL, method, ctx, cnf, 0); - } - -GENERAL_NAME *a2i_GENERAL_NAME(GENERAL_NAME *out, - const X509V3_EXT_METHOD *method, X509V3_CTX *ctx, - int gen_type, char *value, int is_nc) - { - char is_string = 0; - GENERAL_NAME *gen = NULL; - - if(!value) - { - X509V3err(X509V3_F_A2I_GENERAL_NAME,X509V3_R_MISSING_VALUE); - return NULL; - } - - if (out) - gen = out; - else - { - gen = GENERAL_NAME_new(); - if(gen == NULL) - { - X509V3err(X509V3_F_A2I_GENERAL_NAME,ERR_R_MALLOC_FAILURE); - return NULL; - } - } - - switch (gen_type) - { - case GEN_URI: - case GEN_EMAIL: - case GEN_DNS: - is_string = 1; - break; - - case GEN_RID: - { - ASN1_OBJECT *obj; - if(!(obj = OBJ_txt2obj(value,0))) - { - X509V3err(X509V3_F_A2I_GENERAL_NAME,X509V3_R_BAD_OBJECT); - ERR_add_error_data(2, "value=", value); - goto err; - } - gen->d.rid = obj; - } - break; - - case GEN_IPADD: - if (is_nc) - gen->d.ip = a2i_IPADDRESS_NC(value); - else - gen->d.ip = a2i_IPADDRESS(value); - if(gen->d.ip == NULL) - { - X509V3err(X509V3_F_A2I_GENERAL_NAME,X509V3_R_BAD_IP_ADDRESS); - ERR_add_error_data(2, "value=", value); - goto err; - } - break; - - case GEN_DIRNAME: - if (!do_dirname(gen, value, ctx)) - { - X509V3err(X509V3_F_A2I_GENERAL_NAME,X509V3_R_DIRNAME_ERROR); - goto err; - } - break; - - case GEN_OTHERNAME: - if (!do_othername(gen, value, ctx)) - { - X509V3err(X509V3_F_A2I_GENERAL_NAME,X509V3_R_OTHERNAME_ERROR); - goto err; - } - break; - default: - X509V3err(X509V3_F_A2I_GENERAL_NAME,X509V3_R_UNSUPPORTED_TYPE); - goto err; - } - - if(is_string) - { - if(!(gen->d.ia5 = M_ASN1_IA5STRING_new()) || - !ASN1_STRING_set(gen->d.ia5, (unsigned char*)value, - strlen(value))) - { - X509V3err(X509V3_F_A2I_GENERAL_NAME,ERR_R_MALLOC_FAILURE); - goto err; - } - } - - gen->type = gen_type; - - return gen; - - err: - if (!out) - GENERAL_NAME_free(gen); - return NULL; - } - -GENERAL_NAME *v2i_GENERAL_NAME_ex(GENERAL_NAME *out, - const X509V3_EXT_METHOD *method, - X509V3_CTX *ctx, CONF_VALUE *cnf, int is_nc) - { - int type; - - char *name, *value; - - name = cnf->name; - value = cnf->value; - - if(!value) - { - X509V3err(X509V3_F_V2I_GENERAL_NAME_EX,X509V3_R_MISSING_VALUE); - return NULL; - } - - if(!name_cmp(name, "email")) - type = GEN_EMAIL; - else if(!name_cmp(name, "URI")) - type = GEN_URI; - else if(!name_cmp(name, "DNS")) - type = GEN_DNS; - else if(!name_cmp(name, "RID")) - type = GEN_RID; - else if(!name_cmp(name, "IP")) - type = GEN_IPADD; - else if(!name_cmp(name, "dirName")) - type = GEN_DIRNAME; - else if(!name_cmp(name, "otherName")) - type = GEN_OTHERNAME; - else - { - X509V3err(X509V3_F_V2I_GENERAL_NAME_EX,X509V3_R_UNSUPPORTED_OPTION); - ERR_add_error_data(2, "name=", name); - return NULL; - } - - return a2i_GENERAL_NAME(out, method, ctx, type, value, is_nc); - - } - -static int do_othername(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx) - { - char *objtmp = NULL, *p; - int objlen; - if (!(p = strchr(value, ';'))) - return 0; - if (!(gen->d.otherName = OTHERNAME_new())) - return 0; - /* Free this up because we will overwrite it. - * no need to free type_id because it is static - */ - ASN1_TYPE_free(gen->d.otherName->value); - if (!(gen->d.otherName->value = ASN1_generate_v3(p + 1, ctx))) - return 0; - objlen = p - value; - objtmp = OPENSSL_malloc(objlen + 1); - strncpy(objtmp, value, objlen); - objtmp[objlen] = 0; - gen->d.otherName->type_id = OBJ_txt2obj(objtmp, 0); - OPENSSL_free(objtmp); - if (!gen->d.otherName->type_id) - return 0; - return 1; - } - -static int do_dirname(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx) - { - int ret; - STACK_OF(CONF_VALUE) *sk; - X509_NAME *nm; - if (!(nm = X509_NAME_new())) - return 0; - sk = X509V3_get_section(ctx, value); - if (!sk) - { - X509V3err(X509V3_F_DO_DIRNAME,X509V3_R_SECTION_NOT_FOUND); - ERR_add_error_data(2, "section=", value); - X509_NAME_free(nm); - return 0; - } - /* FIXME: should allow other character types... */ - ret = X509V3_NAME_from_section(nm, sk, MBSTRING_ASC); - if (!ret) - X509_NAME_free(nm); - gen->d.dirn = nm; - X509V3_section_free(ctx, sk); - - return ret; - } diff --git a/openssl/crypto/x509v3/v3_asid.c b/openssl/crypto/x509v3/v3_asid.c deleted file mode 100644 index 3f434c06..00000000 --- a/openssl/crypto/x509v3/v3_asid.c +++ /dev/null @@ -1,843 +0,0 @@ -/* - * Contributed to the OpenSSL Project by the American Registry for - * Internet Numbers ("ARIN"). - */ -/* ==================================================================== - * Copyright (c) 2006 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - */ - -/* - * Implementation of RFC 3779 section 3.2. - */ - -#include <stdio.h> -#include <string.h> -#include "cryptlib.h" -#include <openssl/conf.h> -#include <openssl/asn1.h> -#include <openssl/asn1t.h> -#include <openssl/x509v3.h> -#include <openssl/x509.h> -#include <openssl/bn.h> - -#ifndef OPENSSL_NO_RFC3779 - -/* - * OpenSSL ASN.1 template translation of RFC 3779 3.2.3. - */ - -ASN1_SEQUENCE(ASRange) = { - ASN1_SIMPLE(ASRange, min, ASN1_INTEGER), - ASN1_SIMPLE(ASRange, max, ASN1_INTEGER) -} ASN1_SEQUENCE_END(ASRange) - -ASN1_CHOICE(ASIdOrRange) = { - ASN1_SIMPLE(ASIdOrRange, u.id, ASN1_INTEGER), - ASN1_SIMPLE(ASIdOrRange, u.range, ASRange) -} ASN1_CHOICE_END(ASIdOrRange) - -ASN1_CHOICE(ASIdentifierChoice) = { - ASN1_SIMPLE(ASIdentifierChoice, u.inherit, ASN1_NULL), - ASN1_SEQUENCE_OF(ASIdentifierChoice, u.asIdsOrRanges, ASIdOrRange) -} ASN1_CHOICE_END(ASIdentifierChoice) - -ASN1_SEQUENCE(ASIdentifiers) = { - ASN1_EXP_OPT(ASIdentifiers, asnum, ASIdentifierChoice, 0), - ASN1_EXP_OPT(ASIdentifiers, rdi, ASIdentifierChoice, 1) -} ASN1_SEQUENCE_END(ASIdentifiers) - -IMPLEMENT_ASN1_FUNCTIONS(ASRange) -IMPLEMENT_ASN1_FUNCTIONS(ASIdOrRange) -IMPLEMENT_ASN1_FUNCTIONS(ASIdentifierChoice) -IMPLEMENT_ASN1_FUNCTIONS(ASIdentifiers) - -/* - * i2r method for an ASIdentifierChoice. - */ -static int i2r_ASIdentifierChoice(BIO *out, - ASIdentifierChoice *choice, - int indent, - const char *msg) -{ - int i; - char *s; - if (choice == NULL) - return 1; - BIO_printf(out, "%*s%s:\n", indent, "", msg); - switch (choice->type) { - case ASIdentifierChoice_inherit: - BIO_printf(out, "%*sinherit\n", indent + 2, ""); - break; - case ASIdentifierChoice_asIdsOrRanges: - for (i = 0; i < sk_ASIdOrRange_num(choice->u.asIdsOrRanges); i++) { - ASIdOrRange *aor = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i); - switch (aor->type) { - case ASIdOrRange_id: - if ((s = i2s_ASN1_INTEGER(NULL, aor->u.id)) == NULL) - return 0; - BIO_printf(out, "%*s%s\n", indent + 2, "", s); - OPENSSL_free(s); - break; - case ASIdOrRange_range: - if ((s = i2s_ASN1_INTEGER(NULL, aor->u.range->min)) == NULL) - return 0; - BIO_printf(out, "%*s%s-", indent + 2, "", s); - OPENSSL_free(s); - if ((s = i2s_ASN1_INTEGER(NULL, aor->u.range->max)) == NULL) - return 0; - BIO_printf(out, "%s\n", s); - OPENSSL_free(s); - break; - default: - return 0; - } - } - break; - default: - return 0; - } - return 1; -} - -/* - * i2r method for an ASIdentifier extension. - */ -static int i2r_ASIdentifiers(const X509V3_EXT_METHOD *method, - void *ext, - BIO *out, - int indent) -{ - ASIdentifiers *asid = ext; - return (i2r_ASIdentifierChoice(out, asid->asnum, indent, - "Autonomous System Numbers") && - i2r_ASIdentifierChoice(out, asid->rdi, indent, - "Routing Domain Identifiers")); -} - -/* - * Sort comparision function for a sequence of ASIdOrRange elements. - */ -static int ASIdOrRange_cmp(const ASIdOrRange * const *a_, - const ASIdOrRange * const *b_) -{ - const ASIdOrRange *a = *a_, *b = *b_; - - OPENSSL_assert((a->type == ASIdOrRange_id && a->u.id != NULL) || - (a->type == ASIdOrRange_range && a->u.range != NULL && - a->u.range->min != NULL && a->u.range->max != NULL)); - - OPENSSL_assert((b->type == ASIdOrRange_id && b->u.id != NULL) || - (b->type == ASIdOrRange_range && b->u.range != NULL && - b->u.range->min != NULL && b->u.range->max != NULL)); - - if (a->type == ASIdOrRange_id && b->type == ASIdOrRange_id) - return ASN1_INTEGER_cmp(a->u.id, b->u.id); - - if (a->type == ASIdOrRange_range && b->type == ASIdOrRange_range) { - int r = ASN1_INTEGER_cmp(a->u.range->min, b->u.range->min); - return r != 0 ? r : ASN1_INTEGER_cmp(a->u.range->max, b->u.range->max); - } - - if (a->type == ASIdOrRange_id) - return ASN1_INTEGER_cmp(a->u.id, b->u.range->min); - else - return ASN1_INTEGER_cmp(a->u.range->min, b->u.id); -} - -/* - * Add an inherit element. - */ -int v3_asid_add_inherit(ASIdentifiers *asid, int which) -{ - ASIdentifierChoice **choice; - if (asid == NULL) - return 0; - switch (which) { - case V3_ASID_ASNUM: - choice = &asid->asnum; - break; - case V3_ASID_RDI: - choice = &asid->rdi; - break; - default: - return 0; - } - if (*choice == NULL) { - if ((*choice = ASIdentifierChoice_new()) == NULL) - return 0; - OPENSSL_assert((*choice)->u.inherit == NULL); - if (((*choice)->u.inherit = ASN1_NULL_new()) == NULL) - return 0; - (*choice)->type = ASIdentifierChoice_inherit; - } - return (*choice)->type == ASIdentifierChoice_inherit; -} - -/* - * Add an ID or range to an ASIdentifierChoice. - */ -int v3_asid_add_id_or_range(ASIdentifiers *asid, - int which, - ASN1_INTEGER *min, - ASN1_INTEGER *max) -{ - ASIdentifierChoice **choice; - ASIdOrRange *aor; - if (asid == NULL) - return 0; - switch (which) { - case V3_ASID_ASNUM: - choice = &asid->asnum; - break; - case V3_ASID_RDI: - choice = &asid->rdi; - break; - default: - return 0; - } - if (*choice != NULL && (*choice)->type == ASIdentifierChoice_inherit) - return 0; - if (*choice == NULL) { - if ((*choice = ASIdentifierChoice_new()) == NULL) - return 0; - OPENSSL_assert((*choice)->u.asIdsOrRanges == NULL); - (*choice)->u.asIdsOrRanges = sk_ASIdOrRange_new(ASIdOrRange_cmp); - if ((*choice)->u.asIdsOrRanges == NULL) - return 0; - (*choice)->type = ASIdentifierChoice_asIdsOrRanges; - } - if ((aor = ASIdOrRange_new()) == NULL) - return 0; - if (max == NULL) { - aor->type = ASIdOrRange_id; - aor->u.id = min; - } else { - aor->type = ASIdOrRange_range; - if ((aor->u.range = ASRange_new()) == NULL) - goto err; - ASN1_INTEGER_free(aor->u.range->min); - aor->u.range->min = min; - ASN1_INTEGER_free(aor->u.range->max); - aor->u.range->max = max; - } - if (!(sk_ASIdOrRange_push((*choice)->u.asIdsOrRanges, aor))) - goto err; - return 1; - - err: - ASIdOrRange_free(aor); - return 0; -} - -/* - * Extract min and max values from an ASIdOrRange. - */ -static void extract_min_max(ASIdOrRange *aor, - ASN1_INTEGER **min, - ASN1_INTEGER **max) -{ - OPENSSL_assert(aor != NULL && min != NULL && max != NULL); - switch (aor->type) { - case ASIdOrRange_id: - *min = aor->u.id; - *max = aor->u.id; - return; - case ASIdOrRange_range: - *min = aor->u.range->min; - *max = aor->u.range->max; - return; - } -} - -/* - * Check whether an ASIdentifierChoice is in canonical form. - */ -static int ASIdentifierChoice_is_canonical(ASIdentifierChoice *choice) -{ - ASN1_INTEGER *a_max_plus_one = NULL; - BIGNUM *bn = NULL; - int i, ret = 0; - - /* - * Empty element or inheritance is canonical. - */ - if (choice == NULL || choice->type == ASIdentifierChoice_inherit) - return 1; - - /* - * If not a list, or if empty list, it's broken. - */ - if (choice->type != ASIdentifierChoice_asIdsOrRanges || - sk_ASIdOrRange_num(choice->u.asIdsOrRanges) == 0) - return 0; - - /* - * It's a list, check it. - */ - for (i = 0; i < sk_ASIdOrRange_num(choice->u.asIdsOrRanges) - 1; i++) { - ASIdOrRange *a = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i); - ASIdOrRange *b = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i + 1); - ASN1_INTEGER *a_min, *a_max, *b_min, *b_max; - - extract_min_max(a, &a_min, &a_max); - extract_min_max(b, &b_min, &b_max); - - /* - * Punt misordered list, overlapping start, or inverted range. - */ - if (ASN1_INTEGER_cmp(a_min, b_min) >= 0 || - ASN1_INTEGER_cmp(a_min, a_max) > 0 || - ASN1_INTEGER_cmp(b_min, b_max) > 0) - goto done; - - /* - * Calculate a_max + 1 to check for adjacency. - */ - if ((bn == NULL && (bn = BN_new()) == NULL) || - ASN1_INTEGER_to_BN(a_max, bn) == NULL || - !BN_add_word(bn, 1) || - (a_max_plus_one = BN_to_ASN1_INTEGER(bn, a_max_plus_one)) == NULL) { - X509V3err(X509V3_F_ASIDENTIFIERCHOICE_IS_CANONICAL, - ERR_R_MALLOC_FAILURE); - goto done; - } - - /* - * Punt if adjacent or overlapping. - */ - if (ASN1_INTEGER_cmp(a_max_plus_one, b_min) >= 0) - goto done; - } - - ret = 1; - - done: - ASN1_INTEGER_free(a_max_plus_one); - BN_free(bn); - return ret; -} - -/* - * Check whether an ASIdentifier extension is in canonical form. - */ -int v3_asid_is_canonical(ASIdentifiers *asid) -{ - return (asid == NULL || - (ASIdentifierChoice_is_canonical(asid->asnum) && - ASIdentifierChoice_is_canonical(asid->rdi))); -} - -/* - * Whack an ASIdentifierChoice into canonical form. - */ -static int ASIdentifierChoice_canonize(ASIdentifierChoice *choice) -{ - ASN1_INTEGER *a_max_plus_one = NULL; - BIGNUM *bn = NULL; - int i, ret = 0; - - /* - * Nothing to do for empty element or inheritance. - */ - if (choice == NULL || choice->type == ASIdentifierChoice_inherit) - return 1; - - /* - * We have a list. Sort it. - */ - OPENSSL_assert(choice->type == ASIdentifierChoice_asIdsOrRanges); - sk_ASIdOrRange_sort(choice->u.asIdsOrRanges); - - /* - * Now check for errors and suboptimal encoding, rejecting the - * former and fixing the latter. - */ - for (i = 0; i < sk_ASIdOrRange_num(choice->u.asIdsOrRanges) - 1; i++) { - ASIdOrRange *a = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i); - ASIdOrRange *b = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i + 1); - ASN1_INTEGER *a_min, *a_max, *b_min, *b_max; - - extract_min_max(a, &a_min, &a_max); - extract_min_max(b, &b_min, &b_max); - - /* - * Make sure we're properly sorted (paranoia). - */ - OPENSSL_assert(ASN1_INTEGER_cmp(a_min, b_min) <= 0); - - /* - * Check for overlaps. - */ - if (ASN1_INTEGER_cmp(a_max, b_min) >= 0) { - X509V3err(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE, - X509V3_R_EXTENSION_VALUE_ERROR); - goto done; - } - - /* - * Calculate a_max + 1 to check for adjacency. - */ - if ((bn == NULL && (bn = BN_new()) == NULL) || - ASN1_INTEGER_to_BN(a_max, bn) == NULL || - !BN_add_word(bn, 1) || - (a_max_plus_one = BN_to_ASN1_INTEGER(bn, a_max_plus_one)) == NULL) { - X509V3err(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE, ERR_R_MALLOC_FAILURE); - goto done; - } - - /* - * If a and b are adjacent, merge them. - */ - if (ASN1_INTEGER_cmp(a_max_plus_one, b_min) == 0) { - ASRange *r; - switch (a->type) { - case ASIdOrRange_id: - if ((r = OPENSSL_malloc(sizeof(ASRange))) == NULL) { - X509V3err(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE, - ERR_R_MALLOC_FAILURE); - goto done; - } - r->min = a_min; - r->max = b_max; - a->type = ASIdOrRange_range; - a->u.range = r; - break; - case ASIdOrRange_range: - ASN1_INTEGER_free(a->u.range->max); - a->u.range->max = b_max; - break; - } - switch (b->type) { - case ASIdOrRange_id: - b->u.id = NULL; - break; - case ASIdOrRange_range: - b->u.range->max = NULL; - break; - } - ASIdOrRange_free(b); - sk_ASIdOrRange_delete(choice->u.asIdsOrRanges, i + 1); - i--; - continue; - } - } - - OPENSSL_assert(ASIdentifierChoice_is_canonical(choice)); /* Paranoia */ - - ret = 1; - - done: - ASN1_INTEGER_free(a_max_plus_one); - BN_free(bn); - return ret; -} - -/* - * Whack an ASIdentifier extension into canonical form. - */ -int v3_asid_canonize(ASIdentifiers *asid) -{ - return (asid == NULL || - (ASIdentifierChoice_canonize(asid->asnum) && - ASIdentifierChoice_canonize(asid->rdi))); -} - -/* - * v2i method for an ASIdentifier extension. - */ -static void *v2i_ASIdentifiers(const struct v3_ext_method *method, - struct v3_ext_ctx *ctx, - STACK_OF(CONF_VALUE) *values) -{ - ASIdentifiers *asid = NULL; - int i; - - if ((asid = ASIdentifiers_new()) == NULL) { - X509V3err(X509V3_F_V2I_ASIDENTIFIERS, ERR_R_MALLOC_FAILURE); - return NULL; - } - - for (i = 0; i < sk_CONF_VALUE_num(values); i++) { - CONF_VALUE *val = sk_CONF_VALUE_value(values, i); - ASN1_INTEGER *min = NULL, *max = NULL; - int i1, i2, i3, is_range, which; - - /* - * Figure out whether this is an AS or an RDI. - */ - if ( !name_cmp(val->name, "AS")) { - which = V3_ASID_ASNUM; - } else if (!name_cmp(val->name, "RDI")) { - which = V3_ASID_RDI; - } else { - X509V3err(X509V3_F_V2I_ASIDENTIFIERS, X509V3_R_EXTENSION_NAME_ERROR); - X509V3_conf_err(val); - goto err; - } - - /* - * Handle inheritance. - */ - if (!strcmp(val->value, "inherit")) { - if (v3_asid_add_inherit(asid, which)) - continue; - X509V3err(X509V3_F_V2I_ASIDENTIFIERS, X509V3_R_INVALID_INHERITANCE); - X509V3_conf_err(val); - goto err; - } - - /* - * Number, range, or mistake, pick it apart and figure out which. - */ - i1 = strspn(val->value, "0123456789"); - if (val->value[i1] == '\0') { - is_range = 0; - } else { - is_range = 1; - i2 = i1 + strspn(val->value + i1, " \t"); - if (val->value[i2] != '-') { - X509V3err(X509V3_F_V2I_ASIDENTIFIERS, X509V3_R_INVALID_ASNUMBER); - X509V3_conf_err(val); - goto err; - } - i2++; - i2 = i2 + strspn(val->value + i2, " \t"); - i3 = i2 + strspn(val->value + i2, "0123456789"); - if (val->value[i3] != '\0') { - X509V3err(X509V3_F_V2I_ASIDENTIFIERS, X509V3_R_INVALID_ASRANGE); - X509V3_conf_err(val); - goto err; - } - } - - /* - * Syntax is ok, read and add it. - */ - if (!is_range) { - if (!X509V3_get_value_int(val, &min)) { - X509V3err(X509V3_F_V2I_ASIDENTIFIERS, ERR_R_MALLOC_FAILURE); - goto err; - } - } else { - char *s = BUF_strdup(val->value); - if (s == NULL) { - X509V3err(X509V3_F_V2I_ASIDENTIFIERS, ERR_R_MALLOC_FAILURE); - goto err; - } - s[i1] = '\0'; - min = s2i_ASN1_INTEGER(NULL, s); - max = s2i_ASN1_INTEGER(NULL, s + i2); - OPENSSL_free(s); - if (min == NULL || max == NULL) { - ASN1_INTEGER_free(min); - ASN1_INTEGER_free(max); - X509V3err(X509V3_F_V2I_ASIDENTIFIERS, ERR_R_MALLOC_FAILURE); - goto err; - } - } - if (!v3_asid_add_id_or_range(asid, which, min, max)) { - ASN1_INTEGER_free(min); - ASN1_INTEGER_free(max); - X509V3err(X509V3_F_V2I_ASIDENTIFIERS, ERR_R_MALLOC_FAILURE); - goto err; - } - } - - /* - * Canonize the result, then we're done. - */ - if (!v3_asid_canonize(asid)) - goto err; - return asid; - - err: - ASIdentifiers_free(asid); - return NULL; -} - -/* - * OpenSSL dispatch. - */ -const X509V3_EXT_METHOD v3_asid = { - NID_sbgp_autonomousSysNum, /* nid */ - 0, /* flags */ - ASN1_ITEM_ref(ASIdentifiers), /* template */ - 0, 0, 0, 0, /* old functions, ignored */ - 0, /* i2s */ - 0, /* s2i */ - 0, /* i2v */ - v2i_ASIdentifiers, /* v2i */ - i2r_ASIdentifiers, /* i2r */ - 0, /* r2i */ - NULL /* extension-specific data */ -}; - -/* - * Figure out whether extension uses inheritance. - */ -int v3_asid_inherits(ASIdentifiers *asid) -{ - return (asid != NULL && - ((asid->asnum != NULL && - asid->asnum->type == ASIdentifierChoice_inherit) || - (asid->rdi != NULL && - asid->rdi->type == ASIdentifierChoice_inherit))); -} - -/* - * Figure out whether parent contains child. - */ -static int asid_contains(ASIdOrRanges *parent, ASIdOrRanges *child) -{ - ASN1_INTEGER *p_min, *p_max, *c_min, *c_max; - int p, c; - - if (child == NULL || parent == child) - return 1; - if (parent == NULL) - return 0; - - p = 0; - for (c = 0; c < sk_ASIdOrRange_num(child); c++) { - extract_min_max(sk_ASIdOrRange_value(child, c), &c_min, &c_max); - for (;; p++) { - if (p >= sk_ASIdOrRange_num(parent)) - return 0; - extract_min_max(sk_ASIdOrRange_value(parent, p), &p_min, &p_max); - if (ASN1_INTEGER_cmp(p_max, c_max) < 0) - continue; - if (ASN1_INTEGER_cmp(p_min, c_min) > 0) - return 0; - break; - } - } - - return 1; -} - -/* - * Test whether a is a subet of b. - */ -int v3_asid_subset(ASIdentifiers *a, ASIdentifiers *b) -{ - return (a == NULL || - a == b || - (b != NULL && - !v3_asid_inherits(a) && - !v3_asid_inherits(b) && - asid_contains(b->asnum->u.asIdsOrRanges, - a->asnum->u.asIdsOrRanges) && - asid_contains(b->rdi->u.asIdsOrRanges, - a->rdi->u.asIdsOrRanges))); -} - -/* - * Validation error handling via callback. - */ -#define validation_err(_err_) \ - do { \ - if (ctx != NULL) { \ - ctx->error = _err_; \ - ctx->error_depth = i; \ - ctx->current_cert = x; \ - ret = ctx->verify_cb(0, ctx); \ - } else { \ - ret = 0; \ - } \ - if (!ret) \ - goto done; \ - } while (0) - -/* - * Core code for RFC 3779 3.3 path validation. - */ -static int v3_asid_validate_path_internal(X509_STORE_CTX *ctx, - STACK_OF(X509) *chain, - ASIdentifiers *ext) -{ - ASIdOrRanges *child_as = NULL, *child_rdi = NULL; - int i, ret = 1, inherit_as = 0, inherit_rdi = 0; - X509 *x; - - OPENSSL_assert(chain != NULL && sk_X509_num(chain) > 0); - OPENSSL_assert(ctx != NULL || ext != NULL); - OPENSSL_assert(ctx == NULL || ctx->verify_cb != NULL); - - /* - * Figure out where to start. If we don't have an extension to - * check, we're done. Otherwise, check canonical form and - * set up for walking up the chain. - */ - if (ext != NULL) { - i = -1; - x = NULL; - } else { - i = 0; - x = sk_X509_value(chain, i); - OPENSSL_assert(x != NULL); - if ((ext = x->rfc3779_asid) == NULL) - goto done; - } - if (!v3_asid_is_canonical(ext)) - validation_err(X509_V_ERR_INVALID_EXTENSION); - if (ext->asnum != NULL) { - switch (ext->asnum->type) { - case ASIdentifierChoice_inherit: - inherit_as = 1; - break; - case ASIdentifierChoice_asIdsOrRanges: - child_as = ext->asnum->u.asIdsOrRanges; - break; - } - } - if (ext->rdi != NULL) { - switch (ext->rdi->type) { - case ASIdentifierChoice_inherit: - inherit_rdi = 1; - break; - case ASIdentifierChoice_asIdsOrRanges: - child_rdi = ext->rdi->u.asIdsOrRanges; - break; - } - } - - /* - * Now walk up the chain. Extensions must be in canonical form, no - * cert may list resources that its parent doesn't list. - */ - for (i++; i < sk_X509_num(chain); i++) { - x = sk_X509_value(chain, i); - OPENSSL_assert(x != NULL); - if (x->rfc3779_asid == NULL) { - if (child_as != NULL || child_rdi != NULL) - validation_err(X509_V_ERR_UNNESTED_RESOURCE); - continue; - } - if (!v3_asid_is_canonical(x->rfc3779_asid)) - validation_err(X509_V_ERR_INVALID_EXTENSION); - if (x->rfc3779_asid->asnum == NULL && child_as != NULL) { - validation_err(X509_V_ERR_UNNESTED_RESOURCE); - child_as = NULL; - inherit_as = 0; - } - if (x->rfc3779_asid->asnum != NULL && - x->rfc3779_asid->asnum->type == ASIdentifierChoice_asIdsOrRanges) { - if (inherit_as || - asid_contains(x->rfc3779_asid->asnum->u.asIdsOrRanges, child_as)) { - child_as = x->rfc3779_asid->asnum->u.asIdsOrRanges; - inherit_as = 0; - } else { - validation_err(X509_V_ERR_UNNESTED_RESOURCE); - } - } - if (x->rfc3779_asid->rdi == NULL && child_rdi != NULL) { - validation_err(X509_V_ERR_UNNESTED_RESOURCE); - child_rdi = NULL; - inherit_rdi = 0; - } - if (x->rfc3779_asid->rdi != NULL && - x->rfc3779_asid->rdi->type == ASIdentifierChoice_asIdsOrRanges) { - if (inherit_rdi || - asid_contains(x->rfc3779_asid->rdi->u.asIdsOrRanges, child_rdi)) { - child_rdi = x->rfc3779_asid->rdi->u.asIdsOrRanges; - inherit_rdi = 0; - } else { - validation_err(X509_V_ERR_UNNESTED_RESOURCE); - } - } - } - - /* - * Trust anchor can't inherit. - */ - OPENSSL_assert(x != NULL); - if (x->rfc3779_asid != NULL) { - if (x->rfc3779_asid->asnum != NULL && - x->rfc3779_asid->asnum->type == ASIdentifierChoice_inherit) - validation_err(X509_V_ERR_UNNESTED_RESOURCE); - if (x->rfc3779_asid->rdi != NULL && - x->rfc3779_asid->rdi->type == ASIdentifierChoice_inherit) - validation_err(X509_V_ERR_UNNESTED_RESOURCE); - } - - done: - return ret; -} - -#undef validation_err - -/* - * RFC 3779 3.3 path validation -- called from X509_verify_cert(). - */ -int v3_asid_validate_path(X509_STORE_CTX *ctx) -{ - return v3_asid_validate_path_internal(ctx, ctx->chain, NULL); -} - -/* - * RFC 3779 3.3 path validation of an extension. - * Test whether chain covers extension. - */ -int v3_asid_validate_resource_set(STACK_OF(X509) *chain, - ASIdentifiers *ext, - int allow_inheritance) -{ - if (ext == NULL) - return 1; - if (chain == NULL || sk_X509_num(chain) == 0) - return 0; - if (!allow_inheritance && v3_asid_inherits(ext)) - return 0; - return v3_asid_validate_path_internal(NULL, chain, ext); -} - -#endif /* OPENSSL_NO_RFC3779 */ diff --git a/openssl/crypto/x509v3/v3_bcons.c b/openssl/crypto/x509v3/v3_bcons.c deleted file mode 100644 index 82aa488f..00000000 --- a/openssl/crypto/x509v3/v3_bcons.c +++ /dev/null @@ -1,124 +0,0 @@ -/* v3_bcons.c */ -/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL - * project 1999. - */ -/* ==================================================================== - * Copyright (c) 1999 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - - -#include <stdio.h> -#include "cryptlib.h" -#include <openssl/asn1.h> -#include <openssl/asn1t.h> -#include <openssl/conf.h> -#include <openssl/x509v3.h> - -static STACK_OF(CONF_VALUE) *i2v_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method, BASIC_CONSTRAINTS *bcons, STACK_OF(CONF_VALUE) *extlist); -static BASIC_CONSTRAINTS *v2i_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values); - -const X509V3_EXT_METHOD v3_bcons = { -NID_basic_constraints, 0, -ASN1_ITEM_ref(BASIC_CONSTRAINTS), -0,0,0,0, -0,0, -(X509V3_EXT_I2V)i2v_BASIC_CONSTRAINTS, -(X509V3_EXT_V2I)v2i_BASIC_CONSTRAINTS, -NULL,NULL, -NULL -}; - -ASN1_SEQUENCE(BASIC_CONSTRAINTS) = { - ASN1_OPT(BASIC_CONSTRAINTS, ca, ASN1_FBOOLEAN), - ASN1_OPT(BASIC_CONSTRAINTS, pathlen, ASN1_INTEGER) -} ASN1_SEQUENCE_END(BASIC_CONSTRAINTS) - -IMPLEMENT_ASN1_FUNCTIONS(BASIC_CONSTRAINTS) - - -static STACK_OF(CONF_VALUE) *i2v_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method, - BASIC_CONSTRAINTS *bcons, STACK_OF(CONF_VALUE) *extlist) -{ - X509V3_add_value_bool("CA", bcons->ca, &extlist); - X509V3_add_value_int("pathlen", bcons->pathlen, &extlist); - return extlist; -} - -static BASIC_CONSTRAINTS *v2i_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method, - X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values) -{ - BASIC_CONSTRAINTS *bcons=NULL; - CONF_VALUE *val; - int i; - if(!(bcons = BASIC_CONSTRAINTS_new())) { - X509V3err(X509V3_F_V2I_BASIC_CONSTRAINTS, ERR_R_MALLOC_FAILURE); - return NULL; - } - for(i = 0; i < sk_CONF_VALUE_num(values); i++) { - val = sk_CONF_VALUE_value(values, i); - if(!strcmp(val->name, "CA")) { - if(!X509V3_get_value_bool(val, &bcons->ca)) goto err; - } else if(!strcmp(val->name, "pathlen")) { - if(!X509V3_get_value_int(val, &bcons->pathlen)) goto err; - } else { - X509V3err(X509V3_F_V2I_BASIC_CONSTRAINTS, X509V3_R_INVALID_NAME); - X509V3_conf_err(val); - goto err; - } - } - return bcons; - err: - BASIC_CONSTRAINTS_free(bcons); - return NULL; -} - diff --git a/openssl/crypto/x509v3/v3_bitst.c b/openssl/crypto/x509v3/v3_bitst.c deleted file mode 100644 index 058d0d4d..00000000 --- a/openssl/crypto/x509v3/v3_bitst.c +++ /dev/null @@ -1,141 +0,0 @@ -/* v3_bitst.c */ -/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL - * project 1999. - */ -/* ==================================================================== - * Copyright (c) 1999 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#include <stdio.h> -#include "cryptlib.h" -#include <openssl/conf.h> -#include <openssl/x509v3.h> - -static BIT_STRING_BITNAME ns_cert_type_table[] = { -{0, "SSL Client", "client"}, -{1, "SSL Server", "server"}, -{2, "S/MIME", "email"}, -{3, "Object Signing", "objsign"}, -{4, "Unused", "reserved"}, -{5, "SSL CA", "sslCA"}, -{6, "S/MIME CA", "emailCA"}, -{7, "Object Signing CA", "objCA"}, -{-1, NULL, NULL} -}; - -static BIT_STRING_BITNAME key_usage_type_table[] = { -{0, "Digital Signature", "digitalSignature"}, -{1, "Non Repudiation", "nonRepudiation"}, -{2, "Key Encipherment", "keyEncipherment"}, -{3, "Data Encipherment", "dataEncipherment"}, -{4, "Key Agreement", "keyAgreement"}, -{5, "Certificate Sign", "keyCertSign"}, -{6, "CRL Sign", "cRLSign"}, -{7, "Encipher Only", "encipherOnly"}, -{8, "Decipher Only", "decipherOnly"}, -{-1, NULL, NULL} -}; - - - -const X509V3_EXT_METHOD v3_nscert = EXT_BITSTRING(NID_netscape_cert_type, ns_cert_type_table); -const X509V3_EXT_METHOD v3_key_usage = EXT_BITSTRING(NID_key_usage, key_usage_type_table); - -STACK_OF(CONF_VALUE) *i2v_ASN1_BIT_STRING(X509V3_EXT_METHOD *method, - ASN1_BIT_STRING *bits, STACK_OF(CONF_VALUE) *ret) -{ - BIT_STRING_BITNAME *bnam; - for(bnam =method->usr_data; bnam->lname; bnam++) { - if(ASN1_BIT_STRING_get_bit(bits, bnam->bitnum)) - X509V3_add_value(bnam->lname, NULL, &ret); - } - return ret; -} - -ASN1_BIT_STRING *v2i_ASN1_BIT_STRING(X509V3_EXT_METHOD *method, - X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval) -{ - CONF_VALUE *val; - ASN1_BIT_STRING *bs; - int i; - BIT_STRING_BITNAME *bnam; - if(!(bs = M_ASN1_BIT_STRING_new())) { - X509V3err(X509V3_F_V2I_ASN1_BIT_STRING,ERR_R_MALLOC_FAILURE); - return NULL; - } - for(i = 0; i < sk_CONF_VALUE_num(nval); i++) { - val = sk_CONF_VALUE_value(nval, i); - for(bnam = method->usr_data; bnam->lname; bnam++) { - if(!strcmp(bnam->sname, val->name) || - !strcmp(bnam->lname, val->name) ) { - if(!ASN1_BIT_STRING_set_bit(bs, bnam->bitnum, 1)) { - X509V3err(X509V3_F_V2I_ASN1_BIT_STRING, - ERR_R_MALLOC_FAILURE); - M_ASN1_BIT_STRING_free(bs); - return NULL; - } - break; - } - } - if(!bnam->lname) { - X509V3err(X509V3_F_V2I_ASN1_BIT_STRING, - X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT); - X509V3_conf_err(val); - M_ASN1_BIT_STRING_free(bs); - return NULL; - } - } - return bs; -} - - diff --git a/openssl/crypto/x509v3/v3_conf.c b/openssl/crypto/x509v3/v3_conf.c deleted file mode 100644 index 6730f9a6..00000000 --- a/openssl/crypto/x509v3/v3_conf.c +++ /dev/null @@ -1,525 +0,0 @@ -/* v3_conf.c */ -/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL - * project 1999. - */ -/* ==================================================================== - * Copyright (c) 1999-2002 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ -/* extension creation utilities */ - - - -#include <stdio.h> -#include <ctype.h> -#include "cryptlib.h" -#include <openssl/conf.h> -#include <openssl/x509.h> -#include <openssl/x509v3.h> - -static int v3_check_critical(char **value); -static int v3_check_generic(char **value); -static X509_EXTENSION *do_ext_nconf(CONF *conf, X509V3_CTX *ctx, int ext_nid, int crit, char *value); -static X509_EXTENSION *v3_generic_extension(const char *ext, char *value, int crit, int type, X509V3_CTX *ctx); -static char *conf_lhash_get_string(void *db, char *section, char *value); -static STACK_OF(CONF_VALUE) *conf_lhash_get_section(void *db, char *section); -static X509_EXTENSION *do_ext_i2d(const X509V3_EXT_METHOD *method, int ext_nid, - int crit, void *ext_struc); -static unsigned char *generic_asn1(char *value, X509V3_CTX *ctx, long *ext_len); -/* CONF *conf: Config file */ -/* char *name: Name */ -/* char *value: Value */ -X509_EXTENSION *X509V3_EXT_nconf(CONF *conf, X509V3_CTX *ctx, char *name, - char *value) - { - int crit; - int ext_type; - X509_EXTENSION *ret; - crit = v3_check_critical(&value); - if ((ext_type = v3_check_generic(&value))) - return v3_generic_extension(name, value, crit, ext_type, ctx); - ret = do_ext_nconf(conf, ctx, OBJ_sn2nid(name), crit, value); - if (!ret) - { - X509V3err(X509V3_F_X509V3_EXT_NCONF,X509V3_R_ERROR_IN_EXTENSION); - ERR_add_error_data(4,"name=", name, ", value=", value); - } - return ret; - } - -/* CONF *conf: Config file */ -/* char *value: Value */ -X509_EXTENSION *X509V3_EXT_nconf_nid(CONF *conf, X509V3_CTX *ctx, int ext_nid, - char *value) - { - int crit; - int ext_type; - crit = v3_check_critical(&value); - if ((ext_type = v3_check_generic(&value))) - return v3_generic_extension(OBJ_nid2sn(ext_nid), - value, crit, ext_type, ctx); - return do_ext_nconf(conf, ctx, ext_nid, crit, value); - } - -/* CONF *conf: Config file */ -/* char *value: Value */ -static X509_EXTENSION *do_ext_nconf(CONF *conf, X509V3_CTX *ctx, int ext_nid, - int crit, char *value) - { - const X509V3_EXT_METHOD *method; - X509_EXTENSION *ext; - STACK_OF(CONF_VALUE) *nval; - void *ext_struc; - if (ext_nid == NID_undef) - { - X509V3err(X509V3_F_DO_EXT_NCONF,X509V3_R_UNKNOWN_EXTENSION_NAME); - return NULL; - } - if (!(method = X509V3_EXT_get_nid(ext_nid))) - { - X509V3err(X509V3_F_DO_EXT_NCONF,X509V3_R_UNKNOWN_EXTENSION); - return NULL; - } - /* Now get internal extension representation based on type */ - if (method->v2i) - { - if(*value == '@') nval = NCONF_get_section(conf, value + 1); - else nval = X509V3_parse_list(value); - if(sk_CONF_VALUE_num(nval) <= 0) - { - X509V3err(X509V3_F_DO_EXT_NCONF,X509V3_R_INVALID_EXTENSION_STRING); - ERR_add_error_data(4, "name=", OBJ_nid2sn(ext_nid), ",section=", value); - return NULL; - } - ext_struc = method->v2i(method, ctx, nval); - if(*value != '@') sk_CONF_VALUE_pop_free(nval, - X509V3_conf_free); - if(!ext_struc) return NULL; - } - else if(method->s2i) - { - if(!(ext_struc = method->s2i(method, ctx, value))) return NULL; - } - else if(method->r2i) - { - if(!ctx->db || !ctx->db_meth) - { - X509V3err(X509V3_F_DO_EXT_NCONF,X509V3_R_NO_CONFIG_DATABASE); - return NULL; - } - if(!(ext_struc = method->r2i(method, ctx, value))) return NULL; - } - else - { - X509V3err(X509V3_F_DO_EXT_NCONF,X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED); - ERR_add_error_data(2, "name=", OBJ_nid2sn(ext_nid)); - return NULL; - } - - ext = do_ext_i2d(method, ext_nid, crit, ext_struc); - if(method->it) ASN1_item_free(ext_struc, ASN1_ITEM_ptr(method->it)); - else method->ext_free(ext_struc); - return ext; - - } - -static X509_EXTENSION *do_ext_i2d(const X509V3_EXT_METHOD *method, int ext_nid, - int crit, void *ext_struc) - { - unsigned char *ext_der; - int ext_len; - ASN1_OCTET_STRING *ext_oct; - X509_EXTENSION *ext; - /* Convert internal representation to DER */ - if (method->it) - { - ext_der = NULL; - ext_len = ASN1_item_i2d(ext_struc, &ext_der, ASN1_ITEM_ptr(method->it)); - if (ext_len < 0) goto merr; - } - else - { - unsigned char *p; - ext_len = method->i2d(ext_struc, NULL); - if(!(ext_der = OPENSSL_malloc(ext_len))) goto merr; - p = ext_der; - method->i2d(ext_struc, &p); - } - if (!(ext_oct = M_ASN1_OCTET_STRING_new())) goto merr; - ext_oct->data = ext_der; - ext_oct->length = ext_len; - - ext = X509_EXTENSION_create_by_NID(NULL, ext_nid, crit, ext_oct); - if (!ext) goto merr; - M_ASN1_OCTET_STRING_free(ext_oct); - - return ext; - - merr: - X509V3err(X509V3_F_DO_EXT_I2D,ERR_R_MALLOC_FAILURE); - return NULL; - - } - -/* Given an internal structure, nid and critical flag create an extension */ - -X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, void *ext_struc) - { - const X509V3_EXT_METHOD *method; - if (!(method = X509V3_EXT_get_nid(ext_nid))) { - X509V3err(X509V3_F_X509V3_EXT_I2D,X509V3_R_UNKNOWN_EXTENSION); - return NULL; - } - return do_ext_i2d(method, ext_nid, crit, ext_struc); -} - -/* Check the extension string for critical flag */ -static int v3_check_critical(char **value) -{ - char *p = *value; - if ((strlen(p) < 9) || strncmp(p, "critical,", 9)) return 0; - p+=9; - while(isspace((unsigned char)*p)) p++; - *value = p; - return 1; -} - -/* Check extension string for generic extension and return the type */ -static int v3_check_generic(char **value) -{ - int gen_type = 0; - char *p = *value; - if ((strlen(p) >= 4) && !strncmp(p, "DER:", 4)) - { - p+=4; - gen_type = 1; - } - else if ((strlen(p) >= 5) && !strncmp(p, "ASN1:", 5)) - { - p+=5; - gen_type = 2; - } - else - return 0; - - while (isspace((unsigned char)*p)) p++; - *value = p; - return gen_type; -} - -/* Create a generic extension: for now just handle DER type */ -static X509_EXTENSION *v3_generic_extension(const char *ext, char *value, - int crit, int gen_type, - X509V3_CTX *ctx) - { - unsigned char *ext_der=NULL; - long ext_len; - ASN1_OBJECT *obj=NULL; - ASN1_OCTET_STRING *oct=NULL; - X509_EXTENSION *extension=NULL; - if (!(obj = OBJ_txt2obj(ext, 0))) - { - X509V3err(X509V3_F_V3_GENERIC_EXTENSION,X509V3_R_EXTENSION_NAME_ERROR); - ERR_add_error_data(2, "name=", ext); - goto err; - } - - if (gen_type == 1) - ext_der = string_to_hex(value, &ext_len); - else if (gen_type == 2) - ext_der = generic_asn1(value, ctx, &ext_len); - - if (ext_der == NULL) - { - X509V3err(X509V3_F_V3_GENERIC_EXTENSION,X509V3_R_EXTENSION_VALUE_ERROR); - ERR_add_error_data(2, "value=", value); - goto err; - } - - if (!(oct = M_ASN1_OCTET_STRING_new())) - { - X509V3err(X509V3_F_V3_GENERIC_EXTENSION,ERR_R_MALLOC_FAILURE); - goto err; - } - - oct->data = ext_der; - oct->length = ext_len; - ext_der = NULL; - - extension = X509_EXTENSION_create_by_OBJ(NULL, obj, crit, oct); - - err: - ASN1_OBJECT_free(obj); - M_ASN1_OCTET_STRING_free(oct); - if(ext_der) OPENSSL_free(ext_der); - return extension; - - } - -static unsigned char *generic_asn1(char *value, X509V3_CTX *ctx, long *ext_len) - { - ASN1_TYPE *typ; - unsigned char *ext_der = NULL; - typ = ASN1_generate_v3(value, ctx); - if (typ == NULL) - return NULL; - *ext_len = i2d_ASN1_TYPE(typ, &ext_der); - ASN1_TYPE_free(typ); - return ext_der; - } - -/* This is the main function: add a bunch of extensions based on a config file - * section to an extension STACK. - */ - - -int X509V3_EXT_add_nconf_sk(CONF *conf, X509V3_CTX *ctx, char *section, - STACK_OF(X509_EXTENSION) **sk) - { - X509_EXTENSION *ext; - STACK_OF(CONF_VALUE) *nval; - CONF_VALUE *val; - int i; - if (!(nval = NCONF_get_section(conf, section))) return 0; - for (i = 0; i < sk_CONF_VALUE_num(nval); i++) - { - val = sk_CONF_VALUE_value(nval, i); - if (!(ext = X509V3_EXT_nconf(conf, ctx, val->name, val->value))) - return 0; - if (sk) X509v3_add_ext(sk, ext, -1); - X509_EXTENSION_free(ext); - } - return 1; - } - -/* Convenience functions to add extensions to a certificate, CRL and request */ - -int X509V3_EXT_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section, - X509 *cert) - { - STACK_OF(X509_EXTENSION) **sk = NULL; - if (cert) - sk = &cert->cert_info->extensions; - return X509V3_EXT_add_nconf_sk(conf, ctx, section, sk); - } - -/* Same as above but for a CRL */ - -int X509V3_EXT_CRL_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section, - X509_CRL *crl) - { - STACK_OF(X509_EXTENSION) **sk = NULL; - if (crl) - sk = &crl->crl->extensions; - return X509V3_EXT_add_nconf_sk(conf, ctx, section, sk); - } - -/* Add extensions to certificate request */ - -int X509V3_EXT_REQ_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section, - X509_REQ *req) - { - STACK_OF(X509_EXTENSION) *extlist = NULL, **sk = NULL; - int i; - if (req) - sk = &extlist; - i = X509V3_EXT_add_nconf_sk(conf, ctx, section, sk); - if (!i || !sk) - return i; - i = X509_REQ_add_extensions(req, extlist); - sk_X509_EXTENSION_pop_free(extlist, X509_EXTENSION_free); - return i; - } - -/* Config database functions */ - -char * X509V3_get_string(X509V3_CTX *ctx, char *name, char *section) - { - if(!ctx->db || !ctx->db_meth || !ctx->db_meth->get_string) - { - X509V3err(X509V3_F_X509V3_GET_STRING,X509V3_R_OPERATION_NOT_DEFINED); - return NULL; - } - if (ctx->db_meth->get_string) - return ctx->db_meth->get_string(ctx->db, name, section); - return NULL; - } - -STACK_OF(CONF_VALUE) * X509V3_get_section(X509V3_CTX *ctx, char *section) - { - if(!ctx->db || !ctx->db_meth || !ctx->db_meth->get_section) - { - X509V3err(X509V3_F_X509V3_GET_SECTION,X509V3_R_OPERATION_NOT_DEFINED); - return NULL; - } - if (ctx->db_meth->get_section) - return ctx->db_meth->get_section(ctx->db, section); - return NULL; - } - -void X509V3_string_free(X509V3_CTX *ctx, char *str) - { - if (!str) return; - if (ctx->db_meth->free_string) - ctx->db_meth->free_string(ctx->db, str); - } - -void X509V3_section_free(X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *section) - { - if (!section) return; - if (ctx->db_meth->free_section) - ctx->db_meth->free_section(ctx->db, section); - } - -static char *nconf_get_string(void *db, char *section, char *value) - { - return NCONF_get_string(db, section, value); - } - -static STACK_OF(CONF_VALUE) *nconf_get_section(void *db, char *section) - { - return NCONF_get_section(db, section); - } - -static X509V3_CONF_METHOD nconf_method = { -nconf_get_string, -nconf_get_section, -NULL, -NULL -}; - -void X509V3_set_nconf(X509V3_CTX *ctx, CONF *conf) - { - ctx->db_meth = &nconf_method; - ctx->db = conf; - } - -void X509V3_set_ctx(X509V3_CTX *ctx, X509 *issuer, X509 *subj, X509_REQ *req, - X509_CRL *crl, int flags) - { - ctx->issuer_cert = issuer; - ctx->subject_cert = subj; - ctx->crl = crl; - ctx->subject_req = req; - ctx->flags = flags; - } - -/* Old conf compatibility functions */ - -X509_EXTENSION *X509V3_EXT_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx, - char *name, char *value) - { - CONF ctmp; - CONF_set_nconf(&ctmp, conf); - return X509V3_EXT_nconf(&ctmp, ctx, name, value); - } - -/* LHASH *conf: Config file */ -/* char *value: Value */ -X509_EXTENSION *X509V3_EXT_conf_nid(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx, - int ext_nid, char *value) - { - CONF ctmp; - CONF_set_nconf(&ctmp, conf); - return X509V3_EXT_nconf_nid(&ctmp, ctx, ext_nid, value); - } - -static char *conf_lhash_get_string(void *db, char *section, char *value) - { - return CONF_get_string(db, section, value); - } - -static STACK_OF(CONF_VALUE) *conf_lhash_get_section(void *db, char *section) - { - return CONF_get_section(db, section); - } - -static X509V3_CONF_METHOD conf_lhash_method = { -conf_lhash_get_string, -conf_lhash_get_section, -NULL, -NULL -}; - -void X509V3_set_conf_lhash(X509V3_CTX *ctx, LHASH_OF(CONF_VALUE) *lhash) - { - ctx->db_meth = &conf_lhash_method; - ctx->db = lhash; - } - -int X509V3_EXT_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx, - char *section, X509 *cert) - { - CONF ctmp; - CONF_set_nconf(&ctmp, conf); - return X509V3_EXT_add_nconf(&ctmp, ctx, section, cert); - } - -/* Same as above but for a CRL */ - -int X509V3_EXT_CRL_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx, - char *section, X509_CRL *crl) - { - CONF ctmp; - CONF_set_nconf(&ctmp, conf); - return X509V3_EXT_CRL_add_nconf(&ctmp, ctx, section, crl); - } - -/* Add extensions to certificate request */ - -int X509V3_EXT_REQ_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx, - char *section, X509_REQ *req) - { - CONF ctmp; - CONF_set_nconf(&ctmp, conf); - return X509V3_EXT_REQ_add_nconf(&ctmp, ctx, section, req); - } diff --git a/openssl/crypto/x509v3/v3_cpols.c b/openssl/crypto/x509v3/v3_cpols.c deleted file mode 100644 index 1f0798b9..00000000 --- a/openssl/crypto/x509v3/v3_cpols.c +++ /dev/null @@ -1,457 +0,0 @@ -/* v3_cpols.c */ -/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL - * project 1999. - */ -/* ==================================================================== - * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#include <stdio.h> -#include "cryptlib.h" -#include <openssl/conf.h> -#include <openssl/asn1.h> -#include <openssl/asn1t.h> -#include <openssl/x509v3.h> - -#include "pcy_int.h" - -/* Certificate policies extension support: this one is a bit complex... */ - -static int i2r_certpol(X509V3_EXT_METHOD *method, STACK_OF(POLICYINFO) *pol, BIO *out, int indent); -static STACK_OF(POLICYINFO) *r2i_certpol(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *value); -static void print_qualifiers(BIO *out, STACK_OF(POLICYQUALINFO) *quals, int indent); -static void print_notice(BIO *out, USERNOTICE *notice, int indent); -static POLICYINFO *policy_section(X509V3_CTX *ctx, - STACK_OF(CONF_VALUE) *polstrs, int ia5org); -static POLICYQUALINFO *notice_section(X509V3_CTX *ctx, - STACK_OF(CONF_VALUE) *unot, int ia5org); -static int nref_nos(STACK_OF(ASN1_INTEGER) *nnums, STACK_OF(CONF_VALUE) *nos); - -const X509V3_EXT_METHOD v3_cpols = { -NID_certificate_policies, 0,ASN1_ITEM_ref(CERTIFICATEPOLICIES), -0,0,0,0, -0,0, -0,0, -(X509V3_EXT_I2R)i2r_certpol, -(X509V3_EXT_R2I)r2i_certpol, -NULL -}; - -ASN1_ITEM_TEMPLATE(CERTIFICATEPOLICIES) = - ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, CERTIFICATEPOLICIES, POLICYINFO) -ASN1_ITEM_TEMPLATE_END(CERTIFICATEPOLICIES) - -IMPLEMENT_ASN1_FUNCTIONS(CERTIFICATEPOLICIES) - -ASN1_SEQUENCE(POLICYINFO) = { - ASN1_SIMPLE(POLICYINFO, policyid, ASN1_OBJECT), - ASN1_SEQUENCE_OF_OPT(POLICYINFO, qualifiers, POLICYQUALINFO) -} ASN1_SEQUENCE_END(POLICYINFO) - -IMPLEMENT_ASN1_FUNCTIONS(POLICYINFO) - -ASN1_ADB_TEMPLATE(policydefault) = ASN1_SIMPLE(POLICYQUALINFO, d.other, ASN1_ANY); - -ASN1_ADB(POLICYQUALINFO) = { - ADB_ENTRY(NID_id_qt_cps, ASN1_SIMPLE(POLICYQUALINFO, d.cpsuri, ASN1_IA5STRING)), - ADB_ENTRY(NID_id_qt_unotice, ASN1_SIMPLE(POLICYQUALINFO, d.usernotice, USERNOTICE)) -} ASN1_ADB_END(POLICYQUALINFO, 0, pqualid, 0, &policydefault_tt, NULL); - -ASN1_SEQUENCE(POLICYQUALINFO) = { - ASN1_SIMPLE(POLICYQUALINFO, pqualid, ASN1_OBJECT), - ASN1_ADB_OBJECT(POLICYQUALINFO) -} ASN1_SEQUENCE_END(POLICYQUALINFO) - -IMPLEMENT_ASN1_FUNCTIONS(POLICYQUALINFO) - -ASN1_SEQUENCE(USERNOTICE) = { - ASN1_OPT(USERNOTICE, noticeref, NOTICEREF), - ASN1_OPT(USERNOTICE, exptext, DISPLAYTEXT) -} ASN1_SEQUENCE_END(USERNOTICE) - -IMPLEMENT_ASN1_FUNCTIONS(USERNOTICE) - -ASN1_SEQUENCE(NOTICEREF) = { - ASN1_SIMPLE(NOTICEREF, organization, DISPLAYTEXT), - ASN1_SEQUENCE_OF(NOTICEREF, noticenos, ASN1_INTEGER) -} ASN1_SEQUENCE_END(NOTICEREF) - -IMPLEMENT_ASN1_FUNCTIONS(NOTICEREF) - -static STACK_OF(POLICYINFO) *r2i_certpol(X509V3_EXT_METHOD *method, - X509V3_CTX *ctx, char *value) -{ - STACK_OF(POLICYINFO) *pols = NULL; - char *pstr; - POLICYINFO *pol; - ASN1_OBJECT *pobj; - STACK_OF(CONF_VALUE) *vals; - CONF_VALUE *cnf; - int i, ia5org; - pols = sk_POLICYINFO_new_null(); - if (pols == NULL) { - X509V3err(X509V3_F_R2I_CERTPOL, ERR_R_MALLOC_FAILURE); - return NULL; - } - vals = X509V3_parse_list(value); - if (vals == NULL) { - X509V3err(X509V3_F_R2I_CERTPOL, ERR_R_X509V3_LIB); - goto err; - } - ia5org = 0; - for(i = 0; i < sk_CONF_VALUE_num(vals); i++) { - cnf = sk_CONF_VALUE_value(vals, i); - if(cnf->value || !cnf->name ) { - X509V3err(X509V3_F_R2I_CERTPOL,X509V3_R_INVALID_POLICY_IDENTIFIER); - X509V3_conf_err(cnf); - goto err; - } - pstr = cnf->name; - if(!strcmp(pstr,"ia5org")) { - ia5org = 1; - continue; - } else if(*pstr == '@') { - STACK_OF(CONF_VALUE) *polsect; - polsect = X509V3_get_section(ctx, pstr + 1); - if(!polsect) { - X509V3err(X509V3_F_R2I_CERTPOL,X509V3_R_INVALID_SECTION); - - X509V3_conf_err(cnf); - goto err; - } - pol = policy_section(ctx, polsect, ia5org); - X509V3_section_free(ctx, polsect); - if(!pol) goto err; - } else { - if(!(pobj = OBJ_txt2obj(cnf->name, 0))) { - X509V3err(X509V3_F_R2I_CERTPOL,X509V3_R_INVALID_OBJECT_IDENTIFIER); - X509V3_conf_err(cnf); - goto err; - } - pol = POLICYINFO_new(); - pol->policyid = pobj; - } - if (!sk_POLICYINFO_push(pols, pol)){ - POLICYINFO_free(pol); - X509V3err(X509V3_F_R2I_CERTPOL, ERR_R_MALLOC_FAILURE); - goto err; - } - } - sk_CONF_VALUE_pop_free(vals, X509V3_conf_free); - return pols; - err: - sk_CONF_VALUE_pop_free(vals, X509V3_conf_free); - sk_POLICYINFO_pop_free(pols, POLICYINFO_free); - return NULL; -} - -static POLICYINFO *policy_section(X509V3_CTX *ctx, - STACK_OF(CONF_VALUE) *polstrs, int ia5org) -{ - int i; - CONF_VALUE *cnf; - POLICYINFO *pol; - POLICYQUALINFO *qual; - if(!(pol = POLICYINFO_new())) goto merr; - for(i = 0; i < sk_CONF_VALUE_num(polstrs); i++) { - cnf = sk_CONF_VALUE_value(polstrs, i); - if(!strcmp(cnf->name, "policyIdentifier")) { - ASN1_OBJECT *pobj; - if(!(pobj = OBJ_txt2obj(cnf->value, 0))) { - X509V3err(X509V3_F_POLICY_SECTION,X509V3_R_INVALID_OBJECT_IDENTIFIER); - X509V3_conf_err(cnf); - goto err; - } - pol->policyid = pobj; - - } else if(!name_cmp(cnf->name, "CPS")) { - if(!pol->qualifiers) pol->qualifiers = - sk_POLICYQUALINFO_new_null(); - if(!(qual = POLICYQUALINFO_new())) goto merr; - if(!sk_POLICYQUALINFO_push(pol->qualifiers, qual)) - goto merr; - qual->pqualid = OBJ_nid2obj(NID_id_qt_cps); - qual->d.cpsuri = M_ASN1_IA5STRING_new(); - if(!ASN1_STRING_set(qual->d.cpsuri, cnf->value, - strlen(cnf->value))) goto merr; - } else if(!name_cmp(cnf->name, "userNotice")) { - STACK_OF(CONF_VALUE) *unot; - if(*cnf->value != '@') { - X509V3err(X509V3_F_POLICY_SECTION,X509V3_R_EXPECTED_A_SECTION_NAME); - X509V3_conf_err(cnf); - goto err; - } - unot = X509V3_get_section(ctx, cnf->value + 1); - if(!unot) { - X509V3err(X509V3_F_POLICY_SECTION,X509V3_R_INVALID_SECTION); - - X509V3_conf_err(cnf); - goto err; - } - qual = notice_section(ctx, unot, ia5org); - X509V3_section_free(ctx, unot); - if(!qual) goto err; - if(!pol->qualifiers) pol->qualifiers = - sk_POLICYQUALINFO_new_null(); - if(!sk_POLICYQUALINFO_push(pol->qualifiers, qual)) - goto merr; - } else { - X509V3err(X509V3_F_POLICY_SECTION,X509V3_R_INVALID_OPTION); - - X509V3_conf_err(cnf); - goto err; - } - } - if(!pol->policyid) { - X509V3err(X509V3_F_POLICY_SECTION,X509V3_R_NO_POLICY_IDENTIFIER); - goto err; - } - - return pol; - - merr: - X509V3err(X509V3_F_POLICY_SECTION,ERR_R_MALLOC_FAILURE); - - err: - POLICYINFO_free(pol); - return NULL; - - -} - -static POLICYQUALINFO *notice_section(X509V3_CTX *ctx, - STACK_OF(CONF_VALUE) *unot, int ia5org) -{ - int i, ret; - CONF_VALUE *cnf; - USERNOTICE *not; - POLICYQUALINFO *qual; - if(!(qual = POLICYQUALINFO_new())) goto merr; - qual->pqualid = OBJ_nid2obj(NID_id_qt_unotice); - if(!(not = USERNOTICE_new())) goto merr; - qual->d.usernotice = not; - for(i = 0; i < sk_CONF_VALUE_num(unot); i++) { - cnf = sk_CONF_VALUE_value(unot, i); - if(!strcmp(cnf->name, "explicitText")) { - not->exptext = M_ASN1_VISIBLESTRING_new(); - if(!ASN1_STRING_set(not->exptext, cnf->value, - strlen(cnf->value))) goto merr; - } else if(!strcmp(cnf->name, "organization")) { - NOTICEREF *nref; - if(!not->noticeref) { - if(!(nref = NOTICEREF_new())) goto merr; - not->noticeref = nref; - } else nref = not->noticeref; - if(ia5org) nref->organization->type = V_ASN1_IA5STRING; - else nref->organization->type = V_ASN1_VISIBLESTRING; - if(!ASN1_STRING_set(nref->organization, cnf->value, - strlen(cnf->value))) goto merr; - } else if(!strcmp(cnf->name, "noticeNumbers")) { - NOTICEREF *nref; - STACK_OF(CONF_VALUE) *nos; - if(!not->noticeref) { - if(!(nref = NOTICEREF_new())) goto merr; - not->noticeref = nref; - } else nref = not->noticeref; - nos = X509V3_parse_list(cnf->value); - if(!nos || !sk_CONF_VALUE_num(nos)) { - X509V3err(X509V3_F_NOTICE_SECTION,X509V3_R_INVALID_NUMBERS); - X509V3_conf_err(cnf); - goto err; - } - ret = nref_nos(nref->noticenos, nos); - sk_CONF_VALUE_pop_free(nos, X509V3_conf_free); - if (!ret) - goto err; - } else { - X509V3err(X509V3_F_NOTICE_SECTION,X509V3_R_INVALID_OPTION); - X509V3_conf_err(cnf); - goto err; - } - } - - if(not->noticeref && - (!not->noticeref->noticenos || !not->noticeref->organization)) { - X509V3err(X509V3_F_NOTICE_SECTION,X509V3_R_NEED_ORGANIZATION_AND_NUMBERS); - goto err; - } - - return qual; - - merr: - X509V3err(X509V3_F_NOTICE_SECTION,ERR_R_MALLOC_FAILURE); - - err: - POLICYQUALINFO_free(qual); - return NULL; -} - -static int nref_nos(STACK_OF(ASN1_INTEGER) *nnums, STACK_OF(CONF_VALUE) *nos) -{ - CONF_VALUE *cnf; - ASN1_INTEGER *aint; - - int i; - - for(i = 0; i < sk_CONF_VALUE_num(nos); i++) { - cnf = sk_CONF_VALUE_value(nos, i); - if(!(aint = s2i_ASN1_INTEGER(NULL, cnf->name))) { - X509V3err(X509V3_F_NREF_NOS,X509V3_R_INVALID_NUMBER); - goto err; - } - if(!sk_ASN1_INTEGER_push(nnums, aint)) goto merr; - } - return 1; - - merr: - X509V3err(X509V3_F_NREF_NOS,ERR_R_MALLOC_FAILURE); - - err: - sk_ASN1_INTEGER_pop_free(nnums, ASN1_STRING_free); - return 0; -} - - -static int i2r_certpol(X509V3_EXT_METHOD *method, STACK_OF(POLICYINFO) *pol, - BIO *out, int indent) -{ - int i; - POLICYINFO *pinfo; - /* First print out the policy OIDs */ - for(i = 0; i < sk_POLICYINFO_num(pol); i++) { - pinfo = sk_POLICYINFO_value(pol, i); - BIO_printf(out, "%*sPolicy: ", indent, ""); - i2a_ASN1_OBJECT(out, pinfo->policyid); - BIO_puts(out, "\n"); - if(pinfo->qualifiers) - print_qualifiers(out, pinfo->qualifiers, indent + 2); - } - return 1; -} - -static void print_qualifiers(BIO *out, STACK_OF(POLICYQUALINFO) *quals, - int indent) -{ - POLICYQUALINFO *qualinfo; - int i; - for(i = 0; i < sk_POLICYQUALINFO_num(quals); i++) { - qualinfo = sk_POLICYQUALINFO_value(quals, i); - switch(OBJ_obj2nid(qualinfo->pqualid)) - { - case NID_id_qt_cps: - BIO_printf(out, "%*sCPS: %s\n", indent, "", - qualinfo->d.cpsuri->data); - break; - - case NID_id_qt_unotice: - BIO_printf(out, "%*sUser Notice:\n", indent, ""); - print_notice(out, qualinfo->d.usernotice, indent + 2); - break; - - default: - BIO_printf(out, "%*sUnknown Qualifier: ", - indent + 2, ""); - - i2a_ASN1_OBJECT(out, qualinfo->pqualid); - BIO_puts(out, "\n"); - break; - } - } -} - -static void print_notice(BIO *out, USERNOTICE *notice, int indent) -{ - int i; - if(notice->noticeref) { - NOTICEREF *ref; - ref = notice->noticeref; - BIO_printf(out, "%*sOrganization: %s\n", indent, "", - ref->organization->data); - BIO_printf(out, "%*sNumber%s: ", indent, "", - sk_ASN1_INTEGER_num(ref->noticenos) > 1 ? "s" : ""); - for(i = 0; i < sk_ASN1_INTEGER_num(ref->noticenos); i++) { - ASN1_INTEGER *num; - char *tmp; - num = sk_ASN1_INTEGER_value(ref->noticenos, i); - if(i) BIO_puts(out, ", "); - tmp = i2s_ASN1_INTEGER(NULL, num); - BIO_puts(out, tmp); - OPENSSL_free(tmp); - } - BIO_puts(out, "\n"); - } - if(notice->exptext) - BIO_printf(out, "%*sExplicit Text: %s\n", indent, "", - notice->exptext->data); -} - -void X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent) - { - const X509_POLICY_DATA *dat = node->data; - - BIO_printf(out, "%*sPolicy: ", indent, ""); - - i2a_ASN1_OBJECT(out, dat->valid_policy); - BIO_puts(out, "\n"); - BIO_printf(out, "%*s%s\n", indent + 2, "", - node_data_critical(dat) ? "Critical" : "Non Critical"); - if (dat->qualifier_set) - print_qualifiers(out, dat->qualifier_set, indent + 2); - else - BIO_printf(out, "%*sNo Qualifiers\n", indent + 2, ""); - } - - -IMPLEMENT_STACK_OF(X509_POLICY_NODE) -IMPLEMENT_STACK_OF(X509_POLICY_DATA) - diff --git a/openssl/crypto/x509v3/v3_crld.c b/openssl/crypto/x509v3/v3_crld.c deleted file mode 100644 index 790a6dd0..00000000 --- a/openssl/crypto/x509v3/v3_crld.c +++ /dev/null @@ -1,616 +0,0 @@ -/* v3_crld.c */ -/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL - * project 1999. - */ -/* ==================================================================== - * Copyright (c) 1999-2008 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#include <stdio.h> -#include "cryptlib.h" -#include <openssl/conf.h> -#include <openssl/asn1.h> -#include <openssl/asn1t.h> -#include <openssl/x509v3.h> - -static void *v2i_crld(const X509V3_EXT_METHOD *method, - X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval); -static int i2r_crldp(const X509V3_EXT_METHOD *method, void *pcrldp, BIO *out, - int indent); - -const X509V3_EXT_METHOD v3_crld = - { - NID_crl_distribution_points, 0, ASN1_ITEM_ref(CRL_DIST_POINTS), - 0,0,0,0, - 0,0, - 0, - v2i_crld, - i2r_crldp,0, - NULL - }; - -const X509V3_EXT_METHOD v3_freshest_crl = - { - NID_freshest_crl, 0, ASN1_ITEM_ref(CRL_DIST_POINTS), - 0,0,0,0, - 0,0, - 0, - v2i_crld, - i2r_crldp,0, - NULL - }; - -static STACK_OF(GENERAL_NAME) *gnames_from_sectname(X509V3_CTX *ctx, char *sect) - { - STACK_OF(CONF_VALUE) *gnsect; - STACK_OF(GENERAL_NAME) *gens; - if (*sect == '@') - gnsect = X509V3_get_section(ctx, sect + 1); - else - gnsect = X509V3_parse_list(sect); - if (!gnsect) - { - X509V3err(X509V3_F_GNAMES_FROM_SECTNAME, - X509V3_R_SECTION_NOT_FOUND); - return NULL; - } - gens = v2i_GENERAL_NAMES(NULL, ctx, gnsect); - if (*sect == '@') - X509V3_section_free(ctx, gnsect); - else - sk_CONF_VALUE_pop_free(gnsect, X509V3_conf_free); - return gens; - } - -static int set_dist_point_name(DIST_POINT_NAME **pdp, X509V3_CTX *ctx, - CONF_VALUE *cnf) - { - STACK_OF(GENERAL_NAME) *fnm = NULL; - STACK_OF(X509_NAME_ENTRY) *rnm = NULL; - if (!strncmp(cnf->name, "fullname", 9)) - { - fnm = gnames_from_sectname(ctx, cnf->value); - if (!fnm) - goto err; - } - else if (!strcmp(cnf->name, "relativename")) - { - int ret; - STACK_OF(CONF_VALUE) *dnsect; - X509_NAME *nm; - nm = X509_NAME_new(); - if (!nm) - return -1; - dnsect = X509V3_get_section(ctx, cnf->value); - if (!dnsect) - { - X509V3err(X509V3_F_SET_DIST_POINT_NAME, - X509V3_R_SECTION_NOT_FOUND); - return -1; - } - ret = X509V3_NAME_from_section(nm, dnsect, MBSTRING_ASC); - X509V3_section_free(ctx, dnsect); - rnm = nm->entries; - nm->entries = NULL; - X509_NAME_free(nm); - if (!ret || sk_X509_NAME_ENTRY_num(rnm) <= 0) - goto err; - /* Since its a name fragment can't have more than one - * RDNSequence - */ - if (sk_X509_NAME_ENTRY_value(rnm, - sk_X509_NAME_ENTRY_num(rnm) - 1)->set) - { - X509V3err(X509V3_F_SET_DIST_POINT_NAME, - X509V3_R_INVALID_MULTIPLE_RDNS); - goto err; - } - } - else - return 0; - - if (*pdp) - { - X509V3err(X509V3_F_SET_DIST_POINT_NAME, - X509V3_R_DISTPOINT_ALREADY_SET); - goto err; - } - - *pdp = DIST_POINT_NAME_new(); - if (!*pdp) - goto err; - if (fnm) - { - (*pdp)->type = 0; - (*pdp)->name.fullname = fnm; - } - else - { - (*pdp)->type = 1; - (*pdp)->name.relativename = rnm; - } - - return 1; - - err: - if (fnm) - sk_GENERAL_NAME_pop_free(fnm, GENERAL_NAME_free); - if (rnm) - sk_X509_NAME_ENTRY_pop_free(rnm, X509_NAME_ENTRY_free); - return -1; - } - -static const BIT_STRING_BITNAME reason_flags[] = { -{0, "Unused", "unused"}, -{1, "Key Compromise", "keyCompromise"}, -{2, "CA Compromise", "CACompromise"}, -{3, "Affiliation Changed", "affiliationChanged"}, -{4, "Superseded", "superseded"}, -{5, "Cessation Of Operation", "cessationOfOperation"}, -{6, "Certificate Hold", "certificateHold"}, -{7, "Privilege Withdrawn", "privilegeWithdrawn"}, -{8, "AA Compromise", "AACompromise"}, -{-1, NULL, NULL} -}; - -static int set_reasons(ASN1_BIT_STRING **preas, char *value) - { - STACK_OF(CONF_VALUE) *rsk = NULL; - const BIT_STRING_BITNAME *pbn; - const char *bnam; - int i, ret = 0; - rsk = X509V3_parse_list(value); - if (!rsk) - return 0; - if (*preas) - return 0; - for (i = 0; i < sk_CONF_VALUE_num(rsk); i++) - { - bnam = sk_CONF_VALUE_value(rsk, i)->name; - if (!*preas) - { - *preas = ASN1_BIT_STRING_new(); - if (!*preas) - goto err; - } - for (pbn = reason_flags; pbn->lname; pbn++) - { - if (!strcmp(pbn->sname, bnam)) - { - if (!ASN1_BIT_STRING_set_bit(*preas, - pbn->bitnum, 1)) - goto err; - break; - } - } - if (!pbn->lname) - goto err; - } - ret = 1; - - err: - sk_CONF_VALUE_pop_free(rsk, X509V3_conf_free); - return ret; - } - -static int print_reasons(BIO *out, const char *rname, - ASN1_BIT_STRING *rflags, int indent) - { - int first = 1; - const BIT_STRING_BITNAME *pbn; - BIO_printf(out, "%*s%s:\n%*s", indent, "", rname, indent + 2, ""); - for (pbn = reason_flags; pbn->lname; pbn++) - { - if (ASN1_BIT_STRING_get_bit(rflags, pbn->bitnum)) - { - if (first) - first = 0; - else - BIO_puts(out, ", "); - BIO_puts(out, pbn->lname); - } - } - if (first) - BIO_puts(out, "<EMPTY>\n"); - else - BIO_puts(out, "\n"); - return 1; - } - -static DIST_POINT *crldp_from_section(X509V3_CTX *ctx, - STACK_OF(CONF_VALUE) *nval) - { - int i; - CONF_VALUE *cnf; - DIST_POINT *point = NULL; - point = DIST_POINT_new(); - if (!point) - goto err; - for(i = 0; i < sk_CONF_VALUE_num(nval); i++) - { - int ret; - cnf = sk_CONF_VALUE_value(nval, i); - ret = set_dist_point_name(&point->distpoint, ctx, cnf); - if (ret > 0) - continue; - if (ret < 0) - goto err; - if (!strcmp(cnf->name, "reasons")) - { - if (!set_reasons(&point->reasons, cnf->value)) - goto err; - } - else if (!strcmp(cnf->name, "CRLissuer")) - { - point->CRLissuer = - gnames_from_sectname(ctx, cnf->value); - if (!point->CRLissuer) - goto err; - } - } - - return point; - - - err: - if (point) - DIST_POINT_free(point); - return NULL; - } - -static void *v2i_crld(const X509V3_EXT_METHOD *method, - X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval) - { - STACK_OF(DIST_POINT) *crld = NULL; - GENERAL_NAMES *gens = NULL; - GENERAL_NAME *gen = NULL; - CONF_VALUE *cnf; - int i; - if(!(crld = sk_DIST_POINT_new_null())) goto merr; - for(i = 0; i < sk_CONF_VALUE_num(nval); i++) { - DIST_POINT *point; - cnf = sk_CONF_VALUE_value(nval, i); - if (!cnf->value) - { - STACK_OF(CONF_VALUE) *dpsect; - dpsect = X509V3_get_section(ctx, cnf->name); - if (!dpsect) - goto err; - point = crldp_from_section(ctx, dpsect); - X509V3_section_free(ctx, dpsect); - if (!point) - goto err; - if(!sk_DIST_POINT_push(crld, point)) - { - DIST_POINT_free(point); - goto merr; - } - } - else - { - if(!(gen = v2i_GENERAL_NAME(method, ctx, cnf))) - goto err; - if(!(gens = GENERAL_NAMES_new())) - goto merr; - if(!sk_GENERAL_NAME_push(gens, gen)) - goto merr; - gen = NULL; - if(!(point = DIST_POINT_new())) - goto merr; - if(!sk_DIST_POINT_push(crld, point)) - { - DIST_POINT_free(point); - goto merr; - } - if(!(point->distpoint = DIST_POINT_NAME_new())) - goto merr; - point->distpoint->name.fullname = gens; - point->distpoint->type = 0; - gens = NULL; - } - } - return crld; - - merr: - X509V3err(X509V3_F_V2I_CRLD,ERR_R_MALLOC_FAILURE); - err: - GENERAL_NAME_free(gen); - GENERAL_NAMES_free(gens); - sk_DIST_POINT_pop_free(crld, DIST_POINT_free); - return NULL; -} - -IMPLEMENT_STACK_OF(DIST_POINT) -IMPLEMENT_ASN1_SET_OF(DIST_POINT) - -static int dpn_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, - void *exarg) - { - DIST_POINT_NAME *dpn = (DIST_POINT_NAME *)*pval; - - switch(operation) - { - case ASN1_OP_NEW_POST: - dpn->dpname = NULL; - break; - - case ASN1_OP_FREE_POST: - if (dpn->dpname) - X509_NAME_free(dpn->dpname); - break; - } - return 1; - } - - -ASN1_CHOICE_cb(DIST_POINT_NAME, dpn_cb) = { - ASN1_IMP_SEQUENCE_OF(DIST_POINT_NAME, name.fullname, GENERAL_NAME, 0), - ASN1_IMP_SET_OF(DIST_POINT_NAME, name.relativename, X509_NAME_ENTRY, 1) -} ASN1_CHOICE_END_cb(DIST_POINT_NAME, DIST_POINT_NAME, type) - - -IMPLEMENT_ASN1_FUNCTIONS(DIST_POINT_NAME) - -ASN1_SEQUENCE(DIST_POINT) = { - ASN1_EXP_OPT(DIST_POINT, distpoint, DIST_POINT_NAME, 0), - ASN1_IMP_OPT(DIST_POINT, reasons, ASN1_BIT_STRING, 1), - ASN1_IMP_SEQUENCE_OF_OPT(DIST_POINT, CRLissuer, GENERAL_NAME, 2) -} ASN1_SEQUENCE_END(DIST_POINT) - -IMPLEMENT_ASN1_FUNCTIONS(DIST_POINT) - -ASN1_ITEM_TEMPLATE(CRL_DIST_POINTS) = - ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, CRLDistributionPoints, DIST_POINT) -ASN1_ITEM_TEMPLATE_END(CRL_DIST_POINTS) - -IMPLEMENT_ASN1_FUNCTIONS(CRL_DIST_POINTS) - -ASN1_SEQUENCE(ISSUING_DIST_POINT) = { - ASN1_EXP_OPT(ISSUING_DIST_POINT, distpoint, DIST_POINT_NAME, 0), - ASN1_IMP_OPT(ISSUING_DIST_POINT, onlyuser, ASN1_FBOOLEAN, 1), - ASN1_IMP_OPT(ISSUING_DIST_POINT, onlyCA, ASN1_FBOOLEAN, 2), - ASN1_IMP_OPT(ISSUING_DIST_POINT, onlysomereasons, ASN1_BIT_STRING, 3), - ASN1_IMP_OPT(ISSUING_DIST_POINT, indirectCRL, ASN1_FBOOLEAN, 4), - ASN1_IMP_OPT(ISSUING_DIST_POINT, onlyattr, ASN1_FBOOLEAN, 5) -} ASN1_SEQUENCE_END(ISSUING_DIST_POINT) - -IMPLEMENT_ASN1_FUNCTIONS(ISSUING_DIST_POINT) - -static int i2r_idp(const X509V3_EXT_METHOD *method, void *pidp, BIO *out, - int indent); -static void *v2i_idp(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx, - STACK_OF(CONF_VALUE) *nval); - -const X509V3_EXT_METHOD v3_idp = - { - NID_issuing_distribution_point, X509V3_EXT_MULTILINE, - ASN1_ITEM_ref(ISSUING_DIST_POINT), - 0,0,0,0, - 0,0, - 0, - v2i_idp, - i2r_idp,0, - NULL - }; - -static void *v2i_idp(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx, - STACK_OF(CONF_VALUE) *nval) - { - ISSUING_DIST_POINT *idp = NULL; - CONF_VALUE *cnf; - char *name, *val; - int i, ret; - idp = ISSUING_DIST_POINT_new(); - if (!idp) - goto merr; - for(i = 0; i < sk_CONF_VALUE_num(nval); i++) - { - cnf = sk_CONF_VALUE_value(nval, i); - name = cnf->name; - val = cnf->value; - ret = set_dist_point_name(&idp->distpoint, ctx, cnf); - if (ret > 0) - continue; - if (ret < 0) - goto err; - if (!strcmp(name, "onlyuser")) - { - if (!X509V3_get_value_bool(cnf, &idp->onlyuser)) - goto err; - } - else if (!strcmp(name, "onlyCA")) - { - if (!X509V3_get_value_bool(cnf, &idp->onlyCA)) - goto err; - } - else if (!strcmp(name, "onlyAA")) - { - if (!X509V3_get_value_bool(cnf, &idp->onlyattr)) - goto err; - } - else if (!strcmp(name, "indirectCRL")) - { - if (!X509V3_get_value_bool(cnf, &idp->indirectCRL)) - goto err; - } - else if (!strcmp(name, "onlysomereasons")) - { - if (!set_reasons(&idp->onlysomereasons, val)) - goto err; - } - else - { - X509V3err(X509V3_F_V2I_IDP, X509V3_R_INVALID_NAME); - X509V3_conf_err(cnf); - goto err; - } - } - return idp; - - merr: - X509V3err(X509V3_F_V2I_IDP,ERR_R_MALLOC_FAILURE); - err: - ISSUING_DIST_POINT_free(idp); - return NULL; - } - -static int print_gens(BIO *out, STACK_OF(GENERAL_NAME) *gens, int indent) - { - int i; - for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) - { - BIO_printf(out, "%*s", indent + 2, ""); - GENERAL_NAME_print(out, sk_GENERAL_NAME_value(gens, i)); - BIO_puts(out, "\n"); - } - return 1; - } - -static int print_distpoint(BIO *out, DIST_POINT_NAME *dpn, int indent) - { - if (dpn->type == 0) - { - BIO_printf(out, "%*sFull Name:\n", indent, ""); - print_gens(out, dpn->name.fullname, indent); - } - else - { - X509_NAME ntmp; - ntmp.entries = dpn->name.relativename; - BIO_printf(out, "%*sRelative Name:\n%*s", - indent, "", indent + 2, ""); - X509_NAME_print_ex(out, &ntmp, 0, XN_FLAG_ONELINE); - BIO_puts(out, "\n"); - } - return 1; - } - -static int i2r_idp(const X509V3_EXT_METHOD *method, void *pidp, BIO *out, - int indent) - { - ISSUING_DIST_POINT *idp = pidp; - if (idp->distpoint) - print_distpoint(out, idp->distpoint, indent); - if (idp->onlyuser > 0) - BIO_printf(out, "%*sOnly User Certificates\n", indent, ""); - if (idp->onlyCA > 0) - BIO_printf(out, "%*sOnly CA Certificates\n", indent, ""); - if (idp->indirectCRL > 0) - BIO_printf(out, "%*sIndirect CRL\n", indent, ""); - if (idp->onlysomereasons) - print_reasons(out, "Only Some Reasons", - idp->onlysomereasons, indent); - if (idp->onlyattr > 0) - BIO_printf(out, "%*sOnly Attribute Certificates\n", indent, ""); - if (!idp->distpoint && (idp->onlyuser <= 0) && (idp->onlyCA <= 0) - && (idp->indirectCRL <= 0) && !idp->onlysomereasons - && (idp->onlyattr <= 0)) - BIO_printf(out, "%*s<EMPTY>\n", indent, ""); - - return 1; - } - -static int i2r_crldp(const X509V3_EXT_METHOD *method, void *pcrldp, BIO *out, - int indent) - { - STACK_OF(DIST_POINT) *crld = pcrldp; - DIST_POINT *point; - int i; - for(i = 0; i < sk_DIST_POINT_num(crld); i++) - { - BIO_puts(out, "\n"); - point = sk_DIST_POINT_value(crld, i); - if(point->distpoint) - print_distpoint(out, point->distpoint, indent); - if(point->reasons) - print_reasons(out, "Reasons", point->reasons, - indent); - if(point->CRLissuer) - { - BIO_printf(out, "%*sCRL Issuer:\n", indent, ""); - print_gens(out, point->CRLissuer, indent); - } - } - return 1; - } - -int DIST_POINT_set_dpname(DIST_POINT_NAME *dpn, X509_NAME *iname) - { - int i; - STACK_OF(X509_NAME_ENTRY) *frag; - X509_NAME_ENTRY *ne; - if (!dpn || (dpn->type != 1)) - return 1; - frag = dpn->name.relativename; - dpn->dpname = X509_NAME_dup(iname); - if (!dpn->dpname) - return 0; - for (i = 0; i < sk_X509_NAME_ENTRY_num(frag); i++) - { - ne = sk_X509_NAME_ENTRY_value(frag, i); - if (!X509_NAME_add_entry(dpn->dpname, ne, -1, i ? 0 : 1)) - { - X509_NAME_free(dpn->dpname); - dpn->dpname = NULL; - return 0; - } - } - /* generate cached encoding of name */ - if (i2d_X509_NAME(dpn->dpname, NULL) < 0) - { - X509_NAME_free(dpn->dpname); - dpn->dpname = NULL; - return 0; - } - return 1; - } diff --git a/openssl/crypto/x509v3/v3_enum.c b/openssl/crypto/x509v3/v3_enum.c deleted file mode 100644 index c0575e36..00000000 --- a/openssl/crypto/x509v3/v3_enum.c +++ /dev/null @@ -1,97 +0,0 @@ -/* v3_enum.c */ -/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL - * project 1999. - */ -/* ==================================================================== - * Copyright (c) 1999 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#include <stdio.h> -#include "cryptlib.h" -#include <openssl/x509v3.h> - -static ENUMERATED_NAMES crl_reasons[] = { -{CRL_REASON_UNSPECIFIED, "Unspecified", "unspecified"}, -{CRL_REASON_KEY_COMPROMISE, "Key Compromise", "keyCompromise"}, -{CRL_REASON_CA_COMPROMISE, "CA Compromise", "CACompromise"}, -{CRL_REASON_AFFILIATION_CHANGED, "Affiliation Changed", "affiliationChanged"}, -{CRL_REASON_SUPERSEDED, "Superseded", "superseded"}, -{CRL_REASON_CESSATION_OF_OPERATION, - "Cessation Of Operation", "cessationOfOperation"}, -{CRL_REASON_CERTIFICATE_HOLD, "Certificate Hold", "certificateHold"}, -{CRL_REASON_REMOVE_FROM_CRL, "Remove From CRL", "removeFromCRL"}, -{CRL_REASON_PRIVILEGE_WITHDRAWN, "Privilege Withdrawn", "privilegeWithdrawn"}, -{CRL_REASON_AA_COMPROMISE, "AA Compromise", "AACompromise"}, -{-1, NULL, NULL} -}; - -const X509V3_EXT_METHOD v3_crl_reason = { -NID_crl_reason, 0, ASN1_ITEM_ref(ASN1_ENUMERATED), -0,0,0,0, -(X509V3_EXT_I2S)i2s_ASN1_ENUMERATED_TABLE, -0, -0,0,0,0, -crl_reasons}; - - -char *i2s_ASN1_ENUMERATED_TABLE(X509V3_EXT_METHOD *method, - ASN1_ENUMERATED *e) -{ - ENUMERATED_NAMES *enam; - long strval; - strval = ASN1_ENUMERATED_get(e); - for(enam = method->usr_data; enam->lname; enam++) { - if(strval == enam->bitnum) return BUF_strdup(enam->lname); - } - return i2s_ASN1_ENUMERATED(method, e); -} diff --git a/openssl/crypto/x509v3/v3_extku.c b/openssl/crypto/x509v3/v3_extku.c deleted file mode 100644 index 1c665327..00000000 --- a/openssl/crypto/x509v3/v3_extku.c +++ /dev/null @@ -1,144 +0,0 @@ -/* v3_extku.c */ -/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL - * project 1999. - */ -/* ==================================================================== - * Copyright (c) 1999 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - - -#include <stdio.h> -#include "cryptlib.h" -#include <openssl/asn1t.h> -#include <openssl/conf.h> -#include <openssl/x509v3.h> - -static void *v2i_EXTENDED_KEY_USAGE(const X509V3_EXT_METHOD *method, - X509V3_CTX *ctx, - STACK_OF(CONF_VALUE) *nval); -static STACK_OF(CONF_VALUE) *i2v_EXTENDED_KEY_USAGE(const X509V3_EXT_METHOD *method, - void *eku, STACK_OF(CONF_VALUE) *extlist); - -const X509V3_EXT_METHOD v3_ext_ku = { - NID_ext_key_usage, 0, - ASN1_ITEM_ref(EXTENDED_KEY_USAGE), - 0,0,0,0, - 0,0, - i2v_EXTENDED_KEY_USAGE, - v2i_EXTENDED_KEY_USAGE, - 0,0, - NULL -}; - -/* NB OCSP acceptable responses also is a SEQUENCE OF OBJECT */ -const X509V3_EXT_METHOD v3_ocsp_accresp = { - NID_id_pkix_OCSP_acceptableResponses, 0, - ASN1_ITEM_ref(EXTENDED_KEY_USAGE), - 0,0,0,0, - 0,0, - i2v_EXTENDED_KEY_USAGE, - v2i_EXTENDED_KEY_USAGE, - 0,0, - NULL -}; - -ASN1_ITEM_TEMPLATE(EXTENDED_KEY_USAGE) = - ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, EXTENDED_KEY_USAGE, ASN1_OBJECT) -ASN1_ITEM_TEMPLATE_END(EXTENDED_KEY_USAGE) - -IMPLEMENT_ASN1_FUNCTIONS(EXTENDED_KEY_USAGE) - -static STACK_OF(CONF_VALUE) * - i2v_EXTENDED_KEY_USAGE(const X509V3_EXT_METHOD *method, void *a, - STACK_OF(CONF_VALUE) *ext_list) -{ - EXTENDED_KEY_USAGE *eku = a; - int i; - ASN1_OBJECT *obj; - char obj_tmp[80]; - for(i = 0; i < sk_ASN1_OBJECT_num(eku); i++) { - obj = sk_ASN1_OBJECT_value(eku, i); - i2t_ASN1_OBJECT(obj_tmp, 80, obj); - X509V3_add_value(NULL, obj_tmp, &ext_list); - } - return ext_list; -} - -static void *v2i_EXTENDED_KEY_USAGE(const X509V3_EXT_METHOD *method, - X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval) -{ - EXTENDED_KEY_USAGE *extku; - char *extval; - ASN1_OBJECT *objtmp; - CONF_VALUE *val; - int i; - - if(!(extku = sk_ASN1_OBJECT_new_null())) { - X509V3err(X509V3_F_V2I_EXTENDED_KEY_USAGE,ERR_R_MALLOC_FAILURE); - return NULL; - } - - for(i = 0; i < sk_CONF_VALUE_num(nval); i++) { - val = sk_CONF_VALUE_value(nval, i); - if(val->value) extval = val->value; - else extval = val->name; - if(!(objtmp = OBJ_txt2obj(extval, 0))) { - sk_ASN1_OBJECT_pop_free(extku, ASN1_OBJECT_free); - X509V3err(X509V3_F_V2I_EXTENDED_KEY_USAGE,X509V3_R_INVALID_OBJECT_IDENTIFIER); - X509V3_conf_err(val); - return NULL; - } - sk_ASN1_OBJECT_push(extku, objtmp); - } - return extku; -} diff --git a/openssl/crypto/x509v3/v3_genn.c b/openssl/crypto/x509v3/v3_genn.c deleted file mode 100644 index b6283573..00000000 --- a/openssl/crypto/x509v3/v3_genn.c +++ /dev/null @@ -1,252 +0,0 @@ -/* v3_genn.c */ -/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL - * project 1999. - */ -/* ==================================================================== - * Copyright (c) 1999-2008 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - - -#include <stdio.h> -#include "cryptlib.h" -#include <openssl/asn1t.h> -#include <openssl/conf.h> -#include <openssl/x509v3.h> - -ASN1_SEQUENCE(OTHERNAME) = { - ASN1_SIMPLE(OTHERNAME, type_id, ASN1_OBJECT), - /* Maybe have a true ANY DEFINED BY later */ - ASN1_EXP(OTHERNAME, value, ASN1_ANY, 0) -} ASN1_SEQUENCE_END(OTHERNAME) - -IMPLEMENT_ASN1_FUNCTIONS(OTHERNAME) - -ASN1_SEQUENCE(EDIPARTYNAME) = { - ASN1_IMP_OPT(EDIPARTYNAME, nameAssigner, DIRECTORYSTRING, 0), - ASN1_IMP_OPT(EDIPARTYNAME, partyName, DIRECTORYSTRING, 1) -} ASN1_SEQUENCE_END(EDIPARTYNAME) - -IMPLEMENT_ASN1_FUNCTIONS(EDIPARTYNAME) - -ASN1_CHOICE(GENERAL_NAME) = { - ASN1_IMP(GENERAL_NAME, d.otherName, OTHERNAME, GEN_OTHERNAME), - ASN1_IMP(GENERAL_NAME, d.rfc822Name, ASN1_IA5STRING, GEN_EMAIL), - ASN1_IMP(GENERAL_NAME, d.dNSName, ASN1_IA5STRING, GEN_DNS), - /* Don't decode this */ - ASN1_IMP(GENERAL_NAME, d.x400Address, ASN1_SEQUENCE, GEN_X400), - /* X509_NAME is a CHOICE type so use EXPLICIT */ - ASN1_EXP(GENERAL_NAME, d.directoryName, X509_NAME, GEN_DIRNAME), - ASN1_IMP(GENERAL_NAME, d.ediPartyName, EDIPARTYNAME, GEN_EDIPARTY), - ASN1_IMP(GENERAL_NAME, d.uniformResourceIdentifier, ASN1_IA5STRING, GEN_URI), - ASN1_IMP(GENERAL_NAME, d.iPAddress, ASN1_OCTET_STRING, GEN_IPADD), - ASN1_IMP(GENERAL_NAME, d.registeredID, ASN1_OBJECT, GEN_RID) -} ASN1_CHOICE_END(GENERAL_NAME) - -IMPLEMENT_ASN1_FUNCTIONS(GENERAL_NAME) - -ASN1_ITEM_TEMPLATE(GENERAL_NAMES) = - ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, GeneralNames, GENERAL_NAME) -ASN1_ITEM_TEMPLATE_END(GENERAL_NAMES) - -IMPLEMENT_ASN1_FUNCTIONS(GENERAL_NAMES) - -GENERAL_NAME *GENERAL_NAME_dup(GENERAL_NAME *a) - { - return (GENERAL_NAME *) ASN1_dup((i2d_of_void *) i2d_GENERAL_NAME, - (d2i_of_void *) d2i_GENERAL_NAME, - (char *) a); - } - -/* Returns 0 if they are equal, != 0 otherwise. */ -int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b) - { - int result = -1; - - if (!a || !b || a->type != b->type) return -1; - switch(a->type) - { - case GEN_X400: - case GEN_EDIPARTY: - result = ASN1_TYPE_cmp(a->d.other, b->d.other); - break; - - case GEN_OTHERNAME: - result = OTHERNAME_cmp(a->d.otherName, b->d.otherName); - break; - - case GEN_EMAIL: - case GEN_DNS: - case GEN_URI: - result = ASN1_STRING_cmp(a->d.ia5, b->d.ia5); - break; - - case GEN_DIRNAME: - result = X509_NAME_cmp(a->d.dirn, b->d.dirn); - break; - - case GEN_IPADD: - result = ASN1_OCTET_STRING_cmp(a->d.ip, b->d.ip); - break; - - case GEN_RID: - result = OBJ_cmp(a->d.rid, b->d.rid); - break; - } - return result; - } - -/* Returns 0 if they are equal, != 0 otherwise. */ -int OTHERNAME_cmp(OTHERNAME *a, OTHERNAME *b) - { - int result = -1; - - if (!a || !b) return -1; - /* Check their type first. */ - if ((result = OBJ_cmp(a->type_id, b->type_id)) != 0) - return result; - /* Check the value. */ - result = ASN1_TYPE_cmp(a->value, b->value); - return result; - } - -void GENERAL_NAME_set0_value(GENERAL_NAME *a, int type, void *value) - { - switch(type) - { - case GEN_X400: - case GEN_EDIPARTY: - a->d.other = value; - break; - - case GEN_OTHERNAME: - a->d.otherName = value; - break; - - case GEN_EMAIL: - case GEN_DNS: - case GEN_URI: - a->d.ia5 = value; - break; - - case GEN_DIRNAME: - a->d.dirn = value; - break; - - case GEN_IPADD: - a->d.ip = value; - break; - - case GEN_RID: - a->d.rid = value; - break; - } - a->type = type; - } - -void *GENERAL_NAME_get0_value(GENERAL_NAME *a, int *ptype) - { - if (ptype) - *ptype = a->type; - switch(a->type) - { - case GEN_X400: - case GEN_EDIPARTY: - return a->d.other; - - case GEN_OTHERNAME: - return a->d.otherName; - - case GEN_EMAIL: - case GEN_DNS: - case GEN_URI: - return a->d.ia5; - - case GEN_DIRNAME: - return a->d.dirn; - - case GEN_IPADD: - return a->d.ip; - - case GEN_RID: - return a->d.rid; - - default: - return NULL; - } - } - -int GENERAL_NAME_set0_othername(GENERAL_NAME *gen, - ASN1_OBJECT *oid, ASN1_TYPE *value) - { - OTHERNAME *oth; - oth = OTHERNAME_new(); - if (!oth) - return 0; - oth->type_id = oid; - oth->value = value; - GENERAL_NAME_set0_value(gen, GEN_OTHERNAME, oth); - return 1; - } - -int GENERAL_NAME_get0_otherName(GENERAL_NAME *gen, - ASN1_OBJECT **poid, ASN1_TYPE **pvalue) - { - if (gen->type != GEN_OTHERNAME) - return 0; - if (poid) - *poid = gen->d.otherName->type_id; - if (pvalue) - *pvalue = gen->d.otherName->value; - return 1; - } - diff --git a/openssl/crypto/x509v3/v3_ia5.c b/openssl/crypto/x509v3/v3_ia5.c deleted file mode 100644 index 4ff12b52..00000000 --- a/openssl/crypto/x509v3/v3_ia5.c +++ /dev/null @@ -1,116 +0,0 @@ -/* v3_ia5.c */ -/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL - * project 1999. - */ -/* ==================================================================== - * Copyright (c) 1999 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - - -#include <stdio.h> -#include "cryptlib.h" -#include <openssl/asn1.h> -#include <openssl/conf.h> -#include <openssl/x509v3.h> - -static char *i2s_ASN1_IA5STRING(X509V3_EXT_METHOD *method, ASN1_IA5STRING *ia5); -static ASN1_IA5STRING *s2i_ASN1_IA5STRING(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *str); -const X509V3_EXT_METHOD v3_ns_ia5_list[] = { -EXT_IA5STRING(NID_netscape_base_url), -EXT_IA5STRING(NID_netscape_revocation_url), -EXT_IA5STRING(NID_netscape_ca_revocation_url), -EXT_IA5STRING(NID_netscape_renewal_url), -EXT_IA5STRING(NID_netscape_ca_policy_url), -EXT_IA5STRING(NID_netscape_ssl_server_name), -EXT_IA5STRING(NID_netscape_comment), -EXT_END -}; - - -static char *i2s_ASN1_IA5STRING(X509V3_EXT_METHOD *method, - ASN1_IA5STRING *ia5) -{ - char *tmp; - if(!ia5 || !ia5->length) return NULL; - if(!(tmp = OPENSSL_malloc(ia5->length + 1))) { - X509V3err(X509V3_F_I2S_ASN1_IA5STRING,ERR_R_MALLOC_FAILURE); - return NULL; - } - memcpy(tmp, ia5->data, ia5->length); - tmp[ia5->length] = 0; - return tmp; -} - -static ASN1_IA5STRING *s2i_ASN1_IA5STRING(X509V3_EXT_METHOD *method, - X509V3_CTX *ctx, char *str) -{ - ASN1_IA5STRING *ia5; - if(!str) { - X509V3err(X509V3_F_S2I_ASN1_IA5STRING,X509V3_R_INVALID_NULL_ARGUMENT); - return NULL; - } - if(!(ia5 = M_ASN1_IA5STRING_new())) goto err; - if(!ASN1_STRING_set((ASN1_STRING *)ia5, (unsigned char*)str, - strlen(str))) { - M_ASN1_IA5STRING_free(ia5); - goto err; - } -#ifdef CHARSET_EBCDIC - ebcdic2ascii(ia5->data, ia5->data, ia5->length); -#endif /*CHARSET_EBCDIC*/ - return ia5; - err: - X509V3err(X509V3_F_S2I_ASN1_IA5STRING,ERR_R_MALLOC_FAILURE); - return NULL; -} - diff --git a/openssl/crypto/x509v3/v3_info.c b/openssl/crypto/x509v3/v3_info.c deleted file mode 100644 index e1b8699f..00000000 --- a/openssl/crypto/x509v3/v3_info.c +++ /dev/null @@ -1,193 +0,0 @@ -/* v3_info.c */ -/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL - * project 1999. - */ -/* ==================================================================== - * Copyright (c) 1999 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#include <stdio.h> -#include "cryptlib.h" -#include <openssl/conf.h> -#include <openssl/asn1.h> -#include <openssl/asn1t.h> -#include <openssl/x509v3.h> - -static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD *method, - AUTHORITY_INFO_ACCESS *ainfo, - STACK_OF(CONF_VALUE) *ret); -static AUTHORITY_INFO_ACCESS *v2i_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD *method, - X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval); - -const X509V3_EXT_METHOD v3_info = -{ NID_info_access, X509V3_EXT_MULTILINE, ASN1_ITEM_ref(AUTHORITY_INFO_ACCESS), -0,0,0,0, -0,0, -(X509V3_EXT_I2V)i2v_AUTHORITY_INFO_ACCESS, -(X509V3_EXT_V2I)v2i_AUTHORITY_INFO_ACCESS, -0,0, -NULL}; - -const X509V3_EXT_METHOD v3_sinfo = -{ NID_sinfo_access, X509V3_EXT_MULTILINE, ASN1_ITEM_ref(AUTHORITY_INFO_ACCESS), -0,0,0,0, -0,0, -(X509V3_EXT_I2V)i2v_AUTHORITY_INFO_ACCESS, -(X509V3_EXT_V2I)v2i_AUTHORITY_INFO_ACCESS, -0,0, -NULL}; - -ASN1_SEQUENCE(ACCESS_DESCRIPTION) = { - ASN1_SIMPLE(ACCESS_DESCRIPTION, method, ASN1_OBJECT), - ASN1_SIMPLE(ACCESS_DESCRIPTION, location, GENERAL_NAME) -} ASN1_SEQUENCE_END(ACCESS_DESCRIPTION) - -IMPLEMENT_ASN1_FUNCTIONS(ACCESS_DESCRIPTION) - -ASN1_ITEM_TEMPLATE(AUTHORITY_INFO_ACCESS) = - ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, GeneralNames, ACCESS_DESCRIPTION) -ASN1_ITEM_TEMPLATE_END(AUTHORITY_INFO_ACCESS) - -IMPLEMENT_ASN1_FUNCTIONS(AUTHORITY_INFO_ACCESS) - -static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD *method, - AUTHORITY_INFO_ACCESS *ainfo, - STACK_OF(CONF_VALUE) *ret) -{ - ACCESS_DESCRIPTION *desc; - int i,nlen; - char objtmp[80], *ntmp; - CONF_VALUE *vtmp; - for(i = 0; i < sk_ACCESS_DESCRIPTION_num(ainfo); i++) { - desc = sk_ACCESS_DESCRIPTION_value(ainfo, i); - ret = i2v_GENERAL_NAME(method, desc->location, ret); - if(!ret) break; - vtmp = sk_CONF_VALUE_value(ret, i); - i2t_ASN1_OBJECT(objtmp, sizeof objtmp, desc->method); - nlen = strlen(objtmp) + strlen(vtmp->name) + 5; - ntmp = OPENSSL_malloc(nlen); - if(!ntmp) { - X509V3err(X509V3_F_I2V_AUTHORITY_INFO_ACCESS, - ERR_R_MALLOC_FAILURE); - return NULL; - } - BUF_strlcpy(ntmp, objtmp, nlen); - BUF_strlcat(ntmp, " - ", nlen); - BUF_strlcat(ntmp, vtmp->name, nlen); - OPENSSL_free(vtmp->name); - vtmp->name = ntmp; - - } - if(!ret) return sk_CONF_VALUE_new_null(); - return ret; -} - -static AUTHORITY_INFO_ACCESS *v2i_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD *method, - X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval) -{ - AUTHORITY_INFO_ACCESS *ainfo = NULL; - CONF_VALUE *cnf, ctmp; - ACCESS_DESCRIPTION *acc; - int i, objlen; - char *objtmp, *ptmp; - if(!(ainfo = sk_ACCESS_DESCRIPTION_new_null())) { - X509V3err(X509V3_F_V2I_AUTHORITY_INFO_ACCESS,ERR_R_MALLOC_FAILURE); - return NULL; - } - for(i = 0; i < sk_CONF_VALUE_num(nval); i++) { - cnf = sk_CONF_VALUE_value(nval, i); - if(!(acc = ACCESS_DESCRIPTION_new()) - || !sk_ACCESS_DESCRIPTION_push(ainfo, acc)) { - X509V3err(X509V3_F_V2I_AUTHORITY_INFO_ACCESS,ERR_R_MALLOC_FAILURE); - goto err; - } - ptmp = strchr(cnf->name, ';'); - if(!ptmp) { - X509V3err(X509V3_F_V2I_AUTHORITY_INFO_ACCESS,X509V3_R_INVALID_SYNTAX); - goto err; - } - objlen = ptmp - cnf->name; - ctmp.name = ptmp + 1; - ctmp.value = cnf->value; - if(!v2i_GENERAL_NAME_ex(acc->location, method, ctx, &ctmp, 0)) - goto err; - if(!(objtmp = OPENSSL_malloc(objlen + 1))) { - X509V3err(X509V3_F_V2I_AUTHORITY_INFO_ACCESS,ERR_R_MALLOC_FAILURE); - goto err; - } - strncpy(objtmp, cnf->name, objlen); - objtmp[objlen] = 0; - acc->method = OBJ_txt2obj(objtmp, 0); - if(!acc->method) { - X509V3err(X509V3_F_V2I_AUTHORITY_INFO_ACCESS,X509V3_R_BAD_OBJECT); - ERR_add_error_data(2, "value=", objtmp); - OPENSSL_free(objtmp); - goto err; - } - OPENSSL_free(objtmp); - - } - return ainfo; - err: - sk_ACCESS_DESCRIPTION_pop_free(ainfo, ACCESS_DESCRIPTION_free); - return NULL; -} - -int i2a_ACCESS_DESCRIPTION(BIO *bp, ACCESS_DESCRIPTION* a) - { - i2a_ASN1_OBJECT(bp, a->method); -#ifdef UNDEF - i2a_GENERAL_NAME(bp, a->location); -#endif - return 2; - } diff --git a/openssl/crypto/x509v3/v3_int.c b/openssl/crypto/x509v3/v3_int.c deleted file mode 100644 index 4bfd14cf..00000000 --- a/openssl/crypto/x509v3/v3_int.c +++ /dev/null @@ -1,89 +0,0 @@ -/* v3_int.c */ -/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL - * project 1999. - */ -/* ==================================================================== - * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#include <stdio.h> -#include "cryptlib.h" -#include <openssl/x509v3.h> - -const X509V3_EXT_METHOD v3_crl_num = { - NID_crl_number, 0, ASN1_ITEM_ref(ASN1_INTEGER), - 0,0,0,0, - (X509V3_EXT_I2S)i2s_ASN1_INTEGER, - 0, - 0,0,0,0, NULL}; - -const X509V3_EXT_METHOD v3_delta_crl = { - NID_delta_crl, 0, ASN1_ITEM_ref(ASN1_INTEGER), - 0,0,0,0, - (X509V3_EXT_I2S)i2s_ASN1_INTEGER, - 0, - 0,0,0,0, NULL}; - -static void * s2i_asn1_int(X509V3_EXT_METHOD *meth, X509V3_CTX *ctx, char *value) - { - return s2i_ASN1_INTEGER(meth, value); - } - -const X509V3_EXT_METHOD v3_inhibit_anyp = { - NID_inhibit_any_policy, 0, ASN1_ITEM_ref(ASN1_INTEGER), - 0,0,0,0, - (X509V3_EXT_I2S)i2s_ASN1_INTEGER, - (X509V3_EXT_S2I)s2i_asn1_int, - 0,0,0,0, NULL}; - - diff --git a/openssl/crypto/x509v3/v3_lib.c b/openssl/crypto/x509v3/v3_lib.c deleted file mode 100644 index 0f1e1d44..00000000 --- a/openssl/crypto/x509v3/v3_lib.c +++ /dev/null @@ -1,309 +0,0 @@ -/* v3_lib.c */ -/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL - * project 1999. - */ -/* ==================================================================== - * Copyright (c) 1999 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ -/* X509 v3 extension utilities */ - -#include <stdio.h> -#include "cryptlib.h" -#include <openssl/conf.h> -#include <openssl/x509v3.h> - -#include "ext_dat.h" - -static STACK_OF(X509V3_EXT_METHOD) *ext_list = NULL; - -static int ext_cmp(const X509V3_EXT_METHOD * const *a, - const X509V3_EXT_METHOD * const *b); -static void ext_list_free(X509V3_EXT_METHOD *ext); - -int X509V3_EXT_add(X509V3_EXT_METHOD *ext) -{ - if(!ext_list && !(ext_list = sk_X509V3_EXT_METHOD_new(ext_cmp))) { - X509V3err(X509V3_F_X509V3_EXT_ADD,ERR_R_MALLOC_FAILURE); - return 0; - } - if(!sk_X509V3_EXT_METHOD_push(ext_list, ext)) { - X509V3err(X509V3_F_X509V3_EXT_ADD,ERR_R_MALLOC_FAILURE); - return 0; - } - return 1; -} - -static int ext_cmp(const X509V3_EXT_METHOD * const *a, - const X509V3_EXT_METHOD * const *b) -{ - return ((*a)->ext_nid - (*b)->ext_nid); -} - -DECLARE_OBJ_BSEARCH_CMP_FN(const X509V3_EXT_METHOD *, const X509V3_EXT_METHOD *, - ext); -IMPLEMENT_OBJ_BSEARCH_CMP_FN(const X509V3_EXT_METHOD *, - const X509V3_EXT_METHOD *, ext); - -const X509V3_EXT_METHOD *X509V3_EXT_get_nid(int nid) -{ - X509V3_EXT_METHOD tmp; - const X509V3_EXT_METHOD *t = &tmp, * const *ret; - int idx; - if(nid < 0) return NULL; - tmp.ext_nid = nid; - ret = OBJ_bsearch_ext(&t, standard_exts, STANDARD_EXTENSION_COUNT); - if(ret) return *ret; - if(!ext_list) return NULL; - idx = sk_X509V3_EXT_METHOD_find(ext_list, &tmp); - if(idx == -1) return NULL; - return sk_X509V3_EXT_METHOD_value(ext_list, idx); -} - -const X509V3_EXT_METHOD *X509V3_EXT_get(X509_EXTENSION *ext) -{ - int nid; - if((nid = OBJ_obj2nid(ext->object)) == NID_undef) return NULL; - return X509V3_EXT_get_nid(nid); -} - - -int X509V3_EXT_add_list(X509V3_EXT_METHOD *extlist) -{ - for(;extlist->ext_nid!=-1;extlist++) - if(!X509V3_EXT_add(extlist)) return 0; - return 1; -} - -int X509V3_EXT_add_alias(int nid_to, int nid_from) -{ - const X509V3_EXT_METHOD *ext; - X509V3_EXT_METHOD *tmpext; - - if(!(ext = X509V3_EXT_get_nid(nid_from))) { - X509V3err(X509V3_F_X509V3_EXT_ADD_ALIAS,X509V3_R_EXTENSION_NOT_FOUND); - return 0; - } - if(!(tmpext = (X509V3_EXT_METHOD *)OPENSSL_malloc(sizeof(X509V3_EXT_METHOD)))) { - X509V3err(X509V3_F_X509V3_EXT_ADD_ALIAS,ERR_R_MALLOC_FAILURE); - return 0; - } - *tmpext = *ext; - tmpext->ext_nid = nid_to; - tmpext->ext_flags |= X509V3_EXT_DYNAMIC; - return X509V3_EXT_add(tmpext); -} - -void X509V3_EXT_cleanup(void) -{ - sk_X509V3_EXT_METHOD_pop_free(ext_list, ext_list_free); - ext_list = NULL; -} - -static void ext_list_free(X509V3_EXT_METHOD *ext) -{ - if(ext->ext_flags & X509V3_EXT_DYNAMIC) OPENSSL_free(ext); -} - -/* Legacy function: we don't need to add standard extensions - * any more because they are now kept in ext_dat.h. - */ - -int X509V3_add_standard_extensions(void) -{ - return 1; -} - -/* Return an extension internal structure */ - -void *X509V3_EXT_d2i(X509_EXTENSION *ext) -{ - const X509V3_EXT_METHOD *method; - const unsigned char *p; - - if(!(method = X509V3_EXT_get(ext))) return NULL; - p = ext->value->data; - if(method->it) return ASN1_item_d2i(NULL, &p, ext->value->length, ASN1_ITEM_ptr(method->it)); - return method->d2i(NULL, &p, ext->value->length); -} - -/* Get critical flag and decoded version of extension from a NID. - * The "idx" variable returns the last found extension and can - * be used to retrieve multiple extensions of the same NID. - * However multiple extensions with the same NID is usually - * due to a badly encoded certificate so if idx is NULL we - * choke if multiple extensions exist. - * The "crit" variable is set to the critical value. - * The return value is the decoded extension or NULL on - * error. The actual error can have several different causes, - * the value of *crit reflects the cause: - * >= 0, extension found but not decoded (reflects critical value). - * -1 extension not found. - * -2 extension occurs more than once. - */ - -void *X509V3_get_d2i(STACK_OF(X509_EXTENSION) *x, int nid, int *crit, int *idx) -{ - int lastpos, i; - X509_EXTENSION *ex, *found_ex = NULL; - if(!x) { - if(idx) *idx = -1; - if(crit) *crit = -1; - return NULL; - } - if(idx) lastpos = *idx + 1; - else lastpos = 0; - if(lastpos < 0) lastpos = 0; - for(i = lastpos; i < sk_X509_EXTENSION_num(x); i++) - { - ex = sk_X509_EXTENSION_value(x, i); - if(OBJ_obj2nid(ex->object) == nid) { - if(idx) { - *idx = i; - found_ex = ex; - break; - } else if(found_ex) { - /* Found more than one */ - if(crit) *crit = -2; - return NULL; - } - found_ex = ex; - } - } - if(found_ex) { - /* Found it */ - if(crit) *crit = X509_EXTENSION_get_critical(found_ex); - return X509V3_EXT_d2i(found_ex); - } - - /* Extension not found */ - if(idx) *idx = -1; - if(crit) *crit = -1; - return NULL; -} - -/* This function is a general extension append, replace and delete utility. - * The precise operation is governed by the 'flags' value. The 'crit' and - * 'value' arguments (if relevant) are the extensions internal structure. - */ - -int X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value, - int crit, unsigned long flags) -{ - int extidx = -1; - int errcode; - X509_EXTENSION *ext, *extmp; - unsigned long ext_op = flags & X509V3_ADD_OP_MASK; - - /* If appending we don't care if it exists, otherwise - * look for existing extension. - */ - if(ext_op != X509V3_ADD_APPEND) - extidx = X509v3_get_ext_by_NID(*x, nid, -1); - - /* See if extension exists */ - if(extidx >= 0) { - /* If keep existing, nothing to do */ - if(ext_op == X509V3_ADD_KEEP_EXISTING) - return 1; - /* If default then its an error */ - if(ext_op == X509V3_ADD_DEFAULT) { - errcode = X509V3_R_EXTENSION_EXISTS; - goto err; - } - /* If delete, just delete it */ - if(ext_op == X509V3_ADD_DELETE) { - if(!sk_X509_EXTENSION_delete(*x, extidx)) return -1; - return 1; - } - } else { - /* If replace existing or delete, error since - * extension must exist - */ - if((ext_op == X509V3_ADD_REPLACE_EXISTING) || - (ext_op == X509V3_ADD_DELETE)) { - errcode = X509V3_R_EXTENSION_NOT_FOUND; - goto err; - } - } - - /* If we get this far then we have to create an extension: - * could have some flags for alternative encoding schemes... - */ - - ext = X509V3_EXT_i2d(nid, crit, value); - - if(!ext) { - X509V3err(X509V3_F_X509V3_ADD1_I2D, X509V3_R_ERROR_CREATING_EXTENSION); - return 0; - } - - /* If extension exists replace it.. */ - if(extidx >= 0) { - extmp = sk_X509_EXTENSION_value(*x, extidx); - X509_EXTENSION_free(extmp); - if(!sk_X509_EXTENSION_set(*x, extidx, ext)) return -1; - return 1; - } - - if(!*x && !(*x = sk_X509_EXTENSION_new_null())) return -1; - if(!sk_X509_EXTENSION_push(*x, ext)) return -1; - - return 1; - - err: - if(!(flags & X509V3_ADD_SILENT)) - X509V3err(X509V3_F_X509V3_ADD1_I2D, errcode); - return 0; -} - -IMPLEMENT_STACK_OF(X509V3_EXT_METHOD) diff --git a/openssl/crypto/x509v3/v3_ncons.c b/openssl/crypto/x509v3/v3_ncons.c deleted file mode 100644 index a01dc64d..00000000 --- a/openssl/crypto/x509v3/v3_ncons.c +++ /dev/null @@ -1,505 +0,0 @@ -/* v3_ncons.c */ -/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL - * project. - */ -/* ==================================================================== - * Copyright (c) 2003 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - - -#include <stdio.h> -#include "cryptlib.h" -#include <openssl/asn1t.h> -#include <openssl/conf.h> -#include <openssl/x509v3.h> - -static void *v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method, - X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval); -static int i2r_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method, - void *a, BIO *bp, int ind); -static int do_i2r_name_constraints(const X509V3_EXT_METHOD *method, - STACK_OF(GENERAL_SUBTREE) *trees, - BIO *bp, int ind, char *name); -static int print_nc_ipadd(BIO *bp, ASN1_OCTET_STRING *ip); - -static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc); -static int nc_match_single(GENERAL_NAME *sub, GENERAL_NAME *gen); -static int nc_dn(X509_NAME *sub, X509_NAME *nm); -static int nc_dns(ASN1_IA5STRING *sub, ASN1_IA5STRING *dns); -static int nc_email(ASN1_IA5STRING *sub, ASN1_IA5STRING *eml); -static int nc_uri(ASN1_IA5STRING *uri, ASN1_IA5STRING *base); - -const X509V3_EXT_METHOD v3_name_constraints = { - NID_name_constraints, 0, - ASN1_ITEM_ref(NAME_CONSTRAINTS), - 0,0,0,0, - 0,0, - 0, v2i_NAME_CONSTRAINTS, - i2r_NAME_CONSTRAINTS,0, - NULL -}; - -ASN1_SEQUENCE(GENERAL_SUBTREE) = { - ASN1_SIMPLE(GENERAL_SUBTREE, base, GENERAL_NAME), - ASN1_IMP_OPT(GENERAL_SUBTREE, minimum, ASN1_INTEGER, 0), - ASN1_IMP_OPT(GENERAL_SUBTREE, maximum, ASN1_INTEGER, 1) -} ASN1_SEQUENCE_END(GENERAL_SUBTREE) - -ASN1_SEQUENCE(NAME_CONSTRAINTS) = { - ASN1_IMP_SEQUENCE_OF_OPT(NAME_CONSTRAINTS, permittedSubtrees, - GENERAL_SUBTREE, 0), - ASN1_IMP_SEQUENCE_OF_OPT(NAME_CONSTRAINTS, excludedSubtrees, - GENERAL_SUBTREE, 1), -} ASN1_SEQUENCE_END(NAME_CONSTRAINTS) - - -IMPLEMENT_ASN1_ALLOC_FUNCTIONS(GENERAL_SUBTREE) -IMPLEMENT_ASN1_ALLOC_FUNCTIONS(NAME_CONSTRAINTS) - -static void *v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method, - X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval) - { - int i; - CONF_VALUE tval, *val; - STACK_OF(GENERAL_SUBTREE) **ptree = NULL; - NAME_CONSTRAINTS *ncons = NULL; - GENERAL_SUBTREE *sub = NULL; - ncons = NAME_CONSTRAINTS_new(); - if (!ncons) - goto memerr; - for(i = 0; i < sk_CONF_VALUE_num(nval); i++) - { - val = sk_CONF_VALUE_value(nval, i); - if (!strncmp(val->name, "permitted", 9) && val->name[9]) - { - ptree = &ncons->permittedSubtrees; - tval.name = val->name + 10; - } - else if (!strncmp(val->name, "excluded", 8) && val->name[8]) - { - ptree = &ncons->excludedSubtrees; - tval.name = val->name + 9; - } - else - { - X509V3err(X509V3_F_V2I_NAME_CONSTRAINTS, X509V3_R_INVALID_SYNTAX); - goto err; - } - tval.value = val->value; - sub = GENERAL_SUBTREE_new(); - if (!v2i_GENERAL_NAME_ex(sub->base, method, ctx, &tval, 1)) - goto err; - if (!*ptree) - *ptree = sk_GENERAL_SUBTREE_new_null(); - if (!*ptree || !sk_GENERAL_SUBTREE_push(*ptree, sub)) - goto memerr; - sub = NULL; - } - - return ncons; - - memerr: - X509V3err(X509V3_F_V2I_NAME_CONSTRAINTS, ERR_R_MALLOC_FAILURE); - err: - if (ncons) - NAME_CONSTRAINTS_free(ncons); - if (sub) - GENERAL_SUBTREE_free(sub); - - return NULL; - } - - - - -static int i2r_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method, void *a, - BIO *bp, int ind) - { - NAME_CONSTRAINTS *ncons = a; - do_i2r_name_constraints(method, ncons->permittedSubtrees, - bp, ind, "Permitted"); - do_i2r_name_constraints(method, ncons->excludedSubtrees, - bp, ind, "Excluded"); - return 1; - } - -static int do_i2r_name_constraints(const X509V3_EXT_METHOD *method, - STACK_OF(GENERAL_SUBTREE) *trees, - BIO *bp, int ind, char *name) - { - GENERAL_SUBTREE *tree; - int i; - if (sk_GENERAL_SUBTREE_num(trees) > 0) - BIO_printf(bp, "%*s%s:\n", ind, "", name); - for(i = 0; i < sk_GENERAL_SUBTREE_num(trees); i++) - { - tree = sk_GENERAL_SUBTREE_value(trees, i); - BIO_printf(bp, "%*s", ind + 2, ""); - if (tree->base->type == GEN_IPADD) - print_nc_ipadd(bp, tree->base->d.ip); - else - GENERAL_NAME_print(bp, tree->base); - BIO_puts(bp, "\n"); - } - return 1; - } - -static int print_nc_ipadd(BIO *bp, ASN1_OCTET_STRING *ip) - { - int i, len; - unsigned char *p; - p = ip->data; - len = ip->length; - BIO_puts(bp, "IP:"); - if(len == 8) - { - BIO_printf(bp, "%d.%d.%d.%d/%d.%d.%d.%d", - p[0], p[1], p[2], p[3], - p[4], p[5], p[6], p[7]); - } - else if(len == 32) - { - for (i = 0; i < 16; i++) - { - BIO_printf(bp, "%X", p[0] << 8 | p[1]); - p += 2; - if (i == 7) - BIO_puts(bp, "/"); - else if (i != 15) - BIO_puts(bp, ":"); - } - } - else - BIO_printf(bp, "IP Address:<invalid>"); - return 1; - } - -/* Check a certificate conforms to a specified set of constraints. - * Return values: - * X509_V_OK: All constraints obeyed. - * X509_V_ERR_PERMITTED_VIOLATION: Permitted subtree violation. - * X509_V_ERR_EXCLUDED_VIOLATION: Excluded subtree violation. - * X509_V_ERR_SUBTREE_MINMAX: Min or max values present and matching type. - * X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE: Unsupported constraint type. - * X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX: bad unsupported constraint syntax. - * X509_V_ERR_UNSUPPORTED_NAME_SYNTAX: bad or unsupported syntax of name - - */ - -int NAME_CONSTRAINTS_check(X509 *x, NAME_CONSTRAINTS *nc) - { - int r, i; - X509_NAME *nm; - - nm = X509_get_subject_name(x); - - if (X509_NAME_entry_count(nm) > 0) - { - GENERAL_NAME gntmp; - gntmp.type = GEN_DIRNAME; - gntmp.d.directoryName = nm; - - r = nc_match(&gntmp, nc); - - if (r != X509_V_OK) - return r; - - gntmp.type = GEN_EMAIL; - - - /* Process any email address attributes in subject name */ - - for (i = -1;;) - { - X509_NAME_ENTRY *ne; - i = X509_NAME_get_index_by_NID(nm, - NID_pkcs9_emailAddress, - i); - if (i == -1) - break; - ne = X509_NAME_get_entry(nm, i); - gntmp.d.rfc822Name = X509_NAME_ENTRY_get_data(ne); - if (gntmp.d.rfc822Name->type != V_ASN1_IA5STRING) - return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX; - - r = nc_match(&gntmp, nc); - - if (r != X509_V_OK) - return r; - } - - } - - for (i = 0; i < sk_GENERAL_NAME_num(x->altname); i++) - { - GENERAL_NAME *gen = sk_GENERAL_NAME_value(x->altname, i); - r = nc_match(gen, nc); - if (r != X509_V_OK) - return r; - } - - return X509_V_OK; - - } - -static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc) - { - GENERAL_SUBTREE *sub; - int i, r, match = 0; - - /* Permitted subtrees: if any subtrees exist of matching the type - * at least one subtree must match. - */ - - for (i = 0; i < sk_GENERAL_SUBTREE_num(nc->permittedSubtrees); i++) - { - sub = sk_GENERAL_SUBTREE_value(nc->permittedSubtrees, i); - if (gen->type != sub->base->type) - continue; - if (sub->minimum || sub->maximum) - return X509_V_ERR_SUBTREE_MINMAX; - /* If we already have a match don't bother trying any more */ - if (match == 2) - continue; - if (match == 0) - match = 1; - r = nc_match_single(gen, sub->base); - if (r == X509_V_OK) - match = 2; - else if (r != X509_V_ERR_PERMITTED_VIOLATION) - return r; - } - - if (match == 1) - return X509_V_ERR_PERMITTED_VIOLATION; - - /* Excluded subtrees: must not match any of these */ - - for (i = 0; i < sk_GENERAL_SUBTREE_num(nc->excludedSubtrees); i++) - { - sub = sk_GENERAL_SUBTREE_value(nc->excludedSubtrees, i); - if (gen->type != sub->base->type) - continue; - if (sub->minimum || sub->maximum) - return X509_V_ERR_SUBTREE_MINMAX; - - r = nc_match_single(gen, sub->base); - if (r == X509_V_OK) - return X509_V_ERR_EXCLUDED_VIOLATION; - else if (r != X509_V_ERR_PERMITTED_VIOLATION) - return r; - - } - - return X509_V_OK; - - } - -static int nc_match_single(GENERAL_NAME *gen, GENERAL_NAME *base) - { - switch(base->type) - { - case GEN_DIRNAME: - return nc_dn(gen->d.directoryName, base->d.directoryName); - - case GEN_DNS: - return nc_dns(gen->d.dNSName, base->d.dNSName); - - case GEN_EMAIL: - return nc_email(gen->d.rfc822Name, base->d.rfc822Name); - - case GEN_URI: - return nc_uri(gen->d.uniformResourceIdentifier, - base->d.uniformResourceIdentifier); - - default: - return X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE; - } - - } - -/* directoryName name constraint matching. - * The canonical encoding of X509_NAME makes this comparison easy. It is - * matched if the subtree is a subset of the name. - */ - -static int nc_dn(X509_NAME *nm, X509_NAME *base) - { - /* Ensure canonical encodings are up to date. */ - if (nm->modified && i2d_X509_NAME(nm, NULL) < 0) - return X509_V_ERR_OUT_OF_MEM; - if (base->modified && i2d_X509_NAME(base, NULL) < 0) - return X509_V_ERR_OUT_OF_MEM; - if (base->canon_enclen > nm->canon_enclen) - return X509_V_ERR_PERMITTED_VIOLATION; - if (memcmp(base->canon_enc, nm->canon_enc, base->canon_enclen)) - return X509_V_ERR_PERMITTED_VIOLATION; - return X509_V_OK; - } - -static int nc_dns(ASN1_IA5STRING *dns, ASN1_IA5STRING *base) - { - char *baseptr = (char *)base->data; - char *dnsptr = (char *)dns->data; - /* Empty matches everything */ - if (!*baseptr) - return X509_V_OK; - /* Otherwise can add zero or more components on the left so - * compare RHS and if dns is longer and expect '.' as preceding - * character. - */ - if (dns->length > base->length) - { - dnsptr += dns->length - base->length; - if (dnsptr[-1] != '.') - return X509_V_ERR_PERMITTED_VIOLATION; - } - - if (strcasecmp(baseptr, dnsptr)) - return X509_V_ERR_PERMITTED_VIOLATION; - - return X509_V_OK; - - } - -static int nc_email(ASN1_IA5STRING *eml, ASN1_IA5STRING *base) - { - const char *baseptr = (char *)base->data; - const char *emlptr = (char *)eml->data; - - const char *baseat = strchr(baseptr, '@'); - const char *emlat = strchr(emlptr, '@'); - if (!emlat) - return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX; - /* Special case: inital '.' is RHS match */ - if (!baseat && (*baseptr == '.')) - { - if (eml->length > base->length) - { - emlptr += eml->length - base->length; - if (!strcasecmp(baseptr, emlptr)) - return X509_V_OK; - } - return X509_V_ERR_PERMITTED_VIOLATION; - } - - /* If we have anything before '@' match local part */ - - if (baseat) - { - if (baseat != baseptr) - { - if ((baseat - baseptr) != (emlat - emlptr)) - return X509_V_ERR_PERMITTED_VIOLATION; - /* Case sensitive match of local part */ - if (strncmp(baseptr, emlptr, emlat - emlptr)) - return X509_V_ERR_PERMITTED_VIOLATION; - } - /* Position base after '@' */ - baseptr = baseat + 1; - } - emlptr = emlat + 1; - /* Just have hostname left to match: case insensitive */ - if (strcasecmp(baseptr, emlptr)) - return X509_V_ERR_PERMITTED_VIOLATION; - - return X509_V_OK; - - } - -static int nc_uri(ASN1_IA5STRING *uri, ASN1_IA5STRING *base) - { - const char *baseptr = (char *)base->data; - const char *hostptr = (char *)uri->data; - const char *p = strchr(hostptr, ':'); - int hostlen; - /* Check for foo:// and skip past it */ - if (!p || (p[1] != '/') || (p[2] != '/')) - return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX; - hostptr = p + 3; - - /* Determine length of hostname part of URI */ - - /* Look for a port indicator as end of hostname first */ - - p = strchr(hostptr, ':'); - /* Otherwise look for trailing slash */ - if (!p) - p = strchr(hostptr, '/'); - - if (!p) - hostlen = strlen(hostptr); - else - hostlen = p - hostptr; - - if (hostlen == 0) - return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX; - - /* Special case: inital '.' is RHS match */ - if (*baseptr == '.') - { - if (hostlen > base->length) - { - p = hostptr + hostlen - base->length; - if (!strncasecmp(p, baseptr, base->length)) - return X509_V_OK; - } - return X509_V_ERR_PERMITTED_VIOLATION; - } - - if ((base->length != (int)hostlen) || strncasecmp(hostptr, baseptr, hostlen)) - return X509_V_ERR_PERMITTED_VIOLATION; - - return X509_V_OK; - - } diff --git a/openssl/crypto/x509v3/v3_ocsp.c b/openssl/crypto/x509v3/v3_ocsp.c deleted file mode 100644 index 0c165af3..00000000 --- a/openssl/crypto/x509v3/v3_ocsp.c +++ /dev/null @@ -1,289 +0,0 @@ -/* v3_ocsp.c */ -/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL - * project 1999. - */ -/* ==================================================================== - * Copyright (c) 1999 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#ifndef OPENSSL_NO_OCSP - -#include <stdio.h> -#include "cryptlib.h" -#include <openssl/conf.h> -#include <openssl/asn1.h> -#include <openssl/ocsp.h> -#include <openssl/x509v3.h> - -/* OCSP extensions and a couple of CRL entry extensions - */ - -static int i2r_ocsp_crlid(const X509V3_EXT_METHOD *method, void *nonce, - BIO *out, int indent); -static int i2r_ocsp_acutoff(const X509V3_EXT_METHOD *method, void *nonce, - BIO *out, int indent); -static int i2r_object(const X509V3_EXT_METHOD *method, void *obj, BIO *out, - int indent); - -static void *ocsp_nonce_new(void); -static int i2d_ocsp_nonce(void *a, unsigned char **pp); -static void *d2i_ocsp_nonce(void *a, const unsigned char **pp, long length); -static void ocsp_nonce_free(void *a); -static int i2r_ocsp_nonce(const X509V3_EXT_METHOD *method, void *nonce, - BIO *out, int indent); - -static int i2r_ocsp_nocheck(const X509V3_EXT_METHOD *method, - void *nocheck, BIO *out, int indent); -static void *s2i_ocsp_nocheck(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx, - const char *str); -static int i2r_ocsp_serviceloc(const X509V3_EXT_METHOD *method, void *in, - BIO *bp, int ind); - -const X509V3_EXT_METHOD v3_ocsp_crlid = { - NID_id_pkix_OCSP_CrlID, 0, ASN1_ITEM_ref(OCSP_CRLID), - 0,0,0,0, - 0,0, - 0,0, - i2r_ocsp_crlid,0, - NULL -}; - -const X509V3_EXT_METHOD v3_ocsp_acutoff = { - NID_id_pkix_OCSP_archiveCutoff, 0, ASN1_ITEM_ref(ASN1_GENERALIZEDTIME), - 0,0,0,0, - 0,0, - 0,0, - i2r_ocsp_acutoff,0, - NULL -}; - -const X509V3_EXT_METHOD v3_crl_invdate = { - NID_invalidity_date, 0, ASN1_ITEM_ref(ASN1_GENERALIZEDTIME), - 0,0,0,0, - 0,0, - 0,0, - i2r_ocsp_acutoff,0, - NULL -}; - -const X509V3_EXT_METHOD v3_crl_hold = { - NID_hold_instruction_code, 0, ASN1_ITEM_ref(ASN1_OBJECT), - 0,0,0,0, - 0,0, - 0,0, - i2r_object,0, - NULL -}; - -const X509V3_EXT_METHOD v3_ocsp_nonce = { - NID_id_pkix_OCSP_Nonce, 0, NULL, - ocsp_nonce_new, - ocsp_nonce_free, - d2i_ocsp_nonce, - i2d_ocsp_nonce, - 0,0, - 0,0, - i2r_ocsp_nonce,0, - NULL -}; - -const X509V3_EXT_METHOD v3_ocsp_nocheck = { - NID_id_pkix_OCSP_noCheck, 0, ASN1_ITEM_ref(ASN1_NULL), - 0,0,0,0, - 0,s2i_ocsp_nocheck, - 0,0, - i2r_ocsp_nocheck,0, - NULL -}; - -const X509V3_EXT_METHOD v3_ocsp_serviceloc = { - NID_id_pkix_OCSP_serviceLocator, 0, ASN1_ITEM_ref(OCSP_SERVICELOC), - 0,0,0,0, - 0,0, - 0,0, - i2r_ocsp_serviceloc,0, - NULL -}; - -static int i2r_ocsp_crlid(const X509V3_EXT_METHOD *method, void *in, BIO *bp, - int ind) -{ - OCSP_CRLID *a = in; - if (a->crlUrl) - { - if (BIO_printf(bp, "%*scrlUrl: ", ind, "") <= 0) goto err; - if (!ASN1_STRING_print(bp, (ASN1_STRING*)a->crlUrl)) goto err; - if (BIO_write(bp, "\n", 1) <= 0) goto err; - } - if (a->crlNum) - { - if (BIO_printf(bp, "%*scrlNum: ", ind, "") <= 0) goto err; - if (i2a_ASN1_INTEGER(bp, a->crlNum) <= 0) goto err; - if (BIO_write(bp, "\n", 1) <= 0) goto err; - } - if (a->crlTime) - { - if (BIO_printf(bp, "%*scrlTime: ", ind, "") <= 0) goto err; - if (!ASN1_GENERALIZEDTIME_print(bp, a->crlTime)) goto err; - if (BIO_write(bp, "\n", 1) <= 0) goto err; - } - return 1; - err: - return 0; -} - -static int i2r_ocsp_acutoff(const X509V3_EXT_METHOD *method, void *cutoff, - BIO *bp, int ind) -{ - if (BIO_printf(bp, "%*s", ind, "") <= 0) return 0; - if(!ASN1_GENERALIZEDTIME_print(bp, cutoff)) return 0; - return 1; -} - - -static int i2r_object(const X509V3_EXT_METHOD *method, void *oid, BIO *bp, - int ind) -{ - if (BIO_printf(bp, "%*s", ind, "") <= 0) return 0; - if(i2a_ASN1_OBJECT(bp, oid) <= 0) return 0; - return 1; -} - -/* OCSP nonce. This is needs special treatment because it doesn't have - * an ASN1 encoding at all: it just contains arbitrary data. - */ - -static void *ocsp_nonce_new(void) -{ - return ASN1_OCTET_STRING_new(); -} - -static int i2d_ocsp_nonce(void *a, unsigned char **pp) -{ - ASN1_OCTET_STRING *os = a; - if(pp) { - memcpy(*pp, os->data, os->length); - *pp += os->length; - } - return os->length; -} - -static void *d2i_ocsp_nonce(void *a, const unsigned char **pp, long length) -{ - ASN1_OCTET_STRING *os, **pos; - pos = a; - if(!pos || !*pos) os = ASN1_OCTET_STRING_new(); - else os = *pos; - if(!ASN1_OCTET_STRING_set(os, *pp, length)) goto err; - - *pp += length; - - if(pos) *pos = os; - return os; - - err: - if(os && (!pos || (*pos != os))) M_ASN1_OCTET_STRING_free(os); - OCSPerr(OCSP_F_D2I_OCSP_NONCE, ERR_R_MALLOC_FAILURE); - return NULL; -} - -static void ocsp_nonce_free(void *a) -{ - M_ASN1_OCTET_STRING_free(a); -} - -static int i2r_ocsp_nonce(const X509V3_EXT_METHOD *method, void *nonce, - BIO *out, int indent) -{ - if(BIO_printf(out, "%*s", indent, "") <= 0) return 0; - if(i2a_ASN1_STRING(out, nonce, V_ASN1_OCTET_STRING) <= 0) return 0; - return 1; -} - -/* Nocheck is just a single NULL. Don't print anything and always set it */ - -static int i2r_ocsp_nocheck(const X509V3_EXT_METHOD *method, void *nocheck, - BIO *out, int indent) -{ - return 1; -} - -static void *s2i_ocsp_nocheck(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx, - const char *str) -{ - return ASN1_NULL_new(); -} - -static int i2r_ocsp_serviceloc(const X509V3_EXT_METHOD *method, void *in, - BIO *bp, int ind) - { - int i; - OCSP_SERVICELOC *a = in; - ACCESS_DESCRIPTION *ad; - - if (BIO_printf(bp, "%*sIssuer: ", ind, "") <= 0) goto err; - if (X509_NAME_print_ex(bp, a->issuer, 0, XN_FLAG_ONELINE) <= 0) goto err; - for (i = 0; i < sk_ACCESS_DESCRIPTION_num(a->locator); i++) - { - ad = sk_ACCESS_DESCRIPTION_value(a->locator,i); - if (BIO_printf(bp, "\n%*s", (2*ind), "") <= 0) - goto err; - if(i2a_ASN1_OBJECT(bp, ad->method) <= 0) goto err; - if(BIO_puts(bp, " - ") <= 0) goto err; - if(GENERAL_NAME_print(bp, ad->location) <= 0) goto err; - } - return 1; -err: - return 0; - } -#endif diff --git a/openssl/crypto/x509v3/v3_pci.c b/openssl/crypto/x509v3/v3_pci.c deleted file mode 100644 index 0dcfa004..00000000 --- a/openssl/crypto/x509v3/v3_pci.c +++ /dev/null @@ -1,328 +0,0 @@ -/* v3_pci.c -*- mode:C; c-file-style: "eay" -*- */ -/* Contributed to the OpenSSL Project 2004 - * by Richard Levitte (richard@levitte.org) - */ -/* Copyright (c) 2004 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include <stdio.h> -#include "cryptlib.h" -#include <openssl/conf.h> -#include <openssl/x509v3.h> - -static int i2r_pci(X509V3_EXT_METHOD *method, PROXY_CERT_INFO_EXTENSION *ext, - BIO *out, int indent); -static PROXY_CERT_INFO_EXTENSION *r2i_pci(X509V3_EXT_METHOD *method, - X509V3_CTX *ctx, char *str); - -const X509V3_EXT_METHOD v3_pci = - { NID_proxyCertInfo, 0, ASN1_ITEM_ref(PROXY_CERT_INFO_EXTENSION), - 0,0,0,0, - 0,0, - NULL, NULL, - (X509V3_EXT_I2R)i2r_pci, - (X509V3_EXT_R2I)r2i_pci, - NULL, - }; - -static int i2r_pci(X509V3_EXT_METHOD *method, PROXY_CERT_INFO_EXTENSION *pci, - BIO *out, int indent) - { - BIO_printf(out, "%*sPath Length Constraint: ", indent, ""); - if (pci->pcPathLengthConstraint) - i2a_ASN1_INTEGER(out, pci->pcPathLengthConstraint); - else - BIO_printf(out, "infinite"); - BIO_puts(out, "\n"); - BIO_printf(out, "%*sPolicy Language: ", indent, ""); - i2a_ASN1_OBJECT(out, pci->proxyPolicy->policyLanguage); - BIO_puts(out, "\n"); - if (pci->proxyPolicy->policy && pci->proxyPolicy->policy->data) - BIO_printf(out, "%*sPolicy Text: %s\n", indent, "", - pci->proxyPolicy->policy->data); - return 1; - } - -static int process_pci_value(CONF_VALUE *val, - ASN1_OBJECT **language, ASN1_INTEGER **pathlen, - ASN1_OCTET_STRING **policy) - { - int free_policy = 0; - - if (strcmp(val->name, "language") == 0) - { - if (*language) - { - X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_POLICY_LANGUAGE_ALREADY_DEFINED); - X509V3_conf_err(val); - return 0; - } - if (!(*language = OBJ_txt2obj(val->value, 0))) - { - X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_INVALID_OBJECT_IDENTIFIER); - X509V3_conf_err(val); - return 0; - } - } - else if (strcmp(val->name, "pathlen") == 0) - { - if (*pathlen) - { - X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_POLICY_PATH_LENGTH_ALREADY_DEFINED); - X509V3_conf_err(val); - return 0; - } - if (!X509V3_get_value_int(val, pathlen)) - { - X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_POLICY_PATH_LENGTH); - X509V3_conf_err(val); - return 0; - } - } - else if (strcmp(val->name, "policy") == 0) - { - unsigned char *tmp_data = NULL; - long val_len; - if (!*policy) - { - *policy = ASN1_OCTET_STRING_new(); - if (!*policy) - { - X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_MALLOC_FAILURE); - X509V3_conf_err(val); - return 0; - } - free_policy = 1; - } - if (strncmp(val->value, "hex:", 4) == 0) - { - unsigned char *tmp_data2 = - string_to_hex(val->value + 4, &val_len); - - if (!tmp_data2) - { - X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_ILLEGAL_HEX_DIGIT); - X509V3_conf_err(val); - goto err; - } - - tmp_data = OPENSSL_realloc((*policy)->data, - (*policy)->length + val_len + 1); - if (tmp_data) - { - (*policy)->data = tmp_data; - memcpy(&(*policy)->data[(*policy)->length], - tmp_data2, val_len); - (*policy)->length += val_len; - (*policy)->data[(*policy)->length] = '\0'; - } - else - { - OPENSSL_free(tmp_data2); - /* realloc failure implies the original data space is b0rked too! */ - (*policy)->data = NULL; - (*policy)->length = 0; - X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_MALLOC_FAILURE); - X509V3_conf_err(val); - goto err; - } - OPENSSL_free(tmp_data2); - } - else if (strncmp(val->value, "file:", 5) == 0) - { - unsigned char buf[2048]; - int n; - BIO *b = BIO_new_file(val->value + 5, "r"); - if (!b) - { - X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_BIO_LIB); - X509V3_conf_err(val); - goto err; - } - while((n = BIO_read(b, buf, sizeof(buf))) > 0 - || (n == 0 && BIO_should_retry(b))) - { - if (!n) continue; - - tmp_data = OPENSSL_realloc((*policy)->data, - (*policy)->length + n + 1); - - if (!tmp_data) - break; - - (*policy)->data = tmp_data; - memcpy(&(*policy)->data[(*policy)->length], - buf, n); - (*policy)->length += n; - (*policy)->data[(*policy)->length] = '\0'; - } - BIO_free_all(b); - - if (n < 0) - { - X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_BIO_LIB); - X509V3_conf_err(val); - goto err; - } - } - else if (strncmp(val->value, "text:", 5) == 0) - { - val_len = strlen(val->value + 5); - tmp_data = OPENSSL_realloc((*policy)->data, - (*policy)->length + val_len + 1); - if (tmp_data) - { - (*policy)->data = tmp_data; - memcpy(&(*policy)->data[(*policy)->length], - val->value + 5, val_len); - (*policy)->length += val_len; - (*policy)->data[(*policy)->length] = '\0'; - } - else - { - /* realloc failure implies the original data space is b0rked too! */ - (*policy)->data = NULL; - (*policy)->length = 0; - X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_MALLOC_FAILURE); - X509V3_conf_err(val); - goto err; - } - } - else - { - X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_INCORRECT_POLICY_SYNTAX_TAG); - X509V3_conf_err(val); - goto err; - } - if (!tmp_data) - { - X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_MALLOC_FAILURE); - X509V3_conf_err(val); - goto err; - } - } - return 1; -err: - if (free_policy) - { - ASN1_OCTET_STRING_free(*policy); - *policy = NULL; - } - return 0; - } - -static PROXY_CERT_INFO_EXTENSION *r2i_pci(X509V3_EXT_METHOD *method, - X509V3_CTX *ctx, char *value) - { - PROXY_CERT_INFO_EXTENSION *pci = NULL; - STACK_OF(CONF_VALUE) *vals; - ASN1_OBJECT *language = NULL; - ASN1_INTEGER *pathlen = NULL; - ASN1_OCTET_STRING *policy = NULL; - int i, j; - - vals = X509V3_parse_list(value); - for (i = 0; i < sk_CONF_VALUE_num(vals); i++) - { - CONF_VALUE *cnf = sk_CONF_VALUE_value(vals, i); - if (!cnf->name || (*cnf->name != '@' && !cnf->value)) - { - X509V3err(X509V3_F_R2I_PCI,X509V3_R_INVALID_PROXY_POLICY_SETTING); - X509V3_conf_err(cnf); - goto err; - } - if (*cnf->name == '@') - { - STACK_OF(CONF_VALUE) *sect; - int success_p = 1; - - sect = X509V3_get_section(ctx, cnf->name + 1); - if (!sect) - { - X509V3err(X509V3_F_R2I_PCI,X509V3_R_INVALID_SECTION); - X509V3_conf_err(cnf); - goto err; - } - for (j = 0; success_p && j < sk_CONF_VALUE_num(sect); j++) - { - success_p = - process_pci_value(sk_CONF_VALUE_value(sect, j), - &language, &pathlen, &policy); - } - X509V3_section_free(ctx, sect); - if (!success_p) - goto err; - } - else - { - if (!process_pci_value(cnf, - &language, &pathlen, &policy)) - { - X509V3_conf_err(cnf); - goto err; - } - } - } - - /* Language is mandatory */ - if (!language) - { - X509V3err(X509V3_F_R2I_PCI,X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED); - goto err; - } - i = OBJ_obj2nid(language); - if ((i == NID_Independent || i == NID_id_ppl_inheritAll) && policy) - { - X509V3err(X509V3_F_R2I_PCI,X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY); - goto err; - } - - pci = PROXY_CERT_INFO_EXTENSION_new(); - if (!pci) - { - X509V3err(X509V3_F_R2I_PCI,ERR_R_MALLOC_FAILURE); - goto err; - } - - pci->proxyPolicy->policyLanguage = language; language = NULL; - pci->proxyPolicy->policy = policy; policy = NULL; - pci->pcPathLengthConstraint = pathlen; pathlen = NULL; - goto end; -err: - if (language) { ASN1_OBJECT_free(language); language = NULL; } - if (pathlen) { ASN1_INTEGER_free(pathlen); pathlen = NULL; } - if (policy) { ASN1_OCTET_STRING_free(policy); policy = NULL; } - if (pci) { PROXY_CERT_INFO_EXTENSION_free(pci); pci = NULL; } -end: - sk_CONF_VALUE_pop_free(vals, X509V3_conf_free); - return pci; - } diff --git a/openssl/crypto/x509v3/v3_pcia.c b/openssl/crypto/x509v3/v3_pcia.c deleted file mode 100644 index bb362e0e..00000000 --- a/openssl/crypto/x509v3/v3_pcia.c +++ /dev/null @@ -1,55 +0,0 @@ -/* v3_pcia.c -*- mode:C; c-file-style: "eay" -*- */ -/* Contributed to the OpenSSL Project 2004 - * by Richard Levitte (richard@levitte.org) - */ -/* Copyright (c) 2004 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include <openssl/asn1.h> -#include <openssl/asn1t.h> -#include <openssl/x509v3.h> - -ASN1_SEQUENCE(PROXY_POLICY) = - { - ASN1_SIMPLE(PROXY_POLICY,policyLanguage,ASN1_OBJECT), - ASN1_OPT(PROXY_POLICY,policy,ASN1_OCTET_STRING) -} ASN1_SEQUENCE_END(PROXY_POLICY) - -IMPLEMENT_ASN1_FUNCTIONS(PROXY_POLICY) - -ASN1_SEQUENCE(PROXY_CERT_INFO_EXTENSION) = - { - ASN1_OPT(PROXY_CERT_INFO_EXTENSION,pcPathLengthConstraint,ASN1_INTEGER), - ASN1_SIMPLE(PROXY_CERT_INFO_EXTENSION,proxyPolicy,PROXY_POLICY) -} ASN1_SEQUENCE_END(PROXY_CERT_INFO_EXTENSION) - -IMPLEMENT_ASN1_FUNCTIONS(PROXY_CERT_INFO_EXTENSION) diff --git a/openssl/crypto/x509v3/v3_pcons.c b/openssl/crypto/x509v3/v3_pcons.c deleted file mode 100644 index 30ca6523..00000000 --- a/openssl/crypto/x509v3/v3_pcons.c +++ /dev/null @@ -1,140 +0,0 @@ -/* v3_pcons.c */ -/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL - * project. - */ -/* ==================================================================== - * Copyright (c) 2003 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - - -#include <stdio.h> -#include "cryptlib.h" -#include <openssl/asn1.h> -#include <openssl/asn1t.h> -#include <openssl/conf.h> -#include <openssl/x509v3.h> - -static STACK_OF(CONF_VALUE) * -i2v_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD *method, void *bcons, - STACK_OF(CONF_VALUE) *extlist); -static void *v2i_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD *method, - X509V3_CTX *ctx, - STACK_OF(CONF_VALUE) *values); - -const X509V3_EXT_METHOD v3_policy_constraints = { -NID_policy_constraints, 0, -ASN1_ITEM_ref(POLICY_CONSTRAINTS), -0,0,0,0, -0,0, -i2v_POLICY_CONSTRAINTS, -v2i_POLICY_CONSTRAINTS, -NULL,NULL, -NULL -}; - -ASN1_SEQUENCE(POLICY_CONSTRAINTS) = { - ASN1_IMP_OPT(POLICY_CONSTRAINTS, requireExplicitPolicy, ASN1_INTEGER,0), - ASN1_IMP_OPT(POLICY_CONSTRAINTS, inhibitPolicyMapping, ASN1_INTEGER,1) -} ASN1_SEQUENCE_END(POLICY_CONSTRAINTS) - -IMPLEMENT_ASN1_ALLOC_FUNCTIONS(POLICY_CONSTRAINTS) - - -static STACK_OF(CONF_VALUE) * -i2v_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD *method, void *a, - STACK_OF(CONF_VALUE) *extlist) -{ - POLICY_CONSTRAINTS *pcons = a; - X509V3_add_value_int("Require Explicit Policy", - pcons->requireExplicitPolicy, &extlist); - X509V3_add_value_int("Inhibit Policy Mapping", - pcons->inhibitPolicyMapping, &extlist); - return extlist; -} - -static void *v2i_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD *method, - X509V3_CTX *ctx, - STACK_OF(CONF_VALUE) *values) -{ - POLICY_CONSTRAINTS *pcons=NULL; - CONF_VALUE *val; - int i; - if(!(pcons = POLICY_CONSTRAINTS_new())) { - X509V3err(X509V3_F_V2I_POLICY_CONSTRAINTS, ERR_R_MALLOC_FAILURE); - return NULL; - } - for(i = 0; i < sk_CONF_VALUE_num(values); i++) { - val = sk_CONF_VALUE_value(values, i); - if(!strcmp(val->name, "requireExplicitPolicy")) { - if(!X509V3_get_value_int(val, - &pcons->requireExplicitPolicy)) goto err; - } else if(!strcmp(val->name, "inhibitPolicyMapping")) { - if(!X509V3_get_value_int(val, - &pcons->inhibitPolicyMapping)) goto err; - } else { - X509V3err(X509V3_F_V2I_POLICY_CONSTRAINTS, X509V3_R_INVALID_NAME); - X509V3_conf_err(val); - goto err; - } - } - if (!pcons->inhibitPolicyMapping && !pcons->requireExplicitPolicy) { - X509V3err(X509V3_F_V2I_POLICY_CONSTRAINTS, X509V3_R_ILLEGAL_EMPTY_EXTENSION); - goto err; - } - - return pcons; - err: - POLICY_CONSTRAINTS_free(pcons); - return NULL; -} - diff --git a/openssl/crypto/x509v3/v3_pku.c b/openssl/crypto/x509v3/v3_pku.c deleted file mode 100644 index 076f3ff4..00000000 --- a/openssl/crypto/x509v3/v3_pku.c +++ /dev/null @@ -1,108 +0,0 @@ -/* v3_pku.c */ -/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL - * project 1999. - */ -/* ==================================================================== - * Copyright (c) 1999 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#include <stdio.h> -#include "cryptlib.h" -#include <openssl/asn1.h> -#include <openssl/asn1t.h> -#include <openssl/x509v3.h> - -static int i2r_PKEY_USAGE_PERIOD(X509V3_EXT_METHOD *method, PKEY_USAGE_PERIOD *usage, BIO *out, int indent); -/* -static PKEY_USAGE_PERIOD *v2i_PKEY_USAGE_PERIOD(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values); -*/ -const X509V3_EXT_METHOD v3_pkey_usage_period = { -NID_private_key_usage_period, 0, ASN1_ITEM_ref(PKEY_USAGE_PERIOD), -0,0,0,0, -0,0,0,0, -(X509V3_EXT_I2R)i2r_PKEY_USAGE_PERIOD, NULL, -NULL -}; - -ASN1_SEQUENCE(PKEY_USAGE_PERIOD) = { - ASN1_IMP_OPT(PKEY_USAGE_PERIOD, notBefore, ASN1_GENERALIZEDTIME, 0), - ASN1_IMP_OPT(PKEY_USAGE_PERIOD, notAfter, ASN1_GENERALIZEDTIME, 1) -} ASN1_SEQUENCE_END(PKEY_USAGE_PERIOD) - -IMPLEMENT_ASN1_FUNCTIONS(PKEY_USAGE_PERIOD) - -static int i2r_PKEY_USAGE_PERIOD(X509V3_EXT_METHOD *method, - PKEY_USAGE_PERIOD *usage, BIO *out, int indent) -{ - BIO_printf(out, "%*s", indent, ""); - if(usage->notBefore) { - BIO_write(out, "Not Before: ", 12); - ASN1_GENERALIZEDTIME_print(out, usage->notBefore); - if(usage->notAfter) BIO_write(out, ", ", 2); - } - if(usage->notAfter) { - BIO_write(out, "Not After: ", 11); - ASN1_GENERALIZEDTIME_print(out, usage->notAfter); - } - return 1; -} - -/* -static PKEY_USAGE_PERIOD *v2i_PKEY_USAGE_PERIOD(method, ctx, values) -X509V3_EXT_METHOD *method; -X509V3_CTX *ctx; -STACK_OF(CONF_VALUE) *values; -{ -return NULL; -} -*/ diff --git a/openssl/crypto/x509v3/v3_pmaps.c b/openssl/crypto/x509v3/v3_pmaps.c deleted file mode 100644 index 865bcd39..00000000 --- a/openssl/crypto/x509v3/v3_pmaps.c +++ /dev/null @@ -1,155 +0,0 @@ -/* v3_pmaps.c */ -/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL - * project. - */ -/* ==================================================================== - * Copyright (c) 2003 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - - -#include <stdio.h> -#include "cryptlib.h" -#include <openssl/asn1t.h> -#include <openssl/conf.h> -#include <openssl/x509v3.h> - -static void *v2i_POLICY_MAPPINGS(const X509V3_EXT_METHOD *method, - X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval); -static STACK_OF(CONF_VALUE) * -i2v_POLICY_MAPPINGS(const X509V3_EXT_METHOD *method, void *pmps, - STACK_OF(CONF_VALUE) *extlist); - -const X509V3_EXT_METHOD v3_policy_mappings = { - NID_policy_mappings, 0, - ASN1_ITEM_ref(POLICY_MAPPINGS), - 0,0,0,0, - 0,0, - i2v_POLICY_MAPPINGS, - v2i_POLICY_MAPPINGS, - 0,0, - NULL -}; - -ASN1_SEQUENCE(POLICY_MAPPING) = { - ASN1_SIMPLE(POLICY_MAPPING, issuerDomainPolicy, ASN1_OBJECT), - ASN1_SIMPLE(POLICY_MAPPING, subjectDomainPolicy, ASN1_OBJECT) -} ASN1_SEQUENCE_END(POLICY_MAPPING) - -ASN1_ITEM_TEMPLATE(POLICY_MAPPINGS) = - ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, POLICY_MAPPINGS, - POLICY_MAPPING) -ASN1_ITEM_TEMPLATE_END(POLICY_MAPPINGS) - -IMPLEMENT_ASN1_ALLOC_FUNCTIONS(POLICY_MAPPING) - - -static STACK_OF(CONF_VALUE) * -i2v_POLICY_MAPPINGS(const X509V3_EXT_METHOD *method, void *a, - STACK_OF(CONF_VALUE) *ext_list) -{ - POLICY_MAPPINGS *pmaps = a; - POLICY_MAPPING *pmap; - int i; - char obj_tmp1[80]; - char obj_tmp2[80]; - for(i = 0; i < sk_POLICY_MAPPING_num(pmaps); i++) { - pmap = sk_POLICY_MAPPING_value(pmaps, i); - i2t_ASN1_OBJECT(obj_tmp1, 80, pmap->issuerDomainPolicy); - i2t_ASN1_OBJECT(obj_tmp2, 80, pmap->subjectDomainPolicy); - X509V3_add_value(obj_tmp1, obj_tmp2, &ext_list); - } - return ext_list; -} - -static void *v2i_POLICY_MAPPINGS(const X509V3_EXT_METHOD *method, - X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval) -{ - POLICY_MAPPINGS *pmaps; - POLICY_MAPPING *pmap; - ASN1_OBJECT *obj1, *obj2; - CONF_VALUE *val; - int i; - - if(!(pmaps = sk_POLICY_MAPPING_new_null())) { - X509V3err(X509V3_F_V2I_POLICY_MAPPINGS,ERR_R_MALLOC_FAILURE); - return NULL; - } - - for(i = 0; i < sk_CONF_VALUE_num(nval); i++) { - val = sk_CONF_VALUE_value(nval, i); - if(!val->value || !val->name) { - sk_POLICY_MAPPING_pop_free(pmaps, POLICY_MAPPING_free); - X509V3err(X509V3_F_V2I_POLICY_MAPPINGS,X509V3_R_INVALID_OBJECT_IDENTIFIER); - X509V3_conf_err(val); - return NULL; - } - obj1 = OBJ_txt2obj(val->name, 0); - obj2 = OBJ_txt2obj(val->value, 0); - if(!obj1 || !obj2) { - sk_POLICY_MAPPING_pop_free(pmaps, POLICY_MAPPING_free); - X509V3err(X509V3_F_V2I_POLICY_MAPPINGS,X509V3_R_INVALID_OBJECT_IDENTIFIER); - X509V3_conf_err(val); - return NULL; - } - pmap = POLICY_MAPPING_new(); - if (!pmap) { - sk_POLICY_MAPPING_pop_free(pmaps, POLICY_MAPPING_free); - X509V3err(X509V3_F_V2I_POLICY_MAPPINGS,ERR_R_MALLOC_FAILURE); - return NULL; - } - pmap->issuerDomainPolicy = obj1; - pmap->subjectDomainPolicy = obj2; - sk_POLICY_MAPPING_push(pmaps, pmap); - } - return pmaps; -} diff --git a/openssl/crypto/x509v3/v3_prn.c b/openssl/crypto/x509v3/v3_prn.c deleted file mode 100644 index 31462187..00000000 --- a/openssl/crypto/x509v3/v3_prn.c +++ /dev/null @@ -1,234 +0,0 @@ -/* v3_prn.c */ -/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL - * project 1999. - */ -/* ==================================================================== - * Copyright (c) 1999 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ -/* X509 v3 extension utilities */ - -#include <stdio.h> -#include "cryptlib.h" -#include <openssl/conf.h> -#include <openssl/x509v3.h> - -/* Extension printing routines */ - -static int unknown_ext_print(BIO *out, X509_EXTENSION *ext, unsigned long flag, int indent, int supported); - -/* Print out a name+value stack */ - -void X509V3_EXT_val_prn(BIO *out, STACK_OF(CONF_VALUE) *val, int indent, int ml) -{ - int i; - CONF_VALUE *nval; - if(!val) return; - if(!ml || !sk_CONF_VALUE_num(val)) { - BIO_printf(out, "%*s", indent, ""); - if(!sk_CONF_VALUE_num(val)) BIO_puts(out, "<EMPTY>\n"); - } - for(i = 0; i < sk_CONF_VALUE_num(val); i++) { - if(ml) BIO_printf(out, "%*s", indent, ""); - else if(i > 0) BIO_printf(out, ", "); - nval = sk_CONF_VALUE_value(val, i); - if(!nval->name) BIO_puts(out, nval->value); - else if(!nval->value) BIO_puts(out, nval->name); -#ifndef CHARSET_EBCDIC - else BIO_printf(out, "%s:%s", nval->name, nval->value); -#else - else { - int len; - char *tmp; - len = strlen(nval->value)+1; - tmp = OPENSSL_malloc(len); - if (tmp) - { - ascii2ebcdic(tmp, nval->value, len); - BIO_printf(out, "%s:%s", nval->name, tmp); - OPENSSL_free(tmp); - } - } -#endif - if(ml) BIO_puts(out, "\n"); - } -} - -/* Main routine: print out a general extension */ - -int X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, unsigned long flag, int indent) -{ - void *ext_str = NULL; - char *value = NULL; - const unsigned char *p; - const X509V3_EXT_METHOD *method; - STACK_OF(CONF_VALUE) *nval = NULL; - int ok = 1; - - if(!(method = X509V3_EXT_get(ext))) - return unknown_ext_print(out, ext, flag, indent, 0); - p = ext->value->data; - if(method->it) ext_str = ASN1_item_d2i(NULL, &p, ext->value->length, ASN1_ITEM_ptr(method->it)); - else ext_str = method->d2i(NULL, &p, ext->value->length); - - if(!ext_str) return unknown_ext_print(out, ext, flag, indent, 1); - - if(method->i2s) { - if(!(value = method->i2s(method, ext_str))) { - ok = 0; - goto err; - } -#ifndef CHARSET_EBCDIC - BIO_printf(out, "%*s%s", indent, "", value); -#else - { - int len; - char *tmp; - len = strlen(value)+1; - tmp = OPENSSL_malloc(len); - if (tmp) - { - ascii2ebcdic(tmp, value, len); - BIO_printf(out, "%*s%s", indent, "", tmp); - OPENSSL_free(tmp); - } - } -#endif - } else if(method->i2v) { - if(!(nval = method->i2v(method, ext_str, NULL))) { - ok = 0; - goto err; - } - X509V3_EXT_val_prn(out, nval, indent, - method->ext_flags & X509V3_EXT_MULTILINE); - } else if(method->i2r) { - if(!method->i2r(method, ext_str, out, indent)) ok = 0; - } else ok = 0; - - err: - sk_CONF_VALUE_pop_free(nval, X509V3_conf_free); - if(value) OPENSSL_free(value); - if(method->it) ASN1_item_free(ext_str, ASN1_ITEM_ptr(method->it)); - else method->ext_free(ext_str); - return ok; -} - -int X509V3_extensions_print(BIO *bp, char *title, STACK_OF(X509_EXTENSION) *exts, unsigned long flag, int indent) -{ - int i, j; - - if(sk_X509_EXTENSION_num(exts) <= 0) return 1; - - if(title) - { - BIO_printf(bp,"%*s%s:\n",indent, "", title); - indent += 4; - } - - for (i=0; i<sk_X509_EXTENSION_num(exts); i++) - { - ASN1_OBJECT *obj; - X509_EXTENSION *ex; - ex=sk_X509_EXTENSION_value(exts, i); - if (indent && BIO_printf(bp,"%*s",indent, "") <= 0) return 0; - obj=X509_EXTENSION_get_object(ex); - i2a_ASN1_OBJECT(bp,obj); - j=X509_EXTENSION_get_critical(ex); - if (BIO_printf(bp,": %s\n",j?"critical":"") <= 0) - return 0; - if(!X509V3_EXT_print(bp, ex, flag, indent + 4)) - { - BIO_printf(bp, "%*s", indent + 4, ""); - M_ASN1_OCTET_STRING_print(bp,ex->value); - } - if (BIO_write(bp,"\n",1) <= 0) return 0; - } - return 1; -} - -static int unknown_ext_print(BIO *out, X509_EXTENSION *ext, unsigned long flag, int indent, int supported) -{ - switch(flag & X509V3_EXT_UNKNOWN_MASK) { - - case X509V3_EXT_DEFAULT: - return 0; - - case X509V3_EXT_ERROR_UNKNOWN: - if(supported) - BIO_printf(out, "%*s<Parse Error>", indent, ""); - else - BIO_printf(out, "%*s<Not Supported>", indent, ""); - return 1; - - case X509V3_EXT_PARSE_UNKNOWN: - return ASN1_parse_dump(out, - ext->value->data, ext->value->length, indent, -1); - case X509V3_EXT_DUMP_UNKNOWN: - return BIO_dump_indent(out, (char *)ext->value->data, ext->value->length, indent); - - default: - return 1; - } -} - - -#ifndef OPENSSL_NO_FP_API -int X509V3_EXT_print_fp(FILE *fp, X509_EXTENSION *ext, int flag, int indent) -{ - BIO *bio_tmp; - int ret; - if(!(bio_tmp = BIO_new_fp(fp, BIO_NOCLOSE))) return 0; - ret = X509V3_EXT_print(bio_tmp, ext, flag, indent); - BIO_free(bio_tmp); - return ret; -} -#endif diff --git a/openssl/crypto/x509v3/v3_purp.c b/openssl/crypto/x509v3/v3_purp.c deleted file mode 100644 index 181bd349..00000000 --- a/openssl/crypto/x509v3/v3_purp.c +++ /dev/null @@ -1,767 +0,0 @@ -/* v3_purp.c */ -/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL - * project 2001. - */ -/* ==================================================================== - * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#include <stdio.h> -#include "cryptlib.h" -#include <openssl/x509v3.h> -#include <openssl/x509_vfy.h> - -static void x509v3_cache_extensions(X509 *x); - -static int check_ssl_ca(const X509 *x); -static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, int ca); -static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca); -static int check_purpose_ns_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca); -static int purpose_smime(const X509 *x, int ca); -static int check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x, int ca); -static int check_purpose_smime_encrypt(const X509_PURPOSE *xp, const X509 *x, int ca); -static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x, int ca); -static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x, int ca); -static int no_check(const X509_PURPOSE *xp, const X509 *x, int ca); -static int ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca); - -static int xp_cmp(const X509_PURPOSE * const *a, - const X509_PURPOSE * const *b); -static void xptable_free(X509_PURPOSE *p); - -static X509_PURPOSE xstandard[] = { - {X509_PURPOSE_SSL_CLIENT, X509_TRUST_SSL_CLIENT, 0, check_purpose_ssl_client, "SSL client", "sslclient", NULL}, - {X509_PURPOSE_SSL_SERVER, X509_TRUST_SSL_SERVER, 0, check_purpose_ssl_server, "SSL server", "sslserver", NULL}, - {X509_PURPOSE_NS_SSL_SERVER, X509_TRUST_SSL_SERVER, 0, check_purpose_ns_ssl_server, "Netscape SSL server", "nssslserver", NULL}, - {X509_PURPOSE_SMIME_SIGN, X509_TRUST_EMAIL, 0, check_purpose_smime_sign, "S/MIME signing", "smimesign", NULL}, - {X509_PURPOSE_SMIME_ENCRYPT, X509_TRUST_EMAIL, 0, check_purpose_smime_encrypt, "S/MIME encryption", "smimeencrypt", NULL}, - {X509_PURPOSE_CRL_SIGN, X509_TRUST_COMPAT, 0, check_purpose_crl_sign, "CRL signing", "crlsign", NULL}, - {X509_PURPOSE_ANY, X509_TRUST_DEFAULT, 0, no_check, "Any Purpose", "any", NULL}, - {X509_PURPOSE_OCSP_HELPER, X509_TRUST_COMPAT, 0, ocsp_helper, "OCSP helper", "ocsphelper", NULL}, - {X509_PURPOSE_TIMESTAMP_SIGN, X509_TRUST_TSA, 0, check_purpose_timestamp_sign, "Time Stamp signing", "timestampsign", NULL}, -}; - -#define X509_PURPOSE_COUNT (sizeof(xstandard)/sizeof(X509_PURPOSE)) - -IMPLEMENT_STACK_OF(X509_PURPOSE) - -static STACK_OF(X509_PURPOSE) *xptable = NULL; - -static int xp_cmp(const X509_PURPOSE * const *a, - const X509_PURPOSE * const *b) -{ - return (*a)->purpose - (*b)->purpose; -} - -/* As much as I'd like to make X509_check_purpose use a "const" X509* - * I really can't because it does recalculate hashes and do other non-const - * things. */ -int X509_check_purpose(X509 *x, int id, int ca) -{ - int idx; - const X509_PURPOSE *pt; - if(!(x->ex_flags & EXFLAG_SET)) { - CRYPTO_w_lock(CRYPTO_LOCK_X509); - x509v3_cache_extensions(x); - CRYPTO_w_unlock(CRYPTO_LOCK_X509); - } - if(id == -1) return 1; - idx = X509_PURPOSE_get_by_id(id); - if(idx == -1) return -1; - pt = X509_PURPOSE_get0(idx); - return pt->check_purpose(pt, x, ca); -} - -int X509_PURPOSE_set(int *p, int purpose) -{ - if(X509_PURPOSE_get_by_id(purpose) == -1) { - X509V3err(X509V3_F_X509_PURPOSE_SET, X509V3_R_INVALID_PURPOSE); - return 0; - } - *p = purpose; - return 1; -} - -int X509_PURPOSE_get_count(void) -{ - if(!xptable) return X509_PURPOSE_COUNT; - return sk_X509_PURPOSE_num(xptable) + X509_PURPOSE_COUNT; -} - -X509_PURPOSE * X509_PURPOSE_get0(int idx) -{ - if(idx < 0) return NULL; - if(idx < (int)X509_PURPOSE_COUNT) return xstandard + idx; - return sk_X509_PURPOSE_value(xptable, idx - X509_PURPOSE_COUNT); -} - -int X509_PURPOSE_get_by_sname(char *sname) -{ - int i; - X509_PURPOSE *xptmp; - for(i = 0; i < X509_PURPOSE_get_count(); i++) { - xptmp = X509_PURPOSE_get0(i); - if(!strcmp(xptmp->sname, sname)) return i; - } - return -1; -} - -int X509_PURPOSE_get_by_id(int purpose) -{ - X509_PURPOSE tmp; - int idx; - if((purpose >= X509_PURPOSE_MIN) && (purpose <= X509_PURPOSE_MAX)) - return purpose - X509_PURPOSE_MIN; - tmp.purpose = purpose; - if(!xptable) return -1; - idx = sk_X509_PURPOSE_find(xptable, &tmp); - if(idx == -1) return -1; - return idx + X509_PURPOSE_COUNT; -} - -int X509_PURPOSE_add(int id, int trust, int flags, - int (*ck)(const X509_PURPOSE *, const X509 *, int), - char *name, char *sname, void *arg) -{ - int idx; - X509_PURPOSE *ptmp; - /* This is set according to what we change: application can't set it */ - flags &= ~X509_PURPOSE_DYNAMIC; - /* This will always be set for application modified trust entries */ - flags |= X509_PURPOSE_DYNAMIC_NAME; - /* Get existing entry if any */ - idx = X509_PURPOSE_get_by_id(id); - /* Need a new entry */ - if(idx == -1) { - if(!(ptmp = OPENSSL_malloc(sizeof(X509_PURPOSE)))) { - X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE); - return 0; - } - ptmp->flags = X509_PURPOSE_DYNAMIC; - } else ptmp = X509_PURPOSE_get0(idx); - - /* OPENSSL_free existing name if dynamic */ - if(ptmp->flags & X509_PURPOSE_DYNAMIC_NAME) { - OPENSSL_free(ptmp->name); - OPENSSL_free(ptmp->sname); - } - /* dup supplied name */ - ptmp->name = BUF_strdup(name); - ptmp->sname = BUF_strdup(sname); - if(!ptmp->name || !ptmp->sname) { - X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE); - return 0; - } - /* Keep the dynamic flag of existing entry */ - ptmp->flags &= X509_PURPOSE_DYNAMIC; - /* Set all other flags */ - ptmp->flags |= flags; - - ptmp->purpose = id; - ptmp->trust = trust; - ptmp->check_purpose = ck; - ptmp->usr_data = arg; - - /* If its a new entry manage the dynamic table */ - if(idx == -1) { - if(!xptable && !(xptable = sk_X509_PURPOSE_new(xp_cmp))) { - X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE); - return 0; - } - if (!sk_X509_PURPOSE_push(xptable, ptmp)) { - X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE); - return 0; - } - } - return 1; -} - -static void xptable_free(X509_PURPOSE *p) - { - if(!p) return; - if (p->flags & X509_PURPOSE_DYNAMIC) - { - if (p->flags & X509_PURPOSE_DYNAMIC_NAME) { - OPENSSL_free(p->name); - OPENSSL_free(p->sname); - } - OPENSSL_free(p); - } - } - -void X509_PURPOSE_cleanup(void) -{ - unsigned int i; - sk_X509_PURPOSE_pop_free(xptable, xptable_free); - for(i = 0; i < X509_PURPOSE_COUNT; i++) xptable_free(xstandard + i); - xptable = NULL; -} - -int X509_PURPOSE_get_id(X509_PURPOSE *xp) -{ - return xp->purpose; -} - -char *X509_PURPOSE_get0_name(X509_PURPOSE *xp) -{ - return xp->name; -} - -char *X509_PURPOSE_get0_sname(X509_PURPOSE *xp) -{ - return xp->sname; -} - -int X509_PURPOSE_get_trust(X509_PURPOSE *xp) -{ - return xp->trust; -} - -static int nid_cmp(const int *a, const int *b) - { - return *a - *b; - } - -DECLARE_OBJ_BSEARCH_CMP_FN(int, int, nid); -IMPLEMENT_OBJ_BSEARCH_CMP_FN(int, int, nid); - -int X509_supported_extension(X509_EXTENSION *ex) - { - /* This table is a list of the NIDs of supported extensions: - * that is those which are used by the verify process. If - * an extension is critical and doesn't appear in this list - * then the verify process will normally reject the certificate. - * The list must be kept in numerical order because it will be - * searched using bsearch. - */ - - static const int supported_nids[] = { - NID_netscape_cert_type, /* 71 */ - NID_key_usage, /* 83 */ - NID_subject_alt_name, /* 85 */ - NID_basic_constraints, /* 87 */ - NID_certificate_policies, /* 89 */ - NID_ext_key_usage, /* 126 */ -#ifndef OPENSSL_NO_RFC3779 - NID_sbgp_ipAddrBlock, /* 290 */ - NID_sbgp_autonomousSysNum, /* 291 */ -#endif - NID_policy_constraints, /* 401 */ - NID_proxyCertInfo, /* 663 */ - NID_name_constraints, /* 666 */ - NID_policy_mappings, /* 747 */ - NID_inhibit_any_policy /* 748 */ - }; - - int ex_nid = OBJ_obj2nid(X509_EXTENSION_get_object(ex)); - - if (ex_nid == NID_undef) - return 0; - - if (OBJ_bsearch_nid(&ex_nid, supported_nids, - sizeof(supported_nids)/sizeof(int))) - return 1; - return 0; - } - -static void setup_dp(X509 *x, DIST_POINT *dp) - { - X509_NAME *iname = NULL; - int i; - if (dp->reasons) - { - if (dp->reasons->length > 0) - dp->dp_reasons = dp->reasons->data[0]; - if (dp->reasons->length > 1) - dp->dp_reasons |= (dp->reasons->data[1] << 8); - dp->dp_reasons &= CRLDP_ALL_REASONS; - } - else - dp->dp_reasons = CRLDP_ALL_REASONS; - if (!dp->distpoint || (dp->distpoint->type != 1)) - return; - for (i = 0; i < sk_GENERAL_NAME_num(dp->CRLissuer); i++) - { - GENERAL_NAME *gen = sk_GENERAL_NAME_value(dp->CRLissuer, i); - if (gen->type == GEN_DIRNAME) - { - iname = gen->d.directoryName; - break; - } - } - if (!iname) - iname = X509_get_issuer_name(x); - - DIST_POINT_set_dpname(dp->distpoint, iname); - - } - -static void setup_crldp(X509 *x) - { - int i; - x->crldp = X509_get_ext_d2i(x, NID_crl_distribution_points, NULL, NULL); - for (i = 0; i < sk_DIST_POINT_num(x->crldp); i++) - setup_dp(x, sk_DIST_POINT_value(x->crldp, i)); - } - -static void x509v3_cache_extensions(X509 *x) -{ - BASIC_CONSTRAINTS *bs; - PROXY_CERT_INFO_EXTENSION *pci; - ASN1_BIT_STRING *usage; - ASN1_BIT_STRING *ns; - EXTENDED_KEY_USAGE *extusage; - X509_EXTENSION *ex; - - int i; - if(x->ex_flags & EXFLAG_SET) return; -#ifndef OPENSSL_NO_SHA - X509_digest(x, EVP_sha1(), x->sha1_hash, NULL); -#endif - /* Does subject name match issuer ? */ - if(!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x))) - x->ex_flags |= EXFLAG_SI; - /* V1 should mean no extensions ... */ - if(!X509_get_version(x)) x->ex_flags |= EXFLAG_V1; - /* Handle basic constraints */ - if((bs=X509_get_ext_d2i(x, NID_basic_constraints, NULL, NULL))) { - if(bs->ca) x->ex_flags |= EXFLAG_CA; - if(bs->pathlen) { - if((bs->pathlen->type == V_ASN1_NEG_INTEGER) - || !bs->ca) { - x->ex_flags |= EXFLAG_INVALID; - x->ex_pathlen = 0; - } else x->ex_pathlen = ASN1_INTEGER_get(bs->pathlen); - } else x->ex_pathlen = -1; - BASIC_CONSTRAINTS_free(bs); - x->ex_flags |= EXFLAG_BCONS; - } - /* Handle proxy certificates */ - if((pci=X509_get_ext_d2i(x, NID_proxyCertInfo, NULL, NULL))) { - if (x->ex_flags & EXFLAG_CA - || X509_get_ext_by_NID(x, NID_subject_alt_name, 0) >= 0 - || X509_get_ext_by_NID(x, NID_issuer_alt_name, 0) >= 0) { - x->ex_flags |= EXFLAG_INVALID; - } - if (pci->pcPathLengthConstraint) { - x->ex_pcpathlen = - ASN1_INTEGER_get(pci->pcPathLengthConstraint); - } else x->ex_pcpathlen = -1; - PROXY_CERT_INFO_EXTENSION_free(pci); - x->ex_flags |= EXFLAG_PROXY; - } - /* Handle key usage */ - if((usage=X509_get_ext_d2i(x, NID_key_usage, NULL, NULL))) { - if(usage->length > 0) { - x->ex_kusage = usage->data[0]; - if(usage->length > 1) - x->ex_kusage |= usage->data[1] << 8; - } else x->ex_kusage = 0; - x->ex_flags |= EXFLAG_KUSAGE; - ASN1_BIT_STRING_free(usage); - } - x->ex_xkusage = 0; - if((extusage=X509_get_ext_d2i(x, NID_ext_key_usage, NULL, NULL))) { - x->ex_flags |= EXFLAG_XKUSAGE; - for(i = 0; i < sk_ASN1_OBJECT_num(extusage); i++) { - switch(OBJ_obj2nid(sk_ASN1_OBJECT_value(extusage,i))) { - case NID_server_auth: - x->ex_xkusage |= XKU_SSL_SERVER; - break; - - case NID_client_auth: - x->ex_xkusage |= XKU_SSL_CLIENT; - break; - - case NID_email_protect: - x->ex_xkusage |= XKU_SMIME; - break; - - case NID_code_sign: - x->ex_xkusage |= XKU_CODE_SIGN; - break; - - case NID_ms_sgc: - case NID_ns_sgc: - x->ex_xkusage |= XKU_SGC; - break; - - case NID_OCSP_sign: - x->ex_xkusage |= XKU_OCSP_SIGN; - break; - - case NID_time_stamp: - x->ex_xkusage |= XKU_TIMESTAMP; - break; - - case NID_dvcs: - x->ex_xkusage |= XKU_DVCS; - break; - } - } - sk_ASN1_OBJECT_pop_free(extusage, ASN1_OBJECT_free); - } - - if((ns=X509_get_ext_d2i(x, NID_netscape_cert_type, NULL, NULL))) { - if(ns->length > 0) x->ex_nscert = ns->data[0]; - else x->ex_nscert = 0; - x->ex_flags |= EXFLAG_NSCERT; - ASN1_BIT_STRING_free(ns); - } - x->skid =X509_get_ext_d2i(x, NID_subject_key_identifier, NULL, NULL); - x->akid =X509_get_ext_d2i(x, NID_authority_key_identifier, NULL, NULL); - x->altname = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL); - x->nc = X509_get_ext_d2i(x, NID_name_constraints, &i, NULL); - if (!x->nc && (i != -1)) - x->ex_flags |= EXFLAG_INVALID; - setup_crldp(x); - -#ifndef OPENSSL_NO_RFC3779 - x->rfc3779_addr =X509_get_ext_d2i(x, NID_sbgp_ipAddrBlock, NULL, NULL); - x->rfc3779_asid =X509_get_ext_d2i(x, NID_sbgp_autonomousSysNum, - NULL, NULL); -#endif - for (i = 0; i < X509_get_ext_count(x); i++) - { - ex = X509_get_ext(x, i); - if (!X509_EXTENSION_get_critical(ex)) - continue; - if (OBJ_obj2nid(X509_EXTENSION_get_object(ex)) - == NID_freshest_crl) - x->ex_flags |= EXFLAG_FRESHEST; - if (!X509_supported_extension(ex)) - { - x->ex_flags |= EXFLAG_CRITICAL; - break; - } - } - x->ex_flags |= EXFLAG_SET; -} - -/* CA checks common to all purposes - * return codes: - * 0 not a CA - * 1 is a CA - * 2 basicConstraints absent so "maybe" a CA - * 3 basicConstraints absent but self signed V1. - * 4 basicConstraints absent but keyUsage present and keyCertSign asserted. - */ - -#define V1_ROOT (EXFLAG_V1|EXFLAG_SS) -#define ku_reject(x, usage) \ - (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage))) -#define xku_reject(x, usage) \ - (((x)->ex_flags & EXFLAG_XKUSAGE) && !((x)->ex_xkusage & (usage))) -#define ns_reject(x, usage) \ - (((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage))) - -static int check_ca(const X509 *x) -{ - /* keyUsage if present should allow cert signing */ - if(ku_reject(x, KU_KEY_CERT_SIGN)) return 0; - if(x->ex_flags & EXFLAG_BCONS) { - if(x->ex_flags & EXFLAG_CA) return 1; - /* If basicConstraints says not a CA then say so */ - else return 0; - } else { - /* we support V1 roots for... uh, I don't really know why. */ - if((x->ex_flags & V1_ROOT) == V1_ROOT) return 3; - /* If key usage present it must have certSign so tolerate it */ - else if (x->ex_flags & EXFLAG_KUSAGE) return 4; - /* Older certificates could have Netscape-specific CA types */ - else if (x->ex_flags & EXFLAG_NSCERT - && x->ex_nscert & NS_ANY_CA) return 5; - /* can this still be regarded a CA certificate? I doubt it */ - return 0; - } -} - -int X509_check_ca(X509 *x) -{ - if(!(x->ex_flags & EXFLAG_SET)) { - CRYPTO_w_lock(CRYPTO_LOCK_X509); - x509v3_cache_extensions(x); - CRYPTO_w_unlock(CRYPTO_LOCK_X509); - } - - return check_ca(x); -} - -/* Check SSL CA: common checks for SSL client and server */ -static int check_ssl_ca(const X509 *x) -{ - int ca_ret; - ca_ret = check_ca(x); - if(!ca_ret) return 0; - /* check nsCertType if present */ - if(ca_ret != 5 || x->ex_nscert & NS_SSL_CA) return ca_ret; - else return 0; -} - - -static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, int ca) -{ - if(xku_reject(x,XKU_SSL_CLIENT)) return 0; - if(ca) return check_ssl_ca(x); - /* We need to do digital signatures with it */ - if(ku_reject(x,KU_DIGITAL_SIGNATURE)) return 0; - /* nsCertType if present should allow SSL client use */ - if(ns_reject(x, NS_SSL_CLIENT)) return 0; - return 1; -} - -static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca) -{ - if(xku_reject(x,XKU_SSL_SERVER|XKU_SGC)) return 0; - if(ca) return check_ssl_ca(x); - - if(ns_reject(x, NS_SSL_SERVER)) return 0; - /* Now as for keyUsage: we'll at least need to sign OR encipher */ - if(ku_reject(x, KU_DIGITAL_SIGNATURE|KU_KEY_ENCIPHERMENT)) return 0; - - return 1; - -} - -static int check_purpose_ns_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca) -{ - int ret; - ret = check_purpose_ssl_server(xp, x, ca); - if(!ret || ca) return ret; - /* We need to encipher or Netscape complains */ - if(ku_reject(x, KU_KEY_ENCIPHERMENT)) return 0; - return ret; -} - -/* common S/MIME checks */ -static int purpose_smime(const X509 *x, int ca) -{ - if(xku_reject(x,XKU_SMIME)) return 0; - if(ca) { - int ca_ret; - ca_ret = check_ca(x); - if(!ca_ret) return 0; - /* check nsCertType if present */ - if(ca_ret != 5 || x->ex_nscert & NS_SMIME_CA) return ca_ret; - else return 0; - } - if(x->ex_flags & EXFLAG_NSCERT) { - if(x->ex_nscert & NS_SMIME) return 1; - /* Workaround for some buggy certificates */ - if(x->ex_nscert & NS_SSL_CLIENT) return 2; - return 0; - } - return 1; -} - -static int check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x, int ca) -{ - int ret; - ret = purpose_smime(x, ca); - if(!ret || ca) return ret; - if(ku_reject(x, KU_DIGITAL_SIGNATURE|KU_NON_REPUDIATION)) return 0; - return ret; -} - -static int check_purpose_smime_encrypt(const X509_PURPOSE *xp, const X509 *x, int ca) -{ - int ret; - ret = purpose_smime(x, ca); - if(!ret || ca) return ret; - if(ku_reject(x, KU_KEY_ENCIPHERMENT)) return 0; - return ret; -} - -static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x, int ca) -{ - if(ca) { - int ca_ret; - if((ca_ret = check_ca(x)) != 2) return ca_ret; - else return 0; - } - if(ku_reject(x, KU_CRL_SIGN)) return 0; - return 1; -} - -/* OCSP helper: this is *not* a full OCSP check. It just checks that - * each CA is valid. Additional checks must be made on the chain. - */ - -static int ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca) -{ - /* Must be a valid CA. Should we really support the "I don't know" - value (2)? */ - if(ca) return check_ca(x); - /* leaf certificate is checked in OCSP_verify() */ - return 1; -} - -static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x, - int ca) -{ - int i_ext; - - /* If ca is true we must return if this is a valid CA certificate. */ - if (ca) return check_ca(x); - - /* - * Check the optional key usage field: - * if Key Usage is present, it must be one of digitalSignature - * and/or nonRepudiation (other values are not consistent and shall - * be rejected). - */ - if ((x->ex_flags & EXFLAG_KUSAGE) - && ((x->ex_kusage & ~(KU_NON_REPUDIATION | KU_DIGITAL_SIGNATURE)) || - !(x->ex_kusage & (KU_NON_REPUDIATION | KU_DIGITAL_SIGNATURE)))) - return 0; - - /* Only time stamp key usage is permitted and it's required. */ - if (!(x->ex_flags & EXFLAG_XKUSAGE) || x->ex_xkusage != XKU_TIMESTAMP) - return 0; - - /* Extended Key Usage MUST be critical */ - i_ext = X509_get_ext_by_NID((X509 *) x, NID_ext_key_usage, 0); - if (i_ext >= 0) - { - X509_EXTENSION *ext = X509_get_ext((X509 *) x, i_ext); - if (!X509_EXTENSION_get_critical(ext)) - return 0; - } - - return 1; -} - -static int no_check(const X509_PURPOSE *xp, const X509 *x, int ca) -{ - return 1; -} - -/* Various checks to see if one certificate issued the second. - * This can be used to prune a set of possible issuer certificates - * which have been looked up using some simple method such as by - * subject name. - * These are: - * 1. Check issuer_name(subject) == subject_name(issuer) - * 2. If akid(subject) exists check it matches issuer - * 3. If key_usage(issuer) exists check it supports certificate signing - * returns 0 for OK, positive for reason for mismatch, reasons match - * codes for X509_verify_cert() - */ - -int X509_check_issued(X509 *issuer, X509 *subject) -{ - if(X509_NAME_cmp(X509_get_subject_name(issuer), - X509_get_issuer_name(subject))) - return X509_V_ERR_SUBJECT_ISSUER_MISMATCH; - x509v3_cache_extensions(issuer); - x509v3_cache_extensions(subject); - - if(subject->akid) - { - int ret = X509_check_akid(issuer, subject->akid); - if (ret != X509_V_OK) - return ret; - } - - if(subject->ex_flags & EXFLAG_PROXY) - { - if(ku_reject(issuer, KU_DIGITAL_SIGNATURE)) - return X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE; - } - else if(ku_reject(issuer, KU_KEY_CERT_SIGN)) - return X509_V_ERR_KEYUSAGE_NO_CERTSIGN; - return X509_V_OK; -} - -int X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid) - { - - if(!akid) - return X509_V_OK; - - /* Check key ids (if present) */ - if(akid->keyid && issuer->skid && - ASN1_OCTET_STRING_cmp(akid->keyid, issuer->skid) ) - return X509_V_ERR_AKID_SKID_MISMATCH; - /* Check serial number */ - if(akid->serial && - ASN1_INTEGER_cmp(X509_get_serialNumber(issuer), akid->serial)) - return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH; - /* Check issuer name */ - if(akid->issuer) - { - /* Ugh, for some peculiar reason AKID includes - * SEQUENCE OF GeneralName. So look for a DirName. - * There may be more than one but we only take any - * notice of the first. - */ - GENERAL_NAMES *gens; - GENERAL_NAME *gen; - X509_NAME *nm = NULL; - int i; - gens = akid->issuer; - for(i = 0; i < sk_GENERAL_NAME_num(gens); i++) - { - gen = sk_GENERAL_NAME_value(gens, i); - if(gen->type == GEN_DIRNAME) - { - nm = gen->d.dirn; - break; - } - } - if(nm && X509_NAME_cmp(nm, X509_get_issuer_name(issuer))) - return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH; - } - return X509_V_OK; - } - diff --git a/openssl/crypto/x509v3/v3_skey.c b/openssl/crypto/x509v3/v3_skey.c deleted file mode 100644 index 202c9e48..00000000 --- a/openssl/crypto/x509v3/v3_skey.c +++ /dev/null @@ -1,144 +0,0 @@ -/* v3_skey.c */ -/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL - * project 1999. - */ -/* ==================================================================== - * Copyright (c) 1999 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - - -#include <stdio.h> -#include "cryptlib.h" -#include <openssl/x509v3.h> - -static ASN1_OCTET_STRING *s2i_skey_id(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *str); -const X509V3_EXT_METHOD v3_skey_id = { -NID_subject_key_identifier, 0, ASN1_ITEM_ref(ASN1_OCTET_STRING), -0,0,0,0, -(X509V3_EXT_I2S)i2s_ASN1_OCTET_STRING, -(X509V3_EXT_S2I)s2i_skey_id, -0,0,0,0, -NULL}; - -char *i2s_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method, - ASN1_OCTET_STRING *oct) -{ - return hex_to_string(oct->data, oct->length); -} - -ASN1_OCTET_STRING *s2i_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method, - X509V3_CTX *ctx, char *str) -{ - ASN1_OCTET_STRING *oct; - long length; - - if(!(oct = M_ASN1_OCTET_STRING_new())) { - X509V3err(X509V3_F_S2I_ASN1_OCTET_STRING,ERR_R_MALLOC_FAILURE); - return NULL; - } - - if(!(oct->data = string_to_hex(str, &length))) { - M_ASN1_OCTET_STRING_free(oct); - return NULL; - } - - oct->length = length; - - return oct; - -} - -static ASN1_OCTET_STRING *s2i_skey_id(X509V3_EXT_METHOD *method, - X509V3_CTX *ctx, char *str) -{ - ASN1_OCTET_STRING *oct; - ASN1_BIT_STRING *pk; - unsigned char pkey_dig[EVP_MAX_MD_SIZE]; - unsigned int diglen; - - if(strcmp(str, "hash")) return s2i_ASN1_OCTET_STRING(method, ctx, str); - - if(!(oct = M_ASN1_OCTET_STRING_new())) { - X509V3err(X509V3_F_S2I_SKEY_ID,ERR_R_MALLOC_FAILURE); - return NULL; - } - - if(ctx && (ctx->flags == CTX_TEST)) return oct; - - if(!ctx || (!ctx->subject_req && !ctx->subject_cert)) { - X509V3err(X509V3_F_S2I_SKEY_ID,X509V3_R_NO_PUBLIC_KEY); - goto err; - } - - if(ctx->subject_req) - pk = ctx->subject_req->req_info->pubkey->public_key; - else pk = ctx->subject_cert->cert_info->key->public_key; - - if(!pk) { - X509V3err(X509V3_F_S2I_SKEY_ID,X509V3_R_NO_PUBLIC_KEY); - goto err; - } - - EVP_Digest(pk->data, pk->length, pkey_dig, &diglen, EVP_sha1(), NULL); - - if(!M_ASN1_OCTET_STRING_set(oct, pkey_dig, diglen)) { - X509V3err(X509V3_F_S2I_SKEY_ID,ERR_R_MALLOC_FAILURE); - goto err; - } - - return oct; - - err: - M_ASN1_OCTET_STRING_free(oct); - return NULL; -} diff --git a/openssl/crypto/x509v3/v3_sxnet.c b/openssl/crypto/x509v3/v3_sxnet.c deleted file mode 100644 index 2a6bf11b..00000000 --- a/openssl/crypto/x509v3/v3_sxnet.c +++ /dev/null @@ -1,262 +0,0 @@ -/* v3_sxnet.c */ -/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL - * project 1999. - */ -/* ==================================================================== - * Copyright (c) 1999 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#include <stdio.h> -#include "cryptlib.h" -#include <openssl/conf.h> -#include <openssl/asn1.h> -#include <openssl/asn1t.h> -#include <openssl/x509v3.h> - -/* Support for Thawte strong extranet extension */ - -#define SXNET_TEST - -static int sxnet_i2r(X509V3_EXT_METHOD *method, SXNET *sx, BIO *out, int indent); -#ifdef SXNET_TEST -static SXNET * sxnet_v2i(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, - STACK_OF(CONF_VALUE) *nval); -#endif -const X509V3_EXT_METHOD v3_sxnet = { -NID_sxnet, X509V3_EXT_MULTILINE, ASN1_ITEM_ref(SXNET), -0,0,0,0, -0,0, -0, -#ifdef SXNET_TEST -(X509V3_EXT_V2I)sxnet_v2i, -#else -0, -#endif -(X509V3_EXT_I2R)sxnet_i2r, -0, -NULL -}; - -ASN1_SEQUENCE(SXNETID) = { - ASN1_SIMPLE(SXNETID, zone, ASN1_INTEGER), - ASN1_SIMPLE(SXNETID, user, ASN1_OCTET_STRING) -} ASN1_SEQUENCE_END(SXNETID) - -IMPLEMENT_ASN1_FUNCTIONS(SXNETID) - -ASN1_SEQUENCE(SXNET) = { - ASN1_SIMPLE(SXNET, version, ASN1_INTEGER), - ASN1_SEQUENCE_OF(SXNET, ids, SXNETID) -} ASN1_SEQUENCE_END(SXNET) - -IMPLEMENT_ASN1_FUNCTIONS(SXNET) - -static int sxnet_i2r(X509V3_EXT_METHOD *method, SXNET *sx, BIO *out, - int indent) -{ - long v; - char *tmp; - SXNETID *id; - int i; - v = ASN1_INTEGER_get(sx->version); - BIO_printf(out, "%*sVersion: %ld (0x%lX)", indent, "", v + 1, v); - for(i = 0; i < sk_SXNETID_num(sx->ids); i++) { - id = sk_SXNETID_value(sx->ids, i); - tmp = i2s_ASN1_INTEGER(NULL, id->zone); - BIO_printf(out, "\n%*sZone: %s, User: ", indent, "", tmp); - OPENSSL_free(tmp); - M_ASN1_OCTET_STRING_print(out, id->user); - } - return 1; -} - -#ifdef SXNET_TEST - -/* NBB: this is used for testing only. It should *not* be used for anything - * else because it will just take static IDs from the configuration file and - * they should really be separate values for each user. - */ - - -static SXNET * sxnet_v2i(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, - STACK_OF(CONF_VALUE) *nval) -{ - CONF_VALUE *cnf; - SXNET *sx = NULL; - int i; - for(i = 0; i < sk_CONF_VALUE_num(nval); i++) { - cnf = sk_CONF_VALUE_value(nval, i); - if(!SXNET_add_id_asc(&sx, cnf->name, cnf->value, -1)) - return NULL; - } - return sx; -} - - -#endif - -/* Strong Extranet utility functions */ - -/* Add an id given the zone as an ASCII number */ - -int SXNET_add_id_asc(SXNET **psx, char *zone, char *user, - int userlen) -{ - ASN1_INTEGER *izone = NULL; - if(!(izone = s2i_ASN1_INTEGER(NULL, zone))) { - X509V3err(X509V3_F_SXNET_ADD_ID_ASC,X509V3_R_ERROR_CONVERTING_ZONE); - return 0; - } - return SXNET_add_id_INTEGER(psx, izone, user, userlen); -} - -/* Add an id given the zone as an unsigned long */ - -int SXNET_add_id_ulong(SXNET **psx, unsigned long lzone, char *user, - int userlen) -{ - ASN1_INTEGER *izone = NULL; - if(!(izone = M_ASN1_INTEGER_new()) || !ASN1_INTEGER_set(izone, lzone)) { - X509V3err(X509V3_F_SXNET_ADD_ID_ULONG,ERR_R_MALLOC_FAILURE); - M_ASN1_INTEGER_free(izone); - return 0; - } - return SXNET_add_id_INTEGER(psx, izone, user, userlen); - -} - -/* Add an id given the zone as an ASN1_INTEGER. - * Note this version uses the passed integer and doesn't make a copy so don't - * free it up afterwards. - */ - -int SXNET_add_id_INTEGER(SXNET **psx, ASN1_INTEGER *zone, char *user, - int userlen) -{ - SXNET *sx = NULL; - SXNETID *id = NULL; - if(!psx || !zone || !user) { - X509V3err(X509V3_F_SXNET_ADD_ID_INTEGER,X509V3_R_INVALID_NULL_ARGUMENT); - return 0; - } - if(userlen == -1) userlen = strlen(user); - if(userlen > 64) { - X509V3err(X509V3_F_SXNET_ADD_ID_INTEGER,X509V3_R_USER_TOO_LONG); - return 0; - } - if(!*psx) { - if(!(sx = SXNET_new())) goto err; - if(!ASN1_INTEGER_set(sx->version, 0)) goto err; - *psx = sx; - } else sx = *psx; - if(SXNET_get_id_INTEGER(sx, zone)) { - X509V3err(X509V3_F_SXNET_ADD_ID_INTEGER,X509V3_R_DUPLICATE_ZONE_ID); - return 0; - } - - if(!(id = SXNETID_new())) goto err; - if(userlen == -1) userlen = strlen(user); - - if(!M_ASN1_OCTET_STRING_set(id->user, user, userlen)) goto err; - if(!sk_SXNETID_push(sx->ids, id)) goto err; - id->zone = zone; - return 1; - - err: - X509V3err(X509V3_F_SXNET_ADD_ID_INTEGER,ERR_R_MALLOC_FAILURE); - SXNETID_free(id); - SXNET_free(sx); - *psx = NULL; - return 0; -} - -ASN1_OCTET_STRING *SXNET_get_id_asc(SXNET *sx, char *zone) -{ - ASN1_INTEGER *izone = NULL; - ASN1_OCTET_STRING *oct; - if(!(izone = s2i_ASN1_INTEGER(NULL, zone))) { - X509V3err(X509V3_F_SXNET_GET_ID_ASC,X509V3_R_ERROR_CONVERTING_ZONE); - return NULL; - } - oct = SXNET_get_id_INTEGER(sx, izone); - M_ASN1_INTEGER_free(izone); - return oct; -} - -ASN1_OCTET_STRING *SXNET_get_id_ulong(SXNET *sx, unsigned long lzone) -{ - ASN1_INTEGER *izone = NULL; - ASN1_OCTET_STRING *oct; - if(!(izone = M_ASN1_INTEGER_new()) || !ASN1_INTEGER_set(izone, lzone)) { - X509V3err(X509V3_F_SXNET_GET_ID_ULONG,ERR_R_MALLOC_FAILURE); - M_ASN1_INTEGER_free(izone); - return NULL; - } - oct = SXNET_get_id_INTEGER(sx, izone); - M_ASN1_INTEGER_free(izone); - return oct; -} - -ASN1_OCTET_STRING *SXNET_get_id_INTEGER(SXNET *sx, ASN1_INTEGER *zone) -{ - SXNETID *id; - int i; - for(i = 0; i < sk_SXNETID_num(sx->ids); i++) { - id = sk_SXNETID_value(sx->ids, i); - if(!M_ASN1_INTEGER_cmp(id->zone, zone)) return id->user; - } - return NULL; -} - -IMPLEMENT_STACK_OF(SXNETID) -IMPLEMENT_ASN1_SET_OF(SXNETID) diff --git a/openssl/crypto/x509v3/v3_utl.c b/openssl/crypto/x509v3/v3_utl.c deleted file mode 100644 index e0302345..00000000 --- a/openssl/crypto/x509v3/v3_utl.c +++ /dev/null @@ -1,874 +0,0 @@ -/* v3_utl.c */ -/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL - * project. - */ -/* ==================================================================== - * Copyright (c) 1999-2003 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ -/* X509 v3 extension utilities */ - - -#include <stdio.h> -#include <ctype.h> -#include "cryptlib.h" -#include <openssl/conf.h> -#include <openssl/x509v3.h> -#include <openssl/bn.h> - -static char *strip_spaces(char *name); -static int sk_strcmp(const char * const *a, const char * const *b); -static STACK_OF(OPENSSL_STRING) *get_email(X509_NAME *name, GENERAL_NAMES *gens); -static void str_free(OPENSSL_STRING str); -static int append_ia5(STACK_OF(OPENSSL_STRING) **sk, ASN1_IA5STRING *email); - -static int ipv4_from_asc(unsigned char *v4, const char *in); -static int ipv6_from_asc(unsigned char *v6, const char *in); -static int ipv6_cb(const char *elem, int len, void *usr); -static int ipv6_hex(unsigned char *out, const char *in, int inlen); - -/* Add a CONF_VALUE name value pair to stack */ - -int X509V3_add_value(const char *name, const char *value, - STACK_OF(CONF_VALUE) **extlist) -{ - CONF_VALUE *vtmp = NULL; - char *tname = NULL, *tvalue = NULL; - if(name && !(tname = BUF_strdup(name))) goto err; - if(value && !(tvalue = BUF_strdup(value))) goto err; - if(!(vtmp = (CONF_VALUE *)OPENSSL_malloc(sizeof(CONF_VALUE)))) goto err; - if(!*extlist && !(*extlist = sk_CONF_VALUE_new_null())) goto err; - vtmp->section = NULL; - vtmp->name = tname; - vtmp->value = tvalue; - if(!sk_CONF_VALUE_push(*extlist, vtmp)) goto err; - return 1; - err: - X509V3err(X509V3_F_X509V3_ADD_VALUE,ERR_R_MALLOC_FAILURE); - if(vtmp) OPENSSL_free(vtmp); - if(tname) OPENSSL_free(tname); - if(tvalue) OPENSSL_free(tvalue); - return 0; -} - -int X509V3_add_value_uchar(const char *name, const unsigned char *value, - STACK_OF(CONF_VALUE) **extlist) - { - return X509V3_add_value(name,(const char *)value,extlist); - } - -/* Free function for STACK_OF(CONF_VALUE) */ - -void X509V3_conf_free(CONF_VALUE *conf) -{ - if(!conf) return; - if(conf->name) OPENSSL_free(conf->name); - if(conf->value) OPENSSL_free(conf->value); - if(conf->section) OPENSSL_free(conf->section); - OPENSSL_free(conf); -} - -int X509V3_add_value_bool(const char *name, int asn1_bool, - STACK_OF(CONF_VALUE) **extlist) -{ - if(asn1_bool) return X509V3_add_value(name, "TRUE", extlist); - return X509V3_add_value(name, "FALSE", extlist); -} - -int X509V3_add_value_bool_nf(char *name, int asn1_bool, - STACK_OF(CONF_VALUE) **extlist) -{ - if(asn1_bool) return X509V3_add_value(name, "TRUE", extlist); - return 1; -} - - -char *i2s_ASN1_ENUMERATED(X509V3_EXT_METHOD *method, ASN1_ENUMERATED *a) -{ - BIGNUM *bntmp = NULL; - char *strtmp = NULL; - if(!a) return NULL; - if(!(bntmp = ASN1_ENUMERATED_to_BN(a, NULL)) || - !(strtmp = BN_bn2dec(bntmp)) ) - X509V3err(X509V3_F_I2S_ASN1_ENUMERATED,ERR_R_MALLOC_FAILURE); - BN_free(bntmp); - return strtmp; -} - -char *i2s_ASN1_INTEGER(X509V3_EXT_METHOD *method, ASN1_INTEGER *a) -{ - BIGNUM *bntmp = NULL; - char *strtmp = NULL; - if(!a) return NULL; - if(!(bntmp = ASN1_INTEGER_to_BN(a, NULL)) || - !(strtmp = BN_bn2dec(bntmp)) ) - X509V3err(X509V3_F_I2S_ASN1_INTEGER,ERR_R_MALLOC_FAILURE); - BN_free(bntmp); - return strtmp; -} - -ASN1_INTEGER *s2i_ASN1_INTEGER(X509V3_EXT_METHOD *method, char *value) -{ - BIGNUM *bn = NULL; - ASN1_INTEGER *aint; - int isneg, ishex; - int ret; - if (!value) { - X509V3err(X509V3_F_S2I_ASN1_INTEGER,X509V3_R_INVALID_NULL_VALUE); - return 0; - } - bn = BN_new(); - if (value[0] == '-') { - value++; - isneg = 1; - } else isneg = 0; - - if (value[0] == '0' && ((value[1] == 'x') || (value[1] == 'X'))) { - value += 2; - ishex = 1; - } else ishex = 0; - - if (ishex) ret = BN_hex2bn(&bn, value); - else ret = BN_dec2bn(&bn, value); - - if (!ret || value[ret]) { - BN_free(bn); - X509V3err(X509V3_F_S2I_ASN1_INTEGER,X509V3_R_BN_DEC2BN_ERROR); - return 0; - } - - if (isneg && BN_is_zero(bn)) isneg = 0; - - aint = BN_to_ASN1_INTEGER(bn, NULL); - BN_free(bn); - if (!aint) { - X509V3err(X509V3_F_S2I_ASN1_INTEGER,X509V3_R_BN_TO_ASN1_INTEGER_ERROR); - return 0; - } - if (isneg) aint->type |= V_ASN1_NEG; - return aint; -} - -int X509V3_add_value_int(const char *name, ASN1_INTEGER *aint, - STACK_OF(CONF_VALUE) **extlist) -{ - char *strtmp; - int ret; - if(!aint) return 1; - if(!(strtmp = i2s_ASN1_INTEGER(NULL, aint))) return 0; - ret = X509V3_add_value(name, strtmp, extlist); - OPENSSL_free(strtmp); - return ret; -} - -int X509V3_get_value_bool(CONF_VALUE *value, int *asn1_bool) -{ - char *btmp; - if(!(btmp = value->value)) goto err; - if(!strcmp(btmp, "TRUE") || !strcmp(btmp, "true") - || !strcmp(btmp, "Y") || !strcmp(btmp, "y") - || !strcmp(btmp, "YES") || !strcmp(btmp, "yes")) { - *asn1_bool = 0xff; - return 1; - } else if(!strcmp(btmp, "FALSE") || !strcmp(btmp, "false") - || !strcmp(btmp, "N") || !strcmp(btmp, "n") - || !strcmp(btmp, "NO") || !strcmp(btmp, "no")) { - *asn1_bool = 0; - return 1; - } - err: - X509V3err(X509V3_F_X509V3_GET_VALUE_BOOL,X509V3_R_INVALID_BOOLEAN_STRING); - X509V3_conf_err(value); - return 0; -} - -int X509V3_get_value_int(CONF_VALUE *value, ASN1_INTEGER **aint) -{ - ASN1_INTEGER *itmp; - if(!(itmp = s2i_ASN1_INTEGER(NULL, value->value))) { - X509V3_conf_err(value); - return 0; - } - *aint = itmp; - return 1; -} - -#define HDR_NAME 1 -#define HDR_VALUE 2 - -/*#define DEBUG*/ - -STACK_OF(CONF_VALUE) *X509V3_parse_list(const char *line) -{ - char *p, *q, c; - char *ntmp, *vtmp; - STACK_OF(CONF_VALUE) *values = NULL; - char *linebuf; - int state; - /* We are going to modify the line so copy it first */ - linebuf = BUF_strdup(line); - state = HDR_NAME; - ntmp = NULL; - /* Go through all characters */ - for(p = linebuf, q = linebuf; (c = *p) && (c!='\r') && (c!='\n'); p++) { - - switch(state) { - case HDR_NAME: - if(c == ':') { - state = HDR_VALUE; - *p = 0; - ntmp = strip_spaces(q); - if(!ntmp) { - X509V3err(X509V3_F_X509V3_PARSE_LIST, X509V3_R_INVALID_NULL_NAME); - goto err; - } - q = p + 1; - } else if(c == ',') { - *p = 0; - ntmp = strip_spaces(q); - q = p + 1; -#if 0 - printf("%s\n", ntmp); -#endif - if(!ntmp) { - X509V3err(X509V3_F_X509V3_PARSE_LIST, X509V3_R_INVALID_NULL_NAME); - goto err; - } - X509V3_add_value(ntmp, NULL, &values); - } - break ; - - case HDR_VALUE: - if(c == ',') { - state = HDR_NAME; - *p = 0; - vtmp = strip_spaces(q); -#if 0 - printf("%s\n", ntmp); -#endif - if(!vtmp) { - X509V3err(X509V3_F_X509V3_PARSE_LIST, X509V3_R_INVALID_NULL_VALUE); - goto err; - } - X509V3_add_value(ntmp, vtmp, &values); - ntmp = NULL; - q = p + 1; - } - - } - } - - if(state == HDR_VALUE) { - vtmp = strip_spaces(q); -#if 0 - printf("%s=%s\n", ntmp, vtmp); -#endif - if(!vtmp) { - X509V3err(X509V3_F_X509V3_PARSE_LIST, X509V3_R_INVALID_NULL_VALUE); - goto err; - } - X509V3_add_value(ntmp, vtmp, &values); - } else { - ntmp = strip_spaces(q); -#if 0 - printf("%s\n", ntmp); -#endif - if(!ntmp) { - X509V3err(X509V3_F_X509V3_PARSE_LIST, X509V3_R_INVALID_NULL_NAME); - goto err; - } - X509V3_add_value(ntmp, NULL, &values); - } -OPENSSL_free(linebuf); -return values; - -err: -OPENSSL_free(linebuf); -sk_CONF_VALUE_pop_free(values, X509V3_conf_free); -return NULL; - -} - -/* Delete leading and trailing spaces from a string */ -static char *strip_spaces(char *name) -{ - char *p, *q; - /* Skip over leading spaces */ - p = name; - while(*p && isspace((unsigned char)*p)) p++; - if(!*p) return NULL; - q = p + strlen(p) - 1; - while((q != p) && isspace((unsigned char)*q)) q--; - if(p != q) q[1] = 0; - if(!*p) return NULL; - return p; -} - -/* hex string utilities */ - -/* Given a buffer of length 'len' return a OPENSSL_malloc'ed string with its - * hex representation - * @@@ (Contents of buffer are always kept in ASCII, also on EBCDIC machines) - */ - -char *hex_to_string(const unsigned char *buffer, long len) -{ - char *tmp, *q; - const unsigned char *p; - int i; - const static char hexdig[] = "0123456789ABCDEF"; - if(!buffer || !len) return NULL; - if(!(tmp = OPENSSL_malloc(len * 3 + 1))) { - X509V3err(X509V3_F_HEX_TO_STRING,ERR_R_MALLOC_FAILURE); - return NULL; - } - q = tmp; - for(i = 0, p = buffer; i < len; i++,p++) { - *q++ = hexdig[(*p >> 4) & 0xf]; - *q++ = hexdig[*p & 0xf]; - *q++ = ':'; - } - q[-1] = 0; -#ifdef CHARSET_EBCDIC - ebcdic2ascii(tmp, tmp, q - tmp - 1); -#endif - - return tmp; -} - -/* Give a string of hex digits convert to - * a buffer - */ - -unsigned char *string_to_hex(const char *str, long *len) -{ - unsigned char *hexbuf, *q; - unsigned char ch, cl, *p; - if(!str) { - X509V3err(X509V3_F_STRING_TO_HEX,X509V3_R_INVALID_NULL_ARGUMENT); - return NULL; - } - if(!(hexbuf = OPENSSL_malloc(strlen(str) >> 1))) goto err; - for(p = (unsigned char *)str, q = hexbuf; *p;) { - ch = *p++; -#ifdef CHARSET_EBCDIC - ch = os_toebcdic[ch]; -#endif - if(ch == ':') continue; - cl = *p++; -#ifdef CHARSET_EBCDIC - cl = os_toebcdic[cl]; -#endif - if(!cl) { - X509V3err(X509V3_F_STRING_TO_HEX,X509V3_R_ODD_NUMBER_OF_DIGITS); - OPENSSL_free(hexbuf); - return NULL; - } - if(isupper(ch)) ch = tolower(ch); - if(isupper(cl)) cl = tolower(cl); - - if((ch >= '0') && (ch <= '9')) ch -= '0'; - else if ((ch >= 'a') && (ch <= 'f')) ch -= 'a' - 10; - else goto badhex; - - if((cl >= '0') && (cl <= '9')) cl -= '0'; - else if ((cl >= 'a') && (cl <= 'f')) cl -= 'a' - 10; - else goto badhex; - - *q++ = (ch << 4) | cl; - } - - if(len) *len = q - hexbuf; - - return hexbuf; - - err: - if(hexbuf) OPENSSL_free(hexbuf); - X509V3err(X509V3_F_STRING_TO_HEX,ERR_R_MALLOC_FAILURE); - return NULL; - - badhex: - OPENSSL_free(hexbuf); - X509V3err(X509V3_F_STRING_TO_HEX,X509V3_R_ILLEGAL_HEX_DIGIT); - return NULL; - -} - -/* V2I name comparison function: returns zero if 'name' matches - * cmp or cmp.* - */ - -int name_cmp(const char *name, const char *cmp) -{ - int len, ret; - char c; - len = strlen(cmp); - if((ret = strncmp(name, cmp, len))) return ret; - c = name[len]; - if(!c || (c=='.')) return 0; - return 1; -} - -static int sk_strcmp(const char * const *a, const char * const *b) -{ - return strcmp(*a, *b); -} - -STACK_OF(OPENSSL_STRING) *X509_get1_email(X509 *x) -{ - GENERAL_NAMES *gens; - STACK_OF(OPENSSL_STRING) *ret; - - gens = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL); - ret = get_email(X509_get_subject_name(x), gens); - sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free); - return ret; -} - -STACK_OF(OPENSSL_STRING) *X509_get1_ocsp(X509 *x) -{ - AUTHORITY_INFO_ACCESS *info; - STACK_OF(OPENSSL_STRING) *ret = NULL; - int i; - - info = X509_get_ext_d2i(x, NID_info_access, NULL, NULL); - if (!info) - return NULL; - for (i = 0; i < sk_ACCESS_DESCRIPTION_num(info); i++) - { - ACCESS_DESCRIPTION *ad = sk_ACCESS_DESCRIPTION_value(info, i); - if (OBJ_obj2nid(ad->method) == NID_ad_OCSP) - { - if (ad->location->type == GEN_URI) - { - if (!append_ia5(&ret, ad->location->d.uniformResourceIdentifier)) - break; - } - } - } - AUTHORITY_INFO_ACCESS_free(info); - return ret; -} - -STACK_OF(OPENSSL_STRING) *X509_REQ_get1_email(X509_REQ *x) -{ - GENERAL_NAMES *gens; - STACK_OF(X509_EXTENSION) *exts; - STACK_OF(OPENSSL_STRING) *ret; - - exts = X509_REQ_get_extensions(x); - gens = X509V3_get_d2i(exts, NID_subject_alt_name, NULL, NULL); - ret = get_email(X509_REQ_get_subject_name(x), gens); - sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free); - sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free); - return ret; -} - - -static STACK_OF(OPENSSL_STRING) *get_email(X509_NAME *name, GENERAL_NAMES *gens) -{ - STACK_OF(OPENSSL_STRING) *ret = NULL; - X509_NAME_ENTRY *ne; - ASN1_IA5STRING *email; - GENERAL_NAME *gen; - int i; - /* Now add any email address(es) to STACK */ - i = -1; - /* First supplied X509_NAME */ - while((i = X509_NAME_get_index_by_NID(name, - NID_pkcs9_emailAddress, i)) >= 0) { - ne = X509_NAME_get_entry(name, i); - email = X509_NAME_ENTRY_get_data(ne); - if(!append_ia5(&ret, email)) return NULL; - } - for(i = 0; i < sk_GENERAL_NAME_num(gens); i++) - { - gen = sk_GENERAL_NAME_value(gens, i); - if(gen->type != GEN_EMAIL) continue; - if(!append_ia5(&ret, gen->d.ia5)) return NULL; - } - return ret; -} - -static void str_free(OPENSSL_STRING str) -{ - OPENSSL_free(str); -} - -static int append_ia5(STACK_OF(OPENSSL_STRING) **sk, ASN1_IA5STRING *email) -{ - char *emtmp; - /* First some sanity checks */ - if(email->type != V_ASN1_IA5STRING) return 1; - if(!email->data || !email->length) return 1; - if(!*sk) *sk = sk_OPENSSL_STRING_new(sk_strcmp); - if(!*sk) return 0; - /* Don't add duplicates */ - if(sk_OPENSSL_STRING_find(*sk, (char *)email->data) != -1) return 1; - emtmp = BUF_strdup((char *)email->data); - if(!emtmp || !sk_OPENSSL_STRING_push(*sk, emtmp)) { - X509_email_free(*sk); - *sk = NULL; - return 0; - } - return 1; -} - -void X509_email_free(STACK_OF(OPENSSL_STRING) *sk) -{ - sk_OPENSSL_STRING_pop_free(sk, str_free); -} - -/* Convert IP addresses both IPv4 and IPv6 into an - * OCTET STRING compatible with RFC3280. - */ - -ASN1_OCTET_STRING *a2i_IPADDRESS(const char *ipasc) - { - unsigned char ipout[16]; - ASN1_OCTET_STRING *ret; - int iplen; - - /* If string contains a ':' assume IPv6 */ - - iplen = a2i_ipadd(ipout, ipasc); - - if (!iplen) - return NULL; - - ret = ASN1_OCTET_STRING_new(); - if (!ret) - return NULL; - if (!ASN1_OCTET_STRING_set(ret, ipout, iplen)) - { - ASN1_OCTET_STRING_free(ret); - return NULL; - } - return ret; - } - -ASN1_OCTET_STRING *a2i_IPADDRESS_NC(const char *ipasc) - { - ASN1_OCTET_STRING *ret = NULL; - unsigned char ipout[32]; - char *iptmp = NULL, *p; - int iplen1, iplen2; - p = strchr(ipasc,'/'); - if (!p) - return NULL; - iptmp = BUF_strdup(ipasc); - if (!iptmp) - return NULL; - p = iptmp + (p - ipasc); - *p++ = 0; - - iplen1 = a2i_ipadd(ipout, iptmp); - - if (!iplen1) - goto err; - - iplen2 = a2i_ipadd(ipout + iplen1, p); - - OPENSSL_free(iptmp); - iptmp = NULL; - - if (!iplen2 || (iplen1 != iplen2)) - goto err; - - ret = ASN1_OCTET_STRING_new(); - if (!ret) - goto err; - if (!ASN1_OCTET_STRING_set(ret, ipout, iplen1 + iplen2)) - goto err; - - return ret; - - err: - if (iptmp) - OPENSSL_free(iptmp); - if (ret) - ASN1_OCTET_STRING_free(ret); - return NULL; - } - - -int a2i_ipadd(unsigned char *ipout, const char *ipasc) - { - /* If string contains a ':' assume IPv6 */ - - if (strchr(ipasc, ':')) - { - if (!ipv6_from_asc(ipout, ipasc)) - return 0; - return 16; - } - else - { - if (!ipv4_from_asc(ipout, ipasc)) - return 0; - return 4; - } - } - -static int ipv4_from_asc(unsigned char *v4, const char *in) - { - int a0, a1, a2, a3; - if (sscanf(in, "%d.%d.%d.%d", &a0, &a1, &a2, &a3) != 4) - return 0; - if ((a0 < 0) || (a0 > 255) || (a1 < 0) || (a1 > 255) - || (a2 < 0) || (a2 > 255) || (a3 < 0) || (a3 > 255)) - return 0; - v4[0] = a0; - v4[1] = a1; - v4[2] = a2; - v4[3] = a3; - return 1; - } - -typedef struct { - /* Temporary store for IPV6 output */ - unsigned char tmp[16]; - /* Total number of bytes in tmp */ - int total; - /* The position of a zero (corresponding to '::') */ - int zero_pos; - /* Number of zeroes */ - int zero_cnt; - } IPV6_STAT; - - -static int ipv6_from_asc(unsigned char *v6, const char *in) - { - IPV6_STAT v6stat; - v6stat.total = 0; - v6stat.zero_pos = -1; - v6stat.zero_cnt = 0; - /* Treat the IPv6 representation as a list of values - * separated by ':'. The presence of a '::' will parse - * as one, two or three zero length elements. - */ - if (!CONF_parse_list(in, ':', 0, ipv6_cb, &v6stat)) - return 0; - - /* Now for some sanity checks */ - - if (v6stat.zero_pos == -1) - { - /* If no '::' must have exactly 16 bytes */ - if (v6stat.total != 16) - return 0; - } - else - { - /* If '::' must have less than 16 bytes */ - if (v6stat.total == 16) - return 0; - /* More than three zeroes is an error */ - if (v6stat.zero_cnt > 3) - return 0; - /* Can only have three zeroes if nothing else present */ - else if (v6stat.zero_cnt == 3) - { - if (v6stat.total > 0) - return 0; - } - /* Can only have two zeroes if at start or end */ - else if (v6stat.zero_cnt == 2) - { - if ((v6stat.zero_pos != 0) - && (v6stat.zero_pos != v6stat.total)) - return 0; - } - else - /* Can only have one zero if *not* start or end */ - { - if ((v6stat.zero_pos == 0) - || (v6stat.zero_pos == v6stat.total)) - return 0; - } - } - - /* Format result */ - - if (v6stat.zero_pos >= 0) - { - /* Copy initial part */ - memcpy(v6, v6stat.tmp, v6stat.zero_pos); - /* Zero middle */ - memset(v6 + v6stat.zero_pos, 0, 16 - v6stat.total); - /* Copy final part */ - if (v6stat.total != v6stat.zero_pos) - memcpy(v6 + v6stat.zero_pos + 16 - v6stat.total, - v6stat.tmp + v6stat.zero_pos, - v6stat.total - v6stat.zero_pos); - } - else - memcpy(v6, v6stat.tmp, 16); - - return 1; - } - -static int ipv6_cb(const char *elem, int len, void *usr) - { - IPV6_STAT *s = usr; - /* Error if 16 bytes written */ - if (s->total == 16) - return 0; - if (len == 0) - { - /* Zero length element, corresponds to '::' */ - if (s->zero_pos == -1) - s->zero_pos = s->total; - /* If we've already got a :: its an error */ - else if (s->zero_pos != s->total) - return 0; - s->zero_cnt++; - } - else - { - /* If more than 4 characters could be final a.b.c.d form */ - if (len > 4) - { - /* Need at least 4 bytes left */ - if (s->total > 12) - return 0; - /* Must be end of string */ - if (elem[len]) - return 0; - if (!ipv4_from_asc(s->tmp + s->total, elem)) - return 0; - s->total += 4; - } - else - { - if (!ipv6_hex(s->tmp + s->total, elem, len)) - return 0; - s->total += 2; - } - } - return 1; - } - -/* Convert a string of up to 4 hex digits into the corresponding - * IPv6 form. - */ - -static int ipv6_hex(unsigned char *out, const char *in, int inlen) - { - unsigned char c; - unsigned int num = 0; - if (inlen > 4) - return 0; - while(inlen--) - { - c = *in++; - num <<= 4; - if ((c >= '0') && (c <= '9')) - num |= c - '0'; - else if ((c >= 'A') && (c <= 'F')) - num |= c - 'A' + 10; - else if ((c >= 'a') && (c <= 'f')) - num |= c - 'a' + 10; - else - return 0; - } - out[0] = num >> 8; - out[1] = num & 0xff; - return 1; - } - - -int X509V3_NAME_from_section(X509_NAME *nm, STACK_OF(CONF_VALUE)*dn_sk, - unsigned long chtype) - { - CONF_VALUE *v; - int i, mval; - char *p, *type; - if (!nm) - return 0; - - for (i = 0; i < sk_CONF_VALUE_num(dn_sk); i++) - { - v=sk_CONF_VALUE_value(dn_sk,i); - type=v->name; - /* Skip past any leading X. X: X, etc to allow for - * multiple instances - */ - for(p = type; *p ; p++) -#ifndef CHARSET_EBCDIC - if ((*p == ':') || (*p == ',') || (*p == '.')) -#else - if ((*p == os_toascii[':']) || (*p == os_toascii[',']) || (*p == os_toascii['.'])) -#endif - { - p++; - if(*p) type = p; - break; - } -#ifndef CHARSET_EBCDIC - if (*type == '+') -#else - if (*type == os_toascii['+']) -#endif - { - mval = -1; - type++; - } - else - mval = 0; - if (!X509_NAME_add_entry_by_txt(nm,type, chtype, - (unsigned char *) v->value,-1,-1,mval)) - return 0; - - } - return 1; - } diff --git a/openssl/crypto/x509v3/v3conf.c b/openssl/crypto/x509v3/v3conf.c deleted file mode 100644 index a9e6ca35..00000000 --- a/openssl/crypto/x509v3/v3conf.c +++ /dev/null @@ -1,127 +0,0 @@ -/* v3conf.c */ -/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL - * project 1999. - */ -/* ==================================================================== - * Copyright (c) 1999 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - - -#include <stdio.h> -#include "cryptlib.h" -#include <openssl/asn1.h> -#include <openssl/conf.h> -#include <openssl/x509.h> -#include <openssl/x509v3.h> - -/* Test application to add extensions from a config file */ - -int main(int argc, char **argv) -{ - LHASH *conf; - X509 *cert; - FILE *inf; - char *conf_file; - int i; - int count; - X509_EXTENSION *ext; - X509V3_add_standard_extensions(); - ERR_load_crypto_strings(); - if(!argv[1]) { - fprintf(stderr, "Usage: v3conf cert.pem [file.cnf]\n"); - exit(1); - } - conf_file = argv[2]; - if(!conf_file) conf_file = "test.cnf"; - conf = CONF_load(NULL, "test.cnf", NULL); - if(!conf) { - fprintf(stderr, "Error opening Config file %s\n", conf_file); - ERR_print_errors_fp(stderr); - exit(1); - } - - inf = fopen(argv[1], "r"); - if(!inf) { - fprintf(stderr, "Can't open certificate file %s\n", argv[1]); - exit(1); - } - cert = PEM_read_X509(inf, NULL, NULL); - if(!cert) { - fprintf(stderr, "Error reading certificate file %s\n", argv[1]); - exit(1); - } - fclose(inf); - - sk_pop_free(cert->cert_info->extensions, X509_EXTENSION_free); - cert->cert_info->extensions = NULL; - - if(!X509V3_EXT_add_conf(conf, NULL, "test_section", cert)) { - fprintf(stderr, "Error adding extensions\n"); - ERR_print_errors_fp(stderr); - exit(1); - } - - count = X509_get_ext_count(cert); - printf("%d extensions\n", count); - for(i = 0; i < count; i++) { - ext = X509_get_ext(cert, i); - printf("%s", OBJ_nid2ln(OBJ_obj2nid(ext->object))); - if(ext->critical) printf(",critical:\n"); - else printf(":\n"); - X509V3_EXT_print_fp(stdout, ext, 0, 0); - printf("\n"); - - } - return 0; -} - diff --git a/openssl/crypto/x509v3/v3err.c b/openssl/crypto/x509v3/v3err.c deleted file mode 100644 index f9f6f1f9..00000000 --- a/openssl/crypto/x509v3/v3err.c +++ /dev/null @@ -1,226 +0,0 @@ -/* crypto/x509v3/v3err.c */ -/* ==================================================================== - * Copyright (c) 1999-2007 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -/* NOTE: this file was auto generated by the mkerr.pl script: any changes - * made to it will be overwritten when the script next updates this file, - * only reason strings will be preserved. - */ - -#include <stdio.h> -#include <openssl/err.h> -#include <openssl/x509v3.h> - -/* BEGIN ERROR CODES */ -#ifndef OPENSSL_NO_ERR - -#define ERR_FUNC(func) ERR_PACK(ERR_LIB_X509V3,func,0) -#define ERR_REASON(reason) ERR_PACK(ERR_LIB_X509V3,0,reason) - -static ERR_STRING_DATA X509V3_str_functs[]= - { -{ERR_FUNC(X509V3_F_A2I_GENERAL_NAME), "A2I_GENERAL_NAME"}, -{ERR_FUNC(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE), "ASIDENTIFIERCHOICE_CANONIZE"}, -{ERR_FUNC(X509V3_F_ASIDENTIFIERCHOICE_IS_CANONICAL), "ASIDENTIFIERCHOICE_IS_CANONICAL"}, -{ERR_FUNC(X509V3_F_COPY_EMAIL), "COPY_EMAIL"}, -{ERR_FUNC(X509V3_F_COPY_ISSUER), "COPY_ISSUER"}, -{ERR_FUNC(X509V3_F_DO_DIRNAME), "DO_DIRNAME"}, -{ERR_FUNC(X509V3_F_DO_EXT_CONF), "DO_EXT_CONF"}, -{ERR_FUNC(X509V3_F_DO_EXT_I2D), "DO_EXT_I2D"}, -{ERR_FUNC(X509V3_F_DO_EXT_NCONF), "DO_EXT_NCONF"}, -{ERR_FUNC(X509V3_F_DO_I2V_NAME_CONSTRAINTS), "DO_I2V_NAME_CONSTRAINTS"}, -{ERR_FUNC(X509V3_F_GNAMES_FROM_SECTNAME), "GNAMES_FROM_SECTNAME"}, -{ERR_FUNC(X509V3_F_HEX_TO_STRING), "hex_to_string"}, -{ERR_FUNC(X509V3_F_I2S_ASN1_ENUMERATED), "i2s_ASN1_ENUMERATED"}, -{ERR_FUNC(X509V3_F_I2S_ASN1_IA5STRING), "I2S_ASN1_IA5STRING"}, -{ERR_FUNC(X509V3_F_I2S_ASN1_INTEGER), "i2s_ASN1_INTEGER"}, -{ERR_FUNC(X509V3_F_I2V_AUTHORITY_INFO_ACCESS), "I2V_AUTHORITY_INFO_ACCESS"}, -{ERR_FUNC(X509V3_F_NOTICE_SECTION), "NOTICE_SECTION"}, -{ERR_FUNC(X509V3_F_NREF_NOS), "NREF_NOS"}, -{ERR_FUNC(X509V3_F_POLICY_SECTION), "POLICY_SECTION"}, -{ERR_FUNC(X509V3_F_PROCESS_PCI_VALUE), "PROCESS_PCI_VALUE"}, -{ERR_FUNC(X509V3_F_R2I_CERTPOL), "R2I_CERTPOL"}, -{ERR_FUNC(X509V3_F_R2I_PCI), "R2I_PCI"}, -{ERR_FUNC(X509V3_F_S2I_ASN1_IA5STRING), "S2I_ASN1_IA5STRING"}, -{ERR_FUNC(X509V3_F_S2I_ASN1_INTEGER), "s2i_ASN1_INTEGER"}, -{ERR_FUNC(X509V3_F_S2I_ASN1_OCTET_STRING), "s2i_ASN1_OCTET_STRING"}, -{ERR_FUNC(X509V3_F_S2I_ASN1_SKEY_ID), "S2I_ASN1_SKEY_ID"}, -{ERR_FUNC(X509V3_F_S2I_SKEY_ID), "S2I_SKEY_ID"}, -{ERR_FUNC(X509V3_F_SET_DIST_POINT_NAME), "SET_DIST_POINT_NAME"}, -{ERR_FUNC(X509V3_F_STRING_TO_HEX), "string_to_hex"}, -{ERR_FUNC(X509V3_F_SXNET_ADD_ID_ASC), "SXNET_add_id_asc"}, -{ERR_FUNC(X509V3_F_SXNET_ADD_ID_INTEGER), "SXNET_add_id_INTEGER"}, -{ERR_FUNC(X509V3_F_SXNET_ADD_ID_ULONG), "SXNET_add_id_ulong"}, -{ERR_FUNC(X509V3_F_SXNET_GET_ID_ASC), "SXNET_get_id_asc"}, -{ERR_FUNC(X509V3_F_SXNET_GET_ID_ULONG), "SXNET_get_id_ulong"}, -{ERR_FUNC(X509V3_F_V2I_ASIDENTIFIERS), "V2I_ASIDENTIFIERS"}, -{ERR_FUNC(X509V3_F_V2I_ASN1_BIT_STRING), "v2i_ASN1_BIT_STRING"}, -{ERR_FUNC(X509V3_F_V2I_AUTHORITY_INFO_ACCESS), "V2I_AUTHORITY_INFO_ACCESS"}, -{ERR_FUNC(X509V3_F_V2I_AUTHORITY_KEYID), "V2I_AUTHORITY_KEYID"}, -{ERR_FUNC(X509V3_F_V2I_BASIC_CONSTRAINTS), "V2I_BASIC_CONSTRAINTS"}, -{ERR_FUNC(X509V3_F_V2I_CRLD), "V2I_CRLD"}, -{ERR_FUNC(X509V3_F_V2I_EXTENDED_KEY_USAGE), "V2I_EXTENDED_KEY_USAGE"}, -{ERR_FUNC(X509V3_F_V2I_GENERAL_NAMES), "v2i_GENERAL_NAMES"}, -{ERR_FUNC(X509V3_F_V2I_GENERAL_NAME_EX), "v2i_GENERAL_NAME_ex"}, -{ERR_FUNC(X509V3_F_V2I_IDP), "V2I_IDP"}, -{ERR_FUNC(X509V3_F_V2I_IPADDRBLOCKS), "V2I_IPADDRBLOCKS"}, -{ERR_FUNC(X509V3_F_V2I_ISSUER_ALT), "V2I_ISSUER_ALT"}, -{ERR_FUNC(X509V3_F_V2I_NAME_CONSTRAINTS), "V2I_NAME_CONSTRAINTS"}, -{ERR_FUNC(X509V3_F_V2I_POLICY_CONSTRAINTS), "V2I_POLICY_CONSTRAINTS"}, -{ERR_FUNC(X509V3_F_V2I_POLICY_MAPPINGS), "V2I_POLICY_MAPPINGS"}, -{ERR_FUNC(X509V3_F_V2I_SUBJECT_ALT), "V2I_SUBJECT_ALT"}, -{ERR_FUNC(X509V3_F_V3_ADDR_VALIDATE_PATH_INTERNAL), "V3_ADDR_VALIDATE_PATH_INTERNAL"}, -{ERR_FUNC(X509V3_F_V3_GENERIC_EXTENSION), "V3_GENERIC_EXTENSION"}, -{ERR_FUNC(X509V3_F_X509V3_ADD1_I2D), "X509V3_add1_i2d"}, -{ERR_FUNC(X509V3_F_X509V3_ADD_VALUE), "X509V3_add_value"}, -{ERR_FUNC(X509V3_F_X509V3_EXT_ADD), "X509V3_EXT_add"}, -{ERR_FUNC(X509V3_F_X509V3_EXT_ADD_ALIAS), "X509V3_EXT_add_alias"}, -{ERR_FUNC(X509V3_F_X509V3_EXT_CONF), "X509V3_EXT_conf"}, -{ERR_FUNC(X509V3_F_X509V3_EXT_I2D), "X509V3_EXT_i2d"}, -{ERR_FUNC(X509V3_F_X509V3_EXT_NCONF), "X509V3_EXT_nconf"}, -{ERR_FUNC(X509V3_F_X509V3_GET_SECTION), "X509V3_get_section"}, -{ERR_FUNC(X509V3_F_X509V3_GET_STRING), "X509V3_get_string"}, -{ERR_FUNC(X509V3_F_X509V3_GET_VALUE_BOOL), "X509V3_get_value_bool"}, -{ERR_FUNC(X509V3_F_X509V3_PARSE_LIST), "X509V3_parse_list"}, -{ERR_FUNC(X509V3_F_X509_PURPOSE_ADD), "X509_PURPOSE_add"}, -{ERR_FUNC(X509V3_F_X509_PURPOSE_SET), "X509_PURPOSE_set"}, -{0,NULL} - }; - -static ERR_STRING_DATA X509V3_str_reasons[]= - { -{ERR_REASON(X509V3_R_BAD_IP_ADDRESS) ,"bad ip address"}, -{ERR_REASON(X509V3_R_BAD_OBJECT) ,"bad object"}, -{ERR_REASON(X509V3_R_BN_DEC2BN_ERROR) ,"bn dec2bn error"}, -{ERR_REASON(X509V3_R_BN_TO_ASN1_INTEGER_ERROR),"bn to asn1 integer error"}, -{ERR_REASON(X509V3_R_DIRNAME_ERROR) ,"dirname error"}, -{ERR_REASON(X509V3_R_DISTPOINT_ALREADY_SET),"distpoint already set"}, -{ERR_REASON(X509V3_R_DUPLICATE_ZONE_ID) ,"duplicate zone id"}, -{ERR_REASON(X509V3_R_ERROR_CONVERTING_ZONE),"error converting zone"}, -{ERR_REASON(X509V3_R_ERROR_CREATING_EXTENSION),"error creating extension"}, -{ERR_REASON(X509V3_R_ERROR_IN_EXTENSION) ,"error in extension"}, -{ERR_REASON(X509V3_R_EXPECTED_A_SECTION_NAME),"expected a section name"}, -{ERR_REASON(X509V3_R_EXTENSION_EXISTS) ,"extension exists"}, -{ERR_REASON(X509V3_R_EXTENSION_NAME_ERROR),"extension name error"}, -{ERR_REASON(X509V3_R_EXTENSION_NOT_FOUND),"extension not found"}, -{ERR_REASON(X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED),"extension setting not supported"}, -{ERR_REASON(X509V3_R_EXTENSION_VALUE_ERROR),"extension value error"}, -{ERR_REASON(X509V3_R_ILLEGAL_EMPTY_EXTENSION),"illegal empty extension"}, -{ERR_REASON(X509V3_R_ILLEGAL_HEX_DIGIT) ,"illegal hex digit"}, -{ERR_REASON(X509V3_R_INCORRECT_POLICY_SYNTAX_TAG),"incorrect policy syntax tag"}, -{ERR_REASON(X509V3_R_INVALID_MULTIPLE_RDNS),"invalid multiple rdns"}, -{ERR_REASON(X509V3_R_INVALID_ASNUMBER) ,"invalid asnumber"}, -{ERR_REASON(X509V3_R_INVALID_ASRANGE) ,"invalid asrange"}, -{ERR_REASON(X509V3_R_INVALID_BOOLEAN_STRING),"invalid boolean string"}, -{ERR_REASON(X509V3_R_INVALID_EXTENSION_STRING),"invalid extension string"}, -{ERR_REASON(X509V3_R_INVALID_INHERITANCE),"invalid inheritance"}, -{ERR_REASON(X509V3_R_INVALID_IPADDRESS) ,"invalid ipaddress"}, -{ERR_REASON(X509V3_R_INVALID_NAME) ,"invalid name"}, -{ERR_REASON(X509V3_R_INVALID_NULL_ARGUMENT),"invalid null argument"}, -{ERR_REASON(X509V3_R_INVALID_NULL_NAME) ,"invalid null name"}, -{ERR_REASON(X509V3_R_INVALID_NULL_VALUE) ,"invalid null value"}, -{ERR_REASON(X509V3_R_INVALID_NUMBER) ,"invalid number"}, -{ERR_REASON(X509V3_R_INVALID_NUMBERS) ,"invalid numbers"}, -{ERR_REASON(X509V3_R_INVALID_OBJECT_IDENTIFIER),"invalid object identifier"}, -{ERR_REASON(X509V3_R_INVALID_OPTION) ,"invalid option"}, -{ERR_REASON(X509V3_R_INVALID_POLICY_IDENTIFIER),"invalid policy identifier"}, -{ERR_REASON(X509V3_R_INVALID_PROXY_POLICY_SETTING),"invalid proxy policy setting"}, -{ERR_REASON(X509V3_R_INVALID_PURPOSE) ,"invalid purpose"}, -{ERR_REASON(X509V3_R_INVALID_SAFI) ,"invalid safi"}, -{ERR_REASON(X509V3_R_INVALID_SECTION) ,"invalid section"}, -{ERR_REASON(X509V3_R_INVALID_SYNTAX) ,"invalid syntax"}, -{ERR_REASON(X509V3_R_ISSUER_DECODE_ERROR),"issuer decode error"}, -{ERR_REASON(X509V3_R_MISSING_VALUE) ,"missing value"}, -{ERR_REASON(X509V3_R_NEED_ORGANIZATION_AND_NUMBERS),"need organization and numbers"}, -{ERR_REASON(X509V3_R_NO_CONFIG_DATABASE) ,"no config database"}, -{ERR_REASON(X509V3_R_NO_ISSUER_CERTIFICATE),"no issuer certificate"}, -{ERR_REASON(X509V3_R_NO_ISSUER_DETAILS) ,"no issuer details"}, -{ERR_REASON(X509V3_R_NO_POLICY_IDENTIFIER),"no policy identifier"}, -{ERR_REASON(X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED),"no proxy cert policy language defined"}, -{ERR_REASON(X509V3_R_NO_PUBLIC_KEY) ,"no public key"}, -{ERR_REASON(X509V3_R_NO_SUBJECT_DETAILS) ,"no subject details"}, -{ERR_REASON(X509V3_R_ODD_NUMBER_OF_DIGITS),"odd number of digits"}, -{ERR_REASON(X509V3_R_OPERATION_NOT_DEFINED),"operation not defined"}, -{ERR_REASON(X509V3_R_OTHERNAME_ERROR) ,"othername error"}, -{ERR_REASON(X509V3_R_POLICY_LANGUAGE_ALREADY_DEFINED),"policy language already defined"}, -{ERR_REASON(X509V3_R_POLICY_PATH_LENGTH) ,"policy path length"}, -{ERR_REASON(X509V3_R_POLICY_PATH_LENGTH_ALREADY_DEFINED),"policy path length already defined"}, -{ERR_REASON(X509V3_R_POLICY_SYNTAX_NOT_CURRENTLY_SUPPORTED),"policy syntax not currently supported"}, -{ERR_REASON(X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY),"policy when proxy language requires no policy"}, -{ERR_REASON(X509V3_R_SECTION_NOT_FOUND) ,"section not found"}, -{ERR_REASON(X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS),"unable to get issuer details"}, -{ERR_REASON(X509V3_R_UNABLE_TO_GET_ISSUER_KEYID),"unable to get issuer keyid"}, -{ERR_REASON(X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT),"unknown bit string argument"}, -{ERR_REASON(X509V3_R_UNKNOWN_EXTENSION) ,"unknown extension"}, -{ERR_REASON(X509V3_R_UNKNOWN_EXTENSION_NAME),"unknown extension name"}, -{ERR_REASON(X509V3_R_UNKNOWN_OPTION) ,"unknown option"}, -{ERR_REASON(X509V3_R_UNSUPPORTED_OPTION) ,"unsupported option"}, -{ERR_REASON(X509V3_R_UNSUPPORTED_TYPE) ,"unsupported type"}, -{ERR_REASON(X509V3_R_USER_TOO_LONG) ,"user too long"}, -{0,NULL} - }; - -#endif - -void ERR_load_X509V3_strings(void) - { -#ifndef OPENSSL_NO_ERR - - if (ERR_func_error_string(X509V3_str_functs[0].error) == NULL) - { - ERR_load_strings(0,X509V3_str_functs); - ERR_load_strings(0,X509V3_str_reasons); - } -#endif - } diff --git a/openssl/crypto/x509v3/v3prin.c b/openssl/crypto/x509v3/v3prin.c deleted file mode 100644 index d5ff2682..00000000 --- a/openssl/crypto/x509v3/v3prin.c +++ /dev/null @@ -1,99 +0,0 @@ -/* v3prin.c */ -/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL - * project 1999. - */ -/* ==================================================================== - * Copyright (c) 1999 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - - - -#include <stdio.h> -#include <openssl/asn1.h> -#include <openssl/conf.h> -#include <openssl/x509.h> -#include <openssl/x509v3.h> - -int main(int argc, char **argv) -{ - X509 *cert; - FILE *inf; - int i, count; - X509_EXTENSION *ext; - X509V3_add_standard_extensions(); - ERR_load_crypto_strings(); - if(!argv[1]) { - fprintf(stderr, "Usage v3prin cert.pem\n"); - exit(1); - } - if(!(inf = fopen(argv[1], "r"))) { - fprintf(stderr, "Can't open %s\n", argv[1]); - exit(1); - } - if(!(cert = PEM_read_X509(inf, NULL, NULL))) { - fprintf(stderr, "Can't read certificate %s\n", argv[1]); - ERR_print_errors_fp(stderr); - exit(1); - } - fclose(inf); - count = X509_get_ext_count(cert); - printf("%d extensions\n", count); - for(i = 0; i < count; i++) { - ext = X509_get_ext(cert, i); - printf("%s\n", OBJ_nid2ln(OBJ_obj2nid(ext->object))); - if(!X509V3_EXT_print_fp(stdout, ext, 0, 0)) ERR_print_errors_fp(stderr); - printf("\n"); - - } - return 0; -} diff --git a/openssl/crypto/x509v3/x509v3.h b/openssl/crypto/x509v3/x509v3.h deleted file mode 100644 index b308abe7..00000000 --- a/openssl/crypto/x509v3/x509v3.h +++ /dev/null @@ -1,1007 +0,0 @@ -/* x509v3.h */ -/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL - * project 1999. - */ -/* ==================================================================== - * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ -#ifndef HEADER_X509V3_H -#define HEADER_X509V3_H - -#include <openssl/bio.h> -#include <openssl/x509.h> -#include <openssl/conf.h> - -#ifdef __cplusplus -extern "C" { -#endif - -/* Forward reference */ -struct v3_ext_method; -struct v3_ext_ctx; - -/* Useful typedefs */ - -typedef void * (*X509V3_EXT_NEW)(void); -typedef void (*X509V3_EXT_FREE)(void *); -typedef void * (*X509V3_EXT_D2I)(void *, const unsigned char ** , long); -typedef int (*X509V3_EXT_I2D)(void *, unsigned char **); -typedef STACK_OF(CONF_VALUE) * - (*X509V3_EXT_I2V)(const struct v3_ext_method *method, void *ext, - STACK_OF(CONF_VALUE) *extlist); -typedef void * (*X509V3_EXT_V2I)(const struct v3_ext_method *method, - struct v3_ext_ctx *ctx, - STACK_OF(CONF_VALUE) *values); -typedef char * (*X509V3_EXT_I2S)(const struct v3_ext_method *method, void *ext); -typedef void * (*X509V3_EXT_S2I)(const struct v3_ext_method *method, - struct v3_ext_ctx *ctx, const char *str); -typedef int (*X509V3_EXT_I2R)(const struct v3_ext_method *method, void *ext, - BIO *out, int indent); -typedef void * (*X509V3_EXT_R2I)(const struct v3_ext_method *method, - struct v3_ext_ctx *ctx, const char *str); - -/* V3 extension structure */ - -struct v3_ext_method { -int ext_nid; -int ext_flags; -/* If this is set the following four fields are ignored */ -ASN1_ITEM_EXP *it; -/* Old style ASN1 calls */ -X509V3_EXT_NEW ext_new; -X509V3_EXT_FREE ext_free; -X509V3_EXT_D2I d2i; -X509V3_EXT_I2D i2d; - -/* The following pair is used for string extensions */ -X509V3_EXT_I2S i2s; -X509V3_EXT_S2I s2i; - -/* The following pair is used for multi-valued extensions */ -X509V3_EXT_I2V i2v; -X509V3_EXT_V2I v2i; - -/* The following are used for raw extensions */ -X509V3_EXT_I2R i2r; -X509V3_EXT_R2I r2i; - -void *usr_data; /* Any extension specific data */ -}; - -typedef struct X509V3_CONF_METHOD_st { -char * (*get_string)(void *db, char *section, char *value); -STACK_OF(CONF_VALUE) * (*get_section)(void *db, char *section); -void (*free_string)(void *db, char * string); -void (*free_section)(void *db, STACK_OF(CONF_VALUE) *section); -} X509V3_CONF_METHOD; - -/* Context specific info */ -struct v3_ext_ctx { -#define CTX_TEST 0x1 -int flags; -X509 *issuer_cert; -X509 *subject_cert; -X509_REQ *subject_req; -X509_CRL *crl; -X509V3_CONF_METHOD *db_meth; -void *db; -/* Maybe more here */ -}; - -typedef struct v3_ext_method X509V3_EXT_METHOD; - -DECLARE_STACK_OF(X509V3_EXT_METHOD) - -/* ext_flags values */ -#define X509V3_EXT_DYNAMIC 0x1 -#define X509V3_EXT_CTX_DEP 0x2 -#define X509V3_EXT_MULTILINE 0x4 - -typedef BIT_STRING_BITNAME ENUMERATED_NAMES; - -typedef struct BASIC_CONSTRAINTS_st { -int ca; -ASN1_INTEGER *pathlen; -} BASIC_CONSTRAINTS; - - -typedef struct PKEY_USAGE_PERIOD_st { -ASN1_GENERALIZEDTIME *notBefore; -ASN1_GENERALIZEDTIME *notAfter; -} PKEY_USAGE_PERIOD; - -typedef struct otherName_st { -ASN1_OBJECT *type_id; -ASN1_TYPE *value; -} OTHERNAME; - -typedef struct EDIPartyName_st { - ASN1_STRING *nameAssigner; - ASN1_STRING *partyName; -} EDIPARTYNAME; - -typedef struct GENERAL_NAME_st { - -#define GEN_OTHERNAME 0 -#define GEN_EMAIL 1 -#define GEN_DNS 2 -#define GEN_X400 3 -#define GEN_DIRNAME 4 -#define GEN_EDIPARTY 5 -#define GEN_URI 6 -#define GEN_IPADD 7 -#define GEN_RID 8 - -int type; -union { - char *ptr; - OTHERNAME *otherName; /* otherName */ - ASN1_IA5STRING *rfc822Name; - ASN1_IA5STRING *dNSName; - ASN1_TYPE *x400Address; - X509_NAME *directoryName; - EDIPARTYNAME *ediPartyName; - ASN1_IA5STRING *uniformResourceIdentifier; - ASN1_OCTET_STRING *iPAddress; - ASN1_OBJECT *registeredID; - - /* Old names */ - ASN1_OCTET_STRING *ip; /* iPAddress */ - X509_NAME *dirn; /* dirn */ - ASN1_IA5STRING *ia5;/* rfc822Name, dNSName, uniformResourceIdentifier */ - ASN1_OBJECT *rid; /* registeredID */ - ASN1_TYPE *other; /* x400Address */ -} d; -} GENERAL_NAME; - -typedef STACK_OF(GENERAL_NAME) GENERAL_NAMES; - -typedef struct ACCESS_DESCRIPTION_st { - ASN1_OBJECT *method; - GENERAL_NAME *location; -} ACCESS_DESCRIPTION; - -typedef STACK_OF(ACCESS_DESCRIPTION) AUTHORITY_INFO_ACCESS; - -typedef STACK_OF(ASN1_OBJECT) EXTENDED_KEY_USAGE; - -DECLARE_STACK_OF(GENERAL_NAME) -DECLARE_ASN1_SET_OF(GENERAL_NAME) - -DECLARE_STACK_OF(ACCESS_DESCRIPTION) -DECLARE_ASN1_SET_OF(ACCESS_DESCRIPTION) - -typedef struct DIST_POINT_NAME_st { -int type; -union { - GENERAL_NAMES *fullname; - STACK_OF(X509_NAME_ENTRY) *relativename; -} name; -/* If relativename then this contains the full distribution point name */ -X509_NAME *dpname; -} DIST_POINT_NAME; -/* All existing reasons */ -#define CRLDP_ALL_REASONS 0x807f - -#define CRL_REASON_NONE -1 -#define CRL_REASON_UNSPECIFIED 0 -#define CRL_REASON_KEY_COMPROMISE 1 -#define CRL_REASON_CA_COMPROMISE 2 -#define CRL_REASON_AFFILIATION_CHANGED 3 -#define CRL_REASON_SUPERSEDED 4 -#define CRL_REASON_CESSATION_OF_OPERATION 5 -#define CRL_REASON_CERTIFICATE_HOLD 6 -#define CRL_REASON_REMOVE_FROM_CRL 8 -#define CRL_REASON_PRIVILEGE_WITHDRAWN 9 -#define CRL_REASON_AA_COMPROMISE 10 - -struct DIST_POINT_st { -DIST_POINT_NAME *distpoint; -ASN1_BIT_STRING *reasons; -GENERAL_NAMES *CRLissuer; -int dp_reasons; -}; - -typedef STACK_OF(DIST_POINT) CRL_DIST_POINTS; - -DECLARE_STACK_OF(DIST_POINT) -DECLARE_ASN1_SET_OF(DIST_POINT) - -struct AUTHORITY_KEYID_st { -ASN1_OCTET_STRING *keyid; -GENERAL_NAMES *issuer; -ASN1_INTEGER *serial; -}; - -/* Strong extranet structures */ - -typedef struct SXNET_ID_st { - ASN1_INTEGER *zone; - ASN1_OCTET_STRING *user; -} SXNETID; - -DECLARE_STACK_OF(SXNETID) -DECLARE_ASN1_SET_OF(SXNETID) - -typedef struct SXNET_st { - ASN1_INTEGER *version; - STACK_OF(SXNETID) *ids; -} SXNET; - -typedef struct NOTICEREF_st { - ASN1_STRING *organization; - STACK_OF(ASN1_INTEGER) *noticenos; -} NOTICEREF; - -typedef struct USERNOTICE_st { - NOTICEREF *noticeref; - ASN1_STRING *exptext; -} USERNOTICE; - -typedef struct POLICYQUALINFO_st { - ASN1_OBJECT *pqualid; - union { - ASN1_IA5STRING *cpsuri; - USERNOTICE *usernotice; - ASN1_TYPE *other; - } d; -} POLICYQUALINFO; - -DECLARE_STACK_OF(POLICYQUALINFO) -DECLARE_ASN1_SET_OF(POLICYQUALINFO) - -typedef struct POLICYINFO_st { - ASN1_OBJECT *policyid; - STACK_OF(POLICYQUALINFO) *qualifiers; -} POLICYINFO; - -typedef STACK_OF(POLICYINFO) CERTIFICATEPOLICIES; - -DECLARE_STACK_OF(POLICYINFO) -DECLARE_ASN1_SET_OF(POLICYINFO) - -typedef struct POLICY_MAPPING_st { - ASN1_OBJECT *issuerDomainPolicy; - ASN1_OBJECT *subjectDomainPolicy; -} POLICY_MAPPING; - -DECLARE_STACK_OF(POLICY_MAPPING) - -typedef STACK_OF(POLICY_MAPPING) POLICY_MAPPINGS; - -typedef struct GENERAL_SUBTREE_st { - GENERAL_NAME *base; - ASN1_INTEGER *minimum; - ASN1_INTEGER *maximum; -} GENERAL_SUBTREE; - -DECLARE_STACK_OF(GENERAL_SUBTREE) - -struct NAME_CONSTRAINTS_st { - STACK_OF(GENERAL_SUBTREE) *permittedSubtrees; - STACK_OF(GENERAL_SUBTREE) *excludedSubtrees; -}; - -typedef struct POLICY_CONSTRAINTS_st { - ASN1_INTEGER *requireExplicitPolicy; - ASN1_INTEGER *inhibitPolicyMapping; -} POLICY_CONSTRAINTS; - -/* Proxy certificate structures, see RFC 3820 */ -typedef struct PROXY_POLICY_st - { - ASN1_OBJECT *policyLanguage; - ASN1_OCTET_STRING *policy; - } PROXY_POLICY; - -typedef struct PROXY_CERT_INFO_EXTENSION_st - { - ASN1_INTEGER *pcPathLengthConstraint; - PROXY_POLICY *proxyPolicy; - } PROXY_CERT_INFO_EXTENSION; - -DECLARE_ASN1_FUNCTIONS(PROXY_POLICY) -DECLARE_ASN1_FUNCTIONS(PROXY_CERT_INFO_EXTENSION) - -struct ISSUING_DIST_POINT_st - { - DIST_POINT_NAME *distpoint; - int onlyuser; - int onlyCA; - ASN1_BIT_STRING *onlysomereasons; - int indirectCRL; - int onlyattr; - }; - -/* Values in idp_flags field */ -/* IDP present */ -#define IDP_PRESENT 0x1 -/* IDP values inconsistent */ -#define IDP_INVALID 0x2 -/* onlyuser true */ -#define IDP_ONLYUSER 0x4 -/* onlyCA true */ -#define IDP_ONLYCA 0x8 -/* onlyattr true */ -#define IDP_ONLYATTR 0x10 -/* indirectCRL true */ -#define IDP_INDIRECT 0x20 -/* onlysomereasons present */ -#define IDP_REASONS 0x40 - -#define X509V3_conf_err(val) ERR_add_error_data(6, "section:", val->section, \ -",name:", val->name, ",value:", val->value); - -#define X509V3_set_ctx_test(ctx) \ - X509V3_set_ctx(ctx, NULL, NULL, NULL, NULL, CTX_TEST) -#define X509V3_set_ctx_nodb(ctx) (ctx)->db = NULL; - -#define EXT_BITSTRING(nid, table) { nid, 0, ASN1_ITEM_ref(ASN1_BIT_STRING), \ - 0,0,0,0, \ - 0,0, \ - (X509V3_EXT_I2V)i2v_ASN1_BIT_STRING, \ - (X509V3_EXT_V2I)v2i_ASN1_BIT_STRING, \ - NULL, NULL, \ - table} - -#define EXT_IA5STRING(nid) { nid, 0, ASN1_ITEM_ref(ASN1_IA5STRING), \ - 0,0,0,0, \ - (X509V3_EXT_I2S)i2s_ASN1_IA5STRING, \ - (X509V3_EXT_S2I)s2i_ASN1_IA5STRING, \ - 0,0,0,0, \ - NULL} - -#define EXT_END { -1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0} - - -/* X509_PURPOSE stuff */ - -#define EXFLAG_BCONS 0x1 -#define EXFLAG_KUSAGE 0x2 -#define EXFLAG_XKUSAGE 0x4 -#define EXFLAG_NSCERT 0x8 - -#define EXFLAG_CA 0x10 -/* Really self issued not necessarily self signed */ -#define EXFLAG_SI 0x20 -#define EXFLAG_SS 0x20 -#define EXFLAG_V1 0x40 -#define EXFLAG_INVALID 0x80 -#define EXFLAG_SET 0x100 -#define EXFLAG_CRITICAL 0x200 -#define EXFLAG_PROXY 0x400 - -#define EXFLAG_INVALID_POLICY 0x800 -#define EXFLAG_FRESHEST 0x1000 - -#define KU_DIGITAL_SIGNATURE 0x0080 -#define KU_NON_REPUDIATION 0x0040 -#define KU_KEY_ENCIPHERMENT 0x0020 -#define KU_DATA_ENCIPHERMENT 0x0010 -#define KU_KEY_AGREEMENT 0x0008 -#define KU_KEY_CERT_SIGN 0x0004 -#define KU_CRL_SIGN 0x0002 -#define KU_ENCIPHER_ONLY 0x0001 -#define KU_DECIPHER_ONLY 0x8000 - -#define NS_SSL_CLIENT 0x80 -#define NS_SSL_SERVER 0x40 -#define NS_SMIME 0x20 -#define NS_OBJSIGN 0x10 -#define NS_SSL_CA 0x04 -#define NS_SMIME_CA 0x02 -#define NS_OBJSIGN_CA 0x01 -#define NS_ANY_CA (NS_SSL_CA|NS_SMIME_CA|NS_OBJSIGN_CA) - -#define XKU_SSL_SERVER 0x1 -#define XKU_SSL_CLIENT 0x2 -#define XKU_SMIME 0x4 -#define XKU_CODE_SIGN 0x8 -#define XKU_SGC 0x10 -#define XKU_OCSP_SIGN 0x20 -#define XKU_TIMESTAMP 0x40 -#define XKU_DVCS 0x80 - -#define X509_PURPOSE_DYNAMIC 0x1 -#define X509_PURPOSE_DYNAMIC_NAME 0x2 - -typedef struct x509_purpose_st { - int purpose; - int trust; /* Default trust ID */ - int flags; - int (*check_purpose)(const struct x509_purpose_st *, - const X509 *, int); - char *name; - char *sname; - void *usr_data; -} X509_PURPOSE; - -#define X509_PURPOSE_SSL_CLIENT 1 -#define X509_PURPOSE_SSL_SERVER 2 -#define X509_PURPOSE_NS_SSL_SERVER 3 -#define X509_PURPOSE_SMIME_SIGN 4 -#define X509_PURPOSE_SMIME_ENCRYPT 5 -#define X509_PURPOSE_CRL_SIGN 6 -#define X509_PURPOSE_ANY 7 -#define X509_PURPOSE_OCSP_HELPER 8 -#define X509_PURPOSE_TIMESTAMP_SIGN 9 - -#define X509_PURPOSE_MIN 1 -#define X509_PURPOSE_MAX 9 - -/* Flags for X509V3_EXT_print() */ - -#define X509V3_EXT_UNKNOWN_MASK (0xfL << 16) -/* Return error for unknown extensions */ -#define X509V3_EXT_DEFAULT 0 -/* Print error for unknown extensions */ -#define X509V3_EXT_ERROR_UNKNOWN (1L << 16) -/* ASN1 parse unknown extensions */ -#define X509V3_EXT_PARSE_UNKNOWN (2L << 16) -/* BIO_dump unknown extensions */ -#define X509V3_EXT_DUMP_UNKNOWN (3L << 16) - -/* Flags for X509V3_add1_i2d */ - -#define X509V3_ADD_OP_MASK 0xfL -#define X509V3_ADD_DEFAULT 0L -#define X509V3_ADD_APPEND 1L -#define X509V3_ADD_REPLACE 2L -#define X509V3_ADD_REPLACE_EXISTING 3L -#define X509V3_ADD_KEEP_EXISTING 4L -#define X509V3_ADD_DELETE 5L -#define X509V3_ADD_SILENT 0x10 - -DECLARE_STACK_OF(X509_PURPOSE) - -DECLARE_ASN1_FUNCTIONS(BASIC_CONSTRAINTS) - -DECLARE_ASN1_FUNCTIONS(SXNET) -DECLARE_ASN1_FUNCTIONS(SXNETID) - -int SXNET_add_id_asc(SXNET **psx, char *zone, char *user, int userlen); -int SXNET_add_id_ulong(SXNET **psx, unsigned long lzone, char *user, int userlen); -int SXNET_add_id_INTEGER(SXNET **psx, ASN1_INTEGER *izone, char *user, int userlen); - -ASN1_OCTET_STRING *SXNET_get_id_asc(SXNET *sx, char *zone); -ASN1_OCTET_STRING *SXNET_get_id_ulong(SXNET *sx, unsigned long lzone); -ASN1_OCTET_STRING *SXNET_get_id_INTEGER(SXNET *sx, ASN1_INTEGER *zone); - -DECLARE_ASN1_FUNCTIONS(AUTHORITY_KEYID) - -DECLARE_ASN1_FUNCTIONS(PKEY_USAGE_PERIOD) - -DECLARE_ASN1_FUNCTIONS(GENERAL_NAME) -GENERAL_NAME *GENERAL_NAME_dup(GENERAL_NAME *a); -int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b); - - - -ASN1_BIT_STRING *v2i_ASN1_BIT_STRING(X509V3_EXT_METHOD *method, - X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval); -STACK_OF(CONF_VALUE) *i2v_ASN1_BIT_STRING(X509V3_EXT_METHOD *method, - ASN1_BIT_STRING *bits, - STACK_OF(CONF_VALUE) *extlist); - -STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(X509V3_EXT_METHOD *method, GENERAL_NAME *gen, STACK_OF(CONF_VALUE) *ret); -int GENERAL_NAME_print(BIO *out, GENERAL_NAME *gen); - -DECLARE_ASN1_FUNCTIONS(GENERAL_NAMES) - -STACK_OF(CONF_VALUE) *i2v_GENERAL_NAMES(X509V3_EXT_METHOD *method, - GENERAL_NAMES *gen, STACK_OF(CONF_VALUE) *extlist); -GENERAL_NAMES *v2i_GENERAL_NAMES(const X509V3_EXT_METHOD *method, - X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval); - -DECLARE_ASN1_FUNCTIONS(OTHERNAME) -DECLARE_ASN1_FUNCTIONS(EDIPARTYNAME) -int OTHERNAME_cmp(OTHERNAME *a, OTHERNAME *b); -void GENERAL_NAME_set0_value(GENERAL_NAME *a, int type, void *value); -void *GENERAL_NAME_get0_value(GENERAL_NAME *a, int *ptype); -int GENERAL_NAME_set0_othername(GENERAL_NAME *gen, - ASN1_OBJECT *oid, ASN1_TYPE *value); -int GENERAL_NAME_get0_otherName(GENERAL_NAME *gen, - ASN1_OBJECT **poid, ASN1_TYPE **pvalue); - -char *i2s_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method, ASN1_OCTET_STRING *ia5); -ASN1_OCTET_STRING *s2i_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *str); - -DECLARE_ASN1_FUNCTIONS(EXTENDED_KEY_USAGE) -int i2a_ACCESS_DESCRIPTION(BIO *bp, ACCESS_DESCRIPTION* a); - -DECLARE_ASN1_FUNCTIONS(CERTIFICATEPOLICIES) -DECLARE_ASN1_FUNCTIONS(POLICYINFO) -DECLARE_ASN1_FUNCTIONS(POLICYQUALINFO) -DECLARE_ASN1_FUNCTIONS(USERNOTICE) -DECLARE_ASN1_FUNCTIONS(NOTICEREF) - -DECLARE_ASN1_FUNCTIONS(CRL_DIST_POINTS) -DECLARE_ASN1_FUNCTIONS(DIST_POINT) -DECLARE_ASN1_FUNCTIONS(DIST_POINT_NAME) -DECLARE_ASN1_FUNCTIONS(ISSUING_DIST_POINT) - -int DIST_POINT_set_dpname(DIST_POINT_NAME *dpn, X509_NAME *iname); - -int NAME_CONSTRAINTS_check(X509 *x, NAME_CONSTRAINTS *nc); - -DECLARE_ASN1_FUNCTIONS(ACCESS_DESCRIPTION) -DECLARE_ASN1_FUNCTIONS(AUTHORITY_INFO_ACCESS) - -DECLARE_ASN1_ITEM(POLICY_MAPPING) -DECLARE_ASN1_ALLOC_FUNCTIONS(POLICY_MAPPING) -DECLARE_ASN1_ITEM(POLICY_MAPPINGS) - -DECLARE_ASN1_ITEM(GENERAL_SUBTREE) -DECLARE_ASN1_ALLOC_FUNCTIONS(GENERAL_SUBTREE) - -DECLARE_ASN1_ITEM(NAME_CONSTRAINTS) -DECLARE_ASN1_ALLOC_FUNCTIONS(NAME_CONSTRAINTS) - -DECLARE_ASN1_ALLOC_FUNCTIONS(POLICY_CONSTRAINTS) -DECLARE_ASN1_ITEM(POLICY_CONSTRAINTS) - -GENERAL_NAME *a2i_GENERAL_NAME(GENERAL_NAME *out, - const X509V3_EXT_METHOD *method, X509V3_CTX *ctx, - int gen_type, char *value, int is_nc); - -#ifdef HEADER_CONF_H -GENERAL_NAME *v2i_GENERAL_NAME(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx, - CONF_VALUE *cnf); -GENERAL_NAME *v2i_GENERAL_NAME_ex(GENERAL_NAME *out, - const X509V3_EXT_METHOD *method, - X509V3_CTX *ctx, CONF_VALUE *cnf, int is_nc); -void X509V3_conf_free(CONF_VALUE *val); - -X509_EXTENSION *X509V3_EXT_nconf_nid(CONF *conf, X509V3_CTX *ctx, int ext_nid, char *value); -X509_EXTENSION *X509V3_EXT_nconf(CONF *conf, X509V3_CTX *ctx, char *name, char *value); -int X509V3_EXT_add_nconf_sk(CONF *conf, X509V3_CTX *ctx, char *section, STACK_OF(X509_EXTENSION) **sk); -int X509V3_EXT_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section, X509 *cert); -int X509V3_EXT_REQ_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section, X509_REQ *req); -int X509V3_EXT_CRL_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section, X509_CRL *crl); - -X509_EXTENSION *X509V3_EXT_conf_nid(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx, - int ext_nid, char *value); -X509_EXTENSION *X509V3_EXT_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx, - char *name, char *value); -int X509V3_EXT_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx, - char *section, X509 *cert); -int X509V3_EXT_REQ_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx, - char *section, X509_REQ *req); -int X509V3_EXT_CRL_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx, - char *section, X509_CRL *crl); - -int X509V3_add_value_bool_nf(char *name, int asn1_bool, - STACK_OF(CONF_VALUE) **extlist); -int X509V3_get_value_bool(CONF_VALUE *value, int *asn1_bool); -int X509V3_get_value_int(CONF_VALUE *value, ASN1_INTEGER **aint); -void X509V3_set_nconf(X509V3_CTX *ctx, CONF *conf); -void X509V3_set_conf_lhash(X509V3_CTX *ctx, LHASH_OF(CONF_VALUE) *lhash); -#endif - -char * X509V3_get_string(X509V3_CTX *ctx, char *name, char *section); -STACK_OF(CONF_VALUE) * X509V3_get_section(X509V3_CTX *ctx, char *section); -void X509V3_string_free(X509V3_CTX *ctx, char *str); -void X509V3_section_free( X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *section); -void X509V3_set_ctx(X509V3_CTX *ctx, X509 *issuer, X509 *subject, - X509_REQ *req, X509_CRL *crl, int flags); - -int X509V3_add_value(const char *name, const char *value, - STACK_OF(CONF_VALUE) **extlist); -int X509V3_add_value_uchar(const char *name, const unsigned char *value, - STACK_OF(CONF_VALUE) **extlist); -int X509V3_add_value_bool(const char *name, int asn1_bool, - STACK_OF(CONF_VALUE) **extlist); -int X509V3_add_value_int(const char *name, ASN1_INTEGER *aint, - STACK_OF(CONF_VALUE) **extlist); -char * i2s_ASN1_INTEGER(X509V3_EXT_METHOD *meth, ASN1_INTEGER *aint); -ASN1_INTEGER * s2i_ASN1_INTEGER(X509V3_EXT_METHOD *meth, char *value); -char * i2s_ASN1_ENUMERATED(X509V3_EXT_METHOD *meth, ASN1_ENUMERATED *aint); -char * i2s_ASN1_ENUMERATED_TABLE(X509V3_EXT_METHOD *meth, ASN1_ENUMERATED *aint); -int X509V3_EXT_add(X509V3_EXT_METHOD *ext); -int X509V3_EXT_add_list(X509V3_EXT_METHOD *extlist); -int X509V3_EXT_add_alias(int nid_to, int nid_from); -void X509V3_EXT_cleanup(void); - -const X509V3_EXT_METHOD *X509V3_EXT_get(X509_EXTENSION *ext); -const X509V3_EXT_METHOD *X509V3_EXT_get_nid(int nid); -int X509V3_add_standard_extensions(void); -STACK_OF(CONF_VALUE) *X509V3_parse_list(const char *line); -void *X509V3_EXT_d2i(X509_EXTENSION *ext); -void *X509V3_get_d2i(STACK_OF(X509_EXTENSION) *x, int nid, int *crit, int *idx); - - -X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, void *ext_struc); -int X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value, int crit, unsigned long flags); - -char *hex_to_string(const unsigned char *buffer, long len); -unsigned char *string_to_hex(const char *str, long *len); -int name_cmp(const char *name, const char *cmp); - -void X509V3_EXT_val_prn(BIO *out, STACK_OF(CONF_VALUE) *val, int indent, - int ml); -int X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, unsigned long flag, int indent); -int X509V3_EXT_print_fp(FILE *out, X509_EXTENSION *ext, int flag, int indent); - -int X509V3_extensions_print(BIO *out, char *title, STACK_OF(X509_EXTENSION) *exts, unsigned long flag, int indent); - -int X509_check_ca(X509 *x); -int X509_check_purpose(X509 *x, int id, int ca); -int X509_supported_extension(X509_EXTENSION *ex); -int X509_PURPOSE_set(int *p, int purpose); -int X509_check_issued(X509 *issuer, X509 *subject); -int X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid); -int X509_PURPOSE_get_count(void); -X509_PURPOSE * X509_PURPOSE_get0(int idx); -int X509_PURPOSE_get_by_sname(char *sname); -int X509_PURPOSE_get_by_id(int id); -int X509_PURPOSE_add(int id, int trust, int flags, - int (*ck)(const X509_PURPOSE *, const X509 *, int), - char *name, char *sname, void *arg); -char *X509_PURPOSE_get0_name(X509_PURPOSE *xp); -char *X509_PURPOSE_get0_sname(X509_PURPOSE *xp); -int X509_PURPOSE_get_trust(X509_PURPOSE *xp); -void X509_PURPOSE_cleanup(void); -int X509_PURPOSE_get_id(X509_PURPOSE *); - -STACK_OF(OPENSSL_STRING) *X509_get1_email(X509 *x); -STACK_OF(OPENSSL_STRING) *X509_REQ_get1_email(X509_REQ *x); -void X509_email_free(STACK_OF(OPENSSL_STRING) *sk); -STACK_OF(OPENSSL_STRING) *X509_get1_ocsp(X509 *x); - -ASN1_OCTET_STRING *a2i_IPADDRESS(const char *ipasc); -ASN1_OCTET_STRING *a2i_IPADDRESS_NC(const char *ipasc); -int a2i_ipadd(unsigned char *ipout, const char *ipasc); -int X509V3_NAME_from_section(X509_NAME *nm, STACK_OF(CONF_VALUE)*dn_sk, - unsigned long chtype); - -void X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent); -DECLARE_STACK_OF(X509_POLICY_NODE) - -#ifndef OPENSSL_NO_RFC3779 - -typedef struct ASRange_st { - ASN1_INTEGER *min, *max; -} ASRange; - -#define ASIdOrRange_id 0 -#define ASIdOrRange_range 1 - -typedef struct ASIdOrRange_st { - int type; - union { - ASN1_INTEGER *id; - ASRange *range; - } u; -} ASIdOrRange; - -typedef STACK_OF(ASIdOrRange) ASIdOrRanges; -DECLARE_STACK_OF(ASIdOrRange) - -#define ASIdentifierChoice_inherit 0 -#define ASIdentifierChoice_asIdsOrRanges 1 - -typedef struct ASIdentifierChoice_st { - int type; - union { - ASN1_NULL *inherit; - ASIdOrRanges *asIdsOrRanges; - } u; -} ASIdentifierChoice; - -typedef struct ASIdentifiers_st { - ASIdentifierChoice *asnum, *rdi; -} ASIdentifiers; - -DECLARE_ASN1_FUNCTIONS(ASRange) -DECLARE_ASN1_FUNCTIONS(ASIdOrRange) -DECLARE_ASN1_FUNCTIONS(ASIdentifierChoice) -DECLARE_ASN1_FUNCTIONS(ASIdentifiers) - - -typedef struct IPAddressRange_st { - ASN1_BIT_STRING *min, *max; -} IPAddressRange; - -#define IPAddressOrRange_addressPrefix 0 -#define IPAddressOrRange_addressRange 1 - -typedef struct IPAddressOrRange_st { - int type; - union { - ASN1_BIT_STRING *addressPrefix; - IPAddressRange *addressRange; - } u; -} IPAddressOrRange; - -typedef STACK_OF(IPAddressOrRange) IPAddressOrRanges; -DECLARE_STACK_OF(IPAddressOrRange) - -#define IPAddressChoice_inherit 0 -#define IPAddressChoice_addressesOrRanges 1 - -typedef struct IPAddressChoice_st { - int type; - union { - ASN1_NULL *inherit; - IPAddressOrRanges *addressesOrRanges; - } u; -} IPAddressChoice; - -typedef struct IPAddressFamily_st { - ASN1_OCTET_STRING *addressFamily; - IPAddressChoice *ipAddressChoice; -} IPAddressFamily; - -typedef STACK_OF(IPAddressFamily) IPAddrBlocks; -DECLARE_STACK_OF(IPAddressFamily) - -DECLARE_ASN1_FUNCTIONS(IPAddressRange) -DECLARE_ASN1_FUNCTIONS(IPAddressOrRange) -DECLARE_ASN1_FUNCTIONS(IPAddressChoice) -DECLARE_ASN1_FUNCTIONS(IPAddressFamily) - -/* - * API tag for elements of the ASIdentifer SEQUENCE. - */ -#define V3_ASID_ASNUM 0 -#define V3_ASID_RDI 1 - -/* - * AFI values, assigned by IANA. It'd be nice to make the AFI - * handling code totally generic, but there are too many little things - * that would need to be defined for other address families for it to - * be worth the trouble. - */ -#define IANA_AFI_IPV4 1 -#define IANA_AFI_IPV6 2 - -/* - * Utilities to construct and extract values from RFC3779 extensions, - * since some of the encodings (particularly for IP address prefixes - * and ranges) are a bit tedious to work with directly. - */ -int v3_asid_add_inherit(ASIdentifiers *asid, int which); -int v3_asid_add_id_or_range(ASIdentifiers *asid, int which, - ASN1_INTEGER *min, ASN1_INTEGER *max); -int v3_addr_add_inherit(IPAddrBlocks *addr, - const unsigned afi, const unsigned *safi); -int v3_addr_add_prefix(IPAddrBlocks *addr, - const unsigned afi, const unsigned *safi, - unsigned char *a, const int prefixlen); -int v3_addr_add_range(IPAddrBlocks *addr, - const unsigned afi, const unsigned *safi, - unsigned char *min, unsigned char *max); -unsigned v3_addr_get_afi(const IPAddressFamily *f); -int v3_addr_get_range(IPAddressOrRange *aor, const unsigned afi, - unsigned char *min, unsigned char *max, - const int length); - -/* - * Canonical forms. - */ -int v3_asid_is_canonical(ASIdentifiers *asid); -int v3_addr_is_canonical(IPAddrBlocks *addr); -int v3_asid_canonize(ASIdentifiers *asid); -int v3_addr_canonize(IPAddrBlocks *addr); - -/* - * Tests for inheritance and containment. - */ -int v3_asid_inherits(ASIdentifiers *asid); -int v3_addr_inherits(IPAddrBlocks *addr); -int v3_asid_subset(ASIdentifiers *a, ASIdentifiers *b); -int v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b); - -/* - * Check whether RFC 3779 extensions nest properly in chains. - */ -int v3_asid_validate_path(X509_STORE_CTX *); -int v3_addr_validate_path(X509_STORE_CTX *); -int v3_asid_validate_resource_set(STACK_OF(X509) *chain, - ASIdentifiers *ext, - int allow_inheritance); -int v3_addr_validate_resource_set(STACK_OF(X509) *chain, - IPAddrBlocks *ext, - int allow_inheritance); - -#endif /* OPENSSL_NO_RFC3779 */ - -/* BEGIN ERROR CODES */ -/* The following lines are auto generated by the script mkerr.pl. Any changes - * made after this point may be overwritten when the script is next run. - */ -void ERR_load_X509V3_strings(void); - -/* Error codes for the X509V3 functions. */ - -/* Function codes. */ -#define X509V3_F_A2I_GENERAL_NAME 164 -#define X509V3_F_ASIDENTIFIERCHOICE_CANONIZE 161 -#define X509V3_F_ASIDENTIFIERCHOICE_IS_CANONICAL 162 -#define X509V3_F_COPY_EMAIL 122 -#define X509V3_F_COPY_ISSUER 123 -#define X509V3_F_DO_DIRNAME 144 -#define X509V3_F_DO_EXT_CONF 124 -#define X509V3_F_DO_EXT_I2D 135 -#define X509V3_F_DO_EXT_NCONF 151 -#define X509V3_F_DO_I2V_NAME_CONSTRAINTS 148 -#define X509V3_F_GNAMES_FROM_SECTNAME 156 -#define X509V3_F_HEX_TO_STRING 111 -#define X509V3_F_I2S_ASN1_ENUMERATED 121 -#define X509V3_F_I2S_ASN1_IA5STRING 149 -#define X509V3_F_I2S_ASN1_INTEGER 120 -#define X509V3_F_I2V_AUTHORITY_INFO_ACCESS 138 -#define X509V3_F_NOTICE_SECTION 132 -#define X509V3_F_NREF_NOS 133 -#define X509V3_F_POLICY_SECTION 131 -#define X509V3_F_PROCESS_PCI_VALUE 150 -#define X509V3_F_R2I_CERTPOL 130 -#define X509V3_F_R2I_PCI 155 -#define X509V3_F_S2I_ASN1_IA5STRING 100 -#define X509V3_F_S2I_ASN1_INTEGER 108 -#define X509V3_F_S2I_ASN1_OCTET_STRING 112 -#define X509V3_F_S2I_ASN1_SKEY_ID 114 -#define X509V3_F_S2I_SKEY_ID 115 -#define X509V3_F_SET_DIST_POINT_NAME 158 -#define X509V3_F_STRING_TO_HEX 113 -#define X509V3_F_SXNET_ADD_ID_ASC 125 -#define X509V3_F_SXNET_ADD_ID_INTEGER 126 -#define X509V3_F_SXNET_ADD_ID_ULONG 127 -#define X509V3_F_SXNET_GET_ID_ASC 128 -#define X509V3_F_SXNET_GET_ID_ULONG 129 -#define X509V3_F_V2I_ASIDENTIFIERS 163 -#define X509V3_F_V2I_ASN1_BIT_STRING 101 -#define X509V3_F_V2I_AUTHORITY_INFO_ACCESS 139 -#define X509V3_F_V2I_AUTHORITY_KEYID 119 -#define X509V3_F_V2I_BASIC_CONSTRAINTS 102 -#define X509V3_F_V2I_CRLD 134 -#define X509V3_F_V2I_EXTENDED_KEY_USAGE 103 -#define X509V3_F_V2I_GENERAL_NAMES 118 -#define X509V3_F_V2I_GENERAL_NAME_EX 117 -#define X509V3_F_V2I_IDP 157 -#define X509V3_F_V2I_IPADDRBLOCKS 159 -#define X509V3_F_V2I_ISSUER_ALT 153 -#define X509V3_F_V2I_NAME_CONSTRAINTS 147 -#define X509V3_F_V2I_POLICY_CONSTRAINTS 146 -#define X509V3_F_V2I_POLICY_MAPPINGS 145 -#define X509V3_F_V2I_SUBJECT_ALT 154 -#define X509V3_F_V3_ADDR_VALIDATE_PATH_INTERNAL 160 -#define X509V3_F_V3_GENERIC_EXTENSION 116 -#define X509V3_F_X509V3_ADD1_I2D 140 -#define X509V3_F_X509V3_ADD_VALUE 105 -#define X509V3_F_X509V3_EXT_ADD 104 -#define X509V3_F_X509V3_EXT_ADD_ALIAS 106 -#define X509V3_F_X509V3_EXT_CONF 107 -#define X509V3_F_X509V3_EXT_I2D 136 -#define X509V3_F_X509V3_EXT_NCONF 152 -#define X509V3_F_X509V3_GET_SECTION 142 -#define X509V3_F_X509V3_GET_STRING 143 -#define X509V3_F_X509V3_GET_VALUE_BOOL 110 -#define X509V3_F_X509V3_PARSE_LIST 109 -#define X509V3_F_X509_PURPOSE_ADD 137 -#define X509V3_F_X509_PURPOSE_SET 141 - -/* Reason codes. */ -#define X509V3_R_BAD_IP_ADDRESS 118 -#define X509V3_R_BAD_OBJECT 119 -#define X509V3_R_BN_DEC2BN_ERROR 100 -#define X509V3_R_BN_TO_ASN1_INTEGER_ERROR 101 -#define X509V3_R_DIRNAME_ERROR 149 -#define X509V3_R_DISTPOINT_ALREADY_SET 160 -#define X509V3_R_DUPLICATE_ZONE_ID 133 -#define X509V3_R_ERROR_CONVERTING_ZONE 131 -#define X509V3_R_ERROR_CREATING_EXTENSION 144 -#define X509V3_R_ERROR_IN_EXTENSION 128 -#define X509V3_R_EXPECTED_A_SECTION_NAME 137 -#define X509V3_R_EXTENSION_EXISTS 145 -#define X509V3_R_EXTENSION_NAME_ERROR 115 -#define X509V3_R_EXTENSION_NOT_FOUND 102 -#define X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED 103 -#define X509V3_R_EXTENSION_VALUE_ERROR 116 -#define X509V3_R_ILLEGAL_EMPTY_EXTENSION 151 -#define X509V3_R_ILLEGAL_HEX_DIGIT 113 -#define X509V3_R_INCORRECT_POLICY_SYNTAX_TAG 152 -#define X509V3_R_INVALID_MULTIPLE_RDNS 161 -#define X509V3_R_INVALID_ASNUMBER 162 -#define X509V3_R_INVALID_ASRANGE 163 -#define X509V3_R_INVALID_BOOLEAN_STRING 104 -#define X509V3_R_INVALID_EXTENSION_STRING 105 -#define X509V3_R_INVALID_INHERITANCE 165 -#define X509V3_R_INVALID_IPADDRESS 166 -#define X509V3_R_INVALID_NAME 106 -#define X509V3_R_INVALID_NULL_ARGUMENT 107 -#define X509V3_R_INVALID_NULL_NAME 108 -#define X509V3_R_INVALID_NULL_VALUE 109 -#define X509V3_R_INVALID_NUMBER 140 -#define X509V3_R_INVALID_NUMBERS 141 -#define X509V3_R_INVALID_OBJECT_IDENTIFIER 110 -#define X509V3_R_INVALID_OPTION 138 -#define X509V3_R_INVALID_POLICY_IDENTIFIER 134 -#define X509V3_R_INVALID_PROXY_POLICY_SETTING 153 -#define X509V3_R_INVALID_PURPOSE 146 -#define X509V3_R_INVALID_SAFI 164 -#define X509V3_R_INVALID_SECTION 135 -#define X509V3_R_INVALID_SYNTAX 143 -#define X509V3_R_ISSUER_DECODE_ERROR 126 -#define X509V3_R_MISSING_VALUE 124 -#define X509V3_R_NEED_ORGANIZATION_AND_NUMBERS 142 -#define X509V3_R_NO_CONFIG_DATABASE 136 -#define X509V3_R_NO_ISSUER_CERTIFICATE 121 -#define X509V3_R_NO_ISSUER_DETAILS 127 -#define X509V3_R_NO_POLICY_IDENTIFIER 139 -#define X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED 154 -#define X509V3_R_NO_PUBLIC_KEY 114 -#define X509V3_R_NO_SUBJECT_DETAILS 125 -#define X509V3_R_ODD_NUMBER_OF_DIGITS 112 -#define X509V3_R_OPERATION_NOT_DEFINED 148 -#define X509V3_R_OTHERNAME_ERROR 147 -#define X509V3_R_POLICY_LANGUAGE_ALREADY_DEFINED 155 -#define X509V3_R_POLICY_PATH_LENGTH 156 -#define X509V3_R_POLICY_PATH_LENGTH_ALREADY_DEFINED 157 -#define X509V3_R_POLICY_SYNTAX_NOT_CURRENTLY_SUPPORTED 158 -#define X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY 159 -#define X509V3_R_SECTION_NOT_FOUND 150 -#define X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS 122 -#define X509V3_R_UNABLE_TO_GET_ISSUER_KEYID 123 -#define X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT 111 -#define X509V3_R_UNKNOWN_EXTENSION 129 -#define X509V3_R_UNKNOWN_EXTENSION_NAME 130 -#define X509V3_R_UNKNOWN_OPTION 120 -#define X509V3_R_UNSUPPORTED_OPTION 117 -#define X509V3_R_UNSUPPORTED_TYPE 167 -#define X509V3_R_USER_TOO_LONG 132 - -#ifdef __cplusplus -} -#endif -#endif |