/*
- * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2018 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
#include <openssl/x509v3.h>
#include <openssl/x509_vfy.h>
#include "internal/x509_int.h"
+#include "internal/tsan_assist.h"
static void x509v3_cache_extensions(X509 *x);
{
int idx;
const X509_PURPOSE *pt;
- if (!(x->ex_flags & EXFLAG_SET)) {
- CRYPTO_THREAD_write_lock(x->lock);
- x509v3_cache_extensions(x);
- CRYPTO_THREAD_unlock(x->lock);
- }
+
+ x509v3_cache_extensions(x);
+
/* Return if side-effect only call */
if (id == -1)
return 1;
{
X509_PURPOSE tmp;
int idx;
+
if ((purpose >= X509_PURPOSE_MIN) && (purpose <= X509_PURPOSE_MAX))
return purpose - X509_PURPOSE_MIN;
- tmp.purpose = purpose;
- if (!xptable)
+ if (xptable == NULL)
return -1;
+ tmp.purpose = purpose;
idx = sk_X509_PURPOSE_find(xptable, &tmp);
- if (idx == -1)
+ if (idx < 0)
return -1;
return idx + X509_PURPOSE_COUNT;
}
void X509_PURPOSE_cleanup(void)
{
- unsigned int i;
sk_X509_PURPOSE_pop_free(xptable, xptable_free);
- for (i = 0; i < X509_PURPOSE_COUNT; i++)
- xptable_free(xstandard + i);
xptable = NULL;
}
NID_subject_alt_name, /* 85 */
NID_basic_constraints, /* 87 */
NID_certificate_policies, /* 89 */
+ NID_crl_distribution_points, /* 103 */
NID_ext_key_usage, /* 126 */
#ifndef OPENSSL_NO_RFC3779
NID_sbgp_ipAddrBlock, /* 290 */
ASN1_BIT_STRING *ns;
EXTENDED_KEY_USAGE *extusage;
X509_EXTENSION *ex;
-
int i;
- if (x->ex_flags & EXFLAG_SET)
+
+ /* fast lock-free check, see end of the function for details. */
+ if (tsan_load((TSAN_QUALIFIER int *)&x->ex_cached))
+ return;
+
+ CRYPTO_THREAD_write_lock(x->lock);
+ if (x->ex_flags & EXFLAG_SET) {
+ CRYPTO_THREAD_unlock(x->lock);
return;
+ }
+
X509_digest(x, EVP_sha1(), x->sha1_hash, NULL);
/* V1 should mean no extensions ... */
if (!X509_get_version(x))
break;
}
}
+ x509_init_sig_info(x);
x->ex_flags |= EXFLAG_SET;
+ CRYPTO_THREAD_unlock(x->lock);
+ /*
+ * It has to be placed after memory barrier, which is implied by unlock.
+ * Worst thing that can happen is that another thread proceeds to lock
+ * and checks x->ex_flags & EXFLAGS_SET. See beginning of the function.
+ */
+ tsan_store((TSAN_QUALIFIER int *)&x->ex_cached, 1);
}
/*-
}
}
+void X509_set_proxy_flag(X509 *x)
+{
+ x->ex_flags |= EXFLAG_PROXY;
+}
+
+void X509_set_proxy_pathlen(X509 *x, long l)
+{
+ x->ex_pcpathlen = l;
+}
+
int X509_check_ca(X509 *x)
{
- if (!(x->ex_flags & EXFLAG_SET)) {
- CRYPTO_THREAD_write_lock(x->lock);
- x509v3_cache_extensions(x);
- CRYPTO_THREAD_unlock(x->lock);
- }
+ x509v3_cache_extensions(x);
return check_ca(x);
}
return 0;
/* Extended Key Usage MUST be critical */
- i_ext = X509_get_ext_by_NID((X509 *)x, NID_ext_key_usage, -1);
+ i_ext = X509_get_ext_by_NID(x, NID_ext_key_usage, -1);
if (i_ext >= 0) {
X509_EXTENSION *ext = X509_get_ext((X509 *)x, i_ext);
if (!X509_EXTENSION_get_critical(ext))
if (X509_NAME_cmp(X509_get_subject_name(issuer),
X509_get_issuer_name(subject)))
return X509_V_ERR_SUBJECT_ISSUER_MISMATCH;
+
x509v3_cache_extensions(issuer);
x509v3_cache_extensions(subject);
return x->skid;
}
+const ASN1_OCTET_STRING *X509_get0_authority_key_id(X509 *x)
+{
+ /* Call for side-effect of computing hash and caching extensions */
+ X509_check_purpose(x, -1, -1);
+ return (x->akid != NULL ? x->akid->keyid : NULL);
+}
+
long X509_get_pathlen(X509 *x)
{
/* Called for side effect of caching extensions */
return -1;
return x->ex_pathlen;
}
+
+long X509_get_proxy_pathlen(X509 *x)
+{
+ /* Called for side effect of caching extensions */
+ if (X509_check_purpose(x, -1, -1) != 1
+ || (x->ex_flags & EXFLAG_PROXY) == 0)
+ return -1;
+ return x->ex_pcpathlen;
+}