X-Git-Url: https://git.librecmc.org/?a=blobdiff_plain;f=crypto%2Fx509v3%2Fv3_purp.c;h=4b986dfc5d6163158e6d5d8a42bb3e011d1e48e1;hb=057c8a2b9e24b91d4e98b38bf1c91f232f065637;hp=2161b6f1d89c84f8945566fc83e382df14e12564;hpb=10ca15f3fa50726a838fc8a61026dea2c303d218;p=oweals%2Fopenssl.git diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c index 2161b6f1d8..4b986dfc5d 100644 --- a/crypto/x509v3/v3_purp.c +++ b/crypto/x509v3/v3_purp.c @@ -1,5 +1,5 @@ /* v3_purp.c */ -/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2001. */ /* ==================================================================== @@ -267,11 +267,14 @@ int X509_PURPOSE_get_trust(X509_PURPOSE *xp) return xp->trust; } -static int nid_cmp(int *a, int *b) +static int nid_cmp(const int *a, const int *b) { return *a - *b; } +DECLARE_OBJ_BSEARCH_CMP_FN(int, int, nid); +IMPLEMENT_OBJ_BSEARCH_CMP_FN(int, int, nid); + int X509_supported_extension(X509_EXTENSION *ex) { /* This table is a list of the NIDs of supported extensions: @@ -282,7 +285,7 @@ int X509_supported_extension(X509_EXTENSION *ex) * searched using bsearch. */ - static int supported_nids[] = { + static const int supported_nids[] = { NID_netscape_cert_type, /* 71 */ NID_key_usage, /* 83 */ NID_subject_alt_name, /* 85 */ @@ -293,23 +296,63 @@ int X509_supported_extension(X509_EXTENSION *ex) NID_sbgp_ipAddrBlock, /* 290 */ NID_sbgp_autonomousSysNum, /* 291 */ #endif - NID_proxyCertInfo /* 661 */ + NID_policy_constraints, /* 401 */ + NID_proxyCertInfo, /* 663 */ + NID_name_constraints, /* 666 */ + NID_policy_mappings, /* 747 */ + NID_inhibit_any_policy /* 748 */ }; - int ex_nid; - - ex_nid = OBJ_obj2nid(X509_EXTENSION_get_object(ex)); + int ex_nid = OBJ_obj2nid(X509_EXTENSION_get_object(ex)); if (ex_nid == NID_undef) return 0; - if (OBJ_bsearch((char *)&ex_nid, (char *)supported_nids, - sizeof(supported_nids)/sizeof(int), sizeof(int), - (int (*)(const void *, const void *))nid_cmp)) + if (OBJ_bsearch_nid(&ex_nid, supported_nids, + sizeof(supported_nids)/sizeof(int))) return 1; return 0; } - + +static void setup_dp(X509 *x, DIST_POINT *dp) + { + X509_NAME *iname = NULL; + int i; + if (dp->reasons) + { + if (dp->reasons->length > 0) + dp->dp_reasons = dp->reasons->data[0]; + if (dp->reasons->length > 1) + dp->dp_reasons |= (dp->reasons->data[1] << 8); + dp->dp_reasons &= CRLDP_ALL_REASONS; + } + else + dp->dp_reasons = CRLDP_ALL_REASONS; + if (!dp->distpoint || (dp->distpoint->type != 1)) + return; + for (i = 0; i < sk_GENERAL_NAME_num(dp->CRLissuer); i++) + { + GENERAL_NAME *gen = sk_GENERAL_NAME_value(dp->CRLissuer, i); + if (gen->type == GEN_DIRNAME) + { + iname = gen->d.directoryName; + break; + } + } + if (!iname) + iname = X509_get_issuer_name(x); + + DIST_POINT_set_dpname(dp->distpoint, iname); + + } + +static void setup_crldp(X509 *x) + { + int i; + x->crldp = X509_get_ext_d2i(x, NID_crl_distribution_points, NULL, NULL); + for (i = 0; i < sk_DIST_POINT_num(x->crldp); i++) + setup_dp(x, sk_DIST_POINT_value(x->crldp, i)); + } static void x509v3_cache_extensions(X509 *x) { @@ -325,9 +368,6 @@ static void x509v3_cache_extensions(X509 *x) #ifndef OPENSSL_NO_SHA X509_digest(x, EVP_sha1(), x->sha1_hash, NULL); #endif - /* Does subject name match issuer ? */ - if(!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x))) - x->ex_flags |= EXFLAG_SS; /* V1 should mean no extensions ... */ if(!X509_get_version(x)) x->ex_flags |= EXFLAG_V1; /* Handle basic constraints */ @@ -404,6 +444,10 @@ static void x509v3_cache_extensions(X509 *x) case NID_dvcs: x->ex_xkusage |= XKU_DVCS; break; + + case NID_anyExtendedKeyUsage: + x->ex_xkusage |= XKU_ANYEKU; + break; } } sk_ASN1_OBJECT_pop_free(extusage, ASN1_OBJECT_free); @@ -417,7 +461,20 @@ static void x509v3_cache_extensions(X509 *x) } x->skid =X509_get_ext_d2i(x, NID_subject_key_identifier, NULL, NULL); x->akid =X509_get_ext_d2i(x, NID_authority_key_identifier, NULL, NULL); - x->crldp = X509_get_ext_d2i(x, NID_crl_distribution_points, NULL, NULL); + /* Does subject name match issuer ? */ + if(!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x))) + { + x->ex_flags |= EXFLAG_SI; + /* If SKID matches AKID also indicate self signed */ + if (X509_check_akid(x, x->akid) == X509_V_OK) + x->ex_flags |= EXFLAG_SS; + } + x->altname = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL); + x->nc = X509_get_ext_d2i(x, NID_name_constraints, &i, NULL); + if (!x->nc && (i != -1)) + x->ex_flags |= EXFLAG_INVALID; + setup_crldp(x); + #ifndef OPENSSL_NO_RFC3779 x->rfc3779_addr =X509_get_ext_d2i(x, NID_sbgp_ipAddrBlock, NULL, NULL); x->rfc3779_asid =X509_get_ext_d2i(x, NID_sbgp_autonomousSysNum, @@ -428,6 +485,9 @@ static void x509v3_cache_extensions(X509 *x) ex = X509_get_ext(x, i); if (!X509_EXTENSION_get_critical(ex)) continue; + if (OBJ_obj2nid(X509_EXTENSION_get_object(ex)) + == NID_freshest_crl) + x->ex_flags |= EXFLAG_FRESHEST; if (!X509_supported_extension(ex)) { x->ex_flags |= EXFLAG_CRITICAL; @@ -502,12 +562,18 @@ static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, int c { if(xku_reject(x,XKU_SSL_CLIENT)) return 0; if(ca) return check_ssl_ca(x); - /* We need to do digital signatures with it */ - if(ku_reject(x,KU_DIGITAL_SIGNATURE)) return 0; + /* We need to do digital signatures or key agreement */ + if(ku_reject(x,KU_DIGITAL_SIGNATURE|KU_KEY_AGREEMENT)) return 0; /* nsCertType if present should allow SSL client use */ if(ns_reject(x, NS_SSL_CLIENT)) return 0; return 1; } +/* Key usage needed for TLS/SSL server: digital signature, encipherment or + * key agreement. The ssl code can check this more thoroughly for individual + * key types. + */ +#define KU_TLS \ + KU_DIGITAL_SIGNATURE|KU_KEY_ENCIPHERMENT|KU_KEY_AGREEMENT static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca) { @@ -515,8 +581,7 @@ static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x, int c if(ca) return check_ssl_ca(x); if(ns_reject(x, NS_SSL_SERVER)) return 0; - /* Now as for keyUsage: we'll at least need to sign OR encipher */ - if(ku_reject(x, KU_DIGITAL_SIGNATURE|KU_KEY_ENCIPHERMENT)) return 0; + if(ku_reject(x, KU_TLS)) return 0; return 1;