--- /dev/null
+/* vpm_int.h */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project 2013.
+ */
+/* ====================================================================
+ * Copyright (c) 2013 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com). This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* internal only structure to hold additional X509_VERIFY_PARAM data */
+
+struct X509_VERIFY_PARAM_ID_st
+ {
+ unsigned char *host; /* If not NULL hostname to match */
+ size_t hostlen;
+ unsigned char *email; /* If not NULL email address to match */
+ size_t emaillen;
+ unsigned char *ip; /* If not NULL IP address to match */
+ size_t iplen; /* Length of IP address */
+ };
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include <openssl/objects.h>
+#include "vpm_int.h"
/* CRL score values */
static int check_id(X509_STORE_CTX *ctx)
{
X509_VERIFY_PARAM *vpm = ctx->param;
+ X509_VERIFY_PARAM_ID *id = vpm->id;
X509 *x = ctx->cert;
- if (vpm->host && !X509_check_host(x, vpm->host, vpm->hostlen, 0))
+ if (id->host && !X509_check_host(x, id->host, id->hostlen, 0))
{
if (!check_id_error(ctx, X509_V_ERR_HOSTNAME_MISMATCH))
return 0;
}
- if (vpm->email && !X509_check_email(x, vpm->email, vpm->emaillen, 0))
+ if (id->email && !X509_check_email(x, id->email, id->emaillen, 0))
{
if (!check_id_error(ctx, X509_V_ERR_EMAIL_MISMATCH))
return 0;
}
- if (vpm->ip && !X509_check_ip(x, vpm->ip, vpm->iplen, 0))
+ if (id->ip && !X509_check_ip(x, id->ip, id->iplen, 0))
{
if (!check_id_error(ctx, X509_V_ERR_IP_ADDRESS_MISMATCH))
return 0;
#include <openssl/x509.h>
#include <openssl/x509v3.h>
+#include "vpm_int.h"
+
/* X509_VERIFY_PARAM functions */
static void x509_verify_param_zero(X509_VERIFY_PARAM *param)
{
+ X509_VERIFY_PARAM_ID *paramid;
if (!param)
return;
param->name = NULL;
sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free);
param->policies = NULL;
}
- if (param->host)
+ paramid = param->id;
+ if (paramid->host)
{
- OPENSSL_free(param->host);
- param->host = NULL;
- param->hostlen = 0;
+ OPENSSL_free(paramid->host);
+ paramid->host = NULL;
+ paramid->hostlen = 0;
}
- if (param->email)
+ if (paramid->email)
{
- OPENSSL_free(param->email);
- param->email = NULL;
- param->emaillen = 0;
+ OPENSSL_free(paramid->email);
+ paramid->email = NULL;
+ paramid->emaillen = 0;
}
- if (param->ip)
+ if (paramid->ip)
{
- OPENSSL_free(param->ip);
- param->ip = NULL;
- param->iplen = 0;
+ OPENSSL_free(paramid->ip);
+ paramid->ip = NULL;
+ paramid->iplen = 0;
}
+
}
X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void)
{
X509_VERIFY_PARAM *param;
+ X509_VERIFY_PARAM_ID *paramid;
param = OPENSSL_malloc(sizeof(X509_VERIFY_PARAM));
+ if (!param)
+ return NULL;
+ paramid = OPENSSL_malloc(sizeof(X509_VERIFY_PARAM));
+ if (!paramid)
+ {
+ OPENSSL_free(param);
+ return NULL;
+ }
memset(param, 0, sizeof(X509_VERIFY_PARAM));
+ memset(paramid, 0, sizeof(X509_VERIFY_PARAM_ID));
+ param->id = paramid;
x509_verify_param_zero(param);
return param;
}
void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param)
{
x509_verify_param_zero(param);
+ OPENSSL_free(param->id);
OPENSSL_free(param);
}
(to_overwrite || \
((src->field != def) && (to_default || (dest->field == def))))
+/* As above but for ID fields */
+
+#define test_x509_verify_param_copy_id(idf, def) \
+ test_x509_verify_param_copy(id->idf, def)
+
/* Macro to test and copy a field if necessary */
#define x509_verify_param_copy(field, def) \
if (test_x509_verify_param_copy(field, def)) \
dest->field = src->field
-
+
int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest,
const X509_VERIFY_PARAM *src)
{
unsigned long inh_flags;
int to_default, to_overwrite;
+ X509_VERIFY_PARAM_ID *id;
if (!src)
return 1;
+ id = src->id;
inh_flags = dest->inh_flags | src->inh_flags;
if (inh_flags & X509_VP_FLAG_ONCE)
return 0;
}
- if (test_x509_verify_param_copy(host, NULL))
+ if (test_x509_verify_param_copy_id(host, NULL))
{
- if (!X509_VERIFY_PARAM_set1_host(dest, src->host, src->hostlen))
+ if (!X509_VERIFY_PARAM_set1_host(dest, id->host, id->hostlen))
return 0;
}
- if (test_x509_verify_param_copy(email, NULL))
+ if (test_x509_verify_param_copy_id(email, NULL))
{
- if (!X509_VERIFY_PARAM_set1_email(dest, src->email, src->emaillen))
+ if (!X509_VERIFY_PARAM_set1_email(dest, id->email, id->emaillen))
return 0;
}
- if (test_x509_verify_param_copy(ip, NULL))
+ if (test_x509_verify_param_copy_id(ip, NULL))
{
- if (!X509_VERIFY_PARAM_set1_ip(dest, src->ip, src->iplen))
+ if (!X509_VERIFY_PARAM_set1_ip(dest, id->ip, id->iplen))
return 0;
}
int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param,
const unsigned char *name, size_t namelen)
{
- return int_x509_param_set1(¶m->host, ¶m->hostlen,
+ return int_x509_param_set1(¶m->id->host, ¶m->id->hostlen,
name, namelen);
}
int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *param,
const unsigned char *email, size_t emaillen)
{
- return int_x509_param_set1(¶m->email, ¶m->emaillen,
+ return int_x509_param_set1(¶m->id->email, ¶m->id->emaillen,
email, emaillen);
}
{
if (iplen != 0 && iplen != 4 && iplen != 16)
return 0;
- return int_x509_param_set1(¶m->ip, ¶m->iplen, ip, iplen);
+ return int_x509_param_set1(¶m->id->ip, ¶m->id->iplen, ip, iplen);
}
int X509_VERIFY_PARAM_set1_ip_asc(X509_VERIFY_PARAM *param, const char *ipasc)
return param->depth;
}
+static X509_VERIFY_PARAM_ID _empty_id = {NULL, 0, NULL, 0, NULL, 0};
+
+#define vpm_empty_id (X509_VERIFY_PARAM_ID *)&_empty_id
+
/* Default verify parameters: these are used for various
* applications and can be overridden by the user specified table.
* NB: the 'name' field *must* be in alphabetical order because it
0, /* purpose */
0, /* trust */
100, /* depth */
- NULL /* policies */
+ NULL, /* policies */
+ vpm_empty_id
},
{
"pkcs7", /* S/MIME sign parameters */
X509_PURPOSE_SMIME_SIGN, /* purpose */
X509_TRUST_EMAIL, /* trust */
-1, /* depth */
- NULL /* policies */
+ NULL, /* policies */
+ vpm_empty_id
},
{
"smime_sign", /* S/MIME sign parameters */
X509_PURPOSE_SMIME_SIGN, /* purpose */
X509_TRUST_EMAIL, /* trust */
-1, /* depth */
- NULL /* policies */
+ NULL, /* policies */
+ vpm_empty_id
},
{
"ssl_client", /* SSL/TLS client parameters */
X509_PURPOSE_SSL_CLIENT, /* purpose */
X509_TRUST_SSL_CLIENT, /* trust */
-1, /* depth */
- NULL /* policies */
+ NULL, /* policies */
+ vpm_empty_id
},
{
"ssl_server", /* SSL/TLS server parameters */
X509_PURPOSE_SSL_SERVER, /* purpose */
X509_TRUST_SSL_SERVER, /* trust */
-1, /* depth */
- NULL /* policies */
+ NULL, /* policies */
+ vpm_empty_id
}};
static STACK_OF(X509_VERIFY_PARAM) *param_table = NULL;
projects / oweals / openssl.git / commitdiff