From adc6bd73e3bd10ce6e76867482e8d137071298d7 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Wed, 11 Dec 2013 14:28:57 +0000 Subject: [PATCH] Add opaque ID structure. Move the IP, email and host checking fields from the public X509_VERIFY_PARAM structure into an opaque X509_VERIFY_PARAM_ID structure. By doing this the structure can be modified in future without risk of breaking any applications. --- crypto/x509/Makefile | 2 +- crypto/x509/vpm_int.h | 69 +++++++++++++++++++++++++++++++++ crypto/x509/x509_vfy.c | 8 ++-- crypto/x509/x509_vfy.h | 9 ++--- crypto/x509/x509_vpm.c | 87 +++++++++++++++++++++++++++++------------- 5 files changed, 138 insertions(+), 37 deletions(-) create mode 100644 crypto/x509/vpm_int.h diff --git a/crypto/x509/Makefile b/crypto/x509/Makefile index 5a61238830..1cbb9a85d2 100644 --- a/crypto/x509/Makefile +++ b/crypto/x509/Makefile @@ -33,7 +33,7 @@ LIBOBJ= x509_def.o x509_d2.o x509_r2x.o x509_cmp.o \ SRC= $(LIBSRC) EXHEADER= x509.h x509_vfy.h -HEADER= $(EXHEADER) +HEADER= $(EXHEADER) vpm_int.h ALL= $(GENERAL) $(SRC) $(HEADER) diff --git a/crypto/x509/vpm_int.h b/crypto/x509/vpm_int.h new file mode 100644 index 0000000000..af998212a1 --- /dev/null +++ b/crypto/x509/vpm_int.h @@ -0,0 +1,69 @@ +/* vpm_int.h */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL + * project 2013. + */ +/* ==================================================================== + * Copyright (c) 2013 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ + +/* internal only structure to hold additional X509_VERIFY_PARAM data */ + +struct X509_VERIFY_PARAM_ID_st + { + unsigned char *host; /* If not NULL hostname to match */ + size_t hostlen; + unsigned char *email; /* If not NULL email address to match */ + size_t emaillen; + unsigned char *ip; /* If not NULL IP address to match */ + size_t iplen; /* Length of IP address */ + }; diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index 15dd25fce5..677d9579d5 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -69,6 +69,7 @@ #include #include #include +#include "vpm_int.h" /* CRL score values */ @@ -708,18 +709,19 @@ static int check_id_error(X509_STORE_CTX *ctx, int errcode) static int check_id(X509_STORE_CTX *ctx) { X509_VERIFY_PARAM *vpm = ctx->param; + X509_VERIFY_PARAM_ID *id = vpm->id; X509 *x = ctx->cert; - if (vpm->host && !X509_check_host(x, vpm->host, vpm->hostlen, 0)) + if (id->host && !X509_check_host(x, id->host, id->hostlen, 0)) { if (!check_id_error(ctx, X509_V_ERR_HOSTNAME_MISMATCH)) return 0; } - if (vpm->email && !X509_check_email(x, vpm->email, vpm->emaillen, 0)) + if (id->email && !X509_check_email(x, id->email, id->emaillen, 0)) { if (!check_id_error(ctx, X509_V_ERR_EMAIL_MISMATCH)) return 0; } - if (vpm->ip && !X509_check_ip(x, vpm->ip, vpm->iplen, 0)) + if (id->ip && !X509_check_ip(x, id->ip, id->iplen, 0)) { if (!check_id_error(ctx, X509_V_ERR_IP_ADDRESS_MISMATCH)) return 0; diff --git a/crypto/x509/x509_vfy.h b/crypto/x509/x509_vfy.h index 6ba9846489..ce7681a9b5 100644 --- a/crypto/x509/x509_vfy.h +++ b/crypto/x509/x509_vfy.h @@ -158,6 +158,8 @@ typedef struct x509_lookup_method_st X509_OBJECT *ret); } X509_LOOKUP_METHOD; +typedef struct X509_VERIFY_PARAM_ID_st X509_VERIFY_PARAM_ID; + /* This structure hold all parameters associated with a verify operation * by including an X509_VERIFY_PARAM structure in related structures the * parameters used can be customized @@ -173,12 +175,7 @@ typedef struct X509_VERIFY_PARAM_st int trust; /* trust setting to check */ int depth; /* Verify depth */ STACK_OF(ASN1_OBJECT) *policies; /* Permissible policies */ - unsigned char *host; /* If not NULL hostname to match */ - size_t hostlen; - unsigned char *email; /* If not NULL email address to match */ - size_t emaillen; - unsigned char *ip; /* If not NULL IP address to match */ - size_t iplen; /* Length of IP address */ + X509_VERIFY_PARAM_ID *id; /* opaque ID data */ } X509_VERIFY_PARAM; DECLARE_STACK_OF(X509_VERIFY_PARAM) diff --git a/crypto/x509/x509_vpm.c b/crypto/x509/x509_vpm.c index 7b3246f477..754fd34679 100644 --- a/crypto/x509/x509_vpm.c +++ b/crypto/x509/x509_vpm.c @@ -65,10 +65,13 @@ #include #include +#include "vpm_int.h" + /* X509_VERIFY_PARAM functions */ static void x509_verify_param_zero(X509_VERIFY_PARAM *param) { + X509_VERIFY_PARAM_ID *paramid; if (!param) return; param->name = NULL; @@ -83,31 +86,44 @@ static void x509_verify_param_zero(X509_VERIFY_PARAM *param) sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free); param->policies = NULL; } - if (param->host) + paramid = param->id; + if (paramid->host) { - OPENSSL_free(param->host); - param->host = NULL; - param->hostlen = 0; + OPENSSL_free(paramid->host); + paramid->host = NULL; + paramid->hostlen = 0; } - if (param->email) + if (paramid->email) { - OPENSSL_free(param->email); - param->email = NULL; - param->emaillen = 0; + OPENSSL_free(paramid->email); + paramid->email = NULL; + paramid->emaillen = 0; } - if (param->ip) + if (paramid->ip) { - OPENSSL_free(param->ip); - param->ip = NULL; - param->iplen = 0; + OPENSSL_free(paramid->ip); + paramid->ip = NULL; + paramid->iplen = 0; } + } X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void) { X509_VERIFY_PARAM *param; + X509_VERIFY_PARAM_ID *paramid; param = OPENSSL_malloc(sizeof(X509_VERIFY_PARAM)); + if (!param) + return NULL; + paramid = OPENSSL_malloc(sizeof(X509_VERIFY_PARAM)); + if (!paramid) + { + OPENSSL_free(param); + return NULL; + } memset(param, 0, sizeof(X509_VERIFY_PARAM)); + memset(paramid, 0, sizeof(X509_VERIFY_PARAM_ID)); + param->id = paramid; x509_verify_param_zero(param); return param; } @@ -115,6 +131,7 @@ X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void) void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param) { x509_verify_param_zero(param); + OPENSSL_free(param->id); OPENSSL_free(param); } @@ -155,20 +172,27 @@ void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param) (to_overwrite || \ ((src->field != def) && (to_default || (dest->field == def)))) +/* As above but for ID fields */ + +#define test_x509_verify_param_copy_id(idf, def) \ + test_x509_verify_param_copy(id->idf, def) + /* Macro to test and copy a field if necessary */ #define x509_verify_param_copy(field, def) \ if (test_x509_verify_param_copy(field, def)) \ dest->field = src->field - + int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest, const X509_VERIFY_PARAM *src) { unsigned long inh_flags; int to_default, to_overwrite; + X509_VERIFY_PARAM_ID *id; if (!src) return 1; + id = src->id; inh_flags = dest->inh_flags | src->inh_flags; if (inh_flags & X509_VP_FLAG_ONCE) @@ -211,21 +235,21 @@ int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest, return 0; } - if (test_x509_verify_param_copy(host, NULL)) + if (test_x509_verify_param_copy_id(host, NULL)) { - if (!X509_VERIFY_PARAM_set1_host(dest, src->host, src->hostlen)) + if (!X509_VERIFY_PARAM_set1_host(dest, id->host, id->hostlen)) return 0; } - if (test_x509_verify_param_copy(email, NULL)) + if (test_x509_verify_param_copy_id(email, NULL)) { - if (!X509_VERIFY_PARAM_set1_email(dest, src->email, src->emaillen)) + if (!X509_VERIFY_PARAM_set1_email(dest, id->email, id->emaillen)) return 0; } - if (test_x509_verify_param_copy(ip, NULL)) + if (test_x509_verify_param_copy_id(ip, NULL)) { - if (!X509_VERIFY_PARAM_set1_ip(dest, src->ip, src->iplen)) + if (!X509_VERIFY_PARAM_set1_ip(dest, id->ip, id->iplen)) return 0; } @@ -374,14 +398,14 @@ int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param, int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param, const unsigned char *name, size_t namelen) { - return int_x509_param_set1(¶m->host, ¶m->hostlen, + return int_x509_param_set1(¶m->id->host, ¶m->id->hostlen, name, namelen); } int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *param, const unsigned char *email, size_t emaillen) { - return int_x509_param_set1(¶m->email, ¶m->emaillen, + return int_x509_param_set1(¶m->id->email, ¶m->id->emaillen, email, emaillen); } @@ -390,7 +414,7 @@ int X509_VERIFY_PARAM_set1_ip(X509_VERIFY_PARAM *param, { if (iplen != 0 && iplen != 4 && iplen != 16) return 0; - return int_x509_param_set1(¶m->ip, ¶m->iplen, ip, iplen); + return int_x509_param_set1(¶m->id->ip, ¶m->id->iplen, ip, iplen); } int X509_VERIFY_PARAM_set1_ip_asc(X509_VERIFY_PARAM *param, const char *ipasc) @@ -408,6 +432,10 @@ int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param) return param->depth; } +static X509_VERIFY_PARAM_ID _empty_id = {NULL, 0, NULL, 0, NULL, 0}; + +#define vpm_empty_id (X509_VERIFY_PARAM_ID *)&_empty_id + /* Default verify parameters: these are used for various * applications and can be overridden by the user specified table. * NB: the 'name' field *must* be in alphabetical order because it @@ -423,7 +451,8 @@ static const X509_VERIFY_PARAM default_table[] = { 0, /* purpose */ 0, /* trust */ 100, /* depth */ - NULL /* policies */ + NULL, /* policies */ + vpm_empty_id }, { "pkcs7", /* S/MIME sign parameters */ @@ -433,7 +462,8 @@ static const X509_VERIFY_PARAM default_table[] = { X509_PURPOSE_SMIME_SIGN, /* purpose */ X509_TRUST_EMAIL, /* trust */ -1, /* depth */ - NULL /* policies */ + NULL, /* policies */ + vpm_empty_id }, { "smime_sign", /* S/MIME sign parameters */ @@ -443,7 +473,8 @@ static const X509_VERIFY_PARAM default_table[] = { X509_PURPOSE_SMIME_SIGN, /* purpose */ X509_TRUST_EMAIL, /* trust */ -1, /* depth */ - NULL /* policies */ + NULL, /* policies */ + vpm_empty_id }, { "ssl_client", /* SSL/TLS client parameters */ @@ -453,7 +484,8 @@ static const X509_VERIFY_PARAM default_table[] = { X509_PURPOSE_SSL_CLIENT, /* purpose */ X509_TRUST_SSL_CLIENT, /* trust */ -1, /* depth */ - NULL /* policies */ + NULL, /* policies */ + vpm_empty_id }, { "ssl_server", /* SSL/TLS server parameters */ @@ -463,7 +495,8 @@ static const X509_VERIFY_PARAM default_table[] = { X509_PURPOSE_SSL_SERVER, /* purpose */ X509_TRUST_SSL_SERVER, /* trust */ -1, /* depth */ - NULL /* policies */ + NULL, /* policies */ + vpm_empty_id }}; static STACK_OF(X509_VERIFY_PARAM) *param_table = NULL; -- 2.25.1