From 0f095e8a2af65fdcbf4af38dc6a00383e2fd6b3f Mon Sep 17 00:00:00 2001 From: nectar Date: Wed, 17 Mar 2004 15:49:33 +0000 Subject: Vendor import of OpenSSL 0.9.7d. --- crypto/openssl/crypto/x509/Makefile.ssl | 2 +- crypto/openssl/crypto/x509/by_dir.c | 34 ++++++++++++++++++-- crypto/openssl/crypto/x509/x509.h | 4 --- crypto/openssl/crypto/x509/x509_txt.c | 8 ++++- crypto/openssl/crypto/x509/x509_vfy.c | 55 ++++++++++++++++++++++++++++----- crypto/openssl/crypto/x509/x509_vfy.h | 19 +++++++++--- crypto/openssl/crypto/x509/x509type.c | 2 +- 7 files changed, 103 insertions(+), 21 deletions(-) (limited to 'crypto/openssl/crypto/x509') diff --git a/crypto/openssl/crypto/x509/Makefile.ssl b/crypto/openssl/crypto/x509/Makefile.ssl index 6a5a879..3a34525 100644 --- a/crypto/openssl/crypto/x509/Makefile.ssl +++ b/crypto/openssl/crypto/x509/Makefile.ssl @@ -57,7 +57,7 @@ files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) diff --git a/crypto/openssl/crypto/x509/by_dir.c b/crypto/openssl/crypto/x509/by_dir.c index 448bd7e..6207340 100644 --- a/crypto/openssl/crypto/x509/by_dir.c +++ b/crypto/openssl/crypto/x509/by_dir.c @@ -302,8 +302,38 @@ static int get_cert_by_subject(X509_LOOKUP *xl, int type, X509_NAME *name, k=0; for (;;) { - sprintf(b->data,"%s/%08lx.%s%d",ctx->dirs[i],h, - postfix,k); + char c = '/'; +#ifdef OPENSSL_SYS_VMS + c = ctx->dirs[i][strlen(ctx->dirs[i])-1]; + if (c != ':' && c != '>' && c != ']') + { + /* If no separator is present, we assume the + directory specifier is a logical name, and + add a colon. We really should use better + VMS routines for merging things like this, + but this will do for now... + -- Richard Levitte */ + c = ':'; + } + else + { + c = '\0'; + } +#endif + if (c == '\0') + { + /* This is special. When c == '\0', no + directory separator should be added. */ + BIO_snprintf(b->data,b->max, + "%s%08lx.%s%d",ctx->dirs[i],h, + postfix,k); + } + else + { + BIO_snprintf(b->data,b->max, + "%s%c%08lx.%s%d",ctx->dirs[i],c,h, + postfix,k); + } k++; if (stat(b->data,&st) < 0) break; diff --git a/crypto/openssl/crypto/x509/x509.h b/crypto/openssl/crypto/x509/x509.h index eaad568..8d0c7e2 100644 --- a/crypto/openssl/crypto/x509/x509.h +++ b/crypto/openssl/crypto/x509/x509.h @@ -810,10 +810,6 @@ X509_REQ *X509_REQ_dup(X509_REQ *req); X509_ALGOR *X509_ALGOR_dup(X509_ALGOR *xn); X509_NAME *X509_NAME_dup(X509_NAME *xn); X509_NAME_ENTRY *X509_NAME_ENTRY_dup(X509_NAME_ENTRY *ne); -#ifndef OPENSSL_NO_RSA -RSA *RSAPublicKey_dup(RSA *rsa); -RSA *RSAPrivateKey_dup(RSA *rsa); -#endif #endif /* !SSLEAY_MACROS */ diff --git a/crypto/openssl/crypto/x509/x509_txt.c b/crypto/openssl/crypto/x509/x509_txt.c index 4f83db8..e31ebc6 100644 --- a/crypto/openssl/crypto/x509/x509_txt.c +++ b/crypto/openssl/crypto/x509/x509_txt.c @@ -147,8 +147,14 @@ const char *X509_verify_cert_error_string(long n) case X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION: return("unhandled critical extension"); + case X509_V_ERR_KEYUSAGE_NO_CRL_SIGN: + return("key usage does not include CRL signing"); + + case X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION: + return("unhandled critical CRL extension"); + default: - sprintf(buf,"error number %ld",n); + BIO_snprintf(buf,sizeof buf,"error number %ld",n); return(buf); } } diff --git a/crypto/openssl/crypto/x509/x509_vfy.c b/crypto/openssl/crypto/x509/x509_vfy.c index 2bb21b4..2e4d0b8 100644 --- a/crypto/openssl/crypto/x509/x509_vfy.c +++ b/crypto/openssl/crypto/x509/x509_vfy.c @@ -383,6 +383,7 @@ static int check_chain_purpose(X509_STORE_CTX *ctx) /* Check all untrusted certificates */ for (i = 0; i < ctx->last_untrusted; i++) { + int ret; x = sk_X509_value(ctx->chain, i); if (!(ctx->flags & X509_V_FLAG_IGNORE_CRITICAL) && (x->ex_flags & EXFLAG_CRITICAL)) @@ -393,7 +394,10 @@ static int check_chain_purpose(X509_STORE_CTX *ctx) ok=cb(0,ctx); if (!ok) goto end; } - if (!X509_check_purpose(x, ctx->purpose, i)) + ret = X509_check_purpose(x, ctx->purpose, i); + if ((ret == 0) + || ((ctx->flags & X509_V_FLAG_X509_STRICT) + && (ret != 1))) { if (i) ctx->error = X509_V_ERR_INVALID_CA; @@ -537,6 +541,14 @@ static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl) if(issuer) { + /* Check for cRLSign bit if keyUsage present */ + if ((issuer->ex_flags & EXFLAG_KUSAGE) && + !(issuer->ex_kusage & KU_CRL_SIGN)) + { + ctx->error = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN; + ok = ctx->verify_cb(0, ctx); + if(!ok) goto err; + } /* Attempt to get issuer certificate public key */ ikey = X509_get_pubkey(issuer); @@ -611,17 +623,46 @@ static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x) { int idx, ok; X509_REVOKED rtmp; + STACK_OF(X509_EXTENSION) *exts; + X509_EXTENSION *ext; /* Look for serial number of certificate in CRL */ rtmp.serialNumber = X509_get_serialNumber(x); idx = sk_X509_REVOKED_find(crl->crl->revoked, &rtmp); - /* Not found: OK */ - if(idx == -1) return 1; - /* Otherwise revoked: want something cleverer than + /* If found assume revoked: want something cleverer than * this to handle entry extensions in V2 CRLs. */ - ctx->error = X509_V_ERR_CERT_REVOKED; - ok = ctx->verify_cb(0, ctx); - return ok; + if(idx >= 0) + { + ctx->error = X509_V_ERR_CERT_REVOKED; + ok = ctx->verify_cb(0, ctx); + if (!ok) return 0; + } + + if (ctx->flags & X509_V_FLAG_IGNORE_CRITICAL) + return 1; + + /* See if we have any critical CRL extensions: since we + * currently don't handle any CRL extensions the CRL must be + * rejected. + * This code accesses the X509_CRL structure directly: applications + * shouldn't do this. + */ + + exts = crl->crl->extensions; + + for (idx = 0; idx < sk_X509_EXTENSION_num(exts); idx++) + { + ext = sk_X509_EXTENSION_value(exts, idx); + if (ext->critical > 0) + { + ctx->error = + X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION; + ok = ctx->verify_cb(0, ctx); + if(!ok) return 0; + break; + } + } + return 1; } static int internal_verify(X509_STORE_CTX *ctx) diff --git a/crypto/openssl/crypto/x509/x509_vfy.h b/crypto/openssl/crypto/x509/x509_vfy.h index f0be21f..1984958 100644 --- a/crypto/openssl/crypto/x509/x509_vfy.h +++ b/crypto/openssl/crypto/x509/x509_vfy.h @@ -304,17 +304,26 @@ struct x509_store_ctx_st /* X509_STORE_CTX */ #define X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER 33 #define X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION 34 +#define X509_V_ERR_KEYUSAGE_NO_CRL_SIGN 35 +#define X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION 36 /* The application is not happy */ #define X509_V_ERR_APPLICATION_VERIFICATION 50 /* Certificate verify flags */ -#define X509_V_FLAG_CB_ISSUER_CHECK 0x1 /* Send issuer+subject checks to verify_cb */ -#define X509_V_FLAG_USE_CHECK_TIME 0x2 /* Use check time instead of current time */ -#define X509_V_FLAG_CRL_CHECK 0x4 /* Lookup CRLs */ -#define X509_V_FLAG_CRL_CHECK_ALL 0x8 /* Lookup CRLs for whole chain */ -#define X509_V_FLAG_IGNORE_CRITICAL 0x10 /* Ignore unhandled critical extensions */ +/* Send issuer+subject checks to verify_cb */ +#define X509_V_FLAG_CB_ISSUER_CHECK 0x1 +/* Use check time instead of current time */ +#define X509_V_FLAG_USE_CHECK_TIME 0x2 +/* Lookup CRLs */ +#define X509_V_FLAG_CRL_CHECK 0x4 +/* Lookup CRLs for whole chain */ +#define X509_V_FLAG_CRL_CHECK_ALL 0x8 +/* Ignore unhandled critical extensions */ +#define X509_V_FLAG_IGNORE_CRITICAL 0x10 +/* Disable workarounds for broken certificates */ +#define X509_V_FLAG_X509_STRICT 0x20 int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, int type, X509_NAME *name); diff --git a/crypto/openssl/crypto/x509/x509type.c b/crypto/openssl/crypto/x509/x509type.c index f78c2a6..c25959a 100644 --- a/crypto/openssl/crypto/x509/x509type.c +++ b/crypto/openssl/crypto/x509/x509type.c @@ -106,7 +106,7 @@ int X509_certificate_type(X509 *x, EVP_PKEY *pkey) break; } - if (EVP_PKEY_size(pk) <= 512/8) /* /8 because it's 512 bits we look + if (EVP_PKEY_size(pk) <= 1024/8)/* /8 because it's 1024 bits we look for, not bytes */ ret|=EVP_PKT_EXP; if(pkey==NULL) EVP_PKEY_free(pk); -- cgit v1.1