authorRob Austein <sra@hactrn.net>2006-08-26 08:37:55 +0000
committerRob Austein <sra@hactrn.net>2006-08-26 08:37:55 +0000
commit99b382d77e50198e59869fbb9c3cb52f0bf79ff5 (patch)
treedd1d790ddf822964536ec2beca3880bfdf309fdc /openssl/trunk/crypto
parentf67ed9d59a451e0bb83396faed230a161a8f2b0f (diff)
Allow inheritance in "resource sets" since verification of certificate
requests will almost certainly require this. svn path=/openssl/trunk/crypto/x509v3/v3_addr.c; revision=232
Diffstat (limited to 'openssl/trunk/crypto')
-rw-r--r--openssl/trunk/crypto/x509v3/v3_addr.c72
-rw-r--r--openssl/trunk/crypto/x509v3/v3_asid.c114
-rw-r--r--openssl/trunk/crypto/x509v3/x509v3.h8
3 files changed, 92 insertions, 102 deletions
diff --git a/openssl/trunk/crypto/x509v3/v3_addr.c b/openssl/trunk/crypto/x509v3/v3_addr.c
index 464b7628..70911805 100644
--- a/openssl/trunk/crypto/x509v3/v3_addr.c
+++ b/openssl/trunk/crypto/x509v3/v3_addr.c
@@ -997,6 +997,23 @@ X509V3_EXT_METHOD v3_addr = {
};
/*
+ * Figure out whether extension sues inheritance.
+ */
+static int addr_inherits(IPAddrBlocks *addr)
+{
+ int i;
+ if (addr == NULL)
+ return 0;
+ for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
+ IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
+ if (f->ipAddressChoice->type == IPAddressChoice_inherit)
+ return 1;
+ }
+ return 0;
+}
+
+
+/*
* Figure out whether parent contains child.
*/
static int addr_contains(IPAddressOrRanges *parent,
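Review bot: `addr_inherits()` reads `f->ipAddressChoice->type` with no NULL check on `f` or `f->ipAddressChoice`, whereas the parallel `asid_inherits()` added in v3_asid.c checks each member before reading `->type`. The removed loop in `v3_addr_validate_path_internal()` only ran after `v3_addr_is_canonical()` had succeeded, but `v3_addr_validate_resource_set()` now calls this helper on the caller-supplied `ext` before any canonical-form check. A guard such as `if (f == NULL || f->ipAddressChoice == NULL) return 0;` would make a malformed, hand-built set fail in a defined way; whether the later canonical check would then reject it cannot be seen from this diff. The comment also has a typo, `sues` for `uses`.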
@@ -1054,50 +1071,34 @@ static int addr_contains(IPAddressOrRanges *parent,
*/
static int v3_addr_validate_path_internal(X509_STORE_CTX *ctx,
STACK_OF(X509) *chain,
- IPAddrBlocks *resource_set)
+ IPAddrBlocks *ext)
{
IPAddrBlocks *child = NULL;
int i, j, ret = 1;
X509 *x;
assert(chain != NULL && sk_X509_num(chain) > 0);
- assert(ctx != NULL || resource_set != NULL);
+ assert(ctx != NULL || ext != NULL);
assert(ctx == NULL || ctx->verify_cb != NULL);
- if (resource_set != NULL) {
- /*
- * Separate resource set. Check for canonical form, check for
- * inheritance (not allowed in a resource set).
- */
+ /*
+ * Figure out where to start. If we don't have an extension to
+ * check, we're done. Otherwise, check canonical form and
+ * set up for walking up the chain.
+ */
+ if (ext != NULL) {
i = -1;
- ret = v3_addr_is_canonical(resource_set);
- for (j = 0; ret && j < sk_IPAddressFamily_num(resource_set); j++) {
- IPAddressFamily *f = sk_IPAddressFamily_value(resource_set, j);
- if (f->ipAddressChoice->type == IPAddressChoice_inherit)
- ret = 0;
- }
- if (!ret)
- goto done;
- sk_IPAddressFamily_set_cmp_func(resource_set, IPAddressFamily_cmp);
- child = sk_IPAddressFamily_dup(resource_set);
-
} else {
- /*
- * Start with the target certificate. If it doesn't have the
- * extension, we're done. Otherwise, we need to check the chain.
- */
i = 0;
x = sk_X509_value(chain, i);
assert(x != NULL);
- if (x->rfc3779_addr == NULL)
+ if ((ext = x->rfc3779_addr) == NULL)
goto done;
- if (!v3_addr_is_canonical(x->rfc3779_addr))
- validation_err(X509_V_ERR_INVALID_EXTENSION);
- sk_IPAddressFamily_set_cmp_func(x->rfc3779_addr, IPAddressFamily_cmp);
- child = sk_IPAddressFamily_dup(x->rfc3779_addr);
}
-
- if (child == NULL) {
+ if (!v3_addr_is_canonical(ext))
+ validation_err(X509_V_ERR_INVALID_EXTENSION);
+ sk_IPAddressFamily_set_cmp_func(ext, IPAddressFamily_cmp);
+ if ((child = sk_IPAddressFamily_dup(ext)) == NULL) {
X509V3err(X509V3_F_V3_ADDR_VALIDATE_PATH_INTERNAL, ERR_R_MALLOC_FAILURE);
ret = 0;
goto done;
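Review bot: A non-canonical caller-supplied `ext` now reaches `validation_err(X509_V_ERR_INVALID_EXTENSION)` instead of the old `ret = 0; goto done;`, and on that path `ctx` is NULL (`v3_addr_validate_resource_set()` passes NULL), `x` has never been assigned and `i` is -1. The macro's definition is outside this diff; if it touches `ctx`, `x` or `i` without a `ctx != NULL` guard, this is a NULL dereference or an uninitialised read. Either confirm the macro handles `ctx == NULL`, or declare `X509 *x = NULL;` and keep a direct failure for the `ext != NULL` branch. The same restructuring appears in `v3_asid_validate_path_internal()` in v3_asid.c, and this function's body continues past the end of the hunk.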
@@ -1174,15 +1175,18 @@ int v3_addr_validate_path(X509_STORE_CTX *ctx)
}
/*
- * RFC 3779 2.3 path validation of a "resource set".
- * Test whether chain covers resource_set.
+ * RFC 3779 2.3 path validation of an extension.
+ * Test whether chain covers extension.
*/
int v3_addr_validate_resource_set(STACK_OF(X509) *chain,
- IPAddrBlocks *resource_set)
+ IPAddrBlocks *ext,
+ int allow_inheritance)
{
- if (resource_set == NULL)
+ if (ext == NULL)
return 1;
if (chain == NULL || sk_X509_num(chain) == 0)
return 0;
- return v3_addr_validate_path_internal(NULL, chain, resource_set);
+ if (!allow_inheritance && addr_inherits(ext))
+ return 0;
+ return v3_addr_validate_path_internal(NULL, chain, ext);
}
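Review bot: The header comment for `v3_addr_validate_resource_set()` does not document the new `allow_inheritance` argument or the return values, and the same is true of `v3_asid_validate_resource_set()` in v3_asid.c. I would extend the comment to say that a NULL `ext` returns 1, that an empty or NULL chain returns 0, and that `allow_inheritance == 0` rejects any `ext` containing an "inherit" element before the chain is consulted. It would also help to state that with a nonzero `allow_inheritance` an inheriting element is resolved against the chain rather than naming resources itself; that is an inference, since the chain walk is outside this hunk. The added parameter changes the public prototype in x509v3.h, so existing callers need updating in the same change.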
diff --git a/openssl/trunk/crypto/x509v3/v3_asid.c b/openssl/trunk/crypto/x509v3/v3_asid.c
index 4420cc66..79dd262b 100644
--- a/openssl/trunk/crypto/x509v3/v3_asid.c
+++ b/openssl/trunk/crypto/x509v3/v3_asid.c
@@ -561,6 +561,18 @@ X509V3_EXT_METHOD v3_asid = {
};
/*
+ * Figure out whether extension uses inheritance.
+ */
+static int asid_inherits(ASIdentifiers *asid)
+{
+ return (asid != NULL &&
+ ((asid->asnum != NULL &&
+ asid->asnum->type == ASIdentifierChoice_inherit) ||
+ (asid->rdi != NULL &&
+ asid->rdi->type == ASIdentifierChoice_inherit)));
+}
+
+/*
* Figure out whether parent contains child.
*/
static int asid_contains(ASIdOrRanges *parent, ASIdOrRanges *child)
@@ -613,81 +625,50 @@ static int asid_contains(ASIdOrRanges *parent, ASIdOrRanges *child)
*/
static int v3_asid_validate_path_internal(X509_STORE_CTX *ctx,
STACK_OF(X509) *chain,
- ASIdentifiers *resource_set)
+ ASIdentifiers *ext)
{
ASIdOrRanges *child_as = NULL, *child_rdi = NULL;
int i, ret = 1, inherit_as = 0, inherit_rdi = 0;
X509 *x;
assert(chain != NULL && sk_X509_num(chain) > 0);
- assert(ctx != NULL || resource_set != NULL);
+ assert(ctx != NULL || ext != NULL);
assert(ctx == NULL || ctx->verify_cb != NULL);
- if (resource_set != NULL) {
-
- /*
- * Separate resource set. Check for canonical form, check for
- * inheritance (not allowed in a resource set).
- */
+ /*
+ * Figure out where to start. If we don't have an extension to
+ * check, we're done. Otherwise, check canonical form and
+ * set up for walking up the chain.
+ */
+ if (ext != NULL) {
i = -1;
- ret = v3_asid_is_canonical(resource_set);
- if (ret && resource_set->asnum != NULL) {
- switch (resource_set->asnum->type) {
- case ASIdentifierChoice_inherit:
- ret = 0;
- break;
- case ASIdentifierChoice_asIdsOrRanges:
- child_as = resource_set->asnum->u.asIdsOrRanges;
- break;
- }
- }
- if (ret && resource_set->rdi != NULL) {
- switch (resource_set->rdi->type) {
- case ASIdentifierChoice_inherit:
- ret = 0;
- break;
- case ASIdentifierChoice_asIdsOrRanges:
- child_rdi = resource_set->rdi->u.asIdsOrRanges;
- break;
- }
- }
- if (!ret)
- goto done;
-
} else {
-
- /*
- * Starting with target certificate. If it doesn't have the
- * extension, we're done. If it does, extension must be in
- * canonical form, then we pull its resource lists so
- * we can check whether its parents have them to grant.
- */
i = 0;
x = sk_X509_value(chain, i);
assert(x != NULL);
- if (x->rfc3779_asid == NULL)
+ if ((ext = x->rfc3779_asid) == NULL)
goto done;
- if (!v3_asid_is_canonical(x->rfc3779_asid))
- validation_err(X509_V_ERR_INVALID_EXTENSION);
- if (x->rfc3779_asid->asnum != NULL) {
- switch (x->rfc3779_asid->asnum->type) {
- case ASIdentifierChoice_inherit:
- inherit_as = 1;
- break;
- case ASIdentifierChoice_asIdsOrRanges:
- child_as = x->rfc3779_asid->asnum->u.asIdsOrRanges;
- break;
- }
+ }
+ if (!v3_asid_is_canonical(ext))
+ validation_err(X509_V_ERR_INVALID_EXTENSION);
+ if (ext->asnum != NULL) {
+ switch (ext->asnum->type) {
+ case ASIdentifierChoice_inherit:
+ inherit_as = 1;
+ break;
+ case ASIdentifierChoice_asIdsOrRanges:
+ child_as = ext->asnum->u.asIdsOrRanges;
+ break;
}
- if (x->rfc3779_asid->rdi != NULL) {
- switch (x->rfc3779_asid->rdi->type) {
- case ASIdentifierChoice_inherit:
- inherit_rdi = 1;
- break;
- case ASIdentifierChoice_asIdsOrRanges:
- child_rdi = x->rfc3779_asid->rdi->u.asIdsOrRanges;
- break;
- }
+ }
+ if (ext->rdi != NULL) {
+ switch (ext->rdi->type) {
+ case ASIdentifierChoice_inherit:
+ inherit_rdi = 1;
+ break;
+ case ASIdentifierChoice_asIdsOrRanges:
+ child_rdi = ext->rdi->u.asIdsOrRanges;
+ break;
}
}
@@ -764,15 +745,18 @@ int v3_asid_validate_path(X509_STORE_CTX *ctx)
}
/*
- * RFC 3779 3.3 path validation of a "resource set".
- * Test whether chain covers resource_set.
+ * RFC 3779 3.3 path validation of an extension.
+ * Test whether chain covers extension.
*/
int v3_asid_validate_resource_set(STACK_OF(X509) *chain,
- ASIdentifiers *resource_set)
+ ASIdentifiers *ext,
+ int allow_inheritance)
{
- if (resource_set == NULL)
+ if (ext == NULL)
return 1;
if (chain == NULL || sk_X509_num(chain) == 0)
return 0;
- return v3_asid_validate_path_internal(NULL, chain, resource_set);
+ if (!allow_inheritance && asid_inherits(ext))
+ return 0;
+ return v3_asid_validate_path_internal(NULL, chain, ext);
}
diff --git a/openssl/trunk/crypto/x509v3/x509v3.h b/openssl/trunk/crypto/x509v3/x509v3.h
index 4bcdd1dd..ea5d3f6e 100644
--- a/openssl/trunk/crypto/x509v3/x509v3.h
+++ b/openssl/trunk/crypto/x509v3/x509v3.h
@@ -739,10 +739,12 @@ int v3_addr_canonize(IPAddrBlocks *addr);
int v3_asid_validate_path(X509_STORE_CTX *);
int v3_addr_validate_path(X509_STORE_CTX *);
int v3_asid_validate_resource_set(STACK_OF(X509) *chain,
- ASIdentifiers *resource_set);
+ ASIdentifiers *ext,
+ int allow_inheritance);
int v3_addr_validate_resource_set(STACK_OF(X509) *chain,
- IPAddrBlocks *resource_set);
-
+ IPAddrBlocks *ext,
+ int allow_inheritance);
+
/*
* [sra] End RFC 3779 stuff
*/