diff options
| -rw-r--r-- | openssl/README | 7 | ||||
| -rw-r--r-- | openssl/trunk/crypto/asn1/x_x509.c | 4 | ||||
| -rw-r--r-- | openssl/trunk/crypto/x509/x509.h | 2 | ||||
| -rw-r--r-- | openssl/trunk/crypto/x509v3/v3_addr.c | 2 | ||||
| -rw-r--r-- | openssl/trunk/crypto/x509v3/v3_asid.c | 131 | ||||
| -rw-r--r-- | openssl/trunk/crypto/x509v3/v3_purp.c | 3 |
6 files changed, 84 insertions, 65 deletions
diff --git a/openssl/README b/openssl/README index d1851f09..186d2269 100644 --- a/openssl/README +++ b/openssl/README @@ -302,15 +302,18 @@ Random reminders and notes to myself: this, the code needing modification would be: - crypto/x509/x509.h: add rfc3779_addr and rfc3779_asid fields to - struct x509_st. + struct x509_st. [done] - crypto/asn1/x_x509.c: add initialization and cleanup code to x509_cb() (set new fields to NULL for ASN1_OP_NEW_POST, free new - fields for ASN1_OP_FREE_POST). + fields for ASN1_OP_FREE_POST). [done] - crypto/x509v3/v3_purp.c: add code to x509v3_cache_extensions() to call X509_get_ext_d2i() for our extensions and stash the result in the corresponding struct x509_st fields (see the akid handling). + [done] + + - Rewrite path validation routines to use this new stuff. - I need to rewrite the path validation code anyway to allow null inheritance, per mailing list discussion. diff --git a/openssl/trunk/crypto/asn1/x_x509.c b/openssl/trunk/crypto/asn1/x_x509.c index 12d1a256..01c586f4 100644 --- a/openssl/trunk/crypto/asn1/x_x509.c +++ b/openssl/trunk/crypto/asn1/x_x509.c @@ -94,6 +94,8 @@ static int x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it) ret->ex_pathlen = -1; ret->skid = NULL; ret->akid = NULL; + ret->rfc3779_addr = NULL; + ret->rfc3779_asid = NULL; ret->aux = NULL; CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509, ret, &ret->ex_data); break; @@ -109,6 +111,8 @@ static int x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it) ASN1_OCTET_STRING_free(ret->skid); AUTHORITY_KEYID_free(ret->akid); policy_cache_free(ret->policy_cache); + sk_IPAddressFamily_pop_free(ret->rfc3779_addr, IPAddressFamily_free); + ASIdentifiers_free(ret->rfc3779_asid); if (ret->name != NULL) OPENSSL_free(ret->name); break; diff --git a/openssl/trunk/crypto/x509/x509.h b/openssl/trunk/crypto/x509/x509.h index 66990ae5..16d7bbf5 100644 --- a/openssl/trunk/crypto/x509/x509.h +++ b/openssl/trunk/crypto/x509/x509.h @@ -288,6 +288,8 @@ struct x509_st ASN1_OCTET_STRING *skid; struct AUTHORITY_KEYID_st *akid; X509_POLICY_CACHE *policy_cache; + STACK_OF(IPAddressFamily) *rfc3779_addr; + struct ASIdentifiers_st *rfc3779_asid; #ifndef OPENSSL_NO_SHA unsigned char sha1_hash[SHA_DIGEST_LENGTH]; #endif diff --git a/openssl/trunk/crypto/x509v3/v3_addr.c b/openssl/trunk/crypto/x509v3/v3_addr.c index 707fdd5f..0355dda2 100644 --- a/openssl/trunk/crypto/x509v3/v3_addr.c +++ b/openssl/trunk/crypto/x509v3/v3_addr.c @@ -922,6 +922,8 @@ static int addr_contains(IPAddressOrRanges *parent, break; } } + + return 1; } /* diff --git a/openssl/trunk/crypto/x509v3/v3_asid.c b/openssl/trunk/crypto/x509v3/v3_asid.c index 39c43a21..98fa39cd 100644 --- a/openssl/trunk/crypto/x509v3/v3_asid.c +++ b/openssl/trunk/crypto/x509v3/v3_asid.c @@ -622,6 +622,8 @@ static int asid_contains(ASIdOrRanges *parent, ASIdOrRanges *child) break; } } + + return 1; } /* @@ -642,92 +644,95 @@ static int asid_contains(ASIdOrRanges *parent, ASIdOrRanges *child) */ int v3_asid_validate_path(X509_STORE_CTX *ctx) { - ASIdOrRanges *parent_as = NULL, *parent_rdi = NULL; - ASIdentifiers *asid = NULL; - int i, has_ext, ret = 1; + ASIdOrRanges *child_as, *child_rdi, *inherit_marker = (ASIdOrRanges *) 1; + int i, ret = 1; X509 *x; assert(ctx->verify_cb); /* - * Start with the ancestral cert. It can't inherit anything. + * Start with the target certificate. If it doesn't have the extension, + * we're done. */ - i = sk_X509_num(ctx->chain) - 1; - x = sk_X509_value(ctx->chain, i); + x = sk_X509_value(ctx->chain, 0); assert(x != NULL); - asid = X509_get_ext_d2i(x, NID_sbgp_autonomousSysNum, NULL, NULL); - has_ext = asid != NULL; - if (has_ext) { - if (asid->asnum != NULL) { - switch (asid->asnum->type) { - case ASIdentifierChoice_asIdsOrRanges: - parent_as = asid->asnum->u.asIdsOrRanges; - asid->asnum->u.asIdsOrRanges = NULL; - break; - case ASIdentifierChoice_inherit: - validation_err(X509_V_ERR_UNNESTED_RESOURCE); - goto done; /* callback insists on continuing */ - } + if (x->rfc3779_asid == NULL) + goto done; + + /* + * Has extension, have to check the whole chain. + */ + if (x->rfc3779_asid->asnum == NULL) { + child_as = NULL; + } else { + switch (x->rfc3779_asid->asnum->type) { + case ASIdentifierChoice_inherit: + child_as = inherit_marker; + break; + case ASIdentifierChoice_asIdsOrRanges: + child_as = x->rfc3779_asid->asnum->u.asIdsOrRanges; + break; } - if (asid->rdi != NULL) { - switch (asid->rdi->type) { - case ASIdentifierChoice_asIdsOrRanges: - parent_rdi = asid->rdi->u.asIdsOrRanges; - asid->rdi->u.asIdsOrRanges = NULL; - break; - case ASIdentifierChoice_inherit: - validation_err(X509_V_ERR_UNNESTED_RESOURCE); - goto done; /* callback insists on continuing */ - } + } + if (x->rfc3779_asid->rdi == NULL) { + child_rdi = NULL; + } else { + switch (x->rfc3779_asid->rdi->type) { + case ASIdentifierChoice_inherit: + child_rdi = inherit_marker; + break; + case ASIdentifierChoice_asIdsOrRanges: + child_rdi = x->rfc3779_asid->rdi->u.asIdsOrRanges; + break; } } - ASIdentifiers_free(asid); - asid = NULL; /* - * Now walk down the chain. No cert may list resources that its + * Now walk up the chain. No cert may list resources that its * parent doesn't list. */ - while (--i >= 0) { + for (i = 1; i < sk_X509_num(ctx->chain); i++) { x = sk_X509_value(ctx->chain, i); assert(x != NULL); - - assert(asid == NULL); - asid = X509_get_ext_d2i(x, NID_sbgp_autonomousSysNum, NULL, NULL); - if (asid == NULL) { - has_ext = 0; - } else if (!has_ext) { + if (x->rfc3779_asid == NULL) { validation_err(X509_V_ERR_UNNESTED_RESOURCE); - has_ext = 1; /* callback insists on continuing */ + continue; } - - if (has_ext) { - if (asid->asnum != NULL && - asid->asnum->type == ASIdentifierChoice_asIdsOrRanges) { - if (!asid_contains(parent_as, asid->asnum->u.asIdsOrRanges)) - validation_err(X509_V_ERR_UNNESTED_RESOURCE); - sk_ASIdOrRange_pop_free(parent_as, ASIdOrRange_free); - parent_as = asid->asnum->u.asIdsOrRanges; - asid->asnum->u.asIdsOrRanges = NULL; - } - if (asid->rdi != NULL && - asid->rdi->type == ASIdentifierChoice_asIdsOrRanges) { - if (!asid_contains(parent_rdi, asid->rdi->u.asIdsOrRanges)) - validation_err(X509_V_ERR_UNNESTED_RESOURCE); - sk_ASIdOrRange_pop_free(parent_rdi, ASIdOrRange_free); - parent_rdi = asid->rdi->u.asIdsOrRanges; - asid->rdi->u.asIdsOrRanges = NULL; - } + if (x->rfc3779_asid->asnum == NULL && child_as != NULL) + validation_err(X509_V_ERR_UNNESTED_RESOURCE); + if (x->rfc3779_asid->asnum != NULL && + x->rfc3779_asid->asnum->type == ASIdentifierChoice_asIdsOrRanges) { + if (child_as == inherit_marker || + asid_contains(x->rfc3779_asid->asnum->u.asIdsOrRanges, child_as)) + child_as = x->rfc3779_asid->asnum->u.asIdsOrRanges; + else + validation_err(X509_V_ERR_UNNESTED_RESOURCE); } + if (x->rfc3779_asid->rdi == NULL && child_rdi != NULL) + validation_err(X509_V_ERR_UNNESTED_RESOURCE); + if (x->rfc3779_asid->rdi != NULL && + x->rfc3779_asid->rdi->type == ASIdentifierChoice_asIdsOrRanges) { + if (child_rdi == inherit_marker || + asid_contains(x->rfc3779_asid->rdi->u.asIdsOrRanges, child_rdi)) + child_rdi = x->rfc3779_asid->rdi->u.asIdsOrRanges; + else + validation_err(X509_V_ERR_UNNESTED_RESOURCE); + } + } - ASIdentifiers_free(asid); - asid = NULL; + /* + * Trust anchor can't inherit. + */ + if (x->rfc3779_asid != NULL) { + if (x->rfc3779_asid->asnum != NULL && + x->rfc3779_asid->asnum->type == ASIdentifierChoice_inherit) + validation_err(X509_V_ERR_UNNESTED_RESOURCE); + if (x->rfc3779_asid->rdi != NULL && + x->rfc3779_asid->rdi->type == ASIdentifierChoice_inherit) + validation_err(X509_V_ERR_UNNESTED_RESOURCE); } done: - sk_ASIdOrRange_pop_free(parent_as, ASIdOrRange_free); - sk_ASIdOrRange_pop_free(parent_rdi, ASIdOrRange_free); - ASIdentifiers_free(asid); return ret; } diff --git a/openssl/trunk/crypto/x509v3/v3_purp.c b/openssl/trunk/crypto/x509v3/v3_purp.c index ae05b39b..5ad2047e 100644 --- a/openssl/trunk/crypto/x509v3/v3_purp.c +++ b/openssl/trunk/crypto/x509v3/v3_purp.c @@ -413,6 +413,9 @@ static void x509v3_cache_extensions(X509 *x) } x->skid =X509_get_ext_d2i(x, NID_subject_key_identifier, NULL, NULL); x->akid =X509_get_ext_d2i(x, NID_authority_key_identifier, NULL, NULL); + x->rfc3779_addr =X509_get_ext_d2i(x, NID_sbgp_ipAddrBlock, NULL, NULL); + x->rfc3779_asid =X509_get_ext_d2i(x, NID_sbgp_autonomousSysNum, + NULL, NULL); for (i = 0; i < X509_get_ext_count(x); i++) { ex = X509_get_ext(x, i); |