authorJoel Sing <jsing@cvs.openbsd.org>2014-05-26 12:10:12 +0000
committerJoel Sing <jsing@cvs.openbsd.org>2014-05-26 12:10:12 +0000
commit661391785ea1636d807d57e99192342b52241db0 (patch)
tree2f3f8293bf9b64486bdeb4aef06d763f10467dab
parented4508eb4b3d8d0965c44f1b96e2e5428078de5c (diff)
KNF.
-rw-r--r--lib/libcrypto/x509v3/v3_pci.c309
-rw-r--r--lib/libcrypto/x509v3/v3_pcia.c15
-rw-r--r--lib/libcrypto/x509v3/v3_pcons.c82
-rw-r--r--lib/libcrypto/x509v3/v3_pku.c27
-rw-r--r--lib/libcrypto/x509v3/v3_pmaps.c57
-rw-r--r--lib/libcrypto/x509v3/v3_prn.c168
-rw-r--r--lib/libcrypto/x509v3/v3_purp.c550
7 files changed, 666 insertions, 542 deletions
diff --git a/lib/libcrypto/x509v3/v3_pci.c b/lib/libcrypto/x509v3/v3_pci.c
index 9cef94258c2..ab09a36436e 100644
--- a/lib/libcrypto/x509v3/v3_pci.c
+++ b/lib/libcrypto/x509v3/v3_pci.c
@@ -40,209 +40,196 @@
#include <openssl/x509v3.h>
static int i2r_pci(X509V3_EXT_METHOD *method, PROXY_CERT_INFO_EXTENSION *ext,
- BIO *out, int indent);
+ BIO *out, int indent);
static PROXY_CERT_INFO_EXTENSION *r2i_pci(X509V3_EXT_METHOD *method,
- X509V3_CTX *ctx, char *str);
+ X509V3_CTX *ctx, char *str);
-const X509V3_EXT_METHOD v3_pci =
- { NID_proxyCertInfo, 0, ASN1_ITEM_ref(PROXY_CERT_INFO_EXTENSION),
- 0,0,0,0,
- 0,0,
- NULL, NULL,
- (X509V3_EXT_I2R)i2r_pci,
- (X509V3_EXT_R2I)r2i_pci,
- NULL,
- };
+const X509V3_EXT_METHOD v3_pci = {
+ NID_proxyCertInfo, 0, ASN1_ITEM_ref(PROXY_CERT_INFO_EXTENSION),
+ 0, 0, 0, 0, 0, 0, NULL, NULL,
+ (X509V3_EXT_I2R)i2r_pci,
+ (X509V3_EXT_R2I)r2i_pci,
+ NULL,
+};
-static int i2r_pci(X509V3_EXT_METHOD *method, PROXY_CERT_INFO_EXTENSION *pci,
- BIO *out, int indent)
- {
+static int
+i2r_pci(X509V3_EXT_METHOD *method, PROXY_CERT_INFO_EXTENSION *pci, BIO *out,
+ int indent)
+{
BIO_printf(out, "%*sPath Length Constraint: ", indent, "");
if (pci->pcPathLengthConstraint)
- i2a_ASN1_INTEGER(out, pci->pcPathLengthConstraint);
+ i2a_ASN1_INTEGER(out, pci->pcPathLengthConstraint);
else
- BIO_printf(out, "infinite");
+ BIO_printf(out, "infinite");
BIO_puts(out, "\n");
BIO_printf(out, "%*sPolicy Language: ", indent, "");
i2a_ASN1_OBJECT(out, pci->proxyPolicy->policyLanguage);
BIO_puts(out, "\n");
if (pci->proxyPolicy->policy && pci->proxyPolicy->policy->data)
- BIO_printf(out, "%*sPolicy Text: %s\n", indent, "",
- pci->proxyPolicy->policy->data);
+ BIO_printf(out, "%*sPolicy Text: %s\n", indent, "",
+ pci->proxyPolicy->policy->data);
return 1;
- }
+}
-static int process_pci_value(CONF_VALUE *val,
- ASN1_OBJECT **language, ASN1_INTEGER **pathlen,
- ASN1_OCTET_STRING **policy)
- {
+static int
+process_pci_value(CONF_VALUE *val, ASN1_OBJECT **language,
+ ASN1_INTEGER **pathlen, ASN1_OCTET_STRING **policy)
+{
int free_policy = 0;
- if (strcmp(val->name, "language") == 0)
- {
- if (*language)
- {
- X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_POLICY_LANGUAGE_ALREADY_DEFINED);
+ if (strcmp(val->name, "language") == 0) {
+ if (*language) {
+ X509V3err(X509V3_F_PROCESS_PCI_VALUE,
+ X509V3_R_POLICY_LANGUAGE_ALREADY_DEFINED);
X509V3_conf_err(val);
return 0;
- }
- if (!(*language = OBJ_txt2obj(val->value, 0)))
- {
- X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_INVALID_OBJECT_IDENTIFIER);
+ }
+ if (!(*language = OBJ_txt2obj(val->value, 0))) {
+ X509V3err(X509V3_F_PROCESS_PCI_VALUE,
+ X509V3_R_INVALID_OBJECT_IDENTIFIER);
X509V3_conf_err(val);
return 0;
- }
}
- else if (strcmp(val->name, "pathlen") == 0)
- {
- if (*pathlen)
- {
- X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_POLICY_PATH_LENGTH_ALREADY_DEFINED);
+ }
+ else if (strcmp(val->name, "pathlen") == 0) {
+ if (*pathlen) {
+ X509V3err(X509V3_F_PROCESS_PCI_VALUE,
+ X509V3_R_POLICY_PATH_LENGTH_ALREADY_DEFINED);
X509V3_conf_err(val);
return 0;
- }
- if (!X509V3_get_value_int(val, pathlen))
- {
- X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_POLICY_PATH_LENGTH);
+ }
+ if (!X509V3_get_value_int(val, pathlen)) {
+ X509V3err(X509V3_F_PROCESS_PCI_VALUE,
+ X509V3_R_POLICY_PATH_LENGTH);
X509V3_conf_err(val);
return 0;
- }
}
- else if (strcmp(val->name, "policy") == 0)
- {
+ }
+ else if (strcmp(val->name, "policy") == 0) {
unsigned char *tmp_data = NULL;
long val_len;
- if (!*policy)
- {
+ if (!*policy) {
*policy = ASN1_OCTET_STRING_new();
- if (!*policy)
- {
- X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_MALLOC_FAILURE);
+ if (!*policy) {
+ X509V3err(X509V3_F_PROCESS_PCI_VALUE,
+ ERR_R_MALLOC_FAILURE);
X509V3_conf_err(val);
return 0;
- }
- free_policy = 1;
}
- if (strncmp(val->value, "hex:", 4) == 0)
- {
+ free_policy = 1;
+ }
+ if (strncmp(val->value, "hex:", 4) == 0) {
unsigned char *tmp_data2 =
- string_to_hex(val->value + 4, &val_len);
+ string_to_hex(val->value + 4, &val_len);
- if (!tmp_data2)
- {
- X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_ILLEGAL_HEX_DIGIT);
+ if (!tmp_data2) {
+ X509V3err(X509V3_F_PROCESS_PCI_VALUE,
+ X509V3_R_ILLEGAL_HEX_DIGIT);
X509V3_conf_err(val);
goto err;
- }
+ }
tmp_data = realloc((*policy)->data,
- (*policy)->length + val_len + 1);
- if (tmp_data)
- {
+ (*policy)->length + val_len + 1);
+ if (tmp_data) {
(*policy)->data = tmp_data;
memcpy(&(*policy)->data[(*policy)->length],
- tmp_data2, val_len);
+ tmp_data2, val_len);
(*policy)->length += val_len;
(*policy)->data[(*policy)->length] = '\0';
- }
- else
- {
+ } else {
free(tmp_data2);
/* realloc failure implies the original data space is b0rked too! */
(*policy)->data = NULL;
(*policy)->length = 0;
- X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_MALLOC_FAILURE);
+ X509V3err(X509V3_F_PROCESS_PCI_VALUE,
+ ERR_R_MALLOC_FAILURE);
X509V3_conf_err(val);
goto err;
- }
- free(tmp_data2);
}
- else if (strncmp(val->value, "file:", 5) == 0)
- {
+ free(tmp_data2);
+ }
+ else if (strncmp(val->value, "file:", 5) == 0) {
unsigned char buf[2048];
int n;
BIO *b = BIO_new_file(val->value + 5, "r");
- if (!b)
- {
- X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_BIO_LIB);
+ if (!b) {
+ X509V3err(X509V3_F_PROCESS_PCI_VALUE,
+ ERR_R_BIO_LIB);
X509V3_conf_err(val);
goto err;
- }
- while((n = BIO_read(b, buf, sizeof(buf))) > 0
- || (n == 0 && BIO_should_retry(b)))
- {
- if (!n) continue;
+ }
+ while ((n = BIO_read(b, buf, sizeof(buf))) > 0 ||
+ (n == 0 && BIO_should_retry(b))) {
+ if (!n)
+ continue;
tmp_data = realloc((*policy)->data,
- (*policy)->length + n + 1);
+ (*policy)->length + n + 1);
if (!tmp_data)
break;
(*policy)->data = tmp_data;
memcpy(&(*policy)->data[(*policy)->length],
- buf, n);
+ buf, n);
(*policy)->length += n;
(*policy)->data[(*policy)->length] = '\0';
- }
+ }
BIO_free_all(b);
- if (n < 0)
- {
- X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_BIO_LIB);
+ if (n < 0) {
+ X509V3err(X509V3_F_PROCESS_PCI_VALUE,
+ ERR_R_BIO_LIB);
X509V3_conf_err(val);
goto err;
- }
}
- else if (strncmp(val->value, "text:", 5) == 0)
- {
+ }
+ else if (strncmp(val->value, "text:", 5) == 0) {
val_len = strlen(val->value + 5);
tmp_data = realloc((*policy)->data,
- (*policy)->length + val_len + 1);
- if (tmp_data)
- {
+ (*policy)->length + val_len + 1);
+ if (tmp_data) {
(*policy)->data = tmp_data;
memcpy(&(*policy)->data[(*policy)->length],
- val->value + 5, val_len);
+ val->value + 5, val_len);
(*policy)->length += val_len;
(*policy)->data[(*policy)->length] = '\0';
- }
- else
- {
+ } else {
/* realloc failure implies the original data space is b0rked too! */
(*policy)->data = NULL;
(*policy)->length = 0;
- X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_MALLOC_FAILURE);
+ X509V3err(X509V3_F_PROCESS_PCI_VALUE,
+ ERR_R_MALLOC_FAILURE);
X509V3_conf_err(val);
goto err;
- }
}
- else
- {
- X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_INCORRECT_POLICY_SYNTAX_TAG);
+ } else {
+ X509V3err(X509V3_F_PROCESS_PCI_VALUE,
+ X509V3_R_INCORRECT_POLICY_SYNTAX_TAG);
X509V3_conf_err(val);
goto err;
- }
- if (!tmp_data)
- {
- X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_MALLOC_FAILURE);
+ }
+ if (!tmp_data) {
+ X509V3err(X509V3_F_PROCESS_PCI_VALUE,
+ ERR_R_MALLOC_FAILURE);
X509V3_conf_err(val);
goto err;
- }
}
+ }
return 1;
+
err:
- if (free_policy)
- {
+ if (free_policy) {
ASN1_OCTET_STRING_free(*policy);
*policy = NULL;
- }
- return 0;
}
+ return 0;
+}
-static PROXY_CERT_INFO_EXTENSION *r2i_pci(X509V3_EXT_METHOD *method,
- X509V3_CTX *ctx, char *value)
- {
+static PROXY_CERT_INFO_EXTENSION *
+r2i_pci(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *value)
+{
PROXY_CERT_INFO_EXTENSION *pci = NULL;
STACK_OF(CONF_VALUE) *vals;
ASN1_OBJECT *language = NULL;
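Review bot: The realloc-failure branches of process_pci_value for `hex:` and `text:` values set `(*policy)->data = NULL` without freeing the buffer, yet a failed realloc leaves the original allocation intact and owned by the caller, so the policy bytes accumulated so far leak on that path, and the retained comment `/* realloc failure implies the original data space is b0rked too! */` states the opposite of realloc's contract. Replace the comment with `/* realloc failed; the old block is still valid and ours to free */` and insert `free((*policy)->data);` ahead of `(*policy)->data = NULL;` in both branches. In the `file:` branch the post-chain `if (!tmp_data)` check is also reached for an empty file, where no realloc ever ran, so an empty policy file is reported as ERR_R_MALLOC_FAILURE rather than as an input problem. r2i_pci begins at the bottom of this hunk and continues past it.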
@@ -251,78 +238,88 @@ static PROXY_CERT_INFO_EXTENSION *r2i_pci(X509V3_EXT_METHOD *method,
int i, j;
vals = X509V3_parse_list(value);
- for (i = 0; i < sk_CONF_VALUE_num(vals); i++)
- {
+ for (i = 0; i < sk_CONF_VALUE_num(vals); i++) {
CONF_VALUE *cnf = sk_CONF_VALUE_value(vals, i);
- if (!cnf->name || (*cnf->name != '@' && !cnf->value))
- {
- X509V3err(X509V3_F_R2I_PCI,X509V3_R_INVALID_PROXY_POLICY_SETTING);
+ if (!cnf->name || (*cnf->name != '@' && !cnf->value)) {
+ X509V3err(X509V3_F_R2I_PCI,
+ X509V3_R_INVALID_PROXY_POLICY_SETTING);
X509V3_conf_err(cnf);
goto err;
- }
- if (*cnf->name == '@')
- {
+ }
+ if (*cnf->name == '@') {
STACK_OF(CONF_VALUE) *sect;
int success_p = 1;
sect = X509V3_get_section(ctx, cnf->name + 1);
- if (!sect)
- {
- X509V3err(X509V3_F_R2I_PCI,X509V3_R_INVALID_SECTION);
+ if (!sect) {
+ X509V3err(X509V3_F_R2I_PCI,
+ X509V3_R_INVALID_SECTION);
X509V3_conf_err(cnf);
goto err;
- }
- for (j = 0; success_p && j < sk_CONF_VALUE_num(sect); j++)
- {
- success_p =
- process_pci_value(sk_CONF_VALUE_value(sect, j),
- &language, &pathlen, &policy);
- }
+ }
+ for (j = 0; success_p &&
+ j < sk_CONF_VALUE_num(sect); j++) {
+ success_p = process_pci_value(
+ sk_CONF_VALUE_value(sect, j),
+ &language, &pathlen, &policy);
+ }
X509V3_section_free(ctx, sect);
if (!success_p)
goto err;
- }
- else
- {
+ } else {
if (!process_pci_value(cnf,
- &language, &pathlen, &policy))
- {
+ &language, &pathlen, &policy)) {
X509V3_conf_err(cnf);
goto err;
- }
}
}
+ }
/* Language is mandatory */
- if (!language)
- {
- X509V3err(X509V3_F_R2I_PCI,X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED);
+ if (!language) {
+ X509V3err(X509V3_F_R2I_PCI,
+ X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED);
goto err;
- }
+ }
i = OBJ_obj2nid(language);
- if ((i == NID_Independent || i == NID_id_ppl_inheritAll) && policy)
- {
- X509V3err(X509V3_F_R2I_PCI,X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY);
+ if ((i == NID_Independent || i == NID_id_ppl_inheritAll) && policy) {
+ X509V3err(X509V3_F_R2I_PCI,
+ X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY);
goto err;
- }
+ }
pci = PROXY_CERT_INFO_EXTENSION_new();
- if (!pci)
- {
- X509V3err(X509V3_F_R2I_PCI,ERR_R_MALLOC_FAILURE);
+ if (!pci) {
+ X509V3err(X509V3_F_R2I_PCI, ERR_R_MALLOC_FAILURE);
goto err;
- }
+ }
- pci->proxyPolicy->policyLanguage = language; language = NULL;
- pci->proxyPolicy->policy = policy; policy = NULL;
- pci->pcPathLengthConstraint = pathlen; pathlen = NULL;
+ pci->proxyPolicy->policyLanguage = language;
+ language = NULL;
+ pci->proxyPolicy->policy = policy;
+ policy = NULL;
+ pci->pcPathLengthConstraint = pathlen;
+ pathlen = NULL;
goto end;
+
err:
- if (language) { ASN1_OBJECT_free(language); language = NULL; }
- if (pathlen) { ASN1_INTEGER_free(pathlen); pathlen = NULL; }
- if (policy) { ASN1_OCTET_STRING_free(policy); policy = NULL; }
- if (pci) { PROXY_CERT_INFO_EXTENSION_free(pci); pci = NULL; }
+ if (language) {
+ ASN1_OBJECT_free(language);
+ language = NULL;
+ }
+ if (pathlen) {
+ ASN1_INTEGER_free(pathlen);
+ pathlen = NULL;
+ }
+ if (policy) {
+ ASN1_OCTET_STRING_free(policy);
+ policy = NULL;
+ }
+ if (pci) {
+ PROXY_CERT_INFO_EXTENSION_free(pci);
+ pci = NULL;
+ }
end:
sk_CONF_VALUE_pop_free(vals, X509V3_conf_free);
return pci;
- }
+}
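Review bot: The non-section branch of r2i_pci calls `X509V3_conf_err(cnf)` after a failed process_pci_value, but every failure path inside process_pci_value already calls `X509V3_conf_err(val)` on the same CONF_VALUE, so one bad value queues the configuration error twice; dropping the `X509V3_conf_err(cnf);` line so the block is just `goto err;` leaves a single report, matching what the `@section` branch already does. r2i_pci's signature and local declarations are above this hunk.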
diff --git a/lib/libcrypto/x509v3/v3_pcia.c b/lib/libcrypto/x509v3/v3_pcia.c
index bb362e0e5a9..ae5d58a009e 100644
--- a/lib/libcrypto/x509v3/v3_pcia.c
+++ b/lib/libcrypto/x509v3/v3_pcia.c
@@ -38,18 +38,17 @@
#include <openssl/asn1t.h>
#include <openssl/x509v3.h>
-ASN1_SEQUENCE(PROXY_POLICY) =
- {
- ASN1_SIMPLE(PROXY_POLICY,policyLanguage,ASN1_OBJECT),
- ASN1_OPT(PROXY_POLICY,policy,ASN1_OCTET_STRING)
+ASN1_SEQUENCE(PROXY_POLICY) = {
+ ASN1_SIMPLE(PROXY_POLICY, policyLanguage, ASN1_OBJECT),
+ ASN1_OPT(PROXY_POLICY, policy, ASN1_OCTET_STRING)
} ASN1_SEQUENCE_END(PROXY_POLICY)
IMPLEMENT_ASN1_FUNCTIONS(PROXY_POLICY)
-ASN1_SEQUENCE(PROXY_CERT_INFO_EXTENSION) =
- {
- ASN1_OPT(PROXY_CERT_INFO_EXTENSION,pcPathLengthConstraint,ASN1_INTEGER),
- ASN1_SIMPLE(PROXY_CERT_INFO_EXTENSION,proxyPolicy,PROXY_POLICY)
+ASN1_SEQUENCE(PROXY_CERT_INFO_EXTENSION) = {
+ ASN1_OPT(PROXY_CERT_INFO_EXTENSION, pcPathLengthConstraint,
+ ASN1_INTEGER),
+ ASN1_SIMPLE(PROXY_CERT_INFO_EXTENSION, proxyPolicy, PROXY_POLICY)
} ASN1_SEQUENCE_END(PROXY_CERT_INFO_EXTENSION)
IMPLEMENT_ASN1_FUNCTIONS(PROXY_CERT_INFO_EXTENSION)
diff --git a/lib/libcrypto/x509v3/v3_pcons.c b/lib/libcrypto/x509v3/v3_pcons.c
index 13248c2adaf..c622cae85a6 100644
--- a/lib/libcrypto/x509v3/v3_pcons.c
+++ b/lib/libcrypto/x509v3/v3_pcons.c
@@ -1,5 +1,5 @@
/* v3_pcons.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project.
*/
/* ====================================================================
@@ -10,7 +10,7 @@
* are met:
*
* 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
@@ -64,73 +64,81 @@
#include <openssl/conf.h>
#include <openssl/x509v3.h>
-static STACK_OF(CONF_VALUE) *i2v_POLICY_CONSTRAINTS(X509V3_EXT_METHOD *method,
- void *bcons, STACK_OF(CONF_VALUE) *extlist);
-static void *v2i_POLICY_CONSTRAINTS(X509V3_EXT_METHOD *method,
- X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values);
+static STACK_OF(CONF_VALUE) *
+i2v_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD *method, void *bcons,
+ STACK_OF(CONF_VALUE) *extlist);
+static void *v2i_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD *method,
+ X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values);
const X509V3_EXT_METHOD v3_policy_constraints = {
-NID_policy_constraints, 0,
-ASN1_ITEM_ref(POLICY_CONSTRAINTS),
-0,0,0,0,
-0,0,
-i2v_POLICY_CONSTRAINTS,
-v2i_POLICY_CONSTRAINTS,
-NULL,NULL,
-NULL
+ NID_policy_constraints, 0,
+ ASN1_ITEM_ref(POLICY_CONSTRAINTS),
+ 0, 0, 0, 0,
+ 0, 0,
+ i2v_POLICY_CONSTRAINTS,
+ v2i_POLICY_CONSTRAINTS,
+ NULL, NULL,
+ NULL
};
ASN1_SEQUENCE(POLICY_CONSTRAINTS) = {
- ASN1_IMP_OPT(POLICY_CONSTRAINTS, requireExplicitPolicy, ASN1_INTEGER,0),
- ASN1_IMP_OPT(POLICY_CONSTRAINTS, inhibitPolicyMapping, ASN1_INTEGER,1)
+ ASN1_IMP_OPT(POLICY_CONSTRAINTS, requireExplicitPolicy,
+ ASN1_INTEGER, 0),
+ ASN1_IMP_OPT(POLICY_CONSTRAINTS, inhibitPolicyMapping, ASN1_INTEGER, 1)
} ASN1_SEQUENCE_END(POLICY_CONSTRAINTS)
IMPLEMENT_ASN1_ALLOC_FUNCTIONS(POLICY_CONSTRAINTS)
-
-static STACK_OF(CONF_VALUE) *i2v_POLICY_CONSTRAINTS(X509V3_EXT_METHOD *method,
- void *a, STACK_OF(CONF_VALUE) *extlist)
+static STACK_OF(CONF_VALUE) *
+i2v_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD *method, void *a,
+ STACK_OF(CONF_VALUE) *extlist)
{
POLICY_CONSTRAINTS *pcons = a;
+
X509V3_add_value_int("Require Explicit Policy",
- pcons->requireExplicitPolicy, &extlist);
+ pcons->requireExplicitPolicy, &extlist);
X509V3_add_value_int("Inhibit Policy Mapping",
- pcons->inhibitPolicyMapping, &extlist);
+ pcons->inhibitPolicyMapping, &extlist);
return extlist;
}
-static void *v2i_POLICY_CONSTRAINTS(X509V3_EXT_METHOD *method,
- X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values)
+static void *
+v2i_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
+ STACK_OF(CONF_VALUE) *values)
{
- POLICY_CONSTRAINTS *pcons=NULL;
+ POLICY_CONSTRAINTS *pcons = NULL;
CONF_VALUE *val;
int i;
- if(!(pcons = POLICY_CONSTRAINTS_new())) {
- X509V3err(X509V3_F_V2I_POLICY_CONSTRAINTS, ERR_R_MALLOC_FAILURE);
+
+ if (!(pcons = POLICY_CONSTRAINTS_new())) {
+ X509V3err(X509V3_F_V2I_POLICY_CONSTRAINTS,
+ ERR_R_MALLOC_FAILURE);
return NULL;
}
- for(i = 0; i < sk_CONF_VALUE_num(values); i++) {
+ for (i = 0; i < sk_CONF_VALUE_num(values); i++) {
val = sk_CONF_VALUE_value(values, i);
- if(!strcmp(val->name, "requireExplicitPolicy")) {
- if(!X509V3_get_value_int(val,
- &pcons->requireExplicitPolicy)) goto err;
- } else if(!strcmp(val->name, "inhibitPolicyMapping")) {
- if(!X509V3_get_value_int(val,
- &pcons->inhibitPolicyMapping)) goto err;
+ if (!strcmp(val->name, "requireExplicitPolicy")) {
+ if (!X509V3_get_value_int(val,
+ &pcons->requireExplicitPolicy)) goto err;
+ } else if (!strcmp(val->name, "inhibitPolicyMapping")) {
+ if (!X509V3_get_value_int(val,
+ &pcons->inhibitPolicyMapping)) goto err;
} else {
- X509V3err(X509V3_F_V2I_POLICY_CONSTRAINTS, X509V3_R_INVALID_NAME);
+ X509V3err(X509V3_F_V2I_POLICY_CONSTRAINTS,
+ X509V3_R_INVALID_NAME);
X509V3_conf_err(val);
goto err;
}
}
if (!pcons->inhibitPolicyMapping && !pcons->requireExplicitPolicy) {
- X509V3err(X509V3_F_V2I_POLICY_CONSTRAINTS, X509V3_R_ILLEGAL_EMPTY_EXTENSION);
+ X509V3err(X509V3_F_V2I_POLICY_CONSTRAINTS,
+ X509V3_R_ILLEGAL_EMPTY_EXTENSION);
goto err;
}
return pcons;
- err:
+
+err:
POLICY_CONSTRAINTS_free(pcons);
return NULL;
}
-
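Review bot: Two lines in v2i_POLICY_CONSTRAINTS keep the pre-KNF shape this commit removes elsewhere: `&pcons->requireExplicitPolicy)) goto err;` and `&pcons->inhibitPolicyMapping)) goto err;` leave the `goto` on the condition's continuation line, whereas the rest of the commit moves such bodies onto their own line (compare the `if (!n)` / `continue;` split in v3_pci.c). Placing each `goto err;` on its own indented line below the `if` matches the style applied everywhere else. Separately, a repeated `requireExplicitPolicy` or `inhibitPolicyMapping` key is accepted silently and the second X509V3_get_value_int overwrites the earlier pointer; if that call allocates a fresh ASN1_INTEGER each time, as the `if (*pathlen)` already-defined guard in v3_pci.c suggests, the first one is leaked, so a duplicate-key check like that one is worth adding here.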
diff --git a/lib/libcrypto/x509v3/v3_pku.c b/lib/libcrypto/x509v3/v3_pku.c
index 076f3ff48e2..860b2471590 100644
--- a/lib/libcrypto/x509v3/v3_pku.c
+++ b/lib/libcrypto/x509v3/v3_pku.c
@@ -10,7 +10,7 @@
* are met:
*
* 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
@@ -62,16 +62,17 @@
#include <openssl/asn1t.h>
#include <openssl/x509v3.h>
-static int i2r_PKEY_USAGE_PERIOD(X509V3_EXT_METHOD *method, PKEY_USAGE_PERIOD *usage, BIO *out, int indent);
+static int i2r_PKEY_USAGE_PERIOD(X509V3_EXT_METHOD *method,
+ PKEY_USAGE_PERIOD *usage, BIO *out, int indent);
/*
static PKEY_USAGE_PERIOD *v2i_PKEY_USAGE_PERIOD(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values);
*/
const X509V3_EXT_METHOD v3_pkey_usage_period = {
-NID_private_key_usage_period, 0, ASN1_ITEM_ref(PKEY_USAGE_PERIOD),
-0,0,0,0,
-0,0,0,0,
-(X509V3_EXT_I2R)i2r_PKEY_USAGE_PERIOD, NULL,
-NULL
+ NID_private_key_usage_period, 0, ASN1_ITEM_ref(PKEY_USAGE_PERIOD),
+ 0, 0, 0, 0,
+ 0, 0, 0, 0,
+ (X509V3_EXT_I2R)i2r_PKEY_USAGE_PERIOD, NULL,
+ NULL
};
ASN1_SEQUENCE(PKEY_USAGE_PERIOD) = {
@@ -81,16 +82,18 @@ ASN1_SEQUENCE(PKEY_USAGE_PERIOD) = {
IMPLEMENT_ASN1_FUNCTIONS(PKEY_USAGE_PERIOD)
-static int i2r_PKEY_USAGE_PERIOD(X509V3_EXT_METHOD *method,
- PKEY_USAGE_PERIOD *usage, BIO *out, int indent)
+static int
+i2r_PKEY_USAGE_PERIOD(X509V3_EXT_METHOD *method, PKEY_USAGE_PERIOD *usage,
+ BIO *out, int indent)
{
BIO_printf(out, "%*s", indent, "");
- if(usage->notBefore) {
+ if (usage->notBefore) {
BIO_write(out, "Not Before: ", 12);
ASN1_GENERALIZEDTIME_print(out, usage->notBefore);
- if(usage->notAfter) BIO_write(out, ", ", 2);
+ if (usage->notAfter)
+ BIO_write(out, ", ", 2);
}
- if(usage->notAfter) {
+ if (usage->notAfter) {
BIO_write(out, "Not After: ", 11);
ASN1_GENERALIZEDTIME_print(out, usage->notAfter);
}
diff --git a/lib/libcrypto/x509v3/v3_pmaps.c b/lib/libcrypto/x509v3/v3_pmaps.c
index 626303264f7..bf5f2918774 100644
--- a/lib/libcrypto/x509v3/v3_pmaps.c
+++ b/lib/libcrypto/x509v3/v3_pmaps.c
@@ -1,5 +1,5 @@
/* v3_pmaps.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project.
*/
/* ====================================================================
@@ -10,7 +10,7 @@
* are met:
*
* 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
@@ -63,19 +63,19 @@
#include <openssl/conf.h>
#include <openssl/x509v3.h>
-static void *v2i_POLICY_MAPPINGS(X509V3_EXT_METHOD *method,
- X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
-static STACK_OF(CONF_VALUE) *i2v_POLICY_MAPPINGS(X509V3_EXT_METHOD *method,
- void *pmps, STACK_OF(CONF_VALUE) *extlist);
+static void *v2i_POLICY_MAPPINGS(const X509V3_EXT_METHOD *method,
+ X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
+static STACK_OF(CONF_VALUE) *i2v_POLICY_MAPPINGS(
+ const X509V3_EXT_METHOD *method, void *pmps, STACK_OF(CONF_VALUE) *extlist);
const X509V3_EXT_METHOD v3_policy_mappings = {
NID_policy_mappings, 0,
ASN1_ITEM_ref(POLICY_MAPPINGS),
- 0,0,0,0,
- 0,0,
+ 0, 0, 0, 0,
+ 0, 0,
i2v_POLICY_MAPPINGS,
v2i_POLICY_MAPPINGS,
- 0,0,
+ 0, 0,
NULL
};
@@ -84,23 +84,24 @@ ASN1_SEQUENCE(POLICY_MAPPING) = {
ASN1_SIMPLE(POLICY_MAPPING, subjectDomainPolicy, ASN1_OBJECT)
} ASN1_SEQUENCE_END(POLICY_MAPPING)
-ASN1_ITEM_TEMPLATE(POLICY_MAPPINGS) =
- ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, POLICY_MAPPINGS,
- POLICY_MAPPING)
+ASN1_ITEM_TEMPLATE(POLICY_MAPPINGS) =
+ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, POLICY_MAPPINGS,
+ POLICY_MAPPING)
ASN1_ITEM_TEMPLATE_END(POLICY_MAPPINGS)
IMPLEMENT_ASN1_ALLOC_FUNCTIONS(POLICY_MAPPING)
-
-static STACK_OF(CONF_VALUE) *i2v_POLICY_MAPPINGS(X509V3_EXT_METHOD *method,
- void *a, STACK_OF(CONF_VALUE) *ext_list)
+static STACK_OF(CONF_VALUE) *
+i2v_POLICY_MAPPINGS(const X509V3_EXT_METHOD *method, void *a,
+ STACK_OF(CONF_VALUE) *ext_list)
{
POLICY_MAPPINGS *pmaps = a;
POLICY_MAPPING *pmap;
int i;
char obj_tmp1[80];
char obj_tmp2[80];
- for(i = 0; i < sk_POLICY_MAPPING_num(pmaps); i++) {
+
+ for (i = 0; i < sk_POLICY_MAPPING_num(pmaps); i++) {
pmap = sk_POLICY_MAPPING_value(pmaps, i);
i2t_ASN1_OBJECT(obj_tmp1, 80, pmap->issuerDomainPolicy);
i2t_ASN1_OBJECT(obj_tmp2, 80, pmap->subjectDomainPolicy);
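Review bot: i2v_POLICY_MAPPINGS passes the literal `80` to i2t_ASN1_OBJECT for both buffers, duplicating the size already fixed by `char obj_tmp1[80];` and `char obj_tmp2[80];`, so the bound and the array can drift apart in a later edit. `i2t_ASN1_OBJECT(obj_tmp1, sizeof obj_tmp1, pmap->issuerDomainPolicy);` and the matching `sizeof obj_tmp2` call tie the bound to the declaration. The body of i2v_POLICY_MAPPINGS continues past the end of this hunk.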
@@ -109,8 +110,9 @@ static STACK_OF(CONF_VALUE) *i2v_POLICY_MAPPINGS(X509V3_EXT_METHOD *method,
return ext_list;
}
-static void *v2i_POLICY_MAPPINGS(X509V3_EXT_METHOD *method,
- X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
+static void *
+v2i_POLICY_MAPPINGS(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
+ STACK_OF(CONF_VALUE) *nval)
{
POLICY_MAPPINGS *pmaps;
POLICY_MAPPING *pmap;
@@ -118,31 +120,34 @@ static void *v2i_POLICY_MAPPINGS(X509V3_EXT_METHOD *method,
CONF_VALUE *val;
int i;
- if(!(pmaps = sk_POLICY_MAPPING_new_null())) {
- X509V3err(X509V3_F_V2I_POLICY_MAPPINGS,ERR_R_MALLOC_FAILURE);
+ if (!(pmaps = sk_POLICY_MAPPING_new_null())) {
+ X509V3err(X509V3_F_V2I_POLICY_MAPPINGS, ERR_R_MALLOC_FAILURE);
return NULL;
}
- for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
+ for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
val = sk_CONF_VALUE_value(nval, i);
- if(!val->value || !val->name) {
+ if (!val->value || !val->name) {
sk_POLICY_MAPPING_pop_free(pmaps, POLICY_MAPPING_free);
- X509V3err(X509V3_F_V2I_POLICY_MAPPINGS,X509V3_R_INVALID_OBJECT_IDENTIFIER);
+ X509V3err(X509V3_F_V2I_POLICY_MAPPINGS,
+ X509V3_R_INVALID_OBJECT_IDENTIFIER);
X509V3_conf_err(val);
return NULL;
}
obj1 = OBJ_txt2obj(val->name, 0);
obj2 = OBJ_txt2obj(val->value, 0);
- if(!obj1 || !obj2) {
+ if (!obj1 || !obj2) {
sk_POLICY_MAPPING_pop_free(pmaps, POLICY_MAPPING_free);
- X509V3err(X509V3_F_V2I_POLICY_MAPPINGS,X509V3_R_INVALID_OBJECT_IDENTIFIER);
+ X509V3err(X509V3_F_V2I_POLICY_MAPPINGS,
+ X509V3_R_INVALID_OBJECT_IDENTIFIER);
X509V3_conf_err(val);
return NULL;
}
pmap = POLICY_MAPPING_new();
if (!pmap) {
sk_POLICY_MAPPING_pop_free(pmaps, POLICY_MAPPING_free);
- X509V3err(X509V3_F_V2I_POLICY_MAPPINGS,ERR_R_MALLOC_FAILURE);
+ X509V3err(X509V3_F_V2I_POLICY_MAPPINGS,
+ ERR_R_MALLOC_FAILURE);
return NULL;
}
pmap->issuerDomainPolicy = obj1;
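Review bot: In v2i_POLICY_MAPPINGS the `if (!obj1 || !obj2)` path and the `POLICY_MAPPING_new()` failure path return NULL without releasing whichever of obj1/obj2 OBJ_txt2obj did return, so a mapping whose issuer OID parses but whose subject OID does not (or an allocation failure after both parsed) leaks an ASN1_OBJECT. Add `ASN1_OBJECT_free(obj1); ASN1_OBJECT_free(obj2);` before each of those two `return NULL;` statements; ASN1_OBJECT_free accepts NULL and leaves non-dynamic built-in objects alone, so the calls are safe in both branches. The input here is the local configuration rather than an untrusted peer, so the impact is a leak per malformed entry, not a remote one. The function's declarations and its end lie outside this hunk.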
diff --git a/lib/libcrypto/x509v3/v3_prn.c b/lib/libcrypto/x509v3/v3_prn.c
index 565937af47e..3874ded51c9 100644
--- a/lib/libcrypto/x509v3/v3_prn.c
+++ b/lib/libcrypto/x509v3/v3_prn.c
@@ -10,7 +10,7 @@
* are met:
*
* 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
@@ -64,139 +64,163 @@
/* Extension printing routines */
-static int unknown_ext_print(BIO *out, X509_EXTENSION *ext, unsigned long flag, int indent, int supported);
+static int unknown_ext_print(BIO *out, X509_EXTENSION *ext, unsigned long flag,
+ int indent, int supported);
/* Print out a name+value stack */
-void X509V3_EXT_val_prn(BIO *out, STACK_OF(CONF_VALUE) *val, int indent, int ml)
+void
+X509V3_EXT_val_prn(BIO *out, STACK_OF(CONF_VALUE) *val, int indent, int ml)
{
int i;
CONF_VALUE *nval;
- if(!val) return;
- if(!ml || !sk_CONF_VALUE_num(val)) {
+
+ if (!val)
+ return;
+ if (!ml || !sk_CONF_VALUE_num(val)) {
BIO_printf(out, "%*s", indent, "");
- if(!sk_CONF_VALUE_num(val)) BIO_puts(out, "<EMPTY>\n");
+ if (!sk_CONF_VALUE_num(val))
+ BIO_puts(out, "<EMPTY>\n");
}
- for(i = 0; i < sk_CONF_VALUE_num(val); i++) {
- if(ml) BIO_printf(out, "%*s", indent, "");
- else if(i > 0) BIO_printf(out, ", ");
- nval = sk_CONF_VALUE_value(val, i);
- if(!nval->name) BIO_puts(out, nval->value);
- else if(!nval->value) BIO_puts(out, nval->name);
- else BIO_printf(out, "%s:%s", nval->name, nval->value);
- if(ml) BIO_puts(out, "\n");
+ for (i = 0; i < sk_CONF_VALUE_num(val); i++) {
+ if (ml)
+ BIO_printf(out, "%*s", indent, "");
+ else if (i > 0) BIO_printf(out, ", ");
+ nval = sk_CONF_VALUE_value(val, i);
+ if (!nval->name)
+ BIO_puts(out, nval->value);
+ else if (!nval->value)
+ BIO_puts(out, nval->name);
+ else
+ BIO_printf(out, "%s:%s", nval->name, nval->value);
+ if (ml)
+ BIO_puts(out, "\n");
}
}
/* Main routine: print out a general extension */
-int X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, unsigned long flag, int indent)
+int
+X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, unsigned long flag, int indent)
{
void *ext_str = NULL;
char *value = NULL;
const unsigned char *p;
- const X509V3_EXT_METHOD *method;
+ const X509V3_EXT_METHOD *method;
STACK_OF(CONF_VALUE) *nval = NULL;
int ok = 1;
- if(!(method = X509V3_EXT_get(ext)))
+ if (!(method = X509V3_EXT_get(ext)))
return unknown_ext_print(out, ext, flag, indent, 0);
p = ext->value->data;
- if(method->it) ext_str = ASN1_item_d2i(NULL, &p, ext->value->length, ASN1_ITEM_ptr(method->it));
- else ext_str = method->d2i(NULL, &p, ext->value->length);
+ if (method->it)
+ ext_str = ASN1_item_d2i(NULL, &p, ext->value->length,
+ ASN1_ITEM_ptr(method->it));
+ else
+ ext_str = method->d2i(NULL, &p, ext->value->length);
- if(!ext_str) return unknown_ext_print(out, ext, flag, indent, 1);
+ if (!ext_str)
+ return unknown_ext_print(out, ext, flag, indent, 1);
- if(method->i2s) {
- if(!(value = method->i2s(method, ext_str))) {
+ if (method->i2s) {
+ if (!(value = method->i2s(method, ext_str))) {
ok = 0;
goto err;
}
BIO_printf(out, "%*s%s", indent, "", value);
- } else if(method->i2v) {
- if(!(nval = method->i2v(method, ext_str, NULL))) {
+ } else if (method->i2v) {
+ if (!(nval = method->i2v(method, ext_str, NULL))) {
ok = 0;
goto err;
}
X509V3_EXT_val_prn(out, nval, indent,
- method->ext_flags & X509V3_EXT_MULTILINE);
- } else if(method->i2r) {
- if(!method->i2r(method, ext_str, out, indent)) ok = 0;
- } else ok = 0;
-
- err:
- sk_CONF_VALUE_pop_free(nval, X509V3_conf_free);
- if(value) free(value);
- if(method->it) ASN1_item_free(ext_str, ASN1_ITEM_ptr(method->it));
- else method->ext_free(ext_str);
- return ok;
+ method->ext_flags & X509V3_EXT_MULTILINE);
+ } else if (method->i2r) {
+ if (!method->i2r(method, ext_str, out, indent))
+ ok = 0;
+ } else
+ ok = 0;
+
+err:
+ sk_CONF_VALUE_pop_free(nval, X509V3_conf_free);
+ if (value)
+ free(value);
+ if (method->it)
+ ASN1_item_free(ext_str, ASN1_ITEM_ptr(method->it));
+ else
+ method->ext_free(ext_str);
+ return ok;
}
-int X509V3_extensions_print(BIO *bp, char *title, STACK_OF(X509_EXTENSION) *exts, unsigned long flag, int indent)
+int
+X509V3_extensions_print(BIO *bp, char *title, STACK_OF(X509_EXTENSION) *exts,
+ unsigned long flag, int indent)
{
int i, j;
- if(sk_X509_EXTENSION_num(exts) <= 0) return 1;
+ if (sk_X509_EXTENSION_num(exts) <= 0)
+ return 1;
- if(title)
- {
- BIO_printf(bp,"%*s%s:\n",indent, "", title);
+ if (title) {
+ BIO_printf(bp, "%*s%s:\n",indent, "", title);
indent += 4;
- }
+ }
- for (i=0; i<sk_X509_EXTENSION_num(exts); i++)
- {
+ for (i = 0; i < sk_X509_EXTENSION_num(exts); i++) {
ASN1_OBJECT *obj;
X509_EXTENSION *ex;
- ex=sk_X509_EXTENSION_value(exts, i);
- if (indent && BIO_printf(bp,"%*s",indent, "") <= 0) return 0;
- obj=X509_EXTENSION_get_object(ex);
- i2a_ASN1_OBJECT(bp,obj);
- j=X509_EXTENSION_get_critical(ex);
- if (BIO_printf(bp,": %s\n",j?"critical":"") <= 0)
+ ex = sk_X509_EXTENSION_value(exts, i);
+ if (indent && BIO_printf(bp, "%*s",indent, "") <= 0)
return 0;
- if(!X509V3_EXT_print(bp, ex, flag, indent + 4))
- {
+ obj = X509_EXTENSION_get_object(ex);
+ i2a_ASN1_OBJECT(bp, obj);
+ j = X509_EXTENSION_get_critical(ex);
+ if (BIO_printf(bp, ": %s\n",j?"critical":"") <= 0)
+ return 0;
+ if (!X509V3_EXT_print(bp, ex, flag, indent + 4)) {
BIO_printf(bp, "%*s", indent + 4, "");
- M_ASN1_OCTET_STRING_print(bp,ex->value);
- }
- if (BIO_write(bp,"\n",1) <= 0) return 0;
+ M_ASN1_OCTET_STRING_print(bp, ex->value);
}
+ if (BIO_write(bp, "\n",1) <= 0)
+ return 0;
+ }
return 1;
}
-static int unknown_ext_print(BIO *out, X509_EXTENSION *ext, unsigned long flag, int indent, int supported)
+static int
+unknown_ext_print(BIO *out, X509_EXTENSION *ext, unsigned long flag,
+ int indent, int supported)
{
- switch(flag & X509V3_EXT_UNKNOWN_MASK) {
-
- case X509V3_EXT_DEFAULT:
+ switch (flag & X509V3_EXT_UNKNOWN_MASK) {
+ case X509V3_EXT_DEFAULT:
return 0;
-
- case X509V3_EXT_ERROR_UNKNOWN:
- if(supported)
+ case X509V3_EXT_ERROR_UNKNOWN:
+ if (supported)
BIO_printf(out, "%*s<Parse Error>", indent, "");
else
BIO_printf(out, "%*s<Not Supported>", indent, "");
return 1;
-
- case X509V3_EXT_PARSE_UNKNOWN:
- return ASN1_parse_dump(out,
- ext->value->data, ext->value->length, indent, -1);
- case X509V3_EXT_DUMP_UNKNOWN:
- return BIO_dump_indent(out, (char *)ext->value->data, ext->value->length, indent);
-
- default:
+ case X509V3_EXT_PARSE_UNKNOWN:
+ return ASN1_parse_dump(out,
+ ext->value->data, ext->value->length, indent, -1);
+ case X509V3_EXT_DUMP_UNKNOWN:
+ return BIO_dump_indent(out, (char *)ext->value->data,
+ ext->value->length, indent);
+ default:
return 1;
}
}
-
+
#ifndef OPENSSL_NO_FP_API
-int X509V3_EXT_print_fp(FILE *fp, X509_EXTENSION *ext, int flag, int indent)
+int
+X509V3_EXT_print_fp(FILE *fp, X509_EXTENSION *ext, int flag, int indent)
{
BIO *bio_tmp;
int ret;
- if(!(bio_tmp = BIO_new_fp(fp, BIO_NOCLOSE))) return 0;
+
+ if (!(bio_tmp = BIO_new_fp(fp, BIO_NOCLOSE)))
+ return 0;
ret = X509V3_EXT_print(bio_tmp, ext, flag, indent);
BIO_free(bio_tmp);
return ret;
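Review bot: A few lines in this hunk keep pre-KNF spacing that the commit otherwise normalises: `else if (i > 0) BIO_printf(out, ", ");` in X509V3_EXT_val_prn leaves the body on the condition line, and in X509V3_extensions_print the calls `BIO_printf(bp, "%*s%s:\n",indent, "", title);`, `BIO_printf(bp, "%*s",indent, "")`, `BIO_printf(bp, ": %s\n",j?"critical":"")` and `BIO_write(bp, "\n",1)` still lack the space after the comma and around `?:`. Splitting the first onto its own line and writing e.g. `BIO_printf(bp, ": %s\n", j ? "critical" : "")` brings them in line with the rest of the file. X509V3_EXT_print_fp continues past the end of this hunk.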
diff --git a/lib/libcrypto/x509v3/v3_purp.c b/lib/libcrypto/x509v3/v3_purp.c
index 45d7251c29f..2bf110c179d 100644
--- a/lib/libcrypto/x509v3/v3_purp.c
+++ b/lib/libcrypto/x509v3/v3_purp.c
@@ -10,7 +10,7 @@
* are met:
*
* 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
@@ -64,19 +64,25 @@
static void x509v3_cache_extensions(X509 *x);
static int check_ssl_ca(const X509 *x);
-static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, int ca);
-static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca);
-static int check_purpose_ns_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca);
+static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x,
+ int ca);
+static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x,
+ int ca);
+static int check_purpose_ns_ssl_server(const X509_PURPOSE *xp, const X509 *x,
+ int ca);
static int purpose_smime(const X509 *x, int ca);
-static int check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x, int ca);
-static int check_purpose_smime_encrypt(const X509_PURPOSE *xp, const X509 *x, int ca);
-static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x, int ca);
-static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x, int ca);
+static int check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x,
+ int ca);
+static int check_purpose_smime_encrypt(const X509_PURPOSE *xp, const X509 *x,
+ int ca);
+static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x,
+ int ca);
+static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x,
+ int ca);
static int no_check(const X509_PURPOSE *xp, const X509 *x, int ca);
static int ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca);
-static int xp_cmp(const X509_PURPOSE * const *a,
- const X509_PURPOSE * const *b);
+static int xp_cmp(const X509_PURPOSE * const *a, const X509_PURPOSE * const *b);
static void xptable_free(X509_PURPOSE *p);
static X509_PURPOSE xstandard[] = {
@@ -97,8 +103,8 @@ IMPLEMENT_STACK_OF(X509_PURPOSE)
static STACK_OF(X509_PURPOSE) *xptable = NULL;
-static int xp_cmp(const X509_PURPOSE * const *a,
- const X509_PURPOSE * const *b)
+static int
+xp_cmp(const X509_PURPOSE * const *a, const X509_PURPOSE * const *b)
{
return (*a)->purpose - (*b)->purpose;
}
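Review bot: The comparator body `return (*a)->purpose - (*b)->purpose;` computes a signed difference, which is undefined behaviour when the two purpose ids are far enough apart to overflow (a negative id and a large positive one registered through X509_PURPOSE_add, for instance). The standard ids are small so this is unlikely in practice, but the comparison form costs nothing and cannot overflow: `return ((*a)->purpose > (*b)->purpose) - ((*a)->purpose < (*b)->purpose);`. nid_cmp later in the file has the same shape, although NIDs are small enough that it matters less there.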
@@ -106,25 +112,30 @@ static int xp_cmp(const X509_PURPOSE * const *a,
/* As much as I'd like to make X509_check_purpose use a "const" X509*
* I really can't because it does recalculate hashes and do other non-const
* things. */
-int X509_check_purpose(X509 *x, int id, int ca)
+int
+X509_check_purpose(X509 *x, int id, int ca)
{
int idx;
const X509_PURPOSE *pt;
- if(!(x->ex_flags & EXFLAG_SET)) {
+
+ if (!(x->ex_flags & EXFLAG_SET)) {
CRYPTO_w_lock(CRYPTO_LOCK_X509);
x509v3_cache_extensions(x);
CRYPTO_w_unlock(CRYPTO_LOCK_X509);
}
- if(id == -1) return 1;
+ if (id == -1)
+ return 1;
idx = X509_PURPOSE_get_by_id(id);
- if(idx == -1) return -1;
+ if (idx == -1)
+ return -1;
pt = X509_PURPOSE_get0(idx);
return pt->check_purpose(pt, x, ca);
}
-int X509_PURPOSE_set(int *p, int purpose)
+int
+X509_PURPOSE_set(int *p, int purpose)
{
- if(X509_PURPOSE_get_by_id(purpose) == -1) {
+ if (X509_PURPOSE_get_by_id(purpose) == -1) {
X509V3err(X509V3_F_X509_PURPOSE_SET, X509V3_R_INVALID_PURPOSE);
return 0;
}
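Review bot: The `if (!(x->ex_flags & EXFLAG_SET))` test in X509_check_purpose reads `x->ex_flags` before `CRYPTO_w_lock(CRYPTO_LOCK_X509)` is taken, while another thread may be writing the same plain int field inside x509v3_cache_extensions under the lock; this is double-checked locking on a non-atomic field and relies on x509v3_cache_extensions re-testing EXFLAG_SET once it holds the lock. A comment on the unlocked test would stop the next reader from concluding the lock is optional: `/* Unlocked fast path; x509v3_cache_extensions() re-checks EXFLAG_SET under the lock. */`. X509_check_ca in a later hunk repeats the same pattern. X509_PURPOSE_set's body continues past the end of this hunk.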
@@ -132,49 +143,63 @@ int X509_PURPOSE_set(int *p, int purpose)
return 1;
}
-int X509_PURPOSE_get_count(void)
+int
+X509_PURPOSE_get_count(void)
{
- if(!xptable) return X509_PURPOSE_COUNT;
+ if (!xptable)
+ return X509_PURPOSE_COUNT;
return sk_X509_PURPOSE_num(xptable) + X509_PURPOSE_COUNT;
}
-X509_PURPOSE * X509_PURPOSE_get0(int idx)
+X509_PURPOSE *
+X509_PURPOSE_get0(int idx)
{
- if(idx < 0) return NULL;
- if(idx < (int)X509_PURPOSE_COUNT) return xstandard + idx;
+ if (idx < 0)
+ return NULL;
+ if (idx < (int)X509_PURPOSE_COUNT)
+ return xstandard + idx;
return sk_X509_PURPOSE_value(xptable, idx - X509_PURPOSE_COUNT);
}
-int X509_PURPOSE_get_by_sname(char *sname)
+int
+X509_PURPOSE_get_by_sname(char *sname)
{
int i;
X509_PURPOSE *xptmp;
- for(i = 0; i < X509_PURPOSE_get_count(); i++) {
+
+ for (i = 0; i < X509_PURPOSE_get_count(); i++) {
xptmp = X509_PURPOSE_get0(i);
- if(!strcmp(xptmp->sname, sname)) return i;
+ if (!strcmp(xptmp->sname, sname))
+ return i;
}
return -1;
}
-int X509_PURPOSE_get_by_id(int purpose)
+int
+X509_PURPOSE_get_by_id(int purpose)
{
X509_PURPOSE tmp;
int idx;
- if((purpose >= X509_PURPOSE_MIN) && (purpose <= X509_PURPOSE_MAX))
+
+ if ((purpose >= X509_PURPOSE_MIN) && (purpose <= X509_PURPOSE_MAX))
return purpose - X509_PURPOSE_MIN;
tmp.purpose = purpose;
- if(!xptable) return -1;
+ if (!xptable)
+ return -1;
idx = sk_X509_PURPOSE_find(xptable, &tmp);
- if(idx == -1) return -1;
+ if (idx == -1)
+ return -1;
return idx + X509_PURPOSE_COUNT;
}
-int X509_PURPOSE_add(int id, int trust, int flags,
- int (*ck)(const X509_PURPOSE *, const X509 *, int),
- char *name, char *sname, void *arg)
+int
+X509_PURPOSE_add(int id, int trust, int flags,
+ int (*ck)(const X509_PURPOSE *, const X509 *, int), char *name,
+ char *sname, void *arg)
{
int idx;
X509_PURPOSE *ptmp;
+
/* This is set according to what we change: application can't set it */
flags &= ~X509_PURPOSE_DYNAMIC;
/* This will always be set for application modified trust entries */
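Review bot: X509_PURPOSE_get_by_sname hands `sname` straight to `strcmp(xptmp->sname, sname)` with no NULL check, so a NULL argument is undefined behaviour instead of a clean lookup failure; a guard at the top, `if (sname == NULL) return -1;`, gives the caller the same -1 it already expects for an unknown name. The loop bound also re-evaluates `X509_PURPOSE_get_count()` on every iteration, so hoisting it into a local (`int count = X509_PURPOSE_get_count();`) would read more clearly. X509_PURPOSE_add begins at the end of this hunk and continues into the next.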
@@ -182,24 +207,26 @@ int X509_PURPOSE_add(int id, int trust, int flags,
/* Get existing entry if any */
idx = X509_PURPOSE_get_by_id(id);
/* Need a new entry */
- if(idx == -1) {
- if(!(ptmp = malloc(sizeof(X509_PURPOSE)))) {
- X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE);
+ if (idx == -1) {
+ if (!(ptmp = malloc(sizeof(X509_PURPOSE)))) {
+ X509V3err(X509V3_F_X509_PURPOSE_ADD,
+ ERR_R_MALLOC_FAILURE);
return 0;
}
ptmp->flags = X509_PURPOSE_DYNAMIC;
- } else ptmp = X509_PURPOSE_get0(idx);
+ } else
+ ptmp = X509_PURPOSE_get0(idx);
/* free existing name if dynamic */
- if(ptmp->flags & X509_PURPOSE_DYNAMIC_NAME) {
+ if (ptmp->flags & X509_PURPOSE_DYNAMIC_NAME) {
free(ptmp->name);
free(ptmp->sname);
}
/* dup supplied name */
ptmp->name = BUF_strdup(name);
ptmp->sname = BUF_strdup(sname);
- if(!ptmp->name || !ptmp->sname) {
- X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE);
+ if (!ptmp->name || !ptmp->sname) {
+ X509V3err(X509V3_F_X509_PURPOSE_ADD, ERR_R_MALLOC_FAILURE);
return 0;
}
/* Keep the dynamic flag of existing entry */
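Review bot: In the `if (!ptmp->name || !ptmp->sname)` failure path a freshly malloc'd entry (`idx == -1`) is leaked together with whichever of the two BUF_strdup copies succeeded, and for an existing dynamic entry the old names were freed a few lines earlier, so the table is left holding an entry whose `name` or `sname` is NULL and which X509_PURPOSE_get_by_sname will later pass to strcmp. Releasing the partial copies and, for a new entry, the entry itself keeps the failure path from leaking; the existing-entry case would still need a real recovery strategy (restoring the old names, say), which the change below does not attempt. X509_PURPOSE_add starts before this hunk and continues after it.
```c
	/* dup supplied name */
	ptmp->name = BUF_strdup(name);
	ptmp->sname = BUF_strdup(sname);
	if (!ptmp->name || !ptmp->sname) {
		X509V3err(X509V3_F_X509_PURPOSE_ADD, ERR_R_MALLOC_FAILURE);
		free(ptmp->name);
		free(ptmp->sname);
		ptmp->name = ptmp->sname = NULL;
		if (idx == -1)
			free(ptmp);
		return 0;
	}
	/* … unchanged: keep dynamic flag, copy purpose/trust/flags … */
```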
@@ -213,70 +240,82 @@ int X509_PURPOSE_add(int id, int trust, int flags,
ptmp->usr_data = arg;
/* If its a new entry manage the dynamic table */
- if(idx == -1) {
- if(!xptable && !(xptable = sk_X509_PURPOSE_new(xp_cmp))) {
- X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE);
+ if (idx == -1) {
+ if (!xptable && !(xptable = sk_X509_PURPOSE_new(xp_cmp))) {
+ X509V3err(X509V3_F_X509_PURPOSE_ADD,
+ ERR_R_MALLOC_FAILURE);
return 0;
}
if (!sk_X509_PURPOSE_push(xptable, ptmp)) {
- X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE);
+ X509V3err(X509V3_F_X509_PURPOSE_ADD,
+ ERR_R_MALLOC_FAILURE);
return 0;
}
}
return 1;
}
-static void xptable_free(X509_PURPOSE *p)
- {
- if(!p) return;
- if (p->flags & X509_PURPOSE_DYNAMIC)
- {
+static void
+xptable_free(X509_PURPOSE *p)
+{
+ if (!p)
+ return;
+ if (p->flags & X509_PURPOSE_DYNAMIC) {
if (p->flags & X509_PURPOSE_DYNAMIC_NAME) {
free(p->name);
free(p->sname);
}
free(p);
- }
}
+}
-void X509_PURPOSE_cleanup(void)
+void
+X509_PURPOSE_cleanup(void)
{
unsigned int i;
+
sk_X509_PURPOSE_pop_free(xptable, xptable_free);
- for(i = 0; i < X509_PURPOSE_COUNT; i++) xptable_free(xstandard + i);
+ for(i = 0; i < X509_PURPOSE_COUNT; i++)
+ xptable_free(xstandard + i);
xptable = NULL;
}
-int X509_PURPOSE_get_id(X509_PURPOSE *xp)
+int
+X509_PURPOSE_get_id(X509_PURPOSE *xp)
{
return xp->purpose;
}
-char *X509_PURPOSE_get0_name(X509_PURPOSE *xp)
+char *
+X509_PURPOSE_get0_name(X509_PURPOSE *xp)
{
return xp->name;
}
-char *X509_PURPOSE_get0_sname(X509_PURPOSE *xp)
+char *
+X509_PURPOSE_get0_sname(X509_PURPOSE *xp)
{
return xp->sname;
}
-int X509_PURPOSE_get_trust(X509_PURPOSE *xp)
+int
+X509_PURPOSE_get_trust(X509_PURPOSE *xp)
{
return xp->trust;
}
-static int nid_cmp(const int *a, const int *b)
- {
+static int
+nid_cmp(const int *a, const int *b)
+{
return *a - *b;
- }
+}
DECLARE_OBJ_BSEARCH_CMP_FN(int, int, nid);
IMPLEMENT_OBJ_BSEARCH_CMP_FN(int, int, nid);
-int X509_supported_extension(X509_EXTENSION *ex)
- {
+int
+X509_supported_extension(X509_EXTENSION *ex)
+{
/* This table is a list of the NIDs of supported extensions:
* that is those which are used by the verify process. If
* an extension is critical and doesn't appear in this list
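Review bot: In the `if (idx == -1)` block that manages the dynamic table, both error returns (sk_X509_PURPOSE_new failing and sk_X509_PURPOSE_push failing) drop `ptmp` and the `name`/`sname` copies made just before, since the new entry has not been stored anywhere yet; folding the two conditions together gives a single cleanup point, as below. Separately, `for(i = 0; i < X509_PURPOSE_COUNT; i++)` in X509_PURPOSE_cleanup still lacks the space after `for` that the rest of this KNF pass adds. X509_PURPOSE_add begins before this hunk and X509_supported_extension runs past its end.
```c
	/* If its a new entry manage the dynamic table */
	if (idx == -1) {
		if ((xptable == NULL &&
		    (xptable = sk_X509_PURPOSE_new(xp_cmp)) == NULL) ||
		    !sk_X509_PURPOSE_push(xptable, ptmp)) {
			X509V3err(X509V3_F_X509_PURPOSE_ADD,
			    ERR_R_MALLOC_FAILURE);
			free(ptmp->name);
			free(ptmp->sname);
			free(ptmp);
			return 0;
		}
	}
	return 1;
```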
@@ -287,11 +326,11 @@ int X509_supported_extension(X509_EXTENSION *ex)
static const int supported_nids[] = {
NID_netscape_cert_type, /* 71 */
- NID_key_usage, /* 83 */
+ NID_key_usage, /* 83 */
NID_subject_alt_name, /* 85 */
NID_basic_constraints, /* 87 */
NID_certificate_policies, /* 89 */
- NID_ext_key_usage, /* 126 */
+ NID_ext_key_usage, /* 126 */
#ifndef OPENSSL_NO_RFC3779
NID_sbgp_ipAddrBlock, /* 290 */
NID_sbgp_autonomousSysNum, /* 291 */
@@ -305,56 +344,57 @@ int X509_supported_extension(X509_EXTENSION *ex)
int ex_nid = OBJ_obj2nid(X509_EXTENSION_get_object(ex));
- if (ex_nid == NID_undef)
+ if (ex_nid == NID_undef)
return 0;
if (OBJ_bsearch_nid(&ex_nid, supported_nids,
- sizeof(supported_nids)/sizeof(int)))
+ sizeof(supported_nids) / sizeof(int)))
return 1;
return 0;
- }
+}
-static void setup_dp(X509 *x, DIST_POINT *dp)
- {
+static void
+setup_dp(X509 *x, DIST_POINT *dp)
+{
X509_NAME *iname = NULL;
int i;
- if (dp->reasons)
- {
+
+ if (dp->reasons) {
if (dp->reasons->length > 0)
dp->dp_reasons = dp->reasons->data[0];
if (dp->reasons->length > 1)
dp->dp_reasons |= (dp->reasons->data[1] << 8);
dp->dp_reasons &= CRLDP_ALL_REASONS;
- }
- else
+ } else
dp->dp_reasons = CRLDP_ALL_REASONS;
if (!dp->distpoint || (dp->distpoint->type != 1))
return;
- for (i = 0; i < sk_GENERAL_NAME_num(dp->CRLissuer); i++)
- {
+ for (i = 0; i < sk_GENERAL_NAME_num(dp->CRLissuer); i++) {
GENERAL_NAME *gen = sk_GENERAL_NAME_value(dp->CRLissuer, i);
- if (gen->type == GEN_DIRNAME)
- {
+ if (gen->type == GEN_DIRNAME) {
iname = gen->d.directoryName;
break;
- }
}
+ }
if (!iname)
iname = X509_get_issuer_name(x);
DIST_POINT_set_dpname(dp->distpoint, iname);
- }
+}
-static void setup_crldp(X509 *x)
- {
+static void
+setup_crldp(X509 *x)
+{
int i;
+
x->crldp = X509_get_ext_d2i(x, NID_crl_distribution_points, NULL, NULL);
for (i = 0; i < sk_DIST_POINT_num(x->crldp); i++)
setup_dp(x, sk_DIST_POINT_value(x->crldp, i));
- }
+}
-static void x509v3_cache_extensions(X509 *x)
+static void
+x509v3_cache_extensions(X509 *x)
{
BASIC_CONSTRAINTS *bs;
PROXY_CERT_INFO_EXTENSION *pci;
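Review bot: `sizeof(supported_nids) / sizeof(int)` in X509_supported_extension ties the element count to the element type by hand; `sizeof(supported_nids) / sizeof(supported_nids[0])` stays correct if the table's type ever changes and is the usual idiom. In setup_dp, `dp->distpoint->type != 1` compares against a bare literal for the DistributionPointName CHOICE; there is no named constant for it here, so a short comment naming the alternative `1` selects (the relative-name form, if I read the structure correctly) would help, e.g. `/* type 1: nameRelativeToCRLIssuer; only that form needs the dpname built */`. x509v3_cache_extensions begins at the end of this hunk and continues into the next.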
@@ -362,89 +402,96 @@ static void x509v3_cache_extensions(X509 *x)
ASN1_BIT_STRING *ns;
EXTENDED_KEY_USAGE *extusage;
X509_EXTENSION *ex;
-
+
int i;
- if(x->ex_flags & EXFLAG_SET) return;
+ if (x->ex_flags & EXFLAG_SET)
+ return;
#ifndef OPENSSL_NO_SHA
X509_digest(x, EVP_sha1(), x->sha1_hash, NULL);
#endif
/* Does subject name match issuer ? */
- if(!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x)))
- x->ex_flags |= EXFLAG_SI;
+ if (!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x)))
+ x->ex_flags |= EXFLAG_SI;
/* V1 should mean no extensions ... */
- if(!X509_get_version(x)) x->ex_flags |= EXFLAG_V1;
+ if (!X509_get_version(x))
+ x->ex_flags |= EXFLAG_V1;
/* Handle basic constraints */
- if((bs=X509_get_ext_d2i(x, NID_basic_constraints, NULL, NULL))) {
- if(bs->ca) x->ex_flags |= EXFLAG_CA;
- if(bs->pathlen) {
- if((bs->pathlen->type == V_ASN1_NEG_INTEGER)
- || !bs->ca) {
+ if ((bs = X509_get_ext_d2i(x, NID_basic_constraints, NULL, NULL))) {
+ if (bs->ca)
+ x->ex_flags |= EXFLAG_CA;
+ if (bs->pathlen) {
+ if ((bs->pathlen->type == V_ASN1_NEG_INTEGER) ||
+ !bs->ca) {
x->ex_flags |= EXFLAG_INVALID;
x->ex_pathlen = 0;
- } else x->ex_pathlen = ASN1_INTEGER_get(bs->pathlen);
- } else x->ex_pathlen = -1;
+ } else
+ x->ex_pathlen = ASN1_INTEGER_get(bs->pathlen);
+ } else
+ x->ex_pathlen = -1;
BASIC_CONSTRAINTS_free(bs);
x->ex_flags |= EXFLAG_BCONS;
}
/* Handle proxy certificates */
- if((pci=X509_get_ext_d2i(x, NID_proxyCertInfo, NULL, NULL))) {
- if (x->ex_flags & EXFLAG_CA
- || X509_get_ext_by_NID(x, NID_subject_alt_name, -1) >= 0
- || X509_get_ext_by_NID(x, NID_issuer_alt_name, -1) >= 0) {
+ if ((pci = X509_get_ext_d2i(x, NID_proxyCertInfo, NULL, NULL))) {
+ if (x->ex_flags & EXFLAG_CA ||
+ X509_get_ext_by_NID(x, NID_subject_alt_name, -1) >= 0 ||
+ X509_get_ext_by_NID(x, NID_issuer_alt_name, -1) >= 0) {
x->ex_flags |= EXFLAG_INVALID;
}
if (pci->pcPathLengthConstraint) {
x->ex_pcpathlen =
- ASN1_INTEGER_get(pci->pcPathLengthConstraint);
- } else x->ex_pcpathlen = -1;
+ ASN1_INTEGER_get(pci->pcPathLengthConstraint);
+ } else
+ x->ex_pcpathlen = -1;
PROXY_CERT_INFO_EXTENSION_free(pci);
x->ex_flags |= EXFLAG_PROXY;
}
/* Handle key usage */
- if((usage=X509_get_ext_d2i(x, NID_key_usage, NULL, NULL))) {
- if(usage->length > 0) {
+ if ((usage = X509_get_ext_d2i(x, NID_key_usage, NULL, NULL))) {
+ if (usage->length > 0) {
x->ex_kusage = usage->data[0];
- if(usage->length > 1)
+ if (usage->length > 1)
x->ex_kusage |= usage->data[1] << 8;
- } else x->ex_kusage = 0;
+ } else
+ x->ex_kusage = 0;
x->ex_flags |= EXFLAG_KUSAGE;
ASN1_BIT_STRING_free(usage);
}
x->ex_xkusage = 0;
- if((extusage=X509_get_ext_d2i(x, NID_ext_key_usage, NULL, NULL))) {
+ if ((extusage = X509_get_ext_d2i(x, NID_ext_key_usage, NULL, NULL))) {
x->ex_flags |= EXFLAG_XKUSAGE;
- for(i = 0; i < sk_ASN1_OBJECT_num(extusage); i++) {
- switch(OBJ_obj2nid(sk_ASN1_OBJECT_value(extusage,i))) {
- case NID_server_auth:
+ for (i = 0; i < sk_ASN1_OBJECT_num(extusage); i++) {
+ switch (OBJ_obj2nid(sk_ASN1_OBJECT_value(extusage, i))) {
+ case NID_server_auth:
x->ex_xkusage |= XKU_SSL_SERVER;
break;
- case NID_client_auth:
+ case NID_client_auth:
x->ex_xkusage |= XKU_SSL_CLIENT;
break;
- case NID_email_protect:
+ case NID_email_protect:
x->ex_xkusage |= XKU_SMIME;
break;
- case NID_code_sign:
+ case NID_code_sign:
x->ex_xkusage |= XKU_CODE_SIGN;
break;
- case NID_ms_sgc:
- case NID_ns_sgc:
+ case NID_ms_sgc:
+ case NID_ns_sgc:
x->ex_xkusage |= XKU_SGC;
break;
- case NID_OCSP_sign:
+ case NID_OCSP_sign:
x->ex_xkusage |= XKU_OCSP_SIGN;
break;
- case NID_time_stamp:
+ case NID_time_stamp:
x->ex_xkusage |= XKU_TIMESTAMP;
break;
- case NID_dvcs:
+ case NID_dvcs:
x->ex_xkusage |= XKU_DVCS;
break;
}
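Review bot: `x->ex_pathlen = ASN1_INTEGER_get(bs->pathlen);` stores the return value unchecked, and `-1` is exactly the sentinel the `else` branch below uses for "no pathLenConstraint"; if ASN1_INTEGER_get signals a value that does not fit in a long by returning -1 (as I believe it does), an absurdly large constraint is cached as unlimited rather than invalid. Checking the result, `if ((x->ex_pathlen = ASN1_INTEGER_get(bs->pathlen)) < 0) { x->ex_flags |= EXFLAG_INVALID; x->ex_pathlen = 0; }`, treats it the same way as the negative-integer case handled just above. The `pcPathLengthConstraint` assignment to `ex_pcpathlen` a few lines later has the same shape. The function begins in the previous hunk and continues past this one.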
@@ -452,14 +499,17 @@ static void x509v3_cache_extensions(X509 *x)
sk_ASN1_OBJECT_pop_free(extusage, ASN1_OBJECT_free);
}
- if((ns=X509_get_ext_d2i(x, NID_netscape_cert_type, NULL, NULL))) {
- if(ns->length > 0) x->ex_nscert = ns->data[0];
- else x->ex_nscert = 0;
+ if ((ns = X509_get_ext_d2i(x, NID_netscape_cert_type, NULL, NULL))) {
+ if (ns->length > 0)
+ x->ex_nscert = ns->data[0];
+ else
+ x->ex_nscert = 0;
x->ex_flags |= EXFLAG_NSCERT;
ASN1_BIT_STRING_free(ns);
}
- x->skid =X509_get_ext_d2i(x, NID_subject_key_identifier, NULL, NULL);
- x->akid =X509_get_ext_d2i(x, NID_authority_key_identifier, NULL, NULL);
+
+ x->skid = X509_get_ext_d2i(x, NID_subject_key_identifier, NULL, NULL);
+ x->akid = X509_get_ext_d2i(x, NID_authority_key_identifier, NULL, NULL);
x->altname = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
x->nc = X509_get_ext_d2i(x, NID_name_constraints, &i, NULL);
if (!x->nc && (i != -1))
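Review bot: `x->altname = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);` passes NULL for the criticality output, so a subjectAltName that is present but fails to decode is cached exactly like an absent one, whereas the name-constraints fetch on the very next line passes `&i` there and tests `i != -1` to tell decode failure from absence (marking the certificate invalid outside this hunk). Since the cached altname presumably feeds later name matching, the same treatment seems warranted: `x->altname = X509_get_ext_d2i(x, NID_subject_alt_name, &i, NULL); if (!x->altname && i != -1) x->ex_flags |= EXFLAG_INVALID;`. The skid and akid fetches just above have the same property. x509v3_cache_extensions continues on both sides of this hunk.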
@@ -467,24 +517,22 @@ static void x509v3_cache_extensions(X509 *x)
setup_crldp(x);
#ifndef OPENSSL_NO_RFC3779
- x->rfc3779_addr =X509_get_ext_d2i(x, NID_sbgp_ipAddrBlock, NULL, NULL);
- x->rfc3779_asid =X509_get_ext_d2i(x, NID_sbgp_autonomousSysNum,
- NULL, NULL);
+ x->rfc3779_addr = X509_get_ext_d2i(x, NID_sbgp_ipAddrBlock, NULL, NULL);
+ x->rfc3779_asid = X509_get_ext_d2i(x, NID_sbgp_autonomousSysNum,
+ NULL, NULL);
#endif
- for (i = 0; i < X509_get_ext_count(x); i++)
- {
+ for (i = 0; i < X509_get_ext_count(x); i++) {
ex = X509_get_ext(x, i);
- if (OBJ_obj2nid(X509_EXTENSION_get_object(ex))
- == NID_freshest_crl)
+ if (OBJ_obj2nid(X509_EXTENSION_get_object(ex)) ==
+ NID_freshest_crl)
x->ex_flags |= EXFLAG_FRESHEST;
if (!X509_EXTENSION_get_critical(ex))
continue;
- if (!X509_supported_extension(ex))
- {
+ if (!X509_supported_extension(ex)) {
x->ex_flags |= EXFLAG_CRITICAL;
break;
- }
}
+ }
x->ex_flags |= EXFLAG_SET;
}
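Review bot: The `break` after `x->ex_flags |= EXFLAG_CRITICAL;` ends the extension scan, so a freshest-CRL extension that follows the first unsupported critical one never sets EXFLAG_FRESHEST; that is harmless only because EXFLAG_CRITICAL presumably makes the certificate unusable anyway, and the dependency deserves a comment such as `/* Stop here: an unsupported critical extension rejects the cert, so the remaining flags are moot. */`. The rfc3779 fetches above also pass NULL for the criticality output, like the skid/akid fetches in the previous hunk. The enclosing function begins outside the hunk.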
@@ -505,30 +553,38 @@ static void x509v3_cache_extensions(X509 *x)
#define ns_reject(x, usage) \
(((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage)))
-static int check_ca(const X509 *x)
+static int
+check_ca(const X509 *x)
{
/* keyUsage if present should allow cert signing */
- if(ku_reject(x, KU_KEY_CERT_SIGN)) return 0;
- if(x->ex_flags & EXFLAG_BCONS) {
- if(x->ex_flags & EXFLAG_CA) return 1;
+ if (ku_reject(x, KU_KEY_CERT_SIGN))
+ return 0;
+ if (x->ex_flags & EXFLAG_BCONS) {
+ if (x->ex_flags & EXFLAG_CA)
+ return 1;
/* If basicConstraints says not a CA then say so */
- else return 0;
+ else
+ return 0;
} else {
/* we support V1 roots for... uh, I don't really know why. */
- if((x->ex_flags & V1_ROOT) == V1_ROOT) return 3;
+ if ((x->ex_flags & V1_ROOT) == V1_ROOT)
+ return 3;
/* If key usage present it must have certSign so tolerate it */
- else if (x->ex_flags & EXFLAG_KUSAGE) return 4;
+ else if (x->ex_flags & EXFLAG_KUSAGE)
+ return 4;
/* Older certificates could have Netscape-specific CA types */
- else if (x->ex_flags & EXFLAG_NSCERT
- && x->ex_nscert & NS_ANY_CA) return 5;
+ else if (x->ex_flags & EXFLAG_NSCERT &&
+ x->ex_nscert & NS_ANY_CA)
+ return 5;
/* can this still be regarded a CA certificate? I doubt it */
return 0;
}
}
-int X509_check_ca(X509 *x)
+int
+X509_check_ca(X509 *x)
{
- if(!(x->ex_flags & EXFLAG_SET)) {
+ if (!(x->ex_flags & EXFLAG_SET)) {
CRYPTO_w_lock(CRYPTO_LOCK_X509);
x509v3_cache_extensions(x);
CRYPTO_w_unlock(CRYPTO_LOCK_X509);
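Review bot: check_ca returns several distinct non-zero codes (1, 3, 4 and 5 here) that are part of its contract — check_ssl_ca in the next hunk treats 5 specially and check_purpose_crl_sign compares against 2, a value no path here produces — yet nothing at the function says what each value means. A header comment would make the callers legible: `/* Returns 0 if not a CA; 1 for a basicConstraints CA, 3 for a V1 self-signed root, 4 for keyUsage-only, 5 for a Netscape cert-type CA. */`. X509_check_ca's body continues past the end of the hunk.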
@@ -538,131 +594,169 @@ int X509_check_ca(X509 *x)
}
/* Check SSL CA: common checks for SSL client and server */
-static int check_ssl_ca(const X509 *x)
+static int
+check_ssl_ca(const X509 *x)
{
int ca_ret;
+
ca_ret = check_ca(x);
- if(!ca_ret) return 0;
+ if (!ca_ret)
+ return 0;
/* check nsCertType if present */
- if(ca_ret != 5 || x->ex_nscert & NS_SSL_CA) return ca_ret;
- else return 0;
+ if (ca_ret != 5 || x->ex_nscert & NS_SSL_CA)
+ return ca_ret;
+ else
+ return 0;
}
-
-static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, int ca)
+static int
+check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, int ca)
{
- if(xku_reject(x,XKU_SSL_CLIENT)) return 0;
- if(ca) return check_ssl_ca(x);
+ if (xku_reject(x, XKU_SSL_CLIENT))
+ return 0;
+ if (ca)
+ return check_ssl_ca(x);
/* We need to do digital signatures with it */
- if(ku_reject(x,KU_DIGITAL_SIGNATURE)) return 0;
- /* nsCertType if present should allow SSL client use */
- if(ns_reject(x, NS_SSL_CLIENT)) return 0;
+ if (ku_reject(x, KU_DIGITAL_SIGNATURE))
+ return 0;
+ /* nsCertType if present should allow SSL client use */
+ if (ns_reject(x, NS_SSL_CLIENT))
+ return 0;
return 1;
}
-static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca)
+static int
+check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca)
{
- if(xku_reject(x,XKU_SSL_SERVER|XKU_SGC)) return 0;
- if(ca) return check_ssl_ca(x);
+ if (xku_reject(x, XKU_SSL_SERVER|XKU_SGC))
+ return 0;
+ if (ca)
+ return check_ssl_ca(x);
- if(ns_reject(x, NS_SSL_SERVER)) return 0;
+ if (ns_reject(x, NS_SSL_SERVER))
+ return 0;
/* Now as for keyUsage: we'll at least need to sign OR encipher */
- if(ku_reject(x, KU_DIGITAL_SIGNATURE|KU_KEY_ENCIPHERMENT)) return 0;
-
- return 1;
+ if (ku_reject(x, KU_DIGITAL_SIGNATURE|KU_KEY_ENCIPHERMENT))
+ return 0;
+ return 1;
}
-static int check_purpose_ns_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca)
+static int
+check_purpose_ns_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca)
{
int ret;
+
ret = check_purpose_ssl_server(xp, x, ca);
- if(!ret || ca) return ret;
+ if (!ret || ca)
+ return ret;
/* We need to encipher or Netscape complains */
- if(ku_reject(x, KU_KEY_ENCIPHERMENT)) return 0;
+ if (ku_reject(x, KU_KEY_ENCIPHERMENT))
+ return 0;
return ret;
}
/* common S/MIME checks */
-static int purpose_smime(const X509 *x, int ca)
+static int
+purpose_smime(const X509 *x, int ca)
{
- if(xku_reject(x,XKU_SMIME)) return 0;
- if(ca) {
+ if (xku_reject(x, XKU_SMIME))
+ return 0;
+ if (ca) {
int ca_ret;
ca_ret = check_ca(x);
- if(!ca_ret) return 0;
+ if (!ca_ret)
+ return 0;
/* check nsCertType if present */
- if(ca_ret != 5 || x->ex_nscert & NS_SMIME_CA) return ca_ret;
- else return 0;
+ if (ca_ret != 5 || x->ex_nscert & NS_SMIME_CA)
+ return ca_ret;
+ else
+ return 0;
}
- if(x->ex_flags & EXFLAG_NSCERT) {
- if(x->ex_nscert & NS_SMIME) return 1;
+ if (x->ex_flags & EXFLAG_NSCERT) {
+ if (x->ex_nscert & NS_SMIME)
+ return 1;
/* Workaround for some buggy certificates */
- if(x->ex_nscert & NS_SSL_CLIENT) return 2;
+ if (x->ex_nscert & NS_SSL_CLIENT)
+ return 2;
return 0;
}
return 1;
}
-static int check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x, int ca)
+static int
+check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x, int ca)
{
int ret;
+
ret = purpose_smime(x, ca);
- if(!ret || ca) return ret;
- if(ku_reject(x, KU_DIGITAL_SIGNATURE|KU_NON_REPUDIATION)) return 0;
+ if (!ret || ca)
+ return ret;
+ if (ku_reject(x, KU_DIGITAL_SIGNATURE|KU_NON_REPUDIATION))
+ return 0;
return ret;
}
-static int check_purpose_smime_encrypt(const X509_PURPOSE *xp, const X509 *x, int ca)
+static int
+check_purpose_smime_encrypt(const X509_PURPOSE *xp, const X509 *x, int ca)
{
int ret;
+
ret = purpose_smime(x, ca);
- if(!ret || ca) return ret;
- if(ku_reject(x, KU_KEY_ENCIPHERMENT)) return 0;
+ if (!ret || ca)
+ return ret;
+ if (ku_reject(x, KU_KEY_ENCIPHERMENT))
+ return 0;
return ret;
}
-static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x, int ca)
+static int
+check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x, int ca)
{
- if(ca) {
+ if (ca) {
int ca_ret;
- if((ca_ret = check_ca(x)) != 2) return ca_ret;
- else return 0;
+ if ((ca_ret = check_ca(x)) != 2)
+ return ca_ret;
+ else
+ return 0;
}
- if(ku_reject(x, KU_CRL_SIGN)) return 0;
+ if (ku_reject(x, KU_CRL_SIGN))
+ return 0;
return 1;
}
/* OCSP helper: this is *not* a full OCSP check. It just checks that
* each CA is valid. Additional checks must be made on the chain.
*/
-
-static int ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca)
+static int
+ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca)
{
/* Must be a valid CA. Should we really support the "I don't know"
value (2)? */
- if(ca) return check_ca(x);
+ if (ca)
+ return check_ca(x);
/* leaf certificate is checked in OCSP_verify() */
return 1;
}
-static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x,
- int ca)
+static int
+check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x, int ca)
{
int i_ext;
/* If ca is true we must return if this is a valid CA certificate. */
- if (ca) return check_ca(x);
+ if (ca)
+ return check_ca(x);
- /*
+ /*
* Check the optional key usage field:
- * if Key Usage is present, it must be one of digitalSignature
+ * if Key Usage is present, it must be one of digitalSignature
* and/or nonRepudiation (other values are not consistent and shall
* be rejected).
*/
- if ((x->ex_flags & EXFLAG_KUSAGE)
- && ((x->ex_kusage & ~(KU_NON_REPUDIATION | KU_DIGITAL_SIGNATURE)) ||
- !(x->ex_kusage & (KU_NON_REPUDIATION | KU_DIGITAL_SIGNATURE))))
+ if ((x->ex_flags & EXFLAG_KUSAGE) &&
+ ((x->ex_kusage & ~(KU_NON_REPUDIATION | KU_DIGITAL_SIGNATURE)) ||
+ !(x->ex_kusage & (KU_NON_REPUDIATION | KU_DIGITAL_SIGNATURE))))
return 0;
/* Only time stamp key usage is permitted and it's required. */
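Review bot: In check_purpose_crl_sign, `if ((ca_ret = check_ca(x)) != 2) return ca_ret; else return 0;` keeps a branch for a return value of 2 that no path in check_ca (previous hunk) produces, so the `else` is dead and the whole statement reduces to `return check_ca(x);`; if 2 once had a meaning, a comment saying so would save the next reader the hunt. As a KNF point, `XKU_SSL_SERVER|XKU_SGC`, `KU_DIGITAL_SIGNATURE|KU_KEY_ENCIPHERMENT` and `KU_DIGITAL_SIGNATURE|KU_NON_REPUDIATION` are left without spaces around `|`, while the timestamp check at the end of the hunk writes `KU_NON_REPUDIATION | KU_DIGITAL_SIGNATURE`. check_purpose_timestamp_sign continues past the hunk.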
@@ -671,17 +765,17 @@ static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x,
/* Extended Key Usage MUST be critical */
i_ext = X509_get_ext_by_NID((X509 *) x, NID_ext_key_usage, -1);
- if (i_ext >= 0)
- {
+ if (i_ext >= 0) {
X509_EXTENSION *ext = X509_get_ext((X509 *) x, i_ext);
if (!X509_EXTENSION_get_critical(ext))
return 0;
- }
+ }
return 1;
}
-static int no_check(const X509_PURPOSE *xp, const X509 *x, int ca)
+static int
+no_check(const X509_PURPOSE *xp, const X509 *x, int ca)
{
return 1;
}
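Review bot: `X509_get_ext_by_NID((X509 *) x, NID_ext_key_usage, -1)` and `X509_get_ext((X509 *) x, i_ext)` cast away the `const` on `x` because those accessors have no const-qualified prototypes; this is only safe as long as they never write through the pointer, which as far as I can tell they do not, and that assumption is worth recording: `/* Cast drops const only because the accessors are not const-qualified; they must not modify x. */`. check_purpose_timestamp_sign begins in the previous hunk.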
@@ -698,48 +792,45 @@ static int no_check(const X509_PURPOSE *xp, const X509 *x, int ca)
* codes for X509_verify_cert()
*/
-int X509_check_issued(X509 *issuer, X509 *subject)
+int
+X509_check_issued(X509 *issuer, X509 *subject)
{
- if(X509_NAME_cmp(X509_get_subject_name(issuer),
- X509_get_issuer_name(subject)))
- return X509_V_ERR_SUBJECT_ISSUER_MISMATCH;
+ if (X509_NAME_cmp(X509_get_subject_name(issuer),
+ X509_get_issuer_name(subject)))
+ return X509_V_ERR_SUBJECT_ISSUER_MISMATCH;
x509v3_cache_extensions(issuer);
x509v3_cache_extensions(subject);
- if(subject->akid)
- {
+ if (subject->akid) {
int ret = X509_check_akid(issuer, subject->akid);
if (ret != X509_V_OK)
return ret;
- }
+ }
- if(subject->ex_flags & EXFLAG_PROXY)
- {
- if(ku_reject(issuer, KU_DIGITAL_SIGNATURE))
+ if (subject->ex_flags & EXFLAG_PROXY) {
+ if (ku_reject(issuer, KU_DIGITAL_SIGNATURE))
return X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE;
- }
- else if(ku_reject(issuer, KU_KEY_CERT_SIGN))
+ } else if (ku_reject(issuer, KU_KEY_CERT_SIGN))
return X509_V_ERR_KEYUSAGE_NO_CERTSIGN;
return X509_V_OK;
}
-int X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid)
- {
-
- if(!akid)
+int
+X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid)
+{
+ if (!akid)
return X509_V_OK;
/* Check key ids (if present) */
- if(akid->keyid && issuer->skid &&
- ASN1_OCTET_STRING_cmp(akid->keyid, issuer->skid) )
- return X509_V_ERR_AKID_SKID_MISMATCH;
+ if (akid->keyid && issuer->skid &&
+ ASN1_OCTET_STRING_cmp(akid->keyid, issuer->skid) )
+ return X509_V_ERR_AKID_SKID_MISMATCH;
/* Check serial number */
- if(akid->serial &&
- ASN1_INTEGER_cmp(X509_get_serialNumber(issuer), akid->serial))
- return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
+ if (akid->serial &&
+ ASN1_INTEGER_cmp(X509_get_serialNumber(issuer), akid->serial))
+ return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
/* Check issuer name */
- if(akid->issuer)
- {
+ if (akid->issuer) {
/* Ugh, for some peculiar reason AKID includes
* SEQUENCE OF GeneralName. So look for a DirName.
* There may be more than one but we only take any
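Review bot: X509_check_issued calls `x509v3_cache_extensions(issuer)` and `x509v3_cache_extensions(subject)` directly, whereas X509_check_purpose and X509_check_ca wrap the same call in `CRYPTO_w_lock(CRYPTO_LOCK_X509)` / `CRYPTO_w_unlock(CRYPTO_LOCK_X509)`; if two threads verify chains that share an X509 object, this path can populate the cached fields concurrently with the locked one. Either take the lock here in the same way, or add a comment stating why the caller is expected to hold it. A minor KNF nit in the same hunk: `ASN1_OCTET_STRING_cmp(akid->keyid, issuer->skid) )` keeps a stray space before the closing parenthesis. X509_check_akid continues into the next hunk.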
@@ -750,18 +841,15 @@ int X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid)
X509_NAME *nm = NULL;
int i;
gens = akid->issuer;
- for(i = 0; i < sk_GENERAL_NAME_num(gens); i++)
- {
+ for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
gen = sk_GENERAL_NAME_value(gens, i);
- if(gen->type == GEN_DIRNAME)
- {
+ if (gen->type == GEN_DIRNAME) {
nm = gen->d.dirn;
break;
- }
}
- if(nm && X509_NAME_cmp(nm, X509_get_issuer_name(issuer)))
- return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
}
- return X509_V_OK;
+ if (nm && X509_NAME_cmp(nm, X509_get_issuer_name(issuer)))
+ return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
}
-
+ return X509_V_OK;
+}
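Review bot: An issuer-name mismatch at `if (nm && X509_NAME_cmp(nm, X509_get_issuer_name(issuer)))` is reported as X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH, the same code the serial-number comparison in the previous hunk returns, so a caller cannot tell which AKID field disagreed. I see no distinct code in this file to use instead, so a comment should at least record that the reuse is deliberate: `/* No dedicated error code for an AKID issuer-name mismatch; the serial one is reused. */`. X509_check_akid begins in the previous hunk.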