diff options
author | Joel Sing <jsing@cvs.openbsd.org> | 2014-05-26 12:10:12 +0000 |
---|---|---|
committer | Joel Sing <jsing@cvs.openbsd.org> | 2014-05-26 12:10:12 +0000 |
commit | 661391785ea1636d807d57e99192342b52241db0 (patch) | |
tree | 2f3f8293bf9b64486bdeb4aef06d763f10467dab | |
parent | ed4508eb4b3d8d0965c44f1b96e2e5428078de5c (diff) |
KNF.
-rw-r--r-- | lib/libcrypto/x509v3/v3_pci.c | 309 | ||||
-rw-r--r-- | lib/libcrypto/x509v3/v3_pcia.c | 15 | ||||
-rw-r--r-- | lib/libcrypto/x509v3/v3_pcons.c | 82 | ||||
-rw-r--r-- | lib/libcrypto/x509v3/v3_pku.c | 27 | ||||
-rw-r--r-- | lib/libcrypto/x509v3/v3_pmaps.c | 57 | ||||
-rw-r--r-- | lib/libcrypto/x509v3/v3_prn.c | 168 | ||||
-rw-r--r-- | lib/libcrypto/x509v3/v3_purp.c | 550 |
7 files changed, 666 insertions, 542 deletions
diff --git a/lib/libcrypto/x509v3/v3_pci.c b/lib/libcrypto/x509v3/v3_pci.c index 9cef94258c2..ab09a36436e 100644 --- a/lib/libcrypto/x509v3/v3_pci.c +++ b/lib/libcrypto/x509v3/v3_pci.c @@ -40,209 +40,196 @@ #include <openssl/x509v3.h> static int i2r_pci(X509V3_EXT_METHOD *method, PROXY_CERT_INFO_EXTENSION *ext, - BIO *out, int indent); + BIO *out, int indent); static PROXY_CERT_INFO_EXTENSION *r2i_pci(X509V3_EXT_METHOD *method, - X509V3_CTX *ctx, char *str); + X509V3_CTX *ctx, char *str); -const X509V3_EXT_METHOD v3_pci = - { NID_proxyCertInfo, 0, ASN1_ITEM_ref(PROXY_CERT_INFO_EXTENSION), - 0,0,0,0, - 0,0, - NULL, NULL, - (X509V3_EXT_I2R)i2r_pci, - (X509V3_EXT_R2I)r2i_pci, - NULL, - }; +const X509V3_EXT_METHOD v3_pci = { + NID_proxyCertInfo, 0, ASN1_ITEM_ref(PROXY_CERT_INFO_EXTENSION), + 0, 0, 0, 0, 0, 0, NULL, NULL, + (X509V3_EXT_I2R)i2r_pci, + (X509V3_EXT_R2I)r2i_pci, + NULL, +}; -static int i2r_pci(X509V3_EXT_METHOD *method, PROXY_CERT_INFO_EXTENSION *pci, - BIO *out, int indent) - { +static int +i2r_pci(X509V3_EXT_METHOD *method, PROXY_CERT_INFO_EXTENSION *pci, BIO *out, + int indent) +{ BIO_printf(out, "%*sPath Length Constraint: ", indent, ""); if (pci->pcPathLengthConstraint) - i2a_ASN1_INTEGER(out, pci->pcPathLengthConstraint); + i2a_ASN1_INTEGER(out, pci->pcPathLengthConstraint); else - BIO_printf(out, "infinite"); + BIO_printf(out, "infinite"); BIO_puts(out, "\n"); BIO_printf(out, "%*sPolicy Language: ", indent, ""); i2a_ASN1_OBJECT(out, pci->proxyPolicy->policyLanguage); BIO_puts(out, "\n"); if (pci->proxyPolicy->policy && pci->proxyPolicy->policy->data) - BIO_printf(out, "%*sPolicy Text: %s\n", indent, "", - pci->proxyPolicy->policy->data); + BIO_printf(out, "%*sPolicy Text: %s\n", indent, "", + pci->proxyPolicy->policy->data); return 1; - } +} -static int process_pci_value(CONF_VALUE *val, - ASN1_OBJECT **language, ASN1_INTEGER **pathlen, - ASN1_OCTET_STRING **policy) - { +static int +process_pci_value(CONF_VALUE *val, ASN1_OBJECT **language, + ASN1_INTEGER **pathlen, ASN1_OCTET_STRING **policy) +{ int free_policy = 0; - if (strcmp(val->name, "language") == 0) - { - if (*language) - { - X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_POLICY_LANGUAGE_ALREADY_DEFINED); + if (strcmp(val->name, "language") == 0) { + if (*language) { + X509V3err(X509V3_F_PROCESS_PCI_VALUE, + X509V3_R_POLICY_LANGUAGE_ALREADY_DEFINED); X509V3_conf_err(val); return 0; - } - if (!(*language = OBJ_txt2obj(val->value, 0))) - { - X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_INVALID_OBJECT_IDENTIFIER); + } + if (!(*language = OBJ_txt2obj(val->value, 0))) { + X509V3err(X509V3_F_PROCESS_PCI_VALUE, + X509V3_R_INVALID_OBJECT_IDENTIFIER); X509V3_conf_err(val); return 0; - } } - else if (strcmp(val->name, "pathlen") == 0) - { - if (*pathlen) - { - X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_POLICY_PATH_LENGTH_ALREADY_DEFINED); + } + else if (strcmp(val->name, "pathlen") == 0) { + if (*pathlen) { + X509V3err(X509V3_F_PROCESS_PCI_VALUE, + X509V3_R_POLICY_PATH_LENGTH_ALREADY_DEFINED); X509V3_conf_err(val); return 0; - } - if (!X509V3_get_value_int(val, pathlen)) - { - X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_POLICY_PATH_LENGTH); + } + if (!X509V3_get_value_int(val, pathlen)) { + X509V3err(X509V3_F_PROCESS_PCI_VALUE, + X509V3_R_POLICY_PATH_LENGTH); X509V3_conf_err(val); return 0; - } } - else if (strcmp(val->name, "policy") == 0) - { + } + else if (strcmp(val->name, "policy") == 0) { unsigned char *tmp_data = NULL; long val_len; - if (!*policy) - { + if (!*policy) { *policy = ASN1_OCTET_STRING_new(); - if (!*policy) - { - X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_MALLOC_FAILURE); + if (!*policy) { + X509V3err(X509V3_F_PROCESS_PCI_VALUE, + ERR_R_MALLOC_FAILURE); X509V3_conf_err(val); return 0; - } - free_policy = 1; } - if (strncmp(val->value, "hex:", 4) == 0) - { + free_policy = 1; + } + if (strncmp(val->value, "hex:", 4) == 0) { unsigned char *tmp_data2 = - string_to_hex(val->value + 4, &val_len); + string_to_hex(val->value + 4, &val_len); - if (!tmp_data2) - { - X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_ILLEGAL_HEX_DIGIT); + if (!tmp_data2) { + X509V3err(X509V3_F_PROCESS_PCI_VALUE, + X509V3_R_ILLEGAL_HEX_DIGIT); X509V3_conf_err(val); goto err; - } + } tmp_data = realloc((*policy)->data, - (*policy)->length + val_len + 1); - if (tmp_data) - { + (*policy)->length + val_len + 1); + if (tmp_data) { (*policy)->data = tmp_data; memcpy(&(*policy)->data[(*policy)->length], - tmp_data2, val_len); + tmp_data2, val_len); (*policy)->length += val_len; (*policy)->data[(*policy)->length] = '\0'; - } - else - { + } else { free(tmp_data2); /* realloc failure implies the original data space is b0rked too! */ (*policy)->data = NULL; (*policy)->length = 0; - X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_MALLOC_FAILURE); + X509V3err(X509V3_F_PROCESS_PCI_VALUE, + ERR_R_MALLOC_FAILURE); X509V3_conf_err(val); goto err; - } - free(tmp_data2); } - else if (strncmp(val->value, "file:", 5) == 0) - { + free(tmp_data2); + } + else if (strncmp(val->value, "file:", 5) == 0) { unsigned char buf[2048]; int n; BIO *b = BIO_new_file(val->value + 5, "r"); - if (!b) - { - X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_BIO_LIB); + if (!b) { + X509V3err(X509V3_F_PROCESS_PCI_VALUE, + ERR_R_BIO_LIB); X509V3_conf_err(val); goto err; - } - while((n = BIO_read(b, buf, sizeof(buf))) > 0 - || (n == 0 && BIO_should_retry(b))) - { - if (!n) continue; + } + while ((n = BIO_read(b, buf, sizeof(buf))) > 0 || + (n == 0 && BIO_should_retry(b))) { + if (!n) + continue; tmp_data = realloc((*policy)->data, - (*policy)->length + n + 1); + (*policy)->length + n + 1); if (!tmp_data) break; (*policy)->data = tmp_data; memcpy(&(*policy)->data[(*policy)->length], - buf, n); + buf, n); (*policy)->length += n; (*policy)->data[(*policy)->length] = '\0'; - } + } BIO_free_all(b); - if (n < 0) - { - X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_BIO_LIB); + if (n < 0) { + X509V3err(X509V3_F_PROCESS_PCI_VALUE, + ERR_R_BIO_LIB); X509V3_conf_err(val); goto err; - } } - else if (strncmp(val->value, "text:", 5) == 0) - { + } + else if (strncmp(val->value, "text:", 5) == 0) { val_len = strlen(val->value + 5); tmp_data = realloc((*policy)->data, - (*policy)->length + val_len + 1); - if (tmp_data) - { + (*policy)->length + val_len + 1); + if (tmp_data) { (*policy)->data = tmp_data; memcpy(&(*policy)->data[(*policy)->length], - val->value + 5, val_len); + val->value + 5, val_len); (*policy)->length += val_len; (*policy)->data[(*policy)->length] = '\0'; - } - else - { + } else { /* realloc failure implies the original data space is b0rked too! */ (*policy)->data = NULL; (*policy)->length = 0; - X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_MALLOC_FAILURE); + X509V3err(X509V3_F_PROCESS_PCI_VALUE, + ERR_R_MALLOC_FAILURE); X509V3_conf_err(val); goto err; - } } - else - { - X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_INCORRECT_POLICY_SYNTAX_TAG); + } else { + X509V3err(X509V3_F_PROCESS_PCI_VALUE, + X509V3_R_INCORRECT_POLICY_SYNTAX_TAG); X509V3_conf_err(val); goto err; - } - if (!tmp_data) - { - X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_MALLOC_FAILURE); + } + if (!tmp_data) { + X509V3err(X509V3_F_PROCESS_PCI_VALUE, + ERR_R_MALLOC_FAILURE); X509V3_conf_err(val); goto err; - } } + } return 1; + err: - if (free_policy) - { + if (free_policy) { ASN1_OCTET_STRING_free(*policy); *policy = NULL; - } - return 0; } + return 0; +} -static PROXY_CERT_INFO_EXTENSION *r2i_pci(X509V3_EXT_METHOD *method, - X509V3_CTX *ctx, char *value) - { +static PROXY_CERT_INFO_EXTENSION * +r2i_pci(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *value) +{ PROXY_CERT_INFO_EXTENSION *pci = NULL; STACK_OF(CONF_VALUE) *vals; ASN1_OBJECT *language = NULL; @@ -251,78 +238,88 @@ static PROXY_CERT_INFO_EXTENSION *r2i_pci(X509V3_EXT_METHOD *method, int i, j; vals = X509V3_parse_list(value); - for (i = 0; i < sk_CONF_VALUE_num(vals); i++) - { + for (i = 0; i < sk_CONF_VALUE_num(vals); i++) { CONF_VALUE *cnf = sk_CONF_VALUE_value(vals, i); - if (!cnf->name || (*cnf->name != '@' && !cnf->value)) - { - X509V3err(X509V3_F_R2I_PCI,X509V3_R_INVALID_PROXY_POLICY_SETTING); + if (!cnf->name || (*cnf->name != '@' && !cnf->value)) { + X509V3err(X509V3_F_R2I_PCI, + X509V3_R_INVALID_PROXY_POLICY_SETTING); X509V3_conf_err(cnf); goto err; - } - if (*cnf->name == '@') - { + } + if (*cnf->name == '@') { STACK_OF(CONF_VALUE) *sect; int success_p = 1; sect = X509V3_get_section(ctx, cnf->name + 1); - if (!sect) - { - X509V3err(X509V3_F_R2I_PCI,X509V3_R_INVALID_SECTION); + if (!sect) { + X509V3err(X509V3_F_R2I_PCI, + X509V3_R_INVALID_SECTION); X509V3_conf_err(cnf); goto err; - } - for (j = 0; success_p && j < sk_CONF_VALUE_num(sect); j++) - { - success_p = - process_pci_value(sk_CONF_VALUE_value(sect, j), - &language, &pathlen, &policy); - } + } + for (j = 0; success_p && + j < sk_CONF_VALUE_num(sect); j++) { + success_p = process_pci_value( + sk_CONF_VALUE_value(sect, j), + &language, &pathlen, &policy); + } X509V3_section_free(ctx, sect); if (!success_p) goto err; - } - else - { + } else { if (!process_pci_value(cnf, - &language, &pathlen, &policy)) - { + &language, &pathlen, &policy)) { X509V3_conf_err(cnf); goto err; - } } } + } /* Language is mandatory */ - if (!language) - { - X509V3err(X509V3_F_R2I_PCI,X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED); + if (!language) { + X509V3err(X509V3_F_R2I_PCI, + X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED); goto err; - } + } i = OBJ_obj2nid(language); - if ((i == NID_Independent || i == NID_id_ppl_inheritAll) && policy) - { - X509V3err(X509V3_F_R2I_PCI,X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY); + if ((i == NID_Independent || i == NID_id_ppl_inheritAll) && policy) { + X509V3err(X509V3_F_R2I_PCI, + X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY); goto err; - } + } pci = PROXY_CERT_INFO_EXTENSION_new(); - if (!pci) - { - X509V3err(X509V3_F_R2I_PCI,ERR_R_MALLOC_FAILURE); + if (!pci) { + X509V3err(X509V3_F_R2I_PCI, ERR_R_MALLOC_FAILURE); goto err; - } + } - pci->proxyPolicy->policyLanguage = language; language = NULL; - pci->proxyPolicy->policy = policy; policy = NULL; - pci->pcPathLengthConstraint = pathlen; pathlen = NULL; + pci->proxyPolicy->policyLanguage = language; + language = NULL; + pci->proxyPolicy->policy = policy; + policy = NULL; + pci->pcPathLengthConstraint = pathlen; + pathlen = NULL; goto end; + err: - if (language) { ASN1_OBJECT_free(language); language = NULL; } - if (pathlen) { ASN1_INTEGER_free(pathlen); pathlen = NULL; } - if (policy) { ASN1_OCTET_STRING_free(policy); policy = NULL; } - if (pci) { PROXY_CERT_INFO_EXTENSION_free(pci); pci = NULL; } + if (language) { + ASN1_OBJECT_free(language); + language = NULL; + } + if (pathlen) { + ASN1_INTEGER_free(pathlen); + pathlen = NULL; + } + if (policy) { + ASN1_OCTET_STRING_free(policy); + policy = NULL; + } + if (pci) { + PROXY_CERT_INFO_EXTENSION_free(pci); + pci = NULL; + } end: sk_CONF_VALUE_pop_free(vals, X509V3_conf_free); return pci; - } +} diff --git a/lib/libcrypto/x509v3/v3_pcia.c b/lib/libcrypto/x509v3/v3_pcia.c index bb362e0e5a9..ae5d58a009e 100644 --- a/lib/libcrypto/x509v3/v3_pcia.c +++ b/lib/libcrypto/x509v3/v3_pcia.c @@ -38,18 +38,17 @@ #include <openssl/asn1t.h> #include <openssl/x509v3.h> -ASN1_SEQUENCE(PROXY_POLICY) = - { - ASN1_SIMPLE(PROXY_POLICY,policyLanguage,ASN1_OBJECT), - ASN1_OPT(PROXY_POLICY,policy,ASN1_OCTET_STRING) +ASN1_SEQUENCE(PROXY_POLICY) = { + ASN1_SIMPLE(PROXY_POLICY, policyLanguage, ASN1_OBJECT), + ASN1_OPT(PROXY_POLICY, policy, ASN1_OCTET_STRING) } ASN1_SEQUENCE_END(PROXY_POLICY) IMPLEMENT_ASN1_FUNCTIONS(PROXY_POLICY) -ASN1_SEQUENCE(PROXY_CERT_INFO_EXTENSION) = - { - ASN1_OPT(PROXY_CERT_INFO_EXTENSION,pcPathLengthConstraint,ASN1_INTEGER), - ASN1_SIMPLE(PROXY_CERT_INFO_EXTENSION,proxyPolicy,PROXY_POLICY) +ASN1_SEQUENCE(PROXY_CERT_INFO_EXTENSION) = { + ASN1_OPT(PROXY_CERT_INFO_EXTENSION, pcPathLengthConstraint, + ASN1_INTEGER), + ASN1_SIMPLE(PROXY_CERT_INFO_EXTENSION, proxyPolicy, PROXY_POLICY) } ASN1_SEQUENCE_END(PROXY_CERT_INFO_EXTENSION) IMPLEMENT_ASN1_FUNCTIONS(PROXY_CERT_INFO_EXTENSION) diff --git a/lib/libcrypto/x509v3/v3_pcons.c b/lib/libcrypto/x509v3/v3_pcons.c index 13248c2adaf..c622cae85a6 100644 --- a/lib/libcrypto/x509v3/v3_pcons.c +++ b/lib/libcrypto/x509v3/v3_pcons.c @@ -1,5 +1,5 @@ /* v3_pcons.c */ -/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project. */ /* ==================================================================== @@ -10,7 +10,7 @@ * are met: * * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. + * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in @@ -64,73 +64,81 @@ #include <openssl/conf.h> #include <openssl/x509v3.h> -static STACK_OF(CONF_VALUE) *i2v_POLICY_CONSTRAINTS(X509V3_EXT_METHOD *method, - void *bcons, STACK_OF(CONF_VALUE) *extlist); -static void *v2i_POLICY_CONSTRAINTS(X509V3_EXT_METHOD *method, - X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values); +static STACK_OF(CONF_VALUE) * +i2v_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD *method, void *bcons, + STACK_OF(CONF_VALUE) *extlist); +static void *v2i_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD *method, + X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values); const X509V3_EXT_METHOD v3_policy_constraints = { -NID_policy_constraints, 0, -ASN1_ITEM_ref(POLICY_CONSTRAINTS), -0,0,0,0, -0,0, -i2v_POLICY_CONSTRAINTS, -v2i_POLICY_CONSTRAINTS, -NULL,NULL, -NULL + NID_policy_constraints, 0, + ASN1_ITEM_ref(POLICY_CONSTRAINTS), + 0, 0, 0, 0, + 0, 0, + i2v_POLICY_CONSTRAINTS, + v2i_POLICY_CONSTRAINTS, + NULL, NULL, + NULL }; ASN1_SEQUENCE(POLICY_CONSTRAINTS) = { - ASN1_IMP_OPT(POLICY_CONSTRAINTS, requireExplicitPolicy, ASN1_INTEGER,0), - ASN1_IMP_OPT(POLICY_CONSTRAINTS, inhibitPolicyMapping, ASN1_INTEGER,1) + ASN1_IMP_OPT(POLICY_CONSTRAINTS, requireExplicitPolicy, + ASN1_INTEGER, 0), + ASN1_IMP_OPT(POLICY_CONSTRAINTS, inhibitPolicyMapping, ASN1_INTEGER, 1) } ASN1_SEQUENCE_END(POLICY_CONSTRAINTS) IMPLEMENT_ASN1_ALLOC_FUNCTIONS(POLICY_CONSTRAINTS) - -static STACK_OF(CONF_VALUE) *i2v_POLICY_CONSTRAINTS(X509V3_EXT_METHOD *method, - void *a, STACK_OF(CONF_VALUE) *extlist) +static STACK_OF(CONF_VALUE) * +i2v_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD *method, void *a, + STACK_OF(CONF_VALUE) *extlist) { POLICY_CONSTRAINTS *pcons = a; + X509V3_add_value_int("Require Explicit Policy", - pcons->requireExplicitPolicy, &extlist); + pcons->requireExplicitPolicy, &extlist); X509V3_add_value_int("Inhibit Policy Mapping", - pcons->inhibitPolicyMapping, &extlist); + pcons->inhibitPolicyMapping, &extlist); return extlist; } -static void *v2i_POLICY_CONSTRAINTS(X509V3_EXT_METHOD *method, - X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values) +static void * +v2i_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx, + STACK_OF(CONF_VALUE) *values) { - POLICY_CONSTRAINTS *pcons=NULL; + POLICY_CONSTRAINTS *pcons = NULL; CONF_VALUE *val; int i; - if(!(pcons = POLICY_CONSTRAINTS_new())) { - X509V3err(X509V3_F_V2I_POLICY_CONSTRAINTS, ERR_R_MALLOC_FAILURE); + + if (!(pcons = POLICY_CONSTRAINTS_new())) { + X509V3err(X509V3_F_V2I_POLICY_CONSTRAINTS, + ERR_R_MALLOC_FAILURE); return NULL; } - for(i = 0; i < sk_CONF_VALUE_num(values); i++) { + for (i = 0; i < sk_CONF_VALUE_num(values); i++) { val = sk_CONF_VALUE_value(values, i); - if(!strcmp(val->name, "requireExplicitPolicy")) { - if(!X509V3_get_value_int(val, - &pcons->requireExplicitPolicy)) goto err; - } else if(!strcmp(val->name, "inhibitPolicyMapping")) { - if(!X509V3_get_value_int(val, - &pcons->inhibitPolicyMapping)) goto err; + if (!strcmp(val->name, "requireExplicitPolicy")) { + if (!X509V3_get_value_int(val, + &pcons->requireExplicitPolicy)) goto err; + } else if (!strcmp(val->name, "inhibitPolicyMapping")) { + if (!X509V3_get_value_int(val, + &pcons->inhibitPolicyMapping)) goto err; } else { - X509V3err(X509V3_F_V2I_POLICY_CONSTRAINTS, X509V3_R_INVALID_NAME); + X509V3err(X509V3_F_V2I_POLICY_CONSTRAINTS, + X509V3_R_INVALID_NAME); X509V3_conf_err(val); goto err; } } if (!pcons->inhibitPolicyMapping && !pcons->requireExplicitPolicy) { - X509V3err(X509V3_F_V2I_POLICY_CONSTRAINTS, X509V3_R_ILLEGAL_EMPTY_EXTENSION); + X509V3err(X509V3_F_V2I_POLICY_CONSTRAINTS, + X509V3_R_ILLEGAL_EMPTY_EXTENSION); goto err; } return pcons; - err: + +err: POLICY_CONSTRAINTS_free(pcons); return NULL; } - diff --git a/lib/libcrypto/x509v3/v3_pku.c b/lib/libcrypto/x509v3/v3_pku.c index 076f3ff48e2..860b2471590 100644 --- a/lib/libcrypto/x509v3/v3_pku.c +++ b/lib/libcrypto/x509v3/v3_pku.c @@ -10,7 +10,7 @@ * are met: * * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. + * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in @@ -62,16 +62,17 @@ #include <openssl/asn1t.h> #include <openssl/x509v3.h> -static int i2r_PKEY_USAGE_PERIOD(X509V3_EXT_METHOD *method, PKEY_USAGE_PERIOD *usage, BIO *out, int indent); +static int i2r_PKEY_USAGE_PERIOD(X509V3_EXT_METHOD *method, + PKEY_USAGE_PERIOD *usage, BIO *out, int indent); /* static PKEY_USAGE_PERIOD *v2i_PKEY_USAGE_PERIOD(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values); */ const X509V3_EXT_METHOD v3_pkey_usage_period = { -NID_private_key_usage_period, 0, ASN1_ITEM_ref(PKEY_USAGE_PERIOD), -0,0,0,0, -0,0,0,0, -(X509V3_EXT_I2R)i2r_PKEY_USAGE_PERIOD, NULL, -NULL + NID_private_key_usage_period, 0, ASN1_ITEM_ref(PKEY_USAGE_PERIOD), + 0, 0, 0, 0, + 0, 0, 0, 0, + (X509V3_EXT_I2R)i2r_PKEY_USAGE_PERIOD, NULL, + NULL }; ASN1_SEQUENCE(PKEY_USAGE_PERIOD) = { @@ -81,16 +82,18 @@ ASN1_SEQUENCE(PKEY_USAGE_PERIOD) = { IMPLEMENT_ASN1_FUNCTIONS(PKEY_USAGE_PERIOD) -static int i2r_PKEY_USAGE_PERIOD(X509V3_EXT_METHOD *method, - PKEY_USAGE_PERIOD *usage, BIO *out, int indent) +static int +i2r_PKEY_USAGE_PERIOD(X509V3_EXT_METHOD *method, PKEY_USAGE_PERIOD *usage, + BIO *out, int indent) { BIO_printf(out, "%*s", indent, ""); - if(usage->notBefore) { + if (usage->notBefore) { BIO_write(out, "Not Before: ", 12); ASN1_GENERALIZEDTIME_print(out, usage->notBefore); - if(usage->notAfter) BIO_write(out, ", ", 2); + if (usage->notAfter) + BIO_write(out, ", ", 2); } - if(usage->notAfter) { + if (usage->notAfter) { BIO_write(out, "Not After: ", 11); ASN1_GENERALIZEDTIME_print(out, usage->notAfter); } diff --git a/lib/libcrypto/x509v3/v3_pmaps.c b/lib/libcrypto/x509v3/v3_pmaps.c index 626303264f7..bf5f2918774 100644 --- a/lib/libcrypto/x509v3/v3_pmaps.c +++ b/lib/libcrypto/x509v3/v3_pmaps.c @@ -1,5 +1,5 @@ /* v3_pmaps.c */ -/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project. */ /* ==================================================================== @@ -10,7 +10,7 @@ * are met: * * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. + * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in @@ -63,19 +63,19 @@ #include <openssl/conf.h> #include <openssl/x509v3.h> -static void *v2i_POLICY_MAPPINGS(X509V3_EXT_METHOD *method, - X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval); -static STACK_OF(CONF_VALUE) *i2v_POLICY_MAPPINGS(X509V3_EXT_METHOD *method, - void *pmps, STACK_OF(CONF_VALUE) *extlist); +static void *v2i_POLICY_MAPPINGS(const X509V3_EXT_METHOD *method, + X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval); +static STACK_OF(CONF_VALUE) *i2v_POLICY_MAPPINGS( + const X509V3_EXT_METHOD *method, void *pmps, STACK_OF(CONF_VALUE) *extlist); const X509V3_EXT_METHOD v3_policy_mappings = { NID_policy_mappings, 0, ASN1_ITEM_ref(POLICY_MAPPINGS), - 0,0,0,0, - 0,0, + 0, 0, 0, 0, + 0, 0, i2v_POLICY_MAPPINGS, v2i_POLICY_MAPPINGS, - 0,0, + 0, 0, NULL }; @@ -84,23 +84,24 @@ ASN1_SEQUENCE(POLICY_MAPPING) = { ASN1_SIMPLE(POLICY_MAPPING, subjectDomainPolicy, ASN1_OBJECT) } ASN1_SEQUENCE_END(POLICY_MAPPING) -ASN1_ITEM_TEMPLATE(POLICY_MAPPINGS) = - ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, POLICY_MAPPINGS, - POLICY_MAPPING) +ASN1_ITEM_TEMPLATE(POLICY_MAPPINGS) = +ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, POLICY_MAPPINGS, + POLICY_MAPPING) ASN1_ITEM_TEMPLATE_END(POLICY_MAPPINGS) IMPLEMENT_ASN1_ALLOC_FUNCTIONS(POLICY_MAPPING) - -static STACK_OF(CONF_VALUE) *i2v_POLICY_MAPPINGS(X509V3_EXT_METHOD *method, - void *a, STACK_OF(CONF_VALUE) *ext_list) +static STACK_OF(CONF_VALUE) * +i2v_POLICY_MAPPINGS(const X509V3_EXT_METHOD *method, void *a, + STACK_OF(CONF_VALUE) *ext_list) { POLICY_MAPPINGS *pmaps = a; POLICY_MAPPING *pmap; int i; char obj_tmp1[80]; char obj_tmp2[80]; - for(i = 0; i < sk_POLICY_MAPPING_num(pmaps); i++) { + + for (i = 0; i < sk_POLICY_MAPPING_num(pmaps); i++) { pmap = sk_POLICY_MAPPING_value(pmaps, i); i2t_ASN1_OBJECT(obj_tmp1, 80, pmap->issuerDomainPolicy); i2t_ASN1_OBJECT(obj_tmp2, 80, pmap->subjectDomainPolicy); @@ -109,8 +110,9 @@ static STACK_OF(CONF_VALUE) *i2v_POLICY_MAPPINGS(X509V3_EXT_METHOD *method, return ext_list; } -static void *v2i_POLICY_MAPPINGS(X509V3_EXT_METHOD *method, - X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval) +static void * +v2i_POLICY_MAPPINGS(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx, + STACK_OF(CONF_VALUE) *nval) { POLICY_MAPPINGS *pmaps; POLICY_MAPPING *pmap; @@ -118,31 +120,34 @@ static void *v2i_POLICY_MAPPINGS(X509V3_EXT_METHOD *method, CONF_VALUE *val; int i; - if(!(pmaps = sk_POLICY_MAPPING_new_null())) { - X509V3err(X509V3_F_V2I_POLICY_MAPPINGS,ERR_R_MALLOC_FAILURE); + if (!(pmaps = sk_POLICY_MAPPING_new_null())) { + X509V3err(X509V3_F_V2I_POLICY_MAPPINGS, ERR_R_MALLOC_FAILURE); return NULL; } - for(i = 0; i < sk_CONF_VALUE_num(nval); i++) { + for (i = 0; i < sk_CONF_VALUE_num(nval); i++) { val = sk_CONF_VALUE_value(nval, i); - if(!val->value || !val->name) { + if (!val->value || !val->name) { sk_POLICY_MAPPING_pop_free(pmaps, POLICY_MAPPING_free); - X509V3err(X509V3_F_V2I_POLICY_MAPPINGS,X509V3_R_INVALID_OBJECT_IDENTIFIER); + X509V3err(X509V3_F_V2I_POLICY_MAPPINGS, + X509V3_R_INVALID_OBJECT_IDENTIFIER); X509V3_conf_err(val); return NULL; } obj1 = OBJ_txt2obj(val->name, 0); obj2 = OBJ_txt2obj(val->value, 0); - if(!obj1 || !obj2) { + if (!obj1 || !obj2) { sk_POLICY_MAPPING_pop_free(pmaps, POLICY_MAPPING_free); - X509V3err(X509V3_F_V2I_POLICY_MAPPINGS,X509V3_R_INVALID_OBJECT_IDENTIFIER); + X509V3err(X509V3_F_V2I_POLICY_MAPPINGS, + X509V3_R_INVALID_OBJECT_IDENTIFIER); X509V3_conf_err(val); return NULL; } pmap = POLICY_MAPPING_new(); if (!pmap) { sk_POLICY_MAPPING_pop_free(pmaps, POLICY_MAPPING_free); - X509V3err(X509V3_F_V2I_POLICY_MAPPINGS,ERR_R_MALLOC_FAILURE); + X509V3err(X509V3_F_V2I_POLICY_MAPPINGS, + ERR_R_MALLOC_FAILURE); return NULL; } pmap->issuerDomainPolicy = obj1; diff --git a/lib/libcrypto/x509v3/v3_prn.c b/lib/libcrypto/x509v3/v3_prn.c index 565937af47e..3874ded51c9 100644 --- a/lib/libcrypto/x509v3/v3_prn.c +++ b/lib/libcrypto/x509v3/v3_prn.c @@ -10,7 +10,7 @@ * are met: * * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. + * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in @@ -64,139 +64,163 @@ /* Extension printing routines */ -static int unknown_ext_print(BIO *out, X509_EXTENSION *ext, unsigned long flag, int indent, int supported); +static int unknown_ext_print(BIO *out, X509_EXTENSION *ext, unsigned long flag, + int indent, int supported); /* Print out a name+value stack */ -void X509V3_EXT_val_prn(BIO *out, STACK_OF(CONF_VALUE) *val, int indent, int ml) +void +X509V3_EXT_val_prn(BIO *out, STACK_OF(CONF_VALUE) *val, int indent, int ml) { int i; CONF_VALUE *nval; - if(!val) return; - if(!ml || !sk_CONF_VALUE_num(val)) { + + if (!val) + return; + if (!ml || !sk_CONF_VALUE_num(val)) { BIO_printf(out, "%*s", indent, ""); - if(!sk_CONF_VALUE_num(val)) BIO_puts(out, "<EMPTY>\n"); + if (!sk_CONF_VALUE_num(val)) + BIO_puts(out, "<EMPTY>\n"); } - for(i = 0; i < sk_CONF_VALUE_num(val); i++) { - if(ml) BIO_printf(out, "%*s", indent, ""); - else if(i > 0) BIO_printf(out, ", "); - nval = sk_CONF_VALUE_value(val, i); - if(!nval->name) BIO_puts(out, nval->value); - else if(!nval->value) BIO_puts(out, nval->name); - else BIO_printf(out, "%s:%s", nval->name, nval->value); - if(ml) BIO_puts(out, "\n"); + for (i = 0; i < sk_CONF_VALUE_num(val); i++) { + if (ml) + BIO_printf(out, "%*s", indent, ""); + else if (i > 0) BIO_printf(out, ", "); + nval = sk_CONF_VALUE_value(val, i); + if (!nval->name) + BIO_puts(out, nval->value); + else if (!nval->value) + BIO_puts(out, nval->name); + else + BIO_printf(out, "%s:%s", nval->name, nval->value); + if (ml) + BIO_puts(out, "\n"); } } /* Main routine: print out a general extension */ -int X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, unsigned long flag, int indent) +int +X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, unsigned long flag, int indent) { void *ext_str = NULL; char *value = NULL; const unsigned char *p; - const X509V3_EXT_METHOD *method; + const X509V3_EXT_METHOD *method; STACK_OF(CONF_VALUE) *nval = NULL; int ok = 1; - if(!(method = X509V3_EXT_get(ext))) + if (!(method = X509V3_EXT_get(ext))) return unknown_ext_print(out, ext, flag, indent, 0); p = ext->value->data; - if(method->it) ext_str = ASN1_item_d2i(NULL, &p, ext->value->length, ASN1_ITEM_ptr(method->it)); - else ext_str = method->d2i(NULL, &p, ext->value->length); + if (method->it) + ext_str = ASN1_item_d2i(NULL, &p, ext->value->length, + ASN1_ITEM_ptr(method->it)); + else + ext_str = method->d2i(NULL, &p, ext->value->length); - if(!ext_str) return unknown_ext_print(out, ext, flag, indent, 1); + if (!ext_str) + return unknown_ext_print(out, ext, flag, indent, 1); - if(method->i2s) { - if(!(value = method->i2s(method, ext_str))) { + if (method->i2s) { + if (!(value = method->i2s(method, ext_str))) { ok = 0; goto err; } BIO_printf(out, "%*s%s", indent, "", value); - } else if(method->i2v) { - if(!(nval = method->i2v(method, ext_str, NULL))) { + } else if (method->i2v) { + if (!(nval = method->i2v(method, ext_str, NULL))) { ok = 0; goto err; } X509V3_EXT_val_prn(out, nval, indent, - method->ext_flags & X509V3_EXT_MULTILINE); - } else if(method->i2r) { - if(!method->i2r(method, ext_str, out, indent)) ok = 0; - } else ok = 0; - - err: - sk_CONF_VALUE_pop_free(nval, X509V3_conf_free); - if(value) free(value); - if(method->it) ASN1_item_free(ext_str, ASN1_ITEM_ptr(method->it)); - else method->ext_free(ext_str); - return ok; + method->ext_flags & X509V3_EXT_MULTILINE); + } else if (method->i2r) { + if (!method->i2r(method, ext_str, out, indent)) + ok = 0; + } else + ok = 0; + +err: + sk_CONF_VALUE_pop_free(nval, X509V3_conf_free); + if (value) + free(value); + if (method->it) + ASN1_item_free(ext_str, ASN1_ITEM_ptr(method->it)); + else + method->ext_free(ext_str); + return ok; } -int X509V3_extensions_print(BIO *bp, char *title, STACK_OF(X509_EXTENSION) *exts, unsigned long flag, int indent) +int +X509V3_extensions_print(BIO *bp, char *title, STACK_OF(X509_EXTENSION) *exts, + unsigned long flag, int indent) { int i, j; - if(sk_X509_EXTENSION_num(exts) <= 0) return 1; + if (sk_X509_EXTENSION_num(exts) <= 0) + return 1; - if(title) - { - BIO_printf(bp,"%*s%s:\n",indent, "", title); + if (title) { + BIO_printf(bp, "%*s%s:\n",indent, "", title); indent += 4; - } + } - for (i=0; i<sk_X509_EXTENSION_num(exts); i++) - { + for (i = 0; i < sk_X509_EXTENSION_num(exts); i++) { ASN1_OBJECT *obj; X509_EXTENSION *ex; - ex=sk_X509_EXTENSION_value(exts, i); - if (indent && BIO_printf(bp,"%*s",indent, "") <= 0) return 0; - obj=X509_EXTENSION_get_object(ex); - i2a_ASN1_OBJECT(bp,obj); - j=X509_EXTENSION_get_critical(ex); - if (BIO_printf(bp,": %s\n",j?"critical":"") <= 0) + ex = sk_X509_EXTENSION_value(exts, i); + if (indent && BIO_printf(bp, "%*s",indent, "") <= 0) return 0; - if(!X509V3_EXT_print(bp, ex, flag, indent + 4)) - { + obj = X509_EXTENSION_get_object(ex); + i2a_ASN1_OBJECT(bp, obj); + j = X509_EXTENSION_get_critical(ex); + if (BIO_printf(bp, ": %s\n",j?"critical":"") <= 0) + return 0; + if (!X509V3_EXT_print(bp, ex, flag, indent + 4)) { BIO_printf(bp, "%*s", indent + 4, ""); - M_ASN1_OCTET_STRING_print(bp,ex->value); - } - if (BIO_write(bp,"\n",1) <= 0) return 0; + M_ASN1_OCTET_STRING_print(bp, ex->value); } + if (BIO_write(bp, "\n",1) <= 0) + return 0; + } return 1; } -static int unknown_ext_print(BIO *out, X509_EXTENSION *ext, unsigned long flag, int indent, int supported) +static int +unknown_ext_print(BIO *out, X509_EXTENSION *ext, unsigned long flag, + int indent, int supported) { - switch(flag & X509V3_EXT_UNKNOWN_MASK) { - - case X509V3_EXT_DEFAULT: + switch (flag & X509V3_EXT_UNKNOWN_MASK) { + case X509V3_EXT_DEFAULT: return 0; - - case X509V3_EXT_ERROR_UNKNOWN: - if(supported) + case X509V3_EXT_ERROR_UNKNOWN: + if (supported) BIO_printf(out, "%*s<Parse Error>", indent, ""); else BIO_printf(out, "%*s<Not Supported>", indent, ""); return 1; - - case X509V3_EXT_PARSE_UNKNOWN: - return ASN1_parse_dump(out, - ext->value->data, ext->value->length, indent, -1); - case X509V3_EXT_DUMP_UNKNOWN: - return BIO_dump_indent(out, (char *)ext->value->data, ext->value->length, indent); - - default: + case X509V3_EXT_PARSE_UNKNOWN: + return ASN1_parse_dump(out, + ext->value->data, ext->value->length, indent, -1); + case X509V3_EXT_DUMP_UNKNOWN: + return BIO_dump_indent(out, (char *)ext->value->data, + ext->value->length, indent); + default: return 1; } } - + #ifndef OPENSSL_NO_FP_API -int X509V3_EXT_print_fp(FILE *fp, X509_EXTENSION *ext, int flag, int indent) +int +X509V3_EXT_print_fp(FILE *fp, X509_EXTENSION *ext, int flag, int indent) { BIO *bio_tmp; int ret; - if(!(bio_tmp = BIO_new_fp(fp, BIO_NOCLOSE))) return 0; + + if (!(bio_tmp = BIO_new_fp(fp, BIO_NOCLOSE))) + return 0; ret = X509V3_EXT_print(bio_tmp, ext, flag, indent); BIO_free(bio_tmp); return ret; diff --git a/lib/libcrypto/x509v3/v3_purp.c b/lib/libcrypto/x509v3/v3_purp.c index 45d7251c29f..2bf110c179d 100644 --- a/lib/libcrypto/x509v3/v3_purp.c +++ b/lib/libcrypto/x509v3/v3_purp.c @@ -10,7 +10,7 @@ * are met: * * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. + * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in @@ -64,19 +64,25 @@ static void x509v3_cache_extensions(X509 *x); static int check_ssl_ca(const X509 *x); -static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, int ca); -static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca); -static int check_purpose_ns_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca); +static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, + int ca); +static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x, + int ca); +static int check_purpose_ns_ssl_server(const X509_PURPOSE *xp, const X509 *x, + int ca); static int purpose_smime(const X509 *x, int ca); -static int check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x, int ca); -static int check_purpose_smime_encrypt(const X509_PURPOSE *xp, const X509 *x, int ca); -static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x, int ca); -static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x, int ca); +static int check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x, + int ca); +static int check_purpose_smime_encrypt(const X509_PURPOSE *xp, const X509 *x, + int ca); +static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x, + int ca); +static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x, + int ca); static int no_check(const X509_PURPOSE *xp, const X509 *x, int ca); static int ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca); -static int xp_cmp(const X509_PURPOSE * const *a, - const X509_PURPOSE * const *b); +static int xp_cmp(const X509_PURPOSE * const *a, const X509_PURPOSE * const *b); static void xptable_free(X509_PURPOSE *p); static X509_PURPOSE xstandard[] = { @@ -97,8 +103,8 @@ IMPLEMENT_STACK_OF(X509_PURPOSE) static STACK_OF(X509_PURPOSE) *xptable = NULL; -static int xp_cmp(const X509_PURPOSE * const *a, - const X509_PURPOSE * const *b) +static int +xp_cmp(const X509_PURPOSE * const *a, const X509_PURPOSE * const *b) { return (*a)->purpose - (*b)->purpose; } @@ -106,25 +112,30 @@ static int xp_cmp(const X509_PURPOSE * const *a, /* As much as I'd like to make X509_check_purpose use a "const" X509* * I really can't because it does recalculate hashes and do other non-const * things. */ -int X509_check_purpose(X509 *x, int id, int ca) +int +X509_check_purpose(X509 *x, int id, int ca) { int idx; const X509_PURPOSE *pt; - if(!(x->ex_flags & EXFLAG_SET)) { + + if (!(x->ex_flags & EXFLAG_SET)) { CRYPTO_w_lock(CRYPTO_LOCK_X509); x509v3_cache_extensions(x); CRYPTO_w_unlock(CRYPTO_LOCK_X509); } - if(id == -1) return 1; + if (id == -1) + return 1; idx = X509_PURPOSE_get_by_id(id); - if(idx == -1) return -1; + if (idx == -1) + return -1; pt = X509_PURPOSE_get0(idx); return pt->check_purpose(pt, x, ca); } -int X509_PURPOSE_set(int *p, int purpose) +int +X509_PURPOSE_set(int *p, int purpose) { - if(X509_PURPOSE_get_by_id(purpose) == -1) { + if (X509_PURPOSE_get_by_id(purpose) == -1) { X509V3err(X509V3_F_X509_PURPOSE_SET, X509V3_R_INVALID_PURPOSE); return 0; } @@ -132,49 +143,63 @@ int X509_PURPOSE_set(int *p, int purpose) return 1; } -int X509_PURPOSE_get_count(void) +int +X509_PURPOSE_get_count(void) { - if(!xptable) return X509_PURPOSE_COUNT; + if (!xptable) + return X509_PURPOSE_COUNT; return sk_X509_PURPOSE_num(xptable) + X509_PURPOSE_COUNT; } -X509_PURPOSE * X509_PURPOSE_get0(int idx) +X509_PURPOSE * +X509_PURPOSE_get0(int idx) { - if(idx < 0) return NULL; - if(idx < (int)X509_PURPOSE_COUNT) return xstandard + idx; + if (idx < 0) + return NULL; + if (idx < (int)X509_PURPOSE_COUNT) + return xstandard + idx; return sk_X509_PURPOSE_value(xptable, idx - X509_PURPOSE_COUNT); } -int X509_PURPOSE_get_by_sname(char *sname) +int +X509_PURPOSE_get_by_sname(char *sname) { int i; X509_PURPOSE *xptmp; - for(i = 0; i < X509_PURPOSE_get_count(); i++) { + + for (i = 0; i < X509_PURPOSE_get_count(); i++) { xptmp = X509_PURPOSE_get0(i); - if(!strcmp(xptmp->sname, sname)) return i; + if (!strcmp(xptmp->sname, sname)) + return i; } return -1; } -int X509_PURPOSE_get_by_id(int purpose) +int +X509_PURPOSE_get_by_id(int purpose) { X509_PURPOSE tmp; int idx; - if((purpose >= X509_PURPOSE_MIN) && (purpose <= X509_PURPOSE_MAX)) + + if ((purpose >= X509_PURPOSE_MIN) && (purpose <= X509_PURPOSE_MAX)) return purpose - X509_PURPOSE_MIN; tmp.purpose = purpose; - if(!xptable) return -1; + if (!xptable) + return -1; idx = sk_X509_PURPOSE_find(xptable, &tmp); - if(idx == -1) return -1; + if (idx == -1) + return -1; return idx + X509_PURPOSE_COUNT; } -int X509_PURPOSE_add(int id, int trust, int flags, - int (*ck)(const X509_PURPOSE *, const X509 *, int), - char *name, char *sname, void *arg) +int +X509_PURPOSE_add(int id, int trust, int flags, + int (*ck)(const X509_PURPOSE *, const X509 *, int), char *name, + char *sname, void *arg) { int idx; X509_PURPOSE *ptmp; + /* This is set according to what we change: application can't set it */ flags &= ~X509_PURPOSE_DYNAMIC; /* This will always be set for application modified trust entries */ @@ -182,24 +207,26 @@ int X509_PURPOSE_add(int id, int trust, int flags, /* Get existing entry if any */ idx = X509_PURPOSE_get_by_id(id); /* Need a new entry */ - if(idx == -1) { - if(!(ptmp = malloc(sizeof(X509_PURPOSE)))) { - X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE); + if (idx == -1) { + if (!(ptmp = malloc(sizeof(X509_PURPOSE)))) { + X509V3err(X509V3_F_X509_PURPOSE_ADD, + ERR_R_MALLOC_FAILURE); return 0; } ptmp->flags = X509_PURPOSE_DYNAMIC; - } else ptmp = X509_PURPOSE_get0(idx); + } else + ptmp = X509_PURPOSE_get0(idx); /* free existing name if dynamic */ - if(ptmp->flags & X509_PURPOSE_DYNAMIC_NAME) { + if (ptmp->flags & X509_PURPOSE_DYNAMIC_NAME) { free(ptmp->name); free(ptmp->sname); } /* dup supplied name */ ptmp->name = BUF_strdup(name); ptmp->sname = BUF_strdup(sname); - if(!ptmp->name || !ptmp->sname) { - X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE); + if (!ptmp->name || !ptmp->sname) { + X509V3err(X509V3_F_X509_PURPOSE_ADD, ERR_R_MALLOC_FAILURE); return 0; } /* Keep the dynamic flag of existing entry */ @@ -213,70 +240,82 @@ int X509_PURPOSE_add(int id, int trust, int flags, ptmp->usr_data = arg; /* If its a new entry manage the dynamic table */ - if(idx == -1) { - if(!xptable && !(xptable = sk_X509_PURPOSE_new(xp_cmp))) { - X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE); + if (idx == -1) { + if (!xptable && !(xptable = sk_X509_PURPOSE_new(xp_cmp))) { + X509V3err(X509V3_F_X509_PURPOSE_ADD, + ERR_R_MALLOC_FAILURE); return 0; } if (!sk_X509_PURPOSE_push(xptable, ptmp)) { - X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE); + X509V3err(X509V3_F_X509_PURPOSE_ADD, + ERR_R_MALLOC_FAILURE); return 0; } } return 1; } -static void xptable_free(X509_PURPOSE *p) - { - if(!p) return; - if (p->flags & X509_PURPOSE_DYNAMIC) - { +static void +xptable_free(X509_PURPOSE *p) +{ + if (!p) + return; + if (p->flags & X509_PURPOSE_DYNAMIC) { if (p->flags & X509_PURPOSE_DYNAMIC_NAME) { free(p->name); free(p->sname); } free(p); - } } +} -void X509_PURPOSE_cleanup(void) +void +X509_PURPOSE_cleanup(void) { unsigned int i; + sk_X509_PURPOSE_pop_free(xptable, xptable_free); - for(i = 0; i < X509_PURPOSE_COUNT; i++) xptable_free(xstandard + i); + for(i = 0; i < X509_PURPOSE_COUNT; i++) + xptable_free(xstandard + i); xptable = NULL; } -int X509_PURPOSE_get_id(X509_PURPOSE *xp) +int +X509_PURPOSE_get_id(X509_PURPOSE *xp) { return xp->purpose; } -char *X509_PURPOSE_get0_name(X509_PURPOSE *xp) +char * +X509_PURPOSE_get0_name(X509_PURPOSE *xp) { return xp->name; } -char *X509_PURPOSE_get0_sname(X509_PURPOSE *xp) +char * +X509_PURPOSE_get0_sname(X509_PURPOSE *xp) { return xp->sname; } -int X509_PURPOSE_get_trust(X509_PURPOSE *xp) +int +X509_PURPOSE_get_trust(X509_PURPOSE *xp) { return xp->trust; } -static int nid_cmp(const int *a, const int *b) - { +static int +nid_cmp(const int *a, const int *b) +{ return *a - *b; - } +} DECLARE_OBJ_BSEARCH_CMP_FN(int, int, nid); IMPLEMENT_OBJ_BSEARCH_CMP_FN(int, int, nid); -int X509_supported_extension(X509_EXTENSION *ex) - { +int +X509_supported_extension(X509_EXTENSION *ex) +{ /* This table is a list of the NIDs of supported extensions: * that is those which are used by the verify process. If * an extension is critical and doesn't appear in this list @@ -287,11 +326,11 @@ int X509_supported_extension(X509_EXTENSION *ex) static const int supported_nids[] = { NID_netscape_cert_type, /* 71 */ - NID_key_usage, /* 83 */ + NID_key_usage, /* 83 */ NID_subject_alt_name, /* 85 */ NID_basic_constraints, /* 87 */ NID_certificate_policies, /* 89 */ - NID_ext_key_usage, /* 126 */ + NID_ext_key_usage, /* 126 */ #ifndef OPENSSL_NO_RFC3779 NID_sbgp_ipAddrBlock, /* 290 */ NID_sbgp_autonomousSysNum, /* 291 */ @@ -305,56 +344,57 @@ int X509_supported_extension(X509_EXTENSION *ex) int ex_nid = OBJ_obj2nid(X509_EXTENSION_get_object(ex)); - if (ex_nid == NID_undef) + if (ex_nid == NID_undef) return 0; if (OBJ_bsearch_nid(&ex_nid, supported_nids, - sizeof(supported_nids)/sizeof(int))) + sizeof(supported_nids) / sizeof(int))) return 1; return 0; - } +} -static void setup_dp(X509 *x, DIST_POINT *dp) - { +static void +setup_dp(X509 *x, DIST_POINT *dp) +{ X509_NAME *iname = NULL; int i; - if (dp->reasons) - { + + if (dp->reasons) { if (dp->reasons->length > 0) dp->dp_reasons = dp->reasons->data[0]; if (dp->reasons->length > 1) dp->dp_reasons |= (dp->reasons->data[1] << 8); dp->dp_reasons &= CRLDP_ALL_REASONS; - } - else + } else dp->dp_reasons = CRLDP_ALL_REASONS; if (!dp->distpoint || (dp->distpoint->type != 1)) return; - for (i = 0; i < sk_GENERAL_NAME_num(dp->CRLissuer); i++) - { + for (i = 0; i < sk_GENERAL_NAME_num(dp->CRLissuer); i++) { GENERAL_NAME *gen = sk_GENERAL_NAME_value(dp->CRLissuer, i); - if (gen->type == GEN_DIRNAME) - { + if (gen->type == GEN_DIRNAME) { iname = gen->d.directoryName; break; - } } + } if (!iname) iname = X509_get_issuer_name(x); DIST_POINT_set_dpname(dp->distpoint, iname); - } +} -static void setup_crldp(X509 *x) - { +static void +setup_crldp(X509 *x) +{ int i; + x->crldp = X509_get_ext_d2i(x, NID_crl_distribution_points, NULL, NULL); for (i = 0; i < sk_DIST_POINT_num(x->crldp); i++) setup_dp(x, sk_DIST_POINT_value(x->crldp, i)); - } +} -static void x509v3_cache_extensions(X509 *x) +static void +x509v3_cache_extensions(X509 *x) { BASIC_CONSTRAINTS *bs; PROXY_CERT_INFO_EXTENSION *pci; @@ -362,89 +402,96 @@ static void x509v3_cache_extensions(X509 *x) ASN1_BIT_STRING *ns; EXTENDED_KEY_USAGE *extusage; X509_EXTENSION *ex; - + int i; - if(x->ex_flags & EXFLAG_SET) return; + if (x->ex_flags & EXFLAG_SET) + return; #ifndef OPENSSL_NO_SHA X509_digest(x, EVP_sha1(), x->sha1_hash, NULL); #endif /* Does subject name match issuer ? */ - if(!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x))) - x->ex_flags |= EXFLAG_SI; + if (!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x))) + x->ex_flags |= EXFLAG_SI; /* V1 should mean no extensions ... */ - if(!X509_get_version(x)) x->ex_flags |= EXFLAG_V1; + if (!X509_get_version(x)) + x->ex_flags |= EXFLAG_V1; /* Handle basic constraints */ - if((bs=X509_get_ext_d2i(x, NID_basic_constraints, NULL, NULL))) { - if(bs->ca) x->ex_flags |= EXFLAG_CA; - if(bs->pathlen) { - if((bs->pathlen->type == V_ASN1_NEG_INTEGER) - || !bs->ca) { + if ((bs = X509_get_ext_d2i(x, NID_basic_constraints, NULL, NULL))) { + if (bs->ca) + x->ex_flags |= EXFLAG_CA; + if (bs->pathlen) { + if ((bs->pathlen->type == V_ASN1_NEG_INTEGER) || + !bs->ca) { x->ex_flags |= EXFLAG_INVALID; x->ex_pathlen = 0; - } else x->ex_pathlen = ASN1_INTEGER_get(bs->pathlen); - } else x->ex_pathlen = -1; + } else + x->ex_pathlen = ASN1_INTEGER_get(bs->pathlen); + } else + x->ex_pathlen = -1; BASIC_CONSTRAINTS_free(bs); x->ex_flags |= EXFLAG_BCONS; } /* Handle proxy certificates */ - if((pci=X509_get_ext_d2i(x, NID_proxyCertInfo, NULL, NULL))) { - if (x->ex_flags & EXFLAG_CA - || X509_get_ext_by_NID(x, NID_subject_alt_name, -1) >= 0 - || X509_get_ext_by_NID(x, NID_issuer_alt_name, -1) >= 0) { + if ((pci = X509_get_ext_d2i(x, NID_proxyCertInfo, NULL, NULL))) { + if (x->ex_flags & EXFLAG_CA || + X509_get_ext_by_NID(x, NID_subject_alt_name, -1) >= 0 || + X509_get_ext_by_NID(x, NID_issuer_alt_name, -1) >= 0) { x->ex_flags |= EXFLAG_INVALID; } if (pci->pcPathLengthConstraint) { x->ex_pcpathlen = - ASN1_INTEGER_get(pci->pcPathLengthConstraint); - } else x->ex_pcpathlen = -1; + ASN1_INTEGER_get(pci->pcPathLengthConstraint); + } else + x->ex_pcpathlen = -1; PROXY_CERT_INFO_EXTENSION_free(pci); x->ex_flags |= EXFLAG_PROXY; } /* Handle key usage */ - if((usage=X509_get_ext_d2i(x, NID_key_usage, NULL, NULL))) { - if(usage->length > 0) { + if ((usage = X509_get_ext_d2i(x, NID_key_usage, NULL, NULL))) { + if (usage->length > 0) { x->ex_kusage = usage->data[0]; - if(usage->length > 1) + if (usage->length > 1) x->ex_kusage |= usage->data[1] << 8; - } else x->ex_kusage = 0; + } else + x->ex_kusage = 0; x->ex_flags |= EXFLAG_KUSAGE; ASN1_BIT_STRING_free(usage); } x->ex_xkusage = 0; - if((extusage=X509_get_ext_d2i(x, NID_ext_key_usage, NULL, NULL))) { + if ((extusage = X509_get_ext_d2i(x, NID_ext_key_usage, NULL, NULL))) { x->ex_flags |= EXFLAG_XKUSAGE; - for(i = 0; i < sk_ASN1_OBJECT_num(extusage); i++) { - switch(OBJ_obj2nid(sk_ASN1_OBJECT_value(extusage,i))) { - case NID_server_auth: + for (i = 0; i < sk_ASN1_OBJECT_num(extusage); i++) { + switch (OBJ_obj2nid(sk_ASN1_OBJECT_value(extusage, i))) { + case NID_server_auth: x->ex_xkusage |= XKU_SSL_SERVER; break; - case NID_client_auth: + case NID_client_auth: x->ex_xkusage |= XKU_SSL_CLIENT; break; - case NID_email_protect: + case NID_email_protect: x->ex_xkusage |= XKU_SMIME; break; - case NID_code_sign: + case NID_code_sign: x->ex_xkusage |= XKU_CODE_SIGN; break; - case NID_ms_sgc: - case NID_ns_sgc: + case NID_ms_sgc: + case NID_ns_sgc: x->ex_xkusage |= XKU_SGC; break; - case NID_OCSP_sign: + case NID_OCSP_sign: x->ex_xkusage |= XKU_OCSP_SIGN; break; - case NID_time_stamp: + case NID_time_stamp: x->ex_xkusage |= XKU_TIMESTAMP; break; - case NID_dvcs: + case NID_dvcs: x->ex_xkusage |= XKU_DVCS; break; } @@ -452,14 +499,17 @@ static void x509v3_cache_extensions(X509 *x) sk_ASN1_OBJECT_pop_free(extusage, ASN1_OBJECT_free); } - if((ns=X509_get_ext_d2i(x, NID_netscape_cert_type, NULL, NULL))) { - if(ns->length > 0) x->ex_nscert = ns->data[0]; - else x->ex_nscert = 0; + if ((ns = X509_get_ext_d2i(x, NID_netscape_cert_type, NULL, NULL))) { + if (ns->length > 0) + x->ex_nscert = ns->data[0]; + else + x->ex_nscert = 0; x->ex_flags |= EXFLAG_NSCERT; ASN1_BIT_STRING_free(ns); } - x->skid =X509_get_ext_d2i(x, NID_subject_key_identifier, NULL, NULL); - x->akid =X509_get_ext_d2i(x, NID_authority_key_identifier, NULL, NULL); + + x->skid = X509_get_ext_d2i(x, NID_subject_key_identifier, NULL, NULL); + x->akid = X509_get_ext_d2i(x, NID_authority_key_identifier, NULL, NULL); x->altname = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL); x->nc = X509_get_ext_d2i(x, NID_name_constraints, &i, NULL); if (!x->nc && (i != -1)) @@ -467,24 +517,22 @@ static void x509v3_cache_extensions(X509 *x) setup_crldp(x); #ifndef OPENSSL_NO_RFC3779 - x->rfc3779_addr =X509_get_ext_d2i(x, NID_sbgp_ipAddrBlock, NULL, NULL); - x->rfc3779_asid =X509_get_ext_d2i(x, NID_sbgp_autonomousSysNum, - NULL, NULL); + x->rfc3779_addr = X509_get_ext_d2i(x, NID_sbgp_ipAddrBlock, NULL, NULL); + x->rfc3779_asid = X509_get_ext_d2i(x, NID_sbgp_autonomousSysNum, + NULL, NULL); #endif - for (i = 0; i < X509_get_ext_count(x); i++) - { + for (i = 0; i < X509_get_ext_count(x); i++) { ex = X509_get_ext(x, i); - if (OBJ_obj2nid(X509_EXTENSION_get_object(ex)) - == NID_freshest_crl) + if (OBJ_obj2nid(X509_EXTENSION_get_object(ex)) == + NID_freshest_crl) x->ex_flags |= EXFLAG_FRESHEST; if (!X509_EXTENSION_get_critical(ex)) continue; - if (!X509_supported_extension(ex)) - { + if (!X509_supported_extension(ex)) { x->ex_flags |= EXFLAG_CRITICAL; break; - } } + } x->ex_flags |= EXFLAG_SET; } @@ -505,30 +553,38 @@ static void x509v3_cache_extensions(X509 *x) #define ns_reject(x, usage) \ (((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage))) -static int check_ca(const X509 *x) +static int +check_ca(const X509 *x) { /* keyUsage if present should allow cert signing */ - if(ku_reject(x, KU_KEY_CERT_SIGN)) return 0; - if(x->ex_flags & EXFLAG_BCONS) { - if(x->ex_flags & EXFLAG_CA) return 1; + if (ku_reject(x, KU_KEY_CERT_SIGN)) + return 0; + if (x->ex_flags & EXFLAG_BCONS) { + if (x->ex_flags & EXFLAG_CA) + return 1; /* If basicConstraints says not a CA then say so */ - else return 0; + else + return 0; } else { /* we support V1 roots for... uh, I don't really know why. */ - if((x->ex_flags & V1_ROOT) == V1_ROOT) return 3; + if ((x->ex_flags & V1_ROOT) == V1_ROOT) + return 3; /* If key usage present it must have certSign so tolerate it */ - else if (x->ex_flags & EXFLAG_KUSAGE) return 4; + else if (x->ex_flags & EXFLAG_KUSAGE) + return 4; /* Older certificates could have Netscape-specific CA types */ - else if (x->ex_flags & EXFLAG_NSCERT - && x->ex_nscert & NS_ANY_CA) return 5; + else if (x->ex_flags & EXFLAG_NSCERT && + x->ex_nscert & NS_ANY_CA) + return 5; /* can this still be regarded a CA certificate? I doubt it */ return 0; } } -int X509_check_ca(X509 *x) +int +X509_check_ca(X509 *x) { - if(!(x->ex_flags & EXFLAG_SET)) { + if (!(x->ex_flags & EXFLAG_SET)) { CRYPTO_w_lock(CRYPTO_LOCK_X509); x509v3_cache_extensions(x); CRYPTO_w_unlock(CRYPTO_LOCK_X509); @@ -538,131 +594,169 @@ int X509_check_ca(X509 *x) } /* Check SSL CA: common checks for SSL client and server */ -static int check_ssl_ca(const X509 *x) +static int +check_ssl_ca(const X509 *x) { int ca_ret; + ca_ret = check_ca(x); - if(!ca_ret) return 0; + if (!ca_ret) + return 0; /* check nsCertType if present */ - if(ca_ret != 5 || x->ex_nscert & NS_SSL_CA) return ca_ret; - else return 0; + if (ca_ret != 5 || x->ex_nscert & NS_SSL_CA) + return ca_ret; + else + return 0; } - -static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, int ca) +static int +check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, int ca) { - if(xku_reject(x,XKU_SSL_CLIENT)) return 0; - if(ca) return check_ssl_ca(x); + if (xku_reject(x, XKU_SSL_CLIENT)) + return 0; + if (ca) + return check_ssl_ca(x); /* We need to do digital signatures with it */ - if(ku_reject(x,KU_DIGITAL_SIGNATURE)) return 0; - /* nsCertType if present should allow SSL client use */ - if(ns_reject(x, NS_SSL_CLIENT)) return 0; + if (ku_reject(x, KU_DIGITAL_SIGNATURE)) + return 0; + /* nsCertType if present should allow SSL client use */ + if (ns_reject(x, NS_SSL_CLIENT)) + return 0; return 1; } -static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca) +static int +check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca) { - if(xku_reject(x,XKU_SSL_SERVER|XKU_SGC)) return 0; - if(ca) return check_ssl_ca(x); + if (xku_reject(x, XKU_SSL_SERVER|XKU_SGC)) + return 0; + if (ca) + return check_ssl_ca(x); - if(ns_reject(x, NS_SSL_SERVER)) return 0; + if (ns_reject(x, NS_SSL_SERVER)) + return 0; /* Now as for keyUsage: we'll at least need to sign OR encipher */ - if(ku_reject(x, KU_DIGITAL_SIGNATURE|KU_KEY_ENCIPHERMENT)) return 0; - - return 1; + if (ku_reject(x, KU_DIGITAL_SIGNATURE|KU_KEY_ENCIPHERMENT)) + return 0; + return 1; } -static int check_purpose_ns_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca) +static int +check_purpose_ns_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca) { int ret; + ret = check_purpose_ssl_server(xp, x, ca); - if(!ret || ca) return ret; + if (!ret || ca) + return ret; /* We need to encipher or Netscape complains */ - if(ku_reject(x, KU_KEY_ENCIPHERMENT)) return 0; + if (ku_reject(x, KU_KEY_ENCIPHERMENT)) + return 0; return ret; } /* common S/MIME checks */ -static int purpose_smime(const X509 *x, int ca) +static int +purpose_smime(const X509 *x, int ca) { - if(xku_reject(x,XKU_SMIME)) return 0; - if(ca) { + if (xku_reject(x, XKU_SMIME)) + return 0; + if (ca) { int ca_ret; ca_ret = check_ca(x); - if(!ca_ret) return 0; + if (!ca_ret) + return 0; /* check nsCertType if present */ - if(ca_ret != 5 || x->ex_nscert & NS_SMIME_CA) return ca_ret; - else return 0; + if (ca_ret != 5 || x->ex_nscert & NS_SMIME_CA) + return ca_ret; + else + return 0; } - if(x->ex_flags & EXFLAG_NSCERT) { - if(x->ex_nscert & NS_SMIME) return 1; + if (x->ex_flags & EXFLAG_NSCERT) { + if (x->ex_nscert & NS_SMIME) + return 1; /* Workaround for some buggy certificates */ - if(x->ex_nscert & NS_SSL_CLIENT) return 2; + if (x->ex_nscert & NS_SSL_CLIENT) + return 2; return 0; } return 1; } -static int check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x, int ca) +static int +check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x, int ca) { int ret; + ret = purpose_smime(x, ca); - if(!ret || ca) return ret; - if(ku_reject(x, KU_DIGITAL_SIGNATURE|KU_NON_REPUDIATION)) return 0; + if (!ret || ca) + return ret; + if (ku_reject(x, KU_DIGITAL_SIGNATURE|KU_NON_REPUDIATION)) + return 0; return ret; } -static int check_purpose_smime_encrypt(const X509_PURPOSE *xp, const X509 *x, int ca) +static int +check_purpose_smime_encrypt(const X509_PURPOSE *xp, const X509 *x, int ca) { int ret; + ret = purpose_smime(x, ca); - if(!ret || ca) return ret; - if(ku_reject(x, KU_KEY_ENCIPHERMENT)) return 0; + if (!ret || ca) + return ret; + if (ku_reject(x, KU_KEY_ENCIPHERMENT)) + return 0; return ret; } -static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x, int ca) +static int +check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x, int ca) { - if(ca) { + if (ca) { int ca_ret; - if((ca_ret = check_ca(x)) != 2) return ca_ret; - else return 0; + if ((ca_ret = check_ca(x)) != 2) + return ca_ret; + else + return 0; } - if(ku_reject(x, KU_CRL_SIGN)) return 0; + if (ku_reject(x, KU_CRL_SIGN)) + return 0; return 1; } /* OCSP helper: this is *not* a full OCSP check. It just checks that * each CA is valid. Additional checks must be made on the chain. */ - -static int ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca) +static int +ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca) { /* Must be a valid CA. Should we really support the "I don't know" value (2)? */ - if(ca) return check_ca(x); + if (ca) + return check_ca(x); /* leaf certificate is checked in OCSP_verify() */ return 1; } -static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x, - int ca) +static int +check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x, int ca) { int i_ext; /* If ca is true we must return if this is a valid CA certificate. */ - if (ca) return check_ca(x); + if (ca) + return check_ca(x); - /* + /* * Check the optional key usage field: - * if Key Usage is present, it must be one of digitalSignature + * if Key Usage is present, it must be one of digitalSignature * and/or nonRepudiation (other values are not consistent and shall * be rejected). */ - if ((x->ex_flags & EXFLAG_KUSAGE) - && ((x->ex_kusage & ~(KU_NON_REPUDIATION | KU_DIGITAL_SIGNATURE)) || - !(x->ex_kusage & (KU_NON_REPUDIATION | KU_DIGITAL_SIGNATURE)))) + if ((x->ex_flags & EXFLAG_KUSAGE) && + ((x->ex_kusage & ~(KU_NON_REPUDIATION | KU_DIGITAL_SIGNATURE)) || + !(x->ex_kusage & (KU_NON_REPUDIATION | KU_DIGITAL_SIGNATURE)))) return 0; /* Only time stamp key usage is permitted and it's required. */ @@ -671,17 +765,17 @@ static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x, /* Extended Key Usage MUST be critical */ i_ext = X509_get_ext_by_NID((X509 *) x, NID_ext_key_usage, -1); - if (i_ext >= 0) - { + if (i_ext >= 0) { X509_EXTENSION *ext = X509_get_ext((X509 *) x, i_ext); if (!X509_EXTENSION_get_critical(ext)) return 0; - } + } return 1; } -static int no_check(const X509_PURPOSE *xp, const X509 *x, int ca) +static int +no_check(const X509_PURPOSE *xp, const X509 *x, int ca) { return 1; } @@ -698,48 +792,45 @@ static int no_check(const X509_PURPOSE *xp, const X509 *x, int ca) * codes for X509_verify_cert() */ -int X509_check_issued(X509 *issuer, X509 *subject) +int +X509_check_issued(X509 *issuer, X509 *subject) { - if(X509_NAME_cmp(X509_get_subject_name(issuer), - X509_get_issuer_name(subject))) - return X509_V_ERR_SUBJECT_ISSUER_MISMATCH; + if (X509_NAME_cmp(X509_get_subject_name(issuer), + X509_get_issuer_name(subject))) + return X509_V_ERR_SUBJECT_ISSUER_MISMATCH; x509v3_cache_extensions(issuer); x509v3_cache_extensions(subject); - if(subject->akid) - { + if (subject->akid) { int ret = X509_check_akid(issuer, subject->akid); if (ret != X509_V_OK) return ret; - } + } - if(subject->ex_flags & EXFLAG_PROXY) - { - if(ku_reject(issuer, KU_DIGITAL_SIGNATURE)) + if (subject->ex_flags & EXFLAG_PROXY) { + if (ku_reject(issuer, KU_DIGITAL_SIGNATURE)) return X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE; - } - else if(ku_reject(issuer, KU_KEY_CERT_SIGN)) + } else if (ku_reject(issuer, KU_KEY_CERT_SIGN)) return X509_V_ERR_KEYUSAGE_NO_CERTSIGN; return X509_V_OK; } -int X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid) - { - - if(!akid) +int +X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid) +{ + if (!akid) return X509_V_OK; /* Check key ids (if present) */ - if(akid->keyid && issuer->skid && - ASN1_OCTET_STRING_cmp(akid->keyid, issuer->skid) ) - return X509_V_ERR_AKID_SKID_MISMATCH; + if (akid->keyid && issuer->skid && + ASN1_OCTET_STRING_cmp(akid->keyid, issuer->skid) ) + return X509_V_ERR_AKID_SKID_MISMATCH; /* Check serial number */ - if(akid->serial && - ASN1_INTEGER_cmp(X509_get_serialNumber(issuer), akid->serial)) - return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH; + if (akid->serial && + ASN1_INTEGER_cmp(X509_get_serialNumber(issuer), akid->serial)) + return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH; /* Check issuer name */ - if(akid->issuer) - { + if (akid->issuer) { /* Ugh, for some peculiar reason AKID includes * SEQUENCE OF GeneralName. So look for a DirName. * There may be more than one but we only take any @@ -750,18 +841,15 @@ int X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid) X509_NAME *nm = NULL; int i; gens = akid->issuer; - for(i = 0; i < sk_GENERAL_NAME_num(gens); i++) - { + for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) { gen = sk_GENERAL_NAME_value(gens, i); - if(gen->type == GEN_DIRNAME) - { + if (gen->type == GEN_DIRNAME) { nm = gen->d.dirn; break; - } } - if(nm && X509_NAME_cmp(nm, X509_get_issuer_name(issuer))) - return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH; } - return X509_V_OK; + if (nm && X509_NAME_cmp(nm, X509_get_issuer_name(issuer))) + return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH; } - + return X509_V_OK; +} |