src - OpenBSD base system

diff options


context:
space:
mode:

author	Joel Sing <jsing@cvs.openbsd.org>	2014-05-26 12:10:12 +0000
committer	Joel Sing <jsing@cvs.openbsd.org>	2014-05-26 12:10:12 +0000
commit	b6f8a020e9f83a123b80f1dff8e5726c8df73df5 (patch)
tree	9d8b381d509dff5b4428b7dca3014e55d4aba05d
parent	9e5896637f409b92169723b4890f96217b3f5146 (diff)

KNF.

Diffstat

-rw-r--r--

lib/libssl/src/crypto/x509v3/v3_pci.c

309

-rw-r--r--

lib/libssl/src/crypto/x509v3/v3_pcia.c

-rw-r--r--

lib/libssl/src/crypto/x509v3/v3_pcons.c

-rw-r--r--

lib/libssl/src/crypto/x509v3/v3_pku.c

-rw-r--r--

lib/libssl/src/crypto/x509v3/v3_pmaps.c

-rw-r--r--

lib/libssl/src/crypto/x509v3/v3_prn.c

168

-rw-r--r--

lib/libssl/src/crypto/x509v3/v3_purp.c

550

7 files changed, 666 insertions, 542 deletions

diff --git a/lib/libssl/src/crypto/x509v3/v3_pci.c b/lib/libssl/src/crypto/x509v3/v3_pci.c
index 9cef94258c2..ab09a36436e 100644
--- a/lib/libssl/src/crypto/x509v3/v3_pci.c
+++ b/lib/libssl/src/crypto/x509v3/v3_pci.c

@@ -40,209 +40,196 @@

#include <openssl/x509v3.h>

static int i2r_pci(X509V3_EXT_METHOD *method, PROXY_CERT_INFO_EXTENSION *ext,

- BIO *out, int indent);

+ BIO *out, int indent);

static PROXY_CERT_INFO_EXTENSION *r2i_pci(X509V3_EXT_METHOD *method,

- X509V3_CTX *ctx, char *str);

+ X509V3_CTX *ctx, char *str);

-const X509V3_EXT_METHOD v3_pci =

- { NID_proxyCertInfo, 0, ASN1_ITEM_ref(PROXY_CERT_INFO_EXTENSION),

- 0,0,0,0,

- 0,0,

- NULL, NULL,

- (X509V3_EXT_I2R)i2r_pci,

- (X509V3_EXT_R2I)r2i_pci,

- NULL,

- };

+const X509V3_EXT_METHOD v3_pci = {

+ NID_proxyCertInfo, 0, ASN1_ITEM_ref(PROXY_CERT_INFO_EXTENSION),

+ 0, 0, 0, 0, 0, 0, NULL, NULL,

+ (X509V3_EXT_I2R)i2r_pci,

+ (X509V3_EXT_R2I)r2i_pci,

+ NULL,

+};

-static int i2r_pci(X509V3_EXT_METHOD *method, PROXY_CERT_INFO_EXTENSION *pci,

- BIO *out, int indent)

- {

+static int

+i2r_pci(X509V3_EXT_METHOD *method, PROXY_CERT_INFO_EXTENSION *pci, BIO *out,

+ int indent)

BIO_printf(out, "%*sPath Length Constraint: ", indent, "");

if (pci->pcPathLengthConstraint)

- i2a_ASN1_INTEGER(out, pci->pcPathLengthConstraint);

+ i2a_ASN1_INTEGER(out, pci->pcPathLengthConstraint);

else

- BIO_printf(out, "infinite");

+ BIO_printf(out, "infinite");

BIO_puts(out, "\n");

BIO_printf(out, "%*sPolicy Language: ", indent, "");

i2a_ASN1_OBJECT(out, pci->proxyPolicy->policyLanguage);

BIO_puts(out, "\n");

if (pci->proxyPolicy->policy && pci->proxyPolicy->policy->data)

- BIO_printf(out, "%*sPolicy Text: %s\n", indent, "",

- pci->proxyPolicy->policy->data);

+ BIO_printf(out, "%*sPolicy Text: %s\n", indent, "",

+ pci->proxyPolicy->policy->data);

return 1;

- }

-static int process_pci_value(CONF_VALUE *val,

- ASN1_OBJECT **language, ASN1_INTEGER **pathlen,

- ASN1_OCTET_STRING **policy)

- {

+static int

+process_pci_value(CONF_VALUE *val, ASN1_OBJECT **language,

+ ASN1_INTEGER **pathlen, ASN1_OCTET_STRING **policy)

int free_policy = 0;

- if (strcmp(val->name, "language") == 0)

- {

- if (*language)

- {

- X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_POLICY_LANGUAGE_ALREADY_DEFINED);

+ if (strcmp(val->name, "language") == 0) {

+ if (*language) {

+ X509V3err(X509V3_F_PROCESS_PCI_VALUE,

+ X509V3_R_POLICY_LANGUAGE_ALREADY_DEFINED);

X509V3_conf_err(val);

return 0;

- }

- if (!(*language = OBJ_txt2obj(val->value, 0)))

- {

- X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_INVALID_OBJECT_IDENTIFIER);

+ }

+ if (!(*language = OBJ_txt2obj(val->value, 0))) {

+ X509V3err(X509V3_F_PROCESS_PCI_VALUE,

+ X509V3_R_INVALID_OBJECT_IDENTIFIER);

X509V3_conf_err(val);

return 0;

- }

}

- else if (strcmp(val->name, "pathlen") == 0)

- {

- if (*pathlen)

- {

- X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_POLICY_PATH_LENGTH_ALREADY_DEFINED);

+ }

+ else if (strcmp(val->name, "pathlen") == 0) {

+ if (*pathlen) {

+ X509V3err(X509V3_F_PROCESS_PCI_VALUE,

+ X509V3_R_POLICY_PATH_LENGTH_ALREADY_DEFINED);

X509V3_conf_err(val);

return 0;

- }

- if (!X509V3_get_value_int(val, pathlen))

- {

- X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_POLICY_PATH_LENGTH);

+ }

+ if (!X509V3_get_value_int(val, pathlen)) {

+ X509V3err(X509V3_F_PROCESS_PCI_VALUE,

+ X509V3_R_POLICY_PATH_LENGTH);

X509V3_conf_err(val);

return 0;

- }

}

- else if (strcmp(val->name, "policy") == 0)

- {

+ }

+ else if (strcmp(val->name, "policy") == 0) {

unsigned char *tmp_data = NULL;

long val_len;

- if (!*policy)

- {

+ if (!*policy) {

*policy = ASN1_OCTET_STRING_new();

- if (!*policy)

- {

- X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_MALLOC_FAILURE);

+ if (!*policy) {

+ X509V3err(X509V3_F_PROCESS_PCI_VALUE,

+ ERR_R_MALLOC_FAILURE);

X509V3_conf_err(val);

return 0;

- }

- free_policy = 1;

}

- if (strncmp(val->value, "hex:", 4) == 0)

- {

+ free_policy = 1;

+ }

+ if (strncmp(val->value, "hex:", 4) == 0) {

unsigned char *tmp_data2 =

- string_to_hex(val->value + 4, &val_len);

+ string_to_hex(val->value + 4, &val_len);

- if (!tmp_data2)

- {

- X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_ILLEGAL_HEX_DIGIT);

+ if (!tmp_data2) {

+ X509V3err(X509V3_F_PROCESS_PCI_VALUE,

+ X509V3_R_ILLEGAL_HEX_DIGIT);

X509V3_conf_err(val);

goto err;

- }

+ }

tmp_data = realloc((*policy)->data,

- (*policy)->length + val_len + 1);

- if (tmp_data)

- {

+ (*policy)->length + val_len + 1);

+ if (tmp_data) {

(*policy)->data = tmp_data;

memcpy(&(*policy)->data[(*policy)->length],

- tmp_data2, val_len);

+ tmp_data2, val_len);

(*policy)->length += val_len;

(*policy)->data[(*policy)->length] = '\0';

- }

- else

- {

+ } else {

free(tmp_data2);

/* realloc failure implies the original data space is b0rked too! */

(*policy)->data = NULL;

(*policy)->length = 0;

- X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_MALLOC_FAILURE);

+ X509V3err(X509V3_F_PROCESS_PCI_VALUE,

+ ERR_R_MALLOC_FAILURE);

X509V3_conf_err(val);

goto err;

- }

- free(tmp_data2);

}

- else if (strncmp(val->value, "file:", 5) == 0)

- {

+ free(tmp_data2);

+ }

+ else if (strncmp(val->value, "file:", 5) == 0) {

unsigned char buf[2048];

int n;

BIO *b = BIO_new_file(val->value + 5, "r");

- if (!b)

- {

- X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_BIO_LIB);

+ if (!b) {

+ X509V3err(X509V3_F_PROCESS_PCI_VALUE,

+ ERR_R_BIO_LIB);

X509V3_conf_err(val);

goto err;

- }

- while((n = BIO_read(b, buf, sizeof(buf))) > 0

- || (n == 0 && BIO_should_retry(b)))

- {

- if (!n) continue;

+ }

+ while ((n = BIO_read(b, buf, sizeof(buf))) > 0 ||

+ (n == 0 && BIO_should_retry(b))) {

+ if (!n)

+ continue;

tmp_data = realloc((*policy)->data,

- (*policy)->length + n + 1);

+ (*policy)->length + n + 1);

if (!tmp_data)

break;

(*policy)->data = tmp_data;

memcpy(&(*policy)->data[(*policy)->length],

- buf, n);

+ buf, n);

(*policy)->length += n;

(*policy)->data[(*policy)->length] = '\0';

- }

+ }

BIO_free_all(b);

- if (n < 0)

- {

- X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_BIO_LIB);

+ if (n < 0) {

+ X509V3err(X509V3_F_PROCESS_PCI_VALUE,

+ ERR_R_BIO_LIB);

X509V3_conf_err(val);

goto err;

- }

}

- else if (strncmp(val->value, "text:", 5) == 0)

- {

+ }

+ else if (strncmp(val->value, "text:", 5) == 0) {

val_len = strlen(val->value + 5);

tmp_data = realloc((*policy)->data,

- (*policy)->length + val_len + 1);

- if (tmp_data)

- {

+ (*policy)->length + val_len + 1);

+ if (tmp_data) {

(*policy)->data = tmp_data;

memcpy(&(*policy)->data[(*policy)->length],

- val->value + 5, val_len);

+ val->value + 5, val_len);

(*policy)->length += val_len;

(*policy)->data[(*policy)->length] = '\0';

- }

- else

- {

+ } else {

/* realloc failure implies the original data space is b0rked too! */

(*policy)->data = NULL;

(*policy)->length = 0;

- X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_MALLOC_FAILURE);

+ X509V3err(X509V3_F_PROCESS_PCI_VALUE,

+ ERR_R_MALLOC_FAILURE);

X509V3_conf_err(val);

goto err;

- }

}

- else

- {

- X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_INCORRECT_POLICY_SYNTAX_TAG);

+ } else {

+ X509V3err(X509V3_F_PROCESS_PCI_VALUE,

+ X509V3_R_INCORRECT_POLICY_SYNTAX_TAG);

X509V3_conf_err(val);

goto err;

- }

- if (!tmp_data)

- {

- X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_MALLOC_FAILURE);

+ }

+ if (!tmp_data) {

+ X509V3err(X509V3_F_PROCESS_PCI_VALUE,

+ ERR_R_MALLOC_FAILURE);

X509V3_conf_err(val);

goto err;

- }

}

+ }

return 1;

err:

- if (free_policy)

- {

+ if (free_policy) {

ASN1_OCTET_STRING_free(*policy);

*policy = NULL;

- }

- return 0;

}

+ return 0;

-static PROXY_CERT_INFO_EXTENSION *r2i_pci(X509V3_EXT_METHOD *method,

- X509V3_CTX *ctx, char *value)

- {

+static PROXY_CERT_INFO_EXTENSION *

+r2i_pci(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *value)

PROXY_CERT_INFO_EXTENSION *pci = NULL;

STACK_OF(CONF_VALUE) *vals;

ASN1_OBJECT *language = NULL;

@@ -251,78 +238,88 @@ static PROXY_CERT_INFO_EXTENSION *r2i_pci(X509V3_EXT_METHOD *method,

int i, j;

vals = X509V3_parse_list(value);

- for (i = 0; i < sk_CONF_VALUE_num(vals); i++)

- {

+ for (i = 0; i < sk_CONF_VALUE_num(vals); i++) {

CONF_VALUE *cnf = sk_CONF_VALUE_value(vals, i);

- if (!cnf->name || (*cnf->name != '@' && !cnf->value))

- {

- X509V3err(X509V3_F_R2I_PCI,X509V3_R_INVALID_PROXY_POLICY_SETTING);

+ if (!cnf->name || (*cnf->name != '@' && !cnf->value)) {

+ X509V3err(X509V3_F_R2I_PCI,

+ X509V3_R_INVALID_PROXY_POLICY_SETTING);

X509V3_conf_err(cnf);

goto err;

- }

- if (*cnf->name == '@')

- {

+ }

+ if (*cnf->name == '@') {

STACK_OF(CONF_VALUE) *sect;

int success_p = 1;

sect = X509V3_get_section(ctx, cnf->name + 1);

- if (!sect)

- {

- X509V3err(X509V3_F_R2I_PCI,X509V3_R_INVALID_SECTION);

+ if (!sect) {

+ X509V3err(X509V3_F_R2I_PCI,

+ X509V3_R_INVALID_SECTION);

X509V3_conf_err(cnf);

goto err;

- }

- for (j = 0; success_p && j < sk_CONF_VALUE_num(sect); j++)

- {

- success_p =

- process_pci_value(sk_CONF_VALUE_value(sect, j),

- &language, &pathlen, &policy);

- }

+ }

+ for (j = 0; success_p &&

+ j < sk_CONF_VALUE_num(sect); j++) {

+ success_p = process_pci_value(

+ sk_CONF_VALUE_value(sect, j),

+ &language, &pathlen, &policy);

+ }

X509V3_section_free(ctx, sect);

if (!success_p)

goto err;

- }

- else

- {

+ } else {

if (!process_pci_value(cnf,

- &language, &pathlen, &policy))

- {

+ &language, &pathlen, &policy)) {

X509V3_conf_err(cnf);

goto err;

- }

}

+ }

/* Language is mandatory */

- if (!language)

- {

- X509V3err(X509V3_F_R2I_PCI,X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED);

+ if (!language) {

+ X509V3err(X509V3_F_R2I_PCI,

+ X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED);

goto err;

- }

+ }

i = OBJ_obj2nid(language);

- if ((i == NID_Independent || i == NID_id_ppl_inheritAll) && policy)

- {

- X509V3err(X509V3_F_R2I_PCI,X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY);

+ if ((i == NID_Independent || i == NID_id_ppl_inheritAll) && policy) {

+ X509V3err(X509V3_F_R2I_PCI,

+ X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY);

goto err;

- }

+ }

pci = PROXY_CERT_INFO_EXTENSION_new();

- if (!pci)

- {

- X509V3err(X509V3_F_R2I_PCI,ERR_R_MALLOC_FAILURE);

+ if (!pci) {

+ X509V3err(X509V3_F_R2I_PCI, ERR_R_MALLOC_FAILURE);

goto err;

- }

+ }

- pci->proxyPolicy->policyLanguage = language; language = NULL;

- pci->proxyPolicy->policy = policy; policy = NULL;

- pci->pcPathLengthConstraint = pathlen; pathlen = NULL;

+ pci->proxyPolicy->policyLanguage = language;

+ language = NULL;

+ pci->proxyPolicy->policy = policy;

+ policy = NULL;

+ pci->pcPathLengthConstraint = pathlen;

+ pathlen = NULL;

goto end;

err:

- if (language) { ASN1_OBJECT_free(language); language = NULL; }

- if (pathlen) { ASN1_INTEGER_free(pathlen); pathlen = NULL; }

- if (policy) { ASN1_OCTET_STRING_free(policy); policy = NULL; }

- if (pci) { PROXY_CERT_INFO_EXTENSION_free(pci); pci = NULL; }

+ if (language) {

+ ASN1_OBJECT_free(language);

+ language = NULL;

+ }

+ if (pathlen) {

+ ASN1_INTEGER_free(pathlen);

+ pathlen = NULL;

+ }

+ if (policy) {

+ ASN1_OCTET_STRING_free(policy);

+ policy = NULL;

+ }

+ if (pci) {

+ PROXY_CERT_INFO_EXTENSION_free(pci);

+ pci = NULL;

+ }

end:

sk_CONF_VALUE_pop_free(vals, X509V3_conf_free);

return pci;

- }

diff --git a/lib/libssl/src/crypto/x509v3/v3_pcia.c b/lib/libssl/src/crypto/x509v3/v3_pcia.c
index bb362e0e5a9..ae5d58a009e 100644
--- a/lib/libssl/src/crypto/x509v3/v3_pcia.c
+++ b/lib/libssl/src/crypto/x509v3/v3_pcia.c

@@ -38,18 +38,17 @@

#include <openssl/asn1t.h>

#include <openssl/x509v3.h>

-ASN1_SEQUENCE(PROXY_POLICY) =

- {

- ASN1_SIMPLE(PROXY_POLICY,policyLanguage,ASN1_OBJECT),

- ASN1_OPT(PROXY_POLICY,policy,ASN1_OCTET_STRING)

+ASN1_SEQUENCE(PROXY_POLICY) = {

+ ASN1_SIMPLE(PROXY_POLICY, policyLanguage, ASN1_OBJECT),

+ ASN1_OPT(PROXY_POLICY, policy, ASN1_OCTET_STRING)

} ASN1_SEQUENCE_END(PROXY_POLICY)

IMPLEMENT_ASN1_FUNCTIONS(PROXY_POLICY)

-ASN1_SEQUENCE(PROXY_CERT_INFO_EXTENSION) =

- {

- ASN1_OPT(PROXY_CERT_INFO_EXTENSION,pcPathLengthConstraint,ASN1_INTEGER),

- ASN1_SIMPLE(PROXY_CERT_INFO_EXTENSION,proxyPolicy,PROXY_POLICY)

+ASN1_SEQUENCE(PROXY_CERT_INFO_EXTENSION) = {

+ ASN1_OPT(PROXY_CERT_INFO_EXTENSION, pcPathLengthConstraint,

+ ASN1_INTEGER),

+ ASN1_SIMPLE(PROXY_CERT_INFO_EXTENSION, proxyPolicy, PROXY_POLICY)

} ASN1_SEQUENCE_END(PROXY_CERT_INFO_EXTENSION)

IMPLEMENT_ASN1_FUNCTIONS(PROXY_CERT_INFO_EXTENSION)

diff --git a/lib/libssl/src/crypto/x509v3/v3_pcons.c b/lib/libssl/src/crypto/x509v3/v3_pcons.c
index 13248c2adaf..c622cae85a6 100644
--- a/lib/libssl/src/crypto/x509v3/v3_pcons.c
+++ b/lib/libssl/src/crypto/x509v3/v3_pcons.c

@@ -1,5 +1,5 @@

/* v3_pcons.c */

-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL

+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL

* project.

/* ====================================================================

@@ -10,7 +10,7 @@

* are met:

* 1. Redistributions of source code must retain the above copyright

- * notice, this list of conditions and the following disclaimer.

+ * notice, this list of conditions and the following disclaimer.

* 2. Redistributions in binary form must reproduce the above copyright

* notice, this list of conditions and the following disclaimer in

@@ -64,73 +64,81 @@

#include <openssl/conf.h>

#include <openssl/x509v3.h>

-static STACK_OF(CONF_VALUE) *i2v_POLICY_CONSTRAINTS(X509V3_EXT_METHOD *method,

- void *bcons, STACK_OF(CONF_VALUE) *extlist);

-static void *v2i_POLICY_CONSTRAINTS(X509V3_EXT_METHOD *method,

- X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values);

+static STACK_OF(CONF_VALUE) *

+i2v_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD *method, void *bcons,

+ STACK_OF(CONF_VALUE) *extlist);

+static void *v2i_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD *method,

+ X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values);

const X509V3_EXT_METHOD v3_policy_constraints = {

-NID_policy_constraints, 0,

-ASN1_ITEM_ref(POLICY_CONSTRAINTS),

-0,0,0,0,

-0,0,

-i2v_POLICY_CONSTRAINTS,

-v2i_POLICY_CONSTRAINTS,

-NULL,NULL,

-NULL

+ NID_policy_constraints, 0,

+ ASN1_ITEM_ref(POLICY_CONSTRAINTS),

+ 0, 0, 0, 0,

+ 0, 0,

+ i2v_POLICY_CONSTRAINTS,

+ v2i_POLICY_CONSTRAINTS,

+ NULL, NULL,

+ NULL

};

ASN1_SEQUENCE(POLICY_CONSTRAINTS) = {

- ASN1_IMP_OPT(POLICY_CONSTRAINTS, requireExplicitPolicy, ASN1_INTEGER,0),

- ASN1_IMP_OPT(POLICY_CONSTRAINTS, inhibitPolicyMapping, ASN1_INTEGER,1)

+ ASN1_IMP_OPT(POLICY_CONSTRAINTS, requireExplicitPolicy,

+ ASN1_INTEGER, 0),

+ ASN1_IMP_OPT(POLICY_CONSTRAINTS, inhibitPolicyMapping, ASN1_INTEGER, 1)

} ASN1_SEQUENCE_END(POLICY_CONSTRAINTS)

IMPLEMENT_ASN1_ALLOC_FUNCTIONS(POLICY_CONSTRAINTS)

-static STACK_OF(CONF_VALUE) *i2v_POLICY_CONSTRAINTS(X509V3_EXT_METHOD *method,

- void *a, STACK_OF(CONF_VALUE) *extlist)

+static STACK_OF(CONF_VALUE) *

+i2v_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD *method, void *a,

+ STACK_OF(CONF_VALUE) *extlist)

{

POLICY_CONSTRAINTS *pcons = a;

X509V3_add_value_int("Require Explicit Policy",

- pcons->requireExplicitPolicy, &extlist);

+ pcons->requireExplicitPolicy, &extlist);

X509V3_add_value_int("Inhibit Policy Mapping",

- pcons->inhibitPolicyMapping, &extlist);

+ pcons->inhibitPolicyMapping, &extlist);

return extlist;

}

-static void *v2i_POLICY_CONSTRAINTS(X509V3_EXT_METHOD *method,

- X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values)

+static void *

+v2i_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,

+ STACK_OF(CONF_VALUE) *values)

{

- POLICY_CONSTRAINTS *pcons=NULL;

+ POLICY_CONSTRAINTS *pcons = NULL;

CONF_VALUE *val;

int i;

- if(!(pcons = POLICY_CONSTRAINTS_new())) {

- X509V3err(X509V3_F_V2I_POLICY_CONSTRAINTS, ERR_R_MALLOC_FAILURE);

+ if (!(pcons = POLICY_CONSTRAINTS_new())) {

+ X509V3err(X509V3_F_V2I_POLICY_CONSTRAINTS,

+ ERR_R_MALLOC_FAILURE);

return NULL;

}

- for(i = 0; i < sk_CONF_VALUE_num(values); i++) {

+ for (i = 0; i < sk_CONF_VALUE_num(values); i++) {

val = sk_CONF_VALUE_value(values, i);

- if(!strcmp(val->name, "requireExplicitPolicy")) {

- if(!X509V3_get_value_int(val,

- &pcons->requireExplicitPolicy)) goto err;

- } else if(!strcmp(val->name, "inhibitPolicyMapping")) {

- if(!X509V3_get_value_int(val,

- &pcons->inhibitPolicyMapping)) goto err;

+ if (!strcmp(val->name, "requireExplicitPolicy")) {

+ if (!X509V3_get_value_int(val,

+ &pcons->requireExplicitPolicy)) goto err;

+ } else if (!strcmp(val->name, "inhibitPolicyMapping")) {

+ if (!X509V3_get_value_int(val,

+ &pcons->inhibitPolicyMapping)) goto err;

} else {

- X509V3err(X509V3_F_V2I_POLICY_CONSTRAINTS, X509V3_R_INVALID_NAME);

+ X509V3err(X509V3_F_V2I_POLICY_CONSTRAINTS,

+ X509V3_R_INVALID_NAME);

X509V3_conf_err(val);

goto err;

}

if (!pcons->inhibitPolicyMapping && !pcons->requireExplicitPolicy) {

- X509V3err(X509V3_F_V2I_POLICY_CONSTRAINTS, X509V3_R_ILLEGAL_EMPTY_EXTENSION);

+ X509V3err(X509V3_F_V2I_POLICY_CONSTRAINTS,

+ X509V3_R_ILLEGAL_EMPTY_EXTENSION);

goto err;

}

return pcons;

- err:

+err:

POLICY_CONSTRAINTS_free(pcons);

return NULL;

}

diff --git a/lib/libssl/src/crypto/x509v3/v3_pku.c b/lib/libssl/src/crypto/x509v3/v3_pku.c
index 076f3ff48e2..860b2471590 100644
--- a/lib/libssl/src/crypto/x509v3/v3_pku.c
+++ b/lib/libssl/src/crypto/x509v3/v3_pku.c

@@ -10,7 +10,7 @@

* are met:

* 1. Redistributions of source code must retain the above copyright

- * notice, this list of conditions and the following disclaimer.

+ * notice, this list of conditions and the following disclaimer.

* 2. Redistributions in binary form must reproduce the above copyright

* notice, this list of conditions and the following disclaimer in

@@ -62,16 +62,17 @@

#include <openssl/asn1t.h>

#include <openssl/x509v3.h>

-static int i2r_PKEY_USAGE_PERIOD(X509V3_EXT_METHOD *method, PKEY_USAGE_PERIOD *usage, BIO *out, int indent);

+static int i2r_PKEY_USAGE_PERIOD(X509V3_EXT_METHOD *method,

+ PKEY_USAGE_PERIOD *usage, BIO *out, int indent);

static PKEY_USAGE_PERIOD *v2i_PKEY_USAGE_PERIOD(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values);

const X509V3_EXT_METHOD v3_pkey_usage_period = {

-NID_private_key_usage_period, 0, ASN1_ITEM_ref(PKEY_USAGE_PERIOD),

-0,0,0,0,

-(X509V3_EXT_I2R)i2r_PKEY_USAGE_PERIOD, NULL,

-NULL

+ NID_private_key_usage_period, 0, ASN1_ITEM_ref(PKEY_USAGE_PERIOD),

+ 0, 0, 0, 0,

+ (X509V3_EXT_I2R)i2r_PKEY_USAGE_PERIOD, NULL,

+ NULL

};

ASN1_SEQUENCE(PKEY_USAGE_PERIOD) = {

@@ -81,16 +82,18 @@ ASN1_SEQUENCE(PKEY_USAGE_PERIOD) = {

IMPLEMENT_ASN1_FUNCTIONS(PKEY_USAGE_PERIOD)

-static int i2r_PKEY_USAGE_PERIOD(X509V3_EXT_METHOD *method,

- PKEY_USAGE_PERIOD *usage, BIO *out, int indent)

+static int

+i2r_PKEY_USAGE_PERIOD(X509V3_EXT_METHOD *method, PKEY_USAGE_PERIOD *usage,

+ BIO *out, int indent)

{

BIO_printf(out, "%*s", indent, "");

- if(usage->notBefore) {

+ if (usage->notBefore) {

BIO_write(out, "Not Before: ", 12);

ASN1_GENERALIZEDTIME_print(out, usage->notBefore);

- if(usage->notAfter) BIO_write(out, ", ", 2);

+ if (usage->notAfter)

+ BIO_write(out, ", ", 2);

}

- if(usage->notAfter) {

+ if (usage->notAfter) {

BIO_write(out, "Not After: ", 11);

ASN1_GENERALIZEDTIME_print(out, usage->notAfter);

}

diff --git a/lib/libssl/src/crypto/x509v3/v3_pmaps.c b/lib/libssl/src/crypto/x509v3/v3_pmaps.c
index 626303264f7..bf5f2918774 100644
--- a/lib/libssl/src/crypto/x509v3/v3_pmaps.c
+++ b/lib/libssl/src/crypto/x509v3/v3_pmaps.c

@@ -1,5 +1,5 @@

/* v3_pmaps.c */

-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL

+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL

* project.

/* ====================================================================

@@ -10,7 +10,7 @@

* are met:

* 1. Redistributions of source code must retain the above copyright

- * notice, this list of conditions and the following disclaimer.

+ * notice, this list of conditions and the following disclaimer.

* 2. Redistributions in binary form must reproduce the above copyright

* notice, this list of conditions and the following disclaimer in

@@ -63,19 +63,19 @@

#include <openssl/conf.h>

#include <openssl/x509v3.h>

-static void *v2i_POLICY_MAPPINGS(X509V3_EXT_METHOD *method,

- X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);

-static STACK_OF(CONF_VALUE) *i2v_POLICY_MAPPINGS(X509V3_EXT_METHOD *method,

- void *pmps, STACK_OF(CONF_VALUE) *extlist);

+static void *v2i_POLICY_MAPPINGS(const X509V3_EXT_METHOD *method,

+ X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);

+static STACK_OF(CONF_VALUE) *i2v_POLICY_MAPPINGS(

+ const X509V3_EXT_METHOD *method, void *pmps, STACK_OF(CONF_VALUE) *extlist);

const X509V3_EXT_METHOD v3_policy_mappings = {

NID_policy_mappings, 0,

ASN1_ITEM_ref(POLICY_MAPPINGS),

- 0,0,0,0,

- 0,0,

+ 0, 0, 0, 0,

+ 0, 0,

i2v_POLICY_MAPPINGS,

v2i_POLICY_MAPPINGS,

- 0,0,

+ 0, 0,

NULL

};

@@ -84,23 +84,24 @@ ASN1_SEQUENCE(POLICY_MAPPING) = {

ASN1_SIMPLE(POLICY_MAPPING, subjectDomainPolicy, ASN1_OBJECT)

} ASN1_SEQUENCE_END(POLICY_MAPPING)

-ASN1_ITEM_TEMPLATE(POLICY_MAPPINGS) =

- ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, POLICY_MAPPINGS,

- POLICY_MAPPING)

+ASN1_ITEM_TEMPLATE(POLICY_MAPPINGS) =

+ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, POLICY_MAPPINGS,

+ POLICY_MAPPING)

ASN1_ITEM_TEMPLATE_END(POLICY_MAPPINGS)

IMPLEMENT_ASN1_ALLOC_FUNCTIONS(POLICY_MAPPING)

-static STACK_OF(CONF_VALUE) *i2v_POLICY_MAPPINGS(X509V3_EXT_METHOD *method,

- void *a, STACK_OF(CONF_VALUE) *ext_list)

+static STACK_OF(CONF_VALUE) *

+i2v_POLICY_MAPPINGS(const X509V3_EXT_METHOD *method, void *a,

+ STACK_OF(CONF_VALUE) *ext_list)

{

POLICY_MAPPINGS *pmaps = a;

POLICY_MAPPING *pmap;

int i;

char obj_tmp1[80];

char obj_tmp2[80];

- for(i = 0; i < sk_POLICY_MAPPING_num(pmaps); i++) {

+ for (i = 0; i < sk_POLICY_MAPPING_num(pmaps); i++) {

pmap = sk_POLICY_MAPPING_value(pmaps, i);

i2t_ASN1_OBJECT(obj_tmp1, 80, pmap->issuerDomainPolicy);

i2t_ASN1_OBJECT(obj_tmp2, 80, pmap->subjectDomainPolicy);

@@ -109,8 +110,9 @@ static STACK_OF(CONF_VALUE) *i2v_POLICY_MAPPINGS(X509V3_EXT_METHOD *method,

return ext_list;

}

-static void *v2i_POLICY_MAPPINGS(X509V3_EXT_METHOD *method,

- X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)

+static void *

+v2i_POLICY_MAPPINGS(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,

+ STACK_OF(CONF_VALUE) *nval)

{

POLICY_MAPPINGS *pmaps;

POLICY_MAPPING *pmap;

@@ -118,31 +120,34 @@ static void *v2i_POLICY_MAPPINGS(X509V3_EXT_METHOD *method,

CONF_VALUE *val;

int i;

- if(!(pmaps = sk_POLICY_MAPPING_new_null())) {

- X509V3err(X509V3_F_V2I_POLICY_MAPPINGS,ERR_R_MALLOC_FAILURE);

+ if (!(pmaps = sk_POLICY_MAPPING_new_null())) {

+ X509V3err(X509V3_F_V2I_POLICY_MAPPINGS, ERR_R_MALLOC_FAILURE);

return NULL;

}

- for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {

+ for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {

val = sk_CONF_VALUE_value(nval, i);

- if(!val->value || !val->name) {

+ if (!val->value || !val->name) {

sk_POLICY_MAPPING_pop_free(pmaps, POLICY_MAPPING_free);

- X509V3err(X509V3_F_V2I_POLICY_MAPPINGS,X509V3_R_INVALID_OBJECT_IDENTIFIER);

+ X509V3err(X509V3_F_V2I_POLICY_MAPPINGS,

+ X509V3_R_INVALID_OBJECT_IDENTIFIER);

X509V3_conf_err(val);

return NULL;

}

obj1 = OBJ_txt2obj(val->name, 0);

obj2 = OBJ_txt2obj(val->value, 0);

- if(!obj1 || !obj2) {

+ if (!obj1 || !obj2) {

sk_POLICY_MAPPING_pop_free(pmaps, POLICY_MAPPING_free);

- X509V3err(X509V3_F_V2I_POLICY_MAPPINGS,X509V3_R_INVALID_OBJECT_IDENTIFIER);

+ X509V3err(X509V3_F_V2I_POLICY_MAPPINGS,

+ X509V3_R_INVALID_OBJECT_IDENTIFIER);

X509V3_conf_err(val);

return NULL;

}

pmap = POLICY_MAPPING_new();

if (!pmap) {

sk_POLICY_MAPPING_pop_free(pmaps, POLICY_MAPPING_free);

- X509V3err(X509V3_F_V2I_POLICY_MAPPINGS,ERR_R_MALLOC_FAILURE);

+ X509V3err(X509V3_F_V2I_POLICY_MAPPINGS,

+ ERR_R_MALLOC_FAILURE);

return NULL;

}

pmap->issuerDomainPolicy = obj1;

diff --git a/lib/libssl/src/crypto/x509v3/v3_prn.c b/lib/libssl/src/crypto/x509v3/v3_prn.c
index 565937af47e..3874ded51c9 100644
--- a/lib/libssl/src/crypto/x509v3/v3_prn.c
+++ b/lib/libssl/src/crypto/x509v3/v3_prn.c

@@ -10,7 +10,7 @@

* are met:

* 1. Redistributions of source code must retain the above copyright

- * notice, this list of conditions and the following disclaimer.

+ * notice, this list of conditions and the following disclaimer.

* 2. Redistributions in binary form must reproduce the above copyright

* notice, this list of conditions and the following disclaimer in

@@ -64,139 +64,163 @@

/* Extension printing routines */

-static int unknown_ext_print(BIO *out, X509_EXTENSION *ext, unsigned long flag, int indent, int supported);

+static int unknown_ext_print(BIO *out, X509_EXTENSION *ext, unsigned long flag,

+ int indent, int supported);

/* Print out a name+value stack */

-void X509V3_EXT_val_prn(BIO *out, STACK_OF(CONF_VALUE) *val, int indent, int ml)

+void

+X509V3_EXT_val_prn(BIO *out, STACK_OF(CONF_VALUE) *val, int indent, int ml)

{

int i;

CONF_VALUE *nval;

- if(!val) return;

- if(!ml || !sk_CONF_VALUE_num(val)) {

+ if (!val)

+ return;

+ if (!ml || !sk_CONF_VALUE_num(val)) {

BIO_printf(out, "%*s", indent, "");

- if(!sk_CONF_VALUE_num(val)) BIO_puts(out, "<EMPTY>\n");

+ if (!sk_CONF_VALUE_num(val))

+ BIO_puts(out, "<EMPTY>\n");

}

- for(i = 0; i < sk_CONF_VALUE_num(val); i++) {

- if(ml) BIO_printf(out, "%*s", indent, "");

- else if(i > 0) BIO_printf(out, ", ");

- nval = sk_CONF_VALUE_value(val, i);

- if(!nval->name) BIO_puts(out, nval->value);

- else if(!nval->value) BIO_puts(out, nval->name);

- else BIO_printf(out, "%s:%s", nval->name, nval->value);

- if(ml) BIO_puts(out, "\n");

+ for (i = 0; i < sk_CONF_VALUE_num(val); i++) {

+ if (ml)

+ BIO_printf(out, "%*s", indent, "");

+ else if (i > 0) BIO_printf(out, ", ");

+ nval = sk_CONF_VALUE_value(val, i);

+ if (!nval->name)

+ BIO_puts(out, nval->value);

+ else if (!nval->value)

+ BIO_puts(out, nval->name);

+ else

+ BIO_printf(out, "%s:%s", nval->name, nval->value);

+ if (ml)

+ BIO_puts(out, "\n");

}

/* Main routine: print out a general extension */

-int X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, unsigned long flag, int indent)

+int

+X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, unsigned long flag, int indent)

{

void *ext_str = NULL;

char *value = NULL;

const unsigned char *p;

- const X509V3_EXT_METHOD *method;

+ const X509V3_EXT_METHOD *method;

STACK_OF(CONF_VALUE) *nval = NULL;

int ok = 1;

- if(!(method = X509V3_EXT_get(ext)))

+ if (!(method = X509V3_EXT_get(ext)))

return unknown_ext_print(out, ext, flag, indent, 0);

p = ext->value->data;

- if(method->it) ext_str = ASN1_item_d2i(NULL, &p, ext->value->length, ASN1_ITEM_ptr(method->it));

- else ext_str = method->d2i(NULL, &p, ext->value->length);

+ if (method->it)

+ ext_str = ASN1_item_d2i(NULL, &p, ext->value->length,

+ ASN1_ITEM_ptr(method->it));

+ else

+ ext_str = method->d2i(NULL, &p, ext->value->length);

- if(!ext_str) return unknown_ext_print(out, ext, flag, indent, 1);

+ if (!ext_str)

+ return unknown_ext_print(out, ext, flag, indent, 1);

- if(method->i2s) {

- if(!(value = method->i2s(method, ext_str))) {

+ if (method->i2s) {

+ if (!(value = method->i2s(method, ext_str))) {

ok = 0;

goto err;

}

BIO_printf(out, "%*s%s", indent, "", value);

- } else if(method->i2v) {

- if(!(nval = method->i2v(method, ext_str, NULL))) {

+ } else if (method->i2v) {

+ if (!(nval = method->i2v(method, ext_str, NULL))) {

ok = 0;

goto err;

}

X509V3_EXT_val_prn(out, nval, indent,

- method->ext_flags & X509V3_EXT_MULTILINE);

- } else if(method->i2r) {

- if(!method->i2r(method, ext_str, out, indent)) ok = 0;

- } else ok = 0;

- err:

- sk_CONF_VALUE_pop_free(nval, X509V3_conf_free);

- if(value) free(value);

- if(method->it) ASN1_item_free(ext_str, ASN1_ITEM_ptr(method->it));

- else method->ext_free(ext_str);

- return ok;

+ method->ext_flags & X509V3_EXT_MULTILINE);

+ } else if (method->i2r) {

+ if (!method->i2r(method, ext_str, out, indent))

+ ok = 0;

+ } else

+ ok = 0;

+err:

+ sk_CONF_VALUE_pop_free(nval, X509V3_conf_free);

+ if (value)

+ free(value);

+ if (method->it)

+ ASN1_item_free(ext_str, ASN1_ITEM_ptr(method->it));

+ else

+ method->ext_free(ext_str);

+ return ok;

}

-int X509V3_extensions_print(BIO *bp, char *title, STACK_OF(X509_EXTENSION) *exts, unsigned long flag, int indent)

+int

+X509V3_extensions_print(BIO *bp, char *title, STACK_OF(X509_EXTENSION) *exts,

+ unsigned long flag, int indent)

{

int i, j;

- if(sk_X509_EXTENSION_num(exts) <= 0) return 1;

+ if (sk_X509_EXTENSION_num(exts) <= 0)

+ return 1;

- if(title)

- {

- BIO_printf(bp,"%*s%s:\n",indent, "", title);

+ if (title) {

+ BIO_printf(bp, "%*s%s:\n",indent, "", title);

indent += 4;

- }

+ }

- for (i=0; i<sk_X509_EXTENSION_num(exts); i++)

- {

+ for (i = 0; i < sk_X509_EXTENSION_num(exts); i++) {

ASN1_OBJECT *obj;

X509_EXTENSION *ex;

- ex=sk_X509_EXTENSION_value(exts, i);

- if (indent && BIO_printf(bp,"%*s",indent, "") <= 0) return 0;

- obj=X509_EXTENSION_get_object(ex);

- i2a_ASN1_OBJECT(bp,obj);

- j=X509_EXTENSION_get_critical(ex);

- if (BIO_printf(bp,": %s\n",j?"critical":"") <= 0)

+ ex = sk_X509_EXTENSION_value(exts, i);

+ if (indent && BIO_printf(bp, "%*s",indent, "") <= 0)

return 0;

- if(!X509V3_EXT_print(bp, ex, flag, indent + 4))

- {

+ obj = X509_EXTENSION_get_object(ex);

+ i2a_ASN1_OBJECT(bp, obj);

+ j = X509_EXTENSION_get_critical(ex);

+ if (BIO_printf(bp, ": %s\n",j?"critical":"") <= 0)

+ return 0;

+ if (!X509V3_EXT_print(bp, ex, flag, indent + 4)) {

BIO_printf(bp, "%*s", indent + 4, "");

- M_ASN1_OCTET_STRING_print(bp,ex->value);

- }

- if (BIO_write(bp,"\n",1) <= 0) return 0;

+ M_ASN1_OCTET_STRING_print(bp, ex->value);

}

+ if (BIO_write(bp, "\n",1) <= 0)

+ return 0;

+ }

return 1;

}

-static int unknown_ext_print(BIO *out, X509_EXTENSION *ext, unsigned long flag, int indent, int supported)

+static int

+unknown_ext_print(BIO *out, X509_EXTENSION *ext, unsigned long flag,

+ int indent, int supported)

{

- switch(flag & X509V3_EXT_UNKNOWN_MASK) {

- case X509V3_EXT_DEFAULT:

+ switch (flag & X509V3_EXT_UNKNOWN_MASK) {

+ case X509V3_EXT_DEFAULT:

return 0;

- case X509V3_EXT_ERROR_UNKNOWN:

- if(supported)

+ case X509V3_EXT_ERROR_UNKNOWN:

+ if (supported)

BIO_printf(out, "%*s<Parse Error>", indent, "");

else

BIO_printf(out, "%*s<Not Supported>", indent, "");

return 1;

- case X509V3_EXT_PARSE_UNKNOWN:

- return ASN1_parse_dump(out,

- ext->value->data, ext->value->length, indent, -1);

- case X509V3_EXT_DUMP_UNKNOWN:

- return BIO_dump_indent(out, (char *)ext->value->data, ext->value->length, indent);

- default:

+ case X509V3_EXT_PARSE_UNKNOWN:

+ return ASN1_parse_dump(out,

+ ext->value->data, ext->value->length, indent, -1);

+ case X509V3_EXT_DUMP_UNKNOWN:

+ return BIO_dump_indent(out, (char *)ext->value->data,

+ ext->value->length, indent);

+ default:

return 1;

}

#ifndef OPENSSL_NO_FP_API

-int X509V3_EXT_print_fp(FILE *fp, X509_EXTENSION *ext, int flag, int indent)

+int

+X509V3_EXT_print_fp(FILE *fp, X509_EXTENSION *ext, int flag, int indent)

{

BIO *bio_tmp;

int ret;

- if(!(bio_tmp = BIO_new_fp(fp, BIO_NOCLOSE))) return 0;

+ if (!(bio_tmp = BIO_new_fp(fp, BIO_NOCLOSE)))

+ return 0;

ret = X509V3_EXT_print(bio_tmp, ext, flag, indent);

BIO_free(bio_tmp);

return ret;

diff --git a/lib/libssl/src/crypto/x509v3/v3_purp.c b/lib/libssl/src/crypto/x509v3/v3_purp.c
index 45d7251c29f..2bf110c179d 100644
--- a/lib/libssl/src/crypto/x509v3/v3_purp.c
+++ b/lib/libssl/src/crypto/x509v3/v3_purp.c

@@ -10,7 +10,7 @@

* are met:

* 1. Redistributions of source code must retain the above copyright

- * notice, this list of conditions and the following disclaimer.

+ * notice, this list of conditions and the following disclaimer.

* 2. Redistributions in binary form must reproduce the above copyright

* notice, this list of conditions and the following disclaimer in

@@ -64,19 +64,25 @@

static void x509v3_cache_extensions(X509 *x);

static int check_ssl_ca(const X509 *x);

-static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, int ca);

-static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca);

-static int check_purpose_ns_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca);

+static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x,

+ int ca);

+static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x,

+ int ca);

+static int check_purpose_ns_ssl_server(const X509_PURPOSE *xp, const X509 *x,

+ int ca);

static int purpose_smime(const X509 *x, int ca);

-static int check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x, int ca);

-static int check_purpose_smime_encrypt(const X509_PURPOSE *xp, const X509 *x, int ca);

-static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x, int ca);

-static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x, int ca);

+static int check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x,

+ int ca);

+static int check_purpose_smime_encrypt(const X509_PURPOSE *xp, const X509 *x,

+ int ca);

+static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x,

+ int ca);

+static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x,

+ int ca);

static int no_check(const X509_PURPOSE *xp, const X509 *x, int ca);

static int ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca);

-static int xp_cmp(const X509_PURPOSE * const *a,

- const X509_PURPOSE * const *b);

+static int xp_cmp(const X509_PURPOSE * const *a, const X509_PURPOSE * const *b);

static void xptable_free(X509_PURPOSE *p);

static X509_PURPOSE xstandard[] = {

@@ -97,8 +103,8 @@ IMPLEMENT_STACK_OF(X509_PURPOSE)

static STACK_OF(X509_PURPOSE) *xptable = NULL;

-static int xp_cmp(const X509_PURPOSE * const *a,

- const X509_PURPOSE * const *b)

+static int

+xp_cmp(const X509_PURPOSE * const *a, const X509_PURPOSE * const *b)

{

return (*a)->purpose - (*b)->purpose;

}

@@ -106,25 +112,30 @@ static int xp_cmp(const X509_PURPOSE * const *a,

/* As much as I'd like to make X509_check_purpose use a "const" X509*

* I really can't because it does recalculate hashes and do other non-const

* things. */

-int X509_check_purpose(X509 *x, int id, int ca)

+int

+X509_check_purpose(X509 *x, int id, int ca)

{

int idx;

const X509_PURPOSE *pt;

- if(!(x->ex_flags & EXFLAG_SET)) {

+ if (!(x->ex_flags & EXFLAG_SET)) {

CRYPTO_w_lock(CRYPTO_LOCK_X509);

x509v3_cache_extensions(x);

CRYPTO_w_unlock(CRYPTO_LOCK_X509);

}

- if(id == -1) return 1;

+ if (id == -1)

+ return 1;

idx = X509_PURPOSE_get_by_id(id);

- if(idx == -1) return -1;

+ if (idx == -1)

+ return -1;

pt = X509_PURPOSE_get0(idx);

return pt->check_purpose(pt, x, ca);

}

-int X509_PURPOSE_set(int *p, int purpose)

+int

+X509_PURPOSE_set(int *p, int purpose)

{

- if(X509_PURPOSE_get_by_id(purpose) == -1) {

+ if (X509_PURPOSE_get_by_id(purpose) == -1) {

X509V3err(X509V3_F_X509_PURPOSE_SET, X509V3_R_INVALID_PURPOSE);

return 0;

}

@@ -132,49 +143,63 @@ int X509_PURPOSE_set(int *p, int purpose)

return 1;

}

-int X509_PURPOSE_get_count(void)

+int

+X509_PURPOSE_get_count(void)

{

- if(!xptable) return X509_PURPOSE_COUNT;

+ if (!xptable)

+ return X509_PURPOSE_COUNT;

return sk_X509_PURPOSE_num(xptable) + X509_PURPOSE_COUNT;

}

-X509_PURPOSE * X509_PURPOSE_get0(int idx)

+X509_PURPOSE *

+X509_PURPOSE_get0(int idx)

{

- if(idx < 0) return NULL;

- if(idx < (int)X509_PURPOSE_COUNT) return xstandard + idx;

+ if (idx < 0)

+ return NULL;

+ if (idx < (int)X509_PURPOSE_COUNT)

+ return xstandard + idx;

return sk_X509_PURPOSE_value(xptable, idx - X509_PURPOSE_COUNT);

}

-int X509_PURPOSE_get_by_sname(char *sname)

+int

+X509_PURPOSE_get_by_sname(char *sname)

{

int i;

X509_PURPOSE *xptmp;

- for(i = 0; i < X509_PURPOSE_get_count(); i++) {

+ for (i = 0; i < X509_PURPOSE_get_count(); i++) {

xptmp = X509_PURPOSE_get0(i);

- if(!strcmp(xptmp->sname, sname)) return i;

+ if (!strcmp(xptmp->sname, sname))

+ return i;

}

return -1;

}

-int X509_PURPOSE_get_by_id(int purpose)

+int

+X509_PURPOSE_get_by_id(int purpose)

{

X509_PURPOSE tmp;

int idx;

- if((purpose >= X509_PURPOSE_MIN) && (purpose <= X509_PURPOSE_MAX))

+ if ((purpose >= X509_PURPOSE_MIN) && (purpose <= X509_PURPOSE_MAX))

return purpose - X509_PURPOSE_MIN;

tmp.purpose = purpose;

- if(!xptable) return -1;

+ if (!xptable)

+ return -1;

idx = sk_X509_PURPOSE_find(xptable, &tmp);

- if(idx == -1) return -1;

+ if (idx == -1)

+ return -1;

return idx + X509_PURPOSE_COUNT;

}

-int X509_PURPOSE_add(int id, int trust, int flags,

- int (*ck)(const X509_PURPOSE *, const X509 *, int),

- char *name, char *sname, void *arg)

+int

+X509_PURPOSE_add(int id, int trust, int flags,

+ int (*ck)(const X509_PURPOSE *, const X509 *, int), char *name,

+ char *sname, void *arg)

{

int idx;

X509_PURPOSE *ptmp;

/* This is set according to what we change: application can't set it */

flags &= ~X509_PURPOSE_DYNAMIC;

/* This will always be set for application modified trust entries */

@@ -182,24 +207,26 @@ int X509_PURPOSE_add(int id, int trust, int flags,

/* Get existing entry if any */

idx = X509_PURPOSE_get_by_id(id);

/* Need a new entry */

- if(idx == -1) {

- if(!(ptmp = malloc(sizeof(X509_PURPOSE)))) {

- X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE);

+ if (idx == -1) {

+ if (!(ptmp = malloc(sizeof(X509_PURPOSE)))) {

+ X509V3err(X509V3_F_X509_PURPOSE_ADD,

+ ERR_R_MALLOC_FAILURE);

return 0;

}

ptmp->flags = X509_PURPOSE_DYNAMIC;

- } else ptmp = X509_PURPOSE_get0(idx);

+ } else

+ ptmp = X509_PURPOSE_get0(idx);

/* free existing name if dynamic */

- if(ptmp->flags & X509_PURPOSE_DYNAMIC_NAME) {

+ if (ptmp->flags & X509_PURPOSE_DYNAMIC_NAME) {

free(ptmp->name);

free(ptmp->sname);

}

/* dup supplied name */

ptmp->name = BUF_strdup(name);

ptmp->sname = BUF_strdup(sname);

- if(!ptmp->name || !ptmp->sname) {

- X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE);

+ if (!ptmp->name || !ptmp->sname) {

+ X509V3err(X509V3_F_X509_PURPOSE_ADD, ERR_R_MALLOC_FAILURE);

return 0;

}

/* Keep the dynamic flag of existing entry */

@@ -213,70 +240,82 @@ int X509_PURPOSE_add(int id, int trust, int flags,

ptmp->usr_data = arg;

/* If its a new entry manage the dynamic table */

- if(idx == -1) {

- if(!xptable && !(xptable = sk_X509_PURPOSE_new(xp_cmp))) {

- X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE);

+ if (idx == -1) {

+ if (!xptable && !(xptable = sk_X509_PURPOSE_new(xp_cmp))) {

+ X509V3err(X509V3_F_X509_PURPOSE_ADD,

+ ERR_R_MALLOC_FAILURE);

return 0;

}

if (!sk_X509_PURPOSE_push(xptable, ptmp)) {

- X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE);

+ X509V3err(X509V3_F_X509_PURPOSE_ADD,

+ ERR_R_MALLOC_FAILURE);

return 0;

}

return 1;

}

-static void xptable_free(X509_PURPOSE *p)

- {

- if(!p) return;

- if (p->flags & X509_PURPOSE_DYNAMIC)

- {

+static void

+xptable_free(X509_PURPOSE *p)

+ if (!p)

+ return;

+ if (p->flags & X509_PURPOSE_DYNAMIC) {

if (p->flags & X509_PURPOSE_DYNAMIC_NAME) {

free(p->name);

free(p->sname);

}

free(p);

- }

}

-void X509_PURPOSE_cleanup(void)

+void

+X509_PURPOSE_cleanup(void)

{

unsigned int i;

sk_X509_PURPOSE_pop_free(xptable, xptable_free);

- for(i = 0; i < X509_PURPOSE_COUNT; i++) xptable_free(xstandard + i);

+ for(i = 0; i < X509_PURPOSE_COUNT; i++)

+ xptable_free(xstandard + i);

xptable = NULL;

}

-int X509_PURPOSE_get_id(X509_PURPOSE *xp)

+int

+X509_PURPOSE_get_id(X509_PURPOSE *xp)

{

return xp->purpose;

}

-char *X509_PURPOSE_get0_name(X509_PURPOSE *xp)

+char *

+X509_PURPOSE_get0_name(X509_PURPOSE *xp)

{

return xp->name;

}

-char *X509_PURPOSE_get0_sname(X509_PURPOSE *xp)

+char *

+X509_PURPOSE_get0_sname(X509_PURPOSE *xp)

{

return xp->sname;

}

-int X509_PURPOSE_get_trust(X509_PURPOSE *xp)

+int

+X509_PURPOSE_get_trust(X509_PURPOSE *xp)

{

return xp->trust;

}

-static int nid_cmp(const int *a, const int *b)

- {

+static int

+nid_cmp(const int *a, const int *b)

return *a - *b;

- }

DECLARE_OBJ_BSEARCH_CMP_FN(int, int, nid);

IMPLEMENT_OBJ_BSEARCH_CMP_FN(int, int, nid);

-int X509_supported_extension(X509_EXTENSION *ex)

- {

+int

+X509_supported_extension(X509_EXTENSION *ex)

/* This table is a list of the NIDs of supported extensions:

* that is those which are used by the verify process. If

* an extension is critical and doesn't appear in this list

@@ -287,11 +326,11 @@ int X509_supported_extension(X509_EXTENSION *ex)

static const int supported_nids[] = {

NID_netscape_cert_type, /* 71 */

- NID_key_usage, /* 83 */

+ NID_key_usage, /* 83 */

NID_subject_alt_name, /* 85 */

NID_basic_constraints, /* 87 */

NID_certificate_policies, /* 89 */

- NID_ext_key_usage, /* 126 */

+ NID_ext_key_usage, /* 126 */

#ifndef OPENSSL_NO_RFC3779

NID_sbgp_ipAddrBlock, /* 290 */

NID_sbgp_autonomousSysNum, /* 291 */

@@ -305,56 +344,57 @@ int X509_supported_extension(X509_EXTENSION *ex)

int ex_nid = OBJ_obj2nid(X509_EXTENSION_get_object(ex));

- if (ex_nid == NID_undef)

+ if (ex_nid == NID_undef)

return 0;

if (OBJ_bsearch_nid(&ex_nid, supported_nids,

- sizeof(supported_nids)/sizeof(int)))

+ sizeof(supported_nids) / sizeof(int)))

return 1;

return 0;

- }

-static void setup_dp(X509 *x, DIST_POINT *dp)

- {

+static void

+setup_dp(X509 *x, DIST_POINT *dp)

X509_NAME *iname = NULL;

int i;

- if (dp->reasons)

- {

+ if (dp->reasons) {

if (dp->reasons->length > 0)

dp->dp_reasons = dp->reasons->data[0];

if (dp->reasons->length > 1)

dp->dp_reasons |= (dp->reasons->data[1] << 8);

dp->dp_reasons &= CRLDP_ALL_REASONS;

- }

- else

+ } else

dp->dp_reasons = CRLDP_ALL_REASONS;

if (!dp->distpoint || (dp->distpoint->type != 1))

return;

- for (i = 0; i < sk_GENERAL_NAME_num(dp->CRLissuer); i++)

- {

+ for (i = 0; i < sk_GENERAL_NAME_num(dp->CRLissuer); i++) {

GENERAL_NAME *gen = sk_GENERAL_NAME_value(dp->CRLissuer, i);

- if (gen->type == GEN_DIRNAME)

- {

+ if (gen->type == GEN_DIRNAME) {

iname = gen->d.directoryName;

break;

- }

}

+ }

if (!iname)

iname = X509_get_issuer_name(x);

DIST_POINT_set_dpname(dp->distpoint, iname);

- }

-static void setup_crldp(X509 *x)

- {

+static void

+setup_crldp(X509 *x)

int i;

x->crldp = X509_get_ext_d2i(x, NID_crl_distribution_points, NULL, NULL);

for (i = 0; i < sk_DIST_POINT_num(x->crldp); i++)

setup_dp(x, sk_DIST_POINT_value(x->crldp, i));

- }

-static void x509v3_cache_extensions(X509 *x)

+static void

+x509v3_cache_extensions(X509 *x)

{

BASIC_CONSTRAINTS *bs;

PROXY_CERT_INFO_EXTENSION *pci;

@@ -362,89 +402,96 @@ static void x509v3_cache_extensions(X509 *x)

ASN1_BIT_STRING *ns;

EXTENDED_KEY_USAGE *extusage;

X509_EXTENSION *ex;

int i;

- if(x->ex_flags & EXFLAG_SET) return;

+ if (x->ex_flags & EXFLAG_SET)

+ return;

#ifndef OPENSSL_NO_SHA

X509_digest(x, EVP_sha1(), x->sha1_hash, NULL);

#endif

/* Does subject name match issuer ? */

- if(!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x)))

- x->ex_flags |= EXFLAG_SI;

+ if (!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x)))

+ x->ex_flags |= EXFLAG_SI;

/* V1 should mean no extensions ... */

- if(!X509_get_version(x)) x->ex_flags |= EXFLAG_V1;

+ if (!X509_get_version(x))

+ x->ex_flags |= EXFLAG_V1;

/* Handle basic constraints */

- if((bs=X509_get_ext_d2i(x, NID_basic_constraints, NULL, NULL))) {

- if(bs->ca) x->ex_flags |= EXFLAG_CA;

- if(bs->pathlen) {

- if((bs->pathlen->type == V_ASN1_NEG_INTEGER)

- || !bs->ca) {

+ if ((bs = X509_get_ext_d2i(x, NID_basic_constraints, NULL, NULL))) {

+ if (bs->ca)

+ x->ex_flags |= EXFLAG_CA;

+ if (bs->pathlen) {

+ if ((bs->pathlen->type == V_ASN1_NEG_INTEGER) ||

+ !bs->ca) {

x->ex_flags |= EXFLAG_INVALID;

x->ex_pathlen = 0;

- } else x->ex_pathlen = ASN1_INTEGER_get(bs->pathlen);

- } else x->ex_pathlen = -1;

+ } else

+ x->ex_pathlen = ASN1_INTEGER_get(bs->pathlen);

+ } else

+ x->ex_pathlen = -1;

BASIC_CONSTRAINTS_free(bs);

x->ex_flags |= EXFLAG_BCONS;

}

/* Handle proxy certificates */

- if((pci=X509_get_ext_d2i(x, NID_proxyCertInfo, NULL, NULL))) {

- if (x->ex_flags & EXFLAG_CA

- || X509_get_ext_by_NID(x, NID_subject_alt_name, -1) >= 0

- || X509_get_ext_by_NID(x, NID_issuer_alt_name, -1) >= 0) {

+ if ((pci = X509_get_ext_d2i(x, NID_proxyCertInfo, NULL, NULL))) {

+ if (x->ex_flags & EXFLAG_CA ||

+ X509_get_ext_by_NID(x, NID_subject_alt_name, -1) >= 0 ||

+ X509_get_ext_by_NID(x, NID_issuer_alt_name, -1) >= 0) {

x->ex_flags |= EXFLAG_INVALID;

}

if (pci->pcPathLengthConstraint) {

x->ex_pcpathlen =

- ASN1_INTEGER_get(pci->pcPathLengthConstraint);

- } else x->ex_pcpathlen = -1;

+ ASN1_INTEGER_get(pci->pcPathLengthConstraint);

+ } else

+ x->ex_pcpathlen = -1;

PROXY_CERT_INFO_EXTENSION_free(pci);

x->ex_flags |= EXFLAG_PROXY;

}

/* Handle key usage */

- if((usage=X509_get_ext_d2i(x, NID_key_usage, NULL, NULL))) {

- if(usage->length > 0) {

+ if ((usage = X509_get_ext_d2i(x, NID_key_usage, NULL, NULL))) {

+ if (usage->length > 0) {

x->ex_kusage = usage->data[0];

- if(usage->length > 1)

+ if (usage->length > 1)

x->ex_kusage |= usage->data[1] << 8;

- } else x->ex_kusage = 0;

+ } else

+ x->ex_kusage = 0;

x->ex_flags |= EXFLAG_KUSAGE;

ASN1_BIT_STRING_free(usage);

}

x->ex_xkusage = 0;

- if((extusage=X509_get_ext_d2i(x, NID_ext_key_usage, NULL, NULL))) {

+ if ((extusage = X509_get_ext_d2i(x, NID_ext_key_usage, NULL, NULL))) {

x->ex_flags |= EXFLAG_XKUSAGE;

- for(i = 0; i < sk_ASN1_OBJECT_num(extusage); i++) {

- switch(OBJ_obj2nid(sk_ASN1_OBJECT_value(extusage,i))) {

- case NID_server_auth:

+ for (i = 0; i < sk_ASN1_OBJECT_num(extusage); i++) {

+ switch (OBJ_obj2nid(sk_ASN1_OBJECT_value(extusage, i))) {

+ case NID_server_auth:

x->ex_xkusage |= XKU_SSL_SERVER;

break;

- case NID_client_auth:

+ case NID_client_auth:

x->ex_xkusage |= XKU_SSL_CLIENT;

break;

- case NID_email_protect:

+ case NID_email_protect:

x->ex_xkusage |= XKU_SMIME;

break;

- case NID_code_sign:

+ case NID_code_sign:

x->ex_xkusage |= XKU_CODE_SIGN;

break;

- case NID_ms_sgc:

- case NID_ns_sgc:

+ case NID_ms_sgc:

+ case NID_ns_sgc:

x->ex_xkusage |= XKU_SGC;

break;

- case NID_OCSP_sign:

+ case NID_OCSP_sign:

x->ex_xkusage |= XKU_OCSP_SIGN;

break;

- case NID_time_stamp:

+ case NID_time_stamp:

x->ex_xkusage |= XKU_TIMESTAMP;

break;

- case NID_dvcs:

+ case NID_dvcs:

x->ex_xkusage |= XKU_DVCS;

break;

}

@@ -452,14 +499,17 @@ static void x509v3_cache_extensions(X509 *x)

sk_ASN1_OBJECT_pop_free(extusage, ASN1_OBJECT_free);

}

- if((ns=X509_get_ext_d2i(x, NID_netscape_cert_type, NULL, NULL))) {

- if(ns->length > 0) x->ex_nscert = ns->data[0];

- else x->ex_nscert = 0;

+ if ((ns = X509_get_ext_d2i(x, NID_netscape_cert_type, NULL, NULL))) {

+ if (ns->length > 0)

+ x->ex_nscert = ns->data[0];

+ else

+ x->ex_nscert = 0;

x->ex_flags |= EXFLAG_NSCERT;

ASN1_BIT_STRING_free(ns);

}

- x->skid =X509_get_ext_d2i(x, NID_subject_key_identifier, NULL, NULL);

- x->akid =X509_get_ext_d2i(x, NID_authority_key_identifier, NULL, NULL);

+ x->skid = X509_get_ext_d2i(x, NID_subject_key_identifier, NULL, NULL);

+ x->akid = X509_get_ext_d2i(x, NID_authority_key_identifier, NULL, NULL);

x->altname = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);

x->nc = X509_get_ext_d2i(x, NID_name_constraints, &i, NULL);

if (!x->nc && (i != -1))

@@ -467,24 +517,22 @@ static void x509v3_cache_extensions(X509 *x)

setup_crldp(x);

#ifndef OPENSSL_NO_RFC3779

- x->rfc3779_addr =X509_get_ext_d2i(x, NID_sbgp_ipAddrBlock, NULL, NULL);

- x->rfc3779_asid =X509_get_ext_d2i(x, NID_sbgp_autonomousSysNum,

- NULL, NULL);

+ x->rfc3779_addr = X509_get_ext_d2i(x, NID_sbgp_ipAddrBlock, NULL, NULL);

+ x->rfc3779_asid = X509_get_ext_d2i(x, NID_sbgp_autonomousSysNum,

+ NULL, NULL);

#endif

- for (i = 0; i < X509_get_ext_count(x); i++)

- {

+ for (i = 0; i < X509_get_ext_count(x); i++) {

ex = X509_get_ext(x, i);

- if (OBJ_obj2nid(X509_EXTENSION_get_object(ex))

- == NID_freshest_crl)

+ if (OBJ_obj2nid(X509_EXTENSION_get_object(ex)) ==

+ NID_freshest_crl)

x->ex_flags |= EXFLAG_FRESHEST;

if (!X509_EXTENSION_get_critical(ex))

continue;

- if (!X509_supported_extension(ex))

- {

+ if (!X509_supported_extension(ex)) {

x->ex_flags |= EXFLAG_CRITICAL;

break;

- }

}

+ }

x->ex_flags |= EXFLAG_SET;

}

@@ -505,30 +553,38 @@ static void x509v3_cache_extensions(X509 *x)

#define ns_reject(x, usage) \

(((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage)))

-static int check_ca(const X509 *x)

+static int

+check_ca(const X509 *x)

{

/* keyUsage if present should allow cert signing */

- if(ku_reject(x, KU_KEY_CERT_SIGN)) return 0;

- if(x->ex_flags & EXFLAG_BCONS) {

- if(x->ex_flags & EXFLAG_CA) return 1;

+ if (ku_reject(x, KU_KEY_CERT_SIGN))

+ return 0;

+ if (x->ex_flags & EXFLAG_BCONS) {

+ if (x->ex_flags & EXFLAG_CA)

+ return 1;

/* If basicConstraints says not a CA then say so */

- else return 0;

+ else

+ return 0;

} else {

/* we support V1 roots for... uh, I don't really know why. */

- if((x->ex_flags & V1_ROOT) == V1_ROOT) return 3;

+ if ((x->ex_flags & V1_ROOT) == V1_ROOT)

+ return 3;

/* If key usage present it must have certSign so tolerate it */

- else if (x->ex_flags & EXFLAG_KUSAGE) return 4;

+ else if (x->ex_flags & EXFLAG_KUSAGE)

+ return 4;

/* Older certificates could have Netscape-specific CA types */

- else if (x->ex_flags & EXFLAG_NSCERT

- && x->ex_nscert & NS_ANY_CA) return 5;

+ else if (x->ex_flags & EXFLAG_NSCERT &&

+ x->ex_nscert & NS_ANY_CA)

+ return 5;

/* can this still be regarded a CA certificate? I doubt it */

return 0;

}

-int X509_check_ca(X509 *x)

+int

+X509_check_ca(X509 *x)

{

- if(!(x->ex_flags & EXFLAG_SET)) {

+ if (!(x->ex_flags & EXFLAG_SET)) {

CRYPTO_w_lock(CRYPTO_LOCK_X509);

x509v3_cache_extensions(x);

CRYPTO_w_unlock(CRYPTO_LOCK_X509);

@@ -538,131 +594,169 @@ int X509_check_ca(X509 *x)

}

/* Check SSL CA: common checks for SSL client and server */

-static int check_ssl_ca(const X509 *x)

+static int

+check_ssl_ca(const X509 *x)

{

int ca_ret;

ca_ret = check_ca(x);

- if(!ca_ret) return 0;

+ if (!ca_ret)

+ return 0;

/* check nsCertType if present */

- if(ca_ret != 5 || x->ex_nscert & NS_SSL_CA) return ca_ret;

- else return 0;

+ if (ca_ret != 5 || x->ex_nscert & NS_SSL_CA)

+ return ca_ret;

+ else

+ return 0;

}

-static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, int ca)

+static int

+check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, int ca)

{

- if(xku_reject(x,XKU_SSL_CLIENT)) return 0;

- if(ca) return check_ssl_ca(x);

+ if (xku_reject(x, XKU_SSL_CLIENT))

+ return 0;

+ if (ca)

+ return check_ssl_ca(x);

/* We need to do digital signatures with it */

- if(ku_reject(x,KU_DIGITAL_SIGNATURE)) return 0;

- /* nsCertType if present should allow SSL client use */

- if(ns_reject(x, NS_SSL_CLIENT)) return 0;

+ if (ku_reject(x, KU_DIGITAL_SIGNATURE))

+ return 0;

+ /* nsCertType if present should allow SSL client use */

+ if (ns_reject(x, NS_SSL_CLIENT))

+ return 0;

return 1;

}

-static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca)

+static int

+check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca)

{

- if(xku_reject(x,XKU_SSL_SERVER|XKU_SGC)) return 0;

- if(ca) return check_ssl_ca(x);

+ if (xku_reject(x, XKU_SSL_SERVER|XKU_SGC))

+ return 0;

+ if (ca)

+ return check_ssl_ca(x);

- if(ns_reject(x, NS_SSL_SERVER)) return 0;

+ if (ns_reject(x, NS_SSL_SERVER))

+ return 0;

/* Now as for keyUsage: we'll at least need to sign OR encipher */

- if(ku_reject(x, KU_DIGITAL_SIGNATURE|KU_KEY_ENCIPHERMENT)) return 0;

- return 1;

+ if (ku_reject(x, KU_DIGITAL_SIGNATURE|KU_KEY_ENCIPHERMENT))

+ return 0;

+ return 1;

}

-static int check_purpose_ns_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca)

+static int

+check_purpose_ns_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca)

{

int ret;

ret = check_purpose_ssl_server(xp, x, ca);

- if(!ret || ca) return ret;

+ if (!ret || ca)

+ return ret;

/* We need to encipher or Netscape complains */

- if(ku_reject(x, KU_KEY_ENCIPHERMENT)) return 0;

+ if (ku_reject(x, KU_KEY_ENCIPHERMENT))

+ return 0;

return ret;

}

/* common S/MIME checks */

-static int purpose_smime(const X509 *x, int ca)

+static int

+purpose_smime(const X509 *x, int ca)

{

- if(xku_reject(x,XKU_SMIME)) return 0;

- if(ca) {

+ if (xku_reject(x, XKU_SMIME))

+ return 0;

+ if (ca) {

int ca_ret;

ca_ret = check_ca(x);

- if(!ca_ret) return 0;

+ if (!ca_ret)

+ return 0;

/* check nsCertType if present */

- if(ca_ret != 5 || x->ex_nscert & NS_SMIME_CA) return ca_ret;

- else return 0;

+ if (ca_ret != 5 || x->ex_nscert & NS_SMIME_CA)

+ return ca_ret;

+ else

+ return 0;

}

- if(x->ex_flags & EXFLAG_NSCERT) {

- if(x->ex_nscert & NS_SMIME) return 1;

+ if (x->ex_flags & EXFLAG_NSCERT) {

+ if (x->ex_nscert & NS_SMIME)

+ return 1;

/* Workaround for some buggy certificates */

- if(x->ex_nscert & NS_SSL_CLIENT) return 2;

+ if (x->ex_nscert & NS_SSL_CLIENT)

+ return 2;

return 0;

}

return 1;

}

-static int check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x, int ca)

+static int

+check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x, int ca)

{

int ret;

ret = purpose_smime(x, ca);

- if(!ret || ca) return ret;

- if(ku_reject(x, KU_DIGITAL_SIGNATURE|KU_NON_REPUDIATION)) return 0;

+ if (!ret || ca)

+ return ret;

+ if (ku_reject(x, KU_DIGITAL_SIGNATURE|KU_NON_REPUDIATION))

+ return 0;

return ret;

}

-static int check_purpose_smime_encrypt(const X509_PURPOSE *xp, const X509 *x, int ca)

+static int

+check_purpose_smime_encrypt(const X509_PURPOSE *xp, const X509 *x, int ca)

{

int ret;

ret = purpose_smime(x, ca);

- if(!ret || ca) return ret;

- if(ku_reject(x, KU_KEY_ENCIPHERMENT)) return 0;

+ if (!ret || ca)

+ return ret;

+ if (ku_reject(x, KU_KEY_ENCIPHERMENT))

+ return 0;

return ret;

}

-static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x, int ca)

+static int

+check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x, int ca)

{

- if(ca) {

+ if (ca) {

int ca_ret;

- if((ca_ret = check_ca(x)) != 2) return ca_ret;

- else return 0;

+ if ((ca_ret = check_ca(x)) != 2)

+ return ca_ret;

+ else

+ return 0;

}

- if(ku_reject(x, KU_CRL_SIGN)) return 0;

+ if (ku_reject(x, KU_CRL_SIGN))

+ return 0;

return 1;

}

/* OCSP helper: this is *not* a full OCSP check. It just checks that

* each CA is valid. Additional checks must be made on the chain.

-static int ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca)

+static int

+ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca)

{

/* Must be a valid CA. Should we really support the "I don't know"

value (2)? */

- if(ca) return check_ca(x);

+ if (ca)

+ return check_ca(x);

/* leaf certificate is checked in OCSP_verify() */

return 1;

}

-static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x,

- int ca)

+static int

+check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x, int ca)

{

int i_ext;

/* If ca is true we must return if this is a valid CA certificate. */

- if (ca) return check_ca(x);

+ if (ca)

+ return check_ca(x);

- /*

+ /*

* Check the optional key usage field:

- * if Key Usage is present, it must be one of digitalSignature

+ * if Key Usage is present, it must be one of digitalSignature

* and/or nonRepudiation (other values are not consistent and shall

* be rejected).

- if ((x->ex_flags & EXFLAG_KUSAGE)

- && ((x->ex_kusage & ~(KU_NON_REPUDIATION | KU_DIGITAL_SIGNATURE)) ||

- !(x->ex_kusage & (KU_NON_REPUDIATION | KU_DIGITAL_SIGNATURE))))

+ if ((x->ex_flags & EXFLAG_KUSAGE) &&

+ ((x->ex_kusage & ~(KU_NON_REPUDIATION | KU_DIGITAL_SIGNATURE)) ||

+ !(x->ex_kusage & (KU_NON_REPUDIATION | KU_DIGITAL_SIGNATURE))))

return 0;

/* Only time stamp key usage is permitted and it's required. */

@@ -671,17 +765,17 @@ static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x,

/* Extended Key Usage MUST be critical */

i_ext = X509_get_ext_by_NID((X509 *) x, NID_ext_key_usage, -1);

- if (i_ext >= 0)

- {

+ if (i_ext >= 0) {

X509_EXTENSION *ext = X509_get_ext((X509 *) x, i_ext);

if (!X509_EXTENSION_get_critical(ext))

return 0;

- }

+ }

return 1;

}

-static int no_check(const X509_PURPOSE *xp, const X509 *x, int ca)

+static int

+no_check(const X509_PURPOSE *xp, const X509 *x, int ca)

{

return 1;

}

@@ -698,48 +792,45 @@ static int no_check(const X509_PURPOSE *xp, const X509 *x, int ca)

* codes for X509_verify_cert()

-int X509_check_issued(X509 *issuer, X509 *subject)

+int

+X509_check_issued(X509 *issuer, X509 *subject)

{

- if(X509_NAME_cmp(X509_get_subject_name(issuer),

- X509_get_issuer_name(subject)))

- return X509_V_ERR_SUBJECT_ISSUER_MISMATCH;

+ if (X509_NAME_cmp(X509_get_subject_name(issuer),

+ X509_get_issuer_name(subject)))

+ return X509_V_ERR_SUBJECT_ISSUER_MISMATCH;

x509v3_cache_extensions(issuer);

x509v3_cache_extensions(subject);

- if(subject->akid)

- {

+ if (subject->akid) {

int ret = X509_check_akid(issuer, subject->akid);

if (ret != X509_V_OK)

return ret;

- }

+ }

- if(subject->ex_flags & EXFLAG_PROXY)

- {

- if(ku_reject(issuer, KU_DIGITAL_SIGNATURE))

+ if (subject->ex_flags & EXFLAG_PROXY) {

+ if (ku_reject(issuer, KU_DIGITAL_SIGNATURE))

return X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE;

- }

- else if(ku_reject(issuer, KU_KEY_CERT_SIGN))

+ } else if (ku_reject(issuer, KU_KEY_CERT_SIGN))

return X509_V_ERR_KEYUSAGE_NO_CERTSIGN;

return X509_V_OK;

}

-int X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid)

- {

- if(!akid)

+int

+X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid)

+ if (!akid)

return X509_V_OK;

/* Check key ids (if present) */

- if(akid->keyid && issuer->skid &&

- ASN1_OCTET_STRING_cmp(akid->keyid, issuer->skid) )

- return X509_V_ERR_AKID_SKID_MISMATCH;

+ if (akid->keyid && issuer->skid &&

+ ASN1_OCTET_STRING_cmp(akid->keyid, issuer->skid) )

+ return X509_V_ERR_AKID_SKID_MISMATCH;

/* Check serial number */

- if(akid->serial &&

- ASN1_INTEGER_cmp(X509_get_serialNumber(issuer), akid->serial))

- return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;

+ if (akid->serial &&

+ ASN1_INTEGER_cmp(X509_get_serialNumber(issuer), akid->serial))

+ return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;

/* Check issuer name */

- if(akid->issuer)

- {

+ if (akid->issuer) {

/* Ugh, for some peculiar reason AKID includes

* SEQUENCE OF GeneralName. So look for a DirName.

* There may be more than one but we only take any

@@ -750,18 +841,15 @@ int X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid)

X509_NAME *nm = NULL;

int i;

gens = akid->issuer;

- for(i = 0; i < sk_GENERAL_NAME_num(gens); i++)

- {

+ for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {

gen = sk_GENERAL_NAME_value(gens, i);

- if(gen->type == GEN_DIRNAME)

- {

+ if (gen->type == GEN_DIRNAME) {

nm = gen->d.dirn;

break;

- }

}

- if(nm && X509_NAME_cmp(nm, X509_get_issuer_name(issuer)))

- return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;

}

- return X509_V_OK;

+ if (nm && X509_NAME_cmp(nm, X509_get_issuer_name(issuer)))

+ return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;

}

+ return X509_V_OK;