src - FreeBSD source tree

diff options


context:
space:
mode:

author	Jung-uk Kim <jkim@FreeBSD.org>	2021-09-01 02:23:22 +0000
committer	Jung-uk Kim <jkim@FreeBSD.org>	2021-09-01 02:23:22 +0000
commit	c1d1798abd60f12527b70443cb7d0b9cd78ef7b1 (patch)
tree	1ac1ccb6b23135a8b57efdff5c4a84ad03202f7a /crypto/x509v3
parent	94fa08a4bcdfbb3434b025d67d014af3b18e5380 (diff)
download	src-c1d1798abd60f12527b70443cb7d0b9cd78ef7b1.tar.gz src-c1d1798abd60f12527b70443cb7d0b9cd78ef7b1.zip

Import OpenSSL 1.1.1lvendor/openssl/1.1.1l

Diffstat (limited to 'crypto/x509v3')

-rw-r--r--

crypto/x509v3/v3_akey.c

-rw-r--r--

crypto/x509v3/v3_alt.c

-rw-r--r--

crypto/x509v3/v3_cpols.c

-rw-r--r--

crypto/x509v3/v3_ncons.c

-rw-r--r--

crypto/x509v3/v3_pci.c

-rw-r--r--

crypto/x509v3/v3_utl.c

-rw-r--r--

crypto/x509v3/v3err.c

7 files changed, 157 insertions, 56 deletions

diff --git a/crypto/x509v3/v3_akey.c b/crypto/x509v3/v3_akey.c
index d9f770433cfb..33b1933d7228 100644
--- a/crypto/x509v3/v3_akey.c
+++ b/crypto/x509v3/v3_akey.c

@@ -1,5 +1,5 @@

* Licensed under the OpenSSL license (the "License"). You may not use

* this file except in compliance with the License. You can obtain a copy

@@ -39,20 +39,48 @@ static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,

STACK_OF(CONF_VALUE)

*extlist)

{

- char *tmp;

+ char *tmp = NULL;

+ STACK_OF(CONF_VALUE) *origextlist = extlist, *tmpextlist;

if (akeyid->keyid) {

tmp = OPENSSL_buf2hexstr(akeyid->keyid->data, akeyid->keyid->length);

- X509V3_add_value("keyid", tmp, &extlist);

+ if (tmp == NULL) {

+ X509V3err(X509V3_F_I2V_AUTHORITY_KEYID, ERR_R_MALLOC_FAILURE);

+ return NULL;

+ }

+ if (!X509V3_add_value("keyid", tmp, &extlist)) {

+ OPENSSL_free(tmp);

+ X509V3err(X509V3_F_I2V_AUTHORITY_KEYID, ERR_R_X509_LIB);

+ goto err;

+ }

OPENSSL_free(tmp);

}

- if (akeyid->issuer)

- extlist = i2v_GENERAL_NAMES(NULL, akeyid->issuer, extlist);

+ if (akeyid->issuer) {

+ tmpextlist = i2v_GENERAL_NAMES(NULL, akeyid->issuer, extlist);

+ if (tmpextlist == NULL) {

+ X509V3err(X509V3_F_I2V_AUTHORITY_KEYID, ERR_R_X509_LIB);

+ goto err;

+ }

+ extlist = tmpextlist;

+ }

if (akeyid->serial) {

tmp = OPENSSL_buf2hexstr(akeyid->serial->data, akeyid->serial->length);

- X509V3_add_value("serial", tmp, &extlist);

+ if (tmp == NULL) {

+ X509V3err(X509V3_F_I2V_AUTHORITY_KEYID, ERR_R_MALLOC_FAILURE);

+ goto err;

+ }

+ if (!X509V3_add_value("serial", tmp, &extlist)) {

+ OPENSSL_free(tmp);

+ X509V3err(X509V3_F_I2V_AUTHORITY_KEYID, ERR_R_X509_LIB);

+ goto err;

+ }

OPENSSL_free(tmp);

}

return extlist;

+ err:

+ if (origextlist == NULL)

+ sk_CONF_VALUE_pop_free(extlist, X509V3_conf_free);

+ return NULL;

}

/*-

diff --git a/crypto/x509v3/v3_alt.c b/crypto/x509v3/v3_alt.c
index 4dce0041012e..7c32d4031d11 100644
--- a/crypto/x509v3/v3_alt.c
+++ b/crypto/x509v3/v3_alt.c

@@ -1,5 +1,5 @@

* Licensed under the OpenSSL license (the "License"). You may not use

* this file except in compliance with the License. You can obtain a copy

@@ -9,6 +9,7 @@

#include <stdio.h>

#include "internal/cryptlib.h"

+#include "crypto/x509.h"

#include <openssl/conf.h>

#include <openssl/x509v3.h>

#include "ext_dat.h"

@@ -99,17 +100,20 @@ STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(X509V3_EXT_METHOD *method,

break;

case GEN_EMAIL:

- if (!X509V3_add_value_uchar("email", gen->d.ia5->data, &ret))

+ if (!x509v3_add_len_value_uchar("email", gen->d.ia5->data,

+ gen->d.ia5->length, &ret))

return NULL;

break;

case GEN_DNS:

- if (!X509V3_add_value_uchar("DNS", gen->d.ia5->data, &ret))

+ if (!x509v3_add_len_value_uchar("DNS", gen->d.ia5->data,

+ gen->d.ia5->length, &ret))

return NULL;

break;

case GEN_URI:

- if (!X509V3_add_value_uchar("URI", gen->d.ia5->data, &ret))

+ if (!x509v3_add_len_value_uchar("URI", gen->d.ia5->data,

+ gen->d.ia5->length, &ret))

return NULL;

break;

diff --git a/crypto/x509v3/v3_cpols.c b/crypto/x509v3/v3_cpols.c
index 1d12c899125c..09804b58482c 100644
--- a/crypto/x509v3/v3_cpols.c
+++ b/crypto/x509v3/v3_cpols.c

@@ -1,5 +1,5 @@

* Licensed under the OpenSSL license (the "License"). You may not use

* this file except in compliance with the License. You can obtain a copy

@@ -422,7 +422,8 @@ static void print_qualifiers(BIO *out, STACK_OF(POLICYQUALINFO) *quals,

qualinfo = sk_POLICYQUALINFO_value(quals, i);

switch (OBJ_obj2nid(qualinfo->pqualid)) {

case NID_id_qt_cps:

- BIO_printf(out, "%*sCPS: %s\n", indent, "",

+ BIO_printf(out, "%*sCPS: %.*s\n", indent, "",

+ qualinfo->d.cpsuri->length,

qualinfo->d.cpsuri->data);

break;

@@ -447,7 +448,8 @@ static void print_notice(BIO *out, USERNOTICE *notice, int indent)

if (notice->noticeref) {

NOTICEREF *ref;

ref = notice->noticeref;

- BIO_printf(out, "%*sOrganization: %s\n", indent, "",

+ BIO_printf(out, "%*sOrganization: %.*s\n", indent, "",

+ ref->organization->length,

ref->organization->data);

BIO_printf(out, "%*sNumber%s: ", indent, "",

sk_ASN1_INTEGER_num(ref->noticenos) > 1 ? "s" : "");

@@ -470,7 +472,8 @@ static void print_notice(BIO *out, USERNOTICE *notice, int indent)

BIO_puts(out, "\n");

}

if (notice->exptext)

- BIO_printf(out, "%*sExplicit Text: %s\n", indent, "",

+ BIO_printf(out, "%*sExplicit Text: %.*s\n", indent, "",

+ notice->exptext->length,

notice->exptext->data);

}

diff --git a/crypto/x509v3/v3_ncons.c b/crypto/x509v3/v3_ncons.c
index 2a7b4f0992a8..d985aa91dacd 100644
--- a/crypto/x509v3/v3_ncons.c
+++ b/crypto/x509v3/v3_ncons.c

@@ -1,5 +1,5 @@

* Licensed under the OpenSSL license (the "License"). You may not use

* this file except in compliance with the License. You can obtain a copy

@@ -63,8 +63,31 @@ ASN1_SEQUENCE(NAME_CONSTRAINTS) = {

IMPLEMENT_ASN1_ALLOC_FUNCTIONS(GENERAL_SUBTREE)

IMPLEMENT_ASN1_ALLOC_FUNCTIONS(NAME_CONSTRAINTS)

+#define IA5_OFFSET_LEN(ia5base, offset) \

+ ((ia5base)->length - ((unsigned char *)(offset) - (ia5base)->data))

+/* Like memchr but for ASN1_IA5STRING. Additionally you can specify the

+ * starting point to search from

+ */

+# define ia5memchr(str, start, c) memchr(start, c, IA5_OFFSET_LEN(str, start))

+/* Like memrrchr but for ASN1_IA5STRING */

+static char *ia5memrchr(ASN1_IA5STRING *str, int c)

+ int i;

+ for (i = str->length; i > 0 && str->data[i - 1] != c; i--);

+ if (i == 0)

+ return NULL;

+ return (char *)&str->data[i - 1];

- * We cannot use strncasecmp here because that applies locale specific rules.

+ * We cannot use strncasecmp here because that applies locale specific rules. It

+ * also doesn't work with ASN1_STRINGs that may have embedded NUL characters.

* For example in Turkish 'I' is not the uppercase character for 'i'. We need to

* do a simple ASCII case comparison ignoring the locale (that is why we use

* numeric constants below).

@@ -89,20 +112,12 @@ static int ia5ncasecmp(const char *s1, const char *s2, size_t n)

/* c1 > c2 */

return 1;

- } else if (*s1 == 0) {

- /* If we get here we know that *s2 == 0 too */

- return 0;

}

return 0;

}

-static int ia5casecmp(const char *s1, const char *s2)

- return ia5ncasecmp(s1, s2, SIZE_MAX);

static void *v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method,

X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)

{

@@ -337,7 +352,7 @@ static int cn2dnsid(ASN1_STRING *cn, unsigned char **dnsid, size_t *idlen)

--utf8_length;

/* Reject *embedded* NULs */

- if ((size_t)utf8_length != strlen((char *)utf8_value)) {

+ if (memchr(utf8_value, 0, utf8_length) != NULL) {

OPENSSL_free(utf8_value);

return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;

}

@@ -536,9 +551,14 @@ static int nc_dns(ASN1_IA5STRING *dns, ASN1_IA5STRING *base)

{

char *baseptr = (char *)base->data;

char *dnsptr = (char *)dns->data;

/* Empty matches everything */

- if (!*baseptr)

+ if (base->length == 0)

return X509_V_OK;

+ if (dns->length < base->length)

+ return X509_V_ERR_PERMITTED_VIOLATION;

* Otherwise can add zero or more components on the left so compare RHS

* and if dns is longer and expect '.' as preceding character.

@@ -549,7 +569,7 @@ static int nc_dns(ASN1_IA5STRING *dns, ASN1_IA5STRING *base)

return X509_V_ERR_PERMITTED_VIOLATION;

}

- if (ia5casecmp(baseptr, dnsptr))

+ if (ia5ncasecmp(baseptr, dnsptr, base->length))

return X509_V_ERR_PERMITTED_VIOLATION;

return X509_V_OK;

@@ -560,16 +580,17 @@ static int nc_email(ASN1_IA5STRING *eml, ASN1_IA5STRING *base)

{

const char *baseptr = (char *)base->data;

const char *emlptr = (char *)eml->data;

+ const char *baseat = ia5memrchr(base, '@');

+ const char *emlat = ia5memrchr(eml, '@');

+ size_t basehostlen, emlhostlen;

- const char *baseat = strchr(baseptr, '@');

- const char *emlat = strchr(emlptr, '@');

if (!emlat)

return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;

/* Special case: initial '.' is RHS match */

- if (!baseat && (*baseptr == '.')) {

+ if (!baseat && base->length > 0 && (*baseptr == '.')) {

if (eml->length > base->length) {

emlptr += eml->length - base->length;

- if (ia5casecmp(baseptr, emlptr) == 0)

+ if (ia5ncasecmp(baseptr, emlptr, base->length) == 0)

return X509_V_OK;

}

return X509_V_ERR_PERMITTED_VIOLATION;

@@ -589,8 +610,10 @@ static int nc_email(ASN1_IA5STRING *eml, ASN1_IA5STRING *base)

baseptr = baseat + 1;

}

emlptr = emlat + 1;

+ basehostlen = IA5_OFFSET_LEN(base, baseptr);

+ emlhostlen = IA5_OFFSET_LEN(eml, emlptr);

/* Just have hostname left to match: case insensitive */

- if (ia5casecmp(baseptr, emlptr))

+ if (basehostlen != emlhostlen || ia5ncasecmp(baseptr, emlptr, emlhostlen))

return X509_V_ERR_PERMITTED_VIOLATION;

return X509_V_OK;

@@ -601,10 +624,14 @@ static int nc_uri(ASN1_IA5STRING *uri, ASN1_IA5STRING *base)

{

const char *baseptr = (char *)base->data;

const char *hostptr = (char *)uri->data;

- const char *p = strchr(hostptr, ':');

+ const char *p = ia5memchr(uri, (char *)uri->data, ':');

int hostlen;

/* Check for foo:// and skip past it */

- if (!p || (p[1] != '/') || (p[2] != '/'))

+ if (p == NULL

+ || IA5_OFFSET_LEN(uri, p) < 3

+ || p[1] != '/'

+ || p[2] != '/')

return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;

hostptr = p + 3;

@@ -612,13 +639,13 @@ static int nc_uri(ASN1_IA5STRING *uri, ASN1_IA5STRING *base)

/* Look for a port indicator as end of hostname first */

- p = strchr(hostptr, ':');

+ p = ia5memchr(uri, hostptr, ':');

/* Otherwise look for trailing slash */

- if (!p)

- p = strchr(hostptr, '/');

+ if (p == NULL)

+ p = ia5memchr(uri, hostptr, '/');

- if (!p)

- hostlen = strlen(hostptr);

+ if (p == NULL)

+ hostlen = IA5_OFFSET_LEN(uri, hostptr);

else

hostlen = p - hostptr;

@@ -626,7 +653,7 @@ static int nc_uri(ASN1_IA5STRING *uri, ASN1_IA5STRING *base)

return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;

/* Special case: initial '.' is RHS match */

- if (*baseptr == '.') {

+ if (base->length > 0 && *baseptr == '.') {

if (hostlen > base->length) {

p = hostptr + hostlen - base->length;

if (ia5ncasecmp(p, baseptr, base->length) == 0)

diff --git a/crypto/x509v3/v3_pci.c b/crypto/x509v3/v3_pci.c
index 3d124fa6d95d..532d4e192fec 100644
--- a/crypto/x509v3/v3_pci.c
+++ b/crypto/x509v3/v3_pci.c

@@ -1,5 +1,5 @@

* Licensed under the OpenSSL license (the "License"). You may not use

* this file except in compliance with the License. You can obtain a copy

@@ -77,7 +77,8 @@ static int i2r_pci(X509V3_EXT_METHOD *method, PROXY_CERT_INFO_EXTENSION *pci,

i2a_ASN1_OBJECT(out, pci->proxyPolicy->policyLanguage);

BIO_puts(out, "\n");

if (pci->proxyPolicy->policy && pci->proxyPolicy->policy->data)

- BIO_printf(out, "%*sPolicy Text: %s\n", indent, "",

+ BIO_printf(out, "%*sPolicy Text: %.*s\n", indent, "",

+ pci->proxyPolicy->policy->length,

pci->proxyPolicy->policy->data);

return 1;

}

diff --git a/crypto/x509v3/v3_utl.c b/crypto/x509v3/v3_utl.c
index 7281a7b917a8..f41c699b5af0 100644
--- a/crypto/x509v3/v3_utl.c
+++ b/crypto/x509v3/v3_utl.c

@@ -1,5 +1,5 @@

* Licensed under the OpenSSL license (the "License"). You may not use

* this file except in compliance with the License. You can obtain a copy

@@ -12,6 +12,7 @@

#include "e_os.h"

#include "internal/cryptlib.h"

#include <stdio.h>

+#include <string.h>

#include "crypto/ctype.h"

#include <openssl/conf.h>

#include <openssl/crypto.h>

@@ -34,17 +35,26 @@ static int ipv6_hex(unsigned char *out, const char *in, int inlen);

/* Add a CONF_VALUE name value pair to stack */

-int X509V3_add_value(const char *name, const char *value,

- STACK_OF(CONF_VALUE) **extlist)

+static int x509v3_add_len_value(const char *name, const char *value,

+ size_t vallen, STACK_OF(CONF_VALUE) **extlist)

{

CONF_VALUE *vtmp = NULL;

char *tname = NULL, *tvalue = NULL;

int sk_allocated = (*extlist == NULL);

- if (name && (tname = OPENSSL_strdup(name)) == NULL)

- goto err;

- if (value && (tvalue = OPENSSL_strdup(value)) == NULL)

+ if (name != NULL && (tname = OPENSSL_strdup(name)) == NULL)

goto err;

+ if (value != NULL && vallen > 0) {

+ /*

+ * We tolerate a single trailing NUL character, but otherwise no

+ * embedded NULs

+ */

+ if (memchr(value, 0, vallen - 1) != NULL)

+ goto err;

+ tvalue = OPENSSL_strndup(value, vallen);

+ if (tvalue == NULL)

+ goto err;

+ }

if ((vtmp = OPENSSL_malloc(sizeof(*vtmp))) == NULL)

goto err;

if (sk_allocated && (*extlist = sk_CONF_VALUE_new_null()) == NULL)

@@ -56,7 +66,7 @@ int X509V3_add_value(const char *name, const char *value,

goto err;

return 1;

err:

- X509V3err(X509V3_F_X509V3_ADD_VALUE, ERR_R_MALLOC_FAILURE);

+ X509V3err(X509V3_F_X509V3_ADD_LEN_VALUE, ERR_R_MALLOC_FAILURE);

if (sk_allocated) {

sk_CONF_VALUE_free(*extlist);

*extlist = NULL;

@@ -67,10 +77,26 @@ int X509V3_add_value(const char *name, const char *value,

return 0;

}

+int X509V3_add_value(const char *name, const char *value,

+ STACK_OF(CONF_VALUE) **extlist)

+ return x509v3_add_len_value(name, value,

+ value != NULL ? strlen((const char *)value) : 0,

+ extlist);

int X509V3_add_value_uchar(const char *name, const unsigned char *value,

STACK_OF(CONF_VALUE) **extlist)

{

- return X509V3_add_value(name, (const char *)value, extlist);

+ return x509v3_add_len_value(name, (const char *)value,

+ value != NULL ? strlen((const char *)value) : 0,

+ extlist);

+int x509v3_add_len_value_uchar(const char *name, const unsigned char *value,

+ size_t vallen, STACK_OF(CONF_VALUE) **extlist)

+ return x509v3_add_len_value(name, (const char *)value, vallen, extlist);

}

/* Free function for STACK_OF(CONF_VALUE) */

@@ -502,18 +528,26 @@ static int append_ia5(STACK_OF(OPENSSL_STRING) **sk, const ASN1_IA5STRING *email

/* First some sanity checks */

if (email->type != V_ASN1_IA5STRING)

return 1;

- if (!email->data || !email->length)

+ if (email->data == NULL || email->length == 0)

+ return 1;

+ if (memchr(email->data, 0, email->length) != NULL)

return 1;

if (*sk == NULL)

*sk = sk_OPENSSL_STRING_new(sk_strcmp);

if (*sk == NULL)

return 0;

+ emtmp = OPENSSL_strndup((char *)email->data, email->length);

+ if (emtmp == NULL)

+ return 0;

/* Don't add duplicates */

- if (sk_OPENSSL_STRING_find(*sk, (char *)email->data) != -1)

+ if (sk_OPENSSL_STRING_find(*sk, emtmp) != -1) {

+ OPENSSL_free(emtmp);

return 1;

- emtmp = OPENSSL_strdup((char *)email->data);

- if (emtmp == NULL || !sk_OPENSSL_STRING_push(*sk, emtmp)) {

- OPENSSL_free(emtmp); /* free on push failure */

+ }

+ if (!sk_OPENSSL_STRING_push(*sk, emtmp)) {

+ OPENSSL_free(emtmp); /* free on push failure */

X509_email_free(*sk);

*sk = NULL;

return 0;

diff --git a/crypto/x509v3/v3err.c b/crypto/x509v3/v3err.c
index 4f2ea52a4a5f..8b2918a64fff 100644
--- a/crypto/x509v3/v3err.c
+++ b/crypto/x509v3/v3err.c

@@ -1,6 +1,6 @@

* Generated by util/mkerr.pl DO NOT EDIT

* Licensed under the OpenSSL license (the "License"). You may not use

* this file except in compliance with the License. You can obtain a copy

@@ -39,6 +39,8 @@ static const ERR_STRING_DATA X509V3_str_functs[] = {

"i2s_ASN1_INTEGER"},

{ERR_PACK(ERR_LIB_X509V3, X509V3_F_I2V_AUTHORITY_INFO_ACCESS, 0),

"i2v_AUTHORITY_INFO_ACCESS"},

+ {ERR_PACK(ERR_LIB_X509V3, X509V3_F_I2V_AUTHORITY_KEYID, 0),

+ "i2v_AUTHORITY_KEYID"},

{ERR_PACK(ERR_LIB_X509V3, X509V3_F_LEVEL_ADD_NODE, 0), "level_add_node"},

{ERR_PACK(ERR_LIB_X509V3, X509V3_F_NOTICE_SECTION, 0), "notice_section"},

{ERR_PACK(ERR_LIB_X509V3, X509V3_F_NREF_NOS, 0), "nref_nos"},

@@ -104,6 +106,8 @@ static const ERR_STRING_DATA X509V3_str_functs[] = {

{ERR_PACK(ERR_LIB_X509V3, X509V3_F_V3_GENERIC_EXTENSION, 0),

"v3_generic_extension"},

{ERR_PACK(ERR_LIB_X509V3, X509V3_F_X509V3_ADD1_I2D, 0), "X509V3_add1_i2d"},

+ {ERR_PACK(ERR_LIB_X509V3, X509V3_F_X509V3_ADD_LEN_VALUE, 0),

+ "x509v3_add_len_value"},

{ERR_PACK(ERR_LIB_X509V3, X509V3_F_X509V3_ADD_VALUE, 0),

"X509V3_add_value"},

{ERR_PACK(ERR_LIB_X509V3, X509V3_F_X509V3_EXT_ADD, 0), "X509V3_EXT_add"},