diff options
| author | Peter Jones <pjones@redhat.com> | 2017-08-31 13:57:30 -0400 |
|---|---|---|
| committer | Peter Jones <pjones@redhat.com> | 2017-08-31 15:13:58 -0400 |
| commit | 1d39ada8cb336d9e7c156be7526b674851fbdd40 (patch) | |
| tree | dc497e33b1d4830bf58d79dedc3026087f31f044 /Cryptlib/OpenSSL/crypto/x509v3/v3_addr.c | |
| parent | eae64276ffe0361d2b4087c48390d12f157f65f0 (diff) | |
| download | efi-boot-shim-1d39ada8cb336d9e7c156be7526b674851fbdd40.tar.gz efi-boot-shim-1d39ada8cb336d9e7c156be7526b674851fbdd40.zip | |
Revert lots of Cryptlib updates.
OpenSSL changes quite a bit of the key validation, and most of the keys
I can find in the wild aren't marked as trusted by the new checker.
Intel noticed this too: https://github.com/vathpela/edk2/commit/f536d7c3ed
but instead of fixing the compatibility error, they switched their test
data to match the bug.
So that's pretty broken.
For now, I'm reverting OpenSSL 1.1.0e, because we need those certs in
the wild to work.
This reverts commit 513cbe2aea689bf968f171f894f3d4cdb43524d5.
This reverts commit e9cc33d6f2b7f35c6f5e349fd83fb9ae0bc66226.
This reverts commit 80d49f758ead0180bfe6161931838e0578248303.
This reverts commit 9bc647e2b23bcfd69a0077c0717fbc454c919a57.
This reverts commit ae75df6232ad30f3e8736e9449692d58a7439260.
This reverts commit e883479f35644d17db7efed710657c8543cfcb68.
This reverts commit 97469449fda5ba933a64280917e776487301a127.
This reverts commit e39692647f78e13d757ddbfdd36f440d5f526050.
This reverts commit 0f3dfc01e2d5e7df882c963dd8dc4a0dfbfc96ad.
This reverts commit 4da6ac819510c7cc4ba21d7a735d69b45daa5873.
This reverts commit d064bd7eef201f26cb926450a76260b5187ac689.
This reverts commit 9bc86cfd6f9387f0da9d5c0102b6aa5627e91c91.
This reverts commit ab9a05a10f16b33f7ee1e9da360c7801eebdb9d2.
Signed-off-by: Peter Jones <pjones@redhat.com>
Diffstat (limited to 'Cryptlib/OpenSSL/crypto/x509v3/v3_addr.c')
| -rw-r--r-- | Cryptlib/OpenSSL/crypto/x509v3/v3_addr.c | 179 |
1 files changed, 112 insertions, 67 deletions
diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_addr.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_addr.c index ef1d775a..1290dec9 100644 --- a/Cryptlib/OpenSSL/crypto/x509v3/v3_addr.c +++ b/Cryptlib/OpenSSL/crypto/x509v3/v3_addr.c @@ -1,10 +1,58 @@ /* - * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved. + * Contributed to the OpenSSL Project by the American Registry for + * Internet Numbers ("ARIN"). + */ +/* ==================================================================== + * Copyright (c) 2006 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). */ /* @@ -14,14 +62,12 @@ #include <stdio.h> #include <stdlib.h> -#include "internal/cryptlib.h" +#include "cryptlib.h" #include <openssl/conf.h> #include <openssl/asn1.h> #include <openssl/asn1t.h> #include <openssl/buffer.h> #include <openssl/x509v3.h> -#include "internal/x509_int.h" -#include "ext_dat.h" #ifndef OPENSSL_NO_RFC3779 @@ -52,7 +98,7 @@ ASN1_SEQUENCE(IPAddressFamily) = { ASN1_ITEM_TEMPLATE(IPAddrBlocks) = ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, IPAddrBlocks, IPAddressFamily) -static_ASN1_ITEM_TEMPLATE_END(IPAddrBlocks) +ASN1_ITEM_TEMPLATE_END(IPAddrBlocks) IMPLEMENT_ASN1_FUNCTIONS(IPAddressRange) IMPLEMENT_ASN1_FUNCTIONS(IPAddressOrRange) @@ -62,7 +108,7 @@ IMPLEMENT_ASN1_FUNCTIONS(IPAddressFamily) /* * How much buffer space do we need for a raw address? */ -#define ADDR_RAW_BUF_LEN 16 +# define ADDR_RAW_BUF_LEN 16 /* * What's the address length associated with this AFI? @@ -82,7 +128,7 @@ static int length_from_afi(const unsigned afi) /* * Extract the AFI from an IPAddressFamily. */ -unsigned int X509v3_addr_get_afi(const IPAddressFamily *f) +unsigned int v3_addr_get_afi(const IPAddressFamily *f) { return ((f != NULL && f->addressFamily != NULL && f->addressFamily->data != NULL) @@ -117,7 +163,7 @@ static int addr_expand(unsigned char *addr, /* * Extract the prefix length from a bitstring. */ -#define addr_prefixlen(bs) ((int) ((bs)->length * 8 - ((bs)->flags & 7))) +# define addr_prefixlen(bs) ((int) ((bs)->length * 8 - ((bs)->flags & 7))) /* * i2r handler for one address bitstring. @@ -200,7 +246,7 @@ static int i2r_IPAddrBlocks(const X509V3_EXT_METHOD *method, int i; for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { IPAddressFamily *f = sk_IPAddressFamily_value(addr, i); - const unsigned int afi = X509v3_addr_get_afi(f); + const unsigned int afi = v3_addr_get_afi(f); switch (afi) { case IANA_AFI_IPV4: BIO_printf(out, "%*sIPv4", indent, ""); @@ -312,7 +358,7 @@ static int IPAddressOrRange_cmp(const IPAddressOrRange *a, /* * IPv4-specific closure over IPAddressOrRange_cmp, since sk_sort() - * comparison routines are only allowed two arguments. + * comparision routines are only allowed two arguments. */ static int v4IPAddressOrRange_cmp(const IPAddressOrRange *const *a, const IPAddressOrRange *const *b) @@ -322,7 +368,7 @@ static int v4IPAddressOrRange_cmp(const IPAddressOrRange *const *a, /* * IPv6-specific closure over IPAddressOrRange_cmp, since sk_sort() - * comparison routines are only allowed two arguments. + * comparision routines are only allowed two arguments. */ static int v6IPAddressOrRange_cmp(const IPAddressOrRange *const *a, const IPAddressOrRange *const *b) @@ -482,7 +528,7 @@ static IPAddressFamily *make_IPAddressFamily(IPAddrBlocks *addr, { IPAddressFamily *f; unsigned char key[3]; - int keylen; + unsigned keylen; int i; key[0] = (afi >> 8) & 0xFF; @@ -525,8 +571,8 @@ static IPAddressFamily *make_IPAddressFamily(IPAddrBlocks *addr, /* * Add an inheritance element. */ -int X509v3_addr_add_inherit(IPAddrBlocks *addr, - const unsigned afi, const unsigned *safi) +int v3_addr_add_inherit(IPAddrBlocks *addr, + const unsigned afi, const unsigned *safi) { IPAddressFamily *f = make_IPAddressFamily(addr, afi, safi); if (f == NULL || @@ -581,10 +627,10 @@ static IPAddressOrRanges *make_prefix_or_range(IPAddrBlocks *addr, /* * Add a prefix. */ -int X509v3_addr_add_prefix(IPAddrBlocks *addr, - const unsigned afi, - const unsigned *safi, - unsigned char *a, const int prefixlen) +int v3_addr_add_prefix(IPAddrBlocks *addr, + const unsigned afi, + const unsigned *safi, + unsigned char *a, const int prefixlen) { IPAddressOrRanges *aors = make_prefix_or_range(addr, afi, safi); IPAddressOrRange *aor; @@ -599,10 +645,10 @@ int X509v3_addr_add_prefix(IPAddrBlocks *addr, /* * Add a range. */ -int X509v3_addr_add_range(IPAddrBlocks *addr, - const unsigned afi, - const unsigned *safi, - unsigned char *min, unsigned char *max) +int v3_addr_add_range(IPAddrBlocks *addr, + const unsigned afi, + const unsigned *safi, + unsigned char *min, unsigned char *max) { IPAddressOrRanges *aors = make_prefix_or_range(addr, afi, safi); IPAddressOrRange *aor; @@ -639,10 +685,10 @@ static int extract_min_max(IPAddressOrRange *aor, /* * Public wrapper for extract_min_max(). */ -int X509v3_addr_get_range(IPAddressOrRange *aor, - const unsigned afi, - unsigned char *min, - unsigned char *max, const int length) +int v3_addr_get_range(IPAddressOrRange *aor, + const unsigned afi, + unsigned char *min, + unsigned char *max, const int length) { int afi_length = length_from_afi(afi); if (aor == NULL || min == NULL || max == NULL || @@ -656,7 +702,7 @@ int X509v3_addr_get_range(IPAddressOrRange *aor, } /* - * Sort comparison function for a sequence of IPAddressFamily. + * Sort comparision function for a sequence of IPAddressFamily. * * The last paragraph of RFC 3779 2.2.3.3 is slightly ambiguous about * the ordering: I can read it as meaning that IPv6 without a SAFI @@ -678,7 +724,7 @@ static int IPAddressFamily_cmp(const IPAddressFamily *const *a_, /* * Check whether an IPAddrBLocks is in canonical form. */ -int X509v3_addr_is_canonical(IPAddrBlocks *addr) +int v3_addr_is_canonical(IPAddrBlocks *addr) { unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN]; unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN]; @@ -686,7 +732,7 @@ int X509v3_addr_is_canonical(IPAddrBlocks *addr) int i, j, k; /* - * Empty extension is canonical. + * Empty extension is cannonical. */ if (addr == NULL) return 1; @@ -706,7 +752,7 @@ int X509v3_addr_is_canonical(IPAddrBlocks *addr) */ for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { IPAddressFamily *f = sk_IPAddressFamily_value(addr, i); - int length = length_from_afi(X509v3_addr_get_afi(f)); + int length = length_from_afi(v3_addr_get_afi(f)); /* * Inheritance is canonical. Anything other than inheritance or @@ -849,8 +895,7 @@ static int IPAddressOrRanges_canonize(IPAddressOrRanges *aors, IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j); if (a != NULL && a->type == IPAddressOrRange_addressRange) { unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN]; - if (!extract_min_max(a, a_min, a_max, length)) - return 0; + extract_min_max(a, a_min, a_max, length); if (memcmp(a_min, a_max, length) > 0) return 0; } @@ -862,7 +907,7 @@ static int IPAddressOrRanges_canonize(IPAddressOrRanges *aors, /* * Whack an IPAddrBlocks extension into canonical form. */ -int X509v3_addr_canonize(IPAddrBlocks *addr) +int v3_addr_canonize(IPAddrBlocks *addr) { int i; for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { @@ -870,12 +915,12 @@ int X509v3_addr_canonize(IPAddrBlocks *addr) if (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges && !IPAddressOrRanges_canonize(f->ipAddressChoice-> u.addressesOrRanges, - X509v3_addr_get_afi(f))) + v3_addr_get_afi(f))) return 0; } (void)sk_IPAddressFamily_set_cmp_func(addr, IPAddressFamily_cmp); sk_IPAddressFamily_sort(addr); - OPENSSL_assert(X509v3_addr_is_canonical(addr)); + OPENSSL_assert(v3_addr_is_canonical(addr)); return 1; } @@ -901,7 +946,7 @@ static void *v2i_IPAddrBlocks(const struct v3_ext_method *method, CONF_VALUE *val = sk_CONF_VALUE_value(values, i); unsigned char min[ADDR_RAW_BUF_LEN], max[ADDR_RAW_BUF_LEN]; unsigned afi, *safi = NULL, safi_; - const char *addr_chars = NULL; + const char *addr_chars; int prefixlen, i1, i2, delim, length; if (!name_cmp(val->name, "IPv4")) { @@ -933,7 +978,7 @@ static void *v2i_IPAddrBlocks(const struct v3_ext_method *method, length = length_from_afi(afi); /* - * Handle SAFI, if any, and OPENSSL_strdup() so we can null-terminate + * Handle SAFI, if any, and BUF_strdup() so we can null-terminate * the other input values. */ if (safi != NULL) { @@ -945,9 +990,9 @@ static void *v2i_IPAddrBlocks(const struct v3_ext_method *method, goto err; } t += strspn(t, " \t"); - s = OPENSSL_strdup(t); + s = BUF_strdup(t); } else { - s = OPENSSL_strdup(val->value); + s = BUF_strdup(val->value); } if (s == NULL) { X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE); @@ -958,8 +1003,8 @@ static void *v2i_IPAddrBlocks(const struct v3_ext_method *method, * Check for inheritance. Not worth additional complexity to * optimize this (seldom-used) case. */ - if (strcmp(s, "inherit") == 0) { - if (!X509v3_addr_add_inherit(addr, afi, safi)) { + if (!strcmp(s, "inherit")) { + if (!v3_addr_add_inherit(addr, afi, safi)) { X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_INVALID_INHERITANCE); X509V3_conf_err(val); @@ -990,7 +1035,7 @@ static void *v2i_IPAddrBlocks(const struct v3_ext_method *method, X509V3_conf_err(val); goto err; } - if (!X509v3_addr_add_prefix(addr, afi, safi, min, prefixlen)) { + if (!v3_addr_add_prefix(addr, afi, safi, min, prefixlen)) { X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE); goto err; } @@ -1016,13 +1061,13 @@ static void *v2i_IPAddrBlocks(const struct v3_ext_method *method, X509V3_conf_err(val); goto err; } - if (!X509v3_addr_add_range(addr, afi, safi, min, max)) { + if (!v3_addr_add_range(addr, afi, safi, min, max)) { X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE); goto err; } break; case '\0': - if (!X509v3_addr_add_prefix(addr, afi, safi, min, length * 8)) { + if (!v3_addr_add_prefix(addr, afi, safi, min, length * 8)) { X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE); goto err; } @@ -1041,7 +1086,7 @@ static void *v2i_IPAddrBlocks(const struct v3_ext_method *method, /* * Canonize the result, then we're done. */ - if (!X509v3_addr_canonize(addr)) + if (!v3_addr_canonize(addr)) goto err; return addr; @@ -1071,7 +1116,7 @@ const X509V3_EXT_METHOD v3_addr = { /* * Figure out whether extension sues inheritance. */ -int X509v3_addr_inherits(IPAddrBlocks *addr) +int v3_addr_inherits(IPAddrBlocks *addr) { int i; if (addr == NULL) @@ -1124,12 +1169,12 @@ static int addr_contains(IPAddressOrRanges *parent, /* * Test whether a is a subset of b. */ -int X509v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b) +int v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b) { int i; if (a == NULL || a == b) return 1; - if (b == NULL || X509v3_addr_inherits(a) || X509v3_addr_inherits(b)) + if (b == NULL || v3_addr_inherits(a) || v3_addr_inherits(b)) return 0; (void)sk_IPAddressFamily_set_cmp_func(b, IPAddressFamily_cmp); for (i = 0; i < sk_IPAddressFamily_num(a); i++) { @@ -1141,7 +1186,7 @@ int X509v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b) return 0; if (!addr_contains(fb->ipAddressChoice->u.addressesOrRanges, fa->ipAddressChoice->u.addressesOrRanges, - length_from_afi(X509v3_addr_get_afi(fb)))) + length_from_afi(v3_addr_get_afi(fb)))) return 0; } return 1; @@ -1150,7 +1195,7 @@ int X509v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b) /* * Validation error handling via callback. */ -#define validation_err(_err_) \ +# define validation_err(_err_) \ do { \ if (ctx != NULL) { \ ctx->error = _err_; \ @@ -1172,9 +1217,9 @@ int X509v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b) * When returning 0, ctx->error MUST be set to an appropriate value other than * X509_V_OK. */ -static int addr_validate_path_internal(X509_STORE_CTX *ctx, - STACK_OF(X509) *chain, - IPAddrBlocks *ext) +static int v3_addr_validate_path_internal(X509_STORE_CTX *ctx, + STACK_OF(X509) *chain, + IPAddrBlocks *ext) { IPAddrBlocks *child = NULL; int i, j, ret = 1; @@ -1199,11 +1244,11 @@ static int addr_validate_path_internal(X509_STORE_CTX *ctx, if ((ext = x->rfc3779_addr) == NULL) goto done; } - if (!X509v3_addr_is_canonical(ext)) + if (!v3_addr_is_canonical(ext)) validation_err(X509_V_ERR_INVALID_EXTENSION); (void)sk_IPAddressFamily_set_cmp_func(ext, IPAddressFamily_cmp); if ((child = sk_IPAddressFamily_dup(ext)) == NULL) { - X509V3err(X509V3_F_ADDR_VALIDATE_PATH_INTERNAL, + X509V3err(X509V3_F_V3_ADDR_VALIDATE_PATH_INTERNAL, ERR_R_MALLOC_FAILURE); ctx->error = X509_V_ERR_OUT_OF_MEM; ret = 0; @@ -1217,7 +1262,7 @@ static int addr_validate_path_internal(X509_STORE_CTX *ctx, for (i++; i < sk_X509_num(chain); i++) { x = sk_X509_value(chain, i); OPENSSL_assert(x != NULL); - if (!X509v3_addr_is_canonical(x->rfc3779_addr)) + if (!v3_addr_is_canonical(x->rfc3779_addr)) validation_err(X509_V_ERR_INVALID_EXTENSION); if (x->rfc3779_addr == NULL) { for (j = 0; j < sk_IPAddressFamily_num(child); j++) { @@ -1249,7 +1294,7 @@ static int addr_validate_path_internal(X509_STORE_CTX *ctx, if (fc->ipAddressChoice->type == IPAddressChoice_inherit || addr_contains(fp->ipAddressChoice->u.addressesOrRanges, fc->ipAddressChoice->u.addressesOrRanges, - length_from_afi(X509v3_addr_get_afi(fc)))) + length_from_afi(v3_addr_get_afi(fc)))) sk_IPAddressFamily_set(child, j, fp); else validation_err(X509_V_ERR_UNNESTED_RESOURCE); @@ -1276,30 +1321,30 @@ static int addr_validate_path_internal(X509_STORE_CTX *ctx, return ret; } -#undef validation_err +# undef validation_err /* * RFC 3779 2.3 path validation -- called from X509_verify_cert(). */ -int X509v3_addr_validate_path(X509_STORE_CTX *ctx) +int v3_addr_validate_path(X509_STORE_CTX *ctx) { - return addr_validate_path_internal(ctx, ctx->chain, NULL); + return v3_addr_validate_path_internal(ctx, ctx->chain, NULL); } /* * RFC 3779 2.3 path validation of an extension. * Test whether chain covers extension. */ -int X509v3_addr_validate_resource_set(STACK_OF(X509) *chain, +int v3_addr_validate_resource_set(STACK_OF(X509) *chain, IPAddrBlocks *ext, int allow_inheritance) { if (ext == NULL) return 1; if (chain == NULL || sk_X509_num(chain) == 0) return 0; - if (!allow_inheritance && X509v3_addr_inherits(ext)) + if (!allow_inheritance && v3_addr_inherits(ext)) return 0; - return addr_validate_path_internal(NULL, chain, ext); + return v3_addr_validate_path_internal(NULL, chain, ext); } #endif /* OPENSSL_NO_RFC3779 */ |