summaryrefslogtreecommitdiff
path: root/Cryptlib/OpenSSL/crypto/x509v3
diff options
context:
space:
mode:
authorMathieu Trudel-Lapierre <mathieu.trudel-lapierre@canonical.com>2016-09-21 20:29:42 -0400
committerMathieu Trudel-Lapierre <mathieu.trudel-lapierre@canonical.com>2016-09-21 20:29:42 -0400
commit62f0afa2ecead02b1258dabab8097ca278a22f8f (patch)
tree56132d617fff7c4f05e67024ec872d88fcafa92d /Cryptlib/OpenSSL/crypto/x509v3
parentd3819813b8e0a64400ddf3ce033bae7c3f245508 (diff)
downloadefi-boot-shim-62f0afa2ecead02b1258dabab8097ca278a22f8f.tar.gz
efi-boot-shim-62f0afa2ecead02b1258dabab8097ca278a22f8f.zip
Import upstream version 0.9+1474479173.6c180c6
Diffstat (limited to 'Cryptlib/OpenSSL/crypto/x509v3')
-rw-r--r--Cryptlib/OpenSSL/crypto/x509v3/ext_dat.h2
-rw-r--r--Cryptlib/OpenSSL/crypto/x509v3/v3_cpols.c4
-rw-r--r--Cryptlib/OpenSSL/crypto/x509v3/v3_ncons.c2
-rw-r--r--Cryptlib/OpenSSL/crypto/x509v3/v3_pci.c6
-rw-r--r--Cryptlib/OpenSSL/crypto/x509v3/v3_pcia.c4
-rw-r--r--Cryptlib/OpenSSL/crypto/x509v3/v3_purp.c19
-rw-r--r--Cryptlib/OpenSSL/crypto/x509v3/v3_utl.c13
7 files changed, 32 insertions, 18 deletions
diff --git a/Cryptlib/OpenSSL/crypto/x509v3/ext_dat.h b/Cryptlib/OpenSSL/crypto/x509v3/ext_dat.h
index 01edd2af..09ebbcae 100644
--- a/Cryptlib/OpenSSL/crypto/x509v3/ext_dat.h
+++ b/Cryptlib/OpenSSL/crypto/x509v3/ext_dat.h
@@ -127,7 +127,7 @@ static const X509V3_EXT_METHOD *standard_exts[] = {
&v3_idp,
&v3_alt[2],
&v3_freshest_crl,
-#ifndef OPENSSL_SYS_UEFI
+#ifndef OPENSSL_NO_SCT
&v3_ct_scts[0],
&v3_ct_scts[1],
#endif
diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_cpols.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_cpols.c
index 0febc1b3..d97f6226 100644
--- a/Cryptlib/OpenSSL/crypto/x509v3/v3_cpols.c
+++ b/Cryptlib/OpenSSL/crypto/x509v3/v3_cpols.c
@@ -186,6 +186,10 @@ static STACK_OF(POLICYINFO) *r2i_certpol(X509V3_EXT_METHOD *method,
goto err;
}
pol = POLICYINFO_new();
+ if (pol == NULL) {
+ X509V3err(X509V3_F_R2I_CERTPOL, ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
pol->policyid = pobj;
}
if (!sk_POLICYINFO_push(pols, pol)) {
diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_ncons.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_ncons.c
index b97ed271..28552696 100644
--- a/Cryptlib/OpenSSL/crypto/x509v3/v3_ncons.c
+++ b/Cryptlib/OpenSSL/crypto/x509v3/v3_ncons.c
@@ -132,6 +132,8 @@ static void *v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method,
}
tval.value = val->value;
sub = GENERAL_SUBTREE_new();
+ if (sub == NULL)
+ goto memerr;
if (!v2i_GENERAL_NAME_ex(sub->base, method, ctx, &tval, 1))
goto err;
if (!*ptree)
diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_pci.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_pci.c
index fe0d8063..12f12a76 100644
--- a/Cryptlib/OpenSSL/crypto/x509v3/v3_pci.c
+++ b/Cryptlib/OpenSSL/crypto/x509v3/v3_pci.c
@@ -1,9 +1,9 @@
-/* v3_pci.c -*- mode:C; c-file-style: "eay" -*- */
+/* v3_pci.c */
/*
* Contributed to the OpenSSL Project 2004 by Richard Levitte
* (richard@levitte.org)
*/
-/* Copyright (c) 2004 Kungliga Tekniska Högskolan
+/* Copyright (c) 2004 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -149,6 +149,7 @@ static int process_pci_value(CONF_VALUE *val,
goto err;
}
OPENSSL_free(tmp_data2);
+#ifndef OPENSSL_NO_STDIO
} else if (strncmp(val->value, "file:", 5) == 0) {
unsigned char buf[2048];
int n;
@@ -181,6 +182,7 @@ static int process_pci_value(CONF_VALUE *val,
X509V3_conf_err(val);
goto err;
}
+#endif /* !OPENSSL_NO_STDIO */
} else if (strncmp(val->value, "text:", 5) == 0) {
val_len = strlen(val->value + 5);
tmp_data = OPENSSL_realloc((*policy)->data,
diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_pcia.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_pcia.c
index 350b3988..e53c82e8 100644
--- a/Cryptlib/OpenSSL/crypto/x509v3/v3_pcia.c
+++ b/Cryptlib/OpenSSL/crypto/x509v3/v3_pcia.c
@@ -1,9 +1,9 @@
-/* v3_pcia.c -*- mode:C; c-file-style: "eay" -*- */
+/* v3_pcia.c */
/*
* Contributed to the OpenSSL Project 2004 by Richard Levitte
* (richard@levitte.org)
*/
-/* Copyright (c) 2004 Kungliga Tekniska Högskolan
+/* Copyright (c) 2004 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_purp.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_purp.c
index 36b0d87a..845be673 100644
--- a/Cryptlib/OpenSSL/crypto/x509v3/v3_purp.c
+++ b/Cryptlib/OpenSSL/crypto/x509v3/v3_purp.c
@@ -380,6 +380,14 @@ static void setup_crldp(X509 *x)
setup_dp(x, sk_DIST_POINT_value(x->crldp, i));
}
+#define V1_ROOT (EXFLAG_V1|EXFLAG_SS)
+#define ku_reject(x, usage) \
+ (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage)))
+#define xku_reject(x, usage) \
+ (((x)->ex_flags & EXFLAG_XKUSAGE) && !((x)->ex_xkusage & (usage)))
+#define ns_reject(x, usage) \
+ (((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage)))
+
static void x509v3_cache_extensions(X509 *x)
{
BASIC_CONSTRAINTS *bs;
@@ -499,7 +507,8 @@ static void x509v3_cache_extensions(X509 *x)
if (!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x))) {
x->ex_flags |= EXFLAG_SI;
/* If SKID matches AKID also indicate self signed */
- if (X509_check_akid(x, x->akid) == X509_V_OK)
+ if (X509_check_akid(x, x->akid) == X509_V_OK &&
+ !ku_reject(x, KU_KEY_CERT_SIGN))
x->ex_flags |= EXFLAG_SS;
}
x->altname = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
@@ -538,14 +547,6 @@ static void x509v3_cache_extensions(X509 *x)
* 4 basicConstraints absent but keyUsage present and keyCertSign asserted.
*/
-#define V1_ROOT (EXFLAG_V1|EXFLAG_SS)
-#define ku_reject(x, usage) \
- (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage)))
-#define xku_reject(x, usage) \
- (((x)->ex_flags & EXFLAG_XKUSAGE) && !((x)->ex_xkusage & (usage)))
-#define ns_reject(x, usage) \
- (((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage)))
-
static int check_ca(const X509 *x)
{
/* keyUsage if present should allow cert signing */
diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_utl.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_utl.c
index bdd7b95f..43b9cb9c 100644
--- a/Cryptlib/OpenSSL/crypto/x509v3/v3_utl.c
+++ b/Cryptlib/OpenSSL/crypto/x509v3/v3_utl.c
@@ -841,7 +841,8 @@ static const unsigned char *valid_star(const unsigned char *p, size_t len,
state = LABEL_START;
++dots;
} else if (p[i] == '-') {
- if ((state & LABEL_HYPHEN) != 0)
+ /* no domain/subdomain starts with '-' */
+ if ((state & LABEL_START) != 0)
return NULL;
state |= LABEL_HYPHEN;
} else
@@ -926,7 +927,7 @@ static int do_x509_check(X509 *x, const char *chk, size_t chklen,
GENERAL_NAMES *gens = NULL;
X509_NAME *name = NULL;
int i;
- int cnid;
+ int cnid = NID_undef;
int alt_type;
int san_present = 0;
int rv = 0;
@@ -949,7 +950,6 @@ static int do_x509_check(X509 *x, const char *chk, size_t chklen,
else
equal = equal_wildcard;
} else {
- cnid = 0;
alt_type = V_ASN1_OCTET_STRING;
equal = equal_case;
}
@@ -980,11 +980,16 @@ static int do_x509_check(X509 *x, const char *chk, size_t chklen,
GENERAL_NAMES_free(gens);
if (rv != 0)
return rv;
- if (!cnid
+ if (cnid == NID_undef
|| (san_present
&& !(flags & X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT)))
return 0;
}
+
+ /* We're done if CN-ID is not pertinent */
+ if (cnid == NID_undef)
+ return 0;
+
i = -1;
name = X509_get_subject_name(x);
while ((i = X509_NAME_get_index_by_NID(name, cnid, i)) >= 0) {
generated by cgit v1.2.3 (git 2.39.1) at 2025-12-17 07:02:04 +0000