Update from HEAD.
		@@ -394,7 +394,7 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
 | 
				
			|||||||
#ifdef OPENSSL_NO_CHAIN_VERIFY
 | 
					#ifdef OPENSSL_NO_CHAIN_VERIFY
 | 
				
			||||||
	return 1;
 | 
						return 1;
 | 
				
			||||||
#else
 | 
					#else
 | 
				
			||||||
	int i, ok=0, must_be_ca;
 | 
						int i, ok=0, must_be_ca, plen = 0;
 | 
				
			||||||
	X509 *x;
 | 
						X509 *x;
 | 
				
			||||||
	int (*cb)(int xok,X509_STORE_CTX *xctx);
 | 
						int (*cb)(int xok,X509_STORE_CTX *xctx);
 | 
				
			||||||
	int proxy_path_length = 0;
 | 
						int proxy_path_length = 0;
 | 
				
			||||||
@@ -495,9 +495,10 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
 | 
				
			|||||||
				if (!ok) goto end;
 | 
									if (!ok) goto end;
 | 
				
			||||||
				}
 | 
									}
 | 
				
			||||||
			}
 | 
								}
 | 
				
			||||||
		/* Check pathlen */
 | 
							/* Check pathlen if not self issued */
 | 
				
			||||||
		if ((i > 1) && (x->ex_pathlen != -1)
 | 
							if ((i > 1) && !(x->ex_flags & EXFLAG_SI)
 | 
				
			||||||
			   && (i > (x->ex_pathlen + proxy_path_length + 1)))
 | 
								   && (x->ex_pathlen != -1)
 | 
				
			||||||
 | 
								   && (plen > (x->ex_pathlen + proxy_path_length + 1)))
 | 
				
			||||||
			{
 | 
								{
 | 
				
			||||||
			ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED;
 | 
								ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED;
 | 
				
			||||||
			ctx->error_depth = i;
 | 
								ctx->error_depth = i;
 | 
				
			||||||
@@ -505,6 +506,9 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
 | 
				
			|||||||
			ok=cb(0,ctx);
 | 
								ok=cb(0,ctx);
 | 
				
			||||||
			if (!ok) goto end;
 | 
								if (!ok) goto end;
 | 
				
			||||||
			}
 | 
								}
 | 
				
			||||||
 | 
							/* Increment path length if not self issued */
 | 
				
			||||||
 | 
							if (!(x->ex_flags & EXFLAG_SI))
 | 
				
			||||||
 | 
								plen++;
 | 
				
			||||||
		/* If this certificate is a proxy certificate, the next
 | 
							/* If this certificate is a proxy certificate, the next
 | 
				
			||||||
		   certificate must be another proxy certificate or a EE
 | 
							   certificate must be another proxy certificate or a EE
 | 
				
			||||||
		   certificate.  If not, the next certificate must be a
 | 
							   certificate.  If not, the next certificate must be a
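Review bot: The new `plen` counter is incremented for every non-self-issued certificate including, if `i == 0` is the end-entity as `ctx->error_depth = i` suggests, the leaf itself, while the comparison in the previous hunk keeps the `+ 1` that used to compensate for `i` counting the leaf; a self-issued leaf is therefore never counted and such a chain is allowed one intermediate more than `ex_pathlen` permits. RFC 5280 section 6.1.4 exempts only self-issued intermediates from the count, so the leaf should be handled the same way regardless of its flags: either `if (i > 0 && !(x->ex_flags & EXFLAG_SI)) plen++;` with the `+ 1` dropped from the comparison, or keep the `+ 1` and count the leaf unconditionally. The loop header and the rest of check_chain_extensions lie outside the hunk, so the direction and meaning of `i` should be confirmed against the loop before changing this.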
 | 
				
			||||||
 
 | 
				
			|||||||
@@ -87,6 +87,12 @@ X509_POLICY_DATA *policy_data_new(POLICYINFO *policy, ASN1_OBJECT *id, int crit)
 | 
				
			|||||||
	X509_POLICY_DATA *ret;
 | 
						X509_POLICY_DATA *ret;
 | 
				
			||||||
	if (!policy && !id)
 | 
						if (!policy && !id)
 | 
				
			||||||
		return NULL;
 | 
							return NULL;
 | 
				
			||||||
 | 
						if (id)
 | 
				
			||||||
 | 
							{
 | 
				
			||||||
 | 
							id = OBJ_dup(id);
 | 
				
			||||||
 | 
							if (!id)
 | 
				
			||||||
 | 
								return NULL;
 | 
				
			||||||
 | 
							}
 | 
				
			||||||
	ret = OPENSSL_malloc(sizeof(X509_POLICY_DATA));
 | 
						ret = OPENSSL_malloc(sizeof(X509_POLICY_DATA));
 | 
				
			||||||
	if (!ret)
 | 
						if (!ret)
 | 
				
			||||||
		return NULL;
 | 
							return NULL;
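Review bot: The `OBJ_dup(id)` copy introduced above is leaked when `OPENSSL_malloc` fails, because that path still does a bare `return NULL;` while the next hunk only adds `ASN1_OBJECT_free(id)` on the `expected_policy_set` failure path. The allocation-failure branch should release the copy the same way: `if (!ret) { if (id) ASN1_OBJECT_free(id); return NULL; }`. Any other early return between the two hunks (not visible here) needs the same treatment, and a comment above policy_data_new stating that `id` is duplicated and the caller keeps ownership of its argument would document the new contract.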
 | 
				
			||||||
@@ -94,6 +100,8 @@ X509_POLICY_DATA *policy_data_new(POLICYINFO *policy, ASN1_OBJECT *id, int crit)
 | 
				
			|||||||
	if (!ret->expected_policy_set)
 | 
						if (!ret->expected_policy_set)
 | 
				
			||||||
		{
 | 
							{
 | 
				
			||||||
		OPENSSL_free(ret);
 | 
							OPENSSL_free(ret);
 | 
				
			||||||
 | 
							if (id)
 | 
				
			||||||
 | 
								ASN1_OBJECT_free(id);
 | 
				
			||||||
		return NULL;
 | 
							return NULL;
 | 
				
			||||||
		}
 | 
							}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 
 | 
				
			|||||||
@@ -131,7 +131,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
 | 
				
			|||||||
		if (explicit_policy > 0)
 | 
							if (explicit_policy > 0)
 | 
				
			||||||
			{
 | 
								{
 | 
				
			||||||
			explicit_policy--;
 | 
								explicit_policy--;
 | 
				
			||||||
			if (!(x->ex_flags & EXFLAG_SS)
 | 
								if (!(x->ex_flags & EXFLAG_SI)
 | 
				
			||||||
				&& (cache->explicit_skip != -1)
 | 
									&& (cache->explicit_skip != -1)
 | 
				
			||||||
				&& (cache->explicit_skip < explicit_policy))
 | 
									&& (cache->explicit_skip < explicit_policy))
 | 
				
			||||||
				explicit_policy = cache->explicit_skip;
 | 
									explicit_policy = cache->explicit_skip;
 | 
				
			||||||
@@ -197,7 +197,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
 | 
				
			|||||||
			/* Any matching allowed if certificate is self
 | 
								/* Any matching allowed if certificate is self
 | 
				
			||||||
			 * issued and not the last in the chain.
 | 
								 * issued and not the last in the chain.
 | 
				
			||||||
			 */
 | 
								 */
 | 
				
			||||||
			if (!(x->ex_flags & EXFLAG_SS) || (i == 0))
 | 
								if (!(x->ex_flags & EXFLAG_SI) || (i == 0))
 | 
				
			||||||
				level->flags |= X509_V_FLAG_INHIBIT_ANY;
 | 
									level->flags |= X509_V_FLAG_INHIBIT_ANY;
 | 
				
			||||||
			}
 | 
								}
 | 
				
			||||||
		else
 | 
							else
 | 
				
			||||||
@@ -310,7 +310,8 @@ static int tree_link_any(X509_POLICY_LEVEL *curr,
 | 
				
			|||||||
 | 
					
 | 
				
			||||||
		if (data == NULL)
 | 
							if (data == NULL)
 | 
				
			||||||
			return 0;
 | 
								return 0;
 | 
				
			||||||
		data->qualifier_set = curr->anyPolicy->data->qualifier_set;
 | 
							/* Curr may not have anyPolicy */
 | 
				
			||||||
 | 
							data->qualifier_set = cache->anyPolicy->qualifier_set;
 | 
				
			||||||
		data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
 | 
							data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
 | 
				
			||||||
		if (!level_add_node(curr, data, node, tree))
 | 
							if (!level_add_node(curr, data, node, tree))
 | 
				
			||||||
			{
 | 
								{
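Review bot: The new line `data->qualifier_set = cache->anyPolicy->qualifier_set;` dereferences `cache->anyPolicy` unconditionally, while the comment only explains why `curr->anyPolicy` was not used; if tree_link_any can be reached for a certificate whose policy cache has no anyPolicy entry (the inhibit-any handling that would prevent that lies outside the hunk), this is a NULL dereference driven by certificate contents supplied by the peer. Either guard the assignment so a missing anyPolicy skips the link instead of dereferencing NULL, or reword the comment to state the invariant the caller guarantees: `/* Qualifiers come from the certificate's anyPolicy (caller ensures it exists); curr->anyPolicy itself may be NULL */`. The enclosing loop and the rest of tree_link_any are outside the hunk.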
 | 
				
			||||||
 
 | 
				
			|||||||
@@ -291,6 +291,7 @@ int X509_supported_extension(X509_EXTENSION *ex)
 | 
				
			|||||||
		NID_sbgp_ipAddrBlock,	/* 290 */
 | 
							NID_sbgp_ipAddrBlock,	/* 290 */
 | 
				
			||||||
		NID_sbgp_autonomousSysNum, /* 291 */
 | 
							NID_sbgp_autonomousSysNum, /* 291 */
 | 
				
			||||||
#endif
 | 
					#endif
 | 
				
			||||||
 | 
							NID_policy_constraints,	/* 401 */
 | 
				
			||||||
		NID_proxyCertInfo	/* 661 */
 | 
							NID_proxyCertInfo	/* 661 */
 | 
				
			||||||
	};
 | 
						};
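Review bot: Inserting `NID_policy_constraints, /* 401 */` declares policyConstraints a supported extension, so a certificate that marks it critical will no longer be rejected for an unhandled critical extension; that is only correct if the verify path actually enforces requireExplicitPolicy and inhibitPolicyMapping, which is not visible here and should be confirmed against the policy-tree code in this commit. If the table is searched with a binary search, as the NID-valued comments suggest, it must also stay sorted, which 401 between 291 and 661 satisfies; a comment above the table such as `/* Must be kept sorted by NID value for the lookup below */` would make that invariant explicit. The table's declaration and the lookup are outside the hunk.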
 | 
				
			||||||
 | 
					
 | 
				
			||||||
@@ -325,7 +326,7 @@ static void x509v3_cache_extensions(X509 *x)
 | 
				
			|||||||
#endif
 | 
					#endif
 | 
				
			||||||
	/* Does subject name match issuer ? */
 | 
						/* Does subject name match issuer ? */
 | 
				
			||||||
	if(!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x)))
 | 
						if(!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x)))
 | 
				
			||||||
			 x->ex_flags |= EXFLAG_SS;
 | 
								 x->ex_flags |= EXFLAG_SI;
 | 
				
			||||||
	/* V1 should mean no extensions ... */
 | 
						/* V1 should mean no extensions ... */
 | 
				
			||||||
	if(!X509_get_version(x)) x->ex_flags |= EXFLAG_V1;
 | 
						if(!X509_get_version(x)) x->ex_flags |= EXFLAG_V1;
 | 
				
			||||||
	/* Handle basic constraints */
 | 
						/* Handle basic constraints */
 | 
				
			||||||
 
 | 
				
			|||||||
@@ -363,6 +363,8 @@ DECLARE_ASN1_FUNCTIONS(PROXY_CERT_INFO_EXTENSION)
 | 
				
			|||||||
#define EXFLAG_NSCERT		0x8
 | 
					#define EXFLAG_NSCERT		0x8
 | 
				
			||||||
 | 
					
 | 
				
			||||||
#define EXFLAG_CA		0x10
 | 
					#define EXFLAG_CA		0x10
 | 
				
			||||||
 | 
					/* Really self issued not necessarily self signed */
 | 
				
			||||||
 | 
					#define EXFLAG_SI		0x20
 | 
				
			||||||
#define EXFLAG_SS		0x20
 | 
					#define EXFLAG_SS		0x20
 | 
				
			||||||
#define EXFLAG_V1		0x40
 | 
					#define EXFLAG_V1		0x40
 | 
				
			||||||
#define EXFLAG_INVALID		0x80
 | 
					#define EXFLAG_INVALID		0x80
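Review bot: `EXFLAG_SI` and `EXFLAG_SS` now both expand to `0x20`, so any remaining caller that tests `EXFLAG_SS` expecting "self-signed" silently gets the self-issued semantics (subject name equals issuer name, no signature check) that the new comment warns about. If `EXFLAG_SS` is kept only for source compatibility, say so on its line, `#define EXFLAG_SS 0x20 /* alias of EXFLAG_SI; does not imply a verified self-signature */`, or remove it so remaining uses fail to compile and get reviewed. The comment `/* Really self issued not necessarily self signed */` would read more precisely as `/* Subject name equals issuer name: self-issued, not necessarily self-signed */`.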
 | 
				
			||||||
 
 | 
				
			|||||||