authorDr. Stephen Henson <steve@openssl.org>2008-07-13 14:25:36 +0000
committerDr. Stephen Henson <steve@openssl.org>2008-07-13 14:25:36 +0000
commitdb50661fce82a8f32bccaa7454be4041cbfad6d0 (patch)
tree761d5622052f34f9e45f906bff544792af5efc75 /crypto
parentf9afd9f861bc7b5fc1ae32ceff15572ef73cbbec (diff)
X509 verification fixes.
Ignore self issued certificates when checking path length constraints. Duplicate OIDs in policy tree in case they are allocated. Use anyPolicy from certificate cache and not current tree level.
Diffstat (limited to 'crypto')
-rw-r--r--crypto/x509/x509_vfy.c12
-rw-r--r--crypto/x509v3/pcy_data.c8
-rw-r--r--crypto/x509v3/pcy_tree.c7
-rw-r--r--crypto/x509v3/v3_purp.c3
-rw-r--r--crypto/x509v3/x509v3.h2
5 files changed, 24 insertions, 8 deletions
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 625af4fd9f..22d520b88a 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -396,7 +396,7 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
#ifdef OPENSSL_NO_CHAIN_VERIFY
return 1;
#else
- int i, ok=0, must_be_ca;
+ int i, ok=0, must_be_ca, plen = 0;
X509 *x;
int (*cb)(int xok,X509_STORE_CTX *xctx);
int proxy_path_length = 0;
@@ -497,9 +497,10 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
if (!ok) goto end;
}
}
- /* Check pathlen */
- if ((i > 1) && (x->ex_pathlen != -1)
- && (i > (x->ex_pathlen + proxy_path_length + 1)))
+ /* Check pathlen if not self issued */
+ if ((i > 1) && !(x->ex_flags & EXFLAG_SI)
+ && (x->ex_pathlen != -1)
+ && (plen > (x->ex_pathlen + proxy_path_length + 1)))
{
ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED;
ctx->error_depth = i;
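Review bot: The added `!(x->ex_flags & EXFLAG_SI)` term in the pathlen condition skips the whole check when the certificate carrying the constraint is itself self-issued, so a pathLenConstraint on such a certificate is no longer enforced. That includes a self-signed root, whose subject and issuer also match. As I read RFC 5280 section 6.1.4, self-issued certificates are left out of the count of certificates below, which the conditional `plen++` in the next hunk already handles, but a constraint present in a certificate still applies. I would keep the counting change and drop the flag test: `if ((i > 1) && (x->ex_pathlen != -1) && (plen > (x->ex_pathlen + proxy_path_length + 1)))`. check_chain_extensions starts and ends outside this hunk, so the interaction with proxy_path_length is not fully visible here.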
@@ -507,6 +508,9 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
ok=cb(0,ctx);
if (!ok) goto end;
}
+ /* Increment path length if not self issued */
+ if (!(x->ex_flags & EXFLAG_SI))
+ plen++;
/* If this certificate is a proxy certificate, the next
certificate must be another proxy certificate or a EE
certificate. If not, the next certificate must be a
diff --git a/crypto/x509v3/pcy_data.c b/crypto/x509v3/pcy_data.c
index 614d2b4935..4711b1ee92 100644
--- a/crypto/x509v3/pcy_data.c
+++ b/crypto/x509v3/pcy_data.c
@@ -87,6 +87,12 @@ X509_POLICY_DATA *policy_data_new(POLICYINFO *policy, ASN1_OBJECT *id, int crit)
X509_POLICY_DATA *ret;
if (!policy && !id)
return NULL;
+ if (id)
+ {
+ id = OBJ_dup(id);
+ if (!id)
+ return NULL;
+ }
ret = OPENSSL_malloc(sizeof(X509_POLICY_DATA));
if (!ret)
return NULL;
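Review bot: The copy made by `OBJ_dup(id)` leaks when the `OPENSSL_malloc` that follows fails, because `if (!ret) return NULL;` returns without releasing it. The next hunk frees `id` on the expected_policy_set failure path, so this path should match: `if (!ret) { if (id) ASN1_OBJECT_free(id); return NULL; }`. A short comment at the dup, such as `/* from here on we own id and must free it on every error path */`, would make the ownership change explicit. The rest of policy_data_new is outside the hunk, so how `id` is stored afterwards is not visible.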
@@ -94,6 +100,8 @@ X509_POLICY_DATA *policy_data_new(POLICYINFO *policy, ASN1_OBJECT *id, int crit)
if (!ret->expected_policy_set)
{
OPENSSL_free(ret);
+ if (id)
+ ASN1_OBJECT_free(id);
return NULL;
}
diff --git a/crypto/x509v3/pcy_tree.c b/crypto/x509v3/pcy_tree.c
index 4fda1d419a..aed0155c2a 100644
--- a/crypto/x509v3/pcy_tree.c
+++ b/crypto/x509v3/pcy_tree.c
@@ -131,7 +131,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
if (explicit_policy > 0)
{
explicit_policy--;
- if (!(x->ex_flags & EXFLAG_SS)
+ if (!(x->ex_flags & EXFLAG_SI)
&& (cache->explicit_skip != -1)
&& (cache->explicit_skip < explicit_policy))
explicit_policy = cache->explicit_skip;
@@ -197,7 +197,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
/* Any matching allowed if certificate is self
* issued and not the last in the chain.
*/
- if (!(x->ex_flags & EXFLAG_SS) || (i == 0))
+ if (!(x->ex_flags & EXFLAG_SI) || (i == 0))
level->flags |= X509_V_FLAG_INHIBIT_ANY;
}
else
@@ -310,7 +310,8 @@ static int tree_link_any(X509_POLICY_LEVEL *curr,
if (data == NULL)
return 0;
- data->qualifier_set = curr->anyPolicy->data->qualifier_set;
+ /* Curr may not have anyPolicy */
+ data->qualifier_set = cache->anyPolicy->qualifier_set;
data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
if (!level_add_node(curr, data, node, tree))
{
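Review bot: `cache->anyPolicy->qualifier_set` dereferences `cache->anyPolicy` with no NULL test visible in this hunk, and the new comment only explains why `curr->anyPolicy` was unsafe. If tree_link_any can be reached for a certificate whose cache has no anyPolicy entry, this would be the same NULL dereference moved to a different pointer; the callers and the top of the function are outside the hunk, so that needs confirming. Please extend the comment to name the check that guarantees `cache->anyPolicy` is set here, or add an explicit test before it is used. Since the node is marked `POLICY_DATA_FLAG_SHARED_QUALIFIERS`, the comment should also say that the qualifiers are borrowed from the certificate cache and must outlive the tree.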
diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c
index ab923bb0d0..f5f8d1c176 100644
--- a/crypto/x509v3/v3_purp.c
+++ b/crypto/x509v3/v3_purp.c
@@ -293,6 +293,7 @@ int X509_supported_extension(X509_EXTENSION *ex)
NID_sbgp_ipAddrBlock, /* 290 */
NID_sbgp_autonomousSysNum, /* 291 */
#endif
+ NID_policy_constraints, /* 401 */
NID_proxyCertInfo /* 663 */
};
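Review bot: Adding `NID_policy_constraints` to this table presumably means a certificate with a critical policyConstraints extension is no longer rejected as carrying an unhandled critical extension, so the constraint has to be enforced wherever that rejection used to apply. If policy tree processing is optional for callers (not visible from this hunk), a critical policy constraint would be accepted and then ignored on verification paths that skip it; that is worth confirming and documenting next to the new entry. The numeric comments suggest the array is kept in ascending NID order for lookup, so a comment such as `/* keep sorted by NID */` above the table would protect later insertions. The array and X509_supported_extension both start outside the hunk.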
@@ -327,7 +328,7 @@ static void x509v3_cache_extensions(X509 *x)
#endif
/* Does subject name match issuer ? */
if(!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x)))
- x->ex_flags |= EXFLAG_SS;
+ x->ex_flags |= EXFLAG_SI;
/* V1 should mean no extensions ... */
if(!X509_get_version(x)) x->ex_flags |= EXFLAG_V1;
/* Handle basic constraints */
diff --git a/crypto/x509v3/x509v3.h b/crypto/x509v3/x509v3.h
index 381ea1315b..7cc24348b1 100644
--- a/crypto/x509v3/x509v3.h
+++ b/crypto/x509v3/x509v3.h
@@ -388,6 +388,8 @@ struct ISSUING_DIST_POINT_st
#define EXFLAG_NSCERT 0x8
#define EXFLAG_CA 0x10
+/* Really self issued not necessarily self signed */
+#define EXFLAG_SI 0x20
#define EXFLAG_SS 0x20
#define EXFLAG_V1 0x40
#define EXFLAG_INVALID 0x80
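Review bot: `EXFLAG_SI` and `EXFLAG_SS` are both `0x20`, so any code that still tests `EXFLAG_SS` reads a bit that x509v3_cache_extensions sets from a subject/issuer name match alone, with no signature check. The new comment sits on `EXFLAG_SI` only; the old name should carry the caveat too, for example `/* EXFLAG_SS: compatibility alias of EXFLAG_SI; does not mean the signature was verified */`. That keeps callers from treating the flag as proof that a certificate is self-signed when they make trust decisions.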