X-Git-Url: https://git.openssl.org/?a=blobdiff_plain;f=crypto%2Fx509%2Fx_x509.c;h=8a216c49cf75b603caca9dd616e85f65a040d6a8;hb=f000e82898af251442ca52e81fc1ee45996090dc;hp=c6ef8409421d5fb2a757959fd27368cc67afd4fb;hpb=349807608f31b20af01a342d0072bb92e0b036e2;p=openssl.git diff --git a/crypto/x509/x_x509.c b/crypto/x509/x_x509.c index c6ef840942..8a216c49cf 100644 --- a/crypto/x509/x_x509.c +++ b/crypto/x509/x_x509.c @@ -1,58 +1,10 @@ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. +/* + * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html */ #include @@ -61,7 +13,11 @@ #include #include #include -#include "internal/x509_int.h" +#include "crypto/x509.h" + +#ifndef OPENSSL_NO_RFC3779 +DEFINE_STACK_OF(IPAddressFamily) +#endif ASN1_SEQUENCE_enc(X509_CINF, enc, 0) = { ASN1_EXP_OPT(X509_CINF, version, ASN1_INTEGER, 0), @@ -88,24 +44,45 @@ static int x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, switch (operation) { + case ASN1_OP_D2I_PRE: + CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509, ret, &ret->ex_data); + X509_CERT_AUX_free(ret->aux); + ASN1_OCTET_STRING_free(ret->skid); + AUTHORITY_KEYID_free(ret->akid); + CRL_DIST_POINTS_free(ret->crldp); + policy_cache_free(ret->policy_cache); + GENERAL_NAMES_free(ret->altname); + NAME_CONSTRAINTS_free(ret->nc); +#ifndef OPENSSL_NO_RFC3779 + sk_IPAddressFamily_pop_free(ret->rfc3779_addr, IPAddressFamily_free); + ASIdentifiers_free(ret->rfc3779_asid); +#endif + ASN1_OCTET_STRING_free(ret->distinguishing_id); + + /* fall thru */ + case ASN1_OP_NEW_POST: - ret->name = NULL; + ret->ex_cached = 0; + ret->ex_kusage = 0; + ret->ex_xkusage = 0; + ret->ex_nscert = 0; ret->ex_flags = 0; ret->ex_pathlen = -1; + ret->ex_pcpathlen = -1; ret->skid = NULL; ret->akid = NULL; + ret->policy_cache = NULL; + ret->altname = NULL; + ret->nc = NULL; #ifndef OPENSSL_NO_RFC3779 ret->rfc3779_addr = NULL; ret->rfc3779_asid = NULL; #endif + ret->distinguishing_id = NULL; ret->aux = NULL; ret->crldp = NULL; - CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509, ret, &ret->ex_data); - break; - - case ASN1_OP_D2I_POST: - OPENSSL_free(ret->name); - ret->name = X509_NAME_oneline(ret->cert_info.subject, NULL, 0); + if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509, ret, &ret->ex_data)) + return 0; break; case ASN1_OP_FREE_POST: @@ -121,7 +98,7 @@ static int x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, sk_IPAddressFamily_pop_free(ret->rfc3779_addr, IPAddressFamily_free); ASIdentifiers_free(ret->rfc3779_asid); #endif - OPENSSL_free(ret->name); + ASN1_OCTET_STRING_free(ret->distinguishing_id); break; } @@ -130,24 +107,23 @@ static int x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, } -ASN1_SEQUENCE_ref(X509, x509_cb, CRYPTO_LOCK_X509) = { +ASN1_SEQUENCE_ref(X509, x509_cb) = { ASN1_EMBED(X509, cert_info, X509_CINF), ASN1_EMBED(X509, sig_alg, X509_ALGOR), ASN1_EMBED(X509, signature, ASN1_BIT_STRING) } ASN1_SEQUENCE_END_ref(X509, X509) IMPLEMENT_ASN1_FUNCTIONS(X509) - IMPLEMENT_ASN1_DUP_FUNCTION(X509) int X509_set_ex_data(X509 *r, int idx, void *arg) { - return (CRYPTO_set_ex_data(&r->ex_data, idx, arg)); + return CRYPTO_set_ex_data(&r->ex_data, idx, arg); } -void *X509_get_ex_data(X509 *r, int idx) +void *X509_get_ex_data(const X509 *r, int idx) { - return (CRYPTO_get_ex_data(&r->ex_data, idx)); + return CRYPTO_get_ex_data(&r->ex_data, idx); } /* @@ -187,12 +163,72 @@ X509 *d2i_X509_AUX(X509 **a, const unsigned char **pp, long length) return NULL; } -int i2d_X509_AUX(X509 *a, unsigned char **pp) +/* + * Serialize trusted certificate to *pp or just return the required buffer + * length if pp == NULL. We ultimately want to avoid modifying *pp in the + * error path, but that depends on similar hygiene in lower-level functions. + * Here we avoid compounding the problem. + */ +static int i2d_x509_aux_internal(const X509 *a, unsigned char **pp) { - int length; + int length, tmplen; + unsigned char *start = pp != NULL ? *pp : NULL; + + /* + * This might perturb *pp on error, but fixing that belongs in i2d_X509() + * not here. It should be that if a == NULL length is zero, but we check + * both just in case. + */ length = i2d_X509(a, pp); - if (a) - length += i2d_X509_CERT_AUX(a->aux, pp); + if (length <= 0 || a == NULL) + return length; + + tmplen = i2d_X509_CERT_AUX(a->aux, pp); + if (tmplen < 0) { + if (start != NULL) + *pp = start; + return tmplen; + } + length += tmplen; + + return length; +} + +/* + * Serialize trusted certificate to *pp, or just return the required buffer + * length if pp == NULL. + * + * When pp is not NULL, but *pp == NULL, we allocate the buffer, but since + * we're writing two ASN.1 objects back to back, we can't have i2d_X509() do + * the allocation, nor can we allow i2d_X509_CERT_AUX() to increment the + * allocated buffer. + */ +int i2d_X509_AUX(const X509 *a, unsigned char **pp) +{ + int length; + unsigned char *tmp; + + /* Buffer provided by caller */ + if (pp == NULL || *pp != NULL) + return i2d_x509_aux_internal(a, pp); + + /* Obtain the combined length */ + if ((length = i2d_x509_aux_internal(a, NULL)) <= 0) + return length; + + /* Allocate requisite combined storage */ + *pp = tmp = OPENSSL_malloc(length); + if (tmp == NULL) { + X509err(X509_F_I2D_X509_AUX, ERR_R_MALLOC_FAILURE); + return -1; + } + + /* Encode, but keep *pp at the originally malloced pointer */ + length = i2d_x509_aux_internal(a, &tmp); + if (length <= 0) { + OPENSSL_free(*pp); + *pp = NULL; + } return length; } @@ -202,7 +238,8 @@ int i2d_re_X509_tbs(X509 *x, unsigned char **pp) return i2d_X509_CINF(&x->cert_info, pp); } -void X509_get0_signature(ASN1_BIT_STRING **psig, X509_ALGOR **palg, X509 *x) +void X509_get0_signature(const ASN1_BIT_STRING **psig, + const X509_ALGOR **palg, const X509 *x) { if (psig) *psig = &x->signature; @@ -214,3 +251,14 @@ int X509_get_signature_nid(const X509 *x) { return OBJ_obj2nid(x->sig_alg.algorithm); } + +void X509_set0_distinguishing_id(X509 *x, ASN1_OCTET_STRING *d_id) +{ + ASN1_OCTET_STRING_free(x->distinguishing_id); + x->distinguishing_id = d_id; +} + +ASN1_OCTET_STRING *X509_get0_distinguishing_id(X509 *x) +{ + return x->distinguishing_id; +}