v3_utl.c@ 107835

Last change on this file since 107835 was 105949, checked in by vboxsync, 6 months ago
openssl-3.1.7: Applied and adjusted our OpenSSL changes to 3.1.7. bugref:10757
File size: 38.0 KB

Line
1	/*
2	* Copyright 1999-2022 The OpenSSL Project Authors. All Rights Reserved.
3	*
4	* Licensed under the Apache License 2.0 (the "License"). You may not use
5	* this file except in compliance with the License. You can obtain a copy
6	* in the file LICENSE in the source distribution or at
7	* https://www.openssl.org/source/license.html
8	*/
9
10	/* X509 v3 extension utilities */
11
12	#include "internal/e_os.h"
13	#include "internal/cryptlib.h"
14	#include <stdio.h>
15	#include <string.h>
16	#include "crypto/ctype.h"
17	#include <openssl/conf.h>
18	#include <openssl/crypto.h>
19	#include <openssl/x509v3.h>
20	#include "crypto/x509.h"
21	#include <openssl/bn.h>
22	#include "ext_dat.h"
23	#include "x509_local.h"
24
25	static char strip_spaces(char name);
26	static int sk_strcmp(const char const a, const char const b);
27	static STACK_OF(OPENSSL_STRING) get_email(const X509_NAME name,
28	GENERAL_NAMES *gens);
29	static void str_free(OPENSSL_STRING str);
30	static int append_ia5(STACK_OF(OPENSSL_STRING) **sk,
31	const ASN1_IA5STRING *email);
32
33	static int ipv4_from_asc(unsigned char v4, const char in);
34	static int ipv6_from_asc(unsigned char v6, const char in);
35	static int ipv6_cb(const char elem, int len, void usr);
36	static int ipv6_hex(unsigned char out, const char in, int inlen);
37
38	/* Add a CONF_VALUE name value pair to stack */
39
40	static int x509v3_add_len_value(const char name, const char value,
41	size_t vallen, STACK_OF(CONF_VALUE) **extlist)
42	{
43	CONF_VALUE *vtmp = NULL;
44	char tname = NULL, tvalue = NULL;
45	int sk_allocated = (*extlist == NULL);
46
47	if (name != NULL && (tname = OPENSSL_strdup(name)) == NULL)
48	goto err;
49	if (value != NULL) {
50	/* We don't allow embedded NUL characters */
51	if (memchr(value, 0, vallen) != NULL)
52	goto err;
53	tvalue = OPENSSL_strndup(value, vallen);
54	if (tvalue == NULL)
55	goto err;
56	}
57	if ((vtmp = OPENSSL_malloc(sizeof(*vtmp))) == NULL)
58	goto err;
59	if (sk_allocated && (*extlist = sk_CONF_VALUE_new_null()) == NULL)
60	goto err;
61	vtmp->section = NULL;
62	vtmp->name = tname;
63	vtmp->value = tvalue;
64	if (!sk_CONF_VALUE_push(*extlist, vtmp))
65	goto err;
66	return 1;
67	err:
68	ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
69	if (sk_allocated) {
70	sk_CONF_VALUE_free(*extlist);
71	*extlist = NULL;
72	}
73	OPENSSL_free(vtmp);
74	OPENSSL_free(tname);
75	OPENSSL_free(tvalue);
76	return 0;
77	}
78
79	int X509V3_add_value(const char name, const char value,
80	STACK_OF(CONF_VALUE) **extlist)
81	{
82	return x509v3_add_len_value(name, value,
83	value != NULL ? strlen((const char *)value) : 0,
84	extlist);
85	}
86
87	int X509V3_add_value_uchar(const char name, const unsigned char value,
88	STACK_OF(CONF_VALUE) **extlist)
89	{
90	return x509v3_add_len_value(name, (const char *)value,
91	value != NULL ? strlen((const char *)value) : 0,
92	extlist);
93	}
94
95	int x509v3_add_len_value_uchar(const char name, const unsigned char value,
96	size_t vallen, STACK_OF(CONF_VALUE) **extlist)
97	{
98	return x509v3_add_len_value(name, (const char *)value, vallen, extlist);
99	}
100
101	/* Free function for STACK_OF(CONF_VALUE) */
102
103	void X509V3_conf_free(CONF_VALUE *conf)
104	{
105	if (!conf)
106	return;
107	OPENSSL_free(conf->name);
108	OPENSSL_free(conf->value);
109	OPENSSL_free(conf->section);
110	OPENSSL_free(conf);
111	}
112
113	int X509V3_add_value_bool(const char *name, int asn1_bool,
114	STACK_OF(CONF_VALUE) **extlist)
115	{
116	if (asn1_bool)
117	return X509V3_add_value(name, "TRUE", extlist);
118	return X509V3_add_value(name, "FALSE", extlist);
119	}
120
121	int X509V3_add_value_bool_nf(const char *name, int asn1_bool,
122	STACK_OF(CONF_VALUE) **extlist)
123	{
124	if (asn1_bool)
125	return X509V3_add_value(name, "TRUE", extlist);
126	return 1;
127	}
128
129	static char bignum_to_string(const BIGNUM bn)
130	{
131	char tmp, ret;
132	size_t len;
133
134	/*
135	* Display large numbers in hex and small numbers in decimal. Converting to
136	* decimal takes quadratic time and is no more useful than hex for large
137	* numbers.
138	*/
139	if (BN_num_bits(bn) < 128)
140	return BN_bn2dec(bn);
141
142	tmp = BN_bn2hex(bn);
143	if (tmp == NULL)
144	return NULL;
145
146	len = strlen(tmp) + 3;
147	ret = OPENSSL_malloc(len);
148	if (ret == NULL) {
149	ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
150	OPENSSL_free(tmp);
151	return NULL;
152	}
153
154	/* Prepend "0x", but place it after the "-" if negative. */
155	if (tmp[0] == '-') {
156	OPENSSL_strlcpy(ret, "-0x", len);
157	OPENSSL_strlcat(ret, tmp + 1, len);
158	} else {
159	OPENSSL_strlcpy(ret, "0x", len);
160	OPENSSL_strlcat(ret, tmp, len);
161	}
162	OPENSSL_free(tmp);
163	return ret;
164	}
165
166	char i2s_ASN1_ENUMERATED(X509V3_EXT_METHOD method, const ASN1_ENUMERATED *a)
167	{
168	BIGNUM *bntmp = NULL;
169	char *strtmp = NULL;
170
171	if (!a)
172	return NULL;
173	if ((bntmp = ASN1_ENUMERATED_to_BN(a, NULL)) == NULL
174	\|\| (strtmp = bignum_to_string(bntmp)) == NULL)
175	ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
176	BN_free(bntmp);
177	return strtmp;
178	}
179
180	char i2s_ASN1_INTEGER(X509V3_EXT_METHOD method, const ASN1_INTEGER *a)
181	{
182	BIGNUM *bntmp = NULL;
183	char *strtmp = NULL;
184
185	if (!a)
186	return NULL;
187	if ((bntmp = ASN1_INTEGER_to_BN(a, NULL)) == NULL
188	\|\| (strtmp = bignum_to_string(bntmp)) == NULL)
189	ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
190	BN_free(bntmp);
191	return strtmp;
192	}
193
194	ASN1_INTEGER s2i_ASN1_INTEGER(X509V3_EXT_METHOD method, const char *value)
195	{
196	BIGNUM *bn = NULL;
197	ASN1_INTEGER *aint;
198	int isneg, ishex;
199	int ret;
200
201	if (value == NULL) {
202	ERR_raise(ERR_LIB_X509V3, X509V3_R_INVALID_NULL_VALUE);
203	return NULL;
204	}
205	bn = BN_new();
206	if (bn == NULL) {
207	ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
208	return NULL;
209	}
210	if (value[0] == '-') {
211	value++;
212	isneg = 1;
213	} else {
214	isneg = 0;
215	}
216
217	if (value[0] == '0' && ((value[1] == 'x') \|\| (value[1] == 'X'))) {
218	value += 2;
219	ishex = 1;
220	} else {
221	ishex = 0;
222	}
223
224	if (ishex)
225	ret = BN_hex2bn(&bn, value);
226	else
227	ret = BN_dec2bn(&bn, value);
228
229	if (!ret \|\| value[ret]) {
230	BN_free(bn);
231	ERR_raise(ERR_LIB_X509V3, X509V3_R_BN_DEC2BN_ERROR);
232	return NULL;
233	}
234
235	if (isneg && BN_is_zero(bn))
236	isneg = 0;
237
238	aint = BN_to_ASN1_INTEGER(bn, NULL);
239	BN_free(bn);
240	if (!aint) {
241	ERR_raise(ERR_LIB_X509V3, X509V3_R_BN_TO_ASN1_INTEGER_ERROR);
242	return NULL;
243	}
244	if (isneg)
245	aint->type \|= V_ASN1_NEG;
246	return aint;
247	}
248
249	int X509V3_add_value_int(const char name, const ASN1_INTEGER aint,
250	STACK_OF(CONF_VALUE) **extlist)
251	{
252	char *strtmp;
253	int ret;
254
255	if (!aint)
256	return 1;
257	if ((strtmp = i2s_ASN1_INTEGER(NULL, aint)) == NULL)
258	return 0;
259	ret = X509V3_add_value(name, strtmp, extlist);
260	OPENSSL_free(strtmp);
261	return ret;
262	}
263
264	int X509V3_get_value_bool(const CONF_VALUE value, int asn1_bool)
265	{
266	const char *btmp;
267
268	if ((btmp = value->value) == NULL)
269	goto err;
270	if (strcmp(btmp, "TRUE") == 0
271	\|\| strcmp(btmp, "true") == 0
272	\|\| strcmp(btmp, "Y") == 0
273	\|\| strcmp(btmp, "y") == 0
274	\|\| strcmp(btmp, "YES") == 0
275	\|\| strcmp(btmp, "yes") == 0) {
276	*asn1_bool = 0xff;
277	return 1;
278	}
279	if (strcmp(btmp, "FALSE") == 0
280	\|\| strcmp(btmp, "false") == 0
281	\|\| strcmp(btmp, "N") == 0
282	\|\| strcmp(btmp, "n") == 0
283	\|\| strcmp(btmp, "NO") == 0
284	\|\| strcmp(btmp, "no") == 0) {
285	*asn1_bool = 0;
286	return 1;
287	}
288	err:
289	ERR_raise(ERR_LIB_X509V3, X509V3_R_INVALID_BOOLEAN_STRING);
290	X509V3_conf_add_error_name_value(value);
291	return 0;
292	}
293
294	int X509V3_get_value_int(const CONF_VALUE value, ASN1_INTEGER *aint)
295	{
296	ASN1_INTEGER *itmp;
297
298	if ((itmp = s2i_ASN1_INTEGER(NULL, value->value)) == NULL) {
299	X509V3_conf_add_error_name_value(value);
300	return 0;
301	}
302	*aint = itmp;
303	return 1;
304	}
305
306	#define HDR_NAME 1
307	#define HDR_VALUE 2
308
309	/*
310	* #define DEBUG
311	*/
312
313	STACK_OF(CONF_VALUE) X509V3_parse_list(const char line)
314	{
315	char p, q, c;
316	char ntmp, vtmp;
317	STACK_OF(CONF_VALUE) *values = NULL;
318	char *linebuf;
319	int state;
320
321	/* We are going to modify the line so copy it first */
322	linebuf = OPENSSL_strdup(line);
323	if (linebuf == NULL) {
324	ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
325	goto err;
326	}
327	state = HDR_NAME;
328	ntmp = NULL;
329	/* Go through all characters */
330	for (p = linebuf, q = linebuf; (c = *p) && (c != '\r') && (c != '\n');
331	p++) {
332
333	switch (state) {
334	case HDR_NAME:
335	if (c == ':') {
336	state = HDR_VALUE;
337	*p = 0;
338	ntmp = strip_spaces(q);
339	if (!ntmp) {
340	ERR_raise(ERR_LIB_X509V3, X509V3_R_INVALID_EMPTY_NAME);
341	goto err;
342	}
343	q = p + 1;
344	} else if (c == ',') {
345	*p = 0;
346	ntmp = strip_spaces(q);
347	q = p + 1;
348	if (!ntmp) {
349	ERR_raise(ERR_LIB_X509V3, X509V3_R_INVALID_EMPTY_NAME);
350	goto err;
351	}
352	if (!X509V3_add_value(ntmp, NULL, &values)) {
353	goto err;
354	}
355	}
356	break;
357
358	case HDR_VALUE:
359	if (c == ',') {
360	state = HDR_NAME;
361	*p = 0;
362	vtmp = strip_spaces(q);
363	if (!vtmp) {
364	ERR_raise(ERR_LIB_X509V3, X509V3_R_INVALID_NULL_VALUE);
365	goto err;
366	}
367	if (!X509V3_add_value(ntmp, vtmp, &values)) {
368	goto err;
369	}
370	ntmp = NULL;
371	q = p + 1;
372	}
373
374	}
375	}
376
377	if (state == HDR_VALUE) {
378	vtmp = strip_spaces(q);
379	if (!vtmp) {
380	ERR_raise(ERR_LIB_X509V3, X509V3_R_INVALID_NULL_VALUE);
381	goto err;
382	}
383	if (!X509V3_add_value(ntmp, vtmp, &values)) {
384	goto err;
385	}
386	} else {
387	ntmp = strip_spaces(q);
388	if (!ntmp) {
389	ERR_raise(ERR_LIB_X509V3, X509V3_R_INVALID_EMPTY_NAME);
390	goto err;
391	}
392	if (!X509V3_add_value(ntmp, NULL, &values)) {
393	goto err;
394	}
395	}
396	OPENSSL_free(linebuf);
397	return values;
398
399	err:
400	OPENSSL_free(linebuf);
401	sk_CONF_VALUE_pop_free(values, X509V3_conf_free);
402	return NULL;
403
404	}
405
406	/* Delete leading and trailing spaces from a string */
407	static char strip_spaces(char name)
408	{
409	char p, q;
410
411	/* Skip over leading spaces */
412	p = name;
413	while (p && ossl_isspace(p))
414	p++;
415	if (*p == '\0')
416	return NULL;
417	q = p + strlen(p) - 1;
418	while ((q != p) && ossl_isspace(*q))
419	q--;
420	if (p != q)
421	q[1] = 0;
422	if (*p == '\0')
423	return NULL;
424	return p;
425	}
426
427
428	/*
429	* V2I name comparison function: returns zero if 'name' matches cmp or cmp.*
430	*/
431
432	int ossl_v3_name_cmp(const char name, const char cmp)
433	{
434	int len, ret;
435	char c;
436
437	len = strlen(cmp);
438	if ((ret = strncmp(name, cmp, len)))
439	return ret;
440	c = name[len];
441	if (!c \|\| (c == '.'))
442	return 0;
443	return 1;
444	}
445
446	static int sk_strcmp(const char const a, const char const b)
447	{
448	return strcmp(a, b);
449	}
450
451	STACK_OF(OPENSSL_STRING) X509_get1_email(X509 x)
452	{
453	GENERAL_NAMES *gens;
454	STACK_OF(OPENSSL_STRING) *ret;
455
456	gens = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
457	ret = get_email(X509_get_subject_name(x), gens);
458	sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
459	return ret;
460	}
461
462	STACK_OF(OPENSSL_STRING) X509_get1_ocsp(X509 x)
463	{
464	AUTHORITY_INFO_ACCESS *info;
465	STACK_OF(OPENSSL_STRING) *ret = NULL;
466	int i;
467
468	info = X509_get_ext_d2i(x, NID_info_access, NULL, NULL);
469	if (!info)
470	return NULL;
471	for (i = 0; i < sk_ACCESS_DESCRIPTION_num(info); i++) {
472	ACCESS_DESCRIPTION *ad = sk_ACCESS_DESCRIPTION_value(info, i);
473	if (OBJ_obj2nid(ad->method) == NID_ad_OCSP) {
474	if (ad->location->type == GEN_URI) {
475	if (!append_ia5
476	(&ret, ad->location->d.uniformResourceIdentifier))
477	break;
478	}
479	}
480	}
481	AUTHORITY_INFO_ACCESS_free(info);
482	return ret;
483	}
484
485	STACK_OF(OPENSSL_STRING) X509_REQ_get1_email(X509_REQ x)
486	{
487	GENERAL_NAMES *gens;
488	STACK_OF(X509_EXTENSION) *exts;
489	STACK_OF(OPENSSL_STRING) *ret;
490
491	exts = X509_REQ_get_extensions(x);
492	gens = X509V3_get_d2i(exts, NID_subject_alt_name, NULL, NULL);
493	ret = get_email(X509_REQ_get_subject_name(x), gens);
494	sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
495	sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
496	return ret;
497	}
498
499	static STACK_OF(OPENSSL_STRING) get_email(const X509_NAME name,
500	GENERAL_NAMES *gens)
501	{
502	STACK_OF(OPENSSL_STRING) *ret = NULL;
503	X509_NAME_ENTRY *ne;
504	const ASN1_IA5STRING *email;
505	GENERAL_NAME *gen;
506	int i = -1;
507
508	/* Now add any email address(es) to STACK */
509	/* First supplied X509_NAME */
510	while ((i = X509_NAME_get_index_by_NID(name,
511	NID_pkcs9_emailAddress, i)) >= 0) {
512	ne = X509_NAME_get_entry(name, i);
513	email = X509_NAME_ENTRY_get_data(ne);
514	if (!append_ia5(&ret, email))
515	return NULL;
516	}
517	for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
518	gen = sk_GENERAL_NAME_value(gens, i);
519	if (gen->type != GEN_EMAIL)
520	continue;
521	if (!append_ia5(&ret, gen->d.ia5))
522	return NULL;
523	}
524	return ret;
525	}
526
527	static void str_free(OPENSSL_STRING str)
528	{
529	OPENSSL_free(str);
530	}
531
532	static int append_ia5(STACK_OF(OPENSSL_STRING) **sk,
533	const ASN1_IA5STRING *email)
534	{
535	char *emtmp;
536
537	/* First some sanity checks */
538	if (email->type != V_ASN1_IA5STRING)
539	return 1;
540	if (email->data == NULL \|\| email->length == 0)
541	return 1;
542	if (memchr(email->data, 0, email->length) != NULL)
543	return 1;
544	if (*sk == NULL)
545	*sk = sk_OPENSSL_STRING_new(sk_strcmp);
546	if (*sk == NULL)
547	return 0;
548
549	emtmp = OPENSSL_strndup((char *)email->data, email->length);
550	if (emtmp == NULL) {
551	X509_email_free(*sk);
552	*sk = NULL;
553	return 0;
554	}
555
556	/* Don't add duplicates */
557	if (sk_OPENSSL_STRING_find(*sk, emtmp) != -1) {
558	OPENSSL_free(emtmp);
559	return 1;
560	}
561	if (!sk_OPENSSL_STRING_push(*sk, emtmp)) {
562	OPENSSL_free(emtmp); /* free on push failure */
563	X509_email_free(*sk);
564	*sk = NULL;
565	return 0;
566	}
567	return 1;
568	}
569
570	void X509_email_free(STACK_OF(OPENSSL_STRING) *sk)
571	{
572	sk_OPENSSL_STRING_pop_free(sk, str_free);
573	}
574
575	typedef int (equal_fn) (const unsigned char pattern, size_t pattern_len,
576	const unsigned char *subject, size_t subject_len,
577	unsigned int flags);
578
579	/* Skip pattern prefix to match "wildcard" subject */
580	static void skip_prefix(const unsigned char *p, size_t plen,
581	size_t subject_len,
582	unsigned int flags)
583	{
584	const unsigned char pattern = p;
585	size_t pattern_len = *plen;
586
587	/*
588	* If subject starts with a leading '.' followed by more octets, and
589	* pattern is longer, compare just an equal-length suffix with the
590	* full subject (starting at the '.'), provided the prefix contains
591	* no NULs.
592	*/
593	if ((flags & _X509_CHECK_FLAG_DOT_SUBDOMAINS) == 0)
594	return;
595
596	while (pattern_len > subject_len && *pattern) {
597	if ((flags & X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS) &&
598	*pattern == '.')
599	break;
600	++pattern;
601	--pattern_len;
602	}
603
604	/* Skip if entire prefix acceptable */
605	if (pattern_len == subject_len) {
606	*p = pattern;
607	*plen = pattern_len;
608	}
609	}
610
611	/* Compare while ASCII ignoring case. */
612	static int equal_nocase(const unsigned char *pattern, size_t pattern_len,
613	const unsigned char *subject, size_t subject_len,
614	unsigned int flags)
615	{
616	skip_prefix(&pattern, &pattern_len, subject_len, flags);
617	if (pattern_len != subject_len)
618	return 0;
619	while (pattern_len != 0) {
620	unsigned char l = *pattern;
621	unsigned char r = *subject;
622
623	/* The pattern must not contain NUL characters. */
624	if (l == 0)
625	return 0;
626	if (l != r) {
627	if ('A' <= l && l <= 'Z')
628	l = (l - 'A') + 'a';
629	if ('A' <= r && r <= 'Z')
630	r = (r - 'A') + 'a';
631	if (l != r)
632	return 0;
633	}
634	++pattern;
635	++subject;
636	--pattern_len;
637	}
638	return 1;
639	}
640
641	/* Compare using memcmp. */
642	static int equal_case(const unsigned char *pattern, size_t pattern_len,
643	const unsigned char *subject, size_t subject_len,
644	unsigned int flags)
645	{
646	skip_prefix(&pattern, &pattern_len, subject_len, flags);
647	if (pattern_len != subject_len)
648	return 0;
649	return !memcmp(pattern, subject, pattern_len);
650	}
651
652	/*
653	* RFC 5280, section 7.5, requires that only the domain is compared in a
654	* case-insensitive manner.
655	*/
656	static int equal_email(const unsigned char *a, size_t a_len,
657	const unsigned char *b, size_t b_len,
658	unsigned int unused_flags)
659	{
660	size_t i = a_len;
661
662	if (a_len != b_len)
663	return 0;
664	/*
665	* We search backwards for the '@' character, so that we do not have to
666	* deal with quoted local-parts. The domain part is compared in a
667	* case-insensitive manner.
668	*/
669	while (i > 0) {
670	--i;
671	if (a[i] == '@' \|\| b[i] == '@') {
672	if (!equal_nocase(a + i, a_len - i, b + i, a_len - i, 0))
673	return 0;
674	break;
675	}
676	}
677	if (i == 0)
678	i = a_len;
679	return equal_case(a, i, b, i, 0);
680	}
681
682	/*
683	* Compare the prefix and suffix with the subject, and check that the
684	* characters in-between are valid.
685	*/
686	static int wildcard_match(const unsigned char *prefix, size_t prefix_len,
687	const unsigned char *suffix, size_t suffix_len,
688	const unsigned char *subject, size_t subject_len,
689	unsigned int flags)
690	{
691	const unsigned char *wildcard_start;
692	const unsigned char *wildcard_end;
693	const unsigned char *p;
694	int allow_multi = 0;
695	int allow_idna = 0;
696
697	if (subject_len < prefix_len + suffix_len)
698	return 0;
699	if (!equal_nocase(prefix, prefix_len, subject, prefix_len, flags))
700	return 0;
701	wildcard_start = subject + prefix_len;
702	wildcard_end = subject + (subject_len - suffix_len);
703	if (!equal_nocase(wildcard_end, suffix_len, suffix, suffix_len, flags))
704	return 0;
705	/*
706	* If the wildcard makes up the entire first label, it must match at
707	* least one character.
708	*/
709	if (prefix_len == 0 && *suffix == '.') {
710	if (wildcard_start == wildcard_end)
711	return 0;
712	allow_idna = 1;
713	if (flags & X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS)
714	allow_multi = 1;
715	}
716	/* IDNA labels cannot match partial wildcards */
717	if (!allow_idna &&
718	subject_len >= 4 && OPENSSL_strncasecmp((char *)subject, "xn--", 4) == 0)
719	return 0;
720	/* The wildcard may match a literal '' /
721	if (wildcard_end == wildcard_start + 1 && wildcard_start == '')
722	return 1;
723	/*
724	* Check that the part matched by the wildcard contains only
725	* permitted characters and only matches a single label unless
726	* allow_multi is set.
727	*/
728	for (p = wildcard_start; p != wildcard_end; ++p)
729	if (!(('0' <= p && p <= '9') \|\|
730	('A' <= p && p <= 'Z') \|\|
731	('a' <= p && p <= 'z') \|\|
732	p == '-' \|\| (allow_multi && p == '.')))
733	return 0;
734	return 1;
735	}
736
737	#define LABEL_START (1 << 0)
738	#define LABEL_END (1 << 1)
739	#define LABEL_HYPHEN (1 << 2)
740	#define LABEL_IDNA (1 << 3)
741
742	static const unsigned char valid_star(const unsigned char p, size_t len,
743	unsigned int flags)
744	{
745	const unsigned char *star = 0;
746	size_t i;
747	int state = LABEL_START;
748	int dots = 0;
749
750	for (i = 0; i < len; ++i) {
751	/*
752	* Locate first and only legal wildcard, either at the start
753	* or end of a non-IDNA first and not final label.
754	*/
755	if (p[i] == '*') {
756	int atstart = (state & LABEL_START);
757	int atend = (i == len - 1 \|\| p[i + 1] == '.');
758	/*-
759	* At most one wildcard per pattern.
760	* No wildcards in IDNA labels.
761	* No wildcards after the first label.
762	*/
763	if (star != NULL \|\| (state & LABEL_IDNA) != 0 \|\| dots)
764	return NULL;
765	/* Only full-label '.example.com' wildcards? /
766	if ((flags & X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS)
767	&& (!atstart \|\| !atend))
768	return NULL;
769	/* No 'foobar' wildcards /
770	if (!atstart && !atend)
771	return NULL;
772	star = &p[i];
773	state &= ~LABEL_START;
774	} else if (('a' <= p[i] && p[i] <= 'z')
775	\|\| ('A' <= p[i] && p[i] <= 'Z')
776	\|\| ('0' <= p[i] && p[i] <= '9')) {
777	if ((state & LABEL_START) != 0
778	&& len - i >= 4 && OPENSSL_strncasecmp((char *)&p[i], "xn--", 4) == 0)
779	state \|= LABEL_IDNA;
780	state &= ~(LABEL_HYPHEN \| LABEL_START);
781	} else if (p[i] == '.') {
782	if ((state & (LABEL_HYPHEN \| LABEL_START)) != 0)
783	return NULL;
784	state = LABEL_START;
785	++dots;
786	} else if (p[i] == '-') {
787	/* no domain/subdomain starts with '-' */
788	if ((state & LABEL_START) != 0)
789	return NULL;
790	state \|= LABEL_HYPHEN;
791	} else {
792	return NULL;
793	}
794	}
795
796	/*
797	* The final label must not end in a hyphen or ".", and
798	* there must be at least two dots after the star.
799	*/
800	if ((state & (LABEL_START \| LABEL_HYPHEN)) != 0 \|\| dots < 2)
801	return NULL;
802	return star;
803	}
804
805	/* Compare using wildcards. */
806	static int equal_wildcard(const unsigned char *pattern, size_t pattern_len,
807	const unsigned char *subject, size_t subject_len,
808	unsigned int flags)
809	{
810	const unsigned char *star = NULL;
811
812	/*
813	* Subject names starting with '.' can only match a wildcard pattern
814	* via a subject sub-domain pattern suffix match.
815	*/
816	if (!(subject_len > 1 && subject[0] == '.'))
817	star = valid_star(pattern, pattern_len, flags);
818	if (star == NULL)
819	return equal_nocase(pattern, pattern_len,
820	subject, subject_len, flags);
821	return wildcard_match(pattern, star - pattern,
822	star + 1, (pattern + pattern_len) - star - 1,
823	subject, subject_len, flags);
824	}
825
826	/*
827	* Compare an ASN1_STRING to a supplied string. If they match return 1. If
828	* cmp_type > 0 only compare if string matches the type, otherwise convert it
829	* to UTF8.
830	*/
831
832	static int do_check_string(const ASN1_STRING *a, int cmp_type, equal_fn equal,
833	unsigned int flags, const char *b, size_t blen,
834	char **peername)
835	{
836	int rv = 0;
837
838	if (!a->data \|\| !a->length)
839	return 0;
840	if (cmp_type > 0) {
841	if (cmp_type != a->type)
842	return 0;
843	if (cmp_type == V_ASN1_IA5STRING)
844	rv = equal(a->data, a->length, (unsigned char *)b, blen, flags);
845	else if (a->length == (int)blen && !memcmp(a->data, b, blen))
846	rv = 1;
847	if (rv > 0 && peername != NULL) {
848	peername = OPENSSL_strndup((char )a->data, a->length);
849	if (*peername == NULL)
850	return -1;
851	}
852	} else {
853	int astrlen;
854	unsigned char *astr;
855	astrlen = ASN1_STRING_to_UTF8(&astr, a);
856	if (astrlen < 0) {
857	/*
858	* -1 could be an internal malloc failure or a decoding error from
859	* malformed input; we can't distinguish.
860	*/
861	return -1;
862	}
863	rv = equal(astr, astrlen, (unsigned char *)b, blen, flags);
864	if (rv > 0 && peername != NULL) {
865	peername = OPENSSL_strndup((char )astr, astrlen);
866	if (*peername == NULL) {
867	OPENSSL_free(astr);
868	return -1;
869	}
870	}
871	OPENSSL_free(astr);
872	}
873	return rv;
874	}
875
876	static int do_x509_check(X509 x, const char chk, size_t chklen,
877	unsigned int flags, int check_type, char **peername)
878	{
879	GENERAL_NAMES *gens = NULL;
880	const X509_NAME *name = NULL;
881	int i;
882	int cnid = NID_undef;
883	int alt_type;
884	int san_present = 0;
885	int rv = 0;
886	equal_fn equal;
887
888	/* See below, this flag is internal-only */
889	flags &= ~_X509_CHECK_FLAG_DOT_SUBDOMAINS;
890	if (check_type == GEN_EMAIL) {
891	cnid = NID_pkcs9_emailAddress;
892	alt_type = V_ASN1_IA5STRING;
893	equal = equal_email;
894	} else if (check_type == GEN_DNS) {
895	cnid = NID_commonName;
896	/* Implicit client-side DNS sub-domain pattern */
897	if (chklen > 1 && chk[0] == '.')
898	flags \|= _X509_CHECK_FLAG_DOT_SUBDOMAINS;
899	alt_type = V_ASN1_IA5STRING;
900	if (flags & X509_CHECK_FLAG_NO_WILDCARDS)
901	equal = equal_nocase;
902	else
903	equal = equal_wildcard;
904	} else {
905	alt_type = V_ASN1_OCTET_STRING;
906	equal = equal_case;
907	}
908
909	if (chklen == 0)
910	chklen = strlen(chk);
911
912	gens = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
913	if (gens) {
914	for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
915	GENERAL_NAME *gen;
916	ASN1_STRING *cstr;
917
918	gen = sk_GENERAL_NAME_value(gens, i);
919	if ((gen->type == GEN_OTHERNAME) && (check_type == GEN_EMAIL)) {
920	if (OBJ_obj2nid(gen->d.otherName->type_id) ==
921	NID_id_on_SmtpUTF8Mailbox) {
922	san_present = 1;
923
924	/*
925	* If it is not a UTF8String then that is unexpected and we
926	* treat it as no match
927	*/
928	if (gen->d.otherName->value->type == V_ASN1_UTF8STRING) {
929	cstr = gen->d.otherName->value->value.utf8string;
930
931	/* Positive on success, negative on error! */
932	if ((rv = do_check_string(cstr, 0, equal, flags,
933	chk, chklen, peername)) != 0)
934	break;
935	}
936	} else
937	continue;
938	} else {
939	if ((gen->type != check_type) && (gen->type != GEN_OTHERNAME))
940	continue;
941	}
942	san_present = 1;
943	if (check_type == GEN_EMAIL)
944	cstr = gen->d.rfc822Name;
945	else if (check_type == GEN_DNS)
946	cstr = gen->d.dNSName;
947	else
948	cstr = gen->d.iPAddress;
949	/* Positive on success, negative on error! */
950	if ((rv = do_check_string(cstr, alt_type, equal, flags,
951	chk, chklen, peername)) != 0)
952	break;
953	}
954	GENERAL_NAMES_free(gens);
955	if (rv != 0)
956	return rv;
957	if (san_present && !(flags & X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT))
958	return 0;
959	}
960
961	/* We're done if CN-ID is not pertinent */
962	if (cnid == NID_undef \|\| (flags & X509_CHECK_FLAG_NEVER_CHECK_SUBJECT))
963	return 0;
964
965	i = -1;
966	name = X509_get_subject_name(x);
967	while ((i = X509_NAME_get_index_by_NID(name, cnid, i)) >= 0) {
968	const X509_NAME_ENTRY *ne = X509_NAME_get_entry(name, i);
969	const ASN1_STRING *str = X509_NAME_ENTRY_get_data(ne);
970
971	/* Positive on success, negative on error! */
972	if ((rv = do_check_string(str, -1, equal, flags,
973	chk, chklen, peername)) != 0)
974	return rv;
975	}
976	return 0;
977	}
978
979	int X509_check_host(X509 x, const char chk, size_t chklen,
980	unsigned int flags, char **peername)
981	{
982	if (chk == NULL)
983	return -2;
984	/*
985	* Embedded NULs are disallowed, except as the last character of a
986	* string of length 2 or more (tolerate caller including terminating
987	* NUL in string length).
988	*/
989	if (chklen == 0)
990	chklen = strlen(chk);
991	else if (memchr(chk, '\0', chklen > 1 ? chklen - 1 : chklen))
992	return -2;
993	if (chklen > 1 && chk[chklen - 1] == '\0')
994	--chklen;
995	return do_x509_check(x, chk, chklen, flags, GEN_DNS, peername);
996	}
997
998	int X509_check_email(X509 x, const char chk, size_t chklen,
999	unsigned int flags)
1000	{
1001	if (chk == NULL)
1002	return -2;
1003	/*
1004	* Embedded NULs are disallowed, except as the last character of a
1005	* string of length 2 or more (tolerate caller including terminating
1006	* NUL in string length).
1007	*/
1008	if (chklen == 0)
1009	chklen = strlen((char *)chk);
1010	else if (memchr(chk, '\0', chklen > 1 ? chklen - 1 : chklen))
1011	return -2;
1012	if (chklen > 1 && chk[chklen - 1] == '\0')
1013	--chklen;
1014	return do_x509_check(x, chk, chklen, flags, GEN_EMAIL, NULL);
1015	}
1016
1017	int X509_check_ip(X509 x, const unsigned char chk, size_t chklen,
1018	unsigned int flags)
1019	{
1020	if (chk == NULL)
1021	return -2;
1022	return do_x509_check(x, (char *)chk, chklen, flags, GEN_IPADD, NULL);
1023	}
1024
1025	int X509_check_ip_asc(X509 x, const char ipasc, unsigned int flags)
1026	{
1027	unsigned char ipout[16];
1028	size_t iplen;
1029
1030	if (ipasc == NULL)
1031	return -2;
1032	iplen = (size_t)ossl_a2i_ipadd(ipout, ipasc);
1033	if (iplen == 0)
1034	return -2;
1035	return do_x509_check(x, (char *)ipout, iplen, flags, GEN_IPADD, NULL);
1036	}
1037
1038	char ossl_ipaddr_to_asc(unsigned char p, int len)
1039	{
1040	/*
1041	* 40 is enough space for the longest IPv6 address + nul terminator byte
1042	* XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX\0
1043	*/
1044	char buf[40], *out;
1045	int i = 0, remain = 0, bytes = 0;
1046
1047	switch (len) {
1048	case 4: /* IPv4 */
1049	BIO_snprintf(buf, sizeof(buf), "%d.%d.%d.%d", p[0], p[1], p[2], p[3]);
1050	break;
1051	case 16: /* IPv6 */
1052	for (out = buf, i = 8, remain = sizeof(buf);
1053	i-- > 0 && bytes >= 0;
1054	remain -= bytes, out += bytes) {
1055	const char *template = (i > 0 ? "%X:" : "%X");
1056
1057	bytes = BIO_snprintf(out, remain, template, p[0] << 8 \| p[1]);
1058	p += 2;
1059	}
1060	break;
1061	default:
1062	BIO_snprintf(buf, sizeof(buf), "<invalid length=%d>", len);
1063	break;
1064	}
1065	return OPENSSL_strdup(buf);
1066	}
1067
1068	/*
1069	* Convert IP addresses both IPv4 and IPv6 into an OCTET STRING compatible
1070	* with RFC3280.
1071	*/
1072
1073	ASN1_OCTET_STRING a2i_IPADDRESS(const char ipasc)
1074	{
1075	unsigned char ipout[16];
1076	ASN1_OCTET_STRING *ret;
1077	int iplen;
1078
1079	/* If string contains a ':' assume IPv6 */
1080
1081	iplen = ossl_a2i_ipadd(ipout, ipasc);
1082
1083	if (!iplen)
1084	return NULL;
1085
1086	ret = ASN1_OCTET_STRING_new();
1087	if (ret == NULL)
1088	return NULL;
1089	if (!ASN1_OCTET_STRING_set(ret, ipout, iplen)) {
1090	ASN1_OCTET_STRING_free(ret);
1091	return NULL;
1092	}
1093	return ret;
1094	}
1095
1096	ASN1_OCTET_STRING a2i_IPADDRESS_NC(const char ipasc)
1097	{
1098	ASN1_OCTET_STRING *ret = NULL;
1099	unsigned char ipout[32];
1100	char iptmp = NULL, p;
1101	int iplen1, iplen2;
1102
1103	p = strchr(ipasc, '/');
1104	if (p == NULL)
1105	return NULL;
1106	iptmp = OPENSSL_strdup(ipasc);
1107	if (iptmp == NULL)
1108	return NULL;
1109	p = iptmp + (p - ipasc);
1110	*p++ = 0;
1111
1112	iplen1 = ossl_a2i_ipadd(ipout, iptmp);
1113
1114	if (!iplen1)
1115	goto err;
1116
1117	iplen2 = ossl_a2i_ipadd(ipout + iplen1, p);
1118
1119	OPENSSL_free(iptmp);
1120	iptmp = NULL;
1121
1122	if (!iplen2 \|\| (iplen1 != iplen2))
1123	goto err;
1124
1125	ret = ASN1_OCTET_STRING_new();
1126	if (ret == NULL)
1127	goto err;
1128	if (!ASN1_OCTET_STRING_set(ret, ipout, iplen1 + iplen2))
1129	goto err;
1130
1131	return ret;
1132
1133	err:
1134	OPENSSL_free(iptmp);
1135	ASN1_OCTET_STRING_free(ret);
1136	return NULL;
1137	}
1138
1139	int ossl_a2i_ipadd(unsigned char ipout, const char ipasc)
1140	{
1141	/* If string contains a ':' assume IPv6 */
1142
1143	if (strchr(ipasc, ':')) {
1144	if (!ipv6_from_asc(ipout, ipasc))
1145	return 0;
1146	return 16;
1147	} else {
1148	if (!ipv4_from_asc(ipout, ipasc))
1149	return 0;
1150	return 4;
1151	}
1152	}
1153
1154	static int ipv4_from_asc(unsigned char v4, const char in)
1155	{
1156	const char *p;
1157	int a0, a1, a2, a3, n;
1158
1159	if (sscanf(in, "%d.%d.%d.%d%n", &a0, &a1, &a2, &a3, &n) != 4)
1160	return 0;
1161	if ((a0 < 0) \|\| (a0 > 255) \|\| (a1 < 0) \|\| (a1 > 255)
1162	\|\| (a2 < 0) \|\| (a2 > 255) \|\| (a3 < 0) \|\| (a3 > 255))
1163	return 0;
1164	p = in + n;
1165	if (!(p == '\0' \|\| ossl_isspace(p)))
1166	return 0;
1167	v4[0] = a0;
1168	v4[1] = a1;
1169	v4[2] = a2;
1170	v4[3] = a3;
1171	return 1;
1172	}
1173
1174	typedef struct {
1175	/* Temporary store for IPV6 output */
1176	unsigned char tmp[16];
1177	/* Total number of bytes in tmp */
1178	int total;
1179	/* The position of a zero (corresponding to '::') */
1180	int zero_pos;
1181	/* Number of zeroes */
1182	int zero_cnt;
1183	} IPV6_STAT;
1184
1185	static int ipv6_from_asc(unsigned char v6, const char in)
1186	{
1187	IPV6_STAT v6stat;
1188
1189	v6stat.total = 0;
1190	v6stat.zero_pos = -1;
1191	v6stat.zero_cnt = 0;
1192	/*
1193	* Treat the IPv6 representation as a list of values separated by ':'.
1194	* The presence of a '::' will parse as one, two or three zero length
1195	* elements.
1196	*/
1197	if (!CONF_parse_list(in, ':', 0, ipv6_cb, &v6stat))
1198	return 0;
1199
1200	/* Now for some sanity checks */
1201
1202	if (v6stat.zero_pos == -1) {
1203	/* If no '::' must have exactly 16 bytes */
1204	if (v6stat.total != 16)
1205	return 0;
1206	} else {
1207	/* If '::' must have less than 16 bytes */
1208	if (v6stat.total == 16)
1209	return 0;
1210	/* More than three zeroes is an error */
1211	if (v6stat.zero_cnt > 3) {
1212	return 0;
1213	/* Can only have three zeroes if nothing else present */
1214	} else if (v6stat.zero_cnt == 3) {
1215	if (v6stat.total > 0)
1216	return 0;
1217	} else if (v6stat.zero_cnt == 2) {
1218	/* Can only have two zeroes if at start or end */
1219	if ((v6stat.zero_pos != 0)
1220	&& (v6stat.zero_pos != v6stat.total))
1221	return 0;
1222	} else {
1223	/* Can only have one zero if not start or end */
1224	if ((v6stat.zero_pos == 0)
1225	\|\| (v6stat.zero_pos == v6stat.total))
1226	return 0;
1227	}
1228	}
1229
1230	/* Format result */
1231
1232	if (v6stat.zero_pos >= 0) {
1233	/* Copy initial part */
1234	memcpy(v6, v6stat.tmp, v6stat.zero_pos);
1235	/* Zero middle */
1236	memset(v6 + v6stat.zero_pos, 0, 16 - v6stat.total);
1237	/* Copy final part */
1238	if (v6stat.total != v6stat.zero_pos)
1239	memcpy(v6 + v6stat.zero_pos + 16 - v6stat.total,
1240	v6stat.tmp + v6stat.zero_pos,
1241	v6stat.total - v6stat.zero_pos);
1242	} else {
1243	memcpy(v6, v6stat.tmp, 16);
1244	}
1245
1246	return 1;
1247	}
1248
1249	static int ipv6_cb(const char elem, int len, void usr)
1250	{
1251	IPV6_STAT *s = usr;
1252
1253	/* Error if 16 bytes written */
1254	if (s->total == 16)
1255	return 0;
1256	if (len == 0) {
1257	/* Zero length element, corresponds to '::' */
1258	if (s->zero_pos == -1)
1259	s->zero_pos = s->total;
1260	/* If we've already got a :: its an error */
1261	else if (s->zero_pos != s->total)
1262	return 0;
1263	s->zero_cnt++;
1264	} else {
1265	/* If more than 4 characters could be final a.b.c.d form */
1266	if (len > 4) {
1267	/* Need at least 4 bytes left */
1268	if (s->total > 12)
1269	return 0;
1270	/* Must be end of string */
1271	if (elem[len])
1272	return 0;
1273	if (!ipv4_from_asc(s->tmp + s->total, elem))
1274	return 0;
1275	s->total += 4;
1276	} else {
1277	if (!ipv6_hex(s->tmp + s->total, elem, len))
1278	return 0;
1279	s->total += 2;
1280	}
1281	}
1282	return 1;
1283	}
1284
1285	/*
1286	* Convert a string of up to 4 hex digits into the corresponding IPv6 form.
1287	*/
1288
1289	static int ipv6_hex(unsigned char out, const char in, int inlen)
1290	{
1291	unsigned char c;
1292	unsigned int num = 0;
1293	int x;
1294
1295	if (inlen > 4)
1296	return 0;
1297	while (inlen--) {
1298	c = *in++;
1299	num <<= 4;
1300	x = OPENSSL_hexchar2int(c);
1301	if (x < 0)
1302	return 0;
1303	num \|= (char)x;
1304	}
1305	out[0] = num >> 8;
1306	out[1] = num & 0xff;
1307	return 1;
1308	}
1309
1310	int X509V3_NAME_from_section(X509_NAME nm, STACK_OF(CONF_VALUE) dn_sk,
1311	unsigned long chtype)
1312	{
1313	CONF_VALUE *v;
1314	int i, mval, spec_char, plus_char;
1315	char p, type;
1316
1317	if (!nm)
1318	return 0;
1319
1320	for (i = 0; i < sk_CONF_VALUE_num(dn_sk); i++) {
1321	v = sk_CONF_VALUE_value(dn_sk, i);
1322	type = v->name;
1323	/*
1324	* Skip past any leading X. X: X, etc to allow for multiple instances
1325	*/
1326	for (p = type; *p; p++) {
1327	#ifndef CHARSET_EBCDIC
1328	spec_char = ((p == ':') \|\| (p == ',') \|\| (*p == '.'));
1329	#else
1330	spec_char = ((p == os_toascii[':']) \|\| (p == os_toascii[','])
1331	\|\| (*p == os_toascii['.']));
1332	#endif
1333	if (spec_char) {
1334	p++;
1335	if (*p)
1336	type = p;
1337	break;
1338	}
1339	}
1340	#ifndef CHARSET_EBCDIC
1341	plus_char = (*type == '+');
1342	#else
1343	plus_char = (*type == os_toascii['+']);
1344	#endif
1345	if (plus_char) {
1346	mval = -1;
1347	type++;
1348	} else {
1349	mval = 0;
1350	}
1351	if (!X509_NAME_add_entry_by_txt(nm, type, chtype,
1352	(unsigned char *)v->value, -1, -1,
1353	mval))
1354	return 0;
1355
1356	}
1357	return 1;
1358	}

Note: See TracBrowser for help on using the repository browser.

source: vbox/trunk/src/libs/openssl-3.1.7/crypto/x509/v3_utl.c@ 107835

Download in other formats: