v3_utl.c 38 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358
  1. /*
  2. * Copyright 1999-2022 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. /* X509 v3 extension utilities */
  10. #include "internal/e_os.h"
  11. #include "internal/cryptlib.h"
  12. #include <stdio.h>
  13. #include <string.h>
  14. #include "crypto/ctype.h"
  15. #include <openssl/conf.h>
  16. #include <openssl/crypto.h>
  17. #include <openssl/x509v3.h>
  18. #include "crypto/x509.h"
  19. #include <openssl/bn.h>
  20. #include "ext_dat.h"
  21. #include "x509_local.h"
  22. static char *strip_spaces(char *name);
  23. static int sk_strcmp(const char *const *a, const char *const *b);
  24. static STACK_OF(OPENSSL_STRING) *get_email(const X509_NAME *name,
  25. GENERAL_NAMES *gens);
  26. static void str_free(OPENSSL_STRING str);
  27. static int append_ia5(STACK_OF(OPENSSL_STRING) **sk,
  28. const ASN1_IA5STRING *email);
  29. static int ipv4_from_asc(unsigned char *v4, const char *in);
  30. static int ipv6_from_asc(unsigned char *v6, const char *in);
  31. static int ipv6_cb(const char *elem, int len, void *usr);
  32. static int ipv6_hex(unsigned char *out, const char *in, int inlen);
  33. /* Add a CONF_VALUE name value pair to stack */
  34. static int x509v3_add_len_value(const char *name, const char *value,
  35. size_t vallen, STACK_OF(CONF_VALUE) **extlist)
  36. {
  37. CONF_VALUE *vtmp = NULL;
  38. char *tname = NULL, *tvalue = NULL;
  39. int sk_allocated = (*extlist == NULL);
  40. if (name != NULL && (tname = OPENSSL_strdup(name)) == NULL)
  41. goto err;
  42. if (value != NULL) {
  43. /* We don't allow embedded NUL characters */
  44. if (memchr(value, 0, vallen) != NULL)
  45. goto err;
  46. tvalue = OPENSSL_strndup(value, vallen);
  47. if (tvalue == NULL)
  48. goto err;
  49. }
  50. if ((vtmp = OPENSSL_malloc(sizeof(*vtmp))) == NULL)
  51. goto err;
  52. if (sk_allocated && (*extlist = sk_CONF_VALUE_new_null()) == NULL) {
  53. ERR_raise(ERR_LIB_X509V3, ERR_R_CRYPTO_LIB);
  54. goto err;
  55. }
  56. vtmp->section = NULL;
  57. vtmp->name = tname;
  58. vtmp->value = tvalue;
  59. if (!sk_CONF_VALUE_push(*extlist, vtmp))
  60. goto err;
  61. return 1;
  62. err:
  63. if (sk_allocated) {
  64. sk_CONF_VALUE_free(*extlist);
  65. *extlist = NULL;
  66. }
  67. OPENSSL_free(vtmp);
  68. OPENSSL_free(tname);
  69. OPENSSL_free(tvalue);
  70. return 0;
  71. }
  72. int X509V3_add_value(const char *name, const char *value,
  73. STACK_OF(CONF_VALUE) **extlist)
  74. {
  75. return x509v3_add_len_value(name, value,
  76. value != NULL ? strlen((const char *)value) : 0,
  77. extlist);
  78. }
  79. int X509V3_add_value_uchar(const char *name, const unsigned char *value,
  80. STACK_OF(CONF_VALUE) **extlist)
  81. {
  82. return x509v3_add_len_value(name, (const char *)value,
  83. value != NULL ? strlen((const char *)value) : 0,
  84. extlist);
  85. }
  86. int x509v3_add_len_value_uchar(const char *name, const unsigned char *value,
  87. size_t vallen, STACK_OF(CONF_VALUE) **extlist)
  88. {
  89. return x509v3_add_len_value(name, (const char *)value, vallen, extlist);
  90. }
  91. /* Free function for STACK_OF(CONF_VALUE) */
  92. void X509V3_conf_free(CONF_VALUE *conf)
  93. {
  94. if (!conf)
  95. return;
  96. OPENSSL_free(conf->name);
  97. OPENSSL_free(conf->value);
  98. OPENSSL_free(conf->section);
  99. OPENSSL_free(conf);
  100. }
  101. int X509V3_add_value_bool(const char *name, int asn1_bool,
  102. STACK_OF(CONF_VALUE) **extlist)
  103. {
  104. if (asn1_bool)
  105. return X509V3_add_value(name, "TRUE", extlist);
  106. return X509V3_add_value(name, "FALSE", extlist);
  107. }
  108. int X509V3_add_value_bool_nf(const char *name, int asn1_bool,
  109. STACK_OF(CONF_VALUE) **extlist)
  110. {
  111. if (asn1_bool)
  112. return X509V3_add_value(name, "TRUE", extlist);
  113. return 1;
  114. }
  115. static char *bignum_to_string(const BIGNUM *bn)
  116. {
  117. char *tmp, *ret;
  118. size_t len;
  119. /*
  120. * Display large numbers in hex and small numbers in decimal. Converting to
  121. * decimal takes quadratic time and is no more useful than hex for large
  122. * numbers.
  123. */
  124. if (BN_num_bits(bn) < 128)
  125. return BN_bn2dec(bn);
  126. tmp = BN_bn2hex(bn);
  127. if (tmp == NULL)
  128. return NULL;
  129. len = strlen(tmp) + 3;
  130. ret = OPENSSL_malloc(len);
  131. if (ret == NULL) {
  132. OPENSSL_free(tmp);
  133. return NULL;
  134. }
  135. /* Prepend "0x", but place it after the "-" if negative. */
  136. if (tmp[0] == '-') {
  137. OPENSSL_strlcpy(ret, "-0x", len);
  138. OPENSSL_strlcat(ret, tmp + 1, len);
  139. } else {
  140. OPENSSL_strlcpy(ret, "0x", len);
  141. OPENSSL_strlcat(ret, tmp, len);
  142. }
  143. OPENSSL_free(tmp);
  144. return ret;
  145. }
  146. char *i2s_ASN1_ENUMERATED(X509V3_EXT_METHOD *method, const ASN1_ENUMERATED *a)
  147. {
  148. BIGNUM *bntmp = NULL;
  149. char *strtmp = NULL;
  150. if (!a)
  151. return NULL;
  152. if ((bntmp = ASN1_ENUMERATED_to_BN(a, NULL)) == NULL)
  153. ERR_raise(ERR_LIB_X509V3, ERR_R_ASN1_LIB);
  154. else if ((strtmp = bignum_to_string(bntmp)) == NULL)
  155. ERR_raise(ERR_LIB_X509V3, ERR_R_X509V3_LIB);
  156. BN_free(bntmp);
  157. return strtmp;
  158. }
  159. char *i2s_ASN1_INTEGER(X509V3_EXT_METHOD *method, const ASN1_INTEGER *a)
  160. {
  161. BIGNUM *bntmp = NULL;
  162. char *strtmp = NULL;
  163. if (!a)
  164. return NULL;
  165. if ((bntmp = ASN1_INTEGER_to_BN(a, NULL)) == NULL)
  166. ERR_raise(ERR_LIB_X509V3, ERR_R_ASN1_LIB);
  167. else if ((strtmp = bignum_to_string(bntmp)) == NULL)
  168. ERR_raise(ERR_LIB_X509V3, ERR_R_X509V3_LIB);
  169. BN_free(bntmp);
  170. return strtmp;
  171. }
  172. ASN1_INTEGER *s2i_ASN1_INTEGER(X509V3_EXT_METHOD *method, const char *value)
  173. {
  174. BIGNUM *bn = NULL;
  175. ASN1_INTEGER *aint;
  176. int isneg, ishex;
  177. int ret;
  178. if (value == NULL) {
  179. ERR_raise(ERR_LIB_X509V3, X509V3_R_INVALID_NULL_VALUE);
  180. return NULL;
  181. }
  182. bn = BN_new();
  183. if (bn == NULL) {
  184. ERR_raise(ERR_LIB_X509V3, ERR_R_BN_LIB);
  185. return NULL;
  186. }
  187. if (value[0] == '-') {
  188. value++;
  189. isneg = 1;
  190. } else {
  191. isneg = 0;
  192. }
  193. if (value[0] == '0' && ((value[1] == 'x') || (value[1] == 'X'))) {
  194. value += 2;
  195. ishex = 1;
  196. } else {
  197. ishex = 0;
  198. }
  199. if (ishex)
  200. ret = BN_hex2bn(&bn, value);
  201. else
  202. ret = BN_dec2bn(&bn, value);
  203. if (!ret || value[ret]) {
  204. BN_free(bn);
  205. ERR_raise(ERR_LIB_X509V3, X509V3_R_BN_DEC2BN_ERROR);
  206. return NULL;
  207. }
  208. if (isneg && BN_is_zero(bn))
  209. isneg = 0;
  210. aint = BN_to_ASN1_INTEGER(bn, NULL);
  211. BN_free(bn);
  212. if (!aint) {
  213. ERR_raise(ERR_LIB_X509V3, X509V3_R_BN_TO_ASN1_INTEGER_ERROR);
  214. return NULL;
  215. }
  216. if (isneg)
  217. aint->type |= V_ASN1_NEG;
  218. return aint;
  219. }
  220. int X509V3_add_value_int(const char *name, const ASN1_INTEGER *aint,
  221. STACK_OF(CONF_VALUE) **extlist)
  222. {
  223. char *strtmp;
  224. int ret;
  225. if (!aint)
  226. return 1;
  227. if ((strtmp = i2s_ASN1_INTEGER(NULL, aint)) == NULL)
  228. return 0;
  229. ret = X509V3_add_value(name, strtmp, extlist);
  230. OPENSSL_free(strtmp);
  231. return ret;
  232. }
  233. int X509V3_get_value_bool(const CONF_VALUE *value, int *asn1_bool)
  234. {
  235. const char *btmp;
  236. if ((btmp = value->value) == NULL)
  237. goto err;
  238. if (strcmp(btmp, "TRUE") == 0
  239. || strcmp(btmp, "true") == 0
  240. || strcmp(btmp, "Y") == 0
  241. || strcmp(btmp, "y") == 0
  242. || strcmp(btmp, "YES") == 0
  243. || strcmp(btmp, "yes") == 0) {
  244. *asn1_bool = 0xff;
  245. return 1;
  246. }
  247. if (strcmp(btmp, "FALSE") == 0
  248. || strcmp(btmp, "false") == 0
  249. || strcmp(btmp, "N") == 0
  250. || strcmp(btmp, "n") == 0
  251. || strcmp(btmp, "NO") == 0
  252. || strcmp(btmp, "no") == 0) {
  253. *asn1_bool = 0;
  254. return 1;
  255. }
  256. err:
  257. ERR_raise(ERR_LIB_X509V3, X509V3_R_INVALID_BOOLEAN_STRING);
  258. X509V3_conf_add_error_name_value(value);
  259. return 0;
  260. }
  261. int X509V3_get_value_int(const CONF_VALUE *value, ASN1_INTEGER **aint)
  262. {
  263. ASN1_INTEGER *itmp;
  264. if ((itmp = s2i_ASN1_INTEGER(NULL, value->value)) == NULL) {
  265. X509V3_conf_add_error_name_value(value);
  266. return 0;
  267. }
  268. *aint = itmp;
  269. return 1;
  270. }
  271. #define HDR_NAME 1
  272. #define HDR_VALUE 2
  273. /*
  274. * #define DEBUG
  275. */
  276. STACK_OF(CONF_VALUE) *X509V3_parse_list(const char *line)
  277. {
  278. char *p, *q, c;
  279. char *ntmp, *vtmp;
  280. STACK_OF(CONF_VALUE) *values = NULL;
  281. char *linebuf;
  282. int state;
  283. /* We are going to modify the line so copy it first */
  284. linebuf = OPENSSL_strdup(line);
  285. if (linebuf == NULL)
  286. goto err;
  287. state = HDR_NAME;
  288. ntmp = NULL;
  289. /* Go through all characters */
  290. for (p = linebuf, q = linebuf; (c = *p) && (c != '\r') && (c != '\n');
  291. p++) {
  292. switch (state) {
  293. case HDR_NAME:
  294. if (c == ':') {
  295. state = HDR_VALUE;
  296. *p = 0;
  297. ntmp = strip_spaces(q);
  298. if (!ntmp) {
  299. ERR_raise(ERR_LIB_X509V3, X509V3_R_INVALID_EMPTY_NAME);
  300. goto err;
  301. }
  302. q = p + 1;
  303. } else if (c == ',') {
  304. *p = 0;
  305. ntmp = strip_spaces(q);
  306. q = p + 1;
  307. if (!ntmp) {
  308. ERR_raise(ERR_LIB_X509V3, X509V3_R_INVALID_EMPTY_NAME);
  309. goto err;
  310. }
  311. if (!X509V3_add_value(ntmp, NULL, &values)) {
  312. goto err;
  313. }
  314. }
  315. break;
  316. case HDR_VALUE:
  317. if (c == ',') {
  318. state = HDR_NAME;
  319. *p = 0;
  320. vtmp = strip_spaces(q);
  321. if (!vtmp) {
  322. ERR_raise(ERR_LIB_X509V3, X509V3_R_INVALID_NULL_VALUE);
  323. goto err;
  324. }
  325. if (!X509V3_add_value(ntmp, vtmp, &values)) {
  326. goto err;
  327. }
  328. ntmp = NULL;
  329. q = p + 1;
  330. }
  331. }
  332. }
  333. if (state == HDR_VALUE) {
  334. vtmp = strip_spaces(q);
  335. if (!vtmp) {
  336. ERR_raise(ERR_LIB_X509V3, X509V3_R_INVALID_NULL_VALUE);
  337. goto err;
  338. }
  339. if (!X509V3_add_value(ntmp, vtmp, &values)) {
  340. goto err;
  341. }
  342. } else {
  343. ntmp = strip_spaces(q);
  344. if (!ntmp) {
  345. ERR_raise(ERR_LIB_X509V3, X509V3_R_INVALID_EMPTY_NAME);
  346. goto err;
  347. }
  348. if (!X509V3_add_value(ntmp, NULL, &values)) {
  349. goto err;
  350. }
  351. }
  352. OPENSSL_free(linebuf);
  353. return values;
  354. err:
  355. OPENSSL_free(linebuf);
  356. sk_CONF_VALUE_pop_free(values, X509V3_conf_free);
  357. return NULL;
  358. }
  359. /* Delete leading and trailing spaces from a string */
  360. static char *strip_spaces(char *name)
  361. {
  362. char *p, *q;
  363. /* Skip over leading spaces */
  364. p = name;
  365. while (*p && ossl_isspace(*p))
  366. p++;
  367. if (*p == '\0')
  368. return NULL;
  369. q = p + strlen(p) - 1;
  370. while ((q != p) && ossl_isspace(*q))
  371. q--;
  372. if (p != q)
  373. q[1] = 0;
  374. if (*p == '\0')
  375. return NULL;
  376. return p;
  377. }
  378. /*
  379. * V2I name comparison function: returns zero if 'name' matches cmp or cmp.*
  380. */
  381. int ossl_v3_name_cmp(const char *name, const char *cmp)
  382. {
  383. int len, ret;
  384. char c;
  385. len = strlen(cmp);
  386. if ((ret = strncmp(name, cmp, len)))
  387. return ret;
  388. c = name[len];
  389. if (!c || (c == '.'))
  390. return 0;
  391. return 1;
  392. }
  393. static int sk_strcmp(const char *const *a, const char *const *b)
  394. {
  395. return strcmp(*a, *b);
  396. }
  397. STACK_OF(OPENSSL_STRING) *X509_get1_email(X509 *x)
  398. {
  399. GENERAL_NAMES *gens;
  400. STACK_OF(OPENSSL_STRING) *ret;
  401. gens = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
  402. ret = get_email(X509_get_subject_name(x), gens);
  403. sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
  404. return ret;
  405. }
  406. STACK_OF(OPENSSL_STRING) *X509_get1_ocsp(X509 *x)
  407. {
  408. AUTHORITY_INFO_ACCESS *info;
  409. STACK_OF(OPENSSL_STRING) *ret = NULL;
  410. int i;
  411. info = X509_get_ext_d2i(x, NID_info_access, NULL, NULL);
  412. if (!info)
  413. return NULL;
  414. for (i = 0; i < sk_ACCESS_DESCRIPTION_num(info); i++) {
  415. ACCESS_DESCRIPTION *ad = sk_ACCESS_DESCRIPTION_value(info, i);
  416. if (OBJ_obj2nid(ad->method) == NID_ad_OCSP) {
  417. if (ad->location->type == GEN_URI) {
  418. if (!append_ia5
  419. (&ret, ad->location->d.uniformResourceIdentifier))
  420. break;
  421. }
  422. }
  423. }
  424. AUTHORITY_INFO_ACCESS_free(info);
  425. return ret;
  426. }
  427. STACK_OF(OPENSSL_STRING) *X509_REQ_get1_email(X509_REQ *x)
  428. {
  429. GENERAL_NAMES *gens;
  430. STACK_OF(X509_EXTENSION) *exts;
  431. STACK_OF(OPENSSL_STRING) *ret;
  432. exts = X509_REQ_get_extensions(x);
  433. gens = X509V3_get_d2i(exts, NID_subject_alt_name, NULL, NULL);
  434. ret = get_email(X509_REQ_get_subject_name(x), gens);
  435. sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
  436. sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
  437. return ret;
  438. }
  439. static STACK_OF(OPENSSL_STRING) *get_email(const X509_NAME *name,
  440. GENERAL_NAMES *gens)
  441. {
  442. STACK_OF(OPENSSL_STRING) *ret = NULL;
  443. X509_NAME_ENTRY *ne;
  444. const ASN1_IA5STRING *email;
  445. GENERAL_NAME *gen;
  446. int i = -1;
  447. /* Now add any email address(es) to STACK */
  448. /* First supplied X509_NAME */
  449. while ((i = X509_NAME_get_index_by_NID(name,
  450. NID_pkcs9_emailAddress, i)) >= 0) {
  451. ne = X509_NAME_get_entry(name, i);
  452. email = X509_NAME_ENTRY_get_data(ne);
  453. if (!append_ia5(&ret, email))
  454. return NULL;
  455. }
  456. for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
  457. gen = sk_GENERAL_NAME_value(gens, i);
  458. if (gen->type != GEN_EMAIL)
  459. continue;
  460. if (!append_ia5(&ret, gen->d.ia5))
  461. return NULL;
  462. }
  463. return ret;
  464. }
  465. static void str_free(OPENSSL_STRING str)
  466. {
  467. OPENSSL_free(str);
  468. }
  469. static int append_ia5(STACK_OF(OPENSSL_STRING) **sk,
  470. const ASN1_IA5STRING *email)
  471. {
  472. char *emtmp;
  473. /* First some sanity checks */
  474. if (email->type != V_ASN1_IA5STRING)
  475. return 1;
  476. if (email->data == NULL || email->length == 0)
  477. return 1;
  478. if (memchr(email->data, 0, email->length) != NULL)
  479. return 1;
  480. if (*sk == NULL)
  481. *sk = sk_OPENSSL_STRING_new(sk_strcmp);
  482. if (*sk == NULL)
  483. return 0;
  484. emtmp = OPENSSL_strndup((char *)email->data, email->length);
  485. if (emtmp == NULL) {
  486. X509_email_free(*sk);
  487. *sk = NULL;
  488. return 0;
  489. }
  490. /* Don't add duplicates */
  491. if (sk_OPENSSL_STRING_find(*sk, emtmp) != -1) {
  492. OPENSSL_free(emtmp);
  493. return 1;
  494. }
  495. if (!sk_OPENSSL_STRING_push(*sk, emtmp)) {
  496. OPENSSL_free(emtmp); /* free on push failure */
  497. X509_email_free(*sk);
  498. *sk = NULL;
  499. return 0;
  500. }
  501. return 1;
  502. }
  503. void X509_email_free(STACK_OF(OPENSSL_STRING) *sk)
  504. {
  505. sk_OPENSSL_STRING_pop_free(sk, str_free);
  506. }
  507. typedef int (*equal_fn) (const unsigned char *pattern, size_t pattern_len,
  508. const unsigned char *subject, size_t subject_len,
  509. unsigned int flags);
  510. /* Skip pattern prefix to match "wildcard" subject */
  511. static void skip_prefix(const unsigned char **p, size_t *plen,
  512. size_t subject_len,
  513. unsigned int flags)
  514. {
  515. const unsigned char *pattern = *p;
  516. size_t pattern_len = *plen;
  517. /*
  518. * If subject starts with a leading '.' followed by more octets, and
  519. * pattern is longer, compare just an equal-length suffix with the
  520. * full subject (starting at the '.'), provided the prefix contains
  521. * no NULs.
  522. */
  523. if ((flags & _X509_CHECK_FLAG_DOT_SUBDOMAINS) == 0)
  524. return;
  525. while (pattern_len > subject_len && *pattern) {
  526. if ((flags & X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS) &&
  527. *pattern == '.')
  528. break;
  529. ++pattern;
  530. --pattern_len;
  531. }
  532. /* Skip if entire prefix acceptable */
  533. if (pattern_len == subject_len) {
  534. *p = pattern;
  535. *plen = pattern_len;
  536. }
  537. }
  538. /* Compare while ASCII ignoring case. */
  539. static int equal_nocase(const unsigned char *pattern, size_t pattern_len,
  540. const unsigned char *subject, size_t subject_len,
  541. unsigned int flags)
  542. {
  543. skip_prefix(&pattern, &pattern_len, subject_len, flags);
  544. if (pattern_len != subject_len)
  545. return 0;
  546. while (pattern_len != 0) {
  547. unsigned char l = *pattern;
  548. unsigned char r = *subject;
  549. /* The pattern must not contain NUL characters. */
  550. if (l == 0)
  551. return 0;
  552. if (l != r) {
  553. if ('A' <= l && l <= 'Z')
  554. l = (l - 'A') + 'a';
  555. if ('A' <= r && r <= 'Z')
  556. r = (r - 'A') + 'a';
  557. if (l != r)
  558. return 0;
  559. }
  560. ++pattern;
  561. ++subject;
  562. --pattern_len;
  563. }
  564. return 1;
  565. }
  566. /* Compare using memcmp. */
  567. static int equal_case(const unsigned char *pattern, size_t pattern_len,
  568. const unsigned char *subject, size_t subject_len,
  569. unsigned int flags)
  570. {
  571. skip_prefix(&pattern, &pattern_len, subject_len, flags);
  572. if (pattern_len != subject_len)
  573. return 0;
  574. return !memcmp(pattern, subject, pattern_len);
  575. }
  576. /*
  577. * RFC 5280, section 7.5, requires that only the domain is compared in a
  578. * case-insensitive manner.
  579. */
  580. static int equal_email(const unsigned char *a, size_t a_len,
  581. const unsigned char *b, size_t b_len,
  582. unsigned int unused_flags)
  583. {
  584. size_t i = a_len;
  585. if (a_len != b_len)
  586. return 0;
  587. /*
  588. * We search backwards for the '@' character, so that we do not have to
  589. * deal with quoted local-parts. The domain part is compared in a
  590. * case-insensitive manner.
  591. */
  592. while (i > 0) {
  593. --i;
  594. if (a[i] == '@' || b[i] == '@') {
  595. if (!equal_nocase(a + i, a_len - i, b + i, a_len - i, 0))
  596. return 0;
  597. break;
  598. }
  599. }
  600. if (i == 0)
  601. i = a_len;
  602. return equal_case(a, i, b, i, 0);
  603. }
  604. /*
  605. * Compare the prefix and suffix with the subject, and check that the
  606. * characters in-between are valid.
  607. */
  608. static int wildcard_match(const unsigned char *prefix, size_t prefix_len,
  609. const unsigned char *suffix, size_t suffix_len,
  610. const unsigned char *subject, size_t subject_len,
  611. unsigned int flags)
  612. {
  613. const unsigned char *wildcard_start;
  614. const unsigned char *wildcard_end;
  615. const unsigned char *p;
  616. int allow_multi = 0;
  617. int allow_idna = 0;
  618. if (subject_len < prefix_len + suffix_len)
  619. return 0;
  620. if (!equal_nocase(prefix, prefix_len, subject, prefix_len, flags))
  621. return 0;
  622. wildcard_start = subject + prefix_len;
  623. wildcard_end = subject + (subject_len - suffix_len);
  624. if (!equal_nocase(wildcard_end, suffix_len, suffix, suffix_len, flags))
  625. return 0;
  626. /*
  627. * If the wildcard makes up the entire first label, it must match at
  628. * least one character.
  629. */
  630. if (prefix_len == 0 && *suffix == '.') {
  631. if (wildcard_start == wildcard_end)
  632. return 0;
  633. allow_idna = 1;
  634. if (flags & X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS)
  635. allow_multi = 1;
  636. }
  637. /* IDNA labels cannot match partial wildcards */
  638. if (!allow_idna &&
  639. subject_len >= 4 && HAS_CASE_PREFIX((const char *)subject, "xn--"))
  640. return 0;
  641. /* The wildcard may match a literal '*' */
  642. if (wildcard_end == wildcard_start + 1 && *wildcard_start == '*')
  643. return 1;
  644. /*
  645. * Check that the part matched by the wildcard contains only
  646. * permitted characters and only matches a single label unless
  647. * allow_multi is set.
  648. */
  649. for (p = wildcard_start; p != wildcard_end; ++p)
  650. if (!(('0' <= *p && *p <= '9') ||
  651. ('A' <= *p && *p <= 'Z') ||
  652. ('a' <= *p && *p <= 'z') ||
  653. *p == '-' || (allow_multi && *p == '.')))
  654. return 0;
  655. return 1;
  656. }
  657. #define LABEL_START (1 << 0)
  658. #define LABEL_END (1 << 1)
  659. #define LABEL_HYPHEN (1 << 2)
  660. #define LABEL_IDNA (1 << 3)
  661. static const unsigned char *valid_star(const unsigned char *p, size_t len,
  662. unsigned int flags)
  663. {
  664. const unsigned char *star = 0;
  665. size_t i;
  666. int state = LABEL_START;
  667. int dots = 0;
  668. for (i = 0; i < len; ++i) {
  669. /*
  670. * Locate first and only legal wildcard, either at the start
  671. * or end of a non-IDNA first and not final label.
  672. */
  673. if (p[i] == '*') {
  674. int atstart = (state & LABEL_START);
  675. int atend = (i == len - 1 || p[i + 1] == '.');
  676. /*-
  677. * At most one wildcard per pattern.
  678. * No wildcards in IDNA labels.
  679. * No wildcards after the first label.
  680. */
  681. if (star != NULL || (state & LABEL_IDNA) != 0 || dots)
  682. return NULL;
  683. /* Only full-label '*.example.com' wildcards? */
  684. if ((flags & X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS)
  685. && (!atstart || !atend))
  686. return NULL;
  687. /* No 'foo*bar' wildcards */
  688. if (!atstart && !atend)
  689. return NULL;
  690. star = &p[i];
  691. state &= ~LABEL_START;
  692. } else if (('a' <= p[i] && p[i] <= 'z')
  693. || ('A' <= p[i] && p[i] <= 'Z')
  694. || ('0' <= p[i] && p[i] <= '9')) {
  695. if ((state & LABEL_START) != 0
  696. && len - i >= 4 && HAS_CASE_PREFIX((const char *)&p[i], "xn--"))
  697. state |= LABEL_IDNA;
  698. state &= ~(LABEL_HYPHEN | LABEL_START);
  699. } else if (p[i] == '.') {
  700. if ((state & (LABEL_HYPHEN | LABEL_START)) != 0)
  701. return NULL;
  702. state = LABEL_START;
  703. ++dots;
  704. } else if (p[i] == '-') {
  705. /* no domain/subdomain starts with '-' */
  706. if ((state & LABEL_START) != 0)
  707. return NULL;
  708. state |= LABEL_HYPHEN;
  709. } else {
  710. return NULL;
  711. }
  712. }
  713. /*
  714. * The final label must not end in a hyphen or ".", and
  715. * there must be at least two dots after the star.
  716. */
  717. if ((state & (LABEL_START | LABEL_HYPHEN)) != 0 || dots < 2)
  718. return NULL;
  719. return star;
  720. }
  721. /* Compare using wildcards. */
  722. static int equal_wildcard(const unsigned char *pattern, size_t pattern_len,
  723. const unsigned char *subject, size_t subject_len,
  724. unsigned int flags)
  725. {
  726. const unsigned char *star = NULL;
  727. /*
  728. * Subject names starting with '.' can only match a wildcard pattern
  729. * via a subject sub-domain pattern suffix match.
  730. */
  731. if (!(subject_len > 1 && subject[0] == '.'))
  732. star = valid_star(pattern, pattern_len, flags);
  733. if (star == NULL)
  734. return equal_nocase(pattern, pattern_len,
  735. subject, subject_len, flags);
  736. return wildcard_match(pattern, star - pattern,
  737. star + 1, (pattern + pattern_len) - star - 1,
  738. subject, subject_len, flags);
  739. }
  740. /*
  741. * Compare an ASN1_STRING to a supplied string. If they match return 1. If
  742. * cmp_type > 0 only compare if string matches the type, otherwise convert it
  743. * to UTF8.
  744. */
  745. static int do_check_string(const ASN1_STRING *a, int cmp_type, equal_fn equal,
  746. unsigned int flags, const char *b, size_t blen,
  747. char **peername)
  748. {
  749. int rv = 0;
  750. if (!a->data || !a->length)
  751. return 0;
  752. if (cmp_type > 0) {
  753. if (cmp_type != a->type)
  754. return 0;
  755. if (cmp_type == V_ASN1_IA5STRING)
  756. rv = equal(a->data, a->length, (unsigned char *)b, blen, flags);
  757. else if (a->length == (int)blen && !memcmp(a->data, b, blen))
  758. rv = 1;
  759. if (rv > 0 && peername != NULL) {
  760. *peername = OPENSSL_strndup((char *)a->data, a->length);
  761. if (*peername == NULL)
  762. return -1;
  763. }
  764. } else {
  765. int astrlen;
  766. unsigned char *astr;
  767. astrlen = ASN1_STRING_to_UTF8(&astr, a);
  768. if (astrlen < 0) {
  769. /*
  770. * -1 could be an internal malloc failure or a decoding error from
  771. * malformed input; we can't distinguish.
  772. */
  773. return -1;
  774. }
  775. rv = equal(astr, astrlen, (unsigned char *)b, blen, flags);
  776. if (rv > 0 && peername != NULL) {
  777. *peername = OPENSSL_strndup((char *)astr, astrlen);
  778. if (*peername == NULL) {
  779. OPENSSL_free(astr);
  780. return -1;
  781. }
  782. }
  783. OPENSSL_free(astr);
  784. }
  785. return rv;
  786. }
  787. static int do_x509_check(X509 *x, const char *chk, size_t chklen,
  788. unsigned int flags, int check_type, char **peername)
  789. {
  790. GENERAL_NAMES *gens = NULL;
  791. const X509_NAME *name = NULL;
  792. int i;
  793. int cnid = NID_undef;
  794. int alt_type;
  795. int san_present = 0;
  796. int rv = 0;
  797. equal_fn equal;
  798. /* See below, this flag is internal-only */
  799. flags &= ~_X509_CHECK_FLAG_DOT_SUBDOMAINS;
  800. if (check_type == GEN_EMAIL) {
  801. cnid = NID_pkcs9_emailAddress;
  802. alt_type = V_ASN1_IA5STRING;
  803. equal = equal_email;
  804. } else if (check_type == GEN_DNS) {
  805. cnid = NID_commonName;
  806. /* Implicit client-side DNS sub-domain pattern */
  807. if (chklen > 1 && chk[0] == '.')
  808. flags |= _X509_CHECK_FLAG_DOT_SUBDOMAINS;
  809. alt_type = V_ASN1_IA5STRING;
  810. if (flags & X509_CHECK_FLAG_NO_WILDCARDS)
  811. equal = equal_nocase;
  812. else
  813. equal = equal_wildcard;
  814. } else {
  815. alt_type = V_ASN1_OCTET_STRING;
  816. equal = equal_case;
  817. }
  818. if (chklen == 0)
  819. chklen = strlen(chk);
  820. gens = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
  821. if (gens) {
  822. for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
  823. GENERAL_NAME *gen;
  824. ASN1_STRING *cstr;
  825. gen = sk_GENERAL_NAME_value(gens, i);
  826. if ((gen->type == GEN_OTHERNAME) && (check_type == GEN_EMAIL)) {
  827. if (OBJ_obj2nid(gen->d.otherName->type_id) ==
  828. NID_id_on_SmtpUTF8Mailbox) {
  829. san_present = 1;
  830. /*
  831. * If it is not a UTF8String then that is unexpected and we
  832. * treat it as no match
  833. */
  834. if (gen->d.otherName->value->type == V_ASN1_UTF8STRING) {
  835. cstr = gen->d.otherName->value->value.utf8string;
  836. /* Positive on success, negative on error! */
  837. if ((rv = do_check_string(cstr, 0, equal, flags,
  838. chk, chklen, peername)) != 0)
  839. break;
  840. }
  841. } else
  842. continue;
  843. } else {
  844. if ((gen->type != check_type) && (gen->type != GEN_OTHERNAME))
  845. continue;
  846. }
  847. san_present = 1;
  848. if (check_type == GEN_EMAIL)
  849. cstr = gen->d.rfc822Name;
  850. else if (check_type == GEN_DNS)
  851. cstr = gen->d.dNSName;
  852. else
  853. cstr = gen->d.iPAddress;
  854. /* Positive on success, negative on error! */
  855. if ((rv = do_check_string(cstr, alt_type, equal, flags,
  856. chk, chklen, peername)) != 0)
  857. break;
  858. }
  859. GENERAL_NAMES_free(gens);
  860. if (rv != 0)
  861. return rv;
  862. if (san_present && !(flags & X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT))
  863. return 0;
  864. }
  865. /* We're done if CN-ID is not pertinent */
  866. if (cnid == NID_undef || (flags & X509_CHECK_FLAG_NEVER_CHECK_SUBJECT))
  867. return 0;
  868. i = -1;
  869. name = X509_get_subject_name(x);
  870. while ((i = X509_NAME_get_index_by_NID(name, cnid, i)) >= 0) {
  871. const X509_NAME_ENTRY *ne = X509_NAME_get_entry(name, i);
  872. const ASN1_STRING *str = X509_NAME_ENTRY_get_data(ne);
  873. /* Positive on success, negative on error! */
  874. if ((rv = do_check_string(str, -1, equal, flags,
  875. chk, chklen, peername)) != 0)
  876. return rv;
  877. }
  878. return 0;
  879. }
  880. int X509_check_host(X509 *x, const char *chk, size_t chklen,
  881. unsigned int flags, char **peername)
  882. {
  883. if (chk == NULL)
  884. return -2;
  885. /*
  886. * Embedded NULs are disallowed, except as the last character of a
  887. * string of length 2 or more (tolerate caller including terminating
  888. * NUL in string length).
  889. */
  890. if (chklen == 0)
  891. chklen = strlen(chk);
  892. else if (memchr(chk, '\0', chklen > 1 ? chklen - 1 : chklen))
  893. return -2;
  894. if (chklen > 1 && chk[chklen - 1] == '\0')
  895. --chklen;
  896. return do_x509_check(x, chk, chklen, flags, GEN_DNS, peername);
  897. }
  898. int X509_check_email(X509 *x, const char *chk, size_t chklen,
  899. unsigned int flags)
  900. {
  901. if (chk == NULL)
  902. return -2;
  903. /*
  904. * Embedded NULs are disallowed, except as the last character of a
  905. * string of length 2 or more (tolerate caller including terminating
  906. * NUL in string length).
  907. */
  908. if (chklen == 0)
  909. chklen = strlen((char *)chk);
  910. else if (memchr(chk, '\0', chklen > 1 ? chklen - 1 : chklen))
  911. return -2;
  912. if (chklen > 1 && chk[chklen - 1] == '\0')
  913. --chklen;
  914. return do_x509_check(x, chk, chklen, flags, GEN_EMAIL, NULL);
  915. }
  916. int X509_check_ip(X509 *x, const unsigned char *chk, size_t chklen,
  917. unsigned int flags)
  918. {
  919. if (chk == NULL)
  920. return -2;
  921. return do_x509_check(x, (char *)chk, chklen, flags, GEN_IPADD, NULL);
  922. }
  923. int X509_check_ip_asc(X509 *x, const char *ipasc, unsigned int flags)
  924. {
  925. unsigned char ipout[16];
  926. size_t iplen;
  927. if (ipasc == NULL)
  928. return -2;
  929. iplen = (size_t)ossl_a2i_ipadd(ipout, ipasc);
  930. if (iplen == 0)
  931. return -2;
  932. return do_x509_check(x, (char *)ipout, iplen, flags, GEN_IPADD, NULL);
  933. }
  934. char *ossl_ipaddr_to_asc(unsigned char *p, int len)
  935. {
  936. /*
  937. * 40 is enough space for the longest IPv6 address + nul terminator byte
  938. * XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX\0
  939. */
  940. char buf[40], *out;
  941. int i = 0, remain = 0, bytes = 0;
  942. switch (len) {
  943. case 4: /* IPv4 */
  944. BIO_snprintf(buf, sizeof(buf), "%d.%d.%d.%d", p[0], p[1], p[2], p[3]);
  945. break;
  946. case 16: /* IPv6 */
  947. for (out = buf, i = 8, remain = sizeof(buf);
  948. i-- > 0 && bytes >= 0;
  949. remain -= bytes, out += bytes) {
  950. const char *template = (i > 0 ? "%X:" : "%X");
  951. bytes = BIO_snprintf(out, remain, template, p[0] << 8 | p[1]);
  952. p += 2;
  953. }
  954. break;
  955. default:
  956. BIO_snprintf(buf, sizeof(buf), "<invalid length=%d>", len);
  957. break;
  958. }
  959. return OPENSSL_strdup(buf);
  960. }
  961. /*
  962. * Convert IP addresses both IPv4 and IPv6 into an OCTET STRING compatible
  963. * with RFC3280.
  964. */
  965. ASN1_OCTET_STRING *a2i_IPADDRESS(const char *ipasc)
  966. {
  967. unsigned char ipout[16];
  968. ASN1_OCTET_STRING *ret;
  969. int iplen;
  970. /* If string contains a ':' assume IPv6 */
  971. iplen = ossl_a2i_ipadd(ipout, ipasc);
  972. if (!iplen)
  973. return NULL;
  974. ret = ASN1_OCTET_STRING_new();
  975. if (ret == NULL)
  976. return NULL;
  977. if (!ASN1_OCTET_STRING_set(ret, ipout, iplen)) {
  978. ASN1_OCTET_STRING_free(ret);
  979. return NULL;
  980. }
  981. return ret;
  982. }
  983. ASN1_OCTET_STRING *a2i_IPADDRESS_NC(const char *ipasc)
  984. {
  985. ASN1_OCTET_STRING *ret = NULL;
  986. unsigned char ipout[32];
  987. char *iptmp = NULL, *p;
  988. int iplen1, iplen2;
  989. p = strchr(ipasc, '/');
  990. if (p == NULL)
  991. return NULL;
  992. iptmp = OPENSSL_strdup(ipasc);
  993. if (iptmp == NULL)
  994. return NULL;
  995. p = iptmp + (p - ipasc);
  996. *p++ = 0;
  997. iplen1 = ossl_a2i_ipadd(ipout, iptmp);
  998. if (!iplen1)
  999. goto err;
  1000. iplen2 = ossl_a2i_ipadd(ipout + iplen1, p);
  1001. OPENSSL_free(iptmp);
  1002. iptmp = NULL;
  1003. if (!iplen2 || (iplen1 != iplen2))
  1004. goto err;
  1005. ret = ASN1_OCTET_STRING_new();
  1006. if (ret == NULL)
  1007. goto err;
  1008. if (!ASN1_OCTET_STRING_set(ret, ipout, iplen1 + iplen2))
  1009. goto err;
  1010. return ret;
  1011. err:
  1012. OPENSSL_free(iptmp);
  1013. ASN1_OCTET_STRING_free(ret);
  1014. return NULL;
  1015. }
  1016. int ossl_a2i_ipadd(unsigned char *ipout, const char *ipasc)
  1017. {
  1018. /* If string contains a ':' assume IPv6 */
  1019. if (strchr(ipasc, ':')) {
  1020. if (!ipv6_from_asc(ipout, ipasc))
  1021. return 0;
  1022. return 16;
  1023. } else {
  1024. if (!ipv4_from_asc(ipout, ipasc))
  1025. return 0;
  1026. return 4;
  1027. }
  1028. }
  1029. static int ipv4_from_asc(unsigned char *v4, const char *in)
  1030. {
  1031. const char *p;
  1032. int a0, a1, a2, a3, n;
  1033. if (sscanf(in, "%d.%d.%d.%d%n", &a0, &a1, &a2, &a3, &n) != 4)
  1034. return 0;
  1035. if ((a0 < 0) || (a0 > 255) || (a1 < 0) || (a1 > 255)
  1036. || (a2 < 0) || (a2 > 255) || (a3 < 0) || (a3 > 255))
  1037. return 0;
  1038. p = in + n;
  1039. if (!(*p == '\0' || ossl_isspace(*p)))
  1040. return 0;
  1041. v4[0] = a0;
  1042. v4[1] = a1;
  1043. v4[2] = a2;
  1044. v4[3] = a3;
  1045. return 1;
  1046. }
  1047. typedef struct {
  1048. /* Temporary store for IPV6 output */
  1049. unsigned char tmp[16];
  1050. /* Total number of bytes in tmp */
  1051. int total;
  1052. /* The position of a zero (corresponding to '::') */
  1053. int zero_pos;
  1054. /* Number of zeroes */
  1055. int zero_cnt;
  1056. } IPV6_STAT;
  1057. static int ipv6_from_asc(unsigned char *v6, const char *in)
  1058. {
  1059. IPV6_STAT v6stat;
  1060. v6stat.total = 0;
  1061. v6stat.zero_pos = -1;
  1062. v6stat.zero_cnt = 0;
  1063. /*
  1064. * Treat the IPv6 representation as a list of values separated by ':'.
  1065. * The presence of a '::' will parse as one, two or three zero length
  1066. * elements.
  1067. */
  1068. if (!CONF_parse_list(in, ':', 0, ipv6_cb, &v6stat))
  1069. return 0;
  1070. /* Now for some sanity checks */
  1071. if (v6stat.zero_pos == -1) {
  1072. /* If no '::' must have exactly 16 bytes */
  1073. if (v6stat.total != 16)
  1074. return 0;
  1075. } else {
  1076. /* If '::' must have less than 16 bytes */
  1077. if (v6stat.total == 16)
  1078. return 0;
  1079. /* More than three zeroes is an error */
  1080. if (v6stat.zero_cnt > 3) {
  1081. return 0;
  1082. /* Can only have three zeroes if nothing else present */
  1083. } else if (v6stat.zero_cnt == 3) {
  1084. if (v6stat.total > 0)
  1085. return 0;
  1086. } else if (v6stat.zero_cnt == 2) {
  1087. /* Can only have two zeroes if at start or end */
  1088. if ((v6stat.zero_pos != 0)
  1089. && (v6stat.zero_pos != v6stat.total))
  1090. return 0;
  1091. } else {
  1092. /* Can only have one zero if *not* start or end */
  1093. if ((v6stat.zero_pos == 0)
  1094. || (v6stat.zero_pos == v6stat.total))
  1095. return 0;
  1096. }
  1097. }
  1098. /* Format result */
  1099. if (v6stat.zero_pos >= 0) {
  1100. /* Copy initial part */
  1101. memcpy(v6, v6stat.tmp, v6stat.zero_pos);
  1102. /* Zero middle */
  1103. memset(v6 + v6stat.zero_pos, 0, 16 - v6stat.total);
  1104. /* Copy final part */
  1105. if (v6stat.total != v6stat.zero_pos)
  1106. memcpy(v6 + v6stat.zero_pos + 16 - v6stat.total,
  1107. v6stat.tmp + v6stat.zero_pos,
  1108. v6stat.total - v6stat.zero_pos);
  1109. } else {
  1110. memcpy(v6, v6stat.tmp, 16);
  1111. }
  1112. return 1;
  1113. }
  1114. static int ipv6_cb(const char *elem, int len, void *usr)
  1115. {
  1116. IPV6_STAT *s = usr;
  1117. /* Error if 16 bytes written */
  1118. if (s->total == 16)
  1119. return 0;
  1120. if (len == 0) {
  1121. /* Zero length element, corresponds to '::' */
  1122. if (s->zero_pos == -1)
  1123. s->zero_pos = s->total;
  1124. /* If we've already got a :: its an error */
  1125. else if (s->zero_pos != s->total)
  1126. return 0;
  1127. s->zero_cnt++;
  1128. } else {
  1129. /* If more than 4 characters could be final a.b.c.d form */
  1130. if (len > 4) {
  1131. /* Need at least 4 bytes left */
  1132. if (s->total > 12)
  1133. return 0;
  1134. /* Must be end of string */
  1135. if (elem[len])
  1136. return 0;
  1137. if (!ipv4_from_asc(s->tmp + s->total, elem))
  1138. return 0;
  1139. s->total += 4;
  1140. } else {
  1141. if (!ipv6_hex(s->tmp + s->total, elem, len))
  1142. return 0;
  1143. s->total += 2;
  1144. }
  1145. }
  1146. return 1;
  1147. }
  1148. /*
  1149. * Convert a string of up to 4 hex digits into the corresponding IPv6 form.
  1150. */
  1151. static int ipv6_hex(unsigned char *out, const char *in, int inlen)
  1152. {
  1153. unsigned char c;
  1154. unsigned int num = 0;
  1155. int x;
  1156. if (inlen > 4)
  1157. return 0;
  1158. while (inlen--) {
  1159. c = *in++;
  1160. num <<= 4;
  1161. x = OPENSSL_hexchar2int(c);
  1162. if (x < 0)
  1163. return 0;
  1164. num |= (char)x;
  1165. }
  1166. out[0] = num >> 8;
  1167. out[1] = num & 0xff;
  1168. return 1;
  1169. }
  1170. int X509V3_NAME_from_section(X509_NAME *nm, STACK_OF(CONF_VALUE) *dn_sk,
  1171. unsigned long chtype)
  1172. {
  1173. CONF_VALUE *v;
  1174. int i, mval, spec_char, plus_char;
  1175. char *p, *type;
  1176. if (!nm)
  1177. return 0;
  1178. for (i = 0; i < sk_CONF_VALUE_num(dn_sk); i++) {
  1179. v = sk_CONF_VALUE_value(dn_sk, i);
  1180. type = v->name;
  1181. /*
  1182. * Skip past any leading X. X: X, etc to allow for multiple instances
  1183. */
  1184. for (p = type; *p; p++) {
  1185. #ifndef CHARSET_EBCDIC
  1186. spec_char = ((*p == ':') || (*p == ',') || (*p == '.'));
  1187. #else
  1188. spec_char = ((*p == os_toascii[':']) || (*p == os_toascii[','])
  1189. || (*p == os_toascii['.']));
  1190. #endif
  1191. if (spec_char) {
  1192. p++;
  1193. if (*p)
  1194. type = p;
  1195. break;
  1196. }
  1197. }
  1198. #ifndef CHARSET_EBCDIC
  1199. plus_char = (*type == '+');
  1200. #else
  1201. plus_char = (*type == os_toascii['+']);
  1202. #endif
  1203. if (plus_char) {
  1204. mval = -1;
  1205. type++;
  1206. } else {
  1207. mval = 0;
  1208. }
  1209. if (!X509_NAME_add_entry_by_txt(nm, type, chtype,
  1210. (unsigned char *)v->value, -1, -1,
  1211. mval))
  1212. return 0;
  1213. }
  1214. return 1;
  1215. }