v3_utl.c 35 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239
  1. /*
  2. * Copyright 1999-2017 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the OpenSSL license (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. /* X509 v3 extension utilities */
  10. #include "e_os.h"
  11. #include "internal/cryptlib.h"
  12. #include <stdio.h>
  13. #include "internal/ctype.h"
  14. #include <openssl/conf.h>
  15. #include <openssl/crypto.h>
  16. #include <openssl/x509v3.h>
  17. #include "internal/x509_int.h"
  18. #include <openssl/bn.h>
  19. #include "ext_dat.h"
  20. static char *strip_spaces(char *name);
  21. static int sk_strcmp(const char *const *a, const char *const *b);
  22. static STACK_OF(OPENSSL_STRING) *get_email(X509_NAME *name,
  23. GENERAL_NAMES *gens);
  24. static void str_free(OPENSSL_STRING str);
  25. static int append_ia5(STACK_OF(OPENSSL_STRING) **sk, const ASN1_IA5STRING *email);
  26. static int ipv4_from_asc(unsigned char *v4, const char *in);
  27. static int ipv6_from_asc(unsigned char *v6, const char *in);
  28. static int ipv6_cb(const char *elem, int len, void *usr);
  29. static int ipv6_hex(unsigned char *out, const char *in, int inlen);
  30. /* Add a CONF_VALUE name value pair to stack */
  31. int X509V3_add_value(const char *name, const char *value,
  32. STACK_OF(CONF_VALUE) **extlist)
  33. {
  34. CONF_VALUE *vtmp = NULL;
  35. char *tname = NULL, *tvalue = NULL;
  36. int sk_allocated = (*extlist == NULL);
  37. if (name && (tname = OPENSSL_strdup(name)) == NULL)
  38. goto err;
  39. if (value && (tvalue = OPENSSL_strdup(value)) == NULL)
  40. goto err;
  41. if ((vtmp = OPENSSL_malloc(sizeof(*vtmp))) == NULL)
  42. goto err;
  43. if (sk_allocated && (*extlist = sk_CONF_VALUE_new_null()) == NULL)
  44. goto err;
  45. vtmp->section = NULL;
  46. vtmp->name = tname;
  47. vtmp->value = tvalue;
  48. if (!sk_CONF_VALUE_push(*extlist, vtmp))
  49. goto err;
  50. return 1;
  51. err:
  52. X509V3err(X509V3_F_X509V3_ADD_VALUE, ERR_R_MALLOC_FAILURE);
  53. if (sk_allocated) {
  54. sk_CONF_VALUE_free(*extlist);
  55. *extlist = NULL;
  56. }
  57. OPENSSL_free(vtmp);
  58. OPENSSL_free(tname);
  59. OPENSSL_free(tvalue);
  60. return 0;
  61. }
  62. int X509V3_add_value_uchar(const char *name, const unsigned char *value,
  63. STACK_OF(CONF_VALUE) **extlist)
  64. {
  65. return X509V3_add_value(name, (const char *)value, extlist);
  66. }
  67. /* Free function for STACK_OF(CONF_VALUE) */
  68. void X509V3_conf_free(CONF_VALUE *conf)
  69. {
  70. if (!conf)
  71. return;
  72. OPENSSL_free(conf->name);
  73. OPENSSL_free(conf->value);
  74. OPENSSL_free(conf->section);
  75. OPENSSL_free(conf);
  76. }
  77. int X509V3_add_value_bool(const char *name, int asn1_bool,
  78. STACK_OF(CONF_VALUE) **extlist)
  79. {
  80. if (asn1_bool)
  81. return X509V3_add_value(name, "TRUE", extlist);
  82. return X509V3_add_value(name, "FALSE", extlist);
  83. }
  84. int X509V3_add_value_bool_nf(const char *name, int asn1_bool,
  85. STACK_OF(CONF_VALUE) **extlist)
  86. {
  87. if (asn1_bool)
  88. return X509V3_add_value(name, "TRUE", extlist);
  89. return 1;
  90. }
  91. static char *bignum_to_string(const BIGNUM *bn)
  92. {
  93. char *tmp, *ret;
  94. size_t len;
  95. /*
  96. * Display large numbers in hex and small numbers in decimal. Converting to
  97. * decimal takes quadratic time and is no more useful than hex for large
  98. * numbers.
  99. */
  100. if (BN_num_bits(bn) < 128)
  101. return BN_bn2dec(bn);
  102. tmp = BN_bn2hex(bn);
  103. if (tmp == NULL)
  104. return NULL;
  105. len = strlen(tmp) + 3;
  106. ret = OPENSSL_malloc(len);
  107. if (ret == NULL) {
  108. X509V3err(X509V3_F_BIGNUM_TO_STRING, ERR_R_MALLOC_FAILURE);
  109. OPENSSL_free(tmp);
  110. return NULL;
  111. }
  112. /* Prepend "0x", but place it after the "-" if negative. */
  113. if (tmp[0] == '-') {
  114. OPENSSL_strlcpy(ret, "-0x", len);
  115. OPENSSL_strlcat(ret, tmp + 1, len);
  116. } else {
  117. OPENSSL_strlcpy(ret, "0x", len);
  118. OPENSSL_strlcat(ret, tmp, len);
  119. }
  120. OPENSSL_free(tmp);
  121. return ret;
  122. }
  123. char *i2s_ASN1_ENUMERATED(X509V3_EXT_METHOD *method, const ASN1_ENUMERATED *a)
  124. {
  125. BIGNUM *bntmp = NULL;
  126. char *strtmp = NULL;
  127. if (!a)
  128. return NULL;
  129. if ((bntmp = ASN1_ENUMERATED_to_BN(a, NULL)) == NULL
  130. || (strtmp = bignum_to_string(bntmp)) == NULL)
  131. X509V3err(X509V3_F_I2S_ASN1_ENUMERATED, ERR_R_MALLOC_FAILURE);
  132. BN_free(bntmp);
  133. return strtmp;
  134. }
  135. char *i2s_ASN1_INTEGER(X509V3_EXT_METHOD *method, const ASN1_INTEGER *a)
  136. {
  137. BIGNUM *bntmp = NULL;
  138. char *strtmp = NULL;
  139. if (!a)
  140. return NULL;
  141. if ((bntmp = ASN1_INTEGER_to_BN(a, NULL)) == NULL
  142. || (strtmp = bignum_to_string(bntmp)) == NULL)
  143. X509V3err(X509V3_F_I2S_ASN1_INTEGER, ERR_R_MALLOC_FAILURE);
  144. BN_free(bntmp);
  145. return strtmp;
  146. }
  147. ASN1_INTEGER *s2i_ASN1_INTEGER(X509V3_EXT_METHOD *method, const char *value)
  148. {
  149. BIGNUM *bn = NULL;
  150. ASN1_INTEGER *aint;
  151. int isneg, ishex;
  152. int ret;
  153. if (value == NULL) {
  154. X509V3err(X509V3_F_S2I_ASN1_INTEGER, X509V3_R_INVALID_NULL_VALUE);
  155. return NULL;
  156. }
  157. bn = BN_new();
  158. if (bn == NULL) {
  159. X509V3err(X509V3_F_S2I_ASN1_INTEGER, ERR_R_MALLOC_FAILURE);
  160. return NULL;
  161. }
  162. if (value[0] == '-') {
  163. value++;
  164. isneg = 1;
  165. } else
  166. isneg = 0;
  167. if (value[0] == '0' && ((value[1] == 'x') || (value[1] == 'X'))) {
  168. value += 2;
  169. ishex = 1;
  170. } else
  171. ishex = 0;
  172. if (ishex)
  173. ret = BN_hex2bn(&bn, value);
  174. else
  175. ret = BN_dec2bn(&bn, value);
  176. if (!ret || value[ret]) {
  177. BN_free(bn);
  178. X509V3err(X509V3_F_S2I_ASN1_INTEGER, X509V3_R_BN_DEC2BN_ERROR);
  179. return NULL;
  180. }
  181. if (isneg && BN_is_zero(bn))
  182. isneg = 0;
  183. aint = BN_to_ASN1_INTEGER(bn, NULL);
  184. BN_free(bn);
  185. if (!aint) {
  186. X509V3err(X509V3_F_S2I_ASN1_INTEGER,
  187. X509V3_R_BN_TO_ASN1_INTEGER_ERROR);
  188. return NULL;
  189. }
  190. if (isneg)
  191. aint->type |= V_ASN1_NEG;
  192. return aint;
  193. }
  194. int X509V3_add_value_int(const char *name, const ASN1_INTEGER *aint,
  195. STACK_OF(CONF_VALUE) **extlist)
  196. {
  197. char *strtmp;
  198. int ret;
  199. if (!aint)
  200. return 1;
  201. if ((strtmp = i2s_ASN1_INTEGER(NULL, aint)) == NULL)
  202. return 0;
  203. ret = X509V3_add_value(name, strtmp, extlist);
  204. OPENSSL_free(strtmp);
  205. return ret;
  206. }
  207. int X509V3_get_value_bool(const CONF_VALUE *value, int *asn1_bool)
  208. {
  209. const char *btmp;
  210. if ((btmp = value->value) == NULL)
  211. goto err;
  212. if (strcmp(btmp, "TRUE") == 0
  213. || strcmp(btmp, "true") == 0
  214. || strcmp(btmp, "Y") == 0
  215. || strcmp(btmp, "y") == 0
  216. || strcmp(btmp, "YES") == 0
  217. || strcmp(btmp, "yes") == 0) {
  218. *asn1_bool = 0xff;
  219. return 1;
  220. }
  221. if (strcmp(btmp, "FALSE") == 0
  222. || strcmp(btmp, "false") == 0
  223. || strcmp(btmp, "N") == 0
  224. || strcmp(btmp, "n") == 0
  225. || strcmp(btmp, "NO") == 0
  226. || strcmp(btmp, "no") == 0) {
  227. *asn1_bool = 0;
  228. return 1;
  229. }
  230. err:
  231. X509V3err(X509V3_F_X509V3_GET_VALUE_BOOL,
  232. X509V3_R_INVALID_BOOLEAN_STRING);
  233. X509V3_conf_err(value);
  234. return 0;
  235. }
  236. int X509V3_get_value_int(const CONF_VALUE *value, ASN1_INTEGER **aint)
  237. {
  238. ASN1_INTEGER *itmp;
  239. if ((itmp = s2i_ASN1_INTEGER(NULL, value->value)) == NULL) {
  240. X509V3_conf_err(value);
  241. return 0;
  242. }
  243. *aint = itmp;
  244. return 1;
  245. }
  246. #define HDR_NAME 1
  247. #define HDR_VALUE 2
  248. /*
  249. * #define DEBUG
  250. */
  251. STACK_OF(CONF_VALUE) *X509V3_parse_list(const char *line)
  252. {
  253. char *p, *q, c;
  254. char *ntmp, *vtmp;
  255. STACK_OF(CONF_VALUE) *values = NULL;
  256. char *linebuf;
  257. int state;
  258. /* We are going to modify the line so copy it first */
  259. linebuf = OPENSSL_strdup(line);
  260. if (linebuf == NULL) {
  261. X509V3err(X509V3_F_X509V3_PARSE_LIST, ERR_R_MALLOC_FAILURE);
  262. goto err;
  263. }
  264. state = HDR_NAME;
  265. ntmp = NULL;
  266. /* Go through all characters */
  267. for (p = linebuf, q = linebuf; (c = *p) && (c != '\r') && (c != '\n');
  268. p++) {
  269. switch (state) {
  270. case HDR_NAME:
  271. if (c == ':') {
  272. state = HDR_VALUE;
  273. *p = 0;
  274. ntmp = strip_spaces(q);
  275. if (!ntmp) {
  276. X509V3err(X509V3_F_X509V3_PARSE_LIST,
  277. X509V3_R_INVALID_NULL_NAME);
  278. goto err;
  279. }
  280. q = p + 1;
  281. } else if (c == ',') {
  282. *p = 0;
  283. ntmp = strip_spaces(q);
  284. q = p + 1;
  285. if (!ntmp) {
  286. X509V3err(X509V3_F_X509V3_PARSE_LIST,
  287. X509V3_R_INVALID_NULL_NAME);
  288. goto err;
  289. }
  290. X509V3_add_value(ntmp, NULL, &values);
  291. }
  292. break;
  293. case HDR_VALUE:
  294. if (c == ',') {
  295. state = HDR_NAME;
  296. *p = 0;
  297. vtmp = strip_spaces(q);
  298. if (!vtmp) {
  299. X509V3err(X509V3_F_X509V3_PARSE_LIST,
  300. X509V3_R_INVALID_NULL_VALUE);
  301. goto err;
  302. }
  303. X509V3_add_value(ntmp, vtmp, &values);
  304. ntmp = NULL;
  305. q = p + 1;
  306. }
  307. }
  308. }
  309. if (state == HDR_VALUE) {
  310. vtmp = strip_spaces(q);
  311. if (!vtmp) {
  312. X509V3err(X509V3_F_X509V3_PARSE_LIST,
  313. X509V3_R_INVALID_NULL_VALUE);
  314. goto err;
  315. }
  316. X509V3_add_value(ntmp, vtmp, &values);
  317. } else {
  318. ntmp = strip_spaces(q);
  319. if (!ntmp) {
  320. X509V3err(X509V3_F_X509V3_PARSE_LIST, X509V3_R_INVALID_NULL_NAME);
  321. goto err;
  322. }
  323. X509V3_add_value(ntmp, NULL, &values);
  324. }
  325. OPENSSL_free(linebuf);
  326. return values;
  327. err:
  328. OPENSSL_free(linebuf);
  329. sk_CONF_VALUE_pop_free(values, X509V3_conf_free);
  330. return NULL;
  331. }
  332. /* Delete leading and trailing spaces from a string */
  333. static char *strip_spaces(char *name)
  334. {
  335. char *p, *q;
  336. /* Skip over leading spaces */
  337. p = name;
  338. while (*p && ossl_isspace(*p))
  339. p++;
  340. if (!*p)
  341. return NULL;
  342. q = p + strlen(p) - 1;
  343. while ((q != p) && ossl_isspace(*q))
  344. q--;
  345. if (p != q)
  346. q[1] = 0;
  347. if (!*p)
  348. return NULL;
  349. return p;
  350. }
  351. /*
  352. * V2I name comparison function: returns zero if 'name' matches cmp or cmp.*
  353. */
  354. int name_cmp(const char *name, const char *cmp)
  355. {
  356. int len, ret;
  357. char c;
  358. len = strlen(cmp);
  359. if ((ret = strncmp(name, cmp, len)))
  360. return ret;
  361. c = name[len];
  362. if (!c || (c == '.'))
  363. return 0;
  364. return 1;
  365. }
  366. static int sk_strcmp(const char *const *a, const char *const *b)
  367. {
  368. return strcmp(*a, *b);
  369. }
  370. STACK_OF(OPENSSL_STRING) *X509_get1_email(X509 *x)
  371. {
  372. GENERAL_NAMES *gens;
  373. STACK_OF(OPENSSL_STRING) *ret;
  374. gens = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
  375. ret = get_email(X509_get_subject_name(x), gens);
  376. sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
  377. return ret;
  378. }
  379. STACK_OF(OPENSSL_STRING) *X509_get1_ocsp(X509 *x)
  380. {
  381. AUTHORITY_INFO_ACCESS *info;
  382. STACK_OF(OPENSSL_STRING) *ret = NULL;
  383. int i;
  384. info = X509_get_ext_d2i(x, NID_info_access, NULL, NULL);
  385. if (!info)
  386. return NULL;
  387. for (i = 0; i < sk_ACCESS_DESCRIPTION_num(info); i++) {
  388. ACCESS_DESCRIPTION *ad = sk_ACCESS_DESCRIPTION_value(info, i);
  389. if (OBJ_obj2nid(ad->method) == NID_ad_OCSP) {
  390. if (ad->location->type == GEN_URI) {
  391. if (!append_ia5
  392. (&ret, ad->location->d.uniformResourceIdentifier))
  393. break;
  394. }
  395. }
  396. }
  397. AUTHORITY_INFO_ACCESS_free(info);
  398. return ret;
  399. }
  400. STACK_OF(OPENSSL_STRING) *X509_REQ_get1_email(X509_REQ *x)
  401. {
  402. GENERAL_NAMES *gens;
  403. STACK_OF(X509_EXTENSION) *exts;
  404. STACK_OF(OPENSSL_STRING) *ret;
  405. exts = X509_REQ_get_extensions(x);
  406. gens = X509V3_get_d2i(exts, NID_subject_alt_name, NULL, NULL);
  407. ret = get_email(X509_REQ_get_subject_name(x), gens);
  408. sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
  409. sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
  410. return ret;
  411. }
  412. static STACK_OF(OPENSSL_STRING) *get_email(X509_NAME *name,
  413. GENERAL_NAMES *gens)
  414. {
  415. STACK_OF(OPENSSL_STRING) *ret = NULL;
  416. X509_NAME_ENTRY *ne;
  417. const ASN1_IA5STRING *email;
  418. GENERAL_NAME *gen;
  419. int i = -1;
  420. /* Now add any email address(es) to STACK */
  421. /* First supplied X509_NAME */
  422. while ((i = X509_NAME_get_index_by_NID(name,
  423. NID_pkcs9_emailAddress, i)) >= 0) {
  424. ne = X509_NAME_get_entry(name, i);
  425. email = X509_NAME_ENTRY_get_data(ne);
  426. if (!append_ia5(&ret, email))
  427. return NULL;
  428. }
  429. for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
  430. gen = sk_GENERAL_NAME_value(gens, i);
  431. if (gen->type != GEN_EMAIL)
  432. continue;
  433. if (!append_ia5(&ret, gen->d.ia5))
  434. return NULL;
  435. }
  436. return ret;
  437. }
  438. static void str_free(OPENSSL_STRING str)
  439. {
  440. OPENSSL_free(str);
  441. }
  442. static int append_ia5(STACK_OF(OPENSSL_STRING) **sk, const ASN1_IA5STRING *email)
  443. {
  444. char *emtmp;
  445. /* First some sanity checks */
  446. if (email->type != V_ASN1_IA5STRING)
  447. return 1;
  448. if (!email->data || !email->length)
  449. return 1;
  450. if (*sk == NULL)
  451. *sk = sk_OPENSSL_STRING_new(sk_strcmp);
  452. if (*sk == NULL)
  453. return 0;
  454. /* Don't add duplicates */
  455. if (sk_OPENSSL_STRING_find(*sk, (char *)email->data) != -1)
  456. return 1;
  457. emtmp = OPENSSL_strdup((char *)email->data);
  458. if (emtmp == NULL || !sk_OPENSSL_STRING_push(*sk, emtmp)) {
  459. OPENSSL_free(emtmp); /* free on push failure */
  460. X509_email_free(*sk);
  461. *sk = NULL;
  462. return 0;
  463. }
  464. return 1;
  465. }
  466. void X509_email_free(STACK_OF(OPENSSL_STRING) *sk)
  467. {
  468. sk_OPENSSL_STRING_pop_free(sk, str_free);
  469. }
  470. typedef int (*equal_fn) (const unsigned char *pattern, size_t pattern_len,
  471. const unsigned char *subject, size_t subject_len,
  472. unsigned int flags);
  473. /* Skip pattern prefix to match "wildcard" subject */
  474. static void skip_prefix(const unsigned char **p, size_t *plen,
  475. size_t subject_len,
  476. unsigned int flags)
  477. {
  478. const unsigned char *pattern = *p;
  479. size_t pattern_len = *plen;
  480. /*
  481. * If subject starts with a leading '.' followed by more octets, and
  482. * pattern is longer, compare just an equal-length suffix with the
  483. * full subject (starting at the '.'), provided the prefix contains
  484. * no NULs.
  485. */
  486. if ((flags & _X509_CHECK_FLAG_DOT_SUBDOMAINS) == 0)
  487. return;
  488. while (pattern_len > subject_len && *pattern) {
  489. if ((flags & X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS) &&
  490. *pattern == '.')
  491. break;
  492. ++pattern;
  493. --pattern_len;
  494. }
  495. /* Skip if entire prefix acceptable */
  496. if (pattern_len == subject_len) {
  497. *p = pattern;
  498. *plen = pattern_len;
  499. }
  500. }
  501. /* Compare while ASCII ignoring case. */
  502. static int equal_nocase(const unsigned char *pattern, size_t pattern_len,
  503. const unsigned char *subject, size_t subject_len,
  504. unsigned int flags)
  505. {
  506. skip_prefix(&pattern, &pattern_len, subject_len, flags);
  507. if (pattern_len != subject_len)
  508. return 0;
  509. while (pattern_len) {
  510. unsigned char l = *pattern;
  511. unsigned char r = *subject;
  512. /* The pattern must not contain NUL characters. */
  513. if (l == 0)
  514. return 0;
  515. if (l != r) {
  516. if ('A' <= l && l <= 'Z')
  517. l = (l - 'A') + 'a';
  518. if ('A' <= r && r <= 'Z')
  519. r = (r - 'A') + 'a';
  520. if (l != r)
  521. return 0;
  522. }
  523. ++pattern;
  524. ++subject;
  525. --pattern_len;
  526. }
  527. return 1;
  528. }
  529. /* Compare using memcmp. */
  530. static int equal_case(const unsigned char *pattern, size_t pattern_len,
  531. const unsigned char *subject, size_t subject_len,
  532. unsigned int flags)
  533. {
  534. skip_prefix(&pattern, &pattern_len, subject_len, flags);
  535. if (pattern_len != subject_len)
  536. return 0;
  537. return !memcmp(pattern, subject, pattern_len);
  538. }
  539. /*
  540. * RFC 5280, section 7.5, requires that only the domain is compared in a
  541. * case-insensitive manner.
  542. */
  543. static int equal_email(const unsigned char *a, size_t a_len,
  544. const unsigned char *b, size_t b_len,
  545. unsigned int unused_flags)
  546. {
  547. size_t i = a_len;
  548. if (a_len != b_len)
  549. return 0;
  550. /*
  551. * We search backwards for the '@' character, so that we do not have to
  552. * deal with quoted local-parts. The domain part is compared in a
  553. * case-insensitive manner.
  554. */
  555. while (i > 0) {
  556. --i;
  557. if (a[i] == '@' || b[i] == '@') {
  558. if (!equal_nocase(a + i, a_len - i, b + i, a_len - i, 0))
  559. return 0;
  560. break;
  561. }
  562. }
  563. if (i == 0)
  564. i = a_len;
  565. return equal_case(a, i, b, i, 0);
  566. }
  567. /*
  568. * Compare the prefix and suffix with the subject, and check that the
  569. * characters in-between are valid.
  570. */
  571. static int wildcard_match(const unsigned char *prefix, size_t prefix_len,
  572. const unsigned char *suffix, size_t suffix_len,
  573. const unsigned char *subject, size_t subject_len,
  574. unsigned int flags)
  575. {
  576. const unsigned char *wildcard_start;
  577. const unsigned char *wildcard_end;
  578. const unsigned char *p;
  579. int allow_multi = 0;
  580. int allow_idna = 0;
  581. if (subject_len < prefix_len + suffix_len)
  582. return 0;
  583. if (!equal_nocase(prefix, prefix_len, subject, prefix_len, flags))
  584. return 0;
  585. wildcard_start = subject + prefix_len;
  586. wildcard_end = subject + (subject_len - suffix_len);
  587. if (!equal_nocase(wildcard_end, suffix_len, suffix, suffix_len, flags))
  588. return 0;
  589. /*
  590. * If the wildcard makes up the entire first label, it must match at
  591. * least one character.
  592. */
  593. if (prefix_len == 0 && *suffix == '.') {
  594. if (wildcard_start == wildcard_end)
  595. return 0;
  596. allow_idna = 1;
  597. if (flags & X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS)
  598. allow_multi = 1;
  599. }
  600. /* IDNA labels cannot match partial wildcards */
  601. if (!allow_idna &&
  602. subject_len >= 4 && strncasecmp((char *)subject, "xn--", 4) == 0)
  603. return 0;
  604. /* The wildcard may match a literal '*' */
  605. if (wildcard_end == wildcard_start + 1 && *wildcard_start == '*')
  606. return 1;
  607. /*
  608. * Check that the part matched by the wildcard contains only
  609. * permitted characters and only matches a single label unless
  610. * allow_multi is set.
  611. */
  612. for (p = wildcard_start; p != wildcard_end; ++p)
  613. if (!(('0' <= *p && *p <= '9') ||
  614. ('A' <= *p && *p <= 'Z') ||
  615. ('a' <= *p && *p <= 'z') ||
  616. *p == '-' || (allow_multi && *p == '.')))
  617. return 0;
  618. return 1;
  619. }
  620. #define LABEL_START (1 << 0)
  621. #define LABEL_END (1 << 1)
  622. #define LABEL_HYPHEN (1 << 2)
  623. #define LABEL_IDNA (1 << 3)
  624. static const unsigned char *valid_star(const unsigned char *p, size_t len,
  625. unsigned int flags)
  626. {
  627. const unsigned char *star = 0;
  628. size_t i;
  629. int state = LABEL_START;
  630. int dots = 0;
  631. for (i = 0; i < len; ++i) {
  632. /*
  633. * Locate first and only legal wildcard, either at the start
  634. * or end of a non-IDNA first and not final label.
  635. */
  636. if (p[i] == '*') {
  637. int atstart = (state & LABEL_START);
  638. int atend = (i == len - 1 || p[i + 1] == '.');
  639. /*-
  640. * At most one wildcard per pattern.
  641. * No wildcards in IDNA labels.
  642. * No wildcards after the first label.
  643. */
  644. if (star != NULL || (state & LABEL_IDNA) != 0 || dots)
  645. return NULL;
  646. /* Only full-label '*.example.com' wildcards? */
  647. if ((flags & X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS)
  648. && (!atstart || !atend))
  649. return NULL;
  650. /* No 'foo*bar' wildcards */
  651. if (!atstart && !atend)
  652. return NULL;
  653. star = &p[i];
  654. state &= ~LABEL_START;
  655. } else if (('a' <= p[i] && p[i] <= 'z')
  656. || ('A' <= p[i] && p[i] <= 'Z')
  657. || ('0' <= p[i] && p[i] <= '9')) {
  658. if ((state & LABEL_START) != 0
  659. && len - i >= 4 && strncasecmp((char *)&p[i], "xn--", 4) == 0)
  660. state |= LABEL_IDNA;
  661. state &= ~(LABEL_HYPHEN | LABEL_START);
  662. } else if (p[i] == '.') {
  663. if ((state & (LABEL_HYPHEN | LABEL_START)) != 0)
  664. return NULL;
  665. state = LABEL_START;
  666. ++dots;
  667. } else if (p[i] == '-') {
  668. /* no domain/subdomain starts with '-' */
  669. if ((state & LABEL_START) != 0)
  670. return NULL;
  671. state |= LABEL_HYPHEN;
  672. } else
  673. return NULL;
  674. }
  675. /*
  676. * The final label must not end in a hyphen or ".", and
  677. * there must be at least two dots after the star.
  678. */
  679. if ((state & (LABEL_START | LABEL_HYPHEN)) != 0 || dots < 2)
  680. return NULL;
  681. return star;
  682. }
  683. /* Compare using wildcards. */
  684. static int equal_wildcard(const unsigned char *pattern, size_t pattern_len,
  685. const unsigned char *subject, size_t subject_len,
  686. unsigned int flags)
  687. {
  688. const unsigned char *star = NULL;
  689. /*
  690. * Subject names starting with '.' can only match a wildcard pattern
  691. * via a subject sub-domain pattern suffix match.
  692. */
  693. if (!(subject_len > 1 && subject[0] == '.'))
  694. star = valid_star(pattern, pattern_len, flags);
  695. if (star == NULL)
  696. return equal_nocase(pattern, pattern_len,
  697. subject, subject_len, flags);
  698. return wildcard_match(pattern, star - pattern,
  699. star + 1, (pattern + pattern_len) - star - 1,
  700. subject, subject_len, flags);
  701. }
  702. /*
  703. * Compare an ASN1_STRING to a supplied string. If they match return 1. If
  704. * cmp_type > 0 only compare if string matches the type, otherwise convert it
  705. * to UTF8.
  706. */
  707. static int do_check_string(const ASN1_STRING *a, int cmp_type, equal_fn equal,
  708. unsigned int flags, const char *b, size_t blen,
  709. char **peername)
  710. {
  711. int rv = 0;
  712. if (!a->data || !a->length)
  713. return 0;
  714. if (cmp_type > 0) {
  715. if (cmp_type != a->type)
  716. return 0;
  717. if (cmp_type == V_ASN1_IA5STRING)
  718. rv = equal(a->data, a->length, (unsigned char *)b, blen, flags);
  719. else if (a->length == (int)blen && !memcmp(a->data, b, blen))
  720. rv = 1;
  721. if (rv > 0 && peername)
  722. *peername = OPENSSL_strndup((char *)a->data, a->length);
  723. } else {
  724. int astrlen;
  725. unsigned char *astr;
  726. astrlen = ASN1_STRING_to_UTF8(&astr, a);
  727. if (astrlen < 0) {
  728. /*
  729. * -1 could be an internal malloc failure or a decoding error from
  730. * malformed input; we can't distinguish.
  731. */
  732. return -1;
  733. }
  734. rv = equal(astr, astrlen, (unsigned char *)b, blen, flags);
  735. if (rv > 0 && peername)
  736. *peername = OPENSSL_strndup((char *)astr, astrlen);
  737. OPENSSL_free(astr);
  738. }
  739. return rv;
  740. }
  741. static int do_x509_check(X509 *x, const char *chk, size_t chklen,
  742. unsigned int flags, int check_type, char **peername)
  743. {
  744. GENERAL_NAMES *gens = NULL;
  745. X509_NAME *name = NULL;
  746. int i;
  747. int cnid = NID_undef;
  748. int alt_type;
  749. int san_present = 0;
  750. int rv = 0;
  751. equal_fn equal;
  752. /* See below, this flag is internal-only */
  753. flags &= ~_X509_CHECK_FLAG_DOT_SUBDOMAINS;
  754. if (check_type == GEN_EMAIL) {
  755. cnid = NID_pkcs9_emailAddress;
  756. alt_type = V_ASN1_IA5STRING;
  757. equal = equal_email;
  758. } else if (check_type == GEN_DNS) {
  759. cnid = NID_commonName;
  760. /* Implicit client-side DNS sub-domain pattern */
  761. if (chklen > 1 && chk[0] == '.')
  762. flags |= _X509_CHECK_FLAG_DOT_SUBDOMAINS;
  763. alt_type = V_ASN1_IA5STRING;
  764. if (flags & X509_CHECK_FLAG_NO_WILDCARDS)
  765. equal = equal_nocase;
  766. else
  767. equal = equal_wildcard;
  768. } else {
  769. alt_type = V_ASN1_OCTET_STRING;
  770. equal = equal_case;
  771. }
  772. if (chklen == 0)
  773. chklen = strlen(chk);
  774. gens = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
  775. if (gens) {
  776. for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
  777. GENERAL_NAME *gen;
  778. ASN1_STRING *cstr;
  779. gen = sk_GENERAL_NAME_value(gens, i);
  780. if (gen->type != check_type)
  781. continue;
  782. san_present = 1;
  783. if (check_type == GEN_EMAIL)
  784. cstr = gen->d.rfc822Name;
  785. else if (check_type == GEN_DNS)
  786. cstr = gen->d.dNSName;
  787. else
  788. cstr = gen->d.iPAddress;
  789. /* Positive on success, negative on error! */
  790. if ((rv = do_check_string(cstr, alt_type, equal, flags,
  791. chk, chklen, peername)) != 0)
  792. break;
  793. }
  794. GENERAL_NAMES_free(gens);
  795. if (rv != 0)
  796. return rv;
  797. if (san_present && !(flags & X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT))
  798. return 0;
  799. }
  800. /* We're done if CN-ID is not pertinent */
  801. if (cnid == NID_undef || (flags & X509_CHECK_FLAG_NEVER_CHECK_SUBJECT))
  802. return 0;
  803. i = -1;
  804. name = X509_get_subject_name(x);
  805. while ((i = X509_NAME_get_index_by_NID(name, cnid, i)) >= 0) {
  806. const X509_NAME_ENTRY *ne = X509_NAME_get_entry(name, i);
  807. const ASN1_STRING *str = X509_NAME_ENTRY_get_data(ne);
  808. /* Positive on success, negative on error! */
  809. if ((rv = do_check_string(str, -1, equal, flags,
  810. chk, chklen, peername)) != 0)
  811. return rv;
  812. }
  813. return 0;
  814. }
  815. int X509_check_host(X509 *x, const char *chk, size_t chklen,
  816. unsigned int flags, char **peername)
  817. {
  818. if (chk == NULL)
  819. return -2;
  820. /*
  821. * Embedded NULs are disallowed, except as the last character of a
  822. * string of length 2 or more (tolerate caller including terminating
  823. * NUL in string length).
  824. */
  825. if (chklen == 0)
  826. chklen = strlen(chk);
  827. else if (memchr(chk, '\0', chklen > 1 ? chklen - 1 : chklen))
  828. return -2;
  829. if (chklen > 1 && chk[chklen - 1] == '\0')
  830. --chklen;
  831. return do_x509_check(x, chk, chklen, flags, GEN_DNS, peername);
  832. }
  833. int X509_check_email(X509 *x, const char *chk, size_t chklen,
  834. unsigned int flags)
  835. {
  836. if (chk == NULL)
  837. return -2;
  838. /*
  839. * Embedded NULs are disallowed, except as the last character of a
  840. * string of length 2 or more (tolerate caller including terminating
  841. * NUL in string length).
  842. */
  843. if (chklen == 0)
  844. chklen = strlen((char *)chk);
  845. else if (memchr(chk, '\0', chklen > 1 ? chklen - 1 : chklen))
  846. return -2;
  847. if (chklen > 1 && chk[chklen - 1] == '\0')
  848. --chklen;
  849. return do_x509_check(x, chk, chklen, flags, GEN_EMAIL, NULL);
  850. }
  851. int X509_check_ip(X509 *x, const unsigned char *chk, size_t chklen,
  852. unsigned int flags)
  853. {
  854. if (chk == NULL)
  855. return -2;
  856. return do_x509_check(x, (char *)chk, chklen, flags, GEN_IPADD, NULL);
  857. }
  858. int X509_check_ip_asc(X509 *x, const char *ipasc, unsigned int flags)
  859. {
  860. unsigned char ipout[16];
  861. size_t iplen;
  862. if (ipasc == NULL)
  863. return -2;
  864. iplen = (size_t)a2i_ipadd(ipout, ipasc);
  865. if (iplen == 0)
  866. return -2;
  867. return do_x509_check(x, (char *)ipout, iplen, flags, GEN_IPADD, NULL);
  868. }
  869. /*
  870. * Convert IP addresses both IPv4 and IPv6 into an OCTET STRING compatible
  871. * with RFC3280.
  872. */
  873. ASN1_OCTET_STRING *a2i_IPADDRESS(const char *ipasc)
  874. {
  875. unsigned char ipout[16];
  876. ASN1_OCTET_STRING *ret;
  877. int iplen;
  878. /* If string contains a ':' assume IPv6 */
  879. iplen = a2i_ipadd(ipout, ipasc);
  880. if (!iplen)
  881. return NULL;
  882. ret = ASN1_OCTET_STRING_new();
  883. if (ret == NULL)
  884. return NULL;
  885. if (!ASN1_OCTET_STRING_set(ret, ipout, iplen)) {
  886. ASN1_OCTET_STRING_free(ret);
  887. return NULL;
  888. }
  889. return ret;
  890. }
  891. ASN1_OCTET_STRING *a2i_IPADDRESS_NC(const char *ipasc)
  892. {
  893. ASN1_OCTET_STRING *ret = NULL;
  894. unsigned char ipout[32];
  895. char *iptmp = NULL, *p;
  896. int iplen1, iplen2;
  897. p = strchr(ipasc, '/');
  898. if (!p)
  899. return NULL;
  900. iptmp = OPENSSL_strdup(ipasc);
  901. if (!iptmp)
  902. return NULL;
  903. p = iptmp + (p - ipasc);
  904. *p++ = 0;
  905. iplen1 = a2i_ipadd(ipout, iptmp);
  906. if (!iplen1)
  907. goto err;
  908. iplen2 = a2i_ipadd(ipout + iplen1, p);
  909. OPENSSL_free(iptmp);
  910. iptmp = NULL;
  911. if (!iplen2 || (iplen1 != iplen2))
  912. goto err;
  913. ret = ASN1_OCTET_STRING_new();
  914. if (ret == NULL)
  915. goto err;
  916. if (!ASN1_OCTET_STRING_set(ret, ipout, iplen1 + iplen2))
  917. goto err;
  918. return ret;
  919. err:
  920. OPENSSL_free(iptmp);
  921. ASN1_OCTET_STRING_free(ret);
  922. return NULL;
  923. }
  924. int a2i_ipadd(unsigned char *ipout, const char *ipasc)
  925. {
  926. /* If string contains a ':' assume IPv6 */
  927. if (strchr(ipasc, ':')) {
  928. if (!ipv6_from_asc(ipout, ipasc))
  929. return 0;
  930. return 16;
  931. } else {
  932. if (!ipv4_from_asc(ipout, ipasc))
  933. return 0;
  934. return 4;
  935. }
  936. }
  937. static int ipv4_from_asc(unsigned char *v4, const char *in)
  938. {
  939. int a0, a1, a2, a3;
  940. if (sscanf(in, "%d.%d.%d.%d", &a0, &a1, &a2, &a3) != 4)
  941. return 0;
  942. if ((a0 < 0) || (a0 > 255) || (a1 < 0) || (a1 > 255)
  943. || (a2 < 0) || (a2 > 255) || (a3 < 0) || (a3 > 255))
  944. return 0;
  945. v4[0] = a0;
  946. v4[1] = a1;
  947. v4[2] = a2;
  948. v4[3] = a3;
  949. return 1;
  950. }
  951. typedef struct {
  952. /* Temporary store for IPV6 output */
  953. unsigned char tmp[16];
  954. /* Total number of bytes in tmp */
  955. int total;
  956. /* The position of a zero (corresponding to '::') */
  957. int zero_pos;
  958. /* Number of zeroes */
  959. int zero_cnt;
  960. } IPV6_STAT;
  961. static int ipv6_from_asc(unsigned char *v6, const char *in)
  962. {
  963. IPV6_STAT v6stat;
  964. v6stat.total = 0;
  965. v6stat.zero_pos = -1;
  966. v6stat.zero_cnt = 0;
  967. /*
  968. * Treat the IPv6 representation as a list of values separated by ':'.
  969. * The presence of a '::' will parse as one, two or three zero length
  970. * elements.
  971. */
  972. if (!CONF_parse_list(in, ':', 0, ipv6_cb, &v6stat))
  973. return 0;
  974. /* Now for some sanity checks */
  975. if (v6stat.zero_pos == -1) {
  976. /* If no '::' must have exactly 16 bytes */
  977. if (v6stat.total != 16)
  978. return 0;
  979. } else {
  980. /* If '::' must have less than 16 bytes */
  981. if (v6stat.total == 16)
  982. return 0;
  983. /* More than three zeroes is an error */
  984. if (v6stat.zero_cnt > 3)
  985. return 0;
  986. /* Can only have three zeroes if nothing else present */
  987. else if (v6stat.zero_cnt == 3) {
  988. if (v6stat.total > 0)
  989. return 0;
  990. }
  991. /* Can only have two zeroes if at start or end */
  992. else if (v6stat.zero_cnt == 2) {
  993. if ((v6stat.zero_pos != 0)
  994. && (v6stat.zero_pos != v6stat.total))
  995. return 0;
  996. } else
  997. /* Can only have one zero if *not* start or end */
  998. {
  999. if ((v6stat.zero_pos == 0)
  1000. || (v6stat.zero_pos == v6stat.total))
  1001. return 0;
  1002. }
  1003. }
  1004. /* Format result */
  1005. if (v6stat.zero_pos >= 0) {
  1006. /* Copy initial part */
  1007. memcpy(v6, v6stat.tmp, v6stat.zero_pos);
  1008. /* Zero middle */
  1009. memset(v6 + v6stat.zero_pos, 0, 16 - v6stat.total);
  1010. /* Copy final part */
  1011. if (v6stat.total != v6stat.zero_pos)
  1012. memcpy(v6 + v6stat.zero_pos + 16 - v6stat.total,
  1013. v6stat.tmp + v6stat.zero_pos,
  1014. v6stat.total - v6stat.zero_pos);
  1015. } else
  1016. memcpy(v6, v6stat.tmp, 16);
  1017. return 1;
  1018. }
  1019. static int ipv6_cb(const char *elem, int len, void *usr)
  1020. {
  1021. IPV6_STAT *s = usr;
  1022. /* Error if 16 bytes written */
  1023. if (s->total == 16)
  1024. return 0;
  1025. if (len == 0) {
  1026. /* Zero length element, corresponds to '::' */
  1027. if (s->zero_pos == -1)
  1028. s->zero_pos = s->total;
  1029. /* If we've already got a :: its an error */
  1030. else if (s->zero_pos != s->total)
  1031. return 0;
  1032. s->zero_cnt++;
  1033. } else {
  1034. /* If more than 4 characters could be final a.b.c.d form */
  1035. if (len > 4) {
  1036. /* Need at least 4 bytes left */
  1037. if (s->total > 12)
  1038. return 0;
  1039. /* Must be end of string */
  1040. if (elem[len])
  1041. return 0;
  1042. if (!ipv4_from_asc(s->tmp + s->total, elem))
  1043. return 0;
  1044. s->total += 4;
  1045. } else {
  1046. if (!ipv6_hex(s->tmp + s->total, elem, len))
  1047. return 0;
  1048. s->total += 2;
  1049. }
  1050. }
  1051. return 1;
  1052. }
  1053. /*
  1054. * Convert a string of up to 4 hex digits into the corresponding IPv6 form.
  1055. */
  1056. static int ipv6_hex(unsigned char *out, const char *in, int inlen)
  1057. {
  1058. unsigned char c;
  1059. unsigned int num = 0;
  1060. int x;
  1061. if (inlen > 4)
  1062. return 0;
  1063. while (inlen--) {
  1064. c = *in++;
  1065. num <<= 4;
  1066. x = OPENSSL_hexchar2int(c);
  1067. if (x < 0)
  1068. return 0;
  1069. num |= (char)x;
  1070. }
  1071. out[0] = num >> 8;
  1072. out[1] = num & 0xff;
  1073. return 1;
  1074. }
  1075. int X509V3_NAME_from_section(X509_NAME *nm, STACK_OF(CONF_VALUE) *dn_sk,
  1076. unsigned long chtype)
  1077. {
  1078. CONF_VALUE *v;
  1079. int i, mval, spec_char, plus_char;
  1080. char *p, *type;
  1081. if (!nm)
  1082. return 0;
  1083. for (i = 0; i < sk_CONF_VALUE_num(dn_sk); i++) {
  1084. v = sk_CONF_VALUE_value(dn_sk, i);
  1085. type = v->name;
  1086. /*
  1087. * Skip past any leading X. X: X, etc to allow for multiple instances
  1088. */
  1089. for (p = type; *p; p++) {
  1090. #ifndef CHARSET_EBCDIC
  1091. spec_char = ((*p == ':') || (*p == ',') || (*p == '.'));
  1092. #else
  1093. spec_char = ((*p == os_toascii[':']) || (*p == os_toascii[','])
  1094. || (*p == os_toascii['.']));
  1095. #endif
  1096. if (spec_char) {
  1097. p++;
  1098. if (*p)
  1099. type = p;
  1100. break;
  1101. }
  1102. }
  1103. #ifndef CHARSET_EBCDIC
  1104. plus_char = (*type == '+');
  1105. #else
  1106. plus_char = (*type == os_toascii['+']);
  1107. #endif
  1108. if (plus_char) {
  1109. mval = -1;
  1110. type++;
  1111. } else
  1112. mval = 0;
  1113. if (!X509_NAME_add_entry_by_txt(nm, type, chtype,
  1114. (unsigned char *)v->value, -1, -1,
  1115. mval))
  1116. return 0;
  1117. }
  1118. return 1;
  1119. }