author | Kenny Root <kroot@google.com> | 2015-11-06 15:31:15 -0800 |
committer | Kenny Root <kroot@google.com> | 2015-11-06 15:31:15 -0800 |
commit | e99801b603dea8893dcc61c70b327ef2d00b652c (patch) | |
tree | 37655d933cb72bcd7553af526581d3e24e051d7d /src/crypto/x509v3 | |
parent | 8cd47e1f90ee6c1dbedb462b252c8e1e7b079e38 (diff) | |
download | boringssl-e99801b603dea8893dcc61c70b327ef2d00b652c.tar.gz |
Revert "Revert "external/boringssl: sync with upstream.""
This reverts commit 03bcf618b7ed811b305845461fbb5497dfe55ac3.
No changes here. The trusty build was fixed with the required rules.mk changes.
Diffstat (limited to 'src/crypto/x509v3')
-rw-r--r-- | src/crypto/x509v3/CMakeLists.txt | 2 | ||||
-rw-r--r-- | src/crypto/x509v3/pcy_tree.c | 2 | ||||
-rw-r--r-- | src/crypto/x509v3/tab_test.c | 5 | ||||
-rw-r--r-- | src/crypto/x509v3/v3_alt.c | 24 | ||||
-rw-r--r-- | src/crypto/x509v3/v3_purp.c | 19 | ||||
-rw-r--r-- | src/crypto/x509v3/v3_utl.c | 10 |
6 files changed, 36 insertions, 26 deletions
diff --git a/src/crypto/x509v3/CMakeLists.txt b/src/crypto/x509v3/CMakeLists.txt index 5cc1b490..cf2474a4 100644 --- a/src/crypto/x509v3/CMakeLists.txt +++ b/src/crypto/x509v3/CMakeLists.txt @@ -52,6 +52,7 @@ add_executable( ) target_link_libraries(v3name_test crypto) +add_dependencies(all_tests v3name_test) add_executable( tab_test @@ -62,3 +63,4 @@ add_executable( ) target_link_libraries(tab_test crypto) +add_dependencies(all_tests tab_test) diff --git a/src/crypto/x509v3/pcy_tree.c b/src/crypto/x509v3/pcy_tree.c index 682474d8..8e9ef25d 100644 --- a/src/crypto/x509v3/pcy_tree.c +++ b/src/crypto/x509v3/pcy_tree.c @@ -426,7 +426,7 @@ static int tree_link_unmatched(X509_POLICY_LEVEL *curr, { /* If mapping: matched if one child per expected policy set */ STACK_OF(ASN1_OBJECT) *expset = node->data->expected_policy_set; - if (node->nchild == sk_ASN1_OBJECT_num(expset)) + if ((size_t) node->nchild == sk_ASN1_OBJECT_num(expset)) return 1; /* Locate unmatched nodes */ for (i = 0; i < sk_ASN1_OBJECT_num(expset); i++) diff --git a/src/crypto/x509v3/tab_test.c b/src/crypto/x509v3/tab_test.c index 6b97e918..c0e0cb61 100644 --- a/src/crypto/x509v3/tab_test.c +++ b/src/crypto/x509v3/tab_test.c @@ -73,7 +73,8 @@ int main(void) { #if !defined(BORINGSSL_SHARED_LIBRARY) - int i, prev = -1, bad = 0; + unsigned i; + int prev = -1, bad = 0; const X509V3_EXT_METHOD *const *tmp; CRYPTO_library_init(); i = sizeof(standard_exts) / sizeof(X509V3_EXT_METHOD *); @@ -89,7 +90,7 @@ int main(void) tmp = standard_exts; fprintf(stderr, "Extensions out of order!\n"); for(i = 0; i < STANDARD_EXTENSION_COUNT; i++, tmp++) - printf("%d : %s\n", (*tmp)->ext_nid, OBJ_nid2sn((*tmp)->ext_nid)); + printf("%d : %s\n", (*tmp)->ext_nid, OBJ_nid2sn((*tmp)->ext_nid)); return 1; } else { printf("PASS\n"); diff --git a/src/crypto/x509v3/v3_alt.c b/src/crypto/x509v3/v3_alt.c index e639f458..cfc13486 100644 --- a/src/crypto/x509v3/v3_alt.c +++ b/src/crypto/x509v3/v3_alt.c 
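Review bot: The `(size_t) node->nchild` cast in tree_link_unmatched silences the signed/unsigned comparison against `sk_ASN1_OBJECT_num(expset)` but leaves the underlying type mismatch in place: if `nchild` is declared `int` (its declaration is outside the hunk), a negative value would wrap to a large `size_t` and simply compare unequal instead of being noticed. Declaring the count as `size_t` where the struct is defined would be the type-safe fix; if that is out of scope for a sync commit, a comment next to the cast recording the assumption that `nchild` is never negative would at least make it visible to the next reader. The enclosing function continues outside the hunk.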
@@ -596,25 +596,27 @@ static int do_othername(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx) static int do_dirname(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx) { - int ret; - STACK_OF(CONF_VALUE) *sk; - X509_NAME *nm; - if (!(nm = X509_NAME_new())) - return 0; + int ret = 0; + STACK_OF(CONF_VALUE) *sk = NULL; + X509_NAME *nm = X509_NAME_new(); + if (nm == NULL) + goto err; sk = X509V3_get_section(ctx, value); - if (!sk) + if (sk == NULL) { OPENSSL_PUT_ERROR(X509V3, X509V3_R_SECTION_NOT_FOUND); ERR_add_error_data(2, "section=", value); - X509_NAME_free(nm); - return 0; + goto err; } /* FIXME: should allow other character types... */ - ret = X509V3_NAME_from_section(nm, sk, MBSTRING_ASC); + if (!X509V3_NAME_from_section(nm, sk, MBSTRING_ASC)) + goto err; + gen->d.dirn = nm; + ret = 1; + +err: if (!ret) X509_NAME_free(nm); - gen->d.dirn = nm; X509V3_section_free(ctx, sk); - return ret; } diff --git a/src/crypto/x509v3/v3_purp.c b/src/crypto/x509v3/v3_purp.c index f53c0f11..9a0a7bc4 100644 --- a/src/crypto/x509v3/v3_purp.c +++ b/src/crypto/x509v3/v3_purp.c @@ -70,6 +70,14 @@ #include "../internal.h" +#define V1_ROOT (EXFLAG_V1|EXFLAG_SS) +#define ku_reject(x, usage) \ + (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage))) +#define xku_reject(x, usage) \ + (((x)->ex_flags & EXFLAG_XKUSAGE) && !((x)->ex_xkusage & (usage))) +#define ns_reject(x, usage) \ + (((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage))) + static void x509v3_cache_extensions(X509 *x); static int check_ssl_ca(const X509 *x); @@ -494,7 +502,8 @@ static void x509v3_cache_extensions(X509 *x) { x->ex_flags |= EXFLAG_SI; /* If SKID matches AKID also indicate self signed */ - if (X509_check_akid(x, x->akid) == X509_V_OK) + if (X509_check_akid(x, x->akid) == X509_V_OK && + !ku_reject(x, KU_KEY_CERT_SIGN)) x->ex_flags |= EXFLAG_SS; } x->altname = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL); 
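Review bot: The `err:` label in do_dirname is now reached on the success path as well, so its name misleads a reader of the cleanup block; either rename it to `out:` or add `/* Reached on both paths: nm is owned by gen when ret is 1 and freed here otherwise; sk may still be NULL. */` above it so the ownership handoff is explicit. The restructured path also relies on `X509V3_section_free(ctx, sk)` accepting `sk == NULL`, which happens when `X509_NAME_new()` fails before the section lookup; that helper is not in the hunk, so it is worth confirming it is a no-op on NULL rather than adding a guard. The existing `FIXME` about character types is untouched by this change.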
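Review bot: The added `!ku_reject(x, KU_KEY_CERT_SIGN)` term changes when `EXFLAG_SS` is set, but the comment directly above it still reads `/* If SKID matches AKID also indicate self signed */` and no longer describes the condition; it should state why keyUsage is consulted, e.g. `/* If SKID matches AKID also indicate self signed, but only when keyUsage (if present) permits keyCertSign: a certificate that may not sign certificates is not treated as self-signed. */`. The new test reads `x->ex_flags & EXFLAG_KUSAGE` and `x->ex_kusage` through the relocated macro, so it depends on the keyUsage extension having been cached earlier in x509v3_cache_extensions; that part of the function is outside the hunk and worth confirming. The macro definitions moved to the top of the file are otherwise unchanged (their old location is deleted in the next hunk).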
@@ -531,14 +540,6 @@ static void x509v3_cache_extensions(X509 *x) * 4 basicConstraints absent but keyUsage present and keyCertSign asserted. */ -#define V1_ROOT (EXFLAG_V1|EXFLAG_SS) -#define ku_reject(x, usage) \ - (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage))) -#define xku_reject(x, usage) \ - (((x)->ex_flags & EXFLAG_XKUSAGE) && !((x)->ex_xkusage & (usage))) -#define ns_reject(x, usage) \ - (((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage))) - static int check_ca(const X509 *x) { /* keyUsage if present should allow cert signing */ diff --git a/src/crypto/x509v3/v3_utl.c b/src/crypto/x509v3/v3_utl.c index aa65c798..6bcb6dab 100644 --- a/src/crypto/x509v3/v3_utl.c +++ b/src/crypto/x509v3/v3_utl.c @@ -899,7 +899,7 @@ static int do_x509_check(X509 *x, const char *chk, size_t chklen, X509_NAME *name = NULL; size_t i; int j; - int cnid; + int cnid = NID_undef; int alt_type; int san_present = 0; int rv = 0; @@ -927,7 +927,6 @@ static int do_x509_check(X509 *x, const char *chk, size_t chklen, } else { - cnid = 0; alt_type = V_ASN1_OCTET_STRING; equal = equal_case; } @@ -957,11 +956,16 @@ static int do_x509_check(X509 *x, const char *chk, size_t chklen, GENERAL_NAMES_free(gens); if (rv != 0) return rv; - if (!cnid + if (cnid == NID_undef || (san_present && !(flags & X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT))) return 0; } + + /* We're done if CN-ID is not pertinent */ + if (cnid == NID_undef) + return 0; + j = -1; name = X509_get_subject_name(x); while((j = X509_NAME_get_index_by_NID(name, cnid, j)) >= 0) |
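Review bot: With the new `if (cnid == NID_undef) return 0;` guard after the subjectAltName block in do_x509_check, the `cnid == NID_undef ||` term inside the `if (gens)` condition becomes redundant: when it holds, control would fall out of the block and hit the new guard with the same result. Keeping a single check is clearer, so either drop the first term or put a short comment on the new guard noting that it is the check that matters when no subjectAltName extension is present. The new comment `/* We're done if CN-ID is not pertinent */` would also help more if it named what that covers: from the visible `else` branch, `cnid` stays `NID_undef` for the check type that uses `V_ASN1_OCTET_STRING` (presumably the IP-address check), so the subject name is never consulted for it. do_x509_check starts before the first hunk and continues past the last.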