v3_utl.c@ 108358

最後變更在這個檔案從108358是 108206,由 vboxsync 提交於 6 週前
openssl-3.3.2: Exported all files to OSE and removed .scm-settings bugref:10757
屬性 svn:eol-style 設為 `native` 屬性 svn:keywords 設為 `Author Date Id Revision`
檔案大小: 39.3 KB

行
1	/*
2	* Copyright 1999-2024 The OpenSSL Project Authors. All Rights Reserved.
3	*
4	* Licensed under the Apache License 2.0 (the "License"). You may not use
5	* this file except in compliance with the License. You can obtain a copy
6	* in the file LICENSE in the source distribution or at
7	* https://www.openssl.org/source/license.html
8	*/
9
10	/* X509 v3 extension utilities */
11
12	#include "internal/e_os.h"
13	#include "internal/cryptlib.h"
14	#include <stdio.h>
15	#include <string.h>
16	#include "crypto/ctype.h"
17	#include <openssl/conf.h>
18	#include <openssl/crypto.h>
19	#include <openssl/x509v3.h>
20	#include "crypto/x509.h"
21	#include <openssl/bn.h>
22	#include "ext_dat.h"
23	#include "x509_local.h"
24
25	static char strip_spaces(char name);
26	static int sk_strcmp(const char const a, const char const b);
27	static STACK_OF(OPENSSL_STRING) get_email(const X509_NAME name,
28	GENERAL_NAMES *gens);
29	static void str_free(OPENSSL_STRING str);
30	static int append_ia5(STACK_OF(OPENSSL_STRING) **sk,
31	const ASN1_IA5STRING *email);
32
33	static int ipv4_from_asc(unsigned char v4, const char in);
34	static int ipv6_from_asc(unsigned char v6, const char in);
35	static int ipv6_cb(const char elem, int len, void usr);
36	static int ipv6_hex(unsigned char out, const char in, int inlen);
37
38	/* Add a CONF_VALUE name value pair to stack */
39
40	static int x509v3_add_len_value(const char name, const char value,
41	size_t vallen, STACK_OF(CONF_VALUE) **extlist)
42	{
43	CONF_VALUE *vtmp = NULL;
44	char tname = NULL, tvalue = NULL;
45	int sk_allocated = (*extlist == NULL);
46
47	if (name != NULL && (tname = OPENSSL_strdup(name)) == NULL)
48	goto err;
49	if (value != NULL) {
50	/* We don't allow embedded NUL characters */
51	if (memchr(value, 0, vallen) != NULL)
52	goto err;
53	tvalue = OPENSSL_strndup(value, vallen);
54	if (tvalue == NULL)
55	goto err;
56	}
57	if ((vtmp = OPENSSL_malloc(sizeof(*vtmp))) == NULL)
58	goto err;
59	if (sk_allocated && (*extlist = sk_CONF_VALUE_new_null()) == NULL) {
60	ERR_raise(ERR_LIB_X509V3, ERR_R_CRYPTO_LIB);
61	goto err;
62	}
63	vtmp->section = NULL;
64	vtmp->name = tname;
65	vtmp->value = tvalue;
66	if (!sk_CONF_VALUE_push(*extlist, vtmp))
67	goto err;
68	return 1;
69	err:
70	if (sk_allocated) {
71	sk_CONF_VALUE_free(*extlist);
72	*extlist = NULL;
73	}
74	OPENSSL_free(vtmp);
75	OPENSSL_free(tname);
76	OPENSSL_free(tvalue);
77	return 0;
78	}
79
80	int X509V3_add_value(const char name, const char value,
81	STACK_OF(CONF_VALUE) **extlist)
82	{
83	return x509v3_add_len_value(name, value,
84	value != NULL ? strlen((const char *)value) : 0,
85	extlist);
86	}
87
88	int X509V3_add_value_uchar(const char name, const unsigned char value,
89	STACK_OF(CONF_VALUE) **extlist)
90	{
91	return x509v3_add_len_value(name, (const char *)value,
92	value != NULL ? strlen((const char *)value) : 0,
93	extlist);
94	}
95
96	int x509v3_add_len_value_uchar(const char name, const unsigned char value,
97	size_t vallen, STACK_OF(CONF_VALUE) **extlist)
98	{
99	return x509v3_add_len_value(name, (const char *)value, vallen, extlist);
100	}
101
102	/* Free function for STACK_OF(CONF_VALUE) */
103
104	void X509V3_conf_free(CONF_VALUE *conf)
105	{
106	if (!conf)
107	return;
108	OPENSSL_free(conf->name);
109	OPENSSL_free(conf->value);
110	OPENSSL_free(conf->section);
111	OPENSSL_free(conf);
112	}
113
114	int X509V3_add_value_bool(const char *name, int asn1_bool,
115	STACK_OF(CONF_VALUE) **extlist)
116	{
117	if (asn1_bool)
118	return X509V3_add_value(name, "TRUE", extlist);
119	return X509V3_add_value(name, "FALSE", extlist);
120	}
121
122	int X509V3_add_value_bool_nf(const char *name, int asn1_bool,
123	STACK_OF(CONF_VALUE) **extlist)
124	{
125	if (asn1_bool)
126	return X509V3_add_value(name, "TRUE", extlist);
127	return 1;
128	}
129
130	static char bignum_to_string(const BIGNUM bn)
131	{
132	char tmp, ret;
133	size_t len;
134
135	/*
136	* Display large numbers in hex and small numbers in decimal. Converting to
137	* decimal takes quadratic time and is no more useful than hex for large
138	* numbers.
139	*/
140	if (BN_num_bits(bn) < 128)
141	return BN_bn2dec(bn);
142
143	tmp = BN_bn2hex(bn);
144	if (tmp == NULL)
145	return NULL;
146
147	len = strlen(tmp) + 3;
148	ret = OPENSSL_malloc(len);
149	if (ret == NULL) {
150	OPENSSL_free(tmp);
151	return NULL;
152	}
153
154	/* Prepend "0x", but place it after the "-" if negative. */
155	if (tmp[0] == '-') {
156	OPENSSL_strlcpy(ret, "-0x", len);
157	OPENSSL_strlcat(ret, tmp + 1, len);
158	} else {
159	OPENSSL_strlcpy(ret, "0x", len);
160	OPENSSL_strlcat(ret, tmp, len);
161	}
162	OPENSSL_free(tmp);
163	return ret;
164	}
165
166	char i2s_ASN1_ENUMERATED(X509V3_EXT_METHOD method, const ASN1_ENUMERATED *a)
167	{
168	BIGNUM *bntmp = NULL;
169	char *strtmp = NULL;
170
171	if (!a)
172	return NULL;
173	if ((bntmp = ASN1_ENUMERATED_to_BN(a, NULL)) == NULL)
174	ERR_raise(ERR_LIB_X509V3, ERR_R_ASN1_LIB);
175	else if ((strtmp = bignum_to_string(bntmp)) == NULL)
176	ERR_raise(ERR_LIB_X509V3, ERR_R_X509V3_LIB);
177	BN_free(bntmp);
178	return strtmp;
179	}
180
181	char i2s_ASN1_INTEGER(X509V3_EXT_METHOD method, const ASN1_INTEGER *a)
182	{
183	BIGNUM *bntmp = NULL;
184	char *strtmp = NULL;
185
186	if (!a)
187	return NULL;
188	if ((bntmp = ASN1_INTEGER_to_BN(a, NULL)) == NULL)
189	ERR_raise(ERR_LIB_X509V3, ERR_R_ASN1_LIB);
190	else if ((strtmp = bignum_to_string(bntmp)) == NULL)
191	ERR_raise(ERR_LIB_X509V3, ERR_R_X509V3_LIB);
192	BN_free(bntmp);
193	return strtmp;
194	}
195
196	ASN1_INTEGER s2i_ASN1_INTEGER(X509V3_EXT_METHOD method, const char *value)
197	{
198	BIGNUM *bn = NULL;
199	ASN1_INTEGER *aint;
200	int isneg, ishex;
201	int ret;
202
203	if (value == NULL) {
204	ERR_raise(ERR_LIB_X509V3, X509V3_R_INVALID_NULL_VALUE);
205	return NULL;
206	}
207	bn = BN_new();
208	if (bn == NULL) {
209	ERR_raise(ERR_LIB_X509V3, ERR_R_BN_LIB);
210	return NULL;
211	}
212	if (value[0] == '-') {
213	value++;
214	isneg = 1;
215	} else {
216	isneg = 0;
217	}
218
219	if (value[0] == '0' && ((value[1] == 'x') \|\| (value[1] == 'X'))) {
220	value += 2;
221	ishex = 1;
222	} else {
223	ishex = 0;
224	}
225
226	if (ishex)
227	ret = BN_hex2bn(&bn, value);
228	else
229	ret = BN_dec2bn(&bn, value);
230
231	if (!ret \|\| value[ret]) {
232	BN_free(bn);
233	ERR_raise(ERR_LIB_X509V3, X509V3_R_BN_DEC2BN_ERROR);
234	return NULL;
235	}
236
237	if (isneg && BN_is_zero(bn))
238	isneg = 0;
239
240	aint = BN_to_ASN1_INTEGER(bn, NULL);
241	BN_free(bn);
242	if (!aint) {
243	ERR_raise(ERR_LIB_X509V3, X509V3_R_BN_TO_ASN1_INTEGER_ERROR);
244	return NULL;
245	}
246	if (isneg)
247	aint->type \|= V_ASN1_NEG;
248	return aint;
249	}
250
251	int X509V3_add_value_int(const char name, const ASN1_INTEGER aint,
252	STACK_OF(CONF_VALUE) **extlist)
253	{
254	char *strtmp;
255	int ret;
256
257	if (!aint)
258	return 1;
259	if ((strtmp = i2s_ASN1_INTEGER(NULL, aint)) == NULL)
260	return 0;
261	ret = X509V3_add_value(name, strtmp, extlist);
262	OPENSSL_free(strtmp);
263	return ret;
264	}
265
266	int X509V3_get_value_bool(const CONF_VALUE value, int asn1_bool)
267	{
268	const char *btmp;
269
270	if ((btmp = value->value) == NULL)
271	goto err;
272	if (strcmp(btmp, "TRUE") == 0
273	\|\| strcmp(btmp, "true") == 0
274	\|\| strcmp(btmp, "Y") == 0
275	\|\| strcmp(btmp, "y") == 0
276	\|\| strcmp(btmp, "YES") == 0
277	\|\| strcmp(btmp, "yes") == 0) {
278	*asn1_bool = 0xff;
279	return 1;
280	}
281	if (strcmp(btmp, "FALSE") == 0
282	\|\| strcmp(btmp, "false") == 0
283	\|\| strcmp(btmp, "N") == 0
284	\|\| strcmp(btmp, "n") == 0
285	\|\| strcmp(btmp, "NO") == 0
286	\|\| strcmp(btmp, "no") == 0) {
287	*asn1_bool = 0;
288	return 1;
289	}
290	err:
291	ERR_raise(ERR_LIB_X509V3, X509V3_R_INVALID_BOOLEAN_STRING);
292	X509V3_conf_add_error_name_value(value);
293	return 0;
294	}
295
296	int X509V3_get_value_int(const CONF_VALUE value, ASN1_INTEGER *aint)
297	{
298	ASN1_INTEGER *itmp;
299
300	if ((itmp = s2i_ASN1_INTEGER(NULL, value->value)) == NULL) {
301	X509V3_conf_add_error_name_value(value);
302	return 0;
303	}
304	*aint = itmp;
305	return 1;
306	}
307
308	#define HDR_NAME 1
309	#define HDR_VALUE 2
310
311	/*
312	* #define DEBUG
313	*/
314
315	STACK_OF(CONF_VALUE) X509V3_parse_list(const char line)
316	{
317	char p, q, c;
318	char ntmp, vtmp;
319	STACK_OF(CONF_VALUE) *values = NULL;
320	char *linebuf;
321	int state;
322
323	/* We are going to modify the line so copy it first */
324	linebuf = OPENSSL_strdup(line);
325	if (linebuf == NULL)
326	goto err;
327	state = HDR_NAME;
328	ntmp = NULL;
329	/* Go through all characters */
330	for (p = linebuf, q = linebuf; (c = *p) && (c != '\r') && (c != '\n');
331	p++) {
332
333	switch (state) {
334	case HDR_NAME:
335	if (c == ':') {
336	state = HDR_VALUE;
337	*p = 0;
338	ntmp = strip_spaces(q);
339	if (!ntmp) {
340	ERR_raise(ERR_LIB_X509V3, X509V3_R_INVALID_EMPTY_NAME);
341	goto err;
342	}
343	q = p + 1;
344	} else if (c == ',') {
345	*p = 0;
346	ntmp = strip_spaces(q);
347	q = p + 1;
348	if (!ntmp) {
349	ERR_raise(ERR_LIB_X509V3, X509V3_R_INVALID_EMPTY_NAME);
350	goto err;
351	}
352	if (!X509V3_add_value(ntmp, NULL, &values)) {
353	goto err;
354	}
355	}
356	break;
357
358	case HDR_VALUE:
359	if (c == ',') {
360	state = HDR_NAME;
361	*p = 0;
362	vtmp = strip_spaces(q);
363	if (!vtmp) {
364	ERR_raise(ERR_LIB_X509V3, X509V3_R_INVALID_NULL_VALUE);
365	goto err;
366	}
367	if (!X509V3_add_value(ntmp, vtmp, &values)) {
368	goto err;
369	}
370	ntmp = NULL;
371	q = p + 1;
372	}
373
374	}
375	}
376
377	if (state == HDR_VALUE) {
378	vtmp = strip_spaces(q);
379	if (!vtmp) {
380	ERR_raise(ERR_LIB_X509V3, X509V3_R_INVALID_NULL_VALUE);
381	goto err;
382	}
383	if (!X509V3_add_value(ntmp, vtmp, &values)) {
384	goto err;
385	}
386	} else {
387	ntmp = strip_spaces(q);
388	if (!ntmp) {
389	ERR_raise(ERR_LIB_X509V3, X509V3_R_INVALID_EMPTY_NAME);
390	goto err;
391	}
392	if (!X509V3_add_value(ntmp, NULL, &values)) {
393	goto err;
394	}
395	}
396	OPENSSL_free(linebuf);
397	return values;
398
399	err:
400	OPENSSL_free(linebuf);
401	sk_CONF_VALUE_pop_free(values, X509V3_conf_free);
402	return NULL;
403
404	}
405
406	/* Delete leading and trailing spaces from a string */
407	static char strip_spaces(char name)
408	{
409	char p, q;
410
411	/* Skip over leading spaces */
412	p = name;
413	while (p && ossl_isspace(p))
414	p++;
415	if (*p == '\0')
416	return NULL;
417	q = p + strlen(p) - 1;
418	while ((q != p) && ossl_isspace(*q))
419	q--;
420	if (p != q)
421	q[1] = 0;
422	if (*p == '\0')
423	return NULL;
424	return p;
425	}
426
427
428	/*
429	* V2I name comparison function: returns zero if 'name' matches cmp or cmp.*
430	*/
431
432	int ossl_v3_name_cmp(const char name, const char cmp)
433	{
434	int len, ret;
435	char c;
436
437	len = strlen(cmp);
438	if ((ret = strncmp(name, cmp, len)))
439	return ret;
440	c = name[len];
441	if (!c \|\| (c == '.'))
442	return 0;
443	return 1;
444	}
445
446	static int sk_strcmp(const char const a, const char const b)
447	{
448	return strcmp(a, b);
449	}
450
451	STACK_OF(OPENSSL_STRING) X509_get1_email(X509 x)
452	{
453	GENERAL_NAMES *gens;
454	STACK_OF(OPENSSL_STRING) *ret;
455
456	gens = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
457	ret = get_email(X509_get_subject_name(x), gens);
458	sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
459	return ret;
460	}
461
462	STACK_OF(OPENSSL_STRING) X509_get1_ocsp(X509 x)
463	{
464	AUTHORITY_INFO_ACCESS *info;
465	STACK_OF(OPENSSL_STRING) *ret = NULL;
466	int i;
467
468	info = X509_get_ext_d2i(x, NID_info_access, NULL, NULL);
469	if (!info)
470	return NULL;
471	for (i = 0; i < sk_ACCESS_DESCRIPTION_num(info); i++) {
472	ACCESS_DESCRIPTION *ad = sk_ACCESS_DESCRIPTION_value(info, i);
473	if (OBJ_obj2nid(ad->method) == NID_ad_OCSP) {
474	if (ad->location->type == GEN_URI) {
475	if (!append_ia5
476	(&ret, ad->location->d.uniformResourceIdentifier))
477	break;
478	}
479	}
480	}
481	AUTHORITY_INFO_ACCESS_free(info);
482	return ret;
483	}
484
485	STACK_OF(OPENSSL_STRING) X509_REQ_get1_email(X509_REQ x)
486	{
487	GENERAL_NAMES *gens;
488	STACK_OF(X509_EXTENSION) *exts;
489	STACK_OF(OPENSSL_STRING) *ret;
490
491	exts = X509_REQ_get_extensions(x);
492	gens = X509V3_get_d2i(exts, NID_subject_alt_name, NULL, NULL);
493	ret = get_email(X509_REQ_get_subject_name(x), gens);
494	sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
495	sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
496	return ret;
497	}
498
499	static STACK_OF(OPENSSL_STRING) get_email(const X509_NAME name,
500	GENERAL_NAMES *gens)
501	{
502	STACK_OF(OPENSSL_STRING) *ret = NULL;
503	X509_NAME_ENTRY *ne;
504	const ASN1_IA5STRING *email;
505	GENERAL_NAME *gen;
506	int i = -1;
507
508	/* Now add any email address(es) to STACK */
509	/* First supplied X509_NAME */
510	while ((i = X509_NAME_get_index_by_NID(name,
511	NID_pkcs9_emailAddress, i)) >= 0) {
512	ne = X509_NAME_get_entry(name, i);
513	email = X509_NAME_ENTRY_get_data(ne);
514	if (!append_ia5(&ret, email))
515	return NULL;
516	}
517	for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
518	gen = sk_GENERAL_NAME_value(gens, i);
519	if (gen->type != GEN_EMAIL)
520	continue;
521	if (!append_ia5(&ret, gen->d.ia5))
522	return NULL;
523	}
524	return ret;
525	}
526
527	static void str_free(OPENSSL_STRING str)
528	{
529	OPENSSL_free(str);
530	}
531
532	static int append_ia5(STACK_OF(OPENSSL_STRING) **sk,
533	const ASN1_IA5STRING *email)
534	{
535	char *emtmp;
536
537	/* First some sanity checks */
538	if (email->type != V_ASN1_IA5STRING)
539	return 1;
540	if (email->data == NULL \|\| email->length == 0)
541	return 1;
542	if (memchr(email->data, 0, email->length) != NULL)
543	return 1;
544	if (*sk == NULL)
545	*sk = sk_OPENSSL_STRING_new(sk_strcmp);
546	if (*sk == NULL)
547	return 0;
548
549	emtmp = OPENSSL_strndup((char *)email->data, email->length);
550	if (emtmp == NULL) {
551	X509_email_free(*sk);
552	*sk = NULL;
553	return 0;
554	}
555
556	/* Don't add duplicates */
557	if (sk_OPENSSL_STRING_find(*sk, emtmp) != -1) {
558	OPENSSL_free(emtmp);
559	return 1;
560	}
561	if (!sk_OPENSSL_STRING_push(*sk, emtmp)) {
562	OPENSSL_free(emtmp); /* free on push failure */
563	X509_email_free(*sk);
564	*sk = NULL;
565	return 0;
566	}
567	return 1;
568	}
569
570	void X509_email_free(STACK_OF(OPENSSL_STRING) *sk)
571	{
572	sk_OPENSSL_STRING_pop_free(sk, str_free);
573	}
574
575	typedef int (equal_fn) (const unsigned char pattern, size_t pattern_len,
576	const unsigned char *subject, size_t subject_len,
577	unsigned int flags);
578
579	/* Skip pattern prefix to match "wildcard" subject */
580	static void skip_prefix(const unsigned char *p, size_t plen,
581	size_t subject_len,
582	unsigned int flags)
583	{
584	const unsigned char pattern = p;
585	size_t pattern_len = *plen;
586
587	/*
588	* If subject starts with a leading '.' followed by more octets, and
589	* pattern is longer, compare just an equal-length suffix with the
590	* full subject (starting at the '.'), provided the prefix contains
591	* no NULs.
592	*/
593	if ((flags & _X509_CHECK_FLAG_DOT_SUBDOMAINS) == 0)
594	return;
595
596	while (pattern_len > subject_len && *pattern) {
597	if ((flags & X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS) &&
598	*pattern == '.')
599	break;
600	++pattern;
601	--pattern_len;
602	}
603
604	/* Skip if entire prefix acceptable */
605	if (pattern_len == subject_len) {
606	*p = pattern;
607	*plen = pattern_len;
608	}
609	}
610
611	/* Compare while ASCII ignoring case. */
612	static int equal_nocase(const unsigned char *pattern, size_t pattern_len,
613	const unsigned char *subject, size_t subject_len,
614	unsigned int flags)
615	{
616	skip_prefix(&pattern, &pattern_len, subject_len, flags);
617	if (pattern_len != subject_len)
618	return 0;
619	while (pattern_len != 0) {
620	unsigned char l = *pattern;
621	unsigned char r = *subject;
622
623	/* The pattern must not contain NUL characters. */
624	if (l == 0)
625	return 0;
626	if (l != r) {
627	if ('A' <= l && l <= 'Z')
628	l = (l - 'A') + 'a';
629	if ('A' <= r && r <= 'Z')
630	r = (r - 'A') + 'a';
631	if (l != r)
632	return 0;
633	}
634	++pattern;
635	++subject;
636	--pattern_len;
637	}
638	return 1;
639	}
640
641	/* Compare using memcmp. */
642	static int equal_case(const unsigned char *pattern, size_t pattern_len,
643	const unsigned char *subject, size_t subject_len,
644	unsigned int flags)
645	{
646	skip_prefix(&pattern, &pattern_len, subject_len, flags);
647	if (pattern_len != subject_len)
648	return 0;
649	return !memcmp(pattern, subject, pattern_len);
650	}
651
652	/*
653	* RFC 5280, section 7.5, requires that only the domain is compared in a
654	* case-insensitive manner.
655	*/
656	static int equal_email(const unsigned char *a, size_t a_len,
657	const unsigned char *b, size_t b_len,
658	unsigned int unused_flags)
659	{
660	size_t i = a_len;
661
662	if (a_len != b_len)
663	return 0;
664	/*
665	* We search backwards for the '@' character, so that we do not have to
666	* deal with quoted local-parts. The domain part is compared in a
667	* case-insensitive manner.
668	*/
669	while (i > 0) {
670	--i;
671	if (a[i] == '@' \|\| b[i] == '@') {
672	if (!equal_nocase(a + i, a_len - i, b + i, a_len - i, 0))
673	return 0;
674	break;
675	}
676	}
677	if (i == 0)
678	i = a_len;
679	return equal_case(a, i, b, i, 0);
680	}
681
682	/*
683	* Compare the prefix and suffix with the subject, and check that the
684	* characters in-between are valid.
685	*/
686	static int wildcard_match(const unsigned char *prefix, size_t prefix_len,
687	const unsigned char *suffix, size_t suffix_len,
688	const unsigned char *subject, size_t subject_len,
689	unsigned int flags)
690	{
691	const unsigned char *wildcard_start;
692	const unsigned char *wildcard_end;
693	const unsigned char *p;
694	int allow_multi = 0;
695	int allow_idna = 0;
696
697	if (subject_len < prefix_len + suffix_len)
698	return 0;
699	if (!equal_nocase(prefix, prefix_len, subject, prefix_len, flags))
700	return 0;
701	wildcard_start = subject + prefix_len;
702	wildcard_end = subject + (subject_len - suffix_len);
703	if (!equal_nocase(wildcard_end, suffix_len, suffix, suffix_len, flags))
704	return 0;
705	/*
706	* If the wildcard makes up the entire first label, it must match at
707	* least one character.
708	*/
709	if (prefix_len == 0 && *suffix == '.') {
710	if (wildcard_start == wildcard_end)
711	return 0;
712	allow_idna = 1;
713	if (flags & X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS)
714	allow_multi = 1;
715	}
716	/* IDNA labels cannot match partial wildcards */
717	if (!allow_idna &&
718	subject_len >= 4 && HAS_CASE_PREFIX((const char *)subject, "xn--"))
719	return 0;
720	/* The wildcard may match a literal '' /
721	if (wildcard_end == wildcard_start + 1 && wildcard_start == '')
722	return 1;
723	/*
724	* Check that the part matched by the wildcard contains only
725	* permitted characters and only matches a single label unless
726	* allow_multi is set.
727	*/
728	for (p = wildcard_start; p != wildcard_end; ++p)
729	if (!(('0' <= p && p <= '9') \|\|
730	('A' <= p && p <= 'Z') \|\|
731	('a' <= p && p <= 'z') \|\|
732	p == '-' \|\| (allow_multi && p == '.')))
733	return 0;
734	return 1;
735	}
736
737	#define LABEL_START (1 << 0)
738	#define LABEL_END (1 << 1)
739	#define LABEL_HYPHEN (1 << 2)
740	#define LABEL_IDNA (1 << 3)
741
742	static const unsigned char valid_star(const unsigned char p, size_t len,
743	unsigned int flags)
744	{
745	const unsigned char *star = 0;
746	size_t i;
747	int state = LABEL_START;
748	int dots = 0;
749
750	for (i = 0; i < len; ++i) {
751	/*
752	* Locate first and only legal wildcard, either at the start
753	* or end of a non-IDNA first and not final label.
754	*/
755	if (p[i] == '*') {
756	int atstart = (state & LABEL_START);
757	int atend = (i == len - 1 \|\| p[i + 1] == '.');
758	/*-
759	* At most one wildcard per pattern.
760	* No wildcards in IDNA labels.
761	* No wildcards after the first label.
762	*/
763	if (star != NULL \|\| (state & LABEL_IDNA) != 0 \|\| dots)
764	return NULL;
765	/* Only full-label '.example.com' wildcards? /
766	if ((flags & X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS)
767	&& (!atstart \|\| !atend))
768	return NULL;
769	/* No 'foobar' wildcards /
770	if (!atstart && !atend)
771	return NULL;
772	star = &p[i];
773	state &= ~LABEL_START;
774	} else if (('a' <= p[i] && p[i] <= 'z')
775	\|\| ('A' <= p[i] && p[i] <= 'Z')
776	\|\| ('0' <= p[i] && p[i] <= '9')) {
777	if ((state & LABEL_START) != 0
778	&& len - i >= 4 && HAS_CASE_PREFIX((const char *)&p[i], "xn--"))
779	state \|= LABEL_IDNA;
780	state &= ~(LABEL_HYPHEN \| LABEL_START);
781	} else if (p[i] == '.') {
782	if ((state & (LABEL_HYPHEN \| LABEL_START)) != 0)
783	return NULL;
784	state = LABEL_START;
785	++dots;
786	} else if (p[i] == '-') {
787	/* no domain/subdomain starts with '-' */
788	if ((state & LABEL_START) != 0)
789	return NULL;
790	state \|= LABEL_HYPHEN;
791	} else {
792	return NULL;
793	}
794	}
795
796	/*
797	* The final label must not end in a hyphen or ".", and
798	* there must be at least two dots after the star.
799	*/
800	if ((state & (LABEL_START \| LABEL_HYPHEN)) != 0 \|\| dots < 2)
801	return NULL;
802	return star;
803	}
804
805	/* Compare using wildcards. */
806	static int equal_wildcard(const unsigned char *pattern, size_t pattern_len,
807	const unsigned char *subject, size_t subject_len,
808	unsigned int flags)
809	{
810	const unsigned char *star = NULL;
811
812	/*
813	* Subject names starting with '.' can only match a wildcard pattern
814	* via a subject sub-domain pattern suffix match.
815	*/
816	if (!(subject_len > 1 && subject[0] == '.'))
817	star = valid_star(pattern, pattern_len, flags);
818	if (star == NULL)
819	return equal_nocase(pattern, pattern_len,
820	subject, subject_len, flags);
821	return wildcard_match(pattern, star - pattern,
822	star + 1, (pattern + pattern_len) - star - 1,
823	subject, subject_len, flags);
824	}
825
826	/*
827	* Compare an ASN1_STRING to a supplied string. If they match return 1. If
828	* cmp_type > 0 only compare if string matches the type, otherwise convert it
829	* to UTF8.
830	*/
831
832	static int do_check_string(const ASN1_STRING *a, int cmp_type, equal_fn equal,
833	unsigned int flags, const char *b, size_t blen,
834	char **peername)
835	{
836	int rv = 0;
837
838	if (!a->data \|\| !a->length)
839	return 0;
840	if (cmp_type > 0) {
841	if (cmp_type != a->type)
842	return 0;
843	if (cmp_type == V_ASN1_IA5STRING)
844	rv = equal(a->data, a->length, (unsigned char *)b, blen, flags);
845	else if (a->length == (int)blen && !memcmp(a->data, b, blen))
846	rv = 1;
847	if (rv > 0 && peername != NULL) {
848	peername = OPENSSL_strndup((char )a->data, a->length);
849	if (*peername == NULL)
850	return -1;
851	}
852	} else {
853	int astrlen;
854	unsigned char *astr;
855	astrlen = ASN1_STRING_to_UTF8(&astr, a);
856	if (astrlen < 0) {
857	/*
858	* -1 could be an internal malloc failure or a decoding error from
859	* malformed input; we can't distinguish.
860	*/
861	return -1;
862	}
863	rv = equal(astr, astrlen, (unsigned char *)b, blen, flags);
864	if (rv > 0 && peername != NULL) {
865	peername = OPENSSL_strndup((char )astr, astrlen);
866	if (*peername == NULL) {
867	OPENSSL_free(astr);
868	return -1;
869	}
870	}
871	OPENSSL_free(astr);
872	}
873	return rv;
874	}
875
876	static int do_x509_check(X509 x, const char chk, size_t chklen,
877	unsigned int flags, int check_type, char **peername)
878	{
879	GENERAL_NAMES *gens = NULL;
880	const X509_NAME *name = NULL;
881	int i;
882	int cnid = NID_undef;
883	int alt_type;
884	int san_present = 0;
885	int rv = 0;
886	equal_fn equal;
887
888	/* See below, this flag is internal-only */
889	flags &= ~_X509_CHECK_FLAG_DOT_SUBDOMAINS;
890	if (check_type == GEN_EMAIL) {
891	cnid = NID_pkcs9_emailAddress;
892	alt_type = V_ASN1_IA5STRING;
893	equal = equal_email;
894	} else if (check_type == GEN_DNS) {
895	cnid = NID_commonName;
896	/* Implicit client-side DNS sub-domain pattern */
897	if (chklen > 1 && chk[0] == '.')
898	flags \|= _X509_CHECK_FLAG_DOT_SUBDOMAINS;
899	alt_type = V_ASN1_IA5STRING;
900	if (flags & X509_CHECK_FLAG_NO_WILDCARDS)
901	equal = equal_nocase;
902	else
903	equal = equal_wildcard;
904	} else {
905	alt_type = V_ASN1_OCTET_STRING;
906	equal = equal_case;
907	}
908
909	if (chklen == 0)
910	chklen = strlen(chk);
911
912	gens = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
913	if (gens) {
914	for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
915	GENERAL_NAME *gen;
916	ASN1_STRING *cstr;
917
918	gen = sk_GENERAL_NAME_value(gens, i);
919	switch (gen->type) {
920	default:
921	continue;
922	case GEN_OTHERNAME:
923	switch (OBJ_obj2nid(gen->d.otherName->type_id)) {
924	default:
925	continue;
926	case NID_id_on_SmtpUTF8Mailbox:
927	/*-
928	* https://datatracker.ietf.org/doc/html/rfc8398#section-3
929	*
930	* Due to name constraint compatibility reasons described
931	* in Section 6, SmtpUTF8Mailbox subjectAltName MUST NOT
932	* be used unless the local-part of the email address
933	* contains non-ASCII characters. When the local-part is
934	* ASCII, rfc822Name subjectAltName MUST be used instead
935	* of SmtpUTF8Mailbox. This is compatible with legacy
936	* software that supports only rfc822Name (and not
937	* SmtpUTF8Mailbox). [...]
938	*
939	* SmtpUTF8Mailbox is encoded as UTF8String.
940	*
941	* If it is not a UTF8String then that is unexpected, and
942	* we ignore the invalid SAN (neither set san_present nor
943	* consider it a candidate for equality). This does mean
944	* that the subject CN may be considered, as would be the
945	* case when the malformed SmtpUtf8Mailbox SAN is instead
946	* simply absent.
947	*
948	* When CN-ID matching is not desirable, applications can
949	* choose to turn it off, doing so is at this time a best
950	* practice.
951	*/
952	if (check_type != GEN_EMAIL
953	\|\| gen->d.otherName->value->type != V_ASN1_UTF8STRING)
954	continue;
955	alt_type = 0;
956	cstr = gen->d.otherName->value->value.utf8string;
957	break;
958	}
959	break;
960	case GEN_EMAIL:
961	if (check_type != GEN_EMAIL)
962	continue;
963	cstr = gen->d.rfc822Name;
964	break;
965	case GEN_DNS:
966	if (check_type != GEN_DNS)
967	continue;
968	cstr = gen->d.dNSName;
969	break;
970	case GEN_IPADD:
971	if (check_type != GEN_IPADD)
972	continue;
973	cstr = gen->d.iPAddress;
974	break;
975	}
976	san_present = 1;
977	/* Positive on success, negative on error! */
978	if ((rv = do_check_string(cstr, alt_type, equal, flags,
979	chk, chklen, peername)) != 0)
980	break;
981	}
982	GENERAL_NAMES_free(gens);
983	if (rv != 0)
984	return rv;
985	if (san_present && !(flags & X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT))
986	return 0;
987	}
988
989	/* We're done if CN-ID is not pertinent */
990	if (cnid == NID_undef \|\| (flags & X509_CHECK_FLAG_NEVER_CHECK_SUBJECT))
991	return 0;
992
993	i = -1;
994	name = X509_get_subject_name(x);
995	while ((i = X509_NAME_get_index_by_NID(name, cnid, i)) >= 0) {
996	const X509_NAME_ENTRY *ne = X509_NAME_get_entry(name, i);
997	const ASN1_STRING *str = X509_NAME_ENTRY_get_data(ne);
998
999	/* Positive on success, negative on error! */
1000	if ((rv = do_check_string(str, -1, equal, flags,
1001	chk, chklen, peername)) != 0)
1002	return rv;
1003	}
1004	return 0;
1005	}
1006
1007	int X509_check_host(X509 x, const char chk, size_t chklen,
1008	unsigned int flags, char **peername)
1009	{
1010	if (chk == NULL)
1011	return -2;
1012	/*
1013	* Embedded NULs are disallowed, except as the last character of a
1014	* string of length 2 or more (tolerate caller including terminating
1015	* NUL in string length).
1016	*/
1017	if (chklen == 0)
1018	chklen = strlen(chk);
1019	else if (memchr(chk, '\0', chklen > 1 ? chklen - 1 : chklen))
1020	return -2;
1021	if (chklen > 1 && chk[chklen - 1] == '\0')
1022	--chklen;
1023	return do_x509_check(x, chk, chklen, flags, GEN_DNS, peername);
1024	}
1025
1026	int X509_check_email(X509 x, const char chk, size_t chklen,
1027	unsigned int flags)
1028	{
1029	if (chk == NULL)
1030	return -2;
1031	/*
1032	* Embedded NULs are disallowed, except as the last character of a
1033	* string of length 2 or more (tolerate caller including terminating
1034	* NUL in string length).
1035	*/
1036	if (chklen == 0)
1037	chklen = strlen((char *)chk);
1038	else if (memchr(chk, '\0', chklen > 1 ? chklen - 1 : chklen))
1039	return -2;
1040	if (chklen > 1 && chk[chklen - 1] == '\0')
1041	--chklen;
1042	return do_x509_check(x, chk, chklen, flags, GEN_EMAIL, NULL);
1043	}
1044
1045	int X509_check_ip(X509 x, const unsigned char chk, size_t chklen,
1046	unsigned int flags)
1047	{
1048	if (chk == NULL)
1049	return -2;
1050	return do_x509_check(x, (char *)chk, chklen, flags, GEN_IPADD, NULL);
1051	}
1052
1053	int X509_check_ip_asc(X509 x, const char ipasc, unsigned int flags)
1054	{
1055	unsigned char ipout[16];
1056	size_t iplen;
1057
1058	if (ipasc == NULL)
1059	return -2;
1060	iplen = (size_t)ossl_a2i_ipadd(ipout, ipasc);
1061	if (iplen == 0)
1062	return -2;
1063	return do_x509_check(x, (char *)ipout, iplen, flags, GEN_IPADD, NULL);
1064	}
1065
1066	char ossl_ipaddr_to_asc(unsigned char p, int len)
1067	{
1068	/*
1069	* 40 is enough space for the longest IPv6 address + nul terminator byte
1070	* XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX\0
1071	*/
1072	char buf[40], *out;
1073	int i = 0, remain = 0, bytes = 0;
1074
1075	switch (len) {
1076	case 4: /* IPv4 */
1077	BIO_snprintf(buf, sizeof(buf), "%d.%d.%d.%d", p[0], p[1], p[2], p[3]);
1078	break;
1079	case 16: /* IPv6 */
1080	for (out = buf, i = 8, remain = sizeof(buf);
1081	i-- > 0 && bytes >= 0;
1082	remain -= bytes, out += bytes) {
1083	const char *template = (i > 0 ? "%X:" : "%X");
1084
1085	bytes = BIO_snprintf(out, remain, template, p[0] << 8 \| p[1]);
1086	p += 2;
1087	}
1088	break;
1089	default:
1090	BIO_snprintf(buf, sizeof(buf), "<invalid length=%d>", len);
1091	break;
1092	}
1093	return OPENSSL_strdup(buf);
1094	}
1095
1096	/*
1097	* Convert IP addresses both IPv4 and IPv6 into an OCTET STRING compatible
1098	* with RFC3280.
1099	*/
1100
1101	ASN1_OCTET_STRING a2i_IPADDRESS(const char ipasc)
1102	{
1103	unsigned char ipout[16];
1104	ASN1_OCTET_STRING *ret;
1105	int iplen;
1106
1107	/* If string contains a ':' assume IPv6 */
1108
1109	iplen = ossl_a2i_ipadd(ipout, ipasc);
1110
1111	if (!iplen)
1112	return NULL;
1113
1114	ret = ASN1_OCTET_STRING_new();
1115	if (ret == NULL)
1116	return NULL;
1117	if (!ASN1_OCTET_STRING_set(ret, ipout, iplen)) {
1118	ASN1_OCTET_STRING_free(ret);
1119	return NULL;
1120	}
1121	return ret;
1122	}
1123
1124	ASN1_OCTET_STRING a2i_IPADDRESS_NC(const char ipasc)
1125	{
1126	ASN1_OCTET_STRING *ret = NULL;
1127	unsigned char ipout[32];
1128	char iptmp = NULL, p;
1129	int iplen1, iplen2;
1130
1131	p = strchr(ipasc, '/');
1132	if (p == NULL)
1133	return NULL;
1134	iptmp = OPENSSL_strdup(ipasc);
1135	if (iptmp == NULL)
1136	return NULL;
1137	p = iptmp + (p - ipasc);
1138	*p++ = 0;
1139
1140	iplen1 = ossl_a2i_ipadd(ipout, iptmp);
1141
1142	if (!iplen1)
1143	goto err;
1144
1145	iplen2 = ossl_a2i_ipadd(ipout + iplen1, p);
1146
1147	OPENSSL_free(iptmp);
1148	iptmp = NULL;
1149
1150	if (!iplen2 \|\| (iplen1 != iplen2))
1151	goto err;
1152
1153	ret = ASN1_OCTET_STRING_new();
1154	if (ret == NULL)
1155	goto err;
1156	if (!ASN1_OCTET_STRING_set(ret, ipout, iplen1 + iplen2))
1157	goto err;
1158
1159	return ret;
1160
1161	err:
1162	OPENSSL_free(iptmp);
1163	ASN1_OCTET_STRING_free(ret);
1164	return NULL;
1165	}
1166
1167	int ossl_a2i_ipadd(unsigned char ipout, const char ipasc)
1168	{
1169	/* If string contains a ':' assume IPv6 */
1170
1171	if (strchr(ipasc, ':')) {
1172	if (!ipv6_from_asc(ipout, ipasc))
1173	return 0;
1174	return 16;
1175	} else {
1176	if (!ipv4_from_asc(ipout, ipasc))
1177	return 0;
1178	return 4;
1179	}
1180	}
1181
1182	static int ipv4_from_asc(unsigned char v4, const char in)
1183	{
1184	const char *p;
1185	int a0, a1, a2, a3, n;
1186
1187	if (sscanf(in, "%d.%d.%d.%d%n", &a0, &a1, &a2, &a3, &n) != 4)
1188	return 0;
1189	if ((a0 < 0) \|\| (a0 > 255) \|\| (a1 < 0) \|\| (a1 > 255)
1190	\|\| (a2 < 0) \|\| (a2 > 255) \|\| (a3 < 0) \|\| (a3 > 255))
1191	return 0;
1192	p = in + n;
1193	if (!(p == '\0' \|\| ossl_isspace(p)))
1194	return 0;
1195	v4[0] = a0;
1196	v4[1] = a1;
1197	v4[2] = a2;
1198	v4[3] = a3;
1199	return 1;
1200	}
1201
1202	typedef struct {
1203	/* Temporary store for IPV6 output */
1204	unsigned char tmp[16];
1205	/* Total number of bytes in tmp */
1206	int total;
1207	/* The position of a zero (corresponding to '::') */
1208	int zero_pos;
1209	/* Number of zeroes */
1210	int zero_cnt;
1211	} IPV6_STAT;
1212
1213	static int ipv6_from_asc(unsigned char v6, const char in)
1214	{
1215	IPV6_STAT v6stat;
1216
1217	v6stat.total = 0;
1218	v6stat.zero_pos = -1;
1219	v6stat.zero_cnt = 0;
1220	/*
1221	* Treat the IPv6 representation as a list of values separated by ':'.
1222	* The presence of a '::' will parse as one, two or three zero length
1223	* elements.
1224	*/
1225	if (!CONF_parse_list(in, ':', 0, ipv6_cb, &v6stat))
1226	return 0;
1227
1228	/* Now for some sanity checks */
1229
1230	if (v6stat.zero_pos == -1) {
1231	/* If no '::' must have exactly 16 bytes */
1232	if (v6stat.total != 16)
1233	return 0;
1234	} else {
1235	/* If '::' must have less than 16 bytes */
1236	if (v6stat.total == 16)
1237	return 0;
1238	/* More than three zeroes is an error */
1239	if (v6stat.zero_cnt > 3) {
1240	return 0;
1241	/* Can only have three zeroes if nothing else present */
1242	} else if (v6stat.zero_cnt == 3) {
1243	if (v6stat.total > 0)
1244	return 0;
1245	} else if (v6stat.zero_cnt == 2) {
1246	/* Can only have two zeroes if at start or end */
1247	if ((v6stat.zero_pos != 0)
1248	&& (v6stat.zero_pos != v6stat.total))
1249	return 0;
1250	} else {
1251	/* Can only have one zero if not start or end */
1252	if ((v6stat.zero_pos == 0)
1253	\|\| (v6stat.zero_pos == v6stat.total))
1254	return 0;
1255	}
1256	}
1257
1258	/* Format result */
1259
1260	if (v6stat.zero_pos >= 0) {
1261	/* Copy initial part */
1262	memcpy(v6, v6stat.tmp, v6stat.zero_pos);
1263	/* Zero middle */
1264	memset(v6 + v6stat.zero_pos, 0, 16 - v6stat.total);
1265	/* Copy final part */
1266	if (v6stat.total != v6stat.zero_pos)
1267	memcpy(v6 + v6stat.zero_pos + 16 - v6stat.total,
1268	v6stat.tmp + v6stat.zero_pos,
1269	v6stat.total - v6stat.zero_pos);
1270	} else {
1271	memcpy(v6, v6stat.tmp, 16);
1272	}
1273
1274	return 1;
1275	}
1276
1277	static int ipv6_cb(const char elem, int len, void usr)
1278	{
1279	IPV6_STAT *s = usr;
1280
1281	/* Error if 16 bytes written */
1282	if (s->total == 16)
1283	return 0;
1284	if (len == 0) {
1285	/* Zero length element, corresponds to '::' */
1286	if (s->zero_pos == -1)
1287	s->zero_pos = s->total;
1288	/* If we've already got a :: its an error */
1289	else if (s->zero_pos != s->total)
1290	return 0;
1291	s->zero_cnt++;
1292	} else {
1293	/* If more than 4 characters could be final a.b.c.d form */
1294	if (len > 4) {
1295	/* Need at least 4 bytes left */
1296	if (s->total > 12)
1297	return 0;
1298	/* Must be end of string */
1299	if (elem[len])
1300	return 0;
1301	if (!ipv4_from_asc(s->tmp + s->total, elem))
1302	return 0;
1303	s->total += 4;
1304	} else {
1305	if (!ipv6_hex(s->tmp + s->total, elem, len))
1306	return 0;
1307	s->total += 2;
1308	}
1309	}
1310	return 1;
1311	}
1312
1313	/*
1314	* Convert a string of up to 4 hex digits into the corresponding IPv6 form.
1315	*/
1316
1317	static int ipv6_hex(unsigned char out, const char in, int inlen)
1318	{
1319	unsigned char c;
1320	unsigned int num = 0;
1321	int x;
1322
1323	if (inlen > 4)
1324	return 0;
1325	while (inlen--) {
1326	c = *in++;
1327	num <<= 4;
1328	x = OPENSSL_hexchar2int(c);
1329	if (x < 0)
1330	return 0;
1331	num \|= (char)x;
1332	}
1333	out[0] = num >> 8;
1334	out[1] = num & 0xff;
1335	return 1;
1336	}
1337
1338	int X509V3_NAME_from_section(X509_NAME nm, STACK_OF(CONF_VALUE) dn_sk,
1339	unsigned long chtype)
1340	{
1341	CONF_VALUE *v;
1342	int i, mval, spec_char, plus_char;
1343	char p, type;
1344
1345	if (!nm)
1346	return 0;
1347
1348	for (i = 0; i < sk_CONF_VALUE_num(dn_sk); i++) {
1349	v = sk_CONF_VALUE_value(dn_sk, i);
1350	type = v->name;
1351	/*
1352	* Skip past any leading X. X: X, etc to allow for multiple instances
1353	*/
1354	for (p = type; *p; p++) {
1355	#ifndef CHARSET_EBCDIC
1356	spec_char = ((p == ':') \|\| (p == ',') \|\| (*p == '.'));
1357	#else
1358	spec_char = ((p == os_toascii[':']) \|\| (p == os_toascii[','])
1359	\|\| (*p == os_toascii['.']));
1360	#endif
1361	if (spec_char) {
1362	p++;
1363	if (*p)
1364	type = p;
1365	break;
1366	}
1367	}
1368	#ifndef CHARSET_EBCDIC
1369	plus_char = (*type == '+');
1370	#else
1371	plus_char = (*type == os_toascii['+']);
1372	#endif
1373	if (plus_char) {
1374	mval = -1;
1375	type++;
1376	} else {
1377	mval = 0;
1378	}
1379	if (!X509_NAME_add_entry_by_txt(nm, type, chtype,
1380	(unsigned char *)v->value, -1, -1,
1381	mval))
1382	return 0;
1383
1384	}
1385	return 1;
1386	}

注意: 瀏覽 TracBrowser 來幫助您使用儲存庫瀏覽器

source: vbox/trunk/src/libs/openssl-3.3.2/crypto/x509/v3_utl.c@ 108358

以其他格式下載: