提交 96ea4ae9 编写于 作者: B Ben Laurie

Add RFC 3779 support.

上级 7af57261
......@@ -423,6 +423,9 @@
Changes between 0.9.8d and 0.9.8e [XX xxx XXXX]
*) Add RFC 3779 support.
[Rob Austein for ARIN, Ben Laurie]
Changes between 0.9.8c and 0.9.8d [28 Sep 2006]
*) Introduce limits to prevent malicious keys being able to
......
......@@ -579,6 +579,7 @@ my $threads=0;
my $no_shared=0; # but "no-shared" is default
my $zlib=1; # but "no-zlib" is default
my $no_krb5=0; # but "no-krb5" is implied unless "--with-krb5-..." is used
my $rfc3779=1; # but "no-rfc3779" is default
my $no_asm=0;
my $no_dso=0;
my $no_gmp=0;
......@@ -614,6 +615,7 @@ my %disabled = ( # "what" => "comment"
"gmp" => "default",
"mdc2" => "default",
"rc5" => "default",
"rfc3779" => "default",
"shared" => "default",
"zlib" => "default",
"zlib-dynamic" => "default"
......@@ -901,6 +903,8 @@ foreach (sort (keys %disabled))
{ $symlink = 0; }
elsif (/^sse2$/)
{ $no_sse2 = 1; }
elsif (/^rfc3779$/)
{ $rfc3779 = 0; }
else
{
my ($ALGO, $algo);
......@@ -1137,6 +1141,11 @@ if ($zlib)
}
}
if ($rfc3779)
{
$openssl_other_defines.="#define OPENSSL_RFC3779\n";
}
# You will find shlib_mark1 and shlib_mark2 explained in Makefile.org
my $shared_mark = "";
if ($shared_target eq "")
......
......@@ -1525,6 +1525,7 @@ err:
if (x509) X509_free(x509);
X509_CRL_free(crl);
NCONF_free(conf);
NCONF_free(extconf);
OBJ_cleanup();
apps_shutdown();
OPENSSL_EXIT(ret);
......
......@@ -95,6 +95,10 @@ static int x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
ret->ex_pathlen = -1;
ret->skid = NULL;
ret->akid = NULL;
#ifdef OPENSSL_RFC3779
ret->rfc3779_addr = NULL;
ret->rfc3779_asid = NULL;
#endif
ret->aux = NULL;
ret->crldp = NULL;
CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509, ret, &ret->ex_data);
......@@ -112,6 +116,10 @@ static int x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
AUTHORITY_KEYID_free(ret->akid);
CRL_DIST_POINTS_free(ret->crldp);
policy_cache_free(ret->policy_cache);
#ifdef OPENSSL_RFC3779
sk_IPAddressFamily_pop_free(ret->rfc3779_addr, IPAddressFamily_free);
ASIdentifiers_free(ret->rfc3779_asid);
#endif
if (ret->name != NULL) OPENSSL_free(ret->name);
break;
......
......@@ -297,6 +297,30 @@ STACK_OF(type) \
#define sk_ACCESS_DESCRIPTION_sort(st) SKM_sk_sort(ACCESS_DESCRIPTION, (st))
#define sk_ACCESS_DESCRIPTION_is_sorted(st) SKM_sk_is_sorted(ACCESS_DESCRIPTION, (st))
#ifdef OPENSSL_RFC3779
#define sk_ASIdOrRange_new(st) SKM_sk_new(ASIdOrRange, (st))
#define sk_ASIdOrRange_new_null() SKM_sk_new_null(ASIdOrRange)
#define sk_ASIdOrRange_free(st) SKM_sk_free(ASIdOrRange, (st))
#define sk_ASIdOrRange_num(st) SKM_sk_num(ASIdOrRange, (st))
#define sk_ASIdOrRange_value(st, i) SKM_sk_value(ASIdOrRange, (st), (i))
#define sk_ASIdOrRange_set(st, i, val) SKM_sk_set(ASIdOrRange, (st), (i), (val))
#define sk_ASIdOrRange_zero(st) SKM_sk_zero(ASIdOrRange, (st))
#define sk_ASIdOrRange_push(st, val) SKM_sk_push(ASIdOrRange, (st), (val))
#define sk_ASIdOrRange_unshift(st, val) SKM_sk_unshift(ASIdOrRange, (st), (val))
#define sk_ASIdOrRange_find(st, val) SKM_sk_find(ASIdOrRange, (st), (val))
#define sk_ASIdOrRange_find_ex(st, val) SKM_sk_find_ex(ASIdOrRange, (st), (val))
#define sk_ASIdOrRange_delete(st, i) SKM_sk_delete(ASIdOrRange, (st), (i))
#define sk_ASIdOrRange_delete_ptr(st, ptr) SKM_sk_delete_ptr(ASIdOrRange, (st), (ptr))
#define sk_ASIdOrRange_insert(st, val, i) SKM_sk_insert(ASIdOrRange, (st), (val), (i))
#define sk_ASIdOrRange_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(ASIdOrRange, (st), (cmp))
#define sk_ASIdOrRange_dup(st) SKM_sk_dup(ASIdOrRange, st)
#define sk_ASIdOrRange_pop_free(st, free_func) SKM_sk_pop_free(ASIdOrRange, (st), (free_func))
#define sk_ASIdOrRange_shift(st) SKM_sk_shift(ASIdOrRange, (st))
#define sk_ASIdOrRange_pop(st) SKM_sk_pop(ASIdOrRange, (st))
#define sk_ASIdOrRange_sort(st) SKM_sk_sort(ASIdOrRange, (st))
#define sk_ASIdOrRange_is_sorted(st) SKM_sk_is_sorted(ASIdOrRange, (st))
#endif /* def OPENSSL_RFC3779 */
#define sk_ASN1_GENERALSTRING_new(st) SKM_sk_new(ASN1_GENERALSTRING, (st))
#define sk_ASN1_GENERALSTRING_new_null() SKM_sk_new_null(ASN1_GENERALSTRING)
#define sk_ASN1_GENERALSTRING_free(st) SKM_sk_free(ASN1_GENERALSTRING, (st))
......@@ -781,6 +805,52 @@ STACK_OF(type) \
#define sk_GENERAL_SUBTREE_sort(st) SKM_sk_sort(GENERAL_SUBTREE, (st))
#define sk_GENERAL_SUBTREE_is_sorted(st) SKM_sk_is_sorted(GENERAL_SUBTREE, (st))
#ifdef OPENSSL_RFC3779
#define sk_IPAddressFamily_new(st) SKM_sk_new(IPAddressFamily, (st))
#define sk_IPAddressFamily_new_null() SKM_sk_new_null(IPAddressFamily)
#define sk_IPAddressFamily_free(st) SKM_sk_free(IPAddressFamily, (st))
#define sk_IPAddressFamily_num(st) SKM_sk_num(IPAddressFamily, (st))
#define sk_IPAddressFamily_value(st, i) SKM_sk_value(IPAddressFamily, (st), (i))
#define sk_IPAddressFamily_set(st, i, val) SKM_sk_set(IPAddressFamily, (st), (i), (val))
#define sk_IPAddressFamily_zero(st) SKM_sk_zero(IPAddressFamily, (st))
#define sk_IPAddressFamily_push(st, val) SKM_sk_push(IPAddressFamily, (st), (val))
#define sk_IPAddressFamily_unshift(st, val) SKM_sk_unshift(IPAddressFamily, (st), (val))
#define sk_IPAddressFamily_find(st, val) SKM_sk_find(IPAddressFamily, (st), (val))
#define sk_IPAddressFamily_find_ex(st, val) SKM_sk_find_ex(IPAddressFamily, (st), (val))
#define sk_IPAddressFamily_delete(st, i) SKM_sk_delete(IPAddressFamily, (st), (i))
#define sk_IPAddressFamily_delete_ptr(st, ptr) SKM_sk_delete_ptr(IPAddressFamily, (st), (ptr))
#define sk_IPAddressFamily_insert(st, val, i) SKM_sk_insert(IPAddressFamily, (st), (val), (i))
#define sk_IPAddressFamily_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(IPAddressFamily, (st), (cmp))
#define sk_IPAddressFamily_dup(st) SKM_sk_dup(IPAddressFamily, st)
#define sk_IPAddressFamily_pop_free(st, free_func) SKM_sk_pop_free(IPAddressFamily, (st), (free_func))
#define sk_IPAddressFamily_shift(st) SKM_sk_shift(IPAddressFamily, (st))
#define sk_IPAddressFamily_pop(st) SKM_sk_pop(IPAddressFamily, (st))
#define sk_IPAddressFamily_sort(st) SKM_sk_sort(IPAddressFamily, (st))
#define sk_IPAddressFamily_is_sorted(st) SKM_sk_is_sorted(IPAddressFamily, (st))
#define sk_IPAddressOrRange_new(st) SKM_sk_new(IPAddressOrRange, (st))
#define sk_IPAddressOrRange_new_null() SKM_sk_new_null(IPAddressOrRange)
#define sk_IPAddressOrRange_free(st) SKM_sk_free(IPAddressOrRange, (st))
#define sk_IPAddressOrRange_num(st) SKM_sk_num(IPAddressOrRange, (st))
#define sk_IPAddressOrRange_value(st, i) SKM_sk_value(IPAddressOrRange, (st), (i))
#define sk_IPAddressOrRange_set(st, i, val) SKM_sk_set(IPAddressOrRange, (st), (i), (val))
#define sk_IPAddressOrRange_zero(st) SKM_sk_zero(IPAddressOrRange, (st))
#define sk_IPAddressOrRange_push(st, val) SKM_sk_push(IPAddressOrRange, (st), (val))
#define sk_IPAddressOrRange_unshift(st, val) SKM_sk_unshift(IPAddressOrRange, (st), (val))
#define sk_IPAddressOrRange_find(st, val) SKM_sk_find(IPAddressOrRange, (st), (val))
#define sk_IPAddressOrRange_find_ex(st, val) SKM_sk_find_ex(IPAddressOrRange, (st), (val))
#define sk_IPAddressOrRange_delete(st, i) SKM_sk_delete(IPAddressOrRange, (st), (i))
#define sk_IPAddressOrRange_delete_ptr(st, ptr) SKM_sk_delete_ptr(IPAddressOrRange, (st), (ptr))
#define sk_IPAddressOrRange_insert(st, val, i) SKM_sk_insert(IPAddressOrRange, (st), (val), (i))
#define sk_IPAddressOrRange_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(IPAddressOrRange, (st), (cmp))
#define sk_IPAddressOrRange_dup(st) SKM_sk_dup(IPAddressOrRange, st)
#define sk_IPAddressOrRange_pop_free(st, free_func) SKM_sk_pop_free(IPAddressOrRange, (st), (free_func))
#define sk_IPAddressOrRange_shift(st) SKM_sk_shift(IPAddressOrRange, (st))
#define sk_IPAddressOrRange_pop(st) SKM_sk_pop(IPAddressOrRange, (st))
#define sk_IPAddressOrRange_sort(st) SKM_sk_sort(IPAddressOrRange, (st))
#define sk_IPAddressOrRange_is_sorted(st) SKM_sk_is_sorted(IPAddressOrRange, (st))
#endif /* def OPENSSL_RFC3779 */
#define sk_KRB5_APREQBODY_new(st) SKM_sk_new(KRB5_APREQBODY, (st))
#define sk_KRB5_APREQBODY_new_null() SKM_sk_new_null(KRB5_APREQBODY)
#define sk_KRB5_APREQBODY_free(st) SKM_sk_free(KRB5_APREQBODY, (st))
......
......@@ -291,6 +291,10 @@ struct x509_st
AUTHORITY_KEYID *akid;
X509_POLICY_CACHE *policy_cache;
STACK_OF(DIST_POINT) *crldp;
#ifdef OPENSSL_RFC3779
STACK_OF(IPAddressFamily) *rfc3779_addr;
struct ASIdentifiers_st *rfc3779_asid;
#endif
#ifndef OPENSSL_NO_SHA
unsigned char sha1_hash[SHA_DIGEST_LENGTH];
#endif
......
......@@ -166,6 +166,8 @@ const char *X509_verify_cert_error_string(long n)
return("Different CRL scope");
case X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE:
return("Unsupported extension feature");
case X509_V_ERR_UNNESTED_RESOURCE:
return("RFC 3779 resource not subset of parent's resources");
default:
BIO_snprintf(buf,sizeof buf,"error number %ld",n);
return(buf);
......
......@@ -314,6 +314,14 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
ok=internal_verify(ctx);
if(!ok) goto end;
#ifdef OPENSSL_RFC3779
/* RFC 3779 path validation, now that CRL check has been done */
ok = v3_asid_validate_path(ctx);
if (!ok) goto end;
ok = v3_addr_validate_path(ctx);
if (!ok) goto end;
#endif
/* If we get this far evaluate policies */
if (!bad_chain && (ctx->param->flags & X509_V_FLAG_POLICY_CHECK))
ok = ctx->check_policy(ctx);
......
......@@ -339,6 +339,7 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
#define X509_V_ERR_DIFFERENT_CRL_SCOPE 44
#define X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE 45
#define X509_V_ERR_UNNESTED_RESOURCE 46
/* The application is not happy */
#define X509_V_ERR_APPLICATION_VERIFICATION 50
......
......@@ -21,12 +21,14 @@ LIBSRC= v3_bcons.c v3_bitst.c v3_conf.c v3_extku.c v3_ia5.c v3_lib.c \
v3_prn.c v3_utl.c v3err.c v3_genn.c v3_alt.c v3_skey.c v3_akey.c v3_pku.c \
v3_int.c v3_enum.c v3_sxnet.c v3_cpols.c v3_crld.c v3_purp.c v3_info.c \
v3_ocsp.c v3_akeya.c v3_pmaps.c v3_pcons.c v3_ncons.c v3_pcia.c v3_pci.c \
pcy_cache.c pcy_node.c pcy_data.c pcy_map.c pcy_tree.c pcy_lib.c
pcy_cache.c pcy_node.c pcy_data.c pcy_map.c pcy_tree.c pcy_lib.c \
v3_asid.c v3_addr.c
LIBOBJ= v3_bcons.o v3_bitst.o v3_conf.o v3_extku.o v3_ia5.o v3_lib.o \
v3_prn.o v3_utl.o v3err.o v3_genn.o v3_alt.o v3_skey.o v3_akey.o v3_pku.o \
v3_int.o v3_enum.o v3_sxnet.o v3_cpols.o v3_crld.o v3_purp.o v3_info.o \
v3_ocsp.o v3_akeya.o v3_pmaps.o v3_pcons.o v3_ncons.o v3_pcia.o v3_pci.o \
pcy_cache.o pcy_node.o pcy_data.o pcy_map.o pcy_tree.o pcy_lib.o
pcy_cache.o pcy_node.o pcy_data.o pcy_map.o pcy_tree.o pcy_lib.o \
v3_asid.o v3_addr.o
SRC= $(LIBSRC)
......@@ -166,6 +168,20 @@ pcy_tree.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
pcy_tree.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
pcy_tree.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
pcy_tree.o: ../cryptlib.h pcy_int.h pcy_tree.c
v3_addr.o: ../../e_os.h ../../include/openssl/asn1.h
v3_addr.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
v3_addr.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
v3_addr.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
v3_addr.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
v3_addr.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
v3_addr.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
v3_addr.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
v3_addr.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
v3_addr.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
v3_addr.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
v3_addr.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
v3_addr.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
v3_addr.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_addr.c
v3_akey.o: ../../e_os.h ../../include/openssl/asn1.h
v3_akey.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
v3_akey.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
......@@ -208,6 +224,21 @@ v3_alt.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
v3_alt.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
v3_alt.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
v3_alt.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_alt.c
v3_asid.o: ../../e_os.h ../../include/openssl/asn1.h
v3_asid.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
v3_asid.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
v3_asid.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
v3_asid.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
v3_asid.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
v3_asid.o: ../../include/openssl/err.h ../../include/openssl/evp.h
v3_asid.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
v3_asid.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
v3_asid.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
v3_asid.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
v3_asid.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
v3_asid.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
v3_asid.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
v3_asid.o: ../cryptlib.h v3_asid.c
v3_bcons.o: ../../e_os.h ../../include/openssl/asn1.h
v3_bcons.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
v3_bcons.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
......
......@@ -67,6 +67,7 @@ extern X509V3_EXT_METHOD v3_ocsp_crlid, v3_ocsp_nocheck, v3_ocsp_serviceloc;
extern X509V3_EXT_METHOD v3_crl_hold, v3_pci;
extern X509V3_EXT_METHOD v3_policy_mappings, v3_policy_constraints;
extern X509V3_EXT_METHOD v3_name_constraints, v3_inhibit_anyp, v3_idp;
extern X509V3_EXT_METHOD v3_addr, v3_asid;
/* This table will be searched using OBJ_bsearch so it *must* kept in
* order of the ext_nid values.
......@@ -99,6 +100,10 @@ static X509V3_EXT_METHOD *standard_exts[] = {
#endif
&v3_sxnet,
&v3_info,
#ifdef OPENSSL_RFC3779
&v3_addr,
&v3_asid,
#endif
#ifndef OPENSSL_NO_OCSP
&v3_ocsp_nonce,
&v3_ocsp_crlid,
......
......@@ -628,6 +628,16 @@ int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy,
/* Tree OK: continue */
case 1:
if (!tree)
/*
* tree_init() returns success and a null tree
* if it's just looking at a trust anchor.
* I'm not sure that returning success here is
* correct, but I'm sure that reporting this
* as an internal error which our caller
* interprets as a malloc failure is wrong.
*/
return 1;
break;
}
......
此差异已折叠。
此差异已折叠。
......@@ -287,7 +287,12 @@ int X509_supported_extension(X509_EXTENSION *ex)
NID_key_usage, /* 83 */
NID_subject_alt_name, /* 85 */
NID_basic_constraints, /* 87 */
NID_certificate_policies, /* 89 */
NID_ext_key_usage, /* 126 */
#ifdef OPENSSL_RFC3779
NID_sbgp_ipAddrBlock, /* 290 */
NID_sbgp_autonomousSysNum, /* 291 */
#endif
NID_proxyCertInfo /* 661 */
};
......@@ -413,6 +418,11 @@ static void x509v3_cache_extensions(X509 *x)
x->skid =X509_get_ext_d2i(x, NID_subject_key_identifier, NULL, NULL);
x->akid =X509_get_ext_d2i(x, NID_authority_key_identifier, NULL, NULL);
x->crldp = X509_get_ext_d2i(x, NID_crl_distribution_points, NULL, NULL);
#ifdef OPENSSL_RFC3779
x->rfc3779_addr =X509_get_ext_d2i(x, NID_sbgp_ipAddrBlock, NULL, NULL);
x->rfc3779_asid =X509_get_ext_d2i(x, NID_sbgp_autonomousSysNum,
NULL, NULL);
#endif
for (i = 0; i < X509_get_ext_count(x); i++)
{
ex = X509_get_ext(x, i);
......
......@@ -71,7 +71,6 @@ static STACK *get_email(X509_NAME *name, GENERAL_NAMES *gens);
static void str_free(void *str);
static int append_ia5(STACK **sk, ASN1_IA5STRING *email);
static int a2i_ipadd(unsigned char *ipout, const char *ipasc);
static int ipv4_from_asc(unsigned char *v4, const char *in);
static int ipv6_from_asc(unsigned char *v6, const char *in);
static int ipv6_cb(const char *elem, int len, void *usr);
......@@ -615,7 +614,7 @@ ASN1_OCTET_STRING *a2i_IPADDRESS_NC(const char *ipasc)
}
static int a2i_ipadd(unsigned char *ipout, const char *ipasc)
int a2i_ipadd(unsigned char *ipout, const char *ipasc)
{
/* If string contains a ':' assume IPv6 */
......
......@@ -70,6 +70,8 @@
static ERR_STRING_DATA X509V3_str_functs[]=
{
{ERR_FUNC(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE), "ASIDENTIFIERCHOICE_CANONIZE"},
{ERR_FUNC(X509V3_F_ASIDENTIFIERCHOICE_IS_CANONICAL), "ASIDENTIFIERCHOICE_IS_CANONICAL"},
{ERR_FUNC(X509V3_F_COPY_EMAIL), "COPY_EMAIL"},
{ERR_FUNC(X509V3_F_COPY_ISSUER), "COPY_ISSUER"},
{ERR_FUNC(X509V3_F_DO_DIRNAME), "DO_DIRNAME"},
......@@ -101,6 +103,7 @@ static ERR_STRING_DATA X509V3_str_functs[]=
{ERR_FUNC(X509V3_F_SXNET_ADD_ID_ULONG), "SXNET_add_id_ulong"},
{ERR_FUNC(X509V3_F_SXNET_GET_ID_ASC), "SXNET_get_id_asc"},
{ERR_FUNC(X509V3_F_SXNET_GET_ID_ULONG), "SXNET_get_id_ulong"},
{ERR_FUNC(X509V3_F_V2I_ASIDENTIFIERS), "V2I_ASIDENTIFIERS"},
{ERR_FUNC(X509V3_F_V2I_ASN1_BIT_STRING), "v2i_ASN1_BIT_STRING"},
{ERR_FUNC(X509V3_F_V2I_AUTHORITY_INFO_ACCESS), "V2I_AUTHORITY_INFO_ACCESS"},
{ERR_FUNC(X509V3_F_V2I_AUTHORITY_KEYID), "V2I_AUTHORITY_KEYID"},
......@@ -110,11 +113,13 @@ static ERR_STRING_DATA X509V3_str_functs[]=
{ERR_FUNC(X509V3_F_V2I_GENERAL_NAMES), "v2i_GENERAL_NAMES"},
{ERR_FUNC(X509V3_F_V2I_GENERAL_NAME_EX), "v2i_GENERAL_NAME_ex"},
{ERR_FUNC(X509V3_F_V2I_IDP), "V2I_IDP"},
{ERR_FUNC(X509V3_F_V2I_IPADDRBLOCKS), "V2I_IPADDRBLOCKS"},
{ERR_FUNC(X509V3_F_V2I_ISSUER_ALT), "V2I_ISSUER_ALT"},
{ERR_FUNC(X509V3_F_V2I_NAME_CONSTRAINTS), "V2I_NAME_CONSTRAINTS"},
{ERR_FUNC(X509V3_F_V2I_POLICY_CONSTRAINTS), "V2I_POLICY_CONSTRAINTS"},
{ERR_FUNC(X509V3_F_V2I_POLICY_MAPPINGS), "V2I_POLICY_MAPPINGS"},
{ERR_FUNC(X509V3_F_V2I_SUBJECT_ALT), "V2I_SUBJECT_ALT"},
{ERR_FUNC(X509V3_F_V3_ADDR_VALIDATE_PATH_INTERNAL), "V3_ADDR_VALIDATE_PATH_INTERNAL"},
{ERR_FUNC(X509V3_F_V3_GENERIC_EXTENSION), "V3_GENERIC_EXTENSION"},
{ERR_FUNC(X509V3_F_X509V3_ADD1_I2D), "X509V3_add1_i2d"},
{ERR_FUNC(X509V3_F_X509V3_ADD_VALUE), "X509V3_add_value"},
......@@ -154,8 +159,12 @@ static ERR_STRING_DATA X509V3_str_reasons[]=
{ERR_REASON(X509V3_R_ILLEGAL_HEX_DIGIT) ,"illegal hex digit"},
{ERR_REASON(X509V3_R_INCORRECT_POLICY_SYNTAX_TAG),"incorrect policy syntax tag"},
{ERR_REASON(X509V3_R_INVAID_MULTIPLE_RDNS),"invaid multiple rdns"},
{ERR_REASON(X509V3_R_INVALID_ASNUMBER) ,"invalid asnumber"},
{ERR_REASON(X509V3_R_INVALID_ASRANGE) ,"invalid asrange"},
{ERR_REASON(X509V3_R_INVALID_BOOLEAN_STRING),"invalid boolean string"},
{ERR_REASON(X509V3_R_INVALID_EXTENSION_STRING),"invalid extension string"},
{ERR_REASON(X509V3_R_INVALID_INHERITANCE),"invalid inheritance"},
{ERR_REASON(X509V3_R_INVALID_IPADDRESS) ,"invalid ipaddress"},
{ERR_REASON(X509V3_R_INVALID_NAME) ,"invalid name"},
{ERR_REASON(X509V3_R_INVALID_NULL_ARGUMENT),"invalid null argument"},
{ERR_REASON(X509V3_R_INVALID_NULL_NAME) ,"invalid null name"},
......@@ -167,6 +176,7 @@ static ERR_STRING_DATA X509V3_str_reasons[]=
{ERR_REASON(X509V3_R_INVALID_POLICY_IDENTIFIER),"invalid policy identifier"},
{ERR_REASON(X509V3_R_INVALID_PROXY_POLICY_SETTING),"invalid proxy policy setting"},
{ERR_REASON(X509V3_R_INVALID_PURPOSE) ,"invalid purpose"},
{ERR_REASON(X509V3_R_INVALID_SAFI) ,"invalid safi"},
{ERR_REASON(X509V3_R_INVALID_SECTION) ,"invalid section"},
{ERR_REASON(X509V3_R_INVALID_SYNTAX) ,"invalid syntax"},
{ERR_REASON(X509V3_R_ISSUER_DECODE_ERROR),"issuer decode error"},
......
......@@ -652,11 +652,161 @@ void X509_email_free(STACK *sk);
ASN1_OCTET_STRING *a2i_IPADDRESS(const char *ipasc);
ASN1_OCTET_STRING *a2i_IPADDRESS_NC(const char *ipasc);
int a2i_ipadd(unsigned char *ipout, const char *ipasc);
int X509V3_NAME_from_section(X509_NAME *nm, STACK_OF(CONF_VALUE)*dn_sk,
unsigned long chtype);
void X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent);
#ifdef OPENSSL_RFC3779
typedef struct ASRange_st {
ASN1_INTEGER *min, *max;
} ASRange;
#define ASIdOrRange_id 0
#define ASIdOrRange_range 1
typedef struct ASIdOrRange_st {
int type;
union {
ASN1_INTEGER *id;
ASRange *range;
} u;
} ASIdOrRange;
typedef STACK_OF(ASIdOrRange) ASIdOrRanges;
DECLARE_STACK_OF(ASIdOrRange)
#define ASIdentifierChoice_inherit 0
#define ASIdentifierChoice_asIdsOrRanges 1
typedef struct ASIdentifierChoice_st {
int type;
union {
ASN1_NULL *inherit;
ASIdOrRanges *asIdsOrRanges;
} u;
} ASIdentifierChoice;
typedef struct ASIdentifiers_st {
ASIdentifierChoice *asnum, *rdi;
} ASIdentifiers;
DECLARE_ASN1_FUNCTIONS(ASRange)
DECLARE_ASN1_FUNCTIONS(ASIdOrRange)
DECLARE_ASN1_FUNCTIONS(ASIdentifierChoice)
DECLARE_ASN1_FUNCTIONS(ASIdentifiers)
typedef struct IPAddressRange_st {
ASN1_BIT_STRING *min, *max;
} IPAddressRange;
#define IPAddressOrRange_addressPrefix 0
#define IPAddressOrRange_addressRange 1
typedef struct IPAddressOrRange_st {
int type;
union {
ASN1_BIT_STRING *addressPrefix;
IPAddressRange *addressRange;
} u;
} IPAddressOrRange;
typedef STACK_OF(IPAddressOrRange) IPAddressOrRanges;
DECLARE_STACK_OF(IPAddressOrRange)
#define IPAddressChoice_inherit 0
#define IPAddressChoice_addressesOrRanges 1
typedef struct IPAddressChoice_st {
int type;
union {
ASN1_NULL *inherit;
IPAddressOrRanges *addressesOrRanges;
} u;
} IPAddressChoice;
typedef struct IPAddressFamily_st {
ASN1_OCTET_STRING *addressFamily;
IPAddressChoice *ipAddressChoice;
} IPAddressFamily;
typedef STACK_OF(IPAddressFamily) IPAddrBlocks;
DECLARE_STACK_OF(IPAddressFamily)
DECLARE_ASN1_FUNCTIONS(IPAddressRange)
DECLARE_ASN1_FUNCTIONS(IPAddressOrRange)
DECLARE_ASN1_FUNCTIONS(IPAddressChoice)
DECLARE_ASN1_FUNCTIONS(IPAddressFamily)
/*
* API tag for elements of the ASIdentifer SEQUENCE.
*/
#define V3_ASID_ASNUM 0
#define V3_ASID_RDI 1
/*
* AFI values, assigned by IANA. It'd be nice to make the AFI
* handling code totally generic, but there are too many little things
* that would need to be defined for other address families for it to
* be worth the trouble.
*/
#define IANA_AFI_IPV4 1
#define IANA_AFI_IPV6 2
/*
* Utilities to construct and extract values from RFC3779 extensions,
* since some of the encodings (particularly for IP address prefixes
* and ranges) are a bit tedious to work with directly.
*/
int v3_asid_add_inherit(ASIdentifiers *asid, int which);
int v3_asid_add_id_or_range(ASIdentifiers *asid, int which,
ASN1_INTEGER *min, ASN1_INTEGER *max);
int v3_addr_add_inherit(IPAddrBlocks *addr,
const unsigned afi, const unsigned *safi);
int v3_addr_add_prefix(IPAddrBlocks *addr,
const unsigned afi, const unsigned *safi,
unsigned char *a, const int prefixlen);
int v3_addr_add_range(IPAddrBlocks *addr,
const unsigned afi, const unsigned *safi,
unsigned char *min, unsigned char *max);
unsigned v3_addr_get_afi(const IPAddressFamily *f);
int v3_addr_get_range(IPAddressOrRange *aor, const unsigned afi,
unsigned char *min, unsigned char *max,
const int length);
/*
* Canonical forms.
*/
int v3_asid_is_canonical(ASIdentifiers *asid);
int v3_addr_is_canonical(IPAddrBlocks *addr);
int v3_asid_canonize(ASIdentifiers *asid);
int v3_addr_canonize(IPAddrBlocks *addr);
/*
* Tests for inheritance and containment.
*/
int v3_asid_inherits(ASIdentifiers *asid);
int v3_addr_inherits(IPAddrBlocks *addr);
int v3_asid_subset(ASIdentifiers *a, ASIdentifiers *b);
int v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b);
/*
* Check whether RFC 3779 extensions nest properly in chains.
*/
int v3_asid_validate_path(X509_STORE_CTX *);
int v3_addr_validate_path(X509_STORE_CTX *);
int v3_asid_validate_resource_set(STACK_OF(X509) *chain,
ASIdentifiers *ext,
int allow_inheritance);
int v3_addr_validate_resource_set(STACK_OF(X509) *chain,
IPAddrBlocks *ext,
int allow_inheritance);
#endif /* OPENSSL_RFC3779 */
/* BEGIN ERROR CODES */
/* The following lines are auto generated by the script mkerr.pl. Any changes
* made after this point may be overwritten when the script is next run.
......@@ -666,6 +816,8 @@ void ERR_load_X509V3_strings(void);
/* Error codes for the X509V3 functions. */
/* Function codes. */
#define X509V3_F_ASIDENTIFIERCHOICE_CANONIZE 161
#define X509V3_F_ASIDENTIFIERCHOICE_IS_CANONICAL 162
#define X509V3_F_COPY_EMAIL 122
#define X509V3_F_COPY_ISSUER 123
#define X509V3_F_DO_DIRNAME 144
......@@ -697,6 +849,7 @@ void ERR_load_X509V3_strings(void);
#define X509V3_F_SXNET_ADD_ID_ULONG 127
#define X509V3_F_SXNET_GET_ID_ASC 128
#define X509V3_F_SXNET_GET_ID_ULONG 129
#define X509V3_F_V2I_ASIDENTIFIERS 163
#define X509V3_F_V2I_ASN1_BIT_STRING 101
#define X509V3_F_V2I_AUTHORITY_INFO_ACCESS 139
#define X509V3_F_V2I_AUTHORITY_KEYID 119
......@@ -706,11 +859,13 @@ void ERR_load_X509V3_strings(void);
#define X509V3_F_V2I_GENERAL_NAMES 118
#define X509V3_F_V2I_GENERAL_NAME_EX 117
#define X509V3_F_V2I_IDP 157
#define X509V3_F_V2I_IPADDRBLOCKS 159
#define X509V3_F_V2I_ISSUER_ALT 153
#define X509V3_F_V2I_NAME_CONSTRAINTS 147
#define X509V3_F_V2I_POLICY_CONSTRAINTS 146
#define X509V3_F_V2I_POLICY_MAPPINGS 145
#define X509V3_F_V2I_SUBJECT_ALT 154
#define X509V3_F_V3_ADDR_VALIDATE_PATH_INTERNAL 160
#define X509V3_F_V3_GENERIC_EXTENSION 116
#define X509V3_F_X509V3_ADD1_I2D 140
#define X509V3_F_X509V3_ADD_VALUE 105
......@@ -747,8 +902,12 @@ void ERR_load_X509V3_strings(void);
#define X509V3_R_ILLEGAL_HEX_DIGIT 113
#define X509V3_R_INCORRECT_POLICY_SYNTAX_TAG 152
#define X509V3_R_INVAID_MULTIPLE_RDNS 161
#define X509V3_R_INVALID_ASNUMBER 162
#define X509V3_R_INVALID_ASRANGE 163
#define X509V3_R_INVALID_BOOLEAN_STRING 104
#define X509V3_R_INVALID_EXTENSION_STRING 105
#define X509V3_R_INVALID_INHERITANCE 165
#define X509V3_R_INVALID_IPADDRESS 166
#define X509V3_R_INVALID_NAME 106
#define X509V3_R_INVALID_NULL_ARGUMENT 107
#define X509V3_R_INVALID_NULL_NAME 108
......@@ -760,6 +919,7 @@ void ERR_load_X509V3_strings(void);
#define X509V3_R_INVALID_POLICY_IDENTIFIER 134
#define X509V3_R_INVALID_PROXY_POLICY_SETTING 153
#define X509V3_R_INVALID_PURPOSE 146
#define X509V3_R_INVALID_SAFI 164
#define X509V3_R_INVALID_SECTION 135
#define X509V3_R_INVALID_SYNTAX 143
#define X509V3_R_ISSUER_DECODE_ERROR 126
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册