sync code with last fixes and improvements from OpenBSD

This commit is contained in:
purplerain 2023-06-07 21:20:56 +00:00
parent 4b78db449c
commit bf0676207f
Signed by: purplerain
GPG key ID: F42C07F07E2E35B7
2406 changed files with 6353 additions and 434004 deletions

View file

@ -1,4 +1,4 @@
/* $OpenBSD: x509_vpm.c,v 1.37 2023/04/28 16:50:16 beck Exp $ */
/* $OpenBSD: x509_vpm.c,v 1.40 2023/05/28 05:25:24 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 2004.
*/
@ -122,7 +122,7 @@ sk_deep_copy(void *sk_void, void *copy_func_void, void *free_func_void)
}
static int
x509_param_set_hosts_internal(X509_VERIFY_PARAM_ID *id, int mode,
x509_param_set_hosts_internal(X509_VERIFY_PARAM *vpm, int mode,
const char *name, size_t namelen)
{
char *copy;
@ -135,9 +135,9 @@ x509_param_set_hosts_internal(X509_VERIFY_PARAM_ID *id, int mode,
if (name && memchr(name, '\0', namelen))
return 0;
if (mode == SET_HOST && id->hosts) {
sk_OPENSSL_STRING_pop_free(id->hosts, str_free);
id->hosts = NULL;
if (mode == SET_HOST && vpm->hosts) {
sk_OPENSSL_STRING_pop_free(vpm->hosts, str_free);
vpm->hosts = NULL;
}
if (name == NULL || namelen == 0)
return 1;
@ -145,17 +145,17 @@ x509_param_set_hosts_internal(X509_VERIFY_PARAM_ID *id, int mode,
if (copy == NULL)
return 0;
if (id->hosts == NULL &&
(id->hosts = sk_OPENSSL_STRING_new_null()) == NULL) {
if (vpm->hosts == NULL &&
(vpm->hosts = sk_OPENSSL_STRING_new_null()) == NULL) {
free(copy);
return 0;
}
if (!sk_OPENSSL_STRING_push(id->hosts, copy)) {
if (!sk_OPENSSL_STRING_push(vpm->hosts, copy)) {
free(copy);
if (sk_OPENSSL_STRING_num(id->hosts) == 0) {
sk_OPENSSL_STRING_free(id->hosts);
id->hosts = NULL;
if (sk_OPENSSL_STRING_num(vpm->hosts) == 0) {
sk_OPENSSL_STRING_free(vpm->hosts);
vpm->hosts = NULL;
}
return 0;
}
@ -166,9 +166,9 @@ x509_param_set_hosts_internal(X509_VERIFY_PARAM_ID *id, int mode,
static void
x509_verify_param_zero(X509_VERIFY_PARAM *param)
{
X509_VERIFY_PARAM_ID *paramid;
if (!param)
return;
free(param->name);
param->name = NULL;
param->purpose = 0;
@ -177,40 +177,29 @@ x509_verify_param_zero(X509_VERIFY_PARAM *param)
param->inh_flags = 0;
param->flags = 0;
param->depth = -1;
if (param->policies) {
sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free);
param->policies = NULL;
}
paramid = param->id;
if (paramid->hosts) {
sk_OPENSSL_STRING_pop_free(paramid->hosts, str_free);
paramid->hosts = NULL;
}
free(paramid->peername);
paramid->peername = NULL;
free(paramid->email);
paramid->email = NULL;
paramid->emaillen = 0;
free(paramid->ip);
paramid->ip = NULL;
paramid->iplen = 0;
paramid->poisoned = 0;
sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free);
param->policies = NULL;
sk_OPENSSL_STRING_pop_free(param->hosts, str_free);
param->hosts = NULL;
free(param->peername);
param->peername = NULL;
free(param->email);
param->email = NULL;
param->emaillen = 0;
free(param->ip);
param->ip = NULL;
param->iplen = 0;
param->poisoned = 0;
}
X509_VERIFY_PARAM *
X509_VERIFY_PARAM_new(void)
{
X509_VERIFY_PARAM *param;
X509_VERIFY_PARAM_ID *paramid;
param = calloc(1, sizeof(X509_VERIFY_PARAM));
if (param == NULL)
return NULL;
paramid = calloc(1, sizeof(X509_VERIFY_PARAM_ID));
if (paramid == NULL) {
free(param);
return NULL;
}
param->id = paramid;
x509_verify_param_zero(param);
return param;
}
@ -222,7 +211,6 @@ X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param)
if (param == NULL)
return;
x509_verify_param_zero(param);
free(param->id);
free(param);
}
LCRYPTO_ALIAS(X509_VERIFY_PARAM_free);
@ -260,18 +248,11 @@ LCRYPTO_ALIAS(X509_VERIFY_PARAM_free);
*/
/* Macro to test if a field should be copied from src to dest */
#define test_x509_verify_param_copy(field, def) \
(to_overwrite || \
((src->field != def) && (to_default || (dest->field == def))))
/* As above but for ID fields */
#define test_x509_verify_param_copy_id(idf, def) \
test_x509_verify_param_copy(id->idf, def)
/* Macro to test and copy a field if necessary */
#define x509_verify_param_copy(field, def) \
if (test_x509_verify_param_copy(field, def)) \
dest->field = src->field
@ -281,11 +262,9 @@ X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest, const X509_VERIFY_PARAM *src)
{
unsigned long inh_flags;
int to_default, to_overwrite;
X509_VERIFY_PARAM_ID *id;
if (!src)
return 1;
id = src->id;
inh_flags = dest->inh_flags | src->inh_flags;
if (inh_flags & X509_VP_FLAG_ONCE)
@ -326,29 +305,28 @@ X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest, const X509_VERIFY_PARAM *src)
return 0;
}
/* Copy the host flags if and only if we're copying the host list */
if (test_x509_verify_param_copy_id(hosts, NULL)) {
if (dest->id->hosts) {
sk_OPENSSL_STRING_pop_free(dest->id->hosts, str_free);
dest->id->hosts = NULL;
x509_verify_param_copy(hostflags, 0);
if (test_x509_verify_param_copy(hosts, NULL)) {
if (dest->hosts) {
sk_OPENSSL_STRING_pop_free(dest->hosts, str_free);
dest->hosts = NULL;
}
if (id->hosts) {
dest->id->hosts =
sk_deep_copy(id->hosts, strdup, str_free);
if (dest->id->hosts == NULL)
if (src->hosts) {
dest->hosts = sk_deep_copy(src->hosts, strdup, str_free);
if (dest->hosts == NULL)
return 0;
dest->id->hostflags = id->hostflags;
}
}
if (test_x509_verify_param_copy_id(email, NULL)) {
if (!X509_VERIFY_PARAM_set1_email(dest, id->email,
id->emaillen))
if (test_x509_verify_param_copy(email, NULL)) {
if (!X509_VERIFY_PARAM_set1_email(dest, src->email,
src->emaillen))
return 0;
}
if (test_x509_verify_param_copy_id(ip, NULL)) {
if (!X509_VERIFY_PARAM_set1_ip(dest, id->ip, id->iplen))
if (test_x509_verify_param_copy(ip, NULL)) {
if (!X509_VERIFY_PARAM_set1_ip(dest, src->ip, src->iplen))
return 0;
}
@ -533,9 +511,9 @@ int
X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param,
const char *name, size_t namelen)
{
if (x509_param_set_hosts_internal(param->id, SET_HOST, name, namelen))
if (x509_param_set_hosts_internal(param, SET_HOST, name, namelen))
return 1;
param->id->poisoned = 1;
param->poisoned = 1;
return 0;
}
LCRYPTO_ALIAS(X509_VERIFY_PARAM_set1_host);
@ -544,24 +522,31 @@ int
X509_VERIFY_PARAM_add1_host(X509_VERIFY_PARAM *param,
const char *name, size_t namelen)
{
if (x509_param_set_hosts_internal(param->id, ADD_HOST, name, namelen))
if (x509_param_set_hosts_internal(param, ADD_HOST, name, namelen))
return 1;
param->id->poisoned = 1;
param->poisoned = 1;
return 0;
}
LCRYPTO_ALIAS(X509_VERIFY_PARAM_add1_host);
/* Public API in OpenSSL - nothing seems to use this. */
unsigned int
X509_VERIFY_PARAM_get_hostflags(X509_VERIFY_PARAM *param)
{
return param->hostflags;
}
void
X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param, unsigned int flags)
{
param->id->hostflags = flags;
param->hostflags = flags;
}
LCRYPTO_ALIAS(X509_VERIFY_PARAM_set_hostflags);
char *
X509_VERIFY_PARAM_get0_peername(X509_VERIFY_PARAM *param)
{
return param->id->peername;
return param->peername;
}
LCRYPTO_ALIAS(X509_VERIFY_PARAM_get0_peername);
@ -569,10 +554,10 @@ int
X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *param, const char *email,
size_t emaillen)
{
if (x509_param_set1_internal(&param->id->email, &param->id->emaillen,
if (x509_param_set1_internal(&param->email, &param->emaillen,
email, emaillen, 1))
return 1;
param->id->poisoned = 1;
param->poisoned = 1;
return 0;
}
LCRYPTO_ALIAS(X509_VERIFY_PARAM_set1_email);
@ -583,11 +568,11 @@ X509_VERIFY_PARAM_set1_ip(X509_VERIFY_PARAM *param, const unsigned char *ip,
{
if (iplen != 4 && iplen != 16)
goto err;
if (x509_param_set1_internal((char **)&param->id->ip, &param->id->iplen,
if (x509_param_set1_internal((char **)&param->ip, &param->iplen,
(char *)ip, iplen, 0))
return 1;
err:
param->id->poisoned = 1;
param->poisoned = 1;
return 0;
}
LCRYPTO_ALIAS(X509_VERIFY_PARAM_set1_ip);
@ -617,10 +602,6 @@ X509_VERIFY_PARAM_get0_name(const X509_VERIFY_PARAM *param)
}
LCRYPTO_ALIAS(X509_VERIFY_PARAM_get0_name);
static const X509_VERIFY_PARAM_ID _empty_id = { NULL };
#define vpm_empty_id (X509_VERIFY_PARAM_ID *)&_empty_id
/*
* Default verify parameters: these are used for various applications and can
* be overridden by the user specified table.
@ -632,35 +613,30 @@ static const X509_VERIFY_PARAM default_table[] = {
.flags = X509_V_FLAG_TRUSTED_FIRST,
.depth = 100,
.trust = 0, /* XXX This is not the default trust value */
.id = vpm_empty_id
},
{
.name = "pkcs7",
.purpose = X509_PURPOSE_SMIME_SIGN,
.trust = X509_TRUST_EMAIL,
.depth = -1,
.id = vpm_empty_id
},
{
.name = "smime_sign",
.purpose = X509_PURPOSE_SMIME_SIGN,
.trust = X509_TRUST_EMAIL,
.depth = -1,
.id = vpm_empty_id
},
{
.name = "ssl_client",
.purpose = X509_PURPOSE_SSL_CLIENT,
.trust = X509_TRUST_SSL_CLIENT,
.depth = -1,
.id = vpm_empty_id
},
{
.name = "ssl_server",
.purpose = X509_PURPOSE_SSL_SERVER,
.trust = X509_TRUST_SSL_SERVER,
.depth = -1,
.id = vpm_empty_id
}
};