1 | /*
|
---|
2 | * Copyright 2003-2016 The OpenSSL Project Authors. All Rights Reserved.
|
---|
3 | *
|
---|
4 | * Licensed under the OpenSSL license (the "License"). You may not use
|
---|
5 | * this file except in compliance with the License. You can obtain a copy
|
---|
6 | * in the file LICENSE in the source distribution or at
|
---|
7 | * https://www.openssl.org/source/license.html
|
---|
8 | */
|
---|
9 |
|
---|
10 | #include <stdio.h>
|
---|
11 | #include "internal/cryptlib.h"
|
---|
12 | #include "internal/asn1_int.h"
|
---|
13 | #include <openssl/asn1t.h>
|
---|
14 | #include <openssl/conf.h>
|
---|
15 | #include <openssl/x509v3.h>
|
---|
16 |
|
---|
17 | #include "internal/x509_int.h"
|
---|
18 | #include "ext_dat.h"
|
---|
19 |
|
---|
20 | static void *v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method,
|
---|
21 | X509V3_CTX *ctx,
|
---|
22 | STACK_OF(CONF_VALUE) *nval);
|
---|
23 | static int i2r_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method, void *a,
|
---|
24 | BIO *bp, int ind);
|
---|
25 | static int do_i2r_name_constraints(const X509V3_EXT_METHOD *method,
|
---|
26 | STACK_OF(GENERAL_SUBTREE) *trees, BIO *bp,
|
---|
27 | int ind, const char *name);
|
---|
28 | static int print_nc_ipadd(BIO *bp, ASN1_OCTET_STRING *ip);
|
---|
29 |
|
---|
30 | static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc);
|
---|
31 | static int nc_match_single(GENERAL_NAME *sub, GENERAL_NAME *gen);
|
---|
32 | static int nc_dn(X509_NAME *sub, X509_NAME *nm);
|
---|
33 | static int nc_dns(ASN1_IA5STRING *sub, ASN1_IA5STRING *dns);
|
---|
34 | static int nc_email(ASN1_IA5STRING *sub, ASN1_IA5STRING *eml);
|
---|
35 | static int nc_uri(ASN1_IA5STRING *uri, ASN1_IA5STRING *base);
|
---|
36 | static int nc_ip(ASN1_OCTET_STRING *ip, ASN1_OCTET_STRING *base);
|
---|
37 |
|
---|
38 | const X509V3_EXT_METHOD v3_name_constraints = {
|
---|
39 | NID_name_constraints, 0,
|
---|
40 | ASN1_ITEM_ref(NAME_CONSTRAINTS),
|
---|
41 | 0, 0, 0, 0,
|
---|
42 | 0, 0,
|
---|
43 | 0, v2i_NAME_CONSTRAINTS,
|
---|
44 | i2r_NAME_CONSTRAINTS, 0,
|
---|
45 | NULL
|
---|
46 | };
|
---|
47 |
|
---|
48 | ASN1_SEQUENCE(GENERAL_SUBTREE) = {
|
---|
49 | ASN1_SIMPLE(GENERAL_SUBTREE, base, GENERAL_NAME),
|
---|
50 | ASN1_IMP_OPT(GENERAL_SUBTREE, minimum, ASN1_INTEGER, 0),
|
---|
51 | ASN1_IMP_OPT(GENERAL_SUBTREE, maximum, ASN1_INTEGER, 1)
|
---|
52 | } ASN1_SEQUENCE_END(GENERAL_SUBTREE)
|
---|
53 |
|
---|
54 | ASN1_SEQUENCE(NAME_CONSTRAINTS) = {
|
---|
55 | ASN1_IMP_SEQUENCE_OF_OPT(NAME_CONSTRAINTS, permittedSubtrees,
|
---|
56 | GENERAL_SUBTREE, 0),
|
---|
57 | ASN1_IMP_SEQUENCE_OF_OPT(NAME_CONSTRAINTS, excludedSubtrees,
|
---|
58 | GENERAL_SUBTREE, 1),
|
---|
59 | } ASN1_SEQUENCE_END(NAME_CONSTRAINTS)
|
---|
60 |
|
---|
61 |
|
---|
62 | IMPLEMENT_ASN1_ALLOC_FUNCTIONS(GENERAL_SUBTREE)
|
---|
63 | IMPLEMENT_ASN1_ALLOC_FUNCTIONS(NAME_CONSTRAINTS)
|
---|
64 |
|
---|
65 | static void *v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method,
|
---|
66 | X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
|
---|
67 | {
|
---|
68 | int i;
|
---|
69 | CONF_VALUE tval, *val;
|
---|
70 | STACK_OF(GENERAL_SUBTREE) **ptree = NULL;
|
---|
71 | NAME_CONSTRAINTS *ncons = NULL;
|
---|
72 | GENERAL_SUBTREE *sub = NULL;
|
---|
73 |
|
---|
74 | ncons = NAME_CONSTRAINTS_new();
|
---|
75 | if (ncons == NULL)
|
---|
76 | goto memerr;
|
---|
77 | for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
|
---|
78 | val = sk_CONF_VALUE_value(nval, i);
|
---|
79 | if (strncmp(val->name, "permitted", 9) == 0 && val->name[9]) {
|
---|
80 | ptree = &ncons->permittedSubtrees;
|
---|
81 | tval.name = val->name + 10;
|
---|
82 | } else if (strncmp(val->name, "excluded", 8) == 0 && val->name[8]) {
|
---|
83 | ptree = &ncons->excludedSubtrees;
|
---|
84 | tval.name = val->name + 9;
|
---|
85 | } else {
|
---|
86 | X509V3err(X509V3_F_V2I_NAME_CONSTRAINTS, X509V3_R_INVALID_SYNTAX);
|
---|
87 | goto err;
|
---|
88 | }
|
---|
89 | tval.value = val->value;
|
---|
90 | sub = GENERAL_SUBTREE_new();
|
---|
91 | if (sub == NULL)
|
---|
92 | goto memerr;
|
---|
93 | if (!v2i_GENERAL_NAME_ex(sub->base, method, ctx, &tval, 1))
|
---|
94 | goto err;
|
---|
95 | if (*ptree == NULL)
|
---|
96 | *ptree = sk_GENERAL_SUBTREE_new_null();
|
---|
97 | if (*ptree == NULL || !sk_GENERAL_SUBTREE_push(*ptree, sub))
|
---|
98 | goto memerr;
|
---|
99 | sub = NULL;
|
---|
100 | }
|
---|
101 |
|
---|
102 | return ncons;
|
---|
103 |
|
---|
104 | memerr:
|
---|
105 | X509V3err(X509V3_F_V2I_NAME_CONSTRAINTS, ERR_R_MALLOC_FAILURE);
|
---|
106 | err:
|
---|
107 | NAME_CONSTRAINTS_free(ncons);
|
---|
108 | GENERAL_SUBTREE_free(sub);
|
---|
109 |
|
---|
110 | return NULL;
|
---|
111 | }
|
---|
112 |
|
---|
113 | static int i2r_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method, void *a,
|
---|
114 | BIO *bp, int ind)
|
---|
115 | {
|
---|
116 | NAME_CONSTRAINTS *ncons = a;
|
---|
117 | do_i2r_name_constraints(method, ncons->permittedSubtrees,
|
---|
118 | bp, ind, "Permitted");
|
---|
119 | do_i2r_name_constraints(method, ncons->excludedSubtrees,
|
---|
120 | bp, ind, "Excluded");
|
---|
121 | return 1;
|
---|
122 | }
|
---|
123 |
|
---|
124 | static int do_i2r_name_constraints(const X509V3_EXT_METHOD *method,
|
---|
125 | STACK_OF(GENERAL_SUBTREE) *trees,
|
---|
126 | BIO *bp, int ind, const char *name)
|
---|
127 | {
|
---|
128 | GENERAL_SUBTREE *tree;
|
---|
129 | int i;
|
---|
130 | if (sk_GENERAL_SUBTREE_num(trees) > 0)
|
---|
131 | BIO_printf(bp, "%*s%s:\n", ind, "", name);
|
---|
132 | for (i = 0; i < sk_GENERAL_SUBTREE_num(trees); i++) {
|
---|
133 | tree = sk_GENERAL_SUBTREE_value(trees, i);
|
---|
134 | BIO_printf(bp, "%*s", ind + 2, "");
|
---|
135 | if (tree->base->type == GEN_IPADD)
|
---|
136 | print_nc_ipadd(bp, tree->base->d.ip);
|
---|
137 | else
|
---|
138 | GENERAL_NAME_print(bp, tree->base);
|
---|
139 | BIO_puts(bp, "\n");
|
---|
140 | }
|
---|
141 | return 1;
|
---|
142 | }
|
---|
143 |
|
---|
144 | static int print_nc_ipadd(BIO *bp, ASN1_OCTET_STRING *ip)
|
---|
145 | {
|
---|
146 | int i, len;
|
---|
147 | unsigned char *p;
|
---|
148 | p = ip->data;
|
---|
149 | len = ip->length;
|
---|
150 | BIO_puts(bp, "IP:");
|
---|
151 | if (len == 8) {
|
---|
152 | BIO_printf(bp, "%d.%d.%d.%d/%d.%d.%d.%d",
|
---|
153 | p[0], p[1], p[2], p[3], p[4], p[5], p[6], p[7]);
|
---|
154 | } else if (len == 32) {
|
---|
155 | for (i = 0; i < 16; i++) {
|
---|
156 | BIO_printf(bp, "%X", p[0] << 8 | p[1]);
|
---|
157 | p += 2;
|
---|
158 | if (i == 7)
|
---|
159 | BIO_puts(bp, "/");
|
---|
160 | else if (i != 15)
|
---|
161 | BIO_puts(bp, ":");
|
---|
162 | }
|
---|
163 | } else
|
---|
164 | BIO_printf(bp, "IP Address:<invalid>");
|
---|
165 | return 1;
|
---|
166 | }
|
---|
167 |
|
---|
168 | /*-
|
---|
169 | * Check a certificate conforms to a specified set of constraints.
|
---|
170 | * Return values:
|
---|
171 | * X509_V_OK: All constraints obeyed.
|
---|
172 | * X509_V_ERR_PERMITTED_VIOLATION: Permitted subtree violation.
|
---|
173 | * X509_V_ERR_EXCLUDED_VIOLATION: Excluded subtree violation.
|
---|
174 | * X509_V_ERR_SUBTREE_MINMAX: Min or max values present and matching type.
|
---|
175 | * X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE: Unsupported constraint type.
|
---|
176 | * X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX: bad unsupported constraint syntax.
|
---|
177 | * X509_V_ERR_UNSUPPORTED_NAME_SYNTAX: bad or unsupported syntax of name
|
---|
178 | */
|
---|
179 |
|
---|
180 | int NAME_CONSTRAINTS_check(X509 *x, NAME_CONSTRAINTS *nc)
|
---|
181 | {
|
---|
182 | int r, i;
|
---|
183 | X509_NAME *nm;
|
---|
184 |
|
---|
185 | nm = X509_get_subject_name(x);
|
---|
186 |
|
---|
187 | if (X509_NAME_entry_count(nm) > 0) {
|
---|
188 | GENERAL_NAME gntmp;
|
---|
189 | gntmp.type = GEN_DIRNAME;
|
---|
190 | gntmp.d.directoryName = nm;
|
---|
191 |
|
---|
192 | r = nc_match(&gntmp, nc);
|
---|
193 |
|
---|
194 | if (r != X509_V_OK)
|
---|
195 | return r;
|
---|
196 |
|
---|
197 | gntmp.type = GEN_EMAIL;
|
---|
198 |
|
---|
199 | /* Process any email address attributes in subject name */
|
---|
200 |
|
---|
201 | for (i = -1;;) {
|
---|
202 | const X509_NAME_ENTRY *ne;
|
---|
203 |
|
---|
204 | i = X509_NAME_get_index_by_NID(nm, NID_pkcs9_emailAddress, i);
|
---|
205 | if (i == -1)
|
---|
206 | break;
|
---|
207 | ne = X509_NAME_get_entry(nm, i);
|
---|
208 | gntmp.d.rfc822Name = X509_NAME_ENTRY_get_data(ne);
|
---|
209 | if (gntmp.d.rfc822Name->type != V_ASN1_IA5STRING)
|
---|
210 | return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
|
---|
211 |
|
---|
212 | r = nc_match(&gntmp, nc);
|
---|
213 |
|
---|
214 | if (r != X509_V_OK)
|
---|
215 | return r;
|
---|
216 | }
|
---|
217 |
|
---|
218 | }
|
---|
219 |
|
---|
220 | for (i = 0; i < sk_GENERAL_NAME_num(x->altname); i++) {
|
---|
221 | GENERAL_NAME *gen = sk_GENERAL_NAME_value(x->altname, i);
|
---|
222 | r = nc_match(gen, nc);
|
---|
223 | if (r != X509_V_OK)
|
---|
224 | return r;
|
---|
225 | }
|
---|
226 |
|
---|
227 | return X509_V_OK;
|
---|
228 |
|
---|
229 | }
|
---|
230 |
|
---|
231 | int NAME_CONSTRAINTS_check_CN(X509 *x, NAME_CONSTRAINTS *nc)
|
---|
232 | {
|
---|
233 | int r, i;
|
---|
234 | X509_NAME *nm;
|
---|
235 |
|
---|
236 | ASN1_STRING stmp;
|
---|
237 | GENERAL_NAME gntmp;
|
---|
238 | stmp.flags = 0;
|
---|
239 | stmp.type = V_ASN1_IA5STRING;
|
---|
240 | gntmp.type = GEN_DNS;
|
---|
241 | gntmp.d.dNSName = &stmp;
|
---|
242 |
|
---|
243 | nm = X509_get_subject_name(x);
|
---|
244 |
|
---|
245 | /* Process any commonName attributes in subject name */
|
---|
246 |
|
---|
247 | for (i = -1;;) {
|
---|
248 | X509_NAME_ENTRY *ne;
|
---|
249 | ASN1_STRING *hn;
|
---|
250 | i = X509_NAME_get_index_by_NID(nm, NID_commonName, i);
|
---|
251 | if (i == -1)
|
---|
252 | break;
|
---|
253 | ne = X509_NAME_get_entry(nm, i);
|
---|
254 | hn = X509_NAME_ENTRY_get_data(ne);
|
---|
255 | /* Only process attributes that look like host names */
|
---|
256 | if (asn1_valid_host(hn)) {
|
---|
257 | unsigned char *h;
|
---|
258 | int hlen = ASN1_STRING_to_UTF8(&h, hn);
|
---|
259 | if (hlen <= 0)
|
---|
260 | return X509_V_ERR_OUT_OF_MEM;
|
---|
261 |
|
---|
262 | stmp.length = hlen;
|
---|
263 | stmp.data = h;
|
---|
264 |
|
---|
265 | r = nc_match(&gntmp, nc);
|
---|
266 |
|
---|
267 | OPENSSL_free(h);
|
---|
268 |
|
---|
269 | if (r != X509_V_OK)
|
---|
270 | return r;
|
---|
271 | }
|
---|
272 | }
|
---|
273 | return X509_V_OK;
|
---|
274 | }
|
---|
275 |
|
---|
276 | static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc)
|
---|
277 | {
|
---|
278 | GENERAL_SUBTREE *sub;
|
---|
279 | int i, r, match = 0;
|
---|
280 |
|
---|
281 | /*
|
---|
282 | * Permitted subtrees: if any subtrees exist of matching the type at
|
---|
283 | * least one subtree must match.
|
---|
284 | */
|
---|
285 |
|
---|
286 | for (i = 0; i < sk_GENERAL_SUBTREE_num(nc->permittedSubtrees); i++) {
|
---|
287 | sub = sk_GENERAL_SUBTREE_value(nc->permittedSubtrees, i);
|
---|
288 | if (gen->type != sub->base->type)
|
---|
289 | continue;
|
---|
290 | if (sub->minimum || sub->maximum)
|
---|
291 | return X509_V_ERR_SUBTREE_MINMAX;
|
---|
292 | /* If we already have a match don't bother trying any more */
|
---|
293 | if (match == 2)
|
---|
294 | continue;
|
---|
295 | if (match == 0)
|
---|
296 | match = 1;
|
---|
297 | r = nc_match_single(gen, sub->base);
|
---|
298 | if (r == X509_V_OK)
|
---|
299 | match = 2;
|
---|
300 | else if (r != X509_V_ERR_PERMITTED_VIOLATION)
|
---|
301 | return r;
|
---|
302 | }
|
---|
303 |
|
---|
304 | if (match == 1)
|
---|
305 | return X509_V_ERR_PERMITTED_VIOLATION;
|
---|
306 |
|
---|
307 | /* Excluded subtrees: must not match any of these */
|
---|
308 |
|
---|
309 | for (i = 0; i < sk_GENERAL_SUBTREE_num(nc->excludedSubtrees); i++) {
|
---|
310 | sub = sk_GENERAL_SUBTREE_value(nc->excludedSubtrees, i);
|
---|
311 | if (gen->type != sub->base->type)
|
---|
312 | continue;
|
---|
313 | if (sub->minimum || sub->maximum)
|
---|
314 | return X509_V_ERR_SUBTREE_MINMAX;
|
---|
315 |
|
---|
316 | r = nc_match_single(gen, sub->base);
|
---|
317 | if (r == X509_V_OK)
|
---|
318 | return X509_V_ERR_EXCLUDED_VIOLATION;
|
---|
319 | else if (r != X509_V_ERR_PERMITTED_VIOLATION)
|
---|
320 | return r;
|
---|
321 |
|
---|
322 | }
|
---|
323 |
|
---|
324 | return X509_V_OK;
|
---|
325 |
|
---|
326 | }
|
---|
327 |
|
---|
328 | static int nc_match_single(GENERAL_NAME *gen, GENERAL_NAME *base)
|
---|
329 | {
|
---|
330 | switch (base->type) {
|
---|
331 | case GEN_DIRNAME:
|
---|
332 | return nc_dn(gen->d.directoryName, base->d.directoryName);
|
---|
333 |
|
---|
334 | case GEN_DNS:
|
---|
335 | return nc_dns(gen->d.dNSName, base->d.dNSName);
|
---|
336 |
|
---|
337 | case GEN_EMAIL:
|
---|
338 | return nc_email(gen->d.rfc822Name, base->d.rfc822Name);
|
---|
339 |
|
---|
340 | case GEN_URI:
|
---|
341 | return nc_uri(gen->d.uniformResourceIdentifier,
|
---|
342 | base->d.uniformResourceIdentifier);
|
---|
343 |
|
---|
344 | case GEN_IPADD:
|
---|
345 | return nc_ip(gen->d.iPAddress, base->d.iPAddress);
|
---|
346 |
|
---|
347 | default:
|
---|
348 | return X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE;
|
---|
349 | }
|
---|
350 |
|
---|
351 | }
|
---|
352 |
|
---|
353 | /*
|
---|
354 | * directoryName name constraint matching. The canonical encoding of
|
---|
355 | * X509_NAME makes this comparison easy. It is matched if the subtree is a
|
---|
356 | * subset of the name.
|
---|
357 | */
|
---|
358 |
|
---|
359 | static int nc_dn(X509_NAME *nm, X509_NAME *base)
|
---|
360 | {
|
---|
361 | /* Ensure canonical encodings are up to date. */
|
---|
362 | if (nm->modified && i2d_X509_NAME(nm, NULL) < 0)
|
---|
363 | return X509_V_ERR_OUT_OF_MEM;
|
---|
364 | if (base->modified && i2d_X509_NAME(base, NULL) < 0)
|
---|
365 | return X509_V_ERR_OUT_OF_MEM;
|
---|
366 | if (base->canon_enclen > nm->canon_enclen)
|
---|
367 | return X509_V_ERR_PERMITTED_VIOLATION;
|
---|
368 | if (memcmp(base->canon_enc, nm->canon_enc, base->canon_enclen))
|
---|
369 | return X509_V_ERR_PERMITTED_VIOLATION;
|
---|
370 | return X509_V_OK;
|
---|
371 | }
|
---|
372 |
|
---|
373 | static int nc_dns(ASN1_IA5STRING *dns, ASN1_IA5STRING *base)
|
---|
374 | {
|
---|
375 | char *baseptr = (char *)base->data;
|
---|
376 | char *dnsptr = (char *)dns->data;
|
---|
377 | /* Empty matches everything */
|
---|
378 | if (!*baseptr)
|
---|
379 | return X509_V_OK;
|
---|
380 | /*
|
---|
381 | * Otherwise can add zero or more components on the left so compare RHS
|
---|
382 | * and if dns is longer and expect '.' as preceding character.
|
---|
383 | */
|
---|
384 | if (dns->length > base->length) {
|
---|
385 | dnsptr += dns->length - base->length;
|
---|
386 | if (*baseptr != '.' && dnsptr[-1] != '.')
|
---|
387 | return X509_V_ERR_PERMITTED_VIOLATION;
|
---|
388 | }
|
---|
389 |
|
---|
390 | if (strcasecmp(baseptr, dnsptr))
|
---|
391 | return X509_V_ERR_PERMITTED_VIOLATION;
|
---|
392 |
|
---|
393 | return X509_V_OK;
|
---|
394 |
|
---|
395 | }
|
---|
396 |
|
---|
397 | static int nc_email(ASN1_IA5STRING *eml, ASN1_IA5STRING *base)
|
---|
398 | {
|
---|
399 | const char *baseptr = (char *)base->data;
|
---|
400 | const char *emlptr = (char *)eml->data;
|
---|
401 |
|
---|
402 | const char *baseat = strchr(baseptr, '@');
|
---|
403 | const char *emlat = strchr(emlptr, '@');
|
---|
404 | if (!emlat)
|
---|
405 | return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
|
---|
406 | /* Special case: initial '.' is RHS match */
|
---|
407 | if (!baseat && (*baseptr == '.')) {
|
---|
408 | if (eml->length > base->length) {
|
---|
409 | emlptr += eml->length - base->length;
|
---|
410 | if (strcasecmp(baseptr, emlptr) == 0)
|
---|
411 | return X509_V_OK;
|
---|
412 | }
|
---|
413 | return X509_V_ERR_PERMITTED_VIOLATION;
|
---|
414 | }
|
---|
415 |
|
---|
416 | /* If we have anything before '@' match local part */
|
---|
417 |
|
---|
418 | if (baseat) {
|
---|
419 | if (baseat != baseptr) {
|
---|
420 | if ((baseat - baseptr) != (emlat - emlptr))
|
---|
421 | return X509_V_ERR_PERMITTED_VIOLATION;
|
---|
422 | /* Case sensitive match of local part */
|
---|
423 | if (strncmp(baseptr, emlptr, emlat - emlptr))
|
---|
424 | return X509_V_ERR_PERMITTED_VIOLATION;
|
---|
425 | }
|
---|
426 | /* Position base after '@' */
|
---|
427 | baseptr = baseat + 1;
|
---|
428 | }
|
---|
429 | emlptr = emlat + 1;
|
---|
430 | /* Just have hostname left to match: case insensitive */
|
---|
431 | if (strcasecmp(baseptr, emlptr))
|
---|
432 | return X509_V_ERR_PERMITTED_VIOLATION;
|
---|
433 |
|
---|
434 | return X509_V_OK;
|
---|
435 |
|
---|
436 | }
|
---|
437 |
|
---|
438 | static int nc_uri(ASN1_IA5STRING *uri, ASN1_IA5STRING *base)
|
---|
439 | {
|
---|
440 | const char *baseptr = (char *)base->data;
|
---|
441 | const char *hostptr = (char *)uri->data;
|
---|
442 | const char *p = strchr(hostptr, ':');
|
---|
443 | int hostlen;
|
---|
444 | /* Check for foo:// and skip past it */
|
---|
445 | if (!p || (p[1] != '/') || (p[2] != '/'))
|
---|
446 | return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
|
---|
447 | hostptr = p + 3;
|
---|
448 |
|
---|
449 | /* Determine length of hostname part of URI */
|
---|
450 |
|
---|
451 | /* Look for a port indicator as end of hostname first */
|
---|
452 |
|
---|
453 | p = strchr(hostptr, ':');
|
---|
454 | /* Otherwise look for trailing slash */
|
---|
455 | if (!p)
|
---|
456 | p = strchr(hostptr, '/');
|
---|
457 |
|
---|
458 | if (!p)
|
---|
459 | hostlen = strlen(hostptr);
|
---|
460 | else
|
---|
461 | hostlen = p - hostptr;
|
---|
462 |
|
---|
463 | if (hostlen == 0)
|
---|
464 | return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
|
---|
465 |
|
---|
466 | /* Special case: initial '.' is RHS match */
|
---|
467 | if (*baseptr == '.') {
|
---|
468 | if (hostlen > base->length) {
|
---|
469 | p = hostptr + hostlen - base->length;
|
---|
470 | if (strncasecmp(p, baseptr, base->length) == 0)
|
---|
471 | return X509_V_OK;
|
---|
472 | }
|
---|
473 | return X509_V_ERR_PERMITTED_VIOLATION;
|
---|
474 | }
|
---|
475 |
|
---|
476 | if ((base->length != (int)hostlen)
|
---|
477 | || strncasecmp(hostptr, baseptr, hostlen))
|
---|
478 | return X509_V_ERR_PERMITTED_VIOLATION;
|
---|
479 |
|
---|
480 | return X509_V_OK;
|
---|
481 |
|
---|
482 | }
|
---|
483 |
|
---|
484 | static int nc_ip(ASN1_OCTET_STRING *ip, ASN1_OCTET_STRING *base)
|
---|
485 | {
|
---|
486 | int hostlen, baselen, i;
|
---|
487 | unsigned char *hostptr, *baseptr, *maskptr;
|
---|
488 | hostptr = ip->data;
|
---|
489 | hostlen = ip->length;
|
---|
490 | baseptr = base->data;
|
---|
491 | baselen = base->length;
|
---|
492 |
|
---|
493 | /* Invalid if not IPv4 or IPv6 */
|
---|
494 | if (!((hostlen == 4) || (hostlen == 16)))
|
---|
495 | return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
|
---|
496 | if (!((baselen == 8) || (baselen == 32)))
|
---|
497 | return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
|
---|
498 |
|
---|
499 | /* Do not match IPv4 with IPv6 */
|
---|
500 | if (hostlen * 2 != baselen)
|
---|
501 | return X509_V_ERR_PERMITTED_VIOLATION;
|
---|
502 |
|
---|
503 | maskptr = base->data + hostlen;
|
---|
504 |
|
---|
505 | /* Considering possible not aligned base ipAddress */
|
---|
506 | /* Not checking for wrong mask definition: i.e.: 255.0.255.0 */
|
---|
507 | for (i = 0; i < hostlen; i++)
|
---|
508 | if ((hostptr[i] & maskptr[i]) != (baseptr[i] & maskptr[i]))
|
---|
509 | return X509_V_ERR_PERMITTED_VIOLATION;
|
---|
510 |
|
---|
511 | return X509_V_OK;
|
---|
512 |
|
---|
513 | }
|
---|