📄 v3_asid.c
字号:
X509V3_R_EXTENSION_VALUE_ERROR); goto done; } /* * Calculate a_max + 1 to check for adjacency. */ if ((bn == NULL && (bn = BN_new()) == NULL) || ASN1_INTEGER_to_BN(a_max, bn) == NULL || !BN_add_word(bn, 1) || (a_max_plus_one = BN_to_ASN1_INTEGER(bn, a_max_plus_one)) == NULL) { X509V3err(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE, ERR_R_MALLOC_FAILURE); goto done; } /* * If a and b are adjacent, merge them. */ if (ASN1_INTEGER_cmp(a_max_plus_one, b_min) == 0) { ASRange *r; switch (a->type) { case ASIdOrRange_id: if ((r = OPENSSL_malloc(sizeof(ASRange))) == NULL) { X509V3err(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE, ERR_R_MALLOC_FAILURE); goto done; } r->min = a_min; r->max = b_max; a->type = ASIdOrRange_range; a->u.range = r; break; case ASIdOrRange_range: ASN1_INTEGER_free(a->u.range->max); a->u.range->max = b_max; break; } switch (b->type) { case ASIdOrRange_id: b->u.id = NULL; break; case ASIdOrRange_range: b->u.range->max = NULL; break; } ASIdOrRange_free(b); (void)sk_ASIdOrRange_delete(choice->u.asIdsOrRanges, i + 1); i--; continue; } } assert(ASIdentifierChoice_is_canonical(choice)); /* Paranoia */ ret = 1; done: ASN1_INTEGER_free(a_max_plus_one); BN_free(bn); return ret;}/* * Whack an ASIdentifier extension into canonical form. */int v3_asid_canonize(ASIdentifiers *asid){ return (asid == NULL || (ASIdentifierChoice_canonize(asid->asnum) && ASIdentifierChoice_canonize(asid->rdi)));}/* * v2i method for an ASIdentifier extension. */static void *v2i_ASIdentifiers(struct v3_ext_method *method, struct v3_ext_ctx *ctx, STACK_OF(CONF_VALUE) *values){ ASIdentifiers *asid = NULL; int i; if ((asid = ASIdentifiers_new()) == NULL) { X509V3err(X509V3_F_V2I_ASIDENTIFIERS, ERR_R_MALLOC_FAILURE); return NULL; } for (i = 0; i < sk_CONF_VALUE_num(values); i++) { CONF_VALUE *val = sk_CONF_VALUE_value(values, i); ASN1_INTEGER *min = NULL, *max = NULL; int i1, i2, i3, is_range, which; /* * Figure out whether this is an AS or an RDI. */ if ( !name_cmp(val->name, "AS")) { which = V3_ASID_ASNUM; } else if (!name_cmp(val->name, "RDI")) { which = V3_ASID_RDI; } else { X509V3err(X509V3_F_V2I_ASIDENTIFIERS, X509V3_R_EXTENSION_NAME_ERROR); X509V3_conf_err(val); goto err; } /* * Handle inheritance. */ if (!strcmp(val->value, "inherit")) { if (v3_asid_add_inherit(asid, which)) continue; X509V3err(X509V3_F_V2I_ASIDENTIFIERS, X509V3_R_INVALID_INHERITANCE); X509V3_conf_err(val); goto err; } /* * Number, range, or mistake, pick it apart and figure out which. */ i1 = strspn(val->value, "0123456789"); if (val->value[i1] == '\0') { is_range = 0; } else { is_range = 1; i2 = i1 + strspn(val->value + i1, " \t"); if (val->value[i2] != '-') { X509V3err(X509V3_F_V2I_ASIDENTIFIERS, X509V3_R_INVALID_ASNUMBER); X509V3_conf_err(val); goto err; } i2++; i2 = i2 + strspn(val->value + i2, " \t"); i3 = i2 + strspn(val->value + i2, "0123456789"); if (val->value[i3] != '\0') { X509V3err(X509V3_F_V2I_ASIDENTIFIERS, X509V3_R_INVALID_ASRANGE); X509V3_conf_err(val); goto err; } } /* * Syntax is ok, read and add it. */ if (!is_range) { if (!X509V3_get_value_int(val, &min)) { X509V3err(X509V3_F_V2I_ASIDENTIFIERS, ERR_R_MALLOC_FAILURE); goto err; } } else { char *s = BUF_strdup(val->value); if (s == NULL) { X509V3err(X509V3_F_V2I_ASIDENTIFIERS, ERR_R_MALLOC_FAILURE); goto err; } s[i1] = '\0'; min = s2i_ASN1_INTEGER(NULL, s); max = s2i_ASN1_INTEGER(NULL, s + i2); OPENSSL_free(s); if (min == NULL || max == NULL) { ASN1_INTEGER_free(min); ASN1_INTEGER_free(max); X509V3err(X509V3_F_V2I_ASIDENTIFIERS, ERR_R_MALLOC_FAILURE); goto err; } } if (!v3_asid_add_id_or_range(asid, which, min, max)) { ASN1_INTEGER_free(min); ASN1_INTEGER_free(max); X509V3err(X509V3_F_V2I_ASIDENTIFIERS, ERR_R_MALLOC_FAILURE); goto err; } } /* * Canonize the result, then we're done. */ if (!v3_asid_canonize(asid)) goto err; return asid; err: ASIdentifiers_free(asid); return NULL;}/* * OpenSSL dispatch. */const X509V3_EXT_METHOD v3_asid = { NID_sbgp_autonomousSysNum, /* nid */ 0, /* flags */ ASN1_ITEM_ref(ASIdentifiers), /* template */ 0, 0, 0, 0, /* old functions, ignored */ 0, /* i2s */ 0, /* s2i */ 0, /* i2v */ v2i_ASIdentifiers, /* v2i */ i2r_ASIdentifiers, /* i2r */ 0, /* r2i */ NULL /* extension-specific data */};/* * Figure out whether extension uses inheritance. */int v3_asid_inherits(ASIdentifiers *asid){ return (asid != NULL && ((asid->asnum != NULL && asid->asnum->type == ASIdentifierChoice_inherit) || (asid->rdi != NULL && asid->rdi->type == ASIdentifierChoice_inherit)));}/* * Figure out whether parent contains child. */static int asid_contains(ASIdOrRanges *parent, ASIdOrRanges *child){ ASN1_INTEGER *p_min, *p_max, *c_min, *c_max; int p, c; if (child == NULL || parent == child) return 1; if (parent == NULL) return 0; p = 0; for (c = 0; c < sk_ASIdOrRange_num(child); c++) { extract_min_max(sk_ASIdOrRange_value(child, c), &c_min, &c_max); for (;; p++) { if (p >= sk_ASIdOrRange_num(parent)) return 0; extract_min_max(sk_ASIdOrRange_value(parent, p), &p_min, &p_max); if (ASN1_INTEGER_cmp(p_max, c_max) < 0) continue; if (ASN1_INTEGER_cmp(p_min, c_min) > 0) return 0; break; } } return 1;}/* * Test whether a is a subet of b. */int v3_asid_subset(ASIdentifiers *a, ASIdentifiers *b){ return (a == NULL || a == b || (b != NULL && !v3_asid_inherits(a) && !v3_asid_inherits(b) && asid_contains(b->asnum->u.asIdsOrRanges, a->asnum->u.asIdsOrRanges) && asid_contains(b->rdi->u.asIdsOrRanges, a->rdi->u.asIdsOrRanges)));}/* * Validation error handling via callback. */#define validation_err(_err_) \ do { \ if (ctx != NULL) { \ ctx->error = _err_; \ ctx->error_depth = i; \ ctx->current_cert = x; \ ret = ctx->verify_cb(0, ctx); \ } else { \ ret = 0; \ } \ if (!ret) \ goto done; \ } while (0)/* * Core code for RFC 3779 3.3 path validation. */static int v3_asid_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509) *chain, ASIdentifiers *ext){ ASIdOrRanges *child_as = NULL, *child_rdi = NULL; int i, ret = 1, inherit_as = 0, inherit_rdi = 0; X509 *x = NULL; assert(chain != NULL && sk_X509_num(chain) > 0); assert(ctx != NULL || ext != NULL); assert(ctx == NULL || ctx->verify_cb != NULL); /* * Figure out where to start. If we don't have an extension to * check, we're done. Otherwise, check canonical form and * set up for walking up the chain. */ if (ext != NULL) { i = -1; } else { i = 0; x = sk_X509_value(chain, i); assert(x != NULL); if ((ext = x->rfc3779_asid) == NULL) goto done; } if (!v3_asid_is_canonical(ext)) validation_err(X509_V_ERR_INVALID_EXTENSION); if (ext->asnum != NULL) { switch (ext->asnum->type) { case ASIdentifierChoice_inherit: inherit_as = 1; break; case ASIdentifierChoice_asIdsOrRanges: child_as = ext->asnum->u.asIdsOrRanges; break; } } if (ext->rdi != NULL) { switch (ext->rdi->type) { case ASIdentifierChoice_inherit: inherit_rdi = 1; break; case ASIdentifierChoice_asIdsOrRanges: child_rdi = ext->rdi->u.asIdsOrRanges; break; } } /* * Now walk up the chain. Extensions must be in canonical form, no * cert may list resources that its parent doesn't list. */ for (i++; i < sk_X509_num(chain); i++) { x = sk_X509_value(chain, i); assert(x != NULL); if (x->rfc3779_asid == NULL) { if (child_as != NULL || child_rdi != NULL) validation_err(X509_V_ERR_UNNESTED_RESOURCE); continue; } if (!v3_asid_is_canonical(x->rfc3779_asid)) validation_err(X509_V_ERR_INVALID_EXTENSION); if (x->rfc3779_asid->asnum == NULL && child_as != NULL) { validation_err(X509_V_ERR_UNNESTED_RESOURCE); child_as = NULL; inherit_as = 0; } if (x->rfc3779_asid->asnum != NULL && x->rfc3779_asid->asnum->type == ASIdentifierChoice_asIdsOrRanges) { if (inherit_as || asid_contains(x->rfc3779_asid->asnum->u.asIdsOrRanges, child_as)) { child_as = x->rfc3779_asid->asnum->u.asIdsOrRanges; inherit_as = 0; } else { validation_err(X509_V_ERR_UNNESTED_RESOURCE); } } if (x->rfc3779_asid->rdi == NULL && child_rdi != NULL) { validation_err(X509_V_ERR_UNNESTED_RESOURCE); child_rdi = NULL; inherit_rdi = 0; } if (x->rfc3779_asid->rdi != NULL && x->rfc3779_asid->rdi->type == ASIdentifierChoice_asIdsOrRanges) { if (inherit_rdi || asid_contains(x->rfc3779_asid->rdi->u.asIdsOrRanges, child_rdi)) { child_rdi = x->rfc3779_asid->rdi->u.asIdsOrRanges; inherit_rdi = 0; } else { validation_err(X509_V_ERR_UNNESTED_RESOURCE); } } } /* * Trust anchor can't inherit. */ if (x->rfc3779_asid != NULL) { if (x->rfc3779_asid->asnum != NULL && x->rfc3779_asid->asnum->type == ASIdentifierChoice_inherit) validation_err(X509_V_ERR_UNNESTED_RESOURCE); if (x->rfc3779_asid->rdi != NULL && x->rfc3779_asid->rdi->type == ASIdentifierChoice_inherit) validation_err(X509_V_ERR_UNNESTED_RESOURCE); } done: return ret;}#undef validation_err/* * RFC 3779 3.3 path validation -- called from X509_verify_cert(). */int v3_asid_validate_path(X509_STORE_CTX *ctx){ return v3_asid_validate_path_internal(ctx, ctx->chain, NULL);}/* * RFC 3779 3.3 path validation of an extension. * Test whether chain covers extension. */int v3_asid_validate_resource_set(STACK_OF(X509) *chain, ASIdentifiers *ext, int allow_inheritance){ if (ext == NULL) return 1; if (chain == NULL || sk_X509_num(chain) == 0) return 0; if (!allow_inheritance && v3_asid_inherits(ext)) return 0; return v3_asid_validate_path_internal(NULL, chain, ext);}#endif /* OPENSSL_NO_RFC3779 */⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -