diff options
Diffstat (limited to 'src/crypto/x509/x509_vpm.c')
-rw-r--r-- | src/crypto/x509/x509_vpm.c | 126 |
1 files changed, 105 insertions, 21 deletions
diff --git a/src/crypto/x509/x509_vpm.c b/src/crypto/x509/x509_vpm.c index 3daaf61..8c8f98e 100644 --- a/src/crypto/x509/x509_vpm.c +++ b/src/crypto/x509/x509_vpm.c @@ -58,6 +58,7 @@ #include <openssl/lhash.h> #include <openssl/mem.h> #include <openssl/obj.h> +#include <openssl/stack.h> #include <openssl/x509.h> #include <openssl/x509v3.h> @@ -66,6 +67,59 @@ /* X509_VERIFY_PARAM functions */ +#define SET_HOST 0 +#define ADD_HOST 1 + +static char *str_copy(char *s) { return OPENSSL_strdup(s); } +static void str_free(char *s) { OPENSSL_free(s); } + +#define string_stack_free(sk) sk_OPENSSL_STRING_pop_free(sk, str_free) + +static int int_x509_param_set_hosts(X509_VERIFY_PARAM_ID *id, int mode, + const char *name, size_t namelen) + { + char *copy; + + /* + * Refuse names with embedded NUL bytes. + * XXX: Do we need to push an error onto the error stack? + */ + if (name && memchr(name, '\0', namelen)) + return 0; + + if (mode == SET_HOST && id->hosts) + { + string_stack_free(id->hosts); + id->hosts = NULL; + } + if (name == NULL || namelen == 0) + return 1; + + copy = BUF_strndup(name, namelen); + if (copy == NULL) + return 0; + + if (id->hosts == NULL && + (id->hosts = sk_OPENSSL_STRING_new_null()) == NULL) + { + OPENSSL_free(copy); + return 0; + } + + if (!sk_OPENSSL_STRING_push(id->hosts, copy)) + { + OPENSSL_free(copy); + if (sk_OPENSSL_STRING_num(id->hosts) == 0) + { + sk_OPENSSL_STRING_free(id->hosts); + id->hosts = NULL; + } + return 0; + } + + return 1; + } + static void x509_verify_param_zero(X509_VERIFY_PARAM *param) { X509_VERIFY_PARAM_ID *paramid; @@ -84,11 +138,15 @@ static void x509_verify_param_zero(X509_VERIFY_PARAM *param) param->policies = NULL; } paramid = param->id; - if (paramid->host) + if (paramid->hosts) { - OPENSSL_free(paramid->host); - paramid->host = NULL; - paramid->hostlen = 0; + string_stack_free(paramid->hosts); + paramid->hosts = NULL; + } + if (paramid->peername) + { + OPENSSL_free(paramid->peername); + paramid->peername = NULL; } if (paramid->email) { @@ -127,6 +185,8 @@ X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void) void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param) { + if (param == NULL) + return; x509_verify_param_zero(param); OPENSSL_free(param->id); OPENSSL_free(param); @@ -232,11 +292,23 @@ int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest, return 0; } - if (test_x509_verify_param_copy_id(host, NULL)) + /* Copy the host flags if and only if we're copying the host list */ + if (test_x509_verify_param_copy_id(hosts, NULL)) { - if (!X509_VERIFY_PARAM_set1_host(dest, id->host, id->hostlen)) - return 0; - dest->id->hostflags = id->hostflags; + if (dest->id->hosts) + { + string_stack_free(dest->id->hosts); + dest->id->hosts = NULL; + } + if (id->hosts) + { + dest->id->hosts = + sk_OPENSSL_STRING_deep_copy(id->hosts, + str_copy, str_free); + if (dest->id->hosts == NULL) + return 0; + dest->id->hostflags = id->hostflags; + } } if (test_x509_verify_param_copy_id(email, NULL)) @@ -265,16 +337,16 @@ int X509_VERIFY_PARAM_set1(X509_VERIFY_PARAM *to, return ret; } -static int int_x509_param_set1(unsigned char **pdest, size_t *pdestlen, - const unsigned char *src, size_t srclen) +static int int_x509_param_set1(char **pdest, size_t *pdestlen, + const char *src, size_t srclen) { void *tmp; if (src) { if (srclen == 0) { - tmp = BUF_strdup((char *)src); - srclen = strlen((char *)src); + tmp = BUF_strdup(src); + srclen = strlen(src); } else tmp = BUF_memdup(src, srclen); @@ -394,10 +466,15 @@ int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param, } int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param, - const unsigned char *name, size_t namelen) + const char *name, size_t namelen) + { + return int_x509_param_set_hosts(param->id, SET_HOST, name, namelen); + } + +int X509_VERIFY_PARAM_add1_host(X509_VERIFY_PARAM *param, + const char *name, size_t namelen) { - return int_x509_param_set1(¶m->id->host, ¶m->id->hostlen, - name, namelen); + return int_x509_param_set_hosts(param->id, ADD_HOST, name, namelen); } void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param, @@ -406,8 +483,13 @@ void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param, param->id->hostflags = flags; } +char *X509_VERIFY_PARAM_get0_peername(X509_VERIFY_PARAM *param) + { + return param->id->peername; + } + int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *param, - const unsigned char *email, size_t emaillen) + const char *email, size_t emaillen) { return int_x509_param_set1(¶m->id->email, ¶m->id->emaillen, email, emaillen); @@ -418,17 +500,19 @@ int X509_VERIFY_PARAM_set1_ip(X509_VERIFY_PARAM *param, { if (iplen != 0 && iplen != 4 && iplen != 16) return 0; - return int_x509_param_set1(¶m->id->ip, ¶m->id->iplen, ip, iplen); + return int_x509_param_set1((char **)¶m->id->ip, ¶m->id->iplen, + (char *)ip, iplen); } int X509_VERIFY_PARAM_set1_ip_asc(X509_VERIFY_PARAM *param, const char *ipasc) { unsigned char ipout[16]; - int iplen; - iplen = a2i_ipadd(ipout, ipasc); + size_t iplen; + + iplen = (size_t) a2i_ipadd(ipout, ipasc); if (iplen == 0) return 0; - return X509_VERIFY_PARAM_set1_ip(param, ipout, (size_t)iplen); + return X509_VERIFY_PARAM_set1_ip(param, ipout, iplen); } int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param) @@ -441,7 +525,7 @@ const char *X509_VERIFY_PARAM_get0_name(const X509_VERIFY_PARAM *param) return param->name; } -static const X509_VERIFY_PARAM_ID _empty_id = {NULL, 0, 0U, NULL, 0, NULL, 0}; +static const X509_VERIFY_PARAM_ID _empty_id = {NULL, 0U, NULL, NULL, 0, NULL, 0}; #define vpm_empty_id (X509_VERIFY_PARAM_ID *)&_empty_id |