The branch master has been updated
       via  aff8c0a411824f29687a54a3aa82f7e770faff48 (commit)
       via  57c05c57c3aab2755ec6eeae5d1800ac9cbd2f6d (commit)
       via  02ae130e3dd1e4b4252692f65cb1f975bfe47935 (commit)
       via  1ac658ac9d40711d0a9610e932ddfa7b90fdc537 (commit)
       via  c90c469376e28e87caf02e96bf6568131f1c5d1b (commit)
       via  b516a4b1399328ed2177e6bc5f717416a7d03806 (commit)
       via  8f7e897995ae49546ab94a6969e85d797ac6c486 (commit)
      from  b5b6669fb63702233124c8fd5504e8477e559d07 (commit)


- Log -----------------------------------------------------------------
commit aff8c0a411824f29687a54a3aa82f7e770faff48
Author: Dr. David von Oheimb <[email protected]>
Date:   Sat Jun 27 10:29:55 2020 +0200

    Fix error message on setting cert validity period in apps/cmp.c
    
    Fixes #12268
    
    Reviewed-by: Paul Dale <[email protected]>
    (Merged from https://github.com/openssl/openssl/pull/12296)

commit 57c05c57c3aab2755ec6eeae5d1800ac9cbd2f6d
Author: Dr. David von Oheimb <[email protected]>
Date:   Sat Jun 27 10:28:45 2020 +0200

    apps: Correct and extend diagnostics of parse_name()
    
    Reviewed-by: Paul Dale <[email protected]>
    (Merged from https://github.com/openssl/openssl/pull/12296)

commit 02ae130e3dd1e4b4252692f65cb1f975bfe47935
Author: Dr. David von Oheimb <[email protected]>
Date:   Fri Jun 26 20:40:19 2020 +0200

    Add 'section=...' info in error output of X509V3_EXT_nconf() as far as 
appropriate
    
    Reviewed-by: Paul Dale <[email protected]>
    (Merged from https://github.com/openssl/openssl/pull/12296)

commit 1ac658ac9d40711d0a9610e932ddfa7b90fdc537
Author: Dr. David von Oheimb <[email protected]>
Date:   Fri Jun 26 20:13:47 2020 +0200

    Rename misleading X509V3_R_INVALID_NULL_NAME to X509V3_R_INVALID_EMPTY_NAME
    
    Reviewed-by: Paul Dale <[email protected]>
    (Merged from https://github.com/openssl/openssl/pull/12296)

commit c90c469376e28e87caf02e96bf6568131f1c5d1b
Author: Dr. David von Oheimb <[email protected]>
Date:   Fri Jun 26 16:16:00 2020 +0200

    Correct confusing X509V3 conf error output by removing needless 
'section:<NULL>' etc.
    
    Reviewed-by: Paul Dale <[email protected]>
    (Merged from https://github.com/openssl/openssl/pull/12296)

commit b516a4b1399328ed2177e6bc5f717416a7d03806
Author: Dr. David von Oheimb <[email protected]>
Date:   Fri Jun 26 16:16:56 2020 +0200

    Correct misleading diagnostics of OBJ_txt2obj on unknown object name
    
    Reviewed-by: Paul Dale <[email protected]>
    (Merged from https://github.com/openssl/openssl/pull/12296)

commit 8f7e897995ae49546ab94a6969e85d797ac6c486
Author: Dr. David von Oheimb <[email protected]>
Date:   Fri Jun 26 12:37:12 2020 +0200

    apps/cmp.c: Defer diagnostic output on server+proxy to be contacted
    
    Reviewed-by: Paul Dale <[email protected]>
    (Merged from https://github.com/openssl/openssl/pull/12296)

-----------------------------------------------------------------------

Summary of changes:
 apps/ca.c                    |  2 +-
 apps/cmp.c                   | 12 ++++++------
 apps/include/apps.h          |  3 ++-
 apps/lib/apps.c              | 38 ++++++++++++++++++++++----------------
 apps/req.c                   |  2 +-
 apps/storeutl.c              | 12 ++++--------
 apps/x509.c                  |  3 ++-
 crypto/err/openssl.txt       |  3 ++-
 crypto/objects/obj_dat.c     |  4 ++++
 crypto/objects/obj_err.c     |  4 +++-
 crypto/x509/v3_addr.c        | 19 ++++++++++---------
 crypto/x509/v3_asid.c        |  9 +++++----
 crypto/x509/v3_bcons.c       |  4 +++-
 crypto/x509/v3_bitst.c       |  2 +-
 crypto/x509/v3_conf.c        | 43 +++++++++++++++++++++++++++++++------------
 crypto/x509/v3_cpols.c       | 20 +++++++++++---------
 crypto/x509/v3_crld.c        |  5 +++--
 crypto/x509/v3_extku.c       |  2 +-
 crypto/x509/v3_pci.c         |  1 +
 crypto/x509/v3_pcons.c       |  2 +-
 crypto/x509/v3_pmaps.c       |  4 ++--
 crypto/x509/v3_tlsf.c        |  3 ++-
 crypto/x509/v3_utl.c         | 11 ++++++-----
 crypto/x509/v3err.c          |  4 ++--
 crypto/x509/x509_local.h     |  3 +++
 include/openssl/objectserr.h |  5 +++--
 include/openssl/x509v3err.h  |  2 +-
 27 files changed, 133 insertions(+), 89 deletions(-)

diff --git a/apps/ca.c b/apps/ca.c
index e001a34190..fef0b82c39 100644
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -1463,7 +1463,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 
*x509,
         row[i] = NULL;
 
     if (subj) {
-        X509_NAME *n = parse_name(subj, chtype, multirdn);
+        X509_NAME *n = parse_name(subj, chtype, multirdn, "subject");
 
         if (!n) {
             ERR_print_errors(bio_err);
diff --git a/apps/cmp.c b/apps/cmp.c
index e5f72cbea7..01c5394344 100644
--- a/apps/cmp.c
+++ b/apps/cmp.c
@@ -1109,12 +1109,10 @@ static int set_name(const char *str,
                     OSSL_CMP_CTX *ctx, const char *desc)
 {
     if (str != NULL) {
-        X509_NAME *n = parse_name(str, MBSTRING_ASC, 0);
+        X509_NAME *n = parse_name(str, MBSTRING_ASC, 0, desc);
 
-        if (n == NULL) {
-            CMP_err2("cannot parse %s DN '%s'", desc, str);
+        if (n == NULL)
             return 0;
-        }
         if (!(*set_fn) (ctx, n)) {
             X509_NAME_free(n);
             CMP_err("out of memory");
@@ -1869,7 +1867,7 @@ static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE 
*engine)
     if (opt_days > 0
             && !OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_VALIDITY_DAYS,
                                         opt_days)) {
-        CMP_err("could to set requested cert validity period");
+        CMP_err("could not set requested cert validity period");
         goto err;
     }
 
@@ -2095,7 +2093,6 @@ static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE 
*engine)
 
     if (opt_proxy != NULL)
         (void)BIO_snprintf(proxy_buf, sizeof(proxy_buf), " via %s", opt_proxy);
-    CMP_info2("will contact %s%s", server_buf, proxy_buf);
 
     if (!transform_opts())
         goto err;
@@ -2217,6 +2214,9 @@ static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE 
*engine)
     if (opt_geninfo != NULL && !handle_opt_geninfo(ctx))
         goto err;
 
+    /* not printing earlier, to minimize confusion in case setup fails before 
*/
+    CMP_info2("will contact %s%s", server_buf, proxy_buf);
+
     ret = 1;
 
  err:
diff --git a/apps/include/apps.h b/apps/include/apps.h
index e91cdcdb8f..554d33e1c9 100644
--- a/apps/include/apps.h
+++ b/apps/include/apps.h
@@ -201,7 +201,8 @@ void free_index(CA_DB *db);
 int index_name_cmp(const OPENSSL_CSTRING *a, const OPENSSL_CSTRING *b);
 int parse_yesno(const char *str, int def);
 
-X509_NAME *parse_name(const char *str, long chtype, int multirdn);
+X509_NAME *parse_name(const char *str, int chtype, int multirdn,
+                      const char *desc);
 void policies_print(X509_STORE_CTX *ctx);
 int bio_to_mem(unsigned char **out, int maxlen, BIO *in);
 int pkey_ctrl_string(EVP_PKEY_CTX *ctx, const char *value);
diff --git a/apps/lib/apps.c b/apps/lib/apps.c
index cf99ca0ebf..e8592c4880 100644
--- a/apps/lib/apps.c
+++ b/apps/lib/apps.c
@@ -1670,7 +1670,8 @@ int parse_yesno(const char *str, int def)
  * name is expected to be in the format /type0=value0/type1=value1/type2=...
  * where characters may be escaped by \
  */
-X509_NAME *parse_name(const char *cp, long chtype, int canmulti)
+X509_NAME *parse_name(const char *cp, int chtype, int canmulti,
+                      const char *desc)
 {
     int nextismulti = 0;
     char *work;
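Review bot: The comment above parse_name() still documents only the `/type0=value0/...` format and says nothing about the new `desc` parameter added in this hunk. A line such as `desc is a short label for the name being parsed (e.g. "subject" or "issuer"); it is used only in diagnostics` would tell callers what to pass. The visible callers pass a string literal or a forwarded `desc`, so it would also help to state whether NULL is acceptable. The comment block starts above the hunk and the function body continues below it.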
@@ -1678,19 +1679,22 @@ X509_NAME *parse_name(const char *cp, long chtype, int 
canmulti)
 
     if (*cp++ != '/') {
         BIO_printf(bio_err,
-                   "name is expected to be in the format "
+                   "%s: %s name is expected to be in the format "
                    "/type0=value0/type1=value1/type2=... where characters may "
                    "be escaped by \\. This name is not in that format: '%s'\n",
-                   --cp);
+                   opt_getprog(), desc, --cp);
         return NULL;
     }
 
     n = X509_NAME_new();
-    if (n == NULL)
+    if (n == NULL) {
+        BIO_printf(bio_err, "%s: Out of memory\n", opt_getprog());
         return NULL;
+    }
     work = OPENSSL_strdup(cp);
     if (work == NULL) {
-        BIO_printf(bio_err, "%s: Error copying name input\n", opt_getprog());
+        BIO_printf(bio_err, "%s: Error copying %s name input\n",
+                   opt_getprog(), desc);
         goto err;
     }
 
@@ -1705,13 +1709,13 @@ X509_NAME *parse_name(const char *cp, long chtype, int 
canmulti)
         /* Collect the type */
         while (*cp != '\0' && *cp != '=')
             *bp++ = *cp++;
+        *bp++ = '\0';
         if (*cp == '\0') {
             BIO_printf(bio_err,
-                       "%s: Hit end of string before finding the '='\n",
-                       opt_getprog());
+                       "%s: Missing '=' after RDN type string '%s' in %s name 
string\n",
+                       opt_getprog(), typestr, desc);
             goto err;
         }
-        *bp++ = '\0';
         ++cp;
 
         /* Collect the value. */
@@ -1723,8 +1727,8 @@ X509_NAME *parse_name(const char *cp, long chtype, int 
canmulti)
             }
             if (*cp == '\\' && *++cp == '\0') {
                 BIO_printf(bio_err,
-                           "%s: Escape character at end of string\n",
-                           opt_getprog());
+                           "%s: Escape character at end of %s name string\n",
+                           opt_getprog(), desc);
                 goto err;
             }
         }
@@ -1737,22 +1741,24 @@ X509_NAME *parse_name(const char *cp, long chtype, int 
canmulti)
         /* Parse */
         nid = OBJ_txt2nid(typestr);
         if (nid == NID_undef) {
-            BIO_printf(bio_err, "%s: Skipping unknown attribute \"%s\"\n",
-                       opt_getprog(), typestr);
+            BIO_printf(bio_err,
+                       "%s: Skipping unknown %s name attribute \"%s\"\n",
+                       opt_getprog(), desc, typestr);
             continue;
         }
         if (*valstr == '\0') {
             BIO_printf(bio_err,
-                       "%s: No value provided for Subject Attribute %s, 
skipped\n",
-                       opt_getprog(), typestr);
+                       "%s: No value provided for %s name attribute \"%s\", 
skipped\n",
+                       opt_getprog(), desc, typestr);
             continue;
         }
         if (!X509_NAME_add_entry_by_NID(n, nid, chtype,
                                         valstr, strlen((char *)valstr),
                                         -1, ismulti ? -1 : 0)) {
             ERR_print_errors(bio_err);
-            BIO_printf(bio_err, "%s: Error adding name attribute \"/%s=%s\"\n",
-                       opt_getprog(), typestr ,valstr);
+            BIO_printf(bio_err,
+                       "%s: Error adding %s name attribute \"/%s=%s\"\n",
+                       opt_getprog(), desc, typestr ,valstr);
             goto err;
         }
     }
diff --git a/apps/req.c b/apps/req.c
index 8931e9829f..46739554bd 100644
--- a/apps/req.c
+++ b/apps/req.c
@@ -1078,7 +1078,7 @@ static int build_subject(X509_REQ *req, const char 
*subject, unsigned long chtyp
 {
     X509_NAME *n;
 
-    if ((n = parse_name(subject, chtype, multirdn)) == NULL)
+    if ((n = parse_name(subject, chtype, multirdn, "subject")) == NULL)
         return 0;
 
     if (!X509_REQ_set_subject_name(req, n)) {
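Review bot: `chtype` is declared `unsigned long` in build_subject() (see the hunk header), but parse_name() now takes `int chtype`, so the call on the changed line narrows implicitly. The MBSTRING_* values presumably fit in an int, yet the conversion is silent and would trip `-Wconversion`. Either change build_subject's parameter to `int` or make the narrowing explicit, e.g. `parse_name(subject, (int)chtype, multirdn, "subject")`. The same applies to the calls in apps/ca.c and apps/x509.c if their `chtype` is also a long type; their declarations are not visible in those hunks.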
diff --git a/apps/storeutl.c b/apps/storeutl.c
index 95af277260..66fd423ab0 100644
--- a/apps/storeutl.c
+++ b/apps/storeutl.c
@@ -157,11 +157,9 @@ int storeutl_main(int argc, char *argv[])
                            prog);
                 goto end;
             }
-            if ((subject = parse_name(opt_arg(), MBSTRING_UTF8, 1)) == NULL) {
-                BIO_printf(bio_err, "%s: can't parse subject argument.\n",
-                           prog);
+            subject = parse_name(opt_arg(), MBSTRING_UTF8, 1, "subject");
+            if (subject == NULL)
                 goto end;
-            }
             break;
         case OPT_CRITERION_ISSUER:
             if (criterion != 0
@@ -177,11 +175,9 @@ int storeutl_main(int argc, char *argv[])
                            prog);
                 goto end;
             }
-            if ((issuer = parse_name(opt_arg(), MBSTRING_UTF8, 1)) == NULL) {
-                BIO_printf(bio_err, "%s: can't parse issuer argument.\n",
-                           prog);
+            issuer = parse_name(opt_arg(), MBSTRING_UTF8, 1, "issuer");
+            if (issuer == NULL)
                 goto end;
-            }
             break;
         case OPT_CRITERION_SERIAL:
             if (criterion != 0
diff --git a/apps/x509.c b/apps/x509.c
index d8f69c08eb..fbe4b8cefe 100644
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -536,7 +536,8 @@ int x509_main(int argc, char **argv)
                    "The -new option requires a subject to be set using 
-subj\n");
         goto end;
     }
-    if (subj != NULL && (fsubj = parse_name(subj, chtype, multirdn)) == NULL)
+    if (subj != NULL
+            && (fsubj = parse_name(subj, chtype, multirdn, "subject")) == NULL)
         goto end;
 
     if (CAkeyfile == NULL && CA_flag && CAformat == FORMAT_PEM) {
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
index 1b4fca9b97..53becb8ed4 100644
--- a/crypto/err/openssl.txt
+++ b/crypto/err/openssl.txt
@@ -2668,6 +2668,7 @@ KDF_R_VALUE_MISSING:102:value missing
 KDF_R_WRONG_OUTPUT_BUFFER_SIZE:112:wrong output buffer size
 OBJ_R_OID_EXISTS:102:oid exists
 OBJ_R_UNKNOWN_NID:101:unknown nid
+OBJ_R_UNKNOWN_OBJECT_NAME:103:unknown object name
 OCSP_R_CERTIFICATE_VERIFY_ERROR:101:certificate verify error
 OCSP_R_DIGEST_ERR:102:digest err
 OCSP_R_ERROR_IN_NEXTUPDATE_FIELD:122:error in nextupdate field
@@ -3470,7 +3471,7 @@ X509V3_R_INVALID_IPADDRESS:166:invalid ipaddress
 X509V3_R_INVALID_MULTIPLE_RDNS:161:invalid multiple rdns
 X509V3_R_INVALID_NAME:106:invalid name
 X509V3_R_INVALID_NULL_ARGUMENT:107:invalid null argument
-X509V3_R_INVALID_NULL_NAME:108:invalid null name
+X509V3_R_INVALID_EMPTY_NAME:108:invalid empty name
 X509V3_R_INVALID_NULL_VALUE:109:invalid null value
 X509V3_R_INVALID_NUMBER:140:invalid number
 X509V3_R_INVALID_NUMBERS:141:invalid numbers
diff --git a/crypto/objects/obj_dat.c b/crypto/objects/obj_dat.c
index 0c4ec985cb..b2fd4a0226 100644
--- a/crypto/objects/obj_dat.c
+++ b/crypto/objects/obj_dat.c
@@ -372,6 +372,10 @@ ASN1_OBJECT *OBJ_txt2obj(const char *s, int no_name)
         if (((nid = OBJ_sn2nid(s)) != NID_undef) ||
             ((nid = OBJ_ln2nid(s)) != NID_undef))
             return OBJ_nid2obj(nid);
+        if (!ossl_isdigit(*s)) {
+            OBJerr(OBJ_F_OBJ_TXT2OBJ, OBJ_R_UNKNOWN_OBJECT_NAME);
+            return NULL;
+        }
     }
 
     /* Work out size of content octets */
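Review bot: The added `!ossl_isdigit(*s)` branch carries no comment saying why a string that is neither a known short nor long name is rejected at this point. A one-line comment would make the intent clear, e.g. `/* not a registered name, and a numerical OID must start with a digit */`. OBJ_txt2obj() is a public function, so callers that matched on the error previously produced further down (in the code after "Work out size of content octets", outside this hunk) will now see `OBJ_R_UNKNOWN_OBJECT_NAME` instead; that is worth a line in the function's documentation.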
diff --git a/crypto/objects/obj_err.c b/crypto/objects/obj_err.c
index b32e9f6f55..c55e8ef2d0 100644
--- a/crypto/objects/obj_err.c
+++ b/crypto/objects/obj_err.c
@@ -1,6 +1,6 @@
 /*
  * Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -16,6 +16,8 @@
 static const ERR_STRING_DATA OBJ_str_reasons[] = {
     {ERR_PACK(ERR_LIB_OBJ, 0, OBJ_R_OID_EXISTS), "oid exists"},
     {ERR_PACK(ERR_LIB_OBJ, 0, OBJ_R_UNKNOWN_NID), "unknown nid"},
+    {ERR_PACK(ERR_LIB_OBJ, 0, OBJ_R_UNKNOWN_OBJECT_NAME),
+    "unknown object name"},
     {0, NULL}
 };
 
diff --git a/crypto/x509/v3_addr.c b/crypto/x509/v3_addr.c
index 9e2b9d48a9..d965d74553 100644
--- a/crypto/x509/v3_addr.c
+++ b/crypto/x509/v3_addr.c
@@ -22,6 +22,7 @@
 #include <openssl/x509v3.h>
 #include "crypto/x509.h"
 #include "ext_dat.h"
+#include "x509_local.h"
 
 #ifndef OPENSSL_NO_RFC3779
 
@@ -925,7 +926,7 @@ static void *v2i_IPAddrBlocks(const struct v3_ext_method 
*method,
         } else {
             X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
                       X509V3_R_EXTENSION_NAME_ERROR);
-            X509V3_conf_err(val);
+            ERR_add_error_data(1, val->name);
             goto err;
         }
 
@@ -949,7 +950,7 @@ static void *v2i_IPAddrBlocks(const struct v3_ext_method 
*method,
             t += strspn(t, " \t");
             if (*safi > 0xFF || *t++ != ':') {
                 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_INVALID_SAFI);
-                X509V3_conf_err(val);
+                X509V3_conf_add_error_name_value(val);
                 goto err;
             }
             t += strspn(t, " \t");
@@ -970,7 +971,7 @@ static void *v2i_IPAddrBlocks(const struct v3_ext_method 
*method,
             if (!X509v3_addr_add_inherit(addr, afi, safi)) {
                 X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
                           X509V3_R_INVALID_INHERITANCE);
-                X509V3_conf_err(val);
+                X509V3_conf_add_error_name_value(val);
                 goto err;
             }
             OPENSSL_free(s);
@@ -985,7 +986,7 @@ static void *v2i_IPAddrBlocks(const struct v3_ext_method 
*method,
 
         if (a2i_ipadd(min, s) != length) {
             X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_INVALID_IPADDRESS);
-            X509V3_conf_err(val);
+            X509V3_conf_add_error_name_value(val);
             goto err;
         }
 
@@ -995,7 +996,7 @@ static void *v2i_IPAddrBlocks(const struct v3_ext_method 
*method,
             if (t == s + i2 || *t != '\0') {
                 X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
                           X509V3_R_EXTENSION_VALUE_ERROR);
-                X509V3_conf_err(val);
+                X509V3_conf_add_error_name_value(val);
                 goto err;
             }
             if (!X509v3_addr_add_prefix(addr, afi, safi, min, prefixlen)) {
@@ -1009,19 +1010,19 @@ static void *v2i_IPAddrBlocks(const struct 
v3_ext_method *method,
             if (i1 == i2 || s[i2] != '\0') {
                 X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
                           X509V3_R_EXTENSION_VALUE_ERROR);
-                X509V3_conf_err(val);
+                X509V3_conf_add_error_name_value(val);
                 goto err;
             }
             if (a2i_ipadd(max, s + i1) != length) {
                 X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
                           X509V3_R_INVALID_IPADDRESS);
-                X509V3_conf_err(val);
+                X509V3_conf_add_error_name_value(val);
                 goto err;
             }
             if (memcmp(min, max, length_from_afi(afi)) > 0) {
                 X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
                           X509V3_R_EXTENSION_VALUE_ERROR);
-                X509V3_conf_err(val);
+                X509V3_conf_add_error_name_value(val);
                 goto err;
             }
             if (!X509v3_addr_add_range(addr, afi, safi, min, max)) {
@@ -1038,7 +1039,7 @@ static void *v2i_IPAddrBlocks(const struct v3_ext_method 
*method,
         default:
             X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
                       X509V3_R_EXTENSION_VALUE_ERROR);
-            X509V3_conf_err(val);
+            X509V3_conf_add_error_name_value(val);
             goto err;
         }
 
diff --git a/crypto/x509/v3_asid.c b/crypto/x509/v3_asid.c
index 0ff37073cf..0fc7641386 100644
--- a/crypto/x509/v3_asid.c
+++ b/crypto/x509/v3_asid.c
@@ -23,6 +23,7 @@
 #include "crypto/x509.h"
 #include <openssl/bn.h>
 #include "ext_dat.h"
+#include "x509_local.h"
 
 #ifndef OPENSSL_NO_RFC3779
 
@@ -545,7 +546,7 @@ static void *v2i_ASIdentifiers(const struct v3_ext_method 
*method,
         } else {
             X509V3err(X509V3_F_V2I_ASIDENTIFIERS,
                       X509V3_R_EXTENSION_NAME_ERROR);
-            X509V3_conf_err(val);
+            X509V3_conf_add_error_name_value(val);
             goto err;
         }
 
@@ -557,7 +558,7 @@ static void *v2i_ASIdentifiers(const struct v3_ext_method 
*method,
                 continue;
             X509V3err(X509V3_F_V2I_ASIDENTIFIERS,
                       X509V3_R_INVALID_INHERITANCE);
-            X509V3_conf_err(val);
+            X509V3_conf_add_error_name_value(val);
             goto err;
         }
 
@@ -573,7 +574,7 @@ static void *v2i_ASIdentifiers(const struct v3_ext_method 
*method,
             if (val->value[i2] != '-') {
                 X509V3err(X509V3_F_V2I_ASIDENTIFIERS,
                           X509V3_R_INVALID_ASNUMBER);
-                X509V3_conf_err(val);
+                X509V3_conf_add_error_name_value(val);
                 goto err;
             }
             i2++;
@@ -582,7 +583,7 @@ static void *v2i_ASIdentifiers(const struct v3_ext_method 
*method,
             if (val->value[i3] != '\0') {
                 X509V3err(X509V3_F_V2I_ASIDENTIFIERS,
                           X509V3_R_INVALID_ASRANGE);
-                X509V3_conf_err(val);
+                X509V3_conf_add_error_name_value(val);
                 goto err;
             }
         }
diff --git a/crypto/x509/v3_bcons.c b/crypto/x509/v3_bcons.c
index 6ab4aaf687..01d38473a3 100644
--- a/crypto/x509/v3_bcons.c
+++ b/crypto/x509/v3_bcons.c
@@ -14,6 +14,7 @@
 #include <openssl/conf.h>
 #include <openssl/x509v3.h>
 #include "ext_dat.h"
+#include "x509_local.h"
 
 DEFINE_STACK_OF(CONF_VALUE)
 
@@ -73,9 +74,10 @@ static BASIC_CONSTRAINTS 
*v2i_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method,
         } else if (strcmp(val->name, "pathlen") == 0) {
             if (!X509V3_get_value_int(val, &bcons->pathlen))
                 goto err;
+            /* TODO add sanity check on int value - at least, must be >= 0 */
         } else {
             X509V3err(X509V3_F_V2I_BASIC_CONSTRAINTS, X509V3_R_INVALID_NAME);
-            X509V3_conf_err(val);
+            X509V3_conf_add_error_name_value(val);
             goto err;
         }
     }
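Review bot: The TODO added in the `pathlen` branch leaves a negative value accepted: once `X509V3_get_value_int()` succeeds, nothing in the hunk rejects it, although pathLenConstraint is defined as a non-negative integer (RFC 5280). Rather than deferring, the check could be added here, for example reading the value with `ASN1_INTEGER_get_int64()` and, when it is below zero, raising `X509V3_R_INVALID_NUMBER` followed by `X509V3_conf_add_error_name_value(val);` and `goto err;`. The loop and the rest of v2i_BASIC_CONSTRAINTS lie outside the hunk, so whether a later step already validates the value cannot be seen from here.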
diff --git a/crypto/x509/v3_bitst.c b/crypto/x509/v3_bitst.c
index ec8fdc55a1..02d40863a6 100644
--- a/crypto/x509/v3_bitst.c
+++ b/crypto/x509/v3_bitst.c
@@ -86,7 +86,7 @@ ASN1_BIT_STRING *v2i_ASN1_BIT_STRING(X509V3_EXT_METHOD 
*method,
         if (!bnam->lname) {
             X509V3err(X509V3_F_V2I_ASN1_BIT_STRING,
                       X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT);
-            X509V3_conf_err(val);
+            ERR_add_error_data(1, val->name);
             ASN1_BIT_STRING_free(bs);
             return NULL;
         }
diff --git a/crypto/x509/v3_conf.c b/crypto/x509/v3_conf.c
index bbe67dc3d3..88e29f9cc4 100644
--- a/crypto/x509/v3_conf.c
+++ b/crypto/x509/v3_conf.c
@@ -33,33 +33,42 @@ static X509_EXTENSION *do_ext_i2d(const X509V3_EXT_METHOD 
*method,
                                   int ext_nid, int crit, void *ext_struc);
 static unsigned char *generic_asn1(const char *value, X509V3_CTX *ctx,
                                    long *ext_len);
-/* CONF *conf:  Config file    */
-/* char *name:  Name    */
-/* char *value:  Value    */
-X509_EXTENSION *X509V3_EXT_nconf(CONF *conf, X509V3_CTX *ctx, const char *name,
-                                 const char *value)
+
+static X509_EXTENSION *X509V3_EXT_nconf_int(CONF *conf, X509V3_CTX *ctx,
+                                            const char *section,
+                                            const char *name, const char 
*value)
 {
     int crit;
     int ext_type;
     X509_EXTENSION *ret;
+
     crit = v3_check_critical(&value);
     if ((ext_type = v3_check_generic(&value)))
         return v3_generic_extension(name, value, crit, ext_type, ctx);
     ret = do_ext_nconf(conf, ctx, OBJ_sn2nid(name), crit, value);
     if (!ret) {
-        X509V3err(X509V3_F_X509V3_EXT_NCONF, X509V3_R_ERROR_IN_EXTENSION);
-        ERR_add_error_data(4, "name=", name, ", value=", value);
+        X509V3err(0, X509V3_R_ERROR_IN_EXTENSION);
+        if (section != NULL)
+            ERR_add_error_data(6, "section=", section,
+                               ", name=", name, ", value=", value);
+        else
+            ERR_add_error_data(4, "name=", name, ", value=", value);
     }
     return ret;
 }
 
-/* CONF *conf:  Config file    */
-/* char *value:  Value    */
+X509_EXTENSION *X509V3_EXT_nconf(CONF *conf, X509V3_CTX *ctx, const char *name,
+                                 const char *value)
+{
+    return X509V3_EXT_nconf_int(conf, ctx, NULL, name, value);
+}
+
 X509_EXTENSION *X509V3_EXT_nconf_nid(CONF *conf, X509V3_CTX *ctx, int ext_nid,
                                      const char *value)
 {
     int crit;
     int ext_type;
+
     crit = v3_check_critical(&value);
     if ((ext_type = v3_check_generic(&value)))
         return v3_generic_extension(OBJ_nid2sn(ext_nid),
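Review bot: The new static X509V3_EXT_nconf_int() has no comment, and the old parameter comments were removed without replacement, so nothing states that `section` may be NULL and is used only for error data. Suggest something like `/* section is optional (may be NULL) and only used to extend the error data */` above the function. Note also that the `v3_generic_extension()` early return bypasses the `section=` reporting, so errors from `DER:`/`ASN1:` values will not name the section unless that function adds its own data (its body is outside the hunk). X509V3_EXT_nconf_nid() is unchanged and likewise reports no section.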
@@ -138,6 +147,7 @@ static X509_EXTENSION *do_ext_i2d(const X509V3_EXT_METHOD 
*method,
     int ext_len;
     ASN1_OCTET_STRING *ext_oct = NULL;
     X509_EXTENSION *ext;
+
     /* Convert internal representation to DER */
     if (method->it) {
         ext_der = NULL;
@@ -192,6 +202,7 @@ X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, void 
*ext_struc)
 static int v3_check_critical(const char **value)
 {
     const char *p = *value;
+
     if ((strlen(p) < 9) || strncmp(p, "critical,", 9))
         return 0;
     p += 9;
@@ -206,6 +217,7 @@ static int v3_check_generic(const char **value)
 {
     int gen_type = 0;
     const char *p = *value;
+
     if ((strlen(p) >= 4) && strncmp(p, "DER:", 4) == 0) {
         p += 4;
         gen_type = 1;
@@ -275,6 +287,7 @@ static unsigned char *generic_asn1(const char *value, 
X509V3_CTX *ctx,
 {
     ASN1_TYPE *typ;
     unsigned char *ext_der = NULL;
+
     typ = ASN1_generate_v3(value, ctx);
     if (typ == NULL)
         return NULL;
@@ -287,9 +300,11 @@ static void delete_ext(STACK_OF(X509_EXTENSION) *sk, 
X509_EXTENSION *dext)
 {
     int idx;
     ASN1_OBJECT *obj;
+
     obj = X509_EXTENSION_get_object(dext);
     while ((idx = X509v3_get_ext_by_OBJ(sk, obj, -1)) >= 0) {
         X509_EXTENSION *tmpext = X509v3_get_ext(sk, idx);
+
         X509v3_delete_ext(sk, idx);
         X509_EXTENSION_free(tmpext);
     }
@@ -312,7 +327,8 @@ int X509V3_EXT_add_nconf_sk(CONF *conf, X509V3_CTX *ctx, 
const char *section,
         return 0;
     for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
         val = sk_CONF_VALUE_value(nval, i);
-        if ((ext = X509V3_EXT_nconf(conf, ctx, val->name, val->value)) == NULL)
+        if ((ext = X509V3_EXT_nconf_int(conf, ctx, val->section,
+                                        val->name, val->value)) == NULL)
             return 0;
         if (ctx->flags == X509V3_CTX_REPLACE)
             delete_ext(*sk, ext);
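Review bot: The changed call passes `val->section` although X509V3_EXT_add_nconf_sk() already receives `section` as a parameter (see the hunk header), and the values in `nval` were presumably looked up under that same name. Passing the parameter, `X509V3_EXT_nconf_int(conf, ctx, section, val->name, val->value)`, would be simpler and would not depend on every CONF_VALUE having its `section` field populated. If `val->section` is deliberate, for instance because it can differ from the requested name, a short comment saying so would help. The start of the function is outside the hunk.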
@@ -358,6 +374,7 @@ int X509V3_EXT_REQ_add_nconf(CONF *conf, X509V3_CTX *ctx, 
const char *section,
 {
     STACK_OF(X509_EXTENSION) *extlist = NULL, **sk = NULL;
     int i;
+
     if (req)
         sk = &extlist;
     i = X509V3_EXT_add_nconf_sk(conf, ctx, section, sk);
@@ -448,12 +465,11 @@ X509_EXTENSION *X509V3_EXT_conf(LHASH_OF(CONF_VALUE) 
*conf, X509V3_CTX *ctx,
                                 const char *name, const char *value)
 {
     CONF ctmp;
+
     CONF_set_nconf(&ctmp, conf);
     return X509V3_EXT_nconf(&ctmp, ctx, name, value);
 }
 
-/* LHASH *conf:  Config file    */
-/* char *value:  Value    */
 X509_EXTENSION *X509V3_EXT_conf_nid(LHASH_OF(CONF_VALUE) *conf,
                                     X509V3_CTX *ctx, int ext_nid, const char 
*value)
 {
@@ -489,6 +505,7 @@ int X509V3_EXT_add_conf(LHASH_OF(CONF_VALUE) *conf, 
X509V3_CTX *ctx,
                         const char *section, X509 *cert)
 {
     CONF ctmp;
+
     CONF_set_nconf(&ctmp, conf);
     return X509V3_EXT_add_nconf(&ctmp, ctx, section, cert);
 }
@@ -499,6 +516,7 @@ int X509V3_EXT_CRL_add_conf(LHASH_OF(CONF_VALUE) *conf, 
X509V3_CTX *ctx,
                             const char *section, X509_CRL *crl)
 {
     CONF ctmp;
+
     CONF_set_nconf(&ctmp, conf);
     return X509V3_EXT_CRL_add_nconf(&ctmp, ctx, section, crl);
 }
@@ -509,6 +527,7 @@ int X509V3_EXT_REQ_add_conf(LHASH_OF(CONF_VALUE) *conf, 
X509V3_CTX *ctx,
                             const char *section, X509_REQ *req)
 {
     CONF ctmp;
+
     CONF_set_nconf(&ctmp, conf);
     return X509V3_EXT_REQ_add_nconf(&ctmp, ctx, section, req);
 }
diff --git a/crypto/x509/v3_cpols.c b/crypto/x509/v3_cpols.c
index abbf5fbe60..6b507f40d7 100644
--- a/crypto/x509/v3_cpols.c
+++ b/crypto/x509/v3_cpols.c
@@ -14,6 +14,7 @@
 #include <openssl/asn1t.h>
 #include <openssl/x509v3.h>
 
+#include "x509_local.h"
 #include "pcy_local.h"
 #include "ext_dat.h"
 
@@ -116,11 +117,10 @@ static STACK_OF(POLICYINFO) 
*r2i_certpol(X509V3_EXT_METHOD *method,
     ia5org = 0;
     for (i = 0; i < num; i++) {
         cnf = sk_CONF_VALUE_value(vals, i);
-
-        if (cnf->value || !cnf->name) {
+        if (cnf->value != NULL || cnf->name == NULL) {
             X509V3err(X509V3_F_R2I_CERTPOL,
                       X509V3_R_INVALID_POLICY_IDENTIFIER);
-            X509V3_conf_err(cnf);
+            X509V3_conf_add_error_name_value(cnf);
             goto err;
         }
         pstr = cnf->name;
@@ -133,8 +133,7 @@ static STACK_OF(POLICYINFO) *r2i_certpol(X509V3_EXT_METHOD 
*method,
             polsect = X509V3_get_section(ctx, pstr + 1);
             if (polsect == NULL) {
                 X509V3err(X509V3_F_R2I_CERTPOL, X509V3_R_INVALID_SECTION);
-
-                X509V3_conf_err(cnf);
+                ERR_add_error_data(1, cnf->name);
                 goto err;
             }
             pol = policy_section(ctx, polsect, ia5org);
@@ -145,7 +144,7 @@ static STACK_OF(POLICYINFO) *r2i_certpol(X509V3_EXT_METHOD 
*method,
             if ((pobj = OBJ_txt2obj(cnf->name, 0)) == NULL) {
                 X509V3err(X509V3_F_R2I_CERTPOL,
                           X509V3_R_INVALID_OBJECT_IDENTIFIER);
-                X509V3_conf_err(cnf);
+                ERR_add_error_data(1, cnf->name);
                 goto err;
             }
             pol = POLICYINFO_new();
@@ -184,6 +183,7 @@ static POLICYINFO *policy_section(X509V3_CTX *ctx,
         cnf = sk_CONF_VALUE_value(polstrs, i);
         if (strcmp(cnf->name, "policyIdentifier") == 0) {
             ASN1_OBJECT *pobj;
+
             if ((pobj = OBJ_txt2obj(cnf->value, 0)) == NULL) {
                 X509V3err(X509V3_F_POLICY_SECTION,
                           X509V3_R_INVALID_OBJECT_IDENTIFIER);
@@ -233,7 +233,6 @@ static POLICYINFO *policy_section(X509V3_CTX *ctx,
                 goto merr;
         } else {
             X509V3err(X509V3_F_POLICY_SECTION, X509V3_R_INVALID_OPTION);
-
             X509V3_conf_err(cnf);
             goto err;
         }
@@ -307,6 +306,7 @@ static POLICYQUALINFO *notice_section(X509V3_CTX *ctx,
     qual->d.usernotice = not;
     for (i = 0; i < sk_CONF_VALUE_num(unot); i++) {
         cnf = sk_CONF_VALUE_value(unot, i);
+
         value = cnf->value;
         if (strcmp(cnf->name, "explicitText") == 0) {
             tag = displaytext_str2tag(value, &tag_len);
@@ -319,6 +319,7 @@ static POLICYQUALINFO *notice_section(X509V3_CTX *ctx,
                 goto merr;
         } else if (strcmp(cnf->name, "organization") == 0) {
             NOTICEREF *nref;
+
             if (!not->noticeref) {
                 if ((nref = NOTICEREF_new()) == NULL)
                     goto merr;
@@ -334,6 +335,7 @@ static POLICYQUALINFO *notice_section(X509V3_CTX *ctx,
                 goto merr;
         } else if (strcmp(cnf->name, "noticeNumbers") == 0) {
             NOTICEREF *nref;
+
             STACK_OF(CONF_VALUE) *nos;
             if (!not->noticeref) {
                 if ((nref = NOTICEREF_new()) == NULL)
@@ -344,7 +346,7 @@ static POLICYQUALINFO *notice_section(X509V3_CTX *ctx,
             nos = X509V3_parse_list(cnf->value);
             if (!nos || !sk_CONF_VALUE_num(nos)) {
                 X509V3err(X509V3_F_NOTICE_SECTION, X509V3_R_INVALID_NUMBERS);
-                X509V3_conf_err(cnf);
+                X509V3_conf_add_error_name_value(cnf);
                 sk_CONF_VALUE_pop_free(nos, X509V3_conf_free);
                 goto err;
             }
@@ -354,7 +356,7 @@ static POLICYQUALINFO *notice_section(X509V3_CTX *ctx,
                 goto err;
         } else {
             X509V3err(X509V3_F_NOTICE_SECTION, X509V3_R_INVALID_OPTION);
-            X509V3_conf_err(cnf);
+            X509V3_conf_add_error_name_value(cnf);
             goto err;
         }
     }
diff --git a/crypto/x509/v3_crld.c b/crypto/x509/v3_crld.c
index 21a1bfcd7d..b54346d036 100644
--- a/crypto/x509/v3_crld.c
+++ b/crypto/x509/v3_crld.c
@@ -16,6 +16,7 @@
 
 #include "crypto/x509.h"
 #include "ext_dat.h"
+#include "x509_local.h"
 
 DEFINE_STACK_OF(CONF_VALUE)
 DEFINE_STACK_OF(GENERAL_NAME)
@@ -256,7 +257,7 @@ static void *v2i_crld(const X509V3_EXT_METHOD *method,
         DIST_POINT *point;
 
         cnf = sk_CONF_VALUE_value(nval, i);
-        if (!cnf->value) {
+        if (cnf->value == NULL) {
             STACK_OF(CONF_VALUE) *dpsect;
             dpsect = X509V3_get_section(ctx, cnf->name);
             if (!dpsect)
@@ -398,7 +399,7 @@ static void *v2i_idp(const X509V3_EXT_METHOD *method, 
X509V3_CTX *ctx,
                 goto err;
         } else {
             X509V3err(X509V3_F_V2I_IDP, X509V3_R_INVALID_NAME);
-            X509V3_conf_err(cnf);
+            X509V3_conf_add_error_name_value(cnf);
             goto err;
         }
     }
diff --git a/crypto/x509/v3_extku.c b/crypto/x509/v3_extku.c
index ed51b60f0c..7769bc9931 100644
--- a/crypto/x509/v3_extku.c
+++ b/crypto/x509/v3_extku.c
@@ -97,7 +97,7 @@ static void *v2i_EXTENDED_KEY_USAGE(const X509V3_EXT_METHOD 
*method,
             sk_ASN1_OBJECT_pop_free(extku, ASN1_OBJECT_free);
             X509V3err(X509V3_F_V2I_EXTENDED_KEY_USAGE,
                       X509V3_R_INVALID_OBJECT_IDENTIFIER);
-            X509V3_conf_err(val);
+            ERR_add_error_data(1, extval);
             return NULL;
         }
         sk_ASN1_OBJECT_push(extku, objtmp);  /* no failure as it was reserved 
*/
diff --git a/crypto/x509/v3_pci.c b/crypto/x509/v3_pci.c
index 30711149ce..714733684b 100644
--- a/crypto/x509/v3_pci.c
+++ b/crypto/x509/v3_pci.c
@@ -255,6 +255,7 @@ static PROXY_CERT_INFO_EXTENSION *r2i_pci(X509V3_EXT_METHOD 
*method,
     vals = X509V3_parse_list(value);
     for (i = 0; i < sk_CONF_VALUE_num(vals); i++) {
         CONF_VALUE *cnf = sk_CONF_VALUE_value(vals, i);
+
         if (!cnf->name || (*cnf->name != '@' && !cnf->value)) {
             X509V3err(X509V3_F_R2I_PCI,
                       X509V3_R_INVALID_PROXY_POLICY_SETTING);
diff --git a/crypto/x509/v3_pcons.c b/crypto/x509/v3_pcons.c
index e7bb7e9546..88a9497504 100644
--- a/crypto/x509/v3_pcons.c
+++ b/crypto/x509/v3_pcons.c
@@ -76,7 +76,7 @@ static void *v2i_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD 
*method,
                 goto err;
         } else {
             X509V3err(X509V3_F_V2I_POLICY_CONSTRAINTS, X509V3_R_INVALID_NAME);
-            X509V3_conf_err(val);
+            ERR_add_error_data(1, val->name);
             goto err;
         }
     }
diff --git a/crypto/x509/v3_pmaps.c b/crypto/x509/v3_pmaps.c
index d54384dac2..23aefb196c 100644
--- a/crypto/x509/v3_pmaps.c
+++ b/crypto/x509/v3_pmaps.c
@@ -85,7 +85,7 @@ static void *v2i_POLICY_MAPPINGS(const X509V3_EXT_METHOD 
*method,
         if (!val->value || !val->name) {
             X509V3err(X509V3_F_V2I_POLICY_MAPPINGS,
                       X509V3_R_INVALID_OBJECT_IDENTIFIER);
-            X509V3_conf_err(val);
+            ERR_add_error_data(1, val->name);
             goto err;
         }
         obj1 = OBJ_txt2obj(val->name, 0);
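Review bot: The added `ERR_add_error_data(1, val->name)` reports only the name even when the value is the part at fault. In this hunk the guard is `!val->value || !val->name`, so the name may be NULL or perfectly valid while the value is missing. In the next hunk of v2i_POLICY_MAPPINGS (`if (!obj1 || !obj2)`), a bad `val->value` is presumably what leaves `obj2` NULL, although its assignment is outside the hunk. Reporting both fields keeps the diagnostic accurate, e.g. `X509V3_conf_add_error_name_value(val);` as this push uses in v3_tlsf.c, which would also need `#include "x509_local.h"` in this file. The function body starts and ends outside both hunks.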
@@ -93,7 +93,7 @@ static void *v2i_POLICY_MAPPINGS(const X509V3_EXT_METHOD 
*method,
         if (!obj1 || !obj2) {
             X509V3err(X509V3_F_V2I_POLICY_MAPPINGS,
                       X509V3_R_INVALID_OBJECT_IDENTIFIER);
-            X509V3_conf_err(val);
+            ERR_add_error_data(1, val->name);
             goto err;
         }
         pmap = POLICY_MAPPING_new();
diff --git a/crypto/x509/v3_tlsf.c b/crypto/x509/v3_tlsf.c
index e494e4e8d1..81ce333a34 100644
--- a/crypto/x509/v3_tlsf.c
+++ b/crypto/x509/v3_tlsf.c
@@ -14,6 +14,7 @@
 #include <openssl/conf.h>
 #include <openssl/x509v3.h>
 #include "ext_dat.h"
+#include "x509_local.h"
 
 DEFINE_STACK_OF(ASN1_INTEGER)
 DEFINE_STACK_OF(CONF_VALUE)
@@ -119,7 +120,7 @@ static TLS_FEATURE *v2i_TLS_FEATURE(const X509V3_EXT_METHOD 
*method,
             if (((*endptr) != '\0') || (extval == endptr) || (tlsextid < 0) ||
                 (tlsextid > 65535)) {
                 X509V3err(X509V3_F_V2I_TLS_FEATURE, X509V3_R_INVALID_SYNTAX);
-                X509V3_conf_err(val);
+                X509V3_conf_add_error_name_value(val);
                 goto err;
             }
         }
diff --git a/crypto/x509/v3_utl.c b/crypto/x509/v3_utl.c
index aefb589743..acb0e35a42 100644
--- a/crypto/x509/v3_utl.c
+++ b/crypto/x509/v3_utl.c
@@ -19,6 +19,7 @@
 #include "crypto/x509.h"
 #include <openssl/bn.h>
 #include "ext_dat.h"
+#include "x509_local.h"
 
 DEFINE_STACK_OF(CONF_VALUE)
 DEFINE_STACK_OF(GENERAL_NAME)
@@ -271,7 +272,7 @@ int X509V3_get_value_bool(const CONF_VALUE *value, int 
*asn1_bool)
  err:
     X509V3err(X509V3_F_X509V3_GET_VALUE_BOOL,
               X509V3_R_INVALID_BOOLEAN_STRING);
-    X509V3_conf_err(value);
+    X509V3_conf_add_error_name_value(value);
     return 0;
 }
 
@@ -280,7 +281,7 @@ int X509V3_get_value_int(const CONF_VALUE *value, 
ASN1_INTEGER **aint)
     ASN1_INTEGER *itmp;
 
     if ((itmp = s2i_ASN1_INTEGER(NULL, value->value)) == NULL) {
-        X509V3_conf_err(value);
+        X509V3_conf_add_error_name_value(value);
         return 0;
     }
     *aint = itmp;
@@ -322,7 +323,7 @@ STACK_OF(CONF_VALUE) *X509V3_parse_list(const char *line)
                 ntmp = strip_spaces(q);
                 if (!ntmp) {
                     X509V3err(X509V3_F_X509V3_PARSE_LIST,
-                              X509V3_R_INVALID_NULL_NAME);
+                              X509V3_R_INVALID_EMPTY_NAME);
                     goto err;
                 }
                 q = p + 1;
@@ -332,7 +333,7 @@ STACK_OF(CONF_VALUE) *X509V3_parse_list(const char *line)
                 q = p + 1;
                 if (!ntmp) {
                     X509V3err(X509V3_F_X509V3_PARSE_LIST,
-                              X509V3_R_INVALID_NULL_NAME);
+                              X509V3_R_INVALID_EMPTY_NAME);
                     goto err;
                 }
                 X509V3_add_value(ntmp, NULL, &values);
@@ -368,7 +369,7 @@ STACK_OF(CONF_VALUE) *X509V3_parse_list(const char *line)
     } else {
         ntmp = strip_spaces(q);
         if (!ntmp) {
-            X509V3err(X509V3_F_X509V3_PARSE_LIST, X509V3_R_INVALID_NULL_NAME);
+            X509V3err(X509V3_F_X509V3_PARSE_LIST, X509V3_R_INVALID_EMPTY_NAME);
             goto err;
         }
         X509V3_add_value(ntmp, NULL, &values);
diff --git a/crypto/x509/v3err.c b/crypto/x509/v3err.c
index cbda3f2cf8..91fe0d075a 100644
--- a/crypto/x509/v3err.c
+++ b/crypto/x509/v3err.c
@@ -62,8 +62,8 @@ static const ERR_STRING_DATA X509V3_str_reasons[] = {
     {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_INVALID_NAME), "invalid name"},
     {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_INVALID_NULL_ARGUMENT),
     "invalid null argument"},
-    {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_INVALID_NULL_NAME),
-    "invalid null name"},
+    {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_INVALID_EMPTY_NAME),
+    "invalid empty name"},
     {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_INVALID_NULL_VALUE),
     "invalid null value"},
     {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_INVALID_NUMBER), "invalid number"},
diff --git a/crypto/x509/x509_local.h b/crypto/x509/x509_local.h
index e944d16afe..6a2137129c 100644
--- a/crypto/x509/x509_local.h
+++ b/crypto/x509/x509_local.h
@@ -9,6 +9,9 @@
 
 #include "internal/refcount.h"
 
+#define X509V3_conf_add_error_name_value(val) \
+    ERR_add_error_data(4, "name=", (val)->name, ", value=", (val)->value)
+
 /*
  * This structure holds all parameters associated with a verify operation by
  * including an X509_VERIFY_PARAM structure in related structures the
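Review bot: The new `X509V3_conf_add_error_name_value` macro has no comment and expands `val` twice, so an argument with side effects would be evaluated twice. Every call site visible in this diff passes a plain variable, but nothing at the definition says that is required. The macro also depends on the including file having a declaration of `ERR_add_error_data` in scope, since the only include visible in this hunk is `internal/refcount.h`. I would add above it `/* Append "name=<name>, value=<value>" of a CONF_VALUE to the latest error entry; evaluates val twice */`.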
diff --git a/include/openssl/objectserr.h b/include/openssl/objectserr.h
index 3cac9a7327..f1de77945b 100644
--- a/include/openssl/objectserr.h
+++ b/include/openssl/objectserr.h
@@ -8,8 +8,8 @@
  * https://www.openssl.org/source/license.html
  */
 
-#ifndef OPENSSL_OBJECTSERR_H
-# define OPENSSL_OBJECTSERR_H
+#ifndef OPENSSL_OBJERR_H
+# define OPENSSL_OBJERR_H
 # pragma once
 
 # include <openssl/opensslconf.h>
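Review bot: The include guard changes from `OPENSSL_OBJECTSERR_H` to `OPENSSL_OBJERR_H`, which no longer matches the file name `objectserr.h` and looks unrelated to the reason code added in the next hunk. If this is a side effect of regenerating the error headers, the generator's guard naming is worth checking. Because this header sits under `include/openssl/`, code that tests the old guard name would silently stop matching, so I would keep `#ifndef OPENSSL_OBJECTSERR_H` and `# define OPENSSL_OBJECTSERR_H`.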
@@ -41,5 +41,6 @@ int ERR_load_OBJ_strings(void);
  */
 # define OBJ_R_OID_EXISTS                                 102
 # define OBJ_R_UNKNOWN_NID                                101
+# define OBJ_R_UNKNOWN_OBJECT_NAME                        103
 
 #endif
diff --git a/include/openssl/x509v3err.h b/include/openssl/x509v3err.h
index eb3593fa20..d7aa5da6ac 100644
--- a/include/openssl/x509v3err.h
+++ b/include/openssl/x509v3err.h
@@ -127,7 +127,7 @@ int ERR_load_X509V3_strings(void);
 # define X509V3_R_INVALID_MULTIPLE_RDNS                   161
 # define X509V3_R_INVALID_NAME                            106
 # define X509V3_R_INVALID_NULL_ARGUMENT                   107
-# define X509V3_R_INVALID_NULL_NAME                       108
+# define X509V3_R_INVALID_EMPTY_NAME                      108
 # define X509V3_R_INVALID_NULL_VALUE                      109
 # define X509V3_R_INVALID_NUMBER                          140
 # define X509V3_R_INVALID_NUMBERS                         141
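Review bot: Renaming `X509V3_R_INVALID_NULL_NAME` to `X509V3_R_INVALID_EMPTY_NAME` in this header under `include/openssl/` removes a name that callers comparing reason codes may reference, and they would then fail to compile even though the value stays 108. If source compatibility matters for this release, a fallback alias would cover it, e.g. `# define X509V3_R_INVALID_NULL_NAME X509V3_R_INVALID_EMPTY_NAME` with a comment marking it as the old spelling. If the break is intended, it deserves a line in the change notes, which are not visible in this part of the diff.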
