Here is the new patch for 0.9.7d that provides for the extended syntax of
CRL Distribution Points. As suggested, I have re-ordered the variable
definitions so that they are now before allocation statements within a
scope.
I have sent a new TSU notification for this patch for openssl 0.9.7d.
Thank you,
Abhijit Hayatnagarkar.
>
> On Mon, 12 Apr 2004, Chris Brook wrote:
>
> > I incorporated these patches in 0.9.7d STABLE and compiled using the Solaris
> > native compiler instead of gcc. There were several errors because variable
> > definitions were placed after allocation statements, e.g.
> > + for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
> > + cnf = sk_CONF_VALUE_value(nval, i);
> > + STACK_OF(CONF_VALUE) *sk;
> > I can list the corrections (about 12) or, more appropriately, the author can
> > re-issue the patch with the necessary corrections so that it follows
> > standard C rules rather than C++.
> > Chris Brook
> >
diff -ur openssl-0.9.7d/crypto/x509v3/v3_crld.c
openssl-0.9.7d.modified/crypto/x509v3/v3_crld.c
--- openssl-0.9.7d/crypto/x509v3/v3_crld.c 2003-11-20 17:43:28.000000000 -0500
+++ openssl-0.9.7d.modified/crypto/x509v3/v3_crld.c 2004-04-12 15:03:23.000000000
-0400
@@ -63,8 +63,23 @@
#include <openssl/asn1t.h>
#include <openssl/x509v3.h>
-static STACK_OF(CONF_VALUE) *i2v_crld(X509V3_EXT_METHOD *method,
- STACK_OF(DIST_POINT) *crld, STACK_OF(CONF_VALUE) *extlist);
+static ENUMERATED_NAMES crl_reasons[] = {
+{0, "Unused", "unused"},
+{1, "Key Compromise", "keyCompromise"},
+{2, "CA Compromise", "cACompromise"},
+{3, "Affiliation Changed", "affiliationChanged"},
+{4, "Superseded", "superseded"},
+{5, "Cessation Of Operation", "cessationOfOperation"},
+{6, "Certificate Hold", "certificateHold"},
+{7, "Privilege Withdrawn", "privilegeWithdrawn"},
+{8, "AA Compromise", "aACompromise"},
+{-1, NULL, NULL}
+};
+
+static int i2r_crld(X509V3_EXT_METHOD *method,
+ STACK_OF(DIST_POINT) *crld, BIO *out, int indent);
+static STACK_OF(DIST_POINT) *r2i_crld(X509V3_EXT_METHOD *method,
+ X509V3_CTX *ctx, char *strval);
static STACK_OF(DIST_POINT) *v2i_crld(X509V3_EXT_METHOD *method,
X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
@@ -72,31 +87,164 @@
NID_crl_distribution_points, X509V3_EXT_MULTILINE, ASN1_ITEM_ref(CRL_DIST_POINTS),
0,0,0,0,
0,0,
-(X509V3_EXT_I2V)i2v_crld,
-(X509V3_EXT_V2I)v2i_crld,
0,0,
-NULL
+(X509V3_EXT_I2R)i2r_crld,
+(X509V3_EXT_R2I)r2i_crld,
+crl_reasons
};
-static STACK_OF(CONF_VALUE) *i2v_crld(X509V3_EXT_METHOD *method,
- STACK_OF(DIST_POINT) *crld, STACK_OF(CONF_VALUE) *exts)
+static DIST_POINT *crld_section(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
STACK_OF(CONF_VALUE) *nval) {
+
+ int i;
+ CONF_VALUE *cnf;
+ char *name, *value;
+ GENERAL_NAMES *gens = NULL;
+ DIST_POINT *point = NULL;
+ ASN1_BIT_STRING *bs = NULL;
+
+ if (!(point = DIST_POINT_new())) goto merr;
+ point->distpoint = NULL;
+
+ for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
+ STACK_OF(CONF_VALUE) *sk;
+ cnf = sk_CONF_VALUE_value(nval, i);
+ name = cnf->name;
+ value = cnf->value;
+ sk = X509V3_parse_list(value);
+
+ if (!strcmp (name, "fullname")) {
+ if (!(gens = v2i_GENERAL_NAMES(method, ctx, sk))) goto err;
+
+ if(!(point->distpoint = DIST_POINT_NAME_new())) goto merr;
+ point->distpoint->name.fullname = gens;
+ point->distpoint->type = 0;
+ gens = NULL;
+ }
+ else if (!strcmp (name, "relativename")) {
+ if (*value == '@') {
+ X509_NAME *nm = NULL;
+ STACK_OF(CONF_VALUE) *relsect = NULL;
+ if (!(nm = X509_NAME_new())) goto merr;
+
+ relsect = X509V3_get_section(ctx, value + 1);
+ if (!relsect) {
+ X509V3err(X509V3_F_R2I_CRLD,
X509V3_R_INVALID_SECTION);
+ ERR_add_error_data(2, "section=", value + 1);
+ X509_NAME_free(nm);
+ }
+
+ if (! X509V3_NAME_from_section(nm, relsect,
MBSTRING_ASC)) {
+ X509_NAME_free(nm);
+ nm = NULL;
+ }
+ X509V3_section_free(ctx, relsect);
+ if (!point->distpoint)
+ if(!(point->distpoint =
DIST_POINT_NAME_new())) goto merr;
+ point->distpoint->name.relativename = nm->entries;
+ point->distpoint->type = 1;
+ nm->entries = NULL;
+ X509_NAME_free(nm);
+ }
+ else {
+ X509V3err(X509V3_F_R2I_CRLD, X509V3_R_INVALID_SECTION);
+ ERR_add_error_data(2, "section=", value);
+ goto err;
+ }
+ }
+ else if (!strcmp (name, "CRLissuer")) {
+ if (!(gens = v2i_GENERAL_NAMES(method, ctx, sk))) goto err;
+ point->CRLissuer = gens;
+ gens = NULL;
+ }
+ else if (!strcmp (name, "reasons")) {
+ int j;
+ if (! (bs = M_ASN1_BIT_STRING_new())) {
+ X509V3err(X509V3_F_R2I_CRLD, ERR_R_MALLOC_FAILURE);
+ goto merr;
+ }
+ for (j = 0; j < sk_CONF_VALUE_num(sk); j++) {
+ ENUMERATED_NAMES *enam;
+ CONF_VALUE *val = sk_CONF_VALUE_value(sk, j);
+ for (enam = method->usr_data; enam->lname; enam++) {
+ if (!strcmp(enam->sname, val->name) ||
+ !strcmp(enam->lname, val->name)) {
+ ASN1_BIT_STRING_set_bit(bs,
enam->bitnum, 1);
+ break;
+ }
+ }
+ if (!enam->lname) {
+ X509V3err(X509V3_F_R2I_CRLD,
+
X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT);
+ X509V3_conf_err(val);
+ goto err;
+ }
+ }
+ point->reasons = bs;
+ }
+ else {
+ /* For Backward Compatibility */
+ goto err;
+ }
+ }
+ return point;
+
+ merr:
+ X509V3err(X509V3_F_R2I_CRLD,ERR_R_MALLOC_FAILURE);
+ err:
+ GENERAL_NAMES_free(gens);
+ M_ASN1_BIT_STRING_free(bs);
+ DIST_POINT_free(point);
+ return NULL;
+}
+
+static int i2r_crld(X509V3_EXT_METHOD *method,
+ STACK_OF(DIST_POINT) *crld, BIO *out, int indent)
{
DIST_POINT *point;
int i;
for(i = 0; i < sk_DIST_POINT_num(crld); i++) {
point = sk_DIST_POINT_value(crld, i);
- if(point->distpoint) {
- if(point->distpoint->type == 0)
- exts = i2v_GENERAL_NAMES(NULL,
- point->distpoint->name.fullname, exts);
- else X509V3_add_value("RelativeName","<UNSUPPORTED>", &exts);
- }
- if(point->reasons)
- X509V3_add_value("reasons","<UNSUPPORTED>", &exts);
- if(point->CRLissuer)
- X509V3_add_value("CRLissuer","<UNSUPPORTED>", &exts);
+ if (point) {
+ BIO_printf(out, "%*sDistribution Point:\n", indent, "");
+ if(point->distpoint) {
+ if(point->distpoint->type == 0) {
+ BIO_printf(out, "%*sFull Name:\n", indent + 2,
"");
+ X509V3_EXT_val_prn(out, i2v_GENERAL_NAMES(NULL,
+
point->distpoint->name.fullname, NULL),
+ indent + 4,
method->ext_flags & X509V3_EXT_MULTILINE);
+ }
+ else if (point->distpoint->type == 1) {
+ STACK_OF(X509_NAME_ENTRY) *ne =
point->distpoint->name.relativename;
+ X509_NAME *nm = X509_NAME_new();
+ BIO_printf(out, "%*sRelative Name:\n", indent
+ 2, "");
+ if (nm) {
+ char oline[256];
+ nm->entries = ne;
+ X509_NAME_oneline(nm, oline, 256);
+ BIO_printf(out, "%*s%s\n", indent + 4,
"", oline);
+ nm->entries = NULL;
+ X509_NAME_free(nm);
+ }
+ }
+ }
+ if(point->reasons) {
+ ENUMERATED_NAMES *enam;
+ ASN1_BIT_STRING *bits = point->reasons;
+ BIO_printf(out, "%*sReasons:\n", indent + 2, "");
+
+ for (enam = method->usr_data; enam->lname; enam++) {
+ if (ASN1_BIT_STRING_get_bit(bits,
enam->bitnum))
+ BIO_printf(out, "%*s%s\n", indent + 4,
"", enam->lname);
+ }
+ }
+ if(point->CRLissuer) {
+ BIO_printf(out, "%*sCRL Issuer:\n", indent + 2, "");
+ X509V3_EXT_val_prn(out,
i2v_GENERAL_NAMES(NULL,point->CRLissuer, NULL),
+ indent + 4, method->ext_flags &
X509V3_EXT_MULTILINE);
+ }
+ }
}
- return exts;
+ return 1;
}
static STACK_OF(DIST_POINT) *v2i_crld(X509V3_EXT_METHOD *method,
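Review bot: In crld_section's `relativename` branch the missing-section error at L101–L104 frees `nm` but does not leave the function, so `X509V3_NAME_from_section(nm, relsect, ...)` at L107 runs on a freed name with a NULL section, and a failed `X509V3_NAME_from_section` sets `nm = NULL` at L110 only to dereference it at `point->distpoint->name.relativename = nm->entries`; both paths need a `goto err;` (the second after `X509V3_section_free(ctx, relsect);`). The `reasons` branch hands `bs` to `point->reasons` at L157 without clearing the local, so any later `goto err` frees the bit string twice, once via `M_ASN1_BIT_STRING_free(bs)` and once inside `DIST_POINT_free(point)`; add `bs = NULL;` after `point->reasons = bs;`. The `sk` produced by `X509V3_parse_list(value)` on every iteration is never released; `sk_CONF_VALUE_pop_free(sk, X509V3_conf_free);` at the end of the loop body would close that leak. Separately, each `i2v_GENERAL_NAMES(NULL, ..., NULL)` result in i2r_crld is printed by `X509V3_EXT_val_prn` and then dropped, and needs the same pop_free afterwards.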
@@ -128,7 +276,85 @@
return crld;
merr:
- X509V3err(X509V3_F_V2I_CRLD,ERR_R_MALLOC_FAILURE);
+ X509V3err(X509V3_F_R2I_CRLD,ERR_R_MALLOC_FAILURE);
+ err:
+ GENERAL_NAME_free(gen);
+ GENERAL_NAMES_free(gens);
+ sk_DIST_POINT_pop_free(crld, DIST_POINT_free);
+ return NULL;
+}
+
+static STACK_OF(DIST_POINT) *r2i_crld(X509V3_EXT_METHOD *method,
+ X509V3_CTX *ctx, char *strval)
+{
+ STACK_OF(DIST_POINT) *crld = NULL;
+ GENERAL_NAMES *gens = NULL;
+ GENERAL_NAME *gen = NULL;
+ CONF_VALUE *cnf;
+ int i;
+ char *name;
+ STACK_OF(CONF_VALUE) *nval;
+ nval = X509V3_parse_list(strval);
+ if(!(crld = sk_DIST_POINT_new_null())) goto merr;
+ for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
+ cnf = sk_CONF_VALUE_value(nval, i);
+ name = cnf->name;
+ if (*name == '@') {
+ STACK_OF(CONF_VALUE) *crldsect;
+ DIST_POINT *sectpoint = NULL;
+ crldsect = X509V3_get_section(ctx, name + 1);
+ if (!crldsect) {
+
X509V3err(X509V3_F_R2I_CRLD,X509V3_R_INVALID_EXTENSION_STRING);
+ ERR_add_error_data(2, "section=", name);
+ goto err;
+ }
+ sectpoint = crld_section(method, ctx, crldsect);
+ X509V3_section_free(ctx, crldsect);
+
+ if (!sectpoint) {
+ /* For backward compatibility */
+ STACK_OF(DIST_POINT) *crld_tmp = NULL;
+ crld_tmp = v2i_crld(method, ctx, crldsect);
+
+ if (crld_tmp) {
+ DIST_POINT *dp = NULL;
+
+ while ((dp = sk_DIST_POINT_shift (crld_tmp))) {
+ if (!sk_DIST_POINT_push(crld, dp)) {
+ DIST_POINT_free(dp);
+
sk_DIST_POINT_pop_free(crld_tmp, DIST_POINT_free);
+ goto merr;
+ }
+ }
+ sk_DIST_POINT_pop_free(crld_tmp,
DIST_POINT_free);
+ }
+ }
+ else if(!sk_DIST_POINT_push(crld, sectpoint)) {
+ DIST_POINT_free(sectpoint);
+ goto merr;
+ }
+ }
+ else { /* For backward compatibility */
+ DIST_POINT *point;
+ if(!(gen = v2i_GENERAL_NAME(method, ctx, cnf))) goto err;
+ if(!(gens = GENERAL_NAMES_new())) goto merr;
+ if(!sk_GENERAL_NAME_push(gens, gen)) goto merr;
+ gen = NULL;
+ if(!(point = DIST_POINT_new())) goto merr;
+ if(!sk_DIST_POINT_push(crld, point)) {
+ DIST_POINT_free(point);
+ goto merr;
+ }
+ if(!(point->distpoint = DIST_POINT_NAME_new())) goto merr;
+ point->distpoint->name.fullname = gens;
+ point->distpoint->type = 0;
+ gens = NULL;
+ }
+ }
+ return crld;
+
+ merr:
+ X509V3err(X509V3_F_R2I_CRLD,ERR_R_MALLOC_FAILURE);
err:
GENERAL_NAME_free(gen);
GENERAL_NAMES_free(gens);
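Review bot: r2i_crld frees `crldsect` with `X509V3_section_free(ctx, crldsect)` at L284 and then, when crld_section returned NULL, passes the same `crldsect` to `v2i_crld` at L289 for the backward-compatibility fallback; unless the config backend's free_section happens to be a no-op that is a use-after-free, so the free should move below the fallback block (after L305). The fallback also runs when crld_section failed for a real reason (allocation failure, unknown `reasons` value) with errors already queued, and a NULL result from v2i_crld is silently skipped rather than taken to `err`, so a malformed section yields an empty extension without a reported error. `nval` from `X509V3_parse_list(strval)` at L268 is released on no path; `sk_CONF_VALUE_pop_free(nval, X509V3_conf_free);` belongs before `return crld;` and in the `err` path. The `merr` label of v2i_crld at L250 now reports that function's failures as `X509V3_F_R2I_CRLD`, which mislabels errors from the v2i path.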
diff -ur openssl-0.9.7d/crypto/x509v3/v3err.c
openssl-0.9.7d.modified/crypto/x509v3/v3err.c
--- openssl-0.9.7d/crypto/x509v3/v3err.c 2001-05-09 20:13:48.000000000 -0400
+++ openssl-0.9.7d.modified/crypto/x509v3/v3err.c 2004-04-12 14:39:59.000000000
-0400
@@ -93,7 +93,7 @@
{ERR_PACK(0,X509V3_F_V2I_ASN1_BIT_STRING,0), "V2I_ASN1_BIT_STRING"},
{ERR_PACK(0,X509V3_F_V2I_AUTHORITY_KEYID,0), "V2I_AUTHORITY_KEYID"},
{ERR_PACK(0,X509V3_F_V2I_BASIC_CONSTRAINTS,0), "V2I_BASIC_CONSTRAINTS"},
-{ERR_PACK(0,X509V3_F_V2I_CRLD,0), "V2I_CRLD"},
+{ERR_PACK(0,X509V3_F_R2I_CRLD,0), "R2I_CRLD"},
{ERR_PACK(0,X509V3_F_V2I_EXT_KU,0), "V2I_EXT_KU"},
{ERR_PACK(0,X509V3_F_V2I_GENERAL_NAME,0), "v2i_GENERAL_NAME"},
{ERR_PACK(0,X509V3_F_V2I_GENERAL_NAMES,0), "v2i_GENERAL_NAMES"},
diff -ur openssl-0.9.7d/crypto/x509v3/v3_utl.c
openssl-0.9.7d.modified/crypto/x509v3/v3_utl.c
--- openssl-0.9.7d/crypto/x509v3/v3_utl.c 2002-11-13 19:45:04.000000000 -0500
+++ openssl-0.9.7d.modified/crypto/x509v3/v3_utl.c 2004-04-12 14:39:59.000000000
-0400
@@ -533,3 +533,50 @@
{
sk_pop_free(sk, str_free);
}
+
+/* From the openssl-SNAP-20040227 snapshot of openssl 0.9.8 */
+int X509V3_NAME_from_section(X509_NAME *nm, STACK_OF(CONF_VALUE)*dn_sk,
+ unsigned long chtype)
+ {
+ CONF_VALUE *v;
+ int i, mval;
+ char *p, *type;
+ if (!nm)
+ return 0;
+
+ for (i = 0; i < sk_CONF_VALUE_num(dn_sk); i++)
+ {
+ v=sk_CONF_VALUE_value(dn_sk,i);
+ type=v->name;
+ /* Skip past any leading X. X: X, etc to allow for
+ * multiple instances
+ */
+ for(p = type; *p ; p++)
+#ifndef CHARSET_EBCDIC
+ if ((*p == ':') || (*p == ',') || (*p == '.'))
+#else
+ if ((*p == os_toascii[':']) || (*p == os_toascii[',']) || (*p
== os_toascii['.']))
+#endif
+ {
+ p++;
+ if(*p) type = p;
+ break;
+ }
+#ifndef CHARSET_EBCDIC
+ if (*p == '+')
+#else
+ if (*p == os_toascii['+'])
+#endif
+ {
+ mval = -1;
+ p++;
+ }
+ else
+ mval = 0;
+ if (!X509_NAME_add_entry_by_txt(nm,type, chtype,
+ (unsigned char *) v->value,-1,-1,mval))
+ return 0;
+
+ }
+ return 1;
+ }
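Review bot: The multi-valued RDN marker is consumed on the wrong variable: after the separator scan `type` points at the remaining attribute name (L385), but the `+` test and increment at L389–L396 operate on `p`, so `type` still begins with `+` when it reaches `X509_NAME_add_entry_by_txt` at L399 and the attribute lookup is handed `+CN` instead of `CN` while `mval` says it is multi-valued; a name with no separator at all never reaches the test because `p` is already at the terminator. Changing the test and advance to `if (*type == '+')` / `mval = -1; type++;` (and the EBCDIC branch likewise) fixes both cases. The comment says this was lifted from the 0.9.8 snapshot, so it is worth diffing against that snapshot to confirm which side drifted. Note also that the function returns 0 with entries already added to `nm`, so callers must free rather than reuse `nm` on failure, which is worth stating in a comment above the definition.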
diff -ur openssl-0.9.7d/crypto/x509v3/x509v3.h
openssl-0.9.7d.modified/crypto/x509v3/x509v3.h
--- openssl-0.9.7d/crypto/x509v3/x509v3.h 2003-01-29 10:06:38.000000000 -0500
+++ openssl-0.9.7d.modified/crypto/x509v3/x509v3.h 2004-04-12 14:39:59.000000000
-0400
@@ -547,6 +547,9 @@
STACK *X509_get1_email(X509 *x);
STACK *X509_REQ_get1_email(X509_REQ *x);
void X509_email_free(STACK *sk);
+/* From the openssl-SNAP-20040227 snapshot of openssl 0.9.8 */
+int X509V3_NAME_from_section(X509_NAME *nm, STACK_OF(CONF_VALUE)*dn_sk,
+ unsigned long chtype);
/* BEGIN ERROR CODES */
@@ -585,7 +588,7 @@
#define X509V3_F_V2I_ASN1_BIT_STRING 101
#define X509V3_F_V2I_AUTHORITY_KEYID 119
#define X509V3_F_V2I_BASIC_CONSTRAINTS 102
-#define X509V3_F_V2I_CRLD 134
+#define X509V3_F_R2I_CRLD 134
#define X509V3_F_V2I_EXT_KU 103
#define X509V3_F_V2I_GENERAL_NAME 117
#define X509V3_F_V2I_GENERAL_NAMES 118
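Review bot: Renaming `X509V3_F_V2I_CRLD` to `X509V3_F_R2I_CRLD` at L423–L424 removes a macro from the public header and re-uses function code 134, so existing code that references `X509V3_F_V2I_CRLD` stops compiling, and errors still raised under code 134 by v2i_crld (its `merr` label keeps that code) are reported with the R2I_CRLD string. Keep the old define and give the new function the next unused function code in this header, with a matching new entry in v3err.c rather than an edit of the existing one; the same applies to the duplicate of this header under include/openssl.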
diff -ur openssl-0.9.7d/include/openssl/x509v3.h
openssl-0.9.7d.modified/include/openssl/x509v3.h
--- openssl-0.9.7d/include/openssl/x509v3.h 2003-01-29 10:06:38.000000000 -0500
+++ openssl-0.9.7d.modified/include/openssl/x509v3.h 2004-04-12 14:39:59.000000000
-0400
@@ -547,6 +547,9 @@
STACK *X509_get1_email(X509 *x);
STACK *X509_REQ_get1_email(X509_REQ *x);
void X509_email_free(STACK *sk);
+/* From the openssl-SNAP-20040227 snapshot of openssl 0.9.8 */
+int X509V3_NAME_from_section(X509_NAME *nm, STACK_OF(CONF_VALUE)*dn_sk,
+ unsigned long chtype);
/* BEGIN ERROR CODES */
@@ -585,7 +588,7 @@
#define X509V3_F_V2I_ASN1_BIT_STRING 101
#define X509V3_F_V2I_AUTHORITY_KEYID 119
#define X509V3_F_V2I_BASIC_CONSTRAINTS 102
-#define X509V3_F_V2I_CRLD 134
+#define X509V3_F_R2I_CRLD 134
#define X509V3_F_V2I_EXT_KU 103
#define X509V3_F_V2I_GENERAL_NAME 117
#define X509V3_F_V2I_GENERAL_NAMES 118