From: Dr. Stephen Henson Date: Sat, 13 Sep 2008 22:02:49 +0000 (+0000) Subject: Updates from stable branch. X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=7486fb655060b9d7c451d3d13f579872386a2f58;p=openssl Updates from stable branch. --- diff --git a/crypto/asn1/asn_mime.c b/crypto/asn1/asn_mime.c index fe7c4ec7ab..bc80b20d63 100644 --- a/crypto/asn1/asn_mime.c +++ b/crypto/asn1/asn_mime.c @@ -526,6 +526,8 @@ int SMIME_text(BIO *in, BIO *out) sk_MIME_HEADER_pop_free(headers, mime_hdr_free); while ((len = BIO_read(in, iobuf, sizeof(iobuf))) > 0) BIO_write(out, iobuf, len); + if (len < 0) + return 0; return 1; } diff --git a/crypto/asn1/t_x509.c b/crypto/asn1/t_x509.c index eb776b7b3b..ae72b525d7 100644 --- a/crypto/asn1/t_x509.c +++ b/crypto/asn1/t_x509.c @@ -393,8 +393,9 @@ int ASN1_GENERALIZEDTIME_print(BIO *bp, ASN1_GENERALIZEDTIME *tm) d= (v[6]-'0')*10+(v[7]-'0'); h= (v[8]-'0')*10+(v[9]-'0'); m= (v[10]-'0')*10+(v[11]-'0'); - if ( (v[12] >= '0') && (v[12] <= '9') && - (v[13] >= '0') && (v[13] <= '9')) + if (i >= 14 && + (v[12] >= '0') && (v[12] <= '9') && + (v[13] >= '0') && (v[13] <= '9')) s= (v[12]-'0')*10+(v[13]-'0'); if (BIO_printf(bp,"%s %2d %02d:%02d:%02d %d%s", @@ -428,8 +429,9 @@ int ASN1_UTCTIME_print(BIO *bp, ASN1_UTCTIME *tm) d= (v[4]-'0')*10+(v[5]-'0'); h= (v[6]-'0')*10+(v[7]-'0'); m= (v[8]-'0')*10+(v[9]-'0'); - if ( (v[10] >= '0') && (v[10] <= '9') && - (v[11] >= '0') && (v[11] <= '9')) + if (i >=12 && + (v[10] >= '0') && (v[10] <= '9') && + (v[11] >= '0') && (v[11] <= '9')) s= (v[10]-'0')*10+(v[11]-'0'); if (BIO_printf(bp,"%s %2d %02d:%02d:%02d %d%s", @@ -501,4 +503,3 @@ err: OPENSSL_free(b); return(ret); } - diff --git a/crypto/cms/cms_smime.c b/crypto/cms/cms_smime.c index f79c504e91..b35d28d411 100644 --- a/crypto/cms/cms_smime.c +++ b/crypto/cms/cms_smime.c @@ -89,11 +89,13 @@ static int cms_copy_content(BIO *out, BIO *in, unsigned int flags) if (!BIO_get_cipher_status(in)) goto err; } + if (i < 0) + goto err; break; } - if (tmpout) - BIO_write(tmpout, buf, i); + if (tmpout && (BIO_write(tmpout, buf, i) != i)) + goto err; } if(flags & CMS_TEXT) diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index 9a62ebcf67..336c40ddd7 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -394,7 +394,7 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) #ifdef OPENSSL_NO_CHAIN_VERIFY return 1; #else - int i, ok=0, must_be_ca; + int i, ok=0, must_be_ca, plen = 0; X509 *x; int (*cb)(int xok,X509_STORE_CTX *xctx); int proxy_path_length = 0; @@ -495,9 +495,10 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) if (!ok) goto end; } } - /* Check pathlen */ - if ((i > 1) && (x->ex_pathlen != -1) - && (i > (x->ex_pathlen + proxy_path_length + 1))) + /* Check pathlen if not self issued */ + if ((i > 1) && !(x->ex_flags & EXFLAG_SI) + && (x->ex_pathlen != -1) + && (plen > (x->ex_pathlen + proxy_path_length + 1))) { ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED; ctx->error_depth = i; @@ -505,6 +506,9 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) ok=cb(0,ctx); if (!ok) goto end; } + /* Increment path length if not self issued */ + if (!(x->ex_flags & EXFLAG_SI)) + plen++; /* If this certificate is a proxy certificate, the next certificate must be another proxy certificate or a EE certificate. If not, the next certificate must be a diff --git a/crypto/x509v3/pcy_data.c b/crypto/x509v3/pcy_data.c index 614d2b4935..4711b1ee92 100644 --- a/crypto/x509v3/pcy_data.c +++ b/crypto/x509v3/pcy_data.c @@ -87,6 +87,12 @@ X509_POLICY_DATA *policy_data_new(POLICYINFO *policy, ASN1_OBJECT *id, int crit) X509_POLICY_DATA *ret; if (!policy && !id) return NULL; + if (id) + { + id = OBJ_dup(id); + if (!id) + return NULL; + } ret = OPENSSL_malloc(sizeof(X509_POLICY_DATA)); if (!ret) return NULL; @@ -94,6 +100,8 @@ X509_POLICY_DATA *policy_data_new(POLICYINFO *policy, ASN1_OBJECT *id, int crit) if (!ret->expected_policy_set) { OPENSSL_free(ret); + if (id) + ASN1_OBJECT_free(id); return NULL; } diff --git a/crypto/x509v3/pcy_tree.c b/crypto/x509v3/pcy_tree.c index 4fda1d419a..b1ce77b9af 100644 --- a/crypto/x509v3/pcy_tree.c +++ b/crypto/x509v3/pcy_tree.c @@ -130,9 +130,9 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, ret = 2; if (explicit_policy > 0) { - explicit_policy--; - if (!(x->ex_flags & EXFLAG_SS) - && (cache->explicit_skip != -1) + if (!(x->ex_flags & EXFLAG_SI)) + explicit_policy--; + if ((cache->explicit_skip != -1) && (cache->explicit_skip < explicit_policy)) explicit_policy = cache->explicit_skip; } @@ -197,13 +197,14 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, /* Any matching allowed if certificate is self * issued and not the last in the chain. */ - if (!(x->ex_flags & EXFLAG_SS) || (i == 0)) + if (!(x->ex_flags & EXFLAG_SI) || (i == 0)) level->flags |= X509_V_FLAG_INHIBIT_ANY; } else { - any_skip--; - if ((cache->any_skip > 0) + if (!(x->ex_flags & EXFLAG_SI)) + any_skip--; + if ((cache->any_skip >= 0) && (cache->any_skip < any_skip)) any_skip = cache->any_skip; } @@ -213,7 +214,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, else { map_skip--; - if ((cache->map_skip > 0) + if ((cache->map_skip >= 0) && (cache->map_skip < map_skip)) map_skip = cache->map_skip; } @@ -310,7 +311,8 @@ static int tree_link_any(X509_POLICY_LEVEL *curr, if (data == NULL) return 0; - data->qualifier_set = curr->anyPolicy->data->qualifier_set; + /* Curr may not have anyPolicy */ + data->qualifier_set = cache->anyPolicy->qualifier_set; data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS; if (!level_add_node(curr, data, node, tree)) { diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c index b2f5cdfa05..c54e7887c7 100644 --- a/crypto/x509v3/v3_purp.c +++ b/crypto/x509v3/v3_purp.c @@ -291,7 +291,9 @@ int X509_supported_extension(X509_EXTENSION *ex) NID_sbgp_ipAddrBlock, /* 290 */ NID_sbgp_autonomousSysNum, /* 291 */ #endif - NID_proxyCertInfo /* 661 */ + NID_policy_constraints, /* 401 */ + NID_proxyCertInfo, /* 661 */ + NID_inhibit_any_policy /* 748 */ }; int ex_nid; @@ -325,7 +327,7 @@ static void x509v3_cache_extensions(X509 *x) #endif /* Does subject name match issuer ? */ if(!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x))) - x->ex_flags |= EXFLAG_SS; + x->ex_flags |= EXFLAG_SI; /* V1 should mean no extensions ... */ if(!X509_get_version(x)) x->ex_flags |= EXFLAG_V1; /* Handle basic constraints */ diff --git a/crypto/x509v3/x509v3.h b/crypto/x509v3/x509v3.h index db2b0482c1..5ba59f71c9 100644 --- a/crypto/x509v3/x509v3.h +++ b/crypto/x509v3/x509v3.h @@ -363,6 +363,8 @@ DECLARE_ASN1_FUNCTIONS(PROXY_CERT_INFO_EXTENSION) #define EXFLAG_NSCERT 0x8 #define EXFLAG_CA 0x10 +/* Really self issued not necessarily self signed */ +#define EXFLAG_SI 0x20 #define EXFLAG_SS 0x20 #define EXFLAG_V1 0x40 #define EXFLAG_INVALID 0x80 @@ -370,7 +372,7 @@ DECLARE_ASN1_FUNCTIONS(PROXY_CERT_INFO_EXTENSION) #define EXFLAG_CRITICAL 0x200 #define EXFLAG_PROXY 0x400 -#define EXFLAG_INVALID_POLICY 0x400 +#define EXFLAG_INVALID_POLICY 0x800 #define KU_DIGITAL_SIGNATURE 0x0080 #define KU_NON_REPUDIATION 0x0040